char *ca_path;
char *subject_match;
GSList *altsubject_matches;
+ char *domain_suffix_match;
GBytes *client_cert;
char *phase1_peapver;
char *phase1_peaplabel;
char *phase2_ca_path;
char *phase2_subject_match;
GSList *phase2_altsubject_matches;
+ char *phase2_domain_suffix_match;
GBytes *phase2_client_cert;
char *password;
NMSettingSecretFlags password_flags;
PROP_CA_PATH,
PROP_SUBJECT_MATCH,
PROP_ALTSUBJECT_MATCHES,
+ PROP_DOMAIN_SUFFIX_MATCH,
PROP_CLIENT_CERT,
PROP_PHASE1_PEAPVER,
PROP_PHASE1_PEAPLABEL,
PROP_PHASE2_CA_PATH,
PROP_PHASE2_SUBJECT_MATCH,
PROP_PHASE2_ALTSUBJECT_MATCHES,
+ PROP_PHASE2_DOMAIN_SUFFIX_MATCH,
PROP_PHASE2_CLIENT_CERT,
PROP_PASSWORD,
PROP_PASSWORD_FLAGS,
g_object_notify (G_OBJECT (setting), NM_SETTING_802_1X_ALTSUBJECT_MATCHES);
}
+/**
+ * nm_setting_802_1x_get_domain_suffix_match:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the #NMSetting8021x:domain-suffix-match property.
+ *
+ * Since: 1.2
+ **/
+const char *
+nm_setting_802_1x_get_domain_suffix_match (NMSetting8021x *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+ return NM_SETTING_802_1X_GET_PRIVATE (setting)->domain_suffix_match;
+}
+
/**
* nm_setting_802_1x_get_client_cert_scheme:
* @setting: the #NMSetting8021x
return g_slist_length (NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_altsubject_matches);
}
+/**
+ * nm_setting_802_1x_get_phase2_domain_suffix_match:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the #NMSetting8021x:phase2-domain-suffix-match property.
+ *
+ * Since: 1.2
+ **/
+const char *
+nm_setting_802_1x_get_phase2_domain_suffix_match (NMSetting8021x *setting)
+{
+ g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+ return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_domain_suffix_match;
+}
+
/**
* nm_setting_802_1x_get_phase2_altsubject_match:
* @setting: the #NMSettingConnection
g_free (priv->anonymous_identity);
g_free (priv->ca_path);
g_free (priv->subject_match);
+ g_free (priv->domain_suffix_match);
g_free (priv->phase1_peapver);
g_free (priv->phase1_peaplabel);
g_free (priv->phase1_fast_provisioning);
g_free (priv->phase2_autheap);
g_free (priv->phase2_ca_path);
g_free (priv->phase2_subject_match);
+ g_free (priv->phase2_domain_suffix_match);
g_free (priv->password);
if (priv->password_raw)
g_bytes_unref (priv->password_raw);
g_slist_free_full (priv->altsubject_matches, g_free);
priv->altsubject_matches = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE);
break;
+ case PROP_DOMAIN_SUFFIX_MATCH:
+ g_free (priv->domain_suffix_match);
+ priv->domain_suffix_match = g_value_dup_string (value);
+ break;
case PROP_CLIENT_CERT:
if (priv->client_cert)
g_bytes_unref (priv->client_cert);
g_slist_free_full (priv->phase2_altsubject_matches, g_free);
priv->phase2_altsubject_matches = _nm_utils_strv_to_slist (g_value_get_boxed (value), TRUE);
break;
+ case PROP_PHASE2_DOMAIN_SUFFIX_MATCH:
+ g_free (priv->phase2_domain_suffix_match);
+ priv->phase2_domain_suffix_match = g_value_dup_string (value);
+ break;
case PROP_PHASE2_CLIENT_CERT:
if (priv->phase2_client_cert)
g_bytes_unref (priv->phase2_client_cert);
case PROP_ALTSUBJECT_MATCHES:
g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->altsubject_matches, TRUE));
break;
+ case PROP_DOMAIN_SUFFIX_MATCH:
+ g_value_set_string (value, priv->domain_suffix_match);
+ break;
case PROP_CLIENT_CERT:
g_value_set_boxed (value, priv->client_cert);
break;
case PROP_PHASE2_ALTSUBJECT_MATCHES:
g_value_take_boxed (value, _nm_utils_slist_to_strv (priv->phase2_altsubject_matches, TRUE));
break;
+ case PROP_PHASE2_DOMAIN_SUFFIX_MATCH:
+ g_value_set_string (value, priv->phase2_domain_suffix_match);
+ break;
case PROP_PHASE2_CLIENT_CERT:
g_value_set_boxed (value, priv->phase2_client_cert);
break;
*
* Substring to be matched against the subject of the certificate presented
* by the authentication server. When unset, no verification of the
- * authentication server certificate's subject is performed.
+ * authentication server certificate's subject is performed. This property
+ * provides little security, if any, and its use is deprecated in favor of
+ * NMSetting8021x:domain-suffix-match.
**/
/* ---ifcfg-rh---
* property: subject-match
G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS));
+ /**
+ * NMSetting8021x:domain-suffix-match:
+ *
+ * Constraint for server domain name. If set, this FQDN is used as a suffix
+ * match requirement for dNSName element(s) of the certificate presented by
+ * the authentication server. If a matching dNSName is found, this
+ * constraint is met. If no dNSName values are present, this constraint is
+ * matched against SubjectName CN using same suffix match comparison.
+ *
+ * Since: 1.2
+ **/
+ g_object_class_install_property
+ (object_class, PROP_DOMAIN_SUFFIX_MATCH,
+ g_param_spec_string (NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH, "", "",
+ NULL,
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_STRINGS));
+
/**
* NMSetting8021x:client-cert:
*
* Substring to be matched against the subject of the certificate presented
* by the authentication server during the inner "phase 2"
* authentication. When unset, no verification of the authentication server
- * certificate's subject is performed.
+ * certificate's subject is performed. This property provides little security,
+ * if any, and its use is deprecated in favor of
+ * NMSetting8021x:phase2-domain-suffix-match.
**/
/* ---ifcfg-rh---
* property: phase2-subject-match
G_PARAM_READWRITE |
G_PARAM_STATIC_STRINGS));
+ /**
+ * NMSetting8021x:phase2-domain-suffix-match:
+ *
+ * Constraint for server domain name. If set, this FQDN is used as a suffix
+ * match requirement for dNSName element(s) of the certificate presented by
+ * the authentication server during the inner "phase 2" authentication. If
+ * a matching dNSName is found, this constraint is met. If no dNSName
+ * values are present, this constraint is matched against SubjectName CN
+ * using same suffix match comparison.
+ *
+ * Since: 1.2
+ **/
+ g_object_class_install_property
+ (object_class, PROP_PHASE2_DOMAIN_SUFFIX_MATCH,
+ g_param_spec_string (NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH, "", "",
+ NULL,
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_STRINGS));
+
/**
* NMSetting8021x:phase2-client-cert:
*
#define NM_SETTING_802_1X_CA_PATH "ca-path"
#define NM_SETTING_802_1X_SUBJECT_MATCH "subject-match"
#define NM_SETTING_802_1X_ALTSUBJECT_MATCHES "altsubject-matches"
+#define NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH "domain-suffix-match"
#define NM_SETTING_802_1X_CLIENT_CERT "client-cert"
#define NM_SETTING_802_1X_PHASE1_PEAPVER "phase1-peapver"
#define NM_SETTING_802_1X_PHASE1_PEAPLABEL "phase1-peaplabel"
#define NM_SETTING_802_1X_PHASE2_CA_PATH "phase2-ca-path"
#define NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH "phase2-subject-match"
#define NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES "phase2-altsubject-matches"
+#define NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH "phase2-domain-suffix-match"
#define NM_SETTING_802_1X_PHASE2_CLIENT_CERT "phase2-client-cert"
#define NM_SETTING_802_1X_PASSWORD "password"
#define NM_SETTING_802_1X_PASSWORD_FLAGS "password-flags"
gboolean nm_setting_802_1x_remove_altsubject_match_by_value (NMSetting8021x *setting,
const char *altsubject_match);
void nm_setting_802_1x_clear_altsubject_matches (NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_2
+const char * nm_setting_802_1x_get_domain_suffix_match (NMSetting8021x *setting);
NMSetting8021xCKScheme nm_setting_802_1x_get_client_cert_scheme (NMSetting8021x *setting);
GBytes * nm_setting_802_1x_get_client_cert_blob (NMSetting8021x *setting);
gboolean nm_setting_802_1x_remove_phase2_altsubject_match_by_value (NMSetting8021x *setting,
const char *phase2_altsubject_match);
void nm_setting_802_1x_clear_phase2_altsubject_matches (NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_2
+const char * nm_setting_802_1x_get_phase2_domain_suffix_match (NMSetting8021x *setting);
NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_client_cert_scheme (NMSetting8021x *setting);
GBytes * nm_setting_802_1x_get_phase2_client_cert_blob (NMSetting8021x *setting);