Revert "wifi: support "802-1x.phase1-auth-flags=tls-allow-unsafe-renegotiation" flag"

There is still no agreement about how to name this option, or whether
it should exist at all. Revert the addition of the flag.

As the new release is coming up, drop the new API.

https://bugzilla.redhat.com/show_bug.cgi?id=2072070#c64
https://bugzilla.redhat.com/show_bug.cgi?id=2077973#c24
http://lists.infradead.org/pipermail/hostap/2022-July/040665.html

This reverts commit a5a4aea2e6.
Thomas Haller 2022-08-11 15:43:33 +02:00
parent c99503abc4
commit 3117198f15
GPG key ID: 29C2366E4DFC5728
6 changed files with 7 additions and 21 deletions

NEWS

@ -27,8 +27,6 @@ USE AT YOUR OWN RISK. NOT RECOMMENDED FOR PRODUCTION USE!
With MPTCP handling enabled, NetworkManager will relax a strict (1) rp_filter
to loose (2). Otherwise rp_filter is untouched by NetworkManager.
* NetworkManager expanded log messages for invalid DHCP options.
* Support "802-1x.phase1-auth-flags=tls-allow-unsafe-renegotiation" flag
for Wi-Fi.
* Fix the requirement of hardware address for DHCPv6, by dropping it.
* Increase the PMK lifetime for Wi-Fi connections using WPA-EAP.
* "nmcli networking off" now waits for deactivations to complete.
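Review bot: dropping the two NEWS lines outright, rather than replacing them with a "removed" entry, is right only because the flag never reached a release; the commit message says the release is still coming up, so users have nothing to migrate. Worth a grep of NEWS for any other mention of tls-allow-unsafe-renegotiation so the release notes do not advertise a flag the API no longer has.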


@ -1375,9 +1375,6 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
g_string_append_printf(phase1, "%stls_disable_tlsv1_1=1", (phase1->len ? " " : ""));
if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE))
g_string_append_printf(phase1, "%stls_disable_tlsv1_2=1", (phase1->len ? " " : ""));
if (NM_FLAGS_HAS(phase1_auth_flags,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_ALLOW_UNSAFE_RENEGOTIATION))
g_string_append_printf(phase1, "%sallow_unsafe_renegotiation=1", (phase1->len ? " " : ""));
if (phase1->len) {
if (!add_string_val(self, phase1->str, "phase1", FALSE, NULL, error)) {
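Review bot: this removes the only place that translated the flag into the supplicant option allow_unsafe_renegotiation=1, so after the revert NetworkManager never asks the supplicant to relax RFC 5746 secure renegotiation and the supplicant's own default applies; that is the desired outcome while the option's naming and existence are still disputed. The enumerator NM_SETTING_802_1X_AUTH_FLAGS_TLS_ALLOW_UNSAFE_RENEGOTIATION referenced here disappears from the header in the same commit, so this hunk must land together with that one or the build breaks; none of the six changed files is a test, so any unit test that asserted on the generated phase1 string would need to be checked separately.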


@ -3594,13 +3594,9 @@ nm_setting_802_1x_class_init(NMSetting8021xClass *klass)
*
* Specifies authentication flags to use in "phase 1" outer
* authentication using #NMSetting8021xAuthFlags options.
*
* The individual TLS versions can be explicitly disabled. If a certain
* TLS disable flag is not set, it is up to the supplicant to allow
* or forbid it. The TLS options map to tls_disable_tlsv1_x settings.
* It also allows to set "tls-allow-unsafe-renegotiation" to workaround
* authentication servers that don't support RFC 5746 secure authentication.
*
* See the wpa_supplicant documentation for more details.
*
* Since: 1.8
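Review bot: the remaining paragraph still documents the TLS-version flags correctly, and the removed sentence ("It also allows to set ... to workaround ...") is gone in full rather than left half-edited. This gtk-doc comment is the source text for the two generated descriptions further down (the DESCRIBE_DOC_ macro and the GIR XML property), so the three copies must match word for word; they do in this commit.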


@ -65,10 +65,6 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE: Disable TLSv1.0
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE: Disable TLSv1.1
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE: Disable TLSv1.2
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_ALLOW_UNSAFE_RENEGOTIATION: Allow
* unsafe TLS renegotiation, if the authentication server does not support
* RFC 5746. This might open security vulnerabilities, but might
* be necessary to connect to legacy authentication servers. Since: 1.40.
* @NM_SETTING_802_1X_AUTH_FLAGS_ALL: All supported flags
*
* #NMSetting8021xAuthFlags values indicate which authentication settings
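Review bot: the enumerator's documentation is removed together with its definition, which keeps gtk-doc from warning about an undocumented or orphaned symbol. The "Since: 1.40" marker confirms the flag only ever existed in the unreleased development series, which is the precondition for removing public API without a deprecation cycle; the removed text's own caveat that the flag "might open security vulnerabilities" is the reason the safer default (no unsafe renegotiation requested) is all that should remain for now.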
@ -80,13 +76,12 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
* Since: 1.8
*/
typedef enum /*< underscore_name=nm_setting_802_1x_auth_flags, flags >*/ {
NM_SETTING_802_1X_AUTH_FLAGS_NONE = 0,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE = 0x1,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE = 0x2,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE = 0x4,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_ALLOW_UNSAFE_RENEGOTIATION = 0x8,
NM_SETTING_802_1X_AUTH_FLAGS_NONE = 0,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE = 0x1,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE = 0x2,
NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE = 0x4,
NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0xF,
NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0x7,
} NMSetting8021xAuthFlags;
#define NM_TYPE_SETTING_802_1X (nm_setting_802_1x_get_type())
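Review bot: NM_SETTING_802_1X_AUTH_FLAGS_ALL changes from 0xF back to 0x7, an ABI-visible value change that is acceptable here only because 0x8 was never in a release. Worth checking how the setting's verify step treats a profile written by a development build with bit 0x8 set in phase1-auth-flags, since that bit is now outside ALL and should be reported as invalid rather than silently passed through.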


@ -49,7 +49,7 @@
#define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD_FLAGS N_("Flags indicating how to handle the \"password\" property.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD_RAW N_("Password used for EAP authentication methods, given as a byte array to allow passwords in other encodings than UTF-8 to be used. If both the \"password\" property and the \"password-raw\" property are specified, \"password\" is preferred.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD_RAW_FLAGS N_("Flags indicating how to handle the \"password-raw\" property.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_AUTH_FLAGS N_("Specifies authentication flags to use in \"phase 1\" outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. It also allows to set \"tls-allow-unsafe-renegotiation\" to workaround authentication servers that don't support RFC 5746 secure authentication. See the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_AUTH_FLAGS N_("Specifies authentication flags to use in \"phase 1\" outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. See the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING N_("Enables or disables in-line provisioning of EAP-FAST credentials when FAST is specified as the EAP method in the \"eap\" property. Recognized values are \"0\" (disabled), \"1\" (allow unauthenticated provisioning), \"2\" (allow authenticated provisioning), and \"3\" (allow both authenticated and unauthenticated provisioning). See the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_PEAPLABEL N_("Forces use of the new PEAP label during key derivation. Some RADIUS servers may require forcing the new PEAP label to interoperate with PEAPv1. Set to \"1\" to force use of the new PEAP label. See the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_PEAPVER N_("Forces which PEAP version is used when PEAP is set as the EAP method in the \"eap\" property. When unset, the version reported by the server will be used. Sometimes when using older RADIUS servers, it is necessary to force the client to use a particular PEAP version. To do so, this property may be set to \"0\" or \"1\" to force that specific PEAP version.")
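Review bot: the only difference between the old and new DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_AUTH_FLAGS lines is the dropped sentence, matching the gtk-doc change above; since these DESCRIBE_DOC_ strings mirror the gtk-doc comment, a regeneration of the descriptions should produce this exact line, and any hand edit that diverged from it would show up as a spurious diff on the next rebuild.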


@ -143,7 +143,7 @@
<property name="phase1-fast-provisioning"
description="Enables or disables in-line provisioning of EAP-FAST credentials when FAST is specified as the EAP method in the &quot;eap&quot; property. Recognized values are &quot;0&quot; (disabled), &quot;1&quot; (allow unauthenticated provisioning), &quot;2&quot; (allow authenticated provisioning), and &quot;3&quot; (allow both authenticated and unauthenticated provisioning). See the wpa_supplicant documentation for more details." />
<property name="phase1-auth-flags"
description="Specifies authentication flags to use in &quot;phase 1&quot; outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. It also allows to set &quot;tls-allow-unsafe-renegotiation&quot; to workaround authentication servers that don&apos;t support RFC 5746 secure authentication. See the wpa_supplicant documentation for more details." />
description="Specifies authentication flags to use in &quot;phase 1&quot; outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. See the wpa_supplicant documentation for more details." />
<property name="phase2-auth"
description="Specifies the allowed &quot;phase 2&quot; inner authentication method when an EAP method that uses an inner TLS tunnel is specified in the &quot;eap&quot; property. For TTLS this property selects one of the supported non-EAP inner methods: &quot;pap&quot;, &quot;chap&quot;, &quot;mschap&quot;, &quot;mschapv2&quot; while &quot;phase2-autheap&quot; selects an EAP inner method. For PEAP this selects an inner EAP method, one of: &quot;gtc&quot;, &quot;otp&quot;, &quot;md5&quot; and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. Both &quot;phase2-auth&quot; and &quot;phase2-autheap&quot; cannot be specified." />
<property name="phase2-autheap"
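Review bot: the GIR XML description for phase1-auth-flags drops the same sentence as the other two copies, and the entity-escaped quoting (&quot;) in the remaining text is intact; no other property in this list changes, so the documentation is consistent across all three locations.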