Add domain_match mode for wifi certificate domain comparison

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/308
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/437

clients/common/nm-meta-setting-desc.c

@@ -4562,6 +4562,9 @@ static const NMMetaPropertyInfo *const property_infos_802_1X[] = {
 	PROPERTY_INFO_WITH_DESC (NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH,
 	    .property_type =                &_pt_gobject_string,
 	),
+	PROPERTY_INFO_WITH_DESC (NM_SETTING_802_1X_DOMAIN_MATCH,
+	    .property_type =                &_pt_gobject_string,
+	),
 	PROPERTY_INFO_WITH_DESC (NM_SETTING_802_1X_CLIENT_CERT,
 	    .describe_message =
 	        N_("Enter file path to client certificate (optionally prefixed with file://).\n"
@@ -4659,6 +4662,9 @@ static const NMMetaPropertyInfo *const property_infos_802_1X[] = {
 	PROPERTY_INFO_WITH_DESC (NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH,
 	    .property_type =                &_pt_gobject_string,
 	),
+	PROPERTY_INFO_WITH_DESC (NM_SETTING_802_1X_PHASE2_DOMAIN_MATCH,
+	    .property_type =                &_pt_gobject_string,
+	),
 	PROPERTY_INFO_WITH_DESC (NM_SETTING_802_1X_PHASE2_CLIENT_CERT,
 	    .describe_message =
 	        N_("Enter file path to client certificate for inner authentication (optionally prefixed\n"

clients/common/settings-docs.h.in

@@ -51,7 +51,8 @@
 #define DESCRIBE_DOC_NM_SETTING_802_1X_CLIENT_CERT N_("Contains the client certificate if used by the EAP method specified in the \"eap\" property. Certificate data is specified using a \"scheme\"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_CLIENT_CERT_PASSWORD N_("The password used to access the client certificate stored in \"client-cert\" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS N_("Flags indicating how to handle the \"client-cert-password\" property.")
-#define DESCRIBE_DOC_NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH N_("Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server.  If a matching dNSName is found, this constraint is met.  If no dNSName values are present, this constraint is matched against SubjectName CN using same suffix match comparison.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_DOMAIN_MATCH N_("Constraint for server domain name. If set, this list of FQDNs is used as a match requirement for dNSName element(s) of the certificate presented by the authentication server.  If a matching dNSName is found, this constraint is met.  If no dNSName values are present, this constraint is matched against SubjectName CN using the same comparison. Multiple valid FQDNs can be passed as a \";\" delimited list.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH N_("Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server.  If a matching dNSName is found, this constraint is met.  If no dNSName values are present, this constraint is matched against SubjectName CN using same suffix match comparison. Since version 1.24, multiple valid FQDNs can be passed as a \";\" delimited list.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_EAP N_("The allowed EAP method to be used when authenticating to the network with 802.1x.  Valid methods are: \"leap\", \"md5\", \"tls\", \"peap\", \"ttls\", \"pwd\", and \"fast\".  Each method requires different configuration using the properties of this setting; refer to wpa_supplicant documentation for the allowed combinations.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_IDENTITY N_("Identity string for EAP authentication methods.  Often the user's user or login name.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_OPTIONAL N_("Whether the 802.1X authentication is optional. If TRUE, the activation will continue even after a timeout or an authentication failure. Setting the property to TRUE is currently allowed only for Ethernet connections. If set to FALSE, the activation can continue only after a successful authentication.")
@@ -74,7 +75,8 @@
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CLIENT_CERT N_("Contains the \"phase 2\" client certificate if used by the EAP method specified in the \"phase2-auth\" or \"phase2-autheap\" properties. Certificate data is specified using a \"scheme\"; two are currently supported: blob and path. When using the blob scheme (which is backwards compatible with NM 0.7.x) this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD N_("The password used to access the \"phase2\" client certificate stored in \"phase2-client-cert\" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS N_("Flags indicating how to handle the \"phase2-client-cert-password\" property.")
-#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH N_("Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server during the inner \"phase 2\" authentication.  If a matching dNSName is found, this constraint is met.  If no dNSName values are present, this constraint is matched against SubjectName CN using same suffix match comparison.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_DOMAIN_MATCH N_("Constraint for server domain name. If set, this list of FQDNs is used as a match requirement for dNSName element(s) of the certificate presented by the authentication server during the inner \"phase 2\" authentication. If a matching dNSName is found, this constraint is met.  If no dNSName values are present, this constraint is matched against SubjectName CN using the same comparison. Multiple valid FQDNs can be passed as a \";\" delimited list.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH N_("Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server during the inner \"phase 2\" authentication.  If a matching dNSName is found, this constraint is met.  If no dNSName values are present, this constraint is matched against SubjectName CN using same suffix match comparison. Since version 1.24, multiple valid FQDNs can be passed as a \";\" delimited list.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_PRIVATE_KEY N_("Contains the \"phase 2\" inner private key when the \"phase2-auth\" or \"phase2-autheap\" property is set to \"tls\". Key data is specified using a \"scheme\"; two are currently supported: blob and path. When using the blob scheme and private keys, this property should be set to the key's encrypted PEM encoded data. When using private keys with the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string \"file://\" and ending with a terminating NUL byte. When using PKCS#12 format private keys and the blob scheme, this property should be set to the PKCS#12 data and the \"phase2-private-key-password\" property must be set to password used to decrypt the PKCS#12 certificate and key. When using PKCS#12 files and the path scheme, this property should be set to the full UTF-8 encoded path of the key, prefixed with the string \"file://\" and ending with a terminating NUL byte, and as with the blob scheme the \"phase2-private-key-password\" property must be set to the password used to decode the PKCS#12 private key and certificate.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD N_("The password used to decrypt the \"phase 2\" private key specified in the \"phase2-private-key\" property when the private key either uses the path scheme, or is a PKCS#12 format key.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD_FLAGS N_("Flags indicating how to handle the \"phase2-private-key-password\" property.")

libnm-core/nm-setting-8021x.c

@@ -92,6 +92,7 @@ NM_GOBJECT_PROPERTIES_DEFINE (NMSetting8021x,
 	PROP_SUBJECT_MATCH,
 	PROP_ALTSUBJECT_MATCHES,
 	PROP_DOMAIN_SUFFIX_MATCH,
+	PROP_DOMAIN_MATCH,
 	PROP_CLIENT_CERT,
 	PROP_CLIENT_CERT_PASSWORD,
 	PROP_CLIENT_CERT_PASSWORD_FLAGS,
@@ -108,6 +109,7 @@ NM_GOBJECT_PROPERTIES_DEFINE (NMSetting8021x,
 	PROP_PHASE2_SUBJECT_MATCH,
 	PROP_PHASE2_ALTSUBJECT_MATCHES,
 	PROP_PHASE2_DOMAIN_SUFFIX_MATCH,
+	PROP_PHASE2_DOMAIN_MATCH,
 	PROP_PHASE2_CLIENT_CERT,
 	PROP_PHASE2_CLIENT_CERT_PASSWORD,
 	PROP_PHASE2_CLIENT_CERT_PASSWORD_FLAGS,
@@ -139,6 +141,7 @@ typedef struct {
 	char *subject_match;
 	GSList *altsubject_matches;
 	char *domain_suffix_match;
+	char *domain_match;
 	GBytes *client_cert;
 	char *client_cert_password;
 	char *phase1_peapver;
@@ -152,6 +155,7 @@ typedef struct {
 	char *phase2_subject_match;
 	GSList *phase2_altsubject_matches;
 	char *phase2_domain_suffix_match;
+	char *phase2_domain_match;
 	GBytes *phase2_client_cert;
 	char *phase2_client_cert_password;
 	char *password;
@@ -1244,6 +1248,22 @@ nm_setting_802_1x_get_domain_suffix_match (NMSetting8021x *setting)
 	return NM_SETTING_802_1X_GET_PRIVATE (setting)->domain_suffix_match;
 }
 
+/**
+ * nm_setting_802_1x_get_domain_match:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the #NMSetting8021x:domain-match property.
+ *
+ * Since: 1.24
+ **/
+const char *
+nm_setting_802_1x_get_domain_match (NMSetting8021x *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+	return NM_SETTING_802_1X_GET_PRIVATE (setting)->domain_match;
+}
+
 /**
  * nm_setting_802_1x_get_client_cert_scheme:
  * @setting: the #NMSetting8021x
@@ -1691,6 +1711,22 @@ nm_setting_802_1x_get_phase2_domain_suffix_match (NMSetting8021x *setting)
 	return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_domain_suffix_match;
 }
 
+/**
+ * nm_setting_802_1x_get_phase2_domain_match:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns: the #NMSetting8021x:phase2-domain-match property.
+ *
+ * Since: 1.24
+ **/
+const char *
+nm_setting_802_1x_get_phase2_domain_match (NMSetting8021x *setting)
+{
+	g_return_val_if_fail (NM_IS_SETTING_802_1X (setting), NULL);
+
+	return NM_SETTING_802_1X_GET_PRIVATE (setting)->phase2_domain_match;
+}
+
 /**
  * nm_setting_802_1x_get_phase2_altsubject_match:
  * @setting: the #NMSettingConnection
@@ -3074,6 +3110,9 @@ get_property (GObject *object, guint prop_id,
 	case PROP_DOMAIN_SUFFIX_MATCH:
 		g_value_set_string (value, priv->domain_suffix_match);
 		break;
+	case PROP_DOMAIN_MATCH:
+		g_value_set_string (value, priv->domain_match);
+		break;
 	case PROP_CLIENT_CERT:
 		g_value_set_boxed (value, priv->client_cert);
 		break;
@@ -3122,6 +3161,9 @@ get_property (GObject *object, guint prop_id,
 	case PROP_PHASE2_DOMAIN_SUFFIX_MATCH:
 		g_value_set_string (value, priv->phase2_domain_suffix_match);
 		break;
+	case PROP_PHASE2_DOMAIN_MATCH:
+		g_value_set_string (value, priv->phase2_domain_match);
+		break;
 	case PROP_PHASE2_CLIENT_CERT:
 		g_value_set_boxed (value, priv->phase2_client_cert);
 		break;
@@ -3233,6 +3275,10 @@ set_property (GObject *object, guint prop_id,
 		g_free (priv->domain_suffix_match);
 		priv->domain_suffix_match = nm_strdup_not_empty (g_value_get_string (value));
 		break;
+	case PROP_DOMAIN_MATCH:
+		g_free (priv->domain_match);
+		priv->domain_match = nm_strdup_not_empty (g_value_get_string (value));
+		break;
 	case PROP_CLIENT_CERT:
 		g_bytes_unref (priv->client_cert);
 		priv->client_cert = g_value_dup_boxed (value);
@@ -3294,6 +3340,10 @@ set_property (GObject *object, guint prop_id,
 		g_free (priv->phase2_domain_suffix_match);
 		priv->phase2_domain_suffix_match = nm_strdup_not_empty (g_value_get_string (value));
 		break;
+	case PROP_PHASE2_DOMAIN_MATCH:
+		g_free (priv->phase2_domain_match);
+		priv->phase2_domain_match = nm_strdup_not_empty (g_value_get_string (value));
+		break;
 	case PROP_PHASE2_CLIENT_CERT:
 		g_bytes_unref (priv->phase2_client_cert);
 		priv->phase2_client_cert = g_value_dup_boxed (value);
@@ -3656,6 +3706,8 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *klass)
 	 * the authentication server.  If a matching dNSName is found, this
 	 * constraint is met.  If no dNSName values are present, this constraint is
 	 * matched against SubjectName CN using same suffix match comparison.
+	 * Since version 1.24, multiple valid FQDNs can be passed as a ";" delimited
+	 * list.
 	 *
 	 * Since: 1.2
 	 **/
@@ -3671,6 +3723,30 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *klass)
 	                         G_PARAM_READWRITE |
 	                         G_PARAM_STATIC_STRINGS);
 
+	/**
+	 * NMSetting8021x:domain-match:
+	 *
+	 * Constraint for server domain name. If set, this list of FQDNs is used as
+	 * a match requirement for dNSName element(s) of the certificate presented
+	 * by the authentication server.  If a matching dNSName is found, this
+	 * constraint is met.  If no dNSName values are present, this constraint is
+	 * matched against SubjectName CN using the same comparison.
+	 * Multiple valid FQDNs can be passed as a ";" delimited list.
+	 *
+	 * Since: 1.24
+	 **/
+	/* ---ifcfg-rh---
+	 * property: domain-match
+	 * description: Value to match domain of server certificate against.
+	 * variable: IEEE_8021X_DOMAIN_MATCH(+)
+	 * ---end---
+	 */
+	obj_properties[PROP_DOMAIN_MATCH] =
+	    g_param_spec_string (NM_SETTING_802_1X_DOMAIN_MATCH, "", "",
+	                         NULL,
+	                         G_PARAM_READWRITE |
+	                         G_PARAM_STATIC_STRINGS);
+
 	/**
 	 * NMSetting8021x:client-cert:
 	 *
@@ -4006,6 +4082,8 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *klass)
 	 * a matching dNSName is found, this constraint is met.  If no dNSName
 	 * values are present, this constraint is matched against SubjectName CN
 	 * using same suffix match comparison.
+	 * Since version 1.24, multiple valid FQDNs can be passed as a ";" delimited
+	 * list.
 	 *
 	 * Since: 1.2
 	 **/
@@ -4021,6 +4099,31 @@ nm_setting_802_1x_class_init (NMSetting8021xClass *klass)
 	                         G_PARAM_READWRITE |
 	                         G_PARAM_STATIC_STRINGS);
 
+	/**
+	 * NMSetting8021x:phase2-domain-match:
+	 *
+	 * Constraint for server domain name. If set, this list of FQDNs is used as
+	 * a match requirement for dNSName element(s) of the certificate presented
+	 * by the authentication server during the inner "phase 2" authentication.
+	 * If a matching dNSName is found, this constraint is met.  If no dNSName
+	 * values are present, this constraint is matched against SubjectName CN
+	 * using the same comparison.
+	 * Multiple valid FQDNs can be passed as a ";" delimited list.
+	 *
+	 * Since: 1.24
+	 **/
+	/* ---ifcfg-rh---
+	 * property: phase2-domain-match
+	 * description: Value to match domain of server certificate for phase 2 against.
+	 * variable: IEEE_8021X_PHASE2_DOMAIN_MATCH(+)
+	 * ---end---
+	 */
+	obj_properties[PROP_PHASE2_DOMAIN_MATCH] =
+	    g_param_spec_string (NM_SETTING_802_1X_PHASE2_DOMAIN_MATCH, "", "",
+	                         NULL,
+	                         G_PARAM_READWRITE |
+	                         G_PARAM_STATIC_STRINGS);
+
 	/**
 	 * NMSetting8021x:phase2-client-cert:
 	 *

libnm-core/nm-setting-8021x.h

@@ -104,6 +104,7 @@ typedef enum { /*< flags, underscore_name=nm_setting_802_1x_auth_flags >*/
 #define NM_SETTING_802_1X_SUBJECT_MATCH "subject-match"
 #define NM_SETTING_802_1X_ALTSUBJECT_MATCHES "altsubject-matches"
 #define NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH "domain-suffix-match"
+#define NM_SETTING_802_1X_DOMAIN_MATCH "domain-match"
 #define NM_SETTING_802_1X_CLIENT_CERT "client-cert"
 #define NM_SETTING_802_1X_CLIENT_CERT_PASSWORD "client-cert-password"
 #define NM_SETTING_802_1X_CLIENT_CERT_PASSWORD_FLAGS "client-cert-password-flags"
@@ -120,6 +121,7 @@ typedef enum { /*< flags, underscore_name=nm_setting_802_1x_auth_flags >*/
 #define NM_SETTING_802_1X_PHASE2_SUBJECT_MATCH "phase2-subject-match"
 #define NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES "phase2-altsubject-matches"
 #define NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH "phase2-domain-suffix-match"
+#define NM_SETTING_802_1X_PHASE2_DOMAIN_MATCH "phase2-domain-match"
 #define NM_SETTING_802_1X_PHASE2_CLIENT_CERT "phase2-client-cert"
 #define NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD "phase2-client-cert-password"
 #define NM_SETTING_802_1X_PHASE2_CLIENT_CERT_PASSWORD_FLAGS "phase2-client-cert-password-flags"
@@ -230,6 +232,9 @@ void              nm_setting_802_1x_clear_altsubject_matches         (NMSetting8
 NM_AVAILABLE_IN_1_2
 const char *      nm_setting_802_1x_get_domain_suffix_match          (NMSetting8021x *setting);
 
+NM_AVAILABLE_IN_1_24
+const char *      nm_setting_802_1x_get_domain_match                 (NMSetting8021x *setting);
+
 NMSetting8021xCKScheme nm_setting_802_1x_get_client_cert_scheme      (NMSetting8021x *setting);
 GBytes *               nm_setting_802_1x_get_client_cert_blob        (NMSetting8021x *setting);
 const char *           nm_setting_802_1x_get_client_cert_path        (NMSetting8021x *setting);
@@ -287,6 +292,9 @@ void              nm_setting_802_1x_clear_phase2_altsubject_matches         (NMS
 NM_AVAILABLE_IN_1_2
 const char *      nm_setting_802_1x_get_phase2_domain_suffix_match          (NMSetting8021x *setting);
 
+NM_AVAILABLE_IN_1_24
+const char *      nm_setting_802_1x_get_phase2_domain_match                 (NMSetting8021x *setting);
+
 NMSetting8021xCKScheme nm_setting_802_1x_get_phase2_client_cert_scheme   (NMSetting8021x *setting);
 GBytes *               nm_setting_802_1x_get_phase2_client_cert_blob     (NMSetting8021x *setting);
 const char *           nm_setting_802_1x_get_phase2_client_cert_path     (NMSetting8021x *setting);

libnm/libnm.ver

@@ -1682,6 +1682,8 @@ global:
 	nm_secret_agent_old_get_dbus_connection;
 	nm_secret_agent_old_get_dbus_name_owner;
 	nm_secret_agent_old_get_main_context;
+	nm_setting_802_1x_get_domain_match;
+	nm_setting_802_1x_get_phase2_domain_match;
 	nm_setting_bond_get_option_normalized;
 	nm_setting_vrf_get_table;
 	nm_setting_vrf_get_type;

src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c

@@ -3669,6 +3669,14 @@ next:
 	v = svGetValueStr (ifcfg, "IEEE_8021X_PHASE2_DOMAIN_SUFFIX_MATCH", &value);
 	g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_DOMAIN_SUFFIX_MATCH, v, NULL);
 
+	nm_clear_g_free (&value);
+	v = svGetValueStr (ifcfg, "IEEE_8021X_DOMAIN_MATCH", &value);
+	g_object_set (s_8021x, NM_SETTING_802_1X_DOMAIN_MATCH, v, NULL);
+
+	nm_clear_g_free (&value);
+	v = svGetValueStr (ifcfg, "IEEE_8021X_PHASE2_DOMAIN_MATCH", &value);
+	g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_DOMAIN_MATCH, v, NULL);
+
 	timeout = svGetValueInt64 (ifcfg, "IEEE_8021X_AUTH_TIMEOUT", 10, 0, G_MAXINT32, 0);
 	g_object_set (s_8021x, NM_SETTING_802_1X_AUTH_TIMEOUT, (int) timeout, NULL);
 

src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.c

@@ -815,6 +815,7 @@ const NMSIfcfgKeyTypeInfo nms_ifcfg_well_known_keys[] = {
 	_KEY_TYPE ("IEEE_8021X_CLIENT_CERT",                      NMS_IFCFG_KEY_TYPE_IS_PLAIN ),
 	_KEY_TYPE ("IEEE_8021X_CLIENT_CERT_PASSWORD",             NMS_IFCFG_KEY_TYPE_IS_PLAIN ),
 	_KEY_TYPE ("IEEE_8021X_CLIENT_CERT_PASSWORD_FLAGS",       NMS_IFCFG_KEY_TYPE_IS_PLAIN ),
+	_KEY_TYPE ("IEEE_8021X_DOMAIN_MATCH",                     NMS_IFCFG_KEY_TYPE_IS_PLAIN ),
 	_KEY_TYPE ("IEEE_8021X_DOMAIN_SUFFIX_MATCH",              NMS_IFCFG_KEY_TYPE_IS_PLAIN ),
 	_KEY_TYPE ("IEEE_8021X_EAP_METHODS",                      NMS_IFCFG_KEY_TYPE_IS_PLAIN ),
 	_KEY_TYPE ("IEEE_8021X_FAST_PROVISIONING",                NMS_IFCFG_KEY_TYPE_IS_PLAIN ),
@@ -839,6 +840,7 @@ const NMSIfcfgKeyTypeInfo nms_ifcfg_well_known_keys[] = {
 	_KEY_TYPE ("IEEE_8021X_PEAP_VERSION",                     NMS_IFCFG_KEY_TYPE_IS_PLAIN ),
 	_KEY_TYPE ("IEEE_8021X_PHASE1_AUTH_FLAGS",                NMS_IFCFG_KEY_TYPE_IS_PLAIN ),
 	_KEY_TYPE ("IEEE_8021X_PHASE2_ALTSUBJECT_MATCHES",        NMS_IFCFG_KEY_TYPE_IS_PLAIN ),
+	_KEY_TYPE ("IEEE_8021X_PHASE2_DOMAIN_MATCH",              NMS_IFCFG_KEY_TYPE_IS_PLAIN ),
 	_KEY_TYPE ("IEEE_8021X_PHASE2_DOMAIN_SUFFIX_MATCH",       NMS_IFCFG_KEY_TYPE_IS_PLAIN ),
 	_KEY_TYPE ("IEEE_8021X_PHASE2_SUBJECT_MATCH",             NMS_IFCFG_KEY_TYPE_IS_PLAIN ),
 	_KEY_TYPE ("IEEE_8021X_PRIVATE_KEY",                      NMS_IFCFG_KEY_TYPE_IS_PLAIN ),

src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.h

@@ -33,7 +33,7 @@ typedef struct {
 	NMSIfcfgKeyTypeFlags key_flags;
 } NMSIfcfgKeyTypeInfo;
 
-extern const NMSIfcfgKeyTypeInfo nms_ifcfg_well_known_keys[229];
+extern const NMSIfcfgKeyTypeInfo nms_ifcfg_well_known_keys[231];
 
 const NMSIfcfgKeyTypeInfo *nms_ifcfg_well_known_key_find_info (const char *key, gssize *out_idx);
 

src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c

@@ -503,6 +503,11 @@ write_8021x_setting (NMConnection *connection,
 	svSetValueStr (ifcfg, "IEEE_8021X_PHASE2_DOMAIN_SUFFIX_MATCH",
 	               nm_setting_802_1x_get_phase2_domain_suffix_match (s_8021x));
 
+	svSetValueStr (ifcfg, "IEEE_8021X_DOMAIN_MATCH",
+	               nm_setting_802_1x_get_domain_match (s_8021x));
+	svSetValueStr (ifcfg, "IEEE_8021X_PHASE2_DOMAIN_MATCH",
+	               nm_setting_802_1x_get_phase2_domain_match (s_8021x));
+
 	vint = nm_setting_802_1x_get_auth_timeout (s_8021x);
 	svSetValueInt64_cond (ifcfg, "IEEE_8021X_AUTH_TIMEOUT", vint > 0, vint);
 

src/supplicant/nm-supplicant-config.c

@@ -1329,6 +1329,14 @@ nm_supplicant_config_add_setting_8021x (NMSupplicantConfig *self,
 	if (!add_string_val (self, value, "domain_suffix_match2", FALSE, NULL, error))
 		return FALSE;
 
+	/* domain match */
+	value = nm_setting_802_1x_get_domain_match (setting);
+	if (!add_string_val (self, value, "domain_match", FALSE, NULL, error))
+		return FALSE;
+	value = nm_setting_802_1x_get_phase2_domain_match (setting);
+	if (!add_string_val (self, value, "domain_match2", FALSE, NULL, error))
+		return FALSE;
+
 	/* Private key */
 	added = FALSE;
 	switch (nm_setting_802_1x_get_private_key_scheme (setting)) {

src/supplicant/nm-supplicant-settings-verify.c

@@ -99,6 +99,7 @@ static const struct Opt opt_table[] = {
 	{ "subject_match",      TYPE_BYTES,   0, 0, FALSE,  NULL },
 	{ "altsubject_match",   TYPE_BYTES,   0, 0, FALSE,  NULL },
 	{ "domain_suffix_match",TYPE_BYTES,   0, 0, FALSE,  NULL },
+	{ "domain_match",       TYPE_BYTES,   0, 0, FALSE,  NULL },
 	{ "ca_cert",            TYPE_BYTES,   0, 65536, FALSE,  NULL },
 	{ "client_cert",        TYPE_BYTES,   0, 65536, FALSE,  NULL },
 	{ "private_key",        TYPE_BYTES,   0, 65536, FALSE,  NULL },
@@ -110,6 +111,7 @@ static const struct Opt opt_table[] = {
 	{ "subject_match2",     TYPE_BYTES,   0, 0, FALSE,  NULL },
 	{ "altsubject_match2",  TYPE_BYTES,   0, 0, FALSE,  NULL },
 	{ "domain_suffix_match2", TYPE_BYTES, 0, 0, FALSE,  NULL },
+	{ "domain_match2",      TYPE_BYTES,   0, 0, FALSE,  NULL },
 	{ "ca_cert2",           TYPE_BYTES,   0, 65536, FALSE,  NULL },
 	{ "client_cert2",       TYPE_BYTES,   0, 65536, FALSE,  NULL },
 	{ "private_key2",       TYPE_BYTES,   0, 65536, FALSE,  NULL },