802.1x: add openssl_ciphers setting

Setting for wpa_supplicant openssl_ciphers - openssl sometimes moves
ciphers among SECLEVELs. That is generaly a good thing, but some servers
are too old to support newer ciphers. Thus expert user should be allowed
to define openssl_ciphers per connection, so that they can connect to
old server, while not compromising security of other connections.

src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c

@@ -4129,6 +4129,10 @@ next:
     v = svGetValueStr(ifcfg, "IEEE_8021X_PHASE2_CA_PATH", &value);
     g_object_set(s_8021x, NM_SETTING_802_1X_PHASE2_CA_PATH, v, NULL);
 
+    nm_clear_g_free(&value);
+    v = svGetValueStr(ifcfg, "IEEE_8021X_OPENSSL_CIPHERS", &value);
+    g_object_set(s_8021x, NM_SETTING_802_1X_OPENSSL_CIPHERS, v, NULL);
+
     g_object_set(s_8021x,
                  NM_SETTING_802_1X_OPTIONAL,
                  svGetValueBoolean(ifcfg, "IEEE_8021X_OPTIONAL", FALSE),

src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.c

@@ -828,6 +828,7 @@ const NMSIfcfgKeyTypeInfo nms_ifcfg_well_known_keys[] = {
     _KEY_TYPE("IEEE_8021X_INNER_PRIVATE_KEY", NMS_IFCFG_KEY_TYPE_IS_PLAIN),
     _KEY_TYPE("IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD", NMS_IFCFG_KEY_TYPE_IS_PLAIN),
     _KEY_TYPE("IEEE_8021X_INNER_PRIVATE_KEY_PASSWORD_FLAGS", NMS_IFCFG_KEY_TYPE_IS_PLAIN),
+    _KEY_TYPE("IEEE_8021X_OPENSSL_CIPHERS", NMS_IFCFG_KEY_TYPE_IS_PLAIN),
     _KEY_TYPE("IEEE_8021X_OPTIONAL", NMS_IFCFG_KEY_TYPE_IS_PLAIN),
     _KEY_TYPE("IEEE_8021X_PAC_FILE", NMS_IFCFG_KEY_TYPE_IS_PLAIN),
     _KEY_TYPE("IEEE_8021X_PASSWORD", NMS_IFCFG_KEY_TYPE_IS_PLAIN),

src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-utils.h

@@ -33,7 +33,7 @@ typedef struct {
     NMSIfcfgKeyTypeFlags key_flags;
 } NMSIfcfgKeyTypeInfo;
 
-extern const NMSIfcfgKeyTypeInfo nms_ifcfg_well_known_keys[264];
+extern const NMSIfcfgKeyTypeInfo nms_ifcfg_well_known_keys[265];
 
 const NMSIfcfgKeyTypeInfo *nms_ifcfg_well_known_key_find_info(const char *key, gssize *out_idx);
 

src/core/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c

@@ -579,6 +579,10 @@ write_8021x_setting(NMConnection *connection,
                "IEEE_8021X_PIN_FLAGS",
                nm_setting_802_1x_get_pin_flags(s_8021x));
 
+    svSetValueStr(ifcfg,
+                  "IEEE_8021X_OPENSSL_CIPHERS",
+                  nm_setting_802_1x_get_openssl_ciphers(s_8021x));
+
     if (!write_8021x_certs(s_8021x, secrets, blobs, FALSE, ifcfg, error))
         return FALSE;
 

src/core/settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wired-8021x-peap-mschapv2

@@ -13,3 +13,4 @@ IEEE_8021X_PEAP_VERSION=1
 IEEE_8021X_PEAP_FORCE_NEW_LABEL=yes
 IEEE_8021X_INNER_AUTH_METHODS=MSCHAPV2
 IEEE_8021X_ANON_IDENTITY=somebody
+IEEE_8021X_OPENSSL_CIPHERS=DEFAULT@SECLEVEL=0

src/core/settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c

@@ -5317,6 +5317,8 @@ test_write_wired_dhcp_8021x_peap_mschapv2(void)
                  "1",
                  NM_SETTING_802_1X_PHASE2_AUTH,
                  "mschapv2",
+                 NM_SETTING_802_1X_OPENSSL_CIPHERS,
+                 "DEFAULT@SECLEVEL=0",
                  NULL);
     nm_setting_802_1x_add_eap_method(s_8021x, "peap");
 

src/core/supplicant/nm-supplicant-config.c

@@ -1811,6 +1811,9 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
     value = nm_setting_802_1x_get_anonymous_identity(setting);
     if (!add_string_val(self, value, "anonymous_identity", FALSE, NULL, error))
         return FALSE;
+    value = nm_setting_802_1x_get_openssl_ciphers(setting);
+    if (value && !add_string_val(self, value, "openssl_ciphers", FALSE, NULL, error))
+        return FALSE;
 
     return TRUE;
 }

src/core/supplicant/nm-supplicant-settings-verify.c

@@ -93,6 +93,7 @@ static const struct Opt opt_table[] = {
     OPT_BYTES("mka_cak", 65536),
     OPT_BYTES("mka_ckn", 65536),
     OPT_BYTES("nai", 0),
+    OPT_BYTES("openssl_ciphers", 0),
     OPT_INT("owe_only", 0, 1),
     OPT_BYTES("pac_file", 0),
     OPT_KEYWORD("pairwise", NM_MAKE_STRV("CCMP", "TKIP", "GCMP-256", "NONE", )),

src/libnm-client-impl/libnm.ver

@@ -1991,4 +1991,5 @@ global:
 	nm_setting_wireless_get_num_mac_denylist_items;
 	nm_setting_wireless_remove_mac_denylist_item;
 	nm_setting_wireless_remove_mac_denylist_item_by_value;
+	nm_setting_802_1x_get_openssl_ciphers;
 } libnm_1_46_0;

src/libnm-core-impl/gen-metadata-nm-settings-libnm-core.xml.in

@@ -311,6 +311,10 @@
                   dbus-type="s"
                   gprop-type="gchararray"
                   />
+        <property name="openssl-ciphers"
+                  dbus-type="s"
+                  gprop-type="gchararray"
+                  />
         <property name="optional"
                   dbus-type="b"
                   gprop-type="gboolean"

src/libnm-core-impl/nm-setting-8021x.c

@@ -131,7 +131,8 @@ NM_GOBJECT_PROPERTIES_DEFINE(NMSetting8021x,
                              PROP_PIN_FLAGS,
                              PROP_SYSTEM_CA_CERTS,
                              PROP_OPTIONAL,
-                             PROP_AUTH_TIMEOUT, );
+                             PROP_AUTH_TIMEOUT,
+                             PROP_OPENSSL_CIPHERS, );
 
 typedef struct {
     GSList *eap; /* GSList of strings */
@@ -168,6 +169,7 @@ typedef struct {
     char   *private_key_password;
     GBytes *phase2_private_key;
     char   *phase2_private_key_password;
+    char   *openssl_ciphers;
     guint   ca_cert_password_flags;
     guint   client_cert_password_flags;
     guint   phase2_ca_cert_password_flags;
@@ -2498,6 +2500,24 @@ nm_setting_802_1x_get_optional(NMSetting8021x *setting)
     return NM_SETTING_802_1X_GET_PRIVATE(setting)->optional;
 }
 
+/**
+ * nm_setting_802_1x_get_openssl_ciphers:
+ * @setting: the #NMSetting8021x
+ *
+ * Returns the openssl_ciphers configuration for wpa_supplicant.
+ *
+ * Returns: cipher string for tls setup in wpa_supplicant.
+ *
+ * Since: 1.48
+ **/
+const char *
+nm_setting_802_1x_get_openssl_ciphers(NMSetting8021x *setting)
+{
+    g_return_val_if_fail(NM_IS_SETTING_802_1X(setting), NULL);
+
+    return NM_SETTING_802_1X_GET_PRIVATE(setting)->openssl_ciphers;
+}
+
 /*****************************************************************************/
 
 static void
@@ -4364,6 +4384,30 @@ nm_setting_802_1x_class_init(NMSetting8021xClass *klass)
                                                NMSetting8021xPrivate,
                                                optional);
 
+    /**
+     * NMSetting8021x:openssl-ciphers:
+     *
+     * Define openssl_ciphers for wpa_supplicant. Openssl sometimes moves ciphers
+     * among SECLEVELs, thus compiled-in default value in wpa_supplicant
+     * (as modified by some linux distributions) sometimes prevents
+     * to connect to old servers that do not support new protocols.
+     *
+     * Since: 1.48
+     **/
+    /* ---ifcfg-rh---
+     * property: openssl-ciphers
+     * variable: IEEE_8021X_OPENSSL_CIPHERS(+)
+     * description: Cipher string for tls setup of wpa_supplicant.
+     * ---end---
+     */
+    _nm_setting_property_define_direct_string(properties_override,
+                                              obj_properties,
+                                              NM_SETTING_802_1X_OPENSSL_CIPHERS,
+                                              PROP_OPENSSL_CIPHERS,
+                                              NM_SETTING_PARAM_NONE,
+                                              NMSetting8021xPrivate,
+                                              openssl_ciphers);
+
     g_object_class_install_properties(object_class, _PROPERTY_ENUMS_LAST, obj_properties);
 
     _nm_setting_class_commit(setting_class,

src/libnm-core-impl/tests/test-secrets.c

@@ -250,6 +250,8 @@ make_tls_phase2_connection(const char *detail, NMSetting8021xCKScheme scheme)
                                           &error);
     nmtst_assert_success(success, error);
 
+    g_object_set(s_8021x, NM_SETTING_802_1X_OPENSSL_CIPHERS, "DEFAULT@SECLEVEL=0", NULL);
+
     /* IP4 setting */
     s_ip4 = (NMSettingIP4Config *) nm_setting_ip4_config_new();
     nm_connection_add_setting(connection, NM_SETTING(s_ip4));

src/libnm-core-public/nm-setting-8021x.h

@@ -155,6 +155,7 @@ typedef enum /*< underscore_name=nm_setting_802_1x_auth_flags, flags >*/ {
 #define NM_SETTING_802_1X_SYSTEM_CA_CERTS                   "system-ca-certs"
 #define NM_SETTING_802_1X_AUTH_TIMEOUT                      "auth-timeout"
 #define NM_SETTING_802_1X_OPTIONAL                          "optional"
+#define NM_SETTING_802_1X_OPENSSL_CIPHERS                   "openssl-ciphers"
 
 /* PRIVATE KEY NOTE: when setting PKCS#12 private keys directly via properties
  * using the "blob" scheme, the data must be passed in PKCS#12 binary format.
@@ -358,6 +359,8 @@ NM_AVAILABLE_IN_1_8
 int nm_setting_802_1x_get_auth_timeout(NMSetting8021x *setting);
 NM_AVAILABLE_IN_1_22
 gboolean nm_setting_802_1x_get_optional(NMSetting8021x *setting);
+NM_AVAILABLE_IN_1_48
+const char *nm_setting_802_1x_get_openssl_ciphers(NMSetting8021x *setting);
 
 G_END_DECLS
 

src/libnmc-setting/nm-meta-setting-desc.c

@@ -5162,6 +5162,9 @@ static const NMMetaPropertyInfo *const property_infos_802_1X[] = {
     PROPERTY_INFO_WITH_DESC (NM_SETTING_802_1X_AUTH_TIMEOUT,
         .property_type =                &_pt_gobject_int,
     ),
+    PROPERTY_INFO_WITH_DESC (NM_SETTING_802_1X_OPENSSL_CIPHERS,
+        .property_type =                &_pt_gobject_string,
+    ),
     NULL
 };
 

src/libnmc-setting/settings-docs.h.in

@@ -47,6 +47,7 @@
 #define DESCRIBE_DOC_NM_SETTING_802_1X_DOMAIN_SUFFIX_MATCH N_("Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for dNSName element(s) of the certificate presented by the authentication server.  If a matching dNSName is found, this constraint is met.  If no dNSName values are present, this constraint is matched against SubjectName CN using same suffix match comparison. Since version 1.24, multiple valid FQDNs can be passed as a \";\" delimited list.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_EAP N_("The allowed EAP method to be used when authenticating to the network with 802.1x.  Valid methods are: \"leap\", \"md5\", \"tls\", \"peap\", \"ttls\", \"pwd\", and \"fast\".  Each method requires different configuration using the properties of this setting; refer to wpa_supplicant documentation for the allowed combinations.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_IDENTITY N_("Identity string for EAP authentication methods.  Often the user's user or login name.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_OPENSSL_CIPHERS N_("Define openssl_ciphers for wpa_supplicant. Openssl sometimes moves ciphers among SECLEVELs, thus compiled-in default value in wpa_supplicant (as modified by some linux distributions) sometimes prevents to connect to old servers that do not support new protocols.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_OPTIONAL N_("Whether the 802.1X authentication is optional. If TRUE, the activation will continue even after a timeout or an authentication failure. Setting the property to TRUE is currently allowed only for Ethernet connections. If set to FALSE, the activation can continue only after a successful authentication.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PAC_FILE N_("UTF-8 encoded file path containing PAC for EAP-FAST.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD N_("UTF-8 encoded password used for EAP authentication methods. If both the \"password\" property and the \"password-raw\" property are specified, \"password\" is preferred.")

src/nmcli/gen-metadata-nm-settings-nmcli.xml.in

@@ -327,6 +327,9 @@
                   nmcli-description="A timeout for the authentication. Zero means the global default; if the global default is not set, the authentication timeout is 25 seconds."
                   format="integer"
                   values="0 - 2147483647" />
+        <property name="openssl-ciphers"
+                  nmcli-description="Define openssl_ciphers for wpa_supplicant. Openssl sometimes moves ciphers among SECLEVELs, thus compiled-in default value in wpa_supplicant (as modified by some linux distributions) sometimes prevents to connect to old servers that do not support new protocols."
+                  format="string" />
     </setting>
     <setting name="802-3-ethernet"
              alias="ethernet" >