authorVojtech Bubela <vbubela@redhat.com>2022-09-13 16:29:18 +0200
committerVojtech Bubela <vbubela@redhat.com>2022-09-20 11:40:30 +0200
commit6b6325b05d0fe83f303d18dbbdf855d209c79321 (patch)
tree73edf12d610e589dfb3a3a91874bfb6e36e91a21
parent8a0aa2c8acfd540d5455dd16bbf2bf9b10756418 (diff)
wpa_supplicant: add tls_disable_time_checks flag to phase 1 auth flagsadd_TLS_disable_time
-rw-r--r--src/core/supplicant/nm-supplicant-config.c2
-rw-r--r--src/core/supplicant/nm-supplicant-settings-verify.c4
-rw-r--r--src/libnm-core-impl/nm-setting-8021x.c7
-rw-r--r--src/libnm-core-public/nm-setting-8021x.h12
-rw-r--r--src/libnmc-setting/settings-docs.h.in2
-rw-r--r--src/nmcli/generate-docs-nm-settings-nmcli.xml.in2
6 files changed, 18 insertions, 11 deletions
diff --git a/src/core/supplicant/nm-supplicant-config.c b/src/core/supplicant/nm-supplicant-config.c
index 22c422a2e5..707ad98100 100644
--- a/src/core/supplicant/nm-supplicant-config.c
+++ b/src/core/supplicant/nm-supplicant-config.c
@@ -1375,6 +1375,8 @@ nm_supplicant_config_add_setting_8021x(NMSupplicantConfig *self,
g_string_append_printf(phase1, "%stls_disable_tlsv1_1=1", (phase1->len ? " " : ""));
if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE))
g_string_append_printf(phase1, "%stls_disable_tlsv1_2=1", (phase1->len ? " " : ""));
+ if (NM_FLAGS_HAS(phase1_auth_flags, NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_TIME_CHECKS))
+ g_string_append_printf(phase1, "%stls_disable_time_checks=1", (phase1->len ? " " : ""));
if (phase1->len) {
if (!add_string_val(self, phase1->str, "phase1", FALSE, NULL, error)) {
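Review bot: The added `tls_disable_time_checks=1` branch relaxes server certificate validation, and nothing next to it says so. The three TLS-version flags above it only restrict which protocol versions are offered, whereas wpa_supplicant documents this option as accepting certificates that have expired or are not yet valid. I would put a comment above the branch, for example `/* Weakens certificate validation: expired or not-yet-valid certificates are accepted by the supplicant. */`. It may also be worth logging once when the flag is set, so that a profile with relaxed validation shows up in the daemon log. The function begins and ends outside this hunk, so whether a logging call fits at this point needs to be confirmed against the rest of the body.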
diff --git a/src/core/supplicant/nm-supplicant-settings-verify.c b/src/core/supplicant/nm-supplicant-settings-verify.c
index 9881c552dc..1dc41b3471 100644
--- a/src/core/supplicant/nm-supplicant-settings-verify.c
+++ b/src/core/supplicant/nm-supplicant-settings-verify.c
@@ -113,7 +113,9 @@ static const struct Opt opt_table[] = {
"tls_disable_tlsv1_1=0",
"tls_disable_tlsv1_1=1",
"tls_disable_tlsv1_2=0",
- "tls_disable_tlsv1_2=1", )),
+ "tls_disable_tlsv1_2=1",
+ "tls_disable_time_checks=0",
+ "tls_disable_time_checks=1", )),
OPT_KEYWORD("phase2",
NM_MAKE_STRV("auth=PAP",
"auth=CHAP",
diff --git a/src/libnm-core-impl/nm-setting-8021x.c b/src/libnm-core-impl/nm-setting-8021x.c
index 5c36bed6bf..8858c0cebf 100644
--- a/src/libnm-core-impl/nm-setting-8021x.c
+++ b/src/libnm-core-impl/nm-setting-8021x.c
@@ -3583,9 +3583,10 @@ nm_setting_802_1x_class_init(NMSetting8021xClass *klass)
*
* Specifies authentication flags to use in "phase 1" outer
* authentication using #NMSetting8021xAuthFlags options.
- * The individual TLS versions can be explicitly disabled. If a certain
- * TLS disable flag is not set, it is up to the supplicant to allow
- * or forbid it. The TLS options map to tls_disable_tlsv1_x settings.
+ * The individual TLS versions can be explicitly disabled. TLS time checks
+ * can be also disabled. If a certain TLS disable flag is not
+ * set, it is up to the supplicant to allow or forbid it. The TLS options
+ * map to tls_disable_tlsv1_x and tls_disable_time_checks settings.
* See the wpa_supplicant documentation for more details.
*
* Since: 1.8
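Review bot: The new sentence "TLS time checks can be also disabled" does not tell the reader what protection is given up when the flag is set. I would spell it out, for example `* The certificate validity-period check can also be disabled, in which case expired or not-yet-valid server certificates are accepted.` The next sentence ("If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it") was written for the version flags and reads ambiguously for a flag that switches off a check. The same text is repeated in `settings-docs.h.in` and `generate-docs-nm-settings-nmcli.xml.in`, and the enum description in `nm-setting-8021x.h` ("Disable TLS time checks") is equally terse, so all of them should change together. The comment block starts and ends outside this hunk.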
diff --git a/src/libnm-core-public/nm-setting-8021x.h b/src/libnm-core-public/nm-setting-8021x.h
index 93c78fa374..c5da7df5b1 100644
--- a/src/libnm-core-public/nm-setting-8021x.h
+++ b/src/libnm-core-public/nm-setting-8021x.h
@@ -65,6 +65,7 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE: Disable TLSv1.0
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE: Disable TLSv1.1
* @NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE: Disable TLSv1.2
+ * @NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_TIME_CHECKS: Disable TLS time checks. Since 1.42.
* @NM_SETTING_802_1X_AUTH_FLAGS_ALL: All supported flags
*
* #NMSetting8021xAuthFlags values indicate which authentication settings
@@ -76,12 +77,13 @@ typedef enum { /*< underscore_name=nm_setting_802_1x_ck_scheme >*/
* Since: 1.8
*/
typedef enum /*< underscore_name=nm_setting_802_1x_auth_flags, flags >*/ {
- NM_SETTING_802_1X_AUTH_FLAGS_NONE = 0,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE = 0x1,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE = 0x2,
- NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE = 0x4,
+ NM_SETTING_802_1X_AUTH_FLAGS_NONE = 0,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_0_DISABLE = 0x1,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_1_DISABLE = 0x2,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_1_2_DISABLE = 0x4,
+ NM_SETTING_802_1X_AUTH_FLAGS_TLS_DISABLE_TIME_CHECKS = 0x8,
- NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0x7,
+ NM_SETTING_802_1X_AUTH_FLAGS_ALL = 0xF,
} NMSetting8021xAuthFlags;
#define NM_TYPE_SETTING_802_1X (nm_setting_802_1x_get_type())
diff --git a/src/libnmc-setting/settings-docs.h.in b/src/libnmc-setting/settings-docs.h.in
index 4fdafed5db..4df96c7d31 100644
--- a/src/libnmc-setting/settings-docs.h.in
+++ b/src/libnmc-setting/settings-docs.h.in
@@ -49,7 +49,7 @@
#define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD_FLAGS N_("Flags indicating how to handle the \"password\" property.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD_RAW N_("Password used for EAP authentication methods, given as a byte array to allow passwords in other encodings than UTF-8 to be used. If both the \"password\" property and the \"password-raw\" property are specified, \"password\" is preferred.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PASSWORD_RAW_FLAGS N_("Flags indicating how to handle the \"password-raw\" property.")
-#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_AUTH_FLAGS N_("Specifies authentication flags to use in \"phase 1\" outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. See the wpa_supplicant documentation for more details.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_AUTH_FLAGS N_("Specifies authentication flags to use in \"phase 1\" outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. TLS time checks can be also disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x and tls_disable_time_checks settings. See the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_FAST_PROVISIONING N_("Enables or disables in-line provisioning of EAP-FAST credentials when FAST is specified as the EAP method in the \"eap\" property. Recognized values are \"0\" (disabled), \"1\" (allow unauthenticated provisioning), \"2\" (allow authenticated provisioning), and \"3\" (allow both authenticated and unauthenticated provisioning). See the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_PEAPLABEL N_("Forces use of the new PEAP label during key derivation. Some RADIUS servers may require forcing the new PEAP label to interoperate with PEAPv1. Set to \"1\" to force use of the new PEAP label. See the wpa_supplicant documentation for more details.")
#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_PEAPVER N_("Forces which PEAP version is used when PEAP is set as the EAP method in the \"eap\" property. When unset, the version reported by the server will be used. Sometimes when using older RADIUS servers, it is necessary to force the client to use a particular PEAP version. To do so, this property may be set to \"0\" or \"1\" to force that specific PEAP version.")
diff --git a/src/nmcli/generate-docs-nm-settings-nmcli.xml.in b/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
index a9bde03d9b..c3cb530096 100644
--- a/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
+++ b/src/nmcli/generate-docs-nm-settings-nmcli.xml.in
@@ -143,7 +143,7 @@
<property name="phase1-fast-provisioning"
description="Enables or disables in-line provisioning of EAP-FAST credentials when FAST is specified as the EAP method in the &quot;eap&quot; property. Recognized values are &quot;0&quot; (disabled), &quot;1&quot; (allow unauthenticated provisioning), &quot;2&quot; (allow authenticated provisioning), and &quot;3&quot; (allow both authenticated and unauthenticated provisioning). See the wpa_supplicant documentation for more details." />
<property name="phase1-auth-flags"
- description="Specifies authentication flags to use in &quot;phase 1&quot; outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. See the wpa_supplicant documentation for more details." />
+ description="Specifies authentication flags to use in &quot;phase 1&quot; outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. TLS time checks can be also disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x and tls_disable_time_checks settings. See the wpa_supplicant documentation for more details." />
<property name="phase2-auth"
description="Specifies the allowed &quot;phase 2&quot; inner authentication method when an EAP method that uses an inner TLS tunnel is specified in the &quot;eap&quot; property. For TTLS this property selects one of the supported non-EAP inner methods: &quot;pap&quot;, &quot;chap&quot;, &quot;mschap&quot;, &quot;mschapv2&quot; while &quot;phase2-autheap&quot; selects an EAP inner method. For PEAP this selects an inner EAP method, one of: &quot;gtc&quot;, &quot;otp&quot;, &quot;md5&quot; and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. Both &quot;phase2-auth&quot; and &quot;phase2-autheap&quot; cannot be specified." />
<property name="phase2-autheap"