eap-tls: Add FastReauthentication setting

Seeing that some authenticators can't handle TLS session caching properly, allow the EAP-TLS-based methods session caching support to be disabled per-network using a method specific FastReauthentication setting. Defaults to true. With the previous commit, authentication should succeed at least every other attempt. I'd also expect that EAP-TLS is not usually affected because there's no phase2, unlike with EAP-PEAP/EAP-TTLS.
2023-01-28 00:33:23 +01:00 · 2023-01-28 00:33:23 +01:00 · ce3507558c
parent 5db06bf935
commit ce3507558c
2 changed files with 39 additions and 2 deletions
--- a/src/eap-tls-common.c
+++ b/src/eap-tls-common.c
@ -116,6 +116,7 @@ struct eap_tls_state {
 	bool expecting_frag_ack:1;
 	bool tunnel_ready:1;
 	bool tls_session_resumed:1;
+	bool tls_cache_disabled:1;

 	struct l_queue *ca_cert;
 	struct l_certchain *client_cert;
@ -179,7 +180,9 @@ static void __eap_tls_common_state_reset(struct eap_state *eap)

 		if (eap_tls->tls_session_resumed)
 			l_warn("EAP: method did not finish after successful TLS"
-				" session resumption.");
+				" session resumption.  If this repeats consider"
+				" disabling [Security].EAP-%sFastReauthentication",
+				eap_get_method_name(eap));
 	}

 	eap_tls->tls_session_resumed = false;
@ -691,7 +694,7 @@ static bool eap_tls_tunnel_init(struct eap_state *eap)
 	if (eap_tls->domain_mask)
 		l_tls_set_domain_mask(eap_tls->tunnel, eap_tls->domain_mask);

-	if (!eap_tls_session_cache_load)
+	if (!eap_tls_session_cache_load || eap_tls->tls_cache_disabled)
 		goto start;

 	if (!eap_tls_session_cache)
@ -1040,6 +1043,16 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 		return -EINVAL;
 	}

+	snprintf(setting_key, sizeof(setting_key),
+					"%sFastReauthentication", prefix);
+
+	if (l_settings_has_key(settings, "Security", setting_key) &&
+			!l_settings_get_bool(settings, "Security",
+						setting_key, NULL)) {
+		l_error("Can't parse %s", setting_key);
+		return -EINVAL;
+	}
+
 	return 0;
 }

@ -1051,6 +1064,7 @@ bool eap_tls_common_settings_load(struct eap_state *eap,
 	struct eap_tls_state *eap_tls;
 	char setting_key[72];
 	char *domain_mask_str;
+	bool bool_val;

 	L_AUTO_FREE_VAR(char *, value) = NULL;

@ -1080,6 +1094,14 @@ bool eap_tls_common_settings_load(struct eap_state *eap,
 		l_free(domain_mask_str);
 	}

+	snprintf(setting_key, sizeof(setting_key),
+					"%sFastReauthentication", prefix);
+
+	if (!l_settings_get_bool(settings, "Security", setting_key, &bool_val))
+		bool_val = true;
+
+	eap_tls->tls_cache_disabled = !bool_val;
+
 	eap_set_data(eap, eap_tls);

 	return true;
--- a/src/iwd.network.rst
+++ b/src/iwd.network.rst
@ -281,6 +281,21 @@ connect to that network.
       domain name. An asterisk segment in the mask matches any label.  An
       asterisk segment at the beginning of the mask matches one or more
       consecutive labels from the beginning of the domain string.
+   * - | EAP-TLS-FastReauthentication,
+       | EAP-TTLS-FastReauthentication,
+       | EAP-PEAP-FastReauthentication,
+     - Values: **true**, false
+
+       Controls whether TLS session caching for EAP-TLS, EAP-TTLS and EAP-PEAP
+       is used.  This allows for faster re-connections to EAP-Enterprise based
+       networks.
+
+       Some network authenticators may be misconfigured in a way that TLS
+       session resumption is allowed but actually attempting it will cause
+       the EAP method to fail or time out.  In that case, assuming the
+       credentials and other settings are correct, every other connection
+       attempt will fail as sessions are cached and forgotten in alternating
+       attempts.  Use this setting to disable caching for this network.
   * - | EAP-TTLS-Phase2-Method
     - | The following values are allowed:
       |    Tunneled-CHAP,