From ce3507558c9f7b7da676bed142e64e97257abe46 Mon Sep 17 00:00:00 2001
From: Andrew Zaborowski
Date: Sat, 28 Jan 2023 00:33:23 +0100
Subject: [PATCH] eap-tls: Add FastReauthentication setting

Seeing that some authenticators can't handle TLS session caching properly, allow the EAP-TLS-based methods session caching support to be disabled per-network using a method specific FastReauthentication setting. Defaults to true. With the previous commit, authentication should succeed at least every other attempt. I'd also expect that EAP-TLS is not usually affected because there's no phase2, unlike with EAP-PEAP/EAP-TTLS.
---
 src/eap-tls-common.c | 26 ++++++++++++++++++++++++--
 src/iwd.network.rst | 15 +++++++++++++++
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/src/eap-tls-common.c b/src/eap-tls-common.c
index e21e215b..9c9f68a0 100644
--- a/src/eap-tls-common.c
+++ b/src/eap-tls-common.c
@@ -116,6 +116,7 @@ struct eap_tls_state {
 bool expecting_frag_ack:1;
 bool tunnel_ready:1;
 bool tls_session_resumed:1;
+ bool tls_cache_disabled:1;
 
 struct l_queue *ca_cert;
 struct l_certchain *client_cert;
@@ -179,7 +180,9 @@ static void __eap_tls_common_state_reset(struct eap_state *eap)
 
 if (eap_tls->tls_session_resumed)
 l_warn("EAP: method did not finish after successful TLS"
- " session resumption.");
+ " session resumption. If this repeats consider"
+ " disabling [Security].EAP-%sFastReauthentication",
+ eap_get_method_name(eap));
 }
 
 eap_tls->tls_session_resumed = false;
@@ -691,7 +694,7 @@ static bool eap_tls_tunnel_init(struct eap_state *eap)
 if (eap_tls->domain_mask)
 l_tls_set_domain_mask(eap_tls->tunnel, eap_tls->domain_mask);
 
- if (!eap_tls_session_cache_load)
+ if (!eap_tls_session_cache_load || eap_tls->tls_cache_disabled)
 goto start;
 
 if (!eap_tls_session_cache)
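Review bot: The hint added to the l_warn() in __eap_tls_common_state_reset drops the hyphen that the documented key names carry: the format `[Security].EAP-%sFastReauthentication` is filled with eap_get_method_name(), which presumably yields the bare method name (TLS, TTLS, PEAP), so the message would read `EAP-TLSFastReauthentication`, whereas iwd.network.rst in this same patch and the `%sFastReauthentication` key built from prefix in eap_tls_common_settings_check name it `EAP-TLS-FastReauthentication`. Unless the method name already ends in a hyphen, change the line to `" disabling [Security].EAP-%s-FastReauthentication",` so the user can copy the key verbatim into the network file. __eap_tls_common_state_reset begins outside the hunk.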
@@ -1040,6 +1043,16 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 return -EINVAL;
 }
 
+ snprintf(setting_key, sizeof(setting_key),
+ "%sFastReauthentication", prefix);
+
+ if (l_settings_has_key(settings, "Security", setting_key) &&
+ !l_settings_get_bool(settings, "Security",
+ setting_key, NULL)) {
+ l_error("Can't parse %s", setting_key);
+ return -EINVAL;
+ }
+
 return 0;
 }
 
@@ -1051,6 +1064,7 @@ bool eap_tls_common_settings_load(struct eap_state *eap,
 struct eap_tls_state *eap_tls;
 char setting_key[72];
 char *domain_mask_str;
+ bool bool_val;
 L_AUTO_FREE_VAR(char *, value) = NULL;
@@ -1080,6 +1094,14 @@ bool eap_tls_common_settings_load(struct eap_state *eap,
 l_free(domain_mask_str);
 }
 
+ snprintf(setting_key, sizeof(setting_key),
+ "%sFastReauthentication", prefix);
+
+ if (!l_settings_get_bool(settings, "Security", setting_key, &bool_val))
+ bool_val = true;
+
+ eap_tls->tls_cache_disabled = !bool_val;
+
 eap_set_data(eap, eap_tls);
 
 return true;
diff --git a/src/iwd.network.rst b/src/iwd.network.rst
index d3692834..719853fa 100644
--- a/src/iwd.network.rst
+++ b/src/iwd.network.rst
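Review bot: In eap_tls_common_settings_load the fallback `bool_val = true` covers both a missing key and an unparsable value, and nothing at that spot says the unparsable case is only safe because eap_tls_common_settings_check (the has_key/get_bool pair in the hunk at line 1043) has already rejected it. A one-line comment above the `if`, such as `/* Absent means enabled; an unparsable value is rejected by eap_tls_common_settings_check() */`, keeps the two functions from drifting apart if either is edited alone. It would also help to note next to the `eap_tls->tls_cache_disabled = !bool_val;` assignment that its only reader in this patch is the `goto start` in eap_tls_tunnel_init, which skips the session-cache load, so any later use (for example the store side) has to be added deliberately. eap_tls_common_settings_load begins outside the hunk.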
@@ -281,6 +281,21 @@ connect to that network.
 domain name. An asterisk segment in the mask matches any label. An asterisk segment at the beginning of the mask matches one or more consecutive labels from the beginning of the domain string.
+ * - | EAP-TLS-FastReauthentication,
+ | EAP-TTLS-FastReauthentication,
+ | EAP-PEAP-FastReauthentication,
+ - Values: **true**, false
+
+ Controls whether TLS session caching for EAP-TLS, EAP-TTLS and EAP-PEAP
+ is used. This allows for faster re-connections to EAP-Enterprise based
+ networks.
+
+ Some network authenticators may be misconfigured in a way that TLS
+ session resumption is allowed but actually attempting it will cause
+ the EAP method to fail or time out. In that case, assuming the
+ credentials and other settings are correct, every other connection
+ attempt will fail as sessions are cached and forgotten in alternating
+ attempts. Use this setting to disable caching for this network.
 * - | EAP-TTLS-Phase2-Method
 - | The following values are allowed:
 | Tunneled-CHAP,