3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-29 05:39:24 +01:00

eap-tls: Add FastReauthentication setting

Seeing that some authenticators can't handle TLS session caching
properly, allow the EAP-TLS-based methods session caching support to be
disabled per-network using a method specific FastReauthentication setting.
Defaults to true.

With the previous commit, authentication should succeed at least every
other attempt.  I'd also expect that EAP-TLS is not usually affected
because there's no phase2, unlike with EAP-PEAP/EAP-TTLS.
This commit is contained in:
Andrew Zaborowski 2023-01-28 00:33:23 +01:00 committed by Denis Kenzior
parent 5db06bf935
commit ce3507558c
2 changed files with 39 additions and 2 deletions

View File

@ -116,6 +116,7 @@ struct eap_tls_state {
bool expecting_frag_ack:1; bool expecting_frag_ack:1;
bool tunnel_ready:1; bool tunnel_ready:1;
bool tls_session_resumed:1; bool tls_session_resumed:1;
bool tls_cache_disabled:1;
struct l_queue *ca_cert; struct l_queue *ca_cert;
struct l_certchain *client_cert; struct l_certchain *client_cert;
@ -179,7 +180,9 @@ static void __eap_tls_common_state_reset(struct eap_state *eap)
if (eap_tls->tls_session_resumed) if (eap_tls->tls_session_resumed)
l_warn("EAP: method did not finish after successful TLS" l_warn("EAP: method did not finish after successful TLS"
" session resumption."); " session resumption. If this repeats consider"
" disabling [Security].EAP-%sFastReauthentication",
eap_get_method_name(eap));
} }
eap_tls->tls_session_resumed = false; eap_tls->tls_session_resumed = false;
@ -691,7 +694,7 @@ static bool eap_tls_tunnel_init(struct eap_state *eap)
if (eap_tls->domain_mask) if (eap_tls->domain_mask)
l_tls_set_domain_mask(eap_tls->tunnel, eap_tls->domain_mask); l_tls_set_domain_mask(eap_tls->tunnel, eap_tls->domain_mask);
if (!eap_tls_session_cache_load) if (!eap_tls_session_cache_load || eap_tls->tls_cache_disabled)
goto start; goto start;
if (!eap_tls_session_cache) if (!eap_tls_session_cache)
@ -1040,6 +1043,16 @@ int eap_tls_common_settings_check(struct l_settings *settings,
return -EINVAL; return -EINVAL;
} }
snprintf(setting_key, sizeof(setting_key),
"%sFastReauthentication", prefix);
if (l_settings_has_key(settings, "Security", setting_key) &&
!l_settings_get_bool(settings, "Security",
setting_key, NULL)) {
l_error("Can't parse %s", setting_key);
return -EINVAL;
}
return 0; return 0;
} }
@ -1051,6 +1064,7 @@ bool eap_tls_common_settings_load(struct eap_state *eap,
struct eap_tls_state *eap_tls; struct eap_tls_state *eap_tls;
char setting_key[72]; char setting_key[72];
char *domain_mask_str; char *domain_mask_str;
bool bool_val;
L_AUTO_FREE_VAR(char *, value) = NULL; L_AUTO_FREE_VAR(char *, value) = NULL;
@ -1080,6 +1094,14 @@ bool eap_tls_common_settings_load(struct eap_state *eap,
l_free(domain_mask_str); l_free(domain_mask_str);
} }
snprintf(setting_key, sizeof(setting_key),
"%sFastReauthentication", prefix);
if (!l_settings_get_bool(settings, "Security", setting_key, &bool_val))
bool_val = true;
eap_tls->tls_cache_disabled = !bool_val;
eap_set_data(eap, eap_tls); eap_set_data(eap, eap_tls);
return true; return true;

View File

@ -281,6 +281,21 @@ connect to that network.
domain name. An asterisk segment in the mask matches any label. An domain name. An asterisk segment in the mask matches any label. An
asterisk segment at the beginning of the mask matches one or more asterisk segment at the beginning of the mask matches one or more
consecutive labels from the beginning of the domain string. consecutive labels from the beginning of the domain string.
* - | EAP-TLS-FastReauthentication,
| EAP-TTLS-FastReauthentication,
| EAP-PEAP-FastReauthentication,
- Values: **true**, false
Controls whether TLS session caching for EAP-TLS, EAP-TTLS and EAP-PEAP
is used. This allows for faster re-connections to EAP-Enterprise based
networks.
Some network authenticators may be misconfigured in a way that TLS
session resumption is allowed but actually attempting it will cause
the EAP method to fail or time out. In that case, assuming the
credentials and other settings are correct, every other connection
attempt will fail as sessions are cached and forgotten in alternating
attempts. Use this setting to disable caching for this network.
* - | EAP-TTLS-Phase2-Method * - | EAP-TTLS-Phase2-Method
- | The following values are allowed: - | The following values are allowed:
| Tunneled-CHAP, | Tunneled-CHAP,