eap-tls: Add FastReauthentication setting
Since some authenticators can't handle TLS session resumption properly, allow session caching in the EAP-TLS-based methods to be disabled per network using a method-specific FastReauthentication setting. It defaults to true. With the previous commit, authentication should succeed at least every other attempt. I'd also expect that EAP-TLS is not usually affected because there is no phase 2, unlike with EAP-PEAP/EAP-TTLS.
This commit is contained in:
parent
5db06bf935
commit
ce3507558c
@ -116,6 +116,7 @@ struct eap_tls_state {
|
|||||||
bool expecting_frag_ack:1;
|
bool expecting_frag_ack:1;
|
||||||
bool tunnel_ready:1;
|
bool tunnel_ready:1;
|
||||||
bool tls_session_resumed:1;
|
bool tls_session_resumed:1;
|
||||||
|
bool tls_cache_disabled:1;
|
||||||
|
|
||||||
struct l_queue *ca_cert;
|
struct l_queue *ca_cert;
|
||||||
struct l_certchain *client_cert;
|
struct l_certchain *client_cert;
|
||||||
@ -179,7 +180,9 @@ static void __eap_tls_common_state_reset(struct eap_state *eap)
|
|||||||
|
|
||||||
if (eap_tls->tls_session_resumed)
|
if (eap_tls->tls_session_resumed)
|
||||||
l_warn("EAP: method did not finish after successful TLS"
|
l_warn("EAP: method did not finish after successful TLS"
|
||||||
" session resumption.");
|
" session resumption. If this repeats consider"
|
||||||
|
" disabling [Security].EAP-%sFastReauthentication",
|
||||||
|
eap_get_method_name(eap));
|
||||||
}
|
}
|
||||||
|
|
||||||
eap_tls->tls_session_resumed = false;
|
eap_tls->tls_session_resumed = false;
|
||||||
@ -691,7 +694,7 @@ static bool eap_tls_tunnel_init(struct eap_state *eap)
|
|||||||
if (eap_tls->domain_mask)
|
if (eap_tls->domain_mask)
|
||||||
l_tls_set_domain_mask(eap_tls->tunnel, eap_tls->domain_mask);
|
l_tls_set_domain_mask(eap_tls->tunnel, eap_tls->domain_mask);
|
||||||
|
|
||||||
if (!eap_tls_session_cache_load)
|
if (!eap_tls_session_cache_load || eap_tls->tls_cache_disabled)
|
||||||
goto start;
|
goto start;
|
||||||
|
|
||||||
if (!eap_tls_session_cache)
|
if (!eap_tls_session_cache)
|
||||||
@ -1040,6 +1043,16 @@ int eap_tls_common_settings_check(struct l_settings *settings,
|
|||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
snprintf(setting_key, sizeof(setting_key),
|
||||||
|
"%sFastReauthentication", prefix);
|
||||||
|
|
||||||
|
if (l_settings_has_key(settings, "Security", setting_key) &&
|
||||||
|
!l_settings_get_bool(settings, "Security",
|
||||||
|
setting_key, NULL)) {
|
||||||
|
l_error("Can't parse %s", setting_key);
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1051,6 +1064,7 @@ bool eap_tls_common_settings_load(struct eap_state *eap,
|
|||||||
struct eap_tls_state *eap_tls;
|
struct eap_tls_state *eap_tls;
|
||||||
char setting_key[72];
|
char setting_key[72];
|
||||||
char *domain_mask_str;
|
char *domain_mask_str;
|
||||||
|
bool bool_val;
|
||||||
|
|
||||||
L_AUTO_FREE_VAR(char *, value) = NULL;
|
L_AUTO_FREE_VAR(char *, value) = NULL;
|
||||||
|
|
||||||
@ -1080,6 +1094,14 @@ bool eap_tls_common_settings_load(struct eap_state *eap,
|
|||||||
l_free(domain_mask_str);
|
l_free(domain_mask_str);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
snprintf(setting_key, sizeof(setting_key),
|
||||||
|
"%sFastReauthentication", prefix);
|
||||||
|
|
||||||
|
if (!l_settings_get_bool(settings, "Security", setting_key, &bool_val))
|
||||||
|
bool_val = true;
|
||||||
|
|
||||||
|
eap_tls->tls_cache_disabled = !bool_val;
|
||||||
|
|
||||||
eap_set_data(eap, eap_tls);
|
eap_set_data(eap, eap_tls);
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
|
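Review bot: The advice text added in the __eap_tls_common_state_reset() hunk formats the setting as `EAP-%sFastReauthentication`, which prints `EAP-TLSFastReauthentication` if eap_get_method_name() returns the bare method name (TLS, TTLS, PEAP) as it appears to, whereas the documented key in the rst hunk and the one built by the settings code is `EAP-TLS-FastReauthentication` with a hyphen. A user who follows the warning verbatim sets a key that is never read, and because eap_tls_common_settings_load() silently defaults an absent key to true, caching stays enabled with no error to point at the typo. Change the format to `" disabling [Security].EAP-%s-FastReauthentication",`, or derive the name from the same prefix string passed to eap_tls_common_settings_check() so the log text and the parser cannot drift apart. __eap_tls_common_state_reset() starts before this hunk, so the surrounding control flow is not visible here.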
@ -281,6 +281,21 @@ connect to that network.
|
|||||||
domain name. An asterisk segment in the mask matches any label. An
|
domain name. An asterisk segment in the mask matches any label. An
|
||||||
asterisk segment at the beginning of the mask matches one or more
|
asterisk segment at the beginning of the mask matches one or more
|
||||||
consecutive labels from the beginning of the domain string.
|
consecutive labels from the beginning of the domain string.
|
||||||
|
* - | EAP-TLS-FastReauthentication,
|
||||||
|
| EAP-TTLS-FastReauthentication,
|
||||||
|
| EAP-PEAP-FastReauthentication,
|
||||||
|
- Values: **true**, false
|
||||||
|
|
||||||
|
Controls whether TLS session caching for EAP-TLS, EAP-TTLS and EAP-PEAP
|
||||||
|
is used. This allows for faster re-connections to EAP-Enterprise based
|
||||||
|
networks.
|
||||||
|
|
||||||
|
Some network authenticators may be misconfigured in a way that TLS
|
||||||
|
session resumption is allowed but actually attempting it will cause
|
||||||
|
the EAP method to fail or time out. In that case, assuming the
|
||||||
|
credentials and other settings are correct, every other connection
|
||||||
|
attempt will fail as sessions are cached and forgotten in alternating
|
||||||
|
attempts. Use this setting to disable caching for this network.
|
||||||
* - | EAP-TTLS-Phase2-Method
|
* - | EAP-TTLS-Phase2-Method
|
||||||
- | The following values are allowed:
|
- | The following values are allowed:
|
||||||
| Tunneled-CHAP,
|
| Tunneled-CHAP,
|
||||||