eap-tls: Add FastReauthentication setting
Seeing that some authenticators can't handle TLS session caching properly, allow the EAP-TLS-based methods' session caching support to be disabled per network using a method-specific FastReauthentication setting. Defaults to true. With the previous commit, authentication should succeed at least every other attempt. I'd also expect that EAP-TLS is not usually affected because there's no phase2, unlike with EAP-PEAP/EAP-TTLS.
This commit is contained in:
parent
5db06bf935
commit
ce3507558c
@ -116,6 +116,7 @@ struct eap_tls_state {
|
||||
bool expecting_frag_ack:1;
|
||||
bool tunnel_ready:1;
|
||||
bool tls_session_resumed:1;
|
||||
bool tls_cache_disabled:1;
|
||||
|
||||
struct l_queue *ca_cert;
|
||||
struct l_certchain *client_cert;
|
||||
@ -179,7 +180,9 @@ static void __eap_tls_common_state_reset(struct eap_state *eap)
|
||||
|
||||
if (eap_tls->tls_session_resumed)
|
||||
l_warn("EAP: method did not finish after successful TLS"
|
||||
" session resumption.");
|
||||
" session resumption. If this repeats consider"
|
||||
" disabling [Security].EAP-%sFastReauthentication",
|
||||
eap_get_method_name(eap));
|
||||
}
|
||||
|
||||
eap_tls->tls_session_resumed = false;
|
||||
@ -691,7 +694,7 @@ static bool eap_tls_tunnel_init(struct eap_state *eap)
|
||||
if (eap_tls->domain_mask)
|
||||
l_tls_set_domain_mask(eap_tls->tunnel, eap_tls->domain_mask);
|
||||
|
||||
if (!eap_tls_session_cache_load)
|
||||
if (!eap_tls_session_cache_load || eap_tls->tls_cache_disabled)
|
||||
goto start;
|
||||
|
||||
if (!eap_tls_session_cache)
|
||||
@ -1040,6 +1043,16 @@ int eap_tls_common_settings_check(struct l_settings *settings,
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
snprintf(setting_key, sizeof(setting_key),
|
||||
"%sFastReauthentication", prefix);
|
||||
|
||||
if (l_settings_has_key(settings, "Security", setting_key) &&
|
||||
!l_settings_get_bool(settings, "Security",
|
||||
setting_key, NULL)) {
|
||||
l_error("Can't parse %s", setting_key);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -1051,6 +1064,7 @@ bool eap_tls_common_settings_load(struct eap_state *eap,
|
||||
struct eap_tls_state *eap_tls;
|
||||
char setting_key[72];
|
||||
char *domain_mask_str;
|
||||
bool bool_val;
|
||||
|
||||
L_AUTO_FREE_VAR(char *, value) = NULL;
|
||||
|
||||
@ -1080,6 +1094,14 @@ bool eap_tls_common_settings_load(struct eap_state *eap,
|
||||
l_free(domain_mask_str);
|
||||
}
|
||||
|
||||
snprintf(setting_key, sizeof(setting_key),
|
||||
"%sFastReauthentication", prefix);
|
||||
|
||||
if (!l_settings_get_bool(settings, "Security", setting_key, &bool_val))
|
||||
bool_val = true;
|
||||
|
||||
eap_tls->tls_cache_disabled = !bool_val;
|
||||
|
||||
eap_set_data(eap, eap_tls);
|
||||
|
||||
return true;
|
||||
|
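Review bot: The warning added in the `__eap_tls_common_state_reset` hunk, `" disabling [Security].EAP-%sFastReauthentication"`, looks like it is missing the hyphen after the method name: the settings hunks build the key as `"%sFastReauthentication"` from a prefix that, judging by the names documented in the rst hunk (`EAP-TLS-FastReauthentication`), already ends in a hyphen, while eap_get_method_name() presumably returns the bare method name. If so, the hint points users at `EAP-TLSFastReauthentication`, a key that does not exist, and the line should read `" disabling [Security].EAP-%s-FastReauthentication",`. In the `eap_tls_common_settings_check` hunk, `l_settings_get_bool(settings, "Security", setting_key, NULL)` relies on the library tolerating a NULL out pointer; passing a scratch `bool` or adding a one-line comment stating that NULL is accepted there would make that explicit. Both enclosing functions start outside their hunks.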
@ -281,6 +281,21 @@ connect to that network.
|
||||
domain name. An asterisk segment in the mask matches any label. An
|
||||
asterisk segment at the beginning of the mask matches one or more
|
||||
consecutive labels from the beginning of the domain string.
|
||||
* - | EAP-TLS-FastReauthentication,
|
||||
| EAP-TTLS-FastReauthentication,
|
||||
| EAP-PEAP-FastReauthentication,
|
||||
- Values: **true**, false
|
||||
|
||||
Controls whether TLS session caching for EAP-TLS, EAP-TTLS and EAP-PEAP
|
||||
is used. This allows for faster re-connections to EAP-Enterprise based
|
||||
networks.
|
||||
|
||||
Some network authenticators may be misconfigured in a way that TLS
|
||||
session resumption is allowed but actually attempting it will cause
|
||||
the EAP method to fail or time out. In that case, assuming the
|
||||
credentials and other settings are correct, every other connection
|
||||
attempt will fail as sessions are cached and forgotten in alternating
|
||||
attempts. Use this setting to disable caching for this network.
|
||||
* - | EAP-TTLS-Phase2-Method
|
||||
- | The following values are allowed:
|
||||
| Tunneled-CHAP,
|
||||
|