
[2/2] eap-tls: Add DisableEAPTLSCache bool setting

Message ID 20230127233323.3317642-2-andrew.zaborowski@intel.com (mailing list archive)
State New
Series [1/2] eap-tls: Drop cached session when phase2 fails

Checks

Context Check Description
tedd_an/pre-ci_am success Success
prestwoj/iwd-ci-gitlint success GitLint

Commit Message

Andrew Zaborowski Jan. 27, 2023, 11:33 p.m. UTC
Seeing that some authenticators can't handle TLS session caching
properly, allow the EAP-TLS-based methods' session caching support to be
disabled per-network using a [Settings].DisableEAPTLSCache setting.
Defaults to false.

With the previous commit, authentication should succeed at least every
other attempt.  I'd also expect that EAP-TLS is not usually affected
because there's no phase2, unlike with EAP-PEAP/EAP-TTLS.
---
 src/eap-tls-common.c | 18 ++++++++++++++++--
 src/iwd.network.rst  | 10 ++++++++++
 2 files changed, 26 insertions(+), 2 deletions(-)

Comments

Denis Kenzior Jan. 30, 2023, 4:17 p.m. UTC | #1
Hi Andrew,

On 1/27/23 17:33, Andrew Zaborowski wrote:
> Seeing that some authenticators can't handle TLS session caching
> properly, allow the EAP-TLS-based methods' session caching support to be
> disabled per-network using a [Settings].DisableEAPTLSCache setting.
> Defaults to false.
> 
> With the previous commit, authentication should succeed at least every
> other attempt.  I'd also expect that EAP-TLS is not usually affected
> because there's no phase2, unlike with EAP-PEAP/EAP-TTLS.
> ---
>   src/eap-tls-common.c | 18 ++++++++++++++++--
>   src/iwd.network.rst  | 10 ++++++++++
>   2 files changed, 26 insertions(+), 2 deletions(-)
> 

I modified this patch and commit description:
  - Renamed the setting to EAP-{TLS|TTLS|PEAP}FastReauthentication to be consistent with other EAP-TLS based method settings.
  - Moved the setting to [Security] instead of [Settings].  Again to be more consistent.
  - Modified the warning message to reflect the above.

Please double check that I didn't screw anything up.

Applied, thanks.

Regards,
-Denis

Patch

diff --git a/src/eap-tls-common.c b/src/eap-tls-common.c
index e21e215b..b621d395 100644
--- a/src/eap-tls-common.c
+++ b/src/eap-tls-common.c
@@ -116,6 +116,7 @@  struct eap_tls_state {
 	bool expecting_frag_ack:1;
 	bool tunnel_ready:1;
 	bool tls_session_resumed:1;
+	bool tls_cache_disabled:1;
 
 	struct l_queue *ca_cert;
 	struct l_certchain *client_cert;
@@ -179,7 +180,8 @@  static void __eap_tls_common_state_reset(struct eap_state *eap)
 
 		if (eap_tls->tls_session_resumed)
 			l_warn("EAP: method did not finish after successful TLS"
-				" session resumption.");
+				" session resumption.  If this repeats consider"
+				" setting [Settings].DisableEAPTLSCache.");
 	}
 
 	eap_tls->tls_session_resumed = false;
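Review bot: the hint appended to the l_warn() string hard-codes the group and key name ("[Settings].DisableEAPTLSCache") as a third copy of a name that also appears in the l_settings_has_key()/l_settings_get_bool() calls and in the iwd.network.rst entry, so a rename has to touch all of them by hand (the maintainer's reply shows exactly that happening when the setting was moved to [Security] and renamed). Consider a single #define for the group/key used by the warning, the check and the load, so the user-facing hint cannot drift from the key the parser actually reads.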
@@ -691,7 +693,7 @@  static bool eap_tls_tunnel_init(struct eap_state *eap)
 	if (eap_tls->domain_mask)
 		l_tls_set_domain_mask(eap_tls->tunnel, eap_tls->domain_mask);
 
-	if (!eap_tls_session_cache_load)
+	if (!eap_tls_session_cache_load || eap_tls->tls_cache_disabled)
 		goto start;
 
 	if (!eap_tls_session_cache)
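Review bot: only the load side is gated here: `if (!eap_tls_session_cache_load || eap_tls->tls_cache_disabled) goto start;` skips restoring a cached session, but nothing in this hunk shows the store side honouring tls_cache_disabled. If a successfully negotiated session is still handed to eap_tls_session_cache for a network with the setting enabled, the cache keeps accumulating entries that will never be used for that network, and the commit description's "sessions are cached and forgotten in alternating attempts" symptom simply moves to the moment the user removes the setting again. Either also skip caching new sessions when tls_cache_disabled is set, or say in the commit message that storing is deliberately left alone.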
@@ -1040,6 +1042,13 @@  int eap_tls_common_settings_check(struct l_settings *settings,
 		return -EINVAL;
 	}
 
+	if (l_settings_has_key(settings, "Settings", "DisableEAPTLSCache") &&
+			!l_settings_get_bool(settings, "Settings",
+						"DisableEAPTLSCache", NULL)) {
+		l_error("Can't parse DisableEAPTLSCache");
+		return -EINVAL;
+	}
+
 	return 0;
 }
 
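Review bot: the key is read from the "Settings" group while the other EAP-TLS options validated in eap_tls_common_settings_check() are per-method [Security] keys (the maintainer's reply raises the same point and moves it); a per-method name under [Security] would additionally let a user disable caching for EAP-PEAP without touching EAP-TLS on the same network, which matters given the commit message's expectation that EAP-TLS is usually not affected. The has_key()/!get_bool() pattern is the right way to reject a present-but-unparsable boolean, but the error text "Can't parse DisableEAPTLSCache" could name the group so the user knows which section of the network file to fix.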
@@ -1051,6 +1060,7 @@  bool eap_tls_common_settings_load(struct eap_state *eap,
 	struct eap_tls_state *eap_tls;
 	char setting_key[72];
 	char *domain_mask_str;
+	bool bool_val;
 
 	L_AUTO_FREE_VAR(char *, value) = NULL;
 
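Review bot: `bool bool_val;` is declared uninitialized and is only safe because the later `l_settings_get_bool(...) && bool_val` short-circuits when the key is absent or unparsable; initializing it at the declaration (`bool bool_val = false;`) makes that obvious to a reader and to static analysis at no cost.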
@@ -1080,6 +1090,10 @@  bool eap_tls_common_settings_load(struct eap_state *eap,
 		l_free(domain_mask_str);
 	}
 
+	eap_tls->tls_cache_disabled =
+		l_settings_get_bool(settings, "Settings", "DisableEAPTLSCache",
+					&bool_val) && bool_val;
+
 	eap_set_data(eap, eap_tls);
 
 	return true;
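Review bot: if l_settings_get_bool() fails here, tls_cache_disabled silently stays false, i.e. caching remains enabled; that is only correct because eap_tls_common_settings_check() earlier in this patch rejects an unparsable DisableEAPTLSCache value before load is reached. Since check and load are separate entry points, a one-line comment stating that reliance would keep a future caller of eap_tls_common_settings_load() from quietly getting the opposite of what the user configured.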
diff --git a/src/iwd.network.rst b/src/iwd.network.rst
index d3692834..8833f33b 100644
--- a/src/iwd.network.rst
+++ b/src/iwd.network.rst
@@ -174,6 +174,16 @@  The group ``[Settings]`` contains general settings.
        Properly configured Access Points will typically update this setting
        appropriately via Transition Disable indications.  User customization
        of this value is thus typically not required.
+   * - DisableEAPTLSCache
+     - Values: true, **false**
+
+       Disables TLS session caching in EAP-TLS, EAP-TTLS and EAP-PEAP.
+       Some network authenticators may be misconfigured in a way that TLS
+       session resumption is allowed but actually attempting it will cause
+       the EAP method to fail or time out.  In that case, assuming the
+       credentials and other settings are correct, every other connection
+       attempt will fail as sessions are cached and forgotten in alternating
+       attempts.  Use this setting to disable caching for this network.
 
 Network Authentication Settings
 -------------------------------
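Review bot: the documented symptom, "every other connection attempt will fail as sessions are cached and forgotten in alternating attempts", describes the behaviour only once patch 1/2 of this series (dropping the cached session when phase2 fails) is applied, as the commit message itself says; without it the failure would repeat on every attempt after the first. Describe the symptom more generally (repeated EAP failures or timeouts after an initially successful connection, together with the "method did not finish after successful TLS session resumption" warning in the log), so that the entry stays correct regardless of which fix the reader's build has, and so that someone who sees that warning can find this setting from it.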