EAP: Do not allow fast session resumption with different network block
authorJouni Malinen <j@w1.fi>
Sat, 26 Jul 2014 16:35:02 +0000 (19:35 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 26 Jul 2014 16:39:13 +0000 (19:39 +0300)
This forces EAP peer implementation to drop any possible fast resumption
data if the network block for the current connection is not the same as
the one used for the previous one. This allows different network blocks
to be used with non-matching parameters to enforce different rules even
if the same authentication server is used. For example, this allows
different CA trust rules to be enforced with different ca_cert
parameters which can prevent EAP-TTLS Phase 2 from being used based on
TLS session resumption.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_peer/eap.c
src/eap_peer/eap_i.h

index a2faeb2d29f6ff0242f57cd2575c32d3b1abf47b..9880d3bce01e84de202bc325ddbb18a3c70b02d4 100644 (file)
@@ -153,11 +153,13 @@ SM_STATE(EAP, INITIALIZE)
        SM_ENTRY(EAP, INITIALIZE);
        if (sm->fast_reauth && sm->m && sm->m->has_reauth_data &&
            sm->m->has_reauth_data(sm, sm->eap_method_priv) &&
-           !sm->prev_failure) {
+           !sm->prev_failure &&
+           sm->last_config == eap_get_config(sm)) {
                wpa_printf(MSG_DEBUG, "EAP: maintaining EAP method data for "
                           "fast reauthentication");
                sm->m->deinit_for_reauth(sm, sm->eap_method_priv);
        } else {
+               sm->last_config = eap_get_config(sm);
                eap_deinit_prev_method(sm, "INITIALIZE");
        }
        sm->selectedMethod = EAP_TYPE_NONE;
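Review bot: The added `sm->last_config == eap_get_config(sm)` condition compares the network block by address only, so if the previous config has been freed and a different block is later allocated at the same address, the fast-reauth branch would reuse cached method data that belongs to another network block — the case this change is meant to rule out. The stored pointer is not dereferenced in this hunk, but it goes stale as soon as the config it points to is released; invalidating it wherever the peer config is dropped (e.g. `sm->last_config = NULL;` at that point) or comparing a monotonically increasing config id rather than the pointer would close that gap. Refreshing `last_config` only in the else branch is fine, since in the reauth branch it already equals the current config. SM_STATE(EAP, INITIALIZE) continues past the end of the hunk.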
index 8288ba5b51798537e5f423667b4ebd0d8cbfb141..fde809c3181c58b1f3bb089e34f1e643ee73c558 100644 (file)
@@ -345,6 +345,7 @@ struct eap_sm {
        struct wps_context *wps;
 
        int prev_failure;
+       struct eap_peer_config *last_config;
 
        struct ext_password_data *ext_pw;
        struct wpabuf *ext_pw_buf;
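Review bot: The new `last_config` member is declared without a comment, and its contract is not obvious from the type: it is only compared by pointer identity in the INITIALIZE state and, as far as the diff shows, never dereferenced, so it may legitimately point at a network block that no longer exists. A comment such as `/* network block used for the previous connection; compared by address only and may be stale - do not dereference */` would keep a later reader from treating it as a live pointer. struct eap_sm continues beyond the hunk.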