From: Jouni Malinen
Date: Sat, 26 Jul 2014 16:35:02 +0000 (+0300)
Subject: EAP: Do not allow fast session resumption with different network block
X-Git-Tag: hostap_2_3~153
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27a725cf74d5b3d8dc68a3a1cf3c3d44ca415ddb;p=thirdparty%2Fhostap.git

EAP: Do not allow fast session resumption with different network block

This forces the EAP peer implementation to drop any possible fast resumption data if the network block for the current connection is not the same as the one used for the previous one. This allows different network blocks to be used with non-matching parameters to enforce different rules even if the same authentication server is used. For example, this allows different CA trust rules to be enforced with different ca_cert parameters which can prevent EAP-TTLS Phase 2 from being used based on TLS session resumption.

Signed-off-by: Jouni Malinen
---
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c index a2faeb2d2..9880d3bce 100644 --- a/src/eap_peer/eap.c +++ b/src/eap_peer/eap.c @@ -153,11 +153,13 @@ SM_STATE(EAP, INITIALIZE) SM_ENTRY(EAP, INITIALIZE); if (sm->fast_reauth && sm->m && sm->m->has_reauth_data && sm->m->has_reauth_data(sm, sm->eap_method_priv) && - !sm->prev_failure) { + !sm->prev_failure && + sm->last_config == eap_get_config(sm)) { wpa_printf(MSG_DEBUG, "EAP: maintaining EAP method data for " "fast reauthentication"); sm->m->deinit_for_reauth(sm, sm->eap_method_priv); } else { + sm->last_config = eap_get_config(sm); eap_deinit_prev_method(sm, "INITIALIZE"); } sm->selectedMethod = EAP_TYPE_NONE; diff --git a/src/eap_peer/eap_i.h b/src/eap_peer/eap_i.h index 8288ba5b5..fde809c31 100644 --- a/src/eap_peer/eap_i.h +++ b/src/eap_peer/eap_i.h @@ -345,6 +345,7 @@ struct eap_sm { struct wps_context *wps; int prev_failure; + struct eap_peer_config *last_config; struct ext_password_data *ext_pw; struct wpabuf *ext_pw_buf;
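Review bot: the new `sm->last_config == eap_get_config(sm)` condition in the SM_STATE(EAP, INITIALIZE) hunk of src/eap_peer/eap.c compares raw pointers, and `sm->last_config` is only ever assigned in the else branch and never cleared, so it can go stale: if the network block it points to is freed and a different block is later allocated at the same address, the comparison succeeds and the method keeps its fast-resumption data across what is really a different configuration, which is the case this change is meant to rule out. Consider also resetting `sm->last_config` (and dropping the cached method data) whenever the peer configuration is removed or replaced, or comparing the relevant configuration contents rather than the address. The hunks shown also do not initialise `last_config`; this is only safe if `struct eap_sm` is zero-filled on allocation so that the first INITIALIZE takes the else branch, which is worth stating in the commit message.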
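Review bot: the new `struct eap_peer_config *last_config;` member in the src/eap_peer/eap_i.h hunk is added without a comment. Since it is used only as an identity marker for the previously used network block and may outlive the block it points to, a one-line comment saying that it must never be dereferenced would prevent future misuse.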