EAP: Do not allow fast session resumption with different network block
This forces EAP peer implementation to drop any possible fast resumption data if the network block for the current connection is not the same as the one used for the previous one. This allows different network blocks to be used with non-matching parameters to enforce different rules even if the same authentication server is used. For example, this allows different CA trust rules to be enforced with different ca_cert parameters which can prevent EAP-TTLS Phase 2 from being used based on TLS session resumption. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
52f4abfd06
commit
27a725cf74
2 changed files with 4 additions and 1 deletions
|
|
@ -153,11 +153,13 @@ SM_STATE(EAP, INITIALIZE)
|
|||
SM_ENTRY(EAP, INITIALIZE);
|
||||
if (sm->fast_reauth && sm->m && sm->m->has_reauth_data &&
|
||||
sm->m->has_reauth_data(sm, sm->eap_method_priv) &&
|
||||
!sm->prev_failure) {
|
||||
!sm->prev_failure &&
|
||||
sm->last_config == eap_get_config(sm)) {
|
||||
wpa_printf(MSG_DEBUG, "EAP: maintaining EAP method data for "
|
||||
"fast reauthentication");
|
||||
sm->m->deinit_for_reauth(sm, sm->eap_method_priv);
|
||||
} else {
|
||||
sm->last_config = eap_get_config(sm);
|
||||
eap_deinit_prev_method(sm, "INITIALIZE");
|
||||
}
|
||||
sm->selectedMethod = EAP_TYPE_NONE;
|
||||
|
|
|
|||
|
|
@ -345,6 +345,7 @@ struct eap_sm {
|
|||
struct wps_context *wps;
|
||||
|
||||
int prev_failure;
|
||||
struct eap_peer_config *last_config;
|
||||
|
||||
struct ext_password_data *ext_pw;
|
||||
struct wpabuf *ext_pw_buf;
|
||||
|
|
|
|||
Loading…
Reference in a new issue