mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2025-01-17 18:34:03 -05:00
EAP: Do not allow fast session resumption with different network block
This forces EAP peer implementation to drop any possible fast resumption data if the network block for the current connection is not the same as the one used for the previous one. This allows different network blocks to be used with non-matching parameters to enforce different rules even if the same authentication server is used. For example, this allows different CA trust rules to be enforced with different ca_cert parameters which can prevent EAP-TTLS Phase 2 from being used based on TLS session resumption. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
52f4abfd06
commit
27a725cf74
@ -153,11 +153,13 @@ SM_STATE(EAP, INITIALIZE)
|
|||||||
SM_ENTRY(EAP, INITIALIZE);
|
SM_ENTRY(EAP, INITIALIZE);
|
||||||
if (sm->fast_reauth && sm->m && sm->m->has_reauth_data &&
|
if (sm->fast_reauth && sm->m && sm->m->has_reauth_data &&
|
||||||
sm->m->has_reauth_data(sm, sm->eap_method_priv) &&
|
sm->m->has_reauth_data(sm, sm->eap_method_priv) &&
|
||||||
!sm->prev_failure) {
|
!sm->prev_failure &&
|
||||||
|
sm->last_config == eap_get_config(sm)) {
|
||||||
wpa_printf(MSG_DEBUG, "EAP: maintaining EAP method data for "
|
wpa_printf(MSG_DEBUG, "EAP: maintaining EAP method data for "
|
||||||
"fast reauthentication");
|
"fast reauthentication");
|
||||||
sm->m->deinit_for_reauth(sm, sm->eap_method_priv);
|
sm->m->deinit_for_reauth(sm, sm->eap_method_priv);
|
||||||
} else {
|
} else {
|
||||||
|
sm->last_config = eap_get_config(sm);
|
||||||
eap_deinit_prev_method(sm, "INITIALIZE");
|
eap_deinit_prev_method(sm, "INITIALIZE");
|
||||||
}
|
}
|
||||||
sm->selectedMethod = EAP_TYPE_NONE;
|
sm->selectedMethod = EAP_TYPE_NONE;
|
||||||
|
@ -345,6 +345,7 @@ struct eap_sm {
|
|||||||
struct wps_context *wps;
|
struct wps_context *wps;
|
||||||
|
|
||||||
int prev_failure;
|
int prev_failure;
|
||||||
|
struct eap_peer_config *last_config;
|
||||||
|
|
||||||
struct ext_password_data *ext_pw;
|
struct ext_password_data *ext_pw;
|
||||||
struct wpabuf *ext_pw_buf;
|
struct wpabuf *ext_pw_buf;
|
||||||
|
Loading…
Reference in New Issue
Block a user