EAP: Do not allow fast session resumption with different network block

This forces EAP peer implementation to drop any possible fast resumption
data if the network block for the current connection is not the same as
the one used for the previous one. This allows different network blocks
to be used with non-matching parameters to enforce different rules even
if the same authentication server is used. For example, this allows
different CA trust rules to be enforced with different ca_cert
parameters which can prevent EAP-TTLS Phase 2 from being used based on
TLS session resumption.

Signed-off-by: Jouni Malinen <j@w1.fi>

src/eap_peer/eap.c

@@ -153,11 +153,13 @@ SM_STATE(EAP, INITIALIZE)
 	SM_ENTRY(EAP, INITIALIZE);
 	if (sm->fast_reauth && sm->m && sm->m->has_reauth_data &&
 	    sm->m->has_reauth_data(sm, sm->eap_method_priv) &&
-	    !sm->prev_failure) {
+	    !sm->prev_failure &&
+	    sm->last_config == eap_get_config(sm)) {
 		wpa_printf(MSG_DEBUG, "EAP: maintaining EAP method data for "
 			   "fast reauthentication");
 		sm->m->deinit_for_reauth(sm, sm->eap_method_priv);
 	} else {
+		sm->last_config = eap_get_config(sm);
 		eap_deinit_prev_method(sm, "INITIALIZE");
 	}
 	sm->selectedMethod = EAP_TYPE_NONE;

src/eap_peer/eap_i.h

@@ -345,6 +345,7 @@ struct eap_sm {
 	struct wps_context *wps;
 
 	int prev_failure;
+	struct eap_peer_config *last_config;
 
 	struct ext_password_data *ext_pw;
 	struct wpabuf *ext_pw_buf;