Check EAP-AKA' AT_KDF duplication only if KDF was negotiated

This fixes an issue where two AKA'/Challenge messages are received when
resynchronizing SEQ#. Previously, this used to trigger an authentication
failure since the second Challenge message did not duplicate AT_KDF.
(cherry picked from commit 2cfcd014f4e2c9886af2e7433c40119091ff1535)

1 files changed, 4 insertions, 1 deletions

diff --git a/src/eap_peer/eap_aka.c b/src/eap_peer/eap_aka.c
index da3df0d..f237141 100644
--- a/src/eap_peer/eap_aka.c
+++ b/src/eap_peer/eap_aka.c
@@ -60,6 +60,7 @@ struct eap_aka_data {
 	u8 *network_name;
 	size_t network_name_len;
 	u16 kdf;
+	int kdf_negotiation;
 };
 
 
@@ -665,6 +666,7 @@ static struct wpabuf * eap_aka_prime_kdf_select(struct eap_aka_data *data,
 {
 	struct eap_sim_msg *msg;
 
+	data->kdf_negotiation = 1;
 	data->kdf = kdf;
 	wpa_printf(MSG_DEBUG, "Generating EAP-AKA Challenge (id=%d) (KDF "
 		   "select)", id);
@@ -704,7 +706,7 @@ static int eap_aka_prime_kdf_valid(struct eap_aka_data *data,
 	/* The only allowed (and required) duplication of a KDF is the addition
 	 * of the selected KDF into the beginning of the list. */
 
-	if (data->kdf) {
+	if (data->kdf_negotiation) {
 		if (attr->kdf[0] != data->kdf) {
 			wpa_printf(MSG_WARNING, "EAP-AKA': The server did not "
 				   "accept the selected KDF");
@@ -1251,6 +1253,7 @@ static void eap_aka_deinit_for_reauth(struct eap_sm *sm, void *priv)
 	wpabuf_free(data->id_msgs);
 	data->id_msgs = NULL;
 	data->use_result_ind = 0;
+	data->kdf_negotiation = 0;
 }