EAP-AKA server: Fix fallback to full auth
authorJouni Malinen <jouni@qca.qualcomm.com>
Tue, 8 Jan 2013 13:45:05 +0000 (15:45 +0200)
committerJouni Malinen <j@w1.fi>
Tue, 8 Jan 2013 13:45:05 +0000 (15:45 +0200)
Commit 68a41bbb44ac78087076ce65e6c1803d036bc4a2 broke fallback from
reauth id to fullauth id by not allowing a second AKA/Identity round to
be used after having received unrecognized reauth_id in the first round.
Fix this by allowing fullauth id to be requested in such a case.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

src/eap_server/eap_server_aka.c

index 177b58dac52f17e95c2047688f4299298cf72a63..469b9a0fa653869cef4111e87455ba7aa44d3dbd 100644 (file)
@@ -731,6 +731,17 @@ static void eap_aka_determine_identity(struct eap_sm *sm,
                return;
        }
 
+       if (((data->eap_method == EAP_TYPE_AKA_PRIME &&
+             username[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX) ||
+            (data->eap_method == EAP_TYPE_AKA &&
+             username[0] == EAP_AKA_REAUTH_ID_PREFIX)) &&
+           data->identity_round == 1) {
+               /* Remain in IDENTITY state for another round to request full
+                * auth identity since we did not recognize reauth id */
+               os_free(username);
+               return;
+       }
+
        if ((data->eap_method == EAP_TYPE_AKA_PRIME &&
             username[0] == EAP_AKA_PRIME_PSEUDONYM_PREFIX) ||
            (data->eap_method == EAP_TYPE_AKA &&
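Review bot: The added early return in the `data->identity_round == 1` branch frees `username` and stays in IDENTITY without any debug output, so a peer presenting a stale or bogus reauth id leaves no trace where the server decides to fall back to full authentication. I would add one line before `os_free(username);`, e.g. `wpa_printf(MSG_DEBUG, "EAP-AKA: Unrecognized reauth id - request full auth identity");`, without logging the identity itself. The comment could also say that the `identity_round == 1` test is what limits this peer-driven fallback to a single extra round. The branch relies on `identity_round` being advanced and on `username` being non-NULL, both presumably handled earlier in eap_aka_determine_identity, which starts and ends outside this hunk.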