EAP-SIM/AKA: Do not allow anonymous@realm "pseudonym" to be cleared

If the EAP-SIM/AKA server does not provide a new pseudonym and the
locally configured "pseudonym" in anonymous_identity is actually an
anonymous identitity instead of a real EAP-SIM/AKA pseudonym, do not
clear the anonymous_identity network profile parameter. This is needed
to avoid forgetting the anonymous identity when going through
EAP-SIM/AKA authentication and then reverting back to using IMSI-based
(e.g., encrypted) identity.

Fixes: 4df4133917 ("EAP-SIM/AKA: Add support for anonymous@realm")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

src/eap_peer/eap_aka.c

@@ -632,8 +632,13 @@ static struct wpabuf * eap_aka_response_identity(struct eap_sm *sm,
 	} else if (id_req != NO_ID_REQ) {
 		identity = eap_get_config_identity(sm, &identity_len);
 		if (identity) {
-			eap_aka_clear_identities(sm, data, CLEAR_PSEUDONYM |
-						 CLEAR_REAUTH_ID);
+			int ids = CLEAR_PSEUDONYM | CLEAR_REAUTH_ID;
+
+			if (data->pseudonym &&
+			    eap_sim_anonymous_username(data->pseudonym,
+						       data->pseudonym_len))
+				ids &= ~CLEAR_PSEUDONYM;
+			eap_aka_clear_identities(sm, data, ids);
 		}
 	}
 	if (id_req != NO_ID_REQ)

src/eap_peer/eap_sim.c

@@ -502,8 +502,13 @@ static struct wpabuf * eap_sim_response_start(struct eap_sm *sm,
 	} else if (id_req != NO_ID_REQ) {
 		identity = eap_get_config_identity(sm, &identity_len);
 		if (identity) {
-			eap_sim_clear_identities(sm, data, CLEAR_PSEUDONYM |
-						 CLEAR_REAUTH_ID);
+			int ids = CLEAR_PSEUDONYM | CLEAR_REAUTH_ID;
+
+			if (data->pseudonym &&
+			    eap_sim_anonymous_username(data->pseudonym,
+						       data->pseudonym_len))
+				ids &= ~CLEAR_PSEUDONYM;
+			eap_sim_clear_identities(sm, data, ids);
 		}
 	}
 	if (id_req != NO_ID_REQ)