Corrected supplicant EAP-TLS sequence id validation

Suplicant now ignores messages with old sequence id i.e. value
less than previously used by the authenticator.

Author: Mika Leppänen

source/Security/protocols/eap_tls_sec_prot/auth_eap_tls_sec_prot.c

@@ -405,9 +405,6 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
                 return;
             }
 
-            // Increment sequence ID
-            //auth_eap_tls_sec_prot_seq_id_update(prot);
-
             // Sends EAP request, TLS EAP start
             auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_START);
 

source/Security/protocols/eap_tls_sec_prot/supp_eap_tls_sec_prot.c

@@ -186,15 +186,19 @@ static int8_t supp_eap_tls_sec_prot_message_handle(sec_prot_t *prot)
     uint8_t *data_ptr = data->recv_eapol_pdu.msg.eap.data_ptr;
     uint16_t length = data->recv_eapol_pdu.msg.eap.length;
 
+    tr_info("EAP-TLS recv %s type %s id %i flags %x len %i", eap_msg_trace[data->eap_code - 1],
+            data->eap_type == EAP_IDENTITY ? "IDENTITY" : "TLS", data->recv_eapol_pdu.msg.eap.id_seq,
+            length >= 6 ? data_ptr[0] : 0, length);
+
     uint8_t new_seq_id = false;
+    // New sequence identifier received
     if (data->recv_eapol_pdu.msg.eap.id_seq > data->eap_id_seq) {
         new_seq_id = true;
+    } else if (data->recv_eapol_pdu.msg.eap.id_seq < data->eap_id_seq) {
+        // Already received sequence ID is received again, ignore
+        return EAP_TLS_MSG_DECODE_ERROR;
     }
 
-    tr_info("EAP-TLS recv %s type %s id %i flags %x len %i", eap_msg_trace[data->eap_code - 1],
-            data->eap_type == EAP_IDENTITY ? "IDENTITY" : "TLS", data->recv_eapol_pdu.msg.eap.id_seq,
-            length >= 6 ? data_ptr[0] : 0, length);
-
     if (data->eap_type == EAP_IDENTITY) {
         return EAP_TLS_MSG_IDENTITY;
     }