diff --git a/src/eapol.c b/src/eapol.c
index 72b58ba1..7ef45c9f 100644
--- a/src/eapol.c
+++ b/src/eapol.c
@@ -144,6 +144,9 @@ uint8_t *eapol_decrypt_key_data(const uint8_t *kek,
 		break;
 	case EAPOL_KEY_DESCRIPTOR_VERSION_HMAC_SHA1_AES:
 	case EAPOL_KEY_DESCRIPTOR_VERSION_AES_128_CMAC_AES:
+		if (key_data_len < 24 || key_data_len % 8)
+			return NULL;
+
 		expected_len = key_data_len - 8;
 		break;
 	default:
@@ -171,9 +174,6 @@ uint8_t *eapol_decrypt_key_data(const uint8_t *kek,
 	}
 	case EAPOL_KEY_DESCRIPTOR_VERSION_HMAC_SHA1_AES:
 	case EAPOL_KEY_DESCRIPTOR_VERSION_AES_128_CMAC_AES:
-		if (key_data_len < 24 || key_data_len % 8)
-			goto error;
-
 		if (!aes_unwrap(kek, key_data, key_data_len, buf))
 			goto error;