1 files changed, 267 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch
new file mode 100644
index 0000000000..501bb4b56b
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch
@@ -0,0 +1,267 @@
+The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
+result in unauthenticated clients gaining access to the network.
+Backport a number of patches from upstream to fix this.
+CVE: CVE-2017-13077
+CVE: CVE-2017-13078
+CVE: CVE-2017-13079
+CVE: CVE-2017-13080
+CVE: CVE-2017-13081
+CVE: CVE-2017-13082
+CVE: CVE-2017-13086
+CVE: CVE-2017-13087
+CVE: CVE-2017-13088
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Wed, 12 Jul 2017 16:03:24 +0200
+Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key
+Track the current GTK and IGTK that is in use and when receiving a
+(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
+not install the given key if it is already in use. This prevents an
+attacker from trying to trick the client into resetting or lowering the
+sequence counter associated to the group key.
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/common/wpa_common.h |  11 +++++
+ src/rsn_supp/wpa.c      | 116 ++++++++++++++++++++++++++++++------------------
+ src/rsn_supp/wpa_i.h    |   4 ++
+ 3 files changed, 87 insertions(+), 44 deletions(-)
+diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
+index af1d0f0..d200285 100644
+--- a/src/common/wpa_common.h
+++ b/src/common/wpa_common.h
+@@ -217,6 +217,17 @@ struct wpa_ptk {
+        size_t tk_len;
+ };
+ 
+struct wpa_gtk {
+       u8 gtk[WPA_GTK_MAX_LEN];
+       size_t gtk_len;
+};
+
+#ifdef CONFIG_IEEE80211W
+struct wpa_igtk {
+       u8 igtk[WPA_IGTK_MAX_LEN];
+       size_t igtk_len;
+};
+#endif /* CONFIG_IEEE80211W */
+ 
+ /* WPA IE version 1
+  * 00-50-f2:1 (OUI:OUI type)
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 3c47879..95bd7be 100644
+--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
+@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+        const u8 *_gtk = gd->gtk;
+        u8 gtk_buf[32];
+ 
+       /* Detect possible key reinstallation */
+       if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
+           os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
+               wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+                       "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
+                       gd->keyidx, gd->tx, gd->gtk_len);
+               return 0;
+       }
+
+        wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
+        wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+                "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
+@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+        }
+        os_memset(gtk_buf, 0, sizeof(gtk_buf));
+ 
+       sm->gtk.gtk_len = gd->gtk_len;
+       os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
+
+        return 0;
+ }
+ 
+@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+ }
+ 
+ 
+#ifdef CONFIG_IEEE80211W
+static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
+                                      const struct wpa_igtk_kde *igtk)
+{
+       size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
+       u16 keyidx = WPA_GET_LE16(igtk->keyid);
+
+       /* Detect possible key reinstallation */
+       if (sm->igtk.igtk_len == len &&
+           os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
+               wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+                       "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
+                       keyidx);
+               return  0;
+       }
+
+       wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+               "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
+               keyidx, MAC2STR(igtk->pn));
+       wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
+       if (keyidx > 4095) {
+               wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+                       "WPA: Invalid IGTK KeyID %d", keyidx);
+               return -1;
+       }
+       if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+                          broadcast_ether_addr,
+                          keyidx, 0, igtk->pn, sizeof(igtk->pn),
+                          igtk->igtk, len) < 0) {
+               wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+                       "WPA: Failed to configure IGTK to the driver");
+               return -1;
+       }
+
+       sm->igtk.igtk_len = len;
+       os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
+
+       return 0;
+}
+#endif /* CONFIG_IEEE80211W */
+
+
+ static int ieee80211w_set_keys(struct wpa_sm *sm,
+                               struct wpa_eapol_ie_parse *ie)
+ {
+@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
+        if (ie->igtk) {
+                size_t len;
+                const struct wpa_igtk_kde *igtk;
+-               u16 keyidx;
+
+                len = wpa_cipher_key_len(sm->mgmt_group_cipher);
+                if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
+                        return -1;
+
+                igtk = (const struct wpa_igtk_kde *) ie->igtk;
+-               keyidx = WPA_GET_LE16(igtk->keyid);
+-               wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
+-                       "pn %02x%02x%02x%02x%02x%02x",
+-                       keyidx, MAC2STR(igtk->pn));
+-               wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
+-                               igtk->igtk, len);
+-               if (keyidx > 4095) {
+-                       wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+-                               "WPA: Invalid IGTK KeyID %d", keyidx);
+-                       return -1;
+-               }
+-               if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+-                                  broadcast_ether_addr,
+-                                  keyidx, 0, igtk->pn, sizeof(igtk->pn),
+-                                  igtk->igtk, len) < 0) {
+-                       wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+-                               "WPA: Failed to configure IGTK to the driver");
+               if (wpa_supplicant_install_igtk(sm, igtk) < 0)
+                        return -1;
+-               }
+        }
+ 
+        return 0;
+@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
+  */
+ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ {
+-       int clear_ptk = 1;
+       int clear_keys = 1;
+ 
+        if (sm == NULL)
+                return;
+@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+                /* Prepare for the next transition */
+                wpa_ft_prepare_auth_request(sm, NULL);
+ 
+-               clear_ptk = 0;
+               clear_keys = 0;
+        }
+ #endif /* CONFIG_IEEE80211R */
+ 
+-       if (clear_ptk) {
+       if (clear_keys) {
+                /*
+                 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
+                 * this is not part of a Fast BSS Transition.
+@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+                os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+                sm->tptk_set = 0;
+                os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+               os_memset(&sm->gtk, 0, sizeof(sm->gtk));
+#ifdef CONFIG_IEEE80211W
+               os_memset(&sm->igtk, 0, sizeof(sm->igtk));
+#endif /* CONFIG_IEEE80211W */
+        }
+ 
+ #ifdef CONFIG_TDLS
+@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
+        os_memset(sm->pmk, 0, sizeof(sm->pmk));
+        os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+        os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+       os_memset(&sm->gtk, 0, sizeof(sm->gtk));
+#ifdef CONFIG_IEEE80211W
+       os_memset(&sm->igtk, 0, sizeof(sm->igtk));
+#endif /* CONFIG_IEEE80211W */
+ #ifdef CONFIG_IEEE80211R
+        os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
+        os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
+@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+                os_memset(&gd, 0, sizeof(gd));
+ #ifdef CONFIG_IEEE80211W
+        } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
+-               struct wpa_igtk_kde igd;
+-               u16 keyidx;
+-
+-               os_memset(&igd, 0, sizeof(igd));
+-               keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
+-               os_memcpy(igd.keyid, buf + 2, 2);
+-               os_memcpy(igd.pn, buf + 4, 6);
+-
+-               keyidx = WPA_GET_LE16(igd.keyid);
+-               os_memcpy(igd.igtk, buf + 10, keylen);
+-
+-               wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
+-                               igd.igtk, keylen);
+-               if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+-                                  broadcast_ether_addr,
+-                                  keyidx, 0, igd.pn, sizeof(igd.pn),
+-                                  igd.igtk, keylen) < 0) {
+-                       wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
+-                                  "WNM mode");
+-                       os_memset(&igd, 0, sizeof(igd));
+               const struct wpa_igtk_kde *igtk;
+
+               igtk = (const struct wpa_igtk_kde *) (buf + 2);
+               if (wpa_supplicant_install_igtk(sm, igtk) < 0)
+                        return -1;
+-               }
+-               os_memset(&igd, 0, sizeof(igd));
+ #endif /* CONFIG_IEEE80211W */
+        } else {
+                wpa_printf(MSG_DEBUG, "Unknown element id");
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index f653ba6..afc9e37 100644
+--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
+@@ -31,6 +31,10 @@ struct wpa_sm {
+        u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
+        int rx_replay_counter_set;
+        u8 request_counter[WPA_REPLAY_COUNTER_LEN];
+       struct wpa_gtk gtk;
+#ifdef CONFIG_IEEE80211W
+       struct wpa_igtk igtk;
+#endif /* CONFIG_IEEE80211W */
+ 
+        struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
+ 
+-- 
+2.7.4
+\ No newline at end of file

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch new file mode 100644 index 0000000000..501bb4b56b --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/key-replay-cve-multiple2.patch
@@ -0,0 +1,267 @@
	1	The WPA2 four-way handshake protocol is vulnerable to replay attacks which can
	2	result in unauthenticated clients gaining access to the network.
	3
	4	Backport a number of patches from upstream to fix this.
	5
	6	CVE: CVE-2017-13077
	7	CVE: CVE-2017-13078
	8	CVE: CVE-2017-13079
	9	CVE: CVE-2017-13080
	10	CVE: CVE-2017-13081
	11	CVE: CVE-2017-13082
	12	CVE: CVE-2017-13086
	13	CVE: CVE-2017-13087
	14	CVE: CVE-2017-13088
	15
	16	Upstream-Status: Backport
	17	Signed-off-by: Ross Burton <ross.burton@intel.com>
	18
	19	From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001
	20	From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
	21	Date: Wed, 12 Jul 2017 16:03:24 +0200
	22	Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key
	23
	24	Track the current GTK and IGTK that is in use and when receiving a
	25	(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
	26	not install the given key if it is already in use. This prevents an
	27	attacker from trying to trick the client into resetting or lowering the
	28	sequence counter associated to the group key.
	29
	30	Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
	31	---
	32	src/common/wpa_common.h \| 11 +++++
	33	src/rsn_supp/wpa.c \| 116 ++++++++++++++++++++++++++++++------------------
	34	src/rsn_supp/wpa_i.h \| 4 ++
	35	3 files changed, 87 insertions(+), 44 deletions(-)
	36
	37	diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
	38	index af1d0f0..d200285 100644
	39	--- a/src/common/wpa_common.h
	40	+++ b/src/common/wpa_common.h
	41	@@ -217,6 +217,17 @@ struct wpa_ptk {
	42	size_t tk_len;
	43	};
	44
	45	+struct wpa_gtk {
	46	+ u8 gtk[WPA_GTK_MAX_LEN];
	47	+ size_t gtk_len;
	48	+};
	49	+
	50	+#ifdef CONFIG_IEEE80211W
	51	+struct wpa_igtk {
	52	+ u8 igtk[WPA_IGTK_MAX_LEN];
	53	+ size_t igtk_len;
	54	+};
	55	+#endif /* CONFIG_IEEE80211W */
	56
	57	/* WPA IE version 1
	58	* 00-50-f2:1 (OUI:OUI type)
	59	diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
	60	index 3c47879..95bd7be 100644
	61	--- a/src/rsn_supp/wpa.c
	62	+++ b/src/rsn_supp/wpa.c
	63	@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
	64	const u8 *_gtk = gd->gtk;
	65	u8 gtk_buf[32];
	66
	67	+ /* Detect possible key reinstallation */
	68	+ if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
	69	+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
	70	+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
	71	+ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
	72	+ gd->keyidx, gd->tx, gd->gtk_len);
	73	+ return 0;
	74	+ }
	75	+
	76	wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
	77	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
	78	"WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
	79	@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
	80	}
	81	os_memset(gtk_buf, 0, sizeof(gtk_buf));
	82
	83	+ sm->gtk.gtk_len = gd->gtk_len;
	84	+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
	85	+
	86	return 0;
	87	}
	88
	89	@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
	90	}
	91
	92
	93	+#ifdef CONFIG_IEEE80211W
	94	+static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
	95	+ const struct wpa_igtk_kde *igtk)
	96	+{
	97	+ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
	98	+ u16 keyidx = WPA_GET_LE16(igtk->keyid);
	99	+
	100	+ /* Detect possible key reinstallation */
	101	+ if (sm->igtk.igtk_len == len &&
	102	+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
	103	+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
	104	+ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
	105	+ keyidx);
	106	+ return 0;
	107	+ }
	108	+
	109	+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
	110	+ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
	111	+ keyidx, MAC2STR(igtk->pn));
	112	+ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
	113	+ if (keyidx > 4095) {
	114	+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
	115	+ "WPA: Invalid IGTK KeyID %d", keyidx);
	116	+ return -1;
	117	+ }
	118	+ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
	119	+ broadcast_ether_addr,
	120	+ keyidx, 0, igtk->pn, sizeof(igtk->pn),
	121	+ igtk->igtk, len) < 0) {
	122	+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
	123	+ "WPA: Failed to configure IGTK to the driver");
	124	+ return -1;
	125	+ }
	126	+
	127	+ sm->igtk.igtk_len = len;
	128	+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
	129	+
	130	+ return 0;
	131	+}
	132	+#endif /* CONFIG_IEEE80211W */
	133	+
	134	+
	135	static int ieee80211w_set_keys(struct wpa_sm *sm,
	136	struct wpa_eapol_ie_parse *ie)
	137	{
	138	@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
	139	if (ie->igtk) {
	140	size_t len;
	141	const struct wpa_igtk_kde *igtk;
	142	- u16 keyidx;
	143	+
	144	len = wpa_cipher_key_len(sm->mgmt_group_cipher);
	145	if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
	146	return -1;
	147	+
	148	igtk = (const struct wpa_igtk_kde *) ie->igtk;
	149	- keyidx = WPA_GET_LE16(igtk->keyid);
	150	- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
	151	- "pn %02x%02x%02x%02x%02x%02x",
	152	- keyidx, MAC2STR(igtk->pn));
	153	- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
	154	- igtk->igtk, len);
	155	- if (keyidx > 4095) {
	156	- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
	157	- "WPA: Invalid IGTK KeyID %d", keyidx);
	158	- return -1;
	159	- }
	160	- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
	161	- broadcast_ether_addr,
	162	- keyidx, 0, igtk->pn, sizeof(igtk->pn),
	163	- igtk->igtk, len) < 0) {
	164	- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
	165	- "WPA: Failed to configure IGTK to the driver");
	166	+ if (wpa_supplicant_install_igtk(sm, igtk) < 0)
	167	return -1;
	168	- }
	169	}
	170
	171	return 0;
	172	@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
	173	*/
	174	void wpa_sm_notify_assoc(struct wpa_sm sm, const u8 bssid)
	175	{
	176	- int clear_ptk = 1;
	177	+ int clear_keys = 1;
	178
	179	if (sm == NULL)
	180	return;
	181	@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm sm, const u8 bssid)
	182	/* Prepare for the next transition */
	183	wpa_ft_prepare_auth_request(sm, NULL);
	184
	185	- clear_ptk = 0;
	186	+ clear_keys = 0;
	187	}
	188	#endif /* CONFIG_IEEE80211R */
	189
	190	- if (clear_ptk) {
	191	+ if (clear_keys) {
	192	/*
	193	* IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
	194	* this is not part of a Fast BSS Transition.
	195	@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm sm, const u8 bssid)
	196	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
	197	sm->tptk_set = 0;
	198	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
	199	+ os_memset(&sm->gtk, 0, sizeof(sm->gtk));
	200	+#ifdef CONFIG_IEEE80211W
	201	+ os_memset(&sm->igtk, 0, sizeof(sm->igtk));
	202	+#endif /* CONFIG_IEEE80211W */
	203	}
	204
	205	#ifdef CONFIG_TDLS
	206	@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
	207	os_memset(sm->pmk, 0, sizeof(sm->pmk));
	208	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
	209	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
	210	+ os_memset(&sm->gtk, 0, sizeof(sm->gtk));
	211	+#ifdef CONFIG_IEEE80211W
	212	+ os_memset(&sm->igtk, 0, sizeof(sm->igtk));
	213	+#endif /* CONFIG_IEEE80211W */
	214	#ifdef CONFIG_IEEE80211R
	215	os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
	216	os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
	217	@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm sm, u8 subelem_id, u8 buf)
	218	os_memset(&gd, 0, sizeof(gd));
	219	#ifdef CONFIG_IEEE80211W
	220	} else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
	221	- struct wpa_igtk_kde igd;
	222	- u16 keyidx;
	223	-
	224	- os_memset(&igd, 0, sizeof(igd));
	225	- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
	226	- os_memcpy(igd.keyid, buf + 2, 2);
	227	- os_memcpy(igd.pn, buf + 4, 6);
	228	-
	229	- keyidx = WPA_GET_LE16(igd.keyid);
	230	- os_memcpy(igd.igtk, buf + 10, keylen);
	231	-
	232	- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
	233	- igd.igtk, keylen);
	234	- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
	235	- broadcast_ether_addr,
	236	- keyidx, 0, igd.pn, sizeof(igd.pn),
	237	- igd.igtk, keylen) < 0) {
	238	- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
	239	- "WNM mode");
	240	- os_memset(&igd, 0, sizeof(igd));
	241	+ const struct wpa_igtk_kde *igtk;
	242	+
	243	+ igtk = (const struct wpa_igtk_kde *) (buf + 2);
	244	+ if (wpa_supplicant_install_igtk(sm, igtk) < 0)
	245	return -1;
	246	- }
	247	- os_memset(&igd, 0, sizeof(igd));
	248	#endif /* CONFIG_IEEE80211W */
	249	} else {
	250	wpa_printf(MSG_DEBUG, "Unknown element id");
	251	diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
	252	index f653ba6..afc9e37 100644
	253	--- a/src/rsn_supp/wpa_i.h
	254	+++ b/src/rsn_supp/wpa_i.h
	255	@@ -31,6 +31,10 @@ struct wpa_sm {
	256	u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
	257	int rx_replay_counter_set;
	258	u8 request_counter[WPA_REPLAY_COUNTER_LEN];
	259	+ struct wpa_gtk gtk;
	260	+#ifdef CONFIG_IEEE80211W
	261	+ struct wpa_igtk igtk;
	262	+#endif /* CONFIG_IEEE80211W */
	263
	264	struct eapol_sm eapol; / EAPOL state machine from upper level code */
	265
	266	--
	267	2.7.4 \ No newline at end of file