RSN: Report completion only after IGTK configuration

Previously wpa_supplicant_key_neg_complete() was called before the
attempt to configure the IGTK received from the authenticator. This
could resulted in somewhat surprising sequence of events if IGTK
configuration failed since completion event would be followed by
immediate disconnection event. Reorder these operations so that
completion is reported only if GTK and IGTK are configurated
successfully.

Furthermore, check for missing GTK KDE in case of RSN and handle that
with an explicit disconnection instead of waiting for the AP to deliver
the GTK later.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

src/rsn_supp/wpa.c

@@ -1021,8 +1021,6 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
 	}
 	os_memset(&gd, 0, sizeof(gd));
 
-	wpa_supplicant_key_neg_complete(sm, sm->bssid,
-					key_info & WPA_KEY_INFO_SECURE);
 	return 0;
 }
 
@@ -1503,8 +1501,11 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
 	wpa_sm_set_state(sm, WPA_GROUP_HANDSHAKE);
 
 	if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED) {
-		wpa_supplicant_key_neg_complete(sm, sm->bssid,
-						key_info & WPA_KEY_INFO_SECURE);
+		/* No GTK to be set to the driver */
+	} else if (!ie.gtk && sm->proto == WPA_PROTO_RSN) {
+		wpa_msg(sm->ctx->msg_ctx, MSG_INFO,
+			"RSN: No GTK KDE included in EAPOL-Key msg 3/4");
+		goto failed;
 	} else if (ie.gtk &&
 	    wpa_supplicant_pairwise_gtk(sm, key,
 					ie.gtk, ie.gtk_len, key_info) < 0) {
@@ -1519,6 +1520,10 @@ static void wpa_supplicant_process_3_of_4(struct wpa_sm *sm,
 		goto failed;
 	}
 
+	if (sm->group_cipher == WPA_CIPHER_GTK_NOT_USED || ie.gtk)
+		wpa_supplicant_key_neg_complete(sm, sm->bssid,
+						key_info & WPA_KEY_INFO_SECURE);
+
 	if (ie.gtk)
 		wpa_sm_set_rekey_offload(sm);