Corrected PTK and PMK lifetime handling

- Changed PMK/PTK lifetime update timer to one second resolution from
60 seconds on authenticator, since amount of active supplicants is now
limited (based on configuration e.g. to 50).
- Changed security protocols to init the PMK/PTK lifetime rigth away
to configured value and not to init needed value. This required adding
the EAPOL timer configuration structure to security protocol structure
so that it is available to security protocols.
- Added storing/reading of PMK/PTK lifetime to/from NVM on supplicant,
that was missing on NVM data storing functions.

Author: Mika Leppänen

source/6LoWPAN/ws/ws_pae_auth.c

@@ -98,7 +98,6 @@ typedef struct {
     sec_timer_cfg_t *sec_timer_cfg;                          /**< Timer configuration */
     sec_prot_cfg_t *sec_prot_cfg;                            /**< Protocol Configuration */
     uint16_t supp_max_number;                                /**< Max number of stored supplicants */
-    uint16_t slow_timer_seconds;                             /**< Slow timer seconds */
     bool timer_running : 1;                                  /**< Timer is running */
     bool gtk_new_inst_req_exp : 1;                           /**< GTK new install required timer expired */
     bool gtk_new_act_time_exp: 1;                            /**< GTK new activation time expired */
@@ -127,7 +126,7 @@ static void ws_pae_auth_kmp_api_create_indication(kmp_api_t *kmp, kmp_type_e typ
 static void ws_pae_auth_kmp_api_finished_indication(kmp_api_t *kmp, kmp_result_e result, kmp_sec_keys_t *sec_keys);
 static void ws_pae_auth_next_kmp_trigger(pae_auth_t *pae_auth, supp_entry_t *supp_entry);
 static kmp_type_e ws_pae_auth_next_protocol_get(pae_auth_t *pae_auth, supp_entry_t *supp_entry);
-static kmp_api_t *ws_pae_auth_kmp_create_and_start(kmp_service_t *service, kmp_type_e type, supp_entry_t *supp_entry, sec_prot_cfg_t *cfg);
+static kmp_api_t *ws_pae_auth_kmp_create_and_start(kmp_service_t *service, kmp_type_e type, supp_entry_t *supp_entry, sec_prot_cfg_t *prot_cfg, sec_timer_cfg_t *timer_cfg);
 static void ws_pae_auth_kmp_api_finished(kmp_api_t *kmp);
 
 static int8_t tasklet_id = -1;
@@ -167,7 +166,6 @@ int8_t ws_pae_auth_init(protocol_interface_info_entry_t *interface_ptr, sec_prot
     pae_auth->sec_prot_cfg = sec_prot_cfg;
     pae_auth->supp_max_number = SUPPLICANT_MAX_NUMBER;
 
-    pae_auth->slow_timer_seconds = 0;
     pae_auth->gtk_new_inst_req_exp = false;
     pae_auth->gtk_new_act_time_exp = false;
 
@@ -708,11 +706,7 @@ void ws_pae_auth_slow_timer(uint16_t seconds)
             }
         }
 
-        pae_auth->slow_timer_seconds += seconds;
-        if (pae_auth->slow_timer_seconds > 60) {
-            ws_pae_lib_supp_list_slow_timer_update(&pae_auth->active_supp_list, pae_auth->sec_timer_cfg, pae_auth->slow_timer_seconds);
-            pae_auth->slow_timer_seconds = 0;
-        }
+        ws_pae_lib_supp_list_slow_timer_update(&pae_auth->active_supp_list, seconds);
     }
 
     // Update key storage timer
@@ -905,7 +899,7 @@ static kmp_api_t *ws_pae_auth_kmp_incoming_ind(kmp_service_t *service, kmp_type_
     }
 
     // Create a new KMP for initial eapol-key
-    kmp = kmp_api_create(service, type + IEEE_802_1X_INITIAL_KEY, pae_auth->sec_prot_cfg);
+    kmp = kmp_api_create(service, type + IEEE_802_1X_INITIAL_KEY, pae_auth->sec_prot_cfg, pae_auth->sec_timer_cfg);
 
     if (!kmp) {
         return 0;
@@ -1020,7 +1014,7 @@ static void ws_pae_auth_next_kmp_trigger(pae_auth_t *pae_auth, supp_entry_t *sup
     }
 
     // Create new instance
-    kmp_api_t *new_kmp = ws_pae_auth_kmp_create_and_start(pae_auth->kmp_service, next_type, supp_entry, pae_auth->sec_prot_cfg);
+    kmp_api_t *new_kmp = ws_pae_auth_kmp_create_and_start(pae_auth->kmp_service, next_type, supp_entry, pae_auth->sec_prot_cfg, pae_auth->sec_timer_cfg);
     if (!new_kmp) {
         return;
     }
@@ -1033,7 +1027,7 @@ static void ws_pae_auth_next_kmp_trigger(pae_auth_t *pae_auth, supp_entry_t *sup
             return;
         }
         // Create TLS instance */
-        if (ws_pae_auth_kmp_create_and_start(pae_auth->kmp_service, TLS_PROT, supp_entry, pae_auth->sec_prot_cfg) == NULL) {
+        if (ws_pae_auth_kmp_create_and_start(pae_auth->kmp_service, TLS_PROT, supp_entry, pae_auth->sec_prot_cfg, pae_auth->sec_timer_cfg) == NULL) {
             ws_pae_lib_kmp_list_delete(&supp_entry->kmp_list, new_kmp);
             return;
         }
@@ -1100,10 +1094,10 @@ static kmp_type_e ws_pae_auth_next_protocol_get(pae_auth_t *pae_auth, supp_entry
     return next_type;
 }
 
-static kmp_api_t *ws_pae_auth_kmp_create_and_start(kmp_service_t *service, kmp_type_e type, supp_entry_t *supp_entry, sec_prot_cfg_t *cfg)
+static kmp_api_t *ws_pae_auth_kmp_create_and_start(kmp_service_t *service, kmp_type_e type, supp_entry_t *supp_entry, sec_prot_cfg_t *prot_cfg, sec_timer_cfg_t *timer_cfg)
 {
     // Create KMP instance for new authentication
-    kmp_api_t *kmp = kmp_api_create(service, type, cfg);
+    kmp_api_t *kmp = kmp_api_create(service, type, prot_cfg, timer_cfg);
 
     if (!kmp) {
         return NULL;

source/6LoWPAN/ws/ws_pae_lib.c

@@ -26,8 +26,8 @@
 #include "NWK_INTERFACE/Include/protocol.h"
 #include "6LoWPAN/ws/ws_cfg_settings.h"
 #include "6LoWPAN/ws/ws_config.h"
-#include "6LoWPAN/ws/ws_pae_timers.h"
 #include "Security/protocols/sec_prot_cfg.h"
+#include "6LoWPAN/ws/ws_pae_timers.h"
 #include "Security/kmp/kmp_addr.h"
 #include "Security/kmp/kmp_api.h"
 #include "Security/protocols/sec_prot_certs.h"
@@ -242,17 +242,16 @@ bool ws_pae_lib_supp_list_timer_update(void *instance, supp_list_t *active_supp_
     return timer_running;
 }
 
-void ws_pae_lib_supp_list_slow_timer_update(supp_list_t *supp_list, sec_timer_cfg_t *timer_settings, uint16_t seconds)
+void ws_pae_lib_supp_list_slow_timer_update(supp_list_t *supp_list, uint16_t seconds)
 {
     ns_list_foreach(supp_entry_t, entry, supp_list) {
-        if (sec_prot_keys_pmk_lifetime_decrement(&entry->sec_keys, timer_settings->pmk_lifetime, seconds)) {
+        if (sec_prot_keys_pmk_lifetime_decrement(&entry->sec_keys, seconds)) {
             tr_info("PMK and PTK expired, eui-64: %s, system time: %"PRIu32"", trace_array(entry->addr.eui_64, 8), protocol_core_monotonic_time / 10);
         }
-        if (sec_prot_keys_ptk_lifetime_decrement(&entry->sec_keys, timer_settings->ptk_lifetime, seconds)) {
+        if (sec_prot_keys_ptk_lifetime_decrement(&entry->sec_keys, seconds)) {
             tr_info("PTK expired, eui-64: %s, system time: %"PRIu32"", trace_array(entry->addr.eui_64, 8), protocol_core_monotonic_time / 10);
         }
     }
-
 }
 
 void ws_pae_lib_supp_init(supp_entry_t *entry)

source/6LoWPAN/ws/ws_pae_lib.h

@@ -252,11 +252,10 @@ bool ws_pae_lib_supp_list_timer_update(void *instance, supp_list_t *active_supp_
  *  ws_pae_lib_supp_list_slow_timer_update updates slow timer on supplicant list
  *
  * \param supp_list list of supplicants
- * \param timer_settings timer settings
  * \param seconds seconds
  *
  */
-void ws_pae_lib_supp_list_slow_timer_update(supp_list_t *supp_list, sec_timer_cfg_t *timer_settings, uint16_t seconds);
+void ws_pae_lib_supp_list_slow_timer_update(supp_list_t *supp_list, uint16_t seconds);
 
 /**
  *  ws_pae_lib_supp_list_timer_update updates supplicant timers

source/6LoWPAN/ws/ws_pae_nvm_data.c

@@ -204,10 +204,12 @@ void ws_pae_nvm_store_keys_tlv_create(nvm_tlv_t *tlv_entry, sec_prot_keys_t *sec
     uint8_t *pmk = sec_prot_keys_pmk_get(sec_keys);
     if (pmk) {
         *tlv++ = PAE_NVM_FIELD_SET;
+        uint32_t lifetime = sec_prot_keys_pmk_lifetime_get(sec_keys);
+        tlv = common_write_32_bit(lifetime, tlv);
         memcpy(tlv, pmk, PMK_LEN);
     } else {
         *tlv++ = PAE_NVM_FIELD_NOT_SET;
-        memset(tlv, 0, PMK_LEN);
+        memset(tlv, 0, 4 + PMK_LEN);
     }
     tlv += PMK_LEN;
 
@@ -217,10 +219,12 @@ void ws_pae_nvm_store_keys_tlv_create(nvm_tlv_t *tlv_entry, sec_prot_keys_t *sec
     uint8_t *ptk = sec_prot_keys_ptk_get(sec_keys);
     if (ptk) {
         *tlv++ = PAE_NVM_FIELD_SET;
+        uint32_t lifetime = sec_prot_keys_ptk_lifetime_get(sec_keys);
+        tlv = common_write_32_bit(lifetime, tlv);
         memcpy(tlv, ptk, PTK_LEN);
     } else {
         *tlv++ = PAE_NVM_FIELD_NOT_SET;
-        memset(tlv, 0, PTK_LEN);
+        memset(tlv, 0, 4 + PTK_LEN);
     }
     tlv += PTK_LEN;
 
@@ -247,7 +251,11 @@ int8_t ws_pae_nvm_store_keys_tlv_read(nvm_tlv_t *tlv_entry, sec_prot_keys_t *sec
 
     // PMK set
     if (*tlv++ == PAE_NVM_FIELD_SET) {
-        sec_prot_keys_pmk_write(sec_keys, tlv);
+        uint32_t lifetime = common_read_32_bit(tlv);
+        tlv += 4;
+        sec_prot_keys_pmk_write(sec_keys, tlv, lifetime);
+    } else {
+        tlv += 4;
     }
     tlv += PMK_LEN;
 
@@ -257,7 +265,11 @@ int8_t ws_pae_nvm_store_keys_tlv_read(nvm_tlv_t *tlv_entry, sec_prot_keys_t *sec
 
     // PTK set
     if (*tlv++ == PAE_NVM_FIELD_SET) {
-        sec_prot_keys_ptk_write(sec_keys, tlv);
+        uint32_t lifetime = common_read_32_bit(tlv);
+        tlv += 4;
+        sec_prot_keys_ptk_write(sec_keys, tlv, lifetime);
+    } else {
+        tlv += 4;
     }
 
     tlv += PTK_LEN;

source/6LoWPAN/ws/ws_pae_nvm_data.h

@@ -38,8 +38,8 @@
 // pan_id (2) +  network name (33) + (GTK set (1) + GTK expiry timestamp (8) + status (1) + install order (1) + GTK (16)) * 4
 #define PAE_NVM_NW_INFO_LEN              2 + 33 + (1 + 8 + 1 + 1 + GTK_LEN) * GTK_NUM
 
-// PTK EUI-64 set (1) + PTK EUI-64 (8) + PMK set (1) + PMK (32) + PMK replay counter (8) + PTK set (1) + PTK (48)
-#define PAE_NVM_KEYS_LEN                 1 + 8 + 1 + PMK_LEN + 8 + 1 + PTK_LEN
+// PTK EUI-64 set (1) + PTK EUI-64 (8) + PMK set (1) + PMK lifetime (4) + PMK (32) + PMK replay counter (8) + PTK set (1) + PTK lifetime (4) + PTK (48)
+#define PAE_NVM_KEYS_LEN                 1 + 8 + 1 + 4 + PMK_LEN + 8 + 1 + 4 + PTK_LEN
 
 // restart counter + stored time + (frame counter set (1) + GTK (16) + frame counter (4)) * 4
 #define PAE_NVM_FRAME_COUNTER_LEN        4 + 8 + (1 + GTK_LEN + 4) * GTK_NUM

source/6LoWPAN/ws/ws_pae_supp.c

@@ -1137,7 +1137,7 @@ static kmp_api_t *ws_pae_supp_kmp_incoming_ind(kmp_service_t *service, kmp_type_
 static kmp_api_t *ws_pae_supp_kmp_create_and_start(kmp_service_t *service, kmp_type_e type, pae_supp_t *pae_supp)
 {
     // Create new instance
-    kmp_api_t *kmp = kmp_api_create(service, type, pae_supp->sec_prot_cfg);
+    kmp_api_t *kmp = kmp_api_create(service, type, pae_supp->sec_prot_cfg, pae_supp->sec_timer_cfg);
     if (!kmp) {
         return NULL;
     }

source/6LoWPAN/ws/ws_pae_timers.c

@@ -26,6 +26,7 @@
 #include "NWK_INTERFACE/Include/protocol.h"
 #include "6LoWPAN/ws/ws_config.h"
 #include "6LoWPAN/ws/ws_cfg_settings.h"
+#include "Security/protocols/sec_prot_cfg.h"
 #include "6LoWPAN/ws/ws_pae_timers.h"
 
 #ifdef HAVE_WS

source/6LoWPAN/ws/ws_pae_timers.h

@@ -18,18 +18,6 @@
 #ifndef WS_PAE_TIMERS_H_
 #define WS_PAE_TIMERS_H_
 
-typedef struct sec_timer_cfg_s {
-    uint32_t gtk_expire_offset;                      /* GTK lifetime; GTK_EXPIRE_OFFSET (seconds) */
-    uint32_t pmk_lifetime;                           /* PMK lifetime (seconds) */
-    uint32_t ptk_lifetime;                           /* PTK lifetime (seconds) */
-    uint16_t gtk_new_act_time;                       /* GTK_NEW_ACTIVATION_TIME (1/X of expire offset) */
-    uint16_t revocat_lifetime_reduct;                /* REVOCATION_LIFETIME_REDUCTION (reduction of lifetime) */
-    uint16_t gtk_request_imin;                       /* GTK_REQUEST_IMIN (seconds) */
-    uint16_t gtk_request_imax;                       /* GTK_REQUEST_IMAX (seconds) */
-    uint16_t gtk_max_mismatch;                       /* GTK_MAX_MISMATCH (seconds) */
-    uint8_t gtk_new_install_req;                     /* GTK_NEW_INSTALL_REQUIRED (percent of GTK lifetime) */
-} sec_timer_cfg_t;
-
 /**
  * ws_pae_timers_settings_init initializes timer settings structure
  *

source/Security/kmp/kmp_api.c

@@ -99,7 +99,7 @@ static void kmp_sec_prot_receive_disable(sec_prot_t *prot);
 
 #define kmp_api_get_from_prot(prot) (kmp_api_t *)(((uint8_t *)prot) - offsetof(kmp_api_t, sec_prot));
 
-kmp_api_t *kmp_api_create(kmp_service_t *service, kmp_type_e type, sec_prot_cfg_t *cfg)
+kmp_api_t *kmp_api_create(kmp_service_t *service, kmp_type_e type, sec_prot_cfg_t *prot_cfg, sec_timer_cfg_t *timer_cfg)
 {
     if (!service) {
         return 0;
@@ -151,7 +151,8 @@ kmp_api_t *kmp_api_create(kmp_service_t *service, kmp_type_e type, sec_prot_cfg_
     kmp->sec_prot.addr_get = kmp_sec_prot_eui64_addr_get;
     kmp->sec_prot.type_get = kmp_sec_prot_by_type_get;
     kmp->sec_prot.receive_disable = kmp_sec_prot_receive_disable;
-    kmp->sec_prot.cfg = cfg;
+    kmp->sec_prot.prot_cfg = prot_cfg;
+    kmp->sec_prot.timer_cfg = timer_cfg;
 
     if (sec_prot->init(&kmp->sec_prot) < 0) {
         ns_dyn_mem_free(kmp);

source/Security/kmp/kmp_api.h

@@ -125,12 +125,13 @@ typedef void kmp_api_finished(kmp_api_t *kmp);
  *
  * \param service KMP service
  * \param type KMP type
- * \param cfg configuration
+ * \param prot_cfg protocol configuration
+ * \param timer_cfg timer configuration
  *
  * \return KMP instance or NULL
  *
  */
-kmp_api_t *kmp_api_create(kmp_service_t *service, kmp_type_e type, sec_prot_cfg_t *cfg);
+kmp_api_t *kmp_api_create(kmp_service_t *service, kmp_type_e type, sec_prot_cfg_t *prot_cfg, sec_timer_cfg_t *timer_cfg);
 
 /**
  * kmp_api_start start KMP api

source/Security/protocols/eap_tls_sec_prot/auth_eap_tls_sec_prot.c

@@ -189,7 +189,7 @@ static int8_t auth_eap_tls_sec_prot_receive(sec_prot_t *prot, void *pdu, uint16_
                 // Call state machine
                 prot->state_machine(prot);
                 // Resets trickle timer to give time for supplicant to answer
-                sec_prot_timer_trickle_start(&data->common, &prot->cfg->sec_prot_trickle_params);
+                sec_prot_timer_trickle_start(&data->common, &prot->prot_cfg->sec_prot_trickle_params);
                 data->init_key_cnt++;
             }
             // Filters repeated initial EAPOL-key messages
@@ -297,7 +297,7 @@ static void auth_eap_tls_sec_prot_timer_timeout(sec_prot_t *prot, uint16_t ticks
     }
 
     sec_prot_timer_timeout_handle(prot, &data->common,
-                                  &prot->cfg->sec_prot_trickle_params, ticks);
+                                  &prot->prot_cfg->sec_prot_trickle_params, ticks);
 }
 
 static void auth_eap_tls_sec_prot_tls_create_indication(sec_prot_t *tls_prot)
@@ -421,7 +421,7 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
             auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_IDENTITY, EAP_TLS_EXCHANGE_NONE);
 
             // Start trickle timer to re-send if no response
-            sec_prot_timer_trickle_start(&data->common, &prot->cfg->sec_prot_trickle_params);
+            sec_prot_timer_trickle_start(&data->common, &prot->prot_cfg->sec_prot_trickle_params);
 
             sec_prot_state_set(prot, &data->common, EAP_TLS_STATE_RESPONSE_ID);
             break;
@@ -445,7 +445,7 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
             auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_START);
 
             // Start trickle timer to re-send if no response
-            sec_prot_timer_trickle_start(&data->common, &prot->cfg->sec_prot_trickle_params);
+            sec_prot_timer_trickle_start(&data->common, &prot->prot_cfg->sec_prot_trickle_params);
 
             sec_prot_state_set(prot, &data->common, EAP_TLS_STATE_RESPONSE_START);
             break;
@@ -527,7 +527,7 @@ static void auth_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
                 auth_eap_tls_sec_prot_message_send(prot, EAP_REQ, EAP_TLS, EAP_TLS_EXCHANGE_ONGOING);
 
                 // Start trickle timer to re-send if no response
-                sec_prot_timer_trickle_start(&data->common, &prot->cfg->sec_prot_trickle_params);
+                sec_prot_timer_trickle_start(&data->common, &prot->prot_cfg->sec_prot_trickle_params);
             } else {
                 // TLS done, indicate success to peer
                 if (data->tls_result == EAP_TLS_RESULT_HANDSHAKE_OVER) {

source/Security/protocols/eap_tls_sec_prot/supp_eap_tls_sec_prot.c

@@ -404,7 +404,7 @@ static void supp_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
             }
 
             // Set retry timeout based on network size
-            data->common.ticks = prot->cfg->sec_prot_retry_timeout;
+            data->common.ticks = prot->prot_cfg->sec_prot_retry_timeout;
 
             // Store sequence ID
             supp_eap_tls_sec_prot_seq_id_update(prot);
@@ -449,7 +449,7 @@ static void supp_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
             supp_eap_tls_sec_prot_seq_id_update(prot);
 
             sec_prot_state_set(prot, &data->common, EAP_TLS_STATE_REQUEST);
-            data->common.ticks = prot->cfg->sec_prot_retry_timeout;
+            data->common.ticks = prot->prot_cfg->sec_prot_retry_timeout;
 
             // Initialize TLS protocol
             if (supp_eap_tls_sec_prot_init_tls(prot) < 0) {
@@ -483,7 +483,7 @@ static void supp_eap_tls_sec_prot_state_machine(sec_prot_t *prot)
                 // Store sequence ID
                 if (supp_eap_tls_sec_prot_seq_id_update(prot)) {
                     // When receiving a new sequence number, adds more time for re-send if no response
-                    data->common.ticks = prot->cfg->sec_prot_retry_timeout;
+                    data->common.ticks = prot->prot_cfg->sec_prot_retry_timeout;
                 }
 
                 // All fragments received for a message

source/Security/protocols/fwh_sec_prot/auth_fwh_sec_prot.c

@@ -313,7 +313,7 @@ static int8_t auth_fwh_sec_prot_message_send(sec_prot_t *prot, fwh_sec_prot_msg_
 static void auth_fwh_sec_prot_timer_timeout(sec_prot_t *prot, uint16_t ticks)
 {
     fwh_sec_prot_int_t *data = fwh_sec_prot_get(prot);
-    sec_prot_timer_timeout_handle(prot, &data->common, &prot->cfg->sec_prot_trickle_params, ticks);
+    sec_prot_timer_timeout_handle(prot, &data->common, &prot->prot_cfg->sec_prot_trickle_params, ticks);
 }
 
 static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot)
@@ -350,7 +350,7 @@ static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot)
             auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_1);
 
             // Start trickle timer to re-send if no response
-            sec_prot_timer_trickle_start(&data->common, &prot->cfg->sec_prot_trickle_params);
+            sec_prot_timer_trickle_start(&data->common, &prot->prot_cfg->sec_prot_trickle_params);
 
             sec_prot_state_set(prot, &data->common, FWH_STATE_MESSAGE_2);
             break;
@@ -378,7 +378,7 @@ static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot)
                 auth_fwh_sec_prot_message_send(prot, FWH_MESSAGE_3);
 
                 // Start trickle timer to re-send if no response
-                sec_prot_timer_trickle_start(&data->common, &prot->cfg->sec_prot_trickle_params);
+                sec_prot_timer_trickle_start(&data->common, &prot->prot_cfg->sec_prot_trickle_params);
 
                 sec_prot_state_set(prot, &data->common, FWH_STATE_MESSAGE_4);
             }
@@ -406,7 +406,7 @@ static void auth_fwh_sec_prot_state_machine(sec_prot_t *prot)
                 // Reset PTK mismatch
                 sec_prot_keys_ptk_mismatch_reset(prot->sec_keys);
                 // Update PTK
-                sec_prot_keys_ptk_write(prot->sec_keys, data->new_ptk);
+                sec_prot_keys_ptk_write(prot->sec_keys, data->new_ptk, prot->timer_cfg->ptk_lifetime);
                 sec_prot_keys_ptk_eui_64_write(prot->sec_keys, data->remote_eui64);
                 sec_prot_state_set(prot, &data->common, FWH_STATE_FINISH);
             }