[gipsies]

No, the standard is secure. This is a vulnerability in the implementation. The comment in the code merely says that the explicit definition of the state machine behind a 4-way handshake implementation is not in the standard (but it's described in prose). Most standards don't provide explicit state machines.

The 802.11i is the official standard. WPA1 is based on a draft of 802.11i, while WPA2 is based on the final version of 802.11i. All of them contain the 4-way handshake.

[0xcde4c3db]

Okay, thanks for the clarification. I guess my main point of confusion is why it would work (edit: that is, why an OpenBSD client would be able to connect pre-patch), but I guess if there's no actual state machine that makes it possible for an attacker to "skip to the end"?

[gipsies]

Exactly, since there is no state machine, an attacker can immediately send the last message. The client will try to check the integrity of this message. But it will use an uninitialized all-zero key to do this! So an attacker can spoof the last message. And once the client receives this message, it will accept all traffic.