[PATCH 1/2] wpa_supplicant: Handle randomization changes for same ESS

Jouni Malinen j at w1.fi
Mon Dec 5 09:16:18 PST 2022

> On 5. Dec 2022, at 19.04, Andrzej Ostruszka <amo at semihalf.com> wrote:
> On Fri, Dec 02, 2022 at 12:49:13PM +0200, Jouni Malinen wrote:
>> Wouldn't this disable PMKSA caching completely for all rand_style > 0
>> cases? In particular, this flushing of the PMKSA cache entries seems
>> undesired for rand_style==3 when reassociating within the ESS using the
>> same MAC address.
> You are right.  I'll change wpas_update_random_addr() to return "> 0"
> when the address has been changed, "0" for no change and "< 0" on error
> (like it is now) and will flush only for "> 0".
> BTW shouldn't we also clear cache when restoring hardware MAC?

The PMKSA cache entries are cleared mainly to avoid exposing the same PMKID when using MAC address randomization for privacy protection. In addition, entries are removed when something changes in the local configuration if that change might have an impact on the authentication or key derivation.

I recently added more checks on the local address that was used when a PMKSA cache entry was aded, so likely the only remaining reason to flush entries on address change would be to free some resources when using random MAC addresses with no plan on restoring a previously used address. For cases where a previously used MAC address is restored (whether a globally unique one or a per-ESS random one) for connection purposes, the PMKSA cache entries should not really be removed since use of the same PMKID does not reveal more than use of the same MAC address about the device and wpa_supplicant uses an entry for PMKSA caching only if the currently used address matches the one that was used to generate the PMKSA.

- Jouni

More information about the Hostap mailing list