[PATCH] dbus: Add FlushPMKSA method to D-Bus interface

Sbenazar voroninan95ton at gmail.com
Fri Apr 3 03:57:10 PDT 2026 

Expose PMKSA_FLUSH over D-Bus. The new FlushPMKSA method on
fi.w1.wpa_supplicant1.Interface does the same thing as the existing
control interface command: flushes PTKSA, PMKSA, and (with CONFIG_AP)
AP-side PMKSA caches. doc/dbus.doxygen updated too.

I hit this because NetworkManager only talks D-Bus and had no way to
flush the PMKSA cache before suspend. After resume the supplicant
tries to reconnect with a stale PMKID, and the AP rejects it:

  10:26:22  PMKSA-CACHE-ADDED (stale, from before suspend)
  10:26:23  ASSOC-REJECT status_code=53
  10:26:23  PMKSA-CACHE-REMOVED, re-auth, PMKSA-CACHE-ADDED
  10:26:46  Disconnected (reason=2, PREV_AUTH_NOT_VALID)
  10:27:01  SSID temp-disabled after repeated failures

Happens on every SAE network I tested (two APs, 2.4/5 GHz, ath11k
WCN6855). Full journal available on request.

Related NM issues:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1871
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1472

NM side (calls FlushPMKSA on disconnect):
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2393

Signed-off-by: Sbenazar <voroninan95ton at gmail.com>
---
 doc/dbus.doxygen                        |  5 +++++
 wpa_supplicant/dbus/dbus_new.c          |  6 ++++++
 wpa_supplicant/dbus/dbus_new_handlers.c | 22 ++++++++++++++++++++++
 wpa_supplicant/dbus/dbus_new_handlers.h |  3 +++
 4 files changed, 36 insertions(+)

diff --git a/doc/dbus.doxygen b/doc/dbus.doxygen
index fa73e8a..0a288d1 100644
--- a/doc/dbus.doxygen
+++ b/doc/dbus.doxygen
@@ -709,6 +709,11 @@ fi.w1.wpa_supplicant1.CreateInterface.
 	</dl>
       </li>
 
+      <li>
+	<h3>FlushPMKSA ( ) --> nothing</h3>
+	<p>Flush PMKSA and PTKSA cache entries.</p>
+      </li>
+
       <li>
 	<h3>SubscribeProbeReq ( ) --> nothing</h3>
 	<p>Subscribe to receive Probe Request events. This is needed in addition to registering a signal handler for the ProbeRequest signal to avoid flooding D-Bus with all Probe Request indications when no application is interested in them.</p>
diff --git a/wpa_supplicant/dbus/dbus_new.c b/wpa_supplicant/dbus/dbus_new.c
index 2989002..7506f97 100644
--- a/wpa_supplicant/dbus/dbus_new.c
+++ b/wpa_supplicant/dbus/dbus_new.c
@@ -3715,6 +3715,12 @@ static const struct wpa_dbus_method_desc wpas_dbus_interface_methods[] = {
 		  END_ARGS
 	  }
 	},
+	{ "FlushPMKSA", WPAS_DBUS_NEW_IFACE_INTERFACE,
+	  (WPADBusMethodHandler) wpas_dbus_handler_flush_pmksa,
+	  {
+		  END_ARGS
+	  }
+	},
 #ifdef CONFIG_AP
 	{ "SubscribeProbeReq", WPAS_DBUS_NEW_IFACE_INTERFACE,
 	  (WPADBusMethodHandler) wpas_dbus_handler_subscribe_preq,
diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
index cb4a8a6..95a7df1 100644
--- a/wpa_supplicant/dbus/dbus_new_handlers.c
+++ b/wpa_supplicant/dbus/dbus_new_handlers.c
@@ -13,6 +13,7 @@
 #include "common.h"
 #include "common/ieee802_11_defs.h"
 #include "common/nan_de.h"
+#include "common/ptksa_cache.h"
 #include "eap_peer/eap_methods.h"
 #include "eapol_supp/eapol_supp_sm.h"
 #include "rsn_supp/wpa.h"
@@ -2737,6 +2738,27 @@ DBusMessage * wpas_dbus_handler_flush_bss(DBusMessage *message,
 }
 
 
+/*
+ * wpas_dbus_handler_flush_pmksa - Flush the PMKSA cache
+ * @message: Pointer to incoming dbus message
+ * @wpa_s: wpa_supplicant structure for a network interface
+ * Returns: NULL
+ *
+ * Handler function for "FlushPMKSA" method call of network interface.
+ */
+DBusMessage * wpas_dbus_handler_flush_pmksa(DBusMessage *message,
+					    struct wpa_supplicant *wpa_s)
+{
+	ptksa_cache_flush(wpa_s->ptksa, NULL, WPA_CIPHER_NONE);
+	wpa_sm_pmksa_cache_flush(wpa_s->wpa, NULL);
+#ifdef CONFIG_AP
+	wpas_ap_pmksa_cache_flush(wpa_s);
+#endif /* CONFIG_AP */
+
+	return NULL;
+}
+
+
 #ifdef CONFIG_AUTOSCAN
 /**
  * wpas_dbus_handler_autoscan - Set autoscan parameters for the interface
diff --git a/wpa_supplicant/dbus/dbus_new_handlers.h b/wpa_supplicant/dbus/dbus_new_handlers.h
index 24ee678..e969757 100644
--- a/wpa_supplicant/dbus/dbus_new_handlers.h
+++ b/wpa_supplicant/dbus/dbus_new_handlers.h
@@ -135,6 +135,9 @@ DBusMessage * wpas_dbus_handler_set_pkcs11_engine_and_module_path(
 DBusMessage * wpas_dbus_handler_flush_bss(DBusMessage *message,
 					  struct wpa_supplicant *wpa_s);
 
+DBusMessage * wpas_dbus_handler_flush_pmksa(DBusMessage *message,
+					    struct wpa_supplicant *wpa_s);
+
 DBusMessage * wpas_dbus_handler_autoscan(DBusMessage *message,
 					 struct wpa_supplicant *wpa_s);
 
-- 
2.53.0

More information about the Hostap mailing list