[PATCH] dbus: Add FlushPMKSA method to D-Bus interface

Jouni Malinen j at w1.fi
Sat Apr 4 06:36:53 PDT 2026


On Fri, Apr 03, 2026 at 01:57:10PM +0300, Sbenazar wrote:
> Expose PMKSA_FLUSH over D-Bus. The new FlushPMKSA method on
> fi.w1.wpa_supplicant1.Interface does the same thing as the existing
> control interface command: flushes PTKSA, PMKSA, and (with CONFIG_AP)
> AP-side PMKSA caches. doc/dbus.doxygen updated too.

I would have no issues adding such functionality, but this is not the
best solution for what is described as the issue here:

> I hit this because NetworkManager only talks D-Bus and had no way to
> flush the PMKSA cache before suspend. After resume the supplicant
> tries to reconnect with a stale PMKID, and the AP rejects it:
> 
>   10:26:22  PMKSA-CACHE-ADDED (stale, from before suspend)
>   10:26:23  ASSOC-REJECT status_code=53
>   10:26:23  PMKSA-CACHE-REMOVED, re-auth, PMKSA-CACHE-ADDED
>   10:26:46  Disconnected (reason=2, PREV_AUTH_NOT_VALID)
>   10:27:01  SSID temp-disabled after repeated failures
> 
> Happens on every SAE network I tested (two APs, 2.4/5 GHz, ath11k
> WCN6855). Full journal available on request.

wpa_supplicant needs to handle such cases on its own without depending
on external components to clear the PMKSA cache. Blindly clearing the
PMKSA cache based on an association rejection is not a good idea since
that can result in DoS attacks based on unauthenticated frames. In fact,
wpa_supplicant is already supposed to do this with "PMKSA caching
attempt rejected - drop PMKSA cache entry and fall back to SAE
authentication" showing up in the debug log when the PMKSA cache entry
is removed due to the AP rejecting the attempt to use PMKSA caching.

Could you please provide a more detailed wpa_supplicant debug log
showing the issue?

-- 
Jouni Malinen                                            PGP id EFC895FA
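
An added example, not part of the original message or the hostap project: a small triage script that, for each `ASSOC-REJECT status_code=53` in a log, records whether the PMKSA entry removal and the fallback debug message quoted above appear afterwards. It assumes lines in the summarized `HH:MM:SS  event` timeline format from the quoted report; `triage` and the record field names are hypothetical.

```python
import re

# Constructed sample, in the summarized timeline format quoted in the thread
# (assumption: "HH:MM:SS  event" per line, not raw wpa_supplicant output).
SAMPLE = """\
10:26:22  PMKSA-CACHE-ADDED (stale, from before suspend)
10:26:23  ASSOC-REJECT status_code=53
10:26:23  PMKSA-CACHE-REMOVED, re-auth, PMKSA-CACHE-ADDED
10:26:46  Disconnected (reason=2, PREV_AUTH_NOT_VALID)
10:27:01  SSID temp-disabled after repeated failures
"""

INVALID_PMKID = 53  # IEEE 802.11 status code for an invalid PMKID
# Start of the debug message the reply says marks the built-in fallback.
FALLBACK_MSG = "PMKSA caching attempt rejected - drop PMKSA cache entry"

LINE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(.*)$")
REJECT = re.compile(r"ASSOC-REJECT\b.*\bstatus_code=(\d+)")
REASON = re.compile(r"\breason=(\d+)")


def triage(text):
    """Return one record per invalid-PMKID rejection and what followed it."""
    records, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timeline line
        ts, event = m.groups()
        rej = REJECT.search(event)
        if rej and int(rej.group(1)) == INVALID_PMKID:
            current = {"time": ts, "entry_dropped": False,
                       "fallback_logged": False,
                       "disconnect_reason": None, "temp_disabled": False}
            records.append(current)
        elif current is not None:
            low = event.lower()
            if "PMKSA-CACHE-REMOVED" in event:
                current["entry_dropped"] = True
            if FALLBACK_MSG in event:
                current["fallback_logged"] = True
            reason = REASON.search(event)
            if "disconnected" in low and reason:
                current["disconnect_reason"] = int(reason.group(1))
            if "temp-disabled" in low:
                current["temp_disabled"] = True
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```

On the constructed sample the record shows the entry being dropped after the rejection while `fallback_logged` stays false, because the summarized timeline carries no debug-level lines.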


