[PATCH v2 24/28] EPPKE: Skip 4-Way handshake and authorize supplicant port on association
Ainy Kumari
ainy.kumari at oss.qualcomm.com
Tue Jan 6 05:45:34 PST 2026
For EPPKE authentication, PTK is derived during authentication frame
exchange. Skip EAPOL 4-Way handshake and move supplicant state to
WPA_CONNECTED after association. Update state handling to authorize
the port and ensure proper control for SME-in-Userspace scenarios.
Signed-off-by: Ainy Kumari <ainy.kumari at oss.qualcomm.com>
---
src/rsn_supp/wpa.c | 10 ++++++++++
src/rsn_supp/wpa.h | 6 ++++++
src/rsn_supp/wpa_i.h | 3 +++
wpa_supplicant/events.c | 12 ++++++++++++
wpa_supplicant/wpa_supplicant.c | 5 +++++
5 files changed, 36 insertions(+)
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 01ca1679d..5f0b0e3d8 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -7076,6 +7076,16 @@ int wpa_fils_is_completed(struct wpa_sm *sm)
}
+int wpa_eppke_is_completed(struct wpa_sm *sm)
+{
+#ifdef CONFIG_ENC_ASSOC
+ return sm && sm->eppke_completed;
+#else /* CONFIG_ENC_ASSOC */
+ return 0;
+#endif /* CONFIG_ENC_ASSOC */
+}
+
+
#ifdef CONFIG_OWE
struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group)
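Review bot: `sm->eppke_completed` is only read in this patch, so nothing visible here shows where it is set or, more importantly, where it is cleared. The association path uses this predicate to skip `wpa_clear_keys()` and, per the commit message, the 4-way handshake, so a stale value would carry over into a later non-EPPKE association. Another patch in the series presumably handles the reset, but the contract is worth stating on the function, e.g. `/* Return 1 only if the PTK for the current association was derived by EPPKE authentication; the flag must be reset on disconnect and on every new authentication attempt */`. The same expectation could be noted next to the bit-field added in wpa_i.h.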
diff --git a/src/rsn_supp/wpa.h b/src/rsn_supp/wpa.h
index acd905b71..46e03ad99 100644
--- a/src/rsn_supp/wpa.h
+++ b/src/rsn_supp/wpa.h
@@ -280,6 +280,7 @@ void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
const u8 *ptk_kck, size_t ptk_kck_len,
const u8 *ptk_kek, size_t ptk_kek_len);
int wpa_fils_is_completed(struct wpa_sm *sm);
+int wpa_eppke_is_completed(struct wpa_sm *sm);
void wpa_sm_pmksa_cache_reconfig(struct wpa_sm *sm);
int wpa_sm_set_mlo_params(struct wpa_sm *sm, const struct wpa_sm_mlo *mlo);
void wpa_sm_set_driver_bss_selection(struct wpa_sm *sm,
@@ -518,6 +519,11 @@ static inline int wpa_fils_is_completed(struct wpa_sm *sm)
return 0;
}
+static inline int wpa_eppke_is_completed(struct wpa_sm *sm)
+{
+ return 0;
+}
+
static inline void wpa_sm_pmksa_cache_reconfig(struct wpa_sm *sm)
{
}
diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
index d0c3541b5..c36a1f3ae 100644
--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
@@ -223,6 +223,9 @@ struct wpa_sm {
u8 fils_ft[FILS_FT_MAX_LEN];
size_t fils_ft_len;
#endif /* CONFIG_FILS */
+#ifdef CONFIG_ENC_ASSOC
+ unsigned int eppke_completed:1;
+#endif /* CONFIG_ENC_ASSOC */
#ifdef CONFIG_OWE
struct crypto_ecdh *owe_ecdh;
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 3083271f8..ba79f7f6d 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -4409,6 +4409,9 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s,
if (!ft_completed)
ft_completed = wpa_fils_is_completed(wpa_s->wpa);
+ if (!ft_completed)
+ ft_completed = wpa_eppke_is_completed(wpa_s->wpa);
+
wpa_supplicant_set_state(wpa_s, WPA_ASSOCIATED);
if (!ether_addr_equal(bssid, wpa_s->bssid)) {
if (os_reltime_initialized(&wpa_s->session_start)) {
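Review bot: `ft_completed` now also means "EPPKE completed" (it already covered FILS), so the name no longer says what the flag gates. Further down it suppresses `wpa_clear_keys()`, and per the commit message it also suppresses the 4-way handshake. A short comment above the new lines would help, e.g. `/* EPPKE derives the PTK during authentication, so treat it like FT/FILS: keep the installed keys and skip the 4-way handshake */`. Renaming the local is a larger cleanup that could go in a separate patch; the function starts and ends outside this hunk.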
@@ -4432,6 +4435,7 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s,
if (wpa_supplicant_dynamic_keys(wpa_s) && !ft_completed) {
wpa_clear_keys(wpa_s, bssid);
}
+
if (wpa_supplicant_select_config(wpa_s, data) < 0) {
wpa_supplicant_deauthenticate(
wpa_s, WLAN_REASON_DEAUTH_LEAVING);
@@ -4467,6 +4471,14 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s,
#endif /* CONFIG_SME */
wpa_msg(wpa_s, MSG_INFO, "Associated with " MACSTR, MAC2STR(bssid));
+#ifdef CONFIG_SME
+#ifdef CONFIG_ENC_ASSOC
+ if (wpa_s->sme.auth_alg == WPA_AUTH_ALG_EPPKE) {
+ data->assoc_info.authorized = true;
+ wpa_supplicant_set_state(wpa_s, WPA_COMPLETED);
+ }
+#endif /* CONFIG_ENC_ASSOC */
+#endif
if (wpa_s->current_ssid) {
/* When using scanning (ap_scan=1), SIM PC/SC interface can be
* initialized before association, but for other modes,
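Review bot: The port is marked authorized and the state forced to WPA_COMPLETED on `wpa_s->sme.auth_alg == WPA_AUTH_ALG_EPPKE` alone, with no check that key derivation actually finished or that the driver uses the wpa_supplicant SME. I would gate it on the state machine's own flag, `if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) && wpa_auth_alg_eppke(wpa_s->sme.auth_alg) && wpa_eppke_is_completed(wpa_s->wpa)) {`, which also reuses the helper from the wpa_supplicant.c hunk (presumably equivalent to the `==` test). The `wpa_drv_set_supp_port(wpa_s, 1)` call added in wpa_supplicant_set_state() has the same gap, since it opens the controlled port on the auth algorithm alone. The rest of wpa_supplicant_event_assoc() is outside this hunk, so whether `data` can be NULL here is not visible; if it can, the store to `data->assoc_info.authorized` needs a guard. The commit message also says WPA_CONNECTED while the code sets WPA_COMPLETED.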
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 70c92ea00..1bd43a0bf 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -1216,6 +1216,11 @@ void wpa_supplicant_set_state(struct wpa_supplicant *wpa_s,
MAC2STR(wpa_s->ap_mld_addr));
#ifdef CONFIG_SME
+#ifdef CONFIG_ENC_ASSOC
+ if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) &&
+ wpa_auth_alg_eppke(wpa_s->sme.auth_alg))
+ wpa_drv_set_supp_port(wpa_s, 1);
+#endif /* CONFIG_ENC_ASSOC */
if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) &&
wpa_auth_alg_fils(wpa_s->sme.auth_alg))
fils_hlp_sent = 1;
--
2.25.1