[PATCH v2 22/28] Add support for temporal key removal on association failure

Ainy Kumari ainy.kumari at oss.qualcomm.com
Tue Jan 6 05:45:32 PST 2026


From: Kavita Kavita <kavita.kavita at oss.qualcomm.com>

This change adds logic to remove the configured temporal key (TK) for
Enhanced Privacy Protection Key Exchange (EPPKE) in the event of an
association request and/or response failure.

The removal is triggered immediately upon detection of association
request/response failure.

Signed-off-by: Kavita Kavita <kavita.kavita at oss.qualcomm.com>
---
 wpa_supplicant/events.c | 10 ++++++++++
 wpa_supplicant/sme.c    | 20 ++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index d831557b3..3083271f8 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -390,6 +390,16 @@ void wpa_supplicant_mark_disassoc(struct wpa_supplicant *wpa_s)
 	}
 
 	wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
+
+#ifdef CONFIG_ENC_ASSOC
+	/* Clear configured keys and PTKSA */
+
+	if (wpa_s->ptksa &&
+	    ptksa_cache_get(wpa_s->ptksa, wpa_s->bssid, WPA_CIPHER_NONE)) {
+		wpa_clear_keys(wpa_s, wpa_s->bssid);
+		ptksa_cache_flush(wpa_s->ptksa, wpa_s->bssid, WPA_CIPHER_NONE);
+	}
+#endif
 	bssid_changed = !is_zero_ether_addr(wpa_s->bssid);
 	os_memset(wpa_s->bssid, 0, ETH_ALEN);
 	os_memset(wpa_s->pending_bssid, 0, ETH_ALEN);
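Review bot: The block added to wpa_supplicant_mark_disassoc() runs on every disassociation in a CONFIG_ENC_ASSOC build, not only on the EPPKE association failure the commit message describes. Both ptksa_cache_get() and ptksa_cache_flush() are passed WPA_CIPHER_NONE, which as far as I can tell acts as a match-any-cipher wildcard, so every PTKSA entry for this BSSID would be dropped, including ones EPPKE did not create. If that breadth is intended, the comment should say so, e.g. `/* EPPKE: remove the TK configured before association and flush its PTKSA entry (WPA_CIPHER_NONE = any cipher) */`. Key removal also depends on the cache lookup succeeding, so a TK whose PTKSA entry has already expired would apparently stay configured; worth confirming that wpa_clear_keys() need not run unconditionally here. The function body starts and ends outside the hunk.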
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index eaed91c1c..092ad6ff5 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -2997,6 +2997,17 @@ mscs_fail:
 			wpas_connection_failed(wpa_s, wpa_s->pending_bssid,
 					       NULL);
 			wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
+#ifdef CONFIG_ENC_ASSOC
+			/* Clear configured keys and PTKSA */
+
+			if (wpa_s->ptksa && ptksa_cache_get(wpa_s->ptksa,
+							    wpa_s->bssid,
+							    WPA_CIPHER_NONE)) {
+				wpa_clear_keys(wpa_s, wpa_s->bssid);
+				ptksa_cache_flush(wpa_s->ptksa, wpa_s->bssid,
+						  WPA_CIPHER_NONE);
+			}
+#endif
 			os_memset(wpa_s->pending_bssid, 0, ETH_ALEN);
 		}
 		return;
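Review bot: The added lookup, wpa_clear_keys() and ptksa_cache_flush() all use wpa_s->bssid, while the failure handling around them in this hunk reports and then zeroes wpa_s->pending_bssid. If association never completed, wpa_s->bssid may still be all-zero at this point, so the PTKSA entry would not be found and the temporal key would stay configured, which is the case this patch is meant to cover. Consider keying the cleanup on the address the TK was installed for, e.g. `const u8 *addr = is_zero_ether_addr(wpa_s->bssid) ? wpa_s->pending_bssid : wpa_s->bssid;`, and passing `addr` to all three calls. The sme_deauth() hunk below has the same mismatch, since it also calls wpas_connection_failed() with pending_bssid. The enclosing function starts outside the hunk.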
@@ -3059,6 +3070,15 @@ static void sme_deauth(struct wpa_supplicant *wpa_s, const u8 **link_bssids)
 
 	wpas_connection_failed(wpa_s, wpa_s->pending_bssid, link_bssids);
 	wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
+#ifdef CONFIG_ENC_ASSOC
+	/* Clear configured keys and PTKSA */
+
+	if (wpa_s->ptksa &&
+		ptksa_cache_get(wpa_s->ptksa, wpa_s->bssid, WPA_CIPHER_NONE)) {
+		wpa_clear_keys(wpa_s, wpa_s->bssid);
+		ptksa_cache_flush(wpa_s->ptksa, wpa_s->bssid, WPA_CIPHER_NONE);
+	}
+#endif
 	os_memset(wpa_s->bssid, 0, ETH_ALEN);
 	os_memset(wpa_s->pending_bssid, 0, ETH_ALEN);
 	if (bssid_changed)
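Review bot: This is the third verbatim copy of the clear-keys-and-flush block, after wpa_supplicant_mark_disassoc() in events.c and the association failure path earlier in sme.c. Moving it into one helper, compiled under CONFIG_ENC_ASSOC with an empty stub otherwise, would keep the key-removal condition identical at all three sites and take the #ifdef out of the callers. On style, the continuation line of the `if` is indented with two tabs here instead of being aligned under `wpa_s->ptksa` as in the events.c hunk, and the blank line between the comment and the `if` can be dropped. sme_deauth() continues past the end of the hunk.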
-- 
2.25.1



