[PATCH] wpa_supplicant: Cache PMK for 802.1X 4-way handshake offload

Chung-Hsien Hsu chung-hsien.hsu at infineon.com
Tue Jun 2 19:22:28 PDT 2026 

When driver-based 4-way handshake offload is used with IEEE 802.1X,
wpa_supplicant_eapol_cb() retrieves the PMK from the EAPOL state machine
and configures it to the driver. However, this path bypasses the normal
host-driven EAPOL-Key processing path that stores the PMK in the WPA
state machine and updates the PMKSA cache.

Store the PMK in the WPA state machine after it has been retrieved for
the driver-based 4-way handshake path. For the same non-FT and
non-Suite-B RSN IEEE 802.1X cases where the host-driven EAPOL-Key
processing path creates a PMKSA cache entry, pass the authenticator
address to wpa_sm_set_pmk() so that the PMKSA cache is updated as well.
For MLO associations, wpa_sm_get_auth_addr() returns the AP MLD address.

This keeps the FT and Suite-B PMKSA cache handling unchanged since those
AKMs have separate PMKID derivation and caching requirements.

Signed-off-by: Chung-Hsien Hsu <chung-hsien.hsu at infineon.com>
---
 wpa_supplicant/wpas_glue.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index e57114503228..d89a11033b5f 100644
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@@ -292,6 +292,7 @@ static void wpa_supplicant_eapol_cb(struct eapol_sm *eapol,
 				    void *ctx)
 {
 	struct wpa_supplicant *wpa_s = ctx;
+	const u8 *auth_addr = NULL;
 	int res, pmk_len;
 	u8 pmk[PMK_LEN_MAX];
 
@@ -380,6 +381,15 @@ static void wpa_supplicant_eapol_cb(struct eapol_sm *eapol,
 		wpa_printf(MSG_DEBUG, "Failed to set PMK to the driver");
 	}
 
+	if (wpa_s->wpa_proto == WPA_PROTO_RSN &&
+	    !wpa_key_mgmt_suite_b(wpa_s->key_mgmt) &&
+	    !wpa_key_mgmt_ft(wpa_s->key_mgmt)) {
+		auth_addr = wpa_sm_get_auth_addr(wpa_s->wpa);
+		if (is_zero_ether_addr(auth_addr))
+			auth_addr = NULL;
+	}
+	wpa_sm_set_pmk(wpa_s->wpa, pmk, pmk_len, NULL, auth_addr);
+
 	wpa_supplicant_cancel_scan(wpa_s);
 	wpa_supplicant_cancel_auth_timeout(wpa_s);
 	wpa_supplicant_set_state(wpa_s, WPA_COMPLETED);
-- 
2.25.1

More information about the Hostap mailing list