hostapd: config_reload: Switch from WPA to open leaves keys
sven at narfation.org
Wed Apr 21 18:58:32 BST 2021
it was noticed that the hostapd runtime switch (config reload) from an AP
config with a WPA2 PSK to an open AP created a non-working AP interface. The
driver was ath11k in this case and the client just connected to the open AP
and tried a link local IPv6 (ping ff02::1%wlan0). The AP could receive the
unencrypted data but the AP was unable to send back unencrypted (solicitation)
packets - the multicast data packets were still encrypted
I could see that following happened when changing from PSK to PSK:
* ath11k_install_key (DISABLE_KEY)
* ath11k_install_key (SET_KEY)
Nothing like this happened when switching from PSK to Open. It is still
possible to see the old key in /sys/kernel/debug/ieee80211/phy1/keys/0/
An investigation showed that the relevant code to delete this information from
the kernel is #ifdef'ed out in hostapd (CONFIG_WEP was not in my config) since
commit 200c7693c9a1 ("Make WEP functionality an optional build parameter").
If I enable it again then I can see that the key is removed correctly by
hostapd_broadcast_wep_clear -> hostapd_broadcast_key_clear_iface.
This also triggers the removal in ath11k but it afterwards still not able to
transmit data to the client because it still encrypts mcast frames. I haven't
checked this part in detail but at least the re-enabling of this code path
fixed it for ath10k. For ath11k, I still have to restart the whole vif or
otherwise I will only see encrypted multicast frames from the AP (and no
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: This is a digitally signed message part.
More information about the Hostap