hostapd: config_reload: Switch from WPA to open leaves keys

Sven Eckelmann sven at
Wed Apr 21 18:58:32 BST 2021


it was noticed that the hostapd runtime switch (config reload) from an AP 
config with a WPA2 PSK to an open AP created a non-working AP interface. The 
driver was ath11k in this case and the client just connected to the open AP 
and tried a link local IPv6 (ping ff02::1%wlan0). The AP could receive the 
unencrypted data but the AP was unable to send back unencrypted (solicitation) 
packets - the multicast data packets were still encrypted

I could see that following happened when changing from PSK to PSK:

* nl80211_new_key
* ...
* ath11k_install_key (DISABLE_KEY)
* ath11k_install_key (SET_KEY)

Nothing like this happened when switching from PSK to Open. It is still 
possible to see the old key in /sys/kernel/debug/ieee80211/phy1/keys/0/

An investigation showed that the relevant code to delete this information from 
the kernel is #ifdef'ed out in hostapd (CONFIG_WEP was not in my config) since 
commit 200c7693c9a1 ("Make WEP functionality an optional build parameter").

If I enable it again then I can see that the key is removed correctly by 
hostapd_broadcast_wep_clear -> hostapd_broadcast_key_clear_iface.

This also triggers the removal in ath11k but it afterwards still not able to 
transmit data to the client because it still encrypts mcast frames. I haven't 
checked this part in detail but at least the re-enabling of this code path
fixed it for ath10k. For ath11k, I still have to restart the whole vif or
otherwise I will only see encrypted multicast frames from the AP (and no 

Kind regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <>

More information about the Hostap mailing list