[PATCH 1/1] hostapd: Handle PMKSA flush for SAE/OWE offload cases

Vinayak Yadawad vinayak.yadawad at broadcom.com
Fri Dec 15 04:09:27 PST 2023


For supplicant-based SAE/OWE connections, the supplicant state
machine is aware of the PMKID created for a connection and this
gets removed when "remove_network all" is called. However, when
SAE/OWE offload is enabled, the supplicant is not aware of the
PMKID generated by the driver/firmware. So this patch adds a
pmksa del indication to the driver from the remove_network context
so that the driver can free PMKs associated with the SSID.

Signed-off-by: Vinayak Yadawad <vinayak.yadawad at broadcom.com>
---
 wpa_supplicant/ctrl_iface.c |  4 ++++
 wpa_supplicant/notify.c     | 14 +++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index 32f964f9c..fefb68d89 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -3575,6 +3575,10 @@ static int wpa_supplicant_ctrl_iface_remove_network(
 	/* cmd: "<network id>" or "all" */
 	if (os_strcmp(cmd, "all") == 0) {
 		wpa_printf(MSG_DEBUG, "CTRL_IFACE: REMOVE_NETWORK all");
+		if (wpa_s->drv_flags2 &
+		    (WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA |
+			 WPA_DRIVER_FLAGS2_OWE_OFFLOAD_STA))
+			wpa_drv_flush_pmkid(wpa_s);
 		return wpa_supplicant_remove_all_networks(wpa_s);
 	}
 
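Review bot: The return value of `wpa_drv_flush_pmkid(wpa_s)` in the "all" branch is dropped, so a driver that fails to flush leaves its offload-generated PMKs in place with nothing in the log; a `wpa_printf(MSG_DEBUG, ...)` on failure would make that visible. The call is also gated only on driver capability (`drv_flags2`), not on whether any configured network actually uses SAE or OWE, and it takes no SSID, so it is worth stating in the commit message that a full driver-side flush is intended here. If `wpa_supplicant_remove_all_networks()` reaches `wpas_notify_network_removed()` for each network, the per-SSID removal added in notify.c would already cover this path, so please clarify whether both are needed. Style: the continuation line `WPA_DRIVER_FLAGS2_OWE_OFFLOAD_STA))` is indented with an extra tab instead of aligning with `(WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA |`.
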
diff --git a/wpa_supplicant/notify.c b/wpa_supplicant/notify.c
index 0f9616d38..22b23ad4c 100644
--- a/wpa_supplicant/notify.c
+++ b/wpa_supplicant/notify.c
@@ -404,8 +404,20 @@ void wpas_notify_network_removed(struct wpa_supplicant *wpa_s,
 	if (wpa_s->sme.ext_auth_wpa_ssid == ssid)
 		wpa_s->sme.ext_auth_wpa_ssid = NULL;
 #endif /* CONFIG_SME && CONFIG_SAE */
-	if (wpa_s->wpa)
+	if (wpa_s->wpa) {
+		if ((wpa_key_mgmt_sae(ssid->key_mgmt) &&
+		    (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD_STA)) ||
+		    ((ssid->key_mgmt & WPA_KEY_MGMT_OWE) &&
+		    (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_OWE_OFFLOAD_STA))) {
+			/* For cases when PMK is generated at the driver */
+			struct wpa_pmkid_params params;
+			os_memset(&params, 0, sizeof(params));
+			params.ssid = ssid->ssid;
+			params.ssid_len = ssid->ssid_len;
+			wpa_drv_remove_pmkid(wpa_s, &params);
+		}
 		wpa_sm_pmksa_cache_flush(wpa_s->wpa, ssid);
+	}
 	if (!ssid->p2p_group && wpa_s->global->p2p_group_formation != wpa_s &&
 	    !wpa_s->p2p_mgmt) {
 		wpas_dbus_unregister_network(wpa_s, ssid->id);
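Review bot: The new `wpa_drv_remove_pmkid(wpa_s, &params)` call is nested under `if (wpa_s->wpa)` although it reads only `wpa_s->drv_flags2` and `ssid`, so the driver-held PMK is left in place whenever `wpa_s->wpa` is NULL; if that is not intended, move the offload block outside the check. `params` is filled with `ssid` and `ssid_len` only, with no BSSID or PMKID, so this depends on the driver accepting an SSID-only removal; a comment saying so, plus a check of the return value with a debug message, would help when a driver rejects the request and keeps the key. Smaller points: the SAE test uses the `wpa_key_mgmt_sae()` helper while the OWE test uses the raw `WPA_KEY_MGMT_OWE` mask, the wrapped condition is indented so that the `&&`/`||` grouping is hard to follow, and a blank line after `struct wpa_pmkid_params params;` would separate the declaration from the statements.
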
-- 
2.32.0
