[PATCH 19/29] EPPKE: Skip 4WH and move PTK state directly to PTKINITDONE

Sai Pratyusha Magam smagam at qti.qualcomm.com
Thu Dec 11 05:14:33 PST 2025 

A successful EPPKE Authentication results in the
establishment of a PTKSA. So skip 4-way handshake
procedure and move the PTK state directly to PTKINITDONE
Also move the peer state to authorized.

Signed-off-by: Rohan Dutta <drohan at qti.qualcomm.com>
Signed-off-by: Sai Pratyusha Magam <smagam at qti.qualcomm.com>
---
 src/ap/ap_mlme.c    |  6 ++++--
 src/ap/ieee802_11.c |  3 ++-
 src/ap/wpa_auth.c   | 16 ++++++++++++++++
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/src/ap/ap_mlme.c b/src/ap/ap_mlme.c
index 309e69a3f..efc214fe5 100644
--- a/src/ap/ap_mlme.c
+++ b/src/ap/ap_mlme.c
@@ -112,7 +112,8 @@ void mlme_associate_indication(struct hostapd_data *hapd, struct sta_info *sta)
 	if (sta->auth_alg != WLAN_AUTH_FT &&
 	    sta->auth_alg != WLAN_AUTH_FILS_SK &&
 	    sta->auth_alg != WLAN_AUTH_FILS_SK_PFS &&
-	    sta->auth_alg != WLAN_AUTH_FILS_PK)
+	    sta->auth_alg != WLAN_AUTH_FILS_PK &&
+	    sta->auth_alg != WLAN_AUTH_EPPKE)
 		mlme_deletekeys_request(hapd, sta);
 	ap_sta_clear_disconnect_timeouts(hapd, sta);
 }
@@ -140,7 +141,8 @@ void mlme_reassociate_indication(struct hostapd_data *hapd,
 	if (sta->auth_alg != WLAN_AUTH_FT &&
 	    sta->auth_alg != WLAN_AUTH_FILS_SK &&
 	    sta->auth_alg != WLAN_AUTH_FILS_SK_PFS &&
-	    sta->auth_alg != WLAN_AUTH_FILS_PK)
+	    sta->auth_alg != WLAN_AUTH_FILS_PK &&
+	    sta->auth_alg != WLAN_AUTH_EPPKE)
 		mlme_deletekeys_request(hapd, sta);
 	ap_sta_clear_disconnect_timeouts(hapd, sta);
 }
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 9a242de19..df7ec8270 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -7302,7 +7302,8 @@ static void handle_assoc_cb(struct hostapd_data *hapd,
 	    sta->auth_alg == WLAN_AUTH_FILS_SK ||
 	    sta->auth_alg == WLAN_AUTH_FILS_SK_PFS ||
 	    sta->auth_alg == WLAN_AUTH_FILS_PK ||
-	    sta->auth_alg == WLAN_AUTH_FT) {
+	    sta->auth_alg == WLAN_AUTH_FT ||
+	    sta->auth_alg == WLAN_AUTH_EPPKE) {
 		/*
 		 * Open, static WEP, FT protocol, or FILS; no separate
 		 * authorization step.
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 99d8e45c2..bbdf76a70 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -1051,6 +1051,17 @@ int wpa_auth_sta_associated(struct wpa_authenticator *wpa_auth,
 	if (!wpa_auth || !wpa_auth->conf.wpa || !sm)
 		return -1;
 
+#ifdef CONFIG_ENC_ASSOC
+	if (sm->auth_alg == WLAN_AUTH_EPPKE) {
+		wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
+				"EPPKE authentication already completed - do not start 4-way handshake");
+		/* Go to PTKINITDONE state to allow GTK rekeying */
+		sm->wpa_ptk_state = WPA_PTK_PTKINITDONE;
+		sm->Pair = true;
+		return 0;
+	}
+#endif /* CONFIG_ENC_ASSOC */
+
 #ifdef CONFIG_IEEE80211R_AP
 	if (sm->ft_completed) {
 		wpa_auth_logger(wpa_auth, wpa_auth_get_spa(sm), LOGGER_DEBUG,
@@ -2532,6 +2543,11 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
 	    (event == WPA_AUTH || event == WPA_ASSOC))
 		remove_ptk = 0;
 #endif /* CONFIG_FILS */
+#ifdef CONFIG_ENC_ASSOC
+	if (sm->auth_alg == WLAN_AUTH_EPPKE &&
+	    (event == WPA_AUTH || event == WPA_ASSOC))
+		remove_ptk = 0;
+#endif /* CONFIG_ENC_ASSOC */
 
 	if (remove_ptk) {
 		sm->PTK_valid = false;
-- 
2.34.1

More information about the Hostap mailing list