[PATCH 26/29] EPPKE: Skip 4-Way handshake and authorize supplicant port on association

Thu Dec 11 05:14:40 PST 2025

From: Ainy Kumari <ainy.kumari at oss.qualcomm.com>

For EPPKE authentication, PTK is derived during authentication frame
exchange. Skip EAPOL 4-Way handshake and move supplicant state to
WPA_CONNECTED after association. Update state handling to authorize
the port and ensure proper control for SME-in-Userspace scenarios.

Signed-off-by: Ainy Kumari <ainy.kumari at oss.qualcomm.com>
---
 wpa_supplicant/events.c         | 15 +++++++++++++++
 wpa_supplicant/wpa_supplicant.c |  5 +++++
 2 files changed, 20 insertions(+)

diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 19ea8d7d3..c4f0adaba 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -4393,9 +4393,16 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s,
 		os_memset(wpa_s->pending_bssid, 0, ETH_ALEN);
 		wpas_notify_bssid_changed(wpa_s);
 
+#ifdef CONFIG_ENC_ASSOC
+		if (wpa_supplicant_dynamic_keys(wpa_s) && !ft_completed &&
+		    !(wpa_s->sme.auth_alg == WPA_AUTH_ALG_EPPKE)) {
+			wpa_clear_keys(wpa_s, bssid, false);
+		}
+#else
 		if (wpa_supplicant_dynamic_keys(wpa_s) && !ft_completed) {
 			wpa_clear_keys(wpa_s, bssid, false);
 		}
+#endif /* CONFIG_ENC_ASSOC */
 		if (wpa_supplicant_select_config(wpa_s, data) < 0) {
 			wpa_supplicant_deauthenticate(
 				wpa_s, WLAN_REASON_DEAUTH_LEAVING);
@@ -4431,6 +4438,14 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s,
 #endif /* CONFIG_SME */
 
 	wpa_msg(wpa_s, MSG_INFO, "Associated with " MACSTR, MAC2STR(bssid));
+#ifdef CONFIG_SME
+#ifdef CONFIG_ENC_ASSOC
+	if (wpa_s->sme.auth_alg == WPA_AUTH_ALG_EPPKE) {
+		data->assoc_info.authorized = true;
+		wpa_supplicant_set_state(wpa_s, WPA_COMPLETED);
+	}
+#endif /* CONFIG_ENC_ASSOC */
+#endif
 	if (wpa_s->current_ssid) {
 		/* When using scanning (ap_scan=1), SIM PC/SC interface can be
 		 * initialized before association, but for other modes,
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 65dca0f72..cceb1194f 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -1219,6 +1219,11 @@ void wpa_supplicant_set_state(struct wpa_supplicant *wpa_s,
 				    MAC2STR(wpa_s->ap_mld_addr));
 
 #ifdef CONFIG_SME
+#ifdef CONFIG_ENC_ASSOC
+		if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) &&
+		    wpa_auth_alg_eppke(wpa_s->sme.auth_alg))
+			wpa_drv_set_supp_port(wpa_s, 1);
+#endif /* CONFIG_ENC_ASSOC */
 		if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME) &&
 		    wpa_auth_alg_fils(wpa_s->sme.auth_alg))
 			fils_hlp_sent = 1;
-- 
2.34.1


