[PATCH v2] wpa:change state to AUTHENTICATING after trigger external_auth ok

Jouni Malinen j at w1.fi
Fri Nov 25 08:47:55 PST 2022


On Tue, Nov 08, 2022 at 02:47:36PM +0800, xinpeng wang wrote:
> When the connection to wifi fails, nm judges whether recall
> ask-password-dialog according to the status change of wpa; for sae, if it
> is in external authentication mode, when the authentication fails, the
> state is from ASSOCIATING to DISCONNECTED; if it is not external
> authentication, when the authentication fails, the state is AUTHENTICATING
> to DISCONNECTED.

So is this patch proposing the state sequence for
SAE-external-authentication to be changed to DISCONNECT -> ASSOCIATING
-> AUTHENTICATING -> ASSOCIATED? If so, that would feel really
confusing since ASSOCIATING state is used only after AUTHENTICATING
state has been completed.

> Therefore, nm needs to ask for a password when the state
> of wpa changes from AUTHENTICATING or ASSOCIATING to DISCONNECTED when sae.

Why would that result in requesting a password? Such state changes have
no protected indication of incorrect password being used and it would be
trivial for attacks to force user to get to this inconvenient state
where the password might need to be re-entered. Would that also drop a
previously working password? If so, this would be really inconvenient
user experience.

> This range is too large, and there may be misjudgments. Therefore, consider
> changing the status to AUTHENTICATING for the successful triggering of
> external authentication.

There can be misjudgment here already if this is trying to determine
that a SAE password is wrong based on any kind of state wpa_change. That
does not provide any robust information about the correctness of the
password.

-- 
Jouni Malinen                                            PGP id EFC895FA