PATCH 1/1: AP: Add status/reason codes to PSK mismatch logs

Nefi Guclu nefi.guclu at airties.com
Fri Jun 27 00:27:21 PDT 2025 

>From a9dc464c5988ee89a348d67e890ac4556c0759c7 Mon Sep 17 00:00:00 2001
From: Nefi Guclu <nefi.guclu at airties.com>
Date: Fri, 27 Jun 2025 10:14:13 +0300
Subject: [PATCH] AP: Add status/reason codes to PSK mismatch logs

Extend PSK mismatch logging to include status codes for SAE failures
and reason codes for WPA-PSK failures.

Changes:
- SAE authentication failure paths now log the status code.
- WPA-PSK 4-way handshake failures now
  trigger a log with the corresponding disconnect reason code.
- Disconnect reason codes adjusted to better reflect failure causes.

This improves the ability to distinguish between different types of
authentication failures in logs.

Signed-off-by: Nefi Guclu <nefi.guclu at airties.com>
---
 src/ap/ieee802_11.c    |  4 ++++
 src/ap/wpa_auth.c      | 13 ++++++++-----
 src/ap/wpa_auth.h      |  2 +-
 src/ap/wpa_auth_glue.c |  6 +++---
 4 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 866a1c1c8..cdf9c42ba 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1767,9 +1767,13 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
                                                sta->sae->tmp->
                                                        try_other_password = 1;
                                        resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
+                                       wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POSSIBLE_PSK_MISMATCH MACSTR " status=%d",
+                                              MAC2STR(sta->addr), resp);
                                        goto reply;
                                }
                                resp = WLAN_STATUS_CHALLENGE_FAIL;
+                               wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POSSIBLE_PSK_MISMATCH MACSTR " status=%d",
+                                   MAC2STR(sta->addr), resp);
                                goto reply;
                        }
                        sae_password_track_success(hapd, sta);
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index 333467ce8..0f30b97c2 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -237,10 +237,10 @@ static inline int wpa_auth_mic_failure_report(


 static inline void wpa_auth_psk_failure_report(
-       struct wpa_authenticator *wpa_auth, const u8 *addr)
+       struct wpa_authenticator *wpa_auth, const u8 *addr, u16 disconnect_reason)
 {
        if (wpa_auth->cb->psk_failure_report)
-               wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr);
+               wpa_auth->cb->psk_failure_report(wpa_auth->cb_ctx, addr, disconnect_reason);
 }


@@ -3867,7 +3867,8 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
                                LOGGER_DEBUG,
                                "invalid MIC in msg 2/4 of 4-Way Handshake");
                if (psk_found)
-                       wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
+                       sm->disconnect_reason = WLAN_REASON_MICHAEL_MIC_FAILURE;
+                       wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr, sm->disconnect_reason);
                goto out;
        }

@@ -5360,8 +5361,10 @@ SM_STEP(WPA_PTK)
                                         LOGGER_DEBUG,
                                         "PTKSTART: Retry limit %u reached",
                                         conf->wpa_pairwise_update_count);
-                       sm->disconnect_reason =
-                               WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT;
+                       if (sm->disconnect_reason != WLAN_REASON_MICHAEL_MIC_FAILURE) {
+                               sm->disconnect_reason = WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT;
+                               wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr, sm->disconnect_reason);
+                       }
                        SM_ENTER(WPA_PTK, DISCONNECT);
                } else if (sm->TimeoutEvt)
                        SM_ENTER(WPA_PTK, PTKSTART);
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index 176ed2c44..02a246e18 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -362,7 +362,7 @@ struct wpa_auth_callbacks {
                       const char *txt);
        void (*disconnect)(void *ctx, const u8 *addr, u16 reason);
        int (*mic_failure_report)(void *ctx, const u8 *addr);
-       void (*psk_failure_report)(void *ctx, const u8 *addr);
+       void (*psk_failure_report)(void *ctx, const u8 *addr, u16 disconnect_reason);
        void (*set_eapol)(void *ctx, const u8 *addr, wpa_eapol_variable var,
                          int value);
        int (*get_eapol)(void *ctx, const u8 *addr, wpa_eapol_variable var);
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index 519948a51..f8e7e78e9 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -315,11 +315,11 @@ static int hostapd_wpa_auth_mic_failure_report(void *ctx, const u8 *addr)
 }


-static void hostapd_wpa_auth_psk_failure_report(void *ctx, const u8 *addr)
+static void hostapd_wpa_auth_psk_failure_report(void *ctx, const u8 *addr, u16 disconnect_reason)
 {
        struct hostapd_data *hapd = ctx;
-       wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POSSIBLE_PSK_MISMATCH MACSTR,
-               MAC2STR(addr));
+       wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POSSIBLE_PSK_MISMATCH MACSTR " reason=%d",
+               MAC2STR(addr), disconnect_reason);
 }


--
2.25.1
Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone.

More information about the Hostap mailing list