[PATCH 2/2] dbus: emit the PskMismatch signal also for SAE
Jouni Malinen
j at w1.fi
Fri Oct 3 06:54:46 PDT 2025
On Fri, Oct 03, 2025 at 08:31:21AM -0500, Mitchell Augustin wrote:
> In my experience, I typically see
> wpa_supplicant[1618]: wlP9s9: CTRL-EVENT-ASSOC-REJECT bssid=<address>
> status_code=53
>
> when I enter an incorrect password for my WPA3 network, which
> corresponds to "Invalid shared key (pairwise master key identifier or
> PMKID)" based on this list [0]. With that said, it seems like we
> should send the mismatch alert only in cases of data->auth.status_code
> == 53.
>
> Do you agree? If so, are there any additional status codes we should
> consider beyond 53 from [0]?
As far as the IEEE 802.11 standard is concerned, the status code 15
(CHALLENGE_FAILURE, i.e., "Authentication rejected because of challenge
failure") is the one to use whenever reporting that a received SAE
Confirm message could not be successfully verified. That would be the step
at which a mismatch in the SAE password would be detected.
That said, not all AP implementations follow this expectation. As an
example, hostapd used to return status code 1 until it got fixed in
2022. Status code 53 (STATUS_INVALID_PMKID) should not really be used
with SAE at all (other than potentially some cases that might involve
attempts to use PMKSA caching in Authentication frames; maybe PASN, but
I'm not convinced that would be applicable either).
It would be cleanest to start with notification being sent out only when
an Authentication frame with auth_alg=SAE, transaction=2, and
status_code=15 is received and then potentially extend that based on
actually observed behavior from deployed APs as needed.
> If you'd like to keep in line with WPA3 terminology, what name would
> you recommend for the WPA3-SAE authentication failure signal?
> "SaeFailure" or "PweMismatch" come to mind for me as possible options.
"SaePasswordMismatch" would seem most applicable for this. Should there
be actual deployment of SAE password identifiers in the future, that
would have another potential signal to be added (e.g.,
"SaeUnknownPasswordId"). Other SAE failure cases do not really
indicate that the user should consider any kind of change to the
configured password (or password identifier).
--
Jouni Malinen PGP id EFC895FA
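Added example, not code from the hostap project or from either participant: a small C model of the decision rule described in the reply above (report a password mismatch only for an Authentication frame with auth_alg=SAE, transaction=2, status_code=15), with a hypothetical flag showing how the rule could later be widened for the pre-2022 hostapd behaviour (status code 1). The numeric values are the IEEE 802.11 assignments; the macro and function names are constructed for this example and are not wpa_supplicant identifiers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * IEEE 802.11 field values used below. The numbers are the ones the
 * standard assigns; the macro names are constructed for this example.
 */
#define AUTH_ALG_SAE                3   /* Authentication algorithm number for SAE */
#define SAE_TRANSACTION_COMMIT      1   /* SAE Commit message */
#define SAE_TRANSACTION_CONFIRM     2   /* SAE Confirm message */
#define STATUS_SUCCESS              0
#define STATUS_UNSPECIFIED_FAILURE  1   /* what hostapd returned before the 2022 fix */
#define STATUS_CHALLENGE_FAILURE    15  /* "Authentication rejected because of challenge failure" */
#define STATUS_INVALID_PMKID        53  /* not expected with SAE */

enum sae_signal {
    SAE_SIGNAL_NONE,               /* nothing to emit (success, or not an SAE frame) */
    SAE_SIGNAL_PASSWORD_MISMATCH,  /* emit "SaePasswordMismatch" over D-Bus */
    SAE_SIGNAL_OTHER_FAILURE       /* SAE failed, but the password is not implicated */
};

/*
 * Decide what to signal for a received Authentication frame.
 *
 * Strict rule (the suggested starting point): only auth_alg=SAE,
 * transaction=2 (Confirm), status_code=15 is reported as a mismatch.
 *
 * accept_legacy_unspecified is a hypothetical extension hook for
 * "observed behaviour from deployed APs": when set, status code 1 on an
 * SAE Confirm is also treated as a mismatch (pre-2022 hostapd builds).
 */
enum sae_signal classify_sae_auth(uint16_t auth_alg, uint16_t transaction,
                                  uint16_t status_code,
                                  bool accept_legacy_unspecified)
{
    if (auth_alg != AUTH_ALG_SAE || status_code == STATUS_SUCCESS)
        return SAE_SIGNAL_NONE;

    if (transaction == SAE_TRANSACTION_CONFIRM) {
        if (status_code == STATUS_CHALLENGE_FAILURE)
            return SAE_SIGNAL_PASSWORD_MISMATCH;
        if (accept_legacy_unspecified &&
            status_code == STATUS_UNSPECIFIED_FAILURE)
            return SAE_SIGNAL_PASSWORD_MISMATCH;
    }

    /* Commit-phase rejections, status 53, etc.: no hint to change the password */
    return SAE_SIGNAL_OTHER_FAILURE;
}

const char *sae_signal_name(enum sae_signal s)
{
    switch (s) {
    case SAE_SIGNAL_PASSWORD_MISMATCH: return "SaePasswordMismatch";
    case SAE_SIGNAL_OTHER_FAILURE:     return "(no password signal)";
    default:                           return "(none)";
    }
}

int main(void)
{
    /* Constructed sample frames for illustration, not captured data. */
    struct { uint16_t alg, tx, status; const char *note; } cases[] = {
        { AUTH_ALG_SAE, SAE_TRANSACTION_CONFIRM, STATUS_CHALLENGE_FAILURE,   "conformant AP, wrong password" },
        { AUTH_ALG_SAE, SAE_TRANSACTION_CONFIRM, STATUS_UNSPECIFIED_FAILURE, "pre-2022 hostapd, wrong password" },
        { AUTH_ALG_SAE, SAE_TRANSACTION_CONFIRM, STATUS_INVALID_PMKID,       "status 53, not meaningful for SAE" },
        { AUTH_ALG_SAE, SAE_TRANSACTION_COMMIT,  STATUS_CHALLENGE_FAILURE,   "rejection already at Commit" },
        { 0,            SAE_TRANSACTION_CONFIRM, STATUS_CHALLENGE_FAILURE,   "Open System auth, not SAE" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("strict=%-22s lenient=%-22s  %s\n",
               sae_signal_name(classify_sae_auth(cases[i].alg, cases[i].tx, cases[i].status, false)),
               sae_signal_name(classify_sae_auth(cases[i].alg, cases[i].tx, cases[i].status, true)),
               cases[i].note);
    }
    return 0;
}
```

Keeping the strict rule as the default and widening only via an explicit flag matches the suggestion to start narrow and extend from observed AP behaviour; status code 53 is deliberately left out of the mismatch path.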