[PATCH] dbus: Add D-Bus signal for SAE confirm mismatch

xinpeng wang wangxinpeng at uniontech.com
Wed Jan 8 01:19:46 PST 2025 

When wpa_supplicant connects to an Access Point (AP) using the SAE
security mode,it verifies whether the confirm value returned by the
AP is correct. If a confirm value mismatch occurs, this may indicate
that the provided password could be incorrect.

To notify other applications of this condition, this patch introduces
a new D-Bus signal `SAEConfirmMismatch`. This signal should be treated
as a heuristic indicator that the configured password might be incorrect,
rather than a definitive proof.

Signed-off-by: xinpeng wang <wangxinpeng at uniontech.com>
---
 doc/dbus.doxygen               |  4 ++++
 src/common/sae.c               |  2 +-
 wpa_supplicant/dbus/dbus_new.c | 22 ++++++++++++++++++++++
 wpa_supplicant/dbus/dbus_new.h |  5 +++++
 wpa_supplicant/notify.c        |  5 +++++
 wpa_supplicant/notify.h        |  1 +
 wpa_supplicant/sme.c           | 10 ++++++++--
 7 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/doc/dbus.doxygen b/doc/dbus.doxygen
index 31f7a010f..624532aff 100644
--- a/doc/dbus.doxygen
+++ b/doc/dbus.doxygen
@@ -1571,6 +1571,10 @@ fi.w1.wpa_supplicant1.CreateInterface.
 	  <dd>The reason of termination</dd>
 	</dl>
       </li>
+      <li>
+	<h3>SAEConfirmMismatch ( )</h3>
+	<p>A possible SAE comfirm mismatch is identified.</p>
+      </li>
     </ul>
 
 
diff --git a/src/common/sae.c b/src/common/sae.c
index ce282db6b..6c4a00f60 100644
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -2454,7 +2454,7 @@ int sae_check_confirm(struct sae_data *sae, const u8 *data, size_t len,
 			    data + 2, hash_len);
 		wpa_hexdump(MSG_DEBUG, "SAE: Calculated verifier",
 			    verifier, hash_len);
-		return -1;
+		return -2;
 	}
 
 #ifdef CONFIG_SAE_PK
diff --git a/wpa_supplicant/dbus/dbus_new.c b/wpa_supplicant/dbus/dbus_new.c
index ff7e003cb..be595ca3b 100644
--- a/wpa_supplicant/dbus/dbus_new.c
+++ b/wpa_supplicant/dbus/dbus_new.c
@@ -1158,6 +1158,28 @@ void wpas_dbus_signal_psk_mismatch(struct wpa_supplicant *wpa_s)
 	dbus_message_unref(msg);
 }
 
+void wpas_dbus_signal_sae_confirm_mismatch(struct wpa_supplicant *wpa_s)
+{
+	struct wpas_dbus_priv *iface;
+	DBusMessage *msg;
+
+	iface = wpa_s->global->dbus;
+
+	/* Do nothing if the control interface is not turned on */
+	if (!iface || !wpa_s->dbus_new_path)
+		return;
+
+	msg = dbus_message_new_signal(wpa_s->dbus_new_path,
+				      WPAS_DBUS_NEW_IFACE_INTERFACE,
+				      "SAEConfirmMismatch");
+	if (!msg)
+		return;
+
+	dbus_connection_send(iface->con, msg, NULL);
+
+	dbus_message_unref(msg);
+}
+
 
 /**
  * wpas_dbus_signal_sta - Send a station related event signal
diff --git a/wpa_supplicant/dbus/dbus_new.h b/wpa_supplicant/dbus/dbus_new.h
index f9ff63642..dc62adc0e 100644
--- a/wpa_supplicant/dbus/dbus_new.h
+++ b/wpa_supplicant/dbus/dbus_new.h
@@ -258,6 +258,7 @@ void wpas_dbus_signal_preq(struct wpa_supplicant *wpa_s,
 void wpas_dbus_signal_eap_status(struct wpa_supplicant *wpa_s,
 				 const char *status, const char *parameter);
 void wpas_dbus_signal_psk_mismatch(struct wpa_supplicant *wpa_s);
+void wpas_dbus_signal_sae_confirm_mismatch(struct wpa_supplicant *wpa_s);
 void wpas_dbus_signal_sta_authorized(struct wpa_supplicant *wpa_s,
 				     const u8 *sta);
 void wpas_dbus_signal_sta_deauthorized(struct wpa_supplicant *wpa_s,
@@ -623,6 +624,10 @@ static inline void wpas_dbus_signal_psk_mismatch(struct wpa_supplicant *wpa_s)
 {
 }
 
+static inline void wpas_dbus_signal_sae_confirm_mismatch(struct wpa_supplicant *wpa_s)
+{
+}
+
 static inline
 void wpas_dbus_signal_sta_authorized(struct wpa_supplicant *wpa_s,
 				     const u8 *sta)
diff --git a/wpa_supplicant/notify.c b/wpa_supplicant/notify.c
index 06e006963..4080cac3d 100644
--- a/wpa_supplicant/notify.c
+++ b/wpa_supplicant/notify.c
@@ -940,6 +940,11 @@ void wpas_notify_psk_mismatch(struct wpa_supplicant *wpa_s)
 	wpas_dbus_signal_psk_mismatch(wpa_s);
 }
 
+void wpas_notify_sae_confirm_mismatch(struct wpa_supplicant *wpa_s)
+{
+	wpas_dbus_signal_sae_confirm_mismatch(wpa_s);
+}
+
 
 void wpas_notify_network_bssid_set_changed(struct wpa_supplicant *wpa_s,
 					   struct wpa_ssid *ssid)
diff --git a/wpa_supplicant/notify.h b/wpa_supplicant/notify.h
index 7f6c345d2..f537dcc72 100644
--- a/wpa_supplicant/notify.h
+++ b/wpa_supplicant/notify.h
@@ -149,6 +149,7 @@ void wpas_notify_eap_status(struct wpa_supplicant *wpa_s, const char *status,
 			    const char *parameter);
 void wpas_notify_eap_error(struct wpa_supplicant *wpa_s, int error_code);
 void wpas_notify_psk_mismatch(struct wpa_supplicant *wpa_s);
+void wpas_notify_sae_confirm_mismatch(struct wpa_supplicant *wpa_s);
 void wpas_notify_network_bssid_set_changed(struct wpa_supplicant *wpa_s,
 					   struct wpa_ssid *ssid);
 void wpas_notify_network_type_changed(struct wpa_supplicant *wpa_s,
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index 2b758939d..acdfbfe50 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -1907,13 +1907,19 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
 		}
 		return 0;
 	} else if (auth_transaction == 2) {
+		int ret;
+
 		if (status_code != WLAN_STATUS_SUCCESS)
 			return -1;
 		wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm");
 		if (wpa_s->sme.sae.state != SAE_CONFIRMED)
 			return -1;
-		if (sae_check_confirm(&wpa_s->sme.sae, data, len,
-				      ie_offset) < 0)
+		ret = sae_check_confirm(&wpa_s->sme.sae, data, len,
+				      ie_offset);
+		if (ret == -2) {
+			wpas_notify_sae_confirm_mismatch(wpa_s);
+		}
+		if (ret < 0)
 			return -1;
 		if (external && wpa_s->sme.ext_ml_auth &&
 		    sme_external_ml_auth(wpa_s, data, len, *ie_offset,
-- 
2.20.1

More information about the Hostap mailing list