[PATCH 2/2] dbus: emit the PskMismatch signal also for SAE

Mitchell Augustin mitchell.augustin at canonical.com
Fri Oct 3 07:36:39 PDT 2025 

(resending as plaintext for the mailing list)
Thanks a ton, this is very helpful.

So, essentially, instead of this:

> diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
> @@ -2056,6 +2056,9 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
>     data->auth.ies_len, 0, data->auth.peer,
>     &ie_offset);
>   if (res < 0) {
> + if (res == -2)
> + wpas_notify_sae_password_mismatch(wpa_s); # Implementation TBD

something more like this (which I don't think requires additional
checks for SAE, since this is already within `if (data->auth.auth_type
== WLAN_AUTH_SAE) {`):

> diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
> @@ -2056,6 +2056,9 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
>     data->auth.ies_len, 0, data->auth.peer,
>     &ie_offset);
>   if (res < 0) {
> + if (data->auth.auth_transaction == 2 && data->auth.status_code == WLAN_STATUS_CHALLENGE_FAIL)
> + wpas_notify_psk_mismatch(wpa_s);

Which constant should I be using for checking if auth.auth_transaction == 2?


On Fri, Oct 3, 2025 at 8:54 AM Jouni Malinen <j at w1.fi> wrote:
>
> On Fri, Oct 03, 2025 at 08:31:21AM -0500, Mitchell Augustin wrote:
> > In my experience, I typically see
> > wpa_supplicant[1618]: wlP9s9: CTRL-EVENT-ASSOC-REJECT bssid=<address>
> > status_code=53
> >
> > when I enter an incorrect password for my WPA3 network, which
> > corresponds to "Invalid shared key (pairwise master key identifier or
> > PMKID)" based on this list [0]. With that said, it seems like we
> > should send the mismatch alert only in cases of data->auth.status_code
> > == 53.
> >
> > Do you agree? If so, are there any additional status codes we should
> > consider beyond 53 from [0]?
>
> As far as the IEEE 802.11 standard is concerned, the status code 15
> (CHALLENGE_FAILURE, i.e., "Authentication rejected because of challenge
> failure") is the one to use whenever reporting that a received SAE
> Confirm message could not be successfully verified. That would the step
> at which a mismatch in the SAE password would be detected.
>
> That said, not all AP implementations follow this expectation.. As an
> example, hostapd used to return status code 1 until it got fixed in
> 2022. Status code 53 (STATUS_INVALID_PMKID) should not really be used
> with SAE at all (other than potentially some cases that might involve
> attempts to use PMKSA caching in Authentication frames; maybe PASN, but
> I'm not convinced that would be applicable either).
>
> It would be cleanest to start with notification being sent out only when
> an Authentication frame with auth_alg=SAE, transaction=2, and
> status_code=15 is received and then potentially extend that based on
> actually observed behavior from deployed APs as needed.
>
> > If you'd like to keep in line with WPA3 terminology, what name would
> > you recommend for the WPA3-SAE authentication failure signal?
> > "SaeFailure" or "PweMismatch" come to mind for me as possible options.
>
> "SaePasswordMismatch" would seem most applicable for this. Should there
> be actual deployment of SAE password identifiers in the future, that
> would have another potential signal to be added (e.g.,
> "SaeUnknownPasswordId"). Other SAE failure cases do not really
> indication that the user should consider any kind of change to the
> configured password (or password identifier).
>
> --
> Jouni Malinen                                            PGP id EFC895FA



-- 
Mitchell Augustin
Software Engineer - Ubuntu Partner Engineering
Email:mitchell.augustin at canonical.com
Location:United States of America (Central Time)


canonical.com
ubuntu.com

More information about the Hostap mailing list