[PATCH] wpa_supplicant: Add SaePasswordMismatch dbus signal

Fri Oct 3 10:57:58 PDT 2025

Per the IEEE 802.11 standard, status code 15 (WLAN_STATUS_CHALLENGE_FAIL),
when returned during an authentication frame of an SAE connection, is
indicative of a password mismatch.

Add a new dbus signal "SaePasswordMismatch" and emit it when a password
mismatch is detected as defined by that scenario.

Discussion: https://lists.infradead.org/pipermail/hostap/2025-October/043817.html

Signed-off-by: Mitchell Augustin <mitchell.augustin at canonical.com>
---
 wpa_supplicant/dbus/dbus_new.c | 23 +++++++++++++++++++++++
 wpa_supplicant/dbus/dbus_new.h |  5 +++++
 wpa_supplicant/notify.c        |  4 ++++
 wpa_supplicant/notify.h        |  1 +
 wpa_supplicant/sme.c           |  3 +++
 5 files changed, 36 insertions(+)

diff --git a/wpa_supplicant/dbus/dbus_new.c b/wpa_supplicant/dbus/dbus_new.c
index 2d623fe8d..007e4ce56 100644
--- a/wpa_supplicant/dbus/dbus_new.c
+++ b/wpa_supplicant/dbus/dbus_new.c
@@ -1159,6 +1159,29 @@ void wpas_dbus_signal_psk_mismatch(struct wpa_supplicant *wpa_s)
 }
 
 
+void wpas_dbus_signal_sae_password_mismatch(struct wpa_supplicant *wpa_s)
+{
+	struct wpas_dbus_priv *iface;
+	DBusMessage *msg;
+
+	iface = wpa_s->global->dbus;
+
+	/* Do nothing if the control interface is not turned on */
+	if (!iface || !wpa_s->dbus_new_path)
+		return;
+
+	msg = dbus_message_new_signal(wpa_s->dbus_new_path,
+				      WPAS_DBUS_NEW_IFACE_INTERFACE,
+				      "SaePasswordMismatch");
+	if (!msg)
+		return;
+
+	dbus_connection_send(iface->con, msg, NULL);
+
+	dbus_message_unref(msg);
+}
+
+
 /**
  * wpas_dbus_signal_sta - Send a station related event signal
  * @wpa_s: %wpa_supplicant network interface data
diff --git a/wpa_supplicant/dbus/dbus_new.h b/wpa_supplicant/dbus/dbus_new.h
index d64843568..5e5a6f60e 100644
--- a/wpa_supplicant/dbus/dbus_new.h
+++ b/wpa_supplicant/dbus/dbus_new.h
@@ -258,6 +258,7 @@ void wpas_dbus_signal_preq(struct wpa_supplicant *wpa_s,
 void wpas_dbus_signal_eap_status(struct wpa_supplicant *wpa_s,
 				 const char *status, const char *parameter);
 void wpas_dbus_signal_psk_mismatch(struct wpa_supplicant *wpa_s);
+void wpas_dbus_signal_sae_password_mismatch(struct wpa_supplicant *wpa_s);
 void wpas_dbus_signal_sta_authorized(struct wpa_supplicant *wpa_s,
 				     const u8 *sta);
 void wpas_dbus_signal_sta_deauthorized(struct wpa_supplicant *wpa_s,
@@ -624,6 +625,10 @@ static inline void wpas_dbus_signal_psk_mismatch(struct wpa_supplicant *wpa_s)
 {
 }
 
+static inline void wpas_dbus_signal_sae_password_mismatch(struct wpa_supplicant *wpa_s)
+{
+}
+
 static inline
 void wpas_dbus_signal_sta_authorized(struct wpa_supplicant *wpa_s,
 				     const u8 *sta)
diff --git a/wpa_supplicant/notify.c b/wpa_supplicant/notify.c
index 0827e51de..dd8fd2af7 100644
--- a/wpa_supplicant/notify.c
+++ b/wpa_supplicant/notify.c
@@ -942,6 +942,10 @@ void wpas_notify_psk_mismatch(struct wpa_supplicant *wpa_s)
 	wpas_dbus_signal_psk_mismatch(wpa_s);
 }
 
+void wpas_notify_sae_password_mismatch(struct wpa_supplicant *wpa_s)
+{
+	wpas_dbus_signal_sae_password_mismatch(wpa_s);
+}
 
 void wpas_notify_network_bssid_set_changed(struct wpa_supplicant *wpa_s,
 					   struct wpa_ssid *ssid)
diff --git a/wpa_supplicant/notify.h b/wpa_supplicant/notify.h
index 9e5047c81..a72cb1b08 100644
--- a/wpa_supplicant/notify.h
+++ b/wpa_supplicant/notify.h
@@ -149,6 +149,7 @@ void wpas_notify_eap_status(struct wpa_supplicant *wpa_s, const char *status,
 			    const char *parameter);
 void wpas_notify_eap_error(struct wpa_supplicant *wpa_s, int error_code);
 void wpas_notify_psk_mismatch(struct wpa_supplicant *wpa_s);
+void wpas_notify_sae_password_mismatch(struct wpa_supplicant *wpa_s);
 void wpas_notify_network_bssid_set_changed(struct wpa_supplicant *wpa_s,
 					   struct wpa_ssid *ssid);
 void wpas_notify_network_type_changed(struct wpa_supplicant *wpa_s,
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index 55dcf41ef..c0b2c317e 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -2065,6 +2065,9 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
 				   data->auth.ies_len, 0, data->auth.peer,
 				   &ie_offset);
 		if (res < 0) {
+			if (data->auth.auth_transaction == 2 && data->auth.status_code == WLAN_STATUS_CHALLENGE_FAIL) {
+				wpas_notify_sae_password_mismatch(wpa_s);
+			}
 			wpas_connection_failed(wpa_s, wpa_s->pending_bssid,
 					       NULL);
 			wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
-- 
2.43.0


