[PATCH 2/2] dbus: emit the PskMismatch signal also for SAE
Mitchell Augustin
mitchell.augustin at canonical.com
Fri Oct 3 11:00:33 PDT 2025
It seems like there are some instances of directly checking
`auth_transaction == 1` in sme.c already, so I went ahead and
submitted a revised patch ("[PATCH] wpa_supplicant: Add
SaePasswordMismatch dbus signal", pending mailing list approval). It
worked in my tests with a locally patched NetworkManager that listens
for SaePasswordMismatch.
Thanks,
Mitchell Augustin
On Fri, Oct 3, 2025 at 9:36 AM Mitchell Augustin
<mitchell.augustin at canonical.com> wrote:
>
> (resending as plaintext for the mailing list)
> Thanks a ton, this is very helpful.
>
> So, essentially, instead of this:
>
> > diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
> > @@ -2056,6 +2056,9 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
> > data->auth.ies_len, 0, data->auth.peer,
> > &ie_offset);
> > if (res < 0) {
> > + if (res == -2)
> > + wpas_notify_sae_password_mismatch(wpa_s); # Implementation TBD
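Review bot: the `if (res == -2)` test keys the notification off one particular negative return value of the call above, but nothing in the hunk establishes that the callee reports a failed SAE Confirm verification specifically as -2 rather than as a generic error, so the signal could fire on unrelated failures or never fire at all; either give the callee a named error code for that case or decide from `data->auth.auth_transaction` and `data->auth.status_code` directly. The trailing `# Implementation TBD` is also not a C comment (`#` introduces a preprocessor directive), so the hunk would not compile as quoted; use `/* ... */` for a placeholder.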
>
> something more like this (which I don't think requires additional
> checks for SAE, since this is already within `if (data->auth.auth_type
> == WLAN_AUTH_SAE) {`):
>
> > diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
> > @@ -2056,6 +2056,9 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
> > data->auth.ies_len, 0, data->auth.peer,
> > &ie_offset);
> > if (res < 0) {
> > + if (data->auth.auth_transaction == 2 && data->auth.status_code == WLAN_STATUS_CHALLENGE_FAIL)
> > + wpas_notify_psk_mismatch(wpa_s);
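Review bot: the added condition spells the Confirm transaction as the bare literal `2` next to a named status code (`WLAN_STATUS_CHALLENGE_FAIL`); if no constant exists for the transaction number, at least add a `/* SAE Confirm */` comment so the reader does not have to know the SAE transaction numbering. The call `wpas_notify_psk_mismatch(wpa_s)` reuses the PSK mismatch notifier, whereas the rest of the thread settles on a separate `SaePasswordMismatch` signal; route this through the new SAE-specific notifier instead, so a consumer of the PSK signal is not told about a WPA3 failure. The combined condition is also far wider than 79 columns; wrap it across two lines.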
>
> Which constant should I be using for checking if auth.auth_transaction == 2?
>
>
> On Fri, Oct 3, 2025 at 8:54 AM Jouni Malinen <j at w1.fi> wrote:
> >
> > On Fri, Oct 03, 2025 at 08:31:21AM -0500, Mitchell Augustin wrote:
> > > In my experience, I typically see
> > > wpa_supplicant[1618]: wlP9s9: CTRL-EVENT-ASSOC-REJECT bssid=<address>
> > > status_code=53
> > >
> > > when I enter an incorrect password for my WPA3 network, which
> > > corresponds to "Invalid shared key (pairwise master key identifier or
> > > PMKID)" based on this list [0]. With that said, it seems like we
> > > should send the mismatch alert only in cases of data->auth.status_code
> > > == 53.
> > >
> > > Do you agree? If so, are there any additional status codes we should
> > > consider beyond 53 from [0]?
> >
> > As far as the IEEE 802.11 standard is concerned, the status code 15
> > (CHALLENGE_FAILURE, i.e., "Authentication rejected because of challenge
> > failure") is the one to use whenever reporting that a received SAE
> > Confirm message could not be successfully verified. That would be the step
> > at which a mismatch in the SAE password would be detected.
> >
> > That said, not all AP implementations follow this expectation. As an
> > example, hostapd used to return status code 1 until it got fixed in
> > 2022. Status code 53 (STATUS_INVALID_PMKID) should not really be used
> > with SAE at all (other than potentially some cases that might involve
> > attempts to use PMKSA caching in Authentication frames; maybe PASN, but
> > I'm not convinced that would be applicable either).
> >
> > It would be cleanest to start with notification being sent out only when
> > an Authentication frame with auth_alg=SAE, transaction=2, and
> > status_code=15 is received and then potentially extend that based on
> > actually observed behavior from deployed APs as needed.
> >
> > > If you'd like to keep in line with WPA3 terminology, what name would
> > > you recommend for the WPA3-SAE authentication failure signal?
> > > "SaeFailure" or "PweMismatch" come to mind for me as possible options.
> >
> > "SaePasswordMismatch" would seem most applicable for this. Should there
> > be actual deployment of SAE password identifiers in the future, that
> > would have another potential signal to be added (e.g.,
> > "SaeUnknownPasswordId"). Other SAE failure cases do not really
> > indicate that the user should consider any kind of change to the
> > configured password (or password identifier).
> >
> > --
> > Jouni Malinen PGP id EFC895FA
>
>
>
> --
> Mitchell Augustin
> Software Engineer - Ubuntu Partner Engineering
> Email: mitchell.augustin at canonical.com
> Location: United States of America (Central Time)
>
>
> canonical.com
> ubuntu.com
--
Mitchell Augustin
Software Engineer - Ubuntu Partner Engineering
Email: mitchell.augustin at canonical.com
Location: United States of America (Central Time)
canonical.com
ubuntu.com
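The rule Jouni spells out above (notify only for an Authentication frame with auth_alg=SAE, transaction=2 and status_code=15, never for status 53, and extend later based on what deployed APs actually send) can be expressed as a small classifier. The following is an added example for this thread, not code from the patch or from wpa_supplicant: it parses the three 2-octet fixed fields of an Authentication frame body and returns whether the frame should trigger an SAE password-mismatch notification. All `hypo_` names are this example's own; the `lenient` flag is an assumption about how the check could later be widened for APs such as pre-2022 hostapd that returned status code 1, and is not part of the proposed patch. The numeric values are the IEEE 802.11 ones; the macro names follow the ones used in the hunk.

```c
/* Added example, not wpa_supplicant code: classify the fixed fields of an
 * IEEE 802.11 Authentication frame body for an SAE password mismatch. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IEEE 802.11 values; names as used in the thread's hunk / hostap. */
#define WLAN_AUTH_OPEN                  0
#define WLAN_AUTH_SAE                   3
#define WLAN_STATUS_UNSPECIFIED_FAILURE 1
#define WLAN_STATUS_CHALLENGE_FAIL      15
#define WLAN_STATUS_INVALID_PMKID       53

/* SAE transaction numbers (this example's own names). */
#define HYPO_SAE_COMMIT  1
#define HYPO_SAE_CONFIRM 2

struct hypo_auth_fixed {
	uint16_t auth_alg;
	uint16_t auth_transaction;
	uint16_t status_code;
};

static uint16_t hypo_le16(const uint8_t *p)
{
	return (uint16_t) (p[0] | ((uint16_t) p[1] << 8));
}

/* Parse the three little-endian 2-octet fixed fields (algorithm,
 * transaction sequence number, status code). Returns 0 on success,
 * -1 if the body is too short to hold them. */
int hypo_parse_auth_fixed(const uint8_t *body, size_t len,
			  struct hypo_auth_fixed *out)
{
	if (!body || !out || len < 6)
		return -1;
	out->auth_alg = hypo_le16(body);
	out->auth_transaction = hypo_le16(body + 2);
	out->status_code = hypo_le16(body + 4);
	return 0;
}

/* Strict rule from the thread: only an SAE Confirm (transaction 2)
 * rejected with CHALLENGE_FAIL (15) means the configured password is
 * wrong. A rejected Commit, any non-SAE algorithm and INVALID_PMKID (53)
 * never count. With lenient=true (assumption, not in the patch), an SAE
 * Confirm rejected with UNSPECIFIED_FAILURE (1) also counts, to cover APs
 * that used status 1 for this case. */
bool hypo_sae_password_mismatch(const struct hypo_auth_fixed *a, bool lenient)
{
	if (a->auth_alg != WLAN_AUTH_SAE ||
	    a->auth_transaction != HYPO_SAE_CONFIRM)
		return false;
	if (a->status_code == WLAN_STATUS_CHALLENGE_FAIL)
		return true;
	if (lenient && a->status_code == WLAN_STATUS_UNSPECIFIED_FAILURE)
		return true;
	return false;
}

/* Wrapper over raw frame body bytes:
 * 1 = emit SaePasswordMismatch, 0 = do not, -1 = malformed body. */
int hypo_classify_auth_body(const uint8_t *body, size_t len, bool lenient)
{
	struct hypo_auth_fixed a;

	if (hypo_parse_auth_fixed(body, len, &a) < 0)
		return -1;
	return hypo_sae_password_mismatch(&a, lenient) ? 1 : 0;
}

/* Constructed sample bodies (fixed fields only), not captures from an AP. */
static const uint8_t hypo_sae_confirm_chalfail[] = { 3, 0, 2, 0, 15, 0 };
static const uint8_t hypo_sae_confirm_unspec[]   = { 3, 0, 2, 0,  1, 0 };
static const uint8_t hypo_sae_commit_chalfail[]  = { 3, 0, 1, 0, 15, 0 };
static const uint8_t hypo_sae_confirm_pmkid[]    = { 3, 0, 2, 0, 53, 0 };
static const uint8_t hypo_open_auth_chalfail[]   = { 0, 0, 2, 0, 15, 0 };

int main(void)
{
	printf("SAE Confirm, status 15, strict:  %d\n",
	       hypo_classify_auth_body(hypo_sae_confirm_chalfail, 6, false));
	printf("SAE Confirm, status 1, strict:   %d\n",
	       hypo_classify_auth_body(hypo_sae_confirm_unspec, 6, false));
	printf("SAE Confirm, status 1, lenient:  %d\n",
	       hypo_classify_auth_body(hypo_sae_confirm_unspec, 6, true));
	printf("SAE Commit, status 15:           %d\n",
	       hypo_classify_auth_body(hypo_sae_commit_chalfail, 6, false));
	printf("SAE Confirm, status 53, lenient: %d\n",
	       hypo_classify_auth_body(hypo_sae_confirm_pmkid, 6, true));
	printf("Open auth, status 15:            %d\n",
	       hypo_classify_auth_body(hypo_open_auth_chalfail, 6, true));
	return 0;
}
```

The strict path is the one to ship first, as the thread recommends; widening it to status code 1 should only be done once the behaviour of real APs has been observed, because status 1 is also what an AP returns for failures that have nothing to do with the password.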