Merge ~mitchellaugustin/ubuntu/+source/wpa:resolute-sae-mismatch into ubuntu/+source/wpa:ubuntu/devel

Proposed by Mitchell Augustin
Status: Needs review
Proposed branch: ~mitchellaugustin/ubuntu/+source/wpa:resolute-sae-mismatch
Merge into: ubuntu/+source/wpa:ubuntu/devel
Diff against target: 215 lines (+139/-48)
4 files modified
debian/changelog (+7/-0)
debian/patches/0016-dbus-Add-SaePasswordMismatch-signal-on-AP-indication.patch (+131/-0)
debian/patches/series (+1/-1)
dev/null (+0/-47)
Reviewer: Ubuntu Sponsors
Review status: Pending
Review via email: mp+496765@code.launchpad.net

Commit message

Add SaePasswordMismatch signal handling (LP: #2125203)

Description of the change

Add SaePasswordMismatch signal handling (LP: #2125203)

This MP reverts a prior change to PskMismatch signal emission, which upstream said had the potential to be too aggressive and could introduce regressions [0].

The new patch (SaePasswordMismatch signal handler) implements the upstream-approved and merged version of this functionality, which allows failed connections to WPA3 networks to prompt the user to enter their password correctly, without the prior patch's risk of false positives.

[0] https://lists.infradead.org/pipermail/hostap/2025-October/043804.html

Mitchell Augustin (mitchellaugustin) wrote :
John Chittum (jchittum) :
Mitchell Augustin (mitchellaugustin) wrote :

Fixed, thanks!

Unmerged commits

834daf3... by Mitchell Augustin

Changelog update for SaePasswordMismatch signal fix

7e89981... by Mitchell Augustin

Add SaePasswordMismatch signal handler (LP: #2125203)

1cf2139... by Mitchell Augustin

Remove old version of PSKMismatch signal detection enhancement

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 3303a0a..d3d63e5 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+wpa (2:2.11-0ubuntu5) resolute; urgency=medium
7+
8+ * Add SaePasswordMismatch signal handling (LP: #2125203)
9+ * Revert "Improve PSK mismatch detection and dbus signal" (LP: #2125203)
10+
11+ -- Mitchell Augustin <mitchell.augustin@canonical.com> Tue, 02 Dec 2025 15:57:00 -0600
12+
13 wpa (2:2.11-0ubuntu4) questing; urgency=medium
14
15 * Improve PSK mismatch detection and dbus signal (LP: #2125203)
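Review bot: The two new changelog bullets do not name the patch files they touch or say why the earlier change is being dropped. Consider naming debian/patches/0016-dbus-Add-SaePasswordMismatch-signal-on-AP-indication.patch in the first bullet and wording the second as a drop of debian/patches/Improve-PSK-mismatch-detection-and-dbus-signal.patch with a short reason, so that a reader of debian/changelog alone can tell that the 2:2.11-0ubuntu4 patch was removed from the series rather than reverted by a further patch. Both bullets also cite the same LP: #2125203, which will make the bug's history harder to follow without that detail.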
16diff --git a/debian/patches/0016-dbus-Add-SaePasswordMismatch-signal-on-AP-indication.patch b/debian/patches/0016-dbus-Add-SaePasswordMismatch-signal-on-AP-indication.patch
17new file mode 100644
18index 0000000..681d092
19--- /dev/null
20+++ b/debian/patches/0016-dbus-Add-SaePasswordMismatch-signal-on-AP-indication.patch
21@@ -0,0 +1,131 @@
22+From: Mitchell Augustin <mitchell.augustin@canonical.com>
23+Date: Fri, 3 Oct 2025 12:57:58 -0500
24+Subject: dbus: Add SaePasswordMismatch signal on AP indication of failed SAE
25+ auth
26+
27+Per the IEEE 802.11 standard, status code 15
28+(WLAN_STATUS_CHALLENGE_FAIL), when returned in an Authentication frame
29+of an SAE exchange, is indicative of a password mismatch.
30+
31+Add a new dbus signal "SaePasswordMismatch" and emit it when a password
32+mismatch is detected as defined by that scenario.
33+
34+Discussion: https://lists.infradead.org/pipermail/hostap/2025-October/043817.html
35+
36+(cherry picked from commit 446a274b89e32dac8934f64822e5a3acee190dad)
37+Signed-off-by: Mitchell Augustin <mitchell.augustin@canonical.com>
38+
39+Author: Mitchell Augustin <mitchell.augustin@canonical.com>
40+Bug-Ubuntu: https://launchpad.net/bugs/2125203
41+Origin: upstream, 446a274b89e32dac8934f64822e5a3acee190dad
42+Forwarded: not-needed
43+---
44+ wpa_supplicant/dbus/dbus_new.c | 23 +++++++++++++++++++++++
45+ wpa_supplicant/dbus/dbus_new.h | 6 ++++++
46+ wpa_supplicant/notify.c | 6 ++++++
47+ wpa_supplicant/notify.h | 1 +
48+ wpa_supplicant/sme.c | 4 ++++
49+ 5 files changed, 40 insertions(+)
50+
51+diff --git a/wpa_supplicant/dbus/dbus_new.c b/wpa_supplicant/dbus/dbus_new.c
52+index 76e42ff..0fe009c 100644
53+--- a/wpa_supplicant/dbus/dbus_new.c
54++++ b/wpa_supplicant/dbus/dbus_new.c
55+@@ -1159,6 +1159,29 @@ void wpas_dbus_signal_psk_mismatch(struct wpa_supplicant *wpa_s)
56+ }
57+
58+
59++void wpas_dbus_signal_sae_password_mismatch(struct wpa_supplicant *wpa_s)
60++{
61++ struct wpas_dbus_priv *iface;
62++ DBusMessage *msg;
63++
64++ iface = wpa_s->global->dbus;
65++
66++ /* Do nothing if the control interface is not turned on */
67++ if (!iface || !wpa_s->dbus_new_path)
68++ return;
69++
70++ msg = dbus_message_new_signal(wpa_s->dbus_new_path,
71++ WPAS_DBUS_NEW_IFACE_INTERFACE,
72++ "SaePasswordMismatch");
73++ if (!msg)
74++ return;
75++
76++ dbus_connection_send(iface->con, msg, NULL);
77++
78++ dbus_message_unref(msg);
79++}
80++
81++
82+ /**
83+ * wpas_dbus_signal_sta - Send a station related event signal
84+ * @wpa_s: %wpa_supplicant network interface data
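Review bot: wpas_dbus_signal_sae_password_mismatch() is added without a doc comment, while wpas_dbus_signal_sta directly below it has one. A short header stating that the signal takes no arguments and is emitted on the interface object path would match the surrounding style. The diffstat also shows dbus_new.c gaining only these 23 lines and no documentation file changing, so the name "SaePasswordMismatch" exists only as a string literal in dbus_message_new_signal(). It is worth confirming that D-Bus clients relying on introspection or on the API documentation can discover the new signal the same way they discover PskMismatch.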
85+diff --git a/wpa_supplicant/dbus/dbus_new.h b/wpa_supplicant/dbus/dbus_new.h
86+index 952bb42..bd78b7c 100644
87+--- a/wpa_supplicant/dbus/dbus_new.h
88++++ b/wpa_supplicant/dbus/dbus_new.h
89+@@ -256,6 +256,7 @@ void wpas_dbus_signal_preq(struct wpa_supplicant *wpa_s,
90+ void wpas_dbus_signal_eap_status(struct wpa_supplicant *wpa_s,
91+ const char *status, const char *parameter);
92+ void wpas_dbus_signal_psk_mismatch(struct wpa_supplicant *wpa_s);
93++void wpas_dbus_signal_sae_password_mismatch(struct wpa_supplicant *wpa_s);
94+ void wpas_dbus_signal_sta_authorized(struct wpa_supplicant *wpa_s,
95+ const u8 *sta);
96+ void wpas_dbus_signal_sta_deauthorized(struct wpa_supplicant *wpa_s,
97+@@ -595,6 +596,11 @@ static inline void wpas_dbus_signal_psk_mismatch(struct wpa_supplicant *wpa_s)
98+ {
99+ }
100+
101++static inline void
102++wpas_dbus_signal_sae_password_mismatch(struct wpa_supplicant *wpa_s)
103++{
104++}
105++
106+ static inline
107+ void wpas_dbus_signal_sta_authorized(struct wpa_supplicant *wpa_s,
108+ const u8 *sta)
109+diff --git a/wpa_supplicant/notify.c b/wpa_supplicant/notify.c
110+index e967dc8..a890133 100644
111+--- a/wpa_supplicant/notify.c
112++++ b/wpa_supplicant/notify.c
113+@@ -912,6 +912,12 @@ void wpas_notify_psk_mismatch(struct wpa_supplicant *wpa_s)
114+ }
115+
116+
117++void wpas_notify_sae_password_mismatch(struct wpa_supplicant *wpa_s)
118++{
119++ wpas_dbus_signal_sae_password_mismatch(wpa_s);
120++}
121++
122++
123+ void wpas_notify_network_bssid_set_changed(struct wpa_supplicant *wpa_s,
124+ struct wpa_ssid *ssid)
125+ {
126+diff --git a/wpa_supplicant/notify.h b/wpa_supplicant/notify.h
127+index f6c7ac4..eaf588b 100644
128+--- a/wpa_supplicant/notify.h
129++++ b/wpa_supplicant/notify.h
130+@@ -146,6 +146,7 @@ void wpas_notify_eap_status(struct wpa_supplicant *wpa_s, const char *status,
131+ const char *parameter);
132+ void wpas_notify_eap_error(struct wpa_supplicant *wpa_s, int error_code);
133+ void wpas_notify_psk_mismatch(struct wpa_supplicant *wpa_s);
134++void wpas_notify_sae_password_mismatch(struct wpa_supplicant *wpa_s);
135+ void wpas_notify_network_bssid_set_changed(struct wpa_supplicant *wpa_s,
136+ struct wpa_ssid *ssid);
137+ void wpas_notify_network_type_changed(struct wpa_supplicant *wpa_s,
138+diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
139+index e6538e8..502fda1 100644
140+--- a/wpa_supplicant/sme.c
141++++ b/wpa_supplicant/sme.c
142+@@ -2030,6 +2030,10 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
143+ data->auth.ies_len, 0, data->auth.peer,
144+ &ie_offset);
145+ if (res < 0) {
146++ if (data->auth.auth_transaction == 2 &&
147++ data->auth.status_code ==
148++ WLAN_STATUS_CHALLENGE_FAIL)
149++ wpas_notify_sae_password_mismatch(wpa_s);
150+ wpas_connection_failed(wpa_s, wpa_s->pending_bssid,
151+ NULL);
152+ wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
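Review bot: The literal 2 in "data->auth.auth_transaction == 2" is unexplained at the call site. The patch description covers status code 15 but not the transaction number, so a one-line comment saying that this is the SAE confirm message would save the next reader a trip to the standard. The test also sits inside "if (res < 0)" without looking at the value of res, so the signal fires for any failure return as long as the frame carries that transaction number and WLAN_STATUS_CHALLENGE_FAIL. Both fields are taken from the peer's Authentication frame, so the comment could also say that this is an AP-reported indication, as the patch subject puts it, so that D-Bus clients treat the signal as a reason to re-prompt and not as proof that the stored password is wrong.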
153diff --git a/debian/patches/Improve-PSK-mismatch-detection-and-dbus-signal.patch b/debian/patches/Improve-PSK-mismatch-detection-and-dbus-signal.patch
154deleted file mode 100644
155index 674b0e1..0000000
156--- a/debian/patches/Improve-PSK-mismatch-detection-and-dbus-signal.patch
157+++ /dev/null
158@@ -1,47 +0,0 @@
159-Description: Improve PSK mismatch detection and dbus signal
160-
161-As the comment in wpa_supplicant_event_disassoc_finish() says,
162-mac80211-based drivers use the WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY
163-reason code in locally generated disconnection events for cases where
164-the AP does not reply anymore. The code does not indicate that the PSK
165-is wrong. Adjust could_be_psk_mismatch() to reflect that this code is
166-not considered a PSK mismatch condition.
167-
168-Commit a678a510fb20 ("dbus: Add D-Bus signal for PSK mismatch
169-heuristics") introduced the "PskMismatch" signal. D-Bus clients can
170-use this signal to detect a wrong WPA-PSK password and prompt the user
171-for a new one.
172-This commit adds the same functionality to SAE authentication,
173-emitting the signal when a failure occurs that is likely caused by a
174-wrong password.
175-
176-
177-Author: Beniamino Galvani <bgalvani@redhat.com>
178-Bug-Ubuntu: https://bugs.launchpad.net/bugs/2125203
179-Origin: other, https://lists.infradead.org/pipermail/hostap/2025-June/043584.html
180-Forwarded: not-needed
181-
182----
183---- wpa-2.11.orig/wpa_supplicant/events.c
184-+++ wpa-2.11/wpa_supplicant/events.c
185-@@ -4506,6 +4506,8 @@ static int could_be_psk_mismatch(struct
186- if (locally_generated) {
187- if (reason_code == WLAN_REASON_IE_IN_4WAY_DIFFERS)
188- return 0;
189-+ if (reason_code == WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY)
190-+ return 0;
191- }
192-
193- return 1;
194---- wpa-2.11.orig/wpa_supplicant/sme.c
195-+++ wpa-2.11/wpa_supplicant/sme.c
196-@@ -2030,6 +2030,9 @@ void sme_event_auth(struct wpa_supplican
197- data->auth.ies_len, 0, data->auth.peer,
198- &ie_offset);
199- if (res < 0) {
200-+ if (res == -2)
201-+ wpas_notify_psk_mismatch(wpa_s);
202-+
203- wpas_connection_failed(wpa_s, wpa_s->pending_bssid,
204- NULL);
205- wpa_supplicant_set_state(wpa_s, WPA_DISCONNECTED);
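Review bot: Deleting this patch removes two independent changes, and only the sme.c one is replaced by the new 0016 patch. The events.c hunk, which made could_be_psk_mismatch() return 0 for a locally generated WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY, narrowed the PskMismatch heuristic rather than widening it, so dropping it returns WPA-PSK networks to the older behaviour. If that is intended because upstream did not take that part, please say so in the merge description or changelog. If not, the events.c hunk could be kept as its own patch.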
206diff --git a/debian/patches/series b/debian/patches/series
207index 8eacdb6..99cca06 100644
208--- a/debian/patches/series
209+++ b/debian/patches/series
210@@ -13,4 +13,4 @@ CVE-2024-5290-lib_engine_trusted_path.patch
211 0019-Send-CTRL-EVENT-SIGNAL-CHANGE-message-to-control-int.patch
212 Bump-DEFAULT_BSS_MAX_COUNT-to-1000.patch
213 0015-Revert-Mark-authorization-completed-on-driver-indica.patch
214-Improve-PSK-mismatch-detection-and-dbus-signal.patch
215+0016-dbus-Add-SaePasswordMismatch-signal-on-AP-indication.patch
