On Tue, Nov 08, 2022 at 02:47:36PM +0800, xinpeng wang wrote:
> When the connection to wifi fails, nm judges whether recall
> ask-password-dialog according to the status change of wpa; for sae, if it
> is in external authentication mode, when the authentication fails, the
> state is from ASSOCIATING to DISCONNECTED; if it is not external
> authentication, when the authentication fails, the state is AUTHENTICATING
> to DISCONNECTED.

So is this patch proposing the state sequence for SAE-external-authentication to be changed to DISCONNECT -> ASSOCIATING -> AUTHENTICATING -> ASSOCIATED? If so, that would feel really confusing since ASSOCIATING state is used only after AUTHENTICATING state has been completed.

> Therefore, nm needs to ask for a password when the state
> of wpa changes from AUTHENTICATING or ASSOCIATING to DISCONNECTED when sae.

Why would that result in requesting a password? Such state changes have no protected indication of incorrect password being used and it would be trivial for attacks to force user to get to this inconvenient state where the password might need to be re-entered. Would that also drop a previously working password? If so, this would be really inconvenient user experience.

> This range is too large, and there may be misjudgments. Therefore, consider
> changing the status to AUTHENTICATING for the successful triggering of
> external authentication.

There can be misjudgment here already if this is trying to determine that a SAE password is wrong based on any kind of state wpa_change. That does not provide any robust information about the correctness of the password.

-- 
Jouni Malinen                                            PGP id EFC895FA