Re: [PATCH] Display error on SAE connection with incorrect key


 



On Sun, 2023-10-29 at 18:13 +0200, Jouni Malinen wrote:
>  On Fri, Oct 27, 2023 at 03:34:32PM +0800, Jianling.Fu wrote:
> > If a failure occurs at sae "auth confirm" step,
> > the most probable cause is an error related to the key.
> 
> Well, it depends.. I guess that might be the case when adding a new
> network for the first time and there having been no successful
> authentications before this. However, if there has been a successful
> authentication, I would be quite careful on how to interpret failures
> during SAE authentication since they could be caused by active attacks
> and should not result in something like dropping the password and
> asking the user to enter a different one.
> 
> > Correspondingly, in the case of handling SME in wpa_supplicant,
> > a similar way to internally trigger an association reject
> > event is used. We do this through calling sme_event_assoc_reject
> > to trigger upper layer processing with the WRONG_PASSWORD event.
> 
> This feels really wrong. SAE authentication failing has nothing to do
> with the AP explicitly rejecting association. This could result in
> unexpected behavior and issues when sme_event_assoc_reject() might do
> something now, or in the future after some change, that is not
> appropriate for the authentication step.
> 
> -- 
> Jouni Malinen                                            PGP id EFC895FA


How about this modification? I add "had_been_connected" to identify
whether the network has been connected, and notify wrong key only in
the situations below:

1. return -2 when "sae_check_confirm" failed

 if (sae_check_confirm(&wpa_s->sme.sae, data, len,
              ie_offset) < 0)
-        return -1;
+        return -2;
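Review bot: the new `-2` return is a bare magic value; nothing in the hunk documents that it specifically means the SAE confirm check failed, and any caller that tests the result with `== -1` rather than `< 0` will now silently miss this failure. Suggest a named constant (or at minimum a comment at the `return -2;` and in the function's description) and an audit of the function's callers for `== -1` comparisons before this lands.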


2. notify wrong key when "never connected" && (auth reject || sae
confirm check fail)
+         if (wpa_s->drv_flags & WPA_DRIVER_FLAGS_SME
+             && data->auth.auth_transaction == 2
+             && ssid->had_been_connected == 0
+             && (data->auth.status_code ==
+                  WLAN_STATUS_UNSPECIFIED_FAILURE
+                     || res == -2)) {
		.......
	}
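Review bot: the guard `ssid->had_been_connected == 0` is the only thing protecting a previously working network from being flagged, which is the active-attack concern raised earlier in the thread, but the hunk does not show where that field is set to 1 after a successful connection or how it is initialized for networks loaded from the configuration file; please include those parts so the guard can be reviewed. Also, `WLAN_STATUS_UNSPECIFIED_FAILURE` in an auth_transaction 2 frame is not specific to a password mismatch, so OR-ing it with `res == -2` widens the "wrong key" signal beyond the local confirm check, and the elided body (`.......`) should show what notification path replaces the `sme_event_assoc_reject()` call objected to above.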

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap


