On Mon, Dec 23, 2024 at 09:10:03PM +0800, xinpeng wang wrote:
> Add a new dbus property SAENeedAuth to notify the desktop that a
> password dialog needs to pop up for the user to enter the correct
> password

What does "SAENeedAuth" mean? That feels like a strange name for this.

> diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c > +dbus_bool_t wpas_dbus_getter_sae_need_auth( > + const struct wpa_dbus_property_desc *property_desc, > + DBusMessageIter *iter, DBusError *error, void *user_data) > +{ > + struct wpa_supplicant *wpa_s = user_data; > + dbus_bool_t sae_need_auth = wpa_s->sme.sae.sae_need_auth ? TRUE : FALSE;

This would break compilation without CONFIG_SME=y.

> diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
> @@ -1913,8 +1913,12 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction, > if (sae_check_confirm(&wpa_s->sme.sae, data, len, > - ie_offset) < 0) > + ie_offset) < 0) { > + wpa_s->sme.sae.sae_need_auth = 1; > + wpa_dbg(wpa_s, MSG_DEBUG, "SME: Notifying SAENeedAuth attribute changes"); > + wpas_notify_sae_need_auth(wpa_s); > return -1; > + }

This would not work for cases where the AP sends out its SAE Confirm message only after having received a valid SAE Confirm from the STA. Furthermore, this would have no impact for drivers that use SME-in-driver design. In either of these cases, the new property would confusingly show FALSE regardless of what happened with SAE authentication.

sae_check_confirm() can fail for a number of reasons and only the actual mismatch in the verifier value might be of reason to consider whether the configured password would need to be changed.

It should also be noted that it could be a bad idea to automatically pop up a new dialog to the user whenever this happens if that operation would end up replacing the currently configured password since there is no authentication of this information and it would be trivial for attackers to force this to happen. In other words, the commit message should be much more careful in implying that this should always result in user dialog and a new password being entered.

--
Jouni Malinen PGP id EFC895FA
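Review bot: The getter wpas_dbus_getter_sae_need_auth() in dbus_new_handlers.c reads wpa_s->sme.sae.sae_need_auth with no build guard around it, and the sme member is only present when CONFIG_SME is enabled, so a build without CONFIG_SME=y fails at that line. Wrap the getter and the property registration that refers to it in the matching #ifdef, or keep the flag in a field that exists in every build configuration. The property name should also describe what was observed (a failed SAE confirm check) rather than what the desktop is expected to do about it.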
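Review bot: In the sme_sae_auth() hunk in sme.c, sae_need_auth is set to 1 on every negative return from sae_check_confirm(), so a malformed or truncated Confirm frame raises the same signal as a real verifier mismatch, and nothing in the visible lines ever sets the flag back to 0. Set it only on the mismatch case, clear it when a new SAE attempt starts or authentication succeeds, and document the property as an unauthenticated hint so that a D-Bus client does not replace the stored password on the strength of a frame anyone in radio range can send. The added wpa_dbg() call also runs past the line length used by the surrounding code and should be wrapped.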