* [PATCH] wifi: Handle invalid-key case on WPA-SAE authentication failure @ 2022-09-14 18:46 Ariel D'Alessandro 2022-09-14 18:57 ` Ariel D'Alessandro 2022-09-20 17:08 ` Daniel Wagner 0 siblings, 2 replies; 5+ messages in thread From: Ariel D'Alessandro @ 2022-09-14 18:46 UTC (permalink / raw) To: connman; +Cc: john On WPA3-SAE authentication, wpa_supplicant goes directly from authenticating to disconnected state if the key was invalid. The above is currently not handled and the `connect-failed` error is reported on such cases. In order to make the client agent prompt for a new password, we need to handle this transition and report the `invalid-key` error. Signed-off-by: Ariel D'Alessandro <ariel.dalessandro@collabora.com> --- plugins/wifi.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/plugins/wifi.c b/plugins/wifi.c index 2a933708..ed7437f5 100644 --- a/plugins/wifi.c +++ b/plugins/wifi.c @@ -2528,6 +2528,25 @@ static bool handle_4way_handshake_failure(GSupplicantInterface *interface, return false; } +static bool handle_sae_authentication_failure(struct connman_network *network, + struct wifi_data *wifi) +{ + struct wifi_network *network_data = connman_network_get_data(network); + + if (!(network_data->keymgmt & G_SUPPLICANT_KEYMGMT_SAE)) + return false; + + if (wifi->state != G_SUPPLICANT_STATE_AUTHENTICATING) + return false; + + if (wifi->connected) + return false; + + connman_network_set_error(network, CONNMAN_NETWORK_ERROR_INVALID_KEY); + + return true; +} + static void interface_state(GSupplicantInterface *interface) { struct connman_network *network; @@ -2625,6 +2644,13 @@ static void interface_state(GSupplicantInterface *interface) network, wifi)) break; + /* + * On WPA3-SAE authentication, wpa_supplicant goes directly from + * authenticating to disconnected state if the key was invalid. + */ + if (handle_sae_authentication_failure(network, wifi)) + break; + /* See table 8-36 Reason codes in IEEE Std 802.11 */ switch (wifi->disconnect_code) { case 6: /* Class 2 frame received from nonauthenticated STA */ -- 2.37.2 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] wifi: Handle invalid-key case on WPA-SAE authentication failure 2022-09-14 18:46 [PATCH] wifi: Handle invalid-key case on WPA-SAE authentication failure Ariel D'Alessandro @ 2022-09-14 18:57 ` Ariel D'Alessandro 2022-09-20 12:08 ` Ariel D'Alessandro 2022-09-20 17:08 ` Daniel Wagner 1 sibling, 1 reply; 5+ messages in thread From: Ariel D'Alessandro @ 2022-09-14 18:57 UTC (permalink / raw) To: connman; +Cc: john Hi all, John, This patch is a follow up of my question e-mail with subject "No password prompt after wrong entry". There's currently a difference on the state transitions between WPA2-PSK and WPA3-SAE, which makes the latter not to prompt for a new password after an invalid key has been sent and rejected. Note that on the former case (WPA2-PSK) that works as expected and the client agent asks for a new password if the key was invalid. The issue comes from the state transitions on each case. For the WPA2-PSK wrong-key case, connman goes through states: * G_SUPPLICANT_STATE_AUTHENTICATING * G_SUPPLICANT_STATE_4WAY_HANDSHAKE * G_SUPPLICANT_STATE_DISCONNECTED So, the invalid-key error is handled and reported here: https://git.kernel.org/pub/scm/network/connman/connman.git/tree/plugins/wifi.c#n2526 However, for the WPA3-SAE wrong-key case, connman goes through states: * G_SUPPLICANT_STATE_AUTHENTICATING * G_SUPPLICANT_STATE_DISCONNECTED So, the invalid-key error never gets reported. Instead, connect-failed is reported by connman, which makes the client agent never prompt for a new password. Any feedback is welcome, specially if the proposed solution should be implemented in a different way Thanks in advance :-) Ariel D'Alessandro -- Collabora Ltd. https://www.collabora.com/ On 9/14/22 15:46, Ariel D'Alessandro wrote: > On WPA3-SAE authentication, wpa_supplicant goes directly from > authenticating to disconnected state if the key was invalid. > > The above is currently not handled and the `connect-failed` error is > reported on such cases. In order to make the client agent prompt for a > new password, we need to handle this transition and report the > `invalid-key` error. > > Signed-off-by: Ariel D'Alessandro <ariel.dalessandro@collabora.com> > --- > plugins/wifi.c | 26 ++++++++++++++++++++++++++ > 1 file changed, 26 insertions(+) > > diff --git a/plugins/wifi.c b/plugins/wifi.c > index 2a933708..ed7437f5 100644 > --- a/plugins/wifi.c > +++ b/plugins/wifi.c > @@ -2528,6 +2528,25 @@ static bool handle_4way_handshake_failure(GSupplicantInterface *interface, > return false; > } > > +static bool handle_sae_authentication_failure(struct connman_network *network, > + struct wifi_data *wifi) > +{ > + struct wifi_network *network_data = connman_network_get_data(network); > + > + if (!(network_data->keymgmt & G_SUPPLICANT_KEYMGMT_SAE)) > + return false; > + > + if (wifi->state != G_SUPPLICANT_STATE_AUTHENTICATING) > + return false; > + > + if (wifi->connected) > + return false; > + > + connman_network_set_error(network, CONNMAN_NETWORK_ERROR_INVALID_KEY); > + > + return true; > +} > + > static void interface_state(GSupplicantInterface *interface) > { > struct connman_network *network; > @@ -2625,6 +2644,13 @@ static void interface_state(GSupplicantInterface *interface) > network, wifi)) > break; > > + /* > + * On WPA3-SAE authentication, wpa_supplicant goes directly from > + * authenticating to disconnected state if the key was invalid. > + */ > + if (handle_sae_authentication_failure(network, wifi)) > + break; > + > /* See table 8-36 Reason codes in IEEE Std 802.11 */ > switch (wifi->disconnect_code) { > case 6: /* Class 2 frame received from nonauthenticated STA */ ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] wifi: Handle invalid-key case on WPA-SAE authentication failure 2022-09-14 18:57 ` Ariel D'Alessandro @ 2022-09-20 12:08 ` Ariel D'Alessandro 2022-09-20 16:06 ` Daniel Wagner 0 siblings, 1 reply; 5+ messages in thread From: Ariel D'Alessandro @ 2022-09-20 12:08 UTC (permalink / raw) To: connman; +Cc: john, wagi +cc Daniel, in case you have any possible feedback :-) On 9/14/22 15:57, Ariel D'Alessandro wrote: > Hi all, John, > > This patch is a follow up of my question e-mail with subject "No > password prompt after wrong entry". > > There's currently a difference on the state transitions between WPA2-PSK > and WPA3-SAE, which makes the latter not to prompt for a new password > after an invalid key has been sent and rejected. Note that on the former > case (WPA2-PSK) that works as expected and the client agent asks for a > new password if the key was invalid. > > The issue comes from the state transitions on each case. > > For the WPA2-PSK wrong-key case, connman goes through states: > * G_SUPPLICANT_STATE_AUTHENTICATING > * G_SUPPLICANT_STATE_4WAY_HANDSHAKE > * G_SUPPLICANT_STATE_DISCONNECTED > > So, the invalid-key error is handled and reported here: > > https://git.kernel.org/pub/scm/network/connman/connman.git/tree/plugins/wifi.c#n2526 > > However, for the WPA3-SAE wrong-key case, connman goes through states: > * G_SUPPLICANT_STATE_AUTHENTICATING > * G_SUPPLICANT_STATE_DISCONNECTED > > So, the invalid-key error never gets reported. Instead, connect-failed > is reported by connman, which makes the client agent never prompt for a > new password. > > Any feedback is welcome, specially if the proposed solution should be > implemented in a different way > > Thanks in advance :-) > Ariel D'Alessandro > -- > Collabora Ltd. > https://www.collabora.com/ > > On 9/14/22 15:46, Ariel D'Alessandro wrote: >> On WPA3-SAE authentication, wpa_supplicant goes directly from >> authenticating to disconnected state if the key was invalid. >> >> The above is currently not handled and the `connect-failed` error is >> reported on such cases. In order to make the client agent prompt for a >> new password, we need to handle this transition and report the >> `invalid-key` error. >> >> Signed-off-by: Ariel D'Alessandro <ariel.dalessandro@collabora.com> >> --- >> plugins/wifi.c | 26 ++++++++++++++++++++++++++ >> 1 file changed, 26 insertions(+) >> >> diff --git a/plugins/wifi.c b/plugins/wifi.c >> index 2a933708..ed7437f5 100644 >> --- a/plugins/wifi.c >> +++ b/plugins/wifi.c >> @@ -2528,6 +2528,25 @@ static bool handle_4way_handshake_failure(GSupplicantInterface *interface, >> return false; >> } >> >> +static bool handle_sae_authentication_failure(struct connman_network *network, >> + struct wifi_data *wifi) >> +{ >> + struct wifi_network *network_data = connman_network_get_data(network); >> + >> + if (!(network_data->keymgmt & G_SUPPLICANT_KEYMGMT_SAE)) >> + return false; >> + >> + if (wifi->state != G_SUPPLICANT_STATE_AUTHENTICATING) >> + return false; >> + >> + if (wifi->connected) >> + return false; >> + >> + connman_network_set_error(network, CONNMAN_NETWORK_ERROR_INVALID_KEY); >> + >> + return true; >> +} >> + >> static void interface_state(GSupplicantInterface *interface) >> { >> struct connman_network *network; >> @@ -2625,6 +2644,13 @@ static void interface_state(GSupplicantInterface *interface) >> network, wifi)) >> break; >> >> + /* >> + * On WPA3-SAE authentication, wpa_supplicant goes directly from >> + * authenticating to disconnected state if the key was invalid. >> + */ >> + if (handle_sae_authentication_failure(network, wifi)) >> + break; >> + >> /* See table 8-36 Reason codes in IEEE Std 802.11 */ >> switch (wifi->disconnect_code) { >> case 6: /* Class 2 frame received from nonauthenticated STA */ > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] wifi: Handle invalid-key case on WPA-SAE authentication failure 2022-09-20 12:08 ` Ariel D'Alessandro @ 2022-09-20 16:06 ` Daniel Wagner 0 siblings, 0 replies; 5+ messages in thread From: Daniel Wagner @ 2022-09-20 16:06 UTC (permalink / raw) To: Ariel D'Alessandro; +Cc: connman, john On Tue, Sep 20, 2022 at 09:08:29AM -0300, Ariel D'Alessandro wrote: > +cc Daniel, in case you have any possible feedback :-) I've seen it. Just not yet found time to look at. From a quick glance, it looks good. I'll apply this evening. Sorry, I know I am really not moving things forward... :( ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] wifi: Handle invalid-key case on WPA-SAE authentication failure 2022-09-14 18:46 [PATCH] wifi: Handle invalid-key case on WPA-SAE authentication failure Ariel D'Alessandro 2022-09-14 18:57 ` Ariel D'Alessandro @ 2022-09-20 17:08 ` Daniel Wagner 1 sibling, 0 replies; 5+ messages in thread From: Daniel Wagner @ 2022-09-20 17:08 UTC (permalink / raw) To: Ariel D'Alessandro; +Cc: connman, john On Wed, Sep 14, 2022 at 03:46:10PM -0300, Ariel D'Alessandro wrote: > On WPA3-SAE authentication, wpa_supplicant goes directly from > authenticating to disconnected state if the key was invalid. > > The above is currently not handled and the `connect-failed` error is > reported on such cases. In order to make the client agent prompt for a > new password, we need to handle this transition and report the > `invalid-key` error. Patch applied. Thanks! Daniel ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-09-20 17:08 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-09-14 18:46 [PATCH] wifi: Handle invalid-key case on WPA-SAE authentication failure Ariel D'Alessandro 2022-09-14 18:57 ` Ariel D'Alessandro 2022-09-20 12:08 ` Ariel D'Alessandro 2022-09-20 16:06 ` Daniel Wagner 2022-09-20 17:08 ` Daniel Wagner
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).