debcrafters-packages team mailing list archive

Thread
Date
[Bug 2125203] [NEW] wpa_supplicant does not specify disconnection reason, which prevents NetworkManager from displaying password re-entry prompt on auth failure

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Mitchell Augustin <2125203@xxxxxxxxxxxxxxxxxx>
Date: Fri, 19 Sep 2025 14:01:18 -0000
Reply-to: Bug 2125203 <2125203@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Public bug reported:

SRU Justification:

[ Impact ]

Users who input an incorrect password to a WPA3-SAE Wi-Fi network will
not receive a prompt to enter a new password when the authentication
fails - instead, the connection will fail silently, and the user will
need to "forget" the saved profile and try a fresh connection attempt.

[ Test Plan ]

1. Set up a WPA3-SAE access point
2. On your test device, attempt to connect to the WPA3-SAE access point with the wrong password

Expected behavior: User should be presented with a dialog to re-enter the password
Actual behavior (without patch): The connection attempt will fail silently, and the user is never presented with an option to re-enter the password. As a result, they must forget the saved connection profile and try a fresh connection attempt.

[ Fix ]

In wpa_supplicant, refine could_be_psk_mismatch() so that it does *not*
report a mismatch if the disconnect reason is
WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY, and add a
wpas_notify_psk_mismatch() invocation to the SME connection handler so
that it is invoked for WPA3-SAE networks as well.

On Ubuntu releases prior to Questing, this will require:
- Upstream patch a678a510fb20 (dbus: Add D-Bus signal for PSK mismatch heuristics)
- https://lists.infradead.org/pipermail/hostap/2025-June/043584.html
- https://lists.infradead.org/pipermail/hostap/2025-June/043583.html

Questing will only require the last two.

The last two will be applied as Ubuntu sauce patches, since hostap
upstream is unresponsive.

[ Where problems could occur ]

Valid connection attempts to WPA3 networks should not be impacted by
this change, since it only impacts the code path for authentication
failures.

(further analysis ongoing)


[ Other Info ]

Related to https://bugs.launchpad.net/ubuntu/+source/network-
manager/+bug/2122458

** Affects: wpa (Ubuntu)
     Importance: High
     Assignee: Mitchell Augustin (mitchellaugustin)
         Status: In Progress

** Affects: wpa (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: wpa (Ubuntu Noble)
     Importance: Undecided
         Status: New

** Affects: wpa (Ubuntu Plucky)
     Importance: Undecided
         Status: New

** Affects: wpa (Ubuntu Questing)
     Importance: High
     Assignee: Mitchell Augustin (mitchellaugustin)
         Status: In Progress

** Changed in: wpa (Ubuntu)
   Importance: Undecided => High

** Changed in: wpa (Ubuntu)
     Assignee: (unassigned) => Mitchell Augustin (mitchellaugustin)

** Changed in: wpa (Ubuntu)
       Status: New => In Progress

** Also affects: wpa (Ubuntu Plucky)
   Importance: Undecided
       Status: New

** Also affects: wpa (Ubuntu Questing)
   Importance: High
     Assignee: Mitchell Augustin (mitchellaugustin)
       Status: In Progress

** Also affects: wpa (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: wpa (Ubuntu Noble)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to wpa in Ubuntu.
https://bugs.launchpad.net/bugs/2125203

Title:
  wpa_supplicant does not specify disconnection reason, which prevents
  NetworkManager from displaying password re-entry prompt on auth
  failure

Status in wpa package in Ubuntu:
  In Progress
Status in wpa source package in Jammy:
  New
Status in wpa source package in Noble:
  New
Status in wpa source package in Plucky:
  New
Status in wpa source package in Questing:
  In Progress

Bug description:
  SRU Justification:

  [ Impact ]

  Users who input an incorrect password to a WPA3-SAE Wi-Fi network will
  not receive a prompt to enter a new password when the authentication
  fails - instead, the connection will fail silently, and the user will
  need to "forget" the saved profile and try a fresh connection attempt.

  [ Test Plan ]

  1. Set up a WPA3-SAE access point
  2. On your test device, attempt to connect to the WPA3-SAE access point with the wrong password

  Expected behavior: User should be presented with a dialog to re-enter the password
  Actual behavior (without patch): The connection attempt will fail silently, and the user is never presented with an option to re-enter the password. As a result, they must forget the saved connection profile and try a fresh connection attempt.

  [ Fix ]

  In wpa_supplicant, refine could_be_psk_mismatch() so that it does
  *not* report a mismatch if the disconnect reason is
  WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY, and add a
  wpas_notify_psk_mismatch() invocation to the SME connection handler so
  that it is invoked for WPA3-SAE networks as well.

  On Ubuntu releases prior to Questing, this will require:
  - Upstream patch a678a510fb20 (dbus: Add D-Bus signal for PSK mismatch heuristics)
  - https://lists.infradead.org/pipermail/hostap/2025-June/043584.html
  - https://lists.infradead.org/pipermail/hostap/2025-June/043583.html

  Questing will only require the last two.

  The last two will be applied as Ubuntu sauce patches, since hostap
  upstream is unresponsive.

  [ Where problems could occur ]

  Valid connection attempts to WPA3 networks should not be impacted by
  this change, since it only impacts the code path for authentication
  failures.

  (further analysis ongoing)

  
  [ Other Info ]

  Related to https://bugs.launchpad.net/ubuntu/+source/network-
  manager/+bug/2122458

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2125203/+subscriptions