← Back to team overview

debcrafters-packages team mailing list archive

  1. debcrafters-packages team
  2. Mailing list archive
  3. Message #08039

[Bug 2122458] Re: Password re-entry popup does not appear on incorrect password entry with WPA3 networks

  Thread PreviousDate PreviousThread Next 
** Description changed:

  SRU Justification:
  
  [ Impact ]
  
  Users who input an incorrect password to a WPA3-SAE Wi-Fi network will
  not receive a prompt to enter a new password when the authentication
  fails - instead, the connection will fail silently, and the user will
  need to "forget" the saved profile and try a fresh connection attempt.
  
  [ Test Plan ]
  
  1. Set up a WPA3-SAE access point
  2. On your test device, attempt to connect to the WPA3-SAE access point with the wrong password
  
  Expected behavior: User should be presented with a dialog to re-enter the password
  Actual behavior (without patch): The connection attempt will fail silently, and the user is never presented with an option to re-enter the password. As a result, they must forget the saved connection profile and try a fresh connection attempt.
  
  [ Fix ]
  
- Add a new function need_new_wpa3_secret(), invoked via handle_8021x_or_psk_auth_fail(), that will prompt for a new secret if a disconnection occurs after the wpa_supplicant AUTHENTICATING state.
- (This is needed since the current source is only adapted to WPA2, where authentication will fail during the 4-way handshake - whereas with WPA3-SAE, it can fail during the AUTHENTICATING state)
+ Add new signal handlers that will prompt for a new secret if a
+ disconnection is reported from wpa_supplicant via the PskMismatch dbus
+ signal
  
  [ Where problems could occur ]
  
- Valid connection attempts to WPA3 networks should not be impacted by
- this change, since it only impacts the code path for authentication
- failures.
+ Existing auth failure related code paths within NetworkManager should
+ not be impacted by this change, since this change only adds a new signal
+ handling function for PskMismatch.
  
- However, the new user experience could be slightly unexpected in some
- very niche scenarios.
- 
- The conditional where (last state == AUTHENTICATING, current state ==
- DISCONNECT, "sae" as network type) is this same scenario if a WPA3 AP
- goes out of range or down, meaning the password request could
- theoretically be brought up in this state as well, which does not make
- sense.
- 
- The proposed patch limits this occurrence by only showing the prompt if
- this cycle happens twice, which is sufficient to nearly totally
- eliminate the false positives on AP disconnect in my testing so far, but
- is typical of an incorrect password attempt (since multiple re-
- authentications will typically happen in a row).
- 
- In a test of an older version of the patch, where I could force the
- password prompt to appear on AP disconnect, I was able to confirm that
- with another available network in the area, the DUT will still continue
- scanning and eventually remove the dead WPA3 network, which will allow
- the DUT to reconnect to the other good network in the background - so
- the unexpected behavior would be purely cosmetic if it did occur with my
- latest revision.
- 
- From my discussions with NM upstream[0], there really is not any higher
- level of precision we can get from wpa_supplicant, due to their upstream
- not merging patches that would expose the failure reason over dbus for
- NM to read - so this might be the most precise approach we can get.
- 
- I believe this (theoretically possible, but not yet observed) cosmetic
- quirk is preferable to the user never being able to see a re-entry popup
- *at all* until they forget the saved profile.
+ If a user is within range of a WPA3 AP that they have an incorrect
+ password saved for, this bug fix will cause NM to prompt for a new
+ password. If the secret manager agent is blocking, this behavior may be
+ unexpected (but still totally correct) to the user.
  
  [ Other Info ]
- Upstream patch: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2282
+ Upstream patch: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2287
  
- Impacts Noble, Plucky, Questing
- 
- Likely impacts Jammy (to be confirmed)
- 
- [0]
- https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2230#note_3091605
+ Impacts Jammy, Noble, Plucky, Questing

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/2122458

Title:
  Password re-entry popup does not appear on incorrect password entry
  with WPA3 networks

Status in network-manager package in Ubuntu:
  In Progress
Status in network-manager source package in Jammy:
  New
Status in network-manager source package in Noble:
  New
Status in network-manager source package in Plucky:
  New
Status in network-manager source package in Questing:
  In Progress

Bug description:
  SRU Justification:

  [ Impact ]

  Users who input an incorrect password to a WPA3-SAE Wi-Fi network will
  not receive a prompt to enter a new password when the authentication
  fails - instead, the connection will fail silently, and the user will
  need to "forget" the saved profile and try a fresh connection attempt.

  [ Test Plan ]

  1. Set up a WPA3-SAE access point
  2. On your test device, attempt to connect to the WPA3-SAE access point with the wrong password

  Expected behavior: User should be presented with a dialog to re-enter the password
  Actual behavior (without patch): The connection attempt will fail silently, and the user is never presented with an option to re-enter the password. As a result, they must forget the saved connection profile and try a fresh connection attempt.

  [ Fix ]

  Add new signal handlers that will prompt for a new secret if a
  disconnection is reported from wpa_supplicant via the PskMismatch dbus
  signal

  [ Where problems could occur ]

  Existing auth failure related code paths within NetworkManager should
  not be impacted by this change, since this change only adds a new
  signal handling function for PskMismatch.

  If a user is within range of a WPA3 AP that they have an incorrect
  password saved for, this bug fix will cause NM to prompt for a new
  password. If the secret manager agent is blocking, this behavior may
  be unexpected (but still totally correct) to the user.

  [ Other Info ]
  Upstream patch: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2287

  Impacts Jammy, Noble, Plucky, Questing

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2122458/+subscriptions

References

  Thread PreviousDate PreviousThread Next