Re: [PATCH] DPP: Convert AKM to PSK/SAE for legacy DPP1 client

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Feb 10, 2021 at 05:04:38PM -0700, Wystan Schmidt wrote:
> Currently, hostapd will convert a DPP2 Config object
> to a DPP-only config for a legacy DPP1 client.
> 
> However, Android 10+ phones, the only potential DPP1
> clients (AFAIK), do not support the DPP-AKM and will fail
> when given a DPP-AKM object.

That is unfortunate taken into account DPP AKM support in DPP (v1) is
mandatory while support for DPP to provision SAE credential is not.

What kind of a use case is this targeting? PSK+SAE+DPP enabled in
Configurator for all Enrollees regardless of the Enrollee capabilities?

> diff --git a/src/common/dpp.c b/src/common/dpp.c
> @@ -1450,9 +1450,15 @@ dpp_build_conf_obj_dpp(struct dpp_authentication *auth,
> 
>         akm = conf->akm;
>         if (dpp_akm_ver2(akm) && auth->peer_version < 2) {
> -               wpa_printf(MSG_DEBUG,
> -                          "DPP: Convert DPP+legacy credential to
> DPP-only for peer that does not support version 2");
> -               akm = DPP_AKM_DPP;
> +               if (akm == DPP_AKM_PSK_SAE_DPP) {
> +            wpa_printf(MSG_DEBUG,
> +                   "DPP: Convert DPP+legacy credential to legacy
> WPA2-PSK for peer that does not support version 2");
> +            akm = DPP_AKM_PSK;

PSK is the least secure option of those three included AKMs. This looks
a really bad way of handling this case.. DPP_AKM_DPP is used here to
pick the strongest option (and one that is actually mandatory to
support). At minimum, this should use DPP_AKM_PSK_SAE which was defined
in DPP v1.

> +        } else if (akm == DPP_AKM_SAE_DPP) {
> +            wpa_printf(MSG_DEBUG,
> +                   "DPP: Convert DPP+legacy credential to WPA3 for
> peer that does not support version 2");
> +            akm = DPP_AKM_SAE;
> +        }

DPP AKM support is mandatory while SAE AKM support is optional. This
does not really look like a good default behavior from the protocol view
point.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux