On Wed, Feb 10, 2021 at 05:04:38PM -0700, Wystan Schmidt wrote:
> Currently, hostapd will convert a DPP2 Config object
> to a DPP-only config for a legacy DPP1 client.
>
> However, Android 10+ phones, the only potential DPP1
> clients (AFAIK), do not support the DPP-AKM and will fail
> when given a DPP-AKM object.

That is unfortunate, taking into account that DPP AKM support in DPP (v1) is mandatory while support for DPP to provision SAE credentials is not. What kind of a use case is this targeting? PSK+SAE+DPP enabled in Configurator for all Enrollees regardless of the Enrollee capabilities?

> diff --git a/src/common/dpp.c b/src/common/dpp.c
> @@ -1450,9 +1450,15 @@ dpp_build_conf_obj_dpp(struct dpp_authentication *auth,
>
> akm = conf->akm;
> if (dpp_akm_ver2(akm) && auth->peer_version < 2) {
> - wpa_printf(MSG_DEBUG,
> - "DPP: Convert DPP+legacy credential to
> DPP-only for peer that does not support version 2");
> - akm = DPP_AKM_DPP;
> + if (akm == DPP_AKM_PSK_SAE_DPP) {
> + wpa_printf(MSG_DEBUG,
> + "DPP: Convert DPP+legacy credential to legacy
> WPA2-PSK for peer that does not support version 2");
> + akm = DPP_AKM_PSK;

PSK is the least secure option of those three included AKMs. This looks like a really bad way of handling this case. DPP_AKM_DPP is used here to pick the strongest option (and one that is actually mandatory to support). At minimum, this should use DPP_AKM_PSK_SAE, which was defined in DPP v1.

> + } else if (akm == DPP_AKM_SAE_DPP) {
> + wpa_printf(MSG_DEBUG,
> + "DPP: Convert DPP+legacy credential to WPA3 for
> peer that does not support version 2");
> + akm = DPP_AKM_SAE;
> + }

DPP AKM support is mandatory while SAE AKM support is optional. This does not really look like a good default behavior from the protocol viewpoint.

--
Jouni Malinen PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
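Review bot: The downgrade for a version-1 peer now has a gap and a weakening. The removed line `akm = DPP_AKM_DPP;` ran for every AKM that satisfied `dpp_akm_ver2(akm)`, but the replacement only handles `DPP_AKM_PSK_SAE_DPP` and `DPP_AKM_SAE_DPP`; any other value for which `dpp_akm_ver2()` returns true now falls through with `akm` still set to a version-2 AKM, which the peer cannot understand. Add a final `else` that keeps the previous `akm = DPP_AKM_DPP;` so the function never hands a version-2 AKM to a `peer_version < 2` Enrollee. In the first branch, mapping `DPP_AKM_PSK_SAE_DPP` to `DPP_AKM_PSK` discards the SAE half of the credential and leaves the peer with the weakest of the three AKMs in the object; mapping to `DPP_AKM_PSK_SAE` preserves what the Configurator actually provisioned and is still a version-1 AKM. Whichever mapping is chosen, the debug strings and the commit message should state which AKMs are dropped, since the lines above them no longer match the "DPP-only" behavior the old message described.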