> That is unfortunate taking into account DPP AKM support in DPP (v1) is
> mandatory while support for DPP to provision SAE credential is not.

It is unfortunate. As a service provider this puts us in the difficult position of having to choose between adhering to the spec and supporting a flawed but widespread implementation.

> What kind of a use case is this targeting? PSK+SAE+DPP enabled in
> Configurator for all Enrollees regardless of the Enrollee capabilities?

This is just targeting DPP1 Initiator-Enrollees. DPP1 does not support enrolling additional configurators.

> At minimum, this should use DPP_AKM_PSK_SAE which was defined
> in DPP v1.

This is good feedback. I agree that DPP_AKM_PSK_SAE is a better option than splitting into two cases. And Android supports SAE.

On Sat, Feb 13, 2021 at 2:30 PM Jouni Malinen <j@xxxxx> wrote:
>
> On Wed, Feb 10, 2021 at 05:04:38PM -0700, Wystan Schmidt wrote:
> > Currently, hostapd will convert a DPP2 Config object
> > to a DPP-only config for a legacy DPP1 client.
> >
> > However, Android 10+ phones, the only potential DPP1
> > clients (AFAIK), do not support the DPP-AKM and will fail
> > when given a DPP-AKM object.
>
> That is unfortunate taking into account DPP AKM support in DPP (v1) is
> mandatory while support for DPP to provision SAE credential is not.
>
> What kind of a use case is this targeting? PSK+SAE+DPP enabled in
> Configurator for all Enrollees regardless of the Enrollee capabilities?
>
> > diff --git a/src/common/dpp.c b/src/common/dpp.c
> > @@ -1450,9 +1450,15 @@ dpp_build_conf_obj_dpp(struct dpp_authentication *auth, > > > > akm = conf->akm; > > if (dpp_akm_ver2(akm) && auth->peer_version < 2) { > > - wpa_printf(MSG_DEBUG, > > - "DPP: Convert DPP+legacy credential to > > DPP-only for peer that does not support version 2"); > > - akm = DPP_AKM_DPP; > > + if (akm == DPP_AKM_PSK_SAE_DPP) { > > + wpa_printf(MSG_DEBUG, > > + "DPP: Convert DPP+legacy credential to legacy > > WPA2-PSK for peer that does not support version 2"); > > + akm = DPP_AKM_PSK; > > PSK is the least secure option of those three included AKMs. This looks > a really bad way of handling this case.. DPP_AKM_DPP is used here to > pick the strongest option (and one that is actually mandatory to > support). At minimum, this should use DPP_AKM_PSK_SAE which was defined > in DPP v1. > > > + } else if (akm == DPP_AKM_SAE_DPP) { > > + wpa_printf(MSG_DEBUG, > > + "DPP: Convert DPP+legacy credential to WPA3 for > > peer that does not support version 2"); > > + akm = DPP_AKM_SAE; > > + } > > DPP AKM support is mandatory while SAE AKM support is optional. This > does not really look like a good default behavior from the protocol view > point. > > -- > Jouni Malinen PGP id EFC895FA _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
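Review bot: the new if/else-if chain inside `if (dpp_akm_ver2(akm) && auth->peer_version < 2)` has no final else, so the unconditional `akm = DPP_AKM_DPP;` that this hunk removes is no longer applied to any other AKM that dpp_akm_ver2() accepts, and such a peer_version < 2 Enrollee would be handed an unconverted version-2 AKM; keep `akm = DPP_AKM_DPP;` in a trailing else so the conversion stays total. In the DPP_AKM_PSK_SAE_DPP branch, `akm = DPP_AKM_PSK;` picks the weakest of the three AKMs being collapsed; DPP_AKM_PSK_SAE, already defined in DPP v1, keeps SAE available to peers that support it, as requested in the review above.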