On Mon, Jan 16, 2023 at 02:31:38PM +0000, ABDO Alexandre wrote:
> The current implementation of dpp_configuration_parse_helper seems to indicate that it should be possible to configure both APs and STAs with the same configuration object by setting "conf=ap-* conf=sta-* [...]" when setting DPP configurator parameters.

The DPP configuration protocol can be executed only for a single netRole (i.e., sta, ap, or configuration, but only one of those at a time). In other words, there can be only a single configObject that includes only the entries specific for the particular netRole that the Enrollee indicated in the config request.

While it would in theory be possible to make the implementation allow separate per-netRole configurations to be prepared and then the relevant one to be selected based on what the Enrollee requests, that is not supported functionality currently. The supported way of addressing cases where the Enrollee could be either an AP or a STA is by not pre-configuring anything on the Configurator and instead, waiting for the DPP-CONF-NEEDED event to show up and indicate net_role=sta/ap and then issue the DPP_CONF_SET command to specify the appropriate configuration for the particular STA/AP role.

> However, with this same implementation, the result is 2 configuration objects :
>
> One for the AP containing all the information specified in the command
> One for the STA containing only the AKM

I'm not completely sure I understand what this is saying..

> My question is : Should it be possible to configure both APs and STAs using the same configuration, or, should this function fail if both conf=ap-* and conf=sta-* are present ?

That is not supported functionality.
There is minimal support for provisioning two STA Enrollee config objects in a single exchange with a value like this:

conf=sta-psk pass=7061737370687261736520666f722070736b ssid=7465737431 @CONF-OBJ-SEP@ conf=sta-sae pass=70617373776f726420666f7220736165 ssid=746573742d32

I guess this could be extended to cover one config object for STA role and one for AP if there is a use case for that. Otherwise, it might indeed make sense to reject the value if there are parameters for multiple netRoles. In practice, the current behavior might be to just use the first entry and behave as if the other one was not there at all.

Furthermore, there is a bug in the @CONF-OBJ-SEP@ handling.. I'll fix that one, but anyway, this multi-confObject thing is undocumented testing functionality for the time being..

-- 
Jouni Malinen                                            PGP id EFC895FA
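
The rejection discussed above (a value that carries parameters for more than one netRole), as an added example that is not part of the original message or of the hostap code: a Python pre-flight check that an operator script could run on a configurator parameter string before handing it to the Configurator. It assumes only the conf=sta-* / conf=ap-* forms and the hex-encoded ssid seen in the value above; the function name and the MIXED sample are hypothetical.

```python
SEP = "@CONF-OBJ-SEP@"  # config object separator quoted in the message above


def parse_conf_objects(params):
    """Split a configurator parameter string into (net_role, akm, ssid) tuples.

    Raises ValueError when one config object carries several conf= entries
    or when the config objects do not all target the same netRole.
    """
    objects = []
    for chunk in params.split(SEP):
        fields, confs = {}, []
        for token in chunk.split():
            key, _, value = token.partition("=")
            if key == "conf":
                confs.append(value)
            else:
                fields[key] = value
        if len(confs) != 1:
            raise ValueError(f"need exactly one conf= per config object, got {confs}")
        role, _, akm = confs[0].partition("-")
        if role not in ("sta", "ap") or not akm:
            raise ValueError(f"conf={confs[0]} is not a sta-*/ap-* value")
        # ssid is hex-encoded in the value shown in the message
        ssid = bytes.fromhex(fields.get("ssid", "")).decode("utf-8", "replace")
        objects.append((role, akm, ssid))
    roles = {role for role, _, _ in objects}
    if len(roles) > 1:
        raise ValueError(f"config objects mix netRoles: {sorted(roles)}")
    return objects


# Value from the message above: two STA config objects, a single netRole.
TWO_STA = ("conf=sta-psk pass=7061737370687261736520666f722070736b ssid=7465737431 "
           "@CONF-OBJ-SEP@ "
           "conf=sta-sae pass=70617373776f726420666f7220736165 ssid=746573742d32")
# Constructed: the conf=ap-* conf=sta-* combination asked about in the question.
MIXED = "conf=ap-psk conf=sta-psk pass=7061737370687261736520666f722070736b ssid=7465737431"

if __name__ == "__main__":
    print(parse_conf_objects(TWO_STA))
    try:
        parse_conf_objects(MIXED)
    except ValueError as err:
        print("rejected:", err)
```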