DPP configuration object for both APs and STAs

Jouni Malinen j at w1.fi
Wed Feb 22 07:00:12 PST 2023

On Mon, Jan 16, 2023 at 02:31:38PM +0000, ABDO Alexandre wrote:
> The current implementation of dpp_configuration_parse_helper seems to indicate that it should be possible to configure both APs and STAs with the same configuration object by setting "conf=ap-* conf=sta-* [...]" when setting DPP configurator parameters.

The DPP configuration protocol can be executed only for a single netRole
(i.e., sta, ap, or configuration, but only one of those at a time). In
other words, there can be only a single configObject that includes only
the entries specific for the particular netRole that the Enrollee
indicated in the config request.

While it would in theory be possible to make the implementation allow
separate per-netRole configurations to be prepared and then the relevant
one to be selected based on what the Enrollee requests, that is not
supported functionality currently. The supported way of addressing cases
where the Enrollee could be either an AP or a STA is by not
pre-configuring anything on the Configurator and instead, waiting for
the DPP-CONF-NEEDED event to show up and indicate net_role=sta/ap and
then issue the DPP_CONF_SET command to specify the appropriate
configuration for the particular STA/AP role.

> However, with this same implementation, the result is 2 configuration objects:
>     One for the AP containing all the information specified in the command
>     One for the STA containing only the AKM

I'm not completely sure I can understand what this is saying..

> My question is: Should it be possible to configure both APs and STAs using the same configuration, or, should this function fail if both conf=ap-* and conf=sta-* are present?

That is not supported functionality. There is minimal support for
provisioning two STA Enrollee config objects in a single exchange with a
value like this:
conf=sta-psk pass=7061737370687261736520666f722070736b ssid=7465737431 @CONF-OBJ-SEP@ conf=sta-sae pass=70617373776f726420666f7220736165 ssid=746573742d32

I guess this could be extended to cover one config object for STA role
and one for AP if there is a use case for that. Otherwise, it might
indeed make sense to reject the value if there are parameters for
multiple netRoles. In practice, the current behavior might be to just
use the first entry and behave as if the other one was not there at all.
Furthermore, there is a bug in the @CONF-OBJ-SEP@ handling.. I'll fix
that one, but anyway, this multi-confObject thing is undocumented
testing functionality for the time being..

Jouni Malinen                                            PGP id EFC895FA
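
Added example, not part of the original message and not hostap code: a pre-check an operator could run on a Configurator parameter string before passing it on, decoding the hex ssid/pass values and rejecting strings that carry parameters for more than one netRole, as the reply suggests might make sense. The function names and the rule that the netRole is the conf= prefix before the first "-" are assumptions made for this sketch.

```python
SEP = "@CONF-OBJ-SEP@"  # separator token as it appears in the message


def parse_conf_objects(params):
    """Split a parameter string into config objects; decode hex ssid/pass."""
    objects = []
    for chunk in params.split(SEP):
        obj = {"net_roles": [], "conf": []}
        for tok in chunk.split():
            key, eq, value = tok.partition("=")
            if not eq:
                raise ValueError("not a key=value token: " + tok)
            if key == "conf":
                # netRole is taken to be the prefix before the first "-" (assumption)
                obj["net_roles"].append(value.partition("-")[0])
                obj["conf"].append(value)
            elif key in ("ssid", "pass"):
                obj[key] = bytes.fromhex(value)  # ValueError on malformed hex
            # any other parameters are ignored by this check
        if not obj["conf"]:
            raise ValueError("config object without conf=")
        objects.append(obj)
    return objects


def check_single_net_role(params):
    """Return (net_role, objects); reject strings that mix netRoles."""
    objects = parse_conf_objects(params)
    roles = sorted({r for o in objects for r in o["net_roles"]})
    if len(roles) != 1:
        raise ValueError("parameters for multiple netRoles: " + ", ".join(roles))
    return roles[0], objects


# The two-STA value quoted in the message.
TWO_STA = (
    "conf=sta-psk pass=7061737370687261736520666f722070736b ssid=7465737431 "
    "@CONF-OBJ-SEP@ conf=sta-sae pass=70617373776f726420666f7220736165 "
    "ssid=746573742d32"
)
# Constructed input in the "conf=ap-* conf=sta-*" form from the question.
MIXED = "conf=ap-psk pass=7061737370687261736520666f722070736b ssid=7465737431 conf=sta-psk"

if __name__ == "__main__":
    role, objs = check_single_net_role(TWO_STA)
    print(role, [(o["conf"], o["ssid"], o["pass"]) for o in objs])
    try:
        check_single_net_role(MIXED)
    except ValueError as err:
        print("rejected:", err)
```

The pass= values are only hex-encoded, so any log or shell history that records such a string holds the passphrase in recoverable form.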
