1 /*
2 * hostapd / Configuration helper functions
3 * Copyright (c) 2003-2024, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "crypto/sha1.h"
13 #include "crypto/tls.h"
14 #include "radius/radius_client.h"
15 #include "common/ieee802_11_defs.h"
16 #include "common/ieee802_1x_defs.h"
17 #include "common/eapol_common.h"
18 #include "common/dhcp.h"
19 #include "common/sae.h"
20 #include "eap_common/eap_wsc_common.h"
21 #include "eap_server/eap.h"
22 #include "wpa_auth.h"
23 #include "sta_info.h"
24 #include "airtime_policy.h"
25 #include "ap_config.h"
26
27
hostapd_config_free_vlan(struct hostapd_bss_config * bss)28 static void hostapd_config_free_vlan(struct hostapd_bss_config *bss)
29 {
30 struct hostapd_vlan *vlan, *prev;
31
32 vlan = bss->vlan;
33 prev = NULL;
34 while (vlan) {
35 prev = vlan;
36 vlan = vlan->next;
37 os_free(prev);
38 }
39
40 bss->vlan = NULL;
41 }
42
43
44 #ifndef DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES
45 #define DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES 0
46 #endif /* DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES */
47
hostapd_config_defaults_bss(struct hostapd_bss_config * bss)48 void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
49 {
50 dl_list_init(&bss->anqp_elem);
51
52 bss->logger_syslog_level = HOSTAPD_LEVEL_INFO;
53 bss->logger_stdout_level = HOSTAPD_LEVEL_INFO;
54 bss->logger_syslog = (unsigned int) -1;
55 bss->logger_stdout = (unsigned int) -1;
56
57 #ifdef CONFIG_WEP
58 bss->auth_algs = WPA_AUTH_ALG_OPEN | WPA_AUTH_ALG_SHARED;
59
60 bss->wep_rekeying_period = 300;
61 /* use key0 in individual key and key1 in broadcast key */
62 bss->broadcast_key_idx_min = 1;
63 bss->broadcast_key_idx_max = 2;
64 #else /* CONFIG_WEP */
65 bss->auth_algs = WPA_AUTH_ALG_OPEN;
66 #endif /* CONFIG_WEP */
67 bss->eap_reauth_period = 3600;
68
69 bss->wpa_group_rekey = 600;
70 bss->wpa_gmk_rekey = 86400;
71 bss->wpa_deny_ptk0_rekey = PTK0_REKEY_ALLOW_ALWAYS;
72 bss->wpa_group_update_count = 4;
73 bss->wpa_pairwise_update_count = 4;
74 bss->wpa_disable_eapol_key_retries =
75 DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES;
76 bss->wpa_key_mgmt = WPA_KEY_MGMT_PSK;
77 #ifdef CONFIG_NO_TKIP
78 bss->wpa_pairwise = WPA_CIPHER_CCMP;
79 bss->wpa_group = WPA_CIPHER_CCMP;
80 #else /* CONFIG_NO_TKIP */
81 bss->wpa_pairwise = WPA_CIPHER_TKIP;
82 bss->wpa_group = WPA_CIPHER_TKIP;
83 #endif /* CONFIG_NO_TKIP */
84 bss->rsn_pairwise = 0;
85
86 bss->max_num_sta = MAX_STA_COUNT;
87
88 bss->dtim_period = 2;
89
90 bss->radius_server_auth_port = 1812;
91 bss->eap_sim_db_timeout = 1;
92 bss->eap_sim_id = 3;
93 bss->eap_sim_aka_fast_reauth_limit = 1000;
94 bss->ap_max_inactivity = AP_MAX_INACTIVITY;
95 bss->bss_max_idle = 1;
96 bss->eapol_version = EAPOL_VERSION;
97
98 bss->max_listen_interval = 65535;
99
100 bss->pwd_group = 19; /* ECC: GF(p=256) */
101
102 bss->assoc_sa_query_max_timeout = 1000;
103 bss->assoc_sa_query_retry_timeout = 201;
104 bss->group_mgmt_cipher = WPA_CIPHER_AES_128_CMAC;
105 #ifdef EAP_SERVER_FAST
106 /* both anonymous and authenticated provisioning */
107 bss->eap_fast_prov = 3;
108 bss->pac_key_lifetime = 7 * 24 * 60 * 60;
109 bss->pac_key_refresh_time = 1 * 24 * 60 * 60;
110 #endif /* EAP_SERVER_FAST */
111
112 /* Set to -1 as defaults depends on HT in setup */
113 bss->wmm_enabled = -1;
114
115 #ifdef CONFIG_IEEE80211R_AP
116 bss->ft_over_ds = 1;
117 bss->rkh_pos_timeout = 86400;
118 bss->rkh_neg_timeout = 60;
119 bss->rkh_pull_timeout = 1000;
120 bss->rkh_pull_retries = 4;
121 bss->r0_key_lifetime = 1209600;
122 #endif /* CONFIG_IEEE80211R_AP */
123
124 bss->radius_das_time_window = 300;
125 bss->radius_require_message_authenticator = 1;
126
127 bss->anti_clogging_threshold = 5;
128 bss->sae_sync = 3;
129
130 bss->gas_frag_limit = 1400;
131
132 #ifdef CONFIG_FILS
133 dl_list_init(&bss->fils_realms);
134 bss->fils_hlp_wait_time = 30;
135 bss->dhcp_server_port = DHCP_SERVER_PORT;
136 bss->dhcp_relay_port = DHCP_SERVER_PORT;
137 bss->fils_discovery_min_int = 20;
138 #endif /* CONFIG_FILS */
139
140 bss->broadcast_deauth = 1;
141
142 #ifdef CONFIG_MBO
143 bss->mbo_cell_data_conn_pref = -1;
144 #endif /* CONFIG_MBO */
145
146 /* Disable TLS v1.3 by default for now to avoid interoperability issue.
147 * This can be enabled by default once the implementation has been fully
148 * completed and tested with other implementations. */
149 bss->tls_flags = TLS_CONN_DISABLE_TLSv1_3;
150
151 bss->max_auth_rounds = 100;
152 bss->max_auth_rounds_short = 50;
153
154 bss->send_probe_response = 1;
155
156 #ifdef CONFIG_HS20
157 bss->hs20_release = (HS20_VERSION >> 4) + 1;
158 #endif /* CONFIG_HS20 */
159
160 #ifdef CONFIG_MACSEC
161 bss->mka_priority = DEFAULT_PRIO_NOT_KEY_SERVER;
162 bss->macsec_port = 1;
163 #endif /* CONFIG_MACSEC */
164
165 /* Default to strict CRL checking. */
166 bss->check_crl_strict = 1;
167
168 bss->multi_ap_profile = MULTI_AP_PROFILE_2;
169
170 #ifdef CONFIG_TESTING_OPTIONS
171 bss->sae_commit_status = -1;
172 bss->test_assoc_comeback_type = -1;
173 #endif /* CONFIG_TESTING_OPTIONS */
174
175 #ifdef CONFIG_PASN
176 /* comeback after 10 TUs */
177 bss->pasn_comeback_after = 10;
178 bss->pasn_noauth = 1;
179 #endif /* CONFIG_PASN */
180 }
181
182
hostapd_config_defaults(void)183 struct hostapd_config * hostapd_config_defaults(void)
184 {
185 #define ecw2cw(ecw) ((1 << (ecw)) - 1)
186
187 struct hostapd_config *conf;
188 struct hostapd_bss_config *bss;
189 const int aCWmin = 4, aCWmax = 10;
190 const struct hostapd_wmm_ac_params ac_bk =
191 { aCWmin, aCWmax, 7, 0, 0 }; /* background traffic */
192 const struct hostapd_wmm_ac_params ac_be =
193 { aCWmin, aCWmax, 3, 0, 0 }; /* best effort traffic */
194 const struct hostapd_wmm_ac_params ac_vi = /* video traffic */
195 { aCWmin - 1, aCWmin, 2, 3008 / 32, 0 };
196 const struct hostapd_wmm_ac_params ac_vo = /* voice traffic */
197 { aCWmin - 2, aCWmin - 1, 2, 1504 / 32, 0 };
198 const struct hostapd_tx_queue_params txq_bk =
199 { 7, ecw2cw(aCWmin), ecw2cw(aCWmax), 0 };
200 const struct hostapd_tx_queue_params txq_be =
201 { 3, ecw2cw(aCWmin), 4 * (ecw2cw(aCWmin) + 1) - 1, 0};
202 const struct hostapd_tx_queue_params txq_vi =
203 { 1, (ecw2cw(aCWmin) + 1) / 2 - 1, ecw2cw(aCWmin), 30};
204 const struct hostapd_tx_queue_params txq_vo =
205 { 1, (ecw2cw(aCWmin) + 1) / 4 - 1,
206 (ecw2cw(aCWmin) + 1) / 2 - 1, 15};
207
208 #undef ecw2cw
209
210 conf = os_zalloc(sizeof(*conf));
211 bss = os_zalloc(sizeof(*bss));
212 if (conf == NULL || bss == NULL) {
213 wpa_printf(MSG_ERROR, "Failed to allocate memory for "
214 "configuration data.");
215 os_free(conf);
216 os_free(bss);
217 return NULL;
218 }
219 conf->bss = os_calloc(1, sizeof(struct hostapd_bss_config *));
220 if (conf->bss == NULL) {
221 os_free(conf);
222 os_free(bss);
223 return NULL;
224 }
225 conf->bss[0] = bss;
226
227 bss->radius = os_zalloc(sizeof(*bss->radius));
228 if (bss->radius == NULL) {
229 os_free(conf->bss);
230 os_free(conf);
231 os_free(bss);
232 return NULL;
233 }
234
235 hostapd_config_defaults_bss(bss);
236
237 conf->num_bss = 1;
238
239 conf->beacon_int = 100;
240 conf->rts_threshold = -2; /* use driver default: 2347 */
241 conf->fragm_threshold = -2; /* user driver default: 2346 */
242 /* Set to invalid value means do not add Power Constraint IE */
243 conf->local_pwr_constraint = -1;
244
245 conf->wmm_ac_params[0] = ac_be;
246 conf->wmm_ac_params[1] = ac_bk;
247 conf->wmm_ac_params[2] = ac_vi;
248 conf->wmm_ac_params[3] = ac_vo;
249
250 conf->tx_queue[0] = txq_vo;
251 conf->tx_queue[1] = txq_vi;
252 conf->tx_queue[2] = txq_be;
253 conf->tx_queue[3] = txq_bk;
254
255 conf->ht_capab = HT_CAP_INFO_SMPS_DISABLED;
256
257 conf->ap_table_max_size = 255;
258 conf->ap_table_expiration_time = 60;
259 conf->track_sta_max_age = 180;
260
261 #ifdef CONFIG_TESTING_OPTIONS
262 conf->ignore_probe_probability = 0.0;
263 conf->ignore_auth_probability = 0.0;
264 conf->ignore_assoc_probability = 0.0;
265 conf->ignore_reassoc_probability = 0.0;
266 conf->corrupt_gtk_rekey_mic_probability = 0.0;
267 conf->ecsa_ie_only = 0;
268 #endif /* CONFIG_TESTING_OPTIONS */
269
270 conf->acs = 0;
271 conf->acs_ch_list.num = 0;
272 #ifdef CONFIG_ACS
273 conf->acs_num_scans = 5;
274 #endif /* CONFIG_ACS */
275
276 #ifdef CONFIG_IEEE80211AX
277 conf->he_op.he_rts_threshold = HE_OPERATION_RTS_THRESHOLD_MASK >>
278 HE_OPERATION_RTS_THRESHOLD_OFFSET;
279 /* Set default basic MCS/NSS set to single stream MCS 0-7 */
280 conf->he_op.he_basic_mcs_nss_set = 0xfffc;
281 conf->he_op.he_bss_color_disabled = 1;
282 conf->he_op.he_bss_color_partial = 0;
283 conf->he_op.he_bss_color = os_random() % 63 + 1;
284 conf->he_op.he_twt_responder = 1;
285 conf->he_6ghz_max_mpdu = 2;
286 conf->he_6ghz_max_ampdu_len_exp = 7;
287 conf->he_6ghz_rx_ant_pat = 1;
288 conf->he_6ghz_tx_ant_pat = 1;
289 conf->he_6ghz_reg_pwr_type = HE_REG_INFO_6GHZ_AP_TYPE_VLP;
290 conf->reg_def_cli_eirp_psd = -1;
291 conf->reg_sub_cli_eirp_psd = -1;
292 conf->reg_def_cli_eirp = -1;
293 #endif /* CONFIG_IEEE80211AX */
294
295 /* The third octet of the country string uses an ASCII space character
296 * by default to indicate that the regulations encompass all
297 * environments for the current frequency band in the country. */
298 conf->country[2] = ' ';
299
300 conf->rssi_reject_assoc_rssi = 0;
301 conf->rssi_reject_assoc_timeout = 30;
302
303 #ifdef CONFIG_AIRTIME_POLICY
304 conf->airtime_update_interval = AIRTIME_DEFAULT_UPDATE_INTERVAL;
305 #endif /* CONFIG_AIRTIME_POLICY */
306
307 hostapd_set_and_check_bw320_offset(conf, 0);
308
309 return conf;
310 }
311
312
hostapd_mac_comp(const void * a,const void * b)313 int hostapd_mac_comp(const void *a, const void *b)
314 {
315 return os_memcmp(a, b, sizeof(macaddr));
316 }
317
318
hostapd_config_read_wpa_psk(const char * fname,struct hostapd_ssid * ssid)319 static int hostapd_config_read_wpa_psk(const char *fname,
320 struct hostapd_ssid *ssid)
321 {
322 FILE *f;
323 char buf[128], *pos;
324 const char *keyid;
325 char *context;
326 char *context2;
327 char *token;
328 char *name;
329 char *value;
330 int line = 0, ret = 0, len, ok;
331 u8 addr[ETH_ALEN];
332 struct hostapd_wpa_psk *psk;
333
334 if (!fname)
335 return 0;
336
337 f = fopen(fname, "r");
338 if (!f) {
339 wpa_printf(MSG_ERROR, "WPA PSK file '%s' not found.", fname);
340 return -1;
341 }
342
343 while (fgets(buf, sizeof(buf), f)) {
344 int vlan_id = 0;
345 int wps = 0;
346
347 line++;
348
349 if (buf[0] == '#')
350 continue;
351 pos = buf;
352 while (*pos != '\0') {
353 if (*pos == '\n') {
354 *pos = '\0';
355 break;
356 }
357 pos++;
358 }
359 if (buf[0] == '\0')
360 continue;
361
362 context = NULL;
363 keyid = NULL;
364 while ((token = str_token(buf, " ", &context))) {
365 if (!os_strchr(token, '='))
366 break;
367 context2 = NULL;
368 name = str_token(token, "=", &context2);
369 if (!name)
370 break;
371 value = str_token(token, "", &context2);
372 if (!value)
373 value = "";
374 if (!os_strcmp(name, "keyid")) {
375 keyid = value;
376 } else if (!os_strcmp(name, "wps")) {
377 wps = atoi(value);
378 } else if (!os_strcmp(name, "vlanid")) {
379 vlan_id = atoi(value);
380 } else {
381 wpa_printf(MSG_ERROR,
382 "Unrecognized '%s=%s' on line %d in '%s'",
383 name, value, line, fname);
384 ret = -1;
385 break;
386 }
387 }
388
389 if (ret == -1)
390 break;
391
392 if (!token)
393 token = "";
394 if (hwaddr_aton(token, addr)) {
395 wpa_printf(MSG_ERROR,
396 "Invalid MAC address '%s' on line %d in '%s'",
397 token, line, fname);
398 ret = -1;
399 break;
400 }
401
402 psk = os_zalloc(sizeof(*psk));
403 if (psk == NULL) {
404 wpa_printf(MSG_ERROR, "WPA PSK allocation failed");
405 ret = -1;
406 break;
407 }
408 psk->vlan_id = vlan_id;
409 if (is_zero_ether_addr(addr))
410 psk->group = 1;
411 else
412 os_memcpy(psk->addr, addr, ETH_ALEN);
413
414 pos = str_token(buf, "", &context);
415 if (!pos) {
416 wpa_printf(MSG_ERROR, "No PSK on line %d in '%s'",
417 line, fname);
418 os_free(psk);
419 ret = -1;
420 break;
421 }
422
423 ok = 0;
424 len = os_strlen(pos);
425 if (len == 2 * PMK_LEN &&
426 hexstr2bin(pos, psk->psk, PMK_LEN) == 0)
427 ok = 1;
428 else if (len >= 8 && len < 64 &&
429 pbkdf2_sha1(pos, ssid->ssid, ssid->ssid_len,
430 4096, psk->psk, PMK_LEN) == 0)
431 ok = 1;
432 if (!ok) {
433 wpa_printf(MSG_ERROR,
434 "Invalid PSK '%s' on line %d in '%s'",
435 pos, line, fname);
436 os_free(psk);
437 ret = -1;
438 break;
439 }
440
441 if (keyid) {
442 len = os_strlcpy(psk->keyid, keyid, sizeof(psk->keyid));
443 if ((size_t) len >= sizeof(psk->keyid)) {
444 wpa_printf(MSG_ERROR,
445 "PSK keyid too long on line %d in '%s'",
446 line, fname);
447 os_free(psk);
448 ret = -1;
449 break;
450 }
451 }
452
453 psk->wps = wps;
454
455 psk->next = ssid->wpa_psk;
456 ssid->wpa_psk = psk;
457 }
458
459 fclose(f);
460
461 return ret;
462 }
463
464
hostapd_derive_psk(struct hostapd_ssid * ssid)465 static int hostapd_derive_psk(struct hostapd_ssid *ssid)
466 {
467 ssid->wpa_psk = os_zalloc(sizeof(struct hostapd_wpa_psk));
468 if (ssid->wpa_psk == NULL) {
469 wpa_printf(MSG_ERROR, "Unable to alloc space for PSK");
470 return -1;
471 }
472 wpa_hexdump_ascii(MSG_DEBUG, "SSID",
473 (u8 *) ssid->ssid, ssid->ssid_len);
474 wpa_hexdump_ascii_key(MSG_DEBUG, "PSK (ASCII passphrase)",
475 (u8 *) ssid->wpa_passphrase,
476 os_strlen(ssid->wpa_passphrase));
477 if (pbkdf2_sha1(ssid->wpa_passphrase,
478 ssid->ssid, ssid->ssid_len,
479 4096, ssid->wpa_psk->psk, PMK_LEN) != 0) {
480 wpa_printf(MSG_ERROR, "Error in pbkdf2_sha1()");
481 return -1;
482 }
483 wpa_hexdump_key(MSG_DEBUG, "PSK (from passphrase)",
484 ssid->wpa_psk->psk, PMK_LEN);
485 return 0;
486 }
487
488
hostapd_setup_sae_pt(struct hostapd_bss_config * conf)489 int hostapd_setup_sae_pt(struct hostapd_bss_config *conf)
490 {
491 #ifdef CONFIG_SAE
492 struct hostapd_ssid *ssid = &conf->ssid;
493 struct sae_password_entry *pw;
494
495 if ((conf->sae_pwe == SAE_PWE_HUNT_AND_PECK &&
496 !hostapd_sae_pw_id_in_use(conf) &&
497 !wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt) &&
498 !hostapd_sae_pk_in_use(conf)) ||
499 conf->sae_pwe == SAE_PWE_FORCE_HUNT_AND_PECK ||
500 !wpa_key_mgmt_sae(conf->wpa_key_mgmt))
501 return 0; /* PT not needed */
502
503 sae_deinit_pt(ssid->pt);
504 ssid->pt = NULL;
505 if (ssid->wpa_passphrase) {
506 ssid->pt = sae_derive_pt(conf->sae_groups, ssid->ssid,
507 ssid->ssid_len,
508 (const u8 *) ssid->wpa_passphrase,
509 os_strlen(ssid->wpa_passphrase),
510 NULL);
511 if (!ssid->pt)
512 return -1;
513 }
514
515 for (pw = conf->sae_passwords; pw; pw = pw->next) {
516 sae_deinit_pt(pw->pt);
517 pw->pt = sae_derive_pt(conf->sae_groups, ssid->ssid,
518 ssid->ssid_len,
519 (const u8 *) pw->password,
520 os_strlen(pw->password),
521 pw->identifier);
522 if (!pw->pt)
523 return -1;
524 }
525 #endif /* CONFIG_SAE */
526
527 return 0;
528 }
529
530
hostapd_setup_wpa_psk(struct hostapd_bss_config * conf)531 int hostapd_setup_wpa_psk(struct hostapd_bss_config *conf)
532 {
533 struct hostapd_ssid *ssid = &conf->ssid;
534
535 if (hostapd_setup_sae_pt(conf) < 0)
536 return -1;
537
538 if (ssid->wpa_passphrase != NULL) {
539 if (ssid->wpa_psk != NULL) {
540 wpa_printf(MSG_DEBUG, "Using pre-configured WPA PSK "
541 "instead of passphrase");
542 } else {
543 wpa_printf(MSG_DEBUG, "Deriving WPA PSK based on "
544 "passphrase");
545 if (hostapd_derive_psk(ssid) < 0)
546 return -1;
547 }
548 ssid->wpa_psk->group = 1;
549 }
550
551 return hostapd_config_read_wpa_psk(ssid->wpa_psk_file, &conf->ssid);
552 }
553
554
hostapd_config_free_radius(struct hostapd_radius_server * servers,int num_servers)555 static void hostapd_config_free_radius(struct hostapd_radius_server *servers,
556 int num_servers)
557 {
558 int i;
559
560 for (i = 0; i < num_servers; i++) {
561 os_free(servers[i].shared_secret);
562 os_free(servers[i].ca_cert);
563 os_free(servers[i].client_cert);
564 os_free(servers[i].private_key);
565 os_free(servers[i].private_key_passwd);
566 }
567 os_free(servers);
568 }
569
570
571 struct hostapd_radius_attr *
hostapd_config_get_radius_attr(struct hostapd_radius_attr * attr,u8 type)572 hostapd_config_get_radius_attr(struct hostapd_radius_attr *attr, u8 type)
573 {
574 for (; attr; attr = attr->next) {
575 if (attr->type == type)
576 return attr;
577 }
578 return NULL;
579 }
580
581
hostapd_parse_radius_attr(const char * value)582 struct hostapd_radius_attr * hostapd_parse_radius_attr(const char *value)
583 {
584 const char *pos;
585 char syntax;
586 struct hostapd_radius_attr *attr;
587 size_t len;
588
589 attr = os_zalloc(sizeof(*attr));
590 if (!attr)
591 return NULL;
592
593 attr->type = atoi(value);
594
595 pos = os_strchr(value, ':');
596 if (!pos) {
597 attr->val = wpabuf_alloc(1);
598 if (!attr->val) {
599 os_free(attr);
600 return NULL;
601 }
602 wpabuf_put_u8(attr->val, 0);
603 return attr;
604 }
605
606 pos++;
607 if (pos[0] == '\0' || pos[1] != ':') {
608 os_free(attr);
609 return NULL;
610 }
611 syntax = *pos++;
612 pos++;
613
614 switch (syntax) {
615 case 's':
616 attr->val = wpabuf_alloc_copy(pos, os_strlen(pos));
617 break;
618 case 'x':
619 len = os_strlen(pos);
620 if (len & 1)
621 break;
622 len /= 2;
623 attr->val = wpabuf_alloc(len);
624 if (!attr->val)
625 break;
626 if (hexstr2bin(pos, wpabuf_put(attr->val, len), len) < 0) {
627 wpabuf_free(attr->val);
628 os_free(attr);
629 return NULL;
630 }
631 break;
632 case 'd':
633 attr->val = wpabuf_alloc(4);
634 if (attr->val)
635 wpabuf_put_be32(attr->val, atoi(pos));
636 break;
637 default:
638 os_free(attr);
639 return NULL;
640 }
641
642 if (!attr->val) {
643 os_free(attr);
644 return NULL;
645 }
646
647 return attr;
648 }
649
650
hostapd_config_free_radius_attr(struct hostapd_radius_attr * attr)651 void hostapd_config_free_radius_attr(struct hostapd_radius_attr *attr)
652 {
653 struct hostapd_radius_attr *prev;
654
655 while (attr) {
656 prev = attr;
657 attr = attr->next;
658 wpabuf_free(prev->val);
659 os_free(prev);
660 }
661 }
662
663
hostapd_config_free_eap_user(struct hostapd_eap_user * user)664 void hostapd_config_free_eap_user(struct hostapd_eap_user *user)
665 {
666 hostapd_config_free_radius_attr(user->accept_attr);
667 os_free(user->identity);
668 bin_clear_free(user->password, user->password_len);
669 bin_clear_free(user->salt, user->salt_len);
670 os_free(user);
671 }
672
673
hostapd_config_free_eap_users(struct hostapd_eap_user * user)674 void hostapd_config_free_eap_users(struct hostapd_eap_user *user)
675 {
676 struct hostapd_eap_user *prev_user;
677
678 while (user) {
679 prev_user = user;
680 user = user->next;
681 hostapd_config_free_eap_user(prev_user);
682 }
683 }
684
685
686 #ifdef CONFIG_WEP
hostapd_config_free_wep(struct hostapd_wep_keys * keys)687 static void hostapd_config_free_wep(struct hostapd_wep_keys *keys)
688 {
689 int i;
690 for (i = 0; i < NUM_WEP_KEYS; i++) {
691 bin_clear_free(keys->key[i], keys->len[i]);
692 keys->key[i] = NULL;
693 }
694 }
695 #endif /* CONFIG_WEP */
696
697
hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk ** l)698 void hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk **l)
699 {
700 struct hostapd_wpa_psk *psk, *tmp;
701
702 for (psk = *l; psk;) {
703 tmp = psk;
704 psk = psk->next;
705 bin_clear_free(tmp, sizeof(*tmp));
706 }
707 *l = NULL;
708 }
709
710
711 #ifdef CONFIG_IEEE80211R_AP
712
hostapd_config_clear_rxkhs(struct hostapd_bss_config * conf)713 void hostapd_config_clear_rxkhs(struct hostapd_bss_config *conf)
714 {
715 struct ft_remote_r0kh *r0kh, *r0kh_prev;
716 struct ft_remote_r1kh *r1kh, *r1kh_prev;
717
718 r0kh = conf->r0kh_list;
719 conf->r0kh_list = NULL;
720 while (r0kh) {
721 r0kh_prev = r0kh;
722 r0kh = r0kh->next;
723 os_free(r0kh_prev);
724 }
725
726 r1kh = conf->r1kh_list;
727 conf->r1kh_list = NULL;
728 while (r1kh) {
729 r1kh_prev = r1kh;
730 r1kh = r1kh->next;
731 os_free(r1kh_prev);
732 }
733 }
734
735 #endif /* CONFIG_IEEE80211R_AP */
736
737
hostapd_config_free_anqp_elem(struct hostapd_bss_config * conf)738 static void hostapd_config_free_anqp_elem(struct hostapd_bss_config *conf)
739 {
740 struct anqp_element *elem;
741
742 while ((elem = dl_list_first(&conf->anqp_elem, struct anqp_element,
743 list))) {
744 dl_list_del(&elem->list);
745 wpabuf_free(elem->payload);
746 os_free(elem);
747 }
748 }
749
750
hostapd_config_free_fils_realms(struct hostapd_bss_config * conf)751 static void hostapd_config_free_fils_realms(struct hostapd_bss_config *conf)
752 {
753 #ifdef CONFIG_FILS
754 struct fils_realm *realm;
755
756 while ((realm = dl_list_first(&conf->fils_realms, struct fils_realm,
757 list))) {
758 dl_list_del(&realm->list);
759 os_free(realm);
760 }
761 #endif /* CONFIG_FILS */
762 }
763
764
hostapd_config_free_sae_passwords(struct hostapd_bss_config * conf)765 static void hostapd_config_free_sae_passwords(struct hostapd_bss_config *conf)
766 {
767 struct sae_password_entry *pw, *tmp;
768
769 pw = conf->sae_passwords;
770 conf->sae_passwords = NULL;
771 while (pw) {
772 tmp = pw;
773 pw = pw->next;
774 str_clear_free(tmp->password);
775 os_free(tmp->identifier);
776 #ifdef CONFIG_SAE
777 sae_deinit_pt(tmp->pt);
778 #endif /* CONFIG_SAE */
779 #ifdef CONFIG_SAE_PK
780 sae_deinit_pk(tmp->pk);
781 #endif /* CONFIG_SAE_PK */
782 os_free(tmp);
783 }
784 }
785
786
787 #ifdef CONFIG_DPP2
hostapd_dpp_controller_conf_free(struct dpp_controller_conf * conf)788 static void hostapd_dpp_controller_conf_free(struct dpp_controller_conf *conf)
789 {
790 struct dpp_controller_conf *prev;
791
792 while (conf) {
793 prev = conf;
794 conf = conf->next;
795 os_free(prev);
796 }
797 }
798 #endif /* CONFIG_DPP2 */
799
800
hostapd_config_free_bss(struct hostapd_bss_config * conf)801 void hostapd_config_free_bss(struct hostapd_bss_config *conf)
802 {
803 #if defined(CONFIG_WPS) || defined(CONFIG_HS20)
804 size_t i;
805 #endif
806
807 if (conf == NULL)
808 return;
809
810 hostapd_config_clear_wpa_psk(&conf->ssid.wpa_psk);
811
812 str_clear_free(conf->ssid.wpa_passphrase);
813 os_free(conf->ssid.wpa_psk_file);
814 #ifdef CONFIG_WEP
815 hostapd_config_free_wep(&conf->ssid.wep);
816 #endif /* CONFIG_WEP */
817 #ifdef CONFIG_FULL_DYNAMIC_VLAN
818 os_free(conf->ssid.vlan_tagged_interface);
819 #endif /* CONFIG_FULL_DYNAMIC_VLAN */
820 #ifdef CONFIG_SAE
821 sae_deinit_pt(conf->ssid.pt);
822 #endif /* CONFIG_SAE */
823
824 hostapd_config_free_eap_users(conf->eap_user);
825 os_free(conf->eap_user_sqlite);
826
827 os_free(conf->eap_req_id_text);
828 os_free(conf->erp_domain);
829 os_free(conf->accept_mac);
830 os_free(conf->deny_mac);
831 os_free(conf->nas_identifier);
832 if (conf->radius) {
833 hostapd_config_free_radius(conf->radius->auth_servers,
834 conf->radius->num_auth_servers);
835 hostapd_config_free_radius(conf->radius->acct_servers,
836 conf->radius->num_acct_servers);
837 os_free(conf->radius->force_client_dev);
838 }
839 hostapd_config_free_radius_attr(conf->radius_auth_req_attr);
840 hostapd_config_free_radius_attr(conf->radius_acct_req_attr);
841 os_free(conf->radius_req_attr_sqlite);
842 os_free(conf->rsn_preauth_interfaces);
843 os_free(conf->ctrl_interface);
844 os_free(conf->config_id);
845 os_free(conf->ca_cert);
846 os_free(conf->server_cert);
847 os_free(conf->server_cert2);
848 os_free(conf->private_key);
849 os_free(conf->private_key2);
850 os_free(conf->private_key_passwd);
851 os_free(conf->private_key_passwd2);
852 os_free(conf->check_cert_subject);
853 os_free(conf->ocsp_stapling_response);
854 os_free(conf->ocsp_stapling_response_multi);
855 os_free(conf->dh_file);
856 os_free(conf->openssl_ciphers);
857 os_free(conf->openssl_ecdh_curves);
858 os_free(conf->pac_opaque_encr_key);
859 os_free(conf->eap_fast_a_id);
860 os_free(conf->eap_fast_a_id_info);
861 os_free(conf->eap_sim_db);
862 os_free(conf->imsi_privacy_key);
863 os_free(conf->radius_server_clients);
864 os_free(conf->radius);
865 os_free(conf->radius_das_shared_secret);
866 hostapd_config_free_vlan(conf);
867 os_free(conf->time_zone);
868
869 #ifdef CONFIG_IEEE80211R_AP
870 hostapd_config_clear_rxkhs(conf);
871 os_free(conf->rxkh_file);
872 conf->rxkh_file = NULL;
873 #endif /* CONFIG_IEEE80211R_AP */
874
875 #ifdef CONFIG_WPS
876 os_free(conf->wps_pin_requests);
877 os_free(conf->device_name);
878 os_free(conf->manufacturer);
879 os_free(conf->model_name);
880 os_free(conf->model_number);
881 os_free(conf->serial_number);
882 os_free(conf->config_methods);
883 os_free(conf->ap_pin);
884 os_free(conf->extra_cred);
885 os_free(conf->ap_settings);
886 hostapd_config_clear_wpa_psk(&conf->multi_ap_backhaul_ssid.wpa_psk);
887 str_clear_free(conf->multi_ap_backhaul_ssid.wpa_passphrase);
888 os_free(conf->upnp_iface);
889 os_free(conf->friendly_name);
890 os_free(conf->manufacturer_url);
891 os_free(conf->model_description);
892 os_free(conf->model_url);
893 os_free(conf->upc);
894 for (i = 0; i < MAX_WPS_VENDOR_EXTENSIONS; i++)
895 wpabuf_free(conf->wps_vendor_ext[i]);
896 wpabuf_free(conf->wps_application_ext);
897 wpabuf_free(conf->wps_nfc_dh_pubkey);
898 wpabuf_free(conf->wps_nfc_dh_privkey);
899 wpabuf_free(conf->wps_nfc_dev_pw);
900 #endif /* CONFIG_WPS */
901
902 os_free(conf->roaming_consortium);
903 os_free(conf->venue_name);
904 os_free(conf->venue_url);
905 os_free(conf->nai_realm_data);
906 os_free(conf->network_auth_type);
907 os_free(conf->anqp_3gpp_cell_net);
908 os_free(conf->domain_name);
909 hostapd_config_free_anqp_elem(conf);
910
911 #ifdef CONFIG_RADIUS_TEST
912 os_free(conf->dump_msk_file);
913 #endif /* CONFIG_RADIUS_TEST */
914
915 #ifdef CONFIG_HS20
916 os_free(conf->hs20_oper_friendly_name);
917 os_free(conf->hs20_wan_metrics);
918 os_free(conf->hs20_connection_capability);
919 os_free(conf->hs20_operating_class);
920 os_free(conf->hs20_icons);
921 if (conf->hs20_osu_providers) {
922 for (i = 0; i < conf->hs20_osu_providers_count; i++) {
923 struct hs20_osu_provider *p;
924 size_t j;
925 p = &conf->hs20_osu_providers[i];
926 os_free(p->friendly_name);
927 os_free(p->server_uri);
928 os_free(p->method_list);
929 for (j = 0; j < p->icons_count; j++)
930 os_free(p->icons[j]);
931 os_free(p->icons);
932 os_free(p->osu_nai);
933 os_free(p->osu_nai2);
934 os_free(p->service_desc);
935 }
936 os_free(conf->hs20_osu_providers);
937 }
938 if (conf->hs20_operator_icon) {
939 for (i = 0; i < conf->hs20_operator_icon_count; i++)
940 os_free(conf->hs20_operator_icon[i]);
941 os_free(conf->hs20_operator_icon);
942 }
943 os_free(conf->subscr_remediation_url);
944 os_free(conf->hs20_sim_provisioning_url);
945 os_free(conf->t_c_filename);
946 os_free(conf->t_c_server_url);
947 #endif /* CONFIG_HS20 */
948
949 wpabuf_free(conf->vendor_elements);
950 wpabuf_free(conf->assocresp_elements);
951
952 os_free(conf->sae_groups);
953 #ifdef CONFIG_OWE
954 os_free(conf->owe_groups);
955 #endif /* CONFIG_OWE */
956
957 os_free(conf->wowlan_triggers);
958
959 os_free(conf->server_id);
960
961 #ifdef CONFIG_TESTING_OPTIONS
962 wpabuf_free(conf->own_ie_override);
963 wpabuf_free(conf->sae_commit_override);
964 wpabuf_free(conf->rsne_override_eapol);
965 wpabuf_free(conf->rsnxe_override_eapol);
966 wpabuf_free(conf->rsne_override_ft);
967 wpabuf_free(conf->rsnxe_override_ft);
968 wpabuf_free(conf->gtk_rsc_override);
969 wpabuf_free(conf->igtk_rsc_override);
970 wpabuf_free(conf->eapol_m1_elements);
971 wpabuf_free(conf->eapol_m3_elements);
972 wpabuf_free(conf->presp_elements);
973 #endif /* CONFIG_TESTING_OPTIONS */
974
975 os_free(conf->no_probe_resp_if_seen_on);
976 os_free(conf->no_auth_if_seen_on);
977
978 hostapd_config_free_fils_realms(conf);
979
980 #ifdef CONFIG_DPP
981 os_free(conf->dpp_name);
982 os_free(conf->dpp_mud_url);
983 os_free(conf->dpp_extra_conf_req_name);
984 os_free(conf->dpp_extra_conf_req_value);
985 os_free(conf->dpp_connector);
986 wpabuf_free(conf->dpp_netaccesskey);
987 wpabuf_free(conf->dpp_csign);
988 #ifdef CONFIG_DPP2
989 hostapd_dpp_controller_conf_free(conf->dpp_controller);
990 #endif /* CONFIG_DPP2 */
991 #endif /* CONFIG_DPP */
992
993 hostapd_config_free_sae_passwords(conf);
994
995 #ifdef CONFIG_AIRTIME_POLICY
996 {
997 struct airtime_sta_weight *wt, *wt_prev;
998
999 wt = conf->airtime_weight_list;
1000 conf->airtime_weight_list = NULL;
1001 while (wt) {
1002 wt_prev = wt;
1003 wt = wt->next;
1004 os_free(wt_prev);
1005 }
1006 }
1007 #endif /* CONFIG_AIRTIME_POLICY */
1008
1009 #ifdef CONFIG_PASN
1010 os_free(conf->pasn_groups);
1011 #endif /* CONFIG_PASN */
1012
1013 os_free(conf);
1014 }
1015
1016
1017 /**
1018 * hostapd_config_free - Free hostapd configuration
1019 * @conf: Configuration data from hostapd_config_read().
1020 */
hostapd_config_free(struct hostapd_config * conf)1021 void hostapd_config_free(struct hostapd_config *conf)
1022 {
1023 size_t i;
1024
1025 if (conf == NULL)
1026 return;
1027
1028 for (i = 0; i < conf->num_bss; i++)
1029 hostapd_config_free_bss(conf->bss[i]);
1030 os_free(conf->bss);
1031 os_free(conf->supported_rates);
1032 os_free(conf->basic_rates);
1033 os_free(conf->acs_ch_list.range);
1034 os_free(conf->acs_freq_list.range);
1035 os_free(conf->driver_params);
1036 #ifdef CONFIG_ACS
1037 os_free(conf->acs_chan_bias);
1038 #endif /* CONFIG_ACS */
1039 wpabuf_free(conf->lci);
1040 wpabuf_free(conf->civic);
1041
1042 os_free(conf);
1043 }
1044
1045
1046 /**
1047 * hostapd_maclist_found - Find a MAC address from a list
1048 * @list: MAC address list
1049 * @num_entries: Number of addresses in the list
1050 * @addr: Address to search for
1051 * @vlan_id: Buffer for returning VLAN ID or %NULL if not needed
1052 * Returns: 1 if address is in the list or 0 if not.
1053 *
1054 * Perform a binary search for given MAC address from a pre-sorted list.
1055 */
hostapd_maclist_found(struct mac_acl_entry * list,int num_entries,const u8 * addr,struct vlan_description * vlan_id)1056 int hostapd_maclist_found(struct mac_acl_entry *list, int num_entries,
1057 const u8 *addr, struct vlan_description *vlan_id)
1058 {
1059 int start, end, middle, res;
1060
1061 start = 0;
1062 end = num_entries - 1;
1063
1064 while (start <= end) {
1065 middle = (start + end) / 2;
1066 res = os_memcmp(list[middle].addr, addr, ETH_ALEN);
1067 if (res == 0) {
1068 if (vlan_id)
1069 *vlan_id = list[middle].vlan_id;
1070 return 1;
1071 }
1072 if (res < 0)
1073 start = middle + 1;
1074 else
1075 end = middle - 1;
1076 }
1077
1078 return 0;
1079 }
1080
1081
hostapd_rate_found(int * list,int rate)1082 int hostapd_rate_found(int *list, int rate)
1083 {
1084 int i;
1085
1086 if (list == NULL)
1087 return 0;
1088
1089 for (i = 0; list[i] >= 0; i++)
1090 if (list[i] == rate)
1091 return 1;
1092
1093 return 0;
1094 }
1095
1096
hostapd_vlan_valid(struct hostapd_vlan * vlan,struct vlan_description * vlan_desc)1097 int hostapd_vlan_valid(struct hostapd_vlan *vlan,
1098 struct vlan_description *vlan_desc)
1099 {
1100 struct hostapd_vlan *v = vlan;
1101 int i;
1102
1103 if (!vlan_desc->notempty || vlan_desc->untagged < 0 ||
1104 vlan_desc->untagged > MAX_VLAN_ID)
1105 return 0;
1106 for (i = 0; i < MAX_NUM_TAGGED_VLAN; i++) {
1107 if (vlan_desc->tagged[i] < 0 ||
1108 vlan_desc->tagged[i] > MAX_VLAN_ID)
1109 return 0;
1110 }
1111 if (!vlan_desc->untagged && !vlan_desc->tagged[0])
1112 return 0;
1113
1114 while (v) {
1115 if (!vlan_compare(&v->vlan_desc, vlan_desc) ||
1116 v->vlan_id == VLAN_ID_WILDCARD)
1117 return 1;
1118 v = v->next;
1119 }
1120 return 0;
1121 }
1122
1123
hostapd_get_vlan_id_ifname(struct hostapd_vlan * vlan,int vlan_id)1124 const char * hostapd_get_vlan_id_ifname(struct hostapd_vlan *vlan, int vlan_id)
1125 {
1126 struct hostapd_vlan *v = vlan;
1127 while (v) {
1128 if (v->vlan_id == vlan_id)
1129 return v->ifname;
1130 v = v->next;
1131 }
1132 return NULL;
1133 }
1134
1135
hostapd_get_psk(const struct hostapd_bss_config * conf,const u8 * addr,const u8 * p2p_dev_addr,const u8 * prev_psk,int * vlan_id)1136 const u8 * hostapd_get_psk(const struct hostapd_bss_config *conf,
1137 const u8 *addr, const u8 *p2p_dev_addr,
1138 const u8 *prev_psk, int *vlan_id)
1139 {
1140 struct hostapd_wpa_psk *psk;
1141 int next_ok = prev_psk == NULL;
1142
1143 if (vlan_id)
1144 *vlan_id = 0;
1145
1146 if (p2p_dev_addr && !is_zero_ether_addr(p2p_dev_addr)) {
1147 wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR
1148 " p2p_dev_addr=" MACSTR " prev_psk=%p",
1149 MAC2STR(addr), MAC2STR(p2p_dev_addr), prev_psk);
1150 addr = NULL; /* Use P2P Device Address for matching */
1151 } else {
1152 wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR
1153 " prev_psk=%p",
1154 MAC2STR(addr), prev_psk);
1155 }
1156
1157 for (psk = conf->ssid.wpa_psk; psk != NULL; psk = psk->next) {
1158 if (next_ok &&
1159 (psk->group ||
1160 (addr && ether_addr_equal(psk->addr, addr)) ||
1161 (!addr && p2p_dev_addr &&
1162 ether_addr_equal(psk->p2p_dev_addr, p2p_dev_addr)))) {
1163 if (vlan_id)
1164 *vlan_id = psk->vlan_id;
1165 return psk->psk;
1166 }
1167
1168 if (psk->psk == prev_psk)
1169 next_ok = 1;
1170 }
1171
1172 return NULL;
1173 }
1174
1175
1176 #ifdef CONFIG_SAE_PK
hostapd_sae_pk_password_without_pk(struct hostapd_bss_config * bss)1177 static bool hostapd_sae_pk_password_without_pk(struct hostapd_bss_config *bss)
1178 {
1179 struct sae_password_entry *pw;
1180 bool res = false;
1181
1182 if (bss->ssid.wpa_passphrase &&
1183 #ifdef CONFIG_TESTING_OPTIONS
1184 !bss->sae_pk_password_check_skip &&
1185 #endif /* CONFIG_TESTING_OPTIONS */
1186 sae_pk_valid_password(bss->ssid.wpa_passphrase))
1187 res = true;
1188
1189 for (pw = bss->sae_passwords; pw; pw = pw->next) {
1190 if (!pw->pk &&
1191 #ifdef CONFIG_TESTING_OPTIONS
1192 !bss->sae_pk_password_check_skip &&
1193 #endif /* CONFIG_TESTING_OPTIONS */
1194 sae_pk_valid_password(pw->password))
1195 return true;
1196
1197 if (bss->ssid.wpa_passphrase && res && pw->pk &&
1198 os_strcmp(bss->ssid.wpa_passphrase, pw->password) == 0)
1199 res = false;
1200 }
1201
1202 return res;
1203 }
1204 #endif /* CONFIG_SAE_PK */
1205
1206
hostapd_config_check_bss_6g(struct hostapd_bss_config * bss)1207 static bool hostapd_config_check_bss_6g(struct hostapd_bss_config *bss)
1208 {
1209 if (bss->wpa != WPA_PROTO_RSN) {
1210 wpa_printf(MSG_ERROR,
1211 "Pre-RSNA security methods are not allowed in 6 GHz");
1212 return false;
1213 }
1214
1215 if (bss->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED) {
1216 wpa_printf(MSG_ERROR,
1217 "Management frame protection is required in 6 GHz");
1218 return false;
1219 }
1220
1221 if (bss->wpa_key_mgmt & (WPA_KEY_MGMT_PSK |
1222 WPA_KEY_MGMT_FT_PSK |
1223 WPA_KEY_MGMT_PSK_SHA256)) {
1224 wpa_printf(MSG_ERROR, "Invalid AKM suite for 6 GHz");
1225 return false;
1226 }
1227
1228 if (bss->rsn_pairwise & (WPA_CIPHER_WEP40 |
1229 WPA_CIPHER_WEP104 |
1230 WPA_CIPHER_TKIP)) {
1231 wpa_printf(MSG_ERROR,
1232 "Invalid pairwise cipher suite for 6 GHz");
1233 return false;
1234 }
1235
1236 if (bss->wpa_group & (WPA_CIPHER_WEP40 |
1237 WPA_CIPHER_WEP104 |
1238 WPA_CIPHER_TKIP)) {
1239 wpa_printf(MSG_ERROR, "Invalid group cipher suite for 6 GHz");
1240 return false;
1241 }
1242
1243 #ifdef CONFIG_SAE
1244 if (wpa_key_mgmt_sae(bss->wpa_key_mgmt) &&
1245 bss->sae_pwe == SAE_PWE_HUNT_AND_PECK) {
1246 wpa_printf(MSG_INFO, "SAE: Enabling SAE H2E on 6 GHz");
1247 bss->sae_pwe = SAE_PWE_BOTH;
1248 }
1249 #endif /* CONFIG_SAE */
1250
1251 return true;
1252 }
1253
1254
hostapd_config_check_bss(struct hostapd_bss_config * bss,struct hostapd_config * conf,int full_config)1255 static int hostapd_config_check_bss(struct hostapd_bss_config *bss,
1256 struct hostapd_config *conf,
1257 int full_config)
1258 {
1259 if (full_config && is_6ghz_op_class(conf->op_class) &&
1260 !hostapd_config_check_bss_6g(bss))
1261 return -1;
1262
1263 if (full_config && bss->ieee802_1x && !bss->eap_server &&
1264 !bss->radius->auth_servers) {
1265 wpa_printf(MSG_ERROR, "Invalid IEEE 802.1X configuration (no "
1266 "EAP authenticator configured).");
1267 return -1;
1268 }
1269
1270 #ifdef CONFIG_WEP
1271 if (bss->wpa) {
1272 int wep, i;
1273
1274 wep = bss->default_wep_key_len > 0 ||
1275 bss->individual_wep_key_len > 0;
1276 for (i = 0; i < NUM_WEP_KEYS; i++) {
1277 if (bss->ssid.wep.keys_set) {
1278 wep = 1;
1279 break;
1280 }
1281 }
1282
1283 if (wep) {
1284 wpa_printf(MSG_ERROR, "WEP configuration in a WPA network is not supported");
1285 return -1;
1286 }
1287 }
1288 #endif /* CONFIG_WEP */
1289
1290 if (full_config && bss->wpa &&
1291 bss->wpa_psk_radius != PSK_RADIUS_IGNORED &&
1292 bss->wpa_psk_radius != PSK_RADIUS_DURING_4WAY_HS &&
1293 bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH) {
1294 wpa_printf(MSG_ERROR, "WPA-PSK using RADIUS enabled, but no "
1295 "RADIUS checking (macaddr_acl=2) enabled.");
1296 return -1;
1297 }
1298
1299 if (full_config && bss->wpa &&
1300 wpa_key_mgmt_wpa_psk_no_sae(bss->wpa_key_mgmt) &&
1301 bss->ssid.wpa_psk == NULL && bss->ssid.wpa_passphrase == NULL &&
1302 bss->ssid.wpa_psk_file == NULL &&
1303 bss->wpa_psk_radius != PSK_RADIUS_DURING_4WAY_HS &&
1304 (bss->wpa_psk_radius != PSK_RADIUS_REQUIRED ||
1305 bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH)) {
1306 wpa_printf(MSG_ERROR, "WPA-PSK enabled, but PSK or passphrase "
1307 "is not configured.");
1308 return -1;
1309 }
1310
1311 if (full_config && !is_zero_ether_addr(bss->bssid)) {
1312 size_t i;
1313
1314 for (i = 0; i < conf->num_bss; i++) {
1315 if (conf->bss[i] != bss &&
1316 (hostapd_mac_comp(conf->bss[i]->bssid,
1317 bss->bssid) == 0)) {
1318 wpa_printf(MSG_ERROR, "Duplicate BSSID " MACSTR
1319 " on interface '%s' and '%s'.",
1320 MAC2STR(bss->bssid),
1321 conf->bss[i]->iface, bss->iface);
1322 return -1;
1323 }
1324 }
1325 }
1326
1327 #ifdef CONFIG_IEEE80211R_AP
1328 if (full_config && wpa_key_mgmt_ft(bss->wpa_key_mgmt) &&
1329 (bss->nas_identifier == NULL ||
1330 os_strlen(bss->nas_identifier) < 1 ||
1331 os_strlen(bss->nas_identifier) > FT_R0KH_ID_MAX_LEN)) {
1332 wpa_printf(MSG_ERROR, "FT (IEEE 802.11r) requires "
1333 "nas_identifier to be configured as a 1..48 octet "
1334 "string");
1335 return -1;
1336 }
1337 #endif /* CONFIG_IEEE80211R_AP */
1338
1339 if (full_config && conf->ieee80211n &&
1340 conf->hw_mode == HOSTAPD_MODE_IEEE80211B) {
1341 bss->disable_11n = true;
1342 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) in 11b mode is not "
1343 "allowed, disabling HT capabilities");
1344 }
1345
1346 #ifdef CONFIG_WEP
1347 if (full_config && conf->ieee80211n &&
1348 bss->ssid.security_policy == SECURITY_STATIC_WEP) {
1349 bss->disable_11n = true;
1350 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WEP is not "
1351 "allowed, disabling HT capabilities");
1352 }
1353 #endif /* CONFIG_WEP */
1354
1355 if (full_config && conf->ieee80211n && bss->wpa &&
1356 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
1357 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1358 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
1359 {
1360 bss->disable_11n = true;
1361 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WPA/WPA2 "
1362 "requires CCMP/GCMP to be enabled, disabling HT "
1363 "capabilities");
1364 }
1365
1366 #ifdef CONFIG_IEEE80211AC
1367 #ifdef CONFIG_WEP
1368 if (full_config && conf->ieee80211ac &&
1369 bss->ssid.security_policy == SECURITY_STATIC_WEP) {
1370 bss->disable_11ac = true;
1371 wpa_printf(MSG_ERROR,
1372 "VHT (IEEE 802.11ac) with WEP is not allowed, disabling VHT capabilities");
1373 }
1374 #endif /* CONFIG_WEP */
1375
1376 if (full_config && conf->ieee80211ac && bss->wpa &&
1377 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
1378 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1379 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
1380 {
1381 bss->disable_11ac = true;
1382 wpa_printf(MSG_ERROR,
1383 "VHT (IEEE 802.11ac) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling VHT capabilities");
1384 }
1385 #endif /* CONFIG_IEEE80211AC */
1386
1387 #ifdef CONFIG_IEEE80211AX
1388 #ifdef CONFIG_WEP
1389 if (full_config && conf->ieee80211ax &&
1390 bss->ssid.security_policy == SECURITY_STATIC_WEP) {
1391 bss->disable_11ax = true;
1392 wpa_printf(MSG_ERROR,
1393 "HE (IEEE 802.11ax) with WEP is not allowed, disabling HE capabilities");
1394 }
1395 #endif /* CONFIG_WEP */
1396
1397 if (full_config && conf->ieee80211ax && bss->wpa &&
1398 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
1399 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1400 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
1401 {
1402 bss->disable_11ax = true;
1403 wpa_printf(MSG_ERROR,
1404 "HE (IEEE 802.11ax) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling HE capabilities");
1405 }
1406 #endif /* CONFIG_IEEE80211AX */
1407
1408 #ifdef CONFIG_WPS
1409 if (full_config && bss->wps_state && bss->ignore_broadcast_ssid) {
1410 wpa_printf(MSG_INFO, "WPS: ignore_broadcast_ssid "
1411 "configuration forced WPS to be disabled");
1412 bss->wps_state = 0;
1413 }
1414
1415 #ifdef CONFIG_WEP
1416 if (full_config && bss->wps_state &&
1417 bss->ssid.wep.keys_set && bss->wpa == 0) {
1418 wpa_printf(MSG_INFO, "WPS: WEP configuration forced WPS to be "
1419 "disabled");
1420 bss->wps_state = 0;
1421 }
1422 #endif /* CONFIG_WEP */
1423
1424 if (full_config && bss->wps_state && bss->wpa &&
1425 (!(bss->wpa & 2) ||
1426 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1427 WPA_CIPHER_CCMP_256 |
1428 WPA_CIPHER_GCMP_256)))) {
1429 wpa_printf(MSG_INFO, "WPS: WPA/TKIP configuration without "
1430 "WPA2/CCMP/GCMP forced WPS to be disabled");
1431 bss->wps_state = 0;
1432 }
1433 #endif /* CONFIG_WPS */
1434
1435 #ifdef CONFIG_HS20
1436 if (full_config && bss->hs20 &&
1437 (!(bss->wpa & 2) ||
1438 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1439 WPA_CIPHER_CCMP_256 |
1440 WPA_CIPHER_GCMP_256)))) {
1441 wpa_printf(MSG_ERROR, "HS 2.0: WPA2-Enterprise/CCMP "
1442 "configuration is required for Hotspot 2.0 "
1443 "functionality");
1444 return -1;
1445 }
1446 #endif /* CONFIG_HS20 */
1447
1448 #ifdef CONFIG_MBO
1449 if (full_config && bss->mbo_enabled && (bss->wpa & 2) &&
1450 bss->ieee80211w == NO_MGMT_FRAME_PROTECTION) {
1451 wpa_printf(MSG_ERROR,
1452 "MBO: PMF needs to be enabled whenever using WPA2 with MBO");
1453 return -1;
1454 }
1455 #endif /* CONFIG_MBO */
1456
1457 #ifdef CONFIG_OCV
1458 if (full_config && bss->ieee80211w == NO_MGMT_FRAME_PROTECTION &&
1459 bss->ocv) {
1460 wpa_printf(MSG_ERROR,
1461 "OCV: PMF needs to be enabled whenever using OCV");
1462 return -1;
1463 }
1464 #endif /* CONFIG_OCV */
1465
1466 #ifdef CONFIG_SAE_PK
1467 if (full_config && hostapd_sae_pk_in_use(bss) &&
1468 hostapd_sae_pk_password_without_pk(bss)) {
1469 wpa_printf(MSG_ERROR,
1470 "SAE-PK: SAE password uses SAE-PK style, but does not have PK configured");
1471 return -1;
1472 }
1473 #endif /* CONFIG_SAE_PK */
1474
1475 #ifdef CONFIG_FILS
1476 if (full_config && bss->fils_discovery_max_int &&
1477 (!conf->ieee80211ax || bss->disable_11ax)) {
1478 wpa_printf(MSG_ERROR,
1479 "Currently IEEE 802.11ax support is mandatory to enable FILS discovery transmission.");
1480 return -1;
1481 }
1482
1483 if (full_config && bss->fils_discovery_max_int &&
1484 bss->unsol_bcast_probe_resp_interval) {
1485 wpa_printf(MSG_ERROR,
1486 "Cannot enable both FILS discovery and unsolicited broadcast Probe Response at the same time");
1487 return -1;
1488 }
1489 #endif /* CONFIG_FILS */
1490
1491 #ifdef CONFIG_IEEE80211BE
1492 if (full_config && !bss->disable_11be && bss->disable_11ax) {
1493 bss->disable_11be = true;
1494 wpa_printf(MSG_INFO,
1495 "Disabling IEEE 802.11be as IEEE 802.11ax is disabled for this BSS");
1496 }
1497 #endif /* CONFIG_IEEE80211BE */
1498
1499 if (full_config && bss->ignore_broadcast_ssid && conf->mbssid) {
1500 wpa_printf(MSG_ERROR,
1501 "Hidden SSID is not suppored when MBSSID is enabled");
1502 return -1;
1503 }
1504
1505 return 0;
1506 }
1507
1508
hostapd_config_check_cw(struct hostapd_config * conf,int queue)1509 static int hostapd_config_check_cw(struct hostapd_config *conf, int queue)
1510 {
1511 int tx_cwmin = conf->tx_queue[queue].cwmin;
1512 int tx_cwmax = conf->tx_queue[queue].cwmax;
1513 int ac_cwmin = conf->wmm_ac_params[queue].cwmin;
1514 int ac_cwmax = conf->wmm_ac_params[queue].cwmax;
1515
1516 if (tx_cwmin > tx_cwmax) {
1517 wpa_printf(MSG_ERROR,
1518 "Invalid TX queue cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)",
1519 tx_cwmin, tx_cwmax);
1520 return -1;
1521 }
1522 if (ac_cwmin > ac_cwmax) {
1523 wpa_printf(MSG_ERROR,
1524 "Invalid WMM AC cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)",
1525 ac_cwmin, ac_cwmax);
1526 return -1;
1527 }
1528 return 0;
1529 }
1530
1531
hostapd_config_check(struct hostapd_config * conf,int full_config)1532 int hostapd_config_check(struct hostapd_config *conf, int full_config)
1533 {
1534 size_t i;
1535
1536 if (full_config && is_6ghz_op_class(conf->op_class) &&
1537 !conf->hw_mode_set) {
1538 /* Use the appropriate hw_mode value automatically when the
1539 * op_class parameter has been set, but hw_mode was not. */
1540 conf->hw_mode = HOSTAPD_MODE_IEEE80211A;
1541 }
1542
1543 if (full_config && conf->ieee80211d &&
1544 (!conf->country[0] || !conf->country[1])) {
1545 wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11d without "
1546 "setting the country_code");
1547 return -1;
1548 }
1549
1550 if (full_config && conf->ieee80211h && !conf->ieee80211d) {
1551 wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11h without "
1552 "IEEE 802.11d enabled");
1553 return -1;
1554 }
1555
1556 if (full_config && conf->local_pwr_constraint != -1 &&
1557 !conf->ieee80211d) {
1558 wpa_printf(MSG_ERROR, "Cannot add Power Constraint element without Country element");
1559 return -1;
1560 }
1561
1562 if (full_config && conf->spectrum_mgmt_required &&
1563 conf->local_pwr_constraint == -1) {
1564 wpa_printf(MSG_ERROR, "Cannot set Spectrum Management bit without Country and Power Constraint elements");
1565 return -1;
1566 }
1567
1568 #ifdef CONFIG_AIRTIME_POLICY
1569 if (full_config && conf->airtime_mode > AIRTIME_MODE_STATIC &&
1570 !conf->airtime_update_interval) {
1571 wpa_printf(MSG_ERROR, "Airtime update interval cannot be zero");
1572 return -1;
1573 }
1574 #endif /* CONFIG_AIRTIME_POLICY */
1575 for (i = 0; i < NUM_TX_QUEUES; i++) {
1576 if (hostapd_config_check_cw(conf, i))
1577 return -1;
1578 }
1579
1580 #ifdef CONFIG_IEEE80211BE
1581 if (full_config && conf->ieee80211be && !conf->ieee80211ax) {
1582 wpa_printf(MSG_ERROR,
1583 "Cannot set ieee80211be without ieee80211ax");
1584 return -1;
1585 }
1586
1587 if (full_config)
1588 hostapd_set_and_check_bw320_offset(conf,
1589 conf->eht_bw320_offset);
1590 #endif /* CONFIG_IEEE80211BE */
1591
1592 if (full_config && conf->mbssid && !conf->ieee80211ax) {
1593 wpa_printf(MSG_ERROR,
1594 "Cannot enable multiple BSSID support without ieee80211ax");
1595 return -1;
1596 }
1597
1598 for (i = 0; i < conf->num_bss; i++) {
1599 if (hostapd_config_check_bss(conf->bss[i], conf, full_config))
1600 return -1;
1601 }
1602
1603 return 0;
1604 }
1605
1606
hostapd_set_security_params(struct hostapd_bss_config * bss,int full_config)1607 void hostapd_set_security_params(struct hostapd_bss_config *bss,
1608 int full_config)
1609 {
1610 #ifdef CONFIG_WEP
1611 if (bss->individual_wep_key_len == 0) {
1612 /* individual keys are not use; can use key idx0 for
1613 * broadcast keys */
1614 bss->broadcast_key_idx_min = 0;
1615 }
1616 #endif /* CONFIG_WEP */
1617
1618 if ((bss->wpa & 2) && bss->rsn_pairwise == 0)
1619 bss->rsn_pairwise = bss->wpa_pairwise;
1620 if (bss->group_cipher)
1621 bss->wpa_group = bss->group_cipher;
1622 else
1623 bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa,
1624 bss->wpa_pairwise,
1625 bss->rsn_pairwise);
1626 if (!bss->wpa_group_rekey_set)
1627 bss->wpa_group_rekey = bss->wpa_group == WPA_CIPHER_TKIP ?
1628 600 : 86400;
1629
1630 if (full_config) {
1631 bss->radius->auth_server = bss->radius->auth_servers;
1632 bss->radius->acct_server = bss->radius->acct_servers;
1633 }
1634
1635 if (bss->wpa && bss->ieee802_1x) {
1636 bss->ssid.security_policy = SECURITY_WPA;
1637 } else if (bss->wpa) {
1638 bss->ssid.security_policy = SECURITY_WPA_PSK;
1639 } else if (bss->ieee802_1x) {
1640 int cipher = WPA_CIPHER_NONE;
1641 bss->ssid.security_policy = SECURITY_IEEE_802_1X;
1642 #ifdef CONFIG_WEP
1643 bss->ssid.wep.default_len = bss->default_wep_key_len;
1644 if (full_config && bss->default_wep_key_len) {
1645 cipher = bss->default_wep_key_len >= 13 ?
1646 WPA_CIPHER_WEP104 : WPA_CIPHER_WEP40;
1647 } else if (full_config && bss->ssid.wep.keys_set) {
1648 if (bss->ssid.wep.len[0] >= 13)
1649 cipher = WPA_CIPHER_WEP104;
1650 else
1651 cipher = WPA_CIPHER_WEP40;
1652 }
1653 #endif /* CONFIG_WEP */
1654 bss->wpa_group = cipher;
1655 bss->wpa_pairwise = cipher;
1656 bss->rsn_pairwise = cipher;
1657 if (full_config)
1658 bss->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_NO_WPA;
1659 #ifdef CONFIG_WEP
1660 } else if (bss->ssid.wep.keys_set) {
1661 int cipher = WPA_CIPHER_WEP40;
1662 if (bss->ssid.wep.len[0] >= 13)
1663 cipher = WPA_CIPHER_WEP104;
1664 bss->ssid.security_policy = SECURITY_STATIC_WEP;
1665 bss->wpa_group = cipher;
1666 bss->wpa_pairwise = cipher;
1667 bss->rsn_pairwise = cipher;
1668 if (full_config)
1669 bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE;
1670 #endif /* CONFIG_WEP */
1671 } else if (bss->osen) {
1672 bss->ssid.security_policy = SECURITY_OSEN;
1673 bss->wpa_group = WPA_CIPHER_CCMP;
1674 bss->wpa_pairwise = 0;
1675 bss->rsn_pairwise = WPA_CIPHER_CCMP;
1676 } else {
1677 bss->ssid.security_policy = SECURITY_PLAINTEXT;
1678 if (full_config) {
1679 bss->wpa_group = WPA_CIPHER_NONE;
1680 bss->wpa_pairwise = WPA_CIPHER_NONE;
1681 bss->rsn_pairwise = WPA_CIPHER_NONE;
1682 bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE;
1683 }
1684 }
1685 }
1686
1687
hostapd_sae_pw_id_in_use(struct hostapd_bss_config * conf)1688 int hostapd_sae_pw_id_in_use(struct hostapd_bss_config *conf)
1689 {
1690 int with_id = 0, without_id = 0;
1691 struct sae_password_entry *pw;
1692
1693 if (conf->ssid.wpa_passphrase)
1694 without_id = 1;
1695
1696 for (pw = conf->sae_passwords; pw; pw = pw->next) {
1697 if (pw->identifier)
1698 with_id = 1;
1699 else
1700 without_id = 1;
1701 if (with_id && without_id)
1702 break;
1703 }
1704
1705 if (with_id && !without_id)
1706 return 2;
1707 return with_id;
1708 }
1709
1710
hostapd_sae_pk_in_use(struct hostapd_bss_config * conf)1711 bool hostapd_sae_pk_in_use(struct hostapd_bss_config *conf)
1712 {
1713 #ifdef CONFIG_SAE_PK
1714 struct sae_password_entry *pw;
1715
1716 for (pw = conf->sae_passwords; pw; pw = pw->next) {
1717 if (pw->pk)
1718 return true;
1719 }
1720 #endif /* CONFIG_SAE_PK */
1721
1722 return false;
1723 }
1724
1725
1726 #ifdef CONFIG_SAE_PK
hostapd_sae_pk_exclusively(struct hostapd_bss_config * conf)1727 bool hostapd_sae_pk_exclusively(struct hostapd_bss_config *conf)
1728 {
1729 bool with_pk = false;
1730 struct sae_password_entry *pw;
1731
1732 if (conf->ssid.wpa_passphrase)
1733 return false;
1734
1735 for (pw = conf->sae_passwords; pw; pw = pw->next) {
1736 if (!pw->pk)
1737 return false;
1738 with_pk = true;
1739 }
1740
1741 return with_pk;
1742 }
1743 #endif /* CONFIG_SAE_PK */
1744
1745
hostapd_acl_comp(const void * a,const void * b)1746 int hostapd_acl_comp(const void *a, const void *b)
1747 {
1748 const struct mac_acl_entry *aa = a;
1749 const struct mac_acl_entry *bb = b;
1750 return os_memcmp(aa->addr, bb->addr, sizeof(macaddr));
1751 }
1752
1753
hostapd_add_acl_maclist(struct mac_acl_entry ** acl,int * num,int vlan_id,const u8 * addr)1754 int hostapd_add_acl_maclist(struct mac_acl_entry **acl, int *num,
1755 int vlan_id, const u8 *addr)
1756 {
1757 struct mac_acl_entry *newacl;
1758
1759 newacl = os_realloc_array(*acl, *num + 1, sizeof(**acl));
1760 if (!newacl) {
1761 wpa_printf(MSG_ERROR, "MAC list reallocation failed");
1762 return -1;
1763 }
1764
1765 *acl = newacl;
1766 os_memcpy((*acl)[*num].addr, addr, ETH_ALEN);
1767 os_memset(&(*acl)[*num].vlan_id, 0, sizeof((*acl)[*num].vlan_id));
1768 (*acl)[*num].vlan_id.untagged = vlan_id;
1769 (*acl)[*num].vlan_id.notempty = !!vlan_id;
1770 (*num)++;
1771
1772 return 0;
1773 }
1774
1775
hostapd_remove_acl_mac(struct mac_acl_entry ** acl,int * num,const u8 * addr)1776 void hostapd_remove_acl_mac(struct mac_acl_entry **acl, int *num,
1777 const u8 *addr)
1778 {
1779 int i = 0;
1780
1781 while (i < *num) {
1782 if (ether_addr_equal((*acl)[i].addr, addr)) {
1783 os_remove_in_array(*acl, *num, sizeof(**acl), i);
1784 (*num)--;
1785 } else {
1786 i++;
1787 }
1788 }
1789 }
1790