1 /* 2 * hostapd / Configuration helper functions 3 * Copyright (c) 2003-2014, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "crypto/sha1.h" 13 #include "crypto/tls.h" 14 #include "radius/radius_client.h" 15 #include "common/ieee802_11_defs.h" 16 #include "common/ieee802_1x_defs.h" 17 #include "common/eapol_common.h" 18 #include "common/dhcp.h" 19 #include "common/sae.h" 20 #include "eap_common/eap_wsc_common.h" 21 #include "eap_server/eap.h" 22 #include "wpa_auth.h" 23 #include "sta_info.h" 24 #include "airtime_policy.h" 25 #include "ap_config.h" 26 27 28 static void hostapd_config_free_vlan(struct hostapd_bss_config *bss) 29 { 30 struct hostapd_vlan *vlan, *prev; 31 32 vlan = bss->vlan; 33 prev = NULL; 34 while (vlan) { 35 prev = vlan; 36 vlan = vlan->next; 37 os_free(prev); 38 } 39 40 bss->vlan = NULL; 41 } 42 43 44 #ifndef DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES 45 #define DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES 0 46 #endif /* DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES */ 47 48 void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) 49 { 50 dl_list_init(&bss->anqp_elem); 51 52 bss->logger_syslog_level = HOSTAPD_LEVEL_INFO; 53 bss->logger_stdout_level = HOSTAPD_LEVEL_INFO; 54 bss->logger_syslog = (unsigned int) -1; 55 bss->logger_stdout = (unsigned int) -1; 56 57 #ifdef CONFIG_WEP 58 bss->auth_algs = WPA_AUTH_ALG_OPEN | WPA_AUTH_ALG_SHARED; 59 60 bss->wep_rekeying_period = 300; 61 /* use key0 in individual key and key1 in broadcast key */ 62 bss->broadcast_key_idx_min = 1; 63 bss->broadcast_key_idx_max = 2; 64 #else /* CONFIG_WEP */ 65 bss->auth_algs = WPA_AUTH_ALG_OPEN; 66 #endif /* CONFIG_WEP */ 67 bss->eap_reauth_period = 3600; 68 69 bss->wpa_group_rekey = 600; 70 bss->wpa_gmk_rekey = 86400; 71 bss->wpa_deny_ptk0_rekey = PTK0_REKEY_ALLOW_ALWAYS; 72 bss->wpa_group_update_count = 4; 73 bss->wpa_pairwise_update_count = 4; 74 bss->wpa_disable_eapol_key_retries = 75 DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES; 76 bss->wpa_key_mgmt = WPA_KEY_MGMT_PSK; 77 #ifdef CONFIG_NO_TKIP 78 bss->wpa_pairwise = WPA_CIPHER_CCMP; 79 bss->wpa_group = WPA_CIPHER_CCMP; 80 #else /* CONFIG_NO_TKIP */ 81 bss->wpa_pairwise = WPA_CIPHER_TKIP; 82 bss->wpa_group = WPA_CIPHER_TKIP; 83 #endif /* CONFIG_NO_TKIP */ 84 bss->rsn_pairwise = 0; 85 86 bss->max_num_sta = MAX_STA_COUNT; 87 88 bss->dtim_period = 2; 89 90 bss->radius_server_auth_port = 1812; 91 bss->eap_sim_db_timeout = 1; 92 bss->eap_sim_id = 3; 93 bss->ap_max_inactivity = AP_MAX_INACTIVITY; 94 bss->eapol_version = EAPOL_VERSION; 95 96 bss->max_listen_interval = 65535; 97 98 bss->pwd_group = 19; /* ECC: GF(p=256) */ 99 100 bss->assoc_sa_query_max_timeout = 1000; 101 bss->assoc_sa_query_retry_timeout = 201; 102 bss->group_mgmt_cipher = WPA_CIPHER_AES_128_CMAC; 103 #ifdef EAP_SERVER_FAST 104 /* both anonymous and authenticated provisioning */ 105 bss->eap_fast_prov = 3; 106 bss->pac_key_lifetime = 7 * 24 * 60 * 60; 107 bss->pac_key_refresh_time = 1 * 24 * 60 * 60; 108 #endif /* EAP_SERVER_FAST */ 109 110 /* Set to -1 as defaults depends on HT in setup */ 111 bss->wmm_enabled = -1; 112 113 #ifdef CONFIG_IEEE80211R_AP 114 bss->ft_over_ds = 1; 115 bss->rkh_pos_timeout = 86400; 116 bss->rkh_neg_timeout = 60; 117 bss->rkh_pull_timeout = 1000; 118 bss->rkh_pull_retries = 4; 119 bss->r0_key_lifetime = 1209600; 120 #endif /* CONFIG_IEEE80211R_AP */ 121 122 bss->radius_das_time_window = 300; 123 124 bss->anti_clogging_threshold = 5; 125 bss->sae_sync = 5; 126 127 bss->gas_frag_limit = 1400; 128 129 #ifdef CONFIG_FILS 130 dl_list_init(&bss->fils_realms); 131 bss->fils_hlp_wait_time = 30; 132 bss->dhcp_server_port = DHCP_SERVER_PORT; 133 bss->dhcp_relay_port = DHCP_SERVER_PORT; 134 bss->fils_discovery_min_int = 20; 135 #endif /* CONFIG_FILS */ 136 137 bss->broadcast_deauth = 1; 138 139 #ifdef CONFIG_MBO 140 bss->mbo_cell_data_conn_pref = -1; 141 #endif /* CONFIG_MBO */ 142 143 /* Disable TLS v1.3 by default for now to avoid interoperability issue. 144 * This can be enabled by default once the implementation has been fully 145 * completed and tested with other implementations. */ 146 bss->tls_flags = TLS_CONN_DISABLE_TLSv1_3; 147 148 bss->max_auth_rounds = 100; 149 bss->max_auth_rounds_short = 50; 150 151 bss->send_probe_response = 1; 152 153 #ifdef CONFIG_HS20 154 bss->hs20_release = (HS20_VERSION >> 4) + 1; 155 #endif /* CONFIG_HS20 */ 156 157 #ifdef CONFIG_MACSEC 158 bss->mka_priority = DEFAULT_PRIO_NOT_KEY_SERVER; 159 bss->macsec_port = 1; 160 #endif /* CONFIG_MACSEC */ 161 162 /* Default to strict CRL checking. */ 163 bss->check_crl_strict = 1; 164 165 #ifdef CONFIG_TESTING_OPTIONS 166 bss->sae_commit_status = -1; 167 #endif /* CONFIG_TESTING_OPTIONS */ 168 169 #ifdef CONFIG_PASN 170 /* comeback after 10 TUs */ 171 bss->pasn_comeback_after = 10; 172 #endif /* CONFIG_PASN */ 173 } 174 175 176 struct hostapd_config * hostapd_config_defaults(void) 177 { 178 #define ecw2cw(ecw) ((1 << (ecw)) - 1) 179 180 struct hostapd_config *conf; 181 struct hostapd_bss_config *bss; 182 const int aCWmin = 4, aCWmax = 10; 183 const struct hostapd_wmm_ac_params ac_bk = 184 { aCWmin, aCWmax, 7, 0, 0 }; /* background traffic */ 185 const struct hostapd_wmm_ac_params ac_be = 186 { aCWmin, aCWmax, 3, 0, 0 }; /* best effort traffic */ 187 const struct hostapd_wmm_ac_params ac_vi = /* video traffic */ 188 { aCWmin - 1, aCWmin, 2, 3008 / 32, 0 }; 189 const struct hostapd_wmm_ac_params ac_vo = /* voice traffic */ 190 { aCWmin - 2, aCWmin - 1, 2, 1504 / 32, 0 }; 191 const struct hostapd_tx_queue_params txq_bk = 192 { 7, ecw2cw(aCWmin), ecw2cw(aCWmax), 0 }; 193 const struct hostapd_tx_queue_params txq_be = 194 { 3, ecw2cw(aCWmin), 4 * (ecw2cw(aCWmin) + 1) - 1, 0}; 195 const struct hostapd_tx_queue_params txq_vi = 196 { 1, (ecw2cw(aCWmin) + 1) / 2 - 1, ecw2cw(aCWmin), 30}; 197 const struct hostapd_tx_queue_params txq_vo = 198 { 1, (ecw2cw(aCWmin) + 1) / 4 - 1, 199 (ecw2cw(aCWmin) + 1) / 2 - 1, 15}; 200 201 #undef ecw2cw 202 203 conf = os_zalloc(sizeof(*conf)); 204 bss = os_zalloc(sizeof(*bss)); 205 if (conf == NULL || bss == NULL) { 206 wpa_printf(MSG_ERROR, "Failed to allocate memory for " 207 "configuration data."); 208 os_free(conf); 209 os_free(bss); 210 return NULL; 211 } 212 conf->bss = os_calloc(1, sizeof(struct hostapd_bss_config *)); 213 if (conf->bss == NULL) { 214 os_free(conf); 215 os_free(bss); 216 return NULL; 217 } 218 conf->bss[0] = bss; 219 220 bss->radius = os_zalloc(sizeof(*bss->radius)); 221 if (bss->radius == NULL) { 222 os_free(conf->bss); 223 os_free(conf); 224 os_free(bss); 225 return NULL; 226 } 227 228 hostapd_config_defaults_bss(bss); 229 230 conf->num_bss = 1; 231 232 conf->beacon_int = 100; 233 conf->rts_threshold = -2; /* use driver default: 2347 */ 234 conf->fragm_threshold = -2; /* user driver default: 2346 */ 235 /* Set to invalid value means do not add Power Constraint IE */ 236 conf->local_pwr_constraint = -1; 237 238 conf->wmm_ac_params[0] = ac_be; 239 conf->wmm_ac_params[1] = ac_bk; 240 conf->wmm_ac_params[2] = ac_vi; 241 conf->wmm_ac_params[3] = ac_vo; 242 243 conf->tx_queue[0] = txq_vo; 244 conf->tx_queue[1] = txq_vi; 245 conf->tx_queue[2] = txq_be; 246 conf->tx_queue[3] = txq_bk; 247 248 conf->ht_capab = HT_CAP_INFO_SMPS_DISABLED; 249 250 conf->ap_table_max_size = 255; 251 conf->ap_table_expiration_time = 60; 252 conf->track_sta_max_age = 180; 253 254 #ifdef CONFIG_TESTING_OPTIONS 255 conf->ignore_probe_probability = 0.0; 256 conf->ignore_auth_probability = 0.0; 257 conf->ignore_assoc_probability = 0.0; 258 conf->ignore_reassoc_probability = 0.0; 259 conf->corrupt_gtk_rekey_mic_probability = 0.0; 260 conf->ecsa_ie_only = 0; 261 #endif /* CONFIG_TESTING_OPTIONS */ 262 263 conf->acs = 0; 264 conf->acs_ch_list.num = 0; 265 #ifdef CONFIG_ACS 266 conf->acs_num_scans = 5; 267 #endif /* CONFIG_ACS */ 268 269 #ifdef CONFIG_IEEE80211AX 270 conf->he_op.he_rts_threshold = HE_OPERATION_RTS_THRESHOLD_MASK >> 271 HE_OPERATION_RTS_THRESHOLD_OFFSET; 272 /* Set default basic MCS/NSS set to single stream MCS 0-7 */ 273 conf->he_op.he_basic_mcs_nss_set = 0xfffc; 274 conf->he_op.he_bss_color_disabled = 1; 275 conf->he_op.he_bss_color_partial = 0; 276 conf->he_op.he_bss_color = os_random() % 63 + 1; 277 conf->he_op.he_twt_responder = 1; 278 conf->he_6ghz_max_mpdu = 2; 279 conf->he_6ghz_max_ampdu_len_exp = 7; 280 conf->he_6ghz_rx_ant_pat = 1; 281 conf->he_6ghz_tx_ant_pat = 1; 282 #endif /* CONFIG_IEEE80211AX */ 283 284 /* The third octet of the country string uses an ASCII space character 285 * by default to indicate that the regulations encompass all 286 * environments for the current frequency band in the country. */ 287 conf->country[2] = ' '; 288 289 conf->rssi_reject_assoc_rssi = 0; 290 conf->rssi_reject_assoc_timeout = 30; 291 292 #ifdef CONFIG_AIRTIME_POLICY 293 conf->airtime_update_interval = AIRTIME_DEFAULT_UPDATE_INTERVAL; 294 #endif /* CONFIG_AIRTIME_POLICY */ 295 296 return conf; 297 } 298 299 300 int hostapd_mac_comp(const void *a, const void *b) 301 { 302 return os_memcmp(a, b, sizeof(macaddr)); 303 } 304 305 306 static int hostapd_config_read_wpa_psk(const char *fname, 307 struct hostapd_ssid *ssid) 308 { 309 FILE *f; 310 char buf[128], *pos; 311 const char *keyid; 312 char *context; 313 char *context2; 314 char *token; 315 char *name; 316 char *value; 317 int line = 0, ret = 0, len, ok; 318 u8 addr[ETH_ALEN]; 319 struct hostapd_wpa_psk *psk; 320 321 if (!fname) 322 return 0; 323 324 f = fopen(fname, "r"); 325 if (!f) { 326 wpa_printf(MSG_ERROR, "WPA PSK file '%s' not found.", fname); 327 return -1; 328 } 329 330 while (fgets(buf, sizeof(buf), f)) { 331 int vlan_id = 0; 332 int wps = 0; 333 334 line++; 335 336 if (buf[0] == '#') 337 continue; 338 pos = buf; 339 while (*pos != '\0') { 340 if (*pos == '\n') { 341 *pos = '\0'; 342 break; 343 } 344 pos++; 345 } 346 if (buf[0] == '\0') 347 continue; 348 349 context = NULL; 350 keyid = NULL; 351 while ((token = str_token(buf, " ", &context))) { 352 if (!os_strchr(token, '=')) 353 break; 354 context2 = NULL; 355 name = str_token(token, "=", &context2); 356 if (!name) 357 break; 358 value = str_token(token, "", &context2); 359 if (!value) 360 value = ""; 361 if (!os_strcmp(name, "keyid")) { 362 keyid = value; 363 } else if (!os_strcmp(name, "wps")) { 364 wps = atoi(value); 365 } else if (!os_strcmp(name, "vlanid")) { 366 vlan_id = atoi(value); 367 } else { 368 wpa_printf(MSG_ERROR, 369 "Unrecognized '%s=%s' on line %d in '%s'", 370 name, value, line, fname); 371 ret = -1; 372 break; 373 } 374 } 375 376 if (ret == -1) 377 break; 378 379 if (!token) 380 token = ""; 381 if (hwaddr_aton(token, addr)) { 382 wpa_printf(MSG_ERROR, 383 "Invalid MAC address '%s' on line %d in '%s'", 384 token, line, fname); 385 ret = -1; 386 break; 387 } 388 389 psk = os_zalloc(sizeof(*psk)); 390 if (psk == NULL) { 391 wpa_printf(MSG_ERROR, "WPA PSK allocation failed"); 392 ret = -1; 393 break; 394 } 395 psk->vlan_id = vlan_id; 396 if (is_zero_ether_addr(addr)) 397 psk->group = 1; 398 else 399 os_memcpy(psk->addr, addr, ETH_ALEN); 400 401 pos = str_token(buf, "", &context); 402 if (!pos) { 403 wpa_printf(MSG_ERROR, "No PSK on line %d in '%s'", 404 line, fname); 405 os_free(psk); 406 ret = -1; 407 break; 408 } 409 410 ok = 0; 411 len = os_strlen(pos); 412 if (len == 2 * PMK_LEN && 413 hexstr2bin(pos, psk->psk, PMK_LEN) == 0) 414 ok = 1; 415 else if (len >= 8 && len < 64 && 416 pbkdf2_sha1(pos, ssid->ssid, ssid->ssid_len, 417 4096, psk->psk, PMK_LEN) == 0) 418 ok = 1; 419 if (!ok) { 420 wpa_printf(MSG_ERROR, 421 "Invalid PSK '%s' on line %d in '%s'", 422 pos, line, fname); 423 os_free(psk); 424 ret = -1; 425 break; 426 } 427 428 if (keyid) { 429 len = os_strlcpy(psk->keyid, keyid, sizeof(psk->keyid)); 430 if ((size_t) len >= sizeof(psk->keyid)) { 431 wpa_printf(MSG_ERROR, 432 "PSK keyid too long on line %d in '%s'", 433 line, fname); 434 os_free(psk); 435 ret = -1; 436 break; 437 } 438 } 439 440 psk->wps = wps; 441 442 psk->next = ssid->wpa_psk; 443 ssid->wpa_psk = psk; 444 } 445 446 fclose(f); 447 448 return ret; 449 } 450 451 452 static int hostapd_derive_psk(struct hostapd_ssid *ssid) 453 { 454 ssid->wpa_psk = os_zalloc(sizeof(struct hostapd_wpa_psk)); 455 if (ssid->wpa_psk == NULL) { 456 wpa_printf(MSG_ERROR, "Unable to alloc space for PSK"); 457 return -1; 458 } 459 wpa_hexdump_ascii(MSG_DEBUG, "SSID", 460 (u8 *) ssid->ssid, ssid->ssid_len); 461 wpa_hexdump_ascii_key(MSG_DEBUG, "PSK (ASCII passphrase)", 462 (u8 *) ssid->wpa_passphrase, 463 os_strlen(ssid->wpa_passphrase)); 464 pbkdf2_sha1(ssid->wpa_passphrase, 465 ssid->ssid, ssid->ssid_len, 466 4096, ssid->wpa_psk->psk, PMK_LEN); 467 wpa_hexdump_key(MSG_DEBUG, "PSK (from passphrase)", 468 ssid->wpa_psk->psk, PMK_LEN); 469 return 0; 470 } 471 472 473 int hostapd_setup_sae_pt(struct hostapd_bss_config *conf) 474 { 475 #ifdef CONFIG_SAE 476 struct hostapd_ssid *ssid = &conf->ssid; 477 struct sae_password_entry *pw; 478 479 if ((conf->sae_pwe == 0 && !hostapd_sae_pw_id_in_use(conf) && 480 !hostapd_sae_pk_in_use(conf)) || 481 conf->sae_pwe == 3 || 482 !wpa_key_mgmt_sae(conf->wpa_key_mgmt)) 483 return 0; /* PT not needed */ 484 485 sae_deinit_pt(ssid->pt); 486 ssid->pt = NULL; 487 if (ssid->wpa_passphrase) { 488 ssid->pt = sae_derive_pt(conf->sae_groups, ssid->ssid, 489 ssid->ssid_len, 490 (const u8 *) ssid->wpa_passphrase, 491 os_strlen(ssid->wpa_passphrase), 492 NULL); 493 if (!ssid->pt) 494 return -1; 495 } 496 497 for (pw = conf->sae_passwords; pw; pw = pw->next) { 498 sae_deinit_pt(pw->pt); 499 pw->pt = sae_derive_pt(conf->sae_groups, ssid->ssid, 500 ssid->ssid_len, 501 (const u8 *) pw->password, 502 os_strlen(pw->password), 503 pw->identifier); 504 if (!pw->pt) 505 return -1; 506 } 507 #endif /* CONFIG_SAE */ 508 509 return 0; 510 } 511 512 513 int hostapd_setup_wpa_psk(struct hostapd_bss_config *conf) 514 { 515 struct hostapd_ssid *ssid = &conf->ssid; 516 517 if (hostapd_setup_sae_pt(conf) < 0) 518 return -1; 519 520 if (ssid->wpa_passphrase != NULL) { 521 if (ssid->wpa_psk != NULL) { 522 wpa_printf(MSG_DEBUG, "Using pre-configured WPA PSK " 523 "instead of passphrase"); 524 } else { 525 wpa_printf(MSG_DEBUG, "Deriving WPA PSK based on " 526 "passphrase"); 527 if (hostapd_derive_psk(ssid) < 0) 528 return -1; 529 } 530 ssid->wpa_psk->group = 1; 531 } 532 533 return hostapd_config_read_wpa_psk(ssid->wpa_psk_file, &conf->ssid); 534 } 535 536 537 static void hostapd_config_free_radius(struct hostapd_radius_server *servers, 538 int num_servers) 539 { 540 int i; 541 542 for (i = 0; i < num_servers; i++) { 543 os_free(servers[i].shared_secret); 544 } 545 os_free(servers); 546 } 547 548 549 struct hostapd_radius_attr * 550 hostapd_config_get_radius_attr(struct hostapd_radius_attr *attr, u8 type) 551 { 552 for (; attr; attr = attr->next) { 553 if (attr->type == type) 554 return attr; 555 } 556 return NULL; 557 } 558 559 560 struct hostapd_radius_attr * hostapd_parse_radius_attr(const char *value) 561 { 562 const char *pos; 563 char syntax; 564 struct hostapd_radius_attr *attr; 565 size_t len; 566 567 attr = os_zalloc(sizeof(*attr)); 568 if (!attr) 569 return NULL; 570 571 attr->type = atoi(value); 572 573 pos = os_strchr(value, ':'); 574 if (!pos) { 575 attr->val = wpabuf_alloc(1); 576 if (!attr->val) { 577 os_free(attr); 578 return NULL; 579 } 580 wpabuf_put_u8(attr->val, 0); 581 return attr; 582 } 583 584 pos++; 585 if (pos[0] == '\0' || pos[1] != ':') { 586 os_free(attr); 587 return NULL; 588 } 589 syntax = *pos++; 590 pos++; 591 592 switch (syntax) { 593 case 's': 594 attr->val = wpabuf_alloc_copy(pos, os_strlen(pos)); 595 break; 596 case 'x': 597 len = os_strlen(pos); 598 if (len & 1) 599 break; 600 len /= 2; 601 attr->val = wpabuf_alloc(len); 602 if (!attr->val) 603 break; 604 if (hexstr2bin(pos, wpabuf_put(attr->val, len), len) < 0) { 605 wpabuf_free(attr->val); 606 os_free(attr); 607 return NULL; 608 } 609 break; 610 case 'd': 611 attr->val = wpabuf_alloc(4); 612 if (attr->val) 613 wpabuf_put_be32(attr->val, atoi(pos)); 614 break; 615 default: 616 os_free(attr); 617 return NULL; 618 } 619 620 if (!attr->val) { 621 os_free(attr); 622 return NULL; 623 } 624 625 return attr; 626 } 627 628 629 void hostapd_config_free_radius_attr(struct hostapd_radius_attr *attr) 630 { 631 struct hostapd_radius_attr *prev; 632 633 while (attr) { 634 prev = attr; 635 attr = attr->next; 636 wpabuf_free(prev->val); 637 os_free(prev); 638 } 639 } 640 641 642 void hostapd_config_free_eap_user(struct hostapd_eap_user *user) 643 { 644 hostapd_config_free_radius_attr(user->accept_attr); 645 os_free(user->identity); 646 bin_clear_free(user->password, user->password_len); 647 bin_clear_free(user->salt, user->salt_len); 648 os_free(user); 649 } 650 651 652 void hostapd_config_free_eap_users(struct hostapd_eap_user *user) 653 { 654 struct hostapd_eap_user *prev_user; 655 656 while (user) { 657 prev_user = user; 658 user = user->next; 659 hostapd_config_free_eap_user(prev_user); 660 } 661 } 662 663 664 #ifdef CONFIG_WEP 665 static void hostapd_config_free_wep(struct hostapd_wep_keys *keys) 666 { 667 int i; 668 for (i = 0; i < NUM_WEP_KEYS; i++) { 669 bin_clear_free(keys->key[i], keys->len[i]); 670 keys->key[i] = NULL; 671 } 672 } 673 #endif /* CONFIG_WEP */ 674 675 676 void hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk **l) 677 { 678 struct hostapd_wpa_psk *psk, *tmp; 679 680 for (psk = *l; psk;) { 681 tmp = psk; 682 psk = psk->next; 683 bin_clear_free(tmp, sizeof(*tmp)); 684 } 685 *l = NULL; 686 } 687 688 689 static void hostapd_config_free_anqp_elem(struct hostapd_bss_config *conf) 690 { 691 struct anqp_element *elem; 692 693 while ((elem = dl_list_first(&conf->anqp_elem, struct anqp_element, 694 list))) { 695 dl_list_del(&elem->list); 696 wpabuf_free(elem->payload); 697 os_free(elem); 698 } 699 } 700 701 702 static void hostapd_config_free_fils_realms(struct hostapd_bss_config *conf) 703 { 704 #ifdef CONFIG_FILS 705 struct fils_realm *realm; 706 707 while ((realm = dl_list_first(&conf->fils_realms, struct fils_realm, 708 list))) { 709 dl_list_del(&realm->list); 710 os_free(realm); 711 } 712 #endif /* CONFIG_FILS */ 713 } 714 715 716 static void hostapd_config_free_sae_passwords(struct hostapd_bss_config *conf) 717 { 718 struct sae_password_entry *pw, *tmp; 719 720 pw = conf->sae_passwords; 721 conf->sae_passwords = NULL; 722 while (pw) { 723 tmp = pw; 724 pw = pw->next; 725 str_clear_free(tmp->password); 726 os_free(tmp->identifier); 727 #ifdef CONFIG_SAE 728 sae_deinit_pt(tmp->pt); 729 #endif /* CONFIG_SAE */ 730 #ifdef CONFIG_SAE_PK 731 sae_deinit_pk(tmp->pk); 732 #endif /* CONFIG_SAE_PK */ 733 os_free(tmp); 734 } 735 } 736 737 738 #ifdef CONFIG_DPP2 739 static void hostapd_dpp_controller_conf_free(struct dpp_controller_conf *conf) 740 { 741 struct dpp_controller_conf *prev; 742 743 while (conf) { 744 prev = conf; 745 conf = conf->next; 746 os_free(prev); 747 } 748 } 749 #endif /* CONFIG_DPP2 */ 750 751 752 void hostapd_config_free_bss(struct hostapd_bss_config *conf) 753 { 754 #if defined(CONFIG_WPS) || defined(CONFIG_HS20) 755 size_t i; 756 #endif 757 758 if (conf == NULL) 759 return; 760 761 hostapd_config_clear_wpa_psk(&conf->ssid.wpa_psk); 762 763 str_clear_free(conf->ssid.wpa_passphrase); 764 os_free(conf->ssid.wpa_psk_file); 765 #ifdef CONFIG_WEP 766 hostapd_config_free_wep(&conf->ssid.wep); 767 #endif /* CONFIG_WEP */ 768 #ifdef CONFIG_FULL_DYNAMIC_VLAN 769 os_free(conf->ssid.vlan_tagged_interface); 770 #endif /* CONFIG_FULL_DYNAMIC_VLAN */ 771 #ifdef CONFIG_SAE 772 sae_deinit_pt(conf->ssid.pt); 773 #endif /* CONFIG_SAE */ 774 775 hostapd_config_free_eap_users(conf->eap_user); 776 os_free(conf->eap_user_sqlite); 777 778 os_free(conf->eap_req_id_text); 779 os_free(conf->erp_domain); 780 os_free(conf->accept_mac); 781 os_free(conf->deny_mac); 782 os_free(conf->nas_identifier); 783 if (conf->radius) { 784 hostapd_config_free_radius(conf->radius->auth_servers, 785 conf->radius->num_auth_servers); 786 hostapd_config_free_radius(conf->radius->acct_servers, 787 conf->radius->num_acct_servers); 788 os_free(conf->radius->force_client_dev); 789 } 790 hostapd_config_free_radius_attr(conf->radius_auth_req_attr); 791 hostapd_config_free_radius_attr(conf->radius_acct_req_attr); 792 os_free(conf->radius_req_attr_sqlite); 793 os_free(conf->rsn_preauth_interfaces); 794 os_free(conf->ctrl_interface); 795 os_free(conf->ca_cert); 796 os_free(conf->server_cert); 797 os_free(conf->server_cert2); 798 os_free(conf->private_key); 799 os_free(conf->private_key2); 800 os_free(conf->private_key_passwd); 801 os_free(conf->private_key_passwd2); 802 os_free(conf->check_cert_subject); 803 os_free(conf->ocsp_stapling_response); 804 os_free(conf->ocsp_stapling_response_multi); 805 os_free(conf->dh_file); 806 os_free(conf->openssl_ciphers); 807 os_free(conf->openssl_ecdh_curves); 808 os_free(conf->pac_opaque_encr_key); 809 os_free(conf->eap_fast_a_id); 810 os_free(conf->eap_fast_a_id_info); 811 os_free(conf->eap_sim_db); 812 os_free(conf->radius_server_clients); 813 os_free(conf->radius); 814 os_free(conf->radius_das_shared_secret); 815 hostapd_config_free_vlan(conf); 816 os_free(conf->time_zone); 817 818 #ifdef CONFIG_IEEE80211R_AP 819 { 820 struct ft_remote_r0kh *r0kh, *r0kh_prev; 821 struct ft_remote_r1kh *r1kh, *r1kh_prev; 822 823 r0kh = conf->r0kh_list; 824 conf->r0kh_list = NULL; 825 while (r0kh) { 826 r0kh_prev = r0kh; 827 r0kh = r0kh->next; 828 os_free(r0kh_prev); 829 } 830 831 r1kh = conf->r1kh_list; 832 conf->r1kh_list = NULL; 833 while (r1kh) { 834 r1kh_prev = r1kh; 835 r1kh = r1kh->next; 836 os_free(r1kh_prev); 837 } 838 } 839 #endif /* CONFIG_IEEE80211R_AP */ 840 841 #ifdef CONFIG_WPS 842 os_free(conf->wps_pin_requests); 843 os_free(conf->device_name); 844 os_free(conf->manufacturer); 845 os_free(conf->model_name); 846 os_free(conf->model_number); 847 os_free(conf->serial_number); 848 os_free(conf->config_methods); 849 os_free(conf->ap_pin); 850 os_free(conf->extra_cred); 851 os_free(conf->ap_settings); 852 hostapd_config_clear_wpa_psk(&conf->multi_ap_backhaul_ssid.wpa_psk); 853 str_clear_free(conf->multi_ap_backhaul_ssid.wpa_passphrase); 854 os_free(conf->upnp_iface); 855 os_free(conf->friendly_name); 856 os_free(conf->manufacturer_url); 857 os_free(conf->model_description); 858 os_free(conf->model_url); 859 os_free(conf->upc); 860 for (i = 0; i < MAX_WPS_VENDOR_EXTENSIONS; i++) 861 wpabuf_free(conf->wps_vendor_ext[i]); 862 wpabuf_free(conf->wps_application_ext); 863 wpabuf_free(conf->wps_nfc_dh_pubkey); 864 wpabuf_free(conf->wps_nfc_dh_privkey); 865 wpabuf_free(conf->wps_nfc_dev_pw); 866 #endif /* CONFIG_WPS */ 867 868 os_free(conf->roaming_consortium); 869 os_free(conf->venue_name); 870 os_free(conf->venue_url); 871 os_free(conf->nai_realm_data); 872 os_free(conf->network_auth_type); 873 os_free(conf->anqp_3gpp_cell_net); 874 os_free(conf->domain_name); 875 hostapd_config_free_anqp_elem(conf); 876 877 #ifdef CONFIG_RADIUS_TEST 878 os_free(conf->dump_msk_file); 879 #endif /* CONFIG_RADIUS_TEST */ 880 881 #ifdef CONFIG_HS20 882 os_free(conf->hs20_oper_friendly_name); 883 os_free(conf->hs20_wan_metrics); 884 os_free(conf->hs20_connection_capability); 885 os_free(conf->hs20_operating_class); 886 os_free(conf->hs20_icons); 887 if (conf->hs20_osu_providers) { 888 for (i = 0; i < conf->hs20_osu_providers_count; i++) { 889 struct hs20_osu_provider *p; 890 size_t j; 891 p = &conf->hs20_osu_providers[i]; 892 os_free(p->friendly_name); 893 os_free(p->server_uri); 894 os_free(p->method_list); 895 for (j = 0; j < p->icons_count; j++) 896 os_free(p->icons[j]); 897 os_free(p->icons); 898 os_free(p->osu_nai); 899 os_free(p->osu_nai2); 900 os_free(p->service_desc); 901 } 902 os_free(conf->hs20_osu_providers); 903 } 904 if (conf->hs20_operator_icon) { 905 for (i = 0; i < conf->hs20_operator_icon_count; i++) 906 os_free(conf->hs20_operator_icon[i]); 907 os_free(conf->hs20_operator_icon); 908 } 909 os_free(conf->subscr_remediation_url); 910 os_free(conf->hs20_sim_provisioning_url); 911 os_free(conf->t_c_filename); 912 os_free(conf->t_c_server_url); 913 #endif /* CONFIG_HS20 */ 914 915 wpabuf_free(conf->vendor_elements); 916 wpabuf_free(conf->assocresp_elements); 917 918 os_free(conf->sae_groups); 919 #ifdef CONFIG_OWE 920 os_free(conf->owe_groups); 921 #endif /* CONFIG_OWE */ 922 923 os_free(conf->wowlan_triggers); 924 925 os_free(conf->server_id); 926 927 #ifdef CONFIG_TESTING_OPTIONS 928 wpabuf_free(conf->own_ie_override); 929 wpabuf_free(conf->sae_commit_override); 930 wpabuf_free(conf->rsne_override_eapol); 931 wpabuf_free(conf->rsnxe_override_eapol); 932 wpabuf_free(conf->rsne_override_ft); 933 wpabuf_free(conf->rsnxe_override_ft); 934 wpabuf_free(conf->gtk_rsc_override); 935 wpabuf_free(conf->igtk_rsc_override); 936 #endif /* CONFIG_TESTING_OPTIONS */ 937 938 os_free(conf->no_probe_resp_if_seen_on); 939 os_free(conf->no_auth_if_seen_on); 940 941 hostapd_config_free_fils_realms(conf); 942 943 #ifdef CONFIG_DPP 944 os_free(conf->dpp_name); 945 os_free(conf->dpp_mud_url); 946 os_free(conf->dpp_connector); 947 wpabuf_free(conf->dpp_netaccesskey); 948 wpabuf_free(conf->dpp_csign); 949 #ifdef CONFIG_DPP2 950 hostapd_dpp_controller_conf_free(conf->dpp_controller); 951 #endif /* CONFIG_DPP2 */ 952 #endif /* CONFIG_DPP */ 953 954 hostapd_config_free_sae_passwords(conf); 955 956 #ifdef CONFIG_AIRTIME_POLICY 957 { 958 struct airtime_sta_weight *wt, *wt_prev; 959 960 wt = conf->airtime_weight_list; 961 conf->airtime_weight_list = NULL; 962 while (wt) { 963 wt_prev = wt; 964 wt = wt->next; 965 os_free(wt_prev); 966 } 967 } 968 #endif /* CONFIG_AIRTIME_POLICY */ 969 970 #ifdef CONFIG_PASN 971 os_free(conf->pasn_groups); 972 #endif /* CONFIG_PASN */ 973 974 os_free(conf); 975 } 976 977 978 /** 979 * hostapd_config_free - Free hostapd configuration 980 * @conf: Configuration data from hostapd_config_read(). 981 */ 982 void hostapd_config_free(struct hostapd_config *conf) 983 { 984 size_t i; 985 986 if (conf == NULL) 987 return; 988 989 for (i = 0; i < conf->num_bss; i++) 990 hostapd_config_free_bss(conf->bss[i]); 991 os_free(conf->bss); 992 os_free(conf->supported_rates); 993 os_free(conf->basic_rates); 994 os_free(conf->acs_ch_list.range); 995 os_free(conf->acs_freq_list.range); 996 os_free(conf->driver_params); 997 #ifdef CONFIG_ACS 998 os_free(conf->acs_chan_bias); 999 #endif /* CONFIG_ACS */ 1000 wpabuf_free(conf->lci); 1001 wpabuf_free(conf->civic); 1002 1003 os_free(conf); 1004 } 1005 1006 1007 /** 1008 * hostapd_maclist_found - Find a MAC address from a list 1009 * @list: MAC address list 1010 * @num_entries: Number of addresses in the list 1011 * @addr: Address to search for 1012 * @vlan_id: Buffer for returning VLAN ID or %NULL if not needed 1013 * Returns: 1 if address is in the list or 0 if not. 1014 * 1015 * Perform a binary search for given MAC address from a pre-sorted list. 1016 */ 1017 int hostapd_maclist_found(struct mac_acl_entry *list, int num_entries, 1018 const u8 *addr, struct vlan_description *vlan_id) 1019 { 1020 int start, end, middle, res; 1021 1022 start = 0; 1023 end = num_entries - 1; 1024 1025 while (start <= end) { 1026 middle = (start + end) / 2; 1027 res = os_memcmp(list[middle].addr, addr, ETH_ALEN); 1028 if (res == 0) { 1029 if (vlan_id) 1030 *vlan_id = list[middle].vlan_id; 1031 return 1; 1032 } 1033 if (res < 0) 1034 start = middle + 1; 1035 else 1036 end = middle - 1; 1037 } 1038 1039 return 0; 1040 } 1041 1042 1043 int hostapd_rate_found(int *list, int rate) 1044 { 1045 int i; 1046 1047 if (list == NULL) 1048 return 0; 1049 1050 for (i = 0; list[i] >= 0; i++) 1051 if (list[i] == rate) 1052 return 1; 1053 1054 return 0; 1055 } 1056 1057 1058 int hostapd_vlan_valid(struct hostapd_vlan *vlan, 1059 struct vlan_description *vlan_desc) 1060 { 1061 struct hostapd_vlan *v = vlan; 1062 int i; 1063 1064 if (!vlan_desc->notempty || vlan_desc->untagged < 0 || 1065 vlan_desc->untagged > MAX_VLAN_ID) 1066 return 0; 1067 for (i = 0; i < MAX_NUM_TAGGED_VLAN; i++) { 1068 if (vlan_desc->tagged[i] < 0 || 1069 vlan_desc->tagged[i] > MAX_VLAN_ID) 1070 return 0; 1071 } 1072 if (!vlan_desc->untagged && !vlan_desc->tagged[0]) 1073 return 0; 1074 1075 while (v) { 1076 if (!vlan_compare(&v->vlan_desc, vlan_desc) || 1077 v->vlan_id == VLAN_ID_WILDCARD) 1078 return 1; 1079 v = v->next; 1080 } 1081 return 0; 1082 } 1083 1084 1085 const char * hostapd_get_vlan_id_ifname(struct hostapd_vlan *vlan, int vlan_id) 1086 { 1087 struct hostapd_vlan *v = vlan; 1088 while (v) { 1089 if (v->vlan_id == vlan_id) 1090 return v->ifname; 1091 v = v->next; 1092 } 1093 return NULL; 1094 } 1095 1096 1097 const u8 * hostapd_get_psk(const struct hostapd_bss_config *conf, 1098 const u8 *addr, const u8 *p2p_dev_addr, 1099 const u8 *prev_psk, int *vlan_id) 1100 { 1101 struct hostapd_wpa_psk *psk; 1102 int next_ok = prev_psk == NULL; 1103 1104 if (vlan_id) 1105 *vlan_id = 0; 1106 1107 if (p2p_dev_addr && !is_zero_ether_addr(p2p_dev_addr)) { 1108 wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR 1109 " p2p_dev_addr=" MACSTR " prev_psk=%p", 1110 MAC2STR(addr), MAC2STR(p2p_dev_addr), prev_psk); 1111 addr = NULL; /* Use P2P Device Address for matching */ 1112 } else { 1113 wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR 1114 " prev_psk=%p", 1115 MAC2STR(addr), prev_psk); 1116 } 1117 1118 for (psk = conf->ssid.wpa_psk; psk != NULL; psk = psk->next) { 1119 if (next_ok && 1120 (psk->group || 1121 (addr && os_memcmp(psk->addr, addr, ETH_ALEN) == 0) || 1122 (!addr && p2p_dev_addr && 1123 os_memcmp(psk->p2p_dev_addr, p2p_dev_addr, ETH_ALEN) == 1124 0))) { 1125 if (vlan_id) 1126 *vlan_id = psk->vlan_id; 1127 return psk->psk; 1128 } 1129 1130 if (psk->psk == prev_psk) 1131 next_ok = 1; 1132 } 1133 1134 return NULL; 1135 } 1136 1137 1138 #ifdef CONFIG_SAE_PK 1139 static bool hostapd_sae_pk_password_without_pk(struct hostapd_bss_config *bss) 1140 { 1141 struct sae_password_entry *pw; 1142 bool res = false; 1143 1144 if (bss->ssid.wpa_passphrase && 1145 #ifdef CONFIG_TESTING_OPTIONS 1146 !bss->sae_pk_password_check_skip && 1147 #endif /* CONFIG_TESTING_OPTIONS */ 1148 sae_pk_valid_password(bss->ssid.wpa_passphrase)) 1149 res = true; 1150 1151 for (pw = bss->sae_passwords; pw; pw = pw->next) { 1152 if (!pw->pk && 1153 #ifdef CONFIG_TESTING_OPTIONS 1154 !bss->sae_pk_password_check_skip && 1155 #endif /* CONFIG_TESTING_OPTIONS */ 1156 sae_pk_valid_password(pw->password)) 1157 return true; 1158 1159 if (bss->ssid.wpa_passphrase && res && pw->pk && 1160 os_strcmp(bss->ssid.wpa_passphrase, pw->password) == 0) 1161 res = false; 1162 } 1163 1164 return res; 1165 } 1166 #endif /* CONFIG_SAE_PK */ 1167 1168 1169 static bool hostapd_config_check_bss_6g(struct hostapd_bss_config *bss) 1170 { 1171 if (bss->wpa != WPA_PROTO_RSN) { 1172 wpa_printf(MSG_ERROR, 1173 "Pre-RSNA security methods are not allowed in 6 GHz"); 1174 return false; 1175 } 1176 1177 if (bss->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED) { 1178 wpa_printf(MSG_ERROR, 1179 "Management frame protection is required in 6 GHz"); 1180 return false; 1181 } 1182 1183 if (bss->wpa_key_mgmt & (WPA_KEY_MGMT_PSK | 1184 WPA_KEY_MGMT_FT_PSK | 1185 WPA_KEY_MGMT_PSK_SHA256)) { 1186 wpa_printf(MSG_ERROR, "Invalid AKM suite for 6 GHz"); 1187 return false; 1188 } 1189 1190 if (bss->rsn_pairwise & (WPA_CIPHER_WEP40 | 1191 WPA_CIPHER_WEP104 | 1192 WPA_CIPHER_TKIP)) { 1193 wpa_printf(MSG_ERROR, 1194 "Invalid pairwise cipher suite for 6 GHz"); 1195 return false; 1196 } 1197 1198 if (bss->wpa_group & (WPA_CIPHER_WEP40 | 1199 WPA_CIPHER_WEP104 | 1200 WPA_CIPHER_TKIP)) { 1201 wpa_printf(MSG_ERROR, "Invalid group cipher suite for 6 GHz"); 1202 return false; 1203 } 1204 1205 return true; 1206 } 1207 1208 1209 static int hostapd_config_check_bss(struct hostapd_bss_config *bss, 1210 struct hostapd_config *conf, 1211 int full_config) 1212 { 1213 if (full_config && is_6ghz_op_class(conf->op_class) && 1214 !hostapd_config_check_bss_6g(bss)) 1215 return -1; 1216 1217 if (full_config && bss->ieee802_1x && !bss->eap_server && 1218 !bss->radius->auth_servers) { 1219 wpa_printf(MSG_ERROR, "Invalid IEEE 802.1X configuration (no " 1220 "EAP authenticator configured)."); 1221 return -1; 1222 } 1223 1224 #ifdef CONFIG_WEP 1225 if (bss->wpa) { 1226 int wep, i; 1227 1228 wep = bss->default_wep_key_len > 0 || 1229 bss->individual_wep_key_len > 0; 1230 for (i = 0; i < NUM_WEP_KEYS; i++) { 1231 if (bss->ssid.wep.keys_set) { 1232 wep = 1; 1233 break; 1234 } 1235 } 1236 1237 if (wep) { 1238 wpa_printf(MSG_ERROR, "WEP configuration in a WPA network is not supported"); 1239 return -1; 1240 } 1241 } 1242 #endif /* CONFIG_WEP */ 1243 1244 if (full_config && bss->wpa && 1245 bss->wpa_psk_radius != PSK_RADIUS_IGNORED && 1246 bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH) { 1247 wpa_printf(MSG_ERROR, "WPA-PSK using RADIUS enabled, but no " 1248 "RADIUS checking (macaddr_acl=2) enabled."); 1249 return -1; 1250 } 1251 1252 if (full_config && bss->wpa && (bss->wpa_key_mgmt & WPA_KEY_MGMT_PSK) && 1253 bss->ssid.wpa_psk == NULL && bss->ssid.wpa_passphrase == NULL && 1254 bss->ssid.wpa_psk_file == NULL && 1255 (bss->wpa_psk_radius != PSK_RADIUS_REQUIRED || 1256 bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH)) { 1257 wpa_printf(MSG_ERROR, "WPA-PSK enabled, but PSK or passphrase " 1258 "is not configured."); 1259 return -1; 1260 } 1261 1262 if (full_config && !is_zero_ether_addr(bss->bssid)) { 1263 size_t i; 1264 1265 for (i = 0; i < conf->num_bss; i++) { 1266 if (conf->bss[i] != bss && 1267 (hostapd_mac_comp(conf->bss[i]->bssid, 1268 bss->bssid) == 0)) { 1269 wpa_printf(MSG_ERROR, "Duplicate BSSID " MACSTR 1270 " on interface '%s' and '%s'.", 1271 MAC2STR(bss->bssid), 1272 conf->bss[i]->iface, bss->iface); 1273 return -1; 1274 } 1275 } 1276 } 1277 1278 #ifdef CONFIG_IEEE80211R_AP 1279 if (full_config && wpa_key_mgmt_ft(bss->wpa_key_mgmt) && 1280 (bss->nas_identifier == NULL || 1281 os_strlen(bss->nas_identifier) < 1 || 1282 os_strlen(bss->nas_identifier) > FT_R0KH_ID_MAX_LEN)) { 1283 wpa_printf(MSG_ERROR, "FT (IEEE 802.11r) requires " 1284 "nas_identifier to be configured as a 1..48 octet " 1285 "string"); 1286 return -1; 1287 } 1288 #endif /* CONFIG_IEEE80211R_AP */ 1289 1290 if (full_config && conf->ieee80211n && 1291 conf->hw_mode == HOSTAPD_MODE_IEEE80211B) { 1292 bss->disable_11n = true; 1293 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) in 11b mode is not " 1294 "allowed, disabling HT capabilities"); 1295 } 1296 1297 #ifdef CONFIG_WEP 1298 if (full_config && conf->ieee80211n && 1299 bss->ssid.security_policy == SECURITY_STATIC_WEP) { 1300 bss->disable_11n = true; 1301 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WEP is not " 1302 "allowed, disabling HT capabilities"); 1303 } 1304 #endif /* CONFIG_WEP */ 1305 1306 if (full_config && conf->ieee80211n && bss->wpa && 1307 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) && 1308 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | 1309 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256))) 1310 { 1311 bss->disable_11n = true; 1312 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WPA/WPA2 " 1313 "requires CCMP/GCMP to be enabled, disabling HT " 1314 "capabilities"); 1315 } 1316 1317 #ifdef CONFIG_IEEE80211AC 1318 #ifdef CONFIG_WEP 1319 if (full_config && conf->ieee80211ac && 1320 bss->ssid.security_policy == SECURITY_STATIC_WEP) { 1321 bss->disable_11ac = true; 1322 wpa_printf(MSG_ERROR, 1323 "VHT (IEEE 802.11ac) with WEP is not allowed, disabling VHT capabilities"); 1324 } 1325 #endif /* CONFIG_WEP */ 1326 1327 if (full_config && conf->ieee80211ac && bss->wpa && 1328 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) && 1329 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | 1330 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256))) 1331 { 1332 bss->disable_11ac = true; 1333 wpa_printf(MSG_ERROR, 1334 "VHT (IEEE 802.11ac) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling VHT capabilities"); 1335 } 1336 #endif /* CONFIG_IEEE80211AC */ 1337 1338 #ifdef CONFIG_IEEE80211AX 1339 #ifdef CONFIG_WEP 1340 if (full_config && conf->ieee80211ax && 1341 bss->ssid.security_policy == SECURITY_STATIC_WEP) { 1342 bss->disable_11ax = true; 1343 wpa_printf(MSG_ERROR, 1344 "HE (IEEE 802.11ax) with WEP is not allowed, disabling HE capabilities"); 1345 } 1346 #endif /* CONFIG_WEP */ 1347 1348 if (full_config && conf->ieee80211ax && bss->wpa && 1349 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) && 1350 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | 1351 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256))) 1352 { 1353 bss->disable_11ax = true; 1354 wpa_printf(MSG_ERROR, 1355 "HE (IEEE 802.11ax) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling HE capabilities"); 1356 } 1357 #endif /* CONFIG_IEEE80211AX */ 1358 1359 #ifdef CONFIG_WPS 1360 if (full_config && bss->wps_state && bss->ignore_broadcast_ssid) { 1361 wpa_printf(MSG_INFO, "WPS: ignore_broadcast_ssid " 1362 "configuration forced WPS to be disabled"); 1363 bss->wps_state = 0; 1364 } 1365 1366 #ifdef CONFIG_WEP 1367 if (full_config && bss->wps_state && 1368 bss->ssid.wep.keys_set && bss->wpa == 0) { 1369 wpa_printf(MSG_INFO, "WPS: WEP configuration forced WPS to be " 1370 "disabled"); 1371 bss->wps_state = 0; 1372 } 1373 #endif /* CONFIG_WEP */ 1374 1375 if (full_config && bss->wps_state && bss->wpa && 1376 (!(bss->wpa & 2) || 1377 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | 1378 WPA_CIPHER_CCMP_256 | 1379 WPA_CIPHER_GCMP_256)))) { 1380 wpa_printf(MSG_INFO, "WPS: WPA/TKIP configuration without " 1381 "WPA2/CCMP/GCMP forced WPS to be disabled"); 1382 bss->wps_state = 0; 1383 } 1384 #endif /* CONFIG_WPS */ 1385 1386 #ifdef CONFIG_HS20 1387 if (full_config && bss->hs20 && 1388 (!(bss->wpa & 2) || 1389 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | 1390 WPA_CIPHER_CCMP_256 | 1391 WPA_CIPHER_GCMP_256)))) { 1392 wpa_printf(MSG_ERROR, "HS 2.0: WPA2-Enterprise/CCMP " 1393 "configuration is required for Hotspot 2.0 " 1394 "functionality"); 1395 return -1; 1396 } 1397 #endif /* CONFIG_HS20 */ 1398 1399 #ifdef CONFIG_MBO 1400 if (full_config && bss->mbo_enabled && (bss->wpa & 2) && 1401 bss->ieee80211w == NO_MGMT_FRAME_PROTECTION) { 1402 wpa_printf(MSG_ERROR, 1403 "MBO: PMF needs to be enabled whenever using WPA2 with MBO"); 1404 return -1; 1405 } 1406 #endif /* CONFIG_MBO */ 1407 1408 #ifdef CONFIG_OCV 1409 if (full_config && bss->ieee80211w == NO_MGMT_FRAME_PROTECTION && 1410 bss->ocv) { 1411 wpa_printf(MSG_ERROR, 1412 "OCV: PMF needs to be enabled whenever using OCV"); 1413 return -1; 1414 } 1415 #endif /* CONFIG_OCV */ 1416 1417 #ifdef CONFIG_SAE_PK 1418 if (full_config && hostapd_sae_pk_in_use(bss) && 1419 hostapd_sae_pk_password_without_pk(bss)) { 1420 wpa_printf(MSG_ERROR, 1421 "SAE-PK: SAE password uses SAE-PK style, but does not have PK configured"); 1422 return -1; 1423 } 1424 #endif /* CONFIG_SAE_PK */ 1425 1426 #ifdef CONFIG_FILS 1427 if (full_config && bss->fils_discovery_min_int && 1428 bss->unsol_bcast_probe_resp_interval) { 1429 wpa_printf(MSG_ERROR, 1430 "Cannot enable both FILS discovery and unsolicited broadcast Probe Response at the same time"); 1431 return -1; 1432 } 1433 #endif /* CONFIG_FILS */ 1434 1435 return 0; 1436 } 1437 1438 1439 static int hostapd_config_check_cw(struct hostapd_config *conf, int queue) 1440 { 1441 int tx_cwmin = conf->tx_queue[queue].cwmin; 1442 int tx_cwmax = conf->tx_queue[queue].cwmax; 1443 int ac_cwmin = conf->wmm_ac_params[queue].cwmin; 1444 int ac_cwmax = conf->wmm_ac_params[queue].cwmax; 1445 1446 if (tx_cwmin > tx_cwmax) { 1447 wpa_printf(MSG_ERROR, 1448 "Invalid TX queue cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)", 1449 tx_cwmin, tx_cwmax); 1450 return -1; 1451 } 1452 if (ac_cwmin > ac_cwmax) { 1453 wpa_printf(MSG_ERROR, 1454 "Invalid WMM AC cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)", 1455 ac_cwmin, ac_cwmax); 1456 return -1; 1457 } 1458 return 0; 1459 } 1460 1461 1462 int hostapd_config_check(struct hostapd_config *conf, int full_config) 1463 { 1464 size_t i; 1465 1466 if (full_config && conf->ieee80211d && 1467 (!conf->country[0] || !conf->country[1])) { 1468 wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11d without " 1469 "setting the country_code"); 1470 return -1; 1471 } 1472 1473 if (full_config && conf->ieee80211h && !conf->ieee80211d) { 1474 wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11h without " 1475 "IEEE 802.11d enabled"); 1476 return -1; 1477 } 1478 1479 if (full_config && conf->local_pwr_constraint != -1 && 1480 !conf->ieee80211d) { 1481 wpa_printf(MSG_ERROR, "Cannot add Power Constraint element without Country element"); 1482 return -1; 1483 } 1484 1485 if (full_config && conf->spectrum_mgmt_required && 1486 conf->local_pwr_constraint == -1) { 1487 wpa_printf(MSG_ERROR, "Cannot set Spectrum Management bit without Country and Power Constraint elements"); 1488 return -1; 1489 } 1490 1491 #ifdef CONFIG_AIRTIME_POLICY 1492 if (full_config && conf->airtime_mode > AIRTIME_MODE_STATIC && 1493 !conf->airtime_update_interval) { 1494 wpa_printf(MSG_ERROR, "Airtime update interval cannot be zero"); 1495 return -1; 1496 } 1497 #endif /* CONFIG_AIRTIME_POLICY */ 1498 for (i = 0; i < NUM_TX_QUEUES; i++) { 1499 if (hostapd_config_check_cw(conf, i)) 1500 return -1; 1501 } 1502 1503 for (i = 0; i < conf->num_bss; i++) { 1504 if (hostapd_config_check_bss(conf->bss[i], conf, full_config)) 1505 return -1; 1506 } 1507 1508 return 0; 1509 } 1510 1511 1512 void hostapd_set_security_params(struct hostapd_bss_config *bss, 1513 int full_config) 1514 { 1515 #ifdef CONFIG_WEP 1516 if (bss->individual_wep_key_len == 0) { 1517 /* individual keys are not use; can use key idx0 for 1518 * broadcast keys */ 1519 bss->broadcast_key_idx_min = 0; 1520 } 1521 #endif /* CONFIG_WEP */ 1522 1523 if ((bss->wpa & 2) && bss->rsn_pairwise == 0) 1524 bss->rsn_pairwise = bss->wpa_pairwise; 1525 if (bss->group_cipher) 1526 bss->wpa_group = bss->group_cipher; 1527 else 1528 bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa, 1529 bss->wpa_pairwise, 1530 bss->rsn_pairwise); 1531 if (!bss->wpa_group_rekey_set) 1532 bss->wpa_group_rekey = bss->wpa_group == WPA_CIPHER_TKIP ? 1533 600 : 86400; 1534 1535 if (full_config) { 1536 bss->radius->auth_server = bss->radius->auth_servers; 1537 bss->radius->acct_server = bss->radius->acct_servers; 1538 } 1539 1540 if (bss->wpa && bss->ieee802_1x) { 1541 bss->ssid.security_policy = SECURITY_WPA; 1542 } else if (bss->wpa) { 1543 bss->ssid.security_policy = SECURITY_WPA_PSK; 1544 } else if (bss->ieee802_1x) { 1545 int cipher = WPA_CIPHER_NONE; 1546 bss->ssid.security_policy = SECURITY_IEEE_802_1X; 1547 #ifdef CONFIG_WEP 1548 bss->ssid.wep.default_len = bss->default_wep_key_len; 1549 if (full_config && bss->default_wep_key_len) { 1550 cipher = bss->default_wep_key_len >= 13 ? 1551 WPA_CIPHER_WEP104 : WPA_CIPHER_WEP40; 1552 } else if (full_config && bss->ssid.wep.keys_set) { 1553 if (bss->ssid.wep.len[0] >= 13) 1554 cipher = WPA_CIPHER_WEP104; 1555 else 1556 cipher = WPA_CIPHER_WEP40; 1557 } 1558 #endif /* CONFIG_WEP */ 1559 bss->wpa_group = cipher; 1560 bss->wpa_pairwise = cipher; 1561 bss->rsn_pairwise = cipher; 1562 if (full_config) 1563 bss->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_NO_WPA; 1564 #ifdef CONFIG_WEP 1565 } else if (bss->ssid.wep.keys_set) { 1566 int cipher = WPA_CIPHER_WEP40; 1567 if (bss->ssid.wep.len[0] >= 13) 1568 cipher = WPA_CIPHER_WEP104; 1569 bss->ssid.security_policy = SECURITY_STATIC_WEP; 1570 bss->wpa_group = cipher; 1571 bss->wpa_pairwise = cipher; 1572 bss->rsn_pairwise = cipher; 1573 if (full_config) 1574 bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE; 1575 #endif /* CONFIG_WEP */ 1576 } else if (bss->osen) { 1577 bss->ssid.security_policy = SECURITY_OSEN; 1578 bss->wpa_group = WPA_CIPHER_CCMP; 1579 bss->wpa_pairwise = 0; 1580 bss->rsn_pairwise = WPA_CIPHER_CCMP; 1581 } else { 1582 bss->ssid.security_policy = SECURITY_PLAINTEXT; 1583 if (full_config) { 1584 bss->wpa_group = WPA_CIPHER_NONE; 1585 bss->wpa_pairwise = WPA_CIPHER_NONE; 1586 bss->rsn_pairwise = WPA_CIPHER_NONE; 1587 bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE; 1588 } 1589 } 1590 } 1591 1592 1593 int hostapd_sae_pw_id_in_use(struct hostapd_bss_config *conf) 1594 { 1595 int with_id = 0, without_id = 0; 1596 struct sae_password_entry *pw; 1597 1598 if (conf->ssid.wpa_passphrase) 1599 without_id = 1; 1600 1601 for (pw = conf->sae_passwords; pw; pw = pw->next) { 1602 if (pw->identifier) 1603 with_id = 1; 1604 else 1605 without_id = 1; 1606 if (with_id && without_id) 1607 break; 1608 } 1609 1610 if (with_id && !without_id) 1611 return 2; 1612 return with_id; 1613 } 1614 1615 1616 bool hostapd_sae_pk_in_use(struct hostapd_bss_config *conf) 1617 { 1618 #ifdef CONFIG_SAE_PK 1619 struct sae_password_entry *pw; 1620 1621 for (pw = conf->sae_passwords; pw; pw = pw->next) { 1622 if (pw->pk) 1623 return true; 1624 } 1625 #endif /* CONFIG_SAE_PK */ 1626 1627 return false; 1628 } 1629 1630 1631 #ifdef CONFIG_SAE_PK 1632 bool hostapd_sae_pk_exclusively(struct hostapd_bss_config *conf) 1633 { 1634 bool with_pk = false; 1635 struct sae_password_entry *pw; 1636 1637 if (conf->ssid.wpa_passphrase) 1638 return false; 1639 1640 for (pw = conf->sae_passwords; pw; pw = pw->next) { 1641 if (!pw->pk) 1642 return false; 1643 with_pk = true; 1644 } 1645 1646 return with_pk; 1647 } 1648 #endif /* CONFIG_SAE_PK */ 1649