1 /*
2 * hostapd / Configuration helper functions
3 * Copyright (c) 2003-2024, Jouni Malinen <[email protected]>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "crypto/sha1.h"
13 #include "crypto/tls.h"
14 #include "radius/radius_client.h"
15 #include "common/ieee802_11_defs.h"
16 #include "common/ieee802_1x_defs.h"
17 #include "common/eapol_common.h"
18 #include "common/dhcp.h"
19 #include "common/sae.h"
20 #include "eap_common/eap_wsc_common.h"
21 #include "eap_server/eap.h"
22 #include "wpa_auth.h"
23 #include "sta_info.h"
24 #include "airtime_policy.h"
25 #include "ap_config.h"
26
27
hostapd_config_free_vlan(struct hostapd_bss_config * bss)28 static void hostapd_config_free_vlan(struct hostapd_bss_config *bss)
29 {
30 struct hostapd_vlan *vlan, *prev;
31
32 vlan = bss->vlan;
33 prev = NULL;
34 while (vlan) {
35 prev = vlan;
36 vlan = vlan->next;
37 os_free(prev);
38 }
39
40 bss->vlan = NULL;
41 }
42
43
44 #ifndef DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES
45 #define DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES 0
46 #endif /* DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES */
47
hostapd_config_defaults_bss(struct hostapd_bss_config * bss)48 void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
49 {
50 dl_list_init(&bss->anqp_elem);
51
52 bss->logger_syslog_level = HOSTAPD_LEVEL_INFO;
53 bss->logger_stdout_level = HOSTAPD_LEVEL_INFO;
54 bss->logger_syslog = (unsigned int) -1;
55 bss->logger_stdout = (unsigned int) -1;
56
57 #ifdef CONFIG_WEP
58 bss->auth_algs = WPA_AUTH_ALG_OPEN | WPA_AUTH_ALG_SHARED;
59
60 bss->wep_rekeying_period = 300;
61 /* use key0 in individual key and key1 in broadcast key */
62 bss->broadcast_key_idx_min = 1;
63 bss->broadcast_key_idx_max = 2;
64 #else /* CONFIG_WEP */
65 bss->auth_algs = WPA_AUTH_ALG_OPEN;
66 #endif /* CONFIG_WEP */
67 bss->eap_reauth_period = 3600;
68
69 bss->wpa_group_rekey = 600;
70 bss->wpa_gmk_rekey = 86400;
71 bss->wpa_deny_ptk0_rekey = PTK0_REKEY_ALLOW_ALWAYS;
72 bss->wpa_group_update_count = 4;
73 bss->wpa_pairwise_update_count = 4;
74 bss->wpa_disable_eapol_key_retries =
75 DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES;
76 bss->wpa_key_mgmt = WPA_KEY_MGMT_PSK;
77 #ifdef CONFIG_NO_TKIP
78 bss->wpa_pairwise = WPA_CIPHER_CCMP;
79 bss->wpa_group = WPA_CIPHER_CCMP;
80 #else /* CONFIG_NO_TKIP */
81 bss->wpa_pairwise = WPA_CIPHER_TKIP;
82 bss->wpa_group = WPA_CIPHER_TKIP;
83 #endif /* CONFIG_NO_TKIP */
84 bss->rsn_pairwise = 0;
85
86 bss->max_num_sta = MAX_STA_COUNT;
87
88 bss->dtim_period = 2;
89
90 bss->radius_server_auth_port = 1812;
91 bss->eap_sim_db_timeout = 1;
92 bss->eap_sim_id = 3;
93 bss->eap_sim_aka_fast_reauth_limit = 1000;
94 bss->ap_max_inactivity = AP_MAX_INACTIVITY;
95 bss->bss_max_idle = 1;
96 bss->eapol_version = EAPOL_VERSION;
97
98 bss->max_listen_interval = 65535;
99
100 bss->pwd_group = 19; /* ECC: GF(p=256) */
101
102 bss->assoc_sa_query_max_timeout = 1000;
103 bss->assoc_sa_query_retry_timeout = 201;
104 bss->group_mgmt_cipher = WPA_CIPHER_AES_128_CMAC;
105 #ifdef EAP_SERVER_FAST
106 /* both anonymous and authenticated provisioning */
107 bss->eap_fast_prov = 3;
108 bss->pac_key_lifetime = 7 * 24 * 60 * 60;
109 bss->pac_key_refresh_time = 1 * 24 * 60 * 60;
110 #endif /* EAP_SERVER_FAST */
111
112 /* Set to -1 as defaults depends on HT in setup */
113 bss->wmm_enabled = -1;
114
115 #ifdef CONFIG_IEEE80211R_AP
116 bss->ft_over_ds = 1;
117 bss->rkh_pos_timeout = 86400;
118 bss->rkh_neg_timeout = 60;
119 bss->rkh_pull_timeout = 1000;
120 bss->rkh_pull_retries = 4;
121 bss->r0_key_lifetime = 1209600;
122 #endif /* CONFIG_IEEE80211R_AP */
123
124 bss->radius_das_time_window = 300;
125 bss->radius_require_message_authenticator = 1;
126
127 bss->anti_clogging_threshold = 5;
128 bss->sae_sync = 3;
129
130 bss->gas_frag_limit = 1400;
131
132 #ifdef CONFIG_FILS
133 dl_list_init(&bss->fils_realms);
134 bss->fils_hlp_wait_time = 30;
135 bss->dhcp_server_port = DHCP_SERVER_PORT;
136 bss->dhcp_relay_port = DHCP_SERVER_PORT;
137 bss->fils_discovery_min_int = 20;
138 #endif /* CONFIG_FILS */
139
140 bss->broadcast_deauth = 1;
141
142 #ifdef CONFIG_MBO
143 bss->mbo_cell_data_conn_pref = -1;
144 #endif /* CONFIG_MBO */
145
146 /* Disable TLS v1.3 by default for now to avoid interoperability issue.
147 * This can be enabled by default once the implementation has been fully
148 * completed and tested with other implementations. */
149 bss->tls_flags = TLS_CONN_DISABLE_TLSv1_3;
150
151 bss->max_auth_rounds = 100;
152 bss->max_auth_rounds_short = 50;
153
154 bss->send_probe_response = 1;
155
156 #ifdef CONFIG_HS20
157 bss->hs20_release = (HS20_VERSION >> 4) + 1;
158 #endif /* CONFIG_HS20 */
159
160 #ifdef CONFIG_MACSEC
161 bss->mka_priority = DEFAULT_PRIO_NOT_KEY_SERVER;
162 bss->macsec_port = 1;
163 #endif /* CONFIG_MACSEC */
164
165 /* Default to strict CRL checking. */
166 bss->check_crl_strict = 1;
167
168 bss->multi_ap_profile = MULTI_AP_PROFILE_2;
169
170 #ifdef CONFIG_TESTING_OPTIONS
171 bss->sae_commit_status = -1;
172 bss->test_assoc_comeback_type = -1;
173 #endif /* CONFIG_TESTING_OPTIONS */
174
175 #ifdef CONFIG_PASN
176 /* comeback after 10 TUs */
177 bss->pasn_comeback_after = 10;
178 bss->pasn_noauth = 1;
179 #endif /* CONFIG_PASN */
180 }
181
182
hostapd_config_defaults(void)183 struct hostapd_config * hostapd_config_defaults(void)
184 {
185 #define ecw2cw(ecw) ((1 << (ecw)) - 1)
186
187 struct hostapd_config *conf;
188 struct hostapd_bss_config *bss;
189 const int aCWmin = 4, aCWmax = 10;
190 const struct hostapd_wmm_ac_params ac_bk =
191 { aCWmin, aCWmax, 7, 0, 0 }; /* background traffic */
192 const struct hostapd_wmm_ac_params ac_be =
193 { aCWmin, aCWmax, 3, 0, 0 }; /* best effort traffic */
194 const struct hostapd_wmm_ac_params ac_vi = /* video traffic */
195 { aCWmin - 1, aCWmin, 2, 3008 / 32, 0 };
196 const struct hostapd_wmm_ac_params ac_vo = /* voice traffic */
197 { aCWmin - 2, aCWmin - 1, 2, 1504 / 32, 0 };
198 const struct hostapd_tx_queue_params txq_bk =
199 { 7, ecw2cw(aCWmin), ecw2cw(aCWmax), 0 };
200 const struct hostapd_tx_queue_params txq_be =
201 { 3, ecw2cw(aCWmin), 4 * (ecw2cw(aCWmin) + 1) - 1, 0};
202 const struct hostapd_tx_queue_params txq_vi =
203 { 1, (ecw2cw(aCWmin) + 1) / 2 - 1, ecw2cw(aCWmin), 30};
204 const struct hostapd_tx_queue_params txq_vo =
205 { 1, (ecw2cw(aCWmin) + 1) / 4 - 1,
206 (ecw2cw(aCWmin) + 1) / 2 - 1, 15};
207
208 #undef ecw2cw
209
210 conf = os_zalloc(sizeof(*conf));
211 bss = os_zalloc(sizeof(*bss));
212 if (conf == NULL || bss == NULL) {
213 wpa_printf(MSG_ERROR, "Failed to allocate memory for "
214 "configuration data.");
215 os_free(conf);
216 os_free(bss);
217 return NULL;
218 }
219 conf->bss = os_calloc(1, sizeof(struct hostapd_bss_config *));
220 if (conf->bss == NULL) {
221 os_free(conf);
222 os_free(bss);
223 return NULL;
224 }
225 conf->bss[0] = bss;
226
227 bss->radius = os_zalloc(sizeof(*bss->radius));
228 if (bss->radius == NULL) {
229 os_free(conf->bss);
230 os_free(conf);
231 os_free(bss);
232 return NULL;
233 }
234
235 hostapd_config_defaults_bss(bss);
236
237 conf->num_bss = 1;
238
239 conf->beacon_int = 100;
240 conf->rts_threshold = -2; /* use driver default: 2347 */
241 conf->fragm_threshold = -2; /* user driver default: 2346 */
242 /* Set to invalid value means do not add Power Constraint IE */
243 conf->local_pwr_constraint = -1;
244
245 conf->wmm_ac_params[0] = ac_be;
246 conf->wmm_ac_params[1] = ac_bk;
247 conf->wmm_ac_params[2] = ac_vi;
248 conf->wmm_ac_params[3] = ac_vo;
249
250 conf->tx_queue[0] = txq_vo;
251 conf->tx_queue[1] = txq_vi;
252 conf->tx_queue[2] = txq_be;
253 conf->tx_queue[3] = txq_bk;
254
255 conf->ht_capab = HT_CAP_INFO_SMPS_DISABLED;
256
257 conf->ap_table_max_size = 255;
258 conf->ap_table_expiration_time = 60;
259 conf->track_sta_max_age = 180;
260
261 #ifdef CONFIG_TESTING_OPTIONS
262 conf->ignore_probe_probability = 0.0;
263 conf->ignore_auth_probability = 0.0;
264 conf->ignore_assoc_probability = 0.0;
265 conf->ignore_reassoc_probability = 0.0;
266 conf->corrupt_gtk_rekey_mic_probability = 0.0;
267 conf->ecsa_ie_only = 0;
268 conf->skip_send_eapol = 0;
269 conf->enable_eapol_large_timeout = 0;
270 #endif /* CONFIG_TESTING_OPTIONS */
271
272 conf->acs = 0;
273 conf->acs_ch_list.num = 0;
274 #ifdef CONFIG_ACS
275 conf->acs_num_scans = 5;
276 #endif /* CONFIG_ACS */
277
278 #ifdef CONFIG_IEEE80211AX
279 conf->he_op.he_rts_threshold = HE_OPERATION_RTS_THRESHOLD_MASK >>
280 HE_OPERATION_RTS_THRESHOLD_OFFSET;
281 /* Set default basic MCS/NSS set to single stream MCS 0-7 */
282 conf->he_op.he_basic_mcs_nss_set = 0xfffc;
283 conf->he_op.he_bss_color_disabled = 1;
284 conf->he_op.he_bss_color_partial = 0;
285 conf->he_op.he_bss_color = os_random() % 63 + 1;
286 conf->he_op.he_twt_responder = 1;
287 conf->he_6ghz_max_mpdu = 2;
288 conf->he_6ghz_max_ampdu_len_exp = 7;
289 conf->he_6ghz_rx_ant_pat = 1;
290 conf->he_6ghz_tx_ant_pat = 1;
291 conf->he_6ghz_reg_pwr_type = HE_REG_INFO_6GHZ_AP_TYPE_VLP;
292 conf->reg_def_cli_eirp_psd = -1;
293 conf->reg_sub_cli_eirp_psd = -1;
294 conf->reg_def_cli_eirp = -1;
295 #endif /* CONFIG_IEEE80211AX */
296
297 /* The third octet of the country string uses an ASCII space character
298 * by default to indicate that the regulations encompass all
299 * environments for the current frequency band in the country. */
300 conf->country[2] = ' ';
301
302 conf->rssi_reject_assoc_rssi = 0;
303 conf->rssi_reject_assoc_timeout = 30;
304
305 #ifdef CONFIG_AIRTIME_POLICY
306 conf->airtime_update_interval = AIRTIME_DEFAULT_UPDATE_INTERVAL;
307 #endif /* CONFIG_AIRTIME_POLICY */
308
309 hostapd_set_and_check_bw320_offset(conf, 0);
310
311 return conf;
312 }
313
314
hostapd_mac_comp(const void * a,const void * b)315 int hostapd_mac_comp(const void *a, const void *b)
316 {
317 return os_memcmp(a, b, sizeof(macaddr));
318 }
319
320
hostapd_config_read_wpa_psk(const char * fname,struct hostapd_ssid * ssid)321 static int hostapd_config_read_wpa_psk(const char *fname,
322 struct hostapd_ssid *ssid)
323 {
324 FILE *f;
325 char buf[128], *pos;
326 const char *keyid;
327 char *context;
328 char *context2;
329 char *token;
330 char *name;
331 char *value;
332 int line = 0, ret = 0, len, ok;
333 u8 addr[ETH_ALEN];
334 struct hostapd_wpa_psk *psk;
335
336 if (!fname)
337 return 0;
338
339 f = fopen(fname, "r");
340 if (!f) {
341 wpa_printf(MSG_ERROR, "WPA PSK file '%s' not found.", fname);
342 return -1;
343 }
344
345 while (fgets(buf, sizeof(buf), f)) {
346 int vlan_id = 0;
347 int wps = 0;
348
349 line++;
350
351 if (buf[0] == '#')
352 continue;
353 pos = buf;
354 while (*pos != '\0') {
355 if (*pos == '\n') {
356 *pos = '\0';
357 break;
358 }
359 pos++;
360 }
361 if (buf[0] == '\0')
362 continue;
363
364 context = NULL;
365 keyid = NULL;
366 while ((token = str_token(buf, " ", &context))) {
367 if (!os_strchr(token, '='))
368 break;
369 context2 = NULL;
370 name = str_token(token, "=", &context2);
371 if (!name)
372 break;
373 value = str_token(token, "", &context2);
374 if (!value)
375 value = "";
376 if (!os_strcmp(name, "keyid")) {
377 keyid = value;
378 } else if (!os_strcmp(name, "wps")) {
379 wps = atoi(value);
380 } else if (!os_strcmp(name, "vlanid")) {
381 vlan_id = atoi(value);
382 } else {
383 wpa_printf(MSG_ERROR,
384 "Unrecognized '%s=%s' on line %d in '%s'",
385 name, value, line, fname);
386 ret = -1;
387 break;
388 }
389 }
390
391 if (ret == -1)
392 break;
393
394 if (!token)
395 token = "";
396 if (hwaddr_aton(token, addr)) {
397 wpa_printf(MSG_ERROR,
398 "Invalid MAC address '%s' on line %d in '%s'",
399 token, line, fname);
400 ret = -1;
401 break;
402 }
403
404 psk = os_zalloc(sizeof(*psk));
405 if (psk == NULL) {
406 wpa_printf(MSG_ERROR, "WPA PSK allocation failed");
407 ret = -1;
408 break;
409 }
410 psk->vlan_id = vlan_id;
411 if (is_zero_ether_addr(addr))
412 psk->group = 1;
413 else
414 os_memcpy(psk->addr, addr, ETH_ALEN);
415
416 pos = str_token(buf, "", &context);
417 if (!pos) {
418 wpa_printf(MSG_ERROR, "No PSK on line %d in '%s'",
419 line, fname);
420 os_free(psk);
421 ret = -1;
422 break;
423 }
424
425 ok = 0;
426 len = os_strlen(pos);
427 if (len == 2 * PMK_LEN &&
428 hexstr2bin(pos, psk->psk, PMK_LEN) == 0)
429 ok = 1;
430 else if (len >= 8 && len < 64 &&
431 pbkdf2_sha1(pos, ssid->ssid, ssid->ssid_len,
432 4096, psk->psk, PMK_LEN) == 0)
433 ok = 1;
434 if (!ok) {
435 wpa_printf(MSG_ERROR,
436 "Invalid PSK '%s' on line %d in '%s'",
437 pos, line, fname);
438 os_free(psk);
439 ret = -1;
440 break;
441 }
442
443 if (keyid) {
444 len = os_strlcpy(psk->keyid, keyid, sizeof(psk->keyid));
445 if ((size_t) len >= sizeof(psk->keyid)) {
446 wpa_printf(MSG_ERROR,
447 "PSK keyid too long on line %d in '%s'",
448 line, fname);
449 os_free(psk);
450 ret = -1;
451 break;
452 }
453 }
454
455 psk->wps = wps;
456
457 psk->next = ssid->wpa_psk;
458 ssid->wpa_psk = psk;
459 }
460
461 fclose(f);
462
463 return ret;
464 }
465
466
hostapd_derive_psk(struct hostapd_ssid * ssid)467 static int hostapd_derive_psk(struct hostapd_ssid *ssid)
468 {
469 ssid->wpa_psk = os_zalloc(sizeof(struct hostapd_wpa_psk));
470 if (ssid->wpa_psk == NULL) {
471 wpa_printf(MSG_ERROR, "Unable to alloc space for PSK");
472 return -1;
473 }
474 wpa_hexdump_ascii(MSG_DEBUG, "SSID",
475 (u8 *) ssid->ssid, ssid->ssid_len);
476 wpa_hexdump_ascii_key(MSG_DEBUG, "PSK (ASCII passphrase)",
477 (u8 *) ssid->wpa_passphrase,
478 os_strlen(ssid->wpa_passphrase));
479 if (pbkdf2_sha1(ssid->wpa_passphrase,
480 ssid->ssid, ssid->ssid_len,
481 4096, ssid->wpa_psk->psk, PMK_LEN) != 0) {
482 wpa_printf(MSG_ERROR, "Error in pbkdf2_sha1()");
483 return -1;
484 }
485 wpa_hexdump_key(MSG_DEBUG, "PSK (from passphrase)",
486 ssid->wpa_psk->psk, PMK_LEN);
487 return 0;
488 }
489
490
hostapd_setup_sae_pt(struct hostapd_bss_config * conf)491 int hostapd_setup_sae_pt(struct hostapd_bss_config *conf)
492 {
493 #ifdef CONFIG_SAE
494 struct hostapd_ssid *ssid = &conf->ssid;
495 struct sae_password_entry *pw;
496 int *groups = conf->sae_groups;
497 int default_groups[] = { 19, 0, 0 };
498
499 if ((conf->sae_pwe == SAE_PWE_HUNT_AND_PECK &&
500 !hostapd_sae_pw_id_in_use(conf) &&
501 !wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt |
502 conf->rsn_override_key_mgmt |
503 conf->rsn_override_key_mgmt_2) &&
504 !hostapd_sae_pk_in_use(conf)) ||
505 conf->sae_pwe == SAE_PWE_FORCE_HUNT_AND_PECK ||
506 !wpa_key_mgmt_sae(conf->wpa_key_mgmt |
507 conf->rsn_override_key_mgmt |
508 conf->rsn_override_key_mgmt_2))
509 return 0; /* PT not needed */
510
511 if (!groups) {
512 groups = default_groups;
513 if (wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt |
514 conf->rsn_override_key_mgmt |
515 conf->rsn_override_key_mgmt_2))
516 default_groups[1] = 20;
517 }
518
519 sae_deinit_pt(ssid->pt);
520 ssid->pt = NULL;
521 if (ssid->wpa_passphrase) {
522 ssid->pt = sae_derive_pt(groups, ssid->ssid, ssid->ssid_len,
523 (const u8 *) ssid->wpa_passphrase,
524 os_strlen(ssid->wpa_passphrase),
525 NULL);
526 if (!ssid->pt)
527 return -1;
528 }
529
530 for (pw = conf->sae_passwords; pw; pw = pw->next) {
531 sae_deinit_pt(pw->pt);
532 pw->pt = sae_derive_pt(groups, ssid->ssid, ssid->ssid_len,
533 (const u8 *) pw->password,
534 os_strlen(pw->password),
535 pw->identifier);
536 if (!pw->pt)
537 return -1;
538 }
539 #endif /* CONFIG_SAE */
540
541 return 0;
542 }
543
544
hostapd_setup_wpa_psk(struct hostapd_bss_config * conf)545 int hostapd_setup_wpa_psk(struct hostapd_bss_config *conf)
546 {
547 struct hostapd_ssid *ssid = &conf->ssid;
548
549 if (hostapd_setup_sae_pt(conf) < 0)
550 return -1;
551
552 if (ssid->wpa_passphrase != NULL) {
553 if (ssid->wpa_psk != NULL) {
554 wpa_printf(MSG_DEBUG, "Using pre-configured WPA PSK "
555 "instead of passphrase");
556 } else {
557 wpa_printf(MSG_DEBUG, "Deriving WPA PSK based on "
558 "passphrase");
559 if (hostapd_derive_psk(ssid) < 0)
560 return -1;
561 }
562 ssid->wpa_psk->group = 1;
563 }
564
565 return hostapd_config_read_wpa_psk(ssid->wpa_psk_file, &conf->ssid);
566 }
567
568
hostapd_config_free_radius(struct hostapd_radius_server * servers,int num_servers)569 static void hostapd_config_free_radius(struct hostapd_radius_server *servers,
570 int num_servers)
571 {
572 int i;
573
574 for (i = 0; i < num_servers; i++) {
575 os_free(servers[i].shared_secret);
576 os_free(servers[i].ca_cert);
577 os_free(servers[i].client_cert);
578 os_free(servers[i].private_key);
579 os_free(servers[i].private_key_passwd);
580 }
581 os_free(servers);
582 }
583
584
585 struct hostapd_radius_attr *
hostapd_config_get_radius_attr(struct hostapd_radius_attr * attr,u8 type)586 hostapd_config_get_radius_attr(struct hostapd_radius_attr *attr, u8 type)
587 {
588 for (; attr; attr = attr->next) {
589 if (attr->type == type)
590 return attr;
591 }
592 return NULL;
593 }
594
595
hostapd_parse_radius_attr(const char * value)596 struct hostapd_radius_attr * hostapd_parse_radius_attr(const char *value)
597 {
598 const char *pos;
599 char syntax;
600 struct hostapd_radius_attr *attr;
601 size_t len;
602
603 attr = os_zalloc(sizeof(*attr));
604 if (!attr)
605 return NULL;
606
607 attr->type = atoi(value);
608
609 pos = os_strchr(value, ':');
610 if (!pos) {
611 attr->val = wpabuf_alloc(1);
612 if (!attr->val) {
613 os_free(attr);
614 return NULL;
615 }
616 wpabuf_put_u8(attr->val, 0);
617 return attr;
618 }
619
620 pos++;
621 if (pos[0] == '\0' || pos[1] != ':') {
622 os_free(attr);
623 return NULL;
624 }
625 syntax = *pos++;
626 pos++;
627
628 switch (syntax) {
629 case 's':
630 attr->val = wpabuf_alloc_copy(pos, os_strlen(pos));
631 break;
632 case 'x':
633 len = os_strlen(pos);
634 if (len & 1)
635 break;
636 len /= 2;
637 attr->val = wpabuf_alloc(len);
638 if (!attr->val)
639 break;
640 if (hexstr2bin(pos, wpabuf_put(attr->val, len), len) < 0) {
641 wpabuf_free(attr->val);
642 os_free(attr);
643 return NULL;
644 }
645 break;
646 case 'd':
647 attr->val = wpabuf_alloc(4);
648 if (attr->val)
649 wpabuf_put_be32(attr->val, atoi(pos));
650 break;
651 default:
652 os_free(attr);
653 return NULL;
654 }
655
656 if (!attr->val) {
657 os_free(attr);
658 return NULL;
659 }
660
661 return attr;
662 }
663
664
hostapd_config_free_radius_attr(struct hostapd_radius_attr * attr)665 void hostapd_config_free_radius_attr(struct hostapd_radius_attr *attr)
666 {
667 struct hostapd_radius_attr *prev;
668
669 while (attr) {
670 prev = attr;
671 attr = attr->next;
672 wpabuf_free(prev->val);
673 os_free(prev);
674 }
675 }
676
677
hostapd_config_free_eap_user(struct hostapd_eap_user * user)678 void hostapd_config_free_eap_user(struct hostapd_eap_user *user)
679 {
680 hostapd_config_free_radius_attr(user->accept_attr);
681 os_free(user->identity);
682 bin_clear_free(user->password, user->password_len);
683 bin_clear_free(user->salt, user->salt_len);
684 os_free(user);
685 }
686
687
hostapd_config_free_eap_users(struct hostapd_eap_user * user)688 void hostapd_config_free_eap_users(struct hostapd_eap_user *user)
689 {
690 struct hostapd_eap_user *prev_user;
691
692 while (user) {
693 prev_user = user;
694 user = user->next;
695 hostapd_config_free_eap_user(prev_user);
696 }
697 }
698
699
700 #ifdef CONFIG_WEP
hostapd_config_free_wep(struct hostapd_wep_keys * keys)701 static void hostapd_config_free_wep(struct hostapd_wep_keys *keys)
702 {
703 int i;
704 for (i = 0; i < NUM_WEP_KEYS; i++) {
705 bin_clear_free(keys->key[i], keys->len[i]);
706 keys->key[i] = NULL;
707 }
708 }
709 #endif /* CONFIG_WEP */
710
711
hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk ** l)712 void hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk **l)
713 {
714 struct hostapd_wpa_psk *psk, *tmp;
715
716 for (psk = *l; psk;) {
717 tmp = psk;
718 psk = psk->next;
719 bin_clear_free(tmp, sizeof(*tmp));
720 }
721 *l = NULL;
722 }
723
724
725 #ifdef CONFIG_IEEE80211R_AP
726
hostapd_config_clear_rxkhs(struct hostapd_bss_config * conf)727 void hostapd_config_clear_rxkhs(struct hostapd_bss_config *conf)
728 {
729 struct ft_remote_r0kh *r0kh, *r0kh_prev;
730 struct ft_remote_r1kh *r1kh, *r1kh_prev;
731
732 r0kh = conf->r0kh_list;
733 conf->r0kh_list = NULL;
734 while (r0kh) {
735 r0kh_prev = r0kh;
736 r0kh = r0kh->next;
737 os_free(r0kh_prev);
738 }
739
740 r1kh = conf->r1kh_list;
741 conf->r1kh_list = NULL;
742 while (r1kh) {
743 r1kh_prev = r1kh;
744 r1kh = r1kh->next;
745 os_free(r1kh_prev);
746 }
747 }
748
749 #endif /* CONFIG_IEEE80211R_AP */
750
751
hostapd_config_free_anqp_elem(struct hostapd_bss_config * conf)752 static void hostapd_config_free_anqp_elem(struct hostapd_bss_config *conf)
753 {
754 struct anqp_element *elem;
755
756 while ((elem = dl_list_first(&conf->anqp_elem, struct anqp_element,
757 list))) {
758 dl_list_del(&elem->list);
759 wpabuf_free(elem->payload);
760 os_free(elem);
761 }
762 }
763
764
hostapd_config_free_fils_realms(struct hostapd_bss_config * conf)765 static void hostapd_config_free_fils_realms(struct hostapd_bss_config *conf)
766 {
767 #ifdef CONFIG_FILS
768 struct fils_realm *realm;
769
770 while ((realm = dl_list_first(&conf->fils_realms, struct fils_realm,
771 list))) {
772 dl_list_del(&realm->list);
773 os_free(realm);
774 }
775 #endif /* CONFIG_FILS */
776 }
777
778
hostapd_config_free_sae_passwords(struct hostapd_bss_config * conf)779 static void hostapd_config_free_sae_passwords(struct hostapd_bss_config *conf)
780 {
781 struct sae_password_entry *pw, *tmp;
782
783 pw = conf->sae_passwords;
784 conf->sae_passwords = NULL;
785 while (pw) {
786 tmp = pw;
787 pw = pw->next;
788 str_clear_free(tmp->password);
789 os_free(tmp->identifier);
790 #ifdef CONFIG_SAE
791 sae_deinit_pt(tmp->pt);
792 #endif /* CONFIG_SAE */
793 #ifdef CONFIG_SAE_PK
794 sae_deinit_pk(tmp->pk);
795 #endif /* CONFIG_SAE_PK */
796 os_free(tmp);
797 }
798 }
799
800
801 #ifdef CONFIG_DPP2
hostapd_dpp_controller_conf_free(struct dpp_controller_conf * conf)802 static void hostapd_dpp_controller_conf_free(struct dpp_controller_conf *conf)
803 {
804 struct dpp_controller_conf *prev;
805
806 while (conf) {
807 prev = conf;
808 conf = conf->next;
809 os_free(prev);
810 }
811 }
812 #endif /* CONFIG_DPP2 */
813
814
hostapd_config_free_bss(struct hostapd_bss_config * conf)815 void hostapd_config_free_bss(struct hostapd_bss_config *conf)
816 {
817 #if defined(CONFIG_WPS) || defined(CONFIG_HS20)
818 size_t i;
819 #endif
820
821 if (conf == NULL)
822 return;
823
824 hostapd_config_clear_wpa_psk(&conf->ssid.wpa_psk);
825
826 str_clear_free(conf->ssid.wpa_passphrase);
827 os_free(conf->ssid.wpa_psk_file);
828 #ifdef CONFIG_WEP
829 hostapd_config_free_wep(&conf->ssid.wep);
830 #endif /* CONFIG_WEP */
831 #ifdef CONFIG_FULL_DYNAMIC_VLAN
832 os_free(conf->ssid.vlan_tagged_interface);
833 #endif /* CONFIG_FULL_DYNAMIC_VLAN */
834 #ifdef CONFIG_SAE
835 sae_deinit_pt(conf->ssid.pt);
836 #endif /* CONFIG_SAE */
837
838 hostapd_config_free_eap_users(conf->eap_user);
839 os_free(conf->eap_user_sqlite);
840
841 os_free(conf->eap_req_id_text);
842 os_free(conf->erp_domain);
843 os_free(conf->accept_mac);
844 os_free(conf->deny_mac);
845 os_free(conf->nas_identifier);
846 if (conf->radius) {
847 hostapd_config_free_radius(conf->radius->auth_servers,
848 conf->radius->num_auth_servers);
849 hostapd_config_free_radius(conf->radius->acct_servers,
850 conf->radius->num_acct_servers);
851 os_free(conf->radius->force_client_dev);
852 }
853 hostapd_config_free_radius_attr(conf->radius_auth_req_attr);
854 hostapd_config_free_radius_attr(conf->radius_acct_req_attr);
855 os_free(conf->radius_req_attr_sqlite);
856 os_free(conf->rsn_preauth_interfaces);
857 os_free(conf->ctrl_interface);
858 os_free(conf->config_id);
859 os_free(conf->ca_cert);
860 os_free(conf->server_cert);
861 os_free(conf->server_cert2);
862 os_free(conf->private_key);
863 os_free(conf->private_key2);
864 os_free(conf->private_key_passwd);
865 os_free(conf->private_key_passwd2);
866 os_free(conf->check_cert_subject);
867 os_free(conf->ocsp_stapling_response);
868 os_free(conf->ocsp_stapling_response_multi);
869 os_free(conf->dh_file);
870 os_free(conf->openssl_ciphers);
871 os_free(conf->openssl_ecdh_curves);
872 os_free(conf->pac_opaque_encr_key);
873 os_free(conf->eap_fast_a_id);
874 os_free(conf->eap_fast_a_id_info);
875 os_free(conf->eap_sim_db);
876 os_free(conf->imsi_privacy_key);
877 os_free(conf->radius_server_clients);
878 os_free(conf->radius);
879 os_free(conf->radius_das_shared_secret);
880 hostapd_config_free_vlan(conf);
881 os_free(conf->time_zone);
882
883 #ifdef CONFIG_IEEE80211R_AP
884 hostapd_config_clear_rxkhs(conf);
885 os_free(conf->rxkh_file);
886 conf->rxkh_file = NULL;
887 #endif /* CONFIG_IEEE80211R_AP */
888
889 #ifdef CONFIG_WPS
890 os_free(conf->wps_pin_requests);
891 os_free(conf->device_name);
892 os_free(conf->manufacturer);
893 os_free(conf->model_name);
894 os_free(conf->model_number);
895 os_free(conf->serial_number);
896 os_free(conf->config_methods);
897 os_free(conf->ap_pin);
898 os_free(conf->extra_cred);
899 os_free(conf->ap_settings);
900 hostapd_config_clear_wpa_psk(&conf->multi_ap_backhaul_ssid.wpa_psk);
901 str_clear_free(conf->multi_ap_backhaul_ssid.wpa_passphrase);
902 os_free(conf->upnp_iface);
903 os_free(conf->friendly_name);
904 os_free(conf->manufacturer_url);
905 os_free(conf->model_description);
906 os_free(conf->model_url);
907 os_free(conf->upc);
908 for (i = 0; i < MAX_WPS_VENDOR_EXTENSIONS; i++)
909 wpabuf_free(conf->wps_vendor_ext[i]);
910 wpabuf_free(conf->wps_application_ext);
911 wpabuf_free(conf->wps_nfc_dh_pubkey);
912 wpabuf_free(conf->wps_nfc_dh_privkey);
913 wpabuf_free(conf->wps_nfc_dev_pw);
914 #endif /* CONFIG_WPS */
915
916 os_free(conf->roaming_consortium);
917 os_free(conf->venue_name);
918 os_free(conf->venue_url);
919 os_free(conf->nai_realm_data);
920 os_free(conf->network_auth_type);
921 os_free(conf->anqp_3gpp_cell_net);
922 os_free(conf->domain_name);
923 hostapd_config_free_anqp_elem(conf);
924
925 #ifdef CONFIG_RADIUS_TEST
926 os_free(conf->dump_msk_file);
927 #endif /* CONFIG_RADIUS_TEST */
928
929 #ifdef CONFIG_HS20
930 os_free(conf->hs20_oper_friendly_name);
931 os_free(conf->hs20_wan_metrics);
932 os_free(conf->hs20_connection_capability);
933 os_free(conf->hs20_operating_class);
934 os_free(conf->hs20_icons);
935 if (conf->hs20_osu_providers) {
936 for (i = 0; i < conf->hs20_osu_providers_count; i++) {
937 struct hs20_osu_provider *p;
938 size_t j;
939 p = &conf->hs20_osu_providers[i];
940 os_free(p->friendly_name);
941 os_free(p->server_uri);
942 os_free(p->method_list);
943 for (j = 0; j < p->icons_count; j++)
944 os_free(p->icons[j]);
945 os_free(p->icons);
946 os_free(p->osu_nai);
947 os_free(p->osu_nai2);
948 os_free(p->service_desc);
949 }
950 os_free(conf->hs20_osu_providers);
951 }
952 if (conf->hs20_operator_icon) {
953 for (i = 0; i < conf->hs20_operator_icon_count; i++)
954 os_free(conf->hs20_operator_icon[i]);
955 os_free(conf->hs20_operator_icon);
956 }
957 os_free(conf->subscr_remediation_url);
958 os_free(conf->hs20_sim_provisioning_url);
959 os_free(conf->t_c_filename);
960 os_free(conf->t_c_server_url);
961 #endif /* CONFIG_HS20 */
962
963 wpabuf_free(conf->vendor_elements);
964 wpabuf_free(conf->assocresp_elements);
965
966 os_free(conf->sae_groups);
967 #ifdef CONFIG_OWE
968 os_free(conf->owe_groups);
969 #endif /* CONFIG_OWE */
970
971 os_free(conf->wowlan_triggers);
972
973 os_free(conf->server_id);
974
975 #ifdef CONFIG_TESTING_OPTIONS
976 wpabuf_free(conf->own_ie_override);
977 wpabuf_free(conf->rsne_override);
978 wpabuf_free(conf->rsnoe_override);
979 wpabuf_free(conf->rsno2e_override);
980 wpabuf_free(conf->rsnxe_override);
981 wpabuf_free(conf->rsnxoe_override);
982 wpabuf_free(conf->sae_commit_override);
983 wpabuf_free(conf->rsne_override_eapol);
984 wpabuf_free(conf->rsnxe_override_eapol);
985 wpabuf_free(conf->rsne_override_ft);
986 wpabuf_free(conf->rsnxe_override_ft);
987 wpabuf_free(conf->gtk_rsc_override);
988 wpabuf_free(conf->igtk_rsc_override);
989 wpabuf_free(conf->eapol_m1_elements);
990 wpabuf_free(conf->eapol_m3_elements);
991 wpabuf_free(conf->presp_elements);
992 #endif /* CONFIG_TESTING_OPTIONS */
993
994 os_free(conf->no_probe_resp_if_seen_on);
995 os_free(conf->no_auth_if_seen_on);
996
997 hostapd_config_free_fils_realms(conf);
998
999 #ifdef CONFIG_DPP
1000 os_free(conf->dpp_name);
1001 os_free(conf->dpp_mud_url);
1002 os_free(conf->dpp_extra_conf_req_name);
1003 os_free(conf->dpp_extra_conf_req_value);
1004 os_free(conf->dpp_connector);
1005 wpabuf_free(conf->dpp_netaccesskey);
1006 wpabuf_free(conf->dpp_csign);
1007 #ifdef CONFIG_DPP2
1008 hostapd_dpp_controller_conf_free(conf->dpp_controller);
1009 #endif /* CONFIG_DPP2 */
1010 #endif /* CONFIG_DPP */
1011
1012 hostapd_config_free_sae_passwords(conf);
1013
1014 #ifdef CONFIG_AIRTIME_POLICY
1015 {
1016 struct airtime_sta_weight *wt, *wt_prev;
1017
1018 wt = conf->airtime_weight_list;
1019 conf->airtime_weight_list = NULL;
1020 while (wt) {
1021 wt_prev = wt;
1022 wt = wt->next;
1023 os_free(wt_prev);
1024 }
1025 }
1026 #endif /* CONFIG_AIRTIME_POLICY */
1027
1028 #ifdef CONFIG_PASN
1029 os_free(conf->pasn_groups);
1030 #endif /* CONFIG_PASN */
1031
1032 os_free(conf);
1033 }
1034
1035
1036 /**
1037 * hostapd_config_free - Free hostapd configuration
1038 * @conf: Configuration data from hostapd_config_read().
1039 */
hostapd_config_free(struct hostapd_config * conf)1040 void hostapd_config_free(struct hostapd_config *conf)
1041 {
1042 size_t i;
1043
1044 if (conf == NULL)
1045 return;
1046
1047 for (i = 0; i < conf->num_bss; i++)
1048 hostapd_config_free_bss(conf->bss[i]);
1049 os_free(conf->bss);
1050 os_free(conf->supported_rates);
1051 os_free(conf->basic_rates);
1052 os_free(conf->acs_ch_list.range);
1053 os_free(conf->acs_freq_list.range);
1054 os_free(conf->driver_params);
1055 #ifdef CONFIG_ACS
1056 os_free(conf->acs_chan_bias);
1057 #endif /* CONFIG_ACS */
1058 wpabuf_free(conf->lci);
1059 wpabuf_free(conf->civic);
1060
1061 os_free(conf);
1062 }
1063
1064
1065 /**
1066 * hostapd_maclist_found - Find a MAC address from a list
1067 * @list: MAC address list
1068 * @num_entries: Number of addresses in the list
1069 * @addr: Address to search for
1070 * @vlan_id: Buffer for returning VLAN ID or %NULL if not needed
1071 * Returns: 1 if address is in the list or 0 if not.
1072 *
1073 * Perform a binary search for given MAC address from a pre-sorted list.
1074 */
hostapd_maclist_found(struct mac_acl_entry * list,int num_entries,const u8 * addr,struct vlan_description * vlan_id)1075 int hostapd_maclist_found(struct mac_acl_entry *list, int num_entries,
1076 const u8 *addr, struct vlan_description *vlan_id)
1077 {
1078 int start, end, middle, res;
1079
1080 start = 0;
1081 end = num_entries - 1;
1082
1083 while (start <= end) {
1084 middle = (start + end) / 2;
1085 res = os_memcmp(list[middle].addr, addr, ETH_ALEN);
1086 if (res == 0) {
1087 if (vlan_id)
1088 *vlan_id = list[middle].vlan_id;
1089 return 1;
1090 }
1091 if (res < 0)
1092 start = middle + 1;
1093 else
1094 end = middle - 1;
1095 }
1096
1097 return 0;
1098 }
1099
1100
hostapd_rate_found(int * list,int rate)1101 int hostapd_rate_found(int *list, int rate)
1102 {
1103 int i;
1104
1105 if (list == NULL)
1106 return 0;
1107
1108 for (i = 0; list[i] >= 0; i++)
1109 if (list[i] == rate)
1110 return 1;
1111
1112 return 0;
1113 }
1114
1115
hostapd_vlan_valid(struct hostapd_vlan * vlan,struct vlan_description * vlan_desc)1116 int hostapd_vlan_valid(struct hostapd_vlan *vlan,
1117 struct vlan_description *vlan_desc)
1118 {
1119 struct hostapd_vlan *v = vlan;
1120 int i;
1121
1122 if (!vlan_desc->notempty || vlan_desc->untagged < 0 ||
1123 vlan_desc->untagged > MAX_VLAN_ID)
1124 return 0;
1125 for (i = 0; i < MAX_NUM_TAGGED_VLAN; i++) {
1126 if (vlan_desc->tagged[i] < 0 ||
1127 vlan_desc->tagged[i] > MAX_VLAN_ID)
1128 return 0;
1129 }
1130 if (!vlan_desc->untagged && !vlan_desc->tagged[0])
1131 return 0;
1132
1133 while (v) {
1134 if (!vlan_compare(&v->vlan_desc, vlan_desc) ||
1135 v->vlan_id == VLAN_ID_WILDCARD)
1136 return 1;
1137 v = v->next;
1138 }
1139 return 0;
1140 }
1141
1142
hostapd_get_vlan_id_ifname(struct hostapd_vlan * vlan,int vlan_id)1143 const char * hostapd_get_vlan_id_ifname(struct hostapd_vlan *vlan, int vlan_id)
1144 {
1145 struct hostapd_vlan *v = vlan;
1146 while (v) {
1147 if (v->vlan_id == vlan_id)
1148 return v->ifname;
1149 v = v->next;
1150 }
1151 return NULL;
1152 }
1153
1154
hostapd_get_psk(const struct hostapd_bss_config * conf,const u8 * addr,const u8 * p2p_dev_addr,const u8 * prev_psk,int * vlan_id)1155 const u8 * hostapd_get_psk(const struct hostapd_bss_config *conf,
1156 const u8 *addr, const u8 *p2p_dev_addr,
1157 const u8 *prev_psk, int *vlan_id)
1158 {
1159 struct hostapd_wpa_psk *psk;
1160 int next_ok = prev_psk == NULL;
1161
1162 if (vlan_id)
1163 *vlan_id = 0;
1164
1165 if (p2p_dev_addr && !is_zero_ether_addr(p2p_dev_addr)) {
1166 wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR
1167 " p2p_dev_addr=" MACSTR " prev_psk=%p",
1168 MAC2STR(addr), MAC2STR(p2p_dev_addr), prev_psk);
1169 addr = NULL; /* Use P2P Device Address for matching */
1170 } else {
1171 wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR
1172 " prev_psk=%p",
1173 MAC2STR(addr), prev_psk);
1174 }
1175
1176 for (psk = conf->ssid.wpa_psk; psk != NULL; psk = psk->next) {
1177 if (next_ok &&
1178 (psk->group ||
1179 (addr && ether_addr_equal(psk->addr, addr)) ||
1180 (!addr && p2p_dev_addr &&
1181 ether_addr_equal(psk->p2p_dev_addr, p2p_dev_addr)))) {
1182 if (vlan_id)
1183 *vlan_id = psk->vlan_id;
1184 return psk->psk;
1185 }
1186
1187 if (psk->psk == prev_psk)
1188 next_ok = 1;
1189 }
1190
1191 return NULL;
1192 }
1193
1194
1195 #ifdef CONFIG_SAE_PK
hostapd_sae_pk_password_without_pk(struct hostapd_bss_config * bss)1196 static bool hostapd_sae_pk_password_without_pk(struct hostapd_bss_config *bss)
1197 {
1198 struct sae_password_entry *pw;
1199 bool res = false;
1200
1201 if (bss->ssid.wpa_passphrase &&
1202 #ifdef CONFIG_TESTING_OPTIONS
1203 !bss->sae_pk_password_check_skip &&
1204 #endif /* CONFIG_TESTING_OPTIONS */
1205 sae_pk_valid_password(bss->ssid.wpa_passphrase))
1206 res = true;
1207
1208 for (pw = bss->sae_passwords; pw; pw = pw->next) {
1209 if (!pw->pk &&
1210 #ifdef CONFIG_TESTING_OPTIONS
1211 !bss->sae_pk_password_check_skip &&
1212 #endif /* CONFIG_TESTING_OPTIONS */
1213 sae_pk_valid_password(pw->password))
1214 return true;
1215
1216 if (bss->ssid.wpa_passphrase && res && pw->pk &&
1217 os_strcmp(bss->ssid.wpa_passphrase, pw->password) == 0)
1218 res = false;
1219 }
1220
1221 return res;
1222 }
1223 #endif /* CONFIG_SAE_PK */
1224
1225
hostapd_config_check_bss_6g(struct hostapd_bss_config * bss)1226 static bool hostapd_config_check_bss_6g(struct hostapd_bss_config *bss)
1227 {
1228 if (bss->wpa != WPA_PROTO_RSN) {
1229 wpa_printf(MSG_ERROR,
1230 "Pre-RSNA security methods are not allowed in 6 GHz");
1231 return false;
1232 }
1233
1234 if (bss->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED) {
1235 wpa_printf(MSG_ERROR,
1236 "Management frame protection is required in 6 GHz");
1237 return false;
1238 }
1239
1240 if (bss->wpa_key_mgmt & (WPA_KEY_MGMT_PSK |
1241 WPA_KEY_MGMT_FT_PSK |
1242 WPA_KEY_MGMT_PSK_SHA256)) {
1243 wpa_printf(MSG_ERROR, "Invalid AKM suite for 6 GHz");
1244 return false;
1245 }
1246
1247 if (bss->rsn_pairwise & (WPA_CIPHER_WEP40 |
1248 WPA_CIPHER_WEP104 |
1249 WPA_CIPHER_TKIP)) {
1250 wpa_printf(MSG_ERROR,
1251 "Invalid pairwise cipher suite for 6 GHz");
1252 return false;
1253 }
1254
1255 if (bss->wpa_group & (WPA_CIPHER_WEP40 |
1256 WPA_CIPHER_WEP104 |
1257 WPA_CIPHER_TKIP)) {
1258 wpa_printf(MSG_ERROR, "Invalid group cipher suite for 6 GHz");
1259 return false;
1260 }
1261
1262 #ifdef CONFIG_SAE
1263 if (wpa_key_mgmt_sae(bss->wpa_key_mgmt) &&
1264 bss->sae_pwe == SAE_PWE_HUNT_AND_PECK) {
1265 wpa_printf(MSG_INFO, "SAE: Enabling SAE H2E on 6 GHz");
1266 bss->sae_pwe = SAE_PWE_BOTH;
1267 }
1268 #endif /* CONFIG_SAE */
1269
1270 return true;
1271 }
1272
1273
hostapd_config_check_bss(struct hostapd_bss_config * bss,struct hostapd_config * conf,int full_config)1274 static int hostapd_config_check_bss(struct hostapd_bss_config *bss,
1275 struct hostapd_config *conf,
1276 int full_config)
1277 {
1278 if (full_config && is_6ghz_op_class(conf->op_class) &&
1279 !hostapd_config_check_bss_6g(bss))
1280 return -1;
1281
1282 if (full_config && bss->ieee802_1x && !bss->eap_server &&
1283 !bss->radius->auth_servers) {
1284 wpa_printf(MSG_ERROR, "Invalid IEEE 802.1X configuration (no "
1285 "EAP authenticator configured).");
1286 return -1;
1287 }
1288
1289 #ifdef CONFIG_WEP
1290 if (bss->wpa) {
1291 int wep, i;
1292
1293 wep = bss->default_wep_key_len > 0 ||
1294 bss->individual_wep_key_len > 0;
1295 for (i = 0; i < NUM_WEP_KEYS; i++) {
1296 if (bss->ssid.wep.keys_set) {
1297 wep = 1;
1298 break;
1299 }
1300 }
1301
1302 if (wep) {
1303 wpa_printf(MSG_ERROR, "WEP configuration in a WPA network is not supported");
1304 return -1;
1305 }
1306 }
1307 #endif /* CONFIG_WEP */
1308
1309 if (full_config && bss->wpa &&
1310 bss->wpa_psk_radius != PSK_RADIUS_IGNORED &&
1311 bss->wpa_psk_radius != PSK_RADIUS_DURING_4WAY_HS &&
1312 bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH) {
1313 wpa_printf(MSG_ERROR, "WPA-PSK using RADIUS enabled, but no "
1314 "RADIUS checking (macaddr_acl=2) enabled.");
1315 return -1;
1316 }
1317
1318 if (full_config && bss->wpa &&
1319 wpa_key_mgmt_wpa_psk_no_sae(bss->wpa_key_mgmt) &&
1320 bss->ssid.wpa_psk == NULL && bss->ssid.wpa_passphrase == NULL &&
1321 bss->ssid.wpa_psk_file == NULL &&
1322 bss->wpa_psk_radius != PSK_RADIUS_DURING_4WAY_HS &&
1323 (bss->wpa_psk_radius != PSK_RADIUS_REQUIRED ||
1324 bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH)) {
1325 wpa_printf(MSG_ERROR, "WPA-PSK enabled, but PSK or passphrase "
1326 "is not configured.");
1327 return -1;
1328 }
1329
1330 if (full_config && !is_zero_ether_addr(bss->bssid)) {
1331 size_t i;
1332
1333 for (i = 0; i < conf->num_bss; i++) {
1334 if (conf->bss[i] != bss &&
1335 (hostapd_mac_comp(conf->bss[i]->bssid,
1336 bss->bssid) == 0)) {
1337 wpa_printf(MSG_ERROR, "Duplicate BSSID " MACSTR
1338 " on interface '%s' and '%s'.",
1339 MAC2STR(bss->bssid),
1340 conf->bss[i]->iface, bss->iface);
1341 return -1;
1342 }
1343 }
1344 }
1345
1346 #ifdef CONFIG_IEEE80211R_AP
1347 if (full_config && wpa_key_mgmt_ft(bss->wpa_key_mgmt) &&
1348 (bss->nas_identifier == NULL ||
1349 os_strlen(bss->nas_identifier) < 1 ||
1350 os_strlen(bss->nas_identifier) > FT_R0KH_ID_MAX_LEN)) {
1351 wpa_printf(MSG_ERROR, "FT (IEEE 802.11r) requires "
1352 "nas_identifier to be configured as a 1..48 octet "
1353 "string");
1354 return -1;
1355 }
1356 #endif /* CONFIG_IEEE80211R_AP */
1357
1358 if (full_config && conf->ieee80211n &&
1359 conf->hw_mode == HOSTAPD_MODE_IEEE80211B) {
1360 bss->disable_11n = true;
1361 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) in 11b mode is not "
1362 "allowed, disabling HT capabilities");
1363 }
1364
1365 #ifdef CONFIG_WEP
1366 if (full_config && conf->ieee80211n &&
1367 bss->ssid.security_policy == SECURITY_STATIC_WEP) {
1368 bss->disable_11n = true;
1369 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WEP is not "
1370 "allowed, disabling HT capabilities");
1371 }
1372 #endif /* CONFIG_WEP */
1373
1374 if (full_config && conf->ieee80211n && bss->wpa &&
1375 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
1376 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1377 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
1378 {
1379 bss->disable_11n = true;
1380 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WPA/WPA2 "
1381 "requires CCMP/GCMP to be enabled, disabling HT "
1382 "capabilities");
1383 }
1384
1385 #ifdef CONFIG_IEEE80211AC
1386 #ifdef CONFIG_WEP
1387 if (full_config && conf->ieee80211ac &&
1388 bss->ssid.security_policy == SECURITY_STATIC_WEP) {
1389 bss->disable_11ac = true;
1390 wpa_printf(MSG_ERROR,
1391 "VHT (IEEE 802.11ac) with WEP is not allowed, disabling VHT capabilities");
1392 }
1393 #endif /* CONFIG_WEP */
1394
1395 if (full_config && conf->ieee80211ac && bss->wpa &&
1396 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
1397 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1398 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
1399 {
1400 bss->disable_11ac = true;
1401 wpa_printf(MSG_ERROR,
1402 "VHT (IEEE 802.11ac) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling VHT capabilities");
1403 }
1404 #endif /* CONFIG_IEEE80211AC */
1405
1406 #ifdef CONFIG_IEEE80211AX
1407 #ifdef CONFIG_WEP
1408 if (full_config && conf->ieee80211ax &&
1409 bss->ssid.security_policy == SECURITY_STATIC_WEP) {
1410 bss->disable_11ax = true;
1411 wpa_printf(MSG_ERROR,
1412 "HE (IEEE 802.11ax) with WEP is not allowed, disabling HE capabilities");
1413 }
1414 #endif /* CONFIG_WEP */
1415
1416 if (full_config && conf->ieee80211ax && bss->wpa &&
1417 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
1418 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1419 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
1420 {
1421 bss->disable_11ax = true;
1422 wpa_printf(MSG_ERROR,
1423 "HE (IEEE 802.11ax) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling HE capabilities");
1424 }
1425 #endif /* CONFIG_IEEE80211AX */
1426
1427 #ifdef CONFIG_WPS
1428 if (full_config && bss->wps_state && bss->ignore_broadcast_ssid) {
1429 wpa_printf(MSG_INFO, "WPS: ignore_broadcast_ssid "
1430 "configuration forced WPS to be disabled");
1431 bss->wps_state = 0;
1432 }
1433
1434 #ifdef CONFIG_WEP
1435 if (full_config && bss->wps_state &&
1436 bss->ssid.wep.keys_set && bss->wpa == 0) {
1437 wpa_printf(MSG_INFO, "WPS: WEP configuration forced WPS to be "
1438 "disabled");
1439 bss->wps_state = 0;
1440 }
1441 #endif /* CONFIG_WEP */
1442
1443 if (full_config && bss->wps_state && bss->wpa &&
1444 (!(bss->wpa & 2) ||
1445 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1446 WPA_CIPHER_CCMP_256 |
1447 WPA_CIPHER_GCMP_256)))) {
1448 wpa_printf(MSG_INFO, "WPS: WPA/TKIP configuration without "
1449 "WPA2/CCMP/GCMP forced WPS to be disabled");
1450 bss->wps_state = 0;
1451 }
1452 #endif /* CONFIG_WPS */
1453
1454 #ifdef CONFIG_HS20
1455 if (full_config && bss->hs20 &&
1456 (!(bss->wpa & 2) ||
1457 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1458 WPA_CIPHER_CCMP_256 |
1459 WPA_CIPHER_GCMP_256)))) {
1460 wpa_printf(MSG_ERROR, "HS 2.0: WPA2-Enterprise/CCMP "
1461 "configuration is required for Hotspot 2.0 "
1462 "functionality");
1463 return -1;
1464 }
1465 #endif /* CONFIG_HS20 */
1466
1467 #ifdef CONFIG_MBO
1468 if (full_config && bss->mbo_enabled && (bss->wpa & 2) &&
1469 bss->ieee80211w == NO_MGMT_FRAME_PROTECTION) {
1470 wpa_printf(MSG_ERROR,
1471 "MBO: PMF needs to be enabled whenever using WPA2 with MBO");
1472 return -1;
1473 }
1474 #endif /* CONFIG_MBO */
1475
1476 #ifdef CONFIG_OCV
1477 if (full_config && bss->ieee80211w == NO_MGMT_FRAME_PROTECTION &&
1478 bss->ocv) {
1479 wpa_printf(MSG_ERROR,
1480 "OCV: PMF needs to be enabled whenever using OCV");
1481 return -1;
1482 }
1483 #endif /* CONFIG_OCV */
1484
1485 #ifdef CONFIG_SAE_PK
1486 if (full_config && hostapd_sae_pk_in_use(bss) &&
1487 hostapd_sae_pk_password_without_pk(bss)) {
1488 wpa_printf(MSG_ERROR,
1489 "SAE-PK: SAE password uses SAE-PK style, but does not have PK configured");
1490 return -1;
1491 }
1492 #endif /* CONFIG_SAE_PK */
1493
1494 #ifdef CONFIG_FILS
1495 if (full_config && bss->fils_discovery_max_int &&
1496 (!conf->ieee80211ax || bss->disable_11ax)) {
1497 wpa_printf(MSG_ERROR,
1498 "Currently IEEE 802.11ax support is mandatory to enable FILS discovery transmission.");
1499 return -1;
1500 }
1501
1502 if (full_config && bss->fils_discovery_max_int &&
1503 bss->unsol_bcast_probe_resp_interval) {
1504 wpa_printf(MSG_ERROR,
1505 "Cannot enable both FILS discovery and unsolicited broadcast Probe Response at the same time");
1506 return -1;
1507 }
1508 #endif /* CONFIG_FILS */
1509
1510 #ifdef CONFIG_IEEE80211BE
1511 if (full_config && !bss->disable_11be && bss->disable_11ax) {
1512 bss->disable_11be = true;
1513 wpa_printf(MSG_INFO,
1514 "Disabling IEEE 802.11be as IEEE 802.11ax is disabled for this BSS");
1515 }
1516 #endif /* CONFIG_IEEE80211BE */
1517
1518 if (full_config && bss->ignore_broadcast_ssid && conf->mbssid) {
1519 wpa_printf(MSG_ERROR,
1520 "Hidden SSID is not suppored when MBSSID is enabled");
1521 return -1;
1522 }
1523
1524 return 0;
1525 }
1526
1527
hostapd_config_check_cw(struct hostapd_config * conf,int queue)1528 static int hostapd_config_check_cw(struct hostapd_config *conf, int queue)
1529 {
1530 int tx_cwmin = conf->tx_queue[queue].cwmin;
1531 int tx_cwmax = conf->tx_queue[queue].cwmax;
1532 int ac_cwmin = conf->wmm_ac_params[queue].cwmin;
1533 int ac_cwmax = conf->wmm_ac_params[queue].cwmax;
1534
1535 if (tx_cwmin > tx_cwmax) {
1536 wpa_printf(MSG_ERROR,
1537 "Invalid TX queue cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)",
1538 tx_cwmin, tx_cwmax);
1539 return -1;
1540 }
1541 if (ac_cwmin > ac_cwmax) {
1542 wpa_printf(MSG_ERROR,
1543 "Invalid WMM AC cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)",
1544 ac_cwmin, ac_cwmax);
1545 return -1;
1546 }
1547 return 0;
1548 }
1549
1550
hostapd_config_check(struct hostapd_config * conf,int full_config)1551 int hostapd_config_check(struct hostapd_config *conf, int full_config)
1552 {
1553 size_t i;
1554
1555 if (full_config && is_6ghz_op_class(conf->op_class) &&
1556 !conf->hw_mode_set) {
1557 /* Use the appropriate hw_mode value automatically when the
1558 * op_class parameter has been set, but hw_mode was not. */
1559 conf->hw_mode = HOSTAPD_MODE_IEEE80211A;
1560 }
1561
1562 if (full_config && conf->ieee80211d &&
1563 (!conf->country[0] || !conf->country[1])) {
1564 wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11d without "
1565 "setting the country_code");
1566 return -1;
1567 }
1568
1569 if (full_config && conf->ieee80211h && !conf->ieee80211d) {
1570 wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11h without "
1571 "IEEE 802.11d enabled");
1572 return -1;
1573 }
1574
1575 if (full_config && conf->local_pwr_constraint != -1 &&
1576 !conf->ieee80211d) {
1577 wpa_printf(MSG_ERROR, "Cannot add Power Constraint element without Country element");
1578 return -1;
1579 }
1580
1581 if (full_config && conf->spectrum_mgmt_required &&
1582 conf->local_pwr_constraint == -1) {
1583 wpa_printf(MSG_ERROR, "Cannot set Spectrum Management bit without Country and Power Constraint elements");
1584 return -1;
1585 }
1586
1587 #ifdef CONFIG_AIRTIME_POLICY
1588 if (full_config && conf->airtime_mode > AIRTIME_MODE_STATIC &&
1589 !conf->airtime_update_interval) {
1590 wpa_printf(MSG_ERROR, "Airtime update interval cannot be zero");
1591 return -1;
1592 }
1593 #endif /* CONFIG_AIRTIME_POLICY */
1594 for (i = 0; i < NUM_TX_QUEUES; i++) {
1595 if (hostapd_config_check_cw(conf, i))
1596 return -1;
1597 }
1598
1599 #ifdef CONFIG_IEEE80211BE
1600 if (full_config && conf->ieee80211be && !conf->ieee80211ax) {
1601 wpa_printf(MSG_ERROR,
1602 "Cannot set ieee80211be without ieee80211ax");
1603 return -1;
1604 }
1605
1606 if (full_config)
1607 hostapd_set_and_check_bw320_offset(conf,
1608 conf->eht_bw320_offset);
1609 #endif /* CONFIG_IEEE80211BE */
1610
1611 if (full_config && conf->mbssid && !conf->ieee80211ax) {
1612 wpa_printf(MSG_ERROR,
1613 "Cannot enable multiple BSSID support without ieee80211ax");
1614 return -1;
1615 }
1616
1617 for (i = 0; i < conf->num_bss; i++) {
1618 if (hostapd_config_check_bss(conf->bss[i], conf, full_config))
1619 return -1;
1620 }
1621
1622 return 0;
1623 }
1624
1625
hostapd_set_security_params(struct hostapd_bss_config * bss,int full_config)1626 void hostapd_set_security_params(struct hostapd_bss_config *bss,
1627 int full_config)
1628 {
1629 #ifdef CONFIG_WEP
1630 if (bss->individual_wep_key_len == 0) {
1631 /* individual keys are not use; can use key idx0 for
1632 * broadcast keys */
1633 bss->broadcast_key_idx_min = 0;
1634 }
1635 #endif /* CONFIG_WEP */
1636
1637 if ((bss->wpa & 2) && bss->rsn_pairwise == 0)
1638 bss->rsn_pairwise = bss->wpa_pairwise;
1639 if (bss->group_cipher)
1640 bss->wpa_group = bss->group_cipher;
1641 else
1642 bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa,
1643 bss->wpa_pairwise,
1644 bss->rsn_pairwise);
1645 if (!bss->wpa_group_rekey_set)
1646 bss->wpa_group_rekey = bss->wpa_group == WPA_CIPHER_TKIP ?
1647 600 : 86400;
1648
1649 if (full_config) {
1650 bss->radius->auth_server = bss->radius->auth_servers;
1651 bss->radius->acct_server = bss->radius->acct_servers;
1652 }
1653
1654 if (bss->wpa && bss->ieee802_1x) {
1655 bss->ssid.security_policy = SECURITY_WPA;
1656 } else if (bss->wpa) {
1657 bss->ssid.security_policy = SECURITY_WPA_PSK;
1658 } else if (bss->ieee802_1x) {
1659 int cipher = WPA_CIPHER_NONE;
1660 bss->ssid.security_policy = SECURITY_IEEE_802_1X;
1661 #ifdef CONFIG_WEP
1662 bss->ssid.wep.default_len = bss->default_wep_key_len;
1663 if (full_config && bss->default_wep_key_len) {
1664 cipher = bss->default_wep_key_len >= 13 ?
1665 WPA_CIPHER_WEP104 : WPA_CIPHER_WEP40;
1666 } else if (full_config && bss->ssid.wep.keys_set) {
1667 if (bss->ssid.wep.len[0] >= 13)
1668 cipher = WPA_CIPHER_WEP104;
1669 else
1670 cipher = WPA_CIPHER_WEP40;
1671 }
1672 #endif /* CONFIG_WEP */
1673 bss->wpa_group = cipher;
1674 bss->wpa_pairwise = cipher;
1675 bss->rsn_pairwise = cipher;
1676 if (full_config)
1677 bss->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_NO_WPA;
1678 #ifdef CONFIG_WEP
1679 } else if (bss->ssid.wep.keys_set) {
1680 int cipher = WPA_CIPHER_WEP40;
1681 if (bss->ssid.wep.len[0] >= 13)
1682 cipher = WPA_CIPHER_WEP104;
1683 bss->ssid.security_policy = SECURITY_STATIC_WEP;
1684 bss->wpa_group = cipher;
1685 bss->wpa_pairwise = cipher;
1686 bss->rsn_pairwise = cipher;
1687 if (full_config)
1688 bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE;
1689 #endif /* CONFIG_WEP */
1690 } else if (bss->osen) {
1691 bss->ssid.security_policy = SECURITY_OSEN;
1692 bss->wpa_group = WPA_CIPHER_CCMP;
1693 bss->wpa_pairwise = 0;
1694 bss->rsn_pairwise = WPA_CIPHER_CCMP;
1695 } else {
1696 bss->ssid.security_policy = SECURITY_PLAINTEXT;
1697 if (full_config) {
1698 bss->wpa_group = WPA_CIPHER_NONE;
1699 bss->wpa_pairwise = WPA_CIPHER_NONE;
1700 bss->rsn_pairwise = WPA_CIPHER_NONE;
1701 bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE;
1702 }
1703 }
1704 }
1705
1706
hostapd_sae_pw_id_in_use(struct hostapd_bss_config * conf)1707 int hostapd_sae_pw_id_in_use(struct hostapd_bss_config *conf)
1708 {
1709 int with_id = 0, without_id = 0;
1710 struct sae_password_entry *pw;
1711
1712 if (conf->ssid.wpa_passphrase)
1713 without_id = 1;
1714
1715 for (pw = conf->sae_passwords; pw; pw = pw->next) {
1716 if (pw->identifier)
1717 with_id = 1;
1718 else
1719 without_id = 1;
1720 if (with_id && without_id)
1721 break;
1722 }
1723
1724 if (with_id && !without_id)
1725 return 2;
1726 return with_id;
1727 }
1728
1729
hostapd_sae_pk_in_use(struct hostapd_bss_config * conf)1730 bool hostapd_sae_pk_in_use(struct hostapd_bss_config *conf)
1731 {
1732 #ifdef CONFIG_SAE_PK
1733 struct sae_password_entry *pw;
1734
1735 for (pw = conf->sae_passwords; pw; pw = pw->next) {
1736 if (pw->pk)
1737 return true;
1738 }
1739 #endif /* CONFIG_SAE_PK */
1740
1741 return false;
1742 }
1743
1744
1745 #ifdef CONFIG_SAE_PK
hostapd_sae_pk_exclusively(struct hostapd_bss_config * conf)1746 bool hostapd_sae_pk_exclusively(struct hostapd_bss_config *conf)
1747 {
1748 bool with_pk = false;
1749 struct sae_password_entry *pw;
1750
1751 if (conf->ssid.wpa_passphrase)
1752 return false;
1753
1754 for (pw = conf->sae_passwords; pw; pw = pw->next) {
1755 if (!pw->pk)
1756 return false;
1757 with_pk = true;
1758 }
1759
1760 return with_pk;
1761 }
1762 #endif /* CONFIG_SAE_PK */
1763
1764
hostapd_acl_comp(const void * a,const void * b)1765 int hostapd_acl_comp(const void *a, const void *b)
1766 {
1767 const struct mac_acl_entry *aa = a;
1768 const struct mac_acl_entry *bb = b;
1769 return os_memcmp(aa->addr, bb->addr, sizeof(macaddr));
1770 }
1771
1772
hostapd_add_acl_maclist(struct mac_acl_entry ** acl,int * num,int vlan_id,const u8 * addr)1773 int hostapd_add_acl_maclist(struct mac_acl_entry **acl, int *num,
1774 int vlan_id, const u8 *addr)
1775 {
1776 struct mac_acl_entry *newacl;
1777
1778 newacl = os_realloc_array(*acl, *num + 1, sizeof(**acl));
1779 if (!newacl) {
1780 wpa_printf(MSG_ERROR, "MAC list reallocation failed");
1781 return -1;
1782 }
1783
1784 *acl = newacl;
1785 os_memcpy((*acl)[*num].addr, addr, ETH_ALEN);
1786 os_memset(&(*acl)[*num].vlan_id, 0, sizeof((*acl)[*num].vlan_id));
1787 (*acl)[*num].vlan_id.untagged = vlan_id;
1788 (*acl)[*num].vlan_id.notempty = !!vlan_id;
1789 (*num)++;
1790
1791 return 0;
1792 }
1793
1794
hostapd_remove_acl_mac(struct mac_acl_entry ** acl,int * num,const u8 * addr)1795 void hostapd_remove_acl_mac(struct mac_acl_entry **acl, int *num,
1796 const u8 *addr)
1797 {
1798 int i = 0;
1799
1800 while (i < *num) {
1801 if (ether_addr_equal((*acl)[i].addr, addr)) {
1802 os_remove_in_array(*acl, *num, sizeof(**acl), i);
1803 (*num)--;
1804 } else {
1805 i++;
1806 }
1807 }
1808 }
1809