1 /*
2  * hostapd / Configuration helper functions
3  * Copyright (c) 2003-2024, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "utils/includes.h"
10 
11 #include "utils/common.h"
12 #include "crypto/sha1.h"
13 #include "crypto/tls.h"
14 #include "radius/radius_client.h"
15 #include "common/ieee802_11_defs.h"
16 #include "common/ieee802_1x_defs.h"
17 #include "common/eapol_common.h"
18 #include "common/dhcp.h"
19 #include "common/sae.h"
20 #include "eap_common/eap_wsc_common.h"
21 #include "eap_server/eap.h"
22 #include "wpa_auth.h"
23 #include "sta_info.h"
24 #include "airtime_policy.h"
25 #include "ap_config.h"
26 
27 
hostapd_config_free_vlan(struct hostapd_bss_config * bss)28 static void hostapd_config_free_vlan(struct hostapd_bss_config *bss)
29 {
30 	struct hostapd_vlan *vlan, *prev;
31 
32 	vlan = bss->vlan;
33 	prev = NULL;
34 	while (vlan) {
35 		prev = vlan;
36 		vlan = vlan->next;
37 		os_free(prev);
38 	}
39 
40 	bss->vlan = NULL;
41 }
42 
43 
44 #ifndef DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES
45 #define DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES 0
46 #endif /* DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES */
47 
hostapd_config_defaults_bss(struct hostapd_bss_config * bss)48 void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
49 {
50 	dl_list_init(&bss->anqp_elem);
51 
52 	bss->logger_syslog_level = HOSTAPD_LEVEL_INFO;
53 	bss->logger_stdout_level = HOSTAPD_LEVEL_INFO;
54 	bss->logger_syslog = (unsigned int) -1;
55 	bss->logger_stdout = (unsigned int) -1;
56 
57 #ifdef CONFIG_WEP
58 	bss->auth_algs = WPA_AUTH_ALG_OPEN | WPA_AUTH_ALG_SHARED;
59 
60 	bss->wep_rekeying_period = 300;
61 	/* use key0 in individual key and key1 in broadcast key */
62 	bss->broadcast_key_idx_min = 1;
63 	bss->broadcast_key_idx_max = 2;
64 #else /* CONFIG_WEP */
65 	bss->auth_algs = WPA_AUTH_ALG_OPEN;
66 #endif /* CONFIG_WEP */
67 	bss->eap_reauth_period = 3600;
68 
69 	bss->wpa_group_rekey = 600;
70 	bss->wpa_gmk_rekey = 86400;
71 	bss->wpa_deny_ptk0_rekey = PTK0_REKEY_ALLOW_ALWAYS;
72 	bss->wpa_group_update_count = 4;
73 	bss->wpa_pairwise_update_count = 4;
74 	bss->wpa_disable_eapol_key_retries =
75 		DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES;
76 	bss->wpa_key_mgmt = WPA_KEY_MGMT_PSK;
77 #ifdef CONFIG_NO_TKIP
78 	bss->wpa_pairwise = WPA_CIPHER_CCMP;
79 	bss->wpa_group = WPA_CIPHER_CCMP;
80 #else /* CONFIG_NO_TKIP */
81 	bss->wpa_pairwise = WPA_CIPHER_TKIP;
82 	bss->wpa_group = WPA_CIPHER_TKIP;
83 #endif /* CONFIG_NO_TKIP */
84 	bss->rsn_pairwise = 0;
85 
86 	bss->max_num_sta = MAX_STA_COUNT;
87 
88 	bss->dtim_period = 2;
89 
90 	bss->radius_server_auth_port = 1812;
91 	bss->eap_sim_db_timeout = 1;
92 	bss->eap_sim_id = 3;
93 	bss->eap_sim_aka_fast_reauth_limit = 1000;
94 	bss->ap_max_inactivity = AP_MAX_INACTIVITY;
95 	bss->bss_max_idle = 1;
96 	bss->eapol_version = EAPOL_VERSION;
97 
98 	bss->max_listen_interval = 65535;
99 
100 	bss->pwd_group = 19; /* ECC: GF(p=256) */
101 
102 	bss->assoc_sa_query_max_timeout = 1000;
103 	bss->assoc_sa_query_retry_timeout = 201;
104 	bss->group_mgmt_cipher = WPA_CIPHER_AES_128_CMAC;
105 #ifdef EAP_SERVER_FAST
106 	 /* both anonymous and authenticated provisioning */
107 	bss->eap_fast_prov = 3;
108 	bss->pac_key_lifetime = 7 * 24 * 60 * 60;
109 	bss->pac_key_refresh_time = 1 * 24 * 60 * 60;
110 #endif /* EAP_SERVER_FAST */
111 
112 	/* Set to -1 as defaults depends on HT in setup */
113 	bss->wmm_enabled = -1;
114 
115 #ifdef CONFIG_IEEE80211R_AP
116 	bss->ft_over_ds = 1;
117 	bss->rkh_pos_timeout = 86400;
118 	bss->rkh_neg_timeout = 60;
119 	bss->rkh_pull_timeout = 1000;
120 	bss->rkh_pull_retries = 4;
121 	bss->r0_key_lifetime = 1209600;
122 #endif /* CONFIG_IEEE80211R_AP */
123 
124 	bss->radius_das_time_window = 300;
125 	bss->radius_require_message_authenticator = 1;
126 
127 	bss->anti_clogging_threshold = 5;
128 	bss->sae_sync = 3;
129 
130 	bss->gas_frag_limit = 1400;
131 
132 #ifdef CONFIG_FILS
133 	dl_list_init(&bss->fils_realms);
134 	bss->fils_hlp_wait_time = 30;
135 	bss->dhcp_server_port = DHCP_SERVER_PORT;
136 	bss->dhcp_relay_port = DHCP_SERVER_PORT;
137 	bss->fils_discovery_min_int = 20;
138 #endif /* CONFIG_FILS */
139 
140 	bss->broadcast_deauth = 1;
141 
142 #ifdef CONFIG_MBO
143 	bss->mbo_cell_data_conn_pref = -1;
144 #endif /* CONFIG_MBO */
145 
146 	/* Disable TLS v1.3 by default for now to avoid interoperability issue.
147 	 * This can be enabled by default once the implementation has been fully
148 	 * completed and tested with other implementations. */
149 	bss->tls_flags = TLS_CONN_DISABLE_TLSv1_3;
150 
151 	bss->max_auth_rounds = 100;
152 	bss->max_auth_rounds_short = 50;
153 
154 	bss->send_probe_response = 1;
155 
156 #ifdef CONFIG_HS20
157 	bss->hs20_release = (HS20_VERSION >> 4) + 1;
158 #endif /* CONFIG_HS20 */
159 
160 #ifdef CONFIG_MACSEC
161 	bss->mka_priority = DEFAULT_PRIO_NOT_KEY_SERVER;
162 	bss->macsec_port = 1;
163 #endif /* CONFIG_MACSEC */
164 
165 	/* Default to strict CRL checking. */
166 	bss->check_crl_strict = 1;
167 
168 	bss->multi_ap_profile = MULTI_AP_PROFILE_2;
169 
170 #ifdef CONFIG_TESTING_OPTIONS
171 	bss->sae_commit_status = -1;
172 	bss->test_assoc_comeback_type = -1;
173 #endif /* CONFIG_TESTING_OPTIONS */
174 
175 #ifdef CONFIG_PASN
176 	/* comeback after 10 TUs */
177 	bss->pasn_comeback_after = 10;
178 	bss->pasn_noauth = 1;
179 #endif /* CONFIG_PASN */
180 }
181 
182 
hostapd_config_defaults(void)183 struct hostapd_config * hostapd_config_defaults(void)
184 {
185 #define ecw2cw(ecw) ((1 << (ecw)) - 1)
186 
187 	struct hostapd_config *conf;
188 	struct hostapd_bss_config *bss;
189 	const int aCWmin = 4, aCWmax = 10;
190 	const struct hostapd_wmm_ac_params ac_bk =
191 		{ aCWmin, aCWmax, 7, 0, 0 }; /* background traffic */
192 	const struct hostapd_wmm_ac_params ac_be =
193 		{ aCWmin, aCWmax, 3, 0, 0 }; /* best effort traffic */
194 	const struct hostapd_wmm_ac_params ac_vi = /* video traffic */
195 		{ aCWmin - 1, aCWmin, 2, 3008 / 32, 0 };
196 	const struct hostapd_wmm_ac_params ac_vo = /* voice traffic */
197 		{ aCWmin - 2, aCWmin - 1, 2, 1504 / 32, 0 };
198 	const struct hostapd_tx_queue_params txq_bk =
199 		{ 7, ecw2cw(aCWmin), ecw2cw(aCWmax), 0 };
200 	const struct hostapd_tx_queue_params txq_be =
201 		{ 3, ecw2cw(aCWmin), 4 * (ecw2cw(aCWmin) + 1) - 1, 0};
202 	const struct hostapd_tx_queue_params txq_vi =
203 		{ 1, (ecw2cw(aCWmin) + 1) / 2 - 1, ecw2cw(aCWmin), 30};
204 	const struct hostapd_tx_queue_params txq_vo =
205 		{ 1, (ecw2cw(aCWmin) + 1) / 4 - 1,
206 		  (ecw2cw(aCWmin) + 1) / 2 - 1, 15};
207 
208 #undef ecw2cw
209 
210 	conf = os_zalloc(sizeof(*conf));
211 	bss = os_zalloc(sizeof(*bss));
212 	if (conf == NULL || bss == NULL) {
213 		wpa_printf(MSG_ERROR, "Failed to allocate memory for "
214 			   "configuration data.");
215 		os_free(conf);
216 		os_free(bss);
217 		return NULL;
218 	}
219 	conf->bss = os_calloc(1, sizeof(struct hostapd_bss_config *));
220 	if (conf->bss == NULL) {
221 		os_free(conf);
222 		os_free(bss);
223 		return NULL;
224 	}
225 	conf->bss[0] = bss;
226 
227 	bss->radius = os_zalloc(sizeof(*bss->radius));
228 	if (bss->radius == NULL) {
229 		os_free(conf->bss);
230 		os_free(conf);
231 		os_free(bss);
232 		return NULL;
233 	}
234 
235 	hostapd_config_defaults_bss(bss);
236 
237 	conf->num_bss = 1;
238 
239 	conf->beacon_int = 100;
240 	conf->rts_threshold = -2; /* use driver default: 2347 */
241 	conf->fragm_threshold = -2; /* user driver default: 2346 */
242 	/* Set to invalid value means do not add Power Constraint IE */
243 	conf->local_pwr_constraint = -1;
244 
245 	conf->wmm_ac_params[0] = ac_be;
246 	conf->wmm_ac_params[1] = ac_bk;
247 	conf->wmm_ac_params[2] = ac_vi;
248 	conf->wmm_ac_params[3] = ac_vo;
249 
250 	conf->tx_queue[0] = txq_vo;
251 	conf->tx_queue[1] = txq_vi;
252 	conf->tx_queue[2] = txq_be;
253 	conf->tx_queue[3] = txq_bk;
254 
255 	conf->ht_capab = HT_CAP_INFO_SMPS_DISABLED;
256 
257 	conf->ap_table_max_size = 255;
258 	conf->ap_table_expiration_time = 60;
259 	conf->track_sta_max_age = 180;
260 
261 #ifdef CONFIG_TESTING_OPTIONS
262 	conf->ignore_probe_probability = 0.0;
263 	conf->ignore_auth_probability = 0.0;
264 	conf->ignore_assoc_probability = 0.0;
265 	conf->ignore_reassoc_probability = 0.0;
266 	conf->corrupt_gtk_rekey_mic_probability = 0.0;
267 	conf->ecsa_ie_only = 0;
268 #endif /* CONFIG_TESTING_OPTIONS */
269 
270 	conf->acs = 0;
271 	conf->acs_ch_list.num = 0;
272 #ifdef CONFIG_ACS
273 	conf->acs_num_scans = 5;
274 #endif /* CONFIG_ACS */
275 
276 #ifdef CONFIG_IEEE80211AX
277 	conf->he_op.he_rts_threshold = HE_OPERATION_RTS_THRESHOLD_MASK >>
278 		HE_OPERATION_RTS_THRESHOLD_OFFSET;
279 	/* Set default basic MCS/NSS set to single stream MCS 0-7 */
280 	conf->he_op.he_basic_mcs_nss_set = 0xfffc;
281 	conf->he_op.he_bss_color_disabled = 1;
282 	conf->he_op.he_bss_color_partial = 0;
283 	conf->he_op.he_bss_color = os_random() % 63 + 1;
284 	conf->he_op.he_twt_responder = 1;
285 	conf->he_6ghz_max_mpdu = 2;
286 	conf->he_6ghz_max_ampdu_len_exp = 7;
287 	conf->he_6ghz_rx_ant_pat = 1;
288 	conf->he_6ghz_tx_ant_pat = 1;
289 	conf->he_6ghz_reg_pwr_type = HE_REG_INFO_6GHZ_AP_TYPE_VLP;
290 	conf->reg_def_cli_eirp_psd = -1;
291 	conf->reg_sub_cli_eirp_psd = -1;
292 	conf->reg_def_cli_eirp = -1;
293 #endif /* CONFIG_IEEE80211AX */
294 
295 	/* The third octet of the country string uses an ASCII space character
296 	 * by default to indicate that the regulations encompass all
297 	 * environments for the current frequency band in the country. */
298 	conf->country[2] = ' ';
299 
300 	conf->rssi_reject_assoc_rssi = 0;
301 	conf->rssi_reject_assoc_timeout = 30;
302 
303 #ifdef CONFIG_AIRTIME_POLICY
304 	conf->airtime_update_interval = AIRTIME_DEFAULT_UPDATE_INTERVAL;
305 #endif /* CONFIG_AIRTIME_POLICY */
306 
307 	hostapd_set_and_check_bw320_offset(conf, 0);
308 
309 	return conf;
310 }
311 
312 
hostapd_mac_comp(const void * a,const void * b)313 int hostapd_mac_comp(const void *a, const void *b)
314 {
315 	return os_memcmp(a, b, sizeof(macaddr));
316 }
317 
318 
hostapd_config_read_wpa_psk(const char * fname,struct hostapd_ssid * ssid)319 static int hostapd_config_read_wpa_psk(const char *fname,
320 				       struct hostapd_ssid *ssid)
321 {
322 	FILE *f;
323 	char buf[128], *pos;
324 	const char *keyid;
325 	char *context;
326 	char *context2;
327 	char *token;
328 	char *name;
329 	char *value;
330 	int line = 0, ret = 0, len, ok;
331 	u8 addr[ETH_ALEN];
332 	struct hostapd_wpa_psk *psk;
333 
334 	if (!fname)
335 		return 0;
336 
337 	f = fopen(fname, "r");
338 	if (!f) {
339 		wpa_printf(MSG_ERROR, "WPA PSK file '%s' not found.", fname);
340 		return -1;
341 	}
342 
343 	while (fgets(buf, sizeof(buf), f)) {
344 		int vlan_id = 0;
345 		int wps = 0;
346 
347 		line++;
348 
349 		if (buf[0] == '#')
350 			continue;
351 		pos = buf;
352 		while (*pos != '\0') {
353 			if (*pos == '\n') {
354 				*pos = '\0';
355 				break;
356 			}
357 			pos++;
358 		}
359 		if (buf[0] == '\0')
360 			continue;
361 
362 		context = NULL;
363 		keyid = NULL;
364 		while ((token = str_token(buf, " ", &context))) {
365 			if (!os_strchr(token, '='))
366 				break;
367 			context2 = NULL;
368 			name = str_token(token, "=", &context2);
369 			if (!name)
370 				break;
371 			value = str_token(token, "", &context2);
372 			if (!value)
373 				value = "";
374 			if (!os_strcmp(name, "keyid")) {
375 				keyid = value;
376 			} else if (!os_strcmp(name, "wps")) {
377 				wps = atoi(value);
378 			} else if (!os_strcmp(name, "vlanid")) {
379 				vlan_id = atoi(value);
380 			} else {
381 				wpa_printf(MSG_ERROR,
382 					   "Unrecognized '%s=%s' on line %d in '%s'",
383 					   name, value, line, fname);
384 				ret = -1;
385 				break;
386 			}
387 		}
388 
389 		if (ret == -1)
390 			break;
391 
392 		if (!token)
393 			token = "";
394 		if (hwaddr_aton(token, addr)) {
395 			wpa_printf(MSG_ERROR,
396 				   "Invalid MAC address '%s' on line %d in '%s'",
397 				   token, line, fname);
398 			ret = -1;
399 			break;
400 		}
401 
402 		psk = os_zalloc(sizeof(*psk));
403 		if (psk == NULL) {
404 			wpa_printf(MSG_ERROR, "WPA PSK allocation failed");
405 			ret = -1;
406 			break;
407 		}
408 		psk->vlan_id = vlan_id;
409 		if (is_zero_ether_addr(addr))
410 			psk->group = 1;
411 		else
412 			os_memcpy(psk->addr, addr, ETH_ALEN);
413 
414 		pos = str_token(buf, "", &context);
415 		if (!pos) {
416 			wpa_printf(MSG_ERROR, "No PSK on line %d in '%s'",
417 				   line, fname);
418 			os_free(psk);
419 			ret = -1;
420 			break;
421 		}
422 
423 		ok = 0;
424 		len = os_strlen(pos);
425 		if (len == 2 * PMK_LEN &&
426 		    hexstr2bin(pos, psk->psk, PMK_LEN) == 0)
427 			ok = 1;
428 		else if (len >= 8 && len < 64 &&
429 			 pbkdf2_sha1(pos, ssid->ssid, ssid->ssid_len,
430 				     4096, psk->psk, PMK_LEN) == 0)
431 			ok = 1;
432 		if (!ok) {
433 			wpa_printf(MSG_ERROR,
434 				   "Invalid PSK '%s' on line %d in '%s'",
435 				   pos, line, fname);
436 			os_free(psk);
437 			ret = -1;
438 			break;
439 		}
440 
441 		if (keyid) {
442 			len = os_strlcpy(psk->keyid, keyid, sizeof(psk->keyid));
443 			if ((size_t) len >= sizeof(psk->keyid)) {
444 				wpa_printf(MSG_ERROR,
445 					   "PSK keyid too long on line %d in '%s'",
446 					   line, fname);
447 				os_free(psk);
448 				ret = -1;
449 				break;
450 			}
451 		}
452 
453 		psk->wps = wps;
454 
455 		psk->next = ssid->wpa_psk;
456 		ssid->wpa_psk = psk;
457 	}
458 
459 	fclose(f);
460 
461 	return ret;
462 }
463 
464 
hostapd_derive_psk(struct hostapd_ssid * ssid)465 static int hostapd_derive_psk(struct hostapd_ssid *ssid)
466 {
467 	ssid->wpa_psk = os_zalloc(sizeof(struct hostapd_wpa_psk));
468 	if (ssid->wpa_psk == NULL) {
469 		wpa_printf(MSG_ERROR, "Unable to alloc space for PSK");
470 		return -1;
471 	}
472 	wpa_hexdump_ascii(MSG_DEBUG, "SSID",
473 			  (u8 *) ssid->ssid, ssid->ssid_len);
474 	wpa_hexdump_ascii_key(MSG_DEBUG, "PSK (ASCII passphrase)",
475 			      (u8 *) ssid->wpa_passphrase,
476 			      os_strlen(ssid->wpa_passphrase));
477 	if (pbkdf2_sha1(ssid->wpa_passphrase,
478 			ssid->ssid, ssid->ssid_len,
479 			4096, ssid->wpa_psk->psk, PMK_LEN) != 0) {
480 		wpa_printf(MSG_ERROR, "Error in pbkdf2_sha1()");
481 		return -1;
482 	}
483 	wpa_hexdump_key(MSG_DEBUG, "PSK (from passphrase)",
484 			ssid->wpa_psk->psk, PMK_LEN);
485 	return 0;
486 }
487 
488 
hostapd_setup_sae_pt(struct hostapd_bss_config * conf)489 int hostapd_setup_sae_pt(struct hostapd_bss_config *conf)
490 {
491 #ifdef CONFIG_SAE
492 	struct hostapd_ssid *ssid = &conf->ssid;
493 	struct sae_password_entry *pw;
494 	int *groups = conf->sae_groups;
495 	int default_groups[] = { 19, 0, 0 };
496 
497 	if ((conf->sae_pwe == SAE_PWE_HUNT_AND_PECK &&
498 	     !hostapd_sae_pw_id_in_use(conf) &&
499 	     !wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt |
500 				       conf->rsn_override_key_mgmt |
501 				       conf->rsn_override_key_mgmt_2) &&
502 	     !hostapd_sae_pk_in_use(conf)) ||
503 	    conf->sae_pwe == SAE_PWE_FORCE_HUNT_AND_PECK ||
504 	    !wpa_key_mgmt_sae(conf->wpa_key_mgmt |
505 			      conf->rsn_override_key_mgmt |
506 			      conf->rsn_override_key_mgmt_2))
507 		return 0; /* PT not needed */
508 
509 	if (!groups) {
510 		groups = default_groups;
511 		if (wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt |
512 					     conf->rsn_override_key_mgmt |
513 					     conf->rsn_override_key_mgmt_2))
514 			default_groups[1] = 20;
515 	}
516 
517 	sae_deinit_pt(ssid->pt);
518 	ssid->pt = NULL;
519 	if (ssid->wpa_passphrase) {
520 		ssid->pt = sae_derive_pt(groups, ssid->ssid, ssid->ssid_len,
521 					 (const u8 *) ssid->wpa_passphrase,
522 					 os_strlen(ssid->wpa_passphrase),
523 					 NULL);
524 		if (!ssid->pt)
525 			return -1;
526 	}
527 
528 	for (pw = conf->sae_passwords; pw; pw = pw->next) {
529 		sae_deinit_pt(pw->pt);
530 		pw->pt = sae_derive_pt(groups, ssid->ssid, ssid->ssid_len,
531 				       (const u8 *) pw->password,
532 				       os_strlen(pw->password),
533 				       pw->identifier);
534 		if (!pw->pt)
535 			return -1;
536 	}
537 #endif /* CONFIG_SAE */
538 
539 	return 0;
540 }
541 
542 
hostapd_setup_wpa_psk(struct hostapd_bss_config * conf)543 int hostapd_setup_wpa_psk(struct hostapd_bss_config *conf)
544 {
545 	struct hostapd_ssid *ssid = &conf->ssid;
546 
547 	if (hostapd_setup_sae_pt(conf) < 0)
548 		return -1;
549 
550 	if (ssid->wpa_passphrase != NULL) {
551 		if (ssid->wpa_psk != NULL) {
552 			wpa_printf(MSG_DEBUG, "Using pre-configured WPA PSK "
553 				   "instead of passphrase");
554 		} else {
555 			wpa_printf(MSG_DEBUG, "Deriving WPA PSK based on "
556 				   "passphrase");
557 			if (hostapd_derive_psk(ssid) < 0)
558 				return -1;
559 		}
560 		ssid->wpa_psk->group = 1;
561 	}
562 
563 	return hostapd_config_read_wpa_psk(ssid->wpa_psk_file, &conf->ssid);
564 }
565 
566 
hostapd_config_free_radius(struct hostapd_radius_server * servers,int num_servers)567 static void hostapd_config_free_radius(struct hostapd_radius_server *servers,
568 				       int num_servers)
569 {
570 	int i;
571 
572 	for (i = 0; i < num_servers; i++) {
573 		os_free(servers[i].shared_secret);
574 		os_free(servers[i].ca_cert);
575 		os_free(servers[i].client_cert);
576 		os_free(servers[i].private_key);
577 		os_free(servers[i].private_key_passwd);
578 	}
579 	os_free(servers);
580 }
581 
582 
583 struct hostapd_radius_attr *
hostapd_config_get_radius_attr(struct hostapd_radius_attr * attr,u8 type)584 hostapd_config_get_radius_attr(struct hostapd_radius_attr *attr, u8 type)
585 {
586 	for (; attr; attr = attr->next) {
587 		if (attr->type == type)
588 			return attr;
589 	}
590 	return NULL;
591 }
592 
593 
hostapd_parse_radius_attr(const char * value)594 struct hostapd_radius_attr * hostapd_parse_radius_attr(const char *value)
595 {
596 	const char *pos;
597 	char syntax;
598 	struct hostapd_radius_attr *attr;
599 	size_t len;
600 
601 	attr = os_zalloc(sizeof(*attr));
602 	if (!attr)
603 		return NULL;
604 
605 	attr->type = atoi(value);
606 
607 	pos = os_strchr(value, ':');
608 	if (!pos) {
609 		attr->val = wpabuf_alloc(1);
610 		if (!attr->val) {
611 			os_free(attr);
612 			return NULL;
613 		}
614 		wpabuf_put_u8(attr->val, 0);
615 		return attr;
616 	}
617 
618 	pos++;
619 	if (pos[0] == '\0' || pos[1] != ':') {
620 		os_free(attr);
621 		return NULL;
622 	}
623 	syntax = *pos++;
624 	pos++;
625 
626 	switch (syntax) {
627 	case 's':
628 		attr->val = wpabuf_alloc_copy(pos, os_strlen(pos));
629 		break;
630 	case 'x':
631 		len = os_strlen(pos);
632 		if (len & 1)
633 			break;
634 		len /= 2;
635 		attr->val = wpabuf_alloc(len);
636 		if (!attr->val)
637 			break;
638 		if (hexstr2bin(pos, wpabuf_put(attr->val, len), len) < 0) {
639 			wpabuf_free(attr->val);
640 			os_free(attr);
641 			return NULL;
642 		}
643 		break;
644 	case 'd':
645 		attr->val = wpabuf_alloc(4);
646 		if (attr->val)
647 			wpabuf_put_be32(attr->val, atoi(pos));
648 		break;
649 	default:
650 		os_free(attr);
651 		return NULL;
652 	}
653 
654 	if (!attr->val) {
655 		os_free(attr);
656 		return NULL;
657 	}
658 
659 	return attr;
660 }
661 
662 
hostapd_config_free_radius_attr(struct hostapd_radius_attr * attr)663 void hostapd_config_free_radius_attr(struct hostapd_radius_attr *attr)
664 {
665 	struct hostapd_radius_attr *prev;
666 
667 	while (attr) {
668 		prev = attr;
669 		attr = attr->next;
670 		wpabuf_free(prev->val);
671 		os_free(prev);
672 	}
673 }
674 
675 
hostapd_config_free_eap_user(struct hostapd_eap_user * user)676 void hostapd_config_free_eap_user(struct hostapd_eap_user *user)
677 {
678 	hostapd_config_free_radius_attr(user->accept_attr);
679 	os_free(user->identity);
680 	bin_clear_free(user->password, user->password_len);
681 	bin_clear_free(user->salt, user->salt_len);
682 	os_free(user);
683 }
684 
685 
hostapd_config_free_eap_users(struct hostapd_eap_user * user)686 void hostapd_config_free_eap_users(struct hostapd_eap_user *user)
687 {
688 	struct hostapd_eap_user *prev_user;
689 
690 	while (user) {
691 		prev_user = user;
692 		user = user->next;
693 		hostapd_config_free_eap_user(prev_user);
694 	}
695 }
696 
697 
698 #ifdef CONFIG_WEP
hostapd_config_free_wep(struct hostapd_wep_keys * keys)699 static void hostapd_config_free_wep(struct hostapd_wep_keys *keys)
700 {
701 	int i;
702 	for (i = 0; i < NUM_WEP_KEYS; i++) {
703 		bin_clear_free(keys->key[i], keys->len[i]);
704 		keys->key[i] = NULL;
705 	}
706 }
707 #endif /* CONFIG_WEP */
708 
709 
hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk ** l)710 void hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk **l)
711 {
712 	struct hostapd_wpa_psk *psk, *tmp;
713 
714 	for (psk = *l; psk;) {
715 		tmp = psk;
716 		psk = psk->next;
717 		bin_clear_free(tmp, sizeof(*tmp));
718 	}
719 	*l = NULL;
720 }
721 
722 
723 #ifdef CONFIG_IEEE80211R_AP
724 
hostapd_config_clear_rxkhs(struct hostapd_bss_config * conf)725 void hostapd_config_clear_rxkhs(struct hostapd_bss_config *conf)
726 {
727 	struct ft_remote_r0kh *r0kh, *r0kh_prev;
728 	struct ft_remote_r1kh *r1kh, *r1kh_prev;
729 
730 	r0kh = conf->r0kh_list;
731 	conf->r0kh_list = NULL;
732 	while (r0kh) {
733 		r0kh_prev = r0kh;
734 		r0kh = r0kh->next;
735 		os_free(r0kh_prev);
736 	}
737 
738 	r1kh = conf->r1kh_list;
739 	conf->r1kh_list = NULL;
740 	while (r1kh) {
741 		r1kh_prev = r1kh;
742 		r1kh = r1kh->next;
743 		os_free(r1kh_prev);
744 	}
745 }
746 
747 #endif /* CONFIG_IEEE80211R_AP */
748 
749 
hostapd_config_free_anqp_elem(struct hostapd_bss_config * conf)750 static void hostapd_config_free_anqp_elem(struct hostapd_bss_config *conf)
751 {
752 	struct anqp_element *elem;
753 
754 	while ((elem = dl_list_first(&conf->anqp_elem, struct anqp_element,
755 				     list))) {
756 		dl_list_del(&elem->list);
757 		wpabuf_free(elem->payload);
758 		os_free(elem);
759 	}
760 }
761 
762 
hostapd_config_free_fils_realms(struct hostapd_bss_config * conf)763 static void hostapd_config_free_fils_realms(struct hostapd_bss_config *conf)
764 {
765 #ifdef CONFIG_FILS
766 	struct fils_realm *realm;
767 
768 	while ((realm = dl_list_first(&conf->fils_realms, struct fils_realm,
769 				      list))) {
770 		dl_list_del(&realm->list);
771 		os_free(realm);
772 	}
773 #endif /* CONFIG_FILS */
774 }
775 
776 
hostapd_config_free_sae_passwords(struct hostapd_bss_config * conf)777 static void hostapd_config_free_sae_passwords(struct hostapd_bss_config *conf)
778 {
779 	struct sae_password_entry *pw, *tmp;
780 
781 	pw = conf->sae_passwords;
782 	conf->sae_passwords = NULL;
783 	while (pw) {
784 		tmp = pw;
785 		pw = pw->next;
786 		str_clear_free(tmp->password);
787 		os_free(tmp->identifier);
788 #ifdef CONFIG_SAE
789 		sae_deinit_pt(tmp->pt);
790 #endif /* CONFIG_SAE */
791 #ifdef CONFIG_SAE_PK
792 		sae_deinit_pk(tmp->pk);
793 #endif /* CONFIG_SAE_PK */
794 		os_free(tmp->success_mac);
795 		os_free(tmp->fail_mac);
796 		os_free(tmp);
797 	}
798 }
799 
800 
801 #ifdef CONFIG_DPP2
hostapd_dpp_controller_conf_free(struct dpp_controller_conf * conf)802 static void hostapd_dpp_controller_conf_free(struct dpp_controller_conf *conf)
803 {
804 	struct dpp_controller_conf *prev;
805 
806 	while (conf) {
807 		prev = conf;
808 		conf = conf->next;
809 		os_free(prev);
810 	}
811 }
812 #endif /* CONFIG_DPP2 */
813 
814 
hostapd_config_free_bss(struct hostapd_bss_config * conf)815 void hostapd_config_free_bss(struct hostapd_bss_config *conf)
816 {
817 #if defined(CONFIG_WPS) || defined(CONFIG_HS20)
818 	size_t i;
819 #endif
820 
821 	if (conf == NULL)
822 		return;
823 
824 	hostapd_config_clear_wpa_psk(&conf->ssid.wpa_psk);
825 
826 	str_clear_free(conf->ssid.wpa_passphrase);
827 	os_free(conf->ssid.wpa_psk_file);
828 #ifdef CONFIG_WEP
829 	hostapd_config_free_wep(&conf->ssid.wep);
830 #endif /* CONFIG_WEP */
831 #ifdef CONFIG_FULL_DYNAMIC_VLAN
832 	os_free(conf->ssid.vlan_tagged_interface);
833 #endif /* CONFIG_FULL_DYNAMIC_VLAN */
834 #ifdef CONFIG_SAE
835 	sae_deinit_pt(conf->ssid.pt);
836 #endif /* CONFIG_SAE */
837 
838 	hostapd_config_free_eap_users(conf->eap_user);
839 	os_free(conf->eap_user_sqlite);
840 
841 	os_free(conf->eap_req_id_text);
842 	os_free(conf->erp_domain);
843 	os_free(conf->accept_mac);
844 	os_free(conf->deny_mac);
845 	os_free(conf->nas_identifier);
846 	if (conf->radius) {
847 		hostapd_config_free_radius(conf->radius->auth_servers,
848 					   conf->radius->num_auth_servers);
849 		hostapd_config_free_radius(conf->radius->acct_servers,
850 					   conf->radius->num_acct_servers);
851 		os_free(conf->radius->force_client_dev);
852 	}
853 	hostapd_config_free_radius_attr(conf->radius_auth_req_attr);
854 	hostapd_config_free_radius_attr(conf->radius_acct_req_attr);
855 	os_free(conf->radius_req_attr_sqlite);
856 	os_free(conf->rsn_preauth_interfaces);
857 	os_free(conf->ctrl_interface);
858 	os_free(conf->config_id);
859 	os_free(conf->ca_cert);
860 	os_free(conf->server_cert);
861 	os_free(conf->server_cert2);
862 	os_free(conf->private_key);
863 	os_free(conf->private_key2);
864 	os_free(conf->private_key_passwd);
865 	os_free(conf->private_key_passwd2);
866 	os_free(conf->check_cert_subject);
867 	os_free(conf->ocsp_stapling_response);
868 	os_free(conf->ocsp_stapling_response_multi);
869 	os_free(conf->dh_file);
870 	os_free(conf->openssl_ciphers);
871 	os_free(conf->openssl_ecdh_curves);
872 	os_free(conf->pac_opaque_encr_key);
873 	os_free(conf->eap_fast_a_id);
874 	os_free(conf->eap_fast_a_id_info);
875 	os_free(conf->eap_sim_db);
876 	os_free(conf->imsi_privacy_key);
877 	os_free(conf->radius_server_clients);
878 	os_free(conf->radius);
879 	os_free(conf->radius_das_shared_secret);
880 	hostapd_config_free_vlan(conf);
881 	os_free(conf->time_zone);
882 
883 #ifdef CONFIG_IEEE80211R_AP
884 	hostapd_config_clear_rxkhs(conf);
885 	os_free(conf->rxkh_file);
886 	conf->rxkh_file = NULL;
887 #endif /* CONFIG_IEEE80211R_AP */
888 
889 #ifdef CONFIG_WPS
890 	os_free(conf->wps_pin_requests);
891 	os_free(conf->device_name);
892 	os_free(conf->manufacturer);
893 	os_free(conf->model_name);
894 	os_free(conf->model_number);
895 	os_free(conf->serial_number);
896 	os_free(conf->config_methods);
897 	os_free(conf->ap_pin);
898 	os_free(conf->extra_cred);
899 	os_free(conf->ap_settings);
900 	hostapd_config_clear_wpa_psk(&conf->multi_ap_backhaul_ssid.wpa_psk);
901 	str_clear_free(conf->multi_ap_backhaul_ssid.wpa_passphrase);
902 	os_free(conf->upnp_iface);
903 	os_free(conf->friendly_name);
904 	os_free(conf->manufacturer_url);
905 	os_free(conf->model_description);
906 	os_free(conf->model_url);
907 	os_free(conf->upc);
908 	for (i = 0; i < MAX_WPS_VENDOR_EXTENSIONS; i++)
909 		wpabuf_free(conf->wps_vendor_ext[i]);
910 	wpabuf_free(conf->wps_application_ext);
911 	wpabuf_free(conf->wps_nfc_dh_pubkey);
912 	wpabuf_free(conf->wps_nfc_dh_privkey);
913 	wpabuf_free(conf->wps_nfc_dev_pw);
914 #endif /* CONFIG_WPS */
915 
916 	os_free(conf->roaming_consortium);
917 	os_free(conf->venue_name);
918 	os_free(conf->venue_url);
919 	os_free(conf->nai_realm_data);
920 	os_free(conf->network_auth_type);
921 	os_free(conf->anqp_3gpp_cell_net);
922 	os_free(conf->domain_name);
923 	hostapd_config_free_anqp_elem(conf);
924 
925 #ifdef CONFIG_RADIUS_TEST
926 	os_free(conf->dump_msk_file);
927 #endif /* CONFIG_RADIUS_TEST */
928 
929 #ifdef CONFIG_HS20
930 	os_free(conf->hs20_oper_friendly_name);
931 	os_free(conf->hs20_wan_metrics);
932 	os_free(conf->hs20_connection_capability);
933 	os_free(conf->hs20_operating_class);
934 	os_free(conf->t_c_filename);
935 	os_free(conf->t_c_server_url);
936 #endif /* CONFIG_HS20 */
937 
938 	wpabuf_free(conf->vendor_elements);
939 	wpabuf_free(conf->assocresp_elements);
940 
941 	os_free(conf->sae_groups);
942 #ifdef CONFIG_OWE
943 	os_free(conf->owe_groups);
944 #endif /* CONFIG_OWE */
945 
946 	os_free(conf->wowlan_triggers);
947 
948 	os_free(conf->server_id);
949 
950 #ifdef CONFIG_TESTING_OPTIONS
951 	wpabuf_free(conf->own_ie_override);
952 	wpabuf_free(conf->rsne_override);
953 	wpabuf_free(conf->rsnoe_override);
954 	wpabuf_free(conf->rsno2e_override);
955 	wpabuf_free(conf->rsnxe_override);
956 	wpabuf_free(conf->rsnxoe_override);
957 	wpabuf_free(conf->sae_commit_override);
958 	wpabuf_free(conf->rsne_override_eapol);
959 	wpabuf_free(conf->rsnxe_override_eapol);
960 	wpabuf_free(conf->rsne_override_ft);
961 	wpabuf_free(conf->rsnxe_override_ft);
962 	wpabuf_free(conf->gtk_rsc_override);
963 	wpabuf_free(conf->igtk_rsc_override);
964 	wpabuf_free(conf->eapol_m1_elements);
965 	wpabuf_free(conf->eapol_m3_elements);
966 	wpabuf_free(conf->presp_elements);
967 #endif /* CONFIG_TESTING_OPTIONS */
968 
969 	os_free(conf->no_probe_resp_if_seen_on);
970 	os_free(conf->no_auth_if_seen_on);
971 
972 	hostapd_config_free_fils_realms(conf);
973 
974 #ifdef CONFIG_DPP
975 	os_free(conf->dpp_name);
976 	os_free(conf->dpp_mud_url);
977 	os_free(conf->dpp_extra_conf_req_name);
978 	os_free(conf->dpp_extra_conf_req_value);
979 	os_free(conf->dpp_connector);
980 	wpabuf_free(conf->dpp_netaccesskey);
981 	wpabuf_free(conf->dpp_csign);
982 #ifdef CONFIG_DPP2
983 	hostapd_dpp_controller_conf_free(conf->dpp_controller);
984 #endif /* CONFIG_DPP2 */
985 #endif /* CONFIG_DPP */
986 
987 	hostapd_config_free_sae_passwords(conf);
988 
989 #ifdef CONFIG_AIRTIME_POLICY
990 	{
991 		struct airtime_sta_weight *wt, *wt_prev;
992 
993 		wt = conf->airtime_weight_list;
994 		conf->airtime_weight_list = NULL;
995 		while (wt) {
996 			wt_prev = wt;
997 			wt = wt->next;
998 			os_free(wt_prev);
999 		}
1000 	}
1001 #endif /* CONFIG_AIRTIME_POLICY */
1002 
1003 #ifdef CONFIG_PASN
1004 	os_free(conf->pasn_groups);
1005 #endif /* CONFIG_PASN */
1006 
1007 	os_free(conf);
1008 }
1009 
1010 
1011 /**
1012  * hostapd_config_free - Free hostapd configuration
1013  * @conf: Configuration data from hostapd_config_read().
1014  */
hostapd_config_free(struct hostapd_config * conf)1015 void hostapd_config_free(struct hostapd_config *conf)
1016 {
1017 	size_t i;
1018 
1019 	if (conf == NULL)
1020 		return;
1021 
1022 	for (i = 0; i < conf->num_bss; i++)
1023 		hostapd_config_free_bss(conf->bss[i]);
1024 	os_free(conf->bss);
1025 	os_free(conf->supported_rates);
1026 	os_free(conf->basic_rates);
1027 	os_free(conf->acs_ch_list.range);
1028 	os_free(conf->acs_freq_list.range);
1029 	os_free(conf->driver_params);
1030 #ifdef CONFIG_ACS
1031 	os_free(conf->acs_chan_bias);
1032 #endif /* CONFIG_ACS */
1033 	wpabuf_free(conf->lci);
1034 	wpabuf_free(conf->civic);
1035 
1036 	os_free(conf);
1037 }
1038 
1039 
1040 /**
1041  * hostapd_maclist_found - Find a MAC address from a list
1042  * @list: MAC address list
1043  * @num_entries: Number of addresses in the list
1044  * @addr: Address to search for
1045  * @vlan_id: Buffer for returning VLAN ID or %NULL if not needed
1046  * Returns: 1 if address is in the list or 0 if not.
1047  *
1048  * Perform a binary search for given MAC address from a pre-sorted list.
1049  */
hostapd_maclist_found(struct mac_acl_entry * list,int num_entries,const u8 * addr,struct vlan_description * vlan_id)1050 int hostapd_maclist_found(struct mac_acl_entry *list, int num_entries,
1051 			  const u8 *addr, struct vlan_description *vlan_id)
1052 {
1053 	int start, end, middle, res;
1054 
1055 	start = 0;
1056 	end = num_entries - 1;
1057 
1058 	while (start <= end) {
1059 		middle = (start + end) / 2;
1060 		res = os_memcmp(list[middle].addr, addr, ETH_ALEN);
1061 		if (res == 0) {
1062 			if (vlan_id)
1063 				*vlan_id = list[middle].vlan_id;
1064 			return 1;
1065 		}
1066 		if (res < 0)
1067 			start = middle + 1;
1068 		else
1069 			end = middle - 1;
1070 	}
1071 
1072 	return 0;
1073 }
1074 
1075 
hostapd_rate_found(int * list,int rate)1076 int hostapd_rate_found(int *list, int rate)
1077 {
1078 	int i;
1079 
1080 	if (list == NULL)
1081 		return 0;
1082 
1083 	for (i = 0; list[i] >= 0; i++)
1084 		if (list[i] == rate)
1085 			return 1;
1086 
1087 	return 0;
1088 }
1089 
1090 
hostapd_vlan_valid(struct hostapd_vlan * vlan,struct vlan_description * vlan_desc)1091 int hostapd_vlan_valid(struct hostapd_vlan *vlan,
1092 		       struct vlan_description *vlan_desc)
1093 {
1094 	struct hostapd_vlan *v = vlan;
1095 	int i;
1096 
1097 	if (!vlan_desc->notempty || vlan_desc->untagged < 0 ||
1098 	    vlan_desc->untagged > MAX_VLAN_ID)
1099 		return 0;
1100 	for (i = 0; i < MAX_NUM_TAGGED_VLAN; i++) {
1101 		if (vlan_desc->tagged[i] < 0 ||
1102 		    vlan_desc->tagged[i] > MAX_VLAN_ID)
1103 			return 0;
1104 	}
1105 	if (!vlan_desc->untagged && !vlan_desc->tagged[0])
1106 		return 0;
1107 
1108 	while (v) {
1109 		if (!vlan_compare(&v->vlan_desc, vlan_desc) ||
1110 		    v->vlan_id == VLAN_ID_WILDCARD)
1111 			return 1;
1112 		v = v->next;
1113 	}
1114 	return 0;
1115 }
1116 
1117 
hostapd_get_vlan_id_ifname(struct hostapd_vlan * vlan,int vlan_id)1118 const char * hostapd_get_vlan_id_ifname(struct hostapd_vlan *vlan, int vlan_id)
1119 {
1120 	struct hostapd_vlan *v = vlan;
1121 	while (v) {
1122 		if (v->vlan_id == vlan_id)
1123 			return v->ifname;
1124 		v = v->next;
1125 	}
1126 	return NULL;
1127 }
1128 
1129 
hostapd_get_psk(const struct hostapd_bss_config * conf,const u8 * addr,const u8 * p2p_dev_addr,const u8 * prev_psk,int * vlan_id)1130 const u8 * hostapd_get_psk(const struct hostapd_bss_config *conf,
1131 			   const u8 *addr, const u8 *p2p_dev_addr,
1132 			   const u8 *prev_psk, int *vlan_id)
1133 {
1134 	struct hostapd_wpa_psk *psk;
1135 	int next_ok = prev_psk == NULL;
1136 
1137 	if (vlan_id)
1138 		*vlan_id = 0;
1139 
1140 	if (p2p_dev_addr && !is_zero_ether_addr(p2p_dev_addr)) {
1141 		wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR
1142 			   " p2p_dev_addr=" MACSTR " prev_psk=%p",
1143 			   MAC2STR(addr), MAC2STR(p2p_dev_addr), prev_psk);
1144 		addr = NULL; /* Use P2P Device Address for matching */
1145 	} else {
1146 		wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR
1147 			   " prev_psk=%p",
1148 			   MAC2STR(addr), prev_psk);
1149 	}
1150 
1151 	for (psk = conf->ssid.wpa_psk; psk != NULL; psk = psk->next) {
1152 		if (next_ok &&
1153 		    (psk->group ||
1154 		     (addr && ether_addr_equal(psk->addr, addr)) ||
1155 		     (!addr && p2p_dev_addr &&
1156 		      ether_addr_equal(psk->p2p_dev_addr, p2p_dev_addr)))) {
1157 			if (vlan_id)
1158 				*vlan_id = psk->vlan_id;
1159 			return psk->psk;
1160 		}
1161 
1162 		if (psk->psk == prev_psk)
1163 			next_ok = 1;
1164 	}
1165 
1166 	return NULL;
1167 }
1168 
1169 
1170 #ifdef CONFIG_SAE_PK
hostapd_sae_pk_password_without_pk(struct hostapd_bss_config * bss)1171 static bool hostapd_sae_pk_password_without_pk(struct hostapd_bss_config *bss)
1172 {
1173 	struct sae_password_entry *pw;
1174 	bool res = false;
1175 
1176 	if (bss->ssid.wpa_passphrase &&
1177 #ifdef CONFIG_TESTING_OPTIONS
1178 	    !bss->sae_pk_password_check_skip &&
1179 #endif /* CONFIG_TESTING_OPTIONS */
1180 	    sae_pk_valid_password(bss->ssid.wpa_passphrase))
1181 		res = true;
1182 
1183 	for (pw = bss->sae_passwords; pw; pw = pw->next) {
1184 		if (!pw->pk &&
1185 #ifdef CONFIG_TESTING_OPTIONS
1186 		    !bss->sae_pk_password_check_skip &&
1187 #endif /* CONFIG_TESTING_OPTIONS */
1188 		    sae_pk_valid_password(pw->password))
1189 			return true;
1190 
1191 		if (bss->ssid.wpa_passphrase && res && pw->pk &&
1192 		    os_strcmp(bss->ssid.wpa_passphrase, pw->password) == 0)
1193 			res = false;
1194 	}
1195 
1196 	return res;
1197 }
1198 #endif /* CONFIG_SAE_PK */
1199 
1200 
hostapd_config_check_bss_6g(struct hostapd_bss_config * bss)1201 static bool hostapd_config_check_bss_6g(struct hostapd_bss_config *bss)
1202 {
1203 	if (bss->wpa != WPA_PROTO_RSN) {
1204 		wpa_printf(MSG_ERROR,
1205 			   "Pre-RSNA security methods are not allowed in 6 GHz");
1206 		return false;
1207 	}
1208 
1209 	if (bss->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED) {
1210 		wpa_printf(MSG_ERROR,
1211 			   "Management frame protection is required in 6 GHz");
1212 		return false;
1213 	}
1214 
1215 	if (bss->wpa_key_mgmt & (WPA_KEY_MGMT_PSK |
1216 				 WPA_KEY_MGMT_FT_PSK |
1217 				 WPA_KEY_MGMT_PSK_SHA256)) {
1218 		wpa_printf(MSG_ERROR, "Invalid AKM suite for 6 GHz");
1219 		return false;
1220 	}
1221 
1222 	if (bss->rsn_pairwise & (WPA_CIPHER_WEP40 |
1223 				 WPA_CIPHER_WEP104 |
1224 				 WPA_CIPHER_TKIP)) {
1225 		wpa_printf(MSG_ERROR,
1226 			   "Invalid pairwise cipher suite for 6 GHz");
1227 		return false;
1228 	}
1229 
1230 	if (bss->wpa_group & (WPA_CIPHER_WEP40 |
1231 			      WPA_CIPHER_WEP104 |
1232 			      WPA_CIPHER_TKIP)) {
1233 		wpa_printf(MSG_ERROR, "Invalid group cipher suite for 6 GHz");
1234 		return false;
1235 	}
1236 
1237 #ifdef CONFIG_SAE
1238 	if (wpa_key_mgmt_sae(bss->wpa_key_mgmt) &&
1239 	    bss->sae_pwe == SAE_PWE_HUNT_AND_PECK) {
1240 		wpa_printf(MSG_INFO, "SAE: Enabling SAE H2E on 6 GHz");
1241 		bss->sae_pwe = SAE_PWE_BOTH;
1242 	}
1243 #endif /* CONFIG_SAE */
1244 
1245 	return true;
1246 }
1247 
1248 
hostapd_config_check_bss(struct hostapd_bss_config * bss,struct hostapd_config * conf,int full_config)1249 static int hostapd_config_check_bss(struct hostapd_bss_config *bss,
1250 				    struct hostapd_config *conf,
1251 				    int full_config)
1252 {
1253 	if (full_config && is_6ghz_op_class(conf->op_class) &&
1254 	    !hostapd_config_check_bss_6g(bss))
1255 		return -1;
1256 
1257 	if (full_config && bss->ieee802_1x && !bss->eap_server &&
1258 	    !bss->radius->auth_servers) {
1259 		wpa_printf(MSG_ERROR, "Invalid IEEE 802.1X configuration (no "
1260 			   "EAP authenticator configured).");
1261 		return -1;
1262 	}
1263 
1264 #ifdef CONFIG_WEP
1265 	if (bss->wpa) {
1266 		int wep, i;
1267 
1268 		wep = bss->default_wep_key_len > 0 ||
1269 		       bss->individual_wep_key_len > 0;
1270 		for (i = 0; i < NUM_WEP_KEYS; i++) {
1271 			if (bss->ssid.wep.keys_set) {
1272 				wep = 1;
1273 				break;
1274 			}
1275 		}
1276 
1277 		if (wep) {
1278 			wpa_printf(MSG_ERROR, "WEP configuration in a WPA network is not supported");
1279 			return -1;
1280 		}
1281 	}
1282 #endif /* CONFIG_WEP */
1283 
1284 	if (full_config && bss->wpa &&
1285 	    bss->wpa_psk_radius != PSK_RADIUS_IGNORED &&
1286 	    bss->wpa_psk_radius != PSK_RADIUS_DURING_4WAY_HS &&
1287 	    bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH) {
1288 		wpa_printf(MSG_ERROR, "WPA-PSK using RADIUS enabled, but no "
1289 			   "RADIUS checking (macaddr_acl=2) enabled.");
1290 		return -1;
1291 	}
1292 
1293 	if (full_config && bss->wpa &&
1294 	    wpa_key_mgmt_wpa_psk_no_sae(bss->wpa_key_mgmt) &&
1295 	    bss->ssid.wpa_psk == NULL && bss->ssid.wpa_passphrase == NULL &&
1296 	    bss->ssid.wpa_psk_file == NULL &&
1297 	    bss->wpa_psk_radius != PSK_RADIUS_DURING_4WAY_HS &&
1298 	    (bss->wpa_psk_radius != PSK_RADIUS_REQUIRED ||
1299 	     bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH)) {
1300 		wpa_printf(MSG_ERROR, "WPA-PSK enabled, but PSK or passphrase "
1301 			   "is not configured.");
1302 		return -1;
1303 	}
1304 
1305 	if (full_config && !is_zero_ether_addr(bss->bssid)) {
1306 		size_t i;
1307 
1308 		for (i = 0; i < conf->num_bss; i++) {
1309 			if (conf->bss[i] != bss &&
1310 			    (hostapd_mac_comp(conf->bss[i]->bssid,
1311 					      bss->bssid) == 0)) {
1312 				wpa_printf(MSG_ERROR, "Duplicate BSSID " MACSTR
1313 					   " on interface '%s' and '%s'.",
1314 					   MAC2STR(bss->bssid),
1315 					   conf->bss[i]->iface, bss->iface);
1316 				return -1;
1317 			}
1318 		}
1319 	}
1320 
1321 #ifdef CONFIG_IEEE80211R_AP
1322 	if (full_config && wpa_key_mgmt_ft(bss->wpa_key_mgmt) &&
1323 	    (bss->nas_identifier == NULL ||
1324 	     os_strlen(bss->nas_identifier) < 1 ||
1325 	     os_strlen(bss->nas_identifier) > FT_R0KH_ID_MAX_LEN)) {
1326 		wpa_printf(MSG_ERROR, "FT (IEEE 802.11r) requires "
1327 			   "nas_identifier to be configured as a 1..48 octet "
1328 			   "string");
1329 		return -1;
1330 	}
1331 #endif /* CONFIG_IEEE80211R_AP */
1332 
1333 	if (full_config && conf->ieee80211n &&
1334 	    conf->hw_mode == HOSTAPD_MODE_IEEE80211B) {
1335 		bss->disable_11n = true;
1336 		wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) in 11b mode is not "
1337 			   "allowed, disabling HT capabilities");
1338 	}
1339 
1340 #ifdef CONFIG_WEP
1341 	if (full_config && conf->ieee80211n &&
1342 	    bss->ssid.security_policy == SECURITY_STATIC_WEP) {
1343 		bss->disable_11n = true;
1344 		wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WEP is not "
1345 			   "allowed, disabling HT capabilities");
1346 	}
1347 #endif /* CONFIG_WEP */
1348 
1349 	if (full_config && conf->ieee80211n && bss->wpa &&
1350 	    !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
1351 	    !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1352 				   WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
1353 	{
1354 		bss->disable_11n = true;
1355 		wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WPA/WPA2 "
1356 			   "requires CCMP/GCMP to be enabled, disabling HT "
1357 			   "capabilities");
1358 	}
1359 
1360 #ifdef CONFIG_IEEE80211AC
1361 #ifdef CONFIG_WEP
1362 	if (full_config && conf->ieee80211ac &&
1363 	    bss->ssid.security_policy == SECURITY_STATIC_WEP) {
1364 		bss->disable_11ac = true;
1365 		wpa_printf(MSG_ERROR,
1366 			   "VHT (IEEE 802.11ac) with WEP is not allowed, disabling VHT capabilities");
1367 	}
1368 #endif /* CONFIG_WEP */
1369 
1370 	if (full_config && conf->ieee80211ac && bss->wpa &&
1371 	    !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
1372 	    !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1373 				   WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
1374 	{
1375 		bss->disable_11ac = true;
1376 		wpa_printf(MSG_ERROR,
1377 			   "VHT (IEEE 802.11ac) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling VHT capabilities");
1378 	}
1379 #endif /* CONFIG_IEEE80211AC */
1380 
1381 #ifdef CONFIG_IEEE80211AX
1382 #ifdef CONFIG_WEP
1383 	if (full_config && conf->ieee80211ax &&
1384 	    bss->ssid.security_policy == SECURITY_STATIC_WEP) {
1385 		bss->disable_11ax = true;
1386 		wpa_printf(MSG_ERROR,
1387 			   "HE (IEEE 802.11ax) with WEP is not allowed, disabling HE capabilities");
1388 	}
1389 #endif /* CONFIG_WEP */
1390 
1391 	if (full_config && conf->ieee80211ax && bss->wpa &&
1392 	    !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
1393 	    !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1394 				   WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
1395 	{
1396 		bss->disable_11ax = true;
1397 		wpa_printf(MSG_ERROR,
1398 			   "HE (IEEE 802.11ax) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling HE capabilities");
1399 	}
1400 #endif /* CONFIG_IEEE80211AX */
1401 
1402 #ifdef CONFIG_WPS
1403 	if (full_config && bss->wps_state && bss->ignore_broadcast_ssid) {
1404 		wpa_printf(MSG_INFO, "WPS: ignore_broadcast_ssid "
1405 			   "configuration forced WPS to be disabled");
1406 		bss->wps_state = 0;
1407 	}
1408 
1409 #ifdef CONFIG_WEP
1410 	if (full_config && bss->wps_state &&
1411 	    bss->ssid.wep.keys_set && bss->wpa == 0) {
1412 		wpa_printf(MSG_INFO, "WPS: WEP configuration forced WPS to be "
1413 			   "disabled");
1414 		bss->wps_state = 0;
1415 	}
1416 #endif /* CONFIG_WEP */
1417 
1418 	if (full_config && bss->wps_state && bss->wpa &&
1419 	    (!(bss->wpa & 2) ||
1420 	     !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1421 				    WPA_CIPHER_CCMP_256 |
1422 				    WPA_CIPHER_GCMP_256)))) {
1423 		wpa_printf(MSG_INFO, "WPS: WPA/TKIP configuration without "
1424 			   "WPA2/CCMP/GCMP forced WPS to be disabled");
1425 		bss->wps_state = 0;
1426 	}
1427 #endif /* CONFIG_WPS */
1428 
1429 #ifdef CONFIG_HS20
1430 	if (full_config && bss->hs20 &&
1431 	    (!(bss->wpa & 2) ||
1432 	     !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1433 				    WPA_CIPHER_CCMP_256 |
1434 				    WPA_CIPHER_GCMP_256)))) {
1435 		wpa_printf(MSG_ERROR, "HS 2.0: WPA2-Enterprise/CCMP "
1436 			   "configuration is required for Hotspot 2.0 "
1437 			   "functionality");
1438 		return -1;
1439 	}
1440 #endif /* CONFIG_HS20 */
1441 
1442 #ifdef CONFIG_MBO
1443 	if (full_config && bss->mbo_enabled && (bss->wpa & 2) &&
1444 	    bss->ieee80211w == NO_MGMT_FRAME_PROTECTION) {
1445 		wpa_printf(MSG_ERROR,
1446 			   "MBO: PMF needs to be enabled whenever using WPA2 with MBO");
1447 		return -1;
1448 	}
1449 #endif /* CONFIG_MBO */
1450 
1451 #ifdef CONFIG_OCV
1452 	if (full_config && bss->ieee80211w == NO_MGMT_FRAME_PROTECTION &&
1453 	    bss->ocv) {
1454 		wpa_printf(MSG_ERROR,
1455 			   "OCV: PMF needs to be enabled whenever using OCV");
1456 		return -1;
1457 	}
1458 #endif /* CONFIG_OCV */
1459 
1460 #ifdef CONFIG_SAE_PK
1461 	if (full_config && hostapd_sae_pk_in_use(bss) &&
1462 	    hostapd_sae_pk_password_without_pk(bss)) {
1463 		wpa_printf(MSG_ERROR,
1464 			   "SAE-PK: SAE password uses SAE-PK style, but does not have PK configured");
1465 		return -1;
1466 	}
1467 #endif /* CONFIG_SAE_PK */
1468 
1469 #ifdef CONFIG_FILS
1470 	if (full_config && bss->fils_discovery_max_int &&
1471 	    (!conf->ieee80211ax || bss->disable_11ax)) {
1472 		wpa_printf(MSG_ERROR,
1473 			   "Currently IEEE 802.11ax support is mandatory to enable FILS discovery transmission.");
1474 		return -1;
1475 	}
1476 
1477 	if (full_config && bss->fils_discovery_max_int &&
1478 	    bss->unsol_bcast_probe_resp_interval) {
1479 		wpa_printf(MSG_ERROR,
1480 			   "Cannot enable both FILS discovery and unsolicited broadcast Probe Response at the same time");
1481 		return -1;
1482 	}
1483 #endif /* CONFIG_FILS */
1484 
1485 #ifdef CONFIG_IEEE80211BE
1486 	if (full_config && !bss->disable_11be && bss->disable_11ax) {
1487 		bss->disable_11be = true;
1488 		wpa_printf(MSG_INFO,
1489 			   "Disabling IEEE 802.11be as IEEE 802.11ax is disabled for this BSS");
1490 	}
1491 
1492 	if (full_config && conf->ieee80211be && !bss->disable_11be &&
1493 	    !bss->beacon_prot && ap_pmf_enabled(bss)) {
1494 		bss->beacon_prot = 1;
1495 		wpa_printf(MSG_INFO,
1496 			   "Enabling beacon protection as IEEE 802.11be is enabled for this BSS");
1497 	}
1498 #endif /* CONFIG_IEEE80211BE */
1499 
1500 	if (full_config && bss->ignore_broadcast_ssid && conf->mbssid) {
1501 		wpa_printf(MSG_ERROR,
1502 			   "Hidden SSID is not suppored when MBSSID is enabled");
1503 		return -1;
1504 	}
1505 
1506 	/* Do not advertise SPP A-MSDU support if not using CCMP/GCMP */
1507 	if (full_config && bss->spp_amsdu &&
1508 	    !(bss->wpa &&
1509 	      bss->rsn_pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP |
1510 				   WPA_CIPHER_GCMP_256 | WPA_CIPHER_GCMP)))
1511 		bss->spp_amsdu = false;
1512 
1513 	return 0;
1514 }
1515 
1516 
hostapd_config_check_cw(struct hostapd_config * conf,int queue)1517 static int hostapd_config_check_cw(struct hostapd_config *conf, int queue)
1518 {
1519 	int tx_cwmin = conf->tx_queue[queue].cwmin;
1520 	int tx_cwmax = conf->tx_queue[queue].cwmax;
1521 	int ac_cwmin = conf->wmm_ac_params[queue].cwmin;
1522 	int ac_cwmax = conf->wmm_ac_params[queue].cwmax;
1523 
1524 	if (tx_cwmin > tx_cwmax) {
1525 		wpa_printf(MSG_ERROR,
1526 			   "Invalid TX queue cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)",
1527 			   tx_cwmin, tx_cwmax);
1528 		return -1;
1529 	}
1530 	if (ac_cwmin > ac_cwmax) {
1531 		wpa_printf(MSG_ERROR,
1532 			   "Invalid WMM AC cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)",
1533 			   ac_cwmin, ac_cwmax);
1534 		return -1;
1535 	}
1536 	return 0;
1537 }
1538 
1539 
hostapd_config_check(struct hostapd_config * conf,int full_config)1540 int hostapd_config_check(struct hostapd_config *conf, int full_config)
1541 {
1542 	size_t i;
1543 
1544 	if (full_config && is_6ghz_op_class(conf->op_class) &&
1545 	    !conf->hw_mode_set) {
1546 		/* Use the appropriate hw_mode value automatically when the
1547 		 * op_class parameter has been set, but hw_mode was not. */
1548 		conf->hw_mode = HOSTAPD_MODE_IEEE80211A;
1549 	}
1550 
1551 	if (full_config && conf->ieee80211d &&
1552 	    (!conf->country[0] || !conf->country[1])) {
1553 		wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11d without "
1554 			   "setting the country_code");
1555 		return -1;
1556 	}
1557 
1558 	if (full_config && conf->ieee80211h && !conf->ieee80211d) {
1559 		wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11h without "
1560 			   "IEEE 802.11d enabled");
1561 		return -1;
1562 	}
1563 
1564 	if (full_config && conf->local_pwr_constraint != -1 &&
1565 	    !conf->ieee80211d) {
1566 		wpa_printf(MSG_ERROR, "Cannot add Power Constraint element without Country element");
1567 		return -1;
1568 	}
1569 
1570 	if (full_config && conf->spectrum_mgmt_required &&
1571 	    conf->local_pwr_constraint == -1) {
1572 		wpa_printf(MSG_ERROR, "Cannot set Spectrum Management bit without Country and Power Constraint elements");
1573 		return -1;
1574 	}
1575 
1576 #ifdef CONFIG_AIRTIME_POLICY
1577 	if (full_config && conf->airtime_mode > AIRTIME_MODE_STATIC &&
1578 	    !conf->airtime_update_interval) {
1579 		wpa_printf(MSG_ERROR, "Airtime update interval cannot be zero");
1580 		return -1;
1581 	}
1582 #endif /* CONFIG_AIRTIME_POLICY */
1583 	for (i = 0; i < NUM_TX_QUEUES; i++) {
1584 		if (hostapd_config_check_cw(conf, i))
1585 			return -1;
1586 	}
1587 
1588 #ifdef CONFIG_IEEE80211BE
1589 	if (full_config && conf->ieee80211be && !conf->ieee80211ax) {
1590 		wpa_printf(MSG_ERROR,
1591 			   "Cannot set ieee80211be without ieee80211ax");
1592 		return -1;
1593 	}
1594 
1595 	if (full_config)
1596 		hostapd_set_and_check_bw320_offset(conf,
1597 						   conf->eht_bw320_offset);
1598 #endif /* CONFIG_IEEE80211BE */
1599 
1600 	if (full_config && conf->mbssid && !conf->ieee80211ax) {
1601 		wpa_printf(MSG_ERROR,
1602 			   "Cannot enable multiple BSSID support without ieee80211ax");
1603 		return -1;
1604 	}
1605 
1606 	for (i = 0; i < conf->num_bss; i++) {
1607 		if (hostapd_config_check_bss(conf->bss[i], conf, full_config))
1608 			return -1;
1609 	}
1610 
1611 	return 0;
1612 }
1613 
1614 
hostapd_set_security_params(struct hostapd_bss_config * bss,int full_config)1615 void hostapd_set_security_params(struct hostapd_bss_config *bss,
1616 				 int full_config)
1617 {
1618 #ifdef CONFIG_WEP
1619 	if (bss->individual_wep_key_len == 0) {
1620 		/* individual keys are not use; can use key idx0 for
1621 		 * broadcast keys */
1622 		bss->broadcast_key_idx_min = 0;
1623 	}
1624 #endif /* CONFIG_WEP */
1625 
1626 	if ((bss->wpa & 2) && bss->rsn_pairwise == 0)
1627 		bss->rsn_pairwise = bss->wpa_pairwise;
1628 	if (bss->group_cipher)
1629 		bss->wpa_group = bss->group_cipher;
1630 	else
1631 		bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa,
1632 							    bss->wpa_pairwise,
1633 							    bss->rsn_pairwise);
1634 	if (!bss->wpa_group_rekey_set)
1635 		bss->wpa_group_rekey = bss->wpa_group == WPA_CIPHER_TKIP ?
1636 			600 : 86400;
1637 
1638 	if (full_config) {
1639 		bss->radius->auth_server = bss->radius->auth_servers;
1640 		bss->radius->acct_server = bss->radius->acct_servers;
1641 	}
1642 
1643 	if (bss->wpa && bss->ieee802_1x) {
1644 		bss->ssid.security_policy = SECURITY_WPA;
1645 	} else if (bss->wpa) {
1646 		bss->ssid.security_policy = SECURITY_WPA_PSK;
1647 	} else if (bss->ieee802_1x) {
1648 		int cipher = WPA_CIPHER_NONE;
1649 		bss->ssid.security_policy = SECURITY_IEEE_802_1X;
1650 #ifdef CONFIG_WEP
1651 		bss->ssid.wep.default_len = bss->default_wep_key_len;
1652 		if (full_config && bss->default_wep_key_len) {
1653 			cipher = bss->default_wep_key_len >= 13 ?
1654 				WPA_CIPHER_WEP104 : WPA_CIPHER_WEP40;
1655 		} else if (full_config && bss->ssid.wep.keys_set) {
1656 			if (bss->ssid.wep.len[0] >= 13)
1657 				cipher = WPA_CIPHER_WEP104;
1658 			else
1659 				cipher = WPA_CIPHER_WEP40;
1660 		}
1661 #endif /* CONFIG_WEP */
1662 		bss->wpa_group = cipher;
1663 		bss->wpa_pairwise = cipher;
1664 		bss->rsn_pairwise = cipher;
1665 		if (full_config)
1666 			bss->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_NO_WPA;
1667 #ifdef CONFIG_WEP
1668 	} else if (bss->ssid.wep.keys_set) {
1669 		int cipher = WPA_CIPHER_WEP40;
1670 		if (bss->ssid.wep.len[0] >= 13)
1671 			cipher = WPA_CIPHER_WEP104;
1672 		bss->ssid.security_policy = SECURITY_STATIC_WEP;
1673 		bss->wpa_group = cipher;
1674 		bss->wpa_pairwise = cipher;
1675 		bss->rsn_pairwise = cipher;
1676 		if (full_config)
1677 			bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE;
1678 #endif /* CONFIG_WEP */
1679 	} else {
1680 		bss->ssid.security_policy = SECURITY_PLAINTEXT;
1681 		if (full_config) {
1682 			bss->wpa_group = WPA_CIPHER_NONE;
1683 			bss->wpa_pairwise = WPA_CIPHER_NONE;
1684 			bss->rsn_pairwise = WPA_CIPHER_NONE;
1685 			bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE;
1686 		}
1687 	}
1688 }
1689 
1690 
hostapd_sae_pw_id_in_use(struct hostapd_bss_config * conf)1691 int hostapd_sae_pw_id_in_use(struct hostapd_bss_config *conf)
1692 {
1693 	int with_id = 0, without_id = 0;
1694 	struct sae_password_entry *pw;
1695 
1696 	if (conf->ssid.wpa_passphrase)
1697 		without_id = 1;
1698 
1699 	for (pw = conf->sae_passwords; pw; pw = pw->next) {
1700 		if (pw->identifier)
1701 			with_id = 1;
1702 		else
1703 			without_id = 1;
1704 		if (with_id && without_id)
1705 			break;
1706 	}
1707 
1708 	if (with_id && !without_id)
1709 		return 2;
1710 	return with_id;
1711 }
1712 
1713 
hostapd_sae_pk_in_use(struct hostapd_bss_config * conf)1714 bool hostapd_sae_pk_in_use(struct hostapd_bss_config *conf)
1715 {
1716 #ifdef CONFIG_SAE_PK
1717 	struct sae_password_entry *pw;
1718 
1719 	for (pw = conf->sae_passwords; pw; pw = pw->next) {
1720 		if (pw->pk)
1721 			return true;
1722 	}
1723 #endif /* CONFIG_SAE_PK */
1724 
1725 	return false;
1726 }
1727 
1728 
1729 #ifdef CONFIG_SAE_PK
hostapd_sae_pk_exclusively(struct hostapd_bss_config * conf)1730 bool hostapd_sae_pk_exclusively(struct hostapd_bss_config *conf)
1731 {
1732 	bool with_pk = false;
1733 	struct sae_password_entry *pw;
1734 
1735 	if (conf->ssid.wpa_passphrase)
1736 		return false;
1737 
1738 	for (pw = conf->sae_passwords; pw; pw = pw->next) {
1739 		if (!pw->pk)
1740 			return false;
1741 		with_pk = true;
1742 	}
1743 
1744 	return with_pk;
1745 }
1746 #endif /* CONFIG_SAE_PK */
1747 
1748 
hostapd_acl_comp(const void * a,const void * b)1749 int hostapd_acl_comp(const void *a, const void *b)
1750 {
1751 	const struct mac_acl_entry *aa = a;
1752 	const struct mac_acl_entry *bb = b;
1753 	return os_memcmp(aa->addr, bb->addr, sizeof(macaddr));
1754 }
1755 
1756 
hostapd_add_acl_maclist(struct mac_acl_entry ** acl,int * num,int vlan_id,const u8 * addr)1757 int hostapd_add_acl_maclist(struct mac_acl_entry **acl, int *num,
1758 			    int vlan_id, const u8 *addr)
1759 {
1760 	struct mac_acl_entry *newacl;
1761 
1762 	newacl = os_realloc_array(*acl, *num + 1, sizeof(**acl));
1763 	if (!newacl) {
1764 		wpa_printf(MSG_ERROR, "MAC list reallocation failed");
1765 		return -1;
1766 	}
1767 
1768 	*acl = newacl;
1769 	os_memcpy((*acl)[*num].addr, addr, ETH_ALEN);
1770 	os_memset(&(*acl)[*num].vlan_id, 0, sizeof((*acl)[*num].vlan_id));
1771 	(*acl)[*num].vlan_id.untagged = vlan_id;
1772 	(*acl)[*num].vlan_id.notempty = !!vlan_id;
1773 	(*num)++;
1774 
1775 	return 0;
1776 }
1777 
1778 
hostapd_remove_acl_mac(struct mac_acl_entry ** acl,int * num,const u8 * addr)1779 void hostapd_remove_acl_mac(struct mac_acl_entry **acl, int *num,
1780 			    const u8 *addr)
1781 {
1782 	int i = 0;
1783 
1784 	while (i < *num) {
1785 		if (ether_addr_equal((*acl)[i].addr, addr)) {
1786 			os_remove_in_array(*acl, *num, sizeof(**acl), i);
1787 			(*num)--;
1788 		} else {
1789 			i++;
1790 		}
1791 	}
1792 }
1793