1 /* 2 * hostapd / Configuration helper functions 3 * Copyright (c) 2003-2024, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "crypto/sha1.h" 13 #include "crypto/tls.h" 14 #include "radius/radius_client.h" 15 #include "common/ieee802_11_defs.h" 16 #include "common/ieee802_1x_defs.h" 17 #include "common/eapol_common.h" 18 #include "common/dhcp.h" 19 #include "common/sae.h" 20 #include "eap_common/eap_wsc_common.h" 21 #include "eap_server/eap.h" 22 #include "wpa_auth.h" 23 #include "sta_info.h" 24 #include "airtime_policy.h" 25 #include "ap_config.h" 26 27 hostapd_config_free_vlan(struct hostapd_bss_config * bss)28 static void hostapd_config_free_vlan(struct hostapd_bss_config *bss) 29 { 30 struct hostapd_vlan *vlan, *prev; 31 32 vlan = bss->vlan; 33 prev = NULL; 34 while (vlan) { 35 prev = vlan; 36 vlan = vlan->next; 37 os_free(prev); 38 } 39 40 bss->vlan = NULL; 41 } 42 43 44 #ifndef DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES 45 #define DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES 0 46 #endif /* DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES */ 47 hostapd_config_defaults_bss(struct hostapd_bss_config * bss)48 void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) 49 { 50 dl_list_init(&bss->anqp_elem); 51 52 bss->logger_syslog_level = HOSTAPD_LEVEL_INFO; 53 bss->logger_stdout_level = HOSTAPD_LEVEL_INFO; 54 bss->logger_syslog = (unsigned int) -1; 55 bss->logger_stdout = (unsigned int) -1; 56 57 #ifdef CONFIG_WEP 58 bss->auth_algs = WPA_AUTH_ALG_OPEN | WPA_AUTH_ALG_SHARED; 59 60 bss->wep_rekeying_period = 300; 61 /* use key0 in individual key and key1 in broadcast key */ 62 bss->broadcast_key_idx_min = 1; 63 bss->broadcast_key_idx_max = 2; 64 #else /* CONFIG_WEP */ 65 bss->auth_algs = WPA_AUTH_ALG_OPEN; 66 #endif /* CONFIG_WEP */ 67 bss->eap_reauth_period = 3600; 68 69 bss->wpa_group_rekey = 600; 70 bss->wpa_gmk_rekey = 86400; 71 bss->wpa_deny_ptk0_rekey = PTK0_REKEY_ALLOW_ALWAYS; 72 bss->wpa_group_update_count = 4; 73 bss->wpa_pairwise_update_count = 4; 74 bss->wpa_disable_eapol_key_retries = 75 DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES; 76 bss->wpa_key_mgmt = WPA_KEY_MGMT_PSK; 77 #ifdef CONFIG_NO_TKIP 78 bss->wpa_pairwise = WPA_CIPHER_CCMP; 79 bss->wpa_group = WPA_CIPHER_CCMP; 80 #else /* CONFIG_NO_TKIP */ 81 bss->wpa_pairwise = WPA_CIPHER_TKIP; 82 bss->wpa_group = WPA_CIPHER_TKIP; 83 #endif /* CONFIG_NO_TKIP */ 84 bss->rsn_pairwise = 0; 85 86 bss->max_num_sta = MAX_STA_COUNT; 87 88 bss->dtim_period = 2; 89 90 bss->radius_server_auth_port = 1812; 91 bss->eap_sim_db_timeout = 1; 92 bss->eap_sim_id = 3; 93 bss->eap_sim_aka_fast_reauth_limit = 1000; 94 bss->ap_max_inactivity = AP_MAX_INACTIVITY; 95 bss->bss_max_idle = 1; 96 bss->eapol_version = EAPOL_VERSION; 97 98 bss->max_listen_interval = 65535; 99 100 bss->pwd_group = 19; /* ECC: GF(p=256) */ 101 102 bss->assoc_sa_query_max_timeout = 1000; 103 bss->assoc_sa_query_retry_timeout = 201; 104 bss->group_mgmt_cipher = WPA_CIPHER_AES_128_CMAC; 105 #ifdef EAP_SERVER_FAST 106 /* both anonymous and authenticated provisioning */ 107 bss->eap_fast_prov = 3; 108 bss->pac_key_lifetime = 7 * 24 * 60 * 60; 109 bss->pac_key_refresh_time = 1 * 24 * 60 * 60; 110 #endif /* EAP_SERVER_FAST */ 111 112 /* Set to -1 as defaults depends on HT in setup */ 113 bss->wmm_enabled = -1; 114 115 #ifdef CONFIG_IEEE80211R_AP 116 bss->ft_over_ds = 1; 117 bss->rkh_pos_timeout = 86400; 118 bss->rkh_neg_timeout = 60; 119 bss->rkh_pull_timeout = 1000; 120 bss->rkh_pull_retries = 4; 121 bss->r0_key_lifetime = 1209600; 122 #endif /* CONFIG_IEEE80211R_AP */ 123 124 bss->radius_das_time_window = 300; 125 bss->radius_require_message_authenticator = 1; 126 127 bss->anti_clogging_threshold = 5; 128 bss->sae_sync = 3; 129 130 bss->gas_frag_limit = 1400; 131 132 #ifdef CONFIG_FILS 133 dl_list_init(&bss->fils_realms); 134 bss->fils_hlp_wait_time = 30; 135 bss->dhcp_server_port = DHCP_SERVER_PORT; 136 bss->dhcp_relay_port = DHCP_SERVER_PORT; 137 bss->fils_discovery_min_int = 20; 138 #endif /* CONFIG_FILS */ 139 140 bss->broadcast_deauth = 1; 141 142 #ifdef CONFIG_MBO 143 bss->mbo_cell_data_conn_pref = -1; 144 #endif /* CONFIG_MBO */ 145 146 /* Disable TLS v1.3 by default for now to avoid interoperability issue. 147 * This can be enabled by default once the implementation has been fully 148 * completed and tested with other implementations. */ 149 bss->tls_flags = TLS_CONN_DISABLE_TLSv1_3; 150 151 bss->max_auth_rounds = 100; 152 bss->max_auth_rounds_short = 50; 153 154 bss->send_probe_response = 1; 155 156 #ifdef CONFIG_HS20 157 bss->hs20_release = (HS20_VERSION >> 4) + 1; 158 #endif /* CONFIG_HS20 */ 159 160 #ifdef CONFIG_MACSEC 161 bss->mka_priority = DEFAULT_PRIO_NOT_KEY_SERVER; 162 bss->macsec_port = 1; 163 #endif /* CONFIG_MACSEC */ 164 165 /* Default to strict CRL checking. */ 166 bss->check_crl_strict = 1; 167 168 bss->multi_ap_profile = MULTI_AP_PROFILE_2; 169 170 #ifdef CONFIG_TESTING_OPTIONS 171 bss->sae_commit_status = -1; 172 bss->test_assoc_comeback_type = -1; 173 #endif /* CONFIG_TESTING_OPTIONS */ 174 175 #ifdef CONFIG_PASN 176 /* comeback after 10 TUs */ 177 bss->pasn_comeback_after = 10; 178 bss->pasn_noauth = 1; 179 #endif /* CONFIG_PASN */ 180 } 181 182 hostapd_config_defaults(void)183 struct hostapd_config * hostapd_config_defaults(void) 184 { 185 #define ecw2cw(ecw) ((1 << (ecw)) - 1) 186 187 struct hostapd_config *conf; 188 struct hostapd_bss_config *bss; 189 const int aCWmin = 4, aCWmax = 10; 190 const struct hostapd_wmm_ac_params ac_bk = 191 { aCWmin, aCWmax, 7, 0, 0 }; /* background traffic */ 192 const struct hostapd_wmm_ac_params ac_be = 193 { aCWmin, aCWmax, 3, 0, 0 }; /* best effort traffic */ 194 const struct hostapd_wmm_ac_params ac_vi = /* video traffic */ 195 { aCWmin - 1, aCWmin, 2, 3008 / 32, 0 }; 196 const struct hostapd_wmm_ac_params ac_vo = /* voice traffic */ 197 { aCWmin - 2, aCWmin - 1, 2, 1504 / 32, 0 }; 198 const struct hostapd_tx_queue_params txq_bk = 199 { 7, ecw2cw(aCWmin), ecw2cw(aCWmax), 0 }; 200 const struct hostapd_tx_queue_params txq_be = 201 { 3, ecw2cw(aCWmin), 4 * (ecw2cw(aCWmin) + 1) - 1, 0}; 202 const struct hostapd_tx_queue_params txq_vi = 203 { 1, (ecw2cw(aCWmin) + 1) / 2 - 1, ecw2cw(aCWmin), 30}; 204 const struct hostapd_tx_queue_params txq_vo = 205 { 1, (ecw2cw(aCWmin) + 1) / 4 - 1, 206 (ecw2cw(aCWmin) + 1) / 2 - 1, 15}; 207 208 #undef ecw2cw 209 210 conf = os_zalloc(sizeof(*conf)); 211 bss = os_zalloc(sizeof(*bss)); 212 if (conf == NULL || bss == NULL) { 213 wpa_printf(MSG_ERROR, "Failed to allocate memory for " 214 "configuration data."); 215 os_free(conf); 216 os_free(bss); 217 return NULL; 218 } 219 conf->bss = os_calloc(1, sizeof(struct hostapd_bss_config *)); 220 if (conf->bss == NULL) { 221 os_free(conf); 222 os_free(bss); 223 return NULL; 224 } 225 conf->bss[0] = bss; 226 227 bss->radius = os_zalloc(sizeof(*bss->radius)); 228 if (bss->radius == NULL) { 229 os_free(conf->bss); 230 os_free(conf); 231 os_free(bss); 232 return NULL; 233 } 234 235 hostapd_config_defaults_bss(bss); 236 237 conf->num_bss = 1; 238 239 conf->beacon_int = 100; 240 conf->rts_threshold = -2; /* use driver default: 2347 */ 241 conf->fragm_threshold = -2; /* user driver default: 2346 */ 242 /* Set to invalid value means do not add Power Constraint IE */ 243 conf->local_pwr_constraint = -1; 244 245 conf->wmm_ac_params[0] = ac_be; 246 conf->wmm_ac_params[1] = ac_bk; 247 conf->wmm_ac_params[2] = ac_vi; 248 conf->wmm_ac_params[3] = ac_vo; 249 250 conf->tx_queue[0] = txq_vo; 251 conf->tx_queue[1] = txq_vi; 252 conf->tx_queue[2] = txq_be; 253 conf->tx_queue[3] = txq_bk; 254 255 conf->ht_capab = HT_CAP_INFO_SMPS_DISABLED; 256 257 conf->ap_table_max_size = 255; 258 conf->ap_table_expiration_time = 60; 259 conf->track_sta_max_age = 180; 260 261 #ifdef CONFIG_TESTING_OPTIONS 262 conf->ignore_probe_probability = 0.0; 263 conf->ignore_auth_probability = 0.0; 264 conf->ignore_assoc_probability = 0.0; 265 conf->ignore_reassoc_probability = 0.0; 266 conf->corrupt_gtk_rekey_mic_probability = 0.0; 267 conf->ecsa_ie_only = 0; 268 #endif /* CONFIG_TESTING_OPTIONS */ 269 270 conf->acs = 0; 271 conf->acs_ch_list.num = 0; 272 #ifdef CONFIG_ACS 273 conf->acs_num_scans = 5; 274 #endif /* CONFIG_ACS */ 275 276 #ifdef CONFIG_IEEE80211AX 277 conf->he_op.he_rts_threshold = HE_OPERATION_RTS_THRESHOLD_MASK >> 278 HE_OPERATION_RTS_THRESHOLD_OFFSET; 279 /* Set default basic MCS/NSS set to single stream MCS 0-7 */ 280 conf->he_op.he_basic_mcs_nss_set = 0xfffc; 281 conf->he_op.he_bss_color_disabled = 1; 282 conf->he_op.he_bss_color_partial = 0; 283 conf->he_op.he_bss_color = os_random() % 63 + 1; 284 conf->he_op.he_twt_responder = 1; 285 conf->he_6ghz_max_mpdu = 2; 286 conf->he_6ghz_max_ampdu_len_exp = 7; 287 conf->he_6ghz_rx_ant_pat = 1; 288 conf->he_6ghz_tx_ant_pat = 1; 289 conf->he_6ghz_reg_pwr_type = HE_REG_INFO_6GHZ_AP_TYPE_VLP; 290 conf->reg_def_cli_eirp_psd = -1; 291 conf->reg_sub_cli_eirp_psd = -1; 292 conf->reg_def_cli_eirp = -1; 293 #endif /* CONFIG_IEEE80211AX */ 294 295 /* The third octet of the country string uses an ASCII space character 296 * by default to indicate that the regulations encompass all 297 * environments for the current frequency band in the country. */ 298 conf->country[2] = ' '; 299 300 conf->rssi_reject_assoc_rssi = 0; 301 conf->rssi_reject_assoc_timeout = 30; 302 303 #ifdef CONFIG_AIRTIME_POLICY 304 conf->airtime_update_interval = AIRTIME_DEFAULT_UPDATE_INTERVAL; 305 #endif /* CONFIG_AIRTIME_POLICY */ 306 307 hostapd_set_and_check_bw320_offset(conf, 0); 308 309 return conf; 310 } 311 312 hostapd_mac_comp(const void * a,const void * b)313 int hostapd_mac_comp(const void *a, const void *b) 314 { 315 return os_memcmp(a, b, sizeof(macaddr)); 316 } 317 318 hostapd_config_read_wpa_psk(const char * fname,struct hostapd_ssid * ssid)319 static int hostapd_config_read_wpa_psk(const char *fname, 320 struct hostapd_ssid *ssid) 321 { 322 FILE *f; 323 char buf[128], *pos; 324 const char *keyid; 325 char *context; 326 char *context2; 327 char *token; 328 char *name; 329 char *value; 330 int line = 0, ret = 0, len, ok; 331 u8 addr[ETH_ALEN]; 332 struct hostapd_wpa_psk *psk; 333 334 if (!fname) 335 return 0; 336 337 f = fopen(fname, "r"); 338 if (!f) { 339 wpa_printf(MSG_ERROR, "WPA PSK file '%s' not found.", fname); 340 return -1; 341 } 342 343 while (fgets(buf, sizeof(buf), f)) { 344 int vlan_id = 0; 345 int wps = 0; 346 347 line++; 348 349 if (buf[0] == '#') 350 continue; 351 pos = buf; 352 while (*pos != '\0') { 353 if (*pos == '\n') { 354 *pos = '\0'; 355 break; 356 } 357 pos++; 358 } 359 if (buf[0] == '\0') 360 continue; 361 362 context = NULL; 363 keyid = NULL; 364 while ((token = str_token(buf, " ", &context))) { 365 if (!os_strchr(token, '=')) 366 break; 367 context2 = NULL; 368 name = str_token(token, "=", &context2); 369 if (!name) 370 break; 371 value = str_token(token, "", &context2); 372 if (!value) 373 value = ""; 374 if (!os_strcmp(name, "keyid")) { 375 keyid = value; 376 } else if (!os_strcmp(name, "wps")) { 377 wps = atoi(value); 378 } else if (!os_strcmp(name, "vlanid")) { 379 vlan_id = atoi(value); 380 } else { 381 wpa_printf(MSG_ERROR, 382 "Unrecognized '%s=%s' on line %d in '%s'", 383 name, value, line, fname); 384 ret = -1; 385 break; 386 } 387 } 388 389 if (ret == -1) 390 break; 391 392 if (!token) 393 token = ""; 394 if (hwaddr_aton(token, addr)) { 395 wpa_printf(MSG_ERROR, 396 "Invalid MAC address '%s' on line %d in '%s'", 397 token, line, fname); 398 ret = -1; 399 break; 400 } 401 402 psk = os_zalloc(sizeof(*psk)); 403 if (psk == NULL) { 404 wpa_printf(MSG_ERROR, "WPA PSK allocation failed"); 405 ret = -1; 406 break; 407 } 408 psk->vlan_id = vlan_id; 409 if (is_zero_ether_addr(addr)) 410 psk->group = 1; 411 else 412 os_memcpy(psk->addr, addr, ETH_ALEN); 413 414 pos = str_token(buf, "", &context); 415 if (!pos) { 416 wpa_printf(MSG_ERROR, "No PSK on line %d in '%s'", 417 line, fname); 418 os_free(psk); 419 ret = -1; 420 break; 421 } 422 423 ok = 0; 424 len = os_strlen(pos); 425 if (len == 2 * PMK_LEN && 426 hexstr2bin(pos, psk->psk, PMK_LEN) == 0) 427 ok = 1; 428 else if (len >= 8 && len < 64 && 429 pbkdf2_sha1(pos, ssid->ssid, ssid->ssid_len, 430 4096, psk->psk, PMK_LEN) == 0) 431 ok = 1; 432 if (!ok) { 433 wpa_printf(MSG_ERROR, 434 "Invalid PSK '%s' on line %d in '%s'", 435 pos, line, fname); 436 os_free(psk); 437 ret = -1; 438 break; 439 } 440 441 if (keyid) { 442 len = os_strlcpy(psk->keyid, keyid, sizeof(psk->keyid)); 443 if ((size_t) len >= sizeof(psk->keyid)) { 444 wpa_printf(MSG_ERROR, 445 "PSK keyid too long on line %d in '%s'", 446 line, fname); 447 os_free(psk); 448 ret = -1; 449 break; 450 } 451 } 452 453 psk->wps = wps; 454 455 psk->next = ssid->wpa_psk; 456 ssid->wpa_psk = psk; 457 } 458 459 fclose(f); 460 461 return ret; 462 } 463 464 hostapd_derive_psk(struct hostapd_ssid * ssid)465 static int hostapd_derive_psk(struct hostapd_ssid *ssid) 466 { 467 ssid->wpa_psk = os_zalloc(sizeof(struct hostapd_wpa_psk)); 468 if (ssid->wpa_psk == NULL) { 469 wpa_printf(MSG_ERROR, "Unable to alloc space for PSK"); 470 return -1; 471 } 472 wpa_hexdump_ascii(MSG_DEBUG, "SSID", 473 (u8 *) ssid->ssid, ssid->ssid_len); 474 wpa_hexdump_ascii_key(MSG_DEBUG, "PSK (ASCII passphrase)", 475 (u8 *) ssid->wpa_passphrase, 476 os_strlen(ssid->wpa_passphrase)); 477 if (pbkdf2_sha1(ssid->wpa_passphrase, 478 ssid->ssid, ssid->ssid_len, 479 4096, ssid->wpa_psk->psk, PMK_LEN) != 0) { 480 wpa_printf(MSG_ERROR, "Error in pbkdf2_sha1()"); 481 return -1; 482 } 483 wpa_hexdump_key(MSG_DEBUG, "PSK (from passphrase)", 484 ssid->wpa_psk->psk, PMK_LEN); 485 return 0; 486 } 487 488 hostapd_setup_sae_pt(struct hostapd_bss_config * conf)489 int hostapd_setup_sae_pt(struct hostapd_bss_config *conf) 490 { 491 #ifdef CONFIG_SAE 492 struct hostapd_ssid *ssid = &conf->ssid; 493 struct sae_password_entry *pw; 494 int *groups = conf->sae_groups; 495 int default_groups[] = { 19, 0, 0 }; 496 497 if ((conf->sae_pwe == SAE_PWE_HUNT_AND_PECK && 498 !hostapd_sae_pw_id_in_use(conf) && 499 !wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt | 500 conf->rsn_override_key_mgmt | 501 conf->rsn_override_key_mgmt_2) && 502 !hostapd_sae_pk_in_use(conf)) || 503 conf->sae_pwe == SAE_PWE_FORCE_HUNT_AND_PECK || 504 !wpa_key_mgmt_sae(conf->wpa_key_mgmt | 505 conf->rsn_override_key_mgmt | 506 conf->rsn_override_key_mgmt_2)) 507 return 0; /* PT not needed */ 508 509 if (!groups) { 510 groups = default_groups; 511 if (wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt | 512 conf->rsn_override_key_mgmt | 513 conf->rsn_override_key_mgmt_2)) 514 default_groups[1] = 20; 515 } 516 517 sae_deinit_pt(ssid->pt); 518 ssid->pt = NULL; 519 if (ssid->wpa_passphrase) { 520 ssid->pt = sae_derive_pt(groups, ssid->ssid, ssid->ssid_len, 521 (const u8 *) ssid->wpa_passphrase, 522 os_strlen(ssid->wpa_passphrase), 523 NULL); 524 if (!ssid->pt) 525 return -1; 526 } 527 528 for (pw = conf->sae_passwords; pw; pw = pw->next) { 529 sae_deinit_pt(pw->pt); 530 pw->pt = sae_derive_pt(groups, ssid->ssid, ssid->ssid_len, 531 (const u8 *) pw->password, 532 os_strlen(pw->password), 533 pw->identifier); 534 if (!pw->pt) 535 return -1; 536 } 537 #endif /* CONFIG_SAE */ 538 539 return 0; 540 } 541 542 hostapd_setup_wpa_psk(struct hostapd_bss_config * conf)543 int hostapd_setup_wpa_psk(struct hostapd_bss_config *conf) 544 { 545 struct hostapd_ssid *ssid = &conf->ssid; 546 547 if (hostapd_setup_sae_pt(conf) < 0) 548 return -1; 549 550 if (ssid->wpa_passphrase != NULL) { 551 if (ssid->wpa_psk != NULL) { 552 wpa_printf(MSG_DEBUG, "Using pre-configured WPA PSK " 553 "instead of passphrase"); 554 } else { 555 wpa_printf(MSG_DEBUG, "Deriving WPA PSK based on " 556 "passphrase"); 557 if (hostapd_derive_psk(ssid) < 0) 558 return -1; 559 } 560 ssid->wpa_psk->group = 1; 561 } 562 563 return hostapd_config_read_wpa_psk(ssid->wpa_psk_file, &conf->ssid); 564 } 565 566 hostapd_config_free_radius(struct hostapd_radius_server * servers,int num_servers)567 static void hostapd_config_free_radius(struct hostapd_radius_server *servers, 568 int num_servers) 569 { 570 int i; 571 572 for (i = 0; i < num_servers; i++) { 573 os_free(servers[i].shared_secret); 574 os_free(servers[i].ca_cert); 575 os_free(servers[i].client_cert); 576 os_free(servers[i].private_key); 577 os_free(servers[i].private_key_passwd); 578 } 579 os_free(servers); 580 } 581 582 583 struct hostapd_radius_attr * hostapd_config_get_radius_attr(struct hostapd_radius_attr * attr,u8 type)584 hostapd_config_get_radius_attr(struct hostapd_radius_attr *attr, u8 type) 585 { 586 for (; attr; attr = attr->next) { 587 if (attr->type == type) 588 return attr; 589 } 590 return NULL; 591 } 592 593 hostapd_parse_radius_attr(const char * value)594 struct hostapd_radius_attr * hostapd_parse_radius_attr(const char *value) 595 { 596 const char *pos; 597 char syntax; 598 struct hostapd_radius_attr *attr; 599 size_t len; 600 601 attr = os_zalloc(sizeof(*attr)); 602 if (!attr) 603 return NULL; 604 605 attr->type = atoi(value); 606 607 pos = os_strchr(value, ':'); 608 if (!pos) { 609 attr->val = wpabuf_alloc(1); 610 if (!attr->val) { 611 os_free(attr); 612 return NULL; 613 } 614 wpabuf_put_u8(attr->val, 0); 615 return attr; 616 } 617 618 pos++; 619 if (pos[0] == '\0' || pos[1] != ':') { 620 os_free(attr); 621 return NULL; 622 } 623 syntax = *pos++; 624 pos++; 625 626 switch (syntax) { 627 case 's': 628 attr->val = wpabuf_alloc_copy(pos, os_strlen(pos)); 629 break; 630 case 'x': 631 len = os_strlen(pos); 632 if (len & 1) 633 break; 634 len /= 2; 635 attr->val = wpabuf_alloc(len); 636 if (!attr->val) 637 break; 638 if (hexstr2bin(pos, wpabuf_put(attr->val, len), len) < 0) { 639 wpabuf_free(attr->val); 640 os_free(attr); 641 return NULL; 642 } 643 break; 644 case 'd': 645 attr->val = wpabuf_alloc(4); 646 if (attr->val) 647 wpabuf_put_be32(attr->val, atoi(pos)); 648 break; 649 default: 650 os_free(attr); 651 return NULL; 652 } 653 654 if (!attr->val) { 655 os_free(attr); 656 return NULL; 657 } 658 659 return attr; 660 } 661 662 hostapd_config_free_radius_attr(struct hostapd_radius_attr * attr)663 void hostapd_config_free_radius_attr(struct hostapd_radius_attr *attr) 664 { 665 struct hostapd_radius_attr *prev; 666 667 while (attr) { 668 prev = attr; 669 attr = attr->next; 670 wpabuf_free(prev->val); 671 os_free(prev); 672 } 673 } 674 675 hostapd_config_free_eap_user(struct hostapd_eap_user * user)676 void hostapd_config_free_eap_user(struct hostapd_eap_user *user) 677 { 678 hostapd_config_free_radius_attr(user->accept_attr); 679 os_free(user->identity); 680 bin_clear_free(user->password, user->password_len); 681 bin_clear_free(user->salt, user->salt_len); 682 os_free(user); 683 } 684 685 hostapd_config_free_eap_users(struct hostapd_eap_user * user)686 void hostapd_config_free_eap_users(struct hostapd_eap_user *user) 687 { 688 struct hostapd_eap_user *prev_user; 689 690 while (user) { 691 prev_user = user; 692 user = user->next; 693 hostapd_config_free_eap_user(prev_user); 694 } 695 } 696 697 698 #ifdef CONFIG_WEP hostapd_config_free_wep(struct hostapd_wep_keys * keys)699 static void hostapd_config_free_wep(struct hostapd_wep_keys *keys) 700 { 701 int i; 702 for (i = 0; i < NUM_WEP_KEYS; i++) { 703 bin_clear_free(keys->key[i], keys->len[i]); 704 keys->key[i] = NULL; 705 } 706 } 707 #endif /* CONFIG_WEP */ 708 709 hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk ** l)710 void hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk **l) 711 { 712 struct hostapd_wpa_psk *psk, *tmp; 713 714 for (psk = *l; psk;) { 715 tmp = psk; 716 psk = psk->next; 717 bin_clear_free(tmp, sizeof(*tmp)); 718 } 719 *l = NULL; 720 } 721 722 723 #ifdef CONFIG_IEEE80211R_AP 724 hostapd_config_clear_rxkhs(struct hostapd_bss_config * conf)725 void hostapd_config_clear_rxkhs(struct hostapd_bss_config *conf) 726 { 727 struct ft_remote_r0kh *r0kh, *r0kh_prev; 728 struct ft_remote_r1kh *r1kh, *r1kh_prev; 729 730 r0kh = conf->r0kh_list; 731 conf->r0kh_list = NULL; 732 while (r0kh) { 733 r0kh_prev = r0kh; 734 r0kh = r0kh->next; 735 os_free(r0kh_prev); 736 } 737 738 r1kh = conf->r1kh_list; 739 conf->r1kh_list = NULL; 740 while (r1kh) { 741 r1kh_prev = r1kh; 742 r1kh = r1kh->next; 743 os_free(r1kh_prev); 744 } 745 } 746 747 #endif /* CONFIG_IEEE80211R_AP */ 748 749 hostapd_config_free_anqp_elem(struct hostapd_bss_config * conf)750 static void hostapd_config_free_anqp_elem(struct hostapd_bss_config *conf) 751 { 752 struct anqp_element *elem; 753 754 while ((elem = dl_list_first(&conf->anqp_elem, struct anqp_element, 755 list))) { 756 dl_list_del(&elem->list); 757 wpabuf_free(elem->payload); 758 os_free(elem); 759 } 760 } 761 762 hostapd_config_free_fils_realms(struct hostapd_bss_config * conf)763 static void hostapd_config_free_fils_realms(struct hostapd_bss_config *conf) 764 { 765 #ifdef CONFIG_FILS 766 struct fils_realm *realm; 767 768 while ((realm = dl_list_first(&conf->fils_realms, struct fils_realm, 769 list))) { 770 dl_list_del(&realm->list); 771 os_free(realm); 772 } 773 #endif /* CONFIG_FILS */ 774 } 775 776 hostapd_config_free_sae_passwords(struct hostapd_bss_config * conf)777 static void hostapd_config_free_sae_passwords(struct hostapd_bss_config *conf) 778 { 779 struct sae_password_entry *pw, *tmp; 780 781 pw = conf->sae_passwords; 782 conf->sae_passwords = NULL; 783 while (pw) { 784 tmp = pw; 785 pw = pw->next; 786 str_clear_free(tmp->password); 787 os_free(tmp->identifier); 788 #ifdef CONFIG_SAE 789 sae_deinit_pt(tmp->pt); 790 #endif /* CONFIG_SAE */ 791 #ifdef CONFIG_SAE_PK 792 sae_deinit_pk(tmp->pk); 793 #endif /* CONFIG_SAE_PK */ 794 os_free(tmp->success_mac); 795 os_free(tmp->fail_mac); 796 os_free(tmp); 797 } 798 } 799 800 801 #ifdef CONFIG_DPP2 hostapd_dpp_controller_conf_free(struct dpp_controller_conf * conf)802 static void hostapd_dpp_controller_conf_free(struct dpp_controller_conf *conf) 803 { 804 struct dpp_controller_conf *prev; 805 806 while (conf) { 807 prev = conf; 808 conf = conf->next; 809 os_free(prev); 810 } 811 } 812 #endif /* CONFIG_DPP2 */ 813 814 hostapd_config_free_bss(struct hostapd_bss_config * conf)815 void hostapd_config_free_bss(struct hostapd_bss_config *conf) 816 { 817 #if defined(CONFIG_WPS) || defined(CONFIG_HS20) 818 size_t i; 819 #endif 820 821 if (conf == NULL) 822 return; 823 824 hostapd_config_clear_wpa_psk(&conf->ssid.wpa_psk); 825 826 str_clear_free(conf->ssid.wpa_passphrase); 827 os_free(conf->ssid.wpa_psk_file); 828 #ifdef CONFIG_WEP 829 hostapd_config_free_wep(&conf->ssid.wep); 830 #endif /* CONFIG_WEP */ 831 #ifdef CONFIG_FULL_DYNAMIC_VLAN 832 os_free(conf->ssid.vlan_tagged_interface); 833 #endif /* CONFIG_FULL_DYNAMIC_VLAN */ 834 #ifdef CONFIG_SAE 835 sae_deinit_pt(conf->ssid.pt); 836 #endif /* CONFIG_SAE */ 837 838 hostapd_config_free_eap_users(conf->eap_user); 839 os_free(conf->eap_user_sqlite); 840 841 os_free(conf->eap_req_id_text); 842 os_free(conf->erp_domain); 843 os_free(conf->accept_mac); 844 os_free(conf->deny_mac); 845 os_free(conf->nas_identifier); 846 if (conf->radius) { 847 hostapd_config_free_radius(conf->radius->auth_servers, 848 conf->radius->num_auth_servers); 849 hostapd_config_free_radius(conf->radius->acct_servers, 850 conf->radius->num_acct_servers); 851 os_free(conf->radius->force_client_dev); 852 } 853 hostapd_config_free_radius_attr(conf->radius_auth_req_attr); 854 hostapd_config_free_radius_attr(conf->radius_acct_req_attr); 855 os_free(conf->radius_req_attr_sqlite); 856 os_free(conf->rsn_preauth_interfaces); 857 os_free(conf->ctrl_interface); 858 os_free(conf->config_id); 859 os_free(conf->ca_cert); 860 os_free(conf->server_cert); 861 os_free(conf->server_cert2); 862 os_free(conf->private_key); 863 os_free(conf->private_key2); 864 os_free(conf->private_key_passwd); 865 os_free(conf->private_key_passwd2); 866 os_free(conf->check_cert_subject); 867 os_free(conf->ocsp_stapling_response); 868 os_free(conf->ocsp_stapling_response_multi); 869 os_free(conf->dh_file); 870 os_free(conf->openssl_ciphers); 871 os_free(conf->openssl_ecdh_curves); 872 os_free(conf->pac_opaque_encr_key); 873 os_free(conf->eap_fast_a_id); 874 os_free(conf->eap_fast_a_id_info); 875 os_free(conf->eap_sim_db); 876 os_free(conf->imsi_privacy_key); 877 os_free(conf->radius_server_clients); 878 os_free(conf->radius); 879 os_free(conf->radius_das_shared_secret); 880 hostapd_config_free_vlan(conf); 881 os_free(conf->time_zone); 882 883 #ifdef CONFIG_IEEE80211R_AP 884 hostapd_config_clear_rxkhs(conf); 885 os_free(conf->rxkh_file); 886 conf->rxkh_file = NULL; 887 #endif /* CONFIG_IEEE80211R_AP */ 888 889 #ifdef CONFIG_WPS 890 os_free(conf->wps_pin_requests); 891 os_free(conf->device_name); 892 os_free(conf->manufacturer); 893 os_free(conf->model_name); 894 os_free(conf->model_number); 895 os_free(conf->serial_number); 896 os_free(conf->config_methods); 897 os_free(conf->ap_pin); 898 os_free(conf->extra_cred); 899 os_free(conf->ap_settings); 900 hostapd_config_clear_wpa_psk(&conf->multi_ap_backhaul_ssid.wpa_psk); 901 str_clear_free(conf->multi_ap_backhaul_ssid.wpa_passphrase); 902 os_free(conf->upnp_iface); 903 os_free(conf->friendly_name); 904 os_free(conf->manufacturer_url); 905 os_free(conf->model_description); 906 os_free(conf->model_url); 907 os_free(conf->upc); 908 for (i = 0; i < MAX_WPS_VENDOR_EXTENSIONS; i++) 909 wpabuf_free(conf->wps_vendor_ext[i]); 910 wpabuf_free(conf->wps_application_ext); 911 wpabuf_free(conf->wps_nfc_dh_pubkey); 912 wpabuf_free(conf->wps_nfc_dh_privkey); 913 wpabuf_free(conf->wps_nfc_dev_pw); 914 #endif /* CONFIG_WPS */ 915 916 os_free(conf->roaming_consortium); 917 os_free(conf->venue_name); 918 os_free(conf->venue_url); 919 os_free(conf->nai_realm_data); 920 os_free(conf->network_auth_type); 921 os_free(conf->anqp_3gpp_cell_net); 922 os_free(conf->domain_name); 923 hostapd_config_free_anqp_elem(conf); 924 925 #ifdef CONFIG_RADIUS_TEST 926 os_free(conf->dump_msk_file); 927 #endif /* CONFIG_RADIUS_TEST */ 928 929 #ifdef CONFIG_HS20 930 os_free(conf->hs20_oper_friendly_name); 931 os_free(conf->hs20_wan_metrics); 932 os_free(conf->hs20_connection_capability); 933 os_free(conf->hs20_operating_class); 934 os_free(conf->t_c_filename); 935 os_free(conf->t_c_server_url); 936 #endif /* CONFIG_HS20 */ 937 938 wpabuf_free(conf->vendor_elements); 939 wpabuf_free(conf->assocresp_elements); 940 941 os_free(conf->sae_groups); 942 #ifdef CONFIG_OWE 943 os_free(conf->owe_groups); 944 #endif /* CONFIG_OWE */ 945 946 os_free(conf->wowlan_triggers); 947 948 os_free(conf->server_id); 949 950 #ifdef CONFIG_TESTING_OPTIONS 951 wpabuf_free(conf->own_ie_override); 952 wpabuf_free(conf->rsne_override); 953 wpabuf_free(conf->rsnoe_override); 954 wpabuf_free(conf->rsno2e_override); 955 wpabuf_free(conf->rsnxe_override); 956 wpabuf_free(conf->rsnxoe_override); 957 wpabuf_free(conf->sae_commit_override); 958 wpabuf_free(conf->rsne_override_eapol); 959 wpabuf_free(conf->rsnxe_override_eapol); 960 wpabuf_free(conf->rsne_override_ft); 961 wpabuf_free(conf->rsnxe_override_ft); 962 wpabuf_free(conf->gtk_rsc_override); 963 wpabuf_free(conf->igtk_rsc_override); 964 wpabuf_free(conf->eapol_m1_elements); 965 wpabuf_free(conf->eapol_m3_elements); 966 wpabuf_free(conf->presp_elements); 967 #endif /* CONFIG_TESTING_OPTIONS */ 968 969 os_free(conf->no_probe_resp_if_seen_on); 970 os_free(conf->no_auth_if_seen_on); 971 972 hostapd_config_free_fils_realms(conf); 973 974 #ifdef CONFIG_DPP 975 os_free(conf->dpp_name); 976 os_free(conf->dpp_mud_url); 977 os_free(conf->dpp_extra_conf_req_name); 978 os_free(conf->dpp_extra_conf_req_value); 979 os_free(conf->dpp_connector); 980 wpabuf_free(conf->dpp_netaccesskey); 981 wpabuf_free(conf->dpp_csign); 982 #ifdef CONFIG_DPP2 983 hostapd_dpp_controller_conf_free(conf->dpp_controller); 984 #endif /* CONFIG_DPP2 */ 985 #endif /* CONFIG_DPP */ 986 987 hostapd_config_free_sae_passwords(conf); 988 989 #ifdef CONFIG_AIRTIME_POLICY 990 { 991 struct airtime_sta_weight *wt, *wt_prev; 992 993 wt = conf->airtime_weight_list; 994 conf->airtime_weight_list = NULL; 995 while (wt) { 996 wt_prev = wt; 997 wt = wt->next; 998 os_free(wt_prev); 999 } 1000 } 1001 #endif /* CONFIG_AIRTIME_POLICY */ 1002 1003 #ifdef CONFIG_PASN 1004 os_free(conf->pasn_groups); 1005 #endif /* CONFIG_PASN */ 1006 1007 os_free(conf); 1008 } 1009 1010 1011 /** 1012 * hostapd_config_free - Free hostapd configuration 1013 * @conf: Configuration data from hostapd_config_read(). 1014 */ hostapd_config_free(struct hostapd_config * conf)1015 void hostapd_config_free(struct hostapd_config *conf) 1016 { 1017 size_t i; 1018 1019 if (conf == NULL) 1020 return; 1021 1022 for (i = 0; i < conf->num_bss; i++) 1023 hostapd_config_free_bss(conf->bss[i]); 1024 os_free(conf->bss); 1025 os_free(conf->supported_rates); 1026 os_free(conf->basic_rates); 1027 os_free(conf->acs_ch_list.range); 1028 os_free(conf->acs_freq_list.range); 1029 os_free(conf->driver_params); 1030 #ifdef CONFIG_ACS 1031 os_free(conf->acs_chan_bias); 1032 #endif /* CONFIG_ACS */ 1033 wpabuf_free(conf->lci); 1034 wpabuf_free(conf->civic); 1035 1036 os_free(conf); 1037 } 1038 1039 1040 /** 1041 * hostapd_maclist_found - Find a MAC address from a list 1042 * @list: MAC address list 1043 * @num_entries: Number of addresses in the list 1044 * @addr: Address to search for 1045 * @vlan_id: Buffer for returning VLAN ID or %NULL if not needed 1046 * Returns: 1 if address is in the list or 0 if not. 1047 * 1048 * Perform a binary search for given MAC address from a pre-sorted list. 1049 */ hostapd_maclist_found(struct mac_acl_entry * list,int num_entries,const u8 * addr,struct vlan_description * vlan_id)1050 int hostapd_maclist_found(struct mac_acl_entry *list, int num_entries, 1051 const u8 *addr, struct vlan_description *vlan_id) 1052 { 1053 int start, end, middle, res; 1054 1055 start = 0; 1056 end = num_entries - 1; 1057 1058 while (start <= end) { 1059 middle = (start + end) / 2; 1060 res = os_memcmp(list[middle].addr, addr, ETH_ALEN); 1061 if (res == 0) { 1062 if (vlan_id) 1063 *vlan_id = list[middle].vlan_id; 1064 return 1; 1065 } 1066 if (res < 0) 1067 start = middle + 1; 1068 else 1069 end = middle - 1; 1070 } 1071 1072 return 0; 1073 } 1074 1075 hostapd_rate_found(int * list,int rate)1076 int hostapd_rate_found(int *list, int rate) 1077 { 1078 int i; 1079 1080 if (list == NULL) 1081 return 0; 1082 1083 for (i = 0; list[i] >= 0; i++) 1084 if (list[i] == rate) 1085 return 1; 1086 1087 return 0; 1088 } 1089 1090 hostapd_vlan_valid(struct hostapd_vlan * vlan,struct vlan_description * vlan_desc)1091 int hostapd_vlan_valid(struct hostapd_vlan *vlan, 1092 struct vlan_description *vlan_desc) 1093 { 1094 struct hostapd_vlan *v = vlan; 1095 int i; 1096 1097 if (!vlan_desc->notempty || vlan_desc->untagged < 0 || 1098 vlan_desc->untagged > MAX_VLAN_ID) 1099 return 0; 1100 for (i = 0; i < MAX_NUM_TAGGED_VLAN; i++) { 1101 if (vlan_desc->tagged[i] < 0 || 1102 vlan_desc->tagged[i] > MAX_VLAN_ID) 1103 return 0; 1104 } 1105 if (!vlan_desc->untagged && !vlan_desc->tagged[0]) 1106 return 0; 1107 1108 while (v) { 1109 if (!vlan_compare(&v->vlan_desc, vlan_desc) || 1110 v->vlan_id == VLAN_ID_WILDCARD) 1111 return 1; 1112 v = v->next; 1113 } 1114 return 0; 1115 } 1116 1117 hostapd_get_vlan_id_ifname(struct hostapd_vlan * vlan,int vlan_id)1118 const char * hostapd_get_vlan_id_ifname(struct hostapd_vlan *vlan, int vlan_id) 1119 { 1120 struct hostapd_vlan *v = vlan; 1121 while (v) { 1122 if (v->vlan_id == vlan_id) 1123 return v->ifname; 1124 v = v->next; 1125 } 1126 return NULL; 1127 } 1128 1129 hostapd_get_psk(const struct hostapd_bss_config * conf,const u8 * addr,const u8 * p2p_dev_addr,const u8 * prev_psk,int * vlan_id)1130 const u8 * hostapd_get_psk(const struct hostapd_bss_config *conf, 1131 const u8 *addr, const u8 *p2p_dev_addr, 1132 const u8 *prev_psk, int *vlan_id) 1133 { 1134 struct hostapd_wpa_psk *psk; 1135 int next_ok = prev_psk == NULL; 1136 1137 if (vlan_id) 1138 *vlan_id = 0; 1139 1140 if (p2p_dev_addr && !is_zero_ether_addr(p2p_dev_addr)) { 1141 wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR 1142 " p2p_dev_addr=" MACSTR " prev_psk=%p", 1143 MAC2STR(addr), MAC2STR(p2p_dev_addr), prev_psk); 1144 addr = NULL; /* Use P2P Device Address for matching */ 1145 } else { 1146 wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR 1147 " prev_psk=%p", 1148 MAC2STR(addr), prev_psk); 1149 } 1150 1151 for (psk = conf->ssid.wpa_psk; psk != NULL; psk = psk->next) { 1152 if (next_ok && 1153 (psk->group || 1154 (addr && ether_addr_equal(psk->addr, addr)) || 1155 (!addr && p2p_dev_addr && 1156 ether_addr_equal(psk->p2p_dev_addr, p2p_dev_addr)))) { 1157 if (vlan_id) 1158 *vlan_id = psk->vlan_id; 1159 return psk->psk; 1160 } 1161 1162 if (psk->psk == prev_psk) 1163 next_ok = 1; 1164 } 1165 1166 return NULL; 1167 } 1168 1169 1170 #ifdef CONFIG_SAE_PK hostapd_sae_pk_password_without_pk(struct hostapd_bss_config * bss)1171 static bool hostapd_sae_pk_password_without_pk(struct hostapd_bss_config *bss) 1172 { 1173 struct sae_password_entry *pw; 1174 bool res = false; 1175 1176 if (bss->ssid.wpa_passphrase && 1177 #ifdef CONFIG_TESTING_OPTIONS 1178 !bss->sae_pk_password_check_skip && 1179 #endif /* CONFIG_TESTING_OPTIONS */ 1180 sae_pk_valid_password(bss->ssid.wpa_passphrase)) 1181 res = true; 1182 1183 for (pw = bss->sae_passwords; pw; pw = pw->next) { 1184 if (!pw->pk && 1185 #ifdef CONFIG_TESTING_OPTIONS 1186 !bss->sae_pk_password_check_skip && 1187 #endif /* CONFIG_TESTING_OPTIONS */ 1188 sae_pk_valid_password(pw->password)) 1189 return true; 1190 1191 if (bss->ssid.wpa_passphrase && res && pw->pk && 1192 os_strcmp(bss->ssid.wpa_passphrase, pw->password) == 0) 1193 res = false; 1194 } 1195 1196 return res; 1197 } 1198 #endif /* CONFIG_SAE_PK */ 1199 1200 hostapd_config_check_bss_6g(struct hostapd_bss_config * bss)1201 static bool hostapd_config_check_bss_6g(struct hostapd_bss_config *bss) 1202 { 1203 if (bss->wpa != WPA_PROTO_RSN) { 1204 wpa_printf(MSG_ERROR, 1205 "Pre-RSNA security methods are not allowed in 6 GHz"); 1206 return false; 1207 } 1208 1209 if (bss->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED) { 1210 wpa_printf(MSG_ERROR, 1211 "Management frame protection is required in 6 GHz"); 1212 return false; 1213 } 1214 1215 if (bss->wpa_key_mgmt & (WPA_KEY_MGMT_PSK | 1216 WPA_KEY_MGMT_FT_PSK | 1217 WPA_KEY_MGMT_PSK_SHA256)) { 1218 wpa_printf(MSG_ERROR, "Invalid AKM suite for 6 GHz"); 1219 return false; 1220 } 1221 1222 if (bss->rsn_pairwise & (WPA_CIPHER_WEP40 | 1223 WPA_CIPHER_WEP104 | 1224 WPA_CIPHER_TKIP)) { 1225 wpa_printf(MSG_ERROR, 1226 "Invalid pairwise cipher suite for 6 GHz"); 1227 return false; 1228 } 1229 1230 if (bss->wpa_group & (WPA_CIPHER_WEP40 | 1231 WPA_CIPHER_WEP104 | 1232 WPA_CIPHER_TKIP)) { 1233 wpa_printf(MSG_ERROR, "Invalid group cipher suite for 6 GHz"); 1234 return false; 1235 } 1236 1237 #ifdef CONFIG_SAE 1238 if (wpa_key_mgmt_sae(bss->wpa_key_mgmt) && 1239 bss->sae_pwe == SAE_PWE_HUNT_AND_PECK) { 1240 wpa_printf(MSG_INFO, "SAE: Enabling SAE H2E on 6 GHz"); 1241 bss->sae_pwe = SAE_PWE_BOTH; 1242 } 1243 #endif /* CONFIG_SAE */ 1244 1245 return true; 1246 } 1247 1248 hostapd_config_check_bss(struct hostapd_bss_config * bss,struct hostapd_config * conf,int full_config)1249 static int hostapd_config_check_bss(struct hostapd_bss_config *bss, 1250 struct hostapd_config *conf, 1251 int full_config) 1252 { 1253 if (full_config && is_6ghz_op_class(conf->op_class) && 1254 !hostapd_config_check_bss_6g(bss)) 1255 return -1; 1256 1257 if (full_config && bss->ieee802_1x && !bss->eap_server && 1258 !bss->radius->auth_servers) { 1259 wpa_printf(MSG_ERROR, "Invalid IEEE 802.1X configuration (no " 1260 "EAP authenticator configured)."); 1261 return -1; 1262 } 1263 1264 #ifdef CONFIG_WEP 1265 if (bss->wpa) { 1266 int wep, i; 1267 1268 wep = bss->default_wep_key_len > 0 || 1269 bss->individual_wep_key_len > 0; 1270 for (i = 0; i < NUM_WEP_KEYS; i++) { 1271 if (bss->ssid.wep.keys_set) { 1272 wep = 1; 1273 break; 1274 } 1275 } 1276 1277 if (wep) { 1278 wpa_printf(MSG_ERROR, "WEP configuration in a WPA network is not supported"); 1279 return -1; 1280 } 1281 } 1282 #endif /* CONFIG_WEP */ 1283 1284 if (full_config && bss->wpa && 1285 bss->wpa_psk_radius != PSK_RADIUS_IGNORED && 1286 bss->wpa_psk_radius != PSK_RADIUS_DURING_4WAY_HS && 1287 bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH) { 1288 wpa_printf(MSG_ERROR, "WPA-PSK using RADIUS enabled, but no " 1289 "RADIUS checking (macaddr_acl=2) enabled."); 1290 return -1; 1291 } 1292 1293 if (full_config && bss->wpa && 1294 wpa_key_mgmt_wpa_psk_no_sae(bss->wpa_key_mgmt) && 1295 bss->ssid.wpa_psk == NULL && bss->ssid.wpa_passphrase == NULL && 1296 bss->ssid.wpa_psk_file == NULL && 1297 bss->wpa_psk_radius != PSK_RADIUS_DURING_4WAY_HS && 1298 (bss->wpa_psk_radius != PSK_RADIUS_REQUIRED || 1299 bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH)) { 1300 wpa_printf(MSG_ERROR, "WPA-PSK enabled, but PSK or passphrase " 1301 "is not configured."); 1302 return -1; 1303 } 1304 1305 if (full_config && !is_zero_ether_addr(bss->bssid)) { 1306 size_t i; 1307 1308 for (i = 0; i < conf->num_bss; i++) { 1309 if (conf->bss[i] != bss && 1310 (hostapd_mac_comp(conf->bss[i]->bssid, 1311 bss->bssid) == 0)) { 1312 wpa_printf(MSG_ERROR, "Duplicate BSSID " MACSTR 1313 " on interface '%s' and '%s'.", 1314 MAC2STR(bss->bssid), 1315 conf->bss[i]->iface, bss->iface); 1316 return -1; 1317 } 1318 } 1319 } 1320 1321 #ifdef CONFIG_IEEE80211R_AP 1322 if (full_config && wpa_key_mgmt_ft(bss->wpa_key_mgmt) && 1323 (bss->nas_identifier == NULL || 1324 os_strlen(bss->nas_identifier) < 1 || 1325 os_strlen(bss->nas_identifier) > FT_R0KH_ID_MAX_LEN)) { 1326 wpa_printf(MSG_ERROR, "FT (IEEE 802.11r) requires " 1327 "nas_identifier to be configured as a 1..48 octet " 1328 "string"); 1329 return -1; 1330 } 1331 #endif /* CONFIG_IEEE80211R_AP */ 1332 1333 if (full_config && conf->ieee80211n && 1334 conf->hw_mode == HOSTAPD_MODE_IEEE80211B) { 1335 bss->disable_11n = true; 1336 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) in 11b mode is not " 1337 "allowed, disabling HT capabilities"); 1338 } 1339 1340 #ifdef CONFIG_WEP 1341 if (full_config && conf->ieee80211n && 1342 bss->ssid.security_policy == SECURITY_STATIC_WEP) { 1343 bss->disable_11n = true; 1344 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WEP is not " 1345 "allowed, disabling HT capabilities"); 1346 } 1347 #endif /* CONFIG_WEP */ 1348 1349 if (full_config && conf->ieee80211n && bss->wpa && 1350 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) && 1351 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | 1352 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256))) 1353 { 1354 bss->disable_11n = true; 1355 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WPA/WPA2 " 1356 "requires CCMP/GCMP to be enabled, disabling HT " 1357 "capabilities"); 1358 } 1359 1360 #ifdef CONFIG_IEEE80211AC 1361 #ifdef CONFIG_WEP 1362 if (full_config && conf->ieee80211ac && 1363 bss->ssid.security_policy == SECURITY_STATIC_WEP) { 1364 bss->disable_11ac = true; 1365 wpa_printf(MSG_ERROR, 1366 "VHT (IEEE 802.11ac) with WEP is not allowed, disabling VHT capabilities"); 1367 } 1368 #endif /* CONFIG_WEP */ 1369 1370 if (full_config && conf->ieee80211ac && bss->wpa && 1371 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) && 1372 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | 1373 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256))) 1374 { 1375 bss->disable_11ac = true; 1376 wpa_printf(MSG_ERROR, 1377 "VHT (IEEE 802.11ac) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling VHT capabilities"); 1378 } 1379 #endif /* CONFIG_IEEE80211AC */ 1380 1381 #ifdef CONFIG_IEEE80211AX 1382 #ifdef CONFIG_WEP 1383 if (full_config && conf->ieee80211ax && 1384 bss->ssid.security_policy == SECURITY_STATIC_WEP) { 1385 bss->disable_11ax = true; 1386 wpa_printf(MSG_ERROR, 1387 "HE (IEEE 802.11ax) with WEP is not allowed, disabling HE capabilities"); 1388 } 1389 #endif /* CONFIG_WEP */ 1390 1391 if (full_config && conf->ieee80211ax && bss->wpa && 1392 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) && 1393 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | 1394 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256))) 1395 { 1396 bss->disable_11ax = true; 1397 wpa_printf(MSG_ERROR, 1398 "HE (IEEE 802.11ax) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling HE capabilities"); 1399 } 1400 #endif /* CONFIG_IEEE80211AX */ 1401 1402 #ifdef CONFIG_WPS 1403 if (full_config && bss->wps_state && bss->ignore_broadcast_ssid) { 1404 wpa_printf(MSG_INFO, "WPS: ignore_broadcast_ssid " 1405 "configuration forced WPS to be disabled"); 1406 bss->wps_state = 0; 1407 } 1408 1409 #ifdef CONFIG_WEP 1410 if (full_config && bss->wps_state && 1411 bss->ssid.wep.keys_set && bss->wpa == 0) { 1412 wpa_printf(MSG_INFO, "WPS: WEP configuration forced WPS to be " 1413 "disabled"); 1414 bss->wps_state = 0; 1415 } 1416 #endif /* CONFIG_WEP */ 1417 1418 if (full_config && bss->wps_state && bss->wpa && 1419 (!(bss->wpa & 2) || 1420 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | 1421 WPA_CIPHER_CCMP_256 | 1422 WPA_CIPHER_GCMP_256)))) { 1423 wpa_printf(MSG_INFO, "WPS: WPA/TKIP configuration without " 1424 "WPA2/CCMP/GCMP forced WPS to be disabled"); 1425 bss->wps_state = 0; 1426 } 1427 #endif /* CONFIG_WPS */ 1428 1429 #ifdef CONFIG_HS20 1430 if (full_config && bss->hs20 && 1431 (!(bss->wpa & 2) || 1432 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | 1433 WPA_CIPHER_CCMP_256 | 1434 WPA_CIPHER_GCMP_256)))) { 1435 wpa_printf(MSG_ERROR, "HS 2.0: WPA2-Enterprise/CCMP " 1436 "configuration is required for Hotspot 2.0 " 1437 "functionality"); 1438 return -1; 1439 } 1440 #endif /* CONFIG_HS20 */ 1441 1442 #ifdef CONFIG_MBO 1443 if (full_config && bss->mbo_enabled && (bss->wpa & 2) && 1444 bss->ieee80211w == NO_MGMT_FRAME_PROTECTION) { 1445 wpa_printf(MSG_ERROR, 1446 "MBO: PMF needs to be enabled whenever using WPA2 with MBO"); 1447 return -1; 1448 } 1449 #endif /* CONFIG_MBO */ 1450 1451 #ifdef CONFIG_OCV 1452 if (full_config && bss->ieee80211w == NO_MGMT_FRAME_PROTECTION && 1453 bss->ocv) { 1454 wpa_printf(MSG_ERROR, 1455 "OCV: PMF needs to be enabled whenever using OCV"); 1456 return -1; 1457 } 1458 #endif /* CONFIG_OCV */ 1459 1460 #ifdef CONFIG_SAE_PK 1461 if (full_config && hostapd_sae_pk_in_use(bss) && 1462 hostapd_sae_pk_password_without_pk(bss)) { 1463 wpa_printf(MSG_ERROR, 1464 "SAE-PK: SAE password uses SAE-PK style, but does not have PK configured"); 1465 return -1; 1466 } 1467 #endif /* CONFIG_SAE_PK */ 1468 1469 #ifdef CONFIG_FILS 1470 if (full_config && bss->fils_discovery_max_int && 1471 (!conf->ieee80211ax || bss->disable_11ax)) { 1472 wpa_printf(MSG_ERROR, 1473 "Currently IEEE 802.11ax support is mandatory to enable FILS discovery transmission."); 1474 return -1; 1475 } 1476 1477 if (full_config && bss->fils_discovery_max_int && 1478 bss->unsol_bcast_probe_resp_interval) { 1479 wpa_printf(MSG_ERROR, 1480 "Cannot enable both FILS discovery and unsolicited broadcast Probe Response at the same time"); 1481 return -1; 1482 } 1483 #endif /* CONFIG_FILS */ 1484 1485 #ifdef CONFIG_IEEE80211BE 1486 if (full_config && !bss->disable_11be && bss->disable_11ax) { 1487 bss->disable_11be = true; 1488 wpa_printf(MSG_INFO, 1489 "Disabling IEEE 802.11be as IEEE 802.11ax is disabled for this BSS"); 1490 } 1491 1492 if (full_config && conf->ieee80211be && !bss->disable_11be && 1493 !bss->beacon_prot && ap_pmf_enabled(bss)) { 1494 bss->beacon_prot = 1; 1495 wpa_printf(MSG_INFO, 1496 "Enabling beacon protection as IEEE 802.11be is enabled for this BSS"); 1497 } 1498 #endif /* CONFIG_IEEE80211BE */ 1499 1500 if (full_config && bss->ignore_broadcast_ssid && conf->mbssid) { 1501 wpa_printf(MSG_ERROR, 1502 "Hidden SSID is not suppored when MBSSID is enabled"); 1503 return -1; 1504 } 1505 1506 /* Do not advertise SPP A-MSDU support if not using CCMP/GCMP */ 1507 if (full_config && bss->spp_amsdu && 1508 !(bss->wpa && 1509 bss->rsn_pairwise & (WPA_CIPHER_CCMP_256 | WPA_CIPHER_CCMP | 1510 WPA_CIPHER_GCMP_256 | WPA_CIPHER_GCMP))) 1511 bss->spp_amsdu = false; 1512 1513 return 0; 1514 } 1515 1516 hostapd_config_check_cw(struct hostapd_config * conf,int queue)1517 static int hostapd_config_check_cw(struct hostapd_config *conf, int queue) 1518 { 1519 int tx_cwmin = conf->tx_queue[queue].cwmin; 1520 int tx_cwmax = conf->tx_queue[queue].cwmax; 1521 int ac_cwmin = conf->wmm_ac_params[queue].cwmin; 1522 int ac_cwmax = conf->wmm_ac_params[queue].cwmax; 1523 1524 if (tx_cwmin > tx_cwmax) { 1525 wpa_printf(MSG_ERROR, 1526 "Invalid TX queue cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)", 1527 tx_cwmin, tx_cwmax); 1528 return -1; 1529 } 1530 if (ac_cwmin > ac_cwmax) { 1531 wpa_printf(MSG_ERROR, 1532 "Invalid WMM AC cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)", 1533 ac_cwmin, ac_cwmax); 1534 return -1; 1535 } 1536 return 0; 1537 } 1538 1539 hostapd_config_check(struct hostapd_config * conf,int full_config)1540 int hostapd_config_check(struct hostapd_config *conf, int full_config) 1541 { 1542 size_t i; 1543 1544 if (full_config && is_6ghz_op_class(conf->op_class) && 1545 !conf->hw_mode_set) { 1546 /* Use the appropriate hw_mode value automatically when the 1547 * op_class parameter has been set, but hw_mode was not. */ 1548 conf->hw_mode = HOSTAPD_MODE_IEEE80211A; 1549 } 1550 1551 if (full_config && conf->ieee80211d && 1552 (!conf->country[0] || !conf->country[1])) { 1553 wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11d without " 1554 "setting the country_code"); 1555 return -1; 1556 } 1557 1558 if (full_config && conf->ieee80211h && !conf->ieee80211d) { 1559 wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11h without " 1560 "IEEE 802.11d enabled"); 1561 return -1; 1562 } 1563 1564 if (full_config && conf->local_pwr_constraint != -1 && 1565 !conf->ieee80211d) { 1566 wpa_printf(MSG_ERROR, "Cannot add Power Constraint element without Country element"); 1567 return -1; 1568 } 1569 1570 if (full_config && conf->spectrum_mgmt_required && 1571 conf->local_pwr_constraint == -1) { 1572 wpa_printf(MSG_ERROR, "Cannot set Spectrum Management bit without Country and Power Constraint elements"); 1573 return -1; 1574 } 1575 1576 #ifdef CONFIG_AIRTIME_POLICY 1577 if (full_config && conf->airtime_mode > AIRTIME_MODE_STATIC && 1578 !conf->airtime_update_interval) { 1579 wpa_printf(MSG_ERROR, "Airtime update interval cannot be zero"); 1580 return -1; 1581 } 1582 #endif /* CONFIG_AIRTIME_POLICY */ 1583 for (i = 0; i < NUM_TX_QUEUES; i++) { 1584 if (hostapd_config_check_cw(conf, i)) 1585 return -1; 1586 } 1587 1588 #ifdef CONFIG_IEEE80211BE 1589 if (full_config && conf->ieee80211be && !conf->ieee80211ax) { 1590 wpa_printf(MSG_ERROR, 1591 "Cannot set ieee80211be without ieee80211ax"); 1592 return -1; 1593 } 1594 1595 if (full_config) 1596 hostapd_set_and_check_bw320_offset(conf, 1597 conf->eht_bw320_offset); 1598 #endif /* CONFIG_IEEE80211BE */ 1599 1600 if (full_config && conf->mbssid && !conf->ieee80211ax) { 1601 wpa_printf(MSG_ERROR, 1602 "Cannot enable multiple BSSID support without ieee80211ax"); 1603 return -1; 1604 } 1605 1606 for (i = 0; i < conf->num_bss; i++) { 1607 if (hostapd_config_check_bss(conf->bss[i], conf, full_config)) 1608 return -1; 1609 } 1610 1611 return 0; 1612 } 1613 1614 hostapd_set_security_params(struct hostapd_bss_config * bss,int full_config)1615 void hostapd_set_security_params(struct hostapd_bss_config *bss, 1616 int full_config) 1617 { 1618 #ifdef CONFIG_WEP 1619 if (bss->individual_wep_key_len == 0) { 1620 /* individual keys are not use; can use key idx0 for 1621 * broadcast keys */ 1622 bss->broadcast_key_idx_min = 0; 1623 } 1624 #endif /* CONFIG_WEP */ 1625 1626 if ((bss->wpa & 2) && bss->rsn_pairwise == 0) 1627 bss->rsn_pairwise = bss->wpa_pairwise; 1628 if (bss->group_cipher) 1629 bss->wpa_group = bss->group_cipher; 1630 else 1631 bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa, 1632 bss->wpa_pairwise, 1633 bss->rsn_pairwise); 1634 if (!bss->wpa_group_rekey_set) 1635 bss->wpa_group_rekey = bss->wpa_group == WPA_CIPHER_TKIP ? 1636 600 : 86400; 1637 1638 if (full_config) { 1639 bss->radius->auth_server = bss->radius->auth_servers; 1640 bss->radius->acct_server = bss->radius->acct_servers; 1641 } 1642 1643 if (bss->wpa && bss->ieee802_1x) { 1644 bss->ssid.security_policy = SECURITY_WPA; 1645 } else if (bss->wpa) { 1646 bss->ssid.security_policy = SECURITY_WPA_PSK; 1647 } else if (bss->ieee802_1x) { 1648 int cipher = WPA_CIPHER_NONE; 1649 bss->ssid.security_policy = SECURITY_IEEE_802_1X; 1650 #ifdef CONFIG_WEP 1651 bss->ssid.wep.default_len = bss->default_wep_key_len; 1652 if (full_config && bss->default_wep_key_len) { 1653 cipher = bss->default_wep_key_len >= 13 ? 1654 WPA_CIPHER_WEP104 : WPA_CIPHER_WEP40; 1655 } else if (full_config && bss->ssid.wep.keys_set) { 1656 if (bss->ssid.wep.len[0] >= 13) 1657 cipher = WPA_CIPHER_WEP104; 1658 else 1659 cipher = WPA_CIPHER_WEP40; 1660 } 1661 #endif /* CONFIG_WEP */ 1662 bss->wpa_group = cipher; 1663 bss->wpa_pairwise = cipher; 1664 bss->rsn_pairwise = cipher; 1665 if (full_config) 1666 bss->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_NO_WPA; 1667 #ifdef CONFIG_WEP 1668 } else if (bss->ssid.wep.keys_set) { 1669 int cipher = WPA_CIPHER_WEP40; 1670 if (bss->ssid.wep.len[0] >= 13) 1671 cipher = WPA_CIPHER_WEP104; 1672 bss->ssid.security_policy = SECURITY_STATIC_WEP; 1673 bss->wpa_group = cipher; 1674 bss->wpa_pairwise = cipher; 1675 bss->rsn_pairwise = cipher; 1676 if (full_config) 1677 bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE; 1678 #endif /* CONFIG_WEP */ 1679 } else { 1680 bss->ssid.security_policy = SECURITY_PLAINTEXT; 1681 if (full_config) { 1682 bss->wpa_group = WPA_CIPHER_NONE; 1683 bss->wpa_pairwise = WPA_CIPHER_NONE; 1684 bss->rsn_pairwise = WPA_CIPHER_NONE; 1685 bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE; 1686 } 1687 } 1688 } 1689 1690 hostapd_sae_pw_id_in_use(struct hostapd_bss_config * conf)1691 int hostapd_sae_pw_id_in_use(struct hostapd_bss_config *conf) 1692 { 1693 int with_id = 0, without_id = 0; 1694 struct sae_password_entry *pw; 1695 1696 if (conf->ssid.wpa_passphrase) 1697 without_id = 1; 1698 1699 for (pw = conf->sae_passwords; pw; pw = pw->next) { 1700 if (pw->identifier) 1701 with_id = 1; 1702 else 1703 without_id = 1; 1704 if (with_id && without_id) 1705 break; 1706 } 1707 1708 if (with_id && !without_id) 1709 return 2; 1710 return with_id; 1711 } 1712 1713 hostapd_sae_pk_in_use(struct hostapd_bss_config * conf)1714 bool hostapd_sae_pk_in_use(struct hostapd_bss_config *conf) 1715 { 1716 #ifdef CONFIG_SAE_PK 1717 struct sae_password_entry *pw; 1718 1719 for (pw = conf->sae_passwords; pw; pw = pw->next) { 1720 if (pw->pk) 1721 return true; 1722 } 1723 #endif /* CONFIG_SAE_PK */ 1724 1725 return false; 1726 } 1727 1728 1729 #ifdef CONFIG_SAE_PK hostapd_sae_pk_exclusively(struct hostapd_bss_config * conf)1730 bool hostapd_sae_pk_exclusively(struct hostapd_bss_config *conf) 1731 { 1732 bool with_pk = false; 1733 struct sae_password_entry *pw; 1734 1735 if (conf->ssid.wpa_passphrase) 1736 return false; 1737 1738 for (pw = conf->sae_passwords; pw; pw = pw->next) { 1739 if (!pw->pk) 1740 return false; 1741 with_pk = true; 1742 } 1743 1744 return with_pk; 1745 } 1746 #endif /* CONFIG_SAE_PK */ 1747 1748 hostapd_acl_comp(const void * a,const void * b)1749 int hostapd_acl_comp(const void *a, const void *b) 1750 { 1751 const struct mac_acl_entry *aa = a; 1752 const struct mac_acl_entry *bb = b; 1753 return os_memcmp(aa->addr, bb->addr, sizeof(macaddr)); 1754 } 1755 1756 hostapd_add_acl_maclist(struct mac_acl_entry ** acl,int * num,int vlan_id,const u8 * addr)1757 int hostapd_add_acl_maclist(struct mac_acl_entry **acl, int *num, 1758 int vlan_id, const u8 *addr) 1759 { 1760 struct mac_acl_entry *newacl; 1761 1762 newacl = os_realloc_array(*acl, *num + 1, sizeof(**acl)); 1763 if (!newacl) { 1764 wpa_printf(MSG_ERROR, "MAC list reallocation failed"); 1765 return -1; 1766 } 1767 1768 *acl = newacl; 1769 os_memcpy((*acl)[*num].addr, addr, ETH_ALEN); 1770 os_memset(&(*acl)[*num].vlan_id, 0, sizeof((*acl)[*num].vlan_id)); 1771 (*acl)[*num].vlan_id.untagged = vlan_id; 1772 (*acl)[*num].vlan_id.notempty = !!vlan_id; 1773 (*num)++; 1774 1775 return 0; 1776 } 1777 1778 hostapd_remove_acl_mac(struct mac_acl_entry ** acl,int * num,const u8 * addr)1779 void hostapd_remove_acl_mac(struct mac_acl_entry **acl, int *num, 1780 const u8 *addr) 1781 { 1782 int i = 0; 1783 1784 while (i < *num) { 1785 if (ether_addr_equal((*acl)[i].addr, addr)) { 1786 os_remove_in_array(*acl, *num, sizeof(**acl), i); 1787 (*num)--; 1788 } else { 1789 i++; 1790 } 1791 } 1792 } 1793