1 /* 2 * hostapd / Configuration helper functions 3 * Copyright (c) 2003-2024, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "utils/includes.h" 10 11 #include "utils/common.h" 12 #include "crypto/sha1.h" 13 #include "crypto/tls.h" 14 #include "radius/radius_client.h" 15 #include "common/ieee802_11_defs.h" 16 #include "common/ieee802_1x_defs.h" 17 #include "common/eapol_common.h" 18 #include "common/dhcp.h" 19 #include "common/sae.h" 20 #include "eap_common/eap_wsc_common.h" 21 #include "eap_server/eap.h" 22 #include "wpa_auth.h" 23 #include "sta_info.h" 24 #include "airtime_policy.h" 25 #include "ap_config.h" 26 27 28 static void hostapd_config_free_vlan(struct hostapd_bss_config *bss) 29 { 30 struct hostapd_vlan *vlan, *prev; 31 32 vlan = bss->vlan; 33 prev = NULL; 34 while (vlan) { 35 prev = vlan; 36 vlan = vlan->next; 37 os_free(prev); 38 } 39 40 bss->vlan = NULL; 41 } 42 43 44 #ifndef DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES 45 #define DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES 0 46 #endif /* DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES */ 47 48 void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) 49 { 50 dl_list_init(&bss->anqp_elem); 51 52 bss->logger_syslog_level = HOSTAPD_LEVEL_INFO; 53 bss->logger_stdout_level = HOSTAPD_LEVEL_INFO; 54 bss->logger_syslog = (unsigned int) -1; 55 bss->logger_stdout = (unsigned int) -1; 56 57 #ifdef CONFIG_WEP 58 bss->auth_algs = WPA_AUTH_ALG_OPEN | WPA_AUTH_ALG_SHARED; 59 60 bss->wep_rekeying_period = 300; 61 /* use key0 in individual key and key1 in broadcast key */ 62 bss->broadcast_key_idx_min = 1; 63 bss->broadcast_key_idx_max = 2; 64 #else /* CONFIG_WEP */ 65 bss->auth_algs = WPA_AUTH_ALG_OPEN; 66 #endif /* CONFIG_WEP */ 67 bss->eap_reauth_period = 3600; 68 69 bss->wpa_group_rekey = 600; 70 bss->wpa_gmk_rekey = 86400; 71 bss->wpa_deny_ptk0_rekey = PTK0_REKEY_ALLOW_ALWAYS; 72 bss->wpa_group_update_count = 4; 73 bss->wpa_pairwise_update_count = 4; 74 bss->wpa_disable_eapol_key_retries = 75 DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES; 76 bss->wpa_key_mgmt = WPA_KEY_MGMT_PSK; 77 #ifdef CONFIG_NO_TKIP 78 bss->wpa_pairwise = WPA_CIPHER_CCMP; 79 bss->wpa_group = WPA_CIPHER_CCMP; 80 #else /* CONFIG_NO_TKIP */ 81 bss->wpa_pairwise = WPA_CIPHER_TKIP; 82 bss->wpa_group = WPA_CIPHER_TKIP; 83 #endif /* CONFIG_NO_TKIP */ 84 bss->rsn_pairwise = 0; 85 86 bss->max_num_sta = MAX_STA_COUNT; 87 88 bss->dtim_period = 2; 89 90 bss->radius_server_auth_port = 1812; 91 bss->eap_sim_db_timeout = 1; 92 bss->eap_sim_id = 3; 93 bss->eap_sim_aka_fast_reauth_limit = 1000; 94 bss->ap_max_inactivity = AP_MAX_INACTIVITY; 95 bss->bss_max_idle = 1; 96 bss->eapol_version = EAPOL_VERSION; 97 98 bss->max_listen_interval = 65535; 99 100 bss->pwd_group = 19; /* ECC: GF(p=256) */ 101 102 bss->assoc_sa_query_max_timeout = 1000; 103 bss->assoc_sa_query_retry_timeout = 201; 104 bss->group_mgmt_cipher = WPA_CIPHER_AES_128_CMAC; 105 #ifdef EAP_SERVER_FAST 106 /* both anonymous and authenticated provisioning */ 107 bss->eap_fast_prov = 3; 108 bss->pac_key_lifetime = 7 * 24 * 60 * 60; 109 bss->pac_key_refresh_time = 1 * 24 * 60 * 60; 110 #endif /* EAP_SERVER_FAST */ 111 112 /* Set to -1 as defaults depends on HT in setup */ 113 bss->wmm_enabled = -1; 114 115 #ifdef CONFIG_IEEE80211R_AP 116 bss->ft_over_ds = 1; 117 bss->rkh_pos_timeout = 86400; 118 bss->rkh_neg_timeout = 60; 119 bss->rkh_pull_timeout = 1000; 120 bss->rkh_pull_retries = 4; 121 bss->r0_key_lifetime = 1209600; 122 #endif /* CONFIG_IEEE80211R_AP */ 123 124 bss->radius_das_time_window = 300; 125 bss->radius_require_message_authenticator = 1; 126 127 bss->anti_clogging_threshold = 5; 128 bss->sae_sync = 3; 129 130 bss->gas_frag_limit = 1400; 131 132 #ifdef CONFIG_FILS 133 dl_list_init(&bss->fils_realms); 134 bss->fils_hlp_wait_time = 30; 135 bss->dhcp_server_port = DHCP_SERVER_PORT; 136 bss->dhcp_relay_port = DHCP_SERVER_PORT; 137 bss->fils_discovery_min_int = 20; 138 #endif /* CONFIG_FILS */ 139 140 bss->broadcast_deauth = 1; 141 142 #ifdef CONFIG_MBO 143 bss->mbo_cell_data_conn_pref = -1; 144 #endif /* CONFIG_MBO */ 145 146 /* Disable TLS v1.3 by default for now to avoid interoperability issue. 147 * This can be enabled by default once the implementation has been fully 148 * completed and tested with other implementations. */ 149 bss->tls_flags = TLS_CONN_DISABLE_TLSv1_3; 150 151 bss->max_auth_rounds = 100; 152 bss->max_auth_rounds_short = 50; 153 154 bss->send_probe_response = 1; 155 156 #ifdef CONFIG_HS20 157 bss->hs20_release = (HS20_VERSION >> 4) + 1; 158 #endif /* CONFIG_HS20 */ 159 160 #ifdef CONFIG_MACSEC 161 bss->mka_priority = DEFAULT_PRIO_NOT_KEY_SERVER; 162 bss->macsec_port = 1; 163 #endif /* CONFIG_MACSEC */ 164 165 /* Default to strict CRL checking. */ 166 bss->check_crl_strict = 1; 167 168 bss->multi_ap_profile = MULTI_AP_PROFILE_2; 169 170 #ifdef CONFIG_TESTING_OPTIONS 171 bss->sae_commit_status = -1; 172 bss->test_assoc_comeback_type = -1; 173 #endif /* CONFIG_TESTING_OPTIONS */ 174 175 #ifdef CONFIG_PASN 176 /* comeback after 10 TUs */ 177 bss->pasn_comeback_after = 10; 178 bss->pasn_noauth = 1; 179 #endif /* CONFIG_PASN */ 180 } 181 182 183 struct hostapd_config * hostapd_config_defaults(void) 184 { 185 #define ecw2cw(ecw) ((1 << (ecw)) - 1) 186 187 struct hostapd_config *conf; 188 struct hostapd_bss_config *bss; 189 const int aCWmin = 4, aCWmax = 10; 190 const struct hostapd_wmm_ac_params ac_bk = 191 { aCWmin, aCWmax, 7, 0, 0 }; /* background traffic */ 192 const struct hostapd_wmm_ac_params ac_be = 193 { aCWmin, aCWmax, 3, 0, 0 }; /* best effort traffic */ 194 const struct hostapd_wmm_ac_params ac_vi = /* video traffic */ 195 { aCWmin - 1, aCWmin, 2, 3008 / 32, 0 }; 196 const struct hostapd_wmm_ac_params ac_vo = /* voice traffic */ 197 { aCWmin - 2, aCWmin - 1, 2, 1504 / 32, 0 }; 198 const struct hostapd_tx_queue_params txq_bk = 199 { 7, ecw2cw(aCWmin), ecw2cw(aCWmax), 0 }; 200 const struct hostapd_tx_queue_params txq_be = 201 { 3, ecw2cw(aCWmin), 4 * (ecw2cw(aCWmin) + 1) - 1, 0}; 202 const struct hostapd_tx_queue_params txq_vi = 203 { 1, (ecw2cw(aCWmin) + 1) / 2 - 1, ecw2cw(aCWmin), 30}; 204 const struct hostapd_tx_queue_params txq_vo = 205 { 1, (ecw2cw(aCWmin) + 1) / 4 - 1, 206 (ecw2cw(aCWmin) + 1) / 2 - 1, 15}; 207 208 #undef ecw2cw 209 210 conf = os_zalloc(sizeof(*conf)); 211 bss = os_zalloc(sizeof(*bss)); 212 if (conf == NULL || bss == NULL) { 213 wpa_printf(MSG_ERROR, "Failed to allocate memory for " 214 "configuration data."); 215 os_free(conf); 216 os_free(bss); 217 return NULL; 218 } 219 conf->bss = os_calloc(1, sizeof(struct hostapd_bss_config *)); 220 if (conf->bss == NULL) { 221 os_free(conf); 222 os_free(bss); 223 return NULL; 224 } 225 conf->bss[0] = bss; 226 227 bss->radius = os_zalloc(sizeof(*bss->radius)); 228 if (bss->radius == NULL) { 229 os_free(conf->bss); 230 os_free(conf); 231 os_free(bss); 232 return NULL; 233 } 234 235 hostapd_config_defaults_bss(bss); 236 237 conf->num_bss = 1; 238 239 conf->beacon_int = 100; 240 conf->rts_threshold = -2; /* use driver default: 2347 */ 241 conf->fragm_threshold = -2; /* user driver default: 2346 */ 242 /* Set to invalid value means do not add Power Constraint IE */ 243 conf->local_pwr_constraint = -1; 244 245 conf->wmm_ac_params[0] = ac_be; 246 conf->wmm_ac_params[1] = ac_bk; 247 conf->wmm_ac_params[2] = ac_vi; 248 conf->wmm_ac_params[3] = ac_vo; 249 250 conf->tx_queue[0] = txq_vo; 251 conf->tx_queue[1] = txq_vi; 252 conf->tx_queue[2] = txq_be; 253 conf->tx_queue[3] = txq_bk; 254 255 conf->ht_capab = HT_CAP_INFO_SMPS_DISABLED; 256 257 conf->ap_table_max_size = 255; 258 conf->ap_table_expiration_time = 60; 259 conf->track_sta_max_age = 180; 260 261 #ifdef CONFIG_TESTING_OPTIONS 262 conf->ignore_probe_probability = 0.0; 263 conf->ignore_auth_probability = 0.0; 264 conf->ignore_assoc_probability = 0.0; 265 conf->ignore_reassoc_probability = 0.0; 266 conf->corrupt_gtk_rekey_mic_probability = 0.0; 267 conf->ecsa_ie_only = 0; 268 #endif /* CONFIG_TESTING_OPTIONS */ 269 270 conf->acs = 0; 271 conf->acs_ch_list.num = 0; 272 #ifdef CONFIG_ACS 273 conf->acs_num_scans = 5; 274 #endif /* CONFIG_ACS */ 275 276 #ifdef CONFIG_IEEE80211AX 277 conf->he_op.he_rts_threshold = HE_OPERATION_RTS_THRESHOLD_MASK >> 278 HE_OPERATION_RTS_THRESHOLD_OFFSET; 279 /* Set default basic MCS/NSS set to single stream MCS 0-7 */ 280 conf->he_op.he_basic_mcs_nss_set = 0xfffc; 281 conf->he_op.he_bss_color_disabled = 1; 282 conf->he_op.he_bss_color_partial = 0; 283 conf->he_op.he_bss_color = os_random() % 63 + 1; 284 conf->he_op.he_twt_responder = 1; 285 conf->he_6ghz_max_mpdu = 2; 286 conf->he_6ghz_max_ampdu_len_exp = 7; 287 conf->he_6ghz_rx_ant_pat = 1; 288 conf->he_6ghz_tx_ant_pat = 1; 289 conf->he_6ghz_reg_pwr_type = HE_REG_INFO_6GHZ_AP_TYPE_VLP; 290 conf->reg_def_cli_eirp_psd = -1; 291 conf->reg_sub_cli_eirp_psd = -1; 292 conf->reg_def_cli_eirp = -1; 293 #endif /* CONFIG_IEEE80211AX */ 294 295 /* The third octet of the country string uses an ASCII space character 296 * by default to indicate that the regulations encompass all 297 * environments for the current frequency band in the country. */ 298 conf->country[2] = ' '; 299 300 conf->rssi_reject_assoc_rssi = 0; 301 conf->rssi_reject_assoc_timeout = 30; 302 303 #ifdef CONFIG_AIRTIME_POLICY 304 conf->airtime_update_interval = AIRTIME_DEFAULT_UPDATE_INTERVAL; 305 #endif /* CONFIG_AIRTIME_POLICY */ 306 307 hostapd_set_and_check_bw320_offset(conf, 0); 308 309 return conf; 310 } 311 312 313 int hostapd_mac_comp(const void *a, const void *b) 314 { 315 return os_memcmp(a, b, sizeof(macaddr)); 316 } 317 318 319 static int hostapd_config_read_wpa_psk(const char *fname, 320 struct hostapd_ssid *ssid) 321 { 322 FILE *f; 323 char buf[128], *pos; 324 const char *keyid; 325 char *context; 326 char *context2; 327 char *token; 328 char *name; 329 char *value; 330 int line = 0, ret = 0, len, ok; 331 u8 addr[ETH_ALEN]; 332 struct hostapd_wpa_psk *psk; 333 334 if (!fname) 335 return 0; 336 337 f = fopen(fname, "r"); 338 if (!f) { 339 wpa_printf(MSG_ERROR, "WPA PSK file '%s' not found.", fname); 340 return -1; 341 } 342 343 while (fgets(buf, sizeof(buf), f)) { 344 int vlan_id = 0; 345 int wps = 0; 346 347 line++; 348 349 if (buf[0] == '#') 350 continue; 351 pos = buf; 352 while (*pos != '\0') { 353 if (*pos == '\n') { 354 *pos = '\0'; 355 break; 356 } 357 pos++; 358 } 359 if (buf[0] == '\0') 360 continue; 361 362 context = NULL; 363 keyid = NULL; 364 while ((token = str_token(buf, " ", &context))) { 365 if (!os_strchr(token, '=')) 366 break; 367 context2 = NULL; 368 name = str_token(token, "=", &context2); 369 if (!name) 370 break; 371 value = str_token(token, "", &context2); 372 if (!value) 373 value = ""; 374 if (!os_strcmp(name, "keyid")) { 375 keyid = value; 376 } else if (!os_strcmp(name, "wps")) { 377 wps = atoi(value); 378 } else if (!os_strcmp(name, "vlanid")) { 379 vlan_id = atoi(value); 380 } else { 381 wpa_printf(MSG_ERROR, 382 "Unrecognized '%s=%s' on line %d in '%s'", 383 name, value, line, fname); 384 ret = -1; 385 break; 386 } 387 } 388 389 if (ret == -1) 390 break; 391 392 if (!token) 393 token = ""; 394 if (hwaddr_aton(token, addr)) { 395 wpa_printf(MSG_ERROR, 396 "Invalid MAC address '%s' on line %d in '%s'", 397 token, line, fname); 398 ret = -1; 399 break; 400 } 401 402 psk = os_zalloc(sizeof(*psk)); 403 if (psk == NULL) { 404 wpa_printf(MSG_ERROR, "WPA PSK allocation failed"); 405 ret = -1; 406 break; 407 } 408 psk->vlan_id = vlan_id; 409 if (is_zero_ether_addr(addr)) 410 psk->group = 1; 411 else 412 os_memcpy(psk->addr, addr, ETH_ALEN); 413 414 pos = str_token(buf, "", &context); 415 if (!pos) { 416 wpa_printf(MSG_ERROR, "No PSK on line %d in '%s'", 417 line, fname); 418 os_free(psk); 419 ret = -1; 420 break; 421 } 422 423 ok = 0; 424 len = os_strlen(pos); 425 if (len == 2 * PMK_LEN && 426 hexstr2bin(pos, psk->psk, PMK_LEN) == 0) 427 ok = 1; 428 else if (len >= 8 && len < 64 && 429 pbkdf2_sha1(pos, ssid->ssid, ssid->ssid_len, 430 4096, psk->psk, PMK_LEN) == 0) 431 ok = 1; 432 if (!ok) { 433 wpa_printf(MSG_ERROR, 434 "Invalid PSK '%s' on line %d in '%s'", 435 pos, line, fname); 436 os_free(psk); 437 ret = -1; 438 break; 439 } 440 441 if (keyid) { 442 len = os_strlcpy(psk->keyid, keyid, sizeof(psk->keyid)); 443 if ((size_t) len >= sizeof(psk->keyid)) { 444 wpa_printf(MSG_ERROR, 445 "PSK keyid too long on line %d in '%s'", 446 line, fname); 447 os_free(psk); 448 ret = -1; 449 break; 450 } 451 } 452 453 psk->wps = wps; 454 455 psk->next = ssid->wpa_psk; 456 ssid->wpa_psk = psk; 457 } 458 459 fclose(f); 460 461 return ret; 462 } 463 464 465 static int hostapd_derive_psk(struct hostapd_ssid *ssid) 466 { 467 ssid->wpa_psk = os_zalloc(sizeof(struct hostapd_wpa_psk)); 468 if (ssid->wpa_psk == NULL) { 469 wpa_printf(MSG_ERROR, "Unable to alloc space for PSK"); 470 return -1; 471 } 472 wpa_hexdump_ascii(MSG_DEBUG, "SSID", 473 (u8 *) ssid->ssid, ssid->ssid_len); 474 wpa_hexdump_ascii_key(MSG_DEBUG, "PSK (ASCII passphrase)", 475 (u8 *) ssid->wpa_passphrase, 476 os_strlen(ssid->wpa_passphrase)); 477 if (pbkdf2_sha1(ssid->wpa_passphrase, 478 ssid->ssid, ssid->ssid_len, 479 4096, ssid->wpa_psk->psk, PMK_LEN) != 0) { 480 wpa_printf(MSG_ERROR, "Error in pbkdf2_sha1()"); 481 return -1; 482 } 483 wpa_hexdump_key(MSG_DEBUG, "PSK (from passphrase)", 484 ssid->wpa_psk->psk, PMK_LEN); 485 return 0; 486 } 487 488 489 int hostapd_setup_sae_pt(struct hostapd_bss_config *conf) 490 { 491 #ifdef CONFIG_SAE 492 struct hostapd_ssid *ssid = &conf->ssid; 493 struct sae_password_entry *pw; 494 495 if ((conf->sae_pwe == SAE_PWE_HUNT_AND_PECK && 496 !hostapd_sae_pw_id_in_use(conf) && 497 !wpa_key_mgmt_sae_ext_key(conf->wpa_key_mgmt) && 498 !hostapd_sae_pk_in_use(conf)) || 499 conf->sae_pwe == SAE_PWE_FORCE_HUNT_AND_PECK || 500 !wpa_key_mgmt_sae(conf->wpa_key_mgmt)) 501 return 0; /* PT not needed */ 502 503 sae_deinit_pt(ssid->pt); 504 ssid->pt = NULL; 505 if (ssid->wpa_passphrase) { 506 ssid->pt = sae_derive_pt(conf->sae_groups, ssid->ssid, 507 ssid->ssid_len, 508 (const u8 *) ssid->wpa_passphrase, 509 os_strlen(ssid->wpa_passphrase), 510 NULL); 511 if (!ssid->pt) 512 return -1; 513 } 514 515 for (pw = conf->sae_passwords; pw; pw = pw->next) { 516 sae_deinit_pt(pw->pt); 517 pw->pt = sae_derive_pt(conf->sae_groups, ssid->ssid, 518 ssid->ssid_len, 519 (const u8 *) pw->password, 520 os_strlen(pw->password), 521 pw->identifier); 522 if (!pw->pt) 523 return -1; 524 } 525 #endif /* CONFIG_SAE */ 526 527 return 0; 528 } 529 530 531 int hostapd_setup_wpa_psk(struct hostapd_bss_config *conf) 532 { 533 struct hostapd_ssid *ssid = &conf->ssid; 534 535 if (hostapd_setup_sae_pt(conf) < 0) 536 return -1; 537 538 if (ssid->wpa_passphrase != NULL) { 539 if (ssid->wpa_psk != NULL) { 540 wpa_printf(MSG_DEBUG, "Using pre-configured WPA PSK " 541 "instead of passphrase"); 542 } else { 543 wpa_printf(MSG_DEBUG, "Deriving WPA PSK based on " 544 "passphrase"); 545 if (hostapd_derive_psk(ssid) < 0) 546 return -1; 547 } 548 ssid->wpa_psk->group = 1; 549 } 550 551 return hostapd_config_read_wpa_psk(ssid->wpa_psk_file, &conf->ssid); 552 } 553 554 555 static void hostapd_config_free_radius(struct hostapd_radius_server *servers, 556 int num_servers) 557 { 558 int i; 559 560 for (i = 0; i < num_servers; i++) { 561 os_free(servers[i].shared_secret); 562 os_free(servers[i].ca_cert); 563 os_free(servers[i].client_cert); 564 os_free(servers[i].private_key); 565 os_free(servers[i].private_key_passwd); 566 } 567 os_free(servers); 568 } 569 570 571 struct hostapd_radius_attr * 572 hostapd_config_get_radius_attr(struct hostapd_radius_attr *attr, u8 type) 573 { 574 for (; attr; attr = attr->next) { 575 if (attr->type == type) 576 return attr; 577 } 578 return NULL; 579 } 580 581 582 struct hostapd_radius_attr * hostapd_parse_radius_attr(const char *value) 583 { 584 const char *pos; 585 char syntax; 586 struct hostapd_radius_attr *attr; 587 size_t len; 588 589 attr = os_zalloc(sizeof(*attr)); 590 if (!attr) 591 return NULL; 592 593 attr->type = atoi(value); 594 595 pos = os_strchr(value, ':'); 596 if (!pos) { 597 attr->val = wpabuf_alloc(1); 598 if (!attr->val) { 599 os_free(attr); 600 return NULL; 601 } 602 wpabuf_put_u8(attr->val, 0); 603 return attr; 604 } 605 606 pos++; 607 if (pos[0] == '\0' || pos[1] != ':') { 608 os_free(attr); 609 return NULL; 610 } 611 syntax = *pos++; 612 pos++; 613 614 switch (syntax) { 615 case 's': 616 attr->val = wpabuf_alloc_copy(pos, os_strlen(pos)); 617 break; 618 case 'x': 619 len = os_strlen(pos); 620 if (len & 1) 621 break; 622 len /= 2; 623 attr->val = wpabuf_alloc(len); 624 if (!attr->val) 625 break; 626 if (hexstr2bin(pos, wpabuf_put(attr->val, len), len) < 0) { 627 wpabuf_free(attr->val); 628 os_free(attr); 629 return NULL; 630 } 631 break; 632 case 'd': 633 attr->val = wpabuf_alloc(4); 634 if (attr->val) 635 wpabuf_put_be32(attr->val, atoi(pos)); 636 break; 637 default: 638 os_free(attr); 639 return NULL; 640 } 641 642 if (!attr->val) { 643 os_free(attr); 644 return NULL; 645 } 646 647 return attr; 648 } 649 650 651 void hostapd_config_free_radius_attr(struct hostapd_radius_attr *attr) 652 { 653 struct hostapd_radius_attr *prev; 654 655 while (attr) { 656 prev = attr; 657 attr = attr->next; 658 wpabuf_free(prev->val); 659 os_free(prev); 660 } 661 } 662 663 664 void hostapd_config_free_eap_user(struct hostapd_eap_user *user) 665 { 666 hostapd_config_free_radius_attr(user->accept_attr); 667 os_free(user->identity); 668 bin_clear_free(user->password, user->password_len); 669 bin_clear_free(user->salt, user->salt_len); 670 os_free(user); 671 } 672 673 674 void hostapd_config_free_eap_users(struct hostapd_eap_user *user) 675 { 676 struct hostapd_eap_user *prev_user; 677 678 while (user) { 679 prev_user = user; 680 user = user->next; 681 hostapd_config_free_eap_user(prev_user); 682 } 683 } 684 685 686 #ifdef CONFIG_WEP 687 static void hostapd_config_free_wep(struct hostapd_wep_keys *keys) 688 { 689 int i; 690 for (i = 0; i < NUM_WEP_KEYS; i++) { 691 bin_clear_free(keys->key[i], keys->len[i]); 692 keys->key[i] = NULL; 693 } 694 } 695 #endif /* CONFIG_WEP */ 696 697 698 void hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk **l) 699 { 700 struct hostapd_wpa_psk *psk, *tmp; 701 702 for (psk = *l; psk;) { 703 tmp = psk; 704 psk = psk->next; 705 bin_clear_free(tmp, sizeof(*tmp)); 706 } 707 *l = NULL; 708 } 709 710 711 #ifdef CONFIG_IEEE80211R_AP 712 713 void hostapd_config_clear_rxkhs(struct hostapd_bss_config *conf) 714 { 715 struct ft_remote_r0kh *r0kh, *r0kh_prev; 716 struct ft_remote_r1kh *r1kh, *r1kh_prev; 717 718 r0kh = conf->r0kh_list; 719 conf->r0kh_list = NULL; 720 while (r0kh) { 721 r0kh_prev = r0kh; 722 r0kh = r0kh->next; 723 os_free(r0kh_prev); 724 } 725 726 r1kh = conf->r1kh_list; 727 conf->r1kh_list = NULL; 728 while (r1kh) { 729 r1kh_prev = r1kh; 730 r1kh = r1kh->next; 731 os_free(r1kh_prev); 732 } 733 } 734 735 #endif /* CONFIG_IEEE80211R_AP */ 736 737 738 static void hostapd_config_free_anqp_elem(struct hostapd_bss_config *conf) 739 { 740 struct anqp_element *elem; 741 742 while ((elem = dl_list_first(&conf->anqp_elem, struct anqp_element, 743 list))) { 744 dl_list_del(&elem->list); 745 wpabuf_free(elem->payload); 746 os_free(elem); 747 } 748 } 749 750 751 static void hostapd_config_free_fils_realms(struct hostapd_bss_config *conf) 752 { 753 #ifdef CONFIG_FILS 754 struct fils_realm *realm; 755 756 while ((realm = dl_list_first(&conf->fils_realms, struct fils_realm, 757 list))) { 758 dl_list_del(&realm->list); 759 os_free(realm); 760 } 761 #endif /* CONFIG_FILS */ 762 } 763 764 765 static void hostapd_config_free_sae_passwords(struct hostapd_bss_config *conf) 766 { 767 struct sae_password_entry *pw, *tmp; 768 769 pw = conf->sae_passwords; 770 conf->sae_passwords = NULL; 771 while (pw) { 772 tmp = pw; 773 pw = pw->next; 774 str_clear_free(tmp->password); 775 os_free(tmp->identifier); 776 #ifdef CONFIG_SAE 777 sae_deinit_pt(tmp->pt); 778 #endif /* CONFIG_SAE */ 779 #ifdef CONFIG_SAE_PK 780 sae_deinit_pk(tmp->pk); 781 #endif /* CONFIG_SAE_PK */ 782 os_free(tmp); 783 } 784 } 785 786 787 #ifdef CONFIG_DPP2 788 static void hostapd_dpp_controller_conf_free(struct dpp_controller_conf *conf) 789 { 790 struct dpp_controller_conf *prev; 791 792 while (conf) { 793 prev = conf; 794 conf = conf->next; 795 os_free(prev); 796 } 797 } 798 #endif /* CONFIG_DPP2 */ 799 800 801 void hostapd_config_free_bss(struct hostapd_bss_config *conf) 802 { 803 #if defined(CONFIG_WPS) || defined(CONFIG_HS20) 804 size_t i; 805 #endif 806 807 if (conf == NULL) 808 return; 809 810 hostapd_config_clear_wpa_psk(&conf->ssid.wpa_psk); 811 812 str_clear_free(conf->ssid.wpa_passphrase); 813 os_free(conf->ssid.wpa_psk_file); 814 #ifdef CONFIG_WEP 815 hostapd_config_free_wep(&conf->ssid.wep); 816 #endif /* CONFIG_WEP */ 817 #ifdef CONFIG_FULL_DYNAMIC_VLAN 818 os_free(conf->ssid.vlan_tagged_interface); 819 #endif /* CONFIG_FULL_DYNAMIC_VLAN */ 820 #ifdef CONFIG_SAE 821 sae_deinit_pt(conf->ssid.pt); 822 #endif /* CONFIG_SAE */ 823 824 hostapd_config_free_eap_users(conf->eap_user); 825 os_free(conf->eap_user_sqlite); 826 827 os_free(conf->eap_req_id_text); 828 os_free(conf->erp_domain); 829 os_free(conf->accept_mac); 830 os_free(conf->deny_mac); 831 os_free(conf->nas_identifier); 832 if (conf->radius) { 833 hostapd_config_free_radius(conf->radius->auth_servers, 834 conf->radius->num_auth_servers); 835 hostapd_config_free_radius(conf->radius->acct_servers, 836 conf->radius->num_acct_servers); 837 os_free(conf->radius->force_client_dev); 838 } 839 hostapd_config_free_radius_attr(conf->radius_auth_req_attr); 840 hostapd_config_free_radius_attr(conf->radius_acct_req_attr); 841 os_free(conf->radius_req_attr_sqlite); 842 os_free(conf->rsn_preauth_interfaces); 843 os_free(conf->ctrl_interface); 844 os_free(conf->config_id); 845 os_free(conf->ca_cert); 846 os_free(conf->server_cert); 847 os_free(conf->server_cert2); 848 os_free(conf->private_key); 849 os_free(conf->private_key2); 850 os_free(conf->private_key_passwd); 851 os_free(conf->private_key_passwd2); 852 os_free(conf->check_cert_subject); 853 os_free(conf->ocsp_stapling_response); 854 os_free(conf->ocsp_stapling_response_multi); 855 os_free(conf->dh_file); 856 os_free(conf->openssl_ciphers); 857 os_free(conf->openssl_ecdh_curves); 858 os_free(conf->pac_opaque_encr_key); 859 os_free(conf->eap_fast_a_id); 860 os_free(conf->eap_fast_a_id_info); 861 os_free(conf->eap_sim_db); 862 os_free(conf->imsi_privacy_key); 863 os_free(conf->radius_server_clients); 864 os_free(conf->radius); 865 os_free(conf->radius_das_shared_secret); 866 hostapd_config_free_vlan(conf); 867 os_free(conf->time_zone); 868 869 #ifdef CONFIG_IEEE80211R_AP 870 hostapd_config_clear_rxkhs(conf); 871 os_free(conf->rxkh_file); 872 conf->rxkh_file = NULL; 873 #endif /* CONFIG_IEEE80211R_AP */ 874 875 #ifdef CONFIG_WPS 876 os_free(conf->wps_pin_requests); 877 os_free(conf->device_name); 878 os_free(conf->manufacturer); 879 os_free(conf->model_name); 880 os_free(conf->model_number); 881 os_free(conf->serial_number); 882 os_free(conf->config_methods); 883 os_free(conf->ap_pin); 884 os_free(conf->extra_cred); 885 os_free(conf->ap_settings); 886 hostapd_config_clear_wpa_psk(&conf->multi_ap_backhaul_ssid.wpa_psk); 887 str_clear_free(conf->multi_ap_backhaul_ssid.wpa_passphrase); 888 os_free(conf->upnp_iface); 889 os_free(conf->friendly_name); 890 os_free(conf->manufacturer_url); 891 os_free(conf->model_description); 892 os_free(conf->model_url); 893 os_free(conf->upc); 894 for (i = 0; i < MAX_WPS_VENDOR_EXTENSIONS; i++) 895 wpabuf_free(conf->wps_vendor_ext[i]); 896 wpabuf_free(conf->wps_application_ext); 897 wpabuf_free(conf->wps_nfc_dh_pubkey); 898 wpabuf_free(conf->wps_nfc_dh_privkey); 899 wpabuf_free(conf->wps_nfc_dev_pw); 900 #endif /* CONFIG_WPS */ 901 902 os_free(conf->roaming_consortium); 903 os_free(conf->venue_name); 904 os_free(conf->venue_url); 905 os_free(conf->nai_realm_data); 906 os_free(conf->network_auth_type); 907 os_free(conf->anqp_3gpp_cell_net); 908 os_free(conf->domain_name); 909 hostapd_config_free_anqp_elem(conf); 910 911 #ifdef CONFIG_RADIUS_TEST 912 os_free(conf->dump_msk_file); 913 #endif /* CONFIG_RADIUS_TEST */ 914 915 #ifdef CONFIG_HS20 916 os_free(conf->hs20_oper_friendly_name); 917 os_free(conf->hs20_wan_metrics); 918 os_free(conf->hs20_connection_capability); 919 os_free(conf->hs20_operating_class); 920 os_free(conf->hs20_icons); 921 if (conf->hs20_osu_providers) { 922 for (i = 0; i < conf->hs20_osu_providers_count; i++) { 923 struct hs20_osu_provider *p; 924 size_t j; 925 p = &conf->hs20_osu_providers[i]; 926 os_free(p->friendly_name); 927 os_free(p->server_uri); 928 os_free(p->method_list); 929 for (j = 0; j < p->icons_count; j++) 930 os_free(p->icons[j]); 931 os_free(p->icons); 932 os_free(p->osu_nai); 933 os_free(p->osu_nai2); 934 os_free(p->service_desc); 935 } 936 os_free(conf->hs20_osu_providers); 937 } 938 if (conf->hs20_operator_icon) { 939 for (i = 0; i < conf->hs20_operator_icon_count; i++) 940 os_free(conf->hs20_operator_icon[i]); 941 os_free(conf->hs20_operator_icon); 942 } 943 os_free(conf->subscr_remediation_url); 944 os_free(conf->hs20_sim_provisioning_url); 945 os_free(conf->t_c_filename); 946 os_free(conf->t_c_server_url); 947 #endif /* CONFIG_HS20 */ 948 949 wpabuf_free(conf->vendor_elements); 950 wpabuf_free(conf->assocresp_elements); 951 952 os_free(conf->sae_groups); 953 #ifdef CONFIG_OWE 954 os_free(conf->owe_groups); 955 #endif /* CONFIG_OWE */ 956 957 os_free(conf->wowlan_triggers); 958 959 os_free(conf->server_id); 960 961 #ifdef CONFIG_TESTING_OPTIONS 962 wpabuf_free(conf->own_ie_override); 963 wpabuf_free(conf->sae_commit_override); 964 wpabuf_free(conf->rsne_override_eapol); 965 wpabuf_free(conf->rsnxe_override_eapol); 966 wpabuf_free(conf->rsne_override_ft); 967 wpabuf_free(conf->rsnxe_override_ft); 968 wpabuf_free(conf->gtk_rsc_override); 969 wpabuf_free(conf->igtk_rsc_override); 970 wpabuf_free(conf->eapol_m1_elements); 971 wpabuf_free(conf->eapol_m3_elements); 972 wpabuf_free(conf->presp_elements); 973 #endif /* CONFIG_TESTING_OPTIONS */ 974 975 os_free(conf->no_probe_resp_if_seen_on); 976 os_free(conf->no_auth_if_seen_on); 977 978 hostapd_config_free_fils_realms(conf); 979 980 #ifdef CONFIG_DPP 981 os_free(conf->dpp_name); 982 os_free(conf->dpp_mud_url); 983 os_free(conf->dpp_extra_conf_req_name); 984 os_free(conf->dpp_extra_conf_req_value); 985 os_free(conf->dpp_connector); 986 wpabuf_free(conf->dpp_netaccesskey); 987 wpabuf_free(conf->dpp_csign); 988 #ifdef CONFIG_DPP2 989 hostapd_dpp_controller_conf_free(conf->dpp_controller); 990 #endif /* CONFIG_DPP2 */ 991 #endif /* CONFIG_DPP */ 992 993 hostapd_config_free_sae_passwords(conf); 994 995 #ifdef CONFIG_AIRTIME_POLICY 996 { 997 struct airtime_sta_weight *wt, *wt_prev; 998 999 wt = conf->airtime_weight_list; 1000 conf->airtime_weight_list = NULL; 1001 while (wt) { 1002 wt_prev = wt; 1003 wt = wt->next; 1004 os_free(wt_prev); 1005 } 1006 } 1007 #endif /* CONFIG_AIRTIME_POLICY */ 1008 1009 #ifdef CONFIG_PASN 1010 os_free(conf->pasn_groups); 1011 #endif /* CONFIG_PASN */ 1012 1013 os_free(conf); 1014 } 1015 1016 1017 /** 1018 * hostapd_config_free - Free hostapd configuration 1019 * @conf: Configuration data from hostapd_config_read(). 1020 */ 1021 void hostapd_config_free(struct hostapd_config *conf) 1022 { 1023 size_t i; 1024 1025 if (conf == NULL) 1026 return; 1027 1028 for (i = 0; i < conf->num_bss; i++) 1029 hostapd_config_free_bss(conf->bss[i]); 1030 os_free(conf->bss); 1031 os_free(conf->supported_rates); 1032 os_free(conf->basic_rates); 1033 os_free(conf->acs_ch_list.range); 1034 os_free(conf->acs_freq_list.range); 1035 os_free(conf->driver_params); 1036 #ifdef CONFIG_ACS 1037 os_free(conf->acs_chan_bias); 1038 #endif /* CONFIG_ACS */ 1039 wpabuf_free(conf->lci); 1040 wpabuf_free(conf->civic); 1041 1042 os_free(conf); 1043 } 1044 1045 1046 /** 1047 * hostapd_maclist_found - Find a MAC address from a list 1048 * @list: MAC address list 1049 * @num_entries: Number of addresses in the list 1050 * @addr: Address to search for 1051 * @vlan_id: Buffer for returning VLAN ID or %NULL if not needed 1052 * Returns: 1 if address is in the list or 0 if not. 1053 * 1054 * Perform a binary search for given MAC address from a pre-sorted list. 1055 */ 1056 int hostapd_maclist_found(struct mac_acl_entry *list, int num_entries, 1057 const u8 *addr, struct vlan_description *vlan_id) 1058 { 1059 int start, end, middle, res; 1060 1061 start = 0; 1062 end = num_entries - 1; 1063 1064 while (start <= end) { 1065 middle = (start + end) / 2; 1066 res = os_memcmp(list[middle].addr, addr, ETH_ALEN); 1067 if (res == 0) { 1068 if (vlan_id) 1069 *vlan_id = list[middle].vlan_id; 1070 return 1; 1071 } 1072 if (res < 0) 1073 start = middle + 1; 1074 else 1075 end = middle - 1; 1076 } 1077 1078 return 0; 1079 } 1080 1081 1082 int hostapd_rate_found(int *list, int rate) 1083 { 1084 int i; 1085 1086 if (list == NULL) 1087 return 0; 1088 1089 for (i = 0; list[i] >= 0; i++) 1090 if (list[i] == rate) 1091 return 1; 1092 1093 return 0; 1094 } 1095 1096 1097 int hostapd_vlan_valid(struct hostapd_vlan *vlan, 1098 struct vlan_description *vlan_desc) 1099 { 1100 struct hostapd_vlan *v = vlan; 1101 int i; 1102 1103 if (!vlan_desc->notempty || vlan_desc->untagged < 0 || 1104 vlan_desc->untagged > MAX_VLAN_ID) 1105 return 0; 1106 for (i = 0; i < MAX_NUM_TAGGED_VLAN; i++) { 1107 if (vlan_desc->tagged[i] < 0 || 1108 vlan_desc->tagged[i] > MAX_VLAN_ID) 1109 return 0; 1110 } 1111 if (!vlan_desc->untagged && !vlan_desc->tagged[0]) 1112 return 0; 1113 1114 while (v) { 1115 if (!vlan_compare(&v->vlan_desc, vlan_desc) || 1116 v->vlan_id == VLAN_ID_WILDCARD) 1117 return 1; 1118 v = v->next; 1119 } 1120 return 0; 1121 } 1122 1123 1124 const char * hostapd_get_vlan_id_ifname(struct hostapd_vlan *vlan, int vlan_id) 1125 { 1126 struct hostapd_vlan *v = vlan; 1127 while (v) { 1128 if (v->vlan_id == vlan_id) 1129 return v->ifname; 1130 v = v->next; 1131 } 1132 return NULL; 1133 } 1134 1135 1136 const u8 * hostapd_get_psk(const struct hostapd_bss_config *conf, 1137 const u8 *addr, const u8 *p2p_dev_addr, 1138 const u8 *prev_psk, int *vlan_id) 1139 { 1140 struct hostapd_wpa_psk *psk; 1141 int next_ok = prev_psk == NULL; 1142 1143 if (vlan_id) 1144 *vlan_id = 0; 1145 1146 if (p2p_dev_addr && !is_zero_ether_addr(p2p_dev_addr)) { 1147 wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR 1148 " p2p_dev_addr=" MACSTR " prev_psk=%p", 1149 MAC2STR(addr), MAC2STR(p2p_dev_addr), prev_psk); 1150 addr = NULL; /* Use P2P Device Address for matching */ 1151 } else { 1152 wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR 1153 " prev_psk=%p", 1154 MAC2STR(addr), prev_psk); 1155 } 1156 1157 for (psk = conf->ssid.wpa_psk; psk != NULL; psk = psk->next) { 1158 if (next_ok && 1159 (psk->group || 1160 (addr && ether_addr_equal(psk->addr, addr)) || 1161 (!addr && p2p_dev_addr && 1162 ether_addr_equal(psk->p2p_dev_addr, p2p_dev_addr)))) { 1163 if (vlan_id) 1164 *vlan_id = psk->vlan_id; 1165 return psk->psk; 1166 } 1167 1168 if (psk->psk == prev_psk) 1169 next_ok = 1; 1170 } 1171 1172 return NULL; 1173 } 1174 1175 1176 #ifdef CONFIG_SAE_PK 1177 static bool hostapd_sae_pk_password_without_pk(struct hostapd_bss_config *bss) 1178 { 1179 struct sae_password_entry *pw; 1180 bool res = false; 1181 1182 if (bss->ssid.wpa_passphrase && 1183 #ifdef CONFIG_TESTING_OPTIONS 1184 !bss->sae_pk_password_check_skip && 1185 #endif /* CONFIG_TESTING_OPTIONS */ 1186 sae_pk_valid_password(bss->ssid.wpa_passphrase)) 1187 res = true; 1188 1189 for (pw = bss->sae_passwords; pw; pw = pw->next) { 1190 if (!pw->pk && 1191 #ifdef CONFIG_TESTING_OPTIONS 1192 !bss->sae_pk_password_check_skip && 1193 #endif /* CONFIG_TESTING_OPTIONS */ 1194 sae_pk_valid_password(pw->password)) 1195 return true; 1196 1197 if (bss->ssid.wpa_passphrase && res && pw->pk && 1198 os_strcmp(bss->ssid.wpa_passphrase, pw->password) == 0) 1199 res = false; 1200 } 1201 1202 return res; 1203 } 1204 #endif /* CONFIG_SAE_PK */ 1205 1206 1207 static bool hostapd_config_check_bss_6g(struct hostapd_bss_config *bss) 1208 { 1209 if (bss->wpa != WPA_PROTO_RSN) { 1210 wpa_printf(MSG_ERROR, 1211 "Pre-RSNA security methods are not allowed in 6 GHz"); 1212 return false; 1213 } 1214 1215 if (bss->ieee80211w != MGMT_FRAME_PROTECTION_REQUIRED) { 1216 wpa_printf(MSG_ERROR, 1217 "Management frame protection is required in 6 GHz"); 1218 return false; 1219 } 1220 1221 if (bss->wpa_key_mgmt & (WPA_KEY_MGMT_PSK | 1222 WPA_KEY_MGMT_FT_PSK | 1223 WPA_KEY_MGMT_PSK_SHA256)) { 1224 wpa_printf(MSG_ERROR, "Invalid AKM suite for 6 GHz"); 1225 return false; 1226 } 1227 1228 if (bss->rsn_pairwise & (WPA_CIPHER_WEP40 | 1229 WPA_CIPHER_WEP104 | 1230 WPA_CIPHER_TKIP)) { 1231 wpa_printf(MSG_ERROR, 1232 "Invalid pairwise cipher suite for 6 GHz"); 1233 return false; 1234 } 1235 1236 if (bss->wpa_group & (WPA_CIPHER_WEP40 | 1237 WPA_CIPHER_WEP104 | 1238 WPA_CIPHER_TKIP)) { 1239 wpa_printf(MSG_ERROR, "Invalid group cipher suite for 6 GHz"); 1240 return false; 1241 } 1242 1243 #ifdef CONFIG_SAE 1244 if (wpa_key_mgmt_sae(bss->wpa_key_mgmt) && 1245 bss->sae_pwe == SAE_PWE_HUNT_AND_PECK) { 1246 wpa_printf(MSG_INFO, "SAE: Enabling SAE H2E on 6 GHz"); 1247 bss->sae_pwe = SAE_PWE_BOTH; 1248 } 1249 #endif /* CONFIG_SAE */ 1250 1251 return true; 1252 } 1253 1254 1255 static int hostapd_config_check_bss(struct hostapd_bss_config *bss, 1256 struct hostapd_config *conf, 1257 int full_config) 1258 { 1259 if (full_config && is_6ghz_op_class(conf->op_class) && 1260 !hostapd_config_check_bss_6g(bss)) 1261 return -1; 1262 1263 if (full_config && bss->ieee802_1x && !bss->eap_server && 1264 !bss->radius->auth_servers) { 1265 wpa_printf(MSG_ERROR, "Invalid IEEE 802.1X configuration (no " 1266 "EAP authenticator configured)."); 1267 return -1; 1268 } 1269 1270 #ifdef CONFIG_WEP 1271 if (bss->wpa) { 1272 int wep, i; 1273 1274 wep = bss->default_wep_key_len > 0 || 1275 bss->individual_wep_key_len > 0; 1276 for (i = 0; i < NUM_WEP_KEYS; i++) { 1277 if (bss->ssid.wep.keys_set) { 1278 wep = 1; 1279 break; 1280 } 1281 } 1282 1283 if (wep) { 1284 wpa_printf(MSG_ERROR, "WEP configuration in a WPA network is not supported"); 1285 return -1; 1286 } 1287 } 1288 #endif /* CONFIG_WEP */ 1289 1290 if (full_config && bss->wpa && 1291 bss->wpa_psk_radius != PSK_RADIUS_IGNORED && 1292 bss->wpa_psk_radius != PSK_RADIUS_DURING_4WAY_HS && 1293 bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH) { 1294 wpa_printf(MSG_ERROR, "WPA-PSK using RADIUS enabled, but no " 1295 "RADIUS checking (macaddr_acl=2) enabled."); 1296 return -1; 1297 } 1298 1299 if (full_config && bss->wpa && 1300 wpa_key_mgmt_wpa_psk_no_sae(bss->wpa_key_mgmt) && 1301 bss->ssid.wpa_psk == NULL && bss->ssid.wpa_passphrase == NULL && 1302 bss->ssid.wpa_psk_file == NULL && 1303 bss->wpa_psk_radius != PSK_RADIUS_DURING_4WAY_HS && 1304 (bss->wpa_psk_radius != PSK_RADIUS_REQUIRED || 1305 bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH)) { 1306 wpa_printf(MSG_ERROR, "WPA-PSK enabled, but PSK or passphrase " 1307 "is not configured."); 1308 return -1; 1309 } 1310 1311 if (full_config && !is_zero_ether_addr(bss->bssid)) { 1312 size_t i; 1313 1314 for (i = 0; i < conf->num_bss; i++) { 1315 if (conf->bss[i] != bss && 1316 (hostapd_mac_comp(conf->bss[i]->bssid, 1317 bss->bssid) == 0)) { 1318 wpa_printf(MSG_ERROR, "Duplicate BSSID " MACSTR 1319 " on interface '%s' and '%s'.", 1320 MAC2STR(bss->bssid), 1321 conf->bss[i]->iface, bss->iface); 1322 return -1; 1323 } 1324 } 1325 } 1326 1327 #ifdef CONFIG_IEEE80211R_AP 1328 if (full_config && wpa_key_mgmt_ft(bss->wpa_key_mgmt) && 1329 (bss->nas_identifier == NULL || 1330 os_strlen(bss->nas_identifier) < 1 || 1331 os_strlen(bss->nas_identifier) > FT_R0KH_ID_MAX_LEN)) { 1332 wpa_printf(MSG_ERROR, "FT (IEEE 802.11r) requires " 1333 "nas_identifier to be configured as a 1..48 octet " 1334 "string"); 1335 return -1; 1336 } 1337 #endif /* CONFIG_IEEE80211R_AP */ 1338 1339 if (full_config && conf->ieee80211n && 1340 conf->hw_mode == HOSTAPD_MODE_IEEE80211B) { 1341 bss->disable_11n = true; 1342 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) in 11b mode is not " 1343 "allowed, disabling HT capabilities"); 1344 } 1345 1346 #ifdef CONFIG_WEP 1347 if (full_config && conf->ieee80211n && 1348 bss->ssid.security_policy == SECURITY_STATIC_WEP) { 1349 bss->disable_11n = true; 1350 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WEP is not " 1351 "allowed, disabling HT capabilities"); 1352 } 1353 #endif /* CONFIG_WEP */ 1354 1355 if (full_config && conf->ieee80211n && bss->wpa && 1356 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) && 1357 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | 1358 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256))) 1359 { 1360 bss->disable_11n = true; 1361 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WPA/WPA2 " 1362 "requires CCMP/GCMP to be enabled, disabling HT " 1363 "capabilities"); 1364 } 1365 1366 #ifdef CONFIG_IEEE80211AC 1367 #ifdef CONFIG_WEP 1368 if (full_config && conf->ieee80211ac && 1369 bss->ssid.security_policy == SECURITY_STATIC_WEP) { 1370 bss->disable_11ac = true; 1371 wpa_printf(MSG_ERROR, 1372 "VHT (IEEE 802.11ac) with WEP is not allowed, disabling VHT capabilities"); 1373 } 1374 #endif /* CONFIG_WEP */ 1375 1376 if (full_config && conf->ieee80211ac && bss->wpa && 1377 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) && 1378 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | 1379 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256))) 1380 { 1381 bss->disable_11ac = true; 1382 wpa_printf(MSG_ERROR, 1383 "VHT (IEEE 802.11ac) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling VHT capabilities"); 1384 } 1385 #endif /* CONFIG_IEEE80211AC */ 1386 1387 #ifdef CONFIG_IEEE80211AX 1388 #ifdef CONFIG_WEP 1389 if (full_config && conf->ieee80211ax && 1390 bss->ssid.security_policy == SECURITY_STATIC_WEP) { 1391 bss->disable_11ax = true; 1392 wpa_printf(MSG_ERROR, 1393 "HE (IEEE 802.11ax) with WEP is not allowed, disabling HE capabilities"); 1394 } 1395 #endif /* CONFIG_WEP */ 1396 1397 if (full_config && conf->ieee80211ax && bss->wpa && 1398 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) && 1399 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | 1400 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256))) 1401 { 1402 bss->disable_11ax = true; 1403 wpa_printf(MSG_ERROR, 1404 "HE (IEEE 802.11ax) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling HE capabilities"); 1405 } 1406 #endif /* CONFIG_IEEE80211AX */ 1407 1408 #ifdef CONFIG_WPS 1409 if (full_config && bss->wps_state && bss->ignore_broadcast_ssid) { 1410 wpa_printf(MSG_INFO, "WPS: ignore_broadcast_ssid " 1411 "configuration forced WPS to be disabled"); 1412 bss->wps_state = 0; 1413 } 1414 1415 #ifdef CONFIG_WEP 1416 if (full_config && bss->wps_state && 1417 bss->ssid.wep.keys_set && bss->wpa == 0) { 1418 wpa_printf(MSG_INFO, "WPS: WEP configuration forced WPS to be " 1419 "disabled"); 1420 bss->wps_state = 0; 1421 } 1422 #endif /* CONFIG_WEP */ 1423 1424 if (full_config && bss->wps_state && bss->wpa && 1425 (!(bss->wpa & 2) || 1426 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | 1427 WPA_CIPHER_CCMP_256 | 1428 WPA_CIPHER_GCMP_256)))) { 1429 wpa_printf(MSG_INFO, "WPS: WPA/TKIP configuration without " 1430 "WPA2/CCMP/GCMP forced WPS to be disabled"); 1431 bss->wps_state = 0; 1432 } 1433 #endif /* CONFIG_WPS */ 1434 1435 #ifdef CONFIG_HS20 1436 if (full_config && bss->hs20 && 1437 (!(bss->wpa & 2) || 1438 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | 1439 WPA_CIPHER_CCMP_256 | 1440 WPA_CIPHER_GCMP_256)))) { 1441 wpa_printf(MSG_ERROR, "HS 2.0: WPA2-Enterprise/CCMP " 1442 "configuration is required for Hotspot 2.0 " 1443 "functionality"); 1444 return -1; 1445 } 1446 #endif /* CONFIG_HS20 */ 1447 1448 #ifdef CONFIG_MBO 1449 if (full_config && bss->mbo_enabled && (bss->wpa & 2) && 1450 bss->ieee80211w == NO_MGMT_FRAME_PROTECTION) { 1451 wpa_printf(MSG_ERROR, 1452 "MBO: PMF needs to be enabled whenever using WPA2 with MBO"); 1453 return -1; 1454 } 1455 #endif /* CONFIG_MBO */ 1456 1457 #ifdef CONFIG_OCV 1458 if (full_config && bss->ieee80211w == NO_MGMT_FRAME_PROTECTION && 1459 bss->ocv) { 1460 wpa_printf(MSG_ERROR, 1461 "OCV: PMF needs to be enabled whenever using OCV"); 1462 return -1; 1463 } 1464 #endif /* CONFIG_OCV */ 1465 1466 #ifdef CONFIG_SAE_PK 1467 if (full_config && hostapd_sae_pk_in_use(bss) && 1468 hostapd_sae_pk_password_without_pk(bss)) { 1469 wpa_printf(MSG_ERROR, 1470 "SAE-PK: SAE password uses SAE-PK style, but does not have PK configured"); 1471 return -1; 1472 } 1473 #endif /* CONFIG_SAE_PK */ 1474 1475 #ifdef CONFIG_FILS 1476 if (full_config && bss->fils_discovery_max_int && 1477 (!conf->ieee80211ax || bss->disable_11ax)) { 1478 wpa_printf(MSG_ERROR, 1479 "Currently IEEE 802.11ax support is mandatory to enable FILS discovery transmission."); 1480 return -1; 1481 } 1482 1483 if (full_config && bss->fils_discovery_max_int && 1484 bss->unsol_bcast_probe_resp_interval) { 1485 wpa_printf(MSG_ERROR, 1486 "Cannot enable both FILS discovery and unsolicited broadcast Probe Response at the same time"); 1487 return -1; 1488 } 1489 #endif /* CONFIG_FILS */ 1490 1491 #ifdef CONFIG_IEEE80211BE 1492 if (full_config && !bss->disable_11be && bss->disable_11ax) { 1493 bss->disable_11be = true; 1494 wpa_printf(MSG_INFO, 1495 "Disabling IEEE 802.11be as IEEE 802.11ax is disabled for this BSS"); 1496 } 1497 #endif /* CONFIG_IEEE80211BE */ 1498 1499 if (full_config && bss->ignore_broadcast_ssid && conf->mbssid) { 1500 wpa_printf(MSG_ERROR, 1501 "Hidden SSID is not suppored when MBSSID is enabled"); 1502 return -1; 1503 } 1504 1505 return 0; 1506 } 1507 1508 1509 static int hostapd_config_check_cw(struct hostapd_config *conf, int queue) 1510 { 1511 int tx_cwmin = conf->tx_queue[queue].cwmin; 1512 int tx_cwmax = conf->tx_queue[queue].cwmax; 1513 int ac_cwmin = conf->wmm_ac_params[queue].cwmin; 1514 int ac_cwmax = conf->wmm_ac_params[queue].cwmax; 1515 1516 if (tx_cwmin > tx_cwmax) { 1517 wpa_printf(MSG_ERROR, 1518 "Invalid TX queue cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)", 1519 tx_cwmin, tx_cwmax); 1520 return -1; 1521 } 1522 if (ac_cwmin > ac_cwmax) { 1523 wpa_printf(MSG_ERROR, 1524 "Invalid WMM AC cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)", 1525 ac_cwmin, ac_cwmax); 1526 return -1; 1527 } 1528 return 0; 1529 } 1530 1531 1532 int hostapd_config_check(struct hostapd_config *conf, int full_config) 1533 { 1534 size_t i; 1535 1536 if (full_config && is_6ghz_op_class(conf->op_class) && 1537 !conf->hw_mode_set) { 1538 /* Use the appropriate hw_mode value automatically when the 1539 * op_class parameter has been set, but hw_mode was not. */ 1540 conf->hw_mode = HOSTAPD_MODE_IEEE80211A; 1541 } 1542 1543 if (full_config && conf->ieee80211d && 1544 (!conf->country[0] || !conf->country[1])) { 1545 wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11d without " 1546 "setting the country_code"); 1547 return -1; 1548 } 1549 1550 if (full_config && conf->ieee80211h && !conf->ieee80211d) { 1551 wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11h without " 1552 "IEEE 802.11d enabled"); 1553 return -1; 1554 } 1555 1556 if (full_config && conf->local_pwr_constraint != -1 && 1557 !conf->ieee80211d) { 1558 wpa_printf(MSG_ERROR, "Cannot add Power Constraint element without Country element"); 1559 return -1; 1560 } 1561 1562 if (full_config && conf->spectrum_mgmt_required && 1563 conf->local_pwr_constraint == -1) { 1564 wpa_printf(MSG_ERROR, "Cannot set Spectrum Management bit without Country and Power Constraint elements"); 1565 return -1; 1566 } 1567 1568 #ifdef CONFIG_AIRTIME_POLICY 1569 if (full_config && conf->airtime_mode > AIRTIME_MODE_STATIC && 1570 !conf->airtime_update_interval) { 1571 wpa_printf(MSG_ERROR, "Airtime update interval cannot be zero"); 1572 return -1; 1573 } 1574 #endif /* CONFIG_AIRTIME_POLICY */ 1575 for (i = 0; i < NUM_TX_QUEUES; i++) { 1576 if (hostapd_config_check_cw(conf, i)) 1577 return -1; 1578 } 1579 1580 #ifdef CONFIG_IEEE80211BE 1581 if (full_config && conf->ieee80211be && !conf->ieee80211ax) { 1582 wpa_printf(MSG_ERROR, 1583 "Cannot set ieee80211be without ieee80211ax"); 1584 return -1; 1585 } 1586 1587 if (full_config) 1588 hostapd_set_and_check_bw320_offset(conf, 1589 conf->eht_bw320_offset); 1590 #endif /* CONFIG_IEEE80211BE */ 1591 1592 if (full_config && conf->mbssid && !conf->ieee80211ax) { 1593 wpa_printf(MSG_ERROR, 1594 "Cannot enable multiple BSSID support without ieee80211ax"); 1595 return -1; 1596 } 1597 1598 for (i = 0; i < conf->num_bss; i++) { 1599 if (hostapd_config_check_bss(conf->bss[i], conf, full_config)) 1600 return -1; 1601 } 1602 1603 return 0; 1604 } 1605 1606 1607 void hostapd_set_security_params(struct hostapd_bss_config *bss, 1608 int full_config) 1609 { 1610 #ifdef CONFIG_WEP 1611 if (bss->individual_wep_key_len == 0) { 1612 /* individual keys are not use; can use key idx0 for 1613 * broadcast keys */ 1614 bss->broadcast_key_idx_min = 0; 1615 } 1616 #endif /* CONFIG_WEP */ 1617 1618 if ((bss->wpa & 2) && bss->rsn_pairwise == 0) 1619 bss->rsn_pairwise = bss->wpa_pairwise; 1620 if (bss->group_cipher) 1621 bss->wpa_group = bss->group_cipher; 1622 else 1623 bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa, 1624 bss->wpa_pairwise, 1625 bss->rsn_pairwise); 1626 if (!bss->wpa_group_rekey_set) 1627 bss->wpa_group_rekey = bss->wpa_group == WPA_CIPHER_TKIP ? 1628 600 : 86400; 1629 1630 if (full_config) { 1631 bss->radius->auth_server = bss->radius->auth_servers; 1632 bss->radius->acct_server = bss->radius->acct_servers; 1633 } 1634 1635 if (bss->wpa && bss->ieee802_1x) { 1636 bss->ssid.security_policy = SECURITY_WPA; 1637 } else if (bss->wpa) { 1638 bss->ssid.security_policy = SECURITY_WPA_PSK; 1639 } else if (bss->ieee802_1x) { 1640 int cipher = WPA_CIPHER_NONE; 1641 bss->ssid.security_policy = SECURITY_IEEE_802_1X; 1642 #ifdef CONFIG_WEP 1643 bss->ssid.wep.default_len = bss->default_wep_key_len; 1644 if (full_config && bss->default_wep_key_len) { 1645 cipher = bss->default_wep_key_len >= 13 ? 1646 WPA_CIPHER_WEP104 : WPA_CIPHER_WEP40; 1647 } else if (full_config && bss->ssid.wep.keys_set) { 1648 if (bss->ssid.wep.len[0] >= 13) 1649 cipher = WPA_CIPHER_WEP104; 1650 else 1651 cipher = WPA_CIPHER_WEP40; 1652 } 1653 #endif /* CONFIG_WEP */ 1654 bss->wpa_group = cipher; 1655 bss->wpa_pairwise = cipher; 1656 bss->rsn_pairwise = cipher; 1657 if (full_config) 1658 bss->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_NO_WPA; 1659 #ifdef CONFIG_WEP 1660 } else if (bss->ssid.wep.keys_set) { 1661 int cipher = WPA_CIPHER_WEP40; 1662 if (bss->ssid.wep.len[0] >= 13) 1663 cipher = WPA_CIPHER_WEP104; 1664 bss->ssid.security_policy = SECURITY_STATIC_WEP; 1665 bss->wpa_group = cipher; 1666 bss->wpa_pairwise = cipher; 1667 bss->rsn_pairwise = cipher; 1668 if (full_config) 1669 bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE; 1670 #endif /* CONFIG_WEP */ 1671 } else if (bss->osen) { 1672 bss->ssid.security_policy = SECURITY_OSEN; 1673 bss->wpa_group = WPA_CIPHER_CCMP; 1674 bss->wpa_pairwise = 0; 1675 bss->rsn_pairwise = WPA_CIPHER_CCMP; 1676 } else { 1677 bss->ssid.security_policy = SECURITY_PLAINTEXT; 1678 if (full_config) { 1679 bss->wpa_group = WPA_CIPHER_NONE; 1680 bss->wpa_pairwise = WPA_CIPHER_NONE; 1681 bss->rsn_pairwise = WPA_CIPHER_NONE; 1682 bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE; 1683 } 1684 } 1685 } 1686 1687 1688 int hostapd_sae_pw_id_in_use(struct hostapd_bss_config *conf) 1689 { 1690 int with_id = 0, without_id = 0; 1691 struct sae_password_entry *pw; 1692 1693 if (conf->ssid.wpa_passphrase) 1694 without_id = 1; 1695 1696 for (pw = conf->sae_passwords; pw; pw = pw->next) { 1697 if (pw->identifier) 1698 with_id = 1; 1699 else 1700 without_id = 1; 1701 if (with_id && without_id) 1702 break; 1703 } 1704 1705 if (with_id && !without_id) 1706 return 2; 1707 return with_id; 1708 } 1709 1710 1711 bool hostapd_sae_pk_in_use(struct hostapd_bss_config *conf) 1712 { 1713 #ifdef CONFIG_SAE_PK 1714 struct sae_password_entry *pw; 1715 1716 for (pw = conf->sae_passwords; pw; pw = pw->next) { 1717 if (pw->pk) 1718 return true; 1719 } 1720 #endif /* CONFIG_SAE_PK */ 1721 1722 return false; 1723 } 1724 1725 1726 #ifdef CONFIG_SAE_PK 1727 bool hostapd_sae_pk_exclusively(struct hostapd_bss_config *conf) 1728 { 1729 bool with_pk = false; 1730 struct sae_password_entry *pw; 1731 1732 if (conf->ssid.wpa_passphrase) 1733 return false; 1734 1735 for (pw = conf->sae_passwords; pw; pw = pw->next) { 1736 if (!pw->pk) 1737 return false; 1738 with_pk = true; 1739 } 1740 1741 return with_pk; 1742 } 1743 #endif /* CONFIG_SAE_PK */ 1744 1745 1746 int hostapd_acl_comp(const void *a, const void *b) 1747 { 1748 const struct mac_acl_entry *aa = a; 1749 const struct mac_acl_entry *bb = b; 1750 return os_memcmp(aa->addr, bb->addr, sizeof(macaddr)); 1751 } 1752 1753 1754 int hostapd_add_acl_maclist(struct mac_acl_entry **acl, int *num, 1755 int vlan_id, const u8 *addr) 1756 { 1757 struct mac_acl_entry *newacl; 1758 1759 newacl = os_realloc_array(*acl, *num + 1, sizeof(**acl)); 1760 if (!newacl) { 1761 wpa_printf(MSG_ERROR, "MAC list reallocation failed"); 1762 return -1; 1763 } 1764 1765 *acl = newacl; 1766 os_memcpy((*acl)[*num].addr, addr, ETH_ALEN); 1767 os_memset(&(*acl)[*num].vlan_id, 0, sizeof((*acl)[*num].vlan_id)); 1768 (*acl)[*num].vlan_id.untagged = vlan_id; 1769 (*acl)[*num].vlan_id.notempty = !!vlan_id; 1770 (*num)++; 1771 1772 return 0; 1773 } 1774 1775 1776 void hostapd_remove_acl_mac(struct mac_acl_entry **acl, int *num, 1777 const u8 *addr) 1778 { 1779 int i = 0; 1780 1781 while (i < *num) { 1782 if (ether_addr_equal((*acl)[i].addr, addr)) { 1783 os_remove_in_array(*acl, *num, sizeof(**acl), i); 1784 (*num)--; 1785 } else { 1786 i++; 1787 } 1788 } 1789 } 1790
Indexes created Tue Feb 24 08:35:24 UTC 2026