src/ap/ap_config.c

   1 /*
   2  * hostapd / Configuration helper functions
   3  * Copyright (c) 2003-2014, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "utils/includes.h"
  10
  11 #include "utils/common.h"
  12 #include "crypto/sha1.h"
  13 #include "radius/radius_client.h"
  14 #include "common/ieee802_11_defs.h"
  15 #include "common/eapol_common.h"
  16 #include "common/dhcp.h"
  17 #include "eap_common/eap_wsc_common.h"
  18 #include "eap_server/eap.h"
  19 #include "wpa_auth.h"
  20 #include "sta_info.h"
  21 #include "ap_config.h"
  22
  23
  24 static void hostapd_config_free_vlan(struct hostapd_bss_config *bss)
  25 {
  26         struct hostapd_vlan *vlan, *prev;
  27
  28         vlan = bss->vlan;
  29         prev = NULL;
  30         while (vlan) {
  31                 prev = vlan;
  32                 vlan = vlan->next;
  33                 os_free(prev);
  34         }
  35
  36         bss->vlan = NULL;
  37 }
  38
  39
  40 #ifndef DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES
  41 #define DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES 0
  42 #endif /* DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES */
  43
  44 void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
  45 {
  46         dl_list_init(&bss->anqp_elem);
  47
  48         bss->logger_syslog_level = HOSTAPD_LEVEL_INFO;
  49         bss->logger_stdout_level = HOSTAPD_LEVEL_INFO;
  50         bss->logger_syslog = (unsigned int) -1;
  51         bss->logger_stdout = (unsigned int) -1;
  52
  53         bss->auth_algs = WPA_AUTH_ALG_OPEN | WPA_AUTH_ALG_SHARED;
  54
  55         bss->wep_rekeying_period = 300;
  56         /* use key0 in individual key and key1 in broadcast key */
  57         bss->broadcast_key_idx_min = 1;
  58         bss->broadcast_key_idx_max = 2;
  59         bss->eap_reauth_period = 3600;
  60
  61         bss->wpa_group_rekey = 600;
  62         bss->wpa_gmk_rekey = 86400;
  63         bss->wpa_group_update_count = 4;
  64         bss->wpa_pairwise_update_count = 4;
  65         bss->wpa_disable_eapol_key_retries =
  66                 DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES;
  67         bss->wpa_key_mgmt = WPA_KEY_MGMT_PSK;
  68         bss->wpa_pairwise = WPA_CIPHER_TKIP;
  69         bss->wpa_group = WPA_CIPHER_TKIP;
  70         bss->rsn_pairwise = 0;
  71
  72         bss->max_num_sta = MAX_STA_COUNT;
  73
  74         bss->dtim_period = 2;
  75
  76         bss->radius_server_auth_port = 1812;
  77         bss->eap_sim_db_timeout = 1;
  78         bss->ap_max_inactivity = AP_MAX_INACTIVITY;
  79         bss->eapol_version = EAPOL_VERSION;
  80
  81         bss->max_listen_interval = 65535;
  82
  83         bss->pwd_group = 19; /* ECC: GF(p=256) */
  84
  85 #ifdef CONFIG_IEEE80211W
  86         bss->assoc_sa_query_max_timeout = 1000;
  87         bss->assoc_sa_query_retry_timeout = 201;
  88         bss->group_mgmt_cipher = WPA_CIPHER_AES_128_CMAC;
  89 #endif /* CONFIG_IEEE80211W */
  90 #ifdef EAP_SERVER_FAST
  91          /* both anonymous and authenticated provisioning */
  92         bss->eap_fast_prov = 3;
  93         bss->pac_key_lifetime = 7 * 24 * 60 * 60;
  94         bss->pac_key_refresh_time = 1 * 24 * 60 * 60;
  95 #endif /* EAP_SERVER_FAST */
  96
  97         /* Set to -1 as defaults depends on HT in setup */
  98         bss->wmm_enabled = -1;
  99
 100 #ifdef CONFIG_IEEE80211R_AP
 101         bss->ft_over_ds = 1;
 102         bss->rkh_pos_timeout = 86400;
 103         bss->rkh_neg_timeout = 60;
 104         bss->rkh_pull_timeout = 1000;
 105         bss->rkh_pull_retries = 4;
 106 #endif /* CONFIG_IEEE80211R_AP */
 107
 108         bss->radius_das_time_window = 300;
 109
 110         bss->sae_anti_clogging_threshold = 5;
 111         bss->sae_sync = 5;
 112
 113         bss->gas_frag_limit = 1400;
 114
 115 #ifdef CONFIG_FILS
 116         dl_list_init(&bss->fils_realms);
 117         bss->fils_hlp_wait_time = 30;
 118         bss->dhcp_server_port = DHCP_SERVER_PORT;
 119         bss->dhcp_relay_port = DHCP_SERVER_PORT;
 120 #endif /* CONFIG_FILS */
 121
 122         bss->broadcast_deauth = 1;
 123
 124 #ifdef CONFIG_MBO
 125         bss->mbo_cell_data_conn_pref = -1;
 126 #endif /* CONFIG_MBO */
 127 }
 128
 129
 130 struct hostapd_config * hostapd_config_defaults(void)
 131 {
 132 #define ecw2cw(ecw) ((1 << (ecw)) - 1)
 133
 134         struct hostapd_config *conf;
 135         struct hostapd_bss_config *bss;
 136         const int aCWmin = 4, aCWmax = 10;
 137         const struct hostapd_wmm_ac_params ac_bk =
 138                 { aCWmin, aCWmax, 7, 0, 0 }; /* background traffic */
 139         const struct hostapd_wmm_ac_params ac_be =
 140                 { aCWmin, aCWmax, 3, 0, 0 }; /* best effort traffic */
 141         const struct hostapd_wmm_ac_params ac_vi = /* video traffic */
 142                 { aCWmin - 1, aCWmin, 2, 3008 / 32, 0 };
 143         const struct hostapd_wmm_ac_params ac_vo = /* voice traffic */
 144                 { aCWmin - 2, aCWmin - 1, 2, 1504 / 32, 0 };
 145         const struct hostapd_tx_queue_params txq_bk =
 146                 { 7, ecw2cw(aCWmin), ecw2cw(aCWmax), 0 };
 147         const struct hostapd_tx_queue_params txq_be =
 148                 { 3, ecw2cw(aCWmin), 4 * (ecw2cw(aCWmin) + 1) - 1, 0};
 149         const struct hostapd_tx_queue_params txq_vi =
 150                 { 1, (ecw2cw(aCWmin) + 1) / 2 - 1, ecw2cw(aCWmin), 30};
 151         const struct hostapd_tx_queue_params txq_vo =
 152                 { 1, (ecw2cw(aCWmin) + 1) / 4 - 1,
 153                   (ecw2cw(aCWmin) + 1) / 2 - 1, 15};
 154
 155 #undef ecw2cw
 156
 157         conf = os_zalloc(sizeof(*conf));
 158         bss = os_zalloc(sizeof(*bss));
 159         if (conf == NULL || bss == NULL) {
 160                 wpa_printf(MSG_ERROR, "Failed to allocate memory for "
 161                            "configuration data.");
 162                 os_free(conf);
 163                 os_free(bss);
 164                 return NULL;
 165         }
 166         conf->bss = os_calloc(1, sizeof(struct hostapd_bss_config *));
 167         if (conf->bss == NULL) {
 168                 os_free(conf);
 169                 os_free(bss);
 170                 return NULL;
 171         }
 172         conf->bss[0] = bss;
 173
 174         bss->radius = os_zalloc(sizeof(*bss->radius));
 175         if (bss->radius == NULL) {
 176                 os_free(conf->bss);
 177                 os_free(conf);
 178                 os_free(bss);
 179                 return NULL;
 180         }
 181
 182         hostapd_config_defaults_bss(bss);
 183
 184         conf->num_bss = 1;
 185
 186         conf->beacon_int = 100;
 187         conf->rts_threshold = -1; /* use driver default: 2347 */
 188         conf->fragm_threshold = -1; /* user driver default: 2346 */
 189         conf->send_probe_response = 1;
 190         /* Set to invalid value means do not add Power Constraint IE */
 191         conf->local_pwr_constraint = -1;
 192
 193         conf->wmm_ac_params[0] = ac_be;
 194         conf->wmm_ac_params[1] = ac_bk;
 195         conf->wmm_ac_params[2] = ac_vi;
 196         conf->wmm_ac_params[3] = ac_vo;
 197
 198         conf->tx_queue[0] = txq_vo;
 199         conf->tx_queue[1] = txq_vi;
 200         conf->tx_queue[2] = txq_be;
 201         conf->tx_queue[3] = txq_bk;
 202
 203         conf->ht_capab = HT_CAP_INFO_SMPS_DISABLED;
 204
 205         conf->ap_table_max_size = 255;
 206         conf->ap_table_expiration_time = 60;
 207         conf->track_sta_max_age = 180;
 208
 209 #ifdef CONFIG_TESTING_OPTIONS
 210         conf->ignore_probe_probability = 0.0;
 211         conf->ignore_auth_probability = 0.0;
 212         conf->ignore_assoc_probability = 0.0;
 213         conf->ignore_reassoc_probability = 0.0;
 214         conf->corrupt_gtk_rekey_mic_probability = 0.0;
 215         conf->ecsa_ie_only = 0;
 216 #endif /* CONFIG_TESTING_OPTIONS */
 217
 218         conf->acs = 0;
 219         conf->acs_ch_list.num = 0;
 220 #ifdef CONFIG_ACS
 221         conf->acs_num_scans = 5;
 222 #endif /* CONFIG_ACS */
 223
 224         /* The third octet of the country string uses an ASCII space character
 225          * by default to indicate that the regulations encompass all
 226          * environments for the current frequency band in the country. */
 227         conf->country[2] = ' ';
 228
 229         return conf;
 230 }
 231
 232
 233 int hostapd_mac_comp(const void *a, const void *b)
 234 {
 235         return os_memcmp(a, b, sizeof(macaddr));
 236 }
 237
 238
 239 static int hostapd_config_read_wpa_psk(const char *fname,
 240                                        struct hostapd_ssid *ssid)
 241 {
 242         FILE *f;
 243         char buf[128], *pos;
 244         int line = 0, ret = 0, len, ok;
 245         u8 addr[ETH_ALEN];
 246         struct hostapd_wpa_psk *psk;
 247
 248         if (!fname)
 249                 return 0;
 250
 251         f = fopen(fname, "r");
 252         if (!f) {
 253                 wpa_printf(MSG_ERROR, "WPA PSK file '%s' not found.", fname);
 254                 return -1;
 255         }
 256
 257         while (fgets(buf, sizeof(buf), f)) {
 258                 line++;
 259
 260                 if (buf[0] == '#')
 261                         continue;
 262                 pos = buf;
 263                 while (*pos != '\0') {
 264                         if (*pos == '\n') {
 265                                 *pos = '\0';
 266                                 break;
 267                         }
 268                         pos++;
 269                 }
 270                 if (buf[0] == '\0')
 271                         continue;
 272
 273                 if (hwaddr_aton(buf, addr)) {
 274                         wpa_printf(MSG_ERROR, "Invalid MAC address '%s' on "
 275                                    "line %d in '%s'", buf, line, fname);
 276                         ret = -1;
 277                         break;
 278                 }
 279
 280                 psk = os_zalloc(sizeof(*psk));
 281                 if (psk == NULL) {
 282                         wpa_printf(MSG_ERROR, "WPA PSK allocation failed");
 283                         ret = -1;
 284                         break;
 285                 }
 286                 if (is_zero_ether_addr(addr))
 287                         psk->group = 1;
 288                 else
 289                         os_memcpy(psk->addr, addr, ETH_ALEN);
 290
 291                 pos = buf + 17;
 292                 if (*pos == '\0') {
 293                         wpa_printf(MSG_ERROR, "No PSK on line %d in '%s'",
 294                                    line, fname);
 295                         os_free(psk);
 296                         ret = -1;
 297                         break;
 298                 }
 299                 pos++;
 300
 301                 ok = 0;
 302                 len = os_strlen(pos);
 303                 if (len == 64 && hexstr2bin(pos, psk->psk, PMK_LEN) == 0)
 304                         ok = 1;
 305                 else if (len >= 8 && len < 64) {
 306                         pbkdf2_sha1(pos, ssid->ssid, ssid->ssid_len,
 307                                     4096, psk->psk, PMK_LEN);
 308                         ok = 1;
 309                 }
 310                 if (!ok) {
 311                         wpa_printf(MSG_ERROR, "Invalid PSK '%s' on line %d in "
 312                                    "'%s'", pos, line, fname);
 313                         os_free(psk);
 314                         ret = -1;
 315                         break;
 316                 }
 317
 318                 psk->next = ssid->wpa_psk;
 319                 ssid->wpa_psk = psk;
 320         }
 321
 322         fclose(f);
 323
 324         return ret;
 325 }
 326
 327
 328 static int hostapd_derive_psk(struct hostapd_ssid *ssid)
 329 {
 330         ssid->wpa_psk = os_zalloc(sizeof(struct hostapd_wpa_psk));
 331         if (ssid->wpa_psk == NULL) {
 332                 wpa_printf(MSG_ERROR, "Unable to alloc space for PSK");
 333                 return -1;
 334         }
 335         wpa_hexdump_ascii(MSG_DEBUG, "SSID",
 336                           (u8 *) ssid->ssid, ssid->ssid_len);
 337         wpa_hexdump_ascii_key(MSG_DEBUG, "PSK (ASCII passphrase)",
 338                               (u8 *) ssid->wpa_passphrase,
 339                               os_strlen(ssid->wpa_passphrase));
 340         pbkdf2_sha1(ssid->wpa_passphrase,
 341                     ssid->ssid, ssid->ssid_len,
 342                     4096, ssid->wpa_psk->psk, PMK_LEN);
 343         wpa_hexdump_key(MSG_DEBUG, "PSK (from passphrase)",
 344                         ssid->wpa_psk->psk, PMK_LEN);
 345         return 0;
 346 }
 347
 348
 349 int hostapd_setup_wpa_psk(struct hostapd_bss_config *conf)
 350 {
 351         struct hostapd_ssid *ssid = &conf->ssid;
 352
 353         if (ssid->wpa_passphrase != NULL) {
 354                 if (ssid->wpa_psk != NULL) {
 355                         wpa_printf(MSG_DEBUG, "Using pre-configured WPA PSK "
 356                                    "instead of passphrase");
 357                 } else {
 358                         wpa_printf(MSG_DEBUG, "Deriving WPA PSK based on "
 359                                    "passphrase");
 360                         if (hostapd_derive_psk(ssid) < 0)
 361                                 return -1;
 362                 }
 363                 ssid->wpa_psk->group = 1;
 364         }
 365
 366         return hostapd_config_read_wpa_psk(ssid->wpa_psk_file, &conf->ssid);
 367 }
 368
 369
 370 static void hostapd_config_free_radius(struct hostapd_radius_server *servers,
 371                                        int num_servers)
 372 {
 373         int i;
 374
 375         for (i = 0; i < num_servers; i++) {
 376                 os_free(servers[i].shared_secret);
 377         }
 378         os_free(servers);
 379 }
 380
 381
 382 struct hostapd_radius_attr *
 383 hostapd_config_get_radius_attr(struct hostapd_radius_attr *attr, u8 type)
 384 {
 385         for (; attr; attr = attr->next) {
 386                 if (attr->type == type)
 387                         return attr;
 388         }
 389         return NULL;
 390 }
 391
 392
 393 static void hostapd_config_free_radius_attr(struct hostapd_radius_attr *attr)
 394 {
 395         struct hostapd_radius_attr *prev;
 396
 397         while (attr) {
 398                 prev = attr;
 399                 attr = attr->next;
 400                 wpabuf_free(prev->val);
 401                 os_free(prev);
 402         }
 403 }
 404
 405
 406 void hostapd_config_free_eap_user(struct hostapd_eap_user *user)
 407 {
 408         hostapd_config_free_radius_attr(user->accept_attr);
 409         os_free(user->identity);
 410         bin_clear_free(user->password, user->password_len);
 411         os_free(user);
 412 }
 413
 414
 415 void hostapd_config_free_eap_users(struct hostapd_eap_user *user)
 416 {
 417         struct hostapd_eap_user *prev_user;
 418
 419         while (user) {
 420                 prev_user = user;
 421                 user = user->next;
 422                 hostapd_config_free_eap_user(prev_user);
 423         }
 424 }
 425
 426
 427 static void hostapd_config_free_wep(struct hostapd_wep_keys *keys)
 428 {
 429         int i;
 430         for (i = 0; i < NUM_WEP_KEYS; i++) {
 431                 bin_clear_free(keys->key[i], keys->len[i]);
 432                 keys->key[i] = NULL;
 433         }
 434 }
 435
 436
 437 void hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk **l)
 438 {
 439         struct hostapd_wpa_psk *psk, *tmp;
 440
 441         for (psk = *l; psk;) {
 442                 tmp = psk;
 443                 psk = psk->next;
 444                 bin_clear_free(tmp, sizeof(*tmp));
 445         }
 446         *l = NULL;
 447 }
 448
 449
 450 static void hostapd_config_free_anqp_elem(struct hostapd_bss_config *conf)
 451 {
 452         struct anqp_element *elem;
 453
 454         while ((elem = dl_list_first(&conf->anqp_elem, struct anqp_element,
 455                                      list))) {
 456                 dl_list_del(&elem->list);
 457                 wpabuf_free(elem->payload);
 458                 os_free(elem);
 459         }
 460 }
 461
 462
 463 static void hostapd_config_free_fils_realms(struct hostapd_bss_config *conf)
 464 {
 465 #ifdef CONFIG_FILS
 466         struct fils_realm *realm;
 467
 468         while ((realm = dl_list_first(&conf->fils_realms, struct fils_realm,
 469                                       list))) {
 470                 dl_list_del(&realm->list);
 471                 os_free(realm);
 472         }
 473 #endif /* CONFIG_FILS */
 474 }
 475
 476
 477 void hostapd_config_free_bss(struct hostapd_bss_config *conf)
 478 {
 479         if (conf == NULL)
 480                 return;
 481
 482         hostapd_config_clear_wpa_psk(&conf->ssid.wpa_psk);
 483
 484         str_clear_free(conf->ssid.wpa_passphrase);
 485         os_free(conf->ssid.wpa_psk_file);
 486         hostapd_config_free_wep(&conf->ssid.wep);
 487 #ifdef CONFIG_FULL_DYNAMIC_VLAN
 488         os_free(conf->ssid.vlan_tagged_interface);
 489 #endif /* CONFIG_FULL_DYNAMIC_VLAN */
 490
 491         hostapd_config_free_eap_users(conf->eap_user);
 492         os_free(conf->eap_user_sqlite);
 493
 494         os_free(conf->eap_req_id_text);
 495         os_free(conf->erp_domain);
 496         os_free(conf->accept_mac);
 497         os_free(conf->deny_mac);
 498         os_free(conf->nas_identifier);
 499         if (conf->radius) {
 500                 hostapd_config_free_radius(conf->radius->auth_servers,
 501                                            conf->radius->num_auth_servers);
 502                 hostapd_config_free_radius(conf->radius->acct_servers,
 503                                            conf->radius->num_acct_servers);
 504         }
 505         hostapd_config_free_radius_attr(conf->radius_auth_req_attr);
 506         hostapd_config_free_radius_attr(conf->radius_acct_req_attr);
 507         os_free(conf->rsn_preauth_interfaces);
 508         os_free(conf->ctrl_interface);
 509         os_free(conf->ca_cert);
 510         os_free(conf->server_cert);
 511         os_free(conf->private_key);
 512         os_free(conf->private_key_passwd);
 513         os_free(conf->ocsp_stapling_response);
 514         os_free(conf->ocsp_stapling_response_multi);
 515         os_free(conf->dh_file);
 516         os_free(conf->openssl_ciphers);
 517         os_free(conf->pac_opaque_encr_key);
 518         os_free(conf->eap_fast_a_id);
 519         os_free(conf->eap_fast_a_id_info);
 520         os_free(conf->eap_sim_db);
 521         os_free(conf->radius_server_clients);
 522         os_free(conf->radius);
 523         os_free(conf->radius_das_shared_secret);
 524         hostapd_config_free_vlan(conf);
 525         os_free(conf->time_zone);
 526
 527 #ifdef CONFIG_IEEE80211R_AP
 528         {
 529                 struct ft_remote_r0kh *r0kh, *r0kh_prev;
 530                 struct ft_remote_r1kh *r1kh, *r1kh_prev;
 531
 532                 r0kh = conf->r0kh_list;
 533                 conf->r0kh_list = NULL;
 534                 while (r0kh) {
 535                         r0kh_prev = r0kh;
 536                         r0kh = r0kh->next;
 537                         os_free(r0kh_prev);
 538                 }
 539
 540                 r1kh = conf->r1kh_list;
 541                 conf->r1kh_list = NULL;
 542                 while (r1kh) {
 543                         r1kh_prev = r1kh;
 544                         r1kh = r1kh->next;
 545                         os_free(r1kh_prev);
 546                 }
 547         }
 548 #endif /* CONFIG_IEEE80211R_AP */
 549
 550 #ifdef CONFIG_WPS
 551         os_free(conf->wps_pin_requests);
 552         os_free(conf->device_name);
 553         os_free(conf->manufacturer);
 554         os_free(conf->model_name);
 555         os_free(conf->model_number);
 556         os_free(conf->serial_number);
 557         os_free(conf->config_methods);
 558         os_free(conf->ap_pin);
 559         os_free(conf->extra_cred);
 560         os_free(conf->ap_settings);
 561         os_free(conf->upnp_iface);
 562         os_free(conf->friendly_name);
 563         os_free(conf->manufacturer_url);
 564         os_free(conf->model_description);
 565         os_free(conf->model_url);
 566         os_free(conf->upc);
 567         {
 568                 unsigned int i;
 569
 570                 for (i = 0; i < MAX_WPS_VENDOR_EXTENSIONS; i++)
 571                         wpabuf_free(conf->wps_vendor_ext[i]);
 572         }
 573         wpabuf_free(conf->wps_nfc_dh_pubkey);
 574         wpabuf_free(conf->wps_nfc_dh_privkey);
 575         wpabuf_free(conf->wps_nfc_dev_pw);
 576 #endif /* CONFIG_WPS */
 577
 578         os_free(conf->roaming_consortium);
 579         os_free(conf->venue_name);
 580         os_free(conf->nai_realm_data);
 581         os_free(conf->network_auth_type);
 582         os_free(conf->anqp_3gpp_cell_net);
 583         os_free(conf->domain_name);
 584         hostapd_config_free_anqp_elem(conf);
 585
 586 #ifdef CONFIG_RADIUS_TEST
 587         os_free(conf->dump_msk_file);
 588 #endif /* CONFIG_RADIUS_TEST */
 589
 590 #ifdef CONFIG_HS20
 591         os_free(conf->hs20_oper_friendly_name);
 592         os_free(conf->hs20_wan_metrics);
 593         os_free(conf->hs20_connection_capability);
 594         os_free(conf->hs20_operating_class);
 595         os_free(conf->hs20_icons);
 596         if (conf->hs20_osu_providers) {
 597                 size_t i;
 598                 for (i = 0; i < conf->hs20_osu_providers_count; i++) {
 599                         struct hs20_osu_provider *p;
 600                         size_t j;
 601                         p = &conf->hs20_osu_providers[i];
 602                         os_free(p->friendly_name);
 603                         os_free(p->server_uri);
 604                         os_free(p->method_list);
 605                         for (j = 0; j < p->icons_count; j++)
 606                                 os_free(p->icons[j]);
 607                         os_free(p->icons);
 608                         os_free(p->osu_nai);
 609                         os_free(p->service_desc);
 610                 }
 611                 os_free(conf->hs20_osu_providers);
 612         }
 613         os_free(conf->subscr_remediation_url);
 614 #endif /* CONFIG_HS20 */
 615
 616         wpabuf_free(conf->vendor_elements);
 617         wpabuf_free(conf->assocresp_elements);
 618
 619         os_free(conf->sae_groups);
 620 #ifdef CONFIG_OWE
 621         os_free(conf->owe_groups);
 622 #endif /* CONFIG_OWE */
 623
 624         os_free(conf->wowlan_triggers);
 625
 626         os_free(conf->server_id);
 627
 628 #ifdef CONFIG_TESTING_OPTIONS
 629         wpabuf_free(conf->own_ie_override);
 630         wpabuf_free(conf->sae_commit_override);
 631 #endif /* CONFIG_TESTING_OPTIONS */
 632
 633         os_free(conf->no_probe_resp_if_seen_on);
 634         os_free(conf->no_auth_if_seen_on);
 635
 636         hostapd_config_free_fils_realms(conf);
 637
 638 #ifdef CONFIG_DPP
 639         os_free(conf->dpp_connector);
 640         wpabuf_free(conf->dpp_netaccesskey);
 641         wpabuf_free(conf->dpp_csign);
 642 #endif /* CONFIG_DPP */
 643
 644         os_free(conf->sae_password);
 645
 646         os_free(conf);
 647 }
 648
 649
 650 /**
 651  * hostapd_config_free - Free hostapd configuration
 652  * @conf: Configuration data from hostapd_config_read().
 653  */
 654 void hostapd_config_free(struct hostapd_config *conf)
 655 {
 656         size_t i;
 657
 658         if (conf == NULL)
 659                 return;
 660
 661         for (i = 0; i < conf->num_bss; i++)
 662                 hostapd_config_free_bss(conf->bss[i]);
 663         os_free(conf->bss);
 664         os_free(conf->supported_rates);
 665         os_free(conf->basic_rates);
 666         os_free(conf->acs_ch_list.range);
 667         os_free(conf->driver_params);
 668 #ifdef CONFIG_ACS
 669         os_free(conf->acs_chan_bias);
 670 #endif /* CONFIG_ACS */
 671         wpabuf_free(conf->lci);
 672         wpabuf_free(conf->civic);
 673
 674         os_free(conf);
 675 }
 676
 677
 678 /**
 679  * hostapd_maclist_found - Find a MAC address from a list
 680  * @list: MAC address list
 681  * @num_entries: Number of addresses in the list
 682  * @addr: Address to search for
 683  * @vlan_id: Buffer for returning VLAN ID or %NULL if not needed
 684  * Returns: 1 if address is in the list or 0 if not.
 685  *
 686  * Perform a binary search for given MAC address from a pre-sorted list.
 687  */
 688 int hostapd_maclist_found(struct mac_acl_entry *list, int num_entries,
 689                           const u8 *addr, struct vlan_description *vlan_id)
 690 {
 691         int start, end, middle, res;
 692
 693         start = 0;
 694         end = num_entries - 1;
 695
 696         while (start <= end) {
 697                 middle = (start + end) / 2;
 698                 res = os_memcmp(list[middle].addr, addr, ETH_ALEN);
 699                 if (res == 0) {
 700                         if (vlan_id)
 701                                 *vlan_id = list[middle].vlan_id;
 702                         return 1;
 703                 }
 704                 if (res < 0)
 705                         start = middle + 1;
 706                 else
 707                         end = middle - 1;
 708         }
 709
 710         return 0;
 711 }
 712
 713
 714 int hostapd_rate_found(int *list, int rate)
 715 {
 716         int i;
 717
 718         if (list == NULL)
 719                 return 0;
 720
 721         for (i = 0; list[i] >= 0; i++)
 722                 if (list[i] == rate)
 723                         return 1;
 724
 725         return 0;
 726 }
 727
 728
 729 int hostapd_vlan_valid(struct hostapd_vlan *vlan,
 730                        struct vlan_description *vlan_desc)
 731 {
 732         struct hostapd_vlan *v = vlan;
 733         int i;
 734
 735         if (!vlan_desc->notempty || vlan_desc->untagged < 0 ||
 736             vlan_desc->untagged > MAX_VLAN_ID)
 737                 return 0;
 738         for (i = 0; i < MAX_NUM_TAGGED_VLAN; i++) {
 739                 if (vlan_desc->tagged[i] < 0 ||
 740                     vlan_desc->tagged[i] > MAX_VLAN_ID)
 741                         return 0;
 742         }
 743         if (!vlan_desc->untagged && !vlan_desc->tagged[0])
 744                 return 0;
 745
 746         while (v) {
 747                 if (!vlan_compare(&v->vlan_desc, vlan_desc) ||
 748                     v->vlan_id == VLAN_ID_WILDCARD)
 749                         return 1;
 750                 v = v->next;
 751         }
 752         return 0;
 753 }
 754
 755
 756 const char * hostapd_get_vlan_id_ifname(struct hostapd_vlan *vlan, int vlan_id)
 757 {
 758         struct hostapd_vlan *v = vlan;
 759         while (v) {
 760                 if (v->vlan_id == vlan_id)
 761                         return v->ifname;
 762                 v = v->next;
 763         }
 764         return NULL;
 765 }
 766
 767
 768 const u8 * hostapd_get_psk(const struct hostapd_bss_config *conf,
 769                            const u8 *addr, const u8 *p2p_dev_addr,
 770                            const u8 *prev_psk)
 771 {
 772         struct hostapd_wpa_psk *psk;
 773         int next_ok = prev_psk == NULL;
 774
 775         if (p2p_dev_addr && !is_zero_ether_addr(p2p_dev_addr)) {
 776                 wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR
 777                            " p2p_dev_addr=" MACSTR " prev_psk=%p",
 778                            MAC2STR(addr), MAC2STR(p2p_dev_addr), prev_psk);
 779                 addr = NULL; /* Use P2P Device Address for matching */
 780         } else {
 781                 wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR
 782                            " prev_psk=%p",
 783                            MAC2STR(addr), prev_psk);
 784         }
 785
 786         for (psk = conf->ssid.wpa_psk; psk != NULL; psk = psk->next) {
 787                 if (next_ok &&
 788                     (psk->group ||
 789                      (addr && os_memcmp(psk->addr, addr, ETH_ALEN) == 0) ||
 790                      (!addr && p2p_dev_addr &&
 791                       os_memcmp(psk->p2p_dev_addr, p2p_dev_addr, ETH_ALEN) ==
 792                       0)))
 793                         return psk->psk;
 794
 795                 if (psk->psk == prev_psk)
 796                         next_ok = 1;
 797         }
 798
 799         return NULL;
 800 }
 801
 802
 803 static int hostapd_config_check_bss(struct hostapd_bss_config *bss,
 804                                     struct hostapd_config *conf,
 805                                     int full_config)
 806 {
 807         if (full_config && bss->ieee802_1x && !bss->eap_server &&
 808             !bss->radius->auth_servers) {
 809                 wpa_printf(MSG_ERROR, "Invalid IEEE 802.1X configuration (no "
 810                            "EAP authenticator configured).");
 811                 return -1;
 812         }
 813
 814         if (bss->wpa) {
 815                 int wep, i;
 816
 817                 wep = bss->default_wep_key_len > 0 ||
 818                        bss->individual_wep_key_len > 0;
 819                 for (i = 0; i < NUM_WEP_KEYS; i++) {
 820                         if (bss->ssid.wep.keys_set) {
 821                                 wep = 1;
 822                                 break;
 823                         }
 824                 }
 825
 826                 if (wep) {
 827                         wpa_printf(MSG_ERROR, "WEP configuration in a WPA network is not supported");
 828                         return -1;
 829                 }
 830         }
 831
 832         if (full_config && bss->wpa &&
 833             bss->wpa_psk_radius != PSK_RADIUS_IGNORED &&
 834             bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH) {
 835                 wpa_printf(MSG_ERROR, "WPA-PSK using RADIUS enabled, but no "
 836                            "RADIUS checking (macaddr_acl=2) enabled.");
 837                 return -1;
 838         }
 839
 840         if (full_config && bss->wpa && (bss->wpa_key_mgmt & WPA_KEY_MGMT_PSK) &&
 841             bss->ssid.wpa_psk == NULL && bss->ssid.wpa_passphrase == NULL &&
 842             bss->ssid.wpa_psk_file == NULL &&
 843             (bss->wpa_psk_radius != PSK_RADIUS_REQUIRED ||
 844              bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH)) {
 845                 wpa_printf(MSG_ERROR, "WPA-PSK enabled, but PSK or passphrase "
 846                            "is not configured.");
 847                 return -1;
 848         }
 849
 850         if (full_config && !is_zero_ether_addr(bss->bssid)) {
 851                 size_t i;
 852
 853                 for (i = 0; i < conf->num_bss; i++) {
 854                         if (conf->bss[i] != bss &&
 855                             (hostapd_mac_comp(conf->bss[i]->bssid,
 856                                               bss->bssid) == 0)) {
 857                                 wpa_printf(MSG_ERROR, "Duplicate BSSID " MACSTR
 858                                            " on interface '%s' and '%s'.",
 859                                            MAC2STR(bss->bssid),
 860                                            conf->bss[i]->iface, bss->iface);
 861                                 return -1;
 862                         }
 863                 }
 864         }
 865
 866 #ifdef CONFIG_IEEE80211R_AP
 867         if (full_config && wpa_key_mgmt_ft(bss->wpa_key_mgmt) &&
 868             (bss->nas_identifier == NULL ||
 869              os_strlen(bss->nas_identifier) < 1 ||
 870              os_strlen(bss->nas_identifier) > FT_R0KH_ID_MAX_LEN)) {
 871                 wpa_printf(MSG_ERROR, "FT (IEEE 802.11r) requires "
 872                            "nas_identifier to be configured as a 1..48 octet "
 873                            "string");
 874                 return -1;
 875         }
 876 #endif /* CONFIG_IEEE80211R_AP */
 877
 878 #ifdef CONFIG_IEEE80211N
 879         if (full_config && conf->ieee80211n &&
 880             conf->hw_mode == HOSTAPD_MODE_IEEE80211B) {
 881                 bss->disable_11n = 1;
 882                 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) in 11b mode is not "
 883                            "allowed, disabling HT capabilities");
 884         }
 885
 886         if (full_config && conf->ieee80211n &&
 887             bss->ssid.security_policy == SECURITY_STATIC_WEP) {
 888                 bss->disable_11n = 1;
 889                 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WEP is not "
 890                            "allowed, disabling HT capabilities");
 891         }
 892
 893         if (full_config && conf->ieee80211n && bss->wpa &&
 894             !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
 895             !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
 896                                    WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
 897         {
 898                 bss->disable_11n = 1;
 899                 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WPA/WPA2 "
 900                            "requires CCMP/GCMP to be enabled, disabling HT "
 901                            "capabilities");
 902         }
 903 #endif /* CONFIG_IEEE80211N */
 904
 905 #ifdef CONFIG_IEEE80211AC
 906         if (full_config && conf->ieee80211ac &&
 907             bss->ssid.security_policy == SECURITY_STATIC_WEP) {
 908                 bss->disable_11ac = 1;
 909                 wpa_printf(MSG_ERROR,
 910                            "VHT (IEEE 802.11ac) with WEP is not allowed, disabling VHT capabilities");
 911         }
 912
 913         if (full_config && conf->ieee80211ac && bss->wpa &&
 914             !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
 915             !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
 916                                    WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
 917         {
 918                 bss->disable_11ac = 1;
 919                 wpa_printf(MSG_ERROR,
 920                            "VHT (IEEE 802.11ac) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling VHT capabilities");
 921         }
 922 #endif /* CONFIG_IEEE80211AC */
 923
 924 #ifdef CONFIG_WPS
 925         if (full_config && bss->wps_state && bss->ignore_broadcast_ssid) {
 926                 wpa_printf(MSG_INFO, "WPS: ignore_broadcast_ssid "
 927                            "configuration forced WPS to be disabled");
 928                 bss->wps_state = 0;
 929         }
 930
 931         if (full_config && bss->wps_state &&
 932             bss->ssid.wep.keys_set && bss->wpa == 0) {
 933                 wpa_printf(MSG_INFO, "WPS: WEP configuration forced WPS to be "
 934                            "disabled");
 935                 bss->wps_state = 0;
 936         }
 937
 938         if (full_config && bss->wps_state && bss->wpa &&
 939             (!(bss->wpa & 2) ||
 940              !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
 941                                     WPA_CIPHER_CCMP_256 |
 942                                     WPA_CIPHER_GCMP_256)))) {
 943                 wpa_printf(MSG_INFO, "WPS: WPA/TKIP configuration without "
 944                            "WPA2/CCMP/GCMP forced WPS to be disabled");
 945                 bss->wps_state = 0;
 946         }
 947 #endif /* CONFIG_WPS */
 948
 949 #ifdef CONFIG_HS20
 950         if (full_config && bss->hs20 &&
 951             (!(bss->wpa & 2) ||
 952              !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
 953                                     WPA_CIPHER_CCMP_256 |
 954                                     WPA_CIPHER_GCMP_256)))) {
 955                 wpa_printf(MSG_ERROR, "HS 2.0: WPA2-Enterprise/CCMP "
 956                            "configuration is required for Hotspot 2.0 "
 957                            "functionality");
 958                 return -1;
 959         }
 960 #endif /* CONFIG_HS20 */
 961
 962 #ifdef CONFIG_MBO
 963         if (full_config && bss->mbo_enabled && (bss->wpa & 2) &&
 964             bss->ieee80211w == NO_MGMT_FRAME_PROTECTION) {
 965                 wpa_printf(MSG_ERROR,
 966                            "MBO: PMF needs to be enabled whenever using WPA2 with MBO");
 967                 return -1;
 968         }
 969 #endif /* CONFIG_MBO */
 970
 971         return 0;
 972 }
 973
 974
 975 static int hostapd_config_check_cw(struct hostapd_config *conf, int queue)
 976 {
 977         int tx_cwmin = conf->tx_queue[queue].cwmin;
 978         int tx_cwmax = conf->tx_queue[queue].cwmax;
 979         int ac_cwmin = conf->wmm_ac_params[queue].cwmin;
 980         int ac_cwmax = conf->wmm_ac_params[queue].cwmax;
 981
 982         if (tx_cwmin > tx_cwmax) {
 983                 wpa_printf(MSG_ERROR,
 984                            "Invalid TX queue cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)",
 985                            tx_cwmin, tx_cwmax);
 986                 return -1;
 987         }
 988         if (ac_cwmin > ac_cwmax) {
 989                 wpa_printf(MSG_ERROR,
 990                            "Invalid WMM AC cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)",
 991                            ac_cwmin, ac_cwmax);
 992                 return -1;
 993         }
 994         return 0;
 995 }
 996
 997
 998 int hostapd_config_check(struct hostapd_config *conf, int full_config)
 999 {
1000         size_t i;
1001
1002         if (full_config && conf->ieee80211d &&
1003             (!conf->country[0] || !conf->country[1])) {
1004                 wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11d without "
1005                            "setting the country_code");
1006                 return -1;
1007         }
1008
1009         if (full_config && conf->ieee80211h && !conf->ieee80211d) {
1010                 wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11h without "
1011                            "IEEE 802.11d enabled");
1012                 return -1;
1013         }
1014
1015         if (full_config && conf->local_pwr_constraint != -1 &&
1016             !conf->ieee80211d) {
1017                 wpa_printf(MSG_ERROR, "Cannot add Power Constraint element without Country element");
1018                 return -1;
1019         }
1020
1021         if (full_config && conf->spectrum_mgmt_required &&
1022             conf->local_pwr_constraint == -1) {
1023                 wpa_printf(MSG_ERROR, "Cannot set Spectrum Management bit without Country and Power Constraint elements");
1024                 return -1;
1025         }
1026
1027         for (i = 0; i < NUM_TX_QUEUES; i++) {
1028                 if (hostapd_config_check_cw(conf, i))
1029                         return -1;
1030         }
1031
1032         for (i = 0; i < conf->num_bss; i++) {
1033                 if (hostapd_config_check_bss(conf->bss[i], conf, full_config))
1034                         return -1;
1035         }
1036
1037         return 0;
1038 }
1039
1040
1041 void hostapd_set_security_params(struct hostapd_bss_config *bss,
1042                                  int full_config)
1043 {
1044         if (bss->individual_wep_key_len == 0) {
1045                 /* individual keys are not use; can use key idx0 for
1046                  * broadcast keys */
1047                 bss->broadcast_key_idx_min = 0;
1048         }
1049
1050         if ((bss->wpa & 2) && bss->rsn_pairwise == 0)
1051                 bss->rsn_pairwise = bss->wpa_pairwise;
1052         if (bss->group_cipher)
1053                 bss->wpa_group = bss->group_cipher;
1054         else
1055                 bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa,
1056                                                             bss->wpa_pairwise,
1057                                                             bss->rsn_pairwise);
1058         if (!bss->wpa_group_rekey_set)
1059                 bss->wpa_group_rekey = bss->wpa_group == WPA_CIPHER_TKIP ?
1060                         600 : 86400;
1061
1062         if (full_config) {
1063                 bss->radius->auth_server = bss->radius->auth_servers;
1064                 bss->radius->acct_server = bss->radius->acct_servers;
1065         }
1066
1067         if (bss->wpa && bss->ieee802_1x) {
1068                 bss->ssid.security_policy = SECURITY_WPA;
1069         } else if (bss->wpa) {
1070                 bss->ssid.security_policy = SECURITY_WPA_PSK;
1071         } else if (bss->ieee802_1x) {
1072                 int cipher = WPA_CIPHER_NONE;
1073                 bss->ssid.security_policy = SECURITY_IEEE_802_1X;
1074                 bss->ssid.wep.default_len = bss->default_wep_key_len;
1075                 if (full_config && bss->default_wep_key_len) {
1076                         cipher = bss->default_wep_key_len >= 13 ?
1077                                 WPA_CIPHER_WEP104 : WPA_CIPHER_WEP40;
1078                 } else if (full_config && bss->ssid.wep.keys_set) {
1079                         if (bss->ssid.wep.len[0] >= 13)
1080                                 cipher = WPA_CIPHER_WEP104;
1081                         else
1082                                 cipher = WPA_CIPHER_WEP40;
1083                 }
1084                 bss->wpa_group = cipher;
1085                 bss->wpa_pairwise = cipher;
1086                 bss->rsn_pairwise = cipher;
1087                 if (full_config)
1088                         bss->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_NO_WPA;
1089         } else if (bss->ssid.wep.keys_set) {
1090                 int cipher = WPA_CIPHER_WEP40;
1091                 if (bss->ssid.wep.len[0] >= 13)
1092                         cipher = WPA_CIPHER_WEP104;
1093                 bss->ssid.security_policy = SECURITY_STATIC_WEP;
1094                 bss->wpa_group = cipher;
1095                 bss->wpa_pairwise = cipher;
1096                 bss->rsn_pairwise = cipher;
1097                 if (full_config)
1098                         bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE;
1099         } else if (bss->osen) {
1100                 bss->ssid.security_policy = SECURITY_OSEN;
1101                 bss->wpa_group = WPA_CIPHER_CCMP;
1102                 bss->wpa_pairwise = 0;
1103                 bss->rsn_pairwise = WPA_CIPHER_CCMP;
1104         } else {
1105                 bss->ssid.security_policy = SECURITY_PLAINTEXT;
1106                 if (full_config) {
1107                         bss->wpa_group = WPA_CIPHER_NONE;
1108                         bss->wpa_pairwise = WPA_CIPHER_NONE;
1109                         bss->rsn_pairwise = WPA_CIPHER_NONE;
1110                         bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE;
1111                 }
1112         }
1113 }