]> git.ipfire.org Git - thirdparty/hostap.git/blob - src/ap/ap_config.c
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
VLAN assignment based on used WPA/WPA2 passphrase/PSK
[thirdparty/hostap.git] / src / ap / ap_config.c
1 /*
2 * hostapd / Configuration helper functions
3 * Copyright (c) 2003-2014, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "utils/includes.h"
10
11 #include "utils/common.h"
12 #include "crypto/sha1.h"
13 #include "crypto/tls.h"
14 #include "radius/radius_client.h"
15 #include "common/ieee802_11_defs.h"
16 #include "common/eapol_common.h"
17 #include "common/dhcp.h"
18 #include "eap_common/eap_wsc_common.h"
19 #include "eap_server/eap.h"
20 #include "wpa_auth.h"
21 #include "sta_info.h"
22 #include "ap_config.h"
23
24
25 static void hostapd_config_free_vlan(struct hostapd_bss_config *bss)
26 {
27 struct hostapd_vlan *vlan, *prev;
28
29 vlan = bss->vlan;
30 prev = NULL;
31 while (vlan) {
32 prev = vlan;
33 vlan = vlan->next;
34 os_free(prev);
35 }
36
37 bss->vlan = NULL;
38 }
39
40
41 #ifndef DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES
42 #define DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES 0
43 #endif /* DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES */
44
45 void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
46 {
47 dl_list_init(&bss->anqp_elem);
48
49 bss->logger_syslog_level = HOSTAPD_LEVEL_INFO;
50 bss->logger_stdout_level = HOSTAPD_LEVEL_INFO;
51 bss->logger_syslog = (unsigned int) -1;
52 bss->logger_stdout = (unsigned int) -1;
53
54 bss->auth_algs = WPA_AUTH_ALG_OPEN | WPA_AUTH_ALG_SHARED;
55
56 bss->wep_rekeying_period = 300;
57 /* use key0 in individual key and key1 in broadcast key */
58 bss->broadcast_key_idx_min = 1;
59 bss->broadcast_key_idx_max = 2;
60 bss->eap_reauth_period = 3600;
61
62 bss->wpa_group_rekey = 600;
63 bss->wpa_gmk_rekey = 86400;
64 bss->wpa_group_update_count = 4;
65 bss->wpa_pairwise_update_count = 4;
66 bss->wpa_disable_eapol_key_retries =
67 DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES;
68 bss->wpa_key_mgmt = WPA_KEY_MGMT_PSK;
69 bss->wpa_pairwise = WPA_CIPHER_TKIP;
70 bss->wpa_group = WPA_CIPHER_TKIP;
71 bss->rsn_pairwise = 0;
72
73 bss->max_num_sta = MAX_STA_COUNT;
74
75 bss->dtim_period = 2;
76
77 bss->radius_server_auth_port = 1812;
78 bss->eap_sim_db_timeout = 1;
79 bss->ap_max_inactivity = AP_MAX_INACTIVITY;
80 bss->eapol_version = EAPOL_VERSION;
81
82 bss->max_listen_interval = 65535;
83
84 bss->pwd_group = 19; /* ECC: GF(p=256) */
85
86 #ifdef CONFIG_IEEE80211W
87 bss->assoc_sa_query_max_timeout = 1000;
88 bss->assoc_sa_query_retry_timeout = 201;
89 bss->group_mgmt_cipher = WPA_CIPHER_AES_128_CMAC;
90 #endif /* CONFIG_IEEE80211W */
91 #ifdef EAP_SERVER_FAST
92 /* both anonymous and authenticated provisioning */
93 bss->eap_fast_prov = 3;
94 bss->pac_key_lifetime = 7 * 24 * 60 * 60;
95 bss->pac_key_refresh_time = 1 * 24 * 60 * 60;
96 #endif /* EAP_SERVER_FAST */
97
98 /* Set to -1 as defaults depends on HT in setup */
99 bss->wmm_enabled = -1;
100
101 #ifdef CONFIG_IEEE80211R_AP
102 bss->ft_over_ds = 1;
103 bss->rkh_pos_timeout = 86400;
104 bss->rkh_neg_timeout = 60;
105 bss->rkh_pull_timeout = 1000;
106 bss->rkh_pull_retries = 4;
107 bss->r0_key_lifetime = 1209600;
108 #endif /* CONFIG_IEEE80211R_AP */
109
110 bss->radius_das_time_window = 300;
111
112 bss->sae_anti_clogging_threshold = 5;
113 bss->sae_sync = 5;
114
115 bss->gas_frag_limit = 1400;
116
117 #ifdef CONFIG_FILS
118 dl_list_init(&bss->fils_realms);
119 bss->fils_hlp_wait_time = 30;
120 bss->dhcp_server_port = DHCP_SERVER_PORT;
121 bss->dhcp_relay_port = DHCP_SERVER_PORT;
122 #endif /* CONFIG_FILS */
123
124 bss->broadcast_deauth = 1;
125
126 #ifdef CONFIG_MBO
127 bss->mbo_cell_data_conn_pref = -1;
128 #endif /* CONFIG_MBO */
129
130 /* Disable TLS v1.3 by default for now to avoid interoperability issue.
131 * This can be enabled by default once the implementation has been fully
132 * completed and tested with other implementations. */
133 bss->tls_flags = TLS_CONN_DISABLE_TLSv1_3;
134
135 bss->send_probe_response = 1;
136
137 #ifdef CONFIG_HS20
138 bss->hs20_release = (HS20_VERSION >> 4) + 1;
139 #endif /* CONFIG_HS20 */
140
141 /* Default to strict CRL checking. */
142 bss->check_crl_strict = 1;
143 }
144
145
146 struct hostapd_config * hostapd_config_defaults(void)
147 {
148 #define ecw2cw(ecw) ((1 << (ecw)) - 1)
149
150 struct hostapd_config *conf;
151 struct hostapd_bss_config *bss;
152 const int aCWmin = 4, aCWmax = 10;
153 const struct hostapd_wmm_ac_params ac_bk =
154 { aCWmin, aCWmax, 7, 0, 0 }; /* background traffic */
155 const struct hostapd_wmm_ac_params ac_be =
156 { aCWmin, aCWmax, 3, 0, 0 }; /* best effort traffic */
157 const struct hostapd_wmm_ac_params ac_vi = /* video traffic */
158 { aCWmin - 1, aCWmin, 2, 3008 / 32, 0 };
159 const struct hostapd_wmm_ac_params ac_vo = /* voice traffic */
160 { aCWmin - 2, aCWmin - 1, 2, 1504 / 32, 0 };
161 const struct hostapd_tx_queue_params txq_bk =
162 { 7, ecw2cw(aCWmin), ecw2cw(aCWmax), 0 };
163 const struct hostapd_tx_queue_params txq_be =
164 { 3, ecw2cw(aCWmin), 4 * (ecw2cw(aCWmin) + 1) - 1, 0};
165 const struct hostapd_tx_queue_params txq_vi =
166 { 1, (ecw2cw(aCWmin) + 1) / 2 - 1, ecw2cw(aCWmin), 30};
167 const struct hostapd_tx_queue_params txq_vo =
168 { 1, (ecw2cw(aCWmin) + 1) / 4 - 1,
169 (ecw2cw(aCWmin) + 1) / 2 - 1, 15};
170
171 #undef ecw2cw
172
173 conf = os_zalloc(sizeof(*conf));
174 bss = os_zalloc(sizeof(*bss));
175 if (conf == NULL || bss == NULL) {
176 wpa_printf(MSG_ERROR, "Failed to allocate memory for "
177 "configuration data.");
178 os_free(conf);
179 os_free(bss);
180 return NULL;
181 }
182 conf->bss = os_calloc(1, sizeof(struct hostapd_bss_config *));
183 if (conf->bss == NULL) {
184 os_free(conf);
185 os_free(bss);
186 return NULL;
187 }
188 conf->bss[0] = bss;
189
190 bss->radius = os_zalloc(sizeof(*bss->radius));
191 if (bss->radius == NULL) {
192 os_free(conf->bss);
193 os_free(conf);
194 os_free(bss);
195 return NULL;
196 }
197
198 hostapd_config_defaults_bss(bss);
199
200 conf->num_bss = 1;
201
202 conf->beacon_int = 100;
203 conf->rts_threshold = -1; /* use driver default: 2347 */
204 conf->fragm_threshold = -1; /* user driver default: 2346 */
205 /* Set to invalid value means do not add Power Constraint IE */
206 conf->local_pwr_constraint = -1;
207
208 conf->wmm_ac_params[0] = ac_be;
209 conf->wmm_ac_params[1] = ac_bk;
210 conf->wmm_ac_params[2] = ac_vi;
211 conf->wmm_ac_params[3] = ac_vo;
212
213 conf->tx_queue[0] = txq_vo;
214 conf->tx_queue[1] = txq_vi;
215 conf->tx_queue[2] = txq_be;
216 conf->tx_queue[3] = txq_bk;
217
218 conf->ht_capab = HT_CAP_INFO_SMPS_DISABLED;
219
220 conf->ap_table_max_size = 255;
221 conf->ap_table_expiration_time = 60;
222 conf->track_sta_max_age = 180;
223
224 #ifdef CONFIG_TESTING_OPTIONS
225 conf->ignore_probe_probability = 0.0;
226 conf->ignore_auth_probability = 0.0;
227 conf->ignore_assoc_probability = 0.0;
228 conf->ignore_reassoc_probability = 0.0;
229 conf->corrupt_gtk_rekey_mic_probability = 0.0;
230 conf->ecsa_ie_only = 0;
231 #endif /* CONFIG_TESTING_OPTIONS */
232
233 conf->acs = 0;
234 conf->acs_ch_list.num = 0;
235 #ifdef CONFIG_ACS
236 conf->acs_num_scans = 5;
237 #endif /* CONFIG_ACS */
238
239 /* The third octet of the country string uses an ASCII space character
240 * by default to indicate that the regulations encompass all
241 * environments for the current frequency band in the country. */
242 conf->country[2] = ' ';
243
244 conf->rssi_reject_assoc_rssi = 0;
245 conf->rssi_reject_assoc_timeout = 30;
246
247 return conf;
248 }
249
250
251 int hostapd_mac_comp(const void *a, const void *b)
252 {
253 return os_memcmp(a, b, sizeof(macaddr));
254 }
255
256
257 static int hostapd_config_read_wpa_psk(const char *fname,
258 struct hostapd_ssid *ssid)
259 {
260 FILE *f;
261 char buf[128], *pos;
262 const char *keyid;
263 char *context;
264 char *context2;
265 char *token;
266 char *name;
267 char *value;
268 int line = 0, ret = 0, len, ok;
269 u8 addr[ETH_ALEN];
270 struct hostapd_wpa_psk *psk;
271
272 if (!fname)
273 return 0;
274
275 f = fopen(fname, "r");
276 if (!f) {
277 wpa_printf(MSG_ERROR, "WPA PSK file '%s' not found.", fname);
278 return -1;
279 }
280
281 while (fgets(buf, sizeof(buf), f)) {
282 int vlan_id = 0;
283
284 line++;
285
286 if (buf[0] == '#')
287 continue;
288 pos = buf;
289 while (*pos != '\0') {
290 if (*pos == '\n') {
291 *pos = '\0';
292 break;
293 }
294 pos++;
295 }
296 if (buf[0] == '\0')
297 continue;
298
299 context = NULL;
300 keyid = NULL;
301 while ((token = str_token(buf, " ", &context))) {
302 if (!os_strchr(token, '='))
303 break;
304 context2 = NULL;
305 name = str_token(token, "=", &context2);
306 value = str_token(token, "", &context2);
307 if (!value)
308 value = "";
309 if (!os_strcmp(name, "keyid")) {
310 keyid = value;
311 } else if (!os_strcmp(name, "vlanid")) {
312 vlan_id = atoi(value);
313 } else {
314 wpa_printf(MSG_ERROR,
315 "Unrecognized '%s=%s' on line %d in '%s'",
316 name, value, line, fname);
317 ret = -1;
318 break;
319 }
320 }
321
322 if (ret == -1)
323 break;
324
325 if (!token)
326 token = "";
327 if (hwaddr_aton(token, addr)) {
328 wpa_printf(MSG_ERROR, "Invalid MAC address '%s' on "
329 "line %d in '%s'", token, line, fname);
330 ret = -1;
331 break;
332 }
333
334 psk = os_zalloc(sizeof(*psk));
335 if (psk == NULL) {
336 wpa_printf(MSG_ERROR, "WPA PSK allocation failed");
337 ret = -1;
338 break;
339 }
340 psk->vlan_id = vlan_id;
341 if (is_zero_ether_addr(addr))
342 psk->group = 1;
343 else
344 os_memcpy(psk->addr, addr, ETH_ALEN);
345
346 pos = str_token(buf, "", &context);
347 if (!pos) {
348 wpa_printf(MSG_ERROR, "No PSK on line %d in '%s'",
349 line, fname);
350 os_free(psk);
351 ret = -1;
352 break;
353 }
354
355 ok = 0;
356 len = os_strlen(pos);
357 if (len == 64 && hexstr2bin(pos, psk->psk, PMK_LEN) == 0)
358 ok = 1;
359 else if (len >= 8 && len < 64) {
360 pbkdf2_sha1(pos, ssid->ssid, ssid->ssid_len,
361 4096, psk->psk, PMK_LEN);
362 ok = 1;
363 }
364 if (!ok) {
365 wpa_printf(MSG_ERROR, "Invalid PSK '%s' on line %d in "
366 "'%s'", pos, line, fname);
367 os_free(psk);
368 ret = -1;
369 break;
370 }
371
372 if (keyid) {
373 len = os_strlcpy(psk->keyid, keyid, sizeof(psk->keyid));
374 if ((size_t) len >= sizeof(psk->keyid)) {
375 wpa_printf(MSG_ERROR,
376 "PSK keyid too long on line %d in '%s'",
377 line, fname);
378 os_free(psk);
379 ret = -1;
380 break;
381 }
382 }
383
384 psk->next = ssid->wpa_psk;
385 ssid->wpa_psk = psk;
386 }
387
388 fclose(f);
389
390 return ret;
391 }
392
393
394 static int hostapd_derive_psk(struct hostapd_ssid *ssid)
395 {
396 ssid->wpa_psk = os_zalloc(sizeof(struct hostapd_wpa_psk));
397 if (ssid->wpa_psk == NULL) {
398 wpa_printf(MSG_ERROR, "Unable to alloc space for PSK");
399 return -1;
400 }
401 wpa_hexdump_ascii(MSG_DEBUG, "SSID",
402 (u8 *) ssid->ssid, ssid->ssid_len);
403 wpa_hexdump_ascii_key(MSG_DEBUG, "PSK (ASCII passphrase)",
404 (u8 *) ssid->wpa_passphrase,
405 os_strlen(ssid->wpa_passphrase));
406 pbkdf2_sha1(ssid->wpa_passphrase,
407 ssid->ssid, ssid->ssid_len,
408 4096, ssid->wpa_psk->psk, PMK_LEN);
409 wpa_hexdump_key(MSG_DEBUG, "PSK (from passphrase)",
410 ssid->wpa_psk->psk, PMK_LEN);
411 return 0;
412 }
413
414
415 int hostapd_setup_wpa_psk(struct hostapd_bss_config *conf)
416 {
417 struct hostapd_ssid *ssid = &conf->ssid;
418
419 if (ssid->wpa_passphrase != NULL) {
420 if (ssid->wpa_psk != NULL) {
421 wpa_printf(MSG_DEBUG, "Using pre-configured WPA PSK "
422 "instead of passphrase");
423 } else {
424 wpa_printf(MSG_DEBUG, "Deriving WPA PSK based on "
425 "passphrase");
426 if (hostapd_derive_psk(ssid) < 0)
427 return -1;
428 }
429 ssid->wpa_psk->group = 1;
430 }
431
432 return hostapd_config_read_wpa_psk(ssid->wpa_psk_file, &conf->ssid);
433 }
434
435
436 static void hostapd_config_free_radius(struct hostapd_radius_server *servers,
437 int num_servers)
438 {
439 int i;
440
441 for (i = 0; i < num_servers; i++) {
442 os_free(servers[i].shared_secret);
443 }
444 os_free(servers);
445 }
446
447
448 struct hostapd_radius_attr *
449 hostapd_config_get_radius_attr(struct hostapd_radius_attr *attr, u8 type)
450 {
451 for (; attr; attr = attr->next) {
452 if (attr->type == type)
453 return attr;
454 }
455 return NULL;
456 }
457
458
459 static void hostapd_config_free_radius_attr(struct hostapd_radius_attr *attr)
460 {
461 struct hostapd_radius_attr *prev;
462
463 while (attr) {
464 prev = attr;
465 attr = attr->next;
466 wpabuf_free(prev->val);
467 os_free(prev);
468 }
469 }
470
471
472 void hostapd_config_free_eap_user(struct hostapd_eap_user *user)
473 {
474 hostapd_config_free_radius_attr(user->accept_attr);
475 os_free(user->identity);
476 bin_clear_free(user->password, user->password_len);
477 bin_clear_free(user->salt, user->salt_len);
478 os_free(user);
479 }
480
481
482 void hostapd_config_free_eap_users(struct hostapd_eap_user *user)
483 {
484 struct hostapd_eap_user *prev_user;
485
486 while (user) {
487 prev_user = user;
488 user = user->next;
489 hostapd_config_free_eap_user(prev_user);
490 }
491 }
492
493
494 static void hostapd_config_free_wep(struct hostapd_wep_keys *keys)
495 {
496 int i;
497 for (i = 0; i < NUM_WEP_KEYS; i++) {
498 bin_clear_free(keys->key[i], keys->len[i]);
499 keys->key[i] = NULL;
500 }
501 }
502
503
504 void hostapd_config_clear_wpa_psk(struct hostapd_wpa_psk **l)
505 {
506 struct hostapd_wpa_psk *psk, *tmp;
507
508 for (psk = *l; psk;) {
509 tmp = psk;
510 psk = psk->next;
511 bin_clear_free(tmp, sizeof(*tmp));
512 }
513 *l = NULL;
514 }
515
516
517 static void hostapd_config_free_anqp_elem(struct hostapd_bss_config *conf)
518 {
519 struct anqp_element *elem;
520
521 while ((elem = dl_list_first(&conf->anqp_elem, struct anqp_element,
522 list))) {
523 dl_list_del(&elem->list);
524 wpabuf_free(elem->payload);
525 os_free(elem);
526 }
527 }
528
529
530 static void hostapd_config_free_fils_realms(struct hostapd_bss_config *conf)
531 {
532 #ifdef CONFIG_FILS
533 struct fils_realm *realm;
534
535 while ((realm = dl_list_first(&conf->fils_realms, struct fils_realm,
536 list))) {
537 dl_list_del(&realm->list);
538 os_free(realm);
539 }
540 #endif /* CONFIG_FILS */
541 }
542
543
544 static void hostapd_config_free_sae_passwords(struct hostapd_bss_config *conf)
545 {
546 struct sae_password_entry *pw, *tmp;
547
548 pw = conf->sae_passwords;
549 conf->sae_passwords = NULL;
550 while (pw) {
551 tmp = pw;
552 pw = pw->next;
553 str_clear_free(tmp->password);
554 os_free(tmp->identifier);
555 os_free(tmp);
556 }
557 }
558
559
560 void hostapd_config_free_bss(struct hostapd_bss_config *conf)
561 {
562 if (conf == NULL)
563 return;
564
565 hostapd_config_clear_wpa_psk(&conf->ssid.wpa_psk);
566
567 str_clear_free(conf->ssid.wpa_passphrase);
568 os_free(conf->ssid.wpa_psk_file);
569 hostapd_config_free_wep(&conf->ssid.wep);
570 #ifdef CONFIG_FULL_DYNAMIC_VLAN
571 os_free(conf->ssid.vlan_tagged_interface);
572 #endif /* CONFIG_FULL_DYNAMIC_VLAN */
573
574 hostapd_config_free_eap_users(conf->eap_user);
575 os_free(conf->eap_user_sqlite);
576
577 os_free(conf->eap_req_id_text);
578 os_free(conf->erp_domain);
579 os_free(conf->accept_mac);
580 os_free(conf->deny_mac);
581 os_free(conf->nas_identifier);
582 if (conf->radius) {
583 hostapd_config_free_radius(conf->radius->auth_servers,
584 conf->radius->num_auth_servers);
585 hostapd_config_free_radius(conf->radius->acct_servers,
586 conf->radius->num_acct_servers);
587 }
588 hostapd_config_free_radius_attr(conf->radius_auth_req_attr);
589 hostapd_config_free_radius_attr(conf->radius_acct_req_attr);
590 os_free(conf->rsn_preauth_interfaces);
591 os_free(conf->ctrl_interface);
592 os_free(conf->ca_cert);
593 os_free(conf->server_cert);
594 os_free(conf->private_key);
595 os_free(conf->private_key_passwd);
596 os_free(conf->ocsp_stapling_response);
597 os_free(conf->ocsp_stapling_response_multi);
598 os_free(conf->dh_file);
599 os_free(conf->openssl_ciphers);
600 os_free(conf->openssl_ecdh_curves);
601 os_free(conf->pac_opaque_encr_key);
602 os_free(conf->eap_fast_a_id);
603 os_free(conf->eap_fast_a_id_info);
604 os_free(conf->eap_sim_db);
605 os_free(conf->radius_server_clients);
606 os_free(conf->radius);
607 os_free(conf->radius_das_shared_secret);
608 hostapd_config_free_vlan(conf);
609 os_free(conf->time_zone);
610
611 #ifdef CONFIG_IEEE80211R_AP
612 {
613 struct ft_remote_r0kh *r0kh, *r0kh_prev;
614 struct ft_remote_r1kh *r1kh, *r1kh_prev;
615
616 r0kh = conf->r0kh_list;
617 conf->r0kh_list = NULL;
618 while (r0kh) {
619 r0kh_prev = r0kh;
620 r0kh = r0kh->next;
621 os_free(r0kh_prev);
622 }
623
624 r1kh = conf->r1kh_list;
625 conf->r1kh_list = NULL;
626 while (r1kh) {
627 r1kh_prev = r1kh;
628 r1kh = r1kh->next;
629 os_free(r1kh_prev);
630 }
631 }
632 #endif /* CONFIG_IEEE80211R_AP */
633
634 #ifdef CONFIG_WPS
635 os_free(conf->wps_pin_requests);
636 os_free(conf->device_name);
637 os_free(conf->manufacturer);
638 os_free(conf->model_name);
639 os_free(conf->model_number);
640 os_free(conf->serial_number);
641 os_free(conf->config_methods);
642 os_free(conf->ap_pin);
643 os_free(conf->extra_cred);
644 os_free(conf->ap_settings);
645 os_free(conf->upnp_iface);
646 os_free(conf->friendly_name);
647 os_free(conf->manufacturer_url);
648 os_free(conf->model_description);
649 os_free(conf->model_url);
650 os_free(conf->upc);
651 {
652 unsigned int i;
653
654 for (i = 0; i < MAX_WPS_VENDOR_EXTENSIONS; i++)
655 wpabuf_free(conf->wps_vendor_ext[i]);
656 }
657 wpabuf_free(conf->wps_nfc_dh_pubkey);
658 wpabuf_free(conf->wps_nfc_dh_privkey);
659 wpabuf_free(conf->wps_nfc_dev_pw);
660 #endif /* CONFIG_WPS */
661
662 os_free(conf->roaming_consortium);
663 os_free(conf->venue_name);
664 os_free(conf->venue_url);
665 os_free(conf->nai_realm_data);
666 os_free(conf->network_auth_type);
667 os_free(conf->anqp_3gpp_cell_net);
668 os_free(conf->domain_name);
669 hostapd_config_free_anqp_elem(conf);
670
671 #ifdef CONFIG_RADIUS_TEST
672 os_free(conf->dump_msk_file);
673 #endif /* CONFIG_RADIUS_TEST */
674
675 #ifdef CONFIG_HS20
676 os_free(conf->hs20_oper_friendly_name);
677 os_free(conf->hs20_wan_metrics);
678 os_free(conf->hs20_connection_capability);
679 os_free(conf->hs20_operating_class);
680 os_free(conf->hs20_icons);
681 if (conf->hs20_osu_providers) {
682 size_t i;
683 for (i = 0; i < conf->hs20_osu_providers_count; i++) {
684 struct hs20_osu_provider *p;
685 size_t j;
686 p = &conf->hs20_osu_providers[i];
687 os_free(p->friendly_name);
688 os_free(p->server_uri);
689 os_free(p->method_list);
690 for (j = 0; j < p->icons_count; j++)
691 os_free(p->icons[j]);
692 os_free(p->icons);
693 os_free(p->osu_nai);
694 os_free(p->osu_nai2);
695 os_free(p->service_desc);
696 }
697 os_free(conf->hs20_osu_providers);
698 }
699 if (conf->hs20_operator_icon) {
700 size_t i;
701
702 for (i = 0; i < conf->hs20_operator_icon_count; i++)
703 os_free(conf->hs20_operator_icon[i]);
704 os_free(conf->hs20_operator_icon);
705 }
706 os_free(conf->subscr_remediation_url);
707 os_free(conf->hs20_sim_provisioning_url);
708 os_free(conf->t_c_filename);
709 os_free(conf->t_c_server_url);
710 #endif /* CONFIG_HS20 */
711
712 wpabuf_free(conf->vendor_elements);
713 wpabuf_free(conf->assocresp_elements);
714
715 os_free(conf->sae_groups);
716 #ifdef CONFIG_OWE
717 os_free(conf->owe_groups);
718 #endif /* CONFIG_OWE */
719
720 os_free(conf->wowlan_triggers);
721
722 os_free(conf->server_id);
723
724 #ifdef CONFIG_TESTING_OPTIONS
725 wpabuf_free(conf->own_ie_override);
726 wpabuf_free(conf->sae_commit_override);
727 #endif /* CONFIG_TESTING_OPTIONS */
728
729 os_free(conf->no_probe_resp_if_seen_on);
730 os_free(conf->no_auth_if_seen_on);
731
732 hostapd_config_free_fils_realms(conf);
733
734 #ifdef CONFIG_DPP
735 os_free(conf->dpp_connector);
736 wpabuf_free(conf->dpp_netaccesskey);
737 wpabuf_free(conf->dpp_csign);
738 #endif /* CONFIG_DPP */
739
740 hostapd_config_free_sae_passwords(conf);
741
742 os_free(conf);
743 }
744
745
746 /**
747 * hostapd_config_free - Free hostapd configuration
748 * @conf: Configuration data from hostapd_config_read().
749 */
750 void hostapd_config_free(struct hostapd_config *conf)
751 {
752 size_t i;
753
754 if (conf == NULL)
755 return;
756
757 for (i = 0; i < conf->num_bss; i++)
758 hostapd_config_free_bss(conf->bss[i]);
759 os_free(conf->bss);
760 os_free(conf->supported_rates);
761 os_free(conf->basic_rates);
762 os_free(conf->acs_ch_list.range);
763 os_free(conf->driver_params);
764 #ifdef CONFIG_ACS
765 os_free(conf->acs_chan_bias);
766 #endif /* CONFIG_ACS */
767 wpabuf_free(conf->lci);
768 wpabuf_free(conf->civic);
769
770 os_free(conf);
771 }
772
773
774 /**
775 * hostapd_maclist_found - Find a MAC address from a list
776 * @list: MAC address list
777 * @num_entries: Number of addresses in the list
778 * @addr: Address to search for
779 * @vlan_id: Buffer for returning VLAN ID or %NULL if not needed
780 * Returns: 1 if address is in the list or 0 if not.
781 *
782 * Perform a binary search for given MAC address from a pre-sorted list.
783 */
784 int hostapd_maclist_found(struct mac_acl_entry *list, int num_entries,
785 const u8 *addr, struct vlan_description *vlan_id)
786 {
787 int start, end, middle, res;
788
789 start = 0;
790 end = num_entries - 1;
791
792 while (start <= end) {
793 middle = (start + end) / 2;
794 res = os_memcmp(list[middle].addr, addr, ETH_ALEN);
795 if (res == 0) {
796 if (vlan_id)
797 *vlan_id = list[middle].vlan_id;
798 return 1;
799 }
800 if (res < 0)
801 start = middle + 1;
802 else
803 end = middle - 1;
804 }
805
806 return 0;
807 }
808
809
810 int hostapd_rate_found(int *list, int rate)
811 {
812 int i;
813
814 if (list == NULL)
815 return 0;
816
817 for (i = 0; list[i] >= 0; i++)
818 if (list[i] == rate)
819 return 1;
820
821 return 0;
822 }
823
824
825 int hostapd_vlan_valid(struct hostapd_vlan *vlan,
826 struct vlan_description *vlan_desc)
827 {
828 struct hostapd_vlan *v = vlan;
829 int i;
830
831 if (!vlan_desc->notempty || vlan_desc->untagged < 0 ||
832 vlan_desc->untagged > MAX_VLAN_ID)
833 return 0;
834 for (i = 0; i < MAX_NUM_TAGGED_VLAN; i++) {
835 if (vlan_desc->tagged[i] < 0 ||
836 vlan_desc->tagged[i] > MAX_VLAN_ID)
837 return 0;
838 }
839 if (!vlan_desc->untagged && !vlan_desc->tagged[0])
840 return 0;
841
842 while (v) {
843 if (!vlan_compare(&v->vlan_desc, vlan_desc) ||
844 v->vlan_id == VLAN_ID_WILDCARD)
845 return 1;
846 v = v->next;
847 }
848 return 0;
849 }
850
851
852 const char * hostapd_get_vlan_id_ifname(struct hostapd_vlan *vlan, int vlan_id)
853 {
854 struct hostapd_vlan *v = vlan;
855 while (v) {
856 if (v->vlan_id == vlan_id)
857 return v->ifname;
858 v = v->next;
859 }
860 return NULL;
861 }
862
863
864 const u8 * hostapd_get_psk(const struct hostapd_bss_config *conf,
865 const u8 *addr, const u8 *p2p_dev_addr,
866 const u8 *prev_psk, int *vlan_id)
867 {
868 struct hostapd_wpa_psk *psk;
869 int next_ok = prev_psk == NULL;
870
871 if (vlan_id)
872 *vlan_id = 0;
873
874 if (p2p_dev_addr && !is_zero_ether_addr(p2p_dev_addr)) {
875 wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR
876 " p2p_dev_addr=" MACSTR " prev_psk=%p",
877 MAC2STR(addr), MAC2STR(p2p_dev_addr), prev_psk);
878 addr = NULL; /* Use P2P Device Address for matching */
879 } else {
880 wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR
881 " prev_psk=%p",
882 MAC2STR(addr), prev_psk);
883 }
884
885 for (psk = conf->ssid.wpa_psk; psk != NULL; psk = psk->next) {
886 if (next_ok &&
887 (psk->group ||
888 (addr && os_memcmp(psk->addr, addr, ETH_ALEN) == 0) ||
889 (!addr && p2p_dev_addr &&
890 os_memcmp(psk->p2p_dev_addr, p2p_dev_addr, ETH_ALEN) ==
891 0))) {
892 if (vlan_id)
893 *vlan_id = psk->vlan_id;
894 return psk->psk;
895 }
896
897 if (psk->psk == prev_psk)
898 next_ok = 1;
899 }
900
901 return NULL;
902 }
903
904
905 static int hostapd_config_check_bss(struct hostapd_bss_config *bss,
906 struct hostapd_config *conf,
907 int full_config)
908 {
909 if (full_config && bss->ieee802_1x && !bss->eap_server &&
910 !bss->radius->auth_servers) {
911 wpa_printf(MSG_ERROR, "Invalid IEEE 802.1X configuration (no "
912 "EAP authenticator configured).");
913 return -1;
914 }
915
916 if (bss->wpa) {
917 int wep, i;
918
919 wep = bss->default_wep_key_len > 0 ||
920 bss->individual_wep_key_len > 0;
921 for (i = 0; i < NUM_WEP_KEYS; i++) {
922 if (bss->ssid.wep.keys_set) {
923 wep = 1;
924 break;
925 }
926 }
927
928 if (wep) {
929 wpa_printf(MSG_ERROR, "WEP configuration in a WPA network is not supported");
930 return -1;
931 }
932 }
933
934 if (full_config && bss->wpa &&
935 bss->wpa_psk_radius != PSK_RADIUS_IGNORED &&
936 bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH) {
937 wpa_printf(MSG_ERROR, "WPA-PSK using RADIUS enabled, but no "
938 "RADIUS checking (macaddr_acl=2) enabled.");
939 return -1;
940 }
941
942 if (full_config && bss->wpa && (bss->wpa_key_mgmt & WPA_KEY_MGMT_PSK) &&
943 bss->ssid.wpa_psk == NULL && bss->ssid.wpa_passphrase == NULL &&
944 bss->ssid.wpa_psk_file == NULL &&
945 (bss->wpa_psk_radius != PSK_RADIUS_REQUIRED ||
946 bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH)) {
947 wpa_printf(MSG_ERROR, "WPA-PSK enabled, but PSK or passphrase "
948 "is not configured.");
949 return -1;
950 }
951
952 if (full_config && !is_zero_ether_addr(bss->bssid)) {
953 size_t i;
954
955 for (i = 0; i < conf->num_bss; i++) {
956 if (conf->bss[i] != bss &&
957 (hostapd_mac_comp(conf->bss[i]->bssid,
958 bss->bssid) == 0)) {
959 wpa_printf(MSG_ERROR, "Duplicate BSSID " MACSTR
960 " on interface '%s' and '%s'.",
961 MAC2STR(bss->bssid),
962 conf->bss[i]->iface, bss->iface);
963 return -1;
964 }
965 }
966 }
967
968 #ifdef CONFIG_IEEE80211R_AP
969 if (full_config && wpa_key_mgmt_ft(bss->wpa_key_mgmt) &&
970 (bss->nas_identifier == NULL ||
971 os_strlen(bss->nas_identifier) < 1 ||
972 os_strlen(bss->nas_identifier) > FT_R0KH_ID_MAX_LEN)) {
973 wpa_printf(MSG_ERROR, "FT (IEEE 802.11r) requires "
974 "nas_identifier to be configured as a 1..48 octet "
975 "string");
976 return -1;
977 }
978 #endif /* CONFIG_IEEE80211R_AP */
979
980 #ifdef CONFIG_IEEE80211N
981 if (full_config && conf->ieee80211n &&
982 conf->hw_mode == HOSTAPD_MODE_IEEE80211B) {
983 bss->disable_11n = 1;
984 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) in 11b mode is not "
985 "allowed, disabling HT capabilities");
986 }
987
988 if (full_config && conf->ieee80211n &&
989 bss->ssid.security_policy == SECURITY_STATIC_WEP) {
990 bss->disable_11n = 1;
991 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WEP is not "
992 "allowed, disabling HT capabilities");
993 }
994
995 if (full_config && conf->ieee80211n && bss->wpa &&
996 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
997 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
998 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
999 {
1000 bss->disable_11n = 1;
1001 wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WPA/WPA2 "
1002 "requires CCMP/GCMP to be enabled, disabling HT "
1003 "capabilities");
1004 }
1005 #endif /* CONFIG_IEEE80211N */
1006
1007 #ifdef CONFIG_IEEE80211AC
1008 if (full_config && conf->ieee80211ac &&
1009 bss->ssid.security_policy == SECURITY_STATIC_WEP) {
1010 bss->disable_11ac = 1;
1011 wpa_printf(MSG_ERROR,
1012 "VHT (IEEE 802.11ac) with WEP is not allowed, disabling VHT capabilities");
1013 }
1014
1015 if (full_config && conf->ieee80211ac && bss->wpa &&
1016 !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
1017 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1018 WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
1019 {
1020 bss->disable_11ac = 1;
1021 wpa_printf(MSG_ERROR,
1022 "VHT (IEEE 802.11ac) with WPA/WPA2 requires CCMP/GCMP to be enabled, disabling VHT capabilities");
1023 }
1024 #endif /* CONFIG_IEEE80211AC */
1025
1026 #ifdef CONFIG_WPS
1027 if (full_config && bss->wps_state && bss->ignore_broadcast_ssid) {
1028 wpa_printf(MSG_INFO, "WPS: ignore_broadcast_ssid "
1029 "configuration forced WPS to be disabled");
1030 bss->wps_state = 0;
1031 }
1032
1033 if (full_config && bss->wps_state &&
1034 bss->ssid.wep.keys_set && bss->wpa == 0) {
1035 wpa_printf(MSG_INFO, "WPS: WEP configuration forced WPS to be "
1036 "disabled");
1037 bss->wps_state = 0;
1038 }
1039
1040 if (full_config && bss->wps_state && bss->wpa &&
1041 (!(bss->wpa & 2) ||
1042 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1043 WPA_CIPHER_CCMP_256 |
1044 WPA_CIPHER_GCMP_256)))) {
1045 wpa_printf(MSG_INFO, "WPS: WPA/TKIP configuration without "
1046 "WPA2/CCMP/GCMP forced WPS to be disabled");
1047 bss->wps_state = 0;
1048 }
1049 #endif /* CONFIG_WPS */
1050
1051 #ifdef CONFIG_HS20
1052 if (full_config && bss->hs20 &&
1053 (!(bss->wpa & 2) ||
1054 !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
1055 WPA_CIPHER_CCMP_256 |
1056 WPA_CIPHER_GCMP_256)))) {
1057 wpa_printf(MSG_ERROR, "HS 2.0: WPA2-Enterprise/CCMP "
1058 "configuration is required for Hotspot 2.0 "
1059 "functionality");
1060 return -1;
1061 }
1062 #endif /* CONFIG_HS20 */
1063
1064 #ifdef CONFIG_MBO
1065 if (full_config && bss->mbo_enabled && (bss->wpa & 2) &&
1066 bss->ieee80211w == NO_MGMT_FRAME_PROTECTION) {
1067 wpa_printf(MSG_ERROR,
1068 "MBO: PMF needs to be enabled whenever using WPA2 with MBO");
1069 return -1;
1070 }
1071 #endif /* CONFIG_MBO */
1072
1073 #ifdef CONFIG_OCV
1074 if (full_config && bss->ieee80211w == NO_MGMT_FRAME_PROTECTION &&
1075 bss->ocv) {
1076 wpa_printf(MSG_ERROR,
1077 "OCV: PMF needs to be enabled whenever using OCV");
1078 return -1;
1079 }
1080 #endif /* CONFIG_OCV */
1081
1082 return 0;
1083 }
1084
1085
1086 static int hostapd_config_check_cw(struct hostapd_config *conf, int queue)
1087 {
1088 int tx_cwmin = conf->tx_queue[queue].cwmin;
1089 int tx_cwmax = conf->tx_queue[queue].cwmax;
1090 int ac_cwmin = conf->wmm_ac_params[queue].cwmin;
1091 int ac_cwmax = conf->wmm_ac_params[queue].cwmax;
1092
1093 if (tx_cwmin > tx_cwmax) {
1094 wpa_printf(MSG_ERROR,
1095 "Invalid TX queue cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)",
1096 tx_cwmin, tx_cwmax);
1097 return -1;
1098 }
1099 if (ac_cwmin > ac_cwmax) {
1100 wpa_printf(MSG_ERROR,
1101 "Invalid WMM AC cwMin/cwMax values. cwMin(%d) greater than cwMax(%d)",
1102 ac_cwmin, ac_cwmax);
1103 return -1;
1104 }
1105 return 0;
1106 }
1107
1108
1109 int hostapd_config_check(struct hostapd_config *conf, int full_config)
1110 {
1111 size_t i;
1112
1113 if (full_config && conf->ieee80211d &&
1114 (!conf->country[0] || !conf->country[1])) {
1115 wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11d without "
1116 "setting the country_code");
1117 return -1;
1118 }
1119
1120 if (full_config && conf->ieee80211h && !conf->ieee80211d) {
1121 wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11h without "
1122 "IEEE 802.11d enabled");
1123 return -1;
1124 }
1125
1126 if (full_config && conf->local_pwr_constraint != -1 &&
1127 !conf->ieee80211d) {
1128 wpa_printf(MSG_ERROR, "Cannot add Power Constraint element without Country element");
1129 return -1;
1130 }
1131
1132 if (full_config && conf->spectrum_mgmt_required &&
1133 conf->local_pwr_constraint == -1) {
1134 wpa_printf(MSG_ERROR, "Cannot set Spectrum Management bit without Country and Power Constraint elements");
1135 return -1;
1136 }
1137
1138 for (i = 0; i < NUM_TX_QUEUES; i++) {
1139 if (hostapd_config_check_cw(conf, i))
1140 return -1;
1141 }
1142
1143 for (i = 0; i < conf->num_bss; i++) {
1144 if (hostapd_config_check_bss(conf->bss[i], conf, full_config))
1145 return -1;
1146 }
1147
1148 return 0;
1149 }
1150
1151
1152 void hostapd_set_security_params(struct hostapd_bss_config *bss,
1153 int full_config)
1154 {
1155 if (bss->individual_wep_key_len == 0) {
1156 /* individual keys are not use; can use key idx0 for
1157 * broadcast keys */
1158 bss->broadcast_key_idx_min = 0;
1159 }
1160
1161 if ((bss->wpa & 2) && bss->rsn_pairwise == 0)
1162 bss->rsn_pairwise = bss->wpa_pairwise;
1163 if (bss->group_cipher)
1164 bss->wpa_group = bss->group_cipher;
1165 else
1166 bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa,
1167 bss->wpa_pairwise,
1168 bss->rsn_pairwise);
1169 if (!bss->wpa_group_rekey_set)
1170 bss->wpa_group_rekey = bss->wpa_group == WPA_CIPHER_TKIP ?
1171 600 : 86400;
1172
1173 if (full_config) {
1174 bss->radius->auth_server = bss->radius->auth_servers;
1175 bss->radius->acct_server = bss->radius->acct_servers;
1176 }
1177
1178 if (bss->wpa && bss->ieee802_1x) {
1179 bss->ssid.security_policy = SECURITY_WPA;
1180 } else if (bss->wpa) {
1181 bss->ssid.security_policy = SECURITY_WPA_PSK;
1182 } else if (bss->ieee802_1x) {
1183 int cipher = WPA_CIPHER_NONE;
1184 bss->ssid.security_policy = SECURITY_IEEE_802_1X;
1185 bss->ssid.wep.default_len = bss->default_wep_key_len;
1186 if (full_config && bss->default_wep_key_len) {
1187 cipher = bss->default_wep_key_len >= 13 ?
1188 WPA_CIPHER_WEP104 : WPA_CIPHER_WEP40;
1189 } else if (full_config && bss->ssid.wep.keys_set) {
1190 if (bss->ssid.wep.len[0] >= 13)
1191 cipher = WPA_CIPHER_WEP104;
1192 else
1193 cipher = WPA_CIPHER_WEP40;
1194 }
1195 bss->wpa_group = cipher;
1196 bss->wpa_pairwise = cipher;
1197 bss->rsn_pairwise = cipher;
1198 if (full_config)
1199 bss->wpa_key_mgmt = WPA_KEY_MGMT_IEEE8021X_NO_WPA;
1200 } else if (bss->ssid.wep.keys_set) {
1201 int cipher = WPA_CIPHER_WEP40;
1202 if (bss->ssid.wep.len[0] >= 13)
1203 cipher = WPA_CIPHER_WEP104;
1204 bss->ssid.security_policy = SECURITY_STATIC_WEP;
1205 bss->wpa_group = cipher;
1206 bss->wpa_pairwise = cipher;
1207 bss->rsn_pairwise = cipher;
1208 if (full_config)
1209 bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE;
1210 } else if (bss->osen) {
1211 bss->ssid.security_policy = SECURITY_OSEN;
1212 bss->wpa_group = WPA_CIPHER_CCMP;
1213 bss->wpa_pairwise = 0;
1214 bss->rsn_pairwise = WPA_CIPHER_CCMP;
1215 } else {
1216 bss->ssid.security_policy = SECURITY_PLAINTEXT;
1217 if (full_config) {
1218 bss->wpa_group = WPA_CIPHER_NONE;
1219 bss->wpa_pairwise = WPA_CIPHER_NONE;
1220 bss->rsn_pairwise = WPA_CIPHER_NONE;
1221 bss->wpa_key_mgmt = WPA_KEY_MGMT_NONE;
1222 }
1223 }
1224 }
1225
1226
1227 int hostapd_sae_pw_id_in_use(struct hostapd_bss_config *conf)
1228 {
1229 int with_id = 0, without_id = 0;
1230 struct sae_password_entry *pw;
1231
1232 if (conf->ssid.wpa_passphrase)
1233 without_id = 1;
1234
1235 for (pw = conf->sae_passwords; pw; pw = pw->next) {
1236 if (pw->identifier)
1237 with_id = 1;
1238 else
1239 without_id = 1;
1240 if (with_id && without_id)
1241 break;
1242 }
1243
1244 if (with_id && !without_id)
1245 return 2;
1246 return with_id;
1247 }
Unnamed repository; edit this file 'description' to name the repository.