ap_config.c 22 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918
  1. /*
  2. * hostapd / Configuration helper functions
  3. * Copyright (c) 2003-2014, Jouni Malinen <j@w1.fi>
  4. *
  5. * This software may be distributed under the terms of the BSD license.
  6. * See README for more details.
  7. */
  8. #include "utils/includes.h"
  9. #include "utils/common.h"
  10. #include "crypto/sha1.h"
  11. #include "radius/radius_client.h"
  12. #include "common/ieee802_11_defs.h"
  13. #include "common/eapol_common.h"
  14. #include "eap_common/eap_wsc_common.h"
  15. #include "eap_server/eap.h"
  16. #include "wpa_auth.h"
  17. #include "sta_info.h"
  18. #include "ap_config.h"
  19. static void hostapd_config_free_vlan(struct hostapd_bss_config *bss)
  20. {
  21. struct hostapd_vlan *vlan, *prev;
  22. vlan = bss->vlan;
  23. prev = NULL;
  24. while (vlan) {
  25. prev = vlan;
  26. vlan = vlan->next;
  27. os_free(prev);
  28. }
  29. bss->vlan = NULL;
  30. }
  31. void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
  32. {
  33. bss->logger_syslog_level = HOSTAPD_LEVEL_INFO;
  34. bss->logger_stdout_level = HOSTAPD_LEVEL_INFO;
  35. bss->logger_syslog = (unsigned int) -1;
  36. bss->logger_stdout = (unsigned int) -1;
  37. bss->auth_algs = WPA_AUTH_ALG_OPEN | WPA_AUTH_ALG_SHARED;
  38. bss->wep_rekeying_period = 300;
  39. /* use key0 in individual key and key1 in broadcast key */
  40. bss->broadcast_key_idx_min = 1;
  41. bss->broadcast_key_idx_max = 2;
  42. bss->eap_reauth_period = 3600;
  43. bss->wpa_group_rekey = 600;
  44. bss->wpa_gmk_rekey = 86400;
  45. bss->wpa_key_mgmt = WPA_KEY_MGMT_PSK;
  46. bss->wpa_pairwise = WPA_CIPHER_TKIP;
  47. bss->wpa_group = WPA_CIPHER_TKIP;
  48. bss->rsn_pairwise = 0;
  49. bss->max_num_sta = MAX_STA_COUNT;
  50. bss->dtim_period = 2;
  51. bss->radius_server_auth_port = 1812;
  52. bss->ap_max_inactivity = AP_MAX_INACTIVITY;
  53. bss->eapol_version = EAPOL_VERSION;
  54. bss->max_listen_interval = 65535;
  55. bss->pwd_group = 19; /* ECC: GF(p=256) */
  56. #ifdef CONFIG_IEEE80211W
  57. bss->assoc_sa_query_max_timeout = 1000;
  58. bss->assoc_sa_query_retry_timeout = 201;
  59. bss->group_mgmt_cipher = WPA_CIPHER_AES_128_CMAC;
  60. #endif /* CONFIG_IEEE80211W */
  61. #ifdef EAP_SERVER_FAST
  62. /* both anonymous and authenticated provisioning */
  63. bss->eap_fast_prov = 3;
  64. bss->pac_key_lifetime = 7 * 24 * 60 * 60;
  65. bss->pac_key_refresh_time = 1 * 24 * 60 * 60;
  66. #endif /* EAP_SERVER_FAST */
  67. /* Set to -1 as defaults depends on HT in setup */
  68. bss->wmm_enabled = -1;
  69. #ifdef CONFIG_IEEE80211R
  70. bss->ft_over_ds = 1;
  71. #endif /* CONFIG_IEEE80211R */
  72. bss->radius_das_time_window = 300;
  73. bss->sae_anti_clogging_threshold = 5;
  74. }
  75. struct hostapd_config * hostapd_config_defaults(void)
  76. {
  77. #define ecw2cw(ecw) ((1 << (ecw)) - 1)
  78. struct hostapd_config *conf;
  79. struct hostapd_bss_config *bss;
  80. const int aCWmin = 4, aCWmax = 10;
  81. const struct hostapd_wmm_ac_params ac_bk =
  82. { aCWmin, aCWmax, 7, 0, 0 }; /* background traffic */
  83. const struct hostapd_wmm_ac_params ac_be =
  84. { aCWmin, aCWmax, 3, 0, 0 }; /* best effort traffic */
  85. const struct hostapd_wmm_ac_params ac_vi = /* video traffic */
  86. { aCWmin - 1, aCWmin, 2, 3008 / 32, 0 };
  87. const struct hostapd_wmm_ac_params ac_vo = /* voice traffic */
  88. { aCWmin - 2, aCWmin - 1, 2, 1504 / 32, 0 };
  89. const struct hostapd_tx_queue_params txq_bk =
  90. { 7, ecw2cw(aCWmin), ecw2cw(aCWmax), 0 };
  91. const struct hostapd_tx_queue_params txq_be =
  92. { 3, ecw2cw(aCWmin), 4 * (ecw2cw(aCWmin) + 1) - 1, 0};
  93. const struct hostapd_tx_queue_params txq_vi =
  94. { 1, (ecw2cw(aCWmin) + 1) / 2 - 1, ecw2cw(aCWmin), 30};
  95. const struct hostapd_tx_queue_params txq_vo =
  96. { 1, (ecw2cw(aCWmin) + 1) / 4 - 1,
  97. (ecw2cw(aCWmin) + 1) / 2 - 1, 15};
  98. #undef ecw2cw
  99. conf = os_zalloc(sizeof(*conf));
  100. bss = os_zalloc(sizeof(*bss));
  101. if (conf == NULL || bss == NULL) {
  102. wpa_printf(MSG_ERROR, "Failed to allocate memory for "
  103. "configuration data.");
  104. os_free(conf);
  105. os_free(bss);
  106. return NULL;
  107. }
  108. conf->bss = os_calloc(1, sizeof(struct hostapd_bss_config *));
  109. if (conf->bss == NULL) {
  110. os_free(conf);
  111. os_free(bss);
  112. return NULL;
  113. }
  114. conf->bss[0] = bss;
  115. bss->radius = os_zalloc(sizeof(*bss->radius));
  116. if (bss->radius == NULL) {
  117. os_free(conf->bss);
  118. os_free(conf);
  119. os_free(bss);
  120. return NULL;
  121. }
  122. hostapd_config_defaults_bss(bss);
  123. conf->num_bss = 1;
  124. conf->beacon_int = 100;
  125. conf->rts_threshold = -1; /* use driver default: 2347 */
  126. conf->fragm_threshold = -1; /* user driver default: 2346 */
  127. conf->send_probe_response = 1;
  128. /* Set to invalid value means do not add Power Constraint IE */
  129. conf->local_pwr_constraint = -1;
  130. conf->wmm_ac_params[0] = ac_be;
  131. conf->wmm_ac_params[1] = ac_bk;
  132. conf->wmm_ac_params[2] = ac_vi;
  133. conf->wmm_ac_params[3] = ac_vo;
  134. conf->tx_queue[0] = txq_vo;
  135. conf->tx_queue[1] = txq_vi;
  136. conf->tx_queue[2] = txq_be;
  137. conf->tx_queue[3] = txq_bk;
  138. conf->ht_capab = HT_CAP_INFO_SMPS_DISABLED;
  139. conf->ap_table_max_size = 255;
  140. conf->ap_table_expiration_time = 60;
  141. #ifdef CONFIG_TESTING_OPTIONS
  142. conf->ignore_probe_probability = 0.0;
  143. conf->ignore_auth_probability = 0.0;
  144. conf->ignore_assoc_probability = 0.0;
  145. conf->ignore_reassoc_probability = 0.0;
  146. conf->corrupt_gtk_rekey_mic_probability = 0.0;
  147. #endif /* CONFIG_TESTING_OPTIONS */
  148. #ifdef CONFIG_ACS
  149. conf->acs_num_scans = 5;
  150. #endif /* CONFIG_ACS */
  151. return conf;
  152. }
  153. int hostapd_mac_comp(const void *a, const void *b)
  154. {
  155. return os_memcmp(a, b, sizeof(macaddr));
  156. }
  157. int hostapd_mac_comp_empty(const void *a)
  158. {
  159. macaddr empty = { 0 };
  160. return os_memcmp(a, empty, sizeof(macaddr));
  161. }
  162. static int hostapd_config_read_wpa_psk(const char *fname,
  163. struct hostapd_ssid *ssid)
  164. {
  165. FILE *f;
  166. char buf[128], *pos;
  167. int line = 0, ret = 0, len, ok;
  168. u8 addr[ETH_ALEN];
  169. struct hostapd_wpa_psk *psk;
  170. if (!fname)
  171. return 0;
  172. f = fopen(fname, "r");
  173. if (!f) {
  174. wpa_printf(MSG_ERROR, "WPA PSK file '%s' not found.", fname);
  175. return -1;
  176. }
  177. while (fgets(buf, sizeof(buf), f)) {
  178. line++;
  179. if (buf[0] == '#')
  180. continue;
  181. pos = buf;
  182. while (*pos != '\0') {
  183. if (*pos == '\n') {
  184. *pos = '\0';
  185. break;
  186. }
  187. pos++;
  188. }
  189. if (buf[0] == '\0')
  190. continue;
  191. if (hwaddr_aton(buf, addr)) {
  192. wpa_printf(MSG_ERROR, "Invalid MAC address '%s' on "
  193. "line %d in '%s'", buf, line, fname);
  194. ret = -1;
  195. break;
  196. }
  197. psk = os_zalloc(sizeof(*psk));
  198. if (psk == NULL) {
  199. wpa_printf(MSG_ERROR, "WPA PSK allocation failed");
  200. ret = -1;
  201. break;
  202. }
  203. if (is_zero_ether_addr(addr))
  204. psk->group = 1;
  205. else
  206. os_memcpy(psk->addr, addr, ETH_ALEN);
  207. pos = buf + 17;
  208. if (*pos == '\0') {
  209. wpa_printf(MSG_ERROR, "No PSK on line %d in '%s'",
  210. line, fname);
  211. os_free(psk);
  212. ret = -1;
  213. break;
  214. }
  215. pos++;
  216. ok = 0;
  217. len = os_strlen(pos);
  218. if (len == 64 && hexstr2bin(pos, psk->psk, PMK_LEN) == 0)
  219. ok = 1;
  220. else if (len >= 8 && len < 64) {
  221. pbkdf2_sha1(pos, ssid->ssid, ssid->ssid_len,
  222. 4096, psk->psk, PMK_LEN);
  223. ok = 1;
  224. }
  225. if (!ok) {
  226. wpa_printf(MSG_ERROR, "Invalid PSK '%s' on line %d in "
  227. "'%s'", pos, line, fname);
  228. os_free(psk);
  229. ret = -1;
  230. break;
  231. }
  232. psk->next = ssid->wpa_psk;
  233. ssid->wpa_psk = psk;
  234. }
  235. fclose(f);
  236. return ret;
  237. }
  238. static int hostapd_derive_psk(struct hostapd_ssid *ssid)
  239. {
  240. ssid->wpa_psk = os_zalloc(sizeof(struct hostapd_wpa_psk));
  241. if (ssid->wpa_psk == NULL) {
  242. wpa_printf(MSG_ERROR, "Unable to alloc space for PSK");
  243. return -1;
  244. }
  245. wpa_hexdump_ascii(MSG_DEBUG, "SSID",
  246. (u8 *) ssid->ssid, ssid->ssid_len);
  247. wpa_hexdump_ascii_key(MSG_DEBUG, "PSK (ASCII passphrase)",
  248. (u8 *) ssid->wpa_passphrase,
  249. os_strlen(ssid->wpa_passphrase));
  250. pbkdf2_sha1(ssid->wpa_passphrase,
  251. ssid->ssid, ssid->ssid_len,
  252. 4096, ssid->wpa_psk->psk, PMK_LEN);
  253. wpa_hexdump_key(MSG_DEBUG, "PSK (from passphrase)",
  254. ssid->wpa_psk->psk, PMK_LEN);
  255. return 0;
  256. }
  257. int hostapd_setup_wpa_psk(struct hostapd_bss_config *conf)
  258. {
  259. struct hostapd_ssid *ssid = &conf->ssid;
  260. if (ssid->wpa_passphrase != NULL) {
  261. if (ssid->wpa_psk != NULL) {
  262. wpa_printf(MSG_DEBUG, "Using pre-configured WPA PSK "
  263. "instead of passphrase");
  264. } else {
  265. wpa_printf(MSG_DEBUG, "Deriving WPA PSK based on "
  266. "passphrase");
  267. if (hostapd_derive_psk(ssid) < 0)
  268. return -1;
  269. }
  270. ssid->wpa_psk->group = 1;
  271. }
  272. if (ssid->wpa_psk_file) {
  273. if (hostapd_config_read_wpa_psk(ssid->wpa_psk_file,
  274. &conf->ssid))
  275. return -1;
  276. }
  277. return 0;
  278. }
  279. static void hostapd_config_free_radius(struct hostapd_radius_server *servers,
  280. int num_servers)
  281. {
  282. int i;
  283. for (i = 0; i < num_servers; i++) {
  284. os_free(servers[i].shared_secret);
  285. }
  286. os_free(servers);
  287. }
  288. struct hostapd_radius_attr *
  289. hostapd_config_get_radius_attr(struct hostapd_radius_attr *attr, u8 type)
  290. {
  291. for (; attr; attr = attr->next) {
  292. if (attr->type == type)
  293. return attr;
  294. }
  295. return NULL;
  296. }
  297. static void hostapd_config_free_radius_attr(struct hostapd_radius_attr *attr)
  298. {
  299. struct hostapd_radius_attr *prev;
  300. while (attr) {
  301. prev = attr;
  302. attr = attr->next;
  303. wpabuf_free(prev->val);
  304. os_free(prev);
  305. }
  306. }
  307. void hostapd_config_free_eap_user(struct hostapd_eap_user *user)
  308. {
  309. hostapd_config_free_radius_attr(user->accept_attr);
  310. os_free(user->identity);
  311. bin_clear_free(user->password, user->password_len);
  312. os_free(user);
  313. }
  314. static void hostapd_config_free_wep(struct hostapd_wep_keys *keys)
  315. {
  316. int i;
  317. for (i = 0; i < NUM_WEP_KEYS; i++) {
  318. bin_clear_free(keys->key[i], keys->len[i]);
  319. keys->key[i] = NULL;
  320. }
  321. }
  322. void hostapd_config_free_bss(struct hostapd_bss_config *conf)
  323. {
  324. struct hostapd_wpa_psk *psk, *prev;
  325. struct hostapd_eap_user *user, *prev_user;
  326. if (conf == NULL)
  327. return;
  328. psk = conf->ssid.wpa_psk;
  329. while (psk) {
  330. prev = psk;
  331. psk = psk->next;
  332. bin_clear_free(prev, sizeof(*prev));
  333. }
  334. str_clear_free(conf->ssid.wpa_passphrase);
  335. os_free(conf->ssid.wpa_psk_file);
  336. hostapd_config_free_wep(&conf->ssid.wep);
  337. #ifdef CONFIG_FULL_DYNAMIC_VLAN
  338. os_free(conf->ssid.vlan_tagged_interface);
  339. #endif /* CONFIG_FULL_DYNAMIC_VLAN */
  340. user = conf->eap_user;
  341. while (user) {
  342. prev_user = user;
  343. user = user->next;
  344. hostapd_config_free_eap_user(prev_user);
  345. }
  346. os_free(conf->eap_user_sqlite);
  347. os_free(conf->eap_req_id_text);
  348. os_free(conf->erp_domain);
  349. os_free(conf->accept_mac);
  350. os_free(conf->deny_mac);
  351. os_free(conf->nas_identifier);
  352. if (conf->radius) {
  353. hostapd_config_free_radius(conf->radius->auth_servers,
  354. conf->radius->num_auth_servers);
  355. hostapd_config_free_radius(conf->radius->acct_servers,
  356. conf->radius->num_acct_servers);
  357. }
  358. hostapd_config_free_radius_attr(conf->radius_auth_req_attr);
  359. hostapd_config_free_radius_attr(conf->radius_acct_req_attr);
  360. os_free(conf->rsn_preauth_interfaces);
  361. os_free(conf->ctrl_interface);
  362. os_free(conf->ca_cert);
  363. os_free(conf->server_cert);
  364. os_free(conf->private_key);
  365. os_free(conf->private_key_passwd);
  366. os_free(conf->ocsp_stapling_response);
  367. os_free(conf->dh_file);
  368. os_free(conf->openssl_ciphers);
  369. os_free(conf->pac_opaque_encr_key);
  370. os_free(conf->eap_fast_a_id);
  371. os_free(conf->eap_fast_a_id_info);
  372. os_free(conf->eap_sim_db);
  373. os_free(conf->radius_server_clients);
  374. os_free(conf->radius);
  375. os_free(conf->radius_das_shared_secret);
  376. hostapd_config_free_vlan(conf);
  377. os_free(conf->time_zone);
  378. #ifdef CONFIG_IEEE80211R
  379. {
  380. struct ft_remote_r0kh *r0kh, *r0kh_prev;
  381. struct ft_remote_r1kh *r1kh, *r1kh_prev;
  382. r0kh = conf->r0kh_list;
  383. conf->r0kh_list = NULL;
  384. while (r0kh) {
  385. r0kh_prev = r0kh;
  386. r0kh = r0kh->next;
  387. os_free(r0kh_prev);
  388. }
  389. r1kh = conf->r1kh_list;
  390. conf->r1kh_list = NULL;
  391. while (r1kh) {
  392. r1kh_prev = r1kh;
  393. r1kh = r1kh->next;
  394. os_free(r1kh_prev);
  395. }
  396. }
  397. #endif /* CONFIG_IEEE80211R */
  398. #ifdef CONFIG_WPS
  399. os_free(conf->wps_pin_requests);
  400. os_free(conf->device_name);
  401. os_free(conf->manufacturer);
  402. os_free(conf->model_name);
  403. os_free(conf->model_number);
  404. os_free(conf->serial_number);
  405. os_free(conf->config_methods);
  406. os_free(conf->ap_pin);
  407. os_free(conf->extra_cred);
  408. os_free(conf->ap_settings);
  409. os_free(conf->upnp_iface);
  410. os_free(conf->friendly_name);
  411. os_free(conf->manufacturer_url);
  412. os_free(conf->model_description);
  413. os_free(conf->model_url);
  414. os_free(conf->upc);
  415. wpabuf_free(conf->wps_nfc_dh_pubkey);
  416. wpabuf_free(conf->wps_nfc_dh_privkey);
  417. wpabuf_free(conf->wps_nfc_dev_pw);
  418. #endif /* CONFIG_WPS */
  419. os_free(conf->roaming_consortium);
  420. os_free(conf->venue_name);
  421. os_free(conf->nai_realm_data);
  422. os_free(conf->network_auth_type);
  423. os_free(conf->anqp_3gpp_cell_net);
  424. os_free(conf->domain_name);
  425. #ifdef CONFIG_RADIUS_TEST
  426. os_free(conf->dump_msk_file);
  427. #endif /* CONFIG_RADIUS_TEST */
  428. #ifdef CONFIG_HS20
  429. os_free(conf->hs20_oper_friendly_name);
  430. os_free(conf->hs20_wan_metrics);
  431. os_free(conf->hs20_connection_capability);
  432. os_free(conf->hs20_operating_class);
  433. os_free(conf->hs20_icons);
  434. if (conf->hs20_osu_providers) {
  435. size_t i;
  436. for (i = 0; i < conf->hs20_osu_providers_count; i++) {
  437. struct hs20_osu_provider *p;
  438. size_t j;
  439. p = &conf->hs20_osu_providers[i];
  440. os_free(p->friendly_name);
  441. os_free(p->server_uri);
  442. os_free(p->method_list);
  443. for (j = 0; j < p->icons_count; j++)
  444. os_free(p->icons[j]);
  445. os_free(p->icons);
  446. os_free(p->osu_nai);
  447. os_free(p->service_desc);
  448. }
  449. os_free(conf->hs20_osu_providers);
  450. }
  451. os_free(conf->subscr_remediation_url);
  452. #endif /* CONFIG_HS20 */
  453. wpabuf_free(conf->vendor_elements);
  454. os_free(conf->sae_groups);
  455. os_free(conf->wowlan_triggers);
  456. os_free(conf->server_id);
  457. os_free(conf);
  458. }
  459. /**
  460. * hostapd_config_free - Free hostapd configuration
  461. * @conf: Configuration data from hostapd_config_read().
  462. */
  463. void hostapd_config_free(struct hostapd_config *conf)
  464. {
  465. size_t i;
  466. if (conf == NULL)
  467. return;
  468. for (i = 0; i < conf->num_bss; i++)
  469. hostapd_config_free_bss(conf->bss[i]);
  470. os_free(conf->bss);
  471. os_free(conf->supported_rates);
  472. os_free(conf->basic_rates);
  473. os_free(conf->chanlist);
  474. os_free(conf->driver_params);
  475. os_free(conf);
  476. }
  477. /**
  478. * hostapd_maclist_found - Find a MAC address from a list
  479. * @list: MAC address list
  480. * @num_entries: Number of addresses in the list
  481. * @addr: Address to search for
  482. * @vlan_id: Buffer for returning VLAN ID or %NULL if not needed
  483. * Returns: 1 if address is in the list or 0 if not.
  484. *
  485. * Perform a binary search for given MAC address from a pre-sorted list.
  486. */
  487. int hostapd_maclist_found(struct mac_acl_entry *list, int num_entries,
  488. const u8 *addr, int *vlan_id)
  489. {
  490. int start, end, middle, res;
  491. start = 0;
  492. end = num_entries - 1;
  493. while (start <= end) {
  494. middle = (start + end) / 2;
  495. res = os_memcmp(list[middle].addr, addr, ETH_ALEN);
  496. if (res == 0) {
  497. if (vlan_id)
  498. *vlan_id = list[middle].vlan_id;
  499. return 1;
  500. }
  501. if (res < 0)
  502. start = middle + 1;
  503. else
  504. end = middle - 1;
  505. }
  506. return 0;
  507. }
  508. int hostapd_rate_found(int *list, int rate)
  509. {
  510. int i;
  511. if (list == NULL)
  512. return 0;
  513. for (i = 0; list[i] >= 0; i++)
  514. if (list[i] == rate)
  515. return 1;
  516. return 0;
  517. }
  518. int hostapd_vlan_id_valid(struct hostapd_vlan *vlan, int vlan_id)
  519. {
  520. struct hostapd_vlan *v = vlan;
  521. while (v) {
  522. if (v->vlan_id == vlan_id || v->vlan_id == VLAN_ID_WILDCARD)
  523. return 1;
  524. v = v->next;
  525. }
  526. return 0;
  527. }
  528. const char * hostapd_get_vlan_id_ifname(struct hostapd_vlan *vlan, int vlan_id)
  529. {
  530. struct hostapd_vlan *v = vlan;
  531. while (v) {
  532. if (v->vlan_id == vlan_id)
  533. return v->ifname;
  534. v = v->next;
  535. }
  536. return NULL;
  537. }
  538. const u8 * hostapd_get_psk(const struct hostapd_bss_config *conf,
  539. const u8 *addr, const u8 *p2p_dev_addr,
  540. const u8 *prev_psk)
  541. {
  542. struct hostapd_wpa_psk *psk;
  543. int next_ok = prev_psk == NULL;
  544. if (p2p_dev_addr && !is_zero_ether_addr(p2p_dev_addr)) {
  545. wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR
  546. " p2p_dev_addr=" MACSTR " prev_psk=%p",
  547. MAC2STR(addr), MAC2STR(p2p_dev_addr), prev_psk);
  548. addr = NULL; /* Use P2P Device Address for matching */
  549. } else {
  550. wpa_printf(MSG_DEBUG, "Searching a PSK for " MACSTR
  551. " prev_psk=%p",
  552. MAC2STR(addr), prev_psk);
  553. }
  554. for (psk = conf->ssid.wpa_psk; psk != NULL; psk = psk->next) {
  555. if (next_ok &&
  556. (psk->group ||
  557. (addr && os_memcmp(psk->addr, addr, ETH_ALEN) == 0) ||
  558. (!addr && p2p_dev_addr &&
  559. os_memcmp(psk->p2p_dev_addr, p2p_dev_addr, ETH_ALEN) ==
  560. 0)))
  561. return psk->psk;
  562. if (psk->psk == prev_psk)
  563. next_ok = 1;
  564. }
  565. return NULL;
  566. }
  567. static int hostapd_config_check_bss(struct hostapd_bss_config *bss,
  568. struct hostapd_config *conf,
  569. int full_config)
  570. {
  571. if (full_config && bss->ieee802_1x && !bss->eap_server &&
  572. !bss->radius->auth_servers) {
  573. wpa_printf(MSG_ERROR, "Invalid IEEE 802.1X configuration (no "
  574. "EAP authenticator configured).");
  575. return -1;
  576. }
  577. if (bss->wpa) {
  578. int wep, i;
  579. wep = bss->default_wep_key_len > 0 ||
  580. bss->individual_wep_key_len > 0;
  581. for (i = 0; i < NUM_WEP_KEYS; i++) {
  582. if (bss->ssid.wep.keys_set) {
  583. wep = 1;
  584. break;
  585. }
  586. }
  587. if (wep) {
  588. wpa_printf(MSG_ERROR, "WEP configuration in a WPA network is not supported");
  589. return -1;
  590. }
  591. }
  592. if (full_config && bss->wpa &&
  593. bss->wpa_psk_radius != PSK_RADIUS_IGNORED &&
  594. bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH) {
  595. wpa_printf(MSG_ERROR, "WPA-PSK using RADIUS enabled, but no "
  596. "RADIUS checking (macaddr_acl=2) enabled.");
  597. return -1;
  598. }
  599. if (full_config && bss->wpa && (bss->wpa_key_mgmt & WPA_KEY_MGMT_PSK) &&
  600. bss->ssid.wpa_psk == NULL && bss->ssid.wpa_passphrase == NULL &&
  601. bss->ssid.wpa_psk_file == NULL &&
  602. (bss->wpa_psk_radius != PSK_RADIUS_REQUIRED ||
  603. bss->macaddr_acl != USE_EXTERNAL_RADIUS_AUTH)) {
  604. wpa_printf(MSG_ERROR, "WPA-PSK enabled, but PSK or passphrase "
  605. "is not configured.");
  606. return -1;
  607. }
  608. if (full_config && hostapd_mac_comp_empty(bss->bssid) != 0) {
  609. size_t i;
  610. for (i = 0; i < conf->num_bss; i++) {
  611. if (conf->bss[i] != bss &&
  612. (hostapd_mac_comp(conf->bss[i]->bssid,
  613. bss->bssid) == 0)) {
  614. wpa_printf(MSG_ERROR, "Duplicate BSSID " MACSTR
  615. " on interface '%s' and '%s'.",
  616. MAC2STR(bss->bssid),
  617. conf->bss[i]->iface, bss->iface);
  618. return -1;
  619. }
  620. }
  621. }
  622. #ifdef CONFIG_IEEE80211R
  623. if (full_config && wpa_key_mgmt_ft(bss->wpa_key_mgmt) &&
  624. (bss->nas_identifier == NULL ||
  625. os_strlen(bss->nas_identifier) < 1 ||
  626. os_strlen(bss->nas_identifier) > FT_R0KH_ID_MAX_LEN)) {
  627. wpa_printf(MSG_ERROR, "FT (IEEE 802.11r) requires "
  628. "nas_identifier to be configured as a 1..48 octet "
  629. "string");
  630. return -1;
  631. }
  632. #endif /* CONFIG_IEEE80211R */
  633. #ifdef CONFIG_IEEE80211N
  634. if (full_config && conf->ieee80211n &&
  635. conf->hw_mode == HOSTAPD_MODE_IEEE80211B) {
  636. bss->disable_11n = 1;
  637. wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) in 11b mode is not "
  638. "allowed, disabling HT capabilities");
  639. }
  640. if (full_config && conf->ieee80211n &&
  641. bss->ssid.security_policy == SECURITY_STATIC_WEP) {
  642. bss->disable_11n = 1;
  643. wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WEP is not "
  644. "allowed, disabling HT capabilities");
  645. }
  646. if (full_config && conf->ieee80211n && bss->wpa &&
  647. !(bss->wpa_pairwise & WPA_CIPHER_CCMP) &&
  648. !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
  649. WPA_CIPHER_CCMP_256 | WPA_CIPHER_GCMP_256)))
  650. {
  651. bss->disable_11n = 1;
  652. wpa_printf(MSG_ERROR, "HT (IEEE 802.11n) with WPA/WPA2 "
  653. "requires CCMP/GCMP to be enabled, disabling HT "
  654. "capabilities");
  655. }
  656. #endif /* CONFIG_IEEE80211N */
  657. #ifdef CONFIG_WPS
  658. if (full_config && bss->wps_state && bss->ignore_broadcast_ssid) {
  659. wpa_printf(MSG_INFO, "WPS: ignore_broadcast_ssid "
  660. "configuration forced WPS to be disabled");
  661. bss->wps_state = 0;
  662. }
  663. if (full_config && bss->wps_state &&
  664. bss->ssid.wep.keys_set && bss->wpa == 0) {
  665. wpa_printf(MSG_INFO, "WPS: WEP configuration forced WPS to be "
  666. "disabled");
  667. bss->wps_state = 0;
  668. }
  669. if (full_config && bss->wps_state && bss->wpa &&
  670. (!(bss->wpa & 2) ||
  671. !(bss->rsn_pairwise & WPA_CIPHER_CCMP))) {
  672. wpa_printf(MSG_INFO, "WPS: WPA/TKIP configuration without "
  673. "WPA2/CCMP forced WPS to be disabled");
  674. bss->wps_state = 0;
  675. }
  676. #endif /* CONFIG_WPS */
  677. #ifdef CONFIG_HS20
  678. if (full_config && bss->hs20 &&
  679. (!(bss->wpa & 2) ||
  680. !(bss->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP |
  681. WPA_CIPHER_CCMP_256 |
  682. WPA_CIPHER_GCMP_256)))) {
  683. wpa_printf(MSG_ERROR, "HS 2.0: WPA2-Enterprise/CCMP "
  684. "configuration is required for Hotspot 2.0 "
  685. "functionality");
  686. return -1;
  687. }
  688. #endif /* CONFIG_HS20 */
  689. return 0;
  690. }
  691. int hostapd_config_check(struct hostapd_config *conf, int full_config)
  692. {
  693. size_t i;
  694. if (full_config && conf->ieee80211d &&
  695. (!conf->country[0] || !conf->country[1])) {
  696. wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11d without "
  697. "setting the country_code");
  698. return -1;
  699. }
  700. if (full_config && conf->ieee80211h && !conf->ieee80211d) {
  701. wpa_printf(MSG_ERROR, "Cannot enable IEEE 802.11h without "
  702. "IEEE 802.11d enabled");
  703. return -1;
  704. }
  705. if (full_config && conf->local_pwr_constraint != -1 &&
  706. !conf->ieee80211d) {
  707. wpa_printf(MSG_ERROR, "Cannot add Power Constraint element without Country element");
  708. return -1;
  709. }
  710. if (full_config && conf->spectrum_mgmt_required &&
  711. conf->local_pwr_constraint == -1) {
  712. wpa_printf(MSG_ERROR, "Cannot set Spectrum Management bit without Country and Power Constraint elements");
  713. return -1;
  714. }
  715. for (i = 0; i < conf->num_bss; i++) {
  716. if (hostapd_config_check_bss(conf->bss[i], conf, full_config))
  717. return -1;
  718. }
  719. return 0;
  720. }
  721. void hostapd_set_security_params(struct hostapd_bss_config *bss,
  722. int full_config)
  723. {
  724. if (bss->individual_wep_key_len == 0) {
  725. /* individual keys are not use; can use key idx0 for
  726. * broadcast keys */
  727. bss->broadcast_key_idx_min = 0;
  728. }
  729. if ((bss->wpa & 2) && bss->rsn_pairwise == 0)
  730. bss->rsn_pairwise = bss->wpa_pairwise;
  731. bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa, bss->wpa_pairwise,
  732. bss->rsn_pairwise);
  733. if (full_config) {
  734. bss->radius->auth_server = bss->radius->auth_servers;
  735. bss->radius->acct_server = bss->radius->acct_servers;
  736. }
  737. if (bss->wpa && bss->ieee802_1x) {
  738. bss->ssid.security_policy = SECURITY_WPA;
  739. } else if (bss->wpa) {
  740. bss->ssid.security_policy = SECURITY_WPA_PSK;
  741. } else if (bss->ieee802_1x) {
  742. int cipher = WPA_CIPHER_NONE;
  743. bss->ssid.security_policy = SECURITY_IEEE_802_1X;
  744. bss->ssid.wep.default_len = bss->default_wep_key_len;
  745. if (bss->default_wep_key_len)
  746. cipher = bss->default_wep_key_len >= 13 ?
  747. WPA_CIPHER_WEP104 : WPA_CIPHER_WEP40;
  748. bss->wpa_group = cipher;
  749. bss->wpa_pairwise = cipher;
  750. bss->rsn_pairwise = cipher;
  751. } else if (bss->ssid.wep.keys_set) {
  752. int cipher = WPA_CIPHER_WEP40;
  753. if (bss->ssid.wep.len[0] >= 13)
  754. cipher = WPA_CIPHER_WEP104;
  755. bss->ssid.security_policy = SECURITY_STATIC_WEP;
  756. bss->wpa_group = cipher;
  757. bss->wpa_pairwise = cipher;
  758. bss->rsn_pairwise = cipher;
  759. } else if (bss->osen) {
  760. bss->ssid.security_policy = SECURITY_OSEN;
  761. bss->wpa_group = WPA_CIPHER_CCMP;
  762. bss->wpa_pairwise = 0;
  763. bss->rsn_pairwise = WPA_CIPHER_CCMP;
  764. } else {
  765. bss->ssid.security_policy = SECURITY_PLAINTEXT;
  766. bss->wpa_group = WPA_CIPHER_NONE;
  767. bss->wpa_pairwise = WPA_CIPHER_NONE;
  768. bss->rsn_pairwise = WPA_CIPHER_NONE;
  769. }
  770. }