1/*
2 * hostapd / IEEE 802.11 authentication (ACL)
3 * Copyright (c) 2003-2012, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 *
8 * Access control list for IEEE 802.11 authentication can uses statically
9 * configured ACL from configuration files or an external RADIUS server.
10 * Results from external RADIUS queries are cached to allow faster
11 * authentication frame processing.
12 */
13
14#include "utils/includes.h"
15
16#include "utils/common.h"
17#include "utils/eloop.h"
18#include "radius/radius.h"
19#include "radius/radius_client.h"
20#include "hostapd.h"
21#include "ap_config.h"
22#include "ap_drv_ops.h"
23#include "ieee802_11.h"
24#include "ieee802_1x.h"
25#include "ieee802_11_auth.h"
26
27#define RADIUS_ACL_TIMEOUT 30
28
29
30struct hostapd_cached_radius_acl {
31	struct os_reltime timestamp;
32	macaddr addr;
33	int accepted; /* HOSTAPD_ACL_* */
34	struct hostapd_cached_radius_acl *next;
35	u32 session_timeout;
36	u32 acct_interim_interval;
37	struct vlan_description vlan_id;
38	struct hostapd_sta_wpa_psk_short *psk;
39	char *identity;
40	char *radius_cui;
41};
42
43
44struct hostapd_acl_query_data {
45	struct os_reltime timestamp;
46	u8 radius_id;
47	macaddr addr;
48	u8 *auth_msg; /* IEEE 802.11 authentication frame from station */
49	size_t auth_msg_len;
50	struct hostapd_acl_query_data *next;
51};
52
53
54#ifndef CONFIG_NO_RADIUS
55static void hostapd_acl_cache_free_entry(struct hostapd_cached_radius_acl *e)
56{
57	os_free(e->identity);
58	os_free(e->radius_cui);
59	hostapd_free_psk_list(e->psk);
60	os_free(e);
61}
62
63
64static void hostapd_acl_cache_free(struct hostapd_cached_radius_acl *acl_cache)
65{
66	struct hostapd_cached_radius_acl *prev;
67
68	while (acl_cache) {
69		prev = acl_cache;
70		acl_cache = acl_cache->next;
71		hostapd_acl_cache_free_entry(prev);
72	}
73}
74
75
76static void copy_psk_list(struct hostapd_sta_wpa_psk_short **psk,
77			  struct hostapd_sta_wpa_psk_short *src)
78{
79	if (!psk)
80		return;
81
82	if (src)
83		src->ref++;
84
85	*psk = src;
86}
87
88
89static int hostapd_acl_cache_get(struct hostapd_data *hapd, const u8 *addr,
90				 u32 *session_timeout,
91				 u32 *acct_interim_interval,
92				 struct vlan_description *vlan_id,
93				 struct hostapd_sta_wpa_psk_short **psk,
94				 char **identity, char **radius_cui)
95{
96	struct hostapd_cached_radius_acl *entry;
97	struct os_reltime now;
98
99	os_get_reltime(&now);
100
101	for (entry = hapd->acl_cache; entry; entry = entry->next) {
102		if (os_memcmp(entry->addr, addr, ETH_ALEN) != 0)
103			continue;
104
105		if (os_reltime_expired(&now, &entry->timestamp,
106				       RADIUS_ACL_TIMEOUT))
107			return -1; /* entry has expired */
108		if (entry->accepted == HOSTAPD_ACL_ACCEPT_TIMEOUT)
109			if (session_timeout)
110				*session_timeout = entry->session_timeout;
111		if (acct_interim_interval)
112			*acct_interim_interval =
113				entry->acct_interim_interval;
114		if (vlan_id)
115			*vlan_id = entry->vlan_id;
116		copy_psk_list(psk, entry->psk);
117		if (identity) {
118			if (entry->identity)
119				*identity = os_strdup(entry->identity);
120			else
121				*identity = NULL;
122		}
123		if (radius_cui) {
124			if (entry->radius_cui)
125				*radius_cui = os_strdup(entry->radius_cui);
126			else
127				*radius_cui = NULL;
128		}
129		return entry->accepted;
130	}
131
132	return -1;
133}
134#endif /* CONFIG_NO_RADIUS */
135
136
137static void hostapd_acl_query_free(struct hostapd_acl_query_data *query)
138{
139	if (query == NULL)
140		return;
141	os_free(query->auth_msg);
142	os_free(query);
143}
144
145
146#ifndef CONFIG_NO_RADIUS
147static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr,
148				    struct hostapd_acl_query_data *query)
149{
150	struct radius_msg *msg;
151	char buf[128];
152
153	query->radius_id = radius_client_get_id(hapd->radius);
154	msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, query->radius_id);
155	if (msg == NULL)
156		return -1;
157
158	if (radius_msg_make_authenticator(msg) < 0) {
159		wpa_printf(MSG_INFO, "Could not make Request Authenticator");
160		goto fail;
161	}
162
163	os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr));
164	if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf,
165				 os_strlen(buf))) {
166		wpa_printf(MSG_DEBUG, "Could not add User-Name");
167		goto fail;
168	}
169
170	if (!radius_msg_add_attr_user_password(
171		    msg, (u8 *) buf, os_strlen(buf),
172		    hapd->conf->radius->auth_server->shared_secret,
173		    hapd->conf->radius->auth_server->shared_secret_len)) {
174		wpa_printf(MSG_DEBUG, "Could not add User-Password");
175		goto fail;
176	}
177
178	if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr,
179				   NULL, msg) < 0)
180		goto fail;
181
182	os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
183		    MAC2STR(addr));
184	if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID,
185				 (u8 *) buf, os_strlen(buf))) {
186		wpa_printf(MSG_DEBUG, "Could not add Calling-Station-Id");
187		goto fail;
188	}
189
190	os_snprintf(buf, sizeof(buf), "CONNECT 11Mbps 802.11b");
191	if (!radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO,
192				 (u8 *) buf, os_strlen(buf))) {
193		wpa_printf(MSG_DEBUG, "Could not add Connect-Info");
194		goto fail;
195	}
196
197	if (radius_client_send(hapd->radius, msg, RADIUS_AUTH, addr) < 0)
198		goto fail;
199	return 0;
200
201 fail:
202	radius_msg_free(msg);
203	return -1;
204}
205#endif /* CONFIG_NO_RADIUS */
206
207
208/**
209 * hostapd_check_acl - Check a specified STA against accept/deny ACLs
210 * @hapd: hostapd BSS data
211 * @addr: MAC address of the STA
212 * @vlan_id: Buffer for returning VLAN ID
213 * Returns: HOSTAPD_ACL_ACCEPT, HOSTAPD_ACL_REJECT, or HOSTAPD_ACL_PENDING
214 */
215int hostapd_check_acl(struct hostapd_data *hapd, const u8 *addr,
216		      struct vlan_description *vlan_id)
217{
218	if (hostapd_maclist_found(hapd->conf->accept_mac,
219				  hapd->conf->num_accept_mac, addr, vlan_id))
220		return HOSTAPD_ACL_ACCEPT;
221
222	if (hostapd_maclist_found(hapd->conf->deny_mac,
223				  hapd->conf->num_deny_mac, addr, vlan_id))
224		return HOSTAPD_ACL_REJECT;
225
226	if (hapd->conf->macaddr_acl == ACCEPT_UNLESS_DENIED)
227		return HOSTAPD_ACL_ACCEPT;
228	if (hapd->conf->macaddr_acl == DENY_UNLESS_ACCEPTED)
229		return HOSTAPD_ACL_REJECT;
230
231	return HOSTAPD_ACL_PENDING;
232}
233
234
235/**
236 * hostapd_allowed_address - Check whether a specified STA can be authenticated
237 * @hapd: hostapd BSS data
238 * @addr: MAC address of the STA
239 * @msg: Authentication message
240 * @len: Length of msg in octets
241 * @session_timeout: Buffer for returning session timeout (from RADIUS)
242 * @acct_interim_interval: Buffer for returning account interval (from RADIUS)
243 * @vlan_id: Buffer for returning VLAN ID
244 * @psk: Linked list buffer for returning WPA PSK
245 * @identity: Buffer for returning identity (from RADIUS)
246 * @radius_cui: Buffer for returning CUI (from RADIUS)
247 * Returns: HOSTAPD_ACL_ACCEPT, HOSTAPD_ACL_REJECT, or HOSTAPD_ACL_PENDING
248 *
249 * The caller is responsible for freeing the returned *identity and *radius_cui
250 * values with os_free().
251 */
252int hostapd_allowed_address(struct hostapd_data *hapd, const u8 *addr,
253			    const u8 *msg, size_t len, u32 *session_timeout,
254			    u32 *acct_interim_interval,
255			    struct vlan_description *vlan_id,
256			    struct hostapd_sta_wpa_psk_short **psk,
257			    char **identity, char **radius_cui)
258{
259	int res;
260
261	if (session_timeout)
262		*session_timeout = 0;
263	if (acct_interim_interval)
264		*acct_interim_interval = 0;
265	if (vlan_id)
266		os_memset(vlan_id, 0, sizeof(*vlan_id));
267	if (psk)
268		*psk = NULL;
269	if (identity)
270		*identity = NULL;
271	if (radius_cui)
272		*radius_cui = NULL;
273
274	res = hostapd_check_acl(hapd, addr, vlan_id);
275	if (res != HOSTAPD_ACL_PENDING)
276		return res;
277
278	if (hapd->conf->macaddr_acl == USE_EXTERNAL_RADIUS_AUTH) {
279#ifdef CONFIG_NO_RADIUS
280		return HOSTAPD_ACL_REJECT;
281#else /* CONFIG_NO_RADIUS */
282		struct hostapd_acl_query_data *query;
283
284		/* Check whether ACL cache has an entry for this station */
285		res = hostapd_acl_cache_get(hapd, addr, session_timeout,
286					    acct_interim_interval, vlan_id, psk,
287					    identity, radius_cui);
288		if (res == HOSTAPD_ACL_ACCEPT ||
289		    res == HOSTAPD_ACL_ACCEPT_TIMEOUT)
290			return res;
291		if (res == HOSTAPD_ACL_REJECT)
292			return HOSTAPD_ACL_REJECT;
293
294		query = hapd->acl_queries;
295		while (query) {
296			if (os_memcmp(query->addr, addr, ETH_ALEN) == 0) {
297				/* pending query in RADIUS retransmit queue;
298				 * do not generate a new one */
299				if (identity) {
300					os_free(*identity);
301					*identity = NULL;
302				}
303				if (radius_cui) {
304					os_free(*radius_cui);
305					*radius_cui = NULL;
306				}
307				return HOSTAPD_ACL_PENDING;
308			}
309			query = query->next;
310		}
311
312		if (!hapd->conf->radius->auth_server)
313			return HOSTAPD_ACL_REJECT;
314
315		/* No entry in the cache - query external RADIUS server */
316		query = os_zalloc(sizeof(*query));
317		if (query == NULL) {
318			wpa_printf(MSG_ERROR, "malloc for query data failed");
319			return HOSTAPD_ACL_REJECT;
320		}
321		os_get_reltime(&query->timestamp);
322		os_memcpy(query->addr, addr, ETH_ALEN);
323		if (hostapd_radius_acl_query(hapd, addr, query)) {
324			wpa_printf(MSG_DEBUG, "Failed to send Access-Request "
325				   "for ACL query.");
326			hostapd_acl_query_free(query);
327			return HOSTAPD_ACL_REJECT;
328		}
329
330		query->auth_msg = os_malloc(len);
331		if (query->auth_msg == NULL) {
332			wpa_printf(MSG_ERROR, "Failed to allocate memory for "
333				   "auth frame.");
334			hostapd_acl_query_free(query);
335			return HOSTAPD_ACL_REJECT;
336		}
337		os_memcpy(query->auth_msg, msg, len);
338		query->auth_msg_len = len;
339		query->next = hapd->acl_queries;
340		hapd->acl_queries = query;
341
342		/* Queued data will be processed in hostapd_acl_recv_radius()
343		 * when RADIUS server replies to the sent Access-Request. */
344		return HOSTAPD_ACL_PENDING;
345#endif /* CONFIG_NO_RADIUS */
346	}
347
348	return HOSTAPD_ACL_REJECT;
349}
350
351
352#ifndef CONFIG_NO_RADIUS
353static void hostapd_acl_expire_cache(struct hostapd_data *hapd,
354				     struct os_reltime *now)
355{
356	struct hostapd_cached_radius_acl *prev, *entry, *tmp;
357
358	prev = NULL;
359	entry = hapd->acl_cache;
360
361	while (entry) {
362		if (os_reltime_expired(now, &entry->timestamp,
363				       RADIUS_ACL_TIMEOUT)) {
364			wpa_printf(MSG_DEBUG, "Cached ACL entry for " MACSTR
365				   " has expired.", MAC2STR(entry->addr));
366			if (prev)
367				prev->next = entry->next;
368			else
369				hapd->acl_cache = entry->next;
370			hostapd_drv_set_radius_acl_expire(hapd, entry->addr);
371			tmp = entry;
372			entry = entry->next;
373			hostapd_acl_cache_free_entry(tmp);
374			continue;
375		}
376
377		prev = entry;
378		entry = entry->next;
379	}
380}
381
382
383static void hostapd_acl_expire_queries(struct hostapd_data *hapd,
384				       struct os_reltime *now)
385{
386	struct hostapd_acl_query_data *prev, *entry, *tmp;
387
388	prev = NULL;
389	entry = hapd->acl_queries;
390
391	while (entry) {
392		if (os_reltime_expired(now, &entry->timestamp,
393				       RADIUS_ACL_TIMEOUT)) {
394			wpa_printf(MSG_DEBUG, "ACL query for " MACSTR
395				   " has expired.", MAC2STR(entry->addr));
396			if (prev)
397				prev->next = entry->next;
398			else
399				hapd->acl_queries = entry->next;
400
401			tmp = entry;
402			entry = entry->next;
403			hostapd_acl_query_free(tmp);
404			continue;
405		}
406
407		prev = entry;
408		entry = entry->next;
409	}
410}
411
412
413/**
414 * hostapd_acl_expire - ACL cache expiration callback
415 * @hapd: struct hostapd_data *
416 */
417void hostapd_acl_expire(struct hostapd_data *hapd)
418{
419	struct os_reltime now;
420
421	os_get_reltime(&now);
422	hostapd_acl_expire_cache(hapd, &now);
423	hostapd_acl_expire_queries(hapd, &now);
424}
425
426
427static void decode_tunnel_passwords(struct hostapd_data *hapd,
428				    const u8 *shared_secret,
429				    size_t shared_secret_len,
430				    struct radius_msg *msg,
431				    struct radius_msg *req,
432				    struct hostapd_cached_radius_acl *cache)
433{
434	int passphraselen;
435	char *passphrase;
436	size_t i;
437	struct hostapd_sta_wpa_psk_short *psk;
438
439	/*
440	 * Decode all tunnel passwords as PSK and save them into a linked list.
441	 */
442	for (i = 0; ; i++) {
443		passphrase = radius_msg_get_tunnel_password(
444			msg, &passphraselen, shared_secret, shared_secret_len,
445			req, i);
446		/*
447		 * Passphrase is NULL iff there is no i-th Tunnel-Password
448		 * attribute in msg.
449		 */
450		if (passphrase == NULL)
451			break;
452
453		/*
454		 * Passphase should be 8..63 chars (to be hashed with SSID)
455		 * or 64 chars hex string (no separate hashing with SSID).
456		 */
457
458		if (passphraselen < MIN_PASSPHRASE_LEN ||
459		    passphraselen > MAX_PASSPHRASE_LEN + 1)
460			continue;
461
462		/*
463		 * passphrase does not contain the NULL termination.
464		 * Add it here as pbkdf2_sha1() requires it.
465		 */
466		psk = os_zalloc(sizeof(struct hostapd_sta_wpa_psk_short));
467		if (psk) {
468			if ((passphraselen == MAX_PASSPHRASE_LEN + 1) &&
469			    (hexstr2bin(passphrase, psk->psk, PMK_LEN) < 0)) {
470				hostapd_logger(hapd, cache->addr,
471					       HOSTAPD_MODULE_RADIUS,
472					       HOSTAPD_LEVEL_WARNING,
473					       "invalid hex string (%d chars) in Tunnel-Password",
474					       passphraselen);
475				goto skip;
476			} else if (passphraselen <= MAX_PASSPHRASE_LEN) {
477				os_memcpy(psk->passphrase, passphrase,
478					  passphraselen);
479				psk->is_passphrase = 1;
480			}
481			psk->next = cache->psk;
482			cache->psk = psk;
483			psk = NULL;
484		}
485skip:
486		os_free(psk);
487		os_free(passphrase);
488	}
489}
490
491
492/**
493 * hostapd_acl_recv_radius - Process incoming RADIUS Authentication messages
494 * @msg: RADIUS response message
495 * @req: RADIUS request message
496 * @shared_secret: RADIUS shared secret
497 * @shared_secret_len: Length of shared_secret in octets
498 * @data: Context data (struct hostapd_data *)
499 * Returns: RADIUS_RX_PROCESSED if RADIUS message was a reply to ACL query (and
500 * was processed here) or RADIUS_RX_UNKNOWN if not.
501 */
502static RadiusRxResult
503hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
504			const u8 *shared_secret, size_t shared_secret_len,
505			void *data)
506{
507	struct hostapd_data *hapd = data;
508	struct hostapd_acl_query_data *query, *prev;
509	struct hostapd_cached_radius_acl *cache;
510	struct radius_hdr *hdr = radius_msg_get_hdr(msg);
511	int *untagged, *tagged, *notempty;
512
513	query = hapd->acl_queries;
514	prev = NULL;
515	while (query) {
516		if (query->radius_id == hdr->identifier)
517			break;
518		prev = query;
519		query = query->next;
520	}
521	if (query == NULL)
522		return RADIUS_RX_UNKNOWN;
523
524	wpa_printf(MSG_DEBUG, "Found matching Access-Request for RADIUS "
525		   "message (id=%d)", query->radius_id);
526
527	if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) {
528		wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have "
529			   "correct authenticator - dropped\n");
530		return RADIUS_RX_INVALID_AUTHENTICATOR;
531	}
532
533	if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
534	    hdr->code != RADIUS_CODE_ACCESS_REJECT) {
535		wpa_printf(MSG_DEBUG, "Unknown RADIUS message code %d to ACL "
536			   "query", hdr->code);
537		return RADIUS_RX_UNKNOWN;
538	}
539
540	/* Insert Accept/Reject info into ACL cache */
541	cache = os_zalloc(sizeof(*cache));
542	if (cache == NULL) {
543		wpa_printf(MSG_DEBUG, "Failed to add ACL cache entry");
544		goto done;
545	}
546	os_get_reltime(&cache->timestamp);
547	os_memcpy(cache->addr, query->addr, sizeof(cache->addr));
548	if (hdr->code == RADIUS_CODE_ACCESS_ACCEPT) {
549		u8 *buf;
550		size_t len;
551
552		if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT,
553					      &cache->session_timeout) == 0)
554			cache->accepted = HOSTAPD_ACL_ACCEPT_TIMEOUT;
555		else
556			cache->accepted = HOSTAPD_ACL_ACCEPT;
557
558		if (radius_msg_get_attr_int32(
559			    msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL,
560			    &cache->acct_interim_interval) == 0 &&
561		    cache->acct_interim_interval < 60) {
562			wpa_printf(MSG_DEBUG, "Ignored too small "
563				   "Acct-Interim-Interval %d for STA " MACSTR,
564				   cache->acct_interim_interval,
565				   MAC2STR(query->addr));
566			cache->acct_interim_interval = 0;
567		}
568
569		notempty = &cache->vlan_id.notempty;
570		untagged = &cache->vlan_id.untagged;
571		tagged = cache->vlan_id.tagged;
572		*notempty = !!radius_msg_get_vlanid(msg, untagged,
573						    MAX_NUM_TAGGED_VLAN,
574						    tagged);
575
576		decode_tunnel_passwords(hapd, shared_secret, shared_secret_len,
577					msg, req, cache);
578
579		if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME,
580					    &buf, &len, NULL) == 0) {
581			cache->identity = os_zalloc(len + 1);
582			if (cache->identity)
583				os_memcpy(cache->identity, buf, len);
584		}
585		if (radius_msg_get_attr_ptr(
586			    msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
587			    &buf, &len, NULL) == 0) {
588			cache->radius_cui = os_zalloc(len + 1);
589			if (cache->radius_cui)
590				os_memcpy(cache->radius_cui, buf, len);
591		}
592
593		if (hapd->conf->wpa_psk_radius == PSK_RADIUS_REQUIRED &&
594		    !cache->psk)
595			cache->accepted = HOSTAPD_ACL_REJECT;
596
597		if (cache->vlan_id.notempty &&
598		    !hostapd_vlan_valid(hapd->conf->vlan, &cache->vlan_id)) {
599			hostapd_logger(hapd, query->addr,
600				       HOSTAPD_MODULE_RADIUS,
601				       HOSTAPD_LEVEL_INFO,
602				       "Invalid VLAN %d%s received from RADIUS server",
603				       cache->vlan_id.untagged,
604				       cache->vlan_id.tagged[0] ? "+" : "");
605			os_memset(&cache->vlan_id, 0, sizeof(cache->vlan_id));
606		}
607		if (hapd->conf->ssid.dynamic_vlan == DYNAMIC_VLAN_REQUIRED &&
608		    !cache->vlan_id.notempty)
609			cache->accepted = HOSTAPD_ACL_REJECT;
610	} else
611		cache->accepted = HOSTAPD_ACL_REJECT;
612	cache->next = hapd->acl_cache;
613	hapd->acl_cache = cache;
614
615#ifdef CONFIG_DRIVER_RADIUS_ACL
616	hostapd_drv_set_radius_acl_auth(hapd, query->addr, cache->accepted,
617					cache->session_timeout);
618#else /* CONFIG_DRIVER_RADIUS_ACL */
619#ifdef NEED_AP_MLME
620	/* Re-send original authentication frame for 802.11 processing */
621	wpa_printf(MSG_DEBUG, "Re-sending authentication frame after "
622		   "successful RADIUS ACL query");
623	ieee802_11_mgmt(hapd, query->auth_msg, query->auth_msg_len, NULL);
624#endif /* NEED_AP_MLME */
625#endif /* CONFIG_DRIVER_RADIUS_ACL */
626
627 done:
628	if (prev == NULL)
629		hapd->acl_queries = query->next;
630	else
631		prev->next = query->next;
632
633	hostapd_acl_query_free(query);
634
635	return RADIUS_RX_PROCESSED;
636}
637#endif /* CONFIG_NO_RADIUS */
638
639
640/**
641 * hostapd_acl_init: Initialize IEEE 802.11 ACL
642 * @hapd: hostapd BSS data
643 * Returns: 0 on success, -1 on failure
644 */
645int hostapd_acl_init(struct hostapd_data *hapd)
646{
647#ifndef CONFIG_NO_RADIUS
648	if (radius_client_register(hapd->radius, RADIUS_AUTH,
649				   hostapd_acl_recv_radius, hapd))
650		return -1;
651#endif /* CONFIG_NO_RADIUS */
652
653	return 0;
654}
655
656
657/**
658 * hostapd_acl_deinit - Deinitialize IEEE 802.11 ACL
659 * @hapd: hostapd BSS data
660 */
661void hostapd_acl_deinit(struct hostapd_data *hapd)
662{
663	struct hostapd_acl_query_data *query, *prev;
664
665#ifndef CONFIG_NO_RADIUS
666	hostapd_acl_cache_free(hapd->acl_cache);
667#endif /* CONFIG_NO_RADIUS */
668
669	query = hapd->acl_queries;
670	while (query) {
671		prev = query;
672		query = query->next;
673		hostapd_acl_query_free(prev);
674	}
675}
676
677
678void hostapd_free_psk_list(struct hostapd_sta_wpa_psk_short *psk)
679{
680	if (psk && psk->ref) {
681		/* This will be freed when the last reference is dropped. */
682		psk->ref--;
683		return;
684	}
685
686	while (psk) {
687		struct hostapd_sta_wpa_psk_short *prev = psk;
688		psk = psk->next;
689		os_free(prev);
690	}
691}
692