From a49407ad791e513a6ee85c2347a6b89c26743815 Mon Sep 17 00:00:00 2001
From: Vivek Kumar Dutta
Date: Tue, 11 Mar 2025 11:22:48 +0530
Subject: [PATCH 01/17] passwdqc: 2.0.3
---
passwdqc/Makefile | 47 +++++++++++++++++++++++++++++
passwdqc/files/passwdqc.uci_default | 19 ++++++++++++
2 files changed, 66 insertions(+)
create mode 100644 passwdqc/Makefile
create mode 100644 passwdqc/files/passwdqc.uci_default
diff --git a/passwdqc/Makefile b/passwdqc/Makefile
new file mode 100644
index 000000000..a254a16c9
--- /dev/null
+++ b/passwdqc/Makefile
@@ -0,0 +1,47 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=passwdqc
+PKG_VERSION:=2.0.3
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/openwall/passwdqc.git
+PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_MIRROR_HASH:=skip
+
+PKG_LICENSE:=BSD-3
+PKG_LICENSE_FILES:=LICENSE
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/$(PKG_NAME)
+ SECTION:=utils
+ CATEGORY:=Utilities
+ TITLE:=libpam password checking module
+ DEPENDS:=+libpam
+endef
+
+define Package/$(PKG_NAME)/description
+ pam_passwdqc is a simple password strength checking module for
+ PAM-aware password changing programs
+endef
+
+define Build/Compile
+ $(MAKE) -C $(PKG_BUILD_DIR) \
+ CC="$(TARGET_CC)" \
+ LDFLAGS="$(TARGET_LDFLAGS)" \
+ pam_wrapped
+endef
+
+define Package/$(PKG_NAME)/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_BUILD_DIR)/libpasswdqc.so* $(1)/usr/lib/
+
+ $(INSTALL_DIR) $(1)/usr/lib/security
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/pam_passwdqc.so $(1)/usr/lib/security/
+
+ $(INSTALL_DIR) $(1)/etc/uci-defaults/
+ $(INSTALL_BIN) ./files/passwdqc.uci_default $(1)/etc/uci-defaults/99-add_passwdqc_pam
+endef
+
+$(eval $(call BuildPackage,$(PKG_NAME)))
diff --git a/passwdqc/files/passwdqc.uci_default b/passwdqc/files/passwdqc.uci_default
new file mode 100644
index 000000000..40ae2c510
--- /dev/null
+++ b/passwdqc/files/passwdqc.uci_default
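Review bot: `PKG_MIRROR_HASH:=skip` switches off the integrity check on the downloaded source, and `PKG_SOURCE_VERSION:=v$(PKG_VERSION)` resolves a git tag that upstream can move, so nothing in this Makefile fixes what is actually built into a module that sits in the PAM password path. I would pin `PKG_SOURCE_VERSION` to the full commit id behind the 2.0.3 tag and replace `skip` with the hash the build system computes for that tarball, i.e. `PKG_MIRROR_HASH:=<sha256-of-generated-tarball>` (placeholder). The same two lines appear in linux-pam/Makefile in the next patch of this series. `PKG_LICENSE:=BSD-3` is also not an SPDX identifier; the map-agent Makefile in this series writes `BSD-3-Clause`, if that is the licence meant here.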
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+CONFIG_FILE="/etc/pam.d/common-password"
+# for some reason setting to 8 makes passwdqc accept minimum 12 letter password with this configuration
+# if we set it to 12 then we need atleast 16 characters and so on
+# passphrase = 0 means no space separated words
+# rest can be figured out from passwdqc man page
+MODULE_LINE="password requisite pam_passwdqc.so min=disabled,disabled,disabled,disabled,8 max=20 passphrase=0 retry=3 enforce=everyone"
+
+# Ensure the file exists before modifying
+[ -f "$CONFIG_FILE" ] || exit 0
+
+# Check if pam_passwdqc is already in the file
+if ! grep -q "pam_passwdqc.so" "$CONFIG_FILE"; then
+ # Insert before pam_unix.so
+ sed -i "/pam_unix.so/ i\\$MODULE_LINE" "$CONFIG_FILE"
+fi
+
+exit 0
From 2be4eeebb788736e2556b5cc75fea3123c8ae77d Mon Sep 17 00:00:00 2001
From: Vivek Kumar Dutta
Date: Tue, 11 Mar 2025 11:23:45 +0530
Subject: [PATCH 02/17] linux-pam: 1.7.0
---
linux-pam/Makefile | 38 +++++++++++++++++++++
linux-pam/files/pam_faillock.uci_default | 43 ++++++++++++++++++++++++
2 files changed, 81 insertions(+)
create mode 100644 linux-pam/Makefile
create mode 100644 linux-pam/files/pam_faillock.uci_default
diff --git a/linux-pam/Makefile b/linux-pam/Makefile
new file mode 100644
index 000000000..3ab1fc956
--- /dev/null
+++ b/linux-pam/Makefile
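Review bot: The `MODULE_LINE` policy is committed with a comment saying its effect is not understood ("for some reason setting to 8 makes passwdqc accept minimum 12 letter password"), so the rule actually enforced on users is undocumented. As I read the passwdqc man page, `min=disabled,disabled,disabled,disabled,8` rejects every password that does not use four character classes, and a leading capital or trailing digit is not counted towards the classes, which may explain what the author observed; `max=20` with `passphrase=0` additionally rejects anything longer than 20 characters, passphrases included. I would replace the comment with the intended policy in plain words, for example `# policy: four character classes required, 8..20 characters, passphrases disabled`, and reconsider the `max=20` cap. Separately, `sed -i "/pam_unix.so/ i\\$MODULE_LINE"` inserts before every matching line and does nothing when none matches, yet the script still ends with `exit 0`; a `grep -q "pam_passwdqc.so" "$CONFIG_FILE"` check after the edit would make a missed insertion visible.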
@@ -0,0 +1,38 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=linux-pam
+PKG_VERSION:=1.7.0
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/linux-pam/linux-pam.git
+PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_MIRROR_HASH:=skip
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/meson.mk
+
+define Package/linux-pam
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=Linux PAM Module
+ DEPENDS:=+libpam
+endef
+
+MESON_ARGS += \
+ -Dprefix=/usr \
+ -Ddefault_library=shared \
+ -Ddocs=disabled \
+ -Deconf=disabled \
+ -Dselinux=disabled \
+ -Dnis=disabled \
+ -Dexamples=false \
+ -Dxtests=false
+
+define Package/linux-pam/install
+ $(INSTALL_DIR) $(1)/usr/lib/security
+ $(INSTALL_DIR) $(1)/etc/uci-defaults/
+ $(INSTALL_BIN) ./files/pam_faillock.uci_default $(1)/etc/uci-defaults/99-add_pam_faillock
+endef
+
+$(eval $(call BuildPackage,linux-pam))
diff --git a/linux-pam/files/pam_faillock.uci_default b/linux-pam/files/pam_faillock.uci_default
new file mode 100644
index 000000000..45af5dc45
--- /dev/null
+++ b/linux-pam/files/pam_faillock.uci_default
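Review bot: `Package/linux-pam/install` creates `$(1)/usr/lib/security` but copies no module into it; the only payload installed is the `99-add_pam_faillock` uci-defaults script. That script (next file) rewrites the PAM stack only when `/usr/lib/security/pam_faillock.so` exists, so unless the `libpam` dependency already ships that module the lockout is silently never configured, while sshd is still switched to PAM. If the modules built here are meant to be packaged, the recipe needs the copy step, e.g. `$(CP) $(PKG_INSTALL_DIR)/usr/lib/security/pam_faillock.so $(1)/usr/lib/security/` (source path to be confirmed against the meson install layout).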
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+create_faillock_files()
+{
+ # also create files needed by pam_faillock
+ touch /var/log/faillock
+ chmod 700 /var/log/faillock
+ touch /var/log/btmp
+ chmod 700 /var/log/btmp
+}
+
+update_pam_common_auth()
+{
+ local file="/etc/pam.d/common-auth"
+ local deny=6
+ local unlock_time=300
+
+ # update pam_unix.so line
+ sed -i -E 's|^.*pam_unix\.so.*|auth\t sufficient\tpam_unix.so nullok_secure|' "$file"
+
+ # Insert pam_faillock lines before and after pam_unix.so
+ sed -i -E "/pam_unix.so nullok_secure/i auth required pam_faillock.so preauth deny=$deny even_deny_root unlock_time=$unlock_time" "$file"
+ sed -i -E "/pam_unix.so nullok_secure/a auth [default=die] pam_faillock.so authfail audit deny=$deny even_deny_root unlock_time=$unlock_time" "$file"
+}
+
+update_pam_common_account()
+{
+ # update account file
+ sed -i "/pam_unix.so/ i account required pam_faillock.so" /etc/pam.d/common-account
+}
+
+if [ -f "/usr/lib/security/pam_faillock.so" ]; then
+ update_pam_common_auth
+ update_pam_common_account
+ create_faillock_files
+fi
+
+if [ -f /etc/config/sshd ]; then
+ uci -q set sshd.@sshd[0].UsePAM=1
+ uci commit sshd
+fi
+
+exit 0
From 74cbe1062a7e9d51c3b9e5a16fa8c902212257ab Mon Sep 17 00:00:00 2001
From: Suvendhu Hansa
Date: Tue, 11 Mar 2025 07:42:11 +0000
Subject: [PATCH 03/17] gateway-info: Added support for USP events
---
gateway-info/Makefile | 6 +-
.../udhcpc.user.d/udhcpc_gateway_info.user | 115 ++++++++++++------
2 files changed, 82 insertions(+), 39 deletions(-)
diff --git a/gateway-info/Makefile b/gateway-info/Makefile
index 129451be3..6796736dd 100644
--- a/gateway-info/Makefile
+++ b/gateway-info/Makefile
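Review bot: In `update_pam_common_auth` the first `sed` replaces every line that mentions `pam_unix.so` with `auth sufficient pam_unix.so nullok_secure`, which discards whatever control flag and options the image had configured and keeps accounts with an empty password able to authenticate; `nullok_secure` is, as far as I know, a Debian addition, so it is worth confirming that the pam_unix built from 1.7.0 accepts it. Unlike the passwdqc script, the function has no guard against running twice, so a re-run would stack duplicate `pam_faillock.so` lines; `grep -q 'pam_faillock.so' "$file" && return 0` at the top would cover that. `even_deny_root` with `deny=6` means failed attempts from anyone who can reach the login service lock the root account for `unlock_time` seconds, which deserves a comment stating that this is intended on a device where root may be the only account. In `create_faillock_files`, `chmod 700` sets an execute bit that log files do not need; `chmod 600` is the usual mode.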
@@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=gateway-info -PKG_VERSION:=1.0.0 +PKG_VERSION:=1.0.1 LOCAL_DEV:=0 ifneq ($(LOCAL_DEV),1) PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/gateway-info.git -PKG_SOURCE_VERSION:=26e407a25b156da75e3941d54ddd74294cd9eae8 +PKG_SOURCE_VERSION:=b77871a883797db5c9fce232e2d2f183e59c682d PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz PKG_MIRROR_HASH:=skip endif @@ -29,7 +29,7 @@ define Package/gateway-info CATEGORY:=Utilities TITLE:=GatewayInfo Data Model Support DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +umdns - DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service + DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service +iputils-arping endef define Package/gateway-info/description diff --git a/gateway-info/files/etc/udhcpc.user.d/udhcpc_gateway_info.user b/gateway-info/files/etc/udhcpc.user.d/udhcpc_gateway_info.user index f757a9874..f5defa664 100644 --- a/gateway-info/files/etc/udhcpc.user.d/udhcpc_gateway_info.user +++ b/gateway-info/files/etc/udhcpc.user.d/udhcpc_gateway_info.user @@ -243,11 +243,42 @@ get_usp_agent_id() { get_mac_address() { ip="${1}" + device="${2}" mac="$(cat /proc/net/arp | grep $ip | awk '{print $4}')" + if [ -z "${mac}" ]; then + arp_resp="$(arping -b -f -c 5 -I $device $ip | grep 'Unicast reply from' | awk '{print $5}')" + if [ -n "${arp_resp}" ]; then + mac=${arp_resp:1:-1} + fi + fi + echo "${mac}" } +send_unknown_gw_event() { + mac="${1}" + + cmd="ubus -t 5 send gateway-info.gateway.unknown '{\"hwaddr\":\"$mac\"}'" + eval $cmd +} + +send_cwmp_gw_event() { + oui="${1}" + class="${2}" + serial="${3}" + + cmd="ubus -t 5 send gateway-info.gateway.cwmp '{\"oui\":\"$oui\",\"class\":\"$class\",\"serial\":\"$serial\"}'" + eval $cmd +} + +send_usp_gw_event() { + endpoint="${1}" + + cmd="ubus -t 5 send gateway-info.gateway.usp '{\"endpoint\":\"$endpoint\"}'" + eval $cmd +} + config_load gateway config_get wan_intf global wan_interface "wan" 
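Review bot: The three new `send_*_gw_event` helpers build a command string from their arguments and run it with `eval $cmd`, so the shell parses those values a second time; `oui`, `class` and `serial` appear to be parsed from DHCP option 125 and `endpoint` from the mDNS answer, i.e. from the network, and a value containing shell metacharacters would be executed in the DHCP hook rather than sent as data. Dropping `eval` and letting jshn build the JSON removes both the second parse and the hand-written escaping; the callers are in the later hunk of this file. `json_init` resets the jshn state, so the helpers must only be called after the script has finished reading the `ifstatus` document, which holds for the calls visible in this patch. In `get_mac_address`, `grep $ip` is unquoted and matches substrings of other addresses, so `grep -wF -- "$ip"` and quoted `"$device" "$ip"` for `arping` would be safer.

```shell
send_unknown_gw_event() {
	json_init
	json_add_string hwaddr "${1}"
	ubus -t 5 send gateway-info.gateway.unknown "$(json_dump)"
}

send_cwmp_gw_event() {
	json_init
	json_add_string oui "${1}"
	json_add_string class "${2}"
	json_add_string serial "${3}"
	ubus -t 5 send gateway-info.gateway.cwmp "$(json_dump)"
}

send_usp_gw_event() {
	json_init
	json_add_string endpoint "${1}"
	ubus -t 5 send gateway-info.gateway.usp "$(json_dump)"
}
```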
@@ -257,39 +288,6 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then return 0 fi - if [ -z "$opt125" ]; then - return 0 - fi - - len=$(printf "$opt125"|wc -c) - get_vivsoi "$opt125" "$len" - - if [ "${GW_DISCOVERED}" -eq 0 ]; then - return 0 - fi - - mkdir -p /var/state - touch /var/state/gwinfo - sec=$(uci -q -c /var/state get gwinfo.gatewayinfo) - if [ -z "${sec}" ]; then - sec=$(uci -q -c /var/state add gwinfo gatewayinfo) - uci -q -c /var/state rename gwinfo."${sec}"="gatewayinfo" - fi - - uci -q -c /var/state set gwinfo.gatewayinfo.hwaddr="" - uci -q -c /var/state set gwinfo.gatewayinfo.endpoint="" - uci -q -c /var/state set gwinfo.gatewayinfo.class="$CLASS" - uci -q -c /var/state set gwinfo.gatewayinfo.oui="$OUI" - uci -q -c /var/state set gwinfo.gatewayinfo.serial="$SERIAL" - uci -q -c /var/state set gwinfo.gatewayinfo.proto="CWMP" - uci -q -c /var/state commit gwinfo - - # Check for USP parameters - ubus -t 15 wait_for umdns - if [ "${?}" -ne 0 ]; then - return 0 - fi - json_load "$(ifstatus ${INTERFACE})" json_get_var dev_name device "" json_select data 
@@ -300,20 +298,65 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then return 0 fi + MAC="$(get_mac_address $dhcp_ip $dev_name)" + + mkdir -p /var/state + touch /var/state/gwinfo + sec=$(uci -q -c /var/state get gwinfo.gatewayinfo) + if [ -z "${sec}" ]; then + sec=$(uci -q -c /var/state add gwinfo gatewayinfo) + uci -q -c /var/state rename gwinfo."${sec}"="gatewayinfo" + fi + + uci -q -c /var/state set gwinfo.gatewayinfo.hwaddr="$MAC" + uci -q -c /var/state set gwinfo.gatewayinfo.endpoint="" + uci -q -c /var/state set gwinfo.gatewayinfo.class="" + uci -q -c /var/state set gwinfo.gatewayinfo.oui="" + uci -q -c /var/state set gwinfo.gatewayinfo.serial="" + uci -q -c /var/state set gwinfo.gatewayinfo.proto="" + uci -q -c /var/state commit gwinfo + + if [ -z "$opt125" ]; then + send_unknown_gw_event "${MAC}" + return 0 + fi + + len=$(printf "$opt125"|wc -c) + get_vivsoi "$opt125" "$len" + + if [ "${GW_DISCOVERED}" -eq 0 ]; then + send_unknown_gw_event "${MAC}" + return 0 + fi + + uci -q -c /var/state set gwinfo.gatewayinfo.class="$CLASS" + uci -q -c /var/state set gwinfo.gatewayinfo.oui="$OUI" + uci -q -c /var/state set gwinfo.gatewayinfo.serial="$SERIAL" + uci -q -c /var/state set gwinfo.gatewayinfo.proto="CWMP" + uci -q -c /var/state commit gwinfo + + # Check for USP parameters + ubus -t 15 wait_for umdns + if [ "${?}" -ne 0 ]; then + send_cwmp_gw_event "${OUI}" "${CLASS}" "${SERIAL}" + return 0 + fi + resp=$(send_host_query $dev_name) if [ "${resp}" -ne 0 ]; then + send_cwmp_gw_event "${OUI}" "${CLASS}" "${SERIAL}" return 0 fi ID="$(get_usp_agent_id $dhcp_ip)" if [ -z "${ID}" ]; then + send_cwmp_gw_event "${OUI}" "${CLASS}" "${SERIAL}" return 0 fi - MAC="$(get_mac_address $dhcp_ip)" - - uci -q -c /var/state set gwinfo.gatewayinfo.hwaddr="$MAC" uci -q -c /var/state set gwinfo.gatewayinfo.endpoint="$ID" uci -q -c /var/state set gwinfo.gatewayinfo.proto="USP" uci -q -c /var/state commit gwinfo + + send_usp_gw_event "${ID}" fi 
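Review bot: `len=$(printf "$opt125"|wc -c)` passes the DHCP option value to printf as the format string, so any `%` or backslash sequence in it is interpreted instead of counted; `len=${#opt125}` or `len=$(printf '%s' "$opt125" | wc -c)` gives the length without interpreting the data. The line is moved rather than new, but it now sits on the path that decides between the `unknown` and `cwmp` events. `MAC="$(get_mac_address $dhcp_ip $dev_name)"` should quote both arguments as well, `"$(get_mac_address "$dhcp_ip" "$dev_name")"`. The enclosing `if` block starts outside this hunk.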
From b6212b90d8054e10b4624afa20349feb8cc4a9f8 Mon Sep 17 00:00:00 2001 From: Vivek Kumar Dutta Date: Mon, 10 Mar 2025 11:54:40 +0530 Subject: [PATCH 04/17] owsd: Updated uci-default script --- owsd/uproxy-files/etc/uci-defaults/60-owsd-ubusproxy | 3 --- 1 file changed, 3 deletions(-) diff --git a/owsd/uproxy-files/etc/uci-defaults/60-owsd-ubusproxy b/owsd/uproxy-files/etc/uci-defaults/60-owsd-ubusproxy index a4ac0c6e9..3514d44fe 100644 --- a/owsd/uproxy-files/etc/uci-defaults/60-owsd-ubusproxy +++ b/owsd/uproxy-files/etc/uci-defaults/60-owsd-ubusproxy @@ -8,7 +8,6 @@ uci set owsd.ubusproxy.enable="1" uci set owsd.ubusproxy.peer_key="/etc/ubusx/ubusx_demo_only.key" uci set owsd.ubusproxy.peer_cert="/etc/ubusx/ubusx_demo_only.crt" uci set owsd.ubusproxy.peer_ca="/etc/ubusx/ubusxDemoCA.crt" -uci commit owsd # do not create wan_https section if it exists already [ "$(uci -q get owsd.wan_https)" == "owsd-listen" ] && exit 0 @@ -25,5 +24,3 @@ uci set owsd.wan_https.ca="/etc/ubusx/ubusxDemoCA.crt" uci set owsd.wan_https.whitelist_interface_as_origin="1" uci del_list owsd.wan_https.origin="*" uci add_list owsd.wan_https.origin="*" -uci commit owsd - From 7f17359913809b80f5263b96781a93da95ed2fc4 Mon Sep 17 00:00:00 2001 From: Vivek Dutta Date: Tue, 11 Mar 2025 08:59:28 +0000 Subject: [PATCH 05/17] libvoice-airoha: Updated uci-default script Uci default script should not commit the uci, as its committed by its handler/runner latter on, this is required to avoid race conditions. --- libvoice-airoha/files/etc/uci-defaults/991-libvoice-airoha | 1 - 1 file changed, 1 deletion(-) diff --git a/libvoice-airoha/files/etc/uci-defaults/991-libvoice-airoha b/libvoice-airoha/files/etc/uci-defaults/991-libvoice-airoha index cf9e29e70..68c931340 100644 --- a/libvoice-airoha/files/etc/uci-defaults/991-libvoice-airoha +++ b/libvoice-airoha/files/etc/uci-defaults/991-libvoice-airoha 
@@ -14,4 +14,3 @@ for p in $(seq 0 $((ports-1))); do uci set asterisk.extension${p}.txgain='10' uci set asterisk.extension${p}.rxgain='-15' done -uci commit asterisk From 67c4a3c317e890e86cfbcd498db1958ba94dec3b Mon Sep 17 00:00:00 2001 From: Jakob Olsson Date: Tue, 11 Mar 2025 10:37:38 +0100 Subject: [PATCH 06/17] map-agent: 6.3.3.5 --- map-agent/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/map-agent/Makefile b/map-agent/Makefile index 122c61525..ca1731059 100644 --- a/map-agent/Makefile +++ b/map-agent/Makefile @@ -5,9 +5,9 @@ include $(TOPDIR)/rules.mk PKG_NAME:=map-agent -PKG_VERSION:=6.3.3.4 +PKG_VERSION:=6.3.3.5 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) -PKG_SOURCE_VERSION:=5216fab84585fd1bd9d25b5b1eea151aeb79071d +PKG_SOURCE_VERSION:=783e0b663bcb26bfbba1c95fb0a4517811c05076 PKG_MAINTAINER:=Jakob Olsson PKG_LICENSE:=BSD-3-Clause From 1c77fb2e76bba9065c2c346733c1e1a7e54fc1c1 Mon Sep 17 00:00:00 2001 From: Janusz Dziedzic Date: Tue, 11 Mar 2025 12:47:05 +0000 Subject: [PATCH 07/17] libwifi: 7.10.5 --- libwifi/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libwifi/Makefile b/libwifi/Makefile index c9e467f22..254309efc 100644 --- a/libwifi/Makefile +++ b/libwifi/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libwifi -PKG_VERSION:=7.10.4 +PKG_VERSION:=7.10.5 LOCAL_DEV=0 ifneq ($(LOCAL_DEV),1) PKG_SOURCE_PROTO:=git -PKG_SOURCE_VERSION:=853b68af7aa86ec6598bd6940cc4d281b631e6de +PKG_SOURCE_VERSION:=e904617a41d8dde97ac5434df670fa806ea48f4f PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/libwifi.git PKG_MAINTAINER:=Anjan Chanda PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz From 97830621a6ac095cce247da22b8e1d30696f7e7e Mon Sep 17 00:00:00 2001 From: Janusz Dziedzic Date: Tue, 11 Mar 2025 13:51:51 +0000 Subject: [PATCH 08/17] wifimngr: 17.5.9 --- wifimngr/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/wifimngr/Makefile b/wifimngr/Makefile index ceec77cde..942c584a1 100644 --- a/wifimngr/Makefile +++ b/wifimngr/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wifimngr -PKG_VERSION:=17.5.8 +PKG_VERSION:=17.5.9 LOCAL_DEV=0 ifneq ($(LOCAL_DEV),1) PKG_SOURCE_PROTO:=git -PKG_SOURCE_VERSION:=d06375af320eb0f3a75946d450a01e68bac3ed7b +PKG_SOURCE_VERSION:=dca2859f6bb2c0ba68dff996d693d00a4a21bdf0 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/wifimngr.git PKG_MAINTAINER:=Anjan Chanda PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz From 9a7ff0bbf20c09e478ced2a15abc64dd536644fe Mon Sep 17 00:00:00 2001 From: Jakob Olsson Date: Tue, 11 Mar 2025 15:27:25 +0100 Subject: [PATCH 09/17] map-agent: 6.3.3.6 --- map-agent/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/map-agent/Makefile b/map-agent/Makefile index ca1731059..497f39258 100644 --- a/map-agent/Makefile +++ b/map-agent/Makefile @@ -5,9 +5,9 @@ include $(TOPDIR)/rules.mk PKG_NAME:=map-agent -PKG_VERSION:=6.3.3.5 +PKG_VERSION:=6.3.3.6 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) -PKG_SOURCE_VERSION:=783e0b663bcb26bfbba1c95fb0a4517811c05076 +PKG_SOURCE_VERSION:=0d084ae70917e109c9e929464b170521e0547c3c PKG_MAINTAINER:=Jakob Olsson PKG_LICENSE:=BSD-3-Clause From e945226956f45b3c72f5b7feedb6b1a71e30eb16 Mon Sep 17 00:00:00 2001 From: Marina Maslova Date: Tue, 11 Mar 2025 20:22:24 +0400 Subject: [PATCH 10/17] libwifi: 7.10.6 --- libwifi/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libwifi/Makefile b/libwifi/Makefile index 254309efc..ef2a05df5 100644 --- a/libwifi/Makefile +++ b/libwifi/Makefile 
@@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libwifi -PKG_VERSION:=7.10.5 +PKG_VERSION:=7.10.6 LOCAL_DEV=0 ifneq ($(LOCAL_DEV),1) PKG_SOURCE_PROTO:=git -PKG_SOURCE_VERSION:=e904617a41d8dde97ac5434df670fa806ea48f4f +PKG_SOURCE_VERSION:=2b76a71eb99f41523ad86592e7efefa0a3682bba PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/libwifi.git PKG_MAINTAINER:=Anjan Chanda PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)_$(PKG_SOURCE_VERSION).tar.xz From f2d4b6ff7d2f156509370f1ae6d442b32fb34f17 Mon Sep 17 00:00:00 2001 From: Suvendhu Hansa Date: Wed, 12 Mar 2025 03:35:28 +0000 Subject: [PATCH 11/17] obuspa: Support to DHCP on-boarding via Option 125 --- obuspa/Makefile | 1 + .../etc/uci-defaults/94-obuspa_set_credential | 29 +++++++++++++++++++ .../udhcpc.user.d/udhcpc_obuspa_opt125.user | 11 +++++++ 3 files changed, 41 insertions(+) create mode 100644 obuspa/files/etc/uci-defaults/94-obuspa_set_credential diff --git a/obuspa/Makefile b/obuspa/Makefile index 26b6a0312..26ccc03cd 100644 --- a/obuspa/Makefile +++ b/obuspa/Makefile @@ -133,6 +133,7 @@ define Package/obuspa/install $(INSTALL_BIN) ./files/etc/uci-defaults/obuspa-set-dhcp-option $(1)/etc/uci-defaults/ $(INSTALL_BIN) ./files/etc/uci-defaults/92-obuspa_firewall $(1)/etc/uci-defaults/ $(INSTALL_BIN) ./files/etc/uci-defaults/93-obuspa_mdns_adv $(1)/etc/uci-defaults/ + $(INSTALL_BIN) ./files/etc/uci-defaults/94-obuspa_set_credential $(1)/etc/uci-defaults/ $(INSTALL_BIN) ./files/etc/firewall.usp $(1)/etc/ $(INSTALL_BIN) ./files/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user $(1)/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user ifeq ($(CONFIG_OBUSPA_CWMP_DATAMODEL_SUPPORT),y) diff --git a/obuspa/files/etc/uci-defaults/94-obuspa_set_credential b/obuspa/files/etc/uci-defaults/94-obuspa_set_credential new file mode 100644 index 000000000..9f8dd3752 --- /dev/null +++ b/obuspa/files/etc/uci-defaults/94-obuspa_set_credential 
@@ -0,0 +1,29 @@ +#!/bin/sh + +. /lib/functions.sh + +# Get Manufacturer OUI. +oui=$(db -q get device.deviceinfo.ManufacturerOUI) +oui=$(echo "${oui}" | tr 'a-f' 'A-F') + +# Get system serial number. +serial=$(db -q get device.deviceinfo.SerialNumber) + +username="${oui}-${serial}" +password="iopsys" + +# Get userid values +config_load obuspa +config_get user global username "" +config_get pass global password "" + +# Only set if they are empty or not same +if [ -z "${user}" ] || [ "${user}" != "${username}" ]; then + uci -q set obuspa.global.username="${username}" +fi + +if [ -z "${pass}" ] || [ "${pass}" != "${password}" ]; then + uci -q set obuspa.global.password="${password}" +fi + +# No need for commit here, it is done by uci_apply_defaults(). diff --git a/obuspa/files/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user b/obuspa/files/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user index 95ae36c46..bafda3998 100644 --- a/obuspa/files/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user +++ b/obuspa/files/etc/udhcpc.user.d/udhcpc_obuspa_opt125.user @@ -391,10 +391,15 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then uci_change=1 else if [ -z "${dhcp_mqtt}" ]; then + user="$(uci -q get obuspa.global.username)" + pass="$(uci -q get obuspa.global.password)" + sec=$(uci -q add obuspa mqtt) uci -q rename obuspa."${sec}"='dhcpmqtt' dhcp_mqtt="dhcpmqtt" uci -q set obuspa.$dhcp_mqtt.Enable='1' + uci -q set obuspa.$dhcp_mqtt.Username="${user}" + uci -q set obuspa.$dhcp_mqtt.Password="${pass}" fi uci -q set obuspa.$dhcp_mqtt.BrokerAddress="${ip}" @@ -476,6 +481,9 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then if [ -n "${offered_proto}" ]; then if [ "${offered_proto}" == "MQTT" ]; then + user="$(uci -q get obuspa.global.username)" + pass="$(uci -q get obuspa.global.password)" + uci -q set obuspa.dhcpcontroller.Topic="${topic}" uci -q set obuspa.dhcpcontroller.mqtt='dhcpmqtt' 
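Review bot: `password="iopsys"` gives every device the same hard-coded credential, and the second `if` writes it back whenever the stored value differs, so a password changed by the operator is reset to the default each time this script runs. With `username` built from the manufacturer OUI and the serial number, both halves of the credential are predictable to anyone who knows the device identity. I would not ship a fixed secret: take the password from per-device provisioning data or generate it on first boot, and fill it in only when nothing is configured, `if [ -z "${pass}" ]; then`. If a shared default is unavoidable for now, a comment next to the assignment should state that it must be replaced during provisioning.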
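Review bot: The added `Username`/`Password` assignments copy the global credential into the MQTT client section whose `BrokerAddress` is taken from the DHCP offer, so the device presents that credential to whichever broker the DHCP server names; the same lines are added for `obuspa.dhcpmqtt` in the two later hunks of this file. `TransportProtocol` is set from `${mtp_encrypt}` in the context of the last hunk, and if that value also comes from the offer the credential may be sent without TLS. I would attach the credential only when the transport is encrypted and document it with a comment such as `# credentials are only attached to TLS brokers; a DHCP-supplied plain-TCP broker gets none`. The surrounding `if` blocks start and end outside these hunks.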
@@ -486,6 +494,9 @@ if [ "${wan_intf}" == "${INTERFACE}" ]; then uci -q set obuspa.dhcpmqtt.TransportProtocol="${mtp_encrypt}" uci -q set obuspa.dhcpmqtt.Enable='1' uci -q set obuspa.dhcpmqtt.ProtocolVersion='5.0' + uci -q set obuspa.dhcpmqtt.Username="${user}" + uci -q set obuspa.dhcpmqtt.Password="${pass}" + agent_topic=$(get_agent_topic) sec=$(uci -q add obuspa mtp) From 63c27601e53b2e3c6761f238a6c38815a4a5cda3 Mon Sep 17 00:00:00 2001 From: Vivek Kumar Dutta Date: Wed, 12 Mar 2025 09:10:59 +0530 Subject: [PATCH 12/17] gateway-info: documentation and CI pipeline --- gateway-info/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gateway-info/Makefile b/gateway-info/Makefile index 6796736dd..b6bd92a4a 100644 --- a/gateway-info/Makefile +++ b/gateway-info/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=gateway-info -PKG_VERSION:=1.0.1 +PKG_VERSION:=1.0.2 LOCAL_DEV:=0 ifneq ($(LOCAL_DEV),1) PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/gateway-info.git -PKG_SOURCE_VERSION:=b77871a883797db5c9fce232e2d2f183e59c682d +PKG_SOURCE_VERSION:=dd15893a8291e556a8c49ff9e143c763db0379b5 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz PKG_MIRROR_HASH:=skip endif From 32ab2eb2ccfe507780dfc35f5c53e059e0da23af Mon Sep 17 00:00:00 2001 From: Amin Ben Romdhane Date: Tue, 11 Mar 2025 09:30:31 +0100 Subject: [PATCH 13/17] self-diagnostics: 1.0.14 --- self-diagnostics/Makefile | 2 +- .../share/self-diagnostics/spec/multiap.json | 2 +- .../share/self-diagnostics/spec/network.json | 14 +++++ .../share/self-diagnostics/spec/system.json | 14 +++++ .../share/self-diagnostics/spec/trx69.json | 60 ++++++++++++++++++- 5 files changed, 89 insertions(+), 3 deletions(-) diff --git a/self-diagnostics/Makefile b/self-diagnostics/Makefile index 2fa869253..969cfede7 100644 --- a/self-diagnostics/Makefile +++ b/self-diagnostics/Makefile 
@@ -1,7 +1,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=self-diagnostics -PKG_VERSION:=1.0.13 +PKG_VERSION:=1.0.14 PKG_RELEASE:=1 PKG_LICENSE:=GPL-2.0-only diff --git a/self-diagnostics/files/usr/share/self-diagnostics/spec/multiap.json b/self-diagnostics/files/usr/share/self-diagnostics/spec/multiap.json index 0f070c689..1a26b2690 100644 --- a/self-diagnostics/files/usr/share/self-diagnostics/spec/multiap.json +++ b/self-diagnostics/files/usr/share/self-diagnostics/spec/multiap.json @@ -65,7 +65,7 @@ }, { "description": "Data Elements Dump", - "cmd": "ubus call wifi.dataelements.collector refresh; sleep 2; ubus call wifi.dataelements.collector dump2" + "cmd": "ubus call wifi.dataelements refresh; sleep 2; ubus call wifi.dataelements dump" } ] } diff --git a/self-diagnostics/files/usr/share/self-diagnostics/spec/network.json b/self-diagnostics/files/usr/share/self-diagnostics/spec/network.json index 61953d080..e0bfaf822 100644 --- a/self-diagnostics/files/usr/share/self-diagnostics/spec/network.json +++ b/self-diagnostics/files/usr/share/self-diagnostics/spec/network.json @@ -80,6 +80,20 @@ { "description": "IGMP Snooping Table", "cmd": "ubus call mcast stats" + }, + { + "description": "DHCP Leases", + "cmd": "cat /tmp/dhcp.leases" + }, + { + "description": "DHCP Leases Options", + "cmd": "cat /tmp/dhcp.client.options", + "dependency": [ + { + "type": "file", + "file": "/tmp/dhcp.client.options" + } + ] } ] } diff --git a/self-diagnostics/files/usr/share/self-diagnostics/spec/system.json b/self-diagnostics/files/usr/share/self-diagnostics/spec/system.json index cf4933408..6faa36803 100644 --- a/self-diagnostics/files/usr/share/self-diagnostics/spec/system.json +++ b/self-diagnostics/files/usr/share/self-diagnostics/spec/system.json 
@@ -5,6 +5,16 @@ "description": "Firmware banks", "cmd": "ubus call fwbank dump" }, + { + "description": "Firmware banks via script", + "cmd": "/etc/sysmngr/fwbank call dump", + "dependency": [ + { + "type": "file", + "file": "/etc/sysmngr/fwbank" + } + ] + }, { "description": "System Info", "cmd": "ubus call system info" @@ -62,6 +72,10 @@ "dependency" : { "file": "/usr/sbin/ubinfo" } + }, + { + "description": "NTP Status", + "cmd": "ntpq -c 'rv 0 stratum'" } ] } diff --git a/self-diagnostics/files/usr/share/self-diagnostics/spec/trx69.json b/self-diagnostics/files/usr/share/self-diagnostics/spec/trx69.json index 9c787fc7b..5254050d1 100644 --- a/self-diagnostics/files/usr/share/self-diagnostics/spec/trx69.json +++ b/self-diagnostics/files/usr/share/self-diagnostics/spec/trx69.json @@ -7,13 +7,17 @@ } ], "exec" : [ + { + "description": "Datamodel UCI save list", + "cmd": "ls -laR /tmp/bbfdm/" + }, { "description": "Datamodel microservices", "cmd": "ubus call service list '{\"name\":\"bbfdm.services\"}'" }, { "description": "Datamodel microservices registration", - "cmd": "ubus call bbfdm service" + "cmd": "ubus call bbfdm services" }, { "description": "Datamodel plugins and services list", 
@@ -31,10 +35,64 @@ "description": "TR-181 Parameters via CWMP", "cmd": "icwmpd -c get Device." }, + { + "description": "TR-069 Internal Configs list", + "cmd": "ls -R /etc/icwmpd/" + }, { "description": "TR-069 status", "cmd": "ubus call tr069 status" }, + { + "description": "TR-069 Backup Session", + "cmd": "cat /etc/icwmpd/icwmpd_backup_session.xml", + "dependency": [ + { + "type": "file", + "file": "/etc/icwmpd/icwmpd_backup_session.xml" + } + ] + }, + { + "description": "TR-069 Temporary Config", + "cmd": "cat /var/state/icwmp", + "dependency": [ + { + "type": "file", + "file": "/var/state/icwmp" + } + ] + }, + { + "description": "TR-069 Internal Config", + "cmd": "cat /etc/icwmpd/cwmp", + "dependency": [ + { + "type": "file", + "file": "/etc/icwmpd/cwmp" + } + ] + }, + { + "description": "TR-069 Force Inform Parameters", + "cmd": "cat /etc/icwmpd/force_inform.json", + "dependency": [ + { + "type": "file", + "file": "/etc/icwmpd/force_inform.json" + } + ] + }, + { + "description": "TR-069 Obj/Param with Notification", + "cmd": "cat /etc/icwmpd/cwmp_notifications", + "dependency": [ + { + "type": "file", + "file": "/etc/icwmpd/cwmp_notifications" + } + ] + }, { "description": "TR-069 Logs", "cmd": "cat /var/log/icwmpd.log", From 9598258993f0f57d93dc4745ae05d4235024ed5b Mon Sep 17 00:00:00 2001 From: Vivek Kumar Dutta Date: Wed, 12 Mar 2025 11:24:18 +0530 Subject: [PATCH 14/17] usermngr: Remove ash from SupportedShell --- usermngr/Makefile | 2 +- usermngr/files/etc/uci-defaults/91-sync-shells | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/usermngr/Makefile b/usermngr/Makefile index ed2816771..0bb1048ba 100644 --- a/usermngr/Makefile +++ b/usermngr/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=usermngr -PKG_VERSION:=1.3.4 +PKG_VERSION:=1.3.5 LOCAL_DEV:=0 ifneq ($(LOCAL_DEV),1) diff --git a/usermngr/files/etc/uci-defaults/91-sync-shells b/usermngr/files/etc/uci-defaults/91-sync-shells index cc5c3f958..489e420fe 100644 
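Review bot: The new entries `cat /etc/icwmpd/cwmp`, `cat /var/state/icwmp` and `cat /etc/icwmpd/icwmpd_backup_session.xml` put the raw CWMP client configuration and session state into the diagnostics report; if those files hold the ACS or connection-request credentials, as CWMP client configuration commonly does, every report that leaves the device carries them. I would either drop these three entries or run them through a filter that masks secret options before collection, and say in each `description` that the output is redacted. The `exec` array starts and ends outside this hunk.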
--- a/usermngr/files/etc/uci-defaults/91-sync-shells +++ b/usermngr/files/etc/uci-defaults/91-sync-shells @@ -6,6 +6,10 @@ add_system_shells() { system_shells=$(cat /etc/shells) for line in $system_shells do + if [ "${line}" = "/bin/ash" ]; then + continue + fi + shell_name=$(basename "${line}") # Add the shell in UCI if not exists sec=$(uci -q show users | grep -E "^users\.@shell\[[0-9]+\]\.name=\'$shell_name\'$") @@ -60,3 +64,8 @@ remove_shell() { config_load users add_system_shells config_foreach remove_shell shell + +# Remove ash +uci -q delete users.shell_ash + +exit 0 From ba3b00c78461395aa9d986765ede43a57f71b8e0 Mon Sep 17 00:00:00 2001 From: Meng Date: Tue, 4 Feb 2025 06:15:54 +0100 Subject: [PATCH 15/17] obuspa: Support ControllerTrust.SecuredRoles Patch for the obuspa: - Add DM_SECURE flag in usp_api.h. - Register Device.LocalAgent.ControllerTrust.SecuredRoles with Validate_SecuredRoles(). - Implement DEVICE_CTRUST_IsControllerSecured() to check controller trust. - Update DATA_MODEL_GetParameterValue() and group_get_vector functions to return an empty string for secure parameters when the controller is not secured. Updated usp_utils.sh to to add SecuredRole from role ACL files --- obuspa/Makefile | 4 +- obuspa/files/etc/obuspa/usp_utils.sh | 38 +- obuspa/patches/0005-CTrust-SecureRoles.patch | 562 +++++++++++++++++++ 3 files changed, 600 insertions(+), 4 deletions(-) create mode 100644 obuspa/patches/0005-CTrust-SecureRoles.patch diff --git a/obuspa/Makefile b/obuspa/Makefile index 26ccc03cd..384b01405 100644 --- a/obuspa/Makefile +++ b/obuspa/Makefile 
@@ -5,13 +5,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=obuspa -PKG_VERSION:=9.0.4.11 +PKG_VERSION:=9.0.4.12 LOCAL_DEV:=0 ifneq ($(LOCAL_DEV),1) PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/obuspa.git -PKG_SOURCE_VERSION:=79e066a3997b46ea3bcc48c4589c5a4c4cb05630 +PKG_SOURCE_VERSION:=9bd0c3c895cbcf34b922329c55a8262180b1fa86 PKG_MAINTAINER:=Vivek Dutta PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz PKG_MIRROR_HASH:=skip diff --git a/obuspa/files/etc/obuspa/usp_utils.sh b/obuspa/files/etc/obuspa/usp_utils.sh index c32837015..b5c0c2ffe 100755 --- a/obuspa/files/etc/obuspa/usp_utils.sh +++ b/obuspa/files/etc/obuspa/usp_utils.sh @@ -3,6 +3,7 @@ CTRUST_RESET_FILE="/tmp/obuspa/ctrust_reset" VENDOR_PREFIX_FILE="/etc/obuspa/vendor_prefix" FW_DEFAULT_ROLE_DIR="/etc/users/roles" +SECURE_ROLES="" mkdir -p /tmp/obuspa/ @@ -145,7 +146,7 @@ configure_permission() configure_roles() { - local rinst rname + local rinst rname is_secure if [ "$#" -ne 2 ]; then echo "Illegal number of parameters" @@ -154,6 +155,7 @@ configure_roles() json_select $2 json_get_var rname name + json_get_var is_secure secure_role if [ "${rname}" = "full_access" ]; then rinst=1 @@ -167,13 +169,21 @@ configure_roles() db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Enable 1 db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Name ${rname} + if [ "${is_secure}" = "1" ] || [ "${is_secure}" = "true" ]; then + if [ -z "${SECURE_ROLES}" ]; then + SECURE_ROLES="Device.LocalAgent.ControllerTrust.Role.${rinst}" + else + SECURE_ROLES="${SECURE_ROLES},Device.LocalAgent.ControllerTrust.Role.${rinst}" + fi + fi + json_for_each_item configure_permission permission "${name}" ${rinst} json_select .. } configure_roles_dir() { - local rinst rname + local rinst rname is_secure if [ "$#" -ne 1 ]; then echo "Illegal number of parameters" 
@@ -195,11 +205,28 @@ configure_roles_dir() return 0 fi fi + json_get_var is_secure secure_role db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Alias cpe-${rinst} db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Enable 1 db_add Device.LocalAgent.ControllerTrust.Role.${rinst}.Name ${rname} + if [ "${is_secure}" = "1" ] || [ "${is_secure}" = "true" ]; then + if [ -z "${SECURE_ROLES}" ]; then + SECURE_ROLES="Device.LocalAgent.ControllerTrust.Role.${rinst}" + else + SECURE_ROLES="${SECURE_ROLES},Device.LocalAgent.ControllerTrust.Role.${rinst}" + fi + fi + + if [ "${is_secure}" = "1" ] || [ "${is_secure}" = "true" ]; then + if [ -z "${SECURE_ROLES}" ]; then + SECURE_ROLES="Device.LocalAgent.ControllerTrust.Role.${rinst}" + else + SECURE_ROLES="${SECURE_ROLES},Device.LocalAgent.ControllerTrust.Role.${rinst}" + fi + fi + json_for_each_item configure_permission permission "${name}" "$((rinst))" json_select .. } @@ -214,6 +241,8 @@ configure_ctrust_role() fi mkdir -p /tmp/obuspa/ + SECURE_ROLES="" + if [ -f "${1}" ]; then json_init json_load_file "${1}" @@ -227,6 +256,11 @@ configure_ctrust_role() configure_roles_dir "${f/.json/}" done fi + + if [ -n "${SECURE_ROLES}" ]; then + db_add Device.LocalAgent.ControllerTrust.SecuredRoles "${SECURE_ROLES}" + fi } # configure_ctrust_role "${@}" + diff --git a/obuspa/patches/0005-CTrust-SecureRoles.patch b/obuspa/patches/0005-CTrust-SecureRoles.patch new file mode 100644 index 000000000..c49e18b52 --- /dev/null +++ b/obuspa/patches/0005-CTrust-SecureRoles.patch 
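Review bot: In `configure_roles_dir` the block that appends the role to `SECURE_ROLES` is added twice in a row, so a role marked `secure_role` is listed twice in the value later written to `Device.LocalAgent.ControllerTrust.SecuredRoles`. Delete the second copy; since `configure_roles` carries the same block, a small helper called from both, e.g. `append_secure_role "${rinst}"`, would keep the two from drifting apart. Going by the commit message, controllers whose role is not in that list receive empty values for secured parameters, so a comment on the `json_get_var is_secure secure_role` line should state that a missing or misspelt `secure_role` key leaves the role out of the secured set. Both functions begin outside the hunks shown.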
@@ -0,0 +1,562 @@ +Index: obuspa-9.0.4.3/src/core/data_model.c +=================================================================== +--- obuspa-9.0.4.3.orig/src/core/data_model.c ++++ obuspa-9.0.4.3/src/core/data_model.c +@@ -57,6 +57,7 @@ + #include "iso8601.h" + #include "group_get_vector.h" + #include "plugin.h" ++#include "device_ctrust.h" + + #ifdef ENABLE_COAP + #include "usp_coap.h" +@@ -507,6 +508,14 @@ int DATA_MODEL_GetParameterValue(char *p + return USP_ERR_INVALID_PATH; + } + ++ // Check if the parameter is secured and the controller has a secured role, and if the SHOW_PASSWORD flag is not set ++ if (!(flags & SHOW_PASSWORD) && node->registered.param_info.type_flags & DM_SECURE && !DEVICE_CTRUST_IsControllerSecured()) ++ { ++ // Return an empty string for secured parameters when controller doesn't have secured role ++ *buf = '\0'; ++ return USP_ERR_OK; ++ } ++ + // NOTE: We do not check 'is_qualified_instance' here, because the only time it would be unqualified, is if the + // path represented a multi-instance object. 
If path does represent this, then it will be caught below (switch statement) + +@@ -537,8 +546,8 @@ int DATA_MODEL_GetParameterValue(char *p + break; + + case kDMNodeType_DBParam_Secure: +- // Return an empty string, if special flag is not set +- if ((flags & SHOW_PASSWORD)==0) ++ // Return an empty string if the parameter is secured and the controller has a secured role, and if the SHOW_PASSWORD flag is not set ++ if (!(flags & SHOW_PASSWORD) && node->registered.param_info.type_flags & DM_SECURE && !DEVICE_CTRUST_IsControllerSecured()) + { + *buf = '\0'; + break; +Index: obuspa-9.0.4.3/src/core/device_ctrust.c +=================================================================== +--- obuspa-9.0.4.3.orig/src/core/device_ctrust.c ++++ obuspa-9.0.4.3/src/core/device_ctrust.c +@@ -64,6 +64,7 @@ + #include "text_utils.h" + #include "dm_inst_vector.h" + #include "database.h" ++#include "device_ctrust.h" + + //------------------------------------------------------------------------------ + // Location of the controller trust tables within the data model +@@ -228,6 +229,7 @@ credential_t *FindCredentialByCertInstan + int Get_CredentialRole(dm_req_t *req, char *buf, int len); + int Get_CredentialCertificate(dm_req_t *req, char *buf, int len); + int Get_CredentialNumEntries(dm_req_t *req, char *buf, int len); ++int Validate_SecuredRoles(dm_req_t *req, char *value); + + #ifndef REMOVE_DEVICE_SECURITY + int InitChallengeTable(); +@@ -347,6 +349,10 @@ int DEVICE_CTRUST_Init(void) + challenge_response_input_args, NUM_ELEM(challenge_response_input_args), + NULL, 0); + #endif ++ ++ // Register Device.LocalAgent.ControllerTrust.SecuredRoles parameter ++ err |= USP_REGISTER_DBParam_ReadWrite(DEVICE_CTRUST_ROOT ".SecuredRoles", "", Validate_SecuredRoles, NULL, DM_STRING); ++ + // Exit if any errors occurred + if (err != USP_ERR_OK) + { +@@ -2793,3 +2799,128 @@ exit: + return err; + } + #endif // REMOVE_DEVICE_SECURITY ++ ++ 
++/*********************************************************************//** ++** ++** Validate_SecuredRoles ++** ++** Validates Device.LocalAgent.ControllerTrust.SecuredRoles ++** Each list item MUST be the Path Name of a row in the Device.LocalAgent.ControllerTrust.Role table ++** ++** \param req - pointer to structure identifying the parameter ++** \param value - value that the controller would like to set the parameter to ++** ++** \return USP_ERR_OK if successful ++** ++**************************************************************************/ ++int Validate_SecuredRoles(dm_req_t *req, char *value) ++{ ++ char *role_path; ++ char *saveptr; ++ char *str; ++ char temp[MAX_DM_PATH]; ++ int role_instance; ++ int err; ++ ++ // Empty string is valid ++ if (*value == '\0') ++ { ++ return USP_ERR_OK; ++ } ++ ++ // Copy the value as strtok_r modifies the string ++ USP_STRNCPY(temp, value, sizeof(temp)); ++ ++ // Iterate through comma-separated list ++ str = temp; ++ role_path = strtok_r(str, ",", &saveptr); ++ while (role_path != NULL) ++ { ++ // Trim whitespace ++ role_path = TEXT_UTILS_TrimBuffer(role_path); ++ ++ // Verify that this path exists in the Role table using DM_ACCESS_ValidateReference ++ err = DM_ACCESS_ValidateReference(role_path, "Device.LocalAgent.ControllerTrust.Role.{i}", &role_instance); ++ if (err != USP_ERR_OK) ++ { ++ USP_ERR_SetMessage("%s: Role path '%s' does not exist in Device.LocalAgent.ControllerTrust.Role table", __FUNCTION__, role_path); ++ return USP_ERR_INVALID_VALUE; ++ } ++ ++ role_path = strtok_r(NULL, ",", &saveptr); ++ } ++ ++ return USP_ERR_OK; ++} ++ ++/*********************************************************************//** ++** ++** DEVICE_CTRUST_IsControllerSecured ++** ++** Determines whether the specified controller has a secured role ++** ++** \param combined_role - pointer to structure containing the role indexes for this controller ++** ++** \return true if the controller has a secured role, false otherwise ++** 
++**************************************************************************/ ++bool DEVICE_CTRUST_IsControllerSecured() ++{ ++ char secured_roles[MAX_DM_PATH]; ++ char *role_path; ++ char *saveptr; ++ char *str; ++ char temp[MAX_DM_PATH]; ++ int err; ++ role_t *role; ++ int role_instance; ++ combined_role_t combined_role; ++ ++ // Exit if unable to get the secured roles ++ err = DATA_MODEL_GetParameterValue("Device.LocalAgent.ControllerTrust.SecuredRoles", secured_roles, sizeof(secured_roles), 0); ++ if (err != USP_ERR_OK) ++ { ++ return false; ++ } ++ ++ // Empty string means no secured roles ++ if (*secured_roles == '\0') ++ { ++ return false; ++ } ++ ++ MSG_HANDLER_GetMsgRole(&combined_role); ++ // Copy the value as strtok_r modifies the string ++ USP_STRNCPY(temp, secured_roles, sizeof(temp)); ++ ++ // Iterate through comma-separated list ++ str = temp; ++ role_path = strtok_r(str, ",", &saveptr); ++ while (role_path != NULL) ++ { ++ // Trim whitespace ++ role_path = TEXT_UTILS_TrimBuffer(role_path); ++ ++ // Extract the instance number from the role path ++ err = DM_ACCESS_ValidateReference(role_path, "Device.LocalAgent.ControllerTrust.Role.{i}", &role_instance); ++ if (err == USP_ERR_OK) ++ { ++ // Find the role in our internal array ++ role = FindRoleByInstance(role_instance); ++ if (role != NULL) ++ { ++ // Check if this role matches either the inherited or assigned role ++ if ((role - roles == combined_role.inherited_index) || ++ (role - roles == combined_role.assigned_index)) ++ { ++ return true; ++ } ++ } ++ } ++ ++ role_path = strtok_r(NULL, ",", &saveptr); ++ } ++ ++ return false; ++} +Index: obuspa-9.0.4.3/src/core/device_ctrust.h +=================================================================== +--- /dev/null ++++ obuspa-9.0.4.3/src/core/device_ctrust.h +@@ -0,0 +1,48 @@ ++/* ++ * ++ * Copyright (C) 2019-2025, Broadband Forum ++ * Copyright (C) 2016-2025, CommScope, Inc ++ * ++ * Redistribution and use in source and binary forms, with or without 
++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * 3. Neither the name of the copyright holder nor the names of its ++ * contributors may be used to endorse or promote products derived from ++ * this software without specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF ++ * THE POSSIBILITY OF SUCH DAMAGE. 
++ * ++ */ ++ ++/** ++ * \file device_ctrust.h ++ * ++ * Header file containing the API functions provided by Controller Trust component ++ * ++ */ ++#ifndef DEVICE_CTRUST_H ++#define DEVICE_CTRUST_H ++ ++#include "device.h" ++ ++bool DEVICE_CTRUST_IsControllerSecured(void); ++ ++#endif +Index: obuspa-9.0.4.3/src/include/usp_api.h +=================================================================== +--- obuspa-9.0.4.3.orig/src/include/usp_api.h ++++ obuspa-9.0.4.3/src/include/usp_api.h +@@ -418,6 +418,7 @@ typedef struct + #define DM_DECIMAL 0x00000100 // 64 bit floating point number (double) + #define DM_LONG 0x00000200 // 64 bit signed integer (long long) + #define DM_VALUE_CHANGE_WILL_IGNORE 0x00000400 // Do not emit value change notifications for this parameter ++#define DM_SECURE 0x00000800 // secure parameter + + //------------------------------------------------------------------------- + // Functions to register the data model +Index: obuspa-9.0.4.3/src/core/group_get_vector.c +=================================================================== +--- obuspa-9.0.4.3.orig/src/core/group_get_vector.c ++++ obuspa-9.0.4.3/src/core/group_get_vector.c +@@ -49,6 +49,16 @@ + #include "group_get_vector.h" + #include "int_vector.h" + #include "data_model.h" ++#include "device_ctrust.h" // Added to use DEVICE_CTRUST_IsControllerSecured() ++ ++//------------------------------------------------------------------------------ ++// New function to check secure flag and controller state ++static int IsSecuredParamNotAccessible(char *path) ++{ ++ dm_instances_t inst; ++ dm_node_t *node = DM_PRIV_GetNodeFromPath(path, &inst, NULL, 0); ++ return (node && (node->registered.param_info.type_flags & DM_SECURE) && !DEVICE_CTRUST_IsControllerSecured()); ++} + + //------------------------------------------------------------------------------ + // Forward declarations. 
Note these are not static, because we need them in the symbol table for USP_LOG_Callstack() to show them +@@ -282,14 +292,14 @@ void GROUP_GET_VECTOR_GetValues(group_ge + return; + #endif + +- // Iterate over all parameters, getting them if non grouped, otherwise adding them to the relevant group to get ++ // Iterate over all parameters, getting them if non-grouped, otherwise adding them to the relevant group to get + memset(ggv_indexes, 0, sizeof(ggv_indexes)); + for (i=0; i < ggv->num_entries; i++) + { + gge = &ggv->vector[i]; + if (gge->group_id == NON_GROUPED) + { +- // If the parameter is not grouped, then get its value now. ++ // For non-grouped parameters, directly call DATA_MODEL_GetParameterValue which handles secure parameters internally + gge->err_code = DATA_MODEL_GetParameterValue(gge->path, buf, sizeof(buf), 0); + if (gge->err_code != USP_ERR_OK) + { +@@ -320,7 +330,6 @@ void GROUP_GET_VECTOR_GetValues(group_ge + chunk_size = MIN(GROUP_GET_CHUNK_SIZE, iv->num_entries - start_index); + GetParameterGroup(i, ggv, iv, start_index, chunk_size); + } +- + } + } + +@@ -378,88 +387,101 @@ void GetParameterGroup(int group_id, gro + return; + } + +- // Add all parameters to get in this group to a key value vector +- // NOTE: We form the key value vector manually to avoid copying the param paths. 
+- // Ownership of the param paths stay with the group get vector +- params.num_entries = chunk_size; +- params.vector = USP_MALLOC(sizeof(kv_pair_t) * chunk_size); ++ // Prepare a mapping for non-secure parameters and process secure ones directly ++ int non_secure_count = 0; ++ int *non_secure_map = USP_MALLOC(chunk_size * sizeof(int)); + for (i=0; i < chunk_size; i++) + { + index = iv->vector[start_index + i]; + gge = &ggv->vector[index]; + USP_ASSERT(gge->path != NULL); +- +- kv = ¶ms.vector[i]; +- kv->key = gge->path; +- kv->value = NULL; ++ if (IsSecuredParamNotAccessible(gge->path)) ++ { ++ // For secure parameter when controller is not secured, return empty value ++ gge->value = USP_STRDUP(""); ++ gge->err_code = USP_ERR_OK; ++ } ++ else ++ { ++ non_secure_map[non_secure_count] = index; ++ non_secure_count++; ++ } + } + +- // Exit if group callback fails +- USP_ERR_ClearMessage(); +- err = get_group_cb(group_id, ¶ms); +- if (err != USP_ERR_OK) ++ // If there are non-secure parameters, call the group callback for them ++ if (non_secure_count > 0) + { +- // Mark all results for params in this group with an error +- usp_err_msg = USP_ERR_GetMessage(); +- for (i=0; i < chunk_size; i++) ++ params.num_entries = non_secure_count; ++ params.vector = USP_MALLOC(sizeof(kv_pair_t) * non_secure_count); ++ for (i=0; i < non_secure_count; i++) + { +- index = iv->vector[start_index + i]; ++ index = non_secure_map[i]; + gge = &ggv->vector[index]; +- gge->err_code = USP_ERR_INTERNAL_ERROR; ++ USP_ASSERT(gge->path != NULL); ++ kv = ¶ms.vector[i]; ++ kv->key = gge->path; ++ kv->value = NULL; ++ } + +- // Assign an error message to this param +- if (usp_err_msg[0] != '\0') +- { +- gge->err_msg = USP_STRDUP(usp_err_msg); +- } +- else ++ USP_ERR_ClearMessage(); ++ err = get_group_cb(group_id, ¶ms); ++ if (err != USP_ERR_OK) ++ { ++ // Mark all non-secure results with an error ++ usp_err_msg = USP_ERR_GetMessage(); ++ for (i=0; i < non_secure_count; i++) + { +- // Form an error 
message if none was provided +- USP_SNPRINTF(err_msg, sizeof(err_msg), "%s: Get group callback failed for param %s", __FUNCTION__, gge->path); +- gge->err_msg = USP_STRDUP(err_msg); ++ index = non_secure_map[i]; ++ gge = &ggv->vector[index]; ++ gge->err_code = USP_ERR_INTERNAL_ERROR; ++ if (usp_err_msg[0] != '\0') ++ { ++ gge->err_msg = USP_STRDUP(usp_err_msg); ++ } ++ else ++ { ++ USP_SNPRINTF(err_msg, sizeof(err_msg), "%s: Get group callback failed for param %s", __FUNCTION__, gge->path); ++ gge->err_msg = USP_STRDUP(err_msg); ++ } ++ USP_SAFE_FREE(params.vector[i].value); + } +- +- // NOTE: The group get might have populated a value for some params, so free these values +- USP_SAFE_FREE(params.vector[i].value); ++ USP_FREE(params.vector); ++ USP_FREE(non_secure_map); ++ return; + } +- goto exit; +- } + +- // Move all parameter values obtained to the group get vector +- // NOTE: Ownership of the value string transfers from the params vector to the group get vector +- usp_err_msg = USP_ERR_GetMessage(); +- empty_count = 0; +- for (i=0; i < chunk_size; i++) +- { +- kv = ¶ms.vector[i]; +- index = iv->vector[start_index + i]; +- gge = &ggv->vector[index]; +- +- if (kv->value != NULL) +- { +- gge->value = kv->value; +- } +- else ++ // Move all parameter values obtained to the group get vector for non-secure parameters ++ usp_err_msg = USP_ERR_GetMessage(); ++ empty_count = 0; ++ for (i=0; i < non_secure_count; i++) + { +- // If this is the first parameter with no value, and an error message has been set, then use the error message +- if ((usp_err_msg[0] != '\0') && (empty_count == 0)) ++ index = non_secure_map[i]; ++ gge = &ggv->vector[index]; ++ kv = ¶ms.vector[i]; ++ ++ if (kv->value != NULL) + { +- USP_SNPRINTF(err_msg, sizeof(err_msg), "%s", usp_err_msg); ++ gge->value = kv->value; + } + else + { +- USP_SNPRINTF(err_msg, sizeof(err_msg), "%s: Get group callback did not provide a value for param %s", __FUNCTION__, gge->path); ++ if ((usp_err_msg[0] != '\0') && 
(empty_count == 0)) ++ { ++ USP_SNPRINTF(err_msg, sizeof(err_msg), "%s", usp_err_msg); ++ } ++ else ++ { ++ USP_SNPRINTF(err_msg, sizeof(err_msg), "%s: Get group callback did not provide a value for param %s", __FUNCTION__, gge->path); ++ } ++ gge->err_code = USP_ERR_INTERNAL_ERROR; ++ gge->err_msg = USP_STRDUP(err_msg); ++ empty_count++; + } +- gge->err_code = USP_ERR_INTERNAL_ERROR; +- gge->err_msg = USP_STRDUP(err_msg); +- empty_count++; + } ++ USP_FREE(params.vector); + } + +-exit: +- // Destroy the key-value vector. +- // As ownership of all strings in it have transferred to the group get vector, we only have to free the array itself +- USP_FREE(params.vector); ++ USP_FREE(non_secure_map); + } + + /*********************************************************************//** +@@ -486,9 +508,10 @@ void GetParametersIndividually(group_get + for (i=0; i < ggv->num_entries; i++) + { + gge = &ggv->vector[i]; ++ + if (gge->group_id == NON_GROUPED) + { +- // Non-grouped parameters can directly call DATA_MODEL_GetParameterValue() ++ // For non-grouped parameters, directly call DATA_MODEL_GetParameterValue which handles secure parameters internally + gge->err_code = DATA_MODEL_GetParameterValue(gge->path, buf, sizeof(buf), 0); + if (gge->err_code == USP_ERR_OK) + { +@@ -497,42 +520,51 @@ void GetParametersIndividually(group_get + } + else + { +- // Grouped parameters cannot call DATA_MODEL_GetParameterValue(), as that would cause infinite recursion +- get_group_cb = group_vendor_hooks[gge->group_id].get_group_cb; +- if (get_group_cb == NULL) ++ // For grouped parameters, check if the parameter is secure and the controller is not secured ++ if (IsSecuredParamNotAccessible(gge->path)) + { +- // Set an error message, if no group callback registered for this parameter +- USP_ERR_SetMessage("%s: No registered group callback to get param %s", __FUNCTION__, gge->path); +- gge->err_code = USP_ERR_INTERNAL_ERROR; ++ gge->value = USP_STRDUP(""); ++ gge->err_code = USP_ERR_OK; + } + 
else + { +- // Get this grouped parameter individually using the group get callback +- pv.num_entries = 1; +- pv.vector = ¶m; +- param.key = gge->path; +- param.value = NULL; +- +- USP_ERR_ClearMessage(); +- gge->err_code = get_group_cb(gge->group_id, &pv); +- if (gge->err_code != USP_ERR_OK) ++ // Grouped parameters cannot call DATA_MODEL_GetParameterValue(), as that would cause infinite recursion ++ get_group_cb = group_vendor_hooks[gge->group_id].get_group_cb; ++ if (get_group_cb == NULL) + { +- USP_ERR_ReplaceEmptyMessage("%s: group get failed for '%s' (%s)", __FUNCTION__, gge->path, USP_ERR_UspErrToString(gge->err_code)); +- USP_SAFE_FREE(param.value) ++ // Set an error message, if no group callback registered for this parameter ++ USP_ERR_SetMessage("%s: No registered group callback to get param %s", __FUNCTION__, gge->path); ++ gge->err_code = USP_ERR_INTERNAL_ERROR; + } + else + { +- if (param.value != NULL) ++ // Get this grouped parameter individually using the group get callback ++ pv.num_entries = 1; ++ pv.vector = ¶m; ++ param.key = gge->path; ++ param.value = NULL; ++ ++ USP_ERR_ClearMessage(); ++ gge->err_code = get_group_cb(gge->group_id, &pv); ++ if (gge->err_code != USP_ERR_OK) + { +- // Move ownership of the returned string from param.value to gge->value +- gge->value = param.value; +- param.value = NULL; // not strictly necessary ++ USP_ERR_ReplaceEmptyMessage("%s: group get failed for '%s' (%s)", __FUNCTION__, gge->path, USP_ERR_UspErrToString(gge->err_code)); ++ USP_SAFE_FREE(param.value) + } + else + { +- // If no value was returned, then this is also reported as an error in the group get array +- USP_ERR_ReplaceEmptyMessage("%s: Get group callback did not provide a value for param %s", __FUNCTION__, gge->path); +- gge->err_code = USP_ERR_INTERNAL_ERROR; ++ if (param.value != NULL) ++ { ++ // Move ownership of the returned string from param.value to gge->value ++ gge->value = param.value; ++ param.value = NULL; // not strictly necessary ++ } 
++ else ++ { ++ // If no value was returned, then this is also reported as an error in the group get array ++ USP_ERR_ReplaceEmptyMessage("%s: Get group callback did not provide a value for param %s", __FUNCTION__, gge->path); ++ gge->err_code = USP_ERR_INTERNAL_ERROR; ++ } + } + } + } +@@ -545,3 +577,4 @@ void GetParametersIndividually(group_get + } + } + } ++ From 2219f2efba10cb88888119f3660e77e4d806163c Mon Sep 17 00:00:00 2001 From: Vivek Kumar Dutta Date: Mon, 10 Mar 2025 09:07:06 +0530 Subject: [PATCH 16/17] sulu: Enable SecureRole for admin ACL --- sulu/sulu-builder/files/etc/users/roles/admin.json | 1 + 1 file changed, 1 insertion(+) diff --git a/sulu/sulu-builder/files/etc/users/roles/admin.json b/sulu/sulu-builder/files/etc/users/roles/admin.json index 0165d3ff0..e859068a6 100644 --- a/sulu/sulu-builder/files/etc/users/roles/admin.json +++ b/sulu/sulu-builder/files/etc/users/roles/admin.json @@ -2,6 +2,7 @@ "tr181": { "name": "admin", "instance": 4, + "secure_role": true, "permission": [ { "object": "Device.", From 5b07fcce3389747b71a62337f30c5b20c1e8f23a Mon Sep 17 00:00:00 2001 From: Vivek Kumar Dutta Date: Wed, 12 Mar 2025 16:55:34 +0530 Subject: [PATCH 17/17] swmodd: 2.5.25 --- swmodd/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/swmodd/Makefile b/swmodd/Makefile index 65acce1b4..13c4b5f23 100755 --- a/swmodd/Makefile +++ b/swmodd/Makefile @@ -5,13 +5,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=swmodd -PKG_VERSION:=2.5.24 +PKG_VERSION:=2.5.25 LOCAL_DEV:=0 ifneq ($(LOCAL_DEV),1) PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://dev.iopsys.eu/lcm/swmodd.git -PKG_SOURCE_VERSION:=a5663a3f38868554c619d06cfc5f19aa8679d685 +PKG_SOURCE_VERSION:=9b3b87f6a24a39f8917576e3cda8d9dc5f4a8f18 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz PKG_MIRROR_HASH:=skip endif
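Review bot: In the `kDMNodeType_DBParam_Secure` case of `DATA_MODEL_GetParameterValue` (the data_model.c part of this patch), the value is now blanked only when `type_flags` carries the new `DM_SECURE` bit. A secure-type DB parameter registered without that bit is therefore no longer masked and presumably continues to the normal read for any controller. Nothing visible in this patch sets `DM_SECURE` at registration, so unless that happens elsewhere the previous default of hiding these values is lost. Keeping the node type as the trigger preserves it: `if (!(flags & SHOW_PASSWORD) && !DEVICE_CTRUST_IsControllerSecured())`. Separately, the header comment of `DEVICE_CTRUST_IsControllerSecured` documents a `combined_role` parameter the function does not take, and the definition should use `(void)` to match the prototype in device_ctrust.h.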