Add a ucode API to hostapd and wpa_supplicant for external DPP frame
handling. This allows an external controller to intercept DPP frames
and handle the DPP protocol externally.
The API provides:
- RX callbacks (dpp_rx_action, dpp_rx_gas) called when DPP frames are
received, allowing external handling before internal processing
- TX methods (dpp_send_action, dpp_send_gas_resp/dpp_send_gas_req) for
transmitting DPP frames
- A ubus channel-based API (dpp_channel) for bidirectional communication
with exclusive hook registration per interface
- CCE control for hostapd (set_cce method)
The wpa_supplicant API mirrors hostapd but adapted for STA role:
- Uses tx_gas_req instead of tx_gas_resp
- GAS RX provides full frame instead of parsed query
- No CCE control (AP-only feature)
Both implementations include:
- Timeout handling with automatic channel disconnect after 3 failures
- Hook cleanup on interface removal
- Last-caller-wins semantics for hook registration
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When storing device-level data, wdev_set_data() spread the entire wdev
object into handler_data. Since handler_config.data is set from the
previous handler_data[wdev.name] before each setup, this created
exponentially growing nesting with each reload, eventually causing
"nesting too deep" JSON parse errors.
Fix by initializing cur to a simple object containing only the device
name instead of the entire wdev object.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add support for DPP (Device Provisioning Protocol) as both a primary
encryption type and as an optional addition to existing authentication.
Primary DPP mode (encryption=dpp):
- Sets WPA2 with key_mgmt=DPP
- Requires Management Frame Protection (ieee80211w=2)
- Supports dpp_connector, dpp_csign, dpp_netaccesskey options
Optional DPP mode (dpp=1 boolean on AP):
- Adds DPP to existing key management methods
- Allows AP to accept both DPP and other auth types
- Supports the same connector options
Both ucode and legacy shell implementations are updated for AP and STA
modes.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Allow callers of edit_create_destroy to pass additional named arguments
via info.named_args that get merged into the create command parameters.
Signed-off-by: John Crispin <john@phrozen.org>
When a remote peer's connection drops (device powered off, unetmsgd
crash, network failure), network_rx_cleanup_state silently removed
the remote publish/subscribe handles without notifying local
subscribers. This meant local clients had no way to detect that a
remote peer had disappeared.
Call handle_publish for each channel where a remote publish handle
is removed during connection cleanup, so local subscribers receive
the publisher change notification and can react accordingly.
Signed-off-by: John Crispin <john@phrozen.org>
handle_publish() notifies local subscribers about publisher state
changes. The publish/subscribe handler in network_socket_handle_request()
was calling it for both remote publish and subscribe changes, but
subscriber changes are not relevant to local subscribers.
Guard the handle_publish() calls with a msgtype == "publish" check,
matching the local client paths in unetmsgd-client.uc which already
have this guard.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When both peers connect simultaneously, the RX side can authenticate
before the TX handshake completes. network_check_auth() was sending a
ping on the unauthenticated TX channel, which gets rejected by the
remote's pre-auth handler as "Auth failed", killing the connection and
triggering an endless reconnect cycle.
Check chan.auth before interacting with the TX channel. If TX auth
hasn't completed yet, just schedule a reconnect timer - auth_data_cb
already handles state sync when TX auth completes.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
network_close() only closed the listening socket without shutting down
established RX/TX connections. This left remote state in
core.remote_publish/core.remote_subscribe for hosts on the removed
network, causing stale entries in channel listings and failed routing
attempts.
Close all RX and TX channels before removing the network, which also
triggers remote state cleanup via network_rx_socket_close().
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The cleanup condition checked != instead of ==, inverting the logic.
This caused two problems:
When an authenticated RX connection disconnected, remote state for that
host was never cleaned up since the stored entry matched the one being
closed.
When a stale unauthenticated connection from a peer closed, any existing
authenticated connection from the same peer was incorrectly deleted and
its remote state wiped.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When a remote peer's publish registrations arrive via RX before the
local TX connection is authenticated, handle_publish fires but the
subscriber can't reach the remote publisher yet since the TX channel
isn't ready.
Suppress publish notifications on the RX side when no authenticated TX
channel exists for the remote host. After TX authentication completes,
re-trigger handle_publish only for topics that the specific peer
publishes and that have local subscribers.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The condition checked !data.networks instead of !data.networks[name],
making it always false since data.networks was already validated earlier
in the function. Networks removed from unetd were never closed.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Check /var/run/uci/ before /etc/config/ so that overlay configs
also trigger service reload events.
The overlay directory takes precedence, and uci show already handles
merging overlay + base configuration correctly.
Signed-off-by: John Crispin <john@phrozen.org>
Changelog:
13701b5 libtraceevent: 1.9
6a3a815 libtraceevent: Add tep_load_modules() API
31fc91b libtraceevent: Add tep_parse_last_boot_info()
5e4ef1f libtraceevent: Add tep_btf_list_args()
aa49dce libtraceevent: Split out btf func init code from tep_btf_print_args()
239b063 libtraceevent: Do not change names of functions not of this library
c284dec libtraceevent: Handle __get_stacktrace()
1ba1262 libtraceevent: Move back to 1.8.99
263459e libtraceevent: Use BTF_INT_BITS/OFFSET() when parsing int parameters
0294b73 libtraceevent utest: Add simple test to test BTF parsing
38e03ac libtraceevent: Have BTF find functions with extra characters
b441fff libtraceevent: Add man page for the new BTF functions
87f30d9 libtraceevent: Add loading of BTF to the tep handle
3488dc9 libtraceevent: Move to 1.9 devel
Link: https://github.com/openwrt/openwrt/pull/21886
Signed-off-by: Nick Hainke <vincent@systemli.org>
Changelog:
6fad6a1 libtracefs: version 1.8.3
5505e14 libtracefs: Do not have utest fail debugfs/tracing not found
362574c libtracefs: Fix whitespace in enable_disable_all()
06c07be libtracefs: Make comm field a string
0a2a28f libtracefs/Documentation: Fix markup in the man page
57fcdc1 libtracefs: utest: Return non-zero exit code when something fails
ae03455 libtracefs: Fix tracefs_event_is_enabled() for all events
01a3fd3 libtracefs: Fix enum type in read_event_state
ef1656b libtracefs: Fix the /dev/null redirection compatibility in Makefile
Link: https://github.com/openwrt/openwrt/pull/21886
Signed-off-by: Nick Hainke <vincent@systemli.org>
Uninitialized memory led to bogus, huge timestamps being set on files
downloaded with the wget backend. This caused odd issues like 'ls -l'
crashing busybox when attempting to list the .apk file afterwards.
Link: 42f159e67b
Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/21874
Signed-off-by: Robert Marko <robimarko@gmail.com>
It's not the proper one. No of_platform_ APIs are being used.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21164
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
follow-up to 148207730a
Schoolboy error on the peer_psk value.
Also fix an issue when joining peer IPv4 and IPv6 AllowedIPs
(${peer_a_ips/ /, } replaces only the first space, while
${peer_a_ips// /, } replaces all the spaces).
Closes: https://github.com/openwrt/openwrt/issues/21847
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21851
Signed-off-by: Robert Marko <robimarko@gmail.com>
Add a status method to both hostapd and wpa_supplicant ubus objects
that lists all configured interfaces with their wiphy, MAC address,
and running/pending state. For MLO interfaces, links are grouped
under a single entry with per-link status.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
- preserve (active) interface (at reload)
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21784
Signed-off-by: Robert Marko <robimarko@gmail.com>
- no longer write any temporary file for peer gen
- use wg syncconf to update active interfaces (not setconf)
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21784
Signed-off-by: Robert Marko <robimarko@gmail.com>
- no longer write any temporary file for key gen
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21784
Signed-off-by: Robert Marko <robimarko@gmail.com>
Proto handler now also detects changes to
- addresses
Tighten also assign address portion
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21784
Signed-off-by: Robert Marko <robimarko@gmail.com>
Commit 168d5af added the possibility to configure netifd logging level.
The option is read from /etc/config/network and validated.
Supposedly the validation sets 2 as default.
But in case of a syntax error in /etc/config/network, the validation
result can be empty. Then the always passed option to netifd is
just '-l' instead of '-l 2'. That crashes netifd and prevents network
from launching.
Add a fallback value to the variable, so that there will always be
a proper value after the '-l' option.
Improves: 168d5af "netifd: add loglevel config option (fixes#18001)"
Fixes: #21816
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/21819
Signed-off-by: Robert Marko <robimarko@gmail.com>
Removing tmp/ after having built base-files or toolchain currently
breaks rootfs generation:
$ rm -rf tmp
$ make V=w
...
make[2] package/install
cat: .../openwrt/tmp/base-files.version: No such file or directory
cat: .../openwrt/openwrt/tmp/libc.version: No such file or directory
ERROR: 'base-files=' is not a valid world dependency, format is name(@tag)([<>~=]version)
make[2]: *** [package/Makefile💯 package/install] Error 99
The only way to recover from here is to clean toolchain and base-files via
$ make package/{base-files,toolchain}/clean
tmp is supposed to be ephemeral, so clearing it is an expected action,
which normally just triggers a regeneration of all files there.
Fix this by moving the version files to $(STAGING_DIR).
Fixes: 63e178f067 ("build: lock versions for special APK packages")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21803
Signed-off-by: Robert Marko <robimarko@gmail.com>
The ucode wifi-scripts unconditionally set ieee80211w=1 for psk-sae
and eap-eap2 auth types, ignoring any user-configured value. This
caused ieee80211w=2 (MFP required) to be silently downgraded to 1
(MFP optional) when using sae-mixed encryption.
Change the logic to only set the default of 1 when ieee80211w is not
already configured by the user.
Fixes: https://github.com/openwrt/openwrt/issues/21751
Signed-off-by: Felix Fietkau <nbd@nbd.name>
b3ee1209a3d0 uclient-http: reset fd to -1 after close in disconnect
9c2ad269c42b uclient-http: fix seq field check to use correct field
80c9bd29c233 uclient-http: fix hang on HTTP to HTTPS redirect
931bbfeb2c92 ucode: fix memory leak when using ssl context
Fixes: https://github.com/openwrt/uclient/issues/11
Fixes: https://github.com/openwrt/uclient/issues/13
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add a module for tpm-tis-spi for TCG TIS 1.3 TPM security chips
connected to a regular non-tcg SPI master.
Add imx target compatibility for kmod-tpm.
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Link: https://github.com/openwrt/openwrt/pull/21726
Signed-off-by: Robert Marko <robimarko@gmail.com>
Adding base64 encoded beacon data needs the base64 functions to be available
Fixes: b44d4290fe ("hostapd: add raw beacon report data to ubus notification")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
