Add a ucode API to hostapd and wpa_supplicant for external DPP frame
handling. This allows an external controller to intercept DPP frames
and handle the DPP protocol externally.
The API provides:
- RX callbacks (dpp_rx_action, dpp_rx_gas) called when DPP frames are
received, allowing external handling before internal processing
- TX methods (dpp_send_action, dpp_send_gas_resp/dpp_send_gas_req) for
transmitting DPP frames
- A ubus channel-based API (dpp_channel) for bidirectional communication
with exclusive hook registration per interface
- CCE control for hostapd (set_cce method)
The wpa_supplicant API mirrors hostapd but adapted for STA role:
- Uses tx_gas_req instead of tx_gas_resp
- GAS RX provides full frame instead of parsed query
- No CCE control (AP-only feature)
Both implementations include:
- Timeout handling with automatic channel disconnect after 3 failures
- Hook cleanup on interface removal
- Last-caller-wins semantics for hook registration
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When a remote peer's connection drops (device powered off, unetmsgd
crash, network failure), network_rx_cleanup_state silently removed
the remote publish/subscribe handles without notifying local
subscribers. This meant local clients had no way to detect that a
remote peer had disappeared.
Call handle_publish for each channel where a remote publish handle
is removed during connection cleanup, so local subscribers receive
the publisher change notification and can react accordingly.
Signed-off-by: John Crispin <john@phrozen.org>
handle_publish() notifies local subscribers about publisher state
changes. The publish/subscribe handler in network_socket_handle_request()
was calling it for both remote publish and subscribe changes, but
subscriber changes are not relevant to local subscribers.
Guard the handle_publish() calls with a msgtype == "publish" check,
matching the local client paths in unetmsgd-client.uc which already
have this guard.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When both peers connect simultaneously, the RX side can authenticate
before the TX handshake completes. network_check_auth() was sending a
ping on the unauthenticated TX channel, which gets rejected by the
remote's pre-auth handler as "Auth failed", killing the connection and
triggering an endless reconnect cycle.
Check chan.auth before interacting with the TX channel. If TX auth
hasn't completed yet, just schedule a reconnect timer - auth_data_cb
already handles state sync when TX auth completes.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
network_close() only closed the listening socket without shutting down
established RX/TX connections. This left remote state in
core.remote_publish/core.remote_subscribe for hosts on the removed
network, causing stale entries in channel listings and failed routing
attempts.
Close all RX and TX channels before removing the network, which also
triggers remote state cleanup via network_rx_socket_close().
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The cleanup condition checked != instead of ==, inverting the logic.
This caused two problems:
When an authenticated RX connection disconnected, remote state for that
host was never cleaned up since the stored entry matched the one being
closed.
When a stale unauthenticated connection from a peer closed, any existing
authenticated connection from the same peer was incorrectly deleted and
its remote state wiped.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When a remote peer's publish registrations arrive via RX before the
local TX connection is authenticated, handle_publish fires but the
subscriber can't reach the remote publisher yet since the TX channel
isn't ready.
Suppress publish notifications on the RX side when no authenticated TX
channel exists for the remote host. After TX authentication completes,
re-trigger handle_publish only for topics that the specific peer
publishes and that have local subscribers.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The condition checked !data.networks instead of !data.networks[name],
making it always false since data.networks was already validated earlier
in the function. Networks removed from unetd were never closed.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add a status method to both hostapd and wpa_supplicant ubus objects
that lists all configured interfaces with their wiphy, MAC address,
and running/pending state. For MLO interfaces, links are grouped
under a single entry with per-link status.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Adding base64 encoded beacon data needs the base64 functions to be available
Fixes: b44d4290fe ("hostapd: add raw beacon report data to ubus notification")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Extend the taxonomy subsystem to capture the complete association frame
in addition to the existing probe and association IE data.
This adds a new assoc_frame_taxonomy field to struct sta_info and exposes
it via the get_sta_ies ubus method as a base64-encoded "assoc_frame" field.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Extend the hostapd_rrm_beacon_req ubus method to support the optional
reporting_detail parameter as defined in IEEE 802.11-2016 section 9.4.2.21.7.
Also fix missing assignment operators (=) in the beacon_req_policy array
initialisation.
Signed-off-by: John Crispin <john@phrozen.org>
bump dnsmasq to latest 2.92
updated 200-ubus_dns.patch
no changes to 100-remove-old-runtime-kernel-support.patch
all remaining patches not required
Changelog for version 2.92 https://thekelleys.org.uk/dnsmasq/CHANGELOG
Signed-off-by: gongzi miao <miaogongzi0227@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21598
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
channel.disconnect() already closes the fd via ubus_shutdown(),
so calling socket.close() afterwards is redundant and causes EBADF.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add a 10-second timeout for outgoing auth requests to prevent
connections from getting stuck when the remote peer goes silent
after the hello handshake but before responding to auth.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The network may be deleted before the disconnect callback fires.
Check for null to avoid crash when accessing net.tx_channels.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The for-in loop variable 'name' was shadowing the function parameter,
causing remote subscription cleanup to fail when hosts disconnect.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Some packages with variants did not specify the default among the
alternatives, so were left without any apk 'provider_priority'
for that package. This caused the apk solver to select the wrong
variant, silently changing the requested package list.
Notable among these were busybox, procd and the hostapd/wpad suite.
This behavior presented in the imagebuilders when creating the
image as follows, silently replacing packages even when explicitly
requested:
$ make image PACKAGES=busybox
...
( 14/148) Installing busybox-selinux (1.37.0-r6)
...
We add 'DEFAULT_VARIANT:=1' to the packages that were missing one,
providing apk with sufficient information to choose the correct
package.
See link below for further examples and discussion.
Link: https://github.com/openwrt/openwrt/pull/21288#issuecomment-3704101422
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21358
Signed-off-by: Robert Marko <robimarko@gmail.com>
- Security: Avoid privilege escalation via unix stream forwarding in Dropbear
server. Other programs on a system may authenticate unix sockets via
SO_PEERCRED, which would be root user for Dropbear forwarded connections,
allowing root privilege escalation.
Reported by Turistu, and thanks for advice on the fix.
This is tracked as CVE-2025-14282, and affects 2024.84 to 2025.88.
It is fixed by dropping privileges of the dropbear process after
authentication. Unix stream sockets are now disallowed when a
forced command is used, either with authorized_key restrictions or
"dropbear -c command".
In previous affected releases running with "dropbear -j" (will also disable
TCP fowarding) or building with localoptions.h/distrooptions.h
"#define DROPBEAR_SVR_LOCALSTREAMFWD 0" is a mitigation.
- Security: Include scp fix for CVE-2019-6111. This allowed
a malicious server to overwrite arbitrary local files.
The missing fix was reported by Ashish Kunwar.
- Server dropping privileges post-auth is enabled by default. This requires
setresgid() support, so some platforms such as netbsd or macos will have to
disable DROPBEAR_SVR_DROP_PRIVS in localoptions.h. Unix stream forwarding is
not available if DROPBEAR_SVR_DROP_PRIVS is disabled.
Remote server TCP socket forwarding will now use OS privileged port
restrictions rather than having a fixed "allow >=1024 for non-root" rule.
A future release may implement privilege dropping for netbsd/macos.
- Fix a regression in 2025.87 when RSA and DSS are not built. This would lead
to a crash at startup with bad_bufptr().
Reported by Dani Schmitt and Sebastian Priebe.
- Don't limit channel window to 500MB. That is could cause stuck connections
if peers advise a large window and don't send an increment within 500MB.
Affects SSH.NET https://github.com/sshnet/SSH.NET/issues/1671
Reported by Rob Hague.
- Ignore -g -s when passwords arent enabled. Patch from Norbert Lange.
Ignore -m (disable MOTD), -j/-k (tcp forwarding) when not enabled.
- Report SIGBUS and SIGTRAP signals. Patch from Loïc Mangeonjean.
- Fix incorrect server auth delay. Was meant to be 250-350ms, it was actually
150-350ms or possibly negative (zero). Reported by pickaxprograms.
- Fix building without public key options. Thanks to Konstantin Demin
- Fix building with proxycmd but without netcat. Thanks to Konstantin Demin
- Fix incorrect path documentation for distrooptions, thanks to Todd Zullinger
- Fix SO_REUSEADDR for TCP tests, reported by vt-alt.
Dropped:
* 050-dropbear-multihop-fix.patch as its included in the release 5cc0127000db5f
* 051-fix-pubkey-options.patch as its included in the release 1d4c4a542cd5df
* 052-fix-missing-depends-for-sntrup761x25519-sha512.patch as its included
in the release 1a2c1e649a1824
* 053-Don-t-limit-channel-window-to-500MB.patch as its included in the release a8610f7b98ad
Manually rebased:
* 110-change_user.patch
Fixes: CVE-2025-14282, CVE-2019-6111
Reviewed-by: Hauke Mehrtens <hauke@hauke-m.de>
Reviewed-by: Konstantin Demin <rockdrilla@gmail.com>
Tested-by: Konstantin Demin <rockdrilla@gmail.com> [mediatek/filogic (GL.iNet GL-MT6000)]
Link: https://github.com/openwrt/openwrt/pull/21186
Signed-off-by: Petr Štetiar <ynezz@true.cz>
cf51aeb93220 odhcpd: fix captive_portal_uri reset
e8b7fdea8d5e dhcpv4: fix DNS server option
b84553e496a3 router: Modify relayed RA PIO P flag according to interface policy
da3e2a9829cc router: Modify relayed RA PIO A flags according to interface policy
bad7138b70f0 README.md: update dhcp ubus events
ca00527e5f...cf51aeb932
Also remove duplicated /usr/share/libubox/jshn.sh include.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
ca00527e5fc3 statefiles: don't write empty hosts files
24b70c5c2ff0 Revert "statefiles: fix escape sequence for broken hostname output"
5203ad13954c statefiles: fix stale pio handling for !ubus
a64760b30f67 odhcpd: rename piofolder to piodir
6779344a8c8a statefiles: use tmpfile functions for pio files
9f8abcc662d0 statefiles: rename prefix information functions
cb65b83e524e config: move pio json handling to statefiles.c
5b01849cc42c statefiles: add a dirfd helper function
eadde3d7dd74 statefiles: add tmp helper functions
c29aa7091498 statefiles: fix escape sequence for broken hostname output
00f2d7a4dbe5 dhcpv4: don't send zero IPv6-only preferred option
c86d29bb83d6 Revert "dhcpv6-ia: add some noise to the T1 and T2 periods"
b062769ab85f Revert "do not delegate ULA prefixes"
fd4714bb2dfe do not delegate ULA prefixes
81ea5bfef775 dhcpv6-ia: add some noise to the T1 and T2 periods
79252ed0c0...ca00527e5f
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Currently its only possible to disable port forwarding only for specific
keys, via the OpenSSH-style restriction in `authorized_keys` file.
In some use cases it might be feasible to disable such features globally
on service level, so lets add new LocalPortForward and RemotePortForward
config knobs.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Link: https://github.com/openwrt/openwrt/pull/21071
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This will allow del_client with ban_time on a broadcast address
to also ban all clients temporarily.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/18670
Signed-off-by: Robert Marko <robimarko@gmail.com>
Similar to the hostapd control interface, treat ff:ff:ff:ff:ff:ff
as a stand in for "all clients".
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/18670
Signed-off-by: Robert Marko <robimarko@gmail.com>
The CLI tools hostapd_cli and wpa_cli are compiled with
`TARGET_LDFLAGS_C` rather than the standard `TARGET_LDFLAGS`.
This variable is empty, leading to global linker options not being
applied.
Set this variable equal to `TARGET_LDFLAGS` right after the package.mk
include to make sure global linker options are applied, but local options
such as linking to crypto libraries are not.
Signed-off-by: Matthias Van Parys <matthias.vanparys@softathome.com>
Link: https://github.com/openwrt/openwrt/pull/20345
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The function was using phydev.name (e.g., "phy0.0") instead of
phydev.phy (e.g., "phy0") when calling wpa_supplicant.phy_set_macaddr_list.
This is inconsistent with all other wpa_supplicant ubus calls in the same
file which correctly use phydev.phy.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Assign the address at wdev create time, similar to legacy interfaces.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Make it a little bit more consistant, and a bit more idiomatic.
Signed-off-by: David Härdeman <david@hardeman.nu>
Link: https://github.com/openwrt/openwrt/pull/20673
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
The support has been removed from odhcpd, so remove the Makefile options
related to homenet.
Signed-off-by: David Härdeman <david@hardeman.nu>
Link: https://github.com/openwrt/openwrt/pull/20673
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
"system" is used to get the current time zone, "network" is used to get
the global DUID.
Signed-off-by: David Härdeman <david@hardeman.nu>
Link: https://github.com/openwrt/openwrt/pull/20673
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Support for this option has been removed from odhcpd, so remove it in
the defaults as well.
Signed-off-by: David Härdeman <david@hardeman.nu>
Link: https://github.com/openwrt/openwrt/pull/20673
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
`list address` entries in /etc/config/dhcp are sometimes (I'm not sure
about the exact conditions) passed to upstream resolver, bypassing local
resolution. Adding them (minus the IP) to --local prevents this. In the
configuration, this means that
# /etc/config/dhcp
list address '/hello.com/world.com/1.2.3.4'
list address '/foo.com/bar.com/4.3.2.1'
which previously translated into
# /var/etc/dnsmasq.conf.*
address=/hello.com/world.com/1.2.3.4
address=/foo.com/bar.com/4.3.2.1
now becomes
# /var/etc/dnsmasq.conf.*
address=/hello.com/world.com/1.2.3.4
local=/hello.com/world.com/
address=/foo.com/bar.com/4.3.2.1
local=/foo.com/bar.com/
This behaviour is controlled by the `address_as_local` boolean option, which
defaults to false (old behaviour). openwrt/luci#7957 adds support for this flag
to LuCI.
A workaround for a small list of domains is to add them to `option local`,
but this is very tedious to do for every `list address` entry and dnsmasq
limits this option to 1024 characters.
Signed-off-by: Marko Zajc <marko@zajc.tel>
Link: https://github.com/openwrt/openwrt/pull/18610
Signed-off-by: Robert Marko <robimarko@gmail.com>
