When a remote peer's publish registrations arrive via RX before the
local TX connection is authenticated, handle_publish fires but the
subscriber can't reach the remote publisher yet since the TX channel
isn't ready.
Suppress publish notifications on the RX side when no authenticated TX
channel exists for the remote host. After TX authentication completes,
re-trigger handle_publish only for topics that the specific peer
publishes and that have local subscribers.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 3efcf444a1)
The condition checked !data.networks instead of !data.networks[name],
making it always false since data.networks was already validated earlier
in the function. Networks removed from unetd were never closed.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit a2368e0f69)
channel.disconnect() already closes the fd via ubus_shutdown(),
so calling socket.close() afterwards is redundant and causes EBADF.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit bdc3c1a820)
Add a 10-second timeout for outgoing auth requests to prevent
connections from getting stuck when the remote peer goes silent
after the hello handshake but before responding to auth.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 8a304d051f)
The network may be deleted before the disconnect callback fires.
Check for null to avoid crash when accessing net.tx_channels.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit f631d1576d)
This should not be defaulted to anything in the schema.
What seemed like a minor cleanup actually broke this
as the schema defines a default value already. I did
not notice as I had this explictly set in my config.
Fixes: 70ba7512 ("wifi-scripts: ucode: allow sae_pwe to be modified for AP mode")
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/22043
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit f012e8d50a)
Some Android devices have issues with H2E causing downgrades to PSK
when using WPA2/3. With WPA3 it doesn't work reliably whatsoever.
My Samsung A55/6 for example has the following behavior:
daemon.info hostapd: lan5g: STA <redacted> IEEE 802.11: authenticated
daemon.notice hostapd: SAE: <redacted> indicates support for SAE H2E, but did not use it
daemon.info hostapd: lan2g: STA <redacted> IEEE 802.11: authenticated
daemon.info hostapd: lan2g: STA <redacted> IEEE 802.11: associated (aid 1)
daemon.notice hostapd: lan5g: Prune association for <redacted>
daemon.notice hostapd: lan2g: AP-STA-CONNECTED <redacted> auth_alg=open
daemon.info hostapd: lan2g: STA <redacted> RADIUS: starting accounting session 8234C696AAC1AE7D
daemon.info hostapd: lan2g: STA <redacted> WPA: pairwise key handshake completed (RSN)
daemon.notice hostapd: lan2g: EAPOL-4WAY-HS-COMPLETED <redacted>
This is also brought up in the issue: https://github.com/openwrt/openwrt/issues/9963
Ultimately this allows users to have the option to at the very least
disable H2E.
Unrelated: a minor cleanup was done so that ieee80211w uses set_default instead.
There is no functional change on that front.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/22021
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 70ba7512e7)
- uclient-fetch timeout bumped from 5s to 15s. If we do not do this
we get flagged by HE as the update request is expensive and takes
more than 5s to execute. Currently 5s timeout causes uclient-fetch
to be killed prematurely as can be seen by the following log:
10:34:57 user.notice 6in4-henet: update 1/3: timeout
10:35:07 user.notice 6in4-henet: update 2/3: timeout
10:35:17 user.notice 6in4-henet: update 3/3: timeout
10:35:22 user.notice 6in4-henet: update failed
The above is the worst case, what usually happens is:
10:53:59 user.notice 6in4-henet: update 1/3: timeout
10:54:06 user.notice 6in4-henet: update 2/3: abuse
10:54:06 user.notice 6in4-henet: updated
- We now use an exponential backoff starting from 5 seconds.
- Detect ca-bundle so we don't use --no-check-certificates
unnecessarily.
- The while loop was changed so we don't retry unnecessarily
after the final failure.
- Worst-case total time the update operation might take before
bailing out is:
(sum(15 + (5 × (2^(x − 1))), 1, 2) + 15) seconds = 1 min
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/22016
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 862b46dd8f)
Mark T4240RDB u-boot variants as device-built and avoid installing them into rootfs.
Without this buildbot crashes during package install with:
ERROR: unable to select packages:
u-boot-fsl_T4240RDB-nor (no such package):
required by: world[u-boot-fsl_T4240RDB-nor]
u-boot-fsl_T4240RDB-sdboot (no such package):
required by: world[u-boot-fsl_T4240RDB-sdboot]
Fixes: c5d3d5fe28 ("package: u-boot: initial support for qoriq arch")
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21514
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 20727f89d5)
Link: https://github.com/openwrt/openwrt/pull/21477
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This package adds initial u-boot support for qoriq target.
U-boot for qoriq devices must be compiled with 32-bit compiler and
linked with 32-bit linker. It's part of mpc 85xx target. But qoriq
target is 64-bit. As workaround, mpc85xx binary toolchain is downloaded
only for this u-boot.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/10941
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit c5d3d5fe28)
Link: https://github.com/openwrt/openwrt/pull/21477
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The build would continue even if the some of the intermediate commands
failed, as long as the last command in the final iteration of the loop
was successful.
Add 'set -e' to the subshell so that we immediately exit. Previously,
only the exit status of the final make-index-json.py mattered.
Fixes: https://github.com/openwrt/openwrt/issues/21981
Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/21993
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit fcb07b00ec)
This was a regression introduced in the recent alignment changes and led
to failures when reading (i.e. 'mkndx') certain packages like follows:
ERROR: python3-botocore-1.31.7-r1.apk: unexpected end of file
It affected packages with a header size greater than the read buffer
size of 128KB but less than 160KB (128KB + (128KB / 4)).
In those cases, we'd attempt a 0 byte read, leading to APKE_EOF.
Based on some tests of files across multiple archs and feeds, it seems
the only packages meeting those criteria were python3-botocore and
golang-github-jedisct1-dnscrypt-proxy2-dev.
Fixes: 64ec08eee1 ("apk: backport upstream fixes for unaligned access")
Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/21992
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 8c6ed4e927)
Link: https://github.com/openwrt/openwrt/pull/22001
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
These devices share the same "compatible" in device tree causing some
incompatibilities (sysupgrades, ASU profile identification), assign a
unique "compatible" and "model" to each variant.
Context:
Commit [1] added each variant's dts compatible to the SUPPORTED_DEVICES
field of the other variant to make easy sysupgrades between these
physically indistinguishable devices variants possible.
But there were found three issues which does not allow this:
- the sysupgrade's stricter check still used in some sysupgrade
paths(this check is being replaced(and redundant) with the newer fwtool's
SUPPORTED_DEVICES check using the info in images METADATA), this check
will fail when sysupgrading from a different board_name(compatible dts)
that the image was created for (image profile name).[2]
- ASU needs unique "dts compatible" to identify the devices profile.
- and an ASU's profile identification limitation when several devices from
a common target share SUPPORTED_DEVICES entries.[3]
There is a proposal for these issues but not yet implemented [4][3].
Until these issues are fixed we won't allow "easy" sysupgrades between
these two device variants.
Commit [5] avoided the ASU profile identification limitation but
missed the required two unique dts compatibles in order to make the two
variants fully work, although not allowing easy sysupgrade between them.
[1]: 8d30e07180
[2]: sysupgrade stricter check https://github.com/openwrt/openwrt/issues/20566#issuecomment-3583555482
[3]: ASU proposal https://github.com/openwrt/asu/pull/1533
[4]: allow easy sysupgrade proposal https://github.com/openwrt/openwrt/pull/20947
[5]: b71f4665cd
Fixes: b71f466 ("mediatek: filogic: fix supported_devices list for gl-mt2500")
Fixes: 8d30e07 ("mediatek: filogic: fix for new GL.iNet GL-MT2500/GL-MT2500A hardware revision")
Fixes: https://github.com/openwrt/openwrt/issues/20566
Fixes: https://github.com/openwrt/asu/issues/1525
Signed-off-by: Mario Andrés Pérez <mapb_@outlook.com>
Link: https://github.com/openwrt/openwrt/pull/21842
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 7aa1f7e814)
When config_change is set during an active setup (e.g. by a concurrent
reconf call), wdev_mark_up() attempted to call setup() while still in
"setup" state. Since setup() requires state "up" or "down", it silently
returned, leaving the state as "setup". The subsequent wdev_setup_cb()
then treated this as a setup failure, triggering an unnecessary
teardown+restart cycle.
Fix this by removing the config_change handling from wdev_mark_up() and
moving it to wdev_setup_cb() instead. wdev_mark_up() now always
transitions to "up" state. When wdev_setup_cb() runs afterwards and
finds the device already "up" with config_change set, it initiates a
clean re-setup from the "up" state where setup() can run.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 3553eda283)
- no longer write any temporary file for peer gen
- use wg syncconf to update active interfaces (not setconf)
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21784
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 148207730a)
Link: https://github.com/openwrt/openwrt/pull/21840
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Commit 01a87f4bd0 changed the encryption
setting of the default SSID "OpenWrt" from "none" to "open". The correct
setting as per the documentation [1] is "none", though.
While this invalid setting won't cause a wrong hostapd setup, it will
at least cause malfunction in LuCI.
Change the default encryption setting back to "none".
[1] https://openwrt.org/docs/guide-user/network/wifi/basic#encryption_modes
Fixes: 01a87f4bd0
Signed-off-by: Shine <4c.fce2@proton.me>
Link: https://github.com/openwrt/openwrt/pull/21925
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 4ab5fcc04f)
Uninitialized memory led to bogus, huge timestamps being set on files
downloaded with the wget backend. This caused odd issues like 'ls -l'
crashing busybox when attempting to list the .apk file afterwards.
Link: 42f159e67b
Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/21874
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit f750e3096f)
The ucode wifi-scripts unconditionally set ieee80211w=1 for psk-sae
and eap-eap2 auth types, ignoring any user-configured value. This
caused ieee80211w=2 (MFP required) to be silently downgraded to 1
(MFP optional) when using sae-mixed encryption.
Change the logic to only set the default of 1 when ieee80211w is not
already configured by the user.
Fixes: https://github.com/openwrt/openwrt/issues/21751
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 1bbb60184d)
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Add a module for tpm-tis-spi for TCG TIS 1.3 TPM security chips
connected to a regular non-tcg SPI master.
Add imx target compatibility for kmod-tpm.
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Link: https://github.com/openwrt/openwrt/pull/21726
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 92a94dc9b0)
Add pending uboot support for the HINLINK H28K.
This fixes the rockchip build again.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit 384127320e)
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The mobility_domain value generated by ucode differed from the previous
shell script implementation. The legacy shell script used `echo` on the
SSID, which appended a trailing newline.
To maintain roaming compatibility with pre-25.12 releases and OpenWrt
forks in default configuration, update the ucode logic to include this
newline character when generating the default value.
Fixes: #21731
Signed-off-by: Youfu Zhang <zhangyoufu@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21732
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 1d0e2859c5)
KERNEL_DCB was introduced in 40f1db9cb1, however the dcb utility is not
enabled for iproute2. Although DCB is not generally available among
Ethernet cards, not having the dcb utility renders it completely
unchangeable.
On aarch64, it takes ~85.3KiB.
Signed-off-by: David Yang <mmyangfl@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21606
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit f0f5525b75)
The `syn_flood` option name is deprecated, `synflood_protect` should
be used instead. firewall3 and firewall4 both support this option since
a long time. LuCI already replaces the option name.
0abcb39b62
Suggested-by: rparge in OpenWrt forum
Link: https://github.com/openwrt/openwrt/pull/21642
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2ae350b725)
Switchdev driver used by microchipsw supports DCB and has not storage
constraints, so enable kernel and driver DCB support by default.
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
(cherry picked from commit 4c0c7442db)
