This is the old way of doing things, it's used as a means
to enable PSA Crypto as historically it was the only way.
But other PSA Crypto implementations than Mbed TLS are
available (for example, TF-M) and since CONFIG_PSA_CRYPTO
has been introduced it's what should be used when wanting
to enable PSA Crypto.
The build system automatically takes care of choosing
the correct implementation (and enabling
CONFIG_MBEDTLS_PSA_CRYPTO_C when relevant) under the hood.
Replace all occurrences by `CONFIG_PSA_CRYPTO` instead
(or just remove it in cases where nothing is needed).
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Depending on what config options are enabled, it is possible
that LOG_MODULE_REGISTER() is not called. Make sure that we register
the logger at least once for the net_route logger.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Mark old IPv6 specific route kconfig options as deprecated. They
are replaced by similar options that have IPV6 prefix in them.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
If IPv4 routing is enabled, then try to get the gateway address
from it if the target address is not in local subnet.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Add initial routing support when sending IPv4 packets. This
is not implementing routing when forwarding packets.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
As the route API is IPv6 specific, rename the functions to reflect that.
Renaming routing related Kconfig options and files and add IPv6
prefix there as the routing calls are IPv6 specific.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Populate AF_PACKET recvfrom() source metadata from the packet's
actual ingress interface instead of the socket context iface.
Wildcard packet sockets can receive traffic from multiple interfaces,
so reusing the context iface reports the wrong sll_ifindex after a
packet arrives on another interface. Use net_pkt_iface(pkt) and only
fall back to the context iface when needed.
Assisted-by: Copilot:GPT-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
The disconnect result event's status field is overloaded with
wifi_disconn_reason values, but the shell printed it as a raw
integer and treated any non-zero value as a failure. A normal
user-initiated disconnect carries WIFI_REASON_DISCONN_USER_REQUEST
(2) and was reported as "Disconnection request failed (2)".
Add wifi_disconn_reason_txt() and use it. A user-initiated
disconnect that completes with USER_REQUEST or SUCCESS now
prints "Disconnection request done"; any other reason still
prints as a warning but with the reason text.
Signed-off-by: Sylvio Alves <sylvio.alves@espressif.com>
When converting from ticks to milliseconds for zsock_poll(), infinite
timeouts need to be checked before calling k_ticks_to_ms_ceil32().
The code previously used k_ticks_to_ms_floor32(), which likely hid
the bug as the timeout was rounded down to a very large number, but with
rounding up, an infinite timeout was converted to 0, which caused
zsock_poll() to exit immediately and report timeout.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Treat missing TX crypto context for Handshake and Application packet
protection as a transient not-ready condition instead of an invalid key
error.
This matches the earlier RX-side handling and avoids counting benign
teardown and timing cases as invalid_key failures. In practice this
removes false tx-no-crypto-context statistics hits seen in qemu_x86
runs and keeps the QUIC test suite stable.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
A reordered 1-RTT or long packet can arrive before this endpoint
finishes installing application keys from the peer's handshake
flight. Ignore it without charging invalid-key/drop statistics.
This fixes the issues seen in CI which is processing packets
slower than when running the same tests locally.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Implement NEW_TOKEN handling in the QUIC stack.
Add server-side NEW_TOKEN generation after handshake completion and
store received NEW_TOKEN values in a client-side cache for later use.
When the cache is full, replace older entries instead of dropping new
ones.
This also wires the NEW_TOKEN frame encoding to the existing varint
helpers so that emitted frames are built with the expected token
lengths.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Reinitialize the per-service HTTP version flags before processing each
service in http_server_init().
The h1, h2, and h3 booleans were reused across the HTTP_SERVICE_FOREACH()
loop. Without resetting them, one service's protocol selection could
carry over to the next service and enable listeners for HTTP versions
that the later service did not request.
Clear the flags at the top of each iteration so every service is
evaluated independently from its own configuration.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Preserve partial data from peer control and QPACK unidirectional streams
across recv calls instead of parsing from a temporary buffer.
QUIC streams are byte streams, so the HTTP/3 stream type, frame header,
and frame payload can arrive split across multiple reads. The previous
code dropped incomplete control/QPACK data and could also lose bytes
received after the uni stream type during identification, which broke
SETTINGS and QPACK stream handling.
Add per-connection RX buffers for peer unidirectional streams, compact
unconsumed bytes when a frame is incomplete, retain bytes received after
the stream type varint, and defer peer uni identification to the normal
poll path so queued bytes flow through the buffered handlers.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
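An added illustration of the buffering described in the commit message above, not code from that commit or from the project: a per-stream buffer that keeps unconsumed bytes across reads and consumes an HTTP/3 frame (varint type, varint length, payload) only once it is complete. `struct uni_rx`, `uni_rx_feed()` and the 64-byte buffer size are hypothetical names and values chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical per-stream RX state; the buffer size is an assumption. */
struct uni_rx {
	uint8_t buf[64];
	size_t len;          /* unconsumed bytes kept across reads */
	unsigned int frames; /* complete frames seen so far */
	uint64_t last_type;  /* type of the last complete frame */
};

/* QUIC varint (RFC 9000, section 16): returns bytes used, 0 if incomplete. */
static size_t varint_get(const uint8_t *p, size_t avail, uint64_t *out)
{
	size_t n = avail ? (size_t)1 << (p[0] >> 6) : 1;

	if (avail < n)
		return 0;
	*out = p[0] & 0x3f;
	for (size_t i = 1; i < n; i++)
		*out = (*out << 8) | p[i];
	return n;
}

/* Append one read's bytes, consume whole frames, keep the remainder. */
int uni_rx_feed(struct uni_rx *rx, const uint8_t *data, size_t n)
{
	size_t off = 0, a, b;
	uint64_t type, flen;

	if (n > sizeof(rx->buf) - rx->len)
		return -1; /* would overflow the stream buffer */
	memcpy(rx->buf + rx->len, data, n);
	rx->len += n;
	while ((a = varint_get(rx->buf + off, rx->len - off, &type)) != 0 &&
	       (b = varint_get(rx->buf + off + a, rx->len - off - a, &flen)) != 0) {
		if (flen > sizeof(rx->buf) - a - b)
			return -1; /* frame can never fit: treat as an error */
		if (rx->len - off - a - b < flen)
			break; /* payload incomplete: wait for more bytes */
		rx->last_type = type;
		rx->frames++;
		off += a + b + (size_t)flen;
	}
	memmove(rx->buf, rx->buf + off, rx->len - off); /* compact the tail */
	rx->len -= off;
	return 0;
}
```

The length check against the buffer size happens before waiting for the payload, so a peer that announces an oversized frame is rejected immediately instead of stalling the stream with a frame that can never complete.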
Do not clear POLLIN after handling an identified HTTP/3 peer
unidirectional stream.
The control and QPACK streams can deliver more data later on the same
fd. Clearing the poll events after the first successful read leaves the
stream registered but no longer observable, so subsequent data is never
processed.
Keep the stream poll slot readable until the stream closes or errors.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Store HTTP/3 bidirectional request parsing state in the per-stream slot
instead of sharing the client-wide request buffer and metadata.
The HTTP/3 path reused client->buffer, client->data_len,
client->current_detail, client->url_buffer and client->method for every
active request stream on the connection. If one stream stopped on
partial frame data and another stream became readable, bytes and parsed
state from the two streams could be mixed, breaking request parsing and
dispatch.
Add per-stream HTTP/3 request state, restore it before handling a
stream, and save it back afterwards. Reset the slot state when streams
are added, closed, or cleaned up so reused slots start from a clean
state.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Keep the HTTP/3 "headers sent" state in the per-stream context instead
of using a local variable in the response path.
Dynamic HTTP/3 handlers can be called multiple times on the same stream,
for example when request DATA arrives in multiple frames or when the
handler produces the response in chunks. With a local headers_sent flag,
each call starts from false and the server can emit HEADERS more than
once on the same stream.
Store the flag alongside the tracked H3 stream fds and look it up from
the current stream socket before sending a response. Reset the flag when
the stream slot is released so reused slots start cleanly.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Handle HTTP/3 stream FIN as request completion instead of immediately
dropping the stream fd.
A bidirectional H3 request can legitimately stay open until the peer
closes the send side, especially for dynamic POST/PUT/PATCH handlers
that wait for end-of-stream before completing the transaction. Closing
the stream as soon as recv() returns 0 skips that final processing step
and can leave request completion callbacks unsent.
Process buffered H3 frames once more when FIN is observed, finalize
pending request bodies with an empty final DATA indication, and treat
FIN with incomplete frame data as an error. Also ignore POLLHUP-only
cleanup when POLLIN is present so the FIN path still gets a chance to
run.
Assisted-by: Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Distinguish accepted HTTP/3 streams that should be ignored from
accepted streams that still need polling.
accept_h3_stream() can accept a peer unidirectional stream before
enough data is available to identify its type. The poll loop treated
that -EAGAIN path as "no stream queued" and returned without adding
the accepted fd to the poll set.
Add a separate ignored-stream return code and register accepted
streams whenever a valid fd is returned. This keeps peer control and
QPACK streams in the poll set while preserving the existing handling
for server-initiated, push, and unknown unidirectional streams.
This prevents accepted peer uni stream fds from being left open and
untracked.
Assisted-by: GitHub Copilot:gpt-5.4
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
When printing http services, show also what HTTP protocol
version is supported for that service.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
If ALPN list is enabled, and if HTTP/3 is enabled, then the
default ALPN list might be too small. ALPN is mandatory
for HTTP/3 so we need to increase the max limit.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
The http_server_run() function is very large and hard to read,
refactor it into smaller pieces. There are no functionality
changes in this commit.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Use non-blocking cancellation when cancelling client inactivity
timer. This will avoid possible workqueue deadlock.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Print information about what failed for setsockopt calls. This
way it is easier to try to solve the issue.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
If user wants to use HTTP/2 but it is disabled, then give
a warning. The condition is ignored atm.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
When we linearize the incoming packet (when doing decryption),
we need to check that we are not receiving a larger packet than
what is being configured in the system.
This is mainly concerning the case where user has lowered the
default value of CONFIG_WIREGUARD_BUF_LEN (1500 bytes) and we
are receiving data in Ethernet (MTU is 1500 bytes).
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Both set_gc entries use row=0 which will result in the first entry being
overwritten and the configuration being deactivated. Activation takes
place only after the last entry has been configured.
Signed-off-by: Andre Heinemans <andre.heinemans@nxp.com>
`subsys/net/l2/ppp/misc.c` uses NET_DBG() inside
`validate_phase_transition()`, which is compiled only when
CONFIG_NET_L2_PPP_LOG_LEVEL is at LOG_LEVEL_DBG. The macro is
declared in <zephyr/net/net_log.h>, which the file does not include.
At log level INF (default) the function body is a no-op stub
(ARG_UNUSED), so the missing macro goes unnoticed. At log level DBG
the file fails to build:
misc.c: implicit declaration of function 'NET_DBG'
[-Wimplicit-function-declaration]
Other files in the same directory (e.g. `link.c`) include
<zephyr/net/net_log.h> correctly; only `misc.c` is missing it.
Signed-off-by: Petr Hlineny <development@hlineny.cz>
Rename the PTP UDP IPv4/IPv6 protocol Kconfig symbols to use
consistent all-uppercase IP version naming.
Signed-off-by: Philipp Steiner <philipp.steiner1987@gmail.com>
The name inside of struct net_if_config, that is
part of struct net_if, does not need to be zeroed,
as that is already the initial value.
Signed-off-by: Fin Maaß <f.maass@vogl-electronic.com>
CONFIG_NET_SOCKETS_POLL_MAX was deprecated in v4.0 and removed in
v4.5 in favour of CONFIG_ZVFS_POLL_MAX. Update the SSH server
BUILD_ASSERT and the sample/test prj.conf files accordingly so the
symbol resolves and the assertion remains effective.
Signed-off-by: Sylvio Alves <sylvio.alves@espressif.com>
When the client connection to external peer is terminated,
close the client automatically so that user does not need
to do it manually by "net ssh stop".
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Allow user to kill an active ssh connection. This is useful as
otherwise it is impossible to stop incoming connection without
affecting other incoming connections. It is always possible to
stop the ssh server but then that kills all incoming client
connections and that might not be desired.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Add a list command that can show information about active
client and server ssh connections.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
If both CONFIG_NET_IPV6 and CONFIG_NET_IPV4 are disabled, then
the addr_len in resolve.c dns_resolve_init_locked() will be
unused which will cause a warning.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Allow multiple incoming SSH connections if we are the server.
This is controlled by CONFIG_SSH_SERVER_SHELL_COUNT option, the
default value is 1 so only one simultaneous ssh connection by
default.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
The local channel ID was immediately memset to zero after being set.
This caused issues when allocating multiple channels.
Signed-off-by: Grant Ramsay <grant.ramsay@hotmail.com>