The volatile backend stores the credentials on the heap, so, explicitly
add a config option that can be overridden in case there are more certs
than the default.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Using TLS credentials library add support for run-time certificates where
the installed certs are retrieved from the credential store (as of now
only volatile backend is tested).
This helps in production environments.
Implements #79564.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Add a "net filter" command that will allow user to see the
current network packet filter configuration.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Make sure that we check possible network packet filtering status
before accepting the packet.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
As the network packet filter drops packets without any indication
that the packet is dropped, it can be difficult to monitor what
is going on in the system when receiving data. The user can
now monitor the statistics and see if packets are being dropped
because of packet filter activity.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
The get_ip_rules() function is only used if IPv4 or IPv6
filtering is enabled so add checks to avoid unused function
warning.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
According to `f9901e8e` and validated by testing, the supplicant only
use case only requires 4 socket pairs. 6 pairs are required for the
`hostapd` use case.
Signed-off-by: Jordan Yates <jordan@embeint.com>
Increase the verbosity of the message when there is no source address
in `net_context_create_ipv4_new`. This is likely the first failure point
when attempting to send data on an interface that has not yet been
assigned an IP address. Burying the fault at the DBG level makes it much
more time consuming to determine the root cause of this error.
Signed-off-by: Jordan Yates <jordan@embeint.com>
The number of ports in gptp_domain.default_ds.nb_ports is a uint8_t.
A pointer to it is passed to gptp_add_port.
However, in this method, the pointer is cast to an int pointer.
The C compiler generates an int-size store for this.
In addition to potentially overwriting adjacent attributes, on platforms
such as RISC-V that do not support unaligned accesses, this causes an
exception on access.
This commit casts nb_ports to the correct type, uint8_t.
Signed-off-by: Eric Ackermann <eric.ackermann@cispa.de>
Declaration of variables after a label inside a switch statement is a
c23 extension, not c99.
This results in the following warning when compiling with clang:
> .../subsys/net/lib/zperf/zperf_shell.c:912:4: warning: label followed
> by a declaration is a C23 extension [-Wc23-extensions]
> 912 | int seconds = parse_arg(&i, argc, argv);
> | ^
> .../subsys/net/lib/zperf/zperf_shell.c:1145:4: warning: label followed
> by a declaration is a C23 extension [-Wc23-extensions]
> 1145 | int seconds = parse_arg(&i, argc, argv);
> | ^
> 2 warnings generated.
There are no practical reasons why the variable should be declared
inside the switch statement, therefore move the declaration and place it
together with declaration of other variables.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Do not ignore return values of OT functions registering IPv6 addresses.
As this is called from the net_mgmt callback context, which returns
void, there's not much that can be done, other than logging the error.
To simplify the logging code and avoid the need to use extra buffer,
use net_sprint_ipv6_addr() networking utility function within the log
message to convert binary address to string.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Fix credential store corruption issue caused by missing
security type checks. Add support for all valid security
types to ensure credentials are parsed correctly.
Fixes#88261.
Signed-off-by: Triveni Danda <triveni.danda@nordicsemi.no>
- Modified conditions in WIFI_CONNECT()
function to reject SAE password and
PSK based on length parameter
Signed-off-by: Nitin Pandey <nitin.pandey@silabs.com>
only accept new connections until the configured value for concurrent
connections is reached. Also set the backlog of the listening socket
to the configured value.
Signed-off-by: Gerhard Jörges <joerges@metratec.com>
Fix the kconfig check for enterprise crypto support in AP mode.
Also, remove the unnecessary Hostapd enterprise crypto check in
credentials code.
Signed-off-by: Triveni Danda <triveni.danda@nordicsemi.no>
IPPROTO_RAW is not a valid protocol type for AF_PACKET sockets, which
should only use IEEE 802.3 protocol numbers. Therefore remove support
for this type of sockets.
As an alternative, users can use AF_PACKET/SOCK_DGRAM or
AF_INET(6)/SOCK_RAW, depending on the actual use case.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Introduce changes in the networking stack which allow to create raw IP
sockets, so that applications can send and receive raw IP datagrams.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Register connection type along with family and protocol, so that it's
possible to differentiate between connection listening for raw IP
datagrams and TCP/UDP/other packets.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Some OpenThread functions were called without verifying the return
value, which not only is not the best practice, but also could lead to
build warnings with llvm. This commit fixes it.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
The default thread priority for the CoAP client thread is set to
NUM_PREEMPT_PRIORITIES which is not a valid thread priority, as the
lowest application thread priority is actually
NUM_PREEMPT_PRIORITIES - 1. Because of this, CoAP client library gave an
assert on boot if assertions were enabled.
Kconfig does not allow for arithmetics when setting integer defaults,
therefore handle this at the preprocessor stage by limiting the actual
priority assigned to the CoAP client thread to a valid range.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add CONFIG_NET_CONN_PACKET_CLONE_TIMEOUT to allow for longer
timeouts. This can be used to prevent dropping packets when
transmitting large amounts of data (with PPP).
Signed-off-by: Markus Lassila <markus.lassila@nordicsemi.no>
When sending the close command as a server, the data is incorrectly
masked which violates RFC6455 section 5.1.
Use the is_client flag to avoid masking if the close is for a websocket
server.
Signed-off-by: Eric Holmberg <eric.holmberg@northriversystems.co.nz>
The current mapping gets the network interface into dormant state when
Thread is not attached. While the node is not capable of doing multi-hop
communication when it's not attached, it should be able to do link-local
communication. This commit changes the mapping to look at OpenThread's
own network interface state instead without further checking Thread's
device role, so that link-local communication is supported when a node
in detached state.
Signed-off-by: Yakun Xu <xyk@google.com>
The least significant bit of the first octet of a MAC address is a
unicast/multicast bit. The bit should be cleared when generating a
random link address for a virtual interface. Any frames from such
interface/address will be dropped by the network as invalid if
the multicast bit is set.
Signed-off-by: Jack Chistyakov <jack.chistyakov@outlook.com>
Allow only 0xc (0b11) as two highest bit to mark the compression
when parsing the CNAME response. See RFC 9267 ch. 2 for details.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Make sure that the CNAME handling checks recursive name pointers
and fails the response if recursion is detected.
See RFC 9267 ch. 2 for details.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
The check for index out of bound is missing, It turns into a crash
for input channel more than WIFI_MGMT_SCAN_CHAN_MAX_MANUAL.
Signed-off-by: Kapil Bhatt <kapil.bhatt@nordicsemi.no>
This is a hack that is used until we have proper IP routing
in place. The code has now special check that makes sure that
we only route IP packets to VPN interface when the packet is
destined to that subnet. So if destination IP address does
not belong to VPN interface subnet, it is not routed there.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Instead of calling various network interface API functions to get
the network interface and related source IP address, have a single
function that can return both data.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Add support for setting up VPN enablers in the network stack.
These are to be used by the VPN implementation like Wireguard.
Signed-off-by: Jukka Rissanen <jukka.rissanen@gmail.com>
Currently we ignore the received domain name but make sure we
print it in order to avoid unknown option prints.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Currently we ignore the received host name but make sure we
print it in order to avoid unknown option prints.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Currently we ignore the broadcast address but make sure we
print it in order to avoid unknown option prints.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Avoid compiler warnings for zero-length-arrays in the http-server. By using
memcpy instead of strcpy.
Signed-off-by: Cla Mattia Galliard <cla-mattia.galliard@zuehlke.com>
Fix compiler warning by adjusting the number of chars copied to the
destination. Compiler does not like if the destination size of the
`strncpy`-operation is the same as the number of characters written. Even
though it is not a bug in this case. Only copying size-1 characters fixes
the warning and exhibits the same behavior.
Signed-off-by: Cla Mattia Galliard <cla-mattia.galliard@zuehlke.com>
If socket call fails when mdns_responder creates listeners, then
print the return value to make it easier to figure out what is
wrong. Typically one needs to increase the size of
CONFIG_ZVFS_OPEN_MAX if errno is ENFILE.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
