Reading [1] and [2], it appears that the hard-coded value "2" is
incorrect and "10" should be used instead. [1] provides that:
Checks for the presence of a Service-Type == 'Call-Check' AVP as an
explicit indication that the NAS wants to do Mac-Auth.
"Call-Check" is defined in [2] as value 10.
[1]: https://wiki.freeradius.org/guide/mac-auth#web-auth-safe-mac-auth
[2]: https://freeradius.org/rfc/rfc2865.html#Service-Type
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Now that accounting is entirely handled in accounting.uc, the rest of
the system no longer needs to carry around that information.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This commit introduces an "acct_start" ubus endpoint for accounting.uc
that is used to register a new client and start accounting.
This moves the entirety of accounting management under accounting.uc,
instead of having e.g. the RADIUS Start call separate in handler-uam.uc.
Furthermore, accounting.uc no longer needs to poll for new clients: they
are now registered from portal.allow_client().
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
RFC[1] says that Acct-Session-Id should be an UTF-8-encoded string.
Increase uniqueness by using hex values instead of decimal ones.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
The RFC[1] says about Acct-Status-Type:
It MAY be used by the client to mark the start of accounting (for
example, upon booting) by specifying Accounting-On and to mark the
end of accounting (for example, just before a scheduled reboot) by
specifying Accounting-Off.
The RFC errata[2] further specifies that Accounting-On and
Accounting-Off messages apply to the whole NAS.
The RFC also mandates that[3]:
Either NAS-IP-Address or NAS-Identifier MUST be present in a
RADIUS Accounting-Request. It SHOULD contain a NAS-Port or NAS-
Port-Type attribute or both unless the service does not involve a
port or the NAS does not distinguish among its ports.
And[4]:
An Accounting-Request packet MUST have an Acct-Session-Id.
The Acct-Session-Id SHOULD contain UTF-8 encoded 10646 characters.
Finally the freeRADIUS recommendations here[5] suggest that:
1. Acct-Status-Type = Accounting-On should not be used to indicate
sub-system reboot.
2. IANA should allocate two new values for Acct-Status-Type:
Subsystem-On, and Subsystem-Off. These values have meaning similar
to Accounting-On and Accounting-Off, except that they apply to a
subystem of the NAS.
3. NASes should use these new values to indicate subsystem on/off.
4. The Called-Station-Id attribute should contain values unique to each
subsystem.
5. The NAS should signal that the entire system has rebooted by using
the existing Accounting-On and Accounting-Off values, with a value
for Called-Station-Id that is global to the NAS, or to omit it
entirely.
In order to reconcile all this, this commit implements Accounting-On and
Accounting-Off requests as follows:
- When accounting.uc is started, it loops through each uspot interface
and keeps track of the acct_server seen for each interface. Then for
each interface that do not use a previously seen server, it generates
a unique session ID, and sends an Accounting-On request to the
RADIUS server, using this session ID and the configured NAS-ID.
- When accounting.uc stops, it sends an Accounting-Off request for each
uspot interface for which an Accounting-On message was previously sent,
using the same global session ID.
If/when the Subsystem-On/Subsystem-Off values are implemented, this
commit can be revisited to simply lift the restriction on unique servers
and change the acct_type value accordingly.
Finally, it appears that while NAS-ID is provided in the request thus
making NAS-IP unnecessary, libradcli still includes this field in the
request. Likewise, it also insists on sending a NAS-Port attribute.
[1]: https://datatracker.ietf.org/doc/html/rfc2866#section-5.1
[2]: https://www.rfc-editor.org/errata_search.php?rfc=2866
[3]: https://datatracker.ietf.org/doc/html/rfc2866#section-4.1
[4]: https://datatracker.ietf.org/doc/html/rfc2866#section-5.5
[5]: https://freeradius.org/rfc/acct_status_type_subsystem.html
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
In order to send RADIUS accounting requests at the NAS level (for e.g.
Accounting-On/Off), radius_init() and radius_call() are made to accept a
null mac argument.
For radius_call() we fall back to the acct_session value (which is
required to be present per RFC) to construct the temporary file name.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
NAS-ID is a mandatory setting in configuration. This will be useful to
support Accounting-Off frames.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Now that accounting.uc no longer needs the per-client radius server
information, there is no reason to publish these sensitive secrets in
cleartext in spotfiler data.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Address RADIUS accounting server from the global settings, and call
client_interim() only if accounting is globally enabled for that
interface.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Before this commit, interface-wide settings (mainly radius) were stored
per client, resulting in duplicate data.
This commit runs a first pass that renames the "clients" global variable
to "interfaces" which is expected to have the following content:
interfaces {
settings {},
clients {},
}
Thus the settings are stored per interface now, and the list of clients
belonging to that interface is stored within the object.
This change enables us to also remove direct calls to uci configuration
in the code and thus we no longer need to store it locally.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
If a client "disappears" from wireless, spotfilter eventually wipes
their state data before the accounting removal occurs. Thus in
radius_acct(), the ubus call returns empty and no RADIUS accounting Stop
frame is sent in this condition, leaving a dangling accounting for the
client.
This commit solves this issue by maintaining a local copy of the most
recent accounting data and sending that when the live data is no longer
available.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Instead of running one timer per client, handle interim reports in the
main loop through a simple comparison between current time and expected
time of next report.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This enables CONNMARK'ing allowed traffic, and is used by accounting to
selectively delete conntrack entries on client removal.
To be used with the following fw4 config:
config include
option type 'nftables'
option path '/usr/share/uspot/firewall.nft'
option position 'chain-post'
option chain 'mangle_postrouting'
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Per RFC: https://www.rfc-editor.org/rfc/rfc2869.html#section-2.1
It is also possible to statically configure an interim value on the
NAS itself. Note that a locally configured value on the NAS MUST
override the value found in an Access-Accept.
Don't start the interim reporting timer if no interval is configured.
Also add the config option to the documented config template
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
There is no point in setting up the interim timer if the relevant radius
data is not available. Furthermore, the return value check would only
fail if the client was unknown to spotfilter at the query time, which
isn't a failure to *send* data.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
When looping through known clients:
- removal of client in spotfilter list is checked first
- checks for known client existence are redundant by construction
Also format the max_total check similarly to the timeout one
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
radius_stop() had nothing to do with RADIUS.
Simplify the function prototype by handling spotfilter args internally.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
By construction:
- interface is one of clients[] keys
- clients[] is built from config uspot 'interface'
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This dictionary uses vendor 14122, which is the WISPr vendor code. The
first few attributes defined in this dictionary as integers masked their
WISPr string counterparts, resulting in truncated attributes in RADIUS
requests.
From a quick Google Search, there is no CoovaChilli RADIUS vendor ID, it
seems to use the ChilliSpot ones:
https://support.ignitenet.com/portal/en/kb/articles/what-are-the-supported-radius-attributes-in-coovachilli-captive-portal
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This commit introduces a helper function "ratelimit_client()", invoked
from allow_client(), which parses the radius reply for known
ratelimiting attributes:
- WISPr-Bandwidth-Max-{Up,Down}
- ChilliSpot-Bandwidth-Max-{Up,Down}
WISPr attributes are expressed in bits/s, ChilliSpot in kbits/s.
If none of the attributes are present, the function is a NOP.
If any of the -Up or -Down is missing, the corresponding limit is not
set. NB: ratelimit currently does not support setting only up OR down
ratelimiting if defaults are not set.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
1. Using rtl8367c.c file for rtl8367S switch driver to support vlan
2. Configure eth0.1 as WAN and eth0.2 as LAN
3. Add mdio read/write in smi driver followed 5.4 kernel driver
4. add mido clock setting followed 5.4 kernel driver for 186w board
5. Add eth and wifi mac address allocation based of BaseMacAddress
6. Update new bdf for 2G radio
Fixes: WIFI-12650
Signed-off-by: Ken <xshi@actiontec.com>
27b1d45 cmd_upgrade: create /ucentral.upgrade
7109e62 add captive portal devices to the bridger block list
Signed-off-by: John Crispin <john@phrozen.org>
/openwrt/build_dir/target-arm_cortex-a7_musl_eabi/uspot/radius.c:264:4: error: label at end of compound statement
default:
^
Signed-off-by: John Crispin <john@phrozen.org>
This is required per documentation and may result in segfault if not
used.
Also remove the "servers" settings which is unnecessary in the context
of a single server.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Streamline the code to make it easier to extend supported attributes,
and to clarify code flow. Improve error checking.
Add licensing information (with permission from John Crispin, original
author).
NB: a few things are still hardcoded toward the end of radius(), to be
revisited.
Cc: John Crispin <john@phrozen.org>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This carries over two Chilli options used during mac authentication:
- macpasswd, which sets a static password when performing mac-auth
- macsuffix, which allows suffixing the mac address provided as username
These options are implemented in config uspot section as:
- option mac_passwd 'password'
- option mac_suffix 'suffix'
If unset, this commit is a NOP.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
If debug is disabled, this commit deletes the temporary json files
passed to radius-client.
Furthermore, to reduce the risk of collision, use a different prefix in
accounting.uc ('uacct') vs common.uc ('acct').
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
For basic uspot setups, this commit implements a 'generate' verb to
uspot /usr/bin/captive that takes a config uspot section name, and
parses the following extra options to generate the relevant spotfilter
config:
option generate_spotfilter (bool) # if unset/false, generate is a NOP
option interface 'name' # config/network interface name to redirect to
option client_autoremove (bool) # if set/true, sets client_autoremove
list wl_hosts '*.example.com' # optional list of whitelist hostnames
list wl_addrs '1.2.3.4' # optional list of whitelist IPs
"captive generate" is called in spotfilter.init to optionally (depending
on 'generate_spotfilter') create the required spotfilter-XXX.json before
starting spotfilter.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
The current uspot config uses a single named section to assign ifnames
to uspot interfaces like so:
config devices 'devices'
option wlanc0 'hotspot1'
option wlanc1 'hotspot1'
Where 'wlanc0' and 'wlanc1' are physical ifnames.
Code in common.uc also hardcodes a check to match ifnames with 'wlanc*'.
This comit gets rid of the "config device" sections and accepts in the
"config uspot" sections e.g.:
option ifname 'wlanc0'
or
list ifname 'wlanc0'
list ifname 'wlanc1'
The listed devices are then associated with the current uspot config
exactly as they were with the previous configuration system.
The hardcoded check in common.uc is also removed, allowing arbitrary
ifnames to be used.
Malformed sections are ignored with a warning. Subsequent duplicate
entries for a given ifname are be ignored with a warning.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This commit moves session id creation outside of radius_init() and
stores the identifier in ctx and client data, making it available to
various handlers.
The id is added to the list of uam_url parameters to be sent to the
backend.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Because _md[32] is defined as "char" instead of "unsigned char" in
uc_md5() and sprintf() is used instead of snprintf(), the resulting
string can be malformed (padded with FF for negative values) and
can overflow the target buffer, producing strings like:
21FFFF0D12FFFF6A48651050FFFF4CFFFFFFBA
FFFFFF16FF3EFF7C6560FFFF6BFFFFFFFFFFE7
The same issue affects the hex_to_str() helper function which uc_md5()
does not use.
This commit addresses these issues by:
- refactoring hex_to_str():
- accept a const void * input buffer internally cast to uchar
- use snprintf() and the correct format length modifier 'hh'
- use hex_to_str() in uc_md5()
- adjust uses in other callers to pass sizeof(inbuf)/2 instead of a
hardcoded number
str_to_hex() is also refactored with the same guidelines to simplify the
code and minimally address sscanf() failures by ending conversion.
While there, document these two helpers.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This adds support for dual-image ('rootfs' partitions rotation), for
the YunCore AX840 board. Implementation details are included in the
'base-files' patch this commit adds:
0060-base-files-minimal-support-for-QCA-runtime-failsafe.patch
Fixes: WIFI-12537
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This is required for dual-image support ('rootfs' partitions rotation)
used for example on the YunCore AX840.
Fixes: WIFI-12537
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
a94e2df added the support to remove old public IP file once it is connected successfully to controller
Fixes: WIFI-12474
Signed-off-by: John Crispin <john@phrozen.org>
0af4f34 Added support of retrieval of public IP if not existed and reporting in state msg
Fixes: WIFI-12474
Signed-off-by: John Crispin <john@phrozen.org>
In case of MCU with multiple firmware slots support, change of active
slot requires reset. This obviously results in MCU entering the serial
recovery mode in bootloader, with 5 sec timeout, which in case of UART
based MCUs isn't automatically detected and handled in the same way as
USB based devices (hotplug).
Starting host side support script when the MCU is waiting for MCUmgr
commands during recovery is wrong. This fixes the problem by requesting
UART based MCU to boot the firmware after active slot change followed by
reset. While at it, change also how single slot type MCUs are handled
during upgrade (always request reset after the upgrade).
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This includes shell script for host side support of the 'hci_uart' MCU
firmware type. The script calls 'btattach' with matching tty interface
and baud rate as arguments, resulting in new Bluetooth HCI controller
registration in the system. Both UART and USB interfaces are supported.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This adds support for executing a host side support script per firmware
type (in our case, full MCU firmware name is a combination of two terms:
'version__type', e.g. 'zephyr-v3.3.x__hci_uart') which currently runs on
the MCU. Additionally, support for calling the init script with 'stop'
argument is included.
The host side support scripts will be placed in '/etc/mcu.d/' and should
have executable flag set and be named after the firmware type, with 'sh'
extension (e.g. 'hci_uart.sh'). This solution assumes also that PID of a
running, related service will be stored in '/var/run/mcu.SN.pid' where
'SN' is the associated MCU serial number.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
In case of some of the MCU firmware types, additional setup on the host
side is required before the target application can be used. Example of
such a requirement is a BLE HCI controller on UART bus (firmware type:
'hci_uart') which, before can be registered in system, needs to be
attached to Bluetooth stack (with e.g. 'btattach').
This includes code for generating hidden packages under 'mcu-firmware'
with all the files required for host side support (stored in directory
with the same name as firmware type, under local 'files' directory),
for a selected MCU firmware. For example, below tree:
./feeds/mcu/mcu-firmware/files/hci_uart/etc/...
would result in creation of new package 'zephyr-hci_uart-host-support',
included in dependencies lists for all MCU firmware versions of the
'hci_uart' type, with everything from '.../files/hci_uart/'.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This reduces amount of helper functions and fixes also global variables
handle inside 'mcu.sh' and 'mcu.hotplug' shell scripts. While at it,
provide additional debug information when fetching images list and
system information.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This includes simple upgrade (downgrade) capability in the MCU support
package. If hash of firmware installed on the MCU doesn't match the one
available on host's local file system, it will get upgraded.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Copy 'bluez' package from OpenWrt's packages master branch to 'ucentral'
feed so that we can use latest version and add custom, local changes.
Keep this within 'ucentral' feeds directory to override version provided
by community based 'packages' feed from OpenWrt 21.02.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
54453a6 cmd_script: custom scripts with no uri failed to send the stdout to the server
Fixes: WIFI-12358
Signed-off-by: John Crispin <john@phrozen.org>
In case of some types of MCU firmware, additional tools, daemons, kernel
drivers, etc. are required on the host side. For example, for Bluetooth
HCI controller, at least kernel module and BlueZ should be included.
This adds a simple recipe which generates dependencies list per firmware
type/name and for existing 'hci_usb' and 'hci_uart', selects 3 packages:
'bluez-daemon', 'kmod-bluetooth' and 'kmod-crypto-user'.
Kernel crypto interface in user space has to be also included because
the BlueZ isn't able to create static address for LE-only controller
without it, which results in no registration of new BT interface:
bluetoothd[668]: src/adapter.c:get_static_addr() Failed to open crypto
bluetoothd[668]: No Bluetooth address for index 0
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
