Make sure to check return values of mbedtls hmac APIs so that
the digest is calculated properly.
Fixes#75259Fixes#75260Fixes#75261
Coverity-CID: 366271
Coverity-CID: 366277
Coverify-CID: 366279
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Removed the declaration and assignment of `eth_ctx` variable from
`net_if_get_wifi_sta` and `net_if_get_wifi_sap` functions since
it was not being used.
Signed-off-by: Pisit Sawangvonganan <pisit@ndrsolution.com>
Delay an ACK in case no PSH flag is present in the data packet. as
described in RFC 813. This allows to reduce the number of ACK packets
we send and thus improve the TCP download throughput.
The results achieved on `nucleo_h723zg` board and the zperf sample
are as follows:
Before: 77.14 Mbps
After: 93.14 Mbps
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
OpenThread interfaces were not considered when default interface name
is assigned, so they ended up with a generic "netX" name. Since it
useful to have an option to identify interface easily by name, assign an
unique "threadX" name for OpenThread interfaces, just like it's done for
other interface types.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Partial conditional compilation within tcpv4/6_init_isn() caused
errors in coverity, as hash variable seemed to be used w/o
initialization.
As those functions are not really used at all if
CONFIG_NET_TCP_ISN_RFC6528 is disabled, we can just conditionally
compile entire functions to avoid confusion.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Utilize a code spell-checking tool to scan for and correct spelling errors
in all files within the `subsys/net/ip` directory.
Signed-off-by: Pisit Sawangvonganan <pisit@ndrsolution.com>
The minimum length for the network interface buffer is 2 so that we
can have terminating null there.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Split wifi interface into station mode and soft-AP mode, as there may be
station and soft-AP two interfaces that work concurrently.
Signed-off-by: Maochen Wang <maochen.wang@nxp.com>
The Xilinx AXI Ethernet subsystem is capable of RX/Tx checksum
offloading. While it supports computing IP and UDP/TCP checksums, it
does not support computing ICMP checksums and only computes IP checksums
for ICMP messages. Thus, this patch adds an additional configuration for
ethernet drivers that indicates for which protocols checksum offloading
is (to be) supported. This flag is then considered by the IP subsystem
in determining when flags need to be computed in software.
Signed-off-by: Eric Ackermann <eric.ackermann@cispa.de>
While forwarding a multicast packet decrement hop limit in a common net
buffer. Also, packets with hop limit equal to 0 should not be forwarded.
Signed-off-by: Konrad Derda <konrad.derda@nordicsemi.no>
This is next commit from the set of patches that brings to the
Zephyr, SO_TIMESTAMPING socket level option. It stores timestamping
option bitmask that can be transfered to the net_pkt.
Signed-off-by: Adam Wojasinski <awojasinski@baylibre.com>
This is the first commit from the set of patches that brings to the
Zephyr, SO_TIMESTAMPING socket level option. This enables to pass to
the network driver information whether given network packet should
be timestamped or not.
Signed-off-by: Adam Wojasinski <awojasinski@baylibre.com>
Added incrementation of the packet reference count when puting
the packet on the queue used in tx timestamping thread. This fixes
an issue when user wants to access the packet data in the timestamp
callback context. Before the fix was introduced if sockets were used
packet has been unreferenced before execution reached timestamp callback
context.
Signed-off-by: Adam Wojasinski <awojasinski@baylibre.com>
Replaced tcp_out() with tcp_out_ext() when sending
SYN during tcp connect, so we can intercept error value,
beacuse in such case the packet would not be sent at all
and the stack would not trigger any mechanism to flush
this context so it ends up leaking. These scenarios can
arise when the underlaying interface is not properly
configured or is disconnected. The conn is marked to be
closed and is closed before exiting tcp_in().
Since we can now identify this case we can also exit
early in the net_tcp_connect() function and not wait
for any timeout.
Signed-off-by: Daniel Nejezchleb <dnejezchleb@hwg.cz>
The autoconf module can now reuse generic address conflict detection,
which was added for all address types.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add support for IPv4 conflict detection, as specified in RFC 5227.
The new feature is optional and disabled by default.
Address conflict detection was implemented as a part of the IPv4
autoconf feature can be generalized to be available for all address
types.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Do not depend on init level but start the socket service
already in net core init because DNS init code depends on
socket service API to be ready to serve. And we call DNS
init at the net core init.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Allow mDNS resolver and responder to to be used at the same
time so that both can use the port 5353. This requires
a DNS traffic dispatcher which affects also the normal DNS
resolver.
Fixes#72553
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Supplicant create AF_PACKET proto ETH_P_PAE socket but receive other
frames like ICMP, UDP and causes following issues.
1. When frame len exceeds MTU, net_pkt_clone cannot clone pkt.
Thus dropped it and print warning log.
2. It will lower throughput performance as every packet is cloned.
Fix it by conn_raw_socket does not deliver pkts protocol not macted,
after l2 processed, unless conn is all packets.
Signed-off-by: Fengming Ye <frank.ye@nxp.com>
In an effort to shave off code size, remove out-of-the-box
enabling of crypto features (except SHA-256).
Configurations are adjusted to enable what they need.
Bonuses:
- When enabled, AES now defaults to using a smaller version
(`CONFIG_MBEDTLS_AES_ROM_TABLES` isn't default enabled anymore,
and if enabled, `CONFIG_MBEDTLS_AES_FEWER_TABLES` defaults to y).
- Conditions around Mbed TLS Kconfig options have been improved
to reflect the reality of the dependencies.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Some IPv4/IPv6 functions were ifdef-sliced internally, despite being
compiled in conditionally in top-level #ifdef block under the same
condition.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
In some cases the comment after #endif did not match the opening #if, in
some cases it was missing.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Namespaced the generated headers with `zephyr` to prevent
potential conflict with other headers.
Introduce a temporary Kconfig `LEGACY_GENERATED_INCLUDE_PATH`
that is enabled by default. This allows the developers to
continue the use of the old include paths for the time being
until it is deprecated and eventually removed. The Kconfig will
generate a build-time warning message, similar to the
`CONFIG_TIMER_RANDOM_GENERATOR`.
Updated the includes path of in-tree sources accordingly.
Most of the changes here are scripted, check the PR for more
info.
Signed-off-by: Yong Cong Sin <ycsin@meta.com>
Filtering out received packets which source address matches one of our
own addresses has broken the duplicate address detection conflict
reporting.
In case Neighbor Advertisement is sent during DAD collision, the source
address of such packet might be set to the address that triggered the
collision. This address would also be set on our interface, marked as
tentative. Therefore in order to make duplicate address detection work,
we cannot filter out packets in case our own address is still in
tentative state.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
A support for RDNSS option should not force DNS subsystem being enabled
in the system, especially that the option is enabled by default. It
should work the other way around - the option is supported only if DNS
was enabled by the user.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
The input address originates from an RX net_buf which may
be unaligned. Consequently, word access to this unaligned buffer
can trigger an unaligned access exception on certain platforms,
such as the ARMv7 Cortex-A9.
Signed-off-by: Taras Zaporozhets <zaporozhets.taras@gmail.com>
When the network inteface goes operational DOWN (for example cable
unplugged), clear "joined" flag on all registered multicast addresses,
so that MLD report is sent for them when the interface goes back up.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
When bringing interface down, all IPv6 multicast addresses are removed
from the interface. However, when the interface was brought back up,
rejoin_ipv6_mcast_groups() would look only for solicited node mcast
addresses already present on the interface. In result, after going back
up, the interface was missing solicited-node mcast addresses for those
unicast addresses, that were already present on the interface when
bringing up.
As net_ipv6_mld_join() does similar checks to skip MLD when not needed,
we can just skip the lookup when rejoining, and use already defined
join_mcast_nodes().
Additionally, check for IPV6 and NO_ND flags on the interface before
attempting to add the address back, those multicast addresses are not
needed if ND is disabled on the interface.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
In case a network interface is brought down and back up, DAD was not
performed for link-local unicast address.
This happens because the logic in the network interface code assumed
that DAD for link-local address is triggered when the address is added,
and it's explicitly omited when looping over IPv6 address. This wasn't
the case however when interface was brought back up, as the address was
already present on the interface, hence DAD skipped.
In Linux, the link-local address is removed from the interface when the
interface is brought down. Such approach solves the issue described,
hence implement it in a similar way in Zephyr.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
There is no need to check our own context when going through
the used ports in the system. This prevents error when binding
in some corner cases.
Fixes#72035
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
According to the RFC, MODE_IS_INCLUDE/MODE_IS_EXCLUDE codes should be
used while sendling Multicast Listener Reports in response to a query.
When performing a transition between states (e.g., when joining or
leaving a multicast group) CHANGE_TO_INCLUDE_MODE/CHANGE_TO_EXCLUDE_MODE
have to be used.
Signed-off-by: Konrad Derda <konrad.derda@nordicsemi.no>
From RFC:
* "source list" is an unordered list of zero or more unicast
addresses from which multicast reception is desired or not desired [...]
It means that there is no need to add any special address to specify
"block all" and "allow all" states explicitly. This commit removes the
unnecessary addition.
Signed-off-by: Konrad Derda <konrad.derda@nordicsemi.no>
When BUILD_WITH_TFM is enabled we can dispatch hash computation
to TFM. This allows to remove the built-in support of SHA256 from
the non-secure side (if it's not used for any other purpose, of course).
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
It may happen that the interface is up but not yet running
when we issue the rejoin_ipv6_mcast_groups(). This can be
fixed by calling this function again right after the iface
is set to 'running' state in the notify_iface_up handler.
Signed-off-by: Marcin Kajor <marcin.kajor@nordicsemi.no>
When calling net_if_get_default(), print a warning if no
network interfaces are found. This helps debugging mysterious
crashes.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
When trying to get IPv6 prefix, if there are no network interfaces
then the net_if_get_default() will return NULL but we should not
crash at that point but return gracefully.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Making default preferred time much closer to default valid time
so that the served addresses are much shorter time in deprecated
state where they cannot be utilized. This is important in Zephyr
as there are limited number of IPv6 addresses that can be allocated
to the network interface.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
We usually cannot use context->local for established TCP connections
because the local address is not updated for TCP if we are bound to
any address. So create helper that try to figure out the end point
addresses.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Add support for IPv6 Source Address Selection defined in RFC 5014.
This commit does not add any address selection support to getaddrinfo()
as described in the RFC. The AI_EXTFLAGS symbol and also the ai_eflags
to hints is added but they are not used by the code.
The public/temporary address selection is only done internally by
the net_if_ipv6_select_src_addr_hint() according to flags set by
setsockopt().
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Add reference counting to network interface address (for both
IPv4 and IPv6) so that the address is not removed if there are
sockets using it. If the interface address is removed while there
are sockets using it, the connectivity will fail for the said
socket.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
Add events to be generated when privacy extension is enabled
or disabled, or when allow/deny filter is added or deleted.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
If IPv6 privacy extension is enabled, then we need to select
proper public or temporary IPv6 source address when sending the
packet.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
This creates support for IPv6 privacy extensions which is described
in RFC 8981. This will also add API that can be used to add IPv6
prefixes to a allow or deny list privacy extension filter.
The code will create temporary IPv6 addresses from prefixes that
are advertised by Router Advertisement messages. The temporary
IPv6 addresses are then expired according to lifetime and removed.
Fixes#9349
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
