hostapd: add CUI to ACL RADIUS Access-Request

When radius_request_cui=1 is configured, the EAP path includes a
Chargeable-User-Identity attribute (RFC 4372) but the ACL path used
by psk2-radius / mpsk-radius does not.  Add a nul CUI to
hostapd_radius_acl_query() so the RADIUS server is solicited for CUI
in Access-Accept, matching the EAP initial-request behaviour.

Signed-off-by: John Crispin <john@phrozen.org>

feeds/qca-wifi-6/hostapd/patches/zzz-acl-radius-cui.patch

@@ -0,0 +1,17 @@
+--- a/src/ap/ieee802_11_auth.c
++++ b/src/ap/ieee802_11_auth.c
+@@ -149,6 +149,14 @@
+ 	if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr,
+ 				   NULL, msg) < 0)
+ 		goto fail;
++
++	if (hapd->conf->radius_request_cui &&
++	    !radius_msg_add_attr(msg,
++				 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
++				 (const u8 *) "\0", 1)) {
++		wpa_printf(MSG_DEBUG, "Could not add CUI");
++		goto fail;
++	}
+
+ 	os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
+ 		    MAC2STR(addr));

feeds/ucentral/libwebsockets/patches/200-openssl-x509-truncate-CN-in-presence-of-other-attr.patch

@@ -0,0 +1,49 @@
+From 975ef85e3fc478dc96b19d9862a1ade383fe48f8 Mon Sep 17 00:00:00 2001
+From: Arif Alam <arif.alam@netexperience.com>
+Date: Thu, 12 Mar 2026 09:53:21 -0400
+Subject: [PATCH] openssl: x509: truncate CN in presence of other attr
+
+Backport of upstream commit 5124ffe9d431ca866ef90cb6f5167a837fdc4840.
+https://github.com/warmcat/libwebsockets/issues/2542
+
+Signed-off-by: Arif Alam <arif.alam@netexperience.com>
+---
+ lib/tls/openssl/openssl-x509.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tls/openssl/openssl-x509.c b/lib/tls/openssl/openssl-x509.c
+index 185a84a8..df324aa0 100644
+--- a/lib/tls/openssl/openssl-x509.c
++++ b/lib/tls/openssl/openssl-x509.c
+@@ -77,7 +77,8 @@ lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type,
+ {
+ 	X509_NAME *xn;
+ #if !defined(LWS_PLAT_OPTEE)
+-	char *p;
++	char *p, *p1;
++	size_t rl;
+ #endif
+ 
+ 	if (!x509)
+@@ -112,8 +113,16 @@ lws_tls_openssl_cert_info(X509 *x509, enum lws_tls_cert_info type,
+ 			return -1;
+ 		X509_NAME_oneline(xn, buf->ns.name, (int)len - 2);
+ 		p = strstr(buf->ns.name, "/CN=");
+-		if (p)
+-			memmove(buf->ns.name, p + 4, strlen(p + 4) + 1);
++		if (p) {
++			p += 4;
++			p1 = strchr(p, '/');
++			if (p1)
++				rl = (size_t)(p1 - p);
++			else
++				rl = strlen(p);
++			memmove(buf->ns.name, p, rl);
++			buf->ns.name[rl] = '\0';
++		}
+ 		buf->ns.len = (int)strlen(buf->ns.name);
+ 		return 0;
+ #endif
+-- 
+2.53.0
+

feeds/ucentral/ucentral-client/files/etc/init.d/ucentral

@@ -63,6 +63,8 @@ start_service() {
 	[ "$debug" -eq 0 ] || procd_append_param command -d
 	[ "$insecure" -eq 0 ] || procd_append_param command -i
 	[ -n "$cert" -a -n "$ca" ] && procd_append_param command -c $cert -C $ca
+	hostname_validate=$(cat /etc/ucentral/gateway.json | jsonfilter -e '@["hostname_validate"]')
+	[ "$hostname_validate" = "0" ] || procd_append_param command -h
 	[ -z "$(mount | grep 'tmpfs on / type tmpfs')" ] || procd_append_param command -r
 	procd_append_param command -b "$boot_cause"
 	procd_append_param command -f "$(cat /tmp/ucentral.version)"

patches-25.12/0101-hostapd-add-CUI-to-ACL-RADIUS-Access-Request.patch

@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Fri, 14 Mar 2026 09:00:00 +0100
+Subject: [PATCH] hostapd: add CUI to ACL RADIUS Access-Request
+
+When radius_request_cui=1 is configured, hostapd includes the
+Chargeable-User-Identity attribute (RFC 4372) in EAP Access-Request
+messages but not in the ACL path used by psk2-radius / mpsk-radius.
+RADIUS servers expecting CUI for PSK-RADIUS therefore receive no CUI.
+
+Add a nul CUI to hostapd_radius_acl_query() so that the RADIUS server
+is solicited for a CUI in the Access-Accept, matching the initial-request
+behaviour of the EAP path when no prior CUI is known. The response side
+already extracts CUI from Access-Accept and stores it.
+
+Signed-off-by: John Crispin <john@phrozen.org>
+---
+ .../hostapd/patches/zzz-0018-acl-radius-cui.patch | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+ create mode 100644 package/network/services/hostapd/patches/zzz-0018-acl-radius-cui.patch
+
+diff --git a/package/network/services/hostapd/patches/zzz-0018-acl-radius-cui.patch b/package/network/services/hostapd/patches/zzz-0018-acl-radius-cui.patch
+new file mode 100644
+--- /dev/null
++++ b/package/network/services/hostapd/patches/zzz-0018-acl-radius-cui.patch
+@@ -0,0 +1,17 @@
++--- a/src/ap/ieee802_11_auth.c
+++++ b/src/ap/ieee802_11_auth.c
++@@ -149,6 +149,14 @@
++ 	if (add_common_radius_attr(hapd, hapd->conf->radius_auth_req_attr,
++ 				   NULL, msg) < 0)
++ 		goto fail;
+++
+++	if (hapd->conf->radius_request_cui &&
+++	    !radius_msg_add_attr(msg,
+++				 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
+++				 (const u8 *) "\0", 1)) {
+++		wpa_printf(MSG_DEBUG, "Could not add CUI");
+++		goto fail;
+++	}
++
++ 	os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
++ 		    MAC2STR(addr));