ucentral-tools: the git repo is gone, move the code into the package

Signed-off-by: John Crispin <john@phrozen.org>

feeds/ipq807x_v5.4/hostapd/patches/zzz-FT-Store-PMK-R0-PMK-R1-after-EAPOL-Key-msg-2-4-MIC-v.patch

@@ -0,0 +1,411 @@
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Tue, 14 Feb 2023 11:29:30 +0200
+Subject: [PATCH] FT: Store PMK-R0/PMK-R1 after EAPOL-Key msg 2/4 MIC
+ validation
+
+hostapd was previously storing the derived PMK-R0 and PMK-R1 as soon as
+these keys were derived. While that is fine for most purposes, it is
+unnecessary to do that so quickly and if anything were to fail before
+the supplicant is able to return a valid EAPOL-Key msg 2/4, there would
+not really be any real use for the derived keys.
+
+For the special case of FT-PSK and VLAN determination based on the
+wpa_psk file, the VLAN information is set in the per-STA data structures
+only after the EAPOL-Key msg 2/4 MIC has been verified. This ended up
+storing the PMK-R0/PMK-R1 entries without correct VLAN assignment and as
+such, any use of the FT protocol would not be able to transfer the VLAN
+information through RRB.
+
+Split local storing of the FT key hierarchy for the cases using the FT
+4-way handshake so that PMK-R0 and PMK-R1 are first derived and then
+stored as a separate step after having verified the MIC in the EAPOL-Key
+msg 2/4 (i.e., after having confirmed the per-STA passphrase/PSK was
+selected) and VLAN update. This fixes VLAN information for the
+wpa_psk_file cases with FT-PSK.
+
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+---
+
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -58,7 +58,9 @@ static int wpa_group_config_group_keys(s
+ 				       struct wpa_group *group);
+ static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
+ 			  const u8 *pmk, unsigned int pmk_len,
+-			  struct wpa_ptk *ptk, int force_sha256);
++			  struct wpa_ptk *ptk, int force_sha256,
++			  u8 *pmk_r0, u8 *pmk_r1, u8 *pmk_r0_name,
++			  size_t *key_len);
+ static void wpa_group_free(struct wpa_authenticator *wpa_auth,
+ 			   struct wpa_group *group);
+ static void wpa_group_get(struct wpa_authenticator *wpa_auth,
+@@ -940,6 +942,10 @@ static int wpa_try_alt_snonce(struct wpa
+ 	const u8 *pmk = NULL;
+ 	size_t pmk_len;
+ 	int vlan_id = 0;
++	u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
++	u8 pmk_r1[PMK_LEN_MAX];
++	size_t key_len;
++	int ret = -1;
+ 
+ 	os_memset(&PTK, 0, sizeof(PTK));
+ 	for (;;) {
+@@ -961,8 +967,8 @@ static int wpa_try_alt_snonce(struct wpa
+ 			pmk_len = sm->pmk_len;
+ 		}
+ 
+-		if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK, 0) <
+-		    0)
++		if (wpa_derive_ptk(sm, sm->alt_SNonce, pmk, pmk_len, &PTK, 0,
++				   pmk_r0, pmk_r1, pmk_r0_name, &key_len) < 0)
+ 			break;
+ 
+ 		if (wpa_verify_key_mic(sm->wpa_key_mgmt, pmk_len, &PTK,
+@@ -983,7 +989,7 @@ static int wpa_try_alt_snonce(struct wpa
+ 	if (!ok) {
+ 		wpa_printf(MSG_DEBUG,
+ 			   "WPA: Earlier SNonce did not result in matching MIC");
+-		return -1;
++		goto fail;
+ 	}
+ 
+ 	wpa_printf(MSG_DEBUG,
+@@ -992,14 +998,26 @@ static int wpa_try_alt_snonce(struct wpa
+ 
+ 	if (vlan_id && wpa_key_mgmt_wpa_psk(sm->wpa_key_mgmt) &&
+ 	    wpa_auth_update_vlan(sm->wpa_auth, sm->addr, vlan_id) < 0)
+-		return -1;
++		goto fail;
++
++#ifdef CONFIG_IEEE80211R_AP
++	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) && !sm->ft_completed) {
++		wpa_printf(MSG_DEBUG, "FT: Store PMK-R0/PMK-R1");
++		wpa_auth_ft_store_keys(sm, pmk_r0, pmk_r1, pmk_r0_name,
++				       key_len);
++	}
++#endif /* CONFIG_IEEE80211R_AP */
+ 
+ 	os_memcpy(sm->SNonce, sm->alt_SNonce, WPA_NONCE_LEN);
+ 	os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
+ 	forced_memzero(&PTK, sizeof(PTK));
+ 	sm->PTK_valid = true;
+ 
+-	return 0;
++	ret = 0;
++fail:
++	forced_memzero(pmk_r0, sizeof(pmk_r0));
++	forced_memzero(pmk_r1, sizeof(pmk_r1));
++	return ret;
+ }
+ 
+ 
+@@ -2283,7 +2301,9 @@ SM_STATE(WPA_PTK, PTKSTART)
+ 
+ static int wpa_derive_ptk(struct wpa_state_machine *sm, const u8 *snonce,
+ 			  const u8 *pmk, unsigned int pmk_len,
+-			  struct wpa_ptk *ptk, int force_sha256)
++			  struct wpa_ptk *ptk, int force_sha256,
++			  u8 *pmk_r0, u8 *pmk_r1, u8 *pmk_r0_name,
++			  size_t *key_len)
+ {
+ 	const u8 *z = NULL;
+ 	size_t z_len = 0, kdk_len;
+@@ -2311,7 +2331,8 @@ static int wpa_derive_ptk(struct wpa_sta
+ 						 sm->pairwise,
+ 						 kdk_len);
+ 		}
+-		return wpa_auth_derive_ptk_ft(sm, ptk);
++		return wpa_auth_derive_ptk_ft(sm, ptk, pmk_r0, pmk_r1,
++					      pmk_r0_name, key_len);
+ 	}
+ #endif /* CONFIG_IEEE80211R_AP */
+ 
+@@ -2934,6 +2955,9 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
+ 	struct wpa_eapol_ie_parse kde;
+ 	int vlan_id = 0;
+ 	int owe_ptk_workaround = !!wpa_auth->conf.owe_ptk_workaround;
++	u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
++	u8 pmk_r1[PMK_LEN_MAX];
++	size_t key_len;
+ 
+ 	SM_ENTRY_MA(WPA_PTK, PTKCALCNEGOTIATING, wpa_ptk);
+ 	sm->EAPOLKeyReceived = false;
+@@ -2972,7 +2996,8 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
+ 		}
+ 
+ 		if (wpa_derive_ptk(sm, sm->SNonce, pmk, pmk_len, &PTK,
+-				   owe_ptk_workaround == 2) < 0)
++				   owe_ptk_workaround == 2, pmk_r0, pmk_r1,
++				   pmk_r0_name, &key_len) < 0)
+ 			break;
+ 
+ 		if (mic_len &&
+@@ -3021,7 +3046,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
+ 						 sm->last_rx_eapol_key,
+ 						 sm->last_rx_eapol_key_len);
+ 		sm->waiting_radius_psk = 1;
+-		return;
++		goto out;
+ 	}
+ 
+ 	if (!ok) {
+@@ -3029,7 +3054,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
+ 				"invalid MIC in msg 2/4 of 4-Way Handshake");
+ 		if (psk_found)
+ 			wpa_auth_psk_failure_report(sm->wpa_auth, sm->addr);
+-		return;
++		goto out;
+ 	}
+ 
+ 	/*
+@@ -3043,12 +3068,12 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
+ 	key_data_length = WPA_GET_BE16(mic + mic_len);
+ 	if (key_data_length > sm->last_rx_eapol_key_len - sizeof(*hdr) -
+ 	    sizeof(*key) - mic_len - 2)
+-		return;
++		goto out;
+ 
+ 	if (wpa_parse_kde_ies(key_data, key_data_length, &kde) < 0) {
+ 		wpa_auth_vlogger(wpa_auth, sm->addr, LOGGER_INFO,
+ 				 "received EAPOL-Key msg 2/4 with invalid Key Data contents");
+-		return;
++		goto out;
+ 	}
+ 	if (kde.rsn_ie) {
+ 		eapol_key_ie = kde.rsn_ie;
+@@ -3075,7 +3100,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
+ 		/* MLME-DEAUTHENTICATE.request */
+ 		wpa_sta_disconnect(wpa_auth, sm->addr,
+ 				   WLAN_REASON_PREV_AUTH_NOT_VALID);
+-		return;
++		goto out;
+ 	}
+ 	if ((!sm->rsnxe && kde.rsnxe) ||
+ 	    (sm->rsnxe && !kde.rsnxe) ||
+@@ -3091,7 +3116,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
+ 		/* MLME-DEAUTHENTICATE.request */
+ 		wpa_sta_disconnect(wpa_auth, sm->addr,
+ 				   WLAN_REASON_PREV_AUTH_NOT_VALID);
+-		return;
++		goto out;
+ 	}
+ #ifdef CONFIG_OCV
+ 	if (wpa_auth_uses_ocv(sm)) {
+@@ -3103,14 +3128,14 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
+ 		if (wpa_channel_info(wpa_auth, &ci) != 0) {
+ 			wpa_auth_logger(wpa_auth, sm->addr, LOGGER_INFO,
+ 					"Failed to get channel info to validate received OCI in EAPOL-Key 2/4");
+-			return;
++			goto out;
+ 		}
+ 
+ 		if (get_sta_tx_parameters(sm,
+ 					  channel_width_to_int(ci.chanwidth),
+ 					  ci.seg1_idx, &tx_chanwidth,
+ 					  &tx_seg1_idx) < 0)
+-			return;
++			goto out;
+ 
+ 		res = ocv_verify_tx_params(kde.oci, kde.oci_len, &ci,
+ 					   tx_chanwidth, tx_seg1_idx);
+@@ -3127,7 +3152,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
+ 					OCV_FAILURE "addr=" MACSTR
+ 					" frame=eapol-key-m2 error=%s",
+ 					MAC2STR(sm->addr), ocv_errorstr);
+-			return;
++			goto out;
+ 		}
+ 	}
+ #endif /* CONFIG_OCV */
+@@ -3135,7 +3160,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
+ 	if (ft && ft_check_msg_2_of_4(wpa_auth, sm, &kde) < 0) {
+ 		wpa_sta_disconnect(wpa_auth, sm->addr,
+ 				   WLAN_REASON_PREV_AUTH_NOT_VALID);
+-		return;
++		goto out;
+ 	}
+ #endif /* CONFIG_IEEE80211R_AP */
+ #ifdef CONFIG_P2P
+@@ -3171,7 +3196,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
+ 				   "DPP: Peer indicated it supports PFS and local configuration allows this, but PFS was not negotiated for the association");
+ 			wpa_sta_disconnect(wpa_auth, sm->addr,
+ 					   WLAN_REASON_PREV_AUTH_NOT_VALID);
+-			return;
++			goto out;
+ 		}
+ 	}
+ #endif /* CONFIG_DPP2 */
+@@ -3191,7 +3216,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
+ 				    sm->sup_pmk_r1_name, WPA_PMK_NAME_LEN);
+ 			wpa_hexdump(MSG_DEBUG, "FT: Derived PMKR1Name",
+ 				    sm->pmk_r1_name, WPA_PMK_NAME_LEN);
+-			return;
++			goto out;
+ 		}
+ 	}
+ #endif /* CONFIG_IEEE80211R_AP */
+@@ -3200,7 +3225,7 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
+ 	    wpa_auth_update_vlan(wpa_auth, sm->addr, vlan_id) < 0) {
+ 		wpa_sta_disconnect(wpa_auth, sm->addr,
+ 				   WLAN_REASON_PREV_AUTH_NOT_VALID);
+-		return;
++		goto out;
+ 	}
+ 
+ 	sm->pending_1_of_4_timeout = 0;
+@@ -3216,9 +3241,20 @@ SM_STATE(WPA_PTK, PTKCALCNEGOTIATING)
+ 
+ 	sm->MICVerified = true;
+ 
++#ifdef CONFIG_IEEE80211R_AP
++	if (wpa_key_mgmt_ft(sm->wpa_key_mgmt) && !sm->ft_completed) {
++		wpa_printf(MSG_DEBUG, "FT: Store PMK-R0/PMK-R1");
++		wpa_auth_ft_store_keys(sm, pmk_r0, pmk_r1, pmk_r0_name,
++				       key_len);
++	}
++#endif /* CONFIG_IEEE80211R_AP */
++
+ 	os_memcpy(&sm->PTK, &PTK, sizeof(PTK));
+ 	forced_memzero(&PTK, sizeof(PTK));
+ 	sm->PTK_valid = true;
++out:
++	forced_memzero(pmk_r0, sizeof(pmk_r0));
++	forced_memzero(pmk_r1, sizeof(pmk_r1));
+ }
+ 
+ 
+--- a/src/ap/wpa_auth_ft.c
++++ b/src/ap/wpa_auth_ft.c
+@@ -2175,13 +2175,13 @@ int wpa_ft_store_pmk_fils(struct wpa_sta
+ }
+ 
+ 
+-int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, struct wpa_ptk *ptk)
++int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
++			   u8 *pmk_r0, u8 *pmk_r1, u8 *pmk_r0_name,
++			   size_t *key_len)
+ {
+-	u8 pmk_r0[PMK_LEN_MAX], pmk_r0_name[WPA_PMK_NAME_LEN];
+ 	size_t pmk_r0_len = wpa_key_mgmt_sha384(sm->wpa_key_mgmt) ?
+ 		SHA384_MAC_LEN : PMK_LEN;
+ 	size_t pmk_r1_len = pmk_r0_len;
+-	u8 pmk_r1[PMK_LEN_MAX];
+ 	u8 ptk_name[WPA_PMK_NAME_LEN];
+ 	const u8 *mdid = sm->wpa_auth->conf.mobility_domain;
+ 	const u8 *r0kh = sm->wpa_auth->conf.r0_key_holder;
+@@ -2189,13 +2189,6 @@ int wpa_auth_derive_ptk_ft(struct wpa_st
+ 	const u8 *r1kh = sm->wpa_auth->conf.r1_key_holder;
+ 	const u8 *ssid = sm->wpa_auth->conf.ssid;
+ 	size_t ssid_len = sm->wpa_auth->conf.ssid_len;
+-	int psk_local = sm->wpa_auth->conf.ft_psk_generate_local;
+-	int expires_in = sm->wpa_auth->conf.r0_key_lifetime;
+-	struct vlan_description vlan;
+-	struct rate_description rate;
+-	const u8 *identity, *radius_cui;
+-	size_t identity_len, radius_cui_len;
+-	int session_timeout;
+ 	const u8 *mpmk;
+ 	size_t mpmk_len;
+ 
+@@ -2211,10 +2204,41 @@ int wpa_auth_derive_ptk_ft(struct wpa_st
+ 		return -1;
+ 	}
+ 
++	*key_len = pmk_r0_len;
++	if (wpa_derive_pmk_r0(mpmk, mpmk_len, ssid, ssid_len, mdid,
++			      r0kh, r0kh_len, sm->addr,
++			      pmk_r0, pmk_r0_name,
++			      pmk_r0_len == SHA384_MAC_LEN) < 0 ||
++	    wpa_derive_pmk_r1(pmk_r0, pmk_r0_len, pmk_r0_name, r1kh, sm->addr,
++			      pmk_r1, sm->pmk_r1_name) < 0)
++		return -1;
++
++	return wpa_pmk_r1_to_ptk(pmk_r1, pmk_r1_len, sm->SNonce, sm->ANonce,
++				 sm->addr, sm->wpa_auth->addr, sm->pmk_r1_name,
++				 ptk, ptk_name, sm->wpa_key_mgmt, sm->pairwise,
++				 0);
++}
++
++
++void wpa_auth_ft_store_keys(struct wpa_state_machine *sm, const u8 *pmk_r0,
++			    const u8 *pmk_r1, const u8 *pmk_r0_name,
++			    size_t key_len)
++{
++	int psk_local = sm->wpa_auth->conf.ft_psk_generate_local;
++	int expires_in = sm->wpa_auth->conf.r0_key_lifetime;
++	struct vlan_description vlan;
++	struct rate_description rate;
++	const u8 *identity, *radius_cui;
++	size_t identity_len, radius_cui_len;
++	int session_timeout;
++
++	if (psk_local && wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
++		return;
++
+ 	if (wpa_ft_get_vlan(sm->wpa_auth, sm->addr, &vlan) < 0) {
+ 		wpa_printf(MSG_DEBUG, "FT: vlan not available for STA " MACSTR,
+ 			   MAC2STR(sm->addr));
+-		return -1;
++		return;
+ 	}
+ 
+ 	wpa_ft_get_rate_limit(sm->wpa_auth, sm->addr, &rate);
+@@ -2224,32 +2248,16 @@ int wpa_auth_derive_ptk_ft(struct wpa_st
+ 					       &radius_cui);
+ 	session_timeout = wpa_ft_get_session_timeout(sm->wpa_auth, sm->addr);
+ 
+-	if (wpa_derive_pmk_r0(mpmk, mpmk_len, ssid, ssid_len, mdid,
+-			      r0kh, r0kh_len, sm->addr,
+-			      pmk_r0, pmk_r0_name,
+-			      wpa_key_mgmt_sha384(sm->wpa_key_mgmt)) < 0)
+-		return -1;
+-	if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
+-		wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_len,
+-				    pmk_r0_name,
+-				    sm->pairwise, &vlan, expires_in,
+-				    session_timeout, identity, identity_len,
+-				    radius_cui, radius_cui_len, &rate);
+-
+-	if (wpa_derive_pmk_r1(pmk_r0, pmk_r0_len, pmk_r0_name, r1kh, sm->addr,
+-			      pmk_r1, sm->pmk_r1_name) < 0)
+-		return -1;
+-	if (!psk_local || !wpa_key_mgmt_ft_psk(sm->wpa_key_mgmt))
+-		wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1, pmk_r1_len,
+-				    sm->pmk_r1_name, sm->pairwise, &vlan,
+-				    expires_in, session_timeout, identity,
+-				    identity_len, radius_cui, radius_cui_len,
+-				    &rate);
+-
+-	return wpa_pmk_r1_to_ptk(pmk_r1, pmk_r1_len, sm->SNonce, sm->ANonce,
+-				 sm->addr, sm->wpa_auth->addr, sm->pmk_r1_name,
+-				 ptk, ptk_name, sm->wpa_key_mgmt, sm->pairwise,
+-				 0);
++	wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, key_len,
++			    pmk_r0_name,
++			    sm->pairwise, &vlan, expires_in,
++			    session_timeout, identity, identity_len,
++			    radius_cui, radius_cui_len, &rate);
++
++	wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1, key_len,
++			    sm->pmk_r1_name, sm->pairwise, &vlan,
++			    expires_in, session_timeout, identity,
++			    identity_len, radius_cui, radius_cui_len, &rate);
+ }
+ 
+ 
+--- a/src/ap/wpa_auth_i.h
++++ b/src/ap/wpa_auth_i.h
+@@ -302,7 +302,12 @@ int wpa_write_ftie(struct wpa_auth_confi
+ 		   const u8 *anonce, const u8 *snonce,
+ 		   u8 *buf, size_t len, const u8 *subelem,
+ 		   size_t subelem_len, int rsnxe_used);
+-int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, struct wpa_ptk *ptk);
++int wpa_auth_derive_ptk_ft(struct wpa_state_machine *sm, struct wpa_ptk *ptk,
++			   u8 *pmk_r0, u8 *pmk_r1, u8 *pmk_r0_name,
++			   size_t *key_len);
++void wpa_auth_ft_store_keys(struct wpa_state_machine *sm, const u8 *pmk_r0,
++			    const u8 *pmk_r1, const u8 *pmk_r0_name,
++			    size_t key_len);
+ struct wpa_ft_pmk_cache * wpa_ft_pmk_cache_init(void);
+ void wpa_ft_pmk_cache_deinit(struct wpa_ft_pmk_cache *cache);
+ void wpa_ft_install_ptk(struct wpa_state_machine *sm, int retry);

feeds/ipq807x_v5.4/ipq50xx/base-files/etc/board.d/02_network

@@ -13,10 +13,10 @@ qcom_setup_interfaces()
 
 	case $board in
 	cig,wf186w)
-		ucidef_add_switch "switch0" "4:wan" "0:lan" "1:lan" "2:lan" "3:lan" "6@eth0"
+		ucidef_add_switch "switch0" "4:wan" "0:lan" "1:lan" "2:lan" "3:lan" "6u@eth0"
 		;;
 	cig,wf186h)
-		ucidef_add_switch "switch0" "4:wan" "1:lan" "2:lan" "6@eth0"
+		ucidef_add_switch "switch0" "4:wan" "1:lan" "2:lan" "6u@eth0"
 		;;
 	sonicfi,rap630c-311g|\
 	cybertan,eww631-a1)
@@ -25,7 +25,7 @@ qcom_setup_interfaces()
 		;;
 	sonicfi,rap630w-311g|\
 	cybertan,eww631-b1)
-		ucidef_add_switch "switch1" "5:wan" "2:lan" "3:lan" "4:lan" "6@eth0"
+		ucidef_add_switch "switch1" "5:wan" "2:lan" "3:lan" "4:lan" "6u@eth0"
 		;;
 	udaya,a6-id2)
 		ucidef_set_interface_wan "eth1"
@@ -46,7 +46,7 @@ qcom_setup_interfaces()
 	edgecore,eap104)
 		ucidef_set_interface_wan "eth0"
 		ucidef_add_switch "switch1" \
-			"6@eth1" "1:lan" "2:lan" "3:lan" "4:lan"
+			"6u@eth1" "1:lan" "2:lan" "3:lan" "4:lan"
 		;;
 	hfcl,ion4x_w|\
 	hfcl,ion4xi_w)
@@ -62,10 +62,10 @@ qcom_setup_interfaces()
 	sonicfi,rap630w-312g|\
 	yuncore,fap655)
 		ucidef_add_switch "switch1" \
-			"6@eth0" "1:lan" "2:lan" "3:lan" "4:lan" "5:wan"
+			"6u@eth0" "1:lan" "2:lan" "3:lan" "4:lan" "5:wan"
 		;;
 	glinet,b3000)
-		ucidef_add_switch "switch1" "6@eth1" "1:wan" "2:lan" "3:lan"
+		ucidef_add_switch "switch1" "6u@eth1" "1:wan" "2:lan" "3:lan"
 		;;
 	esac
 }

feeds/qca-wifi-7/ipq53xx/base-files/etc/init.d/smp-affinity

@@ -1,21 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-START=99
-
-boot() {
-	for j in 68 69 70 71 75 88 92 96; do
-		echo 8 > /proc/irq/$j/smp_affinity
-	done
-
-	for j in 67 74 91 87; do
-		echo 4 > /proc/irq/$j/smp_affinity
-	done
-
-	for j in 66 73 86 90 93; do
-		echo 2 > /proc/irq/$j/smp_affinity
-	done
-
-	for j in 65 72 85 89; do
-		echo 1 > /proc/irq/$j/smp_affinity
-	done
-}

feeds/ucentral/ucentral-schema/Makefile

@@ -4,10 +4,10 @@ PKG_NAME:=ucentral-schema
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL=https://github.com/Telecominfraproject/wlan-ucentral-schema.git
-PKG_MIRROR_HASH:=98b65df6853724a27a7a77ccbef38ca3b25c681c496fb97c7049e2476f09271b
+PKG_MIRROR_HASH:=fe33f072d7bcbbb14c7c3415e0750699bb5dae8a9af06c59c90c020f8b192a15
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_DATE:=2025-01-27
-PKG_SOURCE_VERSION:=43c73750ccb040b0a95fadfa2ea2d34e1841f652
+PKG_SOURCE_VERSION:=5a6d23b76bc51289ae99d22fdf406516b0c630e6
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 PKG_LICENSE:=BSD-3-Clause
 

feeds/ucentral/ucentral-tools/Makefile

@@ -3,12 +3,6 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=ucentral-tools
 PKG_RELEASE:=1
 
-PKG_SOURCE_URL=https://github.com/blogic/ucentral-tools.git
-PKG_MIRROR_HASH:=9ae6a0cd431595871c233550427c4043c2ba7ddb3c5d87e46ab74a03b2b5a947
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2021-01-28
-PKG_SOURCE_VERSION:=b013fc636e48d407870a46aaa68a09ed74de8d6f
-
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 PKG_LICENSE:=BSD-3-Clause
 

feeds/ucentral/ucentral-tools/src/CMakeLists.txt

@@ -0,0 +1,36 @@
+cmake_minimum_required(VERSION 2.6)
+
+PROJECT(openwifi-tools C)
+INCLUDE(GNUInstallDirs)
+ADD_DEFINITIONS(-Os -ggdb -Wall -Werror --std=gnu99 -Wmissing-declarations)
+
+SET(CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "")
+
+ADD_EXECUTABLE(firstcontact firstcontact.c)
+TARGET_LINK_LIBRARIES(firstcontact curl crypto ssl ubox)
+INSTALL(TARGETS firstcontact
+	RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR}
+)
+
+ADD_EXECUTABLE(dhcpdiscover dhcpdiscover.c)
+INSTALL(TARGETS dhcpdiscover
+	RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR}
+)
+
+ADD_EXECUTABLE(dnsprobe dnsprobe.c)
+TARGET_LINK_LIBRARIES(dnsprobe ubox resolv)
+INSTALL(TARGETS dnsprobe
+	RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR}
+)
+
+ADD_EXECUTABLE(radiusprobe radiusprobe.c)
+TARGET_LINK_LIBRARIES(radiusprobe radcli)
+INSTALL(TARGETS radiusprobe
+	RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR}
+)
+
+ADD_EXECUTABLE(ip-collide ip-collide.c)
+TARGET_LINK_LIBRARIES(ip-collide ubox)
+INSTALL(TARGETS ip-collide
+	RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR}
+)

feeds/ucentral/ucentral-tools/src/dnsprobe.c

@@ -0,0 +1,690 @@
+/*
+ * nslookup_lede - musl compatible replacement for busybox nslookup
+ *
+ * Copyright (C) 2017 Jo-Philipp Wich <jo@mein.io>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+//config:config NSLOOKUP_OPENWRT
+//config:	bool "nslookup_openwrt"
+//config:	depends on !NSLOOKUP
+//config:	default y
+//config:	help
+//config:	  nslookup is a tool to query Internet name servers (LEDE flavor).
+//config:
+//config:config FEATURE_NSLOOKUP_OPENWRT_LONG_OPTIONS
+//config:       bool "Enable long options"
+//config:       default y
+//config:       depends on NSLOOKUP_OPENWRT && LONG_OPTS
+//config:       help
+//config:         Support long options for the nslookup applet.
+
+//applet:IF_NSLOOKUP_OPENWRT(APPLET(nslookup, BB_DIR_USR_BIN, BB_SUID_DROP))
+
+//kbuild:lib-$(CONFIG_NSLOOKUP_OPENWRT) += nslookup_lede.o
+
+//usage:#define nslookup_lede_trivial_usage
+//usage:       "[HOST] [SERVER]"
+//usage:#define nslookup_lede_full_usage "\n\n"
+//usage:       "Query the nameserver for the IP address of the given HOST\n"
+//usage:       "optionally using a specified DNS server"
+//usage:
+//usage:#define nslookup_lede_example_usage
+//usage:       "$ nslookup localhost\n"
+//usage:       "Server:     default\n"
+//usage:       "Address:    default\n"
+//usage:       "\n"
+//usage:       "Name:       debian\n"
+//usage:       "Address:    127.0.0.1\n"
+
+#include <stdio.h>
+#include <resolv.h>
+#include <string.h>
+#include <errno.h>
+#include <time.h>
+#include <poll.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <net/if.h>
+#include <netdb.h>
+
+#include <libubox/ulog.h>
+
+#define ENABLE_FEATURE_IPV6	1
+
+typedef struct len_and_sockaddr {
+	socklen_t len;
+	union {
+		struct sockaddr sa;
+		struct sockaddr_in sin;
+#if ENABLE_FEATURE_IPV6
+		struct sockaddr_in6 sin6;
+#endif
+	} u;
+} len_and_sockaddr;
+
+struct ns {
+	const char *name;
+	len_and_sockaddr addr;
+	int failures;
+	int replies;
+};
+
+struct query {
+	const char *name;
+	size_t qlen, rlen;
+	unsigned char query[512], reply[512];
+	unsigned long latency;
+	int rcode, n_ns;
+};
+
+static const char *rcodes[] = {
+	"NOERROR",
+	"FORMERR",
+	"SERVFAIL",
+	"NXDOMAIN",
+	"NOTIMP",
+	"REFUSED",
+	"YXDOMAIN",
+	"YXRRSET",
+	"NXRRSET",
+	"NOTAUTH",
+	"NOTZONE",
+	"RESERVED11",
+	"RESERVED12",
+	"RESERVED13",
+	"RESERVED14",
+	"RESERVED15",
+	"BADVERS"
+};
+
+static unsigned int default_port = 53;
+static unsigned int default_retry = 1;
+static unsigned int default_timeout = 2;
+
+
+static int parse_reply(const unsigned char *msg, size_t len, int *bb_style_counter)
+{
+	ns_msg handle;
+	ns_rr rr;
+	int i, n, rdlen;
+	const char *format = NULL;
+	char astr[INET6_ADDRSTRLEN], dname[MAXDNAME];
+	const unsigned char *cp;
+
+	if (ns_initparse(msg, len, &handle) != 0) {
+		//fprintf(stderr, "Unable to parse reply: %s\n", strerror(errno));
+		return -1;
+	}
+
+	for (i = 0; i < ns_msg_count(handle, ns_s_an); i++) {
+		if (ns_parserr(&handle, ns_s_an, i, &rr) != 0) {
+			//fprintf(stderr, "Unable to parse resource record: %s\n", strerror(errno));
+			return -1;
+		}
+
+		rdlen = ns_rr_rdlen(rr);
+
+		switch (ns_rr_type(rr))
+		{
+		case ns_t_a:
+			if (rdlen != 4) {
+				//fprintf(stderr, "Unexpected A record length\n");
+				return -1;
+			}
+			inet_ntop(AF_INET, ns_rr_rdata(rr), astr, sizeof(astr));
+			printf("Name:\t%s\nAddress: %s\n", ns_rr_name(rr), astr);
+			break;
+
+#if ENABLE_FEATURE_IPV6
+		case ns_t_aaaa:
+			if (rdlen != 16) {
+				//fprintf(stderr, "Unexpected AAAA record length\n");
+				return -1;
+			}
+			inet_ntop(AF_INET6, ns_rr_rdata(rr), astr, sizeof(astr));
+			printf("%s\thas AAAA address %s\n", ns_rr_name(rr), astr);
+			break;
+#endif
+
+		case ns_t_ns:
+			if (!format)
+				format = "%s\tnameserver = %s\n";
+			/* fall through */
+
+		case ns_t_cname:
+			if (!format)
+				format = "%s\tcanonical name = %s\n";
+			/* fall through */
+
+		case ns_t_ptr:
+			if (!format)
+				format = "%s\tname = %s\n";
+			if (ns_name_uncompress(ns_msg_base(handle), ns_msg_end(handle),
+				ns_rr_rdata(rr), dname, sizeof(dname)) < 0) {
+				//fprintf(stderr, "Unable to uncompress domain: %s\n", strerror(errno));
+				return -1;
+			}
+			printf(format, ns_rr_name(rr), dname);
+			break;
+
+		case ns_t_mx:
+			if (rdlen < 2) {
+				fprintf(stderr, "MX record too short\n");
+				return -1;
+			}
+			n = ns_get16(ns_rr_rdata(rr));
+			if (ns_name_uncompress(ns_msg_base(handle), ns_msg_end(handle),
+				ns_rr_rdata(rr) + 2, dname, sizeof(dname)) < 0) {
+				//fprintf(stderr, "Cannot uncompress MX domain: %s\n", strerror(errno));
+				return -1;
+			}
+			printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
+			break;
+
+		case ns_t_txt:
+			if (rdlen < 1) {
+				//fprintf(stderr, "TXT record too short\n");
+				return -1;
+			}
+			n = *(unsigned char *)ns_rr_rdata(rr);
+			if (n > 0) {
+				memset(dname, 0, sizeof(dname));
+				memcpy(dname, ns_rr_rdata(rr) + 1, n);
+				printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
+			}
+			break;
+
+		case ns_t_soa:
+			if (rdlen < 20) {
+				//fprintf(stderr, "SOA record too short\n");
+				return -1;
+			}
+
+			printf("%s\n", ns_rr_name(rr));
+
+			cp = ns_rr_rdata(rr);
+			n = ns_name_uncompress(ns_msg_base(handle), ns_msg_end(handle),
+			                       cp, dname, sizeof(dname));
+
+			if (n < 0) {
+				//fprintf(stderr, "Unable to uncompress domain: %s\n", strerror(errno));
+				return -1;
+			}
+
+			printf("\torigin = %s\n", dname);
+			cp += n;
+
+			n = ns_name_uncompress(ns_msg_base(handle), ns_msg_end(handle),
+			                       cp, dname, sizeof(dname));
+
+			if (n < 0) {
+				//fprintf(stderr, "Unable to uncompress domain: %s\n", strerror(errno));
+				return -1;
+			}
+
+			printf("\tmail addr = %s\n", dname);
+			cp += n;
+
+			printf("\tserial = %lu\n", ns_get32(cp));
+			cp += 4;
+
+			printf("\trefresh = %lu\n", ns_get32(cp));
+			cp += 4;
+
+			printf("\tretry = %lu\n", ns_get32(cp));
+			cp += 4;
+
+			printf("\texpire = %lu\n", ns_get32(cp));
+			cp += 4;
+
+			printf("\tminimum = %lu\n", ns_get32(cp));
+			break;
+
+		default:
+			break;
+		}
+	}
+
+	return i;
+}
+
+static int parse_nsaddr(const char *addrstr, len_and_sockaddr *lsa)
+{
+	char *eptr, *hash, ifname[IFNAMSIZ];
+	unsigned int port = default_port;
+	unsigned int scope = 0;
+
+	hash = strchr(addrstr, '#');
+
+	if (hash) {
+		*hash++ = '\0';
+		port = strtoul(hash, &eptr, 10);
+
+		if (eptr == hash || *eptr != '\0' || port > 65535) {
+			errno = EINVAL;
+			return -1;
+		}
+	}
+
+	hash = strchr(addrstr, '%');
+
+	if (hash) {
+		for (eptr = ++hash; *eptr != '\0' && *eptr != '#'; eptr++) {
+			if ((eptr - hash) >= IFNAMSIZ) {
+				errno = ENODEV;
+				return -1;
+			}
+
+			ifname[eptr - hash] = *eptr;
+		}
+
+		ifname[eptr - hash] = '\0';
+		scope = if_nametoindex(ifname);
+
+		if (scope == 0) {
+			errno = ENODEV;
+			return -1;
+		}
+	}
+
+#if ENABLE_FEATURE_IPV6
+	if (inet_pton(AF_INET6, addrstr, &lsa->u.sin6.sin6_addr)) {
+		lsa->u.sin6.sin6_family = AF_INET6;
+		lsa->u.sin6.sin6_port = htons(port);
+		lsa->u.sin6.sin6_scope_id = scope;
+		lsa->len = sizeof(lsa->u.sin6);
+		return 0;
+	}
+#endif
+
+	if (!scope && inet_pton(AF_INET, addrstr, &lsa->u.sin.sin_addr)) {
+		lsa->u.sin.sin_family = AF_INET;
+		lsa->u.sin.sin_port = htons(port);
+		lsa->len = sizeof(lsa->u.sin);
+		return 0;
+	}
+
+	errno = EINVAL;
+	return -1;
+}
+
+static unsigned long mtime(void)
+{
+	struct timespec ts;
+	clock_gettime(CLOCK_REALTIME, &ts);
+	return (unsigned long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
+}
+
+#if ENABLE_FEATURE_IPV6
+static void to_v4_mapped(len_and_sockaddr *a)
+{
+	if (a->u.sa.sa_family != AF_INET)
+		return;
+
+	memcpy(a->u.sin6.sin6_addr.s6_addr + 12,
+	       &a->u.sin.sin_addr, 4);
+
+	memcpy(a->u.sin6.sin6_addr.s6_addr,
+	       "\0\0\0\0\0\0\0\0\0\0\xff\xff", 12);
+
+	a->u.sin6.sin6_family = AF_INET6;
+	a->u.sin6.sin6_flowinfo = 0;
+	a->u.sin6.sin6_scope_id = 0;
+	a->len = sizeof(a->u.sin6);
+}
+#endif
+
+
+/*
+ * Function logic borrowed & modified from musl libc, res_msend.c
+ */
+
+static int send_queries(struct ns *ns, int n_ns, struct query *queries, int n_queries)
+{
+	int fd;
+	int timeout = default_timeout * 1000, retry_interval, servfail_retry = 0;
+	len_and_sockaddr from = { };
+#if ENABLE_FEATURE_IPV6
+	int one = 1;
+#endif
+	int recvlen = 0;
+	int n_replies = 0;
+	struct pollfd pfd;
+	unsigned long t0, t1, t2;
+	int nn, qn, next_query = 0;
+
+	from.u.sa.sa_family = AF_INET;
+	from.len = sizeof(from.u.sin);
+
+#if ENABLE_FEATURE_IPV6
+	for (nn = 0; nn < n_ns; nn++) {
+		if (ns[nn].addr.u.sa.sa_family == AF_INET6) {
+			from.u.sa.sa_family = AF_INET6;
+			from.len = sizeof(from.u.sin6);
+			break;
+		}
+	}
+#endif
+
+	/* Get local address and open/bind a socket */
+	fd = socket(from.u.sa.sa_family, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
+
+#if ENABLE_FEATURE_IPV6
+	/* Handle case where system lacks IPv6 support */
+	if (fd < 0 && from.u.sa.sa_family == AF_INET6 && errno == EAFNOSUPPORT) {
+		fd = socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
+		from.u.sa.sa_family = AF_INET;
+	}
+#endif
+
+	if (fd < 0)
+		return -1;
+
+	if (bind(fd, &from.u.sa, from.len) < 0) {
+		close(fd);
+		return -1;
+	}
+
+#if ENABLE_FEATURE_IPV6
+	/* Convert any IPv4 addresses in a mixed environment to v4-mapped */
+	if (from.u.sa.sa_family == AF_INET6) {
+		setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof(one));
+
+		for (nn = 0; nn < n_ns; nn++)
+			to_v4_mapped(&ns[nn].addr);
+	}
+#endif
+
+	pfd.fd = fd;
+	pfd.events = POLLIN;
+	retry_interval = timeout / default_retry;
+	t0 = t2 = mtime();
+	t1 = t2 - retry_interval;
+
+	for (; t2 - t0 < timeout; t2 = mtime()) {
+		if (t2 - t1 >= retry_interval) {
+			for (qn = 0; qn < n_queries; qn++) {
+				if (queries[qn].rlen)
+					continue;
+
+				for (nn = 0; nn < n_ns; nn++) {
+					sendto(fd, queries[qn].query, queries[qn].qlen,
+					       MSG_NOSIGNAL, &ns[nn].addr.u.sa, ns[nn].addr.len);
+				}
+			}
+
+			t1 = t2;
+			servfail_retry = 2 * n_queries;
+		}
+
+		/* Wait for a response, or until time to retry */
+		if (poll(&pfd, 1, t1+retry_interval-t2) <= 0)
+			continue;
+
+		while (1) {
+			recvlen = recvfrom(fd, queries[next_query].reply,
+			                   sizeof(queries[next_query].reply), 0,
+			                   &from.u.sa, &from.len);
+
+			/* read error */
+			if (recvlen < 0)
+				break;
+
+			/* Ignore non-identifiable packets */
+			if (recvlen < 4)
+				continue;
+
+			/* Ignore replies from addresses we didn't send to */
+			for (nn = 0; nn < n_ns; nn++)
+				if (memcmp(&from.u.sa, &ns[nn].addr.u.sa, from.len) == 0)
+					break;
+
+			if (nn >= n_ns)
+				continue;
+
+			/* Find which query this answer goes with, if any */
+			for (qn = next_query; qn < n_queries; qn++)
+				if (!memcmp(queries[next_query].reply, queries[qn].query, 2))
+					break;
+
+			if (qn >= n_queries || queries[qn].rlen)
+				continue;
+
+			queries[qn].rcode = queries[next_query].reply[3] & 15;
+			queries[qn].latency = mtime() - t0;
+			queries[qn].n_ns = nn;
+
+			ns[nn].replies++;
+
+			/* Only accept positive or negative responses;
+			 * retry immediately on server failure, and ignore
+			 * all other codes such as refusal. */
+			switch (queries[qn].rcode) {
+			case 0:
+			case 3:
+				break;
+
+			case 2:
+				if (servfail_retry && servfail_retry--) {
+					ns[nn].failures++;
+					sendto(fd, queries[qn].query, queries[qn].qlen,
+					       MSG_NOSIGNAL, &ns[nn].addr.u.sa, ns[nn].addr.len);
+				}
+				/* fall through */
+
+			default:
+				continue;
+			}
+
+			/* Store answer */
+			n_replies++;
+
+			queries[qn].rlen = recvlen;
+
+			if (qn == next_query) {
+				while (next_query < n_queries) {
+					if (!queries[next_query].rlen)
+						break;
+
+					next_query++;
+				}
+			}
+			else {
+				memcpy(queries[qn].reply, queries[next_query].reply, recvlen);
+			}
+
+			if (next_query >= n_queries)
+				return n_replies;
+		}
+	}
+
+	return n_replies;
+}
+
+static struct ns *add_ns(struct ns **ns, int *n_ns, const char *addr)
+{
+	char portstr[sizeof("65535")], *p;
+	len_and_sockaddr a = { };
+	struct ns *tmp;
+	struct addrinfo *ai, *aip, hints = {
+		.ai_flags = AI_NUMERICSERV,
+		.ai_socktype = SOCK_DGRAM
+	};
+
+	if (parse_nsaddr(addr, &a)) {
+		/* Maybe we got a domain name, attempt to resolve it using the standard
+		 * resolver routines */
+
+		p = strchr(addr, '#');
+		snprintf(portstr, sizeof(portstr), "%hu",
+		         (unsigned short)(p ? strtoul(p, NULL, 10) : default_port));
+
+		if (!getaddrinfo(addr, portstr, &hints, &ai)) {
+			for (aip = ai; aip; aip = aip->ai_next) {
+				if (aip->ai_addr->sa_family != AF_INET &&
+				    aip->ai_addr->sa_family != AF_INET6)
+					continue;
+
+#if ! ENABLE_FEATURE_IPV6
+				if (aip->ai_addr->sa_family != AF_INET)
+					continue;
+#endif
+
+				tmp = realloc(*ns, sizeof(**ns) * (*n_ns + 1));
+
+				if (!tmp)
+					return NULL;
+
+				*ns = tmp;
+
+				(*ns)[*n_ns].name = addr;
+				(*ns)[*n_ns].replies = 0;
+				(*ns)[*n_ns].failures = 0;
+				(*ns)[*n_ns].addr.len = aip->ai_addrlen;
+
+				memcpy(&(*ns)[*n_ns].addr.u.sa, aip->ai_addr, aip->ai_addrlen);
+
+				(*n_ns)++;
+			}
+
+			freeaddrinfo(ai);
+
+			return &(*ns)[*n_ns];
+		}
+
+		return NULL;
+	}
+
+	tmp = realloc(*ns, sizeof(**ns) * (*n_ns + 1));
+
+	if (!tmp)
+		return NULL;
+
+	*ns = tmp;
+
+	(*ns)[*n_ns].addr = a;
+	(*ns)[*n_ns].name = addr;
+	(*ns)[*n_ns].replies = 0;
+	(*ns)[*n_ns].failures = 0;
+
+	return &(*ns)[(*n_ns)++];
+}
+
+static struct query *add_query(struct query **queries, int *n_queries,
+                               int type, const char *dname)
+{
+	struct query *tmp;
+	ssize_t qlen;
+
+	tmp = realloc(*queries, sizeof(**queries) * (*n_queries + 1));
+
+	if (!tmp)
+		return NULL;
+
+	memset(&tmp[*n_queries], 0, sizeof(*tmp));
+
+	qlen = res_mkquery(QUERY, dname, C_IN, type, NULL, 0, NULL,
+	                   tmp[*n_queries].query, sizeof(tmp[*n_queries].query));
+
+	tmp[*n_queries].qlen = qlen;
+	tmp[*n_queries].name = dname;
+	*queries = tmp;
+
+	return &tmp[(*n_queries)++];
+}
+
+int main(int argc, char **argv)
+{
+	int rc = 1;
+	struct ns *ns = NULL;
+	struct query *queries = NULL;
+	int n_ns = 0, n_queries = 0;
+	int c = 0;
+
+	char *url = "telecominfraproject.com";
+	char *server = "127.0.0.1";
+	int v6 = 0;
+
+	while (1) {
+		int option = getopt(argc, argv, "u:s:i:6");
+
+		if (option == -1)
+			break;
+
+		switch (option) {
+		case '6':
+			v6 = 1;
+			break;
+		case 'u':
+			url = optarg;
+			break;
+		case 's':
+			server = optarg;
+			break;
+		default:
+		case 'h':
+			printf("Usage: dnsprobe OPTIONS\n"
+			       "  -6 - use ipv6\n"
+			       "  -u <url>\n"
+			       "  -s <server>\n");
+			return -1;
+		}
+	}
+
+	ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "dnsprobe");
+
+	ULOG_INFO("attempting to probe dns - %s %s %s\n",
+		url, server, v6 ? "ipv6" : "");
+
+
+	add_query(&queries, &n_queries, v6 ? T_AAAA : T_A, url);
+
+	add_ns(&ns, &n_ns, server);
+
+	rc = send_queries(&ns[0], 1, queries, n_queries);
+	if (rc <= 0) {
+		fprintf(stderr, "Failed to send queries: %s\n", strerror(errno));
+		rc = -1;
+		goto out;
+	}
+
+	if (queries[0].rcode != 0) {
+		printf("** server can't find %s: %s\n", queries[0].name,
+		rcodes[queries[0].rcode]);
+		goto out;
+	}
+
+	if (queries[0].rlen) {
+		c = parse_reply(queries[0].reply, queries[0].rlen, NULL);
+	}
+
+	if (c == 0)
+		printf("*** Can't find %s: No answer\n", queries[0].name);
+	else if (c < 0)
+		printf("*** Can't find %s: Parse error\n", queries[0].name);
+	else
+		rc = 0;
+
+out:
+	if (n_ns)
+		free(ns);
+
+	if (n_queries)
+		free(queries);
+
+	return rc;
+}

feeds/ucentral/ucentral-tools/src/firstcontact.c

@@ -0,0 +1,100 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <getopt.h>
+
+#include <curl/curl.h>
+
+#include <libubox/ulog.h>
+
+static const char *file_cert = "/etc/open-wifi/client.pem";
+static const char *file_key  = "/etc/open-wifi/client_dec.key";
+static const char *file_json = "/etc/open-wifi/redirector.json";
+static const char *file_dbg  = "/tmp/firstcontact.hdr";
+
+int main(int argc, char **argv)
+{
+	FILE *fp_json;
+	FILE *fp_dbg;
+	CURLcode res;
+	CURL *curl;
+	char *devid = NULL;
+	char *url;
+
+	while (1) {
+		int option = getopt(argc, argv, "k:c:o:hi:");
+
+		if (option == -1)
+			break;
+
+		switch (option) {
+		case 'k':
+			file_key = optarg;
+			break;
+		case 'c':
+			file_cert = optarg;
+			break;
+		case 'o':
+			file_json = optarg;
+			break;
+		case 'i':
+			devid = optarg;
+			break;
+		default:
+		case 'h':
+			printf("Usage: firstcontact OPTIONS\n"
+			       "  -k <keyfile>\n"
+			       "  -c <certfile>\n"
+			       "  -o <outfile>\n"
+			       "  -i <devid>\n");
+			return -1;
+		}
+	}
+
+	if (!devid) {
+		fprintf(stderr, "missing devid\n");
+		return -1;
+	}
+
+	ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "firstcontact");
+	ULOG_INFO("attempting first contact\n");
+
+	fp_dbg = fopen(file_dbg, "wb");
+	fp_json = fopen(file_json, "wb");
+	if (!fp_json) {
+		ULOG_ERR("failed to create %s\n", file_json);
+		return -1;
+	}
+
+	curl_global_init(CURL_GLOBAL_DEFAULT);
+	curl = curl_easy_init();
+	if (!curl) {
+		ULOG_ERR("curl_easy_init failed\n");
+		return -1;
+	}
+
+	if (asprintf(&url, "https://clientauth.demo.one.digicert.com/iot/api/v2/device/%s", devid) < 0) {
+		ULOG_ERR("failed to assemble url\n");
+		return -1;
+	}
+
+	curl_easy_setopt(curl, CURLOPT_URL, url);
+	curl_easy_setopt(curl, CURLOPT_WRITEDATA, fp_json);
+	curl_easy_setopt(curl, CURLOPT_HEADERDATA, fp_dbg);
+	curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "PEM");
+	curl_easy_setopt(curl, CURLOPT_SSLCERT, file_cert);
+	curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, "PEM");
+	curl_easy_setopt(curl, CURLOPT_SSLKEY, file_key);
+	curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
+
+	res = curl_easy_perform(curl);
+	if (res != CURLE_OK)
+		ULOG_ERR("curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
+	else
+		ULOG_INFO("downloaded first contact data\n");
+	curl_easy_cleanup(curl);
+	curl_global_cleanup();
+
+	ulog_close();
+
+	return (res != CURLE_OK);
+}

feeds/ucentral/ucentral-tools/src/ip-collide.c

@@ -0,0 +1,86 @@
+#include <arpa/inet.h>
+#include <net/if.h>
+
+#include <libubox/list.h>
+#include <libubox/ulog.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+struct route {
+	struct list_head list;
+	char devname[64];
+	uint32_t domain;
+	uint32_t mask;
+};
+
+static struct list_head routes = LIST_HEAD_INIT(routes);
+
+static int parse_routes(void)
+{
+	FILE *fp = fopen("/proc/net/route", "r");
+	int flgs, ref, use, metric, mtu, win, ir;
+	struct route *route;
+	unsigned long g;
+	int r;
+
+	r = fscanf(fp, "%*[^\n]\n");
+	if (r < 0) {
+		fprintf(stderr, "failed to parse routes\n");
+		return -1;
+	}
+	while (1) {
+		route = malloc(sizeof(*route));
+		if (!route)
+			break;
+		memset(route, 0, sizeof(*route));
+		r = fscanf(fp, "%63s%x%lx%X%d%d%d%x%d%d%d\n",
+			route->devname, &route->domain, &g, &flgs, &ref, &use, &metric, &route->mask,
+			&mtu, &win, &ir);
+		if (r != 11 && (r < 0) && feof(fp))
+			break;
+		list_add(&route->list, &routes);
+		printf("1 %s %x %x\n", route->devname, ntohl(route->domain), ntohl(route->mask));
+	}
+
+	fclose(fp);
+
+	return 0;
+}
+
+static int find_collisions(void)
+{
+	struct route *route;
+
+	list_for_each_entry(route, &routes, list) {
+		struct route *compare;
+
+		if (!route->domain || !route->mask)
+			continue;
+		list_for_each_entry(compare, &routes, list) {
+			if (!compare->domain || !compare->mask)
+				continue;
+			if (compare == route)
+				continue;
+			if (((route->domain & route->mask) == (compare->domain & route->mask)) ||
+			    ((route->domain & compare->mask) == (compare->domain & compare->mask))) {
+				ULOG_ERR("collision detected\n");
+				return 1;
+			}
+		}
+	}
+	ULOG_INFO("no collision detected\n");
+	return 0;
+}
+
+int main(int argc, char **argv)
+{
+	ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "ip-collide");
+
+	parse_routes();
+	if (!list_empty(&routes))
+		return find_collisions();
+
+	return 0;
+}

feeds/ucentral/ucentral-tools/src/radiusprobe.c

@@ -0,0 +1,47 @@
+#include <stdio.h>
+#include <string.h>
+#include <radcli/radcli.h>
+
+int
+main(int argc, char **argv)
+{
+	int result;
+	char username[128];
+	char passwd[AUTH_PASS_LEN + 1];
+	VALUE_PAIR *send, *received;
+	uint32_t service;
+	rc_handle *rh;
+
+	/* Not needed if you already used openlog() */
+	rc_openlog("radiusprobe");
+
+	if ((rh = rc_read_config("/tmp/radius.conf")) == NULL)
+		return ERROR_RC;
+
+	strcpy(username, "healthcheck");
+	strcpy(passwd, "uCentral");
+
+	send = NULL;
+
+	if (rc_avpair_add(rh, &send, PW_USER_NAME, username, -1, 0) == NULL)
+		return ERROR_RC;
+
+	if (rc_avpair_add(rh, &send, PW_USER_PASSWORD, passwd, -1, 0) == NULL)
+		return ERROR_RC;
+
+	service = PW_AUTHENTICATE_ONLY;
+	if (rc_avpair_add(rh, &send, PW_SERVICE_TYPE, &service, -1, 0) == NULL)
+		return ERROR_RC;
+
+	result = rc_auth(rh, 0, send, &received, NULL);
+
+	if (result == OK_RC || result == REJECT_RC) {
+		fprintf(stderr, "RADIUS server OK\n");
+		result = 0;
+	} else {
+		fprintf(stderr, "RADIUS server failure\n");
+		result = -1;
+	}
+
+	return result;
+}

feeds/ucentral/udhcpinject/src/udhcpinject.c

@@ -37,9 +37,6 @@ void cleanup_tc() {
         snprintf(cmd, sizeof(cmd), "tc filter del dev %s ingress pref 32 2>/dev/null",
                  iface_map[i].iface);
         system(cmd);
-        // snprintf(cmd, sizeof(cmd), "tc qdisc del dev %s ingress 2>/dev/null",
-        //          iface_map[i].iface);
-        // system(cmd);
     }
 }
 
@@ -261,7 +258,6 @@ int parse_ports(const char *port_list) {
     return 0;
 }
 
-// Function to setup tc rules (same as before but using iface_map)
 int setup_tc() {
     char cmd[1024];
 
@@ -314,7 +310,7 @@ void signal_handler(int sig) {
         exit(0);
     } else if (sig == SIGHUP) {
         syslog(LOG_INFO, "Received reload signal, reconfiguring...\n");
-        
+        sleep(5);
         // Clean up existing resources
         cleanup_tc();
         
@@ -565,6 +561,8 @@ int main(int argc, char *argv[]) {
     signal(SIGTERM, signal_handler);
     signal(SIGHUP, signal_handler);
 
+    sleep(5);
+
     provided_ssids = getenv("SSIDs");
     syslog(LOG_INFO, "Provided SSIDs: %s\n", provided_ssids);
     if (!provided_ssids && argc > 1) {