This commit implements rate limitation for the TCAT commands Present
PSKd Hash TLV (0x10), Present PSKc Hash TLV (0x11) and Present
Install-code Hash TLV (0x12) to prevent password guessing attacks.
It also removes the TCAT command Request PSKd Hash TLV (0x14), to
prevent offline password guessing attacks with a single Hash value
retrieved from the device.
Note: The commit does not remove the Request PSKd Hash TLV
implementation in the Python commissioner such that the non-existence
of the command TLV can still be tested.
Now signed by the correct 'Thread Certification DeviceCA'. A 'test'
target is added in the Makefile to test chaining. The Thread
certification CA certificate is also added in the 'CA' directory,
which was missing. Documentation is updated to clarify that the
'TcatCertCa' private key is not included in this repo; and other
clarifications.
Updates the TCAT class public methods for doing Commissioner
authorization checks and clarifies the code, with minor updates to
PSKc cases handling.
Unit tests are added for checking Commissioner authorization. To do
these checks, a new test class UnitTester is added which has access to
private members of the TcatAgent class. Validation/mock functions are
added in the test code to keep the unit tests readable.
Also reverts the CommCert4 fix that was made in #12151.
For more background information see JIRA BHC-766.
This commit adds lease and remaining lease information to the output
of `srp server host` and `srp server service` CLI commands.
The information includes:
- `lease`: The total lease time in seconds.
- `key-lease`: The total key lease time in seconds.
- `remaining lease`: The remaining lease time in seconds (with
millisecond precision).
- `remaining key-lease`: The remaining key lease time in seconds
(with millisecond precision).
A new utility method `OutputMsecDurationInSec()` is added to `Utils`
class to format durations in milliseconds as seconds with a
fractional part.
The SRP server host and service output parsers in
`tests/scripts/thread-cert/node.py`, `tests/toranj/cli/cli.py`, and
`tools/otci/otci/otci.py` are updated to correctly handle the new
fields for both active and deleted entries.
This enables the TCAT Commissioner to receive data such as TLS Alerts,
or asynchronously sent 'event' TLVs, over TLS. Processing TLS Alert
is required to detect the sending of Alert by the TCAT Device, which
is a requirement to be verified in cert tests. An async background
process is started to receive and log the received events.
Also some minor improvements in connection state management: when
certain commands are given after the TCAT link is disconnected, or
when a TCAT link could not be established, a message will be printed
to clearly say it's disconnected, instead of a cryptic error. Error
messages are now clearly prefixed with 'Error:'.
The CA certificate store for CommCert3 is extended with an additional
CA certificate, so that it can be verified in cert tests that a TCAT
Device rejects a wrong Commissioner with a TLS Alert (previously this
couldn't be tested).
Also includes a fix of the pyproject.toml such that Poetry does not
display the long warning on installation.
Also includes an improvement of TLV displaying to the user with a
STRING field, if the value is a string.
Also includes some syntax fixes that were flagged by the IDE, such as
missing return types for methods, or member variables that were not
initialized in the __init__().
When `OPENTHREAD_CONFIG_REFERENCE_DEVICE_ENABLE` is active, this
change mandates that the vendor name string MUST begin with the "RD:"
prefix. This ensures that reference devices are clearly and
consistently identifiable through network diagnostic queries.
The enforcement is applied at two levels:
- A compile-time `static_assert` is added to validate the default
`OPENTHREAD_CONFIG_NET_DIAG_VENDOR_NAME` at build time. This uses a
new `constexpr` helper utility `CheckConstStringPrefix()`.
- A runtime check is added to `otThreadSetVendorName()`, which will
now return `OT_ERROR_INVALID_ARGS` if an invalid name is provided
on a reference device build.
All related test configurations (`scan-build`, `toranj`, `nexus`) and
CLI tests are updated to reflect this new requirement and validate
it.
This commit validates that the Channel Mask TLVs in a TMF Energy
Scan request are non-zero.
Additionally, this commit clamps the Count TLV value to the valid
range (1, 2, and 3) as required by the Thread specification.
The `test_otci` is updated to use count 3 (previously 4).
An Energy Scan request with a zero `Channel Mask` is invalid and
can cause the device to start a scan that takes a long time or
never completes. This change rejects such requests, preventing the
device from getting stuck. This was discovered by
fuzzer test.
This fixes the issue that some required Python modules were missing in
pyproject.toml. To avoid Python version conflicts with the
cryptography module, the minimum Python version is raised to
3.10. Also, the name, version and description of the project are
updated. Module versions are updated to recent (2025) versions.
For Windows, a platform-specific import of pyreadline3 is added. Due
to this conditional dependency, the poetry.lock file is removed from
the repository: it is now necessarily specific to each platform and
has to be locally generated.
This commit provides more structured logging for ssl.py errors, and
displays the OpenSSL verify error code. This is used for certification
to validate reasons of handshake failure.
This improves debuggability of TCAT client and server, by using one
unified format (hex + ASCII) to show transmitted and received TCAT
data within the TLS session, as well as showing size of the encrypted
(TLS) data. For encrypted data, only size is now shown to avoid
clutter. Showing the hex + ASCII dump allows devs/testers to visually
read TCAT TLVs from screen and identify how all TCAT commands are
processed by the Thread device.
fix parsing of
* dns_resolve4 returns a synthesized ipv6 address, but parsing expected an ipv4 address
fix csl methods
* add support for getting csl uncertainty/accuracy
* add support for setting the csl channel
* remove the non existing get_csl_period
renames variables/arguments that had a python builtin name
Commit adds check if commissioning is possible and if the tcat device is already commissioned.
Adds advertisement update on disconnected and role change.
Fixes key handling for key references.
Fixes the authorization processing.
Implements recent changes of the application TLVs.
Added comprehensive Python virtual environment setup guide to the
cp-caps README.md file.
This includes detailed sections for creation, activation, dependency
installation, and deactivation of virtual environments to help users
properly set up their testing environment and avoid package conflicts.
With Thread 1.4 the cli application not can also (dns) resolve
IPv4 addresses. This commit adds the same support in otci
* dns_resolve4
Implements support for vendor operations in otci get/set
* vendor_name
* vendor_model
* vendor_sw_version
Implements network diagnostic commands
* get
* reset
* non_preferred_channels
Various other (small changes)"
* allow setting read timeout on serial connections
* allow replacing read routine filter
* expose latest thread versions in the public module api
* expand the definition of dns_get_config
* replaces mgmtget/mgmtset with the correct mgmtgetcommand and mgmtsetcommand
* replaces addressmode with the correct addrmode
* adds an `ignore_result` option to `execute_command`
* adds a missing `diag` command
* removes some unexisting getters
This commit refactors the cp-caps test as follows:
1. uses the unittest framework to refactor the cp-caps.
2. all tests are sorted alphabetically
3. all test names are changed to long names.
When running the command `diag receive 1 rlp`, the DUT may fail to
receive the frame, then the otci will try the command again and
again. These retries are useless, and they will take lots of time
before timeout.
This commit sets the number of retry to 0 before executing the
command, and restore the number of retry after the command is
executed. This commit also captures the timeout exception from the
adb_shell.
Commit adds implementation of:
- 0x40 Tcat tlv extraction of active dataset,
- 0x25 Tcat tlv extraction of commissioner certificate.
Includes also refactoring of `BleCommand` adds new method `process_response`.
This simplifies:
- `GetPskdHash`
- `GetRandomNumberChallenge`
The original code counts the number of received frames to check
whether the specified frame format is supported. It doesn't check
whether the sent and the received frames are the same. The test
results may have some deviation.
This commit compares the sent and received frame to check whether the
specified frame format is supported. This commit also add a case to
test the wake-up frame format.
`TransmitPacket()` should return an error from platform Radio
implementation, as for example Radio can be in incorrect state.
If error occurs, increase `mSentErrorInvalidStatePackets` stat.
Add wrong state case to tests and fix `diag repeat stop` called
too lata.
Signed-off-by: Maciej Baczmanski <maciej.baczmanski@nordicsemi.no>
The original `diag send` command is an asynchronous command. Users
must wait for a certain period of time and then run the `diag stats`
command to query how many packets have been sent to know whether all
packets have been sent. This is very inefficient, and it is not
convenient for scripts to process this command.
This commit changes the command `diag send` from an asynchronous
command to a synchronous command, and add the asynchronous command
`diag send async`.
This commit adds 'tlv' command tree to the BBTC CLI.
The 'tlv' command has two subcommands: 'list' and 'send'.
The 'tlv list' prints available TLVs types that can be used in the 'send' subcommand.
The 'tlv send <TLV_TYPE> <TLV_PAYLOAD>' allows sending specific TLV with arbitrary payloads.
Example:
`tlv send a 1234`
Send ping TLV(0x0a) with payload '1234'
The 'tlv' command tree is to gain the ability to send the TLV with any payload at any time.
This feature allows to check the behavior of TCAT device against:
- receiving of unexpected TLV
- receiving of TLV with corrupted payload
- receiving of TLVs sent in custom order
When configuration file defined in build parameter(command line argument),
ot-fct is wound't take into an account and accessed default path.
This commit fixes to access configuration file from path which is
defined from build command line parameter. Also, it fixes some
compilation issues while building from ot-br-posix.
Signed-off-by: ashish <ashish.vara@nxp.com>
When using the `diag frame -c xxxx` command to enable the CSMA-CA when
transmitting the frame, the command `diag send` won't output any message
the CCA failure happens. It is difficult for users to know whether
the CSMA-CA is actually effective via diag commands.
This commit counts the number of packets that are sent succeed and failed,
outputs the transmision failure reason and do not re-transmit the frame
after it fails to send.
The parameters of the method dataset_set_buffer() has been updated, but the
method create_dataset() still use previous defination of dataset_set_buffer().
It causes the crash when calling the method create_dataset().
This commit extends the 'dataset hex' command in the bbtc.py script by
allowing dataset TLVs to be set using a hex-encoded format.
Till now the 'dataset hex' command was only printing the
'ThreadDataset' object values in hex-encoded format, there was no
functionality to set the TLVs using hex-encoded format.
The 'dataset hex' command has been modified so the user can pass
dataset TLVs in hex-encoded format as an argument to this
command. This enables the script to set desired dataset TLVs in one
command, instead of calling dataset commands individually.
Example usage: 'dataset hex <hex-encoded TLVs>'
Added 'clear' command to the 'dataset' command tree. This allows to
remove all entries in the 'ThreadDataset' object used by the script to
store the dataset values.
The reason behind this feature is that in the current implementation
of the script, the 'ThreadDataset' object entries are always
initialized by 'initial_dataset' when running the script.
No command allows to clear/remove the particular entry, which makes
this script unable to send an active dataset to the target device
without specific dataset values(custom dataset).
To make this possible, the 'clear' command has been added to the
'dataset' command tree, which removes all entries from the
'ThreadDataset' object and, by using existing commands, sets the
desired entries in the 'ThreadDataset' object from scratch.
This enables the script to send custom active dataset values to the
target device.
Added '-a', '--adapter' arguments to the bbtc.py arguments
parser. This allows the selection of the HCI adapter for the scanning
procedure.
According to 'Bleak' documentation of the 'BleakClient'
class(https://bleak.readthedocs.io/en/latest/api/client.html#bleakclient-class),
it's better to use the 'BLEDevice' object in 'BleakClient' during the
object instantiation, therefore it has been changed for the scanning
Commit introduces implementation of missing general class commands:
- PresentPskdHash
- PresentPskcHash
- PresentInstallCodeHash
- RequestRandomNumChallenge
- RequestPskdHash
Also include minor fixes in Tcat python client and refactoring of expect
tests for tcat.
- Add Wake-up Channel TLV to the dataset.
- Add CLI support to handle the wake-up channel.
- Add MAC support for wake-up channel (to be used for sending
and receiving wake-up frames).
arnulfrupp