From 6cf210377474cf363c28a431540e9ea3660ac782 Mon Sep 17 00:00:00 2001
From: Dengfeng Liu
Date: Sun, 28 May 2023 11:31:37 +0800
Subject: [PATCH] apfree-wifidog: Update to 6.02.1939

1. support fw4
2. support openssl3.0

Signed-off-by: Dengfeng Liu
---
 net/apfree-wifidog/Makefile | 10 +-
 net/apfree-wifidog/files/wifidogx.conf | 6 +-
 net/apfree-wifidog/files/wifidogx.init | 295 ++++--------------
 .../patches/010-support-openssl-3.0.patch | 53 ----
 4 files changed, 62 insertions(+), 302 deletions(-)
 delete mode 100644 net/apfree-wifidog/patches/010-support-openssl-3.0.patch

diff --git a/net/apfree-wifidog/Makefile b/net/apfree-wifidog/Makefile
index d15d8493d7..f106385d3e 100644
--- a/net/apfree-wifidog/Makefile
+++ b/net/apfree-wifidog/Makefile
@@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=apfree-wifidog
-PKG_VERSION:=4.08.1771
-PKG_RELEASE:=7
+PKG_VERSION:=6.02.1939
+PKG_RELEASE:=6
 
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://github.com/liudf0716/apfree_wifidog.git
+PKG_SOURCE_URL:=https://github.com/liudf0716/apfree-wifidog.git
 PKG_SOURCE_VERSION:=$(PKG_VERSION)
-PKG_MIRROR_HASH:=0fadb7a0e139bf4a5c6daffdd0f200ee2a4c903aea71e46bc19212b054ca71a7
+PKG_MIRROR_HASH:=b9e059c06427ad87312ea8a63c47d713dbad82ab0875778efe9f889e9c6b9c20
 
 PKG_MAINTAINER:=Dengfeng Liu
 PKG_LICENSE:=GPL-3.0-or-later
@@ -27,7 +27,7 @@ define Package/apfree-wifidog
   SUBMENU:=Captive Portals
   SECTION:=net
   CATEGORY:=Network
-  DEPENDS:=+zlib +firewall4 +iptables +libip4tc +libjson-c +libevent2 +libevent2-openssl +libuci +px5g
+  DEPENDS:=+zlib +libjson-c +libevent2 +libevent2-openssl +libuci
   TITLE:=Apfree's wireless captive portal solution
   URL:=https://github.com/liudf0716/apfree_wifidog
 endef
diff --git a/net/apfree-wifidog/files/wifidogx.conf b/net/apfree-wifidog/files/wifidogx.conf
index b9cff56742..12e944ad47 100644
--- a/net/apfree-wifidog/files/wifidogx.conf
+++ b/net/apfree-wifidog/files/wifidogx.conf
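Review bot: The new DEPENDS line drops `+firewall4` and `+iptables` while the commit message says this release adds fw4 support, so the daemon presumably still has to drive nft/fw4 on the target at runtime; if that is the case, keep `+firewall4` (or whichever nftables package it actually invokes) in DEPENDS so opkg cannot install a captive portal that is unable to program the firewall. The context line `URL:=https://github.com/liudf0716/apfree_wifidog` still carries the underscore name that PKG_SOURCE_URL moves away from in the same commit; updating it to `URL:=https://github.com/liudf0716/apfree-wifidog` keeps the two in step. Dropping `+px5g` is only safe if nothing in the package still generates a certificate; the init hunk below removes that code path, so the two changes should be read together.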
@@ -1,9 +1,9 @@
-config wifidog
+config wifidogx 'common'
 	option gateway_interface 'br-lan'
-	option auth_server_hostname 'change wifidog.kunteng.org.cn to your auth server domain or ip'
+	option auth_server_hostname 'your auth server domain or ip'
 	option auth_server_port 443
 	option auth_server_path '/wifidog/'
 	option check_interval 60
 	option client_timeout 5
 	option wired_passed 0
-	option disabled 1
+	option enabled 0
diff --git a/net/apfree-wifidog/files/wifidogx.init b/net/apfree-wifidog/files/wifidogx.init
index a7f85dd618..595ea2dec6 100644
--- a/net/apfree-wifidog/files/wifidogx.init
+++ b/net/apfree-wifidog/files/wifidogx.init
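Review bot: Renaming the section from `config wifidog` to `config wifidogx 'common'` and replacing `option disabled 1` with `option enabled 0` means an /etc/config/wifidogx carried over from the 4.x package is no longer found by the init script's `uci_validate_section wifidogx wifidogx common` lookup, so an upgraded router silently comes up with the portal off (the `enabled:bool:0` default) and with no message saying why. A uci-defaults migration, or at least a comment in this file such as `# 6.x: section type is 'wifidogx' named 'common'; 'disabled' was replaced by 'enabled'`, would make the break visible to anyone upgrading. The placeholder `'your auth server domain or ip'` is now a real option value that the init script copies verbatim into the daemon's `Hostname` directive; shipping the option empty and having the script refuse to start on an unset hostname would be safer than handing the daemon a string that will never resolve.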
@@ -6,271 +6,79 @@ START=99 USE_PROCD=1 -PROG=/usr/bin/wifidogx +NAME=wifidogx +PROG=/usr/bin/${NAME} CONFIGFILE=/tmp/wifidogx.conf -extra_command "status" "Print the status of the service" - -PX5G_BIN="/usr/sbin/px5g" -OPENSSL_BIN="/usr/bin/openssl" -APFREE_CERT="/etc/apfree.crt" -APFREE_KEY="/etc/apfree.key" - -generate_keys() { - local days bits country state location commonname - local UNIQUEID GENKEY_CMD - - # Prefer px5g for certificate generation (existence evaluated last) - UNIQUEID=$(hexdump -n 4 -e '4/1 "%02x" "\n"' /dev/urandom) - [ -x "$OPENSSL_BIN" ] && GENKEY_CMD="$OPENSSL_BIN req -x509 -sha256 -outform pem -nodes" - [ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -pem" - [ -n "$GENKEY_CMD" ] && { - $GENKEY_CMD \ - -days "${days:-720}" -newkey rsa:"${bits:-2048}" -keyout "${APFREE_KEY}.new" -out "${APFREE_CERT}.new" \ - -subj /C="${country:-CN}"/ST="${state:-Beijing}"/L="${location:-Unknown}"/O="${commonname:-ApFreeWiFidog}$UNIQUEID"/CN="${commonname:-ApFreeWiFidog}" - sync - mv "${APFREE_KEY}.new" "${APFREE_KEY}" - mv "${APFREE_CERT}.new" "${APFREE_CERT}" - } -} - service_trigger() { - procd_add_reload_trigger "wifidogx" -} - -echo_firewall_rule() { - echo " FirewallRule $1" -} - -prepare_mqtt_conf() { - local cfg=$1 - local serveraddr - local serverport - - config_get serveraddr "$cfg" "serveraddr" - config_get serverport "$cfg" "serverport" - [ -z "${serveraddr}" ] || [ -z "${serverport}" ] && return 1 - - cat <<-EOF >>${CONFIGFILE} - MQTT { - ServerAddr ${serveraddr} - ServerPort ${serverport} - } - EOF + procd_add_reload_trigger ${NAME} } prepare_wifidog_conf() { - local cfg=$1 - local disabled - local gateway_id - local gateway_interface - local auth_server_hostname - local auth_server_path - local auth_server_path_login - local auth_server_path_portal - local auth_server_path_msg - local auth_server_path_ping - local auth_server_path_auth - local delta_traffic - local check_interval - local client_timeout - local trusted_domains - local 
js_filter - local trusted_maclist - local untrusted_maclist - local pool_mode - local thread_number - local queue_size - local wired_passed - local trusted_iplist - local trusted_pan_domains - local proxy_port - local no_auth - local apple_cna - local update_domain_interval - local dns_timeout - local default_gateway_id - local external_interface - local auth_server_port [ -f ${CONFIGFILE} ] && rm -f ${CONFIGFILE} - config_get disabled "${cfg}" "disabled" 1 - if [ "${disabled}" = "1" ]; then - echo "wifidogx disabled in /etc/config/wifidogx file, please set disabled to 0 to enable it" >&2 - return - fi - - default_gateway_id=$(sed -e 's/://g' /sys/class/net/br-lan/address) - network_get_device external_interface wan - config_get gateway_id "${cfg}" "gateway_id" "${default_gateway_id}" - config_get gateway_interface "${cfg}" "gateway_interface" "br-lan" - config_get auth_server_hostname "${cfg}" "auth_server_hostname" - config_get auth_server_port "${cfg}" "auth_server_port" "80" - config_get auth_server_path "${cfg}" "auth_server_path" "/wifidog/" - config_get auth_server_path_login "${cfg}" "auth_server_path_login" - config_get auth_server_path_portal "${cfg}" "auth_server_path_portal" - config_get auth_server_path_msg "${cfg}" "auth_server_path_msg" - config_get auth_server_path_ping "${cfg}" "auth_server_path_ping" - config_get auth_server_path_auth "${cfg}" "auth_server_path_auth" - config_get delta_traffic "${cfg}" "delta_traffic" - config_get check_interval "${cfg}" "check_interval" "60" - config_get js_filter "${cfg}" "js_filter" 1 - config_get client_timeout "${cfg}" "client_timeout" "5" - config_get trusted_domains "${cfg}" "trusted_domains" - config_get trusted_maclist "${cfg}" "trusted_maclist" - config_get untrusted_maclist "${cfg}" "untrusted_maclist" - config_get pool_mode "${cfg}" "pool_mode" 0 - config_get thread_number "${cfg}" "thread_number" 20 - config_get queue_size "${cfg}" "queue_size" 200 - config_get wired_passed "${cfg}" "wired_passed" 1 - 
config_get trusted_iplist "${cfg}" "trusted_iplist" - config_get trusted_pan_domains "${cfg}" "trusted_pan_domains" - config_get proxy_port "${cfg}" "proxy_port" - config_get no_auth "${cfg}" "no_auth" - config_get apple_cna "${cfg}" "bypass_apple_cna" - config_get update_domain_interval "${cfg}" "update_domain_interval" - config_get dns_timeout "${cfg}" "dns_timeout" - - local set_auth_server_path_login - local set_auth_server_path_portal - local set_auth_server_path_msg - local set_auth_server_path_ping - local set_auth_server_path_auth - local set_delta_traffic - local set_trusted_maclist - local set_untrusted_maclist - local set_trusted_domains - local set_trusted_iplist - local set_trusted_pan_domains - local set_proxy_port - local set_no_auth - local set_firewall_rule_global - local set_firewall_rule_validating_users - local set_firewall_rule_known_users - local set_firewall_rule_auth_is_down - local set_firewall_rule_unknown_users - local set_firewall_rule_locked_users - local set_apple_cna - local set_update_domain_interval - local set_dns_timeout - - set_auth_server_path_login=$([ -n "$auth_server_path_login" ] && echo " LoginScriptPathFragment $auth_server_path_login") - set_auth_server_path_portal=$([ -n "$auth_server_path_portal" ] && echo " PortalScriptPathFragment $auth_server_path_portal") - set_auth_server_path_msg=$([ -n "$auth_server_path_msg" ] && echo " MsgScriptPathFragment $auth_server_path_msg") - set_auth_server_path_ping=$([ -n "$auth_server_path_ping" ] && echo " PingScriptPathFragment $auth_server_path_ping") - set_auth_server_path_auth=$([ -n "$auth_server_path_auth" ] && echo " AuthScriptPathFragment $auth_server_path_auth") - set_delta_traffic=$([ -n "$delta_traffic" ] && echo "DeltaTraffic $delta_traffic") - set_trusted_maclist=$([ -n "$trusted_maclist" ] && echo "TrustedMACList $trusted_maclist") - set_untrusted_maclist=$([ -n "$untrusted_maclist" ] && echo "UntrustedMACList $untrusted_maclist") - set_trusted_domains=$([ -n 
"$trusted_domains" ] && echo "TrustedDomains $trusted_domains") - set_trusted_iplist=$([ -n "$trusted_iplist" ] && echo "TrustedIpList $trusted_iplist") - set_trusted_pan_domains=$([ -n "$trusted_pan_domains" ] && echo "TrustedPanDomains $trusted_pan_domains") - set_proxy_port=$([ -n "$proxy_port" ] && echo "Proxyport $proxy_port") - set_no_auth=$([ -n "$no_auth" ] && echo "NoAuth $no_auth") - set_firewall_rule_global=$(config_list_foreach "$cfg" "firewall_rule_global" echo_firewall_rule) - set_firewall_rule_validating_users=$(config_list_foreach "$cfg" "firewall_rule_validating_users" echo_firewall_rule) - set_firewall_rule_known_users=$(config_list_foreach "$cfg" "firewall_rule_known_users" echo_firewall_rule) - set_firewall_rule_auth_is_down=$(config_list_foreach "$cfg" "firewall_rule_auth_is_down" echo_firewall_rule) - set_firewall_rule_unknown_users=$(config_list_foreach "$cfg" "firewall_rule_unknown_users" echo_firewall_rule) - set_firewall_rule_locked_users=$(config_list_foreach "$cfg" "firewall_rule_locked_users" echo_firewall_rule) - set_apple_cna=$([ -n "$apple_cna" ] && echo "BypassAppleCNA $apple_cna") - set_update_domain_interval=$([ -n "$update_domain_interval" ] && echo "UpdateDomainInterval $update_domain_interval") - set_dns_timeout=$([ -n "$dns_timeout" ] && echo "DNSTimeout $dns_timeout") - - cat <<-EOF >$CONFIGFILE - GatewayID $gateway_id - GatewayInterface $gateway_interface - Externalinterface $external_interface - - AuthServer { - Hostname $auth_server_hostname - HTTPPort $auth_server_port - Path $auth_server_path - $set_auth_server_path_login - $set_auth_server_path_portal - $set_auth_server_path_msg - $set_auth_server_path_ping - $set_auth_server_path_auth - } - - $set_delta_traffic - CheckInterval $check_interval - ClientTimeout $client_timeout - JsFilter $js_filter - WiredPassed $wired_passed - $set_trusted_domains - $set_untrusted_maclist - $set_trusted_maclist - $set_trusted_iplist - $set_trusted_pan_domains - $set_proxy_port - 
$set_no_auth - $set_apple_cna - $set_update_domain_interval - $set_dns_timeout - - FirewallRuleSet global { - $set_firewall_rule_global - } - - FirewallRuleSet validating-users { - $set_firewall_rule_validating_users - FirewallRule allow to 0.0.0.0/0 - } - - FirewallRuleSet known-users { - $set_firewall_rule_known_users - FirewallRule allow to 0.0.0.0/0 - } - - FirewallRuleSet auth-is-down { - $set_firewall_rule_auth_is_down - } - - FirewallRuleSet unknown-users { - $set_firewall_rule_unknown_users - FirewallRule allow udp port 53 - FirewallRule allow tcp port 53 - FirewallRule allow udp port 67 - FirewallRule allow tcp port 67 - } - - FirewallRuleSet locked-users { - $set_firewall_rule_locked_users - FirewallRule block to 0.0.0.0/0 - } -EOF + uci_validate_section ${NAME} ${NAME} common \ + 'enabled:bool:0' \ + 'gateway_id:string' \ + 'gateway_interface:string:br-lan' \ + 'external_interface:string:external_interface' \ + 'auth_server_hostname:string' \ + 'auth_server_port:port:443' \ + 'auth_server_path:string:/wifidog/' \ + 'check_interval:integer:60' \ + 'client_timeout:integer:5' \ + 'js_filter:bool:1' \ + 'wired_passed:bool:1' \ + 'apple_cna:bool:0' \ + 'js_filter:bool:1' + + # if gateway_id is not set, get it from br-lan + if [ -z "$gateway_id" ]; then + gateway_id=$(sed -e 's/://g' /sys/class/net/${gateway_interface}/address) + # uci add gateway_id to config file + uci set ${NAME}.common.gateway_id=$gateway_id + uci commit ${NAME} + fi + + # set above variables to config file + echo "GatewayID $gateway_id" > ${CONFIGFILE} + echo "GatewayInterface $gateway_interface" >> ${CONFIGFILE} + echo "ExternalInterface $external_interface" >> ${CONFIGFILE} + echo "AuthServer { + Hostname $auth_server_hostname + HTTPPort $auth_server_port + Path $auth_server_path +}" >> ${CONFIGFILE} + echo "CheckInterval $check_interval" >> ${CONFIGFILE} + echo "ClientTimeout $client_timeout" >> ${CONFIGFILE} + echo "JsFilter $js_filter" >> ${CONFIGFILE} + echo "WiredPassed 
$wired_passed" >> ${CONFIGFILE} + echo "BypassAppleCNA $apple_cna" >> ${CONFIGFILE} } init_config() { - config_load wifidogx - config_foreach prepare_wifidog_conf wifidog + + prepare_wifidog_conf if [ ! -f ${CONFIGFILE} ]; then echo "no wifidogx.conf, exit..." >&2 exit fi - - if [ ! -s "${APFREE_CERT}" ] || [ ! -s "${APFREE_KEY}" ]; then - generate_keys - fi - - if [ ! -s ${APFREE_KEY} ] || [ ! -s ${APFREE_CERT} ]; then - echo "no cert or key, exit..." >&2 - exit - fi - - config_foreach prepare_mqtt_conf mqtt - - sed -i -e '/^$/d' ${CONFIGFILE} } start_service() { + config_load $NAME + init_config + [ "$enabled" -eq 0 ] && { + echo "wifidogx is disabled, exit..." >&2 + exit 0 + } + procd_open_instance # -f: run in foreground procd_set_param command $PROG -c $CONFIGFILE -f -d 0 @@ -282,3 +90,8 @@ start_service() { status_service() { /usr/bin/wdctlx status } + +reload_service() { + stop + start +} \ No newline at end of file diff --git a/net/apfree-wifidog/patches/010-support-openssl-3.0.patch b/net/apfree-wifidog/patches/010-support-openssl-3.0.patch deleted file mode 100644 index 4c8147e0a8..0000000000 --- a/net/apfree-wifidog/patches/010-support-openssl-3.0.patch +++ /dev/null 
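Review bot: The new `uci_validate_section` call in prepare_wifidog_conf ignores its return value, lists `'js_filter:bool:1'` twice, and gives external_interface the literal default `external_interface`, so a missing or malformed `common` section still produces a config file and `ExternalInterface external_interface` is written where the removed code resolved the WAN device with `network_get_device external_interface wan`. auth_server_hostname is validated only as `string` with no default and no emptiness check, so an unset or placeholder value reaches the daemon as a bare `Hostname ` line, and an absent `${gateway_interface}` leaves gateway_id empty yet still committed to uci by `uci set ${NAME}.common.gateway_id=`. The rewrite below checks the validation result, types the hostname as `host`, drops the duplicate key, restores the WAN lookup (assuming the script still sources /lib/functions/network.sh, which is outside the hunk) and refuses to commit an empty gateway_id; the echo lines that fill ${CONFIGFILE} are unchanged. The hunk also removes generate_keys and the refusal to start without /etc/apfree.crt and /etc/apfree.key with nothing in the commit saying the 6.x daemon provisions its own TLS material; if it does, a comment such as `# 6.x daemon creates its own certificate; the px5g/openssl step is no longer needed` would stop the next reader from reintroducing it, and if it does not, the HTTPS listener now starts unprovisioned.
```shell
prepare_wifidog_conf() {
	[ -f ${CONFIGFILE} ] && rm -f ${CONFIGFILE}

	# Abort on a missing section or a value that fails type validation
	# instead of writing a half-filled config for the daemon to choke on.
	uci_validate_section ${NAME} ${NAME} common \
		'enabled:bool:0' \
		'gateway_id:string' \
		'gateway_interface:string:br-lan' \
		'external_interface:string' \
		'auth_server_hostname:host' \
		'auth_server_port:port:443' \
		'auth_server_path:string:/wifidog/' \
		'check_interval:uinteger:60' \
		'client_timeout:uinteger:5' \
		'js_filter:bool:1' \
		'wired_passed:bool:1' \
		'apple_cna:bool:0' || {
		echo "wifidogx: invalid or missing 'common' section in /etc/config/${NAME}" >&2
		return 1
	}

	[ -n "$auth_server_hostname" ] || {
		echo "wifidogx: auth_server_hostname is not set" >&2
		return 1
	}

	# Resolve the WAN device as the 4.x script did; do not fall back to a literal.
	[ -n "$external_interface" ] || network_get_device external_interface wan

	# Derive gateway_id from the gateway interface MAC and persist it,
	# but never commit an empty value when the interface is absent.
	if [ -z "$gateway_id" ]; then
		gateway_id=$(sed -e 's/://g' /sys/class/net/${gateway_interface}/address 2>/dev/null)
		[ -n "$gateway_id" ] || {
			echo "wifidogx: cannot derive gateway_id from ${gateway_interface}" >&2
			return 1
		}
		uci set ${NAME}.common.gateway_id=$gateway_id
		uci commit ${NAME}
	fi

	# … unchanged: echo of GatewayID/AuthServer/... directives into ${CONFIGFILE} …
}
```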
@@ -1,53 +0,0 @@ -From 53a042836063e965f8df9fc85bb32e8e46da8a05 Mon Sep 17 00:00:00 2001 -From: staylightblow8 -Date: Thu, 20 Oct 2022 10:47:59 +0800 -Subject: [PATCH] support openssl > 3.0 - ---- - cmake/Modules/FindOpenSSL.cmake | 27 +++++++++++++++++++++++---- - 1 file changed, 23 insertions(+), 4 deletions(-) - ---- a/cmake/Modules/FindOpenSSL.cmake -+++ b/cmake/Modules/FindOpenSSL.cmake -@@ -282,11 +282,11 @@ function(from_hex HEX DEC) - set(${DEC} ${_res} PARENT_SCOPE) - endfunction() - --if (OPENSSL_INCLUDE_DIR) -- if(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h") -- file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" openssl_version_str -- REGEX "^# *define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*") -+if(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h") -+ file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" openssl_version_str -+ REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*") - -+ if(openssl_version_str) - # The version number is encoded as 0xMNNFFPPS: major minor fix patch status - # The status gives if this is a developer or prerelease and is ignored here. 
- # Major, minor, and fix directly translate into the version numbers shown in -@@ -315,6 +315,25 @@ if (OPENSSL_INCLUDE_DIR) - endif () - - set(OPENSSL_VERSION "${OPENSSL_VERSION_MAJOR}.${OPENSSL_VERSION_MINOR}.${OPENSSL_VERSION_FIX}${OPENSSL_VERSION_PATCH_STRING}") -+ else () -+ # Since OpenSSL 3.0.0, the new version format is MAJOR.MINOR.PATCH and -+ # a new OPENSSL_VERSION_STR macro contains exactly that -+ file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" OPENSSL_VERSION_STR -+ REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_STR[\t ]+\"([0-9])+\\.([0-9])+\\.([0-9])+\".*") -+ string(REGEX REPLACE "^.*OPENSSL_VERSION_STR[\t ]+\"([0-9]+\\.[0-9]+\\.[0-9]+)\".*$" -+ "\\1" OPENSSL_VERSION_STR "${OPENSSL_VERSION_STR}") -+ -+ set(OPENSSL_VERSION "${OPENSSL_VERSION_STR}") -+ -+ # Setting OPENSSL_VERSION_MAJOR OPENSSL_VERSION_MINOR and OPENSSL_VERSION_FIX -+ string(REGEX MATCHALL "([0-9])+" OPENSSL_VERSION_NUMBER "${OPENSSL_VERSION}") -+ list(POP_FRONT OPENSSL_VERSION_NUMBER -+ OPENSSL_VERSION_MAJOR -+ OPENSSL_VERSION_MINOR -+ OPENSSL_VERSION_FIX) -+ -+ unset(OPENSSL_VERSION_NUMBER) -+ unset(OPENSSL_VERSION_STR) - endif () - endif () - -- 2.30.2