apfree-wifidog: Update to 6.02.1939

1. support fw4 2. support openssl3.0 Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>
2023-05-28 11:31:37 +08:00 · 2023-05-28 11:31:37 +08:00 · 6cf2103774
commit 6cf2103774
parent 574d43fca6
4 changed files with 61 additions and 301 deletions
--- a/net/apfree-wifidog/Makefile
+++ b/net/apfree-wifidog/Makefile
@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=apfree-wifidog
-PKG_VERSION:=4.08.1771
-PKG_RELEASE:=7
+PKG_VERSION:=6.02.1939
+PKG_RELEASE:=6

 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://github.com/liudf0716/apfree_wifidog.git
+PKG_SOURCE_URL:=https://github.com/liudf0716/apfree-wifidog.git
 PKG_SOURCE_VERSION:=$(PKG_VERSION)
-PKG_MIRROR_HASH:=0fadb7a0e139bf4a5c6daffdd0f200ee2a4c903aea71e46bc19212b054ca71a7
+PKG_MIRROR_HASH:=b9e059c06427ad87312ea8a63c47d713dbad82ab0875778efe9f889e9c6b9c20

 PKG_MAINTAINER:=Dengfeng Liu <liudf0716@gmail.com>
 PKG_LICENSE:=GPL-3.0-or-later
@ -27,7 +27,7 @@ define Package/apfree-wifidog
  SUBMENU:=Captive Portals
  SECTION:=net
  CATEGORY:=Network
-  DEPENDS:=+zlib +firewall4 +iptables +libip4tc +libjson-c +libevent2 +libevent2-openssl +libuci +px5g
+  DEPENDS:=+zlib +libjson-c +libevent2 +libevent2-openssl +libuci 
  TITLE:=Apfree's wireless captive portal solution
  URL:=https://github.com/liudf0716/apfree_wifidog
 endef
--- a/net/apfree-wifidog/files/wifidogx.conf
+++ b/net/apfree-wifidog/files/wifidogx.conf
@ -1,9 +1,9 @@
-config wifidog
+config wifidogx 'common'
 	option gateway_interface 'br-lan'
-	option auth_server_hostname 'change wifidog.kunteng.org.cn to your auth server domain or ip'
+	option auth_server_hostname 'your auth server domain or ip'
 	option auth_server_port 443
 	option auth_server_path '/wifidog/'
 	option check_interval 60
 	option client_timeout 5
 	option wired_passed 0
-	option disabled 1
+	option enabled 0
--- a/net/apfree-wifidog/files/wifidogx.init
+++ b/net/apfree-wifidog/files/wifidogx.init
@ -6,271 +6,79 @@
 START=99

 USE_PROCD=1
-PROG=/usr/bin/wifidogx
+NAME=wifidogx
+PROG=/usr/bin/${NAME}
 CONFIGFILE=/tmp/wifidogx.conf

-extra_command "status" "Print the status of the service"
-
-PX5G_BIN="/usr/sbin/px5g"
-OPENSSL_BIN="/usr/bin/openssl"
-APFREE_CERT="/etc/apfree.crt"
-APFREE_KEY="/etc/apfree.key"
-
-generate_keys() {
-	local days bits country state location commonname
-	local UNIQUEID GENKEY_CMD
-
-	# Prefer px5g for certificate generation (existence evaluated last)
-	UNIQUEID=$(hexdump -n 4 -e '4/1 "%02x" "\n"' /dev/urandom)
-	[ -x "$OPENSSL_BIN" ] && GENKEY_CMD="$OPENSSL_BIN req -x509 -sha256 -outform pem -nodes"
-	[ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -pem"
-	[ -n "$GENKEY_CMD" ] && {
-		$GENKEY_CMD \
-			-days "${days:-720}" -newkey rsa:"${bits:-2048}" -keyout "${APFREE_KEY}.new" -out "${APFREE_CERT}.new" \
-			-subj /C="${country:-CN}"/ST="${state:-Beijing}"/L="${location:-Unknown}"/O="${commonname:-ApFreeWiFidog}$UNIQUEID"/CN="${commonname:-ApFreeWiFidog}"
-		sync
-		mv "${APFREE_KEY}.new" "${APFREE_KEY}"
-		mv "${APFREE_CERT}.new" "${APFREE_CERT}"
-	}
-}
-
 service_trigger() {
-	procd_add_reload_trigger "wifidogx"
-}
-
-echo_firewall_rule() {
-	echo "    FirewallRule $1"
-}
-
-prepare_mqtt_conf() {
-	local cfg=$1
-	local serveraddr
-	local serverport
-
-	config_get serveraddr "$cfg" "serveraddr"
-	config_get serverport "$cfg" "serverport"
-	[ -z "${serveraddr}" ] || [ -z "${serverport}" ] && return 1
-
-	cat <<-EOF >>${CONFIGFILE}
-		MQTT {
-			ServerAddr ${serveraddr}
-			ServerPort ${serverport}
-		}
-	EOF
+	procd_add_reload_trigger ${NAME}
 }

 prepare_wifidog_conf() {
-	local cfg=$1
-	local disabled
-	local gateway_id
-	local gateway_interface
-	local auth_server_hostname
-	local auth_server_path
-	local auth_server_path_login
-	local auth_server_path_portal
-	local auth_server_path_msg
-	local auth_server_path_ping
-	local auth_server_path_auth
-	local delta_traffic
-	local check_interval
-	local client_timeout
-	local trusted_domains
-	local js_filter
-	local trusted_maclist
-	local untrusted_maclist
-	local pool_mode
-	local thread_number
-	local queue_size
-	local wired_passed
-	local trusted_iplist
-	local trusted_pan_domains
-	local proxy_port
-	local no_auth
-	local apple_cna
-	local update_domain_interval
-	local dns_timeout
-	local default_gateway_id
-	local external_interface
-	local auth_server_port

 	[ -f ${CONFIGFILE} ] && rm -f ${CONFIGFILE}

-	config_get disabled "${cfg}" "disabled" 1
-	if [ "${disabled}" = "1" ]; then
-		echo "wifidogx disabled in /etc/config/wifidogx file, please set disabled to 0 to enable it" >&2
-		return
-	fi
-
-	default_gateway_id=$(sed -e 's/://g' /sys/class/net/br-lan/address)
-
 	network_get_device external_interface wan

-	config_get gateway_id "${cfg}" "gateway_id" "${default_gateway_id}"
-	config_get gateway_interface "${cfg}" "gateway_interface" "br-lan"
-	config_get auth_server_hostname "${cfg}" "auth_server_hostname"
-	config_get auth_server_port "${cfg}" "auth_server_port" "80"
-	config_get auth_server_path "${cfg}" "auth_server_path" "/wifidog/"
-	config_get auth_server_path_login "${cfg}" "auth_server_path_login"
-	config_get auth_server_path_portal "${cfg}" "auth_server_path_portal"
-	config_get auth_server_path_msg "${cfg}" "auth_server_path_msg"
-	config_get auth_server_path_ping "${cfg}" "auth_server_path_ping"
-	config_get auth_server_path_auth "${cfg}" "auth_server_path_auth"
-	config_get delta_traffic "${cfg}" "delta_traffic"
-	config_get check_interval "${cfg}" "check_interval" "60"
-	config_get js_filter "${cfg}" "js_filter" 1
-	config_get client_timeout "${cfg}" "client_timeout"	"5"
-	config_get trusted_domains "${cfg}" "trusted_domains"
-	config_get trusted_maclist "${cfg}" "trusted_maclist"
-	config_get untrusted_maclist "${cfg}" "untrusted_maclist"
-	config_get pool_mode "${cfg}" "pool_mode" 0
-	config_get thread_number "${cfg}" "thread_number" 20
-	config_get queue_size "${cfg}" "queue_size" 200
-	config_get wired_passed "${cfg}" "wired_passed" 1
-	config_get trusted_iplist "${cfg}" "trusted_iplist"
-	config_get trusted_pan_domains "${cfg}" "trusted_pan_domains"
-	config_get proxy_port "${cfg}" "proxy_port"
-	config_get no_auth "${cfg}" "no_auth"
-	config_get apple_cna "${cfg}" "bypass_apple_cna"
-	config_get update_domain_interval "${cfg}" "update_domain_interval"
-	config_get dns_timeout "${cfg}" "dns_timeout"
+	uci_validate_section ${NAME} ${NAME} common \
+		'enabled:bool:0' \
+		'gateway_id:string' \
+		'gateway_interface:string:br-lan' \
+		'external_interface:string:external_interface' \
+		'auth_server_hostname:string' \
+		'auth_server_port:port:443' \
+		'auth_server_path:string:/wifidog/' \
+		'check_interval:integer:60' \
+		'client_timeout:integer:5' \
+		'js_filter:bool:1' \
+		'wired_passed:bool:1' \
+		'apple_cna:bool:0' \
+		'js_filter:bool:1' 

-	local set_auth_server_path_login
-	local set_auth_server_path_portal
-	local set_auth_server_path_msg
-	local set_auth_server_path_ping
-	local set_auth_server_path_auth
-	local set_delta_traffic
-	local set_trusted_maclist
-	local set_untrusted_maclist
-	local set_trusted_domains
-	local set_trusted_iplist
-	local set_trusted_pan_domains
-	local set_proxy_port
-	local set_no_auth
-	local set_firewall_rule_global
-	local set_firewall_rule_validating_users
-	local set_firewall_rule_known_users
-	local set_firewall_rule_auth_is_down
-	local set_firewall_rule_unknown_users
-	local set_firewall_rule_locked_users
-	local set_apple_cna
-	local set_update_domain_interval
-	local set_dns_timeout
-
-	set_auth_server_path_login=$([ -n "$auth_server_path_login" ] && echo "    LoginScriptPathFragment $auth_server_path_login")
-	set_auth_server_path_portal=$([ -n "$auth_server_path_portal" ] && echo "    PortalScriptPathFragment $auth_server_path_portal")
-	set_auth_server_path_msg=$([ -n "$auth_server_path_msg" ] && echo "    MsgScriptPathFragment $auth_server_path_msg")
-	set_auth_server_path_ping=$([ -n "$auth_server_path_ping" ] && echo "    PingScriptPathFragment $auth_server_path_ping")
-	set_auth_server_path_auth=$([ -n "$auth_server_path_auth" ] && echo "    AuthScriptPathFragment $auth_server_path_auth")
-	set_delta_traffic=$([ -n "$delta_traffic" ] && echo "DeltaTraffic $delta_traffic")
-	set_trusted_maclist=$([ -n "$trusted_maclist" ] && echo "TrustedMACList $trusted_maclist")
-	set_untrusted_maclist=$([ -n "$untrusted_maclist" ] && echo "UntrustedMACList $untrusted_maclist")
-	set_trusted_domains=$([ -n "$trusted_domains" ] && echo "TrustedDomains	$trusted_domains")
-	set_trusted_iplist=$([ -n "$trusted_iplist" ] && echo "TrustedIpList	$trusted_iplist")
-	set_trusted_pan_domains=$([ -n "$trusted_pan_domains" ] && echo "TrustedPanDomains	$trusted_pan_domains")
-	set_proxy_port=$([ -n "$proxy_port" ] && echo "Proxyport	$proxy_port")
-	set_no_auth=$([ -n "$no_auth"  ] && echo "NoAuth  $no_auth")
-	set_firewall_rule_global=$(config_list_foreach "$cfg" "firewall_rule_global" echo_firewall_rule)
-	set_firewall_rule_validating_users=$(config_list_foreach "$cfg" "firewall_rule_validating_users" echo_firewall_rule)
-	set_firewall_rule_known_users=$(config_list_foreach "$cfg" "firewall_rule_known_users" echo_firewall_rule)
-	set_firewall_rule_auth_is_down=$(config_list_foreach "$cfg" "firewall_rule_auth_is_down" echo_firewall_rule)
-	set_firewall_rule_unknown_users=$(config_list_foreach "$cfg" "firewall_rule_unknown_users" echo_firewall_rule)
-	set_firewall_rule_locked_users=$(config_list_foreach "$cfg" "firewall_rule_locked_users" echo_firewall_rule)
-	set_apple_cna=$([ -n "$apple_cna"  ] && echo "BypassAppleCNA $apple_cna")
-	set_update_domain_interval=$([ -n "$update_domain_interval" ] && echo "UpdateDomainInterval $update_domain_interval")
-	set_dns_timeout=$([ -n "$dns_timeout" ] && echo "DNSTimeout $dns_timeout")
-
-	cat <<-EOF >$CONFIGFILE
-		GatewayID $gateway_id
-		GatewayInterface $gateway_interface
-		Externalinterface $external_interface
-
-		AuthServer {
-			Hostname $auth_server_hostname
-			HTTPPort $auth_server_port
-			Path $auth_server_path
-			$set_auth_server_path_login
-			$set_auth_server_path_portal
-			$set_auth_server_path_msg
-			$set_auth_server_path_ping
-			$set_auth_server_path_auth
-		}
-
-		$set_delta_traffic
-		CheckInterval $check_interval
-		ClientTimeout $client_timeout
-		JsFilter $js_filter
-		WiredPassed $wired_passed
-		$set_trusted_domains
-		$set_untrusted_maclist
-		$set_trusted_maclist
-		$set_trusted_iplist
-		$set_trusted_pan_domains
-		$set_proxy_port
-		$set_no_auth
-		$set_apple_cna
-		$set_update_domain_interval
-		$set_dns_timeout
-
-		FirewallRuleSet global {
-			$set_firewall_rule_global
-		}
-
-		FirewallRuleSet validating-users {
-			$set_firewall_rule_validating_users
-			FirewallRule allow to 0.0.0.0/0
-		}
-
-		FirewallRuleSet known-users {
-			$set_firewall_rule_known_users
-			FirewallRule allow to 0.0.0.0/0
-		}
-
-		FirewallRuleSet auth-is-down {
-			$set_firewall_rule_auth_is_down
-		}
-
-		FirewallRuleSet unknown-users {
-			$set_firewall_rule_unknown_users
-			FirewallRule allow udp port 53
-			FirewallRule allow tcp port 53
-			FirewallRule allow udp port 67
-			FirewallRule allow tcp port 67
-		}
-
-		FirewallRuleSet locked-users {
-			$set_firewall_rule_locked_users
-			FirewallRule block to 0.0.0.0/0
-		}
-EOF
+	# if gateway_id is not set, get it from br-lan
+	if [ -z "$gateway_id" ]; then
+		gateway_id=$(sed -e 's/://g' /sys/class/net/${gateway_interface}/address)
+		# uci add gateway_id to config file
+		uci set ${NAME}.common.gateway_id=$gateway_id
+		uci commit ${NAME}
+	fi
+	
+	# set above variables to config file
+	echo "GatewayID $gateway_id" > ${CONFIGFILE}
+	echo "GatewayInterface $gateway_interface" >> ${CONFIGFILE}
+	echo "ExternalInterface $external_interface" >> ${CONFIGFILE}
+	echo "AuthServer {
+	Hostname $auth_server_hostname
+	HTTPPort $auth_server_port
+	Path $auth_server_path
+}" >> ${CONFIGFILE}
+	echo "CheckInterval $check_interval" >> ${CONFIGFILE}
+	echo "ClientTimeout $client_timeout" >> ${CONFIGFILE}
+	echo "JsFilter $js_filter" >> ${CONFIGFILE}
+	echo "WiredPassed $wired_passed" >> ${CONFIGFILE}
+	echo "BypassAppleCNA $apple_cna" >> ${CONFIGFILE}
 }

 init_config() {
-	config_load wifidogx
-	config_foreach prepare_wifidog_conf wifidog
+
+	prepare_wifidog_conf 

 	if [ ! -f ${CONFIGFILE} ]; then
 		echo "no wifidogx.conf, exit..." >&2
 		exit
 	fi
-
-	if [ ! -s "${APFREE_CERT}" ] || [ ! -s "${APFREE_KEY}" ]; then
-		generate_keys
-	fi
-
-	if [ ! -s ${APFREE_KEY} ] || [ ! -s ${APFREE_CERT} ]; then
-		echo "no cert or key, exit..." >&2
-		exit
-	fi
-
-	config_foreach prepare_mqtt_conf mqtt
-
-	sed -i -e '/^$/d' ${CONFIGFILE}
 }

 start_service() {
+	config_load $NAME
+
 	init_config

+	[ "$enabled" -eq 0 ] && {
+		echo "wifidogx is disabled, exit..." >&2
+		exit 0
+	}
+
 	procd_open_instance
 	# -f: run in foreground
 	procd_set_param command $PROG -c $CONFIGFILE -f -d 0
@ -282,3 +90,8 @@ start_service() {
 status_service() {
 	/usr/bin/wdctlx status
 }
+
+reload_service() {
+	stop 
+	start
+}
--- a/net/apfree-wifidog/patches/010-support-openssl-3.0.patch
+++ b/net/apfree-wifidog/patches/010-support-openssl-3.0.patch
@ -1,53 +0,0 @@
-From 53a042836063e965f8df9fc85bb32e8e46da8a05 Mon Sep 17 00:00:00 2001
-From: staylightblow8 <liudf0716@gmail.com>
-Date: Thu, 20 Oct 2022 10:47:59 +0800
-Subject: [PATCH] support openssl > 3.0
-
---
- cmake/Modules/FindOpenSSL.cmake | 27 +++++++++++++++++++++++----
- 1 file changed, 23 insertions(+), 4 deletions(-)
-
--- a/cmake/Modules/FindOpenSSL.cmake
-+++ b/cmake/Modules/FindOpenSSL.cmake
-@@ -282,11 +282,11 @@ function(from_hex HEX DEC)
-   set(${DEC} ${_res} PARENT_SCOPE)
- endfunction()
- 
-if (OPENSSL_INCLUDE_DIR)
-  if(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h")
-    file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" openssl_version_str
-         REGEX "^# *define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*")
-+if(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h")
-+  file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" openssl_version_str
-+       REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*")
- 
-+  if(openssl_version_str)
-     # The version number is encoded as 0xMNNFFPPS: major minor fix patch status
-     # The status gives if this is a developer or prerelease and is ignored here.
-     # Major, minor, and fix directly translate into the version numbers shown in
-@@ -315,6 +315,25 @@ if (OPENSSL_INCLUDE_DIR)
-     endif ()
- 
-     set(OPENSSL_VERSION "${OPENSSL_VERSION_MAJOR}.${OPENSSL_VERSION_MINOR}.${OPENSSL_VERSION_FIX}${OPENSSL_VERSION_PATCH_STRING}")
-+  else ()
-+    # Since OpenSSL 3.0.0, the new version format is MAJOR.MINOR.PATCH and
-+    # a new OPENSSL_VERSION_STR macro contains exactly that
-+    file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" OPENSSL_VERSION_STR
-+         REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_STR[\t ]+\"([0-9])+\\.([0-9])+\\.([0-9])+\".*")
-+    string(REGEX REPLACE "^.*OPENSSL_VERSION_STR[\t ]+\"([0-9]+\\.[0-9]+\\.[0-9]+)\".*$"
-+           "\\1" OPENSSL_VERSION_STR "${OPENSSL_VERSION_STR}")
-+
-+    set(OPENSSL_VERSION "${OPENSSL_VERSION_STR}")
-+
-+    # Setting OPENSSL_VERSION_MAJOR OPENSSL_VERSION_MINOR and OPENSSL_VERSION_FIX
-+    string(REGEX MATCHALL "([0-9])+" OPENSSL_VERSION_NUMBER "${OPENSSL_VERSION}")
-+    list(POP_FRONT OPENSSL_VERSION_NUMBER
-+      OPENSSL_VERSION_MAJOR
-+      OPENSSL_VERSION_MINOR
-+      OPENSSL_VERSION_FIX)
-+
-+    unset(OPENSSL_VERSION_NUMBER)
-+    unset(OPENSSL_VERSION_STR)
-   endif ()
- endif ()
-