apfree-wifidog: Update to 6.02.1939

1. support fw4 2. support openssl3.0 Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>
2023-05-28 11:31:37 +08:00 · 2023-05-28 11:31:37 +08:00 · 6cf2103774
commit 6cf2103774
parent 574d43fca6
4 changed files with 61 additions and 301 deletions
--- a/net/apfree-wifidog/Makefile
+++ b/net/apfree-wifidog/Makefile
@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=apfree-wifidog
-PKG_VERSION:=4.08.1771
+PKG_VERSION:=6.02.1939
-PKG_RELEASE:=7
+PKG_RELEASE:=6
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://github.com/liudf0716/apfree_wifidog.git
+PKG_SOURCE_URL:=https://github.com/liudf0716/apfree-wifidog.git
 PKG_SOURCE_VERSION:=$(PKG_VERSION)
-PKG_MIRROR_HASH:=0fadb7a0e139bf4a5c6daffdd0f200ee2a4c903aea71e46bc19212b054ca71a7
+PKG_MIRROR_HASH:=b9e059c06427ad87312ea8a63c47d713dbad82ab0875778efe9f889e9c6b9c20
 PKG_MAINTAINER:=Dengfeng Liu <liudf0716@gmail.com>
 PKG_LICENSE:=GPL-3.0-or-later
@ -27,7 +27,7 @@ define Package/apfree-wifidog
  SUBMENU:=Captive Portals
  SECTION:=net
  CATEGORY:=Network
-  DEPENDS:=+zlib +firewall4 +iptables +libip4tc +libjson-c +libevent2 +libevent2-openssl +libuci +px5g
+  DEPENDS:=+zlib +libjson-c +libevent2 +libevent2-openssl +libuci 
  TITLE:=Apfree's wireless captive portal solution
  URL:=https://github.com/liudf0716/apfree_wifidog
 endef
--- a/net/apfree-wifidog/files/wifidogx.conf
+++ b/net/apfree-wifidog/files/wifidogx.conf
@ -1,9 +1,9 @@
-config wifidog
+config wifidogx 'common'
 	option gateway_interface 'br-lan'
-	option auth_server_hostname 'change wifidog.kunteng.org.cn to your auth server domain or ip'
+	option auth_server_hostname 'your auth server domain or ip'
 	option auth_server_port 443
 	option auth_server_path '/wifidog/'
 	option check_interval 60
 	option client_timeout 5
 	option wired_passed 0
-	option disabled 1
+	option enabled 0
--- a/net/apfree-wifidog/files/wifidogx.init
+++ b/net/apfree-wifidog/files/wifidogx.init
@ -6,271 +6,79 @@
 START=99
 USE_PROCD=1
-PROG=/usr/bin/wifidogx
+NAME=wifidogx
 PROG=/usr/bin/${NAME}
 CONFIGFILE=/tmp/wifidogx.conf
 extra_command "status" "Print the status of the service"
 PX5G_BIN="/usr/sbin/px5g"
 OPENSSL_BIN="/usr/bin/openssl"
 APFREE_CERT="/etc/apfree.crt"
 APFREE_KEY="/etc/apfree.key"
 generate_keys() {
 	local days bits country state location commonname
 	local UNIQUEID GENKEY_CMD
 	# Prefer px5g for certificate generation (existence evaluated last)
 	UNIQUEID=$(hexdump -n 4 -e '4/1 "%02x" "\n"' /dev/urandom)
 	[ -x "$OPENSSL_BIN" ] && GENKEY_CMD="$OPENSSL_BIN req -x509 -sha256 -outform pem -nodes"
 	[ -x "$PX5G_BIN" ] && GENKEY_CMD="$PX5G_BIN selfsigned -pem"
 	[ -n "$GENKEY_CMD" ] && {
 		$GENKEY_CMD \
 			-days "${days:-720}" -newkey rsa:"${bits:-2048}" -keyout "${APFREE_KEY}.new" -out "${APFREE_CERT}.new" \
 			-subj /C="${country:-CN}"/ST="${state:-Beijing}"/L="${location:-Unknown}"/O="${commonname:-ApFreeWiFidog}$UNIQUEID"/CN="${commonname:-ApFreeWiFidog}"
 		sync
 		mv "${APFREE_KEY}.new" "${APFREE_KEY}"
 		mv "${APFREE_CERT}.new" "${APFREE_CERT}"
 	}
 }
 service_trigger() {
-	procd_add_reload_trigger "wifidogx"
+	procd_add_reload_trigger ${NAME}
 }
 echo_firewall_rule() {
 	echo "    FirewallRule $1"
 }
 prepare_mqtt_conf() {
 	local cfg=$1
 	local serveraddr
 	local serverport
 	config_get serveraddr "$cfg" "serveraddr"
 	config_get serverport "$cfg" "serverport"
 	[ -z "${serveraddr}" ] || [ -z "${serverport}" ] && return 1
 	cat <<-EOF >>${CONFIGFILE}
 		MQTT {
 			ServerAddr ${serveraddr}
 			ServerPort ${serverport}
 		}
 	EOF
 }
 prepare_wifidog_conf() {
 	local cfg=$1
 	local disabled
 	local gateway_id
 	local gateway_interface
 	local auth_server_hostname
 	local auth_server_path
 	local auth_server_path_login
 	local auth_server_path_portal
 	local auth_server_path_msg
 	local auth_server_path_ping
 	local auth_server_path_auth
 	local delta_traffic
 	local check_interval
 	local client_timeout
 	local trusted_domains
 	local js_filter
 	local trusted_maclist
 	local untrusted_maclist
 	local pool_mode
 	local thread_number
 	local queue_size
 	local wired_passed
 	local trusted_iplist
 	local trusted_pan_domains
 	local proxy_port
 	local no_auth
 	local apple_cna
 	local update_domain_interval
 	local dns_timeout
 	local default_gateway_id
 	local external_interface
 	local auth_server_port
 	[ -f ${CONFIGFILE} ] && rm -f ${CONFIGFILE}
 	config_get disabled "${cfg}" "disabled" 1
 	if [ "${disabled}" = "1" ]; then
 		echo "wifidogx disabled in /etc/config/wifidogx file, please set disabled to 0 to enable it" >&2
 		return
 	fi
 	default_gateway_id=$(sed -e 's/://g' /sys/class/net/br-lan/address)
 	network_get_device external_interface wan
-	config_get gateway_id "${cfg}" "gateway_id" "${default_gateway_id}"
+	uci_validate_section ${NAME} ${NAME} common \
-	config_get gateway_interface "${cfg}" "gateway_interface" "br-lan"
+		'enabled:bool:0' \
-	config_get auth_server_hostname "${cfg}" "auth_server_hostname"
+		'gateway_id:string' \
-	config_get auth_server_port "${cfg}" "auth_server_port" "80"
+		'gateway_interface:string:br-lan' \
-	config_get auth_server_path "${cfg}" "auth_server_path" "/wifidog/"
+		'external_interface:string:external_interface' \
-	config_get auth_server_path_login "${cfg}" "auth_server_path_login"
+		'auth_server_hostname:string' \
-	config_get auth_server_path_portal "${cfg}" "auth_server_path_portal"
+		'auth_server_port:port:443' \
-	config_get auth_server_path_msg "${cfg}" "auth_server_path_msg"
+		'auth_server_path:string:/wifidog/' \
-	config_get auth_server_path_ping "${cfg}" "auth_server_path_ping"
+		'check_interval:integer:60' \
-	config_get auth_server_path_auth "${cfg}" "auth_server_path_auth"
+		'client_timeout:integer:5' \
-	config_get delta_traffic "${cfg}" "delta_traffic"
+		'js_filter:bool:1' \
-	config_get check_interval "${cfg}" "check_interval" "60"
+		'wired_passed:bool:1' \
-	config_get js_filter "${cfg}" "js_filter" 1
+		'apple_cna:bool:0' \
-	config_get client_timeout "${cfg}" "client_timeout"	"5"
+		'js_filter:bool:1' 
 	config_get trusted_domains "${cfg}" "trusted_domains"
 	config_get trusted_maclist "${cfg}" "trusted_maclist"
 	config_get untrusted_maclist "${cfg}" "untrusted_maclist"
 	config_get pool_mode "${cfg}" "pool_mode" 0
 	config_get thread_number "${cfg}" "thread_number" 20
 	config_get queue_size "${cfg}" "queue_size" 200
 	config_get wired_passed "${cfg}" "wired_passed" 1
 	config_get trusted_iplist "${cfg}" "trusted_iplist"
 	config_get trusted_pan_domains "${cfg}" "trusted_pan_domains"
 	config_get proxy_port "${cfg}" "proxy_port"
 	config_get no_auth "${cfg}" "no_auth"
 	config_get apple_cna "${cfg}" "bypass_apple_cna"
 	config_get update_domain_interval "${cfg}" "update_domain_interval"
 	config_get dns_timeout "${cfg}" "dns_timeout"
-	local set_auth_server_path_login
+	# if gateway_id is not set, get it from br-lan
-	local set_auth_server_path_portal
+	if [ -z "$gateway_id" ]; then
-	local set_auth_server_path_msg
+		gateway_id=$(sed -e 's/://g' /sys/class/net/${gateway_interface}/address)
-	local set_auth_server_path_ping
+		# uci add gateway_id to config file
-	local set_auth_server_path_auth
+		uci set ${NAME}.common.gateway_id=$gateway_id
-	local set_delta_traffic
+		uci commit ${NAME}
-	local set_trusted_maclist
+	fi
 	local set_untrusted_maclist
 	local set_trusted_domains
 	local set_trusted_iplist
 	local set_trusted_pan_domains
 	local set_proxy_port
 	local set_no_auth
 	local set_firewall_rule_global
 	local set_firewall_rule_validating_users
 	local set_firewall_rule_known_users
 	local set_firewall_rule_auth_is_down
 	local set_firewall_rule_unknown_users
 	local set_firewall_rule_locked_users
 	local set_apple_cna
 	local set_update_domain_interval
 	local set_dns_timeout
-	set_auth_server_path_login=$([ -n "$auth_server_path_login" ] && echo "    LoginScriptPathFragment $auth_server_path_login")
+	# set above variables to config file
-	set_auth_server_path_portal=$([ -n "$auth_server_path_portal" ] && echo "    PortalScriptPathFragment $auth_server_path_portal")
+	echo "GatewayID $gateway_id" > ${CONFIGFILE}
-	set_auth_server_path_msg=$([ -n "$auth_server_path_msg" ] && echo "    MsgScriptPathFragment $auth_server_path_msg")
+	echo "GatewayInterface $gateway_interface" >> ${CONFIGFILE}
-	set_auth_server_path_ping=$([ -n "$auth_server_path_ping" ] && echo "    PingScriptPathFragment $auth_server_path_ping")
+	echo "ExternalInterface $external_interface" >> ${CONFIGFILE}
-	set_auth_server_path_auth=$([ -n "$auth_server_path_auth" ] && echo "    AuthScriptPathFragment $auth_server_path_auth")
+	echo "AuthServer {
-	set_delta_traffic=$([ -n "$delta_traffic" ] && echo "DeltaTraffic $delta_traffic")
+	Hostname $auth_server_hostname
-	set_trusted_maclist=$([ -n "$trusted_maclist" ] && echo "TrustedMACList $trusted_maclist")
+	HTTPPort $auth_server_port
-	set_untrusted_maclist=$([ -n "$untrusted_maclist" ] && echo "UntrustedMACList $untrusted_maclist")
+	Path $auth_server_path
-	set_trusted_domains=$([ -n "$trusted_domains" ] && echo "TrustedDomains	$trusted_domains")
+}" >> ${CONFIGFILE}
-	set_trusted_iplist=$([ -n "$trusted_iplist" ] && echo "TrustedIpList	$trusted_iplist")
+	echo "CheckInterval $check_interval" >> ${CONFIGFILE}
-	set_trusted_pan_domains=$([ -n "$trusted_pan_domains" ] && echo "TrustedPanDomains	$trusted_pan_domains")
+	echo "ClientTimeout $client_timeout" >> ${CONFIGFILE}
-	set_proxy_port=$([ -n "$proxy_port" ] && echo "Proxyport	$proxy_port")
+	echo "JsFilter $js_filter" >> ${CONFIGFILE}
-	set_no_auth=$([ -n "$no_auth"  ] && echo "NoAuth  $no_auth")
+	echo "WiredPassed $wired_passed" >> ${CONFIGFILE}
-	set_firewall_rule_global=$(config_list_foreach "$cfg" "firewall_rule_global" echo_firewall_rule)
+	echo "BypassAppleCNA $apple_cna" >> ${CONFIGFILE}
 	set_firewall_rule_validating_users=$(config_list_foreach "$cfg" "firewall_rule_validating_users" echo_firewall_rule)
 	set_firewall_rule_known_users=$(config_list_foreach "$cfg" "firewall_rule_known_users" echo_firewall_rule)
 	set_firewall_rule_auth_is_down=$(config_list_foreach "$cfg" "firewall_rule_auth_is_down" echo_firewall_rule)
 	set_firewall_rule_unknown_users=$(config_list_foreach "$cfg" "firewall_rule_unknown_users" echo_firewall_rule)
 	set_firewall_rule_locked_users=$(config_list_foreach "$cfg" "firewall_rule_locked_users" echo_firewall_rule)
 	set_apple_cna=$([ -n "$apple_cna"  ] && echo "BypassAppleCNA $apple_cna")
 	set_update_domain_interval=$([ -n "$update_domain_interval" ] && echo "UpdateDomainInterval $update_domain_interval")
 	set_dns_timeout=$([ -n "$dns_timeout" ] && echo "DNSTimeout $dns_timeout")
 	cat <<-EOF >$CONFIGFILE
 		GatewayID $gateway_id
 		GatewayInterface $gateway_interface
 		Externalinterface $external_interface
 		AuthServer {
 			Hostname $auth_server_hostname
 			HTTPPort $auth_server_port
 			Path $auth_server_path
 			$set_auth_server_path_login
 			$set_auth_server_path_portal
 			$set_auth_server_path_msg
 			$set_auth_server_path_ping
 			$set_auth_server_path_auth
 		}
 		$set_delta_traffic
 		CheckInterval $check_interval
 		ClientTimeout $client_timeout
 		JsFilter $js_filter
 		WiredPassed $wired_passed
 		$set_trusted_domains
 		$set_untrusted_maclist
 		$set_trusted_maclist
 		$set_trusted_iplist
 		$set_trusted_pan_domains
 		$set_proxy_port
 		$set_no_auth
 		$set_apple_cna
 		$set_update_domain_interval
 		$set_dns_timeout
 		FirewallRuleSet global {
 			$set_firewall_rule_global
 		}
 		FirewallRuleSet validating-users {
 			$set_firewall_rule_validating_users
 			FirewallRule allow to 0.0.0.0/0
 		}
 		FirewallRuleSet known-users {
 			$set_firewall_rule_known_users
 			FirewallRule allow to 0.0.0.0/0
 		}
 		FirewallRuleSet auth-is-down {
 			$set_firewall_rule_auth_is_down
 		}
 		FirewallRuleSet unknown-users {
 			$set_firewall_rule_unknown_users
 			FirewallRule allow udp port 53
 			FirewallRule allow tcp port 53
 			FirewallRule allow udp port 67
 			FirewallRule allow tcp port 67
 		}
 		FirewallRuleSet locked-users {
 			$set_firewall_rule_locked_users
 			FirewallRule block to 0.0.0.0/0
 		}
 EOF
 }
 init_config() {
-	config_load wifidogx
+
-	config_foreach prepare_wifidog_conf wifidog
+	prepare_wifidog_conf 
 	if [ ! -f ${CONFIGFILE} ]; then
 		echo "no wifidogx.conf, exit..." >&2
 		exit
 	fi
 	if [ ! -s "${APFREE_CERT}" ] || [ ! -s "${APFREE_KEY}" ]; then
 		generate_keys
 	fi
 	if [ ! -s ${APFREE_KEY} ] || [ ! -s ${APFREE_CERT} ]; then
 		echo "no cert or key, exit..." >&2
 		exit
 	fi
 	config_foreach prepare_mqtt_conf mqtt
 	sed -i -e '/^$/d' ${CONFIGFILE}
 }
 start_service() {
 	config_load $NAME
 	init_config
 	[ "$enabled" -eq 0 ] && {
 		echo "wifidogx is disabled, exit..." >&2
 		exit 0
 	}
 	procd_open_instance
 	# -f: run in foreground
 	procd_set_param command $PROG -c $CONFIGFILE -f -d 0
@ -282,3 +90,8 @@ start_service() {
 status_service() {
 	/usr/bin/wdctlx status
 }
 reload_service() {
 	stop 
 	start
 }
--- a/net/apfree-wifidog/patches/010-support-openssl-3.0.patch
+++ b/net/apfree-wifidog/patches/010-support-openssl-3.0.patch
@ -1,53 +0,0 @@
 From 53a042836063e965f8df9fc85bb32e8e46da8a05 Mon Sep 17 00:00:00 2001
 From: staylightblow8 <liudf0716@gmail.com>
 Date: Thu, 20 Oct 2022 10:47:59 +0800
 Subject: [PATCH] support openssl > 3.0
 ---
 cmake/Modules/FindOpenSSL.cmake | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
 --- a/cmake/Modules/FindOpenSSL.cmake
 +++ b/cmake/Modules/FindOpenSSL.cmake
@@ -282,11 +282,11 @@ function(from_hex HEX DEC)
   set(${DEC} ${_res} PARENT_SCOPE)
 endfunction()
 -if (OPENSSL_INCLUDE_DIR)
 -  if(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h")
 -    file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" openssl_version_str
 -         REGEX "^# *define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*")
 +if(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h")
 +  file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" openssl_version_str
 +       REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*")
 +  if(openssl_version_str)
     # The version number is encoded as 0xMNNFFPPS: major minor fix patch status
     # The status gives if this is a developer or prerelease and is ignored here.
     # Major, minor, and fix directly translate into the version numbers shown in
@@ -315,6 +315,25 @@ if (OPENSSL_INCLUDE_DIR)
     endif ()
     set(OPENSSL_VERSION "${OPENSSL_VERSION_MAJOR}.${OPENSSL_VERSION_MINOR}.${OPENSSL_VERSION_FIX}${OPENSSL_VERSION_PATCH_STRING}")
 +  else ()
 +    # Since OpenSSL 3.0.0, the new version format is MAJOR.MINOR.PATCH and
 +    # a new OPENSSL_VERSION_STR macro contains exactly that
 +    file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" OPENSSL_VERSION_STR
 +         REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_STR[\t ]+\"([0-9])+\\.([0-9])+\\.([0-9])+\".*")
 +    string(REGEX REPLACE "^.*OPENSSL_VERSION_STR[\t ]+\"([0-9]+\\.[0-9]+\\.[0-9]+)\".*$"
 +           "\\1" OPENSSL_VERSION_STR "${OPENSSL_VERSION_STR}")
 +
 +    set(OPENSSL_VERSION "${OPENSSL_VERSION_STR}")
 +
 +    # Setting OPENSSL_VERSION_MAJOR OPENSSL_VERSION_MINOR and OPENSSL_VERSION_FIX
 +    string(REGEX MATCHALL "([0-9])+" OPENSSL_VERSION_NUMBER "${OPENSSL_VERSION}")
 +    list(POP_FRONT OPENSSL_VERSION_NUMBER
 +      OPENSSL_VERSION_MAJOR
 +      OPENSSL_VERSION_MINOR
 +      OPENSSL_VERSION_FIX)
 +
 +    unset(OPENSSL_VERSION_NUMBER)
 +    unset(OPENSSL_VERSION_STR)
   endif ()
 endif ()