Merge pull request #712 from openNDS/11.0.0beta

11.0.0beta

forward_authentication_service/fas-aes/fas-aes.php

@@ -60,7 +60,7 @@ if (ob_get_level()){ob_end_clean();}
 
 #####################################################################################
 // The pre-shared key "faskey" (this must be the same as in the openNDS config):
-$key="c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646";
+$key="8a749260bfba87ca3706659d9beaabe928f84025a4ff7531a969e96ac4ee7cbc";
 #####################################################################################
 
 // Setup some basics:

forward_authentication_service/libs/client_params.sh

@@ -28,6 +28,37 @@ do_ndsctl () {
 	done
 }
 
+urlencode() {
+	entitylist="
+		s/%/%25/g
+		s/\s/%20/g
+		s/\"/%22/g
+		s/>/%3E/g
+		s/</%3C/g
+		s/'/%27/g
+		s/\`/%60/g
+	"
+	local buffer="$1"
+
+	for entity in $entitylist; do
+		urlencoded=$(echo "$buffer" | sed "$entity")
+		buffer=$urlencoded
+	done
+
+	urlencoded=$(echo "$buffer" | awk '{ gsub(/\$/, "\\%24"); print }')
+}
+
+get_option_from_config() {
+
+	if [ ! -z "$1" ]; then
+		param=$(/usr/lib/opennds/libopennds.sh get_option_from_config "$1")
+			# urlencode
+			urlencode "$param"
+			param=$urlencoded
+			eval $1="$param" &>/dev/null
+	fi
+}
+
 get_client_zone () {
 	# Gets the client zone, (if we don't already have it) ie the connection the client is using, such as:
 	# local interface (br-lan, wlan0, wlan0-1 etc.,
@@ -271,13 +302,24 @@ body() {
 		fi
 
 	elif [ "$status" = "err511" ]; then
+		get_option_from_config "fasremoteip"
+		get_option_from_config "fasremotefqdn"
 
-		pagebody="
-			<h1>To login, click or tap the Continue button</h1>
-			<form action=\"$url/login\" method=\"get\" target=\"_self\">
-			<input type=\"submit\" value=\"Continue\" >
-			</form>
-		"
+		if [ -z "$fasremoteip" ] && [ -z "$fasremotefqdn" ]; then
+			pagebody="
+				<h1>ERROR: Remote Portal Not Defined or Not Available.</h1>
+				<form action=\"$url/login\" method=\"get\" target=\"_self\">
+				<input type=\"submit\" value=\"Retry\" >
+				</form>
+			"
+		else
+			pagebody="
+				<h1>To login, click or tap the Continue button</h1>
+				<form action=\"$url/login\" method=\"get\" target=\"_self\">
+				<input type=\"submit\" value=\"Continue\" >
+				</form>
+			"
+		fi
 
 	else
 		exit 1

forward_authentication_service/libs/dnsconfig.sh

@@ -15,7 +15,13 @@ hosts="/etc/hosts"
 setconf="$1"
 uciconfig=$(uci show dhcp 2>/dev/null)
 
-ipset_to_nftset () {
+ipset_to_nftset() {
+	# Translate a legacy ipset to an nftset
+	# The legacy ipset might be dynamically updated eg by dnsmasq, so loop around for a set time
+	# Note: It loops after a sleep of one second so the call to this library function should probably always be forked into the background to prevent blocking
+	# (hint: use a trailing "&" when calling it)
+	# $ipsetname contains the name of the ipset
+	# $loopcount contains the number of loops to do
 
 	local timeout=$loopcount
 
@@ -32,7 +38,7 @@ ipset_to_nftset () {
 		elements=${elements:2}
 
 		if [ ! -z "$elements" ] && [ "$elements" != "$last_elements" ]; then
-			nft add element ip nds_filter "$ipsetname" {"$elements"}
+			nft add element inet nds_filter "$ipsetname" {"$elements"}
 		fi
 
 		last_elements="$elements"

forward_authentication_service/libs/get_client_interface.sh

@@ -98,7 +98,7 @@ if [ "$iwstatus" = true ]; then
 
 	if [ -z "$stations" ] && [ "$fast_client_scan" -eq 0 ]; then
 		# Not local wireless, so check in mesh11sd's vxtun
-		client_vtunif=$(type mesh11sd &>/dev/null && mesh11sd show_ap_data all | grep -w -B 1 "$mac" | grep "@" | awk -F "\"" 'NR==1 {printf "%s", $2}' | awk -F "@" '{printf "%s %s", $3, $1}')
+		client_vtunif=$(type mesh11sd &>/dev/null && mesh11sd show_ap_data all 2>/dev/null | grep -w -B 1 "$mac" | grep "@" | awk -F "\"" 'NR==1 {printf "%s", $2}' | awk -F "@" '{printf "%s %s", $3, $1}')
 		clientmeshif="$client_vtunif"
 	fi
 fi

forward_authentication_service/libs/libopennds.sh

@@ -1456,7 +1456,7 @@ nft_set () {
 
 		if [ "$nftsetmode" = "add" ] || [ "$nftsetmode" = "insert" ]; then
 			# Add the set, add/insert the rule and the Dnsmasq config
-			nft add set ip nds_filter "$nftsetname" { type ipv4_addr\; size 128\; }
+			nft add set inet nds_filter "$nftsetname" { type ipv4_addr\; size 128\; }
 			ret=$?
 
 			if [ "$ret" -ne 0 ]; then
@@ -1539,13 +1539,15 @@ nft_set () {
 
 				else
 					# OpenWrt
+					ucicmd="del dhcp.nds_$nftsetname"
+					echo $ucicmd | uci -q batch
 					ucicmd="set dhcp.nds_$nftsetname='ipset'"
 					echo $ucicmd | uci -q batch
 					ucicmd="add_list dhcp.nds_$nftsetname.name='$nftsetname'"
 					echo $ucicmd | uci -q batch
 					ucicmd="set dhcp.nds_$nftsetname.table='nds_filter'"
 					echo $ucicmd | uci -q batch
-					ucicmd="set dhcp.nds_$nftsetname.table_family='ip'"
+					ucicmd="set dhcp.nds_$nftsetname.table_family='inet'"
 					echo $ucicmd | uci -q batch
 
 					domains=$fqdns

src/auth.c

@@ -585,17 +585,13 @@ fw_refresh_client_list(void)
 	// If Walled Garden ipset exists, copy it to the nftset.
 	dnscmd = safe_calloc(STATUS_BUF);
 	safe_snprintf(dnscmd, STATUS_BUF, "/usr/lib/opennds/dnsconfig.sh \"ipset_to_nftset\" \"walledgarden\" %d &", config->checkinterval);
-	if (system(dnscmd) != 0) {
-		debug(LOG_DEBUG, "legacy ipset not defined: %s", dnscmd);
-	}
+	system(dnscmd);
 	free(dnscmd);
 
 	// If Block List ipset exists, copy it to the nftset.
 	dnscmd = safe_calloc(STATUS_BUF);
 	safe_snprintf(dnscmd, STATUS_BUF, "/usr/lib/opennds/dnsconfig.sh \"ipset_to_nftset\" \"blocklist\" %d &", config->checkinterval);
-	if (system(dnscmd) != 0) {
-		debug(LOG_DEBUG, "legacy ipset not defined: %s", dnscmd);
-	}
+	system(dnscmd);
 	free(dnscmd);
 
 	if (routercheck > 0) {

src/conf.c

@@ -348,13 +348,6 @@ config_init(int argc, char **argv)
 
 	debug(LOG_NOTICE, "Interface %s is at %s (%s)", config.gw_interface, config.gw_ip, config.gw_mac);
 
-	// Make sure fas_remoteip is set. Note: This does not enable FAS.
-	if (strcmp(config.fas_remoteip, "disabled") == 0) {
-		config.fas_remoteip = safe_strdup(config.gw_ip);
-	}
-
-	debug(LOG_DEBUG, "FAS remote ip address is [ %s ]", config.fas_remoteip);
-
 	// Generate a unique faskey if not set in config
 	if (strcmp(config.fas_key, DEFAULT_FASKEY) == 0) {
 		setupcmd = safe_calloc(STATUS_BUF);

src/conf.h

@@ -62,8 +62,8 @@
 #define DEFAULT_STATUSPATH "/usr/lib/opennds/client_params.sh"
 #define DEFAULT_LOG_MOUNTPOINT "/tmp"
 #define DEFAULT_MAX_PAGE_SIZE "10240"
-#define DEFAULT_FASPORT "0"
-#define DEFAULT_LOGIN_OPTION_ENABLED "0"
+#define DEFAULT_FASPORT "443"
+#define DEFAULT_LOGIN_OPTION_ENABLED "1"
 #define DEFAULT_MAX_LOG_ENTRIES "100"
 #define DEFAULT_USE_OUTDATED_MHD "0"
 #define DEFAULT_ALLOW_PREEMPTIVE_AUTHENTICATION "1"

src/http_microhttpd.c

@@ -18,7 +18,7 @@
  * @author Copyright (C) 2015-2025 Modifications and additions by BlueWave Projects and Services <opennds@blue-wave.net>
  */
 
-
+#include <sys/resource.h>
 #include <microhttpd.h>
 #include <syslog.h>
 #include <arpa/inet.h>
@@ -70,10 +70,21 @@ static const char *lookup_mimetype(const char *filename);
 
 struct MHD_Daemon * webserver = NULL;
 
-void stop_mhd(void)
-{
-	debug(LOG_INFO, "Calling MHD_stop_daemon [%lu]", webserver);
-	MHD_stop_daemon(webserver);
+void custom_logger(void *arg, const char *fmt, va_list ap) {
+	char buf[256];
+	vsnprintf(buf, sizeof(buf), fmt, ap);
+	debug(LOG_ERR, "MHD: %s (errno: %s)", buf, strerror(errno));
+}
+
+void stop_mhd(void) {
+    debug(LOG_INFO, "Quiescing MHD daemon [%lu]", webserver);
+    if (webserver) {
+        MHD_quiesce_daemon(webserver);
+        usleep(100000); // Wait 100ms for connections to close
+        debug(LOG_INFO, "Calling MHD_stop_daemon [%lu]", webserver);
+        MHD_stop_daemon(webserver);
+        webserver = NULL; // Prevent reuse of stale pointer
+    }
 }
 
 void start_mhd(void)
@@ -82,13 +93,20 @@ void start_mhd(void)
 	s_config *config;
 	config = config_get_config();
 
+	// Set ulimit to 4096
+	struct rlimit rl;
+	getrlimit(RLIMIT_NOFILE, &rl);
+	rl.rlim_cur = 4096;
+	setrlimit(RLIMIT_NOFILE, &rl);
+
 	if ((webserver = MHD_start_daemon(
-		MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_THREAD_PER_CONNECTION | MHD_USE_TCP_FASTOPEN,
+		MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_EPOLL | MHD_USE_TCP_FASTOPEN,
 		config->gw_port,
 		NULL,
 		NULL,
 		libmicrohttpd_cb,
 		NULL,
+		MHD_OPTION_EXTERNAL_LOGGER, custom_logger, NULL,
 		MHD_OPTION_CONNECTION_LIMIT, (unsigned int) 100,
 		MHD_OPTION_CONNECTION_TIMEOUT, (unsigned int) 10,
 		MHD_OPTION_PER_IP_CONNECTION_LIMIT, (unsigned int) 10,
@@ -1428,8 +1446,6 @@ static char *construct_querystring(struct MHD_Connection *connection, t_client *
 	debug(LOG_DEBUG, "gw_url: %s", gw_url);
 	free (gw_url_raw);
 
-	clienttype = safe_calloc(STATUS_BUF);
-
 	if (!client->client_type || strlen(client->client_type) == 0) {
 		clienttype = safe_strdup("cpd_can");
 	} else {
@@ -1595,7 +1611,7 @@ static char *construct_querystring(struct MHD_Connection *connection, t_client *
 
 		clientif = safe_calloc(STATUS_BUF);
 		get_client_interface(clientif, STATUS_BUF, client->mac);
-		debug(LOG_DEBUG, "clientif: [%s]", clientif);
+		debug(LOG_DEBUG, "clientif: [%s], gatewayaddress: [%s], gatewayurl: [%s]", clientif, config->gw_address, gw_url);
 		snprintf(querystr, QUERYMAXLEN,
 			"hid=%s%sclientip=%s%sclientmac=%s%sclient_type=%s%scpi_query=%s%sgatewayname=%s%sgatewayurl=%s%sversion=%s%sgatewayaddress=%s%sgatewaymac=%s%sauthdir=%s%soriginurl=%s%sclientif=%s%sthemespec=%s%s%s%s%s%s",
 			client->hid, QUERYSEPARATOR,

src/main.c

@@ -582,6 +582,22 @@ setup_from_config(void)
 		config->preauth = NULL;
 	}
 
+	// Check sha256sum command is available
+	msg = safe_calloc(SMALL_BUF);
+
+	if (execute_ret_url_encoded(msg, SMALL_BUF - 1, "printf 'test' | sha256sum") == 0) {
+		safe_asprintf(&fashid, "sha256sum");
+		debug(LOG_NOTICE, "sha256sum provider is available");
+	} else {
+		debug(LOG_ERR, "sha256sum provider not available - please install package to provide it");
+		debug(LOG_ERR, "Exiting...");
+		exit(1);
+	}
+
+	config->fas_hid = safe_strdup(fashid);
+	free(fashid);
+	free(msg);
+
 	// If fasport not set, override any FAS configuration
 	if (config->fas_port == 0) {
 		debug(LOG_NOTICE, "Preauth is Enabled - Overriding FAS configuration.\n");
@@ -600,13 +616,18 @@ setup_from_config(void)
 	// If FAS is enabled then set it up
 	if (config->fas_port) {
 		debug(LOG_INFO, "fas_secure_enabled is set to level %d", config->fas_secure_enabled);
+		debug(LOG_INFO, "fasremoteip is %s, fasremotefqdn is %s", config->fas_remoteip, config->fas_remotefqdn);
 
 		// Check the FAS remote IP address
-		if ((strcmp(config->fas_remoteip, "disabled") == 0)) {
+		if ((strcmp(config->fas_remoteip, "disabled") == 0) && (strcmp(config->fas_remotefqdn, "disabled") == 0)) {
+			debug(LOG_WARNING, "Remote FAS addressing is undefined, please configure it");
+			debug(LOG_DEBUG, "Setting undefined fas_remoteip");
 			config->fas_remoteip = safe_strdup(config->gw_ip);
+			config->fas_port = config->gw_port;
 		}
 
-		if (config->fas_remoteip) {
+		if (strcmp(config->fas_remoteip, "disabled") != 0) {
+
 			if (is_addr(config->fas_remoteip) == 1) {
 				debug(LOG_INFO, "fasremoteip - %s - is a valid IPv4 address...", config->fas_remoteip);
 			} else {
@@ -625,26 +646,6 @@ setup_from_config(void)
 			exit(1);
 		}
 
-		// If FAS key is set, then check the prerequisites
-
-		// FAS secure Level >=1
-		if (config->fas_key && config->fas_secure_enabled >= 1) {
-			// Check sha256sum command is available
-			msg = safe_calloc(SMALL_BUF);
-
-			if (execute_ret_url_encoded(msg, SMALL_BUF - 1, "printf 'test' | sha256sum") == 0) {
-				safe_asprintf(&fashid, "sha256sum");
-				debug(LOG_NOTICE, "sha256sum provider is available");
-			} else {
-				debug(LOG_ERR, "sha256sum provider not available - please install package to provide it");
-				debug(LOG_ERR, "Exiting...");
-				exit(1);
-			}
-			config->fas_hid = safe_strdup(fashid);
-			free(fashid);
-			free(msg);
-		}
-
 		// FAS secure Level 2 and 3
 		if (config->fas_key && config->fas_secure_enabled >= 2 && config->fas_secure_enabled <= 3) {
 			// PHP cli command can be php or php-cli depending on Linux version.