From 259ea4071b2bf5c76ed597dd2b1701781988bd21 Mon Sep 17 00:00:00 2001 From: zxlhhyccc Date: Sat, 16 Nov 2024 03:12:55 +0800 Subject: [PATCH] shadowsocks-libev: Add new package --- shadowsocks-libev/Makefile | 132 +++++ shadowsocks-libev/README.md | 185 ++++++ .../files/shadowsocks-libev.config | 60 ++ .../files/shadowsocks-libev.init | 320 +++++++++++ shadowsocks-libev/files/ss-rules/chain.uc | 122 ++++ shadowsocks-libev/files/ss-rules/set.uc | 114 ++++ shadowsocks-libev/files/ss-rules/ss-rules.uc | 8 + .../patches/100-Upgrade-PCRE-to-PCRE2.patch | 544 ++++++++++++++++++ .../patches/101-fix-mbedtls3.6-build.patch | 198 +++++++ 9 files changed, 1683 insertions(+) create mode 100644 shadowsocks-libev/Makefile create mode 100644 shadowsocks-libev/README.md create mode 100644 shadowsocks-libev/files/shadowsocks-libev.config create mode 100644 shadowsocks-libev/files/shadowsocks-libev.init create mode 100644 shadowsocks-libev/files/ss-rules/chain.uc create mode 100644 shadowsocks-libev/files/ss-rules/set.uc create mode 100644 shadowsocks-libev/files/ss-rules/ss-rules.uc create mode 100644 shadowsocks-libev/patches/100-Upgrade-PCRE-to-PCRE2.patch create mode 100644 shadowsocks-libev/patches/101-fix-mbedtls3.6-build.patch diff --git a/shadowsocks-libev/Makefile b/shadowsocks-libev/Makefile new file mode 100644 index 00000000000..631a9976c05 --- /dev/null +++ b/shadowsocks-libev/Makefile @@ -0,0 +1,132 @@ +# +# Copyright (C) 2017-2020 Yousong Zhou +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +# Checklist when bumping versions +# +# - update cipher list by checking src/crypto.c:crypto_init() +# - check if default mode has changed from being tcp_only +# +PKG_NAME:=shadowsocks-libev +PKG_VERSION:=3.3.5 +PKG_RELEASE:=12 + +PKG_SOURCE_PROTO:=git +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev.git +PKG_SOURCE_VERSION:=d83ace0f0d9c05656c13d66aa4a449bf70143254 +PKG_MIRROR_HASH:=cfc8eded35360f4b67e18dc447b0c00cddb29cc57a3cec48b135e5fb87433488 + +PKG_MAINTAINER:=Yousong Zhou + +PKG_LICENSE:=GPL-3.0-or-later +PKG_LICENSE_FILES:=LICENSE +PKG_CPE_ID:=cpe:/a:shadowsocks:shadowsocks-libev + +PKG_FIXUP:=autoreconf +PKG_INSTALL:=1 +PKG_BUILD_FLAGS:=no-mips16 lto +PKG_BUILD_PARALLEL:=1 +PKG_BUILD_DEPENDS:=c-ares pcre2 + +include $(INCLUDE_DIR)/package.mk + + +define Package/shadowsocks-libev-config + SECTION:=net + CATEGORY:=Network + SUBMENU:=Web Servers/Proxies + TITLE:=shadowsocks-libev config scripts + URL:=https://github.com/shadowsocks/shadowsocks-libev +endef + +define Package/shadowsocks-libev-config/conffiles +/etc/config/shadowsocks-libev +endef + +define Package/shadowsocks-libev-config/install + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_DATA) ./files/shadowsocks-libev.config $(1)/etc/config/shadowsocks-libev + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/shadowsocks-libev.init $(1)/etc/init.d/shadowsocks-libev +endef + + +define Package/shadowsocks-libev/Default + define Package/shadowsocks-libev-$(1) + SECTION:=net + CATEGORY:=Network + SUBMENU:=Web Servers/Proxies + TITLE:=shadowsocks-libev $(1) + URL:=https://github.com/shadowsocks/shadowsocks-libev + DEPENDS:=+libev +libmbedtls +libpthread +libsodium +shadowsocks-libev-config $(DEPENDS_$(1)) + endef + + define Package/shadowsocks-libev-$(1)/install + $$(INSTALL_DIR) $$(1)/usr/bin + $$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/bin/$(1) $$(1)/usr/bin + endef + +endef + +DEPENDS_ss-local = +libpcre2 +DEPENDS_ss-server = +libcares +libpcre2 + +SHADOWSOCKS_COMPONENTS:=ss-local ss-redir ss-tunnel ss-server +define shadowsocks-libev/templates + $(foreach component,$(SHADOWSOCKS_COMPONENTS), + $(call Package/shadowsocks-libev/Default,$(component)) + ) +endef +$(eval $(call shadowsocks-libev/templates)) + + +define Package/shadowsocks-libev-ss-rules + SECTION:=net + CATEGORY:=Network + SUBMENU:=Web Servers/Proxies + TITLE:=shadowsocks-libev ss-rules + URL:=https://github.com/shadowsocks/shadowsocks-libev + DEPENDS:=+firewall4 \ + +ip \ + +resolveip \ + +ucode \ + +ucode-mod-fs \ + +shadowsocks-libev-ss-redir \ + +shadowsocks-libev-config \ + +kmod-nft-tproxy +endef + +define Package/shadowsocks-libev-ss-rules/install + $(INSTALL_DIR) $(1)/usr/share/ss-rules + $(INSTALL_DATA) ./files/ss-rules/* $(1)/usr/share/ss-rules/ +endef + +define Build/Prepare + $(call Build/Prepare/Default) + $(FIND) $(PKG_BUILD_DIR) \ + -name '*.o' \ + -o -name '*.lo' \ + -o -name '.deps' \ + -o -name '.libs' \ + | $(XARGS) rm -rvf +endef + +CONFIGURE_ARGS += \ + --disable-documentation \ + --disable-silent-rules \ + --disable-assert \ + --disable-ssp \ + +TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed + +$(eval $(call BuildPackage,shadowsocks-libev-config)) +$(eval $(call BuildPackage,shadowsocks-libev-ss-rules)) +$(foreach component,$(SHADOWSOCKS_COMPONENTS), \ + $(eval $(call BuildPackage,shadowsocks-libev-$(component))) \ +) diff --git a/shadowsocks-libev/README.md b/shadowsocks-libev/README.md new file mode 100644 index 00000000000..c4a88254013 --- /dev/null +++ b/shadowsocks-libev/README.md @@ -0,0 +1,185 @@ +Skip to [recipes](#recipes) for quick setup instructions + +# components + +`ss-local` provides SOCKS5 proxy with UDP associate support. + + socks5 ss plain + --------> tcp:local_address:local_port ----> ss server -------> dest + +`ss-redir`. The REDIRECT and TPROXY part are to be provided by `ss-rules` script. REDIRECT is for tcp traffic (`SO_ORIGINAL_DST` only supports TCP). TPROXY is for udp messages, but it's only available in the PREROUTING chain and as such cannot proxy local out traffic. + + plain plain ss plain + ---------> REDIRECT ------> tcp:local_address:local_port ----> ss server -----> original dest + + plain plain ss plain + ---------> TPROXY -------> udp:local_address:local_port -----> ss server -----> original dest + +`ss-tunnel` provides ssh `-L` local-forwarding-like tunnel. Typically it's used to tunnel DNS traffic to the remote. + + plain ss plain + ---------> tcp|udp:local_address:local_port ------> ss server -------> tunnel_address + +`ss-server`, the "ss server" in the above diagram + +# uci + +Option names are the same as those used in json config files. Check `validate_xxx` func definition of the [service script](files/shadowsocks-libev.init) and shadowsocks-libev's own documentation for supported options and expected value types. A [sample config file](files/shadowsocks-libev.config) is also provided for reference. + +Every section have a `disabled` option to temporarily turn off the component instance or component instances referring to it. + +Section type `server` is for definition of remote shadowsocks servers. They will be referred to from other component sections and as such should be named (as compared to anonymous section). + +Section type `ss_local`, `ss_redir`, `ss_tunnel` are for specification of shadowsocks-libev components. They share mostly a common set of options like `local_port`, `verbose`, `fast_open`, `timeout`, etc. + +Plugin options should be specified in `server` section and will be inherited by other compoenents referring to it. + +We can have multiple instances of component and `server` sections. The relationship between them is many-to-one. This will have the following implications + + - It's possible to have both `ss_local` and `ss_redir` referring to the same `server` definition + - It's possible to have multiple instances of `ss_redir` listening on the same address:port with `reuse_port` enabled referring to the same or different `server` sections + +`ss_rules` section is for configuring the behaviour of `ss-rules` script. There can only exist at most one such section with the name also being `ss_rules` + + redir_tcp name of ss_redir section with mode tcp_only or tcp_and_udp + redir_udp name of ss_redir section with mode udp_only or tcp_and_udp + ifnames only apply rules on packets from these ifnames + + --- for incoming packets having source address in + + src_ips_bypass will bypass the redir chain + src_ips_forward will always go through the redir chain + src_ips_checkdst will continue to have their destination addresses checked + + --- otherwise, the default action can be specified with + + src_default bypass, forward, [checkdst] + + --- if the previous check result is checkdst, + --- then packets having destination address in + + dst_ips_bypass_file + dst_ips_bypass will bypass the redir chain + dst_ips_forward_file + dst_ips_forward will go through the redir chain + + --- otherwise, the default action can be specified with + + dst_default [bypass], forward + + --- for local out tcp packets, the default action can be specified with + + local_default [bypass], forward, checkdst + +ss-rules now uses nft set for storing addresses/networks. Those set names are also part of the API and can be populated by other programs, e.g. dnsmasq with builtin nft set support. Note that while nftables set supports storing cidr networks when `interval` flag is on, it rejects elements with overlaping intervals. + +Extra nftables expressions can be specified with `nft_tcp_extra` and `nft_udp_extra` to apply ss_rules only to selected tcp/udp traffics. E.g. `tcp dport { 80, 443 }`, `udp dport 53`, etc. + +# incompatible changes + +| Commit date | Commit ID | Subject | Comment | +| ----------- | --------- | ------- | ------- | +| 2022-03-01 | fdaf2de2a | shadowsocks-libev: ss-rules: convert to using nft | ss-rules now uses nftables. UCI option ipt_args and dst_forward_recentrst are now deprecated and removed | +| 2020-08-03 | 7d7cbae75 | shadowsocks-libev: support ss-server option local_address_{v4,v6} | ss_server bind_address now deprecated, use local_address | +| 2019-05-09 | afe7d3424 | shadowsocks-libev: move plugin options to server section | This is a revision against c19e949 committed 2019-05-06 | +| 2017-07-02 | b61af9703 | shadowsocks-libev: rewrite | Packaging of shadowsocks-libev was rewritten from scratch | + +# notes and faq + +Useful paths and commands for debugging + + # check current running status + ubus call service list '{"name": "shadowsocks-libev"}' + ubus call service list '{"name": "shadowsocks-libev", "verbose": true}' + + # dump validate definition + ubus call service validate '{"package": "shadowsocks-libev"}' + ubus call service validate '{"package": "shadowsocks-libev"}' \ + | jsonfilter -e '$["shadowsocks-libev"]["ss_tunnel"]' + + # check json config + ls -l /var/etc/shadowsocks-libev/ + + # set uci config option verbose to 1, restart the service and follow the log + logread -f + +ss-redir needs to open a new socket and setsockopt IP_TRANSPARENT when sending udp reply to client. This requires `CAP_NET_ADMIN` and as such the process cannot run as `nobody` + +ss-local, ss-redir, etc. supports specifying an array of remote ss server, but supporting this in uci seems to be overkill. The workaround can be defining multiple `server` sections and multiple `ss-redir` instances with `reuse_port` enabled + +# recipes + +## forward all + +This will setup firewall rules to forward almost all incoming tcp/udp and locally generated tcp traffic (excluding those to private addresses like 192.168.0.0/16 etc.) through remote shadowsocks server + +Install components. +Retry each command till it succeed + + opkg install shadowsocks-libev-ss-redir + opkg install shadowsocks-libev-ss-rules + opkg install shadowsocks-libev-ss-tunnel + +Edit uci config `/etc/config/shadowsocks-libev`. +Replace `config server 'sss0'` section with parameters of your own remote shadowsocks server. +As for other options, change them only when you know the effect. + + config server 'sss0' + option disabled 0 + option server '_sss_addr_' + option server_port '_sss_port_' + option password '********' + option method 'aes-256-cfb' + + config ss_tunnel + option disabled 0 + option server 'sss0' + option local_address '0.0.0.0' + option local_port '8053' + option tunnel_address '8.8.8.8:53' + option mode 'tcp_and_udp' + + config ss_redir ssr0 + option disabled 0 + option server 'sss0' + option local_address '0.0.0.0' + option local_port '1100' + option mode 'tcp_and_udp' + option reuse_port 1 + + config ss_rules 'ss_rules' + option disabled 0 + option redir_tcp 'ssr0' + option redir_udp 'ssr0' + option src_default 'checkdst' + option dst_default 'forward' + option local_default 'forward' + +Restart shadowsocks-libev components + + /etc/init.d/shadowsocks-libev restart + +Check if things are in place + + nft list ruleset | sed -r -n '/^\t[a-z]+ ss_rules[^ ]+ \{/,/^\t\}/p' + netstat -lntp | grep -E '8053|1100' + ps ww | grep ss- + +Edit `/etc/config/dhcp`, making sure options are present in the first dnsmasq section like the following to let it use local tunnel endpoint for upstream dns query. +Option `noresolv` instructs dnsmasq to not use other dns servers like advertised by local isp. +Option `localuse` intends to make sure the device you are configuring also uses this dnsmasq instance as the resolver, not the ones from other sources. + + config dnsmasq + ... + list server '127.0.0.1#8053' + option noresolv 1 + option localuse 1 + +Restart dnsmasq + + /etc/init.d/dnsmasq restart + +Check network on your computer + + nslookup www.google.com + curl -vv https://www.google.com diff --git a/shadowsocks-libev/files/shadowsocks-libev.config b/shadowsocks-libev/files/shadowsocks-libev.config new file mode 100644 index 00000000000..1d41127b6ad --- /dev/null +++ b/shadowsocks-libev/files/shadowsocks-libev.config @@ -0,0 +1,60 @@ +config ss_local + option disabled 1 + option server 'sss0' + option local_address '0.0.0.0' + option local_port '1080' + option timeout '30' + +config ss_tunnel + option disabled 1 + option server 'sss0' + option local_address '0.0.0.0' + option local_port '1090' + option tunnel_address 'example.com:80' + option mode 'tcp_and_udp' + option timeout '60' + +config ss_redir hi + option disabled 1 + option server 'sss0' + option local_address '0.0.0.0' + option local_port '1100' + option mode 'tcp_and_udp' + option timeout '60' + option fast_open 1 + option verbose 1 + option reuse_port 1 + +config ss_redir hj + option disabled 1 + option server 'sss0' + option local_address '0.0.0.0' + option local_port '1100' + option mode 'tcp_and_udp' + option timeout '60' + option fast_open 1 + option verbose 1 + option reuse_port 1 + +config ss_rules 'ss_rules' + option disabled 1 + option redir_tcp 'hi' + option redir_udp 'hi' + option src_default 'checkdst' + option dst_default 'bypass' + option local_default 'checkdst' + list src_ips_forward '192.168.1.4' + list dst_ips_forward '8.8.8.8' + +config server 'sss0' + option disabled 1 + option server '192.168.1.3' + option server_port '9001' + option password '********' + option method 'aes-256-cfb' + +config ss_server + option disabled 1 + option server_port '9001' + option password '********' + option method 'aes-256-cfb' diff --git a/shadowsocks-libev/files/shadowsocks-libev.init b/shadowsocks-libev/files/shadowsocks-libev.init new file mode 100644 index 00000000000..5330b873531 --- /dev/null +++ b/shadowsocks-libev/files/shadowsocks-libev.init @@ -0,0 +1,320 @@ +#!/bin/sh /etc/rc.common +# +# Copyright (C) 2017-2019 Yousong Zhou +# +# This is free software, licensed under the GNU General Public License v3. +# See /LICENSE for more information. +# + +USE_PROCD=1 +START=99 + +ss_confdir=/var/etc/shadowsocks-libev +ss_bindir=/usr/bin + +ssrules_uc="/usr/share/ss-rules/ss-rules.uc" +ssrules_nft="/etc/nftables.d/90-ss-rules.nft" + +ss_mkjson_server_conf() { + local cfgserver + + config_get cfgserver "$cfg" server + [ -n "$cfgserver" ] || return 1 + eval "$(validate_server_section "$cfg" ss_validate_mklocal)" + validate_server_section "$cfgserver" || return 1 + [ "$disabled" = 0 ] || return 1 + ss_mkjson_server_conf_ "$cfgserver" +} + +ss_mkjson_server_conf_() { + [ -n "$server_port" ] || return 1 + [ -z "$server" ] || json_add_string server "$server" + json_add_int server_port "$server_port" + [ -z "$method" ] || json_add_string method "$method" + [ -z "$key" ] || json_add_string key "$key" + [ -z "$password" ] || json_add_string password "$password" + [ -z "$plugin" ] || json_add_string plugin "$plugin" + [ -z "$plugin_opts" ] || json_add_string plugin_opts "$plugin_opts" +} + +ss_mkjson_ss_local_conf() { + ss_mkjson_server_conf +} + +ss_mkjson_ss_redir_conf() { + ss_mkjson_server_conf +} + +ss_mkjson_ss_server_conf() { + ss_mkjson_server_conf_ +} + +ss_mkjson_ss_tunnel_conf() { + ss_mkjson_server_conf || return 1 + [ -n "$tunnel_address" ] || return 1 + json_add_string tunnel_address "$tunnel_address" +} + +ss_xxx() { + local cfg="$1" + local cfgtype="$2" + local bin="$ss_bindir/${cfgtype/_/-}" + local confjson="$ss_confdir/$cfgtype.$cfg.json" + + [ -x "$bin" ] || return + eval "$("validate_${cfgtype}_section" "$cfg" ss_validate_mklocal)" + "validate_${cfgtype}_section" "$cfg" || return + [ "$disabled" = 0 ] || return + + json_init + ss_mkjson_${cfgtype}_conf || return + json_add_boolean use_syslog 1 + json_add_boolean ipv6_first "$ipv6_first" + json_add_boolean fast_open "$fast_open" + json_add_boolean reuse_port "$reuse_port" + json_add_boolean no_delay "$no_delay" + [ -z "$local_address" ] || json_add_string local_address "$local_address" + [ -z "$local_port" ] || json_add_int local_port "$local_port" + [ -z "$local_ipv4_address" ] || json_add_string local_ipv4_address "$local_ipv4_address" + [ -z "$local_ipv6_address" ] || json_add_string local_ipv6_address "$local_ipv6_address" + [ -z "$mode" ] || json_add_string mode "$mode" + [ -z "$mtu" ] || json_add_int mtu "$mtu" + [ -z "$timeout" ] || json_add_int timeout "$timeout" + [ -z "$user" ] || json_add_string user "$user" + [ -z "$acl" ] || json_add_string acl "$acl" + json_dump -i >"$confjson" + + procd_open_instance "$cfgtype.$cfg" + procd_set_param command "$bin" -c "$confjson" + [ "$verbose" = 0 ] || procd_append_param command -v + if [ -n "$bind_address" ]; then + echo "$cfgtype $cfg: uci option bind_address deprecated, please switch to local_address" >&2 + procd_append_param command -b "$bind_address" + fi + procd_set_param file "$confjson" + procd_set_param respawn + procd_close_instance + ss_rules_cb +} + +ss_rules_cb() { + local cfgserver server + + if [ "$cfgtype" = ss_redir ]; then + config_get cfgserver "$cfg" server + config_get server "$cfgserver" server + ss_redir_servers="$ss_redir_servers $server" + if [ "$mode" = tcp_only -o "$mode" = "tcp_and_udp" ]; then + eval "ss_rules_redir_tcp_$cfg=$local_port" + fi + if [ "$mode" = udp_only -o "$mode" = "tcp_and_udp" ]; then + eval "ss_rules_redir_udp_$cfg=$local_port" + fi + fi +} + +ss_rules_nft_gen() { + local cfg="ss_rules" + local cfgtype + local local_port_tcp local_port_udp + local remote_servers + + [ -s "$ssrules_uc" ] || return 1 + + config_get cfgtype "$cfg" TYPE + [ "$cfgtype" = ss_rules ] || return 1 + + eval "$(validate_ss_rules_section "$cfg" ss_validate_mklocal)" + validate_ss_rules_section "$cfg" || return 1 + [ "$disabled" = 0 ] || return 2 + + eval local_port_tcp="\$ss_rules_redir_tcp_$redir_tcp" + eval local_port_udp="\$ss_rules_redir_udp_$redir_udp" + [ -n "$local_port_tcp" -o -n "$local_port_udp" ] || return 1 + remote_servers="$(echo $ss_redir_servers \ + | tr ' ' '\n' \ + | sort -u \ + | xargs -n 1 resolveip \ + | sort -u)" + + local tmp="/tmp/ssrules" + json_init + json_add_string o_remote_servers "$remote_servers" + json_add_int o_redir_tcp_port "$local_port_tcp" + json_add_int o_redir_udp_port "$local_port_udp" + json_add_string o_ifnames "$ifnames" + json_add_string o_local_default "$local_default" + json_add_string o_src_bypass "$src_ips_bypass" + json_add_string o_src_forward "$src_ips_forward" + json_add_string o_src_checkdst "$src_ips_checkdst" + json_add_string o_src_default "$src_default" + json_add_string o_dst_bypass "$dst_ips_bypass" + json_add_string o_dst_forward "$dst_ips_forward" + json_add_string o_dst_bypass_file "$dst_ips_bypass_file" + json_add_string o_dst_forward_file "$dst_ips_forward_file" + json_add_string o_dst_default "$dst_default" + json_add_string o_nft_tcp_extra "$nft_tcp_extra" + json_add_string o_nft_udp_extra "$nft_udp_extra" + json_dump -i >"$tmp.json" + + if utpl -S -F "$tmp.json" "$ssrules_uc" >"$tmp.nft" \ + && ! cmp -s "$tmp.nft" "$ssrules_nft"; then + echo "table inet chk {include \"$tmp.nft\";}" >"$tmp.nft.chk" + if nft -f "$tmp.nft.chk" -c; then + mv "$tmp.nft" "$ssrules_nft" + fw4 restart + fi + rm -f "$tmp.nft.chk" + fi + rm -f "$tmp.json" + rm -f "$tmp.nft" +} + +ss_rules_nft_reset() { + if [ -f "$ssrules_nft" ]; then + rm -f "$ssrules_nft" + fw4 restart + fi +} + +ss_rules() { + if ! ss_rules_nft_gen; then + ss_rules_nft_reset + fi +} + +start_service() { + local cfgtype + + mkdir -p "$ss_confdir" + config_load shadowsocks-libev + for cfgtype in ss_local ss_redir ss_server ss_tunnel; do + config_foreach ss_xxx "$cfgtype" "$cfgtype" + done + ss_rules +} + +stop_service() { + ss_rules_nft_reset + rm -rf "$ss_confdir" +} + +service_triggers() { + procd_add_reload_interface_trigger wan + procd_add_reload_trigger shadowsocks-libev + procd_open_validate + validate_server_section + validate_ss_local_section + validate_ss_redir_section + validate_ss_rules_section + validate_ss_server_section + validate_ss_tunnel_section + procd_close_validate +} + +ss_validate_mklocal() { + local tuple opts + + shift 2 + for tuple in "$@"; do + opts="${tuple%%:*} $opts" + done + [ -z "$opts" ] || echo "local $opts" +} + +ss_validate() { + uci_validate_section shadowsocks-libev "$@" +} + +validate_common_server_options_() { + local cfgtype="$1"; shift + local cfg="$1"; shift + local func="$1"; shift + local stream_methods='"table", "rc4", "rc4-md5", "aes-128-cfb", "aes-192-cfb", "aes-256-cfb", "aes-128-ctr", "aes-192-ctr", "aes-256-ctr", "bf-cfb", "camellia-128-cfb", "camellia-192-cfb", "camellia-256-cfb", "salsa20", "chacha20", "chacha20-ietf"' + local aead_methods='"aes-128-gcm", "aes-192-gcm", "aes-256-gcm", "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"' + + "${func:-ss_validate}" "$cfgtype" "$cfg" "$@" \ + 'disabled:bool:0' \ + 'server:host' \ + 'server_port:port' \ + 'password:string' \ + 'key:string' \ + "method:or($stream_methods, $aead_methods)" \ + 'plugin:string' \ + 'plugin_opts:string' +} + +validate_common_client_options_() { + validate_common_options_ "$@" \ + 'server:uci("shadowsocks-libev", "@server")' \ + 'local_address:ipaddr:0.0.0.0' \ + 'local_port:port' +} + +validate_common_options_() { + local cfgtype="$1"; shift + local cfg="$1"; shift + local func="$1"; shift + + "${func:-ss_validate}" "$cfgtype" "$cfg" "$@" \ + 'disabled:bool:0' \ + 'fast_open:bool:0' \ + 'ipv6_first:bool:0' \ + 'no_delay:bool:0' \ + 'reuse_port:bool:0' \ + 'verbose:bool:0' \ + 'mode:or("tcp_only", "udp_only", "tcp_and_udp"):tcp_only' \ + 'mtu:uinteger' \ + 'timeout:uinteger' \ + 'user:string' +} + +validate_server_section() { + validate_common_server_options_ server "$1" "$2" +} + +validate_ss_local_section() { + validate_common_client_options_ ss_local "$1" "$2" \ + 'acl:file' +} + +validate_ss_redir_section() { + validate_common_client_options_ ss_redir "$1" "$2" +} + +validate_ss_rules_section() { + "${2:-ss_validate}" ss_rules "$1" \ + 'disabled:bool:0' \ + 'redir_tcp:uci("shadowsocks-libev", "@ss_redir")' \ + 'redir_udp:uci("shadowsocks-libev", "@ss_redir")' \ + 'src_ips_bypass:or(ipaddr,cidr)' \ + 'src_ips_forward:or(ipaddr,cidr)' \ + 'src_ips_checkdst:or(ipaddr,cidr)' \ + 'dst_ips_bypass_file:file' \ + 'dst_ips_bypass:or(ipaddr,cidr)' \ + 'dst_ips_forward_file:file' \ + 'dst_ips_forward:or(ipaddr,cidr)' \ + 'src_default:or("bypass", "forward", "checkdst"):checkdst' \ + 'dst_default:or("bypass", "forward"):bypass' \ + 'local_default:or("bypass", "forward", "checkdst"):bypass' \ + 'nft_tcp_extra:string' \ + 'nft_udp_extra:string' \ + 'ifnames:maxlength(15)' +} + +validate_ss_server_section() { + validate_common_server_options_ ss_server "$1" \ + validate_common_options_ \ + "$2" \ + 'local_address:ipaddr' \ + 'local_ipv4_address:ip4addr' \ + 'local_ipv6_address:ip6addr' \ + 'bind_address:ipaddr' \ + 'acl:file' +} + +validate_ss_tunnel_section() { + validate_common_client_options_ ss_tunnel "$1" \ + "$2" \ + 'tunnel_address:regex(".+\:[0-9]+")' +} diff --git a/shadowsocks-libev/files/ss-rules/chain.uc b/shadowsocks-libev/files/ss-rules/chain.uc new file mode 100644 index 00000000000..3047f16632e --- /dev/null +++ b/shadowsocks-libev/files/ss-rules/chain.uc @@ -0,0 +1,122 @@ +{% +function get_local_verdict() { + let v = o_local_default; + if (v == "checkdst") { + return "goto ss_rules_dst_" + proto; + } else if (v == "forward") { + return "goto ss_rules_forward_" + proto; + } else { + return null; + } +} + +function get_src_default_verdict() { + let v = o_src_default; + if (v == "checkdst") { + return "goto ss_rules_dst_" + proto; + } else if (v == "forward") { + return "goto ss_rules_forward_" + proto; + } else { + return "accept"; + } +} + +function get_dst_default_verdict() { + let v = o_dst_default; + if (v == "forward") { + return "goto ss_rules_forward_" + proto; + } else { + return "accept"; + } +} + +function get_ifnames() { + let res = []; + for (let ifname in split(o_ifnames, /[ \t\n]/)) { + ifname = trim(ifname); + if (ifname) push(res, ifname); + } + return res; +} + +let type, hook, priority, redir_port; +if (proto == "tcp") { + type = "nat"; + hook = "prerouting"; + priority = -1; + redir_port = o_redir_tcp_port; +} else if (proto == "udp") { + type = "filter"; + hook = "prerouting"; + priority = "mangle"; + redir_port = o_redir_udp_port; + if (system(" + set -o errexit + iprr() { + while ip $1 rule del fwmark 1 lookup 100 2>/dev/null; do true; done + ip $1 rule add fwmark 1 lookup 100 + ip $1 route flush table 100 2>/dev/null || true + ip $1 route add local default dev lo table 100 + } + iprr -4 + iprr -6 + ") != 0) { + return ; + } +} else { + return; +} + +%} +{% if (redir_port): %} + +chain ss_rules_pre_{{ proto }} { + type {{ type }} hook {{ hook }} priority {{ priority }}; + meta l4proto {{ proto }}{%- let ifnames=get_ifnames(); if (length(ifnames)): %} iifname { {{join(", ", ifnames)}} }{% endif %} goto ss_rules_pre_src_{{ proto }}; +} + +chain ss_rules_pre_src_{{ proto }} { + ip daddr @ss_rules_dst_bypass_ accept; + ip6 daddr @ss_rules6_dst_bypass_ accept; + goto ss_rules_src_{{ proto }}; +} + +chain ss_rules_src_{{ proto }} { + ip saddr @ss_rules_src_bypass accept; + ip saddr @ss_rules_src_forward goto ss_rules_forward_{{ proto }}; + ip saddr @ss_rules_src_checkdst goto ss_rules_dst_{{ proto }}; + ip6 saddr @ss_rules6_src_bypass accept; + ip6 saddr @ss_rules6_src_forward goto ss_rules_forward_{{ proto }}; + ip6 saddr @ss_rules6_src_checkdst goto ss_rules_dst_{{ proto }}; + {{ get_src_default_verdict() }}; +} + +chain ss_rules_dst_{{ proto }} { + ip daddr @ss_rules_dst_bypass accept; + ip daddr @ss_rules_dst_forward goto ss_rules_forward_{{ proto }}; + ip6 daddr @ss_rules6_dst_bypass accept; + ip6 daddr @ss_rules6_dst_forward goto ss_rules_forward_{{ proto }}; + {{ get_dst_default_verdict() }}; +} + +{% if (proto == "tcp"): %} +chain ss_rules_forward_{{ proto }} { + meta l4proto tcp {{ o_nft_tcp_extra }} redirect to :{{ redir_port }}; +} +{% let local_verdict = get_local_verdict(); if (local_verdict): %} +chain ss_rules_local_out { + type {{ type }} hook output priority -1; + meta l4proto != tcp accept; + ip daddr @ss_rules_dst_bypass_ accept; + ip daddr @ss_rules_dst_bypass accept; + ip6 daddr @ss_rules6_dst_bypass_ accept; + ip6 daddr @ss_rules6_dst_bypass accept; + {{ local_verdict }}; +} +{% endif %} +{% elif (proto == "udp"): %} +chain ss_rules_forward_{{ proto }} { + meta l4proto udp {{ o_nft_udp_extra }} meta mark set 1 tproxy to :{{ redir_port }}; +} +{% endif %} +{% endif %} diff --git a/shadowsocks-libev/files/ss-rules/set.uc b/shadowsocks-libev/files/ss-rules/set.uc new file mode 100644 index 00000000000..0decec5f1b7 --- /dev/null +++ b/shadowsocks-libev/files/ss-rules/set.uc @@ -0,0 +1,114 @@ +{% +let fs = require("fs"); + +let o_dst_bypass4_ = " + 0.0.0.0/8 + 10.0.0.0/8 + 100.64.0.0/10 + 127.0.0.0/8 + 169.254.0.0/16 + 172.16.0.0/12 + 192.0.0.0/24 + 192.0.2.0/24 + 192.31.196.0/24 + 192.52.193.0/24 + 192.88.99.0/24 + 192.168.0.0/16 + 192.175.48.0/24 + 198.18.0.0/15 + 198.51.100.0/24 + 203.0.113.0/24 + 224.0.0.0/4 + 240.0.0.0/4 +"; +let o_dst_bypass6_ = " + ::1/128 + ::/128 + ::ffff:0:0/96 + 64:ff9b:1::/48 + 100::/64 + fe80::/10 + 2001::/23 + fc00::/7 +"; +let o_dst_bypass_ = o_dst_bypass4_ + " " + o_dst_bypass6_; + +let set_suffix = { + "src_bypass": { + str: o_src_bypass, + }, + "src_forward": { + str: o_src_forward, + }, + "src_checkdst": { + str: o_src_checkdst, + }, + "dst_bypass": { + str: o_dst_bypass + " " + o_remote_servers, + file: o_dst_bypass_file, + }, + "dst_bypass_": { + str: o_dst_bypass_, + }, + "dst_forward": { + str: o_dst_forward, + file: o_dst_forward_file, + }, + "dst_forward_rrst_": {}, +}; + +function set_name(suf, af) { + if (af == 4) { + return "ss_rules_"+suf; + } else { + return "ss_rules6_"+suf; + } +} + +function set_elements_parse(res, str, af) { + for (let addr in split(str, /[ \t\n]/)) { + addr = trim(addr); + if (!addr) continue; + if (af == 4 && index(addr, ":") != -1) continue; + if (af == 6 && index(addr, ":") == -1) continue; + push(res, addr); + } +} + +function set_elements(suf, af) { + let obj = set_suffix[suf]; + let res = []; + let addr; + + let str = obj["str"]; + if (str) { + set_elements_parse(res, str, af); + } + + let file = obj["file"]; + if (file) { + let fd = fs.open(file); + if (fd) { + str = fd.read("all"); + set_elements_parse(res, str, af); + } + } + + return res; +} +%} + +{% for (let suf in set_suffix): for (let af in [4, 6]): %} +set {{ set_name(suf, af) }} { + type ipv{{af}}_addr; + flags interval; + auto-merge; +{% let elems = set_elements(suf, af); if (length(elems)): %} + elements = { +{% for (let i = 0; i < length(elems); i++): %} + {{ elems[i] }}{% if (i < length(elems) - 1): %},{% endif %}{% print("\n") %} +{% endfor %} + } +{% endif %} +} +{% endfor; endfor %} diff --git a/shadowsocks-libev/files/ss-rules/ss-rules.uc b/shadowsocks-libev/files/ss-rules/ss-rules.uc new file mode 100644 index 00000000000..f3955b2ef69 --- /dev/null +++ b/shadowsocks-libev/files/ss-rules/ss-rules.uc @@ -0,0 +1,8 @@ +{% + +include("set.uc"); +include("chain.uc", {proto: "tcp"}); +include("chain.uc", {proto: "udp"}); + +%} + diff --git a/shadowsocks-libev/patches/100-Upgrade-PCRE-to-PCRE2.patch b/shadowsocks-libev/patches/100-Upgrade-PCRE-to-PCRE2.patch new file mode 100644 index 00000000000..91b2e5b9d2a --- /dev/null +++ b/shadowsocks-libev/patches/100-Upgrade-PCRE-to-PCRE2.patch @@ -0,0 +1,544 @@ +From d4f4d9761cbd41c3ab6de79383ff39b9f97bf452 Mon Sep 17 00:00:00 2001 +From: Syrone Wong +Date: Sat, 18 Nov 2017 20:06:50 +0800 +Subject: [PATCH] Upgrade PCRE to PCRE2 + +- Use 8bit variant by default + +This comes from a PR closed and never reopen as at times PCRE2 was too +new(???.) + +Ref: https://github.com/shadowsocks/shadowsocks-libev/pull/1792 +Signed-off-by: Syrone Wong +[ squash the first 2 patch from PR, drop the last one ] +Signed-off-by: Christian Marangi +--- + .travis.yml | 9 ++- + configure.ac | 8 +-- + m4/pcre.m4 | 152 ------------------------------------------ + m4/pcre2.m4 | 181 +++++++++++++++++++++++++++++++++++++++++++++++++++ + src/rule.c | 53 ++++++++++++--- + src/rule.h | 23 +++++-- + 6 files changed, 253 insertions(+), 173 deletions(-) + delete mode 100644 m4/pcre.m4 + create mode 100644 m4/pcre2.m4 + +# diff --git a/.travis.yml b/.travis.yml +# index ee3424c..e7da08c 100644 +# --- a/.travis.yml +# +++ b/.travis.yml +# @@ -11,11 +11,12 @@ env: +# global: +# - LIBSODIUM_VER=1.0.12 +# - MBEDTLS_VER=2.4.0 +# + - PCRE2_VER=10.30 +# before_install: +# - | +# if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then +# # All dependencies for macOS build. Some packages has been installed by travis so use reinstall. +# - brew reinstall autoconf automake xmlto c-ares libev mbedtls libsodium asciidoc >> /dev/null 2>&1; +# + brew reinstall autoconf automake xmlto pcre2 c-ares libev mbedtls libsodium asciidoc >> /dev/null 2>&1; +# else +# wget https://github.com/jedisct1/libsodium/releases/download/$LIBSODIUM_VER/libsodium-$LIBSODIUM_VER.tar.gz; +# tar xvf libsodium-$LIBSODIUM_VER.tar.gz; +# @@ -29,6 +30,12 @@ before_install: +# make SHARED=1; +# sudo make install; +# popd; +# + wget https://ftp.pcre.org/pub/pcre/pcre2-$PCRE2_VER.tar.gz; +# + tar xvf pcre2-$PCRE2_VER.tar.gz; +# + pushd pcre2-$PCRE2_VER; +# + ./configure --prefix=/usr --enable-pcre2-16 --enable-pcre2-32 && make; +# + sudo make install; +# + popd; +# # Load cached docker images +# if [[ -d $HOME/docker ]]; then +# ls $HOME/docker/*.tar.gz | xargs -I {file} sh -c "zcat {file} | docker load"; +--- a/configure.ac ++++ b/configure.ac +@@ -20,10 +20,10 @@ AC_DISABLE_STATIC + AC_DISABLE_SHARED + LT_INIT([dlopen]) + +-dnl Check for pcre library +-TS_CHECK_PCRE +-if test "x${enable_pcre}" != "xyes"; then +- AC_MSG_ERROR([Cannot find pcre library. Configure --with-pcre=DIR]) ++dnl Check for pcre2 library ++TS_CHECK_PCRE2 ++if test "x${enable_pcre2}" != "xyes"; then ++ AC_MSG_ERROR([Cannot find pcre2 library. Configure --with-pcre2=DIR]) + fi + + dnl Checks for using shared libraries from system +--- a/m4/pcre.m4 ++++ /dev/null +@@ -1,152 +0,0 @@ +-dnl -------------------------------------------------------- -*- autoconf -*- +-dnl Licensed to the Apache Software Foundation (ASF) under one or more +-dnl contributor license agreements. See the NOTICE file distributed with +-dnl this work for additional information regarding copyright ownership. +-dnl The ASF licenses this file to You under the Apache License, Version 2.0 +-dnl (the "License"); you may not use this file except in compliance with +-dnl the License. You may obtain a copy of the License at +-dnl +-dnl http://www.apache.org/licenses/LICENSE-2.0 +-dnl +-dnl Unless required by applicable law or agreed to in writing, software +-dnl distributed under the License is distributed on an "AS IS" BASIS, +-dnl WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-dnl See the License for the specific language governing permissions and +-dnl limitations under the License. +- +-dnl +-dnl TS_ADDTO(variable, value) +-dnl +-dnl Add value to variable +-dnl +-AC_DEFUN([TS_ADDTO], [ +- if test "x$$1" = "x"; then +- test "x$verbose" = "xyes" && echo " setting $1 to \"$2\"" +- $1="$2" +- else +- ats_addto_bugger="$2" +- for i in $ats_addto_bugger; do +- ats_addto_duplicate="0" +- for j in $$1; do +- if test "x$i" = "x$j"; then +- ats_addto_duplicate="1" +- break +- fi +- done +- if test $ats_addto_duplicate = "0"; then +- test "x$verbose" = "xyes" && echo " adding \"$i\" to $1" +- $1="$$1 $i" +- fi +- done +- fi +-])dnl +- +-dnl +-dnl TS_ADDTO_RPATH(path) +-dnl +-dnl Adds path to variable with the '-rpath' directive. +-dnl +-AC_DEFUN([TS_ADDTO_RPATH], [ +- AC_MSG_NOTICE([adding $1 to RPATH]) +- TS_ADDTO(LIBTOOL_LINK_FLAGS, [-R$1]) +-])dnl +- +-dnl +-dnl pcre.m4: Trafficserver's pcre autoconf macros +-dnl +- +-dnl +-dnl TS_CHECK_PCRE: look for pcre libraries and headers +-dnl +-AC_DEFUN([TS_CHECK_PCRE], [ +-enable_pcre=no +-AC_ARG_WITH(pcre, [AC_HELP_STRING([--with-pcre=DIR],[use a specific pcre library])], +-[ +- if test "x$withval" != "xyes" && test "x$withval" != "x"; then +- pcre_base_dir="$withval" +- if test "$withval" != "no"; then +- enable_pcre=yes +- case "$withval" in +- *":"*) +- pcre_include="`echo $withval |sed -e 's/:.*$//'`" +- pcre_ldflags="`echo $withval |sed -e 's/^.*://'`" +- AC_MSG_CHECKING(checking for pcre includes in $pcre_include libs in $pcre_ldflags ) +- ;; +- *) +- pcre_include="$withval/include" +- pcre_ldflags="$withval/lib" +- AC_MSG_CHECKING(checking for pcre includes in $withval) +- ;; +- esac +- fi +- fi +-], +-[ +- AC_CHECK_PROG(PCRE_CONFIG, pcre-config, pcre-config) +- if test "x$PCRE_CONFIG" != "x"; then +- enable_pcre=yes +- pcre_base_dir="`$PCRE_CONFIG --prefix`" +- pcre_include="`$PCRE_CONFIG --cflags | sed -es/-I//`" +- pcre_ldflags="`$PCRE_CONFIG --libs | sed -es/-lpcre// -es/-L//`" +- fi +-]) +- +-if test "x$pcre_base_dir" = "x"; then +- AC_MSG_CHECKING([for pcre location]) +- AC_CACHE_VAL(ats_cv_pcre_dir,[ +- for dir in /usr/local /usr ; do +- if test -d $dir && ( test -f $dir/include/pcre.h || test -f $dir/include/pcre/pcre.h ); then +- ats_cv_pcre_dir=$dir +- break +- fi +- done +- ]) +- pcre_base_dir=$ats_cv_pcre_dir +- if test "x$pcre_base_dir" = "x"; then +- enable_pcre=no +- AC_MSG_RESULT([not found]) +- else +- enable_pcre=yes +- pcre_include="$pcre_base_dir/include" +- pcre_ldflags="$pcre_base_dir/lib" +- AC_MSG_RESULT([$pcre_base_dir]) +- fi +-else +- AC_MSG_CHECKING(for pcre headers in $pcre_include) +- if test -d $pcre_include && test -d $pcre_ldflags && ( test -f $pcre_include/pcre.h || test -f $pcre_include/pcre/pcre.h ); then +- AC_MSG_RESULT([ok]) +- else +- AC_MSG_RESULT([not found]) +- fi +-fi +- +-pcreh=0 +-pcre_pcreh=0 +-if test "$enable_pcre" != "no"; then +- saved_ldflags=$LDFLAGS +- saved_cppflags=$CFLAGS +- pcre_have_headers=0 +- pcre_have_libs=0 +- if test "$pcre_base_dir" != "/usr"; then +- TS_ADDTO(CFLAGS, [-I${pcre_include}]) +- TS_ADDTO(CFLAGS, [-DPCRE_STATIC]) +- TS_ADDTO(LDFLAGS, [-L${pcre_ldflags}]) +- TS_ADDTO_RPATH(${pcre_ldflags}) +- fi +- AC_SEARCH_LIBS([pcre_exec], [pcre], [pcre_have_libs=1]) +- if test "$pcre_have_libs" != "0"; then +- AC_CHECK_HEADERS(pcre.h, [pcre_have_headers=1]) +- AC_CHECK_HEADERS(pcre/pcre.h, [pcre_have_headers=1]) +- fi +- if test "$pcre_have_headers" != "0"; then +- AC_DEFINE(HAVE_LIBPCRE,1,[Compiling with pcre support]) +- AC_SUBST(LIBPCRE, [-lpcre]) +- else +- enable_pcre=no +- CFLAGS=$saved_cppflags +- LDFLAGS=$saved_ldflags +- fi +-fi +-AC_SUBST(pcreh) +-AC_SUBST(pcre_pcreh) +-]) +--- /dev/null ++++ b/m4/pcre2.m4 +@@ -0,0 +1,181 @@ ++dnl -------------------------------------------------------- -*- autoconf -*- ++dnl Licensed to the Apache Software Foundation (ASF) under one or more ++dnl contributor license agreements. See the NOTICE file distributed with ++dnl this work for additional information regarding copyright ownership. ++dnl The ASF licenses this file to You under the Apache License, Version 2.0 ++dnl (the "License"); you may not use this file except in compliance with ++dnl the License. You may obtain a copy of the License at ++dnl ++dnl http://www.apache.org/licenses/LICENSE-2.0 ++dnl ++dnl Unless required by applicable law or agreed to in writing, software ++dnl distributed under the License is distributed on an "AS IS" BASIS, ++dnl WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++dnl See the License for the specific language governing permissions and ++dnl limitations under the License. ++ ++dnl Modified by Syrone Wong to support pcre2 8bit variant only ++ ++dnl ++dnl TS_ADDTO(variable, value) ++dnl ++dnl Add value to variable ++dnl ++AC_DEFUN([TS_ADDTO], [ ++ if test "x$$1" = "x"; then ++ test "x$verbose" = "xyes" && echo " setting $1 to \"$2\"" ++ $1="$2" ++ else ++ ats_addto_bugger="$2" ++ for i in $ats_addto_bugger; do ++ ats_addto_duplicate="0" ++ for j in $$1; do ++ if test "x$i" = "x$j"; then ++ ats_addto_duplicate="1" ++ break ++ fi ++ done ++ if test $ats_addto_duplicate = "0"; then ++ test "x$verbose" = "xyes" && echo " adding \"$i\" to $1" ++ $1="$$1 $i" ++ fi ++ done ++ fi ++])dnl ++ ++dnl ++dnl TS_ADDTO_RPATH(path) ++dnl ++dnl Adds path to variable with the '-rpath' directive. ++dnl ++AC_DEFUN([TS_ADDTO_RPATH], [ ++ AC_MSG_NOTICE([adding $1 to RPATH]) ++ TS_ADDTO(LIBTOOL_LINK_FLAGS, [-R$1]) ++])dnl ++ ++dnl ++dnl pcre2.m4: Trafficserver's pcre2 autoconf macros ++dnl ++ ++dnl ++dnl TS_CHECK_PCRE2: look for pcre2 libraries and headers ++dnl ++AC_DEFUN([TS_CHECK_PCRE2], [ ++enable_pcre2=no ++AC_ARG_WITH(pcre2, [AC_HELP_STRING([--with-pcre2=DIR],[use a specific pcre2 library])], ++[ ++ if test "x$withval" != "xyes" && test "x$withval" != "x"; then ++ pcre2_base_dir="$withval" ++ if test "$withval" != "no"; then ++ enable_pcre2=yes ++ case "$withval" in ++ *":"*) ++ pcre2_include="`echo $withval |sed -e 's/:.*$//'`" ++ pcre2_ldflags="`echo $withval |sed -e 's/^.*://'`" ++ AC_MSG_CHECKING(checking for pcre2 includes in $pcre2_include libs in $pcre2_ldflags ) ++ ;; ++ *) ++ pcre2_include="$withval/include" ++ pcre2_ldflags="$withval/lib" ++ AC_MSG_CHECKING(checking for pcre2 includes in $withval) ++ ;; ++ esac ++ fi ++ fi ++], ++[ ++ AC_CHECK_PROG(PCRE2_CONFIG, pcre2-config, pcre2-config) ++ if test "x$PCRE2_CONFIG" != "x"; then ++ enable_pcre2=yes ++ pcre2_base_dir="`$PCRE2_CONFIG --prefix`" ++ pcre2_include="`$PCRE2_CONFIG --cflags | sed -es/-I//`" ++ pcre2_ldflags="`$PCRE2_CONFIG --libs8 | sed -es/-lpcre2-8// -es/-L//`" ++ fi ++]) ++ ++if test "x$pcre2_base_dir" = "x"; then ++ AC_MSG_CHECKING([for pcre2 location]) ++ AC_CACHE_VAL(ats_cv_pcre2_dir,[ ++ for dir in /usr/local /usr ; do ++ if test -d $dir && ( test -f $dir/include/pcre2.h || test -f $dir/include/pcre2/pcre2.h ); then ++ ats_cv_pcre2_dir=$dir ++ break ++ fi ++ done ++ ]) ++ pcre2_base_dir=$ats_cv_pcre2_dir ++ if test "x$pcre2_base_dir" = "x"; then ++ enable_pcre2=no ++ AC_MSG_RESULT([not found]) ++ else ++ enable_pcre2=yes ++ pcre2_include="$pcre2_base_dir/include" ++ pcre2_ldflags="$pcre2_base_dir/lib" ++ AC_MSG_RESULT([$pcre2_base_dir]) ++ fi ++else ++ AC_MSG_CHECKING(for pcre2 headers in $pcre2_include) ++ if test -d $pcre2_include && test -d $pcre2_ldflags && ( test -f $pcre2_include/pcre2.h || test -f $pcre2_include/pcre2/pcre2.h ); then ++ AC_MSG_RESULT([ok]) ++ else ++ AC_MSG_RESULT([not found]) ++ fi ++fi ++ ++pcre2h=0 ++pcre2_pcre2h=0 ++if test "$enable_pcre2" != "no"; then ++ saved_ldflags=$LDFLAGS ++ saved_cppflags=$CFLAGS ++ pcre2_have_headers=0 ++ pcre2_have_libs=0 ++ if test "$pcre2_base_dir" != "/usr"; then ++ TS_ADDTO(CFLAGS, [-I${pcre2_include}]) ++ TS_ADDTO(CFLAGS, [-DPCRE2_STATIC]) ++ TS_ADDTO(LDFLAGS, [-L${pcre2_ldflags}]) ++ TS_ADDTO_RPATH(${pcre2_ldflags}) ++ fi ++ AC_SEARCH_LIBS([pcre2_match_8], [pcre2-8], [pcre2_have_libs=1]) ++ if test "$pcre2_have_libs" != "0"; then ++ AC_MSG_CHECKING([pcre2.h]) ++ AC_COMPILE_IFELSE( ++ [AC_LANG_PROGRAM( ++ [[ ++#define PCRE2_CODE_UNIT_WIDTH 8 ++#include ++ ]], ++ [[ ++ ]] ++ )], ++ [pcre2_have_headers=1 ++ AC_MSG_RESULT([ok])], ++ [AC_MSG_RESULT([not found])] ++ ) ++ ++ AC_MSG_CHECKING([pcre2/pcre2.h]) ++ AC_COMPILE_IFELSE( ++ [AC_LANG_PROGRAM( ++ [[ ++#define PCRE2_CODE_UNIT_WIDTH 8 ++#include ++ ]], ++ [[ ++ ]] ++ )], ++ [pcre2_have_headers=1 ++ AC_MSG_RESULT([ok])], ++ [AC_MSG_RESULT([not found])] ++ ) ++ fi ++ if test "$pcre2_have_headers" != "0"; then ++ AC_DEFINE(HAVE_LIBPCRE2,1,[Compiling with pcre2 support]) ++ AC_SUBST(LIBPCRE2, [-lpcre2-8]) ++ else ++ enable_pcre2=no ++ CFLAGS=$saved_cppflags ++ LDFLAGS=$saved_ldflags ++ fi ++fi ++AC_SUBST(pcre2h) ++AC_SUBST(pcre2_pcre2h) ++]) +--- a/src/rule.c ++++ b/src/rule.c +@@ -1,6 +1,7 @@ + /* + * Copyright (c) 2011 and 2012, Dustin Lundquist + * Copyright (c) 2011 Manuel Kasper ++ * Copyright (c) 2017 Syrone Wong + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -74,18 +75,37 @@ add_rule(struct cork_dllist *rules, rule + cork_dllist_add(rules, &rule->entries); + } + ++/* ++ * XXX: As pattern and subject are char arguments, they can be straightforwardly ++ * cast to PCRE2_SPTR as we are working in 8-bit code units. ++ */ ++ + int + init_rule(rule_t *rule) + { + if (rule->pattern_re == NULL) { +- const char *reerr; +- int reerroffset; ++ int errornumber; ++ PCRE2_SIZE erroroffset; ++ rule->pattern_re = pcre2_compile( ++ (PCRE2_SPTR)rule->pattern, /* the pattern */ ++ PCRE2_ZERO_TERMINATED, /* indicates pattern is zero-terminated */ ++ 0, /* default options */ ++ &errornumber, /* for error number */ ++ &erroroffset, /* for error offset */ ++ NULL); /* use default compile context */ + +- rule->pattern_re = +- pcre_compile(rule->pattern, 0, &reerr, &reerroffset, NULL); + if (rule->pattern_re == NULL) { +- LOGE("Regex compilation of \"%s\" failed: %s, offset %d", +- rule->pattern, reerr, reerroffset); ++ PCRE2_UCHAR errbuffer[512]; ++ pcre2_get_error_message(errornumber, errbuffer, sizeof(errbuffer)); ++ LOGE("PCRE2 regex compilation failed at offset %d: %s\n", (int)erroroffset, ++ errbuffer); ++ return 0; ++ } ++ ++ rule->pattern_re_match_data = pcre2_match_data_create_from_pattern(rule->pattern_re, NULL); ++ ++ if (rule->pattern_re_match_data == NULL) { ++ ERROR("PCRE2: the memory for the block could not be obtained"); + return 0; + } + } +@@ -105,8 +125,15 @@ lookup_rule(const struct cork_dllist *ru + + cork_dllist_foreach_void(rules, curr, next) { + rule_t *rule = cork_container_of(curr, rule_t, entries); +- if (pcre_exec(rule->pattern_re, NULL, +- name, name_len, 0, 0, NULL, 0) >= 0) ++ if (pcre2_match( ++ rule->pattern_re, /* the compiled pattern */ ++ (PCRE2_SPTR)name, /* the subject string */ ++ name_len, /* the length of the subject */ ++ 0, /* start at offset 0 in the subject */ ++ 0, /* default options */ ++ rule->pattern_re_match_data, /* block for storing the result */ ++ NULL /* use default match context */ ++ ) >= 0) + return rule; + } + +@@ -127,7 +154,13 @@ free_rule(rule_t *rule) + return; + + ss_free(rule->pattern); +- if (rule->pattern_re != NULL) +- pcre_free(rule->pattern_re); ++ if (rule->pattern_re != NULL) { ++ pcre2_code_free(rule->pattern_re); /* data and the compiled pattern. */ ++ rule->pattern_re = NULL; ++ } ++ if (rule->pattern_re_match_data != NULL) { ++ pcre2_match_data_free(rule->pattern_re_match_data); /* Release memory used for the match */ ++ rule->pattern_re_match_data = NULL; ++ } + ss_free(rule); + } +--- a/src/rule.h ++++ b/src/rule.h +@@ -1,6 +1,7 @@ + /* + * Copyright (c) 2011 and 2012, Dustin Lundquist + * Copyright (c) 2011 Manuel Kasper ++ * Copyright (c) 2017 Syrone Wong + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -33,17 +34,27 @@ + + #include + +-#ifdef HAVE_PCRE_H +-#include +-#elif HAVE_PCRE_PCRE_H +-#include +-#endif ++/* ++ * The PCRE2_CODE_UNIT_WIDTH macro must be defined before including pcre2.h. ++ * For a program that uses only one code unit width, setting it to 8, 16, or 32 ++ * makes it possible to use generic function names such as pcre2_compile(). Note ++ * that just changing 8 to 16 (for example) is not sufficient to convert this ++ * program to process 16-bit characters. Even in a fully 16-bit environment, where ++ * string-handling functions such as strcmp() and printf() work with 16-bit ++ * characters, the code for handling the table of named substrings will still need ++ * to be modified. ++ */ ++/* we only need to support ASCII chartable, thus set it to 8 */ ++#define PCRE2_CODE_UNIT_WIDTH 8 ++ ++#include + + typedef struct rule { + char *pattern; + + /* Runtime fields */ +- pcre *pattern_re; ++ pcre2_code *pattern_re; ++ pcre2_match_data *pattern_re_match_data; + + struct cork_dllist_item entries; + } rule_t; diff --git a/shadowsocks-libev/patches/101-fix-mbedtls3.6-build.patch b/shadowsocks-libev/patches/101-fix-mbedtls3.6-build.patch new file mode 100644 index 00000000000..4e7f79f7a52 --- /dev/null +++ b/shadowsocks-libev/patches/101-fix-mbedtls3.6-build.patch @@ -0,0 +1,198 @@ +From c2bdb9847e374331a4f1c8fcd3d93e0b57d4c6fc Mon Sep 17 00:00:00 2001 +From: Zxl hhyccc +Date: Sun, 7 Jul 2024 17:08:27 +0800 +Subject: [PATCH] Fix in 'mbedtls 3.6.0 ver' compilation failure issue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +*** The added patch is available in 'mbedtls 3.6 version'. + +*** fix *clen += tlen; may cause potential bounds error. + +Co-authored-by: Lu jicong +Signed-off-by: Zxl hhyccc +--- + m4/mbedtls.m4 | 20 +++++++++++++++++++ + src/aead.c | 17 ++++++++++++++++ + src/crypto.c | 2 +- + src/stream.c | 17 ++++++++++++++++ + + 4 files changed, 55 insertions(+), 1 deletion(-) + +--- a/m4/mbedtls.m4 ++++ b/m4/mbedtls.m4 +@@ -31,7 +31,12 @@ AC_DEFUN([ss_MBEDTLS], + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ ++#include ++#if MBEDTLS_VERSION_NUMBER >= 0x03000000 ++#include ++#else + #include ++#endif + ]], + [[ + #ifndef MBEDTLS_CIPHER_MODE_CFB +@@ -48,7 +53,12 @@ AC_DEFUN([ss_MBEDTLS], + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ ++#include ++#if MBEDTLS_VERSION_NUMBER >= 0x03000000 ++#include ++#else + #include ++#endif + ]], + [[ + #ifndef MBEDTLS_ARC4_C +@@ -64,7 +74,12 @@ AC_DEFUN([ss_MBEDTLS], + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ ++#include ++#if MBEDTLS_VERSION_NUMBER >= 0x03000000 ++#include ++#else + #include ++#endif + ]], + [[ + #ifndef MBEDTLS_BLOWFISH_C +@@ -80,7 +95,12 @@ AC_DEFUN([ss_MBEDTLS], + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ ++#include ++#if MBEDTLS_VERSION_NUMBER >= 0x03000000 ++#include ++#else + #include ++#endif + ]], + [[ + #ifndef MBEDTLS_CAMELLIA_C +--- a/src/aead.c ++++ b/src/aead.c +@@ -178,9 +178,14 @@ aead_cipher_encrypt(cipher_ctx_t *cipher + case AES192GCM: + case AES128GCM: + ++#if MBEDTLS_VERSION_NUMBER < 0x03000000 + err = mbedtls_cipher_auth_encrypt(cipher_ctx->evp, n, nlen, ad, adlen, + m, mlen, c, clen, c + mlen, tlen); + *clen += tlen; ++#else ++ err = mbedtls_cipher_auth_encrypt_ext(cipher_ctx->evp, n, nlen, ad, adlen, ++ m, mlen, c, mlen + tlen, clen, tlen); ++#endif + break; + case CHACHA20POLY1305IETF: + err = crypto_aead_chacha20poly1305_ietf_encrypt(c, &long_clen, m, mlen, +@@ -226,8 +231,13 @@ aead_cipher_decrypt(cipher_ctx_t *cipher + // Otherwise, just use the mbedTLS one with crappy AES-NI. + case AES192GCM: + case AES128GCM: ++#if MBEDTLS_VERSION_NUMBER < 0x03000000 + err = mbedtls_cipher_auth_decrypt(cipher_ctx->evp, n, nlen, ad, adlen, + m, mlen - tlen, p, plen, m + mlen - tlen, tlen); ++#else ++ err = mbedtls_cipher_auth_decrypt_ext(cipher_ctx->evp, n, nlen, ad, adlen, ++ m, mlen, p, mlen - tlen, plen, tlen); ++#endif + break; + case CHACHA20POLY1305IETF: + err = crypto_aead_chacha20poly1305_ietf_decrypt(p, &long_plen, NULL, m, mlen, +@@ -724,9 +734,26 @@ aead_key_init(int method, const char *pa + if (method >= CHACHA20POLY1305IETF) { + cipher_kt_t *cipher_info = (cipher_kt_t *)ss_malloc(sizeof(cipher_kt_t)); + cipher->info = cipher_info; ++#if MBEDTLS_VERSION_NUMBER < 0x03000000 + cipher->info->base = NULL; + cipher->info->key_bitlen = supported_aead_ciphers_key_size[method] * 8; + cipher->info->iv_size = supported_aead_ciphers_nonce_size[method]; ++#else ++ cipher->info->private_base_idx = 0; ++ ++#ifdef MBEDTLS_KEY_BITLEN_SHIFT ++ cipher->info->private_key_bitlen = supported_aead_ciphers_key_size[method] * 8 >> MBEDTLS_KEY_BITLEN_SHIFT; ++#else ++ cipher->info->private_key_bitlen = supported_aead_ciphers_key_size[method] * 8; ++#endif ++ ++#ifdef MBEDTLS_IV_SIZE_SHIFT ++ cipher->info->private_iv_size = supported_aead_ciphers_nonce_size[method] >> MBEDTLS_IV_SIZE_SHIFT; ++#else ++ cipher->info->private_iv_size = supported_aead_ciphers_nonce_size[method]; ++#endif ++ ++#endif + } else { + cipher->info = (cipher_kt_t *)aead_get_cipher_type(method); + } +--- a/src/crypto.c ++++ b/src/crypto.c +@@ -103,7 +103,7 @@ crypto_md5(const unsigned char *d, size_ + if (md == NULL) { + md = m; + } +-#if MBEDTLS_VERSION_NUMBER >= 0x02070000 ++#if MBEDTLS_VERSION_NUMBER < 0x03000000 && MBEDTLS_VERSION_NUMBER >= 0x02070000 + if (mbedtls_md5_ret(d, n, md) != 0) + FATAL("Failed to calculate MD5"); + #else +--- a/src/stream.c ++++ b/src/stream.c +@@ -174,7 +174,11 @@ cipher_nonce_size(const cipher_t *cipher + if (cipher == NULL) { + return 0; + } ++#if MBEDTLS_VERSION_NUMBER < 0x03000000 + return cipher->info->iv_size; ++#else ++ return (int)mbedtls_cipher_info_get_iv_size(cipher->info); ++#endif + } + + int +@@ -192,7 +196,11 @@ cipher_key_size(const cipher_t *cipher) + return 0; + } + /* From Version 1.2.7 released 2013-04-13 Default Blowfish keysize is now 128-bits */ ++#if MBEDTLS_VERSION_NUMBER < 0x03000000 + return cipher->info->key_bitlen / 8; ++#else ++ return (int)mbedtls_cipher_info_get_key_bitlen(cipher->info) / 8; ++#endif + } + + const cipher_kt_t * +@@ -645,9 +653,26 @@ stream_key_init(int method, const char * + if (method == SALSA20 || method == CHACHA20 || method == CHACHA20IETF) { + cipher_kt_t *cipher_info = (cipher_kt_t *)ss_malloc(sizeof(cipher_kt_t)); + cipher->info = cipher_info; ++#if MBEDTLS_VERSION_NUMBER < 0x03000000 + cipher->info->base = NULL; + cipher->info->key_bitlen = supported_stream_ciphers_key_size[method] * 8; + cipher->info->iv_size = supported_stream_ciphers_nonce_size[method]; ++#else ++ cipher->info->private_base_idx = 0; ++ ++#ifdef MBEDTLS_KEY_BITLEN_SHIFT ++ cipher->info->private_key_bitlen = supported_stream_ciphers_key_size[method] * 8 >> MBEDTLS_KEY_BITLEN_SHIFT; ++#else ++ cipher->info->private_key_bitlen = supported_stream_ciphers_key_size[method] * 8; ++#endif ++ ++#ifdef MBEDTLS_IV_SIZE_SHIFT ++ cipher->info->private_iv_size = supported_stream_ciphers_nonce_size[method] >> MBEDTLS_IV_SIZE_SHIFT; ++#else ++ cipher->info->private_iv_size = supported_stream_ciphers_nonce_size[method]; ++#endif ++ ++#endif + } else { + cipher->info = (cipher_kt_t *)stream_get_cipher_type(method); + }