From 30d288db002f4d46fe34d5d2f2f4298f7e6d9011 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 11 Sep 2023 14:52:04 +0800 Subject: [PATCH] update 2023-09-11 14:52:04 --- alac/Makefile | 59 + ariang/Makefile | 2 +- base-files/Makefile | 13 + base-files/files/bin/config_generate | 9 + base-files/files/bin/ipcalc.sh | 52 +- base-files/files/etc/init.d/led | 6 +- base-files/files/etc/init.d/sysfixtime | 22 +- base-files/files/etc/sysctl.d/10-default.conf | 1 + base-files/files/lib/functions/network.sh | 14 + base-files/files/lib/functions/system.sh | 58 +- .../files/lib/functions/uci-defaults.sh | 25 +- .../files/lib/preinit/10_indicate_preinit | 41 + base-files/files/lib/preinit/30_failsafe_wait | 60 +- .../files/lib/preinit/99_10_failsafe_login | 15 +- base-files/files/lib/upgrade/common.sh | 33 +- base-files/files/lib/upgrade/emmc.sh | 2 +- base-files/files/lib/upgrade/nand.sh | 498 +-- base-files/files/lib/upgrade/stage2 | 4 +- base-files/files/sbin/wifi | 27 +- base-files/image-config.in | 9 +- btop/Makefile | 59 + btop/files/btop.sh | 1 + btop/test.sh | 3 + coremark/Makefile | 10 +- cxxopts/Makefile | 44 + ddns-scripts/Makefile | 65 +- .../usr/lib/ddns/dynamic_dns_functions.sh | 71 +- .../usr/lib/ddns/dynamic_dns_lucihelper.sh | 8 +- .../files/usr/lib/ddns/dynamic_dns_updater.sh | 77 +- .../files/usr/lib/ddns/update_gandi_net.sh | 13 +- .../files/usr/lib/ddns/update_gcp_v1.sh | 272 ++ .../files/usr/lib/ddns/update_luadns_v1.sh | 191 ++ .../files/usr/lib/ddns/update_pdns.sh | 13 +- .../usr/share/ddns/default/able.or.kr.json | 6 - .../ddns/default/cloud.google.com-v1.json | 10 + .../usr/share/ddns/default/dtdns.com.json | 6 - .../usr/share/ddns/default/dyndnss.net.json | 6 - .../usr/share/ddns/default/dynsip.org.json | 6 - .../usr/share/ddns/default/easydns.com.json | 4 + .../usr/share/ddns/default/editdns.net.json | 6 - .../usr/share/ddns/default/hosting.de.json | 11 + .../usr/share/ddns/default/luadns.com-v1.json | 9 + .../usr/share/ddns/default/myip.co.ua.json | 
7 - .../ddns/default/mythic-beasts.com-v2.json | 9 + .../usr/share/ddns/default/nettica.com.json | 6 - .../files/usr/share/ddns/default/njal.la.json | 9 + .../usr/share/ddns/default/simply.com.json | 11 + .../usr/share/ddns/default/strato.com.json | 4 + .../usr/share/ddns/default/zerigo.com.json | 11 - .../files/usr/share/ddns/default/zzzz.io.json | 11 - ddns-scripts/files/usr/share/ddns/list | 13 +- dnsmasq/Makefile | 25 +- dnsmasq/files/50-dnsmasq-migrate-ipset.sh | 32 + dnsmasq/files/dhcp.conf | 4 + dnsmasq/files/dnsmasq.init | 70 +- ...rite-after-free-error-in-DHCPv6-code.patch | 179 -- ...00-remove-old-runtime-kernel-support.patch | 8 +- dnsmasq/patches/200-ubus_dns.patch | 6 +- firewall/Makefile | 4 +- firewall/files/firewall.config | 2 +- firewall4/Makefile | 8 +- fullconenat-nft/Makefile | 50 + fullconenat/Makefile | 71 + fullconenat/patches/000-printk.patch | 16 + fullconenat/src/Makefile | 12 + homeredirect/Makefile | 80 + homeredirect/files/etc/config/homeredirect | 38 + .../files/etc/homeredirect/firewall.include | 1 + homeredirect/files/etc/homeredirect/script.sh | 45 + homeredirect/files/etc/init.d/homeredirect | 140 + libdouble-conversion/Makefile | 60 + libtorrent-rasterbar/Makefile | 91 + luci-app-homeredirect/Makefile | 18 + .../luasrc/controller/homeredirect.lua | 62 + .../model/cbi/homeredirect/settings.lua | 62 + .../luasrc/view/homeredirect/index.htm | 38 + .../po/zh-cn/homeredirect.po | 44 + luci-app-homeredirect/po/zh_Hans | 1 + .../root/etc/config/homeredirect_show | 0 .../etc/uci-defaults/luci-app-homeredirect | 19 + .../rpcd/acl.d/luci-app-homeredirect.json | 11 + luci-app-watchcat/po/lt/watchcat.po | 200 ++ mbedtls/Config.in | 203 -- mbedtls/Makefile | 167 - .../100-x509-crt-verify-SAN-iPAddress.patch | 197 -- mbedtls/patches/101-remove-test.patch | 15 - ...and-GCM-with-ARMv8-Crypto-Extensions.patch | 390 --- {miniupnpd => miniupnpd-iptables}/Makefile | 0 .../files/firewall.include | 0 .../files/miniupnpd.defaults | 0 
.../files/miniupnpd.hotplug | 0 .../files/miniupnpd.init | 0 .../files/upnpd.config | 0 .../patches/100-no-daemon.patch | 0 .../patches/101-no-ssl-uuid.patch | 0 .../patches/102-ipv6-ext-port.patch | 0 .../patches/103-no-ipv6-autodetection.patch | 0 .../patches/104-always-libuuid.patch | 0 .../patches/105-build-with-kernel-5.4.patch | 0 .../patches/106-spam-syslog-ignoring.patch | 0 netdata/Makefile | 8 +- nginx/Config_ssl.in | 74 +- nginx/Makefile | 261 +- .../files-luci-support/60_nginx-luci-support | 8 +- nginx/files/nginx.init | 40 + .../lua-nginx/100-no_by_lua_block.patch | 177 +- .../patches/nginx/101-feature_test_fix.patch | 8 +- .../nginx/201-ignore-invalid-options.patch | 2 +- openssl/Config.in | 84 +- openssl/Makefile | 84 +- openssl/engine.mk | 46 - openssl/files/afalg.cnf | 2 +- openssl/files/devcrypto.cnf | 13 +- openssl/files/legacy.cnf | 3 + openssl/files/openssl.init | 79 +- openssl/files/padlock.cnf | 2 +- ...m-ppc-xlate.pl-add-linux64v2-flavour.patch | 55 - .../patches/100-Configure-afalg-support.patch | 2 +- openssl/patches/110-openwrt_targets.patch | 8 +- .../120-strip-cflags-from-binary.patch | 8 +- .../patches/130-dont-build-fuzz-docs.patch | 20 + .../patches/130-dont-build-tests-fuzz.patch | 29 - .../patches/140-allow-prefer-chacha20.patch | 60 +- .../150-openssl.cnf-add-engines-conf.patch | 32 +- ...o-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch | 58 - ..._devcrypto-add-configuration-options.patch | 566 ---- ...ypto-add-command-to-dump-driver-info.patch | 273 -- ...o-make-the-dev-crypto-engine-dynamic.patch | 2718 ----------------- ...default-to-not-use-digests-in-engine.patch | 4 +- ...to-ignore-error-when-closing-session.patch | 4 +- opkg/Makefile | 5 +- ppp/Makefile | 6 +- ppp/files/ppp.sh | 18 +- qt6base/Makefile | 215 ++ qt6base/patches/010-marco.patch | 12 + rp-pppoe/Makefile | 6 +- rp-pppoe/patches/110-Makefile.patch | 2 +- rp-pppoe/patches/130-static-lib-fix.patch | 2 +- tailscale/Makefile | 46 +- tailscale/README.md | 5 + 
tailscale/patches/010-fake_iptables.patch | 53 + .../020-tailscaled_fake_iptables.patch | 32 + .../030-default_to_netfilter_off.patch | 11 + tailscale/test.sh | 14 +- transmission-web-control/Makefile | 6 +- uwsgi/Makefile | 53 +- uwsgi/files-luci-support/luci-cgi_io.ini | 2 +- uwsgi/files-luci-support/luci-webui.ini | 2 +- ...03-hard-code-Linux-as-compilation-os.patch | 2 +- wireless-regdb/Makefile | 32 + .../patches/500-world-regd-5GHz.patch | 16 + .../600-custom-change-txpower-and-dfs.patch | 30 + 152 files changed, 3778 insertions(+), 5811 deletions(-) create mode 100644 alac/Makefile create mode 100644 btop/Makefile create mode 100644 btop/files/btop.sh create mode 100644 btop/test.sh create mode 100644 cxxopts/Makefile create mode 100755 ddns-scripts/files/usr/lib/ddns/update_gcp_v1.sh create mode 100644 ddns-scripts/files/usr/lib/ddns/update_luadns_v1.sh delete mode 100644 ddns-scripts/files/usr/share/ddns/default/able.or.kr.json create mode 100644 ddns-scripts/files/usr/share/ddns/default/cloud.google.com-v1.json delete mode 100644 ddns-scripts/files/usr/share/ddns/default/dtdns.com.json delete mode 100644 ddns-scripts/files/usr/share/ddns/default/dyndnss.net.json delete mode 100644 ddns-scripts/files/usr/share/ddns/default/dynsip.org.json delete mode 100644 ddns-scripts/files/usr/share/ddns/default/editdns.net.json create mode 100644 ddns-scripts/files/usr/share/ddns/default/hosting.de.json create mode 100644 ddns-scripts/files/usr/share/ddns/default/luadns.com-v1.json delete mode 100644 ddns-scripts/files/usr/share/ddns/default/myip.co.ua.json create mode 100644 ddns-scripts/files/usr/share/ddns/default/mythic-beasts.com-v2.json delete mode 100644 ddns-scripts/files/usr/share/ddns/default/nettica.com.json create mode 100644 ddns-scripts/files/usr/share/ddns/default/njal.la.json create mode 100644 ddns-scripts/files/usr/share/ddns/default/simply.com.json delete mode 100644 ddns-scripts/files/usr/share/ddns/default/zerigo.com.json delete mode 100644 
ddns-scripts/files/usr/share/ddns/default/zzzz.io.json create mode 100755 dnsmasq/files/50-dnsmasq-migrate-ipset.sh delete mode 100644 dnsmasq/patches/001-CVE-2022-0934-Fix-write-after-free-error-in-DHCPv6-code.patch create mode 100644 fullconenat-nft/Makefile create mode 100644 fullconenat/Makefile create mode 100644 fullconenat/patches/000-printk.patch create mode 100644 fullconenat/src/Makefile create mode 100644 homeredirect/Makefile create mode 100644 homeredirect/files/etc/config/homeredirect create mode 100644 homeredirect/files/etc/homeredirect/firewall.include create mode 100644 homeredirect/files/etc/homeredirect/script.sh create mode 100644 homeredirect/files/etc/init.d/homeredirect create mode 100644 libdouble-conversion/Makefile create mode 100644 libtorrent-rasterbar/Makefile create mode 100644 luci-app-homeredirect/Makefile create mode 100644 luci-app-homeredirect/luasrc/controller/homeredirect.lua create mode 100644 luci-app-homeredirect/luasrc/model/cbi/homeredirect/settings.lua create mode 100644 luci-app-homeredirect/luasrc/view/homeredirect/index.htm create mode 100644 luci-app-homeredirect/po/zh-cn/homeredirect.po create mode 120000 luci-app-homeredirect/po/zh_Hans create mode 100644 luci-app-homeredirect/root/etc/config/homeredirect_show create mode 100644 luci-app-homeredirect/root/etc/uci-defaults/luci-app-homeredirect create mode 100644 luci-app-homeredirect/root/usr/share/rpcd/acl.d/luci-app-homeredirect.json create mode 100644 luci-app-watchcat/po/lt/watchcat.po delete mode 100644 mbedtls/Config.in delete mode 100644 mbedtls/Makefile delete mode 100644 mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch delete mode 100644 mbedtls/patches/101-remove-test.patch delete mode 100644 mbedtls/patches/200-Implements-AES-and-GCM-with-ARMv8-Crypto-Extensions.patch rename {miniupnpd => miniupnpd-iptables}/Makefile (100%) rename {miniupnpd => miniupnpd-iptables}/files/firewall.include (100%) rename {miniupnpd => 
miniupnpd-iptables}/files/miniupnpd.defaults (100%) rename {miniupnpd => miniupnpd-iptables}/files/miniupnpd.hotplug (100%) rename {miniupnpd => miniupnpd-iptables}/files/miniupnpd.init (100%) rename {miniupnpd => miniupnpd-iptables}/files/upnpd.config (100%) rename {miniupnpd => miniupnpd-iptables}/patches/100-no-daemon.patch (100%) rename {miniupnpd => miniupnpd-iptables}/patches/101-no-ssl-uuid.patch (100%) rename {miniupnpd => miniupnpd-iptables}/patches/102-ipv6-ext-port.patch (100%) rename {miniupnpd => miniupnpd-iptables}/patches/103-no-ipv6-autodetection.patch (100%) rename {miniupnpd => miniupnpd-iptables}/patches/104-always-libuuid.patch (100%) rename {miniupnpd => miniupnpd-iptables}/patches/105-build-with-kernel-5.4.patch (100%) rename {miniupnpd => miniupnpd-iptables}/patches/106-spam-syslog-ignoring.patch (100%) delete mode 100644 openssl/engine.mk create mode 100644 openssl/files/legacy.cnf delete mode 100644 openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch create mode 100644 openssl/patches/130-dont-build-fuzz-docs.patch delete mode 100644 openssl/patches/130-dont-build-tests-fuzz.patch delete mode 100644 openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch delete mode 100644 openssl/patches/410-eng_devcrypto-add-configuration-options.patch delete mode 100644 openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch delete mode 100644 openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch create mode 100644 qt6base/Makefile create mode 100644 qt6base/patches/010-marco.patch create mode 100644 tailscale/patches/010-fake_iptables.patch create mode 100644 tailscale/patches/020-tailscaled_fake_iptables.patch create mode 100644 tailscale/patches/030-default_to_netfilter_off.patch mode change 100644 => 100755 tailscale/test.sh create mode 100644 wireless-regdb/Makefile create mode 100644 wireless-regdb/patches/500-world-regd-5GHz.patch create mode 100644 
wireless-regdb/patches/600-custom-change-txpower-and-dfs.patch
diff --git a/alac/Makefile b/alac/Makefile
new file mode 100644
index 000000000..bb6394922
--- /dev/null
+++ b/alac/Makefile
@@ -0,0 +1,59 @@
+# SPDX-Identifier-License: GPL-3.0-only
+#
+# Copyright (C) 2020 Lean
+# Copyright (C) 2021 ImmortalWrt.org
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=alac
+PKG_VERSION:=0.0.7
+PKG_RELEASE:=2
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/mikebrady/alac.git
+PKG_SOURCE_DATE:=2019-02-13
+PKG_SOURCE_VERSION:=5d6d836ee5b025a5e538cfa62c88bc5bced506ed
+PKG_MIRROR_HASH:=16da90956fb0ef41bb5d0089a543e08122c958afea69629dfa34ebdf00870a07
+
+PKG_LICENSE:=Apache-2.0
+PKG_LICENSE_FILES:=LICENSE
+PKG_MAINTAINER:=Tianling Shen
+
+PKG_FIXUP:=autoreconf
+PKG_REMOVE_FILES:=autogen.sh
+PKG_BUILD_PARALLEL:=1
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/libalac
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=The Apple Lossless Audio Codec Library
+ URL:=https://github.com/mikebrady/alac
+ DEPENDS:=+libstdcpp
+endef
+
+define Package/libalac/description
+ The Apple Lossless Audio Codec (ALAC) is an audio codec developed by
+ Apple and supported on iPhone, iPad, most iPods, Mac and iTunes.
+ ALAC is a data compression method which reduces the size of audio
+ files with no loss of information. A decoded ALAC stream is
+ bit-for-bit identical to the original uncompressed audio file.
+endef
+
+define Build/InstallDev
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libalac.so* $(1)/usr/lib/
+ $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/alac.pc $(1)/usr/lib/pkgconfig/
+ $(INSTALL_DIR) $(1)/usr/include
+ $(CP) $(PKG_INSTALL_DIR)/usr/include/alac $(1)/usr/include/
+endef
+
+define Package/libalac/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libalac.so* $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,libalac))
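Review bot: The SPDX tag on the first line is malformed: `# SPDX-Identifier-License: GPL-3.0-only` reverses the standard token order, so license scanners will not recognise it, and it should read `# SPDX-License-Identifier: GPL-3.0-only`. That header licenses the Makefile itself while `PKG_LICENSE:=Apache-2.0` describes the upstream library, so the two differing is expected and not a defect. On the supply-chain side the source is pinned to a commit in `PKG_SOURCE_VERSION` and covered by `PKG_MIRROR_HASH`, which is the right shape; keep both updated together on any bump.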
diff --git a/ariang/Makefile b/ariang/Makefile index af89ca8af..4787a0e0b 100644 --- a/ariang/Makefile +++ b/ariang/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ariang PKG_VERSION:=1.3.2 -PKG_RELEASE:=$(AUTORELEASE) +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip PKG_SOURCE_URL:=https://github.com/mayswind/AriaNg/releases/download/$(PKG_VERSION) diff --git a/base-files/Makefile b/base-files/Makefile index 914f0598f..8732f82fb 100644 --- a/base-files/Makefile +++ b/base-files/Makefile @@ -89,6 +89,19 @@ define ImageConfigOptions echo 'pi_preinit_net_messages="$(CONFIG_TARGET_PREINIT_SHOW_NETMSG)"' >>$(1)/lib/preinit/00_preinit.conf echo 'pi_preinit_no_failsafe_netmsg="$(CONFIG_TARGET_PREINIT_SUPPRESS_FAILSAFE_NETMSG)"' >>$(1)/lib/preinit/00_preinit.conf echo 'pi_preinit_no_failsafe="$(CONFIG_TARGET_PREINIT_DISABLE_FAILSAFE)"' >>$(1)/lib/preinit/00_preinit.conf +ifeq ($(CONFIG_TARGET_DEFAULT_LAN_IP_FROM_PREINIT),y) + mkdir -p $(1)/etc/board.d + echo '. /lib/functions/uci-defaults.sh' >$(1)/etc/board.d/99-lan-ip + echo 'logger -t 99-lan-ip "setting custom default LAN IP"' >>$(1)/etc/board.d/99-lan-ip + echo 'board_config_update' >>$(1)/etc/board.d/99-lan-ip + echo 'json_select network' >>$(1)/etc/board.d/99-lan-ip + echo 'json_select lan' >>$(1)/etc/board.d/99-lan-ip + echo 'json_add_string ipaddr $(if $(CONFIG_TARGET_PREINIT_IP),$(CONFIG_TARGET_PREINIT_IP),"192.168.1.1")' >>$(1)/etc/board.d/99-lan-ip + echo 'json_add_string netmask $(if $(CONFIG_TARGET_PREINIT_NETMASK),$(CONFIG_TARGET_PREINIT_NETMASK),"255.255.255.0")' >>$(1)/etc/board.d/99-lan-ip + echo 'json_select ..' >>$(1)/etc/board.d/99-lan-ip + echo 'json_select ..' >>$(1)/etc/board.d/99-lan-ip + echo 'board_config_flush' >>$(1)/etc/board.d/99-lan-ip +endif endef define Build/Prepare diff --git a/base-files/files/bin/config_generate b/base-files/files/bin/config_generate index 38362813d..be21d0079 100755 --- a/base-files/files/bin/config_generate 
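Review bot: The generated `/etc/board.d/99-lan-ip` writes `$(CONFIG_TARGET_PREINIT_IP)` and `$(CONFIG_TARGET_PREINIT_NETMASK)` into the script verbatim, and nothing in this `ifeq` block checks that they look like dotted-quad addresses, so a typo in `.config` silently produces a first-boot LAN interface with an unusable address rather than a build error. The values are presumably Kconfig strings that already carry their own double quotes, which is why only the fallbacks `"192.168.1.1"` and `"255.255.255.0"` are quoted here; a one-line comment stating that assumption would stop the next reader from "fixing" the quoting: `# CONFIG_TARGET_PREINIT_IP/NETMASK are Kconfig strings and arrive already double-quoted`. A build-time `$(error …)` guard on malformed values would turn a silent misconfiguration into a failed build.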
+++ b/base-files/files/bin/config_generate @@ -207,6 +207,15 @@ generate_network() { EOF } ;; + + ncm|\ + qmi|\ + mbim) + uci -q batch <<-EOF + set network.$1.proto='${protocol}' + set network.$1.pdptype='ipv4' + EOF + ;; esac } diff --git a/base-files/files/bin/ipcalc.sh b/base-files/files/bin/ipcalc.sh index 5d5eac3ea..56854b410 100755 --- a/base-files/files/bin/ipcalc.sh +++ b/base-files/files/bin/ipcalc.sh @@ -1,6 +1,5 @@ -#!/bin/sh +#!/usr/bin/awk -f -awk -f - $* <limit) end=limit - print "IP="int2ip(ipaddr) print "NETMASK="int2ip(netmask) print "BROADCAST="int2ip(broadcast) print "NETWORK="int2ip(network) - print "PREFIX="32-bitcount(compl32(netmask)) + print "PREFIX="prefix # range calculations: # ipcalc - if (ARGC > 3) { - print "START="int2ip(start) - print "END="int2ip(end) + if (ARGC <= 3) + exit(0) + + start=or(network,and(ip2int(ARGV[3]),compl32(netmask))) + limit=network+1 + if (startlimit) end=limit + if (end==ipaddr) end=ipaddr-1 + + if (start>end) { + print "network ("int2ip(network)"/"prefix") too small" > "/dev/stderr" + exit(1) } + + if (ipaddr > start && ipaddr < end) { + print "ipaddr inside range" > "/dev/stderr" + exit(1) + } + + print "START="int2ip(start) + print "END="int2ip(end) } -EOF diff --git a/base-files/files/etc/init.d/led b/base-files/files/etc/init.d/led index 51cb8b517..08a1e6df3 100755 --- a/base-files/files/etc/init.d/led +++ b/base-files/files/etc/init.d/led @@ -29,7 +29,7 @@ load_led() { config_get delay $1 delay "150" config_get message $1 message "" config_get gpio $1 gpio "0" - config_get inverted $1 inverted "0" + config_get_bool inverted $1 inverted "0" # execute application led trigger [ -f "/usr/libexec/led-trigger/${trigger}" ] && { @@ -69,6 +69,10 @@ load_led() { return 1 } case "$trigger" in + "heartbeat") + echo "${inverted}" > "/sys/class/leds/${sysfs}/invert" + ;; + "netdev") [ -n "$dev" ] && { echo $dev > /sys/class/leds/${sysfs}/device_name 
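Review bot: The new `ncm|qmi|mbim` arm pins `pdptype='ipv4'` with no explanation, so a reader cannot tell whether this is a policy of IPv4-only WWAN by default or a workaround for particular modems. A why-comment on the `set network.$1.pdptype='ipv4'` line is needed, e.g. `# default WWAN to an IPv4-only PDP context; adjust pdptype in /etc/config/network if the proto handler supports dual-stack`. The enclosing `generate_network` function starts outside the hunk.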
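Review bot: The overlap check `if (ipaddr > start && ipaddr < end)` leaves `ipaddr == start` uncaught: the preceding `if (end==ipaddr) end=ipaddr-1` only trims the range when the interface address is the last pool entry, so when it is the first entry the script prints `START=` equal to the interface's own address instead of erroring or stepping past it. Unless a pool that begins at the interface address is intended, either include the boundary, `if (ipaddr >= start && ipaddr < end)`, or step past it symmetrically with `if (start==ipaddr) start=ipaddr+1` before the `start>end` check. Several lines of this hunk appear garbled by extraction (for example `if (startlimit)`), so the exact surrounding comparisons should be confirmed against the file.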
diff --git a/base-files/files/etc/init.d/sysfixtime b/base-files/files/etc/init.d/sysfixtime index aab5b153d..93f792266 100755 --- a/base-files/files/etc/init.d/sysfixtime +++ b/base-files/files/etc/init.d/sysfixtime @@ -8,23 +8,33 @@ RTC_DEV=/dev/rtc0 HWCLOCK=/sbin/hwclock boot() { - start && exit 0 - - local maxtime="$(maxtime)" + hwclock_load + local maxtime="$(find_max_time)" local curtime="$(date +%s)" - [ $curtime -lt $maxtime ] && date -s @$maxtime + if [ $curtime -lt $maxtime ]; then + date -s @$maxtime + hwclock_save + fi } start() { - [ -e "$RTC_DEV" ] && [ -e "$HWCLOCK" ] && $HWCLOCK -s -u -f $RTC_DEV + hwclock_load } stop() { + hwclock_save +} + +hwclock_load() { + [ -e "$RTC_DEV" ] && [ -e "$HWCLOCK" ] && $HWCLOCK -s -u -f $RTC_DEV +} + +hwclock_save(){ [ -e "$RTC_DEV" ] && [ -e "$HWCLOCK" ] && $HWCLOCK -w -u -f $RTC_DEV && \ logger -t sysfixtime "saved '$(date)' to $RTC_DEV" } -maxtime() { +find_max_time() { local file newest for file in $( find /etc -type f ) ; do diff --git a/base-files/files/etc/sysctl.d/10-default.conf b/base-files/files/etc/sysctl.d/10-default.conf index bc8c57969..ee7df2bfa 100644 --- a/base-files/files/etc/sysctl.d/10-default.conf +++ b/base-files/files/etc/sysctl.d/10-default.conf @@ -9,6 +9,7 @@ fs.protected_hardlinks=1 fs.protected_symlinks=1 net.core.bpf_jit_enable=1 +net.core.bpf_jit_kallsyms=1 net.ipv4.conf.default.arp_ignore=1 net.ipv4.conf.all.arp_ignore=1 diff --git a/base-files/files/lib/functions/network.sh b/base-files/files/lib/functions/network.sh index 055f18c11..4851a5817 100644 --- a/base-files/files/lib/functions/network.sh +++ b/base-files/files/lib/functions/network.sh 
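Review bot: `boot()` now calls `hwclock_save` after setting the clock from `find_max_time`, which is just the newest mtime under `/etc`, so that guessed time is written into the RTC and survives reboots. If any file in `/etc` carries a future mtime (a restored backup, a file touched on a host with a wrong clock), the RTC is moved permanently forward and, until something like NTP corrects it, certificate and signature validity checks on this device will presumably fail as not-yet-valid or expired. A why-comment on the `hwclock_save` call would at least record the trade-off: `# persist the mtime-derived guess so the next boot does not start at the epoch; a later time sync still has to correct it`. Note `find_max_time` continues past the end of the hunk.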
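Review bot: `net.core.bpf_jit_kallsyms=1` exports the addresses of JIT-compiled BPF images into `/proc/kallsyms`, which is a profiling convenience that also tells anyone with kallsyms access where executable, partly attacker-influenced code lives. The visible part of this file enables the JIT but sets nothing for `net.core.bpf_jit_harden` or `kernel.kptr_restrict`, so on a device that may run unprivileged BPF consumers the pairing deserves at least a comment and probably `net.core.bpf_jit_harden=1` next to it; I cannot see whether a later sysctl.d file adjusts these. A comment naming the consumer would let the next person decide whether the setting can go: `# exposes BPF JIT symbols for perf/bpftool; consider bpf_jit_harden alongside it`.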
@@ -90,6 +90,13 @@ network_get_prefix6() { __network_ifstatus "$1" "$2" "['ipv6-prefix'][0]['address','mask']" "/" } +# determine first IPv6 prefix assignment of given logical interface +# 1: destination variable +# 2: interface +network_get_prefix_assignment6() { + __network_ifstatus "$1" "$2" "['ipv6-prefix-assignment'][0]['address','mask']" "/" +} + # determine all IPv4 addresses of given logical interface # 1: destination variable # 2: interface @@ -187,6 +194,13 @@ network_get_prefixes6() { __network_ifstatus "$1" "$2" "['ipv6-prefix'][*]['address','mask']" "/ " } +# determine all IPv6 prefix assignments of given logical interface +# 1: destination variable +# 2: interface +network_get_prefix_assignments6() { + __network_ifstatus "$1" "$2" "['ipv6-prefix-assignment'][*]['address','mask']" "/ " +} + # determine IPv4 gateway of given logical interface # 1: destination variable # 2: interface diff --git a/base-files/files/lib/functions/system.sh b/base-files/files/lib/functions/system.sh index c17354d94..d06354b01 100644 --- a/base-files/files/lib/functions/system.sh +++ b/base-files/files/lib/functions/system.sh 
@@ -110,11 +110,41 @@ mtd_get_mac_encrypted_arcadyan() { [ -n "$mac_dirty" ] && macaddr_canonicalize "$mac_dirty" } +mtd_get_mac_encrypted_deco() { + local mtdname="$1" + + if ! [ -e "$mtdname" ]; then + echo "mtd_get_mac_encrypted_deco: file $mtdname not found!" >&2 + return + fi + + tplink_key="3336303032384339" + + key=$(dd if=$mtdname bs=1 skip=16 count=8 2>/dev/null | \ + uencrypt -n -d -k $tplink_key -c des-ecb | hexdump -v -n 8 -e '1/1 "%02x"') + + macaddr=$(dd if=$mtdname bs=1 skip=32 count=8 2>/dev/null | \ + uencrypt -n -d -k $key -c des-ecb | hexdump -v -n 6 -e '5/1 "%02x:" 1/1 "%02x"') + + echo $macaddr +} + +mtd_get_mac_uci_config_ubi() { + local volumename="$1" + + . /lib/upgrade/nand.sh + + local ubidev=$(nand_attach_ubi $CI_UBIPART) + local part=$(nand_find_volume $ubidev $volumename) + + cat "/dev/$part" | sed -n 's/^\s*option macaddr\s*'"'"'\?\([0-9A-F:]\+\)'"'"'\?/\1/Ip' +} + mtd_get_mac_text() { - local mtdname=$1 - local offset=$(($2)) + local mtdname="$1" + local offset=$((${2:-0})) + local length="${3:-17}" local part - local mac_dirty part=$(find_mtd_part "$mtdname") if [ -z "$part" ]; then @@ -122,15 +152,9 @@ mtd_get_mac_text() { return fi - if [ -z "$offset" ]; then - echo "mtd_get_mac_text: offset missing!" >&2 - return - fi + [ $((offset + length)) -le $(mtd_get_part_size "$mtdname") ] || return - mac_dirty=$(dd if="$part" bs=1 skip="$offset" count=17 2>/dev/null) - - # "canonicalize" mac - [ -n "$mac_dirty" ] && macaddr_canonicalize "$mac_dirty" + macaddr_canonicalize $(dd bs=1 if="$part" skip="$offset" count="$length" 2>/dev/null) } mtd_get_mac_binary() { 
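Review bot: `mtd_get_mac_encrypted_deco` assigns `tplink_key`, `key` and `macaddr` without `local`, and this file is a sourced library, so those names leak into and can overwrite variables of whatever board script calls it; `macaddr` in particular is a common name in such callers. One line fixes it: `local tplink_key key macaddr`. In the second hunk, `[ $((offset + length)) -le $(mtd_get_part_size "$mtdname") ] || return` raises a shell error instead of returning quietly if `mtd_get_part_size` prints nothing; capturing the size into a variable with a `:-0` default first keeps the failure path clean. The hard-coded DES-ECB key is presumably the vendor's fixed key for this partition layout rather than a secret, but saying so would stop it being flagged as a leaked credential: `# fixed vendor DES key that unwraps the per-device key stored at offset 16`.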
@@ -185,6 +209,14 @@ macaddr_add() { echo $oui:$nic } +macaddr_generate_from_mmc_cid() { + local mmc_dev=$1 + + local sd_hash=$(sha256sum /sys/class/block/$mmc_dev/device/cid) + local mac_base=$(macaddr_canonicalize "$(echo "${sd_hash}" | dd bs=1 count=12 2>/dev/null)") + echo "$(macaddr_unsetbit_mc "$(macaddr_setbit_la "${mac_base}")")" +} + macaddr_geteui() { local mac=$1 local sep=$2 @@ -264,3 +296,7 @@ macaddr_canonicalize() { printf "%02x:%02x:%02x:%02x:%02x:%02x" 0x${canon// / 0x} 2>/dev/null } + +dt_is_enabled() { + grep -q okay "/proc/device-tree/$1/status" +} diff --git a/base-files/files/lib/functions/uci-defaults.sh b/base-files/files/lib/functions/uci-defaults.sh index f96e645e7..a37e8cf82 100644 --- a/base-files/files/lib/functions/uci-defaults.sh +++ b/base-files/files/lib/functions/uci-defaults.sh @@ -96,7 +96,7 @@ ucidef_set_interfaces_lan_wan() { ucidef_set_bridge_device() { json_select_object bridge - json_add_string name "${1:switch0}" + json_add_string name "${1:-switch0}" json_select .. } @@ -114,6 +114,14 @@ ucidef_set_network_device_mac() { json_select .. } +ucidef_set_network_device_path() { + json_select_object "network_device" + json_select_object "$1" + json_add_string path "$2" + json_select .. + json_select .. +} + _ucidef_add_switch_port() { # inherited: $num $device $need_tag $want_untag $role $index $prev_role # inherited: $n_cpu $n_ports $n_vlan $cpu0 $cpu1 $cpu2 $cpu3 $cpu4 $cpu5 @@ -638,6 +646,21 @@ ucidef_set_ntpserver() { json_select .. } +ucidef_add_wlan() { + local path="$1"; shift + + ucidef_wlan_idx=${ucidef_wlan_idx:-0} + + json_select_object wlan + json_select_object "wl$ucidef_wlan_idx" + json_add_string path "$path" + json_add_fields "$@" + json_select .. + json_select .. + + ucidef_wlan_idx="$((ucidef_wlan_idx + 1))" +} + board_config_update() { json_init [ -f ${CFG} ] && json_load "$(cat ${CFG})" 
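Review bot: `dt_is_enabled` returns false when `/proc/device-tree/$1/status` does not exist, but in the device-tree binding an absent `status` property means the node is enabled, so callers will treat every node without an explicit status as disabled; it also misses the deprecated but still-valid `ok` spelling. A three-line body covers both while still failing for a node that is not present at all: `local st="/proc/device-tree/$1/status"`, `[ -d "/proc/device-tree/$1" ] || return 1`, `[ ! -e "$st" ] || grep -q '^ok' "$st"`. The property value is NUL-terminated in procfs, which is why an anchored prefix match rather than `-x` is suggested.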
diff --git a/base-files/files/lib/preinit/10_indicate_preinit b/base-files/files/lib/preinit/10_indicate_preinit index debb3d448..a8f7758c8 100644 --- a/base-files/files/lib/preinit/10_indicate_preinit +++ b/base-files/files/lib/preinit/10_indicate_preinit @@ -63,6 +63,20 @@ preinit_config_switch() { json_select .. } +preinit_config_port() { + local original + + local netdev="$1" + local path="$2" + + [ -d "/sys/devices/$path/net" ] || return + original="$(ls "/sys/devices/$path/net" | head -1)" + + [ "$netdev" = "$original" ] && return + + ip link set "$original" name "$netdev" +} + preinit_config_board() { /bin/board_detect /tmp/board.json @@ -73,6 +87,33 @@ preinit_config_board() { json_init json_load "$(cat /tmp/board.json)" + # Find the current highest eth* + max_eth=$(grep -o '^ *eth[0-9]*:' /proc/net/dev | tr -dc '[0-9]\n' | sort -n | tail -1) + # Find and move netdevs using eth*s we are configuring + json_get_keys keys "network_device" + for netdev in $keys; do + json_select "network_device" + json_select "$netdev" + json_get_vars path path + if [ -n "$path" -a -h "/sys/class/net/$netdev" ]; then + ip link set "$netdev" down + ip link set "$netdev" name eth$((++max_eth)) + fi + json_select .. + json_select .. + done + + # Move interfaces by path to their netdev name + json_get_keys keys "network_device" + for netdev in $keys; do + json_select "network_device" + json_select "$netdev" + json_get_vars path path + [ -n "$path" ] && preinit_config_port "$netdev" "$path" + json_select .. + json_select .. + done + json_select network json_select "lan" json_get_vars device diff --git a/base-files/files/lib/preinit/30_failsafe_wait b/base-files/files/lib/preinit/30_failsafe_wait index f90de71d4..9ab2e8bd4 100644 --- a/base-files/files/lib/preinit/30_failsafe_wait +++ b/base-files/files/lib/preinit/30_failsafe_wait 
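Review bot: The first loop parks every `network_device` that has a `path` and currently exists under `eth$((++max_eth))`, but `preinit_config_port` only renames a device back when `/sys/devices/$path/net` exists, so a `path` in board.json that does not match this hardware (a typo, or a board variant with a different bus layout) leaves the interface stranded under a fresh `ethN` name that nothing in the board config refers to. Checking the path before parking keeps the failure local: `if [ -n "$path" ] && [ -d "/sys/devices/$path/net" ] && [ -h "/sys/class/net/$netdev" ]; then`, which also drops the non-portable `-a` test operator. Separately, in `tr -dc '[0-9]\n'` the brackets are literal characters to `tr`; `tr -dc '0-9\n'` is what was meant, though both happen to work on `/proc/net/dev` output. `preinit_config_board` continues past the end of the hunk.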
@@ -40,35 +40,39 @@ fs_wait_for_key () { rm -f $keypress_wait } & - [ "$pi_preinit_no_failsafe" != "y" ] && echo "Press the [$1] key and hit [enter] $2" - echo "Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level" - # if we're on the console we wait for input - { - while [ -r $keypress_wait ]; do - timer="$(cat $keypress_sec)" + local consoles="$(sed -e 's/ /\n/g' /proc/cmdline | grep '^console=' | sed -e 's/^console=//' -e 's/,.*//')" + [ -n "$consoles" ] || consoles=console + for console in $consoles; do + [ -c "/dev/$console" ] || continue + [ "$pi_preinit_no_failsafe" != "y" ] && echo "Press the [$1] key and hit [enter] $2" > "/dev/$console" + echo "Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level" > "/dev/$console" + { + while [ -r $keypress_wait ]; do + timer="$(cat $keypress_sec)" - [ -n "$timer" ] || timer=1 - timer="${timer%%\ *}" - [ $timer -ge 1 ] || timer=1 - do_keypress="" - { - read -t "$timer" do_keypress - case "$do_keypress" in - $1) - echo "true" >$keypress_true - ;; - 1 | 2 | 3 | 4) - echo "$do_keypress" >/tmp/debug_level - ;; - *) - continue; - ;; - esac - lock -u $keypress_wait - rm -f $keypress_wait - } - done - } + [ -n "$timer" ] || timer=1 + timer="${timer%%\ *}" + [ $timer -ge 1 ] || timer=1 + do_keypress="" + { + read -t "$timer" do_keypress < "/dev/$console" + case "$do_keypress" in + $1) + echo "true" >$keypress_true + ;; + 1 | 2 | 3 | 4) + echo "$do_keypress" >/tmp/debug_level + ;; + *) + continue; + ;; + esac + lock -u $keypress_wait + rm -f $keypress_wait + } + done + } & + done lock -w $keypress_wait keypressed=1 diff --git a/base-files/files/lib/preinit/99_10_failsafe_login b/base-files/files/lib/preinit/99_10_failsafe_login index 1410c5f0d..6f4af3f28 100644 --- a/base-files/files/lib/preinit/99_10_failsafe_login +++ b/base-files/files/lib/preinit/99_10_failsafe_login 
@@ -2,13 +2,14 @@ # Copyright (C) 2010 Vertical Communications failsafe_shell() { - local console="$(sed -e 's/ /\n/g' /proc/cmdline | grep '^console=' | head -1 | sed -e 's/^console=//' -e 's/,.*//')" - [ -n "$console" ] || console=console - [ -c "/dev/$console" ] || return 0 - while true; do - ash --login <"/dev/$console" >"/dev/$console" 2>"/dev/$console" - sleep 1 - done & + local consoles="$(sed -e 's/ /\n/g' /proc/cmdline | grep '^console=' | sed -e 's/^console=//' -e 's/,.*//')" + [ -n "$consoles" ] || consoles=console + for console in $consoles; do + [ -c "/dev/$console" ] && while true; do + ash --login <"/dev/$console" >"/dev/$console" 2>"/dev/$console" + sleep 1 + done & + done } boot_hook_add failsafe failsafe_shell diff --git a/base-files/files/lib/upgrade/common.sh b/base-files/files/lib/upgrade/common.sh index 24ff77a8b..af1182cb1 100644 --- a/base-files/files/lib/upgrade/common.sh +++ b/base-files/files/lib/upgrade/common.sh @@ -127,6 +127,33 @@ get_magic_fat32() { (get_image "$@" | dd bs=1 count=5 skip=82) 2>/dev/null } +identify_magic_long() { + local magic=$1 + case "$magic" in + "55424923") + echo "ubi" + ;; + "31181006") + echo "ubifs" + ;; + "68737173") + echo "squashfs" + ;; + "d00dfeed") + echo "fit" + ;; + "4349"*) + echo "combined" + ;; + "1f8b"*) + echo "gzip" + ;; + *) + echo "unknown $magic" + ;; + esac +} + part_magic_efi() { local magic=$(get_magic_gpt "$@") [ "$magic" = "EFI PART" ] @@ -155,9 +182,11 @@ export_bootdevice() { fi done ;; + PARTUUID=????????-????-????-????-??????????0?/PARTNROFF=1 | \ PARTUUID=????????-????-????-????-??????????02) uuid="${rootpart#PARTUUID=}" - uuid="${uuid%02}00" + uuid="${uuid%/PARTNROFF=1}" + uuid="${uuid%0?}00" for disk in $(find /dev -type b); do set -- $(dd if=$disk bs=1 skip=568 count=16 2>/dev/null | hexdump -v -e '8/1 "%02x "" "2/1 "%02x""-"6/1 "%02x"') if [ "$4$3$2$1-$6$5-$8$7-$9" = "$uuid" ]; then 
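Review bot: Failsafe now spawns an unauthenticated root `ash --login` on every `console=` device from the kernel command line rather than only the first, which is a deliberate widening of the entry points that deserves a comment, since a secondary console (a USB gadget serial port, a second UART on a header) becomes a root shell whenever failsafe is entered. Something like `# one root shell per kernel console: every console= device is a root entry point in failsafe` on the `for` line would make that visible to whoever adds `console=` entries later. The backgrounded `while true` loops are never reaped, which matches the previous single-console behaviour.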
@@ -203,7 +232,7 @@ export_partdevice() { while read line; do export -n "$line" done < "$uevent" - if [ $BOOTDEV_MAJOR = $MAJOR -a $(($BOOTDEV_MINOR + $offset)) = $MINOR -a -b "/dev/$DEVNAME" ]; then + if [ "$BOOTDEV_MAJOR" = "$MAJOR" -a $(($BOOTDEV_MINOR + $offset)) = "$MINOR" -a -b "/dev/$DEVNAME" ]; then export "$var=$DEVNAME" return 0 fi diff --git a/base-files/files/lib/upgrade/emmc.sh b/base-files/files/lib/upgrade/emmc.sh index c3b02864a..49cffe1c6 100644 --- a/base-files/files/lib/upgrade/emmc.sh +++ b/base-files/files/lib/upgrade/emmc.sh @@ -58,7 +58,7 @@ emmc_copy_config() { } emmc_do_upgrade() { - local file_type=$(identify $1) + local file_type=$(identify_magic_long "$(get_magic_long "$1")") case "$file_type" in "fit") emmc_upgrade_fit $1;; diff --git a/base-files/files/lib/upgrade/nand.sh b/base-files/files/lib/upgrade/nand.sh index 8720a78b4..d910bf179 100644 --- a/base-files/files/lib/upgrade/nand.sh +++ b/base-files/files/lib/upgrade/nand.sh @@ -7,6 +7,8 @@ CI_KERNPART="${CI_KERNPART:-kernel}" # 'ubi' partition on NAND contains UBI +# There are also CI_KERN_UBIPART and CI_ROOT_UBIPART if kernel +# and rootfs are on separated UBIs. CI_UBIPART="${CI_UBIPART:-ubi}" # 'rootfs' UBI volume on NAND contains the rootfs @@ -26,7 +28,7 @@ ubi_mknod() { nand_find_volume() { local ubidevdir ubivoldir - ubidevdir="/sys/devices/virtual/ubi/$1" + ubidevdir="/sys/class/ubi/" [ ! -d "$ubidevdir" ] && return 1 for ubivoldir in $ubidevdir/${1}_*; do [ ! -d "$ubivoldir" ] && continue 
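Review bot: With `ubidevdir` now fixed to `/sys/class/ubi/`, the `[ ! -d "$ubidevdir" ] && return 1` guard in `nand_find_volume` only proves that UBI exists at all; a wrong or empty `$1` no longer returns 1 here and instead reaches the glob `$ubidevdir/${1}_*`, which for an unmatched pattern stays literal and is skipped by the `continue`, so the function ends with no output and no early error (the rest of the loop is outside the hunk). Restoring the per-device check keeps the old contract in one line: `[ -d "/sys/class/ubi/$1" ] || return 1`. The trailing slash also yields `/sys/class/ubi//ubi0_*` paths, harmless but untidy.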
@@ -39,13 +41,12 @@ nand_find_volume() { } nand_find_ubi() { - local ubidevdir ubidev mtdnum + local ubidevdir ubidev mtdnum cmtdnum mtdnum="$( find_mtd_index $1 )" [ ! "$mtdnum" ] && return 1 - for ubidevdir in /sys/devices/virtual/ubi/ubi*; do - [ ! -d "$ubidevdir" ] && continue + for ubidevdir in /sys/class/ubi/ubi*; do + [ ! -e "$ubidevdir/mtd_num" ] && continue cmtdnum="$( cat $ubidevdir/mtd_num )" - [ ! "$mtdnum" ] && continue if [ "$mtdnum" = "$cmtdnum" ]; then ubidev=$( basename $ubidevdir ) ubi_mknod "$ubidevdir" 
@@ -56,134 +57,175 @@ nand_find_ubi() { } nand_get_magic_long() { - dd if="$1" skip=$2 bs=4 count=1 2>/dev/null | hexdump -v -n 4 -e '1/1 "%02x"' + (${3}cat "$1" | dd bs=4 "skip=${2:-0}" count=1 | hexdump -v -n 4 -e '1/1 "%02x"') 2> /dev/null } get_magic_long_tar() { - ( tar xf $1 $2 -O | dd bs=4 count=1 | hexdump -v -n 4 -e '1/1 "%02x"') 2> /dev/null + (tar xO${3}f "$1" "$2" | dd bs=4 count=1 | hexdump -v -n 4 -e '1/1 "%02x"') 2> /dev/null } -identify_magic() { - local magic=$1 - case "$magic" in - "55424923") - echo "ubi" - ;; - "31181006") - echo "ubifs" - ;; - "68737173") - echo "squashfs" - ;; - "d00dfeed") - echo "fit" - ;; - "4349"*) - echo "combined" - ;; - *) - echo "unknown $magic" - ;; - esac -} - - identify() { - identify_magic $(nand_get_magic_long "$1" "${2:-0}") + identify_magic_long $(nand_get_magic_long "$@") } identify_tar() { - identify_magic $(get_magic_long_tar "$1" "$2") + identify_magic_long $(get_magic_long_tar "$@") +} + +identify_if_gzip() { + if [ "$(identify "$1")" = gzip ]; then echo -n z; fi } nand_restore_config() { - sync - local ubidev=$( nand_find_ubi $CI_UBIPART ) + local ubidev=$( nand_find_ubi "${CI_ROOT_UBIPART:-$CI_UBIPART}" ) local ubivol="$( nand_find_volume $ubidev rootfs_data )" - [ ! "$ubivol" ] && - ubivol="$( nand_find_volume $ubidev $CI_ROOTPART )" + if [ ! "$ubivol" ]; then + ubivol="$( nand_find_volume $ubidev "$CI_ROOTPART" )" + if [ ! "$ubivol" ]; then + echo "cannot find ubifs data volume" + return 1 + fi + fi mkdir /tmp/new_root if ! 
mount -t ubifs /dev/$ubivol /tmp/new_root; then - echo "mounting ubifs $ubivol failed" + echo "cannot mount ubifs volume $ubivol" rmdir /tmp/new_root return 1 fi - mv "$1" "/tmp/new_root/$BACKUP_FILE" - umount /tmp/new_root - sync + if mv "$1" "/tmp/new_root/$BACKUP_FILE"; then + if umount /tmp/new_root; then + echo "configuration saved" + rmdir /tmp/new_root + return 0 + fi + else + umount /tmp/new_root + fi + echo "could not save configuration to ubifs volume $ubivol" rmdir /tmp/new_root + return 1 +} + +nand_remove_ubiblock() { + local ubivol="$1" + + local ubiblk="ubiblock${ubivol:3}" + if [ -e "/dev/$ubiblk" ]; then + umount "/dev/$ubiblk" && echo "unmounted /dev/$ubiblk" || : + if ! ubiblock -r "/dev/$ubivol"; then + echo "cannot remove $ubiblk" + return 1 + fi + fi +} + +nand_attach_ubi() { + local ubipart="$1" + local has_env="${2:-0}" + + local mtdnum="$( find_mtd_index "$ubipart" )" + if [ ! "$mtdnum" ]; then + >&2 echo "cannot find ubi mtd partition $ubipart" + return 1 + fi + + local ubidev="$( nand_find_ubi "$ubipart" )" + if [ ! "$ubidev" ]; then + >&2 ubiattach -m "$mtdnum" + ubidev="$( nand_find_ubi "$ubipart" )" + + if [ ! "$ubidev" ]; then + >&2 ubiformat /dev/mtd$mtdnum -y + >&2 ubiattach -m "$mtdnum" + ubidev="$( nand_find_ubi "$ubipart" )" + + if [ ! "$ubidev" ]; then + >&2 echo "cannot attach ubi mtd partition $ubipart" + return 1 + fi + + if [ "$has_env" -gt 0 ]; then + >&2 ubimkvol /dev/$ubidev -n 0 -N ubootenv -s 1MiB + >&2 ubimkvol /dev/$ubidev -n 1 -N ubootenv2 -s 1MiB + fi + fi + fi + + echo "$ubidev" + return 0 +} + +nand_detach_ubi() { + local ubipart="$1" + + local mtdnum="$( find_mtd_index "$ubipart" )" + if [ ! 
"$mtdnum" ]; then + echo "cannot find ubi mtd partition $ubipart" + return 1 + fi + + local ubidev="$( nand_find_ubi "$ubipart" )" + if [ "$ubidev" ]; then + for ubivol in $(find /dev -name "${ubidev}_*" -maxdepth 1 | sort); do + ubivol="${ubivol:5}" + nand_remove_ubiblock "$ubivol" || : + umount "/dev/$ubivol" && echo "unmounted /dev/$ubivol" || : + done + if ! ubidetach -m "$mtdnum"; then + echo "cannot detach ubi mtd partition $ubipart" + return 1 + fi + fi } nand_upgrade_prepare_ubi() { local rootfs_length="$1" local rootfs_type="$2" - local rootfs_data_max="$(fw_printenv -n rootfs_data_max 2>/dev/null)" + local rootfs_data_max="$(fw_printenv -n rootfs_data_max 2> /dev/null)" [ -n "$rootfs_data_max" ] && rootfs_data_max=$((rootfs_data_max)) local kernel_length="$3" local has_env="${4:-0}" + local kern_ubidev + local root_ubidev [ -n "$rootfs_length" -o -n "$kernel_length" ] || return 1 - local mtdnum="$( find_mtd_index "$CI_UBIPART" )" - if [ ! "$mtdnum" ]; then - echo "cannot find ubi mtd partition $CI_UBIPART" - return 1 + if [ -n "$CI_KERN_UBIPART" -a -n "$CI_ROOT_UBIPART" ]; then + kern_ubidev="$( nand_attach_ubi "$CI_KERN_UBIPART" "$has_env" )" + [ -n "$kern_ubidev" ] || return 1 + root_ubidev="$( nand_attach_ubi "$CI_ROOT_UBIPART" )" + [ -n "$root_ubidev" ] || return 1 + else + kern_ubidev="$( nand_attach_ubi "$CI_UBIPART" "$has_env" )" + [ -n "$kern_ubidev" ] || return 1 + root_ubidev="$kern_ubidev" fi - local ubidev="$( nand_find_ubi "$CI_UBIPART" )" - if [ ! "$ubidev" ]; then - ubiattach -m "$mtdnum" - sync - ubidev="$( nand_find_ubi "$CI_UBIPART" )" - fi + local kern_ubivol="$( nand_find_volume $kern_ubidev "$CI_KERNPART" )" + local root_ubivol="$( nand_find_volume $root_ubidev "$CI_ROOTPART" )" + local data_ubivol="$( nand_find_volume $root_ubidev rootfs_data )" + [ "$root_ubivol" = "$kern_ubivol" ] && root_ubivol= - if [ ! 
"$ubidev" ]; then - ubiformat /dev/mtd$mtdnum -y - ubiattach -m "$mtdnum" - sync - ubidev="$( nand_find_ubi "$CI_UBIPART" )" - [ ! "$ubidev" ] && return 1 - [ "$has_env" -gt 0 ] && { - ubimkvol /dev/$ubidev -n 0 -N ubootenv -s 1MiB - ubimkvol /dev/$ubidev -n 1 -N ubootenv2 -s 1MiB - } - fi - - local kern_ubivol="$( nand_find_volume $ubidev $CI_KERNPART )" - local root_ubivol="$( nand_find_volume $ubidev $CI_ROOTPART )" - local data_ubivol="$( nand_find_volume $ubidev rootfs_data )" - - local ubiblk ubiblkvol - for ubiblk in /dev/ubiblock${ubidev:3}_* ; do - [ -e "$ubiblk" ] || continue - case "$ubiblk" in - /dev/ubiblock*_*p*) - continue - ;; - esac - echo "removing ubiblock${ubiblk:13}" - ubiblkvol=ubi${ubiblk:13} - if ! ubiblock -r /dev/$ubiblkvol; then - echo "cannot remove $ubiblk" - return 1 - fi - done + # remove ubiblocks + [ "$kern_ubivol" ] && { nand_remove_ubiblock $kern_ubivol || return 1; } + [ "$root_ubivol" ] && { nand_remove_ubiblock $root_ubivol || return 1; } + [ "$data_ubivol" ] && { nand_remove_ubiblock $data_ubivol || return 1; } # kill volumes - [ "$kern_ubivol" ] && ubirmvol /dev/$ubidev -N $CI_KERNPART || : - [ "$root_ubivol" -a "$root_ubivol" != "$kern_ubivol" ] && ubirmvol /dev/$ubidev -N $CI_ROOTPART || : - [ "$data_ubivol" ] && ubirmvol /dev/$ubidev -N rootfs_data || : + [ "$kern_ubivol" ] && ubirmvol /dev/$kern_ubidev -N "$CI_KERNPART" || : + [ "$root_ubivol" ] && ubirmvol /dev/$root_ubidev -N "$CI_ROOTPART" || : + [ "$data_ubivol" ] && ubirmvol /dev/$root_ubidev -N rootfs_data || : - # update kernel + # create kernel vol if [ -n "$kernel_length" ]; then - if ! ubimkvol /dev/$ubidev -N $CI_KERNPART -s $kernel_length; then + if ! ubimkvol /dev/$kern_ubidev -N "$CI_KERNPART" -s $kernel_length; then echo "cannot create kernel volume" return 1; fi fi - # update rootfs + # create rootfs vol if [ -n "$rootfs_length" ]; then local rootfs_size_param if [ "$rootfs_type" = "ubifs" ]; then 
@@ -191,155 +233,224 @@ nand_upgrade_prepare_ubi() { else rootfs_size_param="-s $rootfs_length" fi - if ! ubimkvol /dev/$ubidev -N $CI_ROOTPART $rootfs_size_param; then + if ! ubimkvol /dev/$root_ubidev -N "$CI_ROOTPART" $rootfs_size_param; then echo "cannot create rootfs volume" return 1; fi fi - # create rootfs_data for non-ubifs rootfs + # create rootfs_data vol for non-ubifs rootfs if [ "$rootfs_type" != "ubifs" ]; then local rootfs_data_size_param="-m" if [ -n "$rootfs_data_max" ]; then rootfs_data_size_param="-s $rootfs_data_max" fi - if ! ubimkvol /dev/$ubidev -N rootfs_data $rootfs_data_size_param; then - if ! ubimkvol /dev/$ubidev -N rootfs_data -m; then + if ! ubimkvol /dev/$root_ubidev -N rootfs_data $rootfs_data_size_param; then + if ! ubimkvol /dev/$root_ubidev -N rootfs_data -m; then echo "cannot initialize rootfs_data volume" return 1 fi fi fi - sync + return 0 } -nand_do_upgrade_success() { - local conf_tar="/tmp/sysupgrade.tgz" - - sync - [ -f "$conf_tar" ] && nand_restore_config "$conf_tar" - echo "sysupgrade successful" - umount -a - reboot -f -} - -# Flash the UBI image to MTD partition +# Write the UBI image to MTD ubi partition nand_upgrade_ubinized() { local ubi_file="$1" - local mtdnum="$(find_mtd_index "$CI_UBIPART")" + local gz="$2" - [ ! "$mtdnum" ] && { - CI_UBIPART="rootfs" - mtdnum="$(find_mtd_index "$CI_UBIPART")" - } + local ubi_length=$( (${gz}cat "$ubi_file" | wc -c) 2> /dev/null) - if [ ! 
"$mtdnum" ]; then - echo "cannot find mtd device $CI_UBIPART" - umount -a - reboot -f - fi + nand_detach_ubi "$CI_UBIPART" || return 1 - local mtddev="/dev/mtd${mtdnum}" - ubidetach -p "${mtddev}" || true - sync - ubiformat "${mtddev}" -y -f "${ubi_file}" - ubiattach -p "${mtddev}" - nand_do_upgrade_success + local mtdnum="$( find_mtd_index "$CI_UBIPART" )" + ${gz}cat "$ubi_file" | ubiformat "/dev/mtd$mtdnum" -S "$ubi_length" -y -f - && ubiattach -m "$mtdnum" } -# Write the UBIFS image to UBI volume +# Write the UBIFS image to UBI rootfs volume nand_upgrade_ubifs() { - local rootfs_length=$( (cat $1 | wc -c) 2> /dev/null) + local ubifs_file="$1" + local gz="$2" - nand_upgrade_prepare_ubi "$rootfs_length" "ubifs" "" "" + local ubifs_length=$( (${gz}cat "$ubifs_file" | wc -c) 2> /dev/null) + + nand_upgrade_prepare_ubi "$ubifs_length" "ubifs" "" "" || return 1 local ubidev="$( nand_find_ubi "$CI_UBIPART" )" - local root_ubivol="$(nand_find_volume $ubidev $CI_ROOTPART)" - ubiupdatevol /dev/$root_ubivol -s $rootfs_length $1 - - nand_do_upgrade_success + local root_ubivol="$(nand_find_volume $ubidev "$CI_ROOTPART")" + ${gz}cat "$ubifs_file" | ubiupdatevol /dev/$root_ubivol -s "$ubifs_length" - } +# Write the FIT image to UBI kernel volume nand_upgrade_fit() { local fit_file="$1" - local fit_length="$(wc -c < "$fit_file")" + local gz="$2" - nand_upgrade_prepare_ubi "" "" "$fit_length" "1" + local fit_length=$( (${gz}cat "$fit_file" | wc -c) 2> /dev/null) + + nand_upgrade_prepare_ubi "" "" "$fit_length" "1" || return 1 local fit_ubidev="$(nand_find_ubi "$CI_UBIPART")" local fit_ubivol="$(nand_find_volume $fit_ubidev "$CI_KERNPART")" - ubiupdatevol /dev/$fit_ubivol -s $fit_length $fit_file - - nand_do_upgrade_success + ${gz}cat "$fit_file" | ubiupdatevol /dev/$fit_ubivol -s "$fit_length" - } +# Write images in the TAR file to MTD partitions and/or UBI volumes as required nand_upgrade_tar() { local tar_file="$1" - local kernel_mtd="$(find_mtd_index $CI_KERNPART)" + local 
gz="$2" + local jffs2_markers="${CI_JFFS2_CLEAN_MARKERS:-0}" - local board_dir=$(tar tf "$tar_file" | grep -m 1 '^sysupgrade-.*/$') - board_dir=${board_dir%/} + # WARNING: This fails if tar contains more than one 'sysupgrade-*' directory. + local board_dir="$(tar t${gz}f "$tar_file" | grep -m 1 '^sysupgrade-.*/$')" + board_dir="${board_dir%/}" - kernel_length=$( (tar xf "$tar_file" ${board_dir}/kernel -O | wc -c) 2> /dev/null) - local has_rootfs=0 - local rootfs_length + local kernel_mtd kernel_length + if [ "$CI_KERNPART" != "none" ]; then + kernel_mtd="$(find_mtd_index "$CI_KERNPART")" + kernel_length=$( (tar xO${gz}f "$tar_file" "$board_dir/kernel" | wc -c) 2> /dev/null) + [ "$kernel_length" = 0 ] && kernel_length= + fi + local rootfs_length=$( (tar xO${gz}f "$tar_file" "$board_dir/root" | wc -c) 2> /dev/null) + [ "$rootfs_length" = 0 ] && rootfs_length= local rootfs_type + [ "$rootfs_length" ] && rootfs_type="$(identify_tar "$tar_file" "$board_dir/root" "$gz")" - tar tf "$tar_file" ${board_dir}/root 1>/dev/null 2>/dev/null && has_rootfs=1 - [ "$has_rootfs" = "1" ] && { - rootfs_length=$( (tar xf "$tar_file" ${board_dir}/root -O | wc -c) 2> /dev/null) - rootfs_type="$(identify_tar "$tar_file" ${board_dir}/root)" - } + local ubi_kernel_length + if [ "$kernel_length" ]; then + if [ "$kernel_mtd" ]; then + # On some devices, the raw kernel and ubi partitions overlap. + # These devices brick if the kernel partition is erased. + # Hence only invalidate kernel for now. + dd if=/dev/zero bs=4096 count=1 2> /dev/null | \ + mtd write - "$CI_KERNPART" + else + ubi_kernel_length="$kernel_length" + fi + fi - local has_kernel=1 local has_env=0 + nand_upgrade_prepare_ubi "$rootfs_length" "$rootfs_type" "$ubi_kernel_length" "$has_env" || return 1 - [ "$kernel_length" != 0 -a -n "$kernel_mtd" ] && { - tar xf "$tar_file" ${board_dir}/kernel -O | mtd write - $CI_KERNPART - } - [ "$kernel_length" = 0 -o ! 
-z "$kernel_mtd" ] && has_kernel= - [ "$CI_KERNPART" = "none" ] && has_kernel= + if [ "$rootfs_length" ]; then + local ubidev="$( nand_find_ubi "${CI_ROOT_UBIPART:-$CI_UBIPART}" )" + local root_ubivol="$( nand_find_volume $ubidev "$CI_ROOTPART" )" + tar xO${gz}f "$tar_file" "$board_dir/root" | \ + ubiupdatevol /dev/$root_ubivol -s "$rootfs_length" - + fi + if [ "$kernel_length" ]; then + if [ "$kernel_mtd" ]; then + if [ "$jffs2_markers" = 1 ]; then + flash_erase -j "/dev/mtd${kernel_mtd}" 0 0 + tar xO${gz}f "$tar_file" "$board_dir/kernel" | \ + nandwrite "/dev/mtd${kernel_mtd}" - + else + tar xO${gz}f "$tar_file" "$board_dir/kernel" | \ + mtd write - "$CI_KERNPART" + fi + else + local ubidev="$( nand_find_ubi "${CI_KERN_UBIPART:-$CI_UBIPART}" )" + local kern_ubivol="$( nand_find_volume $ubidev "$CI_KERNPART" )" + tar xO${gz}f "$tar_file" "$board_dir/kernel" | \ + ubiupdatevol /dev/$kern_ubivol -s "$kernel_length" - + fi + fi - nand_upgrade_prepare_ubi "$rootfs_length" "$rootfs_type" "${has_kernel:+$kernel_length}" "$has_env" + return 0 +} - local ubidev="$( nand_find_ubi "$CI_UBIPART" )" - [ "$has_kernel" = "1" ] && { - local kern_ubivol="$( nand_find_volume $ubidev $CI_KERNPART )" - tar xf "$tar_file" ${board_dir}/kernel -O | \ - ubiupdatevol /dev/$kern_ubivol -s $kernel_length - - } +nand_verify_if_gzip_file() { + local file="$1" + local gz="$2" - [ "$has_rootfs" = "1" ] && { - local root_ubivol="$( nand_find_volume $ubidev $CI_ROOTPART )" - tar xf "$tar_file" ${board_dir}/root -O | \ - ubiupdatevol /dev/$root_ubivol -s $rootfs_length - - } - nand_do_upgrade_success + if [ "$gz" = z ]; then + echo "verifying compressed sysupgrade file integrity" + if ! gzip -t "$file"; then + echo "corrupted compressed sysupgrade file" + return 1 + fi + fi +} + +nand_verify_tar_file() { + local file="$1" + local gz="$2" + + echo "verifying sysupgrade tar file integrity" + if ! 
tar xO${gz}f "$file" > /dev/null; then + echo "corrupted sysupgrade tar file" + return 1 + fi +} + +nand_do_flash_file() { + local file="$1" + + local gz="$(identify_if_gzip "$file")" + local file_type="$(identify "$file" "" "$gz")" + + [ ! "$(find_mtd_index "$CI_UBIPART")" ] && CI_UBIPART=rootfs + + case "$file_type" in + "fit") + nand_verify_if_gzip_file "$file" "$gz" || return 1 + nand_upgrade_fit "$file" "$gz" + ;; + "ubi") + nand_verify_if_gzip_file "$file" "$gz" || return 1 + nand_upgrade_ubinized "$file" "$gz" + ;; + "ubifs") + nand_verify_if_gzip_file "$file" "$gz" || return 1 + nand_upgrade_ubifs "$file" "$gz" + ;; + *) + nand_verify_tar_file "$file" "$gz" || return 1 + nand_upgrade_tar "$file" "$gz" + ;; + esac +} + +nand_do_restore_config() { + local conf_tar="/tmp/sysupgrade.tgz" + [ ! -f "$conf_tar" ] || nand_restore_config "$conf_tar" } # Recognize type of passed file and start the upgrade process nand_do_upgrade() { - local file_type=$(identify $1) + local file="$1" - [ ! "$(find_mtd_index "$CI_UBIPART")" ] && CI_UBIPART="rootfs" - - case "$file_type" in - "fit") nand_upgrade_fit $1;; - "ubi") nand_upgrade_ubinized $1;; - "ubifs") nand_upgrade_ubifs $1;; - *) nand_upgrade_tar $1;; - esac + sync + nand_do_flash_file "$file" && nand_do_upgrade_success + nand_do_upgrade_failed } -# Check if passed file is a valid one for NAND sysupgrade. 
Currently it accepts -# 3 types of files: -# 1) UBI - should contain an ubinized image, header is checked for the proper -# MAGIC -# 2) UBIFS - should contain UBIFS partition that will replace "rootfs" volume, -# header is checked for the proper MAGIC -# 3) TAR - archive has to include "sysupgrade-BOARD" directory with a non-empty -# "CONTROL" file (at this point its content isn't verified) +nand_do_upgrade_success() { + if nand_do_restore_config && sync; then + echo "sysupgrade successful" + umount -a + reboot -f + fi + nand_do_upgrade_failed +} + +nand_do_upgrade_failed() { + sync + echo "sysupgrade failed" + # Should we reboot or bring up some failsafe mode instead? + umount -a + reboot -f +} + +# Check if passed file is a valid one for NAND sysupgrade. +# Currently it accepts 4 types of files: +# 1) UBI: a ubinized image containing required UBI volumes. +# 2) UBIFS: a UBIFS rootfs volume image. +# 3) FIT: a FIT image containing kernel and rootfs. +# 4) TAR: an archive that includes directory "sysupgrade-${BOARD_NAME}" containing +# a non-empty "CONTROL" file and required partition and/or volume images. # # You usually want to call this function in platform_check_image. # 
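Review bot: nand_upgrade_tar flashes from whichever `sysupgrade-*/` entry `grep -m 1` finds first in the archive, while nand_do_platform_check (next hunk) validates `sysupgrade-${board_name//,/_}/CONTROL`; in an archive holding more than one such directory the two can disagree, which the new WARNING comment acknowledges without closing. If the board name is reachable at flash time, deriving `board_dir` from it (with the same `//_/,` fallback the check uses) keeps the members written identical to the ones inspected; otherwise the check should at least reject archives with more than one `sysupgrade-*/` entry. Separately, nand_do_upgrade_success falls through to nand_do_upgrade_failed when `nand_do_restore_config` fails although the image has already been written, so the log reads `sysupgrade failed` for a device that will boot the new firmware with default configuration; print a distinct message on that path, e.g. `echo "image written but configuration could not be restored, booting with defaults"`.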
@@ -347,14 +458,25 @@ nand_do_upgrade() { # $(2): file to be checked nand_do_platform_check() { local board_name="$1" - local tar_file="$2" - local control_length=$( (tar xf $tar_file sysupgrade-$board_name/CONTROL -O | wc -c) 2> /dev/null) - local file_type="$(identify $2)" + local file="$2" - [ "$control_length" = 0 -a "$file_type" != "ubi" -a "$file_type" != "ubifs" -a "$file_type" != "fit" ] && { - echo "Invalid sysupgrade file." - return 1 - } + local gz="$(identify_if_gzip "$file")" + local file_type="$(identify "$file" "" "$gz")" + local control_length=$( (tar xO${gz}f "$file" "sysupgrade-${board_name//,/_}/CONTROL" | wc -c) 2> /dev/null) + + if [ "$control_length" = 0 ]; then + control_length=$( (tar xO${gz}f "$file" "sysupgrade-${board_name//_/,}/CONTROL" | wc -c) 2> /dev/null) + fi + + if [ "$control_length" != 0 ]; then + nand_verify_tar_file "$file" "$gz" || return 1 + else + nand_verify_if_gzip_file "$file" "$gz" || return 1 + if [ "$file_type" != "fit" -a "$file_type" != "ubi" -a "$file_type" != "ubifs" ]; then + echo "invalid sysupgrade file" + return 1 + fi + fi return 0 } diff --git a/base-files/files/lib/upgrade/stage2 b/base-files/files/lib/upgrade/stage2 index 0c1ffb514..f4db88d31 100755 --- a/base-files/files/lib/upgrade/stage2 +++ b/base-files/files/lib/upgrade/stage2 @@ -39,9 +39,9 @@ switch_to_ramfs() { for binary in \ /bin/busybox /bin/ash /bin/sh /bin/mount /bin/umount \ pivot_root mount_root reboot sync kill sleep \ - md5sum hexdump cat zcat dd tar \ + md5sum hexdump cat zcat dd tar gzip \ ls basename find cp mv rm mkdir rmdir mknod touch chmod \ - '[' printf wc grep awk sed cut tail \ + '[' printf wc grep awk sed cut sort tail \ mtd partx losetup mkfs.ext4 nandwrite flash_erase \ ubiupdatevol ubiattach ubiblock ubiformat \ ubidetach ubirsvol ubirmvol ubimkvol \ diff --git a/base-files/files/sbin/wifi b/base-files/files/sbin/wifi index 6b9662fe9..a3d3206ee 100755 --- a/base-files/files/sbin/wifi +++ b/base-files/files/sbin/wifi 
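Review bot: `nand_verify_tar_file "$file" "$gz"` streams every member through `tar xO${gz}f`, and nand_do_flash_file in the previous hunk runs the same call again, so a tar image is fully read (and decompressed when `gz` is set) twice; if the platform check and the flash run in separate stages, as the stage2 change in this diff suggests, the double pass is inherent and deserves a one-line comment saying so, otherwise cache the result. The branch `[ "$file_type" != "fit" -a "$file_type" != "ubi" -a "$file_type" != "ubifs" ]` relies on the obsolescent `-a`; `case "$file_type" in fit|ubi|ubifs) ;; *) echo "invalid sysupgrade file"; return 1 ;; esac` reads more clearly and avoids the `test` ambiguities.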
@@ -6,7 +6,7 @@ usage() { cat < +PKG_LICENSE:=Apache-2.0 +PKG_LICENSE_FILES:=LICENSE + +PKG_BUILD_FLAGS:=no-lto +PKG_BUILD_PARALLEL:=1 +PKG_INSTALL:=1 + +include $(INCLUDE_DIR)/package.mk + +define Package/btop + SECTION:=admin + CATEGORY:=Administration + TITLE:=A monitor of resources + URL:=https://github.com/aristocratos/btop + DEPENDS:=+libstdcpp +endef + +define Package/btop/description + Resource monitor that shows usage and stats for processor, memory, + disks, network and processes. + + C++ version and continuation of bashtop and bpytop. +endef + +MAKE_FLAGS+= \ + PLATFORM=Linux \ + OPTFLAGS="$(TARGET_CXXFLAGS)" \ + LDCXXFLAGS="$(TARGET_LDFLAGS) -pthread" + +ifneq ($(CONFIG_USE_MUSL),) + TARGET_CFLAGS += -D_LARGEFILE64_SOURCE +endif + +define Package/btop/install + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/local/bin/btop $(1)/usr/bin/ + $(INSTALL_DIR) $(1)/usr/share + $(CP) $(PKG_INSTALL_DIR)/usr/local/share/btop $(1)/usr/share/ + + $(INSTALL_DIR) $(1)/etc/profile.d + $(CP) $(CURDIR)/files/btop.sh $(1)/etc/profile.d/ +endef + +$(eval $(call BuildPackage,btop)) diff --git a/btop/files/btop.sh b/btop/files/btop.sh new file mode 100644 index 000000000..d7aa44760 --- /dev/null +++ b/btop/files/btop.sh @@ -0,0 +1 @@ +alias btop="btop --utf-force" diff --git a/btop/test.sh b/btop/test.sh new file mode 100644 index 000000000..b7b21ab7c --- /dev/null +++ b/btop/test.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +btop --version | grep "$PKG_VERSION" diff --git a/coremark/Makefile b/coremark/Makefile index 80431d2e4..06a05c875 100644 --- a/coremark/Makefile +++ b/coremark/Makefile 
@@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=coremark -PKG_SOURCE_DATE:=2022-01-03 -PKG_SOURCE_VERSION:=b24e397f7103061b3673261d292a0667bd3bc1b8 +PKG_SOURCE_DATE:=2023-01-25 +PKG_SOURCE_VERSION:=d5fad6bd094899101a4e5fd53af7298160ced6ab PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_DATE).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/eembc/coremark/tar.gz/$(PKG_SOURCE_VERSION)? -PKG_HASH:=1b8c36b202f39b4f8a872ed7d5db1dc4473ee27f7bc2885a9da20e72925c58c3 +PKG_HASH:=76f3b98fc940d277521023dc6e106551ef4a2180fa4c3da8cd5bf933aa494ef2 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_SOURCE_VERSION) PKG_MAINTAINER:=Lim Guo Wei \ @@ -22,7 +22,7 @@ PKG_MAINTAINER:=Lim Guo Wei \ PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE.md -PKG_USE_MIPS16:=0 +PKG_BUILD_FLAGS:=no-mips16 lto include $(INCLUDE_DIR)/package.mk @@ -60,8 +60,6 @@ define Package/coremark/config Number of threads to run in parallel endef -TARGET_CFLAGS += -flto - ifeq ($(CONFIG_COREMARK_OPTIMIZE_O3),y) TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3 endif diff --git a/cxxopts/Makefile b/cxxopts/Makefile new file mode 100644 index 000000000..f891f8820 --- /dev/null +++ b/cxxopts/Makefile 
@@ -0,0 +1,44 @@ +# SPDX-License-Identifier: GPL-3.0-only +# +# Copyright (C) 2021 ImmortalWrt.org + +include $(TOPDIR)/rules.mk + +PKG_NAME:=cxxopts +PKG_VERSION:=3.1.1 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://codeload.github.com/jarro2783/cxxopts/tar.gz/v$(PKG_VERSION)? +PKG_HASH:=523175f792eb0ff04f9e653c90746c12655f10cb70f1d5e6d6d9491420298a08 + +PKG_LICENSE:=MIT +PKG_LICENSE_FILES:=LICENSE +PKG_MAINTAINER:=Tianling Shen + +PKG_BUILD_PARALLEL:=1 +CMAKE_INSTALL:=1 + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/cmake.mk + +CMAKE_OPTIONS+= \ + -DCXXOPTS_ENABLE_INSTALL=ON \ + -DCXXOPTS_BUILD_EXAMPLES=OFF \ + -DCXXOPTS_BUILD_TESTS=OFF + +define Package/cxxopts + SECTION:=lib + CATEGORY:=Libraries + URL:=https://github.com/jarro2783/cxxopts + TITLE:=Lightweight C++ command line option parser + DEPENDS:=+libc + BUILDONLY:=1 +endef + +define Package/cxxopts/description + This is a lightweight C++ option parser library, supporting the + standard GNU style syntax for options. +endef + +$(eval $(call BuildPackage,cxxopts)) diff --git a/ddns-scripts/Makefile b/ddns-scripts/Makefile index 54dd32117..19bebeef0 100644 --- a/ddns-scripts/Makefile +++ b/ddns-scripts/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ddns-scripts PKG_VERSION:=2.8.2 -PKG_RELEASE:=25 +PKG_RELEASE:=37 PKG_LICENSE:=GPL-2.0 @@ -58,6 +58,16 @@ define Package/ddns-scripts-services/description endef +define Package/ddns-scripts-luadns + $(call Package/ddns-scripts/Default) + TITLE:=Extension for LuaDNS API v1 + DEPENDS:=ddns-scripts +curl +endef + +define Package/ddns-scripts-luadns/description + Dynamic DNS Client scripts extension for LuaDNS API v1 (require curl) +endef + define Package/ddns-scripts-cloudflare $(call Package/ddns-scripts/Default) TITLE:=Extension for cloudflare.com API v4 
@@ -70,6 +80,17 @@ define Package/ddns-scripts-cloudflare/description endef +define Package/ddns-scripts-gcp + $(call Package/ddns-scripts/Default) + TITLE:=Extension for Google Cloud DNS API v1 + DEPENDS:=ddns-scripts +curl +openssl-util +endef + +define Package/ddns-scripts-gcp/description + Dynamic DNS Client scripts extension for Google Cloud DNS API v1 (requires curl) +endef + + define Package/ddns-scripts-freedns $(call Package/ddns-scripts/Default) TITLE:=Extension for freedns.42.pl @@ -322,7 +343,9 @@ define Package/ddns-scripts-services/install $(1)/usr/share/ddns/default # Remove special services + rm $(1)/usr/share/ddns/default/luadns.com-v1.json rm $(1)/usr/share/ddns/default/cloudflare.com-v4.json + rm $(1)/usr/share/ddns/default/cloud.google.com-v1.json rm $(1)/usr/share/ddns/default/freedns.42.pl.json rm $(1)/usr/share/ddns/default/godaddy.com-v1.json rm $(1)/usr/share/ddns/default/digitalocean.com-v2.json @@ -339,6 +362,25 @@ define Package/ddns-scripts-services/install endef +define Package/ddns-scripts-luadns/install + $(INSTALL_DIR) $(1)/usr/lib/ddns + $(INSTALL_BIN) ./files/usr/lib/ddns/update_luadns_v1.sh \ + $(1)/usr/lib/ddns + + $(INSTALL_DIR) $(1)/usr/share/ddns/default + $(INSTALL_DATA) ./files/usr/share/ddns/default/luadns.com-v1.json \ + $(1)/usr/share/ddns/default/ +endef + +define Package/ddns-scripts-luadns/prerm +#!/bin/sh +if [ -z "$${IPKG_INSTROOT}" ]; then + /etc/init.d/ddns stop +fi +exit 0 +endef + + define Package/ddns-scripts-cloudflare/install $(INSTALL_DIR) $(1)/usr/lib/ddns $(INSTALL_BIN) ./files/usr/lib/ddns/update_cloudflare_com_v4.sh \ 
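Review bot: The description for `Package/ddns-scripts-gcp` says "(requires curl)" while its `DEPENDS` line also pulls in `+openssl-util`; name both so users see why the package adds that dependency, e.g. `Dynamic DNS Client scripts extension for Google Cloud DNS API v1 (requires curl and openssl-util)`.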
@@ -358,6 +400,25 @@ exit 0 endef +define Package/ddns-scripts-gcp/install + $(INSTALL_DIR) $(1)/usr/lib/ddns + $(INSTALL_BIN) ./files/usr/lib/ddns/update_gcp_v1.sh \ + $(1)/usr/lib/ddns + + $(INSTALL_DIR) $(1)/usr/share/ddns/default + $(INSTALL_DATA) ./files/usr/share/ddns/default/cloud.google.com-v1.json \ + $(1)/usr/share/ddns/default/ +endef + +define Package/ddns-scripts-gcp/prerm +#!/bin/sh +if [ -z "$${IPKG_INSTROOT}" ]; then + /etc/init.d/ddns stop +fi +exit 0 +endef + + define Package/ddns-scripts-freedns/install $(INSTALL_DIR) $(1)/usr/lib/ddns $(INSTALL_BIN) ./files/usr/lib/ddns/update_freedns_42_pl.sh \ @@ -607,7 +668,9 @@ endef $(eval $(call BuildPackage,ddns-scripts)) $(eval $(call BuildPackage,ddns-scripts-services)) +$(eval $(call BuildPackage,ddns-scripts-luadns)) $(eval $(call BuildPackage,ddns-scripts-cloudflare)) +$(eval $(call BuildPackage,ddns-scripts-gcp)) $(eval $(call BuildPackage,ddns-scripts-freedns)) $(eval $(call BuildPackage,ddns-scripts-godaddy)) $(eval $(call BuildPackage,ddns-scripts-digitalocean)) diff --git a/ddns-scripts/files/usr/lib/ddns/dynamic_dns_functions.sh b/ddns-scripts/files/usr/lib/ddns/dynamic_dns_functions.sh index cb345e846..17475448b 100644 --- a/ddns-scripts/files/usr/lib/ddns/dynamic_dns_functions.sh +++ b/ddns-scripts/files/usr/lib/ddns/dynamic_dns_functions.sh @@ -28,6 +28,7 @@ else fi SECTION_ID="" # hold config's section name VERBOSE=0 # default mode is log to console, but easily changed with parameter +DRY_RUN=0 # run without actually doing (sending) any changes MYPROG=$(basename $0) # my program call name LOGFILE="" # logfile - all files are set in dynamic_dns_updater.sh 
@@ -47,8 +48,8 @@ CURR_TIME=0 # holds the current uptime NEXT_TIME=0 # calculated time for next FORCED update EPOCH_TIME=0 # seconds since 1.1.1970 00:00:00 +CURRENT_IP="" # holds the current IP read from the box REGISTERED_IP="" # holds the IP read from DNS -LOCAL_IP="" # holds the local IP read from the box URL_USER="" # url encoded $username from config file URL_PASS="" # url encoded $password from config file @@ -57,7 +58,7 @@ URL_PENC="" # url encoded $param_enc from config file UPD_ANSWER="" # Answer given by service on success ERR_LAST=0 # used to save $? return code of program and function calls -ERR_UPDATE=0 # error counter on different local and registered ip +RETRY_COUNT=0 # error counter on different current and registered IPs PID_SLEEP=0 # ProcessID of current background "sleep" @@ -627,11 +628,11 @@ verify_dns() { return $__ERR elif [ $__ERR -ne 0 ]; then __CNT=$(( $__CNT + 1 )) # increment error counter - # if error count > retry_count leave here - [ $retry_count -gt 0 -a $__CNT -gt $retry_count ] && \ - write_log 14 "Verify DNS server '$1' failed after $retry_count retries" + # if error count > retry_max_count leave here + [ $retry_max_count -gt 0 -a $__CNT -gt $retry_max_count ] && \ + write_log 14 "Verify DNS server '$1' failed after $retry_max_count retries" - write_log 4 "Verify DNS server '$1' failed - retry $__CNT/$retry_count in $RETRY_SECONDS seconds" + write_log 4 "Verify DNS server '$1' failed - retry $__CNT/$retry_max_count in $RETRY_SECONDS seconds" sleep $RETRY_SECONDS & PID_SLEEP=$! wait $PID_SLEEP # enable trap-handler 
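Review bot: The retry checks now read `$retry_max_count` instead of `$retry_count`, which changes the name of the option taken from the user's ddns configuration; unless the option loader (not visible here) maps the old name, existing sections that set `retry_count` silently fall back to the default, and because the expansion is unquoted an empty value turns `[ $retry_max_count -gt 0 ... ]` into a test syntax error. A one-line fallback where options are loaded, `retry_max_count="${retry_max_count:-${retry_count:-0}}"`, keeps old configurations working. The same rename appears in the verify_proxy and do_transfer hunks that follow, and again in the get_current_ip and get_registered_ip hunks.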
@@ -687,11 +688,11 @@ verify_proxy() { return $__ERR elif [ $__ERR -gt 0 ]; then __CNT=$(( $__CNT + 1 )) # increment error counter - # if error count > retry_count leave here - [ $retry_count -gt 0 -a $__CNT -gt $retry_count ] && \ - write_log 14 "Verify Proxy server '$1' failed after $retry_count retries" + # if error count > retry_max_count leave here + [ $retry_max_count -gt 0 -a $__CNT -gt $retry_max_count ] && \ + write_log 14 "Verify Proxy server '$1' failed after $retry_max_count retries" - write_log 4 "Verify Proxy server '$1' failed - retry $__CNT/$retry_count in $RETRY_SECONDS seconds" + write_log 4 "Verify Proxy server '$1' failed - retry $__CNT/$retry_max_count in $RETRY_SECONDS seconds" sleep $RETRY_SECONDS & PID_SLEEP=$! wait $PID_SLEEP # enable trap-handler @@ -722,7 +723,7 @@ do_transfer() { # set correct program to detect IP [ $use_ipv6 -eq 0 ] && __RUNPROG="network_get_ipaddr" || __RUNPROG="network_get_ipaddr6" eval "$__RUNPROG __BINDIP $bind_network" || \ - write_log 13 "Can not detect local IP using '$__RUNPROG $bind_network' - Error: '$?'" + write_log 13 "Can not detect current IP using '$__RUNPROG $bind_network' - Error: '$?'" write_log 7 "Force communication via IP '$__BINDIP'" __PROG="$__PROG --bind-address=$__BINDIP" fi @@ -867,11 +868,11 @@ do_transfer() { } __CNT=$(( $__CNT + 1 )) # increment error counter - # if error count > retry_count leave here - [ $retry_count -gt 0 -a $__CNT -gt $retry_count ] && \ - write_log 14 "Transfer failed after $retry_count retries" + # if error count > retry_max_count leave here + [ $retry_max_count -gt 0 -a $__CNT -gt $retry_max_count ] && \ + write_log 14 "Transfer failed after $retry_max_count retries" - write_log 4 "Transfer failed - retry $__CNT/$retry_count in $RETRY_SECONDS seconds" + write_log 4 "Transfer failed - retry $__CNT/$retry_max_count in $RETRY_SECONDS seconds" sleep $RETRY_SECONDS & PID_SLEEP=$! wait $PID_SLEEP # enable trap-handler 
@@ -923,13 +924,13 @@ send_update() { fi } -get_local_ip () { - # $1 Name of Variable to store local IP (LOCAL_IP) +get_current_ip () { + # $1 Name of Variable to store current IP local __CNT=0 # error counter local __RUNPROG __DATA __URL __ERR - [ $# -ne 1 ] && write_log 12 "Error calling 'get_local_ip()' - wrong number of parameters" - write_log 7 "Detect local IP on '$ip_source'" + [ $# -ne 1 ] && write_log 12 "Error calling 'get_current_ip()' - wrong number of parameters" + write_log 7 "Detect current IP on '$ip_source'" while : ; do if [ -n "$ip_network" -a "$ip_source" = "network" ]; then @@ -938,8 +939,8 @@ get_local_ip () { [ $use_ipv6 -eq 0 ] && __RUNPROG="network_get_ipaddr" \ || __RUNPROG="network_get_ipaddr6" eval "$__RUNPROG __DATA $ip_network" || \ - write_log 13 "Can not detect local IP using $__RUNPROG '$ip_network' - Error: '$?'" - [ -n "$__DATA" ] && write_log 7 "Local IP '$__DATA' detected on network '$ip_network'" + write_log 13 "Can not detect current IP using $__RUNPROG '$ip_network' - Error: '$?'" + [ -n "$__DATA" ] && write_log 7 "Current IP '$__DATA' detected on network '$ip_network'" elif [ -n "$ip_interface" -a "$ip_source" = "interface" ]; then local __DATA4=""; local __DATA6="" if [ -n "$(command -v ip)" ]; then # ip program installed 
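Review bot: `get_local_ip` is renamed to `get_current_ip` with no compatibility shim, so any provider or user script that still calls the old name fails at runtime; the lucihelper caller is updated later in this diff, but the update_*.sh scripts are not in view. If anything outside these core files may call it, add `get_local_ip() { get_current_ip "$@"; }` next to the new definition. The function body continues past this hunk.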
@@ -1018,14 +1019,14 @@ get_local_ip () { fi fi [ $use_ipv6 -eq 0 ] && __DATA="$__DATA4" || __DATA="$__DATA6" - [ -n "$__DATA" ] && write_log 7 "Local IP '$__DATA' detected on interface '$ip_interface'" + [ -n "$__DATA" ] && write_log 7 "Current IP '$__DATA' detected on interface '$ip_interface'" elif [ -n "$ip_script" -a "$ip_source" = "script" ]; then write_log 7 "#> $ip_script >$DATFILE 2>$ERRFILE" eval $ip_script >$DATFILE 2>$ERRFILE __ERR=$? if [ $__ERR -eq 0 ]; then __DATA=$(cat $DATFILE) - [ -n "$__DATA" ] && write_log 7 "Local IP '$__DATA' detected via script '$ip_script'" + [ -n "$__DATA" ] && write_log 7 "Current IP '$__DATA' detected via script '$ip_script'" else write_log 3 "$ip_script Error: '$__ERR'" write_log 7 "$(cat $ERRFILE)" # report error @@ -1036,9 +1037,9 @@ get_local_ip () { [ $use_ipv6 -eq 0 ] \ && __DATA=$(grep -m 1 -o "$IPV4_REGEX" $DATFILE) \ || __DATA=$(grep -m 1 -o "$IPV6_REGEX" $DATFILE) - [ -n "$__DATA" ] && write_log 7 "Local IP '$__DATA' detected on web at '$ip_url'" + [ -n "$__DATA" ] && write_log 7 "Current IP '$__DATA' detected on web at '$ip_url'" else - write_log 12 "Error in 'get_local_ip()' - unhandled ip_source '$ip_source'" + write_log 12 "Error in 'get_current_ip()' - unhandled ip_source '$ip_source'" fi # valid data found return here [ -n "$__DATA" ] && { 
@@ -1053,22 +1054,22 @@ get_local_ip () { [ $VERBOSE -gt 1 ] && { # VERBOSE > 1 then NO retry - write_log 4 "Get local IP via '$ip_source' failed - Verbose Mode: $VERBOSE - NO retry on error" + write_log 4 "Get current IP via '$ip_source' failed - Verbose Mode: $VERBOSE - NO retry on error" return 1 } __CNT=$(( $__CNT + 1 )) # increment error counter - # if error count > retry_count leave here - [ $retry_count -gt 0 -a $__CNT -gt $retry_count ] && \ - write_log 14 "Get local IP via '$ip_source' failed after $retry_count retries" - write_log 4 "Get local IP via '$ip_source' failed - retry $__CNT/$retry_count in $RETRY_SECONDS seconds" + # if error count > retry_max_count leave here + [ $retry_max_count -gt 0 -a $__CNT -gt $retry_max_count ] && \ + write_log 14 "Get current IP via '$ip_source' failed after $retry_max_count retries" + write_log 4 "Get current IP via '$ip_source' failed - retry $__CNT/$retry_max_count in $RETRY_SECONDS seconds" sleep $RETRY_SECONDS & PID_SLEEP=$! wait $PID_SLEEP # enable trap-handler PID_SLEEP=0 done # we should never come here there must be a programming error - write_log 12 "Error in 'get_local_ip()' - program coding error" + write_log 12 "Error in 'get_current_ip()' - program coding error" } get_registered_ip() { 
@@ -1200,11 +1201,11 @@ get_registered_ip() { } __CNT=$(( $__CNT + 1 )) # increment error counter - # if error count > retry_count leave here - [ $retry_count -gt 0 -a $__CNT -gt $retry_count ] && \ - write_log 14 "Get registered/public IP for '$lookup_host' failed after $retry_count retries" + # if error count > retry_max_count leave here + [ $retry_max_count -gt 0 -a $__CNT -gt $retry_max_count ] && \ + write_log 14 "Get registered/public IP for '$lookup_host' failed after $retry_max_count retries" - write_log 4 "Get registered/public IP for '$lookup_host' failed - retry $__CNT/$retry_count in $RETRY_SECONDS seconds" + write_log 4 "Get registered/public IP for '$lookup_host' failed - retry $__CNT/$retry_max_count in $RETRY_SECONDS seconds" sleep $RETRY_SECONDS & PID_SLEEP=$! wait $PID_SLEEP # enable trap-handler diff --git a/ddns-scripts/files/usr/lib/ddns/dynamic_dns_lucihelper.sh b/ddns-scripts/files/usr/lib/ddns/dynamic_dns_lucihelper.sh index ab3eb78e7..f76334848 100644 --- a/ddns-scripts/files/usr/lib/ddns/dynamic_dns_lucihelper.sh +++ b/ddns-scripts/files/usr/lib/ddns/dynamic_dns_lucihelper.sh @@ -137,11 +137,11 @@ case "$1" in if [ "$ip_source" = "web" -o "$ip_source" = "script" ]; then # we wait only 3 seconds for an # answer from "web" or "script" - write_log 7 "-----> timeout 3 -- get_local_ip IP" - timeout 3 -- get_local_ip IP + write_log 7 "-----> timeout 3 -- get_current_ip IP" + timeout 3 -- get_current_ip IP else - write_log 7 "-----> get_local_ip IP" - get_local_ip IP + write_log 7 "-----> get_current_ip IP" + get_current_ip IP fi __RET=$? ;; diff --git a/ddns-scripts/files/usr/lib/ddns/dynamic_dns_updater.sh b/ddns-scripts/files/usr/lib/ddns/dynamic_dns_updater.sh index 8176fa74c..71de1a7e0 100644 --- a/ddns-scripts/files/usr/lib/ddns/dynamic_dns_updater.sh +++ b/ddns-scripts/files/usr/lib/ddns/dynamic_dns_updater.sh 
@@ -37,9 +37,7 @@ Parameters: '1' output to console '2' output to console AND logfile + run once WITHOUT retry on error - '3' output to console AND logfile - + run once WITHOUT retry on error - + NOT sending update to DDNS service + -d dry run (don't send any changes) EOF } @@ -50,10 +48,11 @@ usage_err() { exit 1 } -while getopts ":hv:n:S:V" OPT; do +while getopts ":hv:dn:S:V" OPT; do case "$OPT" in h) usage; exit 0;; v) VERBOSE=$OPTARG;; + d) DRY_RUN=1;; n) NETWORK=$OPTARG;; S) SECTION_ID=$OPTARG;; V) printf %s\\n "ddns-scripts $VERSION"; exit 0;; @@ -108,6 +107,8 @@ LOGFILE="$ddns_logdir/$SECTION_ID.log" # log file # only with this data of this run for easier diagnostic # new one created by write_log function [ $VERBOSE -gt 1 -a -f $LOGFILE ] && rm -f $LOGFILE +# Previously -v 3 could we used for dry run +[ $VERBOSE -ge 3 ] && DRY_RUN=1 # TRAP handler trap "trap_handler 0 \$?" 0 # handle script exit with exit status @@ -145,10 +146,10 @@ trap "trap_handler 15" 15 # SIGTERM Termination # # use_syslog log activity to syslog # -# ip_source source to detect current local IP ('network' or 'web' or 'script' or 'interface') +# ip_source source to detect current IP ('network' or 'web' or 'script' or 'interface') # ip_network local defined network to read IP from i.e. 'wan' or 'wan6' -# ip_url URL to read local address from i.e. http://checkip.dyndns.com/ or http://checkipv6.dyndns.com/ -# ip_script full path and name of your script to detect local IP +# ip_url URL to read current IP from i.e. http://checkip.dyndns.com/ or http://checkipv6.dyndns.com/ +# ip_script full path and name of your script to detect current IP # ip_interface physical interface to use for detecting # # check_interval check for changes every !!! checks below 10 minutes make no sense because the Internet 
@@ -159,13 +160,13 @@ trap "trap_handler 15" 15 # SIGTERM Termination # # retry_interval if error was detected retry in # retry_unit 'days' 'hours' 'minutes' 'seconds' -# retry_count number of retries before scripts stops +# retry_max_count number of retries before scripts stops # # use_ipv6 detecting/sending IPv6 address # force_ipversion force usage of IPv4 or IPv6 for the whole detection and update communication # dns_server using a non default dns server to get Registered IP from Internet # force_dnstcp force communication with DNS server via TCP instead of default UDP -# proxy using a proxy for communication !!! ALSO used to detect local IP via web => return proxy's IP !!! +# proxy using a proxy for communication !!! ALSO used to detect current IP via web => return proxy's IP !!! # use_logfile self-explanatory "/var/log/ddns/$SECTION_ID.log" # is_glue the record that should be updated is a glue record # @@ -180,7 +181,7 @@ ERR_LAST=$? # save return code - equal 0 if SECTION_ID found # set defaults if not defined [ -z "$enabled" ] && enabled=0 -[ -z "$retry_count" ] && retry_count=0 # endless retry +[ -z "$retry_max_count" ] && retry_max_count=0 # endless retry [ -z "$use_syslog" ] && use_syslog=2 # syslog "Notice" [ -z "$use_https" ] && use_https=0 # not use https [ -z "$use_logfile" ] && use_logfile=1 # use logfile by default @@ -222,9 +223,9 @@ case $VERBOSE in 0) write_log 7 "verbose mode : 0 - run normal, NO console output";; 1) write_log 7 "verbose mode : 1 - run normal, console mode";; 2) write_log 7 "verbose mode : 2 - run once, NO retry on error";; - 3) write_log 7 "verbose mode : 3 - run once, NO retry on error, NOT sending update";; *) write_log 14 "error detecting VERBOSE '$VERBOSE'";; esac +[ $DRY_RUN -ge 1 ] && write_log 7 "Dry Run: NOT sending update" # check enabled state otherwise we don't need to continue [ $enabled -eq 0 ] && write_log 14 "Service section disabled!" 
@@ -280,8 +281,8 @@ esac # verify ip_source 'script' if script is configured and executable if [ "$ip_source" = "script" ]; then set -- $ip_script #handling script with parameters, we need a trick - [ -z "$1" ] && write_log 14 "No script defined to detect local IP!" - [ -x "$1" ] || write_log 14 "Script to detect local IP not executable!" + [ -z "$1" ] && write_log 14 "No script defined to detect current IP!" + [ -x "$1" ] || write_log 14 "Script to detect current IP not executable!" fi # compute update interval in seconds @@ -293,7 +294,7 @@ get_seconds RETRY_SECONDS ${retry_interval:-60} ${retry_unit:-"seconds"} # defau write_log 7 "check interval: $CHECK_SECONDS seconds" write_log 7 "force interval: $FORCE_SECONDS seconds" write_log 7 "retry interval: $RETRY_SECONDS seconds" -write_log 7 "retry counter : $retry_count times" +write_log 7 "retry max count : $retry_max_count times" # kill old process if it exists & set new pid file stop_section_processes "$SECTION_ID" @@ -347,8 +348,8 @@ ERR_LAST=$? write_log 6 "Starting main loop at $(eval $DATE_PROG)" while : ; do - get_local_ip LOCAL_IP # read local IP - [ $use_ipv6 -eq 1 ] && expand_ipv6 "$LOCAL_IP" LOCAL_IP # on IPv6 we use expanded version + get_current_ip CURRENT_IP # read current IP + [ $use_ipv6 -eq 1 ] && expand_ipv6 "$CURRENT_IP" CURRENT_IP # on IPv6 we use expanded version # prepare update # never updated or forced immediate then NEXT_TIME = 0 
@@ -358,24 +359,23 @@ while : ; do get_uptime CURR_TIME # get current uptime - # send update when current time > next time or local ip different from registered ip - if [ $CURR_TIME -ge $NEXT_TIME -o "$LOCAL_IP" != "$REGISTERED_IP" ]; then - if [ $VERBOSE -gt 2 ]; then - write_log 7 "Verbose Mode: $VERBOSE - NO UPDATE send" - elif [ "$LOCAL_IP" != "$REGISTERED_IP" ]; then - write_log 7 "Update needed - L: '$LOCAL_IP' <> R: '$REGISTERED_IP'" + # send update when current time > next time or current ip different from registered ip + if [ $CURR_TIME -ge $NEXT_TIME -o "$CURRENT_IP" != "$REGISTERED_IP" ]; then + if [ $DRY_RUN -ge 1 ]; then + write_log 7 "Dry Run: NO UPDATE send" + elif [ "$CURRENT_IP" != "$REGISTERED_IP" ]; then + write_log 7 "Update needed - L: '$CURRENT_IP' <> R: '$REGISTERED_IP'" else - write_log 7 "Forced Update - L: '$LOCAL_IP' == R: '$REGISTERED_IP'" + write_log 7 "Forced Update - L: '$CURRENT_IP' == R: '$REGISTERED_IP'" fi ERR_LAST=0 - [ $VERBOSE -lt 3 ] && { - # only send if VERBOSE < 3 - send_update "$LOCAL_IP" + [ $DRY_RUN -eq 0 ] && { + send_update "$CURRENT_IP" ERR_LAST=$? # save return value } - # error sending local IP to provider + # error sending current IP to provider # we have no communication error (handled inside send_update/do_transfer) # but update was not recognized # do NOT retry after RETRY_SECONDS, do retry after CHECK_SECONDS @@ -384,9 +384,9 @@ while : ; do if [ $ERR_LAST -eq 0 ]; then get_uptime LAST_TIME # we send update, so echo $LAST_TIME > $UPDFILE # save LASTTIME to file - [ "$LOCAL_IP" != "$REGISTERED_IP" ] \ - && write_log 6 "Update successful - IP '$LOCAL_IP' send" \ - || write_log 6 "Forced update successful - IP: '$LOCAL_IP' send" + [ "$CURRENT_IP" != "$REGISTERED_IP" ] \ + && write_log 6 "Update successful - IP '$CURRENT_IP' send" \ + || write_log 6 "Forced update successful - IP: '$CURRENT_IP' send" elif [ $ERR_LAST -eq 127 ]; then write_log 3 "No update send to DDNS Provider" else 
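Review bot: `[ $DRY_RUN -ge 1 ]` and `[ $DRY_RUN -eq 0 ]` expand DRY_RUN unquoted, and none of the updater hunks in this patch assign it a default — `-d` and `-v 3` only ever set it to 1. If the default does not live in dynamic_dns_functions.sh (not visible here), an ordinary run turns the second guard into `[ -eq 0 ]`, a test syntax error, so `send_update` is skipped and nothing is logged about it. `[ "${DRY_RUN:-0}" -ge 1 ]` and `[ "${DRY_RUN:-0}" -eq 0 ]` keep both guards correct wherever the default ends up being set. The enclosing while loop starts and ends outside this hunk.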
@@ -395,26 +395,25 @@ while : ; do fi # now we wait for check interval before testing if update was recognized - # only sleep if VERBOSE <= 2 because otherwise nothing was send - [ $VERBOSE -le 2 ] && { + [ $DRY_RUN -eq 0 ] && { write_log 7 "Waiting $CHECK_SECONDS seconds (Check Interval)" sleep $CHECK_SECONDS & PID_SLEEP=$! wait $PID_SLEEP # enable trap-handler PID_SLEEP=0 - } || write_log 7 "Verbose Mode: $VERBOSE - NO Check Interval waiting" + } || write_log 7 "Dry Run: NO Check Interval waiting" REGISTERED_IP="" # clear variable get_registered_ip REGISTERED_IP # get registered/public IP [ $use_ipv6 -eq 1 ] && expand_ipv6 "$REGISTERED_IP" REGISTERED_IP # on IPv6 we use expanded version # IP's are still different - if [ "$LOCAL_IP" != "$REGISTERED_IP" ]; then + if [ "$CURRENT_IP" != "$REGISTERED_IP" ]; then if [ $VERBOSE -le 1 ]; then # VERBOSE <=1 then retry - ERR_UPDATE=$(( $ERR_UPDATE + 1 )) - [ $retry_count -gt 0 -a $ERR_UPDATE -gt $retry_count ] && \ - write_log 14 "Updating IP at DDNS provider failed after $retry_count retries" - write_log 4 "Updating IP at DDNS provider failed - starting retry $ERR_UPDATE/$retry_count" + RETRY_COUNT=$(( $RETRY_COUNT + 1 )) + [ $retry_max_count -gt 0 -a $RETRY_COUNT -gt $retry_max_count ] && \ + write_log 14 "Updating IP at DDNS provider failed after $retry_max_count retries" + write_log 4 "Updating IP at DDNS provider failed - starting retry $RETRY_COUNT/$retry_max_count" continue # loop to beginning else write_log 4 "Updating IP at DDNS provider failed" @@ -422,7 +421,7 @@ while : ; do fi else # we checked successful the last update - ERR_UPDATE=0 # reset error counter + RETRY_COUNT=0 # reset error counter fi # force_update=0 or VERBOSE > 1 - leave here diff --git a/ddns-scripts/files/usr/lib/ddns/update_gandi_net.sh b/ddns-scripts/files/usr/lib/ddns/update_gandi_net.sh index 8953072e4..321687d70 100644 --- a/ddns-scripts/files/usr/lib/ddns/update_gandi_net.sh +++ b/ddns-scripts/files/usr/lib/ddns/update_gandi_net.sh 
@@ -20,14 +20,23 @@ json_add_array rrset_values json_add_string "" "$__IP" json_close_array +# Log the curl command +write_log 7 "curl -s -X PUT \"$__ENDPOINT/domains/$domain/records/$username/$__RRTYPE\" \ + -H \"Authorization: Apikey $password\" \ + -H \"Content-Type: application/json\" \ + -d \"$(json_dump)\" \ + --connect-timeout 30" + __STATUS=$(curl -s -X PUT "$__ENDPOINT/domains/$domain/records/$username/$__RRTYPE" \ -H "Authorization: Apikey $password" \ -H "Content-Type: application/json" \ -d "$(json_dump)" \ + --connect-timeout 30 \ -w "%{http_code}\n" -o $DATFILE 2>$ERRFILE) -if [ $? -ne 0 ]; then - write_log 14 "Curl failed: $(cat $ERRFILE)" +local __ERRNO=$? +if [ $__ERRNO -ne 0 ]; then + write_log 14 "Curl failed with $__ERRNO: $(cat $ERRFILE)" return 1 elif [ -z $__STATUS ] || [ $__STATUS != 201 ]; then write_log 14 "LiveDNS failed: $__STATUS \ngandi.net answered: $(cat $DATFILE)" diff --git a/ddns-scripts/files/usr/lib/ddns/update_gcp_v1.sh b/ddns-scripts/files/usr/lib/ddns/update_gcp_v1.sh new file mode 100755 index 000000000..5bd096f46 --- /dev/null +++ b/ddns-scripts/files/usr/lib/ddns/update_gcp_v1.sh 
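Review bot: The new `write_log 7` line logs the complete curl invocation including `-H \"Authorization: Apikey $password\"`, so the Gandi API key is written to the per-section logfile (use_logfile defaults to 1 in this patch) and possibly to syslog, depending on use_syslog. Log a redacted copy instead, e.g. `-H \"Authorization: Apikey ***\"`, or log only the endpoint and the JSON body. `$(json_dump)` is now also expanded twice, once for the log line and once for the request; capturing it once into a local before both uses avoids the duplicate work and keeps the logged body identical to what is sent.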
@@ -0,0 +1,272 @@ +#!/bin/sh +# +#.Distributed under the terms of the GNU General Public License (GPL) version 2.0 +#.2022 Chris Barrick +# +# This script sends DDNS updates using the Google Cloud DNS REST API. +# See: https://cloud.google.com/dns/docs/reference/v1 +# +# This script uses a GCP service account. The user is responsible for creating +# the service account, ensuring it has permission to update DNS records, and +# for generating a service account key to be used by this script. The records +# to be updated must already exist. +# +# Arguments: +# +# - $username: The service account name. +# Example: ddns-service-account@my-dns-project.iam.gserviceaccount.com +# +# - $password: The service account key. You can paste the key directly into the +# "password" field or upload the key file to the router and set the field +# equal to the file path. This script supports JSON keys or the raw private +# key as a PEM file. P12 keys are not supported. File names must end with +# `*.json` or `*.pem`. +# +# - $domain: The domain to update. +# +# - $param_enc: The additional required arguments, as form-urlencoded data, +# i.e. `key1=value1&key2=value2&...`. The required arguments are: +# - project: The name of the GCP project that owns the DNS records. +# - zone: The DNS zone in the GCP API. +# - Example: `project=my-dns-project&zone=my-dns-zone` +# +# - $param_opt: Optional TTL for the records, in seconds. Defaults to 3600 (1h). +# +# Dependencies: +# - ddns-scripts (for the base functionality) +# - openssl-util (for the authentication flow) +# - curl (for the GCP REST API) + +. /usr/share/libubox/jshn.sh + + +# Authentication +# --------------------------------------------------------------------------- +# The authentication flow works like this: +# +# 1. Construct a JWT claim for access to the DNS readwrite scope. +# 2. Sign the JWT with the service accout key, proving we have access. +# 3. Exchange the JWT for an access token, valid for 5m. +# 4. 
Use the access token for API calls. +# +# See https://developers.google.com/identity/protocols/oauth2/service-account + +# A URL-safe variant of base64 encoding, used by JWTs. +base64_urlencode() { + openssl base64 | tr '/+' '_-' | tr -d '=\n' +} + +# Prints the service account private key in PEM format. +get_service_account_key() { + # The "password" field provides us with the service account key. + # We allow the user to provide it to us in a few different formats. + # + # 1. If $password is a string ending in `*.json`, it is a file path, + # pointing to a JSON service account key as downloaded from GCP. + # + # 2. If $password is a string ending with `*.pem`, it is a PEM private + # key, extracted from the JSON service account key. + # + # 3. If $password starts with `{`, then the JSON service account key + # was pasted directly into the password field. + # + # 4. If $password starts with `---`, then the PEM private key was pasted + # directly into the password field. + # + # We do not support P12 service account keys. + case "${password}" in + (*".json") + jsonfilter -i "${password}" -e @.private_key + ;; + (*".pem") + cat "${password}" + ;; + ("{"*) + jsonfilter -s "${password}" -e @.private_key + ;; + ("---"*) + printf "%s" "${password}" + ;; + (*) + write_log 14 "Could not parse the service account key." + ;; + esac +} + +# Sign stdin using the service account key. Prints the signature. +# The input is the JWT header-payload. Used to construct a signed JWT. +sign() { + # Dump the private key to a tmp file so openssl can get to it. + local tmp_keyfile="$(mktemp -t gcp_dns_sak.pem.XXXXXX)" + chmod 600 ${tmp_keyfile} + get_service_account_key > ${tmp_keyfile} + openssl dgst -binary -sha256 -sign ${tmp_keyfile} + rm ${tmp_keyfile} +} + +# Print the JWT header in JSON format. +# Currently, Google only supports RS256. 
+jwt_header() { + json_init + json_add_string "alg" "RS256" + json_add_string "typ" "JWT" + json_dump +} + +# Prints the JWT claim-set in JSON format. +# The claim is for 5m of readwrite access to the Cloud DNS API. +jwt_claim_set() { + local iat=$(date -u +%s) # Current UNIX time, UTC. + local exp=$(( iat + 300 )) # Expiration is 5m in the future. + + json_init + json_add_string "iss" "${username}" + json_add_string "scope" "https://www.googleapis.com/auth/ndev.clouddns.readwrite" + json_add_string "aud" "https://oauth2.googleapis.com/token" + json_add_string "iat" "${iat}" + json_add_string "exp" "${exp}" + json_dump +} + +# Generate a JWT signed by the service account key, which can be exchanged for +# a Google Cloud access token, authorized for Cloud DNS. +get_jwt() { + local header=$(jwt_header | base64_urlencode) + local payload=$(jwt_claim_set | base64_urlencode) + local header_payload="${header}.${payload}" + local signature=$(printf "%s" ${header_payload} | sign | base64_urlencode) + echo "${header_payload}.${signature}" +} + +# Request an access token for the Google Cloud service account. +get_access_token_raw() { + local grant_type="urn:ietf:params:oauth:grant-type:jwt-bearer" + local assertion=$(get_jwt) + + ${CURL} -v https://oauth2.googleapis.com/token \ + --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \ + --data-urlencode "assertion=${assertion}" \ + | jsonfilter -e @.access_token +} + +# Get the access token, stripping the trailing dots. +get_access_token() { + # Since tokens may contain internal dots, we only trim the suffix if it + # starts with at least 8 dots. (The access token has *many* trailing dots.) + local access_token="$(get_access_token_raw)" + echo "${access_token%%........*}" +} + + +# Google Cloud DNS API +# --------------------------------------------------------------------------- +# Cloud DNS offers a straight forward RESTful API. +# +# - The main class is a ResourceRecordSet. 
It's a collection of DNS records +# that share the same domain, type, TTL, etc. Within a record set, the only +# difference between the records are their values. +# +# - The record sets live under a ManagedZone, which in turn lives under a +# Project. All we need to know about these are their names. +# +# - This implementation only makes PATCH requests to update existing record +# sets. The user must have already created at least one A or AAAA record for +# the domain they are updating. It's fine to start with a dummy, like 0.0.0.0. +# +# - The API requires SSL, and this implementation uses curl. + +# Prints a ResourceRecordSet in JSON format. +format_record_set() { + local domain="$1" + local record_type="$2" + local ttl="$3" + shift 3 # The remaining arguments are the IP addresses for this record set. + + json_init + json_add_string "kind" "dns#resourceRecordSet" + json_add_string "name" "${domain}." # trailing dot on the domain + json_add_string "type" "${record_type}" + json_add_string "ttl" "${ttl}" + json_add_array "rrdatas" + for value in $@; do + json_add_string "" "${value}" + done + json_close_array + json_dump +} + +# Makes an HTTP PATCH request to the Cloud DNS API. +patch_record_set() { + local access_token="$1" + local project="$2" + local zone="$3" + local domain="$4" + local record_type="$5" + local ttl="$6" + shift 6 # The remaining arguments are the IP addresses for this record set. + + # Note the trailing dot after the domain name. It's fully qualified. 
+ local url="https://dns.googleapis.com/dns/v1/projects/${project}/managedZones/${zone}/rrsets/${domain}./${record_type}" + local record_set=$(format_record_set ${domain} ${record_type} ${ttl} $@) + + ${CURL} -v ${url} \ + -X PATCH \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer ${access_token}" \ + -d "${record_set}" +} + + +# Main entrypoint +# --------------------------------------------------------------------------- + +# Parse the $param_enc into project and zone variables. +# The arguments are the names for those variables. +parse_project_zone() { + local project_var=$1 + local zone_var=$2 + + IFS='&' + for entry in $param_enc + do + case "${entry}" in + ('project='*) + local project_val=$(echo "${entry}" | cut -d'=' -f2) + eval "${project_var}=${project_val}" + ;; + ('zone='*) + local zone_val=$(echo "${entry}" | cut -d'=' -f2) + eval "${zone_var}=${zone_val}" + ;; + esac + done + unset IFS +} + +main() { + local access_token project zone ttl record_type + + # Dependency checking + [ -z "${CURL_SSL}" ] && write_log 14 "Google Cloud DNS requires cURL with SSL support" + [ -z "$(openssl version)" ] && write_log 14 "Google Cloud DNS update requires openssl-utils" + + # Argument parsing + [ -z ${param_opt} ] && ttl=3600 || ttl="${param_opt}" + [ $use_ipv6 -ne 0 ] && record_type="AAAA" || record_type="A" + parse_project_zone project zone + + # Sanity checks + [ -z "${username}" ] && write_log 14 "Config is missing 'username' (service account name)" + [ -z "${password}" ] && write_log 14 "Config is missing 'password' (service account key)" + [ -z "${domain}" ] && write_log 14 "Config is missing 'domain'" + [ -z "${project}" ] && write_log 14 "Could not parse project name from 'param_enc'" + [ -z "${zone}" ] && write_log 14 "Could not parse zone name from 'param_enc'" + [ -z "${ttl}" ] && write_log 14 "Could not parse TTL from 'param_opt'" + [ -z "${record_type}" ] && write_log 14 "Could not determine the record type" + + # Push the record! 
+ access_token="$(get_access_token)" + patch_record_set "${access_token}" "${project}" "${zone}" "${domain}" "${record_type}" "${ttl}" "${__IP}" +} + +main $@ diff --git a/ddns-scripts/files/usr/lib/ddns/update_luadns_v1.sh b/ddns-scripts/files/usr/lib/ddns/update_luadns_v1.sh new file mode 100644 index 000000000..5d7954e12 --- /dev/null +++ b/ddns-scripts/files/usr/lib/ddns/update_luadns_v1.sh 
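Review bot: Both curl calls in this new script run with `-v`, which prints every request header — including `Authorization: Bearer ${access_token}` in `patch_record_set` — to stderr, and neither call checks the HTTP status, so a 401/403/404 from Cloud DNS still yields curl exit 0 and, assuming send_update takes the sourced script's status as the updater's ERR_LAST handling suggests, is reported as a successful update. Replace `-v` with `-sS`, capture `%{http_code}`, route body and stderr to $DATFILE/$ERRFILE as update_gandi_net.sh does, and return non-zero on a non-2xx response; also check that `access_token` is non-empty before the PATCH, otherwise a failed token exchange sends a request with an empty bearer. `parse_project_zone` further does `eval "${project_var}=${project_val}"` with the unquoted config value; `eval "${project_var}=\"\${project_val}\""` avoids word splitting and command evaluation of whatever is in param_enc. The rewritten request and the token check are sketched below.
```shell
# Makes an HTTP PATCH request to the Cloud DNS API. Returns non-zero on a
# transport error or a non-2xx response so send_update sees the failure.
patch_record_set() {
    # … unchanged: argument parsing, url and record_set construction …
    local status
    status=$(${CURL} -sS -o "${DATFILE}" -w '%{http_code}' "${url}" \
        -X PATCH \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${access_token}" \
        -d "${record_set}" 2>"${ERRFILE}")
    [ $? -eq 0 ] || { write_log 3 "cURL error: $(cat "${ERRFILE}")"; return 1; }
    case "${status}" in
        2??) return 0 ;;
        *)   write_log 3 "Cloud DNS returned HTTP ${status}: $(cat "${DATFILE}")"; return 1 ;;
    esac
}

# … unchanged: main() up to the token request …
    access_token="$(get_access_token)"
    [ -n "${access_token}" ] || write_log 14 "Could not obtain a Google Cloud access token"
    patch_record_set "${access_token}" "${project}" "${zone}" "${domain}" "${record_type}" "${ttl}" "${__IP}"
```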
@@ -0,0 +1,191 @@ +#!/bin/sh +# +#.Distributed under the terms of the GNU General Public License (GPL) version 2.0 +#.2023 Jihoon Han +# +#.based on Christian Schoenebeck's update_cloudflare_com_v4.sh +#.and on Neilpang's acme.sh found at https://github.com/acmesh-official/acme.sh +# +# Script for sending DDNS updates using the LuaDNS API +# See: https://luadns.com/api +# +# using following options from /etc/config/ddns +# option username - "Emaii" as registered on LuaDNS +# option password - "API Key" as generated at https://api.luadns.com/api_keys +# option domain - The domain to update (e.g. my.example.com) +# + +# check parameters +[ -z "$CURL" ] && [ -z "$CURL_SSL" ] && write_log 14 "LuaDNS API require cURL with SSL support. Please install" +[ -z "$username" ] && write_log 14 "Service section not configured correctly! Missing e-mail as 'Username'" +[ -z "$password" ] && write_log 14 "Service section not configured correctly! Missing personal API key as 'Password'" +[ $use_https -eq 0 ] && use_https=1 # force HTTPS + +# used variables +local __HOST __DOMAIN __TYPE __URLBASE __PRGBASE __RUNPROG __DATA __IPV6 __ZONEID __RECID +local __URLBASE="https://api.luadns.com/v1" +local __TTL=300 + +# set record type +[ $use_ipv6 -eq 0 ] && __TYPE="A" || __TYPE="AAAA" + +# transfer function to use for LuaDNS +# all needed variables are set global here +# so we can use them directly +luadns_transfer() { + local __CNT=0 + local __STATUS __ERR + while : ; do + write_log 7 "#> $__RUNPROG" + __STATUS=$(eval "$__RUNPROG") + __ERR=$? 
# save communication error + [ $__ERR -eq 0 ] && break # no error break while + + write_log 3 "cURL Error: '$__ERR'" + write_log 7 "$(cat $ERRFILE)" # report error + + [ $VERBOSE_MODE -gt 1 ] && { + # VERBOSE_MODE > 1 then NO retry + write_log 4 "Transfer failed - Verbose Mode: $VERBOSE_MODE - NO retry on error" + break + } + + __CNT=$(( $__CNT + 1 )) # increment error counter + # if error count > retry_count leave here + [ $retry_count -gt 0 -a $__CNT -gt $retry_count ] && \ + write_log 14 "Transfer failed after $retry_count retries" + + write_log 4 "Transfer failed - retry $__CNT/$retry_count in $RETRY_SECONDS seconds" + sleep $RETRY_SECONDS & + PID_SLEEP=$! + wait $PID_SLEEP # enable trap-handler + PID_SLEEP=0 + done + + # handle HTTP error + [ $__STATUS -ne 200 ] && { + write_log 4 "LuaDNS reported an error:" + write_log 7 "$(cat $DATFILE)" + return 1 + } + return 0 +} + +# Build base command to use +__PRGBASE="$CURL -RsS -w '%{http_code}' -o $DATFILE --stderr $ERRFILE" +# force network/interface-device to use for communication +if [ -n "$bind_network" ]; then + local __DEVICE + network_get_physdev __DEVICE $bind_network || \ + write_log 13 "Can not detect local device using 'network_get_physdev $bind_network' - Error: '$?'" + write_log 7 "Force communication via device '$__DEVICE'" + __PRGBASE="$__PRGBASE --interface $__DEVICE" +fi +# force ip version to use +if [ $force_ipversion -eq 1 ]; then + [ $use_ipv6 -eq 0 ] && __PRGBASE="$__PRGBASE -4" || __PRGBASE="$__PRGBASE -6" # force IPv4/IPv6 +fi +# set certificate parameters +if [ "$cacert" = "IGNORE" ]; then # idea from Ticket #15327 to ignore server cert + __PRGBASE="$__PRGBASE --insecure" # but not empty better to use "IGNORE" +elif [ -f "$cacert" ]; then + __PRGBASE="$__PRGBASE --cacert $cacert" +elif [ -d "$cacert" ]; then + __PRGBASE="$__PRGBASE --capath $cacert" +elif [ -n "$cacert" ]; then # it's not a file and not a directory but given + write_log 14 "No valid certificate(s) found at '$cacert' for 
HTTPS communication" +fi +# disable proxy if not set (there might be .wgetrc or .curlrc or wrong environment set) +# or check if libcurl compiled with proxy support +if [ -z "$proxy" ]; then + __PRGBASE="$__PRGBASE --noproxy '*'" +elif [ -z "$CURL_PROXY" ]; then + # if libcurl has no proxy support and proxy should be used then force ERROR + write_log 13 "cURL: libcurl compiled without Proxy support" +fi +# set headers +__PRGBASE="$__PRGBASE --user '$username:$password' " +__PRGBASE="$__PRGBASE --header 'Accept: application/json' " + +if [ -n "$zone_id" ]; then + __ZONEID="$zone_id" +else + # read zone id for registered domain.TLD + __RUNPROG="$__PRGBASE --request GET '$__URLBASE/zones'" + luadns_transfer || return 1 + # extract zone id + i=1 + while : ; do + h=$(printf "%s" "$domain" | cut -d . -f $i-100 -s) + [ -z "$h" ] && { + write_log 4 "Could not detect 'Zone ID' for the domain provided: '$domain'" + return 127 + } + + __ZONEID=$(grep -o -e "\"id\":[^,]*,\"name\":\"$h\"" $DATFILE | cut -d : -f 2 | cut -d , -f 1) + [ -n "$__ZONEID" ] && { + # LuaDNS API needs: + # __DOMAIN = the base domain i.e. example.com + # __HOST = the FQDN of record to modify + # i.e. 
example.com for the "domain record" or host.sub.example.com for "host record" + __HOST="$domain" + __DOMAIN="$h" + write_log 7 "Domain : '$__DOMAIN'" + write_log 7 "Zone ID : '$__ZONEID'" + write_log 7 "Host : '$__HOST'" + break + } + i=$(expr "$i" + 1) + done +fi + +# read record id for A or AAAA record of host.domain.TLD +__RUNPROG="$__PRGBASE --request GET '$__URLBASE/zones/$__ZONEID/records'" +luadns_transfer || return 1 +# extract record id +__RECID=$(grep -o -e "\"id\":[^,]*,\"name\":\"$__HOST.\",\"type\":\"$__TYPE\"" $DATFILE | head -n 1 | cut -d : -f 2 | cut -d , -f 1) +[ -z "$__RECID" ] && { + write_log 4 "Could not detect 'Record ID' for the domain provided: '$__HOST'" + return 127 +} +write_log 7 "Record ID : '$__RECID'" + +# extract current stored IP +__DATA=$(grep -o -e "\"id\":$__RECID,\"name\":\"$__HOST.\",\"type\":\"$__TYPE\",\"content\":[^,]*" $DATFILE | grep -o '[^"]*' | tail -n 1) + +# check data +[ $use_ipv6 -eq 0 ] \ + && __DATA=$(printf "%s" "$__DATA" | grep -m 1 -o "$IPV4_REGEX") \ + || __DATA=$(printf "%s" "$__DATA" | grep -m 1 -o "$IPV6_REGEX") + +# we got data so verify +[ -n "$__DATA" ] && { + # expand IPv6 for compare + if [ $use_ipv6 -eq 1 ]; then + expand_ipv6 $__IP __IPV6 + expand_ipv6 $__DATA __DATA + [ "$__DATA" = "$__IPV6" ] && { # IPv6 no update needed + write_log 7 "IPv6 at LuaDNS already up to date" + return 0 + } + else + [ "$__DATA" = "$__IP" ] && { # IPv4 no update needed + write_log 7 "IPv4 at LuaDNS already up to date" + return 0 + } + fi +} + +# update is needed +# let's build data to send + +# use file to work around " needed for json +cat > $DATFILE << EOF +{"name":"$__HOST.","type":"$__TYPE","content":"$__IP","ttl":$__TTL} +EOF + +# let's complete transfer command +__RUNPROG="$__PRGBASE --request PUT --data @$DATFILE '$__URLBASE/zones/$__ZONEID/records/$__RECID'" +luadns_transfer || return 1 + +return 0 
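Review bot: `luadns_transfer` gates its retry loop on `$VERBOSE_MODE` and `$retry_count`, but this same patch renames the option to `retry_max_count` in dynamic_dns_updater.sh and dynamic_dns_functions.sh, and the updater exposes verbosity as `$VERBOSE`; unless aliases are defined somewhere not visible here, both expand to nothing, the `[ ... ]` tests fail with a syntax error, and a persistent LuaDNS error is retried forever every RETRY_SECONDS, ignoring both the configured cap and the no-retry verbose mode. The two guards should read `[ $VERBOSE -gt 1 ] && {` and `[ $retry_max_count -gt 0 -a $__CNT -gt $retry_max_count ] && \`, with the two accompanying log messages renamed to match. The dependency check at the top, `[ -z "$CURL" ] && [ -z "$CURL_SSL" ] && write_log 14 ...`, only fires when both are empty, so a curl build without SSL support passes it and fails later at the https endpoint; `[ -z "$CURL_SSL" ] && write_log 14 ...` is the intended test.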
diff --git a/ddns-scripts/files/usr/lib/ddns/update_pdns.sh b/ddns-scripts/files/usr/lib/ddns/update_pdns.sh index d3fc2d2c9..a19ed13f1 100755 --- a/ddns-scripts/files/usr/lib/ddns/update_pdns.sh +++ b/ddns-scripts/files/usr/lib/ddns/update_pdns.sh @@ -5,6 +5,7 @@ local __TTL=600 local __RRTYPE local __STATUS +local __RNAME [ -z "$username" ] && write_log 14 "Service section not configured correctly! Missing subdomain as 'username'" [ -z "$password" ] && write_log 14 "Service section not configured correctly! Missing API Key as 'password'" @@ -16,11 +17,21 @@ local __ENDPOINT="$param_opt/api/v1/servers/localhost/zones" [ $use_ipv6 -ne 0 ] && __RRTYPE="AAAA" || __RRTYPE="A" +# Make sure domain is period terminated +if [ ${domain: -1} != '.' ]; then + domain="${domain}." +fi +if [ $username == '@' ]; then + __RNAME="$domain" +else + __RNAME="$username.$domain" +fi + # Build JSON payload json_init json_add_array rrsets json_add_object - json_add_string name "$username.$domain" + json_add_string name "$__RNAME" json_add_string type "$__RRTYPE" json_add_int ttl $__TTL json_add_string changetype "REPLACE" diff --git a/ddns-scripts/files/usr/share/ddns/default/able.or.kr.json b/ddns-scripts/files/usr/share/ddns/default/able.or.kr.json deleted file mode 100644 index f4f7c08d4..000000000 --- a/ddns-scripts/files/usr/share/ddns/default/able.or.kr.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "name": "able.or.kr", - "ipv4": { - "url": "http://able.or.kr/ddns/src/update.php?hostname=[DOMAIN]&myip=[IP]&ddnsuser=[USERNAME]&pwd=[PASSWORD]" - } -} diff --git a/ddns-scripts/files/usr/share/ddns/default/cloud.google.com-v1.json b/ddns-scripts/files/usr/share/ddns/default/cloud.google.com-v1.json new file mode 100644 index 000000000..eee707b3e --- /dev/null +++ b/ddns-scripts/files/usr/share/ddns/default/cloud.google.com-v1.json @@ -0,0 +1,10 @@ +{ + "name": "cloud.google.com-v1", + "ipv4": { + "url": "update_gcp_v1.sh" + }, + "ipv6": { + "url": "update_gcp_v1.sh" + } +} + 
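Review bot: The added period-termination check relies on bash substring expansion, `${domain: -1}`, and on `==` inside `[ ]`; neither is POSIX, busybox ash only accepts them when built with bash compatibility, and dash aborts on `${domain: -1}` with "bad substitution", which takes the sourcing updater down with it. A portable equivalent is `case "$domain" in *.) ;; *) domain="${domain}." ;; esac` together with `if [ "$username" = '@' ]; then`. Quoting `$username` also keeps the test well-formed if the earlier non-empty check is ever relaxed.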
diff --git a/ddns-scripts/files/usr/share/ddns/default/dtdns.com.json b/ddns-scripts/files/usr/share/ddns/default/dtdns.com.json
deleted file mode 100644
index 14941c0c7..000000000
--- a/ddns-scripts/files/usr/share/ddns/default/dtdns.com.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "name": "dtdns.com",
- "ipv4": {
- "url": "http://www.dtdns.com/api/autodns.cfm?id=[DOMAIN]&pw=[PASSWORD]&ip=[IP]"
- }
-}
diff --git a/ddns-scripts/files/usr/share/ddns/default/dyndnss.net.json b/ddns-scripts/files/usr/share/ddns/default/dyndnss.net.json
deleted file mode 100644
index 65b335137..000000000
--- a/ddns-scripts/files/usr/share/ddns/default/dyndnss.net.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "name": "dyndnss.net",
- "ipv4": {
- "url": "http://www.dyndnss.net/?user=[USERNAME]&pass=[PASSWORD]&domain=[DOMAIN]&updater=other"
- }
-}
diff --git a/ddns-scripts/files/usr/share/ddns/default/dynsip.org.json b/ddns-scripts/files/usr/share/ddns/default/dynsip.org.json
deleted file mode 100644
index ceb2e1500..000000000
--- a/ddns-scripts/files/usr/share/ddns/default/dynsip.org.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "name": "dynsip.org",
- "ipv4": {
- "url": "http://[USERNAME]:[PASSWORD]@dynsip.org/nic/update?hostname=[DOMAIN]&myip=[IP]"
- }
-}
diff --git a/ddns-scripts/files/usr/share/ddns/default/easydns.com.json b/ddns-scripts/files/usr/share/ddns/default/easydns.com.json
index 6f6855d15..0642c38dd 100644
--- a/ddns-scripts/files/usr/share/ddns/default/easydns.com.json
+++ b/ddns-scripts/files/usr/share/ddns/default/easydns.com.json
@@ -3,5 +3,9 @@
 "ipv4": {
 "url": "http://[USERNAME]:[PASSWORD]@api.cp.easydns.com/dyn/generic.php?hostname=[DOMAIN]&myip=[IP]",
 "answer": "OK|NOERROR"
+ },
+ "ipv6": {
+ "url": "http://[USERNAME]:[PASSWORD]@api.cp.easydns.com/dyn/generic.php?hostname=[DOMAIN]&myip=[IP]",
+ "answer": "OK|NOERROR"
 }
 }
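Review bot: The new easydns.com ipv6 entry copies the ipv4 URL verbatim, so `[USERNAME]:[PASSWORD]` are still sent over plain `http://` unless the user enables use_https, which this patch defaults to 0. If api.cp.easydns.com serves TLS — not verifiable from this diff — the definition should use `https://` for both address families so the credentials are not transmitted in the clear by default.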
diff --git a/ddns-scripts/files/usr/share/ddns/default/editdns.net.json b/ddns-scripts/files/usr/share/ddns/default/editdns.net.json deleted file mode 100644 index deb60fc0c..000000000 --- a/ddns-scripts/files/usr/share/ddns/default/editdns.net.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "name": "editdns.net", - "ipv4": { - "url": "http://dyndns-free.editdns.net/api/dynLinux.php?p=[PASSWORD]&r=[DOMAIN]" - } -} diff --git a/ddns-scripts/files/usr/share/ddns/default/hosting.de.json b/ddns-scripts/files/usr/share/ddns/default/hosting.de.json new file mode 100644 index 000000000..c41ee35e4 --- /dev/null +++ b/ddns-scripts/files/usr/share/ddns/default/hosting.de.json @@ -0,0 +1,11 @@ +{ + "name": "hosting.de", + "ipv4": { + "url": "https://[USERNAME]:[PASSWORD]@ddns.hosting.de/nic/update?hostname=[DOMAIN]&myip=[IP]", + "answer": "good|nochg" + }, + "ipv6": { + "url": "https://[USERNAME]:[PASSWORD]@ddns.hosting.de/nic/update?hostname=[DOMAIN]&myip=[IP]", + "answer": "good|nochg" + } +} diff --git a/ddns-scripts/files/usr/share/ddns/default/luadns.com-v1.json b/ddns-scripts/files/usr/share/ddns/default/luadns.com-v1.json new file mode 100644 index 000000000..c77d55be3 --- /dev/null +++ b/ddns-scripts/files/usr/share/ddns/default/luadns.com-v1.json @@ -0,0 +1,9 @@ +{ + "name": "luadns.com-v1", + "ipv4": { + "url": "update_luadns_v1.sh" + }, + "ipv6": { + "url": "update_luadns_v1.sh" + } +} diff --git a/ddns-scripts/files/usr/share/ddns/default/myip.co.ua.json b/ddns-scripts/files/usr/share/ddns/default/myip.co.ua.json deleted file mode 100644 index bf3609d9e..000000000 --- a/ddns-scripts/files/usr/share/ddns/default/myip.co.ua.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "myip.co.ua", - "ipv4": { - "url": "http://[USERNAME]:[PASSWORD]@myip.co.ua/update?hostname=[DOMAIN]&myip=[IP]", - "answer": "good" - } -} 
diff --git a/ddns-scripts/files/usr/share/ddns/default/mythic-beasts.com-v2.json b/ddns-scripts/files/usr/share/ddns/default/mythic-beasts.com-v2.json new file mode 100644 index 000000000..e24622380 --- /dev/null +++ b/ddns-scripts/files/usr/share/ddns/default/mythic-beasts.com-v2.json @@ -0,0 +1,9 @@ +{ + "name": "mythic-beasts.com (API v2)", + "ipv4": { + "url": "https://[USERNAME]:[PASSWORD]@ipv4.api.mythic-beasts.com/dns/v2/dynamic/[DOMAIN]" + }, + "ipv6": { + "url": "https://[USERNAME]:[PASSWORD]@ipv6.api.mythic-beasts.com/dns/v2/dynamic/[DOMAIN]" + } +} diff --git a/ddns-scripts/files/usr/share/ddns/default/nettica.com.json b/ddns-scripts/files/usr/share/ddns/default/nettica.com.json deleted file mode 100644 index e0768ec4a..000000000 --- a/ddns-scripts/files/usr/share/ddns/default/nettica.com.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "name": "nettica.com", - "ipv4": { - "url": "http://www.nettica.com/Domain/Update.aspx?U=[USERNAME]&PC=[PASSWORD]&FQDN=[DOMAIN]&N=[IP]" - } -} diff --git a/ddns-scripts/files/usr/share/ddns/default/njal.la.json b/ddns-scripts/files/usr/share/ddns/default/njal.la.json new file mode 100644 index 000000000..5da8850d7 --- /dev/null +++ b/ddns-scripts/files/usr/share/ddns/default/njal.la.json @@ -0,0 +1,9 @@ +{ + "name": "njal.la", + "ipv4": { + "url": "https://njal.la/update/?h=[DOMAIN]&k=[PASSWORD]&a=[IP]" + }, + "ipv6": { + "url": "https://njal.la/update/?h=[DOMAIN]&k=[PASSWORD]&aaaa=[IP]" + } +} diff --git a/ddns-scripts/files/usr/share/ddns/default/simply.com.json b/ddns-scripts/files/usr/share/ddns/default/simply.com.json new file mode 100644 index 000000000..5ab9c8d51 --- /dev/null +++ b/ddns-scripts/files/usr/share/ddns/default/simply.com.json 
@@ -0,0 +1,11 @@ +{ + "name": "simply.com", + "ipv4": { + "url": "https://[USERNAME]:[PASSWORD]@api.simply.com/2/ddns/?hostname=[DOMAIN]&myip=[IP]", + "answer": "good|nochg" + }, + "ipv6": { + "url": "https://[USERNAME]:[PASSWORD]@api.simply.com/2/ddns/?hostname=[DOMAIN]&myip=[IP]", + "answer": "good|nochg" + } +} diff --git a/ddns-scripts/files/usr/share/ddns/default/strato.com.json b/ddns-scripts/files/usr/share/ddns/default/strato.com.json index a81c015ce..9ab43d247 100644 --- a/ddns-scripts/files/usr/share/ddns/default/strato.com.json +++ b/ddns-scripts/files/usr/share/ddns/default/strato.com.json @@ -3,5 +3,9 @@ "ipv4": { "url": "http://[USERNAME]:[PASSWORD]@dyndns.strato.com/nic/update?hostname=[DOMAIN]&myip=[IP]", "answer": "good|nochg" + }, + "ipv6": { + "url": "http://[USERNAME]:[PASSWORD]@dyndns.strato.com/nic/update?hostname=[DOMAIN]&myip=[IP]", + "answer": "good|nochg" } } diff --git a/ddns-scripts/files/usr/share/ddns/default/zerigo.com.json b/ddns-scripts/files/usr/share/ddns/default/zerigo.com.json deleted file mode 100644 index 0e07982a8..000000000 --- a/ddns-scripts/files/usr/share/ddns/default/zerigo.com.json +++ /dev/null @@ -1,11 +0,0 @@ -{ - "name": "zerigo.com", - "ipv4": { - "url": "http://update.zerigo.com/dynamic?user=[USERNAME]&password=[PASSWORD]&host=[DOMAIN]&ip=[IP]", - "answer": "ok" - }, - "ipv6": { - "url": "http://update.zerigo.com/dynamic?user=[USERNAME]&password=[PASSWORD]&host=[DOMAIN]&ip=[IP]", - "answer": "ok" - } -} diff --git a/ddns-scripts/files/usr/share/ddns/default/zzzz.io.json b/ddns-scripts/files/usr/share/ddns/default/zzzz.io.json deleted file mode 100644 index d3a9d20d8..000000000 --- a/ddns-scripts/files/usr/share/ddns/default/zzzz.io.json +++ /dev/null 
@@ -1,11 +0,0 @@ -{ - "name": "zzzz.io", - "ipv4": { - "url": "http://zzzz.io/api/v1/update/[DOMAIN]/?token=[PASSWORD]&ip=[IP]", - "answer": "Updated|No change" - }, - "ipv6": { - "url": "http://zzzz.io/api/v1/update/[DOMAIN]/?token=[PASSWORD]&type=aaaa&ip=[IP]", - "answer": "Updated|No change" - } -} diff --git a/ddns-scripts/files/usr/share/ddns/list b/ddns-scripts/files/usr/share/ddns/list index 041f55dbb..86902313a 100644 --- a/ddns-scripts/files/usr/share/ddns/list +++ b/ddns-scripts/files/usr/share/ddns/list @@ -1,5 +1,4 @@ 3322.org -able.or.kr afraid.org-basicauth afraid.org-keyauth afraid.org-v2-basic @@ -21,33 +20,30 @@ dnsomatic.com dnspark.com do.de domopoli.de -dtdns.com duckdns.org duiadns.net dy.fi dyn.com dyndns.it dyndns.org -dyndnss.net -dynsip.org dynu.com dynv6.com easydns.com -editdns.net goip.de google.com he.net +hosting.de infomaniak.com inwx.de joker.com loopia.se moniker.com mydns.jp -myip.co.ua myonlineportal.net mythic-beasts.com +mythic-beasts.com-v2 namecheap.com -nettica.com +njal.la no-ip.pl now-dns.com nsupdate.info @@ -57,6 +53,7 @@ ovh.com regfish.de schokokeks.org selfhost.de +simply.com sitelutions.com spdyn.de strato.com @@ -67,6 +64,4 @@ twodns.de udmedia.de variomedia.de xlhost.de -zerigo.com zoneedit.com -zzzz.io diff --git a/dnsmasq/Makefile b/dnsmasq/Makefile index c5a8930ea..4272398a9 100644 --- a/dnsmasq/Makefile +++ b/dnsmasq/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq -PKG_UPSTREAM_VERSION:=2.86 +PKG_UPSTREAM_VERSION:=2.89 PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION))) -PKG_RELEASE:=$(AUTORELEASE) +PKG_RELEASE:=4 PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz -PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq -PKG_HASH:=28d52cfc9e2004ac4f85274f52b32e1647b4dbc9761b82e7de1e41c49907eb08 +PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq/ +PKG_HASH:=02bd230346cf0b9d5909f5e151df168b2707103785eb616b56685855adebb609 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING 
@@ -24,12 +24,14 @@ PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_UPSTR PKG_INSTALL:=1 PKG_BUILD_PARALLEL:=1 +PKG_BUILD_FLAGS:=lto PKG_ASLR_PIE_REGULAR:=1 PKG_CONFIG_DEPENDS:= CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcp \ CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcpv6 \ CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec \ CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth \ CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset \ + CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_nftset \ CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack \ CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid \ CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc \ @@ -61,10 +63,11 @@ endef define Package/dnsmasq-full $(call Package/dnsmasq/Default) - TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, Conntrack, NO_ID enabled by default) + TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, Nftset, Conntrack, NO_ID enabled by default) DEPENDS+=+PACKAGE_dnsmasq_full_dnssec:libnettle \ +PACKAGE_dnsmasq_full_ipset:kmod-ipt-ipset \ - +PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack + +PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack \ + +PACKAGE_dnsmasq_full_nftset:nftables-json VARIANT:=full PROVIDES:=dnsmasq endef @@ -83,7 +86,7 @@ define Package/dnsmasq-full/description $(call Package/dnsmasq/description) This is a fully configurable variant with DHCPv4, DHCPv6, DNSSEC, Authoritative DNS -and IPset, Conntrack support & NO_ID enabled by default. +and nftset, Conntrack support & NO_ID enabled by default. endef define Package/dnsmasq/conffiles @@ -109,6 +112,9 @@ define Package/dnsmasq-full/config default y config PACKAGE_dnsmasq_full_ipset bool "Build with IPset support." + default n + config PACKAGE_dnsmasq_full_nftset + bool "Build with Nftset support." default y config PACKAGE_dnsmasq_full_conntrack bool "Build with Conntrack support." 
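Review bot: The new `TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, Nftset, Conntrack, NO_ID enabled by default)` still lists IPset as enabled by default, but the config hunk in this same file gives `PACKAGE_dnsmasq_full_ipset` a new `default n` while the inserted `PACKAGE_dnsmasq_full_nftset` inherits the old `default y`, and the description hunk already replaces IPset with nftset. The title should agree with both: `TITLE += (with DNSSEC, DHCPv6, Auth DNS, Nftset, Conntrack, NO_ID enabled by default)`. Keeping `+PACKAGE_dnsmasq_full_ipset:kmod-ipt-ipset` in `DEPENDS` is fine, since the option can still be turned on.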
@@ -128,9 +134,6 @@ endef Package/dnsmasq-dhcpv6/conffiles = $(Package/dnsmasq/conffiles) Package/dnsmasq-full/conffiles = $(Package/dnsmasq/conffiles) -TARGET_CFLAGS += -flto -TARGET_LDFLAGS += -flto=jobserver - COPTS = -DHAVE_UBUS -DHAVE_POLL_H \ $(if $(CONFIG_IPV6),,-DNO_IPV6) @@ -144,6 +147,7 @@ ifeq ($(BUILD_VARIANT),full) $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec),-DHAVE_DNSSEC) \ $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth),,-DNO_AUTH) \ $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset),,-DNO_IPSET) \ + $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_nftset),-DHAVE_NFTSET,) \ $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack),-DHAVE_CONNTRACK,) \ $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid),-DNO_ID,) \ $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc),-DHAVE_BROKEN_RTC) \ @@ -182,6 +186,7 @@ define Package/dnsmasq/install $(INSTALL_DATA) ./files/dnsmasq_acl.json $(1)/usr/share/acl.d/ $(INSTALL_DIR) $(1)/etc/uci-defaults $(INSTALL_BIN) ./files/50-dnsmasq-migrate-resolv-conf-auto.sh $(1)/etc/uci-defaults + $(INSTALL_BIN) ./files/50-dnsmasq-migrate-ipset.sh $(1)/etc/uci-defaults endef Package/dnsmasq-dhcpv6/install = $(Package/dnsmasq/install) diff --git a/dnsmasq/files/50-dnsmasq-migrate-ipset.sh b/dnsmasq/files/50-dnsmasq-migrate-ipset.sh new file mode 100755 index 000000000..aba73e7dd --- /dev/null +++ b/dnsmasq/files/50-dnsmasq-migrate-ipset.sh @@ -0,0 +1,32 @@ +#!/bin/sh + +ipsets=$(uci -q get dhcp.@dnsmasq[0].ipset) +[ -z "$ipsets" ] && exit 0 + +for ipset in $ipsets; do + names=${ipset##*/} + domains=${ipset%/*} + + [ -z "$names" ] || [ -z "$domains" ] && continue + + uci add dhcp ipset + + OLDIFS="$IFS" + + IFS="," + for name in $names; do + uci add_list dhcp.@ipset[-1].name="$name" + done + + IFS="/" + for domain in ${domains:1}; do + uci add_list dhcp.@ipset[-1].domain="$domain" + done + + IFS="$OLDIFS" + + uci del_list dhcp.@dnsmasq[0].ipset="$ipset" +done + +uci commit dhcp +exit 0 
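Review bot: In the new 50-dnsmasq-migrate-ipset.sh, `for domain in ${domains:1}; do` uses the `${var:offset}` substring expansion, which is not POSIX sh; since `domains` comes from `${ipset%/*}` and the only thing being stripped is the leading `/`, the portable equivalent is `for domain in ${domains#/}; do`. The script also reads and rewrites only `dhcp.@dnsmasq[0].ipset`, while the dnsmasq.init hunk in this commit drops `config_list_foreach "$cfg" "ipset" append_ipset` for every section, so a second dnsmasq section with a legacy `ipset` list would presumably keep it unmigrated and silently ignored; if multiple sections are not expected, a comment saying so at the top (`# only the first dnsmasq section is migrated`) would make that explicit. `IFS` is saved and restored by hand; `local IFS` inside a helper function would avoid the `OLDIFS` dance, as `add_nftset` in the init already does.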
diff --git a/dnsmasq/files/dhcp.conf b/dnsmasq/files/dhcp.conf index 8c42ef782..d5b9dfa01 100644 --- a/dnsmasq/files/dhcp.conf +++ b/dnsmasq/files/dhcp.conf @@ -10,6 +10,7 @@ config dnsmasq option domain 'lan' option expandhosts 1 option nonegcache 0 + option cachesize 1000 option authoritative 1 option readethers 1 option leasefile '/tmp/dhcp.leases' @@ -21,6 +22,9 @@ config dnsmasq #list bogusnxdomain '64.94.110.11' option localservice 1 # disable to allow DNS requests from non-local subnets option ednspacket_max 1232 + option filter_aaaa 0 + option filter_a 0 + #list addnmount /some/path # read-only mount path to expose it to dnsmasq config dhcp lan option interface lan diff --git a/dnsmasq/files/dnsmasq.init b/dnsmasq/files/dnsmasq.init index d2bcca46e..2a3327b0c 100755 --- a/dnsmasq/files/dnsmasq.init +++ b/dnsmasq/files/dnsmasq.init @@ -33,6 +33,7 @@ dnsmasq_ignore_opt() { [ "${dnsmasq_features#* DNSSEC }" = "$dnsmasq_features" ] || dnsmasq_has_dnssec=1 [ "${dnsmasq_features#* TFTP }" = "$dnsmasq_features" ] || dnsmasq_has_tftp=1 [ "${dnsmasq_features#* ipset }" = "$dnsmasq_features" ] || dnsmasq_has_ipset=1 + [ "${dnsmasq_features#* nftset }" = "$dnsmasq_features" ] || dnsmasq_has_nftset=1 fi case "$opt" in @@ -55,6 +56,8 @@ dnsmasq_ignore_opt() { [ -z "$dnsmasq_has_tftp" ] ;; ipset) [ -z "$dnsmasq_has_ipset" ] ;; + nftset) + [ -z "$dnsmasq_has_nftset" ] ;; *) return 1 esac @@ -169,10 +172,6 @@ append_address() { xappend "--address=$1" } -append_ipset() { - xappend "--ipset=$1" -} - append_connmark_allowlist() { xappend "--connmark-allowlist=$1" } @@ -205,8 +204,12 @@ ismounted() { return 1 } -append_addnhosts() { +append_extramount() { ismounted "$1" || append EXTRA_MOUNT "$1" +} + +append_addnhosts() { + append_extramount "$1" xappend "--addn-hosts=$1" } 
@@ -554,6 +557,8 @@ dhcp_add() { config_get leasetime "$cfg" leasetime 12h config_get options "$cfg" options config_get_bool dynamicdhcp "$cfg" dynamicdhcp 1 + config_get_bool dynamicdhcpv4 "$cfg" dynamicdhcpv4 $dynamicdhcp + config_get_bool dynamicdhcpv6 "$cfg" dynamicdhcpv6 $dynamicdhcp config_get dhcpv4 "$cfg" dhcpv4 config_get dhcpv6 "$cfg" dhcpv6 @@ -581,21 +586,20 @@ dhcp_add() { limit=$((limit-1)) fi - eval "$(ipcalc.sh "${subnet%%/*}" $netmask $start $limit)" + # make sure the DHCP range is not empty + if [ "$dhcpv4" != "disabled" ] && eval "$(ipcalc.sh "${subnet%%/*}" "$netmask" "$start" "$limit")" ; then + [ "$dynamicdhcpv4" = "0" ] && END="static" - if [ "$dynamicdhcp" = "0" ] ; then - END="static" + xappend "--dhcp-range=$tags$nettag$START,$END,$NETMASK,$leasetime${options:+ $options}" + fi + + if [ "$dynamicdhcpv6" = "0" ] ; then dhcp6range="::,static" else dhcp6range="::1000,::ffff" fi - if [ "$dhcpv4" != "disabled" ] ; then - xappend "--dhcp-range=$tags$nettag$START,$END,$NETMASK,$leasetime${options:+ $options}" - fi - - if [ $DNSMASQ_DHCP_VER -eq 6 ] && [ "$ra" = "server" ] ; then # Note: dnsmasq cannot just be a DHCPv6 server (all-in-1) # and let some other machine(s) send RA pointing to it. 
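Review bot: The comment `# make sure the DHCP range is not empty` is only true if ipcalc.sh deliberately prints a failing command, because `eval "$(ipcalc.sh …)"` returns the exit status of the evaluated text, not of ipcalc.sh, and an empty output evaluates to success. In that case `START`, `END` and `NETMASK` would be whatever an earlier dhcp section left behind (dhcp_add is run per section and nothing visible declares them local), and a wrong `--dhcp-range` would be emitted. Capturing the output first makes the intent explicit: `local range; range=$(ipcalc.sh "${subnet%%/*}" "$netmask" "$start" "$limit") || range=false` and then `if [ "$dhcpv4" != "disabled" ] && eval "$range" ; then`. ipcalc.sh is also changed in this commit (per the diffstat), so if it now emits an explicit failure, the comment should say that this is what the check relies on. dhcp_add starts and ends outside this hunk.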
@@ -796,25 +800,54 @@ dhcp_relay_add() { dnsmasq_ipset_add() { local cfg="$1" - local ipsets domains + local ipsets nftsets domains add_ipset() { ipsets="${ipsets:+$ipsets,}$1" } + add_nftset() { + local IFS=, + for set in $1; do + local fam="$family" + [ -n "$fam" ] || fam=$(echo "$set" | sed -nre \ + 's#^.*[^0-9]([46])$|^.*[-_]([46])[-_].*$|^([46])[^0-9].*$#\1\2\3#p') + [ -n "$fam" ] || \ + fam=$(nft -t list set "$table_family" "$table" "$set" 2>&1 | sed -nre \ + 's#^\t\ttype .*\bipv([46])_addr\b.*$#\1#p') + + [ -n "$fam" ] || \ + logger -t dnsmasq "Cannot infer address family from non-existent nftables set '$set'" + + nftsets="${nftsets:+$nftsets,}${fam:+$fam#}$table_family#$table#$set" + done + } + add_domain() { # leading '/' is expected domains="$domains/$1" } + config_get table "$cfg" table 'fw4' + config_get table_family "$cfg" table_family 'inet' + if [ "$table_family" = "ip" ] ; then + family="4" + elif [ "$table_family" = "ip6" ] ; then + family="6" + else + config_get family "$cfg" family + fi + config_list_foreach "$cfg" "name" add_ipset + config_list_foreach "$cfg" "name" add_nftset config_list_foreach "$cfg" "domain" add_domain - if [ -z "$ipsets" ] || [ -z "$domains" ]; then + if [ -z "$ipsets" ] || [ -z "$nftsets" ] || [ -z "$domains" ]; then return 0 fi xappend "--ipset=$domains/$ipsets" + xappend "--nftset=$domains/$nftsets" } dnsmasq_start() @@ -932,6 +965,9 @@ dnsmasq_start() append_bool "$cfg" rapidcommit "--dhcp-rapid-commit" append_bool "$cfg" scriptarp "--script-arp" + append_bool "$cfg" filter_aaaa "--filter-AAAA" + append_bool "$cfg" filter_a "--filter-A" + append_parm "$cfg" logfacility "--log-facility" config_get logfacility "$cfg" "logfacility" append_parm "$cfg" cachesize "--cache-size" 
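Review bot: `table`, `table_family` and `family` are assigned via `config_get` at function scope but are missing from the `local ipsets nftsets domains` declaration, so they leak as globals across the per-section calls of dnsmasq_ipset_add and into the rest of dnsmasq_start; `local ipsets nftsets domains table table_family family` fixes this, and `set` in `add_nftset` could be declared local alongside `fam`. Separately, when neither the name pattern nor `nft -t list set` yields a family, the entry is still appended as `$table_family#$table#$set` after the `logger` line, leaving the family resolution to dnsmasq; if that fallback is intended, a comment above the `logger` call saying so would help, and the message should not assume the set is "non-existent" since `nft` can also fail because it is absent or the init lacks permission (its stderr is folded into the sed input by `2>&1`). The unconditional `xappend "--nftset=…"` next to `xappend "--ipset=…"` presumably relies on dnsmasq_ignore_opt dropping whichever option the binary lacks; that dependency is worth a one-line comment here.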
@@ -948,7 +984,6 @@ dnsmasq_start() config_list_foreach "$cfg" "server" append_server config_list_foreach "$cfg" "rev_server" append_rev_server config_list_foreach "$cfg" "address" append_address - config_list_foreach "$cfg" "ipset" append_ipset local connmark_allowlist_enable config_get connmark_allowlist_enable "$cfg" connmark_allowlist_enable 0 @@ -1141,7 +1176,6 @@ dnsmasq_start() config_foreach filter_dnsmasq ipset dnsmasq_ipset_add "$cfg" echo >> $CONFIGFILE_TMP - echo >> $CONFIGFILE_TMP mv -f $CONFIGFILE_TMP $CONFIGFILE mv -f $HOSTFILE_TMP $HOSTFILE @@ -1157,6 +1191,8 @@ dnsmasq_start() done } + config_list_foreach "$cfg" addnmount append_extramount + procd_open_instance $cfg procd_set_param command $PROG -C $CONFIGFILE -k -x /var/run/dnsmasq/dnsmasq."${cfg}".pid procd_set_param file $CONFIGFILE diff --git a/dnsmasq/patches/001-CVE-2022-0934-Fix-write-after-free-error-in-DHCPv6-code.patch b/dnsmasq/patches/001-CVE-2022-0934-Fix-write-after-free-error-in-DHCPv6-code.patch deleted file mode 100644 index 4113be99a..000000000 --- a/dnsmasq/patches/001-CVE-2022-0934-Fix-write-after-free-error-in-DHCPv6-code.patch +++ /dev/null 
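Review bot: `config_list_foreach "$cfg" addnmount append_extramount` feeds user-configured host paths into the instance's mount list with no existence or type check — `append_extramount` (the `@@ -205,8 +204,12 @@` hunk above) only skips paths that `ismounted` already reports — so a typo in `list addnmount` surfaces as a jail setup failure rather than a clear log line. A guard such as `[ -e "$1" ] || { logger -t dnsmasq "addnmount: $1 does not exist"; return; }` at the top of append_extramount would cover both this list and the addn-hosts path that now goes through the same helper. The dhcp.conf example describes these as read-only mounts, but nothing in the visible init code establishes read-only; that depends on how `EXTRA_MOUNT` is consumed further down, which is outside this hunk and worth confirming. dnsmasq_start starts outside this hunk.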
@@ -1,179 +0,0 @@ -From 03345ecefeb0d82e3c3a4c28f27c3554f0611b39 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Thu, 31 Mar 2022 21:35:20 +0100 -Subject: Fix write-after-free error in DHCPv6 code. CVE-2022-0934 refers. - ---- - CHANGELOG | 3 +++ - src/rfc3315.c | 48 +++++++++++++++++++++++++++--------------------- - 2 files changed, 30 insertions(+), 21 deletions(-) - ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -92,6 +92,9 @@ version 2.86 - of filename). Thanks to Ed Wildgoose for the initial patch - and motivation for this. - -+ Fix write-after-free error in DHCPv6 server code. -+ CVE-2022-0934 refers. -+ - - version 2.85 - Fix problem with DNS retries in 2.83/2.84. ---- a/src/rfc3315.c -+++ b/src/rfc3315.c -@@ -33,9 +33,9 @@ struct state { - unsigned int mac_len, mac_type; - }; - --static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, -+static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, - struct in6_addr *client_addr, int is_unicast, time_t now); --static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now); -+static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now); - static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts); - static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string); - static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string); -@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_c - } - - /* This cost me blood to write, it will probably cost you blood to understand - srk. 
*/ --static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, -+static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, - struct in6_addr *client_addr, int is_unicast, time_t now) - { - void *end = inbuff + sz; - void *opts = inbuff + 34; -- int msg_type = *((unsigned char *)inbuff); -+ int msg_type = *inbuff; - unsigned char *outmsgtypep; - void *opt; - struct dhcp_vendor *vendor; -@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct stat - return 1; - } - --static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now) -+static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now) - { - void *opt; -- int i, o, o1, start_opts; -+ int i, o, o1, start_opts, start_msg; - struct dhcp_opt *opt_cfg; - struct dhcp_netid *tagif; - struct dhcp_config *config = NULL; - struct dhcp_netid known_id, iface_id, v6_id; -- unsigned char *outmsgtypep; -+ unsigned char outmsgtype; - struct dhcp_vendor *vendor; - struct dhcp_context *context_tmp; - struct dhcp_mac *mac_opt; -@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state * - v6_id.next = state->tags; - state->tags = &v6_id; - -- /* copy over transaction-id, and save pointer to message type */ -- if (!(outmsgtypep = put_opt6(inbuff, 4))) -+ start_msg = save_counter(-1); -+ /* copy over transaction-id */ -+ if (!put_opt6(inbuff, 4)) - return 0; - start_opts = save_counter(-1); -- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16; -- -+ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16; -+ - /* We're going to be linking tags from all context we use. 
- mark them as unused so we don't link one twice and break the list */ - for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current) -@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state * - (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE)) - - { -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - o1 = new_opt6(OPTION6_STATUS_CODE); - put_opt6_short(DHCP6USEMULTI); - put_opt6_string("Use multicast"); -@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state * - struct dhcp_netid *solicit_tags; - struct dhcp_context *c; - -- *outmsgtypep = DHCP6ADVERTISE; -+ outmsgtype = DHCP6ADVERTISE; - - if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0)) - { -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - state->lease_allocate = 1; - o = new_opt6(OPTION6_RAPID_COMMIT); - end_opt6(o); -@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state * - int start = save_counter(-1); - - /* set reply message type */ -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - state->lease_allocate = 1; - - log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL); -@@ -924,7 +925,7 @@ static int dhcp6_no_relay(struct state * - int address_assigned = 0; - - /* set reply message type */ -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - - log6_quiet(state, msg_type == DHCP6RENEW ? "DHCPRENEW" : "DHCPREBIND", NULL, NULL); - -@@ -1057,7 +1058,7 @@ static int dhcp6_no_relay(struct state * - int good_addr = 0; - - /* set reply message type */ -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - - log6_quiet(state, "DHCPCONFIRM", NULL, NULL); - -@@ -1121,7 +1122,7 @@ static int dhcp6_no_relay(struct state * - log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? 
_("ignored") : state->hostname); - if (ignore) - return 0; -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - tagif = add_options(state, 1); - break; - } -@@ -1130,7 +1131,7 @@ static int dhcp6_no_relay(struct state * - case DHCP6RELEASE: - { - /* set reply message type */ -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - - log6_quiet(state, "DHCPRELEASE", NULL, NULL); - -@@ -1195,7 +1196,7 @@ static int dhcp6_no_relay(struct state * - case DHCP6DECLINE: - { - /* set reply message type */ -- *outmsgtypep = DHCP6REPLY; -+ outmsgtype = DHCP6REPLY; - - log6_quiet(state, "DHCPDECLINE", NULL, NULL); - -@@ -1275,7 +1276,12 @@ static int dhcp6_no_relay(struct state * - } - - } -- -+ -+ /* Fill in the message type. Note that we store the offset, -+ not a direct pointer, since the packet memory may have been -+ reallocated. */ -+ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype; -+ - log_tags(tagif, state->xid); - log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1)); - diff --git a/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch b/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch index 4f8fe4ecb..59b8d02c0 100644 --- a/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch +++ b/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch @@ -13,7 +13,7 @@ Signed-off-by: Kevin Darbyshire-Bryant --- a/src/dnsmasq.c +++ b/src/dnsmasq.c -@@ -95,10 +95,6 @@ int main (int argc, char **argv) +@@ -103,10 +103,6 @@ int main (int argc, char **argv) read_opts(argc, argv, compile_opts); @@ -26,7 +26,7 @@ Signed-off-by: Kevin Darbyshire-Bryant --- a/src/dnsmasq.h +++ b/src/dnsmasq.h -@@ -1201,7 +1201,7 @@ extern struct daemon { +@@ -1248,7 +1248,7 @@ extern struct daemon { int inotifyfd; #endif #if defined(HAVE_LINUX_NETWORK) @@ -35,7 +35,7 @@ 
Signed-off-by: Kevin Darbyshire-Bryant #elif defined(HAVE_BSD_NETWORK) int dhcp_raw_fd, dhcp_icmp_fd, routefd; #endif -@@ -1388,9 +1388,6 @@ int read_write(int fd, unsigned char *pa +@@ -1453,9 +1453,6 @@ int read_write(int fd, unsigned char *pa void close_fds(long max_fd, int spare1, int spare2, int spare3); int wildcard_match(const char* wildcard, const char* match); int wildcard_matchn(const char* wildcard, const char* match, int num); @@ -140,7 +140,7 @@ Signed-off-by: Kevin Darbyshire-Bryant my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno)); --- a/src/util.c +++ b/src/util.c -@@ -796,22 +796,3 @@ int wildcard_matchn(const char* wildcard +@@ -855,22 +855,3 @@ int wildcard_matchn(const char* wildcard return (!num) || (*wildcard == *match); } diff --git a/dnsmasq/patches/200-ubus_dns.patch b/dnsmasq/patches/200-ubus_dns.patch index b8c4e4495..8a70bb8bd 100644 --- a/dnsmasq/patches/200-ubus_dns.patch +++ b/dnsmasq/patches/200-ubus_dns.patch @@ -1,6 +1,6 @@ --- a/src/dnsmasq.h +++ b/src/dnsmasq.h -@@ -1564,14 +1564,26 @@ void emit_dbus_signal(int action, struct +@@ -1631,14 +1631,26 @@ void emit_dbus_signal(int action, struct /* ubus.c */ #ifdef HAVE_UBUS @@ -151,7 +151,7 @@ if (!ADD_RDLEN(header, p, qlen, rdlen)) return 0; /* bad packet */ } -@@ -563,7 +632,7 @@ int extract_addresses(struct dns_header +@@ -570,7 +639,7 @@ int extract_addresses(struct dns_header cache_start_insert(); /* find_soa is needed for dns_doctor side effects, so don't call it lazily if there are any. */ @@ -269,7 +269,7 @@ struct ubus_context *ubus = (struct ubus_context *)daemon->ubus; --- a/src/dnsmasq.c +++ b/src/dnsmasq.c -@@ -1972,6 +1972,10 @@ static void check_dns_listeners(time_t n +@@ -2003,6 +2003,10 @@ static void check_dns_listeners(time_t n daemon->pipe_to_parent = pipefd[1]; } diff --git a/firewall/Makefile b/firewall/Makefile index e4a3ad97f..0e00f3868 100644 --- a/firewall/Makefile +++ b/firewall/Makefile 
@@ -21,6 +21,8 @@ PKG_LICENSE:=ISC PKG_CONFIG_DEPENDS := CONFIG_IPV6 +PKG_BUILD_FLAGS:=gc-sections lto + include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/cmake.mk @@ -42,8 +44,6 @@ define Package/firewall/conffiles /etc/firewall.user endef -TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto -TARGET_LDFLAGS += -Wl,--gc-sections -flto CMAKE_OPTIONS += $(if $(CONFIG_IPV6),,-DDISABLE_IPV6=1) define Package/firewall/install diff --git a/firewall/files/firewall.config b/firewall/files/firewall.config index 61cfe665e..b90ac7af0 100644 --- a/firewall/files/firewall.config +++ b/firewall/files/firewall.config @@ -1,6 +1,6 @@ config defaults option syn_flood 1 - option input ACCEPT + option input REJECT option output ACCEPT option forward REJECT # Uncomment this line to disable ipv6 rules diff --git a/firewall4/Makefile b/firewall4/Makefile index 47c2cc5bf..809f3d3f0 100644 --- a/firewall4/Makefile +++ b/firewall4/Makefile @@ -5,13 +5,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=firewall4 -PKG_RELEASE:=$(AUTORELEASE) +PKG_RELEASE:=1 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall4.git -PKG_SOURCE_DATE:=2022-10-18 -PKG_SOURCE_VERSION:=7ae5e14bbd7265cc67ec870c3bb0c8e197bb7ca9 -PKG_MIRROR_HASH:=ce190e526df915df65b40aa24fadf2a1b5badc57ab4e564d5f44575b11d18e26 +PKG_SOURCE_DATE:=2023-03-23 +PKG_SOURCE_VERSION:=04a06bd70b9808b14444cae81a2faba4708ee231 +PKG_MIRROR_HASH:=37c34facb733c50d0fdbfa238765a23e667e4daaae9728aaccbaba87a2a07bb9 PKG_MAINTAINER:=Jo-Philipp Wich PKG_LICENSE:=ISC diff --git a/fullconenat-nft/Makefile b/fullconenat-nft/Makefile new file mode 100644 index 000000000..7549df520 --- /dev/null +++ b/fullconenat-nft/Makefile 
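Review bot: Changing the `defaults` section from `option input ACCEPT` to `option input REJECT` alters the fallback INPUT policy for traffic that no zone claims; it is a sound hardening default, but the zone sections outside this hunk must still set `option input ACCEPT` for the lan zone, otherwise a fresh install has no ssh/LuCI access from the LAN. A one-line comment above the option, e.g. `# policy for traffic not matched by any zone; lan zone sets its own input policy`, would make the intent clear to whoever edits this file next. Since firewall.config is a conffile, existing installs presumably keep their current value; that is worth stating in the commit message.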
@@ -0,0 +1,50 @@ +# SPDX-License-Identifier: GPL-2.0-only +# Copyright (c) 2018 Chion Tang +# Original xt_FULLCONENAT and related iptables extension author +# Copyright (c) 2019-2022 GitHub/llccd Twitter/@gNodeB +# Added IPv6 support for xt_FULLCONENAT and ip6tables extension +# Ported to recent kernel versions +# Copyright (c) 2022 Syrone Wong +# Massively rewrite the whole module, split the original code into library and nftables 'fullcone' expression module + +include $(TOPDIR)/rules.mk +include $(INCLUDE_DIR)/kernel.mk + +PKG_NAME:=fullconenat-nft +PKG_RELEASE:=1 + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=https://github.com/fullcone-nat-nftables/nft-fullcone.git +PKG_SOURCE_DATE:=2023-01-10 +PKG_SOURCE_VERSION:=95ad79bc6d15c64b2770fe8b7092a64d5c2a293c +PKG_MIRROR_HASH:=56440d912625a26f1a6412c5399fccf89432d1cd35d2e6c9cc4d3a445e98b223 + +PKG_LICENSE:=GPL-2.0-only +PKG_LICENSE_FILES:=LICENSE +PKG_MAINTAINER:=Syrone Wong + +include $(INCLUDE_DIR)/package.mk + +define KernelPackage/nft-fullcone + SUBMENU:=Netfilter Extensions + DEPENDS:=+kmod-nft-nat + TITLE:=nftables fullcone expression support + FILES:= $(PKG_BUILD_DIR)/src/nft_fullcone.ko + KCONFIG:= \ + CONFIG_NF_CONNTRACK_EVENTS=y \ + CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y + AUTOLOAD:=$(call AutoProbe,nft_fullcone) +endef + +define KernelPackage/nft-fullcone/Description + Kernel module adds the fullcone expression that you can use + to perform NAT in the RFC3489-compatible full cone SNAT flavour. + Currently only UDP traffic is supported for full-cone NAT. + For other protos FULLCONENAT is equivalent to MASQUERADE. +endef + +define Build/Compile + +$(KERNEL_MAKE) M="$(PKG_BUILD_DIR)/src" modules +endef + +$(eval $(call KernelPackage,nft-fullcone)) diff --git a/fullconenat/Makefile b/fullconenat/Makefile new file mode 100644 index 000000000..c206b06fb --- /dev/null +++ b/fullconenat/Makefile 
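Review bot: The `KernelPackage/nft-fullcone/Description` should state the exposure that full-cone NAT implies: once an internal host has sent UDP outbound, the mapped external port accepts datagrams from any external source, which is what "RFC3489-compatible full cone" means but is a looser filter than the default NAT behaviour. A sentence such as `Note: a mapped port accepts UDP from any external host once it exists; add explicit nft rules if that is not wanted.` would let users choose knowingly. Minor: `FILES:= $(PKG_BUILD_DIR)/src/nft_fullcone.ko` has a stray space after `:=` that the other assignments in the file do not.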
@@ -0,0 +1,71 @@ +# +# Copyright (C) 2018 Chion Tang +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk +include $(INCLUDE_DIR)/kernel.mk + +PKG_NAME:=fullconenat +PKG_RELEASE:=1 + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=https://github.com/llccd/netfilter-full-cone-nat.git +PKG_SOURCE_DATE:=2023-01-01 +PKG_SOURCE_VERSION:=74c5e6f3c7faaf33ece451697537c81781781c20 +PKG_MIRROR_HASH:=3c254f1edba28eafdccac9cf95eb550fd2b05eeaaec8a02c73e1dcd2f98f9d93 + +PKG_LICENSE:=GPL-2.0 +PKG_LICENSE_FILES:=LICENSE +PKG_MAINTAINER:=Chion Tang + +include $(INCLUDE_DIR)/package.mk + +define Package/iptables-mod-fullconenat + SUBMENU:=Firewall + SECTION:=net + CATEGORY:=Network + TITLE:=FULLCONENAT iptables extension + DEPENDS:=+iptables +kmod-ipt-fullconenat +endef + +define Package/ip6tables-mod-fullconenat + SUBMENU:=Firewall + SECTION:=net + CATEGORY:=Network + TITLE:=FULLCONENAT ip6tables extension + DEPENDS:=ip6tables +kmod-nf-nat6 +kmod-ipt-fullconenat +ip6tables-mod-nat +endef + +define KernelPackage/ipt-fullconenat + SUBMENU:=Netfilter Extensions + TITLE:=FULLCONENAT netfilter module + DEPENDS:=+kmod-nf-ipt +kmod-nf-nat + KCONFIG:= \ + CONFIG_NF_CONNTRACK_EVENTS=y \ + CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y + FILES:=$(PKG_BUILD_DIR)/xt_FULLCONENAT.ko +endef + +include $(INCLUDE_DIR)/kernel-defaults.mk + +define Build/Compile + +$(KERNEL_MAKE) M="$(PKG_BUILD_DIR)" modules + $(call Build/Compile/Default) +endef + +define Package/iptables-mod-fullconenat/install + $(INSTALL_DIR) $(1)/usr/lib/iptables + $(INSTALL_BIN) $(PKG_BUILD_DIR)/libipt_FULLCONENAT.so $(1)/usr/lib/iptables +endef + +define Package/ip6tables-mod-fullconenat/install + $(INSTALL_DIR) $(1)/usr/lib/iptables + $(INSTALL_BIN) $(PKG_BUILD_DIR)/libip6t_FULLCONENAT.so $(1)/usr/lib/iptables +endef + +$(eval $(call BuildPackage,iptables-mod-fullconenat)) +$(eval $(call BuildPackage,ip6tables-mod-fullconenat)) +$(eval $(call 
KernelPackage,ipt-fullconenat)) diff --git a/fullconenat/patches/000-printk.patch b/fullconenat/patches/000-printk.patch new file mode 100644 index 000000000..9e6a091c8 --- /dev/null +++ b/fullconenat/patches/000-printk.patch @@ -0,0 +1,16 @@ +--- a/xt_FULLCONENAT.c ++++ b/xt_FULLCONENAT.c +@@ -1345,9 +1345,12 @@ static struct xt_target tg_reg[] __read_ + static int __init fullconenat_tg_init(void) + { + int ret; ++ printk(KERN_INFO "xt_FULLCONENAT: RFC3489 Full Cone NAT module\n" ++ "xt_FULLCONENAT: Copyright (C) 2018 Chion Tang \n"); ++ + wq = create_singlethread_workqueue("xt_FULLCONENAT"); + if (wq == NULL) { +- printk("xt_FULLCONENAT: warning: failed to create workqueue\n"); ++ printk(KERN_WARNING "xt_FULLCONENAT: warning: failed to create workqueue\n"); + } + + #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0) diff --git a/fullconenat/src/Makefile b/fullconenat/src/Makefile new file mode 100644 index 000000000..a48a513da --- /dev/null +++ b/fullconenat/src/Makefile @@ -0,0 +1,12 @@ +all: libipt_FULLCONENAT.so libip6t_FULLCONENAT.so + +libipt_FULLCONENAT.so: libipt_FULLCONENAT.o + $(CC) -shared -lxtables -o $@ $^; +libipt_FULLCONENAT.o: libipt_FULLCONENAT.c + $(CC) ${CFLAGS} -fPIC -c -o $@ $<; +libip6t_FULLCONENAT.so: libip6t_FULLCONENAT.o + $(CC) -shared -lxtables -o $@ $^; +libip6t_FULLCONENAT.o: libip6t_FULLCONENAT.c + $(CC) ${CFLAGS} -fPIC -c -o $@ $<; + +obj-m += xt_FULLCONENAT.o diff --git a/homeredirect/Makefile b/homeredirect/Makefile new file mode 100644 index 000000000..f6dacfa69 --- /dev/null +++ b/homeredirect/Makefile 
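Review bot: In fullconenat/Makefile, `DEPENDS:=ip6tables +kmod-nf-nat6 +kmod-ipt-fullconenat +ip6tables-mod-nat` lists `ip6tables` without the `+` that every other entry and the sibling `DEPENDS:=+iptables +kmod-ipt-fullconenat` use, so it is a hard dependency that is not auto-selected; if that asymmetry is deliberate (to avoid pulling in ip6tables), a short comment on that line saying so would stop the next reader from "fixing" it. The `Package/iptables-mod-fullconenat/install` and `Package/ip6tables-mod-fullconenat/install` recipes are identical apart from the filename; that is acceptable for two packages, but the `000-printk.patch` banner printk added alongside is purely cosmetic and could be dropped from the package patches.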
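Review bot: In the new fullconenat/src/Makefile the link lines `$(CC) -shared -lxtables -o $@ $^;` ignore `$(LDFLAGS)`, so any hardening or toolchain link flags the build passes in are dropped for the two plugin .so files, while the compile lines do honour `${CFLAGS}`; the trailing `;` on each recipe line is also a leftover. `-lxtables` should follow the objects (under `--as-needed` a library named before the objects that need it is discarded). The four hand-written rules collapse into two pattern rules with the stem `ipt`/`ip6t`:
```make
lib%_FULLCONENAT.so: lib%_FULLCONENAT.o
	$(CC) $(LDFLAGS) -shared -o $@ $^ -lxtables
lib%_FULLCONENAT.o: lib%_FULLCONENAT.c
	$(CC) $(CFLAGS) -fPIC -c -o $@ $<
# … unchanged: all target and obj-m line …
```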
@@ -0,0 +1,80 @@ +# +# Copyright (c) 2020 xiaoqingfeng (xiaoqingfengatgm@gmail.com) +# Feed site - https://github.com/xiaoqingfengATGH/feeds-xiaoqingfeng +# This is free software, licensed under the GNU General Public License v3. +# +include $(TOPDIR)/rules.mk + +PKG_NAME:=HomeRedirect +PKG_VERSION:=1.4 +PKG_RELEASE:=1 +PKG_DATE:=20210226 + +PKG_MAINTAINER:=xiaoqingfeng +PKG_LICENSE:=GPL-3.0-or-later +PKG_LICENSE_FILES:=LICENSE + +include $(INCLUDE_DIR)/package.mk + +define Package/$(PKG_NAME) + SECTION:=net + CATEGORY:=Network + TITLE:=Port forwarding utility for HomeLede. + DEPENDS:=+bash +coreutils-nohup +socat + PKGARCH:=all + URL:=https://github.com/xiaoqingfengATGH/feeds-xiaoqingfeng +endef + +define Package/$(PKG_NAME)/config +help + $(PKG_NAME) + Version: $(PKG_VERSION)-$(PKG_RELEASE) + Port forwarding utility for HomeLede. Support TCP/UDP ipv4 & ipv6. +endef + +define Package/$(PKG_NAME)/description +Port forwarding utility for HomeLede. Support TCP/UDP ipv4 & ipv6. +endef + +define Package/$(PKG_NAME)/conffiles +/etc/config/homeredirect +endef + +define Package/$(PKG_NAME)/install + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_DIR) $(1)/etc/homeredirect + $(INSTALL_BIN) files/etc/init.d/homeredirect $(1)/etc/init.d + $(INSTALL_CONF) files/etc/config/homeredirect $(1)/etc/config + $(INSTALL_DATA) files/etc/homeredirect/firewall.include $(1)/etc/homeredirect/ + $(INSTALL_DATA) files/etc/homeredirect/script.sh $(1)/etc/homeredirect/ +endef + +define Package/$(PKG_NAME)/postinst +#!/bin/sh +exit 0 +endef + +define Package/$(PKG_NAME)/prerm +#!/bin/sh +/etc/init.d/homeredirect stop +uci -q batch <<-EOF >/dev/null + delete ucitrack.@homeredirect[-1] + commit ucitrack +EOF +uci -q batch <<-EOF >/dev/null + delete firewall.homeredirect +EOF +exit 0 +endef + +define Build/Configure +endef + +define Build/Prepare +endef + +define Build/Compile +endef + +$(eval $(call BuildPackage,$(PKG_NAME))) 
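Review bot: The prerm's second `uci batch` stages `delete firewall.homeredirect` but never commits it, unlike the ucitrack batch directly above it that ends with `commit ucitrack`; the deletion is not persisted, so /etc/config/firewall keeps an `include` whose `path` points at /etc/homeredirect/script.sh after that file has been removed. Add `commit firewall` before the closing `EOF`. Separately, as far as this diff shows the include entry is created by luci-app-homeredirect's uci-defaults rather than by this package, so the install and removal halves of the firewall hook live in different packages; a one-line comment in the Makefile saying so would save the next maintainer a search.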
diff --git a/homeredirect/files/etc/config/homeredirect b/homeredirect/files/etc/config/homeredirect new file mode 100644 index 000000000..10afeb964 --- /dev/null +++ b/homeredirect/files/etc/config/homeredirect @@ -0,0 +1,38 @@ +config global + option enabled '1' + +config redirect + option proto 'tcp4' + option src_ip '0.0.0.0' + option src_dport '60609' + option dest_ip '192.168.1.100' + option dest_port '3389' + option name 'TCP_REDIRECT_IPV4' + option enabled '0' + +config redirect + option proto 'tcp6' + option src_ip '::' + option src_dport '60608' + option dest_ip 'fd5b:64cf:4ff4::1c4' + option dest_port '3389' + option name 'TCP_REDIRECT_IPV6' + option enabled '0' + +config redirect + option proto 'udp4' + option src_ip '0.0.0.0' + option src_dport '64511' + option dest_ip '192.168.1.100' + option dest_port '500' + option name 'UDP_REDIRECT_IPV4' + option enabled '0' + +config redirect + option proto 'udp6' + option src_ip '::' + option src_dport '64500' + option dest_ip 'fd5b:64cf:4ff4::1c4' + option dest_port '4500' + option name 'UDP_REDIRECT_IPV6' + option enabled '0' \ No newline at end of file diff --git a/homeredirect/files/etc/homeredirect/firewall.include b/homeredirect/files/etc/homeredirect/firewall.include new file mode 100644 index 000000000..1356ac934 --- /dev/null +++ b/homeredirect/files/etc/homeredirect/firewall.include @@ -0,0 +1 @@ +bash /etc/homeredirect/script.sh \ No newline at end of file diff --git a/homeredirect/files/etc/homeredirect/script.sh b/homeredirect/files/etc/homeredirect/script.sh new file mode 100644 index 000000000..f3707f739 --- /dev/null +++ b/homeredirect/files/etc/homeredirect/script.sh 
@@ -0,0 +1,45 @@ +#!/bin/bash + +del_rule() { + count=$(iptables -n -L INPUT 2>/dev/null | grep -c "HOME_REDIRECT") + if [ -n "$count" ]; then + until [ "$count" = 0 ] + do + rules=$(iptables -n -L INPUT --line-num 2>/dev/null | grep "HOME_REDIRECT" | awk '{print $1}') + for rule in $rules + do + iptables -D INPUT $rule 2>/dev/null + break + done + count=$(expr $count - 1) + done + fi + + iptables -F HOME_REDIRECT 2>/dev/null + iptables -X HOME_REDIRECT 2>/dev/null +} + +add_rule(){ + iptables -N HOME_REDIRECT + iptables -I INPUT -j HOME_REDIRECT + + maxRedirctCount=$(uci show homeredirect | grep @redirect | awk -F '[' '{print $2}' | awk -F ']' '{print $1}' | sort | tail -n 1) + + for ((i=($maxRedirctCount);i>=0;i--)); + do + enabled=$(uci get homeredirect.@redirect[$i].enabled) + if [ $enabled -eq 1 ]; then + protoAll=$(uci get homeredirect.@redirect[$i].proto) + proto=${protoAll:0:3} + port=$(uci get homeredirect.@redirect[$i].src_dport) + iptables -A HOME_REDIRECT -p $proto --dport $port -j ACCEPT + fi + done +} + +del_rule + +enable=$(uci get homeredirect.@global[0].enabled) +if [ $enable -eq 1 ]; then + add_rule +fi diff --git a/homeredirect/files/etc/init.d/homeredirect b/homeredirect/files/etc/init.d/homeredirect new file mode 100644 index 000000000..61dcf1fdc --- /dev/null +++ b/homeredirect/files/etc/init.d/homeredirect 
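Review bot: `add_rule` only ever calls `iptables`, yet `proto` is truncated to `tcp`/`udp`, so a `tcp6`/`udp6` redirect opens the IPv4 port in the IPv4 INPUT chain and nothing is opened in ip6tables for the IPv6 listener the init script actually starts. `iptables -I INPUT -j HOME_REDIRECT` also places the chain ahead of every fw3 zone rule with no `-i`/zone qualifier, so each ACCEPT applies on all interfaces including WAN — plausibly the intent of a port forwarder, but a comment stating it would help. The unquoted `[ $enabled -eq 1 ]` errors out for a section without `enabled`, and `sort | tail -n 1` on the section indexes is a lexical sort (`9` sorts after `10`) and should be `sort -n`. Proposed rewrite of the loop below; `del_rule` needs the same ip6tables mirror.
```bash
add_rule(){
    iptables -N HOME_REDIRECT
    iptables -I INPUT -j HOME_REDIRECT
    ip6tables -N HOME_REDIRECT
    ip6tables -I INPUT -j HOME_REDIRECT

    # … unchanged: maxRedirctCount lookup (use `sort -n | tail -n 1`) …

    for ((i=($maxRedirctCount);i>=0;i--));
    do
        enabled=$(uci -q get homeredirect.@redirect[$i].enabled)
        [ "$enabled" = "1" ] || continue
        protoAll=$(uci -q get homeredirect.@redirect[$i].proto)
        proto=${protoAll:0:3}
        port=$(uci -q get homeredirect.@redirect[$i].src_dport)
        # pick the table matching the address family; unknown proto values are skipped
        case "$protoAll" in
            tcp4|udp4) ipt=iptables ;;
            tcp6|udp6) ipt=ip6tables ;;
            *) continue ;;
        esac
        "$ipt" -A HOME_REDIRECT -p "$proto" --dport "$port" -j ACCEPT
    done
}
```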
@@ -0,0 +1,140 @@ +#!/bin/sh /etc/rc.common + +START=99 + +RUNLOG_DIR=/tmp/hr + +PROCESSED_REDIRECT=0 + +log() +{ + logger -t homeredirect $1 +} + +setupDefaultSrcIP() { + if [ -z $src_ip ];then + if [ "$1" = "ipv4" ]; then + src_ip="0.0.0.0" + else + src_ip="::" + fi + fi +} + +setup() { + + config_get enabled $1 enabled + + id=$1 + config_get proto $1 proto + config_get src_ip $1 src_ip + config_get src_dport $1 src_dport + config_get dest_ip $1 dest_ip + config_get dest_port $1 dest_port + config_get name $1 name + + terminateRedirect $id + + [ "$enabled" != "1" ] && return 0 + + PROCESSED_REDIRECT=1 + + if [ "$proto" = "tcp4" ]; then + src_addresstype="TCP4-LISTEN" + dest_addresstype="TCP4" + setupDefaultSrcIP "ipv4" + elif [ "$proto" = "tcp6" ]; then + src_addresstype="TCP6-LISTEN" + dest_addresstype="TCP6" + setupDefaultSrcIP "ipv6" + src_ip="[$src_ip]" + dest_ip="[$dest_ip]" + elif [ "$proto" = "udp4" ]; then + src_addresstype="UDP4-LISTEN" + dest_addresstype="UDP4" + setupDefaultSrcIP "ipv4" + elif [ "$proto" = "udp6" ]; then + src_addresstype="UDP6-LISTEN" + dest_addresstype="UDP6" + setupDefaultSrcIP "ipv6" + src_ip="[$src_ip]" + dest_ip="[$dest_ip]" + fi + + #echo "nohup socat -lf $RUNLOG_DIR/$id.log $src_addresstype:$src_dport,bind=$src_ip,fork $dest_addresstype:$dest_ip:$dest_port > $RUNLOG_DIR/$id.log 2>&1 &" + nohup socat -lf $RUNLOG_DIR/$id.log $src_addresstype:$src_dport,bind=$src_ip,fork $dest_addresstype:$dest_ip:$dest_port > $RUNLOG_DIR/$id.log 2>&1 & + log "[HomeRedirect] Port redirect from $proto $src_ip:$src_dport==>$dest_addresstype:$dest_ip:$dest_port started." +} + +# param $1 is port +showTcpPortState() { + local process=$(netstat -ltnp | awk -F ' ' '{if(NR>2) print $1"/"$4"/"$7}' | grep :$1) + if [ -n "$process" ]; then + echo $process + else + echo 'TCP Port $1 is Free.' 
+ fi +} +# param $1 is port +showUdpPortState() { + local process=$(netstat -lunp | awk -F ' ' '{if(NR>2) print $1"/"$4"/"$6}'|grep :$1) + if [ -n "$process" ]; then + echo $process + else + echo 'UDP Port $1 is Free.' + fi +} + +isRedirectRunning() { + local runningPID=$(ps | grep socat | grep $RUNLOG_DIR/$1 | sed '/grep/d' | awk -F ' ' '{print $1}') + if [ -n "$runningPID" ]; then + return 1 + else + return 0 + fi +} + +# param $1 is redirect id +terminateRedirect() { + isRedirectRunning $1 + [ "$?" = "1" ] && { + local runningPID=$(ps | grep socat | grep $RUNLOG_DIR/$1 | sed '/grep/d' | awk -F ' ' '{print $1}') + #echo "Going to kill process $runningPID" + kill $runningPID + } +} + +terminateAll() { + local runningPIDs=$(ps | grep socat | grep $RUNLOG_DIR | sed '/grep/d' | awk -F ' ' '{print $1}') + [ -n "$runningPIDs" ] && { + kill $runningPIDs + log "Redirect process : $runningPIDs stopped." + } +} + +start() { + local vt_enabled=$(uci -q get homeredirect.@global[0].enabled) + if [ "$vt_enabled" = 0 ]; then + terminateAll + fw3 reload + return 1 + fi + + rm -rf $RUNLOG_DIR + mkdir -p $RUNLOG_DIR + + config_load homeredirect + + PROCESSED_REDIRECT=0 + config_foreach setup redirect + [ "$PROCESSED_REDIRECT" == "1" ] && { + fw3 reload + } + log 'HomeRedirect started.' +} + +stop() { + terminateAll + fw3 reload + log 'HomeRedirect stopped.' +} diff --git a/libdouble-conversion/Makefile b/libdouble-conversion/Makefile new file mode 100644 index 000000000..60dcd5f04 --- /dev/null +++ b/libdouble-conversion/Makefile 
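Review bot: `setup` passes `src_ip`, `dest_ip`, `src_dport` and `dest_port` straight from UCI into a root-run `socat` command line, unquoted and unchecked; the `ipaddr`/`port` datatypes exist only in the LuCI form, so a value written with `uci set` by anyone holding the package's write ACL is never validated, and since socat reads `,`-separated options from the same address token, a crafted value could likely add listener options rather than merely change the target. I would validate the four values in `setup` right after the `enabled` check, before the IPv6 branch wraps `src_ip`/`dest_ip` in brackets, and quote them on the socat line, e.g. `nohup socat -lf "$RUNLOG_DIR/$id.log" "$src_addresstype:$src_dport,bind=$src_ip,fork" "$dest_addresstype:$dest_ip:$dest_port" > "$RUNLOG_DIR/$id.log" 2>&1 &`. Two smaller things: `'TCP Port $1 is Free.'` and its UDP twin are single-quoted so `$1` is printed literally, and `start` returns 1 when the master switch is off, so a merely disabled service exits non-zero.
```sh
# Accept only a plain port number in 1..65535 (no spaces, no socat option separators).
valid_port() {
	case "$1" in ''|*[!0-9]*) return 1 ;; esac
	[ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept only characters that can appear in a literal IPv4/IPv6 address.
valid_addr() {
	case "$1" in ''|*[!0-9A-Fa-f.:]*) return 1 ;; esac
}

setup() {
	# … unchanged: config_get lines, terminateRedirect, enabled check …

	if ! valid_port "$src_dport" || ! valid_port "$dest_port" || ! valid_addr "$dest_ip" ||
	   { [ -n "$src_ip" ] && ! valid_addr "$src_ip"; }; then
		log "[HomeRedirect] $id: invalid address or port in config, redirect skipped."
		return 0
	fi

	# … unchanged: protocol branches and socat launch (with the arguments quoted) …
}
```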
@@ -0,0 +1,60 @@ +# +# Copyright (C) 2008-2016 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=libdouble-conversion +PKG_VERSION:=3.2.1 +PKG_RELEASE:=1 + +PKG_SOURCE:=double-conversion-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://codeload.github.com/google/double-conversion/tar.gz/v$(PKG_VERSION)? +PKG_HASH:=e40d236343cad807e83d192265f139481c51fc83a1c49e406ac6ce0a0ba7cd35 + +HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/double-conversion-$(PKG_VERSION) +PKG_BUILD_DIR:=$(BUILD_DIR)/double-conversion-$(PKG_VERSION) + +PKG_MAINTAINER:= +PKG_LICENSE:=BSD-3c +PKG_LICENSE_FILES:=COPYING LICENSE + +PKG_BUILD_FLAGS:=gc-sections lto +CMAKE_INSTALL:=1 + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/host-build.mk +include $(INCLUDE_DIR)/cmake.mk + +define Package/libdouble-conversion + SECTION:=libs + CATEGORY:=Libraries + TITLE:=Efficient binary-decimal and decimal-binary conversion routines for IEEE doubles + URL:=https://github.com/google/double-conversion + DEPENDS:=+libstdcpp +endef + +define Package/libdouble-conversion/description + double-conversion provides binary-decimal and decimal-binary routines for IEEE doubles. + + The library consists of efficient conversion routines that have been extracted + from the V8 JavaScript engine. The code has been refactored and improved so that + it can be used more easily in other projects. +endef + +CMAKE_OPTIONS += \ + -DBUILD_SHARED_LIBS=ON \ + -DBUILD_TESTING=OFF + +TARGET_CXXFLAGS += -fno-rtti + +define Package/libdouble-conversion/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so* $(1)/usr/lib/ +endef + +$(eval $(call BuildPackage,libdouble-conversion)) +$(eval $(call HostBuild)) diff --git a/libtorrent-rasterbar/Makefile b/libtorrent-rasterbar/Makefile new file mode 100644 index 000000000..f497038e9 --- /dev/null +++ b/libtorrent-rasterbar/Makefile 
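Review bot: `PKG_LICENSE:=BSD-3c` is not an SPDX identifier; the libtorrent-rasterbar Makefile added in the same series uses `BSD-3-Clause`, and the two should agree so license tooling recognises both. `PKG_MAINTAINER:=` is left empty, which reads as unmaintained — either name someone or drop the line. The `?` suffix on `PKG_SOURCE_URL` is the usual codeload form and the `PKG_HASH` pin is present, so the fetch side looks fine.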
@@ -0,0 +1,91 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=libtorrent-rasterbar +PKG_VERSION:=2.0.8 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=https://codeload.github.com/arvidn/libtorrent/tar.gz/v$(PKG_VERSION)? +PKG_HASH:=29e5c5395de8126ed1b24d0540a9477fbb158b536021cd65aaf9de34d0aadb46 + +PKG_MAINTAINER:=David Yang +PKG_LICENSE:=BSD-3-Clause +PKG_LICENSE_FILES:=COPYING + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/cmake.mk + +define Package/libtorrent-rasterbar/Default + TITLE:=Rasterbar BitTorrent library + URL:=https://libtorrent.org/ +endef + +define Package/libtorrent-rasterbar + $(call Package/libtorrent-rasterbar/Default) + SECTION:=libs + CATEGORY:=Libraries + DEPENDS:=+boost +boost-system +libopenssl +libatomic +libstdcpp +endef + +#define Package/python3-libtorrent +# $(call Package/libtorrent-rasterbar/Default) +# SECTION:=lang +# CATEGORY:=Languages +# SUBMENU:=Python +# TITLE+= (Python 3) +# DEPENDS:=+libtorrent-rasterbar +boost-python +#endef + +define Package/libtorrent-rasterbar/description + Rasterbar libtorrent is a C++ library that aims to be a good alternative to + all the other bittorrent implementations around. +endef + +#define Package/python3-libtorrent/description +# $(call Package/libtorrent-rasterbar/description) +# This package contains Python 3 bindings for the libtorrent-rasterbar library. 
+#endef + +define Download/try_signal + VERSION:=105cce59972f925a33aa6b1c3109e4cd3caf583d + SUBDIR:=deps/try_signal + FILE:=$(PKG_NAME)-try_signal-$$(VERSION).tar.xz + URL:=https://github.com/arvidn/try_signal.git + MIRROR_HASH:=da81da67d52b7a731c21148573b68bf8dc7863616d6ae1f81845b7afb29e8f00 + PROTO:=git +endef +$(eval $(call Download,try_signal)) + +PKG_UNPACK:=$(HOST_TAR) -C $(PKG_BUILD_DIR) --strip-components=1 -xzf $(DL_DIR)/$(PKG_SOURCE) + +define Build/Prepare + $(Build/Prepare/Default) + $(eval $(Download/try_signal)) + xzcat $(DL_DIR)/$(FILE) | tar -C $(PKG_BUILD_DIR) $(TAR_OPTIONS) +endef + +#CMAKE_OPTIONS += \ +# -Dpython-bindings=ON \ +# -Dpython-egg-info=ON + +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include + $(CP) $(PKG_INSTALL_DIR)/usr/include/libtorrent $(1)/usr/include/ + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libtorrent-rasterbar.so* $(1)/usr/lib/ + $(INSTALL_DIR) $(1)/usr/lib/pkgconfig + $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libtorrent-rasterbar.pc $(1)/usr/lib/pkgconfig/ +endef + +define Package/libtorrent-rasterbar/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libtorrent-rasterbar.so.* $(1)/usr/lib/ +endef + +#define Package/python3-libtorrent/install +# $(INSTALL_DIR) $(1)/usr/lib/python2.7/site-packages +# $(CP) $(PKG_INSTALL_DIR)/usr/lib/python2.7/site-packages/*.so* $(1)/usr/lib/python2.7/site-packages/ +#endef + +$(eval $(call BuildPackage,libtorrent-rasterbar)) +#$(eval $(call BuildPackage,python3-libtorrent)) diff --git a/luci-app-homeredirect/Makefile b/luci-app-homeredirect/Makefile new file mode 100644 index 000000000..7cabd0edf --- /dev/null +++ b/luci-app-homeredirect/Makefile 
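Review bot: There is no `PKG_CPE_ID` for libtorrent-rasterbar, so the buildroot's CVE matching, which keys on that field (compare `PKG_CPE_ID:=cpe:/a:arm:mbed_tls` in the mbedtls Makefile removed later in this same patch), cannot associate advisories with this package; add the CPE taken from the NVD entry for Rasterbar libtorrent rather than guessing it. The pinned `try_signal` commit with a `MIRROR_HASH` is good. The commented-out `python3-libtorrent` definitions still reference `/usr/lib/python2.7/site-packages` and are dead text that misleads — either finish them for Python 3 or delete them.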
@@ -0,0 +1,18 @@ +# Copyright (C) 2020 xiaoqingfeng +# +# This is free software, licensed under the Apache License, Version 2.0 . +# + +include $(TOPDIR)/rules.mk + +LUCI_TITLE:=LuCI for HomeRedirect +LUCI_DEPENDS:=+HomeRedirect +LUCI_PKGARCH:=all +PKG_NAME:=luci-app-homeredirect +PKG_VERSION:=1.0 +PKG_RELEASE:=1-20200805 +PKG_MAINTAINER:=Richard Yu + +include $(TOPDIR)/feeds/luci/luci.mk + +# call BuildPackage - OpenWrt buildroot signature diff --git a/luci-app-homeredirect/luasrc/controller/homeredirect.lua b/luci-app-homeredirect/luasrc/controller/homeredirect.lua new file mode 100644 index 000000000..d1a2ef478 --- /dev/null +++ b/luci-app-homeredirect/luasrc/controller/homeredirect.lua 
@@ -0,0 +1,62 @@ +-- Copyright 2020 Richard +-- feed site : https://github.com/xiaoqingfengATGH/feeds-xiaoqingfeng +module("luci.controller.homeredirect", package.seeall) +local appname = "homeredirect" +local RUNLOG_DIR = "/tmp/hr" +local ucic = luci.model.uci.cursor() +local http = require "luci.http" + +function index() + + entry({"admin", "services", "homeredirect", "show"}, call("show_menu")).leaf = true + entry({"admin", "services", "homeredirect", "hide"}, call("hide_menu")).leaf = true + + if nixio.fs.access("/etc/config/homeredirect") and + nixio.fs.access("/etc/config/homeredirect_show") then + entry({"admin", "services", "homeredirect"}, + alias("admin", "services", "homeredirect", "settings"), + _("Home Redirect"), 50).dependent = true + end + + entry({"admin", "services", "homeredirect", "settings"}, + cbi("homeredirect/settings")).leaf = true + entry({"admin", "services", "homeredirect", "status"}, call("status")).leaf = + true +end + +local function http_write_json(content) + http.prepare_content("application/json") + http.write_json(content or {code = 1}) +end + +function status() + local e = {} + e.enabled = ucic:get(appname, "@global[0]", "enabled") + ucic:foreach(appname, "redirect", function(redirect) + local state = -1 + local id = redirect['.name'] + local enabled = redirect['enabled'] + if enabled == "1" then + local pid = luci.sys.exec("ps | grep socat | grep " .. RUNLOG_DIR .. "/" .. id .. " | sed '/grep/d' | awk -F ' ' '{print $1}'") + if pid == "" then + state = 0 + else + state = tonumber(pid) + end + end + e[id] = state + end) + luci.http.prepare_content("application/json") + luci.http.write_json(e) +end + +function show_menu() + luci.sys.call("touch /etc/config/homeredirect_show") + luci.http.redirect(luci.dispatcher.build_url("admin", "services", "homeredirect")) +end + +function hide_menu() + luci.sys.call("rm -rf /etc/config/homeredirect_show") + luci.http.redirect(luci.dispatcher.build_url("admin", "status", "overview")) +end + 
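Review bot: In `status()` the section name `id` is concatenated into a shell pipeline (`... grep " .. RUNLOG_DIR .. "/" .. id .. " | ...`) without quoting; UCI normally restricts section names to `[A-Za-z0-9_]`, so this is probably not injectable today, but quoting with `luci.util.shellquote` removes that dependency on an invariant enforced elsewhere. The `grep` is also a prefix match (`/tmp/hr/cfg1` matches `/tmp/hr/cfg10.log`), and when it returns more than one PID `tonumber(pid)` yields nil, so that entry silently vanishes from the JSON; matching the full `id .. ".log"` path the init script passes to `-lf` fixes both: `local pid = luci.sys.exec("ps | grep socat | grep -F " .. luci.util.shellquote(RUNLOG_DIR .. "/" .. id .. ".log") .. " | sed '/grep/d' | awk '{print $1}'")`. `show_menu`/`hide_menu` change state through plain GET `call()` entries with no token check visible here; the impact is only menu visibility, but it is worth a comment.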
diff --git a/luci-app-homeredirect/luasrc/model/cbi/homeredirect/settings.lua b/luci-app-homeredirect/luasrc/model/cbi/homeredirect/settings.lua new file mode 100644 index 000000000..f080056c2 --- /dev/null +++ b/luci-app-homeredirect/luasrc/model/cbi/homeredirect/settings.lua 
@@ -0,0 +1,62 @@ +local s = require "luci.sys" +local m, s, o +mp = Map("homeredirect", translate("Home Redirect - Port forwarding utility")) +mp.description = translate("HomeRedirect is a customized port forwarding utility for HomeLede. It supports TCP / UDP protocol, IPv4 and IPv6.") +mp:section(SimpleSection).template = "homeredirect/index" + +s = mp:section(TypedSection, "global") +s.anonymous = true + +enabled = s:option(Flag, "enabled", translate("Master switch")) +enabled.default = 0 +enabled.rmempty = false + +s = mp:section(TypedSection, "redirect", translate("Redirect Configuration")) +s.addremove = true +s.anonymous = true +s.template = "cbi/tblsection" +s.sortable = true + +enabled = s:option(Flag, "enabled", translate("Enabled")) +enabled.rmempty = false + +name = s:option(Value, "name", translate("Name")) +name.optional = false +name.rmempty = false + +proto = s:option(ListValue, "proto", translate("Transport Protocol")) +proto.default = "tcp4" +proto:value("tcp4", "TCP/IPv4") +proto:value("udp4", "UDP/IPv4") +proto:value("tcp6", "TCP/IPv6") +proto:value("udp6", "UDP/IPv6") + +-- src_ip = s:option(Value, "src_ip", translate("Source IP")) +-- src_ip.datatype = "ipaddr" +-- src_ip.optional = false +-- src_ip.rmempty = false + +src_dport = s:option(Value, "src_dport", translate("Source Port")) +src_dport.datatype = "port" +src_dport.optional = false +src_dport.rmempty = false + +dest_ip = s:option(Value, "dest_ip", translate("Destination Address")) +dest_ip.datatype = "ipaddr" +dest_ip.optional = false +dest_ip.rmempty = false + +dest_port = s:option(Value, "dest_port", translate("Destination Port")) +dest_port.datatype = "port" +dest_port.optional = false +dest_port.rmempty = false + +o = s:option(DummyValue, "rs", translate("Status")) +o.default = "检测中..." + +local apply=luci.http.formvalue("cbi.apply") +if apply then + io.popen("/etc/init.d/homeredirect restart") +end + +return mp 
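Review bot: The trailing `if apply then io.popen("/etc/init.d/homeredirect restart") end` runs at model-load time, i.e. before the CBI map has parsed and committed the submitted values, so the service restarts against the previous configuration; it also never closes the popen handle. The uci-defaults in this series already binds `ucitrack.@homeredirect[-1].init=homeredirect`, which LuCI uses to restart the service on apply, so the block can simply be removed; if an explicit hook is wanted, `mp.on_after_commit = function() luci.sys.call("/etc/init.d/homeredirect restart >/dev/null 2>&1") end` is the right place. Minor: `local m, s, o` immediately shadows the `local s = require "luci.sys"` on the line above (so that require is dead), and `mp` is assigned as a global.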
diff --git a/luci-app-homeredirect/luasrc/view/homeredirect/index.htm b/luci-app-homeredirect/luasrc/view/homeredirect/index.htm new file mode 100644 index 000000000..c2788dd38 --- /dev/null +++ b/luci-app-homeredirect/luasrc/view/homeredirect/index.htm @@ -0,0 +1,38 @@ +<% include("cbi/map") %> + \ No newline at end of file diff --git a/luci-app-homeredirect/po/zh-cn/homeredirect.po b/luci-app-homeredirect/po/zh-cn/homeredirect.po new file mode 100644 index 000000000..5a10d14a6 --- /dev/null +++ b/luci-app-homeredirect/po/zh-cn/homeredirect.po @@ -0,0 +1,44 @@ +msgid "Home Redirect" +msgstr "端口转发" + +msgid "HomeRedirect is a customized port forwarding utility for HomeLede. It supports TCP / UDP protocol, IPv4 and IPv6." +msgstr "HomeRedirect是一款为HomeLede定制的端口转发工具,可以将路由上端口访问转发至任意位置,支持TCP/UDP协议,IPv4和IPv6。" + +msgid "Home Redirect - Port forwarding utility" +msgstr "Home Redirect 端口转发" + +msgid "Redirect Configuration" +msgstr "转发设置" + +msgid "Transport Protocol" +msgstr "传输协议" + +msgid "Source Port" +msgstr "路由器端口" + +msgid "Destination Address" +msgstr "转发目标地址" + +msgid "Destination Port" +msgstr "转发目标端口" + +msgid "Name" +msgstr "名称" + +msgid "Source IP" +msgstr "路由器IP" + +msgid "Status" +msgstr "状态" + +msgid "Master switch" +msgstr "总开关" + +msgid "Disabled" +msgstr "未启用" + +msgid "Not running" +msgstr "未运行" + +msgid "Running" +msgstr "运行中" diff --git a/luci-app-homeredirect/po/zh_Hans b/luci-app-homeredirect/po/zh_Hans new file mode 120000 index 000000000..41451e4a1 --- /dev/null +++ b/luci-app-homeredirect/po/zh_Hans @@ -0,0 +1 @@ +zh-cn \ No newline at end of file diff --git a/luci-app-homeredirect/root/etc/config/homeredirect_show b/luci-app-homeredirect/root/etc/config/homeredirect_show new file mode 100644 index 000000000..e69de29bb diff --git a/luci-app-homeredirect/root/etc/uci-defaults/luci-app-homeredirect b/luci-app-homeredirect/root/etc/uci-defaults/luci-app-homeredirect new file mode 100644 index 000000000..7a7c301b8 --- /dev/null 
+++ b/luci-app-homeredirect/root/etc/uci-defaults/luci-app-homeredirect @@ -0,0 +1,19 @@ +#!/bin/sh + +uci -q batch <<-EOF >/dev/null + delete firewall.homeredirect + set firewall.homeredirect=include + set firewall.homeredirect.type=script + set firewall.homeredirect.path=/etc/homeredirect/firewall.include + set firewall.homeredirect.reload=1 +EOF + +uci -q batch <<-EOF >/dev/null + delete ucitrack.@homeredirect[-1] + add ucitrack homeredirect + set ucitrack.@homeredirect[-1].init=homeredirect + commit ucitrack +EOF + +rm -rf /tmp/luci-*cache +exit 0 diff --git a/luci-app-homeredirect/root/usr/share/rpcd/acl.d/luci-app-homeredirect.json b/luci-app-homeredirect/root/usr/share/rpcd/acl.d/luci-app-homeredirect.json new file mode 100644 index 000000000..cea17c469 --- /dev/null +++ b/luci-app-homeredirect/root/usr/share/rpcd/acl.d/luci-app-homeredirect.json @@ -0,0 +1,11 @@ +{ + "luci-app-homeredirect": { + "description": "Grant UCI access for luci-app-homeredirect", + "read": { + "uci": [ "homeredirect" ] + }, + "write": { + "uci": [ "homeredirect" ] + } + } +} diff --git a/luci-app-watchcat/po/lt/watchcat.po b/luci-app-watchcat/po/lt/watchcat.po new file mode 100644 index 000000000..c3214ec59 --- /dev/null +++ b/luci-app-watchcat/po/lt/watchcat.po @@ -0,0 +1,200 @@ +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"PO-Revision-Date: 2023-08-28 01:55+0000\n" +"Last-Translator: Džiugas J \n" +"Language-Team: Lithuanian \n" +"Language: lt\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=3; plural=(n % 10 == 1 && (n % 100 < 11 || n % 100 > " +"19)) ? 0 : ((n % 10 >= 2 && n % 10 <= 9 && (n % 100 < 11 || n % 100 > 19)) ? " +"1 : 2);\n" +"X-Generator: Weblate 5.0.1-dev\n" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:104 +msgid "" +"Applies to Ping Reboot, Restart Interface, and Run Script modes
Specify the interface to monitor and react if a ping over it fails." +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:60 +msgid "Address family for pinging the host" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:94 +msgid "" +"Applies to Ping Reboot and Periodic Reboot modes
When rebooting " +"the router, the service will trigger a soft reboot. Entering a non-zero " +"value here will trigger a delayed hard reboot if the soft reboot were to " +"fail. Enter the number of seconds to wait for the soft reboot to fail or use " +"0 to disable the forced reboot delay." +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:111 +msgid "" +"Applies to Ping Reboot and Restart Interface modes
If using " +"ModemManager, you can have Watchcat restart your ModemManger interface by " +"specifying its name." +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:84 +msgid "Big: 248 bytes" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:70 +msgid "Check Interval" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:93 +msgid "Force Reboot Delay" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:19 +msgid "General Settings" +msgstr "Bendri nustatymai" + +#: applications/luci-app-watchcat/root/usr/share/rpcd/acl.d/luci-app-watchcat.json:3 +msgid "Grant access to LuCI app watchcat" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:12 +msgid "" +"Here you can set up several checks and actions to take in the event that a " +"host becomes unreachable. Click the Add button at the bottom to set " +"up more than one action." +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:52 +msgid "Host To Check" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:71 +msgid "" +"How often to ping the host specified above.

The default unit is " +"seconds, without a suffix, but you can use the suffix m for minutes, " +"h for hours or d for days.

Examples:
  • 10 " +"seconds would be: 10 or 10s
  • 5 minutes would be: 5m
  • 1 hour would be: 1h
  • 1 week would be: 7d
      " +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:85 +msgid "Huge: 1492 bytes" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:52 +msgid "IP address or hostname to ping." +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:118 +msgid "" +"If using ModemManager, then before restarting the interface, set the modem " +"to be allowed to use any band." +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:41 +msgid "" +"In Periodic Reboot mode, it defines how often to reboot.
      In Ping " +"Reboot mode, it defines the longest period of time without a reply from the " +"Host To Check before a reboot is engaged.
      In Network Restart or Run " +"Script mode, it defines the longest period of time without a reply from the " +"Host to Check before the interface is restarted or the script is run.

      The default unit is seconds, without a suffix, but you can use the " +"suffix m for minutes, h for hours or d for days.

      Examples:
      • 10 seconds would be: 10 or 10s
      • 5 minutes would be: 5m
      • 1 hour would be: 1h
      • 1 week would be: 7d
        • " +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:102 +msgid "Interface" +msgstr "Sąsaja ir Sietuvas" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:103 +msgid "Interface to monitor and/or restart" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:86 +msgid "Jumbo: 9000 bytes" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:22 +msgid "Mode" +msgstr "Režimas" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:110 +msgid "Name of ModemManager Interface" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:40 +msgid "Period" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:28 +msgid "Periodic Reboot" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:80 +msgid "Ping Packet Size" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:27 +msgid "Ping Reboot" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:23 +msgid "" +"Ping Reboot: Reboot this device if a ping to a specified host fails for a " +"specified duration of time.
          Periodic Reboot: Reboot this device after " +"a specified interval of time.
          Restart Interface: Restart a network " +"interface if a ping to a specified host fails for a specified duration of " +"time.
          Run Script: Run a script if a ping to a specified host fails " +"for a specified duration of time.
          " +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:29 +msgid "Restart Interface" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:30 +msgid "Run Script" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:33 +msgid "Script to run" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:34 +msgid "" +"Script to run when the host has not responded for the specified duration of " +"time. The script is passed the interface name as $1" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:81 +msgid "Small: 1 byte" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:83 +msgid "Standard: 56 bytes" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:15 +msgid "These rules will govern how this device reacts to network events." +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:117 +msgid "Unlock Modem Bands" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:11 +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:15 +#: applications/luci-app-watchcat/root/usr/share/luci/menu.d/luci-app-watchcat.json:3 +msgid "Watchcat" +msgstr "" + +#: applications/luci-app-watchcat/htdocs/luci-static/resources/view/watchcat.js:82 +msgid "Windows: 32 bytes" +msgstr "" diff --git a/mbedtls/Config.in b/mbedtls/Config.in deleted file mode 100644 index 92d7180f5..000000000 --- a/mbedtls/Config.in +++ /dev/null 
@@ -1,203 +0,0 @@ -if PACKAGE_libmbedtls - -comment "Option details in source code: include/mbedtls/mbedtls_config.h" - -comment "Ciphers - unselect old or less-used ciphers to reduce binary size" - -config MBEDTLS_AES_C - bool "MBEDTLS_AES_C" - default y - -config MBEDTLS_CAMELLIA_C - bool "MBEDTLS_CAMELLIA_C" - default n - -config MBEDTLS_CCM_C - bool "MBEDTLS_CCM_C" - default n - -config MBEDTLS_CMAC_C - bool "MBEDTLS_CMAC_C (old but used by hostapd)" - default y - -config MBEDTLS_DES_C - bool "MBEDTLS_DES_C (old but used by hostapd)" - default y - -config MBEDTLS_GCM_C - bool "MBEDTLS_GCM_C" - default y - -config MBEDTLS_NIST_KW_C - bool "MBEDTLS_NIST_KW_C (old but used by hostapd)" - default y - -config MBEDTLS_RIPEMD160_C - bool "MBEDTLS_RIPEMD160_C" - default n - -config MBEDTLS_XTEA_C - bool "MBEDTLS_XTEA_C" - default n - -config MBEDTLS_RSA_NO_CRT - bool "MBEDTLS_RSA_NO_CRT" - default y - -config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED - bool "MBEDTLS_KEY_EXCHANGE_PSK_ENABLED" - default y - -config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED - bool "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED" - default n - -config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED - bool "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED" - default y - -config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED - bool "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED" - default n - -config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED - bool "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED" - default n - -config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED - bool "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED" - default n - -config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - bool "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED" - default y - -config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - bool "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED" - default y - -config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - bool "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED" - default n - -config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - bool "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED" - default n - -comment "Curves - unselect 
old or less-used curves to reduce binary size" - -config MBEDTLS_ECP_DP_SECP192R1_ENABLED - bool "MBEDTLS_ECP_DP_SECP192R1_ENABLED" - default n - -config MBEDTLS_ECP_DP_SECP224R1_ENABLED - bool "MBEDTLS_ECP_DP_SECP224R1_ENABLED" - default n - -config MBEDTLS_ECP_DP_SECP256R1_ENABLED - bool "MBEDTLS_ECP_DP_SECP256R1_ENABLED" - default y - -config MBEDTLS_ECP_DP_SECP384R1_ENABLED - bool "MBEDTLS_ECP_DP_SECP384R1_ENABLED" - default y - -config MBEDTLS_ECP_DP_SECP521R1_ENABLED - bool "MBEDTLS_ECP_DP_SECP521R1_ENABLED" - default n - -config MBEDTLS_ECP_DP_SECP192K1_ENABLED - bool "MBEDTLS_ECP_DP_SECP192K1_ENABLED" - default n - -config MBEDTLS_ECP_DP_SECP224K1_ENABLED - bool "MBEDTLS_ECP_DP_SECP224K1_ENABLED" - default n - -config MBEDTLS_ECP_DP_SECP256K1_ENABLED - bool "MBEDTLS_ECP_DP_SECP256K1_ENABLED" - default y - -config MBEDTLS_ECP_DP_BP256R1_ENABLED - bool "MBEDTLS_ECP_DP_BP256R1_ENABLED" - default n - -config MBEDTLS_ECP_DP_BP384R1_ENABLED - bool "MBEDTLS_ECP_DP_BP384R1_ENABLED" - default n - -config MBEDTLS_ECP_DP_BP512R1_ENABLED - bool "MBEDTLS_ECP_DP_BP512R1_ENABLED" - default n - -config MBEDTLS_ECP_DP_CURVE25519_ENABLED - bool "MBEDTLS_ECP_DP_CURVE25519_ENABLED" - default y - -config MBEDTLS_ECP_DP_CURVE448_ENABLED - bool "MBEDTLS_ECP_DP_CURVE448_ENABLED" - default n - -comment "Build Options - unselect features to reduce binary size" - -config MBEDTLS_ARMV8CE_AES_C - bool "MBEDTLS_ARMV8CE_AES_C" - default y - depends on aarch64 && !TARGET_bcm27xx - -config MBEDTLS_CERTS_C - bool "MBEDTLS_CERTS_C" - default n - -config MBEDTLS_CIPHER_MODE_OFB - bool "MBEDTLS_CIPHER_MODE_OFB" - default n - -config MBEDTLS_CIPHER_MODE_XTS - bool "MBEDTLS_CIPHER_MODE_XTS" - default n - -config MBEDTLS_DEBUG_C - bool "MBEDTLS_DEBUG_C" - default n - -config MBEDTLS_HAVE_SSE2 - bool "MBEDTLS_HAVE_SSE2" - default y - depends on TARGET_x86_generic || TARGET_x86_64 - -config MBEDTLS_HKDF_C - bool "MBEDTLS_HKDF_C" - default n - -config MBEDTLS_PLATFORM_C - bool "MBEDTLS_PLATFORM_C" - 
default n - -config MBEDTLS_SELF_TEST - bool "MBEDTLS_SELF_TEST" - default n - -config MBEDTLS_SSL_TRUNCATED_HMAC - bool "MBEDTLS_SSL_TRUNCATED_HMAC" - default n - -config MBEDTLS_VERSION_C - bool "MBEDTLS_VERSION_C" - default n - -config MBEDTLS_VERSION_FEATURES - bool "MBEDTLS_VERSION_FEATURES" - default n - -comment "Build Options" - -config MBEDTLS_ENTROPY_FORCE_SHA256 - bool "MBEDTLS_ENTROPY_FORCE_SHA256" - default y - -config MBEDTLS_SSL_RENEGOTIATION - bool "MBEDTLS_SSL_RENEGOTIATION" - default n - -endif diff --git a/mbedtls/Makefile b/mbedtls/Makefile deleted file mode 100644 index fe3f14e38..000000000 --- a/mbedtls/Makefile +++ /dev/null 
@@ -1,167 +0,0 @@ -# -# Copyright (C) 2011-2015 OpenWrt.org -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# - -include $(TOPDIR)/rules.mk - -PKG_NAME:=mbedtls -PKG_VERSION:=2.28.4 -PKG_RELEASE:=1 -PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto - -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=578c4dcd15bbff3f5cd56aa07cd4f850fc733634e3d5947be4f7157d5bfd81ac - -PKG_LICENSE:=GPL-2.0-or-later -PKG_LICENSE_FILES:=gpl-2.0.txt -PKG_CPE_ID:=cpe:/a:arm:mbed_tls - -MBEDTLS_BUILD_OPTS_CURVES= \ - CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED \ - CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED \ - CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED \ - CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED \ - CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED \ - CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED \ - CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED \ - CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED \ - CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED \ - CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED \ - CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED \ - CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED \ - CONFIG_MBEDTLS_ECP_DP_CURVE448_ENABLED - -MBEDTLS_BUILD_OPTS_CIPHERS= \ - CONFIG_MBEDTLS_AES_C \ - CONFIG_MBEDTLS_CAMELLIA_C \ - CONFIG_MBEDTLS_CCM_C \ - CONFIG_MBEDTLS_CMAC_C \ - CONFIG_MBEDTLS_DES_C \ - CONFIG_MBEDTLS_GCM_C \ - CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED \ - CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED \ - CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED \ - CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ - CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \ - CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \ - CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \ - CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED \ - CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \ - CONFIG_MBEDTLS_NIST_KW_C \ - CONFIG_MBEDTLS_RIPEMD160_C \ - CONFIG_MBEDTLS_RSA_NO_CRT \ - 
CONFIG_MBEDTLS_XTEA_C - -MBEDTLS_BUILD_OPTS= \ - $(MBEDTLS_BUILD_OPTS_CURVES) \ - $(MBEDTLS_BUILD_OPTS_CIPHERS) \ - CONFIG_MBEDTLS_ARMV8CE_AES_C \ - CONFIG_MBEDTLS_CERTS_C \ - CONFIG_MBEDTLS_CIPHER_MODE_OFB \ - CONFIG_MBEDTLS_CIPHER_MODE_XTS \ - CONFIG_MBEDTLS_DEBUG_C \ - CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256 \ - CONFIG_MBEDTLS_HAVE_SSE2 \ - CONFIG_MBEDTLS_HKDF_C \ - CONFIG_MBEDTLS_PLATFORM_C \ - CONFIG_MBEDTLS_SELF_TEST \ - CONFIG_MBEDTLS_SSL_RENEGOTIATION \ - CONFIG_MBEDTLS_SSL_TRUNCATED_HMAC \ - CONFIG_MBEDTLS_VERSION_C \ - CONFIG_MBEDTLS_VERSION_FEATURES - -PKG_CONFIG_DEPENDS := $(MBEDTLS_BUILD_OPTS) - -include $(INCLUDE_DIR)/package.mk -include $(INCLUDE_DIR)/cmake.mk - -define Package/mbedtls/Default - TITLE:=Embedded SSL - URL:=https://tls.mbed.org -endef - -define Package/mbedtls/Default/description -The aim of the mbedtls project is to provide a quality, open-source -cryptographic library written in C and targeted at embedded systems. -endef - -define Package/libmbedtls -$(call Package/mbedtls/Default) - SECTION:=libs - CATEGORY:=Libraries - SUBMENU:=SSL - TITLE+= (library) - ABI_VERSION:=12 - MENU:=1 -endef - -define Package/libmbedtls/config - source "$(SOURCE)/Config.in" -endef - -define Package/mbedtls-util -$(call Package/mbedtls/Default) - SECTION:=utils - CATEGORY:=Utilities - TITLE+= (utilities) - DEPENDS:=+libmbedtls -endef - -define Package/libmbedtls/description -$(call Package/mbedtls/Default/description) -This package contains the mbedtls library. 
-endef - -define Package/mbedtls-util/description -$(call Package/mbedtls/Default/description) -This package contains mbedtls helper programs for private key and -CSR generation (gen_key, cert_req) -endef - -TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -ifneq ($(CONFIG_MBEDTLS_ARMV8CE_AES_C),) - TARGET_CFLAGS := $(filter-out -march=%,$(TARGET_CFLAGS)) -march=armv8-a+crypto -endif - -CMAKE_OPTIONS += \ - -DCMAKE_POSITION_INDEPENDENT_CODE=ON \ - -DUSE_SHARED_MBEDTLS_LIBRARY:Bool=ON \ - -DENABLE_TESTING:Bool=OFF \ - -DENABLE_PROGRAMS:Bool=ON - -define Build/Prepare - $(call Build/Prepare/Default) - - $(if $(strip $(foreach opt,$(MBEDTLS_BUILD_OPTS),$($(opt)))), - $(foreach opt,$(MBEDTLS_BUILD_OPTS), - $(PKG_BUILD_DIR)/scripts/config.py \ - -f $(PKG_BUILD_DIR)/include/mbedtls/config.h \ - $(if $($(opt)),set,unset) $(patsubst CONFIG_%,%,$(opt))),) -endef - -define Build/InstallDev - $(INSTALL_DIR) $(1)/usr/include - $(CP) $(PKG_INSTALL_DIR)/usr/include/mbedtls $(1)/usr/include/ - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so* $(1)/usr/lib/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.a $(1)/usr/lib/ -endef - -define Package/libmbedtls/install - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib*.so.* $(1)/usr/lib/ -endef - -define Package/mbedtls-util/install - $(INSTALL_DIR) $(1)/usr/bin - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/gen_key $(1)/usr/bin/ - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/cert_req $(1)/usr/bin/ -endef - -$(eval $(call BuildPackage,libmbedtls)) -$(eval $(call BuildPackage,mbedtls-util)) diff --git a/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch b/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch deleted file mode 100644 index 02632cdb4..000000000 --- a/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch +++ /dev/null 
@@ -1,197 +0,0 @@ -From eb9d4fdf1846e688d51d86a9a50f0312aca2af25 Mon Sep 17 00:00:00 2001 -From: Glenn Strauss -Date: Sun, 23 Oct 2022 19:48:18 -0400 -Subject: [PATCH] x509 crt verify SAN iPAddress - -Signed-off-by: Glenn Strauss ---- - include/mbedtls/x509_crt.h | 2 +- - library/x509_crt.c | 126 ++++++++++++++++++++++++++++++------- - 2 files changed, 103 insertions(+), 25 deletions(-) - ---- a/include/mbedtls/x509_crt.h -+++ b/include/mbedtls/x509_crt.h -@@ -608,7 +608,7 @@ int mbedtls_x509_crt_verify_info(char *b - * \param cn The expected Common Name. This will be checked to be - * present in the certificate's subjectAltNames extension or, - * if this extension is absent, as a CN component in its -- * Subject name. Currently only DNS names are supported. This -+ * Subject name. DNS names and IP addresses are supported. This - * may be \c NULL if the CN need not be verified. - * \param flags The address at which to store the result of the verification. - * If the verification couldn't be completed, the flag value is ---- a/library/x509_crt.c -+++ b/library/x509_crt.c -@@ -57,6 +57,10 @@ - - #if defined(MBEDTLS_HAVE_TIME) - #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) -+#define WIN32_LEAN_AND_MEAN -+#ifndef _WIN32_WINNT -+#define _WIN32_WINNT 0x0600 -+#endif - #include - #else - #include -@@ -3001,6 +3005,61 @@ find_parent: - } - } - -+#ifdef _WIN32 -+#ifdef _MSC_VER -+#pragma comment(lib, "ws2_32.lib") -+#include -+#include -+#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600 -+#include -+#include -+#endif -+#elif defined(__sun) -+/* Solaris requires -lsocket -lnsl for inet_pton() */ -+#elif defined(__has_include) -+#if __has_include() -+#include -+#endif -+#if __has_include() -+#include -+#endif -+#endif -+ -+/* Use whether or not AF_INET6 is defined to indicate whether or not to use -+ * the platform inet_pton() or a local implementation (below). 
The local -+ * implementation may be used even in cases where the platform provides -+ * inet_pton(), e.g. when there are different includes required and/or the -+ * platform implementation requires dependencies on additional libraries. -+ * Specifically, Windows requires custom includes and additional link -+ * dependencies, and Solaris requires additional link dependencies. -+ * Also, as a coarse heuristic, use the local implementation if the compiler -+ * does not support __has_include(), or if the definition of AF_INET6 is not -+ * provided by headers included (or not) via __has_include() above. */ -+#ifndef AF_INET6 -+ -+#define x509_cn_inet_pton(cn, dst) (0) -+ -+#else -+ -+static int x509_inet_pton_ipv6(const char *src, void *dst) -+{ -+ return inet_pton(AF_INET6, src, dst) == 1 ? 0 : -1; -+} -+ -+static int x509_inet_pton_ipv4(const char *src, void *dst) -+{ -+ return inet_pton(AF_INET, src, dst) == 1 ? 0 : -1; -+} -+ -+#endif /* AF_INET6 */ -+ -+static size_t x509_cn_inet_pton(const char *cn, void *dst) -+{ -+ return strchr(cn, ':') == NULL -+ ? x509_inet_pton_ipv4(cn, dst) == 0 ? 4 : 0 -+ : x509_inet_pton_ipv6(cn, dst) == 0 ? 
16 : 0; -+} -+ - /* - * Check for CN match - */ -@@ -3021,24 +3080,51 @@ static int x509_crt_check_cn(const mbedt - return -1; - } - -+static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san, -+ const char *cn, size_t cn_len) -+{ -+ uint32_t ip[4]; -+ cn_len = x509_cn_inet_pton(cn, ip); -+ if (cn_len == 0) { -+ return -1; -+ } -+ -+ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) { -+ const unsigned char san_type = (unsigned char) cur->buf.tag & -+ MBEDTLS_ASN1_TAG_VALUE_MASK; -+ if (san_type == MBEDTLS_X509_SAN_IP_ADDRESS && -+ cur->buf.len == cn_len && memcmp(cur->buf.p, ip, cn_len) == 0) { -+ return 0; -+ } -+ } -+ -+ return -1; -+} -+ - /* - * Check for SAN match, see RFC 5280 Section 4.2.1.6 - */ --static int x509_crt_check_san(const mbedtls_x509_buf *name, -+static int x509_crt_check_san(const mbedtls_x509_sequence *san, - const char *cn, size_t cn_len) - { -- const unsigned char san_type = (unsigned char) name->tag & -- MBEDTLS_ASN1_TAG_VALUE_MASK; -- -- /* dNSName */ -- if (san_type == MBEDTLS_X509_SAN_DNS_NAME) { -- return x509_crt_check_cn(name, cn, cn_len); -+ int san_ip = 0; -+ for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) { -+ switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) { -+ case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */ -+ if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) { -+ return 0; -+ } -+ break; -+ case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */ -+ san_ip = 1; -+ break; -+ /* (We may handle other types here later.) */ -+ default: /* Unrecognized type */ -+ break; -+ } - } - -- /* (We may handle other types here later.) */ -- -- /* Unrecognized type */ -- return -1; -+ return san_ip ? 
x509_crt_check_san_ip(san, cn, cn_len) : -1; - } - - /* -@@ -3049,31 +3135,23 @@ static void x509_crt_verify_name(const m - uint32_t *flags) - { - const mbedtls_x509_name *name; -- const mbedtls_x509_sequence *cur; - size_t cn_len = strlen(cn); - - if (crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME) { -- for (cur = &crt->subject_alt_names; cur != NULL; cur = cur->next) { -- if (x509_crt_check_san(&cur->buf, cn, cn_len) == 0) { -- break; -- } -- } -- -- if (cur == NULL) { -- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; -+ if (x509_crt_check_san(&crt->subject_alt_names, cn, cn_len) == 0) { -+ return; - } - } else { - for (name = &crt->subject; name != NULL; name = name->next) { - if (MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &name->oid) == 0 && - x509_crt_check_cn(&name->val, cn, cn_len) == 0) { -- break; -+ return; - } - } - -- if (name == NULL) { -- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; -- } - } -+ -+ *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; - } - - /* diff --git a/mbedtls/patches/101-remove-test.patch b/mbedtls/patches/101-remove-test.patch deleted file mode 100644 index e43f8757d..000000000 --- a/mbedtls/patches/101-remove-test.patch +++ /dev/null @@ -1,15 +0,0 @@ ---- a/programs/CMakeLists.txt -+++ b/programs/CMakeLists.txt -@@ -1,12 +1,8 @@ - add_subdirectory(aes) --if (NOT WIN32) -- add_subdirectory(fuzz) --endif() - add_subdirectory(hash) - add_subdirectory(pkey) - add_subdirectory(psa) - add_subdirectory(random) - add_subdirectory(ssl) --add_subdirectory(test) - add_subdirectory(util) - add_subdirectory(x509) diff --git a/mbedtls/patches/200-Implements-AES-and-GCM-with-ARMv8-Crypto-Extensions.patch b/mbedtls/patches/200-Implements-AES-and-GCM-with-ARMv8-Crypto-Extensions.patch deleted file mode 100644 index 3633b35f6..000000000 --- a/mbedtls/patches/200-Implements-AES-and-GCM-with-ARMv8-Crypto-Extensions.patch +++ /dev/null 
@@ -1,390 +0,0 @@ -From dfb6015ca79a9fee28f7fcb0af7e350a83574b83 Mon Sep 17 00:00:00 2001 -From: "Markku-Juhani O. Saarinen" -Date: Mon, 20 Nov 2017 14:58:41 +0000 -Subject: Implements AES and GCM with ARMv8 Crypto Extensions - -A compact patch that provides AES and GCM implementations that utilize the -ARMv8 Crypto Extensions. The config flag is MBEDTLS_ARMV8CE_AES_C, which -is disabled by default as we don't do runtime checking for the feature. -The new implementation lives in armv8ce_aes.c. - -Provides similar functionality to https://github.com/ARMmbed/mbedtls/pull/432 -Thanks to Barry O'Rourke and others for that contribtion. - -Tested on a Cortex A53 device and QEMU. On a midrange phone the real AES-GCM -throughput increases about 4x, while raw AES speed is up to 10x faster. - -When cross-compiling, you want to set something like: - - export CC='aarch64-linux-gnu-gcc' - export CFLAGS='-Ofast -march=armv8-a+crypto' - scripts/config.pl set MBEDTLS_ARMV8CE_AES_C - -QEMU seems to also need - - export LDFLAGS='-static' - -Then run normal make or cmake etc. ---- - ---- /dev/null -+++ b/ChangeLog.d/armv8_crypto_extensions.txt -@@ -0,0 +1,2 @@ -+Features -+ * Support ARMv8 Cryptography Extensions for AES and GCM. ---- /dev/null -+++ b/include/mbedtls/armv8ce_aes.h -@@ -0,0 +1,63 @@ -+/** -+ * \file armv8ce_aes.h -+ * -+ * \brief ARMv8 Cryptography Extensions -- Optimized code for AES and GCM -+ */ -+ -+/* -+ * -+ * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved -+ * SPDX-License-Identifier: Apache-2.0 -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); you may -+ * not use this file except in compliance with the License. 
-+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. -+ * -+ * This file is part of mbed TLS (https://tls.mbed.org) -+ */ -+ -+#ifndef MBEDTLS_ARMV8CE_AES_H -+#define MBEDTLS_ARMV8CE_AES_H -+ -+#include "aes.h" -+ -+/** -+ * \brief [ARMv8 Crypto Extensions] AES-ECB block en(de)cryption -+ * -+ * \param ctx AES context -+ * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT -+ * \param input 16-byte input block -+ * \param output 16-byte output block -+ * -+ * \return 0 on success (cannot fail) -+ */ -+ -+int mbedtls_armv8ce_aes_crypt_ecb( mbedtls_aes_context *ctx, -+ int mode, -+ const unsigned char input[16], -+ unsigned char output[16] ); -+ -+/** -+ * \brief [ARMv8 Crypto Extensions] Multiply in GF(2^128) for GCM -+ * -+ * \param c Result -+ * \param a First operand -+ * \param b Second operand -+ * -+ * \note Both operands and result are bit strings interpreted as -+ * elements of GF(2^128) as per the GCM spec. 
-+ */ -+ -+void mbedtls_armv8ce_gcm_mult( unsigned char c[16], -+ const unsigned char a[16], -+ const unsigned char b[16] ); -+ -+#endif /* MBEDTLS_ARMV8CE_AES_H */ ---- a/include/mbedtls/check_config.h -+++ b/include/mbedtls/check_config.h -@@ -69,6 +69,10 @@ - #error "MBEDTLS_HAVE_TIME_DATE without MBEDTLS_HAVE_TIME does not make sense" - #endif - -+#if defined(MBEDTLS_ARMV8CE_AES_C) && !defined(MBEDTLS_HAVE_ASM) -+#error "MBEDTLS_ARMV8CE_AES_C defined, but not all prerequisites" -+#endif -+ - #if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C) - #error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites" - #endif -@@ -959,3 +963,4 @@ typedef int mbedtls_iso_c_forbids_empty_ - - /* *INDENT-ON* */ - #endif /* MBEDTLS_CHECK_CONFIG_H */ -+ ---- a/include/mbedtls/config.h -+++ b/include/mbedtls/config.h -@@ -46,6 +46,7 @@ - * Requires support for asm() in compiler. - * - * Used in: -+ * library/armv8ce_aes.c - * library/aria.c - * library/timing.c - * include/mbedtls/bn_mul.h -@@ -2374,6 +2375,21 @@ - #define MBEDTLS_AESNI_C - - /** -+ * \def MBEDTLS_ARMV8CE_AES_C -+ * -+ * Enable ARMv8 Crypto Extensions for AES and GCM -+ * -+ * Module: library/armv8ce_aes.c -+ * Caller: library/aes.c -+ * library/gcm.c -+ * -+ * Requires: MBEDTLS_HAVE_ASM -+ * -+ * This module adds support for Armv8 Cryptography Extensions for AES and GCM. -+ */ -+//#define MBEDTLS_ARMV8CE_AES_C -+ -+/** - * \def MBEDTLS_AES_C - * - * Enable the AES block cipher. 
---- a/library/aes.c -+++ b/library/aes.c -@@ -39,7 +39,9 @@ - #if defined(MBEDTLS_AESNI_C) - #include "mbedtls/aesni.h" - #endif -- -+#if defined(MBEDTLS_ARMV8CE_AES_C) -+#include "mbedtls/armv8ce_aes.h" -+#endif - #include "mbedtls/platform.h" - - #if !defined(MBEDTLS_AES_ALT) -@@ -1040,6 +1042,11 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_co - } - #endif - -+#if defined(MBEDTLS_ARMV8CE_AES_C) -+ // We don't do runtime checking for ARMv8 Crypto Extensions -+ return mbedtls_armv8ce_aes_crypt_ecb( ctx, mode, input, output ); -+#endif -+ - #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) - if (aes_padlock_ace) { - return mbedtls_padlock_xcryptecb(ctx, mode, input, output); ---- /dev/null -+++ b/library/armv8ce_aes.c -@@ -0,0 +1,142 @@ -+/* -+ * ARMv8 Cryptography Extensions -- Optimized code for AES and GCM -+ * -+ * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved -+ * SPDX-License-Identifier: Apache-2.0 -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); you may -+ * not use this file except in compliance with the License. -+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. 
-+ * -+ * This file is part of mbed TLS (https://tls.mbed.org) -+ */ -+ -+#if !defined(MBEDTLS_CONFIG_FILE) -+#include "mbedtls/config.h" -+#else -+#include MBEDTLS_CONFIG_FILE -+#endif -+ -+#if defined(MBEDTLS_ARMV8CE_AES_C) -+ -+#include -+#include "mbedtls/armv8ce_aes.h" -+ -+#ifndef asm -+#define asm __asm -+#endif -+ -+/* -+ * [Armv8 Cryptography Extensions] AES-ECB block en(de)cryption -+ */ -+ -+#if defined(MBEDTLS_AES_C) -+ -+int mbedtls_armv8ce_aes_crypt_ecb( mbedtls_aes_context *ctx, -+ int mode, -+ const unsigned char input[16], -+ unsigned char output[16] ) -+{ -+ unsigned int i; -+ const uint8_t *rk; -+ uint8x16_t x, k; -+ -+ x = vld1q_u8( input ); /* input block */ -+ rk = (const uint8_t *) ctx->rk; /* round keys */ -+ -+ if( mode == MBEDTLS_AES_ENCRYPT ) -+ { -+ for( i = ctx->nr - 1; i != 0; i-- ) /* encryption loop */ -+ { -+ k = vld1q_u8( rk ); -+ rk += 16; -+ x = vaeseq_u8( x, k ); -+ x = vaesmcq_u8( x ); -+ } -+ k = vld1q_u8( rk ); -+ rk += 16; -+ x = vaeseq_u8( x, k ); -+ } -+ else -+ { -+ for( i = ctx->nr - 1; i != 0 ; i-- ) /* decryption loop */ -+ { -+ k = vld1q_u8( rk ); -+ rk += 16; -+ x = vaesdq_u8( x, k ); -+ x = vaesimcq_u8( x ); -+ } -+ k = vld1q_u8( rk ); -+ rk += 16; -+ x = vaesdq_u8( x, k ); -+ } -+ -+ k = vld1q_u8( rk ); /* final key just XORed */ -+ x = veorq_u8( x, k ); -+ vst1q_u8( output, x ); /* write out */ -+ -+ return ( 0 ); -+} -+ -+#endif /* MBEDTLS_AES_C */ -+ -+ -+/* -+ * [Armv8 Cryptography Extensions] Multiply in GF(2^128) for GCM -+ */ -+ -+#if defined(MBEDTLS_GCM_C) -+ -+void mbedtls_armv8ce_gcm_mult( unsigned char c[16], -+ const unsigned char a[16], -+ const unsigned char b[16] ) -+{ -+ /* GCM's GF(2^128) polynomial basis is x^128 + x^7 + x^2 + x + 1 */ -+ const uint64x2_t base = { 0, 0x86 }; /* note missing LS bit */ -+ -+ register uint8x16_t vc asm( "v0" ); /* named registers */ -+ register uint8x16_t va asm( "v1" ); /* (to avoid conflict) */ -+ register uint8x16_t vb asm( "v2" ); -+ register uint64x2_t vp asm( 
"v3" ); -+ -+ va = vld1q_u8( a ); /* load inputs */ -+ vb = vld1q_u8( b ); -+ vp = base; -+ -+ asm ( -+ "rbit %1.16b, %1.16b \n\t" /* reverse bit order */ -+ "rbit %2.16b, %2.16b \n\t" -+ "pmull2 %0.1q, %1.2d, %2.2d \n\t" /* v0 = a.hi * b.hi */ -+ "pmull2 v4.1q, %0.2d, %3.2d \n\t" /* mul v0 by x^64, reduce */ -+ "ext %0.16b, %0.16b, %0.16b, #8 \n\t" -+ "eor %0.16b, %0.16b, v4.16b \n\t" -+ "ext v5.16b, %2.16b, %2.16b, #8 \n\t" /* (swap hi and lo in b) */ -+ "pmull v4.1q, %1.1d, v5.1d \n\t" /* v0 ^= a.lo * b.hi */ -+ "eor %0.16b, %0.16b, v4.16b \n\t" -+ "pmull2 v4.1q, %1.2d, v5.2d \n\t" /* v0 ^= a.hi * b.lo */ -+ "eor %0.16b, %0.16b, v4.16b \n\t" -+ "pmull2 v4.1q, %0.2d, %3.2d \n\t" /* mul v0 by x^64, reduce */ -+ "ext %0.16b, %0.16b, %0.16b, #8 \n\t" -+ "eor %0.16b, %0.16b, v4.16b \n\t" -+ "pmull v4.1q, %1.1d, %2.1d \n\t" /* v0 ^= a.lo * b.lo */ -+ "eor %0.16b, %0.16b, v4.16b \n\t" -+ "rbit %0.16b, %0.16b \n\t" /* reverse bits for output */ -+ : "=w" (vc) /* q0: output */ -+ : "w" (va), "w" (vb), "w" (vp) /* q1, q2: input */ -+ : "v4", "v5" /* q4, q5: clobbered */ -+ ); -+ -+ vst1q_u8( c, vc ); /* write out */ -+} -+ -+#endif /* MBEDTLS_GCM_C */ -+ -+#endif /* MBEDTLS_ARMV8CE_AES_C */ ---- a/library/CMakeLists.txt -+++ b/library/CMakeLists.txt -@@ -15,6 +15,7 @@ set(src_crypto - aesni.c - arc4.c - aria.c -+ armv8ce_aes.c - asn1parse.c - asn1write.c - base64.c ---- a/library/gcm.c -+++ b/library/gcm.c -@@ -42,6 +42,10 @@ - #include "mbedtls/aesni.h" - #endif - -+#if defined(MBEDTLS_ARMV8CE_AES_C) -+#include "mbedtls/armv8ce_aes.h" -+#endif -+ - #if !defined(MBEDTLS_GCM_ALT) - - /* Parameter validation macros */ -@@ -80,6 +84,12 @@ static int gcm_gen_table(mbedtls_gcm_con - return ret; - } - -+#if defined(MBEDTLS_ARMV8CE_AES_C) -+ // we don't do feature testing with ARMv8 cryptography extensions -+ memcpy( ctx ->HL, h, 16 ); // put H at the beginning of buffer -+ return( 0 ); // that's all we need -+#endif -+ - /* pack h as two 64-bits ints, big-endian */ - hi = 
MBEDTLS_GET_UINT32_BE(h, 0); - lo = MBEDTLS_GET_UINT32_BE(h, 4); -@@ -190,6 +200,11 @@ static void gcm_mult(mbedtls_gcm_context - unsigned char lo, hi, rem; - uint64_t zh, zl; - -+#if defined(MBEDTLS_ARMV8CE_AES_C) -+ mbedtls_armv8ce_gcm_mult( output, x, (const unsigned char *) ctx->HL ); -+ return; -+#endif -+ - #if defined(MBEDTLS_AESNI_HAVE_CODE) - if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) { - unsigned char h[16]; ---- a/library/Makefile -+++ b/library/Makefile -@@ -74,6 +74,7 @@ OBJS_CRYPTO= \ - aria.o \ - asn1parse.o \ - asn1write.o \ -+ armv8ce_aes.o \ - base64.o \ - bignum.o \ - blowfish.o \ ---- a/library/version_features.c -+++ b/library/version_features.c -@@ -624,6 +624,9 @@ static const char * const features[] = { - #if defined(MBEDTLS_AESNI_C) - "MBEDTLS_AESNI_C", - #endif /* MBEDTLS_AESNI_C */ -+#if defined(MBEDTLS_ARMV8CE_AES_C) -+ "MBEDTLS_ARMV8CE_AES_C", -+#endif /* MBEDTLS_ARMV8CE_AES_C */ - #if defined(MBEDTLS_AES_C) - "MBEDTLS_AES_C", - #endif /* MBEDTLS_AES_C */ diff --git a/miniupnpd/Makefile b/miniupnpd-iptables/Makefile similarity index 100% rename from miniupnpd/Makefile rename to miniupnpd-iptables/Makefile diff --git a/miniupnpd/files/firewall.include b/miniupnpd-iptables/files/firewall.include similarity index 100% rename from miniupnpd/files/firewall.include rename to miniupnpd-iptables/files/firewall.include diff --git a/miniupnpd/files/miniupnpd.defaults b/miniupnpd-iptables/files/miniupnpd.defaults similarity index 100% rename from miniupnpd/files/miniupnpd.defaults rename to miniupnpd-iptables/files/miniupnpd.defaults diff --git a/miniupnpd/files/miniupnpd.hotplug b/miniupnpd-iptables/files/miniupnpd.hotplug similarity index 100% rename from miniupnpd/files/miniupnpd.hotplug rename to miniupnpd-iptables/files/miniupnpd.hotplug 
diff --git a/miniupnpd/files/miniupnpd.init b/miniupnpd-iptables/files/miniupnpd.init similarity index 100% rename from miniupnpd/files/miniupnpd.init rename to miniupnpd-iptables/files/miniupnpd.init diff --git a/miniupnpd/files/upnpd.config b/miniupnpd-iptables/files/upnpd.config similarity index 100% rename from miniupnpd/files/upnpd.config rename to miniupnpd-iptables/files/upnpd.config diff --git a/miniupnpd/patches/100-no-daemon.patch b/miniupnpd-iptables/patches/100-no-daemon.patch similarity index 100% rename from miniupnpd/patches/100-no-daemon.patch rename to miniupnpd-iptables/patches/100-no-daemon.patch diff --git a/miniupnpd/patches/101-no-ssl-uuid.patch b/miniupnpd-iptables/patches/101-no-ssl-uuid.patch similarity index 100% rename from miniupnpd/patches/101-no-ssl-uuid.patch rename to miniupnpd-iptables/patches/101-no-ssl-uuid.patch diff --git a/miniupnpd/patches/102-ipv6-ext-port.patch b/miniupnpd-iptables/patches/102-ipv6-ext-port.patch similarity index 100% rename from miniupnpd/patches/102-ipv6-ext-port.patch rename to miniupnpd-iptables/patches/102-ipv6-ext-port.patch diff --git a/miniupnpd/patches/103-no-ipv6-autodetection.patch b/miniupnpd-iptables/patches/103-no-ipv6-autodetection.patch similarity index 100% rename from miniupnpd/patches/103-no-ipv6-autodetection.patch rename to miniupnpd-iptables/patches/103-no-ipv6-autodetection.patch diff --git a/miniupnpd/patches/104-always-libuuid.patch b/miniupnpd-iptables/patches/104-always-libuuid.patch similarity index 100% rename from miniupnpd/patches/104-always-libuuid.patch rename to miniupnpd-iptables/patches/104-always-libuuid.patch diff --git a/miniupnpd/patches/105-build-with-kernel-5.4.patch b/miniupnpd-iptables/patches/105-build-with-kernel-5.4.patch similarity index 100% rename from miniupnpd/patches/105-build-with-kernel-5.4.patch rename to miniupnpd-iptables/patches/105-build-with-kernel-5.4.patch 
diff --git a/miniupnpd/patches/106-spam-syslog-ignoring.patch b/miniupnpd-iptables/patches/106-spam-syslog-ignoring.patch similarity index 100% rename from miniupnpd/patches/106-spam-syslog-ignoring.patch rename to miniupnpd-iptables/patches/106-spam-syslog-ignoring.patch diff --git a/netdata/Makefile b/netdata/Makefile index e471f27b2..3552536e6 100644 --- a/netdata/Makefile +++ b/netdata/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=netdata PKG_VERSION:=1.33.1 -PKG_RELEASE:=$(AUTORELEASE) +PKG_RELEASE:=4 PKG_MAINTAINER:=Josef Schlehofer , Daniel Engberg PKG_LICENSE:=GPL-3.0-or-later @@ -24,7 +24,7 @@ PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_NAME)-v$(PKG_VERSION) PKG_INSTALL:=1 PKG_BUILD_PARALLEL:=1 PKG_FIXUP:=autoreconf -PKG_USE_MIPS16:=0 +PKG_BUILD_FLAGS:=no-mips16 gc-sections include $(INCLUDE_DIR)/package.mk @@ -44,9 +44,7 @@ define Package/netdata/description python3-urllib3 endef -TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -TARGET_CFLAGS += -ffunction-sections -fdata-sections -O3 -TARGET_LDFLAGS += -Wl,--gc-sections +TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3 CONFIGURE_ARGS += \ --with-zlib \ diff --git a/nginx/Config_ssl.in b/nginx/Config_ssl.in index 1c53dab6a..fbfb64ae7 100644 --- a/nginx/Config_ssl.in +++ b/nginx/Config_ssl.in @@ -15,13 +15,6 @@ config NGINX_DAV Enable the HTTP and WebDAV methods PUT, DELETE, MKCOL, COPY and MOVE. default n -config NGINX_UBUS - bool - prompt "Enable UBUS module" - help - Enable UBUS api support directly from the server. - default y - config NGINX_FLV bool prompt "Enable FLV module" @@ -46,6 +39,11 @@ config NGINX_HTTP_GZIP prompt "Enable HTTP gzip module" default y +config NGINX_HTTP_GZIP_STATIC + bool + prompt "Enable HTTP gzip static module" + default y + config NGINX_HTTP_SSI bool prompt "Enable HTTP ssi module" 
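Review bot: `PKG_BUILD_FLAGS:=no-mips16 gc-sections` now stands in for both the removed `PKG_USE_MIPS16:=0` and the `-ffunction-sections -fdata-sections` / `-Wl,--gc-sections` lines dropped in the third netdata hunk, so the package relies entirely on the buildroot's package.mk recognising that variable; on a buildroot that predates it the assignment is silently ignored and MIPS16 and non-collected sections come back with no error. Since the Makefile cannot test for that support, a one-line comment at the assignment naming the expectation would help, e.g. `# PKG_BUILD_FLAGS replaces PKG_USE_MIPS16 and the manual gc-sections flags; needs a buildroot that honours it`. The surviving `TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3` still discards whatever optimisation level the toolchain configured, which is pre-existing but worth a why-comment now that the line is being rewritten.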
@@ -182,16 +180,6 @@ config NGINX_PCRE prompt "Enable PCRE library usage" default y -config NGINX_NAXSI - bool - prompt "Enable NAXSI module" - default y - -config NGINX_LUA - bool - prompt "Enable Lua module" - default n - config NGINX_HTTP_REAL_IP bool prompt "Enable HTTP real ip module" @@ -206,57 +194,5 @@ config NGINX_HTTP_SUB bool prompt "Enable HTTP sub module" default n - -config NGINX_HEADERS_MORE - bool - prompt "Enable Headers_more module" - help - Set and clear input and output headers...more than "add"! - default y - -config NGINX_HTTP_BROTLI - bool - prompt "Enable Brotli compression module" - help - Add support for brotli compression module. - default n - -config NGINX_STREAM_CORE_MODULE - bool - prompt "Enable stream support" - help - Add support for NGINX request streaming. - default n - -config NGINX_STREAM_SSL_MODULE - bool - prompt "Enable stream support with SSL/TLS termination" - depends on NGINX_STREAM_CORE_MODULE - help - Add support for NGINX request streaming with SSL/TLS termination. - default n - -config NGINX_STREAM_SSL_PREREAD_MODULE - bool - prompt "Enable stream support with SSL/TLS pre-read" - depends on NGINX_STREAM_CORE_MODULE - help - Add support for NGINX request streaming using information from the ClientHello message without terminating SSL/TLS. - default n - -config NGINX_RTMP_MODULE - bool - prompt "Enable RTMP module" - help - Add support for NGINX-based Media Streaming Server module. - DASH enhanced - https://github.com/ut0mt8/nginx-rtmp-module - default n - -config NGINX_TS_MODULE - bool - prompt "Enable TS module" - help - Add support for MPEG-TS Live Module module. - default n endmenu diff --git a/nginx/Makefile b/nginx/Makefile index 886c55db7..523229b87 100644 --- a/nginx/Makefile +++ b/nginx/Makefile 
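Review bot: Deleting `config NGINX_NAXSI` (and the Lua, headers-more, brotli, stream, RTMP and TS symbols in this hunk, plus `NGINX_UBUS` in the earlier one) leaves no migration hint, so an existing .config that selected NAXSI as a request-filtering layer silently drops it on the next build instead of failing loudly. Kconfig cannot warn about a symbol that no longer exists, so the practical place to record this is the help of a surviving option or the package description, e.g. `Third-party modules (naxsi, lua, headers-more, brotli, rtmp, ts, ubus) are no longer built by this package.` The removal of the three `NGINX_STREAM_*` options also means `--with-stream*` is no longer selectable at all, which the variant descriptions in the Makefile should presumably reflect.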
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nginx -PKG_VERSION:=1.21.3 -PKG_RELEASE:=1 +PKG_VERSION:=1.25.0 +PKG_RELEASE:=4 PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://nginx.org/download/ -PKG_HASH:=14774aae0d151da350417efc4afda5cce5035056e71894836797e1f6e2d1175a +PKG_HASH:=5ed44d45943272a4e8a5bcf4434237210f2de31b903fca5e381c1bbd7eee1e8c PKG_MAINTAINER:=Thomas Heil \ Ansuel Smith @@ -23,14 +23,15 @@ PKG_CPE_ID:=cpe:/a:nginx:nginx PKG_FIXUP:=autoreconf PKG_BUILD_PARALLEL:=1 PKG_INSTALL:=1 +PKG_BUILD_FLAGS:=gc-sections PKG_CONFIG_DEPENDS := \ CONFIG_NGINX_DAV \ CONFIG_NGINX_FLV \ - CONFIG_NGINX_UBUS \ CONFIG_NGINX_STUB_STATUS \ CONFIG_NGINX_HTTP_CHARSET \ CONFIG_NGINX_HTTP_GZIP \ + CONFIG_NGINX_HTTP_GZIP_STATIC \ CONFIG_NGINX_HTTP_SSI \ CONFIG_NGINX_HTTP_USERID \ CONFIG_NGINX_HTTP_ACCESS \ @@ -59,17 +60,8 @@ PKG_CONFIG_DEPENDS := \ CONFIG_NGINX_HTTP_CACHE \ CONFIG_NGINX_HTTP_V2 \ CONFIG_NGINX_PCRE \ - CONFIG_NGINX_NAXSI \ - CONFIG_NGINX_LUA \ CONFIG_NGINX_HTTP_REAL_IP \ CONFIG_NGINX_HTTP_SECURE_LINK \ - CONFIG_NGINX_HTTP_BROTLI \ - CONFIG_NGINX_HEADERS_MORE \ - CONFIG_NGINX_STREAM_CORE_MODULE \ - CONFIG_NGINX_STREAM_SSL_MODULE \ - CONFIG_NGINX_STREAM_SSL_PREREAD_MODULE \ - CONFIG_NGINX_RTMP_MODULE \ - CONFIG_NGINX_TS_MODULE \ CONFIG_OPENSSL_ENGINE \ CONFIG_OPENSSL_WITH_NPN 
@@ -98,27 +90,25 @@ define Package/nginx-ssl VARIANT:=ssl DEPENDS+= +NGINX_PCRE:libpcre \ +NGINX_PCRE:nginx-ssl-util +!NGINX_PCRE:nginx-ssl-util-nopcre \ - +NGINX_HTTP_GZIP:zlib +NGINX_LUA:liblua +NGINX_DAV:libxml2 \ - +NGINX_UBUS:libubus +NGINX_UBUS:libblobmsg-json +NGINX_UBUS:libjson-c + +NGINX_HTTP_GZIP:zlib +NGINX_DAV:libxml2 EXTRA_DEPENDS:=nginx-ssl-util$(if $(CONFIG_NGINX_PCRE),,-nopcre) (>=1.5-1) (<2) - CONFLICTS:=nginx-all-module + CONFLICTS:=nginx-full endef Package/nginx-ssl/description = $(Package/nginx/description) \ This variant is compiled with SSL support enabled. To enable additional module \ select them in the nginx default configuration menu. -define Package/nginx-all-module +define Package/nginx-full $(Package/nginx/default) TITLE += with ALL module selected - DEPENDS+=+libpcre +nginx-ssl-util +zlib +liblua +libxml2 +libubus \ - +libblobmsg-json +libjson-c + DEPENDS+=+libpcre +nginx-ssl-util +zlib +libxml2 EXTRA_DEPENDS:=nginx-ssl-util (>=1.5-1) (<2) VARIANT:=all-module PROVIDES += nginx-ssl endef -Package/nginx-all-module/description = $(Package/nginx/description) \ +Package/nginx-full/description = $(Package/nginx/description) \ This variant is compiled with ALL module selected. define Package/nginx-ssl/config @@ -132,8 +122,7 @@ define Package/nginx/conffiles endef Package/nginx-ssl/conffiles = $(Package/nginx/conffiles) -Package/nginx-all-module/conffiles = $(Package/nginx/conffiles) - +Package/nginx-full/conffiles = $(Package/nginx/conffiles) ADDITIONAL_MODULES:= --with-http_ssl_module @@ -152,6 +141,9 @@ ifneq ($(BUILD_VARIANT),all-module) ifneq ($(CONFIG_NGINX_HTTP_GZIP),y) ADDITIONAL_MODULES += --without-http_gzip_module endif + ifeq ($(CONFIG_NGINX_HTTP_GZIP_STATIC),y) + ADDITIONAL_MODULES += --with-http_gzip_static_module + endif ifneq ($(CONFIG_NGINX_HTTP_SSI),y) ADDITIONAL_MODULES += --without-http_ssi_module endif 
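Review bot: `TITLE += with ALL module selected` and `Package/nginx-full/description ... This variant is compiled with ALL module selected.` are now inaccurate, because the renamed variant no longer carries the `--add-module` third-party modules (naxsi, lua, headers-more, brotli, rtmp, ts, ubus, dav-ext) that the later hunks remove; `with all built-in modules selected` describes what remains. The rename also keeps `VARIANT:=all-module` and the `ifneq ($(BUILD_VARIANT),all-module)` guards unchanged, which works but leaves the package name and variant name disagreeing, so a short comment at the VARIANT line would save the next reader a search. The new `--with-http_gzip_static_module` switch is only wired into the per-option branch; the `else` branch for the all-module variant (in a later hunk that runs past this chunk) does not list it, so nginx-full would apparently build without a module that nginx-ssl enables by default.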
@@ -227,12 +219,6 @@ ifneq ($(BUILD_VARIANT),all-module) ifneq ($(CONFIG_NGINX_HTTP_UPSTREAM_KEEPALIVE),y) ADDITIONAL_MODULES += --without-http_upstream_keepalive_module endif - ifeq ($(CONFIG_NGINX_NAXSI),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src - endif - ifeq ($(CONFIG_NGINX_LUA),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/lua-nginx - endif ifeq ($(CONFIG_IPV6),y) ADDITIONAL_MODULES += --with-ipv6 endif @@ -243,10 +229,7 @@ ifneq ($(BUILD_VARIANT),all-module) ADDITIONAL_MODULES += --with-http_flv_module endif ifeq ($(CONFIG_NGINX_DAV),y) - ADDITIONAL_MODULES += --with-http_dav_module --add-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module - endif - ifeq ($(CONFIG_NGINX_UBUS),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-ubus-module + ADDITIONAL_MODULES += --with-http_dav_module endif ifeq ($(CONFIG_NGINX_HTTP_AUTH_REQUEST),y) ADDITIONAL_MODULES += --with-http_auth_request_module 
@@ -263,50 +246,45 @@ ifneq ($(BUILD_VARIANT),all-module) ifeq ($(CONFIG_NGINX_HTTP_SUB),y) ADDITIONAL_MODULES += --with-http_sub_module endif - ifeq ($(CONFIG_NGINX_STREAM_CORE_MODULE),y) - ADDITIONAL_MODULES += --with-stream - endif - ifeq ($(CONFIG_NGINX_STREAM_SSL_MODULE),y) - ADDITIONAL_MODULES += --with-stream_ssl_module - endif - ifeq ($(CONFIG_NGINX_STREAM_SSL_PREREAD_MODULE),y) - ADDITIONAL_MODULES += --with-stream_ssl_preread_module - endif - ifeq ($(CONFIG_NGINX_HEADERS_MORE),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-headers-more - endif - ifeq ($(CONFIG_NGINX_HTTP_BROTLI),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-brotli - endif - ifeq ($(CONFIG_NGINX_RTMP_MODULE),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-rtmp - endif - ifeq ($(CONFIG_NGINX_TS_MODULE),y) - ADDITIONAL_MODULES += --add-module=$(PKG_BUILD_DIR)/nginx-ts - endif else - CONFIG_NGINX_HEADERS_MORE:=y - CONFIG_NGINX_HTTP_BROTLI:=y - CONFIG_NGINX_RTMP_MODULE:=y - CONFIG_NGINX_TS_MODULE:=y - CONFIG_NGINX_NAXSI:=y - CONFIG_NGINX_LUA:=y - CONFIG_NGINX_DAV:=y - CONFIG_NGINX_UBUS:=y ADDITIONAL_MODULES += --with-ipv6 --with-http_stub_status_module --with-http_flv_module \ --with-http_dav_module \ --with-http_auth_request_module --with-http_v2_module --with-http_realip_module \ - --with-http_secure_link_module --with-http_sub_module \ - --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \ - --add-module=$(PKG_BUILD_DIR)/nginx-headers-more \ - --add-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src \ - --add-module=$(PKG_BUILD_DIR)/lua-nginx \ - --add-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module \ - --add-module=$(PKG_BUILD_DIR)/nginx-brotli --add-module=$(PKG_BUILD_DIR)/nginx-rtmp \ - --add-module=$(PKG_BUILD_DIR)/nginx-ts --add-module=$(PKG_BUILD_DIR)/nginx-ubus-module + --with-http_secure_link_module --with-http_sub_module config_files += koi-utf koi-win win-utf fastcgi_params uwsgi_params endif +ifneq 
($(CONFIG_PACKAGE_nginx-mod-naxsi),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_src +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-lua),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/lua-nginx +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-dav-ext),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-dav-ext-module +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-stream),) + ADDITIONAL_MODULES += --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-ubus),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-ubus-module +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-headers-more),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-headers-more +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-brotli),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-brotli +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-rtmp),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-rtmp +endif +ifneq ($(CONFIG_PACKAGE_nginx-mod-ts),) + ADDITIONAL_MODULES += --add-dynamic-module=$(PKG_BUILD_DIR)/nginx-ts +endif +ifeq ($(CONFIG_NGINX_GEOIP_MODULE),y) + ADDITIONAL_MODULES += --with-http_geoip_module=dynamic +endif + define Package/nginx-mod-luci TITLE:=Nginx on LuCI SECTION:=net @@ -314,7 +292,7 @@ define Package/nginx-mod-luci SUBMENU:=Web Servers/Proxies TITLE:=Support file for Nginx URL:=http://nginx.org/ - DEPENDS:=+uwsgi +uwsgi-luci-support +nginx + DEPENDS:=+uwsgi +uwsgi-luci-support +nginx +nginx-mod-ubus # TODO: add PROVIDES when removing nginx-mod-luci-ssl # PROVIDES:=nginx-mod-luci-ssl endef 
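Review bot: The new `ifeq ($(CONFIG_NGINX_GEOIP_MODULE),y)` block appends `--with-http_geoip_module=dynamic`, but no `nginx-mod-geoip` package is generated from the `module` template and `CONFIG_NGINX_GEOIP_MODULE` is not added to `PKG_CONFIG_DEPENDS` (the first hunk adds only `CONFIG_NGINX_HTTP_GZIP_STATIC`), so as far as this diff shows the built `ngx_http_geoip_module.so` is never installed and toggling the symbol does not trigger a reconfigure. Either drop the block or register it like the other modules, e.g. `$(eval $(call module,geoip,<geoip library dependency>,ngx_http_geoip, Enable GeoIP module))` plus the symbol in `PKG_CONFIG_DEPENDS`, unless a Config.in or sibling file outside this diff already provides the package. The `ifneq ($(BUILD_VARIANT),all-module)` block this hunk closes begins outside it.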
@@ -323,13 +301,95 @@ define Package/nginx-mod-luci/description Support file for LuCI in nginx. Include custom nginx configuration, autostart script for uwsgi. endef +NGINX_MODULES := -TARGET_CFLAGS += -fvisibility=hidden -ffunction-sections -fdata-sections -DNGX_LUA_NO_BY_LUA_BLOCK -TARGET_LDFLAGS += -Wl,--gc-sections +# $(1) module name +# $(2) module additional dependency +# $(3) module so name (stripped of the finaly _module.so) +# $(4) module description +define module + define Package/nginx-mod-$(strip $(1)) + $(call Package/nginx/default) + DEPENDS:=+nginx-ssl $(2) + TITLE:=Nginx $(1) module + endef -ifeq ($(CONFIG_NGINX_LUA),y) - CONFIGURE_VARS += LUA_INC=$(STAGING_DIR)/usr/include \ - LUA_LIB=$(STAGING_DIR)/usr/lib + define Package/nginx-mod-$(strip $(1))/description + $(4) + endef + + define Package/nginx-mod-$(strip $(1))/install + $(INSTALL_DIR) $$(1)/usr/lib/nginx/modules + $(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/$(3)_module.so $$(1)/usr/lib/nginx/modules + endef + + NGINX_MODULES += nginx-mod-$(strip $(1)) +endef + +define brotli + define Package/nginx-mod-brotli + $(call Package/nginx/default) + DEPENDS:=+nginx-ssl + TITLE:=Nginx Brotli module + endef + + define Package/nginx-mod-brotli/description + Add support for brotli compression module. + endef + + define Package/nginx-mod-brotli/install + $(INSTALL_DIR) $$(1)/usr/lib/nginx/modules + $(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/ngx_http_brotli_filter_module.so $$(1)/usr/lib/nginx/modules + $(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/ngx_http_brotli_static_module.so $$(1)/usr/lib/nginx/modules + endef + + NGINX_MODULES += nginx-mod-brotli +endef + +define naxsi + define Package/nginx-mod-naxsi + $(call Package/nginx/default) + DEPENDS:=+nginx-ssl + TITLE:=Nginx naxsi module + endef + + define Package/nginx-mod-naxsi/description + Enable NAXSI module. 
+ endef + + define Package/nginx-mod-naxsi/install + $(INSTALL_DIR) $$(1)/usr/lib/nginx/modules + $(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/ngx_http_naxsi_module.so $$(1)/usr/lib/nginx/modules + + $(INSTALL_DIR) $$(1)/etc/nginx + $(INSTALL_BIN) $$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $$(1)/etc/nginx + chmod 0640 $$(1)/etc/nginx/naxsi_core.rules + + $(INSTALL_BIN) $$(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $$(1)/etc/nginx + chmod 0640 $$(1)/etc/nginx/naxsi_core.rules + endef + + NGINX_MODULES += nginx-mod-naxsi +endef + +$(eval $(call module,lua, +luajit,ngx_http_lua, Enable Lua module)) +$(eval $(call module,stream, +@NGINX_STREAM_CORE_MODULE,ngx_stream, Add support for NGINX request streaming.)) +$(eval $(call module,ubus, +libubus +libjson-c +libblobmsg-json +@NGINX_UBUS,ngx_http_ubus, Enable UBUS api support directly from the server.)) +$(eval $(call module,dav-ext, +@NGINX_DAV +libxml2,ngx_http_dav_ext, Enable the WebDAV methods PROPFIND OPTIONS LOCK UNLOCK.)) +$(eval $(call module,headers-more,,ngx_http_headers_more_filter, Set and clear input and output headers...more than "add"!)) +$(eval $(call module,rtmp,,ngx_rtmp, Add support for NGINX-based Media Streaming Server module. \ + DASH enhanced - https://github.com/ut0mt8/nginx-rtmp-module)) +$(eval $(call module, ts,,ngx_http_ts, Add support for MPEG-TS Live Module module.)) +$(eval $(call brotli)) +$(eval $(call naxsi)) + +PKG_CONFIG_DEPENDS += $(patsubst %,CONFIG_PACKAGE_%,$(NGINX_MODULES)) + +TARGET_CFLAGS += -DNGX_LUA_NO_BY_LUA_BLOCK + +ifneq ($(CONFIG_PACKAGE_nginx-mod-lua),) + CONFIGURE_VARS += LUAJIT_INC=$(STAGING_DIR)/usr/include/luajit-* \ + LUAJIT_LIB=$(STAGING_DIR)/usr/lib endif CONFIGURE_VARS += CONFIG_BIG_ENDIAN=$(CONFIG_BIG_ENDIAN) 
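Review bot: In `define naxsi`, the install recipe copies `naxsi_core.rules` into `$$(1)/etc/nginx` and `chmod 0640`s it twice — the second `$(INSTALL_BIN)`/`chmod` pair is a leftover of the duplicated lines the old `Package/nginx-ssl/install` carried and should be dropped. More importantly, the WAF ruleset is a site-tunable config file but no `Package/nginx-mod-naxsi/conffiles` lists `/etc/nginx/naxsi_core.rules`, so a package upgrade silently overwrites local rule edits (the other `nginx-mod-*` packages ship only `.so` files and need none). `$(INSTALL_DATA)` followed by the chmod fits a rules file better than `$(INSTALL_BIN)`, which first lands it as 0755. Minor: `TITLE:=Nginx $(1) module` uses the unstripped argument, so the `$(call module, ts,...)` invocation yields a double space in the title (`$(strip $(1))` as used for the package name fixes it), and `finaly` in the template comment should read `finally`.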
@@ -338,6 +398,8 @@ CONFIGURE_ARGS += \ --crossbuild=Linux::$(ARCH) \ --prefix=/usr \ --conf-path=/etc/nginx/nginx.conf \ + --modules-path=/usr/lib/nginx/modules \ + --with-compat \ $(ADDITIONAL_MODULES) \ --error-log-path=stderr \ --pid-path=/var/run/nginx.pid \ @@ -349,7 +411,8 @@ CONFIGURE_ARGS += \ --with-cc="$(TARGET_CC)" \ --with-cc-opt="$(TARGET_CPPFLAGS) $(TARGET_CFLAGS)" \ --with-ld-opt="$(TARGET_LDFLAGS)" \ - --without-http_upstream_zone_module + --without-http_upstream_zone_module \ + --without-pcre2 define Package/nginx-mod-luci/install $(INSTALL_DIR) $(1)/etc/nginx/conf.d @@ -361,20 +424,14 @@ endef define Package/nginx-ssl/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/nginx $(1)/usr/sbin/ + $(INSTALL_DIR) $(1)/etc/nginx/module.d $(INSTALL_DIR) $(1)/etc/nginx/conf.d $(INSTALL_DATA) $(addprefix $(PKG_INSTALL_DIR)/etc/nginx/,$(config_files)) $(1)/etc/nginx/ $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/nginx.init $(1)/etc/init.d/nginx -ifeq ($(CONFIG_NGINX_NAXSI),y) - $(INSTALL_DIR) $(1)/etc/nginx - $(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx - chmod 0640 $(1)/etc/nginx/naxsi_core.rules -endif - $(if $(CONFIG_NGINX_NAXSI),$($(INSTALL_BIN) $(PKG_BUILD_DIR)/nginx-naxsi/naxsi_config/naxsi_core.rules $(1)/etc/nginx)) - $(if $(CONFIG_NGINX_NAXSI),$(chmod 0640 $(1)/etc/nginx/naxsi_core.rules)) endef -Package/nginx-all-module/install = $(Package/nginx-ssl/install) +Package/nginx-full/install = $(Package/nginx-ssl/install) define Package/nginx-ssl/prerm #!/bin/sh 
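Review bot: `--without-pcre2` forces the 1.25 build onto the PCRE1 library that `+NGINX_PCRE:libpcre` pulls in, although nginx now uses PCRE2 by default when it is available; the PCRE1 code line is no longer maintained upstream, and it is what evaluates regex `location`/`rewrite` patterns against attacker-controlled request URIs, so this deserves a comment stating why PCRE2 is not used and a follow-up to move the dependency to libpcre2. Suggested comment above the flag: `# PCRE1 is still used for the regex engine; switch to libpcre2 and drop this flag once the dependency is migrated`. The `CONFIGURE_ARGS +=` block these hunks touch begins outside them.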
@@ -387,14 +444,14 @@ rm -f "$$(uci get "nginx.$${LAN_NAME}.ssl_certificate_key")" exit 0 endef -Package/nginx-all-module/prerm = $(Package/nginx-ssl/prerm) +Package/nginx-full/prerm = $(Package/nginx-ssl/prerm) define Download/nginx-headers-more - VERSION:=a9f7c7e86cc7441d04e2f11f01c2e3a9c4b0301d + VERSION:=bea1be3bbf6af28f6aa8cf0c01c07ee1637e2bd0 SUBDIR:=nginx-headers-more FILE:=headers-more-nginx-module-$$(VERSION).tar.xz URL:=https://github.com/openresty/headers-more-nginx-module.git - MIRROR_HASH:=ce0b9996ecb2cff790831644d6ab1adc087aa2771d77d3931c06246d11bc59fd + MIRROR_HASH:=3617bbf7a935208a1d8d5f86a8f9b770f6987e4d2b5663a9ab1b777217e3066b PROTO:=git endef @@ -460,11 +517,11 @@ define Prepare/nginx-naxsi endef define Download/lua-nginx - VERSION:=e94f2e5d64daa45ff396e262d8dab8e56f5f10e0 + VERSION:=68acad14e4a8f42e31d4a4bb5ed44d6f5b55fc1c SUBDIR:=lua-nginx FILE:=lua-nginx-module-$$(VERSION).tar.xz URL:=https://github.com/openresty/lua-nginx-module.git - MIRROR_HASH:=27729921964f066d97e99c263da153b34622a2f4b811114e4c3ee61c6fc71395 + MIRROR_HASH:=366f24e1ba6221e34f6ba20ab29146438438f88c89fd71f9500d169b3f5aedf0 PROTO:=git endef @@ -504,13 +561,13 @@ endef define Build/Patch $(if $(QUILT),rm -rf $(PKG_BUILD_DIR)/patches; mkdir -p $(PKG_BUILD_DIR)/patches) $(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/nginx,nginx/) -ifneq "$(or $(CONFIG_NGINX_DAV),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-dav-ext),$(QUILT))" "" $(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/dav-nginx,dav-nginx/) endif -ifneq "$(or $(CONFIG_NGINX_LUA),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-lua),$(QUILT))" "" $(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/lua-nginx,lua-nginx/) endif -ifneq "$(or $(CONFIG_NGINX_RTMP_MODULE),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-rtmp),$(QUILT))" "" $(call PatchDir,$(PKG_BUILD_DIR),$(PATCH_DIR)/rtmp-nginx,rtmp-nginx/) endif $(if $(QUILT),touch $(PKG_BUILD_DIR)/.quilt_used) 
@@ -528,42 +585,42 @@ define Build/Prepare mkdir -p $(PKG_BUILD_DIR) $(PKG_UNPACK) -ifeq ($(CONFIG_NGINX_NAXSI),y) +ifneq ($(CONFIG_PACKAGE_nginx-mod-naxsi),) $(eval $(call Download,nginx-naxsi)) $(Prepare/nginx-naxsi) endif -ifneq "$(or $(CONFIG_NGINX_LUA),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-lua),$(QUILT))" "" $(eval $(call Download,lua-nginx)) $(Prepare/lua-nginx) endif -ifeq ($(CONFIG_NGINX_HTTP_BROTLI),y) +ifneq ($(CONFIG_PACKAGE_nginx-mod-brotli),) $(eval $(call Download,nginx-brotli)) $(Prepare/nginx-brotli) endif -ifeq ($(CONFIG_NGINX_HEADERS_MORE),y) +ifneq ($(CONFIG_PACKAGE_nginx-mod-headers-more),) $(eval $(call Download,nginx-headers-more)) $(Prepare/nginx-headers-more) endif -ifneq "$(or $(CONFIG_NGINX_RTMP_MODULE),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-rtmp),$(QUILT))" "" $(eval $(call Download,nginx-rtmp)) $(Prepare/nginx-rtmp) endif -ifeq ($(CONFIG_NGINX_TS_MODULE),y) +ifneq ($(CONFIG_PACKAGE_nginx-mod-ts),) $(eval $(call Download,nginx-ts)) $(Prepare/nginx-ts) endif -ifneq "$(or $(CONFIG_NGINX_DAV),$(QUILT))" "" +ifneq "$(or $(CONFIG_PACKAGE_nginx-mod-dav-ext),$(QUILT))" "" $(eval $(call Download,nginx-dav-ext-module)) $(Prepare/nginx-dav-ext-module) endif -ifeq ($(CONFIG_NGINX_UBUS),y) +ifneq ($(CONFIG_PACKAGE_nginx-mod-ubus),) $(eval $(call Download,nginx-ubus-module)) $(Prepare/nginx-ubus-module) endif @@ -572,9 +629,11 @@ endif endef $(eval $(call BuildPackage,nginx-ssl)) -$(eval $(call BuildPackage,nginx-all-module)) +$(eval $(call BuildPackage,nginx-full)) $(eval $(call BuildPackage,nginx-mod-luci)) +$(foreach m,$(NGINX_MODULES),$(eval $(call BuildPackage,$(m)))) + # TODO: remove after a transition period (together with pkg nginx-util): # It is for smoothly substituting nginx and nginx-mod-luci-ssl (by nginx-ssl # respectively nginx-mod-luci). Add above commented PROVIDES when removing. 
diff --git a/nginx/files-luci-support/60_nginx-luci-support b/nginx/files-luci-support/60_nginx-luci-support index b2564444c..22deb97a3 100644 --- a/nginx/files-luci-support/60_nginx-luci-support +++ b/nginx/files-luci-support/60_nginx-luci-support @@ -1,6 +1,6 @@ #!/bin/sh -if nginx -V 2>&1 | grep -q ubus; then +if nginx -V 2>&1 | grep -q ubus && [ -f /usr/lib/nginx/modules/ngx_http_ubus_module.so ]; then if [ -z "$(cat /etc/nginx/conf.d/luci.locations | grep ubus)" ]; then cat <> /etc/nginx/conf.d/luci.locations @@ -9,6 +9,12 @@ location /ubus { ubus_socket_path /var/run/ubus/ubus.sock; ubus_parallel_req 2; } +EOT + fi + + if [ ! -f "/etc/nginx/module.d/luci.module" ]; then + cat <> /etc/nginx/module.d/luci.module +load_module /usr/lib/nginx/modules/ngx_http_ubus_module.so; EOT fi fi diff --git a/nginx/files/nginx.init b/nginx/files/nginx.init index 300a8c657..c84e0496c 100644 --- a/nginx/files/nginx.init +++ b/nginx/files/nginx.init 
@@ -8,11 +8,42 @@ USE_PROCD=1 G_OPTS="daemon off;" NGINX_UTIL="/usr/bin/nginx-util" +UCI_CONF_TEMPLATE="/etc/nginx/uci.conf.template" +LATEST_UCI_CONF_VERSION="1.2" eval $("${NGINX_UTIL}" get_env) CONF="" +nginx_check_luci_template() { + UCI_CONF_VERSION="$(sed -nr 's/# UCI_CONF_VERSION=(.*)/\1/p' $UCI_CONF_TEMPLATE)" + + # No need to migrate already latest version + if [ "$UCI_CONF_VERSION" = "$LATEST_UCI_CONF_VERSION" ]; then + return + fi + + # Fix wrong entry for the module.d include + if [ "$UCI_CONF_VERSION" = "1.1" ]; then + # Remove any entry + sed -i '/^include module\.d\/\*\.module;/d' $UCI_CONF_TEMPLATE + # Put the include before events {} + sed -i 's/events {/include module.d\/*.module;\n\nevents {/' $UCI_CONF_TEMPLATE + fi + + if [ "$UCI_CONF_VERSION" != "$LATEST_UCI_CONF_VERSION" ]; then + sed -i "s/# UCI_CONF_VERSION=.*/# UCI_CONF_VERSION=$LATEST_UCI_CONF_VERSION/" $UCI_CONF_TEMPLATE + fi + + if [ -z "$UCI_CONF_VERSION" ]; then + # Handle funny case with template with the include module but no version + if ! grep -q -e '^include module\.d/\*\.module;$' $UCI_CONF_TEMPLATE; then + sed -i 's/events {/include module.d\/*.module;\n\nevents {/' $UCI_CONF_TEMPLATE + fi + echo "" >> $UCI_CONF_TEMPLATE + echo "# UCI_CONF_VERSION=1.2" >> $UCI_CONF_TEMPLATE + fi +} nginx_init() { [ -z "${CONF}" ] || return # already called. @@ -23,6 +54,10 @@ nginx_init() { rm -f "$(readlink "${UCI_CONF}")" ${NGINX_UTIL} init_lan + if [ -f $UCI_CONF_TEMPLATE ]; then + nginx_check_luci_template + fi + if [ -e "${UCI_CONF}" ] then CONF="${UCI_CONF}" else CONF="${NGINX_CONF}" @@ -66,6 +101,11 @@ reload_service() { } +service_triggers() { + procd_add_raw_trigger acme.renew 5000 /etc/init.d/nginx reload +} + + extra_command "relog" "Reopen log files (without reloading)" relog() { [ -d /var/log/nginx ] || mkdir -p /var/log/nginx diff --git a/nginx/patches/lua-nginx/100-no_by_lua_block.patch b/nginx/patches/lua-nginx/100-no_by_lua_block.patch index 968e12d58..1b4d1fef1 100644 
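Review bot: In `nginx_check_luci_template`, a template whose marker is set to anything other than `1.1` or the latest value has its marker rewritten to `1.2` without the `include module.d/*.module;` line ever being inserted, because only the `1.1` branch and the empty-version branch add it. Whether such versions exist in the field I cannot tell from the diff, but keying the insertion on the include being absent (the `grep -q` the empty-version branch already uses) makes the migration idempotent for any older template, and the trailing `echo "# UCI_CONF_VERSION=1.2"` should use `$LATEST_UCI_CONF_VERSION` rather than the literal. The marker regex is also unanchored and `$UCI_CONF_TEMPLATE` is unquoted in every sed/grep call and in the new `[ -f ... ]` test in `nginx_init`; harmless for the constant path, but `"$UCI_CONF_TEMPLATE"` would match the `"${UCI_CONF}"` quoting used elsewhere in the script. The restructured function is below.
```sh
nginx_check_luci_template() {
	UCI_CONF_VERSION="$(sed -nr 's/^# UCI_CONF_VERSION=(.*)$/\1/p' "$UCI_CONF_TEMPLATE")"

	# No need to migrate already latest version
	[ "$UCI_CONF_VERSION" = "$LATEST_UCI_CONF_VERSION" ] && return

	# 1.1 templates carry the include at the wrong place: drop it, it is re-added below
	if [ "$UCI_CONF_VERSION" = "1.1" ]; then
		sed -i '/^include module\.d\/\*\.module;/d' "$UCI_CONF_TEMPLATE"
	fi

	# Every older template (versioned or not) must load modules before events {}
	if ! grep -q -e '^include module\.d/\*\.module;$' "$UCI_CONF_TEMPLATE"; then
		sed -i 's/events {/include module.d\/*.module;\n\nevents {/' "$UCI_CONF_TEMPLATE"
	fi

	if [ -z "$UCI_CONF_VERSION" ]; then
		echo "" >> "$UCI_CONF_TEMPLATE"
		echo "# UCI_CONF_VERSION=$LATEST_UCI_CONF_VERSION" >> "$UCI_CONF_TEMPLATE"
	else
		sed -i "s/# UCI_CONF_VERSION=.*/# UCI_CONF_VERSION=$LATEST_UCI_CONF_VERSION/" "$UCI_CONF_TEMPLATE"
	fi
}
```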
--- a/nginx/patches/lua-nginx/100-no_by_lua_block.patch +++ b/nginx/patches/lua-nginx/100-no_by_lua_block.patch @@ -1,10 +1,9 @@ --- a/lua-nginx/src/ngx_http_lua_module.c +++ b/lua-nginx/src/ngx_http_lua_module.c -@@ -165,14 +165,14 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -207,12 +207,14 @@ static ngx_command_t ngx_http_lua_cmds[] offsetof(ngx_http_lua_loc_conf_t, log_socket_errors), NULL }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK { ngx_string("init_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, @@ -12,16 +11,14 @@ NGX_HTTP_MAIN_CONF_OFFSET, 0, (void *) ngx_http_lua_init_by_inline }, -- +#endif + { ngx_string("init_by_lua"), NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, - ngx_http_lua_init_by_lua, -@@ -186,14 +186,14 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_MAIN_CONF_OFFSET, +@@ -228,12 +230,14 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_init_by_file }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK { ngx_string("init_worker_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, 
@@ -29,141 +26,157 @@ NGX_HTTP_MAIN_CONF_OFFSET, 0, (void *) ngx_http_lua_init_worker_by_inline }, -- +#endif + { ngx_string("init_worker_by_lua"), NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, - ngx_http_lua_init_worker_by_lua, -@@ -209,6 +209,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -249,12 +253,14 @@ static ngx_command_t ngx_http_lua_cmds[] + 0, (void *) ngx_http_lua_init_worker_by_file }, ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("exit_worker_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_exit_worker_by_lua_block, + NGX_HTTP_MAIN_CONF_OFFSET, + 0, + (void *) ngx_http_lua_exit_worker_by_inline }, ++#endif + + { ngx_string("exit_worker_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, +@@ -264,6 +270,7 @@ static ngx_command_t ngx_http_lua_cmds[] + (void *) ngx_http_lua_exit_worker_by_file }, + #if defined(NDK) && NDK +#ifndef NGX_LUA_NO_BY_LUA_BLOCK - /* set_by_lua $res { inline Lua code } [$arg1 [$arg2 [...]]] */ + /* set_by_lua_block $res { inline Lua code } */ { ngx_string("set_by_lua_block"), NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -217,7 +218,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -272,6 +279,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_filter_set_by_lua_inline }, -- +#endif + /* set_by_lua $res [$arg1 [$arg2 [...]]] */ { ngx_string("set_by_lua"), - NGX_HTTP_SRV_CONF|NGX_HTTP_SIF_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -245,7 +246,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -292,6 +300,7 @@ static ngx_command_t ngx_http_lua_cmds[] + (void *) ngx_http_lua_filter_set_by_lua_file }, + #endif + ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + /* server_rewrite_by_lua_block { } */ + { ngx_string("server_rewrite_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, +@@ -299,6 +308,7 @@ static ngx_command_t ngx_http_lua_cmds[] + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void 
*) ngx_http_lua_server_rewrite_handler_inline }, ++#endif + + /* server_rewrite_by_lua_file filename; */ + { ngx_string("server_rewrite_by_lua_file"), +@@ -317,6 +327,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_rewrite_handler_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* rewrite_by_lua_block { } */ { ngx_string("rewrite_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -254,7 +255,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -325,6 +336,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_rewrite_handler_inline }, -- +#endif + /* access_by_lua "" */ { ngx_string("access_by_lua"), - NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -263,7 +264,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -335,6 +347,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_access_handler_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* access_by_lua_block { } */ { ngx_string("access_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -272,7 +273,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -343,6 +356,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_access_handler_inline }, -- +#endif + /* content_by_lua "" */ { ngx_string("content_by_lua"), - NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_TAKE1, -@@ -280,7 +281,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -352,6 +366,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_content_handler_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* content_by_lua_block { } */ { ngx_string("content_by_lua_block"), NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, -@@ -288,7 +289,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -359,6 +374,7 @@ static ngx_command_t ngx_http_lua_cmds[] 
NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_content_handler_inline }, -- +#endif + /* log_by_lua */ { ngx_string("log_by_lua"), - NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -297,7 +298,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -369,6 +385,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_log_handler_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* log_by_lua_block { } */ { ngx_string("log_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -306,7 +307,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -377,6 +394,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_log_handler_inline }, -- +#endif + { ngx_string("rewrite_by_lua_file"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF - |NGX_CONF_TAKE1, -@@ -361,7 +362,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -433,6 +451,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_header_filter_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* header_filter_by_lua_block { } */ { ngx_string("header_filter_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -370,7 +371,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -441,6 +460,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_header_filter_inline }, -- +#endif + { ngx_string("header_filter_by_lua_file"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF - |NGX_CONF_TAKE1, -@@ -386,7 +387,7 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -458,6 +478,7 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_body_filter_inline }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK /* body_filter_by_lua_block { } */ { ngx_string("body_filter_by_lua_block"), 
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF -@@ -395,7 +396,7 @@ static ngx_command_t ngx_http_lua_cmds[] +@@ -466,6 +487,7 @@ static ngx_command_t ngx_http_lua_cmds[] NGX_HTTP_LOC_CONF_OFFSET, 0, (void *) ngx_http_lua_body_filter_inline }, -- +#endif + { ngx_string("body_filter_by_lua_file"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF - |NGX_CONF_TAKE1, -@@ -403,14 +404,14 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -475,12 +497,14 @@ static ngx_command_t ngx_http_lua_cmds[] 0, (void *) ngx_http_lua_body_filter_file }, -- + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK { ngx_string("balancer_by_lua_block"), NGX_HTTP_UPS_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, @@ -171,16 +184,29 @@ NGX_HTTP_SRV_CONF_OFFSET, 0, (void *) ngx_http_lua_balancer_handler_inline }, -- +#endif + { ngx_string("balancer_by_lua_file"), NGX_HTTP_UPS_CONF|NGX_CONF_TAKE1, - ngx_http_lua_balancer_by_lua, -@@ -517,14 +518,14 @@ static ngx_command_t ngx_http_lua_cmds[] - NGX_HTTP_LOC_CONF_OFFSET, +@@ -585,12 +609,14 @@ static ngx_command_t ngx_http_lua_cmds[] offsetof(ngx_http_lua_loc_conf_t, ssl_ciphers), NULL }, -- + ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("ssl_client_hello_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_ssl_client_hello_by_lua_block, + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void *) ngx_http_lua_ssl_client_hello_handler_inline }, ++#endif + + { ngx_string("ssl_client_hello_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, +@@ -599,12 +625,14 @@ static ngx_command_t ngx_http_lua_cmds[] + 0, + (void *) ngx_http_lua_ssl_client_hello_handler_file }, + +#ifndef NGX_LUA_NO_BY_LUA_BLOCK { ngx_string("ssl_certificate_by_lua_block"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, 
@@ -188,8 +214,37 @@ NGX_HTTP_SRV_CONF_OFFSET, 0, (void *) ngx_http_lua_ssl_cert_handler_inline }, -- +#endif + { ngx_string("ssl_certificate_by_lua_file"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, - ngx_http_lua_ssl_cert_by_lua, +@@ -613,12 +641,14 @@ static ngx_command_t ngx_http_lua_cmds[] + 0, + (void *) ngx_http_lua_ssl_cert_handler_file }, + ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("ssl_session_store_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_ssl_sess_store_by_lua_block, + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void *) ngx_http_lua_ssl_sess_store_handler_inline }, ++#endif + + { ngx_string("ssl_session_store_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, +@@ -627,12 +657,14 @@ static ngx_command_t ngx_http_lua_cmds[] + 0, + (void *) ngx_http_lua_ssl_sess_store_handler_file }, + ++#ifndef NGX_LUA_NO_BY_LUA_BLOCK + { ngx_string("ssl_session_fetch_by_lua_block"), + NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, + ngx_http_lua_ssl_sess_fetch_by_lua_block, + NGX_HTTP_SRV_CONF_OFFSET, + 0, + (void *) ngx_http_lua_ssl_sess_fetch_handler_inline }, ++#endif + + { ngx_string("ssl_session_fetch_by_lua_file"), + NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1, diff --git a/nginx/patches/nginx/101-feature_test_fix.patch b/nginx/patches/nginx/101-feature_test_fix.patch index f09f3af8c..e4d9a7183 100644 --- a/nginx/patches/nginx/101-feature_test_fix.patch +++ b/nginx/patches/nginx/101-feature_test_fix.patch @@ -78,7 +78,7 @@ ngx_feature_libs= --- a/auto/unix +++ b/auto/unix -@@ -805,7 +805,7 @@ ngx_feature_test="void *p; p = memalign( +@@ -853,7 +853,7 @@ ngx_feature_test="void *p; p = memalign( ngx_feature="mmap(MAP_ANON|MAP_SHARED)" ngx_feature_name="NGX_HAVE_MAP_ANON" 
@@ -87,7 +87,7 @@ ngx_feature_incs="#include " ngx_feature_path= ngx_feature_libs= -@@ -818,7 +818,7 @@ ngx_feature_test="void *p; +@@ -866,7 +866,7 @@ ngx_feature_test="void *p; ngx_feature='mmap("/dev/zero", MAP_SHARED)' ngx_feature_name="NGX_HAVE_MAP_DEVZERO" @@ -96,7 +96,7 @@ ngx_feature_incs="#include #include #include " -@@ -833,7 +833,7 @@ ngx_feature_test='void *p; int fd; +@@ -881,7 +881,7 @@ ngx_feature_test='void *p; int fd; ngx_feature="System V shared memory" ngx_feature_name="NGX_HAVE_SYSVSHM" @@ -105,7 +105,7 @@ ngx_feature_incs="#include #include " ngx_feature_path= -@@ -847,7 +847,7 @@ ngx_feature_test="int id; +@@ -895,7 +895,7 @@ ngx_feature_test="int id; ngx_feature="POSIX semaphores" ngx_feature_name="NGX_HAVE_POSIX_SEM" diff --git a/nginx/patches/nginx/201-ignore-invalid-options.patch b/nginx/patches/nginx/201-ignore-invalid-options.patch index d208bf507..af2bab15e 100644 --- a/nginx/patches/nginx/201-ignore-invalid-options.patch +++ b/nginx/patches/nginx/201-ignore-invalid-options.patch @@ -1,6 +1,6 @@ --- a/auto/options +++ b/auto/options -@@ -400,8 +400,7 @@ $0: warning: the \"--with-sha1-asm\" opt +@@ -411,8 +411,7 @@ $0: warning: the \"--with-sha1-asm\" opt --test-build-solaris-sendfilev) NGX_TEST_BUILD_SOLARIS_SENDFILEV=YES ;; *) diff --git a/openssl/Config.in b/openssl/Config.in index bc2f0584b..871080a4c 100644 --- a/openssl/Config.in +++ b/openssl/Config.in 
@@ -8,33 +8,33 @@ config OPENSSL_OPTIMIZE_SPEED prompt "Enable optimization for speed instead of size" select OPENSSL_WITH_ASM help - Enabling this option increases code size (around 20%) and - performance. The increase in performance and size depends on the - target CPU. EC and AES seem to benefit the most, with EC speed - increased by 20%-50% (mipsel & x86). - AES-GCM is supposed to be 3x faster on x86. YMMV. + Enabling this option increases code size and performance. + The increase in performance and size depends on the + target CPU. EC and AES seem to benefit the most. + +config OPENSSL_SMALL_FOOTPRINT + bool + depends on !OPENSSL_OPTIMIZE_SPEED + default y if SMALL_FLASH || LOW_MEMORY_FOOTPRINT + prompt "Build with OPENSSL_SMALL_FOOTPRINT (read help)" + help + This turns on -DOPENSSL_SMALL_FOOTPRINT. This will save only + 1-3% of of the ipk size. The performance drop depends on + architecture and algorithm. MIPS drops 13% of performance for + a 3% decrease in ipk size. On Aarch64, for a 1% reduction in + size, ghash and GCM performance decreases 90%, while + Chacha20-Poly1305 is 15% slower. X86_64 drops 1% of its size + for 3% of performance. Other arches have not been tested. config OPENSSL_WITH_ASM bool - default y if !SMALL_FLASH || !arm + default y prompt "Compile with optimized assembly code" depends on !arc help Disabling this option will reduce code size and performance. The increase in performance and size depends on the target - CPU and on the algorithms being optimized. As of 1.1.0i*: - - Platform Pkg Inc. 
Algorithms where assembly is used - ~% Speed Increase - aarch64 174K BN, aes, sha1, sha256, sha512, nist256, poly1305 - arm 152K BN, aes, sha1, sha256, sha512, nist256, poly1305 - i386 183K BN+147%, aes+300%, rc4+55%, sha1+160%, sha256+114%, sha512+270%, nist256+282%, poly1305+292% - mipsel 1.5K BN+97%, aes+4%, sha1+94%, sha256+60% - mips64 3.7K BN, aes, sha1, sha256, sha512, poly1305 - powerpc 20K BN, aes, sha1, sha256, sha512, poly1305 - x86_64 228K BN+220%, aes+173%, rc4+38%, sha1+40%, sha256+64%, sha512+31%, nist256+354%, poly1305+228% - - * Only most common algorithms shown. Your mileage may vary. - BN (bignum) performance was measured using RSA sign/verify. + CPU and on the algorithms being optimized. config OPENSSL_WITH_SSE2 bool @@ -42,21 +42,17 @@ config OPENSSL_WITH_SSE2 prompt "Enable use of x86 SSE2 instructions" depends on OPENSSL_WITH_ASM && i386 help - Use of SSE2 instructions greatly increase performance (up to - 3x faster) with a minimum (~0.2%, or 23KB) increase in package - size, but it will bring no benefit if your hardware does not - support them, such as Geode GX and LX. In this case you may - save 23KB by saying yes here. AMD Geode NX, and Intel - Pentium 4 and above support SSE2. + Use of SSE2 instructions greatly increase performance with a + minimum increase in package size, but it will bring no benefit + if your hardware does not support them, such as Geode GX and LX. + AMD Geode NX, and Intel Pentium 4 and above support SSE2. config OPENSSL_WITH_DEPRECATED bool default y - prompt "Include deprecated APIs (See help for a list of packages that need this)" + prompt "Include deprecated APIs" help - Since openssl 1.1.x is still new to openwrt, some packages - requiring this option do not list it as a requirement yet: - * freeswitch-stable, freeswitch, python, python3, squid. + This drops all deprecated API, including engine support. config OPENSSL_NO_DEPRECATED bool 
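Review bot: `OPENSSL_SMALL_FOOTPRINT` defaults to y on every `SMALL_FLASH || LOW_MEMORY_FOOTPRINT` target, yet its own help text reports a 90% ghash/GCM slowdown on aarch64 for a 1% size saving — on such targets the default penalises the AES-GCM path that every TLS connection uses, so narrowing the default (for example `default y if (SMALL_FLASH || LOW_MEMORY_FOOTPRINT) && !aarch64`, if that arch symbol is the right one here) or at least telling the user in the help to review the option per target seems warranted. The help also has a typo: `1-3% of of the ipk size` should read `1-3% of the ipk size`.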
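Review bot: The new help for `OPENSSL_WITH_DEPRECATED` reads `This drops all deprecated API, including engine support.` under a prompt that says "Include deprecated APIs" with `default y`, so it describes the effect of turning the option off as if it were the effect of enabling it. Suggested wording: `Disabling this drops all deprecated APIs, including engine support; OPENSSL_ENGINE selects this option.`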
@@ -64,7 +60,7 @@ config OPENSSL_NO_DEPRECATED config OPENSSL_WITH_ERROR_MESSAGES bool - default y if !SMALL_FLASH && !LOW_MEMORY_FOOTPRINT + default y if !OPENSSL_SMALL_FOOTPRINT || (!SMALL_FLASH && !LOW_MEMORY_FOOTPRINT) prompt "Include error messages" help This option aids debugging, but increases package size and @@ -84,7 +80,6 @@ config OPENSSL_WITH_TLS13 protocol; * to increase performance by reducing the number of round-trips when performing a full handshake. - It increases package size by ~4KB. config OPENSSL_WITH_DTLS bool @@ -172,16 +167,24 @@ config OPENSSL_WITH_CAMELLIA config OPENSSL_WITH_IDEA bool - prompt "Enable IDEA cipher support" + default y if !SMALL_FLASH + prompt "Enable IDEA cipher support (needs legacy provider)" help IDEA is a block cipher with 128-bit keys. + To use the cipher, one must install the libopenssl-legacy + package, using a main libopenssl package compiled with this + option enabled as well. config OPENSSL_WITH_SEED bool - prompt "Enable SEED cipher support" + default y if !SMALL_FLASH + prompt "Enable SEED cipher support (needs legacy provider)" help SEED is a block cipher with 128-bit keys broadly used in South Korea, but seldom found elsewhere. + To use the cipher, one must install the libopenssl-legacy + package, using a main libopenssl package compiled with this + option enabled as well. config OPENSSL_WITH_SM234 bool 
@@ -202,11 +205,21 @@ config OPENSSL_WITH_BLAKE2 config OPENSSL_WITH_MDC2 bool - prompt "Enable MDC2 digest support" + default y if !SMALL_FLASH + prompt "Enable MDC2 digest support (needs legacy provider)" + help + To use the digest, one must install the libopenssl-legacy + package, using a main libopenssl package compiled with this + option enabled as well. config OPENSSL_WITH_WHIRLPOOL bool - prompt "Enable Whirlpool digest support" + default y if !SMALL_FLASH + prompt "Enable Whirlpool digest support (needs legacy provider)" + help + To use the digest, one must install the libopenssl-legacy + package, using a main libopenssl package compiled with this + option enabled as well. config OPENSSL_WITH_COMPRESSION bool @@ -233,6 +246,7 @@ comment "Engine/Hardware Support" config OPENSSL_ENGINE bool "Enable engine support" + select OPENSSL_WITH_DEPRECATED default y help This enables alternative cryptography implementations, diff --git a/openssl/Makefile b/openssl/Makefile index c6d241ed1..7bee24967 100644 --- a/openssl/Makefile +++ b/openssl/Makefile @@ -8,14 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openssl -PKG_BASE:=1.1.1 -PKG_BUGFIX:=v -PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) +PKG_VERSION:=3.0.10 PKG_RELEASE:=1 -PKG_USE_MIPS16:=0 +PKG_BUILD_FLAGS:=no-mips16 gc-sections no-lto PKG_BUILD_PARALLEL:=1 +PKG_BASE:=$(subst $(space),.,$(wordlist 1,2,$(subst .,$(space),$(PKG_VERSION)))) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ http://www.openssl.org/source/ \ @@ -25,9 +24,9 @@ PKG_SOURCE_URL:= \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/ -PKG_HASH:=d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0 +PKG_HASH:=1761d4f5b13a1028b9b6f3d4b8e17feb0cedc9370f6afe61d7193d2cdce83323 -PKG_LICENSE:=OpenSSL +PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE PKG_MAINTAINER:=Eneas U de Queiroz PKG_CPE_ID:=cpe:/a:openssl:openssl 
@@ -40,6 +39,7 @@ PKG_CONFIG_DEPENDS:= \
 CONFIG_OPENSSL_NO_DEPRECATED \
 CONFIG_OPENSSL_OPTIMIZE_SPEED \
 CONFIG_OPENSSL_PREFER_CHACHA_OVER_GCM \
+ CONFIG_OPENSSL_SMALL_FOOTPRINT \
 CONFIG_OPENSSL_WITH_ARIA \
 CONFIG_OPENSSL_WITH_ASM \
 CONFIG_OPENSSL_WITH_ASYNC \
@@ -64,7 +64,7 @@ PKG_CONFIG_DEPENDS:= \
 CONFIG_OPENSSL_WITH_WHIRLPOOL
 
 include $(INCLUDE_DIR)/package.mk
-include engine.mk
+include $(INCLUDE_DIR)/openssl-module.mk
 
 ifneq ($(CONFIG_CCACHE),)
 HOSTCC=$(HOSTCC_NOCACHE)
@@ -95,9 +95,10 @@ $(call Package/openssl/Default)
 DEPENDS:=+OPENSSL_WITH_COMPRESSION:zlib \
 +OPENSSL_ENGINE_BUILTIN_AFALG:kmod-crypto-user \
 +OPENSSL_ENGINE_BUILTIN_DEVCRYPTO:kmod-cryptodev \
- +OPENSSL_ENGINE_BUILTIN_PADLOCK:kmod-crypto-hw-padlock
+ +OPENSSL_ENGINE_BUILTIN_PADLOCK:kmod-crypto-hw-padlock \
+ +(arm||armeb||mips||mipsel||powerpc||arc):libatomic
 TITLE+= (libraries)
- ABI_VERSION:=1.1
+ ABI_VERSION:=$(firstword $(subst .,$(space),$(PKG_VERSION)))
 MENU:=1
 endef
 
@@ -128,8 +129,8 @@ endef
 
 define Package/libopenssl-conf/conffiles
 /etc/ssl/openssl.cnf
-$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/engines.cnf.d/devcrypto.cnf)
-$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/engines.cnf.d/padlock.cnf)
+$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),/etc/ssl/modules.cnf.d/devcrypto.cnf)
+$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),/etc/ssl/modules.cnf.d/padlock.cnf)
 endef
 
 define Package/libopenssl-conf/description
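Review bot: With `include $(INCLUDE_DIR)/openssl-module.mk` replacing the in-tree engine.mk (deleted further down in this patch, together with its `ENGINES_DIR=engines-1.1`), the `Package/openssl/add-engine`, `Package/openssl/add-provider` and `Package/openssl/module/Default` calls and the `ENGINES_DIR` value used by the install recipes later in this file presumably come from the buildroot include, which is not part of this change, so the package now only builds against a buildroot that ships that file. A comment on the include line such as `# add-engine/add-provider, module/Default and ENGINES_DIR are defined in the buildroot's openssl-module.mk` would make that coupling visible. The new `ABI_VERSION:=$(firstword $(subst .,$(space),$(PKG_VERSION)))` reduces to the major version only (`3` for 3.0.10); a short comment recording that OpenSSL 3.x keeps its ABI across minor releases would explain why the minor component is dropped.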
@@ -137,6 +138,37 @@ $(call Package/openssl/Default/description) This package installs the OpenSSL configuration file /etc/ssl/openssl.cnf. endef +ifneq ($(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK)$(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),) +define Package/libopenssl-conf/postinst +#!/bin/sh + +add_engine_config() { + if [ -z "$${IPKG_INSTROOT}" ] && uci -q get "openssl.$$1" >/dev/null; then + [ "$$(uci -q get "openssl.$$1.builtin")" = 1 ] && return + uci set "openssl.$$1.builtin=1" && uci commit openssl + return + fi +} + +$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),add_engine_config devcrypto) +$(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),add_engine_config padlock) +endef +endif + +$(eval $(call Package/openssl/add-provider,legacy)) +define Package/libopenssl-legacy + $(call Package/openssl/Default) + $(call Package/openssl/module/Default) + TITLE:=OpenSSL legacy provider +endef + +define Package/libopenssl-legacy/description +The OpenSSL legacy provider supplies OpenSSL implementations of algorithms that +have been deemed legacy. Such algorithms have commonly fallen out of use, have +been deemed insecure by the cryptography community, or something similar. See +https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html +endef + $(eval $(call Package/openssl/add-engine,afalg)) define Package/libopenssl-afalg $(call Package/openssl/Default) @@ -149,7 +181,7 @@ endef define Package/libopenssl-afalg/description This package adds an engine that enables hardware acceleration through the AF_ALG kernel interface. -See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "afalg" endef 
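Review bot: The libopenssl-legacy description says the provider supplies algorithms `deemed insecure by the cryptography community` but does not tell the user what installing the package does: the shipped legacy.cnf (`[legacy_sect]` / `activate = 1`, added later in this patch) is presumably placed in /etc/ssl/modules.cnf.d by add-provider and picked up through the generated providers.cnf that openssl.cnf includes, so the legacy algorithms become available to every application using the system openssl.cnf, not only to the one the user installed it for. One more sentence in the description, e.g. `Installing this package activates the legacy provider system-wide through /etc/ssl/openssl.cnf; install it only when an application actually needs one of these algorithms.`, would document that consequence. The new `add_engine_config` postinst only promotes an existing `openssl.<engine>` UCI section to `builtin=1` and never clears the flag, which is worth stating in a comment above the function since openssl.init trusts that flag.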
@@ -165,7 +197,7 @@ endef define Package/libopenssl-devcrypto/description This package adds an engine that enables hardware acceleration through the /dev/crypto kernel interface. -See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "devcrypto" endef @@ -181,12 +213,12 @@ endef define Package/libopenssl-padlock/description This package adds an engine that enables VIA Padlock hardware acceleration. -See https://www.openssl.org/docs/man1.1.1/man5/config.html#Engine-Configuration-Module +See https://www.openssl.org/docs/man3.0/man5/config.html#Engine-Configuration and https://openwrt.org/docs/techref/hardware/cryptographic.hardware.accelerators The engine_id is "padlock" endef -OPENSSL_OPTIONS:= shared +OPENSSL_OPTIONS:= shared no-tests ifndef CONFIG_OPENSSL_WITH_BLAKE2 OPENSSL_OPTIONS += no-blake2 @@ -258,7 +290,9 @@ endif ifeq ($(CONFIG_OPENSSL_OPTIMIZE_SPEED),y) TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3 -else +endif + +ifeq ($(CONFIG_OPENSSL_SMALL_FOOTPRINT),y) OPENSSL_OPTIONS += -DOPENSSL_SMALL_FOOTPRINT endif @@ -272,7 +306,7 @@ ifdef CONFIG_OPENSSL_ENGINE OPENSSL_OPTIONS += enable-devcryptoeng endif ifndef CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK - OPENSSL_OPTIONS += no-hw-padlock + OPENSSL_OPTIONS += no-padlockeng endif else ifdef CONFIG_PACKAGE_libopenssl-devcrypto @@ -282,7 +316,7 @@ ifdef CONFIG_OPENSSL_ENGINE OPENSSL_OPTIONS += no-afalgeng endif ifndef CONFIG_PACKAGE_libopenssl-padlock - OPENSSL_OPTIONS += no-hw-padlock + OPENSSL_OPTIONS += no-padlockeng endif endif else @@ -340,8 +374,7 @@ define Build/Configure ) endef -TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections -TARGET_LDFLAGS += -Wl,--gc-sections +TARGET_CFLAGS += $(FPIC) define Build/Compile +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ 
@@ -378,17 +411,17 @@ define Package/libopenssl/install
 endef
 
 define Package/libopenssl-conf/install
- $(INSTALL_DIR) $(1)/etc/ssl/engines.cnf.d $(1)/etc/config $(1)/etc/init.d
+ $(INSTALL_DIR) $(1)/etc/ssl/modules.cnf.d $(1)/etc/config $(1)/etc/init.d
 $(CP) $(PKG_INSTALL_DIR)/etc/ssl/openssl.cnf $(1)/etc/ssl/
 $(INSTALL_BIN) ./files/openssl.init $(1)/etc/init.d/openssl
 $(SED) 's!%ENGINES_DIR%!/usr/lib/$(ENGINES_DIR)!' $(1)/etc/init.d/openssl
 touch $(1)/etc/config/openssl
 $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_DEVCRYPTO),
- $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/engines.cnf.d/
- echo -e "config engine 'devcrypto'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
+ $(CP) ./files/devcrypto.cnf $(1)/etc/ssl/modules.cnf.d/
+ echo -e "config engine 'devcrypto'\n\toption enabled '1'\n\toption builtin '1'" >> $(1)/etc/config/openssl)
 $(if $(CONFIG_OPENSSL_ENGINE_BUILTIN_PADLOCK),
- $(CP) ./files/padlock.cnf $(1)/etc/ssl/engines.cnf.d/
- echo -e "\nconfig engine 'padlock'\n\toption enabled '1'" >> $(1)/etc/config/openssl)
+ $(CP) ./files/padlock.cnf $(1)/etc/ssl/modules.cnf.d/
+ echo -e "\nconfig engine 'padlock'\n\toption enabled '1'\n\toption builtin '1'" >> $(1)/etc/config/openssl)
 endef
 
 define Package/openssl-util/install
@@ -400,5 +433,6 @@ $(eval $(call BuildPackage,libopenssl))
 $(eval $(call BuildPackage,libopenssl-conf))
 $(eval $(call BuildPackage,libopenssl-afalg))
 $(eval $(call BuildPackage,libopenssl-devcrypto))
+$(eval $(call BuildPackage,libopenssl-legacy))
 $(eval $(call BuildPackage,libopenssl-padlock))
 $(eval $(call BuildPackage,openssl-util))
diff --git a/openssl/engine.mk b/openssl/engine.mk
deleted file mode 100644
index 973a98990..000000000
--- a/openssl/engine.mk
+++ /dev/null
@@ -1,46 +0,0 @@ -ENGINES_DIR=engines-1.1 - -define Package/openssl/engine/Default - SECTION:=libs - CATEGORY:=Libraries - SUBMENU:=SSL - DEPENDS:=libopenssl @OPENSSL_ENGINE +libopenssl-conf -endef - -# 1 = engine name -# 2 - package name, defaults to libopenssl-$(1) -define Package/openssl/add-engine - OSSL_ENG_PKG:=$(if $(2),$(2),libopenssl-$(1)) - Package/$$(OSSL_ENG_PKG)/conffiles:=/etc/ssl/engines.cnf.d/$(1).cnf - - define Package/$$(OSSL_ENG_PKG)/install - $$(INSTALL_DIR) $$(1)/usr/lib/$(ENGINES_DIR) - $$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/$(1).so \ - $$(1)/usr/lib/$(ENGINES_DIR) - $$(INSTALL_DIR) $$(1)/etc/ssl/engines.cnf.d - $$(INSTALL_DATA) ./files/$(1).cnf $$(1)/etc/ssl/engines.cnf.d/ - endef - - define Package/$$(OSSL_ENG_PKG)/postinst := -#!/bin/sh -OPENSSL_UCI="$$$${IPKG_INSTROOT}/etc/config/openssl" - -[ -z "$$$${IPKG_INSTROOT}" ] && uci -q get openssl.$(1) >/dev/null && exit 0 - -cat << EOF >> "$$$${OPENSSL_UCI}" - -config engine '$(1)' - option enabled '1' -EOF - -[ -n "$$$${IPKG_INSTROOT}" ] || /etc/init.d/openssl reload - endef - - define Package/$$(OSSL_ENG_PKG)/postrm := -#!/bin/sh -[ -n "$$$${IPKG_INSTROOT}" ] && exit 0 -uci delete openssl.$(1) -uci commit openssl -/etc/init.d/openssl reload - endef -endef diff --git a/openssl/files/afalg.cnf b/openssl/files/afalg.cnf index 4f573d757..fd206361b 100644 --- a/openssl/files/afalg.cnf +++ b/openssl/files/afalg.cnf @@ -1,3 +1,3 @@ -[afalg] +[afalg_sect] default_algorithms = ALL diff --git a/openssl/files/devcrypto.cnf b/openssl/files/devcrypto.cnf index 549275600..91d0eee17 100644 --- a/openssl/files/devcrypto.cnf +++ b/openssl/files/devcrypto.cnf @@ -1,4 +1,4 @@ -[devcrypto] +[devcrypto_sect] # Leave this alone and configure algorithms with CIPERS/DIGESTS below default_algorithms = ALL 
@@ -17,8 +17,9 @@ default_algorithms = ALL
 # It is recommended to disable the ECB ciphers; in most cases, it will
 # only be used for PRNG, in small blocks, where performance is poor,
 # and there may be problems with apps forking with open crypto
-# contexts, leading to failures. The CBC ciphers work well:
-#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC
+# contexts, leading to failures. The CBC ciphers work well.
+CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, \
+ AES-128-CTR, AES-192-CTR, AES-256-CTR
 
 # DIGESTS: either ALL, NONE, or a comma-separated list of digests to
 # enable [default=NONE]
@@ -26,6 +27,8 @@ default_algorithms = ALL
 # is poor, and there are many cases in which they will not work,
 # especially when calling fork with open crypto contexts. Openssh,
 # for example, does this, and you may not be able to login.
-#DIGESTS = NONE
-
+# Sysupgrade will fail as well. If you're adventurous enough to change
+# this, you should change it back to NONE, and reboot before running
+# sysupgrade!
+DIGESTS = NONE
 
diff --git a/openssl/files/legacy.cnf b/openssl/files/legacy.cnf
new file mode 100644
index 000000000..4c2061744
--- /dev/null
+++ b/openssl/files/legacy.cnf
@@ -0,0 +1,3 @@
+[legacy_sect]
+activate = 1
+
diff --git a/openssl/files/openssl.init b/openssl/files/openssl.init
index 21e253e7a..1c1e8745f 100755
--- a/openssl/files/openssl.init
+++ b/openssl/files/openssl.init
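Review bot: The now-active `CIPHERS=` line enables the three AES CTR modes, but the comment directly above it still ends with `The CBC ciphers work well.`; change it to `The CBC and CTR ciphers work well.` so the rationale matches the list. The list also keeps `DES-CBC`: if I read the OpenSSL 3.0 provider split correctly, single DES lives in the legacy provider, so offering it through the devcrypto engine makes it reachable for applications that would otherwise not have it even without libopenssl-legacy installed; if that is not intended, drop it from the default list or note the consequence in the comment. The explicit `DIGESTS = NONE` with its sysupgrade warning in the second hunk is a good change and needs no further edit.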
@@ -1,31 +1,72 @@ #!/bin/sh /etc/rc.common START=13 -ENGINES_CNF_D="/etc/ssl/engines.cnf.d" -ENGINES_CNF="/var/etc/ssl/engines.cnf" -ENGINES_DIR="%ENGINES_DIR%" +ENGINES_CNF=/var/etc/ssl/engines.cnf +ENGINES_DIR=%ENGINES_DIR% +MODULES_DIR=/usr/lib/ossl-modules +PROVIDERS_CNF=/var/etc/ssl/providers.cnf -config_engine() { - local enabled force +#1: cnf file +write_cnf_header() { + mkdir -p "$(dirname "$1")" && \ + echo "# This file is automatically generated from /etc/config/openssl." >"$1" || { + echo "Error writing to $1." + return 1 + } +} + + +#1: module name +#2: output cnf file +#3: module.so +enable_module() { + local builtin enabled force + + config_get_bool builtin "$1" builtin 0 config_get_bool enabled "$1" enabled 1 config_get_bool force "$1" force 0 - [ "$enabled" = 0 ] && return - if [ "$force" = 0 ] && \ - [ ! -f "${ENGINES_CNF_D}/$1.cnf" ] && \ - [ ! -f "${ENGINES_DIR}/$1.so" ]; then - echo Skipping engine "$1": not installed - return + + if [ "$enabled" = 0 ]; then + [ "$builtin" = 0 ] && return 1 + echo "Engine $1 is built into the libcrypto library and can't be disabled through UCI." + echo "If the engine was not built-in, remove 'config builtin' from /etc/config/openssl." + elif [ "$force" = 1 ]; then + printf "[Forced] " + elif ! grep -q "\\[ *$1_sect *]" /etc/ssl/modules.cnf.d/*; then + echo "$1: Could not find section [$1] in config files." + return 1 + elif [ "$builtin" = 1 ]; then + printf "[Builtin] " + elif [ ! -f "$3" ];then + echo "Skipping $1: $3 not found." + return 1 fi - echo Enabling engine "$1" - echo "$1=$1" >> "${ENGINES_CNF}" + echo "Enabling $1" + echo "$1=$1_sect" >>"$2" +} + +config_engine() { + enable_module "$1" "$ENGINES_CNF" \ + "${ENGINES_DIR}/${1}.so" +} + +config_provider() { + enable_module "$1" "$PROVIDERS_CNF" \ + "${MODULES_DIR}/${1}.so" } start() { - mkdir -p "$(dirname "${ENGINES_CNF}")" || exit 1 - echo Generating engines.cnf - echo "# This file is automatically generated from /etc/config/openssl." 
\ - > "${ENGINES_CNF}" || \ - { echo Error writing ${ENGINES_CNF} >&2; exit 1; } + local ret=0 + config_load openssl - config_foreach config_engine engine + + echo Generating engines.cnf + write_cnf_header "${ENGINES_CNF}" && \ + config_foreach config_engine engine || ret=$? + + echo Generating providers.cnf + write_cnf_header "${PROVIDERS_CNF}" && \ + config_foreach config_provider provider || ret=$? + + return $ret } diff --git a/openssl/files/padlock.cnf b/openssl/files/padlock.cnf index ef91079e5..f4085d907 100644 --- a/openssl/files/padlock.cnf +++ b/openssl/files/padlock.cnf @@ -1,3 +1,3 @@ -[padlock] +[padlock_sect] default_algorithms = ALL diff --git a/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch b/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch deleted file mode 100644 index 3da67e25f..000000000 --- a/openssl/patches/001-crypto-perlasm-ppc-xlate.pl-add-linux64v2-flavour.patch +++ /dev/null 
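Review bot: In `enable_module`, the message `"$1: Could not find section [$1] in config files."` names `[$1]` while the `grep` just before it looks for `[$1_sect]`, so a user following the message would create a section that the check still rejects; print the real name and the fixed directory: `echo "$1: Could not find section [$1_sect] in /etc/ssl/modules.cnf.d."`. The pattern `"\\[ *$1_sect *]"` is not anchored to the start of the line, so a commented-out header such as `# [foo_sect]` satisfies the check and `foo=foo_sect` is still written to the generated cnf; `grep -q "^\\[ *$1_sect *]"` avoids that. The `builtin=1` path also skips the `-f "$3"` existence check, and that flag is persisted in /etc/config/openssl by the install recipe and postinst elsewhere in this patch and never cleared, so after a firmware upgrade that no longer builds the engine in, a preserved config would presumably still enable a missing engine and OpenSSL may then report configuration errors in every application; keeping the `.so`/built-in check as the source of truth, or clearing a stale `builtin` in the postinst, would close that gap. The hunk covers the whole file, so `enable_module` and `start()` are complete as shown.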
@@ -1,55 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Andy Polyakov -Date: Sun, 5 May 2019 18:25:50 +0200 -Subject: crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is a big endian ELFv2 configuration. ELFv2 was already being -used for little endian, and big endian was traditionally ELFv1 -but there are practical configurations that use ELFv2 with big -endian nowadays (Adélie Linux, Void Linux, possibly Gentoo, etc.) - -Reviewed-by: Paul Dale -Reviewed-by: Richard Levitte -(Merged from https://github.com/openssl/openssl/pull/8883) - ---- a/crypto/perlasm/ppc-xlate.pl -+++ b/crypto/perlasm/ppc-xlate.pl -@@ -49,7 +49,7 @@ my $globl = sub { - /osx/ && do { $name = "_$name"; - last; - }; -- /linux.*(32|64le)/ -+ /linux.*(32|64(le|v2))/ - && do { $ret .= ".globl $name"; - if (!$$type) { - $ret .= "\n.type $name,\@function"; -@@ -80,7 +80,7 @@ my $globl = sub { - }; - my $text = sub { - my $ret = ($flavour =~ /aix/) ? ".csect\t.text[PR],7" : ".text"; -- $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64le/); -+ $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64(le|v2)/); - $ret; - }; - my $machine = sub { -@@ -186,7 +186,7 @@ my $vmr = sub { - - # Some ABIs specify vrsave, special-purpose register #256, as reserved - # for system use. --my $no_vrsave = ($flavour =~ /aix|linux64le/); -+my $no_vrsave = ($flavour =~ /aix|linux64(le|v2)/); - my $mtspr = sub { - my ($f,$idx,$ra) = @_; - if ($idx == 256 && $no_vrsave) { -@@ -318,7 +318,7 @@ while($line=<>) { - if ($label) { - my $xlated = ($GLOBALS{$label} or $label); - print "$xlated:"; -- if ($flavour =~ /linux.*64le/) { -+ if ($flavour =~ /linux.*64(le|v2)/) { - if ($TYPES{$label} =~ /function/) { - printf "\n.localentry %s,0\n",$xlated; - } 
diff --git a/openssl/patches/100-Configure-afalg-support.patch b/openssl/patches/100-Configure-afalg-support.patch index 746c50621..307e23b80 100644 --- a/openssl/patches/100-Configure-afalg-support.patch +++ b/openssl/patches/100-Configure-afalg-support.patch @@ -10,7 +10,7 @@ Signed-off-by: Eneas U de Queiroz --- a/Configure +++ b/Configure -@@ -1548,7 +1548,9 @@ unless ($disabled{"crypto-mdebug-backtra +@@ -1674,7 +1674,9 @@ $config{CFLAGS} = [ map { $_ eq '--ossl- unless ($disabled{afalgeng}) { $config{afalgeng}=""; diff --git a/openssl/patches/110-openwrt_targets.patch b/openssl/patches/110-openwrt_targets.patch index 6b4fbad0a..a97c603fa 100644 --- a/openssl/patches/110-openwrt_targets.patch +++ b/openssl/patches/110-openwrt_targets.patch @@ -9,7 +9,7 @@ Signed-off-by: Eneas U de Queiroz --- /dev/null +++ b/Configurations/25-openwrt.conf -@@ -0,0 +1,52 @@ +@@ -0,0 +1,56 @@ +## Openwrt "CONFIG_ARCH" matching targets. + +# The targets need to end in '-openwrt' for the AFALG patch to work @@ -23,7 +23,7 @@ Signed-off-by: Eneas U de Queiroz + inherit_from => [ "linux-aarch64", "openwrt" ], + }, + "linux-arc-openwrt" => { -+ inherit_from => [ "linux-generic32", "openwrt" ], ++ inherit_from => [ "linux-latomic", "openwrt" ], + }, + "linux-arm-openwrt" => { + inherit_from => [ "linux-armv4", "openwrt" ], @@ -53,6 +53,10 @@ Signed-off-by: Eneas U de Queiroz + inherit_from => [ "linux-ppc64", "openwrt" ], + perlasm_scheme => "linux64v2", + }, ++ "linux-riscv64-openwrt" => { ++ inherit_from => [ "linux-generic64", "openwrt" ], ++ perlasm_scheme => "linux64", ++ }, + "linux-x86_64-openwrt" => { + inherit_from => [ "linux-x86_64", "openwrt" ], + }, diff --git a/openssl/patches/120-strip-cflags-from-binary.patch b/openssl/patches/120-strip-cflags-from-binary.patch index 90282706d..c4f254039 100644 --- a/openssl/patches/120-strip-cflags-from-binary.patch +++ b/openssl/patches/120-strip-cflags-from-binary.patch @@ -10,12 +10,12 @@ Signed-off-by: Eneas U de Queiroz 
--- a/crypto/build.info +++ b/crypto/build.info -@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink - ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl +@@ -111,7 +111,7 @@ DEFINE[../libcrypto]=$UPLINKDEF + DEPEND[info.o]=buildinf.h DEPEND[cversion.o]=buildinf.h -GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)" +GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map% -ffile-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)" - DEPEND[buildinf.h]=../configdata.pm - GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME) + GENERATE[uplink-x86.S]=../ms/uplink-x86.pl + GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl diff --git a/openssl/patches/130-dont-build-fuzz-docs.patch b/openssl/patches/130-dont-build-fuzz-docs.patch new file mode 100644 index 000000000..60c466392 --- /dev/null +++ b/openssl/patches/130-dont-build-fuzz-docs.patch @@ -0,0 +1,20 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Thu, 27 Sep 2018 08:34:38 -0300 +Subject: Do not build tests and fuzz directories + +This shortens build time. + +Signed-off-by: Eneas U de Queiroz + +--- a/build.info ++++ b/build.info +@@ -1,7 +1,7 @@ + # Note that some of these directories are filtered in Configure. Look for + # %skipdir there for further explanations. + +-SUBDIRS=crypto ssl apps util tools fuzz providers doc ++SUBDIRS=crypto ssl apps util tools providers + IF[{- !$disabled{tests} -}] + SUBDIRS=test + ENDIF diff --git a/openssl/patches/130-dont-build-tests-fuzz.patch b/openssl/patches/130-dont-build-tests-fuzz.patch deleted file mode 100644 index baf8bca9e..000000000 --- a/openssl/patches/130-dont-build-tests-fuzz.patch +++ /dev/null 
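Review bot: The new patch file is named 130-dont-build-fuzz-docs.patch and its hunk drops `fuzz` and `doc` from `SUBDIRS` while leaving `test` to the `IF[{- !$disabled{tests} -}]` block (tests are now disabled through `no-tests` in `OPENSSL_OPTIONS` in the Makefile hunk above), but the embedded commit message was carried over unchanged from the deleted 130-dont-build-tests-fuzz.patch and still says `Subject: Do not build tests and fuzz directories`. Update it to `Subject: Do not build fuzz and doc directories` and add a line to the description noting that tests are handled by the `no-tests` configure option, so the patch header describes what the hunk does.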
@@ -1,29 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Thu, 27 Sep 2018 08:34:38 -0300 -Subject: Do not build tests and fuzz directories - -This shortens build time. - -Signed-off-by: Eneas U de Queiroz - ---- a/Configure -+++ b/Configure -@@ -318,7 +318,7 @@ my $auto_threads=1; # enable threads - my $default_ranlib; - - # Top level directories to build --$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ]; -+$config{dirs} = [ "crypto", "ssl", "engines", "apps", "util", "tools" ]; - # crypto/ subdirectories to build - $config{sdirs} = [ - "objects", -@@ -330,7 +330,7 @@ $config{sdirs} = [ - "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" - ]; - # test/ subdirectories to build --$config{tdirs} = [ "ossl_shim" ]; -+$config{tdirs} = []; - - # Known TLS and DTLS protocols - my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3); diff --git a/openssl/patches/140-allow-prefer-chacha20.patch b/openssl/patches/140-allow-prefer-chacha20.patch index 99afd9acf..43fd92e38 100644 --- a/openssl/patches/140-allow-prefer-chacha20.patch +++ b/openssl/patches/140-allow-prefer-chacha20.patch @@ -14,30 +14,9 @@ when the client has it on top of its ciphersuite preference. 
Signed-off-by: Eneas U de Queiroz ---- a/include/openssl/ssl.h -+++ b/include/openssl/ssl.h -@@ -173,9 +173,15 @@ extern "C" { - # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" - /* This is the default set of TLSv1.3 ciphersuites */ - # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) --# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ -- "TLS_CHACHA20_POLY1305_SHA256:" \ -- "TLS_AES_128_GCM_SHA256" -+# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM -+# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \ -+ "TLS_AES_256_GCM_SHA384:" \ -+ "TLS_AES_128_GCM_SHA256" -+# else -+# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ -+ "TLS_CHACHA20_POLY1305_SHA256:" \ -+ "TLS_AES_128_GCM_SHA256" -+# endif - # else - # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ - "TLS_AES_128_GCM_SHA256" --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c -@@ -1465,11 +1465,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1505,11 +1505,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); @@ -67,7 +46,7 @@ Signed-off-by: Eneas U de Queiroz /* * ...and generally, our preferred cipher is AES. -@@ -1525,7 +1543,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1564,7 +1582,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * Within each group, ciphers remain sorted by strength and previous * preference, i.e., * 1) ECDHE > DHE @@ -76,3 +55,38 @@ 
Signed-off-by: Eneas U de Queiroz * 3) AES > rest * 4) TLS 1.2 > legacy * +@@ -2235,7 +2253,13 @@ const char *OSSL_default_cipher_list(voi + */ + const char *OSSL_default_ciphersuites(void) + { ++#ifdef OPENSSL_PREFER_CHACHA_OVER_GCM ++ return "TLS_CHACHA20_POLY1305_SHA256:" ++ "TLS_AES_256_GCM_SHA384:" ++ "TLS_AES_128_GCM_SHA256"; ++#else + return "TLS_AES_256_GCM_SHA384:" + "TLS_CHACHA20_POLY1305_SHA256:" + "TLS_AES_128_GCM_SHA256"; ++#endif + } +--- a/include/openssl/ssl.h.in ++++ b/include/openssl/ssl.h.in +@@ -195,9 +195,15 @@ extern "C" { + * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites() + * Update both macro and function simultaneously + */ +-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ +- "TLS_CHACHA20_POLY1305_SHA256:" \ +- "TLS_AES_128_GCM_SHA256" ++# ifdef OPENSSL_PREFER_CHACHA_OVER_GCM ++# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \ ++ "TLS_AES_256_GCM_SHA384:" \ ++ "TLS_AES_128_GCM_SHA256" ++# else ++# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ ++ "TLS_CHACHA20_POLY1305_SHA256:" \ ++ "TLS_AES_128_GCM_SHA256" ++# endif + # endif + /* + * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always diff --git a/openssl/patches/150-openssl.cnf-add-engines-conf.patch b/openssl/patches/150-openssl.cnf-add-engines-conf.patch index fa92fbe2a..9fe9cdf59 100644 --- a/openssl/patches/150-openssl.cnf-add-engines-conf.patch +++ b/openssl/patches/150-openssl.cnf-add-engines-conf.patch @@ -10,20 +10,32 @@ Signed-off-by: Eneas U de Queiroz --- a/apps/openssl.cnf 
+++ b/apps/openssl.cnf -@@ -22,6 +22,16 @@ oid_section = new_oids - # (Alternatively, use a configuration file that has only - # X.509v3 extensions in its main [= default] section.) +@@ -52,10 +52,13 @@ tsa_policy3 = 1.2.3.4.5.7 -+openssl_conf=openssl_conf + [openssl_init] + providers = provider_sect ++engines = engines_sect + + # List of providers to load + [provider_sect] + default = default_sect ++.include /var/etc/ssl/providers.cnf + -+[openssl_conf] -+engines=engines + # The fips section name should match the section name inside the + # included fipsmodule.cnf. + # fips = fips_sect +@@ -69,7 +72,13 @@ default = default_sect + # OpenSSL may not work correctly which could lead to significant system + # problems including inability to remotely access the system. + [default_sect] +-# activate = 1 ++activate = 1 + -+[engines] ++[engines_sect] +.include /var/etc/ssl/engines.cnf + -+.include /etc/ssl/engines.cnf.d ++.include /etc/ssl/modules.cnf.d + - [ new_oids ] - # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. + + #################################################################### diff --git a/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch b/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch deleted file mode 100644 index ed8204c33..000000000 --- a/openssl/patches/400-eng_devcrypto-save-ioctl-if-EVP_MD_.FLAG_ONESHOT.patch +++ /dev/null 
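Review bot: The change from `# activate = 1` to `activate = 1` in `[default_sect]` carries no explanation, yet it is what keeps the default provider usable: once the included providers.cnf activates another provider (the legacy provider packaged in this commit), OpenSSL 3.0 no longer loads the default provider implicitly, so without this line every application would lose the default algorithms as soon as libopenssl-legacy is installed. Add a comment line above it in the patch, e.g. `+# Keep active: providers activated via providers.cnf disable implicit loading of the default provider.`, and a sentence in the patch description. The new `.include /var/etc/ssl/providers.cnf` target is generated by openssl.init at boot; whether OpenSSL treats a not-yet-existing include as optional before the init script has run is worth confirming, as the same pattern was already relied on for engines.cnf.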
@@ -1,58 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Mon, 5 Nov 2018 15:54:17 -0200 -Subject: eng_devcrypto: save ioctl if EVP_MD_..FLAG_ONESHOT - -Since each ioctl causes a context switch, slowing things down, if -EVP_MD_CTX_FLAG_ONESHOT is set, then: - - call the ioctl in digest_update, saving the result; and - - just copy the result in digest_final, instead of using another ioctl. - -Signed-off-by: Eneas U de Queiroz - -Reviewed-by: Matthias St. Pierre -Reviewed-by: Richard Levitte -(Merged from https://github.com/openssl/openssl/pull/7585) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -461,6 +461,7 @@ struct digest_ctx { - struct session_op sess; - /* This signals that the init function was called, not that it succeeded. */ - int init_called; -+ unsigned char digest_res[HASH_MAX_LEN]; - }; - - static const struct digest_data_st { -@@ -564,12 +565,15 @@ static int digest_update(EVP_MD_CTX *ctx - if (digest_ctx == NULL) - return 0; - -- if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) { -- SYSerr(SYS_F_IOCTL, errno); -- return 0; -+ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) { -+ if (digest_op(digest_ctx, data, count, digest_ctx->digest_res, 0) >= 0) -+ return 1; -+ } else if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) >= 0) { -+ return 1; - } - -- return 1; -+ SYSerr(SYS_F_IOCTL, errno); -+ return 0; - } - - static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) -@@ -579,7 +583,10 @@ static int digest_final(EVP_MD_CTX *ctx, - - if (md == NULL || digest_ctx == NULL) - return 0; -- if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) { -+ -+ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) { -+ memcpy(md, digest_ctx->digest_res, EVP_MD_CTX_size(ctx)); -+ } else if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) { - SYSerr(SYS_F_IOCTL, errno); - return 0; - } 
diff --git a/openssl/patches/410-eng_devcrypto-add-configuration-options.patch b/openssl/patches/410-eng_devcrypto-add-configuration-options.patch deleted file mode 100644 index bad7a3725..000000000 --- a/openssl/patches/410-eng_devcrypto-add-configuration-options.patch +++ /dev/null 
@@ -1,566 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Sat, 3 Nov 2018 15:41:10 -0300 -Subject: eng_devcrypto: add configuration options - -USE_SOFTDRIVERS: whether to use software (not accelerated) drivers -CIPHERS: list of ciphers to enable -DIGESTS: list of digests to enable - -Signed-off-by: Eneas U de Queiroz - -Reviewed-by: Matthias St. Pierre -Reviewed-by: Richard Levitte -(Merged from https://github.com/openssl/openssl/pull/7585) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -16,6 +16,7 @@ - #include - #include - -+#include - #include - #include - #include -@@ -36,6 +37,30 @@ - * saner... why re-open /dev/crypto for every session? - */ - static int cfd; -+#define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */ -+#define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */ -+#define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */ -+ -+#define DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS DEVCRYPTO_REJECT_SOFTWARE -+static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; -+ -+/* -+ * cipher/digest status & acceleration definitions -+ * Make sure the defaults are set to 0 -+ */ -+struct driver_info_st { -+ enum devcrypto_status_t { -+ DEVCRYPTO_STATUS_UNUSABLE = -1, /* session open failed */ -+ DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ -+ DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ -+ } status; -+ -+ enum devcrypto_accelerated_t { -+ DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ -+ DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ -+ DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ -+ } accelerated; -+}; - - static int clean_devcrypto_session(struct session_op *sess) { - if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) { -@@ -119,13 +144,22 @@ static const struct cipher_data_st { - #endif - }; - --static size_t get_cipher_data_index(int nid) -+static size_t 
find_cipher_data_index(int nid) - { - size_t i; - - for (i = 0; i < OSSL_NELEM(cipher_data); i++) - if (nid == cipher_data[i].nid) - return i; -+ return (size_t)-1; -+} -+ -+static size_t get_cipher_data_index(int nid) -+{ -+ size_t i = find_cipher_data_index(nid); -+ -+ if (i != (size_t)-1) -+ return i; - - /* - * Code further down must make sure that only NIDs in the table above -@@ -333,19 +367,40 @@ static int cipher_cleanup(EVP_CIPHER_CTX - } - - /* -- * Keep a table of known nids and associated methods. -+ * Keep tables of known nids, associated methods, selected ciphers, and driver -+ * info. - * Note that known_cipher_nids[] isn't necessarily indexed the same way as -- * cipher_data[] above, which known_cipher_methods[] is. -+ * cipher_data[] above, which the other tables are. - */ - static int known_cipher_nids[OSSL_NELEM(cipher_data)]; - static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */ - static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, }; -+static int selected_ciphers[OSSL_NELEM(cipher_data)]; -+static struct driver_info_st cipher_driver_info[OSSL_NELEM(cipher_data)]; -+ -+ -+static int devcrypto_test_cipher(size_t cipher_data_index) -+{ -+ return (cipher_driver_info[cipher_data_index].status == DEVCRYPTO_STATUS_USABLE -+ && selected_ciphers[cipher_data_index] == 1 -+ && (cipher_driver_info[cipher_data_index].accelerated -+ == DEVCRYPTO_ACCELERATED -+ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE -+ || (cipher_driver_info[cipher_data_index].accelerated -+ != DEVCRYPTO_NOT_ACCELERATED -+ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE))); -+} - - static void prepare_cipher_methods(void) - { - size_t i; - struct session_op sess; - unsigned long cipher_mode; -+#ifdef CIOCGSESSINFO -+ struct session_info_op siop; -+#endif -+ -+ memset(&cipher_driver_info, 0, sizeof(cipher_driver_info)); - - memset(&sess, 0, sizeof(sess)); - sess.key = (void *)"01234567890123456789012345678901234567890123456789"; -@@ 
-353,15 +408,16 @@ static void prepare_cipher_methods(void) - for (i = 0, known_cipher_nids_amount = 0; - i < OSSL_NELEM(cipher_data); i++) { - -+ selected_ciphers[i] = 1; - /* -- * Check that the algo is really availably by trying to open and close -- * a session. -+ * Check that the cipher is usable - */ - sess.cipher = cipher_data[i].devcryptoid; - sess.keylen = cipher_data[i].keylen; -- if (ioctl(cfd, CIOCGSESSION, &sess) < 0 -- || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0) -+ if (ioctl(cfd, CIOCGSESSION, &sess) < 0) { -+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; - continue; -+ } - - cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; - -@@ -387,15 +443,41 @@ static void prepare_cipher_methods(void) - cipher_cleanup) - || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], - sizeof(struct cipher_ctx))) { -+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; - EVP_CIPHER_meth_free(known_cipher_methods[i]); - known_cipher_methods[i] = NULL; - } else { -+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; -+#ifdef CIOCGSESSINFO -+ siop.ses = sess.ses; -+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) -+ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; -+ else if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) -+ cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; -+ else -+ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; -+#endif /* CIOCGSESSINFO */ -+ } -+ ioctl(cfd, CIOCFSESSION, &sess.ses); -+ if (devcrypto_test_cipher(i)) { - known_cipher_nids[known_cipher_nids_amount++] = - cipher_data[i].nid; - } - } - } - -+static void rebuild_known_cipher_nids(ENGINE *e) -+{ -+ size_t i; -+ -+ for (i = 0, known_cipher_nids_amount = 0; i < OSSL_NELEM(cipher_data); i++) { -+ if (devcrypto_test_cipher(i)) -+ known_cipher_nids[known_cipher_nids_amount++] = cipher_data[i].nid; -+ } -+ ENGINE_unregister_ciphers(e); -+ ENGINE_register_ciphers(e); -+} -+ - static const EVP_CIPHER *get_cipher_method(int nid) - { - 
size_t i = get_cipher_data_index(nid); -@@ -438,6 +520,36 @@ static int devcrypto_ciphers(ENGINE *e, - return *cipher != NULL; - } - -+static void devcrypto_select_all_ciphers(int *cipher_list) -+{ -+ size_t i; -+ -+ for (i = 0; i < OSSL_NELEM(cipher_data); i++) -+ cipher_list[i] = 1; -+} -+ -+static int cryptodev_select_cipher_cb(const char *str, int len, void *usr) -+{ -+ int *cipher_list = (int *)usr; -+ char *name; -+ const EVP_CIPHER *EVP; -+ size_t i; -+ -+ if (len == 0) -+ return 1; -+ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL) -+ return 0; -+ EVP = EVP_get_cipherbyname(name); -+ if (EVP == NULL) -+ fprintf(stderr, "devcrypto: unknown cipher %s\n", name); -+ else if ((i = find_cipher_data_index(EVP_CIPHER_nid(EVP))) != (size_t)-1) -+ cipher_list[i] = 1; -+ else -+ fprintf(stderr, "devcrypto: cipher %s not available\n", name); -+ OPENSSL_free(name); -+ return 1; -+} -+ - /* - * We only support digests if the cryptodev implementation supports multiple - * data updates and session copying. Otherwise, we would be forced to maintain -@@ -493,13 +605,22 @@ static const struct digest_data_st { - #endif - }; - --static size_t get_digest_data_index(int nid) -+static size_t find_digest_data_index(int nid) - { - size_t i; - - for (i = 0; i < OSSL_NELEM(digest_data); i++) - if (nid == digest_data[i].nid) - return i; -+ return (size_t)-1; -+} -+ -+static size_t get_digest_data_index(int nid) -+{ -+ size_t i = find_digest_data_index(nid); -+ -+ if (i != (size_t)-1) -+ return i; - - /* - * Code further down must make sure that only NIDs in the table above -@@ -516,8 +637,8 @@ static const struct digest_data_st *get_ - } - - /* -- * Following are the four necessary functions to map OpenSSL functionality -- * with cryptodev. -+ * Following are the five necessary functions to map OpenSSL functionality -+ * with cryptodev: init, update, final, cleanup, and copy. 
- */ - - static int digest_init(EVP_MD_CTX *ctx) -@@ -630,52 +751,94 @@ static int digest_cleanup(EVP_MD_CTX *ct - return clean_devcrypto_session(&digest_ctx->sess); - } - --static int devcrypto_test_digest(size_t digest_data_index) --{ -- struct session_op sess1, sess2; -- struct cphash_op cphash; -- int ret=0; -- -- memset(&sess1, 0, sizeof(sess1)); -- memset(&sess2, 0, sizeof(sess2)); -- sess1.mac = digest_data[digest_data_index].devcryptoid; -- if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) -- return 0; -- /* Make sure the driver is capable of hash state copy */ -- sess2.mac = sess1.mac; -- if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) { -- cphash.src_ses = sess1.ses; -- cphash.dst_ses = sess2.ses; -- if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0) -- ret = 1; -- ioctl(cfd, CIOCFSESSION, &sess2.ses); -- } -- ioctl(cfd, CIOCFSESSION, &sess1.ses); -- return ret; --} -- - /* -- * Keep a table of known nids and associated methods. -+ * Keep tables of known nids, associated methods, selected digests, and -+ * driver info. - * Note that known_digest_nids[] isn't necessarily indexed the same way as -- * digest_data[] above, which known_digest_methods[] is. -+ * digest_data[] above, which the other tables are. 
- */ - static int known_digest_nids[OSSL_NELEM(digest_data)]; - static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */ - static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, }; -+static int selected_digests[OSSL_NELEM(digest_data)]; -+static struct driver_info_st digest_driver_info[OSSL_NELEM(digest_data)]; -+ -+static int devcrypto_test_digest(size_t digest_data_index) -+{ -+ return (digest_driver_info[digest_data_index].status == DEVCRYPTO_STATUS_USABLE -+ && selected_digests[digest_data_index] == 1 -+ && (digest_driver_info[digest_data_index].accelerated -+ == DEVCRYPTO_ACCELERATED -+ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE -+ || (digest_driver_info[digest_data_index].accelerated -+ != DEVCRYPTO_NOT_ACCELERATED -+ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE))); -+} -+ -+static void rebuild_known_digest_nids(ENGINE *e) -+{ -+ size_t i; -+ -+ for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); i++) { -+ if (devcrypto_test_digest(i)) -+ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; -+ } -+ ENGINE_unregister_digests(e); -+ ENGINE_register_digests(e); -+} - - static void prepare_digest_methods(void) - { - size_t i; -+ struct session_op sess1, sess2; -+#ifdef CIOCGSESSINFO -+ struct session_info_op siop; -+#endif -+ struct cphash_op cphash; -+ -+ memset(&digest_driver_info, 0, sizeof(digest_driver_info)); -+ -+ memset(&sess1, 0, sizeof(sess1)); -+ memset(&sess2, 0, sizeof(sess2)); - - for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); - i++) { - -+ selected_digests[i] = 1; -+ - /* -- * Check that the algo is usable -+ * Check that the digest is usable - */ -- if (!devcrypto_test_digest(i)) -- continue; -+ sess1.mac = digest_data[i].devcryptoid; -+ sess2.ses = 0; -+ if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) { -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ goto finish; -+ } - -+#ifdef CIOCGSESSINFO -+ /* gather hardware acceleration info 
from the driver */ -+ siop.ses = sess1.ses; -+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) -+ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; -+ else if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) -+ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; -+ else -+ digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; -+#endif -+ -+ /* digest must be capable of hash state copy */ -+ sess2.mac = sess1.mac; -+ if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) { -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ goto finish; -+ } -+ cphash.src_ses = sess1.ses; -+ cphash.dst_ses = sess2.ses; -+ if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ goto finish; -+ } - if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid, - NID_undef)) == NULL - || !EVP_MD_meth_set_input_blocksize(known_digest_methods[i], -@@ -689,11 +852,18 @@ static void prepare_digest_methods(void) - || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup) - || !EVP_MD_meth_set_app_datasize(known_digest_methods[i], - sizeof(struct digest_ctx))) { -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; - EVP_MD_meth_free(known_digest_methods[i]); - known_digest_methods[i] = NULL; -- } else { -- known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; -+ goto finish; - } -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; -+finish: -+ ioctl(cfd, CIOCFSESSION, &sess1.ses); -+ if (sess2.ses != 0) -+ ioctl(cfd, CIOCFSESSION, &sess2.ses); -+ if (devcrypto_test_digest(i)) -+ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; - } - } - -@@ -739,7 +909,153 @@ static int devcrypto_digests(ENGINE *e, - return *digest != NULL; - } - -+static void devcrypto_select_all_digests(int *digest_list) -+{ -+ size_t i; -+ -+ for (i = 0; i < OSSL_NELEM(digest_data); i++) -+ digest_list[i] = 1; -+} -+ -+static int cryptodev_select_digest_cb(const char *str, int len, void 
*usr) -+{ -+ int *digest_list = (int *)usr; -+ char *name; -+ const EVP_MD *EVP; -+ size_t i; -+ -+ if (len == 0) -+ return 1; -+ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL) -+ return 0; -+ EVP = EVP_get_digestbyname(name); -+ if (EVP == NULL) -+ fprintf(stderr, "devcrypto: unknown digest %s\n", name); -+ else if ((i = find_digest_data_index(EVP_MD_type(EVP))) != (size_t)-1) -+ digest_list[i] = 1; -+ else -+ fprintf(stderr, "devcrypto: digest %s not available\n", name); -+ OPENSSL_free(name); -+ return 1; -+} -+ -+#endif -+ -+/****************************************************************************** -+ * -+ * CONTROL COMMANDS -+ * -+ *****/ -+ -+#define DEVCRYPTO_CMD_USE_SOFTDRIVERS ENGINE_CMD_BASE -+#define DEVCRYPTO_CMD_CIPHERS (ENGINE_CMD_BASE + 1) -+#define DEVCRYPTO_CMD_DIGESTS (ENGINE_CMD_BASE + 2) -+#define DEVCRYPTO_CMD_DUMP_INFO (ENGINE_CMD_BASE + 3) -+ -+/* Helper macros for CPP string composition */ -+#ifndef OPENSSL_MSTR -+# define OPENSSL_MSTR_HELPER(x) #x -+# define OPENSSL_MSTR(x) OPENSSL_MSTR_HELPER(x) -+#endif -+ -+static const ENGINE_CMD_DEFN devcrypto_cmds[] = { -+#ifdef CIOCGSESSINFO -+ {DEVCRYPTO_CMD_USE_SOFTDRIVERS, -+ "USE_SOFTDRIVERS", -+ "specifies whether to use software (not accelerated) drivers (" -+ OPENSSL_MSTR(DEVCRYPTO_REQUIRE_ACCELERATED) "=use only accelerated drivers, " -+ OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, " -+ OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE) -+ "=use if acceleration can't be determined) [default=" -+ OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS) "]", -+ ENGINE_CMD_FLAG_NUMERIC}, -+#endif -+ -+ {DEVCRYPTO_CMD_CIPHERS, -+ "CIPHERS", -+ "either ALL, NONE, or a comma-separated list of ciphers to enable [default=ALL]", -+ ENGINE_CMD_FLAG_STRING}, -+ -+#ifdef IMPLEMENT_DIGEST -+ {DEVCRYPTO_CMD_DIGESTS, -+ "DIGESTS", -+ "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]", -+ ENGINE_CMD_FLAG_STRING}, -+#endif -+ -+ {0, NULL, NULL, 0} -+}; -+ -+static 
int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) -+{ -+ int *new_list; -+ switch (cmd) { -+#ifdef CIOCGSESSINFO -+ case DEVCRYPTO_CMD_USE_SOFTDRIVERS: -+ switch (i) { -+ case DEVCRYPTO_REQUIRE_ACCELERATED: -+ case DEVCRYPTO_USE_SOFTWARE: -+ case DEVCRYPTO_REJECT_SOFTWARE: -+ break; -+ default: -+ fprintf(stderr, "devcrypto: invalid value (%ld) for USE_SOFTDRIVERS\n", i); -+ return 0; -+ } -+ if (use_softdrivers == i) -+ return 1; -+ use_softdrivers = i; -+#ifdef IMPLEMENT_DIGEST -+ rebuild_known_digest_nids(e); - #endif -+ rebuild_known_cipher_nids(e); -+ return 1; -+#endif /* CIOCGSESSINFO */ -+ -+ case DEVCRYPTO_CMD_CIPHERS: -+ if (p == NULL) -+ return 1; -+ if (strcasecmp((const char *)p, "ALL") == 0) { -+ devcrypto_select_all_ciphers(selected_ciphers); -+ } else if (strcasecmp((const char*)p, "NONE") == 0) { -+ memset(selected_ciphers, 0, sizeof(selected_ciphers)); -+ } else { -+ new_list=OPENSSL_zalloc(sizeof(selected_ciphers)); -+ if (!CONF_parse_list(p, ',', 1, cryptodev_select_cipher_cb, new_list)) { -+ OPENSSL_free(new_list); -+ return 0; -+ } -+ memcpy(selected_ciphers, new_list, sizeof(selected_ciphers)); -+ OPENSSL_free(new_list); -+ } -+ rebuild_known_cipher_nids(e); -+ return 1; -+ -+#ifdef IMPLEMENT_DIGEST -+ case DEVCRYPTO_CMD_DIGESTS: -+ if (p == NULL) -+ return 1; -+ if (strcasecmp((const char *)p, "ALL") == 0) { -+ devcrypto_select_all_digests(selected_digests); -+ } else if (strcasecmp((const char*)p, "NONE") == 0) { -+ memset(selected_digests, 0, sizeof(selected_digests)); -+ } else { -+ new_list=OPENSSL_zalloc(sizeof(selected_digests)); -+ if (!CONF_parse_list(p, ',', 1, cryptodev_select_digest_cb, new_list)) { -+ OPENSSL_free(new_list); -+ return 0; -+ } -+ memcpy(selected_digests, new_list, sizeof(selected_digests)); -+ OPENSSL_free(new_list); -+ } -+ rebuild_known_digest_nids(e); -+ return 1; -+#endif /* IMPLEMENT_DIGEST */ -+ -+ default: -+ break; -+ } -+ return 0; -+} - - 
/****************************************************************************** - * -@@ -806,6 +1122,8 @@ void engine_load_devcrypto_int() - - if (!ENGINE_set_id(e, "devcrypto") - || !ENGINE_set_name(e, "/dev/crypto engine") -+ || !ENGINE_set_cmd_defns(e, devcrypto_cmds) -+ || !ENGINE_set_ctrl_function(e, devcrypto_ctrl) - - /* - * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD diff --git a/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch b/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch deleted file mode 100644 index eee71c6c6..000000000 --- a/openssl/patches/420-eng_devcrypto-add-command-to-dump-driver-info.patch +++ /dev/null 
@@ -1,273 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Tue, 6 Nov 2018 22:54:07 -0200 -Subject: eng_devcrypto: add command to dump driver info - -This is useful to determine the kernel driver running each algorithm. - -Signed-off-by: Eneas U de Queiroz - -Reviewed-by: Matthias St. Pierre -Reviewed-by: Richard Levitte -(Merged from https://github.com/openssl/openssl/pull/7585) - ---- a/crypto/engine/eng_devcrypto.c -+++ b/crypto/engine/eng_devcrypto.c -@@ -50,16 +50,20 @@ static int use_softdrivers = DEVCRYPTO_D - */ - struct driver_info_st { - enum devcrypto_status_t { -- DEVCRYPTO_STATUS_UNUSABLE = -1, /* session open failed */ -- DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ -- DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ -+ DEVCRYPTO_STATUS_FAILURE = -3, /* unusable for other reason */ -+ DEVCRYPTO_STATUS_NO_CIOCCPHASH = -2, /* hash state copy not supported */ -+ DEVCRYPTO_STATUS_NO_CIOCGSESSION = -1, /* session open failed */ -+ DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ -+ DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ - } status; - - enum devcrypto_accelerated_t { -- DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ -- DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ -- DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ -+ DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ -+ DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ -+ DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ - } accelerated; -+ -+ char *driver_name; - }; - - static int clean_devcrypto_session(struct session_op *sess) { -@@ -415,7 +419,7 @@ static void prepare_cipher_methods(void) - sess.cipher = cipher_data[i].devcryptoid; - sess.keylen = cipher_data[i].keylen; - if (ioctl(cfd, CIOCGSESSION, &sess) < 0) { -- cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; - 
continue; - } - -@@ -443,19 +447,24 @@ static void prepare_cipher_methods(void) - cipher_cleanup) - || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], - sizeof(struct cipher_ctx))) { -- cipher_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; - EVP_CIPHER_meth_free(known_cipher_methods[i]); - known_cipher_methods[i] = NULL; - } else { - cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; - #ifdef CIOCGSESSINFO - siop.ses = sess.ses; -- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) -+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { - cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; -- else if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) -- cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; -- else -- cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; -+ } else { -+ cipher_driver_info[i].driver_name = -+ OPENSSL_strndup(siop.cipher_info.cra_driver_name, -+ CRYPTODEV_MAX_ALG_NAME); -+ if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) -+ cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; -+ else -+ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; -+ } - #endif /* CIOCGSESSINFO */ - } - ioctl(cfd, CIOCFSESSION, &sess.ses); -@@ -505,8 +514,11 @@ static void destroy_all_cipher_methods(v - { - size_t i; - -- for (i = 0; i < OSSL_NELEM(cipher_data); i++) -+ for (i = 0; i < OSSL_NELEM(cipher_data); i++) { - destroy_cipher_method(cipher_data[i].nid); -+ OPENSSL_free(cipher_driver_info[i].driver_name); -+ cipher_driver_info[i].driver_name = NULL; -+ } - } - - static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, -@@ -550,6 +562,40 @@ static int cryptodev_select_cipher_cb(co - return 1; - } - -+static void dump_cipher_info(void) -+{ -+ size_t i; -+ const char *name; -+ -+ fprintf (stderr, "Information about ciphers supported by the /dev/crypto" -+ " engine:\n"); -+#ifndef CIOCGSESSINFO -+ fprintf(stderr, "CIOCGSESSINFO (session info 
call) unavailable\n"); -+#endif -+ for (i = 0; i < OSSL_NELEM(cipher_data); i++) { -+ name = OBJ_nid2sn(cipher_data[i].nid); -+ fprintf (stderr, "Cipher %s, NID=%d, /dev/crypto info: id=%d, ", -+ name ? name : "unknown", cipher_data[i].nid, -+ cipher_data[i].devcryptoid); -+ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION ) { -+ fprintf (stderr, "CIOCGSESSION (session open call) failed\n"); -+ continue; -+ } -+ fprintf (stderr, "driver=%s ", cipher_driver_info[i].driver_name ? -+ cipher_driver_info[i].driver_name : "unknown"); -+ if (cipher_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED) -+ fprintf(stderr, "(hw accelerated)"); -+ else if (cipher_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED) -+ fprintf(stderr, "(software)"); -+ else -+ fprintf(stderr, "(acceleration status unknown)"); -+ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE) -+ fprintf (stderr, ". Cipher setup failed"); -+ fprintf(stderr, "\n"); -+ } -+ fprintf(stderr, "\n"); -+} -+ - /* - * We only support digests if the cryptodev implementation supports multiple - * data updates and session copying. 
Otherwise, we would be forced to maintain -@@ -812,31 +858,36 @@ static void prepare_digest_methods(void) - sess1.mac = digest_data[i].devcryptoid; - sess2.ses = 0; - if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) { -- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; - goto finish; - } - - #ifdef CIOCGSESSINFO - /* gather hardware acceleration info from the driver */ - siop.ses = sess1.ses; -- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) -+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { - digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; -- else if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) -- digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; -- else -- digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; -+ } else { -+ digest_driver_info[i].driver_name = -+ OPENSSL_strndup(siop.hash_info.cra_driver_name, -+ CRYPTODEV_MAX_ALG_NAME); -+ if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) -+ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; -+ else -+ digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; -+ } - #endif - - /* digest must be capable of hash state copy */ - sess2.mac = sess1.mac; - if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) { -- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; - goto finish; - } - cphash.src_ses = sess1.ses; - cphash.dst_ses = sess2.ses; - if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { -- digest_driver_info[i].status = DEVCRYPTO_STATUS_UNUSABLE; -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCCPHASH; - goto finish; - } - if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid, -@@ -852,7 +903,7 @@ static void prepare_digest_methods(void) - || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup) - || !EVP_MD_meth_set_app_datasize(known_digest_methods[i], - sizeof(struct digest_ctx))) { -- digest_driver_info[i].status = 
DEVCRYPTO_STATUS_UNUSABLE; -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; - EVP_MD_meth_free(known_digest_methods[i]); - known_digest_methods[i] = NULL; - goto finish; -@@ -894,8 +945,11 @@ static void destroy_all_digest_methods(v - { - size_t i; - -- for (i = 0; i < OSSL_NELEM(digest_data); i++) -+ for (i = 0; i < OSSL_NELEM(digest_data); i++) { - destroy_digest_method(digest_data[i].nid); -+ OPENSSL_free(digest_driver_info[i].driver_name); -+ digest_driver_info[i].driver_name = NULL; -+ } - } - - static int devcrypto_digests(ENGINE *e, const EVP_MD **digest, -@@ -939,6 +993,43 @@ static int cryptodev_select_digest_cb(co - return 1; - } - -+static void dump_digest_info(void) -+{ -+ size_t i; -+ const char *name; -+ -+ fprintf (stderr, "Information about digests supported by the /dev/crypto" -+ " engine:\n"); -+#ifndef CIOCGSESSINFO -+ fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n"); -+#endif -+ -+ for (i = 0; i < OSSL_NELEM(digest_data); i++) { -+ name = OBJ_nid2sn(digest_data[i].nid); -+ fprintf (stderr, "Digest %s, NID=%d, /dev/crypto info: id=%d, driver=%s", -+ name ? name : "unknown", digest_data[i].nid, -+ digest_data[i].devcryptoid, -+ digest_driver_info[i].driver_name ? digest_driver_info[i].driver_name : "unknown"); -+ if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION) { -+ fprintf (stderr, ". CIOCGSESSION (session open) failed\n"); -+ continue; -+ } -+ if (digest_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED) -+ fprintf(stderr, " (hw accelerated)"); -+ else if (digest_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED) -+ fprintf(stderr, " (software)"); -+ else -+ fprintf(stderr, " (acceleration status unknown)"); -+ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE) -+ fprintf (stderr, ". 
Cipher setup failed\n"); -+ else if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCCPHASH) -+ fprintf(stderr, ", CIOCCPHASH failed\n"); -+ else -+ fprintf(stderr, ", CIOCCPHASH capable\n"); -+ } -+ fprintf(stderr, "\n"); -+} -+ - #endif - - /****************************************************************************** -@@ -983,6 +1074,11 @@ static const ENGINE_CMD_DEFN devcrypto_c - ENGINE_CMD_FLAG_STRING}, - #endif - -+ {DEVCRYPTO_CMD_DUMP_INFO, -+ "DUMP_INFO", -+ "dump info about each algorithm to stderr; use 'openssl engine -pre DUMP_INFO devcrypto'", -+ ENGINE_CMD_FLAG_NO_INPUT}, -+ - {0, NULL, NULL, 0} - }; - -@@ -1051,6 +1147,13 @@ static int devcrypto_ctrl(ENGINE *e, int - return 1; - #endif /* IMPLEMENT_DIGEST */ - -+ case DEVCRYPTO_CMD_DUMP_INFO: -+ dump_cipher_info(); -+#ifdef IMPLEMENT_DIGEST -+ dump_digest_info(); -+#endif -+ return 1; -+ - default: - break; - } diff --git a/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch b/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch deleted file mode 100644 index 00c74972a..000000000 --- a/openssl/patches/430-e_devcrypto-make-the-dev-crypto-engine-dynamic.patch +++ /dev/null 
@@ -1,2718 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Eneas U de Queiroz -Date: Tue, 6 Nov 2018 10:57:03 -0200 -Subject: e_devcrypto: make the /dev/crypto engine dynamic - -Engine has been moved from crypto/engine/eng_devcrypto.c to -engines/e_devcrypto.c. - -Signed-off-by: Eneas U de Queiroz - ---- a/crypto/engine/build.info -+++ b/crypto/engine/build.info -@@ -6,6 +6,3 @@ SOURCE[../../libcrypto]=\ - tb_cipher.c tb_digest.c tb_pkmeth.c tb_asnmth.c tb_eckey.c \ - eng_openssl.c eng_cnf.c eng_dyn.c \ - eng_rdrand.c --IF[{- !$disabled{devcryptoeng} -}] -- SOURCE[../../libcrypto]=eng_devcrypto.c --ENDIF ---- a/crypto/init.c -+++ b/crypto/init.c -@@ -328,18 +328,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_ - engine_load_openssl_int(); - return 1; - } --# ifndef OPENSSL_NO_DEVCRYPTOENG --static CRYPTO_ONCE engine_devcrypto = CRYPTO_ONCE_STATIC_INIT; --DEFINE_RUN_ONCE_STATIC(ossl_init_engine_devcrypto) --{ --# ifdef OPENSSL_INIT_DEBUG -- fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_devcrypto: " -- "engine_load_devcrypto_int()\n"); --# endif -- engine_load_devcrypto_int(); -- return 1; --} --# endif - - # ifndef OPENSSL_NO_RDRAND - static CRYPTO_ONCE engine_rdrand = CRYPTO_ONCE_STATIC_INIT; -@@ -364,6 +352,18 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_engine_ - return 1; - } - # ifndef OPENSSL_NO_STATIC_ENGINE -+# ifndef OPENSSL_NO_DEVCRYPTOENG -+static CRYPTO_ONCE engine_devcrypto = CRYPTO_ONCE_STATIC_INIT; -+DEFINE_RUN_ONCE_STATIC(ossl_init_engine_devcrypto) -+{ -+# ifdef OPENSSL_INIT_DEBUG -+ fprintf(stderr, "OPENSSL_INIT: ossl_init_engine_devcrypto: " -+ "engine_load_devcrypto_int()\n"); -+# endif -+ engine_load_devcrypto_int(); -+ return 1; -+} -+# endif - # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) - static CRYPTO_ONCE engine_padlock = CRYPTO_ONCE_STATIC_INIT; - DEFINE_RUN_ONCE_STATIC(ossl_init_engine_padlock) -@@ -704,11 +704,6 @@ int OPENSSL_init_crypto(uint64_t opts, c - if ((opts & 
OPENSSL_INIT_ENGINE_OPENSSL) - && !RUN_ONCE(&engine_openssl, ossl_init_engine_openssl)) - return 0; --# if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_DEVCRYPTOENG) -- if ((opts & OPENSSL_INIT_ENGINE_CRYPTODEV) -- && !RUN_ONCE(&engine_devcrypto, ossl_init_engine_devcrypto)) -- return 0; --# endif - # ifndef OPENSSL_NO_RDRAND - if ((opts & OPENSSL_INIT_ENGINE_RDRAND) - && !RUN_ONCE(&engine_rdrand, ossl_init_engine_rdrand)) -@@ -718,6 +713,11 @@ int OPENSSL_init_crypto(uint64_t opts, c - && !RUN_ONCE(&engine_dynamic, ossl_init_engine_dynamic)) - return 0; - # ifndef OPENSSL_NO_STATIC_ENGINE -+# ifndef OPENSSL_NO_DEVCRYPTOENG -+ if ((opts & OPENSSL_INIT_ENGINE_CRYPTODEV) -+ && !RUN_ONCE(&engine_devcrypto, ossl_init_engine_devcrypto)) -+ return 0; -+# endif - # if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) - if ((opts & OPENSSL_INIT_ENGINE_PADLOCK) - && !RUN_ONCE(&engine_padlock, ossl_init_engine_padlock)) ---- a/engines/build.info -+++ b/engines/build.info -@@ -11,6 +11,9 @@ IF[{- !$disabled{"engine"} -}] - IF[{- !$disabled{afalgeng} -}] - SOURCE[../libcrypto]=e_afalg.c - ENDIF -+ IF[{- !$disabled{"devcryptoeng"} -}] -+ SOURCE[../libcrypto]=e_devcrypto.c -+ ENDIF - ELSE - IF[{- !$disabled{hw} && !$disabled{'hw-padlock'} -}] - ENGINES=padlock -@@ -30,6 +33,12 @@ IF[{- !$disabled{"engine"} -}] - DEPEND[afalg]=../libcrypto - INCLUDE[afalg]= ../include - ENDIF -+ IF[{- !$disabled{"devcryptoeng"} -}] -+ ENGINES=devcrypto -+ SOURCE[devcrypto]=e_devcrypto.c -+ DEPEND[devcrypto]=../libcrypto -+ INCLUDE[devcrypto]=../include -+ ENDIF - - ENGINES_NO_INST=ossltest dasync - SOURCE[dasync]=e_dasync.c ---- a/crypto/engine/eng_devcrypto.c -+++ /dev/null -@@ -1,1277 +0,0 @@ --/* -- * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. -- * -- * Licensed under the OpenSSL license (the "License"). You may not use -- * this file except in compliance with the License. 
You can obtain a copy -- * in the file LICENSE in the source distribution or at -- * https://www.openssl.org/source/license.html -- */ -- --#include "e_os.h" --#include --#include --#include --#include --#include --#include --#include -- --#include --#include --#include --#include --#include --#include -- --#include "crypto/engine.h" -- --/* #define ENGINE_DEVCRYPTO_DEBUG */ -- --#if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX --# define CHECK_BSD_STYLE_MACROS --#endif -- --/* -- * ONE global file descriptor for all sessions. This allows operations -- * such as digest session data copying (see digest_copy()), but is also -- * saner... why re-open /dev/crypto for every session? -- */ --static int cfd; --#define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */ --#define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */ --#define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */ -- --#define DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS DEVCRYPTO_REJECT_SOFTWARE --static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS; -- --/* -- * cipher/digest status & acceleration definitions -- * Make sure the defaults are set to 0 -- */ --struct driver_info_st { -- enum devcrypto_status_t { -- DEVCRYPTO_STATUS_FAILURE = -3, /* unusable for other reason */ -- DEVCRYPTO_STATUS_NO_CIOCCPHASH = -2, /* hash state copy not supported */ -- DEVCRYPTO_STATUS_NO_CIOCGSESSION = -1, /* session open failed */ -- DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */ -- DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */ -- } status; -- -- enum devcrypto_accelerated_t { -- DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */ -- DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */ -- DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */ -- } accelerated; -- -- char *driver_name; --}; -- --static int clean_devcrypto_session(struct session_op *sess) { -- if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) { -- SYSerr(SYS_F_IOCTL, 
errno); -- return 0; -- } -- memset(sess, 0, sizeof(struct session_op)); -- return 1; --} -- --/****************************************************************************** -- * -- * Ciphers -- * -- * Because they all do the same basic operation, we have only one set of -- * method functions for them all to share, and a mapping table between -- * NIDs and cryptodev IDs, with all the necessary size data. -- * -- *****/ -- --struct cipher_ctx { -- struct session_op sess; -- int op; /* COP_ENCRYPT or COP_DECRYPT */ -- unsigned long mode; /* EVP_CIPH_*_MODE */ -- -- /* to handle ctr mode being a stream cipher */ -- unsigned char partial[EVP_MAX_BLOCK_LENGTH]; -- unsigned int blocksize, num; --}; -- --static const struct cipher_data_st { -- int nid; -- int blocksize; -- int keylen; -- int ivlen; -- int flags; -- int devcryptoid; --} cipher_data[] = { --#ifndef OPENSSL_NO_DES -- { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC }, -- { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC }, --#endif --#ifndef OPENSSL_NO_BF -- { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC }, --#endif --#ifndef OPENSSL_NO_CAST -- { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC }, --#endif -- { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, -- { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, -- { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC }, --#ifndef OPENSSL_NO_RC4 -- { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4 }, --#endif --#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_CTR) -- { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, -- { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, -- { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR }, --#endif --#if 0 /* Not yet supported */ -- { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS }, -- { NID_aes_256_xts, 16, 256 
/ 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS }, --#endif --#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB) -- { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, -- { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, -- { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB }, --#endif --#if 0 /* Not yet supported */ -- { NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, -- { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, -- { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM }, --#endif --#ifndef OPENSSL_NO_CAMELLIA -- { NID_camellia_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, -- CRYPTO_CAMELLIA_CBC }, -- { NID_camellia_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, -- CRYPTO_CAMELLIA_CBC }, -- { NID_camellia_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, -- CRYPTO_CAMELLIA_CBC }, --#endif --}; -- --static size_t find_cipher_data_index(int nid) --{ -- size_t i; -- -- for (i = 0; i < OSSL_NELEM(cipher_data); i++) -- if (nid == cipher_data[i].nid) -- return i; -- return (size_t)-1; --} -- --static size_t get_cipher_data_index(int nid) --{ -- size_t i = find_cipher_data_index(nid); -- -- if (i != (size_t)-1) -- return i; -- -- /* -- * Code further down must make sure that only NIDs in the table above -- * are used. If any other NID reaches this function, there's a grave -- * coding error further down. -- */ -- assert("Code that never should be reached" == NULL); -- return -1; --} -- --static const struct cipher_data_st *get_cipher_data(int nid) --{ -- return &cipher_data[get_cipher_data_index(nid)]; --} -- --/* -- * Following are the three necessary functions to map OpenSSL functionality -- * with cryptodev. 
-- */ -- --static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, -- const unsigned char *iv, int enc) --{ -- struct cipher_ctx *cipher_ctx = -- (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); -- const struct cipher_data_st *cipher_d = -- get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); -- -- /* cleanup a previous session */ -- if (cipher_ctx->sess.ses != 0 && -- clean_devcrypto_session(&cipher_ctx->sess) == 0) -- return 0; -- -- cipher_ctx->sess.cipher = cipher_d->devcryptoid; -- cipher_ctx->sess.keylen = cipher_d->keylen; -- cipher_ctx->sess.key = (void *)key; -- cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT; -- cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE; -- cipher_ctx->blocksize = cipher_d->blocksize; -- if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) { -- SYSerr(SYS_F_IOCTL, errno); -- return 0; -- } -- -- return 1; --} -- --static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -- const unsigned char *in, size_t inl) --{ -- struct cipher_ctx *cipher_ctx = -- (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); -- struct crypt_op cryp; -- unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx); --#if !defined(COP_FLAG_WRITE_IV) -- unsigned char saved_iv[EVP_MAX_IV_LENGTH]; -- const unsigned char *ivptr; -- size_t nblocks, ivlen; --#endif -- -- memset(&cryp, 0, sizeof(cryp)); -- cryp.ses = cipher_ctx->sess.ses; -- cryp.len = inl; -- cryp.src = (void *)in; -- cryp.dst = (void *)out; -- cryp.iv = (void *)iv; -- cryp.op = cipher_ctx->op; --#if !defined(COP_FLAG_WRITE_IV) -- cryp.flags = 0; -- -- ivlen = EVP_CIPHER_CTX_iv_length(ctx); -- if (ivlen > 0) -- switch (cipher_ctx->mode) { -- case EVP_CIPH_CBC_MODE: -- assert(inl >= ivlen); -- if (!EVP_CIPHER_CTX_encrypting(ctx)) { -- ivptr = in + inl - ivlen; -- memcpy(saved_iv, ivptr, ivlen); -- } -- break; -- -- case EVP_CIPH_CTR_MODE: -- break; -- -- default: /* should not happen */ -- return 0; -- } --#else -- cryp.flags = COP_FLAG_WRITE_IV; --#endif -- -- if (ioctl(cfd, 
CIOCCRYPT, &cryp) < 0) { -- SYSerr(SYS_F_IOCTL, errno); -- return 0; -- } -- --#if !defined(COP_FLAG_WRITE_IV) -- if (ivlen > 0) -- switch (cipher_ctx->mode) { -- case EVP_CIPH_CBC_MODE: -- assert(inl >= ivlen); -- if (EVP_CIPHER_CTX_encrypting(ctx)) -- ivptr = out + inl - ivlen; -- else -- ivptr = saved_iv; -- -- memcpy(iv, ivptr, ivlen); -- break; -- -- case EVP_CIPH_CTR_MODE: -- nblocks = (inl + cipher_ctx->blocksize - 1) -- / cipher_ctx->blocksize; -- do { -- ivlen--; -- nblocks += iv[ivlen]; -- iv[ivlen] = (uint8_t) nblocks; -- nblocks >>= 8; -- } while (ivlen); -- break; -- -- default: /* should not happen */ -- return 0; -- } --#endif -- -- return 1; --} -- --static int ctr_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -- const unsigned char *in, size_t inl) --{ -- struct cipher_ctx *cipher_ctx = -- (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); -- size_t nblocks, len; -- -- /* initial partial block */ -- while (cipher_ctx->num && inl) { -- (*out++) = *(in++) ^ cipher_ctx->partial[cipher_ctx->num]; -- --inl; -- cipher_ctx->num = (cipher_ctx->num + 1) % cipher_ctx->blocksize; -- } -- -- /* full blocks */ -- if (inl > (unsigned int) cipher_ctx->blocksize) { -- nblocks = inl/cipher_ctx->blocksize; -- len = nblocks * cipher_ctx->blocksize; -- if (cipher_do_cipher(ctx, out, in, len) < 1) -- return 0; -- inl -= len; -- out += len; -- in += len; -- } -- -- /* final partial block */ -- if (inl) { -- memset(cipher_ctx->partial, 0, cipher_ctx->blocksize); -- if (cipher_do_cipher(ctx, cipher_ctx->partial, cipher_ctx->partial, -- cipher_ctx->blocksize) < 1) -- return 0; -- while (inl--) { -- out[cipher_ctx->num] = in[cipher_ctx->num] -- ^ cipher_ctx->partial[cipher_ctx->num]; -- cipher_ctx->num++; -- } -- } -- -- return 1; --} -- --static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2) --{ -- struct cipher_ctx *cipher_ctx = -- (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); -- EVP_CIPHER_CTX *to_ctx = (EVP_CIPHER_CTX *)p2; -- 
struct cipher_ctx *to_cipher_ctx; -- -- switch (type) { -- case EVP_CTRL_COPY: -- if (cipher_ctx == NULL) -- return 1; -- /* when copying the context, a new session needs to be initialized */ -- to_cipher_ctx = -- (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(to_ctx); -- memset(&to_cipher_ctx->sess, 0, sizeof(to_cipher_ctx->sess)); -- return cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx), -- (cipher_ctx->op == COP_ENCRYPT)); -- -- case EVP_CTRL_INIT: -- memset(&cipher_ctx->sess, 0, sizeof(cipher_ctx->sess)); -- return 1; -- -- default: -- break; -- } -- -- return -1; --} -- --static int cipher_cleanup(EVP_CIPHER_CTX *ctx) --{ -- struct cipher_ctx *cipher_ctx = -- (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx); -- -- return clean_devcrypto_session(&cipher_ctx->sess); --} -- --/* -- * Keep tables of known nids, associated methods, selected ciphers, and driver -- * info. -- * Note that known_cipher_nids[] isn't necessarily indexed the same way as -- * cipher_data[] above, which the other tables are. 
-- */ --static int known_cipher_nids[OSSL_NELEM(cipher_data)]; --static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */ --static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, }; --static int selected_ciphers[OSSL_NELEM(cipher_data)]; --static struct driver_info_st cipher_driver_info[OSSL_NELEM(cipher_data)]; -- -- --static int devcrypto_test_cipher(size_t cipher_data_index) --{ -- return (cipher_driver_info[cipher_data_index].status == DEVCRYPTO_STATUS_USABLE -- && selected_ciphers[cipher_data_index] == 1 -- && (cipher_driver_info[cipher_data_index].accelerated -- == DEVCRYPTO_ACCELERATED -- || use_softdrivers == DEVCRYPTO_USE_SOFTWARE -- || (cipher_driver_info[cipher_data_index].accelerated -- != DEVCRYPTO_NOT_ACCELERATED -- && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE))); --} -- --static void prepare_cipher_methods(void) --{ -- size_t i; -- struct session_op sess; -- unsigned long cipher_mode; --#ifdef CIOCGSESSINFO -- struct session_info_op siop; --#endif -- -- memset(&cipher_driver_info, 0, sizeof(cipher_driver_info)); -- -- memset(&sess, 0, sizeof(sess)); -- sess.key = (void *)"01234567890123456789012345678901234567890123456789"; -- -- for (i = 0, known_cipher_nids_amount = 0; -- i < OSSL_NELEM(cipher_data); i++) { -- -- selected_ciphers[i] = 1; -- /* -- * Check that the cipher is usable -- */ -- sess.cipher = cipher_data[i].devcryptoid; -- sess.keylen = cipher_data[i].keylen; -- if (ioctl(cfd, CIOCGSESSION, &sess) < 0) { -- cipher_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; -- continue; -- } -- -- cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE; -- -- if ((known_cipher_methods[i] = -- EVP_CIPHER_meth_new(cipher_data[i].nid, -- cipher_mode == EVP_CIPH_CTR_MODE ? 
1 : -- cipher_data[i].blocksize, -- cipher_data[i].keylen)) == NULL -- || !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i], -- cipher_data[i].ivlen) -- || !EVP_CIPHER_meth_set_flags(known_cipher_methods[i], -- cipher_data[i].flags -- | EVP_CIPH_CUSTOM_COPY -- | EVP_CIPH_CTRL_INIT -- | EVP_CIPH_FLAG_DEFAULT_ASN1) -- || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init) -- || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i], -- cipher_mode == EVP_CIPH_CTR_MODE ? -- ctr_do_cipher : -- cipher_do_cipher) -- || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl) -- || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i], -- cipher_cleanup) -- || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i], -- sizeof(struct cipher_ctx))) { -- cipher_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; -- EVP_CIPHER_meth_free(known_cipher_methods[i]); -- known_cipher_methods[i] = NULL; -- } else { -- cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; --#ifdef CIOCGSESSINFO -- siop.ses = sess.ses; -- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { -- cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; -- } else { -- cipher_driver_info[i].driver_name = -- OPENSSL_strndup(siop.cipher_info.cra_driver_name, -- CRYPTODEV_MAX_ALG_NAME); -- if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY)) -- cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; -- else -- cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; -- } --#endif /* CIOCGSESSINFO */ -- } -- ioctl(cfd, CIOCFSESSION, &sess.ses); -- if (devcrypto_test_cipher(i)) { -- known_cipher_nids[known_cipher_nids_amount++] = -- cipher_data[i].nid; -- } -- } --} -- --static void rebuild_known_cipher_nids(ENGINE *e) --{ -- size_t i; -- -- for (i = 0, known_cipher_nids_amount = 0; i < OSSL_NELEM(cipher_data); i++) { -- if (devcrypto_test_cipher(i)) -- known_cipher_nids[known_cipher_nids_amount++] = cipher_data[i].nid; -- } -- ENGINE_unregister_ciphers(e); -- 
ENGINE_register_ciphers(e); --} -- --static const EVP_CIPHER *get_cipher_method(int nid) --{ -- size_t i = get_cipher_data_index(nid); -- -- if (i == (size_t)-1) -- return NULL; -- return known_cipher_methods[i]; --} -- --static int get_cipher_nids(const int **nids) --{ -- *nids = known_cipher_nids; -- return known_cipher_nids_amount; --} -- --static void destroy_cipher_method(int nid) --{ -- size_t i = get_cipher_data_index(nid); -- -- EVP_CIPHER_meth_free(known_cipher_methods[i]); -- known_cipher_methods[i] = NULL; --} -- --static void destroy_all_cipher_methods(void) --{ -- size_t i; -- -- for (i = 0; i < OSSL_NELEM(cipher_data); i++) { -- destroy_cipher_method(cipher_data[i].nid); -- OPENSSL_free(cipher_driver_info[i].driver_name); -- cipher_driver_info[i].driver_name = NULL; -- } --} -- --static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, -- const int **nids, int nid) --{ -- if (cipher == NULL) -- return get_cipher_nids(nids); -- -- *cipher = get_cipher_method(nid); -- -- return *cipher != NULL; --} -- --static void devcrypto_select_all_ciphers(int *cipher_list) --{ -- size_t i; -- -- for (i = 0; i < OSSL_NELEM(cipher_data); i++) -- cipher_list[i] = 1; --} -- --static int cryptodev_select_cipher_cb(const char *str, int len, void *usr) --{ -- int *cipher_list = (int *)usr; -- char *name; -- const EVP_CIPHER *EVP; -- size_t i; -- -- if (len == 0) -- return 1; -- if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL) -- return 0; -- EVP = EVP_get_cipherbyname(name); -- if (EVP == NULL) -- fprintf(stderr, "devcrypto: unknown cipher %s\n", name); -- else if ((i = find_cipher_data_index(EVP_CIPHER_nid(EVP))) != (size_t)-1) -- cipher_list[i] = 1; -- else -- fprintf(stderr, "devcrypto: cipher %s not available\n", name); -- OPENSSL_free(name); -- return 1; --} -- --static void dump_cipher_info(void) --{ -- size_t i; -- const char *name; -- -- fprintf (stderr, "Information about ciphers supported by the /dev/crypto" -- " engine:\n"); --#ifndef 
CIOCGSESSINFO -- fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n"); --#endif -- for (i = 0; i < OSSL_NELEM(cipher_data); i++) { -- name = OBJ_nid2sn(cipher_data[i].nid); -- fprintf (stderr, "Cipher %s, NID=%d, /dev/crypto info: id=%d, ", -- name ? name : "unknown", cipher_data[i].nid, -- cipher_data[i].devcryptoid); -- if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION ) { -- fprintf (stderr, "CIOCGSESSION (session open call) failed\n"); -- continue; -- } -- fprintf (stderr, "driver=%s ", cipher_driver_info[i].driver_name ? -- cipher_driver_info[i].driver_name : "unknown"); -- if (cipher_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED) -- fprintf(stderr, "(hw accelerated)"); -- else if (cipher_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED) -- fprintf(stderr, "(software)"); -- else -- fprintf(stderr, "(acceleration status unknown)"); -- if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE) -- fprintf (stderr, ". Cipher setup failed"); -- fprintf(stderr, "\n"); -- } -- fprintf(stderr, "\n"); --} -- --/* -- * We only support digests if the cryptodev implementation supports multiple -- * data updates and session copying. Otherwise, we would be forced to maintain -- * a cache, which is perilous if there's a lot of data coming in (if someone -- * wants to checksum an OpenSSL tarball, for example). -- */ --#if defined(CIOCCPHASH) && defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL) --#define IMPLEMENT_DIGEST -- --/****************************************************************************** -- * -- * Digests -- * -- * Because they all do the same basic operation, we have only one set of -- * method functions for them all to share, and a mapping table between -- * NIDs and cryptodev IDs, with all the necessary size data. -- * -- *****/ -- --struct digest_ctx { -- struct session_op sess; -- /* This signals that the init function was called, not that it succeeded. 
*/ -- int init_called; -- unsigned char digest_res[HASH_MAX_LEN]; --}; -- --static const struct digest_data_st { -- int nid; -- int blocksize; -- int digestlen; -- int devcryptoid; --} digest_data[] = { --#ifndef OPENSSL_NO_MD5 -- { NID_md5, /* MD5_CBLOCK */ 64, 16, CRYPTO_MD5 }, --#endif -- { NID_sha1, SHA_CBLOCK, 20, CRYPTO_SHA1 }, --#ifndef OPENSSL_NO_RMD160 --# if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_RIPEMD160) -- { NID_ripemd160, /* RIPEMD160_CBLOCK */ 64, 20, CRYPTO_RIPEMD160 }, --# endif --#endif --#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_224) -- { NID_sha224, SHA256_CBLOCK, 224 / 8, CRYPTO_SHA2_224 }, --#endif --#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_256) -- { NID_sha256, SHA256_CBLOCK, 256 / 8, CRYPTO_SHA2_256 }, --#endif --#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_384) -- { NID_sha384, SHA512_CBLOCK, 384 / 8, CRYPTO_SHA2_384 }, --#endif --#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_512) -- { NID_sha512, SHA512_CBLOCK, 512 / 8, CRYPTO_SHA2_512 }, --#endif --}; -- --static size_t find_digest_data_index(int nid) --{ -- size_t i; -- -- for (i = 0; i < OSSL_NELEM(digest_data); i++) -- if (nid == digest_data[i].nid) -- return i; -- return (size_t)-1; --} -- --static size_t get_digest_data_index(int nid) --{ -- size_t i = find_digest_data_index(nid); -- -- if (i != (size_t)-1) -- return i; -- -- /* -- * Code further down must make sure that only NIDs in the table above -- * are used. If any other NID reaches this function, there's a grave -- * coding error further down. -- */ -- assert("Code that never should be reached" == NULL); -- return -1; --} -- --static const struct digest_data_st *get_digest_data(int nid) --{ -- return &digest_data[get_digest_data_index(nid)]; --} -- --/* -- * Following are the five necessary functions to map OpenSSL functionality -- * with cryptodev: init, update, final, cleanup, and copy. 
-- */ -- --static int digest_init(EVP_MD_CTX *ctx) --{ -- struct digest_ctx *digest_ctx = -- (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); -- const struct digest_data_st *digest_d = -- get_digest_data(EVP_MD_CTX_type(ctx)); -- -- digest_ctx->init_called = 1; -- -- memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess)); -- digest_ctx->sess.mac = digest_d->devcryptoid; -- if (ioctl(cfd, CIOCGSESSION, &digest_ctx->sess) < 0) { -- SYSerr(SYS_F_IOCTL, errno); -- return 0; -- } -- -- return 1; --} -- --static int digest_op(struct digest_ctx *ctx, const void *src, size_t srclen, -- void *res, unsigned int flags) --{ -- struct crypt_op cryp; -- -- memset(&cryp, 0, sizeof(cryp)); -- cryp.ses = ctx->sess.ses; -- cryp.len = srclen; -- cryp.src = (void *)src; -- cryp.dst = NULL; -- cryp.mac = res; -- cryp.flags = flags; -- return ioctl(cfd, CIOCCRYPT, &cryp); --} -- --static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count) --{ -- struct digest_ctx *digest_ctx = -- (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); -- -- if (count == 0) -- return 1; -- -- if (digest_ctx == NULL) -- return 0; -- -- if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) { -- if (digest_op(digest_ctx, data, count, digest_ctx->digest_res, 0) >= 0) -- return 1; -- } else if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) >= 0) { -- return 1; -- } -- -- SYSerr(SYS_F_IOCTL, errno); -- return 0; --} -- --static int digest_final(EVP_MD_CTX *ctx, unsigned char *md) --{ -- struct digest_ctx *digest_ctx = -- (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); -- -- if (md == NULL || digest_ctx == NULL) -- return 0; -- -- if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) { -- memcpy(md, digest_ctx->digest_res, EVP_MD_CTX_size(ctx)); -- } else if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) { -- SYSerr(SYS_F_IOCTL, errno); -- return 0; -- } -- -- return 1; --} -- --static int digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from) --{ -- struct digest_ctx *digest_from = -- 
(struct digest_ctx *)EVP_MD_CTX_md_data(from); -- struct digest_ctx *digest_to = -- (struct digest_ctx *)EVP_MD_CTX_md_data(to); -- struct cphash_op cphash; -- -- if (digest_from == NULL || digest_from->init_called != 1) -- return 1; -- -- if (!digest_init(to)) { -- SYSerr(SYS_F_IOCTL, errno); -- return 0; -- } -- -- cphash.src_ses = digest_from->sess.ses; -- cphash.dst_ses = digest_to->sess.ses; -- if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { -- SYSerr(SYS_F_IOCTL, errno); -- return 0; -- } -- return 1; --} -- --static int digest_cleanup(EVP_MD_CTX *ctx) --{ -- struct digest_ctx *digest_ctx = -- (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); -- -- if (digest_ctx == NULL) -- return 1; -- -- return clean_devcrypto_session(&digest_ctx->sess); --} -- --/* -- * Keep tables of known nids, associated methods, selected digests, and -- * driver info. -- * Note that known_digest_nids[] isn't necessarily indexed the same way as -- * digest_data[] above, which the other tables are. -- */ --static int known_digest_nids[OSSL_NELEM(digest_data)]; --static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */ --static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, }; --static int selected_digests[OSSL_NELEM(digest_data)]; --static struct driver_info_st digest_driver_info[OSSL_NELEM(digest_data)]; -- --static int devcrypto_test_digest(size_t digest_data_index) --{ -- return (digest_driver_info[digest_data_index].status == DEVCRYPTO_STATUS_USABLE -- && selected_digests[digest_data_index] == 1 -- && (digest_driver_info[digest_data_index].accelerated -- == DEVCRYPTO_ACCELERATED -- || use_softdrivers == DEVCRYPTO_USE_SOFTWARE -- || (digest_driver_info[digest_data_index].accelerated -- != DEVCRYPTO_NOT_ACCELERATED -- && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE))); --} -- --static void rebuild_known_digest_nids(ENGINE *e) --{ -- size_t i; -- -- for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); i++) { -- if 
(devcrypto_test_digest(i)) -- known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; -- } -- ENGINE_unregister_digests(e); -- ENGINE_register_digests(e); --} -- --static void prepare_digest_methods(void) --{ -- size_t i; -- struct session_op sess1, sess2; --#ifdef CIOCGSESSINFO -- struct session_info_op siop; --#endif -- struct cphash_op cphash; -- -- memset(&digest_driver_info, 0, sizeof(digest_driver_info)); -- -- memset(&sess1, 0, sizeof(sess1)); -- memset(&sess2, 0, sizeof(sess2)); -- -- for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); -- i++) { -- -- selected_digests[i] = 1; -- -- /* -- * Check that the digest is usable -- */ -- sess1.mac = digest_data[i].devcryptoid; -- sess2.ses = 0; -- if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) { -- digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; -- goto finish; -- } -- --#ifdef CIOCGSESSINFO -- /* gather hardware acceleration info from the driver */ -- siop.ses = sess1.ses; -- if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) { -- digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; -- } else { -- digest_driver_info[i].driver_name = -- OPENSSL_strndup(siop.hash_info.cra_driver_name, -- CRYPTODEV_MAX_ALG_NAME); -- if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) -- digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; -- else -- digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; -- } --#endif -- -- /* digest must be capable of hash state copy */ -- sess2.mac = sess1.mac; -- if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) { -- digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; -- goto finish; -- } -- cphash.src_ses = sess1.ses; -- cphash.dst_ses = sess2.ses; -- if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { -- digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCCPHASH; -- goto finish; -- } -- if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid, -- NID_undef)) == NULL -- || !EVP_MD_meth_set_input_blocksize(known_digest_methods[i], -- 
digest_data[i].blocksize) -- || !EVP_MD_meth_set_result_size(known_digest_methods[i], -- digest_data[i].digestlen) -- || !EVP_MD_meth_set_init(known_digest_methods[i], digest_init) -- || !EVP_MD_meth_set_update(known_digest_methods[i], digest_update) -- || !EVP_MD_meth_set_final(known_digest_methods[i], digest_final) -- || !EVP_MD_meth_set_copy(known_digest_methods[i], digest_copy) -- || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup) -- || !EVP_MD_meth_set_app_datasize(known_digest_methods[i], -- sizeof(struct digest_ctx))) { -- digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; -- EVP_MD_meth_free(known_digest_methods[i]); -- known_digest_methods[i] = NULL; -- goto finish; -- } -- digest_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; --finish: -- ioctl(cfd, CIOCFSESSION, &sess1.ses); -- if (sess2.ses != 0) -- ioctl(cfd, CIOCFSESSION, &sess2.ses); -- if (devcrypto_test_digest(i)) -- known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; -- } --} -- --static const EVP_MD *get_digest_method(int nid) --{ -- size_t i = get_digest_data_index(nid); -- -- if (i == (size_t)-1) -- return NULL; -- return known_digest_methods[i]; --} -- --static int get_digest_nids(const int **nids) --{ -- *nids = known_digest_nids; -- return known_digest_nids_amount; --} -- --static void destroy_digest_method(int nid) --{ -- size_t i = get_digest_data_index(nid); -- -- EVP_MD_meth_free(known_digest_methods[i]); -- known_digest_methods[i] = NULL; --} -- --static void destroy_all_digest_methods(void) --{ -- size_t i; -- -- for (i = 0; i < OSSL_NELEM(digest_data); i++) { -- destroy_digest_method(digest_data[i].nid); -- OPENSSL_free(digest_driver_info[i].driver_name); -- digest_driver_info[i].driver_name = NULL; -- } --} -- --static int devcrypto_digests(ENGINE *e, const EVP_MD **digest, -- const int **nids, int nid) --{ -- if (digest == NULL) -- return get_digest_nids(nids); -- -- *digest = get_digest_method(nid); -- -- return *digest != NULL; --} -- 
--static void devcrypto_select_all_digests(int *digest_list)
--{
-- size_t i;
--
-- for (i = 0; i < OSSL_NELEM(digest_data); i++)
-- digest_list[i] = 1;
--}
--
--static int cryptodev_select_digest_cb(const char *str, int len, void *usr)
--{
-- int *digest_list = (int *)usr;
-- char *name;
-- const EVP_MD *EVP;
-- size_t i;
--
-- if (len == 0)
-- return 1;
-- if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL)
-- return 0;
-- EVP = EVP_get_digestbyname(name);
-- if (EVP == NULL)
-- fprintf(stderr, "devcrypto: unknown digest %s\n", name);
-- else if ((i = find_digest_data_index(EVP_MD_type(EVP))) != (size_t)-1)
-- digest_list[i] = 1;
-- else
-- fprintf(stderr, "devcrypto: digest %s not available\n", name);
-- OPENSSL_free(name);
-- return 1;
--}
--
--static void dump_digest_info(void)
--{
-- size_t i;
-- const char *name;
--
-- fprintf (stderr, "Information about digests supported by the /dev/crypto"
-- " engine:\n");
--#ifndef CIOCGSESSINFO
-- fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n");
--#endif
--
-- for (i = 0; i < OSSL_NELEM(digest_data); i++) {
-- name = OBJ_nid2sn(digest_data[i].nid);
-- fprintf (stderr, "Digest %s, NID=%d, /dev/crypto info: id=%d, driver=%s",
-- name ? name : "unknown", digest_data[i].nid,
-- digest_data[i].devcryptoid,
-- digest_driver_info[i].driver_name ? digest_driver_info[i].driver_name : "unknown");
-- if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION) {
-- fprintf (stderr, ". CIOCGSESSION (session open) failed\n");
-- continue;
-- }
-- if (digest_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED)
-- fprintf(stderr, " (hw accelerated)");
-- else if (digest_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED)
-- fprintf(stderr, " (software)");
-- else
-- fprintf(stderr, " (acceleration status unknown)");
-- if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE)
-- fprintf (stderr, ". 
Cipher setup failed\n");
-- else if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCCPHASH)
-- fprintf(stderr, ", CIOCCPHASH failed\n");
-- else
-- fprintf(stderr, ", CIOCCPHASH capable\n");
-- }
-- fprintf(stderr, "\n");
--}
--
--#endif
--
--/******************************************************************************
-- *
-- * CONTROL COMMANDS
-- *
-- *****/
--
--#define DEVCRYPTO_CMD_USE_SOFTDRIVERS ENGINE_CMD_BASE
--#define DEVCRYPTO_CMD_CIPHERS (ENGINE_CMD_BASE + 1)
--#define DEVCRYPTO_CMD_DIGESTS (ENGINE_CMD_BASE + 2)
--#define DEVCRYPTO_CMD_DUMP_INFO (ENGINE_CMD_BASE + 3)
--
--/* Helper macros for CPP string composition */
--#ifndef OPENSSL_MSTR
--# define OPENSSL_MSTR_HELPER(x) #x
--# define OPENSSL_MSTR(x) OPENSSL_MSTR_HELPER(x)
--#endif
--
--static const ENGINE_CMD_DEFN devcrypto_cmds[] = {
--#ifdef CIOCGSESSINFO
-- {DEVCRYPTO_CMD_USE_SOFTDRIVERS,
-- "USE_SOFTDRIVERS",
-- "specifies whether to use software (not accelerated) drivers ("
-- OPENSSL_MSTR(DEVCRYPTO_REQUIRE_ACCELERATED) "=use only accelerated drivers, "
-- OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow all drivers, "
-- OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE)
-- "=use if acceleration can't be determined) [default="
-- OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFDTRIVERS) "]",
-- ENGINE_CMD_FLAG_NUMERIC},
--#endif
--
-- {DEVCRYPTO_CMD_CIPHERS,
-- "CIPHERS",
-- "either ALL, NONE, or a comma-separated list of ciphers to enable [default=ALL]",
-- ENGINE_CMD_FLAG_STRING},
--
--#ifdef IMPLEMENT_DIGEST
-- {DEVCRYPTO_CMD_DIGESTS,
-- "DIGESTS",
-- "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]",
-- ENGINE_CMD_FLAG_STRING},
--#endif
--
-- {DEVCRYPTO_CMD_DUMP_INFO,
-- "DUMP_INFO",
-- "dump info about each algorithm to stderr; use 'openssl engine -pre DUMP_INFO devcrypto'",
-- ENGINE_CMD_FLAG_NO_INPUT},
--
-- {0, NULL, NULL, 0}
--};
--
--static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void))
--{
-- int *new_list;
-- switch (cmd) {
--#ifdef 
CIOCGSESSINFO
-- case DEVCRYPTO_CMD_USE_SOFTDRIVERS:
-- switch (i) {
-- case DEVCRYPTO_REQUIRE_ACCELERATED:
-- case DEVCRYPTO_USE_SOFTWARE:
-- case DEVCRYPTO_REJECT_SOFTWARE:
-- break;
-- default:
-- fprintf(stderr, "devcrypto: invalid value (%ld) for USE_SOFTDRIVERS\n", i);
-- return 0;
-- }
-- if (use_softdrivers == i)
-- return 1;
-- use_softdrivers = i;
--#ifdef IMPLEMENT_DIGEST
-- rebuild_known_digest_nids(e);
--#endif
-- rebuild_known_cipher_nids(e);
-- return 1;
--#endif /* CIOCGSESSINFO */
--
-- case DEVCRYPTO_CMD_CIPHERS:
-- if (p == NULL)
-- return 1;
-- if (strcasecmp((const char *)p, "ALL") == 0) {
-- devcrypto_select_all_ciphers(selected_ciphers);
-- } else if (strcasecmp((const char*)p, "NONE") == 0) {
-- memset(selected_ciphers, 0, sizeof(selected_ciphers));
-- } else {
-- new_list=OPENSSL_zalloc(sizeof(selected_ciphers));
-- if (!CONF_parse_list(p, ',', 1, cryptodev_select_cipher_cb, new_list)) {
-- OPENSSL_free(new_list);
-- return 0;
-- }
-- memcpy(selected_ciphers, new_list, sizeof(selected_ciphers));
-- OPENSSL_free(new_list);
-- }
-- rebuild_known_cipher_nids(e);
-- return 1;
--
--#ifdef IMPLEMENT_DIGEST
-- case DEVCRYPTO_CMD_DIGESTS:
-- if (p == NULL)
-- return 1;
-- if (strcasecmp((const char *)p, "ALL") == 0) {
-- devcrypto_select_all_digests(selected_digests);
-- } else if (strcasecmp((const char*)p, "NONE") == 0) {
-- memset(selected_digests, 0, sizeof(selected_digests));
-- } else {
-- new_list=OPENSSL_zalloc(sizeof(selected_digests));
-- if (!CONF_parse_list(p, ',', 1, cryptodev_select_digest_cb, new_list)) {
-- OPENSSL_free(new_list);
-- return 0;
-- }
-- memcpy(selected_digests, new_list, sizeof(selected_digests));
-- OPENSSL_free(new_list);
-- }
-- rebuild_known_digest_nids(e);
-- return 1;
--#endif /* IMPLEMENT_DIGEST */
--
-- case DEVCRYPTO_CMD_DUMP_INFO:
-- dump_cipher_info();
--#ifdef IMPLEMENT_DIGEST
-- dump_digest_info();
--#endif
-- return 1;
--
-- default:
-- break;
-- }
-- return 0;
--}
--
--/******************************************************************************
-- *
-- * LOAD / UNLOAD
-- *
-- *****/
--
--static int devcrypto_unload(ENGINE *e)
--{
-- destroy_all_cipher_methods();
--#ifdef IMPLEMENT_DIGEST
-- destroy_all_digest_methods();
--#endif
--
-- close(cfd);
--
-- return 1;
--}
--/*
-- * This engine is always built into libcrypto, so it doesn't offer any
-- * ability to be dynamically loadable.
-- */
--void engine_load_devcrypto_int()
--{
-- ENGINE *e = NULL;
-- int fd;
--
-- if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) {
--#ifndef ENGINE_DEVCRYPTO_DEBUG
-- if (errno != ENOENT)
--#endif
-- fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno));
-- return;
-- }
--
--#ifdef CRIOGET
-- if (ioctl(fd, CRIOGET, &cfd) < 0) {
-- fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno));
-- close(fd);
-- cfd = -1;
-- return;
-- }
-- close(fd);
--#else
-- cfd = fd;
--#endif
--
-- if ((e = ENGINE_new()) == NULL
-- || !ENGINE_set_destroy_function(e, devcrypto_unload)) {
-- ENGINE_free(e);
-- /*
-- * We know that devcrypto_unload() won't be called when one of the
-- * above two calls have failed, so we close cfd explicitly here to
-- * avoid leaking resources.
-- */
-- close(cfd);
-- return;
-- }
--
-- prepare_cipher_methods();
--#ifdef IMPLEMENT_DIGEST
-- prepare_digest_methods();
--#endif
--
-- if (!ENGINE_set_id(e, "devcrypto")
-- || !ENGINE_set_name(e, "/dev/crypto engine")
-- || !ENGINE_set_cmd_defns(e, devcrypto_cmds)
-- || !ENGINE_set_ctrl_function(e, devcrypto_ctrl)
--
--/*
-- * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD
-- * implementations, it seems to only exist in FreeBSD, and regarding the
-- * parameters in its crypt_kop, the manual crypto(4) has this to say:
-- *
-- * The semantics of these arguments are currently undocumented.
-- *
-- * Reading through the FreeBSD source code doesn't give much more than
-- * their CRK_MOD_EXP implementation for ubsec. 
-- *
-- * It doesn't look much better with cryptodev-linux. They have the crypt_kop
-- * structure as well as the command (CRK_*) in cryptodev.h, but no support
-- * seems to be implemented at all for the moment.
-- *
-- * At the time of writing, it seems impossible to write proper support for
-- * FreeBSD's asym features without some very deep knowledge and access to
-- * specific kernel modules.
-- *
-- * /Richard Levitte, 2017-05-11
-- */
--#if 0
--# ifndef OPENSSL_NO_RSA
-- || !ENGINE_set_RSA(e, devcrypto_rsa)
--# endif
--# ifndef OPENSSL_NO_DSA
-- || !ENGINE_set_DSA(e, devcrypto_dsa)
--# endif
--# ifndef OPENSSL_NO_DH
-- || !ENGINE_set_DH(e, devcrypto_dh)
--# endif
--# ifndef OPENSSL_NO_EC
-- || !ENGINE_set_EC(e, devcrypto_ec)
--# endif
--#endif
-- || !ENGINE_set_ciphers(e, devcrypto_ciphers)
--#ifdef IMPLEMENT_DIGEST
-- || !ENGINE_set_digests(e, devcrypto_digests)
--#endif
-- ) {
-- ENGINE_free(e);
-- return;
-- }
--
-- ENGINE_add(e);
-- ENGINE_free(e); /* Loose our local reference */
-- ERR_clear_error();
--}
---- /dev/null
-+++ b/engines/e_devcrypto.c
-@@ -0,0 +1,1327 @@
-+/*
-+ * Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the OpenSSL license (the "License"). You may not use
-+ * this file except in compliance with the License. You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#include "../e_os.h"
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#include "crypto/engine.h"
-+
-+/* #define ENGINE_DEVCRYPTO_DEBUG */
-+
-+#if CRYPTO_ALGORITHM_MIN < CRYPTO_ALGORITHM_MAX
-+# define CHECK_BSD_STYLE_MACROS
-+#endif
-+
-+#define engine_devcrypto_id "devcrypto"
-+
-+/*
-+ * ONE global file descriptor for all sessions. This allows operations
-+ * such as digest session data copying (see digest_copy()), but is also
-+ * saner... 
why re-open /dev/crypto for every session?
-+ */
-+static int cfd = -1;
-+#define DEVCRYPTO_REQUIRE_ACCELERATED 0 /* require confirmation of acceleration */
-+#define DEVCRYPTO_USE_SOFTWARE 1 /* allow software drivers */
-+#define DEVCRYPTO_REJECT_SOFTWARE 2 /* only disallow confirmed software drivers */
-+
-+#define DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS DEVCRYPTO_REJECT_SOFTWARE
-+static int use_softdrivers = DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS;
-+
-+/*
-+ * cipher/digest status & acceleration definitions
-+ * Make sure the defaults are set to 0
-+ */
-+struct driver_info_st {
-+ enum devcrypto_status_t {
-+ DEVCRYPTO_STATUS_FAILURE = -3, /* unusable for other reason */
-+ DEVCRYPTO_STATUS_NO_CIOCCPHASH = -2, /* hash state copy not supported */
-+ DEVCRYPTO_STATUS_NO_CIOCGSESSION = -1, /* session open failed */
-+ DEVCRYPTO_STATUS_UNKNOWN = 0, /* not tested yet */
-+ DEVCRYPTO_STATUS_USABLE = 1 /* algo can be used */
-+ } status;
-+
-+ enum devcrypto_accelerated_t {
-+ DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */
-+ DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */
-+ DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */
-+ } accelerated;
-+
-+ char *driver_name;
-+};
-+
-+static int clean_devcrypto_session(struct session_op *sess) {
-+ if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) {
-+ SYSerr(SYS_F_IOCTL, errno);
-+ return 0;
-+ }
-+ memset(sess, 0, sizeof(struct session_op));
-+ return 1;
-+}
-+
-+/******************************************************************************
-+ *
-+ * Ciphers
-+ *
-+ * Because they all do the same basic operation, we have only one set of
-+ * method functions for them all to share, and a mapping table between
-+ * NIDs and cryptodev IDs, with all the necessary size data. 
-+ *
-+ *****/
-+
-+struct cipher_ctx {
-+ struct session_op sess;
-+ int op; /* COP_ENCRYPT or COP_DECRYPT */
-+ unsigned long mode; /* EVP_CIPH_*_MODE */
-+
-+ /* to handle ctr mode being a stream cipher */
-+ unsigned char partial[EVP_MAX_BLOCK_LENGTH];
-+ unsigned int blocksize, num;
-+};
-+
-+static const struct cipher_data_st {
-+ int nid;
-+ int blocksize;
-+ int keylen;
-+ int ivlen;
-+ int flags;
-+ int devcryptoid;
-+} cipher_data[] = {
-+#ifndef OPENSSL_NO_DES
-+ { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, CRYPTO_DES_CBC },
-+ { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, CRYPTO_3DES_CBC },
-+#endif
-+#ifndef OPENSSL_NO_BF
-+ { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_BLF_CBC },
-+#endif
-+#ifndef OPENSSL_NO_CAST
-+ { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, CRYPTO_CAST_CBC },
-+#endif
-+ { NID_aes_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
-+ { NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
-+ { NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
-+#ifndef OPENSSL_NO_RC4
-+ { NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4 },
-+#endif
-+#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_CTR)
-+ { NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR },
-+ { NID_aes_192_ctr, 16, 192 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR },
-+ { NID_aes_256_ctr, 16, 256 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR },
-+#endif
-+#if 0 /* Not yet supported */
-+ { NID_aes_128_xts, 16, 128 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
-+ { NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
-+#endif
-+#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB)
-+ { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
-+ { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
-+ { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
-+#endif
-+#if 0 /* Not yet supported */
-+ { 
NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
-+ { NID_aes_192_gcm, 16, 192 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
-+ { NID_aes_256_gcm, 16, 256 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
-+#endif
-+#ifndef OPENSSL_NO_CAMELLIA
-+ { NID_camellia_128_cbc, 16, 128 / 8, 16, EVP_CIPH_CBC_MODE,
-+ CRYPTO_CAMELLIA_CBC },
-+ { NID_camellia_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE,
-+ CRYPTO_CAMELLIA_CBC },
-+ { NID_camellia_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE,
-+ CRYPTO_CAMELLIA_CBC },
-+#endif
-+};
-+
-+static size_t find_cipher_data_index(int nid)
-+{
-+ size_t i;
-+
-+ for (i = 0; i < OSSL_NELEM(cipher_data); i++)
-+ if (nid == cipher_data[i].nid)
-+ return i;
-+ return (size_t)-1;
-+}
-+
-+static size_t get_cipher_data_index(int nid)
-+{
-+ size_t i = find_cipher_data_index(nid);
-+
-+ if (i != (size_t)-1)
-+ return i;
-+
-+ /*
-+ * Code further down must make sure that only NIDs in the table above
-+ * are used. If any other NID reaches this function, there's a grave
-+ * coding error further down.
-+ */
-+ assert("Code that never should be reached" == NULL);
-+ return -1;
-+}
-+
-+static const struct cipher_data_st *get_cipher_data(int nid)
-+{
-+ return &cipher_data[get_cipher_data_index(nid)];
-+}
-+
-+/*
-+ * Following are the three necessary functions to map OpenSSL functionality
-+ * with cryptodev.
-+ */
-+
-+static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-+ const unsigned char *iv, int enc)
-+{
-+ struct cipher_ctx *cipher_ctx =
-+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
-+ const struct cipher_data_st *cipher_d =
-+ get_cipher_data(EVP_CIPHER_CTX_nid(ctx));
-+
-+ /* cleanup a previous session */
-+ if (cipher_ctx->sess.ses != 0 &&
-+ clean_devcrypto_session(&cipher_ctx->sess) == 0)
-+ return 0;
-+
-+ cipher_ctx->sess.cipher = cipher_d->devcryptoid;
-+ cipher_ctx->sess.keylen = cipher_d->keylen;
-+ cipher_ctx->sess.key = (void *)key;
-+ cipher_ctx->op = enc ? 
COP_ENCRYPT : COP_DECRYPT;
-+ cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE;
-+ cipher_ctx->blocksize = cipher_d->blocksize;
-+ if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) {
-+ SYSerr(SYS_F_IOCTL, errno);
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
-+static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+ const unsigned char *in, size_t inl)
-+{
-+ struct cipher_ctx *cipher_ctx =
-+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
-+ struct crypt_op cryp;
-+ unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
-+#if !defined(COP_FLAG_WRITE_IV)
-+ unsigned char saved_iv[EVP_MAX_IV_LENGTH];
-+ const unsigned char *ivptr;
-+ size_t nblocks, ivlen;
-+#endif
-+
-+ memset(&cryp, 0, sizeof(cryp));
-+ cryp.ses = cipher_ctx->sess.ses;
-+ cryp.len = inl;
-+ cryp.src = (void *)in;
-+ cryp.dst = (void *)out;
-+ cryp.iv = (void *)iv;
-+ cryp.op = cipher_ctx->op;
-+#if !defined(COP_FLAG_WRITE_IV)
-+ cryp.flags = 0;
-+
-+ ivlen = EVP_CIPHER_CTX_iv_length(ctx);
-+ if (ivlen > 0)
-+ switch (cipher_ctx->mode) {
-+ case EVP_CIPH_CBC_MODE:
-+ assert(inl >= ivlen);
-+ if (!EVP_CIPHER_CTX_encrypting(ctx)) {
-+ ivptr = in + inl - ivlen;
-+ memcpy(saved_iv, ivptr, ivlen);
-+ }
-+ break;
-+
-+ case EVP_CIPH_CTR_MODE:
-+ break;
-+
-+ default: /* should not happen */
-+ return 0;
-+ }
-+#else
-+ cryp.flags = COP_FLAG_WRITE_IV;
-+#endif
-+
-+ if (ioctl(cfd, CIOCCRYPT, &cryp) < 0) {
-+ SYSerr(SYS_F_IOCTL, errno);
-+ return 0;
-+ }
-+
-+#if !defined(COP_FLAG_WRITE_IV)
-+ if (ivlen > 0)
-+ switch (cipher_ctx->mode) {
-+ case EVP_CIPH_CBC_MODE:
-+ assert(inl >= ivlen);
-+ if (EVP_CIPHER_CTX_encrypting(ctx))
-+ ivptr = out + inl - ivlen;
-+ else
-+ ivptr = saved_iv;
-+
-+ memcpy(iv, ivptr, ivlen);
-+ break;
-+
-+ case EVP_CIPH_CTR_MODE:
-+ nblocks = (inl + cipher_ctx->blocksize - 1)
-+ / cipher_ctx->blocksize;
-+ do {
-+ ivlen--;
-+ nblocks += iv[ivlen];
-+ iv[ivlen] = (uint8_t) nblocks;
-+ nblocks >>= 8;
-+ } while (ivlen);
-+ break;
-+
-+ default: /* should not 
happen */
-+ return 0;
-+ }
-+#endif
-+
-+ return 1;
-+}
-+
-+static int ctr_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-+ const unsigned char *in, size_t inl)
-+{
-+ struct cipher_ctx *cipher_ctx =
-+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
-+ size_t nblocks, len;
-+
-+ /* initial partial block */
-+ while (cipher_ctx->num && inl) {
-+ (*out++) = *(in++) ^ cipher_ctx->partial[cipher_ctx->num];
-+ --inl;
-+ cipher_ctx->num = (cipher_ctx->num + 1) % cipher_ctx->blocksize;
-+ }
-+
-+ /* full blocks */
-+ if (inl > (unsigned int) cipher_ctx->blocksize) {
-+ nblocks = inl/cipher_ctx->blocksize;
-+ len = nblocks * cipher_ctx->blocksize;
-+ if (cipher_do_cipher(ctx, out, in, len) < 1)
-+ return 0;
-+ inl -= len;
-+ out += len;
-+ in += len;
-+ }
-+
-+ /* final partial block */
-+ if (inl) {
-+ memset(cipher_ctx->partial, 0, cipher_ctx->blocksize);
-+ if (cipher_do_cipher(ctx, cipher_ctx->partial, cipher_ctx->partial,
-+ cipher_ctx->blocksize) < 1)
-+ return 0;
-+ while (inl--) {
-+ out[cipher_ctx->num] = in[cipher_ctx->num]
-+ ^ cipher_ctx->partial[cipher_ctx->num];
-+ cipher_ctx->num++;
-+ }
-+ }
-+
-+ return 1;
-+}
-+
-+static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2)
-+{
-+ struct cipher_ctx *cipher_ctx =
-+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
-+ EVP_CIPHER_CTX *to_ctx = (EVP_CIPHER_CTX *)p2;
-+ struct cipher_ctx *to_cipher_ctx;
-+
-+ switch (type) {
-+ case EVP_CTRL_COPY:
-+ if (cipher_ctx == NULL)
-+ return 1;
-+ /* when copying the context, a new session needs to be initialized */
-+ to_cipher_ctx =
-+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(to_ctx);
-+ memset(&to_cipher_ctx->sess, 0, sizeof(to_cipher_ctx->sess));
-+ return cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx),
-+ (cipher_ctx->op == COP_ENCRYPT));
-+
-+ case EVP_CTRL_INIT:
-+ memset(&cipher_ctx->sess, 0, sizeof(cipher_ctx->sess));
-+ return 1;
-+
-+ default:
-+ break;
-+ }
-+
-+ return -1;
-+}
-+
-+static 
int cipher_cleanup(EVP_CIPHER_CTX *ctx)
-+{
-+ struct cipher_ctx *cipher_ctx =
-+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
-+
-+ return clean_devcrypto_session(&cipher_ctx->sess);
-+}
-+
-+/*
-+ * Keep tables of known nids, associated methods, selected ciphers, and driver
-+ * info.
-+ * Note that known_cipher_nids[] isn't necessarily indexed the same way as
-+ * cipher_data[] above, which the other tables are.
-+ */
-+static int known_cipher_nids[OSSL_NELEM(cipher_data)];
-+static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */
-+static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, };
-+static int selected_ciphers[OSSL_NELEM(cipher_data)];
-+static struct driver_info_st cipher_driver_info[OSSL_NELEM(cipher_data)];
-+
-+
-+static int devcrypto_test_cipher(size_t cipher_data_index)
-+{
-+ return (cipher_driver_info[cipher_data_index].status == DEVCRYPTO_STATUS_USABLE
-+ && selected_ciphers[cipher_data_index] == 1
-+ && (cipher_driver_info[cipher_data_index].accelerated
-+ == DEVCRYPTO_ACCELERATED
-+ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE
-+ || (cipher_driver_info[cipher_data_index].accelerated
-+ != DEVCRYPTO_NOT_ACCELERATED
-+ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE)));
-+}
-+
-+static void prepare_cipher_methods(void)
-+{
-+ size_t i;
-+ struct session_op sess;
-+ unsigned long cipher_mode;
-+#ifdef CIOCGSESSINFO
-+ struct session_info_op siop;
-+#endif
-+
-+ memset(&cipher_driver_info, 0, sizeof(cipher_driver_info));
-+
-+ memset(&sess, 0, sizeof(sess));
-+ sess.key = (void *)"01234567890123456789012345678901234567890123456789";
-+
-+ for (i = 0, known_cipher_nids_amount = 0;
-+ i < OSSL_NELEM(cipher_data); i++) {
-+
-+ selected_ciphers[i] = 1;
-+ /*
-+ * Check that the cipher is usable
-+ */
-+ sess.cipher = cipher_data[i].devcryptoid;
-+ sess.keylen = cipher_data[i].keylen;
-+ if (ioctl(cfd, CIOCGSESSION, &sess) < 0) {
-+ cipher_driver_info[i].status = 
DEVCRYPTO_STATUS_NO_CIOCGSESSION;
-+ continue;
-+ }
-+
-+ cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
-+
-+ if ((known_cipher_methods[i] =
-+ EVP_CIPHER_meth_new(cipher_data[i].nid,
-+ cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
-+ cipher_data[i].blocksize,
-+ cipher_data[i].keylen)) == NULL
-+ || !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i],
-+ cipher_data[i].ivlen)
-+ || !EVP_CIPHER_meth_set_flags(known_cipher_methods[i],
-+ cipher_data[i].flags
-+ | EVP_CIPH_CUSTOM_COPY
-+ | EVP_CIPH_CTRL_INIT
-+ | EVP_CIPH_FLAG_DEFAULT_ASN1)
-+ || !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
-+ || !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
-+ cipher_mode == EVP_CIPH_CTR_MODE ?
-+ ctr_do_cipher :
-+ cipher_do_cipher)
-+ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
-+ || !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],
-+ cipher_cleanup)
-+ || !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],
-+ sizeof(struct cipher_ctx))) {
-+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE;
-+ EVP_CIPHER_meth_free(known_cipher_methods[i]);
-+ known_cipher_methods[i] = NULL;
-+ } else {
-+ cipher_driver_info[i].status = DEVCRYPTO_STATUS_USABLE;
-+#ifdef CIOCGSESSINFO
-+ siop.ses = sess.ses;
-+ if (ioctl(cfd, CIOCGSESSINFO, &siop) < 0) {
-+ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN;
-+ } else {
-+ cipher_driver_info[i].driver_name =
-+ OPENSSL_strndup(siop.cipher_info.cra_driver_name,
-+ CRYPTODEV_MAX_ALG_NAME);
-+ if (!(siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY))
-+ cipher_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED;
-+ else
-+ cipher_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED;
-+ }
-+#endif /* CIOCGSESSINFO */
-+ }
-+ ioctl(cfd, CIOCFSESSION, &sess.ses);
-+ if (devcrypto_test_cipher(i)) {
-+ known_cipher_nids[known_cipher_nids_amount++] =
-+ cipher_data[i].nid;
-+ }
-+ }
-+}
-+
-+static void rebuild_known_cipher_nids(ENGINE *e)
-+{
-+ size_t i;
-+
-+ for (i = 0, 
known_cipher_nids_amount = 0; i < OSSL_NELEM(cipher_data); i++) {
-+ if (devcrypto_test_cipher(i))
-+ known_cipher_nids[known_cipher_nids_amount++] = cipher_data[i].nid;
-+ }
-+ ENGINE_unregister_ciphers(e);
-+ ENGINE_register_ciphers(e);
-+}
-+
-+static const EVP_CIPHER *get_cipher_method(int nid)
-+{
-+ size_t i = get_cipher_data_index(nid);
-+
-+ if (i == (size_t)-1)
-+ return NULL;
-+ return known_cipher_methods[i];
-+}
-+
-+static int get_cipher_nids(const int **nids)
-+{
-+ *nids = known_cipher_nids;
-+ return known_cipher_nids_amount;
-+}
-+
-+static void destroy_cipher_method(int nid)
-+{
-+ size_t i = get_cipher_data_index(nid);
-+
-+ EVP_CIPHER_meth_free(known_cipher_methods[i]);
-+ known_cipher_methods[i] = NULL;
-+}
-+
-+static void destroy_all_cipher_methods(void)
-+{
-+ size_t i;
-+
-+ for (i = 0; i < OSSL_NELEM(cipher_data); i++) {
-+ destroy_cipher_method(cipher_data[i].nid);
-+ OPENSSL_free(cipher_driver_info[i].driver_name);
-+ cipher_driver_info[i].driver_name = NULL;
-+ }
-+}
-+
-+static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
-+ const int **nids, int nid)
-+{
-+ if (cipher == NULL)
-+ return get_cipher_nids(nids);
-+
-+ *cipher = get_cipher_method(nid);
-+
-+ return *cipher != NULL;
-+}
-+
-+static void devcrypto_select_all_ciphers(int *cipher_list)
-+{
-+ size_t i;
-+
-+ for (i = 0; i < OSSL_NELEM(cipher_data); i++)
-+ cipher_list[i] = 1;
-+}
-+
-+static int cryptodev_select_cipher_cb(const char *str, int len, void *usr)
-+{
-+ int *cipher_list = (int *)usr;
-+ char *name;
-+ const EVP_CIPHER *EVP;
-+ size_t i;
-+
-+ if (len == 0)
-+ return 1;
-+ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL)
-+ return 0;
-+ EVP = EVP_get_cipherbyname(name);
-+ if (EVP == NULL)
-+ fprintf(stderr, "devcrypto: unknown cipher %s\n", name);
-+ else if ((i = find_cipher_data_index(EVP_CIPHER_nid(EVP))) != (size_t)-1)
-+ cipher_list[i] = 1;
-+ else
-+ fprintf(stderr, "devcrypto: cipher %s not available\n", name);
-+
OPENSSL_free(name);
-+ return 1;
-+}
-+
-+static void dump_cipher_info(void)
-+{
-+ size_t i;
-+ const char *name;
-+
-+ fprintf (stderr, "Information about ciphers supported by the /dev/crypto"
-+ " engine:\n");
-+#ifndef CIOCGSESSINFO
-+ fprintf(stderr, "CIOCGSESSINFO (session info call) unavailable\n");
-+#endif
-+ for (i = 0; i < OSSL_NELEM(cipher_data); i++) {
-+ name = OBJ_nid2sn(cipher_data[i].nid);
-+ fprintf (stderr, "Cipher %s, NID=%d, /dev/crypto info: id=%d, ",
-+ name ? name : "unknown", cipher_data[i].nid,
-+ cipher_data[i].devcryptoid);
-+ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION ) {
-+ fprintf (stderr, "CIOCGSESSION (session open call) failed\n");
-+ continue;
-+ }
-+ fprintf (stderr, "driver=%s ", cipher_driver_info[i].driver_name ?
-+ cipher_driver_info[i].driver_name : "unknown");
-+ if (cipher_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED)
-+ fprintf(stderr, "(hw accelerated)");
-+ else if (cipher_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED)
-+ fprintf(stderr, "(software)");
-+ else
-+ fprintf(stderr, "(acceleration status unknown)");
-+ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE)
-+ fprintf (stderr, ". Cipher setup failed");
-+ fprintf(stderr, "\n");
-+ }
-+ fprintf(stderr, "\n");
-+}
-+
-+/*
-+ * We only support digests if the cryptodev implementation supports multiple
-+ * data updates and session copying. Otherwise, we would be forced to maintain
-+ * a cache, which is perilous if there's a lot of data coming in (if someone
-+ * wants to checksum an OpenSSL tarball, for example). 
-+ */
-+#if defined(CIOCCPHASH) && defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL)
-+#define IMPLEMENT_DIGEST
-+
-+/******************************************************************************
-+ *
-+ * Digests
-+ *
-+ * Because they all do the same basic operation, we have only one set of
-+ * method functions for them all to share, and a mapping table between
-+ * NIDs and cryptodev IDs, with all the necessary size data.
-+ *
-+ *****/
-+
-+struct digest_ctx {
-+ struct session_op sess;
-+ /* This signals that the init function was called, not that it succeeded. */
-+ int init_called;
-+ unsigned char digest_res[HASH_MAX_LEN];
-+};
-+
-+static const struct digest_data_st {
-+ int nid;
-+ int blocksize;
-+ int digestlen;
-+ int devcryptoid;
-+} digest_data[] = {
-+#ifndef OPENSSL_NO_MD5
-+ { NID_md5, /* MD5_CBLOCK */ 64, 16, CRYPTO_MD5 },
-+#endif
-+ { NID_sha1, SHA_CBLOCK, 20, CRYPTO_SHA1 },
-+#ifndef OPENSSL_NO_RMD160
-+# if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_RIPEMD160)
-+ { NID_ripemd160, /* RIPEMD160_CBLOCK */ 64, 20, CRYPTO_RIPEMD160 },
-+# endif
-+#endif
-+#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_224)
-+ { NID_sha224, SHA256_CBLOCK, 224 / 8, CRYPTO_SHA2_224 },
-+#endif
-+#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_256)
-+ { NID_sha256, SHA256_CBLOCK, 256 / 8, CRYPTO_SHA2_256 },
-+#endif
-+#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_384)
-+ { NID_sha384, SHA512_CBLOCK, 384 / 8, CRYPTO_SHA2_384 },
-+#endif
-+#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_512)
-+ { NID_sha512, SHA512_CBLOCK, 512 / 8, CRYPTO_SHA2_512 },
-+#endif
-+};
-+
-+static size_t find_digest_data_index(int nid)
-+{
-+ size_t i;
-+
-+ for (i = 0; i < OSSL_NELEM(digest_data); i++)
-+ if (nid == digest_data[i].nid)
-+ return i;
-+ return (size_t)-1;
-+}
-+
-+static size_t get_digest_data_index(int nid)
-+{
-+ size_t i = find_digest_data_index(nid);
-+
-+ if (i != (size_t)-1)
-+ return i;
-+
-+ /*
-+ * Code 
further down must make sure that only NIDs in the table above
-+ * are used. If any other NID reaches this function, there's a grave
-+ * coding error further down.
-+ */
-+ assert("Code that never should be reached" == NULL);
-+ return -1;
-+}
-+
-+static const struct digest_data_st *get_digest_data(int nid)
-+{
-+ return &digest_data[get_digest_data_index(nid)];
-+}
-+
-+/*
-+ * Following are the five necessary functions to map OpenSSL functionality
-+ * with cryptodev: init, update, final, cleanup, and copy.
-+ */
-+
-+static int digest_init(EVP_MD_CTX *ctx)
-+{
-+ struct digest_ctx *digest_ctx =
-+ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
-+ const struct digest_data_st *digest_d =
-+ get_digest_data(EVP_MD_CTX_type(ctx));
-+
-+ digest_ctx->init_called = 1;
-+
-+ memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess));
-+ digest_ctx->sess.mac = digest_d->devcryptoid;
-+ if (ioctl(cfd, CIOCGSESSION, &digest_ctx->sess) < 0) {
-+ SYSerr(SYS_F_IOCTL, errno);
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
-+static int digest_op(struct digest_ctx *ctx, const void *src, size_t srclen,
-+ void *res, unsigned int flags)
-+{
-+ struct crypt_op cryp;
-+
-+ memset(&cryp, 0, sizeof(cryp));
-+ cryp.ses = ctx->sess.ses;
-+ cryp.len = srclen;
-+ cryp.src = (void *)src;
-+ cryp.dst = NULL;
-+ cryp.mac = res;
-+ cryp.flags = flags;
-+ return ioctl(cfd, CIOCCRYPT, &cryp);
-+}
-+
-+static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count)
-+{
-+ struct digest_ctx *digest_ctx =
-+ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
-+
-+ if (count == 0)
-+ return 1;
-+
-+ if (digest_ctx == NULL)
-+ return 0;
-+
-+ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) {
-+ if (digest_op(digest_ctx, data, count, digest_ctx->digest_res, 0) >= 0)
-+ return 1;
-+ } else if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) >= 0) {
-+ return 1;
-+ }
-+
-+ SYSerr(SYS_F_IOCTL, errno);
-+ return 0;
-+}
-+
-+static int digest_final(EVP_MD_CTX *ctx, unsigned char *md)
-+{
-+
struct digest_ctx *digest_ctx = -+ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); -+ -+ if (md == NULL || digest_ctx == NULL) -+ return 0; -+ -+ if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT)) { -+ memcpy(md, digest_ctx->digest_res, EVP_MD_CTX_size(ctx)); -+ } else if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) { -+ SYSerr(SYS_F_IOCTL, errno); -+ return 0; -+ } -+ -+ return 1; -+} -+ -+static int digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from) -+{ -+ struct digest_ctx *digest_from = -+ (struct digest_ctx *)EVP_MD_CTX_md_data(from); -+ struct digest_ctx *digest_to = -+ (struct digest_ctx *)EVP_MD_CTX_md_data(to); -+ struct cphash_op cphash; -+ -+ if (digest_from == NULL || digest_from->init_called != 1) -+ return 1; -+ -+ if (!digest_init(to)) { -+ SYSerr(SYS_F_IOCTL, errno); -+ return 0; -+ } -+ -+ cphash.src_ses = digest_from->sess.ses; -+ cphash.dst_ses = digest_to->sess.ses; -+ if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { -+ SYSerr(SYS_F_IOCTL, errno); -+ return 0; -+ } -+ return 1; -+} -+ -+static int digest_cleanup(EVP_MD_CTX *ctx) -+{ -+ struct digest_ctx *digest_ctx = -+ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx); -+ -+ if (digest_ctx == NULL) -+ return 1; -+ -+ return clean_devcrypto_session(&digest_ctx->sess); -+} -+ -+/* -+ * Keep tables of known nids, associated methods, selected digests, and -+ * driver info. -+ * Note that known_digest_nids[] isn't necessarily indexed the same way as -+ * digest_data[] above, which the other tables are. 
-+ */ -+static int known_digest_nids[OSSL_NELEM(digest_data)]; -+static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */ -+static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, }; -+static int selected_digests[OSSL_NELEM(digest_data)]; -+static struct driver_info_st digest_driver_info[OSSL_NELEM(digest_data)]; -+ -+static int devcrypto_test_digest(size_t digest_data_index) -+{ -+ return (digest_driver_info[digest_data_index].status == DEVCRYPTO_STATUS_USABLE -+ && selected_digests[digest_data_index] == 1 -+ && (digest_driver_info[digest_data_index].accelerated -+ == DEVCRYPTO_ACCELERATED -+ || use_softdrivers == DEVCRYPTO_USE_SOFTWARE -+ || (digest_driver_info[digest_data_index].accelerated -+ != DEVCRYPTO_NOT_ACCELERATED -+ && use_softdrivers == DEVCRYPTO_REJECT_SOFTWARE))); -+} -+ -+static void rebuild_known_digest_nids(ENGINE *e) -+{ -+ size_t i; -+ -+ for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); i++) { -+ if (devcrypto_test_digest(i)) -+ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; -+ } -+ ENGINE_unregister_digests(e); -+ ENGINE_register_digests(e); -+} -+ -+static void prepare_digest_methods(void) -+{ -+ size_t i; -+ struct session_op sess1, sess2; -+#ifdef CIOCGSESSINFO -+ struct session_info_op siop; -+#endif -+ struct cphash_op cphash; -+ -+ memset(&digest_driver_info, 0, sizeof(digest_driver_info)); -+ -+ memset(&sess1, 0, sizeof(sess1)); -+ memset(&sess2, 0, sizeof(sess2)); -+ -+ for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); -+ i++) { -+ -+ selected_digests[i] = 1; -+ -+ /* -+ * Check that the digest is usable -+ */ -+ sess1.mac = digest_data[i].devcryptoid; -+ sess2.ses = 0; -+ if (ioctl(cfd, CIOCGSESSION, &sess1) < 0) { -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCGSESSION; -+ goto finish; -+ } -+ -+#ifdef CIOCGSESSINFO -+ /* gather hardware acceleration info from the driver */ -+ siop.ses = sess1.ses; -+ if (ioctl(cfd, 
CIOCGSESSINFO, &siop) < 0) { -+ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATION_UNKNOWN; -+ } else { -+ digest_driver_info[i].driver_name = -+ OPENSSL_strndup(siop.hash_info.cra_driver_name, -+ CRYPTODEV_MAX_ALG_NAME); -+ if (siop.flags & SIOP_FLAG_KERNEL_DRIVER_ONLY) -+ digest_driver_info[i].accelerated = DEVCRYPTO_ACCELERATED; -+ else -+ digest_driver_info[i].accelerated = DEVCRYPTO_NOT_ACCELERATED; -+ } -+#endif -+ -+ /* digest must be capable of hash state copy */ -+ sess2.mac = sess1.mac; -+ if (ioctl(cfd, CIOCGSESSION, &sess2) < 0) { -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; -+ goto finish; -+ } -+ cphash.src_ses = sess1.ses; -+ cphash.dst_ses = sess2.ses; -+ if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) { -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_NO_CIOCCPHASH; -+ goto finish; -+ } -+ if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid, -+ NID_undef)) == NULL -+ || !EVP_MD_meth_set_input_blocksize(known_digest_methods[i], -+ digest_data[i].blocksize) -+ || !EVP_MD_meth_set_result_size(known_digest_methods[i], -+ digest_data[i].digestlen) -+ || !EVP_MD_meth_set_init(known_digest_methods[i], digest_init) -+ || !EVP_MD_meth_set_update(known_digest_methods[i], digest_update) -+ || !EVP_MD_meth_set_final(known_digest_methods[i], digest_final) -+ || !EVP_MD_meth_set_copy(known_digest_methods[i], digest_copy) -+ || !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup) -+ || !EVP_MD_meth_set_app_datasize(known_digest_methods[i], -+ sizeof(struct digest_ctx))) { -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_FAILURE; -+ EVP_MD_meth_free(known_digest_methods[i]); -+ known_digest_methods[i] = NULL; -+ goto finish; -+ } -+ digest_driver_info[i].status = DEVCRYPTO_STATUS_USABLE; -+finish: -+ ioctl(cfd, CIOCFSESSION, &sess1.ses); -+ if (sess2.ses != 0) -+ ioctl(cfd, CIOCFSESSION, &sess2.ses); -+ if (devcrypto_test_digest(i)) -+ known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid; -+ } -+} -+ 
-+static const EVP_MD *get_digest_method(int nid) -+{ -+ size_t i = get_digest_data_index(nid); -+ -+ if (i == (size_t)-1) -+ return NULL; -+ return known_digest_methods[i]; -+} -+ -+static int get_digest_nids(const int **nids) -+{ -+ *nids = known_digest_nids; -+ return known_digest_nids_amount; -+} -+ -+static void destroy_digest_method(int nid) -+{ -+ size_t i = get_digest_data_index(nid); -+ -+ EVP_MD_meth_free(known_digest_methods[i]); -+ known_digest_methods[i] = NULL; -+} -+ -+static void destroy_all_digest_methods(void) -+{ -+ size_t i; -+ -+ for (i = 0; i < OSSL_NELEM(digest_data); i++) { -+ destroy_digest_method(digest_data[i].nid); -+ OPENSSL_free(digest_driver_info[i].driver_name); -+ digest_driver_info[i].driver_name = NULL; -+ } -+} -+ -+static int devcrypto_digests(ENGINE *e, const EVP_MD **digest, -+ const int **nids, int nid) -+{ -+ if (digest == NULL) -+ return get_digest_nids(nids); -+ -+ *digest = get_digest_method(nid); -+ -+ return *digest != NULL; -+} -+ -+static void devcrypto_select_all_digests(int *digest_list) -+{ -+ size_t i; -+ -+ for (i = 0; i < OSSL_NELEM(digest_data); i++) -+ digest_list[i] = 1; -+} -+ -+static int cryptodev_select_digest_cb(const char *str, int len, void *usr) -+{ -+ int *digest_list = (int *)usr; -+ char *name; -+ const EVP_MD *EVP; -+ size_t i; -+ -+ if (len == 0) -+ return 1; -+ if (usr == NULL || (name = OPENSSL_strndup(str, len)) == NULL) -+ return 0; -+ EVP = EVP_get_digestbyname(name); -+ if (EVP == NULL) -+ fprintf(stderr, "devcrypto: unknown digest %s\n", name); -+ else if ((i = find_digest_data_index(EVP_MD_type(EVP))) != (size_t)-1) -+ digest_list[i] = 1; -+ else -+ fprintf(stderr, "devcrypto: digest %s not available\n", name); -+ OPENSSL_free(name); -+ return 1; -+} -+ -+static void dump_digest_info(void) -+{ -+ size_t i; -+ const char *name; -+ -+ fprintf (stderr, "Information about digests supported by the /dev/crypto" -+ " engine:\n"); -+#ifndef CIOCGSESSINFO -+ fprintf(stderr, "CIOCGSESSINFO (session 
info call) unavailable\n"); -+#endif -+ -+ for (i = 0; i < OSSL_NELEM(digest_data); i++) { -+ name = OBJ_nid2sn(digest_data[i].nid); -+ fprintf (stderr, "Digest %s, NID=%d, /dev/crypto info: id=%d, driver=%s", -+ name ? name : "unknown", digest_data[i].nid, -+ digest_data[i].devcryptoid, -+ digest_driver_info[i].driver_name ? digest_driver_info[i].driver_name : "unknown"); -+ if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCGSESSION) { -+ fprintf (stderr, ". CIOCGSESSION (session open) failed\n"); -+ continue; -+ } -+ if (digest_driver_info[i].accelerated == DEVCRYPTO_ACCELERATED) -+ fprintf(stderr, " (hw accelerated)"); -+ else if (digest_driver_info[i].accelerated == DEVCRYPTO_NOT_ACCELERATED) -+ fprintf(stderr, " (software)"); -+ else -+ fprintf(stderr, " (acceleration status unknown)"); -+ if (cipher_driver_info[i].status == DEVCRYPTO_STATUS_FAILURE) -+ fprintf (stderr, ". Cipher setup failed\n"); -+ else if (digest_driver_info[i].status == DEVCRYPTO_STATUS_NO_CIOCCPHASH) -+ fprintf(stderr, ", CIOCCPHASH failed\n"); -+ else -+ fprintf(stderr, ", CIOCCPHASH capable\n"); -+ } -+ fprintf(stderr, "\n"); -+} -+ -+#endif -+ -+/****************************************************************************** -+ * -+ * CONTROL COMMANDS -+ * -+ *****/ -+ -+#define DEVCRYPTO_CMD_USE_SOFTDRIVERS ENGINE_CMD_BASE -+#define DEVCRYPTO_CMD_CIPHERS (ENGINE_CMD_BASE + 1) -+#define DEVCRYPTO_CMD_DIGESTS (ENGINE_CMD_BASE + 2) -+#define DEVCRYPTO_CMD_DUMP_INFO (ENGINE_CMD_BASE + 3) -+ -+/* Helper macros for CPP string composition */ -+#ifndef OPENSSL_MSTR -+# define OPENSSL_MSTR_HELPER(x) #x -+# define OPENSSL_MSTR(x) OPENSSL_MSTR_HELPER(x) -+#endif -+ -+static const ENGINE_CMD_DEFN devcrypto_cmds[] = { -+#ifdef CIOCGSESSINFO -+ {DEVCRYPTO_CMD_USE_SOFTDRIVERS, -+ "USE_SOFTDRIVERS", -+ "specifies whether to use software (not accelerated) drivers (" -+ OPENSSL_MSTR(DEVCRYPTO_REQUIRE_ACCELERATED) "=use only accelerated drivers, " -+ OPENSSL_MSTR(DEVCRYPTO_USE_SOFTWARE) "=allow 
all drivers, " -+ OPENSSL_MSTR(DEVCRYPTO_REJECT_SOFTWARE) -+ "=use if acceleration can't be determined) [default=" -+ OPENSSL_MSTR(DEVCRYPTO_DEFAULT_USE_SOFTDRIVERS) "]", -+ ENGINE_CMD_FLAG_NUMERIC}, -+#endif -+ -+ {DEVCRYPTO_CMD_CIPHERS, -+ "CIPHERS", -+ "either ALL, NONE, or a comma-separated list of ciphers to enable [default=ALL]", -+ ENGINE_CMD_FLAG_STRING}, -+ -+#ifdef IMPLEMENT_DIGEST -+ {DEVCRYPTO_CMD_DIGESTS, -+ "DIGESTS", -+ "either ALL, NONE, or a comma-separated list of digests to enable [default=ALL]", -+ ENGINE_CMD_FLAG_STRING}, -+#endif -+ -+ {DEVCRYPTO_CMD_DUMP_INFO, -+ "DUMP_INFO", -+ "dump info about each algorithm to stderr; use 'openssl engine -pre DUMP_INFO devcrypto'", -+ ENGINE_CMD_FLAG_NO_INPUT}, -+ -+ {0, NULL, NULL, 0} -+}; -+ -+static int devcrypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void)) -+{ -+ int *new_list; -+ switch (cmd) { -+#ifdef CIOCGSESSINFO -+ case DEVCRYPTO_CMD_USE_SOFTDRIVERS: -+ switch (i) { -+ case DEVCRYPTO_REQUIRE_ACCELERATED: -+ case DEVCRYPTO_USE_SOFTWARE: -+ case DEVCRYPTO_REJECT_SOFTWARE: -+ break; -+ default: -+ fprintf(stderr, "devcrypto: invalid value (%ld) for USE_SOFTDRIVERS\n", i); -+ return 0; -+ } -+ if (use_softdrivers == i) -+ return 1; -+ use_softdrivers = i; -+#ifdef IMPLEMENT_DIGEST -+ rebuild_known_digest_nids(e); -+#endif -+ rebuild_known_cipher_nids(e); -+ return 1; -+#endif /* CIOCGSESSINFO */ -+ -+ case DEVCRYPTO_CMD_CIPHERS: -+ if (p == NULL) -+ return 1; -+ if (strcasecmp((const char *)p, "ALL") == 0) { -+ devcrypto_select_all_ciphers(selected_ciphers); -+ } else if (strcasecmp((const char*)p, "NONE") == 0) { -+ memset(selected_ciphers, 0, sizeof(selected_ciphers)); -+ } else { -+ new_list=OPENSSL_zalloc(sizeof(selected_ciphers)); -+ if (!CONF_parse_list(p, ',', 1, cryptodev_select_cipher_cb, new_list)) { -+ OPENSSL_free(new_list); -+ return 0; -+ } -+ memcpy(selected_ciphers, new_list, sizeof(selected_ciphers)); -+ OPENSSL_free(new_list); -+ } -+ rebuild_known_cipher_nids(e); -+ 
return 1; -+ -+#ifdef IMPLEMENT_DIGEST -+ case DEVCRYPTO_CMD_DIGESTS: -+ if (p == NULL) -+ return 1; -+ if (strcasecmp((const char *)p, "ALL") == 0) { -+ devcrypto_select_all_digests(selected_digests); -+ } else if (strcasecmp((const char*)p, "NONE") == 0) { -+ memset(selected_digests, 0, sizeof(selected_digests)); -+ } else { -+ new_list=OPENSSL_zalloc(sizeof(selected_digests)); -+ if (!CONF_parse_list(p, ',', 1, cryptodev_select_digest_cb, new_list)) { -+ OPENSSL_free(new_list); -+ return 0; -+ } -+ memcpy(selected_digests, new_list, sizeof(selected_digests)); -+ OPENSSL_free(new_list); -+ } -+ rebuild_known_digest_nids(e); -+ return 1; -+#endif /* IMPLEMENT_DIGEST */ -+ -+ case DEVCRYPTO_CMD_DUMP_INFO: -+ dump_cipher_info(); -+#ifdef IMPLEMENT_DIGEST -+ dump_digest_info(); -+#endif -+ return 1; -+ -+ default: -+ break; -+ } -+ return 0; -+} -+ -+/****************************************************************************** -+ * -+ * LOAD / UNLOAD -+ * -+ *****/ -+ -+/* -+ * Opens /dev/crypto -+ */ -+static int open_devcrypto(void) -+{ -+ int fd; -+ -+ if (cfd >= 0) -+ return 1; -+ -+ if ((fd = open("/dev/crypto", O_RDWR, 0)) < 0) { -+#ifndef ENGINE_DEVCRYPTO_DEBUG -+ if (errno != ENOENT) -+#endif -+ fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno)); -+ return 0; -+ } -+ -+#ifdef CRIOGET -+ if (ioctl(fd, CRIOGET, &cfd) < 0) { -+ fprintf(stderr, "Could not create crypto fd: %s\n", strerror(errno)); -+ close(fd); -+ cfd = -1; -+ return 0; -+ } -+ close(fd); -+#else -+ cfd = fd; -+#endif -+ -+ return 1; -+} -+ -+static int close_devcrypto(void) -+{ -+ int ret; -+ -+ if (cfd < 0) -+ return 1; -+ ret = close(cfd); -+ cfd = -1; -+ if (ret != 0) { -+ fprintf(stderr, "Error closing /dev/crypto: %s\n", strerror(errno)); -+ return 0; -+ } -+ return 1; -+} -+ -+static int devcrypto_unload(ENGINE *e) -+{ -+ destroy_all_cipher_methods(); -+#ifdef IMPLEMENT_DIGEST -+ destroy_all_digest_methods(); -+#endif -+ -+ close_devcrypto(); -+ -+ return 1; -+} -+ 
-+static int bind_devcrypto(ENGINE *e) { -+ -+ if (!ENGINE_set_id(e, engine_devcrypto_id) -+ || !ENGINE_set_name(e, "/dev/crypto engine") -+ || !ENGINE_set_destroy_function(e, devcrypto_unload) -+ || !ENGINE_set_cmd_defns(e, devcrypto_cmds) -+ || !ENGINE_set_ctrl_function(e, devcrypto_ctrl)) -+ return 0; -+ -+ prepare_cipher_methods(); -+#ifdef IMPLEMENT_DIGEST -+ prepare_digest_methods(); -+#endif -+ -+ return (ENGINE_set_ciphers(e, devcrypto_ciphers) -+#ifdef IMPLEMENT_DIGEST -+ && ENGINE_set_digests(e, devcrypto_digests) -+#endif -+/* -+ * Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD -+ * implementations, it seems to only exist in FreeBSD, and regarding the -+ * parameters in its crypt_kop, the manual crypto(4) has this to say: -+ * -+ * The semantics of these arguments are currently undocumented. -+ * -+ * Reading through the FreeBSD source code doesn't give much more than -+ * their CRK_MOD_EXP implementation for ubsec. -+ * -+ * It doesn't look much better with cryptodev-linux. They have the crypt_kop -+ * structure as well as the command (CRK_*) in cryptodev.h, but no support -+ * seems to be implemented at all for the moment. -+ * -+ * At the time of writing, it seems impossible to write proper support for -+ * FreeBSD's asym features without some very deep knowledge and access to -+ * specific kernel modules. -+ * -+ * /Richard Levitte, 2017-05-11 -+ */ -+#if 0 -+# ifndef OPENSSL_NO_RSA -+ && ENGINE_set_RSA(e, devcrypto_rsa) -+# endif -+# ifndef OPENSSL_NO_DSA -+ && ENGINE_set_DSA(e, devcrypto_dsa) -+# endif -+# ifndef OPENSSL_NO_DH -+ && ENGINE_set_DH(e, devcrypto_dh) -+# endif -+# ifndef OPENSSL_NO_EC -+ && ENGINE_set_EC(e, devcrypto_ec) -+# endif -+#endif -+ ); -+} -+ -+#ifdef OPENSSL_NO_DYNAMIC_ENGINE -+/* -+ * In case this engine is built into libcrypto, then it doesn't offer any -+ * ability to be dynamically loadable. 
-+ */ -+void engine_load_devcrypto_int(void) -+{ -+ ENGINE *e = NULL; -+ -+ if (!open_devcrypto()) -+ return; -+ -+ if ((e = ENGINE_new()) == NULL -+ || !bind_devcrypto(e)) { -+ close_devcrypto(); -+ ENGINE_free(e); -+ return; -+ } -+ -+ ENGINE_add(e); -+ ENGINE_free(e); /* Loose our local reference */ -+ ERR_clear_error(); -+} -+ -+#else -+ -+static int bind_helper(ENGINE *e, const char *id) -+{ -+ if ((id && (strcmp(id, engine_devcrypto_id) != 0)) -+ || !open_devcrypto()) -+ return 0; -+ if (!bind_devcrypto(e)) { -+ close_devcrypto(); -+ return 0; -+ } -+ return 1; -+} -+ -+IMPLEMENT_DYNAMIC_CHECK_FN() -+IMPLEMENT_DYNAMIC_BIND_FN(bind_helper) -+ -+#endif diff --git a/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch b/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch index df5c16d8d..f18326385 100644 --- a/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch +++ b/openssl/patches/500-e_devcrypto-default-to-not-use-digests-in-engine.patch @@ -21,7 +21,7 @@ Signed-off-by: Eneas U de Queiroz --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c -@@ -852,7 +852,7 @@ static void prepare_digest_methods(void) +@@ -905,7 +905,7 @@ static void prepare_digest_methods(void) for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data); i++) { @@ -30,7 +30,7 @@ Signed-off-by: Eneas U de Queiroz /* * Check that the digest is usable -@@ -1072,7 +1072,7 @@ static const ENGINE_CMD_DEFN devcrypto_c +@@ -1119,7 +1119,7 @@ static const ENGINE_CMD_DEFN devcrypto_c #ifdef IMPLEMENT_DIGEST {DEVCRYPTO_CMD_DIGESTS, "DIGESTS", diff --git a/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch b/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch index 87792cf9d..40b1dc78d 100644 --- a/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch +++ b/openssl/patches/510-e_devcrypto-ignore-error-when-closing-session.patch @@ -10,8 +10,8 @@ 
Signed-off-by: Eneas U de Queiroz --- a/engines/e_devcrypto.c +++ b/engines/e_devcrypto.c -@@ -195,9 +195,8 @@ static int cipher_init(EVP_CIPHER_CTX *c - get_cipher_data(EVP_CIPHER_CTX_nid(ctx)); +@@ -211,9 +211,8 @@ static int cipher_init(EVP_CIPHER_CTX *c + int ret; /* cleanup a previous session */ - if (cipher_ctx->sess.ses != 0 && diff --git a/opkg/Makefile b/opkg/Makefile index 83c9dab1b..3510e7435 100644 --- a/opkg/Makefile +++ b/opkg/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=opkg -PKG_RELEASE:=$(AUTORELEASE) +PKG_RELEASE:=2 PKG_FLAGS:=essential PKG_SOURCE_PROTO:=git @@ -28,6 +28,8 @@ PKG_CONFIG_DEPENDS += \ HOST_BUILD_DEPENDS:=libubox/host +PKG_BUILD_FLAGS:=gc-sections + include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/host-build.mk include $(INCLUDE_DIR)/cmake.mk @@ -57,7 +59,6 @@ define Package/opkg/conffiles /etc/opkg/customfeeds.conf endef -TARGET_CFLAGS += -ffunction-sections -fdata-sections EXTRA_CFLAGS += $(TARGET_CPPFLAGS) CMAKE_OPTIONS += \ diff --git a/ppp/Makefile b/ppp/Makefile index 10e9bdfdf..80d5e46c3 100644 --- a/ppp/Makefile +++ b/ppp/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk include $(INCLUDE_DIR)/kernel.mk PKG_NAME:=ppp -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/paulusmack/ppp @@ -26,6 +26,7 @@ PKG_VERSION:=$(PKG_RELEASE_VERSION).git-$(PKG_SOURCE_DATE) PKG_BUILD_DEPENDS:=libpcap PKG_ASLR_PIE_REGULAR:=1 +PKG_BUILD_FLAGS:=gc-sections lto PKG_BUILD_PARALLEL:=1 PKG_INSTALL:=1 @@ -192,9 +193,6 @@ $(call Build/Configure/Default,, \ $(PKG_BUILD_DIR)/pppd/plugins/pppoatm/linux/ endef -TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto -TARGET_LDFLAGS += -Wl,--gc-sections -flto -fuse-linker-plugin - MAKE_FLAGS += COPTS="$(TARGET_CFLAGS)" \ PRECOMPILED_FILTER=1 \ STAGING_DIR="$(STAGING_DIR)" diff --git a/ppp/files/ppp.sh b/ppp/files/ppp.sh index 7bbc497c4..6d3a8e29f 100755 --- a/ppp/files/ppp.sh +++ b/ppp/files/ppp.sh 
@@ -220,9 +220,7 @@ proto_pppoe_setup() { local config="$1" local iface="$2" - for module in slhc ppp_generic pppox pppoe; do - /sbin/insmod $module 2>&- >&- - done + /sbin/modprobe -qa slhc ppp_generic pppox pppoe json_get_var mtu mtu mtu="${mtu:-1492}" @@ -262,9 +260,7 @@ proto_pppoa_setup() { local config="$1" local iface="$2" - for module in slhc ppp_generic pppox pppoatm; do - /sbin/insmod $module 2>&- >&- - done + /sbin/modprobe -qa slhc ppp_generic pppox pppoatm json_get_vars atmdev vci vpi encaps @@ -311,13 +307,8 @@ proto_pptp_setup() { exit 1 } - local load - for module in slhc ppp_generic ppp_async ppp_mppe ip_gre gre pptp; do - grep -q "^$module " /proc/modules && continue - /sbin/insmod $module 2>&- >&- - load=1 - done - [ "$load" = "1" ] && sleep 1 + /sbin/modprobe -qa slhc ppp_generic ppp_async ppp_mppe ip_gre gre pptp + sleep 1 ppp_generic_setup "$config" \ plugin pptp.so \ @@ -335,4 +326,3 @@ proto_pptp_teardown() { [ -f /usr/lib/pppd/*/pppoatm.so ] && add_protocol pppoa [ -f /usr/lib/pppd/*/pptp.so ] && add_protocol pptp } - diff --git a/qt6base/Makefile b/qt6base/Makefile new file mode 100644 index 000000000..50dc76347 --- /dev/null +++ b/qt6base/Makefile 
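Review bot: In the proto_pptp_setup hunk the `sleep 1` is now unconditional, whereas the removed loop only slept when it had actually loaded a module, so every pptp (re)connect now pays the delay even with all modules already resident. If the wait exists only to let freshly loaded modules settle, keep the gating with something like `grep -q '^pptp ' /proc/modules || need_wait=1` before the modprobe and `[ "$need_wait" = 1 ] && sleep 1` after it, or drop the sleep with a comment saying why it is safe. Note also that `modprobe -q` hides failures just as the old `2>&- >&-` redirections did, so a missing module still surfaces only as a later pppd error; a one-line comment stating that this is intended would help the next reader. The rest of proto_pptp_setup lies outside the hunk.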
@@ -0,0 +1,215 @@
+#
+# Copyright (C) 2022 Krypton Lee
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=qt6base
+PKG_BASE:=6.5
+PKG_BUGFIX:=2
+PKG_VERSION:=$(PKG_BASE).$(PKG_BUGFIX)
+PKG_RELEASE:=1
+
+PKG_SOURCE:=qtbase-everywhere-src-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=https://mirrors.tencent.com/qt/archive/qt/$(PKG_BASE)/$(PKG_VERSION)/submodules/ \
+ https://mirrors.aliyun.com/qt/archive/qt/$(PKG_BASE)/$(PKG_VERSION)/submodules/ \
+ http://download.qt-project.org/archive/qt/$(PKG_BASE)/$(PKG_VERSION)/submodules/
+PKG_HASH:=3db4c729b4d80a9d8fda8dd77128406353baff4755ca619177eda4cddae71269
+
+HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/qtbase-everywhere-src-$(PKG_VERSION)
+PKG_BUILD_DIR:=$(BUILD_DIR)/qtbase-everywhere-src-$(PKG_VERSION)
+
+PKG_MAINTAINER:=Krypton Lee
+PKG_LICENSE:=LGPL-2.1
+PKG_LICENSE_FILES:=COPYING
+PKG_CPE_ID:=cpe:/a:qt:qt
+
+PKG_BUILD_DEPENDS:=qt6base/host
+PKG_BUILD_PARALLEL:=1
+PKG_BUILD_FLAGS:=no-mips16
+CMAKE_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/host-build.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+STRIP:=$(TARGET_CROSS)strip $(call qstrip,$(CONFIG_STRIP_ARGS))
+
+define Package/libQt6/Default
+ SECTION:=libs
+ CATEGORY:=Libraries
+ SUBMENU:=Qt6
+ TITLE:=Qt6
+ URL:=http://qt-project.org
+ DEPENDS:=@!(arc||TARGET_gemini) +libatomic +libdouble-conversion +libstdcpp +zlib
+endef
+
+define Package/libQt6
+ $(call Package/libQt6/Default)
+ HIDDEN:=1
+endef
+
+define Package/libQt6/install
+endef
+
+TARGET_CFLAGS+= -I$(STAGING_DIR)/usr/include/libdrm
+ifdef CONFIG_USE_GLIBC
+ ifeq ($(ARCH),x86_64)
+ TARGET_LDFLAGS+= -Wl,--sysroot=$(TOOLCHAIN_DIR)
+ endif
+endif
+
+CMAKE_SHARED_LDFLAGS := $(filter-out -Wl$(comma)-Bsymbolic-functions,$(CMAKE_SHARED_LDFLAGS))
+
+CMAKE_HOST_OPTIONS+= \
+ -DBUILD_SHARED_LIBS=OFF \
+ -DFEATURE_optimize_full=ON \
+ -DFEATURE_glib=OFF \
+ -DFEATURE_zstd=OFF \
+ -DFEATURE_concurrent=OFF \
+ -DFEATURE_dbus=ON \
+ -DFEATURE_gui=OFF \
+ -DFEATURE_network=ON \
+ -DFEATURE_openssl=OFF \
+ -DFEATURE_sql=OFF \
+ -DFEATURE_testlib=OFF \
+ -DFEATURE_xml=ON
+
+CMAKE_OPTIONS+= \
+ -DBUILD_SHARED_LIBS=ON \
+ -DCMAKE_SYSROOT=$(STAGING_DIR) \
+ -DQT_HOST_PATH=$(STAGING_DIR_HOSTPKG) \
+ -DINSTALL_PLUGINSDIR=/usr/lib/qt6plugins \
+ -DQT_QMAKE_TARGET_MKSPEC=devices/linux-generic-g++ \
+ -DQT_QMAKE_DEVICE_OPTIONS=CROSS_COMPILE="$(TARGET_CROSS);COMPILER_FLAGS=$(TARGET_CFLAGS) $(EXTRA_CFLAGS) $(TARGET_CPPFLAGS) $(EXTRA_CPPFLAGS);LINKER_FLAGS=$(TARGET_LDFLAGS) $(EXTRA_LDFLAGS)" \
+ -DQT_BUILD_EXAMPLES=OFF \
+ -DQT_BUILD_TESTS=OFF \
+ -DQT_BUILD_TOOLS_WHEN_CROSSCOMPILING=OFF \
+ -DINPUT_opengl=no \
+ -DFEATURE_optimize_full=ON \
+ -DFEATURE_system_zlib=ON \
+ -DFEATURE_zstd=OFF \
+ -DFEATURE_backtrace=OFF \
+ -DFEATURE_system_doubleconversion=ON \
+ -DFEATURE_glib=OFF \
+ -DFEATURE_icu=OFF \
+ -DFEATURE_mimetype_database=ON \
+ -DFEATURE_system_pcre2=ON \
+ -DFEATURE_concurrent=$(if $(CONFIG_PACKAGE_libQt6Concurrent),ON,OFF) \
+ -DFEATURE_dbus=$(if $(CONFIG_PACKAGE_libQt6DBus),ON,OFF) \
+ -DFEATURE_gui=$(if $(CONFIG_PACKAGE_libQt6Gui),ON,OFF) \
+ -DFEATURE_fontconfig=OFF \
+ -DFEATURE_system_freetype=ON \
+ -DFEATURE_accessibility=OFF \
+ -DFEATURE_harfbuzz=OFF \
+ -DFEATURE_gif=OFF \
+ -DFEATURE_ico=OFF \
+ -DFEATURE_jpeg=OFF \
+ -DFEATURE_png=OFF \
+ -DFEATURE_texthtmlparser=OFF \
+ -DFEATURE_cssparser=OFF \
+ -DFEATURE_textodfwriter=OFF \
+ -DFEATURE_textmarkdownreader=OFF \
+ -DFEATURE_textmarkdownwriter=OFF \
+ -DFEATURE_sessionmanager=OFF \
+ -DFEATURE_evdev=OFF \
+ -DFEATURE_vnc=OFF \
+ -DFEATURE_linuxfb=OFF \
+ -DFEATURE_network=$(if $(CONFIG_PACKAGE_libQt6Network),ON,OFF) \
+ -DFEATURE_openssl=ON \
+ -DFEATURE_openssl_runtime=ON \
+ -DFEATURE_ocsp=OFF \
+ -DFEATURE_printsupport=$(if $(CONFIG_PACKAGE_libQt6PrintSupport),ON,OFF) \
+ -DFEATURE_sql=$(if $(CONFIG_PACKAGE_libQt6Sql),ON,OFF) \
+ -DFEATURE_sqlmodel=OFF \
+ -DFEATURE_sql_sqlite=ON \
+ -DFEATURE_system_sqlite=ON \
+ -DFEATURE_sql_db2=OFF \
+ -DFEATURE_sql_ibase=OFF \
+ -DFEATURE_sql_mysql=OFF \
+ -DFEATURE_sql_oci=OFF \
+ -DFEATURE_sql_odbc=OFF \
+ -DFEATURE_sql_psql=OFF \
+ -DFEATURE_testlib=$(if $(CONFIG_PACKAGE_libQt6Test),ON,OFF) \
+ -DFEATURE_itemmodeltester=OFF \
+ -DFEATURE_widgets=$(if $(CONFIG_PACKAGE_libQt6Widgets),ON,OFF) \
+ -DFEATURE_xml=$(if $(CONFIG_PACKAGE_libQt6Xml),ON,OFF) \
+ -DFEATURE_tuiotouch=$(if $(CONFIG_PACKAGE_qt6-plugin-libqtuiotouchplugin),ON,OFF)
+
+define Package/libQt6/Default/install
+ $(INSTALL_DIR) $(1)/usr/lib/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libQt6$(2).so* $(1)/usr/lib/
+endef
+
+# 1: short name
+# 2: dependencies on other qt6 libraries (short name)
+# 3: dependencies on other packages
+define DefineQt6Package
+ QT6BASE_LIBS+=$(1)
+ PKG_CONFIG_DEPENDS+=CONFIG_PACKAGE_libQt6$(1)
+
+ define Package/libQt6$(1)
+ $(call Package/libQt6/Default)
+ TITLE+=$(1) Library
+ DEPENDS+=$(foreach lib,$(2),+libQt6$(lib)) $(3)
+ endef
+
+ define Package/libQt6$(1)/description
+ This package provides the Qt6 $(1) v$(PKG_VERSION) library.
+ endef
+
+ define Package/libQt6$(1)/install
+ $(call Package/libQt6/Default/install,$$(1),$(1))
+ endef
+endef
+
+$(eval $(call DefineQt6Package,Concurrent,Core,))
+$(eval $(call DefineQt6Package,Core,,+libpcre2-16))
+$(eval $(call DefineQt6Package,DBus,Core,))
+$(eval $(call DefineQt6Package,Gui,DBus,+libdrm +libfreetype))
+$(eval $(call DefineQt6Package,Network,Core,+libopenssl +krb5-libs))
+$(eval $(call DefineQt6Package,PrintSupport,Widgets,))
+$(eval $(call DefineQt6Package,Sql,Core,+libsqlite3))
+$(eval $(call DefineQt6Package,Test,Core,))
+$(eval $(call DefineQt6Package,Widgets,Gui,))
+$(eval $(call DefineQt6Package,Xml,Core,))
+
+define Package/qt6-plugin/Default/install
+ $(INSTALL_DIR) $(1)/usr/lib/qt6plugins/$(2)/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/qt6plugins/$(2)/libq$(3).so $(1)/usr/lib/qt6plugins/$(2)/
+endef
+
+# 1: plugin diretory
+# 2: plugin name (short name)
+# 3: dependencies on other qt6 libraries (short name)
+define DefineQt6PluginPackage
+ QT6_PLUGINS+=$(2)
+
+ define Package/qt6-plugin-libq$(2)
+ $(call Package/libQt6/Default)
+ TITLE+=Plugin libq$(2)
+ DEPENDS+=$(foreach lib,$(3),+libQt6$(lib))
+ endef
+
+ define Package/qt6-plugin-libq$(2)/install
+ $(call Package/qt6-plugin/Default/install,$$(1),$(1),$(2))
+ endef
+endef
+
+$(eval $(call DefineQt6PluginPackage,generic,tuiotouchplugin,Gui Network))
+$(eval $(call DefineQt6PluginPackage,networkinformation,networkmanager,DBus Network))
+$(eval $(call DefineQt6PluginPackage,platforms,minimal,Gui))
+$(eval $(call DefineQt6PluginPackage,platforms,offscreen,Gui))
+$(eval $(call DefineQt6PluginPackage,platformthemes,xdgdesktopportal,Gui))
+$(eval $(call DefineQt6PluginPackage,sqldrivers,sqlite,Sql))
+$(eval $(call DefineQt6PluginPackage,tls,certonlybackend,Network))
+$(eval $(call DefineQt6PluginPackage,tls,opensslbackend,Network))
+PKG_CONFIG_DEPENDS+=CONFIG_PACKAGE_qt6-plugin-libqtuiotouchplugin
+
+$(foreach lib,$(QT6BASE_LIBS),$(eval $(call BuildPackage,libQt6$(lib))))
+$(foreach
lib,$(QT6_PLUGINS),$(eval $(call BuildPackage,qt6-plugin-libq$(lib)))) +$(eval $(call BuildPackage,libQt6)) +$(eval $(call HostBuild)) diff --git a/qt6base/patches/010-marco.patch b/qt6base/patches/010-marco.patch new file mode 100644 index 000000000..6abac5e9e --- /dev/null +++ b/qt6base/patches/010-marco.patch @@ -0,0 +1,12 @@ +--- a/src/corelib/plugin/qelfparser_p.cpp ++++ b/src/corelib/plugin/qelfparser_p.cpp +@@ -382,7 +382,9 @@ Q_DECL_UNUSED Q_DECL_COLD_FUNCTION stati + case EM_ALPHA: d << ", Alpha"; break; + case EM_68K: d << ", MC68000"; break; + case EM_ARM: d << ", ARM"; break; ++#ifdef EM_AARCH64 + case EM_AARCH64: d << ", AArch64"; break; ++#endif + #ifdef EM_BLACKFIN + case EM_BLACKFIN: d << ", Blackfin"; break; + #endif diff --git a/rp-pppoe/Makefile b/rp-pppoe/Makefile index c5b6865e1..f062765ca 100644 --- a/rp-pppoe/Makefile +++ b/rp-pppoe/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=rp-pppoe -PKG_VERSION:=3.14 -PKG_RELEASE:=3 +PKG_VERSION:=3.15 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://dianne.skoll.ca/projects/rp-pppoe/download -PKG_HASH:=7825232f64ab4d618ef074d62d145ae43d6edc91b9a718c6130a4742bac40e2a +PKG_HASH:=b1f318bc7e4e5b0fd8a8e23e8803f5e6e43165245a5a10a7162a92a6cf17829a PKG_MAINTAINER:= PKG_LICENSE:=LGPL-2.0-or-later diff --git a/rp-pppoe/patches/110-Makefile.patch b/rp-pppoe/patches/110-Makefile.patch index 0d4a341f8..013c35b65 100644 --- a/rp-pppoe/patches/110-Makefile.patch +++ b/rp-pppoe/patches/110-Makefile.patch @@ -1,6 +1,6 @@ --- a/src/Makefile.in +++ b/src/Makefile.in -@@ -72,7 +72,7 @@ pppoe-sniff: pppoe-sniff.o if.o common.o +@@ -73,7 +73,7 @@ pppoe-sniff: pppoe-sniff.o if.o common.o @CC@ -o $@ $^ $(LDFLAGS) pppoe-server: pppoe-server.o if.o debug.o common.o md5.o libevent/libevent.a @PPPOE_SERVER_DEPS@ diff --git a/rp-pppoe/patches/130-static-lib-fix.patch b/rp-pppoe/patches/130-static-lib-fix.patch index 1221c2b4b..d9a63da6a 100644 
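Review bot: `PKG_LICENSE:=LGPL-2.1` with `PKG_LICENSE_FILES:=COPYING` looks wrong for Qt 6, which to my knowledge is distributed under LGPL-3.0 with GPL-2.0/GPL-3.0 alternatives and ships its license texts in a `LICENSES/` directory rather than a `COPYING` file; please verify against the tarball and switch to the SPDX form, e.g. `PKG_LICENSE:=LGPL-3.0-only GPL-2.0-only GPL-3.0-only` with the matching file list. The CMAKE_OPTIONS block sets `-DFEATURE_openssl_runtime=ON` and `-DFEATURE_ocsp=OFF` without saying why; a comment such as `# libssl is loaded at runtime by soname (libQt6Network depends on +libopenssl); OCSP stapling is not built, so consumers needing revocation checks must enable FEATURE_ocsp` would record the trade-off for anyone auditing the tls/opensslbackend plugin. The third PKG_SOURCE_URL mirror is plain http; PKG_HASH still pins the artefact, but listing an https form of the upstream mirror (confirm it resolves) avoids an unauthenticated fetch when the first two mirrors are unreachable. Minor: `# 1: plugin diretory` should read `# 1: plugin directory`.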
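Review bot: The new patch file carries no header explaining what it fixes, and its name `010-marco.patch` reads like a typo of "macro"; OpenWrt patches conventionally start with a short description (and the upstream source or commit when there is one) so that the `#ifdef EM_AARCH64` guard around `case EM_AARCH64:` can be understood and dropped once the toolchain's ELF headers define the constant. I would rename it to something like `010-guard-EM_AARCH64-in-qelfparser.patch` and add a two-line description above the first `---` line.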
--- a/rp-pppoe/patches/130-static-lib-fix.patch +++ b/rp-pppoe/patches/130-static-lib-fix.patch @@ -1,6 +1,6 @@ --- a/src/Makefile.in +++ b/src/Makefile.in -@@ -140,7 +140,8 @@ plugin/plugin.o: plugin.c +@@ -141,7 +141,8 @@ plugin/plugin.o: plugin.c @CC@ -DPLUGIN=1 '-DRP_VERSION="$(RP_VERSION)"' $(CFLAGS) -I$(PPPD_INCDIR) -c -o $@ -fPIC $< plugin/libplugin.a: plugin/discovery.o plugin/if.o plugin/common.o plugin/debug.o diff --git a/tailscale/Makefile b/tailscale/Makefile index 92247e2ac..0801da238 100644 --- a/tailscale/Makefile +++ b/tailscale/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tailscale -PKG_VERSION:=1.32.3 +PKG_VERSION:=1.44.0 PKG_RELEASE:=1 PKG_SOURCE:=tailscale-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=4cf88a1d754240ce71b29d3a65ca480091ad9c614ac99c541cef6fdaf0585dd4 +PKG_HASH:=dc230cf3ac290140e573268a6e8f17124752ef064c8d3a86765a9dbb6f1bd354 PKG_MAINTAINER:=Jan Pavlinec PKG_LICENSE:=BSD-3-Clause @@ -22,13 +22,13 @@ PKG_LICENSE_FILES:=LICENSE PKG_BUILD_DIR:=$(BUILD_DIR)/tailscale-$(PKG_VERSION) PKG_BUILD_DEPENDS:=golang/host PKG_BUILD_PARALLEL:=1 -PKG_USE_MIPS16:=0 +PKG_BUILD_FLAGS:=no-mips16 GO_PKG:=\ tailscale.com/cmd/tailscale \ tailscale.com/cmd/tailscaled -GO_PKG_LDFLAGS:=-X 'tailscale.com/version.Long=$(PKG_VERSION)-$(PKG_RELEASE) (OpenWrt)' -GO_PKG_LDFLAGS_X:=tailscale.com/version.Short=$(PKG_VERSION) +GO_PKG_LDFLAGS:=-X 'tailscale.com/version.longStamp=$(PKG_VERSION)-$(PKG_RELEASE) (OpenWrt)' +GO_PKG_LDFLAGS_X:=tailscale.com/version.shortStamp=$(PKG_VERSION) include $(INCLUDE_DIR)/package.mk include $(TOPDIR)/feeds/packages/lang/golang/golang-package.mk 
@@ -61,24 +61,44 @@ endef Package/tailscaled/description:=$(Package/tailscale/description) +define Package/tailscaled/conffiles +/etc/config/tailscale +/etc/tailscale/tailscaled.state +endef + +GO_IPTABLES_VERSION:=0.6.0 +GO_IPTABLES_FILE:=$(PKG_NAME)-go-iptables-$(GO_IPTABLES_VERSION).tar.gz + +define Download/go-iptables + URL:=https://codeload.github.com/coreos/go-iptables/tar.gz/v$(GO_IPTABLES_VERSION)? + URL_FILE:=$(GO_IPTABLES_FILE) + FILE:=$(GO_IPTABLES_FILE) + HASH:=a784cc17fcb17879f073eae47bc4c2e899f59f6906dac5a0aa7a9cc9f95ea66d +endef + +define Build/Prepare + $(PKG_UNPACK) + [ ! -d ./src/ ] || $(CP) ./src/. $(PKG_BUILD_DIR) + $(eval $(call Download,go-iptables)) + ( \ + mkdir -p $(PKG_BUILD_DIR)/patched/ ; \ + gzip -dc $(DL_DIR)/$(GO_IPTABLES_FILE) | $(HOST_TAR) -C $(PKG_BUILD_DIR)/patched $(TAR_OPTIONS) ; \ + mv $(PKG_BUILD_DIR)/patched/go-iptables-$(GO_IPTABLES_VERSION) $(PKG_BUILD_DIR)/patched/go-iptables ; \ + ) + $(Build/Patch) +endef + define Package/tailscale/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(GO_PKG_BUILD_BIN_DIR)/tailscale $(1)/usr/sbin endef define Package/tailscaled/install - $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/init.d $(1)/etc/config $(INSTALL_BIN) $(GO_PKG_BUILD_BIN_DIR)/tailscaled $(1)/usr/sbin - $(INSTALL_DIR) $(1)/etc/init.d/ $(INSTALL_BIN) ./files//tailscale.init $(1)/etc/init.d/tailscale - $(INSTALL_DIR) $(1)/etc/config/ $(INSTALL_DATA) ./files//tailscale.conf $(1)/etc/config/tailscale endef -define Package/tailscaled/conffiles -/etc/config/tailscale -/etc/tailscale/tailscaled.state -endef - $(eval $(call BuildPackage,tailscale)) $(eval $(call BuildPackage,tailscaled)) diff --git a/tailscale/README.md b/tailscale/README.md index d3b58e7ce..eaffa57d7 100644 --- a/tailscale/README.md +++ b/tailscale/README.md 
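Review bot: In the new `Build/Prepare` the subshell chains `mkdir -p`, `gzip -dc | $(HOST_TAR)` and `mv` with `;`, so unless the recipe shell runs with `-e` only the status of the final `mv` escapes and a failed or truncated extraction of the go-iptables tarball is not fatal; join the steps with `&&` instead, e.g. `mkdir -p $(PKG_BUILD_DIR)/patched/ && gzip -dc $(DL_DIR)/$(GO_IPTABLES_FILE) | $(HOST_TAR) -C $(PKG_BUILD_DIR)/patched $(TAR_OPTIONS) && mv ...`. The `$(eval $(call Download,go-iptables))` sits inside the recipe rather than at top level where Download rules are usually declared; if that placement is deliberate so the extra tarball is fetched during prepare, a comment saying so (and noting that the HASH line pins it) would help. It is also non-obvious that `$(Build/Patch)` is what lets `patches/010-fake_iptables.patch` modify `patched/go-iptables` after the copy, so a one-line comment above the subshell explaining the layout would be welcome.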
@@ -25,4 +25,9 @@ Run command and finish device registration with the given URL.
tailscale up
```
+If you are running with nftables, it is not supported by tailscale,
+so disable it and configure firewall by yourself and add argument
+--netfilter-mode off
+to tailscale up command to disable iptables use.
+
After that, you should see your router in tailscale admin page.
diff --git a/tailscale/patches/010-fake_iptables.patch b/tailscale/patches/010-fake_iptables.patch
new file mode 100644
index 000000000..ca7086ed8
--- /dev/null
+++ b/tailscale/patches/010-fake_iptables.patch
@@ -0,0 +1,53 @@
+--- a/go.mod
++++ b/go.mod
+@@ -2,6 +2,8 @@ module tailscale.com
+
+ go 1.20
+
++replace github.com/coreos/go-iptables => ./patched/go-iptables
++
+ require (
+ filippo.io/mkcert v1.4.4
+ github.com/Microsoft/go-winio v0.6.1
+--- a/patched/go-iptables/iptables/iptables.go
++++ b/patched/go-iptables/iptables/iptables.go
+@@ -149,12 +149,39 @@ func New(opts ...option) (*IPTables, err
+ return ipt, nil
+ }
+
++func NewFake(opts ...option) (*IPTables, error) {
++
++ ipt := &IPTables{
++ path: "/bin/false",
++ proto: ProtocolIPv4,
++ hasCheck: false,
++ hasWait: false,
++ waitSupportSecond: false,
++ hasRandomFully: false,
++ v1: 0,
++ v2: 0,
++ v3: 0,
++ mode: "legacy",
++ timeout: 0,
++ }
++
++ for _, opt := range opts {
++ opt(ipt)
++ }
++
++ return ipt, nil
++}
++
+ // New creates a new IPTables for the given proto.
+ // The proto will determine which command is used, either "iptables" or "ip6tables".
+ func NewWithProtocol(proto Protocol) (*IPTables, error) {
+ return New(IPFamily(proto), Timeout(0))
+ }
+
++func NewFakeWithProtocol(proto Protocol) (*IPTables, error) {
++ return NewFake(IPFamily(proto), Timeout(0))
++}
++
+ // Proto returns the protocol used by this IPTables.
+ func (ipt *IPTables) Proto() Protocol {
+ return ipt.proto
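Review bot: NewFake and NewFakeWithProtocol carry no doc comment, and nothing states what a backend whose `path` is `/bin/false` means for callers — presumably every rule operation that execs the path fails with an exit-status error rather than silently succeeding, which matters because the companion 020 patch falls back to it without logging. Add `// NewFake returns an IPTables bound to /bin/false for hosts without iptables; rule operations fail with an exec error instead of touching netfilter.` above NewFake and a one-line equivalent above NewFakeWithProtocol. The blank line directly after the NewFake signature is also unusual Go formatting and can go.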
diff --git a/tailscale/patches/020-tailscaled_fake_iptables.patch b/tailscale/patches/020-tailscaled_fake_iptables.patch
new file mode 100644
index 000000000..a4d54bdc6
--- /dev/null
+++ b/tailscale/patches/020-tailscaled_fake_iptables.patch
@@ -0,0 +1,32 @@
+--- a/wgengine/router/router_linux.go
++++ b/wgengine/router/router_linux.go
+@@ -129,7 +129,7 @@ func newUserspaceRouter(logf logger.Logf
+
+ ipt4, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+ if err != nil {
+- return nil, err
++ ipt4, err = iptables.NewFakeWithProtocol(iptables.ProtocolIPv4)
+ }
+
+ v6err := checkIPv6(logf)
+@@ -148,7 +148,7 @@ func newUserspaceRouter(logf logger.Logf
+ // if unavailable. We want that to be a non-fatal error.
+ ipt6, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
+ if err != nil {
+- return nil, err
++ ipt6, err = iptables.NewFakeWithProtocol(iptables.ProtocolIPv6)
+ }
+ }
+
+@@ -1676,11 +1676,6 @@ func checkIPv6(logf logger.Logf) error {
+ return fmt.Errorf("kernel doesn't support IPv6 policy routing: %w", err)
+ }
+
+- // Some distros ship ip6tables separately from iptables.
+- if _, err := exec.LookPath("ip6tables"); err != nil {
+- return err
+- }
+-
+ return nil
+ }
+
diff --git a/tailscale/patches/030-default_to_netfilter_off.patch b/tailscale/patches/030-default_to_netfilter_off.patch
new file mode 100644
index 000000000..1edd00225
--- /dev/null
+++ b/tailscale/patches/030-default_to_netfilter_off.patch
@@ -0,0 +1,11 @@
+--- a/cmd/tailscale/cli/up.go
++++ b/cmd/tailscale/cli/up.go
+@@ -147,7 +147,7 @@ func defaultNetfilterMode() string {
+ if distro.Get() == distro.Synology {
+ return "off"
+ }
+- return "on"
++ return "off"
+ }
+
+ type upArgsT struct {
diff --git a/tailscale/test.sh b/tailscale/test.sh
old mode 100644
new mode 100755
index f50de6fc0..0130d4929
--- a/tailscale/test.sh
+++ b/tailscale/test.sh
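Review bot: The fallback in newUserspaceRouter replaces the real failure of `iptables.NewWithProtocol` with `NewFakeWithProtocol` and, because `err` is reassigned from that call, the original error is discarded and nothing is logged; if netfilter-mode is later turned on, every rule operation then fails against `/bin/false` with no hint that iptables was never found. Log it before falling back, e.g. `logf("iptables unavailable (%v); falling back to a no-op backend", err)` on the line before `ipt4, err = …`, and the same in the IPv6 branch in the second hunk. The third hunk removes the `exec.LookPath("ip6tables")` check; if that was the only use of `exec` in router_linux.go the import becomes unused and the build fails, which is worth confirming. newUserspaceRouter and checkIPv6 both continue outside these hunks.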
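Review bot: defaultNetfilterMode now returns "off" for every distro, which contradicts the README text added in this same commit telling nftables users to pass `--netfilter-mode off` themselves — with this patch that is already the default, and users who expected tailscaled to manage its own iptables rules get none unless they pass `--netfilter-mode on`. The README should state the new default instead, e.g. `This build defaults to --netfilter-mode off; pass --netfilter-mode on to let tailscale manage iptables rules.`, and the patch would benefit from a short header explaining the deviation from upstream so it is not dropped on the next rebase.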
@@ -1,8 +1,10 @@
#!/bin/sh
-if command -v tailscale; then
- tailscale version | grep "$2" || exit 1
-fi
-if command -v tailscaled; then
- tailscaled -version | grep "$2"
-fi
+case "$1" in
+ tailscale)
+ tailscale version | grep "$2"
+ ;;
+ tailscaled)
+ tailscaled -version | grep "$2"
+ ;;
+esac
diff --git a/transmission-web-control/Makefile b/transmission-web-control/Makefile
index 30c494062..ce54415a3 100644
--- a/transmission-web-control/Makefile
+++ b/transmission-web-control/Makefile
@@ -1,7 +1,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=transmission-web-control
-PKG_RELEASE:=2
+PKG_RELEASE:=3
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/ronggang/transmission-web-control
@@ -34,8 +34,8 @@ define Build/Compile
endef
define Package/transmission-web-control/install
- $(INSTALL_DIR) $(1)/usr/share/transmission/web
- $(CP) $(PKG_BUILD_DIR)/src/* $(1)/usr/share/transmission/web
+ $(INSTALL_DIR) $(1)/usr/share/transmission/public_html
+ $(CP) $(PKG_BUILD_DIR)/src/* $(1)/usr/share/transmission/public_html
endef
$(eval $(call BuildPackage,transmission-web-control))
diff --git a/uwsgi/Makefile b/uwsgi/Makefile
index 1e1a6cd83..58256b315 100644
--- a/uwsgi/Makefile
+++ b/uwsgi/Makefile
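Review bot: The new `case` in test.sh has no default branch, so an unrecognised or missing `$1` exits 0 having checked nothing, where the old script at least ran whichever binary was present. Add `*) exit 1 ;;` before `esac` so a mis-invocation fails loudly. Dropping the explicit `|| exit 1` is fine: each branch now ends with the grep pipeline, whose status becomes the script's.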
@@ -1,18 +1,27 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=uwsgi
-PKG_VERSION:=2.0.20
+PKG_VERSION:=2.0.21
PKG_RELEASE:=1
-PYPI_NAME:=uwsgi
-PKG_HASH:=88ab9867d8973d8ae84719cf233b7dafc54326fcaec89683c3f9f77c002cdff9
-PKG_BUILD_DEPENDS:=python3/host
-PYTHON3_PKG_BUILD:=0
+PYPI_NAME:=uWSGI
+PYPI_SOURCE_NAME:=uwsgi
+PKG_HASH:=35a30d83791329429bc04fe44183ce4ab512fcf6968070a7bfba42fc5a0552a9
PKG_LICENSE:=GPL-2.0-or-later
PKG_LICENSE_FILES:=LICENSE
PKG_MAINTAINER:=Ansuel Smith
+PKG_BUILD_DEPENDS:=python3/host
+PYTHON3_PKG_BUILD:=0
+
+PKG_CONFIG_DEPENDS:= \
+ CONFIG_PACKAGE_uwsgi-logfile-plugin \
+ CONFIG_PACKAGE_uwsgi-syslog-plugin \
+ CONFIG_PACKAGE_uwsgi-cgi-plugin \
+ CONFIG_PACKAGE_uwsgi-python3-plugin \
+ CONFIG_PACKAGE_uwsgi-luci-support
+
include $(TOPDIR)/feeds/packages/lang/python/pypi.mk
include $(INCLUDE_DIR)/package.mk
include $(TOPDIR)/feeds/packages/lang/python/python3-package.mk
@@ -26,7 +35,6 @@ define Package/uwsgi
TITLE:=The uWSGI server
URL:=https://uwsgi-docs.readthedocs.io/en/latest/
DEPENDS:=+libpcre +libcap +libuuid
- MENU:=1
endef
define Package/uwsgi-logfile-plugin
@@ -35,7 +43,6 @@ define Package/uwsgi-logfile-plugin
SUBMENU:=Web Servers/Proxies
TITLE:=The Logfile plugin for the uWSGI server
DEPENDS:=uwsgi
- MDEPENDS:=uwsgi
endef
define Package/uwsgi-syslog-plugin
@@ -44,7 +51,6 @@ define Package/uwsgi-syslog-plugin
SUBMENU:=Web Servers/Proxies
TITLE:=The Syslog plugin for the uWSGI server
DEPENDS:=uwsgi
- MDEPENDS:=uwsgi
endef
define Package/uwsgi-cgi-plugin
@@ -53,7 +59,6 @@ define Package/uwsgi-cgi-plugin
SUBMENU:=Web Servers/Proxies
TITLE:=The CGI plugin for the uWSGI server
DEPENDS:=uwsgi
- MDEPENDS:=uwsgi
endef
define Package/uwsgi-python3-plugin
@@ -62,7 +67,6 @@ define Package/uwsgi-python3-plugin
SUBMENU:=Web Servers/Proxies
TITLE:=The Python3 plugin for the uWSGI server
DEPENDS:=uwsgi +python3-light
- MDEPENDS:=uwsgi
endef
define Package/uwsgi-luci-support
@@ -71,7 +75,6 @@ define Package/uwsgi-luci-support
SUBMENU:=Web Servers/Proxies
TITLE:=Support files for LuCI on Nginx
DEPENDS:=uwsgi +uwsgi-syslog-plugin +uwsgi-cgi-plugin
- MDEPENDS:=uwsgi
endef
define Package/uwsgi/description
@@ -98,23 +101,35 @@ define Package/uwsgi-luci-support/description
Support files for LuCI on Nginx
endef
-MAKE_VARS+=\
+MAKE_VARS+= \
CPP=$(TARGET_CROSS)cpp \
- PYTHON=$(STAGING_DIR_HOSTPKG)/bin/python3 \
LINUX_UNAME_VERSION=$(LINUX_UNAME_VERSION)
+MAKE_FLAGS+= PROFILE=openwrt
+
define Build/Compile
- $(call Build/Compile/Default,PROFILE=openwrt)
- $(call Build/Compile/Default,plugin.logfile PROFILE=openwrt)
- $(call Build/Compile/Default,plugin.syslog PROFILE=openwrt)
- $(call Build/Compile/Default,plugin.cgi PROFILE=openwrt)
+ $(call Build/Compile/Default)
+
+ ifneq ($(CONFIG_PACKAGE_uwsgi-logfile-plugin),)
+ $(call Build/Compile/Default,plugin.logfile)
+ endif
+
+ ifneq ($(CONFIG_PACKAGE_uwsgi-syslog-plugin),)
+ $(call Build/Compile/Default,plugin.syslog)
+ endif
+
+ ifneq ($(CONFIG_PACKAGE_uwsgi-cgi-plugin),)
+ $(call Build/Compile/Default,plugin.cgi)
+ endif
+
+ ifneq ($(CONFIG_PACKAGE_uwsgi-python3-plugin),)
$(call Python3/Run, \
$(PKG_BUILD_DIR), \
uwsgiconfig.py --plugin plugins/python openwrt, \
- CPP="$(TARGET_CROSS)cpp" \
- LINUX_UNAME_VERSION=$(LINUX_UNAME_VERSION) \
+ $(MAKE_VARS) \
CFLAGS="$(TARGET_CPPFLAGS) -I$(PYTHON3_INC_DIR) $(TARGET_CFLAGS)" \
)
+ endif
endef
define Package/uwsgi/install
diff --git a/uwsgi/files-luci-support/luci-cgi_io.ini b/uwsgi/files-luci-support/luci-cgi_io.ini
index 98e54f2bc..8b3cdcf29 100644
--- a/uwsgi/files-luci-support/luci-cgi_io.ini
+++ b/uwsgi/files-luci-support/luci-cgi_io.ini
@@ -8,7 +8,7 @@ end-if =
plugin = cgi
cgi-mode = true
cgi = /www/
-chdir = /usr/lib/lua/luci/
+chdir = /usr/lib/ucode/luci/
buffer-size = 10000
reload-mercy = 8
max-requests = 2000
diff --git a/uwsgi/files-luci-support/luci-webui.ini b/uwsgi/files-luci-support/luci-webui.ini
index eb984b312..6c1e7a625 100644
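Review bot: The `ifneq`/`endif` lines added inside define Build/Compile only act as make conditionals if they are not tab-indented; leading whitespace is lost in this view, but if they begin with a tab like the `$(call …)` lines around them, make treats them as recipe text once the define is expanded into the compile rule and the shell fails on `ifneq`. Indent the four conditionals with spaces (or not at all), e.g. `  ifneq ($(CONFIG_PACKAGE_uwsgi-logfile-plugin),)` … `  endif`, keeping only the `$(call …)` lines on tabs. The PKG_CONFIG_DEPENDS entries added earlier in this file are what make this conditional build safe, since toggling a plugin symbol then triggers a rebuild.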
--- a/uwsgi/files-luci-support/luci-webui.ini
+++ b/uwsgi/files-luci-support/luci-webui.ini
@@ -8,7 +8,7 @@ end-if =
plugin = cgi
cgi-mode = true
cgi = /www/
-chdir = /usr/lib/lua/luci/
+chdir = /usr/lib/ucode/luci/
buffer-size = 10000
reload-mercy = 8
max-requests = 2000
diff --git a/uwsgi/patches/003-hard-code-Linux-as-compilation-os.patch b/uwsgi/patches/003-hard-code-Linux-as-compilation-os.patch
index 81c11164b..8adc220dd 100644
--- a/uwsgi/patches/003-hard-code-Linux-as-compilation-os.patch
+++ b/uwsgi/patches/003-hard-code-Linux-as-compilation-os.patch
@@ -1,6 +1,6 @@
--- a/uwsgiconfig.py
+++ b/uwsgiconfig.py
-@@ -5,9 +5,9 @@ uwsgi_version = '2.0.20'
+@@ -5,9 +5,9 @@ uwsgi_version = '2.0.21'
import os
import re
import time
diff --git a/wireless-regdb/Makefile b/wireless-regdb/Makefile
new file mode 100644
index 000000000..dfff35ff4
--- /dev/null
+++ b/wireless-regdb/Makefile
@@ -0,0 +1,32 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=wireless-regdb
+PKG_VERSION:=2023.09.01
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=@KERNEL/software/network/wireless-regdb/
+PKG_HASH:=26d4c2a727cc59239b84735aad856b7c7d0b04e30aa5c235c4f7f47f5f053491
+
+PKG_MAINTAINER:=Felix Fietkau
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/wireless-regdb
+ PKGARCH:=all
+ SECTION:=firmware
+ CATEGORY:=Firmware
+ URL:=https://git.kernel.org/pub/scm/linux/kernel/git/sforshee/wireless-regdb.git/
+ TITLE:=Wireless Regulatory Database
+endef
+
+define Build/Compile
+ $(STAGING_DIR_HOST)/bin/$(PYTHON) $(PKG_BUILD_DIR)/db2fw.py $(PKG_BUILD_DIR)/regulatory.db $(PKG_BUILD_DIR)/db.txt
+endef
+
+define Package/wireless-regdb/install
+ $(INSTALL_DIR) $(1)/lib/firmware
+ $(CP) $(PKG_BUILD_DIR)/regulatory.db $(1)/lib/firmware/
+endef
+
+$(eval $(call BuildPackage,wireless-regdb))
diff --git a/wireless-regdb/patches/500-world-regd-5GHz.patch b/wireless-regdb/patches/500-world-regd-5GHz.patch
new file mode 100644
index 000000000..3f6d4c7e8
--- /dev/null
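Review bot: Build/Compile regenerates regulatory.db from the patched db.txt with db2fw.py, and Package/wireless-regdb/install ships only that unsigned `regulatory.db`, so the upstream detached signature no longer applies and the file only loads on kernels built without CFG80211_REQUIRE_SIGNED_REGDB. That assumption is not recorded anywhere; a comment above the install recipe such as `# regulatory.db is rebuilt from the patched db.txt and unsigned; the kernel must not require a signed regdb` would save the next person a debugging session. The install recipe also uses $(CP) rather than $(INSTALL_DATA), so the installed mode presumably follows the build tree instead of being fixed — worth confirming against the other firmware packages in this feed.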
+++ b/wireless-regdb/patches/500-world-regd-5GHz.patch
@@ -0,0 +1,16 @@
+Remove the NO-IR flag from channels 36-48 on the World domain,
+to make it usable for AP mode.
+
+Signed-off-by: Felix Fietkau
+---
+--- a/db.txt
++++ b/db.txt
+@@ -19,7 +19,7 @@ country 00:
+ # Channel 14. Only JP enables this and for 802.11b only
+ (2474 - 2494 @ 20), (20), NO-IR, NO-OFDM
+ # Channel 36 - 48
+- (5170 - 5250 @ 80), (20), NO-IR, AUTO-BW
++ (5170 - 5250 @ 80), (20), AUTO-BW
+ # Channel 52 - 64
+ (5250 - 5330 @ 80), (20), NO-IR, DFS, AUTO-BW
+ # Channel 100 - 144
diff --git a/wireless-regdb/patches/600-custom-change-txpower-and-dfs.patch b/wireless-regdb/patches/600-custom-change-txpower-and-dfs.patch
new file mode 100644
index 000000000..46590f4d2
--- /dev/null
+++ b/wireless-regdb/patches/600-custom-change-txpower-and-dfs.patch
@@ -0,0 +1,30 @@
+--- a/db.txt
++++ b/db.txt
+@@ -353,8 +353,8 @@ country CL: DFS-JP
+ # https://wap.miit.gov.cn/cms_files/filemanager/1226211233/attach/20219/d125301b13454551b698ff5afa49ca28.pdf
+ # Note: The transmit power for 5150-5350MHz bands can be raised by 3dBm when TPC is implemented
+ country CN: DFS-FCC
+- (2400 - 2483.5 @ 40), (20)
+- (5150 - 5350 @ 80), (20), DFS, AUTO-BW
++ (2400 - 2483.5 @ 40), (30)
++ (5150 - 5350 @ 160), (30)
+ (5725 - 5850 @ 80), (33)
+ # 60 GHz band channels 1,4: 28dBm, channels 2,3: 44dBm
+ # ref: http://www.miit.gov.cn/n11293472/n11505629/n11506593/n11960250/n11960606/n11960700/n12330791.files/n12330790.pdf
+@@ -1626,14 +1626,12 @@ country US: DFS-FCC
+ (920-928 @ 8), (30)
+ (2400 - 2472 @ 40), (30)
+ # 5.15 ~ 5.25 GHz: 30 dBm for master mode, 23 dBm for clients
+- (5150 - 5250 @ 80), (23), AUTO-BW
+- (5250 - 5350 @ 80), (24), DFS, AUTO-BW
++ (5150 - 5350 @ 160), (30)
+ # This range ends at 5725 MHz, but channel 144 extends to 5730 MHz.
+ # Since 5725 ~ 5730 MHz belongs to the next range which has looser
+ # requirements, we can extend the range by 5 MHz to make the kernel
+ # happy and be able to use channel 144.
+- (5470 - 5730 @ 160), (24), DFS
+- (5730 - 5850 @ 80), (30), AUTO-BW
++ (5470 - 5850 @ 160), (30)
+ # https://www.federalregister.gov/documents/2021/05/03/2021-08802/use-of-the-5850-5925-ghz-band
+ # max. 33 dBm AP @ 20MHz, 36 dBm AP @ 40Mhz+, 6 dB less for clients
+ (5850 - 5895 @ 40), (27), NO-OUTDOOR, AUTO-BW, NO-IR
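Review bot: The retained comment lines in 600-custom-change-txpower-and-dfs.patch now contradict the values they describe: `# 5.15 ~ 5.25 GHz: 30 dBm for master mode, 23 dBm for clients` precedes a single `(5150 - 5350 @ 160), (30)` entry, and the CN note about a 3 dBm allowance when TPC is implemented precedes entries already raised to 30 dBm. The change also drops the DFS flag from the 5250-5350 and 5470-5730 ranges for CN and US, which disables radar detection on channels where the upstream database requires it, and unlike 500-world-regd-5GHz.patch this file has no header saying why. Add a short description at the top of the patch stating the deviation from upstream and its rationale, and update or remove the stale comments in the same hunks.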