From fc30e01f5e548c933349cea51784650763da83a3 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Fri, 24 Feb 2023 21:16:12 +0800 Subject: [PATCH] update 2023-02-24 21:16:12 --- libnftnl/Makefile | 76 ++++ ...ftnl-add-fullcone-expression-support.patch | 264 ++++++++++++ mbedtls/Config.in | 203 +++++++++ mbedtls/Makefile | 108 +++-- .../100-x509-crt-verify-SAN-iPAddress.patch | 181 ++++++++ ...and-GCM-with-ARMv8-Crypto-Extensions.patch | 390 ++++++++++++++++++ mbedtls/patches/200-config.patch | 228 ---------- mhz/Makefile | 28 ++ nftables/Makefile | 86 ++++ ...bles-add-fullcone-expression-support.patch | 209 ++++++++++ v2ray-geodata/Makefile | 4 +- 11 files changed, 1509 insertions(+), 268 deletions(-) create mode 100644 libnftnl/Makefile create mode 100644 libnftnl/patches/001-libnftnl-add-fullcone-expression-support.patch create mode 100644 mbedtls/Config.in create mode 100644 mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch create mode 100644 mbedtls/patches/200-Implements-AES-and-GCM-with-ARMv8-Crypto-Extensions.patch delete mode 100644 mbedtls/patches/200-config.patch create mode 100644 mhz/Makefile create mode 100644 nftables/Makefile create mode 100644 nftables/patches/002-nftables-add-fullcone-expression-support.patch diff --git a/libnftnl/Makefile b/libnftnl/Makefile new file mode 100644 index 000000000..596a55b16 --- /dev/null +++ b/libnftnl/Makefile 
@@ -0,0 +1,76 @@
+#
+# Copyright (C) 2014 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=libnftnl
+PKG_CPE_ID:=cpe:/a:netfilter:libnftnl
+PKG_VERSION:=1.2.4
+PKG_RELEASE:=$(AUTORELEASE)
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=https://netfilter.org/projects/$(PKG_NAME)/files
+PKG_HASH:=c0fe233be4cdfd703e7d5977ef8eb63fcbf1d0052b6044e1b23d47ca3562477f
+
+PKG_MAINTAINER:=Steven Barth
+PKG_LICENSE:=GPL-2.0-or-later
+PKG_LICENSE_FILES:=COPYING
+
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+DISABLE_NLS:=
+
+define Package/libnftnl
+ SECTION:=libs
+ CATEGORY:=Libraries
+ DEPENDS:=+libmnl
+ TITLE:=Low-level netlink library for the nf_tables subsystem
+ URL:=http://www.netfilter.org/projects/libnftnl
+ ABI_VERSION:=11
+endef
+
+define Package/libnftnl/description
+ libnftnl is a userspace library providing a low-level netlink
+ programming interface (API) to the in-kernel nf_tables subsystem.
+endef
+
+TARGET_CFLAGS += $(FPIC) -flto
+TARGET_LDFLAGS += -flto
+
+CONFIGURE_ARGS += \
+ --enable-static \
+ --enable-shared
+
+define Build/InstallDev
+ $(INSTALL_DIR) $(1)/usr/include/libnftnl
+ $(CP) \
+ $(PKG_INSTALL_DIR)/usr/include/libnftnl/*.h \
+ $(1)/usr/include/libnftnl/
+
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) \
+ $(PKG_INSTALL_DIR)/usr/lib/libnftnl.{so*,a,la} \
+ $(1)/usr/lib/
+
+ $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+ $(CP) \
+ $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libnftnl.pc \
+ $(1)/usr/lib/pkgconfig/
+endef
+
+define Package/libnftnl/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) \
+ $(PKG_INSTALL_DIR)/usr/lib/libnftnl.so.* \
+ $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,libnftnl))
diff --git a/libnftnl/patches/001-libnftnl-add-fullcone-expression-support.patch b/libnftnl/patches/001-libnftnl-add-fullcone-expression-support.patch new file mode 100644 index 000000000..7d2dbb67c --- /dev/null +++ b/libnftnl/patches/001-libnftnl-add-fullcone-expression-support.patch 
@@ -0,0 +1,264 @@ +From 6c39f04febd7cfdbd474233379416babcd0fc341 Mon Sep 17 00:00:00 2001 +From: Syrone Wong +Date: Fri, 8 Apr 2022 23:52:11 +0800 +Subject: [PATCH] libnftnl: add fullcone expression support + +Signed-off-by: Syrone Wong +--- + include/libnftnl/expr.h | 6 + + include/linux/netfilter/nf_tables.h | 16 +++ + src/Makefile.am | 1 + + src/expr/fullcone.c | 167 ++++++++++++++++++++++++++++ + src/expr_ops.c | 2 + + 5 files changed, 192 insertions(+) + create mode 100644 src/expr/fullcone.c + +diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h +index 00c63ab..7dcf403 100644 +--- a/include/libnftnl/expr.h ++++ b/include/libnftnl/expr.h +@@ -244,6 +244,12 @@ enum { + NFTNL_EXPR_MASQ_REG_PROTO_MAX, + }; + ++enum { ++ NFTNL_EXPR_FULLCONE_FLAGS = NFTNL_EXPR_BASE, ++ NFTNL_EXPR_FULLCONE_REG_PROTO_MIN, ++ NFTNL_EXPR_FULLCONE_REG_PROTO_MAX, ++}; ++ + enum { + NFTNL_EXPR_REDIR_REG_PROTO_MIN = NFTNL_EXPR_BASE, + NFTNL_EXPR_REDIR_REG_PROTO_MAX, +diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h +index 0ae9120..8b8ae38 100644 +--- a/include/linux/netfilter/nf_tables.h ++++ b/include/linux/netfilter/nf_tables.h +@@ -1433,6 +1433,22 @@ enum nft_masq_attributes { + }; + #define NFTA_MASQ_MAX (__NFTA_MASQ_MAX - 1) + ++/** ++ * enum nft_fullcone_attributes - nf_tables fullcone expression attributes ++ * ++ * @NFTA_FULLCONE_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32) ++ * @NFTA_FULLCONE_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers) ++ * @NFTA_FULLCONE_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers) ++ */ ++enum nft_fullcone_attributes { ++ NFTA_FULLCONE_UNSPEC, ++ NFTA_FULLCONE_FLAGS, ++ NFTA_FULLCONE_REG_PROTO_MIN, ++ NFTA_FULLCONE_REG_PROTO_MAX, ++ __NFTA_FULLCONE_MAX ++}; ++#define NFTA_FULLCONE_MAX (__NFTA_FULLCONE_MAX - 1) ++ + /** + * enum nft_redir_attributes - nf_tables redirect expression netlink attributes + * +diff --git 
a/src/Makefile.am b/src/Makefile.am +index c3b0ab9..2718218 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -54,6 +54,7 @@ libnftnl_la_SOURCES = utils.c \ + expr/target.c \ + expr/tunnel.c \ + expr/masq.c \ ++ expr/fullcone.c \ + expr/redir.c \ + expr/hash.c \ + expr/socket.c \ +diff --git a/src/expr/fullcone.c b/src/expr/fullcone.c +new file mode 100644 +index 0000000..aaedd83 +--- /dev/null ++++ b/src/expr/fullcone.c +@@ -0,0 +1,167 @@ ++/* ++ * (C) 2022 wongsyrone ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published ++ * by the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include "internal.h" ++#include ++#include ++#include ++ ++struct nftnl_expr_fullcone { ++ uint32_t flags; ++ enum nft_registers sreg_proto_min; ++ enum nft_registers sreg_proto_max; ++}; ++ ++static int ++nftnl_expr_fullcone_set(struct nftnl_expr *e, uint16_t type, ++ const void *data, uint32_t data_len) ++{ ++ struct nftnl_expr_fullcone *fullcone = nftnl_expr_data(e); ++ ++ switch (type) { ++ case NFTNL_EXPR_FULLCONE_FLAGS: ++ memcpy(&fullcone->flags, data, sizeof(fullcone->flags)); ++ break; ++ case NFTNL_EXPR_FULLCONE_REG_PROTO_MIN: ++ memcpy(&fullcone->sreg_proto_min, data, sizeof(fullcone->sreg_proto_min)); ++ break; ++ case NFTNL_EXPR_FULLCONE_REG_PROTO_MAX: ++ memcpy(&fullcone->sreg_proto_max, data, sizeof(fullcone->sreg_proto_max)); ++ break; ++ default: ++ return -1; ++ } ++ return 0; ++} ++ ++static const void * ++nftnl_expr_fullcone_get(const struct nftnl_expr *e, uint16_t type, ++ uint32_t *data_len) ++{ ++ struct nftnl_expr_fullcone *fullcone = nftnl_expr_data(e); ++ ++ switch (type) { ++ case NFTNL_EXPR_FULLCONE_FLAGS: ++ *data_len = sizeof(fullcone->flags); ++ return &fullcone->flags; ++ case NFTNL_EXPR_FULLCONE_REG_PROTO_MIN: ++ 
*data_len = sizeof(fullcone->sreg_proto_min); ++ return &fullcone->sreg_proto_min; ++ case NFTNL_EXPR_FULLCONE_REG_PROTO_MAX: ++ *data_len = sizeof(fullcone->sreg_proto_max); ++ return &fullcone->sreg_proto_max; ++ } ++ return NULL; ++} ++ ++static int nftnl_expr_fullcone_cb(const struct nlattr *attr, void *data) ++{ ++ const struct nlattr **tb = data; ++ int type = mnl_attr_get_type(attr); ++ ++ if (mnl_attr_type_valid(attr, NFTA_FULLCONE_MAX) < 0) ++ return MNL_CB_OK; ++ ++ switch (type) { ++ case NFTA_FULLCONE_REG_PROTO_MIN: ++ case NFTA_FULLCONE_REG_PROTO_MAX: ++ case NFTA_FULLCONE_FLAGS: ++ if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) ++ abi_breakage(); ++ break; ++ } ++ ++ tb[type] = attr; ++ return MNL_CB_OK; ++} ++ ++static void ++nftnl_expr_fullcone_build(struct nlmsghdr *nlh, const struct nftnl_expr *e) ++{ ++ struct nftnl_expr_fullcone *fullcone = nftnl_expr_data(e); ++ ++ if (e->flags & (1 << NFTNL_EXPR_FULLCONE_FLAGS)) ++ mnl_attr_put_u32(nlh, NFTA_FULLCONE_FLAGS, htobe32(fullcone->flags)); ++ if (e->flags & (1 << NFTNL_EXPR_FULLCONE_REG_PROTO_MIN)) ++ mnl_attr_put_u32(nlh, NFTA_FULLCONE_REG_PROTO_MIN, ++ htobe32(fullcone->sreg_proto_min)); ++ if (e->flags & (1 << NFTNL_EXPR_FULLCONE_REG_PROTO_MAX)) ++ mnl_attr_put_u32(nlh, NFTA_FULLCONE_REG_PROTO_MAX, ++ htobe32(fullcone->sreg_proto_max)); ++} ++ ++static int ++nftnl_expr_fullcone_parse(struct nftnl_expr *e, struct nlattr *attr) ++{ ++ struct nftnl_expr_fullcone *fullcone = nftnl_expr_data(e); ++ struct nlattr *tb[NFTA_FULLCONE_MAX+1] = {}; ++ ++ if (mnl_attr_parse_nested(attr, nftnl_expr_fullcone_cb, tb) < 0) ++ return -1; ++ ++ if (tb[NFTA_FULLCONE_FLAGS]) { ++ fullcone->flags = be32toh(mnl_attr_get_u32(tb[NFTA_FULLCONE_FLAGS])); ++ e->flags |= (1 << NFTNL_EXPR_FULLCONE_FLAGS); ++ } ++ if (tb[NFTA_FULLCONE_REG_PROTO_MIN]) { ++ fullcone->sreg_proto_min = ++ be32toh(mnl_attr_get_u32(tb[NFTA_FULLCONE_REG_PROTO_MIN])); ++ e->flags |= (1 << NFTNL_EXPR_FULLCONE_REG_PROTO_MIN); ++ } ++ if 
(tb[NFTA_FULLCONE_REG_PROTO_MAX]) { ++ fullcone->sreg_proto_max = ++ be32toh(mnl_attr_get_u32(tb[NFTA_FULLCONE_REG_PROTO_MAX])); ++ e->flags |= (1 << NFTNL_EXPR_FULLCONE_REG_PROTO_MAX); ++ } ++ ++ return 0; ++} ++ ++static int nftnl_expr_fullcone_snprintf(char *buf, size_t remain, ++ uint32_t flags, const struct nftnl_expr *e) ++{ ++ struct nftnl_expr_fullcone *fullcone = nftnl_expr_data(e); ++ int offset = 0, ret = 0; ++ ++ if (e->flags & (1 << NFTNL_EXPR_FULLCONE_REG_PROTO_MIN)) { ++ ret = snprintf(buf + offset, remain, "proto_min reg %u ", ++ fullcone->sreg_proto_min); ++ SNPRINTF_BUFFER_SIZE(ret, remain, offset); ++ } ++ if (e->flags & (1 << NFTNL_EXPR_FULLCONE_REG_PROTO_MAX)) { ++ ret = snprintf(buf + offset, remain, "proto_max reg %u ", ++ fullcone->sreg_proto_max); ++ SNPRINTF_BUFFER_SIZE(ret, remain, offset); ++ } ++ if (e->flags & (1 << NFTNL_EXPR_FULLCONE_FLAGS)) { ++ ret = snprintf(buf + offset, remain, "flags 0x%x ", fullcone->flags); ++ SNPRINTF_BUFFER_SIZE(ret, remain, offset); ++ } ++ ++ return offset; ++} ++ ++struct expr_ops expr_ops_fullcone = { ++ .name = "fullcone", ++ .alloc_len = sizeof(struct nftnl_expr_fullcone), ++ .max_attr = NFTA_FULLCONE_MAX, ++ .set = nftnl_expr_fullcone_set, ++ .get = nftnl_expr_fullcone_get, ++ .parse = nftnl_expr_fullcone_parse, ++ .build = nftnl_expr_fullcone_build, ++ .output = nftnl_expr_fullcone_snprintf, ++}; +diff --git a/src/expr_ops.c b/src/expr_ops.c +index 7248e4f..9dee9f8 100644 +--- a/src/expr_ops.c ++++ b/src/expr_ops.c +@@ -19,6 +19,7 @@ extern struct expr_ops expr_ops_limit; + extern struct expr_ops expr_ops_log; + extern struct expr_ops expr_ops_lookup; + extern struct expr_ops expr_ops_masq; ++extern struct expr_ops expr_ops_fullcone; + extern struct expr_ops expr_ops_match; + extern struct expr_ops expr_ops_meta; + extern struct expr_ops expr_ops_ng; +@@ -63,6 +64,7 @@ static struct expr_ops *expr_ops[] = { + &expr_ops_log, + &expr_ops_lookup, + &expr_ops_masq, ++ &expr_ops_fullcone, + 
&expr_ops_match, + &expr_ops_meta, + &expr_ops_ng, diff --git a/mbedtls/Config.in b/mbedtls/Config.in new file mode 100644 index 000000000..92d7180f5 --- /dev/null +++ b/mbedtls/Config.in 
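Review bot: `nftnl_expr_fullcone_set` copies `sizeof(fullcone->flags)` (and likewise the two register fields) out of `data` without ever looking at `data_len`, so a caller handing in a shorter buffer is read past its end; a guard such as `if (data_len < sizeof(fullcone->flags)) return -1;` before each `memcpy` closes that, unless the generic `nftnl_expr_set()` already enforces lengths, which cannot be confirmed from this patch. The masq expression this is modelled on has the same shape, so it is consistent with the library, but new code is the place to do better. Separately, `NFTA_FULLCONE_*` and the expression name `"fullcone"` are defined only in the bundled uapi header copy rather than coming from an upstream kernel, so they must stay in lockstep with the out-of-tree kernel module, and a type mismatch on any of them makes `nftnl_expr_fullcone_cb` hit `abi_breakage()` and abort the calling process; a comment above `enum nft_fullcone_attributes` naming the kernel module and version these values were taken from would make that coupling visible.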
@@ -0,0 +1,203 @@ +if PACKAGE_libmbedtls + +comment "Option details in source code: include/mbedtls/mbedtls_config.h" + +comment "Ciphers - unselect old or less-used ciphers to reduce binary size" + +config MBEDTLS_AES_C + bool "MBEDTLS_AES_C" + default y + +config MBEDTLS_CAMELLIA_C + bool "MBEDTLS_CAMELLIA_C" + default n + +config MBEDTLS_CCM_C + bool "MBEDTLS_CCM_C" + default n + +config MBEDTLS_CMAC_C + bool "MBEDTLS_CMAC_C (old but used by hostapd)" + default y + +config MBEDTLS_DES_C + bool "MBEDTLS_DES_C (old but used by hostapd)" + default y + +config MBEDTLS_GCM_C + bool "MBEDTLS_GCM_C" + default y + +config MBEDTLS_NIST_KW_C + bool "MBEDTLS_NIST_KW_C (old but used by hostapd)" + default y + +config MBEDTLS_RIPEMD160_C + bool "MBEDTLS_RIPEMD160_C" + default n + +config MBEDTLS_XTEA_C + bool "MBEDTLS_XTEA_C" + default n + +config MBEDTLS_RSA_NO_CRT + bool "MBEDTLS_RSA_NO_CRT" + default y + +config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_PSK_ENABLED" + default y + +config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED" + default n + +config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED" + default y + +config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED" + default n + +config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED" + default n + +config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED" + default n + +config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED" + default y + +config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED" + default y + +config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED" + default n + +config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + bool "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED" + default n + +comment "Curves - unselect 
old or less-used curves to reduce binary size" + +config MBEDTLS_ECP_DP_SECP192R1_ENABLED + bool "MBEDTLS_ECP_DP_SECP192R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_SECP224R1_ENABLED + bool "MBEDTLS_ECP_DP_SECP224R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_SECP256R1_ENABLED + bool "MBEDTLS_ECP_DP_SECP256R1_ENABLED" + default y + +config MBEDTLS_ECP_DP_SECP384R1_ENABLED + bool "MBEDTLS_ECP_DP_SECP384R1_ENABLED" + default y + +config MBEDTLS_ECP_DP_SECP521R1_ENABLED + bool "MBEDTLS_ECP_DP_SECP521R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_SECP192K1_ENABLED + bool "MBEDTLS_ECP_DP_SECP192K1_ENABLED" + default n + +config MBEDTLS_ECP_DP_SECP224K1_ENABLED + bool "MBEDTLS_ECP_DP_SECP224K1_ENABLED" + default n + +config MBEDTLS_ECP_DP_SECP256K1_ENABLED + bool "MBEDTLS_ECP_DP_SECP256K1_ENABLED" + default y + +config MBEDTLS_ECP_DP_BP256R1_ENABLED + bool "MBEDTLS_ECP_DP_BP256R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_BP384R1_ENABLED + bool "MBEDTLS_ECP_DP_BP384R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_BP512R1_ENABLED + bool "MBEDTLS_ECP_DP_BP512R1_ENABLED" + default n + +config MBEDTLS_ECP_DP_CURVE25519_ENABLED + bool "MBEDTLS_ECP_DP_CURVE25519_ENABLED" + default y + +config MBEDTLS_ECP_DP_CURVE448_ENABLED + bool "MBEDTLS_ECP_DP_CURVE448_ENABLED" + default n + +comment "Build Options - unselect features to reduce binary size" + +config MBEDTLS_ARMV8CE_AES_C + bool "MBEDTLS_ARMV8CE_AES_C" + default y + depends on aarch64 && !TARGET_bcm27xx + +config MBEDTLS_CERTS_C + bool "MBEDTLS_CERTS_C" + default n + +config MBEDTLS_CIPHER_MODE_OFB + bool "MBEDTLS_CIPHER_MODE_OFB" + default n + +config MBEDTLS_CIPHER_MODE_XTS + bool "MBEDTLS_CIPHER_MODE_XTS" + default n + +config MBEDTLS_DEBUG_C + bool "MBEDTLS_DEBUG_C" + default n + +config MBEDTLS_HAVE_SSE2 + bool "MBEDTLS_HAVE_SSE2" + default y + depends on TARGET_x86_generic || TARGET_x86_64 + +config MBEDTLS_HKDF_C + bool "MBEDTLS_HKDF_C" + default n + +config MBEDTLS_PLATFORM_C + bool "MBEDTLS_PLATFORM_C" + 
default n + +config MBEDTLS_SELF_TEST + bool "MBEDTLS_SELF_TEST" + default n + +config MBEDTLS_SSL_TRUNCATED_HMAC + bool "MBEDTLS_SSL_TRUNCATED_HMAC" + default n + +config MBEDTLS_VERSION_C + bool "MBEDTLS_VERSION_C" + default n + +config MBEDTLS_VERSION_FEATURES + bool "MBEDTLS_VERSION_FEATURES" + default n + +comment "Build Options" + +config MBEDTLS_ENTROPY_FORCE_SHA256 + bool "MBEDTLS_ENTROPY_FORCE_SHA256" + default y + +config MBEDTLS_SSL_RENEGOTIATION + bool "MBEDTLS_SSL_RENEGOTIATION" + default n + +endif diff --git a/mbedtls/Makefile b/mbedtls/Makefile index cfaa71c81..6fae08d27 100644 --- a/mbedtls/Makefile +++ b/mbedtls/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=mbedtls PKG_VERSION:=2.28.2 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz 
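Review bot: The header comment points at `include/mbedtls/mbedtls_config.h`, but the package is mbedtls 2.28.2 and the Makefile's `Build/Prepare` in this same commit runs `config.py` against `include/mbedtls/config.h`; the 3.x filename will send people to a file that does not exist in this tree, so it should read `comment "Option details in source code: include/mbedtls/config.h"`. `MBEDTLS_ARMV8CE_AES_C` also defaults to `y` on every aarch64 target except bcm27xx with no help text, while the backing 200- patch states it does no runtime detection of the crypto extension, so a core without it will take an illegal-instruction fault in every AES/GCM call; a `help` block saying "requires a CPU with the ARMv8 Cryptography Extensions; there is no runtime check, the library will crash on cores without them" is the minimum a user needs before flipping it.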
@@ -20,9 +20,62 @@ PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE_FILES:=gpl-2.0.txt PKG_CPE_ID:=cpe:/a:arm:mbed_tls -PKG_CONFIG_DEPENDS := \ - CONFIG_LIBMBEDTLS_DEBUG_C \ - CONFIG_LIBMBEDTLS_HKDF_C +MBEDTLS_BUILD_OPTS_CURVES= \ + CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED \ + CONFIG_MBEDTLS_ECP_DP_CURVE448_ENABLED + +MBEDTLS_BUILD_OPTS_CIPHERS= \ + CONFIG_MBEDTLS_AES_C \ + CONFIG_MBEDTLS_CAMELLIA_C \ + CONFIG_MBEDTLS_CCM_C \ + CONFIG_MBEDTLS_CMAC_C \ + CONFIG_MBEDTLS_DES_C \ + CONFIG_MBEDTLS_GCM_C \ + CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED \ + CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \ + CONFIG_MBEDTLS_NIST_KW_C \ + CONFIG_MBEDTLS_RIPEMD160_C \ + CONFIG_MBEDTLS_RSA_NO_CRT \ + CONFIG_MBEDTLS_XTEA_C + +MBEDTLS_BUILD_OPTS= \ + $(MBEDTLS_BUILD_OPTS_CURVES) \ + $(MBEDTLS_BUILD_OPTS_CIPHERS) \ + CONFIG_MBEDTLS_ARMV8CE_AES_C \ + CONFIG_MBEDTLS_CERTS_C \ + CONFIG_MBEDTLS_CIPHER_MODE_OFB \ + CONFIG_MBEDTLS_CIPHER_MODE_XTS \ + CONFIG_MBEDTLS_DEBUG_C \ + CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256 \ + CONFIG_MBEDTLS_HAVE_SSE2 \ + CONFIG_MBEDTLS_HKDF_C \ + CONFIG_MBEDTLS_PLATFORM_C \ + CONFIG_MBEDTLS_SELF_TEST \ + 
CONFIG_MBEDTLS_SSL_RENEGOTIATION \ + CONFIG_MBEDTLS_SSL_TRUNCATED_HMAC \ + CONFIG_MBEDTLS_VERSION_C \ + CONFIG_MBEDTLS_VERSION_FEATURES + +PKG_CONFIG_DEPENDS := $(MBEDTLS_BUILD_OPTS) include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/cmake.mk @@ -44,28 +97,11 @@ $(call Package/mbedtls/Default) SUBMENU:=SSL TITLE+= (library) ABI_VERSION:=12 + MENU:=1 endef define Package/libmbedtls/config -config LIBMBEDTLS_DEBUG_C - depends on PACKAGE_libmbedtls - bool "Enable debug functions" - default n - help - This option enables mbedtls library's debug functions. - - It increases the uncompressed libmbedtls binary size - by around 60 KiB (for an ARMv5 platform). - - Usually, you don't need this, so don't select this if you're unsure. - -config LIBMBEDTLS_HKDF_C - depends on PACKAGE_libmbedtls - bool "Enable the HKDF algorithm (RFC 5869)" - default n - help - This option adds support for the Hashed Message Authentication Code - (HMAC)-based key derivation function (HKDF). + source "$(SOURCE)/Config.in" endef define Package/mbedtls-util 
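Review bot: The old `CONFIG_LIBMBEDTLS_DEBUG_C` and `CONFIG_LIBMBEDTLS_HKDF_C` symbols are removed without any migration, so an existing `.config` that carried `CONFIG_LIBMBEDTLS_HKDF_C=y` now silently builds a libmbedtls without HKDF, because the replacement `MBEDTLS_HKDF_C` defaults to `n` in the new Config.in. Either keep the old symbols as hidden aliases that select the new ones, or at least call the rename out in the commit message so downstream builds know to re-select; as written nothing warns them. The `PKG_CONFIG_DEPENDS := $(MBEDTLS_BUILD_OPTS)` line does correctly force a rebuild when any of the new symbols change, which is the right half of the change.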
@@ -89,28 +125,24 @@ endef TARGET_CFLAGS += -ffunction-sections -fdata-sections TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) +ifneq ($(CONFIG_MBEDTLS_ARMV8CE_AES_C),) + TARGET_CFLAGS := $(filter-out -march=%,$(TARGET_CFLAGS)) -march=armv8-a+crypto +endif CMAKE_OPTIONS += \ + -DCMAKE_POSITION_INDEPENDENT_CODE=ON \ -DUSE_SHARED_MBEDTLS_LIBRARY:Bool=ON \ -DENABLE_TESTING:Bool=OFF \ -DENABLE_PROGRAMS:Bool=ON -define Build/Configure - $(Build/Configure/Default) +define Build/Prepare + $(call Build/Prepare/Default) - awk 'BEGIN { rc = 1 } \ - /#define MBEDTLS_DEBUG_C/ { $$$$0 = "$(if $(CONFIG_LIBMBEDTLS_DEBUG_C),,// )#define MBEDTLS_DEBUG_C"; rc = 0 } \ - { print } \ - END { exit(rc) }' $(PKG_BUILD_DIR)/include/mbedtls/config.h \ - >$(PKG_BUILD_DIR)/include/mbedtls/config.h.new && \ - mv $(PKG_BUILD_DIR)/include/mbedtls/config.h.new $(PKG_BUILD_DIR)/include/mbedtls/config.h - - awk 'BEGIN { rc = 1 } \ - /#define MBEDTLS_HKDF_C/ { $$$$0 = "$(if $(CONFIG_LIBMBEDTLS_HKDF_C),,// )#define MBEDTLS_HKDF_C"; rc = 0 } \ - { print } \ - END { exit(rc) }' $(PKG_BUILD_DIR)/include/mbedtls/config.h \ - >$(PKG_BUILD_DIR)/include/mbedtls/config.h.new && \ - mv $(PKG_BUILD_DIR)/include/mbedtls/config.h.new $(PKG_BUILD_DIR)/include/mbedtls/config.h + $(if $(strip $(foreach opt,$(MBEDTLS_BUILD_OPTS),$($(opt)))), + $(foreach opt,$(MBEDTLS_BUILD_OPTS), + $(PKG_BUILD_DIR)/scripts/config.py \ + -f $(PKG_BUILD_DIR)/include/mbedtls/config.h \ + $(if $($(opt)),set,unset) $(patsubst CONFIG_%,%,$(opt))),) endef define Build/InstallDev diff --git a/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch b/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch new file mode 100644 index 000000000..357ec4464 --- /dev/null +++ b/mbedtls/patches/100-x509-crt-verify-SAN-iPAddress.patch 
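Review bot: `-march=armv8-a+crypto` is substituted into `TARGET_CFLAGS` for the whole package, so the compiler is free to emit crypto and NEON instructions in any translation unit, including the `mbedtls-util` programs built with `ENABLE_PROGRAMS:Bool=ON`, not just in `armv8ce_aes.c`; together with the 200- patch's lack of runtime feature detection, that is an illegal-instruction crash on any aarch64 target without the extension, and the single `!TARGET_bcm27xx` exclusion in Config.in is a thin guard for that. Scoping the flag to the one file (a per-source `COMPILE_FLAGS` property in the library CMakeLists, or `__attribute__((target("+crypto")))` on the two functions in that file) and leaving the target's own `-march` in place for everything else would contain the blast radius, and is a small change to the `ifneq` block here. The `$(if $(strip $(foreach opt,$(MBEDTLS_BUILD_OPTS),$($(opt)))),...)` guard skips the entire `config.py` loop when every option is unset, which is harmless today because `MBEDTLS_AES_C` defaults to `y`, but it means `unset` calls are never issued in that corner; a one-line comment on why the guard exists would stop the next reader from "fixing" it.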
@@ -0,0 +1,181 @@ +From 272d48fe7a2ff00285d4ee166d3a9beca1d5122f Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Sun, 23 Oct 2022 19:48:18 -0400 +Subject: [PATCH 1/4] x509 crt verify SAN iPAddress + +Signed-off-by: Glenn Strauss +--- + include/mbedtls/x509_crt.h | 2 +- + library/x509_crt.c | 115 +++++++++++++++++++++++++++++-------- + 2 files changed, 93 insertions(+), 24 deletions(-) + +--- a/include/mbedtls/x509_crt.h ++++ b/include/mbedtls/x509_crt.h +@@ -597,7 +597,7 @@ int mbedtls_x509_crt_verify_info( char * + * \param cn The expected Common Name. This will be checked to be + * present in the certificate's subjectAltNames extension or, + * if this extension is absent, as a CN component in its +- * Subject name. Currently only DNS names are supported. This ++ * Subject name. DNS names and IP addresses are supported. This + * may be \c NULL if the CN need not be verified. + * \param flags The address at which to store the result of the verification. + * If the verification couldn't be completed, the flag value is +--- a/library/x509_crt.c ++++ b/library/x509_crt.c +@@ -2986,6 +2986,54 @@ find_parent: + } + } + ++#ifdef _WIN32 ++/* ??? */ ++#elif defined(__sun) ++/* Solaris requires -lsocket -lnsl for inet_pton() */ ++#elif defined(__has_include) ++#if __has_include() ++#include ++#endif ++#if __has_include() ++#include ++#endif ++#endif ++ ++/* Use whether or not AF_INET6 is defined to indicate whether or not to use ++ * the platform inet_pton() or a local implementation (below). The local ++ * implementation may be used even in cases where the platform provides ++ * inet_pton(), e.g. when there are different includes required and/or the ++ * platform implementation requires dependencies on additional libraries. ++ * Specifically, Windows requires custom includes and additional link ++ * dependencies, and Solaris requires additional link dependencies. 
++ * Also, as a coarse heuristic, use the local implementation if the compiler ++ * does not support __has_include(), or if the definition of AF_INET6 is not ++ * provided by headers included (or not) via __has_include() above. */ ++#ifndef AF_INET6 ++ ++#define x509_cn_inet_pton( cn, dst ) ( 0 ) ++ ++#else ++ ++static int x509_inet_pton_ipv6( const char *src, void *dst ) ++{ ++ return( inet_pton( AF_INET6, src, dst ) == 1 ? 0 : -1 ); ++} ++ ++static int x509_inet_pton_ipv4( const char *src, void *dst ) ++{ ++ return( inet_pton( AF_INET, src, dst ) == 1 ? 0 : -1 ); ++} ++ ++#endif /* AF_INET6 */ ++ ++static size_t x509_cn_inet_pton( const char *cn, void *dst ) ++{ ++ return( strchr( cn, ':' ) == NULL ++ ? x509_inet_pton_ipv4( cn, dst ) == 0 ? 4 : 0 ++ : x509_inet_pton_ipv6( cn, dst ) == 0 ? 16 : 0 ); ++} ++ + /* + * Check for CN match + */ +@@ -3008,23 +3056,51 @@ static int x509_crt_check_cn( const mbed + return( -1 ); + } + ++static int x509_crt_check_san_ip( const mbedtls_x509_sequence *san, ++ const char *cn, size_t cn_len ) ++{ ++ uint32_t ip[4]; ++ cn_len = x509_cn_inet_pton( cn, ip ); ++ if( cn_len == 0 ) ++ return( -1 ); ++ ++ for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next ) ++ { ++ const unsigned char san_type = (unsigned char) cur->buf.tag & ++ MBEDTLS_ASN1_TAG_VALUE_MASK; ++ if( san_type == MBEDTLS_X509_SAN_IP_ADDRESS && ++ cur->buf.len == cn_len && memcmp( cur->buf.p, ip, cn_len ) == 0 ) ++ return( 0 ); ++ } ++ ++ return( -1 ); ++} ++ + /* + * Check for SAN match, see RFC 5280 Section 4.2.1.6 + */ +-static int x509_crt_check_san( const mbedtls_x509_buf *name, ++static int x509_crt_check_san( const mbedtls_x509_sequence *san, + const char *cn, size_t cn_len ) + { +- const unsigned char san_type = (unsigned char) name->tag & +- MBEDTLS_ASN1_TAG_VALUE_MASK; +- +- /* dNSName */ +- if( san_type == MBEDTLS_X509_SAN_DNS_NAME ) +- return( x509_crt_check_cn( name, cn, cn_len ) ); +- +- /* (We may handle other types here later.) 
*/ ++ int san_ip = 0; ++ for( const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next ) ++ { ++ switch( (unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK ) ++ { ++ case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */ ++ if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 ) ++ return( 0 ); ++ break; ++ case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */ ++ san_ip = 1; ++ break; ++ /* (We may handle other types here later.) */ ++ default: /* Unrecognized type */ ++ break; ++ } ++ } + +- /* Unrecognized type */ +- return( -1 ); ++ return( san_ip ? x509_crt_check_san_ip( san, cn, cn_len ) : -1 ); + } + + /* +@@ -3035,19 +3111,12 @@ static void x509_crt_verify_name( const + uint32_t *flags ) + { + const mbedtls_x509_name *name; +- const mbedtls_x509_sequence *cur; + size_t cn_len = strlen( cn ); + + if( crt->ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME ) + { +- for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next ) +- { +- if( x509_crt_check_san( &cur->buf, cn, cn_len ) == 0 ) +- break; +- } +- +- if( cur == NULL ) +- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; ++ if( x509_crt_check_san( &crt->subject_alt_names, cn, cn_len ) == 0 ) ++ return; + } + else + { +@@ -3056,13 +3125,13 @@ static void x509_crt_verify_name( const + if( MBEDTLS_OID_CMP( MBEDTLS_OID_AT_CN, &name->oid ) == 0 && + x509_crt_check_cn( &name->val, cn, cn_len ) == 0 ) + { +- break; ++ return; + } + } + +- if( name == NULL ) +- *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; + } ++ ++ *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; + } + + /* diff --git a/mbedtls/patches/200-Implements-AES-and-GCM-with-ARMv8-Crypto-Extensions.patch b/mbedtls/patches/200-Implements-AES-and-GCM-with-ARMv8-Crypto-Extensions.patch new file mode 100644 index 000000000..72f96d2a7 --- /dev/null +++ b/mbedtls/patches/200-Implements-AES-and-GCM-with-ARMv8-Crypto-Extensions.patch 
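Review bot: The `#ifndef AF_INET6` fallback defines `x509_cn_inet_pton( cn, dst )` as a function-like macro expanding to `( 0 )`, but the real `static size_t x509_cn_inet_pton( const char *cn, void *dst )` definition sits after the `#endif /* AF_INET6 */` and is compiled unconditionally, so on a platform without `AF_INET6` the macro rewrites that line into `static size_t ( 0 )` and the body still references the never-declared `x509_inet_pton_ipv4`/`x509_inet_pton_ipv6`, which cannot compile. Moving the `#endif /* AF_INET6 */` to below the `x509_cn_inet_pton` definition (or turning the fallback into a real `static size_t` stub that returns 0) fixes it. On the OpenWrt target this path is not taken because the socket headers define `AF_INET6` (their names are not visible in this rendering of the `__has_include()` lines), and the `[PATCH 1/4]` subject suggests the rest of the upstream series reworked this area, but only the first patch is carried here. The SAN matching itself looks right: `x509_crt_check_san_ip` compares only when `cur->buf.len == cn_len` and the length comes from the parsed address, and a certificate with a SAN extension that matches nothing still falls through to `MBEDTLS_X509_BADCERT_CN_MISMATCH` without consulting the subject CN.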
@@ -0,0 +1,390 @@ +From dfb6015ca79a9fee28f7fcb0af7e350a83574b83 Mon Sep 17 00:00:00 2001 +From: "Markku-Juhani O. Saarinen" +Date: Mon, 20 Nov 2017 14:58:41 +0000 +Subject: Implements AES and GCM with ARMv8 Crypto Extensions + +A compact patch that provides AES and GCM implementations that utilize the +ARMv8 Crypto Extensions. The config flag is MBEDTLS_ARMV8CE_AES_C, which +is disabled by default as we don't do runtime checking for the feature. +The new implementation lives in armv8ce_aes.c. + +Provides similar functionality to https://github.com/ARMmbed/mbedtls/pull/432 +Thanks to Barry O'Rourke and others for that contribtion. + +Tested on a Cortex A53 device and QEMU. On a midrange phone the real AES-GCM +throughput increases about 4x, while raw AES speed is up to 10x faster. + +When cross-compiling, you want to set something like: + + export CC='aarch64-linux-gnu-gcc' + export CFLAGS='-Ofast -march=armv8-a+crypto' + scripts/config.pl set MBEDTLS_ARMV8CE_AES_C + +QEMU seems to also need + + export LDFLAGS='-static' + +Then run normal make or cmake etc. +--- + +--- /dev/null ++++ b/ChangeLog.d/armv8_crypto_extensions.txt +@@ -0,0 +1,2 @@ ++Features ++ * Support ARMv8 Cryptography Extensions for AES and GCM. +--- /dev/null ++++ b/include/mbedtls/armv8ce_aes.h +@@ -0,0 +1,63 @@ ++/** ++ * \file armv8ce_aes.h ++ * ++ * \brief ARMv8 Cryptography Extensions -- Optimized code for AES and GCM ++ */ ++ ++/* ++ * ++ * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved ++ * SPDX-License-Identifier: Apache-2.0 ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); you may ++ * not use this file except in compliance with the License. 
++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT ++ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ * ++ * This file is part of mbed TLS (https://tls.mbed.org) ++ */ ++ ++#ifndef MBEDTLS_ARMV8CE_AES_H ++#define MBEDTLS_ARMV8CE_AES_H ++ ++#include "aes.h" ++ ++/** ++ * \brief [ARMv8 Crypto Extensions] AES-ECB block en(de)cryption ++ * ++ * \param ctx AES context ++ * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT ++ * \param input 16-byte input block ++ * \param output 16-byte output block ++ * ++ * \return 0 on success (cannot fail) ++ */ ++ ++int mbedtls_armv8ce_aes_crypt_ecb( mbedtls_aes_context *ctx, ++ int mode, ++ const unsigned char input[16], ++ unsigned char output[16] ); ++ ++/** ++ * \brief [ARMv8 Crypto Extensions] Multiply in GF(2^128) for GCM ++ * ++ * \param c Result ++ * \param a First operand ++ * \param b Second operand ++ * ++ * \note Both operands and result are bit strings interpreted as ++ * elements of GF(2^128) as per the GCM spec. 
++ */ ++ ++void mbedtls_armv8ce_gcm_mult( unsigned char c[16], ++ const unsigned char a[16], ++ const unsigned char b[16] ); ++ ++#endif /* MBEDTLS_ARMV8CE_AES_H */ +--- a/include/mbedtls/check_config.h ++++ b/include/mbedtls/check_config.h +@@ -72,6 +72,10 @@ + #error "MBEDTLS_AESNI_C defined, but not all prerequisites" + #endif + ++#if defined(MBEDTLS_ARMV8CE_AES_C) && !defined(MBEDTLS_HAVE_ASM) ++#error "MBEDTLS_ARMV8CE_AES_C defined, but not all prerequisites" ++#endif ++ + #if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C) + #error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites" + #endif +@@ -956,3 +960,4 @@ + typedef int mbedtls_iso_c_forbids_empty_translation_units; + + #endif /* MBEDTLS_CHECK_CONFIG_H */ ++ +--- a/include/mbedtls/config.h ++++ b/include/mbedtls/config.h +@@ -46,6 +46,7 @@ + * Requires support for asm() in compiler. + * + * Used in: ++ * library/armv8ce_aes.c + * library/aria.c + * library/timing.c + * include/mbedtls/bn_mul.h +@@ -2331,6 +2332,21 @@ + #define MBEDTLS_AESNI_C + + /** ++ * \def MBEDTLS_ARMV8CE_AES_C ++ * ++ * Enable ARMv8 Crypto Extensions for AES and GCM ++ * ++ * Module: library/armv8ce_aes.c ++ * Caller: library/aes.c ++ * library/gcm.c ++ * ++ * Requires: MBEDTLS_HAVE_ASM ++ * ++ * This module adds support for Armv8 Cryptography Extensions for AES and GCM. ++ */ ++//#define MBEDTLS_ARMV8CE_AES_C ++ ++/** + * \def MBEDTLS_AES_C + * + * Enable the AES block cipher. 
+--- a/library/aes.c ++++ b/library/aes.c +@@ -39,7 +39,9 @@ + #if defined(MBEDTLS_AESNI_C) + #include "mbedtls/aesni.h" + #endif +- ++#if defined(MBEDTLS_ARMV8CE_AES_C) ++#include "mbedtls/armv8ce_aes.h" ++#endif + #include "mbedtls/platform.h" + + #if !defined(MBEDTLS_AES_ALT) +@@ -992,6 +994,11 @@ int mbedtls_aes_crypt_ecb( mbedtls_aes_c + return( mbedtls_aesni_crypt_ecb( ctx, mode, input, output ) ); + #endif + ++#if defined(MBEDTLS_ARMV8CE_AES_C) ++ // We don't do runtime checking for ARMv8 Crypto Extensions ++ return mbedtls_armv8ce_aes_crypt_ecb( ctx, mode, input, output ); ++#endif ++ + #if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86) + if( aes_padlock_ace ) + { +--- /dev/null ++++ b/library/armv8ce_aes.c +@@ -0,0 +1,142 @@ ++/* ++ * ARMv8 Cryptography Extensions -- Optimized code for AES and GCM ++ * ++ * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved ++ * SPDX-License-Identifier: Apache-2.0 ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); you may ++ * not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT ++ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. 
++ * ++ * This file is part of mbed TLS (https://tls.mbed.org) ++ */ ++ ++#if !defined(MBEDTLS_CONFIG_FILE) ++#include "mbedtls/config.h" ++#else ++#include MBEDTLS_CONFIG_FILE ++#endif ++ ++#if defined(MBEDTLS_ARMV8CE_AES_C) ++ ++#include ++#include "mbedtls/armv8ce_aes.h" ++ ++#ifndef asm ++#define asm __asm ++#endif ++ ++/* ++ * [Armv8 Cryptography Extensions] AES-ECB block en(de)cryption ++ */ ++ ++#if defined(MBEDTLS_AES_C) ++ ++int mbedtls_armv8ce_aes_crypt_ecb( mbedtls_aes_context *ctx, ++ int mode, ++ const unsigned char input[16], ++ unsigned char output[16] ) ++{ ++ unsigned int i; ++ const uint8_t *rk; ++ uint8x16_t x, k; ++ ++ x = vld1q_u8( input ); /* input block */ ++ rk = (const uint8_t *) ctx->rk; /* round keys */ ++ ++ if( mode == MBEDTLS_AES_ENCRYPT ) ++ { ++ for( i = ctx->nr - 1; i != 0; i-- ) /* encryption loop */ ++ { ++ k = vld1q_u8( rk ); ++ rk += 16; ++ x = vaeseq_u8( x, k ); ++ x = vaesmcq_u8( x ); ++ } ++ k = vld1q_u8( rk ); ++ rk += 16; ++ x = vaeseq_u8( x, k ); ++ } ++ else ++ { ++ for( i = ctx->nr - 1; i != 0 ; i-- ) /* decryption loop */ ++ { ++ k = vld1q_u8( rk ); ++ rk += 16; ++ x = vaesdq_u8( x, k ); ++ x = vaesimcq_u8( x ); ++ } ++ k = vld1q_u8( rk ); ++ rk += 16; ++ x = vaesdq_u8( x, k ); ++ } ++ ++ k = vld1q_u8( rk ); /* final key just XORed */ ++ x = veorq_u8( x, k ); ++ vst1q_u8( output, x ); /* write out */ ++ ++ return ( 0 ); ++} ++ ++#endif /* MBEDTLS_AES_C */ ++ ++ ++/* ++ * [Armv8 Cryptography Extensions] Multiply in GF(2^128) for GCM ++ */ ++ ++#if defined(MBEDTLS_GCM_C) ++ ++void mbedtls_armv8ce_gcm_mult( unsigned char c[16], ++ const unsigned char a[16], ++ const unsigned char b[16] ) ++{ ++ /* GCM's GF(2^128) polynomial basis is x^128 + x^7 + x^2 + x + 1 */ ++ const uint64x2_t base = { 0, 0x86 }; /* note missing LS bit */ ++ ++ register uint8x16_t vc asm( "v0" ); /* named registers */ ++ register uint8x16_t va asm( "v1" ); /* (to avoid conflict) */ ++ register uint8x16_t vb asm( "v2" ); ++ register uint64x2_t vp asm( 
"v3" ); ++ ++ va = vld1q_u8( a ); /* load inputs */ ++ vb = vld1q_u8( b ); ++ vp = base; ++ ++ asm ( ++ "rbit %1.16b, %1.16b \n\t" /* reverse bit order */ ++ "rbit %2.16b, %2.16b \n\t" ++ "pmull2 %0.1q, %1.2d, %2.2d \n\t" /* v0 = a.hi * b.hi */ ++ "pmull2 v4.1q, %0.2d, %3.2d \n\t" /* mul v0 by x^64, reduce */ ++ "ext %0.16b, %0.16b, %0.16b, #8 \n\t" ++ "eor %0.16b, %0.16b, v4.16b \n\t" ++ "ext v5.16b, %2.16b, %2.16b, #8 \n\t" /* (swap hi and lo in b) */ ++ "pmull v4.1q, %1.1d, v5.1d \n\t" /* v0 ^= a.lo * b.hi */ ++ "eor %0.16b, %0.16b, v4.16b \n\t" ++ "pmull2 v4.1q, %1.2d, v5.2d \n\t" /* v0 ^= a.hi * b.lo */ ++ "eor %0.16b, %0.16b, v4.16b \n\t" ++ "pmull2 v4.1q, %0.2d, %3.2d \n\t" /* mul v0 by x^64, reduce */ ++ "ext %0.16b, %0.16b, %0.16b, #8 \n\t" ++ "eor %0.16b, %0.16b, v4.16b \n\t" ++ "pmull v4.1q, %1.1d, %2.1d \n\t" /* v0 ^= a.lo * b.lo */ ++ "eor %0.16b, %0.16b, v4.16b \n\t" ++ "rbit %0.16b, %0.16b \n\t" /* reverse bits for output */ ++ : "=w" (vc) /* q0: output */ ++ : "w" (va), "w" (vb), "w" (vp) /* q1, q2: input */ ++ : "v4", "v5" /* q4, q5: clobbered */ ++ ); ++ ++ vst1q_u8( c, vc ); /* write out */ ++} ++ ++#endif /* MBEDTLS_GCM_C */ ++ ++#endif /* MBEDTLS_ARMV8CE_AES_C */ +--- a/library/CMakeLists.txt ++++ b/library/CMakeLists.txt +@@ -15,6 +15,7 @@ set(src_crypto + aesni.c + arc4.c + aria.c ++ armv8ce_aes.c + asn1parse.c + asn1write.c + base64.c +--- a/library/gcm.c ++++ b/library/gcm.c +@@ -42,6 +42,10 @@ + #include "mbedtls/aesni.h" + #endif + ++#if defined(MBEDTLS_ARMV8CE_AES_C) ++#include "mbedtls/armv8ce_aes.h" ++#endif ++ + #if !defined(MBEDTLS_GCM_ALT) + + /* Parameter validation macros */ +@@ -79,6 +83,12 @@ static int gcm_gen_table( mbedtls_gcm_co + if( ( ret = mbedtls_cipher_update( &ctx->cipher_ctx, h, 16, h, &olen ) ) != 0 ) + return( ret ); + ++#if defined(MBEDTLS_ARMV8CE_AES_C) ++ // we don't do feature testing with ARMv8 cryptography extensions ++ memcpy( ctx ->HL, h, 16 ); // put H at the beginning of buffer ++ return( 0 ); // that's 
all we need ++#endif ++ + /* pack h as two 64-bits ints, big-endian */ + hi = MBEDTLS_GET_UINT32_BE( h, 0 ); + lo = MBEDTLS_GET_UINT32_BE( h, 4 ); +@@ -188,6 +198,11 @@ static void gcm_mult( mbedtls_gcm_contex + unsigned char lo, hi, rem; + uint64_t zh, zl; + ++#if defined(MBEDTLS_ARMV8CE_AES_C) ++ mbedtls_armv8ce_gcm_mult( output, x, (const unsigned char *) ctx->HL ); ++ return; ++#endif ++ + #if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64) + if( mbedtls_aesni_has_support( MBEDTLS_AESNI_CLMUL ) ) { + unsigned char h[16]; +--- a/library/Makefile ++++ b/library/Makefile +@@ -74,6 +74,7 @@ OBJS_CRYPTO= \ + aria.o \ + asn1parse.o \ + asn1write.o \ ++ armv8ce_aes.o \ + base64.o \ + bignum.o \ + blowfish.o \ +--- a/library/version_features.c ++++ b/library/version_features.c +@@ -624,6 +624,9 @@ static const char * const features[] = { + #if defined(MBEDTLS_AESNI_C) + "MBEDTLS_AESNI_C", + #endif /* MBEDTLS_AESNI_C */ ++#if defined(MBEDTLS_ARMV8CE_AES_C) ++ "MBEDTLS_ARMV8CE_AES_C", ++#endif /* MBEDTLS_ARMV8CE_AES_C */ + #if defined(MBEDTLS_AES_C) + "MBEDTLS_AES_C", + #endif /* MBEDTLS_AES_C */ diff --git a/mbedtls/patches/200-config.patch b/mbedtls/patches/200-config.patch deleted file mode 100644 index 54d4cf431..000000000 --- a/mbedtls/patches/200-config.patch +++ /dev/null 
@@ -1,228 +0,0 @@ ---- a/include/mbedtls/config.h -+++ b/include/mbedtls/config.h -@@ -670,14 +670,14 @@ - * - * Enable Output Feedback mode (OFB) for symmetric ciphers. - */ --#define MBEDTLS_CIPHER_MODE_OFB -+//#define MBEDTLS_CIPHER_MODE_OFB - - /** - * \def MBEDTLS_CIPHER_MODE_XTS - * - * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES. - */ --#define MBEDTLS_CIPHER_MODE_XTS -+//#define MBEDTLS_CIPHER_MODE_XTS - - /** - * \def MBEDTLS_CIPHER_NULL_CIPHER -@@ -795,20 +795,20 @@ - * Comment macros to disable the curve and functions for it - */ - /* Short Weierstrass curves (supporting ECP, ECDH, ECDSA) */ --#define MBEDTLS_ECP_DP_SECP192R1_ENABLED --#define MBEDTLS_ECP_DP_SECP224R1_ENABLED -+//#define MBEDTLS_ECP_DP_SECP192R1_ENABLED -+//#define MBEDTLS_ECP_DP_SECP224R1_ENABLED - #define MBEDTLS_ECP_DP_SECP256R1_ENABLED - #define MBEDTLS_ECP_DP_SECP384R1_ENABLED --#define MBEDTLS_ECP_DP_SECP521R1_ENABLED --#define MBEDTLS_ECP_DP_SECP192K1_ENABLED --#define MBEDTLS_ECP_DP_SECP224K1_ENABLED -+//#define MBEDTLS_ECP_DP_SECP521R1_ENABLED -+//#define MBEDTLS_ECP_DP_SECP192K1_ENABLED -+//#define MBEDTLS_ECP_DP_SECP224K1_ENABLED - #define MBEDTLS_ECP_DP_SECP256K1_ENABLED --#define MBEDTLS_ECP_DP_BP256R1_ENABLED --#define MBEDTLS_ECP_DP_BP384R1_ENABLED --#define MBEDTLS_ECP_DP_BP512R1_ENABLED -+//#define MBEDTLS_ECP_DP_BP256R1_ENABLED -+//#define MBEDTLS_ECP_DP_BP384R1_ENABLED -+//#define MBEDTLS_ECP_DP_BP512R1_ENABLED - /* Montgomery curves (supporting ECP) */ - #define MBEDTLS_ECP_DP_CURVE25519_ENABLED --#define MBEDTLS_ECP_DP_CURVE448_ENABLED -+//#define MBEDTLS_ECP_DP_CURVE448_ENABLED - - /** - * \def MBEDTLS_ECP_NIST_OPTIM -@@ -961,7 +961,7 @@ - * See dhm.h for more details. 
- * - */ --#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED -+//#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED - - /** - * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -@@ -981,7 +981,7 @@ - * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA - */ --#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -+//#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED - - /** - * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED -@@ -1006,7 +1006,7 @@ - * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA - */ --#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED -+//#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED - - /** - * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED -@@ -1140,7 +1140,7 @@ - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 - */ --#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED -+//#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - - /** - * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED -@@ -1164,7 +1164,7 @@ - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 - */ --#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED -+//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - - /** - * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -@@ -1268,7 +1268,7 @@ - * This option is only useful if both MBEDTLS_SHA256_C and - * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used. - */ --//#define MBEDTLS_ENTROPY_FORCE_SHA256 -+#define MBEDTLS_ENTROPY_FORCE_SHA256 - - /** - * \def MBEDTLS_ENTROPY_NV_SEED -@@ -1483,14 +1483,14 @@ - * Uncomment this macro to disable the use of CRT in RSA. - * - */ --//#define MBEDTLS_RSA_NO_CRT -+#define MBEDTLS_RSA_NO_CRT - - /** - * \def MBEDTLS_SELF_TEST - * - * Enable the checkup functions (*_self_test). - */ --#define MBEDTLS_SELF_TEST -+//#define MBEDTLS_SELF_TEST - - /** - * \def MBEDTLS_SHA256_SMALLER -@@ -1761,7 +1761,7 @@ - * configuration of this extension). 
- * - */ --#define MBEDTLS_SSL_RENEGOTIATION -+//#define MBEDTLS_SSL_RENEGOTIATION - - /** - * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO -@@ -2022,7 +2022,7 @@ - * - * Comment this macro to disable support for truncated HMAC in SSL - */ --#define MBEDTLS_SSL_TRUNCATED_HMAC -+//#define MBEDTLS_SSL_TRUNCATED_HMAC - - /** - * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT -@@ -2201,7 +2201,7 @@ - * - * Comment this to disable run-time checking and save ROM space - */ --#define MBEDTLS_VERSION_FEATURES -+//#define MBEDTLS_VERSION_FEATURES - - /** - * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 -@@ -2550,7 +2550,7 @@ - * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 - */ --#define MBEDTLS_CAMELLIA_C -+//#define MBEDTLS_CAMELLIA_C - - /** - * \def MBEDTLS_ARIA_C -@@ -2616,7 +2616,7 @@ - * This module enables the AES-CCM ciphersuites, if other requisites are - * enabled as well. - */ --#define MBEDTLS_CCM_C -+//#define MBEDTLS_CCM_C - - /** - * \def MBEDTLS_CERTS_C -@@ -2628,7 +2628,7 @@ - * - * This module is used for testing (ssl_client/server). - */ --#define MBEDTLS_CERTS_C -+//#define MBEDTLS_CERTS_C - - /** - * \def MBEDTLS_CHACHA20_C -@@ -2741,7 +2741,7 @@ - * \warning DES is considered a weak cipher and its use constitutes a - * security risk. We recommend considering stronger ciphers instead. - */ --#define MBEDTLS_DES_C -+//#define MBEDTLS_DES_C - - /** - * \def MBEDTLS_DHM_C -@@ -2906,7 +2906,7 @@ - * This module adds support for the Hashed Message Authentication Code - * (HMAC)-based key derivation function (HKDF). - */ --#define MBEDTLS_HKDF_C -+//#define MBEDTLS_HKDF_C - - /** - * \def MBEDTLS_HMAC_DRBG_C -@@ -3219,7 +3219,7 @@ - * - * This module enables abstraction of common (libc) functions. 
- */
--#define MBEDTLS_PLATFORM_C
-+//#define MBEDTLS_PLATFORM_C
-
- /**
- * \def MBEDTLS_POLY1305_C
-@@ -3295,7 +3295,7 @@
- * Caller: library/md.c
- *
- */
--#define MBEDTLS_RIPEMD160_C
-+//#define MBEDTLS_RIPEMD160_C
-
- /**
- * \def MBEDTLS_RSA_C
-@@ -3506,7 +3506,7 @@
- *
- * This module provides run-time version information.
- */
--#define MBEDTLS_VERSION_C
-+//#define MBEDTLS_VERSION_C
-
- /**
- * \def MBEDTLS_X509_USE_C
-@@ -3616,7 +3616,7 @@
- * Module: library/xtea.c
- * Caller:
- */
--#define MBEDTLS_XTEA_C
-+//#define MBEDTLS_XTEA_C
-
- /** \} name SECTION: mbed TLS modules */
-
diff --git a/mhz/Makefile b/mhz/Makefile
new file mode 100644
index 000000000..b09d9906a
--- /dev/null
+++ b/mhz/Makefile
@@ -0,0 +1,28 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=mhz
+PKG_RELEASE:=$(AUTORELEASE)
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL=https://github.com/wtarreau/mhz.git
+PKG_SOURCE_DATE:=2022-08-18
+PKG_SOURCE_VERSION:=6ec38cbb1371d20078a7a5059dd9faa5b281b2d9
+PKG_MIRROR_HASH:=37559cc8b5e08d23c09878d63cf81ea8d123be45408f3e76e1dc042766a746a7
+
+PKG_MAINTAINER:=Robert Marko
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/mhz
+ SECTION:=utils
+ CATEGORY:=Utilities
+ TITLE:=CPU frequency measurement utility
+ URL:=https://github.com/wtarreau/mhz
+endef
+
+define Package/mhz/install
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/mhz $(1)/usr/sbin/
+endef
+
+$(eval $(call BuildPackage,mhz))
diff --git a/nftables/Makefile b/nftables/Makefile
new file mode 100644
index 000000000..2010aaf65
--- /dev/null
+++ b/nftables/Makefile
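Review bot: The mhz package declares no `PKG_LICENSE` or `PKG_LICENSE_FILES`, unlike the nftables Makefile added in the same commit, so the licence metadata that the build's package and SBOM reporting relies on is absent for this package; add `PKG_LICENSE:=<licence from upstream LICENSE file>` and `PKG_LICENSE_FILES:=<licence file name>` next to `PKG_MAINTAINER`. A smaller point of style: `PKG_SOURCE_URL=` uses recursive `=` while every other assignment in the file uses `:=`; write `PKG_SOURCE_URL:=https://github.com/wtarreau/mhz.git` for consistency. Pinning `PKG_SOURCE_VERSION` to a full commit id together with `PKG_MIRROR_HASH` is the right way to keep a git-fetched source reproducible and verifiable, so that part needs no change.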
@@ -0,0 +1,86 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2015 OpenWrt.org
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=nftables
+PKG_VERSION:=1.0.6
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=https://netfilter.org/projects/$(PKG_NAME)/files
+PKG_HASH:=2407430ddd82987670e48dc2fda9e280baa8307abec04ab18d609df3db005e4c
+
+PKG_MAINTAINER:=
+PKG_LICENSE:=GPL-2.0
+PKG_LICENSE_FILES:=COPYING
+
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+DISABLE_NLS:=
+
+CONFIGURE_ARGS += \
+ --disable-debug \
+ --disable-man-doc \
+ --with-mini-gmp \
+ --without-cli \
+ --disable-python
+
+define Package/nftables/Default
+ SECTION:=net
+ CATEGORY:=Network
+ SUBMENU:=Firewall
+ TITLE:=nftables userspace utility
+ DEPENDS:=+kmod-nft-core +libnftnl
+ URL:=http://netfilter.org/projects/nftables/
+ PROVIDES:=nftables
+endef
+
+define Package/nftables-nojson
+ $(Package/nftables/Default)
+ TITLE+= no JSON support
+ VARIANT:=nojson
+ DEFAULT_VARIANT:=1
+ CONFLICTS:=nftables-json
+endef
+
+define Package/nftables-json
+ $(Package/nftables/Default)
+ TITLE+= with JSON support
+ VARIANT:=json
+ DEPENDS+=+jansson
+endef
+
+ifeq ($(BUILD_VARIANT),json)
+ CONFIGURE_ARGS += --with-json
+endif
+
+TARGET_CFLAGS += -flto
+TARGET_LDFLAGS += -flto
+
+define Build/InstallDev
+ $(INSTALL_DIR) $(1)/usr/lib $(1)/usr/include
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/*.so* $(1)/usr/lib/
+ $(CP) $(PKG_INSTALL_DIR)/usr/include/nftables $(1)/usr/include/
+ $(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libnftables.pc \
+ $(1)/usr/lib/pkgconfig/
+endef
+
+define Package/nftables/install/Default
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(CP) $(PKG_INSTALL_DIR)/usr/sbin/nft $(1)/usr/sbin/
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/*.so* $(1)/usr/lib/
+endef
+
+Package/nftables-nojson/install = $(Package/nftables/install/Default)
+Package/nftables-json/install = $(Package/nftables/install/Default)
+
+$(eval $(call BuildPackage,nftables-nojson))
+$(eval $(call BuildPackage,nftables-json))
diff --git a/nftables/patches/002-nftables-add-fullcone-expression-support.patch b/nftables/patches/002-nftables-add-fullcone-expression-support.patch
new file mode 100644
index 000000000..ca483062e
--- /dev/null
+++ b/nftables/patches/002-nftables-add-fullcone-expression-support.patch
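Review bot: `PKG_LICENSE:=GPL-2.0` disagrees with the file's own `# SPDX-License-Identifier: GPL-2.0-only` header, and `GPL-2.0` is the deprecated SPDX spelling; write `PKG_LICENSE:=GPL-2.0-only` so the two statements agree. `PKG_MAINTAINER:=` is left empty, which leaves nobody on record to pick up security updates for a firewall front end; fill it in or state explicitly that the package is unmaintained. The project link `URL:=http://netfilter.org/projects/nftables/` is plain HTTP while `PKG_SOURCE_URL` already uses https; `URL:=https://netfilter.org/projects/nftables/` is the consistent choice. The tarball itself is pinned by `PKG_HASH`, which is what protects the integrity of the download, so that part is fine as written.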
@@ -0,0 +1,209 @@
+From 58c89e8768711a959fdc6e953df3ea2254ff93c1 Mon Sep 17 00:00:00 2001
+From: Syrone Wong
+Date: Sat, 9 Apr 2022 00:38:51 +0800
+Subject: [PATCH] nftables: add fullcone expression support
+
+Signed-off-by: Syrone Wong
+---
+ include/linux/netfilter/nf_tables.h | 16 ++++++++++
+ include/statement.h | 1 +
+ src/netlink_delinearize.c | 48 +++++++++++++++++++++++++++++
+ src/netlink_linearize.c | 7 +++++
+ src/parser_bison.y | 28 +++++++++++++++--
+ src/scanner.l | 1 +
+ src/statement.c | 1 +
+ 7 files changed, 100 insertions(+), 2 deletions(-)
+
+--- a/include/linux/netfilter/nf_tables.h
++++ b/include/linux/netfilter/nf_tables.h
+@@ -1436,6 +1436,22 @@ enum nft_masq_attributes {
+ #define NFTA_MASQ_MAX (__NFTA_MASQ_MAX - 1)
+
+ /**
++ * enum nft_fullcone_attributes - nf_tables fullcone expression attributes
++ *
++ * @NFTA_FULLCONE_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
++ * @NFTA_FULLCONE_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
++ * @NFTA_FULLCONE_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
++ */
++enum nft_fullcone_attributes {
++ NFTA_FULLCONE_UNSPEC,
++ NFTA_FULLCONE_FLAGS,
++ NFTA_FULLCONE_REG_PROTO_MIN,
++ NFTA_FULLCONE_REG_PROTO_MAX,
++ __NFTA_FULLCONE_MAX
++};
++#define NFTA_FULLCONE_MAX (__NFTA_FULLCONE_MAX - 1)
++
++/**
+ * enum nft_redir_attributes - nf_tables redirect expression netlink attributes
+ *
+ * @NFTA_REDIR_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
+--- a/include/statement.h
++++ b/include/statement.h
+@@ -122,6 +122,7 @@ enum nft_nat_etypes {
+ __NFT_NAT_SNAT = NFT_NAT_SNAT,
+ __NFT_NAT_DNAT = NFT_NAT_DNAT,
+ NFT_NAT_MASQ,
++ NFT_NAT_FULLCONE,
+ NFT_NAT_REDIR,
+ };
+
+--- a/src/netlink_delinearize.c
++++ b/src/netlink_delinearize.c
+@@ -1370,6 +1370,53 @@ out_err:
+ stmt_free(stmt);
+ }
+
++static void netlink_parse_fullcone(struct netlink_parse_ctx *ctx,
++ const struct location *loc,
++ const struct nftnl_expr *nle)
++{
++ enum nft_registers reg1, reg2;
++ struct expr *proto;
++ struct stmt *stmt;
++ uint32_t flags = 0;
++
++ if (nftnl_expr_is_set(nle, NFTNL_EXPR_FULLCONE_FLAGS))
++ flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_FULLCONE_FLAGS);
++
++ stmt = nat_stmt_alloc(loc, NFT_NAT_FULLCONE);
++ stmt->nat.flags = flags;
++
++ reg1 = netlink_parse_register(nle, NFTNL_EXPR_FULLCONE_REG_PROTO_MIN);
++ if (reg1) {
++ proto = netlink_get_register(ctx, loc, reg1);
++ if (proto == NULL) {
++ netlink_error(ctx, loc,
++ "fullcone statement has no proto expression");
++ goto out_err;
++ }
++ expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
++ stmt->nat.proto = proto;
++ }
++
++ reg2 = netlink_parse_register(nle, NFTNL_EXPR_FULLCONE_REG_PROTO_MAX);
++ if (reg2 && reg2 != reg1) {
++ proto = netlink_get_register(ctx, loc, reg2);
++ if (proto == NULL) {
++ netlink_error(ctx, loc,
++ "fullcone statement has no proto expression");
++ goto out_err;
++ }
++ expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
++ if (stmt->nat.proto != NULL)
++ proto = range_expr_alloc(loc, stmt->nat.proto, proto);
++ stmt->nat.proto = proto;
++ }
++
++ ctx->stmt = stmt;
++ return;
++out_err:
++ stmt_free(stmt);
++}
++
+ static void netlink_parse_redir(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+@@ -1796,6 +1843,7 @@ static const struct expr_handler netlink
+ { .name = "tproxy", .parse = netlink_parse_tproxy },
+ { .name = "notrack", .parse = netlink_parse_notrack },
+ { .name = "masq", .parse = netlink_parse_masq },
++ { .name = "fullcone", .parse = netlink_parse_fullcone },
+ { .name = "redir", .parse = netlink_parse_redir },
+ { .name = "dup", .parse = netlink_parse_dup },
+ { .name = "queue", .parse = netlink_parse_queue },
+--- a/src/netlink_linearize.c
++++ b/src/netlink_linearize.c
+@@ -1140,6 +1140,13 @@ static void netlink_gen_nat_stmt(struct
+ nftnl_reg_pmin = NFTNL_EXPR_MASQ_REG_PROTO_MIN;
+ nftnl_reg_pmax = NFTNL_EXPR_MASQ_REG_PROTO_MAX;
+ break;
++ case NFT_NAT_FULLCONE:
++ nle = alloc_nft_expr("fullcone");
++
++ nftnl_flag_attr = NFTNL_EXPR_FULLCONE_FLAGS;
++ nftnl_reg_pmin = NFTNL_EXPR_FULLCONE_REG_PROTO_MIN;
++ nftnl_reg_pmax = NFTNL_EXPR_FULLCONE_REG_PROTO_MAX;
++ break;
+ case NFT_NAT_REDIR:
+ nle = alloc_nft_expr("redir");
+
+--- a/src/parser_bison.y
++++ b/src/parser_bison.y
+@@ -582,6 +582,7 @@ int nft_lex(void *, void *, void *);
+ %token SNAT "snat"
+ %token DNAT "dnat"
+ %token MASQUERADE "masquerade"
++%token FULLCONE "fullcone"
+ %token REDIRECT "redirect"
+ %token RANDOM "random"
+ %token FULLY_RANDOM "fully-random"
+@@ -716,8 +717,8 @@ int nft_lex(void *, void *, void *);
+ %type limit_burst_pkts limit_burst_bytes limit_mode limit_bytes time_unit quota_mode
+ %type reject_stmt reject_stmt_alloc
+ %destructor { stmt_free($$); } reject_stmt reject_stmt_alloc
+-%type nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc redir_stmt redir_stmt_alloc
+-%destructor { stmt_free($$); } nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc redir_stmt redir_stmt_alloc
++%type nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc fullcone_stmt fullcone_stmt_alloc redir_stmt redir_stmt_alloc
++%destructor { stmt_free($$); } nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc fullcone_stmt fullcone_stmt_alloc redir_stmt redir_stmt_alloc
+ %type nf_nat_flags nf_nat_flag offset_opt
+ %type tproxy_stmt
+ %destructor { stmt_free($$); } tproxy_stmt
+@@ -2877,6 +2878,7 @@ stmt : verdict_stmt
+ | queue_stmt
+ | ct_stmt
+ | masq_stmt close_scope_nat
++ | fullcone_stmt close_scope_nat
+ | redir_stmt close_scope_nat
+ | dup_stmt close_scope_dup
+ | fwd_stmt close_scope_fwd
+@@ -3773,6 +3775,28 @@ masq_stmt_args : TO COLON stmt_expr
+ {
+ $0->nat.proto = $3;
+ }
++ | TO COLON stmt_expr nf_nat_flags
++ {
++ $0->nat.proto = $3;
++ $0->nat.flags = $4;
++ }
++ | nf_nat_flags
++ {
++ $0->nat.flags = $1;
++ }
++ ;
++
++fullcone_stmt : fullcone_stmt_alloc fullcone_stmt_args
++ | fullcone_stmt_alloc
++ ;
++
++fullcone_stmt_alloc : FULLCONE { $$ = nat_stmt_alloc(&@$, NFT_NAT_FULLCONE); }
++ ;
++
++fullcone_stmt_args : TO COLON stmt_expr
++ {
++ $0->nat.proto = $3;
++ }
+ | TO COLON stmt_expr nf_nat_flags
+ {
+ $0->nat.proto = $3;
+--- a/src/scanner.l
++++ b/src/scanner.l
+@@ -449,6 +449,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr
+ "snat" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return SNAT; }
+ "dnat" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return DNAT; }
+ "masquerade" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return MASQUERADE; }
++"fullcone" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return FULLCONE; }
+ "redirect" { scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return REDIRECT; }
+ "random" { return RANDOM; }
+ {
+--- a/src/statement.c
++++ b/src/statement.c
+@@ -650,6 +650,7 @@ const char *nat_etype2str(enum nft_nat_e
+ [NFT_NAT_SNAT] = "snat",
+ [NFT_NAT_DNAT] = "dnat",
+ [NFT_NAT_MASQ] = "masquerade",
++ [NFT_NAT_FULLCONE] = "fullcone",
+ [NFT_NAT_REDIR] = "redirect",
+ };
+
diff --git a/v2ray-geodata/Makefile b/v2ray-geodata/Makefile
index f988d4885..c029c7387 100644
--- a/v2ray-geodata/Makefile
+++ b/v2ray-geodata/Makefile
@@ -21,13 +21,13 @@ define Download/geoip
 HASH:=958b34017682aa28d2bf7f0368cdb62934c5623bf405d96ab12e54e320adfea0
 endef
-GEOSITE_VER:=20230223064004
+GEOSITE_VER:=20230224040844
 GEOSITE_FILE:=dlc.dat.$(GEOSITE_VER)
 define Download/geosite
 URL:=https://github.com/v2fly/domain-list-community/releases/download/$(GEOSITE_VER)/
 URL_FILE:=dlc.dat
 FILE:=$(GEOSITE_FILE)
- HASH:=40e34b30913798af6fc9fe0ed4d051f914de1c67d4e8f0d24522673c1759f1bc
+ HASH:=f378ffb59ea2a97c47f897bec196b67de15066e84a182454630bceca2ef8d0b6
 endef
 define Package/v2ray-geodata/template
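Review bot: `netlink_parse_fullcone` and the new `NFT_NAT_FULLCONE` case in `netlink_gen_nat_stmt` use `NFTNL_EXPR_FULLCONE_FLAGS`, `NFTNL_EXPR_FULLCONE_REG_PROTO_MIN` and `NFTNL_EXPR_FULLCONE_REG_PROTO_MAX`, yet nothing in this patch defines them (its diffstat touches only nftables files), so the package builds only against a libnftnl that carries the matching non-upstream change, and the nftables Makefile's `DEPENDS:=+kmod-nft-core +libnftnl` does not express that coupling. The patch header should record it; a line such as `Requires the fullcone NFTNL_EXPR_* additions carried in the patched libnftnl and a kernel module implementing the fullcone expression` above the first `---` would tell the next maintainer why a plain libnftnl version bump breaks this package. The `enum nft_fullcone_attributes` added to the bundled uapi header likewise has no upstream kernel counterpart, so `nft` will presumably generate an expression that an unpatched kernel rejects when the rule set is loaded; the same header note is the place to say so. `netlink_parse_fullcone` looks like a copy of the existing masq parser with only the attribute ids and the error text changed; if that is the case, a shared static helper taking the three attribute ids would keep the two from drifting apart on future fixes.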