fastd: update and add L2TP variant

This also drops the GMAC-based methods from gluon-mesh-vpn-fastd's
check_site.lua, as they are not supported anymore.

package/gluon-mesh-vpn-fastd/check_site.lua

@@ -1,4 +1,4 @@
-local fastd_methods = {'salsa2012+gmac', 'salsa2012+umac', 'null+salsa2012+gmac', 'null+salsa2012+umac', 'null'}
+local fastd_methods = {'salsa2012+umac', 'null+salsa2012+umac', 'null'}
 need_array_of({'mesh_vpn', 'fastd', 'methods'}, fastd_methods)
 need_boolean(in_site({'mesh_vpn', 'fastd', 'configurable'}), false)
 

patches/packages/packages/0001-fastd-simplify-Config.in.patch

@@ -0,0 +1,124 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sun, 7 Mar 2021 11:48:32 +0100
+Subject: fastd: simplify Config.in
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+(cherry picked from commit 45976ff31a9894dec35fc4a077c9652f6cb59a54)
+
+diff --git a/net/fastd/Config.in b/net/fastd/Config.in
+index 8302f7ee4dac874b1303ebeeb836551ef202c261..89ff6850aa5ab4ad0e762d8fb9473d5e5c820089 100644
+--- a/net/fastd/Config.in
++++ b/net/fastd/Config.in
+@@ -1,102 +1,79 @@
++if PACKAGE_fastd
++
+ menu "Configuration"
+-	depends on PACKAGE_fastd
+ 
+ config FASTD_ENABLE_METHOD_CIPHER_TEST
+ 	bool "Enable cipher-test method provider"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_ENABLE_METHOD_COMPOSED_GMAC
+ 	bool "Enable composed-gmac method provider"
+-	depends on PACKAGE_fastd
++	select FASTD_ENABLE_MAC_GHASH
+ 	default y
+ 
+ config FASTD_ENABLE_METHOD_COMPOSED_UMAC
+ 	bool "Enable composed-umac method provider"
+-	depends on PACKAGE_fastd
++	select FASTD_ENABLE_MAC_UHASH
+ 	default y
+ 
+ config FASTD_ENABLE_METHOD_GENERIC_GMAC
+ 	bool "Enable generic-gmac method provider"
+-	depends on PACKAGE_fastd
++	select FASTD_ENABLE_MAC_GHASH
+ 	default y
+ 
+ config FASTD_ENABLE_METHOD_GENERIC_POLY1305
+ 	bool "Enable generic-poly1305 method provider"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_ENABLE_METHOD_GENERIC_UMAC
+ 	bool "Enable generic-umac method provider"
+-	depends on PACKAGE_fastd
++	select FASTD_ENABLE_MAC_UHASH
+ 	default y
+ 
+ config FASTD_ENABLE_METHOD_NULL
+ 	bool "Enable null method"
+-	depends on PACKAGE_fastd
+ 	default y
+ 
+ 
+ config FASTD_ENABLE_CIPHER_NULL
+ 	bool "Enable the null cipher"
+-	depends on PACKAGE_fastd
+ 	default y
+ 
+ config FASTD_ENABLE_CIPHER_SALSA20
+ 	bool "Enable the Salsa20 cipher"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_ENABLE_CIPHER_SALSA2012
+ 	bool "Enable the Salsa20/12 cipher"
+-	depends on PACKAGE_fastd
+ 	default y
+ 
+ 
+ config FASTD_ENABLE_MAC_GHASH
+-	bool "Enable the GHASH message authentication code"
+-	depends on PACKAGE_fastd
+-	default y
++	bool
+ 
+ config FASTD_ENABLE_MAC_UHASH
+-	bool "Enable the UHASH message authentication code"
+-	depends on PACKAGE_fastd
+-	default y
++	bool
+ 
+ 
+ config FASTD_WITH_CAPABILITIES
+ 	bool "Enable POSIX capability support"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_WITH_CMDLINE_USER
+ 	bool "Include support for setting user/group related options on the command line"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_WITH_CMDLINE_LOGGING
+ 	bool "Include support for setting logging related options on the command line"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_WITH_CMDLINE_OPERATION
+ 	bool "Include support for setting options related to the VPN operation (like mode, interface, encryption method) on the command line"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_WITH_CMDLINE_COMMANDS
+ 	bool "Include support for setting handler scripts (e.g. --on-up) on the command line"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_WITH_DYNAMIC_PEERS
+ 	bool "Include support for dynamic peers (using on-verify handlers)"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_WITH_STATUS_SOCKET
+ 	bool "Include support for status sockets"
+-	depends on PACKAGE_fastd
+ 	default y
+ 
+ endmenu
++
++endif

patches/packages/packages/0002-fastd-disable-GMAC-based-methods-by-default.patch

@@ -0,0 +1,32 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sun, 7 Mar 2021 11:50:04 +0100
+Subject: fastd: disable GMAC-based methods by default
+
+The UMAC-based methods provide higher performance than GMAC and aren't
+suspectible to timing attacks when implemented in software (which is
+always the case on OpenWrt, as OpenSSL support is disabled). Disable
+GMAC by default to save a few KiB.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+(cherry picked from commit 916a65781829d93856bfb82cf78ba333b8fbc973)
+
+diff --git a/net/fastd/Config.in b/net/fastd/Config.in
+index 89ff6850aa5ab4ad0e762d8fb9473d5e5c820089..b6d46246e53516cdb7fc6e4857ea62481b4e8276 100644
+--- a/net/fastd/Config.in
++++ b/net/fastd/Config.in
+@@ -8,7 +8,6 @@ config FASTD_ENABLE_METHOD_CIPHER_TEST
+ config FASTD_ENABLE_METHOD_COMPOSED_GMAC
+ 	bool "Enable composed-gmac method provider"
+ 	select FASTD_ENABLE_MAC_GHASH
+-	default y
+ 
+ config FASTD_ENABLE_METHOD_COMPOSED_UMAC
+ 	bool "Enable composed-umac method provider"
+@@ -18,7 +17,6 @@ config FASTD_ENABLE_METHOD_COMPOSED_UMAC
+ config FASTD_ENABLE_METHOD_GENERIC_GMAC
+ 	bool "Enable generic-gmac method provider"
+ 	select FASTD_ENABLE_MAC_GHASH
+-	default y
+ 
+ config FASTD_ENABLE_METHOD_GENERIC_POLY1305
+ 	bool "Enable generic-poly1305 method provider"

patches/packages/packages/0003-fastd-update-to-v22.patch

@@ -0,0 +1,59 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sun, 27 Jun 2021 13:07:49 +0200
+Subject: fastd: update to v22
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+(cherry picked from commit c8ca43865dcc7be0e3193f9b7d12f40d3441c258)
+
+diff --git a/net/fastd/Config.in b/net/fastd/Config.in
+index b6d46246e53516cdb7fc6e4857ea62481b4e8276..157d1e39931cc0163785212cb5eea7d8af4f46f2 100644
+--- a/net/fastd/Config.in
++++ b/net/fastd/Config.in
+@@ -30,6 +30,10 @@ config FASTD_ENABLE_METHOD_NULL
+ 	bool "Enable null method"
+ 	default y
+ 
++config FASTD_ENABLE_METHOD_NULL_L2TP
++	bool "Enable null@l2tp method"
++	default y
++
+ 
+ config FASTD_ENABLE_CIPHER_NULL
+ 	bool "Enable the null cipher"
+diff --git a/net/fastd/Makefile b/net/fastd/Makefile
+index c7ab056a9ae005a75a75911658607e64d6228aac..d1ed4cf9afbe2faf11a0fa3b7b4d281848a8df2d 100644
+--- a/net/fastd/Makefile
++++ b/net/fastd/Makefile
+@@ -8,12 +8,12 @@
+ include $(TOPDIR)/rules.mk
+ 
+ PKG_NAME:=fastd
+-PKG_VERSION:=21
++PKG_VERSION:=22
+ 
+ PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net>
+ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+ PKG_SOURCE_URL:=https://github.com/NeoRaider/fastd/releases/download/v$(PKG_VERSION)
+-PKG_HASH:=942f33bcd794bcb8e19da4c30c875bdfd4d0f1c24ec4dcdf51237791bbfb0d4c
++PKG_HASH:=19750b88705d66811b7c21b672537909c19ae6b21350688cbd1a3a54d08a8951
+ 
+ PKG_LICENSE:=BSD-2-Clause
+ PKG_LICENSE_FILES:=COPYRIGHT
+@@ -26,6 +26,7 @@ PKG_CONFIG_DEPENDS:=\
+ 	CONFIG_FASTD_ENABLE_METHOD_GENERIC_POLY1305 \
+ 	CONFIG_FASTD_ENABLE_METHOD_GENERIC_UMAC \
+ 	CONFIG_FASTD_ENABLE_METHOD_NULL \
++	CONFIG_FASTD_ENABLE_METHOD_NULL_L2TP \
+ 	CONFIG_FASTD_ENABLE_CIPHER_NULL \
+ 	CONFIG_FASTD_ENABLE_CIPHER_SALSA20 \
+ 	CONFIG_FASTD_ENABLE_CIPHER_SALSA2012 \
+@@ -81,7 +82,9 @@ MESON_ARGS += \
+ 	-Dmethod_generic-poly1305=$(call feature,ENABLE_METHOD_GENERIC_POLY1305) \
+ 	-Dmethod_generic-umac=$(call feature,ENABLE_METHOD_GENERIC_UMAC) \
+ 	-Dmethod_null=$(call feature,ENABLE_METHOD_NULL) \
++	-Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP) \
+ 	-Dstatus_socket=$(call feature,WITH_STATUS_SOCKET) \
++	-Doffload_l2tp=disabled \
+ 	-Dsystemd=disabled \
+ 	-Duse_nacl=true \
+ 	-Db_lto=true \

patches/packages/packages/0004-fastd-add-L2TP-variant.patch

@@ -0,0 +1,88 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sun, 27 Jun 2021 13:26:26 +0200
+Subject: fastd: add L2TP variant
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+(cherry picked from commit 7b9c04f95b5202d5eb75e4bf1c6831a667ac3d0f)
+
+diff --git a/net/fastd/Config.in b/net/fastd/Config.in
+index 157d1e39931cc0163785212cb5eea7d8af4f46f2..3da5e1f183c5400cc38650efad39edf31c6f18d0 100644
+--- a/net/fastd/Config.in
++++ b/net/fastd/Config.in
+@@ -1,4 +1,4 @@
+-if PACKAGE_fastd
++if PACKAGE_fastd || PACKAGE_fastd-l2tp
+ 
+ menu "Configuration"
+ 
+diff --git a/net/fastd/Makefile b/net/fastd/Makefile
+index d1ed4cf9afbe2faf11a0fa3b7b4d281848a8df2d..58255cb0ba1a3b00fbca7cfdd44abd3a923603f3 100644
+--- a/net/fastd/Makefile
++++ b/net/fastd/Makefile
+@@ -15,8 +15,8 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+ PKG_SOURCE_URL:=https://github.com/NeoRaider/fastd/releases/download/v$(PKG_VERSION)
+ PKG_HASH:=19750b88705d66811b7c21b672537909c19ae6b21350688cbd1a3a54d08a8951
+ 
+-PKG_LICENSE:=BSD-2-Clause
+-PKG_LICENSE_FILES:=COPYRIGHT
++PKG_LICENSE:=BSD-2-Clause LGPL-2.1-or-later
++PKG_LICENSE_FILES:=COPYRIGHT src/dep/libmnl/COPYING
+ 
+ PKG_CONFIG_DEPENDS:=\
+ 	CONFIG_FASTD_ENABLE_METHOD_CIPHER_TEST \
+@@ -54,6 +54,14 @@ define Package/fastd
+   TITLE:=Fast and Secure Tunneling Daemon
+   URL:=https://github.com/NeoRaider/fastd/
+   SUBMENU:=VPN
++  VARIANT:=default
++endef
++define Package/fastd-l2tp
++$(Package/fastd)
++  DEPENDS+=+kmod-l2tp +kmod-l2tp-eth
++  TITLE+=(L2TP kernel offloading)
++  VARIANT:=l2tp
++  PROVIDES:=fastd
+ endef
+ 
+ define Package/fastd/config
+@@ -85,18 +93,31 @@ MESON_ARGS += \
+ 	-Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP) \
+ 	-Dstatus_socket=$(call feature,WITH_STATUS_SOCKET) \
+ 	-Doffload_l2tp=disabled \
++	-Dlibmnl_builtin=true \
+ 	-Dsystemd=disabled \
+ 	-Duse_nacl=true \
+ 	-Db_lto=true \
+ 	-Dprefix=/usr
+ 
++ifeq ($(BUILD_VARIANT),l2tp)
++  MESON_ARGS += \
++	-Dmethod_null_l2tp=enabled \
++	-Doffload_l2tp=enabled
++endif
++
+ define Package/fastd/description
+- Fast and secure tunneling daemon, which is optimized on small code size and few dependencies
++Fast and secure tunneling daemon, which is optimized on small code size and few dependencies
++endef
++define Package/fastd-l2tp/description
++$(Package/fastd/description)
++
++This variant enables L2TP kernel offloadig support.
+ endef
+ 
+ define Package/fastd/conffiles
+ /etc/config/fastd
+ endef
++Package/fastd-l2tp/conffiles = $(Package/fastd/conffiles)
+ 
+ define Package/fastd/install
+ 	$(INSTALL_DIR) $(1)/usr/bin
+@@ -110,5 +131,7 @@ define Package/fastd/install
+ 	$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
+ 	$(INSTALL_DATA) files/fastd.upgrade $(1)/lib/upgrade/keep.d/fastd
+ endef
++Package/fastd-l2tp/install = $(Package/fastd/install)
+ 
+ $(eval $(call BuildPackage,fastd))
++$(eval $(call BuildPackage,fastd-l2tp))

patches/packages/packages/0005-fastd-fix-start-of-non-L2TP-variant.patch

@@ -0,0 +1,63 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sun, 27 Jun 2021 14:48:48 +0200
+Subject: fastd: fix start of non-L2TP variant
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+(cherry picked from commit 62742985d7cf15029b4d6027a7ccfa0e480278ca)
+
+diff --git a/net/fastd/Makefile b/net/fastd/Makefile
+index 58255cb0ba1a3b00fbca7cfdd44abd3a923603f3..6fd316374d876834995f696fc63e7fbb98fb437c 100644
+--- a/net/fastd/Makefile
++++ b/net/fastd/Makefile
+@@ -9,6 +9,7 @@ include $(TOPDIR)/rules.mk
+ 
+ PKG_NAME:=fastd
+ PKG_VERSION:=22
++PKG_RELEASE=2
+ 
+ PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net>
+ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+diff --git a/net/fastd/patches/0001-config-allow-disabling-L2TP-offload-when-fastd-doesn.patch b/net/fastd/patches/0001-config-allow-disabling-L2TP-offload-when-fastd-doesn.patch
+new file mode 100644
+index 0000000000000000000000000000000000000000..f2eabc95d61abf070907239b9d5d5935bd82966c
+--- /dev/null
++++ b/net/fastd/patches/0001-config-allow-disabling-L2TP-offload-when-fastd-doesn.patch
+@@ -0,0 +1,38 @@
++From d95ae843845760aecbbc62a734c2b93b401b1834 Mon Sep 17 00:00:00 2001
++Message-Id: <d95ae843845760aecbbc62a734c2b93b401b1834.1624798048.git.mschiffer@universe-factory.net>
++From: Matthias Schiffer <mschiffer@universe-factory.net>
++Date: Sun, 27 Jun 2021 14:45:46 +0200
++Subject: [PATCH] config: allow disabling L2TP offload when fastd doesn't
++ support it
++
++Only attempting to enable the offloading should raise an error when it
++is not supported.
++---
++ src/config.y | 8 +++++---
++ 1 file changed, 5 insertions(+), 3 deletions(-)
++
++diff --git a/src/config.y b/src/config.y
++index a107d7b9fda7..7a3ec6a32649 100644
++--- a/src/config.y
+++++ b/src/config.y
++@@ -282,12 +282,14 @@ offload:	TOK_L2TP boolean {
++ #ifdef WITH_OFFLOAD_L2TP
++ 			conf.offload_l2tp = $2;
++ #else
+++			if ($2) {
++ # ifdef __linux__
++-			fastd_config_error(&@$, state, "L2TP offload is not supported by this build of fastd");
+++				fastd_config_error(&@$, state, "L2TP offload is not supported by this build of fastd");
++ # else
++-			fastd_config_error(&@$, state, "L2TP offload is not supported on this platform");
+++				fastd_config_error(&@$, state, "L2TP offload is not supported on this platform");
++ # endif
++-			YYERROR;
+++				YYERROR;
+++			}
++ #endif
++ 		}
++ 	;
++-- 
++2.32.0
++

patches/packages/packages/0006-fastd-make-L2TP-support-a-config-option-instead-of-a-variant.patch

@@ -0,0 +1,112 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sun, 27 Jun 2021 16:46:38 +0200
+Subject: fastd: make L2TP support a config option instead of a variant
+
+We enable the option by default, but do not depend on the kernel modules
+required for L2TP offloading to avoid wasting space when the feature is
+not needed. To use offloading, kmod-l2tp-eth must be installed.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+(cherry picked from commit 03ff71d5ba955ad2d3f23de30e526ab6452297d4)
+
+diff --git a/net/fastd/Config.in b/net/fastd/Config.in
+index 3da5e1f183c5400cc38650efad39edf31c6f18d0..67ae7c6b1390632735c5d26bade2cb2c570a9a43 100644
+--- a/net/fastd/Config.in
++++ b/net/fastd/Config.in
+@@ -1,4 +1,4 @@
+-if PACKAGE_fastd || PACKAGE_fastd-l2tp
++if PACKAGE_fastd
+ 
+ menu "Configuration"
+ 
+@@ -76,6 +76,10 @@ config FASTD_WITH_STATUS_SOCKET
+ 	bool "Include support for status sockets"
+ 	default y
+ 
++config FASTD_WITH_OFFLOAD_L2TP
++	bool "Enable L2TP offloading"
++	default y
++
+ endmenu
+ 
+ endif
+diff --git a/net/fastd/Makefile b/net/fastd/Makefile
+index 6fd316374d876834995f696fc63e7fbb98fb437c..9175227a5fe179bdb9d38d5e173f84908fb216ef 100644
+--- a/net/fastd/Makefile
++++ b/net/fastd/Makefile
+@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
+ 
+ PKG_NAME:=fastd
+ PKG_VERSION:=22
+-PKG_RELEASE=2
++PKG_RELEASE=3
+ 
+ PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net>
+ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+@@ -39,7 +39,8 @@ PKG_CONFIG_DEPENDS:=\
+ 	CONFIG_FASTD_WITH_CMDLINE_OPERATION \
+ 	CONFIG_FASTD_WITH_CMDLINE_COMMANDS \
+ 	CONFIG_FASTD_WITH_DYNAMIC_PEERS \
+-	CONFIG_FASTD_WITH_STATUS_SOCKET
++	CONFIG_FASTD_WITH_STATUS_SOCKET \
++	CONFIG_FASTD_WITH_OFFLOAD_L2TP
+ 
+ 
+ PKG_BUILD_DEPENDS:=meson/host nacl
+@@ -55,14 +56,6 @@ define Package/fastd
+   TITLE:=Fast and Secure Tunneling Daemon
+   URL:=https://github.com/NeoRaider/fastd/
+   SUBMENU:=VPN
+-  VARIANT:=default
+-endef
+-define Package/fastd-l2tp
+-$(Package/fastd)
+-  DEPENDS+=+kmod-l2tp +kmod-l2tp-eth
+-  TITLE+=(L2TP kernel offloading)
+-  VARIANT:=l2tp
+-  PROVIDES:=fastd
+ endef
+ 
+ define Package/fastd/config
+@@ -93,32 +86,20 @@ MESON_ARGS += \
+ 	-Dmethod_null=$(call feature,ENABLE_METHOD_NULL) \
+ 	-Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP) \
+ 	-Dstatus_socket=$(call feature,WITH_STATUS_SOCKET) \
+-	-Doffload_l2tp=disabled \
++	-Doffload_l2tp=$(call feature,WITH_OFFLOAD_L2TP) \
+ 	-Dlibmnl_builtin=true \
+ 	-Dsystemd=disabled \
+ 	-Duse_nacl=true \
+ 	-Db_lto=true \
+ 	-Dprefix=/usr
+ 
+-ifeq ($(BUILD_VARIANT),l2tp)
+-  MESON_ARGS += \
+-	-Dmethod_null_l2tp=enabled \
+-	-Doffload_l2tp=enabled
+-endif
+-
+ define Package/fastd/description
+ Fast and secure tunneling daemon, which is optimized on small code size and few dependencies
+ endef
+-define Package/fastd-l2tp/description
+-$(Package/fastd/description)
+-
+-This variant enables L2TP kernel offloadig support.
+-endef
+ 
+ define Package/fastd/conffiles
+ /etc/config/fastd
+ endef
+-Package/fastd-l2tp/conffiles = $(Package/fastd/conffiles)
+ 
+ define Package/fastd/install
+ 	$(INSTALL_DIR) $(1)/usr/bin
+@@ -132,7 +113,5 @@ define Package/fastd/install
+ 	$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
+ 	$(INSTALL_DATA) files/fastd.upgrade $(1)/lib/upgrade/keep.d/fastd
+ endef
+-Package/fastd-l2tp/install = $(Package/fastd/install)
+ 
+ $(eval $(call BuildPackage,fastd))
+-$(eval $(call BuildPackage,fastd-l2tp))