From 9a06cac09f60126c68c563d16b245edbe982eda9 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Sun, 7 Mar 2021 13:29:44 +0100
Subject: [PATCH] fastd: update and add L2TP variant

This also drops the GMAC-based methods from gluon-mesh-vpn-fastd's check_site.lua, as they are not supported anymore.
---
 package/gluon-mesh-vpn-fastd/check_site.lua | 2 +-
 .../0003-fastd-simplify-Config.in.patch | 123 ++++++++++++++++++
 ...isable-GMAC-based-methods-by-default.patch | 31 +++++
 ...fastd-update-to-main-branch-snapshot.patch | 61 +++++++++
 .../0006-fastd-add-L2TP-variant.patch | 87 +++++++++++++
 5 files changed, 303 insertions(+), 1 deletion(-)
 create mode 100644 patches/packages/packages/0003-fastd-simplify-Config.in.patch
 create mode 100644 patches/packages/packages/0004-fastd-disable-GMAC-based-methods-by-default.patch
 create mode 100644 patches/packages/packages/0005-fastd-update-to-main-branch-snapshot.patch
 create mode 100644 patches/packages/packages/0006-fastd-add-L2TP-variant.patch

diff --git a/package/gluon-mesh-vpn-fastd/check_site.lua b/package/gluon-mesh-vpn-fastd/check_site.lua
index 70c0d079..57cc7bb1 100644
--- a/package/gluon-mesh-vpn-fastd/check_site.lua
+++ b/package/gluon-mesh-vpn-fastd/check_site.lua
@@ -1,4 +1,4 @@
-local fastd_methods = {'salsa2012+gmac', 'salsa2012+umac', 'null+salsa2012+gmac', 'null+salsa2012+umac', 'null'}
+local fastd_methods = {'salsa2012+umac', 'null+salsa2012+umac', 'null'}
 need_array_of({'mesh_vpn', 'fastd', 'methods'}, fastd_methods)
 need_boolean(in_site({'mesh_vpn', 'fastd', 'configurable'}), false)
diff --git a/patches/packages/packages/0003-fastd-simplify-Config.in.patch b/patches/packages/packages/0003-fastd-simplify-Config.in.patch
new file mode 100644
index 00000000..052d93a6
--- /dev/null
+++ b/patches/packages/packages/0003-fastd-simplify-Config.in.patch
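Review bot: `fastd_methods` does not accept `null@l2tp`, the method that patch 0005 in this same commit adds to the fastd build with `default y`, so a site.conf naming it would be rejected by `need_array_of`. If sites are meant to select that method the list needs `'null@l2tp'`; if they are not, a comment should say so. A comment above the list would also help readers judge the remaining entries, for example `-- 'null': no encryption or authentication; 'null+salsa2012+umac': authenticated only`. Sites that still list a GMAC method will now fail the site check, which is the safe outcome but deserves a release-note entry.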
@@ -0,0 +1,123 @@
+From: Matthias Schiffer
+Date: Sun, 7 Mar 2021 11:48:32 +0100
+Subject: fastd: simplify Config.in
+
+Signed-off-by: Matthias Schiffer
+
+diff --git a/net/fastd/Config.in b/net/fastd/Config.in
+index 8302f7ee4dac874b1303ebeeb836551ef202c261..89ff6850aa5ab4ad0e762d8fb9473d5e5c820089 100644
+--- a/net/fastd/Config.in
++++ b/net/fastd/Config.in
+@@ -1,102 +1,79 @@
++if PACKAGE_fastd
++
+ menu "Configuration"
+- depends on PACKAGE_fastd
+
+ config FASTD_ENABLE_METHOD_CIPHER_TEST
+ bool "Enable cipher-test method provider"
+- depends on PACKAGE_fastd
+- default n
+
+ config FASTD_ENABLE_METHOD_COMPOSED_GMAC
+ bool "Enable composed-gmac method provider"
+- depends on PACKAGE_fastd
++ select FASTD_ENABLE_MAC_GHASH
+ default y
+
+ config FASTD_ENABLE_METHOD_COMPOSED_UMAC
+ bool "Enable composed-umac method provider"
+- depends on PACKAGE_fastd
++ select FASTD_ENABLE_MAC_UHASH
+ default y
+
+ config FASTD_ENABLE_METHOD_GENERIC_GMAC
+ bool "Enable generic-gmac method provider"
+- depends on PACKAGE_fastd
++ select FASTD_ENABLE_MAC_GHASH
+ default y
+
+ config FASTD_ENABLE_METHOD_GENERIC_POLY1305
+ bool "Enable generic-poly1305 method provider"
+- depends on PACKAGE_fastd
+- default n
+
+ config FASTD_ENABLE_METHOD_GENERIC_UMAC
+ bool "Enable generic-umac method provider"
+- depends on PACKAGE_fastd
++ select FASTD_ENABLE_MAC_UHASH
+ default y
+
+ config FASTD_ENABLE_METHOD_NULL
+ bool "Enable null method"
+- depends on PACKAGE_fastd
+ default y
+
+
+ config FASTD_ENABLE_CIPHER_NULL
+ bool "Enable the null cipher"
+- depends on PACKAGE_fastd
+ default y
+
+ config FASTD_ENABLE_CIPHER_SALSA20
+ bool "Enable the Salsa20 cipher"
+- depends on PACKAGE_fastd
+- default n
+
+ config FASTD_ENABLE_CIPHER_SALSA2012
+ bool "Enable the Salsa20/12 cipher"
+- depends on PACKAGE_fastd
+ default y
+
+
+ config FASTD_ENABLE_MAC_GHASH
+- bool "Enable the GHASH message authentication code"
+- depends on PACKAGE_fastd
+- default y
++ bool
+
+ config FASTD_ENABLE_MAC_UHASH
+- bool "Enable the UHASH message authentication code"
+- depends on PACKAGE_fastd
+- default y
++ bool
+
+
+ config FASTD_WITH_CAPABILITIES
+ bool "Enable POSIX capability support"
+- depends on PACKAGE_fastd
+- default n
+
+ config FASTD_WITH_CMDLINE_USER
+ bool "Include support for setting user/group related options on the command line"
+- depends on PACKAGE_fastd
+- default n
+
+ config FASTD_WITH_CMDLINE_LOGGING
+ bool "Include support for setting logging related options on the command line"
+- depends on PACKAGE_fastd
+- default n
+
+ config FASTD_WITH_CMDLINE_OPERATION
+ bool "Include support for setting options related to the VPN operation (like mode, interface, encryption method) on the command line"
+- depends on PACKAGE_fastd
+- default n
+
+ config FASTD_WITH_CMDLINE_COMMANDS
+ bool "Include support for setting handler scripts (e.g. --on-up) on the command line"
+- depends on PACKAGE_fastd
+- default n
+
+ config FASTD_WITH_DYNAMIC_PEERS
+ bool "Include support for dynamic peers (using on-verify handlers)"
+- depends on PACKAGE_fastd
+- default n
+
+ config FASTD_WITH_STATUS_SOCKET
+ bool "Include support for status sockets"
+- depends on PACKAGE_fastd
+ default y
+
+ endmenu
++
++endif
diff --git a/patches/packages/packages/0004-fastd-disable-GMAC-based-methods-by-default.patch b/patches/packages/packages/0004-fastd-disable-GMAC-based-methods-by-default.patch
new file mode 100644
index 00000000..730a97b1
--- /dev/null
+++ b/patches/packages/packages/0004-fastd-disable-GMAC-based-methods-by-default.patch
@@ -0,0 +1,31 @@
+From: Matthias Schiffer
+Date: Sun, 7 Mar 2021 11:50:04 +0100
+Subject: fastd: disable GMAC-based methods by default
+
+The UMAC-based methods provide higher performance than GMAC and aren't
+suspectible to timing attacks when implemented in software (which is
+always the case on OpenWrt, as OpenSSL support is disabled). Disable
+GMAC by default to save a few KiB.
+
+Signed-off-by: Matthias Schiffer
+
+diff --git a/net/fastd/Config.in b/net/fastd/Config.in
+index 89ff6850aa5ab4ad0e762d8fb9473d5e5c820089..b6d46246e53516cdb7fc6e4857ea62481b4e8276 100644
+--- a/net/fastd/Config.in
++++ b/net/fastd/Config.in
+@@ -8,7 +8,6 @@ config FASTD_ENABLE_METHOD_CIPHER_TEST
+ config FASTD_ENABLE_METHOD_COMPOSED_GMAC
+ bool "Enable composed-gmac method provider"
+ select FASTD_ENABLE_MAC_GHASH
+- default y
+
+ config FASTD_ENABLE_METHOD_COMPOSED_UMAC
+ bool "Enable composed-umac method provider"
+@@ -18,7 +17,6 @@ config FASTD_ENABLE_METHOD_COMPOSED_UMAC
+ config FASTD_ENABLE_METHOD_GENERIC_GMAC
+ bool "Enable generic-gmac method provider"
+ select FASTD_ENABLE_MAC_GHASH
+- default y
+
+ config FASTD_ENABLE_METHOD_GENERIC_POLY1305
+ bool "Enable generic-poly1305 method provider"
diff --git a/patches/packages/packages/0005-fastd-update-to-main-branch-snapshot.patch b/patches/packages/packages/0005-fastd-update-to-main-branch-snapshot.patch
new file mode 100644
index 00000000..a995fc8f
--- /dev/null
+++ b/patches/packages/packages/0005-fastd-update-to-main-branch-snapshot.patch
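Review bot: The two GMAC providers stay selectable after losing `default y`, but neither gets a `help` text, so someone re-enabling them in menuconfig sees nothing of the reason given in this patch's message. Both `FASTD_ENABLE_METHOD_COMPOSED_GMAC` and `FASTD_ENABLE_METHOD_GENERIC_GMAC` could carry a `help` entry along the lines of `Software GHASH may be open to timing side channels; prefer the UMAC methods.`, worded to match what upstream actually states. The message itself has a typo, `suspectible`.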
@@ -0,0 +1,61 @@
+From: Matthias Schiffer
+Date: Sun, 7 Mar 2021 11:56:31 +0100
+Subject: fastd: update to main branch snapshot
+
+Signed-off-by: Matthias Schiffer
+
+diff --git a/net/fastd/Config.in b/net/fastd/Config.in
+index b6d46246e53516cdb7fc6e4857ea62481b4e8276..157d1e39931cc0163785212cb5eea7d8af4f46f2 100644
+--- a/net/fastd/Config.in
++++ b/net/fastd/Config.in
+@@ -30,6 +30,10 @@ config FASTD_ENABLE_METHOD_NULL
+ bool "Enable null method"
+ default y
+
++config FASTD_ENABLE_METHOD_NULL_L2TP
++ bool "Enable null@l2tp method"
++ default y
++
+
+ config FASTD_ENABLE_CIPHER_NULL
+ bool "Enable the null cipher"
+diff --git a/net/fastd/Makefile b/net/fastd/Makefile
+index c7ab056a9ae005a75a75911658607e64d6228aac..12c9dbc73a9a57d9518cf243674a4104cbacab5b 100644
+--- a/net/fastd/Makefile
++++ b/net/fastd/Makefile
+@@ -8,12 +8,14 @@
+ include $(TOPDIR)/rules.mk
+
+ PKG_NAME:=fastd
+-PKG_VERSION:=21
++PKG_VERSION:=21.37.g7dc53ab69e49
+
+ PKG_MAINTAINER:=Matthias Schiffer
+ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+-PKG_SOURCE_URL:=https://github.com/NeoRaider/fastd/releases/download/v$(PKG_VERSION)
+-PKG_HASH:=942f33bcd794bcb8e19da4c30c875bdfd4d0f1c24ec4dcdf51237791bbfb0d4c
++PKG_SOURCE_VERSION:=7dc53ab69e494b9bfb982f729d9f2c510b3629ec
++PKG_SOURCE_PROTO:=git
++PKG_SOURCE_URL:=https://github.com/NeoRaider/fastd.git
++PKG_MIRROR_HASH:=cae8b5d76305617c7946a67e1d21136d53b60a7fea67d45258ff566e1b787a90
+
+ PKG_LICENSE:=BSD-2-Clause
+ PKG_LICENSE_FILES:=COPYRIGHT
+@@ -26,6 +28,7 @@ PKG_CONFIG_DEPENDS:=\
+ CONFIG_FASTD_ENABLE_METHOD_GENERIC_POLY1305 \
+ CONFIG_FASTD_ENABLE_METHOD_GENERIC_UMAC \
+ CONFIG_FASTD_ENABLE_METHOD_NULL \
++ CONFIG_FASTD_ENABLE_METHOD_NULL_L2TP \
+ CONFIG_FASTD_ENABLE_CIPHER_NULL \
+ CONFIG_FASTD_ENABLE_CIPHER_SALSA20 \
+ CONFIG_FASTD_ENABLE_CIPHER_SALSA2012 \
+@@ -81,7 +84,9 @@ MESON_ARGS += \
+ -Dmethod_generic-poly1305=$(call feature,ENABLE_METHOD_GENERIC_POLY1305) \
+ -Dmethod_generic-umac=$(call feature,ENABLE_METHOD_GENERIC_UMAC) \
+ -Dmethod_null=$(call feature,ENABLE_METHOD_NULL) \
++ -Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP) \
+ -Dstatus_socket=$(call feature,WITH_STATUS_SOCKET) \
++ -Doffload_l2tp=disabled \
+ -Dsystemd=disabled \
+ -Duse_nacl=true \
+ -Db_lto=true \
diff --git a/patches/packages/packages/0006-fastd-add-L2TP-variant.patch b/patches/packages/packages/0006-fastd-add-L2TP-variant.patch
new file mode 100644
index 00000000..8b8265da
--- /dev/null
+++ b/patches/packages/packages/0006-fastd-add-L2TP-variant.patch
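Review bot: `FASTD_ENABLE_METHOD_NULL_L2TP` is introduced with `default y` and no `help`, so every fastd build now includes one more `null` method even though the Makefile hunk of this patch sets `-Doffload_l2tp=disabled`. Judging by its name, `null@l2tp` carries traffic without encryption; if it is mainly meant for the offload variant, dropping the default and adding a help line such as `Unencrypted method using L2TP framing; used by the L2TP offload variant.` keeps it out of images that never use it. In the Makefile hunk the source is pinned by full commit id plus `PKG_MIRROR_HASH`, which is good; a comment saying why an unreleased snapshot is packaged, and that the package should return to a tagged release, would help the next maintainer.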
@@ -0,0 +1,87 @@
+From: Matthias Schiffer
+Date: Sun, 7 Mar 2021 12:05:28 +0100
+Subject: fastd: add L2TP variant
+
+Signed-off-by: Matthias Schiffer
+
+diff --git a/net/fastd/Config.in b/net/fastd/Config.in
+index 157d1e39931cc0163785212cb5eea7d8af4f46f2..3da5e1f183c5400cc38650efad39edf31c6f18d0 100644
+--- a/net/fastd/Config.in
++++ b/net/fastd/Config.in
+@@ -1,4 +1,4 @@
+-if PACKAGE_fastd
++if PACKAGE_fastd || PACKAGE_fastd-l2tp
+
+ menu "Configuration"
+
+diff --git a/net/fastd/Makefile b/net/fastd/Makefile
+index 12c9dbc73a9a57d9518cf243674a4104cbacab5b..a9280562cb139418b21ecf72cc2c31a5893c3380 100644
+--- a/net/fastd/Makefile
++++ b/net/fastd/Makefile
+@@ -17,8 +17,8 @@ PKG_SOURCE_PROTO:=git
+ PKG_SOURCE_URL:=https://github.com/NeoRaider/fastd.git
+ PKG_MIRROR_HASH:=cae8b5d76305617c7946a67e1d21136d53b60a7fea67d45258ff566e1b787a90
+
+-PKG_LICENSE:=BSD-2-Clause
+-PKG_LICENSE_FILES:=COPYRIGHT
++PKG_LICENSE:=BSD-2-Clause LGPL-2.1-or-later
++PKG_LICENSE_FILES:=COPYRIGHT src/dep/libmnl/COPYING
+
+ PKG_CONFIG_DEPENDS:=\
+ CONFIG_FASTD_ENABLE_METHOD_CIPHER_TEST \
+@@ -56,6 +56,14 @@ define Package/fastd
+ TITLE:=Fast and Secure Tunneling Daemon
+ URL:=https://github.com/NeoRaider/fastd/
+ SUBMENU:=VPN
++ VARIANT:=default
++endef
++define Package/fastd-l2tp
++$(Package/fastd)
++ DEPENDS+=+kmod-l2tp +kmod-l2tp-eth
++ TITLE+=(L2TP kernel offloading)
++ VARIANT:=l2tp
++ PROVIDES:=fastd
+ endef
+
+ define Package/fastd/config
+@@ -87,18 +95,31 @@ MESON_ARGS += \
+ -Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP) \
+ -Dstatus_socket=$(call feature,WITH_STATUS_SOCKET) \
+ -Doffload_l2tp=disabled \
++ -Dlibmnl_builtin=true \
+ -Dsystemd=disabled \
+ -Duse_nacl=true \
+ -Db_lto=true \
+ -Dprefix=/usr
+
++ifeq ($(BUILD_VARIANT),l2tp)
++ MESON_ARGS += \
++ -Dmethod_null_l2tp=enabled \
++ -Doffload_l2tp=enabled
++endif
++
+ define Package/fastd/description
+- Fast and secure tunneling daemon, which is optimized on small code size and few dependencies
++Fast and secure tunneling daemon, which is optimized on small code size and few dependencies
++endef
++define Package/fastd-l2tp/description
++$(Package/fastd/description)
++
++This variant enables L2TP kernel offloadig support.
+ endef
+
+ define Package/fastd/conffiles
+ /etc/config/fastd
+ endef
++Package/fastd-l2tp/conffiles = $(Package/fastd/conffiles)
+
+ define Package/fastd/install
+ $(INSTALL_DIR) $(1)/usr/bin
+@@ -112,5 +133,7 @@ define Package/fastd/install
+ $(INSTALL_DIR) $(1)/lib/upgrade/keep.d
+ $(INSTALL_DATA) files/fastd.upgrade $(1)/lib/upgrade/keep.d/fastd
+ endef
++Package/fastd-l2tp/install = $(Package/fastd/install)
+
+ $(eval $(call BuildPackage,fastd))
++$(eval $(call BuildPackage,fastd-l2tp))
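Review bot: In the `ifeq ($(BUILD_VARIANT),l2tp)` block, `-Dmethod_null_l2tp=enabled` and `-Doffload_l2tp=enabled` are appended after the earlier `-Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP)` and `-Doffload_l2tp=disabled`, so the l2tp variant passes both options twice and the Kconfig switch no longer governs the method there. This presumably relies on meson taking the last value and deserves a comment, e.g. `# l2tp variant: null@l2tp is always built, overriding CONFIG_FASTD_ENABLE_METHOD_NULL_L2TP`. `-Dlibmnl_builtin=true` sits in the shared `MESON_ARGS`, so both variants are configured for the copy under `src/dep/libmnl`, and fixes to that library would then reach the package only through a fastd bump; if only the offload path needs it, moving the flag into the variant block leaves the default build as it was. The variant description has a typo, `offloadig`.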