fastd: update and add L2TP variant

This also drops the GMAC-based methods from gluon-mesh-vpn-fastd's
check_site.lua, as they are not supported anymore.

package/gluon-mesh-vpn-fastd/check_site.lua

@@ -1,4 +1,4 @@
-local fastd_methods = {'salsa2012+gmac', 'salsa2012+umac', 'null+salsa2012+gmac', 'null+salsa2012+umac', 'null'}
+local fastd_methods = {'salsa2012+umac', 'null+salsa2012+umac', 'null'}
 need_array_of({'mesh_vpn', 'fastd', 'methods'}, fastd_methods)
 need_boolean(in_site({'mesh_vpn', 'fastd', 'configurable'}), false)
 

patches/packages/packages/0003-fastd-simplify-Config.in.patch

@@ -0,0 +1,123 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sun, 7 Mar 2021 11:48:32 +0100
+Subject: fastd: simplify Config.in
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/net/fastd/Config.in b/net/fastd/Config.in
+index 8302f7ee4dac874b1303ebeeb836551ef202c261..89ff6850aa5ab4ad0e762d8fb9473d5e5c820089 100644
+--- a/net/fastd/Config.in
++++ b/net/fastd/Config.in
+@@ -1,102 +1,79 @@
++if PACKAGE_fastd
++
+ menu "Configuration"
+-	depends on PACKAGE_fastd
+ 
+ config FASTD_ENABLE_METHOD_CIPHER_TEST
+ 	bool "Enable cipher-test method provider"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_ENABLE_METHOD_COMPOSED_GMAC
+ 	bool "Enable composed-gmac method provider"
+-	depends on PACKAGE_fastd
++	select FASTD_ENABLE_MAC_GHASH
+ 	default y
+ 
+ config FASTD_ENABLE_METHOD_COMPOSED_UMAC
+ 	bool "Enable composed-umac method provider"
+-	depends on PACKAGE_fastd
++	select FASTD_ENABLE_MAC_UHASH
+ 	default y
+ 
+ config FASTD_ENABLE_METHOD_GENERIC_GMAC
+ 	bool "Enable generic-gmac method provider"
+-	depends on PACKAGE_fastd
++	select FASTD_ENABLE_MAC_GHASH
+ 	default y
+ 
+ config FASTD_ENABLE_METHOD_GENERIC_POLY1305
+ 	bool "Enable generic-poly1305 method provider"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_ENABLE_METHOD_GENERIC_UMAC
+ 	bool "Enable generic-umac method provider"
+-	depends on PACKAGE_fastd
++	select FASTD_ENABLE_MAC_UHASH
+ 	default y
+ 
+ config FASTD_ENABLE_METHOD_NULL
+ 	bool "Enable null method"
+-	depends on PACKAGE_fastd
+ 	default y
+ 
+ 
+ config FASTD_ENABLE_CIPHER_NULL
+ 	bool "Enable the null cipher"
+-	depends on PACKAGE_fastd
+ 	default y
+ 
+ config FASTD_ENABLE_CIPHER_SALSA20
+ 	bool "Enable the Salsa20 cipher"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_ENABLE_CIPHER_SALSA2012
+ 	bool "Enable the Salsa20/12 cipher"
+-	depends on PACKAGE_fastd
+ 	default y
+ 
+ 
+ config FASTD_ENABLE_MAC_GHASH
+-	bool "Enable the GHASH message authentication code"
+-	depends on PACKAGE_fastd
+-	default y
++	bool
+ 
+ config FASTD_ENABLE_MAC_UHASH
+-	bool "Enable the UHASH message authentication code"
+-	depends on PACKAGE_fastd
+-	default y
++	bool
+ 
+ 
+ config FASTD_WITH_CAPABILITIES
+ 	bool "Enable POSIX capability support"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_WITH_CMDLINE_USER
+ 	bool "Include support for setting user/group related options on the command line"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_WITH_CMDLINE_LOGGING
+ 	bool "Include support for setting logging related options on the command line"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_WITH_CMDLINE_OPERATION
+ 	bool "Include support for setting options related to the VPN operation (like mode, interface, encryption method) on the command line"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_WITH_CMDLINE_COMMANDS
+ 	bool "Include support for setting handler scripts (e.g. --on-up) on the command line"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_WITH_DYNAMIC_PEERS
+ 	bool "Include support for dynamic peers (using on-verify handlers)"
+-	depends on PACKAGE_fastd
+-	default n
+ 
+ config FASTD_WITH_STATUS_SOCKET
+ 	bool "Include support for status sockets"
+-	depends on PACKAGE_fastd
+ 	default y
+ 
+ endmenu
++
++endif

patches/packages/packages/0004-fastd-disable-GMAC-based-methods-by-default.patch

@@ -0,0 +1,31 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sun, 7 Mar 2021 11:50:04 +0100
+Subject: fastd: disable GMAC-based methods by default
+
+The UMAC-based methods provide higher performance than GMAC and aren't
+suspectible to timing attacks when implemented in software (which is
+always the case on OpenWrt, as OpenSSL support is disabled). Disable
+GMAC by default to save a few KiB.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/net/fastd/Config.in b/net/fastd/Config.in
+index 89ff6850aa5ab4ad0e762d8fb9473d5e5c820089..b6d46246e53516cdb7fc6e4857ea62481b4e8276 100644
+--- a/net/fastd/Config.in
++++ b/net/fastd/Config.in
+@@ -8,7 +8,6 @@ config FASTD_ENABLE_METHOD_CIPHER_TEST
+ config FASTD_ENABLE_METHOD_COMPOSED_GMAC
+ 	bool "Enable composed-gmac method provider"
+ 	select FASTD_ENABLE_MAC_GHASH
+-	default y
+ 
+ config FASTD_ENABLE_METHOD_COMPOSED_UMAC
+ 	bool "Enable composed-umac method provider"
+@@ -18,7 +17,6 @@ config FASTD_ENABLE_METHOD_COMPOSED_UMAC
+ config FASTD_ENABLE_METHOD_GENERIC_GMAC
+ 	bool "Enable generic-gmac method provider"
+ 	select FASTD_ENABLE_MAC_GHASH
+-	default y
+ 
+ config FASTD_ENABLE_METHOD_GENERIC_POLY1305
+ 	bool "Enable generic-poly1305 method provider"

patches/packages/packages/0005-fastd-update-to-main-branch-snapshot.patch

@@ -0,0 +1,61 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sun, 7 Mar 2021 11:56:31 +0100
+Subject: fastd: update to main branch snapshot
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/net/fastd/Config.in b/net/fastd/Config.in
+index b6d46246e53516cdb7fc6e4857ea62481b4e8276..157d1e39931cc0163785212cb5eea7d8af4f46f2 100644
+--- a/net/fastd/Config.in
++++ b/net/fastd/Config.in
+@@ -30,6 +30,10 @@ config FASTD_ENABLE_METHOD_NULL
+ 	bool "Enable null method"
+ 	default y
+ 
++config FASTD_ENABLE_METHOD_NULL_L2TP
++	bool "Enable null@l2tp method"
++	default y
++
+ 
+ config FASTD_ENABLE_CIPHER_NULL
+ 	bool "Enable the null cipher"
+diff --git a/net/fastd/Makefile b/net/fastd/Makefile
+index c7ab056a9ae005a75a75911658607e64d6228aac..12c9dbc73a9a57d9518cf243674a4104cbacab5b 100644
+--- a/net/fastd/Makefile
++++ b/net/fastd/Makefile
+@@ -8,12 +8,14 @@
+ include $(TOPDIR)/rules.mk
+ 
+ PKG_NAME:=fastd
+-PKG_VERSION:=21
++PKG_VERSION:=21.37.g7dc53ab69e49
+ 
+ PKG_MAINTAINER:=Matthias Schiffer <mschiffer@universe-factory.net>
+ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+-PKG_SOURCE_URL:=https://github.com/NeoRaider/fastd/releases/download/v$(PKG_VERSION)
+-PKG_HASH:=942f33bcd794bcb8e19da4c30c875bdfd4d0f1c24ec4dcdf51237791bbfb0d4c
++PKG_SOURCE_VERSION:=7dc53ab69e494b9bfb982f729d9f2c510b3629ec
++PKG_SOURCE_PROTO:=git
++PKG_SOURCE_URL:=https://github.com/NeoRaider/fastd.git
++PKG_MIRROR_HASH:=cae8b5d76305617c7946a67e1d21136d53b60a7fea67d45258ff566e1b787a90
+ 
+ PKG_LICENSE:=BSD-2-Clause
+ PKG_LICENSE_FILES:=COPYRIGHT
+@@ -26,6 +28,7 @@ PKG_CONFIG_DEPENDS:=\
+ 	CONFIG_FASTD_ENABLE_METHOD_GENERIC_POLY1305 \
+ 	CONFIG_FASTD_ENABLE_METHOD_GENERIC_UMAC \
+ 	CONFIG_FASTD_ENABLE_METHOD_NULL \
++	CONFIG_FASTD_ENABLE_METHOD_NULL_L2TP \
+ 	CONFIG_FASTD_ENABLE_CIPHER_NULL \
+ 	CONFIG_FASTD_ENABLE_CIPHER_SALSA20 \
+ 	CONFIG_FASTD_ENABLE_CIPHER_SALSA2012 \
+@@ -81,7 +84,9 @@ MESON_ARGS += \
+ 	-Dmethod_generic-poly1305=$(call feature,ENABLE_METHOD_GENERIC_POLY1305) \
+ 	-Dmethod_generic-umac=$(call feature,ENABLE_METHOD_GENERIC_UMAC) \
+ 	-Dmethod_null=$(call feature,ENABLE_METHOD_NULL) \
++	-Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP) \
+ 	-Dstatus_socket=$(call feature,WITH_STATUS_SOCKET) \
++	-Doffload_l2tp=disabled \
+ 	-Dsystemd=disabled \
+ 	-Duse_nacl=true \
+ 	-Db_lto=true \

patches/packages/packages/0006-fastd-add-L2TP-variant.patch

@@ -0,0 +1,87 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Sun, 7 Mar 2021 12:05:28 +0100
+Subject: fastd: add L2TP variant
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/net/fastd/Config.in b/net/fastd/Config.in
+index 157d1e39931cc0163785212cb5eea7d8af4f46f2..3da5e1f183c5400cc38650efad39edf31c6f18d0 100644
+--- a/net/fastd/Config.in
++++ b/net/fastd/Config.in
+@@ -1,4 +1,4 @@
+-if PACKAGE_fastd
++if PACKAGE_fastd || PACKAGE_fastd-l2tp
+ 
+ menu "Configuration"
+ 
+diff --git a/net/fastd/Makefile b/net/fastd/Makefile
+index 12c9dbc73a9a57d9518cf243674a4104cbacab5b..a9280562cb139418b21ecf72cc2c31a5893c3380 100644
+--- a/net/fastd/Makefile
++++ b/net/fastd/Makefile
+@@ -17,8 +17,8 @@ PKG_SOURCE_PROTO:=git
+ PKG_SOURCE_URL:=https://github.com/NeoRaider/fastd.git
+ PKG_MIRROR_HASH:=cae8b5d76305617c7946a67e1d21136d53b60a7fea67d45258ff566e1b787a90
+ 
+-PKG_LICENSE:=BSD-2-Clause
+-PKG_LICENSE_FILES:=COPYRIGHT
++PKG_LICENSE:=BSD-2-Clause LGPL-2.1-or-later
++PKG_LICENSE_FILES:=COPYRIGHT src/dep/libmnl/COPYING
+ 
+ PKG_CONFIG_DEPENDS:=\
+ 	CONFIG_FASTD_ENABLE_METHOD_CIPHER_TEST \
+@@ -56,6 +56,14 @@ define Package/fastd
+   TITLE:=Fast and Secure Tunneling Daemon
+   URL:=https://github.com/NeoRaider/fastd/
+   SUBMENU:=VPN
++  VARIANT:=default
++endef
++define Package/fastd-l2tp
++$(Package/fastd)
++  DEPENDS+=+kmod-l2tp +kmod-l2tp-eth
++  TITLE+=(L2TP kernel offloading)
++  VARIANT:=l2tp
++  PROVIDES:=fastd
+ endef
+ 
+ define Package/fastd/config
+@@ -87,18 +95,31 @@ MESON_ARGS += \
+ 	-Dmethod_null_l2tp=$(call feature,ENABLE_METHOD_NULL_L2TP) \
+ 	-Dstatus_socket=$(call feature,WITH_STATUS_SOCKET) \
+ 	-Doffload_l2tp=disabled \
++	-Dlibmnl_builtin=true \
+ 	-Dsystemd=disabled \
+ 	-Duse_nacl=true \
+ 	-Db_lto=true \
+ 	-Dprefix=/usr
+ 
++ifeq ($(BUILD_VARIANT),l2tp)
++  MESON_ARGS += \
++	-Dmethod_null_l2tp=enabled \
++	-Doffload_l2tp=enabled
++endif
++
+ define Package/fastd/description
+- Fast and secure tunneling daemon, which is optimized on small code size and few dependencies
++Fast and secure tunneling daemon, which is optimized on small code size and few dependencies
++endef
++define Package/fastd-l2tp/description
++$(Package/fastd/description)
++
++This variant enables L2TP kernel offloadig support.
+ endef
+ 
+ define Package/fastd/conffiles
+ /etc/config/fastd
+ endef
++Package/fastd-l2tp/conffiles = $(Package/fastd/conffiles)
+ 
+ define Package/fastd/install
+ 	$(INSTALL_DIR) $(1)/usr/bin
+@@ -112,5 +133,7 @@ define Package/fastd/install
+ 	$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
+ 	$(INSTALL_DATA) files/fastd.upgrade $(1)/lib/upgrade/keep.d/fastd
+ endef
++Package/fastd-l2tp/install = $(Package/fastd/install)
+ 
+ $(eval $(call BuildPackage,fastd))
++$(eval $(call BuildPackage,fastd-l2tp))