xiaorouji / openwrt-passwall

[Bug]: ERROR: package/feeds/packages/shadowsocks-libev failed to build. #3164

Closed ted-zheng closed 4 months ago

ted-zheng commented 4 months ago

Describe the bug you encountered

checking whether ln -s works... yes
checking whether make sets $(MAKE)... (cached) yes
checking for thread local storage (TLS) class... __thread
checking for mbedtls_cipher_setup in -lmbedcrypto... yes
checking whether mbedtls supports Cipher Feedback mode or not... configure: error: MBEDTLS_CIPHER_MODE_CFB required
make[3]: [Makefile:130: /home/udb/openwrt/build_dir/target-x86_64_musl/shadowsocks-libev-3.3.5/.configured_68b329da9893e34099c7d8ad5cb9c940] Error 1
make[3]: Leaving directory '/home/udb/openwrt/feeds/packages/net/shadowsocks-libev'
time: package/feeds/packages/shadowsocks-libev/compile#8.19#2.29#11.09
ERROR: package/feeds/packages/shadowsocks-libev failed to build.
make[2]: [package/Makefile:129: package/feeds/packages/shadowsocks-libev/compile] Error 1
make[2]: Leaving directory '/home/udb/openwrt'
make[1]: [package/Makefile:123: /home/udb/openwrt/staging_dir/target-x86_64_musl/stamp/.package_compile] Error 2
make[1]: Leaving directory '/home/udb/openwrt'
make: [/home/udb/openwrt/include/toplevel.mk:233:world] 错误 2

Steps to reproduce this bug

Build failed

What you want to achieve

Looking for a solution

Log information

checking whether ln -s works... yes
checking whether make sets $(MAKE)... (cached) yes
checking for thread local storage (TLS) class... __thread
checking for mbedtls_cipher_setup in -lmbedcrypto... yes
checking whether mbedtls supports Cipher Feedback mode or not... configure: error: MBEDTLS_CIPHER_MODE_CFB required
make[3]: [Makefile:130: /home/udb/openwrt/build_dir/target-x86_64_musl/shadowsocks-libev-3.3.5/.configured_68b329da9893e34099c7d8ad5cb9c940] Error 1
make[3]: Leaving directory '/home/udb/openwrt/feeds/packages/net/shadowsocks-libev'
time: package/feeds/packages/shadowsocks-libev/compile#8.19#2.29#11.09
ERROR: package/feeds/packages/shadowsocks-libev failed to build.
make[2]: [package/Makefile:129: package/feeds/packages/shadowsocks-libev/compile] Error 1
make[2]: Leaving directory '/home/udb/openwrt'
make[1]: [package/Makefile:123: /home/udb/openwrt/staging_dir/target-x86_64_musl/stamp/.package_compile] Error 2
make[1]: Leaving directory '/home/udb/openwrt'
make: [/home/udb/openwrt/include/toplevel.mk:233:world] 错误 2

Screenshots

No response

System information

4.77-5

Other information

No response

nftbty commented 4 months ago

This is the passwall luci repo; for issues specific to packages, go to openwrt-passwall-packages.

sbwml commented 4 months ago

This problem is caused by openwrt upgrading to mbedtls 3.6.0, https://github.com/openwrt/openwrt/blob/main/package/libs/mbedtls/Makefile#L11

But, damn it, shadowsocks-libev is provided by the openwrt feeds https://github.com/openwrt/packages/tree/master/net/shadowsocks-libev , so the passwall packages repo cannot change it.

The suggestion is to stop using shadowsocks-libev and use shadowsocks-rust instead. For older encryption protocols, use ssr instead https://github.com/xiaorouji/openwrt-passwall-packages/tree/main/shadowsocksr-libev

ted-zheng commented 4 months ago

https://github.com/openwrt/openwrt/issues/15338

This problem is caused by openwrt upgrading to mbedtls 3.6.0, https://github.com/openwrt/openwrt/blob/main/package/libs/mbedtls/Makefile#L11

But, damn it, shadowsocks-libev is provided by the openwrt feeds https://github.com/openwrt/packages/tree/master/net/shadowsocks-libev , so the passwall packages repo cannot change it.

The suggestion is to stop using shadowsocks-libev and use shadowsocks-rust instead. For older encryption protocols, use ssr instead https://github.com/xiaorouji/openwrt-passwall-packages/tree/main/shadowsocksr-libev

https://github.com/openwrt/openwrt/issues/15338 , indeed. I suggest the experts modify the code when they have time and drop shadowsocks-libev.

sbwml commented 4 months ago

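https://github.com/openwrt/openwrt/issues/15338 , indeed. I suggest the experts modify the code when they have time and drop shadowsocks-libev.

Actually, when building openwrt main, you can add this configuration to skip building shadowsocks-libev and use shadowsocks-rust instead.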

CONFIG_PACKAGE_luci-app-passwall_INCLUDE_Shadowsocks_Rust_Client=y
CONFIG_PACKAGE_luci-app-passwall_INCLUDE_Shadowsocks_Rust_Server=y
# CONFIG_PACKAGE_luci-app-passwall_INCLUDE_Shadowsocks_Libev_Client is not set
# CONFIG_PACKAGE_luci-app-passwall_INCLUDE_Shadowsocks_Libev_Server is not set

passwall could actually also drop these default selections

https://github.com/xiaorouji/openwrt-passwall/blob/main/luci-app-passwall/Makefile#L86 https://github.com/xiaorouji/openwrt-passwall/blob/main/luci-app-passwall/Makefile#L91

ted-zheng commented 4 months ago

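https://github.com/openwrt/openwrt/issues/15338 , indeed. I suggest the experts modify the code when they have time and drop shadowsocks-libev.

Actually, when building openwrt main, you can add this configuration to skip building shadowsocks-libev and use shadowsocks-rust instead.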

CONFIG_PACKAGE_luci-app-passwall_INCLUDE_Shadowsocks_Rust_Client=y
CONFIG_PACKAGE_luci-app-passwall_INCLUDE_Shadowsocks_Rust_Server=y
# CONFIG_PACKAGE_luci-app-passwall_INCLUDE_Shadowsocks_Libev_Client is not set
# CONFIG_PACKAGE_luci-app-passwall_INCLUDE_Shadowsocks_Libev_Server is not set

passwall could actually also drop these default selections

https://github.com/xiaorouji/openwrt-passwall/blob/main/luci-app-passwall/Makefile#L86 https://github.com/xiaorouji/openwrt-passwall/blob/main/luci-app-passwall/Makefile#L91

After re-selecting in make menuconfig and deselecting shadowsocks_Libev, the build passes; I haven't found any problems in use so far.

nftbty commented 4 months ago

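The official feed also builds and publishes shadowsocks-libev; since the upgrade to mbedtls v3.6.0 breaks the build, upstream will presumably adapt and update in time. If you need it on firmware that is already built, installing it directly from the official feed with opkg should work.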

zxlhhyccc commented 4 months ago

This is caused by the official mbedtls 3.60 release removing mbedtls_aead_cipher_decryptmbedtls_cipher_auth_encrypt!

Add the patch below:

diff --git a/m4/mbedtls.m4 b/m4/mbedtls.m4
index 2c478b9..e85be4b 100644
--- a/m4/mbedtls.m4
+++ b/m4/mbedtls.m4
@@ -31,7 +31,7 @@ AC_DEFUN([ss_MBEDTLS],
   AC_COMPILE_IFELSE(
     [AC_LANG_PROGRAM(
       [[
-#include <mbedtls/config.h>
+#include <mbedtls/mbedtls_config.h>
       ]],
       [[
 #ifndef MBEDTLS_CIPHER_MODE_CFB
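Review bot: The include in this hunk, and in the three identical hunks that follow, is switched to `mbedtls/mbedtls_config.h` unconditionally, so the configure probe can no longer find its header when building against an mbedtls that still ships `mbedtls/config.h`. Include `mbedtls/version.h` first and select the header on `MBEDTLS_VERSION_NUMBER` so both layouts keep working.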
@@ -48,7 +48,7 @@ AC_DEFUN([ss_MBEDTLS],
   AC_COMPILE_IFELSE(
     [AC_LANG_PROGRAM(
       [[
-#include <mbedtls/config.h>
+#include <mbedtls/mbedtls_config.h>
       ]],
       [[
 #ifndef MBEDTLS_ARC4_C
@@ -64,7 +64,7 @@ AC_DEFUN([ss_MBEDTLS],
   AC_COMPILE_IFELSE(
     [AC_LANG_PROGRAM(
       [[
-#include <mbedtls/config.h>
+#include <mbedtls/mbedtls_config.h>
       ]],
       [[
 #ifndef MBEDTLS_BLOWFISH_C
@@ -80,7 +80,7 @@ AC_DEFUN([ss_MBEDTLS],
   AC_COMPILE_IFELSE(
     [AC_LANG_PROGRAM(
       [[
-#include <mbedtls/config.h>
+#include <mbedtls/mbedtls_config.h>
       ]],
       [[
 #ifndef MBEDTLS_CAMELLIA_C
diff --git a/src/crypto.c b/src/crypto.c
index b44d867..3e76aff 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -104,7 +104,7 @@ crypto_md5(const unsigned char *d, size_t n, unsigned char *md)
         md = m;
     }
 #if MBEDTLS_VERSION_NUMBER >= 0x02070000
-    if (mbedtls_md5_ret(d, n, md) != 0)
+    if (mbedtls_md5(d, n, md) != 0)
         FATAL("Failed to calculate MD5");
 #else
     mbedtls_md5(d, n, md);
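Review bot: The changed call sits under `#if MBEDTLS_VERSION_NUMBER >= 0x02070000`, a guard that is also true for 2.x releases from 2.7 on, where the removed line shows the checked function is `mbedtls_md5_ret`. Keep `mbedtls_md5_ret` for that range and add a separate branch for 3.x, so the `FATAL` check is preserved on both and the older path is not broken by the rename.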
--- a/src/aead.c
+++ b/src/aead.c
@@ -178,7 +178,7 @@ aead_cipher_encrypt(cipher_ctx_t *cipher_ctx,
     case AES192GCM:
     case AES128GCM:

-        err = mbedtls_cipher_auth_encrypt(cipher_ctx->evp, n, nlen, ad, adlen,
+        err = mbedtls_cipher_auth_encrypt_ext(cipher_ctx->evp, n, nlen, ad, adlen,
                                           m, mlen, c, clen, c + mlen, tlen);
         *clen += tlen;
         break;
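Review bot: Only the function name changes in the `AES128GCM` case, while the trailing arguments `c, clen, c + mlen, tlen` still follow the old layout with a separate tag pointer; the build log further down the page shows the `_ext` prototype expecting `unsigned char *output, size_t output_len, size_t *olen, size_t tag_len` at that position. Pass the output buffer, its capacity and then `clen`, and revisit `*clen += tlen`, which would count the tag twice if `olen` already includes it.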
@@ -226,7 +226,7 @@ aead_cipher_decrypt(cipher_ctx_t *cipher_ctx,
     // Otherwise, just use the mbedTLS one with crappy AES-NI.
     case AES192GCM:
     case AES128GCM:
-        err = mbedtls_cipher_auth_decrypt(cipher_ctx->evp, n, nlen, ad, adlen,
+        err = mbedtls_cipher_auth_decrypt_ext(cipher_ctx->evp, n, nlen, ad, adlen,
                                           m, mlen - tlen, p, plen, m + mlen - tlen, tlen);
         break;
     case CHACHA20POLY1305IETF:
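Review bot: Same argument-order problem as in the encrypt hunk: `p, plen, m + mlen - tlen, tlen` puts a `size_t *` where the `_ext` prototype in the build log takes `size_t output_len`, and a tag pointer where it takes `size_t *olen`. The separate tag pointer has no slot in that prototype, so the input arguments `m, mlen - tlen` need to be reworked together with the output arguments, not just the function name.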

It fails with the following errors:

o './'`aead.c
aead.c: In function 'aead_cipher_encrypt':
aead.c:182:55: error: passing argument 9 of 'mbedtls_cipher_auth_encrypt_ext' makes integer from pointer without a cast [-Werror=int-conversion]
  182 |                                           m, mlen, c, clen, c + mlen, tlen);
      |                                                       ^~~~
      |                                                       |
      |                                                       size_t * {aka long unsigned int *}
In file included from crypto.h:43,
                 from aead.h:26,
                 from aead.c:39:
/home/lin/ax6-6.1/staging_dir/target-aarch64_cortex-a53_musl/usr/include/mbedtls/cipher.h:1110:67: note: expected 'size_t' {aka 'long unsigned int'} but argument is of type 'size_t *' {aka 'long unsigned int *'}
 1110 |                                unsigned char *output, size_t output_len,
      |                                                       ~~~~~~~^~~~~~~~~~

aead.c:182:63: error: passing argument 10 of 'mbedtls_cipher_auth_encrypt_ext' from incompatible pointer type [-Werror=incompatible-pointer-types]
  182 |                                          m, mlen, c, clen, c + mlen, tlen);
      |                                                            ~~^~~~~~
      |                                                              |
      |                                                              uint8_t * {aka unsigned char *}

/home/lin/ax6-6.1/staging_dir/target-aarch64_cortex-a53_musl/usr/include/mbedtls/cipher.h:1111:45: note: expected 'size_t *' {aka 'long unsigned int *'} but argument is of type 'uint8_t *' {aka 'unsigned char *'}
 1111 |                                     size_t *olen, size_t tag_len);
      |                                     ~~~~~~~~^~~~
aead.c: In function 'aead_cipher_decrypt':
aead.c:230:62: error: passing argument 9 of 'mbedtls_cipher_auth_decrypt_ext' makes integer from pointer without a cast [-Werror=int-conversion]
  230 |                                           m, mlen - tlen, p, plen, m + mlen - tlen, tlen);
      |                                                              ^~~~
      |                                                              |
      |                                                              size_t * {aka long unsigned int *}
/home/lin/ax6-6.1/staging_dir/target-aarch64_cortex-a53_musl/usr/include/mbedtls/cipher.h:1166:67: note: expected 'size_t' {aka 'long unsigned int'} but argument is of type 'size_t *' {aka 'long unsigned int *'}
 1166 |                                unsigned char *output, size_t output_len,
      |                                                       ~~~~~~~^~~~~~~~~~

aead.c:230:77: error: passing argument 10 of 'mbedtls_cipher_auth_decrypt_ext' from incompatible pointer type [-Werror=incompatible-pointer-types]
  230 |                            m, mlen - tlen, p, plen, m + mlen - tlen, tlen);
      |                                                     ~~~~~~~~~^~~~~~
      |                                                              |
      |                                                              uint8_t * {aka unsigned char *}

/home/lin/ax6-6.1/staging_dir/target-aarch64_cortex-a53_musl/usr/include/mbedtls/cipher.h:1167:45: note: expected 'size_t *' {aka 'long unsigned int *'} but argument is of type 'uint8_t *' {aka 'unsigned char *'}
 1167 |                                     size_t *olen, size_t tag_len);
      |                                     ~~~~~~~~^~~~
aead.c: In function 'aead_key_init':
aead.c:727:21: error: 'cipher_kt_t' {aka 'mbedtls_cipher_info_t'} has no member named 'base'
  727 |         cipher->info->base       = NULL;
      |                     ^~
aead.c:728:21: error: 'cipher_kt_t' {aka 'mbedtls_cipher_info_t'} has no member named 'key_bitlen'
  728 |         cipher->info->key_bitlen = supported_aead_ciphers_key_size[method] * 8;
      |                     ^~
aead.c:729:21: error: 'cipher_kt_t' {aka 'mbedtls_cipher_info_t'} has no member named 'iv_size'
  729 |         cipher->info->iv_size    = supported_aead_ciphers_nonce_size[method];
      |                     ^~
cc1: all warnings being treated as errors
Makefile:1162: recipe for target 'ss_local-aead.o' failed
make[5]: *** [ss_local-aead.o] Error 1
make[5]: Leaving directory '/home/lin/ax6-6.1/build_dir/target-aarch64_cortex-a53_musl/shadowsocks-libev-3.3.5/src'
Makefile:490: recipe for target 'all-recursive' failed
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory '/home/lin/ax6-6.1/build_dir/target-aarch64_cortex-a53_musl/shadowsocks-libev-3.3.5'
Makefile:399: recipe for target 'all' failed
make[3]: *** [all] Error 2
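
qingtian110 commented 4 months ago

This is caused by the official mbedtls 3.60 release removing mbedtls_aead_cipher_decryptmbedtls_cipher_auth_encrypt!

Add the patch below:

Not much value; many struct members need to be migrated. I tested briefly: after fixing aead.c there is still stream.c, and whether anything else needs changing after that is unknown.

So this thing no longer has much value. In an era where raw hardware power solves everything, ss rust will not perform poorly, so hardware AES can be given up (more importantly, it is no longer maintained).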

zxlhhyccc commented 2 months ago

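@nftbty The added patch now builds under both mbedtls 3.6.0 and 2.28 and works normally; users who need it can build it as required. The patch is named 101-fix-mbedtls3.6-build.patch; place it in the directory /shadowsocks-libev/patches. The patch content is as follows (according to the mbedtls 3.6.0 documentation, the new private_iv_size and private_key_bitlen need to be right-shifted, so the patch has been revised accordingly, link):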

--- a/m4/mbedtls.m4
+++ b/m4/mbedtls.m4
@@ -31,7 +31,12 @@ AC_DEFUN([ss_MBEDTLS],
   AC_COMPILE_IFELSE(
     [AC_LANG_PROGRAM(
       [[
+#include <mbedtls/version.h>
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+#include <mbedtls/mbedtls_config.h>
+#else
 #include <mbedtls/config.h>
+#endif
       ]],
       [[
 #ifndef MBEDTLS_CIPHER_MODE_CFB
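Review bot: The five-line version switch added at the top of this probe is repeated verbatim in the next three hunks. Define it once, for example as an m4 macro expanded in all four `AC_LANG_PROGRAM` bodies, so a future header rename only has to be made in one place.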
@@ -48,7 +53,12 @@ AC_DEFUN([ss_MBEDTLS],
   AC_COMPILE_IFELSE(
     [AC_LANG_PROGRAM(
       [[
+#include <mbedtls/version.h>
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+#include <mbedtls/mbedtls_config.h>
+#else
 #include <mbedtls/config.h>
+#endif
       ]],
       [[
 #ifndef MBEDTLS_ARC4_C
@@ -64,7 +74,12 @@ AC_DEFUN([ss_MBEDTLS],
   AC_COMPILE_IFELSE(
     [AC_LANG_PROGRAM(
       [[
+#include <mbedtls/version.h>
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+#include <mbedtls/mbedtls_config.h>
+#else
 #include <mbedtls/config.h>
+#endif
       ]],
       [[
 #ifndef MBEDTLS_BLOWFISH_C
@@ -80,7 +95,12 @@ AC_DEFUN([ss_MBEDTLS],
   AC_COMPILE_IFELSE(
     [AC_LANG_PROGRAM(
       [[
+#include <mbedtls/version.h>
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+#include <mbedtls/mbedtls_config.h>
+#else
 #include <mbedtls/config.h>
+#endif
       ]],
       [[
 #ifndef MBEDTLS_CAMELLIA_C
diff --git a/src/aead.c b/src/aead.c
index 358ec93..3388a54 100644
--- a/src/aead.c
+++ b/src/aead.c
@@ -178,9 +178,14 @@ aead_cipher_encrypt(cipher_ctx_t *cipher_ctx,
     case AES192GCM:
     case AES128GCM:

+#if MBEDTLS_VERSION_NUMBER < 0x03000000
         err = mbedtls_cipher_auth_encrypt(cipher_ctx->evp, n, nlen, ad, adlen,
                                           m, mlen, c, clen, c + mlen, tlen);
         *clen += tlen;
+#else
+        err = mbedtls_cipher_auth_encrypt_ext(cipher_ctx->evp, n, nlen, ad, adlen,
+                                              m, mlen, c, mlen + tlen, clen, tlen);
+#endif
         break;
     case CHACHA20POLY1305IETF:
         err = crypto_aead_chacha20poly1305_ietf_encrypt(c, &long_clen, m, mlen,
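Review bot: In the `#else` branch the output capacity is passed as `mlen + tlen`, a value computed from the input rather than the real size of `c`, so the bounds check inside `mbedtls_cipher_auth_encrypt_ext` cannot catch an undersized buffer. Nothing in the visible lines shows how `c` was allocated; pass the caller's actual capacity, or assert that it is at least `mlen + tlen` before the call.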
@@ -226,8 +231,13 @@ aead_cipher_decrypt(cipher_ctx_t *cipher_ctx,
     // Otherwise, just use the mbedTLS one with crappy AES-NI.
     case AES192GCM:
     case AES128GCM:
+#if MBEDTLS_VERSION_NUMBER < 0x03000000
         err = mbedtls_cipher_auth_decrypt(cipher_ctx->evp, n, nlen, ad, adlen,
                                           m, mlen - tlen, p, plen, m + mlen - tlen, tlen);
+#else
+        err = mbedtls_cipher_auth_decrypt_ext(cipher_ctx->evp, n, nlen, ad, adlen,
+                                              m, mlen, p, mlen - tlen, plen, tlen);
+#endif
         break;
     case CHACHA20POLY1305IETF:
         err = crypto_aead_chacha20poly1305_ietf_decrypt(p, &long_plen, NULL, m, mlen,
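Review bot: `mlen - tlen` is passed as the output capacity in the `#else` branch, and nothing in the visible lines guarantees `mlen >= tlen`; if these are unsigned, a short input wraps to a huge capacity. Reject `mlen < tlen` before the switch (the pre-3.0 branch has the same subtraction) and return an error instead of calling into mbedtls.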
@@ -724,9 +734,26 @@ aead_key_init(int method, const char *pass, const char *key)
     if (method >= CHACHA20POLY1305IETF) {
         cipher_kt_t *cipher_info = (cipher_kt_t *)ss_malloc(sizeof(cipher_kt_t));
         cipher->info             = cipher_info;
+#if MBEDTLS_VERSION_NUMBER < 0x03000000
         cipher->info->base       = NULL;
         cipher->info->key_bitlen = supported_aead_ciphers_key_size[method] * 8;
         cipher->info->iv_size    = supported_aead_ciphers_nonce_size[method];
+#else
+        cipher->info->private_base_idx   = 0;
+
+#ifdef MBEDTLS_KEY_BITLEN_SHIFT
+        cipher->info->private_key_bitlen = supported_aead_ciphers_key_size[method] * 8 >> MBEDTLS_KEY_BITLEN_SHIFT;
+#else
+        cipher->info->private_key_bitlen = supported_aead_ciphers_key_size[method] * 8;
+#endif
+
+#ifdef MBEDTLS_IV_SIZE_SHIFT
+        cipher->info->private_iv_size    = supported_aead_ciphers_nonce_size[method] >> MBEDTLS_IV_SIZE_SHIFT;
+#else
+        cipher->info->private_iv_size    = supported_aead_ciphers_nonce_size[method];
+#endif
+
+#endif
     } else {
         cipher->info = (cipher_kt_t *)aead_get_cipher_type(method);
     }
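Review bot: The `>> MBEDTLS_KEY_BITLEN_SHIFT` and `>> MBEDTLS_IV_SIZE_SHIFT` stores drop the low bits without any check, so a key or nonce size that is not a multiple of the shift granularity would be recorded as a smaller value with no error. Add an assertion that shifting back yields the original size, parenthesise `(... * 8) >> ...` for readability, and zero the freshly allocated `cipher_kt_t` first unless `ss_malloc` already does, since only three of its members are assigned here.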
diff --git a/src/crypto.c b/src/crypto.c
index b44d867..76c426b 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -103,7 +103,7 @@ crypto_md5(const unsigned char *d, size_t n, unsigned char *md)
     if (md == NULL) {
         md = m;
     }
-#if MBEDTLS_VERSION_NUMBER >= 0x02070000
+#if MBEDTLS_VERSION_NUMBER < 0x03000000 && MBEDTLS_VERSION_NUMBER >= 0x02070000
     if (mbedtls_md5_ret(d, n, md) != 0)
         FATAL("Failed to calculate MD5");
 #else
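Review bot: With the guard narrowed to `< 0x03000000`, 3.x builds now take the `#else` branch, whose body is not shown in this hunk; the earlier patch on this page shows it as a bare `mbedtls_md5(d, n, md);` with the result ignored. Add a 3.x branch that checks the return value and calls `FATAL` on failure, as the 2.7+ branch does.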
diff --git a/src/stream.c b/src/stream.c
index 35d9050..4bb9598 100644
--- a/src/stream.c
+++ b/src/stream.c
@@ -174,7 +174,11 @@ cipher_nonce_size(const cipher_t *cipher)
     if (cipher == NULL) {
         return 0;
     }
+#if MBEDTLS_VERSION_NUMBER < 0x03000000
     return cipher->info->iv_size;
+#else
+    return (int)mbedtls_cipher_info_get_iv_size(cipher->info);
+#endif
 }

 int
@@ -192,7 +196,11 @@ cipher_key_size(const cipher_t *cipher)
         return 0;
     }
     /* From Version 1.2.7 released 2013-04-13 Default Blowfish keysize is now 128-bits */
+#if MBEDTLS_VERSION_NUMBER < 0x03000000
     return cipher->info->key_bitlen / 8;
+#else
+    return (int)mbedtls_cipher_info_get_key_bitlen(cipher->info) / 8;
+#endif
 }

 const cipher_kt_t *
@@ -645,9 +653,26 @@ stream_key_init(int method, const char *pass, const char *key)
     if (method == SALSA20 || method == CHACHA20 || method == CHACHA20IETF) {
         cipher_kt_t *cipher_info = (cipher_kt_t *)ss_malloc(sizeof(cipher_kt_t));
         cipher->info             = cipher_info;
+#if MBEDTLS_VERSION_NUMBER < 0x03000000
         cipher->info->base       = NULL;
         cipher->info->key_bitlen = supported_stream_ciphers_key_size[method] * 8;
         cipher->info->iv_size    = supported_stream_ciphers_nonce_size[method];
+#else
+        cipher->info->private_base_idx   = 0;
+
+#ifdef MBEDTLS_KEY_BITLEN_SHIFT
+        cipher->info->private_key_bitlen = supported_stream_ciphers_key_size[method] * 8 >> MBEDTLS_KEY_BITLEN_SHIFT;
+#else
+        cipher->info->private_key_bitlen = supported_stream_ciphers_key_size[method] * 8;
+#endif
+
+#ifdef MBEDTLS_IV_SIZE_SHIFT
+        cipher->info->private_iv_size    = supported_stream_ciphers_nonce_size[method] >> MBEDTLS_IV_SIZE_SHIFT;
+#else
+        cipher->info->private_iv_size    = supported_stream_ciphers_nonce_size[method];
+#endif
+
+#endif
     } else {
         cipher->info = (cipher_kt_t *)stream_get_cipher_type(method);
     }
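Review bot: This `#else` block is a copy of the one added to `aead_key_init` in `src/aead.c`, differing only in the `supported_stream_ciphers_*` tables. Move the version-dependent field setup into one shared helper that takes the key and nonce sizes, so the shift handling is fixed in a single place.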
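
nftbty commented 2 months ago

@zxlhhyccc This needs to be submitted over at packages; I only have collaborator permissions on the passwall side.

That said, the new mbedtls version seems to be causing errors in a lot of software; last time curl also failed with the mbedtls build, and switching to another TLS library fixed it.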

zxlhhyccc commented 2 months ago

@nftbty I normally build with openssl and do not use the mbedtls version, because some software requires openssl.
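The right-shifted size fields mentioned in the second patch's description can lose information if a size does not fit the packed encoding. The following is an added example, not code from this thread, from shadowsocks-libev or from mbedtls; the struct, the bit-field widths and the `DEMO_*` shift values are assumptions chosen for illustration, and a real build takes them from the mbedtls headers.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed values for illustration only (hypothetical names). */
#define DEMO_KEY_BITLEN_SHIFT 6
#define DEMO_IV_SIZE_SHIFT    2
#define DEMO_KEY_FIELD_BITS   4
#define DEMO_IV_FIELD_BITS    3

/* Hypothetical stand-in for a cipher-info struct with packed size fields. */
struct demo_cipher_info {
    unsigned int key_bitlen : DEMO_KEY_FIELD_BITS; /* stored as bits >> shift  */
    unsigned int iv_size    : DEMO_IV_FIELD_BITS;  /* stored as bytes >> shift */
};

/* Pack value >> shift into a field of `bits` bits; -1 if it cannot round-trip. */
static int demo_pack(size_t value, unsigned shift, unsigned bits, unsigned *out)
{
    size_t packed = value >> shift;
    if ((packed << shift) != value)
        return -1;                      /* low bits would be silently dropped */
    if (packed >= ((size_t)1 << bits))
        return -1;                      /* does not fit in the bit-field */
    *out = (unsigned)packed;
    return 0;
}

/* Store both sizes only if both can be represented exactly. */
int demo_set_sizes(struct demo_cipher_info *info, size_t key_bytes, size_t iv_bytes)
{
    unsigned k, v;
    if (demo_pack(key_bytes * 8, DEMO_KEY_BITLEN_SHIFT, DEMO_KEY_FIELD_BITS, &k) != 0)
        return -1;
    if (demo_pack(iv_bytes, DEMO_IV_SIZE_SHIFT, DEMO_IV_FIELD_BITS, &v) != 0)
        return -1;
    info->key_bitlen = k;
    info->iv_size    = v;
    return 0;
}

/* Getters undo the shift, mirroring what an accessor function has to do. */
size_t demo_get_key_bitlen(const struct demo_cipher_info *info)
{
    return (size_t)info->key_bitlen << DEMO_KEY_BITLEN_SHIFT;
}

size_t demo_get_iv_size(const struct demo_cipher_info *info)
{
    return (size_t)info->iv_size << DEMO_IV_SIZE_SHIFT;
}

int main(void)
{
    /* Constructed sample sizes: {key bytes, nonce bytes}. */
    size_t cases[][2] = { {32, 12}, {32, 24}, {32, 10}, {32, 32} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct demo_cipher_info info = { 0, 0 };
        int rc = demo_set_sizes(&info, cases[i][0], cases[i][1]);
        printf("key=%zu iv=%zu -> %s\n", cases[i][0], cases[i][1],
               rc == 0 ? "stored exactly" : "rejected");
    }
    return 0;
}
```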