shadow-tls: update to latest commit

Co-Authored-By: Tianling Shen <i@cnsztl.eu.org>
2026-01-27 02:19:53 +00:00 · 2025-07-05 14:16:39 +08:00
parent 0199e7da2f
commit 3ee23f6a63
4 changed files with 397 additions and 51 deletions
--- a/shadow-tls/Makefile
+++ b/shadow-tls/Makefile
@@ -1,67 +1,43 @@
 # SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2025 ImmortalWrt.org

 include $(TOPDIR)/rules.mk
-include $(INCLUDE_DIR)/package.mk

 PKG_NAME:=shadow-tls
 PKG_VERSION:=0.2.25
 PKG_RELEASE:=1

-PKG_LICENSE_FILES:=LICENSE
-PKG_MAINTAINER:=FluffyTigerFear
-RELEASE_HEAD:=$(PKG_NAME)
-RELEASE_FOOT:=unknown-linux-musl
-ifeq ($(ARCH),aarch64)
-	RELEASE_ARCH:=$(RELEASE_HEAD)-aarch64-$(RELEASE_FOOT)
-	PKG_HASH:=3295476b37f549a68906519d3eaecb74bf3b6eaf9094cebb16ee84f0151373c6
-else ifeq ($(ARCH),arm)
-    ifeq ($(CONFIG_CPU_TYPE),cortex-a7)
-        RELEASE_ARCH:=$(RELEASE_HEAD)-armv7-$(RELEASE_FOOT)eabihf
-        PKG_HASH:=e6f918a072557c50fd0ea950af9a156a9b102af72c1d010ff85d08d13006c54f
-    else ifeq ($(CONFIG_CPU_TYPE),cortex-a9)
-        RELEASE_ARCH:=$(RELEASE_HEAD)-armv7-$(RELEASE_FOOT)eabihf
-        PKG_HASH:=e6f918a072557c50fd0ea950af9a156a9b102af72c1d010ff85d08d13006c54f
-    else
-        RELEASE_ARCH:=$(RELEASE_HEAD)-arm-$(RELEASE_FOOT)eabi
-        PKG_HASH:=b6743bc60e1727972ece0fd5acf3a931e5be05cedee6f637e7e3d8c5b8d58f16
-    endif
-else ifeq ($(ARCH),x86_64)
-	RELEASE_ARCH:=$(RELEASE_HEAD)-x86_64-$(RELEASE_FOOT)
-	PKG_HASH:=a173f5f2d57f45211b68e10ceeddc15b1791077b914fa89747bc705fddc71532
-else
-	PKG_SOURCE:=dummy
-	PKG_HASH:=dummy
-endif
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://codeload.github.com/ihciah/shadow-tls/tar.gz/v$(PKG_VERSION)?
+PKG_HASH:=1d1d436734823ba0302de6e91883ed892ea710769c722a139990194ff5837224

-define Download/shadow-tls
-	URL:=https://github.com/ihciah/shadow-tls/releases/download/v$(PKG_VERSION)
-	URL_FILE:=$(RELEASE_ARCH)
-	FILE:=$(RELEASE_ARCH)
-	HASH:=$(PKG_HASH)
-endef
+PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
+PKG_LICENSE:=MIT
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_BUILD_DEPENDS:=rust/host
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+include $(TOPDIR)/feeds/packages/lang/rust/rust-package.mk

 define Package/shadow-tls
-	SECTION:=net
-	CATEGORY:=Network
-	SUBMENU:=Web Servers/Proxies
-	TITLE:=A proxy to expose real tls handshake to the firewall.
-	URL:=https://github.com/ihciah/shadow-tls
-	DEPENDS:=@USE_MUSL @(aarch64||arm||x86_64) @!(TARGET_x86_geode||TARGET_x86_legacy)
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=Web Servers/Proxies
+  TITLE:=A proxy to expose real tls handshake to the firewall
+  URL:=https://github.com/ihciah/shadow-tls
+  DEPENDS:=@(aarch64||arm||x86_64)
 endef

-define Build/Prepare
-	$(call Build/Prepare/Default)
-ifneq ($(CONFIG_PACKAGE_shadow-tls),)
-	$(call Download,shadow-tls)
-endif
-endef
-
-define Build/Compile
-endef
-
-define Package/shadow-tls/install
-	$(INSTALL_DIR) $(1)/usr/bin
-	$(INSTALL_BIN) $(DL_DIR)/$(RELEASE_ARCH) $(1)/usr/bin/shadow-tls
+define Package/shadow-tls/description
+  A proxy to expose real tls handshake to the firewall.
+
+  It works like trojan but it does not require signing certificate.
+  The firewall will see real tls handshake with valid certificate
+  that you choose.
 endef

+$(eval $(call RustBinPackage,shadow-tls))
 $(eval $(call BuildPackage,shadow-tls))
--- a/shadow-tls/patches/010-Fix-reading-WildcardSNI-from-sip003_arg-115.patch
+++ b/shadow-tls/patches/010-Fix-reading-WildcardSNI-from-sip003_arg-115.patch
@@ -0,0 +1,23 @@
+From 045014130570dd23d5a9cce124b78b2bb1ddaf5f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E1=A1=A0=E1=A0=B5=E1=A1=A0=E1=A1=B3=20=E1=A1=A0=E1=A0=B5?=
+ =?UTF-8?q?=E1=A1=A0=20=E1=A0=AE=E1=A0=A0=E1=A0=A8=E1=A1=A9=E1=A0=8B?=
+ =?UTF-8?q?=E1=A0=A0=E1=A0=A8?=
+ <125150101+UjuiUjuMandan@users.noreply.github.com>
+Date: Thu, 24 Apr 2025 22:39:07 +0000
+Subject: [PATCH] Fix reading WildcardSNI from sip003_arg (#115)
+
+---
+ src/main.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/main.rs
+++ b/src/main.rs
+@@ -269,7 +269,7 @@ pub(crate) fn get_sip003_arg() -> Option
+         let tls_addrs = parse_server_addrs(tls_addr)
+             .expect("tls param parse failed(like tls=xxx.com:443 or tls=yyy.com:1.2.3.4:443;zzz.com:443;xxx.com)");
+         let wildcard_sni =
+-            WildcardSNI::from_str(opts.get("tls").map(AsRef::as_ref).unwrap_or_default(), true)
+            WildcardSNI::from_str(opts.get("wildcard-sni").map(AsRef::as_ref).unwrap_or("off"), true)
+                 .expect("wildcard_sni format error");
+         Args {
+             cmd: crate::Commands::Server {
--- a/shadow-tls/patches/011-fix-use-tls1-2-only-website-for-tls12-test-suites-129.patch
+++ b/shadow-tls/patches/011-fix-use-tls1-2-only-website-for-tls12-test-suites-129.patch
@@ -0,0 +1,230 @@
+From 02dd0bc7bae8a2011729f95021690e694fd8e43e Mon Sep 17 00:00:00 2001
+From: V <vendettareborn@proton.me>
+Date: Fri, 25 Apr 2025 18:27:13 +0200
+Subject: [PATCH] fix: use tls1.2 only website for tls12 test suites (#129)
+
+* fix: use tls1.2 only website for tls12 test suites
+---
+ src/helper_v2.rs |  2 ++
+ src/main.rs      | 12 +++++++-----
+ src/sip003.rs    |  6 +++---
+ src/util.rs      |  2 +-
+ tests/tls12.rs   | 32 ++++++++++++++++----------------
+ 5 files changed, 29 insertions(+), 25 deletions(-)
+
+--- a/src/helper_v2.rs
+++ b/src/helper_v2.rs
+@@ -26,6 +26,7 @@ use crate::util::prelude::*;
+ 
+ pub(crate) const HMAC_SIZE_V2: usize = 8;
+ 
+#[allow(unused)]
+ pub(crate) trait HashedStream {
+     fn hash_stream(&self) -> [u8; 20];
+ }
+@@ -98,6 +99,7 @@ impl<S> HashedWriteStream<S> {
+         })
+     }
+ 
+    #[allow(unused)]
+     pub(crate) fn hash(&self) -> [u8; 20] {
+         self.hmac
+             .borrow()
+--- a/src/main.rs
+++ b/src/main.rs
+@@ -252,7 +252,7 @@ pub(crate) fn get_sip003_arg() -> Option
+     let opts: HashMap<_, _> = opts.into_iter().collect();
+ 
+     let threads = opts.get("threads").map(|s| s.parse::<u8>().unwrap());
+-    let v3 = opts.get("v3").is_some();
+    let v3 = opts.contains_key("v3");
+     let passwd = opts
+         .get("passwd")
+         .expect("need passwd param(like passwd=123456)");
+@@ -262,15 +262,17 @@ pub(crate) fn get_sip003_arg() -> Option
+         v3,
+         ..Default::default()
+     };
+-    let args = if opts.get("server").is_some() {
+    let args = if opts.contains_key("server") {
+         let tls_addr = opts
+             .get("tls")
+             .expect("tls param must be specified(like tls=xxx.com:443)");
+         let tls_addrs = parse_server_addrs(tls_addr)
+             .expect("tls param parse failed(like tls=xxx.com:443 or tls=yyy.com:1.2.3.4:443;zzz.com:443;xxx.com)");
+-        let wildcard_sni =
+-            WildcardSNI::from_str(opts.get("wildcard-sni").map(AsRef::as_ref).unwrap_or("off"), true)
+-                .expect("wildcard_sni format error");
+        let wildcard_sni = WildcardSNI::from_str(
+            opts.get("wildcard-sni").map(AsRef::as_ref).unwrap_or("off"),
+            true,
+        )
+        .expect("wildcard_sni format error");
+         Args {
+             cmd: crate::Commands::Server {
+                 listen: format!("{ss_remote_host}:{ss_remote_port}"),
+--- a/src/sip003.rs
+++ b/src/sip003.rs
+@@ -6,7 +6,7 @@ pub fn parse_sip003_options(s: &str) ->
+     let mut i = 0;
+     while i < s.len() {
+         // read key
+-        let (offset, key) = index_unescaped(&s[i..], &[b'=', b';']).context("read key")?;
+        let (offset, key) = index_unescaped(&s[i..], b"=;").context("read key")?;
+         if key.is_empty() {
+             bail!("empty key in {}", &s[i..]);
+         }
+@@ -21,7 +21,7 @@ pub fn parse_sip003_options(s: &str) ->
+         // skip equals
+         i += 1;
+         // read value
+-        let (offset, value) = index_unescaped(&s[i..], &[b'=', b';']).context("read value")?;
+        let (offset, value) = index_unescaped(&s[i..], b"=;").context("read value")?;
+         i += offset;
+         opts.push((key, value));
+         // Skip the semicolon.
+@@ -36,7 +36,7 @@ fn index_unescaped(s: &str, term: &[u8])
+ 
+     while i < s.len() {
+         let mut b: u8 = s.as_bytes()[i];
+-        if term.iter().any(|&e| b == e) {
+        if term.contains(&b) {
+             break;
+         }
+         if b == b'\\' {
+--- a/src/util.rs
+++ b/src/util.rs
+@@ -599,7 +599,7 @@ pub(crate) async fn resolve(addr: &str)
+     addr_iter.next().ok_or_else(|| {
+         std::io::Error::new(
+             std::io::ErrorKind::InvalidInput,
+-            format!("unable to resolve addr: {}", addr),
+            format!("unable to resolve addr: {addr}"),
+         )
+     })
+ }
+--- a/tests/tls12.rs
+++ b/tests/tls12.rs
+@@ -4,7 +4,7 @@ use shadow_tls::{RunningArgs, TlsAddrs,
+ mod utils;
+ use utils::*;
+ 
+-// handshake: bing.com(tls1.2 only)
+// handshake: badssl.com(tls1.2 only)
+ // data: captive.apple.com:80
+ // protocol: v2
+ #[test]
+@@ -12,7 +12,7 @@ fn tls12_v2() {
+     let client = RunningArgs::Client {
+         listen_addr: "127.0.0.1:30000".to_string(),
+         target_addr: "127.0.0.1:30001".to_string(),
+-        tls_names: TlsNames::try_from("bing.com").unwrap(),
+        tls_names: TlsNames::try_from("badssl.com").unwrap(),
+         tls_ext: TlsExtConfig::new(None),
+         password: "test".to_string(),
+         nodelay: true,
+@@ -22,7 +22,7 @@ fn tls12_v2() {
+     let server = RunningArgs::Server {
+         listen_addr: "127.0.0.1:30001".to_string(),
+         target_addr: "captive.apple.com:80".to_string(),
+-        tls_addr: TlsAddrs::try_from("bing.com").unwrap(),
+        tls_addr: TlsAddrs::try_from("badssl.com").unwrap(),
+         password: "test".to_string(),
+         nodelay: true,
+         fastopen: true,
+@@ -31,7 +31,7 @@ fn tls12_v2() {
+     test_ok(client, server, CAPTIVE_HTTP_REQUEST, CAPTIVE_HTTP_RESP);
+ }
+ 
+-// handshake: bing.com(tls1.2 only)
+// handshake: badssl.com(tls1.2 only)
+ // data: captive.apple.com:80
+ // protocol: v3 lossy
+ #[test]
+@@ -39,7 +39,7 @@ fn tls12_v3_lossy() {
+     let client = RunningArgs::Client {
+         listen_addr: "127.0.0.1:30002".to_string(),
+         target_addr: "127.0.0.1:30003".to_string(),
+-        tls_names: TlsNames::try_from("bing.com").unwrap(),
+        tls_names: TlsNames::try_from("badssl.com").unwrap(),
+         tls_ext: TlsExtConfig::new(None),
+         password: "test".to_string(),
+         nodelay: true,
+@@ -49,7 +49,7 @@ fn tls12_v3_lossy() {
+     let server = RunningArgs::Server {
+         listen_addr: "127.0.0.1:30003".to_string(),
+         target_addr: "captive.apple.com:80".to_string(),
+-        tls_addr: TlsAddrs::try_from("bing.com").unwrap(),
+        tls_addr: TlsAddrs::try_from("badssl.com").unwrap(),
+         password: "test".to_string(),
+         nodelay: true,
+         fastopen: true,
+@@ -58,7 +58,7 @@ fn tls12_v3_lossy() {
+     utils::test_ok(client, server, CAPTIVE_HTTP_REQUEST, CAPTIVE_HTTP_RESP);
+ }
+ 
+-// handshake: bing.com(tls1.2 only)
+// handshake: badssl.com(tls1.2 only)
+ // data: captive.apple.com:80
+ // protocol: v3 strict
+ // v3 strict cannot work with tls1.2, so it must fail
+@@ -68,7 +68,7 @@ fn tls12_v3_strict() {
+     let client = RunningArgs::Client {
+         listen_addr: "127.0.0.1:30004".to_string(),
+         target_addr: "127.0.0.1:30005".to_string(),
+-        tls_names: TlsNames::try_from("bing.com").unwrap(),
+        tls_names: TlsNames::try_from("badssl.com").unwrap(),
+         tls_ext: TlsExtConfig::new(None),
+         password: "test".to_string(),
+         nodelay: true,
+@@ -78,7 +78,7 @@ fn tls12_v3_strict() {
+     let server = RunningArgs::Server {
+         listen_addr: "127.0.0.1:30005".to_string(),
+         target_addr: "captive.apple.com:80".to_string(),
+-        tls_addr: TlsAddrs::try_from("bing.com").unwrap(),
+        tls_addr: TlsAddrs::try_from("badssl.com").unwrap(),
+         password: "test".to_string(),
+         nodelay: true,
+         fastopen: true,
+@@ -87,8 +87,8 @@ fn tls12_v3_strict() {
+     utils::test_ok(client, server, CAPTIVE_HTTP_REQUEST, CAPTIVE_HTTP_RESP);
+ }
+ 
+-// handshake: bing.com(tls1.2 only)
+-// data: bing.com:443
+// handshake: badssl.com(tls1.2 only)
+// data: badssl.com:443
+ // protocol: v2
+ // Note: v2 can not defend against hijack attack.
+ // Here hijack means directly connect to the handshake server.
+@@ -98,8 +98,8 @@ fn tls12_v3_strict() {
+ fn tls12_v2_hijack() {
+     let client = RunningArgs::Client {
+         listen_addr: "127.0.0.1:30006".to_string(),
+-        target_addr: "bing.com:443".to_string(),
+-        tls_names: TlsNames::try_from("bing.com").unwrap(),
+        target_addr: "badssl.com:443".to_string(),
+        tls_names: TlsNames::try_from("badssl.com").unwrap(),
+         tls_ext: TlsExtConfig::new(None),
+         password: "test".to_string(),
+         nodelay: true,
+@@ -109,7 +109,7 @@ fn tls12_v2_hijack() {
+     test_hijack(client);
+ }
+ 
+-// handshake: bing.com(tls1.2 only)
+// handshake: badssl.com(tls1.2 only)
+ // data: captive.apple.com:80
+ // protocol: v3 lossy
+ // (v3 strict can not work with tls1.2)
+@@ -121,8 +121,8 @@ fn tls12_v2_hijack() {
+ fn tls12_v3_lossy_hijack() {
+     let client = RunningArgs::Client {
+         listen_addr: "127.0.0.1:30007".to_string(),
+-        target_addr: "bing.com:443".to_string(),
+-        tls_names: TlsNames::try_from("bing.com").unwrap(),
+        target_addr: "badssl.com:443".to_string(),
+        tls_names: TlsNames::try_from("badssl.com").unwrap(),
+         tls_ext: TlsExtConfig::new(None),
+         password: "test".to_string(),
+         nodelay: true,
--- a/shadow-tls/patches/100-update-monoio.patch
+++ b/shadow-tls/patches/100-update-monoio.patch
@@ -0,0 +1,117 @@
+--- a/Cargo.lock
+++ b/Cargo.lock
+@@ -1,6 +1,6 @@
+ # This file is automatically @generated by Cargo.
+ # It is not intended for manual editing.
+-version = 3
+version = 4
+ 
+ [[package]]
+ name = "aho-corasick"
+@@ -224,14 +224,13 @@ dependencies = [
+ 
+ [[package]]
+ name = "flume"
+-version = "0.10.14"
+version = "0.11.1"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "1657b4441c3403d9f7b3409e47575237dac27b1b5726df654a6ecbf92f0f7577"
+checksum = "da0e4dd2a88388a1f4ccc7c9ce104604dab68d9f408dc34cd45823d5a9069095"
+ dependencies = [
+  "futures-core",
+  "futures-sink",
+  "nanorand",
+- "pin-project",
+  "spin 0.9.8",
+ ]
+ 
+@@ -393,9 +392,9 @@ dependencies = [
+ 
+ [[package]]
+ name = "memchr"
+-version = "2.6.4"
+version = "2.7.5"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "f665ee40bc4a3c5590afb1e9677db74a508659dfd71e126420da8274909a0167"
+checksum = "32a282da65faaf38286cf3be983213fcf1d2e2a58700e808f83f4ea9a4804bc0"
+ 
+ [[package]]
+ name = "memoffset"
+@@ -420,9 +419,9 @@ dependencies = [
+ 
+ [[package]]
+ name = "monoio"
+-version = "0.2.0"
+version = "0.2.2"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "c91a9bcc2622991bc92f3b6d7dc495329c4863e4dc530d1748529b009bb2170a"
+checksum = "fd5be7ef0eea41e4e5b30fe55aa6fd15288c415118bcdceadd52fd3656816cc7"
+ dependencies = [
+  "auto-const-array",
+  "bytes",
+@@ -430,9 +429,11 @@ dependencies = [
+  "fxhash",
+  "io-uring",
+  "libc",
+ "memchr",
+  "mio",
+  "monoio-macros",
+  "nix 0.26.4",
+ "once_cell",
+  "pin-project-lite",
+  "socket2",
+  "threadpool",
+@@ -538,26 +539,6 @@ source = "registry+https://github.com/ru
+ checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39"
+ 
+ [[package]]
+-name = "pin-project"
+-version = "1.1.3"
+-source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "fda4ed1c6c173e3fc7a83629421152e01d7b1f9b7f65fb301e490e8cfc656422"
+-dependencies = [
+- "pin-project-internal",
+-]
+-
+-[[package]]
+-name = "pin-project-internal"
+-version = "1.1.3"
+-source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "4359fd9c9171ec6e8c62926d6faaf553a8dc3f64e1507e76da7911b4f6a04405"
+-dependencies = [
+- "proc-macro2",
+- "quote",
+- "syn",
+-]
+-
+-[[package]]
+ name = "pin-project-lite"
+ version = "0.2.13"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+--- a/Cargo.toml
+++ b/Cargo.toml
+@@ -10,7 +10,7 @@ repository = "https://github.com/ihciah/
+ version = "0.2.25"
+ 
+ [dependencies]
+-monoio = { version = "0.2.0", features = ["sync"] }
+monoio = { version = "=0.2.2", features = ["sync"] }
+ monoio-rustls-fork-shadow-tls = { version = "0.3.0-mod.2" }
+ rustls-fork-shadow-tls = { version = "0.20.9-mod.2", default-features = false }
+ 
+--- a/src/lib.rs
+++ b/src/lib.rs
+@@ -1,5 +1,3 @@
+-#![feature(impl_trait_in_assoc_type)]
+-
+ mod client;
+ mod helper_v2;
+ mod server;
+--- a/src/main.rs
+++ b/src/main.rs
+@@ -1,5 +1,3 @@
+-#![feature(type_alias_impl_trait)]
+-
+ use std::{collections::HashMap, path::PathBuf, process::exit};
+ 
+ use clap::{Parser, Subcommand, ValueEnum};