From 3ee23f6a636001fa1658112475b9dfdd9447dcfa Mon Sep 17 00:00:00 2001
From: A-BO <86697442+lwb1978@users.noreply.github.com>
Date: Sat, 5 Jul 2025 14:16:39 +0800
Subject: [PATCH] shadow-tls: update to latest commit
Co-Authored-By: Tianling Shen
---
 shadow-tls/Makefile | 78 ++----
 ...ding-WildcardSNI-from-sip003_arg-115.patch | 23 ++
 ...ly-website-for-tls12-test-suites-129.patch | 230 ++++++++++++++++++
 shadow-tls/patches/100-update-monoio.patch | 117 +++++++++
 4 files changed, 397 insertions(+), 51 deletions(-)
 create mode 100644 shadow-tls/patches/010-Fix-reading-WildcardSNI-from-sip003_arg-115.patch
 create mode 100644 shadow-tls/patches/011-fix-use-tls1-2-only-website-for-tls12-test-suites-129.patch
 create mode 100644 shadow-tls/patches/100-update-monoio.patch
diff --git a/shadow-tls/Makefile b/shadow-tls/Makefile
index cd21b7f..d642ce8 100644
--- a/shadow-tls/Makefile
+++ b/shadow-tls/Makefile
@@ -1,67 +1,43 @@
 # SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2025 ImmortalWrt.org
 include $(TOPDIR)/rules.mk
-include $(INCLUDE_DIR)/package.mk
 PKG_NAME:=shadow-tls
 PKG_VERSION:=0.2.25
 PKG_RELEASE:=1
-PKG_LICENSE_FILES:=LICENSE
-PKG_MAINTAINER:=FluffyTigerFear
-RELEASE_HEAD:=$(PKG_NAME)
-RELEASE_FOOT:=unknown-linux-musl
-ifeq ($(ARCH),aarch64)
- RELEASE_ARCH:=$(RELEASE_HEAD)-aarch64-$(RELEASE_FOOT)
- PKG_HASH:=3295476b37f549a68906519d3eaecb74bf3b6eaf9094cebb16ee84f0151373c6
-else ifeq ($(ARCH),arm)
- ifeq ($(CONFIG_CPU_TYPE),cortex-a7)
- RELEASE_ARCH:=$(RELEASE_HEAD)-armv7-$(RELEASE_FOOT)eabihf
- PKG_HASH:=e6f918a072557c50fd0ea950af9a156a9b102af72c1d010ff85d08d13006c54f
- else ifeq ($(CONFIG_CPU_TYPE),cortex-a9)
- RELEASE_ARCH:=$(RELEASE_HEAD)-armv7-$(RELEASE_FOOT)eabihf
- PKG_HASH:=e6f918a072557c50fd0ea950af9a156a9b102af72c1d010ff85d08d13006c54f
- else
- RELEASE_ARCH:=$(RELEASE_HEAD)-arm-$(RELEASE_FOOT)eabi
- PKG_HASH:=b6743bc60e1727972ece0fd5acf3a931e5be05cedee6f637e7e3d8c5b8d58f16
- endif
-else ifeq ($(ARCH),x86_64)
- RELEASE_ARCH:=$(RELEASE_HEAD)-x86_64-$(RELEASE_FOOT)
- PKG_HASH:=a173f5f2d57f45211b68e10ceeddc15b1791077b914fa89747bc705fddc71532
-else
- PKG_SOURCE:=dummy
- PKG_HASH:=dummy
-endif
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://codeload.github.com/ihciah/shadow-tls/tar.gz/v$(PKG_VERSION)?
+PKG_HASH:=1d1d436734823ba0302de6e91883ed892ea710769c722a139990194ff5837224
-define Download/shadow-tls
- URL:=https://github.com/ihciah/shadow-tls/releases/download/v$(PKG_VERSION)
- URL_FILE:=$(RELEASE_ARCH)
- FILE:=$(RELEASE_ARCH)
- HASH:=$(PKG_HASH)
-endef
+PKG_MAINTAINER:=Tianling Shen
+PKG_LICENSE:=MIT
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_BUILD_DEPENDS:=rust/host
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+include $(TOPDIR)/feeds/packages/lang/rust/rust-package.mk
 define Package/shadow-tls
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=Web Servers/Proxies
- TITLE:=A proxy to expose real tls handshake to the firewall.
- URL:=https://github.com/ihciah/shadow-tls
- DEPENDS:=@USE_MUSL @(aarch64||arm||x86_64) @!(TARGET_x86_geode||TARGET_x86_legacy)
+ SECTION:=net
+ CATEGORY:=Network
+ SUBMENU:=Web Servers/Proxies
+ TITLE:=A proxy to expose real tls handshake to the firewall
+ URL:=https://github.com/ihciah/shadow-tls
+ DEPENDS:=@(aarch64||arm||x86_64)
 endef
-define Build/Prepare
- $(call Build/Prepare/Default)
-ifneq ($(CONFIG_PACKAGE_shadow-tls),)
- $(call Download,shadow-tls)
-endif
-endef
-
-define Build/Compile
-endef
-
-define Package/shadow-tls/install
- $(INSTALL_DIR) $(1)/usr/bin
- $(INSTALL_BIN) $(DL_DIR)/$(RELEASE_ARCH) $(1)/usr/bin/shadow-tls
+define Package/shadow-tls/description
+ A proxy to expose real tls handshake to the firewall.
+
+ It works like trojan but it does not require signing certificate.
+ The firewall will see real tls handshake with valid certificate
+ that you choose.
 endef
+$(eval $(call RustBinPackage,shadow-tls))
 $(eval $(call BuildPackage,shadow-tls))
diff --git a/shadow-tls/patches/010-Fix-reading-WildcardSNI-from-sip003_arg-115.patch b/shadow-tls/patches/010-Fix-reading-WildcardSNI-from-sip003_arg-115.patch
new file mode 100644
index 0000000..70287b5
--- /dev/null
+++ b/shadow-tls/patches/010-Fix-reading-WildcardSNI-from-sip003_arg-115.patch
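Review bot: `DEPENDS:=@(aarch64||arm||x86_64)` carries over the architecture whitelist that the old Makefile needed because it fetched per-arch prebuilt release binaries, but now that the package is built from source through rust-package.mk the file no longer shows why every other Rust-capable target is excluded. If the restriction is intentional (presumably because upstream only publishes and tests aarch64, armv7 and x86_64 builds), a one-line comment above it such as `# upstream only ships/tests aarch64, armv7 and x86_64; widen once verified on other targets` would keep the next maintainer from treating it as a leftover; if it is not, the packages feed's `$(RUST_ARCH_DEPENDS)` defined next to rust-package.mk is the usual value. With the source tarball pinned by `PKG_HASH`, the integrity of the dependency graph now rests on the crate checksums in the lockfile as modified by patches/100-update-monoio.patch rather than on the old release-binary hashes, so that patch deserves the same scrutiny as the tarball hash.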
@@ -0,0 +1,23 @@
+From 045014130570dd23d5a9cce124b78b2bb1ddaf5f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E1=A1=A0=E1=A0=B5=E1=A1=A0=E1=A1=B3=20=E1=A1=A0=E1=A0=B5?=
+ =?UTF-8?q?=E1=A1=A0=20=E1=A0=AE=E1=A0=A0=E1=A0=A8=E1=A1=A9=E1=A0=8B?=
+ =?UTF-8?q?=E1=A0=A0=E1=A0=A8?=
+ <125150101+UjuiUjuMandan@users.noreply.github.com>
+Date: Thu, 24 Apr 2025 22:39:07 +0000
+Subject: [PATCH] Fix reading WildcardSNI from sip003_arg (#115)
+
+---
+ src/main.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/main.rs
++++ b/src/main.rs
+@@ -269,7 +269,7 @@ pub(crate) fn get_sip003_arg() -> Option
+ let tls_addrs = parse_server_addrs(tls_addr)
+ .expect("tls param parse failed(like tls=xxx.com:443 or tls=yyy.com:1.2.3.4:443;zzz.com:443;xxx.com)");
+ let wildcard_sni =
+- WildcardSNI::from_str(opts.get("tls").map(AsRef::as_ref).unwrap_or_default(), true)
++ WildcardSNI::from_str(opts.get("wildcard-sni").map(AsRef::as_ref).unwrap_or("off"), true)
+ .expect("wildcard_sni format error");
+ Args {
+ cmd: crate::Commands::Server {
diff --git a/shadow-tls/patches/011-fix-use-tls1-2-only-website-for-tls12-test-suites-129.patch b/shadow-tls/patches/011-fix-use-tls1-2-only-website-for-tls12-test-suites-129.patch
new file mode 100644
index 0000000..aae3fad
--- /dev/null
+++ b/shadow-tls/patches/011-fix-use-tls1-2-only-website-for-tls12-test-suites-129.patch
@@ -0,0 +1,230 @@
+From 02dd0bc7bae8a2011729f95021690e694fd8e43e Mon Sep 17 00:00:00 2001
+From: V
+Date: Fri, 25 Apr 2025 18:27:13 +0200
+Subject: [PATCH] fix: use tls1.2 only website for tls12 test suites (#129)
+
+* fix: use tls1.2 only website for tls12 test suites
+---
+ src/helper_v2.rs | 2 ++
+ src/main.rs | 12 +++++++-----
+ src/sip003.rs | 6 +++---
+ src/util.rs | 2 +-
+ tests/tls12.rs | 32 ++++++++++++++++----------------
+ 5 files changed, 29 insertions(+), 25 deletions(-)
+
+--- a/src/helper_v2.rs
++++ b/src/helper_v2.rs
+@@ -26,6 +26,7 @@ use crate::util::prelude::*;
+
+ pub(crate) const HMAC_SIZE_V2: usize = 8;
+
++#[allow(unused)]
+ pub(crate) trait HashedStream {
+ fn hash_stream(&self) -> [u8; 20];
+ }
+@@ -98,6 +99,7 @@ impl HashedWriteStream {
+ })
+ }
+
++ #[allow(unused)]
+ pub(crate) fn hash(&self) -> [u8; 20] {
+ self.hmac
+ .borrow()
+--- a/src/main.rs
++++ b/src/main.rs
+@@ -252,7 +252,7 @@ pub(crate) fn get_sip003_arg() -> Option
+ let opts: HashMap<_, _> = opts.into_iter().collect();
+
+ let threads = opts.get("threads").map(|s| s.parse::().unwrap());
+- let v3 = opts.get("v3").is_some();
++ let v3 = opts.contains_key("v3");
+ let passwd = opts
+ .get("passwd")
+ .expect("need passwd param(like passwd=123456)");
+@@ -262,15 +262,17 @@ pub(crate) fn get_sip003_arg() -> Option
+ v3,
+ ..Default::default()
+ };
+- let args = if opts.get("server").is_some() {
++ let args = if opts.contains_key("server") {
+ let tls_addr = opts
+ .get("tls")
+ .expect("tls param must be specified(like tls=xxx.com:443)");
+ let tls_addrs = parse_server_addrs(tls_addr)
+ .expect("tls param parse failed(like tls=xxx.com:443 or tls=yyy.com:1.2.3.4:443;zzz.com:443;xxx.com)");
+- let wildcard_sni =
+- WildcardSNI::from_str(opts.get("wildcard-sni").map(AsRef::as_ref).unwrap_or("off"), true)
+- .expect("wildcard_sni format error");
++ let wildcard_sni = WildcardSNI::from_str(
++ opts.get("wildcard-sni").map(AsRef::as_ref).unwrap_or("off"),
++ true,
++ )
++ .expect("wildcard_sni format error");
+ Args {
+ cmd: crate::Commands::Server {
+ listen: format!("{ss_remote_host}:{ss_remote_port}"),
+--- a/src/sip003.rs
++++ b/src/sip003.rs
+@@ -6,7 +6,7 @@ pub fn parse_sip003_options(s: &str) ->
+ let mut i = 0;
+ while i < s.len() {
+ // read key
+- let (offset, key) = index_unescaped(&s[i..], &[b'=', b';']).context("read key")?;
++ let (offset, key) = index_unescaped(&s[i..], b"=;").context("read key")?;
+ if key.is_empty() {
+ bail!("empty key in {}", &s[i..]);
+ }
+@@ -21,7 +21,7 @@ pub fn parse_sip003_options(s: &str) ->
+ // skip equals
+ i += 1;
+ // read value
+- let (offset, value) = index_unescaped(&s[i..], &[b'=', b';']).context("read value")?;
++ let (offset, value) = index_unescaped(&s[i..], b"=;").context("read value")?;
+ i += offset;
+ opts.push((key, value));
+ // Skip the semicolon.
+@@ -36,7 +36,7 @@ fn index_unescaped(s: &str, term: &[u8])
+
+ while i < s.len() {
+ let mut b: u8 = s.as_bytes()[i];
+- if term.iter().any(|&e| b == e) {
++ if term.contains(&b) {
+ break;
+ }
+ if b == b'\\' {
+--- a/src/util.rs
++++ b/src/util.rs
+@@ -599,7 +599,7 @@ pub(crate) async fn resolve(addr: &str)
+ addr_iter.next().ok_or_else(|| {
+ std::io::Error::new(
+ std::io::ErrorKind::InvalidInput,
+- format!("unable to resolve addr: {}", addr),
++ format!("unable to resolve addr: {addr}"),
+ )
+ })
+ }
+--- a/tests/tls12.rs
++++ b/tests/tls12.rs
+@@ -4,7 +4,7 @@ use shadow_tls::{RunningArgs, TlsAddrs,
+ mod utils;
+ use utils::*;
+
+-// handshake: bing.com(tls1.2 only)
++// handshake: badssl.com(tls1.2 only)
+ // data: captive.apple.com:80
+ // protocol: v2
+ #[test]
+@@ -12,7 +12,7 @@ fn tls12_v2() {
+ let client = RunningArgs::Client {
+ listen_addr: "127.0.0.1:30000".to_string(),
+ target_addr: "127.0.0.1:30001".to_string(),
+- tls_names: TlsNames::try_from("bing.com").unwrap(),
++ tls_names: TlsNames::try_from("badssl.com").unwrap(),
+ tls_ext: TlsExtConfig::new(None),
+ password: "test".to_string(),
+ nodelay: true,
+@@ -22,7 +22,7 @@ fn tls12_v2() {
+ let server = RunningArgs::Server {
+ listen_addr: "127.0.0.1:30001".to_string(),
+ target_addr: "captive.apple.com:80".to_string(),
+- tls_addr: TlsAddrs::try_from("bing.com").unwrap(),
++ tls_addr: TlsAddrs::try_from("badssl.com").unwrap(),
+ password: "test".to_string(),
+ nodelay: true,
+ fastopen: true,
+@@ -31,7 +31,7 @@ fn tls12_v2() {
+ test_ok(client, server, CAPTIVE_HTTP_REQUEST, CAPTIVE_HTTP_RESP);
+ }
+
+-// handshake: bing.com(tls1.2 only)
++// handshake: badssl.com(tls1.2 only)
+ // data: captive.apple.com:80
+ // protocol: v3 lossy
+ #[test]
+@@ -39,7 +39,7 @@ fn tls12_v3_lossy() {
+ let client = RunningArgs::Client {
+ listen_addr: "127.0.0.1:30002".to_string(),
+ target_addr: "127.0.0.1:30003".to_string(),
+- tls_names: TlsNames::try_from("bing.com").unwrap(),
++ tls_names: TlsNames::try_from("badssl.com").unwrap(),
+ tls_ext: TlsExtConfig::new(None),
+ password: "test".to_string(),
+ nodelay: true,
+@@ -49,7 +49,7 @@ fn tls12_v3_lossy() {
+ let server = RunningArgs::Server {
+ listen_addr: "127.0.0.1:30003".to_string(),
+ target_addr: "captive.apple.com:80".to_string(),
+- tls_addr: TlsAddrs::try_from("bing.com").unwrap(),
++ tls_addr: TlsAddrs::try_from("badssl.com").unwrap(),
+ password: "test".to_string(),
+ nodelay: true,
+ fastopen: true,
+@@ -58,7 +58,7 @@ fn tls12_v3_lossy() {
+ utils::test_ok(client, server, CAPTIVE_HTTP_REQUEST, CAPTIVE_HTTP_RESP);
+ }
+
+-// handshake: bing.com(tls1.2 only)
++// handshake: badssl.com(tls1.2 only)
+ // data: captive.apple.com:80
+ // protocol: v3 strict
+ // v3 strict cannot work with tls1.2, so it must fail
+@@ -68,7 +68,7 @@ fn tls12_v3_strict() {
+ let client = RunningArgs::Client {
+ listen_addr: "127.0.0.1:30004".to_string(),
+ target_addr: "127.0.0.1:30005".to_string(),
+- tls_names: TlsNames::try_from("bing.com").unwrap(),
++ tls_names: TlsNames::try_from("badssl.com").unwrap(),
+ tls_ext: TlsExtConfig::new(None),
+ password: "test".to_string(),
+ nodelay: true,
+@@ -78,7 +78,7 @@ fn tls12_v3_strict() {
+ let server = RunningArgs::Server {
+ listen_addr: "127.0.0.1:30005".to_string(),
+ target_addr: "captive.apple.com:80".to_string(),
+- tls_addr: TlsAddrs::try_from("bing.com").unwrap(),
++ tls_addr: TlsAddrs::try_from("badssl.com").unwrap(),
+ password: "test".to_string(),
+ nodelay: true,
+ fastopen: true,
+@@ -87,8 +87,8 @@ fn tls12_v3_strict() {
+ utils::test_ok(client, server, CAPTIVE_HTTP_REQUEST, CAPTIVE_HTTP_RESP);
+ }
+
+-// handshake: bing.com(tls1.2 only)
+-// data: bing.com:443
++// handshake: badssl.com(tls1.2 only)
++// data: badssl.com:443
+ // protocol: v2
+ // Note: v2 can not defend against hijack attack.
+ // Here hijack means directly connect to the handshake server.
+@@ -98,8 +98,8 @@ fn tls12_v3_strict() {
+ fn tls12_v2_hijack() {
+ let client = RunningArgs::Client {
+ listen_addr: "127.0.0.1:30006".to_string(),
+- target_addr: "bing.com:443".to_string(),
+- tls_names: TlsNames::try_from("bing.com").unwrap(),
++ target_addr: "badssl.com:443".to_string(),
++ tls_names: TlsNames::try_from("badssl.com").unwrap(),
+ tls_ext: TlsExtConfig::new(None),
+ password: "test".to_string(),
+ nodelay: true,
+@@ -109,7 +109,7 @@ fn tls12_v2_hijack() {
+ test_hijack(client);
+ }
+
+-// handshake: bing.com(tls1.2 only)
++// handshake: badssl.com(tls1.2 only)
+ // data: captive.apple.com:80
+ // protocol: v3 lossy
+ // (v3 strict can not work with tls1.2)
+@@ -121,8 +121,8 @@ fn tls12_v2_hijack() {
+ fn tls12_v3_lossy_hijack() {
+ let client = RunningArgs::Client {
+ listen_addr: "127.0.0.1:30007".to_string(),
+- target_addr: "bing.com:443".to_string(),
+- tls_names: TlsNames::try_from("bing.com").unwrap(),
++ target_addr: "badssl.com:443".to_string(),
++ tls_names: TlsNames::try_from("badssl.com").unwrap(),
+ tls_ext: TlsExtConfig::new(None),
+ password: "test".to_string(),
+ nodelay: true,
diff --git a/shadow-tls/patches/100-update-monoio.patch b/shadow-tls/patches/100-update-monoio.patch
new file mode 100644
index 0000000..b5ee618
--- /dev/null
+++ b/shadow-tls/patches/100-update-monoio.patch
@@ -0,0 +1,117 @@ +--- a/Cargo.lock ++++ b/Cargo.lock +@@ -1,6 +1,6 @@ + # This file is automatically @generated by Cargo. + # It is not intended for manual editing. +-version = 3 ++version = 4 + + [[package]] + name = "aho-corasick" +@@ -224,14 +224,13 @@ dependencies = [ + + [[package]] + name = "flume" +-version = "0.10.14" ++version = "0.11.1" + source = "registry+https://github.com/rust-lang/crates.io-index" +-checksum = "1657b4441c3403d9f7b3409e47575237dac27b1b5726df654a6ecbf92f0f7577" ++checksum = "da0e4dd2a88388a1f4ccc7c9ce104604dab68d9f408dc34cd45823d5a9069095" + dependencies = [ + "futures-core", + "futures-sink", + "nanorand", +- "pin-project", + "spin 0.9.8", + ] + +@@ -393,9 +392,9 @@ dependencies = [ + + [[package]] + name = "memchr" +-version = "2.6.4" ++version = "2.7.5" + source = "registry+https://github.com/rust-lang/crates.io-index" +-checksum = "f665ee40bc4a3c5590afb1e9677db74a508659dfd71e126420da8274909a0167" ++checksum = "32a282da65faaf38286cf3be983213fcf1d2e2a58700e808f83f4ea9a4804bc0" + + [[package]] + name = "memoffset" +@@ -420,9 +419,9 @@ dependencies = [ + + [[package]] + name = "monoio" +-version = "0.2.0" ++version = "0.2.2" + source = "registry+https://github.com/rust-lang/crates.io-index" +-checksum = "c91a9bcc2622991bc92f3b6d7dc495329c4863e4dc530d1748529b009bb2170a" ++checksum = "fd5be7ef0eea41e4e5b30fe55aa6fd15288c415118bcdceadd52fd3656816cc7" + dependencies = [ + "auto-const-array", + "bytes", +@@ -430,9 +429,11 @@ dependencies = [ + "fxhash", + "io-uring", + "libc", ++ "memchr", + "mio", + "monoio-macros", + "nix 0.26.4", ++ "once_cell", + "pin-project-lite", + "socket2", + "threadpool", +@@ -538,26 +539,6 @@ source = "registry+https://github.com/ru + checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39" + + [[package]] +-name = "pin-project" +-version = "1.1.3" +-source = "registry+https://github.com/rust-lang/crates.io-index" +-checksum = 
"fda4ed1c6c173e3fc7a83629421152e01d7b1f9b7f65fb301e490e8cfc656422" +-dependencies = [ +- "pin-project-internal", +-] +- +-[[package]] +-name = "pin-project-internal" +-version = "1.1.3" +-source = "registry+https://github.com/rust-lang/crates.io-index" +-checksum = "4359fd9c9171ec6e8c62926d6faaf553a8dc3f64e1507e76da7911b4f6a04405" +-dependencies = [ +- "proc-macro2", +- "quote", +- "syn", +-] +- +-[[package]] + name = "pin-project-lite" + version = "0.2.13" + source = "registry+https://github.com/rust-lang/crates.io-index" +--- a/Cargo.toml ++++ b/Cargo.toml +@@ -10,7 +10,7 @@ repository = "https://github.com/ihciah/ + version = "0.2.25" + + [dependencies] +-monoio = { version = "0.2.0", features = ["sync"] } ++monoio = { version = "=0.2.2", features = ["sync"] } + monoio-rustls-fork-shadow-tls = { version = "0.3.0-mod.2" } + rustls-fork-shadow-tls = { version = "0.20.9-mod.2", default-features = false } + +--- a/src/lib.rs ++++ b/src/lib.rs +@@ -1,5 +1,3 @@ +-#![feature(impl_trait_in_assoc_type)] +- + mod client; + mod helper_v2; + mod server; +--- a/src/main.rs ++++ b/src/main.rs +@@ -1,5 +1,3 @@ +-#![feature(type_alias_impl_trait)] +- + use std::{collections::HashMap, path::PathBuf, process::exit}; + + use clap::{Parser, Subcommand, ValueEnum};