Merge pull request #1 from yury-sannikov/master-merge

Master merge
2026-03-14 01:13:09 +00:00 · 2024-02-18 16:22:00 -05:00
parent 39bef8dbbb 616b574f6b
commit 8e4a5d93f3
6 changed files with 91 additions and 50 deletions
--- a/.github/workflows/build-module.yml
+++ b/.github/workflows/build-module.yml
@@ -12,17 +12,18 @@ jobs:
    strategy:
      matrix:
        #tag: ['v23.05.0', 'v23.05.2', 'v22.03.4']
-        tag: ['v22.03.4']
+        tag: ['v23.05.0']
+        # tag: ['v22.03.4']
        build_env:
-          - pkgarch: mips_24kc
-            target: ath79
-            subtarget: nand
+          # - pkgarch: mips_24kc
+          #   target: ath79
+          #   subtarget: nand
          # - pkgarch: mipsel_24kc
          #   target: ramips
          #   subtarget: mt7620
-          # - pkgarch: mipsel_24kc
-          #   target: ramips
-          #   subtarget: mt7621
+          - pkgarch: mipsel_24kc
+            target: ramips
+            subtarget: mt7621
          # - pkgarch: arm_cortex-a7
          #   target: mediatek
          #   subtarget: mt7629
--- a/amnezia-wg-tools/Makefile
+++ b/amnezia-wg-tools/Makefile
@@ -8,14 +8,14 @@

 include $(TOPDIR)/rules.mk

-PKG_NAME:=amneziawg-tools
+PKG_NAME:=amnezia-wg-tools

 PKG_VERSION:=0.0.1-kmod
 PKG_RELEASE:=$(AUTORELEASE)

 PKG_SOURCE:=v$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/amnezia-vpn/amneziawg-tools/archive/refs/tags/
-PKG_HASH:=cc4f523f7ec171b7bb3bdd1bcf4ff2f6833364fab6cad309310a84f33eeafa9b
+PKG_SOURCE_URL:=https://github.com/amnezia-vpn/amnezia-wg-tools/archive/refs/tags/
+PKG_HASH:=0d8cdf6d767700cb6d2cc895d45b1f94668663b00138627329766bb9e36d894e

 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
@@ -26,7 +26,7 @@ include $(INCLUDE_DIR)/package.mk
 MAKE_PATH:=src
 MAKE_VARS += PLATFORM=linux

-define Package/amneziawg-tools
+define Package/amnezia-wg-tools
  CATEGORY:=Network
  URL:=https://www.wireguard.com
  MAINTAINER:=Jason A. Donenfeld <Jason@zx2c4.com>
@@ -36,7 +36,7 @@ define Package/amneziawg-tools
 	  +@BUSYBOX_CONFIG_FEATURE_IP_LINK
 endef

-define Package/amneziawg-tools/description
+define Package/amnezia-wg-tools/description
  WireGuard is a novel VPN that runs inside the Linux Kernel and utilizes
  state-of-the-art cryptography. It aims to be faster, simpler, leaner, and
  more useful than IPSec, while avoiding the massive headache. It intends to
@@ -48,7 +48,7 @@ define Package/amneziawg-tools/description
  `wg(8)`, a netifd protocol helper, and a re-resolve watchdog script.
 endef

-define Package/amneziawg-tools/install
+define Package/amnezia-wg-tools/install
 	$(INSTALL_DIR) $(1)/usr/bin/
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/wg $(1)/usr/bin/amneziawg
 	$(INSTALL_BIN) ./files/amneziawg_watchdog $(1)/usr/bin/
@@ -56,4 +56,4 @@ define Package/amneziawg-tools/install
 	$(INSTALL_BIN) ./files/amneziawg.sh $(1)/lib/netifd/proto/
 endef

-$(eval $(call BuildPackage,amneziawg-tools))
+$(eval $(call BuildPackage,amnezia-wg-tools))
--- a/amnezia-wg-tools/files/amneziawg.sh
+++ b/amnezia-wg-tools/files/amneziawg.sh
@@ -33,23 +33,23 @@ proto_amneziawg_init_config() {
 }

 proto_amneziawg_is_kernel_mode() {
-  if [ ! -e /sys/module/amneziawg ]; then
-    modprobe amneziawg > /dev/null 2&>1 || true
+	if [ ! -e /sys/module/amneziawg ]; then
+		modprobe amneziawg > /dev/null 2&>1 || true

-    if [ -e /sys/module/amneziawg ]; then
-      return 0
-    else
-      if [ ! command -v "${WG_QUICK_USERSPACE_IMPLEMENTATION:-amneziawg-go}" >/dev/null ]; then
-        ret=$?
-        echo "Please install either kernel module (kmod-amneziawg package) or user-space implementation in /usr/bin/amneziawg-go."
-        exit $?
-      else
-        return 1
-      fi
-    fi
-  else
-    return 0
-  fi
+		if [ -e /sys/module/amneziawg ]; then
+			return 0
+		else
+			if [ ! command -v "${WG_QUICK_USERSPACE_IMPLEMENTATION:-amneziawg-go}" >/dev/null ]; then
+				ret=$?
+				echo "Please install either kernel module (kmod-amneziawg package) or user-space implementation in /usr/bin/amneziawg-go."
+				exit $?
+			else
+				return 1
+			fi
+		fi
+	else
+		return 0
+	fi
 }

 proto_amneziawg_setup_peer() {
@@ -190,13 +190,13 @@ proto_amneziawg_setup() {
 	config_get awg_h3 "${config}" "awg_h3"
 	config_get awg_h4 "${config}" "awg_h4"

-	ip link del dev "${config}" 2>/dev/null
-
 	if proto_amneziawg_is_kernel_mode; then
 		logger -t "amneziawg" "info: using kernel-space kmod-amneziawg for ${WG}"
+  	ip link del dev "${config}" 2>/dev/null
 		ip link add dev "${config}" type amneziawg
 	else
 		logger -t "amneziawg" "info: using user-space amneziawg-go for ${WG}"
+		rm -f "/var/run/wireguard/${config}.sock"
 		amneziawg-go "${config}"
 	fi

@@ -245,7 +245,7 @@ proto_amneziawg_setup() {
 		echo "H4 = ${awg_h4}" >> "${wg_cfg}"
 	fi

-	config_foreach proto_amneziawg_setup_peer "wireguard_${config}"
+	config_foreach proto_amneziawg_setup_peer "amneziawg_${config}"

 	# apply configuration file
 	${WG} setconf ${config} "${wg_cfg}"
@@ -297,10 +297,10 @@ proto_amneziawg_teardown() {
 	local config="$1"
 	proto_amneziawg_check_installed
 	if proto_amneziawg_is_kernel_mode; then
-  	ip link del dev "${config}" >/dev/null 2>&1
-  else
-    rm -f /var/run/wireguard/${config}.sock
-  fi
+		ip link del dev "${config}" >/dev/null 2>&1
+	else
+		rm -f /var/run/wireguard/${config}.sock
+	fi
 }

 [ -n "$INCLUDE_ONLY" ] || {
--- a/amnezia-wg-tools/files/amneziawg_watchdog
+++ b/amnezia-wg-tools/files/amneziawg_watchdog
--- a/kmod-amneziawg/files/amnezia-sources.patch
+++ b/kmod-amneziawg/files/amnezia-sources.patch
@@ -44,22 +44,24 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
 	pr_debug("%s: Interface created\n", dev->name);
 	return ret;
 
-@@ -475,4 +480,79 @@
+@@ -475,4 +480,118 @@
 	unregister_random_vmfork_notifier(&vm_notifier);
 	unregister_pm_notifier(&pm_notifier);
 	rcu_barrier();
 +}
 +
-+void wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc)
+int wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc)
 +{
 +	struct wg_device *wg = netdev_priv(dev);
 +	bool a_sec_on = false;
+	int ret = 0;
 +
 +	if (!asc->advanced_security_enabled)
-+		return;
+		goto out;
 +
 +	if (asc->junk_packet_count < 0) {
-+		// TODO error
+		net_dbg_ratelimited("%s: JunkPacketCount should be non negative\n", dev->name);
+		ret = -EINVAL;
 +	}
 +
 +	wg->advanced_security_config.junk_packet_count = asc->junk_packet_count;
@@ -77,9 +79,15 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
 +		wg->advanced_security_config.junk_packet_min_size = 0;
 +		wg->advanced_security_config.junk_packet_max_size = 1;
 +
-+		// TODO error
+		net_dbg_ratelimited("%s: JunkPacketMaxSize: %d; should be smaller than maxSegmentSize: %d\n",
+							dev->name, asc->junk_packet_max_size,
+							MESSAGE_MAX_SIZE);
+		ret = -EINVAL;
 +	} else if (asc->junk_packet_max_size < asc->junk_packet_min_size) {
-+		// TODO error
+		net_dbg_ratelimited("%s: maxSize: %d; should be greater than minSize: %d\n",
+							dev->name, asc->junk_packet_max_size,
+							asc->junk_packet_min_size);
+		ret = -EINVAL;
 +	} else
 +		wg->advanced_security_config.junk_packet_max_size = asc->junk_packet_max_size;
 +
@@ -87,7 +95,10 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
 +		a_sec_on = true;
 +
 +	if (asc->init_packet_junk_size + MESSAGE_INITIATION_SIZE >= MESSAGE_MAX_SIZE) {
-+		// TODO error
+		net_dbg_ratelimited("%s: init header size (%d) + junkSize (%d) should be smaller than maxSegmentSize: %d\n",
+		                    dev->name, MESSAGE_INITIATION_SIZE,
+							asc->init_packet_junk_size, MESSAGE_MAX_SIZE);
+		ret = -EINVAL;
 +	} else
 +		wg->advanced_security_config.init_packet_junk_size = asc->init_packet_junk_size;
 +
@@ -95,7 +106,10 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
 +		a_sec_on = true;
 +
 +	if (asc->response_packet_junk_size + MESSAGE_RESPONSE_SIZE >= MESSAGE_MAX_SIZE) {
-+		// TODO error
+		net_dbg_ratelimited("%s: response header size (%d) + junkSize (%d) should be smaller than maxSegmentSize: %d\n",
+		                    dev->name, MESSAGE_RESPONSE_SIZE,
+		                    asc->response_packet_junk_size, MESSAGE_MAX_SIZE);
+		ret = -EINVAL;
 +	} else
 +		wg->advanced_security_config.response_packet_junk_size = asc->response_packet_junk_size;
 +
@@ -122,7 +136,32 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
 +		wg->advanced_security_config.transport_packet_magic_header = asc->transport_packet_magic_header;
 +	}
 +
+	if (asc->init_packet_magic_header == asc->response_packet_magic_header ||
+			asc->init_packet_magic_header == asc->cookie_packet_magic_header ||
+			asc->init_packet_magic_header == asc->transport_packet_magic_header ||
+			asc->response_packet_magic_header == asc->cookie_packet_magic_header ||
+			asc->response_packet_magic_header == asc->transport_packet_magic_header ||
+			asc->cookie_packet_magic_header == asc->transport_packet_magic_header) {
+		net_dbg_ratelimited("%s: magic headers should differ; got: init:%d; recv:%d; unde:%d; tran:%d\n",
+		                    dev->name,
+							asc->init_packet_magic_header,
+		                    asc->response_packet_magic_header,
+							asc->cookie_packet_magic_header,
+							asc->transport_packet_magic_header);
+		ret = -EINVAL;
+	}
+
+	if (MESSAGE_INITIATION_SIZE + asc->init_packet_junk_size == MESSAGE_RESPONSE_SIZE + asc->response_packet_junk_size) {
+		net_dbg_ratelimited("%s: new init size:%d; and new response size:%d; should differ\n",
+		                    dev->name,
+		                    MESSAGE_INITIATION_SIZE + asc->init_packet_junk_size,
+		                    MESSAGE_RESPONSE_SIZE + asc->response_packet_junk_size);
+		ret = -EINVAL;
+	}
+
 +	wg->advanced_security_config.advanced_security_enabled = a_sec_on;
+out:
+	return ret;
 }
 diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kconfig -x Makefile -x dkms.conf ../../linux-source-6.2.0/drivers/net/wireguard/device.h ./device.h
 --- ../../linux-source-6.2.0/drivers/net/wireguard/device.h	2023-11-10 18:10:29
@@ -159,7 +198,7 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
 
 int wg_device_init(void);
 void wg_device_uninit(void);
-+void wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc);
+int wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc);
 
 #endif /* _WG_DEVICE_H */
 diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kconfig -x Makefile -x dkms.conf ../../linux-source-6.2.0/drivers/net/wireguard/main.c ./main.c
@@ -334,11 +373,13 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
 	if (flags & WGDEVICE_F_REPLACE_PEERS)
 		wg_peer_remove_all(wg);
 
-@@ -597,10 +670,12 @@
+@@ -597,10 +670,14 @@
 	ret = 0;
 
 out:
-+	wg_device_handle_post_config(wg->dev, asc);
+	if (!ret)
+		ret = wg_device_handle_post_config(wg->dev, asc);
+
 	mutex_unlock(&wg->device_update_lock);
 	rtnl_unlock();
 	dev_put(wg->dev);
--- a/luci-app-amneziawg/htdocs/luci-static/resources/protocol/amneziawg.js
+++ b/luci-app-amneziawg/htdocs/luci-static/resources/protocol/amneziawg.js
@@ -385,8 +385,6 @@ return network.registerProtocol('amneziawg', {
 			    cancel = nodes.nextElementSibling.querySelector('.btn'),
 			    config = this.parseConfig(input);

-            console.log(input);
-
 			if (typeof(config) == 'string') {
 				error.firstChild.data = _('Cannot parse configuration: %s').format(config);
 				error.style.display = 'block';
@@ -748,6 +746,7 @@ return network.registerProtocol('amneziawg', {
 		o.createPeerConfig = function(section_id, endpoint, ips) {
 			var pub = s.formvalue(s.section, 'public_key'),
 			    port = s.formvalue(s.section, 'listen_port') || '51820',
+                jc = s.formvalue
 			    prv = this.section.formvalue(section_id, 'private_key'),
 			    psk = this.section.formvalue(section_id, 'preshared_key'),
 			    eport = this.section.formvalue(section_id, 'endpoint_port'),