nfqws2: allow any size iv_len in aes_gcm

.github/workflows/build.yml

@@ -113,7 +113,7 @@ jobs:
             wget -qO- https://www.lua.org/ftp/lua-${LUA_RELEASE}.tar.gz | tar -xz
             (
               cd lua-${LUA_RELEASE}
-              make CC=$CC CFLAGS="-Os -flto=auto $CFLAGS" linux -j$(nproc)
+              make CC=$CC CFLAGS="-Os -flto=auto -ffunction-sections -fdata-sections -fvisibility=hidden $CFLAGS" linux -j$(nproc)
               make install INSTALL_TOP=$DEPS_DIR INSTALL_BIN=$DEPS_DIR/bin INSTALL_INC=$DEPS_DIR/include/lua${LUA_VER} INSTALL_LIB=$DEPS_DIR/lib
             )
             LJIT=0
@@ -131,7 +131,7 @@ jobs:
             esac
             (
               cd luajit2-*
-              make BUILDMODE=static XCFLAGS=-DLUAJIT_DISABLE_FFI HOST_CC="$HOSTCC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP CFLAGS="-Os -s -flto=auto $CFLAGS" -j$(nproc)
+              make BUILDMODE=static XCFLAGS=-DLUAJIT_DISABLE_FFI HOST_CC="$HOSTCC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP CFLAGS="-Os -s -flto=auto -ffunction-sections -fdata-sections -fvisibility=hidden $CFLAGS" -j$(nproc)
               make install PREFIX= DESTDIR=$DEPS_DIR
             )
             LJIT=1
@@ -430,7 +430,7 @@ jobs:
           wget -q https://github.com/openresty/luajit2/archive/refs/tags/v${LUAJIT_RELEASE}.tar.gz &&
           tar -xzf v${LUAJIT_RELEASE}.tar.gz &&
           rm -f v${LUAJIT_RELEASE}.tar.gz &&
-          make -C luajit2-${LUAJIT_RELEASE} BUILDMODE=static XCFLAGS=-DLUAJIT_DISABLE_FFI CFLAGS="-Os -s" &&
+          make -C luajit2-${LUAJIT_RELEASE} BUILDMODE=static XCFLAGS="-DLUAJIT_DISABLE_FFI -ffat-lto-objects" CFLAGS="-Os -s -flto=auto -ffunction-sections -fdata-sections -fvisibility=hidden" &&
           make -C luajit2-${LUAJIT_RELEASE} install
 
       - name: Build winws

docs/changes.txt

@@ -224,16 +224,17 @@ v0.8.1
 
 0.9.2
 
-nfqws2: bt and utp_bt protocol detectors
-nfqws2: localtime,gmtime,timelocal,timegm luacalls
-winws2: load wlanapi.dll dynamically only if needed
-winws2: fixed lost windivert deinit on logical network disappear
+* nfqws2: bt and utp_bt protocol detectors
+* nfqws2: localtime,gmtime,timelocal,timegm luacalls
+* winws2: load wlanapi.dll dynamically only if needed
+* winws2: fixed lost windivert deinit on logical network disappear
 
 0.9.3
 
-nfqws2: handling of incoming fragmented packets (no reconstruct, raw ip payload)
-zapret-auto: per_instance_condition orchestrator
-zapret-auto: "instances" argument in condition orchestrator
-zapret-auto: cond_tcp_has_ts, cond_lua iff functions
-zapret-lib: replay_execution_plan and plan_clear max parameter
-init.d: use bitmap:port ipset for standard dports
+* nfqws2: handling of incoming fragmented packets (no reconstruct, raw ip payload)
+* zapret-auto: per_instance_condition orchestrator
+* zapret-auto: "instances" argument in condition orchestrator
+* zapret-auto: cond_tcp_has_ts, cond_lua iff functions
+* zapret-lib: replay_execution_plan and plan_clear max parameter
+* init.d: use bitmap:port ipset for standard dports
+* github: reduce executables files size

docs/compile/build_howto_windows.txt

@@ -13,7 +13,7 @@ setup-x86_64.exe --allow-unsupported-windows --no-verify --site http://ctm.crouc
 
 download latest releast, unpack, cd to it's directory
 
-make BUILDMODE=static CFLAGS="-Os"
+make BUILDMODE=static CFLAGS="-Os -DLUAJIT_DISABLE_FFI -ffat-lto-objects -flto=auto -ffunction-sections -fdata-sections -fvisibility=hidden"
 make install
 
 5) cd to %ZAPRET_BASE%/nfq2

nfq2/Makefile

@@ -1,11 +1,12 @@
 CC ?= cc
 PKG_CONFIG ?= pkg-config
 OPTIMIZE ?= -Os
-CFLAGS += -std=gnu99 $(OPTIMIZE) -flto=auto
+CFLAGS += -std=gnu99 $(OPTIMIZE) -flto=auto -Wl,--gc-sections
 CFLAGS_LINUX = -Wno-alloc-size-larger-than
 CFLAGS_SYSTEMD = -DUSE_SYSTEMD
 CFLAGS_BSD = -Wno-address-of-packed-member
 CFLAGS_CYGWIN = -Wno-address-of-packed-member -static
+CFLAGS_CYGWIN32 =
 CFLAGS_UBSAN = -fsanitize=undefined,alignment -fno-sanitize-recover=undefined,alignment
 LDFLAGS_ANDROID = -llog
 LIBS =
@@ -27,6 +28,7 @@ ifeq ($(LUA_JIT),1)
 LUAJIT_VER?=2.1
 LUAJIT_LUA_VER?=5.1
 LUA_PKG:=luajit
+CFLAGS_CYGWIN32 = -msse2 -mfpmath=sse
 
 $(info trying luajit $(LUAJIT_VER) lua $(LUAJIT_LUA_VER))
 
@@ -149,9 +151,9 @@ bsd: $(SRC_FILES)
 	$(CC) -s $(CFLAGS) $(LUA_CFL) $(CFLAGS_BSD) -o dvtws2 $(SRC_FILES) $(LIBS) $(LUA_LIB) $(LIBS_BSD) $(LDFLAGS)
 
 cygwin64:
-	$(CC) -s $(CFLAGS) $(LUA_CFL) $(CFLAGS_CYGWIN) -o winws2 $(SRC_FILES) $(LIBS) $(LUA_LIB) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(RES_CYGWIN64) $(LDFLAGS)
+	$(CC) -s $(CFLAGS) $(LUA_CFL) $(CFLAGS_CYGWIN) -o winws2 $(SRC_FILES) $(RES_CYGWIN64) $(LIBS) $(LUA_LIB) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(LDFLAGS)
 cygwin32:
-	$(CC) -s $(CFLAGS) $(LUA_CFL) $(CFLAGS_CYGWIN) -o winws2 $(SRC_FILES) $(LIBS) $(LUA_LIB) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(RES_CYGWIN32) $(LDFLAGS)
+	$(CC) -s $(CFLAGS) $(LUA_CFL) $(CFLAGS_CYGWIN) $(CFLAGS_CYGWIN32) -o winws2 $(SRC_FILES) $(RES_CYGWIN32) $(LIBS) $(LUA_LIB) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(LDFLAGS)
 cygwin: cygwin64
 
 clean:

nfq2/crypto/gcm.c

@@ -258,8 +258,6 @@ int gcm_start(gcm_context *ctx,    // pointer to user-provided GCM context
 	size_t use_len;     // byte count to process, up to 16 bytes
 	size_t i;           // local loop iterator
 
-	if (iv_len!=12) return -1;
-
 	// since the context might be reused under the same key
 	// we zero the working buffers for this next new process
 	memset(ctx->y, 0x00, sizeof(ctx->y));
@@ -447,7 +445,7 @@ int gcm_crypt_and_tag(
 	   prepare the gcm context with the keying material, we simply
 	   invoke each of the three GCM sub-functions in turn...
 	*/
-	if (iv_len!=12 || tag_len>16) return -1;
+	if (tag_len>16) return -1;
 
 	int ret;
 	if ((ret=gcm_start(ctx, mode, iv, iv_len, add, add_len))) return ret;
@@ -485,7 +483,7 @@ int gcm_auth_decrypt(
 	size_t i;                   // our local iterator
 	int ret;
 
-	if (iv_len!=12 || tag_len>16) return -1;
+	if (tag_len>16) return -1;
 
 	/*
 	   we use GCM_DECRYPT_AND_TAG (above) to perform our decryption

nfq2/crypto/hmac.c

@@ -102,9 +102,8 @@ int hmacReset(HMACContext *context, enum SHAversion whichSha,
 	 */
 	if (key_len > blocksize) {
 		USHAContext tcontext;
-		if (ret=USHAReset(&tcontext, whichSha)) return ret;
-		if (ret=USHAInput(&tcontext, key, key_len)) return ret;
-		if (ret=USHAResult(&tcontext, tempkey)) return ret;
+		if ((ret=USHAReset(&tcontext, whichSha)) || (ret=USHAInput(&tcontext, key, key_len)) || (ret=USHAResult(&tcontext, tempkey)))
+			return ret;
 
 		key = tempkey;
 		key_len = hashsize;

nfq2/lua.c

@@ -686,8 +686,8 @@ static int luacall_aes_gcm(lua_State *L)
 		luaL_error(L, "aes_gcm: wrong key length %u. should be 16,24,32.", (unsigned)key_len);
 	size_t iv_len;
 	const uint8_t *iv = (uint8_t*)lua_reqlstring(L,3,&iv_len);
-	if (iv_len!=12)
-		luaL_error(L, "aes_gcm: wrong iv length %u. should be 12.", (unsigned)iv_len);
+	if (!iv_len)
+		luaL_error(L, "aes_gcm: zero iv length");
 	size_t input_len;
 	const uint8_t *input = (uint8_t*)lua_reqlstring(L,4,&input_len);
 	size_t add_len=0;

nfq2/sec.c

@@ -6,6 +6,7 @@
 #include <unistd.h>
 #include <fcntl.h>
 #include <grp.h>
+#include <errno.h>
 
 #include "params.h"
 
@@ -18,7 +19,6 @@
 // __X32_SYSCALL_BIT defined in linux/unistd.h
 #include <linux/unistd.h>
 #include <syscall.h>
-#include <errno.h>
 
 /************ SECCOMP ************/