diff --git a/openwrt-trojan/README b/openwrt-trojan/README new file mode 100644 index 0000000..1e59773 --- /dev/null +++ b/openwrt-trojan/README @@ -0,0 +1,29 @@ +openwrt-trojan +============== + +Usage +--- + +1. copy these two folders to /package. + +2. install feeds from openwrt official package repository. + + ./scripts/feeds update -a + ./scripts/feeds install -a + +3. use 'make menuconfig' to select trojan package + +4. the buildroot generate trojan binary linked to our openssl. + You may use 'make package/trojan/{clean,compile} V=99' or + whatever you like. + +5. edit '/etc/config/trojan' file to enable it. + The init script is disabled by default to avoid startup + before configuration. + +FAQ +--- + +Q: May I use openssl from openwrt? +A: As long as you don't need cutting-edge features, e.g. TLS 1.3. + BTW, the Makefile doesn't depend on official openssl package. diff --git a/openwrt-trojan/openssl1.1/Makefile b/openwrt-trojan/openssl1.1/Makefile new file mode 100644 index 0000000..3da3983 --- /dev/null +++ b/openwrt-trojan/openssl1.1/Makefile 
@@ -0,0 +1,162 @@ +# +# Copyright (C) 2006-2016 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +### Modified by wongsyrone to fit need of trojan-gfw/trojan + +include $(TOPDIR)/rules.mk + +PKG_NAME:=openssl1.1 + +PKG_BASE:=1.1.1 +PKG_BUGFIX:=l +PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX) +PKG_HASH:=0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1 +ENGINES_DIR=engines-1.1 + + +PKG_RELEASE:=1 +PKG_USE_MIPS16:=0 +PATCH_DIR=./patches/$(PKG_BASE) + +PKG_BUILD_PARALLEL:=0 +PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)/openssl-$(PKG_VERSION) + +PKG_SOURCE:=openssl-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:= \ + http://www.openssl.org/source/ \ + http://www.openssl.org/source/old/$(PKG_BASE)/ \ + http://ftp.fi.muni.cz/pub/openssl/source/ \ + http://ftp.fi.muni.cz/pub/openssl/source/old/$(PKG_BASE)/ \ + ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/ \ + ftp://ftp.pca.dfn.de/pub/tools/net/openssl/source/old/$(PKG_BASE)/ + +PKG_LICENSE:=OpenSSL +PKG_LICENSE_FILES:=LICENSE +PKG_CPE_ID:=cpe:/a:openssl:openssl + +include $(INCLUDE_DIR)/package.mk + +ifneq ($(CONFIG_CCACHE),) +HOSTCC=$(HOSTCC_NOCACHE) +HOSTCXX=$(HOSTCXX_NOCACHE) +endif + +define Package/$(PKG_NAME)/Default + TITLE:=Open source SSL toolkit + URL:=http://www.openssl.org/ + SECTION:=libs + CATEGORY:=Libraries +endef + +define Package/openssl1.1/Default/description +The OpenSSL Project is a collaborative effort to develop a robust, +commercial-grade, full-featured, and Open Source toolkit implementing the +Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols as well +as a full-strength general-purpose cryptography library. 
+endef + +define Package/libopenssl1.1 +$(call Package/openssl1.1/Default) + SUBMENU:=SSL + TITLE+= (libraries) + ABI_VERSION:=$(PKG_VERSION) + MENU:=1 +endef + +define Package/libopenssl1.1/description +$(call Package/openssl/Default/description) +This package contains the OpenSSL shared libraries, needed by other programs. +endef + + +define Package/libopenssl1.1/conffiles +/etc/ssl/openssl.cnf +endef + +# do NOT interfere original openssl staging dir +MY_PKG_STAGING_DIR:=$(BUILD_DIR)/openssl1.1_staging_dir + +OPENSSL_OPTIONS:= no-shared no-ssl3-method + +# https://github.com/openssl/openssl/issues/1607 +# it seems musl-libc doesn't support this +OPENSSL_OPTIONS += no-async + +OPENSSL_OPTIONS += no-sm2 no-sm3 no-sm4 + +OPENSSL_OPTIONS += no-idea + +OPENSSL_OPTIONS += no-seed + +OPENSSL_OPTIONS += no-whirlpool + +OPENSSL_OPTIONS += no-deprecated + +TARGET_CFLAGS := $(filter-out -O%,$(TARGET_CFLAGS)) -O3 + + + +OPENSSL_TARGET:=linux-$(call qstrip,$(CONFIG_ARCH))-openwrt + + +STAMP_CONFIGURED := $(STAMP_CONFIGURED)_$(shell echo $(OPENSSL_OPTIONS) | mkhash md5) + +define Build/Configure + [ -f $(STAMP_CONFIGURED) ] || { \ + rm -f $(PKG_BUILD_DIR)/*.so.* $(PKG_BUILD_DIR)/*.a; \ + find $(PKG_BUILD_DIR) -name \*.o | xargs rm -f; \ + rm -rf $(MY_PKG_STAGING_DIR); \ + } + (cd $(PKG_BUILD_DIR); \ + ./Configure $(OPENSSL_TARGET) \ + --prefix=/usr \ + --openssldir=/etc/ssl \ + --libdir=lib \ + $(TARGET_CPPFLAGS) \ + $(TARGET_LDFLAGS) \ + $(OPENSSL_OPTIONS) && \ + { [ -f $(STAMP_CONFIGURED) ] || make clean; } \ + ) + +endef + +TARGET_CFLAGS += $(FPIC) -ffunction-sections -fdata-sections +TARGET_LDFLAGS += -Wl,--gc-sections + +define Build/Compile + +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ + CROSS_COMPILE="$(TARGET_CROSS)" \ + CC="$(TARGET_CC)" \ + SOURCE_DATE_EPOCH=$(SOURCE_DATE_EPOCH) \ + OPENWRT_OPTIMIZATION_FLAGS="$(TARGET_CFLAGS)" \ + $(OPENSSL_MAKEFLAGS) \ + all + $(MAKE) -C $(PKG_BUILD_DIR) \ + CROSS_COMPILE="$(TARGET_CROSS)" \ + CC="$(TARGET_CC)" \ + 
DESTDIR="$(PKG_INSTALL_DIR)" \ + $(OPENSSL_MAKEFLAGS) \ + install_sw install_ssldirs +endef + +define Build/InstallDev + $(INSTALL_DIR) $(MY_PKG_STAGING_DIR)/usr/include + $(CP) $(PKG_INSTALL_DIR)/usr/include/openssl $(MY_PKG_STAGING_DIR)/usr/include/ + $(INSTALL_DIR) $(MY_PKG_STAGING_DIR)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/lib{crypto,ssl}.a $(MY_PKG_STAGING_DIR)/usr/lib/ +endef + +define Build/Clean + rm -rf $(MY_PKG_STAGING_DIR) + $(call Build/Clean/Default) +endef + +define Package/libopenssl1.1/install +true +endef + +$(eval $(call BuildPackage,libopenssl1.1)) diff --git a/openwrt-trojan/openssl1.1/patches/1.1.1/100-Configure-afalg-support.patch b/openwrt-trojan/openssl1.1/patches/1.1.1/100-Configure-afalg-support.patch new file mode 100644 index 0000000..9894410 --- /dev/null +++ b/openwrt-trojan/openssl1.1/patches/1.1.1/100-Configure-afalg-support.patch @@ -0,0 +1,25 @@ +From 559fbff13af9ce2fbc0b9bc5727a7323e1db6217 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Thu, 27 Sep 2018 08:29:21 -0300 +Subject: Do not use host kernel version to disable AFALG + +This patch prevents the Configure script from using the host kernel +version to disable building the AFALG engine on openwrt targets. + +Signed-off-by: Eneas U de Queiroz + +diff --git a/Configure b/Configure +index 5a699836f3..74d057c219 100755 +--- a/Configure ++++ b/Configure +@@ -1545,7 +1545,9 @@ unless ($disabled{"crypto-mdebug-backtrace"}) + + unless ($disabled{afalgeng}) { + $config{afalgeng}=""; +- if (grep { $_ eq 'afalgeng' } @{$target{enable}}) { ++ if ($target =~ m/openwrt$/) { ++ push @{$config{engdirs}}, "afalg"; ++ } elsif (grep { $_ eq 'afalgeng' } @{$target{enable}}) { + my $minver = 4*10000 + 1*100 + 0; + if ($config{CROSS_COMPILE} eq "") { + my $verstr = `uname -r`; diff --git a/openwrt-trojan/openssl1.1/patches/1.1.1/110-openwrt_targets.patch b/openwrt-trojan/openssl1.1/patches/1.1.1/110-openwrt_targets.patch new file mode 100644 index 0000000..d0530b4 --- /dev/null 
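Review bot: Every mirror in PKG_SOURCE_URL is plain `http://` or `ftp://`, so integrity of the OpenSSL tarball rests entirely on the PKG_HASH line; that holds only while PKG_HASH is refreshed with every PKG_BUGFIX bump, and a tampered or truncated download still costs a failed build instead of being avoided. openssl.org serves the same paths over TLS, so the first two entries can read `https://www.openssl.org/source/` and `https://www.openssl.org/source/old/$(PKG_BASE)/`. Separately, `Package/libopenssl1.1/description` calls `Package/openssl/Default/description`, but the define in this file is `Package/openssl1.1/Default/description`, so as far as I can see the call expands to nothing and the description loses its first paragraph; `$(call Package/openssl1.1/Default/description)` fixes it. `Package/libopenssl1.1/conffiles` also lists `/etc/ssl/openssl.cnf` while the install recipe is just `true`, so no package ever ships that file.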
+++ b/openwrt-trojan/openssl1.1/patches/1.1.1/110-openwrt_targets.patch @@ -0,0 +1,63 @@ +From 3d43acc6068f00dbfc0c9a06355e2c8f7d302d0f Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Thu, 27 Sep 2018 08:30:24 -0300 +Subject: Add openwrt targets + +Targets are named: linux-$(CONFIG_ARCH)-openwrt + +Signed-off-by: Eneas U de Queiroz + +diff --git a/Configurations/25-openwrt.conf b/Configurations/25-openwrt.conf +new file mode 100644 +index 0000000000..86a86d31e4 +--- /dev/null ++++ b/Configurations/25-openwrt.conf +@@ -0,0 +1,48 @@ ++## Openwrt "CONFIG_ARCH" matching targets. ++ ++# The targets need to end in '-openwrt' for the AFALG patch to work ++ ++my %targets = ( ++ "openwrt" => { ++ template => 1, ++ CFLAGS => add("\$(OPENWRT_OPTIMIZATION_FLAGS)"), ++ }, ++ "linux-aarch64-openwrt" => { ++ inherit_from => [ "linux-aarch64", "openwrt" ], ++ }, ++ "linux-arc-openwrt" => { ++ inherit_from => [ "linux-generic32", "openwrt" ], ++ }, ++ "linux-arm-openwrt" => { ++ inherit_from => [ "linux-armv4", "openwrt" ], ++ }, ++ "linux-armeb-openwrt" => { ++ inherit_from => [ "linux-armv4", "openwrt" ], ++ }, ++ "linux-i386-openwrt" => { ++ inherit_from => [ "linux-x86", "openwrt" ], ++ }, ++ "linux-mips-openwrt" => { ++ inherit_from => [ "linux-mips32", "openwrt" ], ++ }, ++ "linux-mips64-openwrt" => { ++ inherit_from => [ "linux64-mips64", "openwrt" ], ++ }, ++ "linux-mips64el-openwrt" => { ++ inherit_from => [ "linux64-mips64", "openwrt" ], ++ }, ++ "linux-mipsel-openwrt" => { ++ inherit_from => [ "linux-mips32", "openwrt" ], ++ }, ++ "linux-powerpc-openwrt" => { ++ inherit_from => [ "linux-ppc", "openwrt" ], ++ }, ++ "linux-x86_64-openwrt" => { ++ inherit_from => [ "linux-x86_64", "openwrt" ], ++ }, ++ ++### Basic default option ++ "linux-generic32-openwrt" => { ++ inherit_from => [ "linux-generic32", "openwrt" ], ++ }, ++); 
diff --git a/openwrt-trojan/openssl1.1/patches/1.1.1/120-strip-cflags-from-binary.patch b/openwrt-trojan/openssl1.1/patches/1.1.1/120-strip-cflags-from-binary.patch new file mode 100644 index 0000000..7faec9a --- /dev/null +++ b/openwrt-trojan/openssl1.1/patches/1.1.1/120-strip-cflags-from-binary.patch @@ -0,0 +1,23 @@ +From 4ad8f2fe6bf3b91df7904fcbe960e5fdfca36336 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Thu, 27 Sep 2018 08:31:38 -0300 +Subject: Avoid exposing build directories + +The CFLAGS contain the build directories, and are shown by calling +OpenSSL_version(OPENSSL_CFLAGS), or running openssl version -a + +Signed-off-by: Eneas U de Queiroz + +diff --git a/crypto/build.info b/crypto/build.info +index 2c619c62e8..893128345a 100644 +--- a/crypto/build.info ++++ b/crypto/build.info +@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \ + ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl + + DEPEND[cversion.o]=buildinf.h +-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)" ++GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(filter-out -I% -iremap% -fmacro-prefix-map% -ffile-prefix-map%,$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q))" "$(PLATFORM)" + DEPEND[buildinf.h]=../configdata.pm + + GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME) diff --git a/openwrt-trojan/openssl1.1/patches/1.1.1/130-dont-build-tests-fuzz.patch b/openwrt-trojan/openssl1.1/patches/1.1.1/130-dont-build-tests-fuzz.patch new file mode 100644 index 0000000..7f33cb9 --- /dev/null +++ b/openwrt-trojan/openssl1.1/patches/1.1.1/130-dont-build-tests-fuzz.patch 
@@ -0,0 +1,31 @@ +From ba2fe646f2d9104a18b066e43582154049e9ffcb Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Thu, 27 Sep 2018 08:34:38 -0300 +Subject: Do not build tests and fuzz directories + +This shortens build time. + +Signed-off-by: Eneas U de Queiroz + +diff --git a/Configure b/Configure +index 74d057c219..5813e9f8fe 100755 +--- a/Configure ++++ b/Configure +@@ -318,7 +318,7 @@ my $auto_threads=1; # enable threads automatically? true by default + my $default_ranlib; + + # Top level directories to build +-$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ]; ++$config{dirs} = [ "crypto", "ssl", "engines", "apps", "util", "tools" ]; + # crypto/ subdirectories to build + $config{sdirs} = [ + "objects", +@@ -330,7 +330,7 @@ $config{sdirs} = [ + "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" + ]; + # test/ subdirectories to build +-$config{tdirs} = [ "ossl_shim" ]; ++$config{tdirs} = []; + + # Known TLS and DTLS protocols + my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3); diff --git a/openwrt-trojan/trojan/Makefile b/openwrt-trojan/trojan/Makefile new file mode 100644 index 0000000..5720d37 --- /dev/null +++ b/openwrt-trojan/trojan/Makefile 
@@ -0,0 +1,80 @@ +# +# Copyright (C) 2018-2020 wongsyrone +# +# This is free software, licensed under the GNU General Public License v3. +# See /LICENSE for more information. +# +include $(TOPDIR)/rules.mk + +PKG_NAME:=trojan +PKG_VERSION:=1.16.0 +PKG_RELEASE:=1 + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=https://github.com/trojan-gfw/trojan.git +PKG_MIRROR_HASH:=73367d53960b42af8a4d9680dbf2ef669d0f3c00d7859a736abfc522d9e0c625 +PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) +PKG_SOURCE_VERSION:=3e7bb9aecdc694f9bcae8d646fae395f773d60f8 +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz +CMAKE_INSTALL:=1 +PKG_BUILD_PARALLEL:=1 + +PKG_BUILD_DEPENDS:=openssl + +PKG_LICENSE:=GPL-3.0 + +PKG_MAINTAINER:=GreaterFire + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/cmake.mk + +TARGET_CXXFLAGS += -Wall -Wextra +TARGET_CXXFLAGS += $(FPIC) + +# LTO +TARGET_CXXFLAGS += -flto +TARGET_LDFLAGS += -flto + +# CXX standard +TARGET_CXXFLAGS += -std=c++11 +TARGET_CXXFLAGS := $(filter-out -O%,$(TARGET_CXXFLAGS)) -O3 +TARGET_CXXFLAGS += -ffunction-sections -fdata-sections +TARGET_LDFLAGS += -Wl,--gc-sections + +CMAKE_OPTIONS += \ + -DENABLE_MYSQL=OFF \ + -DENABLE_NAT=ON \ + -DENABLE_REUSE_PORT=ON \ + -DENABLE_SSL_KEYLOG=ON \ + -DENABLE_TLS13_CIPHERSUITES=ON \ + -DFORCE_TCP_FASTOPEN=OFF \ + -DSYSTEMD_SERVICE=OFF \ + -DOPENSSL_USE_STATIC_LIBS=FALSE \ + -DBoost_DEBUG=ON \ + -DBoost_NO_BOOST_CMAKE=ON + +define Package/trojan + SECTION:=net + CATEGORY:=Network + TITLE:=An unidentifiable mechanism that helps you bypass GFW + URL:=https://github.com/trojan-gfw/trojan + DEPENDS:= +libpthread +libstdcpp +libopenssl \ + +boost +boost-system +boost-program_options +boost-date_time +endef + +define Package/trojan/install + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/trojan $(1)/usr/sbin/trojan + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_DATA) ./files/trojan.config $(1)/etc/config/trojan + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) 
./files/trojan.init $(1)/etc/init.d/trojan + $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/trojan/config.json $(1)/etc/trojan.json +endef + +define Package/trojan/conffiles +/etc/config/trojan +/etc/trojan.json +endef + +$(eval $(call BuildPackage,trojan)) diff --git a/openwrt-trojan/trojan/files/trojan.config b/openwrt-trojan/trojan/files/trojan.config new file mode 100644 index 0000000..b53fb62 --- /dev/null +++ b/openwrt-trojan/trojan/files/trojan.config @@ -0,0 +1,4 @@ + +config trojan + option enabled '0' + diff --git a/openwrt-trojan/trojan/files/trojan.init b/openwrt-trojan/trojan/files/trojan.init new file mode 100644 index 0000000..c2e5f0e --- /dev/null +++ b/openwrt-trojan/trojan/files/trojan.init 
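Review bot: `-DENABLE_SSL_KEYLOG=ON` in CMAKE_OPTIONS compiles TLS key-logging support into a binary that is shipped as a production proxy; if I read the upstream option correctly, an operator who sets the matching key-log path in the config gets every session's secrets written to disk in plaintext, which defeats the very protection this package exists to provide. Unless that debugging use is deliberate, this should be `-DENABLE_SSL_KEYLOG=OFF`, or the choice documented with a comment next to the option. The OpenSSL wiring also looks inconsistent with the sibling package: PKG_BUILD_DEPENDS is `openssl`, DEPENDS pulls in `+libopenssl`, and nothing points CMake at the `$(BUILD_DIR)/openssl1.1_staging_dir` that openssl1.1/Makefile stages into, so as written the build appears to link the feed's libopenssl rather than the bundled 1.1.1l, contrary to the README's "linked to our openssl". `-DBoost_DEBUG=ON` only adds configure-time diagnostic output and can be dropped once the Boost lookup is settled.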
@@ -0,0 +1,70 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2018 wongsyrone + +. /lib/functions.sh +. /usr/share/libubox/jshn.sh + +START=95 +USE_PROCD=1 +#PROCD_DEBUG=1 + +PROG=/usr/sbin/trojan +CONF=/etc/trojan.json + +config_load "trojan" + +parse_trojan() { + config_get ENABLED "$section" "enabled" +} + +config_foreach parse_trojan 'trojan' + +check_multicore() { + local is_reuse_port= + json_init + json_load_file "${CONF}" + json_select "tcp" + json_get_var is_reuse_port "reuse_port" + json_select ".." + if [ "1" = "$is_reuse_port" ] || [ "true" = "$is_reuse_port" ]; then + multicore_ready=true + else + multicore_ready=false + fi + echo multicore_ready is $multicore_ready + local cpunum + cpunum=$(grep '^cpu\scores' /proc/cpuinfo | uniq | awk '{print $4}' ) + echo real cpu core num is $cpunum + if [ "x" = "x$cpunum" ]; then + cpunum=$(grep -c '^processor' /proc/cpuinfo ) + echo all cpu core num is $cpunum, including Hyper-threading virtual cores + fi + if [ "xtrue" = "x$multicore_ready" ]; then + return "$cpunum" + else + return 1 + fi +} + +start_service() { + check_multicore + local cpunum=$? + echo cpunum is $cpunum + if [ "1" = "$ENABLED" ] || [ "on" = "$ENABLED" ] || [ "true" = "$ENABLED" ]; then + for i in $(seq 1 ${cpunum}); + do + procd_open_instance + procd_set_param command $PROG --config $CONF + procd_set_param user root # run service as user root + procd_set_param stdout 1 # forward stdout of the command to logd + procd_set_param stderr 1 # same for stderr + procd_set_param limits nofile="1048576 1048576" # max allowed value can be fetched via /proc/sys/fs/nr_open + [ -e /proc/sys/kernel/core_pattern ] && { + procd_append_param limits core="unlimited" + } + procd_close_instance + done + else + echo "trojan is disabled, please check /etc/config/trojan" + fi +} diff --git a/openwrt-trojan/trojan/patches/001-force-openssl-version.patch b/openwrt-trojan/trojan/patches/001-force-openssl-version.patch new file mode 100644 index 0000000..b292955 
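Review bot: `procd_append_param limits core="unlimited"` in start_service allows full core dumps of a process whose memory holds the TLS private key and the passwords from /etc/trojan.json, and the `[ -e /proc/sys/kernel/core_pattern ]` guard around it is true on any kernel with procfs mounted, so the dump is effectively unconditional; unless crash debugging on production routers is wanted, drop those three lines or set `core="0"`, and document why `user root` is required alongside `nofile="1048576 1048576"` (NAT mode or privileged ports, presumably — confirm). `parse_trojan` reads `$section`, which this file never sets; as far as I can tell it only works because `config_foreach` declares `section` as a local in its own scope, so take the argument explicitly with `local section="$1"` as the first line of parse_trojan. The `echo` lines in check_multicore and start_service print to whatever console runs the init script on every start; `logger -t trojan` would keep that output in logd where the procd stdout/stderr forwarding already sends the service's own messages.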
--- /dev/null +++ b/openwrt-trojan/trojan/patches/001-force-openssl-version.patch @@ -0,0 +1,11 @@ +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -28,7 +28,7 @@ + add_definitions(-DBOOST_DATE_TIME_NO_LIB) + endif() + +-find_package(OpenSSL 1.1.0 REQUIRED) ++find_package(OpenSSL 1.1.1 REQUIRED) + target_include_directories(trojan PRIVATE ${OPENSSL_INCLUDE_DIR}) + target_link_libraries(trojan ${OPENSSL_LIBRARIES}) + if(OPENSSL_VERSION VERSION_GREATER_EQUAL 1.1.1)