Merge pull request #1 from yury-sannikov/master-merge

Master merge

.github/workflows/build-module.yml

@@ -12,17 +12,18 @@ jobs:
     strategy:
       matrix:
         #tag: ['v23.05.0', 'v23.05.2', 'v22.03.4']
-        tag: ['v22.03.4']
+        tag: ['v23.05.0']
+        # tag: ['v22.03.4']
         build_env:
-          - pkgarch: mips_24kc
-            target: ath79
-            subtarget: nand
+          # - pkgarch: mips_24kc
+          #   target: ath79
+          #   subtarget: nand
           # - pkgarch: mipsel_24kc
           #   target: ramips
           #   subtarget: mt7620
-          # - pkgarch: mipsel_24kc
-          #   target: ramips
-          #   subtarget: mt7621
+          - pkgarch: mipsel_24kc
+            target: ramips
+            subtarget: mt7621
           # - pkgarch: arm_cortex-a7
           #   target: mediatek
           #   subtarget: mt7629

amneziawg-tools/Makefile → amnezia-wg-tools/Makefile

@@ -8,14 +8,14 @@
 
 include $(TOPDIR)/rules.mk
 
-PKG_NAME:=amneziawg-tools
+PKG_NAME:=amnezia-wg-tools
 
 PKG_VERSION:=0.0.1-kmod
 PKG_RELEASE:=$(AUTORELEASE)
 
 PKG_SOURCE:=v$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/amnezia-vpn/amneziawg-tools/archive/refs/tags/
-PKG_HASH:=cc4f523f7ec171b7bb3bdd1bcf4ff2f6833364fab6cad309310a84f33eeafa9b
+PKG_SOURCE_URL:=https://github.com/amnezia-vpn/amnezia-wg-tools/archive/refs/tags/
+PKG_HASH:=0d8cdf6d767700cb6d2cc895d45b1f94668663b00138627329766bb9e36d894e
 
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
@@ -26,7 +26,7 @@ include $(INCLUDE_DIR)/package.mk
 MAKE_PATH:=src
 MAKE_VARS += PLATFORM=linux
 
-define Package/amneziawg-tools
+define Package/amnezia-wg-tools
   CATEGORY:=Network
   URL:=https://www.wireguard.com
   MAINTAINER:=Jason A. Donenfeld <[email protected]>
@@ -36,7 +36,7 @@ define Package/amneziawg-tools
 	  +@BUSYBOX_CONFIG_FEATURE_IP_LINK
 endef
 
-define Package/amneziawg-tools/description
+define Package/amnezia-wg-tools/description
   WireGuard is a novel VPN that runs inside the Linux Kernel and utilizes
   state-of-the-art cryptography. It aims to be faster, simpler, leaner, and
   more useful than IPSec, while avoiding the massive headache. It intends to
@@ -48,12 +48,12 @@ define Package/amneziawg-tools/description
   `wg(8)`, a netifd protocol helper, and a re-resolve watchdog script.
 endef
 
-define Package/amneziawg-tools/install
+define Package/amnezia-wg-tools/install
 	$(INSTALL_DIR) $(1)/usr/bin/
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/wg $(1)/usr/bin/amneziawg
 	$(INSTALL_BIN) ./files/amneziawg_watchdog $(1)/usr/bin/
 	$(INSTALL_DIR) $(1)/lib/netifd/proto/
 	$(INSTALL_BIN) ./files/amneziawg.sh $(1)/lib/netifd/proto/
 endef
 
-$(eval $(call BuildPackage,amneziawg-tools))
+$(eval $(call BuildPackage,amnezia-wg-tools))

amneziawg-tools/files/amneziawg.sh → amnezia-wg-tools/files/amneziawg.sh

@@ -33,23 +33,23 @@ proto_amneziawg_init_config() {
 }
 
 proto_amneziawg_is_kernel_mode() {
-  if [ ! -e /sys/module/amneziawg ]; then
-    modprobe amneziawg > /dev/null 2&>1 || true
-
-    if [ -e /sys/module/amneziawg ]; then
-      return 0
-    else
-      if [ ! command -v "${WG_QUICK_USERSPACE_IMPLEMENTATION:-amneziawg-go}" >/dev/null ]; then
-        ret=$?
-        echo "Please install either kernel module (kmod-amneziawg package) or user-space implementation in /usr/bin/amneziawg-go."
-        exit $?
-      else
-        return 1
-      fi
-    fi
-  else
-    return 0
-  fi
+	if [ ! -e /sys/module/amneziawg ]; then
+		modprobe amneziawg > /dev/null 2&>1 || true
+
+		if [ -e /sys/module/amneziawg ]; then
+			return 0
+		else
+			if [ ! command -v "${WG_QUICK_USERSPACE_IMPLEMENTATION:-amneziawg-go}" >/dev/null ]; then
+				ret=$?
+				echo "Please install either kernel module (kmod-amneziawg package) or user-space implementation in /usr/bin/amneziawg-go."
+				exit $?
+			else
+				return 1
+			fi
+		fi
+	else
+		return 0
+	fi
 }
 
 proto_amneziawg_setup_peer() {
@@ -190,13 +190,13 @@ proto_amneziawg_setup() {
 	config_get awg_h3 "${config}" "awg_h3"
 	config_get awg_h4 "${config}" "awg_h4"
 
-	ip link del dev "${config}" 2>/dev/null
-
 	if proto_amneziawg_is_kernel_mode; then
 		logger -t "amneziawg" "info: using kernel-space kmod-amneziawg for ${WG}"
+  	ip link del dev "${config}" 2>/dev/null
 		ip link add dev "${config}" type amneziawg
 	else
 		logger -t "amneziawg" "info: using user-space amneziawg-go for ${WG}"
+		rm -f "/var/run/wireguard/${config}.sock"
 		amneziawg-go "${config}"
 	fi
 
@@ -245,7 +245,7 @@ proto_amneziawg_setup() {
 		echo "H4 = ${awg_h4}" >> "${wg_cfg}"
 	fi
 
-	config_foreach proto_amneziawg_setup_peer "wireguard_${config}"
+	config_foreach proto_amneziawg_setup_peer "amneziawg_${config}"
 
 	# apply configuration file
 	${WG} setconf ${config} "${wg_cfg}"
@@ -297,10 +297,10 @@ proto_amneziawg_teardown() {
 	local config="$1"
 	proto_amneziawg_check_installed
 	if proto_amneziawg_is_kernel_mode; then
-  	ip link del dev "${config}" >/dev/null 2>&1
-  else
-    rm -f /var/run/wireguard/${config}.sock
-  fi
+		ip link del dev "${config}" >/dev/null 2>&1
+	else
+		rm -f /var/run/wireguard/${config}.sock
+	fi
 }
 
 [ -n "$INCLUDE_ONLY" ] || {

kmod-amneziawg/files/amnezia-sources.patch

@@ -44,22 +44,24 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
  	pr_debug("%s: Interface created\n", dev->name);
  	return ret;
 
-@@ -475,4 +480,79 @@
+@@ -475,4 +480,118 @@
  	unregister_random_vmfork_notifier(&vm_notifier);
  	unregister_pm_notifier(&pm_notifier);
  	rcu_barrier();
 +}
 +
-+void wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc)
++int wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc)
 +{
 +	struct wg_device *wg = netdev_priv(dev);
 +	bool a_sec_on = false;
++	int ret = 0;
 +
 +	if (!asc->advanced_security_enabled)
-+		return;
++		goto out;
 +
 +	if (asc->junk_packet_count < 0) {
-+		// TODO error
++		net_dbg_ratelimited("%s: JunkPacketCount should be non negative\n", dev->name);
++		ret = -EINVAL;
 +	}
 +
 +	wg->advanced_security_config.junk_packet_count = asc->junk_packet_count;
@@ -77,25 +79,37 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
 +		wg->advanced_security_config.junk_packet_min_size = 0;
 +		wg->advanced_security_config.junk_packet_max_size = 1;
 +
-+		// TODO error
++		net_dbg_ratelimited("%s: JunkPacketMaxSize: %d; should be smaller than maxSegmentSize: %d\n",
++							dev->name, asc->junk_packet_max_size,
++							MESSAGE_MAX_SIZE);
++		ret = -EINVAL;
 +	} else if (asc->junk_packet_max_size < asc->junk_packet_min_size) {
-+		// TODO error
++		net_dbg_ratelimited("%s: maxSize: %d; should be greater than minSize: %d\n",
++							dev->name, asc->junk_packet_max_size,
++							asc->junk_packet_min_size);
++		ret = -EINVAL;
 +	} else
 +		wg->advanced_security_config.junk_packet_max_size = asc->junk_packet_max_size;
 +
 +	if (asc->junk_packet_max_size != 0)
 +		a_sec_on = true;
 +
 +	if (asc->init_packet_junk_size + MESSAGE_INITIATION_SIZE >= MESSAGE_MAX_SIZE) {
-+		// TODO error
++		net_dbg_ratelimited("%s: init header size (%d) + junkSize (%d) should be smaller than maxSegmentSize: %d\n",
++		                    dev->name, MESSAGE_INITIATION_SIZE,
++							asc->init_packet_junk_size, MESSAGE_MAX_SIZE);
++		ret = -EINVAL;
 +	} else
 +		wg->advanced_security_config.init_packet_junk_size = asc->init_packet_junk_size;
 +
 +	if (asc->init_packet_junk_size != 0)
 +		a_sec_on = true;
 +
 +	if (asc->response_packet_junk_size + MESSAGE_RESPONSE_SIZE >= MESSAGE_MAX_SIZE) {
-+		// TODO error
++		net_dbg_ratelimited("%s: response header size (%d) + junkSize (%d) should be smaller than maxSegmentSize: %d\n",
++		                    dev->name, MESSAGE_RESPONSE_SIZE,
++		                    asc->response_packet_junk_size, MESSAGE_MAX_SIZE);
++		ret = -EINVAL;
 +	} else
 +		wg->advanced_security_config.response_packet_junk_size = asc->response_packet_junk_size;
 +
@@ -122,7 +136,32 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
 +		wg->advanced_security_config.transport_packet_magic_header = asc->transport_packet_magic_header;
 +	}
 +
++	if (asc->init_packet_magic_header == asc->response_packet_magic_header ||
++			asc->init_packet_magic_header == asc->cookie_packet_magic_header ||
++			asc->init_packet_magic_header == asc->transport_packet_magic_header ||
++			asc->response_packet_magic_header == asc->cookie_packet_magic_header ||
++			asc->response_packet_magic_header == asc->transport_packet_magic_header ||
++			asc->cookie_packet_magic_header == asc->transport_packet_magic_header) {
++		net_dbg_ratelimited("%s: magic headers should differ; got: init:%d; recv:%d; unde:%d; tran:%d\n",
++		                    dev->name,
++							asc->init_packet_magic_header,
++		                    asc->response_packet_magic_header,
++							asc->cookie_packet_magic_header,
++							asc->transport_packet_magic_header);
++		ret = -EINVAL;
++	}
++
++	if (MESSAGE_INITIATION_SIZE + asc->init_packet_junk_size == MESSAGE_RESPONSE_SIZE + asc->response_packet_junk_size) {
++		net_dbg_ratelimited("%s: new init size:%d; and new response size:%d; should differ\n",
++		                    dev->name,
++		                    MESSAGE_INITIATION_SIZE + asc->init_packet_junk_size,
++		                    MESSAGE_RESPONSE_SIZE + asc->response_packet_junk_size);
++		ret = -EINVAL;
++	}
++
 +	wg->advanced_security_config.advanced_security_enabled = a_sec_on;
++out:
++	return ret;
  }
 diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kconfig -x Makefile -x dkms.conf ../../linux-source-6.2.0/drivers/net/wireguard/device.h ./device.h
 --- ../../linux-source-6.2.0/drivers/net/wireguard/device.h	2023-11-10 18:10:29
@@ -159,7 +198,7 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
 
  int wg_device_init(void);
  void wg_device_uninit(void);
-+void wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc);
++int wg_device_handle_post_config(struct net_device *dev, struct amnezia_config *asc);
 
  #endif /* _WG_DEVICE_H */
 diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kconfig -x Makefile -x dkms.conf ../../linux-source-6.2.0/drivers/net/wireguard/main.c ./main.c
@@ -334,11 +373,13 @@ diff --color -urN -x uapi -x compat -x crypto -x .idea -x tests -x Kbuild -x Kco
  	if (flags & WGDEVICE_F_REPLACE_PEERS)
  		wg_peer_remove_all(wg);
 
-@@ -597,10 +670,12 @@
+@@ -597,10 +670,14 @@
  	ret = 0;
 
  out:
-+	wg_device_handle_post_config(wg->dev, asc);
++	if (!ret)
++		ret = wg_device_handle_post_config(wg->dev, asc);
++
  	mutex_unlock(&wg->device_update_lock);
  	rtnl_unlock();
  	dev_put(wg->dev);

luci-app-amneziawg/htdocs/luci-static/resources/protocol/amneziawg.js

@@ -385,8 +385,6 @@ return network.registerProtocol('amneziawg', {
 			    cancel = nodes.nextElementSibling.querySelector('.btn'),
 			    config = this.parseConfig(input);
 
-            console.log(input);
-
 			if (typeof(config) == 'string') {
 				error.firstChild.data = _('Cannot parse configuration: %s').format(config);
 				error.style.display = 'block';
@@ -748,6 +746,7 @@ return network.registerProtocol('amneziawg', {
 		o.createPeerConfig = function(section_id, endpoint, ips) {
 			var pub = s.formvalue(s.section, 'public_key'),
 			    port = s.formvalue(s.section, 'listen_port') || '51820',
+                jc = s.formvalue
 			    prv = this.section.formvalue(section_id, 'private_key'),
 			    psk = this.section.formvalue(section_id, 'preshared_key'),
 			    eport = this.section.formvalue(section_id, 'endpoint_port'),