shadowsocks-libev: update to version 3.1.0 with patch for CVE-2017-15924

CVE-2017-15924 - Command Execution in ss-manager More at shadowsocks/shadowsocks-libev#1734
CZ-NIC · Nov 3, 2017 · 3183dab · 3183dab
1 parent c90d4fa
commit 3183dab
Show file tree

Hide file tree

Showing 8 changed files with 944 additions and 0 deletions.
diff --git a/net/shadowsocks-libev/Makefile b/net/shadowsocks-libev/Makefile
@@ -0,0 +1,125 @@
+#
+# Copyright (C) 2017 Yousong Zhou <yszhou4tech@gmail.com>
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+# Checklist when bumping versions
+#
+# - update cipher list by checking src/crypto.c:crypto_init()
+# - check if default mode has changed from being tcp_only
+#
+PKG_NAME:=shadowsocks-libev
+PKG_VERSION:=3.1.0
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION)
+PKG_MD5SUM:=3b6493ebdcfff1eb31faf34d164d57049f7253ff5bffafa6ce2263c9ac123f31
+
+PKG_MAINTAINER:=Yousong Zhou <yszhou4tech@gmail.com>
+
+PKG_LICENSE:=GPL-3.0+
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+PKG_USE_MIPS16:=0
+PKG_BUILD_PARALLEL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+
+define Package/shadowsocks-libev-config
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=Web Servers/Proxies
+  TITLE:=shadowsocks-libev config scripts
+  URL:=https://github.com/shadowsocks/shadowsocks-libev
+endef
+
+define Package/shadowsocks-libev-config/install
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_DATA) ./files/shadowsocks-libev.config $(1)/etc/config/shadowsocks-libev
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/shadowsocks-libev.init $(1)/etc/init.d/shadowsocks-libev
+endef
+
+
+define Package/shadowsocks-libev/Default
+  define Package/shadowsocks-libev-$(1)
+    SECTION:=net
+    CATEGORY:=Network
+    SUBMENU:=Web Servers/Proxies
+    TITLE:=shadowsocks-libev $(1)
+    URL:=https://github.com/shadowsocks/shadowsocks-libev
+    DEPENDS:=+libcares +libev +libmbedtls +libpcre +libpthread +libsodium +shadowsocks-libev-config +zlib
+  endef
+
+  define Package/shadowsocks-libev-$(1)/install
+	$$(INSTALL_DIR) $$(1)/usr/bin
+	$$(INSTALL_BIN) $$(PKG_INSTALL_DIR)/usr/bin/$(1) $$(1)/usr/bin
+  endef
+
+endef
+
+SHADOWSOCKS_COMPONENTS:=ss-local ss-redir ss-tunnel ss-server
+define shadowsocks-libev/templates
+  $(foreach component,$(SHADOWSOCKS_COMPONENTS),
+    $(call Package/shadowsocks-libev/Default,$(component))
+  )
+endef
+$(eval $(call shadowsocks-libev/templates))
+
+
+define Package/shadowsocks-libev-ss-rules
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=Web Servers/Proxies
+  TITLE:=shadowsocks-libev ss-rules
+  URL:=https://github.com/shadowsocks/shadowsocks-libev
+  DEPENDS:=+ip +ipset +iptables-mod-tproxy +resolveip +shadowsocks-libev-ss-redir +shadowsocks-libev-config
+endef
+
+define Package/shadowsocks-libev-ss-rules/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) ./files/ss-rules $(1)/usr/bin
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_DATA) ./files/firewall.ss-rules $(1)/etc
+	$(INSTALL_BIN) ./files/ss-rules.defaults $(1)/etc/uci-defaults
+endef
+
+define Package/shadowsocks-libev-ss-rules/prerm
+#!/bin/sh
+s=firewall.ss_rules
+uci get "$$s" >/dev/null || exit 0
+uci batch <<-EOF
+	delete $$s
+	commit firewall
+EOF
+endef
+
+define Build/Prepare
+	$(call Build/Prepare/Default)
+	$(FIND) $(PKG_BUILD_DIR) \
+			   -name '*.o' \
+			-o -name '*.lo' \
+			-o -name '.deps' \
+			-o -name '.libs' \
+		| $(XARGS) rm -rvf
+endef
+
+CONFIGURE_ARGS += \
+	--disable-documentation \
+	--disable-silent-rules \
+	--disable-assert \
+	--disable-ssp \
+
+$(eval $(call BuildPackage,shadowsocks-libev-config))
+$(eval $(call BuildPackage,shadowsocks-libev-ss-rules))
+$(foreach component,$(SHADOWSOCKS_COMPONENTS), \
+  $(eval $(call BuildPackage,shadowsocks-libev-$(component))) \
+)
diff --git a/net/shadowsocks-libev/README.md b/net/shadowsocks-libev/README.md
@@ -0,0 +1,97 @@
+## components
+
+`ss-local` provides SOCKS5 proxy with UDP associate support.
+
+	 socks5                                     ss              plain
+	--------> tcp:local_address:local_port ----> ss server -------> dest
+
+`ss-redir`.  The REDIRECT and TPROXY part are to be provided by `ss-rules` script.  REDIRECT only works for tcp traffic (see also darkk/redsocks).  TPROXY is used to proxy udp messages, but it's only available in the PREROUTING chain and as such cannot proxy local out traffic.
+
+	  plain             plain                                 ss              plain
+	---------> REDIRECT ------> tcp:local_address:local_port ----> ss server -----> original dest
+
+	  plain            plain                                 ss              plain
+	---------> TPROXY -------> udp:local_address:local_port -----> ss server -----> original dest
+
+`ss-tunnel` provides ssh `-L` local-forwarding-like tunnel.  Typically it's used to tunnel DNS traffic to the remote.
+
+	  plain                                       ss               plain
+	---------> tcp|udp:local_address:local_port ------> ss server -------> tunnel_address
+
+`ss-server`, the "ss server" in the above diagram
+
+## uci
+
+Option names are the same as those used in json config files.  Check `validate_xxx` func definition of the [service script](files/shadowsocks-libev.init) and shadowsocks-libev's own documentation for supported options and expected value types.  A [sample config file](files/shadowsocks-libev.config) is also provided for reference.
+
+Every section have a `disabled` option to temporarily turn off the component instance or component instances referring to it.
+
+Section type `server` is for definition of remote shadowsocks servers.  They will be referred to from other component sections and as such should be named (as compared to anonymous section).
+
+Section type `ss_local`, `ss_redir`, `ss_tunnel` are for specification of shadowsocks-libev components.  They share mostly a common set of options like `local_port`, `verbose`, `fast_open`, `timeout`, etc.
+
+We can have multiple instances of component and `server` sections.  The relationship between them is many-to-one.  This will have the following implications
+
+ - It's possible to have both `ss_local` and `ss_redir` referring to the same `server` definition
+ - It's possible to have multiple instances of `ss_redir` listening on the same address:port with `reuse_port` enabled referring to the same or different `server` sections
+
+`ss_rules` section is for configuring the behaviour of `ss-rules` script.  There can only exist at most one such section with the name also being `ss_rules`
+
+	redir_tcp		name of ss_redir section with mode tcp_only or tcp_and_udp
+	redir_udp		name of ss_redir section with mode udp_only or tcp_and_udp
+	ifnames			only apply rules on packets from these ifnames
+
+	--- for incoming packets having source address in
+
+	src_ips_bypass		will bypass the redir chain
+	src_ips_forward		will always go through the redir chain
+	src_ips_checkdst	will continue to have their destination addresses checked
+
+	--- otherwise, the default action can be specified with
+
+	src_default		bypass, forward, [checkdst]
+
+	--- if the previous check result is checkdst,
+	--- then packets having destination address in
+
+	dst_ips_bypass_file
+	dst_ips_bypass		will bypass the redir chain
+	dst_ips_forward_file
+	dst_ips_forward		will go through the redir chain
+
+	--- otherwise, the default action can be specified with
+
+	dst_default		[bypass], forward
+
+	--- for local out tcp packets, the default action can be specified with
+
+	local_default		[bypass], forward, checkdst
+
+Bool option `dst_forward_recentrst` requires iptables/netfilter `recent` match module (`opkg install iptables-mod-conntrack-extra`).  When enabled, `ss-rules` will setup iptables rules to forward through `ss-redir` those packets whose destination have recently sent to us multiple tcp-rst.
+
+ss-rules uses kernel ipset mechanism for storing addresses/networks.  Those ipsets are also part of the API and can be populated by other programs, e.g. dnsmasq with builtin ipset support.  For more details please read output of `ss-rules --help`
+
+Note also that `src_ips_xx` and `dst_ips_xx` actually also accepts cidr network representation.  Option names are retained in its current form for backward compatibility coniderations
+
+## notes and faq
+
+Useful paths and commands for debugging
+
+	# check current running status
+	ubus call service list '{"name": "shadowsocks-libev"}'
+	ubus call service list '{"name": "shadowsocks-libev", "verbose": true}'
+
+	# dump validate definition
+	ubus call service validate '{"package": "shadowsocks-libev"}'
+	ubus call service validate '{"package": "shadowsocks-libev"}' \
+		| jsonfilter -e '$["shadowsocks-libev"]["ss_tunnel"]'
+
+	# check json config
+	ls -l /var/etc/shadowsocks-libev/
+
+	# set uci config option verbose to 1, restart the service and follow the log
+	logread -f
+
+ss-redir needs to open a new socket and setsockopt IP_TRANSPARENT when sending udp reply to client.  This requires `CAP_NET_ADMIN` and as such the process cannot run as `nobody`
+
+ss-local, ss-redir, etc. supports specifying an array of remote ss server, but supporting this in uci seems to be overkill.  The workaround can be defining multiple `server` sections and multiple `ss-redir` instances with `reuse_port` enabled
diff --git a/net/shadowsocks-libev/files/firewall.ss-rules b/net/shadowsocks-libev/files/firewall.ss-rules
@@ -0,0 +1,2 @@
+#!/bin/sh
+/etc/init.d/shadowsocks-libev reload
diff --git a/net/shadowsocks-libev/files/shadowsocks-libev.config b/net/shadowsocks-libev/files/shadowsocks-libev.config
@@ -0,0 +1,61 @@
+config ss_local
+	option disabled 1
+	option server 'sss0'
+	option local_address '0.0.0.0'
+	option local_port '1080'
+	option timeout '30'
+
+config ss_tunnel
+	option disabled 1
+	option server 'sss0'
+	option local_address '0.0.0.0'
+	option local_port '1090'
+	option tunnel_address 'example.com:80'
+	option mode 'tcp_and_udp'
+	option timeout '60'
+
+config ss_redir hi
+	option disabled 1
+	option server 'sss0'
+	option local_address '0.0.0.0'
+	option local_port '1100'
+	option mode 'tcp_and_udp'
+	option timeout '60'
+	option fast_open 1
+	option verbose 1
+	option reuse_port 1
+
+config ss_redir hj
+	option disabled 1
+	option server 'sss0'
+	option local_address '0.0.0.0'
+	option local_port '1100'
+	option mode 'tcp_and_udp'
+	option timeout '60'
+	option fast_open 1
+	option verbose 1
+	option reuse_port 1
+
+config ss_rules 'ss_rules'
+	option disabled 1
+	option redir_tcp 'hi'
+	option redir_udp 'hi'
+	option src_default 'checkdst'
+	option dst_default 'bypass'
+	option local_default 'checkdst'
+	list src_ips_forward '192.168.1.4'
+	list dst_ips_forward '8.8.8.8'
+
+config server 'sss0'
+	option disabled 1
+	option server '192.168.1.3'
+	option server_port '9001'
+	option password '********'
+	option method 'aes-256-cfb'
+
+config ss_server
+	option disabled 1
+	option server_port '9001'
+	option password '********'
+	option method 'aes-256-cfb'
+	option bind_address '192.168.7.72'