commit e30c94678a680af73c4aea75807696ad3e7d94b212b3e2052b9b6f205c99de8d Author: Hillwood Yang Date: Thu Nov 14 07:24:07 2024 +0000 Add reproducible.patch to override build date (boo#1047218) OBS-URL: https://build.opensuse.org/package/show/server:proxy/shadowsocks-rust?expand=0&rev=31
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_constraints b/_constraints
new file mode 100644
index 0000000..1444f5b
--- /dev/null
+++ b/_constraints
@@ -0,0 +1,49 @@
+
+
+
+
+ x86_64
+
+
+
+ 10
+
+
+
+
+
+
+ aarch64
+ s390x
+
+
+
+ 12
+
+
+
+
+
+
+ ppc64
+ ppc64le
+
+
+
+ 80
+
+
+
+
+
+
+ riscv64
+
+
+
+ 13
+
+
+
+
+
diff --git a/reproducible.patch b/reproducible.patch
new file mode 100644
index 0000000..d494259
--- /dev/null
+++ b/reproducible.patch
@@ -0,0 +1,48 @@
+From 853a860dd9095b7ed2f95d5aac62f8f1dcc0d229 Mon Sep 17 00:00:00 2001
+From: "Bernhard M. Wiedemann"
+Date: Wed, 28 Jun 2023 16:48:35 +0200
+Subject: [PATCH] Allow to override build date with SOURCE_DATE_EPOCH
+
+in order to make builds reproducible.
+See https://reproducible-builds.org/ for why this is good
+and https://reproducible-builds.org/specs/source-date-epoch/
+for the definition of this variable.
+
+This patch was done while working on reproducible builds for openSUSE.
+
+Index: shadowsocks-rust-1.20.4/Cargo.toml
+===================================================================
+--- shadowsocks-rust-1.20.4.orig/Cargo.toml
++++ shadowsocks-rust-1.20.4/Cargo.toml
+@@ -281,3 +281,6 @@ byteorder = "1.5"
+ env_logger = "0.11"
+ byte_string = "1.0"
+ tokio = { version = "1", features = ["net", "time", "macros", "io-util"] }
++
++[patch.crates-io]
++build-time = { path="vendor/build-time" }
+diff --git a/build-time/src/lib.rs b/build-time/src/lib.rs
+index c3484307..7ae9e03e 100644
+--- a/vendor/build-time/src/lib.rs
++++ b/vendor/build-time/src/lib.rs
+@@ -28,14 +28,18 @@ let local_build_time = build_time_local!("%Y-%m-%dT%H:%M:%S%.f%:z");
+ ```
+ */
+
+-use chrono::{DateTime, Local, Utc};
++use chrono::{DateTime, Local, TimeZone, Utc};
+ use once_cell::sync::Lazy;
+ use proc_macro::TokenStream;
+ use proc_macro2::Span;
+ use quote::quote;
++use std::env;
+ use syn::{parse_macro_input, LitStr};
+
+-static BUILD_TIME: Lazy> = Lazy::new(Utc::now);
++static BUILD_TIME: Lazy> = Lazy::new(|| match env::var("SOURCE_DATE_EPOCH") {
++ Ok(val) => { Utc.timestamp_opt(val.parse::().unwrap(), 0).unwrap() }
++ Err(_) => Utc::now(),
++ });
+
+ /// Build time in UTC.
+ ///
diff --git a/shadowsocks-rust-1.20.0.tar.gz b/shadowsocks-rust-1.20.0.tar.gz
new file mode 100644
index 0000000..f0dd99b
--- /dev/null
+++ b/shadowsocks-rust-1.20.0.tar.gz
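Review bot: In the embedded vendor/build-time/src/lib.rs change, the `Ok(val)` arm turns a malformed or out-of-range `SOURCE_DATE_EPOCH` into a bare `unwrap()` panic inside the proc-macro crate, so the build fails without naming the variable. I would replace the first `.unwrap()` with `.expect("SOURCE_DATE_EPOCH must be an integer number of seconds")` and the second with `.single().expect("SOURCE_DATE_EPOCH is out of range")`. The `Err(_)` arm also catches a value that is set but not valid Unicode and silently falls back to `Utc::now()`, which makes the build non-reproducible again without any signal; matching `Err(env::VarError::NotPresent)` on its own and failing on the other variant would surface that. The `[patch.crates-io]` path override only works if `vendor/build-time` exists in the unpacked vendor tree, which this hunk cannot confirm.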
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c818124252528886dd2a26c0f4730a34cdeb5764c3812cae0d98e9fc9c1d8ce9
+size 451311
diff --git a/shadowsocks-rust-1.20.4.tar.gz b/shadowsocks-rust-1.20.4.tar.gz
new file mode 100644
index 0000000..6cf2dbc
--- /dev/null
+++ b/shadowsocks-rust-1.20.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf064ad157974b3e396aab3bb60aab380dbc4e11b736603bfbc8e7a138f6bb26
+size 453391
diff --git a/shadowsocks-rust-client.service b/shadowsocks-rust-client.service
new file mode 100644
index 0000000..3d8dd01
--- /dev/null
+++ b/shadowsocks-rust-client.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=Daemon to start Shadowsocks-rust-client
+Wants=network-online.target
+After=network.target
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+Type=forking
+PIDFile=/var/run/shadowsocks-rust-client.pid
+ExecStart=/usr/bin/sslocal --log-without-time -c /etc/shadowsocks/shadowsocks-rust.json --tcp-fast-open
+Restart=on-failure
+User=shadowsocks
+Group=shadowsocks
+
+[Install]
+WantedBy=multi-user.target
diff --git a/shadowsocks-rust-manager.service b/shadowsocks-rust-manager.service
new file mode 100644
index 0000000..d91d52d
--- /dev/null
+++ b/shadowsocks-rust-manager.service
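Review bot: `Type=forking` with `PIDFile=/var/run/shadowsocks-rust-client.pid` does not match the `ExecStart` line in shadowsocks-rust-client.service, which passes no daemonize or PID-file option and runs as `User=shadowsocks`, an account that normally cannot create files directly under /var/run. Unless the binary forks on its own, systemd will wait for a parent exit that never comes and the start job will time out. `Type=simple` with the `PIDFile=` line dropped fits a foreground process. The unit also declares `Wants=network-online.target` but orders itself only `After=network.target`, so it is not actually delayed until the network is up; `After=network-online.target` would pair with the `Wants=`. The same lines appear in shadowsocks-rust-manager.service and shadowsocks-rust-server.service, and since all three are network-facing proxies running unprivileged, `NoNewPrivileges=true` and `PrivateTmp=true` would be cheap additions to the hardening block.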
@@ -0,0 +1,28 @@
+[Unit]
+Description=Daemon to start Shadowsocks-rust-manager
+Wants=network-online.target
+After=network.target
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+Type=forking
+PIDFile=/var/run/shadowsocks-rust-manager.pid
+ExecStart=/usr/bin/ssmanager --log-without-time -c /etc/shadowsocks/shadowsocks-rust.json --tcp-fast-open
+Restart=on-failure
+User=shadowsocks
+Group=shadowsocks
+
+[Install]
+WantedBy=multi-user.target
diff --git a/shadowsocks-rust-server.service b/shadowsocks-rust-server.service
new file mode 100644
index 0000000..590a7a6
--- /dev/null
+++ b/shadowsocks-rust-server.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=Daemon to start Shadowsocks-rust-server
+Wants=network-online.target
+After=network.target
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+Type=forking
+PIDFile=/var/run/shadowsocks-rust-server.pid
+ExecStart=/usr/bin/ssserver --log-without-time -c /etc/shadowsocks/shadowsocks-rust.json --tcp-fast-open
+Restart=on-failure
+User=shadowsocks
+Group=shadowsocks
+
+[Install]
+WantedBy=multi-user.target
diff --git a/shadowsocks-rust.changes b/shadowsocks-rust.changes
new file mode 100644
index 0000000..4b0e13f
--- /dev/null
+++ b/shadowsocks-rust.changes
@@ -0,0 +1,188 @@ +------------------------------------------------------------------- +Wed Nov 13 06:18:54 UTC 2024 - Bernhard Wiedemann + +- Add reproducible.patch to override build date (boo#1047218) + +------------------------------------------------------------------- +Thu Sep 12 13:19:28 UTC 2024 - Hillwood Yang + +- Update version to 1.20.4 + * Updated rustls to v0.23 with ring backend + * local-redir, server: Better approach to check current platform IP stack + capabilities like Go (IPv4, IPv6, IPv4-mapped-IPv6 supports) + * Explicitly enable dual-stack if listen addresses (server, local_address) + are IPv4-mapped-IPv6, by setting IPV6_V6ONLY=0 + * PingBalancer check Firefox portal allowing 200 HTTP status + * Ping Balancer scores replaced standard deviation with median absolute + deviation, which should help focusing less on outlying observations in + latency samples + * local: Allow configuring SOCKS5 UDP_ASSOCIATE address + * ProxyServerStream::from_stream made public + * Fix bugs + +------------------------------------------------------------------- +Sun Jun 16 09:07:43 UTC 2024 - Hillwood Yang + +- Update version to 1.20.0 + * Making HTTP requests with local-http's HttpClient implementation, mainly + for supporting outbound_* socket configurations. + * Support SIP008 Online Configuration. Pull servers from remote servers + automatically. 
(Experimental) + * Add basic, full, full-extra features makes building command line arguments + shorter + * Binaries support --plugin-mode command line argument + * local-tun is enabled by default for Windows targets in CI builds + * Fix bugs +- Drop fix-boo-1223239.patch, merged by upstream + +------------------------------------------------------------------- +Mon Apr 22 14:26:29 UTC 2024 - Hillwood Yang + +- Update version to 1.18.3 + * Support outbound_fwmark in server side to split outbound tunnel + * Default build for *-windows-* targets includes sswinservice + * local-fakedns: Add a basic implementation of Fake-DNS, which will + allocate IPs from pool for DNS queries. This experimental feature + could be useful when using local-tun, local-redir or other features + that could only receive IP destinations, the domain name that is + resolved by the Fake-DNS will be translated from IP back to domain + name when connecting to the remote + * Add launchd_udp_socket_name, launchd_tcp_socket_name to basic config format + * local-tun: Support tun_interface_destination configuration key + * Default logging framework changed to tracing-subscriber + * local: socks local server will support SOCKS5, SOCKS4a, HTTP proxy + protocols when local-http, local-socks4 features are enabled + * local: Support setting udp_mtu in configuration file to actively reject + packet.size > MTU + * Fix bugs +- Add fix-boo-1223239.patch, fix CVE-2024-32650 boo#1223239 + +------------------------------------------------------------------- +Wed Dec 13 13:55:57 UTC 2023 - Hillwood Yang + +- Set permissions as 640 for /etc/shadowsocks (boo#1216372) + +------------------------------------------------------------------- +Sun Dec 3 09:25:05 UTC 2023 - Hillwood Yang + +- Update version to 1.17.1 + * Trust-DNS is rebranded to Hickory-DNS + * Support DNS-over-H3 (Try with configuration "dns": "google_h3" + and compile with feature "dns-over-h3") + * Allow configuring local-dns client cache size + * 
local-tun supports Windows with Wintun + * Upgrade hyper + * Fix bugs + +------------------------------------------------------------------- +Tue Oct 24 14:38:46 UTC 2023 - Hillwood Yang + +- Fix boo#1216372 and boo#1216373, run systemd service as a dedicated user and group + +------------------------------------------------------------------- +Mon Sep 25 14:02:49 UTC 2023 - Hillwood Yang + +- Update version to 1.16.2 + * Fix bugs +- Update vendor, fix boo#1215658 CVE-2023-42811 + +------------------------------------------------------------------- +Wed Jun 21 17:34:03 UTC 2023 - Andreas Schwab + +- Update constraints for riscv64 + +------------------------------------------------------------------- +Tue Jun 20 06:46:10 UTC 2023 - opensuse-packaging + +- Add Recommends for shadowsocks-v2ray-plugin +- Update systemd services + +------------------------------------------------------------------- +Mon Jun 19 06:19:16 UTC 2023 - opensuse-packaging + +- Update version to 1.15.3 + * local-tun: Support tun_interface_destination for configuring Tun + device's destination address + * Support outbound_fwmark, outbound_user_cookie, outbound_bind_interface + and outbound_bind_addr in configuration file + * AEAD-2022 protoco + * SIP002 Extended Format: Allowing unencoded user-info in URL + * Manager standalone mode support bypassing ACL files + * Allow sslocal run without any servers, which will bypass all connections + and packets + * "password" is optional for none / plain method + * redir-local: Enable dual-stack support on Linux (TProxy) and FreeBSD + * Disable md5-asm and sha1-asm: shadowsocks/shadowsocks-crypto + * "acl" and "outbound_fwmark" are available in configuration file + * Properly handle IPv4-mapped-IPv6 addresses in UDP assocations + * Automatically bump RLIMIT_NOFILE on Unix (except Android) + * SOCKS5 protocol supports RFC1929 Username/Password Authentication + * HKDF-SHA1 uses ring's assembly implementation + * Set environment variable 
SS_SYSTEM_DNS_RESOLVER_FORCE_BUILTIN to use system's + builtin DNS resolver + * Allow setting "system" in DNS configuration key "dns" to use system provided + DNS API + * Support setting SO_USER_COOKIE on FreeBSD + * Local tun interface refactored the VirtDevice::poll strategy + * balancer.check_best_interval could let ping balancer to ping only the choosen + best server in this interval + * Set a shorter interval in balancer.check_best_interval than + balancer.check_interval to check much frequently the best server + * efactored local-tun, using smoltcp as a user-space network stack + * Support K8S deployment + * shadowsocks-crypto switch underlying encryption library to RustCrypto + * New binary ssservice with unified features in (sslocal, ssserver and + ssmanager) + * Removed direct dependency to mio, sending file descriptors through UDS now + with sendfd + * ACL regular expression rules will try to convert to || (sub-domains) and | + (exact match) rules + * TCP connects with Happy Eyeballs (RFC6555, RFC8305) strategy + * Basic support of tun interface in sslocal (Experimental) Tested on macOS and + Linux + * Local server will choose remote servers based on their "mode" + * ssmanager support --plugin and --plugin-opts as default plugin + configurations + * ssmanager support starting ssserver in standalone (independent process) mode + * ACL support | and || hash-set and domain-tree mode + * Support --outbound-bind-interface on Windows + * TFO on Linux queue length set to 1024 to match backlogs + * Completely remove Replay Attack Protection with Ping-Pong bloom filter in + default build configuration + * Support Snapcraft + * Multi-architecture Docker image for release + * Replaced futures::future::abortable with tokio's builtin + tokio::task::JoinHandle::abort + * Define binaries' exit code with standard in sysexits.h + * HTTP local listener supports TCP_NODELAY, SO_KEEPALIVE and dual-stack + * Remove slient dropping when replay was detected + * Enable TCP Keep 
Alive for inbound and outbound sockets + * Add disabled key for local servers in configuration + * Support TFO (TCP Fast Open) on Linux, Windows, macOS (iOS), FreeBSD + * Support customizing servers' weight for balancer + * HTTP Proxy preserves headers' title case + * Support non-standard AEAD ciphers sm4-gcm and sm4-ccm + * Support non-standard AEAD ciphers with crypto2, could be enabled by feature + aead-cipher-extra + * Support protocol in basic configuration format + * supports starting multiple instances in the same process + * Check repeated salt after first successful decryption + * Support setting SO_MARK, SO_BINDTODEVICE on Linux + * Support setting SO_SNDBUF and SO_RCVBUF for TCP sockets + * Support SIP008 extend server fields server, server_port, remarks + * Support sending TCP and UDP queries simutaneously + * Support connection reusability + * Remove mostly TCP timeout setting for tunnels, connections will only be + killed if clients or servers close + * Auto-reload DNS resolver configuration from /etc/resolv.conf on *NIX + platforms + * Allow customizing number of worker-threads for multi-threaded scheduler + * Support field disabled in extended server configuration + * Support customizing inbound and outbound sockets' SO_SNDBUF and SO_RCVBUF by + command line options + * Fix bugs + +------------------------------------------------------------------- +Sat Nov 13 12:01:57 UTC 2021 - opensuse-packaging + +- Initial package for version 1.8.23 diff --git a/shadowsocks-rust.json b/shadowsocks-rust.json new file mode 100644 index 0000000..3c329d8 --- /dev/null +++ b/shadowsocks-rust.json @@ -0,0 +1,10 @@ +{ + "server": "my_server_ip", + "server_port": 8388, + "password": "mypassword", + "method": "aes-256-gcm", + // ONLY FOR `sslocal` + // Delete these lines if you are running `ssserver` or `ssmanager` + "local_address": "127.0.0.1", + "local_port": 1080 +} 
diff --git a/shadowsocks-rust.spec b/shadowsocks-rust.spec
new file mode 100644
index 0000000..e120b34
--- /dev/null
+++ b/shadowsocks-rust.spec
@@ -0,0 +1,114 @@
+#
+# spec file for package shadowsocks-rust
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: shadowsocks-rust
+Version: 1.20.4
+Release: 0
+Summary: Rust port of Shadowsocks
+License: MIT
+Group: Productivity/Networking/Web/Proxy
+URL: https://github.com/shadowsocks/shadowsocks-rust
+Source0: https://github.com/shadowsocks/shadowsocks-rust/archive/v%{version}/%{name}-%{version}.tar.gz
+Source1: vendor.tar.gz
+Source2: %{name}.json
+Source3: %{name}-client.service
+Source4: %{name}-server.service
+Source5: %{name}-manager.service
+# PATCH-FIX-UPSTREAM https://github.com/AlephAlpha/build-time/pull/5
+Patch0: reproducible.patch
+BuildRequires: cargo
+BuildRequires: cargo-packaging
+BuildRequires: systemd-rpm-macros
+BuildRequires: pkgconfig(openssl)
+Requires(pre): shadow
+Recommends: shadowsocks-v2ray-plugin
+# ExcludeArch: ppc ppc64 ppc64le s390 s390x
+%{?systemd_ordering}
+
+%description
+shadowsocks-rust is a rust port of shadowsocks.
+
+shadowsocks is a lightweight secured SOCKS5 proxy for embedded devices and
+low-end boxes.
+ +%prep +%autosetup -p1 -a1 -n %{name}-%{version} +mkdir .cargo +cat >>.cargo/config.toml </dev/null || %{_sbindir}/groupadd --system shadowsocks +getent passwd shadowsocks >/dev/null || %{_sbindir}/useradd --system -c "shadowsocks User" \ + -d %{_localstatedir}/shadowsocks -m -g shadowsocks -s %{_sbindir}/nologin \ + shadowsocks + +%post +%service_add_post %{name}-client.service +%service_add_post %{name}-server.service +%service_add_post %{name}-manager.service +chown root:shadowsocks %{_sysconfdir}/shadowsocks -R +chmod 640 %{_sysconfdir}/shadowsocks -R + +%preun +%service_del_preun %{name}-client.service +%service_del_preun %{name}-server.service +%service_del_preun %{name}-manager.service + +%postun +%service_del_postun %{name}-client.service +%service_del_postun %{name}-server.service +%service_del_postun %{name}-manager.service + +%files +%doc README.md +%license LICENSE +%{_bindir}/ss* +%{_sbindir}/rc%{name}-* +%{_unitdir}/%{name}-*.service +%dir %{_sysconfdir}/shadowsocks +# %config(noreplace) %attr(660,%{name},root) %{_sysconfdir}/shadowsocks +%config %{_sysconfdir}/shadowsocks/%{name}.json + +%changelog diff --git a/vendor.tar.gz b/vendor.tar.gz new file mode 100644 index 0000000..b5f2c96 --- /dev/null +++ b/vendor.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e199a4cc1b03625deea230f9f890b12b498af274250891031727c6dfc2ecfb27 +size 84349967
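Review bot: In `%post`, `chmod 640 %{_sysconfdir}/shadowsocks -R` also applies mode 640 to the directory itself, which removes the search bit, so the `shadowsocks` group that the units run as cannot traverse into /etc/shadowsocks to read the JSON file holding the proxy password. Setting the modes in `%files` keeps them under rpm's control and gives the directory the bit it needs: `%dir %attr(750,root,shadowsocks) %{_sysconfdir}/shadowsocks` and `%config(noreplace) %attr(640,root,shadowsocks) %{_sysconfdir}/shadowsocks/%{name}.json`, with the `chown`/`chmod` pair dropped from `%post`. The `noreplace` matters because a plain `%config` moves an edited file aside as `.rpmsave` on update and installs the sample with its placeholder password in its place. Part of the spec between `%prep` and `%pre` is not readable on this page, so the install step that creates the directory may already set a mode I cannot see.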