- Update version to 1.21.2

* supports generic I/O socket type
  * Support OpenBSD Packet-Filter (pf)
  * Fix bugs

OBS-URL: https://build.opensuse.org/package/show/server:proxy/shadowsocks-rust?expand=0&rev=33

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

_constraints

@@ -0,0 +1,49 @@
+<constraints>
+
+<overwrite>
+  <conditions>
+    <arch>x86_64</arch>
+  </conditions>
+  <hardware>
+    <physicalmemory>
+    <size unit="G">10</size>
+    </physicalmemory>
+  </hardware>
+</overwrite>
+
+<overwrite>
+  <conditions>
+    <arch>aarch64</arch>
+    <arch>s390x</arch>
+  </conditions>
+  <hardware>
+    <physicalmemory>
+    <size unit="G">12</size>
+    </physicalmemory>
+  </hardware>
+</overwrite>
+
+<overwrite>
+  <conditions>
+    <arch>ppc64</arch>
+    <arch>ppc64le</arch>
+  </conditions>
+    <hardware>
+      <disk>
+        <size unit="G">80</size>
+      </disk>
+    </hardware>
+</overwrite>
+
+<overwrite>
+  <conditions>
+    <arch>riscv64</arch>
+  </conditions>
+  <hardware>
+    <memory>
+      <size unit="G">13</size>
+    </memory>
+  </hardware>
+</overwrite>
+
+</constraints>

reproducible.patch

@@ -0,0 +1,48 @@
+From 853a860dd9095b7ed2f95d5aac62f8f1dcc0d229 Mon Sep 17 00:00:00 2001
+From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
+Date: Wed, 28 Jun 2023 16:48:35 +0200
+Subject: [PATCH] Allow to override build date with SOURCE_DATE_EPOCH
+
+in order to make builds reproducible.
+See https://reproducible-builds.org/ for why this is good
+and https://reproducible-builds.org/specs/source-date-epoch/
+for the definition of this variable.
+
+This patch was done while working on reproducible builds for openSUSE.
+
+Index: shadowsocks-rust-1.20.4/Cargo.toml
+===================================================================
+--- shadowsocks-rust-1.20.4.orig/Cargo.toml
++++ shadowsocks-rust-1.20.4/Cargo.toml
+@@ -281,3 +281,6 @@ byteorder = "1.5"
+ env_logger = "0.11"
+ byte_string = "1.0"
+ tokio = { version = "1", features = ["net", "time", "macros", "io-util"] }
++
++[patch.crates-io]
++build-time = { path="vendor/build-time" }
+diff --git a/build-time/src/lib.rs b/build-time/src/lib.rs
+index c3484307..7ae9e03e 100644
+--- a/vendor/build-time/src/lib.rs
++++ b/vendor/build-time/src/lib.rs
+@@ -28,14 +28,18 @@ let local_build_time = build_time_local!("%Y-%m-%dT%H:%M:%S%.f%:z");
+ ```
+ */
+ 
+-use chrono::{DateTime, Local, Utc};
++use chrono::{DateTime, Local, TimeZone, Utc};
+ use once_cell::sync::Lazy;
+ use proc_macro::TokenStream;
+ use proc_macro2::Span;
+ use quote::quote;
++use std::env;
+ use syn::{parse_macro_input, LitStr};
+ 
+-static BUILD_TIME: Lazy<DateTime<Utc>> = Lazy::new(Utc::now);
++static BUILD_TIME: Lazy<DateTime<Utc>> = Lazy::new(|| match env::var("SOURCE_DATE_EPOCH") {
++        Ok(val) => { Utc.timestamp_opt(val.parse::<i64>().unwrap(), 0).unwrap() }
++        Err(_) => Utc::now(),
++    });
+ 
+ /// Build time in UTC.
+ ///

shadowsocks-rust-1.20.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c818124252528886dd2a26c0f4730a34cdeb5764c3812cae0d98e9fc9c1d8ce9
+size 451311

shadowsocks-rust-1.20.4.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf064ad157974b3e396aab3bb60aab380dbc4e11b736603bfbc8e7a138f6bb26
+size 453391

shadowsocks-rust-1.21.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a2269e896a27a183dfd6d757d130978b46e1ac19f936c4229188d017b7ecf867
+size 496176

shadowsocks-rust-client.service

@@ -0,0 +1,28 @@
+[Unit]
+Description=Daemon to start Shadowsocks-rust-client
+Wants=network-online.target
+After=network.target
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+Type=forking
+PIDFile=/var/run/shadowsocks-rust-client.pid
+ExecStart=/usr/bin/sslocal --log-without-time -c /etc/shadowsocks/shadowsocks-rust.json --tcp-fast-open
+Restart=on-failure
+User=shadowsocks
+Group=shadowsocks
+
+[Install]
+WantedBy=multi-user.target

shadowsocks-rust-manager.service

@@ -0,0 +1,28 @@
+[Unit]
+Description=Daemon to start Shadowsocks-rust-manager
+Wants=network-online.target
+After=network.target
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+Type=forking
+PIDFile=/var/run/shadowsocks-rust-manager.pid
+ExecStart=/usr/bin/ssmanager --log-without-time -c /etc/shadowsocks/shadowsocks-rust.json --tcp-fast-open
+Restart=on-failure
+User=shadowsocks
+Group=shadowsocks
+
+[Install]
+WantedBy=multi-user.target

shadowsocks-rust-server.service

@@ -0,0 +1,28 @@
+[Unit]
+Description=Daemon to start Shadowsocks-rust-server
+Wants=network-online.target
+After=network.target
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+Type=forking
+PIDFile=/var/run/shadowsocks-rust-server.pid
+ExecStart=/usr/bin/ssserver --log-without-time -c /etc/shadowsocks/shadowsocks-rust.json --tcp-fast-open
+Restart=on-failure
+User=shadowsocks
+Group=shadowsocks
+
+[Install]
+WantedBy=multi-user.target

shadowsocks-rust.changes

@@ -0,0 +1,196 @@
+-------------------------------------------------------------------
+Fri Nov 22 13:00:48 UTC 2024 - Hillwood Yang <hillwood@opensuse.org>
+
+- Update version to 1.21.2
+  * supports generic I/O socket type
+  * Support OpenBSD Packet-Filter (pf)
+  * Fix bugs
+
+-------------------------------------------------------------------
+Wed Nov 13 06:18:54 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Add reproducible.patch to override build date (boo#1047218)
+
+-------------------------------------------------------------------
+Thu Sep 12 13:19:28 UTC 2024 - Hillwood Yang <hillwood@opensuse.org>
+
+- Update version to 1.20.4
+  * Updated rustls to v0.23 with ring backend
+  * local-redir, server: Better approach to check current platform IP stack
+    capabilities like Go (IPv4, IPv6, IPv4-mapped-IPv6 supports)
+  * Explicitly enable dual-stack if listen addresses (server, local_address)
+    are IPv4-mapped-IPv6, by setting IPV6_V6ONLY=0
+  * PingBalancer check Firefox portal allowing 200 HTTP status
+  * Ping Balancer scores replaced standard deviation with median absolute
+    deviation, which should help focusing less on outlying observations in
+    latency samples
+  * local: Allow configuring SOCKS5 UDP_ASSOCIATE address
+  * ProxyServerStream::from_stream made public
+  * Fix bugs
+
+-------------------------------------------------------------------
+Sun Jun 16 09:07:43 UTC 2024 - Hillwood Yang <hillwood@opensuse.org>
+
+- Update version to 1.20.0
+  * Making HTTP requests with local-http's HttpClient implementation, mainly
+    for supporting outbound_* socket configurations.
+  * Support SIP008 Online Configuration. Pull servers from remote servers
+    automatically. (Experimental)
+  * Add basic, full, full-extra features makes building command line arguments
+    shorter
+  * Binaries support --plugin-mode command line argument
+  * local-tun is enabled by default for Windows targets in CI builds
+  * Fix bugs
+- Drop fix-boo-1223239.patch, merged by upstream
+
+-------------------------------------------------------------------
+Mon Apr 22 14:26:29 UTC 2024 - Hillwood Yang <hillwood@opensuse.org>
+
+- Update version to 1.18.3
+  * Support outbound_fwmark in server side to split outbound tunnel
+  * Default build for *-windows-* targets includes sswinservice
+  * local-fakedns: Add a basic implementation of Fake-DNS, which will
+    allocate IPs from pool for DNS queries. This experimental feature
+    could be useful when using local-tun, local-redir or other features
+    that could only receive IP destinations, the domain name that is
+    resolved by the Fake-DNS will be translated from IP back to domain
+    name when connecting to the remote
+  * Add launchd_udp_socket_name, launchd_tcp_socket_name to basic config format
+  * local-tun: Support tun_interface_destination configuration key
+  * Default logging framework changed to tracing-subscriber
+  * local: socks local server will support SOCKS5, SOCKS4a, HTTP proxy
+    protocols when local-http, local-socks4 features are enabled
+  * local: Support setting udp_mtu in configuration file to actively reject
+    packet.size > MTU
+  * Fix bugs
+- Add fix-boo-1223239.patch, fix CVE-2024-32650 boo#1223239
+
+-------------------------------------------------------------------
+Wed Dec 13 13:55:57 UTC 2023 - Hillwood Yang <hillwood@opensuse.org>
+
+- Set permissions as 640 for /etc/shadowsocks (boo#1216372)
+
+-------------------------------------------------------------------
+Sun Dec  3 09:25:05 UTC 2023 - Hillwood Yang <hillwood@opensuse.org>
+
+- Update version to 1.17.1
+  * Trust-DNS is rebranded to Hickory-DNS
+  * Support DNS-over-H3 (Try with configuration "dns": "google_h3" 
+    and compile with feature "dns-over-h3")
+  * Allow configuring local-dns client cache size
+  * local-tun supports Windows with Wintun
+  * Upgrade hyper
+  * Fix bugs
+
+-------------------------------------------------------------------
+Tue Oct 24 14:38:46 UTC 2023 - Hillwood Yang <hillwood@opensuse.org>
+
+- Fix boo#1216372 and boo#1216373, run systemd service as a dedicated user and group
+
+-------------------------------------------------------------------
+Mon Sep 25 14:02:49 UTC 2023 - Hillwood Yang <hillwood@opensuse.org>
+
+- Update version to 1.16.2
+  * Fix bugs
+- Update vendor, fix boo#1215658 CVE-2023-42811
+
+-------------------------------------------------------------------
+Wed Jun 21 17:34:03 UTC 2023 - Andreas Schwab <schwab@suse.de>
+
+- Update constraints for riscv64
+
+-------------------------------------------------------------------
+Tue Jun 20 06:46:10 UTC 2023 - opensuse-packaging <opensuse-packaging@opensuse.org>
+
+- Add Recommends for shadowsocks-v2ray-plugin
+- Update systemd services
+
+-------------------------------------------------------------------
+Mon Jun 19 06:19:16 UTC 2023 - opensuse-packaging <opensuse-packaging@opensuse.org>
+
+- Update version to 1.15.3
+  * local-tun: Support tun_interface_destination for configuring Tun 
+    device's destination address
+  * Support outbound_fwmark, outbound_user_cookie, outbound_bind_interface
+    and outbound_bind_addr in configuration file
+  * AEAD-2022 protoco
+  * SIP002 Extended Format: Allowing unencoded user-info in URL
+  * Manager standalone mode support bypassing ACL files
+  * Allow sslocal run without any servers, which will bypass all connections
+    and packets
+  * "password" is optional for none / plain method
+  * redir-local: Enable dual-stack support on Linux (TProxy) and FreeBSD
+  * Disable md5-asm and sha1-asm: shadowsocks/shadowsocks-crypto
+  * "acl" and "outbound_fwmark" are available in configuration file
+  * Properly handle IPv4-mapped-IPv6 addresses in UDP assocations
+  * Automatically bump RLIMIT_NOFILE on Unix (except Android)
+  * SOCKS5 protocol supports RFC1929 Username/Password Authentication
+  * HKDF-SHA1 uses ring's assembly implementation
+  * Set environment variable SS_SYSTEM_DNS_RESOLVER_FORCE_BUILTIN to use system's
+    builtin DNS resolver
+  * Allow setting "system" in DNS configuration key "dns" to use system provided
+    DNS API
+  * Support setting SO_USER_COOKIE on FreeBSD
+  * Local tun interface refactored the VirtDevice::poll strategy
+  * balancer.check_best_interval could let ping balancer to ping only the choosen
+    best server in this interval
+  * Set a shorter interval in balancer.check_best_interval than
+    balancer.check_interval to check much frequently the best server
+  * efactored local-tun, using smoltcp as a user-space network stack
+  * Support K8S deployment
+  * shadowsocks-crypto switch underlying encryption library to RustCrypto
+  * New binary ssservice with unified features in (sslocal, ssserver and
+    ssmanager)
+  * Removed direct dependency to mio, sending file descriptors through UDS now
+    with sendfd
+  * ACL regular expression rules will try to convert to || (sub-domains) and |
+    (exact match) rules
+  * TCP connects with Happy Eyeballs (RFC6555, RFC8305) strategy
+  * Basic support of tun interface in sslocal (Experimental) Tested on macOS and
+    Linux
+  * Local server will choose remote servers based on their "mode"
+  * ssmanager support --plugin and --plugin-opts as default plugin
+    configurations
+  * ssmanager support starting ssserver in standalone (independent process) mode
+  * ACL support | and || hash-set and domain-tree mode
+  * Support --outbound-bind-interface on Windows
+  * TFO on Linux queue length set to 1024 to match backlogs
+  * Completely remove Replay Attack Protection with Ping-Pong bloom filter in
+    default build configuration
+  * Support Snapcraft
+  * Multi-architecture Docker image for release
+  * Replaced futures::future::abortable with tokio's builtin
+    tokio::task::JoinHandle::abort
+  * Define binaries' exit code with standard in sysexits.h
+  * HTTP local listener supports TCP_NODELAY, SO_KEEPALIVE and dual-stack
+  * Remove slient dropping when replay was detected
+  * Enable TCP Keep Alive for inbound and outbound sockets
+  * Add disabled key for local servers in configuration
+  * Support TFO (TCP Fast Open) on Linux, Windows, macOS (iOS), FreeBSD
+  * Support customizing servers' weight for balancer
+  * HTTP Proxy preserves headers' title case
+  * Support non-standard AEAD ciphers sm4-gcm and sm4-ccm
+  * Support non-standard AEAD ciphers with crypto2, could be enabled by feature
+    aead-cipher-extra
+  * Support protocol in basic configuration format
+  * supports starting multiple instances in the same process
+  * Check repeated salt after first successful decryption
+  * Support setting SO_MARK, SO_BINDTODEVICE on Linux
+  * Support setting SO_SNDBUF and SO_RCVBUF for TCP sockets
+  * Support SIP008 extend server fields server, server_port, remarks
+  * Support sending TCP and UDP queries simutaneously
+  * Support connection reusability
+  * Remove mostly TCP timeout setting for tunnels, connections will only be
+    killed if clients or servers close
+  * Auto-reload DNS resolver configuration from /etc/resolv.conf on *NIX
+    platforms
+  * Allow customizing number of worker-threads for multi-threaded scheduler
+  * Support field disabled in extended server configuration
+  * Support customizing inbound and outbound sockets' SO_SNDBUF and SO_RCVBUF by
+    command line options
+  * Fix bugs
+
+-------------------------------------------------------------------
+Sat Nov 13 12:01:57 UTC 2021 - opensuse-packaging <opensuse-packaging@opensuse.org>
+
+- Initial package for version 1.8.23 

shadowsocks-rust.json

@@ -0,0 +1,10 @@
+{
+    "server": "my_server_ip",
+    "server_port": 8388,
+    "password": "mypassword",
+    "method": "aes-256-gcm",
+    // ONLY FOR `sslocal`
+    // Delete these lines if you are running `ssserver` or `ssmanager`
+    "local_address": "127.0.0.1",
+    "local_port": 1080
+}

shadowsocks-rust.spec

@@ -0,0 +1,114 @@
+#
+# spec file for package shadowsocks-rust
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           shadowsocks-rust
+Version:        1.21.2
+Release:        0
+Summary:        Rust port of Shadowsocks
+License:        MIT
+Group:          Productivity/Networking/Web/Proxy
+URL:            https://github.com/shadowsocks/shadowsocks-rust
+Source0:        https://github.com/shadowsocks/shadowsocks-rust/archive/v%{version}/%{name}-%{version}.tar.gz
+Source1:        vendor.tar.gz
+Source2:        %{name}.json
+Source3:        %{name}-client.service
+Source4:        %{name}-server.service
+Source5:        %{name}-manager.service
+# PATCH-FIX-UPSTREAM  https://github.com/AlephAlpha/build-time/pull/5
+Patch0:         reproducible.patch
+BuildRequires:  cargo
+BuildRequires:  cargo-packaging
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  pkgconfig(openssl)
+Requires(pre):  shadow
+Recommends:     shadowsocks-v2ray-plugin
+# ExcludeArch:    ppc ppc64 ppc64le s390 s390x
+%{?systemd_ordering}
+
+%description
+shadowsocks-rust is a rust port of shadowsocks.
+
+shadowsocks is a lightweight secured SOCKS5 proxy for embedded devices and
+low-end boxes.
+
+%prep
+%autosetup -p1 -a1 -n %{name}-%{version}
+mkdir .cargo
+cat >>.cargo/config.toml <<EOF
+[source.crates-io]
+registry = 'https://github.com/rust-lang/crates.io-index'
+replace-with = 'vendored-sources'
+[source.vendored-sources]
+directory = './vendor'
+EOF
+
+%build
+%cargo_build
+
+%install
+%cargo_install
+install -d %{buildroot}%{_sysconfdir}/shadowsocks/
+install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/shadowsocks/
+
+install -d %{buildroot}%{_unitdir}
+install -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}
+install -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}
+install -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}
+
+install -d %{buildroot}%{_sbindir}
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}-client
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}-server
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}-manager
+
+%pre
+%service_add_pre %{name}-client.service
+%service_add_pre %{name}-server.service
+%service_add_pre %{name}-manager.service
+getent group shadowsocks >/dev/null || %{_sbindir}/groupadd --system shadowsocks
+getent passwd shadowsocks >/dev/null || %{_sbindir}/useradd --system -c "shadowsocks User" \
+         -d %{_localstatedir}/shadowsocks -m -g shadowsocks -s %{_sbindir}/nologin \
+         shadowsocks
+
+%post
+%service_add_post %{name}-client.service
+%service_add_post %{name}-server.service
+%service_add_post %{name}-manager.service
+chown root:shadowsocks %{_sysconfdir}/shadowsocks -R
+chmod 640 %{_sysconfdir}/shadowsocks -R
+
+%preun
+%service_del_preun %{name}-client.service
+%service_del_preun %{name}-server.service
+%service_del_preun %{name}-manager.service
+
+%postun
+%service_del_postun %{name}-client.service
+%service_del_postun %{name}-server.service
+%service_del_postun %{name}-manager.service
+
+%files
+%doc README.md
+%license LICENSE
+%{_bindir}/ss*
+%{_sbindir}/rc%{name}-*
+%{_unitdir}/%{name}-*.service
+%dir %{_sysconfdir}/shadowsocks
+# %config(noreplace) %attr(660,%{name},root) %{_sysconfdir}/shadowsocks
+%config %{_sysconfdir}/shadowsocks/%{name}.json
+
+%changelog

vendor.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4d00851a12afd2655c1a75f0947136c2bf5d2c370c1f4d462fb88f15cdf412d5
+size 84245103