authorJason A. Donenfeld <Jason@zx2c4.com>2017-12-20 04:56:17 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2017-12-20 05:47:45 +0100
commitf8f1739fc19d7201ae62ab643c89ec6d15390741 (patch)
treea608076596cd34f17a63d2b0b06d21f9e14ca668
parentstandalone-tools: add make push (diff)
Drastically simplify
-rw-r--r--.gitignore2
-rw-r--r--Android.mk58
-rw-r--r--README.md47
-rw-r--r--[-rwxr-xr-x]fetch.sh34
-rwxr-xr-xgenerate-tools-filelist.sh5
-rwxr-xr-xpatch-kernel.sh (renamed from standalone-kernel/patch-kernel.sh)11
-rw-r--r--standalone-kernel/fetch.sh18
-rw-r--r--standalone-tools/.gitignore2
-rw-r--r--standalone-tools/Makefile39
-rw-r--r--standalone-tools/addonsd.sh37
-rw-r--r--standalone-tools/installer.sh74
-rwxr-xr-xversion-check.sh10
-rw-r--r--wg-quick.c649
13 files changed, 46 insertions, 940 deletions
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index ecea3bb..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-libmnl/
-wireguard/
diff --git a/Android.mk b/Android.mk
index 19396e8..6001ce0 100644
--- a/Android.mk
+++ b/Android.mk
@@ -4,49 +4,21 @@
WIREGUARD_PATH := $(call my-dir)
-fetch:
- cd $(WIREGUARD_PATH) && ./fetch.sh
-
TARGET_KERNEL_BINARIES: patch-wireguard
-ifeq ($(shell $(WIREGUARD_PATH)/version-check.sh "$(TARGET_KERNEL_SOURCE)" && echo compatible),compatible)
-patch-wireguard: fetch
- ln -vsfT "$$(realpath --relative-to="$(TARGET_KERNEL_SOURCE)/net)" "$(WIREGUARD_PATH)/wireguard/src" || readlink -f "$(WIREGUARD_PATH)/wireguard/src")" "$(TARGET_KERNEL_SOURCE)/net/wireguard"
- grep -q wireguard "$(TARGET_KERNEL_SOURCE)/net/Makefile" || sed -i "/^obj-\\\$$(CONFIG_NETFILTER).*+=/a obj-\$$(CONFIG_WIREGUARD) += wireguard/" "$(TARGET_KERNEL_SOURCE)/net/Makefile"
- grep -q wireguard "$(TARGET_KERNEL_SOURCE)/net/Kconfig" || sed -i "/^if INET\$$/a source \"net/wireguard/Kconfig\"" "$(TARGET_KERNEL_SOURCE)/net/Kconfig"
- sed -i 's/tristate/bool/;s/default m/default y/;' "$(TARGET_KERNEL_SOURCE)/net/wireguard/Kconfig"
-else
patch-wireguard:
- @echo -e "\e[1;37;41m=================================================\e[0m" >&2
- @echo -e "\e[1;37;41m+ WARNING WARNING WARNING +\e[0m" >&2
- @echo -e "\e[1;37;41m+ +\e[0m" >&2
- @echo -e "\e[1;37;41m+ You are trying to build WireGuard into a +\e[0m" >&2
- @echo -e "\e[1;37;41m+ kernel that is too old to run it. Please use +\e[0m" >&2
- @echo -e "\e[1;37;41m+ kernel >=3.10. This build will NOT have +\e[0m" >&2
- @echo -e "\e[1;37;41m+ WireGuard. You likely added this to your +\e[0m" >&2
- @echo -e "\e[1;37;41m+ local_manifest.xml without understanding this +\e[0m" >&2
- @echo -e "\e[1;37;41m+ requirement. Sorry for the inconvenience. +\e[0m" >&2
- @echo -e "\e[1;37;41m=================================================\e[0m" >&2
-endif
-
-.PHONY: patch-wireguard fetch
-
-LOCAL_PATH := $(WIREGUARD_PATH)
-include $(CLEAR_VARS)
-LOCAL_SRC_FILES := $(shell cd $(WIREGUARD_PATH) && ./generate-tools-filelist.sh)
-$(foreach F,$(LOCAL_SRC_FILES),$(WIREGUARD_PATH)/$(F)): fetch
-LOCAL_C_INCLUDES := $(WIREGUARD_PATH)/libmnl/src/ $(WIREGUARD_PATH)/libmnl/include/ $(WIREGUARD_PATH)/wireguard/src/tools/
-LOCAL_CFLAGS := -O3 -std=gnu11 -D_GNU_SOURCE -DHAVE_VISIBILITY_HIDDEN -DRUNSTATEDIR="\"/data/local/run\"" -Wno-pointer-arith -Wno-unused-parameter
-LOCAL_MODULE := wg
-LOCAL_MODULE_PATH := $(TARGET_OUT_OPTIONAL_EXECUTABLES)
-LOCAL_MODULE_CLASS := EXECUTABLES
-ALL_DEFAULT_INSTALLED_MODULES += wg
-include $(BUILD_EXECUTABLE)
+ @WG_PATCHER_GIT_IGNORE=1 $(WIREGUARD_PATH)/patch-kernel.sh "$(TARGET_KERNEL_SOURCE)"; \
+ ret=$$?; [ $$ret -eq 0 ] && exit 0; [ $$ret -ne 77 ] && exit $$ret; \
+ echo -e "" \
+ "\e[1;37;41m=================================================\e[0m\n" \
+ "\e[1;37;41m+ WARNING WARNING WARNING +\e[0m\n" \
+ "\e[1;37;41m+ +\e[0m\n" \
+ "\e[1;37;41m+ You are trying to build WireGuard into a +\e[0m\n" \
+ "\e[1;37;41m+ kernel that is too old to run it. Please use +\e[0m\n" \
+ "\e[1;37;41m+ kernel >=3.10. This build will NOT have +\e[0m\n" \
+ "\e[1;37;41m+ WireGuard. You likely added this to your +\e[0m\n" \
+ "\e[1;37;41m+ local_manifest.xml without understanding this +\e[0m\n" \
+ "\e[1;37;41m+ requirement. Sorry for the inconvenience. +\e[0m\n" \
+ "\e[1;37;41m=================================================\e[0m" >&2 \
+ exit 0
-include $(CLEAR_VARS)
-LOCAL_SRC_FILES := wg-quick.c
-LOCAL_CFLAGS := -O3 -std=gnu11 -Wall -pedantic -Wno-missing-field-initializers
-LOCAL_MODULE := wg-quick
-LOCAL_MODULE_PATH := $(TARGET_OUT_OPTIONAL_EXECUTABLES)
-LOCAL_MODULE_CLASS := EXECUTABLES
-ALL_DEFAULT_INSTALLED_MODULES += wg-quick
-include $(BUILD_EXECUTABLE)
+.PHONY: patch-wireguard
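Review bot: The closing `exit 0` of the new `patch-wireguard` recipe never runs as a command, because the last banner line ends in `>&2 \` with no `;`. After the line continuation the shell reads `exit 0` as two more arguments to `echo -e` and prints them after the banner; the recipe succeeds only because `echo` returns 0. Changing that line's ending from `>&2 \` to `>&2; \` makes the explicit exit the command that ends the recipe. `$(WIREGUARD_PATH)/patch-kernel.sh` is also expanded unquoted, unlike `"$(TARGET_KERNEL_SOURCE)"` beside it, so a checkout path containing spaces would be split.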
diff --git a/README.md b/README.md
index e43a2fd..50020f2 100644
--- a/README.md
+++ b/README.md
@@ -1,51 +1,26 @@
# [WireGuard](https://www.wireguard.com/) for Android ROMs and Kernels
-This repository contains various ways of integrating [WireGuard](https://www.wireguard.com/) into Android systems. The result may be used with [the WireGuard Android GUI app](https://play.google.com/apps/testing/com.wireguard.android). This is currently tested on Android 7 and kernels ≥3.10.
+This repository contains various ways of integrating [WireGuard](https://www.wireguard.com/) into Android systems. The result may be used with [the WireGuard Android GUI app](https://play.google.com/apps/testing/com.wireguard.android). This is currently tested on Android 6, 7, and 8 and kernels ≥3.10.
-## Integrating into ROMs Directly
+Choose between **Method A** and **Method B**, below. Do not choose both methods at the same time.
-This is the preferred approach. It is embedded into your ROM via a simple `local_manifest.xml`, so that WireGuard is built into the kernel and userland of an Android ROM.
+## Method A: Adding to Kernel Trees
-To use, add the following local manifest to your project, or include the `<remote>` and `<project>` lines in an existing manifest:
+If you maintain your own kernel, you may easily patch your kernel tree to support WireGuard with the following command:
```
-<?xml version="1.0" encoding="UTF-8"?>
-<manifest>
- <remote name="zx2c4" fetch="https://git.zx2c4.com/" />
- <project remote="zx2c4" name="android_kernel_wireguard" path="kernel/wireguard" revision="master" sync-s="true" />
-</manifest>
-```
-
-After that calls to `repo sync` and `mka bacon` will do the right thing, giving you a WireGuard-enabled ROM.
-
-## Standalone Kernel Built-in Module
-
-If you do not wish to run a custom ROM, but would still like to build a kernel with WireGuard, you may patch WireGuard into your kernel using the following script:
-
-```
-$ cd standalone-kernel
-$ ./patch-kernel.sh path/to/kernel
+$ ./patch-kernel.sh path/to/kerneltree
```
-After this, WireGuard will be included as part of the ordinary kernel build.
+This will patch your kernel and create a commit for you.
-## Standalone Tools
+## Method B: Integrating into ROMs
-If your kernel already has WireGuard, perhaps via a standalone kernel module, but you need the tools for userland, you may build a flashable zip file, installable via recovery, with:
+If you do not maintain your own kernel, but rather maintain a `local_manifest.xml` file, and would like to add WireGuard to your ROM, you can simply add these two lines to your `local_manifest.xml`:
```
-$ cd standalone-tools
-$ make -j$(nproc) zip
-$ adb sideload wireguard-tools.zip
-```
-
-Or, if you have your phone plugged in and booted up into the normal OS and have root access, you can build and push directly with:
-
-```
-$ cd standalone-tools
-$ make push
+ <remote name="zx2c4" fetch="https://git.zx2c4.com/" />
+ <project remote="zx2c4" name="android_kernel_wireguard" path="kernel/wireguard" revision="master" sync-s="true" />
```
-## `wg-quick(8)` for Android
-
-All of the above approaches include [`wg-quick(8)`](https://git.zx2c4.com/WireGuard/about/src/tools/wg-quick.8) for Android, which works via calls to Android's `ndc` command. Compared to the ordinary wg-quick, this one does not support `SaveConfig` and `{Pre,Post}{Up,Down}`. Put your configuration files into `/data/misc/wireguard/`. After that, the normal `wg-quick up|down` commands will work as usual. This is used automatically via the [the WireGuard Android GUI app](https://play.google.com/apps/testing/com.wireguard.android).
+Then, run `repo sync`. The kernel used by your ROM will automatically gain WireGuard support.
diff --git a/fetch.sh b/fetch.sh
index c91ea08..dcc25de 100755..100644
--- a/fetch.sh
+++ b/fetch.sh
@@ -1,28 +1,18 @@
#!/bin/bash
-# SPDX-License-Identifier: GPL-2.0
-#
-# Copyright (C) 2015-2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
-
set -e
-WIREGUARD_VERSION=0.0.20171211
-LIBMNL_VERSION=1.0.4
USER_AGENT="WireGuard-AndroidROMBuild/0.1 ($(uname -a))"
-fetch_wireguard() {
- [[ -d wireguard && -f wireguard/.version && $(< wireguard/.version) == "$WIREGUARD_VERSION" ]] && return 0
- rm -rf wireguard
- mkdir wireguard
- curl -A "$USER_AGENT" -LSs "https://git.zx2c4.com/WireGuard/snapshot/WireGuard-$WIREGUARD_VERSION.tar.xz" | tar -C "wireguard" --strip-components=1 -xJf -
- echo "$WIREGUARD_VERSION" > wireguard/.version
-}
+[[ $(( $(date +%s) - $(stat -c %Y "net/wireguard/.check" 2>/dev/null || echo 0) )) -gt 86400 ]] || exit 0
+
+[[ $(curl -A "$USER_AGENT" -LSs https://git.zx2c4.com/WireGuard/refs/) =~ snapshot/WireGuard-([0-9.]+)\.tar\.xz ]]
-fetch_libmnl() {
- [[ -d libmnl && -f libmnl/.version && $(< libmnl/.version) == "$LIBMNL_VERSION" ]] && return 0
- rm -rf libmnl
- mkdir libmnl
- curl -A "$USER_AGENT" -LSs "https://www.netfilter.org/projects/libmnl/files/libmnl-$LIBMNL_VERSION.tar.bz2" | tar -C libmnl --strip-components=1 -xjf -
- echo "$LIBMNL_VERSION" > libmnl/.version
-}
+if [[ -f net/wireguard/version.h && $(< net/wireguard/version.h) == *${BASH_REMATCH[1]}* ]]; then
+ touch net/wireguard/.check
+ exit 0
+fi
-fetch_wireguard
-fetch_libmnl
+rm -rf net/wireguard
+mkdir -p net/wireguard
+curl -A "$USER_AGENT" -LsS "https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${BASH_REMATCH[1]}.tar.xz" | tar -C "net/wireguard" -xJf - --strip-components=2 "WireGuard-${BASH_REMATCH[1]}/src"
+sed -i 's/tristate/bool/;s/default m/default y/;' net/wireguard/Kconfig
+touch net/wireguard/.check
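Review bot: The snapshot is piped from `curl` straight into `tar` and unpacked under `net/wireguard` with no integrity check. The version is whatever the `refs/` page lists at that moment rather than a pinned one, so, at most once a day (the 86400-second `.check` test), the kernel tree is replaced with whatever the server returned. Consider downloading to a temporary file, verifying it against a pinned digest or a detached signature (if upstream publishes one), and only then replacing the tree, so that `rm -rf net/wireguard` never runs before the download is known to be good. Adding `set -o pipefail` after `set -e` would make a failed `curl` stop the script directly instead of relying on `tar` rejecting a truncated stream.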
diff --git a/generate-tools-filelist.sh b/generate-tools-filelist.sh
deleted file mode 100755
index 34d8843..0000000
--- a/generate-tools-filelist.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-set -e
-
-. ./fetch.sh
-echo wireguard/src/tools/*.c libmnl/src/*.c
diff --git a/standalone-kernel/patch-kernel.sh b/patch-kernel.sh
index 206ea32..fc57de8 100755
--- a/standalone-kernel/patch-kernel.sh
+++ b/patch-kernel.sh
@@ -17,7 +17,7 @@ if ! [[ $(< Makefile) =~ VERSION[[:space:]]*=[[:space:]]*([0-9]+).*PATCHLEVEL[[:
fi
if (( ((${BASH_REMATCH[1]} * 65536) + (${BASH_REMATCH[2]} * 256) + ${BASH_REMATCH[3]}) < ((3 * 65536) + (10 * 256) + 0) )); then
echo "WireGuard requires kernels >= 3.10. This is kernel ${BASH_REMATCH[1]}.${BASH_REMATCH[2]}.${BASH_REMATCH[3]}."
- exit 1
+ exit 77
fi
[[ $(< net/Makefile) == *wireguard* ]] || sed -i "/^obj-\\\$(CONFIG_NETFILTER).*+=/a obj-\$(CONFIG_WIREGUARD) += wireguard/" net/Makefile
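Review bot: The new exit status 77 is a contract with the caller that the script does not document: the `patch-wireguard` recipe in Android.mk treats 77 as "kernel too old, warn and continue" and any other non-zero status as a build failure. A comment above the line, e.g. `# 77: kernel too old; callers may skip WireGuard instead of failing the build`, would keep a later edit from reusing the value for a real error. The version message on the preceding `echo` still goes to stdout; adding `>&2` would match how the Android.mk banner is reported. The script begins and continues outside this hunk.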
@@ -30,6 +30,11 @@ chmod +x scripts/fetch-latest-wireguard.sh
[[ $(< scripts/Kbuild.include) == *fetch-latest-wireguard.sh* ]] || echo '$(shell cd "$(srctree)" && ./scripts/fetch-latest-wireguard.sh)' >> scripts/Kbuild.include
if [[ -d .git ]]; then
- git add scripts/Kbuild.include scripts/fetch-latest-wireguard.sh net/.gitignore net/Kconfig net/Makefile
- git commit -s -m "net/wireguard: add wireguard importer" scripts/Kbuild.include scripts/fetch-latest-wireguard.sh net/.gitignore net/Kconfig net/Makefile
+ if [[ $WG_PATCHER_GIT_IGNORE -eq 1 ]]; then
+ echo -e 'scripts/fetch-latest-wireguard.sh\nnet/.gitignore' >> .gitignore
+ git update-index --assume-unchanged .gitignore scripts/Kbuild.include net/Kconfig net/Makefile
+ else
+ git add scripts/Kbuild.include scripts/fetch-latest-wireguard.sh net/.gitignore net/Kconfig net/Makefile
+ git commit -s -m "net/wireguard: add wireguard importer" scripts/Kbuild.include scripts/fetch-latest-wireguard.sh net/.gitignore net/Kconfig net/Makefile
+ fi
fi
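Review bot: The `echo -e … >> .gitignore` in the `WG_PATCHER_GIT_IGNORE` branch appends unconditionally, while the neighbouring edits to `net/Makefile` and `scripts/Kbuild.include` are guarded by a `[[ $(< file) == *…* ]] ||` test; if the script reaches this point on an already patched tree, both entries are appended again on every run. A guard in the same style, `[[ -f .gitignore && $(< .gitignore) == *fetch-latest-wireguard.sh* ]] || echo -e '…' >> .gitignore`, would keep it idempotent. `[[ $WG_PATCHER_GIT_IGNORE -eq 1 ]]` evaluates the variable as an arithmetic expression, so the string test `[[ $WG_PATCHER_GIT_IGNORE == 1 ]]` is the safer check for a flag taken from the environment. The branch also deserves a comment that `git update-index --assume-unchanged` hides the modified `scripts/Kbuild.include`, `net/Kconfig` and `net/Makefile` from `git status`, because the line appended to `scripts/Kbuild.include` runs the fetch script during the build.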
diff --git a/standalone-kernel/fetch.sh b/standalone-kernel/fetch.sh
deleted file mode 100644
index dcc25de..0000000
--- a/standalone-kernel/fetch.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-set -e
-USER_AGENT="WireGuard-AndroidROMBuild/0.1 ($(uname -a))"
-
-[[ $(( $(date +%s) - $(stat -c %Y "net/wireguard/.check" 2>/dev/null || echo 0) )) -gt 86400 ]] || exit 0
-
-[[ $(curl -A "$USER_AGENT" -LSs https://git.zx2c4.com/WireGuard/refs/) =~ snapshot/WireGuard-([0-9.]+)\.tar\.xz ]]
-
-if [[ -f net/wireguard/version.h && $(< net/wireguard/version.h) == *${BASH_REMATCH[1]}* ]]; then
- touch net/wireguard/.check
- exit 0
-fi
-
-rm -rf net/wireguard
-mkdir -p net/wireguard
-curl -A "$USER_AGENT" -LsS "https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${BASH_REMATCH[1]}.tar.xz" | tar -C "net/wireguard" -xJf - --strip-components=2 "WireGuard-${BASH_REMATCH[1]}/src"
-sed -i 's/tristate/bool/;s/default m/default y/;' net/wireguard/Kconfig
-touch net/wireguard/.check
diff --git a/standalone-tools/.gitignore b/standalone-tools/.gitignore
deleted file mode 100644
index 030cc7a..0000000
--- a/standalone-tools/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-wireguard-tools.zip
-build
diff --git a/standalone-tools/Makefile b/standalone-tools/Makefile
deleted file mode 100644
index 340233a..0000000
--- a/standalone-tools/Makefile
+++ /dev/null
@@ -1,39 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0
-#
-# Copyright (C) 2015-2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
-
-ARCHS := $(shell ndk-build NDK_PROJECT_PATH=$(PWD)/build APP_BUILD_SCRIPT=$(PWD)/../Android.mk APP_PLATFORM=21 DUMP_NDK_KNOWN_DEVICE_ABIS 2>/dev/null)
-
-help:
- @echo "Type \`make zip' to create a flashable zip, or type \`make push' to push tools to a running device using adb."
-
-clean:
- rm -rf build wireguard-tools.zip
-
-wg-build: ../wg-quick.c
- ndk-build NDK_PROJECT_PATH=$(PWD)/build APP_BUILD_SCRIPT=$(PWD)/../Android.mk APP_PLATFORM=21
-
-$(foreach ARCH,$(ARCHS),build/libs/$(ARCH)/wg build/libs/$(ARCH)/wg-quick): wg-build
-
-wireguard-tools.zip: $(foreach ARCH,$(ARCHS),build/libs/$(ARCH)/wg-quick build/libs/$(ARCH)/wg) installer.sh addonsd.sh
- rm -rf $@ build/zip build/*.zip
- mkdir -p build/zip build/zip/addon.d build/zip/META-INF/com/google/android
- ln -frs build/libs build/zip/arch
- ln -frs addonsd.sh build/zip/addon.d/40-wireguard.sh
- ln -frs installer.sh build/zip/META-INF/com/google/android/update-binary
- touch build/zip/META-INF/com/google/android/updater-script
- cd build/zip && zip -0Xr ../unaligned-$@ .
- openssl req -x509 -nodes -newkey rsa:2048 -keyout build/key.pem -out build/cert.pem -days 3650 -subj /CN=$$(hostname)/
- openssl pkcs8 -topk8 -inform PEM -outform DER -in build/key.pem -out build/key.pk8 -nocrypt
- $(ANDROID_HOME)/build-tools/27.0.1/zipalign -v -p 4 build/unaligned-$@ build/aligned-$@
- $(ANDROID_HOME)/build-tools/27.0.1/apksigner sign --key build/key.pk8 --cert build/cert.pem --min-sdk-version 21 --out $@ build/aligned-$@
-
-zip: wireguard-tools.zip
-
-push: $(foreach ARCH,$(ARCHS),build/libs/$(ARCH)/wg-quick build/libs/$(ARCH)/wg)
- ARCH="$$(adb shell 'su -c "mount -o rw,remount /system" && getprop ro.product.cpu.abi')" && \
- adb push "build/libs/$$ARCH/wg-quick" "build/libs/$$ARCH/wg" /sdcard && \
- adb shell 'su -c "mv /sdcard/wg /sdcard/wg-quick /system/xbin/ && chmod 755 /system/xbin/wg /system/xbin/wg-quick"'
-
-.PHONY: clean zip push
-.SECONDARY:
diff --git a/standalone-tools/addonsd.sh b/standalone-tools/addonsd.sh
deleted file mode 100644
index 90865d0..0000000
--- a/standalone-tools/addonsd.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/sbin/sh
-
-. /tmp/backuptool.functions
-
-list_files() {
-cat <<_EOF
-xbin/wg
-xbin/wg-quick
-_EOF
-}
-
-case "$1" in
- backup)
- list_files | while read FILE DUMMY; do
- backup_file $S/"$FILE"
- done
- ;;
- restore)
- list_files | while read FILE REPLACEMENT; do
- R=""
- [ -n "$REPLACEMENT" ] && R="$S/$REPLACEMENT"
- [ -f "$C/$S/$FILE" ] && restore_file $S/"$FILE" "$R"
- done
- ;;
- pre-backup)
- # Stub
- ;;
- post-backup)
- # Stub
- ;;
- pre-restore)
- # Stub
- ;;
- post-restore)
- # Stub
- ;;
-esac
diff --git a/standalone-tools/installer.sh b/standalone-tools/installer.sh
deleted file mode 100644
index 11838a1..0000000
--- a/standalone-tools/installer.sh
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/sbin/sh
-# SPDX-License-Identifier: GPL-2.0
-#
-# Copyright (C) 2015-2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
-
-SCRIPT="$1"
-OUTFD="$2"
-ZIP="$3"
-ARCH="$(getprop ro.product.cpu.abi)"
-
-print() {
- echo "ui_print [+] $*" >&$OUTFD
-}
-
-die() {
- echo "ui_print [-] $*" >&$OUTFD
- exit 1
-}
-
-cleanup() {
- mount -o ro,remount /system
- rm -rf /tmp/wireguard
-}
-
-mount_system() {
- local slot dev
-
- if grep -q /system /proc/mounts; then
- print "Remounting system partition r/w"
- mount -o rw,remount /system || die "Could not remount system partition r/w"
- else
- print "Mounting system partition"
-
- slot="$(getprop ro.boot.slot_suffix)"
- [ -z "$slot" ] && slot="$(getprop ro.boot.slot)"
-
- dev="$(find /dev/block -iname "system$slot" -print | head -n 1)"
- [ -n "$dev" ] || die "Could not find system partition"
-
- mount -o rw "$dev" /system || die "Could not mount system partition"
- fi
-}
-
-echo "ui_print ==================================" >&$OUTFD
-echo "ui_print = WireGuard Tools =" >&$OUTFD
-echo "ui_print = by zx2c4 =" >&$OUTFD
-echo "ui_print = www.wireguard.com =" >&$OUTFD
-echo "ui_print ==================================" >&$OUTFD
-
-[ -n $ARCH ] || die "Could not determine architecture"
-[ -f "$ZIP" ] || die "Could not find zip file"
-
-trap cleanup INT TERM EXIT
-
-mount_system
-
-print "Extracting files"
-rm -rf /tmp/wireguard
-mkdir -p /tmp/wireguard
-unzip -d /tmp/wireguard "$ZIP"
-
-print "Installing WireGuard tools"
-[ -d /tmp/wireguard/arch/$ARCH ] || die "Not available for device's ABI"
-cp -f /tmp/wireguard/arch/$ARCH/* /system/xbin/ || die "Could not copy binaries"
-chmod 755 /system/xbin/wg /system/xbin/wg-quick || die "Could not mark binaries as executable"
-
-if [ -d /system/addon.d ]; then
- print "Installing ROM flash survial script"
- cp -f /tmp/wireguard/addon.d/40-wireguard.sh /system/addon.d/ || die "Could not copy survival script"
- chmod 755 /system/addon.d/40-wireguard.sh || die "Could not mark survival script as executable"
-fi
-
-mkdir -pm 700 /data/misc/wireguard
-print "Success! Be sure your kernel has the WireGuard module enabled."
diff --git a/version-check.sh b/version-check.sh
deleted file mode 100755
index ecca6dc..0000000
--- a/version-check.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-# SPDX-License-Identifier: GPL-2.0
-#
-# Copyright (C) 2015-2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
-
-set -e
-[[ -n $1 && -f $1/Makefile ]]
-[[ $(< "$1/Makefile") =~ VERSION[[:space:]]*=[[:space:]]*([0-9]+).*PATCHLEVEL[[:space:]]*=[[:space:]]*([0-9]+).*SUBLEVEL[[:space:]]*=[[:space:]]*([0-9]+) ]]
-LINUX_VERSION_CODE=$(( (${BASH_REMATCH[1]} * 65536) + (${BASH_REMATCH[2]} * 256) + ${BASH_REMATCH[3]} ))
-(( LINUX_VERSION_CODE >= ((3 * 65536) + (10 * 256) + 0) ))
diff --git a/wg-quick.c b/wg-quick.c
deleted file mode 100644
index db744d3..0000000
--- a/wg-quick.c
+++ /dev/null
@@ -1,649 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0
- *
- * Copyright (C) 2015-2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
- *
- * This is a shell script written in C. It very intentionally still functions like
- * a shell script, calling out to external executables such as ip(8).
- */
-
-#define _GNU_SOURCE
-#include <stdlib.h>
-#include <stdio.h>
-#include <stdbool.h>
-#include <string.h>
-#include <strings.h>
-#include <stdarg.h>
-#include <ctype.h>
-#include <time.h>
-#include <unistd.h>
-#include <errno.h>
-#include <regex.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/wait.h>
-#include <sys/param.h>
-
-#ifndef WG_CONFIG_SEARCH_PATHS
-#define WG_CONFIG_SEARCH_PATHS "/data/misc/wireguard /data/data/com.wireguard.android/files"
-#endif
-
-#define _printf_(x, y) __attribute__((format(printf, x, y)))
-#define _cleanup_(x) __attribute__((cleanup(x)))
-#define ARRAY_SIZE(x) (sizeof(x) / sizeof(x[0]))
-
-static bool is_exiting = false;
-
-static void *xmalloc(size_t size)
-{
- void *ret = malloc(size);
- if (ret)
- return ret;
- perror("Error: malloc");
- exit(errno);
-}
-
-static void *xstrdup(const char *str)
-{
- char *ret = strdup(str);
- if (ret)
- return ret;
- perror("Error: strdup");
- exit(errno);
-}
-
-static void xregcomp(regex_t *preg, const char *regex, int cflags)
-{
- if (regcomp(preg, regex, cflags)) {
- fprintf(stderr, "Error: Regex compilation error\n");
- exit(EBADR);
- }
-}
-
-static char *concat(char *first, ...)
-{
- va_list args;
- size_t len = 0;
- char *ret;
-
- va_start(args, first);
- for (char *i = first; i; i = va_arg(args, char *))
- len += strlen(i);
- va_end(args);
-
- ret = xmalloc(len + 1);
- ret[0] = '\0';
-
- va_start(args, first);
- for (char *i = first; i; i = va_arg(args, char *))
- strcat(ret, i);
- va_end(args);
-
- return ret;
-}
-
-static char *concat_and_free(char *orig, const char *delim, const char *new_line)
-{
- char *ret;
-
- if (!orig)
- ret = xstrdup(new_line);
- else
- ret = concat(orig, delim, new_line, NULL);
- free(orig);
- return ret;
-}
-
-struct command_buffer {
- char *line;
- size_t len;
- FILE *stream;
-};
-
-static void free_command_buffer(struct command_buffer *c)
-{
- if (!c)
- return;
- if (c->stream)
- pclose(c->stream);
- free(c->line);
-}
-
-static void freep(void *p)
-{
- free(*(void **)p);
-}
-static void fclosep(FILE **f)
-{
- if (*f)
- fclose(*f);
-}
-#define _cleanup_free_ _cleanup_(freep)
-#define _cleanup_fclose_ _cleanup_(fclosep)
-
-#define DEFINE_CMD(name) _cleanup_(free_command_buffer) struct command_buffer name = { 0 };
-
-static char *vcmd_ret(struct command_buffer *c, const char *cmd_fmt, va_list args)
-{
- _cleanup_free_ char *cmd = NULL;
-
- if (!c->stream && !cmd_fmt)
- return NULL;
- if (c->stream && cmd_fmt)
- pclose(c->stream);
-
- if (cmd_fmt) {
- if (vasprintf(&cmd, cmd_fmt, args) < 0) {
- perror("Error: vasprintf");
- exit(errno);
- }
-
- c->stream = popen(cmd, "r");
- if (!c->stream) {
- perror("Error: popen");
- exit(errno);
- }
- }
- errno = 0;
- if (getline(&c->line, &c->len, c->stream) < 0) {
- if (errno) {
- perror("Error: getline");
- exit(errno);
- }
- return NULL;
- }
- return c->line;
-}
-
-_printf_(1, 2) static void cmd(const char *cmd_fmt, ...)
-{
- _cleanup_free_ char *cmd = NULL;
- va_list args;
- int ret;
-
- va_start(args, cmd_fmt);
- if (vasprintf(&cmd, cmd_fmt, args) < 0) {
- perror("Error: vasprintf");
- exit(errno);
- }
- va_end(args);
-
- printf("[#] %s\n", cmd);
- ret = system(cmd);
-
- if (ret < 0)
- ret = ESRCH;
- else if (ret > 0)
- ret = WEXITSTATUS(ret);
-
- if (ret && !is_exiting)
- exit(ret);
-}
-
-_printf_(2, 3) static char *cmd_ret(struct command_buffer *c, const char *cmd_fmt, ...)
-{
- va_list args;
- char *ret;
-
- va_start(args, cmd_fmt);
- ret = vcmd_ret(c, cmd_fmt, args);
- va_end(args);
- return ret;
-}
-
-_printf_(1, 2) static void cndc(const char *cmd_fmt, ...)
-{
- DEFINE_CMD(c);
- int error_code;
- char *ret;
- va_list args;
- _cleanup_free_ char *ndc_fmt = concat("ndc ", cmd_fmt, NULL);
-
- va_start(args, cmd_fmt);
- printf("[#] ");
- vprintf(ndc_fmt, args);
- printf("\n");
- va_end(args);
-
- va_start(args, cmd_fmt);
- ret = vcmd_ret(&c, ndc_fmt, args);
- va_end(args);
-
- if (!ret) {
- fprintf(stderr, "Error: could not call ndc\n");
- exit(ENOSYS);
- }
-
- error_code = atoi(ret);
- if (error_code >= 400 && error_code < 600) {
- fprintf(stderr, "Error: %s\n", ret);
- exit(ENONET);
- }
-}
-
-static void auto_su(int argc, char *argv[])
-{
- char *args[argc + 4];
-
- if (!getuid())
- return;
-
- args[0] = "su";
- args[1] = "-p";
- args[2] = "-c";
- memcpy(&args[3], argv, argc * sizeof(*args));
- args[argc + 3] = NULL;
-
- printf("[$] su -p -c ");
- for (int i = 0; i < argc; ++i)
- printf("%s%c", argv[i], i == argc - 1 ? '\n' : ' ');
-
- execvp("su", args);
- exit(errno);
-}
-
-static void add_if(const char *iface)
-{
- cmd("ip link add %s type wireguard", iface);
-}
-
-static void del_if(const char *iface)
-{
- DEFINE_CMD(c);
- regex_t reg;
- regmatch_t matches[2];
- char *netid = NULL;
- _cleanup_free_ char *regex = concat("0xc([0-9a-f]+)/0xcffff lookup ", iface, NULL);
-
- xregcomp(&reg, regex, REG_EXTENDED);
-
- cmd("ip link del %s", iface);
- for (char *ret = cmd_ret(&c, "ip rule show"); ret; ret = cmd_ret(&c, NULL)) {
- if (!regexec(&reg, ret, ARRAY_SIZE(matches), matches, 0)) {
- ret[matches[1].rm_eo] = '\0';
- netid = &ret[matches[1].rm_so];
- break;
- }
- }
-
- if (netid)
- cndc("network destroy %lu", strtoul(netid, NULL, 16));
-}
-
-static void up_if(unsigned int *netid, const char *iface)
-{
- srandom(time(NULL) ^ getpid()); /* Not real randomness. */
-
- while (*netid < 4096)
- *netid = random() & 0xfffe;
-
- cmd("wg set %s fwmark 0x20000", iface);
- cndc("interface setcfg %s up", iface);
- cndc("network create %u vpn 1 1", *netid);
- cndc("network interface add %u %s", *netid, iface);
- cndc("network users add %u 0-99999", *netid);
-}
-
-static void set_dnses(unsigned int netid, const char *dnses)
-{
- size_t len = strlen(dnses);
- _cleanup_free_ char *mutable = xstrdup(dnses);
- _cleanup_free_ char *arglist = xmalloc(len * 4 + 1);
- _cleanup_free_ char *arg = xmalloc(len + 4);
-
- if (!len)
- return;
- arglist[0] = '\0';
-
- for (char *dns = strtok(mutable, ", \t\n"); dns; dns = strtok(NULL, ", \t\n")) {
- if (strchr(dns, '\'') || strchr(dns, '\\'))
- continue;
- snprintf(arg, len + 3, "'%s' ", dns);
- strncat(arglist, arg, len * 4 - 1);
- }
- if (!strlen(arglist))
- return;
- cndc("resolver setnetdns %u '' %s", netid, arglist);
-}
-
-static void add_addr(const char *iface, const char *addr)
-{
- if (strchr(addr, ':')) {
- cndc("interface ipv6 %s enable", iface);
- cmd("ip -6 addr add '%s' dev %s", addr, iface);
- } else {
- _cleanup_free_ char *mut_addr = strdup(addr);
- char *slash = strchr(mut_addr, '/');
- unsigned char mask = 32;
-
- if (slash) {
- *slash = '\0';
- mask = atoi(slash + 1);
- }
- cndc("interface setcfg %s '%s' %u", iface, mut_addr, mask);
- }
-}
-
-static void set_addr(const char *iface, const char *addrs)
-{
- _cleanup_free_ char *mutable = xstrdup(addrs);
-
- for (char *addr = strtok(mutable, ", \t\n"); addr; addr = strtok(NULL, ", \t\n")) {
- if (strchr(addr, '\'') || strchr(addr, '\\'))
- continue;
- add_addr(iface, addr);
- }
-}
-
-static int get_route_mtu(const char *endpoint)
-{
- DEFINE_CMD(c_route);
- DEFINE_CMD(c_dev);
- regmatch_t matches[2];
- regex_t regex_mtu, regex_dev;
- char *route, *mtu, *dev;
-
- xregcomp(&regex_mtu, "mtu ([0-9]+)", REG_EXTENDED);
- xregcomp(&regex_dev, "dev ([^ ]+)", REG_EXTENDED);
-
- if (strcmp(endpoint, "default"))
- route = cmd_ret(&c_route, "ip -o route get %s", endpoint);
- else
- route = cmd_ret(&c_route, "ip -o route show %s", endpoint);
- if (!route)
- return -1;
-
- if (!regexec(&regex_mtu, route, ARRAY_SIZE(matches), matches, 0)) {
- route[matches[1].rm_eo] = '\0';
- mtu = &route[matches[1].rm_so];
- } else if (!regexec(&regex_dev, route, ARRAY_SIZE(matches), matches, 0)) {
- route[matches[1].rm_eo] = '\0';
- dev = &route[matches[1].rm_so];
- route = cmd_ret(&c_dev, "ip -o link show dev %s", dev);
- if (!route)
- return -1;
- if (regexec(&regex_mtu, route, ARRAY_SIZE(matches), matches, 0))
- return -1;
- route[matches[1].rm_eo] = '\0';
- mtu = &route[matches[1].rm_so];
- } else
- return -1;
- return atoi(mtu);
-}
-
-static void set_mtu(const char *iface, unsigned int mtu)
-{
- DEFINE_CMD(c_endpoints);
- regex_t regex_endpoint;
- regmatch_t matches[2];
- int endpoint_mtu, next_mtu;
-
- if (mtu) {
- cndc("interface setmtu %s %u", iface, mtu);
- return;
- }
-
- xregcomp(&regex_endpoint, "^\\[?([a-z0-9:.]+)\\]?:[0-9]+$", REG_EXTENDED);
-
- endpoint_mtu = get_route_mtu("default");
- if (endpoint_mtu == -1)
- endpoint_mtu = 1500;
-
- for (char *endpoint = cmd_ret(&c_endpoints, "wg show %s endpoints", iface); endpoint; endpoint = cmd_ret(&c_endpoints, NULL)) {
- if (regexec(&regex_endpoint, endpoint, ARRAY_SIZE(matches), matches, 0))
- continue;
- endpoint[matches[1].rm_eo] = '\0';
- endpoint = &endpoint[matches[1].rm_so];
-
- next_mtu = get_route_mtu(endpoint);
- if (next_mtu > 0 && next_mtu < endpoint_mtu)
- endpoint_mtu = next_mtu;
- }
-
- cndc("interface setmtu %s %d", iface, endpoint_mtu - 80);
-}
-
-static void add_route(const char *iface, unsigned int netid, const char *route)
-{
- cndc("network route add %u %s %s", netid, iface, route);
-}
-
-static void set_routes(const char *iface, unsigned int netid)
-{
- DEFINE_CMD(c);
-
- for (char *allowedips = cmd_ret(&c, "wg show %s allowed-ips", iface); allowedips; allowedips = cmd_ret(&c, NULL)) {
- char *start = strchr(allowedips, '\t');
-
- if (!start)
- continue;
- ++start;
- for (char *allowedip = strtok(start, " \n"); allowedip; allowedip = strtok(NULL, " \n"))
- add_route(iface, netid, allowedip);
- }
-}
-
-static void set_config(const char *iface, const char *config)
-{
- FILE *config_writer;
- _cleanup_free_ char *cmd = concat("wg setconf ", iface, " /proc/self/fd/0", NULL);
-
- printf("[#] %s\n", cmd);
-
- config_writer = popen(cmd, "w");
- if (!config_writer) {
- perror("Error: popen");
- exit(errno);
- }
- if (fputs(config, config_writer) < 0) {
- perror("Error: fputs");
- exit(errno);
- }
- pclose(config_writer);
-}
-
-static void print_search_paths(FILE *file, const char *prefix)
-{
- _cleanup_free_ char *paths = strdup(WG_CONFIG_SEARCH_PATHS);
-
- for (char *path = strtok(paths, " "); path; path = strtok(NULL, " "))
- fprintf(file, "%s%s\n", prefix, path);
-}
-
-static void cmd_usage(const char *program)
-{
- printf( "Usage: %s [ up | down ] [ CONFIG_FILE | INTERFACE ]\n"
- "\n"
- " CONFIG_FILE is a configuration file, whose filename is the interface name\n"
- " followed by `.conf'. Otherwise, INTERFACE is an interface name, with\n"
- " configuration found at:\n\n", program);
- print_search_paths(stdout, " - ");
- printf( "\n It is to be readable by wg(8)'s `setconf' sub-command, with the exception\n"
- " of the following additions to the [Interface] section, which are handled by\n"
- " this program:\n\n"
- " - Address: may be specified one or more times and contains one or more\n"
- " IP addresses (with an optional CIDR mask) to be set for the interface.\n"
- " - MTU: an optional MTU for the interface; if unspecified, auto-calculated.\n"
- " - DNS: an optional DNS server to use while the device is up.\n\n"
- " See wg-quick(8) for more info and examples.\n");
-}
-
-static char *cleanup_iface = NULL;
-
-static void cmd_up_cleanup(void)
-{
- is_exiting = true;
- if (cleanup_iface)
- del_if(cleanup_iface);
- free(cleanup_iface);
-}
-
-static void cmd_up(const char *iface, const char *config, unsigned int mtu, const char *addrs, const char *dnses)
-{
- DEFINE_CMD(c);
- unsigned int netid = 0;
-
- if (cmd_ret(&c, "ip link show dev %s 2>/dev/null", iface)) {
- fprintf(stderr, "Error: %s already exists\n", iface);
- exit(EEXIST);
- }
-
- cleanup_iface = xstrdup(iface);
- atexit(cmd_up_cleanup);
-
- add_if(iface);
- set_config(iface, config);
- set_mtu(iface, mtu);
- set_addr(iface, addrs);
- up_if(&netid, iface);
- set_dnses(netid, dnses);
- set_routes(iface, netid);
-
- free(cleanup_iface);
- cleanup_iface = NULL;
- exit(EXIT_SUCCESS);
-}
-
-static void cmd_down(const char *iface)
-{
- DEFINE_CMD(c);
- bool found = false;
-
- char *ifaces = cmd_ret(&c, "wg show interfaces");
- if (ifaces) {
- for (char *eiface = strtok(ifaces, " \n"); eiface; eiface = strtok(NULL, " \n")) {
- if (!strcmp(iface, eiface)) {
- found = true;
- break;
- }
- }
- }
- if (!found) {
- fprintf(stderr, "Error: %s is not a WireGuard interface\n", iface);
- exit(EMEDIUMTYPE);
- }
-
- del_if(iface);
- exit(EXIT_SUCCESS);
-}
-
-static void parse_options(char **iface, char **config, unsigned int *mtu, char **addrs, char **dnses, const char *arg)
-{
- _cleanup_fclose_ FILE *file = NULL;
- _cleanup_free_ char *line = NULL;
- _cleanup_free_ char *filename = NULL;
- _cleanup_free_ char *paths = strdup(WG_CONFIG_SEARCH_PATHS);
- regex_t regex_iface, regex_conf;
- regmatch_t matches[2];
- struct stat sbuf;
- size_t n = 0;
- bool in_interface_section = false;
-
- *iface = *config = *addrs = *dnses = NULL;
- *mtu = 0;
-
- xregcomp(&regex_iface, "^[a-zA-Z0-9_=+.-]{1,16}$", REG_EXTENDED | REG_NOSUB);
- xregcomp(&regex_conf, "/?([a-zA-Z0-9_=+.-]{1,16})\\.conf$", REG_EXTENDED);
-
- if (!regexec(&regex_iface, arg, 0, NULL, 0)) {
- for (char *path = strtok(paths, " "); path; path = strtok(NULL, " ")) {
- free(filename);
- if (asprintf(&filename, "%s/%s.conf", path, arg) < 0) {
- perror("Error: asprintf");
- exit(errno);
- }
- file = fopen(filename, "r");
- if (file)
- break;
- }
- if (!file) {
- fprintf(stderr, "Error: Unable to find configuration file for `%s' in:\n", arg);
- print_search_paths(stderr, "- ");
- exit(errno);
- }
- } else {
- filename = xstrdup(arg);
- file = fopen(filename, "r");
- if (!file) {
- fprintf(stderr, "Error: Unable to find configuration file at `%s'\n", filename);
- exit(errno);
- }
- }
-
- if (regexec(&regex_conf, filename, ARRAY_SIZE(matches), matches, 0)) {
- fprintf(stderr, "Error: The config file must be a valid interface name, followed by .conf\n");
- exit(EINVAL);
- }
-
- if (fstat(fileno(file), &sbuf) < 0) {
- perror("Error: fstat");
- exit(errno);
- }
- if (sbuf.st_mode & 0007)
- fprintf(stderr, "Warning: `%s' is world accessible\n", filename);
-
- filename[matches[1].rm_eo] = 0;
- *iface = xstrdup(&filename[matches[1].rm_so]);
-
- while (getline(&line, &n, file) >= 0) {
- size_t len = strlen(line), j = 0;
- _cleanup_free_ char *clean = xmalloc(len + 1);
-
- for (size_t i = 0; i < len; ++i) {
- if (!isspace(line[i]))
- clean[j++] = line[i];
- }
- clean[j] = '\0';
-
- if (clean[0] == '[')
- in_interface_section = false;
- if (!strcasecmp(clean, "[Interface]"))
- in_interface_section = true;
- if (in_interface_section) {
- if (!strncasecmp(clean, "Address=", 8) && j > 8) {
- *addrs = concat_and_free(*addrs, ",", clean + 8);
- continue;
- } else if (!strncasecmp(clean, "DNS=", 4) && j > 4) {
- *dnses = concat_and_free(*dnses, ",", clean + 4);
- continue;
- } else if (!strncasecmp(clean, "MTU=", 4) && j > 4) {
- *mtu = atoi(clean + 4);
- continue;
- }
- }
- *config = concat_and_free(*config, "", line);
- }
-
- if (!*iface)
- *iface = xstrdup("");
- if (!*config)
- *config = xstrdup("");
- if (!*addrs)
- *addrs = xstrdup("");
- if (!*dnses)
- *dnses = xstrdup("");
-}
-
-int main(int argc, char *argv[])
-{
- _cleanup_free_ char *iface = NULL;
- _cleanup_free_ char *config = NULL;
- _cleanup_free_ char *addrs = NULL;
- _cleanup_free_ char *dnses = NULL;
- unsigned int mtu;
-
- if (argc == 2 && (!strcmp(argv[1], "help") || !strcmp(argv[1], "--help") || !strcmp(argv[1], "-h")))
- cmd_usage(argv[0]);
- else if (argc == 3 && !strcmp(argv[1], "up")) {
- auto_su(argc, argv);
- parse_options(&iface, &config, &mtu, &addrs, &dnses, argv[2]);
- cmd_up(iface, config, mtu, addrs, dnses);
- } else if (argc == 3 && !strcmp(argv[1], "down")) {
- auto_su(argc, argv);
- parse_options(&iface, &config, &mtu, &addrs, &dnses, argv[2]);
- cmd_down(iface);
- } else {
- cmd_usage(argv[0]);
- return 1;
- }
- return 0;
-}