shadowsocks-libev: update mbedtls 3.6 build fixing patch

Current mbedtls 3.6 fix uses private fields in mbedtls,
which increases complexity and may break functionality in
future mbedtls versions. So rework this patch to remove them.

shadowsocks-libev/patches/101-fix-mbedtls3.6-build.patch

@@ -1,198 +0,0 @@
-From c2bdb9847e374331a4f1c8fcd3d93e0b57d4c6fc Mon Sep 17 00:00:00 2001
-From: Zxl hhyccc <[email protected]>
-Date: Sun, 7 Jul 2024 17:08:27 +0800
-Subject: [PATCH] Fix in 'mbedtls 3.6.0 ver' compilation failure issue
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-*** The added patch is available in 'mbedtls 3.6 version'.
-
-*** fix *clen += tlen; may cause potential bounds error.
-
-Co-authored-by: Lu jicong <[email protected]>
-Signed-off-by: Zxl hhyccc <[email protected]>
----
- m4/mbedtls.m4	| 20 +++++++++++++++++++
- src/aead.c	| 17 ++++++++++++++++
- src/crypto.c	|  2 +-
- src/stream.c	| 17 ++++++++++++++++
- 
- 4 files changed, 55 insertions(+), 1 deletion(-)
-
---- a/m4/mbedtls.m4
-+++ b/m4/mbedtls.m4
-@@ -31,7 +31,12 @@ AC_DEFUN([ss_MBEDTLS],
-   AC_COMPILE_IFELSE(
-     [AC_LANG_PROGRAM(
-       [[
-+#include <mbedtls/version.h>
-+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
-+#include <mbedtls/mbedtls_config.h>
-+#else
- #include <mbedtls/config.h>
-+#endif
-       ]],
-       [[
- #ifndef MBEDTLS_CIPHER_MODE_CFB
-@@ -48,7 +53,12 @@ AC_DEFUN([ss_MBEDTLS],
-   AC_COMPILE_IFELSE(
-     [AC_LANG_PROGRAM(
-       [[
-+#include <mbedtls/version.h>
-+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
-+#include <mbedtls/mbedtls_config.h>
-+#else
- #include <mbedtls/config.h>
-+#endif
-       ]],
-       [[
- #ifndef MBEDTLS_ARC4_C
-@@ -64,7 +74,12 @@ AC_DEFUN([ss_MBEDTLS],
-   AC_COMPILE_IFELSE(
-     [AC_LANG_PROGRAM(
-       [[
-+#include <mbedtls/version.h>
-+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
-+#include <mbedtls/mbedtls_config.h>
-+#else
- #include <mbedtls/config.h>
-+#endif
-       ]],
-       [[
- #ifndef MBEDTLS_BLOWFISH_C
-@@ -80,7 +95,12 @@ AC_DEFUN([ss_MBEDTLS],
-   AC_COMPILE_IFELSE(
-     [AC_LANG_PROGRAM(
-       [[
-+#include <mbedtls/version.h>
-+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
-+#include <mbedtls/mbedtls_config.h>
-+#else
- #include <mbedtls/config.h>
-+#endif
-       ]],
-       [[
- #ifndef MBEDTLS_CAMELLIA_C
---- a/src/aead.c
-+++ b/src/aead.c
-@@ -178,9 +178,14 @@ aead_cipher_encrypt(cipher_ctx_t *cipher
-     case AES192GCM:
-     case AES128GCM:
- 
-+#if MBEDTLS_VERSION_NUMBER < 0x03000000
-         err = mbedtls_cipher_auth_encrypt(cipher_ctx->evp, n, nlen, ad, adlen,
-                                           m, mlen, c, clen, c + mlen, tlen);
-         *clen += tlen;
-+#else
-+        err = mbedtls_cipher_auth_encrypt_ext(cipher_ctx->evp, n, nlen, ad, adlen,
-+                                              m, mlen, c, mlen + tlen, clen, tlen);
-+#endif
-         break;
-     case CHACHA20POLY1305IETF:
-         err = crypto_aead_chacha20poly1305_ietf_encrypt(c, &long_clen, m, mlen,
-@@ -226,8 +231,13 @@ aead_cipher_decrypt(cipher_ctx_t *cipher
-     // Otherwise, just use the mbedTLS one with crappy AES-NI.
-     case AES192GCM:
-     case AES128GCM:
-+#if MBEDTLS_VERSION_NUMBER < 0x03000000
-         err = mbedtls_cipher_auth_decrypt(cipher_ctx->evp, n, nlen, ad, adlen,
-                                           m, mlen - tlen, p, plen, m + mlen - tlen, tlen);
-+#else
-+        err = mbedtls_cipher_auth_decrypt_ext(cipher_ctx->evp, n, nlen, ad, adlen,
-+                                              m, mlen, p, mlen - tlen, plen, tlen);
-+#endif
-         break;
-     case CHACHA20POLY1305IETF:
-         err = crypto_aead_chacha20poly1305_ietf_decrypt(p, &long_plen, NULL, m, mlen,
-@@ -724,9 +734,26 @@ aead_key_init(int method, const char *pa
-     if (method >= CHACHA20POLY1305IETF) {
-         cipher_kt_t *cipher_info = (cipher_kt_t *)ss_malloc(sizeof(cipher_kt_t));
-         cipher->info             = cipher_info;
-+#if MBEDTLS_VERSION_NUMBER < 0x03000000
-         cipher->info->base       = NULL;
-         cipher->info->key_bitlen = supported_aead_ciphers_key_size[method] * 8;
-         cipher->info->iv_size    = supported_aead_ciphers_nonce_size[method];
-+#else
-+        cipher->info->private_base_idx   = 0;
-+
-+#ifdef MBEDTLS_KEY_BITLEN_SHIFT
-+        cipher->info->private_key_bitlen = supported_aead_ciphers_key_size[method] * 8 >> MBEDTLS_KEY_BITLEN_SHIFT;
-+#else
-+        cipher->info->private_key_bitlen = supported_aead_ciphers_key_size[method] * 8;
-+#endif
-+
-+#ifdef MBEDTLS_IV_SIZE_SHIFT
-+        cipher->info->private_iv_size    = supported_aead_ciphers_nonce_size[method] >> MBEDTLS_IV_SIZE_SHIFT;
-+#else
-+        cipher->info->private_iv_size    = supported_aead_ciphers_nonce_size[method];
-+#endif
-+
-+#endif
-     } else {
-         cipher->info = (cipher_kt_t *)aead_get_cipher_type(method);
-     }
---- a/src/crypto.c
-+++ b/src/crypto.c
-@@ -103,7 +103,7 @@ crypto_md5(const unsigned char *d, size_
-     if (md == NULL) {
-         md = m;
-     }
--#if MBEDTLS_VERSION_NUMBER >= 0x02070000
-+#if MBEDTLS_VERSION_NUMBER < 0x03000000 && MBEDTLS_VERSION_NUMBER >= 0x02070000
-     if (mbedtls_md5_ret(d, n, md) != 0)
-         FATAL("Failed to calculate MD5");
- #else
---- a/src/stream.c
-+++ b/src/stream.c
-@@ -174,7 +174,11 @@ cipher_nonce_size(const cipher_t *cipher
-     if (cipher == NULL) {
-         return 0;
-     }
-+#if MBEDTLS_VERSION_NUMBER < 0x03000000
-     return cipher->info->iv_size;
-+#else
-+    return (int)mbedtls_cipher_info_get_iv_size(cipher->info);
-+#endif
- }
- 
- int
-@@ -192,7 +196,11 @@ cipher_key_size(const cipher_t *cipher)
-         return 0;
-     }
-     /* From Version 1.2.7 released 2013-04-13 Default Blowfish keysize is now 128-bits */
-+#if MBEDTLS_VERSION_NUMBER < 0x03000000
-     return cipher->info->key_bitlen / 8;
-+#else
-+    return (int)mbedtls_cipher_info_get_key_bitlen(cipher->info) / 8;
-+#endif
- }
- 
- const cipher_kt_t *
-@@ -645,9 +653,26 @@ stream_key_init(int method, const char *
-     if (method == SALSA20 || method == CHACHA20 || method == CHACHA20IETF) {
-         cipher_kt_t *cipher_info = (cipher_kt_t *)ss_malloc(sizeof(cipher_kt_t));
-         cipher->info             = cipher_info;
-+#if MBEDTLS_VERSION_NUMBER < 0x03000000
-         cipher->info->base       = NULL;
-         cipher->info->key_bitlen = supported_stream_ciphers_key_size[method] * 8;
-         cipher->info->iv_size    = supported_stream_ciphers_nonce_size[method];
-+#else
-+        cipher->info->private_base_idx   = 0;
-+
-+#ifdef MBEDTLS_KEY_BITLEN_SHIFT
-+        cipher->info->private_key_bitlen = supported_stream_ciphers_key_size[method] * 8 >> MBEDTLS_KEY_BITLEN_SHIFT;
-+#else
-+        cipher->info->private_key_bitlen = supported_stream_ciphers_key_size[method] * 8;
-+#endif
-+
-+#ifdef MBEDTLS_IV_SIZE_SHIFT
-+        cipher->info->private_iv_size    = supported_stream_ciphers_nonce_size[method] >> MBEDTLS_IV_SIZE_SHIFT;
-+#else
-+        cipher->info->private_iv_size    = supported_stream_ciphers_nonce_size[method];
-+#endif
-+
-+#endif
-     } else {
-         cipher->info = (cipher_kt_t *)stream_get_cipher_type(method);
-     }

shadowsocks-libev/patches/102-Fix-in-mbedtls-3.6.0-ver-compilation-failure-issue.patch

@@ -0,0 +1,232 @@
+From 2b33e8e6778db08624dbf8ec6fe1e8f7b1a4bee8 Mon Sep 17 00:00:00 2001
+From: Lu jicong <[email protected]>
+Date: Fri, 10 Jan 2025 22:05:31 +0800
+Subject: [PATCH] Fix in 'mbedtls 3.6.0 ver' compilation failure issue
+
+Fix mbedtls 3.6 compatibility
+
+Co-authored-by: Zxl hhyccc <[email protected]>
+Signed-off-by: Lu jicong <[email protected]>
+---
+ m4/mbedtls.m4 | 20 ++++++++++++++++++++
+ src/aead.c    | 23 +++++++++++------------
+ src/crypto.c  |  2 +-
+ src/crypto.h  |  1 -
+ src/stream.c  | 51 ++++++---------------------------------------------
+ 5 files changed, 38 insertions(+), 59 deletions(-)
+
+diff --git a/m4/mbedtls.m4 b/m4/mbedtls.m4
+index 2c478b9..a795790 100644
+--- a/m4/mbedtls.m4
++++ b/m4/mbedtls.m4
+@@ -31,7 +31,12 @@ AC_DEFUN([ss_MBEDTLS],
+   AC_COMPILE_IFELSE(
+     [AC_LANG_PROGRAM(
+       [[
++#include <mbedtls/version.h>
++#if MBEDTLS_VERSION_NUMBER >= 0x03000000
++#include <mbedtls/mbedtls_config.h>
++#else
+ #include <mbedtls/config.h>
++#endif
+       ]],
+       [[
+ #ifndef MBEDTLS_CIPHER_MODE_CFB
+@@ -48,7 +53,12 @@ AC_DEFUN([ss_MBEDTLS],
+   AC_COMPILE_IFELSE(
+     [AC_LANG_PROGRAM(
+       [[
++#include <mbedtls/version.h>
++#if MBEDTLS_VERSION_NUMBER >= 0x03000000
++#include <mbedtls/mbedtls_config.h>
++#else
+ #include <mbedtls/config.h>
++#endif
+       ]],
+       [[
+ #ifndef MBEDTLS_ARC4_C
+@@ -64,7 +74,12 @@ AC_DEFUN([ss_MBEDTLS],
+   AC_COMPILE_IFELSE(
+     [AC_LANG_PROGRAM(
+       [[
++#include <mbedtls/version.h>
++#if MBEDTLS_VERSION_NUMBER >= 0x03000000
++#include <mbedtls/mbedtls_config.h>
++#else
+ #include <mbedtls/config.h>
++#endif
+       ]],
+       [[
+ #ifndef MBEDTLS_BLOWFISH_C
+@@ -80,7 +95,12 @@ AC_DEFUN([ss_MBEDTLS],
+   AC_COMPILE_IFELSE(
+     [AC_LANG_PROGRAM(
+       [[
++#include <mbedtls/version.h>
++#if MBEDTLS_VERSION_NUMBER >= 0x03000000
++#include <mbedtls/mbedtls_config.h>
++#else
+ #include <mbedtls/config.h>
++#endif
+       ]],
+       [[
+ #ifndef MBEDTLS_CAMELLIA_C
+diff --git a/src/aead.c b/src/aead.c
+index 358ec93..73349da 100644
+--- a/src/aead.c
++++ b/src/aead.c
+@@ -177,9 +177,13 @@ aead_cipher_encrypt(cipher_ctx_t *cipher_ctx,
+     // Otherwise, just use the mbedTLS one with crappy AES-NI.
+     case AES192GCM:
+     case AES128GCM:
+-
++#if MBEDTLS_VERSION_NUMBER < 0x03000000
+         err = mbedtls_cipher_auth_encrypt(cipher_ctx->evp, n, nlen, ad, adlen,
+                                           m, mlen, c, clen, c + mlen, tlen);
++#else
++        err = mbedtls_cipher_auth_encrypt_ext(cipher_ctx->evp, n, nlen, ad, adlen,
++                                              m, mlen, c, mlen + tlen, clen, tlen);
++#endif
+         *clen += tlen;
+         break;
+     case CHACHA20POLY1305IETF:
+@@ -226,8 +230,13 @@ aead_cipher_decrypt(cipher_ctx_t *cipher_ctx,
+     // Otherwise, just use the mbedTLS one with crappy AES-NI.
+     case AES192GCM:
+     case AES128GCM:
++#if MBEDTLS_VERSION_NUMBER < 0x03000000
+         err = mbedtls_cipher_auth_decrypt(cipher_ctx->evp, n, nlen, ad, adlen,
+                                           m, mlen - tlen, p, plen, m + mlen - tlen, tlen);
++#else
++        err = mbedtls_cipher_auth_decrypt_ext(cipher_ctx->evp, n, nlen, ad, adlen,
++                                              m, mlen, p, mlen - tlen, plen, tlen);
++#endif
+         break;
+     case CHACHA20POLY1305IETF:
+         err = crypto_aead_chacha20poly1305_ietf_decrypt(p, &long_plen, NULL, m, mlen,
+@@ -721,17 +730,7 @@ aead_key_init(int method, const char *pass, const char *key)
+     cipher_t *cipher = (cipher_t *)ss_malloc(sizeof(cipher_t));
+     memset(cipher, 0, sizeof(cipher_t));
+ 
+-    if (method >= CHACHA20POLY1305IETF) {
+-        cipher_kt_t *cipher_info = (cipher_kt_t *)ss_malloc(sizeof(cipher_kt_t));
+-        cipher->info             = cipher_info;
+-        cipher->info->base       = NULL;
+-        cipher->info->key_bitlen = supported_aead_ciphers_key_size[method] * 8;
+-        cipher->info->iv_size    = supported_aead_ciphers_nonce_size[method];
+-    } else {
+-        cipher->info = (cipher_kt_t *)aead_get_cipher_type(method);
+-    }
+-
+-    if (cipher->info == NULL && cipher->key_len == 0) {
++    if (method < CHACHA20POLY1305IETF && aead_get_cipher_type(method) == NULL) {
+         LOGE("Cipher %s not found in crypto library", supported_aead_ciphers[method]);
+         FATAL("Cannot initialize cipher");
+     }
+diff --git a/src/crypto.c b/src/crypto.c
+index b44d867..76c426b 100644
+--- a/src/crypto.c
++++ b/src/crypto.c
+@@ -103,7 +103,7 @@ crypto_md5(const unsigned char *d, size_t n, unsigned char *md)
+     if (md == NULL) {
+         md = m;
+     }
+-#if MBEDTLS_VERSION_NUMBER >= 0x02070000
++#if MBEDTLS_VERSION_NUMBER < 0x03000000 && MBEDTLS_VERSION_NUMBER >= 0x02070000
+     if (mbedtls_md5_ret(d, n, md) != 0)
+         FATAL("Failed to calculate MD5");
+ #else
+diff --git a/src/crypto.h b/src/crypto.h
+index 1791551..7070793 100644
+--- a/src/crypto.h
++++ b/src/crypto.h
+@@ -97,7 +97,6 @@ typedef struct buffer {
+ typedef struct {
+     int method;
+     int skey;
+-    cipher_kt_t *info;
+     size_t nonce_len;
+     size_t key_len;
+     size_t tag_len;
+diff --git a/src/stream.c b/src/stream.c
+index 35d9050..b2e2cea 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -168,33 +168,6 @@ crypto_stream_xor_ic(uint8_t *c, const uint8_t *m, uint64_t mlen,
+     return 0;
+ }
+ 
+-int
+-cipher_nonce_size(const cipher_t *cipher)
+-{
+-    if (cipher == NULL) {
+-        return 0;
+-    }
+-    return cipher->info->iv_size;
+-}
+-
+-int
+-cipher_key_size(const cipher_t *cipher)
+-{
+-    /*
+-     * Semi-API changes (technically public, morally prnonceate)
+-     * Renamed a few headers to include _internal in the name. Those headers are
+-     * not supposed to be included by users.
+-     * Changed md_info_t into an opaque structure (use md_get_xxx() accessors).
+-     * Changed pk_info_t into an opaque structure.
+-     * Changed cipher_base_t into an opaque structure.
+-     */
+-    if (cipher == NULL) {
+-        return 0;
+-    }
+-    /* From Version 1.2.7 released 2013-04-13 Default Blowfish keysize is now 128-bits */
+-    return cipher->info->key_bitlen / 8;
+-}
+-
+ const cipher_kt_t *
+ stream_get_cipher_type(int method)
+ {
+@@ -642,34 +615,22 @@ stream_key_init(int method, const char *pass, const char *key)
+     cipher_t *cipher = (cipher_t *)ss_malloc(sizeof(cipher_t));
+     memset(cipher, 0, sizeof(cipher_t));
+ 
+-    if (method == SALSA20 || method == CHACHA20 || method == CHACHA20IETF) {
+-        cipher_kt_t *cipher_info = (cipher_kt_t *)ss_malloc(sizeof(cipher_kt_t));
+-        cipher->info             = cipher_info;
+-        cipher->info->base       = NULL;
+-        cipher->info->key_bitlen = supported_stream_ciphers_key_size[method] * 8;
+-        cipher->info->iv_size    = supported_stream_ciphers_nonce_size[method];
+-    } else {
+-        cipher->info = (cipher_kt_t *)stream_get_cipher_type(method);
+-    }
+-
+-    if (cipher->info == NULL && cipher->key_len == 0) {
++    if (method < SALSA20 && stream_get_cipher_type(method) == NULL) {
+         LOGE("Cipher %s not found in crypto library", supported_stream_ciphers[method]);
+         FATAL("Cannot initialize cipher");
+     }
+ 
+     if (key != NULL)
+-        cipher->key_len = crypto_parse_key(key, cipher->key, cipher_key_size(cipher));
++        cipher->key_len = crypto_parse_key(key, cipher->key,
++                                           supported_stream_ciphers_key_size[method]);
+     else
+-        cipher->key_len = crypto_derive_key(pass, cipher->key, cipher_key_size(cipher));
++        cipher->key_len = crypto_derive_key(pass, cipher->key,
++                                            supported_stream_ciphers_key_size[method]);
+ 
+     if (cipher->key_len == 0) {
+         FATAL("Cannot generate key and NONCE");
+     }
+-    if (method == RC4_MD5) {
+-        cipher->nonce_len = 16;
+-    } else {
+-        cipher->nonce_len = cipher_nonce_size(cipher);
+-    }
++    cipher->nonce_len = supported_stream_ciphers_nonce_size[method];
+     cipher->method = method;
+ 
+     return cipher;
+-- 
+2.39.5
+