From 0ec2660dc086a4de69cd69d5ec0fdb528837b6eb Mon Sep 17 00:00:00 2001
From: Lu jicong
Date: Sun, 19 Jan 2025 18:36:10 +0800
Subject: [PATCH 1/3] shadowsocks-libev: update mbedtls 3.6 build fixing patch

Current mbedtls 3.6 fix uses private fields in mbedtls, which increases complexity and may break functionality in future mbedtls versions. So rework this patch to remove them.
---
 .../patches/101-fix-mbedtls3.6-build.patch | 200 ---------------
 ...-3.6.0-ver-compilation-failure-issue.patch | 232 ++++++++++++++++++
 2 files changed, 232 insertions(+), 200 deletions(-)
 delete mode 100644 shadowsocks-libev/patches/101-fix-mbedtls3.6-build.patch
 create mode 100644 shadowsocks-libev/patches/102-Fix-in-mbedtls-3.6.0-ver-compilation-failure-issue.patch

diff --git a/shadowsocks-libev/patches/101-fix-mbedtls3.6-build.patch b/shadowsocks-libev/patches/101-fix-mbedtls3.6-build.patch
deleted file mode 100644
index 7ec24650a..000000000
--- a/shadowsocks-libev/patches/101-fix-mbedtls3.6-build.patch
+++ /dev/null
@@ -1,200 +0,0 @@ -From c2bdb9847e374331a4f1c8fcd3d93e0b57d4c6fc Mon Sep 17 00:00:00 2001 -From: Zxl hhyccc -Date: Sun, 7 Jul 2024 17:08:27 +0800 -Subject: [PATCH] Fix in 'mbedtls 3.6.0 ver' compilation failure issue -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -*** The added patch is available in 'mbedtls 3.6 version'. - -*** fix *clen += tlen; may cause potential bounds error. - -Co-authored-by: Lu jicong -Signed-off-by: Zxl hhyccc ---- - m4/mbedtls.m4 | 20 +++++++++++++++++++ - src/aead.c | 17 ++++++++++++++++ - src/crypto.c | 2 +- - src/stream.c | 17 ++++++++++++++++ - - 4 files changed, 55 insertions(+), 1 deletion(-) - ---- a/m4/mbedtls.m4 -+++ b/m4/mbedtls.m4 -@@ -31,7 +31,12 @@ AC_DEFUN([ss_MBEDTLS], - AC_COMPILE_IFELSE( - [AC_LANG_PROGRAM( - [[ -+#include -+#if MBEDTLS_VERSION_NUMBER >= 0x03000000 -+#include -+#else - #include -+#endif - ]], - [[ - #ifndef MBEDTLS_CIPHER_MODE_CFB -@@ -48,7 +53,12 @@ AC_DEFUN([ss_MBEDTLS], - AC_COMPILE_IFELSE( - [AC_LANG_PROGRAM( - [[ -+#include -+#if MBEDTLS_VERSION_NUMBER >= 0x03000000 -+#include -+#else - #include -+#endif - ]], - [[ - #ifndef MBEDTLS_ARC4_C -@@ -64,7 +74,12 @@ AC_DEFUN([ss_MBEDTLS], - AC_COMPILE_IFELSE( - [AC_LANG_PROGRAM( - [[ -+#include -+#if MBEDTLS_VERSION_NUMBER >= 0x03000000 -+#include -+#else - #include -+#endif - ]], - [[ - #ifndef MBEDTLS_BLOWFISH_C -@@ -80,7 +95,12 @@ AC_DEFUN([ss_MBEDTLS], - AC_COMPILE_IFELSE( - [AC_LANG_PROGRAM( - [[ -+#include -+#if MBEDTLS_VERSION_NUMBER >= 0x03000000 -+#include -+#else - #include -+#endif - ]], - [[ - #ifndef MBEDTLS_CAMELLIA_C ---- a/src/aead.c -+++ b/src/aead.c -@@ -178,9 +178,14 @@ aead_cipher_encrypt(cipher_ctx_t *cipher_ctx, - case AES192GCM: - case AES128GCM: - -+#if MBEDTLS_VERSION_NUMBER < 0x03000000 - err = mbedtls_cipher_auth_encrypt(cipher_ctx->evp, n, nlen, ad, adlen, - m, mlen, c, clen, c + mlen, tlen); - *clen += tlen; -+#else -+ err = mbedtls_cipher_auth_encrypt_ext(cipher_ctx->evp, n, nlen, 
ad, adlen, -+ m, mlen, c, mlen + tlen, clen, tlen); -+#endif - break; - case CHACHA20POLY1305IETF: - err = crypto_aead_chacha20poly1305_ietf_encrypt(c, &long_clen, m, mlen, -@@ -226,8 +231,13 @@ aead_cipher_decrypt(cipher_ctx_t *cipher_ctx, - // Otherwise, just use the mbedTLS one with crappy AES-NI. - case AES192GCM: - case AES128GCM: -+#if MBEDTLS_VERSION_NUMBER < 0x03000000 - err = mbedtls_cipher_auth_decrypt(cipher_ctx->evp, n, nlen, ad, adlen, - m, mlen - tlen, p, plen, m + mlen - tlen, tlen); -+#else -+ err = mbedtls_cipher_auth_decrypt_ext(cipher_ctx->evp, n, nlen, ad, adlen, -+ m, mlen, p, mlen - tlen, plen, tlen); -+#endif - break; - case CHACHA20POLY1305IETF: - err = crypto_aead_chacha20poly1305_ietf_decrypt(p, &long_plen, NULL, m, mlen, -@@ -724,9 +734,26 @@ aead_key_init(int method, const char *pass, const char *key) - if (method >= CHACHA20POLY1305IETF) { - cipher_kt_t *cipher_info = (cipher_kt_t *)ss_malloc(sizeof(cipher_kt_t)); - cipher->info = cipher_info; -+#if MBEDTLS_VERSION_NUMBER < 0x03000000 - cipher->info->base = NULL; - cipher->info->key_bitlen = supported_aead_ciphers_key_size[method] * 8; - cipher->info->iv_size = supported_aead_ciphers_nonce_size[method]; -+#else -+ cipher->info->private_base_idx = 0; -+ -+#ifdef MBEDTLS_KEY_BITLEN_SHIFT -+ cipher->info->private_key_bitlen = supported_aead_ciphers_key_size[method] * 8 >> MBEDTLS_KEY_BITLEN_SHIFT; -+#else -+ cipher->info->private_key_bitlen = supported_aead_ciphers_key_size[method] * 8; -+#endif -+ -+#ifdef MBEDTLS_IV_SIZE_SHIFT -+ cipher->info->private_iv_size = supported_aead_ciphers_nonce_size[method] >> MBEDTLS_IV_SIZE_SHIFT; -+#else -+ cipher->info->private_iv_size = supported_aead_ciphers_nonce_size[method]; -+#endif -+ -+#endif - } else { - cipher->info = (cipher_kt_t *)aead_get_cipher_type(method); - } ---- a/src/crypto.c -+++ b/src/crypto.c -@@ -103,7 +103,7 @@ crypto_md5(const unsigned char *d, size_t n, unsigned char *md) - if (md == NULL) { - md = m; - } --#if 
MBEDTLS_VERSION_NUMBER >= 0x02070000 -+#if MBEDTLS_VERSION_NUMBER < 0x03000000 && MBEDTLS_VERSION_NUMBER >= 0x02070000 - if (mbedtls_md5_ret(d, n, md) != 0) - FATAL("Failed to calculate MD5"); - #else ---- a/src/stream.c -+++ b/src/stream.c -@@ -174,7 +174,11 @@ cipher_nonce_size(const cipher_t *cipher) - if (cipher == NULL) { - return 0; - } -+#if MBEDTLS_VERSION_NUMBER < 0x03000000 - return cipher->info->iv_size; -+#else -+ return (int)mbedtls_cipher_info_get_iv_size(cipher->info); -+#endif - } - - int -@@ -192,7 +196,11 @@ cipher_key_size(const cipher_t *cipher) - return 0; - } - /* From Version 1.2.7 released 2013-04-13 Default Blowfish keysize is now 128-bits */ -+#if MBEDTLS_VERSION_NUMBER < 0x03000000 - return cipher->info->key_bitlen / 8; -+#else -+ return (int)mbedtls_cipher_info_get_key_bitlen(cipher->info) / 8; -+#endif - } - - const cipher_kt_t * -@@ -645,9 +653,26 @@ stream_key_init(int method, const char *pass, const char *key) - if (method == SALSA20 || method == CHACHA20 || method == CHACHA20IETF) { - cipher_kt_t *cipher_info = (cipher_kt_t *)ss_malloc(sizeof(cipher_kt_t)); - cipher->info = cipher_info; -+#if MBEDTLS_VERSION_NUMBER < 0x03000000 - cipher->info->base = NULL; - cipher->info->key_bitlen = supported_stream_ciphers_key_size[method] * 8; - cipher->info->iv_size = supported_stream_ciphers_nonce_size[method]; -+#else -+ cipher->info->private_base_idx = 0; -+ -+#ifdef MBEDTLS_KEY_BITLEN_SHIFT -+ cipher->info->private_key_bitlen = supported_stream_ciphers_key_size[method] * 8 >> MBEDTLS_KEY_BITLEN_SHIFT; -+#else -+ cipher->info->private_key_bitlen = supported_stream_ciphers_key_size[method] * 8; -+#endif -+ -+#ifdef MBEDTLS_IV_SIZE_SHIFT -+ cipher->info->private_iv_size = supported_stream_ciphers_nonce_size[method] >> MBEDTLS_IV_SIZE_SHIFT; -+#else -+ cipher->info->private_iv_size = supported_stream_ciphers_nonce_size[method]; -+#endif -+ -+#endif - } else { - cipher->info = (cipher_kt_t *)stream_get_cipher_type(method); - } --- -2.17.1 
diff --git a/shadowsocks-libev/patches/102-Fix-in-mbedtls-3.6.0-ver-compilation-failure-issue.patch b/shadowsocks-libev/patches/102-Fix-in-mbedtls-3.6.0-ver-compilation-failure-issue.patch
new file mode 100644
index 000000000..9616ee9e4
--- /dev/null
+++ b/shadowsocks-libev/patches/102-Fix-in-mbedtls-3.6.0-ver-compilation-failure-issue.patch
@@ -0,0 +1,232 @@ +From 2b33e8e6778db08624dbf8ec6fe1e8f7b1a4bee8 Mon Sep 17 00:00:00 2001 +From: Lu jicong +Date: Fri, 10 Jan 2025 22:05:31 +0800 +Subject: [PATCH] Fix in 'mbedtls 3.6.0 ver' compilation failure issue + +Fix mbedtls 3.6 compatibility + +Co-authored-by: Zxl hhyccc +Signed-off-by: Lu jicong +--- + m4/mbedtls.m4 | 20 ++++++++++++++++++++ + src/aead.c | 23 +++++++++++------------ + src/crypto.c | 2 +- + src/crypto.h | 1 - + src/stream.c | 51 ++++++--------------------------------------------- + 5 files changed, 38 insertions(+), 59 deletions(-) + +diff --git a/m4/mbedtls.m4 b/m4/mbedtls.m4 +index 2c478b9..a795790 100644 +--- a/m4/mbedtls.m4 ++++ b/m4/mbedtls.m4 +@@ -31,7 +31,12 @@ AC_DEFUN([ss_MBEDTLS], + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ ++#include ++#if MBEDTLS_VERSION_NUMBER >= 0x03000000 ++#include ++#else + #include ++#endif + ]], + [[ + #ifndef MBEDTLS_CIPHER_MODE_CFB +@@ -48,7 +53,12 @@ AC_DEFUN([ss_MBEDTLS], + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ ++#include ++#if MBEDTLS_VERSION_NUMBER >= 0x03000000 ++#include ++#else + #include ++#endif + ]], + [[ + #ifndef MBEDTLS_ARC4_C +@@ -64,7 +74,12 @@ AC_DEFUN([ss_MBEDTLS], + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ ++#include ++#if MBEDTLS_VERSION_NUMBER >= 0x03000000 ++#include ++#else + #include ++#endif + ]], + [[ + #ifndef MBEDTLS_BLOWFISH_C +@@ -80,7 +95,12 @@ AC_DEFUN([ss_MBEDTLS], + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ ++#include ++#if MBEDTLS_VERSION_NUMBER >= 0x03000000 ++#include ++#else + #include ++#endif + ]], + [[ + #ifndef MBEDTLS_CAMELLIA_C +diff --git a/src/aead.c b/src/aead.c +index 358ec93..73349da 100644 +--- a/src/aead.c ++++ b/src/aead.c +@@ -177,9 +177,13 @@ aead_cipher_encrypt(cipher_ctx_t *cipher_ctx, + // Otherwise, just use the mbedTLS one with crappy AES-NI. 
+ case AES192GCM: + case AES128GCM: +- ++#if MBEDTLS_VERSION_NUMBER < 0x03000000 + err = mbedtls_cipher_auth_encrypt(cipher_ctx->evp, n, nlen, ad, adlen, + m, mlen, c, clen, c + mlen, tlen); ++#else ++ err = mbedtls_cipher_auth_encrypt_ext(cipher_ctx->evp, n, nlen, ad, adlen, ++ m, mlen, c, mlen + tlen, clen, tlen); ++#endif + *clen += tlen; + break; + case CHACHA20POLY1305IETF: +@@ -226,8 +230,13 @@ aead_cipher_decrypt(cipher_ctx_t *cipher_ctx, + // Otherwise, just use the mbedTLS one with crappy AES-NI. + case AES192GCM: + case AES128GCM: ++#if MBEDTLS_VERSION_NUMBER < 0x03000000 + err = mbedtls_cipher_auth_decrypt(cipher_ctx->evp, n, nlen, ad, adlen, + m, mlen - tlen, p, plen, m + mlen - tlen, tlen); ++#else ++ err = mbedtls_cipher_auth_decrypt_ext(cipher_ctx->evp, n, nlen, ad, adlen, ++ m, mlen, p, mlen - tlen, plen, tlen); ++#endif + break; + case CHACHA20POLY1305IETF: + err = crypto_aead_chacha20poly1305_ietf_decrypt(p, &long_plen, NULL, m, mlen, +@@ -721,17 +730,7 @@ aead_key_init(int method, const char *pass, const char *key) + cipher_t *cipher = (cipher_t *)ss_malloc(sizeof(cipher_t)); + memset(cipher, 0, sizeof(cipher_t)); + +- if (method >= CHACHA20POLY1305IETF) { +- cipher_kt_t *cipher_info = (cipher_kt_t *)ss_malloc(sizeof(cipher_kt_t)); +- cipher->info = cipher_info; +- cipher->info->base = NULL; +- cipher->info->key_bitlen = supported_aead_ciphers_key_size[method] * 8; +- cipher->info->iv_size = supported_aead_ciphers_nonce_size[method]; +- } else { +- cipher->info = (cipher_kt_t *)aead_get_cipher_type(method); +- } +- +- if (cipher->info == NULL && cipher->key_len == 0) { ++ if (method < CHACHA20POLY1305IETF && aead_get_cipher_type(method) == NULL) { + LOGE("Cipher %s not found in crypto library", supported_aead_ciphers[method]); + FATAL("Cannot initialize cipher"); + } +diff --git a/src/crypto.c b/src/crypto.c +index b44d867..76c426b 100644 +--- a/src/crypto.c ++++ b/src/crypto.c +@@ -103,7 +103,7 @@ crypto_md5(const unsigned char *d, size_t n, 
unsigned char *md) + if (md == NULL) { + md = m; + } +-#if MBEDTLS_VERSION_NUMBER >= 0x02070000 ++#if MBEDTLS_VERSION_NUMBER < 0x03000000 && MBEDTLS_VERSION_NUMBER >= 0x02070000 + if (mbedtls_md5_ret(d, n, md) != 0) + FATAL("Failed to calculate MD5"); + #else +diff --git a/src/crypto.h b/src/crypto.h +index 1791551..7070793 100644 +--- a/src/crypto.h ++++ b/src/crypto.h +@@ -97,7 +97,6 @@ typedef struct buffer { + typedef struct { + int method; + int skey; +- cipher_kt_t *info; + size_t nonce_len; + size_t key_len; + size_t tag_len; +diff --git a/src/stream.c b/src/stream.c +index 35d9050..b2e2cea 100644 +--- a/src/stream.c ++++ b/src/stream.c +@@ -168,33 +168,6 @@ crypto_stream_xor_ic(uint8_t *c, const uint8_t *m, uint64_t mlen, + return 0; + } + +-int +-cipher_nonce_size(const cipher_t *cipher) +-{ +- if (cipher == NULL) { +- return 0; +- } +- return cipher->info->iv_size; +-} +- +-int +-cipher_key_size(const cipher_t *cipher) +-{ +- /* +- * Semi-API changes (technically public, morally prnonceate) +- * Renamed a few headers to include _internal in the name. Those headers are +- * not supposed to be included by users. +- * Changed md_info_t into an opaque structure (use md_get_xxx() accessors). +- * Changed pk_info_t into an opaque structure. +- * Changed cipher_base_t into an opaque structure. 
+- */ +- if (cipher == NULL) { +- return 0; +- } +- /* From Version 1.2.7 released 2013-04-13 Default Blowfish keysize is now 128-bits */ +- return cipher->info->key_bitlen / 8; +-} +- + const cipher_kt_t * + stream_get_cipher_type(int method) + { +@@ -642,34 +615,22 @@ stream_key_init(int method, const char *pass, const char *key) + cipher_t *cipher = (cipher_t *)ss_malloc(sizeof(cipher_t)); + memset(cipher, 0, sizeof(cipher_t)); + +- if (method == SALSA20 || method == CHACHA20 || method == CHACHA20IETF) { +- cipher_kt_t *cipher_info = (cipher_kt_t *)ss_malloc(sizeof(cipher_kt_t)); +- cipher->info = cipher_info; +- cipher->info->base = NULL; +- cipher->info->key_bitlen = supported_stream_ciphers_key_size[method] * 8; +- cipher->info->iv_size = supported_stream_ciphers_nonce_size[method]; +- } else { +- cipher->info = (cipher_kt_t *)stream_get_cipher_type(method); +- } +- +- if (cipher->info == NULL && cipher->key_len == 0) { ++ if (method < SALSA20 && stream_get_cipher_type(method) == NULL) { + LOGE("Cipher %s not found in crypto library", supported_stream_ciphers[method]); + FATAL("Cannot initialize cipher"); + } + + if (key != NULL) +- cipher->key_len = crypto_parse_key(key, cipher->key, cipher_key_size(cipher)); ++ cipher->key_len = crypto_parse_key(key, cipher->key, ++ supported_stream_ciphers_key_size[method]); + else +- cipher->key_len = crypto_derive_key(pass, cipher->key, cipher_key_size(cipher)); ++ cipher->key_len = crypto_derive_key(pass, cipher->key, ++ supported_stream_ciphers_key_size[method]); + + if (cipher->key_len == 0) { + FATAL("Cannot generate key and NONCE"); + } +- if (method == RC4_MD5) { +- cipher->nonce_len = 16; +- } else { +- cipher->nonce_len = cipher_nonce_size(cipher); +- } ++ cipher->nonce_len = supported_stream_ciphers_nonce_size[method]; + cipher->method = method; + + return cipher; +-- +2.39.5 + From 40a5fa1422842a8666a3af7266ad55c520799d05 Mon Sep 17 00:00:00 2001 
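Review bot: In the `src/aead.c` encrypt hunk, `*clen += tlen;` is left after the `#endif`, so it also runs on the mbedtls 3.x branch, where `mbedtls_cipher_auth_encrypt_ext` writes ciphertext and tag into one buffer and already reports the combined length through its output-length argument. On mbedtls >= 3.0 that would leave `*clen` at `mlen + 2 * tlen`, overstating the produced ciphertext by one tag length to whatever consumes it; the deleted 101 patch kept the addition inside the `< 0x03000000` branch. Move the line so it directly follows the `mbedtls_cipher_auth_encrypt(...)` call, before `#else`. The body of `aead_cipher_encrypt` starts and ends outside the hunk, so how callers use `*clen` is not visible here.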
From: Lu jicong Date: Sun, 19 Jan 2025 19:19:26 +0800 Subject: [PATCH 2/3] shadowsocks-libev: bump to the latest commit There are plenty of fixes after release 3.3.5 --- shadowsocks-libev/Makefile | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/shadowsocks-libev/Makefile b/shadowsocks-libev/Makefile index 1df3a0835..0647c8f81 100644 --- a/shadowsocks-libev/Makefile +++ b/shadowsocks-libev/Makefile @@ -14,11 +14,14 @@ include $(TOPDIR)/rules.mk # PKG_NAME:=shadowsocks-libev PKG_VERSION:=3.3.5 -PKG_RELEASE:=12 - -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(PKG_VERSION) -PKG_HASH:=cfc8eded35360f4b67e18dc447b0c00cddb29cc57a3cec48b135e5fb87433488 +PKG_RELEASE:=13 + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=https://github.com/shadowsocks/shadowsocks-libev.git +PKG_SOURCE_DATE:=2022-11-30 +PKG_SOURCE_VERSION:=d83ace0f0d9c05656c13d66aa4a449bf70143254 +PKG_MIRROR_HASH:=6ff973af37c20cf0430f106d360b94b8b91df6dd8d7be3908ee84b5a86c3319f +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.xz PKG_MAINTAINER:=Yousong Zhou From a835b409c50a972f18429917bf57f45108b0d9bc Mon Sep 17 00:00:00 2001 From: Lu jicong Date: Sun, 19 Jan 2025 19:20:47 +0800 Subject: [PATCH 3/3] shadowsocks-libev: backport not merged fix There is a not merged pull request for bug fixing --- ...of-incoming-socket-buffer.-It-must-b.patch | 152 ++++++++++++++++++ 1 file changed, 152 insertions(+) create mode 100644 shadowsocks-libev/patches/101-Fix-mishandling-of-incoming-socket-buffer.-It-must-b.patch diff --git a/shadowsocks-libev/patches/101-Fix-mishandling-of-incoming-socket-buffer.-It-must-b.patch b/shadowsocks-libev/patches/101-Fix-mishandling-of-incoming-socket-buffer.-It-must-b.patch new file mode 100644 index 000000000..6dc1c5692 --- /dev/null +++ b/shadowsocks-libev/patches/101-Fix-mishandling-of-incoming-socket-buffer.-It-must-b.patch 
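Review bot: `PKG_VERSION:=3.3.5` is kept although the source is now the git snapshot pinned by `PKG_SOURCE_VERSION`, so the installed package still reports itself as release 3.3.5 and only `PKG_RELEASE` tells the builds apart. Anyone matching the package version against upstream advisories or an inventory cannot see that this is a post-release snapshot carrying extra backports. Consider letting the version reflect the snapshot (OpenWrt normally derives it from `PKG_SOURCE_DATE` and `PKG_SOURCE_VERSION` when `PKG_VERSION` and `PKG_SOURCE` are not set explicitly), or at least add a comment such as `# git snapshot after v3.3.5, see PKG_SOURCE_VERSION`. Changing the tarball name would presumably require regenerating `PKG_MIRROR_HASH`.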
@@ -0,0 +1,152 @@ +From 8be7a7cb00b9540e9be05d409191b0bc1ba424f0 Mon Sep 17 00:00:00 2001 +From: notsure2 +Date: Mon, 11 Dec 2023 09:15:47 +0200 +Subject: [PATCH] Fix mishandling of incoming socket buffer. It must be set on + the listening socket not the accepted socket. + +--- + src/local.c | 16 ++++++++-------- + src/redir.c | 16 ++++++++-------- + src/server.c | 16 ++++++++-------- + src/tunnel.c | 16 ++++++++-------- + 4 files changed, 32 insertions(+), 32 deletions(-) + +diff --git a/src/local.c b/src/local.c +index fa1ca7b..51f62c4 100644 +--- a/src/local.c ++++ b/src/local.c +@@ -205,6 +205,14 @@ create_and_bind(const char *addr, const char *port) + } + } + ++ if (tcp_incoming_sndbuf > 0) { ++ setsockopt(listen_sock, SOL_SOCKET, SO_SNDBUF, &tcp_incoming_sndbuf, sizeof(int)); ++ } ++ ++ if (tcp_incoming_rcvbuf > 0) { ++ setsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, &tcp_incoming_rcvbuf, sizeof(int)); ++ } ++ + s = bind(listen_sock, rp->ai_addr, rp->ai_addrlen); + if (s == 0) { + /* We managed to bind successfully! 
*/ +@@ -1406,14 +1414,6 @@ accept_cb(EV_P_ ev_io *w, int revents) + setsockopt(serverfd, SOL_SOCKET, SO_NOSIGPIPE, &opt, sizeof(opt)); + #endif + +- if (tcp_incoming_sndbuf > 0) { +- setsockopt(serverfd, SOL_SOCKET, SO_SNDBUF, &tcp_incoming_sndbuf, sizeof(int)); +- } +- +- if (tcp_incoming_rcvbuf > 0) { +- setsockopt(serverfd, SOL_SOCKET, SO_RCVBUF, &tcp_incoming_rcvbuf, sizeof(int)); +- } +- + server_t *server = new_server(serverfd); + server->listener = listener; + +diff --git a/src/redir.c b/src/redir.c +index d36fe3f..86b7238 100644 +--- a/src/redir.c ++++ b/src/redir.c +@@ -201,6 +201,14 @@ create_and_bind(const char *addr, const char *port) + LOGI("tcp tproxy mode enabled"); + } + ++ if (tcp_incoming_sndbuf > 0) { ++ setsockopt(listen_sock, SOL_SOCKET, SO_SNDBUF, &tcp_incoming_sndbuf, sizeof(int)); ++ } ++ ++ if (tcp_incoming_rcvbuf > 0) { ++ setsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, &tcp_incoming_rcvbuf, sizeof(int)); ++ } ++ + s = bind(listen_sock, rp->ai_addr, rp->ai_addrlen); + if (s == 0) { + /* We managed to bind successfully! 
*/ +@@ -759,14 +767,6 @@ accept_cb(EV_P_ ev_io *w, int revents) + setsockopt(serverfd, SOL_SOCKET, SO_NOSIGPIPE, &opt, sizeof(opt)); + #endif + +- if (tcp_incoming_sndbuf > 0) { +- setsockopt(serverfd, SOL_SOCKET, SO_SNDBUF, &tcp_incoming_sndbuf, sizeof(int)); +- } +- +- if (tcp_incoming_rcvbuf > 0) { +- setsockopt(serverfd, SOL_SOCKET, SO_RCVBUF, &tcp_incoming_rcvbuf, sizeof(int)); +- } +- + int index = rand() % listener->remote_num; + struct sockaddr *remote_addr = listener->remote_addr[index]; + +diff --git a/src/server.c b/src/server.c +index 73b6599..ef347a5 100644 +--- a/src/server.c ++++ b/src/server.c +@@ -620,6 +620,14 @@ create_and_bind(const char *host, const char *port, int mptcp) + } + } + ++ if (tcp_incoming_sndbuf > 0) { ++ setsockopt(listen_sock, SOL_SOCKET, SO_SNDBUF, &tcp_incoming_sndbuf, sizeof(int)); ++ } ++ ++ if (tcp_incoming_rcvbuf > 0) { ++ setsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, &tcp_incoming_rcvbuf, sizeof(int)); ++ } ++ + // Enable out-of-tree mptcp + if (mptcp == 1) { + int i = 0; +@@ -1769,14 +1777,6 @@ accept_cb(EV_P_ ev_io *w, int revents) + setsockopt(serverfd, SOL_SOCKET, SO_NOSIGPIPE, &opt, sizeof(opt)); + #endif + +- if (tcp_incoming_sndbuf > 0) { +- setsockopt(serverfd, SOL_SOCKET, SO_SNDBUF, &tcp_incoming_sndbuf, sizeof(int)); +- } +- +- if (tcp_incoming_rcvbuf > 0) { +- setsockopt(serverfd, SOL_SOCKET, SO_RCVBUF, &tcp_incoming_rcvbuf, sizeof(int)); +- } +- + setnonblocking(serverfd); + + server_t *server = new_server(serverfd, listener); +diff --git a/src/tunnel.c b/src/tunnel.c +index 99ed412..9f0dd57 100644 +--- a/src/tunnel.c ++++ b/src/tunnel.c +@@ -166,6 +166,14 @@ create_and_bind(const char *addr, const char *port) + } + } + ++ if (tcp_incoming_sndbuf > 0) { ++ setsockopt(listen_sock, SOL_SOCKET, SO_SNDBUF, &tcp_incoming_sndbuf, sizeof(int)); ++ } ++ ++ if (tcp_incoming_rcvbuf > 0) { ++ setsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF, &tcp_incoming_rcvbuf, sizeof(int)); ++ } ++ + s = bind(listen_sock, rp->ai_addr, 
rp->ai_addrlen); + if (s == 0) { + /* We managed to bind successfully! */ +@@ -725,14 +733,6 @@ accept_cb(EV_P_ ev_io *w, int revents) + setsockopt(serverfd, SOL_SOCKET, SO_NOSIGPIPE, &opt, sizeof(opt)); + #endif + +- if (tcp_incoming_sndbuf > 0) { +- setsockopt(serverfd, SOL_SOCKET, SO_SNDBUF, &tcp_incoming_sndbuf, sizeof(int)); +- } +- +- if (tcp_incoming_rcvbuf > 0) { +- setsockopt(serverfd, SOL_SOCKET, SO_RCVBUF, &tcp_incoming_rcvbuf, sizeof(int)); +- } +- + int index = rand() % listener->remote_num; + struct sockaddr *remote_addr = listener->remote_addr[index]; + +-- +2.39.5 +
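Review bot: The four `create_and_bind` hunks (`src/local.c`, `src/redir.c`, `src/server.c`, `src/tunnel.c`) discard the return value of `setsockopt`, and because the option is now set once on `listen_sock` instead of on each accepted socket, a failed call silently leaves every later connection with the default buffer sizes. Check the result and log it, e.g. `if (setsockopt(listen_sock, SOL_SOCKET, SO_SNDBUF, &tcp_incoming_sndbuf, sizeof(tcp_incoming_sndbuf)) != 0) LOGE("setsockopt SO_SNDBUF failed");`, and the same for `SO_RCVBUF`, using the `LOGE` macro seen elsewhere in this series. `sizeof(tcp_incoming_sndbuf)` also avoids assuming the variable is an `int`; its declaration is outside the hunks. Since this backports a change upstream has not merged, the patch header should name the upstream pull request so the patch can be dropped or re-synced later.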