Aug 18

root 用户编译 toolchain 要加:

export FORCE_UNSAFE_CONFIGURE=1

直接上脚本:(https://gist.github.com/rampageX/28ca79a9812fe684650be9ac18df84fe)

#!/bin/bash

apt-get install -y distcc distcc-pump ccache

sed -ie 's/STARTDISTCC="false"/STARTDISTCC="true"/' /etc/default/distcc
sed -ie 's/ALLOWEDNETS="127.0.0.1"/ALLOWEDNETS="192.168.0.0\/16 172.16.0.0\/12 10.0.0.0\/8"/' /etc/default/distcc
sed -ie 's/LISTENER="127.0.0.1"/LISTENER="0.0.0.0"/' /etc/default/distcc
sed -ie "s/JOBS=\"\"/JOBS=\"`grep processor /proc/cpuinfo | wc -l`\"/" /etc/default/distcc
sed -ie 's/ZEROCONF="false"/ZEROCONF="true"/' /etc/default/distcc
#PATH here? https://midnightyell.wordpress.com/2012/10/14/a-good-compromise-cross-compiling-with-distcc/
echo "PATH=/opt/tomatoware/arm-soft-mmc/usr/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" >> /etc/default/distcc

service distcc restart

echo 'CCACHE_PREFIX="distcc"' > /etc/profile.d/ccache-distcc.sh
echo 'CC="ccache gcc"' >> /etc/profile.d/ccache-distcc.sh

#for tomatoware, arm-linux-gcc etc. must in service path, or error code 110 on Router.
sed -ie 's~/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin~PATH=/opt/tomatoware/arm-soft-mmc/usr/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin~' /etc/init.d/distcc

#Tomatoware REF: https://github.com/lancethepants/tomatoware/wiki/Using-distcc

#apt-get install Error and Fix: https://github.com/distcc/distcc/issues/311
#`Traceback (most recent call last): File "/usr/bin/update-distcc-symlinks", line 39, in for gnu_host in os.listdir(gcccross_dir): FileNotFoundError: [Errno 2] No such file or directory: '/usr/lib/gcc-cross'`

#Fixed by disable following code:
#`for gnu_host in os.listdir(gcccross_dir): consider_gcc("%(gnu_host)s-" % vars(), "") for version in os.listdir(gcccross_dir + "/" + gnu_host): consider_gcc("", "-%(version)s" % vars()) consider_gcc("%(gnu_host)s-" % vars(), "-%(version)s" % vars())`


Mar 03

好吧,Tomatoware 1.7 已经基于 OpenSSL 1.1.1b 编译,本文可以不看了。

~~~~~


:mrgreen: :mrgreen: :mrgreen:


Jan 25

kdigknot-dns 中的类似 dig 的工具,使用 TLSv1.3 DoT 查询比起 dig 来要方便许多。静态编译它花了很多功夫,最终还是在 Tomatoware 作者的指导下才成功。

kdig 依赖:libedit, libunistring, gmp, nettle, gnutls,其中后三者 Tomatoware 都已自带,前两个需要下载源码编译。(注:Tomatoware 带的 gnutls 编译时未带证书,所以静态编译出来的 kdig 在运行时要指定 ca-file=/path/to/certfile,我个人为了偷懒是重新编译了带证书的 gnutls)

#libedit
./configure --prefix=/mmc/s --enable-shared=no

#libunistring
./configure --prefix=/mmc/s --enable-shared=no

#gnutls:
#opt
./configure --prefix=/mmc --enable-local-libopts --without-p11-kit --with-included-libtasn1 --enable-static --with-included-unistring --disable-doc --with-system-priority-file=/opt/etc/gnutls/default-priorities --with-default-trust-store-file=/opt/etc/ssl/certs/ca-certificates.crt --with-default-trust-store-dir=/opt/etc/ssl/certs --with-unbound-root-key-file=/opt/etc/unbound/root.key

/opt/etc/ssl/certs/ca-certificates.crt 这个证书文件可以通过 Entware 的 opkg install ca-bundle 来安装。

然后开始编译 knot-dns,我们只要其中的工具 kdig:

#knot-dns:
./configure --prefix=/opt --disable-daemon --disable-modules --disable-documentation --disable-fastparser --without-libidn
make V=99 LDFLAGS="-zmuldefs -all-static"

make V=99 用来查看编译中的详细信息,-zmuldefs 处理编译中出现的重复定义错误。

这个编译过程会出错停在开始编译 kdig 的时候,注意最后一句 gcc 相关的编译出错:

libtool: link: gcc -g -O2 -Wall -Werror=format-security -Werror=implicit -Wstrict-prototypes -zmuldefs -static -o kdig utils/kdig/kdig-kdig_exec.o utils/kdig/kdig-kdig_main.o utils/kdig/kdig-kdig_params.o ./.libs/libknotus.a /mmc/src/knot/knot-2.7.5/src/.libs/libknot.a -L/mmc/lib /mmc/src/knot/knot-2.7.5/src/.libs/libdnssec.a /mmc/lib/libedit.a -lncurses /mmc/lib/libgnutls.a -lnettle -lhogweed /mmc/lib/libgmp.a /mmc/lib/libintl.a /mmc/lib/libiconv.a -lc

复制下来,然后把外部调用的库用 -Wl,--whole-archive 和 -Wl,--no-whole-archive 包围起来,进入 src 目录手动编译:
cd src
gcc -g -O2 -Wall -Werror=format-security -Werror=implicit -Wstrict-prototypes -zmuldefs -static -o kdig utils/kdig/kdig-kdig_exec.o utils/kdig/kdig-kdig_main.o utils/kdig/kdig-kdig_params.o ./.libs/libknotus.a /mmc/src/knot/knot-2.7.5/src/.libs/libknot.a -L/mmc/lib /mmc/src/knot/knot-2.7.5/src/.libs/libdnssec.a -Wl,--whole-archive /mmc/lib/libedit.a -lncurses /mmc/lib/libgnutls.a -lnettle -lhogweed /mmc/lib/libgmp.a /mmc/lib/libintl.a /mmc/lib/libiconv.a -lc -Wl,--no-whole-archive

这样就可以编译出静态版本的 kdig 了:

file /opt/bin/kdig
/opt/bin/kdig: ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, no section header

测试:

kdig +tls -d @1.1.1.1 quakemachinex.com
;; DEBUG: Querying for owner(quakemachinex.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG: SHA-256 PIN: TdBczz+YjD3Q/taSfHXL5n4LnRxzJk0WG0JAX7nRu6s=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, skipping certificate verification
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 50261
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 402 B

;; QUESTION SECTION:
;; quakemachinex.com. IN A

;; ANSWER SECTION:
quakemachinex.com. 4 IN A 113.67.73.162

;; Received 468 B
;; Time 2019-01-25 08:57:44 CST
;; From 1.1.1.1@853(TCP) in 66.2 ms


Jan 25

用编译 Stubby 的方法行不通,因为 Curl 的编译配置文件会发现系统有两个版本的 OpenSSL 而导致编译失败。所以选择 WolfSSL

#wolfssl
./configure --prefix=/mmc --enable-static=yes
make && make install

#Curl
./configure --prefix=/opt --with-ca-bundle=/opt/etc/ssl/certs/ca-certificates.crt --with-wolfssl --without-ssl --with-nghttp2 --disable-ldap --disable-shared --enable-ares
make -j2 LDFLAGS="-all-static -s" LIBS="-ldl"

编译出来的 Curl:

curl2 -V
curl 7.63.0 (armv7l-unknown-linux-uclibceabi) libcurl/7.63.0 wolfSSL/3.15.7 zlib/1.2.11 c-ares/1.15.0 libpsl/0.12.0 (no IDNA support) nghttp2/1.35.1
Release-Date: 2018-12-12
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile SSL libz HTTP2 UnixSockets PSL

TLSv1.3 测试:

curl2 -I -v --tlsv1.3 https://quakemachinex.com
* Trying 113.67.73.162...
* TCP_NODELAY set
* Connected to quakemachinex.com (113.67.73.162) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /opt/etc/ssl/certs/ca-certificates.crt
CApath: none
* SSL connection using TLSv1.3 / TLS13-AES256-GCM-SHA384


Dec 28

Stubby 是一款支持 DNS-over-TLS 的 DNS 服务器,详情可参考:

https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby

要支持 TLS 1.3,必须先编译 OpenSSL 1.1.1

cd /mnt/data/compile/openssl-1.1.1/
./config
make
mkdir lib
cp libssl.a libcrypto.a lib/
cp include/openssl/* include/

注意,为了不影响原系统,并不安装此 OpenSSL 版本!

还需要编译 libyaml 支持库:

cd /mnt/data/compile/yaml-0.2.1/
./configure --enable-static --disable-shared --prefix=/mmc
make install

然后通过 getdns 静态编译出 Stubby:

cd /mnt/data/compile/getdns-1.5.0/
LDFLAGS="-Wl,-static -static -static-libgcc -s" ./configure --disable-shared --without-libunbound --without-libidn --without-libidn2 --with-ssl=/mnt/data/compile/openssl-1.1.1 --with-stubby --with-piddir=/var/run --prefix=/opt
make

就可以在 src 下得到需要的文件:

file src/stubby
src/stubby: ELF 32-bit LSB executable, ARM, EABI5 version 1 (GNU/Linux), statically linked, stripped, with debug_info


[1/3]  1 2 3 >