sing-box: update to 1.13.13

[peterwillcn]

📦 Package Details

Maintainer: @brvphoenix

Description: Update to the latest version

changelog: https://github.com/SagerNet/sing-box/releases/tag/v1.13.13

---

🧪 Run Testing Details

• **OpenWrt Version: OpenWrt SNAPSHOT, r32807-168d5affc3
• **OpenWrt Target/Subtarget: rockchip/armv8
• **OpenWrt Device: FriendlyElec NanoPi R4S

---

✅ Formalities

• I have reviewed the CONTRIBUTING.md file for detailed contributing guidelines.

If your PR contains a patch:

• It can be applied using git am
• It has been refreshed to avoid offsets, fuzzes, etc., using

make package/<your-package>/refresh V=s

• It is structured in a way that it is potentially upstreamable
  _{(e.g., subject line, commit description, etc.)
  We must try to upstream patches to reduce maintenance burden.}

[NitroOxid]

It may be worth making CONFIG_SINGBOX_WITH_NAIVE optional, since this could reduce memory usage on routers with an A/B partition layout.
I may be wrong.

[NitroOxid]

1. There is a typo in Kconfig symbol definition. CONFIG_ should not be part of the symbol name:

- config CONFIG_SINGBOX_WITH_NAIVE
+ config SINGBOX_WITH_NAIVE

2. Package is not compiled with the SINGBOX_WITH_NAIVE option

openwrt_25.12/staging_dir/toolchain-aarch64_cortex-a53_gcc-14.3.0_musl/lib/gcc/aarch64-openwrt-linux-musl/14.3.0/../../../../aarch64-openwrt-linux-musl/bin/ld.bfd: skipping incompatible /builder/openwrt_25.12/dl/go-mod-cache/github.com/sagernet/cronet-go/lib/linux_arm64_musl@v0.0.0-20260513071149-ade33496efb8/libcronet.a when searching for -l:libcronet.a
collect2: error: ld returned 1 exit status

[Onotot]

@peterwillcn Why aren't there blocks for all new tags that allow selecting build flags in menuconfig?

define Package/sing-box/config
	menu "Select build options"
		depends on PACKAGE_sing-box

		config SINGBOX_BADLINKNAME
			bool "Enable go:linkname access to internal standard library \
				functions. Required because the Go standard library does \
				not expose many low-level APIs needed by this project, and \
				reimplementing them externally is impractical. Used for \
				kTLS (kernel TLS offload) and raw TLS record manipulation"
			default y

		config SINGBOX_TFOGO_CHECKLINKNAME0
			bool "Companion to badlinkname. Go 1.23+ enforces go:linkname \
				restrictions via the linker; this tag signals the build uses \
				-checklinkname=0 to bypass that enforcement"
			default y

		config SINGBOX_WITH_ACME
			bool "Build with ACME TLS certificate issuer support"

		config SINGBOX_WITH_CCM
			bool "Build with Claude Code Multiplexer service support"

		config SINGBOX_WITH_CLASH_API
			bool "Build with Clash API support"
			default y

		config SINGBOX_WITH_DHCP
			bool "Build with DHCP support, see DHCP DNS transport."

		config SINGBOX_WITH_EMBEDDED_TOR
			bool "Build with embedded Tor support"

		config SINGBOX_WITH_GRPC
			bool "Build with standard gRPC support"

		config SINGBOX_WITH_GVISOR
			bool "Build with gVisor support"
			default y

		config SINGBOX_WITH_NAIVE_OUTBOUND
			bool "Build with NaiveProxy outbound support"
			default y

		config SINGBOX_WITH_OCM
			bool "Build with OpenAI Codex Multiplexer service support"

		config SINGBOX_WITH_QUIC
			bool "Build with QUIC support"
			default y

		config SINGBOX_WITH_TAILSCALE
			bool "Build with Tailscale support"
			default y

		config SINGBOX_WITH_UTLS
			bool "Build with uTLS support for TLS outbound"
			default y

		config SINGBOX_WITH_V2RAY_API
			bool "Build with V2Ray API support"

		config SINGBOX_WITH_WIREGUARD
			bool "Build with WireGuard support"
			default y
	endmenu
endef

PKG_CONFIG_DEPENDS:= \
	CONFIG_SINGBOX_BADLINKNAME \
	CONFIG_SINGBOX_TFOGO_CHECKLINKNAME0 \
	CONFIG_SINGBOX_WITH_ACME \
	CONFIG_SINGBOX_WITH_CCM \
	CONFIG_SINGBOX_WITH_CLASH_API \
	CONFIG_SINGBOX_WITH_DHCP \
	CONFIG_SINGBOX_WITH_EMBEDDED_TOR \
	CONFIG_SINGBOX_WITH_GRPC \
	CONFIG_SINGBOX_WITH_GVISOR \
	CONFIG_SINGBOX_WITH_NAIVE_OUTBOUND \
	CONFIG_SINGBOX_WITH_OCM \
	CONFIG_SINGBOX_WITH_QUIC \
	CONFIG_SINGBOX_WITH_TAILSCALE \
	CONFIG_SINGBOX_WITH_UTLS \
	CONFIG_SINGBOX_WITH_V2RAY_API \
	CONFIG_SINGBOX_WITH_WIREGUARD

ifeq ($(BUILD_VARIANT),tiny)
ifeq ($(CONFIG_SMALL_FLASH),)
GO_PKG_TAGS:=with_gvisor
endif
GO_PKG_TAGS:=$(GO_PKG_TAGS)badlinkname,tfogo_checklinkname0,with_quic,with_utls,with_clash_api
else
GO_PKG_TAGS:=$(subst $(space),$(comma),$(strip \
	$(if $(CONFIG_SINGBOX_BADLINKNAME),badlinkname) \
	$(if $(CONFIG_SINGBOX_TFOGO_CHECKLINKNAME0),tfogo_checklinkname0) \
	$(if $(CONFIG_SINGBOX_WITH_ACME),with_acme) \
	$(if $(CONFIG_SINGBOX_WITH_CCM),with_ccm) \
	$(if $(CONFIG_SINGBOX_WITH_CLASH_API),with_clash_api) \
	$(if $(CONFIG_SINGBOX_WITH_DHCP),with_dhcp) \
	$(if $(CONFIG_SINGBOX_WITH_EMBEDDED_TOR),with_embedded_tor) \
	$(if $(CONFIG_SINGBOX_WITH_GRPC),with_grpc) \
	$(if $(CONFIG_SINGBOX_WITH_GVISOR),with_gvisor) \
	$(if $(CONFIG_SINGBOX_WITH_MUSL),with_musl) \
	$(if $(CONFIG_SINGBOX_WITH_NAIVE_OUTBOUND),with_naive_outbound) \
	$(if $(CONFIG_SINGBOX_WITH_NAIVE_OUTBOUND),with_musl) \
	$(if $(CONFIG_SINGBOX_WITH_OCM),with_ocm) \
	$(if $(CONFIG_SINGBOX_WITH_QUIC),with_quic) \
	$(if $(CONFIG_SINGBOX_WITH_TAILSCALE),with_tailscale) \
	$(if $(CONFIG_SINGBOX_WITH_UTLS),with_utls) \
	$(if $(CONFIG_SINGBOX_WITH_V2RAY_API),with_v2ray_api) \
	$(if $(CONFIG_SINGBOX_WITH_WIREGUARD),with_wireguard) \
))
endif

For Naive, a separate package in the form of a library might be required, along with the with_musl flag and CGO_ENABLED = 1.

I don't know the right way to build for the with_naive_outbound flag, as it requires extra steps since libcronet.ko isn't there for musl.

I also don't know, as the badlinkname and tfogo_checklinkname0 flags relate to changes in the golang build. Should they be added to the tiny variant? The package builds without them, but I don't yet know what they affect during runtime.

I also had to add the following line for the build:

GO_PKG_LDFLAGS:=-checklinkname=0

Does it build without it for you?

[NitroOxid]

The update to sing-box itself looks useful, but Naive support appears to be a separate issue:

• libcronet.a is very large (10-16 MB).
• Cronet is based on Chromium and building it for musl requires the Chromium toolchain.
• Depending on prebuilt Cronet binaries may not be acceptable for OpenWrt packaging.

Given these constraints, perhaps it would be better to update sing-box first and leave Naive outbound disabled or unsupported until there is a maintainable OpenWrt solution for Cronet.

[peterwillcn]

I also don't know, as the badlinkname and tfogo_checklinkname0 flags relate to changes in the golang build. Should they be added to the tiny variant? The package builds without them, but I don't yet know what they affect during runtime.

I also had to add the following line for the build:

GO_PKG_LDFLAGS:=-checklinkname=0

NaiveProxy: No official prebuilt libcronet for musl. The easiest fix is to disable this feature. If you need NaiveProxy, set CGO_ENABLED=0 for purego mode;
badlinkname / tfogo_checklinkname0: Keep them in tiny variant to avoid hidden runtime issues;
GO_PKG_LDFLAGS:=-checklinkname=0: Mandatory for Go 1.23+. Build will fail without it. It works with the two build tags and causes no conflicts.

[openips]

build naiveproxy should use https://github.com/SagerNet/cronet-go . Makefile should make more work