New Port: dns/dnscrypt-wrapper

This is a port of dnscrypt-wrapper, which adds dnscrypt support to any name
resolver. It is the server-side counterpart of dnscrypt-proxy, and is in
fact derived from its source.

PR:		200015
Submitted by:	freebsd@toyingwithfate.com
Approved by:	feld (mentor)
Differential Revision:	https://reviews.freebsd.org/D3535
This commit is contained in:
Jason Unovitch 2015-09-02 22:17:45 +00:00
parent 8156e93505
commit c017caeb38
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=395912
7 changed files with 152 additions and 0 deletions

1
UIDs
View file

@ -226,6 +226,7 @@ riak:*:667:667::0:0:Riak user:/usr/local/lib/riak:/bin/sh
bnetd:*:700:700::0:0:Bnetd user:/nonexistent:/usr/sbin/nologin
fastnetmon:*:701:701::0:0:FastNetMon user:/nonexistent:/usr/sbin/nologin
bopm:*:717:717::0:0:Blitzed Open Proxy Monitor:/nonexistent:/bin/sh
_dnscrypt-wrapper:*:718:65534::0:0:dnscrypt-wrapper user:/var/empty:/usr/sbin/nologin
openxpki:*:777:777::0:0:OpenXPKI Owner:/nonexistent:/usr/sbin/nologin
zetacoin:*:780:780::0:0:ZetaCoin Daemon:/nonexistent:/usr/sbin/nologin
foreman_proxy:*:812:812::0:0:Foreman Smart Proxy:/usr/local/share/foreman-proxy:/usr/sbin/nologin

View file

@ -34,6 +34,7 @@
SUBDIR += dnscheck
SUBDIR += dnscheckengine
SUBDIR += dnscrypt-proxy
SUBDIR += dnscrypt-wrapper
SUBDIR += dnsdbck
SUBDIR += dnsdist
SUBDIR += dnsflood

View file

@ -0,0 +1,32 @@
# $FreeBSD$
PORTNAME= dnscrypt-wrapper
PORTVERSION= 0.2
CATEGORIES= dns
MAINTAINER= freebsd@toyingwithfate.com
COMMENT= Adds dnscrypt support to any name resolver
LICENSE= GPLv2
LICENSE_FILE= ${WRKSRC}/COPYING
LIB_DEPENDS= libsodium.so:${PORTSDIR}/security/libsodium \
libevent.so:${PORTSDIR}/devel/libevent2
USE_GITHUB= yes
GH_ACCOUNT= Cofyc
GH_TAGNAME= v${PORTVERSION}
USERS= _dnscrypt-wrapper
ETCDNSCRYPTWRAPPER= ${PREFIX}/etc/${PORTNAME}
SUB_LIST+= ETCDNSCRYPTWRAPPER="${ETCDNSCRYPTWRAPPER}" USERS="${USERS}"
USE_RC_SUBR= ${PORTNAME}
USES= gmake
MAKE_ARGS= LDFLAGS="-L${LOCALBASE}/lib" CFLAGS="-I${LOCALBASE}/include" PREFIX="${STAGEDIR}${PREFIX}"
post-install:
${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/*
${MKDIR} ${STAGEDIR}${ETCDNSCRYPTWRAPPER}
.include <bsd.port.mk>

View file

@ -0,0 +1,2 @@
SHA256 (Cofyc-dnscrypt-wrapper-0.2-v0.2_GH0.tar.gz) = 36612c5eb440658a27619ae6e345582e6e3be7a40e9215ea82ac6f65c15de95f
SIZE (Cofyc-dnscrypt-wrapper-0.2-v0.2_GH0.tar.gz) = 50925

View file

@ -0,0 +1,109 @@
#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: dnscrypt_wrapper
# REQUIRE: LOGIN
# KEYWORD: shutdown
# Add the following lines to /etc/rc.conf to enable dnscrypt-wrapper:
#
# dnscrypt_wrapper_enable (bool): Set to "NO" by default.
# Set it to "YES" to enable dnscrypt_wrapper.
# dnscrypt_wrapper_uid (str): Set to "%%USERS%%" by default.
# User to switch to after starting.
# dnscrypt_wrapper_pidfile (str): Set to "/var/run/dnscrypt-wrapper.pid" by default.
# Path of the pid file.
# dnscrypt_wrapper_logfile (str): Set to "/var/log/dnscrypt-wrapper.log" by default.
# Path of the log file.
# dnscrypt_wrapper_resolver (str): Set to "127.0.0.1:53" by default.
# <address:port> to reach the upstream DNS resolver at.
# dnscrypt_wrapper_listen (str): Set to "0.0.0.0:54" by default.
# <address:port> to listen on.
# dnscrypt_wrapper_crypt_secretkey_file (str): Set to "%%ETCDNSCRYPTWRAPPER%%/crypt_secret.key" by default.
# Path of the secret crypt key.
# dnscrypt_wrapper_provider_cert_file (str): Set to "%%ETCDNSCRYPTWRAPPER%%/dnscrypt.cert" by default.
# Path of the pre-signed certificate.
# dnscrypt_wrapper_provider_name (str): Set to "2.dnscrypt-cert.`/bin/hostname`" by default.
# Provider name.
. /etc/rc.subr
name=dnscrypt_wrapper
rcvar=dnscrypt_wrapper_enable
# read configuration and set defaults
load_rc_config ${name}
: ${dnscrypt_wrapper_enable:=NO}
: ${dnscrypt_wrapper_uid=%%USERS%%}
: ${dnscrypt_wrapper_pidfile=/var/run/dnscrypt-wrapper.pid}
: ${dnscrypt_wrapper_logfile=/var/log/dnscrypt-wrapper.log}
: ${dnscrypt_wrapper_resolver=127.0.0.1:53}
: ${dnscrypt_wrapper_listen=0.0.0.0:54}
: ${dnscrypt_wrapper_crypt_secretkey_file=%%ETCDNSCRYPTWRAPPER%%/crypt_secret.key}
: ${dnscrypt_wrapper_provider_cert_file=%%ETCDNSCRYPTWRAPPER%%/dnscrypt.cert}
: ${dnscrypt_wrapper_provider_name=2.dnscrypt-cert.`/bin/hostname`}
command=%%PREFIX%%/sbin/dnscrypt-wrapper
extra_commands="checks check_name keygen"
start_precmd="${name}_checks"
command_args="-a ${dnscrypt_wrapper_listen} -r ${dnscrypt_wrapper_resolver} -u ${dnscrypt_wrapper_uid} -d -p ${dnscrypt_wrapper_pidfile} -l ${dnscrypt_wrapper_logfile} --crypt-secretkey-file=${dnscrypt_wrapper_crypt_secretkey_file} --provider-cert-file=${dnscrypt_wrapper_provider_cert_file} --provider-name=${dnscrypt_wrapper_provider_name} -V"
procname=%%PREFIX%%/sbin/dnscrypt-wrapper
pidfile=${dnscrypt_wrapper_pidfile}
dnscrypt_wrapper_check_name()
{
if [ -z "${dnscrypt_wrapper_provider_name}" ]; then
err 1 '${dnscrypt_wrapper_provider_name} must be set in /etc/rc.conf'
fi
}
dnscrypt_wrapper_keygen()
{
if [ -f %%ETCDNSCRYPTWRAPPER%%/crypt_secret.key -a \
-f %%ETCDNSCRYPTWRAPPER%%/dnscrypt.cert ]; then
return 0
fi
cd %%ETCDNSCRYPTWRAPPER%%/
umask 077
# Can't do anything if dnscrypt-wrapper is not installed
[ -x %%PREFIX%%/sbin/dnscrypt-wrapper ] ||
err 1 "%%PREFIX%%/sbin/dnscrypt-wrapper does not exist."
if [ -f %%ETCDNSCRYPTWRAPPER%%/public.key -a \
-f %%ETCDNSCRYPTWRAPPER%%/secret.key ]; then
echo "You already have a provider keypair in:"
echo " %%ETCDNSCRYPTWRAPPER%%/public.key and %%ETCDNSCRYPTWRAPPER%%/secret.key"
echo "Skipping provider keypair generation."
else
%%PREFIX%%/sbin/dnscrypt-wrapper --gen-provider-keypair
fi
if [ -f %%ETCDNSCRYPTWRAPPER%%/crypt_public.key -a \
-f %%ETCDNSCRYPTWRAPPER%%/crypt_secret.key ]; then
echo "You already have a crypt keypair in:"
echo " %%ETCDNSCRYPTWRAPPER%%/crypt_public.key and %%ETCDNSCRYPTWRAPPER%%/crypt_secret.key"
echo "Skipping crypt keypair generation."
else
%%PREFIX%%/sbin/dnscrypt-wrapper --gen-crypt-keypair
fi
if [ -f %%ETCDNSCRYPTWRAPPER%%/dnscrypt.cert ]; then
echo "You already have a pre-signed certificate in:"
echo " %%ETCDNSCRYPTWRAPPER%%/dnscrypt.cert"
echo "Skipping pre-signed certificate generation."
else
%%PREFIX%%/sbin/dnscrypt-wrapper --crypt-secretkey-file %%ETCDNSCRYPTWRAPPER%%/crypt_secret.key --provider-publickey-file=%%ETCDNSCRYPTWRAPPER%%/public.key --provider-secretkey-file=%%ETCDNSCRYPTWRAPPER%%/secret.key --gen-cert-file
fi
}
dnscrypt_wrapper_checks()
{
dnscrypt_wrapper_check_name
dnscrypt_wrapper_keygen
}
run_rc_command "$1"

View file

@ -0,0 +1,5 @@
This is a port of dnscrypt-wrapper, which adds dnscrypt support to any name
resolver. It is the server-side counterpart of dnscrypt-proxy, and is in fact
derived from its source.
WWW: https://github.com/Cofyc/dnscrypt-wrapper/

View file

@ -0,0 +1,2 @@
sbin/dnscrypt-wrapper
@dir etc/dnscrypt-wrapper