From c017caeb38c0e11b36fea2255864f9c1f9d1a57b Mon Sep 17 00:00:00 2001
From: Jason Unovitch
Date: Wed, 2 Sep 2015 22:17:45 +0000
Subject: [PATCH] New Port: dns/dnscrypt-wrapper

This is a port of dnscrypt-wrapper, which adds dnscrypt support to any name resolver. It is the server-side counterpart of dnscrypt-proxy, and is in fact derived from its source.

PR: 200015
Submitted by: freebsd@toyingwithfate.com
Approved by: feld (mentor)
Differential Revision: https://reviews.freebsd.org/D3535
---
 UIDs | 1 +
 dns/Makefile | 1 +
 dns/dnscrypt-wrapper/Makefile | 32 +++++
 dns/dnscrypt-wrapper/distinfo | 2 +
 .../files/dnscrypt-wrapper.in | 109 ++++++++++++++++++
 dns/dnscrypt-wrapper/pkg-descr | 5 +
 dns/dnscrypt-wrapper/pkg-plist | 2 +
 7 files changed, 152 insertions(+)
 create mode 100644 dns/dnscrypt-wrapper/Makefile
 create mode 100644 dns/dnscrypt-wrapper/distinfo
 create mode 100644 dns/dnscrypt-wrapper/files/dnscrypt-wrapper.in
 create mode 100644 dns/dnscrypt-wrapper/pkg-descr
 create mode 100644 dns/dnscrypt-wrapper/pkg-plist

diff --git a/UIDs b/UIDs
index 95b1cdfd9cec..d46e54642686 100644
--- a/UIDs
+++ b/UIDs
@@ -226,6 +226,7 @@ riak:*:667:667::0:0:Riak user:/usr/local/lib/riak:/bin/sh
 bnetd:*:700:700::0:0:Bnetd user:/nonexistent:/usr/sbin/nologin
 fastnetmon:*:701:701::0:0:FastNetMon user:/nonexistent:/usr/sbin/nologin
 bopm:*:717:717::0:0:Blitzed Open Proxy Monitor:/nonexistent:/bin/sh
+_dnscrypt-wrapper:*:718:65534::0:0:dnscrypt-wrapper user:/var/empty:/usr/sbin/nologin
 openxpki:*:777:777::0:0:OpenXPKI Owner:/nonexistent:/usr/sbin/nologin
 zetacoin:*:780:780::0:0:ZetaCoin Daemon:/nonexistent:/usr/sbin/nologin
 foreman_proxy:*:812:812::0:0:Foreman Smart Proxy:/usr/local/share/foreman-proxy:/usr/sbin/nologin
diff --git a/dns/Makefile b/dns/Makefile
index 3e800337b303..39ba997b78bd 100644
--- a/dns/Makefile
+++ b/dns/Makefile
@@ -34,6 +34,7 @@
 SUBDIR += dnscheck
 SUBDIR += dnscheckengine
 SUBDIR += dnscrypt-proxy
+ SUBDIR += dnscrypt-wrapper
 SUBDIR += dnsdbck
 SUBDIR += dnsdist
 SUBDIR += dnsflood
diff --git a/dns/dnscrypt-wrapper/Makefile b/dns/dnscrypt-wrapper/Makefile
new file mode 100644
index 000000000000..efc6aaa2f9ae
--- /dev/null
+++ b/dns/dnscrypt-wrapper/Makefile
@@ -0,0 +1,32 @@
+# $FreeBSD$
+
+PORTNAME= dnscrypt-wrapper
+PORTVERSION= 0.2
+CATEGORIES= dns
+
+MAINTAINER= freebsd@toyingwithfate.com
+COMMENT= Adds dnscrypt support to any name resolver
+
+LICENSE= GPLv2
+LICENSE_FILE= ${WRKSRC}/COPYING
+
+LIB_DEPENDS= libsodium.so:${PORTSDIR}/security/libsodium \
+ libevent.so:${PORTSDIR}/devel/libevent2
+
+USE_GITHUB= yes
+GH_ACCOUNT= Cofyc
+GH_TAGNAME= v${PORTVERSION}
+
+USERS= _dnscrypt-wrapper
+ETCDNSCRYPTWRAPPER= ${PREFIX}/etc/${PORTNAME}
+SUB_LIST+= ETCDNSCRYPTWRAPPER="${ETCDNSCRYPTWRAPPER}" USERS="${USERS}"
+USE_RC_SUBR= ${PORTNAME}
+
+USES= gmake
+MAKE_ARGS= LDFLAGS="-L${LOCALBASE}/lib" CFLAGS="-I${LOCALBASE}/include" PREFIX="${STAGEDIR}${PREFIX}"
+
+post-install:
+ ${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/*
+ ${MKDIR} ${STAGEDIR}${ETCDNSCRYPTWRAPPER}
+
+.include
diff --git a/dns/dnscrypt-wrapper/distinfo b/dns/dnscrypt-wrapper/distinfo
new file mode 100644
index 000000000000..5aa0e3d56c3f
--- /dev/null
+++ b/dns/dnscrypt-wrapper/distinfo
@@ -0,0 +1,2 @@
+SHA256 (Cofyc-dnscrypt-wrapper-0.2-v0.2_GH0.tar.gz) = 36612c5eb440658a27619ae6e345582e6e3be7a40e9215ea82ac6f65c15de95f
+SIZE (Cofyc-dnscrypt-wrapper-0.2-v0.2_GH0.tar.gz) = 50925
diff --git a/dns/dnscrypt-wrapper/files/dnscrypt-wrapper.in b/dns/dnscrypt-wrapper/files/dnscrypt-wrapper.in
new file mode 100644
index 000000000000..5acb1ce6b974
--- /dev/null
+++ b/dns/dnscrypt-wrapper/files/dnscrypt-wrapper.in
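Review bot: In the new dns/dnscrypt-wrapper/Makefile, `MAKE_ARGS` passes `CFLAGS="-I${LOCALBASE}/include"` and `LDFLAGS="-L${LOCALBASE}/lib"` as whole-value overrides, so the CFLAGS/LDFLAGS the ports framework and the user set for this build (including any hardening flags) are dropped rather than extended. The usual form is `CFLAGS+= -I${LOCALBASE}/include` and `LDFLAGS+= -L${LOCALBASE}/lib` at file level, with `MAKE_ARGS= CFLAGS="${CFLAGS}" LDFLAGS="${LDFLAGS}" PREFIX="${STAGEDIR}${PREFIX}"` only if the upstream Makefile ignores flags given through the environment, which is not visible here. In post-install, `${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/*` strips by glob while pkg-plist names a single binary; `${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/dnscrypt-wrapper` keeps the recipe and the plist in step. The final `.include` line appears to have lost its `<bsd.port.mk>` argument in this rendering and should be checked in the committed file.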
@@ -0,0 +1,109 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: dnscrypt_wrapper
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+
+# Add the following lines to /etc/rc.conf to enable dnscrypt-wrapper:
+#
+# dnscrypt_wrapper_enable (bool): Set to "NO" by default.
+# Set it to "YES" to enable dnscrypt_wrapper.
+# dnscrypt_wrapper_uid (str): Set to "%%USERS%%" by default.
+# User to switch to after starting.
+# dnscrypt_wrapper_pidfile (str): Set to "/var/run/dnscrypt-wrapper.pid" by default.
+# Path of the pid file.
+# dnscrypt_wrapper_logfile (str): Set to "/var/log/dnscrypt-wrapper.log" by default.
+# Path of the log file.
+# dnscrypt_wrapper_resolver (str): Set to "127.0.0.1:53" by default.
+# to reach the upstream DNS resolver at.
+# dnscrypt_wrapper_listen (str): Set to "0.0.0.0:54" by default.
+# to listen on.
+# dnscrypt_wrapper_crypt_secretkey_file (str): Set to "%%ETCDNSCRYPTWRAPPER%%/crypt_secret.key" by default.
+# Path of the secret crypt key.
+# dnscrypt_wrapper_provider_cert_file (str): Set to "%%ETCDNSCRYPTWRAPPER%%/dnscrypt.cert" by default.
+# Path of the pre-signed certificate.
+# dnscrypt_wrapper_provider_name (str): Set to "2.dnscrypt-cert.`/bin/hostname`" by default.
+# Provider name.
+
+. /etc/rc.subr
+
+name=dnscrypt_wrapper
+rcvar=dnscrypt_wrapper_enable
+
+# read configuration and set defaults
+load_rc_config ${name}
+: ${dnscrypt_wrapper_enable:=NO}
+: ${dnscrypt_wrapper_uid=%%USERS%%}
+: ${dnscrypt_wrapper_pidfile=/var/run/dnscrypt-wrapper.pid}
+: ${dnscrypt_wrapper_logfile=/var/log/dnscrypt-wrapper.log}
+: ${dnscrypt_wrapper_resolver=127.0.0.1:53}
+: ${dnscrypt_wrapper_listen=0.0.0.0:54}
+: ${dnscrypt_wrapper_crypt_secretkey_file=%%ETCDNSCRYPTWRAPPER%%/crypt_secret.key}
+: ${dnscrypt_wrapper_provider_cert_file=%%ETCDNSCRYPTWRAPPER%%/dnscrypt.cert}
+: ${dnscrypt_wrapper_provider_name=2.dnscrypt-cert.`/bin/hostname`}
+
+command=%%PREFIX%%/sbin/dnscrypt-wrapper
+extra_commands="checks check_name keygen"
+start_precmd="${name}_checks"
+command_args="-a ${dnscrypt_wrapper_listen} -r ${dnscrypt_wrapper_resolver} -u ${dnscrypt_wrapper_uid} -d -p ${dnscrypt_wrapper_pidfile} -l ${dnscrypt_wrapper_logfile} --crypt-secretkey-file=${dnscrypt_wrapper_crypt_secretkey_file} --provider-cert-file=${dnscrypt_wrapper_provider_cert_file} --provider-name=${dnscrypt_wrapper_provider_name} -V"
+procname=%%PREFIX%%/sbin/dnscrypt-wrapper
+pidfile=${dnscrypt_wrapper_pidfile}
+
+dnscrypt_wrapper_check_name()
+{
+ if [ -z "${dnscrypt_wrapper_provider_name}" ]; then
+ err 1 '${dnscrypt_wrapper_provider_name} must be set in /etc/rc.conf'
+ fi
+}
+
+dnscrypt_wrapper_keygen()
+{
+ if [ -f %%ETCDNSCRYPTWRAPPER%%/crypt_secret.key -a \
+ -f %%ETCDNSCRYPTWRAPPER%%/dnscrypt.cert ]; then
+ return 0
+ fi
+
+ cd %%ETCDNSCRYPTWRAPPER%%/
+ umask 077
+
+ # Can't do anything if dnscrypt-wrapper is not installed
+ [ -x %%PREFIX%%/sbin/dnscrypt-wrapper ] ||
+ err 1 "%%PREFIX%%/sbin/dnscrypt-wrapper does not exist."
+
+ if [ -f %%ETCDNSCRYPTWRAPPER%%/public.key -a \
+ -f %%ETCDNSCRYPTWRAPPER%%/secret.key ]; then
+ echo "You already have a provider keypair in:"
+ echo " %%ETCDNSCRYPTWRAPPER%%/public.key and %%ETCDNSCRYPTWRAPPER%%/secret.key"
+ echo "Skipping provider keypair generation."
+ else
+ %%PREFIX%%/sbin/dnscrypt-wrapper --gen-provider-keypair
+ fi
+
+ if [ -f %%ETCDNSCRYPTWRAPPER%%/crypt_public.key -a \
+ -f %%ETCDNSCRYPTWRAPPER%%/crypt_secret.key ]; then
+ echo "You already have a crypt keypair in:"
+ echo " %%ETCDNSCRYPTWRAPPER%%/crypt_public.key and %%ETCDNSCRYPTWRAPPER%%/crypt_secret.key"
+ echo "Skipping crypt keypair generation."
+ else
+ %%PREFIX%%/sbin/dnscrypt-wrapper --gen-crypt-keypair
+ fi
+
+ if [ -f %%ETCDNSCRYPTWRAPPER%%/dnscrypt.cert ]; then
+ echo "You already have a pre-signed certificate in:"
+ echo " %%ETCDNSCRYPTWRAPPER%%/dnscrypt.cert"
+ echo "Skipping pre-signed certificate generation."
+ else
+ %%PREFIX%%/sbin/dnscrypt-wrapper --crypt-secretkey-file %%ETCDNSCRYPTWRAPPER%%/crypt_secret.key --provider-publickey-file=%%ETCDNSCRYPTWRAPPER%%/public.key --provider-secretkey-file=%%ETCDNSCRYPTWRAPPER%%/secret.key --gen-cert-file
+ fi
+}
+
+dnscrypt_wrapper_checks()
+{
+ dnscrypt_wrapper_check_name
+ dnscrypt_wrapper_keygen
+}
+
+run_rc_command "$1"
diff --git a/dns/dnscrypt-wrapper/pkg-descr b/dns/dnscrypt-wrapper/pkg-descr
new file mode 100644
index 000000000000..393fd04168bf
--- /dev/null
+++ b/dns/dnscrypt-wrapper/pkg-descr
@@ -0,0 +1,5 @@
+This is a port of dnscrypt-wrapper, which adds dnscrypt support to any name
+resolver. It is the server-side counterpart of dnscrypt-proxy, and is in fact
+derived from its source.
+
+WWW: https://github.com/Cofyc/dnscrypt-wrapper/
diff --git a/dns/dnscrypt-wrapper/pkg-plist b/dns/dnscrypt-wrapper/pkg-plist
new file mode 100644
index 000000000000..dab4c82a59c4
--- /dev/null
+++ b/dns/dnscrypt-wrapper/pkg-plist
@@ -0,0 +1,2 @@
+sbin/dnscrypt-wrapper
+@dir etc/dnscrypt-wrapper
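Review bot: In `dnscrypt_wrapper_keygen` the result of `cd %%ETCDNSCRYPTWRAPPER%%/` is not checked, so if that directory is missing the `--gen-provider-keypair` and `--gen-crypt-keypair` calls write secret key material into whatever the current directory happens to be (presumably `/` when run from rc) while the later `-f %%ETCDNSCRYPTWRAPPER%%/...` tests keep failing and regenerating; `cd %%ETCDNSCRYPTWRAPPER%%/ || err 1 "%%ETCDNSCRYPTWRAPPER%% does not exist."` closes that. The same function tests and generates the fixed paths `%%ETCDNSCRYPTWRAPPER%%/crypt_secret.key` and `%%ETCDNSCRYPTWRAPPER%%/dnscrypt.cert`, whereas `command_args` starts the daemon with the overridable `${dnscrypt_wrapper_crypt_secretkey_file}` and `${dnscrypt_wrapper_provider_cert_file}`, so an operator who sets either in rc.conf gets a default keypair generated on every start and a daemon pointed elsewhere; using those two variables in keygen's tests and in the `--gen-cert-file` invocation keeps them consistent. Keys are created by root under `umask 077` while the service is started with `-u ${dnscrypt_wrapper_uid}`; whether the daemon reads the key files before dropping privileges is not visible here and is worth confirming before relying on the default file modes.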