Diffstat (limited to 'network/dnscrypt-wrapper/rc.dnscrypt-wrapper')
-rw-r--r-- | network/dnscrypt-wrapper/rc.dnscrypt-wrapper | 114 |
1 files changed, 108 insertions, 6 deletions
diff --git a/network/dnscrypt-wrapper/rc.dnscrypt-wrapper b/network/dnscrypt-wrapper/rc.dnscrypt-wrapper index 78e5a27349b56..3b88342f4ea15 100644 --- a/network/dnscrypt-wrapper/rc.dnscrypt-wrapper +++ b/network/dnscrypt-wrapper/rc.dnscrypt-wrapper @@ -39,6 +39,12 @@ start_instance() { fi fi + mkdir -p $(dirname ${PIDFILE[$1]}) + # The child (unprivileged) process needs write access or the PID will not + # be written. + chmod 0700 $(dirname ${PIDFILE[$1]}) + chown ${USER[$1]} $(dirname ${PIDFILE[$1]}) + OPTIONS="-d" if [ -n "${LISTENADDRESS[$1]}" ]; then OPTIONS="${OPTIONS} --listen-address=${LISTENADDRESS[$1]}" @@ -50,7 +56,11 @@ start_instance() { OPTIONS="${OPTIONS} --user=${USER[$1]}" fi if [ -n "${DNSCRYPTDIR[$1]}" ]; then - OPTIONS="${OPTIONS} --crypt-secretkey-file=${DNSCRYPTDIR[$1]}/crypt_secret.key" + if [ -n "$2" ] && [ "$2" == "rotate" ]; then + OPTIONS="${OPTIONS} --crypt-secretkey-file=${DNSCRYPTDIR[$1]}/crypt_secret.key,${DNSCRYPTDIR[$1]}/crypt_secret.key_prev" + else + OPTIONS="${OPTIONS} --crypt-secretkey-file=${DNSCRYPTDIR[$1]}/crypt_secret.key" + fi OPTIONS="${OPTIONS} --provider-publickey-file=${DNSCRYPTDIR[$1]}/public.key" OPTIONS="${OPTIONS} --provider-secretkey-file=${DNSCRYPTDIR[$1]}/secret.key" fi @@ -70,7 +80,11 @@ start_instance() { OPTIONS="${OPTIONS} --provider-name=${PROVIDERNAME[$1]}" fi if [ -n "${PROVIDERCERTFILE[$1]}" ]; then - OPTIONS="${OPTIONS} --provider-cert-file=${PROVIDERCERTFILE[$1]}" + if [ -n "$2" ] && [ "$2" == "rotate" ]; then + OPTIONS="${OPTIONS} --provider-cert-file=${PROVIDERCERTFILE[$1]},${PROVIDERCERTFILE[$1]}_prev" + else + OPTIONS="${OPTIONS} --provider-cert-file=${PROVIDERCERTFILE[$1]}" + fi fi if [ "${UNAUTHENTICATED[$1]}" == "yes" ]; then OPTIONS="${OPTIONS} --unauthenticated" 
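Review bot: The new `chown ${USER[$1]} $(dirname ${PIDFILE[$1]})` hands ownership of the whole PID directory to the unprivileged service user, and because `mkdir -p` accepts an existing directory it does so even when PIDFILE points into a shared location such as /var/run or /run, where the `chmod 0700` would also lock other services out. Once the service user owns that directory it can replace the PID file's contents, so any privileged `stop_instance` that kills the PID read from it (not visible in this hunk) would act on a number the unprivileged process chose; confining the PID file to a dedicated per-service directory limits the damage to the daemon's own files. The expansions are also unquoted, so a PIDFILE path containing whitespace splits into several arguments. I would resolve the directory once, refuse the shared system locations, and quote every use; start_instance begins before and ends after this hunk.

```shell
  PIDDIR=$(dirname -- "${PIDFILE[$1]}")
  case "$PIDDIR" in
    /|/run|/var/run)
      echo "PIDFILE for instance $1 must be in its own directory (e.g. a subdirectory of /var/run)"
      return
      ;;
  esac
  mkdir -p -- "$PIDDIR"
  # The child (unprivileged) process needs write access or the PID will not
  # be written.
  chmod 0700 -- "$PIDDIR"
  chown -- "${USER[$1]}" "$PIDDIR"
  # … unchanged: OPTIONS assembly …
```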
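Review bot: In the rotate branch `if [ -n "$2" ] && [ "$2" == "rotate" ]; then` the `-n` test is redundant, since an empty `$2` already fails the string comparison; `if [ "$2" == "rotate" ]; then` says the same thing, and the same applies to the PROVIDERCERTFILE branch in the hunk at -70. More importantly, the `_prev` key and certificate are only served when the instance is started through rotate-keys: a later plain `start` or `restart` drops them, so clients still holding the previous certificate (which, if CERTEXPIRATION works the way its name suggests, may stay valid for days) would stop resolving until they refetch. If the intent is to keep serving the previous key until it expires, consider selecting the `_prev` files whenever they exist, e.g. `if [ -f "${DNSCRYPTDIR[$1]}/crypt_secret.key_prev" ]; then`, rather than keying on `$2`. start_instance begins before and ends after these hunks.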
@@ -123,13 +137,41 @@ generate-keys_instance() { echo "DNSCRYPTDIR not set for instance $1! Either set DNSCRYPTDIR or generate keys manually." return fi + OPTIONS="" + if [ "${NOLOG[$1]}" == "yes" ]; then + OPTIONS="${OPTIONS} --nolog" + fi + if [ "${DNSSEC[$1]}" == "yes" ]; then + OPTIONS="${OPTIONS} --dnssec" + fi ( echo "Generating keys for instance $1. You should record the fingerprint, since this will be used by clients." cd ${DNSCRYPTDIR[$1]} - rm -f crypt_secret.key public.key secret.key - $DAEMON --gen-provider-keypair + rm -f public.key secret.key + $DAEMON $OPTIONS --gen-provider-keypair \ + --provider-name=${PROVIDERNAME[$1]} \ + --ext-address=${EXTADDRESS[$1]} + + chmod 0600 public.key secret.key + ) +} + +generate-cryptkeys_instance() { + if [ -z ${PIDFILE[$1]} ]; then + echo "No configuration for instance $1 found!" + return + fi + if [ -z ${DNSCRYPTDIR[$1]} ]; then + echo "DNSCRYPTDIR not set for instance $1! Either set DNSCRYPTDIR or generate keys manually." + return + fi + ( + echo "Generating cryptkeys for instance $1." + cd ${DNSCRYPTDIR[$1]} + rm -f crypt_secret.key + $DAEMON --gen-crypt-keypair - chmod 0600 crypt_secret.key public.key secret.key + chmod 0600 crypt_secret.key ) } @@ -157,6 +199,9 @@ generate-cert_instance() { if [ -z "${DNSCRYPTDIR[$1]}" ] && [ -n "${PROVIDERSECRETKEYFILE[$1]}" ]; then OPTIONS="${OPTIONS} --provider-secretkey-file=${PROVIDERSECRETKEYFILE[$1]}" fi + if [ -n "${CERTEXPIRATION[$1]}" ]; then + OPTIONS="${OPTIONS} --cert-file-expire-days=${CERTEXPIRATION[$1]}" + fi ( echo "Generating certificate for instance $1." mkdir /tmp/dnscrypt-wrapper-$$ 
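Review bot: In the new generate-cryptkeys_instance subshell `cd ${DNSCRYPTDIR[$1]}` is unchecked, so if the directory is missing the `rm -f crypt_secret.key` and the key generation run in whatever the current directory happens to be, and `chmod 0600 crypt_secret.key` runs regardless of whether `$DAEMON --gen-crypt-keypair` succeeded; the same applies to the modified generate-keys_instance earlier in this hunk. I would write `cd "${DNSCRYPTDIR[$1]}" || exit 1` and `$DAEMON --gen-crypt-keypair || exit 1` so that a failed generation leaves the function with a visible non-zero status instead of a silently keyless instance. The `[ -z ${PIDFILE[$1]} ]` and `[ -z ${DNSCRYPTDIR[$1]} ]` guards in generate-cryptkeys_instance are unquoted and only behave for values without whitespace; `[ -z "${PIDFILE[$1]}" ]` matches the quoted form the generate-cert_instance hunk at -157 already uses, and the new rotate-keys_instance in the next hunk repeats the unquoted form.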
@@ -169,6 +214,35 @@ generate-cert_instance() { ) } +rotate-keys_instance() { + if [ -z ${PIDFILE[$1]} ]; then + echo "No configuration for instance $1 found!" + return + fi + if [ -z ${DNSCRYPTDIR[$1]} ]; then + echo "DNSCRYPTDIR not set for instance $1! Either set DNSCRYPTDIR or rotate keys manually." + return + fi + if [ -z ${PROVIDERCERTFILE[$1]} ]; then + echo "PROVIDERCERTFILE for instance $1 not set! Set PROVIDERCERTFILE before rotating keys." + return + fi + ( + echo "Backing up existing keys for instance $1." + cd ${DNSCRYPTDIR[$1]} + cp -f crypt_secret.key crypt_secret.key_prev + cp -f ${PROVIDERCERTFILE[$1]} ${PROVIDERCERTFILE[$1]}_prev + + chmod 0600 crypt_secret.key_prev ${PROVIDERCERTFILE[$1]}_prev + + generate-cryptkeys_instance $1 + generate-cert_instance $1 + stop_instance $1 + sleep 1 + start_instance $1 "rotate" + ) +} + start() { for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))` do @@ -197,6 +271,13 @@ generate-keys() { done } +generate-cryptkeys() { + for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))` + do + generate-cryptkeys_instance $i + done +} + generate-cert() { for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))` do @@ -204,6 +285,13 @@ generate-cert() { done } +rotate-keys() { + for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))` + do + rotate-keys_instance $i + done +} + case "$1" in 'start') start @@ -221,9 +309,15 @@ case "$1" in 'generate-keys') generate-keys ;; + 'generate-cryptkeys') + generate-cryptkeys + ;; 'generate-cert') generate-cert ;; + 'rotate-keys') + rotate-keys + ;; *_start) INSTANCE=`echo $1 | /bin/cut -d '_' -f 1` start_instance $INSTANCE 
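Review bot: rotate-keys_instance stops and restarts the instance unconditionally after the two generate calls, and those functions return 0 on their own error paths (the echo-and-return checks visible in the hunks above), so a failed key or certificate generation still ends with the daemon restarted with `--crypt-secretkey-file=…crypt_secret.key,…crypt_secret.key_prev` pointing at a missing or stale file, with a one-second `sleep` as the only separation between `stop_instance` and `start_instance`. I would confirm the new material exists before touching the running daemon, e.g. `[ -s crypt_secret.key ] && [ -s "${PROVIDERCERTFILE[$1]}" ] || { echo "Key rotation for instance $1 failed, not restarting."; exit 1; }`, and make the generate functions return non-zero on failure so this can become a plain `&&` chain. Note also that each rotation overwrites `crypt_secret.key_prev` and `${PROVIDERCERTFILE[$1]}_prev`, so only the immediately previous certificate is ever served; if clients keep a certificate for its whole validity period, rotating twice inside that period would strand those still on the first one, which is worth a comment above the `cp -f` lines.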
@@ -246,12 +340,20 @@ case "$1" in INSTANCE=`echo $1 | /bin/cut -d '_' -f 1` generate-keys_instance $INSTANCE ;; + *_generate-cryptkeys) + INSTANCE=`echo $1 | /bin/cut -d '_' -f 1` + generate-cryptkeys_instance $INSTANCE + ;; *_generate-cert) INSTANCE=`echo $1 | /bin/cut -d '_' -f 1` generate-cert_instance $INSTANCE ;; + *_rotate-keys) + INSTANCE=`echo $1 | /bin/cut -d '_' -f 1` + rotate-keys_instance $INSTANCE + ;; *) - echo "Usage: $0 {start|stop|restart|status|generate-keys|generate-cert|#_start|#_stop|#_restart|#_status|#_generate-keys|#_generate-cert}" + echo "Usage: $0 {start|stop|restart|status|generate-keys|generate-cryptkeys|generate-cert|rotate-keys|#_start|#_stop|#_restart|#_status|#_generate-keys|#_generate-cryptkeys|#_generate-cert|#_rotate-keys}" exit 1 ;; esac |