Diffstat (limited to 'network')
-rw-r--r--network/dnscrypt-wrapper/README.Slackware22
-rw-r--r--network/dnscrypt-wrapper/dnscrypt-wrapper.SlackBuild14
-rw-r--r--network/dnscrypt-wrapper/dnscrypt-wrapper.default21
-rw-r--r--network/dnscrypt-wrapper/dnscrypt-wrapper.info6
-rw-r--r--network/dnscrypt-wrapper/rc.dnscrypt-wrapper114
5 files changed, 155 insertions, 22 deletions
diff --git a/network/dnscrypt-wrapper/README.Slackware b/network/dnscrypt-wrapper/README.Slackware
index 0c162404a3e14..b302317d46091 100644
--- a/network/dnscrypt-wrapper/README.Slackware
+++ b/network/dnscrypt-wrapper/README.Slackware
@@ -24,10 +24,28 @@ keys, and a provider certificate. These can all be generated manually (see
automatically by configuring /etc/default/dnscrypt-wrapper and running
/etc/rc.d/rc.dnscrypt-wrapper generate-keys
+ /etc/rc.d/rc.dnscrypt-wrapper generate-cryptkeys
/etc/rc.d/rc.dnscrypt-wrapper generate-cert
-You will need to note the provider key fingerprint(s) when running that
-command, since clients will need it for verification.
+You will need to note the provider key fingerprint(s) and/or stamp(s) when
+running that command, since clients will need them for
+identification/verification. Automatically generated keys have a 24-hour expiry
+period by default. Unless you change this to something longer in
+/etc/default/dnscrypt-wrapper, you will almost certainly need a key rotation
+mechanism to automatically update the encryption key and certificate. This can
+be done by running
+
+ /etc/rc.d/rc.dnscrypt-wrapper rotate-keys
+
+This command backs up the old key/cert, creates a new key/cert, and restarts a
+running server to support both old and new key/cert. Since clients typically
+fetch new certificates hourly, support for the old key/cert should be removed
+an hour after the keys are rotated by restarting the server:
+
+ /etc/rc.d/rc.dnscrypt-wrapper restart
+
+Typically one cron job, run daily, would rotate the keys, and another, run an
+hour later, would restart the server.
In order for clients to forward queries through dnscrypt-wrapper, they will
need to run dnscrypt-proxy configured to connect to the server running
diff --git a/network/dnscrypt-wrapper/dnscrypt-wrapper.SlackBuild b/network/dnscrypt-wrapper/dnscrypt-wrapper.SlackBuild
index aa9acc397ec01..537451dbc1c03 100644
--- a/network/dnscrypt-wrapper/dnscrypt-wrapper.SlackBuild
+++ b/network/dnscrypt-wrapper/dnscrypt-wrapper.SlackBuild
@@ -2,7 +2,7 @@
# Slackware build script for dnscrypt-wrapper
-# Copyright 2017 T3slider <t3slider@gmail.com>
+# Copyright 2018 T3slider <t3slider@gmail.com>
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
@@ -25,7 +25,7 @@
# Thanks to Larry Hajali for the logrotate configuration
PRGNAM=dnscrypt-wrapper
-VERSION=${VERSION:-0.3}
+VERSION=${VERSION:-0.4.1}
BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
@@ -62,11 +62,7 @@ rm -rf $PKG
mkdir -p $TMP $PKG $OUTPUT
cd $TMP
rm -rf $PRGNAM-$VERSION
-if [ -e $CWD/v$VERSION.tar.gz ]; then
- tar xvf $CWD/v$VERSION.tar.gz
-else
- tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
-fi
+tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
cd $PRGNAM-$VERSION
chown -R root:root .
find -L . \
@@ -96,8 +92,8 @@ find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | gr
mkdir -p $PKG/usr/man/man8
gzip -9c debian/$PRGNAM.8 > $PKG/usr/man/man8/$PRGNAM.8.gz
-mkdir -p $PKG/var/{lib,run,log}/$PRGNAM $PKG/etc/default
-chmod 0700 $PKG/var/{lib,run,log}/$PRGNAM
+mkdir -p $PKG/var/{lib,log}/$PRGNAM $PKG/etc/default
+chmod 0700 $PKG/var/{lib,log}/$PRGNAM
sed "s/@VERSION@/$VERSION/" $CWD/$PRGNAM.default > $PKG/etc/default/$PRGNAM.new
install -D -m 0755 $CWD/rc.$PRGNAM $PKG/etc/rc.d/rc.$PRGNAM.new
install -D -m 0644 $CWD/$PRGNAM.logrotate $PKG/etc/logrotate.d/$PRGNAM.new
diff --git a/network/dnscrypt-wrapper/dnscrypt-wrapper.default b/network/dnscrypt-wrapper/dnscrypt-wrapper.default
index 2d3a85bad3d9e..cb3f6eded58a5 100644
--- a/network/dnscrypt-wrapper/dnscrypt-wrapper.default
+++ b/network/dnscrypt-wrapper/dnscrypt-wrapper.default
@@ -14,9 +14,13 @@ CHROOTDIR[0]="/run/dnscrypt"
# The address and (optional) port to listen on. The default port is 53.
LISTENADDRESS[0]="0.0.0.0:53"
+# The external IP address and (optional) port to listen on. This is used to
+# create the stamp to give to clients. The default port is 53.
+EXTADDRESS[0]="127.0.0.1:53"
+
# The pid file for this instance. PIDFILE must always be specified for each
# instance!
-PIDFILE[0]="/var/run/dnscrypt-wrapper/dnscrypt-wrapper-0.pid"
+PIDFILE[0]="/run/dnscrypt-wrapper/dnscrypt-wrapper-0.pid"
# Runs the daemon as the following user and chroots to that user's home
# directory (this is a security feature -- it is best not to change this!)
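Review bot: `EXTADDRESS[0]="127.0.0.1:53"` ships a loopback address as the live (uncommented) default, and because the rc script passes this value as `--ext-address` when generating the provider keypair, the stamp it prints for clients will point at 127.0.0.1 unless the administrator notices before distributing it. Nothing at start time can catch this, since the daemon listens on LISTENADDRESS, not EXTADDRESS. A comment on the line would stop a silently useless stamp: `# Set this to the public address clients actually reach. It is embedded in the stamp printed by generate-keys, so a wrong value here is handed to every client.`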
@@ -61,10 +65,23 @@ RESOLVERADDRESS[0]="8.8.8.8:53"
# Where to log.
LOGFILE[0]="/var/log/dnscrypt-wrapper/dnscrypt-wrapper.log"
+# Whether or not the server stores logs (self-reported to clients). Default is
+# no, i.e. logs are kept.
+#NOLOG[0]="no"
+
+# Whether or not the server supports DNSSEC. Default is no, i.e. DNSSEC is not
+# supported.
+#DNSSEC[0]="no"
+
+# The number of days the certificate is valid (i.e. expiration date). By
+# default, if unset, this is 1 day (24 hours).
+#CERTEXPIRATION[0]="1"
+
# A simple example configuration for a second instance
#CHROOTDIR[1]="/run/dnscrypt"
#LISTENADDRESS[1]="0.0.0.0:5353"
-#PIDFILE[1]="/var/run/dnscrypt-wrapper/dnscrypt-wrapper-1.pid"
+#EXTADDRESS[1]="127.0.0.2:5353"
+#PIDFILE[1]="/run/dnscrypt-wrapper/dnscrypt-wrapper-1.pid"
#USER[1]="dnscrypt"
#DNSCRYPTDIR[1]="/var/lib/dnscrypt-wrapper/1"
#PROVIDERNAME[1]="2.dnscrypt-cert.hostname.localdomain"
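Review bot: NOLOG and DNSSEC are only ever turned into `--nolog`/`--dnssec` flags for `--gen-provider-keypair` in the rc script, so they change what the stamp advertises to clients and nothing else; LOGFILE on the line just above is still written regardless of NOLOG. As written, `NOLOG[0]="yes"` next to a populated LOGFILE would make the server claim to clients that it keeps no logs while it does. The comment should say so: `# NOTE: this only changes the claim embedded in the stamp; it does NOT disable LOGFILE. Set "yes" only if you have actually turned logging off.` The same caveat applies to DNSSEC: it advertises support, it does not enable validation on the upstream resolver.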
diff --git a/network/dnscrypt-wrapper/dnscrypt-wrapper.info b/network/dnscrypt-wrapper/dnscrypt-wrapper.info
index 59ac8c3cb75f2..4f2f01fa0a263 100644
--- a/network/dnscrypt-wrapper/dnscrypt-wrapper.info
+++ b/network/dnscrypt-wrapper/dnscrypt-wrapper.info
@@ -1,8 +1,8 @@
PRGNAM="dnscrypt-wrapper"
-VERSION="0.3"
+VERSION="0.4.1"
HOMEPAGE="https://github.com/cofyc/dnscrypt-wrapper"
-DOWNLOAD="https://github.com/cofyc/dnscrypt-wrapper/archive/v0.3.tar.gz"
-MD5SUM="4f567a4e5a852f72a6be57c7de251c85"
+DOWNLOAD="https://github.com/cofyc/dnscrypt-wrapper/archive/v0.4.1/dnscrypt-wrapper-0.4.1.tar.gz"
+MD5SUM="ddeb68c548a310d037d5d251ea2abb51"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
REQUIRES="libsodium"
diff --git a/network/dnscrypt-wrapper/rc.dnscrypt-wrapper b/network/dnscrypt-wrapper/rc.dnscrypt-wrapper
index 78e5a27349b56..3b88342f4ea15 100644
--- a/network/dnscrypt-wrapper/rc.dnscrypt-wrapper
+++ b/network/dnscrypt-wrapper/rc.dnscrypt-wrapper
@@ -39,6 +39,12 @@ start_instance() {
fi
fi
+ mkdir -p $(dirname ${PIDFILE[$1]})
+ # The child (unprivileged) process needs write access or the PID will not
+ # be written.
+ chmod 0700 $(dirname ${PIDFILE[$1]})
+ chown ${USER[$1]} $(dirname ${PIDFILE[$1]})
+
OPTIONS="-d"
if [ -n "${LISTENADDRESS[$1]}" ]; then
OPTIONS="${OPTIONS} --listen-address=${LISTENADDRESS[$1]}"
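Review bot: `chmod 0700` and `chown ${USER[$1]}` are applied to whatever directory PIDFILE happens to live in, so a PIDFILE of `/run/foo.pid` or `/var/run/foo.pid` would lock down `/run` itself and hand it to the dnscrypt user, breaking every other service. Giving the pid directory to the unprivileged daemon also means the file that root later reads to stop the service (stop_instance is outside this hunk, so its handling is presumed) can be rewritten by a compromised daemon to name any PID on the system; at minimum the stop path should verify the PID belongs to `$DAEMON` before signalling it. The expansions are also unquoted and `chown` runs even when USER is empty. Refuse shared directories and guard the chown:
```shell
  PIDDIR=$(dirname "${PIDFILE[$1]}")
  # Never take over a shared directory: 0700 on /run breaks every other service.
  case "$PIDDIR" in
    /|/run|/var/run) echo "PIDFILE for instance $1 must be in a dedicated subdirectory"; return ;;
  esac
  mkdir -p "$PIDDIR"
  # The child (unprivileged) process needs write access or the PID will not be written.
  chmod 0700 "$PIDDIR"
  [ -n "${USER[$1]}" ] && chown "${USER[$1]}" "$PIDDIR"
  # … unchanged: OPTIONS assembly …
```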
@@ -50,7 +56,11 @@ start_instance() {
OPTIONS="${OPTIONS} --user=${USER[$1]}"
fi
if [ -n "${DNSCRYPTDIR[$1]}" ]; then
- OPTIONS="${OPTIONS} --crypt-secretkey-file=${DNSCRYPTDIR[$1]}/crypt_secret.key"
+ if [ -n "$2" ] && [ "$2" == "rotate" ]; then
+ OPTIONS="${OPTIONS} --crypt-secretkey-file=${DNSCRYPTDIR[$1]}/crypt_secret.key,${DNSCRYPTDIR[$1]}/crypt_secret.key_prev"
+ else
+ OPTIONS="${OPTIONS} --crypt-secretkey-file=${DNSCRYPTDIR[$1]}/crypt_secret.key"
+ fi
OPTIONS="${OPTIONS} --provider-publickey-file=${DNSCRYPTDIR[$1]}/public.key"
OPTIONS="${OPTIONS} --provider-secretkey-file=${DNSCRYPTDIR[$1]}/secret.key"
fi
@@ -70,7 +80,11 @@ start_instance() {
OPTIONS="${OPTIONS} --provider-name=${PROVIDERNAME[$1]}"
fi
if [ -n "${PROVIDERCERTFILE[$1]}" ]; then
- OPTIONS="${OPTIONS} --provider-cert-file=${PROVIDERCERTFILE[$1]}"
+ if [ -n "$2" ] && [ "$2" == "rotate" ]; then
+ OPTIONS="${OPTIONS} --provider-cert-file=${PROVIDERCERTFILE[$1]},${PROVIDERCERTFILE[$1]}_prev"
+ else
+ OPTIONS="${OPTIONS} --provider-cert-file=${PROVIDERCERTFILE[$1]}"
+ fi
fi
if [ "${UNAUTHENTICATED[$1]}" == "yes" ]; then
OPTIONS="${OPTIONS} --unauthenticated"
@@ -123,13 +137,41 @@ generate-keys_instance() {
echo "DNSCRYPTDIR not set for instance $1! Either set DNSCRYPTDIR or generate keys manually."
return
fi
+ OPTIONS=""
+ if [ "${NOLOG[$1]}" == "yes" ]; then
+ OPTIONS="${OPTIONS} --nolog"
+ fi
+ if [ "${DNSSEC[$1]}" == "yes" ]; then
+ OPTIONS="${OPTIONS} --dnssec"
+ fi
(
echo "Generating keys for instance $1. You should record the fingerprint, since this will be used by clients."
cd ${DNSCRYPTDIR[$1]}
- rm -f crypt_secret.key public.key secret.key
- $DAEMON --gen-provider-keypair
+ rm -f public.key secret.key
+ $DAEMON $OPTIONS --gen-provider-keypair \
+ --provider-name=${PROVIDERNAME[$1]} \
+ --ext-address=${EXTADDRESS[$1]}
+
+ chmod 0600 public.key secret.key
+ )
+}
+
+generate-cryptkeys_instance() {
+ if [ -z ${PIDFILE[$1]} ]; then
+ echo "No configuration for instance $1 found!"
+ return
+ fi
+ if [ -z ${DNSCRYPTDIR[$1]} ]; then
+ echo "DNSCRYPTDIR not set for instance $1! Either set DNSCRYPTDIR or generate keys manually."
+ return
+ fi
+ (
+ echo "Generating cryptkeys for instance $1."
+ cd ${DNSCRYPTDIR[$1]}
+ rm -f crypt_secret.key
+
$DAEMON --gen-crypt-keypair
- chmod 0600 crypt_secret.key public.key secret.key
+ chmod 0600 crypt_secret.key
)
}
@@ -157,6 +199,9 @@ generate-cert_instance() {
if [ -z "${DNSCRYPTDIR[$1]}" ] && [ -n "${PROVIDERSECRETKEYFILE[$1]}" ]; then
OPTIONS="${OPTIONS} --provider-secretkey-file=${PROVIDERSECRETKEYFILE[$1]}"
fi
+ if [ -n "${CERTEXPIRATION[$1]}" ]; then
+ OPTIONS="${OPTIONS} --cert-file-expire-days=${CERTEXPIRATION[$1]}"
+ fi
(
echo "Generating certificate for instance $1."
mkdir /tmp/dnscrypt-wrapper-$$
@@ -169,6 +214,35 @@ generate-cert_instance() {
)
}
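Review bot: The certificate is staged in `/tmp/dnscrypt-wrapper-$$`, a predictable name in a world-writable directory, and the `mkdir` result is not checked; if that path already exists (PIDs recycle) the remainder of the function, which continues outside this hunk, presumably carries on inside a directory another local user created. Replace it with `CERTTMP=$(mktemp -d) || return` and use `"$CERTTMP"` in the lines that follow, removing it on exit. The new `--cert-file-expire-days=${CERTEXPIRATION[$1]}` is passed through unvalidated, which is acceptable for a root-edited config but should at least be quoted.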
+rotate-keys_instance() {
+ if [ -z ${PIDFILE[$1]} ]; then
+ echo "No configuration for instance $1 found!"
+ return
+ fi
+ if [ -z ${DNSCRYPTDIR[$1]} ]; then
+ echo "DNSCRYPTDIR not set for instance $1! Either set DNSCRYPTDIR or rotate keys manually."
+ return
+ fi
+ if [ -z ${PROVIDERCERTFILE[$1]} ]; then
+ echo "PROVIDERCERTFILE for instance $1 not set! Set PROVIDERCERTFILE before rotating keys."
+ return
+ fi
+ (
+ echo "Backing up existing keys for instance $1."
+ cd ${DNSCRYPTDIR[$1]}
+ cp -f crypt_secret.key crypt_secret.key_prev
+ cp -f ${PROVIDERCERTFILE[$1]} ${PROVIDERCERTFILE[$1]}_prev
+
+ chmod 0600 crypt_secret.key_prev ${PROVIDERCERTFILE[$1]}_prev
+
+ generate-cryptkeys_instance $1
+ generate-cert_instance $1
+ stop_instance $1
+ sleep 1
+ start_instance $1 "rotate"
+ )
+}
+
start() {
for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))`
do
@@ -197,6 +271,13 @@ generate-keys() {
done
}
+generate-cryptkeys() {
+ for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))`
+ do
+ generate-cryptkeys_instance $i
+ done
+}
+
generate-cert() {
for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))`
do
@@ -204,6 +285,13 @@ generate-cert() {
done
}
+rotate-keys() {
+ for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))`
+ do
+ rotate-keys_instance $i
+ done
+}
+
case "$1" in
'start')
start
@@ -221,9 +309,15 @@ case "$1" in
'generate-keys')
generate-keys
;;
+ 'generate-cryptkeys')
+ generate-cryptkeys
+ ;;
'generate-cert')
generate-cert
;;
+ 'rotate-keys')
+ rotate-keys
+ ;;
*_start)
INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
start_instance $INSTANCE
@@ -246,12 +340,20 @@ case "$1" in
INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
generate-keys_instance $INSTANCE
;;
+ *_generate-cryptkeys)
+ INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
+ generate-cryptkeys_instance $INSTANCE
+ ;;
*_generate-cert)
INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
generate-cert_instance $INSTANCE
;;
+ *_rotate-keys)
+ INSTANCE=`echo $1 | /bin/cut -d '_' -f 1`
+ rotate-keys_instance $INSTANCE
+ ;;
*)
- echo "Usage: $0 {start|stop|restart|status|generate-keys|generate-cert|#_start|#_stop|#_restart|#_status|#_generate-keys|#_generate-cert}"
+ echo "Usage: $0 {start|stop|restart|status|generate-keys|generate-cryptkeys|generate-cert|rotate-keys|#_start|#_stop|#_restart|#_status|#_generate-keys|#_generate-cryptkeys|#_generate-cert|#_rotate-keys}"
exit 1
;;
esac