From 56819171bcf0e2ccb5ae7b47364befd22eeb385c Mon Sep 17 00:00:00 2001 From: T3slider Date: Fri, 21 Sep 2018 22:57:09 +0100 Subject: network/dnscrypt-wrapper: Updated for version 0.4.1. Signed-off-by: David Spencer --- network/dnscrypt-wrapper/README.Slackware | 22 +++- .../dnscrypt-wrapper/dnscrypt-wrapper.SlackBuild | 14 +-- network/dnscrypt-wrapper/dnscrypt-wrapper.default | 21 +++- network/dnscrypt-wrapper/dnscrypt-wrapper.info | 6 +- network/dnscrypt-wrapper/rc.dnscrypt-wrapper | 114 +++++++++++++++++++-- 5 files changed, 155 insertions(+), 22 deletions(-) (limited to 'network') diff --git a/network/dnscrypt-wrapper/README.Slackware b/network/dnscrypt-wrapper/README.Slackware index 0c162404a3..b302317d46 100644 --- a/network/dnscrypt-wrapper/README.Slackware +++ b/network/dnscrypt-wrapper/README.Slackware @@ -24,10 +24,28 @@ keys, and a provider certificate. These can all be generated manually (see automatically by configuring /etc/default/dnscrypt-wrapper and running /etc/rc.d/rc.dnscrypt-wrapper generate-keys + /etc/rc.d/rc.dnscrypt-wrapper generate-cryptkeys /etc/rc.d/rc.dnscrypt-wrapper generate-cert -You will need to note the provider key fingerprint(s) when running that -command, since clients will need it for verification. +You will need to note the provider key fingerprint(s) and/or stamp(s) when +running that command, since clients will need them for +identification/verification. Automatically generated keys have a 24-hour expiry +period by default. Unless you change this to something longer in +/etc/default/dnscrypt-wrapper, you will almost certainly need a key rotation +mechanism to automatically update the encryption key and certificate. This can +be done by running + + /etc/rc.d/rc.dnscrypt-wrapper rotate-keys + +This command backs up the old key/cert, creates a new key/cert, and restarts a +running server to support both old and new key/cert. Since clients typically +fetch new certificates hourly, support for the old key/cert should be removed +an hour after the keys are rotated by restarting the server: + + /etc/rc.d/rc.dnscrypt-wrapper restart + +Typically one cron job, run daily, would rotate the keys, and another, run an +hour later, would restart the server. In order for clients to forward queries through dnscrypt-wrapper, they will need to run dnscrypt-proxy configured to connect to the server running diff --git a/network/dnscrypt-wrapper/dnscrypt-wrapper.SlackBuild b/network/dnscrypt-wrapper/dnscrypt-wrapper.SlackBuild index aa9acc397e..537451dbc1 100644 --- a/network/dnscrypt-wrapper/dnscrypt-wrapper.SlackBuild +++ b/network/dnscrypt-wrapper/dnscrypt-wrapper.SlackBuild @@ -2,7 +2,7 @@ # Slackware build script for dnscrypt-wrapper -# Copyright 2017 T3slider +# Copyright 2018 T3slider # All rights reserved. # # Redistribution and use of this script, with or without modification, is @@ -25,7 +25,7 @@ # Thanks to Larry Hajali for the logrotate configuration PRGNAM=dnscrypt-wrapper -VERSION=${VERSION:-0.3} +VERSION=${VERSION:-0.4.1} BUILD=${BUILD:-1} TAG=${TAG:-_SBo} @@ -62,11 +62,7 @@ rm -rf $PKG mkdir -p $TMP $PKG $OUTPUT cd $TMP rm -rf $PRGNAM-$VERSION -if [ -e $CWD/v$VERSION.tar.gz ]; then - tar xvf $CWD/v$VERSION.tar.gz -else - tar xvf $CWD/$PRGNAM-$VERSION.tar.gz -fi +tar xvf $CWD/$PRGNAM-$VERSION.tar.gz cd $PRGNAM-$VERSION chown -R root:root . find -L . \ @@ -96,8 +92,8 @@ find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | gr mkdir -p $PKG/usr/man/man8 gzip -9c debian/$PRGNAM.8 > $PKG/usr/man/man8/$PRGNAM.8.gz -mkdir -p $PKG/var/{lib,run,log}/$PRGNAM $PKG/etc/default -chmod 0700 $PKG/var/{lib,run,log}/$PRGNAM +mkdir -p $PKG/var/{lib,log}/$PRGNAM $PKG/etc/default +chmod 0700 $PKG/var/{lib,log}/$PRGNAM sed "s/@VERSION@/$VERSION/" $CWD/$PRGNAM.default > $PKG/etc/default/$PRGNAM.new install -D -m 0755 $CWD/rc.$PRGNAM $PKG/etc/rc.d/rc.$PRGNAM.new install -D -m 0644 $CWD/$PRGNAM.logrotate $PKG/etc/logrotate.d/$PRGNAM.new diff --git a/network/dnscrypt-wrapper/dnscrypt-wrapper.default b/network/dnscrypt-wrapper/dnscrypt-wrapper.default index 2d3a85bad3..cb3f6eded5 100644 --- a/network/dnscrypt-wrapper/dnscrypt-wrapper.default +++ b/network/dnscrypt-wrapper/dnscrypt-wrapper.default @@ -14,9 +14,13 @@ CHROOTDIR[0]="/run/dnscrypt" # The address and (optional) port to listen on. The default port is 53. LISTENADDRESS[0]="0.0.0.0:53" +# The external IP address and (optional) port to listen on. This is used to +# create the stamp to give to clients. The default port is 53. +EXTADDRESS[0]="127.0.0.1:53" + # The pid file for this instance. PIDFILE must always be specified for each # instance! -PIDFILE[0]="/var/run/dnscrypt-wrapper/dnscrypt-wrapper-0.pid" +PIDFILE[0]="/run/dnscrypt-wrapper/dnscrypt-wrapper-0.pid" # Runs the daemon as the following user and chroots to that user's home # directory (this is a security feature -- it is best not to change this!) @@ -61,10 +65,23 @@ RESOLVERADDRESS[0]="8.8.8.8:53" # Where to log. LOGFILE[0]="/var/log/dnscrypt-wrapper/dnscrypt-wrapper.log" +# Whether or not the server stores logs (self-reported to clients). Default is +# no, i.e. logs are kept. +#NOLOG[0]="no" + +# Whether or not the server supports DNSSEC. Default is no, i.e. DNSSEC is not +# supported. +#DNSSEC[0]="no" + +# The number of days the certificate is valid (i.e. expiration date). By +# default, if unset, this is 1 day (24 hours). +#CERTEXPIRATION[0]="1" + # A simple example configuration for a second instance #CHROOTDIR[1]="/run/dnscrypt" #LISTENADDRESS[1]="0.0.0.0:5353" -#PIDFILE[1]="/var/run/dnscrypt-wrapper/dnscrypt-wrapper-1.pid" +#EXTADDRESS[1]="127.0.0.2:5353" +#PIDFILE[1]="/run/dnscrypt-wrapper/dnscrypt-wrapper-1.pid" #USER[1]="dnscrypt" #DNSCRYPTDIR[1]="/var/lib/dnscrypt-wrapper/1" #PROVIDERNAME[1]="2.dnscrypt-cert.hostname.localdomain" diff --git a/network/dnscrypt-wrapper/dnscrypt-wrapper.info b/network/dnscrypt-wrapper/dnscrypt-wrapper.info index 59ac8c3cb7..4f2f01fa0a 100644 --- a/network/dnscrypt-wrapper/dnscrypt-wrapper.info +++ b/network/dnscrypt-wrapper/dnscrypt-wrapper.info @@ -1,8 +1,8 @@ PRGNAM="dnscrypt-wrapper" -VERSION="0.3" +VERSION="0.4.1" HOMEPAGE="https://github.com/cofyc/dnscrypt-wrapper" -DOWNLOAD="https://github.com/cofyc/dnscrypt-wrapper/archive/v0.3.tar.gz" -MD5SUM="4f567a4e5a852f72a6be57c7de251c85" +DOWNLOAD="https://github.com/cofyc/dnscrypt-wrapper/archive/v0.4.1/dnscrypt-wrapper-0.4.1.tar.gz" +MD5SUM="ddeb68c548a310d037d5d251ea2abb51" DOWNLOAD_x86_64="" MD5SUM_x86_64="" REQUIRES="libsodium" diff --git a/network/dnscrypt-wrapper/rc.dnscrypt-wrapper b/network/dnscrypt-wrapper/rc.dnscrypt-wrapper index 78e5a27349..3b88342f4e 100644 --- a/network/dnscrypt-wrapper/rc.dnscrypt-wrapper +++ b/network/dnscrypt-wrapper/rc.dnscrypt-wrapper @@ -39,6 +39,12 @@ start_instance() { fi fi + mkdir -p $(dirname ${PIDFILE[$1]}) + # The child (unprivileged) process needs write access or the PID will not + # be written. + chmod 0700 $(dirname ${PIDFILE[$1]}) + chown ${USER[$1]} $(dirname ${PIDFILE[$1]}) + OPTIONS="-d" if [ -n "${LISTENADDRESS[$1]}" ]; then OPTIONS="${OPTIONS} --listen-address=${LISTENADDRESS[$1]}" @@ -50,7 +56,11 @@ start_instance() { OPTIONS="${OPTIONS} --user=${USER[$1]}" fi if [ -n "${DNSCRYPTDIR[$1]}" ]; then - OPTIONS="${OPTIONS} --crypt-secretkey-file=${DNSCRYPTDIR[$1]}/crypt_secret.key" + if [ -n "$2" ] && [ "$2" == "rotate" ]; then + OPTIONS="${OPTIONS} --crypt-secretkey-file=${DNSCRYPTDIR[$1]}/crypt_secret.key,${DNSCRYPTDIR[$1]}/crypt_secret.key_prev" + else + OPTIONS="${OPTIONS} --crypt-secretkey-file=${DNSCRYPTDIR[$1]}/crypt_secret.key" + fi OPTIONS="${OPTIONS} --provider-publickey-file=${DNSCRYPTDIR[$1]}/public.key" OPTIONS="${OPTIONS} --provider-secretkey-file=${DNSCRYPTDIR[$1]}/secret.key" fi @@ -70,7 +80,11 @@ start_instance() { OPTIONS="${OPTIONS} --provider-name=${PROVIDERNAME[$1]}" fi if [ -n "${PROVIDERCERTFILE[$1]}" ]; then - OPTIONS="${OPTIONS} --provider-cert-file=${PROVIDERCERTFILE[$1]}" + if [ -n "$2" ] && [ "$2" == "rotate" ]; then + OPTIONS="${OPTIONS} --provider-cert-file=${PROVIDERCERTFILE[$1]},${PROVIDERCERTFILE[$1]}_prev" + else + OPTIONS="${OPTIONS} --provider-cert-file=${PROVIDERCERTFILE[$1]}" + fi fi if [ "${UNAUTHENTICATED[$1]}" == "yes" ]; then OPTIONS="${OPTIONS} --unauthenticated" @@ -123,13 +137,41 @@ generate-keys_instance() { echo "DNSCRYPTDIR not set for instance $1! Either set DNSCRYPTDIR or generate keys manually." return fi + OPTIONS="" + if [ "${NOLOG[$1]}" == "yes" ]; then + OPTIONS="${OPTIONS} --nolog" + fi + if [ "${DNSSEC[$1]}" == "yes" ]; then + OPTIONS="${OPTIONS} --dnssec" + fi ( echo "Generating keys for instance $1. You should record the fingerprint, since this will be used by clients." cd ${DNSCRYPTDIR[$1]} - rm -f crypt_secret.key public.key secret.key - $DAEMON --gen-provider-keypair + rm -f public.key secret.key + $DAEMON $OPTIONS --gen-provider-keypair \ + --provider-name=${PROVIDERNAME[$1]} \ + --ext-address=${EXTADDRESS[$1]} + + chmod 0600 public.key secret.key + ) +} + +generate-cryptkeys_instance() { + if [ -z ${PIDFILE[$1]} ]; then + echo "No configuration for instance $1 found!" + return + fi + if [ -z ${DNSCRYPTDIR[$1]} ]; then + echo "DNSCRYPTDIR not set for instance $1! Either set DNSCRYPTDIR or generate keys manually." + return + fi + ( + echo "Generating cryptkeys for instance $1." + cd ${DNSCRYPTDIR[$1]} + rm -f crypt_secret.key + $DAEMON --gen-crypt-keypair - chmod 0600 crypt_secret.key public.key secret.key + chmod 0600 crypt_secret.key ) } @@ -157,6 +199,9 @@ generate-cert_instance() { if [ -z "${DNSCRYPTDIR[$1]}" ] && [ -n "${PROVIDERSECRETKEYFILE[$1]}" ]; then OPTIONS="${OPTIONS} --provider-secretkey-file=${PROVIDERSECRETKEYFILE[$1]}" fi + if [ -n "${CERTEXPIRATION[$1]}" ]; then + OPTIONS="${OPTIONS} --cert-file-expire-days=${CERTEXPIRATION[$1]}" + fi ( echo "Generating certificate for instance $1." mkdir /tmp/dnscrypt-wrapper-$$ @@ -169,6 +214,35 @@ generate-cert_instance() { ) } +rotate-keys_instance() { + if [ -z ${PIDFILE[$1]} ]; then + echo "No configuration for instance $1 found!" + return + fi + if [ -z ${DNSCRYPTDIR[$1]} ]; then + echo "DNSCRYPTDIR not set for instance $1! Either set DNSCRYPTDIR or rotate keys manually." + return + fi + if [ -z ${PROVIDERCERTFILE[$1]} ]; then + echo "PROVIDERCERTFILE for instance $1 not set! Set PROVIDERCERTFILE before rotating keys." + return + fi + ( + echo "Backing up existing keys for instance $1." + cd ${DNSCRYPTDIR[$1]} + cp -f crypt_secret.key crypt_secret.key_prev + cp -f ${PROVIDERCERTFILE[$1]} ${PROVIDERCERTFILE[$1]}_prev + + chmod 0600 crypt_secret.key_prev ${PROVIDERCERTFILE[$1]}_prev + + generate-cryptkeys_instance $1 + generate-cert_instance $1 + stop_instance $1 + sleep 1 + start_instance $1 "rotate" + ) +} + start() { for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))` do @@ -197,6 +271,13 @@ generate-keys() { done } +generate-cryptkeys() { + for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))` + do + generate-cryptkeys_instance $i + done +} + generate-cert() { for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))` do @@ -204,6 +285,13 @@ generate-cert() { done } +rotate-keys() { + for i in `/usr/bin/seq 0 $((${#PIDFILE[@]}-1))` + do + rotate-keys_instance $i + done +} + case "$1" in 'start') start @@ -221,9 +309,15 @@ case "$1" in 'generate-keys') generate-keys ;; + 'generate-cryptkeys') + generate-cryptkeys + ;; 'generate-cert') generate-cert ;; + 'rotate-keys') + rotate-keys + ;; *_start) INSTANCE=`echo $1 | /bin/cut -d '_' -f 1` start_instance $INSTANCE @@ -246,12 +340,20 @@ case "$1" in INSTANCE=`echo $1 | /bin/cut -d '_' -f 1` generate-keys_instance $INSTANCE ;; + *_generate-cryptkeys) + INSTANCE=`echo $1 | /bin/cut -d '_' -f 1` + generate-cryptkeys_instance $INSTANCE + ;; *_generate-cert) INSTANCE=`echo $1 | /bin/cut -d '_' -f 1` generate-cert_instance $INSTANCE ;; + *_rotate-keys) + INSTANCE=`echo $1 | /bin/cut -d '_' -f 1` + rotate-keys_instance $INSTANCE + ;; *) - echo "Usage: $0 {start|stop|restart|status|generate-keys|generate-cert|#_start|#_stop|#_restart|#_status|#_generate-keys|#_generate-cert}" + echo "Usage: $0 {start|stop|restart|status|generate-keys|generate-cryptkeys|generate-cert|rotate-keys|#_start|#_stop|#_restart|#_status|#_generate-keys|#_generate-cryptkeys|#_generate-cert|#_rotate-keys}" exit 1 ;; esac -- cgit v1.2.3