Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #8954 from jonathanunderwood/openwrt-18.06-getdns-stubby-from-master

Browse source 
[18.06] stubby and getdns: cherry pick commits from master
This commit is contained in:
Rosen Penev 2019-05-11 12:14:15 -07:00 committed by GitHub
commit ec5e894ce7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 145 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
libs/getdns/Makefile
View file

@ -5,7 +5,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=getdns
PKG_VERSION:=1.5.0
PKG_VERSION:=1.5.2
PKG_RELEASE:=1
PKG_LICENSE:=BSD-3-Clause
@ -14,7 +14,7 @@ PKG_MAINTAINER:=Jonathan Underwood <jonathan.underwood@gmail.com>
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://getdnsapi.net/dist/
PKG_HASH:=577182c3ace919ee70cee5629505581a10dc530bd53fe5c241603ea91c84fa84
PKG_HASH:=1826a6a221ea9e9301f2c1f5d25f6f5588e841f08b967645bf50c53b970694c0
PKG_FIXUP:=autoreconf

7
net/stubby/Makefile
View file

@ -5,7 +5,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=stubby
PKG_VERSION:=0.2.4
PKG_VERSION:=0.2.6
PKG_RELEASE:=1
PKG_LICENSE:=BSD-3-Clause
@ -13,10 +13,9 @@ PKG_LICENSE_FILES:=COPYING
PKG_MAINTAINER:=Jonathan Underwood <jonathan.underwood@gmail.com>
PKG_SOURCE_PROTO:=git
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://github.com/getdnsapi/$(PKG_NAME)
PKG_SOURCE_VERSION:=58200cadec6371f95e31a7f3735225c5a46ecf75
PKG_MIRROR_HASH:=28c46f4464cb41cf59264d10da63dc25ece9a1d00b4dfb05a9276594658e5eb9
PKG_SOURCE_VERSION:=v$(PKG_VERSION)
PKG_MIRROR_HASH:=af896c471ac67b31c2263d11fcdfcdb32a213621c2f8789f4b0a4ceca4437108
PKG_FIXUP:=autoreconf

58
net/stubby/files/README.md
View file

@ -373,6 +373,32 @@ The possible levels are:
This option specifies additional command line arguments for
stubby daemon. By default, this is an empty string.
#### `option tls_cipher_list`
If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL
1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set
with the `tls_ciphersuites` option. This option can also be given per upstream
resolver. By default, this option is not set.
#### `option tls_ciphersuites`
If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL
version 1.1.1 or greater is required for this option. This option can also be
given per upstream resolver. By default, this option is not set.
#### `option tls_min_version`
If set, this specifies the minimum acceptable TLS version. Works with OpenSSL
1.1.1 or greater only. This option can also be given per upstream resolver. By
default, this option is not set.
#### `option tls_max_version`
If set, this specifies the maximum acceptable TLS version. Works with OpenSSL
1.1.1 or greater only. This option can also be given per upstream resolver. By
default, this option is not set.
### `resolver` section options
#### `option address`
@ -385,10 +411,40 @@ IPv6 address.
This option specifies the upstream domain name used for TLS authentication with
the supplied server certificate
#### `option tls_port`
This option specifies the TLS port for the upstream resolver. If not specified,
this defaults to 853.
#### `option tls_cipher_list`
If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL
1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set
with the `tls_ciphersuites` option. By default, this option is not set. If set,
this overrides the global value.
#### `option tls_ciphersuites`
If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL
version 1.1.1 or greater is required for this option. By default, this option is
not set. If set, this overrides the global value.
#### `option tls_min_version`
If set, this specifies the minimum acceptable TLS version. Works with OpenSSL
1.1.1 or greater only. By default, this option is not set. If set, this
overrides the global value.
#### `option tls_max_version`
If set, this specifies the maximum acceptable TLS version. Works with OpenSSL
1.1.1 or greater only. By default, this options is not set. If set, this
overrides the global value.
#### `list spki`
This list specifies the SPKI pinset which is verified against the keys in the
server cerrtificate. The values takes the form `'<digest type>/value>'`, where
server cerrtificate. The value takes the form `'<digest type>/value>'`, where
the `digest type` is the hashing algorithm used, and the value is the Base64
encoded hash of the public key. At present, only `sha256` is
supported for the digest type.

24
net/stubby/files/stubby.conf
View file

@ -19,24 +19,48 @@ config stubby 'global'
list listen_address '0::1@5453'
# option log_level '7'
# option command_line_arguments ''
# option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'
# Upstream resolvers are specified using 'resolver' sections.
config resolver
option address '2606:4700:4700::1111'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
# option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'
config resolver
option address '2606:4700:4700::1001'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
# option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'
config resolver
option address '1.1.1.1'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
# option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'
config resolver
option address '1.0.0.1'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
# option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'

59
net/stubby/files/stubby.init
View file

@ -38,6 +38,10 @@ generate_config()
local upstream_recursive_servers_section=0
local command_line_arguments
local log_level
local tls_cipher_list
local tls_ciphersuites
local tls_min_version
local tls_max_version
# Generate configuration. See: https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example
echo "# Autogenerated configuration from uci data" > "$config_file"
@ -93,6 +97,26 @@ generate_config()
config_get idle_timeout "global" idle_timeout "10000"
echo "idle_timeout: $idle_timeout" >> "$config_file"
config_get tls_cipher_list "global" tls_cipher_list ""
if [ -n "$tls_cipher_list" ]; then
echo "tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file"
fi
config_get tls_ciphersuites "global" tls_ciphersuites ""
if [ -n "$tls_ciphersuites" ]; then
echo "tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file"
fi
config_get tls_min_version "global" tls_min_version ""
if [ -n "$tls_min_version" ]; then
echo "tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file"
fi
config_get tls_max_version "global" tls_max_version ""
if [ -n "$tls_max_version" ]; then
echo "tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file"
fi
handle_listen_address_value()
{
local value="$1"
@ -122,21 +146,52 @@ generate_config()
local config=$1
local address
local tls_auth_name
local tls_port
local tls_pubkey_pinset_section=0
local tls_cipher_list
local tls_ciphersuites
local tls_min_version
local tls_max_version
if [ "$upstream_recursive_servers_section" = 0 ]; then
echo "upstream_recursive_servers:" >> "$config_file"
upstream_recursive_servers_section=1
fi
config_get address "$config" address
config_get tls_auth_name "$config" tls_auth_name
echo " - address_data: $address" >> "$config_file"
config_get tls_auth_name "$config" tls_auth_name
echo " tls_auth_name: \"$tls_auth_name\"" >> "$config_file"
config_get tls_auth_port "$config" tls_port ""
if [ -n "$tls_port" ]; then
echo " tls_port: $tls_port" >> "$config_file"
fi
config_get tls_cipher_list "$config" tls_cipher_list ""
if [ -n "$tls_cipher_list" ]; then
echo " tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file"
fi
config_get tls_ciphersuites "$config" tls_ciphersuites ""
if [ -n "$tls_ciphersuites" ]; then
echo " tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file"
fi
config_get tls_min_version "$config" tls_min_version ""
if [ -n "$tls_min_version" ]; then
echo " tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file"
fi
config_get tls_max_version "$config" tls_max_version ""
if [ -n "$tls_max_version" ]; then
echo " tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file"
fi
handle_resolver_spki()
{
local val="$1"
local digest="${val%/*}"
local digest="${val%%/*}"
local value="${val#*/}"
if [ "$tls_pubkey_pinset_section" = 0 ]; then

2
net/stubby/files/stubby.yml
View file

@ -17,7 +17,7 @@ dns_transport_list:
upstream_recursive_servers:
- address_data: 2606:4700:4700::1111
tls_auth_name: "cloudflare-dns.com"
- address_data: 2606:4700:4700::1111
- address_data: 2606:4700:4700::1001
tls_auth_name: "cloudflare-dns.com"
- address_data: 1.1.1.1
tls_auth_name: "cloudflare-dns.com"