From 95daecd8150e67701d4a0e41700051cb442bff37 Mon Sep 17 00:00:00 2001 From: Jannik Vieten Date: Mon, 18 Mar 2019 12:07:22 +0100 Subject: [PATCH 1/9] stubby: fixed duplicate IPv6 address in stubby.yml; fixed typo in README.md Signed-off-by: Jannik Vieten --- net/stubby/files/README.md | 2 +- net/stubby/files/stubby.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/stubby/files/README.md b/net/stubby/files/README.md index 9703573ec0..800e9545eb 100644 --- a/net/stubby/files/README.md +++ b/net/stubby/files/README.md @@ -388,7 +388,7 @@ the supplied server certificate #### `list spki` This list specifies the SPKI pinset which is verified against the keys in the -server cerrtificate. The values takes the form `'/value>'`, where +server cerrtificate. The value takes the form `'/value>'`, where the `digest type` is the hashing algorithm used, and the value is the Base64 encoded hash of the public key. At present, only `sha256` is supported for the digest type. diff --git a/net/stubby/files/stubby.yml b/net/stubby/files/stubby.yml index 655352deb2..b935f3169f 100644 --- a/net/stubby/files/stubby.yml +++ b/net/stubby/files/stubby.yml @@ -17,7 +17,7 @@ dns_transport_list: upstream_recursive_servers: - address_data: 2606:4700:4700::1111 tls_auth_name: "cloudflare-dns.com" - - address_data: 2606:4700:4700::1111 + - address_data: 2606:4700:4700::1001 tls_auth_name: "cloudflare-dns.com" - address_data: 1.1.1.1 tls_auth_name: "cloudflare-dns.com" From 3b498844ac7871060ee3fa99cb337a66474ac65b Mon Sep 17 00:00:00 2001 From: "Jonathan G. Underwood" Date: Fri, 10 May 2019 00:26:38 +0100 Subject: [PATCH 2/9] stubby: fix handling of pkis in config (#8888) Signed-off-by: Jonathan G. Underwood --- net/stubby/files/stubby.init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/stubby/files/stubby.init b/net/stubby/files/stubby.init index 4a975e39d5..ff2f0ef3ea 100755 --- a/net/stubby/files/stubby.init +++ b/net/stubby/files/stubby.init 
@@ -136,7 +136,7 @@ generate_config() handle_resolver_spki() { local val="$1" - local digest="${val%/*}" + local digest="${val%%/*}" local value="${val#*/}" if [ "$tls_pubkey_pinset_section" = 0 ]; then From 813d49c69f524cb1148543fdc1b2e1aee1929aa1 Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Fri, 10 May 2019 01:00:48 -0700 Subject: [PATCH 3/9] stubby: Update PKG_RELEASE Signed-off-by: Rosen Penev --- net/stubby/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/stubby/Makefile b/net/stubby/Makefile index afda53ed8c..0303415092 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=stubby PKG_VERSION:=0.2.4 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=COPYING From b1cc26adf2181adf8947c567b168cf34e367f58d Mon Sep 17 00:00:00 2001 From: "Jonathan G. Underwood" Date: Fri, 10 May 2019 19:32:10 +0100 Subject: [PATCH 4/9] getdns: update to version 1.5.2 Signed-off-by: Jonathan G. Underwood --- libs/getdns/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libs/getdns/Makefile b/libs/getdns/Makefile index a7f9576194..40e559ef45 100644 --- a/libs/getdns/Makefile +++ b/libs/getdns/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=getdns -PKG_VERSION:=1.5.0 +PKG_VERSION:=1.5.2 PKG_RELEASE:=1 PKG_LICENSE:=BSD-3-Clause @@ -14,7 +14,7 @@ PKG_MAINTAINER:=Jonathan Underwood PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://getdnsapi.net/dist/ -PKG_HASH:=577182c3ace919ee70cee5629505581a10dc530bd53fe5c241603ea91c84fa84 +PKG_HASH:=1826a6a221ea9e9301f2c1f5d25f6f5588e841f08b967645bf50c53b970694c0 PKG_FIXUP:=autoreconf From 5415cc7b29956d2e48afeae18a88b75c22ed3e97 Mon Sep 17 00:00:00 2001 From: "Jonathan G. Underwood" Date: Fri, 10 May 2019 19:58:48 +0100 Subject: [PATCH 5/9] stubby: update to 0.2.6 
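Review bot: A `list spki` entry with no `/` in it still slips through after this fix — when `val` contains no slash, both `${val%%/*}` and `${val#*/}` expand to the whole string, so a malformed entry is written out as both the digest and the value rather than being rejected. Switching to `%%` is right, since the Base64 part can itself contain `/` and the old `%` form would have split at the last slash, but a guard before the two assignments, `case "$val" in */*) ;; *) return ;; esac` (ideally with a logger call naming the bad entry), would stop a typo from silently producing a pin that cannot match any key. handle_resolver_spki's body continues past the end of the hunk, so I can't tell whether the digest or value is validated further down.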
Signed-off-by: Jonathan G. Underwood --- net/stubby/Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/stubby/Makefile b/net/stubby/Makefile index 0303415092..adc9962301 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=stubby -PKG_VERSION:=0.2.4 -PKG_RELEASE:=2 +PKG_VERSION:=0.2.6 +PKG_RELEASE:=1 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=COPYING @@ -15,8 +15,8 @@ PKG_MAINTAINER:=Jonathan Underwood PKG_SOURCE_PROTO:=git PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://github.com/getdnsapi/$(PKG_NAME) -PKG_SOURCE_VERSION:=58200cadec6371f95e31a7f3735225c5a46ecf75 -PKG_MIRROR_HASH:=28c46f4464cb41cf59264d10da63dc25ece9a1d00b4dfb05a9276594658e5eb9 +PKG_SOURCE_VERSION:=b0d3154af61e1b46a30b56d239dc074273642217 +PKG_MIRROR_HASH:=af896c471ac67b31c2263d11fcdfcdb32a213621c2f8789f4b0a4ceca4437108 PKG_FIXUP:=autoreconf From eec23a91b35b43f45d86136c9d5893592ba6d60b Mon Sep 17 00:00:00 2001 From: "Jonathan G. Underwood" Date: Fri, 10 May 2019 20:22:12 +0100 Subject: [PATCH 6/9] stubby: add support for tls_port resolver config option (#8889) Signed-off-by: Jonathan G. Underwood --- net/stubby/files/README.md | 5 +++++ net/stubby/files/stubby.conf | 4 ++++ net/stubby/files/stubby.init | 5 +++++ 3 files changed, 14 insertions(+) diff --git a/net/stubby/files/README.md b/net/stubby/files/README.md index 800e9545eb..1a1f2a2a3d 100644 --- a/net/stubby/files/README.md +++ b/net/stubby/files/README.md @@ -385,6 +385,11 @@ IPv6 address. This option specifies the upstream domain name used for TLS authentication with the supplied server certificate +#### `option tls_port` + +This option specifies the TLS port for the upstream resolver. If not specified, +this defaults to 853. + #### `list spki` This list specifies the SPKI pinset which is verified against the keys in the 
diff --git a/net/stubby/files/stubby.conf b/net/stubby/files/stubby.conf index a02936da13..69240772b7 100644 --- a/net/stubby/files/stubby.conf +++ b/net/stubby/files/stubby.conf @@ -24,19 +24,23 @@ config stubby 'global' config resolver option address '2606:4700:4700::1111' option tls_auth_name 'cloudflare-dns.com' + # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' config resolver option address '2606:4700:4700::1001' option tls_auth_name 'cloudflare-dns.com' + # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' config resolver option address '1.1.1.1' option tls_auth_name 'cloudflare-dns.com' + # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' config resolver option address '1.0.0.1' option tls_auth_name 'cloudflare-dns.com' + # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' diff --git a/net/stubby/files/stubby.init b/net/stubby/files/stubby.init index ff2f0ef3ea..3bd2e65646 100755 --- a/net/stubby/files/stubby.init +++ b/net/stubby/files/stubby.init @@ -122,6 +122,7 @@ generate_config() local config=$1 local address local tls_auth_name + local tls_port local tls_pubkey_pinset_section=0 if [ "$upstream_recursive_servers_section" = 0 ]; then @@ -130,8 +131,12 @@ generate_config() fi config_get address "$config" address config_get tls_auth_name "$config" tls_auth_name + config_get tls_auth_port "$config" tls_port "" echo " - address_data: $address" >> "$config_file" echo " tls_auth_name: \"$tls_auth_name\"" >> "$config_file" + if [ -n "$tls_port" ]; then + echo " tls_port: $tls_port" >> "$config_file" + fi handle_resolver_spki() { From 28c328d666875ec50e3c43007c7d1c991bbdde25 Mon Sep 17 00:00:00 2001 From: "Jonathan G. Underwood" Date: Fri, 10 May 2019 21:16:05 +0100 Subject: [PATCH 7/9] stubby: add support for TLS configuration options - tls_cipher_list - tls_ciphersuites - tls_min_version - tls_max_version 
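Review bot: The new `config_get tls_auth_port "$config" tls_port ""` stores the option in `tls_auth_port`, but the test that follows reads `$tls_port`, which is only declared `local` and never assigned — so the `tls_port:` entry is never emitted and a non-default port silently falls back to the built-in 853. The variable name should match the one declared and tested: `config_get tls_port "$config" tls_port ""`. As written, the stray `tls_auth_port` is also not declared local and leaks out of generate_config. The rest of generate_config lies outside the hunk.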
Signed-off-by: Jonathan G. Underwood --- net/stubby/files/README.md | 53 ++++++++++++++++++++++++++++++++++- net/stubby/files/stubby.conf | 20 +++++++++++++ net/stubby/files/stubby.init | 54 ++++++++++++++++++++++++++++++++++-- 3 files changed, 124 insertions(+), 3 deletions(-) diff --git a/net/stubby/files/README.md b/net/stubby/files/README.md index 1a1f2a2a3d..bc5344cd80 100644 --- a/net/stubby/files/README.md +++ b/net/stubby/files/README.md @@ -372,7 +372,33 @@ The possible levels are: This option specifies additional command line arguments for stubby daemon. By default, this is an empty string. - + +#### `option tls_cipher_list` + +If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL +1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set +with the `tls_ciphersuites` option. This option can also be given per upstream +resolver. By default, this option is not set. + +#### `option tls_ciphersuites` + +If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL +version 1.1.1 or greater is required for this option. This option can also be +given per upstream resolver. By default, this option is not set. + +#### `option tls_min_version` + +If set, this specifies the minimum acceptable TLS version. Works with OpenSSL +1.1.1 or greater only. This option can also be given per upstream resolver. By +default, this option is not set. + +#### `option tls_max_version` + +If set, this specifies the maximum acceptable TLS version. Works with OpenSSL +1.1.1 or greater only. This option can also be given per upstream resolver. By +default, this option is not set. + + ### `resolver` section options #### `option address` 
@@ -390,6 +416,31 @@ the supplied server certificate This option specifies the TLS port for the upstream resolver. If not specified, this defaults to 853. +#### `option tls_cipher_list` + +If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL +1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set +with the `tls_ciphersuites` option. By default, this option is not set. If set, +this overrides the global value. + +#### `option tls_ciphersuites` + +If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL +version 1.1.1 or greater is required for this option. By default, this option is +not set. If set, this overrides the global value. + +#### `option tls_min_version` + +If set, this specifies the minimum acceptable TLS version. Works with OpenSSL +1.1.1 or greater only. By default, this option is not set. If set, this +overrides the global value. + +#### `option tls_max_version` + +If set, this specifies the maximum acceptable TLS version. Works with OpenSSL +1.1.1 or greater only. By default, this options is not set. If set, this +overrides the global value. + #### `list spki` This list specifies the SPKI pinset which is verified against the keys in the diff --git a/net/stubby/files/stubby.conf b/net/stubby/files/stubby.conf index 69240772b7..f722a43046 100644 --- a/net/stubby/files/stubby.conf +++ b/net/stubby/files/stubby.conf @@ -19,6 +19,10 @@ config stubby 'global' list listen_address '0::1@5453' # option log_level '7' # option command_line_arguments '' + # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' + # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # option tls_min_version '1.2' + # option tls_max_version '1.3' # Upstream resolvers are specified using 'resolver' sections. config resolver 
@@ -26,21 +30,37 @@ config resolver option tls_auth_name 'cloudflare-dns.com' # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' + # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' + # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # option tls_min_version '1.2' + # option tls_max_version '1.3' config resolver option address '2606:4700:4700::1001' option tls_auth_name 'cloudflare-dns.com' # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' + # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' + # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # option tls_min_version '1.2' + # option tls_max_version '1.3' config resolver option address '1.1.1.1' option tls_auth_name 'cloudflare-dns.com' # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' + # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' + # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # option tls_min_version '1.2' + # option tls_max_version '1.3' config resolver option address '1.0.0.1' option tls_auth_name 'cloudflare-dns.com' # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' + # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' + # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # option tls_min_version '1.2' + # option tls_max_version '1.3' diff --git a/net/stubby/files/stubby.init b/net/stubby/files/stubby.init index 3bd2e65646..cf051a1404 100755 --- a/net/stubby/files/stubby.init +++ b/net/stubby/files/stubby.init 
@@ -38,6 +38,10 @@ generate_config() local upstream_recursive_servers_section=0 local command_line_arguments local log_level + local tls_cipher_list + local tls_ciphersuites + local tls_min_version + local tls_max_version # Generate configuration. See: https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example echo "# Autogenerated configuration from uci data" > "$config_file" @@ -93,6 +97,26 @@ generate_config() config_get idle_timeout "global" idle_timeout "10000" echo "idle_timeout: $idle_timeout" >> "$config_file" + config_get tls_cipher_list "global" tls_cipher_list "" + if [ -n "$tls_cipher_list" ]; then + echo "tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file" + fi + + config_get tls_ciphersuites "global" tls_ciphersuites "" + if [ -n "$tls_ciphersuites" ]; then + echo "tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file" + fi + + config_get tls_min_version "global" tls_min_version "" + if [ -n "$tls_min_version" ]; then + echo "tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file" + fi + + config_get tls_max_version "global" tls_max_version "" + if [ -n "$tls_max_version" ]; then + echo "tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file" + fi + handle_listen_address_value() { local value="$1" 
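Review bot: `GETDNS_TLS${tls_min_version/\./_}` only produces a valid getdns constant when the option is written in the bare `1.2` / `1.3` form used by the example config; anything else (`TLS1.2`, `1.2.0`, `tls1_2`) is written into the generated YAML unchanged and, as far as I can tell, only rejected when stubby parses the file at start-up, with nothing pointing back at the UCI option. A guard such as `case "$tls_min_version" in [0-9].[0-9]) ;; *) logger -t stubby "invalid tls_min_version: $tls_min_version"; return 1 ;; esac` before each of the two version lines, or at least stating the accepted form in the README entries, would make the failure obvious; the same applies to `tls_max_version`, and nothing checks that min is not above max. Note also that `${var/pat/repl}` is a bash extension that works here only because OpenWrt's busybox ash is built with bash compatibility, so a one-line comment like `# ${var/\./_} is a bash-ism; relies on busybox ASH_BASH_COMPAT` would warn the next maintainer. generate_config starts before this hunk and continues after it.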
@@ -124,20 +148,46 @@ generate_config() local tls_auth_name local tls_port local tls_pubkey_pinset_section=0 + local tls_cipher_list + local tls_ciphersuites + local tls_min_version + local tls_max_version if [ "$upstream_recursive_servers_section" = 0 ]; then echo "upstream_recursive_servers:" >> "$config_file" upstream_recursive_servers_section=1 fi config_get address "$config" address - config_get tls_auth_name "$config" tls_auth_name - config_get tls_auth_port "$config" tls_port "" echo " - address_data: $address" >> "$config_file" + + config_get tls_auth_name "$config" tls_auth_name echo " tls_auth_name: \"$tls_auth_name\"" >> "$config_file" + + config_get tls_auth_port "$config" tls_port "" if [ -n "$tls_port" ]; then echo " tls_port: $tls_port" >> "$config_file" fi + config_get tls_cipher_list "$config" tls_cipher_list "" + if [ -n "$tls_cipher_list" ]; then + echo " tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file" + fi + + config_get tls_ciphersuites "$config" tls_ciphersuites "" + if [ -n "$tls_ciphersuites" ]; then + echo " tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file" + fi + + config_get tls_min_version "$config" tls_min_version "" + if [ -n "$tls_min_version" ]; then + echo " tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file" + fi + + config_get tls_max_version "$config" tls_max_version "" + if [ -n "$tls_max_version" ]; then + echo " tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file" + fi + handle_resolver_spki() { local val="$1" From f8c8b96e78221c53375b3e827a927a27eae09818 Mon Sep 17 00:00:00 2001 From: "Jonathan G. Underwood" Date: Fri, 10 May 2019 21:19:09 +0100 Subject: [PATCH 8/9] stubby: remove PKG_SOURCE from Makefile Signed-off-by: Jonathan G. Underwood --- net/stubby/Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/net/stubby/Makefile b/net/stubby/Makefile index adc9962301..9491896f12 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile 
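Review bot: The moved `config_get tls_auth_port "$config" tls_port ""` line still assigns to `tls_auth_port` while the `if [ -n "$tls_port" ]` test beneath it reads `tls_port`, so the per-resolver port is still never written even after this reshuffle; since it is a `+` line here, this hunk is the natural place to correct it to `config_get tls_port "$config" tls_port ""`. The four per-resolver TLS blocks are a verbatim copy of the four global ones added earlier in the same patch, differing only in the leading indent; a small helper taking the section name and the indent prefix would keep the two copies from drifting apart, though that is a style point. The enclosing function continues beyond the hunk (handle_resolver_spki opens on its last line).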
@@ -13,7 +13,6 @@ PKG_LICENSE_FILES:=COPYING PKG_MAINTAINER:=Jonathan Underwood PKG_SOURCE_PROTO:=git -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://github.com/getdnsapi/$(PKG_NAME) PKG_SOURCE_VERSION:=b0d3154af61e1b46a30b56d239dc074273642217 PKG_MIRROR_HASH:=af896c471ac67b31c2263d11fcdfcdb32a213621c2f8789f4b0a4ceca4437108 From 09e18eef726d6f0d96851451d815242a73323451 Mon Sep 17 00:00:00 2001 From: "Jonathan G. Underwood" Date: Fri, 10 May 2019 21:50:58 +0100 Subject: [PATCH 9/9] stubby: set PKG_SOURCE_VERSION using PKG_VERSION Signed-off-by: Jonathan G. Underwood --- net/stubby/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/stubby/Makefile b/net/stubby/Makefile index 9491896f12..20e60ad6ca 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile @@ -14,7 +14,7 @@ PKG_MAINTAINER:=Jonathan Underwood PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/getdnsapi/$(PKG_NAME) -PKG_SOURCE_VERSION:=b0d3154af61e1b46a30b56d239dc074273642217 +PKG_SOURCE_VERSION:=v$(PKG_VERSION) PKG_MIRROR_HASH:=af896c471ac67b31c2263d11fcdfcdb32a213621c2f8789f4b0a4ceca4437108 PKG_FIXUP:=autoreconf
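Review bot: `PKG_SOURCE_VERSION:=v$(PKG_VERSION)` switches the checkout from an immutable commit id to a tag, and tags can be moved upstream, so the only thing that still pins the exact source tree is `PKG_MIRROR_HASH`, which I believe OpenWrt verifies against the tarball produced from the git checkout — if that check is ever relaxed, the build would follow whatever the tag points at. Since the hash was left unchanged, it is worth confirming that `v0.2.6` resolves to the previously pinned b0d3154af61e1b46a30b56d239dc074273642217, and adding a comment beside the variable, e.g. `# tag v$(PKG_VERSION); PKG_MIRROR_HASH pins the exact tree — update both together`, so the next version bump does not update one without the other.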