authorRosen Penev <rosenp@gmail.com>2019-05-11 12:04:07 -0700
committerGitHub <noreply@github.com>2019-05-11 12:04:07 -0700
commit9d85d1b4a83f994816e2722541b3054bc5237989 (patch)
tree0b6a40ae4e43f1c6289688968985787686eafbe8 /net
parentfba228705fee7f5bc4bed61346ecefaf87bfe2f2 (diff)
parent53a4edf7d3097a82d588fbf27e5a54fee01793b0 (diff)
Merge pull request #8947 from jonathanunderwood/stubby-0.2.6
stubby: update to 0.2.6
Diffstat (limited to 'net')
-rw-r--r--net/stubby/Makefile9
-rw-r--r--net/stubby/files/README.md58
-rw-r--r--net/stubby/files/stubby.conf24
-rwxr-xr-xnet/stubby/files/stubby.init57
4 files changed, 141 insertions, 7 deletions
diff --git a/net/stubby/Makefile b/net/stubby/Makefile
index 030341509..20e60ad6c 100644
--- a/net/stubby/Makefile
+++ b/net/stubby/Makefile
@@ -5,18 +5,17 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=stubby
-PKG_VERSION:=0.2.4
-PKG_RELEASE:=2
+PKG_VERSION:=0.2.6
+PKG_RELEASE:=1
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=COPYING
PKG_MAINTAINER:=Jonathan Underwood <jonathan.underwood@gmail.com>
PKG_SOURCE_PROTO:=git
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://github.com/getdnsapi/$(PKG_NAME)
-PKG_SOURCE_VERSION:=58200cadec6371f95e31a7f3735225c5a46ecf75
-PKG_MIRROR_HASH:=28c46f4464cb41cf59264d10da63dc25ece9a1d00b4dfb05a9276594658e5eb9
+PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_MIRROR_HASH:=af896c471ac67b31c2263d11fcdfcdb32a213621c2f8789f4b0a4ceca4437108
PKG_FIXUP:=autoreconf
diff --git a/net/stubby/files/README.md b/net/stubby/files/README.md
index 800e9545e..bc5344cd8 100644
--- a/net/stubby/files/README.md
+++ b/net/stubby/files/README.md
@@ -372,7 +372,33 @@ The possible levels are:
This option specifies additional command line arguments for
stubby daemon. By default, this is an empty string.
-
+
+#### `option tls_cipher_list`
+
+If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL
+1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set
+with the `tls_ciphersuites` option. This option can also be given per upstream
+resolver. By default, this option is not set.
+
+#### `option tls_ciphersuites`
+
+If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL
+version 1.1.1 or greater is required for this option. This option can also be
+given per upstream resolver. By default, this option is not set.
+
+#### `option tls_min_version`
+
+If set, this specifies the minimum acceptable TLS version. Works with OpenSSL
+1.1.1 or greater only. This option can also be given per upstream resolver. By
+default, this option is not set.
+
+#### `option tls_max_version`
+
+If set, this specifies the maximum acceptable TLS version. Works with OpenSSL
+1.1.1 or greater only. This option can also be given per upstream resolver. By
+default, this option is not set.
+
+
### `resolver` section options
#### `option address`
@@ -385,6 +411,36 @@ IPv6 address.
This option specifies the upstream domain name used for TLS authentication with
the supplied server certificate
+#### `option tls_port`
+
+This option specifies the TLS port for the upstream resolver. If not specified,
+this defaults to 853.
+
+#### `option tls_cipher_list`
+
+If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL
+1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set
+with the `tls_ciphersuites` option. By default, this option is not set. If set,
+this overrides the global value.
+
+#### `option tls_ciphersuites`
+
+If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL
+version 1.1.1 or greater is required for this option. By default, this option is
+not set. If set, this overrides the global value.
+
+#### `option tls_min_version`
+
+If set, this specifies the minimum acceptable TLS version. Works with OpenSSL
+1.1.1 or greater only. By default, this option is not set. If set, this
+overrides the global value.
+
+#### `option tls_max_version`
+
+If set, this specifies the maximum acceptable TLS version. Works with OpenSSL
+1.1.1 or greater only. By default, this options is not set. If set, this
+overrides the global value.
+
#### `list spki`
This list specifies the SPKI pinset which is verified against the keys in the
diff --git a/net/stubby/files/stubby.conf b/net/stubby/files/stubby.conf
index a02936da1..f722a4304 100644
--- a/net/stubby/files/stubby.conf
+++ b/net/stubby/files/stubby.conf
@@ -19,24 +19,48 @@ config stubby 'global'
list listen_address '0::1@5453'
# option log_level '7'
# option command_line_arguments ''
+ # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
+ # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
+ # option tls_min_version '1.2'
+ # option tls_max_version '1.3'
# Upstream resolvers are specified using 'resolver' sections.
config resolver
option address '2606:4700:4700::1111'
option tls_auth_name 'cloudflare-dns.com'
+ # option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
+ # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
+ # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
+ # option tls_min_version '1.2'
+ # option tls_max_version '1.3'
config resolver
option address '2606:4700:4700::1001'
option tls_auth_name 'cloudflare-dns.com'
+ # option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
+ # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
+ # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
+ # option tls_min_version '1.2'
+ # option tls_max_version '1.3'
config resolver
option address '1.1.1.1'
option tls_auth_name 'cloudflare-dns.com'
+ # option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
+ # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
+ # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
+ # option tls_min_version '1.2'
+ # option tls_max_version '1.3'
config resolver
option address '1.0.0.1'
option tls_auth_name 'cloudflare-dns.com'
+ # option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
+ # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
+ # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
+ # option tls_min_version '1.2'
+ # option tls_max_version '1.3'
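Review bot: The four new `# option tls_port 853` example lines are the only option values in this file written without quotes; every other value in the same sections, including the new `tls_min_version '1.2'` and `tls_max_version '1.3'`, is single-quoted. For consistency with the rest of the file write `# option tls_port '853'` in each resolver section. This is a style point only; uci should accept both forms once the line is uncommented.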
diff --git a/net/stubby/files/stubby.init b/net/stubby/files/stubby.init
index ff2f0ef3e..cf051a140 100755
--- a/net/stubby/files/stubby.init
+++ b/net/stubby/files/stubby.init
@@ -38,6 +38,10 @@ generate_config()
local upstream_recursive_servers_section=0
local command_line_arguments
local log_level
+ local tls_cipher_list
+ local tls_ciphersuites
+ local tls_min_version
+ local tls_max_version
# Generate configuration. See: https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example
echo "# Autogenerated configuration from uci data" > "$config_file"
@@ -93,6 +97,26 @@ generate_config()
config_get idle_timeout "global" idle_timeout "10000"
echo "idle_timeout: $idle_timeout" >> "$config_file"
+ config_get tls_cipher_list "global" tls_cipher_list ""
+ if [ -n "$tls_cipher_list" ]; then
+ echo "tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file"
+ fi
+
+ config_get tls_ciphersuites "global" tls_ciphersuites ""
+ if [ -n "$tls_ciphersuites" ]; then
+ echo "tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file"
+ fi
+
+ config_get tls_min_version "global" tls_min_version ""
+ if [ -n "$tls_min_version" ]; then
+ echo "tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file"
+ fi
+
+ config_get tls_max_version "global" tls_max_version ""
+ if [ -n "$tls_max_version" ]; then
+ echo "tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file"
+ fi
+
handle_listen_address_value()
{
local value="$1"
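Review bot: The version mapping `echo "tls_min_version: GETDNS_TLS${tls_min_version/\./_}"` (and its `tls_max_version` twin) passes any uci string straight into the generated config, so a typo such as `12` or `1,2` produces a constant name that stubby will presumably reject at startup with nothing in the init script pointing at the cause; the same mapping recurs in the per-resolver hunk below. A comment on the expected input form would help the next maintainer, e.g. `# uci value '1.2' -> GETDNS_TLS1_2: dots become underscores to form the getdns constant name`. The `${var/pattern/repl}` substitution is a bash extension rather than POSIX sh; it likely works because OpenWrt's busybox ash is built with bash compatibility, but that depends on the shebang, which is outside the hunk. generate_config() starts and ends outside the hunk.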
@@ -122,17 +146,48 @@ generate_config()
local config=$1
local address
local tls_auth_name
+ local tls_port
local tls_pubkey_pinset_section=0
+ local tls_cipher_list
+ local tls_ciphersuites
+ local tls_min_version
+ local tls_max_version
if [ "$upstream_recursive_servers_section" = 0 ]; then
echo "upstream_recursive_servers:" >> "$config_file"
upstream_recursive_servers_section=1
fi
config_get address "$config" address
- config_get tls_auth_name "$config" tls_auth_name
echo " - address_data: $address" >> "$config_file"
+
+ config_get tls_auth_name "$config" tls_auth_name
echo " tls_auth_name: \"$tls_auth_name\"" >> "$config_file"
+ config_get tls_auth_port "$config" tls_port ""
+ if [ -n "$tls_port" ]; then
+ echo " tls_port: $tls_port" >> "$config_file"
+ fi
+
+ config_get tls_cipher_list "$config" tls_cipher_list ""
+ if [ -n "$tls_cipher_list" ]; then
+ echo " tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file"
+ fi
+
+ config_get tls_ciphersuites "$config" tls_ciphersuites ""
+ if [ -n "$tls_ciphersuites" ]; then
+ echo " tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file"
+ fi
+
+ config_get tls_min_version "$config" tls_min_version ""
+ if [ -n "$tls_min_version" ]; then
+ echo " tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file"
+ fi
+
+ config_get tls_max_version "$config" tls_max_version ""
+ if [ -n "$tls_max_version" ]; then
+ echo " tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file"
+ fi
+
handle_resolver_spki()
{
local val="$1"
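Review bot: The per-resolver `tls_port` is never emitted: `config_get tls_auth_port "$config" tls_port ""` stores the uci value in `tls_auth_port`, while the test on the next line reads `$tls_port`, which stays empty, so the `tls_port:` line is never written to the config file; `tls_auth_port` is also assigned without a `local` declaration and leaks out of the function. The line should read `config_get tls_port "$config" tls_port ""`. A quick check after applying the fix is to set `option tls_port '853'` on one resolver and confirm the generated file contains `tls_port: 853` under that entry. The enclosing resolver handler starts and ends outside the hunk.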