Add dns/dnscrypt-proxy2: Flexible DNS proxy with support for encrypted protocols

A flexible DNS proxy, with support for modern encrypted DNS protocols such as
DNSCrypt v2 and DNS-over-HTTP/2.

WWW: https://github.com/jedisct1/dnscrypt-proxy

Without a repocopy because it's a new port, rewritten from scratch.

PR:		225821
Submitted by:	Vinícius Zavam <egypcio@googlemail.com>
Differential Revision:	https://reviews.freebsd.org/D14319

8 files changed, 156 insertions, 1 deletions

diff --git a/dns/Makefile b/dns/Makefile
index fce194f16234..fa99ca5364c1 100644
--- a/dns/Makefile
+++ b/dns/Makefile
@@ -37,6 +37,7 @@
     SUBDIR += dnscheck
     SUBDIR += dnscheckengine
     SUBDIR += dnscrypt-proxy
+    SUBDIR += dnscrypt-proxy2
     SUBDIR += dnscrypt-wrapper
     SUBDIR += dnsdbck
     SUBDIR += dnsdbq
diff --git a/dns/dnscrypt-proxy/Makefile b/dns/dnscrypt-proxy/Makefile
index 7ef8ebbaaad4..9f0161baa492 100644
--- a/dns/dnscrypt-proxy/Makefile
+++ b/dns/dnscrypt-proxy/Makefile
@@ -13,20 +13,25 @@ COMMENT=	Boost privacy and security of DNS
 LICENSE=	MIT
 LICENSE_FILE=	${WRKSRC}/COPYING
 
+DEPRECATED=		Deprecated by upstream, use dns/dnscrypt-proxy2 instead
+EXPIRATION_DATE=	2018-09-25
 BROKEN_powerpc64=	fails to compile: fpst.c: error: redefinition of typedef 'FPST'
 
 LIB_DEPENDS=	libsodium.so:security/libsodium
 
+USES=		gmake
+
 USERS=		_dnscrypt-proxy
 GROUPS=		_dnscrypt-proxy
 
 GNU_CONFIGURE=	yes
-USES=		gmake
 
 INSTALL_TARGET=	install-strip
 
 PORTDOCS=	AUTHORS ChangeLog INSTALL NEWS README* THANKS
 
+CONFLICTS_INSTALL=	dnscrypt-proxy2
+
 OPTIONS_DEFINE=	DOCS PLUGINS PLUGINS_RELAXED PLUGINS_ROOT
 OPTIONS_SINGLE=	RCWHICH
 OPTIONS_SINGLE_RCWHICH=	RCSINGLE RCMULTI
diff --git a/dns/dnscrypt-proxy2/Makefile b/dns/dnscrypt-proxy2/Makefile
new file mode 100644
index 000000000000..8b6197a41f78
--- /dev/null
+++ b/dns/dnscrypt-proxy2/Makefile
@@ -0,0 +1,57 @@
+# $FreeBSD$
+
+PORTNAME=	dnscrypt-proxy
+PORTVERSION=	2.0.7
+CATEGORIES=	dns security
+PKGNAMESUFFIX=	2
+
+MAINTAINER=	egypcio@googlemail.com
+COMMENT=	Flexible DNS proxy with support for encrypted protocols
+
+LICENSE=	ISCL
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+BUILD_DEPENDS=	go:lang/go
+RUN_DEPENDS=	ca_root_nss>=3.35:security/ca_root_nss
+
+USE_RC_SUBR=	${PORTNAME}
+
+USE_GITHUB=	yes
+GH_ACCOUNT=	jedisct1
+
+USERS=		_dnscrypt-proxy
+GROUPS=		_dnscrypt-proxy
+
+PORTDOCS=	${WRKSRC}/README.*
+PORTEXAMPLES=	${WRKSRC}/${PORTNAME}/example*
+
+CONFLICTS_INSTALL=	dnscrypt-proxy
+
+OPTIONS_DEFINE=	DOCS EXAMPLES
+
+do-build:
+	${RLN} ${WRKSRC}/vendor ${WRKSRC}/src
+	cd ${WRKSRC}/${PORTNAME} && \
+		${SETENV} ${MAKE_ENV} ${BUILD_ENV} GOPATH=${WRKSRC} \
+		go build -ldflags "-s -w" -o ${WRKDIR}/sbin/${PORTNAME}
+
+do-install:
+	${INSTALL_PROGRAM} ${WRKDIR}/sbin/${PORTNAME} ${STAGEDIR}${LOCALBASE}/sbin
+
+do-install-DOCS-on:
+	${MKDIR} ${STAGEDIR}${DOCSDIR}
+	${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
+
+do-install-EXAMPLES-on:
+	${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
+	${INSTALL_DATA} ${PORTEXAMPLES} ${STAGEDIR}${EXAMPLESDIR}
+
+post-install:
+	# After install examples because of the priv drop issue with Go
+	@${REINPLACE_CMD} -e \
+		"s#\['127.0.0.1:53', '\[::1\]:53'\]#\['127.0.0.1:5353'\]#" \
+		${WRKSRC}/${PORTNAME}/example-${PORTNAME}.toml
+	${INSTALL_DATA} ${WRKSRC}/${PORTNAME}/example-${PORTNAME}.toml \
+		${STAGEDIR}${LOCALBASE}/etc/${PORTNAME}.toml.sample
+
+.include <bsd.port.mk>
diff --git a/dns/dnscrypt-proxy2/distinfo b/dns/dnscrypt-proxy2/distinfo
new file mode 100644
index 000000000000..e1ac3f421967
--- /dev/null
+++ b/dns/dnscrypt-proxy2/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1521930002
+SHA256 (jedisct1-dnscrypt-proxy-2.0.7_GH0.tar.gz) = 7278f592217e89e3650d6b70dbd7103cb1a7c7d87bfc38c361664d522e053b5b
+SIZE (jedisct1-dnscrypt-proxy-2.0.7_GH0.tar.gz) = 746018
diff --git a/dns/dnscrypt-proxy2/files/dnscrypt-proxy.in b/dns/dnscrypt-proxy2/files/dnscrypt-proxy.in
new file mode 100644
index 000000000000..7a7f42dd5adf
--- /dev/null
+++ b/dns/dnscrypt-proxy2/files/dnscrypt-proxy.in
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+# PROVIDE: dnscrypt_proxy
+# REQUIRE: cleanvar SERVERS
+# BEFORE:  dnsmasq local_unbound unbound named
+#
+# These are some lines to configure dnscrypt-proxy on /etc/rc.conf:
+#
+# dnscrypt_proxy_enable	(bool):	Enable service on boot.	Default: NO
+# dnscrypt_proxy_conf	(str):	Config file to use.	Default: %%PREFIX%%/etc/dnscrypt-proxy.toml
+# dnscrypt_proxy_uid	(str):	Set to "_dnscrypt-proxy" by default.
+#
+
+. /etc/rc.subr
+
+name="dnscrypt_proxy"
+rcvar="dnscrypt_proxy_enable"
+pidfile="/var/run/dnscrypt-proxy.pid"
+procname="%%PREFIX%%/sbin/dnscrypt-proxy"
+
+load_rc_config $name
+
+: ${dnscrypt_proxy_enable:=NO}
+: ${dnscrypt_proxy_conf:=%%PREFIX%%/etc/dnscrypt-proxy.toml}
+: ${dnscrypt_proxy_uid:=_dnscrypt-proxy}
+
+command="/usr/sbin/daemon"
+command_args="-p ${pidfile} -u ${dnscrypt_proxy_uid} -f ${procname} -config ${dnscrypt_proxy_conf}"
+
+run_rc_command "$1"
diff --git a/dns/dnscrypt-proxy2/pkg-descr b/dns/dnscrypt-proxy2/pkg-descr
new file mode 100644
index 000000000000..67f163267560
--- /dev/null
+++ b/dns/dnscrypt-proxy2/pkg-descr
@@ -0,0 +1,4 @@
+A flexible DNS proxy, with support for modern encrypted DNS protocols such as 
+DNSCrypt v2 and DNS-over-HTTP/2.
+
+WWW: https://github.com/jedisct1/dnscrypt-proxy
diff --git a/dns/dnscrypt-proxy2/pkg-message b/dns/dnscrypt-proxy2/pkg-message
new file mode 100644
index 000000000000..100965fbac53
--- /dev/null
+++ b/dns/dnscrypt-proxy2/pkg-message
@@ -0,0 +1,46 @@
+=====================================================================
+Version 2 of dnscrypt-proxy is written in Go and in FreeBSD it's
+not capable to drop root privileges after binding a low port (53),
+Go issue [1][2].
+
+For default dnscrypt-proxy2 is listening in port 5353 using username
+_dnscrypt-proxy.
+
+You can change your rc.conf/config to use port 53 and root but it's
+not recommended.
+
+It's needed some tweaks to use dnscrypt-proxy2 on port 5353 on your
+machine, some examples below to redirect localhost port 53 to 5353:
+
+[ipfw]
+
+  ipfw nat 1 config if lo0 reset same_ports \
+    redirect_port tcp 127.0.0.1:5353 53 \
+    redirect_port udp 127.0.0.1:5353 53
+  ipfw add nat 1 ip from any to 127.0.0.1 via lo0
+
+  /etc/rc.conf:
+    firewall_nat_enable="YES"
+
+  /etc/sysctl.conf:
+    net.inet.ip.fw.one_pass=0
+
+[pf]
+
+  rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353
+
+[unbound]
+
+  server:
+    interface: 127.0.0.1
+    do-not-query-localhost: no
+    hide-identity: yes
+    hide-version: yes
+
+  forward-zone:
+    name: "."
+    forward-addr: 127.0.0.1@5353
+
+[1] - https://github.com/jedisct1/dnscrypt-proxy/issues/199
+[2] - https://github.com/golang/go/issues/13838
+=====================================================================
diff --git a/dns/dnscrypt-proxy2/pkg-plist b/dns/dnscrypt-proxy2/pkg-plist
new file mode 100644
index 000000000000..985ee7f289bc
--- /dev/null
+++ b/dns/dnscrypt-proxy2/pkg-plist
@@ -0,0 +1,7 @@
+@sample etc/dnscrypt-proxy.toml.sample
+%%PORTDOCS%%%%DOCSDIR%%/README.md
+%%PORTEXAMPLES%%%%EXAMPLESDIR%%/example-blacklist.txt
+%%PORTEXAMPLES%%%%EXAMPLESDIR%%/example-cloaking-rules.txt
+%%PORTEXAMPLES%%%%EXAMPLESDIR%%/example-dnscrypt-proxy.toml
+%%PORTEXAMPLES%%%%EXAMPLESDIR%%/example-forwarding-rules.txt
+sbin/dnscrypt-proxy