
Initial public release.

commit 248796fb1e90ca537494f5ad8efa6652d96a3212 0 parents
Frank Denis jedisct1 authored
Showing with 22,437 additions and 0 deletions.
  1. +42 −0 .gitignore
  2. 0  AUTHORS
  3. +33 −0 COPYING
  4. 0  ChangeLog
  5. +12 −0 Makefile.am
  6. 0  NEWS
  7. +1 −0  README
  8. +169 −0 README.markdown
  9. +6 −0 autogen.sh
  10. +265 −0 configure.ac
  11. +72 −0 m4/ax_check_compile_flag.m4
  12. +78 −0 m4/ax_check_gnu_make.m4
  13. +71 −0 m4/ax_check_link_flag.m4
  14. +302 −0 m4/ax_pthread.m4
  15. +9 −0 man/Makefile.am
  16. +96 −0 man/dnscrypt-proxy.8
  17. +88 −0 man/dnscrypt-proxy.8.markdown
  18. +37 −0 packages/FreeBSD/dns/dnscrypt-proxy/Makefile
  19. +2 −0  packages/FreeBSD/dns/dnscrypt-proxy/distinfo
  20. +27 −0 packages/FreeBSD/dns/dnscrypt-proxy/files/dnscrypt-proxy.sh.in
  21. +17 −0 packages/FreeBSD/dns/dnscrypt-proxy/pkg-descr
  22. +10 −0 packages/FreeBSD/dns/dnscrypt-proxy/pkg-message
  23. +25 −0 packages/OpenBSD/net/dnscrypt-proxy/Makefile
  24. +5 −0 packages/OpenBSD/net/dnscrypt-proxy/distinfo
  25. +17 −0 packages/OpenBSD/net/dnscrypt-proxy/pkg/DESCR
  26. +10 −0 packages/OpenBSD/net/dnscrypt-proxy/pkg/MESSAGE
  27. +7 −0 packages/OpenBSD/net/dnscrypt-proxy/pkg/PLIST
  28. +12 −0 packages/OpenBSD/net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc
  29. +15 −0 packages/fpm/fpm.sh
  30. +17 −0 packages/pkgsrc/net/dnscrypt-proxy/DESCR
  31. +10 −0 packages/pkgsrc/net/dnscrypt-proxy/MESSAGE
  32. +30 −0 packages/pkgsrc/net/dnscrypt-proxy/Makefile
  33. +6 −0 packages/pkgsrc/net/dnscrypt-proxy/PLIST
  34. +5 −0 packages/pkgsrc/net/dnscrypt-proxy/distinfo
  35. +16 −0 packages/pkgsrc/net/dnscrypt-proxy/files/dnscrypt_proxy.sh
  36. +5 −0 src/Makefile.am
  37. +75 −0 src/dnscrypt-proxy/Makefile.am
  38. +302 −0 src/dnscrypt-proxy/alt_arc4random.c
  39. +28 −0 src/dnscrypt-proxy/alt_arc4random.h
  40. +166 −0 src/dnscrypt-proxy/app.c
  41. +9 −0 src/dnscrypt-proxy/app.h
  42. +322 −0 src/dnscrypt-proxy/cert.c
  43. +25 −0 src/dnscrypt-proxy/cert.h
  44. +34 −0 src/dnscrypt-proxy/cert_p.h
  45. +177 −0 src/dnscrypt-proxy/dnscrypt.c
  46. +35 −0 src/dnscrypt-proxy/dnscrypt.h
  47. +203 −0 src/dnscrypt-proxy/dnscrypt_client.c
  48. +44 −0 src/dnscrypt-proxy/dnscrypt_client.h
  49. +94 −0 src/dnscrypt-proxy/dnscrypt_proxy.h
  50. +142 −0 src/dnscrypt-proxy/edns.c
  51. +18 −0 src/dnscrypt-proxy/edns.h
  52. +129 −0 src/dnscrypt-proxy/logger.c
  53. +43 −0 src/dnscrypt-proxy/logger.h
  54. +271 −0 src/dnscrypt-proxy/options.c
  55. +10 −0 src/dnscrypt-proxy/options.h
  56. +13 −0 src/dnscrypt-proxy/pathnames.h
  57. +154 −0 src/dnscrypt-proxy/pid_file.c
  58. +8 −0 src/dnscrypt-proxy/pid_file.h
  59. +43 −0 src/dnscrypt-proxy/probes_dnscrypt_proxy.d
  60. +130 −0 src/dnscrypt-proxy/probes_no_dtrace.h
  61. +72 −0 src/dnscrypt-proxy/safe_rw.c
  62. +15 −0 src/dnscrypt-proxy/safe_rw.h
  63. +143 −0 src/dnscrypt-proxy/stack_trace.c
  64. +8 −0 src/dnscrypt-proxy/stack_trace.h
  65. +490 −0 src/dnscrypt-proxy/tcp_request.c
  66. +17 −0 src/dnscrypt-proxy/tcp_request.h
  67. +44 −0 src/dnscrypt-proxy/tcp_request_p.h
  68. +407 −0 src/dnscrypt-proxy/udp_request.c
  69. +15 −0 src/dnscrypt-proxy/udp_request.h
  70. +36 −0 src/dnscrypt-proxy/udp_request_p.h
  71. +78 −0 src/dnscrypt-proxy/utils.c
  72. +8 −0 src/dnscrypt-proxy/utils.h
  73. +49 −0 src/dnscrypt-proxy/uv_alloc.c
  74. +18 −0 src/dnscrypt-proxy/uv_alloc.h
  75. +56 −0 src/libnacl/MACROS
  76. +44 −0 src/libnacl/Makefile.in
  77. +11 −0 src/libnacl/OPERATIONS
  78. +26 −0 src/libnacl/PROTOTYPES.c
  79. +17 −0 src/libnacl/PROTOTYPES.cpp
  80. +64 −0 src/libnacl/commandline/nacl-sha256.c
  81. +64 −0 src/libnacl/commandline/nacl-sha512.c
  82. +80 −0 src/libnacl/cpucycles/alpha.c
  83. +27 −0 src/libnacl/cpucycles/alpha.h
  84. +16 −0 src/libnacl/cpucycles/amd64cpuinfo.c
  85. +27 −0 src/libnacl/cpucycles/amd64cpuinfo.h
  86. +25 −0 src/libnacl/cpucycles/amd64cpuspeed.c
  87. +27 −0 src/libnacl/cpucycles/amd64cpuspeed.h
  88. +18 −0 src/libnacl/cpucycles/amd64tscfreq.c
  89. +27 −0 src/libnacl/cpucycles/amd64tscfreq.h
  90. +83 −0 src/libnacl/cpucycles/celllinux.c
  91. +27 −0 src/libnacl/cpucycles/celllinux.h
  92. +73 −0 src/libnacl/cpucycles/cortex.c
  93. +27 −0 src/libnacl/cpucycles/cortex.h
  94. +62 −0 src/libnacl/cpucycles/dev4ns.c
  95. +27 −0 src/libnacl/cpucycles/dev4ns.h
  96. +105 −0 src/libnacl/cpucycles/do
  97. +32 −0 src/libnacl/cpucycles/gettimeofday.c
  98. +27 −0 src/libnacl/cpucycles/gettimeofday.h
  99. +26 −0 src/libnacl/cpucycles/hppapstat.c
  100. +27 −0 src/libnacl/cpucycles/hppapstat.h
  101. +15 −0 src/libnacl/cpucycles/ia64cpuinfo.c
  102. +27 −0 src/libnacl/cpucycles/ia64cpuinfo.h
  103. +65 −0 src/libnacl/cpucycles/mips.c
  104. +27 −0 src/libnacl/cpucycles/mips.h
  105. +34 −0 src/libnacl/cpucycles/monotonic.c
  106. +27 −0 src/libnacl/cpucycles/monotonic.h
  107. +33 −0 src/libnacl/cpucycles/monotoniccpuinfo.c
  108. +27 −0 src/libnacl/cpucycles/monotoniccpuinfo.h
  109. +65 −0 src/libnacl/cpucycles/osfreq.c
  110. +95 −0 src/libnacl/cpucycles/powerpccpuinfo.c
  111. +27 −0 src/libnacl/cpucycles/powerpccpuinfo.h
  112. +42 −0 src/libnacl/cpucycles/powerpcmacos.c
  113. +27 −0 src/libnacl/cpucycles/powerpcmacos.h
  114. +38 −0 src/libnacl/cpucycles/sgi.c
  115. +27 −0 src/libnacl/cpucycles/sgi.h
  116. +16 −0 src/libnacl/cpucycles/sparc32cpuinfo.c
  117. +27 −0 src/libnacl/cpucycles/sparc32cpuinfo.h
  118. +15 −0 src/libnacl/cpucycles/sparccpuinfo.c
  119. +27 −0 src/libnacl/cpucycles/sparccpuinfo.h
  120. +77 −0 src/libnacl/cpucycles/test.c
  121. +15 −0 src/libnacl/cpucycles/x86cpuinfo.c
  122. +27 −0 src/libnacl/cpucycles/x86cpuinfo.h
  123. +24 −0 src/libnacl/cpucycles/x86cpuspeed.c
  124. +27 −0 src/libnacl/cpucycles/x86cpuspeed.h
  125. +59 −0 src/libnacl/cpucycles/x86estimate.c
  126. +27 −0 src/libnacl/cpucycles/x86estimate.h
  127. +17 −0 src/libnacl/cpucycles/x86tscfreq.c
  128. +27 −0 src/libnacl/cpucycles/x86tscfreq.h
  129. +16 −0 src/libnacl/cpuid/cbytes.c
  130. +41 −0 src/libnacl/cpuid/cpuid.c
  131. +37 −0 src/libnacl/cpuid/do
  132. +7 −0 src/libnacl/cpuid/unknown.c
  133. +41 −0 src/libnacl/cpuid/x86.c
  134. +1 −0  src/libnacl/crypto_auth/hmacsha256/checksum
  135. +2 −0  src/libnacl/crypto_auth/hmacsha256/ref/api.h
  136. +83 −0 src/libnacl/crypto_auth/hmacsha256/ref/hmac.c
  137. +9 −0 src/libnacl/crypto_auth/hmacsha256/ref/verify.c
  138. 0  src/libnacl/crypto_auth/hmacsha256/used
  139. +1 −0  src/libnacl/crypto_auth/hmacsha512256/checksum
  140. +2 −0  src/libnacl/crypto_auth/hmacsha512256/ref/api.h
  141. +86 −0 src/libnacl/crypto_auth/hmacsha512256/ref/hmac.c
  142. +9 −0 src/libnacl/crypto_auth/hmacsha512256/ref/verify.c
  143. 0  src/libnacl/crypto_auth/hmacsha512256/selected
  144. 0  src/libnacl/crypto_auth/hmacsha512256/used
  145. +69 −0 src/libnacl/crypto_auth/measure.c
  146. +119 −0 src/libnacl/crypto_auth/try.c
  147. +11 −0 src/libnacl/crypto_auth/wrapper-auth.cpp
  148. +14 −0 src/libnacl/crypto_auth/wrapper-verify.cpp
  149. +1 −0  src/libnacl/crypto_box/curve25519xsalsa20poly1305/checksum
  150. +22 −0 src/libnacl/crypto_box/curve25519xsalsa20poly1305/ref/after.c
  151. +6 −0 src/libnacl/crypto_box/curve25519xsalsa20poly1305/ref/api.h
  152. +17 −0 src/libnacl/crypto_box/curve25519xsalsa20poly1305/ref/before.c
  153. +27 −0 src/libnacl/crypto_box/curve25519xsalsa20poly1305/ref/box.c
  154. +12 −0 src/libnacl/crypto_box/curve25519xsalsa20poly1305/ref/keypair.c
  155. 0  src/libnacl/crypto_box/curve25519xsalsa20poly1305/selected
  156. 0  src/libnacl/crypto_box/curve25519xsalsa20poly1305/used
  157. +137 −0 src/libnacl/crypto_box/measure.c
  158. +195 −0 src/libnacl/crypto_box/try.c
  159. +24 −0 src/libnacl/crypto_box/wrapper-box.cpp
  160. +12 −0 src/libnacl/crypto_box/wrapper-keypair.cpp
  161. +27 −0 src/libnacl/crypto_box/wrapper-open.cpp
  162. +1 −0  src/libnacl/crypto_core/hsalsa20/checksum
  163. +4 −0 src/libnacl/crypto_core/hsalsa20/ref/api.h
  164. +135 −0 src/libnacl/crypto_core/hsalsa20/ref/core.c
  165. +1 −0  src/libnacl/crypto_core/hsalsa20/ref/implementors
  166. +4 −0 src/libnacl/crypto_core/hsalsa20/ref2/api.h
  167. +108 −0 src/libnacl/crypto_core/hsalsa20/ref2/core.c
  168. +1 −0  src/libnacl/crypto_core/hsalsa20/ref2/implementors
  169. 0  src/libnacl/crypto_core/hsalsa20/used
  170. +18 −0 src/libnacl/crypto_core/measure.c
  171. +1 −0  src/libnacl/crypto_core/salsa20/checksum
  172. +4 −0 src/libnacl/crypto_core/salsa20/ref/api.h
  173. +134 −0 src/libnacl/crypto_core/salsa20/ref/core.c
  174. +1 −0  src/libnacl/crypto_core/salsa20/ref/implementors
  175. 0  src/libnacl/crypto_core/salsa20/used
  176. +1 −0  src/libnacl/crypto_core/salsa2012/checksum
  177. +4 −0 src/libnacl/crypto_core/salsa2012/ref/api.h
  178. +134 −0 src/libnacl/crypto_core/salsa2012/ref/core.c
  179. +1 −0  src/libnacl/crypto_core/salsa2012/ref/implementors
  180. 0  src/libnacl/crypto_core/salsa2012/used
  181. +1 −0  src/libnacl/crypto_core/salsa208/checksum
  182. +4 −0 src/libnacl/crypto_core/salsa208/ref/api.h
  183. +134 −0 src/libnacl/crypto_core/salsa208/ref/core.c
  184. +1 −0  src/libnacl/crypto_core/salsa208/ref/implementors
  185. 0  src/libnacl/crypto_core/salsa208/used
  186. +116 −0 src/libnacl/crypto_core/try.c
  187. 0  src/libnacl/crypto_core/wrapper-empty.cpp
  188. +66 −0 src/libnacl/crypto_hash/measure.c
  189. +1 −0  src/libnacl/crypto_hash/sha256/checksum
  190. +1 −0  src/libnacl/crypto_hash/sha256/ref/api.h
  191. +69 −0 src/libnacl/crypto_hash/sha256/ref/hash.c
  192. +1 −0  src/libnacl/crypto_hash/sha256/ref/implementors
  193. 0  src/libnacl/crypto_hash/sha256/used
  194. +1 −0  src/libnacl/crypto_hash/sha512/checksum
  195. +1 −0  src/libnacl/crypto_hash/sha512/ref/api.h
  196. +71 −0 src/libnacl/crypto_hash/sha512/ref/hash.c
  197. +1 −0  src/libnacl/crypto_hash/sha512/ref/implementors
  198. 0  src/libnacl/crypto_hash/sha512/selected
  199. 0  src/libnacl/crypto_hash/sha512/used
  200. +77 −0 src/libnacl/crypto_hash/try.c
  201. +10 −0 src/libnacl/crypto_hash/wrapper-hash.cpp
  202. +18 −0 src/libnacl/crypto_hashblocks/measure.c
  203. +1 −0  src/libnacl/crypto_hashblocks/sha256/checksum
  204. +2 −0  src/libnacl/crypto_hashblocks/sha256/inplace/api.h
  205. +228 −0 src/libnacl/crypto_hashblocks/sha256/inplace/blocks.c
  206. +1 −0  src/libnacl/crypto_hashblocks/sha256/inplace/implementors
  207. +2 −0  src/libnacl/crypto_hashblocks/sha256/ref/api.h
  208. +212 −0 src/libnacl/crypto_hashblocks/sha256/ref/blocks.c
  209. +1 −0  src/libnacl/crypto_hashblocks/sha256/ref/implementors
  210. 0  src/libnacl/crypto_hashblocks/sha256/used
  211. +1 −0  src/libnacl/crypto_hashblocks/sha512/checksum
  212. +2 −0  src/libnacl/crypto_hashblocks/sha512/inplace/api.h
  213. +256 −0 src/libnacl/crypto_hashblocks/sha512/inplace/blocks.c
  214. +1 −0  src/libnacl/crypto_hashblocks/sha512/inplace/implementors
  215. +2 −0  src/libnacl/crypto_hashblocks/sha512/ref/api.h
  216. +239 −0 src/libnacl/crypto_hashblocks/sha512/ref/blocks.c
  217. +1 −0  src/libnacl/crypto_hashblocks/sha512/ref/implementors
  218. 0  src/libnacl/crypto_hashblocks/sha512/selected
  219. 0  src/libnacl/crypto_hashblocks/sha512/used
  220. +79 −0 src/libnacl/crypto_hashblocks/try.c
  221. 0  src/libnacl/crypto_hashblocks/wrapper-empty.cpp
  222. +69 −0 src/libnacl/crypto_onetimeauth/measure.c
  223. +2 −0  src/libnacl/crypto_onetimeauth/poly1305/53/api.h
  224. +1,616 −0 src/libnacl/crypto_onetimeauth/poly1305/53/auth.c
  225. +9 −0 src/libnacl/crypto_onetimeauth/poly1305/53/verify.c
  226. +2 −0  src/libnacl/crypto_onetimeauth/poly1305/amd64/api.h
  227. +2,787 −0 src/libnacl/crypto_onetimeauth/poly1305/amd64/auth.s
  228. +85 −0 src/libnacl/crypto_onetimeauth/poly1305/amd64/constants.s
  229. +9 −0 src/libnacl/crypto_onetimeauth/poly1305/amd64/verify.c
  230. +1 −0  src/libnacl/crypto_onetimeauth/poly1305/checksum
  231. +2 −0  src/libnacl/crypto_onetimeauth/poly1305/ref/api.h
  232. +104 −0 src/libnacl/crypto_onetimeauth/poly1305/ref/auth.c
  233. +9 −0 src/libnacl/crypto_onetimeauth/poly1305/ref/verify.c
  234. 0  src/libnacl/crypto_onetimeauth/poly1305/selected
  235. 0  src/libnacl/crypto_onetimeauth/poly1305/used
  236. +2 −0  src/libnacl/crypto_onetimeauth/poly1305/x86/api.h
  237. +2,779 −0 src/libnacl/crypto_onetimeauth/poly1305/x86/auth.s
  238. +85 −0 src/libnacl/crypto_onetimeauth/poly1305/x86/constants.s
  239. +9 −0 src/libnacl/crypto_onetimeauth/poly1305/x86/verify.c
  240. +119 −0 src/libnacl/crypto_onetimeauth/try.c
  241. +11 −0 src/libnacl/crypto_onetimeauth/wrapper-auth.cpp
  242. +14 −0 src/libnacl/crypto_onetimeauth/wrapper-verify.cpp
  243. +1 −0  src/libnacl/crypto_scalarmult/curve25519/checksum
  244. +2 −0  src/libnacl/crypto_scalarmult/curve25519/donna_c64/api.h
  245. +8 −0 src/libnacl/crypto_scalarmult/curve25519/donna_c64/base.c
  246. +1 −0  src/libnacl/crypto_scalarmult/curve25519/donna_c64/implementors
  247. +477 −0 src/libnacl/crypto_scalarmult/curve25519/donna_c64/smult.c
  248. +2 −0  src/libnacl/crypto_scalarmult/curve25519/ref/api.h
  249. +16 −0 src/libnacl/crypto_scalarmult/curve25519/ref/base.c
  250. +1 −0  src/libnacl/crypto_scalarmult/curve25519/ref/implementors
  251. +265 −0 src/libnacl/crypto_scalarmult/curve25519/ref/smult.c
  252. 0  src/libnacl/crypto_scalarmult/curve25519/used
  253. +61 −0 src/libnacl/crypto_scalarmult/measure.c
  254. +126 −0 src/libnacl/crypto_scalarmult/try.c
  255. +11 −0 src/libnacl/crypto_scalarmult/wrapper-base.cpp
  256. +12 −0 src/libnacl/crypto_scalarmult/wrapper-mult.cpp
  257. +75 −0 src/libnacl/crypto_secretbox/measure.c
  258. +129 −0 src/libnacl/crypto_secretbox/try.c
  259. +19 −0 src/libnacl/crypto_secretbox/wrapper-box.cpp
  260. +22 −0 src/libnacl/crypto_secretbox/wrapper-open.cpp
  261. +1 −0  src/libnacl/crypto_secretbox/xsalsa20poly1305/checksum
  262. +4 −0 src/libnacl/crypto_secretbox/xsalsa20poly1305/ref/api.h
  263. +35 −0 src/libnacl/crypto_secretbox/xsalsa20poly1305/ref/box.c
  264. 0  src/libnacl/crypto_secretbox/xsalsa20poly1305/selected
  265. 0  src/libnacl/crypto_secretbox/xsalsa20poly1305/used
  266. +3 −0  src/libnacl/crypto_sign/edwards25519sha512batch/ref/api.h
  267. +345 −0 src/libnacl/crypto_sign/edwards25519sha512batch/ref/fe25519.c
  268. +54 −0 src/libnacl/crypto_sign/edwards25519sha512batch/ref/fe25519.h
  269. +227 −0 src/libnacl/crypto_sign/edwards25519sha512batch/ref/ge25519.c
  270. +34 −0 src/libnacl/crypto_sign/edwards25519sha512batch/ref/ge25519.h
  271. +146 −0 src/libnacl/crypto_sign/edwards25519sha512batch/ref/sc25519.c
  272. +51 −0 src/libnacl/crypto_sign/edwards25519sha512batch/ref/sc25519.h
  273. +103 −0 src/libnacl/crypto_sign/edwards25519sha512batch/ref/sign.c
  274. 0  src/libnacl/crypto_sign/edwards25519sha512batch/selected
  275. 0  src/libnacl/crypto_sign/edwards25519sha512batch/used
  276. +83 −0 src/libnacl/crypto_sign/measure.c
  277. +86 −0 src/libnacl/crypto_sign/try.c
  278. +12 −0 src/libnacl/crypto_sign/wrapper-keypair.cpp
  279. +24 −0 src/libnacl/crypto_sign/wrapper-sign-open.cpp
  280. +22 −0 src/libnacl/crypto_sign/wrapper-sign.cpp
  281. +1 −0  src/libnacl/crypto_stream/aes128ctr/checksum
  282. +158 −0 src/libnacl/crypto_stream/aes128ctr/portable/afternm.c
  283. +3 −0  src/libnacl/crypto_stream/aes128ctr/portable/api.h
  284. +59 −0 src/libnacl/crypto_stream/aes128ctr/portable/beforenm.c
  285. +64 −0 src/libnacl/crypto_stream/aes128ctr/portable/common.c
  286. +788 −0 src/libnacl/crypto_stream/aes128ctr/portable/common.h
  287. +14 −0 src/libnacl/crypto_stream/aes128ctr/portable/consts.c
  288. +28 −0 src/libnacl/crypto_stream/aes128ctr/portable/consts.h
  289. +128 −0 src/libnacl/crypto_stream/aes128ctr/portable/int128.c
  290. +47 −0 src/libnacl/crypto_stream/aes128ctr/portable/int128.h
  291. +28 −0 src/libnacl/crypto_stream/aes128ctr/portable/stream.c
  292. +10 −0 src/libnacl/crypto_stream/aes128ctr/portable/types.h
  293. +180 −0 src/libnacl/crypto_stream/aes128ctr/portable/xor_afternm.c
  294. 0  src/libnacl/crypto_stream/aes128ctr/used
  295. +73 −0 src/libnacl/crypto_stream/measure.c
  296. +1 −0  src/libnacl/crypto_stream/salsa20/checksum
  297. +2 −0  src/libnacl/crypto_stream/salsa20/ref/api.h
  298. +1 −0  src/libnacl/crypto_stream/salsa20/ref/implementors
  299. +49 −0 src/libnacl/crypto_stream/salsa20/ref/stream.c
  300. +52 −0 src/libnacl/crypto_stream/salsa20/ref/xor.c
Sorry, we could not display the entire diff because too many files (833) changed.
42 .gitignore
@@ -0,0 +1,42 @@
+*.dSYM
+*.cmake
+*.log
+*.o
+*.s
+*.scan
+*.status
+*.tar.*
+*~
+.deps
+.done
+INSTALL
+Makefile
+Makefile.in
+aclocal.m4
+autom4te.cache
+build
+compile
+confdefs.h
+config.*
+configure
+depcomp
+install-sh
+libtool
+ltmain.sh
+man/*.html
+man/Makefile.in
+missing
+probes.h
+probes_dnscrypt_proxy.h
+src/*.la
+src/*.lo
+src/*.o
+src/.deps
+src/.libs
+src/Makefile.in
+src/dnscrypt-proxy/Makefile.in
+src/dnscrypt-proxy/dnscrypt-proxy
+src/libnacl/okcompilers/c
+src/libnacl/okcompilers/do
+stamp-*
+testing
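Review bot: The unanchored `*.s` and `Makefile` patterns also match files this same commit tracks as source, for example `src/libnacl/crypto_onetimeauth/poly1305/amd64/auth.s` and `packages/FreeBSD/dns/dnscrypt-proxy/Makefile` in the file list above. Files that are already tracked stay tracked, but any hand-written assembly or port Makefile added later will be skipped by `git add` and hidden from `git status`, so a crypto implementation could silently be missing from a release tree. Either scope the patterns to build output or add negations after them, such as `!src/libnacl/**/*.s` and `!packages/**/Makefile`.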
0  AUTHORS
No changes.
33 COPYING
@@ -0,0 +1,33 @@
+
+dnscrypt-proxy is covered by the following license :
+
+/*
+ * Copyright (c) 2011 OpenDNS, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+====
+
+This license applies to all parts of dnscrypt-proxy that are not externally
+maintained libraries.
+
+The externally maintained libraries used by dnscrypt-proxy are:
+
+ - NaCl (http://nacl.cr.yp.to/). Public domain.
+
+ - libuv (https://github.com/joyent/libuv). MIT license.
+ + libuv dependencies, see src/libuv/LICENSE.
+
+ - alt_arc4random.c reuses code from OpenBSD. BSD license,
+ see the alt_arc4random.c header.
0  ChangeLog
No changes.
12 Makefile.am
@@ -0,0 +1,12 @@
+ACLOCAL_AMFLAGS = -I m4
+
+AUTOMAKE_OPTIONS = gnu
+
+EXTRA_DIST = \
+ autogen.sh \
+ README.markdown
+
+SUBDIRS = \
+ man \
+ src \
+ test
0  NEWS
No changes.
1  README
@@ -0,0 +1 @@
+See README.markdown
169 README.markdown
@@ -0,0 +1,169 @@
+DNSCrypt
+========
+
+A tool for securing communications between a client and a DNS resolver.
+
+Description
+-----------
+
+DNSCrypt is a slight variation on [DNSCurve](http://www.dnscurve.org/).
+
+DNSCurve improves the confidentiality and integrity of DNS requests using
+high-speed high-security elliptic-curve cryptography. Best of all,
+DNSCurve has very low overhead and adds virtually no latency to
+queries.
+
+DNSCurve aims at securing the entire chain down to authoritative
+servers. However, it only works with authoritative servers that explicitly
+support the protocol. And unfortunately, DNSCurve hasn't received much
+adoption yet.
+
+The DNSCrypt protocol is very similar to DNSCurve, but focuses on
+securing communications between a client and its first-level resolver.
+While not providing end-to-end security, it protects the local
+network (which is often the weakest link in the chain) against
+man-in-the-middle attacks. It also provides some confidentiality to
+DNS queries.
+
+The DNSCrypt daemon acts as a DNS proxy between a regular client, like
+a DNS cache or an operating system stub resolver, and a DNSCrypt-aware
+resolver, like OpenDNS.
+
+Installation
+------------
+
+The daemon is known to work on recent versions of OSX, OpenBSD,
+NetBSD, Dragonfly BSD, FreeBSD and Linux.
+
+Compile and install it using the standard procedure:
+
+ $ ./configure && make -j2
+ # make install
+
+Replace `-j2` with whatever CPU cores you want to use for the
+compilation process.
+
+Running `make -j2 test` in the `src/libnacl` directory is also highly
+recommended.
+
+On BSD systems, _GNU Make_ should be installed prior to running the
+`./configure` script.
+
+The proxy will be installed as `/usr/local/sbin/dnscrypt-proxy` by default.
+
+Command-line switches are documented in the `dnscrypt-proxy(8)` man page.
+
+Usage
+-----
+
+Having a dedicated system user, with no privileges and with an empty
+home directory, is highly recommended. For extra security, DNSCrypt
+will chroot() to this user's home directory and drop root privileges
+for this user's uid as soon as possible.
+
+The easiest way to start the daemon is:
+
+ # dnscrypt-proxy --daemonize
+
+The proxy will accept incoming requests on 127.0.0.1 and
+encrypt/decrypt them from/to OpenDNS resolvers.
+
+Given such a setup, in order to actually start using DNSCrypt, you
+need to update your `/etc/resolv.conf` file and replace your current
+set of resolvers with:
+
+ nameserver 127.0.0.1
+
+Other common command-line switches include:
+
+* `--daemonize` in order to run the server as a background process.
+* `--local-address=<ip>` in order to locally bind a different IP address than
+ 127.0.0.1
+* `--local-port=<port>` to change the local port to listen to.
+* `--logfile=<file>` in order to write log data to a dedicated file. By
+ default, logs are sent to stdout if the server is running in foreground,
+ and to syslog if it is running in background.
+* `--max-active-requests=<count>` to set the maximum number of active
+ requests. The default value is 250.
+* `--pid-file=<file>` in order to store the PID number to a file.
+* `--user=<user name>` in order to chroot()/drop privileges.
+
+DNSCrypt comes pre-configured for OpenDNS, although the
+`--resolver-address=<ip>`, `--provider-name=<certificate provider FQDN>`
+and `--provider-key=<provider public key>` can be specified in
+order to change the default settings.
+
+Using DNSCrypt in combination with a DNS cache
+----------------------------------------------
+
+The DNSCrypt proxy is **not** a DNS cache. This means that incoming
+queries will **not** be cached and every single query will require a
+round-trip to the upstream resolver.
+
+For optimal performance, the recommended way of running DNSCrypt is to
+run it as a forwarder for a local DNS cache, like `unbound`, `pdns` or
+`dnscache`.
+
+Both can safely run on the same machine as long as they are listening
+to different IP addresses or different ports.
+
+If your DNS cache is unbound, all you need is to edit the
+`unbound.conf` file and add the following lines to the `server`
+section:
+
+ forward-zone:
+ name: "."
+ forward-addr: 127.0.0.1@40
+
+Then start `dnscrypt-proxy`, telling it to use a specific port (`40`, in
+this example):
+
+ # dnscrypt-proxy --local-port=40 --daemonize
+
+Queries over TCP
+----------------
+
+Some routers and firewalls can block outgoing DNS queries or
+transparently redirect them to their own resolver. This especially
+happens on public Wifi hotspots, such as coffee shops.
+
+As a workaround, the DNSCrypt proxy can force outgoing queries to be
+sent over TCP. For example, TCP port 443, which is commonly used for
+communication over HTTPS, may not be filtered.
+
+The `tcp-port=<port>` command-line switch forces this behavior. When
+an incoming query is received, the daemon immediately replies with a
+"response truncated" message, forcing the client to retry over TCP.
+The daemon then encrypts and signs the query and forwards it over TCP
+to the resolver.
+
+TCP is slower than UDP, and this workaround should never be used
+except when bypassing a filter is actually required. Moreover,
+multiple queries over a single TCP connections aren't supported yet.
+
+EDNS payload size
+-----------------
+
+DNS packets sent over UDP have been historically limited to 512 bytes,
+which is usually fine for queries, but sometimes a bit short for
+replies.
+
+Most modern authoritative servers, resolvers and stub resolvers
+support the Extension Mechanism for DNS (EDNS) that, among other
+things, allows a client to specify how large a reply over UDP can be.
+
+Unfortunately, this feature is disabled by default on a lot of
+operating systems. It has to be explicitly enabled, for example by
+adding `options edns0` to the `/etc/resolv.conf` file on most
+Unix-like operating systems.
+
+`dnscrypt-proxy` can transparently rewrite outgoing packets before
+signing and encrypting them, in order to add the EDNS0 mechanism. By
+default, a conservative payload size of 1280 bytes is advertised.
+
+This size can be made larger by starting the proxy with the
+`--edns-payload-size=<bytes>` command-line switch. Values up to 4096
+are usually safe.
+
+A value below or equal to 512 will disable this mechanism, unless a
+client sends a packet with an OPT section providing a payload size.
6 autogen.sh
@@ -0,0 +1,6 @@
+#! /bin/sh
+
+aclocal -I m4 && \
+autoheader && \
+automake --gnu --add-missing --include-deps && \
+autoconf -I m4
265 configure.ac
@@ -0,0 +1,265 @@
+AC_PREREQ(2.61)
+AC_INIT(dnscrypt-proxy, 0.7, bugs at opendns dot com)
+AC_CONFIG_MACRO_DIR([m4])
+AC_CONFIG_SRCDIR([src/dnscrypt-proxy/app.c])
+AC_CONFIG_HEADER([config.h])
+AM_INIT_AUTOMAKE([1.9 dist-bzip2])
+AM_MAINTAINER_MODE
+AM_DEP_TRACK
+
+AC_SUBST(VERSION)
+ISODATE=`date +%Y-%m-%d`
+AC_SUBST(ISODATE)
+
+# Checks for programs.
+AX_CHECK_GNU_MAKE
+AS_IF([test -n "${ifGNUmake}"],[
+ AC_MSG_ERROR([
+Found: ${MAKE}
+GNU make is required and was not found. If GNU make is not installed,
+please install it. www.gnu.org. If GNU make is installed, please adjust
+your PATH to make sure that GNU make is found before any other version
+of make that is installed on your system. rm config.cache and then
+re-run configure again.])
+],[
+ AC_SUBST(MAKE, $_cv_gnu_make_command)
+])
+
+LX_CFLAGS=${CFLAGS-NONE}
+AC_PROG_CC_C99
+AC_USE_SYSTEM_EXTENSIONS
+CPPFLAGS="$CPPFLAGS -D_XPG4_2=1 -D_GNU_SOURCE=1"
+
+AX_PTHREAD
+
+AX_CHECK_COMPILE_FLAG([-fPIE], [CFLAGS="$CFLAGS -fPIE"])
+AX_CHECK_COMPILE_FLAG([-fcatch-undefined-c99-behavior], [CFLAGS="$CFLAGS -fcatch-undefined-c99-behavior"])
+AX_CHECK_COMPILE_FLAG([-fno-strict-aliasing], [CFLAGS="$CFLAGS -fno-strict-aliasing"])
+AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CFLAGS="$CFLAGS -fno-strict-overflow"])
+AX_CHECK_COMPILE_FLAG([-fstack-protector-all], [CFLAGS="$CFLAGS -fstack-protector-all"])
+
+AS_IF([test "x$ac_compiler_gnu" = "xyes"],[
+ AS_IF([$CC --version 2>/dev/null | $GREP "Free Software Foundation" > /dev/null 2>&1],[
+ CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2"
+ AX_CHECK_COMPILE_FLAG([--param ssp-buffer-size=1], [CFLAGS="$CFLAGS --param ssp-buffer-size=1"])
+ ])
+])
+
+AX_CHECK_COMPILE_FLAG([-Wbounded], [CFLAGS="$CFLAGS -Wbounded"])
+AX_CHECK_COMPILE_FLAG([-Winit-self], [CFLAGS="$CFLAGS -Winit-self"])
+AX_CHECK_COMPILE_FLAG([-Wwrite-strings], [CFLAGS="$CFLAGS -Wwrite-strings"])
+AX_CHECK_COMPILE_FLAG([-Wdiv-by-zero], [CFLAGS="$CFLAGS -Wdiv-by-zero"])
+
+AC_ARG_VAR([CWFLAGS], [define to compilation flags for generating extra warnings])
+AX_CHECK_COMPILE_FLAG([-Wall], [CWFLAGS="$CWFLAGS -Wall"])
+AX_CHECK_COMPILE_FLAG([-Wbad-function-cast], [CWFLAGS="$CWFLAGS -Wbad-function-cast"])
+AX_CHECK_COMPILE_FLAG([-Wcast-align], [CWFLAGS="$CWFLAGS -Wcast-align"])
+AX_CHECK_COMPILE_FLAG([-Wcast-qual], [CWFLAGS="$CWFLAGS -Wcast-qual"])
+AX_CHECK_COMPILE_FLAG([-Wchar-subscripts], [CWFLAGS="$CWFLAGS -Wchar-subscripts"])
+AX_CHECK_COMPILE_FLAG([-Wcomment], [CWFLAGS="$CWFLAGS -Wcomment"])
+AX_CHECK_COMPILE_FLAG([-Wextra], [CWFLAGS="$CWFLAGS -Wextra"])
+AX_CHECK_COMPILE_FLAG([-Wfloat-equal], [CWFLAGS="$CWFLAGS -Wfloat-equal"])
+AX_CHECK_COMPILE_FLAG([-Wformat=2], [CWFLAGS="$CWFLAGS -Wformat=2"])
+AX_CHECK_COMPILE_FLAG([-Wimplicit], [CWFLAGS="$CWFLAGS -Wimplicit"])
+AX_CHECK_COMPILE_FLAG([-Wmissing-declarations], [CWFLAGS="$CWFLAGS -Wmissing-declarations"])
+AX_CHECK_COMPILE_FLAG([-Wmissing-noreturn], [CWFLAGS="$CWFLAGS -Wmissing-noreturn"])
+AX_CHECK_COMPILE_FLAG([-Wmissing-prototypes], [CWFLAGS="$CWFLAGS -Wmissing-prototypes"])
+AX_CHECK_COMPILE_FLAG([-Wnormalized=id], [CWFLAGS="$CWFLAGS -Wnormalized=id"])
+AX_CHECK_COMPILE_FLAG([-Woverride-init], [CWFLAGS="$CWFLAGS -Woverride-init"])
+AX_CHECK_COMPILE_FLAG([-Wparentheses], [CWFLAGS="$CWFLAGS -Wparentheses"])
+AX_CHECK_COMPILE_FLAG([-Wpointer-arith], [CWFLAGS="$CWFLAGS -Wpointer-arith"])
+AX_CHECK_COMPILE_FLAG([-Wredundant-decls], [CWFLAGS="$CWFLAGS -Wredundant-decls"])
+AX_CHECK_COMPILE_FLAG([-Wstrict-prototypes], [CWFLAGS="$CWFLAGS -Wstrict-prototypes"])
+AX_CHECK_COMPILE_FLAG([-Wswitch-enum], [CWFLAGS="$CWFLAGS -Wswitch-enum"])
+AX_CHECK_COMPILE_FLAG([-Wvariable-decl], [CWFLAGS="$CWFLAGS -Wvariable-decl"])
+
+AX_CHECK_LINK_FLAG([-pie], [LDFLAGS="$LDFLAGS -pie"])
+AX_CHECK_LINK_FLAG([-z relro], [LDFLAGS="$LDFLAGS -z relro"])
+AX_CHECK_LINK_FLAG([-z now], [LDFLAGS="$LDFLAGS -z now"])
+
+AC_ARG_VAR([RONN], [path to the ronn text processor])
+AC_PATH_PROG([RONN], [ronn], [#])
+
+AC_ARG_VAR([AR], [path to the ar utility])
+AC_CHECK_TOOL([AR], [ar], [ar])
+
+AS_IF([test `(uname -s) 2>/dev/null` = "Darwin"], [
+ AC_ARG_VAR([DTRACE], [path to dtrace if you have it])
+ AC_PATH_PROG([DTRACE], [dtrace])
+])
+AS_IF([test -n "$DTRACE"],[
+ PROBES_SOURCE="probes_dnscrypt_proxy.h"
+],[
+ DTRACE="#"
+ PROBES_SOURCE="probes_no_dtrace.h"
+])
+
+AS_IF([test -d /usr/local/include], [
+ CPPFLAGS="$CPPFLAGS -I/usr/local/include"
+])
+
+AS_IF([test -d /usr/local/lib], [
+ LDFLAGS="$LDFLAGS -L/usr/local/lib"
+])
+
+LIBS="$PTHREAD_LIBS $LIBS"
+CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+CC="$PTHREAD_CC"
+
+# Checks for header files.
+AC_SYS_LARGEFILE
+AC_CHECK_HEADERS([execinfo.h paths.h sys/cdefs.h sys/feature_tests.h])
+
+# Checks for typedefs, structures, and compiler characteristics.
+AC_C_RESTRICT
+
+AC_MSG_CHECKING([whether sin_len is defined])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <stdio.h>
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+]], [[
+do {
+ struct sockaddr_in a;
+ (void) a.sin_len;
+} while(0)
+]])],[
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE_SIN_LEN,,[define if you have sin_len])
+],[
+ AC_MSG_RESULT(no)
+])
+
+AC_MSG_CHECKING([whether __ss_family is defined])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <stdio.h>
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif
+#include <sys/types.h>
+#include <sys/socket.h>
+]], [[
+do {
+ struct sockaddr_storage a;
+ (void) a.__ss_family;
+} while(0)
+]])],[
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE___SS_FAMILY,,[define if you have __ss_family])
+],[
+ AC_MSG_RESULT(no)
+])
+
+AC_MSG_CHECKING([whether ss_len is defined])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <stdio.h>
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif
+#include <sys/types.h>
+#include <sys/socket.h>
+]], [[
+do {
+ struct sockaddr_storage a;
+ (void) a.ss_len;
+} while(0)
+]])],[
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE_SS_LEN,,[define if you have ss_len])
+],[
+ AC_MSG_RESULT(no)
+])
+
+AC_MSG_CHECKING([whether __ss_len is defined])
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+#include <stdio.h>
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif
+#include <sys/types.h>
+#include <sys/socket.h>
+]], [[
+do {
+ struct sockaddr_storage a;
+ (void) a.__ss_len;
+} while(0)
+]])],[
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE___SS_LEN,,[define if you have __ss_len])
+],[
+ AC_MSG_RESULT(no)
+])
+
+# Checks for library functions.
+AC_SEARCH_LIBS(pow, [m])
+AC_SEARCH_LIBS(dlopen, [dl])
+AC_SEARCH_LIBS(clock_gettime, [rt],
+ [AC_DEFINE(HAVE_CLOCK_GETTIME,,[define if you have clock_gettime()])])
+
+AC_SEARCH_LIBS(backtrace, [execinfo],
+ [AC_DEFINE(HAVE_BACKTRACE,,[define if you have backtrace()])])
+
+AC_SEARCH_LIBS(gethostbyname, [resolv nsl])
+AC_SEARCH_LIBS(recvfrom, [socket])
+
+AC_CHECK_HEADER([CoreServices/CoreServices.h],
+ [LIBS="$LIBS -framework CoreFoundation -framework CoreServices"])
+
+# Switches
+AC_HEADER_ASSERT
+
+AC_ARG_WITH(debug,
+[AS_HELP_STRING(--with-debug,For maintainers only - please do not use)],
+[ AS_IF(["x$withval" = "xyes"], [
+ AS_IF([test "x$LX_CFLAGS" = "xNONE"], [
+ nxflags=""
+ for flag in `echo $CFLAGS`; do
+ case "$flag" in
+ -O*) ;;
+ -g*) ;;
+ *) nxflags="$nxflags $flag"
+ esac
+ done
+ CFLAGS="$nxflags -O0 -g3"
+ ])
+ AM_CFLAGS="$AM_CFLAGS -DDEBUG=1"
+ ])
+])
+
+AC_ARG_WITH(safecode,
+[AS_HELP_STRING(--with-safecode,For maintainers only - please do not use)],
+[ AS_IF([test "x$withval" = "xyes"], [
+ AC_ARG_VAR([SAFECODE_HOME], [set to the safecode base directory])
+ : ${SAFECODE_HOME:=/opt/safecode}
+ LDFLAGS="$LDFLAGS -L${SAFECODE_HOME}/lib"
+ LIBS="$LIBS -lsc_dbg_rt -lpoolalloc_bitmap -lstdc++"
+ AM_CFLAGS="$AM_CFLAGS -fmemsafety"
+ ])
+])
+
+NACL_HOSTNAME=`hostname | sed 's/\..*//' | tr -cd '[a-z][A-Z][0-9]'`
+NACL_PATH=libnacl/build/${NACL_HOSTNAME}
+
+AC_SUBST([MAINT])
+AC_SUBST([NACL_PATH])
+AC_SUBST([PROBES_SOURCE])
+
+AC_CONFIG_FILES([Makefile
+ man/Makefile
+ src/Makefile
+ src/dnscrypt-proxy/Makefile
+ src/libnacl/Makefile
+ src/libnacl/tests/Makefile
+ src/libnacl/okcompilers/c
+ src/libnacl/okcompilers/do
+ src/libuv/Makefile
+ test/Makefile])
+
+AC_OUTPUT
+
+chmod +x src/libnacl/okcompilers/do
+
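Review bot: The `--with-debug` condition `AS_IF(["x$withval" = "xyes"], [` is missing `test`, so the shell tries to run the string `xyes` as a command and the condition is always false. As a result neither the `-O0 -g3` rewrite nor `-DDEBUG=1` is ever applied. The `--with-safecode` block just below has the correct form, and the line should read `AS_IF([test "x$withval" = "xyes"], [`. Once the branch does run it builds at `-O0`, and glibc only enables `_FORTIFY_SOURCE` checks when optimizing, so a debug build should not be used to judge the hardening flags set earlier in this file.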
72 m4/ax_check_compile_flag.m4
@@ -0,0 +1,72 @@
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
+#
+# DESCRIPTION
+#
+# Check whether the given FLAG works with the current language's compiler
+# or gives an error. (Warnings, however, are ignored)
+#
+# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+# success/failure.
+#
+# If EXTRA-FLAGS is defined, it is added to the current language's default
+# flags (e.g. CFLAGS) when the check is done. The check is thus made with
+# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to
+# force the compiler to issue an error when a bad flag is given.
+#
+# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
+#
+# LICENSE
+#
+# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception, the respective Autoconf Macro's copyright owner
+# gives unlimited permission to copy, distribute and modify the configure
+# scripts that are the output of Autoconf when processing the Macro. You
+# need not follow the terms of the GNU General Public License when using
+# or distributing such scripts, even though portions of the text of the
+# Macro appear in them. The GNU General Public License (GPL) does govern
+# all other use of the material that constitutes the Autoconf Macro.
+#
+# This special exception to the GPL applies to versions of the Autoconf
+# Macro released by the Autoconf Archive. When you make and distribute a
+# modified version of the Autoconf Macro, you may extend this special
+# exception to the GPL to apply to your modified version as well.
+
+#serial 2
+
+AC_DEFUN([AX_CHECK_COMPILE_FLAG],
+[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX
+AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
+AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
+ ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
+ _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM()],
+ [AS_VAR_SET(CACHEVAR,[yes])],
+ [AS_VAR_SET(CACHEVAR,[no])])
+ _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
+AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
+ [m4_default([$2], :)],
+ [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_COMPILE_FLAGS
78 m4/ax_check_gnu_make.m4
@@ -0,0 +1,78 @@
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_check_gnu_make.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_CHECK_GNU_MAKE()
+#
+# DESCRIPTION
+#
+# This macro searches for a GNU version of make. If a match is found, the
+# makefile variable `ifGNUmake' is set to the empty string, otherwise it
+# is set to "#". This is useful for including a special features in a
+# Makefile, which cannot be handled by other versions of make. The
+# variable _cv_gnu_make_command is set to the command to invoke GNU make
+# if it exists, the empty string otherwise.
+#
+# Here is an example of its use:
+#
+# Makefile.in might contain:
+#
+# # A failsafe way of putting a dependency rule into a makefile
+# $(DEPEND):
+# $(CC) -MM $(srcdir)/*.c > $(DEPEND)
+#
+# @ifGNUmake@ ifeq ($(DEPEND),$(wildcard $(DEPEND)))
+# @ifGNUmake@ include $(DEPEND)
+# @ifGNUmake@ endif
+#
+# Then configure.in would normally contain:
+#
+# AX_CHECK_GNU_MAKE()
+# AC_OUTPUT(Makefile)
+#
+# Then perhaps to cause gnu make to override any other make, we could do
+# something like this (note that GNU make always looks for GNUmakefile
+# first):
+#
+# if ! test x$_cv_gnu_make_command = x ; then
+# mv Makefile GNUmakefile
+# echo .DEFAULT: > Makefile ;
+# echo \ $_cv_gnu_make_command \$@ >> Makefile;
+# fi
+#
+# Then, if any (well almost any) other make is called, and GNU make also
+# exists, then the other make wraps the GNU make.
+#
+# LICENSE
+#
+# Copyright (c) 2008 John Darrington <j.darrington@elvis.murdoch.edu.au>
+#
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided the copyright notice
+# and this notice are preserved. This file is offered as-is, without any
+# warranty.
+
+#serial 7
+
+AC_DEFUN([AX_CHECK_GNU_MAKE], [ AC_CACHE_CHECK( for GNU make,_cv_gnu_make_command,
+ _cv_gnu_make_command='' ;
+dnl Search all the common names for GNU make
+ for a in "$MAKE" make gmake gnumake ; do
+ if test -z "$a" ; then continue ; fi ;
+ if ( sh -c "$a --version" 2> /dev/null | grep GNU 2>&1 > /dev/null ) ; then
+ _cv_gnu_make_command=$a ;
+ break;
+ fi
+ done ;
+ ) ;
+dnl If there was a GNU version, then set @ifGNUmake@ to the empty string, '#' otherwise
+ if test "x$_cv_gnu_make_command" != "x" ; then
+ ifGNUmake='' ;
+ else
+ ifGNUmake='#' ;
+ AC_MSG_RESULT("Not found");
+ fi
+ AC_SUBST(ifGNUmake)
+] )
71 m4/ax_check_link_flag.m4
@@ -0,0 +1,71 @@
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
+#
+# DESCRIPTION
+#
+# Check whether the given FLAG works with the linker or gives an error.
+# (Warnings, however, are ignored)
+#
+# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+# success/failure.
+#
+# If EXTRA-FLAGS is defined, it is added to the linker's default flags
+# when the check is done. The check is thus made with the flags: "LDFLAGS
+# EXTRA-FLAGS FLAG". This can for example be used to force the linker to
+# issue an error when a bad flag is given.
+#
+# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+# macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG.
+#
+# LICENSE
+#
+# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception, the respective Autoconf Macro's copyright owner
+# gives unlimited permission to copy, distribute and modify the configure
+# scripts that are the output of Autoconf when processing the Macro. You
+# need not follow the terms of the GNU General Public License when using
+# or distributing such scripts, even though portions of the text of the
+# Macro appear in them. The GNU General Public License (GPL) does govern
+# all other use of the material that constitutes the Autoconf Macro.
+#
+# This special exception to the GPL applies to versions of the Autoconf
+# Macro released by the Autoconf Archive. When you make and distribute a
+# modified version of the Autoconf Macro, you may extend this special
+# exception to the GPL to apply to your modified version as well.
+
+#serial 2
+
+AC_DEFUN([AX_CHECK_LINK_FLAG],
+[AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl
+AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [
+ ax_check_save_flags=$LDFLAGS
+ LDFLAGS="$LDFLAGS $4 $1"
+ AC_LINK_IFELSE([AC_LANG_PROGRAM()],
+ [AS_VAR_SET(CACHEVAR,[yes])],
+ [AS_VAR_SET(CACHEVAR,[no])])
+ LDFLAGS=$ax_check_save_flags])
+AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
+ [m4_default([$2], :)],
+ [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_LINK_FLAGS
302 m4/ax_pthread.m4
@@ -0,0 +1,302 @@
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_pthread.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]])
+#
+# DESCRIPTION
+#
+# This macro figures out how to build C programs using POSIX threads. It
+# sets the PTHREAD_LIBS output variable to the threads library and linker
+# flags, and the PTHREAD_CFLAGS output variable to any special C compiler
+# flags that are needed. (The user can also force certain compiler
+# flags/libs to be tested by setting these environment variables.)
+#
+# Also sets PTHREAD_CC to any special C compiler that is needed for
+# multi-threaded programs (defaults to the value of CC otherwise). (This
+# is necessary on AIX to use the special cc_r compiler alias.)
+#
+# NOTE: You are assumed to not only compile your program with these flags,
+# but also link it with them as well. e.g. you should link with
+# $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS
+#
+# If you are only building threads programs, you may wish to use these
+# variables in your default LIBS, CFLAGS, and CC:
+#
+# LIBS="$PTHREAD_LIBS $LIBS"
+# CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+# CC="$PTHREAD_CC"
+#
+# In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant
+# has a nonstandard name, defines PTHREAD_CREATE_JOINABLE to that name
+# (e.g. PTHREAD_CREATE_UNDETACHED on AIX).
+#
+# Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the
+# PTHREAD_PRIO_INHERIT symbol is defined when compiling with
+# PTHREAD_CFLAGS.
+#
+# ACTION-IF-FOUND is a list of shell commands to run if a threads library
+# is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it
+# is not found. If ACTION-IF-FOUND is not specified, the default action
+# will define HAVE_PTHREAD.
+#
+# Please let the authors know if this macro fails on any platform, or if
+# you have any other suggestions or comments. This macro was based on work
+# by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help
+# from M. Frigo), as well as ac_pthread and hb_pthread macros posted by
+# Alejandro Forero Cuervo to the autoconf macro repository. We are also
+# grateful for the helpful feedback of numerous users.
+#
+# Updated for Autoconf 2.68 by Daniel Richard G.
+#
+# LICENSE
+#
+# Copyright (c) 2008 Steven G. Johnson <stevenj@alum.mit.edu>
+# Copyright (c) 2011 Daniel Richard G. <skunk@iSKUNK.ORG>
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception, the respective Autoconf Macro's copyright owner
+# gives unlimited permission to copy, distribute and modify the configure
+# scripts that are the output of Autoconf when processing the Macro. You
+# need not follow the terms of the GNU General Public License when using
+# or distributing such scripts, even though portions of the text of the
+# Macro appear in them. The GNU General Public License (GPL) does govern
+# all other use of the material that constitutes the Autoconf Macro.
+#
+# This special exception to the GPL applies to versions of the Autoconf
+# Macro released by the Autoconf Archive. When you make and distribute a
+# modified version of the Autoconf Macro, you may extend this special
+# exception to the GPL to apply to your modified version as well.
+
+#serial 16
+
+AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD])
+AC_DEFUN([AX_PTHREAD], [
+AC_REQUIRE([AC_CANONICAL_HOST])
+AC_LANG_PUSH([C])
+ax_pthread_ok=no
+
+# We used to check for pthread.h first, but this fails if pthread.h
+# requires special compiler flags (e.g. on True64 or Sequent).
+# It gets checked for in the link test anyway.
+
+# First of all, check if the user has set any of the PTHREAD_LIBS,
+# etcetera environment variables, and if threads linking works using
+# them:
+if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then
+ save_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+ save_LIBS="$LIBS"
+ LIBS="$PTHREAD_LIBS $LIBS"
+ AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS])
+ AC_TRY_LINK_FUNC(pthread_join, ax_pthread_ok=yes)
+ AC_MSG_RESULT($ax_pthread_ok)
+ if test x"$ax_pthread_ok" = xno; then
+ PTHREAD_LIBS=""
+ PTHREAD_CFLAGS=""
+ fi
+ LIBS="$save_LIBS"
+ CFLAGS="$save_CFLAGS"
+fi
+
+# We must check for the threads library under a number of different
+# names; the ordering is very important because some systems
+# (e.g. DEC) have both -lpthread and -lpthreads, where one of the
+# libraries is broken (non-POSIX).
+
+# Create a list of thread flags to try. Items starting with a "-" are
+# C compiler flags, and other items are library names, except for "none"
+# which indicates that we try without any flags at all, and "pthread-config"
+# which is a program returning the flags for the Pth emulation library.
+
+ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config"
+
+# The ordering *is* (sometimes) important. Some notes on the
+# individual items follow:
+
+# pthreads: AIX (must check this before -lpthread)
+# none: in case threads are in libc; should be tried before -Kthread and
+# other compiler flags to prevent continual compiler warnings
+# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h)
+# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able)
+# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread)
+# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads)
+# -pthreads: Solaris/gcc
+# -mthreads: Mingw32/gcc, Lynx/gcc
+# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it
+# doesn't hurt to check since this sometimes defines pthreads too;
+# also defines -D_REENTRANT)
+# ... -mt is also the pthreads flag for HP/aCC
+# pthread: Linux, etcetera
+# --thread-safe: KAI C++
+# pthread-config: use pthread-config program (for GNU Pth library)
+
+case "${host_cpu}-${host_os}" in
+ *solaris*)
+
+ # On Solaris (at least, for some versions), libc contains stubbed
+ # (non-functional) versions of the pthreads routines, so link-based
+ # tests will erroneously succeed. (We need to link with -pthreads/-mt/
+ # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather
+ # a function called by this macro, so we could check for that, but
+ # who knows whether they'll stub that too in a future libc.) So,
+ # we'll just look for -pthreads and -lpthread first:
+
+ ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags"
+ ;;
+
+ *-darwin*)
+ ax_pthread_flags="-pthread $ax_pthread_flags"
+ ;;
+esac
+
+if test x"$ax_pthread_ok" = xno; then
+for flag in $ax_pthread_flags; do
+
+ case $flag in
+ none)
+ AC_MSG_CHECKING([whether pthreads work without any flags])
+ ;;
+
+ -*)
+ AC_MSG_CHECKING([whether pthreads work with $flag])
+ PTHREAD_CFLAGS="$flag"
+ ;;
+
+ pthread-config)
+ AC_CHECK_PROG(ax_pthread_config, pthread-config, yes, no)
+ if test x"$ax_pthread_config" = xno; then continue; fi
+ PTHREAD_CFLAGS="`pthread-config --cflags`"
+ PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
+ ;;
+
+ *)
+ AC_MSG_CHECKING([for the pthreads library -l$flag])
+ PTHREAD_LIBS="-l$flag"
+ ;;
+ esac
+
+ save_LIBS="$LIBS"
+ save_CFLAGS="$CFLAGS"
+ LIBS="$PTHREAD_LIBS $LIBS"
+ CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+
+ # Check for various functions. We must include pthread.h,
+ # since some functions may be macros. (On the Sequent, we
+ # need a special flag -Kthread to make this header compile.)
+ # We check for pthread_join because it is in -lpthread on IRIX
+ # while pthread_create is in libc. We check for pthread_attr_init
+ # due to DEC craziness with -lpthreads. We check for
+ # pthread_cleanup_push because it is one of the few pthread
+ # functions on Solaris that doesn't have a non-functional libc stub.
+ # We try pthread_create on general principles.
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>
+ static void routine(void *a) { a = 0; }
+ static void *start_routine(void *a) { return a; }],
+ [pthread_t th; pthread_attr_t attr;
+ pthread_create(&th, 0, start_routine, 0);
+ pthread_join(th, 0);
+ pthread_attr_init(&attr);
+ pthread_cleanup_push(routine, 0);
+ pthread_cleanup_pop(0) /* ; */])],
+ [ax_pthread_ok=yes],
+ [])
+
+ LIBS="$save_LIBS"
+ CFLAGS="$save_CFLAGS"
+
+ AC_MSG_RESULT($ax_pthread_ok)
+ if test "x$ax_pthread_ok" = xyes; then
+ break;
+ fi
+
+ PTHREAD_LIBS=""
+ PTHREAD_CFLAGS=""
+done
+fi
+
+# Various other checks:
+if test "x$ax_pthread_ok" = xyes; then
+ save_LIBS="$LIBS"
+ LIBS="$PTHREAD_LIBS $LIBS"
+ save_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+
+ # Detect AIX lossage: JOINABLE attribute is called UNDETACHED.
+ AC_MSG_CHECKING([for joinable pthread attribute])
+ attr_name=unknown
+ for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>],
+ [int attr = $attr; return attr /* ; */])],
+ [attr_name=$attr; break],
+ [])
+ done
+ AC_MSG_RESULT($attr_name)
+ if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then
+ AC_DEFINE_UNQUOTED(PTHREAD_CREATE_JOINABLE, $attr_name,
+ [Define to necessary symbol if this constant
+ uses a non-standard name on your system.])
+ fi
+
+ AC_MSG_CHECKING([if more special flags are required for pthreads])
+ flag=no
+ case "${host_cpu}-${host_os}" in
+ *-aix* | *-freebsd* | *-darwin*) flag="-D_THREAD_SAFE";;
+ *solaris* | *-osf* | *-hpux*) flag="-D_REENTRANT";;
+ esac
+ AC_MSG_RESULT(${flag})
+ if test "x$flag" != xno; then
+ PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS"
+ fi
+
+ AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT],
+ ax_cv_PTHREAD_PRIO_INHERIT, [
+ AC_LINK_IFELSE([
+ AC_LANG_PROGRAM([[#include <pthread.h>]], [[int i = PTHREAD_PRIO_INHERIT;]])],
+ [ax_cv_PTHREAD_PRIO_INHERIT=yes],
+ [ax_cv_PTHREAD_PRIO_INHERIT=no])
+ ])
+ AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"],
+ AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], 1, [Have PTHREAD_PRIO_INHERIT.]))
+
+ LIBS="$save_LIBS"
+ CFLAGS="$save_CFLAGS"
+
+ # More AIX lossage: must compile with xlc_r or cc_r
+ if test x"$GCC" != xyes; then
+ AC_CHECK_PROGS(PTHREAD_CC, xlc_r cc_r, ${CC})
+ else
+ PTHREAD_CC=$CC
+ fi
+else
+ PTHREAD_CC="$CC"
+fi
+
+AC_SUBST(PTHREAD_LIBS)
+AC_SUBST(PTHREAD_CFLAGS)
+AC_SUBST(PTHREAD_CC)
+
+# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
+if test x"$ax_pthread_ok" = xyes; then
+ ifelse([$1],,AC_DEFINE(HAVE_PTHREAD,1,[Define if you have POSIX threads libraries and header files.]),[$1])
+ :
+else
+ ax_pthread_ok=no
+ $2
+fi
+AC_LANG_POP
+])dnl AX_PTHREAD
9 man/Makefile.am
@@ -0,0 +1,9 @@
+man_MANS = \
+ dnscrypt-proxy.8
+
+EXTRA_DIST= \
+ dnscrypt-proxy.8 \
+ dnscrypt-proxy.8.markdown
+
+dnscrypt-proxy.8: dnscrypt-proxy.8.markdown
+ @RONN@ dnscrypt-proxy.8.markdown
96 man/dnscrypt-proxy.8
@@ -0,0 +1,96 @@
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "DNSCRYPT\-PROXY" "8" "December 2011" "" ""
+.
+.SH "NAME"
+\fBdnscrypt\-proxy\fR \- A DNSCrypt forwarder
+.
+.SH "SYNOPSIS"
+\fBdnscrypt\-proxy\fR [\fIoptions\fR]
+.
+.SH "DESCRIPTION"
+\fBdnscrypt\-proxy\fR accepts DNS requests, encrypts and signs them using dnscrypt and forwards them to a remote dnscrypt\-enabled resolver\.
+.
+.P
+Replies from the resolver are expected also to be encrypted and signed\.
+.
+.P
+The proxy verifies the signature of replies, decrypts them, and transparently forwards them to the local stub resolver\.
+.
+.P
+\fBdnscrypt\-proxy\fR listens to \fB127\.0\.0\.1\fR / port \fB53\fR by default\.
+.
+.SH "WARNING"
+\fBdnscrypt\-proxy\fR is not a DNS cache\. Unless your operating system already provides a decent built\-in cache (and by default, most systems don\'t), clients shouldn\'t directly send requests to \fBdnscrypt\-proxy\fR\.
+.
+.P
+Intead, run a DNS cache like \fBUnbound\fR, and configure it to use \fBdnscrypt\-proxy\fR as a forwarder\. Both can safely run on the same machine as long as they use different IP addresses and/or different ports\.
+.
+.SH "OPTIONS"
+.
+.IP "\(bu" 4
+\fB\-a\fR, \fB\-\-local\-address=<ip>\fR: what local IP the daemon will listen to\.
+.
+.IP "\(bu" 4
+\fB\-d\fR, \fB\-\-daemonize\fR: detach from the current terminal and run the server in background\.
+.
+.IP "\(bu" 4
+\fB\-e\fR, \fB\-\-edns\-payload\-size=<bytes>\fR: transparently add an OPT pseudo\-RR to outgoing queries in order to enable the EDNS0 extension mechanism\. The payload size is the size of the largest response we accept from the resolver before retrying over TCP\. This feature is enabled by default, with a payload size of 1280 bytes\. Any value below 512 disables it\.
+.
+.IP "\(bu" 4
+\fB\-h\fR, \fB\-\-help\fR: show usage\.
+.
+.IP "\(bu" 4
+\fB\-k\fR, \fB\-\-provider\-key=<key>\fR: specify the provider public key (see below)\.
+.
+.IP "\(bu" 4
+\fB\-l\fR, \fB\-\-logfile=<file>\fR: log events to this file instead of the standard output\.
+.
+.IP "\(bu" 4
+\fB\-n\fR, \fB\-\-max\-active\-requests=<count>\fR: set the maximum number of simultaneous active requests\. The default value is 250\.
+.
+.IP "\(bu" 4
+\fB\-p\fR, \fB\-\-pidfile=<file>\fR: write the PID number to a file\.
+.
+.IP "\(bu" 4
+\fB\-r\fR, \fB\-\-resolver\-address=<ip>\fR: a DNSCrypt\-capable resolver IP address\.
+.
+.IP "\(bu" 4
+\fB\-t\fR, \fB\-\-tcp\-port=<port>\fR: connect to the resolver on port \fIport\fR over TCP, as a workaround if UDP over port 53 is filtered\.
+.
+.IP "\(bu" 4
+\fB\-u\fR, \fB\-\-user=<user name>\fR: chroot(2) to this user\'s home directory and drop privileges\.
+.
+.IP "\(bu" 4
+\fB\-N\fR, \fB\-\-provider\-name=<FQDN>\fR: the fully\-qualified name of the dnscrypt certificate provider\.
+.
+.IP "\(bu" 4
+\fB\-P\fR, \fB\-\-local\-port=<port>\fR: local port to listen to\.
+.
+.IP "\(bu" 4
+\fB\-V\fR, \fB\-\-version\fR: show version number\.
+.
+.IP "" 0
+.
+.P
+A public key is 256\-bit long, and it has to be specified as a hexadecimal string, with optional columns\.
+.
+.SH "SIMPLE USAGE EXAMPLE"
+.
+.nf
+
+$ dnscrypt\-proxy \-\-daemonize
+.
+.fi
+.
+.SH "ADVANCED USAGE EXAMPLE"
+.
+.nf
+
+$ dnscrypt\-proxy \-\-provider\-key=3D5B:E53A:F5CB:0538:2E7A:7561:A5A1:9DF2:8D95:43F8:C617:E552:4360:D0BE:91EC:7FEA \-\-provider\-name=dnscrypt\-cert\.dnscrypt\.org\. \-\-resolver\-ip=208\.67\.220\.220 \-\-daemonize
+.
+.fi
+.
+.SH "COPYRIGHT"
+dnscrypt\-proxy is Copyright (C) 2011 OpenDNS, Inc\. \fBhttp://www\.opendns\.com/\fR
88 man/dnscrypt-proxy.8.markdown
@@ -0,0 +1,88 @@
+dnscrypt-proxy(8) -- A DNSCrypt forwarder
+=========================================
+
+## SYNOPSIS
+
+`dnscrypt-proxy` [<options>]
+
+## DESCRIPTION
+
+**dnscrypt-proxy** accepts DNS requests, encrypts and signs them using
+dnscrypt and forwards them to a remote dnscrypt-enabled resolver.
+
+Replies from the resolver are expected also to be encrypted and signed.
+
+The proxy verifies the signature of replies, decrypts them, and transparently
+forwards them to the local stub resolver.
+
+`dnscrypt-proxy` listens to `127.0.0.1` / port `53` by default.
+
+## WARNING
+
+**dnscrypt-proxy** is not a DNS cache. Unless your operating system
+already provides a decent built-in cache (and by default, most systems
+don't), clients shouldn't directly send requests to **dnscrypt-proxy**.
+
+Intead, run a DNS cache like **Unbound**, and configure it to use
+**dnscrypt-proxy** as a forwarder. Both can safely run on the same
+machine as long as they use different IP addresses and/or different
+ports.
+
+## OPTIONS
+
+ * `-a`, `--local-address=<ip>`: what local IP the daemon will listen to.
+
+ * `-d`, `--daemonize`: detach from the current terminal and run the server
+ in background.
+
+ * `-e`, `--edns-payload-size=<bytes>`: transparently add an OPT
+ pseudo-RR to outgoing queries in order to enable the EDNS0
+ extension mechanism. The payload size is the size of the largest
+ response we accept from the resolver before retrying over TCP.
+ This feature is enabled by default, with a payload size of 1280
+ bytes. Any value below 512 disables it.
+
+ * `-h`, `--help`: show usage.
+
+ * `-k`, `--provider-key=<key>`: specify the provider public key (see below).
+
+ * `-l`, `--logfile=<file>`: log events to this file instead of the
+ standard output.
+
+ * `-n`, `--max-active-requests=<count>`: set the maximum number of
+ simultaneous active requests. The default value is 250.
+
+ * `-p`, `--pidfile=<file>`: write the PID number to a file.
+
+ * `-r`, `--resolver-address=<ip>`: a DNSCrypt-capable resolver IP
+ address.
+
+ * `-t`, `--tcp-port=<port>`: connect to the resolver on port <port>
+ over TCP, as a workaround if UDP over port 53 is filtered.
+
+ * `-u`, `--user=<user name>`: chroot(2) to this user's home directory
+ and drop privileges.
+
+ * `-N`, `--provider-name=<FQDN>`: the fully-qualified name of the
+ dnscrypt certificate provider.
+
+ * `-P`, `--local-port=<port>`: local port to listen to.
+
+ * `-V`, `--version`: show version number.
+
+A public key is 256-bit long, and it has to be specified as a hexadecimal
+string, with optional columns.
+
+## SIMPLE USAGE EXAMPLE
+
+ $ dnscrypt-proxy --daemonize
+
+## ADVANCED USAGE EXAMPLE
+
+ $ dnscrypt-proxy --provider-key=3D5B:E53A:F5CB:0538:2E7A:7561:A5A1:9DF2:8D95:43F8:C617:E552:4360:D0BE:91EC:7FEA --provider-name=dnscrypt-cert.dnscrypt.org. --resolver-ip=208.67.220.220 --daemonize
+
+## COPYRIGHT
+
+dnscrypt-proxy is Copyright (C) 2011 OpenDNS, Inc.
+`http://www.opendns.com/`
+
37 packages/FreeBSD/dns/dnscrypt-proxy/Makefile
@@ -0,0 +1,37 @@
+# New ports collection makefile for: dnscrypt-proxy
+# Date created: 27 November 2011
+# Whom: OpenDNS Inc.
+#
+
+PORTNAME= dnscrypt-proxy
+PORTVERSION= 0.7
+CATEGORIES= dns
+MASTER_SITES= file:///tmp/
+LICENSE= BSD
+
+MAINTAINER= dnscrypt@opendns.com
+COMMENT= secure communications between a client and a DNS resolver
+
+USE_BZIP2= yes
+USE_RC_SUBR= dnscrypt-proxy.sh
+GNU_CONFIGURE= yes
+MAKE_JOBS_SAFE= yes
+CONFIGURE_ARGS= --sysconfdir=${PREFIX}/etc \
+ --localstatedir=/var
+
+MAN8= dnscrypt-proxy.8
+
+.include <bsd.port.pre.mk>
+
+PORTDOCS= AUTHORS COPYING README.markdown
+
+post-install:
+.if !defined(NOPORTDOCS)
+ @${MKDIR} ${DOCSDIR}
+. for doc in ${PORTDOCS}
+ ${INSTALL_DATA} ${WRKSRC}/${doc} ${DOCSDIR}
+. endfor
+.endif
+ @${CAT} ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
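Review bot: `MASTER_SITES= file:///tmp/` makes the port fetch its distfile from a world-writable directory, and `PORTVERSION= 0.7` does not match the `dnscrypt-proxy-0.1.tar.bz2` entry this commit adds to the port's distinfo, so the recorded SHA256 does not cover the tarball this Makefile names. Any local user can place a file of that name in /tmp, which leaves the checksum as the only integrity control, and it currently describes a different file. I would point `MASTER_SITES` at the project's release location (`MASTER_SITES= <release URL placeholder>`) and regenerate distinfo for the 0.7 tarball. The OpenBSD port in this commit has the same pair of problems: `MASTER_SITES= file:///tmp/` with `DISTNAME= dnscrypt-proxy-0.7` against a distinfo written for `dnscrypt-proxy-0.4.tar.gz`.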
2  packages/FreeBSD/dns/dnscrypt-proxy/distinfo
@@ -0,0 +1,2 @@
+SHA256 (dnscrypt-proxy-0.1.tar.bz2) = 8940b42190e4c943abdc233bd23ad00184a0524dca32129ddad88b752e244cbe
+SIZE (dnscrypt-proxy-0.1.tar.bz2) = 842210
27 packages/FreeBSD/dns/dnscrypt-proxy/files/dnscrypt-proxy.sh.in
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# PROVIDE: dnscrypt-proxy
+# REQUIRE: NETWORKING SERVERS
+# BEFORE: DAEMON
+# KEYWORD: shutdown
+
+#
+# Add the following lines to /etc/rc.conf to enable dnscrypt-proxy:
+#
+# dnscrypt_proxy_enable="YES"
+#
+
+. /etc/rc.subr
+
+name=dnscrypt_proxy
+rcvar=`set_rcvar`
+
+load_rc_config $name
+
+command=%%PREFIX%%/sbin/dnscrypt-proxy
+pidfile=/var/run/dnscrypt-proxy.pid
+
+dnscrypt_proxy_enable=${dnscrypt_proxy_enable:-"NO"}
+command_args="${dnscrypt_proxy_config} --daemonize --pidfile=${pidfile}"
+
+run_rc_command "$1"
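Review bot: `command_args` never passes `--user`, so the daemon keeps whatever privileges rc starts it with (presumably root) unless the administrator adds the option through `dnscrypt_proxy_config`, a variable this script neither documents nor gives a default. The man page added in this commit describes `--user` as the option that chroots and drops privileges, and the OpenBSD rc script in the same commit sets `--user=_dnscrypt-proxy`. I would give the variable a default next to the enable knob, e.g. `: ${dnscrypt_proxy_config="--user=<unprivileged user placeholder>"}`, and list it in the header comment alongside `dnscrypt_proxy_enable`. The FreeBSD port Makefile does not appear to create a dedicated account, so the default would need one to be added there as well.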
17 packages/FreeBSD/dns/dnscrypt-proxy/pkg-descr
@@ -0,0 +1,17 @@
+DNSCrypt is a slight variation on DNSCurve.
+
+DNSCurve improves confidentiality and integrity of DNS requests using
+high-speed high-security elliptic-curve cryptography. Best of all,
+DNSCurve has a very low overhead and adds virtually no latency to
+queries.
+
+DNSCurve aims at securing the entiere chain down to authoritative
+servers. But it only works with authoritative servers that explicitly
+support the protocol.
+
+The DNSCrypt protocol is very similar to DNSCurve, but focuses on
+securing communications between a client and its first-level resolver.
+While not providing end-to-end security, it protects the local
+network, which is often the weakest point of the chain, against
+man-in-the-middle attacks. It also provides some confidentiality to
+DNS queries.
10 packages/FreeBSD/dns/dnscrypt-proxy/pkg-message
@@ -0,0 +1,10 @@
+In order to perform queries over DNSCrypt, using OpenDNS as a
+resolver, the easiest way is to change your /etc/resolv.conf file to:
+
+nameserver 127.0.0.1
+lookup file bind
+options edns0
+
+But DNSCrypt does _not_ cache queries. So the recommended way to use
+it is as a forwarder for a DNS cache like Unbound.
+Both can safely run on the same host.
25 packages/OpenBSD/net/dnscrypt-proxy/Makefile
@@ -0,0 +1,25 @@
+
+COMMENT= secure communications between a client and a DNS resolver
+
+DISTNAME= dnscrypt-proxy-0.7
+CATEGORIES= net
+MASTER_SITES= file:///tmp/
+
+HOMEPAGE= http://www.dnscrypt.org/
+
+MAINTAINER= OpenDNS Inc. <dnscrypt@opendns.com>
+
+PERMIT_PACKAGE_CDROM= No
+PERMIT_PACKAGE_FTP= No
+PERMIT_DISTFILES_CDROM= No
+PERMIT_DISTFILES_FTP= No
+WANTLIB= c m
+
+CONFIGURE_STYLE= gnu
+
+DOCS+= README.markdown
+
+post-install:
+ cd ${WRKSRC}; ${INSTALL_DATA} ${DOCS} ${PREFIX}/share/doc/dnscrypt-proxy
+
+.include <bsd.port.mk>
5 packages/OpenBSD/net/dnscrypt-proxy/distinfo
@@ -0,0 +1,5 @@
+MD5 (dnscrypt-proxy-0.4.tar.gz) = eBzTWTZb7psqCAVANBevNg==
+RMD160 (dnscrypt-proxy-0.4.tar.gz) = QhRmoCKQOVyuazAkljmvMLNgzbU=
+SHA1 (dnscrypt-proxy-0.4.tar.gz) = DW/uYmGHYIu8XQ1lYe/nzO34gMw=
+SHA256 (dnscrypt-proxy-0.4.tar.gz) = s0uTPtxw6hwberEN9+4icuqb+Nt8DBNDLH9++Y+D1fc=
+SIZE (dnscrypt-proxy-0.4.tar.gz) = 1161895
17 packages/OpenBSD/net/dnscrypt-proxy/pkg/DESCR
@@ -0,0 +1,17 @@
+DNSCrypt is a slight variation on DNSCurve.
+
+DNSCurve improves confidentiality and integrity of DNS requests using
+high-speed high-security elliptic-curve cryptography. Best of all,
+DNSCurve has a very low overhead and adds virtually no latency to
+queries.
+
+DNSCurve aims at securing the entiere chain down to authoritative
+servers. But it only works with authoritative servers that explicitly
+support the protocol.
+
+The DNSCrypt protocol is very similar to DNSCurve, but focuses on
+securing communications between a client and its first-level resolver.
+While not providing end-to-end security, it protects the local
+network, which is often the weakest point of the chain, against
+man-in-the-middle attacks. It also provides some confidentiality to
+DNS queries.
10 packages/OpenBSD/net/dnscrypt-proxy/pkg/MESSAGE
@@ -0,0 +1,10 @@
+In order to perform queries over DNSCrypt, using OpenDNS as a
+resolver, the easiest way is change your /etc/resolv.conf file to:
+
+nameserver 127.0.0.1
+lookup file bind
+options edns0
+
+But DNSCrypt does _not_ cache queries. So the recommended way to use
+it is as a forwarder for a DNS cache like Unbound.
+Both can safely run on the same host.
7 packages/OpenBSD/net/dnscrypt-proxy/pkg/PLIST
@@ -0,0 +1,7 @@
+@comment $OpenBSD$
+@newgroup _dnscrypt-proxy:686
+@newuser _dnscrypt-proxy:686:_dnscrypt-proxy:daemon:dnscrypt-proxy user:/nonexistent:/sbin/nologin
+@man man/man8/dnscrypt-proxy.8
+@bin sbin/dnscrypt-proxy
+share/doc/dnscrypt-proxy
+@rcscript ${RCDIR}/dnscrypt_proxy
12 packages/OpenBSD/net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+daemon="${TRUEPREFIX}/sbin/dnscrypt-proxy"
+
+# Use OpenDNS resolvers
+daemon_flags="--user=_dnscrypt-proxy"
+
+. /etc/rc.d/rc.subr
+
+rc_reload=NO
+
+rc_cmd $1
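Review bot: The comment `# Use OpenDNS resolvers` does not describe the line under it, since `daemon_flags` only selects the account the proxy switches to. Something like `# Drop privileges to the dedicated _dnscrypt-proxy account once the listeners are bound` would match what app.c in this commit does. The pkgsrc rc script added in the same commit passes `--daemonize` and this one does not. If the proxy stays in the foreground by default, starting it from rc.d would not return, so `daemon_flags="--daemonize --user=_dnscrypt-proxy"` is probably what is wanted; confirm against the option defaults in options.c.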
15 packages/fpm/fpm.sh
@@ -0,0 +1,15 @@
+#! /bin/sh
+
+VERSION="0.7"
+TMPDIR=${TMPDIR:-/tmp}
+BASE_DIR=$(mktemp -d "$TMPDIR"/dnscrypt.XXXXXX)
+INSTALL_DIR="$BASE_DIR/usr/local"
+
+./configure --prefix="$INSTALL_DIR" && make -j4 install
+
+sudo chown -R 0:0 $BASE_DIR
+find $BASE_DIR -type d -exec chmod 755 {} \;
+
+for t in deb rpm; do
+ fpm -s dir -t "$t" -n dnscrypt-proxy -v "$VERSION" -C "$BASE_DIR"
+done
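Review bot: Nothing stops this script when an earlier step fails. If `mktemp` fails, `BASE_DIR` is empty, so the install prefix collapses to `/usr/local` and the unquoted `find $BASE_DIR` has no start path (GNU find then walks the current directory). If `./configure && make` fails, the chown, chmod and fpm steps still run on a partial tree. `--prefix="$INSTALL_DIR"` also configures the build with the temporary directory as its prefix; configuring for `/usr/local` and staging with `DESTDIR` keeps the packaged paths right, assuming the install rules honour `DESTDIR`. The `chmod` runs as the invoking user after ownership has already gone to root, so it should come before the `chown`.

```shell
set -e

BASE_DIR=$(mktemp -d "$TMPDIR"/dnscrypt.XXXXXX)

./configure --prefix=/usr/local
make -j4 install DESTDIR="$BASE_DIR"

find "$BASE_DIR" -type d -exec chmod 755 {} \;
sudo chown -R 0:0 "$BASE_DIR"
# … unchanged: fpm loop over deb and rpm …
```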
17 packages/pkgsrc/net/dnscrypt-proxy/DESCR
@@ -0,0 +1,17 @@
+DNSCrypt is a slight variation on DNSCurve.
+
+DNSCurve improves confidentiality and integrity of DNS requests using
+high-speed high-security elliptic-curve cryptography. Best of all,
+DNSCurve has a very low overhead and adds virtually no latency to
+queries.
+
+DNSCurve aims at securing the entiere chain down to authoritative
+servers. But it only works with authoritative servers that explicitly
+support the protocol.
+
+The DNSCrypt protocol is very similar to DNSCurve, but focuses on
+securing communications between a client and its first-level resolver.
+While not providing end-to-end security, it protects the local
+network, which is often the weakest point of the chain, against
+man-in-the-middle attacks. It also provides some confidentiality to
+DNS queries.
10 packages/pkgsrc/net/dnscrypt-proxy/MESSAGE
@@ -0,0 +1,10 @@
+In order to perform queries over DNSCrypt, using OpenDNS as a
+resolver, the easiest way is change your /etc/resolv.conf file to:
+
+nameserver 127.0.0.1
+lookup file bind
+options edns0
+
+But DNSCrypt does _not_ cache queries. So the recommended way to use
+it is as a forwarder for a DNS cache like Unbound.
+Both can safely run on the same host.
30 packages/pkgsrc/net/dnscrypt-proxy/Makefile
@@ -0,0 +1,30 @@
+
+DISTNAME= dnscrypt-proxy-0.7
+CATEGORIES= net
+MASTER_SITES= file:///tmp/
+EXTRACT_SUFX= .tar.bz2
+
+MAINTAINER= dnscrypt@opendns.com
+HOMEPAGE= http://www.dnscrypt.org
+COMMENT= secure communications between a client and a DNS resolver
+LICENSE= modified-bsd
+
+PKG_DESTDIR_SUPPORT= user-destdir
+
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
+CONFIGURE_ARGS+= --localstatedir=${VARBASE}
+
+BUILD_DEFS+= VARBASE
+
+.include "../../mk/bsd.prefs.mk"
+
+RCD_SCRIPTS= dnscrypt_proxy
+INSTALLATION_DIRS= share/doc/dnscrypt-proxy
+
+post-install:
+ cd ${WRKSRC} && \
+ ${INSTALL_DATA} README.markdown \
+ ${DESTDIR}${PREFIX}/share/doc/dnscrypt-proxy
+
+.include "../../mk/bsd.pkg.mk"
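Review bot: `MASTER_SITES= file:///tmp/` makes the port take its distfile from a world-writable directory, so any local user on the build host can supply the archive that gets built and installed. The distinfo added alongside it would not catch a substituted archive: it records `dnscrypt-proxy-0.1.tar.bz2` while `DISTNAME` here is `dnscrypt-proxy-0.7`, so the file actually fetched has no matching checksum entry. Point `MASTER_SITES` at the project's release location (`MASTER_SITES= <release download URL>`) and regenerate distinfo for the 0.7 archive. `HOMEPAGE` is plain `http://`; use the HTTPS address if the site serves one.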
6 packages/pkgsrc/net/dnscrypt-proxy/PLIST
@@ -0,0 +1,6 @@
+@comment $NetBSD$
+sbin/dnscrypt-proxy
+man/man8/dnscrypt-proxy.8
+share/doc/dnscrypt-proxy/README.markdown
+share/examples/rc.d/dnscrypt_proxy
+
5 packages/pkgsrc/net/dnscrypt-proxy/distinfo
@@ -0,0 +1,5 @@
+$NetBSD$
+
+SHA1 (dnscrypt-proxy-0.1.tar.bz2) = 0f633d34d9385306f769faa0733ad9737ca4dafa
+RMD160 (dnscrypt-proxy-0.1.tar.bz2) = 397549f50ee8271b49f52e42f0bf76ac0716a2fb
+Size (dnscrypt-proxy-0.1.tar.bz2) = 838889 bytes
16 packages/pkgsrc/net/dnscrypt-proxy/files/dnscrypt_proxy.sh
@@ -0,0 +1,16 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# PROVIDE: dnscrypt_proxy
+# REQUIRE: DAEMON
+
+. /etc/rc.subr
+
+name="dnscrypt_proxy"
+help_name="dnscrypt-proxy"
+rcvar=$name
+command="@PREFIX@/sbin/${help_name}"
+pidfile="@VARBASE@/run/${help_name}.pid"
+command_args="--daemonize --pidfile={$pidfile}"
+
+load_rc_config $name
+run_rc_command "$1"
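Review bot: `command_args="--daemonize --pidfile={$pidfile}"` has the brace and dollar sign swapped, so the daemon receives the pid path wrapped in literal braces and rc.subr's `pidfile` will not match the file written. It should read `command_args="--daemonize --pidfile=${pidfile}"`. Unlike the OpenBSD script in this commit, no `--user` is passed. `revoke_privileges()` in app.c only switches ids when `user_id` is non-zero, so as far as the visible code shows the proxy keeps root when started this way. Adding `--user=<dedicated account>` and creating that account in the package would close the gap.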
5 src/Makefile.am
@@ -0,0 +1,5 @@
+
+SUBDIRS = \
+ dnscrypt-proxy \
+ libuv \
+ libnacl
75 src/dnscrypt-proxy/Makefile.am
@@ -0,0 +1,75 @@
+
+sbin_PROGRAMS = \
+ dnscrypt-proxy
+
+dnscrypt_proxy_SOURCES = \
+ alt_arc4random.c \
+ alt_arc4random.h \
+ app.c \
+ app.h \
+ cert.c \
+ cert.h \
+ cert_p.h \
+ dnscrypt.c \
+ dnscrypt.h \
+ dnscrypt_client.c \
+ dnscrypt_client.h \
+ dnscrypt_proxy.h \
+ edns.c \
+ edns.h \
+ logger.c \
+ logger.h \
+ options.c \
+ options.h \
+ pid_file.c \
+ pid_file.h \
+ pathnames.h \
+ probes_dnscrypt_proxy.d \
+ probes_no_dtrace.h \
+ safe_rw.c \
+ safe_rw.h \
+ stack_trace.c \
+ stack_trace.h \
+ tcp_request.c \
+ tcp_request.h \
+ tcp_request_p.h \
+ udp_request.c \
+ udp_request.h \
+ udp_request_p.h \
+ utils.c \
+ utils.h \
+ uv_alloc.c \
+ uv_alloc.h
+
+AM_CFLAGS = @CWFLAGS@
+
+AM_CPPFLAGS = \
+ -I../libuv/include \
+ -I../@NACL_PATH@/include/local
+
+dnscrypt_proxy_LDADD = \
+ ../libuv/uv.a \
+ ../@NACL_PATH@/lib/local/libnacl.a
+
+dnscrypt_proxy_DEPENDENCIES = \
+ ../libuv/.done
+
+BUILT_SOURCES = \
+ ../libnacl/.done \
+ probes.h
+
+../libnacl/.done:
+ cd ../libnacl && $(MAKE) $(AM_MAKEFLAGS)
+
+../libuv/.done:
+ cd ../libuv && $(MAKE) $(AM_MAKEFLAGS)
+
+probes.h: @PROBES_SOURCE@
+ cat @PROBES_SOURCE@ > $@
+
+probes_dnscrypt_proxy.h: probes_dnscrypt_proxy.d
+ @DTRACE@ -o $@ -h -s probes_dnscrypt_proxy.d
+
+CLEANFILES = \
+ probes.h \
+ probes_dnscrypt_proxy.h
302 src/dnscrypt-proxy/alt_arc4random.c
@@ -0,0 +1,302 @@
+/*
+ * Copyright (c) 1996, David Mazieres <dm@uun.org>
+ * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Arc4 random number generator for OpenBSD.
+ *
+ * This code is derived from section 17.1 of Applied Cryptography,
+ * second edition, which describes a stream cipher allegedly
+ * compatible with RSA Labs "RC4" cipher (the actual description of
+ * which is a trade secret). The same algorithm is used as a stream
+ * cipher called "arcfour" in Tatu Ylonen's ssh package.
+ *
+ * RC4 is a registered trademark of RSA Laboratories.
+ */
+
+/*
+ * OpenBSD can fetch random data through a sysctl call, but other operating
+ * systems require reading a device.
+ * This modified version of the arc4random*() functions keeps an open file
+ * descriptor, so that we can still reseed the PRNG after a chroot() call.
+ */
+
+#ifndef __OpenBSD__
+
+#include <config.h>
+#include <sys/types.h>
+
+#include <fcntl.h>
+#include <limits.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "alt_arc4random.h"
+#include "safe_rw.h"
+
+struct alt_arc4_stream {
+ uint8_t i;
+ uint8_t j;
+ uint8_t s[256];
+};
+
+static int rs_initialized;
+static struct alt_arc4_stream rs;
+static pid_t alt_arc4_stir_pid;
+static int alt_arc4_count;
+static int random_data_source_fd = -1;
+static uint8_t alt_arc4_getbyte(void);
+
+/* Warning: no thread safety. But we don't need any */
+#define _alt_arc4_LOCK() do { } while(0)
+#define _alt_arc4_UNLOCK() do { } while(0)
+
+static int
+alt_arc4_random_dev_open(void)
+{
+ static const char * const devices[] = {
+ "/dev/arandom", "/dev/urandom", "/dev/random", NULL
+ };
+ const char * const *device = devices;
+
+ do {
+ if (access(*device, F_OK | R_OK) == 0) {
+ return open(*device, O_RDONLY);
+ }
+ device++;
+ } while (*device != NULL);
+
+ return -1;
+}
+
+static void
+alt_arc4_init(void)
+{
+ int n;
+
+ for (n = 0; n < 256; n++) {
+ rs.s[n] = n;
+ }
+ rs.i = 0;
+ rs.j = 0;
+
+ if (random_data_source_fd != -1) {
+ return;
+ }
+ if ((random_data_source_fd = alt_arc4_random_dev_open()) == -1) {
+ abort();
+ }
+}
+
+static void
+alt_arc4_addrandom(unsigned char *dat, int datlen)
+{
+ int n;
+ uint8_t si;
+
+ rs.i--;
+ for (n = 0; n < 256; n++) {
+ rs.i = (rs.i + 1);
+ si = rs.s[rs.i];
+ rs.j = (rs.j + si + dat[n % datlen]);
+ rs.s[rs.i] = rs.s[rs.j];
+ rs.s[rs.j] = si;
+ }
+ rs.j = rs.i;
+}
+
+static void
+alt_arc4_stir(void)
+{
+ int i;
+ unsigned char rnd[128];
+
+ if (!rs_initialized) {
+ alt_arc4_init();
+ rs_initialized = 1;
+ }
+
+ safe_read(random_data_source_fd, rnd, sizeof(rnd));
+
+ alt_arc4_addrandom(rnd, sizeof(rnd));
+
+ /*
+ * Discard early keystream, as per recommendations in:
+ * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
+ */
+ for (i = 0; i < 256; i++) {
+ (void)alt_arc4_getbyte();
+ }
+ alt_arc4_count = 1600000;
+}
+
+static void
+alt_arc4_stir_if_needed(void)
+{
+ pid_t pid = getpid();
+
+ if (alt_arc4_count <= 0 || !rs_initialized || alt_arc4_stir_pid != pid) {
+ alt_arc4_stir_pid = pid;
+ alt_arc4_stir();
+ }
+}
+
+static uint8_t
+alt_arc4_getbyte(void)
+{
+ uint8_t si, sj;
+
+ rs.i = (rs.i + 1);
+ si = rs.s[rs.i];
+ rs.j = (rs.j + si);
+ sj = rs.s[rs.j];
+ rs.s[rs.i] = sj;
+ rs.s[rs.j] = si;
+
+ return (rs.s[(si + sj) & 0xff]);
+}
+
+static uint32_t
+alt_arc4_getword(void)
+{
+ uint32_t val;
+ val = ((uint32_t) alt_arc4_getbyte()) << 24;
+ val |= ((uint32_t) alt_arc4_getbyte()) << 16;
+ val |= ((uint32_t) alt_arc4_getbyte()) << 8;
+ val |= ((uint32_t) alt_arc4_getbyte());
+
+ return val;
+}
+
+void
+alt_arc4random_stir(void)
+{
+ _alt_arc4_LOCK();
+ alt_arc4_stir();
+ _alt_arc4_UNLOCK();
+}
+
+int
+alt_arc4random_close(void)
+{
+ int ret = -1;
+
+ _alt_arc4_LOCK();
+ if (random_data_source_fd != -1 && close(random_data_source_fd) == 0) {
+ random_data_source_fd = -1;
+ ret = 0;
+ }
+ _alt_arc4_UNLOCK();
+
+ return ret;
+}
+
+void
+alt_arc4random_addrandom(unsigned char *dat, int datlen)
+{
+ _alt_arc4_LOCK();
+ if (!rs_initialized) {
+ alt_arc4_stir();
+ }
+ alt_arc4_addrandom(dat, datlen);
+ _alt_arc4_UNLOCK();
+}
+
+uint32_t
+alt_arc4random(void)
+{
+ uint32_t val;
+ _alt_arc4_LOCK();
+ alt_arc4_count -= 4;
+ alt_arc4_stir_if_needed();
+ val = alt_arc4_getword();
+ _alt_arc4_UNLOCK();
+
+ return val;
+}
+
+void
+alt_arc4random_buf(void *_buf, size_t n)
+{
+ unsigned char *buf = (unsigned char *)_buf;
+ _alt_arc4_LOCK();
+ alt_arc4_stir_if_needed();
+ while (n--) {
+ if (--alt_arc4_count <= 0) {
+ alt_arc4_stir();
+ }
+ buf[n] = alt_arc4_getbyte();
+ }
+ _alt_arc4_UNLOCK();
+}
+
+/*
+ * Calculate a uniformly distributed random number less than upper_bound
+ * avoiding "modulo bias".
+ *
+ * Uniformity is achieved by generating new random numbers until the one
+ * returned is outside the range [0, 2**32 % upper_bound). This
+ * guarantees the selected random number will be inside
+ * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound)
+ * after reduction modulo upper_bound.
+ */
+uint32_t
+alt_arc4random_uniform(uint32_t upper_bound)
+{
+ uint32_t r, min;
+
+ if (upper_bound < 2) {
+ return 0;
+ }
+
+#if (ULONG_MAX > 0xffffffffUL)
+ min = (uint32_t) (0x100000000UL % upper_bound);
+#else
+ /* Calculate (2**32 % upper_bound) avoiding 64-bit math */
+ if (upper_bound > 0x80000000)
+ min = 1 + ~upper_bound; /* 2**32 - upper_bound */
+ else {
+ /* (2**32 - (x * 2)) % x == 2**32 % x when x <= 2**31 */
+ min = ((0xffffffff - (upper_bound * 2)) + 1) % upper_bound;
+ }
+#endif
+
+ /*
+ * This could theoretically loop forever but each retry has
+ * p > 0.5 (worst case, usually far better) of selecting a
+ * number inside the range we need, so it should rarely need
+ * to re-roll.
+ */
+ for (;;) {
+ r = alt_arc4random();
+ if (r >= min) {
+ break;
+ }
+ }
+
+ return r % upper_bound;
+}
+
+#else
+
+int
+alt_arc4random_close(void)
+{
+ return 0;
+}
+
+#endif
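Review bot: In `alt_arc4_stir()` the result of `safe_read(random_data_source_fd, rnd, sizeof(rnd))` is discarded, so a failed or short read mixes the uninitialised `rnd` stack buffer into the RC4 state and the generator carries on as if it had been seeded. The file itself can reach that state: `alt_arc4random_close()` sets the descriptor to -1 but leaves `rs_initialized` set, so any later stir reads from -1. Assuming `safe_read` returns the number of bytes read (its declaration is in safe_rw.h, not shown here), fail closed the way `alt_arc4_init()` already does: `if (safe_read(random_data_source_fd, rnd, sizeof(rnd)) != (ssize_t) sizeof(rnd)) { abort(); }`. `alt_arc4_addrandom()` also evaluates `n % datlen` with no guard against `datlen <= 0`, which the public `alt_arc4random_addrandom()` passes straight through.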
28 src/dnscrypt-proxy/alt_arc4random.h
@@ -0,0 +1,28 @@
+
+#ifndef __ALT_ARC4RANDOM_H__
+#define __ALT_ARC4RANDOM_H__ 1
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#ifdef __OpenBSD__
+
+#define alt_arc4random() arc4random()
+#define alt_arc4random_stir() arc4random_stir()
+#define alt_arc4random_addrandom(A, B) arc4random_addrandom(A, B)
+#define alt_arc4random_uniform(A) arc4random_uniform(A)
+#define alt_arc4random_buf(A, B) arc4random_buf(A, B)
+
+#else
+
+uint32_t alt_arc4random(void);
+void alt_arc4random_stir(void);
+void alt_arc4random_addrandom(unsigned char *, int);
+uint32_t alt_arc4random_uniform(uint32_t);
+void alt_arc4random_buf(void *, size_t);
+
+#endif
+
+int alt_arc4random_close(void);
+
+#endif
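Review bot: `alt_arc4random_close()` is the one function declared for both branches, and its contract is not written down anywhere in the header. I would add a comment above it: `/* Close the descriptor kept open for reseeding. Call only at shutdown; do not use alt_arc4random*() afterwards. Returns 0 on success, -1 if nothing was open or close() failed (always 0 on OpenBSD). */`. The prototypes would also read better with parameter names, e.g. `void alt_arc4random_buf(void *buf, size_t n);`. The guard `__ALT_ARC4RANDOM_H__` (and `__APP_H__` in app.h) uses an identifier reserved for the implementation; `ALT_ARC4RANDOM_H` avoids that.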
166 src/dnscrypt-proxy/app.c
@@ -0,0 +1,166 @@
+
+#include <config.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <errno.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "app.h"
+#include "dnscrypt_client.h"
+#include "dnscrypt_proxy.h"
+#include "alt_arc4random.h"
+#include "logger.h"
+#include "options.h"
+#include "stack_trace.h"
+#include "tcp_request.h"
+#include "udp_request.h"
+#include "uv.h"
+#include "uv_alloc.h"
+
+static AppContext app_context;
+
+static int
+proxy_context_init(ProxyContext * const proxy_context,
+ uv_loop_t * const event_loop, int argc, char *argv[])
+{
+ struct sockaddr_in resolver_addr;
+
+ memset(proxy_context, 0, sizeof *proxy_context);
+ options_parse(&app_context, proxy_context, argc, argv);
+ resolver_addr = uv_ip4_addr(proxy_context->resolver_ip,
+ proxy_context->resolver_port);
+ proxy_context->event_loop = event_loop;
+ proxy_context->resolver_addr_len = sizeof(struct sockaddr_in);
+ memcpy(&proxy_context->resolver_addr, &resolver_addr,
+ proxy_context->resolver_addr_len);
+ uv_alloc_init(proxy_context);
+
+ return 0;
+}
+
+static void
+proxy_context_free(ProxyContext * const proxy_context)
+{
+ if (proxy_context == NULL) {
+ return;
+ }
+ uv_alloc_free(proxy_context);
+ options_free(proxy_context);
+ logger_close(proxy_context);
+}
+
+static
+int init_tz(void)
+{
+ static char default_tz_for_putenv[] = "TZ=UTC+00:00";
+ char stbuf[10U];
+ struct tm *tm;
+ time_t now;
+
+ tzset();
+ time(&now);
+ if ((tm = localtime(&now)) == NULL ||
+ strftime(stbuf, sizeof stbuf, "%z", tm) != (size_t) 5U) {
+ return -1;
+ }
+ snprintf(default_tz_for_putenv, sizeof default_tz_for_putenv,
+ "TZ=UTC%c%c%c:%c%c", (*stbuf == '-' ? '+' : '-'),
+ stbuf[1], stbuf[2], stbuf[3], stbuf[4]);
+ putenv(default_tz_for_putenv);
+ (void) gmtime(&now);
+
+ return 0;
+}
+
+static void
+revoke_privileges(ProxyContext * const proxy_context)
+{
+#ifdef DEBUG
+ (void) proxy_context;
+#else
+ alt_arc4random_stir();
+ init_tz();
+ (void) strerror(ENOENT);
+ if (proxy_context->user_dir != NULL) {
+ if (chdir(proxy_context->user_dir) != 0 ||
+ chroot(proxy_context->user_dir) != 0 || chdir("/") != 0) {
+ logger(proxy_context, LOG_ERR, "Unable to chroot to [%s]",
+ proxy_context->user_dir);
+ exit(1);
+ }
+ }
+ if (proxy_context->user_id != (uid_t) 0) {
+ if (setgid(proxy_context->user_group) != 0 ||
+ setegid(proxy_context->user_group) != 0 ||
+ setuid(proxy_context->user_id) != 0 ||
+ seteuid(proxy_context->user_id) != 0) {
+ logger(proxy_context, LOG_ERR, "Unable to switch to user id [%lu]",
+ (unsigned long) proxy_context->user_id);
+ exit(1);
+ }
+ }
+#endif
+}
+
+int
+dnscrypt_proxy_start_listeners(ProxyContext * const proxy_context)
+{
+ if (proxy_context->listeners_started != 0) {
+ return 0;
+ }
+ if (tcp_listener_start(proxy_context) != 0 ||
+ udp_listener_start(proxy_context) != 0) {
+ exit(1);
+ }
+ logger(proxy_context, LOG_INFO,
+ PACKAGE " is ready: proxying from [%s] to [%s]",
+ proxy_context->listen_ip, proxy_context->resolver_ip);
+
+ proxy_context->listeners_started = 1;
+
+ return 0;
+}
+
+int
+main(int argc, char *argv[])
+{
+ ProxyContext proxy_context;
+ uv_loop_t *event_loop = uv_loop_new();
+
+ stack_trace_on_crash();
+ proxy_context_init(&proxy_context, event_loop, argc, argv);
+ app_context.proxy_context = &proxy_context;
+ logger_noformat(&proxy_context, LOG_INFO, "Generating a new key pair");
+ dnscrypt_client_init_with_new_key_pair(&proxy_context.dnscrypt_client);
+ logger_noformat(&proxy_context, LOG_INFO, "Done");
+
+ if (cert_updater_init(&proxy_context) != 0 ||
+ tcp_listener_bind(&proxy_context) != 0 ||
+ udp_listener_bind(&proxy_context) != 0) {
+ exit(1);
+ }
+
+ signal(SIGPIPE, SIG_IGN);
+ revoke_privileges(&proxy_context);
+
+ if (cert_updater_start(&proxy_context) != 0) {
+ exit(1);
+ }
+ uv_run(event_loop);
+
+ logger_noformat(&proxy_context, LOG_INFO, "Stopping proxy");
+ cert_updater_stop(&proxy_context);
+ tcp_listener_stop(&proxy_context);
+ udp_listener_stop(&proxy_context);
+ uv_loop_delete(event_loop);
+ proxy_context_free(&proxy_context);
+ alt_arc4random_close();
+
+ return 0;
+}
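Review bot: `revoke_privileges()` changes the gid and uid but never resets the supplementary group list, so after `setuid()` the process still belongs to every group it was started with (root's groups, when launched from an rc script). Clear the list before the `setgid()` call by including `<grp.h>`, declaring `gid_t gid = proxy_context->user_group;` and making `setgroups(1, &gid) != 0 ||` the first term of that condition. When `user_id` is 0 the function returns without switching ids and logs nothing, so a start without `--user` stays root silently; a warning there would make that visible. In `main()` the results of `uv_loop_new()` and `proxy_context_init()` are not checked.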
9 src/dnscrypt-proxy/app.h
@@ -0,0 +1,9 @@
+
+#ifndef __APP_H__
+#define __APP_H__ 1
+
+typedef struct AppContext_ {
+ struct ProxyContext_ *proxy_context;
+} AppContext;
+
+#endif
322 src/dnscrypt-proxy/cert.c
@@ -0,0 +1,322 @@
+
+#include <config.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "cert.h"
+#include "cert_p.h"
+#include "crypto_sign.h"
+#include "dnscrypt_proxy.h"
+#include "logger.h"
+#include "probes.h"
+
+static int
+cert_parse_version(ProxyContext * const proxy_context,