From c814238af4b68241308578c5dee69b04f54930bf Mon Sep 17 00:00:00 2001
From: Adam Schultz
Date: Tue, 29 Jul 2025 17:55:27 -0400
Subject: [PATCH] Update stubby to bookworm base image for newer OpenSSL

---
 stubby/Dockerfile | 70 ++++++++++++++++++++++++++---------------------
 1 file changed, 39 insertions(+), 31 deletions(-)

diff --git a/stubby/Dockerfile b/stubby/Dockerfile
index f2eb118..985dc38 100644
--- a/stubby/Dockerfile
+++ b/stubby/Dockerfile
@@ -1,9 +1,25 @@
-FROM debian:buster as openssl
+FROM debian:bookworm AS openssl
+LABEL maintainer="Matthew Vance"
 
-ENV VERSION_OPENSSL=openssl-1.1.1k \
- SHA256_OPENSSL=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5 \
+ENV VERSION_OPENSSL=openssl-3.3.2 \
+ SHA256_OPENSSL=2e8a40b01979afe8be0bbfb3de5dc1c6709fedb46d6c89c10da114ab5fc3d281 \
 SOURCE_OPENSSL=https://www.openssl.org/source/ \
- OPGP_OPENSSL=8657ABB260F056B1E5190839D9C4D26D0E604491
+ # OpenSSL OMC
+ OPGP_OPENSSL_1=EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5 \
+ # Richard Levitte
+ OPGP_OPENSSL_2=7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C \
+ # Matt Caswell
+ OPGP_OPENSSL_3=8657ABB260F056B1E5190839D9C4D26D0E604491 \
+ # Paul Dale
+ OPGP_OPENSSL_4=B7C1C14360F353A36862E4D5231C84CDDCC69C45 \
+ # Tomas Mraz
+ OPGP_OPENSSL_5=A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C \
+ # Tim Hudson
+ OPGP_OPENSSL_6=C1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD \
+ # Kurt Roeckx
+ OPGP_OPENSSL_7=E5E52560DD91C556DDBDA5D02064C53641C25E5D \
+ # OpenSSL
+ OPGP_OPENSSL_8=BA5473A2B0587B07FB27CF2D216094DFD0CB81EF
 
 WORKDIR /tmp/src
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
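Review bot: The `ENV` block now lists eight OpenPGP fingerprints where the old file pinned one, and the second hunk imports all of them before `gpg --batch --verify`, which succeeds on a good signature from any key in the keyring, so the signature check becomes only as strong as the least protected of the eight keys. I would keep only the fingerprint(s) expected to sign this release series, or check the signer explicitly by reading the `VALIDSIG` line from `gpg --status-fd 1 --verify` and comparing it with the expected fingerprint. The `RUN` that consumes these variables continues past the visible end of the second hunk, so this is judged from the visible lines only. Separately, `FROM debian:bookworm` is a floating tag; pinning it by digest (`debian:bookworm@sha256:<digest>`) would make the stage reproducible, and it is worth confirming that 3.3.2 is still the current patch release of its series.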
@@ -11,36 +27,27 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN set -e -x && \
 build_deps="build-essential ca-certificates curl dirmngr gnupg libidn2-0-dev libssl-dev" && \
 DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
- build-essential \
- ca-certificates \
- curl \
- dirmngr \
- gnupg \
- libidn2-0-dev \
- libssl-dev && \
+ $build_deps && \
 curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz -o openssl.tar.gz && \
 echo "${SHA256_OPENSSL} ./openssl.tar.gz" | sha256sum -c - && \
 curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz.asc -o openssl.tar.gz.asc && \
 GNUPGHOME="$(mktemp -d)" && \
 export GNUPGHOME && \
- gpg --no-tty --keyserver keys.openpgp.org --recv-keys "$OPGP_OPENSSL" && \
+ gpg --no-tty --keyserver keyserver.ubuntu.com --recv-keys "$OPGP_OPENSSL_1" "$OPGP_OPENSSL_2" "$OPGP_OPENSSL_3" "$OPGP_OPENSSL_4" "$OPGP_OPENSSL_5" "$OPGP_OPENSSL_6" "$OPGP_OPENSSL_7" "$OPGP_OPENSSL_8" && \
 gpg --batch --verify openssl.tar.gz.asc openssl.tar.gz && \
 tar xzf openssl.tar.gz && \
- cd "${VERSION_OPENSSL}" && \
- /bin/sh -c 'if gcc -dM -E -