Commit 1f0a0f6c authored by Vladimír Čunát's avatar Vladimír Čunát

Merge branch 'master'

parents 5f0b840d 446343ee
---
Checks: 'bugprone-*,cert-*,-clang-analyzer-unix.Malloc,-clang-analyzer-deadcode.DeadStores,-clang-analyzer-valist.Uninitialized,readability-*,-readability-braces-*,-readability-else-after-return,-readability-redundant-declaration,-readability-non-const-parameter,google-readability-casting,misc-*,-misc-macro-parentheses,-misc-unused-parameters'
WarningsAsErrors: 'cert-*,misc-*,readability-*,clang-analyzer-*,-readability-non-const-parameter'
HeaderFilterRegex: 'contrib/ucw/*.h'
CheckOptions:
- key: readability-identifier-naming
value: 'lower_case'
- key: readability-function-size.StatementThreshold
value: '400'
- key: readability-function-size.LineThreshold
value: '500'
\ No newline at end of file
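Review bot: `HeaderFilterRegex: 'contrib/ucw/*.h'` reads like a shell glob, but clang-tidy treats this option as a regular expression, where `/*` means zero or more slashes and `.` any single character, so ordinary header paths such as contrib/ucw/mempool.h most likely never match and diagnostics from those headers are silently dropped despite `WarningsAsErrors`. The regex form would be `HeaderFilterRegex: 'contrib/ucw/.*\.h$'`. A short comment naming which headers are meant to be checked would also help, since the file is otherwise undocumented.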
image: cznic/ci-debian-kresd
image: $CI_REGISTRY/knot/knot-resolver/ci:debian-stable
variables:
DEBIAN_FRONTEND: noninteractive
......@@ -15,8 +15,8 @@ stages:
build:linux:amd64:
stage: build
script:
- PREFIX=$(pwd)/.local make -k all
- PREFIX=$(pwd)/.local make install
- PREFIX=$(pwd)/.local make -k all CFLAGS=-Werror
- PREFIX=$(pwd)/.local make install CFLAGS=-Werror
artifacts:
untracked: true
tags:
......@@ -24,11 +24,46 @@ build:linux:amd64:
- linux
- amd64
build:clang:linux:amd64:
stage: build
image: $CI_REGISTRY/knot/knot-resolver/ci:debian-unstable # newer Debian for newer Clang
script:
- CXX=clang++-5.0 CC=clang-5.0 PREFIX=$(pwd)/.local make -k all "CFLAGS=-Werror -Wno-error=unused-command-line-argument"
- CXX=clang++-5.0 CC=clang-5.0 PREFIX=$(pwd)/.local make install CFLAGS=-Werror
tags:
- docker
- linux
- amd64
lint:lua:
stage: test
dependencies: [] # do not download build artifacts
script:
- make lint
- make lint-lua
tags:
- docker
lint:c:
stage: test
image: $CI_REGISTRY/knot/knot-resolver/ci:debian-unstable # newer Debian for newer Clang
dependencies: [] # do not download build artifacts
script:
- make lint-c CLANG_TIDY="clang-tidy-5.0 -quiet"
tags:
- docker
lint:clang-scan-build:
allow_failure: true # for now it is just informative
stage: test
image: $CI_REGISTRY/knot/knot-resolver/ci:debian-unstable # newer Debian for newer Clang
dependencies: [] # do not download build artifacts
script:
- MAKEFLAGS="-k -j$(nproc)" SCAN_BUILD="/usr/lib/llvm-5.0/bin/scan-build -o scan-results --status-bugs -no-failure-reports" ./tests/clang_scan_build.sh make
artifacts:
when: on_failure
expire_in: '1 day'
paths:
- scan-results
tags:
- docker
......
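Review bot: In build:clang:linux:amd64 the `make -k all` step runs with `"CFLAGS=-Werror -Wno-error=unused-command-line-argument"` while the following `make install` step uses plain `CFLAGS=-Werror`; because `-k` lets the first step continue past failures, anything it left unbuilt is rebuilt by the install step under the stricter flags and can fail on a diagnostic the first step deliberately tolerated. Using the same CFLAGS string on both lines keeps the two steps consistent. The `-Wno-error=unused-command-line-argument` workaround itself presumably stems from link-only flags placed in BUILD_CFLAGS (config.mk), which is the root cause worth fixing instead.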
......@@ -76,4 +76,4 @@ files['daemon/lua/kres-gen.lua'].ignore = {'631'} -- Allow overly long lines
-- Tests and scripts can use global variables
files['scripts'].ignore = {'111', '112', '113'}
files['tests'].ignore = {'111', '112', '113'}
files['modules/*/*_test.lua'].ignore = {'111', '112', '113', '121', '122'}
\ No newline at end of file
files['modules/**/*.test.lua'].ignore = {'111', '112', '113', '121', '122'}
......@@ -8,7 +8,9 @@ check: all tests
clean: contrib-clean lib-clean daemon-clean client-clean modules-clean \
tests-clean doc-clean bench-clean coverage-clean
doc: doc-html
lint: $(patsubst %.lua.in,%.lua,$(wildcard */*/*.lua.in))
lint: lint-lua lint-c
lint-c: libkres-lint kresd-lint kresc-lint
lint-lua: $(patsubst %.lua.in,%.lua,$(wildcard */*/*.lua.in))
luacheck --codes --formatter TAP .
.PHONY: all install check clean doc info lint
......
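Review bot: `lint-lua` and `lint-c` are new targets, but `.PHONY` on the last line of the hunk still lists only `lint`, so a file or directory named `lint-c` or `lint-lua` in the tree would make `make lint` silently skip them. Extend it to `.PHONY: all install check clean doc info lint lint-lua lint-c`. The per-library `*-lint` targets that `lint-c` depends on have the same concern if their own makefiles do not declare them phony, which this hunk does not show.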
Knot Resolver 1.5.3 (2018-01-23)
================================
Bugfixes
--------
- fix the hints module on some systems, e.g. Fedora.
Symptom: `undefined symbol: engine_hint_root_file`
Knot Resolver 1.5.2 (2018-01-22)
================================
Security
--------
- fix CVE-2018-1000002: insufficient DNSSEC validation, allowing
attackers to deny existence of some data by forging packets.
Some combinations pointed out in RFC 6840 sections 4.1 and 4.3
were not taken into account.
Bugfixes
--------
- memcached: fix fallout from module rename in 1.5.1
Knot Resolver 1.5.1 (2017-12-12)
================================
......
......@@ -52,6 +52,10 @@ RUN mv /tmp/resolver-benchmarking/response_differences/respdiff /var/opt/respdif
RUN pip3 install -r /tmp/resolver-benchmarking/requirements.txt
RUN rm -rf /tmp/resolver-benchmarking
# Python static analysis for respdiff
RUN pip3 install mypy
RUN pip3 install flake8
# Unbound for respdiff
RUN apt-get install unbound unbound-anchor -y -qqq
RUN printf "server:\n interface: 127.0.0.1@53535\n use-syslog: yes\nremote-control:\n control-enable: no\n" >> /etc/unbound/unbound.conf
......
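Review bot: `RUN pip3 install mypy` and `RUN pip3 install flake8` pull whatever version PyPI serves at image build time, so the CI image is not reproducible and a future release of either tool can change lint results or introduce unreviewed code into the build environment. Pin them, e.g. `RUN pip3 install mypy==<pinned-version> flake8==<pinned-version>` (placeholder versions), which also collapses the two layers into one. The earlier unpinned installs in this file share the issue but are outside this hunk.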
FROM debian:unstable
MAINTAINER Knot Resolver <knot-resolver@labs.nic.cz>
WORKDIR /root
CMD ["/bin/bash"]
# generic cleanup
RUN apt-get update -qq
RUN apt-get upgrade -y -qqq
# Knot and Knot Resolver dependecies
RUN apt-get install -y -qqq make cmake pkg-config git build-essential bsdmainutils libtool autoconf make pkg-config liburcu-dev libgnutls28-dev libedit-dev liblmdb-dev libcap-ng-dev libsystemd-dev libidn11-dev protobuf-c-compiler libfstrm-dev pkg-config libuv1-dev libcmocka-dev libluajit-5.1-dev lua-sec lua-socket lua-http
# Python packags required for Deckard CI
# Python: grab latest versions from PyPi
# (dnspython and Augeas binding in Debian packages are slow and buggy)
RUN apt-get install -y -qqq python3-pip wget
RUN pip3 install --upgrade pip
RUN pip3 install pylint
RUN pip3 install pep8
# C dependencies for python-augeas
RUN apt-get install -y -qqq libaugeas-dev libffi-dev
# Python dependencies for Deckard
RUN wget https://gitlab.labs.nic.cz/knot/deckard/raw/master/requirements.txt -O /tmp/deckard-req.txt
RUN pip3 install -r /tmp/deckard-req.txt
# build and install latest version of Knot DNS
# (kresd depends on libknot and libdnssec)
RUN git clone --depth=1 --branch=2.6 https://gitlab.labs.nic.cz/knot/knot-dns.git /tmp/knot
WORKDIR /tmp/knot
RUN pwd
RUN autoreconf -if
RUN ./configure
RUN make
RUN make install
RUN ldconfig
# Valgrind for kresd CI
RUN apt-get install valgrind -y -qqq
RUN wget https://raw.githubusercontent.com/LuaJIT/LuaJIT/v2.0.4/src/lj.supp -O /lj.supp
# TODO: rebuild LuaJIT with Valgrind support
# Lua lint for kresd CI
RUN apt-get install luarocks -y -qqq
RUN luarocks install luacheck
# respdiff for kresd CI
RUN pip3 install dnspython python-augeas
RUN git clone --depth=1 https://gitlab.labs.nic.cz/knot/resolver-benchmarking.git /tmp/resolver-benchmarking
RUN mv /tmp/resolver-benchmarking/response_differences/respdiff /var/opt/respdiff
RUN pip3 install -r /tmp/resolver-benchmarking/requirements.txt
RUN rm -rf /tmp/resolver-benchmarking
# Unbound for respdiff
RUN apt-get install unbound unbound-anchor -y -qqq
RUN printf "server:\n interface: 127.0.0.1@53535\n use-syslog: yes\nremote-control:\n control-enable: no\n" >> /etc/unbound/unbound.conf
# BIND for respdiff
RUN apt-get install bind9 -y -qqq
RUN printf 'options {\n directory "/var/cache/bind";\n listen-on port 53533 { 127.0.0.1; };\n listen-on-v6 port 53533 { ::1; };\n};\n' > /etc/bind/named.conf.options
# PowerDNS Recursor for Deckard CI
RUN apt-get install pdns-recursor -y -qqq
# code coverage
RUN apt-get install -y -qqq lcov
RUN luarocks install luacov
# LuaJIT binary for stand-alone scripting
RUN apt-get install -y -qqq luajit
# clang for kresd CI
RUN apt-get install -y -qqq clang-5.0 clang-tools-5.0 clang-tidy-5.0
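Review bot: The README added with this file says it should match ci/Dockerfile except for the base image and the final Clang step, yet this copy lacks the `# Python static analysis for respdiff` block (`pip3 install mypy`, `pip3 install flake8`) that the same commit adds to ci/Dockerfile, so the two images have already diverged. Either add those lines after the respdiff section or derive this file from ci/Dockerfile at build time to stop the drift. Minor: `RUN pwd` is a leftover debug step that only adds a layer, and `MAINTAINER` is deprecated in favour of `LABEL maintainer="..."`.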
Clang in Debian stable is old so we have separate image with Clang.
This Dockerfile should be the same as ci/Dockerfile, with two differences:
- FROM points to debian:unstable
- last step adds Clang and its analysis tools
......@@ -35,7 +35,7 @@
FILE *g_tty = NULL; //!< connection to the daemon
static char *run_cmd(const char *cmd, size_t * msg_len);
static char *run_cmd(const char *cmd, size_t * out_len);
const char *prompt(EditLine * e)
{
......@@ -273,14 +273,14 @@ static unsigned char complete(EditLine * el, int ch)
//Get position of last dot in current line (useful for parsing table).
char *dot = strrchr(argv[0], '.');
if (strncmp(type, "table", 5) && !dot) {
if (strncmp(type, "table", 5) != 0 && !dot) {
//Line is not a name of some table and there is no dot in it.
complete_globals(el, argv[0], pos);
} else if ((dot && !strncmp(type, "nil", 3))
|| !strncmp(type, "table", 5)) {
} else if ((dot && strncmp(type, "nil", 3) == 0)
|| strncmp(type, "table", 5) == 0) {
//Current line (or part of it) is a name of some table.
complete_members(el, argv[0], type, pos, dot);
} else if (!strncmp(type, "function", 8)) {
} else if (strncmp(type, "function", 8) == 0) {
//Current line is a function.
complete_function(el);
}
......
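Review bot: `strncmp(type, "table", 5) != 0`, and the `nil`/`function` comparisons below it, still test only a prefix even though the intent (and the new explicit `== 0`/`!= 0` spelling) is an exact comparison with a Lua type name; a value such as `tablex` would be treated as a table. If `type` is always a complete type name, `strcmp(type, "table") != 0` (and `strcmp(type, "nil") == 0`, `strcmp(type, "function") == 0`) states that directly and drops the hand-counted lengths. The enclosing `complete()` starts and ends outside the hunk.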
# Project
MAJOR := 1
MINOR := 5
PATCH := 1
PATCH := 2
EXTRA :=
ABIVER := 4
BUILDMODE := dynamic
......@@ -23,6 +23,7 @@ ROOTHINTS ?= $(ETCDIR)/root.hints
COVERAGE_STAGE ?= gcov
COVERAGE_STATSDIR ?= $(CURDIR)/coverage.stats
TOPSRCDIR := $(CURDIR)
KEYFILE_DEFAULT ?=
# Tools
CC ?= cc
......@@ -33,8 +34,17 @@ INSTALL := install
# Flags
BUILD_LDFLAGS += $(LDFLAGS)
BUILD_CFLAGS := $(CFLAGS) -std=c99 -D_GNU_SOURCE -Wno-unused -Wtype-limits -Wformat -Wformat-security -Wall -I$(abspath .) -I$(abspath lib/generic) -I$(abspath contrib) -I$(abspath contrib/lmdb)
BUILD_CFLAGS := $(CFLAGS) -std=c99 -D_GNU_SOURCE
BUILD_CFLAGS += -Wno-unused -Wtype-limits -Wformat -Wformat-security -Wall
BUILD_CFLAGS += -I$(abspath .) -I$(abspath lib/generic) -I$(abspath contrib)
BUILD_CFLAGS += -DPACKAGE_VERSION="\"$(VERSION)\"" -DPREFIX="\"$(PREFIX)\"" -DMODULEDIR="\"$(MODULEDIR)\""
BUILD_CFLAGS += -fvisibility=hidden
# Otherwise Fedora is making kresd symbols inaccessible for modules
# TODO: clang needs different flag name, etc.
BUILD_CFLAGS += -rdynamic
BUILD_LDFLAGS += -export-dynamic
ifeq (,$(findstring -O,$(CFLAGS)))
BUILD_CFLAGS += -O2
endif
......
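Review bot: `BUILD_CFLAGS += -rdynamic` puts a link-time option on every compile invocation; that is most likely what forces the new CI job to add `-Wno-error=unused-command-line-argument` for clang, and the `# TODO: clang needs different flag name` line above it hints at the same. Keeping the export on the link step only, `BUILD_LDFLAGS += -rdynamic` (or the compiler-neutral `BUILD_LDFLAGS += -Wl,--export-dynamic`) instead of the bare `-export-dynamic`, removes the need for that workaround. Exporting all symbols while also compiling with `-fvisibility=hidden` is an intentional trade-off, so the Fedora comment deserves to stay next to whichever line ends up carrying the flag.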
......@@ -17,6 +17,7 @@ contrib_SOURCES += contrib/lmdb/mdb.c \
contrib/lmdb/midl.c
contrib_CFLAGS += -pthread
contrib_LIBS += -pthread
lmdb_CFLAGS += -I$(abspath contrib/lmdb)
endif
$(eval $(call make_static,contrib,contrib))
************************
Knot DNS Resolver daemon
Knot DNS Resolver daemon
************************
The server is in the `daemon` directory, it works out of the box without any configuration.
......@@ -22,9 +22,12 @@ To enable it, you need to provide trusted root keys. Bootstrapping of the keys i
$ kresd -k root-new.keys # File for root keys
[ ta ] keyfile 'root-new.keys': doesn't exist, bootstrapping
[ ta ] Root trust anchors bootstrapped over https with pinned certificate.
You may want to verify them manually, as described on:
https://data.iana.org/root-anchors/old/draft-icann-dnssec-trust-anchor.html#sigs
[ ta ] next refresh for . in 23.912361111111 hours
You SHOULD verify them manually against original source:
https://www.iana.org/dnssec/files
[ ta ] Current root trust anchors are:
. 0 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. 0 IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
[ ta ] next refresh for . in 24 hours
Alternatively, you can set it in configuration file with ``trust_anchors.file = 'root.keys'``. If the file doesn't exist, it will be automatically populated with root keys validated using root anchors retrieved over HTTPS.
......@@ -58,6 +61,8 @@ The root anchors bootstrap may fail for various reasons, in this case you need t
You've just enabled DNSSEC!
.. note:: Bootstrapping and automatic update need write access to keyfile direcory. If you want to manage root anchors manually you should use ``trust_anchors.add_file('root.keys', true)``.
CLI interface
=============
......@@ -65,7 +70,7 @@ The daemon features a CLI interface, type ``help()`` to see the list of availabl
.. code-block:: bash
$ kresd /var/run/knot-resolver
$ kresd /var/cache/knot-resolver
[system] started in interactive mode, type 'help()'
> cache.count()
53
......@@ -155,7 +160,7 @@ comfortable in the current working directory.
.. code-block:: sh
$ kresd /var/run/kresd
$ kresd /var/cache/knot-resolver
And you're good to go for most use cases! If you want to use modules or configure daemon behavior, read on.
......@@ -264,7 +269,7 @@ to download cache from parent, to avoid cold-cache start.
if cache.count() == 0 then
-- download cache from parent
http.request {
http.request {
url = 'http://parent/cache.mdb',
sink = ltn12.sink.file(io.open('cache.mdb', 'w'))
}
......@@ -371,7 +376,7 @@ Environment
If called with a parameter, it will change kresd's directory for
looking up the dynamic modules. If called without a parameter, it
will return kresd's modules directory.
.. function:: verbose(true | false)
:return: Toggle verbose logging.
......@@ -591,6 +596,8 @@ For when listening on ``localhost`` just doesn't cut it.
> net.tcp_pipeline(50)
50
.. _tls-server-config:
.. function:: net.tls([cert_path], [key_path])
Get/set path to a server TLS certificate and private key for DNS/TLS.
......@@ -835,7 +842,7 @@ daemons or manipulated from other processes, making for example synchronised loa
Close the cache.
.. note:: This may or may not clear the cache, depending on the used backend. See :func:`cache.clear()`.
.. note:: This may or may not clear the cache, depending on the used backend. See :func:`cache.clear()`.
.. function:: cache.stats()
......@@ -940,7 +947,7 @@ daemons or manipulated from other processes, making for example synchronised loa
Timers and events
^^^^^^^^^^^^^^^^^
The timer represents exactly the thing described in the examples - it allows you to execute closures
The timer represents exactly the thing described in the examples - it allows you to execute closures
after specified time, or event recurrent events. Time is always described in milliseconds,
but there are convenient variables that you can use - ``sec, minute, hour``.
For example, ``5 * hour`` represents five hours, or 5*60*60*100 milliseconds.
......@@ -962,14 +969,14 @@ For example, ``5 * hour`` represents five hours, or 5*60*60*100 milliseconds.
:return: event id
Similar to :func:`event.after()`, periodically execute function after ``interval`` passes.
Similar to :func:`event.after()`, periodically execute function after ``interval`` passes.
Example:
.. code-block:: lua
msg_count = 0
event.recurrent(5 * sec, function(e)
event.recurrent(5 * sec, function(e)
msg_count = msg_count + 1
print('Hi #'..msg_count)
end)
......
......@@ -85,7 +85,7 @@ static int mod_load(lua_State *L)
lua_error(L);
}
/* Parse precedence declaration */
auto_free char *declaration = strdup(lua_tostring(L, 1));
char *declaration = strdup(lua_tostring(L, 1));
if (!declaration) {
return kr_error(ENOMEM);
}
......@@ -95,6 +95,7 @@ static int mod_load(lua_State *L)
/* Load engine module */
struct engine *engine = engine_luaget(L);
int ret = engine_register(engine, name, precedence, ref);
free(declaration);
if (ret != 0) {
if (ret == kr_error(EIDRM)) {
format_error(L, "referenced module not found");
......@@ -390,7 +391,7 @@ static int net_tls(lua_State *L)
int r = tls_certificate_set(net, lua_tostring(L, 1), lua_tostring(L, 2));
if (r != 0) {
lua_pushstring(L, strerror(ENOMEM));
lua_pushstring(L, kr_strerror(r));
lua_error(L);
}
......@@ -510,7 +511,7 @@ static int net_tls_client(lua_State *L)
int r = tls_client_params_set(&net->tls_client_params,
addr, port, NULL, NULL, NULL);
if (r != 0) {
lua_pushstring(L, strerror(ENOMEM));
lua_pushstring(L, kr_strerror(r));
lua_error(L);
}
......@@ -528,7 +529,7 @@ static int net_tls_client(lua_State *L)
int r = tls_client_params_set(&net->tls_client_params,
addr, port, NULL, NULL, pin);
if (r != 0) {
lua_pushstring(L, strerror(ENOMEM));
lua_pushstring(L, kr_strerror(r));
lua_error(L);
}
lua_pop(L, 1);
......@@ -554,7 +555,7 @@ static int net_tls_client(lua_State *L)
int r = tls_client_params_set(&net->tls_client_params,
addr, port, ca_file, NULL, NULL);
if (r != 0) {
lua_pushstring(L, strerror(ENOMEM));
lua_pushstring(L, kr_strerror(r));
lua_error(L);
}
/* removes 'value'; keeps 'key' for next iteration */
......@@ -568,7 +569,7 @@ static int net_tls_client(lua_State *L)
int r = tls_client_params_set(&net->tls_client_params,
addr, port, NULL, hostname, NULL);
if (r != 0) {
lua_pushstring(L, strerror(ENOMEM));
lua_pushstring(L, kr_strerror(r));
lua_error(L);
}
/* removes 'value'; keeps 'key' for next iteration */
......@@ -913,7 +914,7 @@ static int cache_prefixed(struct kr_cache *cache, const char *args, knot_db_val_
{
/* Decode parameters */
uint8_t namespace = 'R';
char *extra = (char *)strchr(args, ' ');
char *extra = strchr(args, ' ');
if (extra != NULL) {
extra[0] = '\0';
namespace = extra[1];
......@@ -1403,7 +1404,7 @@ static int wrk_resolve(lua_State *L)
/* Create query packet */
knot_pkt_t *pkt = knot_pkt_new(NULL, KNOT_EDNS_MAX_UDP_PAYLOAD, NULL);
if (!pkt) {
lua_pushstring(L, strerror(ENOMEM));
lua_pushstring(L, kr_strerror(ENOMEM));
lua_error(L);
}
knot_pkt_put_question(pkt, dname, rrclass, rrtype);
......
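Review bot: In mod_load the `declaration` buffer is now freed manually after `engine_register`, but the lines between the `strdup` and that call (old 89-94) are outside the hunk; any early `return` or `lua_error()` there now leaks the copy, whereas the removed `auto_free` at least covered plain returns (`lua_error` longjmps past both forms). Check that path and free before raising, or keep the cleanup attribute and add the explicit free only where longjmp bypasses it. Visible but pre-existing: `return kr_error(ENOMEM);` from a lua_CFunction returns a negative result count. The `kr_strerror(r)` replacements in the net_tls hunks are a clear improvement over the hard-coded ENOMEM text.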
......@@ -19,6 +19,7 @@ ifeq ($(AMALG), yes)
kresd.amalg.c: daemon/lua/sandbox.inc daemon/lua/config.inc
else
daemon/engine.o: daemon/lua/sandbox.inc daemon/lua/config.inc
kresd-lint: daemon/lua/sandbox.inc daemon/lua/config.inc
endif
# Installed FFI bindings
......@@ -55,6 +56,7 @@ daemon-install: kresd-install bindings-install
ifneq ($(SED),)
$(SED) -e "s/@VERSION@/$(VERSION)/" -e "s/@DATE@/$(date)/" \
-e "s|@MODULEDIR@|$(MODULEDIR)|" \
-e "s|@KEYFILE_DEFAULT@|$(KEYFILE_DEFAULT)|" \
doc/kresd.8.in > doc/kresd.8
$(INSTALL) -d -m 0755 $(DESTDIR)$(MANDIR)/man8/
$(INSTALL) -m 0644 doc/kresd.8 $(DESTDIR)$(MANDIR)/man8/
......@@ -64,7 +66,7 @@ daemon-clean: kresd-clean
daemon/lua/zonefile.lua
daemon/lua/trust_anchors.lua: daemon/lua/trust_anchors.lua.in
@$(call quiet,SED,$<) -e "s|@ETCDIR@|$(ETCDIR)|g" $< > $@
@$(call quiet,SED,$<) -e "s|@ETCDIR@|$(ETCDIR)|g;s|@KEYFILE_DEFAULT@|$(KEYFILE_DEFAULT)|g" $< > $@
LIBZSCANNER_COMMENTS := \
$(shell pkg-config libzscanner --atleast-version=2.4.2 && echo true || echo false)
......
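Review bot: `$(KEYFILE_DEFAULT)` is spliced into a sed replacement in both the man-page rule and the trust_anchors.lua rule, so a value containing `|`, `&` or `\` corrupts the substitution, and a `'` would presumably break the Lua string literal that trust_anchors.lua.in builds from it (that template is not in the diff). Document the constraint next to `KEYFILE_DEFAULT ?=` in config.mk, or escape the value before substituting it. As a build-time setting the risk is low, but a silent mis-substitution here changes which trust-anchor file the daemon loads by default.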
......@@ -704,6 +704,7 @@ int engine_init(struct engine *engine, knot_mm_t *pool)
int ret = init_state(engine);
if (ret != 0) {
engine_deinit(engine);
return ret;
}
init_measurement(engine);
/* Initialize resolver */
......@@ -811,9 +812,8 @@ int engine_ipc(struct engine *engine, const char *expr)
}
}
static int engine_loadconf(struct engine *engine, const char *config_path)
int engine_load_sandbox(struct engine *engine)
{
int ret = 0;
/* Init environment */
static const char sandbox_bytecode[] = {
#include "daemon/lua/sandbox.inc"
......@@ -823,22 +823,13 @@ static int engine_loadconf(struct engine *engine, const char *config_path)
lua_pop(engine->L, 1);
return kr_error(ENOEXEC);
}
/* Load config file */
if (config_path) {
if (strcmp(config_path, "-") == 0) {
return ret; /* No config and no defaults. */
}
ret = l_dosandboxfile(engine->L, config_path);
}
if (ret == 0) {
/* Load defaults */
static const char config_bytecode[] = {
#include "daemon/lua/config.inc"
};
ret = l_dobytecode(engine->L, config_bytecode, sizeof(config_bytecode), "config");
}
return kr_ok();
}
/* Evaluate */
int engine_loadconf(struct engine *engine, const char *config_path)
{
assert(config_path != NULL);
int ret = l_dosandboxfile(engine->L, config_path);
if (ret != 0) {
fprintf(stderr, "%s\n", lua_tostring(engine->L, -1));
lua_pop(engine->L, 1);
......@@ -846,14 +837,22 @@ static int engine_loadconf(struct engine *engine, const char *config_path)
return ret;
}
int engine_start(struct engine *engine, const char *config_path)
int engine_load_defaults(struct engine *engine)
{
/* Load configuration. */
int ret = engine_loadconf(engine, config_path);
/* Load defaults */
static const char config_bytecode[] = {
#include "daemon/lua/config.inc"
};
int ret = l_dobytecode(engine->L, config_bytecode, sizeof(config_bytecode), "config");
if (ret != 0) {
return ret;
fprintf(stderr, "%s\n", lua_tostring(engine->L, -1));
lua_pop(engine->L, 1);
}
return ret;
}
int engine_start(struct engine *engine)
{
/* Clean up stack and restart GC */
lua_settop(engine->L, 0);
lua_gc(engine->L, LUA_GCCOLLECT, 0);
......
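Review bot: `engine_loadconf` now relies on `assert(config_path != NULL)`, which disappears under NDEBUG and lets a NULL path reach `l_dosandboxfile`; callers that used to pass NULL for "no config" (handled by the removed branch) get no defined behaviour in release builds. Add an explicit guard, `if (config_path == NULL) return kr_error(EINVAL);`, keeping the assert if desired. The special `-` handling (skip defaults) was removed here, so whichever caller now chooses between `engine_loadconf` and `engine_load_defaults` must implement it; that caller is not in this diff.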
......@@ -27,7 +27,11 @@
#define LRU_COOKIES_SIZE LRU_RTT_SIZE /**< DNS cookies cache size. */
#endif
#ifndef MP_FREELIST_SIZE
#define MP_FREELIST_SIZE 64 /**< Maximum length of the worker mempool freelist */
# ifdef __clang_analyzer__
# define MP_FREELIST_SIZE 0
# else
# define MP_FREELIST_SIZE 64 /**< Maximum length of the worker mempool freelist */
# endif
#endif
#ifndef RECVMMSG_BATCH
#define RECVMMSG_BATCH 4
......@@ -79,15 +83,16 @@ int engine_pcall(struct lua_State *L, int argc);
int engine_ipc(struct engine *engine, const char *expr);
/** Start the lua engine and execute the config.
*
* @note Special path "-" means that even default config won't be done
* (like listening on localhost).
*/
int engine_start(struct engine *engine, const char *config_path);
int engine_load_sandbox(struct engine *engine);
int engine_loadconf(struct engine *engine, const char *config_path);
int engine_load_defaults(struct engine *engine);
/** Start the lua engine and execute the config. */
int engine_start(struct engine *engine);
void engine_stop(struct engine *engine);
int engine_register(struct engine *engine, const char *module, const char *precedence, const char* ref);
int engine_unregister(struct engine *engine, const char *module);
int engine_register(struct engine *engine, const char *name, const char *precedence, const char* ref);
int engine_unregister(struct engine *engine, const char *name);
void engine_lualib(struct engine *engine, const char *name, int (*lib_cb) (struct lua_State *));
......@@ -105,6 +110,8 @@ int engine_set_moduledir(struct engine *engine, const char *moduledir);
/** Load root hints from a zonefile (or config-time default if NULL).
*
* @return error message or NULL (statically allocated)
* @note exported to be usable from the hints module.
*/
KR_EXPORT
const char* engine_hint_root_file(struct kr_context *ctx, const char *file);
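Review bot: The three new entry points `engine_load_sandbox`, `engine_loadconf` and `engine_load_defaults` are declared without a comment, while the old note about the special path `-` was deleted and the surviving `/** Start the lua engine and execute the config. */` on `engine_start` no longer matches a function that takes no config. Document the sequence callers are expected to follow (sandbox first, then loadconf with a non-NULL path and/or load_defaults, then start) and state for `engine_loadconf` that a NULL path is not accepted. The `# ifdef __clang_analyzer__` branch setting `MP_FREELIST_SIZE 0` also needs a one-line why-comment, e.g. `/* no pooling under the analyzer so each allocation is tracked individually */` if that is the reason, since it makes analyzer builds behave differently from real ones.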
......@@ -170,14 +170,14 @@ void udp_recv(uv_udp_t *handle, ssize_t nread, const uv_buf_t *buf,
static int udp_bind_finalize(uv_handle_t *handle)
{
check_bufsize((uv_handle_t *)handle);
check_bufsize(handle);
/* Handle is already created, just create context. */
struct session *session = session_new();
assert(session);
session->outgoing = false;
session->handle = handle;
handle->data = session;
return io_start_read((uv_handle_t *)handle);
return io_start_read(handle);
}
int udp_bind(uv_udp_t *handle, struct sockaddr *addr)
......
......@@ -18,3 +18,13 @@ end
if kres.context().root_hints.nsset.root == nil then
_hint_root_file()
end
if not trust_anchors.keysets['\0'] and trust_anchors.keyfile_default then
if io.open(trust_anchors.keyfile_default, 'r') then
trust_anchors.config(trust_anchors.keyfile_default, true)
else
panic("cannot open default trust anchor file:'%s'",
trust_anchors.keyfile_default
)
end
end
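Review bot: `io.open(trust_anchors.keyfile_default, 'r')` is used only as an existence test and its handle is never closed, so it lingers until the GC collects it, and the failure reason that `io.open` returns as its second value is dropped from the `panic` message. Capture the result, close it, and pass the error text through (the existing call already formats a `%s` argument). If the second argument of `trust_anchors.config` has the same meaning as in `trust_anchors.add_file(path, true)` described in the daemon README, the default keyfile is loaded as unmanaged, i.e. without automatic RFC 5011 updates; a comment stating that this is intended for the packaged default would help.
```lua
if not trust_anchors.keysets['\0'] and trust_anchors.keyfile_default then
	local f, err = io.open(trust_anchors.keyfile_default, 'r')
	if f then
		f:close()
		trust_anchors.config(trust_anchors.keyfile_default, true)
	else
		panic("cannot open default trust anchor file '%s': %s",
		      trust_anchors.keyfile_default, err)
	end
end
```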
......@@ -266,6 +266,7 @@ uint32_t kr_rand_uint(uint32_t);
void kr_pkt_make_auth_header(knot_pkt_t *);
int kr_pkt_put(knot_pkt_t *, const knot_dname_t *, uint32_t, uint16_t, uint16_t, const uint8_t *, uint16_t);
int kr_pkt_recycle(knot_pkt_t *);
int kr_pkt_clear_payload(knot_pkt_t *);
const char *kr_inaddr(const struct sockaddr *);
int kr_inaddr_family(const struct sockaddr *);
int kr_inaddr_len(const struct sockaddr *);
......
......@@ -134,6 +134,7 @@ EOF
kr_pkt_make_auth_header
kr_pkt_put
kr_pkt_recycle
kr_pkt_clear_payload
kr_inaddr
kr_inaddr_family
kr_inaddr_len
......
......@@ -475,6 +475,12 @@ ffi.metatype( knot_pkt_t, {
if ret ~= 0 then return nil, knot_strerror(ret) end
return true
end,
clear_payload = function (pkt)
assert(pkt ~= nil)
local ret = C.kr_pkt_clear_payload(pkt)
if ret ~= 0 then return nil, knot_strerror(ret) end
return true
end,
question = function(pkt, qname, qclass, qtype)
assert(pkt ~= nil)
assert(qclass ~= nil, string.format('invalid class: %s', qclass))
......
......@@ -235,9 +235,11 @@ end
-- Load embedded modules
trust_anchors = require('trust_anchors')
modules.load('ta_signal_query')
modules.load('policy')
modules.load('priming')
modules.load('detect_time_skew')
modules.load('detect_time_jump')
modules.load('ta_sentinel')
-- Interactive command evaluation
function eval_cmd(line, raw)
......
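Review bot: `modules.load('ta_signal_query')` and `modules.load('ta_sentinel')` are now enabled by default without a comment on what they turn on or how an operator opts out. If ta_signal_query is the RFC 8145 trust-anchor signaling module its name suggests, every resolver instance starts sending extra queries that disclose its configured trust-anchor key tags to upstream servers, which operators may not expect from an upgrade; a one-line comment per module (`-- RFC 8145 key-tag signaling; unload with modules.unload('ta_signal_query')` if that is accurate) and a NEWS entry would make that visible. The enclosing block of default module loads continues outside the hunk.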
......@@ -42,8 +42,10 @@ local function bootstrap(url, ca)
return false, string.format('[ ta ] failed to get any record from "%s"', url)
end
local msg = '[ ta ] Root trust anchors bootstrapped over https with pinned certificate.\n'
.. ' You may want to verify them manually, as described on:\n'
.. ' https://data.iana.org/root-anchors/old/draft-icann-dnssec-trust-anchor.html#sigs'
.. ' You SHOULD verify them manually against original source:\n'
.. ' https://www.iana.org/dnssec/files\n'
.. '[ ta ] Current root trust anchors are:'
.. rr
return rr, msg
end
......@@ -367,9 +369,16 @@ update = function (keyset, new_keys, is_initial)
end
local add_file = function (path, unmanaged)
-- Bootstrap if requested and keyfile doesn't exist
if not unmanaged then
if not io.open(path .. '.lock', 'w') then
error("[ ta ] ERROR: write access needed to keyfile dir '"..path.."'")
end
os.remove(path .. ".lock")
end