1. 12 Oct, 2018 2 commits
  2. 14 Sep, 2018 2 commits
    • misc nitpicks · 9d05c1f0
      Vladimír Čunát authored
      - \param family, esp. don't rely on AF_UNSPEC being zero
      - kres_gnutls_vec_push(): don't uv_write() if ENOMEM
      - tls_client_params_clear(): remove unused function
    • daemon/worker: fixes error handling from TLS writes · f52231b6
      Marek Vavruša authored
      The error handling loop for uncorking TLS data was wrong, as the
      underlying push function is asynchronous and there's no relationship
      between completed DNS packet writes and the number of TLS message writes.
      In the case of the asynchronous function, the buffered data must be valid
      until the write is complete; currently this is not guaranteed, and
      loading the resolver with pipelined requests results in memory errors:
      
      ```
      $ getdns_query @127.0.0.1#853 -s -a -s -l L -B -F queries -q
      ...
      ==47111==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290040a1253 at pc 0x00010da960d3 bp 0x7ffee2628b30 sp 0x7ffee26282e0
      READ of size 499 at 0x6290040a1253 thread T0
          #0 0x10da960d2 in wrap_write (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x1f0d2)
          #1 0x10d855971 in uv__write (libuv.1.dylib:x86_64+0xf971)
          #2 0x10d85422e in uv__stream_io (libuv.1.dylib:x86_64+0xe22e)
          #3 0x10d85b35a in uv__io_poll (libuv.1.dylib:x86_64+0x1535a)
          #4 0x10d84c644 in uv_run (libuv.1.dylib:x86_64+0x6644)
          #5 0x10d602ddf in main main.c:422
          #6 0x7fff6a28a014 in start (libdyld.dylib:x86_64+0x1014)
      
      0x6290040a1253 is located 83 bytes inside of 16895-byte region [0x6290040a1200,0x6290040a53ff)
      freed by thread T0 here:
          #0 0x10dacdfdd in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56fdd)
          #1 0x10d913c2e in _mbuffer_head_remove_bytes (libgnutls.30.dylib:x86_64+0xbc2e)
          #2 0x10d915080 in _gnutls_io_write_flush (libgnutls.30.dylib:x86_64+0xd080)
          #3 0x10d90ca18 in _gnutls_send_tlen_int (libgnutls.30.dylib:x86_64+0x4a18)
          #4 0x10d90edde in gnutls_record_send2 (libgnutls.30.dylib:x86_64+0x6dde)
          #5 0x10d90f085 in gnutls_record_uncork (libgnutls.30.dylib:x86_64+0x7085)
          #6 0x10d5f6569 in tls_push tls.c:238
          #7 0x10d5e5b2a in qr_task_send worker.c:1002
          #8 0x10d5e2ea6 in qr_task_finalize worker.c:1562
          #9 0x10d5dab99 in qr_task_step worker.c
          #10 0x10d5e12fe in worker_process_tcp worker.c:2410
      ```
      
      The current implementation adds an opportunistic uv_try_write, which
      either writes the requested data or returns UV_EAGAIN or an error, in
      which case it falls back to the slower asynchronous write that copies the buffered data.
      
      The function signature is changed from simple write to vectorized write.
      
      This also enables TLS False Start to save 1RTT when possible.
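An added example, not kresd's own code, modelling the fix this commit describes: a vectorized push that tries a synchronous write first and, on a short write or EAGAIN, copies the unsent remainder into a request it owns before queueing it, so the caller's buffer may be released the moment the push returns. libuv is not used; `struct sink`, `sink_try_write()`, `sink_write_async()`, `vec_push()` and `sink_run()` are hypothetical stand-ins for a libuv stream, uv_try_write(), uv_write() and one turn of the event loop. The demo pushes three constructed pipelined messages and clobbers and frees each buffer right after pushing, which is the situation behind the heap-use-after-free in the sanitizer report above.

```c
/* Added example (not kresd's code): a model of the push pattern in commit
 * f52231b6. libuv is not linked; `struct sink` stands in for a libuv stream,
 * sink_try_write() for uv_try_write() and sink_write_async() for uv_write(). */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define WIRE_CAP 4096

struct iov { const char *base; size_t len; };
/* A queued async write owns a private copy of its bytes, so the caller may
 * free its own buffers as soon as vec_push() returns. */
struct pending { char *buf; size_t len; struct pending *next; };
struct sink {
    char wire[WIRE_CAP]; size_t wire_len;  /* bytes that reached the "wire" */
    size_t sync_budget;                     /* bytes one synchronous try accepts */
    struct pending *head, **tail;           /* FIFO of queued async writes */
};

static void sink_init(struct sink *s, size_t budget) {
    memset(s, 0, sizeof *s); s->sync_budget = budget; s->tail = &s->head;
}
static size_t iov_total(const struct iov *v, int n) {
    size_t t = 0; for (int i = 0; i < n; i++) t += v[i].len; return t;
}
/* Copy `len` bytes of the vector starting at logical offset `skip`. */
static void iov_copy(char *dst, const struct iov *v, int n, size_t skip, size_t len) {
    for (int i = 0; i < n && len > 0; i++) {
        if (skip >= v[i].len) { skip -= v[i].len; continue; }
        size_t chunk = v[i].len - skip;
        if (chunk > len) chunk = len;
        memcpy(dst, v[i].base + skip, chunk);
        dst += chunk; len -= chunk; skip = 0;
    }
}

/* Stand-in for uv_try_write(): like libuv, refuse while async requests are
 * queued (preserves byte order); otherwise send what fits now, possibly short. */
static int sink_try_write(struct sink *s, const struct iov *v, int n) {
    if (s->head) return -EAGAIN;
    size_t room = WIRE_CAP - s->wire_len, want = iov_total(v, n);
    if (room > s->sync_budget) room = s->sync_budget;
    if (room == 0) return -EAGAIN;
    if (want > room) want = room;
    iov_copy(s->wire + s->wire_len, v, n, 0, want);
    s->wire_len += want;
    return (int)want;
}

/* Stand-in for uv_write(): queue the unsent tail as an owned copy. Keeping the
 * caller's pointers instead is the heap-use-after-free the commit fixed. */
static int sink_write_async(struct sink *s, const struct iov *v, int n, size_t skip) {
    size_t len = iov_total(v, n) - skip;
    struct pending *p = malloc(sizeof *p);
    if (!p) return -ENOMEM;
    if (!(p->buf = malloc(len))) { free(p); return -ENOMEM; }
    iov_copy(p->buf, v, n, skip, len);
    p->len = len; p->next = NULL; *s->tail = p; s->tail = &p->next;
    return 0;
}

/* Vectorized push: opportunistic synchronous write, copy-on-fallback. */
int vec_push(struct sink *s, const struct iov *v, int n) {
    int r = sink_try_write(s, v, n);
    if (r >= 0 && (size_t)r == iov_total(v, n)) return 0;   /* fast path: all sent */
    if (r < 0 && r != -EAGAIN) return r;                     /* hard error for the caller */
    return sink_write_async(s, v, n, r > 0 ? (size_t)r : 0); /* copy whatever is left */
}

/* One event-loop turn: complete every queued request; returns the count. */
int sink_run(struct sink *s) {
    int done = 0;
    for (struct pending *p; (p = s->head) != NULL; done++) {
        if (s->wire_len + p->len > WIRE_CAP) return -1;
        memcpy(s->wire + s->wire_len, p->buf, p->len); s->wire_len += p->len;
        s->head = p->next; free(p->buf); free(p);
    }
    s->tail = &s->head;
    return done;
}

/* Three constructed pipelined messages through a sink that takes only 8 bytes
 * synchronously; each buffer is clobbered and freed right after its push, as a
 * finished query task would do. Returns 1 if every byte arrived intact. */
int demo_pipelined(void) {
    static const char *msgs[] = { "q1:example.com.", "q2:example.net.", "q3:example.org." };
    char expect[128]; size_t elen = 0;
    struct sink s; sink_init(&s, 8);
    for (int i = 0; i < 3; i++) {
        size_t len = strlen(msgs[i]);
        char hdr[2] = { 0, (char)len };  /* 2-byte length prefix, as on DNS over TCP/TLS */
        char *body = malloc(len); memcpy(body, msgs[i], len);
        struct iov v[2] = { { hdr, 2 }, { body, len } };
        memcpy(expect + elen, hdr, 2); memcpy(expect + elen + 2, body, len); elen += 2 + len;
        if (vec_push(&s, v, 2) != 0) { free(body); return 0; }
        memset(body, 'X', len); free(body);  /* a borrowed pointer would now be stale */
    }
    if (sink_run(&s) != 3) return 0;
    return s.wire_len == elen && memcmp(s.wire, expect, elen) == 0;
}
```

Two details carry the fix. The synchronous path is refused while anything is still queued, which is also how uv_try_write behaves and is what keeps the TLS record stream in order once a push has fallen back; and the fallback copies only the bytes the synchronous attempt did not take, so the common case costs no allocation at all while the slow case never retains a pointer into memory the query task is about to free.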
  3. 23 Jul, 2018 1 commit
  4. 13 Jun, 2018 2 commits
  5. 06 Jun, 2018 1 commit
  6. 08 Feb, 2018 4 commits
  7. 12 Jan, 2018 1 commit
  8. 08 Jan, 2018 5 commits
  9. 12 Sep, 2017 1 commit
    • gnutls logging improvements · 3467ee81
      Vladimír Čunát authored
      - move it to utils.c, so it's sensitive to later changes in verbosity
      - don't mark the lines with [tls], as they may come through libdnssec
      - use stdout like other verbose messages, instead of stderr (real errors)
  10. 09 Jan, 2017 1 commit
  11. 06 Jan, 2017 2 commits
    • Use ephemeral X.509 credentials if none are configured · a405b874
      Daniel Kahn Gillmor authored
      If kresd is configured to listen using TLS, but it has no credentials,
      it should fall back to generating ephemeral credentials and using
      them.
      
      It stores the ephemerally-generated secret key in the same directory
      as the cache, using the name "ephemeral_key.pem".  If the cache
      persists, then the key will too, even if the daemon dies.  This means
      that any set of daemons that share a cache will also share an
      ephemeral secret key.
      
      The ephemeral X.509 certificate that corresponds to the key will be
      automatically generated (self-signed) and will have a lifetime of about
      90 days (matching Let's Encrypt policy).  The ephemeral cert is
      never written to disk; it is always dynamically generated by kresd.
      
      This should make it very easy to get DNS-over-TLS working in
      opportunistic mode.
    • Record expiration date of our certificate. · 4c4ff26f
      Daniel Kahn Gillmor authored
      This can be useful for scheduling checks in the future, for logging
      when we're using an expired cert, requesting a new cert, refreshing an
      ephemeral cert, etc.
  12. 14 Nov, 2016 1 commit
  13. 05 Aug, 2016 10 commits
  14. 16 Jul, 2016 1 commit
  15. 20 May, 2016 1 commit
    • lib: cache api v2, removed dep on libknot db.h · e68c3a0a
      Marek Vavrusa authored
      This change introduces a new API for cache backends,
      which is a subset of knot_db_api_t from libknot
      with several cache-specific operations.
      
      major changes are:
      * merged 'cachectl' module into 'cache' as it is
        99% default-on and it simplifies things
      * not transaction oriented, transactions may be
        reused and cached for higher performance
      * scatter/gather API, this is important for
        latency and performance of non-local backends
        like Redis
      * faster and reliable cache clearing
      * cache-specific operations (prefix scan, ...) in
        the API not hacked in
      * simpler code for both backends and caller
  16. 18 Mar, 2015 1 commit
  17. 10 Mar, 2015 1 commit
  18. 23 Feb, 2015 1 commit
  19. 30 Dec, 2014 1 commit
  20. 29 Dec, 2014 1 commit