1. 18 Apr, 2019 2 commits
    • simplify approach to bind() · 8cecbf0d
      Vladimír Čunát authored
      The complication is that we need to work with addresses and
      just file-descriptors passed from some parent process.
      The former approach led to logical duplication of some steps;
      now we add a step converting addresses to file-descriptors.
      Thanks to that we always do bind() without touching libuv,
      so the problem with forking disappears :-)
    • lib/generic/lru: try to resolve alignof warnings · ee67a8a3
      Vladimír Čunát authored
      We run meson with -std=gnu11, but apparently some compiler still
      complained about it.  Unfortunately it wouldn't be easy to use
      standard C11 in this case.
  2. 17 Apr, 2019 2 commits
    • 7168201b
    • module API+ABI: remove one level of indirection · 176b1c28
      Vladimír Čunát authored
      ... for layers and props.  This breaks C module API+ABI.
      
      It seemed weird to repeatedly call a function that returns a pointer
      to a structure in which we find the function we want to actually call.
      We've never used changing these functions AFAIK, and the target
      functions could easily be written to change their behavior instead
      (i.e. move the indirection *inside* the function).
      
      When breaking this, I also removed these two (_layers and _props)
      from the dynamic symbols (to be) exported from the C modules.
      They always pointed to memory belonging inside the module,
      and they seem quite sensible to be set up by the _init symbol instead.
  3. 11 Apr, 2019 4 commits
    • lib/utils kr_straddr_socket(): support mempools · 39d1e63b
      Vladimír Čunát authored
      "Unfortunately", for FFI-bound C functions there it doesn't hold that
      missing parameters would be converted to nil/NULL.
      Still, this function seems unlikely to have been used outside the repo.
    • doh: remember source transport · f784831f
      Petr Špaček authored
    • cache: fix incorrect TTL of positive packets in cache · eb40d0a0
      Vladimír Čunát authored
      It's a regression of b00ee5fa (v3.0.0).  Fortunately, since that
      version we use cache for positive packets only when they are BOGUS
      (see `bool want_pkt =`) so that they're available for +cd queries.
      Therefore the impact was really negligible, until the DoT module.
    • DoH experiment · 53fef489
      Petr Špaček authored
      First version which actually works with Firefox DoH in default
      configuration.
      
      Limitations:
      - does not support HTTP GET method
      - headers for HTTP cache are not generated
      - error handling is largely missing
      - no tests
      - ACLs will not work, modules do not see source IP address of the HTTP
      endpoint
  4. 08 Apr, 2019 1 commit
    • validate nitpick fix: unsupported algo edge case · 2bd31a48
      Vladimír Čunát authored
      kr_dnskeys_trusted() semantics is changed, but I do NOT consider that
      a part of public API.
      
      Go insecure due to algorithm support even if DNSKEY is NODATA.
      I can't see how that's relevant to practical usage, but I think this new
      behavior makes more sense.  We still do try to fetch the DNSKEY even
      though we have information about its un-usability beforehand.
      I'd consider fixing that a premature optimization.
      We'll still be affected if the DNSKEY query SERVFAILs or something.
      
      Thanks to PowerDNS people for catching this!
  5. 12 Mar, 2019 17 commits
  6. 08 Mar, 2019 2 commits
  7. 06 Mar, 2019 5 commits
  8. 05 Mar, 2019 4 commits
  9. 25 Feb, 2019 1 commit
  10. 22 Feb, 2019 2 commits
    • daemon: rework handling of TLS authentication params · 81b1450e
      Vladimír Čunát authored
      It's mainly about the way we parse and validate them.
      
      Almost all of the parts of validation that were being done
      in modules/policy/policy.lua and daemon/tls.c got moved
      to daemon/bindings/net.c, so it's easier to follow that.
      Also more checks are being done now, e.g. contents of .pin_sha256
      and .hostname strings.
    • policy.TLS_FORWARD: send SNI on wire if configured · a4284580
      Vladimír Čunát authored
      In https world it's standard to do that, and it's relied on.
      Real-life example: 8.8.8.8#853 over TLSv1.3 won't send a certificate
      if we don't send SNI (no idea why; also they do send it with TLSv1.2).
      
      As a consequence, we no longer allow multiple hostnames per
      address-port tuple, but that didn't seem useful.