(Tiny nitpicks addressed by vcunat.)

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

... in case of usage from kresd (GC does it a bit differently).

It is very useful when debugging. This code gets executed only with
special DEBUG policy so we do not need to worry about maximum performance.

In particular this gets rid of last light user data inside kresd.

It was still causing problems on some systems, for example Debian Sid.
The error was the same: "bad light userdata pointer" from luajit,
but note that the problem can still be triggered by lua libraries,
e.g. cqueues.

It was only generating noise in test logs, especially when network is
not abvailable/is intentionally disabled.

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

Attacker might generate fake NS records pointing to victim's DNS zone.
If the zone contains wildcard the attacker might force us into packet
exchange with a (lame) DNS server on that IP address.

We now limit number of consecuctive failures and kill whole request if
limit is exceeded.

Vladimír Čunát authored 5 years ago and Petr Špaček committed 4 years ago

CWE-406: Insufficient Control of Network Message Volume (Network Amplification)

We now limit number of failed NS name resolution attempts for each
request. This does not prevent attacker from spoofing delegations
but it puts upper bound on amplification factor.

Now it works again with the latest gdb-9.1.
As a side effect, some simplification was possible, so that some
typedefs are newly defined at once with the underlying type.

Otherwise people could get confusing errors like:
> attempt to index field 'bg_worker' (a nil value)

Some rules need it and it was nil until now.

The new allocation approach isn't perfectly optimal, but it seems
relatively easy to understand and handles OOM conditions OK (I think).

This new approach uses per-request variables in Lua and creates new
callback for each DEBUG_IF call instead of each request.

It creates new callback functions for every request which
uses "callback chaining" but these should be rare.

It seems there is no reason to keep this function private in policy
module.

Attempt to avoid duplicating ten lines in debug_logfinish_cb lead me
to splitting kr_log_qverbose_impl into two functions kr_log_q and kr_log_req.
This is another minor change to API exposed to modules.

Formerly both logs used slightly different formats and duplicated code.
From now on verbose log and request tracing are generated using the same
code.

This required a small change to request trace_log_f definition so it
might affect external modules.

Petr Špaček authored 5 years ago and Vladimír Čunát committed 5 years ago

These files did not have GNU GPL v3 boilderplate in them so
I've added machine readable tag with appropriate license.

The preconfig is used to set distro-specific values to avoid messing
with user config, in partciular:

- binding to control sockets under systemd
- setting default cache location

Petr Špaček authored 5 years ago and Tomas Krizek committed 5 years ago

Also remove extra headers for trust anchors and mode(), this is an
implementation detail not important for users.

Petr Špaček authored 5 years ago and Lukas Jezek committed 5 years ago

It also improves error reporting from store:add() call.
Sometimes the error message from lua-ossl is incomplete. This is fixed
by https://github.com/wahern/luaossl/pull/176.

Petr Špaček authored 5 years ago and Lukas Jezek committed 5 years ago

Previous code inconsistently thrown some errors and returned as string
other ones, so we now return all errors as strings in classic Lua-style.