- Jan 22, 2018
-
-
Grigorii Demidov authored
daemon/worker: worker_process_tcp: cleanup; there is no need for special processing of the qr_task_step return code
-
- Jan 19, 2018
-
-
Petr Špaček authored
layer/iterate: forwarding; repeat query to upstream if SERVFAIL\REFUSE has been received See merge request !451
-
Grigorii Demidov authored
-
Petr Špaček authored
ci: add flake8 to Dockerfile See merge request !449
-
We do not use Infer after all (see MR !435) so it does not make sense to have it in the image.
-
Petr Špaček authored
daemon/worker: clean up some unnecessary asserts See merge request !450
-
Grigorii Demidov authored
-
- Jan 18, 2018
-
-
Petr Špaček authored
TLS polish See merge request !447
-
Petr Špaček authored
gnutls-3.3.26-9.el7.x86_64 and libgnutls30-3.5.8-5+deb9u3 do not support the @SYSTEM keyword and CentOS 7 has a problem with -VERS-DTLS-ALL. We do not configure DTLS sockets so it should be harmless to delete the DTLS keyword. @SYSTEM is replaced by NORMAL, oh well. fixup! TLS client: enforce minimal TLS version and no compression
-
Petr Špaček authored
Same change as in a625a0ea1ce03b0707fd421633f21c0aacb786da but for client.
-
Petr Špaček authored
Server side now enforces security requirements from draft-ietf-dprive-dtls-and-tls-profiles-11 section 9
-
Petr Špaček authored
The GnuTLS manual for some functions does not declare that the error return code must be negative, so we should use constants to avoid potential problems.
-
Petr Špaček authored
gnutls_certificate_set_x509_trust_file could theoretically return 0 to indicate nothing was read, so we need to check for this as well.
-
Vladimír Čunát authored
-
-
Tomas Krizek authored
tmpfiles: create cache and use proper tmpfiles name See merge request !440
-
Tomas Krizek authored
-
Petr Špaček authored
policy TLS_FORWARD: add checks and documentation See merge request !445
-
Petr Špaček authored
The pin parameter contains SHA-256 encoded using Base64, but this is not the only option. Explicit name allows us to add alternative formats later on, and is consistent with GnuTLS naming.
-
-
Petr Špaček authored
-
Petr Špaček authored
-
Petr Špaček authored
-
Petr Špaček authored
Policy handling was split into smaller functions to allow easier checking. The code needs further refactoring, it seems that net_tls_client is just a thin wrapper around tls_client_params_set in C, which is unnecessary and error prone.
-
Petr Špaček authored
-
Petr Špaček authored
Apparently some corner cases are not handled properly. We need to fix these in follow-up patches.
-
Petr Špaček authored
fix some errors found by static analyzer See merge request !446
-
Petr Špaček authored
Clang right now does not support the cleanup attribute, which is causing false positives, so the check is now disabled. https://bugs.llvm.org/show_bug.cgi?id=3888 At the same time I've enabled all other checkers to see what happens. We need to go through them and disable them one-by-one if necessary.
-
Marek Vavruša authored
this helps avoid false positive leaks caused by combination of cleanup functions and goto refs #291
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
attribute cleanup (auto_free) gets called when variable goes out of scope, not on longjmp (in lua_error), so the variable never gets freed
-
- Jan 17, 2018
-
-
Petr Špaček authored
Dockerfile: add static analysis tools See merge request !444
-
-
- Jan 12, 2018
-
-
Petr Špaček authored
daemon: TLS-handshake timeout timer was not properly activated; fix See merge request !441
-
Grigorii Demidov authored
-
Petr Špaček authored
ci: add -Werror to CFLAGS, added clang build target See merge request !432
-
Marek Vavruša authored
this checks things such as inconsistent declarations and definitions
-
Marek Vavruša authored
-