gnutls_certificate_set_x509_trust_file could theoretically return 0
to indicate nothing was read, so we need to check for this as well.

tmpfiles: create cache and use proper tmpfiles name

See merge request !440

policy TLS_FORWARD: add checks and documentation

See merge request !445

The pin parameter contains SHA-256 encoded using Base64, but this is not
the only option. Explicit name allows us to add alternative formats
later on, and is consistent with GnuTLS naming.

Policy handling was split into smaller functions to allow easier
checking. The code needs further refactoring, it seems that
net_tls_client is just a thin wrapper around tls_client_params_set in C,
which is unnecessary and error prone.

Apparently some corner cases are not handled properly.
We need to fix these in follow-up patches.

fix some errors found by static analyzer

See merge request !446

Clang right now does not support cleanup attribute which is causing
false positives, so the check is now disabled.
https://bugs.llvm.org/show_bug.cgi?id=3888

At the same time I've enabled all other checkers to see what happens. We
need to go though them and disable them one-by-one if necessary.

this helps avoid false positive leaks caused by combination of
cleanup functions and goto

refs #291

attribute cleanup (auto_free) gets called when variable goes out of
scope, not on longjmp (in lua_error), so the variable never gets freed

Dockerfile: add static analysis tools

See merge request !444

daemon: TLS-handshake timeout timer was not properly activated; fix

See merge request !441

ci: add -Werror to CFLAGS, added clang build target

See merge request !432

this checks things such as inconsistent declarations and definitions

This supports linting of C code using clang-tidy to fix common
security and code quality issues early in the development workflow.
The benefit is that less time has to be spent in code reviews to
point out obvious problems, and ideally when the outstanding issues
are fixed, clang-tidy (and clang-format) can also be used to to
automatically fix basic problems and enforce common code style,
similarly to `go vet && go fmt` workflow.

fixup! CI: add Clang scan-build to the pipeline

See merge request !438

Forgot to `git add` Dockerfile with Clang tools.

Systemd modifications

See merge request !436

Tomas Krizek authored 7 years ago and Petr Špaček committed 7 years ago

The `knot-resolver` name is used for paths and user name. Creating a
systemd alias with the same name is user-friendly to end users who won't
have to remember another name (`kresd`).

Note: Systemd Alias is only created after service is enabled. Packagers
are thus advised to create symlinks for unit files during package installation
so users can use `knot-resolver` name right from the start.

Tomas Krizek authored 7 years ago and Petr Špaček committed 7 years ago

The /run directory is non-persistent. Use /var/cache/knot-resolver
as a persistent cache.