Merging upstream version 5.7.2.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

13 files changed, 101 insertions, 58 deletions

diff --git a/NEWS b/NEWS
index dd8137a..f1e5d30 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,11 @@
+Knot Resolver 5.7.2 (2024-03-27)
+================================
+
+Bugfixes
+--------
+- fix on 32-bit systems with 64-bit time_t (!1510)
+
+
 Knot Resolver 5.7.1 (2024-02-13)
 ================================
 
diff --git a/daemon/lua/kres-gen-30.lua b/daemon/lua/kres-gen-30.lua
index 7639e79..f3f8a49 100644
--- a/daemon/lua/kres-gen-30.lua
+++ b/daemon/lua/kres-gen-30.lua
@@ -2,9 +2,10 @@
 
 local ffi = require('ffi')
 --[[ This file is generated by ./kres-gen.sh ]] ffi.cdef[[
-typedef long time_t;
-typedef long __time_t;
-typedef long __suseconds_t;
+
+typedef @time_t@ time_t;
+typedef @time_t@ __time_t;
+typedef @time_t@ __suseconds_t;
 struct timeval {
 	__time_t tv_sec;
 	__suseconds_t tv_usec;
diff --git a/daemon/lua/kres-gen-31.lua b/daemon/lua/kres-gen-31.lua
index e555a6a..46b349e 100644
--- a/daemon/lua/kres-gen-31.lua
+++ b/daemon/lua/kres-gen-31.lua
@@ -2,9 +2,10 @@
 
 local ffi = require('ffi')
 --[[ This file is generated by ./kres-gen.sh ]] ffi.cdef[[
-typedef long time_t;
-typedef long __time_t;
-typedef long __suseconds_t;
+
+typedef @time_t@ time_t;
+typedef @time_t@ __time_t;
+typedef @time_t@ __suseconds_t;
 struct timeval {
 	__time_t tv_sec;
 	__suseconds_t tv_usec;
diff --git a/daemon/lua/kres-gen-32.lua b/daemon/lua/kres-gen-32.lua
index 31a5c5d..88b50de 100644
--- a/daemon/lua/kres-gen-32.lua
+++ b/daemon/lua/kres-gen-32.lua
@@ -2,9 +2,10 @@
 
 local ffi = require('ffi')
 --[[ This file is generated by ./kres-gen.sh ]] ffi.cdef[[
-typedef long time_t;
-typedef long __time_t;
-typedef long __suseconds_t;
+
+typedef @time_t@ time_t;
+typedef @time_t@ __time_t;
+typedef @time_t@ __suseconds_t;
 struct timeval {
 	__time_t tv_sec;
 	__suseconds_t tv_usec;
diff --git a/daemon/lua/kres-gen.sh b/daemon/lua/kres-gen.sh
index 70afb40..3befd5d 100755
--- a/daemon/lua/kres-gen.sh
+++ b/daemon/lua/kres-gen.sh
@@ -53,12 +53,15 @@ printf -- "local ffi = require('ffi')\n"
 printf -- "--[[ This file is generated by ./kres-gen.sh ]] ffi.cdef[[\n"
 
 # Some system dependencies.  TODO: this generated part isn't perfectly portable.
-${CDEFS} ${LIBKRES} types <<-EOF
-	typedef time_t
-	__time_t
-	__suseconds_t
-	struct timeval
-EOF
+printf "
+typedef @time_t@ time_t;
+typedef @time_t@ __time_t;
+typedef @time_t@ __suseconds_t;
+struct timeval {
+	__time_t tv_sec;
+	__suseconds_t tv_usec;
+};
+"
 
 ## Various types (mainly), from libknot and libkres
 
diff --git a/daemon/lua/meson.build b/daemon/lua/meson.build
index b19777c..6df5bc5 100644
--- a/daemon/lua/meson.build
+++ b/daemon/lua/meson.build
@@ -47,10 +47,23 @@ else
   kres_gen_fname = 'kres-gen-30.lua'
 endif
 
+# Exact types around time_t aren't easy to detect, but at least we need the same size.
+time_t_size = meson.get_compiler('c').sizeof('time_t', prefix: '#include <sys/time.h>')
+kres_gen_config = {}
+foreach t: [ 'long', 'long long' ]
+  if meson.get_compiler('c').sizeof(t) == time_t_size
+    kres_gen_config = { 'time_t': t }
+    break
+  endif
+endforeach
+if kres_gen_config == {}
+  error('Unexpected sizeof(time_t) == @0@'.format(time_t_size))
+endif
+
 kres_gen_lua = configure_file(
   input: kres_gen_fname,
   output: 'kres-gen.lua',
-  copy: true,
+  configuration: kres_gen_config,
 )
 
 run_target(  # run manually to re-generate kres-gen.lua
@@ -72,9 +85,9 @@ if get_option('kres_gen_test') and not meson.is_cross_build()
   ]
   # Construct the lua tester as a meson string.
   kres_gen_test_luastr = '''
-    dofile('@0@')
+    dofile('@0@/../../@1@')
     local ffi = require('ffi')
-  '''.format(meson.current_source_dir() / kres_gen_fname)
+  '''.format(meson.current_build_dir(), kres_gen_lua)
   foreach ttc: types_to_check
     # We're careful with adding just includes; otherwise it's more fragile (e.g. linking flags).
     if 'dep' in ttc
diff --git a/daemon/proxyv2.c b/daemon/proxyv2.c
index f977ccb..aedbb91 100644
--- a/daemon/proxyv2.c
+++ b/daemon/proxyv2.c
@@ -2,6 +2,9 @@
  *  SPDX-License-Identifier: GPL-3.0-or-later
  */
 
+#include "daemon/session.h"
+#include "daemon/network.h"
+
 #include "daemon/proxyv2.h"
 
 #include "lib/generic/trie.h"
@@ -91,12 +94,12 @@ static inline enum proxy2_family proxy2_header_protocol(const struct proxy2_head
 
 static inline union proxy2_address *proxy2_get_address(const struct proxy2_header *h)
 {
-	return (union proxy2_address *) ((uint8_t *) h + sizeof(struct proxy2_header));
+	return (union proxy2_address *)((uint8_t *)h + sizeof(struct proxy2_header));
 }
 
 static inline struct proxy2_tlv *get_tlvs(const struct proxy2_header *h, size_t addr_len)
 {
-	return (struct proxy2_tlv *) ((uint8_t *) proxy2_get_address(h) + addr_len);
+	return (struct proxy2_tlv *)((uint8_t *)proxy2_get_address(h) + addr_len);
 }
 
 /** Gets the length of the TLV's `value` attribute. */
@@ -111,20 +114,20 @@ static inline bool has_tlv(const struct proxy2_header *h,
 	uint64_t addr_length = ntohs(h->length);
 	ptrdiff_t hdr_len = sizeof(struct proxy2_header) + addr_length;
 
-	uint8_t *tlv_hdr_end = (uint8_t *) tlv + sizeof(struct proxy2_tlv);
-	ptrdiff_t distance = tlv_hdr_end - (uint8_t *) h;
+	uint8_t *tlv_hdr_end = (uint8_t *)tlv + sizeof(struct proxy2_tlv);
+	ptrdiff_t distance = tlv_hdr_end - (uint8_t *)h;
 	if (hdr_len < distance)
 		return false;
 
 	uint8_t *tlv_end = tlv_hdr_end + proxy2_tlv_length(tlv);
-	distance = tlv_end - (uint8_t *) h;
+	distance = tlv_end - (uint8_t *)h;
 	return hdr_len >= distance;
 }
 
 static inline void next_tlv(struct proxy2_tlv **tlv)
 {
-	uint8_t *next = ((uint8_t *) *tlv + sizeof(struct proxy2_tlv) + proxy2_tlv_length(*tlv));
-	*tlv = (struct proxy2_tlv *) next;
+	uint8_t *next = ((uint8_t *)*tlv + sizeof(struct proxy2_tlv) + proxy2_tlv_length(*tlv));
+	*tlv = (struct proxy2_tlv *)next;
 }
 
 
@@ -140,7 +143,7 @@ bool proxy_allowed(const struct network *net, const struct sockaddr *saddr)
 
 		trie = net->proxy_addrs4;
 		addr_size = sizeof(addr.ip4);
-		addr.ip4 = ((struct sockaddr_in *) saddr)->sin_addr;
+		addr.ip4 = ((struct sockaddr_in *)saddr)->sin_addr;
 		break;
 	case AF_INET6:
 		if (net->proxy_all6)
@@ -148,7 +151,7 @@ bool proxy_allowed(const struct network *net, const struct sockaddr *saddr)
 
 		trie = net->proxy_addrs6;
 		addr_size = sizeof(addr.ip6);
-		addr.ip6 = ((struct sockaddr_in6 *) saddr)->sin6_addr;
+		addr.ip6 = ((struct sockaddr_in6 *)saddr)->sin6_addr;
 		break;
 	default:
 		kr_assert(false); // Only IPv4 and IPv6 proxy addresses supported
@@ -156,14 +159,14 @@ bool proxy_allowed(const struct network *net, const struct sockaddr *saddr)
 	}
 
 	trie_val_t *val;
-	int ret = trie_get_leq(trie, (char *) &addr, addr_size, &val);
+	int ret = trie_get_leq(trie, (char *)&addr, addr_size, &val);
 	if (ret != kr_ok() && ret != 1)
 		return false;
 
 	kr_assert(val);
 	const struct net_proxy_data *found = *val;
 	kr_assert(found);
-	return kr_bitcmp((char *) &addr, (char *) &found->addr, found->netmask) == 0;
+	return kr_bitcmp((char *)&addr, (char *)&found->addr, found->netmask) == 0;
 }
 
 ssize_t proxy_process_header(struct proxy_result *out, struct session *s,
@@ -172,7 +175,7 @@ ssize_t proxy_process_header(struct proxy_result *out, struct session *s,
 	if (!buf)
 		return kr_error(EINVAL);
 
-	const struct proxy2_header *hdr = (struct proxy2_header *) buf;
+	const struct proxy2_header *hdr = (struct proxy2_header *)buf;
 
 	uint64_t content_length = ntohs(hdr->length);
 	ssize_t hdr_len = sizeof(struct proxy2_header) + content_length;
@@ -191,7 +194,7 @@ ssize_t proxy_process_header(struct proxy_result *out, struct session *s,
 	enum proxy2_command command = proxy2_header_command(hdr);
 	if (command == PROXY2_CMD_LOCAL) {
 		/* Addresses for LOCAL are to be discarded */
-		*out = (struct proxy_result) { .command = PROXY2_CMD_LOCAL };
+		*out = (struct proxy_result){ .command = PROXY2_CMD_LOCAL };
 		goto fill_wirebuf;
 	}
 
@@ -200,13 +203,14 @@ ssize_t proxy_process_header(struct proxy_result *out, struct session *s,
 		return kr_error(KNOT_EMALF);
 	}
 
-	*out = (struct proxy_result) { .command = PROXY2_CMD_PROXY };
+	*out = (struct proxy_result){ .command = PROXY2_CMD_PROXY };
 
 	/* Parse flags */
 	enum proxy2_family family = proxy2_header_family(hdr);
 	switch(family) {
 	case PROXY2_AF_UNSPEC:
-	case PROXY2_AF_UNIX: /* UNIX is unsupported, fall back to UNSPEC */
+	case PROXY2_AF_UNIX:
+		/* UNIX is unsupported, fall back to UNSPEC */
 		out->family = AF_UNSPEC;
 		break;
 	case PROXY2_AF_INET:
@@ -215,7 +219,8 @@ ssize_t proxy_process_header(struct proxy_result *out, struct session *s,
 	case PROXY2_AF_INET6:
 		out->family = AF_INET6;
 		break;
-	default: /* PROXYv2 prohibits other values */
+	default:
+		/* PROXYv2 prohibits other values */
 		return kr_error(KNOT_EMALF);
 	}
 
@@ -227,7 +232,8 @@ ssize_t proxy_process_header(struct proxy_result *out, struct session *s,
 	case PROXY2_PROTOCOL_STREAM:
 		out->protocol = SOCK_STREAM;
 		break;
-	default: /* PROXYv2 prohibits other values */
+	default:
+		/* PROXYv2 prohibits other values */
 		return kr_error(KNOT_EMALF);
 	}
 
@@ -240,12 +246,12 @@ ssize_t proxy_process_header(struct proxy_result *out, struct session *s,
 		if (content_length < addr_length)
 			return kr_error(KNOT_EMALF);
 
-		out->src_addr.ip4 = (struct sockaddr_in) {
+		out->src_addr.ip4 = (struct sockaddr_in){
 			.sin_family = AF_INET,
 			.sin_addr = { .s_addr = addr->ipv4_addr.src_addr },
 			.sin_port = addr->ipv4_addr.src_port,
 		};
-		out->dst_addr.ip4 = (struct sockaddr_in) {
+		out->dst_addr.ip4 = (struct sockaddr_in){
 			.sin_family = AF_INET,
 			.sin_addr = { .s_addr = addr->ipv4_addr.dst_addr },
 			.sin_port = addr->ipv4_addr.dst_port,
@@ -256,7 +262,7 @@ ssize_t proxy_process_header(struct proxy_result *out, struct session *s,
 		if (content_length < addr_length)
 			return kr_error(KNOT_EMALF);
 
-		out->src_addr.ip6 = (struct sockaddr_in6) {
+		out->src_addr.ip6 = (struct sockaddr_in6){
 			.sin6_family = AF_INET6,
 			.sin6_port = addr->ipv6_addr.src_port
 		};
@@ -264,7 +270,7 @@ ssize_t proxy_process_header(struct proxy_result *out, struct session *s,
 				&out->src_addr.ip6.sin6_addr.s6_addr,
 				&addr->ipv6_addr.src_addr,
 				sizeof(out->src_addr.ip6.sin6_addr.s6_addr));
-		out->dst_addr.ip6 = (struct sockaddr_in6) {
+		out->dst_addr.ip6 = (struct sockaddr_in6){
 			.sin6_family = AF_INET6,
 			.sin6_port = addr->ipv6_addr.dst_port
 		};
diff --git a/daemon/proxyv2.h b/daemon/proxyv2.h
index 2d57744..fdee126 100644
--- a/daemon/proxyv2.h
+++ b/daemon/proxyv2.h
@@ -6,10 +6,11 @@
 
 #include <stdint.h>
 
-#include "daemon/session.h"
-#include "daemon/network.h"
 #include "lib/utils.h"
 
+struct network;
+struct session;
+
 extern const char PROXY2_SIGNATURE[12];
 
 #define PROXY2_MIN_SIZE 16
@@ -21,14 +22,20 @@ enum proxy2_command {
 
 /** Parsed result of the PROXY protocol */
 struct proxy_result {
-	enum proxy2_command command;  /**< Proxy command - PROXY or LOCAL. */
-	int family;                   /**< Address family from netinet library (e.g. AF_INET6). */
-	int protocol;                 /**< Protocol type from socket library (e.g. SOCK_STREAM). */
-	union kr_sockaddr src_addr;   /**< Parsed source address and port. */
-	union kr_sockaddr dst_addr;   /**< Parsed destination address and port. */
-	bool has_tls : 1;             /**< `true` = client has used TLS with the proxy.
-	                                   If TLS padding is enabled, it will be used even if
-	                                   the proxy did not use TLS with kresd. */
+	/** Proxy command - PROXY or LOCAL. */
+	enum proxy2_command command;
+	/** Address family from netinet library (e.g. AF_INET6). */
+	int family;
+	/** Protocol type from socket library (e.g. SOCK_STREAM). */
+	int protocol;
+	/** Parsed source address and port. */
+	union kr_sockaddr src_addr;
+	/** Parsed destination address and port. */
+	union kr_sockaddr dst_addr;
+	/** `true` = client has used TLS with the proxy. If TLS padding is
+	 * enabled, it will be used even if the communication between kresd and
+	 * the proxy is unencrypted. */
+	bool has_tls : 1;
 };
 
 /** Checks for a PROXY protocol version 2 signature in the specified buffer. */
diff --git a/lib/cache/api.c b/lib/cache/api.c
index bb627ea..f71a8d0 100644
--- a/lib/cache/api.c
+++ b/lib/cache/api.c
@@ -40,7 +40,7 @@
 
 
 /** Cache version */
-static const uint16_t CACHE_VERSION = 6;
+static const uint16_t CACHE_VERSION = 7;
 /** Key size */
 #define KEY_HSIZE (sizeof(uint8_t) + sizeof(uint16_t))
 #define KEY_SIZE (KEY_HSIZE + KNOT_DNAME_MAXLEN)
diff --git a/lib/dnssec.c b/lib/dnssec.c
index 262570c..12b8f20 100644
--- a/lib/dnssec.c
+++ b/lib/dnssec.c
@@ -240,8 +240,11 @@ fail:
 	return NULL;
 }
 
-/// Return if we want to afford yet another crypto-validation (and account it).
-static bool check_crypto_limit(const kr_rrset_validation_ctx_t *vctx)
+/** Checks whether we want to allow yet another crypto-validation and if yes,
+ * decrements the remaining number of allowed validations.
+ *
+ * Returns `true` if the crypto-validation is allowed; otherwise false */
+static bool account_crypto_limit(kr_rrset_validation_ctx_t *vctx)
 {
 	if (vctx->limit_crypto_remains == NULL)
 		return true; // no limiting
@@ -281,7 +284,7 @@ static int kr_svldr_rrset_with_key(knot_rrset_t *rrs, const knot_rdataset_t *rrs
 		} else if (retv != 0) {
 			continue;
 		}
-		if (!check_crypto_limit(vctx))
+		if (!account_crypto_limit(vctx))
 			return vctx->result = kr_error(E2BIG);
 		// We only expect non-expanded wildcard records in input;
 		// that also means we don't need to perform non-existence proofs.
@@ -392,7 +395,7 @@ static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
 					break;
 				}
 			}
-			if (!check_crypto_limit(vctx)) {
+			if (!account_crypto_limit(vctx)) {
 				vctx->result = kr_error(E2BIG);
 				goto finish;
 			}
@@ -477,7 +480,7 @@ int kr_dnskeys_trusted(kr_rrset_validation_ctx_t *vctx, const knot_rdataset_t *s
 			ret = kr_svldr_rrset_with_key(keys, sigs, vctx, &key);
 		svldr_key_del(&key);
 		if (ret == 0 || ret == kr_error(E2BIG)) {
-			kr_assert(vctx->result == 0);
+			kr_assert(vctx->result == ret);
 			return vctx->result;
 		}
 	}
diff --git a/meson.build b/meson.build
index 12c5eb3..8e22e17 100644
--- a/meson.build
+++ b/meson.build
@@ -4,7 +4,7 @@ project(
   'knot-resolver',
   ['c', 'cpp'],
   license: 'GPLv3+',
-  version: '5.7.1',
+  version: '5.7.2',
   default_options: ['c_std=gnu11', 'b_ndebug=true'],
   meson_version: '>=0.49',
 )
diff --git a/scripts/update-authors.sh b/scripts/update-authors.sh
index fe1d857..a2ddc27 100755
--- a/scripts/update-authors.sh
+++ b/scripts/update-authors.sh
@@ -15,7 +15,7 @@ TEMP_FILE="$(mktemp AUTHORS.XXXXXXXXXX)"
 # drop all names from the current file
 sed '/^People who contributed commits to our Git repo are/q' "${AUTHORS_FILE}" > "${TEMP_FILE}"
 # append to the new file
-git log --format="%aN <%aE>" | sort -u | git check-mailmap --stdin | sort -u >> "${TEMP_FILE}"
+git log --no-show-signature --format="%aN <%aE>" | sort -u | git check-mailmap --stdin | sort -u >> "${TEMP_FILE}"
 
 echo '' >> "${TEMP_FILE}"
 echo 'Knot Resolver source tree also bundles code and content published by:' >> "${TEMP_FILE}"
diff --git a/tests/integration/meson.build b/tests/integration/meson.build
index ffe3403..98b661f 100644
--- a/tests/integration/meson.build
+++ b/tests/integration/meson.build
@@ -9,7 +9,7 @@ augeas = dependency('augeas')
 
 # python3 dependencies
 py3_deps += [
-  ['augeas', 'augeas (for deckard)'],
+  ['augeas', 'python-augeas (for deckard)'],
   ['dns', 'dnspython (for deckard)'],
   ['dpkt', 'dpkt (for deckard)'],
   ['jinja2', 'jinja2 (for deckard)'],