From: Vladimír Čunát Date: Fri, 17 May 2019 17:06:39 +0000 (+0200) Subject: add FORCE_PADDING option for requests X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=68b2bcc44bab1db5f25aaca18ec84860fa0868e7;p=thirdparty%2Fknot-resolver.git add FORCE_PADDING option for requests --- diff --git a/daemon/bindings/net.rst b/daemon/bindings/net.rst index 1109ed114..fe3ed374b 100644 --- a/daemon/bindings/net.rst +++ b/daemon/bindings/net.rst @@ -332,14 +332,19 @@ by a trusted CA. This is done using function :c:func:`net.tls()`. .. function:: net.tls_padding([true | false]) - Get/set EDNS(0) padding of answers to queries that arrive over TLS - transport. If set to `true` (the default), it will use a sensible + Get/set padding of answers to queries that arrive over TLS + transport, as defined in :rfc:`7830`. + + If set to `true` (the default), it will use a sensible default padding scheme, as implemented by libknot if available at compile time. If set to a numeric value >= 2 it will pad the answers to nearest *padding* boundary, e.g. if set to `64`, the answer will have size of a multiple of 64 (64, 128, 192, ...). If set to `false` (or a number < 2), it will disable padding entirely. + You may force padding even on unencrypted answers via ``policy.FLAGS('FORCE_PADDING')``, + e.g. in conditioned on the request coming from a TLS-stripping proxy. + .. function:: net.tls_sticket_secret([string with pre-shared secret]) Set secret for TLS session resumption via tickets, by :rfc:`5077`. diff --git a/daemon/lua/kres-gen.lua b/daemon/lua/kres-gen.lua index bac7fbff5..9ad6d1add 100644 --- a/daemon/lua/kres-gen.lua +++ b/daemon/lua/kres-gen.lua @@ -120,6 +120,7 @@ struct kr_qflags { _Bool DNS64_MARK : 1; _Bool CACHE_TRIED : 1; _Bool NO_NS_FOUND : 1; + _Bool FORCE_PADDING : 1; }; typedef struct { knot_rrset_t **at; diff --git a/lib/resolve.h b/lib/resolve.h index ae695b913..d4fcc531e 100644 --- a/lib/resolve.h +++ b/lib/resolve.h 
@@ -170,7 +170,7 @@ struct kr_context * module because of better access. */ struct kr_cookie_ctx cookie_ctx; kr_cookie_lru_t *cache_cookie; - int32_t tls_padding; /**< See net.tls_padding in ../daemon/README.rst -- -1 is "true" (default policy), 0 is "false" (no padding) */ + int32_t tls_padding; /**< See net.tls_padding in ../daemon/bindings/net.rst -- -1 is "true" (default policy), 0 is "false" (no padding) */ knot_mm_t *pool; }; diff --git a/lib/rplan.h b/lib/rplan.h index 6e93afc71..e98ee3e8c 100644 --- a/lib/rplan.h +++ b/lib/rplan.h @@ -64,6 +64,7 @@ struct kr_qflags { bool DNS64_MARK : 1; /**< Internal mark for dns64 module. */ bool CACHE_TRIED : 1; /**< Internal to cache module. */ bool NO_NS_FOUND : 1; /**< No valid NS found during last PRODUCE stage. */ + bool FORCE_PADDING : 1; /**< Force use of EDNS(0) padding even if TLS isn't used. */ }; /** Combine flags together. This means set union for simple flags. */
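Review bot: the sentence added at the end of the net.rst hunk, "e.g. in conditioned on the request coming from a TLS-stripping proxy", is ungrammatical; suggest "e.g. conditioned on the request coming from a TLS-stripping proxy" or "for example when the request is known to come from a TLS-stripping proxy". It would also help readers to say plainly what the option buys them: padding an unencrypted answer only hides its length if a later hop (such as the proxy this sentence has in mind) re-encrypts it, so the knob is meant for deployments where TLS is terminated in front of the resolver, not as a substitute for serving the answer over TLS.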
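Review bot: in the kres-gen.lua hunk the new bit must sit at the same position as in the C definition of struct kr_qflags in lib/rplan.h, because the Lua FFI struct mirrors the C layout bit for bit; here it is placed directly after NO_NS_FOUND in both files, which matches. If kres-gen.lua is produced by a generator (the file name suggests so), please regenerate it rather than hand-editing, so the two definitions cannot drift apart in later changes.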
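Review bot: the rplan.h hunk documents FORCE_PADDING as "Force use of EDNS(0) padding even if TLS isn't used", but nothing in this patch consumes the new bit: the remaining changes are the Lua mirror, the net.rst text and a comment path fix in resolve.h. Please include, or point to, the change where the answer-padding code checks the request's FORCE_PADDING flag alongside the existing TLS check and tls_padding setting; without it, the policy.FLAGS('FORCE_PADDING') usage described in net.rst has no effect. The comment should also state how the flag interacts with net.tls_padding(false), i.e. whether a globally disabled padding setting still wins over a per-request force.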