Florian Obser <flor...@openbsd.org> wrote:
> I'm not a fan and I'm not personally interested in the functionality.
> 
> I'd suggest getting a certificate from a recognized CA or add your CA to
> /etc/ssl/cert.pem if it's trustworthy enough.
> 
> Removing the unveil(2) call shows that you don't understand what that
> does. Hint: you opened up the whole filesystem to the resolver process.

Before I give up, I'll try with the following approach. It keeps
unveil(2) in place, doesn't mess with yacc and it feels a bit
cleaner than the previous one.

Thanks for the review anyway. :)

-Lucas


Index: resolver.c
===================================================================
RCS file: /home/cvs/src/sbin/unwind/resolver.c,v
retrieving revision 1.144
diff -u -p -r1.144 resolver.c
--- resolver.c  12 Jul 2021 15:09:19 -0000      1.144
+++ resolver.c  22 Jul 2021 19:33:03 -0000
@@ -335,6 +335,8 @@ const char   bogus_past[]   = "validation f
 const char      bogus_future[] = "validation failure <. NS IN>: signature "
                                  "before inception date";
 
+static const char      *resolver_cafile = TLS_DEFAULT_CA_CERT_FILE;
+
 void
 resolver_sig_handler(int sig, short event, void *arg)
 {
@@ -353,7 +355,7 @@ resolver_sig_handler(int sig, short even
 }
 
 void
-resolver(int debug, int verbose)
+resolver(int debug, int verbose, const char *cafile)
 {
        struct event             ev_sigint, ev_sigterm;
        struct passwd           *pw;
@@ -376,8 +378,10 @@ resolver(int debug, int verbose)
            setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
                fatal("can't drop privileges");
 
-       if (unveil(TLS_DEFAULT_CA_CERT_FILE, "r") == -1)
-               fatal("unveil %s", TLS_DEFAULT_CA_CERT_FILE);
+       if (cafile != NULL)
+               resolver_cafile = cafile;
+       if (unveil(resolver_cafile, "r") == -1)
+               fatal("unveil %s", resolver_cafile);
 
        if (pledge("stdio inet dns rpath recvfd", NULL) == -1)
                fatal("pledge");
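Review bot: The operator-supplied path reaches `if (unveil(resolver_cafile, "r") == -1)` without any check that the file actually exists and is readable by the now-unprivileged resolver user (the setresuid() call is a few lines above), and if I recall correctly unveil(2) does not require the final path component to exist, so a typo in `-C` passes this point and only surfaces later as a TLS validation failure inside the DoT resolvers. A readability probe after the unveil and before pledge(2) turns that into a clear startup error: `if (access(resolver_cafile, R_OK) == -1) fatal("can't read CA file %s", resolver_cafile);`. A relative `-C` value is also resolved here against the resolver process's working directory, which is presumably whatever the parent had at exec time; requiring an absolute path, or saying so in unwind.8, would avoid surprises. resolver()'s body continues outside this hunk.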
@@ -1321,7 +1325,7 @@ create_resolver(enum uw_resolver_type ty
        case UW_RES_ODOT_DHCP:
                set_forwarders(res, &autoconf_forwarder_list, 853);
                ub_ctx_set_option(res->ctx, "tls-cert-bundle:",
-                   TLS_DEFAULT_CA_CERT_FILE);
+                   resolver_cafile);
                ub_ctx_set_tls(res->ctx, 1);
                break;
        case UW_RES_FORWARDER:
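Review bot: The return value of `ub_ctx_set_option(res->ctx, "tls-cert-bundle:", resolver_cafile)` is still ignored, and now that the bundle path is operator-controlled rather than a compile-time constant a failure here is a realistic misconfiguration rather than a build error; the same pattern is in the next hunk for UW_RES_ODOT_FORWARDER and UW_RES_DOT. Capturing the result and logging it, e.g. `log_warnx("tls-cert-bundle %s: %s", resolver_cafile, ub_strerror(err))`, would make a bad `-C` value diagnosable from the log. Whether libunbound checks the file at set_option time or only when the context is finalized I cannot tell from here. create_resolver() starts and ends outside this hunk.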
@@ -1330,13 +1334,13 @@ create_resolver(enum uw_resolver_type ty
        case UW_RES_ODOT_FORWARDER:
                set_forwarders(res, &resolver_conf->uw_forwarder_list, 853);
                ub_ctx_set_option(res->ctx, "tls-cert-bundle:",
-                   TLS_DEFAULT_CA_CERT_FILE);
+                   resolver_cafile);
                ub_ctx_set_tls(res->ctx, 1);
                break;
        case UW_RES_DOT:
                set_forwarders(res, &resolver_conf->uw_dot_forwarder_list, 0);
                ub_ctx_set_option(res->ctx, "tls-cert-bundle:",
-                   TLS_DEFAULT_CA_CERT_FILE);
+                   resolver_cafile);
                ub_ctx_set_tls(res->ctx, 1);
                break;
        default:
Index: resolver.h
===================================================================
RCS file: /home/cvs/src/sbin/unwind/resolver.h,v
retrieving revision 1.17
diff -u -p -r1.17 resolver.h
--- resolver.h  18 Dec 2019 09:18:27 -0000      1.17
+++ resolver.h  22 Jul 2021 19:09:35 -0000
@@ -71,6 +71,6 @@ struct ctl_mem_info {
        size_t           neg_cache_max;
 };
 
-void    resolver(int, int);
+void    resolver(int, int, const char *);
 int     resolver_imsg_compose_main(int, pid_t, void *, uint16_t);
 int     resolver_imsg_compose_frontend(int, pid_t, void *, uint16_t);
Index: unwind.8
===================================================================
RCS file: /home/cvs/src/sbin/unwind/unwind.8,v
retrieving revision 1.10
diff -u -p -r1.10 unwind.8
--- unwind.8    25 Jan 2021 16:57:00 -0000      1.10
+++ unwind.8    22 Jul 2021 22:27:51 -0000
@@ -24,6 +24,7 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl dnv
+.Op Fl C Ar file
 .Op Fl f Ar file
 .Op Fl s Ar socket
 .Sh DESCRIPTION
@@ -80,6 +81,8 @@ If this option is specified,
 .Nm
 will run in the foreground and log to
 .Em stderr .
+.It Fl C Ar file
+Specify an alternative CA certificates file.
 .It Fl f Ar file
 Specify an alternative configuration file.
 .It Fl n
@@ -107,6 +110,8 @@ Trust anchor for DNSSEC validation.
 .Ux Ns -domain
 socket used for communication with
 .Xr unwindctl 8 .
+.It Pa /etc/ssl/cert.pem
+Default CA file.
 .El
 .Sh SEE ALSO
 .Xr unwind.conf 5 ,
Index: unwind.c
===================================================================
RCS file: /home/cvs/src/sbin/unwind/unwind.c,v
retrieving revision 1.61
diff -u -p -r1.61 unwind.c
--- unwind.c    27 Feb 2021 10:32:28 -0000      1.61
+++ unwind.c    22 Jul 2021 19:45:20 -0000
@@ -61,7 +61,7 @@ __dead void   main_shutdown(void);
 
 void           main_sig_handler(int, short, void *);
 
-static pid_t   start_child(enum uw_process, char *, int, int, int);
+static pid_t   start_child(enum uw_process, char *, int, int, int, char *);
 
 void           main_dispatch_frontend(int, short, void *);
 void           main_dispatch_resolver(int, short, void *);
@@ -113,7 +113,7 @@ usage(void)
 {
        extern char *__progname;
 
-       fprintf(stderr, "usage: %s [-dnv] [-f file] [-s socket]\n",
+       fprintf(stderr, "usage: %s [-dnv] [-C file] [-f file] [-s socket]\n",
            __progname);
        exit(1);
 }
@@ -126,7 +126,7 @@ main(int argc, char *argv[])
        int              frontend_routesock, rtfilter;
        int              pipe_main2frontend[2], pipe_main2resolver[2];
        int              control_fd, ta_fd;
-       char            *csock, *saved_argv0;
+       char            *csock, *saved_argv0, *cafile = NULL;
 
        csock = _PATH_UNWIND_SOCKET;
 
@@ -137,8 +137,11 @@ main(int argc, char *argv[])
        if (saved_argv0 == NULL)
                saved_argv0 = "unwind";
 
-       while ((ch = getopt(argc, argv, "dEFf:ns:v")) != -1) {
+       while ((ch = getopt(argc, argv, "C:dEFf:ns:v")) != -1) {
                switch (ch) {
+               case 'C':
+                       cafile = optarg;
+                       break;
                case 'd':
                        debug = 1;
                        break;
@@ -176,7 +179,7 @@ main(int argc, char *argv[])
 
        if (resolver_flag)
                resolver(debug, cmd_opts & (OPT_VERBOSE | OPT_VERBOSE2 |
-                   OPT_VERBOSE3));
+                   OPT_VERBOSE3), cafile);
        else if (frontend_flag)
                frontend(debug, cmd_opts & (OPT_VERBOSE | OPT_VERBOSE2 |
                    OPT_VERBOSE3));
@@ -216,10 +219,10 @@ main(int argc, char *argv[])
        /* Start children. */
        resolver_pid = start_child(PROC_RESOLVER, saved_argv0,
            pipe_main2resolver[1], debug, cmd_opts & (OPT_VERBOSE |
-           OPT_VERBOSE2 | OPT_VERBOSE3));
+           OPT_VERBOSE2 | OPT_VERBOSE3), cafile);
        frontend_pid = start_child(PROC_FRONTEND, saved_argv0,
            pipe_main2frontend[1], debug, cmd_opts & (OPT_VERBOSE |
-           OPT_VERBOSE2 | OPT_VERBOSE3));
+           OPT_VERBOSE2 | OPT_VERBOSE3), cafile);
 
        log_procinit("main");
 
@@ -339,9 +342,10 @@ main_shutdown(void)
 }
 
 static pid_t
-start_child(enum uw_process p, char *argv0, int fd, int debug, int verbose)
+start_child(enum uw_process p, char *argv0, int fd, int debug, int verbose,
+    char *cafile)
 {
-       char    *argv[7];
+       char    *argv[9];
        int      argc = 0;
        pid_t    pid;
 
@@ -380,6 +384,10 @@ start_child(enum uw_process p, char *arg
                argv[argc++] = "-v";
        if (verbose & OPT_VERBOSE3)
                argv[argc++] = "-v";
+       if (cafile != NULL) {
+               argv[argc++] = "-C";
+               argv[argc++] = cafile;
+       }
        argv[argc++] = NULL;
 
        execvp(argv0, argv);
