From: florian Date: Sat, 6 Feb 2021 18:01:02 +0000 (+0000) Subject: Revert delayed opening of trust anchor file. The code was somewhat X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=abb043571bb946d6999c67e98f953a53e501c1e9;p=openbsd Revert delayed opening of trust anchor file. The code was somewhat ugly and the underlying problem (dhclient and unwind playing well together) should be solved differently. Final straw was jca reporting that it breaks his setup. --- diff --git a/sbin/unwind/frontend.c b/sbin/unwind/frontend.c index 603acede2a7..123d181415f 100644 --- a/sbin/unwind/frontend.c +++ b/sbin/unwind/frontend.c @@ -1,4 +1,4 @@ -/* $OpenBSD: frontend.c,v 1.67 2021/01/30 10:31:51 florian Exp $ */ +/* $OpenBSD: frontend.c,v 1.68 2021/02/06 18:01:02 florian Exp $ */ /* * Copyright (c) 2018 Florian Obser @@ -258,6 +258,8 @@ frontend(int debug, int verbose) TAILQ_INIT(&trust_anchors); TAILQ_INIT(&new_trust_anchors); + add_new_ta(&trust_anchors, KSK2017); + event_dispatch(); frontend_shutdown(); @@ -446,21 +448,10 @@ frontend_dispatch_main(int fd, short event, void *bula) control_listen(fd); break; case IMSG_TAFD: - if ((ta_fd = imsg.fd) == -1) - fatalx("%s: expected to receive imsg trust " - "anchor fd but didn't receive any", - __func__); - if (TAILQ_EMPTY(&trust_anchors)) { - /* - * We did not receive a trustanchor from DNS, - * maybe the built-in one is out of date, try - * with the one from disk. - */ + if ((ta_fd = imsg.fd) != -1) parse_trust_anchor(&trust_anchors, ta_fd); - if (!TAILQ_EMPTY(&trust_anchors)) - send_trust_anchors(&trust_anchors); - } else - write_trust_anchors(&trust_anchors, ta_fd); + if (!TAILQ_EMPTY(&trust_anchors)) + send_trust_anchors(&trust_anchors); break; case IMSG_BLFD: if ((fd = imsg.fd) == -1) diff --git a/sbin/unwind/resolver.c b/sbin/unwind/resolver.c index 137f428df94..cc9019bf8c5 100644 --- a/sbin/unwind/resolver.c +++ b/sbin/unwind/resolver.c @@ -1,4 +1,4 @@ -/* $OpenBSD: resolver.c,v 1.141 2021/01/31 16:07:27 florian Exp $ */ +/* $OpenBSD: resolver.c,v 1.142 2021/02/06 18:01:02 florian Exp $ */ /* * Copyright (c) 2018 Florian Obser @@ -423,8 +423,6 @@ resolver(int debug, int verbose) TAILQ_INIT(&new_trust_anchors); TAILQ_INIT(&running_queries); - add_new_ta(&trust_anchors, KSK2017); - event_dispatch(); resolver_shutdown(); diff --git a/sbin/unwind/unwind.c b/sbin/unwind/unwind.c index 93c5c039466..d75c0baa9b0 100644 --- a/sbin/unwind/unwind.c +++ b/sbin/unwind/unwind.c @@ -1,4 +1,4 @@ -/* $OpenBSD: unwind.c,v 1.59 2021/01/30 10:31:52 florian Exp $ */ +/* $OpenBSD: unwind.c,v 1.60 2021/02/06 18:01:02 florian Exp $ */ /* * Copyright (c) 2018 Florian Obser @@ -49,8 +49,6 @@ #include "control.h" #define TRUST_ANCHOR_FILE "/var/db/unwind.key" -#define WAIT_TA_FD_TIMEOUT 5 -#define WAIT_TA_FD_MAX_RETRY 3 enum uw_process { PROC_MAIN, @@ -76,8 +74,6 @@ int main_sendall(enum imsg_type, void *, uint16_t); void open_ports(void); void solicit_dns_proposals(void); void send_blocklist_fd(void); -void open_trustanchor(void); -void open_trustanchor_timeout(int, short, void *); struct uw_conf *main_conf; static struct imsgev *iev_frontend; @@ -87,7 +83,6 @@ pid_t frontend_pid; pid_t resolver_pid; uint32_t cmd_opts; int routesock; -struct event ta_timo_ev; void main_sig_handler(int sig, short event, void *arg) @@ -130,7 +125,7 @@ main(int argc, char *argv[]) int ch, debug = 0, resolver_flag = 0, frontend_flag = 0; int frontend_routesock, rtfilter; int pipe_main2frontend[2], pipe_main2resolver[2]; - int control_fd; + int control_fd, ta_fd; char *csock, *saved_argv0; csock = UNWIND_SOCKET; @@ -285,6 +280,12 @@ main(int argc, char *argv[]) fatal("route socket"); shutdown(SHUT_RD, routesock); + if ((ta_fd = open(TRUST_ANCHOR_FILE, O_RDWR | O_CREAT, 0644)) == -1) + log_warn("%s", TRUST_ANCHOR_FILE); + + /* receiver handles failed open correctly */ + main_imsg_compose_frontend_fd(IMSG_TAFD, 0, ta_fd); + main_imsg_compose_frontend_fd(IMSG_CONTROLFD, 0, control_fd); main_imsg_compose_frontend_fd(IMSG_ROUTESOCK, 0, frontend_routesock); main_imsg_send_config(main_conf); @@ -292,17 +293,9 @@ main(int argc, char *argv[]) if (main_conf->blocklist_file != NULL) send_blocklist_fd(); - /* this is the best we can do, when we startup /var is not mounted */ - if (unveil("/var", "rwc") == -1) - fatal("unveil"); - if (unveil("/", "r") == -1) - fatal("unveil"); - if (pledge("stdio rpath wpath cpath sendfd", NULL) == -1) + if (pledge("stdio rpath sendfd", NULL) == -1) fatal("pledge"); - evtimer_set(&ta_timo_ev, open_trustanchor_timeout, NULL); - open_trustanchor(); - main_imsg_compose_frontend(IMSG_STARTUP, 0, NULL, 0); main_imsg_compose_resolver(IMSG_STARTUP, 0, NULL, 0); @@ -966,31 +959,3 @@ imsg_receive_config(struct imsg *imsg, struct uw_conf **xconf) break; } } - -void -open_trustanchor(void) -{ - static int retry; - static const struct timeval timeout = { WAIT_TA_FD_TIMEOUT, 0}; - int fd; - - fd = open(TRUST_ANCHOR_FILE, O_RDWR | O_CREAT, 0644); - - if (fd != -1) - main_imsg_compose_frontend_fd(IMSG_TAFD, 0, fd); - else if (retry++ < WAIT_TA_FD_MAX_RETRY) { - /* /var is not mounted yet, try a bit later */ - evtimer_add(&ta_timo_ev, &timeout); - return; - } else - log_warn("giving up on %s", TRUST_ANCHOR_FILE); - - if (pledge("stdio rpath sendfd", NULL) == -1) - fatal("pledge"); -} - -void -open_trustanchor_timeout(int fd, short events, void *arg) -{ - open_trustanchor(); -}