while debugging a pebkac in -portable, I noticed that in various places we use fatal() for libtls failures. errno doesn't generally contains anything useful after libtls functions, and in most it's explicitly cleared to avoid misuse.
just to provide a quick example, with `listen on ... ciphers foobar': % doas smtpd -d info: OpenSMTPD 7.0.0 starting dispatcher: no ciphers for 'foobar': No such file or directory smtpd: process dispatcher socket closed So change most of them to fatalx which doesn't append errno. While here I'm also logging the actual error, via tls_config_error() or tls_error(), that before was missing. tls_config_new(), tls_server() and tls_client() failures are still logged with fatal(), which I believe it's correct. ok? diff /usr/src commit - 27d3d13aceb86ba91128d3f12ca9fc893d83fa86 path + /usr/src blob - dbcf2c0158186f1a3077c25d746c9a8d7a8ad9d0 file + usr.sbin/smtpd/mta.c --- usr.sbin/smtpd/mta.c +++ usr.sbin/smtpd/mta.c @@ -489,38 +489,41 @@ mta_setup_dispatcher(struct dispatcher *dispatcher) if (remote->tls_ciphers) ciphers = remote->tls_ciphers; if (ciphers && tls_config_set_ciphers(config, ciphers) == -1) - fatal("%s", tls_config_error(config)); + fatalx("%s", tls_config_error(config)); if (remote->tls_protocols) { if (tls_config_parse_protocols(&protos, remote->tls_protocols) == -1) - fatal("failed to parse protocols \"%s\"", + fatalx("failed to parse protocols \"%s\"", remote->tls_protocols); if (tls_config_set_protocols(config, protos) == -1) - fatal("%s", tls_config_error(config)); + fatalx("%s", tls_config_error(config)); } if (remote->pki) { pki = dict_get(env->sc_pki_dict, remote->pki); if (pki == NULL) - fatal("client pki \"%s\" not found ", remote->pki); + fatalx("client pki \"%s\" not found", remote->pki); tls_config_set_dheparams(config, dheparams[pki->pki_dhe]); tls_config_use_fake_private_key(config); if (tls_config_set_keypair_mem(config, pki->pki_cert, pki->pki_cert_len, NULL, 0) == -1) - fatal("tls_config_set_keypair_mem"); + fatalx("tls_config_set_keypair_mem: %s", + tls_config_error(config)); } if (remote->ca) { ca = dict_get(env->sc_ca_dict, remote->ca); if (tls_config_set_ca_mem(config, ca->ca_cert, ca->ca_cert_len) == -1) - fatal("tls_config_set_ca_mem"); + fatalx("tls_config_set_ca_mem: %s", + tls_config_error(config)); } else if (tls_config_set_ca_file(config, tls_default_ca_cert_file()) == -1) - fatal("tls_config_set_ca_file"); + fatalx("tls_config_set_ca_file: %s", + tls_config_error(config)); if (remote->tls_verify) { tls_config_verify(config); blob - a9b7d48c8a5fe3e1af6d32429556f09b7579583b file + usr.sbin/smtpd/smtp.c --- usr.sbin/smtpd/smtp.c +++ usr.sbin/smtpd/smtp.c @@ -166,14 +166,14 @@ smtp_setup_listener_tls(struct listener *l) if (l->tls_ciphers) ciphers = l->tls_ciphers; if (ciphers && tls_config_set_ciphers(config, ciphers) == -1) - fatal("%s", tls_config_error(config)); + fatalx("%s", tls_config_error(config)); if (l->tls_protocols) { if (tls_config_parse_protocols(&protos, l->tls_protocols) == -1) - fatal("failed to parse protocols \"%s\"", + fatalx("failed to parse protocols \"%s\"", l->tls_protocols); if (tls_config_set_protocols(config, protos) == -1) - fatal("%s", tls_config_error(config)); + fatalx("%s", tls_config_error(config)); } pki = l->pki[0]; @@ -181,7 +181,8 @@ smtp_setup_listener_tls(struct listener *l) fatal("no pki defined"); if (tls_config_set_dheparams(config, dheparams[pki->pki_dhe]) == -1) - fatal("tls_config_set_dheparams"); + fatalx("tls_config_set_dheparams: %s", + tls_config_error(config)); tls_config_use_fake_private_key(config); for (i = 0; i < l->pkicount; i++) { @@ -189,11 +190,13 @@ smtp_setup_listener_tls(struct listener *l) if (i == 0) { if (tls_config_set_keypair_mem(config, pki->pki_cert, pki->pki_cert_len, NULL, 0) == -1) - fatal("tls_config_set_keypair_mem"); + fatalx("tls_config_set_keypair_mem: %s", + tls_config_error(config)); } else { if (tls_config_add_keypair_mem(config, pki->pki_cert, pki->pki_cert_len, NULL, 0) == -1) - fatal("tls_config_add_keypair_mem"); + fatalx("tls_config_add_keypair_mem: %s", + tls_config_error(config)); } } free(l->pki); @@ -203,7 +206,8 @@ smtp_setup_listener_tls(struct listener *l) ca = dict_get(env->sc_ca_dict, l->ca_name); if (tls_config_set_ca_mem(config, ca->ca_cert, ca->ca_cert_len) == -1) - fatal("tls_config_set_ca_mem"); + fatalx("tls_config_set_ca_mem: %s", + tls_config_error(config)); } else if (tls_config_set_ca_file(config, tls_default_ca_cert_file()) == -1) @@ -216,7 +220,7 @@ smtp_setup_listener_tls(struct listener *l) if (l->tls == NULL) fatal("tls_server"); if (tls_configure(l->tls, config) == -1) { - fatal("tls_configure: %s", tls_error(l->tls)); + fatalx("tls_configure: %s", tls_error(l->tls)); } tls_config_free(config); } blob - 46ecf7ed33bac4c9705d3ebca1138b426aa0fc39 file + usr.sbin/smtpd/smtpc.c --- usr.sbin/smtpd/smtpc.c +++ usr.sbin/smtpd/smtpc.c @@ -237,7 +237,7 @@ main(int argc, char **argv) if (cafile == NULL) cafile = tls_default_ca_cert_file(); if (tls_config_set_ca_file(tls_config, cafile) == -1) - fatal("tls_set_ca_file"); + fatalx("tls_set_ca_file: %s", tls_config_error(tls_config)); if (!params.tls_verify) { tls_config_insecure_noverifycert(tls_config); tls_config_insecure_noverifyname(tls_config); @@ -455,7 +455,7 @@ smtp_require_tls(void *tag, struct smtp_client *proto) fatal("tls_client"); if (tls_configure(tls, tls_config) == -1) - fatal("tls_configure"); + fatalx("tls_configure: %s", tls_error(tls)); smtp_set_tls(proto, tls); }