while debugging a pebkac in -portable, I noticed that in various
places we use fatal() for libtls failures. errno doesn't generally
contains anything useful after libtls functions, and in most it's
explicitly cleared to avoid misuse.
just to provide a quick example, with `listen on ... ciphers foobar':
% doas smtpd -d
info: OpenSMTPD 7.0.0 starting
dispatcher: no ciphers for 'foobar': No such file or directory
smtpd: process dispatcher socket closed
So change most of them to fatalx which doesn't append errno. While
here I'm also logging the actual error, via tls_config_error() or
tls_error(), that before was missing.
tls_config_new(), tls_server() and tls_client() failures are still
logged with fatal(), which I believe it's correct.
ok?
diff /usr/src
commit - 27d3d13aceb86ba91128d3f12ca9fc893d83fa86
path + /usr/src
blob - dbcf2c0158186f1a3077c25d746c9a8d7a8ad9d0
file + usr.sbin/smtpd/mta.c
--- usr.sbin/smtpd/mta.c
+++ usr.sbin/smtpd/mta.c
@@ -489,38 +489,41 @@ mta_setup_dispatcher(struct dispatcher *dispatcher)
if (remote->tls_ciphers)
ciphers = remote->tls_ciphers;
if (ciphers && tls_config_set_ciphers(config, ciphers) == -1)
- fatal("%s", tls_config_error(config));
+ fatalx("%s", tls_config_error(config));
if (remote->tls_protocols) {
if (tls_config_parse_protocols(&protos,
remote->tls_protocols) == -1)
- fatal("failed to parse protocols \"%s\"",
+ fatalx("failed to parse protocols \"%s\"",
remote->tls_protocols);
if (tls_config_set_protocols(config, protos) == -1)
- fatal("%s", tls_config_error(config));
+ fatalx("%s", tls_config_error(config));
}
if (remote->pki) {
pki = dict_get(env->sc_pki_dict, remote->pki);
if (pki == NULL)
- fatal("client pki \"%s\" not found ", remote->pki);
+ fatalx("client pki \"%s\" not found", remote->pki);
tls_config_set_dheparams(config, dheparams[pki->pki_dhe]);
tls_config_use_fake_private_key(config);
if (tls_config_set_keypair_mem(config, pki->pki_cert,
pki->pki_cert_len, NULL, 0) == -1)
- fatal("tls_config_set_keypair_mem");
+ fatalx("tls_config_set_keypair_mem: %s",
+ tls_config_error(config));
}
if (remote->ca) {
ca = dict_get(env->sc_ca_dict, remote->ca);
if (tls_config_set_ca_mem(config, ca->ca_cert, ca->ca_cert_len)
== -1)
- fatal("tls_config_set_ca_mem");
+ fatalx("tls_config_set_ca_mem: %s",
+ tls_config_error(config));
}
else if (tls_config_set_ca_file(config, tls_default_ca_cert_file())
== -1)
- fatal("tls_config_set_ca_file");
+ fatalx("tls_config_set_ca_file: %s",
+ tls_config_error(config));
if (remote->tls_verify) {
tls_config_verify(config);
blob - a9b7d48c8a5fe3e1af6d32429556f09b7579583b
file + usr.sbin/smtpd/smtp.c
--- usr.sbin/smtpd/smtp.c
+++ usr.sbin/smtpd/smtp.c
@@ -166,14 +166,14 @@ smtp_setup_listener_tls(struct listener *l)
if (l->tls_ciphers)
ciphers = l->tls_ciphers;
if (ciphers && tls_config_set_ciphers(config, ciphers) == -1)
- fatal("%s", tls_config_error(config));
+ fatalx("%s", tls_config_error(config));
if (l->tls_protocols) {
if (tls_config_parse_protocols(&protos, l->tls_protocols) == -1)
- fatal("failed to parse protocols \"%s\"",
+ fatalx("failed to parse protocols \"%s\"",
l->tls_protocols);
if (tls_config_set_protocols(config, protos) == -1)
- fatal("%s", tls_config_error(config));
+ fatalx("%s", tls_config_error(config));
}
pki = l->pki[0];
@@ -181,7 +181,8 @@ smtp_setup_listener_tls(struct listener *l)
fatal("no pki defined");
if (tls_config_set_dheparams(config, dheparams[pki->pki_dhe]) == -1)
- fatal("tls_config_set_dheparams");
+ fatalx("tls_config_set_dheparams: %s",
+ tls_config_error(config));
tls_config_use_fake_private_key(config);
for (i = 0; i < l->pkicount; i++) {
@@ -189,11 +190,13 @@ smtp_setup_listener_tls(struct listener *l)
if (i == 0) {
if (tls_config_set_keypair_mem(config, pki->pki_cert,
pki->pki_cert_len, NULL, 0) == -1)
- fatal("tls_config_set_keypair_mem");
+ fatalx("tls_config_set_keypair_mem: %s",
+ tls_config_error(config));
} else {
if (tls_config_add_keypair_mem(config, pki->pki_cert,
pki->pki_cert_len, NULL, 0) == -1)
- fatal("tls_config_add_keypair_mem");
+ fatalx("tls_config_add_keypair_mem: %s",
+ tls_config_error(config));
}
}
free(l->pki);
@@ -203,7 +206,8 @@ smtp_setup_listener_tls(struct listener *l)
ca = dict_get(env->sc_ca_dict, l->ca_name);
if (tls_config_set_ca_mem(config, ca->ca_cert, ca->ca_cert_len)
== -1)
- fatal("tls_config_set_ca_mem");
+ fatalx("tls_config_set_ca_mem: %s",
+ tls_config_error(config));
}
else if (tls_config_set_ca_file(config, tls_default_ca_cert_file())
== -1)
@@ -216,7 +220,7 @@ smtp_setup_listener_tls(struct listener *l)
if (l->tls == NULL)
fatal("tls_server");
if (tls_configure(l->tls, config) == -1) {
- fatal("tls_configure: %s", tls_error(l->tls));
+ fatalx("tls_configure: %s", tls_error(l->tls));
}
tls_config_free(config);
}
blob - 46ecf7ed33bac4c9705d3ebca1138b426aa0fc39
file + usr.sbin/smtpd/smtpc.c
--- usr.sbin/smtpd/smtpc.c
+++ usr.sbin/smtpd/smtpc.c
@@ -237,7 +237,7 @@ main(int argc, char **argv)
if (cafile == NULL)
cafile = tls_default_ca_cert_file();
if (tls_config_set_ca_file(tls_config, cafile) == -1)
- fatal("tls_set_ca_file");
+ fatalx("tls_set_ca_file: %s", tls_config_error(tls_config));
if (!params.tls_verify) {
tls_config_insecure_noverifycert(tls_config);
tls_config_insecure_noverifyname(tls_config);
@@ -455,7 +455,7 @@ smtp_require_tls(void *tag, struct smtp_client *proto)
fatal("tls_client");
if (tls_configure(tls, tls_config) == -1)
- fatal("tls_configure");
+ fatalx("tls_configure: %s", tls_error(tls));
smtp_set_tls(proto, tls);
}
