Synopsis: Multiple instances of err(), errx(), warn(), and warnx() from
err.h bypass daemon logging infrastructure from log.c
Category: sbin
Description:
The iked daemon uses err(), errx(), warn(), and warnx()
functions in many places throughout the code. When running as a
daemon, these functions write directly to stderr instead of
using the daemon's logging infrastructure, causing important log
messages to be lost. These messages should instead use the
fatal(), fatalx(), log_warn(), and log_warnx() to ensure proper
logging when running in daemon mode.
The affected instances can be found with:
grep -nE '(warn|err)x?\(' $(find . -name '*.[ych]' -a ! \( $(find .
-name '*.y' | sed 's/\(.*\)\.y$/-path \1.c/') \) ) | fgrep -v log_
Fix:
The attached diff makes the following key changes:
1. Removes all err.h includes throughout the codebase
2. Maps existing error functions to their logging equivalents:
- err(1, ...) -> fatal() when errno is relevant
- errx(1, ...) -> fatalx() for unrecoverable errors without
errno
- warn() -> log_warn()
- warnx() -> log_warnx()
3. When converting from err.h functions to logging functions, the error
messages were improved by:
- Adding __func__ to provide call site context
- Adding the grammar rule name to the applicable messages
- Making messages more specific (e.g. "cannot stat" -> "failed
to stat keyfile")
- Adding missing parameters like filenames to error context
4. Splits check_file_secrecy() into two variants:
- check_file_secrecy() - Returns -1 on error, uses log_warn()
- check_file_secrecy_fatal() - Calls fatal() on error
The changes to check_file_secrecy were the most significant as
they required careful consideration of error handling behavior
to preserve the original control flow while ensuring proper
logging.
Please review the error handling flow in check_file_secrecy
particularly carefully.
Index: ca.c
===================================================================
RCS file: /cvs/src/sbin/iked/ca.c,v
diff -u -p -u -r1.102 ca.c
--- ca.c 18 Jun 2024 05:08:41 -0000 1.102
+++ ca.c 3 Jan 2025 16:01:44 -0000
@@ -28,7 +28,6 @@
#include <signal.h>
#include <syslog.h>
#include <errno.h>
-#include <err.h>
#include <event.h>
#include <openssl/bio.h>
Index: config.c
===================================================================
RCS file: /cvs/src/sbin/iked/config.c,v
diff -u -p -u -r1.99 config.c
--- config.c 15 Sep 2024 11:08:50 -0000 1.99
+++ config.c 3 Jan 2025 16:01:44 -0000
@@ -27,7 +27,6 @@
#include <string.h>
#include <signal.h>
#include <errno.h>
-#include <err.h>
#include <event.h>
#include <openssl/evp.h>
Index: eap.c
===================================================================
RCS file: /cvs/src/sbin/iked/eap.c,v
diff -u -p -u -r1.27 eap.c
--- eap.c 13 Jul 2024 12:22:46 -0000 1.27
+++ eap.c 3 Jan 2025 16:01:44 -0000
@@ -30,7 +30,6 @@
#include <signal.h>
#include <endian.h>
#include <errno.h>
-#include <err.h>
#include <event.h>
#include <openssl/sha.h>
Index: iked.c
===================================================================
RCS file: /cvs/src/sbin/iked/iked.c,v
diff -u -p -u -r1.71 iked.c
--- iked.c 13 Jul 2024 12:22:46 -0000 1.71
+++ iked.c 3 Jan 2025 16:01:44 -0000
@@ -30,7 +30,6 @@
#include <signal.h>
#include <syslog.h>
#include <errno.h>
-#include <err.h>
#include <pwd.h>
#include <event.h>
@@ -120,10 +119,10 @@ main(int argc, char *argv[])
break;
case 'p':
if (natt_mode == NATT_DISABLE)
- errx(1, "-T and -p are mutually exclusive");
+ fatalx("options -T and -p are mutually
exclusive");
port = strtonum(optarg, 1, UINT16_MAX, &errstr);
if (errstr != NULL)
- errx(1, "port is %s: %s", errstr, optarg);
+ fatalx("port value is %s: %s", errstr, optarg);
natt_mode = NATT_FORCE;
break;
case 'S':
@@ -134,12 +133,12 @@ main(int argc, char *argv[])
break;
case 'T':
if (natt_mode == NATT_FORCE)
- errx(1, "-T and -t/-p are mutually exclusive");
+ fatalx("options -T and -t/-p are mutually
exclusive");
natt_mode = NATT_DISABLE;
break;
case 't':
if (natt_mode == NATT_DISABLE)
- errx(1, "-T and -t are mutually exclusive");
+ fatalx("options -T and -t are mutually
exclusive");
natt_mode = NATT_FORCE;
break;
case 'v':
@@ -173,17 +172,17 @@ main(int argc, char *argv[])
ps->ps_env = env;
if (strlcpy(env->sc_conffile, conffile, PATH_MAX) >= PATH_MAX)
- errx(1, "config file exceeds PATH_MAX");
+ fatalx("configuration file path length exceeds PATH_MAX of %d",
PATH_MAX);
group_init();
policy_init(env);
/* check for root privileges */
if (geteuid())
- errx(1, "need root privileges");
+ fatalx("need root privileges");
if ((ps->ps_pw = getpwnam(IKED_USER)) == NULL)
- errx(1, "unknown user %s", IKED_USER);
+ fatalx("unknown user %s", IKED_USER);
/* Configure the control socket */
ps->ps_csock.cs_name = sock;
Index: ikev2.c
===================================================================
RCS file: /cvs/src/sbin/iked/ikev2.c,v
diff -u -p -u -r1.388 ikev2.c
--- ikev2.c 15 Sep 2024 11:08:50 -0000 1.388
+++ ikev2.c 3 Jan 2025 16:01:44 -0000
@@ -34,7 +34,6 @@
#include <signal.h>
#include <endian.h>
#include <errno.h>
-#include <err.h>
#include <event.h>
#include <time.h>
Index: ikev2_msg.c
===================================================================
RCS file: /cvs/src/sbin/iked/ikev2_msg.c,v
diff -u -p -u -r1.102 ikev2_msg.c
--- ikev2_msg.c 13 Jul 2024 12:22:46 -0000 1.102
+++ ikev2_msg.c 3 Jan 2025 16:01:44 -0000
@@ -33,7 +33,6 @@
#include <signal.h>
#include <endian.h>
#include <errno.h>
-#include <err.h>
#include <event.h>
#include <openssl/sha.h>
Index: ikev2_pld.c
===================================================================
RCS file: /cvs/src/sbin/iked/ikev2_pld.c,v
diff -u -p -u -r1.136 ikev2_pld.c
--- ikev2_pld.c 13 Jul 2024 12:22:46 -0000 1.136
+++ ikev2_pld.c 3 Jan 2025 16:01:44 -0000
@@ -32,7 +32,6 @@
#include <signal.h>
#include <endian.h>
#include <errno.h>
-#include <err.h>
#include <event.h>
#include <openssl/sha.h>
Index: parse.y
===================================================================
RCS file: /cvs/src/sbin/iked/parse.y,v
diff -u -p -u -r1.147 parse.y
--- parse.y 13 Jul 2024 12:22:46 -0000 1.147
+++ parse.y 3 Jan 2025 16:01:45 -0000
@@ -34,8 +34,6 @@
#include <arpa/inet.h>
#include <ctype.h>
-#include <err.h>
-#include <errno.h>
#include <fcntl.h>
#include <ifaddrs.h>
#include <inttypes.h>
@@ -69,7 +67,6 @@ static struct file {
} *file, *topfile;
struct file *pushfile(const char *, int);
int popfile(void);
-int check_file_secrecy(int, const char *);
+static int check_file_secrecy(int, const char *);
+static int check_file_secrecy_fatal(int, const char *);
int yyparse(void);
int yylex(void);
int yyerror(const char *, ...)
@@ -669,7 +646,7 @@ protoval : STRING {
}
if (($$ = calloc(1, sizeof(*$$))) == NULL)
- err(1, "protoval: calloc");
+ fatalx("%s (protoval): failed to allocate
memory for protocol value", __func__);
$$->type = p->p_proto;
$$->tail = $$;
@@ -681,7 +658,7 @@ protoval : STRING {
YYERROR;
}
if (($$ = calloc(1, sizeof(*$$))) == NULL)
- err(1, "protoval: calloc");
+ fatalx("%s (protoval): failed to allocate
memory for protocol value", __func__);
$$->type = $1;
$$->tail = $$;
@@ -726,7 +703,7 @@ hosts : FROM host port TO host port
{
}
if (($$ = calloc(1, sizeof(*$$))) == NULL)
- err(1, "hosts: calloc");
+ fatalx("%s (hosts): failed to allocate memory
for host structure", __func__);
$$->src = $2;
$$->src->port = $3;
@@ -744,7 +721,7 @@ hosts : FROM host port TO host port
{
}
}
if (($$ = calloc(1, sizeof(*$$))) == NULL)
- err(1, "hosts: calloc");
+ fatalx("%s (hosts): failed to allocate memory
for host structure", __func__);
$$->src = $5;
$$->src->port = $6;
@@ -817,7 +794,7 @@ host_spec : STRING {
char *buf;
if (asprintf(&buf, "%s/%lld", $1, $3) == -1)
- err(1, "host: asprintf");
+ fatalx("%s (host_spec): failed to create host
specification string", __func__);
free($1);
if (($$ = host(buf)) == NULL) {
free(buf);
@@ -870,7 +847,7 @@ id : STRING { $$ = $1; }
transforms : {
if ((ipsec_transforms = calloc(1,
sizeof(struct ipsec_transforms))) == NULL)
- err(1, "transforms: calloc");
+ fatalx("%s (transforms): failed to allocate
memory for transforms structure", __func__);
}
transforms_l {
$$ = ipsec_transforms;
@@ -890,7 +867,7 @@ transform : AUTHXF STRING {
xfs = recallocarray(xfs, nxfs, nxfs + 1,
sizeof(struct ipsec_xf *));
if (xfs == NULL)
- err(1, "transform: recallocarray");
+ fatalx("%s (transform): failed to reallocate
memory for auth transform", __func__);
if ((xfs[nxfs] = parse_xf($2, 0, authxfs)) == NULL) {
yyerror("%s not a valid transform", $2);
YYERROR;
@@ -905,7 +882,7 @@ transform : AUTHXF STRING {
xfs = recallocarray(xfs, nxfs, nxfs + 1,
sizeof(struct ipsec_xf *));
if (xfs == NULL)
- err(1, "transform: recallocarray");
+ fatalx("%s (transform): failed to reallocate
memory for encryption transform", __func__);
if ((xfs[nxfs] = parse_xf($2, 0, encxfs)) == NULL) {
yyerror("%s not a valid transform", $2);
YYERROR;
@@ -920,7 +897,7 @@ transform : AUTHXF STRING {
xfs = recallocarray(xfs, nxfs, nxfs + 1,
sizeof(struct ipsec_xf *));
if (xfs == NULL)
- err(1, "transform: recallocarray");
+ fatalx("%s (transform): failed to reallocate
memory for PRF transform", __func__);
if ((xfs[nxfs] = parse_xf($2, 0, prfxfs)) == NULL) {
yyerror("%s not a valid transform", $2);
YYERROR;
@@ -935,7 +912,7 @@ transform : AUTHXF STRING {
xfs = recallocarray(xfs, nxfs, nxfs + 1,
sizeof(struct ipsec_xf *));
if (xfs == NULL)
- err(1, "transform: recallocarray");
+ fatalx("%s (transform): failed to reallocate
memory for group transform", __func__);
if ((xfs[nxfs] = parse_xf($2, 0, groupxfs)) == NULL) {
yyerror("%s not a valid transform", $2);
YYERROR;
@@ -950,7 +927,7 @@ transform : AUTHXF STRING {
xfs = recallocarray(xfs, nxfs, nxfs + 1,
sizeof(struct ipsec_xf *));
if (xfs == NULL)
- err(1, "transform: recallocarray");
+ fatalx("%s (transform): failed to reallocate
memory for ESN transform", __func__);
if ((xfs[nxfs] = parse_xf($1, 0, esnxfs)) == NULL) {
yyerror("%s not a valid transform", $1);
YYERROR;
@@ -967,7 +944,7 @@ transform_esn : ESN { $$ = "esn"; }
ike_sas : {
if ((ipsec_mode = calloc(1,
sizeof(struct ipsec_mode))) == NULL)
- err(1, "ike_sas: calloc");
+ fatalx("%s (ike_sas): failed to allocate memory
for IKE SA structure", __func__);
}
ike_sas_l {
$$ = ipsec_mode;
@@ -985,7 +962,7 @@ ike_sa : IKESA {
if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs,
ipsec_mode->nxfs, ipsec_mode->nxfs + 1,
sizeof(struct ipsec_transforms *))) == NULL)
- err(1, "ike_sa: recallocarray");
+ fatalx("%s (ike_sa): failed to reallocate
memory for IKE SA transforms", __func__);
ipsec_mode->nxfs++;
encxfs = ikeencxfs;
} transforms {
@@ -996,7 +973,7 @@ ike_sa : IKESA {
child_sas : {
if ((ipsec_mode = calloc(1,
sizeof(struct ipsec_mode))) == NULL)
- err(1, "child_sas: calloc");
+ fatalx("%s (child_sas): failed to allocate
memory for Child SA structure", __func__);
}
child_sas_l {
$$ = ipsec_mode;
@@ -1014,7 +991,7 @@ child_sa : CHILDSA {
if ((ipsec_mode->xfs = recallocarray(ipsec_mode->xfs,
ipsec_mode->nxfs, ipsec_mode->nxfs + 1,
sizeof(struct ipsec_transforms *))) == NULL)
- err(1, "child_sa: recallocarray");
+ fatalx("%s (child_sa): failed to reallocate
memory for Child SA transforms", __func__);
ipsec_mode->nxfs++;
encxfs = ipsecencxfs;
} transforms {
@@ -1212,7 +1189,7 @@ keyspec : STRING {
filters : {
if ((ipsec_filters = calloc(1,
sizeof(struct ipsec_filters))) == NULL)
- err(1, "filters: calloc");
+ fatalx("%s (filters): failed to allocate memory
for filters structure", __func__);
}
filters_l {
$$ = ipsec_filters;
@@ -1263,7 +1240,7 @@ iface : {
string : string STRING
{
if (asprintf(&$$, "%s %s", $1, $2) == -1)
- err(1, "string: asprintf");
+ fatalx("%s (string): failed to concatenate
strings", __func__);
free($1);
free($2);
}
@@ -1480,7 +1457,7 @@ varset : STRING '=' string
}
}
if (symset($1, $3, 0) == -1)
- err(1, "cannot store variable");
+ fatalx("%s (varset): failed to store variable",
__func__);
free($1);
free($3);
}
@@ -1529,7 +1506,7 @@ copy_sockaddrtoipa(struct ipsec_addr_wra
else if (sa->sa_family == AF_INET)
memcpy(&ipa->address, sa, sizeof(struct sockaddr_in));
else
- warnx("unhandled af %d", sa->sa_family);
+ log_warnx("%s: unhandled address family %d", __func__,
sa->sa_family);
}
int
@@ -1732,7 +1709,7 @@ lungetc(int c)
if (file->ungetpos >= file->ungetsize) {
void *p = reallocarray(file->ungetbuf, file->ungetsize, 2);
if (p == NULL)
- err(1, "lungetc");
+ fatalx("%s: failed to reallocate unget buffer",
__func__);
file->ungetbuf = p;
file->ungetsize *= 2;
}
@@ -1842,7 +1819,7 @@ top:
}
yylval.v.string = strdup(buf);
if (yylval.v.string == NULL)
- err(1, "%s", __func__);
+ log_warnx("%s: failed to allocate memory for command
line symbol", __func__);
return (STRING);
}
@@ -1900,7 +1877,7 @@ nodigits:
*p = '\0';
if ((token = lookup(buf)) == STRING)
if ((yylval.v.string = strdup(buf)) == NULL)
- err(1, "%s", __func__);
+ fatalx("%s (file): failed to allocate memory
for file structure", __func__);
return (token);
}
if (c == '\n') {
@@ -1912,37 +1889,44 @@ nodigits:
return (c);
}
-int
-check_file_secrecy(int fd, const char *fname)
-{
- struct stat st;
-
- if (fstat(fd, &st)) {
- warn("cannot stat %s", fname);
- return (-1);
- }
- if (st.st_uid != 0 && st.st_uid != getuid()) {
- warnx("%s: owner not root or current user", fname);
- return (-1);
- }
- if (st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) {
- warnx("%s: group writable or world read/writable", fname);
- return (-1);
- }
- return (0);
+#define CHECK_FILE_SECRECY(logger, ret) { \
+ struct stat st; \
+ if (fstat(fd, &st)) { \
+ logger("%s: cannot stat %s", __func__, fname); \
+ ret (-1); \
+ } \
+ if (st.st_uid != 0 && st.st_uid != getuid()) { \
+ logger##x("%s: %s owner not root or current user", __func__, fname); \
+ ret (-1); \
+ } \
+ if (st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) { \
+ logger##x("%s: %s group writable or world read/writable", __func__,
fname); \
+ ret (-1); \
+ } \
+ ret (0); \
}
+static void ignore(int _){}
+
+static void
+check_file_secrecy_fatal(int fd, const char *fname) CHECK_FILE_SECRECY(fatal,
ignore)
+
+static int
+check_file_secrecy(int fd, const char *fname) CHECK_FILE_SECRECY(log_warn,
return)
+
+#undef CHECK_FILE_SECRECY
+
struct file *
pushfile(const char *name, int secret)
{
struct file *nfile;
if ((nfile = calloc(1, sizeof(struct file))) == NULL) {
- warn("%s", __func__);
+ log_warn("%s: failed to allocate memory for file structure",
__func__);
return (NULL);
}
if ((nfile->name = strdup(name)) == NULL) {
- warn("%s", __func__);
+ log_warn("%s: failed to duplicate filename", __func__);
free(nfile);
return (NULL);
}
@@ -1950,12 +1934,12 @@ pushfile(const char *name, int secret)
nfile->stream = stdin;
free(nfile->name);
if ((nfile->name = strdup("stdin")) == NULL) {
- warn("%s", __func__);
+ log_warn("%s: failed to duplicate stdin filename",
__func__);
free(nfile);
return (NULL);
}
} else if ((nfile->stream = fopen(nfile->name, "r")) == NULL) {
- warn("%s: %s", __func__, nfile->name);
+ log_warn("%s: cannot open file %s", __func__, nfile->name);
free(nfile->name);
free(nfile);
return (NULL);
@@ -1970,7 +1954,7 @@ pushfile(const char *name, int secret)
nfile->ungetsize = 16;
nfile->ungetbuf = malloc(nfile->ungetsize);
if (nfile->ungetbuf == NULL) {
- warn("%s", __func__);
+ log_warn("%s: failed to allocate unget buffer", __func__);
fclose(nfile->stream);
free(nfile->name);
free(nfile);
@@ -2125,7 +2109,7 @@ cmdline_symset(char *s)
sym = strndup(s, val - s);
if (sym == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory for hash key", __func__);
ret = symset(sym, val + 1, 1);
free(sym);
@@ -2186,18 +2170,16 @@ parsekeyfile(char *filename, struct iked
unsigned char *hex;
if ((fd = open(filename, O_RDONLY)) == -1)
- err(1, "open %s", filename);
- if (check_file_secrecy(fd, filename) == -1)
- exit(1);
+ fatal("%s: failed to open keyfile %s", __func__, filename);
+ check_file_secrecy_fatal(fd, filename);
if (fstat(fd, &sb) == -1)
- err(1, "parsekeyfile: stat %s", filename);
+ fatal("%s: failed to stat keyfile %s", __func__, filename);
if ((sb.st_size > KEYSIZE_LIMIT) || (sb.st_size == 0))
- errx(1, "%s: key too %s", filename, sb.st_size ? "large" :
- "small");
+ fatalx("%s: %s: key size too %s", __func__, filename,
sb.st_size ? "large" : "small");
if ((hex = calloc(sb.st_size, sizeof(unsigned char))) == NULL)
- err(1, "parsekeyfile: calloc");
+ fatal("%s: failed to allocate memory for key data", __func__);
if (read(fd, hex, sb.st_size) < sb.st_size)
- err(1, "parsekeyfile: read");
+ fatal("%s: failed to read keyfile", __func__);
close(fd);
ret = parsekey(hex, sb.st_size, auth);
free(hex);
@@ -2233,7 +2215,7 @@ host(const char *s)
const char *errstr;
if ((ps = strdup(s)) == NULL)
- err(1, "%s: strdup", __func__);
+ fatalx("%s: failed to duplicate hostname string", __func__);
if ((p = strchr(ps, '/')) != NULL) {
mask = strtonum(p+1, 0, 128, &errstr);
@@ -2268,11 +2250,11 @@ host_ip(const char *s, int mask)
if (getaddrinfo(s, NULL, &hints, &res))
return (NULL);
if (res->ai_next)
- err(1, "%s: %s expanded to multiple item", __func__, s);
+ fatalx("%s: hostname %s expanded to multiple addresses",
__func__, s);
ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
if (ipa == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory for address wrapper",
__func__);
ipa->af = res->ai_family;
copy_sockaddrtoipa(ipa, res->ai_addr);
ipa->next = NULL;
@@ -2281,16 +2263,16 @@ host_ip(const char *s, int mask)
set_ipmask(ipa, mask);
if (getnameinfo(res->ai_addr, res->ai_addrlen,
hbuf, sizeof(hbuf), NULL, 0, NI_NUMERICHOST)) {
- errx(1, "could not get a numeric hostname");
+ fatalx("%s: failed to convert address to numeric hostname",
__func__);
}
if (mask > -1) {
ipa->netaddress = 1;
if (asprintf(&ipa->name, "%s/%d", hbuf, mask) == -1)
- err(1, "%s", __func__);
+ fatalx("%s: failed to create address string with
netmask", __func__);
} else {
if ((ipa->name = strdup(hbuf)) == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to duplicate hostname", __func__);
}
freeaddrinfo(res);
@@ -2320,15 +2302,15 @@ host_dns(const char *s, int mask)
ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
if (ipa == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory for DNS host
entry", __func__);
copy_sockaddrtoipa(ipa, res->ai_addr);
error = getnameinfo(res->ai_addr, res->ai_addrlen, hbuf,
sizeof(hbuf), NULL, 0, NI_NUMERICHOST);
if (error)
- err(1, "host_dns: getnameinfo");
+ fatal("%s: failed to convert address to hostname",
__func__);
ipa->name = strdup(hbuf);
if (ipa->name == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to duplicate hostname", __func__);
ipa->af = res->ai_family;
ipa->next = NULL;
ipa->tail = ipa;
@@ -2349,8 +2331,7 @@ host_dns(const char *s, int mask)
set_ipmask(ipa, mask == -1 ? 32 : mask);
else
if (mask != -1)
- err(1, "host_dns: cannot apply netmask "
- "on non-IPv4 address");
+ fatalx("%s: cannot apply netmask on non-IPv4
address", __func__);
}
freeaddrinfo(res0);
@@ -2375,7 +2356,7 @@ host_any(void)
ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
if (ipa == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory for ANY address",
__func__);
ipa->af = AF_UNSPEC;
ipa->netaddress = 1;
ipa->tail = ipa;
@@ -2390,7 +2371,7 @@ host_dynamic(void)
ipa = calloc(1, sizeof(struct ipsec_addr_wrap));
if (ipa == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory for DYNAMIC address",
__func__);
ipa->af = AF_UNSPEC;
ipa->tail = ipa;
ipa->type = IPSEC_ADDR_DYNAMIC;
@@ -2406,7 +2387,7 @@ ifa_load(void)
struct sockaddr_in6 *sa_in6;
if (getifaddrs(&ifap) == -1)
- err(1, "ifa_load: getifaddrs");
+ fatal("%s: failed to get interface addresses", __func__);
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
if (ifa->ifa_addr == NULL ||
@@ -2416,10 +2397,10 @@ ifa_load(void)
continue;
n = calloc(1, sizeof(struct ipsec_addr_wrap));
if (n == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory for interface
address", __func__);
n->af = ifa->ifa_addr->sa_family;
if ((n->name = strdup(ifa->ifa_name)) == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to duplicate interface name",
__func__);
if (n->af == AF_INET) {
sa_in = (struct sockaddr_in *)ifa->ifa_addr;
memcpy(&n->address, sa_in, sizeof(*sa_in));
@@ -2457,7 +2438,7 @@ ifa_exists(const char *ifa_name)
/* check wether this is a group */
if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
- err(1, "ifa_exists: socket");
+ fatal("%s: failed to create socket for interface lookup",
__func__);
bzero(&ifgr, sizeof(ifgr));
strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == 0) {
@@ -2485,7 +2466,7 @@ ifa_grouplookup(const char *ifa_name)
struct ipsec_addr_wrap *n, *h = NULL, *hn;
if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
- err(1, "socket");
+ fatal("%s: failed to create socket for interface group lookup",
__func__);
bzero(&ifgr, sizeof(ifgr));
strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) {
@@ -2495,9 +2476,9 @@ ifa_grouplookup(const char *ifa_name)
len = ifgr.ifgr_len;
if ((ifgr.ifgr_groups = calloc(1, len)) == NULL)
- err(1, "%s", __func__);
+ fatal("%s: failed to allocate memory for interface group",
__func__);
if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1)
- err(1, "ioctl");
+ fatal("%s: failed to get interface group members", __func__);
for (ifg = ifgr.ifgr_groups; ifg && len >= sizeof(struct ifg_req);
ifg++) {
@@ -2539,10 +2520,10 @@ ifa_lookup(const char *ifa_name)
continue;
n = calloc(1, sizeof(struct ipsec_addr_wrap));
if (n == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory for flow",
__func__);
memcpy(n, p, sizeof(struct ipsec_addr_wrap));
if ((n->name = strdup(p->name)) == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory for flow",
__func__);
switch (n->af) {
case AF_INET:
set_ipmask(n, 32);
@@ -2595,6 +2576,23 @@ set_ipmask(struct ipsec_addr_wrap *addre
address->mask = b;
}
+static struct ipsec_addr_wrap *
+parse_cfg_option(char *str, struct ipsec_addr_wrap *host, int action)
+{
+ const struct ipsec_xf *xf;
+
+ if ((xf = parse_xf(str, host->af, cpxfs)) == NULL) {
+ yyerror("not a valid ikecfg option");
+ free(str);
+ free(host);
+ return NULL;
+ }
+ free(str);
+ host->type = xf->id;
+ host->action = action;
+ return host;
+}
+
const struct ipsec_xf *
parse_xf(const char *name, unsigned int length, const struct ipsec_xf xfs[])
{
@@ -2678,7 +2676,7 @@ copy_transforms(unsigned int type,
*dst = recallocarray(*dst, *ndst,
*ndst + 1, sizeof(struct iked_transform));
if (*dst == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory for
proposal", __func__);
b = *dst + (*ndst)++;
b->xform_type = type;
@@ -2696,7 +2694,7 @@ copy_transforms(unsigned int type,
*dst = recallocarray(*dst, *ndst,
*ndst + 1, sizeof(struct iked_transform));
if (*dst == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory for transform",
__func__);
b = *dst + (*ndst)++;
memcpy(b, a, sizeof(*b));
}
@@ -2871,7 +2869,7 @@ create_ike(char *name, int af, struct ip
if (ike_sa == NULL || ike_sa->nxfs == 0) {
/* AES-GCM proposal */
if ((p = calloc(1, sizeof(*p))) == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory for proposal",
__func__);
p->prop_id = ikepropid++;
p->prop_protoid = IKEV2_SAPROTO_IKE;
p->prop_nxforms = ikev2_default_nike_transforms_noauth;
@@ -2881,7 +2879,7 @@ create_ike(char *name, int af, struct ip
/* Non GCM proposal */
if ((p = calloc(1, sizeof(*p))) == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory for proposal",
__func__);
p->prop_id = ikepropid++;
p->prop_protoid = IKEV2_SAPROTO_IKE;
p->prop_nxforms = ikev2_default_nike_transforms;
@@ -2924,7 +2922,7 @@ create_ike(char *name, int af, struct ip
if (!auth) {
if ((p = calloc(1, sizeof(*p))) == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory
for proposal", __func__);
xf = NULL;
xfi = 0;
@@ -2953,7 +2951,7 @@ create_ike(char *name, int af, struct ip
}
if (!noauth) {
if ((p = calloc(1, sizeof(*p))) == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory
for proposal", __func__);
xf = NULL;
xfi = 0;
@@ -2990,7 +2988,7 @@ create_ike(char *name, int af, struct ip
if (ipsec_sa == NULL || ipsec_sa->nxfs == 0) {
if ((p = calloc(1, sizeof(*p))) == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory for proposal",
__func__);
p->prop_id = ipsecpropid++;
p->prop_protoid = saproto;
p->prop_nxforms = ikev2_default_nesp_transforms_noauth;
@@ -2999,7 +2997,7 @@ create_ike(char *name, int af, struct ip
pol.pol_nproposals++;
if ((p = calloc(1, sizeof(*p))) == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory for proposal",
__func__);
p->prop_id = ipsecpropid++;
p->prop_protoid = saproto;
p->prop_nxforms = ikev2_default_nesp_transforms;
@@ -3031,7 +3029,7 @@ create_ike(char *name, int af, struct ip
if (!auth) {
if ((p = calloc(1, sizeof(*p))) == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory
for proposal", __func__);
xf = NULL;
xfi = 0;
@@ -3060,7 +3058,7 @@ create_ike(char *name, int af, struct ip
}
if (!noauth) {
if ((p = calloc(1, sizeof(*p))) == NULL)
- err(1, "%s", __func__);
+ fatalx("%s: failed to allocate memory
for proposal", __func__);
xf = NULL;
xfi = 0;
@@ -3251,7 +3249,7 @@ create_flow(struct iked_policy *pol, int
if (RB_INSERT(iked_flows, &pol->pol_flows, flow) == NULL)
pol->pol_nflows++;
else {
- warnx("create_ike: duplicate flow");
+ log_warnx("%s: duplicate flow detected", __func__);
free(flow);
}
Index: pfkey.c
===================================================================
RCS file: /cvs/src/sbin/iked/pfkey.c,v
diff -u -p -u -r1.85 pfkey.c
--- pfkey.c 13 Jul 2024 12:22:46 -0000 1.85
+++ pfkey.c 3 Jan 2025 16:01:45 -0000
@@ -28,7 +28,6 @@
#include <net/if.h>
#include <net/pfkeyv2.h>
-#include <err.h>
#include <errno.h>
#include <stdio.h>
#include <poll.h>
Index: vroute.c
===================================================================
RCS file: /cvs/src/sbin/iked/vroute.c,v
diff -u -p -u -r1.20 vroute.c
--- vroute.c 14 Jul 2024 13:13:33 -0000 1.20
+++ vroute.c 3 Jan 2025 16:01:45 -0000
@@ -25,7 +25,6 @@
#include <netinet6/nd6.h>
#include <event.h>
-#include <err.h>
#include <errno.h>
#include <poll.h>
#include <string.h>
@@ -876,17 +875,17 @@ vroute_process(struct iked *env, int msg
#define rtm m_rtmsg->vm_rtm
if (rtm.rtm_version != RTM_VERSION) {
- warnx("routing message version %u not understood",
+ log_warnx("%s: routing message version %u not understood",
__func__,
rtm.rtm_version);
return (-1);
}
if (rtm.rtm_msglen > msglen) {
- warnx("message length mismatch, in packet %u, returned %d",
+ log_warnx("%s: message length mismatch, in packet %u, returned
%d", __func__,
rtm.rtm_msglen, msglen);
return (-1);
}
if (rtm.rtm_errno) {
- warnx("RTM_GET: %s (errno %d)",
+ log_warnx("%s: RTM_GET: %s (errno %d)", __func__,
strerror(rtm.rtm_errno), rtm.rtm_errno);
return (-1);
}
