upstream: better debug diagnostics when loading keys. Will now list

key fingerprint and algorithm (not just algorithm number) as well as making
it explicit which keys didn't load.

OpenBSD-Commit-ID: ee3e77a0271ab502e653922c6d161b1e091f8fee

diff --git a/ssh.c b/ssh.c
index b2172b810a61c3e51b359f15972cb006869a9e63..b44a943134ee673168ce4ad9b7d655a2aecb212a 100644 (file)
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.613 2025/05/06 05:40:56 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.614 2025/06/19 05:49:05 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -529,16 +529,28 @@ resolve_canonicalize(char **hostp, int port)
 static void
 check_load(int r, struct sshkey **k, const char *path, const char *message)
 {
+       char *fp;
+
        switch (r) {
        case 0:
+               if (k == NULL || *k == NULL)
+                       return;
                /* Check RSA keys size and discard if undersized */
-               if (k != NULL && *k != NULL &&
-                   (r = sshkey_check_rsa_length(*k,
+               if ((r = sshkey_check_rsa_length(*k,
                    options.required_rsa_size)) != 0) {
                        error_r(r, "load %s \"%s\"", message, path);
                        free(*k);
                        *k = NULL;
+                       break;
+               }
+               if ((fp = sshkey_fingerprint(*k,
+                   options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+                       fatal_f("failed to fingerprint %s %s key from %s",
+                           sshkey_type(*k), message, path);
                }
+               debug("loaded %s from %s: %s %s", message, path,
+                   sshkey_type(*k), fp);
+               free(fp);
                break;
        case SSH_ERR_INTERNAL_ERROR:
        case SSH_ERR_ALLOC_FAIL:
@@ -552,6 +564,8 @@ check_load(int r, struct sshkey **k, const char *path, const char *message)
                error_r(r, "load %s \"%s\"", message, path);
                break;
        }
+       if (k != NULL && *k == NULL)
+               debug("no %s loaded from %s", message, path);
 }
 
 /*
@@ -1723,10 +1737,9 @@ main(int ac, char **av)
        if ((o) >= sensitive_data.nkeys) \
                fatal_f("pubkey out of array bounds"); \
        check_load(sshkey_load_public(p, &(sensitive_data.keys[o]), NULL), \
-           &(sensitive_data.keys[o]), p, "pubkey"); \
+           &(sensitive_data.keys[o]), p, "hostbased pubkey"); \
        if (sensitive_data.keys[o] != NULL) { \
-               debug2("hostbased key %d: %s key from \"%s\"", o, \
-                   sshkey_ssh_name(sensitive_data.keys[o]), p); \
+               debug2("hostbased pubkey \"%s\" in slot %d", p, o); \
                loaded++; \
        } \
 } while (0)
@@ -1734,10 +1747,9 @@ main(int ac, char **av)
        if ((o) >= sensitive_data.nkeys) \
                fatal_f("cert out of array bounds"); \
        check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), \
-           &(sensitive_data.keys[o]), p, "cert"); \
+           &(sensitive_data.keys[o]), p, "hostbased cert"); \
        if (sensitive_data.keys[o] != NULL) { \
-               debug2("hostbased key %d: %s cert from \"%s\"", o, \
-                   sshkey_ssh_name(sensitive_data.keys[o]), p); \
+               debug2("hostbased cert \"%s\" in slot %d", p, o); \
                loaded++; \
        } \
 } while (0)
@@ -2442,9 +2454,7 @@ load_public_identity_files(const struct ssh_conn_info *cinfo)
                        continue;
                xasprintf(&cp, "%s-cert", filename);
                check_load(sshkey_load_public(cp, &public, NULL),
-                   &public, filename, "pubkey");
-               debug("identity file %s type %d", cp,
-                   public ? public->type : -1);
+                   &public, filename, "identity pubkey");
                if (public == NULL) {
                        free(cp);
                        continue;
@@ -2473,9 +2483,7 @@ load_public_identity_files(const struct ssh_conn_info *cinfo)
                free(cp);
 
                check_load(sshkey_load_public(filename, &public, NULL),
-                   &public, filename, "certificate");
-               debug("certificate file %s type %d", filename,
-                   public ? public->type : -1);
+                   &public, filename, "identity cert");
                free(options.certificate_files[i]);
                options.certificate_files[i] = NULL;
                if (public == NULL) {