From: dtucker@openbsd.org Date: Fri, 6 Feb 2026 23:31:29 +0000 (+0000) Subject: upstream: Fetch the error reason from libcrypto X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9c4949c11d8da1a5422e2174afb1a4f5b3dc8914;p=thirdparty%2Fopenssh-portable.git upstream: Fetch the error reason from libcrypto if available, append it to the corresponding ssh error message and optionall print the libcrypto full error stack (at debug1). with & ok tb@ djm@ millert@ schwarze@ Note that the quality of errors obtainable from libcrypto is somewhat variable, so these may be any of: useful, misleading, incomplete or missing entirely. As a result we reserve the right to change what is returned or even stop returning it if it does more harm than good. OpenBSD-Commit-ID: 1ad599ac3eeddbe254fec6b9c1cf658fa70d572e --- diff --git a/Makefile.in b/Makefile.in index 7f7d2c5dd..2aac879c1 100644 --- a/Makefile.in +++ b/Makefile.in @@ -107,7 +107,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ kexgexc.o kexgexs.o \ kexsntrup761x25519.o kexmlkem768x25519.o sntrup761.o kexgen.o \ sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ - sshbuf-io.o misc-agent.o + sshbuf-io.o misc-agent.o ssherr-libcrypto.o P11OBJS= ssh-pkcs11-client.o @@ -150,7 +150,7 @@ SSHD_AUTH_OBJS=sshd-auth.o \ sftp-server.o sftp-common.o \ uidswap.o $(P11OBJS) $(SKOBJS) -SFTP_CLIENT_OBJS=sftp-common.o sftp-client.o sftp-glob.o +SFTP_CLIENT_OBJS=sftp-common.o sftp-client.o sftp-glob.o ssherr-nolibcrypto.o SCP_OBJS= scp.o progressmeter.o $(SFTP_CLIENT_OBJS) 
@@ -164,11 +164,11 @@ SSHKEYSIGN_OBJS=ssh-keysign.o readconf.o uidswap.o $(P11OBJS) $(SKOBJS) P11HELPER_OBJS= ssh-pkcs11-helper.o ssh-pkcs11.o $(SKOBJS) -SKHELPER_OBJS= ssh-sk-helper.o ssh-sk.o sk-usbhid.o +SKHELPER_OBJS= ssh-sk-helper.o ssh-sk.o sk-usbhid.o ssherr-nolibcrypto.o SSHKEYSCAN_OBJS=ssh-keyscan.o $(P11OBJS) $(SKOBJS) -SFTPSERVER_OBJS=sftp-common.o sftp-server.o sftp-server-main.o +SFTPSERVER_OBJS=sftp-common.o sftp-server.o sftp-server-main.o ssherr-nolibcrypto.o SFTP_OBJS= sftp.o sftp-usergroup.o progressmeter.o $(SFTP_CLIENT_OBJS) diff --git a/ssherr-libcrypto.c b/ssherr-libcrypto.c new file mode 100644 index 000000000..5b817e54a --- /dev/null +++ b/ssherr-libcrypto.c 
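Review bot: Nothing in the Makefile records why ssherr_libcrypto now has two definitions, ssherr-libcrypto.o in LIBSSH_OBJS and ssherr-nolibcrypto.o added to SKHELPER_OBJS and SFTPSERVER_OBJS here (and to SFTP_CLIENT_OBJS in the earlier hunk). The stub presumably wins only because it is an explicit object while the libcrypto one sits in libssh.a and is pulled in solely when the symbol is still unresolved, which I cannot confirm from the link rules outside these hunks. A one-line comment next to the first use would prevent the next person from "fixing" the apparent duplicate, e.g. `# ssherr-nolibcrypto.o: ssherr_libcrypto() stub for programs that do not link libcrypto; keep it ahead of -lssh`.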
@@ -0,0 +1,59 @@
+/* $OpenBSD: ssherr-libcrypto.c,v 1.1 2026/02/06 23:31:29 dtucker Exp $ */
+/*
+ * Copyright (c) 2026 Darren Tucker
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#include
+
+#include
+#include
+
+#include "log.h"
+
+#ifdef WITH_OPENSSL
+#include
+
+const char *
+ssherr_libcrypto(void)
+{
+ unsigned long e;
+ static char buf[512];
+ char msg[4096];
+ const char *reason = NULL, *file, *data;
+ int ln, fl;
+
+ ERR_load_crypto_strings();
+ while ((e = ERR_get_error_line_data(&file, &ln, &data, &fl)) != 0) {
+ ERR_error_string_n(e, buf, sizeof(buf));
+ snprintf(msg, sizeof(msg), "%s:%s:%d:%s", buf, file, ln,
+ (fl & ERR_TXT_STRING) ? data : "");
+ debug("libcrypto: '%s'", msg);
+ if ((reason = ERR_reason_error_string(e)) != NULL)
+ snprintf(buf, sizeof(buf), "error in libcrypto: %s",
+ reason);
+ }
+ if (reason == NULL)
+ return NULL;
+ return buf;
+}
+#else
+const char *
+ssherr_libcrypto(void)
+{
+ return NULL;
+}
+#endif
diff --git a/ssherr-nolibcrypto.c b/ssherr-nolibcrypto.c
new file mode 100644
index 000000000..039d69d06
--- /dev/null
+++ b/ssherr-nolibcrypto.c
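Review bot: ssherr_libcrypto() is defined here without including ssherr.h (the file includes log.h and the OpenSSL error header only), so the definition is never checked against the prototype this commit adds to ssherr.h; add `#include "ssherr.h"` next to `#include "log.h"`, as ssherr-nolibcrypto.c already does. The while loop pops every queued entry with ERR_get_error_line_data() and keeps only the reason of the last one, so the string returned can describe whatever was queued most recently rather than the operation that produced the SSH error, and the queue is empty afterwards, so a second call for the same failure returns NULL; if the drain is intended it should be stated, e.g. `/* Drains the thread's libcrypto error queue; returns static storage or NULL. */`. Because `reason` is reassigned on every iteration, the function also returns NULL when only the newest entry has no reason string even though an earlier entry did, which `buf` no longer reflects either. ERR_load_crypto_strings() has been a no-op since OpenSSL 1.1.0 and ERR_get_error_line_data() is deprecated in 3.0 in favour of ERR_get_error_all(), so expect deprecation warnings unless OPENSSL_API_COMPAT is pinned; confirm against the oldest libcrypto portable still supports.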
@@ -0,0 +1,26 @@ +/* $OpenBSD: ssherr-nolibcrypto.c,v 1.1 2026/02/06 23:31:29 dtucker Exp $ */ +/* + * Copyright (c) 2026 Darren Tucker + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include "ssherr.h" + +const char * +ssherr_libcrypto(void) +{ + return NULL; +} diff --git a/ssherr.c b/ssherr.c index bd954aadd..d22072de7 100644 --- a/ssherr.c +++ b/ssherr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssherr.c,v 1.10 2020/01/25 23:13:09 djm Exp $ */ +/* $OpenBSD: ssherr.c,v 1.11 2026/02/06 23:31:29 dtucker Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -22,6 +22,8 @@ const char * ssh_err(int n) { + const char *msg = NULL; + switch (n) { case SSH_ERR_SUCCESS: return "success"; @@ -68,7 +70,8 @@ ssh_err(int n) case SSH_ERR_SIGNATURE_INVALID: return "incorrect signature"; case SSH_ERR_LIBCRYPTO_ERROR: - return "error in libcrypto"; /* XXX fetch and return */ + msg = ssherr_libcrypto(); + return msg != NULL ? msg : "error in libcrypto"; case SSH_ERR_UNEXPECTED_TRAILING_DATA: return "unexpected bytes remain after decoding"; case SSH_ERR_SYSTEM_ERROR: diff --git a/ssherr.h b/ssherr.h index 085e75274..3dac27ab0 100644 --- a/ssherr.h +++ b/ssherr.h 
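Review bot: The new SSH_ERR_LIBCRYPTO_ERROR case changes ssh_err()'s contract: its result is no longer always a string literal but may point into the static buffer ssherr_libcrypto() overwrites on every call, and that call consumes libcrypto's error queue, so a second ssh_err(r) for the same r falls back to the plain "error in libcrypto". Callers that render the same error twice (once at debug level, again in a fatal) will see the reason only the first time, and a caller that keeps the pointer across another ssh_err() call will see its text change. A comment on the case would make this visible, e.g. `/* Consumes libcrypto's error queue; may return static storage. */`. If any ssh_err() text reaches the peer rather than only the local log, it now carries libcrypto reason strings that identify the library in use, which is worth confirming before release.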
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssherr.h,v 1.8 2020/01/25 23:13:09 djm Exp $ */ +/* $OpenBSD: ssherr.h,v 1.9 2026/02/06 23:31:29 dtucker Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -85,5 +85,7 @@ /* Translate a numeric error code to a human-readable error string */ const char *ssh_err(int n); +/* Return most recent error from libcrypto. */ +const char *ssherr_libcrypto(void); #endif /* _SSHERR_H */
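Review bot: The comment "Return most recent error from libcrypto." on the new prototype omits the three things a caller needs: the function returns NULL when no reason is available (ssh_err() depends on that, and both the ssherr-nolibcrypto.c stub and the #else branch in ssherr-libcrypto.c always return NULL), the returned pointer refers to static storage that the next call overwrites, and the call empties libcrypto's error queue as a side effect. Suggest replacing it with a short block comment stating: returns a static string describing the most recent libcrypto error, or NULL if none is available; drains the libcrypto error queue; logs the full error stack at debug1 when built with libcrypto support.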