From 2282e9f646be9bc088d52e8c9020a2f8e87fdb71 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 21 Oct 2024 13:36:43 +0200 Subject: [PATCH] Provide details on crypto error instead of "error in libcrypto" Resolves: RHEL-52293 --- openssh-8.7p1-openssl-log.patch | 65 +++++++++++++++++++++++++++++++++ openssh.spec | 4 ++ 2 files changed, 69 insertions(+) create mode 100644 openssh-8.7p1-openssl-log.patch diff --git a/openssh-8.7p1-openssl-log.patch b/openssh-8.7p1-openssl-log.patch new file mode 100644 index 0000000..9c9a3f5 --- /dev/null +++ b/openssh-8.7p1-openssl-log.patch @@ -0,0 +1,65 @@ +diff -up openssh-8.7p1/log.c.xxx openssh-8.7p1/log.c +--- openssh-8.7p1/log.c.xxx 2024-10-18 13:00:56.419560563 +0200 ++++ openssh-8.7p1/log.c 2024-10-18 13:22:35.954819016 +0200 +@@ -438,6 +438,26 @@ sshlog(const char *file, const char *fun + va_end(args); + } + ++#ifdef WITH_OPENSSL ++static int ++openssl_error_print_cb(const char *str, size_t len, void *u) ++{ ++ sshlogdirect(SYSLOG_LEVEL_DEBUG1, 0, "openssl error %s", str); ++ return 0; ++} ++#endif ++ ++void ++sshlog_openssl(int r) ++{ ++#ifdef WITH_OPENSSL ++ if (r != SSH_ERR_LIBCRYPTO_ERROR) return; ++ ++ ERR_print_errors_cb(openssl_error_print_cb, NULL); ++#endif ++ return; ++} ++ + void + sshlogdie(const char *file, const char *func, int line, int showfunc, + LogLevel level, const char *suffix, const char *fmt, ...) +diff -up openssh-8.7p1/log.h.xxx openssh-8.7p1/log.h +--- openssh-8.7p1/log.h.xxx 2024-10-18 12:56:18.944971946 +0200 ++++ openssh-8.7p1/log.h 2024-10-18 13:03:38.324351416 +0200 +@@ -71,6 +71,7 @@ void cleanup_exit(int) __attribute__((n + void sshlog(const char *, const char *, int, int, + LogLevel, const char *, const char *, ...) + __attribute__((format(printf, 7, 8))); ++void sshlog_openssl(int); + void sshlogv(const char *, const char *, int, int, + LogLevel, const char *, const char *, va_list); + void sshsigdie(const char *, const char *, int, int, +diff -up openssh-8.7p1/auth2-pubkey.c.yyy openssh-8.7p1/auth2-pubkey.c +--- openssh-8.7p1/auth2-pubkey.c.yyy 2024-10-18 13:27:00.709055845 +0200 ++++ openssh-8.7p1/auth2-pubkey.c 2024-10-18 13:27:31.638784460 +0200 +@@ -131,6 +131,7 @@ userauth_pubkey(struct ssh *ssh) + goto done; + } + if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) { ++ sshlog_openssl(r); + error_fr(r, "parse key"); + goto done; + } +diff -up openssh-8.7p1/dispatch.c.yyy openssh-8.7p1/dispatch.c +--- openssh-8.7p1/dispatch.c.yyy 2024-10-18 13:27:56.349366570 +0200 ++++ openssh-8.7p1/dispatch.c 2024-10-18 13:28:17.921874757 +0200 +@@ -130,6 +130,8 @@ ssh_dispatch_run_fatal(struct ssh *ssh, + { + int r; + +- if ((r = ssh_dispatch_run(ssh, mode, done)) != 0) ++ if ((r = ssh_dispatch_run(ssh, mode, done)) != 0) { ++ sshlog_openssl(r); + sshpkt_fatal(ssh, r, "%s", __func__); ++ } + } diff --git a/openssh.spec b/openssh.spec index 731fc5d..0b4918e 100644 --- a/openssh.spec +++ b/openssh.spec @@ -294,6 +294,7 @@ Patch1019: openssh-9.6p1-CVE-2023-51385.patch Patch1020: openssh-8.7p1-sigpipe.patch Patch1021: openssh-9.8p1-upstream-cve-2024-6387.patch Patch1022: openssh-8.7p1-redhat-help.patch +Patch1023: openssh-8.7p1-openssl-log.patch License: BSD Requires: /sbin/nologin @@ -521,6 +522,7 @@ popd %patch1020 -p1 -b .earlypipe %patch1021 -p1 -b .cve-2024-6387 %patch1022 -p1 -b .redhat-help +%patch1023 -p1 -b .openssl-log autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -811,6 +813,8 @@ test -f %{sysconfig_anaconda} && \ * Mon Oct 21 2024 Dmitry Belyavskiy - 8.7p1-44 - Add extra help information on ssh early failure Resolves: RHEL-33809 +- Provide details on crypto error instead of "error in libcrypto" + Resolves: RHEL-52293 * Tue Jul 09 2024 Dmitry Belyavskiy - 8.7p1-43 - Possible remote code execution due to a race condition (CVE-2024-6409)