rpms/openssh
5
0
Fork 1
Code Issues Pull Requests Releases Activity

Provide details on crypto error instead of "error in libcrypto"

Browse Source 
Resolves: RHEL-52293
This commit is contained in:
Dmitry Belyavskiy 2024-10-21 13:36:43 +02:00
parent 48c1a09ba9
commit 2282e9f646
2 changed files with 69 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
openssh-8.7p1-openssl-log.patch Normal file
View File

@ -0,0 +1,65 @@
diff -up openssh-8.7p1/log.c.xxx openssh-8.7p1/log.c
--- openssh-8.7p1/log.c.xxx 2024-10-18 13:00:56.419560563 +0200
+++ openssh-8.7p1/log.c 2024-10-18 13:22:35.954819016 +0200
@@ -438,6 +438,26 @@ sshlog(const char *file, const char *fun
va_end(args);
}
+#ifdef WITH_OPENSSL
+static int
+openssl_error_print_cb(const char *str, size_t len, void *u)
+{
+ sshlogdirect(SYSLOG_LEVEL_DEBUG1, 0, "openssl error %s", str);
+ return 0;
+}
+#endif
+
+void
+sshlog_openssl(int r)
+{
+#ifdef WITH_OPENSSL
+ if (r != SSH_ERR_LIBCRYPTO_ERROR) return;
+
+ ERR_print_errors_cb(openssl_error_print_cb, NULL);
+#endif
+ return;
+}
+
void
sshlogdie(const char *file, const char *func, int line, int showfunc,
LogLevel level, const char *suffix, const char *fmt, ...)
diff -up openssh-8.7p1/log.h.xxx openssh-8.7p1/log.h
--- openssh-8.7p1/log.h.xxx 2024-10-18 12:56:18.944971946 +0200
+++ openssh-8.7p1/log.h 2024-10-18 13:03:38.324351416 +0200
@@ -71,6 +71,7 @@ void cleanup_exit(int) __attribute__((n
void sshlog(const char *, const char *, int, int,
LogLevel, const char *, const char *, ...)
__attribute__((format(printf, 7, 8)));
+void sshlog_openssl(int);
void sshlogv(const char *, const char *, int, int,
LogLevel, const char *, const char *, va_list);
void sshsigdie(const char *, const char *, int, int,
diff -up openssh-8.7p1/auth2-pubkey.c.yyy openssh-8.7p1/auth2-pubkey.c
--- openssh-8.7p1/auth2-pubkey.c.yyy 2024-10-18 13:27:00.709055845 +0200
+++ openssh-8.7p1/auth2-pubkey.c 2024-10-18 13:27:31.638784460 +0200
@@ -131,6 +131,7 @@ userauth_pubkey(struct ssh *ssh)
goto done;
}
if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
+ sshlog_openssl(r);
error_fr(r, "parse key");
goto done;
}
diff -up openssh-8.7p1/dispatch.c.yyy openssh-8.7p1/dispatch.c
--- openssh-8.7p1/dispatch.c.yyy 2024-10-18 13:27:56.349366570 +0200
+++ openssh-8.7p1/dispatch.c 2024-10-18 13:28:17.921874757 +0200
@@ -130,6 +130,8 @@ ssh_dispatch_run_fatal(struct ssh *ssh,
{
int r;
- if ((r = ssh_dispatch_run(ssh, mode, done)) != 0)
+ if ((r = ssh_dispatch_run(ssh, mode, done)) != 0) {
+ sshlog_openssl(r);
sshpkt_fatal(ssh, r, "%s", __func__);
+ }
}

4
openssh.spec
View File

@ -294,6 +294,7 @@ Patch1019: openssh-9.6p1-CVE-2023-51385.patch
Patch1020: openssh-8.7p1-sigpipe.patch
Patch1021: openssh-9.8p1-upstream-cve-2024-6387.patch
Patch1022: openssh-8.7p1-redhat-help.patch
Patch1023: openssh-8.7p1-openssl-log.patch
License: BSD
Requires: /sbin/nologin
@ -521,6 +522,7 @@ popd
%patch1020 -p1 -b .earlypipe
%patch1021 -p1 -b .cve-2024-6387
%patch1022 -p1 -b .redhat-help
%patch1023 -p1 -b .openssl-log
autoreconf
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -811,6 +813,8 @@ test -f %{sysconfig_anaconda} && \
* Mon Oct 21 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-44
- Add extra help information on ssh early failure
Resolves: RHEL-33809
- Provide details on crypto error instead of "error in libcrypto"
Resolves: RHEL-52293
* Tue Jul 09 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-43
- Possible remote code execution due to a race condition (CVE-2024-6409)