[openssh-commits] [openssh] 03/04: upstream: Fetch the error reason from libcrypto
git+noreply at mindrot.org
git+noreply at mindrot.org
Sat Feb 7 11:14:41 AEDT 2026
This is an automated email from the git hooks/post-receive script.
dtucker pushed a commit to branch master
in repository openssh.
commit 9c4949c11d8da1a5422e2174afb1a4f5b3dc8914
Author: dtucker at openbsd.org <dtucker at openbsd.org>
AuthorDate: Fri Feb 6 23:31:29 2026 +0000
upstream: Fetch the error reason from libcrypto
if available, append it to the corresponding ssh error message and
optionally print the libcrypto full error stack (at debug1). with &
ok tb@ djm@ millert@ schwarze@
Note that the quality of errors obtainable from libcrypto is somewhat
variable, so these may be any of: useful, misleading, incomplete
or missing entirely. As a result we reserve the right to change
what is returned or even stop returning it if it does more harm than
good.
OpenBSD-Commit-ID: 1ad599ac3eeddbe254fec6b9c1cf658fa70d572e
---
Makefile.in | 8 +++----
ssherr-libcrypto.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++
ssherr-nolibcrypto.c | 26 +++++++++++++++++++++++
ssherr.c | 7 +++++--
ssherr.h | 4 +++-
5 files changed, 97 insertions(+), 7 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index 7f7d2c5dd..2aac879c1 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -107,7 +107,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kexgexc.o kexgexs.o \
kexsntrup761x25519.o kexmlkem768x25519.o sntrup761.o kexgen.o \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
- sshbuf-io.o misc-agent.o
+ sshbuf-io.o misc-agent.o ssherr-libcrypto.o
P11OBJS= ssh-pkcs11-client.o
@@ -150,7 +150,7 @@ SSHD_AUTH_OBJS=sshd-auth.o \
sftp-server.o sftp-common.o \
uidswap.o $(P11OBJS) $(SKOBJS)
-SFTP_CLIENT_OBJS=sftp-common.o sftp-client.o sftp-glob.o
+SFTP_CLIENT_OBJS=sftp-common.o sftp-client.o sftp-glob.o ssherr-nolibcrypto.o
SCP_OBJS= scp.o progressmeter.o $(SFTP_CLIENT_OBJS)
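Review bot: Nothing in the Makefile says why `ssherr-nolibcrypto.o` is listed for SFTP_CLIENT_OBJS here (and for SKHELPER_OBJS and SFTPSERVER_OBJS in the following hunk) while LIBSSH_OBJS gains `ssherr-libcrypto.o`, even though both objects define `ssherr_libcrypto`. If these programs also link libssh.a, which the hunks do not show, the build relies on the explicitly listed object satisfying the symbol before the archive member is considered. A short comment such as `# programs built without libcrypto: stub must be listed so ssherr-libcrypto.o is not pulled from libssh.a` would keep a later link-line edit from silently changing which definition is used.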
@@ -164,11 +164,11 @@ SSHKEYSIGN_OBJS=ssh-keysign.o readconf.o uidswap.o $(P11OBJS) $(SKOBJS)
P11HELPER_OBJS= ssh-pkcs11-helper.o ssh-pkcs11.o $(SKOBJS)
-SKHELPER_OBJS= ssh-sk-helper.o ssh-sk.o sk-usbhid.o
+SKHELPER_OBJS= ssh-sk-helper.o ssh-sk.o sk-usbhid.o ssherr-nolibcrypto.o
SSHKEYSCAN_OBJS=ssh-keyscan.o $(P11OBJS) $(SKOBJS)
-SFTPSERVER_OBJS=sftp-common.o sftp-server.o sftp-server-main.o
+SFTPSERVER_OBJS=sftp-common.o sftp-server.o sftp-server-main.o ssherr-nolibcrypto.o
SFTP_OBJS= sftp.o sftp-usergroup.o progressmeter.o $(SFTP_CLIENT_OBJS)
diff --git a/ssherr-libcrypto.c b/ssherr-libcrypto.c
new file mode 100644
index 000000000..5b817e54a
--- /dev/null
+++ b/ssherr-libcrypto.c
@@ -0,0 +1,59 @@
+/* $OpenBSD: ssherr-libcrypto.c,v 1.1 2026/02/06 23:31:29 dtucker Exp $ */
+/*
+ * Copyright (c) 2026 Darren Tucker
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+
+#include <errno.h>
+#include <string.h>
+
+#include "log.h"
+
+#ifdef WITH_OPENSSL
+#include <openssl/err.h>
+
+const char *
+ssherr_libcrypto(void)
+{
+ unsigned long e;
+ static char buf[512];
+ char msg[4096];
+ const char *reason = NULL, *file, *data;
+ int ln, fl;
+
+ ERR_load_crypto_strings();
+ while ((e = ERR_get_error_line_data(&file, &ln, &data, &fl)) != 0) {
+ ERR_error_string_n(e, buf, sizeof(buf));
+ snprintf(msg, sizeof(msg), "%s:%s:%d:%s", buf, file, ln,
+ (fl & ERR_TXT_STRING) ? data : "");
+ debug("libcrypto: '%s'", msg);
+ if ((reason = ERR_reason_error_string(e)) != NULL)
+ snprintf(buf, sizeof(buf), "error in libcrypto: %s",
+ reason);
+ }
+ if (reason == NULL)
+ return NULL;
+ return buf;
+}
+#else
+const char *
+ssherr_libcrypto(void)
+{
+ return NULL;
+}
+#endif
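Review bot: `reason` is reassigned on every loop iteration, so when the last queue entry has no reason string the function returns NULL and drops a reason already found for an earlier entry. `buf` also serves as both the ERR_error_string_n() scratch space and the static return buffer, which makes the returned text depend on which of the two writes happened last. I would use a separate local scratch buffer, remember the last non-NULL reason, and format the static buffer once after the loop, assuming the intent is to report the newest entry that has a reason. The file also defines `ssherr_libcrypto` without including `ssherr.h` (ssherr-nolibcrypto.c does include it), so the definition is not checked against the prototype; adding `#include "ssherr.h"` fixes that.
```c
	static char buf[512];
	char errstr[256], msg[4096];
	const char *r, *reason = NULL, *file, *data;
	/* … unchanged: ln, fl, ERR_load_crypto_strings() … */
	while ((e = ERR_get_error_line_data(&file, &ln, &data, &fl)) != 0) {
		ERR_error_string_n(e, errstr, sizeof(errstr));
		snprintf(msg, sizeof(msg), "%s:%s:%d:%s", errstr, file, ln,
		    (fl & ERR_TXT_STRING) ? data : "");
		/* … unchanged: debug() of msg … */
		if ((r = ERR_reason_error_string(e)) != NULL)
			reason = r;
	}
	if (reason == NULL)
		return NULL;
	snprintf(buf, sizeof(buf), "error in libcrypto: %s", reason);
	return buf;
```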
diff --git a/ssherr-nolibcrypto.c b/ssherr-nolibcrypto.c
new file mode 100644
index 000000000..039d69d06
--- /dev/null
+++ b/ssherr-nolibcrypto.c
@@ -0,0 +1,26 @@
+/* $OpenBSD: ssherr-nolibcrypto.c,v 1.1 2026/02/06 23:31:29 dtucker Exp $ */
+/*
+ * Copyright (c) 2026 Darren Tucker
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stddef.h>
+
+#include "ssherr.h"
+
+const char *
+ssherr_libcrypto(void)
+{
+ return NULL;
+}
diff --git a/ssherr.c b/ssherr.c
index bd954aadd..d22072de7 100644
--- a/ssherr.c
+++ b/ssherr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssherr.c,v 1.10 2020/01/25 23:13:09 djm Exp $ */
+/* $OpenBSD: ssherr.c,v 1.11 2026/02/06 23:31:29 dtucker Exp $ */
/*
* Copyright (c) 2011 Damien Miller
*
@@ -22,6 +22,8 @@
const char *
ssh_err(int n)
{
+ const char *msg = NULL;
+
switch (n) {
case SSH_ERR_SUCCESS:
return "success";
@@ -68,7 +70,8 @@ ssh_err(int n)
case SSH_ERR_SIGNATURE_INVALID:
return "incorrect signature";
case SSH_ERR_LIBCRYPTO_ERROR:
- return "error in libcrypto"; /* XXX fetch and return */
+ msg = ssherr_libcrypto();
+ return msg != NULL ? msg : "error in libcrypto";
case SSH_ERR_UNEXPECTED_TRAILING_DATA:
return "unexpected bytes remain after decoding";
case SSH_ERR_SYSTEM_ERROR:
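Review bot: With the new SSH_ERR_LIBCRYPTO_ERROR case ssh_err() stops being a pure lookup, because ssherr_libcrypto() pops the whole libcrypto error queue. A second ssh_err(SSH_ERR_LIBCRYPTO_ERROR) for the same failure therefore falls back to the generic string, and the text reflects whatever is queued when ssh_err() is called rather than when the failure happened. Callers that format the same code twice, or that make further libcrypto calls before logging, may see a different or unrelated reason. I would state this at the case, e.g. `/* consumes the libcrypto error queue; call once, right after the failure */`. The body of ssh_err() continues outside the hunk.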
diff --git a/ssherr.h b/ssherr.h
index 085e75274..3dac27ab0 100644
--- a/ssherr.h
+++ b/ssherr.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssherr.h,v 1.8 2020/01/25 23:13:09 djm Exp $ */
+/* $OpenBSD: ssherr.h,v 1.9 2026/02/06 23:31:29 dtucker Exp $ */
/*
* Copyright (c) 2011 Damien Miller
*
@@ -85,5 +85,7 @@
/* Translate a numeric error code to a human-readable error string */
const char *ssh_err(int n);
+/* Return most recent error from libcrypto. */
+const char *ssherr_libcrypto(void);
#endif /* _SSHERR_H */
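Review bot: The comment on the new prototype leaves out the return contract that callers need. ssherr_libcrypto() returns NULL when no reason is available (always, in ssherr-nolibcrypto.c), and otherwise a pointer into a static buffer that the next call overwrites. Suggested wording: `/* Return the reason for the most recent libcrypto error, or NULL if none; the result points to static storage overwritten by the next call. */`.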
--