1 # |
|
2 # Add missing error() upon identity_sign() failure, fix typos in ssherr() calls. |
|
3 # |
|
4 # After OpenSSH code was refactored recently, DSA_do_sign() and RSA_sign() |
|
5 # failures no longer result in error messages printed out. This is particularly |
|
6 # inconvenient for FIPS mode, where these calls can fail due to non-compliant |
|
7 # crypto algorithm options. |
|
8 # |
|
9 # Investigating other missing error messages spotted two calls to ssherr() |
|
10 # with wrong error codes. |
|
11 # |
|
12 # Patch has been submitted upstream: |
|
13 # https://bugzilla.mindrot.org/show_bug.cgi?id=2507 |
|
14 # |
|
15 # Update: patch has been accepted upstream, will be part of 7.2: |
|
16 # https://github.com/openssh/openssh-portable/commit/39736be |
|
17 # |
|
18 # On uprev to 7.2+ we will drop this patch. |
|
19 # |
|
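diff -pur old/ssh-agent.c new/ssh-agent.c
--- old/ssh-agent.c
+++ new/ssh-agent.c
@@ -389,7 +389,7 @@ process_sign_request2(SocketEntry *e)
 if (flags & SSH_AGENT_OLD_SIGNATURE)
 compat = SSH_BUG_SIGBLOB;
 if ((r = sshkey_from_blob(blob, blen, &key)) != 0) {
- error("%s: cannot parse key blob: %s", __func__, ssh_err(ok));
+ error("%s: cannot parse key blob: %s", __func__, ssh_err(r));
 goto send;
 }
 if ((id = lookup_identity(key, 2)) == NULL) {
@@ -402,7 +402,7 @@ process_sign_request2(SocketEntry *e)
 }
 if ((r = sshkey_sign(id->key, &signature, &slen,
 data, dlen, compat)) != 0) {
- error("%s: sshkey_sign: %s", __func__, ssh_err(ok));
+ error("%s: sshkey_sign: %s", __func__, ssh_err(r));
 goto send;
 }
 /* Success */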
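diff -pur old/sshconnect2.c new/sshconnect2.c
--- old/sshconnect2.c
+++ new/sshconnect2.c
@@ -1167,6 +1167,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
 ret = identity_sign(id, &signature, &slen,
 buffer_ptr(&b), buffer_len(&b), datafellows);
 if (ret != 0) {
+ error("%s: signing failed: %s", __func__, ssh_err(ret));
 free(blob);
 buffer_free(&b);
 return 0;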
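Review bot: The added `error()` in sign_and_send_pubkey reports the `ssh_err(ret)` text but not which identity failed to sign, so when several keys are offered, a rejection such as the FIPS case in the description cannot be tied to a specific key from the log alone. Consider naming the key in the message, e.g. `error("%s: signing failed for %s: %s", __func__, id->filename, ssh_err(ret));`, assuming `id->filename` is populated on this path; the Identity definition is outside the hunk, so confirm that first. The body of sign_and_send_pubkey starts before and continues after the lines shown here.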