upstream: LogVerbose keyword for ssh and sshd

Allows forcing maximum debug logging by file/function/line pattern-
lists.

ok markus@

OpenBSD-Commit-ID: c294c25732d1b4fe7e345cb3e044df00531a6356

10 files changed, 99 insertions, 17 deletions

diff --git a/auth.c b/auth.c
index 9a5498b6..6e988424 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.147 2020/08/27 01:07:09 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.148 2020/10/16 13:26:13 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -569,11 +569,15 @@ getpwnamallow(struct ssh *ssh, const char *user)
 #endif
 	struct passwd *pw;
 	struct connection_info *ci;
+	u_int i;
 
 	ci = get_connection_info(ssh, 1, options.use_dns);
 	ci->user = user;
 	parse_server_match_config(&options, &includes, ci);
 	log_change_level(options.log_level);
+	log_verbose_reset();
+	for (i = 0; i < options.num_log_verbose; i++)
+		log_verbose_add(options.log_verbose[i]);
 	process_permitopen(ssh, &options);
 
 #if defined(_AIX) && defined(HAVE_SETAUTHDB)
diff --git a/monitor_wrap.c b/monitor_wrap.c
index c18ee181..b425cab1 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.119 2020/10/16 13:24:45 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.120 2020/10/16 13:26:13 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -332,6 +332,9 @@ out:
 
 	copy_set_server_options(&options, newopts, 1);
 	log_change_level(options.log_level);
+	log_verbose_reset();
+	for (i = 0; i < options.num_log_verbose; i++)
+		log_verbose_add(options.log_verbose[i]);
 	process_permitopen(ssh, &options);
 	free(newopts);
 
diff --git a/readconf.c b/readconf.c
index 8655646b..ea13bf99 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.338 2020/10/07 02:18:45 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.339 2020/10/16 13:26:13 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -152,7 +152,7 @@ typedef enum {
 	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
 	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
 	oTCPKeepAlive, oNumberOfPasswordPrompts,
-	oLogFacility, oLogLevel, oCiphers, oMacs,
+	oLogFacility, oLogLevel, oLogVerbose, oCiphers, oMacs,
 	oPubkeyAuthentication,
 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
@@ -263,6 +263,7 @@ static struct {
 	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
 	{ "syslogfacility", oLogFacility },
 	{ "loglevel", oLogLevel },
+	{ "logverbose", oLogVerbose },
 	{ "dynamicforward", oDynamicForward },
 	{ "preferredauthentications", oPreferredAuthentications },
 	{ "hostkeyalgorithms", oHostKeyAlgorithms },
@@ -901,7 +902,7 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
     int linenum, int *activep, int flags, int *want_final_pass, int depth)
 {
 	char *s, **charptr, *endofnumber, *keyword, *arg, *arg2;
-	char **cpptr, fwdarg[256];
+	char **cpptr, ***cppptr, fwdarg[256];
 	u_int i, *uintptr, max_entries = 0;
 	int r, oactive, negated, opcode, *intptr, value, value2, cmdline = 0;
 	int remotefwd, dynamicfwd;
@@ -1349,6 +1350,18 @@ parse_keytypes:
 			*log_facility_ptr = (SyslogFacility) value;
 		break;
 
+	case oLogVerbose:
+		cppptr = &options->log_verbose;
+		uintptr = &options->num_log_verbose;
+		if (*activep && *uintptr == 0) {
+			while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
+				*cppptr = xrecallocarray(*cppptr, *uintptr,
+				    *uintptr + 1, sizeof(**cppptr));
+				(*cppptr)[(*uintptr)++] = xstrdup(arg);
+			}
+		}
+		return 0;
+
 	case oLocalForward:
 	case oRemoteForward:
 	case oDynamicForward:
@@ -2004,6 +2017,8 @@ initialize_options(Options * options)
 	options->num_remote_forwards = 0;
 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
 	options->log_level = SYSLOG_LEVEL_NOT_SET;
+	options->num_log_verbose = 0;
+	options->log_verbose = NULL;
 	options->preferred_authentications = NULL;
 	options->bind_address = NULL;
 	options->bind_interface = NULL;
@@ -2839,6 +2854,8 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
 	dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);
 	dump_cfg_strarray(oSetEnv, o->num_setenv, o->setenv);
+	dump_cfg_strarray_oneline(oLogVerbose,
+	    o->num_log_verbose, o->log_verbose);
 
 	/* Special cases */
 
diff --git a/readconf.h b/readconf.h
index d6a15550..be9154da 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.134 2020/08/11 09:49:57 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.135 2020/10/16 13:26:13 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -55,7 +55,8 @@ typedef struct {
 	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
 	SyslogFacility log_facility;	/* Facility for system logging. */
 	LogLevel log_level;	/* Level for logging. */
-
+	u_int	num_log_verbose;	/* Verbose log overrides */
+	char   **log_verbose;
 	int     port;		/* Port to connect. */
 	int     address_family;
 	int     connection_attempts;	/* Max attempts (seconds) before
diff --git a/servconf.c b/servconf.c
index f08e3747..cd5834df 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.369 2020/08/28 03:15:52 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.370 2020/10/16 13:26:13 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -122,6 +122,8 @@ initialize_server_options(ServerOptions *options)
 	options->tcp_keep_alive = -1;
 	options->log_facility = SYSLOG_FACILITY_NOT_SET;
 	options->log_level = SYSLOG_LEVEL_NOT_SET;
+	options->num_log_verbose = 0;
+	options->log_verbose = NULL;
 	options->hostbased_authentication = -1;
 	options->hostbased_uses_name_from_packet_only = -1;
 	options->hostbased_key_types = NULL;
@@ -504,7 +506,7 @@ typedef enum {
 	sUsePAM,
 	/* Standard Options */
 	sPort, sHostKeyFile, sLoginGraceTime,
-	sPermitRootLogin, sLogFacility, sLogLevel,
+	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
 	sKerberosGetAFSToken, sChallengeResponseAuthentication,
@@ -569,6 +571,7 @@ static struct {
 	{ "permitrootlogin", sPermitRootLogin, SSHCFG_ALL },
 	{ "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
 	{ "loglevel", sLogLevel, SSHCFG_ALL },
+	{ "logverbose", sLogVerbose, SSHCFG_ALL },
 	{ "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
 	{ "rhostsrsaauthentication", sDeprecated, SSHCFG_ALL },
 	{ "hostbasedauthentication", sHostbasedAuthentication, SSHCFG_ALL },
@@ -1717,6 +1720,16 @@ process_server_config_line_depth(ServerOptions *options, char *line,
 			*log_level_ptr = (LogLevel) value;
 		break;
 
+	case sLogVerbose:
+		while ((arg = strdelim(&cp)) && *arg != '\0') {
+			if (!*activep)
+				continue;
+			array_append(filename, linenum, "oLogVerbose",
+			    &options->log_verbose, &options->num_log_verbose,
+			    arg);
+		}
+		break;
+
 	case sAllowTcpForwarding:
 		intptr = &options->allow_tcp_forwarding;
 		multistate_ptr = multistate_tcpfwd;
@@ -2884,6 +2897,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv);
 	dump_cfg_strarray_oneline(sAuthenticationMethods,
 	    o->num_auth_methods, o->auth_methods);
+	dump_cfg_strarray_oneline(sLogVerbose,
+	    o->num_log_verbose, o->log_verbose);
 
 	/* other arguments */
 	for (i = 0; i < o->num_subsystems; i++)
diff --git a/servconf.h b/servconf.h
index 1df8f3db..7005aea9 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.146 2020/08/27 01:07:10 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.147 2020/10/16 13:26:13 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -118,6 +118,8 @@ typedef struct {
 	struct ForwardOptions fwd_opts;	/* forwarding options */
 	SyslogFacility log_facility;	/* Facility for system logging. */
 	LogLevel log_level;	/* Level for system logging. */
+	u_int	num_log_verbose;	/* Verbose log overrides */
+	char	**log_verbose;
 	int     hostbased_authentication;	/* If true, permit ssh2 hostbased auth */
 	int     hostbased_uses_name_from_packet_only; /* experimental */
 	char   *hostbased_key_types;	/* Key types allowed for hostbased */
@@ -280,6 +282,7 @@ TAILQ_HEAD(include_list, include_item);
 		M_CP_STRARRAYOPT(auth_methods, num_auth_methods); \
 		M_CP_STRARRAYOPT(permitted_opens, num_permitted_opens); \
 		M_CP_STRARRAYOPT(permitted_listens, num_permitted_listens); \
+		M_CP_STRARRAYOPT(log_verbose, num_log_verbose); \
 	} while (0)
 
 struct connection_info *get_connection_info(struct ssh *, int, int);
diff --git a/ssh.c b/ssh.c
index 563f4cdf..3d5ca9b0 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.538 2020/10/12 08:36:36 kn Exp $ */
+/* $OpenBSD: ssh.c,v 1.539 2020/10/16 13:26:13 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1355,6 +1355,8 @@ main(int ac, char **av)
 
 	/* reinit */
 	log_init(argv0, options.log_level, options.log_facility, !use_syslog);
+	for (j = 0; j < options.num_log_verbose; j++)
+		log_verbose_add(options.log_verbose[j]);
 
 	if (options.request_tty == REQUEST_TTY_YES ||
 	    options.request_tty == REQUEST_TTY_FORCE)
diff --git a/ssh_config.5 b/ssh_config.5
index 8e427765..c0ebe37a 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.336 2020/10/08 00:31:05 djm Exp $
-.Dd $Mdocdate: October 8 2020 $
+.\" $OpenBSD: ssh_config.5,v 1.337 2020/10/16 13:26:13 djm Exp $
+.Dd $Mdocdate: October 16 2020 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -1183,6 +1183,23 @@ QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
 The default is INFO.
 DEBUG and DEBUG1 are equivalent.
 DEBUG2 and DEBUG3 each specify higher levels of verbose output.
+.It Cm LogVerbose
+Specify one or more overrides to LogLevel.
+An override consists of a pattern lists that matches the source file, function
+and line number to force detailed logging for.
+For example, an override pattern of:
+.Bd -literal -offset indent
+kex.c:*:1000,*:kex_exchange_identification():*,packet.c:*
+.Ed
+.Pp
+would enable detailed logging for line 1000 of
+.Pa kex.c,
+everything in the
+.Fn kex_exchange_identification
+function, and all code in the
+.Pa packet.c
+file.
+This option is intended for debugging and no overrides are enabled by default.
 .It Cm MACs
 Specifies the MAC (message authentication code) algorithms
 in order of preference.
diff --git a/sshd.c b/sshd.c
index 6c990759..a1964410 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.562 2020/10/03 09:22:26 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.563 2020/10/16 13:26:13 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2006,7 +2006,10 @@ main(int ac, char **av)
 	/* Initialize the log (it is reinitialized below in case we forked). */
 	if (debug_flag && (!inetd_flag || rexeced_flag))
 		log_stderr = 1;
-	log_init(__progname, options.log_level, options.log_facility, log_stderr);
+	log_init(__progname, options.log_level,
+	    options.log_facility, log_stderr);
+	for (i = 0; i < options.num_log_verbose; i++)
+		log_verbose_add(options.log_verbose[i]);
 
 	/*
 	 * If not in debugging mode, not started from inetd and not already
diff --git a/sshd_config.5 b/sshd_config.5
index f68369f8..b5d201dc 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.316 2020/10/03 04:15:06 djm Exp $
-.Dd $Mdocdate: October 3 2020 $
+.\" $OpenBSD: sshd_config.5,v 1.317 2020/10/16 13:26:13 djm Exp $
+.Dd $Mdocdate: October 16 2020 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1028,6 +1028,23 @@ The default is INFO.
 DEBUG and DEBUG1 are equivalent.
 DEBUG2 and DEBUG3 each specify higher levels of debugging output.
 Logging with a DEBUG level violates the privacy of users and is not recommended.
+.It Cm LogVerbose
+Specify one or more overrides to LogLevel.
+An override consists of a pattern lists that matches the source file, function
+and line number to force detailed logging for.
+For example, an override pattern of:
+.Bd -literal -offset indent
+kex.c:*:1000,*:kex_exchange_identification():*,packet.c:*
+.Ed
+.Pp
+would enable detailed logging for line 1000 of
+.Pa kex.c,
+everything in the
+.Fn kex_exchange_identification
+function, and all code in the
+.Pa packet.c
+file.
+This option is intended for debugging and no overrides are enabled by default.
 .It Cm MACs
 Specifies the available MAC (message authentication code) algorithms.
 The MAC algorithm is used for data integrity protection.