When signature_algorithm extension is omitted, use more relevant alerts

Resolves: rhbz#1965017
3 years ago · ecb6630fd3
parent c5d8025ca8
commit ecb6630fd3
2 changed files with 29 additions and 1 deletions
--- a/0020-sigalgs-fix-alerts.patch
+++ b/0020-sigalgs-fix-alerts.patch
@ -0,0 +1,22 @@
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 3579202c22..134c948bcb 100644
+--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
+@@ -3302,7 +3302,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
+                 if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
+                     if (!fatalerrs)
+                         return 1;
+-                    SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
+                              SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
+                     return 0;
+                 }
+@@ -3317,7 +3317,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
+                 if (i == sent_sigslen) {
+                     if (!fatalerrs)
+                         return 1;
+-                    SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
+                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
+                              SSL_R_WRONG_SIGNATURE_TYPE);
+                     return 0;
+                 }
--- a/openssl.spec
+++ b/openssl.spec
@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.0
-Release: 0.beta2.1%{?dist}
+Release: 0.beta2.2%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -54,6 +54,8 @@ Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
 Patch11: 0011-Remove-EC-curves.patch
 # Temporary dual-ABI build patch
 Patch19: 0019-dual-abi.patch
+# Update alerts according to #1965017
+Patch20: 0020-sigalgs-fix-alerts.patch

 License: ASL 2.0
 URL: http://www.openssl.org/
@ -376,6 +378,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs

 %changelog
+* Wed Aug 04 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 3.0.0-0.beta2.2
+- When signature_algorithm extension is omitted, use more relevant alerts
+- Resolves: rhbz#1965017
+
 * Tue Aug 03 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta2.1
 - Rebase to upstream version beta2
 - Related: rhbz#1903209