From ecb6630fd3dd1a4a22d0f0dcc1c5fbf0c8d3a8cd Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Wed, 4 Aug 2021 15:55:01 +0200
Subject: [PATCH] When signature_algorithm extension is omitted, use more relevant alerts
Resolves: rhbz#1965017
---
 0020-sigalgs-fix-alerts.patch | 22 ++++++++++++++++++++++
 openssl.spec | 8 +++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 0020-sigalgs-fix-alerts.patch
diff --git a/0020-sigalgs-fix-alerts.patch b/0020-sigalgs-fix-alerts.patch
new file mode 100644
index 0000000..b1d571a
--- /dev/null
+++ b/0020-sigalgs-fix-alerts.patch
@@ -0,0 +1,22 @@
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 3579202c22..134c948bcb 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -3302,7 +3302,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
+ if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
+ if (!fatalerrs)
+ return 1;
+- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
+ return 0;
+ }
+@@ -3317,7 +3317,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
+ if (i == sent_sigslen) {
+ if (!fatalerrs)
+ return 1;
+- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
+ SSL_R_WRONG_SIGNATURE_TYPE);
+ return 0;
+ }
diff --git a/openssl.spec b/openssl.spec
index 2f2642a..5bb6f7d 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -15,7 +15,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.0
-Release: 0.beta2.1%{?dist}
+Release: 0.beta2.2%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
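Review bot: In 0020-sigalgs-fix-alerts.patch both failure branches of `tls_choose_sigalg()` (the `tls1_get_legacy_sigalg(s, -1) == NULL` case and the `i == sent_sigslen` case) now send `SSL_AD_HANDSHAKE_FAILURE`, yet the patched code carries no comment saying why, and the embedded patch has no description or upstream reference of its own. Alert values are visible to the peer and are what interoperability tests assert on, so a rebase that silently restores the old values would be hard to notice; I would add above each call something like `/* rhbz#1965017: peer omitted signature_algorithms; failing to pick a sigalg is a negotiation failure */`. The second branch looks like a mismatch against the list this side sent rather than a missing extension, so please confirm that the commit title covers it as well. Both hunks cut through the function, so the loop that sets `i` and the rest of the body are outside what is shown.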
@@ -54,6 +54,8 @@ Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
 Patch11: 0011-Remove-EC-curves.patch
 # Temporary dual-ABI build patch
 Patch19: 0019-dual-abi.patch
+# Update alerts according to #1965017
+Patch20: 0020-sigalgs-fix-alerts.patch
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -376,6 +378,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 %changelog
+* Wed Aug 04 2021 Dmitry Belyavskiy - 3.0.0-0.beta2.2
+- When signature_algorithm extension is omitted, use more relevant alerts
+- Resolves: rhbz#1965017
+
 * Tue Aug 03 2021 Sahana Prasad 3.0.0-0.beta2.1
 - Rebase to upstream version beta2
 - Related: rhbz#1903209