diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch index abb13e0..8308990 100644 --- a/0045-FIPS-services-minimize.patch +++ b/0045-FIPS-services-minimize.patch @@ -717,3 +717,35 @@ diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen if (!ossl_prov_is_running()) return 0; +diff -up openssl-3.0.1/ssl/t1_lib.c.groupnames openssl-3.0.1/ssl/t1_lib.c +--- openssl-3.0.1/ssl/t1_lib.c.groupnames 2022-06-17 09:42:50.866748854 +0200 ++++ openssl-3.0.1/ssl/t1_lib.c 2022-06-17 09:49:07.715973172 +0200 +@@ -345,6 +345,7 @@ static int add_provider_groups(const OSS + * it. + */ + ret = 1; ++ (void)ERR_set_mark(); + keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq); + if (keymgmt != NULL) { + /* +@@ -366,6 +367,7 @@ static int add_provider_groups(const OSS + } + EVP_KEYMGMT_free(keymgmt); + } ++ (void)ERR_pop_to_mark(); + err: + if (ginf != NULL) { + OPENSSL_free(ginf->tlsname); +@@ -725,8 +727,11 @@ static int gid_cb(const char *elem, int + etmp[len] = 0; + + gid = tls1_group_name2id(garg->ctx, etmp); +- if (gid == 0) ++ if (gid == 0) { ++ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, ++ "group '%s' cannot be set", etmp); + return 0; ++ } + for (i = 0; i < garg->gidcnt; i++) + if (garg->gid_arr[i] == gid) + return 0; diff --git a/openssl.spec b/openssl.spec index 6b7b2ef..7a92ccf 100644 --- a/openssl.spec +++ b/openssl.spec @@ -464,6 +464,8 @@ install -m644 %{SOURCE9} \ - FIPS provider should block RSA encryption for key transport. - Other RSA encryption options should still be available if key length is enough - Related: rhbz#2053289 +- Improve diagnostics when passing unsupported groups in TLS +- Related: rhbz#2070197 * Wed Jun 08 2022 Clemens Lang - 1:3.0.1-35 - Add explicit indicators for signatures in FIPS mode and mark signature