From f4e1bded66b6eadd8ca0feb47ce188387aa976ce Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Fri, 17 Jun 2022 10:30:01 +0200
Subject: [PATCH] Improve diagnostics when passing unsupported groups in TLS

Related: rhbz#2070197
---
 0045-FIPS-services-minimize.patch | 32 +++++++++++++++++++++++++++++++
 openssl.spec                      |  2 ++
 2 files changed, 34 insertions(+)

diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch
index abb13e0..8308990 100644
--- a/0045-FIPS-services-minimize.patch
+++ b/0045-FIPS-services-minimize.patch
@@ -717,3 +717,35 @@ diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen
  
      if (!ossl_prov_is_running())
          return 0;
+diff -up openssl-3.0.1/ssl/t1_lib.c.groupnames openssl-3.0.1/ssl/t1_lib.c
+--- openssl-3.0.1/ssl/t1_lib.c.groupnames	2022-06-17 09:42:50.866748854 +0200
++++ openssl-3.0.1/ssl/t1_lib.c	2022-06-17 09:49:07.715973172 +0200
+@@ -345,6 +345,7 @@ static int add_provider_groups(const OSS
+      * it.
+      */
+     ret = 1;
++    (void)ERR_set_mark();
+     keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq);
+     if (keymgmt != NULL) {
+         /*
+@@ -366,6 +367,7 @@ static int add_provider_groups(const OSS
+         }
+         EVP_KEYMGMT_free(keymgmt);
+     }
++    (void)ERR_pop_to_mark();
+  err:
+     if (ginf != NULL) {
+         OPENSSL_free(ginf->tlsname);
+@@ -725,8 +727,11 @@ static int gid_cb(const char *elem, int
+     etmp[len] = 0;
+ 
+     gid = tls1_group_name2id(garg->ctx, etmp);
+-    if (gid == 0)
++    if (gid == 0) {
++        ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
++                       "group '%s' cannot be set", etmp);
+         return 0;
++    }
+     for (i = 0; i < garg->gidcnt; i++)
+         if (garg->gid_arr[i] == gid)
+             return 0;
diff --git a/openssl.spec b/openssl.spec
index 6b7b2ef..7a92ccf 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -464,6 +464,8 @@ install -m644 %{SOURCE9} \
 - FIPS provider should block RSA encryption for key transport.
 - Other RSA encryption options should still be available if key length is enough
 - Related: rhbz#2053289
+- Improve diagnostics when passing unsupported groups in TLS
+- Related: rhbz#2070197
 
 * Wed Jun 08 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-35
 - Add explicit indicators for signatures in FIPS mode and mark signature