Improve diagnostics when passing unsupported groups in TLS

Related: rhbz#2070197
2 years ago · f4e1bded66
parent cbe5a9ff12
commit f4e1bded66
2 changed files with 34 additions and 0 deletions
--- a/0045-FIPS-services-minimize.patch
+++ b/0045-FIPS-services-minimize.patch
@ -717,3 +717,35 @@ diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen
 
     if (!ossl_prov_is_running())
         return 0;
+diff -up openssl-3.0.1/ssl/t1_lib.c.groupnames openssl-3.0.1/ssl/t1_lib.c
+--- openssl-3.0.1/ssl/t1_lib.c.groupnames	2022-06-17 09:42:50.866748854 +0200
+++ openssl-3.0.1/ssl/t1_lib.c	2022-06-17 09:49:07.715973172 +0200
+@@ -345,6 +345,7 @@ static int add_provider_groups(const OSS
+      * it.
+      */
+     ret = 1;
+    (void)ERR_set_mark();
+     keymgmt = EVP_KEYMGMT_fetch(ctx->libctx, ginf->algorithm, ctx->propq);
+     if (keymgmt != NULL) {
+         /*
+@@ -366,6 +367,7 @@ static int add_provider_groups(const OSS
+         }
+         EVP_KEYMGMT_free(keymgmt);
+     }
+    (void)ERR_pop_to_mark();
+  err:
+     if (ginf != NULL) {
+         OPENSSL_free(ginf->tlsname);
+@@ -725,8 +727,11 @@ static int gid_cb(const char *elem, int
+     etmp[len] = 0;
+ 
+     gid = tls1_group_name2id(garg->ctx, etmp);
+-    if (gid == 0)
+    if (gid == 0) {
+        ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT,
+                       "group '%s' cannot be set", etmp);
+         return 0;
+    }
+     for (i = 0; i < garg->gidcnt; i++)
+         if (garg->gid_arr[i] == gid)
+             return 0;
--- a/openssl.spec
+++ b/openssl.spec
@ -464,6 +464,8 @@ install -m644 %{SOURCE9} \
 - FIPS provider should block RSA encryption for key transport.
 - Other RSA encryption options should still be available if key length is enough
 - Related: rhbz#2053289
+- Improve diagnostics when passing unsupported groups in TLS
+- Related: rhbz#2070197

 * Wed Jun 08 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-35
 - Add explicit indicators for signatures in FIPS mode and mark signature