Make error reason for disallowed legacy sigalg more specific
authorTomas Mraz <tomas@openssl.org>
Fri, 9 Dec 2022 12:27:02 +0000 (13:27 +0100)
committerPauli <pauli@openssl.org>
Mon, 12 Dec 2022 23:10:57 +0000 (10:10 +1100)
The internal error reason is confusing: it indicates an error
in OpenSSL rather than a configuration problem.

Fixes #19867

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19875)

crypto/err/openssl.txt
include/openssl/sslerr.h
ssl/ssl_err.c
ssl/statem/statem_clnt.c
ssl/statem/statem_lib.c

index 06e1eb310ef59b3b03984a778d916c89823616f9..aae928d99dd7d6d05c343238925961f373b9e3c6 100644 (file)
@@ -1404,6 +1404,8 @@ SSL_R_INVALID_SESSION_ID:999:invalid session id
 SSL_R_INVALID_SRP_USERNAME:357:invalid srp username
 SSL_R_INVALID_STATUS_RESPONSE:328:invalid status response
 SSL_R_INVALID_TICKET_KEYS_LENGTH:325:invalid ticket keys length
+SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED:333:\
+       legacy sigalg disallowed or unsupported
 SSL_R_LENGTH_MISMATCH:159:length mismatch
 SSL_R_LENGTH_TOO_LONG:404:length too long
 SSL_R_LENGTH_TOO_SHORT:160:length too short
index 8c5d1be86ab9aa4de9ac7ec67927622627114ce8..b8809ad28abd09fdfd114615dc841a845a82c8e3 100644 (file)
 # define SSL_R_INVALID_SRP_USERNAME                       357
 # define SSL_R_INVALID_STATUS_RESPONSE                    328
 # define SSL_R_INVALID_TICKET_KEYS_LENGTH                 325
+# define SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED    333
 # define SSL_R_LENGTH_MISMATCH                            159
 # define SSL_R_LENGTH_TOO_LONG                            404
 # define SSL_R_LENGTH_TOO_SHORT                           160
index 7345a3f5e2571191ab94b525b9b83422f00d63e5..73dedbc5b3fabe6adb18051219f1accb7bb9e8e7 100644 (file)
@@ -230,6 +230,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
     "invalid status response"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_TICKET_KEYS_LENGTH),
     "invalid ticket keys length"},
+    {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED),
+    "legacy sigalg disallowed or unsupported"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_MISMATCH), "length mismatch"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_TOO_LONG), "length too long"},
     {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_TOO_SHORT), "length too short"},
index 4114131435b614bb3fd408843a6ff44a1f2c0cda..a1b7954a669253232cef07fa53d6758cdcb83efd 100644 (file)
@@ -2349,7 +2349,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL_CONNECTION *s, PACKET *pkt)
                 goto err;
             }
         } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
-            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+                     SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED);
             goto err;
         }
 
index 155afd5d91c702bdb3faedde8fd83885022514b4..10e6ef9edd58b38fad7af89158e8d40716a02f65 100644 (file)
@@ -442,7 +442,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt)
             goto err;
         }
     } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
-            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+                     SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED);
             goto err;
     }
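Review bot: The rewritten SSLfatal() call and its continuation line keep the 12-space indent of the line they replace, while the enclosing `} else if (...) {` and the closing `}` sit at 4 spaces, so the body reads as if it belonged to a deeper block. Since the commit already rewrites these lines, indenting the call and the following `goto err;` one level (8 spaces) would make the block match the file's four-space convention and the corresponding hunk in statem_clnt.c. tls_process_cert_verify() starts and ends outside this hunk.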