From 97b8db1af2f71059ecea986e4d12fc6a23699a74 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 9 Dec 2022 13:27:02 +0100
Subject: [PATCH] Make error reason for disallowed legacy sigalg more specific

The internal error reason is confusing and indicating an error in OpenSSL and not a configuration problem.

Fixes #19867

Reviewed-by: Matt Caswell
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/19875)
---
 crypto/err/openssl.txt | 2 ++
 include/openssl/sslerr.h | 1 +
 ssl/ssl_err.c | 2 ++
 ssl/statem/statem_clnt.c | 3 ++-
 ssl/statem/statem_lib.c | 3 ++-
 5 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 06e1eb310e..aae928d99d 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1404,6 +1404,8 @@ SSL_R_INVALID_SESSION_ID:999:invalid session id
 SSL_R_INVALID_SRP_USERNAME:357:invalid srp username
 SSL_R_INVALID_STATUS_RESPONSE:328:invalid status response
 SSL_R_INVALID_TICKET_KEYS_LENGTH:325:invalid ticket keys length
+SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED:333:\
+ legacy sigalg disallowed or unsupported
 SSL_R_LENGTH_MISMATCH:159:length mismatch
 SSL_R_LENGTH_TOO_LONG:404:length too long
 SSL_R_LENGTH_TOO_SHORT:160:length too short
diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h
index 8c5d1be86a..b8809ad28a 100644
--- a/include/openssl/sslerr.h
+++ b/include/openssl/sslerr.h
@@ -153,6 +153,7 @@
 # define SSL_R_INVALID_SRP_USERNAME 357
 # define SSL_R_INVALID_STATUS_RESPONSE 328
 # define SSL_R_INVALID_TICKET_KEYS_LENGTH 325
+# define SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED 333
 # define SSL_R_LENGTH_MISMATCH 159
 # define SSL_R_LENGTH_TOO_LONG 404
 # define SSL_R_LENGTH_TOO_SHORT 160
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 7345a3f5e2..73dedbc5b3 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -230,6 +230,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
 "invalid status response"},
 {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_TICKET_KEYS_LENGTH),
 "invalid ticket keys length"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED),
+ "legacy sigalg disallowed or unsupported"},
 {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_MISMATCH), "length mismatch"},
 {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_TOO_LONG), "length too long"},
 {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_TOO_SHORT), "length too short"},
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 4114131435..a1b7954a66 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2349,7 +2349,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL_CONNECTION *s, PACKET *pkt)
 goto err;
 }
 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+ SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED);
 goto err;
 }
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 155afd5d91..10e6ef9edd 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -442,7 +442,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL_CONNECTION *s, PACKET *pkt)
 goto err;
 }
 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+ SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED);
 goto err;
 }
-- 
2.34.1
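Review bot: Only the local error reason changes in the tls_process_key_exchange hunk (and identically in tls_process_cert_verify in statem_lib.c); the alert sent to the peer is still SSL_AD_INTERNAL_ERROR, so the remote side keeps seeing "internal_error" for what the commit itself describes as a configuration problem. If a failed tls1_set_peer_legacy_sigalg() really means the peer's key type has no acceptable legacy signature algorithm under the local policy, `SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED);` would describe the failure more accurately on the wire and make the two sides' logs agree on the cause; I cannot confirm from the hunk alone whether any other failure mode of that helper is a genuine internal error, so this is worth checking before changing the alert. A one-line comment above the call, such as `/* no legacy sigalg is allowed for the peer key type under the current security level or sigalg config */`, would save the next reader the same trip into tls1_set_peer_legacy_sigalg(). Both enclosing functions start and end outside their hunks.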