ssl: use BAD_KEY_SHARE for invalid key share encoding

Replace BAD_ECPOINT with BAD_KEY_SHARE in tls_accept_ksgroup so alerts
are correct for non EC groups too.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28876)

diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 0dc418a8cbb4ed61cd987c8808c795aec554ad09..4e89c963ddc134d4824b356ebb5c222cede9d783 100644 (file)
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -2008,7 +2008,7 @@ int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt,
 
         if (tls13_set_encoded_pub_key(skey, PACKET_data(&encoded_pt),
                                       PACKET_remaining(&encoded_pt)) <= 0) {
-            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
+            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
             EVP_PKEY_free(skey);
             return 0;
         }

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 09f653d03d4f3127008390e2a9bb950391169380..c616ee0c9774029acf207ea4ac6482d3d49fdf0c 100644 (file)
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -638,7 +638,7 @@ static int tls_accept_ksgroup(SSL_CONNECTION *s, uint16_t ksgroup, PACKET *encod
     if (tls13_set_encoded_pub_key(s->s3.peer_tmp,
                                   PACKET_data(encoded_pubkey),
                                   PACKET_remaining(encoded_pubkey)) <= 0) {
-        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
+        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
         return 0;
     }
     return 1;