From 5fcb97c61e6796b20c8ee1b0daab25151bf65bd0 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Fri, 20 Mar 2020 12:00:12 +0000
Subject: [PATCH] Ignore some fetch failures

Some fetch failurs are ok and should be ignored.

Reviewed-by: Tomas Mraz
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/11405)
---
 crypto/evp/pmeth_lib.c           |  6 +++++-
 providers/common/provider_util.c | 11 +++++++++++
 ssl/ssl_lib.c                    | 16 +++++++++++++---
 3 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index ecaaec41c7..da50ebf18a 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -226,8 +226,12 @@ static EVP_PKEY_CTX *int_ctx_new(OPENSSL_CTX *libctx,
      * If there's no engine and there's a name, we try fetching a provider
      * implementation.
      */
-    if (e == NULL && keytype != NULL)
+    if (e == NULL && keytype != NULL) {
+        /* This could fail so ignore errors */
+        ERR_set_mark();
         keymgmt = EVP_KEYMGMT_fetch(libctx, keytype, propquery);
+        ERR_pop_to_mark();
+    }
 
     ret = OPENSSL_zalloc(sizeof(*ret));
     if (ret == NULL) {
diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c
index 504463df19..041d64929d 100644
--- a/providers/common/provider_util.c
+++ b/providers/common/provider_util.c
@@ -9,6 +9,7 @@
 
 #include
 #include
+#include
 #include "prov/provider_util.h"
 
 void ossl_prov_cipher_reset(PROV_CIPHER *pc)
@@ -76,12 +77,17 @@ int ossl_prov_cipher_load_from_params(PROV_CIPHER *pc,
         return 0;
 
     EVP_CIPHER_free(pc->alloc_cipher);
+    ERR_set_mark();
     pc->cipher = pc->alloc_cipher = EVP_CIPHER_fetch(ctx, p->data, propquery);
     /* TODO legacy stuff, to be removed */
 #ifndef FIPS_MODE /* Inside the FIPS module, we don't support legacy ciphers */
     if (pc->cipher == NULL)
         pc->cipher = EVP_get_cipherbyname(p->data);
 #endif
+    if (pc->cipher != NULL)
+        ERR_pop_to_mark();
+    else
+        ERR_clear_last_mark();
     return pc->cipher != NULL;
 }
 
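Review bot: The `ERR_pop_to_mark()` at the end of the new block in int_ctx_new discards the fetch's error record even when `keymgmt` comes back NULL, so if the code after the hunk later fails because neither a provider implementation nor a legacy method is available, the caller receives a NULL context with nothing on the error queue saying which algorithm or property query could not be satisfied. That is acceptable only if a later NULL check raises its own error; int_ctx_new starts and ends outside the hunk, so I cannot confirm that from here and would check it before merging. The added comment states that errors are ignored but not why, which is what the next reader needs; I would replace it with `/* A fetch failure is not fatal by itself: a legacy method may still be selected below, so the fetch's error record is dropped here and any final failure must be reported by the caller-facing check. */`. The provider_util.c hunks in this commit keep the error (`ERR_clear_last_mark()`) when the lookup ultimately fails, but that pattern does not transfer here because the fallback decision is taken after the mark is released, which is worth stating in the comment.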
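Review bot: The placement of the new `if (pc->cipher != NULL)` block after the `#endif` in ossl_prov_cipher_load_from_params is load-bearing and undocumented: the legacy `EVP_get_cipherbyname()` fallback runs inside the marked region, so the fetch error is dropped only when one of the two lookups succeeds and is kept via `ERR_clear_last_mark()` when both fail, which is what lets the caller see why the `return 0` path was taken. A future edit that hoists the pop above the `#ifndef` would silently bring back the spurious errors this commit removes. I would add one line before the `if`: `/* Drop the fetch error only if a cipher was found (possibly via the legacy fallback); otherwise keep it for the caller. */`. The identical block appears in the ossl_prov_digest_load_from_params hunk that follows and needs the same comment; in FIPS_MODE there is no fallback, so a failed fetch always keeps its error, which is the behaviour one wants when the FIPS provider cannot supply an algorithm.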
@@ -131,12 +137,17 @@ int ossl_prov_digest_load_from_params(PROV_DIGEST *pd,
         return 0;
 
     EVP_MD_free(pd->alloc_md);
+    ERR_set_mark();
     pd->md = pd->alloc_md = EVP_MD_fetch(ctx, p->data, propquery);
     /* TODO legacy stuff, to be removed */
 #ifndef FIPS_MODE /* Inside the FIPS module, we don't support legacy digests */
     if (pd->md == NULL)
         pd->md = EVP_get_digestbyname(p->data);
 #endif
+    if (pd->md != NULL)
+        ERR_pop_to_mark();
+    else
+        ERR_clear_last_mark();
     return pd->md != NULL;
 }
 
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a1c3987962..a08ddb138b 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -5848,6 +5848,8 @@ const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx,
                                        int nid,
                                        const char *properties)
 {
+    EVP_CIPHER *ciph;
+
 #ifndef OPENSSL_NO_ENGINE
     ENGINE *eng;
 
@@ -5862,8 +5864,11 @@ const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx,
     }
 #endif
 
-    /* Otherwise we do an explicit fetch */
-    return EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
+    /* Otherwise we do an explicit fetch. This may fail and that could be ok */
+    ERR_set_mark();
+    ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
+    ERR_pop_to_mark();
+    return ciph;
 }
 
@@ -5898,6 +5903,8 @@ const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx,
                                int nid,
                                const char *properties)
 {
+    EVP_MD *md;
+
 #ifndef OPENSSL_NO_ENGINE
     ENGINE *eng;
 
@@ -5913,7 +5920,10 @@ const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx,
 #endif
 
     /* Otherwise we do an explicit fetch */
-    return EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
+    ERR_set_mark();
+    md = EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
+    ERR_pop_to_mark();
+    return md;
 }
 
 int ssl_evp_md_up_ref(const EVP_MD *md)
-- 
2.25.1
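Review bot: ssl_evp_cipher_fetch now returns NULL with an empty error queue, because `ERR_pop_to_mark()` runs regardless of what `EVP_CIPHER_fetch()` returned, and the ssl_evp_md_fetch hunk (`@@ -5913,7 +5920,10 @@`) does the same; every caller that treats that NULL as fatal must therefore raise its own reason, or an unavailable cipher or digest (for instance a provider that is not loaded, or a property query nothing matches) surfaces as a bare failure with no diagnostic, which is painful to debug in deployment. I would check the callers of both functions for that before merging; the engine path at the top of each function returns earlier and is outside the hunk. The comment in the md hunk was left as `/* Otherwise we do an explicit fetch */` while the cipher one was extended; for consistency it should read `/* Otherwise we do an explicit fetch. This may fail and that could be ok */` as well. Both comments would be more useful if they said who is expected to report the failure, e.g. `/* A NULL result is tolerated here; callers decide whether it is an error and must report it themselves. */`.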