Ignore some fetch failures

Some fetch failurs are ok and should be ignored.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11405)

diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index ecaaec41c747952d2a5c1177e22ba160e0719093..da50ebf18adf762fc93a0e632d98f7977c1ff8d7 100644 (file)
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -226,8 +226,12 @@ static EVP_PKEY_CTX *int_ctx_new(OPENSSL_CTX *libctx,
      * If there's no engine and there's a name, we try fetching a provider
      * implementation.
      */
-    if (e == NULL && keytype != NULL)
+    if (e == NULL && keytype != NULL) {
+        /* This could fail so ignore errors */
+        ERR_set_mark();
         keymgmt = EVP_KEYMGMT_fetch(libctx, keytype, propquery);
+        ERR_pop_to_mark();
+    }
 
     ret = OPENSSL_zalloc(sizeof(*ret));
     if (ret == NULL) {

diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c
index 504463df19bcf2d9763fb54dff22e4ee34e59cd5..041d64929d0209e2caa60af9bf95942cac478ac2 100644 (file)
--- a/providers/common/provider_util.c
+++ b/providers/common/provider_util.c
@@ -9,6 +9,7 @@
 
 #include <openssl/evp.h>
 #include <openssl/core_names.h>
+#include <openssl/err.h>
 #include "prov/provider_util.h"
 
 void ossl_prov_cipher_reset(PROV_CIPHER *pc)
@@ -76,12 +77,17 @@ int ossl_prov_cipher_load_from_params(PROV_CIPHER *pc,
         return 0;
 
     EVP_CIPHER_free(pc->alloc_cipher);
+    ERR_set_mark();
     pc->cipher = pc->alloc_cipher = EVP_CIPHER_fetch(ctx, p->data, propquery);
     /* TODO legacy stuff, to be removed */
 #ifndef FIPS_MODE /* Inside the FIPS module, we don't support legacy ciphers */
     if (pc->cipher == NULL)
         pc->cipher = EVP_get_cipherbyname(p->data);
 #endif
+    if (pc->cipher != NULL)
+        ERR_pop_to_mark();
+    else
+        ERR_clear_last_mark();
     return pc->cipher != NULL;
 }
 
@@ -131,12 +137,17 @@ int ossl_prov_digest_load_from_params(PROV_DIGEST *pd,
         return 0;
 
     EVP_MD_free(pd->alloc_md);
+    ERR_set_mark();
     pd->md = pd->alloc_md = EVP_MD_fetch(ctx, p->data, propquery);
     /* TODO legacy stuff, to be removed */
 #ifndef FIPS_MODE /* Inside the FIPS module, we don't support legacy digests */
     if (pd->md == NULL)
         pd->md = EVP_get_digestbyname(p->data);
 #endif
+    if (pd->md != NULL)
+        ERR_pop_to_mark();
+    else
+        ERR_clear_last_mark();
     return pd->md != NULL;
 }
 

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a1c398796248fe51029b484794e538ed89eebd06..a08ddb138bb0ded023c27ac4768a390dfbd9418d 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -5848,6 +5848,8 @@ const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx,
                                        int nid,
                                        const char *properties)
 {
+    EVP_CIPHER *ciph;
+
 #ifndef OPENSSL_NO_ENGINE
     ENGINE *eng;
 
@@ -5862,8 +5864,11 @@ const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx,
     }
 #endif
 
-    /* Otherwise we do an explicit fetch */
-    return EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
+    /* Otherwise we do an explicit fetch. This may fail and that could be ok */
+    ERR_set_mark();
+    ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
+    ERR_pop_to_mark();
+    return ciph;
 }
 
 
@@ -5898,6 +5903,8 @@ const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx,
                                int nid,
                                const char *properties)
 {
+    EVP_MD *md;
+
 #ifndef OPENSSL_NO_ENGINE
     ENGINE *eng;
 
@@ -5913,7 +5920,10 @@ const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx,
 #endif
 
     /* Otherwise we do an explicit fetch */
-    return EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
+    ERR_set_mark();
+    md = EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
+    ERR_pop_to_mark();
+    return md;
 }
 
 int ssl_evp_md_up_ref(const EVP_MD *md)