Ignore some fetch failures

Some fetch failurs are ok and should be ignored. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11405)
2025-03-31 20:10:45 +08:00 · 2020-03-20 12:00:12 +00:00 · 2020-03-20 12:00:12 +00:00 · 5fcb97c61e
commit 5fcb97c61e
parent 6b1e5fa487
3 changed files with 29 additions and 4 deletions
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@ -226,8 +226,12 @@ static EVP_PKEY_CTX *int_ctx_new(OPENSSL_CTX *libctx,
     * If there's no engine and there's a name, we try fetching a provider
     * implementation.
     */
-    if (e == NULL && keytype != NULL)
+    if (e == NULL && keytype != NULL) {
+        /* This could fail so ignore errors */
+        ERR_set_mark();
        keymgmt = EVP_KEYMGMT_fetch(libctx, keytype, propquery);
+        ERR_pop_to_mark();
+    }

    ret = OPENSSL_zalloc(sizeof(*ret));
    if (ret == NULL) {
--- a/providers/common/provider_util.c
+++ b/providers/common/provider_util.c
@ -9,6 +9,7 @@

 #include <openssl/evp.h>
 #include <openssl/core_names.h>
+#include <openssl/err.h>
 #include "prov/provider_util.h"

 void ossl_prov_cipher_reset(PROV_CIPHER *pc)
@ -76,12 +77,17 @@ int ossl_prov_cipher_load_from_params(PROV_CIPHER *pc,
        return 0;

    EVP_CIPHER_free(pc->alloc_cipher);
+    ERR_set_mark();
    pc->cipher = pc->alloc_cipher = EVP_CIPHER_fetch(ctx, p->data, propquery);
    /* TODO legacy stuff, to be removed */
 #ifndef FIPS_MODE /* Inside the FIPS module, we don't support legacy ciphers */
    if (pc->cipher == NULL)
        pc->cipher = EVP_get_cipherbyname(p->data);
 #endif
+    if (pc->cipher != NULL)
+        ERR_pop_to_mark();
+    else
+        ERR_clear_last_mark();
    return pc->cipher != NULL;
 }

@ -131,12 +137,17 @@ int ossl_prov_digest_load_from_params(PROV_DIGEST *pd,
        return 0;

    EVP_MD_free(pd->alloc_md);
+    ERR_set_mark();
    pd->md = pd->alloc_md = EVP_MD_fetch(ctx, p->data, propquery);
    /* TODO legacy stuff, to be removed */
 #ifndef FIPS_MODE /* Inside the FIPS module, we don't support legacy digests */
    if (pd->md == NULL)
        pd->md = EVP_get_digestbyname(p->data);
 #endif
+    if (pd->md != NULL)
+        ERR_pop_to_mark();
+    else
+        ERR_clear_last_mark();
    return pd->md != NULL;
 }

--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -5848,6 +5848,8 @@ const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx,
                                       int nid,
                                       const char *properties)
 {
+    EVP_CIPHER *ciph;
+
 #ifndef OPENSSL_NO_ENGINE
    ENGINE *eng;

@ -5862,8 +5864,11 @@ const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx,
    }
 #endif

-    /* Otherwise we do an explicit fetch */
-    return EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
+    /* Otherwise we do an explicit fetch. This may fail and that could be ok */
+    ERR_set_mark();
+    ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
+    ERR_pop_to_mark();
+    return ciph;
 }


@ -5898,6 +5903,8 @@ const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx,
                               int nid,
                               const char *properties)
 {
+    EVP_MD *md;
+
 #ifndef OPENSSL_NO_ENGINE
    ENGINE *eng;

@ -5913,7 +5920,10 @@ const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx,
 #endif

    /* Otherwise we do an explicit fetch */
-    return EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
+    ERR_set_mark();
+    md = EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
+    ERR_pop_to_mark();
+    return md;
 }

 int ssl_evp_md_up_ref(const EVP_MD *md)