Fix PKCS12_create() so that a fetch error is not added to the error stack.

Fixes #15392 PBE algorithms such as NID_pbe_WithSHA1And3_Key_TripleDES_CBC will currently always fail to the EVP_CIPHER_fetch() call, so the fallback to a legacy algorithm always happens. In this case the error stack should ignore the fetch error. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15473)
author: Shane Lontis <shane.lontis@oracle.com> 2021-05-26 02:26:27 +0200
committer: Tomas Mraz <tomas@openssl.org> 2021-05-28 13:54:19 +0200
commit: da5f770ae31e0df17b1b8a143d13fee805d8deb3 (patch)
tree: afdbfaad00cf99fa4180a98e7161ba108ddef5d2 /crypto
parent: Fix typo about SSL_CONF_FLAG_CMDLINE (diff)
download: openssl-da5f770ae31e0df17b1b8a143d13fee805d8deb3.tar.xz
openssl-da5f770ae31e0df17b1b8a143d13fee805d8deb3.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/pkcs12/p12_sbag.c b/crypto/pkcs12/p12_sbag.c
index 888736d16b..7574c54120 100644
--- a/crypto/pkcs12/p12_sbag.c
+++ b/crypto/pkcs12/p12_sbag.c
@@ -212,9 +212,11 @@ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(int pbe_nid,
     EVP_CIPHER *pbe_ciph_fetch = NULL;
     X509_SIG *p8;
 
+    ERR_set_mark();
     pbe_ciph = pbe_ciph_fetch = EVP_CIPHER_fetch(ctx, OBJ_nid2sn(pbe_nid), propq);
     if (pbe_ciph == NULL)
         pbe_ciph = EVP_get_cipherbynid(pbe_nid);
+    ERR_pop_to_mark();
 
     if (pbe_ciph != NULL)
         pbe_nid = -1;
author	Shane Lontis <shane.lontis@oracle.com>	2021-05-26 02:26:27 +0200
committer	Tomas Mraz <tomas@openssl.org>	2021-05-28 13:54:19 +0200
commit	da5f770ae31e0df17b1b8a143d13fee805d8deb3 (patch)
tree	afdbfaad00cf99fa4180a98e7161ba108ddef5d2 /crypto
parent	Fix typo about SSL_CONF_FLAG_CMDLINE (diff)
download	openssl-da5f770ae31e0df17b1b8a143d13fee805d8deb3.tar.xz openssl-da5f770ae31e0df17b1b8a143d13fee805d8deb3.zip