From da5f770ae31e0df17b1b8a143d13fee805d8deb3 Mon Sep 17 00:00:00 2001
From: Shane Lontis
Date: Wed, 26 May 2021 10:26:27 +1000
Subject: Fix PKCS12_create() so that a fetch error is not added to the error stack.

Fixes #15392

PBE algorithms such as NID_pbe_WithSHA1And3_Key_TripleDES_CBC will currently always fail to the EVP_CIPHER_fetch() call, so the fallback to a legacy algorithm always happens. In this case the error stack should ignore the fetch error.

Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/15473)
---
 crypto/pkcs12/p12_sbag.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'crypto')

diff --git a/crypto/pkcs12/p12_sbag.c b/crypto/pkcs12/p12_sbag.c
index 888736d16b..7574c54120 100644
--- a/crypto/pkcs12/p12_sbag.c
+++ b/crypto/pkcs12/p12_sbag.c
@@ -212,9 +212,11 @@ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(int pbe_nid,
 EVP_CIPHER *pbe_ciph_fetch = NULL;
 X509_SIG *p8;
+ ERR_set_mark();
 pbe_ciph = pbe_ciph_fetch = EVP_CIPHER_fetch(ctx, OBJ_nid2sn(pbe_nid), propq);
 if (pbe_ciph == NULL)
 pbe_ciph = EVP_get_cipherbynid(pbe_nid);
+ ERR_pop_to_mark();
 if (pbe_ciph != NULL)
 pbe_nid = -1;
-- 
cgit v1.2.3
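Review bot: The ERR_set_mark()/ERR_pop_to_mark() pair now discards every error raised between the two calls, including anything EVP_get_cipherbynid() reports and fetch failures whose cause is not a missing algorithm (a provider that failed to load, an allocation failure), not only the expected miss for PBE NIDs that are not cipher names. That is presumably acceptable because, when both lookups fail, pbe_nid is left untouched and the PBE path that follows reports its own error, but that reasoning is nowhere in the hunk and a later reader may take the silenced fetch as the authoritative lookup. A short comment above the mark would capture it: `/* PBE NIDs such as NID_pbe_WithSHA1And3_Key_TripleDES_CBC are not cipher names, so the fetch is expected to fail for them; drop that error and let the pbe_nid path below handle them. */`. The freeing of pbe_ciph_fetch and the remainder of PKCS12_SAFEBAG_create_pkcs8_encrypt_ex lie outside the hunk.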