From da5f770ae31e0df17b1b8a143d13fee805d8deb3 Mon Sep 17 00:00:00 2001
From: Shane Lontis <shane.lontis@oracle.com>
Date: Wed, 26 May 2021 10:26:27 +1000
Subject: Fix PKCS12_create() so that a fetch error is not added to the error
 stack.

Fixes #15392

PBE algorithms such as NID_pbe_WithSHA1And3_Key_TripleDES_CBC will
currently always fail to the EVP_CIPHER_fetch() call, so the fallback to
a legacy algorithm always happens. In this case the error stack should
ignore the fetch error.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15473)
---
 crypto/pkcs12/p12_sbag.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'crypto/pkcs12')

diff --git a/crypto/pkcs12/p12_sbag.c b/crypto/pkcs12/p12_sbag.c
index 888736d16b..7574c54120 100644
--- a/crypto/pkcs12/p12_sbag.c
+++ b/crypto/pkcs12/p12_sbag.c
@@ -212,9 +212,11 @@ PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(int pbe_nid,
     EVP_CIPHER *pbe_ciph_fetch = NULL;
     X509_SIG *p8;
 
+    ERR_set_mark();
     pbe_ciph = pbe_ciph_fetch = EVP_CIPHER_fetch(ctx, OBJ_nid2sn(pbe_nid), propq);
     if (pbe_ciph == NULL)
         pbe_ciph = EVP_get_cipherbynid(pbe_nid);
+    ERR_pop_to_mark();
 
     if (pbe_ciph != NULL)
         pbe_nid = -1;
-- 
cgit v1.2.3