From: Mark Andrews <marka@isc.org>
Date: Thu, 13 Jul 2023 03:24:10 +0000 (+1000)
Subject: Clear OpenSSL errors on OSSL_PROVIDER_load failures
X-Git-Tag: v9.19.17~17^2~13
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=279973363e5935eb2258690970824076cc1455ee;p=thirdparty%2Fbind9.git

Clear OpenSSL errors on OSSL_PROVIDER_load failures
---

diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 461701fbc9c..6e5dd347696 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -61,6 +61,7 @@
 #include <isccfg/kaspconf.h>
 #include <isccfg/namedconf.h>
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+#include <openssl/err.h>
 #include <openssl/provider.h>
 #endif
 
@@ -1146,11 +1147,13 @@ main(int argc, char **argv) {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 		fips = OSSL_PROVIDER_load(NULL, "fips");
 		if (fips == NULL) {
+			ERR_clear_error();
 			fatal("Failed to load FIPS provider");
 		}
 		base = OSSL_PROVIDER_load(NULL, "base");
 		if (base == NULL) {
 			OSSL_PROVIDER_unload(fips);
+			ERR_clear_error();
 			fatal("Failed to load base provider");
 		}
 #endif
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 6f6df5406ce..e16db1a24c6 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -89,6 +89,7 @@
 
 #include <dst/dst.h>
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+#include <openssl/err.h>
 #include <openssl/provider.h>
 #endif
 
@@ -3737,11 +3738,13 @@ main(int argc, char *argv[]) {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 		fips = OSSL_PROVIDER_load(NULL, "fips");
 		if (fips == NULL) {
+			ERR_clear_error();
 			fatal("Failed to load FIPS provider");
 		}
 		base = OSSL_PROVIDER_load(NULL, "base");
 		if (base == NULL) {
 			OSSL_PROVIDER_unload(fips);
+			ERR_clear_error();
 			fatal("Failed to load base provider");
 		}
 #endif
diff --git a/bin/named/main.c b/bin/named/main.c
index af87594080a..4a38f69fd7d 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -89,6 +89,7 @@
 #include <openssl/evp.h>
 #include <openssl/opensslv.h>
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
+#include <openssl/err.h>
 #include <openssl/provider.h>
 #endif
 #ifdef HAVE_LIBXML2
@@ -962,12 +963,14 @@ parse_command_line(int argc, char *argv[]) {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 			fips = OSSL_PROVIDER_load(NULL, "fips");
 			if (fips == NULL) {
+				ERR_clear_error();
 				named_main_earlyfatal(
 					"Failed to load FIPS provider");
 			}
 			base = OSSL_PROVIDER_load(NULL, "base");
 			if (base == NULL) {
 				OSSL_PROVIDER_unload(fips);
+				ERR_clear_error();
 				named_main_earlyfatal(
 					"Failed to load base provider");
 			}