From 85c7ca37b20202c2e7e143a25489e51719de7f5e Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson
Date: Fri, 22 Apr 2022 14:56:33 +0200
Subject: [PATCH v1] Clear the OpenSSL error queue before cryptohash operations

Setting up an EVP context for ciphers banned under FIPS generate two OpenSSL errors in the queue, and as we only consume one from the queue the other is at the head for the next invocation:

postgres=# select md5('foo');
ERROR: could not compute MD5 hash: unsupported
postgres=# select md5('foo');
ERROR: could not compute MD5 hash: initialization error

Clearing the error queue when creating the context ensures that we don't pull in an error from an earlier operation.
---
 src/common/cryptohash_openssl.c | 2 ++
 src/common/hmac_openssl.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/src/common/cryptohash_openssl.c b/src/common/cryptohash_openssl.c
index 6c98f1cf95..aef3ef0476 100644
--- a/src/common/cryptohash_openssl.c
+++ b/src/common/cryptohash_openssl.c
@@ -115,6 +115,8 @@ pg_cryptohash_create(pg_cryptohash_type type)
 ctx->error = PG_CRYPTOHASH_ERROR_NONE;
 ctx->errreason = NULL;
 
+ ERR_clear_error();
+
 /*
  * Initialization takes care of assigning the correct type for OpenSSL.
  */
diff --git a/src/common/hmac_openssl.c b/src/common/hmac_openssl.c
index 44f36d51dc..5eda902024 100644
--- a/src/common/hmac_openssl.c
+++ b/src/common/hmac_openssl.c
@@ -106,6 +106,8 @@ pg_hmac_create(pg_cryptohash_type type)
 ctx->error = PG_HMAC_ERROR_NONE;
 ctx->errreason = NULL;
 
+ ERR_clear_error();
+
 /*
  * Initialization takes care of assigning the correct type for OpenSSL.
  */
-- 
2.32.0 (Apple Git-132)
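Review bot: The new `ERR_clear_error()` in pg_cryptohash_create carries no comment and only discards errors queued before the context is created; the same applies to the identical call added to pg_hmac_create in hmac_openssl.c. The OpenSSL error queue is per-thread and shared with every other OpenSSL caller in the process, so an entry queued between create and the later init/update/final calls (whose bodies are outside these hunks) could presumably still be reported as this hash's failure reason. I would add a comment such as `/* Discard stale OpenSSL errors so a failure below reports its own reason */` above each call. It is also worth considering a second `ERR_clear_error()` right after the existing `ERR_get_error()` consumer, so the second entry described in the commit message is dropped where it is produced instead of at the next create.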