v2-0001-Clear-the-OpenSSL-error-queue-before-cryptohash-o.patch
application/octet-stream
Filename: v2-0001-Clear-the-OpenSSL-error-queue-before-cryptohash-o.patch
Type: application/octet-stream
Part: 2
Patch
Format: format-patch
Series: patch v2-0001
Subject: Clear the OpenSSL error queue before cryptohash operations
| File | + | − |
|---|---|---|
| src/common/cryptohash_openssl.c | 9 | 0 |
| src/common/hmac_openssl.c | 4 | 0 |
From 7753e7a816ce454e50decac2b99f33fce2a11da7 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <daniel@yesql.se>
Date: Fri, 22 Apr 2022 14:56:33 +0200
Subject: [PATCH v2 1/3] Clear the OpenSSL error queue before cryptohash
operations
Setting up an EVP context for ciphers banned under FIPS generate
two OpenSSL errors in the queue, and as we only consume one from
the queue the other is at the head for the next invocation:
postgres=# select md5('foo');
ERROR: could not compute MD5 hash: unsupported
postgres=# select md5('foo');
ERROR: could not compute MD5 hash: initialization error
Clearing the error queue when creating the context ensures that
we don't pull in an error from an earlier operation.
---
src/common/cryptohash_openssl.c | 9 +++++++++
src/common/hmac_openssl.c | 4 ++++
2 files changed, 13 insertions(+)
diff --git a/src/common/cryptohash_openssl.c b/src/common/cryptohash_openssl.c
index 6c98f1cf95..0a44b64b5e 100644
--- a/src/common/cryptohash_openssl.c
+++ b/src/common/cryptohash_openssl.c
@@ -117,7 +117,10 @@ pg_cryptohash_create(pg_cryptohash_type type)
/*
* Initialization takes care of assigning the correct type for OpenSSL.
+ * Also ensure that there aren't any unconsumed errors in the queue from
+ * previous runs.
*/
+ ERR_clear_error();
ctx->evpctx = EVP_MD_CTX_create();
if (ctx->evpctx == NULL)
@@ -182,6 +185,12 @@ pg_cryptohash_init(pg_cryptohash_ctx *ctx)
{
ctx->errreason = SSLerrmessage(ERR_get_error());
ctx->error = PG_CRYPTOHASH_ERROR_OPENSSL;
+ /*
+ * The OpenSSL error queue should normally be empty since we've
+ * consumed an error, but cipher initialization can in FIPS enabled
+ * OpenSSL builds generate two errors so clear the queue here as well.
+ */
+ ERR_clear_error();
return -1;
}
return 0;
diff --git a/src/common/hmac_openssl.c b/src/common/hmac_openssl.c
index 44f36d51dc..8874d6a240 100644
--- a/src/common/hmac_openssl.c
+++ b/src/common/hmac_openssl.c
@@ -106,9 +106,13 @@ pg_hmac_create(pg_cryptohash_type type)
ctx->error = PG_HMAC_ERROR_NONE;
ctx->errreason = NULL;
+
/*
* Initialization takes care of assigning the correct type for OpenSSL.
+ * Also ensure that there aren't any unconsumed errors in the queue from
+ * previous runs.
*/
+ ERR_clear_error();
#ifdef HAVE_HMAC_CTX_NEW
#ifndef FRONTEND
ResourceOwnerEnlargeHMAC(CurrentResourceOwner);
--
2.32.0 (Apple Git-132)