NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit17ec5fa

committed

Clear the OpenSSL error queue before cryptohash operations

Setting up an EVP context for ciphers banned under FIPS generatetwo OpenSSL errors in the queue, and as we only consume one fromthe queue the other is at the head for the next invocation: postgres=# select md5('foo'); ERROR: could not compute MD5 hash: unsupported postgres=# select md5('foo'); ERROR: could not compute MD5 hash: initialization errorClearing the error queue when creating the context ensures thatwe don't pull in an error from an earlier operation.Discussion:https://postgr.es/m/C89D932C-501E-4473-9750-638CFCD9095E@yesql.se

1 parent59a32f0 commit17ec5faCopy full SHA for 17ec5fa

File tree

2 files changed

+13

-0

lines changed

src/common
- cryptohash_openssl.c
- hmac_openssl.c

2 files changed

+13

-0

lines changed

`‎src/common/cryptohash_openssl.c`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -117,7 +117,10 @@ pg_cryptohash_create(pg_cryptohash_type type)`
`117`	`117`
`118`	`118`	`/*`
`119`	`119`	`* Initialization takes care of assigning the correct type for OpenSSL.`
	`120`	`+ * Also ensure that there aren't any unconsumed errors in the queue from`
	`121`	`+ * previous runs.`
`120`	`122`	`*/`
	`123`	`+ERR_clear_error();`
`121`	`124`	`ctx->evpctx=EVP_MD_CTX_create();`
`122`	`125`
`123`	`126`	`if (ctx->evpctx==NULL)`
`@@ -182,6 +185,12 @@ pg_cryptohash_init(pg_cryptohash_ctx *ctx)`
`182`	`185`	`{`
`183`	`186`	`ctx->errreason=SSLerrmessage(ERR_get_error());`
`184`	`187`	`ctx->error=PG_CRYPTOHASH_ERROR_OPENSSL;`
	`188`	`+/*`
	`189`	`+ * The OpenSSL error queue should normally be empty since we've`
	`190`	`+ * consumed an error, but cipher initialization can in FIPS-enabled`
	`191`	`+ * OpenSSL builds generate two errors so clear the queue here as well.`
	`192`	`+ */`
	`193`	`+ERR_clear_error();`
`185`	`194`	`return-1;`
`186`	`195`	`}`
`187`	`196`	`return0;`

`‎src/common/hmac_openssl.c`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -106,9 +106,13 @@ pg_hmac_create(pg_cryptohash_type type)`
`106`	`106`	`ctx->error=PG_HMAC_ERROR_NONE;`
`107`	`107`	`ctx->errreason=NULL;`
`108`	`108`
	`109`	`+`
`109`	`110`	`/*`
`110`	`111`	`* Initialization takes care of assigning the correct type for OpenSSL.`
	`112`	`+ * Also ensure that there aren't any unconsumed errors in the queue from`
	`113`	`+ * previous runs.`
`111`	`114`	`*/`
	`115`	`+ERR_clear_error();`
`112`	`116`	`#ifdefHAVE_HMAC_CTX_NEW`
`113`	`117`	`#ifndefFRONTEND`
`114`	`118`	`ResourceOwnerEnlargeHMAC(CurrentResourceOwner);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit17ec5fa

File tree

2 files changed

2 files changed

`‎src/common/cryptohash_openssl.c`

`‎src/common/hmac_openssl.c`

0 commit comments