From 4ea926934a8d08cece0469406357bbd9fd8492d8 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 11 Jul 2023 14:10:49 +1000
Subject: [PATCH] Clear OpenSSL errors on EVP failures

---
 lib/isc/hmac.c          | 5 +++++
 lib/isc/iterated_hash.c | 1 +
 lib/isc/md.c            | 4 ++++
 3 files changed, 10 insertions(+)

diff --git a/lib/isc/hmac.c b/lib/isc/hmac.c
index 15a217f218..bc35befc1e 100644
--- a/lib/isc/hmac.c
+++ b/lib/isc/hmac.c
@@ -11,6 +11,7 @@
  * information regarding copyright ownership.
  */
 
+#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/opensslv.h>
 
@@ -61,6 +62,7 @@ isc_hmac_init(isc_hmac_t *hmac, const void *key, const size_t keylen,
 
 	if (EVP_DigestSignInit(hmac, NULL, md_type, NULL, pkey) != 1) {
 		EVP_PKEY_free(pkey);
+		ERR_clear_error();
 		return (ISC_R_CRYPTOFAILURE);
 	}
 
@@ -74,6 +76,7 @@ isc_hmac_reset(isc_hmac_t *hmac) {
 	REQUIRE(hmac != NULL);
 
 	if (EVP_MD_CTX_reset(hmac) != 1) {
+		ERR_clear_error();
 		return (ISC_R_CRYPTOFAILURE);
 	}
 
@@ -89,6 +92,7 @@ isc_hmac_update(isc_hmac_t *hmac, const unsigned char *buf, const size_t len) {
 	}
 
 	if (EVP_DigestSignUpdate(hmac, buf, len) != 1) {
+		ERR_clear_error();
 		return (ISC_R_CRYPTOFAILURE);
 	}
 
@@ -105,6 +109,7 @@ isc_hmac_final(isc_hmac_t *hmac, unsigned char *digest,
 	size_t len = *digestlen;
 
 	if (EVP_DigestSignFinal(hmac, digest, &len) != 1) {
+		ERR_clear_error();
 		return (ISC_R_CRYPTOFAILURE);
 	}
 
diff --git a/lib/isc/iterated_hash.c b/lib/isc/iterated_hash.c
index 3127b6dc59..e402e42221 100644
--- a/lib/isc/iterated_hash.c
+++ b/lib/isc/iterated_hash.c
@@ -130,6 +130,7 @@ isc_iterated_hash(unsigned char *out, const unsigned int hashalg,
 	return (outlength);
 
 fail:
+	ERR_clear_error();
 	return (0);
 }
 
diff --git a/lib/isc/md.c b/lib/isc/md.c
index 4efaee4466..da655c2e58 100644
--- a/lib/isc/md.c
+++ b/lib/isc/md.c
@@ -47,6 +47,7 @@ isc_md_init(isc_md_t *md, const isc_md_type_t *md_type) {
 	}
 
 	if (EVP_DigestInit_ex(md, md_type, NULL) != 1) {
+		ERR_clear_error();
 		return (ISC_R_CRYPTOFAILURE);
 	}
 
@@ -58,6 +59,7 @@ isc_md_reset(isc_md_t *md) {
 	REQUIRE(md != NULL);
 
 	if (EVP_MD_CTX_reset(md) != 1) {
+		ERR_clear_error();
 		return (ISC_R_CRYPTOFAILURE);
 	}
 
@@ -73,6 +75,7 @@ isc_md_update(isc_md_t *md, const unsigned char *buf, const size_t len) {
 	}
 
 	if (EVP_DigestUpdate(md, buf, len) != 1) {
+		ERR_clear_error();
 		return (ISC_R_CRYPTOFAILURE);
 	}
 
@@ -85,6 +88,7 @@ isc_md_final(isc_md_t *md, unsigned char *digest, unsigned int *digestlen) {
 	REQUIRE(digest != NULL);
 
 	if (EVP_DigestFinal_ex(md, digest, digestlen) != 1) {
+		ERR_clear_error();
 		return (ISC_R_CRYPTOFAILURE);
 	}