Call ERR_clear_error on EVP_MD_fetch or EVP_##alg error

.gitlab-ci.yml

@@ -760,7 +760,7 @@ gcc:9fips:amd64:
     EXTRA_CONFIGURE: "--with-libidn2 --enable-fips-mode --disable-leak-detection --disable-tracing"
   <<: *oraclelinux_9fips_amd64_image
   <<: *build_job
-  <<: *api_schedules_tags_triggers_web_triggering_rules
+#  <<: *api_schedules_tags_triggers_web_triggering_rules
 
 system:gcc:9fips:amd64:
   <<: *oraclelinux_9fips_amd64_image
@@ -773,7 +773,7 @@ system:gcc:9fips:amd64:
 unit:gcc:9fips:amd64:
   <<: *oraclelinux_9fips_amd64_image
   <<: *unit_test_job
-  <<: *api_schedules_tags_triggers_web_triggering_rules
+#  <<: *api_schedules_tags_triggers_web_triggering_rules
   needs:
     - job: gcc:9fips:amd64
       artifacts: true

bin/named/main.c

@@ -545,6 +545,24 @@ format_supported_algorithms(void (*emit)(isc_buffer_t *b)) {
 	(*emit)(&b);
 }
 
+static void
+detect_uncleared_libcrypto_error(const char *xfile, int xline) {
+	const char *file, *func, *data;
+	int line, flags;
+	long err;
+	bool leak = false;
+	while ((err = ERR_get_error_all(&file, &line, &func, &data, &flags)) !=
+	       0L)
+	{
+		fprintf(stderr,
+			"# Uncleared libcrypto error: %s:%d %s:%d %s %s %ld "
+			"%x\n",
+			xfile, xline, file, line, func, data, err, flags);
+		leak = true;
+	}
+	INSIST(!leak);
+}
+
 static void
 printversion(bool verbose) {
 	char rndcconf[PATH_MAX], *dot = NULL;
@@ -625,6 +643,7 @@ printversion(bool verbose) {
 	printf("threads support is enabled\n");
 
 	isc_mem_create(&mctx);
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	result = dst_lib_init(mctx, named_g_engine);
 	if (result == ISC_R_SUCCESS) {
 		isc_buffer_init(&b, buf, sizeof(buf));
@@ -833,6 +852,8 @@ parse_command_line(int argc, char *argv[]) {
 	int ch;
 	const char *p;
 
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
+
 	save_command_line(argc, argv);
 
 	/*
@@ -1457,6 +1478,7 @@ main(int argc, char *argv[]) {
 #ifdef HAVE_GPERFTOOLS_PROFILER
 	(void)ProfilerStart(NULL);
 #endif /* ifdef HAVE_GPERFTOOLS_PROFILER */
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 
 	/*
 	 * Technically, this call is superfluous because on startup of the main
@@ -1487,12 +1509,13 @@ main(int argc, char *argv[]) {
 		named_main_earlyfatal("program name too long");
 	}
 
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	isc_assertion_setcallback(assertion_failed);
 	isc_error_setfatal(library_fatal_error);
 	isc_error_setunexpected(library_unexpected_error);
-
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	named_os_init(program_name);
-
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	parse_command_line(argc, argv);
 
 #ifdef ENABLE_AFL

lib/dns/dst_api.c

@@ -188,6 +188,23 @@ addsuffix(char *filename, int len, const char *dirname, const char *ofilename,
 			return ((_r));      \
 	} while (0);
 
+static void
+detect_uncleared_libcrypto_error(const char *xfile, int xline) {
+	const char *file, *func, *data;
+	int line, flags;
+	long err;
+	bool leak = false;
+	while ((err = ERR_get_error_all(&file, &line, &func, &data, &flags)) !=
+	       0L)
+	{
+		fprintf(stderr,
+			"# Uncleared libcrypto error: %s:%d %s:%d %s %s %ld %x\n",
+			xfile, xline, file, line, func, data, err, flags);
+		leak = true;
+	}
+	INSIST(!leak);
+}
+
 isc_result_t
 dst_lib_init(isc_mem_t *mctx, const char *engine) {
 	isc_result_t result;
@@ -199,30 +216,45 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
 
 	memset(dst_t_func, 0, sizeof(dst_t_func));
 	RETERR(dst__openssl_init(engine)); /* Sets FIPS mode. */
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	/* RSASHA1 (NSEC3RSASHA1) is verify only in FIPS mode. */
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
 				    DST_ALG_RSASHA1));
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
 				    DST_ALG_NSEC3RSASHA1));
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256],
 				    DST_ALG_RSASHA256));
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
 				    DST_ALG_RSASHA512));
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 #ifdef HAVE_OPENSSL_ED25519
 	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519],
 				      DST_ALG_ED25519));
 #endif /* ifdef HAVE_OPENSSL_ED25519 */
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 #ifdef HAVE_OPENSSL_ED448
 	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448],
 				      DST_ALG_ED448));
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 #endif /* ifdef HAVE_OPENSSL_ED448 */
 
 #if HAVE_GSSAPI
@@ -233,6 +265,7 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
 	return (ISC_R_SUCCESS);
 
 out:
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	/* avoid immediate crash! */
 	dst_initialized = true;
 	dst_lib_destroy();

lib/dns/openssl_link.c

@@ -79,9 +79,29 @@ enable_fips_mode(void) {
 #endif
 }
 
+static void
+detect_uncleared_libcrypto_error(const char *xfile, int xline) {
+	const char *file, *func, *data;
+	int line, flags;
+	long err;
+	bool leak = false;
+	while ((err = ERR_get_error_all(&file, &line, &func, &data, &flags)) !=
+	       0L)
+	{
+		fprintf(stderr,
+			"# Uncleared libcrypto error: %s:%d %s:%d %s %s %ld "
+			"%x\n",
+			xfile, xline, file, line, func, data, err, flags);
+		leak = true;
+	}
+	INSIST(!leak);
+}
+
 isc_result_t
 dst__openssl_init(const char *engine) {
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	enable_fips_mode();
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 
 	if (engine != NULL && *engine == '\0') {
 		engine = NULL;

lib/isc/lib.c

@@ -41,18 +41,48 @@ isc__initialize(void) ISC_CONSTRUCTOR;
 void
 isc__shutdown(void) ISC_DESTRUCTOR;
 
+#include <openssl/err.h>
+
+static void
+detect_uncleared_libcrypto_error(const char *xfile, int xline) {
+       const char *file, *func, *data;
+       int line, flags;
+       long err;
+       bool leak = false;
+       while ((err = ERR_get_error_all(&file, &line, &func, &data, &flags)) !=
+              0L)
+       {
+               fprintf(stderr,
+                       "# Uncleared libcrypto error: %s:%d %s:%d %s %s %ld "
+                       "%x\n",
+                       xfile, xline, file, line, func, data, err, flags);
+               leak = true;
+       }
+       INSIST(!leak);
+}
+
 void
 isc__initialize(void) {
 	isc__os_initialize();
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	isc__mutex_initialize();
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	isc__mem_initialize();
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	isc__tls_initialize();
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	isc__uv_initialize();
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	isc__xml_initialize();
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	isc__md_initialize();
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	isc__iterated_hash_initialize();
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	(void)isc_os_ncpus();
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 	rcu_register_thread();
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 }
 
 void

lib/isc/md.c

@@ -181,6 +181,9 @@ const isc_md_type_t *isc__md_sha512 = NULL;
 	{                                                          \
 		REQUIRE(isc__md_##alg == NULL);                    \
 		isc__md_##alg = EVP_MD_fetch(NULL, algname, NULL); \
+		if (isc__md_##alg == NULL) {                       \
+			ERR_clear_error();                         \
+		}                                                  \
 	}
 
 #define md_unregister_algorithm(alg)                                    \
@@ -195,6 +198,9 @@ const isc_md_type_t *isc__md_sha512 = NULL;
 #define md_register_algorithm(alg, algname)  \
 	{                                    \
 		isc__md_##alg = EVP_##alg(); \
+		if (isc__md_##alg == NULL) { \
+			ERR_clear_error();   \
+		}                            \
 	}
 #define md_unregister_algorithm(alg)
 #endif

lib/isc/tls.c

@@ -160,6 +160,24 @@ isc__tls_free(void *ptr) {
 
 #endif /* !defined(LIBRESSL_VERSION_NUMBER) */
 
+static void
+detect_uncleared_libcrypto_error(const char *xfile, int xline) {
+	const char *file, *func, *data;
+	int line, flags;
+	long err;
+	bool leak = false;
+	while ((err = ERR_get_error_all(&file, &line, &func, &data, &flags)) !=
+	       0L)
+	{
+		fprintf(stderr,
+			"# Uncleared libcrypto error: %s:%d %s:%d %s %s %ld "
+			"%x\n",
+			xfile, xline, file, line, func, data, err, flags);
+		leak = true;
+	}
+	INSIST(!leak);
+}
+
 void
 isc__tls_initialize(void) {
 	isc_mem_create(&isc__tls_mctx);
@@ -180,6 +198,7 @@ isc__tls_initialize(void) {
 					  isc__tls_realloc_ex, isc__tls_free);
 #endif
 #endif /* !defined(LIBRESSL_VERSION_NUMBER) */
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 	uint64_t opts = OPENSSL_INIT_ENGINE_ALL_BUILTIN |
@@ -193,6 +212,7 @@ isc__tls_initialize(void) {
 #endif
 
 	RUNTIME_CHECK(OPENSSL_init_ssl(opts, NULL) == 1);
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 #else
 	nlocks = CRYPTO_num_locks();
 	locks = isc_mem_cget(isc__tls_mctx, nlocks, sizeof(locks[0]));
@@ -222,6 +242,7 @@ isc__tls_initialize(void) {
 			    "cannot be initialized (see the `PRNG not "
 			    "seeded' message in the OpenSSL FAQ)");
 	}
+	detect_uncleared_libcrypto_error(__FILE__, __LINE__);
 }
 
 void

tests/dns/rdata_test.c

@@ -789,6 +789,7 @@ static void
 check_rdata(const text_ok_t *text_ok, const wire_ok_t *wire_ok,
 	    const compare_ok_t *compare_ok, bool empty_ok,
 	    dns_rdataclass_t rdclass, dns_rdatatype_t type, size_t structsize) {
+	detect_uncleared_libcrypto_error();
 	if (text_ok != NULL) {
 		check_text_ok(text_ok, rdclass, type, structsize);
 	}