From fb503aa27587b9ae935e4554e03fca2359bcc6ae Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 11 Jul 2023 14:00:29 +1000
Subject: [PATCH] Clear OpenSSL errors on EVP_MD_CTX_create failures

(cherry picked from commit 8529be30bbbb65f8e1661466cd5c3bab2422d7a7)
---
 lib/dns/opensslecdsa_link.c | 2 +-
 lib/dns/opensslrsa_link.c   | 2 +-
 util/gen-rsa-sha-vectors.c  | 6 ++++++
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index c83ba5c919..d468492f3d 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -175,7 +175,7 @@ opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 
 	evp_md_ctx = EVP_MD_CTX_create();
 	if (evp_md_ctx == NULL) {
-		DST_RET(ISC_R_NOMEMORY);
+		DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
 	}
 	if (dctx->key->key_alg == DST_ALG_ECDSA256) {
 		type = EVP_sha256();
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index f1af259959..17b8368379 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -88,7 +88,7 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 
 	evp_md_ctx = EVP_MD_CTX_create();
 	if (evp_md_ctx == NULL) {
-		return (ISC_R_NOMEMORY);
+		return (dst__openssl_toresult(ISC_R_NOMEMORY));
 	}
 
 	switch (dctx->key->key_alg) {
diff --git a/util/gen-rsa-sha-vectors.c b/util/gen-rsa-sha-vectors.c
index 7f76036b84..4d4d5137a5 100644
--- a/util/gen-rsa-sha-vectors.c
+++ b/util/gen-rsa-sha-vectors.c
@@ -51,6 +51,7 @@ main() {
 	unsigned int siglen = sizeof(buf);
 
 	if (e == NULL || n == NULL || ctx == NULL || evp_md_ctx == NULL) {
+		ERR_clear_error();
 		return (1);
 	}
 
@@ -62,11 +63,13 @@ main() {
 	    EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, e) != 1 ||
 	    EVP_PKEY_keygen(ctx, &pkey) != 1 || pkey == NULL)
 	{
+		ERR_clear_error();
 		return (1);
 	}
 
 	EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &n);
 	if (n == NULL) {
+		ERR_clear_error();
 		return (1);
 	}
 
@@ -90,6 +93,7 @@ main() {
 	    EVP_DigestUpdate(evp_md_ctx, "test", 4) != 1 ||
 	    EVP_SignFinal(evp_md_ctx, buf, &siglen, pkey) != 1)
 	{
+		ERR_clear_error();
 		return (1);
 	}
 	bytes = siglen;
@@ -103,6 +107,7 @@ main() {
 	    EVP_DigestUpdate(evp_md_ctx, "test", 4) != 1 ||
 	    EVP_SignFinal(evp_md_ctx, buf, &siglen, pkey) != 1)
 	{
+		ERR_clear_error();
 		return (1);
 	}
 	bytes = siglen;
@@ -116,6 +121,7 @@ main() {
 	    EVP_DigestUpdate(evp_md_ctx, "test", 4) != 1 ||
 	    EVP_SignFinal(evp_md_ctx, buf, &siglen, pkey) != 1)
 	{
+		ERR_clear_error();
 		return (1);
 	}
 	bytes = siglen;