-rw-r--r--src/common/cryptohash_openssl.c9
-rw-r--r--src/common/hmac_openssl.c4
2 files changed, 13 insertions, 0 deletions
diff --git a/src/common/cryptohash_openssl.c b/src/common/cryptohash_openssl.c
index 6c98f1cf95a..8e76ffdee99 100644
--- a/src/common/cryptohash_openssl.c
+++ b/src/common/cryptohash_openssl.c
@@ -117,7 +117,10 @@ pg_cryptohash_create(pg_cryptohash_type type)
/*
* Initialization takes care of assigning the correct type for OpenSSL.
+ * Also ensure that there aren't any unconsumed errors in the queue from
+ * previous runs.
*/
+ ERR_clear_error();
ctx->evpctx = EVP_MD_CTX_create();
if (ctx->evpctx == NULL)
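Review bot: The sentence added to the comment above `ERR_clear_error()` says what is cleared but not why it matters, and it is folded into a comment about assigning the digest type. OpenSSL's error queue is per-thread and shared by every user of the library on that thread, so a leftover entry is what a later `ERR_get_error()` would return and what would end up in `ctx->errreason`. I would give the call its own comment, e.g. `/* The OpenSSL error queue is per-thread; drop stale entries so a later failure is reported with its own error. */`. pg_cryptohash_create's body continues outside the hunk.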
@@ -182,6 +185,12 @@ pg_cryptohash_init(pg_cryptohash_ctx *ctx)
{
ctx->errreason = SSLerrmessage(ERR_get_error());
ctx->error = PG_CRYPTOHASH_ERROR_OPENSSL;
+ /*
+ * The OpenSSL error queue should normally be empty since we've
+ * consumed an error, but cipher initialization can in FIPS-enabled
+ * OpenSSL builds generate two errors so clear the queue here as well.
+ */
+ ERR_clear_error();
return -1;
}
return 0;
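Review bot: `ERR_get_error()` returns the oldest entry in the queue, so the reason stored in `ctx->errreason` is this call's failure only if the queue was empty just before the digest was initialized. The commit clears the queue in pg_cryptohash_create but not here, so an OpenSSL error raised on the same thread between create and init would be reported instead, and the real one discarded by the new `ERR_clear_error()`. The failing call is above the hunk, so this is inferred; if it is not already preceded by a clear, adding `ERR_clear_error();` immediately before it would close the gap. The same likely applies to the update and final paths, which this diff does not touch (all nine insertions for this file are in these two hunks).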
diff --git a/src/common/hmac_openssl.c b/src/common/hmac_openssl.c
index 44f36d51dcb..8874d6a240c 100644
--- a/src/common/hmac_openssl.c
+++ b/src/common/hmac_openssl.c
@@ -106,9 +106,13 @@ pg_hmac_create(pg_cryptohash_type type)
ctx->error = PG_HMAC_ERROR_NONE;
ctx->errreason = NULL;
+
/*
* Initialization takes care of assigning the correct type for OpenSSL.
+ * Also ensure that there aren't any unconsumed errors in the queue from
+ * previous runs.
*/
+ ERR_clear_error();
#ifdef HAVE_HMAC_CTX_NEW
#ifndef FRONTEND
ResourceOwnerEnlargeHMAC(CurrentResourceOwner);
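Review bot: pg_hmac_create gets the pre-clear, but hmac_openssl.c gets no counterpart to the post-error `ERR_clear_error()` added in pg_cryptohash_init; all four insertions the diffstat lists for this file are in this hunk. If pg_hmac_init reads a single `ERR_get_error()` on failure the way pg_cryptohash_init does (not visible here), a FIPS-enabled build could leave a second error queued for the next OpenSSL caller on the thread. Consider adding `ERR_clear_error();` before the `return -1;` there. The first added line is also a second blank line before the comment and can be dropped. pg_hmac_create's body continues outside the hunk.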