While reviewing the NSS patch [1], I noticed that the cryptohash implementation for OpenSSL doesn't set up any locking callbacks in frontend code. I think there has to be a call to OPENSSL_set_locking_callback() before libpq starts reaching into the EVP_* API, if ENABLE_THREAD_SAFETY and HAVE_CRYPTO_LOCK are both true.
This would only affect threaded libpq clients running OpenSSL 1.0.2 and below, and it looks like the most likely code path to be affected is the OpenSSL error stack. So if anything went wrong with one of those hash calls, it's possible that libpq would crash (or worse, silently misbehave somewhere in the TLS stack) instead of gracefully reporting an error. [2] is an example of this in the wild. --Jacob [1] https://www.postgresql.org/message-id/40095f48c3c6d556293cb0ecf80ea10cdf7d26b3.camel%40vmware.com [2] https://github.com/openssl/openssl/issues/4690
