From: Mark Andrews
Date: Thu, 20 Jul 2023 03:32:50 +0000 (+1000)
Subject: Clear OpenSSL errors on TSL error paths
X-Git-Tag: v9.19.17~17^2~10
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4f790b6c585eb9f2c81c887633d11b970e8320e0;p=thirdparty%2Fbind9.git
Clear OpenSSL errors on TSL error paths
---
diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index b740af7023a..314de8b6a60 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -1043,6 +1043,7 @@ isc_tlsctx_enable_peer_verification(isc_tlsctx_t *tlsctx, const bool is_server,
 ret = X509_VERIFY_PARAM_set1_host(param, hostname, 0);
 }
 if (ret != 1) {
+ ERR_clear_error();
 return (ISC_R_FAILURE);
 }
@@ -1093,6 +1094,7 @@ isc_tlsctx_load_client_ca_names(isc_tlsctx_t *ctx, const char *ca_bundle_file) {
 cert_names = SSL_load_client_CA_file(ca_bundle_file);
 if (cert_names == NULL) {
+ ERR_clear_error();
 return (ISC_R_FAILURE);
 }
@@ -1133,6 +1135,7 @@ isc_tls_cert_store_create(const char *ca_bundle_filename,
 return (ISC_R_SUCCESS);
 error:
+ ERR_clear_error();
 if (store != NULL) {
 X509_STORE_free(store);
 }
@@ -1614,6 +1617,7 @@ isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache,
 sess = SSL_get1_session(tls);
 if (sess == NULL) {
+ ERR_clear_error();
 return;
 } else if (!ssl_session_seems_resumable(sess)) {
 SSL_SESSION_free(sess);
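Review bot: The `ERR_clear_error();` added before `return (ISC_R_FAILURE);` in the `ret != 1` branch discards whatever OpenSSL queued about the failed `X509_VERIFY_PARAM_set1_host()` call, so the caller is left with a bare ISC_R_FAILURE for a peer-verification setup failure. Emptying the queue is the right hygiene, since stale entries on the thread can make a later `SSL_get_error()` misreport an unrelated operation, but for a security-relevant setting the reason should be recorded first, for example by reading it with `ERR_peek_last_error()` and formatting it with `ERR_error_string_n()` through the module's logging before the clear. The same applies to the `SSL_load_client_CA_file()` failure in the second hunk and to the shared `error:` label in the third, where a wrong bundle path and a malformed PEM file would otherwise look identical to the operator. The function continues outside this hunk, so its other failure returns could not be checked for the same treatment.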
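Review bot: In the `sess == NULL` branch, `ERR_clear_error()` empties the whole per-thread OpenSSL error queue, not only what `SSL_get1_session()` may have added, and because this function returns void a caller has no way to notice. If a caller ever reaches this between a failed TLS call and its own inspection of the queue, that diagnostic is lost silently; whether such a call order exists is not visible from the hunk. I would make the intent explicit with a comment above the call, such as `/* No session to cache; drop queued OpenSSL errors so they are not attributed to the next TLS operation on this thread. */`, and mention the side effect in the function's header comment. The function starts and ends outside the hunk.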