Ensure that we clear the libssl error stack before we make a function call

that we will pass the result through tls_ssl_error() on failure. Otherwise
we can end up reporting spurious errors due to their being unrelated errors
already on the error stack.

Spotted by Marko Kreen.

ok beck@

3 files changed, 12 insertions, 5 deletions

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index aa49641ab2..65103f106d 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.25 2015/09/11 09:24:54 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.26 2015/09/12 19:54:31 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -405,12 +405,13 @@ tls_read(struct tls *ctx, void *buf, size_t buflen)
                 goto out;
         }
 
+        ERR_clear_error();
         if ((ssl_ret = SSL_read(ctx->ssl_conn, buf, buflen)) > 0) {
                 rv = (ssize_t)ssl_ret;
                 goto out;
         }
-
         rv = (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "read");
+
  out:
         /* Prevent callers from performing incorrect error handling */
         errno = 0;
@@ -433,12 +434,13 @@ tls_write(struct tls *ctx, const void *buf, size_t buflen)
                 goto out;
         }
 
+        ERR_clear_error();
         if ((ssl_ret = SSL_write(ctx->ssl_conn, buf, buflen)) > 0) {
                 rv = (ssize_t)ssl_ret;
                 goto out;
         }
-
         rv =  (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "write");
+
  out:
         /* Prevent callers from performing incorrect error handling */
         errno = 0;
@@ -452,6 +454,7 @@ tls_close(struct tls *ctx)
         int rv = 0;
 
         if (ctx->ssl_conn != NULL) {
+                ERR_clear_error();
                 ssl_ret = SSL_shutdown(ctx->ssl_conn);
                 if (ssl_ret < 0) {
                         rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret,
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index 2aca519f8b..047831e59f 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.27 2015/09/11 12:56:55 beck Exp $ */
+/* $OpenBSD: tls_client.c,v 1.28 2015/09/12 19:54:31 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -25,6 +25,7 @@
 #include <stdlib.h>
 #include <unistd.h>
 
+#include <openssl/err.h>
 #include <openssl/x509.h>
 
 #include <tls.h>
@@ -251,6 +252,7 @@ tls_handshake_client(struct tls *ctx)
                 goto err;
         }
 
+        ERR_clear_error();
         if ((ssl_ret = SSL_connect(ctx->ssl_conn)) != 1) {
                 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");
                 goto err;
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index 69baf5c1c2..1baf717c90 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.16 2015/09/11 08:31:26 beck Exp $ */
+/* $OpenBSD: tls_server.c,v 1.17 2015/09/12 19:54:31 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -16,6 +16,7 @@
  */
 
 #include <openssl/ec.h>
+#include <openssl/err.h>
 #include <openssl/ssl.h>
 
 #include <tls.h>
@@ -167,6 +168,7 @@ tls_handshake_server(struct tls *ctx)
                 goto err;
         }
 
+        ERR_clear_error();
         if ((ssl_ret = SSL_accept(ctx->ssl_conn)) != 1) {
                 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");
                 goto err;