From 11277d790262bfb3e147758afd8e7cfec21cafe0 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 1 Sep 2020 05:38:48 +0000
Subject: Hoist ERR_clear_error() call into the derr: label
The only path that sets TLS1_TICKET_NOT_DECRPYTED is through this label and the ERR_clear_error() is called conditionally on this. We clear the errors to make decrypt errors non-fatal. The free functions should not set the errors and if they do, we don't want to hide that. discussed with jsing
---
 src/lib/libssl/t1_lib.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 64e64bf902..8162259c66 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.172 2020/09/01 05:32:11 tb Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.173 2020/09/01 05:38:48 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1012,6 +1012,7 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, int *alert,
 goto done;
 derr:
+ ERR_clear_error();
 s->internal->tlsext_ticket_expected = 1;
 ret = TLS1_TICKET_NOT_DECRYPTED;
 goto done;
@@ -1027,8 +1028,5 @@ tls_decrypt_ticket(SSL *s, CBS *session_id, CBS *ticket, int *alert,
 HMAC_CTX_free(hctx);
 SSL_SESSION_free(sess);
- if (ret == TLS1_TICKET_NOT_DECRYPTED)
- ERR_clear_error();
-
 return ret;
 }
--
cgit v1.2.3-55-g6feb
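Review bot: The `ERR_clear_error();` added under the `derr:` label in tls_decrypt_ticket() has no comment, so the reason the queue is dropped here, and why it must happen before the frees rather than after them, lives only in the commit message. I would add `/* Ticket decrypt failures are non-fatal: discard the errors they queued. */` directly above the call so a later cleanup does not move it back below the free calls. ERR_clear_error() also empties the whole per-thread queue, so any entry queued before this function was entered is discarded along with the decrypt errors. Whether callers can arrive with earlier entries pending is not visible in this hunk; if they can, pairing `ERR_set_mark()` on entry with `ERR_pop_to_mark()` at `derr:` would limit the drop to this function's own errors. The function body starts and ends outside this hunk.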