Clear out extraneous errors before SSL_connect() (see #3916)

Call ERR_clear_error() just before the call to SSL_connect() to make
sure the error queue doesn't have any old errors in it.

PEM_read_X509() sets an error PEM_R_NO_START_LINE on end-of-file.
Clear that out so it doesn't show up as the SSL_connect() error
message.

diff --git a/mutt_ssl.c b/mutt_ssl.c
index dcfada833efdac43f4e6a282685993289d7e4b61..457ea091c0a16c3b7a28011b63d82308d4274f45 100644 (file)
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -99,6 +99,7 @@ static int ssl_load_certificates (SSL_CTX *ctx)
   X509 *cert = NULL;
   X509_STORE *store;
   char buf[STRING];
+  int rv = 1;
 
   dprint (2, (debugfile, "ssl_load_certificates: loading trusted certificates\n"));
   store = SSL_CTX_get_cert_store (ctx);
@@ -124,10 +125,15 @@ static int ssl_load_certificates (SSL_CTX *ctx)
       X509_STORE_add_cert (store, cert);
     }
   }
+  /* PEM_read_X509 sets the error NO_START_LINE on eof */
+  if (ERR_GET_REASON(ERR_peek_last_error()) != PEM_R_NO_START_LINE)
+    rv = 0;
+  ERR_clear_error();
+
   X509_free (cert);
   safe_fclose (&fp);
 
-  return 1;
+  return rv;
 }
 
 /* mutt_ssl_starttls: Negotiate TLS over an already opened connection.
@@ -485,6 +491,7 @@ static int ssl_negotiate (CONNECTION *conn, sslsockdata* ssldata)
 
   SSL_set_verify (ssldata->ssl, SSL_VERIFY_PEER, ssl_verify_callback);
   SSL_set_mode (ssldata->ssl, SSL_MODE_AUTO_RETRY);
+  ERR_clear_error ();
 
   if ((err = SSL_connect (ssldata->ssl)) != 1)
   {
@@ -771,6 +778,9 @@ static int check_certificate_by_digest (X509 *peercert)
     if (pass)
       break;
   }
+  /* PEM_read_X509 sets an error on eof */
+  if (!pass)
+    ERR_clear_error();
   X509_free (cert);
   safe_fclose (&fp);