openssl: explicitly clear error queue

https://libwebsockets.org/pipermail/libwebsockets/2019-July/008033.html

lib/tls/openssl/openssl-client.c

@@ -279,8 +279,11 @@ lws_tls_client_connect(struct lws *wsi)
 	char a[32];
 	unsigned int len;
 #endif
-	int m, n = SSL_connect(wsi->tls.ssl);
+	int m, n;
 
+	errno = 0;
+	ERR_clear_error();
+	n = SSL_connect(wsi->tls.ssl);
 	if (n == 1) {
 #if defined(LWS_HAVE_SSL_set_alpn_protos) && \
     defined(LWS_HAVE_SSL_get0_alpn_selected)
@@ -325,6 +328,8 @@ lws_tls_client_confirm_peer_cert(struct lws *wsi, char *ebuf, int ebuf_len)
 	int n;
 
 	lws_latency_pre(wsi->context, wsi);
+	errno = 0;
+	ERR_clear_error();
 	n = SSL_get_verify_result(wsi->tls.ssl);
 	lws_latency(wsi->context, wsi,
 		"SSL_get_verify_result LWS_CONNMODE..HANDSHAKE", n, n > 0);
@@ -496,6 +501,8 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 
 	/* no existing one the same... create new client SSL_CTX */
 
+	errno = 0;
+	ERR_clear_error();
 	vh->tls.ssl_client_ctx = SSL_CTX_new(method);
 	if (!vh->tls.ssl_client_ctx) {
 		error = ERR_get_error();

lib/tls/openssl/openssl-server.c

@@ -557,6 +557,7 @@ lws_tls_server_new_nonblocking(struct lws *wsi, lws_sockfd_type accept_fd)
 #endif
 
 	errno = 0;
+	ERR_clear_error();
 	wsi->tls.ssl = SSL_new(wsi->vhost->tls.ssl_ctx);
 	if (wsi->tls.ssl == NULL) {
 		lwsl_err("SSL_new failed: %d (errno %d)\n",
@@ -611,9 +612,13 @@ lws_tls_server_abort_connection(struct lws *wsi)
 enum lws_ssl_capable_status
 lws_tls_server_accept(struct lws *wsi)
 {
-	union lws_tls_cert_info_results ir;
-	int m, n = SSL_accept(wsi->tls.ssl);
 	struct lws_context_per_thread *pt = &wsi->context->pt[(int)wsi->tsi];
+	union lws_tls_cert_info_results ir;
+	int m, n;
+
+	errno = 0;
+	ERR_clear_error();
+	n = SSL_accept(wsi->tls.ssl);
 
 	if (n == 1) {
 		n = lws_tls_peer_cert_info(wsi, LWS_TLS_CERT_INFO_COMMON_NAME, &ir,

lib/tls/openssl/ssl.c

@@ -181,6 +181,7 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
 	lws_stats_atomic_bump(context, pt, LWSSTATS_C_API_READ, 1);
 
 	errno = 0;
+	ERR_clear_error();
 	n = SSL_read(wsi->tls.ssl, buf, len);
 #if defined(LWS_WITH_ESP32)
 	if (!n && errno == LWS_ENOTCONN) {
@@ -307,6 +308,8 @@ lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, int len)
 	if (!wsi->tls.ssl)
 		return lws_ssl_capable_write_no_ssl(wsi, buf, len);
 
+	errno = 0;
+	ERR_clear_error();
 	n = SSL_write(wsi->tls.ssl, buf, len);
 	if (n > 0)
 		return n;
@@ -380,7 +383,7 @@ lws_ssl_close(struct lws *wsi)
 		return 0; /* not handled */
 
 #if defined (LWS_HAVE_SSL_SET_INFO_CALLBACK)
-	/* kill ssl callbacks, becausse we will remove the fd from the
+	/* kill ssl callbacks, because we will remove the fd from the
 	 * table linking it to the wsi
 	 */
 	if (wsi->vhost->tls.ssl_info_event_mask)
@@ -465,6 +468,8 @@ __lws_tls_shutdown(struct lws *wsi)
 {
 	int n;
 
+	errno = 0;
+	ERR_clear_error();
 	n = SSL_shutdown(wsi->tls.ssl);
 	lwsl_debug("SSL_shutdown=%d for fd %d\n", n, wsi->desc.sockfd);
 	switch (n) {

lib/tls/openssl/tls.c

@@ -71,7 +71,7 @@ lws_tls_err_describe(void)
 	unsigned long l;
 
 	do {
-		l = ERR_get_error();
+		l = ERR_peek_error();
 		if (!l)
 			break;
 		ERR_error_string_n(l, buf, sizeof(buf));