From 7d79cd827fb17db7b03858b06f03c514d25cdfea Mon Sep 17 00:00:00 2001
From: Tim Costen <tim.costen@isode.com>
Date: Wed, 13 Nov 2019 12:52:44 +0000
Subject: Clear internal error state after cert chain parse

When parsing a PEM string containing a chain of
certificates, createCertificateChain calls
PEM_read_bio_X509 until it returns NULL (end of chain). But
this will have set OpenSSL's internal error chain. Creating
a new OpenSSL context has the side effect of clearing this chain,
but if you are using a context which has already been created,
the context sees that the error chain is set and fails.

All that is needed is for createCertificateChain to clear the
OpenSSL error chain before returning.
JIRA: LINK-1868

Change-Id: Ife2a3dabfeecff9e430648d63e4b4ba001e80a00

diff --git a/Swiften/TLS/OpenSSL/OpenSSLCertificateFactory.cpp b/Swiften/TLS/OpenSSL/OpenSSLCertificateFactory.cpp
index fd94ec8..73058a5 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLCertificateFactory.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLCertificateFactory.cpp
@@ -7,6 +7,7 @@
 #include <Swiften/TLS/OpenSSL/OpenSSLCertificateFactory.h>
 
 #include <openssl/pem.h>
+#include <openssl/err.h>
 
 namespace Swift {
 
@@ -44,6 +45,11 @@ std::vector<std::shared_ptr<Certificate>> OpenSSLCertificateFactory::createCerti
         }
     }
 
+    // Clear any (expected) errors which resulted from PEM parsing
+    // If we don't do this, any existing TLS context will detect these
+    // spurious errors and fail to work
+    ERR_clear_error();
+
     return certificateChain;
 }
 
-- 
cgit v0.10.2-6-g49f6