Flush the OpenSSL error queue after a successful PKCS12 parse in case there is some garbage in it.
diff --git a/OpenSSL/crypto/pkcs12.c b/OpenSSL/crypto/pkcs12.c
index 6f795c5..a3319c0 100644
--- a/OpenSSL/crypto/pkcs12.c
+++ b/OpenSSL/crypto/pkcs12.c
@@ -337,15 +337,25 @@
}
/* parse the PKCS12 lump */
- if (p12 && !PKCS12_parse(p12, passphrase, &pkey, &cert, &cacerts)) {
- /*
- * If PKCS12_parse fails, and it allocated cacerts, it seems to free
- * cacerts, but not re-NULL the pointer. Zounds! Make sure it is
- * re-set to NULL here, else we'll have a double-free below.
- */
- cacerts = NULL;
- exception_from_error_queue(crypto_Error);
- goto error;
+ if (p12) {
+ if (!PKCS12_parse(p12, passphrase, &pkey, &cert, &cacerts)) {
+ /*
+ * If PKCS12_parse fails, and it allocated cacerts, it seems to
+ * free cacerts, but not re-NULL the pointer. Zounds! Make sure
+ * it is re-set to NULL here, else we'll have a double-free below.
+ */
+ cacerts = NULL;
+ exception_from_error_queue(crypto_Error);
+ goto error;
+ } else {
+ /*
+ * OpenSSL 1.0.0 sometimes leaves an X509_check_private_key error in
+ * the queue for no particular reason. This error isn't interesting
+ * to anyone outside this function. It's not even interesting to
+ * us. Get rid of it.
+ */
+ flush_error_queue();
+ }
}
if (!(self = PyObject_GC_New(crypto_PKCS12Obj, &crypto_PKCS12_Type))) {
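Review bot: The failure branch resets only `cacerts` before `goto error`, although `pkey` and `cert` are passed to `PKCS12_parse` by address in the same call. The branch's own comment says a failed parse frees `cacerts` without re-NULLing it. If OpenSSL treats the other two outputs the same way, which cannot be confirmed from this hunk, any free of them under the `error` label would be a double-free. The `error` label is outside the hunk, so this needs checking there; adding `pkey = NULL; cert = NULL;` next to `cacerts = NULL;` would make the branch safe either way. Separately, the `else` after `goto error` is redundant, and `flush_error_queue();` could sit directly after the `if` block at one less indent level.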