Summary: NodeJS up to 19.2.0 does not clear the OpenSSL error stack after operations that may set it
Description: NodeJS up to 19.2.0 does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread.
The following issues have reproduction cases:
https://github.com/nodejs/node/pull/45495
https://github.com/nodejs/node/pull/45377
Upon reviewing the code in crypto_x509.cc, at least one other function lacks use of ClearErrorOnReturn - X509Certificate::CheckPrivateKey.
On our application, JWTs failed to sign after a certificate fails to verify on the same thread.
If the server verifies certificates using Node’s X509Certificate API, it may fail to sign other users’ auth tokens: if a certificate fails to verify, the error from the previous failing call is applied to the next call that should succeed. It is worth auditing all OpenSSL entry points to see if they can cause errors to be raised.