From: Daniel Stenberg
Date: Mon, 6 Oct 2025 08:39:29 +0000 (+0200)
Subject: openssl: call SSL_get_error() with proper error
X-Git-Tag: rc-8_17_0-3~333
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7a5184fa1ebcd68ead0e3e9b78340296acac350;p=thirdparty%2Fcurl.git
openssl: call SSL_get_error() with proper error
The error function should be called with the return code from the previous call to SSL_shutdown() as argument.
Closes #18872
---
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 0714ce7c6a..409c9c0946 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2169,14 +2169,16 @@ static CURLcode ossl_shutdown(struct Curl_cfilter *cf,
 /* SSL should now have started the shutdown from our side. Since it
 * was not complete, we are lacking the close notify from the server. */
 if(send_shutdown && !(SSL_get_shutdown(octx->ssl) & SSL_SENT_SHUTDOWN)) {
+ int rc;
 ERR_clear_error();
 CURL_TRC_CF(data, cf, "send SSL close notify");
- if(SSL_shutdown(octx->ssl) == 1) {
+ rc = SSL_shutdown(octx->ssl);
+ if(rc == 1) {
 CURL_TRC_CF(data, cf, "SSL shutdown finished");
 *done = TRUE;
 goto out;
 }
- if(SSL_ERROR_WANT_WRITE == SSL_get_error(octx->ssl, nread)) {
+ if(SSL_ERROR_WANT_WRITE == SSL_get_error(octx->ssl, rc)) {
 CURL_TRC_CF(data, cf, "SSL shutdown still wants to send");
 connssl->io_need = CURL_SSL_IO_NEED_SEND;
 goto out;
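Review bot: `SSL_get_error(octx->ssl, rc)` is still reached when `rc` is 0, and OpenSSL's SSL_shutdown() documentation says a 0 return is not an error and that SSL_get_error() should not be called for it because it may misleadingly report one. Comparing only against `SSL_ERROR_WANT_WRITE` probably limits the effect, but guarding the call makes the intent explicit: `if(rc < 0 && SSL_ERROR_WANT_WRITE == SSL_get_error(octx->ssl, rc)) {`. A short comment above `rc = SSL_shutdown(octx->ssl);` such as `/* 1: close notify exchanged, 0: ours sent, <0: consult SSL_get_error() */` would document the three outcomes for the next reader. ossl_shutdown() starts before and continues after this hunk, so whether `nread` is still passed to SSL_get_error() elsewhere in the function cannot be checked from here.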