openssl: error on SSL_ERROR_SYSCALL

Convert the debug-only handling of SSL_ERROR_SYSCALL so that it is
enabled in all builds with openssl. This should not make a difference in
supported OpenSSL versions, but if whatever version or fork we link
against *does* return SSL_ERROR_SYSCALL, handle this as a fatal error.

Fixes #17471
Reported-by: Michael Kaufmann
Closes #17531

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 0ce09ca06b756d8f7fd694142067bbbc3760e1ec..6d02b00408447d6d0c4eeb85b4edecac3a5c459a 100644 (file)
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -5364,31 +5364,32 @@ static ssize_t ossl_recv(struct Curl_cfilter *cf,
         nread = -1;
         goto out;
       }
-      /* For debug builds be a little stricter and error on any
-         SSL_ERROR_SYSCALL. For example a server may have closed the connection
-         abruptly without a close_notify alert. For compatibility with older
-         peers we do not do this by default. #4624
-
-         We can use this to gauge how many users may be affected, and
-         if it goes ok eventually transition to allow in dev and release with
-         the newest OpenSSL: #if (OPENSSL_VERSION_NUMBER >= 0x10101000L) */
-#ifdef DEBUGBUILD
-      if(err == SSL_ERROR_SYSCALL) {
-        int sockerr = SOCKERRNO;
-        if(sockerr)
-          Curl_strerror(sockerr, error_buffer, sizeof(error_buffer));
+      else if(err == SSL_ERROR_SYSCALL) {
+        if(octx->io_result) {
+          /* logging handling in underlying filter already */
+          *curlcode = octx->io_result;
+        }
+        else if(connssl->peer_closed) {
+          failf(data, "Connection closed abruptly");
+          *curlcode = CURLE_RECV_ERROR;
+        }
         else {
-          msnprintf(error_buffer, sizeof(error_buffer),
-                    "Connection closed abruptly");
+          /* We should no longer get here nowadays. But handle
+           * the error in case of some weirdness in the OSSL stack */
+          int sockerr = SOCKERRNO;
+          if(sockerr)
+            Curl_strerror(sockerr, error_buffer, sizeof(error_buffer));
+          else {
+            msnprintf(error_buffer, sizeof(error_buffer),
+                      "Connection closed abruptly");
+          }
+          failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d",
+                error_buffer, sockerr);
+          *curlcode = CURLE_RECV_ERROR;
         }
-        failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d"
-              " (Fatal because this is a curl debug build)",
-              error_buffer, sockerr);
-        *curlcode = CURLE_RECV_ERROR;
         nread = -1;
         goto out;
       }
-#endif
     }
   }
 

diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index 9c6f51826058c08b7307476027a564ad457b737f..9a654ed60f1be3bbc41e300e331c257d0fa0b68f 100644 (file)
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -2027,8 +2027,7 @@ static ssize_t wssl_recv(struct Curl_cfilter *cf,
       }
       else if(!wssl->io_result && connssl->peer_closed) {
         CURL_TRC_CF(data, cf, "wssl_recv(len=%zu) -> CLOSED", blen);
-        *curlcode = CURLE_OK;
-        return 0;
+        failf(data, "Connection closed abruptly");
       }
       else {
         char error_buffer[256];

diff --git a/tests/http/test_05_errors.py b/tests/http/test_05_errors.py
index 995ae37727928155538eafa9a0798b479b9394dc..f6aae1ad15848fce7761f405adf0221037d4e5ac 100644 (file)
--- a/tests/http/test_05_errors.py
+++ b/tests/http/test_05_errors.py
@@ -120,9 +120,7 @@ class TestErrors:
         r = curl.http_download(urls=[url], alpn_proto=proto, extra_args=[
             '--parallel', '--trace-config', 'ssl'
         ])
-        if proto == 'http/1.0' and not env.curl_uses_lib('wolfssl') and \
-                (env.curl_is_debug() or
-                not env.curl_uses_any_libs(['openssl', 'libressl', 'aws-lc'])):
+        if proto == 'http/1.0':
             # we are inconsistent if we fail or not in missing TLS shutdown
             # openssl code ignore such errors intentionally in non-debug builds
             r.check_exit_code(56)