From 3ce51b0b3eef9580126e1e1e159077c5b7fab970 Mon Sep 17 00:00:00 2001
From: Georg Richter
Date: Wed, 20 Apr 2022 18:48:54 +0200
Subject: [PATCH] Fix for CONC-587: Since alerts may happen after handshake (for example with described test in CONC-587 using TLSv1.3 protocol or by renegotiation) the tls error message needs to be retrieved if error is a protocol error (SSL_ERROR_SSL) and/or if errno was not set.
---
 libmariadb/mariadb_lib.c | 14 ++++++++++----
 libmariadb/secure/openssl.c | 14 ++++++++++++++
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/libmariadb/mariadb_lib.c b/libmariadb/mariadb_lib.c
index b3edfe2e2..095d1cb59 100644
--- a/libmariadb/mariadb_lib.c
+++ b/libmariadb/mariadb_lib.c
@@ -202,10 +202,16 @@ ma_net_safe_read(MYSQL *mysql)
 if (len == packet_error || len == 0)
 {
 end_server(mysql);
- my_set_error(mysql, net->last_errno == ER_NET_PACKET_TOO_LARGE ?
- CR_NET_PACKET_TOO_LARGE:
- CR_SERVER_LOST,
- SQLSTATE_UNKNOWN, 0, errno);
+#ifdef HAVE_TLS
+ /* don't overwrite possible tls protocol errors */
+ if (net->last_errno != CR_SSL_CONNECTION_ERROR)
+#endif
+ {
+ my_set_error(mysql, net->last_errno == ER_NET_PACKET_TOO_LARGE ?
+ CR_NET_PACKET_TOO_LARGE:
+ CR_SERVER_LOST,
+ SQLSTATE_UNKNOWN, 0, errno);
+ }
 return(packet_error);
 }
 if (net->read_pos[0] == 255)
diff --git a/libmariadb/secure/openssl.c b/libmariadb/secure/openssl.c
index 9196a0cb1..5e29ef6f3 100644
--- a/libmariadb/secure/openssl.c
+++ b/libmariadb/secure/openssl.c
@@ -591,7 +591,14 @@ ssize_t ma_tls_read(MARIADB_TLS *ctls, const uchar* buffer, size_t length)
 {
 int error= SSL_get_error((SSL *)ctls->ssl, rc);
 if (error != SSL_ERROR_WANT_READ)
+ {
+ if (error == SSL_ERROR_SSL || errno == 0)
+ {
+ MYSQL *mysql= SSL_get_app_data(ctls->ssl);
+ ma_tls_set_error(mysql);
+ }
 return rc;
+ }
 if (pvio->methods->wait_io_or_timeout(pvio, TRUE, pvio->mysql->options.read_timeout) < 1)
 return rc;
 }
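Review bot: The new `if (net->last_errno != CR_SSL_CONNECTION_ERROR)` guard keeps whatever error is already stored in `net` without checking that it came from this read, and nothing visible here resets last_errno first, so a CR_SSL_CONNECTION_ERROR left over from an earlier call on the same handle would presumably also suppress the CR_SERVER_LOST for this failure; ma_net_safe_read starts and continues outside the hunk, so a reset may happen there. The comment should name the contract it relies on, e.g. `/* ma_tls_read/ma_tls_write already called ma_tls_set_error() for a TLS protocol error; keep that diagnostic instead of a generic CR_SERVER_LOST */`. Note also that `errno` on the moved my_set_error line is still sampled after `end_server(mysql)` has run, so if that call closes the socket the value reported may be the close() result rather than the read failure (pre-existing; end_server's body is not shown).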
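Review bot: The `errno == 0` half of the added condition is wider than the SSL_ERROR_SYSCALL unexpected-EOF case it appears to target: SSL_get_error() also returns SSL_ERROR_ZERO_RETURN for a clean close_notify from the peer, and that path does not set errno, so ma_tls_set_error() would presumably be asked to report a protocol error for an orderly shutdown with an empty OpenSSL error queue (its body is not in the hunk). Narrowing to `if (error == SSL_ERROR_SSL || (error == SSL_ERROR_SYSCALL && errno == 0))` keeps the CONC-587 fix while leaving the generic path for a normal shutdown. The handle is also fetched through SSL_get_app_data() even though `pvio->mysql` is already dereferenced on the context line two lines below; `ma_tls_set_error(pvio->mysql);` avoids a NULL if app data was never attached, assuming both refer to the same handle. The same five added lines are duplicated in ma_tls_write in the next hunk and could live in one static helper; ma_tls_read's enclosing loop starts outside the hunk.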
@@ -607,7 +614,14 @@ ssize_t ma_tls_write(MARIADB_TLS *ctls, const uchar* buffer, size_t length)
 {
 int error= SSL_get_error((SSL *)ctls->ssl, rc);
 if (error != SSL_ERROR_WANT_WRITE)
+ {
+ if (error == SSL_ERROR_SSL || errno == 0)
+ {
+ MYSQL *mysql= SSL_get_app_data(ctls->ssl);
+ ma_tls_set_error(mysql);
+ }
 return rc;
+ }
 if (pvio->methods->wait_io_or_timeout(pvio, TRUE, pvio->mysql->options.write_timeout) < 1)
 return rc;
 }