Always throw error when OpenSSL returns SSL_ERROR_SYSCALL.

Previously an error was only thrown when errno was set but in practice this is usually not the case. This may have something to do with getting errno late but attempts to get it earlier have not been successful. It appears that errno usually gets cleared and spot research seems to indicate that other users have similar issues. An error at this point indicates unexpected EOF so it seems better to just throw an error all the time and be consistent. To test this properly our test server needs to call SSL_shutdown() except when the client expects this error.
pgbackrest · Apr 14, 2020 · 71fb28b · 71fb28b
1 parent 9f2d647
commit 71fb28b
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 5 deletions.
diff --git a/doc/xml/release.xml b/doc/xml/release.xml
@@ -50,6 +50,14 @@
                         <p>Split session functionality of <code>TlsClient</code> out into <code>TlsSession</code>.</p>
                     </release-item>
 
+                    <release-item>
+                        <release-item-contributor-list>
+                             <release-item-reviewer id="cynthia.shang"/>
+                        </release-item-contributor-list>
+
+                        <p>Always throw error when <proper>OpenSSL</proper> returns <code>SSL_ERROR_SYSCALL</code>.</p>
+                    </release-item>
+
                     <release-item>
                         <release-item-contributor-list>
                              <release-item-reviewer id="cynthia.shang"/>

diff --git a/src/common/io/tls/session.c b/src/common/io/tls/session.c
@@ -101,17 +101,15 @@ tlsSessionError(TlsSession *this, int code)
             break;
         }
 
-        // A syscall failed (this usually indicates eof)
+        // A syscall failed (usually indicates unexpected eof)
         case SSL_ERROR_SYSCALL:
         {
             // Get the error before closing so it is not cleared
             int errNo = errno;
             tlsSessionClose(this);
 
-            // Throw the sys error if there is one
-            THROW_ON_SYS_ERROR(errNo, KernelError, "tls failed syscall");
-
-            break;
+            // Throw the sys error
+            THROW_SYS_ERROR_CODE(errNo, KernelError, "tls failed syscall");
         }
 
         // Some other tls error that cannot be handled

diff --git a/test/src/common/harnessTls.c b/test/src/common/harnessTls.c
@@ -170,6 +170,15 @@ Close the connection
 ***********************************************************************************************************************************/
 void
 harnessTlsServerClose(void)
+{
+    SSL_shutdown(testClientSSL);
+    SSL_free(testClientSSL);
+    close(testClientSocket);
+}
+
+/**********************************************************************************************************************************/
+void
+harnessTlsServerAbort(void)
 {
     SSL_free(testClientSSL);
     close(testClientSocket);

diff --git a/test/src/common/harnessTls.h b/test/src/common/harnessTls.h
@@ -31,6 +31,9 @@ void harnessTlsServerExpect(const char *expected);
 void harnessTlsServerReply(const char *reply);
 void harnessTlsServerClose(void);
 
+// Abort the server session (i.e. don't perform proper TLS shutdown)
+void harnessTlsServerAbort(void);
+
 /***********************************************************************************************************************************
 Getters/Setters
 ***********************************************************************************************************************************/

diff --git a/test/src/module/common/ioTlsTest.c b/test/src/module/common/ioTlsTest.c
@@ -82,6 +82,11 @@ testTlsServer(void)
     harnessTlsServerReply("0123456789AB");
     harnessTlsServerClose();
 
+    // Test aborted connection before read complete
+    harnessTlsServerAccept();
+    harnessTlsServerReply("0123456789AB");
+    harnessTlsServerAbort();
+
     // Need data in read buffer to test tlsWriteContinue()
     harnessTlsServerAccept();
     harnessTlsServerReply("0123456789AB");
@@ -397,7 +402,16 @@ testRun(void)
                 TEST_ERROR(tlsSessionError(session, SSL_ERROR_WANT_X509_LOOKUP), ServiceError, "tls error [4]");
 
                 // -----------------------------------------------------------------------------------------------------------------
+                TEST_TITLE("aborted connection before read complete");
+
                 TEST_ASSIGN(session, tlsClientOpen(client), "open client again (was closed by server)");
+
+                output = bufNew(13);
+                TEST_ERROR(ioRead(tlsSessionIoRead(session), output), KernelError, "tls failed syscall");
+
+                // -----------------------------------------------------------------------------------------------------------------
+                TEST_ASSIGN(session, tlsClientOpen(client), "open client again (was closed by server)");
+
                 TEST_RESULT_BOOL(tlsSessionWriteContinue(session, -1, SSL_ERROR_WANT_READ, 1), true, "continue on WANT_READ");
                 TEST_RESULT_BOOL(tlsSessionWriteContinue(session, 0, SSL_ERROR_NONE, 1), true, "continue on WANT_READ");
                 TEST_ERROR(