io.sockets.secure.openssl: ignore unexpected eof error
authorDoug Coleman <doug.coleman@gmail.com>
Sat, 12 Aug 2023 05:32:45 +0000 (00:32 -0500)
committerDoug Coleman <doug.coleman@gmail.com>
Sat, 12 Aug 2023 05:49:34 +0000 (00:49 -0500)
some web servers close the socket early. we want to not error out
if this happens. there is a potential of a truncation attack;
we should investigate that.

fixes #2806

basis/io/sockets/secure/openssl/openssl.factor

index 623b78af8c137a1c95e28399f2a2b1fa6da58a92..956ea6a1acdbec39331d66d561097338d78e9fee 100644 (file)
@@ -80,10 +80,16 @@ PRIVATE>
     dup length
     f BN_bin2bn ; inline
 
+: add-to-ctx ( ctx flag -- )
+    [ handle>> ] dip
+    [ [ SSL_CTX_get_options ] dip bitor ]
+    [ drop swap SSL_CTX_set_options ssl-error ] 2bi ;
+
 : disable-old-tls ( ctx -- )
-    handle>>
-    SSL_OP_NO_TLSv1 SSL_OP_NO_TLSv1_1 bitor
-    SSL_CTX_set_options ssl-error ;
+    SSL_OP_NO_TLSv1 SSL_OP_NO_TLSv1_1 bitor add-to-ctx ;
+
+: ignore-unexpected-eof ( ctx -- )
+    SSL_OP_IGNORE_UNEXPECTED_EOF add-to-ctx ;
 
 : set-session-cache ( ctx -- )
     handle>>
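Review bot: `add-to-ctx` reads the current mask with `SSL_CTX_get_options` and ORs the flag in before calling `SSL_CTX_set_options`, but OpenSSL's `SSL_CTX_set_options` already adds the given bits to the existing mask and never clears any, so the read-modify-write is redundant. The second quotation passed to `2bi` also relies on the value the first one left on the stack, which makes the word hard to follow; `[ handle>> ] dip SSL_CTX_set_options ssl-error ;` should behave the same. Separately, `ignore-unexpected-eof` deserves a comment stating its security cost, for example `! Peer closing without close_notify is reported as a normal EOF, so truncation is no longer detected at the TLS layer.`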
@@ -195,6 +201,7 @@ M: openssl <secure-context>
             [ set-verify-depth ]
             [ load-dh-params ]
             [ set-ecdh-params ]
+            [ ignore-unexpected-eof ]
             [ ]
         } cleave
     ] with-destructors ;
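Review bot: `[ ignore-unexpected-eof ]` is added to the `cleave` list unconditionally, so every context built by `<secure-context>` (whose body starts outside this hunk) stops reporting a peer that closes the socket without sending close_notify. From then on, any stream whose end is marked only by connection close cannot be told apart from one that was cut short, which is the truncation risk the commit message leaves open. Consider gating the option behind a configuration setting that defaults to off, or confirming that the callers validate message length themselves (Content-Length or the chunked terminator for HTTP) before treating EOF as a complete response. It is also worth checking that the flag is only set when the linked OpenSSL defines it, since `SSL_OP_IGNORE_UNEXPECTED_EOF` was introduced in OpenSSL 3.0.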