authorjoerg <joerg>2008-04-25 19:58:17 +0000
committerjoerg <joerg>2008-04-25 19:58:17 +0000
commit95d79ffe36e6ffce71d8425657e198b78982d6ed (patch)
treed0168810f0f1dd7995f6dc9b27e118cd987062b7 /www
parentbc41ca11e511126772378995d81a947e4ec01364 (diff)
Fix a potential DOS when using SSL. Bump revision.
Diffstat (limited to 'www')
-rw-r--r--www/lighttpd/distinfo4
-rw-r--r--www/lighttpd/patches/patch-aa69
-rw-r--r--www/lighttpd/patches/patch-ac22
3 files changed, 94 insertions, 1 deletions
diff --git a/www/lighttpd/distinfo b/www/lighttpd/distinfo
index 75fdcc9cb17..435f2eae953 100644
--- a/www/lighttpd/distinfo
+++ b/www/lighttpd/distinfo
@@ -1,6 +1,8 @@
-$NetBSD: distinfo,v 1.13 2008/03/15 10:53:50 joerg Exp $
+$NetBSD: distinfo,v 1.14 2008/04/25 19:58:17 joerg Exp $
SHA1 (lighttpd-1.4.19.tar.gz) = 79e2d61dd9017c3c50c0fe98b2289cae5c1255ee
RMD160 (lighttpd-1.4.19.tar.gz) = 7dbe2a22051e18f4037b48ee4811e2c9738d20cf
Size (lighttpd-1.4.19.tar.gz) = 815568 bytes
+SHA1 (patch-aa) = 4e3a6bf761bc0e0b8b2ff75fbec739d2cad145ab
SHA1 (patch-ab) = b02003db1b2ac978846eb0f7be178b91f59fc176
+SHA1 (patch-ac) = eca334f430362b2095727e28b9cc15f757fd440d
diff --git a/www/lighttpd/patches/patch-aa b/www/lighttpd/patches/patch-aa
new file mode 100644
index 00000000000..1ab9dbad3da
--- /dev/null
+++ b/www/lighttpd/patches/patch-aa
@@ -0,0 +1,69 @@
+$NetBSD: patch-aa,v 1.9 2008/04/25 19:58:17 joerg Exp $
+
+From SVN: Fix potential DOS by clearing SSL error queue.
+
+--- src/connections.c.orig 2008-04-25 18:28:26.000000000 +0200
++++ src/connections.c
+@@ -199,6 +199,7 @@ static int connection_handle_read_ssl(se
+
+ /* don't resize the buffer if we were in SSL_ERROR_WANT_* */
+
++ ERR_clear_error();
+ do {
+ if (!con->ssl_error_want_reuse_buffer) {
+ b = buffer_init();
+@@ -1668,19 +1669,47 @@ int connection_state_machine(server *srv
+ }
+ #ifdef USE_OPENSSL
+ if (srv_sock->is_ssl) {
+- int ret;
++ int ret, ssl_r;
++ unsigned long err;
++ ERR_clear_error();
+ switch ((ret = SSL_shutdown(con->ssl))) {
+ case 1:
+ /* ok */
+ break;
+ case 0:
+- SSL_shutdown(con->ssl);
+- break;
++ ERR_clear_error();
++ if (-1 != (ret = SSL_shutdown(con->ssl))) break;
++
++ // fall through
+ default:
+- log_error_write(srv, __FILE__, __LINE__, "sds", "SSL:",
+- SSL_get_error(con->ssl, ret),
+- ERR_error_string(ERR_get_error(), NULL));
+- return -1;
++
++ switch ((ssl_r = SSL_get_error(con->ssl, ret))) {
++ case SSL_ERROR_WANT_WRITE:
++ case SSL_ERROR_WANT_READ:
++ break;
++ case SSL_ERROR_SYSCALL:
++ /* perhaps we have error waiting in our error-queue */
++ if (0 != (err = ERR_get_error())) {
++ do {
++ log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
++ ssl_r, ret,
++ ERR_error_string(err, NULL));
++ } while ((err = ERR_get_error()));
++ } else {
++ log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
++ ssl_r, r, errno,
++ strerror(errno));
++ }
++ break;
++
++ default:
++ while ((err = ERR_get_error())) {
++ log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
++ ssl_r, ret,
++ ERR_error_string(err, NULL));
++ }
++ break;
++ }
+ }
+ }
+ #endif
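Review bot: In the SSL_ERROR_SYSCALL else-branch the log call passes `r`, but the variables this hunk declares for the shutdown path are `ret` and `ssl_r`. Whatever `r` resolves to in connection_state_machine (its declaration is outside the hunk), it is not the SSL_shutdown() result, so that line logs an unrelated value; it should read `ssl_r, ret, errno,`. errno is also read only after SSL_get_error() and ERR_get_error() have run, so saving it in a local right after SSL_shutdown() returns would keep the logged reason reliable for anyone triaging shutdown failures. The function body starts and ends outside the hunk.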
diff --git a/www/lighttpd/patches/patch-ac b/www/lighttpd/patches/patch-ac
new file mode 100644
index 00000000000..2f5f47fbde8
--- /dev/null
+++ b/www/lighttpd/patches/patch-ac
@@ -0,0 +1,22 @@
+$NetBSD: patch-ac,v 1.5 2008/04/25 19:58:17 joerg Exp $
+
+From SVN: Fix potential DOS by clearing SSL error queue.
+
+--- src/network_openssl.c.orig 2008-04-25 18:29:42.000000000 +0200
++++ src/network_openssl.c
+@@ -85,6 +85,7 @@ int network_write_chunkqueue_openssl(ser
+ *
+ */
+
++ ERR_clear_error();
+ if ((r = SSL_write(ssl, offset, toSend)) <= 0) {
+ unsigned long err;
+
+@@ -187,6 +188,7 @@ int network_write_chunkqueue_openssl(ser
+
+ close(ifd);
+
++ ERR_clear_error();
+ if ((r = SSL_write(ssl, s, toSend)) <= 0) {
+ unsigned long err;
+
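Review bot: Neither added `ERR_clear_error();` in network_write_chunkqueue_openssl carries a comment saying why it is there, and the reason is not obvious at the call site. SSL_get_error() consults the thread's error queue, so an entry left behind by an earlier operation can cause the result of a later SSL_write() to be misclassified. I would put a comment above each call, for example `/* SSL_get_error() is only reliable if the error queue is empty before the I/O call */`. The error handling that follows both SSL_write() calls is outside the hunks, so whether it drains the queue fully on every path cannot be confirmed from here.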