
haproxy: patches from upstream

- [PATCH 5/6] BUG/MEDIUM: http: tarpit timeout is reset
- [PATCH 6/6] MEDIUM: connection: add new bit in Proxy Protocol V2

Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
Thomas Heil 10 jaren geleden
bovenliggende
commit
7c167bfd16

+ 1
- 1
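--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=haproxy
 PKG_VERSION:=1.5.3
-PKG_RELEASE:=04
+PKG_RELEASE:=06
 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
 PKG_MD5SUM:=e999a547d57445d5a5ab7eb6a06df9a1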

+ 45
- 0
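--- /dev/null
+++ b/net/haproxy/patches/0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch
@@ -0,0 +1,45 @@
+From fc566b541e4c67cfbd8d6b40b627ce27dfc8a7cb Mon Sep 17 00:00:00 2001
+From: Thierry FOURNIER <tfournier@exceliance.fr>
+Date: Fri, 22 Aug 2014 06:55:26 +0200
+Subject: [PATCH 5/6] BUG/MEDIUM: http: tarpit timeout is reset
+
+Before the commit bbba2a8ecc35daf99317aaff7015c1931779c33b
+(1.5-dev24-8), the tarpit section set timeout and return, after this
+commit, the tarpit section set the timeout, and go to the "done" label
+which reset the timeout.
+
+Thanks Bryan Talbot for the bug report and analysis.
+
+This should be backported in 1.5.
+(cherry picked from commit 7566e30477bf5ea4206bda5950d2d83108c4a3dc)
+---
+ src/proto_http.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/proto_http.c b/src/proto_http.c
+index 2b75b32..bebc8bf 100644
+--- a/src/proto_http.c
++++ b/src/proto_http.c
+@@ -4117,8 +4117,9 @@ int http_process_req_common(struct session *s, struct channel *req, int an_bit,
+  done:	/* done with this analyser, continue with next ones that the calling
+ 	 * points will have set, if any.
+ 	 */
+-	req->analysers &= ~an_bit;
+ 	req->analyse_exp = TICK_ETERNITY;
++ done_without_exp: /* done with this analyser, but dont reset the analyse_exp. */
++	req->analysers &= ~an_bit;
+ 	return 1;
+ 
+  tarpit:
+@@ -4144,7 +4145,7 @@ int http_process_req_common(struct session *s, struct channel *req, int an_bit,
+ 		s->be->be_counters.denied_req++;
+ 	if (s->listener->counters)
+ 		s->listener->counters->denied_req++;
+-	goto done;
++	goto done_without_exp;
+ 
+  deny:	/* this request was blocked (denied) */
+ 	txn->flags |= TX_CLDENY;
+-- 
+1.8.5.5
+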
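Review bot: The new `done_without_exp` label is only correct if the tarpit branch assigned `req->analyse_exp` from the tarpit timeout before its `goto done_without_exp`, and that assignment lies between the two hunks, outside this patch, so the patch alone does not show that the expiry is armed rather than left at whatever stale value it held. Whether it is armed is the security-relevant part: a tarpitted request whose analyser expiry stays at TICK_ETERNITY holds the connection for as long as the client cares to keep it open, which is the slow-DoS behaviour this backport is meant to remove. I would make the contract explicit at the label, `done_without_exp: /* analyse_exp already holds the tarpit deadline; keep it */`, which also fixes `dont` → `don't`, and say in that comment that `done:` intentionally falls through into it. http_process_req_common begins and ends outside both hunks.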

+ 112
- 0
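--- /dev/null
+++ b/net/haproxy/patches/0006-MEDIUM-connection-add-new-bit-in-Proxy-Protocol-V2.patch
@@ -0,0 +1,112 @@
+From d6ec605d2059191163cad27b7d7b215ed8d3725b Mon Sep 17 00:00:00 2001
+From: Dave McCowan <11235david@gmail.com>
+Date: Wed, 30 Jul 2014 10:39:13 -0400
+Subject: [PATCH 6/6] MEDIUM: connection: add new bit in Proxy Protocol V2
+
+There are two sample commands to get information about the presence of a
+client certificate.
+ssl_fc_has_crt is true if there is a certificate present in the current
+connection
+ssl_c_used is true if there is a certificate present in the session.
+If a session has stopped and resumed, then ssl_c_used could be true, while
+ssl_fc_has_crt is false.
+
+In the client byte of the TLS TLV of Proxy Protocol V2, there is only one
+bit to indicate whether a certificate is present on the connection.  The
+attached patch adds a second bit to indicate the presence for the session.
+
+This maintains backward compatibility.
+
+[wt: this should be backported to 1.5 to help maintain compatibility
+ between versions]
+(cherry picked from commit 328fb58d745c03a0dc706da9e2fcd4e9f860a14b)
+---
+ include/proto/ssl_sock.h   |  3 ++-
+ include/types/connection.h |  5 +++--
+ src/connection.c           |  6 ++++--
+ src/ssl_sock.c             | 21 +++++++++++++++++++--
+ 4 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
+index 3e111cd..10541ed 100644
+--- a/include/proto/ssl_sock.h
++++ b/include/proto/ssl_sock.h
+@@ -51,7 +51,8 @@ void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
+ const char *ssl_sock_get_cipher_name(struct connection *conn);
+ const char *ssl_sock_get_proto_version(struct connection *conn);
+ char *ssl_sock_get_version(struct connection *conn);
+-int ssl_sock_get_cert_used(struct connection *conn);
++int ssl_sock_get_cert_used_sess(struct connection *conn);
++int ssl_sock_get_cert_used_conn(struct connection *conn);
+ int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
+ unsigned int ssl_sock_get_verify_result(struct connection *conn);
+ #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+diff --git a/include/types/connection.h b/include/types/connection.h
+index 2ae16d7..b317007 100644
+--- a/include/types/connection.h
++++ b/include/types/connection.h
+@@ -345,8 +345,9 @@ struct tlv_ssl {
+ 	uint8_t sub_tlv[0];
+ }__attribute__((packed));
+ 
+-#define PP2_CLIENT_SSL      0x01
+-#define PP2_CLIENT_CERT     0x02
++#define PP2_CLIENT_SSL           0x01
++#define PP2_CLIENT_CERT_CONN     0x02
++#define PP2_CLIENT_CERT_SESS     0x04
+ 
+ #endif /* _TYPES_CONNECTION_H */
+ 
+diff --git a/src/connection.c b/src/connection.c
+index 2dd2c02..3af6d9a 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -678,9 +678,11 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
+ 				tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len-ret-ssl_tlv_len), PP2_TYPE_SSL_VERSION, strlen(value), value);
+ 				ssl_tlv_len += tlv_len;
+ 			}
+-			if (ssl_sock_get_cert_used(remote)) {
+-				tlv->client |= PP2_CLIENT_CERT;
++			if (ssl_sock_get_cert_used_sess(remote)) {
++				tlv->client |= PP2_CLIENT_CERT_SESS;
+ 				tlv->verify = htonl(ssl_sock_get_verify_result(remote));
++				if (ssl_sock_get_cert_used_conn(remote))
++					tlv->client |= PP2_CLIENT_CERT_CONN;
+ 			}
+ 			if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
+ 				cn_trash = get_trash_chunk();
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index cf8adc7..da99a30 100644
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -2720,8 +2720,25 @@ out:
+ 	return result;
+ }
+ 
+-/* returns 1 if client passed a certificate, 0 if not */
+-int ssl_sock_get_cert_used(struct connection *conn)
++/* returns 1 if client passed a certificate for this session, 0 if not */
++int ssl_sock_get_cert_used_sess(struct connection *conn)
++{
++	X509 *crt = NULL;
++
++	if (!ssl_sock_is_ssl(conn))
++		return 0;
++
++	/* SSL_get_peer_certificate, it increase X509 * ref count */
++	crt = SSL_get_peer_certificate(conn->xprt_ctx);
++	if (!crt)
++		return 0;
++
++	X509_free(crt);
++	return 1;
++}
++
++/* returns 1 if client passed a certificate for this connection, 0 if not */
++int ssl_sock_get_cert_used_conn(struct connection *conn)
+ {
+ 	if (!ssl_sock_is_ssl(conn))
+ 		return 0;
+-- 
+1.8.5.5
+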
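Review bot: In make_proxy_line_v2 the `PP2_CLIENT_CERT_CONN` test is nested inside the `ssl_sock_get_cert_used_sess` branch, so the connection bit is silently dropped in any case where the connection-level check is true while the session-level one is false; I cannot tell from the hunk whether OpenSSL makes that combination impossible, so either hoist it into its own `if (ssl_sock_get_cert_used_conn(remote)) tlv->client |= PP2_CLIENT_CERT_CONN;` after the session block, or state the assumed implication in a comment. The two new flags in connection.h carry no comment on what a backend may conclude from them; a receiver that reads `PP2_CLIENT_CERT_SESS` as proof that a certificate was presented on this connection would be wrong on a resumed session, which is the distinction the commit message draws between ssl_c_used and ssl_fc_has_crt, so I would annotate them, e.g. `/* client cert presented on this connection */` and `/* client cert seen in the session (may be a resumed session); verify is filled alongside it */`. In ssl_sock.c the comment `it increase X509 * ref count` should read `SSL_get_peer_certificate() increments the X509 refcount, hence the X509_free() below`. The body of ssl_sock_get_cert_used_conn continues outside the hunk.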