LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4648 Commits
1 Branch
46 MiB
Tree: 4b5b6874b0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4b5b6874b0'
${ noResults }
openwrt-packages-dist/net/haproxy/patches/0002-BUG-MINOR-acl-don-t-us...

69 lines
2.6 KiB
Raw Normal View History

haproxy: bump to version 1.5.15 - integrate pending patches Signed-off-by: heil <heil@terminal-consulting.de>
9 years ago
 
  1. From 1af6a324c3206902f69bd2c9838e94ffb4cee3ae Mon Sep 17 00:00:00 2001
  2. From: Lukas Tribus <luky-37@hotmail.com>
  3. Date: Thu, 5 Nov 2015 13:59:30 +0100
  4. Subject: [PATCH 02/10] BUG/MINOR: acl: don't use record layer in req_ssl_ver
  5. MIME-Version: 1.0
  6. Content-Type: text/plain; charset=UTF-8
  7. Content-Transfer-Encoding: 8bit
  8. 

  9. The initial record layer version in a SSL handshake may be set to TLSv1.0
  10. or similar for compatibility reasons, this is allowed as per RFC5246
  11. Appendix E.1 [1]. Some implementations are Openssl [2] and NSS [3].
  12. 

  13. A related issue has been fixed some time ago in commit 57d229747
  14. ("BUG/MINOR: acl: req_ssl_sni fails with SSLv3 record version").
  15. 

  16. Fix this by using the real client hello version instead of the record
  17. layer version.
  18. 

  19. This was reported by Julien Vehent and analyzed by Cyril Bonté.
  20. The initial patch is from Julien Vehent as well.
  21. 

  22. This should be backported to stable series, the req_ssl_ver keyword was
  23. first introduced in 1.3.16.
  24. 

  25. [1] https://tools.ietf.org/html/rfc5246#appendix-E.1
  26. [2] https://github.com/openssl/openssl/commit/4a1cf50187659e60c5867ecbbc36e37b2605d2c3
  27. [3] https://bugzilla.mozilla.org/show_bug.cgi?id=774547
  28. (cherry picked from commit c93242cab986087f06a4655d14fec18eecb7f5f4)
  29. (cherry picked from commit b048a6eb3d9cb518e4a378e20ba2a801afec553c)
  30. ---

  31.  src/payload.c | 11 +++++++----
  32.  1 file changed, 7 insertions(+), 4 deletions(-)
  33. 

  34. diff --git a/src/payload.c b/src/payload.c

  35. index f62163c..b8f1ca3 100644

  36. --- a/src/payload.c

  37. +++ b/src/payload.c

  38. @@ -148,21 +148,24 @@ smp_fetch_req_ssl_ver(struct proxy *px, struct session *s, void *l7, unsigned in

  39.  	data = (const unsigned char *)s->req->buf->p;
  40.  	if ((*data >= 0x14 && *data <= 0x17) || (*data == 0xFF)) {
  41.  		/* SSLv3 header format */
  42. -		if (bleft < 5)

  43. +		if (bleft < 11)

  44.  			goto too_short;
  45.  
  46. -		version = (data[1] << 16) + data[2]; /* version: major, minor */

  47. +		version = (data[1] << 16) + data[2]; /* record layer version: major, minor */

  48.  		msg_len = (data[3] <<  8) + data[4]; /* record length */
  49.  
  50.  		/* format introduced with SSLv3 */
  51.  		if (version < 0x00030000)
  52.  			goto not_ssl;
  53.  
  54. -		/* message length between 1 and 2^14 + 2048 */

  55. -		if (msg_len < 1 || msg_len > ((1<<14) + 2048))

  56. +		/* message length between 6 and 2^14 + 2048 */

  57. +		if (msg_len < 6 || msg_len > ((1<<14) + 2048))

  58.  			goto not_ssl;
  59.  
  60.  		bleft -= 5; data += 5;
  61. +

  62. +		/* return the client hello client version, not the record layer version */

  63. +		version = (data[4] << 16) + data[5]; /* client hello version: major, minor */

  64.  	} else {
  65.  		/* SSLv2 header format, only supported for hello (msg type 1) */
  66.  		int rlen, plen, cilen, silen, chlen;
  67. -- 

  68. 2.4.10
  69.