LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3280 Commits
1 Branch
46 MiB
Tree: 95f5cf9c04
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '95f5cf9c04'
${ noResults }
openwrt-packages-dist/net/haproxy/patches/0012-BUG-MEDIUM-ssl-fix-tun...

98 lines
3.3 KiB
Raw Normal View History

haproxy: add patches from upstream - [PATCH 1/2] BUG/MEDIUM: stats: properly initialize the scope before - [PATCH 2/2] BUG/MEDIUM: http: don't forward client shutdown without - [PATCH 3/8] BUG/MINOR: check: fix tcpcheck error message - [PATCH 4/8] CLEANUP: checks: fix double usage of cur / current_step - [PATCH 5/8] BUG/MEDIUM: checks: do not dereference head of a - [PATCH 6/8] CLEANUP: checks: simplify the loop processing of - [PATCH 7/8] BUG/MAJOR: checks: always check for end of list before - [PATCH 8/8] BUG/MEDIUM: checks: do not dereference a list as a - [PATCH 09/10] BUG/MEDIUM: peers: apply a random reconnection timeout - [PATCH 10/10] DOC: Update doc about weight, act and bck fields in the - [PATCH 11/14] MINOR: ssl: add a destructor to free allocated SSL - [PATCH 12/14] BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value - [PATCH 13/14] BUG/MINOR: cfgparse: fix typo in 'option httplog' error - [PATCH 14/14] BUG/MEDIUM: cfgparse: segfault when userlist is misused Signed-off-by: heil <heil@terminal-consulting.de>
10 years ago
 
  1. From 5d769ca828fdb055052b3dbc232864bdf2853c9f Mon Sep 17 00:00:00 2001
  2. From: Remi Gacogne <rgacogne@aquaray.fr>
  3. Date: Thu, 28 May 2015 16:23:00 +0200
  4. Subject: [PATCH 12/14] BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value
  5.  being overwritten
  6. MIME-Version: 1.0
  7. Content-Type: text/plain; charset=UTF-8
  8. Content-Transfer-Encoding: 8bit
  9. 

  10. Hervé Commowick reported that the logic used to avoid complaining about
  11. ssl-default-dh-param not being set when static DH params are present
  12. in the certificate file was clearly wrong when more than one sni_ctx
  13. is used.
  14. This patch stores whether static DH params are being used for each
  15. SSL_CTX individually, and does not overwrite the value of
  16. tune.ssl.default-dh-param.
  17. (cherry picked from commit 4f902b88323927c9d25d391a809e3678ac31df41)
  18. ---

  19.  src/ssl_sock.c | 28 +++++++++++++++++++++++-----
  20.  1 file changed, 23 insertions(+), 5 deletions(-)
  21. 

  22. diff --git a/src/ssl_sock.c b/src/ssl_sock.c

  23. index a78fc6a..0f7819b 100644

  24. --- a/src/ssl_sock.c

  25. +++ b/src/ssl_sock.c

  26. @@ -47,6 +47,9 @@

  27.  #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
  28.  #include <openssl/ocsp.h>
  29.  #endif
  30. +#ifndef OPENSSL_NO_DH

  31. +#include <openssl/dh.h>

  32. +#endif

  33.  
  34.  #include <common/buffer.h>
  35.  #include <common/compat.h>
  36. @@ -107,6 +110,7 @@ int sslconns = 0;

  37.  int totalsslconns = 0;
  38.  
  39.  #ifndef OPENSSL_NO_DH
  40. +static int ssl_dh_ptr_index = -1;

  41.  static DH *local_dh_1024 = NULL;
  42.  static DH *local_dh_2048 = NULL;
  43.  static DH *local_dh_4096 = NULL;
  44. @@ -1076,10 +1080,12 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)

  45.  	if (dh) {
  46.  		ret = 1;
  47.  		SSL_CTX_set_tmp_dh(ctx, dh);
  48. -		/* Setting ssl default dh param to the size of the static DH params

  49. -		   found in the file. This way we know that there is no use

  50. -		   complaining later about ssl-default-dh-param not being set. */

  51. -		global.tune.ssl_default_dh_param = DH_size(dh) * 8;

  52. +

  53. +		if (ssl_dh_ptr_index >= 0) {

  54. +			/* store a pointer to the DH params to avoid complaining about

  55. +			   ssl-default-dh-param not being set for this SSL_CTX */

  56. +			SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, dh);

  57. +		}

  58.  	}
  59.  	else {
  60.  		/* Clear openssl global errors stack */
  61. @@ -1274,6 +1280,12 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf

  62.  	 * the tree, so it will be discovered and cleaned in time.
  63.  	 */
  64.  #ifndef OPENSSL_NO_DH
  65. +	/* store a NULL pointer to indicate we have not yet loaded

  66. +	   a custom DH param file */

  67. +	if (ssl_dh_ptr_index >= 0) {

  68. +		SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL);

  69. +	}

  70. +

  71.  	ret = ssl_sock_load_dh_params(ctx, path);
  72.  	if (ret < 0) {
  73.  		if (err)
  74. @@ -1593,7 +1605,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy

  75.  
  76.  	/* If tune.ssl.default-dh-param has not been set and
  77.  	   no static DH params were in the certificate file. */
  78. -	if (global.tune.ssl_default_dh_param == 0) {

  79. +	if (global.tune.ssl_default_dh_param == 0 &&

  80. +	    (ssl_dh_ptr_index == -1 ||

  81. +	     SSL_CTX_get_ex_data(ctx, ssl_dh_ptr_index) == NULL)) {

  82.  		ciphers = ctx->cipher_list;
  83.  
  84.  		if (ciphers) {
  85. @@ -4715,6 +4729,10 @@ static void __ssl_sock_init(void)

  86.  	bind_register_keywords(&bind_kws);
  87.  	srv_register_keywords(&srv_kws);
  88.  	cfg_register_keywords(&cfg_kws);
  89. +

  90. +#ifndef OPENSSL_NO_DH

  91. +	ssl_dh_ptr_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);

  92. +#endif

  93.  }
  94.  
  95.  __attribute__((destructor))
  96. -- 

  97. 2.0.5
  98.