LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
26524 Commits
1 Branch
46 MiB
Tree: bb801a5a6f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bb801a5a6f'
${ noResults }
openwrt-packages-dist/net/haproxy/patches/005-BUG-MEDIUM-ssl-initiali...

188 lines
6.4 KiB
Raw Normal View History

haproxy: Update HAProxy to v2.4.10 - Update haproxy download URL and hash - Updated upstream patches Signed-off-by: Christian Lachner <gladiac@gmail.com>
3 years ago
 
  1. commit 6338b7d4a884639f98823e885325a50750f72e04
  2. Author: William Lallemand <wlallemand@haproxy.org>
  3. Date:   Tue Dec 28 18:47:17 2021 +0100
  4. 

  5.     BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server
  6.     
  7.     This bug was introduced by d817dc73 ("MEDIUM: ssl: Load client
  8.     certificates in a ckch for backend servers") in which the creation of
  9.     the SSL_CTX for a server was moved to the configuration parser when
  10.     using a "crt" keyword instead of being done in ssl_sock_prepare_srv_ctx().
  11.     
  12.     The patch 0498fa40 ("BUG/MINOR: ssl: Default-server configuration ignored by
  13.     server") made it worse by setting the same SSL_CTX for every servers
  14.     using a default-server. Resulting in any SSL option on a server applied
  15.     to every server in its backend.
  16.     
  17.     This patch fixes the issue by reintroducing a string which store the
  18.     path of certificate inside the server structure, and loading the
  19.     certificate in ssl_sock_prepare_srv_ctx() again.
  20.     
  21.     This is a quick fix to backport, a cleaner way can be achieve by always
  22.     creating the SSL_CTX in ssl_sock_prepare_srv_ctx() and splitting
  23.     properly the ssl_sock_load_srv_cert() function.
  24.     
  25.     This patch fixes issue #1488.
  26.     
  27.     Must be backported as far as 2.4.
  28.     
  29.     (cherry picked from commit 2c776f1c30c85be11c9ba8ca8d9a7d62690d1a32)
  30.     Signed-off-by: Willy Tarreau <w@1wt.eu>
  31.     (cherry picked from commit 2f3c354b6cdc21ee185e263b5c7422c86ae58c98)
  32.     [wt: ssl_sock_load_srv_cert() doesn't take the create_if_none arg in 2.4,
  33.          thus adjust context and make sure ssl_sock_prepare_srv_ctx() matches
  34.          what srv_parse_crt() used to do]
  35.     Signed-off-by: Willy Tarreau <w@1wt.eu>
  36. 

  37. --- a/include/haproxy/server-t.h

  38. +++ b/include/haproxy/server-t.h

  39. @@ -364,6 +364,7 @@ struct server {

  40.  		char *verify_host;              /* hostname of certificate must match this host */
  41.  		char *ca_file;			/* CAfile to use on verify */
  42.  		char *crl_file;			/* CRLfile to use on verify */
  43. +		char *client_crt;		/* client certificate to send */

  44.  		struct sample_expr *sni;        /* sample expression for SNI */
  45.  #ifdef OPENSSL_NPN_NEGOTIATED
  46.  		char *npn_str;                  /* NPN protocol string */
  47. --- a/reg-tests/ssl/ssl_default_server.vtc

  48. +++ b/reg-tests/ssl/ssl_default_server.vtc

  49. @@ -15,7 +15,7 @@ feature cmd "$HAPROXY_PROGRAM -cc 'versi

  50.  feature cmd "$HAPROXY_PROGRAM -cc 'feature(OPENSSL)'"
  51.  feature ignore_unknown_macro
  52.  
  53. -server s1 -repeat 7 {

  54. +server s1 -repeat 10 {

  55.    rxreq
  56.    txresp
  57.  } -start
  58. @@ -56,7 +56,10 @@ haproxy h1 -conf {

  59.  
  60.      backend third_be
  61.          default-server ssl crt client1.pem ca-file ca-auth.crt verify none
  62. -        server s1 "${tmpdir}/ssl.sock" crt client2_expired.pem

  63. +        server s1 "${tmpdir}/ssl.sock"

  64. +        server s2 "${tmpdir}/ssl.sock" crt client2_expired.pem

  65. +        server s3 "${tmpdir}/ssl.sock"

  66. +        server s4 "${tmpdir}/ssl.sock"

  67.  
  68.      backend fourth_be
  69.          default-server ssl crt client1.pem verify none
  70. @@ -106,9 +109,25 @@ client c1 -connect ${h1_clearlst_sock} {

  71.      txreq
  72.      rxresp
  73.      expect resp.status == 200
  74. +    expect resp.http.x-ssl == "Ok"

  75. +} -run

  76. +

  77. +client c1 -connect ${h1_clearlst_sock} {

  78. +    txreq -url "/third"

  79. +    txreq

  80. +    rxresp

  81. +    expect resp.status == 200

  82.      expect resp.http.x-ssl == "Expired"
  83.  } -run
  84.  
  85. +client c1 -connect ${h1_clearlst_sock} -repeat 2 {

  86. +    txreq -url "/third"

  87. +    txreq

  88. +    rxresp

  89. +    expect resp.status == 200

  90. +    expect resp.http.x-ssl == "Ok"

  91. +} -run

  92. +

  93.  client c1 -connect ${h1_clearlst_sock} {
  94.      txreq -url "/fourth"
  95.      txreq
  96. --- a/src/cfgparse-ssl.c

  97. +++ b/src/cfgparse-ssl.c

  98. @@ -1450,25 +1450,17 @@ static int srv_parse_crl_file(char **arg

  99.  /* parse the "crt" server keyword */
  100.  static int srv_parse_crt(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
  101.  {
  102. -	int retval = -1;

  103. -	char *path = NULL;

  104. -

  105.  	if (!*args[*cur_arg + 1]) {
  106.  		memprintf(err, "'%s' : missing certificate file path", args[*cur_arg]);
  107.  		return ERR_ALERT | ERR_FATAL;
  108.  	}
  109.  
  110.  	if ((*args[*cur_arg + 1] != '/') && global_ssl.crt_base)
  111. -		memprintf(&path, "%s/%s", global_ssl.crt_base, args[*cur_arg + 1]);

  112. +		memprintf(&newsrv->ssl_ctx.client_crt, "%s/%s", global_ssl.crt_base, args[*cur_arg + 1]);

  113.  	else
  114. -		memprintf(&path, "%s", args[*cur_arg + 1]);

  115. -

  116. -	if (path) {

  117. -		retval = ssl_sock_load_srv_cert(path, newsrv, err);

  118. -		free(path);

  119. -	}

  120. +		memprintf(&newsrv->ssl_ctx.client_crt, "%s", args[*cur_arg + 1]);

  121.  
  122. -	return retval;

  123. +	return 0;

  124.  }
  125.  
  126.  /* parse the "no-check-ssl" server keyword */
  127. --- a/src/server.c

  128. +++ b/src/server.c

  129. @@ -2063,6 +2063,8 @@ static void srv_conn_src_cpy(struct serv

  130.  static void srv_ssl_settings_cpy(struct server *srv, struct server *src)
  131.  {
  132.  	/* <src> is the current proxy's default server and SSL is enabled */
  133. +	BUG_ON(src->ssl_ctx.ctx != NULL); /* the SSL_CTX must never be initialized in a default-server */

  134. +

  135.  	if (src == &srv->proxy->defsrv && src->use_ssl == 1)
  136.  		srv->flags |= SRV_F_DEFSRV_USE_SSL;
  137.  
  138. @@ -2070,10 +2072,11 @@ static void srv_ssl_settings_cpy(struct

  139.  		srv->ssl_ctx.ca_file = strdup(src->ssl_ctx.ca_file);
  140.  	if (src->ssl_ctx.crl_file != NULL)
  141.  		srv->ssl_ctx.crl_file = strdup(src->ssl_ctx.crl_file);
  142. +	if (src->ssl_ctx.client_crt != NULL)

  143. +		srv->ssl_ctx.client_crt = strdup(src->ssl_ctx.client_crt);

  144.  
  145.  	srv->ssl_ctx.verify = src->ssl_ctx.verify;
  146.  
  147. -	srv->ssl_ctx.ctx = src->ssl_ctx.ctx;

  148.  
  149.  	if (src->ssl_ctx.verify_host != NULL)
  150.  		srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host);
  151. --- a/src/ssl_sock.c

  152. +++ b/src/ssl_sock.c

  153. @@ -4669,7 +4669,7 @@ int ssl_sock_prepare_srv_ctx(struct serv

  154.  {
  155.  	struct proxy *curproxy = srv->proxy;
  156.  	int cfgerr = 0;
  157. -	SSL_CTX *ctx = srv->ssl_ctx.ctx;

  158. +	SSL_CTX *ctx;

  159.  
  160.  	/* Make sure openssl opens /dev/urandom before the chroot */
  161.  	if (!ssl_initialize_random()) {
  162. @@ -4693,6 +4693,26 @@ int ssl_sock_prepare_srv_ctx(struct serv

  163.  	if (srv->use_ssl == 1)
  164.  		srv->xprt = &ssl_sock;
  165.  
  166. +	if (srv->ssl_ctx.client_crt) {

  167. +		char *err = NULL;

  168. +		int err_code = 0;

  169. +

  170. +		/* If there is a crt keyword there, the SSL_CTX will be created here. */

  171. +		err_code = ssl_sock_load_srv_cert(srv->ssl_ctx.client_crt, srv, &err);

  172. +		if (err_code != ERR_NONE) {

  173. +			if ((err_code & ERR_WARN) && !(err_code & ERR_ALERT))

  174. +				ha_warning("%s", err);

  175. +			else

  176. +				ha_alert("%s", err);

  177. +

  178. +			if (err_code & (ERR_FATAL|ERR_ABORT))

  179. +				cfgerr++;

  180. +		}

  181. +		ha_free(&err);

  182. +	}

  183. +

  184. +	ctx = srv->ssl_ctx.ctx;

  185. +

  186.  	/* The context will be uninitialized if there wasn't any "cert" option
  187.  	 * in the server line. */
  188.  	if (!ctx) {