diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 71fa81d1d..cd37fc776 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=haproxy
-PKG_VERSION:=1.5.12
-PKG_RELEASE:=18
+PKG_VERSION:=1.5.13
+PKG_RELEASE:=00
 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_MD5SUM:=4b94b257f16d88c315716b062b22e48a
+PKG_MD5SUM:=30cf07875ecae4fd6c4c309627afa8f1
 PKG_MAINTAINER:=Thomas Heil
 PKG_LICENSE:=GPL-2.0
diff --git a/net/haproxy/patches/0001-BUG-MEDIUM-stats-properly-initialize-the-scope-befor.patch b/net/haproxy/patches/0001-BUG-MEDIUM-stats-properly-initialize-the-scope-befor.patch
deleted file mode 100644
index 4ae6c9a84..000000000
--- a/net/haproxy/patches/0001-BUG-MEDIUM-stats-properly-initialize-the-scope-befor.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 0aa5899911bbc765ba16ce52a80fa76230781779 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau
-Date: Mon, 4 May 2015 18:07:56 +0200
-Subject: [PATCH 1/2] BUG/MEDIUM: stats: properly initialize the scope before
- dumping stats
-
-Issuing a "show sess all" prior to a "show stat" on the CLI results in no
-proxy being dumped because the scope_len union member was not properly
-reinitialized.
-
-This fix must be backported into 1.5.
-(cherry picked from commit 6bcb95da5b9cb143088102b460c7bcb37c1b3d81)
---
- src/dumpstats.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/dumpstats.c b/src/dumpstats.c
-index b616478..ca084ac 100644
---- a/src/dumpstats.c
-+++ b/src/dumpstats.c
-@@ -1109,6 +1109,8 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line)
- arg++;
- }
- 
-+ appctx->ctx.stats.scope_str = 0;
-+ appctx->ctx.stats.scope_len = 0;
- appctx->ctx.stats.flags = 0;
- if (strcmp(args[0], "show") == 0) {
- if (strcmp(args[1], "stat") == 0) {
---
-2.0.5
-
diff --git a/net/haproxy/patches/0002-BUG-MEDIUM-http-don-t-forward-client-shutdown-withou.patch b/net/haproxy/patches/0002-BUG-MEDIUM-http-don-t-forward-client-shutdown-withou.patch
deleted file mode 100644
index 3875b8879..000000000
--- a/net/haproxy/patches/0002-BUG-MEDIUM-http-don-t-forward-client-shutdown-withou.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 294e4676a3b775a7accb50eb8428f293c218b5e2 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau
-Date: Mon, 11 May 2015 18:30:33 +0200
-Subject: [PATCH 2/2] BUG/MEDIUM: http: don't forward client shutdown without
- NOLINGER except for tunnels
-
-There's an issue related with shutting down POST transfers or closing the
-connection after the end of the upload : the shutdown is forwarded to the
-server regardless of the abortonclose option. The problem it causes is that
-during a scan, brute force or whatever, it becomes possible that all source
-ports are exhausted with all sockets in TIME_WAIT state.
-
-There are multiple issues at once in fact :
- - no action is done for the close, it automatically happens at the lower
- layers thanks for channel_auto_close(), so we cannot act on NOLINGER ;
-
- - we *do* want to continue to send a clean shutdown in tunnel mode because
- some protocols transported over HTTP may need this, regardless of option
- abortonclose, thus we can't set the option inconditionally
-
- - for all other modes, we do want to close the dirty way because we're
- certain whether we've sent everything or not, and we don't want to eat
- all source ports.
-
-The solution is a bit complex and applies to DONE/TUNNEL states :
-
- 1) disable automatic close for everything not a tunnel and not just
- keep-alive / server-close. Force-close is now covered, as is HTTP/1.0
- which implicitly works in force-close mode ;
-
- 2) when processing option abortonclose, we know we can disable lingering
- if the client has closed and the connection is not in tunnel mode.
-
-Since the last case above leads to a situation where the client side reports
-an error, we know the connection will not be reused, so leaving the flag on
-the stream-interface is safe. A client closing in the middle of the data
-transmission already aborts the transaction so this case is not a problem.
-
-This fix must be backported to 1.5 where the problem was detected.
-(cherry picked from commit bbfb6c40854925367ae5f9e8b22c5c9a18dc69d5)
---
- src/proto_http.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 0ac3a47..5db64b5 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -5452,9 +5452,10 @@ int http_request_forward_body(struct session *s, struct channel *req, int an_bit
- msg->sov -= msg->next;
- msg->next = 0;
- 
-- /* for keep-alive we don't want to forward closes on DONE */
-- if ((txn->flags & TX_CON_WANT_MSK) == TX_CON_WANT_KAL ||
-- (txn->flags & TX_CON_WANT_MSK) == TX_CON_WANT_SCL)
-+ /* we don't want to forward closes on DONE except in
-+ * tunnel mode.
-+ */
-+ if ((txn->flags & TX_CON_WANT_MSK) != TX_CON_WANT_TUN)
- channel_dont_close(req);
- if (http_resync_states(s)) {
- /* some state changes occurred, maybe the analyser
-@@ -5478,10 +5479,15 @@ int http_request_forward_body(struct session *s, struct channel *req, int an_bit
- * want to monitor the client's connection and forward
- * any shutdown notification to the server, which will
- * decide whether to close or to go on processing the
-- * request.
-+ * request. We only do that in tunnel mode, and not in
-+ * other modes since it can be abused to exhaust source
-+ * ports.
- */
- if (s->be->options & PR_O_ABRT_CLOSE) {
- channel_auto_read(req);
-+ if ((req->flags & (CF_SHUTR|CF_READ_NULL)) &&
-+ ((txn->flags & TX_CON_WANT_MSK) != TX_CON_WANT_TUN))
-+ s->si[1].flags |= SI_FL_NOLINGER;
- channel_auto_close(req);
- }
- else if (s->txn.meth == HTTP_METH_POST) {
---
-2.0.5
-
diff --git a/net/haproxy/patches/0003-BUG-MINOR-check-fix-tcpcheck-error-message.patch b/net/haproxy/patches/0003-BUG-MINOR-check-fix-tcpcheck-error-message.patch
deleted file mode 100644
index 9bb33119e..000000000
--- a/net/haproxy/patches/0003-BUG-MINOR-check-fix-tcpcheck-error-message.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 68e4fc2b9910dd090c5e729203b72444f75aaa75 Mon Sep 17 00:00:00 2001
-From: Baptiste Assmann
-Date: Fri, 1 May 2015 08:09:29 +0200
-Subject: [PATCH 3/8] BUG/MINOR: check: fix tcpcheck error message
-
-add the keyword 'string' when required (error in a tcpcheck expect
-string)
-(cherry picked from commit 96a5c9b57738c05ecce7822093b9c4118123dc1e)
---
- src/checks.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/checks.c b/src/checks.c
-index 71debb6..8b53f97 100644
---- a/src/checks.c
-+++ b/src/checks.c
-@@ -614,7 +614,7 @@ static void chk_report_conn_err(struct connection *conn, int errno_bck, int expi
- }
- else if (check->last_started_step && check->last_started_step->action == TCPCHK_ACT_EXPECT) {
- if (check->last_started_step->string)
-- chunk_appendf(chk, " (string '%s')", check->last_started_step->string);
-+ chunk_appendf(chk, " (expect string '%s')", check->last_started_step->string);
- else if (check->last_started_step->expect_regex)
- chunk_appendf(chk, " (expect regex)");
- }
---
-2.0.5
-
diff --git a/net/haproxy/patches/0004-CLEANUP-checks-fix-double-usage-of-cur-current_step-.patch b/net/haproxy/patches/0004-CLEANUP-checks-fix-double-usage-of-cur-current_step-.patch
deleted file mode 100644
index 6acba4e87..000000000
--- a/net/haproxy/patches/0004-CLEANUP-checks-fix-double-usage-of-cur-current_step-.patch
+++ /dev/null
@@ -1,178 +0,0 @@
-From 4f889006269e4d3f802de46f280ed198a15e3a69 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau
-Date: Wed, 13 May 2015 11:23:01 +0200
-Subject: [PATCH 4/8] CLEANUP: checks: fix double usage of cur / current_step
- in tcp-checks
-
-This cleanup is a preliminary requirement to the upcoming fixes for
-the bug that affect tcp-check's improper use of lists. It will have
-to be backported to 1.5 though it will not easily apply.
-
-There are two variables pointing to the current rule within the loop,
-and either one or the other is used depending on the code blocks,
-making it much harder to apply checks to fix the list walking bug.
-So first get rid of "cur" and only focus on current_step.
-(cherry picked from commit ce8c42a37a44a1e0cb94e81abb7cc2baf3d0ef80)
-
-[wt: 1.5 doesn't have comments so this patch differs significantly
- from 1.6, but it's needed for the next batch of fixes]
---
- src/checks.c | 57 ++++++++++++++++++++++++++++-----------------------------
- 1 file changed, 28 insertions(+), 29 deletions(-)
-
-diff --git a/src/checks.c b/src/checks.c
-index 8b53f97..cfdfe8c 100644
---- a/src/checks.c
-+++ b/src/checks.c
-@@ -1859,7 +1859,7 @@ static int tcpcheck_get_step_id(struct server *s)
- static void tcpcheck_main(struct connection *conn)
- {
- char *contentptr;
-- struct tcpcheck_rule *cur, *next;
-+ struct tcpcheck_rule *next;
- int done = 0, ret = 0;
- struct check *check = conn->owner;
- struct server *s = check->server;
-@@ -1916,15 +1916,11 @@ static void tcpcheck_main(struct connection *conn)
- check->bo->o = 0;
- check->bi->p = check->bi->data;
- check->bi->i = 0;
-- cur = check->current_step = LIST_ELEM(head->n, struct tcpcheck_rule *, list);
-+ check->current_step = LIST_ELEM(head->n, struct tcpcheck_rule *, list);
- t->expire = tick_add(now_ms, MS_TO_TICKS(check->inter));
- if (s->proxy->timeout.check)
- t->expire = tick_add_ifset(now_ms, s->proxy->timeout.check);
- }
-- /* keep on processing step */
-- else {
-- cur = check->current_step;
-- }
- 
- /* It's only the rules which will enable send/recv */
- __conn_data_stop_both(conn);
-@@ -1934,7 +1930,7 @@ static void tcpcheck_main(struct connection *conn)
- * or if we're about to send a string that does not fit in the remaining space.
- */
- if (check->bo->o &&
-- (&cur->list == head ||
-+ (&check->current_step->list == head ||
- check->current_step->action != TCPCHK_ACT_SEND ||
- check->current_step->string_len >= buffer_total_space(check->bo))) {
- 
-@@ -1949,14 +1945,17 @@ static void tcpcheck_main(struct connection *conn)
- }
- 
- /* did we reach the end ? If so, let's check that everything was sent */
-- if (&cur->list == head) {
-+ if (&check->current_step->list == head) {
- if (check->bo->o)
- goto out_need_io;
- break;
- }
- 
-- /* have 'next' point to the next rule or NULL if we're on the last one */
-- next = (struct tcpcheck_rule *)cur->list.n;
-+ /* have 'next' point to the next rule or NULL if we're on the
-+ * last one, connect() needs this.
-+ */
-+ next = (struct tcpcheck_rule *)check->current_step->list.n;
-+
- if (&next->list == head)
- next = NULL;
- 
-@@ -2058,8 +2057,7 @@ static void tcpcheck_main(struct connection *conn)
- }
- 
- /* allow next rule */
-- cur = (struct tcpcheck_rule *)cur->list.n;
-- check->current_step = cur;
-+ check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
- 
- /* don't do anything until the connection is established */
- if (!(conn->flags & CO_FL_CONNECTED)) {
-@@ -2113,8 +2111,7 @@ static void tcpcheck_main(struct connection *conn)
- *check->bo->p = '\0'; /* to make gdb output easier to read */
- 
- /* go to next rule and try to send */
-- cur = (struct tcpcheck_rule *)cur->list.n;
-- check->current_step = cur;
-+ check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
- } /* end 'send' */
- else if (check->current_step->action == TCPCHK_ACT_EXPECT) {
- if (unlikely(check->result == CHK_RES_FAILED))
-@@ -2167,14 +2164,14 @@ static void tcpcheck_main(struct connection *conn)
- goto out_end_tcpcheck;
- }
- 
-- if (!done && (cur->string != NULL) && (check->bi->i < cur->string_len) )
-+ if (!done && (check->current_step->string != NULL) && (check->bi->i < check->current_step->string_len) )
- continue; /* try to read more */
- 
- tcpcheck_expect:
-- if (cur->string != NULL)
-- ret = my_memmem(contentptr, check->bi->i, cur->string, cur->string_len) != NULL;
-- else if (cur->expect_regex != NULL)
-- ret = regex_exec(cur->expect_regex, contentptr);
-+ if (check->current_step->string != NULL)
-+ ret = my_memmem(contentptr, check->bi->i, check->current_step->string, check->current_step->string_len) != NULL;
-+ else if (check->current_step->expect_regex != NULL)
-+ ret = regex_exec(check->current_step->expect_regex, contentptr);
- 
- if (!ret && !done)
- continue; /* try to read more */
-@@ -2182,11 +2179,11 @@ static void tcpcheck_main(struct connection *conn)
- /* matched */
- if (ret) {
- /* matched but we did not want to => ERROR */
-- if (cur->inverse) {
-+ if (check->current_step->inverse) {
- /* we were looking for a string */
-- if (cur->string != NULL) {
-+ if (check->current_step->string != NULL) {
- chunk_printf(&trash, "TCPCHK matched unwanted content '%s' at step %d",
-- cur->string, tcpcheck_get_step_id(s));
-+ check->current_step->string, tcpcheck_get_step_id(s));
- }
- else {
- /* we were looking for a regex */
-@@ -2198,8 +2195,9 @@ static void tcpcheck_main(struct connection *conn)
- }
- /* matched and was supposed to => OK, next step */
- else {
-- cur = (struct tcpcheck_rule*)cur->list.n;
-- check->current_step = cur;
-+ /* allow next rule */
-+ check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
-+
- if (check->current_step->action == TCPCHK_ACT_EXPECT)
- goto tcpcheck_expect;
- __conn_data_stop_recv(conn);
-@@ -2208,9 +2206,10 @@ static void tcpcheck_main(struct connection *conn)
- else {
- /* not matched */
- /* not matched and was not supposed to => OK, next step */
-- if (cur->inverse) {
-- cur = (struct tcpcheck_rule*)cur->list.n;
-- check->current_step = cur;
-+ if (check->current_step->inverse) {
-+ /* allow next rule */
-+ check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
-+
- if (check->current_step->action == TCPCHK_ACT_EXPECT)
- goto tcpcheck_expect;
- __conn_data_stop_recv(conn);
-@@ -2218,9 +2217,9 @@ static void tcpcheck_main(struct connection *conn)
- /* not matched but was supposed to => ERROR */
- else {
- /* we were looking for a string */
-- if (cur->string != NULL) {
-+ if (check->current_step->string != NULL) {
- chunk_printf(&trash, "TCPCHK did not match content '%s' at step %d",
-- cur->string, tcpcheck_get_step_id(s));
-+ check->current_step->string, tcpcheck_get_step_id(s));
- }
- else {
- /* we were looking for a regex */
---
-2.0.5
-
diff --git a/net/haproxy/patches/0005-BUG-MEDIUM-checks-do-not-dereference-head-of-a-tcp-c.patch b/net/haproxy/patches/0005-BUG-MEDIUM-checks-do-not-dereference-head-of-a-tcp-c.patch
deleted file mode 100644
index f4bc68315..000000000
--- a/net/haproxy/patches/0005-BUG-MEDIUM-checks-do-not-dereference-head-of-a-tcp-c.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From b94a6d5a37499ce6649ad58f4a8c4664779abd8b Mon Sep 17 00:00:00 2001
-From: Willy Tarreau
-Date: Wed, 13 May 2015 11:38:17 +0200
-Subject: [PATCH 5/8] BUG/MEDIUM: checks: do not dereference head of a
- tcp-check at the end
-
-When the end of the list is reached, the current step's action is checked
-to know if we must poll or not. Unfortunately, the main reason for going
-there is that we walked past the end of list and current_step points to
-the head. We cannot dereference ->action since it does not belong to this
-structure and can definitely crash if the address is not mapped.
-
-This bug is unlikely to cause a crash since the action appears just after
-the list, and corresponds to the "char *check_req" pointer in the proxy
-struct, and it seems that we can't go there with current_step being null.
-At worst it can cause the check to register for recv events.
-
-This fix needs to be backported to 1.5 since the code is incorrect there
-as well.
-(cherry picked from commit 53c5a049e1f4dbf67412472e23690dc6b3c8d0f8)
---
- src/checks.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/checks.c b/src/checks.c
-index cfdfe8c..a887be1 100644
---- a/src/checks.c
-+++ b/src/checks.c
-@@ -2237,10 +2237,12 @@ static void tcpcheck_main(struct connection *conn)
- goto out_end_tcpcheck;
- 
- out_need_io:
-+ /* warning, current_step may now point to the head */
- if (check->bo->o)
- __conn_data_want_send(conn);
- 
-- if (check->current_step->action == TCPCHK_ACT_EXPECT)
-+ if (&check->current_step->list != head &&
-+ check->current_step->action == TCPCHK_ACT_EXPECT)
- __conn_data_want_recv(conn);
- return;
- 
-@@ -2256,7 +2258,6 @@ static void tcpcheck_main(struct connection *conn)
- conn->flags |= CO_FL_ERROR;
- 
- __conn_data_stop_both(conn);
--
- return;
- }
- 
---
-2.0.5
-
diff --git a/net/haproxy/patches/0006-CLEANUP-checks-simplify-the-loop-processing-of-tcp-c.patch b/net/haproxy/patches/0006-CLEANUP-checks-simplify-the-loop-processing-of-tcp-c.patch
deleted file mode 100644
index 45ba96022..000000000
--- a/net/haproxy/patches/0006-CLEANUP-checks-simplify-the-loop-processing-of-tcp-c.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From ebb2bceb34d7787453548627ed0e99c60354672b Mon Sep 17 00:00:00 2001
-From: Willy Tarreau
-Date: Wed, 13 May 2015 11:59:14 +0200
-Subject: [PATCH 6/8] CLEANUP: checks: simplify the loop processing of
- tcp-checks
-
-There is some unobvious redundancy between the various ways we can leave
-the loop. Some of them can be factored out. So now we leave the loop when
-we can't go further, whether it's caused by reaching the end of the rules
-or by a blocking I/O.
-(cherry picked from commit 263013d031d754c9f96de0d0cb5afcc011af6441)
-[wt: this patch is required for the next fix]
---
- src/checks.c | 26 ++++++++++++++------------
- 1 file changed, 14 insertions(+), 12 deletions(-)
-
-diff --git a/src/checks.c b/src/checks.c
-index a887be1..a0c42f2 100644
---- a/src/checks.c
-+++ b/src/checks.c
-@@ -1926,8 +1926,10 @@ static void tcpcheck_main(struct connection *conn)
- __conn_data_stop_both(conn);
- 
- while (1) {
-- /* we have to try to flush the output buffer before reading, at the end,
-- * or if we're about to send a string that does not fit in the remaining space.
-+ /* We have to try to flush the output buffer before reading, at
-+ * the end, or if we're about to send a string that does not fit
-+ * in the remaining space. That explains why we break out of the
-+ * loop after this control.
- */
- if (check->bo->o &&
- (&check->current_step->list == head ||
-@@ -1940,16 +1942,12 @@ static void tcpcheck_main(struct connection *conn)
- __conn_data_stop_both(conn);
- goto out_end_tcpcheck;
- }
-- goto out_need_io;
-+ break;
- }
- }
- 
-- /* did we reach the end ? If so, let's check that everything was sent */
-- if (&check->current_step->list == head) {
-- if (check->bo->o)
-- goto out_need_io;
-+ if (&check->current_step->list == head)
- break;
-- }
- 
- /* have 'next' point to the next rule or NULL if we're on the
- * last one, connect() needs this.
-@@ -2131,7 +2129,7 @@ static void tcpcheck_main(struct connection *conn)
- }
- }
- else
-- goto out_need_io;
-+ break;
- }
- 
- /* mark the step as started */
-@@ -2233,10 +2231,14 @@ static void tcpcheck_main(struct connection *conn)
- } /* end expect */
- } /* end loop over double chained step list */
- 
-- set_server_check_status(check, HCHK_STATUS_L7OKD, "(tcp-check)");
-- goto out_end_tcpcheck;
-+ /* We're waiting for some I/O to complete, we've reached the end of the
-+ * rules, or both. Do what we have to do, otherwise we're done.
-+ */
-+ if (&check->current_step->list == head && !check->bo->o) {
-+ set_server_check_status(check, HCHK_STATUS_L7OKD, "(tcp-check)");
-+ goto out_end_tcpcheck;
-+ }
- 
-- out_need_io:
- /* warning, current_step may now point to the head */
- if (check->bo->o)
- __conn_data_want_send(conn);
---
-2.0.5
-
diff --git a/net/haproxy/patches/0007-BUG-MAJOR-checks-always-check-for-end-of-list-before.patch b/net/haproxy/patches/0007-BUG-MAJOR-checks-always-check-for-end-of-list-before.patch
deleted file mode 100644
index 7c2d562f3..000000000
--- a/net/haproxy/patches/0007-BUG-MAJOR-checks-always-check-for-end-of-list-before.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 97fccc87f1297d189ee80735e5b8746c34956eda Mon Sep 17 00:00:00 2001
-From: Willy Tarreau
-Date: Wed, 13 May 2015 12:08:21 +0200
-Subject: [PATCH 7/8] BUG/MAJOR: checks: always check for end of list before
- proceeding
-
-This is the most important fix of this series. There's a risk of endless
-loop and crashes caused by the fact that we go past the head of the list
-when skipping to next rule, without checking if it's still a valid element.
-Most of the time, the ->action field is checked, which points to the proxy's
-check_req pointer (generally NULL), meaning the element is confused with a
-TCPCHK_ACT_SEND action.
-
-The situation was accidently made worse with the addition of tcp-check
-comment since it also skips list elements. However, since the action that
-makes it go forward is TCPCHK_ACT_COMMENT (3), there's little chance to
-see this as a valid pointer, except on 64-bit machines where it can match
-the end of a check_req string pointer.
-
-This fix heavily depends on previous cleanup and both must be backported
-to 1.5 where the bug is present.
-(cherry picked from commit f2c87353a7f8160930b5f342bb6d6ad0991ee3d1)
-[wt: this patch differs significantly from 1.6 since we don't have comments]
---
- src/cfgparse.c | 4 +++-
- src/checks.c | 12 ++++++++++++
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index 746c7eb..dba59d1 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -4368,7 +4368,9 @@ stats_error_parsing:
- l = (struct list *)&curproxy->tcpcheck_rules;
- if (l->p != l->n) {
- tcpcheck = (struct tcpcheck_rule *)l->n;
-- if (tcpcheck && tcpcheck->action != TCPCHK_ACT_CONNECT) {
-+
-+ if (&tcpcheck->list != &curproxy->tcpcheck_rules
-+ && tcpcheck->action != TCPCHK_ACT_CONNECT) {
- Alert("parsing [%s:%d] : first step MUST also be a 'connect' when there is a 'connect' step in the tcp-check ruleset.\n",
- file, linenum);
- err_code |= ERR_ALERT | ERR_FATAL;
-diff --git a/src/checks.c b/src/checks.c
-index a0c42f2..e13d561 100644
---- a/src/checks.c
-+++ b/src/checks.c
-@@ -2057,6 +2057,9 @@ static void tcpcheck_main(struct connection *conn)
- /* allow next rule */
- check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
- 
-+ if (&check->current_step->list == head)
-+ break;
-+
- /* don't do anything until the connection is established */
- if (!(conn->flags & CO_FL_CONNECTED)) {
- /* update expire time, should be done by process_chk */
-@@ -2110,6 +2113,9 @@ static void tcpcheck_main(struct connection *conn)
- 
- /* go to next rule and try to send */
- check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
-+
-+ if (&check->current_step->list == head)
-+ break;
- } /* end 'send' */
- else if (check->current_step->action == TCPCHK_ACT_EXPECT) {
- if (unlikely(check->result == CHK_RES_FAILED))
-@@ -2196,6 +2202,9 @@ static void tcpcheck_main(struct connection *conn)
- /* allow next rule */
- check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
- 
-+ if (&check->current_step->list == head)
-+ break;
-+
- if (check->current_step->action == TCPCHK_ACT_EXPECT)
- goto tcpcheck_expect;
- __conn_data_stop_recv(conn);
-@@ -2208,6 +2217,9 @@ static void tcpcheck_main(struct connection *conn)
- /* allow next rule */
- check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
- 
-+ if (&check->current_step->list == head)
-+ break;
-+
- if (check->current_step->action == TCPCHK_ACT_EXPECT)
- goto tcpcheck_expect;
- __conn_data_stop_recv(conn);
---
-2.0.5
-
diff --git a/net/haproxy/patches/0008-BUG-MEDIUM-checks-do-not-dereference-a-list-as-a-tcp.patch b/net/haproxy/patches/0008-BUG-MEDIUM-checks-do-not-dereference-a-list-as-a-tcp.patch
deleted file mode 100644
index 454026097..000000000
--- a/net/haproxy/patches/0008-BUG-MEDIUM-checks-do-not-dereference-a-list-as-a-tcp.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 5bff05986c501d9ffb67873b60472f9c2a2e41be Mon Sep 17 00:00:00 2001
-From: Willy Tarreau
-Date: Wed, 13 May 2015 12:24:53 +0200
-Subject: [PATCH 8/8] BUG/MEDIUM: checks: do not dereference a list as a
- tcpcheck struct
-
-The method used to skip to next rule in the list is wrong, it assumes
-that the list element starts at the same offset as the rule. It happens
-to be true on most architectures since the list is the first element for
-now but it's definitely wrong. Now the code doesn't crash anymore when
-the struct list is moved anywhere else in the struct tcpcheck_rule.
-
-This fix must be backported to 1.5.
-(cherry picked from commit 5581c27b579cbfc53afb0ca04cdeebe7e2200131)
-[wt: changes from 1.6 : no tcp-check comments, check becomes s->proxy]
---
- src/cfgparse.c | 18 +++++++-----------
- src/checks.c | 15 +++++++++------
- 2 files changed, 16 insertions(+), 17 deletions(-)
-
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index dba59d1..e04eff8 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -4362,20 +4362,16 @@ stats_error_parsing:
- const char *ptr_arg;
- int cur_arg;
- struct tcpcheck_rule *tcpcheck;
-- struct list *l;
- 
- /* check if first rule is also a 'connect' action */
-- l = (struct list *)&curproxy->tcpcheck_rules;
-- if (l->p != l->n) {
-- tcpcheck = (struct tcpcheck_rule *)l->n;
-+ tcpcheck = LIST_NEXT(&curproxy->tcpcheck_rules, struct tcpcheck_rule *, list);
- 
-- if (&tcpcheck->list != &curproxy->tcpcheck_rules
-- && tcpcheck->action != TCPCHK_ACT_CONNECT) {
-- Alert("parsing [%s:%d] : first step MUST also be a 'connect' when there is a 'connect' step in the tcp-check ruleset.\n",
-- file, linenum);
-- err_code |= ERR_ALERT | ERR_FATAL;
-- goto out;
-- }
-+ if (&tcpcheck->list != &curproxy->tcpcheck_rules
-+ && tcpcheck->action != TCPCHK_ACT_CONNECT) {
-+ Alert("parsing [%s:%d] : first step MUST also be a 'connect' when there is a 'connect' step in the tcp-check ruleset.\n",
-+ file, linenum);
-+ err_code |= ERR_ALERT | ERR_FATAL;
-+ goto out;
- }
- 
- cur_arg = 2;
-diff --git a/src/checks.c b/src/checks.c
-index e13d561..27a23b2 100644
---- a/src/checks.c
-+++ b/src/checks.c
-@@ -1444,7 +1444,10 @@ static int connect_chk(struct task *t)
- quickack = check->type == 0 || check->type == PR_O2_TCPCHK_CHK;
- 
- if (check->type == PR_O2_TCPCHK_CHK && !LIST_ISEMPTY(&s->proxy->tcpcheck_rules)) {
-- struct tcpcheck_rule *r = (struct tcpcheck_rule *) s->proxy->tcpcheck_rules.n;
-+ struct tcpcheck_rule *r;
-+
-+ r = LIST_NEXT(&s->proxy->tcpcheck_rules, struct tcpcheck_rule *, list);
-+
- /* if first step is a 'connect', then tcpcheck_main must run it */
- if (r->action == TCPCHK_ACT_CONNECT) {
- tcpcheck_main(conn);
-@@ -1952,7 +1955,7 @@ static void tcpcheck_main(struct connection *conn)
- /* have 'next' point to the next rule or NULL if we're on the
- * last one, connect() needs this.
- */
-- next = (struct tcpcheck_rule *)check->current_step->list.n;
-+ next = LIST_NEXT(&check->current_step->list, struct tcpcheck_rule *, list);
- 
- if (&next->list == head)
- next = NULL;
-@@ -2055,7 +2058,7 @@ static void tcpcheck_main(struct connection *conn)
- }
- 
- /* allow next rule */
-- check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
-+ check->current_step = LIST_NEXT(&check->current_step->list, struct tcpcheck_rule *, list);
- 
- if (&check->current_step->list == head)
- break;
-@@ -2112,7 +2115,7 @@ static void tcpcheck_main(struct connection *conn)
- *check->bo->p = '\0'; /* to make gdb output easier to read */
- 
- /* go to next rule and try to send */
-- check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
-+ check->current_step = LIST_NEXT(&check->current_step->list, struct tcpcheck_rule *, list);
- 
- if (&check->current_step->list == head)
- break;
-@@ -2200,7 +2203,7 @@ static void tcpcheck_main(struct connection *conn)
- /* matched and was supposed to => OK, next step */
- else {
- /* allow next rule */
-- check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
-+ check->current_step = LIST_NEXT(&check->current_step->list, struct tcpcheck_rule *, list);
- 
- if (&check->current_step->list == head)
- break;
-@@ -2215,7 +2218,7 @@ static void tcpcheck_main(struct connection *conn)
- /* not matched and was not supposed to => OK, next step */
- if (check->current_step->inverse) {
- /* allow next rule */
-- check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
-+ check->current_step = LIST_NEXT(&check->current_step->list, struct tcpcheck_rule *, list);
- 
- if (&check->current_step->list == head)
- break;
---
-2.0.5
-
diff --git a/net/haproxy/patches/0009-BUG-MEDIUM-peers-apply-a-random-reconnection-timeout.patch b/net/haproxy/patches/0009-BUG-MEDIUM-peers-apply-a-random-reconnection-timeout.patch
deleted file mode 100644
index 96aa743aa..000000000
--- a/net/haproxy/patches/0009-BUG-MEDIUM-peers-apply-a-random-reconnection-timeout.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 76a06b2804bcdba0fb2c19f834bdb511ce3cf344 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau
-Date: Wed, 20 May 2015 10:39:04 +0200
-Subject: [PATCH 09/10] BUG/MEDIUM: peers: apply a random reconnection timeout
-
-Commit 9ff95bb ("BUG/MEDIUM: peers: correctly configure the client timeout")
-uncovered an old bug in the peers : upon disconnect, we reconnect immediately.
-This sometimes results in both ends to do the same thing in parallel causing
-a loop of connect/accept/close/close that can last several seconds. The risk
-of occurrence of the trouble increases with latency, and is emphasized by the
-fact that idle connections are now frequently recycled (after 5s of idle).
-
-In order to avoid this we must apply a random delay before reconnecting.
-Fortunately the mechanism already supports a reconnect delay, so here we
-compute the random timeout when killing a session. The delay is 50ms plus
-a random between 0 and 2 seconds. Ideally an exponential back-off would
-be preferred but it's preferable to keep the fix simple.
-
-This bug was reported by Marco Corte.
-
-This fix must be backported to 1.5 since the fix above was backported into
-1.5.12.
-(cherry picked from commit b4e34da692d8a7f6837ad16b3389f5830dbc11d2)
---
- src/peers.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/src/peers.c b/src/peers.c
-index b196d88..159f0a4 100644
---- a/src/peers.c
-+++ b/src/peers.c
-@@ -1063,6 +1063,7 @@ static void peer_session_forceshutdown(struct session * session)
- {
- struct stream_interface *oldsi = NULL;
- struct appctx *appctx = NULL;
-+ struct peer_session *ps;
- int i;
- 
- for (i = 0; i <= 1; i++) {
-@@ -1079,6 +1080,14 @@ static void peer_session_forceshutdown(struct session * session)
- if (!appctx)
- return;
- 
-+ ps = (struct peer_session *)appctx->ctx.peers.ptr;
-+ /* we're killing a connection, we must apply a random delay before
-+ * retrying otherwise the other end will do the same and we can loop
-+ * for a while.
-+ */
-+ if (ps)
-+ ps->reconnect = tick_add(now_ms, MS_TO_TICKS(50 + random() % 2000));
-+
- /* call release to reinit resync states if needed */
- peer_session_release(oldsi);
- appctx->st0 = PEER_SESS_ST_END;
-@@ -1352,8 +1361,8 @@ static struct task *process_peer_sync(struct task * task)
- if (!ps->session) {
- /* no active session */
- if (ps->statuscode == 0 ||
-- ps->statuscode == PEER_SESS_SC_SUCCESSCODE ||
- ((ps->statuscode == PEER_SESS_SC_CONNECTCODE ||
-+ ps->statuscode == PEER_SESS_SC_SUCCESSCODE ||
- ps->statuscode == PEER_SESS_SC_CONNECTEDCODE) &&
- tick_is_expired(ps->reconnect, now_ms))) {
- /* connection never tried
-@@ -1364,8 +1373,7 @@ static struct task *process_peer_sync(struct task * task)
- /* retry a connect */
- ps->session = peer_session_create(ps->peer, ps);
- }
-- else if (ps->statuscode == PEER_SESS_SC_CONNECTCODE ||
-- ps->statuscode == PEER_SESS_SC_CONNECTEDCODE) {
-+ else if (!tick_is_expired(ps->reconnect, now_ms)) {
- /* If previous session failed during connection
- * but reconnection timer is not expired */
- 
---
-2.0.5
-
diff --git a/net/haproxy/patches/0010-DOC-Update-doc-about-weight-act-and-bck-fields-in-th.patch b/net/haproxy/patches/0010-DOC-Update-doc-about-weight-act-and-bck-fields-in-th.patch
deleted file mode 100644
index 563ed64b8..000000000
--- a/net/haproxy/patches/0010-DOC-Update-doc-about-weight-act-and-bck-fields-in-th.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From ac372e18c422841a9f1197b4238637c470e8edca Mon Sep 17 00:00:00 2001
-From: Pavlos Parissis
-Date: Sat, 2 May 2015 20:30:44 +0200
-Subject: [PATCH 10/10] DOC: Update doc about weight, act and bck fields in the
- statistics
-
-Reorder description of the mentioned fields in order to match the
-order of types
-(cherry picked from commit 1f673c72c11d011bbd24e309d3155384eddf7a46)
---
- doc/configuration.txt | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index a9d497e..6f5eeb1 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -13240,9 +13240,9 @@ S (Servers).
- server. The server value counts the number of times that server was
- switched away from.
- 17. status [LFBS]: status (UP/DOWN/NOLB/MAINT/MAINT(via)...)
-- 18. weight [..BS]: server weight (server), total weight (backend)
-- 19. act [..BS]: server is active (server), number of active servers (backend)
-- 20. bck [..BS]: server is backup (server), number of backup servers (backend)
-+ 18. weight [..BS]: total weight (backend), server weight (server)
-+ 19. act [..BS]: number of active servers (backend), server is active (server)
-+ 20. bck [..BS]: number of backup servers (backend), server is backup (server)
- 21. chkfail [...S]: number of failed checks. (Only counts checks failed when
- the server is up.)
- 22. chkdown [..BS]: number of UP->DOWN transitions. The backend counter counts
---
-2.0.5
-
diff --git a/net/haproxy/patches/0011-MINOR-ssl-add-a-destructor-to-free-allocated-SSL-res.patch b/net/haproxy/patches/0011-MINOR-ssl-add-a-destructor-to-free-allocated-SSL-res.patch
deleted file mode 100644
index 86be3b965..000000000
--- a/net/haproxy/patches/0011-MINOR-ssl-add-a-destructor-to-free-allocated-SSL-res.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 269a02fbb332da8faf6c2a614d45d5b5018816d1 Mon Sep 17 00:00:00 2001
-From: Remi Gacogne
-Date: Thu, 28 May 2015 16:39:47 +0200
-Subject: [PATCH 11/14] MINOR: ssl: add a destructor to free allocated SSL
- ressources
-
-Using valgrind or another memory leak tracking tool is easier
-when the memory internally allocated by OpenSSL is cleanly released
-at shutdown.
-(cherry picked from commit d3a23c3eb8c0950d26204568a133207099923494)
---
- src/ssl_sock.c | 36 ++++++++++++++++++++++++++++++++++++
- 1 file changed, 36 insertions(+)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index d0f4d01..a78fc6a 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -4717,6 +4717,42 @@ static void __ssl_sock_init(void)
- cfg_register_keywords(&cfg_kws);
- }
- 
-+__attribute__((destructor))
-+static void __ssl_sock_deinit(void)
-+{
-+#ifndef OPENSSL_NO_DH
-+ if (local_dh_1024) {
-+ DH_free(local_dh_1024);
-+ local_dh_1024 = NULL;
-+ }
-+
-+ if (local_dh_2048) {
-+ DH_free(local_dh_2048);
-+ local_dh_2048 = NULL;
-+ }
-+
-+ if (local_dh_4096) {
-+ DH_free(local_dh_4096);
-+ local_dh_4096 = NULL;
-+ }
-+
-+ if (local_dh_8192) {
-+ DH_free(local_dh_8192);
-+ local_dh_8192 = NULL;
-+ }
-+#endif
-+
-+ ERR_remove_state(0);
-+ ERR_free_strings();
-+
-+ EVP_cleanup();
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-+ CRYPTO_cleanup_all_ex_data();
-+#endif
-+}
-+
-+
- /*
- * Local variables:
- * c-indent-level: 8
---
-2.0.5
-
diff --git a/net/haproxy/patches/0012-BUG-MEDIUM-ssl-fix-tune.ssl.default-dh-param-value-b.patch b/net/haproxy/patches/0012-BUG-MEDIUM-ssl-fix-tune.ssl.default-dh-param-value-b.patch
deleted file mode 100644
index 37600c8a2..000000000
--- a/net/haproxy/patches/0012-BUG-MEDIUM-ssl-fix-tune.ssl.default-dh-param-value-b.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 5d769ca828fdb055052b3dbc232864bdf2853c9f Mon Sep 17 00:00:00 2001
-From: Remi Gacogne
-Date: Thu, 28 May 2015 16:23:00 +0200
-Subject: [PATCH 12/14] BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value
- being overwritten
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Hervé Commowick reported that the logic used to avoid complaining about
-ssl-default-dh-param not being set when static DH params are present
-in the certificate file was clearly wrong when more than one sni_ctx
-is used.
-This patch stores whether static DH params are being used for each
-SSL_CTX individually, and does not overwrite the value of
-tune.ssl.default-dh-param.
-(cherry picked from commit 4f902b88323927c9d25d391a809e3678ac31df41)
----
- src/ssl_sock.c | 28 +++++++++++++++++++++++-----
- 1 file changed, 23 insertions(+), 5 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index a78fc6a..0f7819b 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -47,6 +47,9 @@
- #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
- #include
- #endif
-+#ifndef OPENSSL_NO_DH
-+#include
-+#endif
-
- #include
- #include
-@@ -107,6 +110,7 @@ int sslconns = 0;
- int totalsslconns = 0;
-
- #ifndef OPENSSL_NO_DH
-+static int ssl_dh_ptr_index = -1;
- static DH *local_dh_1024 = NULL;
- static DH *local_dh_2048 = NULL;
- static DH *local_dh_4096 = NULL;
-@@ -1076,10 +1080,12 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
- if (dh) {
- ret = 1;
- SSL_CTX_set_tmp_dh(ctx, dh);
-- /* Setting ssl default dh param to the size of the static DH params
-- found in the file. This way we know that there is no use
-- complaining later about ssl-default-dh-param not being set.
*/
-- global.tune.ssl_default_dh_param = DH_size(dh) * 8;
-+
-+ if (ssl_dh_ptr_index >= 0) {
-+ /* store a pointer to the DH params to avoid complaining about
-+ ssl-default-dh-param not being set for this SSL_CTX */
-+ SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, dh);
-+ }
- }
- else {
- /* Clear openssl global errors stack */
-@@ -1274,6 +1280,12 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
- * the tree, so it will be discovered and cleaned in time.
- */
- #ifndef OPENSSL_NO_DH
-+ /* store a NULL pointer to indicate we have not yet loaded
-+ a custom DH param file */
-+ if (ssl_dh_ptr_index >= 0) {
-+ SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL);
-+ }
-+
- ret = ssl_sock_load_dh_params(ctx, path);
- if (ret < 0) {
- if (err)
-@@ -1593,7 +1605,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
-
- /* If tune.ssl.default-dh-param has not been set and
- no static DH params were in the certificate file. */
-- if (global.tune.ssl_default_dh_param == 0) {
-+ if (global.tune.ssl_default_dh_param == 0 &&
-+ (ssl_dh_ptr_index == -1 ||
-+ SSL_CTX_get_ex_data(ctx, ssl_dh_ptr_index) == NULL)) {
- ciphers = ctx->cipher_list;
-
- if (ciphers) {
-@@ -4715,6 +4729,10 @@ static void __ssl_sock_init(void)
- bind_register_keywords(&bind_kws);
- srv_register_keywords(&srv_kws);
- cfg_register_keywords(&cfg_kws);
-+
-+#ifndef OPENSSL_NO_DH
-+ ssl_dh_ptr_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
-+#endif
- }
-
- __attribute__((destructor))
--- 
-2.0.5
-
diff --git a/net/haproxy/patches/0013-BUG-MINOR-cfgparse-fix-typo-in-option-httplog-error-.patch b/net/haproxy/patches/0013-BUG-MINOR-cfgparse-fix-typo-in-option-httplog-error-.patch
deleted file mode 100644
index d09f18df5..000000000
--- a/net/haproxy/patches/0013-BUG-MINOR-cfgparse-fix-typo-in-option-httplog-error-.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 629b1c000b26f0031246b9b529680b275a14118f Mon Sep 17 00:00:00 2001
-From: William Lallemand
-Date: Thu, 28 May 2015 18:02:48 +0200
-Subject: [PATCH 13/14] BUG/MINOR: cfgparse: fix typo in 'option httplog' error
- message
-
-The error message was displaying the wrong argument when 'option
-httplog' took a wrong argument.
-(cherry picked from commit 77063bc0c6ceb4257c4e2c08411811ecc48be1aa)
----
- src/cfgparse.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index e04eff8..3c3383d 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -3792,7 +3792,7 @@ stats_error_parsing:
- curproxy->options2 |= PR_O2_CLFLOG;
- logformat = clf_http_log_format;
- } else {
-- Alert("parsing [%s:%d] : keyword '%s' only supports option 'clf'.\n", file, linenum, args[2]);
-+ Alert("parsing [%s:%d] : keyword '%s' only supports option 'clf'.\n", file, linenum, args[1]);
- err_code |= ERR_ALERT | ERR_FATAL;
- goto out;
- }
--- 
-2.0.5
-
diff --git a/net/haproxy/patches/0014-BUG-MEDIUM-cfgparse-segfault-when-userlist-is-misuse.patch b/net/haproxy/patches/0014-BUG-MEDIUM-cfgparse-segfault-when-userlist-is-misuse.patch
deleted file mode 100644
index 329505b7b..000000000
--- a/net/haproxy/patches/0014-BUG-MEDIUM-cfgparse-segfault-when-userlist-is-misuse.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From faf3315f77c527e6e1d027deb7e853cdf6af5858 Mon Sep 17 00:00:00 2001
-From: William Lallemand
-Date: Thu, 28 May 2015 18:03:51 +0200
-Subject: [PATCH 14/14] BUG/MEDIUM: cfgparse: segfault when userlist is misused
-
-If the 'userlist' keyword parsing returns an error and no userlist were
-previously created. The parsing of 'user' and 'group' leads to NULL
-derefence.
-
-The userlist pointer is now tested to prevent this issue.
-(cherry picked from commit 4ac9f546120d42be8147e3d90588e7b9738af0cc)
----
- src/cfgparse.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index 3c3383d..392a78d 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -5668,6 +5668,9 @@ cfg_parse_users(const char *file, int linenum, char **args, int kwm)
- goto out;
- }
-
-+ if (!userlist)
-+ goto out;
-+
- for (ag = userlist->groups; ag; ag = ag->next)
- if (!strcmp(ag->name, args[1])) {
- Warning("parsing [%s:%d]: ignoring duplicated group '%s' in userlist '%s'.\n",
-@@ -5718,6 +5721,8 @@ cfg_parse_users(const char *file, int linenum, char **args, int kwm)
- err_code |= ERR_ALERT | ERR_FATAL;
- goto out;
- }
-+ if (!userlist)
-+ goto out;
-
- for (newuser = userlist->users; newuser; newuser = newuser->next)
- if (!strcmp(newuser->user, args[1])) {
--- 
-2.0.5
-
diff --git a/net/haproxy/patches/0015-MEDIUM-ssl-replace-standards-DH-groups-with-custom-o.patch b/net/haproxy/patches/0015-MEDIUM-ssl-replace-standards-DH-groups-with-custom-o.patch
deleted file mode 100644
index 2d1415bee..000000000
--- a/net/haproxy/patches/0015-MEDIUM-ssl-replace-standards-DH-groups-with-custom-o.patch
+++ /dev/null
@@ -1,427 +0,0 @@ -From 2ad3ec1ab5379a16b16aba48a42ced27b170534e Mon Sep 17 00:00:00 2001 -From: Remi Gacogne -Date: Fri, 29 May 2015 16:26:17 +0200 -Subject: [PATCH 15/18] MEDIUM: ssl: replace standards DH groups with custom - ones -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -It is likely that powerful adversaries have been pre-computing the -standardized DH groups, because being widely used have made them -valuable targets. While users are advised to generate their own -DH parameters, replace the ones we ship by values been randomly -generated for this product only. - -[wt: replaced dh1024_p, dh2048_p, and dh4096_p with locally-generated - ones as recommended by Rémi] - -(cherry picked from commit d3a341a96fb6107d2b8e3d7a9c0afa2ff43bb0b6) ---- - src/ssl_sock.c | 340 +++++++++++++++++---------------------------------------- - 1 file changed, 102 insertions(+), 238 deletions(-) - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 0f7819b..93aab8b 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -114,7 +114,6 @@ static int ssl_dh_ptr_index = -1; - static DH *local_dh_1024 = NULL; - static DH *local_dh_2048 = NULL; - static DH *local_dh_4096 = NULL; --static DH *local_dh_8192 = NULL; - #endif /* OPENSSL_NO_DH */ - - #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB -@@ -766,32 +765,28 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s) - - static DH * ssl_get_dh_1024(void) - { --#if OPENSSL_VERSION_NUMBER < 0x0090801fL -- static const unsigned char rfc_2409_prime_1024[] = { -- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, -- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, -- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, -- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, -- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, -- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, -- 
0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, -- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, -- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, -- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE6,0x53,0x81, -- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, -- }; --#endif -+ static unsigned char dh1024_p[]={ -+ 0xFA,0xF9,0x2A,0x22,0x2A,0xA7,0x7F,0xE1,0x67,0x4E,0x53,0xF7, -+ 0x56,0x13,0xC3,0xB1,0xE3,0x29,0x6B,0x66,0x31,0x6A,0x7F,0xB3, -+ 0xC2,0x68,0x6B,0xCB,0x1D,0x57,0x39,0x1D,0x1F,0xFF,0x1C,0xC9, -+ 0xA6,0xA4,0x98,0x82,0x31,0x5D,0x25,0xFF,0x8A,0xE0,0x73,0x96, -+ 0x81,0xC8,0x83,0x79,0xC1,0x5A,0x04,0xF8,0x37,0x0D,0xA8,0x3D, -+ 0xAE,0x74,0xBC,0xDB,0xB6,0xA4,0x75,0xD9,0x71,0x8A,0xA0,0x17, -+ 0x9E,0x2D,0xC8,0xA8,0xDF,0x2C,0x5F,0x82,0x95,0xF8,0x92,0x9B, -+ 0xA7,0x33,0x5F,0x89,0x71,0xC8,0x2D,0x6B,0x18,0x86,0xC4,0x94, -+ 0x22,0xA5,0x52,0x8D,0xF6,0xF6,0xD2,0x37,0x92,0x0F,0xA5,0xCC, -+ 0xDB,0x7B,0x1D,0x3D,0xA1,0x31,0xB7,0x80,0x8F,0x0B,0x67,0x5E, -+ 0x36,0xA5,0x60,0x0C,0xF1,0x95,0x33,0x8B, -+ }; -+ static unsigned char dh1024_g[]={ -+ 0x02, -+ }; -+ - DH *dh = DH_new(); - if (dh) { --#if OPENSSL_VERSION_NUMBER >= 0x0090801fL -- dh->p = get_rfc2409_prime_1024(NULL); --#else -- dh->p = BN_bin2bn(rfc_2409_prime_1024, sizeof rfc_2409_prime_1024, NULL); --#endif -- /* See RFC 2409, Section 6 "Oakley Groups" -- for the reason why 2 is used as generator. 
-- */ -- BN_dec2bn(&dh->g, "2"); -+ dh->p = BN_bin2bn(dh1024_p, sizeof dh1024_p, NULL); -+ dh->g = BN_bin2bn(dh1024_g, sizeof dh1024_g, NULL); -+ - if (!dh->p || !dh->g) { - DH_free(dh); - dh = NULL; -@@ -802,43 +797,39 @@ static DH * ssl_get_dh_1024(void) - - static DH *ssl_get_dh_2048(void) - { --#if OPENSSL_VERSION_NUMBER < 0x0090801fL -- static const unsigned char rfc_3526_prime_2048[] = { -- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, -- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, -- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, -- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, -- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, -- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, -- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, -- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, -- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, -- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, -- 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, -- 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, -- 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, -- 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, -- 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, -- 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B, -- 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2, -- 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9, -- 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C, -- 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10, -- 0x15,0x72,0x8E,0x5A,0x8A,0xAC,0xAA,0x68,0xFF,0xFF,0xFF,0xFF, -- 0xFF,0xFF,0xFF,0xFF, -- }; --#endif -+ static unsigned char dh2048_p[]={ -+ 0xEC,0x86,0xF8,0x70,0xA0,0x33,0x16,0xEC,0x05,0x1A,0x73,0x59, -+ 0xCD,0x1F,0x8B,0xF8,0x29,0xE4,0xD2,0xCF,0x52,0xDD,0xC2,0x24, -+ 
0x8D,0xB5,0x38,0x9A,0xFB,0x5C,0xA4,0xE4,0xB2,0xDA,0xCE,0x66, -+ 0x50,0x74,0xA6,0x85,0x4D,0x4B,0x1D,0x30,0xB8,0x2B,0xF3,0x10, -+ 0xE9,0xA7,0x2D,0x05,0x71,0xE7,0x81,0xDF,0x8B,0x59,0x52,0x3B, -+ 0x5F,0x43,0x0B,0x68,0xF1,0xDB,0x07,0xBE,0x08,0x6B,0x1B,0x23, -+ 0xEE,0x4D,0xCC,0x9E,0x0E,0x43,0xA0,0x1E,0xDF,0x43,0x8C,0xEC, -+ 0xBE,0xBE,0x90,0xB4,0x51,0x54,0xB9,0x2F,0x7B,0x64,0x76,0x4E, -+ 0x5D,0xD4,0x2E,0xAE,0xC2,0x9E,0xAE,0x51,0x43,0x59,0xC7,0x77, -+ 0x9C,0x50,0x3C,0x0E,0xED,0x73,0x04,0x5F,0xF1,0x4C,0x76,0x2A, -+ 0xD8,0xF8,0xCF,0xFC,0x34,0x40,0xD1,0xB4,0x42,0x61,0x84,0x66, -+ 0x42,0x39,0x04,0xF8,0x68,0xB2,0x62,0xD7,0x55,0xED,0x1B,0x74, -+ 0x75,0x91,0xE0,0xC5,0x69,0xC1,0x31,0x5C,0xDB,0x7B,0x44,0x2E, -+ 0xCE,0x84,0x58,0x0D,0x1E,0x66,0x0C,0xC8,0x44,0x9E,0xFD,0x40, -+ 0x08,0x67,0x5D,0xFB,0xA7,0x76,0x8F,0x00,0x11,0x87,0xE9,0x93, -+ 0xF9,0x7D,0xC4,0xBC,0x74,0x55,0x20,0xD4,0x4A,0x41,0x2F,0x43, -+ 0x42,0x1A,0xC1,0xF2,0x97,0x17,0x49,0x27,0x37,0x6B,0x2F,0x88, -+ 0x7E,0x1C,0xA0,0xA1,0x89,0x92,0x27,0xD9,0x56,0x5A,0x71,0xC1, -+ 0x56,0x37,0x7E,0x3A,0x9D,0x05,0xE7,0xEE,0x5D,0x8F,0x82,0x17, -+ 0xBC,0xE9,0xC2,0x93,0x30,0x82,0xF9,0xF4,0xC9,0xAE,0x49,0xDB, -+ 0xD0,0x54,0xB4,0xD9,0x75,0x4D,0xFA,0x06,0xB8,0xD6,0x38,0x41, -+ 0xB7,0x1F,0x77,0xF3, -+ }; -+ static unsigned char dh2048_g[]={ -+ 0x02, -+ }; -+ - DH *dh = DH_new(); - if (dh) { --#if OPENSSL_VERSION_NUMBER >= 0x0090801fL -- dh->p = get_rfc3526_prime_2048(NULL); --#else -- dh->p = BN_bin2bn(rfc_3526_prime_2048, sizeof rfc_3526_prime_2048, NULL); --#endif -- /* See RFC 3526, Section 3 "2048-bit MODP Group" -- for the reason why 2 is used as generator. 
-- */ -- BN_dec2bn(&dh->g, "2"); -+ dh->p = BN_bin2bn(dh2048_p, sizeof dh2048_p, NULL); -+ dh->g = BN_bin2bn(dh2048_g, sizeof dh2048_g, NULL); -+ - if (!dh->p || !dh->g) { - DH_free(dh); - dh = NULL; -@@ -849,175 +840,60 @@ static DH *ssl_get_dh_2048(void) - - static DH *ssl_get_dh_4096(void) - { --#if OPENSSL_VERSION_NUMBER < 0x0090801fL -- static const unsigned char rfc_3526_prime_4096[] = { -- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, -- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, -- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, -- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, -- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, -- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, -- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, -- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, -- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, -- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, -- 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, -- 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, -- 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, -- 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, -- 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, -- 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B, -- 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2, -- 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9, -- 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C, -- 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10, -- 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D, -- 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64, -- 0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57, -- 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7, -- 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0, -- 
0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B, -- 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73, -- 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C, -- 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0, -- 0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31, -- 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20, -- 0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7, -- 0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18, -- 0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA, -- 0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB, -- 0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6, -- 0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F, -- 0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED, -- 0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76, -- 0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9, -- 0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC, -- 0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x06,0x31,0x99, -- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, -+ static unsigned char dh4096_p[]={ -+ 0xDE,0x16,0x94,0xCD,0x99,0x58,0x07,0xF1,0xF7,0x32,0x96,0x11, -+ 0x04,0x82,0xD4,0x84,0x72,0x80,0x99,0x06,0xCA,0xF0,0xA3,0x68, -+ 0x07,0xCE,0x64,0x50,0xE7,0x74,0x45,0x20,0x80,0x5E,0x4D,0xAD, -+ 0xA5,0xB6,0xED,0xFA,0x80,0x6C,0x3B,0x35,0xC4,0x9A,0x14,0x6B, -+ 0x32,0xBB,0xFD,0x1F,0x17,0x8E,0xB7,0x1F,0xD6,0xFA,0x3F,0x7B, -+ 0xEE,0x16,0xA5,0x62,0x33,0x0D,0xED,0xBC,0x4E,0x58,0xE5,0x47, -+ 0x4D,0xE9,0xAB,0x8E,0x38,0xD3,0x6E,0x90,0x57,0xE3,0x22,0x15, -+ 0x33,0xBD,0xF6,0x43,0x45,0xB5,0x10,0x0A,0xBE,0x2C,0xB4,0x35, -+ 0xB8,0x53,0x8D,0xAD,0xFB,0xA7,0x1F,0x85,0x58,0x41,0x7A,0x79, -+ 0x20,0x68,0xB3,0xE1,0x3D,0x08,0x76,0xBF,0x86,0x0D,0x49,0xE3, -+ 0x82,0x71,0x8C,0xB4,0x8D,0x81,0x84,0xD4,0xE7,0xBE,0x91,0xDC, -+ 0x26,0x39,0x48,0x0F,0x35,0xC4,0xCA,0x65,0xE3,0x40,0x93,0x52, -+ 0x76,0x58,0x7D,0xDD,0x51,0x75,0xDC,0x69,0x61,0xBF,0x47,0x2C, 
-+ 0x16,0x68,0x2D,0xC9,0x29,0xD3,0xE6,0xC0,0x99,0x48,0xA0,0x9A, -+ 0xC8,0x78,0xC0,0x6D,0x81,0x67,0x12,0x61,0x3F,0x71,0xBA,0x41, -+ 0x1F,0x6C,0x89,0x44,0x03,0xBA,0x3B,0x39,0x60,0xAA,0x28,0x55, -+ 0x59,0xAE,0xB8,0xFA,0xCB,0x6F,0xA5,0x1A,0xF7,0x2B,0xDD,0x52, -+ 0x8A,0x8B,0xE2,0x71,0xA6,0x5E,0x7E,0xD8,0x2E,0x18,0xE0,0x66, -+ 0xDF,0xDD,0x22,0x21,0x99,0x52,0x73,0xA6,0x33,0x20,0x65,0x0E, -+ 0x53,0xE7,0x6B,0x9B,0xC5,0xA3,0x2F,0x97,0x65,0x76,0xD3,0x47, -+ 0x23,0x77,0x12,0xB6,0x11,0x7B,0x24,0xED,0xF1,0xEF,0xC0,0xE2, -+ 0xA3,0x7E,0x67,0x05,0x3E,0x96,0x4D,0x45,0xC2,0x18,0xD1,0x73, -+ 0x9E,0x07,0xF3,0x81,0x6E,0x52,0x63,0xF6,0x20,0x76,0xB9,0x13, -+ 0xD2,0x65,0x30,0x18,0x16,0x09,0x16,0x9E,0x8F,0xF1,0xD2,0x10, -+ 0x5A,0xD3,0xD4,0xAF,0x16,0x61,0xDA,0x55,0x2E,0x18,0x5E,0x14, -+ 0x08,0x54,0x2E,0x2A,0x25,0xA2,0x1A,0x9B,0x8B,0x32,0xA9,0xFD, -+ 0xC2,0x48,0x96,0xE1,0x80,0xCA,0xE9,0x22,0x17,0xBB,0xCE,0x3E, -+ 0x9E,0xED,0xC7,0xF1,0x1F,0xEC,0x17,0x21,0xDC,0x7B,0x82,0x48, -+ 0x8E,0xBB,0x4B,0x9D,0x5B,0x04,0x04,0xDA,0xDB,0x39,0xDF,0x01, -+ 0x40,0xC3,0xAA,0x26,0x23,0x89,0x75,0xC6,0x0B,0xD0,0xA2,0x60, -+ 0x6A,0xF1,0xCC,0x65,0x18,0x98,0x1B,0x52,0xD2,0x74,0x61,0xCC, -+ 0xBD,0x60,0xAE,0xA3,0xA0,0x66,0x6A,0x16,0x34,0x92,0x3F,0x41, -+ 0x40,0x31,0x29,0xC0,0x2C,0x63,0xB2,0x07,0x8D,0xEB,0x94,0xB8, -+ 0xE8,0x47,0x92,0x52,0x93,0x6A,0x1B,0x7E,0x1A,0x61,0xB3,0x1B, -+ 0xF0,0xD6,0x72,0x9B,0xF1,0xB0,0xAF,0xBF,0x3E,0x65,0xEF,0x23, -+ 0x1D,0x6F,0xFF,0x70,0xCD,0x8A,0x4C,0x8A,0xA0,0x72,0x9D,0xBE, -+ 0xD4,0xBB,0x24,0x47,0x4A,0x68,0xB5,0xF5,0xC6,0xD5,0x7A,0xCD, -+ 0xCA,0x06,0x41,0x07,0xAD,0xC2,0x1E,0xE6,0x54,0xA7,0xAD,0x03, -+ 0xD9,0x12,0xC1,0x9C,0x13,0xB1,0xC9,0x0A,0x43,0x8E,0x1E,0x08, -+ 0xCE,0x50,0x82,0x73,0x5F,0xA7,0x55,0x1D,0xD9,0x59,0xAC,0xB5, -+ 0xEA,0x02,0x7F,0x6C,0x5B,0x74,0x96,0x98,0x67,0x24,0xA3,0x0F, -+ 0x15,0xFC,0xA9,0x7D,0x3E,0x67,0xD1,0x70,0xF8,0x97,0xF3,0x67, -+ 0xC5,0x8C,0x88,0x44,0x08,0x02,0xC7,0x2B, - }; --#endif -- DH *dh = DH_new(); -- if (dh) { --#if OPENSSL_VERSION_NUMBER >= 0x0090801fL -- 
dh->p = get_rfc3526_prime_4096(NULL); --#else -- dh->p = BN_bin2bn(rfc_3526_prime_4096, sizeof rfc_3526_prime_4096, NULL); --#endif -- /* See RFC 3526, Section 5 "4096-bit MODP Group" -- for the reason why 2 is used as generator. -- */ -- BN_dec2bn(&dh->g, "2"); -- if (!dh->p || !dh->g) { -- DH_free(dh); -- dh = NULL; -- } -- } -- return dh; --} -+ static unsigned char dh4096_g[]={ -+ 0x02, -+ }; - --static DH *ssl_get_dh_8192(void) --{ --#if OPENSSL_VERSION_NUMBER < 0x0090801fL -- static const unsigned char rfc_3526_prime_8192[] = { -- 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, -- 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, -- 0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6, -- 0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD, -- 0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D, -- 0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45, -- 0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9, -- 0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED, -- 0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11, -- 0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D, -- 0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36, -- 0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F, -- 0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56, -- 0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D, -- 0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08, -- 0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B, -- 0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2, -- 0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9, -- 0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C, -- 0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10, -- 0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D, -- 0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64, -- 
0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57, -- 0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7, -- 0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0, -- 0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B, -- 0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73, -- 0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C, -- 0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0, -- 0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31, -- 0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20, -- 0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7, -- 0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18, -- 0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA, -- 0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB, -- 0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6, -- 0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F, -- 0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED, -- 0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76, -- 0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9, -- 0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC, -- 0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92, -- 0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,0xC1,0xD4,0xDC,0xB2, -- 0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD, -- 0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F, -- 0x41,0x30,0x01,0xAE,0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31, -- 0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,0xDA,0x3E,0xDB,0xEB, -- 0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B, -- 0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51, -- 0x2B,0xD7,0xAF,0x42,0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF, -- 0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,0xF0,0x32,0xEA,0x15, -- 0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6, -- 0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31, -- 
0x90,0x0B,0x1C,0x9E,0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3, -- 0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,0x0F,0x1D,0x45,0xB7, -- 0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA, -- 0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2, -- 0x0F,0x80,0x37,0xE0,0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28, -- 0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,0xF5,0x50,0xAA,0x3D, -- 0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C, -- 0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7, -- 0x6E,0x3C,0x04,0x68,0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE, -- 0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,0xE6,0x94,0xF9,0x1E, -- 0x6D,0xBE,0x11,0x59,0x74,0xA3,0x92,0x6F,0x12,0xFE,0xE5,0xE4, -- 0x38,0x77,0x7C,0xB6,0xA9,0x32,0xDF,0x8C,0xD8,0xBE,0xC4,0xD0, -- 0x73,0xB9,0x31,0xBA,0x3B,0xC8,0x32,0xB6,0x8D,0x9D,0xD3,0x00, -- 0x74,0x1F,0xA7,0xBF,0x8A,0xFC,0x47,0xED,0x25,0x76,0xF6,0x93, -- 0x6B,0xA4,0x24,0x66,0x3A,0xAB,0x63,0x9C,0x5A,0xE4,0xF5,0x68, -- 0x34,0x23,0xB4,0x74,0x2B,0xF1,0xC9,0x78,0x23,0x8F,0x16,0xCB, -- 0xE3,0x9D,0x65,0x2D,0xE3,0xFD,0xB8,0xBE,0xFC,0x84,0x8A,0xD9, -- 0x22,0x22,0x2E,0x04,0xA4,0x03,0x7C,0x07,0x13,0xEB,0x57,0xA8, -- 0x1A,0x23,0xF0,0xC7,0x34,0x73,0xFC,0x64,0x6C,0xEA,0x30,0x6B, -- 0x4B,0xCB,0xC8,0x86,0x2F,0x83,0x85,0xDD,0xFA,0x9D,0x4B,0x7F, -- 0xA2,0xC0,0x87,0xE8,0x79,0x68,0x33,0x03,0xED,0x5B,0xDD,0x3A, -- 0x06,0x2B,0x3C,0xF5,0xB3,0xA2,0x78,0xA6,0x6D,0x2A,0x13,0xF8, -- 0x3F,0x44,0xF8,0x2D,0xDF,0x31,0x0E,0xE0,0x74,0xAB,0x6A,0x36, -- 0x45,0x97,0xE8,0x99,0xA0,0x25,0x5D,0xC1,0x64,0xF3,0x1C,0xC5, -- 0x08,0x46,0x85,0x1D,0xF9,0xAB,0x48,0x19,0x5D,0xED,0x7E,0xA1, -- 0xB1,0xD5,0x10,0xBD,0x7E,0xE7,0x4D,0x73,0xFA,0xF3,0x6B,0xC3, -- 0x1E,0xCF,0xA2,0x68,0x35,0x90,0x46,0xF4,0xEB,0x87,0x9F,0x92, -- 0x40,0x09,0x43,0x8B,0x48,0x1C,0x6C,0xD7,0x88,0x9A,0x00,0x2E, -- 0xD5,0xEE,0x38,0x2B,0xC9,0x19,0x0D,0xA6,0xFC,0x02,0x6E,0x47, -- 0x95,0x58,0xE4,0x47,0x56,0x77,0xE9,0xAA,0x9E,0x30,0x50,0xE2, -- 0x76,0x56,0x94,0xDF,0xC8,0x1F,0x56,0xE8,0x80,0xB9,0x6E,0x71, -- 
0x60,0xC9,0x80,0xDD,0x98,0xED,0xD3,0xDF,0xFF,0xFF,0xFF,0xFF, -- 0xFF,0xFF,0xFF,0xFF, -- }; --#endif - DH *dh = DH_new(); - if (dh) { --#if OPENSSL_VERSION_NUMBER >= 0x0090801fL -- dh->p = get_rfc3526_prime_8192(NULL); --#else -- dh->p = BN_bin2bn(rfc_3526_prime_8192, sizeof rfc_3526_prime_8192, NULL); --#endif -- /* See RFC 3526, Section 7 "8192-bit MODP Group" -- for the reason why 2 is used as generator. -- */ -- BN_dec2bn(&dh->g, "2"); -+ dh->p = BN_bin2bn(dh4096_p, sizeof dh4096_p, NULL); -+ dh->g = BN_bin2bn(dh4096_g, sizeof dh4096_g, NULL); -+ - if (!dh->p || !dh->g) { - DH_free(dh); - dh = NULL; -@@ -1045,10 +921,7 @@ static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen) - keylen = global.tune.ssl_default_dh_param; - } - -- if (keylen >= 8192) { -- dh = local_dh_8192; -- } -- else if (keylen >= 4096) { -+ if (keylen >= 4096) { - dh = local_dh_4096; - } - else if (keylen >= 2048) { -@@ -1643,10 +1516,6 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy - if (local_dh_4096 == NULL) { - local_dh_4096 = ssl_get_dh_4096(); - } -- if (global.tune.ssl_default_dh_param >= 8192 && -- local_dh_8192 == NULL) { -- local_dh_8192 = ssl_get_dh_8192(); -- } - } - } - } -@@ -4753,11 +4622,6 @@ static void __ssl_sock_deinit(void) - DH_free(local_dh_4096); - local_dh_4096 = NULL; - } -- -- if (local_dh_8192) { -- DH_free(local_dh_8192); -- local_dh_8192 = NULL; -- } - #endif - - ERR_remove_state(0); --- -2.3.6 - diff --git a/net/haproxy/patches/0016-BUG-MINOR-debug-display-null-in-place-of-meth.patch b/net/haproxy/patches/0016-BUG-MINOR-debug-display-null-in-place-of-meth.patch deleted file mode 100644 index f40d72317..000000000 --- a/net/haproxy/patches/0016-BUG-MINOR-debug-display-null-in-place-of-meth.patch +++ /dev/null 
@@ -1,28 +0,0 @@
-From c51fe0fb249db735c5b103ec99559a0254d58441 Mon Sep 17 00:00:00 2001
-From: Thierry FOURNIER
-Date: Wed, 3 Jun 2015 20:12:04 +0200
-Subject: [PATCH 16/18] BUG/MINOR: debug: display (null) in place of "meth"
-
-The array which contains names of types, miss the METH entry.
-
-[wt: should be backported to 1.5 as well]
-(cherry picked from commit 4c2479e1c455e2cc46c02cfc28ea2a185f9a7747)
----
- src/sample.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/sample.c b/src/sample.c
-index 87c9f60..59c80b2 100644
---- a/src/sample.c
-+++ b/src/sample.c
-@@ -40,6 +40,7 @@ const char *smp_to_type[SMP_TYPES] = {
- [SMP_T_IPV6] = "ipv6",
- [SMP_T_STR] = "str",
- [SMP_T_BIN] = "bin",
-+ [SMP_T_METH] = "meth",
- };
-
- /* static sample used in sample_process() when

is NULL */
--- 
-2.3.6
-
diff --git a/net/haproxy/patches/0017-CLEANUP-deinit-remove-codes-for-cleaning-p-block_rul.patch b/net/haproxy/patches/0017-CLEANUP-deinit-remove-codes-for-cleaning-p-block_rul.patch
deleted file mode 100644
index bbacca4af..000000000
--- a/net/haproxy/patches/0017-CLEANUP-deinit-remove-codes-for-cleaning-p-block_rul.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 793a74065926b0da87120d4b1e6330234475505c Mon Sep 17 00:00:00 2001
-From: Godbach
-Date: Tue, 9 Jun 2015 19:41:52 +0800
-Subject: [PATCH 17/18] CLEANUP: deinit: remove codes for cleaning
- p->block_rules
-
-Since all rules listed in p->block_rules have been moved to the beginning of
-the http-request rules in check_config_validity(), there is no need to clean
-p->block_rules in deinit().
-
-Signed-off-by: Godbach
-(cherry picked from commit 28b48ccbc879a552f988e6e1db22941e3362b4db)
----
- src/haproxy.c | 6 ------
- 1 file changed, 6 deletions(-)
-
-diff --git a/src/haproxy.c b/src/haproxy.c
-index 0dddd53..eac6f44 100644
---- a/src/haproxy.c
-+++ b/src/haproxy.c
-@@ -1020,12 +1020,6 @@ void deinit(void)
- free(cwl);
- }
-
-- list_for_each_entry_safe(cond, condb, &p->block_rules, list) {
-- LIST_DEL(&cond->list);
-- prune_acl_cond(cond);
-- free(cond);
-- }
--
- list_for_each_entry_safe(cond, condb, &p->mon_fail_cond, list) {
- LIST_DEL(&cond->list);
- prune_acl_cond(cond);
--- 
-2.3.6
-
diff --git a/net/haproxy/patches/0018-BUG-MINOR-ssl-fix-smp_fetch_ssl_fc_session_id.patch b/net/haproxy/patches/0018-BUG-MINOR-ssl-fix-smp_fetch_ssl_fc_session_id.patch
deleted file mode 100644
index b6113a359..000000000
--- a/net/haproxy/patches/0018-BUG-MINOR-ssl-fix-smp_fetch_ssl_fc_session_id.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 69760db11dfca4a8d8fbd34cec25c334f77add67 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau
-Date: Wed, 17 Jun 2015 18:34:14 +0200
-Subject: [PATCH 18/18] BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id
-
-Dmitry Sivachenko reported the following build warning using Clang
-which is a real bug :
-
-src/ssl_sock.c:4104:44: warning: address of 'smp->data.str.len' will always
- evaluate to 'true' [-Wpointer-bool-conversion]
- if (!smp->data.str.str || !&smp->data.str.len)
-
-The impact is very low however, it will return an empty session_id
-instead of no session id when none is found.
-
-The fix should be backported to 1.5.
-(cherry picked from commit 745d4127582a8c66e2e8ce35f746a78e867960af)
----
- src/ssl_sock.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 93aab8b..7d77d36 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -3540,7 +3540,7 @@ smp_fetch_ssl_fc_session_id(struct proxy *px, struct session *l4, void *l7, unsi
- return 0;
-
- smp->data.str.str = (char *)SSL_SESSION_get_id(sess, (unsigned int *)&smp->data.str.len);
-- if (!smp->data.str.str || !&smp->data.str.len)
-+ if (!smp->data.str.str || !smp->data.str.len)
- return 0;
-
- return 1;
--- 
-2.3.6
-