Browse Source
haproxy: patches from upstream
- [PATCH 5/6] BUG/MEDIUM: http: tarpit timeout is reset - [PATCH 6/6] MEDIUM: connection: add new bit in Proxy Protocol V2 Signed-off-by: Thomas Heil <heil@terminal-consulting.de>lilik-openwrt-22.03
Thomas Heil
10 years ago
3 changed files with 158 additions and 1 deletions
Split View
Diff Options
-
+1 -1net/haproxy/Makefile
-
+45 -0net/haproxy/patches/0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch
-
+112 -0net/haproxy/patches/0006-MEDIUM-connection-add-new-bit-in-Proxy-Protocol-V2.patch
+ 1
- 1
net/haproxy/Makefile
View File
+ 45
- 0
net/haproxy/patches/0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch
View File
| @ -0,0 +1,45 @@ | |||
| From fc566b541e4c67cfbd8d6b40b627ce27dfc8a7cb Mon Sep 17 00:00:00 2001 | |||
| From: Thierry FOURNIER <tfournier@exceliance.fr> | |||
| Date: Fri, 22 Aug 2014 06:55:26 +0200 | |||
| Subject: [PATCH 5/6] BUG/MEDIUM: http: tarpit timeout is reset | |||
| Before the commit bbba2a8ecc35daf99317aaff7015c1931779c33b | |||
| (1.5-dev24-8), the tarpit section set timeout and return, after this | |||
| commit, the tarpit section set the timeout, and go to the "done" label | |||
| which reset the timeout. | |||
| Thanks Bryan Talbot for the bug report and analysis. | |||
| This should be backported in 1.5. | |||
| (cherry picked from commit 7566e30477bf5ea4206bda5950d2d83108c4a3dc) | |||
| --- | |||
| src/proto_http.c | 5 +++-- | |||
| 1 file changed, 3 insertions(+), 2 deletions(-) | |||
| diff --git a/src/proto_http.c b/src/proto_http.c | |||
| index 2b75b32..bebc8bf 100644 | |||
| --- a/src/proto_http.c | |||
| +++ b/src/proto_http.c | |||
| @@ -4117,8 +4117,9 @@ int http_process_req_common(struct session *s, struct channel *req, int an_bit, | |||
| done: /* done with this analyser, continue with next ones that the calling | |||
| * points will have set, if any. | |||
| */ | |||
| - req->analysers &= ~an_bit; | |||
| req->analyse_exp = TICK_ETERNITY; | |||
| + done_without_exp: /* done with this analyser, but dont reset the analyse_exp. */ | |||
| + req->analysers &= ~an_bit; | |||
| return 1; | |||
| tarpit: | |||
| @@ -4144,7 +4145,7 @@ int http_process_req_common(struct session *s, struct channel *req, int an_bit, | |||
| s->be->be_counters.denied_req++; | |||
| if (s->listener->counters) | |||
| s->listener->counters->denied_req++; | |||
| - goto done; | |||
| + goto done_without_exp; | |||
| deny: /* this request was blocked (denied) */ | |||
| txn->flags |= TX_CLDENY; | |||
| -- | |||
| 1.8.5.5 | |||
+ 112
- 0
net/haproxy/patches/0006-MEDIUM-connection-add-new-bit-in-Proxy-Protocol-V2.patch
View File
| @ -0,0 +1,112 @@ | |||
| From d6ec605d2059191163cad27b7d7b215ed8d3725b Mon Sep 17 00:00:00 2001 | |||
| From: Dave McCowan <11235david@gmail.com> | |||
| Date: Wed, 30 Jul 2014 10:39:13 -0400 | |||
| Subject: [PATCH 6/6] MEDIUM: connection: add new bit in Proxy Protocol V2 | |||
| There are two sample commands to get information about the presence of a | |||
| client certificate. | |||
| ssl_fc_has_crt is true if there is a certificate present in the current | |||
| connection | |||
| ssl_c_used is true if there is a certificate present in the session. | |||
| If a session has stopped and resumed, then ssl_c_used could be true, while | |||
| ssl_fc_has_crt is false. | |||
| In the client byte of the TLS TLV of Proxy Protocol V2, there is only one | |||
| bit to indicate whether a certificate is present on the connection. The | |||
| attached patch adds a second bit to indicate the presence for the session. | |||
| This maintains backward compatibility. | |||
| [wt: this should be backported to 1.5 to help maintain compatibility | |||
| between versions] | |||
| (cherry picked from commit 328fb58d745c03a0dc706da9e2fcd4e9f860a14b) | |||
| --- | |||
| include/proto/ssl_sock.h | 3 ++- | |||
| include/types/connection.h | 5 +++-- | |||
| src/connection.c | 6 ++++-- | |||
| src/ssl_sock.c | 21 +++++++++++++++++++-- | |||
| 4 files changed, 28 insertions(+), 7 deletions(-) | |||
| diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h | |||
| index 3e111cd..10541ed 100644 | |||
| --- a/include/proto/ssl_sock.h | |||
| +++ b/include/proto/ssl_sock.h | |||
| @@ -51,7 +51,8 @@ void ssl_sock_free_all_ctx(struct bind_conf *bind_conf); | |||
| const char *ssl_sock_get_cipher_name(struct connection *conn); | |||
| const char *ssl_sock_get_proto_version(struct connection *conn); | |||
| char *ssl_sock_get_version(struct connection *conn); | |||
| -int ssl_sock_get_cert_used(struct connection *conn); | |||
| +int ssl_sock_get_cert_used_sess(struct connection *conn); | |||
| +int ssl_sock_get_cert_used_conn(struct connection *conn); | |||
| int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out); | |||
| unsigned int ssl_sock_get_verify_result(struct connection *conn); | |||
| #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB | |||
| diff --git a/include/types/connection.h b/include/types/connection.h | |||
| index 2ae16d7..b317007 100644 | |||
| --- a/include/types/connection.h | |||
| +++ b/include/types/connection.h | |||
| @@ -345,8 +345,9 @@ struct tlv_ssl { | |||
| uint8_t sub_tlv[0]; | |||
| }__attribute__((packed)); | |||
| -#define PP2_CLIENT_SSL 0x01 | |||
| -#define PP2_CLIENT_CERT 0x02 | |||
| +#define PP2_CLIENT_SSL 0x01 | |||
| +#define PP2_CLIENT_CERT_CONN 0x02 | |||
| +#define PP2_CLIENT_CERT_SESS 0x04 | |||
| #endif /* _TYPES_CONNECTION_H */ | |||
| diff --git a/src/connection.c b/src/connection.c | |||
| index 2dd2c02..3af6d9a 100644 | |||
| --- a/src/connection.c | |||
| +++ b/src/connection.c | |||
| @@ -678,9 +678,11 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec | |||
| tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len-ret-ssl_tlv_len), PP2_TYPE_SSL_VERSION, strlen(value), value); | |||
| ssl_tlv_len += tlv_len; | |||
| } | |||
| - if (ssl_sock_get_cert_used(remote)) { | |||
| - tlv->client |= PP2_CLIENT_CERT; | |||
| + if (ssl_sock_get_cert_used_sess(remote)) { | |||
| + tlv->client |= PP2_CLIENT_CERT_SESS; | |||
| tlv->verify = htonl(ssl_sock_get_verify_result(remote)); | |||
| + if (ssl_sock_get_cert_used_conn(remote)) | |||
| + tlv->client |= PP2_CLIENT_CERT_CONN; | |||
| } | |||
| if (srv->pp_opts & SRV_PP_V2_SSL_CN) { | |||
| cn_trash = get_trash_chunk(); | |||
| diff --git a/src/ssl_sock.c b/src/ssl_sock.c | |||
| index cf8adc7..da99a30 100644 | |||
| --- a/src/ssl_sock.c | |||
| +++ b/src/ssl_sock.c | |||
| @@ -2720,8 +2720,25 @@ out: | |||
| return result; | |||
| } | |||
| -/* returns 1 if client passed a certificate, 0 if not */ | |||
| -int ssl_sock_get_cert_used(struct connection *conn) | |||
| +/* returns 1 if client passed a certificate for this session, 0 if not */ | |||
| +int ssl_sock_get_cert_used_sess(struct connection *conn) | |||
| +{ | |||
| + X509 *crt = NULL; | |||
| + | |||
| + if (!ssl_sock_is_ssl(conn)) | |||
| + return 0; | |||
| + | |||
| + /* SSL_get_peer_certificate, it increase X509 * ref count */ | |||
| + crt = SSL_get_peer_certificate(conn->xprt_ctx); | |||
| + if (!crt) | |||
| + return 0; | |||
| + | |||
| + X509_free(crt); | |||
| + return 1; | |||
| +} | |||
| + | |||
| +/* returns 1 if client passed a certificate for this connection, 0 if not */ | |||
| +int ssl_sock_get_cert_used_conn(struct connection *conn) | |||
| { | |||
| if (!ssl_sock_is_ssl(conn)) | |||
| return 0; | |||
| -- | |||
| 1.8.5.5 | |||