
haproxy: patches from upstream

- [PATCH 5/6] BUG/MEDIUM: http: tarpit timeout is reset
- [PATCH 6/6] MEDIUM: connection: add new bit in Proxy Protocol V2

Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
Thomas Heil 10 years ago
parent
commit
7c167bfd16
3 changed files with 158 additions and 1 deletions
  1. +1
    -1
      net/haproxy/Makefile
  2. +45
    -0
      net/haproxy/patches/0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch
  3. +112
    -0
      net/haproxy/patches/0006-MEDIUM-connection-add-new-bit-in-Proxy-Protocol-V2.patch

+ 1
- 1
net/haproxy/Makefile View File

@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=haproxy
PKG_VERSION:=1.5.3
PKG_RELEASE:=04
PKG_RELEASE:=06
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
PKG_MD5SUM:=e999a547d57445d5a5ab7eb6a06df9a1


+ 45
- 0
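--- a/net/haproxy/patches/0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch
+++ b/net/haproxy/patches/0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch
@@ -0,0 +1,45 @@
+From fc566b541e4c67cfbd8d6b40b627ce27dfc8a7cb Mon Sep 17 00:00:00 2001
+From: Thierry FOURNIER <tfournier@exceliance.fr>
+Date: Fri, 22 Aug 2014 06:55:26 +0200
+Subject: [PATCH 5/6] BUG/MEDIUM: http: tarpit timeout is reset
+Before the commit bbba2a8ecc35daf99317aaff7015c1931779c33b
+(1.5-dev24-8), the tarpit section set timeout and return, after this
+commit, the tarpit section set the timeout, and go to the "done" label
+which reset the timeout.
+Thanks Bryan Talbot for the bug report and analysis.
+This should be backported in 1.5.
+(cherry picked from commit 7566e30477bf5ea4206bda5950d2d83108c4a3dc)
+---
+src/proto_http.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/src/proto_http.c b/src/proto_http.c
+index 2b75b32..bebc8bf 100644
+--- a/src/proto_http.c
++++ b/src/proto_http.c
+@@ -4117,8 +4117,9 @@ int http_process_req_common(struct session *s, struct channel *req, int an_bit,
+done: /* done with this analyser, continue with next ones that the calling
+* points will have set, if any.
+*/
+- req->analysers &= ~an_bit;
+req->analyse_exp = TICK_ETERNITY;
++ done_without_exp: /* done with this analyser, but dont reset the analyse_exp. */
++ req->analysers &= ~an_bit;
+return 1;
+tarpit:
+@@ -4144,7 +4145,7 @@ int http_process_req_common(struct session *s, struct channel *req, int an_bit,
+s->be->be_counters.denied_req++;
+if (s->listener->counters)
+s->listener->counters->denied_req++;
+- goto done;
++ goto done_without_exp;
+deny: /* this request was blocked (denied) */
+txn->flags |= TX_CLDENY;
+--
+1.8.5.5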
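Review bot: The new `done_without_exp:` label in the first embedded hunk is reached two ways — by fall-through from `done:` after `req->analyse_exp = TICK_ETERNITY;` and by the `goto done_without_exp;` in the second hunk — but only the goto side is commented, so a reader at `done:` cannot tell that falling into the new label is deliberate. I would extend the existing `done:` comment with `* Falls through to done_without_exp after clearing analyse_exp; the tarpit path jumps there directly so its own timeout survives. */`. http_process_req_common starts and ends outside both hunks, and the tarpit code that sets the timeout is not visible here, so the "own timeout survives" part is taken from the commit message rather than from the diff.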

+ 112
- 0
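--- a/net/haproxy/patches/0006-MEDIUM-connection-add-new-bit-in-Proxy-Protocol-V2.patch
+++ b/net/haproxy/patches/0006-MEDIUM-connection-add-new-bit-in-Proxy-Protocol-V2.patch
@@ -0,0 +1,112 @@
+From d6ec605d2059191163cad27b7d7b215ed8d3725b Mon Sep 17 00:00:00 2001
+From: Dave McCowan <11235david@gmail.com>
+Date: Wed, 30 Jul 2014 10:39:13 -0400
+Subject: [PATCH 6/6] MEDIUM: connection: add new bit in Proxy Protocol V2
+There are two sample commands to get information about the presence of a
+client certificate.
+ssl_fc_has_crt is true if there is a certificate present in the current
+connection
+ssl_c_used is true if there is a certificate present in the session.
+If a session has stopped and resumed, then ssl_c_used could be true, while
+ssl_fc_has_crt is false.
+In the client byte of the TLS TLV of Proxy Protocol V2, there is only one
+bit to indicate whether a certificate is present on the connection. The
+attached patch adds a second bit to indicate the presence for the session.
+This maintains backward compatibility.
+[wt: this should be backported to 1.5 to help maintain compatibility
+between versions]
+(cherry picked from commit 328fb58d745c03a0dc706da9e2fcd4e9f860a14b)
+---
+include/proto/ssl_sock.h | 3 ++-
+include/types/connection.h | 5 +++--
+src/connection.c | 6 ++++--
+src/ssl_sock.c | 21 +++++++++++++++++++--
+4 files changed, 28 insertions(+), 7 deletions(-)
+diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
+index 3e111cd..10541ed 100644
+--- a/include/proto/ssl_sock.h
++++ b/include/proto/ssl_sock.h
+@@ -51,7 +51,8 @@ void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
+const char *ssl_sock_get_cipher_name(struct connection *conn);
+const char *ssl_sock_get_proto_version(struct connection *conn);
+char *ssl_sock_get_version(struct connection *conn);
+-int ssl_sock_get_cert_used(struct connection *conn);
++int ssl_sock_get_cert_used_sess(struct connection *conn);
++int ssl_sock_get_cert_used_conn(struct connection *conn);
+int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
+unsigned int ssl_sock_get_verify_result(struct connection *conn);
+#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+diff --git a/include/types/connection.h b/include/types/connection.h
+index 2ae16d7..b317007 100644
+--- a/include/types/connection.h
++++ b/include/types/connection.h
+@@ -345,8 +345,9 @@ struct tlv_ssl {
+uint8_t sub_tlv[0];
+}__attribute__((packed));
+-#define PP2_CLIENT_SSL 0x01
+-#define PP2_CLIENT_CERT 0x02
++#define PP2_CLIENT_SSL 0x01
++#define PP2_CLIENT_CERT_CONN 0x02
++#define PP2_CLIENT_CERT_SESS 0x04
+#endif /* _TYPES_CONNECTION_H */
+diff --git a/src/connection.c b/src/connection.c
+index 2dd2c02..3af6d9a 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -678,9 +678,11 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
+tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len-ret-ssl_tlv_len), PP2_TYPE_SSL_VERSION, strlen(value), value);
+ssl_tlv_len += tlv_len;
+}
+- if (ssl_sock_get_cert_used(remote)) {
+- tlv->client |= PP2_CLIENT_CERT;
++ if (ssl_sock_get_cert_used_sess(remote)) {
++ tlv->client |= PP2_CLIENT_CERT_SESS;
+tlv->verify = htonl(ssl_sock_get_verify_result(remote));
++ if (ssl_sock_get_cert_used_conn(remote))
++ tlv->client |= PP2_CLIENT_CERT_CONN;
+}
+if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
+cn_trash = get_trash_chunk();
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index cf8adc7..da99a30 100644
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -2720,8 +2720,25 @@ out:
+return result;
+}
+-/* returns 1 if client passed a certificate, 0 if not */
+-int ssl_sock_get_cert_used(struct connection *conn)
++/* returns 1 if client passed a certificate for this session, 0 if not */
++int ssl_sock_get_cert_used_sess(struct connection *conn)
++{
++ X509 *crt = NULL;
++
++ if (!ssl_sock_is_ssl(conn))
++ return 0;
++
++ /* SSL_get_peer_certificate, it increase X509 * ref count */
++ crt = SSL_get_peer_certificate(conn->xprt_ctx);
++ if (!crt)
++ return 0;
++
++ X509_free(crt);
++ return 1;
++}
++
++/* returns 1 if client passed a certificate for this connection, 0 if not */
++int ssl_sock_get_cert_used_conn(struct connection *conn)
+{
+if (!ssl_sock_is_ssl(conn))
+return 0;
+--
+1.8.5.5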
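Review bot: The redefined flag bits in the include/types/connection.h hunk carry no comment, yet their meaning changed: bit 0x02 was "client certificate present" (old PP2_CLIENT_CERT) and is now PP2_CLIENT_CERT_CONN, set in make_proxy_line_v2 only inside the PP2_CLIENT_CERT_SESS branch, while `tlv->verify` is filled whenever the session bit is set. If I read the commit message correctly, a receiver that still decodes 0x02 as the old flag will, on a resumed TLS session with a client certificate, see that bit clear while the verify field is populated, so the "backward compatibility" claim holds only for connections that presented the certificate on this handshake; that relationship should be written down where the bits are defined. I would annotate the two macros as `#define PP2_CLIENT_CERT_CONN 0x02 /* client cert presented on this connection; only set together with _SESS */` and `#define PP2_CLIENT_CERT_SESS 0x04 /* client cert present in the (possibly resumed) TLS session; verify field is valid */`. The body of ssl_sock_get_cert_used_conn continues past the end of the last embedded hunk, so its full behaviour is not visible here.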
