From 7c167bfd161d0b36a9b4462697162719f1649c55 Mon Sep 17 00:00:00 2001
From: Thomas Heil
Date: Sun, 24 Aug 2014 20:46:00 +0200
Subject: [PATCH] haproxy: patches from upstream
- [PATCH 5/6] BUG/MEDIUM: http: tarpit timeout is reset
- [PATCH 6/6] MEDIUM: connection: add new bit in Proxy Protocol V2
Signed-off-by: Thomas Heil
---
 net/haproxy/Makefile | 2 +-
 ...-MEDIUM-http-tarpit-timeout-is-reset.patch | 45 +++++++
 ...ion-add-new-bit-in-Proxy-Protocol-V2.patch | 112 ++++++++++++++++++
 3 files changed, 158 insertions(+), 1 deletion(-)
 create mode 100644 net/haproxy/patches/0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch
 create mode 100644 net/haproxy/patches/0006-MEDIUM-connection-add-new-bit-in-Proxy-Protocol-V2.patch
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index a0d8e39c4..d4f4aad73 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=haproxy
 PKG_VERSION:=1.5.3
-PKG_RELEASE:=04
+PKG_RELEASE:=06
 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
 PKG_MD5SUM:=e999a547d57445d5a5ab7eb6a06df9a1
diff --git a/net/haproxy/patches/0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch b/net/haproxy/patches/0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch
new file mode 100644
index 000000000..439cc1e80
--- /dev/null
+++ b/net/haproxy/patches/0005-BUG-MEDIUM-http-tarpit-timeout-is-reset.patch
@@ -0,0 +1,45 @@
+From fc566b541e4c67cfbd8d6b40b627ce27dfc8a7cb Mon Sep 17 00:00:00 2001
+From: Thierry FOURNIER
+Date: Fri, 22 Aug 2014 06:55:26 +0200
+Subject: [PATCH 5/6] BUG/MEDIUM: http: tarpit timeout is reset
+
+Before the commit bbba2a8ecc35daf99317aaff7015c1931779c33b
+(1.5-dev24-8), the tarpit section set timeout and return, after this
+commit, the tarpit section set the timeout, and go to the "done" label
+which reset the timeout.
+
+Thanks Bryan Talbot for the bug report and analysis.
+
+This should be backported in 1.5.
+(cherry picked from commit 7566e30477bf5ea4206bda5950d2d83108c4a3dc)
+---
+ src/proto_http.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/proto_http.c b/src/proto_http.c
+index 2b75b32..bebc8bf 100644
+--- a/src/proto_http.c
++++ b/src/proto_http.c
+@@ -4117,8 +4117,9 @@ int http_process_req_common(struct session *s, struct channel *req, int an_bit,
+ done: /* done with this analyser, continue with next ones that the calling
+ * points will have set, if any.
+ */
+- req->analysers &= ~an_bit;
+ req->analyse_exp = TICK_ETERNITY;
++ done_without_exp: /* done with this analyser, but dont reset the analyse_exp. */
++ req->analysers &= ~an_bit;
+ return 1;
+
+ tarpit:
+@@ -4144,7 +4145,7 @@ int http_process_req_common(struct session *s, struct channel *req, int an_bit,
+ s->be->be_counters.denied_req++;
+ if (s->listener->counters)
+ s->listener->counters->denied_req++;
+- goto done;
++ goto done_without_exp;
+
+ deny: /* this request was blocked (denied) */
+ txn->flags |= TX_CLDENY;
+--
+1.8.5.5
+
diff --git a/net/haproxy/patches/0006-MEDIUM-connection-add-new-bit-in-Proxy-Protocol-V2.patch b/net/haproxy/patches/0006-MEDIUM-connection-add-new-bit-in-Proxy-Protocol-V2.patch
new file mode 100644
index 000000000..c9a55fd4f
--- /dev/null
+++ b/net/haproxy/patches/0006-MEDIUM-connection-add-new-bit-in-Proxy-Protocol-V2.patch
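Review bot: The comment on the new `done_without_exp:` label in src/proto_http.c says what it skips but not why, and "dont" is a typo; the reason, per the commit message, is that the tarpit path visible in the second hunk has just armed `req->analyse_exp` as its timeout and must not have it cleared, so I would write `done_without_exp: /* done with this analyser, but keep analyse_exp: the tarpit path has just armed it as its timeout. */`. As this file is a verbatim cherry-pick of upstream 7566e30477, the wording fix belongs upstream rather than in the package's copy of the patch. The enclosing http_process_req_common() starts and ends outside both hunks, so other jumps to the two labels are not visible here.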
@@ -0,0 +1,112 @@
+From d6ec605d2059191163cad27b7d7b215ed8d3725b Mon Sep 17 00:00:00 2001
+From: Dave McCowan <11235david@gmail.com>
+Date: Wed, 30 Jul 2014 10:39:13 -0400
+Subject: [PATCH 6/6] MEDIUM: connection: add new bit in Proxy Protocol V2
+
+There are two sample commands to get information about the presence of a
+client certificate.
+ssl_fc_has_crt is true if there is a certificate present in the current
+connection
+ssl_c_used is true if there is a certificate present in the session.
+If a session has stopped and resumed, then ssl_c_used could be true, while
+ssl_fc_has_crt is false.
+
+In the client byte of the TLS TLV of Proxy Protocol V2, there is only one
+bit to indicate whether a certificate is present on the connection. The
+attached patch adds a second bit to indicate the presence for the session.
+
+This maintains backward compatibility.
+
+[wt: this should be backported to 1.5 to help maintain compatibility
+ between versions]
+(cherry picked from commit 328fb58d745c03a0dc706da9e2fcd4e9f860a14b)
+---
+ include/proto/ssl_sock.h | 3 ++-
+ include/types/connection.h | 5 +++--
+ src/connection.c | 6 ++++--
+ src/ssl_sock.c | 21 +++++++++++++++++++--
+ 4 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
+index 3e111cd..10541ed 100644
+--- a/include/proto/ssl_sock.h
++++ b/include/proto/ssl_sock.h
+@@ -51,7 +51,8 @@ void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
+ const char *ssl_sock_get_cipher_name(struct connection *conn);
+ const char *ssl_sock_get_proto_version(struct connection *conn);
+ char *ssl_sock_get_version(struct connection *conn);
+-int ssl_sock_get_cert_used(struct connection *conn);
++int ssl_sock_get_cert_used_sess(struct connection *conn);
++int ssl_sock_get_cert_used_conn(struct connection *conn);
+ int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
+ unsigned int ssl_sock_get_verify_result(struct connection *conn);
+ #ifdef 
SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+diff --git a/include/types/connection.h b/include/types/connection.h
+index 2ae16d7..b317007 100644
+--- a/include/types/connection.h
++++ b/include/types/connection.h
+@@ -345,8 +345,9 @@ struct tlv_ssl {
+ uint8_t sub_tlv[0];
+ }__attribute__((packed));
+
+-#define PP2_CLIENT_SSL 0x01
+-#define PP2_CLIENT_CERT 0x02
++#define PP2_CLIENT_SSL 0x01
++#define PP2_CLIENT_CERT_CONN 0x02
++#define PP2_CLIENT_CERT_SESS 0x04
+
+ #endif /* _TYPES_CONNECTION_H */
+
+diff --git a/src/connection.c b/src/connection.c
+index 2dd2c02..3af6d9a 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -678,9 +678,11 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
+ tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len-ret-ssl_tlv_len), PP2_TYPE_SSL_VERSION, strlen(value), value);
+ ssl_tlv_len += tlv_len;
+ }
+- if (ssl_sock_get_cert_used(remote)) {
+- tlv->client |= PP2_CLIENT_CERT;
++ if (ssl_sock_get_cert_used_sess(remote)) {
++ tlv->client |= PP2_CLIENT_CERT_SESS;
+ tlv->verify = htonl(ssl_sock_get_verify_result(remote));
++ if (ssl_sock_get_cert_used_conn(remote))
++ tlv->client |= PP2_CLIENT_CERT_CONN;
+ }
+ if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
+ cn_trash = get_trash_chunk();
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index cf8adc7..da99a30 100644
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -2720,8 +2720,25 @@ out:
+ return result;
+ }
+
+-/* returns 1 if client passed a certificate, 0 if not */
+-int ssl_sock_get_cert_used(struct connection *conn)
++/* returns 1 if client passed a certificate for this session, 0 if not */
++int ssl_sock_get_cert_used_sess(struct connection *conn)
++{
++ X509 *crt = NULL;
++
++ if (!ssl_sock_is_ssl(conn))
++ return 0;
++
++ /* SSL_get_peer_certificate, it increase X509 * ref count */
++ crt = SSL_get_peer_certificate(conn->xprt_ctx);
++ if (!crt)
++ return 0;
++
++ X509_free(crt);
++ return 1;
++}
++
++/* returns 1 if client passed a certificate for this 
connection, 0 if not */
++int ssl_sock_get_cert_used_conn(struct connection *conn)
+ {
+ if (!ssl_sock_is_ssl(conn))
+ return 0;
+--
+1.8.5.5
+
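Review bot: In the src/connection.c hunk the `PP2_CLIENT_CERT_CONN` check is nested inside the `ssl_sock_get_cert_used_sess()` branch, so the 0x02 bit that the old code set straight from `ssl_sock_get_cert_used()` is now emitted only when the session-level check also passes; if the connection-level check can ever succeed while the session-level one fails (the body of `ssl_sock_get_cert_used_conn()` continues outside the last hunk, so this cannot be confirmed here), the "maintains backward compatibility" claim does not hold for receivers keyed on 0x02. If that cannot happen, the invariant belongs next to the bit definitions in include/types/connection.h, which currently carry no comment, e.g. `/* PP2_CLIENT_CERT_SESS: a client cert exists in the (possibly resumed) TLS session; PP2_CLIENT_CERT_CONN: it was presented on this connection, only ever set together with _SESS */`. Note also that `tlv->verify` is only filled in the `_SESS` branch, so a consumer must treat it as meaningful only when that bit is set, which the same comment should say. The old macro name `PP2_CLIENT_CERT` is removed rather than kept as an alias, so any out-of-tree code referencing it stops compiling even though the wire value 0x02 is preserved.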