haproxy: patches from upstream
- [PATCH 5/6] BUG/MEDIUM: http: tarpit timeout is reset - [PATCH 6/6] MEDIUM: connection: add new bit in Proxy Protocol V2 Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
This commit is contained in:
Thomas Heil
parent
1735f13d22
commit
7c167bfd16
3 changed files with 158 additions and 1 deletions
|
|
@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=haproxy
|
||||
PKG_VERSION:=1.5.3
|
||||
PKG_RELEASE:=04
|
||||
PKG_RELEASE:=06
|
||||
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
|
||||
PKG_MD5SUM:=e999a547d57445d5a5ab7eb6a06df9a1
|
||||
|
|
|
|||
|
|
@ -0,0 +1,45 @@
|
|||
From fc566b541e4c67cfbd8d6b40b627ce27dfc8a7cb Mon Sep 17 00:00:00 2001
|
||||
From: Thierry FOURNIER <tfournier@exceliance.fr>
|
||||
Date: Fri, 22 Aug 2014 06:55:26 +0200
|
||||
Subject: [PATCH 5/6] BUG/MEDIUM: http: tarpit timeout is reset
|
||||
|
||||
Before the commit bbba2a8ecc35daf99317aaff7015c1931779c33b
|
||||
(1.5-dev24-8), the tarpit section set timeout and return, after this
|
||||
commit, the tarpit section set the timeout, and go to the "done" label
|
||||
which reset the timeout.
|
||||
|
||||
Thanks Bryan Talbot for the bug report and analysis.
|
||||
|
||||
This should be backported in 1.5.
|
||||
(cherry picked from commit 7566e30477bf5ea4206bda5950d2d83108c4a3dc)
|
||||
---
|
||||
src/proto_http.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/proto_http.c b/src/proto_http.c
|
||||
index 2b75b32..bebc8bf 100644
|
||||
--- a/src/proto_http.c
|
||||
+++ b/src/proto_http.c
|
||||
@@ -4117,8 +4117,9 @@ int http_process_req_common(struct session *s, struct channel *req, int an_bit,
|
||||
done: /* done with this analyser, continue with next ones that the calling
|
||||
* points will have set, if any.
|
||||
*/
|
||||
- req->analysers &= ~an_bit;
|
||||
req->analyse_exp = TICK_ETERNITY;
|
||||
+ done_without_exp: /* done with this analyser, but dont reset the analyse_exp. */
|
||||
+ req->analysers &= ~an_bit;
|
||||
return 1;
|
||||
|
||||
tarpit:
|
||||
@@ -4144,7 +4145,7 @@ int http_process_req_common(struct session *s, struct channel *req, int an_bit,
|
||||
s->be->be_counters.denied_req++;
|
||||
if (s->listener->counters)
|
||||
s->listener->counters->denied_req++;
|
||||
- goto done;
|
||||
+ goto done_without_exp;
|
||||
|
||||
deny: /* this request was blocked (denied) */
|
||||
txn->flags |= TX_CLDENY;
|
||||
--
|
||||
1.8.5.5
|
||||
|
||||
|
|
@ -0,0 +1,112 @@
|
|||
From d6ec605d2059191163cad27b7d7b215ed8d3725b Mon Sep 17 00:00:00 2001
|
||||
From: Dave McCowan <11235david@gmail.com>
|
||||
Date: Wed, 30 Jul 2014 10:39:13 -0400
|
||||
Subject: [PATCH 6/6] MEDIUM: connection: add new bit in Proxy Protocol V2
|
||||
|
||||
There are two sample commands to get information about the presence of a
|
||||
client certificate.
|
||||
ssl_fc_has_crt is true if there is a certificate present in the current
|
||||
connection
|
||||
ssl_c_used is true if there is a certificate present in the session.
|
||||
If a session has stopped and resumed, then ssl_c_used could be true, while
|
||||
ssl_fc_has_crt is false.
|
||||
|
||||
In the client byte of the TLS TLV of Proxy Protocol V2, there is only one
|
||||
bit to indicate whether a certificate is present on the connection. The
|
||||
attached patch adds a second bit to indicate the presence for the session.
|
||||
|
||||
This maintains backward compatibility.
|
||||
|
||||
[wt: this should be backported to 1.5 to help maintain compatibility
|
||||
between versions]
|
||||
(cherry picked from commit 328fb58d745c03a0dc706da9e2fcd4e9f860a14b)
|
||||
---
|
||||
include/proto/ssl_sock.h | 3 ++-
|
||||
include/types/connection.h | 5 +++--
|
||||
src/connection.c | 6 ++++--
|
||||
src/ssl_sock.c | 21 +++++++++++++++++++--
|
||||
4 files changed, 28 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
|
||||
index 3e111cd..10541ed 100644
|
||||
--- a/include/proto/ssl_sock.h
|
||||
+++ b/include/proto/ssl_sock.h
|
||||
@@ -51,7 +51,8 @@ void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
|
||||
const char *ssl_sock_get_cipher_name(struct connection *conn);
|
||||
const char *ssl_sock_get_proto_version(struct connection *conn);
|
||||
char *ssl_sock_get_version(struct connection *conn);
|
||||
-int ssl_sock_get_cert_used(struct connection *conn);
|
||||
+int ssl_sock_get_cert_used_sess(struct connection *conn);
|
||||
+int ssl_sock_get_cert_used_conn(struct connection *conn);
|
||||
int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
|
||||
unsigned int ssl_sock_get_verify_result(struct connection *conn);
|
||||
#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
|
||||
diff --git a/include/types/connection.h b/include/types/connection.h
|
||||
index 2ae16d7..b317007 100644
|
||||
--- a/include/types/connection.h
|
||||
+++ b/include/types/connection.h
|
||||
@@ -345,8 +345,9 @@ struct tlv_ssl {
|
||||
uint8_t sub_tlv[0];
|
||||
}__attribute__((packed));
|
||||
|
||||
-#define PP2_CLIENT_SSL 0x01
|
||||
-#define PP2_CLIENT_CERT 0x02
|
||||
+#define PP2_CLIENT_SSL 0x01
|
||||
+#define PP2_CLIENT_CERT_CONN 0x02
|
||||
+#define PP2_CLIENT_CERT_SESS 0x04
|
||||
|
||||
#endif /* _TYPES_CONNECTION_H */
|
||||
|
||||
diff --git a/src/connection.c b/src/connection.c
|
||||
index 2dd2c02..3af6d9a 100644
|
||||
--- a/src/connection.c
|
||||
+++ b/src/connection.c
|
||||
@@ -678,9 +678,11 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
|
||||
tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len-ret-ssl_tlv_len), PP2_TYPE_SSL_VERSION, strlen(value), value);
|
||||
ssl_tlv_len += tlv_len;
|
||||
}
|
||||
- if (ssl_sock_get_cert_used(remote)) {
|
||||
- tlv->client |= PP2_CLIENT_CERT;
|
||||
+ if (ssl_sock_get_cert_used_sess(remote)) {
|
||||
+ tlv->client |= PP2_CLIENT_CERT_SESS;
|
||||
tlv->verify = htonl(ssl_sock_get_verify_result(remote));
|
||||
+ if (ssl_sock_get_cert_used_conn(remote))
|
||||
+ tlv->client |= PP2_CLIENT_CERT_CONN;
|
||||
}
|
||||
if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
|
||||
cn_trash = get_trash_chunk();
|
||||
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
|
||||
index cf8adc7..da99a30 100644
|
||||
--- a/src/ssl_sock.c
|
||||
+++ b/src/ssl_sock.c
|
||||
@@ -2720,8 +2720,25 @@ out:
|
||||
return result;
|
||||
}
|
||||
|
||||
-/* returns 1 if client passed a certificate, 0 if not */
|
||||
-int ssl_sock_get_cert_used(struct connection *conn)
|
||||
+/* returns 1 if client passed a certificate for this session, 0 if not */
|
||||
+int ssl_sock_get_cert_used_sess(struct connection *conn)
|
||||
+{
|
||||
+ X509 *crt = NULL;
|
||||
+
|
||||
+ if (!ssl_sock_is_ssl(conn))
|
||||
+ return 0;
|
||||
+
|
||||
+ /* SSL_get_peer_certificate, it increase X509 * ref count */
|
||||
+ crt = SSL_get_peer_certificate(conn->xprt_ctx);
|
||||
+ if (!crt)
|
||||
+ return 0;
|
||||
+
|
||||
+ X509_free(crt);
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+/* returns 1 if client passed a certificate for this connection, 0 if not */
|
||||
+int ssl_sock_get_cert_used_conn(struct connection *conn)
|
||||
{
|
||||
if (!ssl_sock_is_ssl(conn))
|
||||
return 0;
|
||||
--
|
||||
1.8.5.5
|
||||
|
||||
Loading…
Reference in a new issue