
Bug#767674: marked as done (unblock: haproxy/1.5.8-1)



Your message dated Sun, 2 Nov 2014 13:47:46 +0000
with message-id <20141102134746.GB18934@lupin.home.powdarrmonkey.net>
and subject line Re: Bug#767674: unblock: haproxy/1.5.8-1
has caused the Debian Bug report #767674,
regarding unblock: haproxy/1.5.8-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
767674: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767674
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock


Hi!

I would like to upload haproxy 1.5.8 in unstable. This would solve
#767670. There are other fixes included in 1.5.7 and 1.5.8 as well as
support to disable globally SSLv3. The default configuration file now
does that.

Find the debdiff attached.

unblock haproxy/1.5.8-1

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

 CHANGELOG              |  15 ++++
 README                 |   4 +-
 VERDATE                |   2 +-
 VERSION                |   2 +-
 debian/changelog       |  21 ++++++
 debian/haproxy.cfg     |   1 +
 doc/configuration.txt  |  91 ++++++++++++++++-------
 examples/haproxy.spec  |   8 +-
 include/types/global.h |   2 +
 src/buffer.c           |   5 ++
 src/dumpstats.c        |   3 +
 src/proto_http.c       |   5 +-
 src/proto_tcp.c        |  25 +++++--
 src/regex.c            |   2 +-
 src/ssl_sock.c         | 195 ++++++++++++++++++++++++++++++++++++++++++++++++-
 15 files changed, 338 insertions(+), 43 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 418dada3727f..5c45b7e44565 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,21 @@
 ChangeLog :
 ===========
 
+2014/10/31 : 1.5.8
+    - BUG/MAJOR: buffer: check the space left is enough or not when input data in a buffer is wrapped
+    - BUG/BUILD: revert accidental change in the makefile from latest SSL fix
+
+2014/10/30 : 1.5.7
+    - BUG/MEDIUM: regex: fix pcre_study error handling
+    - BUG/MINOR: log: fix request flags when keep-alive is enabled
+    - MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER formatted certs
+    - MINOR: ssl: add statement to force some ssl options in global.
+    - BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates
+    - BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
+    - BUG/MAJOR: cli: explicitly call cli_release_handler() upon error
+    - BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol
+    - BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets
+
 2014/10/18 : 1.5.6
     - BUG/MEDIUM: systemd: set KillMode to 'mixed'
     - MINOR: systemd: Check configuration before start
diff --git a/README b/README
index d111b4344087..2dd8e832ef62 100644
--- a/README
+++ b/README
@@ -1,9 +1,9 @@
                          ----------------------
                              HAProxy how-to
                          ----------------------
-                             version 1.5.6
+                             version 1.5.8
                              willy tarreau
-                               2014/10/18
+                               2014/10/31
 
 
 1) How to build it
diff --git a/VERDATE b/VERDATE
index 4fa775a2bb6f..3953fe55fa40 100644
--- a/VERDATE
+++ b/VERDATE
@@ -1,2 +1,2 @@
 $Format:%ci$
-2014/10/18
+2014/10/31
diff --git a/VERSION b/VERSION
index eac1e0ada6d8..1cc9c180e266 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.5.6
+1.5.8
diff --git a/debian/changelog b/debian/changelog
index 7e7bbb4de908..ede628a86187 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,24 @@
+haproxy (1.5.8-1) unstable; urgency=medium
+
+  * New upstream stable release including the following fixes:
+
+     + BUG/MAJOR: buffer: check the space left is enough or not when input
+                  data in a buffer is wrapped
+     + BUG/MINOR: ssl: correctly initialize ssl ctx for invalid certificates
+     + BUG/MEDIUM: tcp: don't use SO_ORIGINAL_DST on non-AF_INET sockets
+     + BUG/MEDIUM: regex: fix pcre_study error handling
+     + BUG/MEDIUM: tcp: fix outgoing polling based on proxy protocol
+     + BUG/MINOR: log: fix request flags when keep-alive is enabled
+     + BUG/MAJOR: cli: explicitly call cli_release_handler() upon error
+     + BUG/MEDIUM: http: don't dump debug headers on MSG_ERROR
+  * Also includes the following new features:
+     + MINOR: ssl: add statement to force some ssl options in global.
+     + MINOR: ssl: add fetchs 'ssl_c_der' and 'ssl_f_der' to return DER
+              formatted certs
+  * Disable SSLv3 in the default configuration file.
+
+ -- Vincent Bernat <bernat@debian.org>  Fri, 31 Oct 2014 13:48:19 +0100
+
 haproxy (1.5.6-1) unstable; urgency=medium
 
   * New upstream stable release including the following fixes:
diff --git a/debian/haproxy.cfg b/debian/haproxy.cfg
index 9df24dc7b516..f84a37c9b428 100644
--- a/debian/haproxy.cfg
+++ b/debian/haproxy.cfg
@@ -15,6 +15,7 @@ global
 	# Default ciphers to use on SSL-enabled listening sockets.
 	# For more information, see ciphers(1SSL).
 	ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
+        ssl-default-bind-options no-sslv3
 
 defaults
 	log	global
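Review bot: the added `ssl-default-bind-options no-sslv3` line is indented with eight spaces while the neighbouring `global` entries in this hunk (`ssl-default-bind-ciphers` and the `# Default ciphers` comment lines) use a tab; switch it to a tab so the shipped config stays consistent. A one-line comment above it, in the style of the ciphers comment, saying that SSLv3 is disabled on all listening sockets and pointing at "ssl-default-bind-options" in the configuration manual would also help administrators who read the default file to see why the setting is there.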
diff --git a/doc/configuration.txt b/doc/configuration.txt
index d2887589cbef..7c4e18bf51d9 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2,9 +2,9 @@
                                 HAProxy
                           Configuration Manual
                          ----------------------
-                             version 1.5.6
+                             version 1.5.8
                              willy tarreau
-                              2014/10/18
+                              2014/10/31
 
 
 This document covers the configuration language as implemented in the version
@@ -657,6 +657,15 @@ ssl-default-bind-ciphers <ciphers>
   as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
   "bind" keyword for more information.
 
+ssl-default-bind-options [<option>]...
+  This setting is only available when support for OpenSSL was built in. It sets
+  default ssl-options to force on all "bind" lines. Please check the "bind"
+  keyword to see available options.
+
+  Example:
+        global
+           ssl-default-bind-options no-sslv3 no-tls-tickets
+
 ssl-default-server-ciphers <ciphers>
   This setting is only available when support for OpenSSL was built in. It
   sets the default string describing the list of cipher algorithms that are
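Review bot: the new `ssl-default-bind-options` entry says the options are "forced on all bind lines" but does not say how they combine with options written on a `bind` line itself; the src/ssl_sock.c hunk applies them with `conf->ssl_options |= global.listen_default_ssloptions;`, so they are ORed in and a listener cannot undo a global `no-sslv3`. Stating that here (for example "these options are added to those of every bind line and cannot be overridden per listener") would spare operators a surprise.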
@@ -665,6 +674,11 @@ ssl-default-server-ciphers <ciphers>
   defined in "man 1 ciphers". Please check the "server" keyword for more
   information.
 
+ssl-default-server-options [<option>]...
+  This setting is only available when support for OpenSSL was built in. It sets
+  default ssl-options to force on all "server" lines. Please check the "server"
+  keyword to see available options.
+
 ssl-server-verify [none|required]
   The default behavior for SSL verify on servers side. If specified to 'none',
   servers certificates are not verified. The default is 'required' except if
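Review bot: same remark as for the bind variant: the `ssl-default-server-options` text should say that the global options are added to (ORed with) the options of each `server` line rather than replaced by them, which is what `newsrv->ssl_ctx.options |= global.connect_default_ssloptions;` in the src/ssl_sock.c hunk does.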
@@ -8379,19 +8393,23 @@ defer-accept
 force-sslv3
   This option enforces use of SSLv3 only on SSL connections instantiated from
   this listener. SSLv3 is generally less expensive than the TLS counterparts
-  for high connection rates. See also "force-tls*", "no-sslv3", and "no-tls*".
+  for high connection rates. This option is also available on global statement
+  "ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
 
 force-tlsv10
   This option enforces use of TLSv1.0 only on SSL connections instantiated from
-  this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+  this listener. This option is also available on global statement
+  "ssl-default-bind-options". See also "no-tlsv*" and "no-sslv3".
 
 force-tlsv11
   This option enforces use of TLSv1.1 only on SSL connections instantiated from
-  this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+  this listener. This option is also available on global statement
+  "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
 
 force-tlsv12
   This option enforces use of TLSv1.2 only on SSL connections instantiated from
-  this listener. See also "force-tls*", "no-sslv3", and "no-tls*".
+  this listener. This option is also available on global statement
+  "ssl-default-bind-options". See also "no-tlsv*", and "no-sslv3".
 
 gid <gid>
   Sets the group of the UNIX sockets to the designated system gid. It can also
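Review bot: the "See also" punctuation is inconsistent within this hunk: `force-sslv3` and `force-tlsv10` now end with `See also "no-tlsv*" and "no-sslv3".` while `force-tlsv11` and `force-tlsv12` end with `See also "no-tlsv*", and "no-sslv3".`; pick one form (the first reads better) for all four entries.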
@@ -8484,35 +8502,40 @@ no-sslv3
   This setting is only available when support for OpenSSL was built in. It
   disables support for SSLv3 on any sockets instantiated from the listener when
   SSL is supported. Note that SSLv2 is forced disabled in the code and cannot
-  be enabled using any configuration option. See also "force-tls*",
+  be enabled using any configuration option. This option is also available on
+  global statement "ssl-default-bind-options". See also "force-tls*",
   and "force-sslv3".
 
 no-tls-tickets
   This setting is only available when support for OpenSSL was built in. It
   disables the stateless session resumption (RFC 5077 TLS Ticket
   extension) and force to use stateful session resumption. Stateless
-  session resumption is more expensive in CPU usage.
+  session resumption is more expensive in CPU usage. This option is also
+  available on global statement "ssl-default-bind-options".
 
 no-tlsv10
   This setting is only available when support for OpenSSL was built in. It
   disables support for TLSv1.0 on any sockets instantiated from the listener
   when SSL is supported. Note that SSLv2 is forced disabled in the code and
-  cannot be enabled using any configuration option. See also "force-tls*",
-  and "force-sslv3".
+  cannot be enabled using any configuration option. This option is also
+  available on global statement "ssl-default-bind-options". See also
+  "force-tlsv*", and "force-sslv3".
 
 no-tlsv11
   This setting is only available when support for OpenSSL was built in. It
   disables support for TLSv1.1 on any sockets instantiated from the listener
   when SSL is supported. Note that SSLv2 is forced disabled in the code and
-  cannot be enabled using any configuration option. See also "force-tls*",
-  and "force-sslv3".
+  cannot be enabled using any configuration option. This option is also
+  available on global statement "ssl-default-bind-options". See also
+  "force-tlsv*", and "force-sslv3".
 
 no-tlsv12
   This setting is only available when support for OpenSSL was built in. It
   disables support for TLSv1.2 on any sockets instantiated from the listener
   when SSL is supported. Note that SSLv2 is forced disabled in the code and
-  cannot be enabled using any configuration option. See also "force-tls*",
-  and "force-sslv3".
+  cannot be enabled using any configuration option. This option is also
+  available on global statement "ssl-default-bind-options". See also
+  "force-tlsv*", and "force-sslv3".
 
 npn <protocols>
   This enables the NPN TLS extension and advertises the specified protocol list
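Review bot: the `no-sslv3` entry in this hunk still ends with `See also "force-tls*",` while the `no-tlsv10`, `no-tlsv11` and `no-tlsv12` entries right below it were changed to `"force-tlsv*"` in the same hunk; update `no-sslv3` too so the cross-reference names the keywords as they are spelled (`force-tlsv10`, `force-tlsv11`, `force-tlsv12`).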
@@ -8845,25 +8868,29 @@ fall <count>
 force-sslv3
   This option enforces use of SSLv3 only when SSL is used to communicate with
   the server. SSLv3 is generally less expensive than the TLS counterparts for
-  high connection rates. See also "no-tlsv*", "no-sslv3".
+  high connection rates. This option is also available on global statement
+  "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
 
   Supported in default-server: No
 
 force-tlsv10
   This option enforces use of TLSv1.0 only when SSL is used to communicate with
-  the server. See also "no-tlsv*", "no-sslv3".
+  the server. This option is also available on global statement
+  "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
 
   Supported in default-server: No
 
 force-tlsv11
   This option enforces use of TLSv1.1 only when SSL is used to communicate with
-  the server. See also "no-tlsv*", "no-sslv3".
+  the server. This option is also available on global statement
+  "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
 
   Supported in default-server: No
 
 force-tlsv12
   This option enforces use of TLSv1.2 only when SSL is used to communicate with
-  the server. See also "no-tlsv*", "no-sslv3".
+  the server. This option is also available on global statement
+  "ssl-default-server-options". See also "no-tlsv*", "no-sslv3".
 
   Supported in default-server: No
 
@@ -8951,7 +8978,8 @@ no-tls-tickets
   This setting is only available when support for OpenSSL was built in. It
   disables the stateless session resumption (RFC 5077 TLS Ticket
   extension) and force to use stateful session resumption. Stateless
-  session resumption is more expensive in CPU usage for servers.
+  session resumption is more expensive in CPU usage for servers. This option
+  is also available on global statement "ssl-default-server-options".
 
   Supported in default-server: No
 
@@ -8959,8 +8987,9 @@ no-tlsv10
   This option disables support for TLSv1.0 when SSL is used to communicate with
   the server. Note that SSLv2 is disabled in the code and cannot be enabled
   using any configuration option. TLSv1 is more expensive than SSLv3 so it
-  often makes sense to disable it when communicating with local servers. See
-  also "force-sslv3", "force-tlsv*".
+  often makes sense to disable it when communicating with local servers. This
+  option is also available on global statement "ssl-default-server-options".
+  See also "force-sslv3", "force-tlsv*".
 
   Supported in default-server: No
 
@@ -8968,8 +8997,9 @@ no-tlsv11
   This option disables support for TLSv1.1 when SSL is used to communicate with
   the server. Note that SSLv2 is disabled in the code and cannot be enabled
   using any configuration option. TLSv1 is more expensive than SSLv3 so it
-  often makes sense to disable it when communicating with local servers. See
-  also "force-sslv3", "force-tlsv*".
+  often makes sense to disable it when communicating with local servers. This
+  option is also available on global statement "ssl-default-server-options".
+  See also "force-sslv3", "force-tlsv*".
 
   Supported in default-server: No
 
@@ -8977,8 +9007,9 @@ no-tlsv12
   This option disables support for TLSv1.2 when SSL is used to communicate with
   the server. Note that SSLv2 is disabled in the code and cannot be enabled
   using any configuration option. TLSv1 is more expensive than SSLv3 so it
-  often makes sense to disable it when communicating with local servers. See
-  also "force-sslv3", "force-tlsv*".
+  often makes sense to disable it when communicating with local servers. This
+  option is also available on global statement "ssl-default-server-options".
+  See also "force-sslv3", "force-tlsv*".
 
   Supported in default-server: No
 
@@ -10681,6 +10712,11 @@ ssl_c_ca_err_depth : integer
   verification of the client certificate. If no error is encountered, 0 is
   returned.
 
+ssl_c_der : binary
+  Returns the DER formatted certificate presented by the client when the
+  incoming connection was made over an SSL/TLS transport layer. When used for
+  an ACL, the value(s) to match against can be passed in hexadecimal form.
+
 ssl_c_err : integer
   When the incoming connection was made over an SSL/TLS transport layer,
   returns the ID of the first error detected during verification at depth 0, or
@@ -10756,6 +10792,11 @@ ssl_c_version : integer
   Returns the version of the certificate presented by the client when the
   incoming connection was made over an SSL/TLS transport layer.
 
+ssl_f_der : binary
+  Returns the DER formatted certificate presented by the frontend when the
+  incoming connection was made over an SSL/TLS transport layer. When used for
+  an ACL, the value(s) to match against can be passed in hexadecimal form.
+
 ssl_f_i_dn([<entry>[,<occ>]]) : string
   When the incoming connection was made over an SSL/TLS transport layer,
   returns the full distinguished name of the issuer of the certificate
diff --git a/examples/haproxy.spec b/examples/haproxy.spec
index df6169e62555..b39e7809797c 100644
--- a/examples/haproxy.spec
+++ b/examples/haproxy.spec
@@ -1,6 +1,6 @@
 Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments
 Name: haproxy
-Version: 1.5.6
+Version: 1.5.8
 Release: 1
 License: GPL
 Group: System Environment/Daemons
@@ -76,6 +76,12 @@ fi
 %attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
 
 %changelog
+* Fri Oct 31 2014 Willy Tarreau <w@1wt.eu>
+- updated to 1.5.8
+
+* Thu Oct 30 2014 Willy Tarreau <w@1wt.eu>
+- updated to 1.5.7
+
 * Sat Oct 18 2014 Willy Tarreau <w@1wt.eu>
 - updated to 1.5.6
 
diff --git a/include/types/global.h b/include/types/global.h
index 77df1ddb3f86..f1525ae32778 100644
--- a/include/types/global.h
+++ b/include/types/global.h
@@ -85,6 +85,8 @@ struct global {
 	int maxsslconn;
 	char *listen_default_ciphers;
 	char *connect_default_ciphers;
+	int listen_default_ssloptions;
+	int connect_default_ssloptions;
 #endif
 	unsigned int ssl_server_verify; /* default verify mode on servers side */
 	struct freq_ctr conn_per_sec;
diff --git a/src/buffer.c b/src/buffer.c
index 91bee637be25..9037dd3febfc 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -88,6 +88,11 @@ int buffer_insert_line2(struct buffer *b, char *pos, const char *str, int len)
 	if (bi_end(b) + delta >= b->data + b->size)
 		return 0;  /* no space left */
 
+	if (buffer_not_empty(b) &&
+	    bi_end(b) + delta > bo_ptr(b) &&
+	    bo_ptr(b) >= bi_end(b))
+		return 0;  /* no space left before wrapping data */
+
 	/* first, protect the end of the buffer */
 	memmove(pos + delta, pos, bi_end(b) - pos);
 
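Review bot: the new three-clause test deserves a comment explaining the layout it guards against, since `bo_ptr(b) >= bi_end(b)` is only true when the output data has wrapped and now sits physically after the input end, and in that case `bi_end(b) + delta` must not run into `bo_ptr(b)`; the terse "no space left before wrapping data" does not convey that to the next reader. The `>` (rather than `>=`) against `bo_ptr(b)` is correct because `bo_ptr` is the first byte of pending output, so landing exactly on it is still fine, and that too is worth a word in the comment.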
diff --git a/src/dumpstats.c b/src/dumpstats.c
index 09bc7f64e9a3..446663926981 100644
--- a/src/dumpstats.c
+++ b/src/dumpstats.c
@@ -131,6 +131,7 @@ static int stats_dump_stat_to_buffer(struct stream_interface *si, struct uri_aut
 static int stats_pats_list(struct stream_interface *si);
 static int stats_pat_list(struct stream_interface *si);
 static int stats_map_lookup(struct stream_interface *si);
+static void cli_release_handler(struct stream_interface *si);
 
 /*
  * cli_io_handler()
@@ -2336,6 +2337,7 @@ static void cli_io_handler(struct stream_interface *si)
 		}
 		else {	/* output functions: first check if the output buffer is closed then abort */
 			if (res->flags & (CF_SHUTR_NOW|CF_SHUTR)) {
+				cli_release_handler(si);
 				appctx->st0 = STAT_CLI_END;
 				continue;
 			}
@@ -2389,6 +2391,7 @@ static void cli_io_handler(struct stream_interface *si)
 					appctx->st0 = STAT_CLI_PROMPT;
 				break;
 			default: /* abnormal state */
+				cli_release_handler(si);
 				appctx->st0 = STAT_CLI_PROMPT;
 				break;
 			}
diff --git a/src/proto_http.c b/src/proto_http.c
index 20e70881cef7..e442b57f34eb 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -2546,7 +2546,7 @@ int http_wait_for_request(struct session *s, struct channel *req, int an_bit)
 	/* 1: we might have to print this header in debug mode */
 	if (unlikely((global.mode & MODE_DEBUG) &&
 		     (!(global.mode & MODE_QUIET) || (global.mode & MODE_VERBOSE)) &&
-		     (msg->msg_state >= HTTP_MSG_BODY || msg->msg_state == HTTP_MSG_ERROR))) {
+		     msg->msg_state >= HTTP_MSG_BODY)) {
 		char *eol, *sol;
 
 		sol = req->buf->p;
@@ -4893,6 +4893,7 @@ void http_end_txn_clean_session(struct session *s)
 	s->rep->flags &= ~(CF_SHUTR|CF_SHUTR_NOW|CF_READ_ATTACHED|CF_READ_ERROR|CF_READ_NOEXP|CF_STREAMER|CF_STREAMER_FAST|CF_WRITE_PARTIAL|CF_NEVER_WAIT|CF_WROTE_DATA);
 	s->flags &= ~(SN_DIRECT|SN_ASSIGNED|SN_ADDR_SET|SN_BE_ASSIGNED|SN_FORCE_PRST|SN_IGNORE_PRST);
 	s->flags &= ~(SN_CURR_SESS|SN_REDIRECTABLE|SN_SRV_REUSED);
+	s->flags &= ~(SN_ERR_MASK|SN_FINST_MASK|SN_REDISP);
 
 	s->txn.meth = 0;
 	http_reset_txn(s);
@@ -5661,7 +5662,7 @@ int http_wait_for_response(struct session *s, struct channel *rep, int an_bit)
 	/* 1: we might have to print this header in debug mode */
 	if (unlikely((global.mode & MODE_DEBUG) &&
 		     (!(global.mode & MODE_QUIET) || (global.mode & MODE_VERBOSE)) &&
-		     (msg->msg_state >= HTTP_MSG_BODY || msg->msg_state == HTTP_MSG_ERROR))) {
+		     msg->msg_state >= HTTP_MSG_BODY)) {
 		char *eol, *sol;
 
 		sol = rep->buf->p;
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index acabbcd548a6..cfa62f72223c 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -450,15 +450,12 @@ int tcp_connect_server(struct connection *conn, int data, int delack)
 		}
 	}
 
-	/* if a send_proxy is there, there are data */
-	data |= conn->send_proxy_ofs;
-
 #if defined(TCP_QUICKACK)
 	/* disabling tcp quick ack now allows the first request to leave the
 	 * machine with the first ACK. We only do this if there are pending
 	 * data in the buffer.
 	 */
-	if (delack == 2 || ((delack || data) && (be->options2 & PR_O2_SMARTCON)))
+	if (delack == 2 || ((delack || data || conn->send_proxy_ofs) && (be->options2 & PR_O2_SMARTCON)))
                 setsockopt(fd, IPPROTO_TCP, TCP_QUICKACK, &zero, sizeof(zero));
 #endif
 
@@ -558,12 +555,24 @@ int tcp_get_dst(int fd, struct sockaddr *sa, socklen_t salen, int dir)
 {
 	if (dir)
 		return getpeername(fd, sa, &salen);
+	else {
+		int ret = getsockname(fd, sa, &salen);
+
+		if (ret < 0)
+			return ret;
+
 #if defined(TPROXY) && defined(SO_ORIGINAL_DST)
-	else if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, sa, &salen) == 0)
-		return 0;
+		/* For TPROXY and Netfilter's NAT, we can retrieve the original
+		 * IPv4 address before DNAT/REDIRECT. We must not do that with
+		 * other families because v6-mapped IPv4 addresses are still
+		 * reported as v4.
+		 */
+		if (((struct sockaddr_storage *)sa)->ss_family == AF_INET
+		    && getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, sa, &salen) == 0)
+			return 0;
 #endif
-	else
-		return getsockname(fd, sa, &salen);
+		return ret;
+	}
 }
 
 /* Tries to drain any pending incoming data from the socket to reach the
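Review bot: `((struct sockaddr_storage *)sa)->ss_family` can simply be `sa->sa_family`, which is the same field in the generic `struct sockaddr` the function already receives and avoids a cast that assumes the caller passed a full `sockaddr_storage`. Separately, the `else {` after an unconditional `return getpeername(...)` is redundant; dropping the `else` and one level of indentation would make the new IPv4-only `SO_ORIGINAL_DST` branch easier to read. The fix itself is sound: `getsockname()` is now always the baseline and `SO_ORIGINAL_DST` only overrides it for `AF_INET`, so v6-mapped v4 sockets no longer get a mis-sized answer.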
diff --git a/src/regex.c b/src/regex.c
index dda666db2208..c0b23cb12515 100644
--- a/src/regex.c
+++ b/src/regex.c
@@ -290,7 +290,7 @@ int regex_comp(const char *str, struct my_regex *regex, int cs, int cap, char **
 
 #ifdef USE_PCRE_JIT
 	regex->extra = pcre_study(regex->reg, PCRE_STUDY_JIT_COMPILE, &error);
-	if (!regex->extra) {
+	if (!regex->extra && error != NULL) {
 		pcre_free(regex->reg);
 		memprintf(err, "failed to compile regex '%s' (error=%s)", str, error);
 		return 0;
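Review bot: the relaxed condition `!regex->extra && error != NULL` is right, since pcre_study() legitimately returns NULL with `error` left NULL when it has nothing to add, and pcre_exec() accepts a NULL extra; a short comment on the `if` saying exactly that would stop the next person from "fixing" it back. Please also check that nothing later in this file dereferences `regex->extra` unconditionally on the JIT path now that NULL is a success value.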
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index da99a300fce4..f8bfbe758222 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -56,6 +56,7 @@
 #include <common/standard.h>
 #include <common/ticks.h>
 #include <common/time.h>
+#include <common/cfgparse.h>
 
 #include <ebsttree.h>
 
@@ -1948,10 +1949,15 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px)
 	if (!bind_conf || !bind_conf->is_ssl)
 		return 0;
 
+	if (bind_conf->default_ctx)
+		err += ssl_sock_prepare_ctx(bind_conf, bind_conf->default_ctx, px);
+
 	node = ebmb_first(&bind_conf->sni_ctx);
 	while (node) {
 		sni = ebmb_entry(node, struct sni_ctx, name);
-		if (!sni->order) /* only initialize the CTX on its first occurrence */
+		if (!sni->order && sni->ctx != bind_conf->default_ctx)
+			/* only initialize the CTX on its first occurrence and
+			   if it is not the default_ctx */
 			err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
 		node = ebmb_next(node);
 	}
@@ -1959,7 +1965,9 @@ int ssl_sock_prepare_all_ctx(struct bind_conf *bind_conf, struct proxy *px)
 	node = ebmb_first(&bind_conf->sni_w_ctx);
 	while (node) {
 		sni = ebmb_entry(node, struct sni_ctx, name);
-		if (!sni->order) /* only initialize the CTX on its first occurrence */
+		if (!sni->order && sni->ctx != bind_conf->default_ctx)
+			/* only initialize the CTX on its first occurrence and
+			   if it is not the default_ctx */
 			err += ssl_sock_prepare_ctx(bind_conf, sni->ctx, px);
 		node = ebmb_next(node);
 	}
@@ -2543,6 +2551,28 @@ ssl_sock_get_serial(X509 *crt, struct chunk *out)
 	return 1;
 }
 
+/* Extract a cert to der, and copy it to a chunk.
+ * Returns 1 if cert is found and copied, 0 on der convertion failure and
+ * -1 if output is not large enough.
+ */
+static int
+ssl_sock_crt2der(X509 *crt, struct chunk *out)
+{
+	int len;
+	unsigned char *p = (unsigned char *)out->str;;
+
+	len =i2d_X509(crt, NULL);
+	if (len <= 0)
+		return 1;
+
+	if (out->size < len)
+		return -1;
+
+	i2d_X509(crt,&p);
+	out->len = len;
+	return 1;
+}
+
 
 /* Copy Date in ASN1_UTCTIME format in struct chunk out.
  * Returns 1 if serial is found and copied, 0 if no valid time found
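Review bot: `ssl_sock_crt2der` returns 1 when `i2d_X509(crt, NULL)` gives `len <= 0`, but its own comment promises 0 on DER conversion failure and the caller in the next hunk treats `<= 0` as failure, so a conversion error currently produces a "successful" sample whose `out->len` was never set; that branch should `return 0`. The second call `i2d_X509(crt,&p)` also returns the encoded length and should be compared with `len` before `out->len = len` is trusted. Style points in the same hunk: the stray double semicolon in `unsigned char *p = (unsigned char *)out->str;;`, the spacing in `len =i2d_X509(crt, NULL);` and `i2d_X509(crt,&p);`, and "convertion" in the comment should read "conversion".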
@@ -2783,6 +2813,54 @@ smp_fetch_ssl_fc_has_crt(struct proxy *px, struct session *l4, void *l7, unsigne
 	return 1;
 }
 
+/* binary, returns a certificate in a binary chunk (der/raw).
+ * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
+ * should be use.
+ */
+static int
+smp_fetch_ssl_x_der(struct proxy *px, struct session *l4, void *l7, unsigned int opt,
+                    const struct arg *args, struct sample *smp, const char *kw)
+{
+	int cert_peer = (kw[4] == 'c') ? 1 : 0;
+	X509 *crt = NULL;
+	int ret = 0;
+	struct chunk *smp_trash;
+	struct connection *conn;
+
+	if (!l4)
+		return 0;
+
+	conn = objt_conn(l4->si[0].end);
+	if (!conn || conn->xprt != &ssl_sock)
+		return 0;
+
+	if (!(conn->flags & CO_FL_CONNECTED)) {
+		smp->flags |= SMP_F_MAY_CHANGE;
+		return 0;
+	}
+
+	if (cert_peer)
+		crt = SSL_get_peer_certificate(conn->xprt_ctx);
+	else
+		crt = SSL_get_certificate(conn->xprt_ctx);
+
+	if (!crt)
+		goto out;
+
+	smp_trash = get_trash_chunk();
+	if (ssl_sock_crt2der(crt, smp_trash) <= 0)
+		goto out;
+
+	smp->data.str = *smp_trash;
+	smp->type = SMP_T_BIN;
+	ret = 1;
+out:
+	/* SSL_get_peer_certificate, it increase X509 * ref count */
+	if (cert_peer && crt)
+		X509_free(crt);
+	return ret;
+}
+
 /* binary, returns serial of certificate in a binary chunk.
  * The 5th keyword char is used to know if SSL_get_certificate or SSL_get_peer_certificate
  * should be use.
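Review bot: the comment at the `out:` label, "SSL_get_peer_certificate, it increase X509 * ref count", is hard to parse; something like "SSL_get_peer_certificate() increments the X509 refcount so we must free it, SSL_get_certificate() does not" states the reason the free is conditional on `cert_peer`. The header comment's "should be use" (copied from the serial fetch below) should be "should be used". The logic otherwise looks right: the sample is typed `SMP_T_BIN` and the `CO_FL_CONNECTED` check sets `SMP_F_MAY_CHANGE` so an early evaluation retries once the handshake completes.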
@@ -4039,6 +4117,7 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
 
 	if (global.listen_default_ciphers && !conf->ciphers)
 		conf->ciphers = strdup(global.listen_default_ciphers);
+	conf->ssl_options |= global.listen_default_ssloptions;
 
 	list_for_each_entry(l, &conf->listeners, by_bind)
 		l->xprt = &ssl_sock;
@@ -4103,6 +4182,7 @@ static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, stru
 	newsrv->check.use_ssl = 1;
 	if (global.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
 		newsrv->ssl_ctx.ciphers = strdup(global.connect_default_ciphers);
+	newsrv->ssl_ctx.options |= global.connect_default_ssloptions;
 	return 0;
 }
 
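Review bot: this hunk applies `global.connect_default_ssloptions` inside the function whose context line is `newsrv->check.use_ssl = 1;` (the `check-ssl` keyword parser), and it is the only server-side application of that field anywhere in this debdiff; please confirm that the parser for the plain `ssl` server keyword gets the same `newsrv->ssl_ctx.options |= global.connect_default_ssloptions;` line, otherwise `ssl-default-server-options` silently does nothing for a server that uses `ssl` without `check-ssl`, contradicting the manual text added in doc/configuration.txt.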
@@ -4296,6 +4376,106 @@ static int srv_parse_verifyhost(char **args, int *cur_arg, struct proxy *px, str
 	return 0;
 }
 
+/* parse the "ssl-default-bind-options" keyword in global section */
+static int ssl_parse_default_bind_options(char **args, int section_type, struct proxy *curpx,
+                                          struct proxy *defpx, const char *file, int line,
+                                          char **err) {
+	int i = 1;
+
+	if (*(args[i]) == 0) {
+		memprintf(err, "global statement '%s' expects an option as an argument.", args[0]);
+		return -1;
+	}
+	while (*(args[i])) {
+		if (!strcmp(args[i], "no-sslv3"))
+			global.listen_default_ssloptions |= BC_SSL_O_NO_SSLV3;
+		else if (!strcmp(args[i], "no-tlsv10"))
+			global.listen_default_ssloptions |= BC_SSL_O_NO_TLSV10;
+		else if (!strcmp(args[i], "no-tlsv11"))
+			global.listen_default_ssloptions |= BC_SSL_O_NO_TLSV11;
+		else if (!strcmp(args[i], "no-tlsv12"))
+			global.listen_default_ssloptions |= BC_SSL_O_NO_TLSV12;
+		else if (!strcmp(args[i], "force-sslv3"))
+			global.listen_default_ssloptions |= BC_SSL_O_USE_SSLV3;
+		else if (!strcmp(args[i], "force-tlsv10"))
+			global.listen_default_ssloptions |= BC_SSL_O_USE_TLSV10;
+		else if (!strcmp(args[i], "force-tlsv11")) {
+#if SSL_OP_NO_TLSv1_1
+			global.listen_default_ssloptions |= BC_SSL_O_USE_TLSV11;
+#else
+			memprintf(err, "'%s' '%s': library does not support protocol TLSv1.1", args[0], args[i]);
+			return -1;
+#endif
+		}
+		else if (!strcmp(args[i], "force-tlsv12")) {
+#if SSL_OP_NO_TLSv1_2
+			global.listen_default_ssloptions |= BC_SSL_O_USE_TLSV12;
+#else
+			memprintf(err, "'%s' '%s': library does not support protocol TLSv1.2", args[0], args[i]);
+			return -1;
+#endif
+		}
+		else if (!strcmp(args[i], "no-tls-tickets"))
+			global.listen_default_ssloptions |= BC_SSL_O_NO_TLS_TICKETS;
+		else {
+			memprintf(err, "unknown option '%s' on global statement '%s'.", args[i], args[0]);
+			return -1;
+		}
+		i++;
+	}
+	return 0;
+}
+
+/* parse the "ssl-default-server-options" keyword in global section */
+static int ssl_parse_default_server_options(char **args, int section_type, struct proxy *curpx,
+                                            struct proxy *defpx, const char *file, int line,
+                                            char **err) {
+	int i = 1;
+
+	if (*(args[i]) == 0) {
+		memprintf(err, "global statement '%s' expects an option as an argument.", args[0]);
+		return -1;
+	}
+	while (*(args[i])) {
+		if (!strcmp(args[i], "no-sslv3"))
+			global.connect_default_ssloptions |= SRV_SSL_O_NO_SSLV3;
+		else if (!strcmp(args[i], "no-tlsv10"))
+			global.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV10;
+		else if (!strcmp(args[i], "no-tlsv11"))
+			global.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV11;
+		else if (!strcmp(args[i], "no-tlsv12"))
+			global.connect_default_ssloptions |= SRV_SSL_O_NO_TLSV12;
+		else if (!strcmp(args[i], "force-sslv3"))
+			global.connect_default_ssloptions |= SRV_SSL_O_USE_SSLV3;
+		else if (!strcmp(args[i], "force-tlsv10"))
+			global.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV10;
+		else if (!strcmp(args[i], "force-tlsv11")) {
+#if SSL_OP_NO_TLSv1_1
+			global.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV11;
+#else
+			memprintf(err, "'%s' '%s': library does not support protocol TLSv1.1", args[0], args[i]);
+			return -1;
+#endif
+		}
+		else if (!strcmp(args[i], "force-tlsv12")) {
+#if SSL_OP_NO_TLSv1_2
+			global.connect_default_ssloptions |= SRV_SSL_O_USE_TLSV12;
+#else
+			memprintf(err, "'%s' '%s': library does not support protocol TLSv1.2", args[0], args[i]);
+			return -1;
+#endif
+		}
+		else if (!strcmp(args[i], "no-tls-tickets"))
+			global.connect_default_ssloptions |= SRV_SSL_O_NO_TLS_TICKETS;
+		else {
+			memprintf(err, "unknown option '%s' on global statement '%s'.", args[i], args[0]);
+			return -1;
+		}
+		i++;
+	}
+	return 0;
+}
+
 /* Note: must not be declared <const> as its list will be overwritten.
  * Please take care of keeping this list alphabetically sorted.
  */
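Review bot: `ssl_parse_default_bind_options` and `ssl_parse_default_server_options` are the same 45-line keyword loop differing only in the destination field and the flag prefix (`BC_SSL_O_*` versus `SRV_SSL_O_*`); factoring the loop into one helper that takes a `{name, flag}` table and the target `int *` would mean future options are added in one place and the two copies cannot drift. Neither parser rejects contradictory combinations such as `force-tlsv10 force-tlsv12` or `no-tlsv12 force-tlsv12`, which simply OR both flags into the global; either reject them with a `memprintf(err, ...)` like the unknown-option case, or say in the manual how such a combination is resolved.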
@@ -4309,6 +4489,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
 	{ "ssl_bc_session_id",      smp_fetch_ssl_fc_session_id,  0,                   NULL,    SMP_T_BIN,  SMP_USE_L5SRV },
 	{ "ssl_c_ca_err",           smp_fetch_ssl_c_ca_err,       0,                   NULL,    SMP_T_UINT, SMP_USE_L5CLI },
 	{ "ssl_c_ca_err_depth",     smp_fetch_ssl_c_ca_err_depth, 0,                   NULL,    SMP_T_UINT, SMP_USE_L5CLI },
+	{ "ssl_c_der",              smp_fetch_ssl_x_der,          0,                   NULL,    SMP_T_BIN,  SMP_USE_L5CLI },
 	{ "ssl_c_err",              smp_fetch_ssl_c_err,          0,                   NULL,    SMP_T_UINT, SMP_USE_L5CLI },
 	{ "ssl_c_i_dn",             smp_fetch_ssl_x_i_dn,         ARG2(0,STR,SINT),    NULL,    SMP_T_STR,  SMP_USE_L5CLI },
 	{ "ssl_c_key_alg",          smp_fetch_ssl_x_key_alg,      0,                   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
@@ -4321,6 +4502,7 @@ static struct sample_fetch_kw_list sample_fetch_keywords = {ILH, {
 	{ "ssl_c_used",             smp_fetch_ssl_c_used,         0,                   NULL,    SMP_T_BOOL, SMP_USE_L5CLI },
 	{ "ssl_c_verify",           smp_fetch_ssl_c_verify,       0,                   NULL,    SMP_T_UINT, SMP_USE_L5CLI },
 	{ "ssl_c_version",          smp_fetch_ssl_x_version,      0,                   NULL,    SMP_T_UINT, SMP_USE_L5CLI },
+	{ "ssl_f_der",              smp_fetch_ssl_x_der,          0,                   NULL,    SMP_T_BIN,  SMP_USE_L5CLI },
 	{ "ssl_f_i_dn",             smp_fetch_ssl_x_i_dn,         ARG2(0,STR,SINT),    NULL,    SMP_T_STR,  SMP_USE_L5CLI },
 	{ "ssl_f_key_alg",          smp_fetch_ssl_x_key_alg,      0,                   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
 	{ "ssl_f_notafter",         smp_fetch_ssl_x_notafter,     0,                   NULL,    SMP_T_STR,  SMP_USE_L5CLI },
@@ -4421,6 +4603,12 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
 	{ NULL, NULL, 0, 0 },
 }};
 
+static struct cfg_kw_list cfg_kws = {ILH, {
+	{ CFG_GLOBAL, "ssl-default-bind-options", ssl_parse_default_bind_options },
+	{ CFG_GLOBAL, "ssl-default-server-options", ssl_parse_default_server_options },
+	{ 0, NULL, NULL },
+}};
+
 /* transport-layer operations for SSL sockets */
 struct xprt_ops ssl_sock = {
 	.snd_buf  = ssl_sock_from_buf,
@@ -4448,6 +4636,8 @@ static void __ssl_sock_init(void)
 		global.listen_default_ciphers = strdup(global.listen_default_ciphers);
 	if (global.connect_default_ciphers)
 		global.connect_default_ciphers = strdup(global.connect_default_ciphers);
+	global.listen_default_ssloptions = BC_SSL_O_NONE;
+	global.connect_default_ssloptions = SRV_SSL_O_NONE;
 
 	SSL_library_init();
 	cm = SSL_COMP_get_compression_methods();
@@ -4456,6 +4646,7 @@ static void __ssl_sock_init(void)
 	acl_register_keywords(&acl_kws);
 	bind_register_keywords(&bind_kws);
 	srv_register_keywords(&srv_kws);
+	cfg_register_keywords(&cfg_kws);
 }
 
 /*

--- End Message ---
--- Begin Message ---
On Sun, Nov 02, 2014 at 01:49:32AM +0100, Vincent Bernat wrote:
>  ❦  1 November 2014 20:19 GMT, Jonathan Wiltshire <jmw@debian.org>:
> 
> >> I would like to upload haproxy 1.5.8 in unstable. This would solve
> >> #767670. There are other fixes included in 1.5.7 and 1.5.8 as well as
> >> support to disable globally SSLv3. The default configuration file now
> >> does that.
> >
> > Ok, but I can't unblock it until you've uploaded it. Please ping this bug
> > when that's happened.
> 
> Hi!
> 
> It is now uploaded in unstable.

Unblocked, thanks.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



--- End Message ---
