mirror
/
openwrt-packages
mirror of https://git.openwrt.org/feed/packages.git
1
0
Fork 0
Code Releases Activity

haproxy: patches from upstream (ssl,counter,stick-table, track) 

- BUG/MINOR: ssl: Fix external function in order not to return a pointer
   on an internal trash buffer
 - BUG/MINOR: counters: do not untrack counters before logging
 - BUG/MAJOR: sample: correctly reinitialize sample fetch context before
   calling sample_process()
 - MINOR: stick-table: make stktable_fetch_key() indicate why it failed
 - BUG/MEDIUM: counters: fix track-sc* to wait on unstable contents

Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
This commit is contained in:
Thomas Heil 2014-06-26 06:22:41 +02:00
parent bcd2e39bfa
commit 2d9af2967c
6 changed files with 375 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
net/haproxy/Makefile
View File

@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=haproxy
PKG_VERSION:=1.5.1
PKG_RELEASE:=01
PKG_RELEASE:=06
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
PKG_MD5SUM:=49640cf3ddd793a05fbd3394481a1ed4

101
net/haproxy/patches/0002-BUG-MINOR-ssl-Fix-external-function-in-order-not-to-.patch Normal file
View File

@ -0,0 +1,101 @@
From 4910098653e356f814924663b4ddf71c971a71d6 Mon Sep 17 00:00:00 2001
From: Emeric Brun <ebrun@haproxy.com>
Date: Tue, 24 Jun 2014 18:26:41 +0200
Subject: [PATCH 2/6] BUG/MINOR: ssl: Fix external function in order not to
return a pointer on an internal trash buffer.
'ssl_sock_get_common_name' applied to a connection was also renamed
'ssl_sock_get_remote_common_name'. Currently, this function is only used
with protocol PROXYv2 to retrieve the client certificate's common name.
A further usage could be to retrieve the server certificate's common name
on an outgoing connection.
(cherry picked from commit 0abf836ecb32767fa1f9ad598f3e236e073491bd)
---
include/proto/ssl_sock.h | 2 +-
src/connection.c | 5 ++---
src/ssl_sock.c | 23 +++++++++++------------
3 files changed, 14 insertions(+), 16 deletions(-)
diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index 0902fde..3e111cd 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -52,7 +52,7 @@ const char *ssl_sock_get_cipher_name(struct connection *conn);
const char *ssl_sock_get_proto_version(struct connection *conn);
char *ssl_sock_get_version(struct connection *conn);
int ssl_sock_get_cert_used(struct connection *conn);
-char *ssl_sock_get_common_name(struct connection *conn);
+int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *out);
unsigned int ssl_sock_get_verify_result(struct connection *conn);
#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
diff --git a/src/connection.c b/src/connection.c
index 0b154d8..20a911b 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -682,9 +682,8 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
tlv->verify = htonl(ssl_sock_get_verify_result(remote));
}
if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
- value = ssl_sock_get_common_name(remote);
- if (value) {
- tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, strlen(value), value);
+ if (ssl_sock_get_remote_common_name(remote, &trash) > 0) {
+ tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str);
ssl_tlv_len += tlv_len;
}
}
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 328b978..375225d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2654,21 +2654,25 @@ char *ssl_sock_get_version(struct connection *conn)
return (char *)SSL_get_version(conn->xprt_ctx);
}
-/* returns common name, NULL terminated, from client certificate, or NULL if none */
-char *ssl_sock_get_common_name(struct connection *conn)
+/* Extract peer certificate's common name into the chunk dest
+ * Returns
+ * the len of the extracted common name
+ * or 0 if no CN found in DN
+ * or -1 on error case (i.e. no peer certificate)
+ */
+int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk *dest)
{
X509 *crt = NULL;
X509_NAME *name;
- struct chunk *cn_trash;
const char find_cn[] = "CN";
const struct chunk find_cn_chunk = {
.str = (char *)&find_cn,
.len = sizeof(find_cn)-1
};
- char *result = NULL;
+ int result = -1;
if (!ssl_sock_is_ssl(conn))
- return NULL;
+ goto out;
/* SSL_get_peer_certificate, it increase X509 * ref count */
crt = SSL_get_peer_certificate(conn->xprt_ctx);
@@ -2679,13 +2683,8 @@ char *ssl_sock_get_common_name(struct connection *conn)
if (!name)
goto out;
- cn_trash = get_trash_chunk();
- if (ssl_sock_get_dn_entry(name, &find_cn_chunk, 1, cn_trash) <= 0)
- goto out;
- cn_trash->str[cn_trash->len] = '\0';
- result = cn_trash->str;
-
- out:
+ result = ssl_sock_get_dn_entry(name, &find_cn_chunk, 1, dest);
+out:
if (crt)
X509_free(crt);
--
1.8.5.5

42
net/haproxy/patches/0003-BUG-MINOR-counters-do-not-untrack-counters-before-lo.patch Normal file
View File

@ -0,0 +1,42 @@
From c177ea7187bc1918a1900c1b0e3fc67c559987a2 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 25 Jun 2014 15:36:04 +0200
Subject: [PATCH 3/6] BUG/MINOR: counters: do not untrack counters before
logging
Baptiste Assmann reported a corner case in the releasing of stick-counters:
we release content-aware counters before logging. In the past it was not a
problem, but since now we can log them it, it prevents one from logging
their value. Simply switching the log production and the release of the
counter fixes the issue.
This should be backported into 1.5.
(cherry picked from commit d713bcc326da5d1ac80adab666d7710f3e37650c)
---
src/proto_http.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index 5321f7d..d566bcc 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -4808,7 +4808,6 @@ void http_end_txn_clean_session(struct session *s)
s->logs.t_close = tv_ms_elapsed(&s->logs.tv_accept, &now);
session_process_counters(s);
- session_stop_content_counters(s);
if (s->txn.status) {
int n;
@@ -4842,6 +4841,8 @@ void http_end_txn_clean_session(struct session *s)
s->do_log(s);
}
+ /* stop tracking content-based counters */
+ session_stop_content_counters(s);
session_update_time_stats(s);
s->logs.accept_date = date; /* user-visible date for logging */
--
1.8.5.5

65
net/haproxy/patches/0004-BUG-MAJOR-sample-correctly-reinitialize-sample-fetch.patch Normal file
View File

@ -0,0 +1,65 @@
From a4ba9dbfc688576ffb7e0a3ce43ac0b420211bf6 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 25 Jun 2014 16:56:41 +0200
Subject: [PATCH 4/6] BUG/MAJOR: sample: correctly reinitialize sample fetch
context before calling sample_process()
We used to only clear flags when reusing the static sample before calling
sample_process(), but that's not enough because there's a context in samples
that can be used by some fetch functions such as auth, headers and cookies,
and not reinitializing it risks that a pointer of a different type is used
in the wrong context.
An example configuration which triggers the case consists in mixing hdr()
and http_auth_group() which both make use of contexts :
http-request add-header foo2 %[hdr(host)],%[http_auth_group(foo)]
The solution is simple, initialize all the sample and not just the flags.
This fix must be backported into 1.5 since it was introduced in 1.5-dev19.
(cherry picked from commit 6c616e0b96106dd33d183afbda31e72799e967c3)
---
src/proto_http.c | 3 +++
src/sample.c | 5 +++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index d566bcc..01fe62d 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -9748,6 +9748,9 @@ smp_prefetch_http(struct proxy *px, struct session *s, void *l7, unsigned int op
return 1;
}
+/* Note: these functinos *do* modify the sample. Even in case of success, at
+ * least the type and uint value are modified.
+ */
#define CHECK_HTTP_MESSAGE_FIRST() \
do { int r = smp_prefetch_http(px, l4, l7, opt, args, smp, 1); if (r <= 0) return r; } while (0)
diff --git a/src/sample.c b/src/sample.c
index 9f22ef9..3a0f3fb 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -905,7 +905,7 @@ struct sample *sample_process(struct proxy *px, struct session *l4, void *l7,
if (p == NULL) {
p = &temp_smp;
- p->flags = 0;
+ memset(p, 0, sizeof(*p));
}
if (!expr->fetch->process(px, l4, l7, opt, expr->arg_p, p, expr->fetch->kw))
@@ -1160,7 +1160,8 @@ struct sample *sample_fetch_string(struct proxy *px, struct session *l4, void *l
{
struct sample *smp = &temp_smp;
- smp->flags = 0;
+ memset(smp, 0, sizeof(*smp));
+
if (!sample_process(px, l4, l7, opt, expr, smp)) {
if ((smp->flags & SMP_F_MAY_CHANGE) && !(opt & SMP_OPT_FINAL))
return smp;
--
1.8.5.5

109
net/haproxy/patches/0005-MINOR-stick-table-make-stktable_fetch_key-indicate-w.patch Normal file
View File

@ -0,0 +1,109 @@
From d008394057c4fe46ca6eb775c66cc0ff986a5495 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 25 Jun 2014 16:20:53 +0200
Subject: [PATCH 5/6] MINOR: stick-table: make stktable_fetch_key() indicate
why it failed
stktable_fetch_key() does not indicate whether it returns NULL because
the input sample was not found or because it's unstable. It causes trouble
with track-sc* rules. Just like with sample_fetch_string(), we want it to
be able to give more information to the caller about what it found. Thus,
now we use the pointer to a sample passed by the caller, and fill it with
the information we have about the sample. That way, even if we return NULL,
the caller has the ability to check whether a sample was found and if it is
still changing or not.
(cherry picked from commit b5975defba61e7ef37ae771614166d0970ede04e)
---
include/proto/stick_table.h | 2 +-
src/proto_tcp.c | 4 ++--
src/session.c | 4 ++--
src/stick_table.c | 12 +++++++-----
4 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/include/proto/stick_table.h b/include/proto/stick_table.h
index 0c26fbe..57ca223 100644
--- a/include/proto/stick_table.h
+++ b/include/proto/stick_table.h
@@ -48,7 +48,7 @@ struct stksess *stktable_lookup_key(struct stktable *t, struct stktable_key *key
struct stksess *stktable_update_key(struct stktable *table, struct stktable_key *key);
struct stktable_key *stktable_fetch_key(struct stktable *t, struct proxy *px,
struct session *l4, void *l7, unsigned int opt,
- struct sample_expr *expr);
+ struct sample_expr *expr, struct sample *smp);
int stktable_compatible_sample(struct sample_expr *expr, unsigned long table_type);
int stktable_get_data_type(char *name);
struct proxy *find_stktable(const char *name);
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 65c4fda..1aac0d9 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -1027,7 +1027,7 @@ int tcp_inspect_request(struct session *s, struct channel *req, int an_bit)
continue;
t = rule->act_prm.trk_ctr.table.t;
- key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr);
+ key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr, NULL);
if (key && (ts = stktable_get_entry(t, key))) {
session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts);
@@ -1228,7 +1228,7 @@ int tcp_exec_req_rules(struct session *s)
continue;
t = rule->act_prm.trk_ctr.table.t;
- key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr);
+ key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr, NULL);
if (key && (ts = stktable_get_entry(t, key)))
session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts);
diff --git a/src/session.c b/src/session.c
index e26f5ad..df85170 100644
--- a/src/session.c
+++ b/src/session.c
@@ -1458,7 +1458,7 @@ static int process_sticking_rules(struct session *s, struct channel *req, int an
if (ret) {
struct stktable_key *key;
- key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->expr);
+ key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->expr, NULL);
if (!key)
continue;
@@ -1561,7 +1561,7 @@ static int process_store_rules(struct session *s, struct channel *rep, int an_bi
if (ret) {
struct stktable_key *key;
- key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_RES|SMP_OPT_FINAL, rule->expr);
+ key = stktable_fetch_key(rule->table.t, px, s, &s->txn, SMP_OPT_DIR_RES|SMP_OPT_FINAL, rule->expr, NULL);
if (!key)
continue;
diff --git a/src/stick_table.c b/src/stick_table.c
index c6463ec..a708d3c 100644
--- a/src/stick_table.c
+++ b/src/stick_table.c
@@ -601,15 +601,17 @@ static sample_to_key_fct sample_to_key[SMP_TYPES][STKTABLE_TYPES] = {
* Process a fetch + format conversion as defined by the sample expression <expr>
* on request or response considering the <opt> parameter. Returns either NULL if
* no key could be extracted, or a pointer to the converted result stored in
- * static_table_key in format <table_type>.
+ * static_table_key in format <table_type>. If <smp> is not NULL, it will be reset
+ * and its flags will be initialized so that the caller gets a copy of the input
+ * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present).
*/
struct stktable_key *stktable_fetch_key(struct stktable *t, struct proxy *px, struct session *l4, void *l7,
- unsigned int opt,
- struct sample_expr *expr)
+ unsigned int opt, struct sample_expr *expr, struct sample *smp)
{
- struct sample *smp;
+ if (smp)
+ memset(smp, 0, sizeof(*smp));
- smp = sample_process(px, l4, l7, opt, expr, NULL);
+ smp = sample_process(px, l4, l7, opt, expr, smp);
if (!smp)
return NULL;
--
1.8.5.5

57
net/haproxy/patches/0006-BUG-MEDIUM-counters-fix-track-sc-to-wait-on-unstable.patch Normal file
View File

@ -0,0 +1,57 @@
From 86bd33a9f842caf1788b61d1f99e95f8ad866660 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 25 Jun 2014 17:01:56 +0200
Subject: [PATCH 6/6] BUG/MEDIUM: counters: fix track-sc* to wait on unstable
contents
I've been facing multiple configurations which involved track-sc* rules
in tcp-request content without the "if ..." to force it to wait for the
contents, resulting in random behaviour with contents sometimes retrieved
and sometimes not.
Reading the doc doesn't make it clear either that the tracking will be
performed only if data are already there and that waiting on an ACL is
the only way to avoid this.
Since this behaviour is not natural and we now have the ability to fix
it, this patch ensures that if input data are still moving, instead of
silently dropping them, we naturally wait for them to stabilize up to
the inspect-delay. This way it's not needed anymore to implement an
ACL-based condition to force to wait for data, eventhough the behaviour
is not changed for when an ACL is present.
The most obvious usage will be when track-sc is followed by any HTTP
sample expression, there's no need anymore for adding "if HTTP".
It's probably worth backporting this to 1.5 to avoid further configuration
issues. Note that it requires previous patch.
(cherry picked from commit 1b71eb581ec1637879f725421efb95ad69f0ea4f)
---
src/proto_tcp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 1aac0d9..e9dbc9c 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -1022,12 +1022,16 @@ int tcp_inspect_request(struct session *s, struct channel *req, int an_bit)
* applies.
*/
struct stktable_key *key;
+ struct sample smp;
if (stkctr_entry(&s->stkctr[tcp_trk_idx(rule->action)]))
continue;
t = rule->act_prm.trk_ctr.table.t;
- key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ|SMP_OPT_FINAL, rule->act_prm.trk_ctr.expr, NULL);
+ key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ | partial, rule->act_prm.trk_ctr.expr, &smp);
+
+ if (smp.flags & SMP_F_MAY_CHANGE)
+ goto missing_data;
if (key && (ts = stktable_get_entry(t, key))) {
session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts);
--
1.8.5.5