Commit Graph

11700 Commits

Author SHA1 Message Date
Willy Tarreau
09568fd54d BUG/MINOR: tools: fix the i386 version of the div64_32 function
As reported in issue #596, the edx register isn't marked as clobbered
in div64_32(), which could technically allow gcc to try to reuse it
if it needed a copy of the 32 highest bits of the o1 register after
the operation.

Two attempts were tried, one using a dummy 32-bit local variable to
store the intermediary edx and another one switching to "=A" and making
result a long long. It turns out the former makes the resulting object
code significantly dirtier while the latter makes it better and was
kept. This is due to gcc's difficulties at working with register pairs
mixing 32- and 64- bit values on i386. It was verified that no code
change happened at all on x86_64, armv7, aarch64 nor mips32.

In practice it's only used by the frequency counters so this bug
cannot even be triggered but better fix it.

This may be backported to stable branches though it will not fix any
issue.
2020-04-23 17:21:37 +02:00
William Lallemand
d7f8bd9b40 DOC: internals: update the SSL architecture schema
This commit updates the SSL files architecture schema and adds the
crtlist structures in it.
2020-04-23 16:30:12 +02:00
Olivier Houchard
9df188695f BUG/MEDIUM: http-ana: Handle NTLM messages correctly.
When checking www-authenticate headers, we don't want to just accept
"NTLM" as value, because the server may send "HTLM <base64 value>". Instead,
just check that it starts with NTLM.

This should be backported to 2.1, 2.0, 1.9 and 1.8.
2020-04-22 22:03:32 +02:00
Jerome Magnin
b203ff6e20 MINOR: config: add a global directive to set default SSL curves
This commit adds a new keyword to the global section to set default
curves for ssl binds:
  - ssl-default-bind-curves
2020-04-22 17:26:08 +02:00
Jerome Magnin
2e8d52f869 BUG/MINOR: ssl: default settings for ssl server options are not used
Documentation states that default settings for ssl server options can be set
using either ssl-default-server-options or default-server directives. In practice,
not all ssl server options can have default values, such as ssl-min-ver, ssl-max-ver,
etc..

This patch adds the missing ssl options in srv_ssl_settings_cpy() and srv_parse_ssl(),
making it possible to write configurations like the following examples, and have them
behave as expected.

   global
     ssl-default-server-options ssl-max-ver TLSv1.2

   defaults
     mode http

   listen l1
     bind 1.2.3.4:80
     default-server ssl verify none
     server s1 1.2.3.5:443

   listen l2
     bind 2.2.3.4:80
     default-server ssl verify none ssl-max-ver TLSv1.3 ssl-min-ver TLSv1.2
     server s1 1.2.3.6:443

This should be backported as far as 1.8.
This fixes issue #595.
2020-04-22 15:43:03 +02:00
Emmanuel Hocdet
c3b7e74455 MINOR: ssl: add ssl-skip-self-issued-ca global option
This option activate the feature introduce in commit 16739778:
"MINOR: ssl: skip self issued CA in cert chain for ssl_ctx".
The patch disable the feature per default.
2020-04-22 15:35:56 +02:00
William Lallemand
916d0b523d MINOR: ssl/cli: restrain certificate path when inserting into a directory
When trying to insert a new certificate into a directory with "add ssl
crt-list", no check were done on the path of the new certificate.

To be more consistent with the HAProxy reload, when adding a file to
a crt-list, if this crt-list is a directory, the certificate will need
to have the directory in its path.
2020-04-21 18:42:42 +02:00
William Lallemand
b74d564043 MINOR: ssl/cli: disallow SSL options for directory in 'add ssl crt-list'
Allowing the use of SSL options and filters when adding a file in a
directory is not really consistent with the reload of HAProxy. Disable
the ability to use these options if one try to use them with a directory.
2020-04-21 17:23:54 +02:00
Olivier Doucet
56e3120f9e DOC: Improve documentation on http-request set-src
This patch adds more explanation on how to use "http-request set-src"
and a link to "option forwardfor".

This patch can be applied to all previous version starting at 1.6

Reviewed-by: Tim Duesterhus <tim@bastelstu.be>
2020-04-21 17:02:35 +02:00
Ilya Shipitsin
ae40dbc93c CLEANUP: log: fix comment of parse_logformat_string()
"fmt" is passed to parse_logformat_string, adjust comment
accordingly
2020-04-21 10:52:25 +02:00
Ilya Shipitsin
82e01b9437 CI: run weekly OpenSSL "no-deprecated" builds
OpenWRT uses such OpenSSL builds (those builds are smaller)

some details might be found at ML: https://www.mail-archive.com/haproxy@formilux.org/msg35759.html
                               GH: https://github.com/haproxy/haproxy/issues/367
2020-04-21 10:27:41 +02:00
Tim Duesterhus
dfad6a41ad MINOR: version: Show uname output in display_version()
This patch adds the sysname, release, version and machine fields from
the uname results to the version output. It intentionally leaves out the
machine name, because it is usually not useful and users might not want to
expose their machine names for privacy reasons.

May be backported if it is considered useful for debugging.
2020-04-18 22:04:29 +02:00
Willy Tarreau
d008930265 [RELEASE] Released version 2.2-dev6
Released version 2.2-dev6 with the following main changes :
    - BUG/MINOR: ssl: memory leak when find_chain is NULL
    - CLEANUP: ssl: rename ssl_get_issuer_chain to ssl_get0_issuer_chain
    - MINOR: ssl: rework add cert chain to CTX to be libssl independent
    - BUG/MINOR: peers: init bind_proc to 1 if it wasn't initialized
    - BUG/MINOR: peers: avoid an infinite loop with peers_fe is NULL
    - BUG/MINOR: peers: Use after free of "peers" section.
    - CI: github actions: add weekly h2spec test
    - BUG/MEDIUM: mux_h1: Process a new request if we already received it.
    - MINOR: build: Fix build in mux_h1
    - CLEANUP: remove obsolete comments
    - BUG/MEDIUM: dns: improper parsing of aditional records
    - MINOR: ssl: skip self issued CA in cert chain for ssl_ctx
    - MINOR: listener: add so_name sample fetch
    - MEDIUM: stream: support use-server rules with dynamic names
    - MINOR: servers: Add a counter for the number of currently used connections.
    - MEDIUM: connections: Revamp the way idle connections are killed
    - MINOR: cli: add a general purpose pointer in the CLI struct
    - MINOR: ssl: add a list of bind_conf in struct crtlist
    - REORG: ssl: move SETCERT enum to ssl_sock.h
    - BUG/MINOR: ssl: ckch_inst wrongly inserted in crtlist_entry
    - REORG: ssl: move some functions above crtlist_load_cert_dir()
    - MINOR: ssl: use crtlist_free() upon error in directory loading
    - MINOR: ssl: add a list of crtlist_entry in ckch_store
    - MINOR: ssl: store a ptr to crtlist in crtlist_entry
    - MINOR: ssl/cli: update pointer to store in 'commit ssl cert'
    - MEDIUM: ssl/cli: 'add ssl crt-list' command
    - REGTEST: ssl/cli: test the 'add ssl crt-list' command
    - BUG/MINOR: ssl: entry->ckch_inst not initialized
    - REGTEST: ssl/cli: change test type to devel
    - REGTEST: make the PROXY TLV validation depend on version 2.2
    - CLEANUP: assorted typo fixes in the code and comments
    - BUG/MINOR: stats: Fix color of draining servers on stats page
    - DOC: internals: Fix spelling errors in filters.txt
    - MINOR: connections: Don't mark conn flags 0x00000001 and 0x00000002 as unused.
    - REGTEST: make the unique-id test depend on version 2.0
    - BUG/MEDIUM: dns: Consider the fact that dns answers are case-insensitive
    - MINOR: ssl: split the line parsing of the crt-list
    - MINOR: ssl/cli: support filters and options in add ssl crt-list
    - MINOR: ssl: add a comment above the ssl_bind_conf keywords
    - REGTEST: ssl/cli: tests options and filters w/ add ssl crt-list
    - REGTEST: ssl: pollute the crt-list file
    - BUG/CRITICAL: hpack: never index a header into the headroom after wrapping
    - BUG/MINOR: protocol_buffer: Wrong maximum shifting.
    - CLEANUP: src/fd.c: mask setsockopt with DISGUISE
    - BUG/MINOR: ssl/cli: initialize fcount int crtlist_entry
    - REGTEST: ssl/cli: add other cases of 'add ssl crt-list'
    - CLEANUP: assorted typo fixes in the code and comments
    - DOC: management: add the new crt-list CLI commands
    - BUG/MINOR: ssl/cli: fix spaces in 'show ssl crt-list'
    - MINOR: ssl/cli: 'del ssl crt-list' delete an entry
    - MINOR: ssl/cli: replace dump/show ssl crt-list by '-n' option
    - CI: use better SSL library definition
    - CI: travis-ci: enable DEBUG_STRICT=1 for CI builds
    - CI: travis-ci: upgrade openssl to 1.1.1f
    - MINOR: ssl: improve the errors when a crt can't be open
    - CI: cirrus-ci: rename openssl package after it is renamed in FreeBSD
    - CI: adopt openssl download script to download all versions
    - BUG/MINOR: ssl/cli: lock the ckch structures during crt-list delete
    - MINOR: ssl/cli: improve error for bundle in add/del ssl crt-list
    - MINOR: ssl/cli: 'del ssl cert' deletes a certificate
    - BUG/MINOR: ssl: trailing slashes in directory names wrongly cached
    - BUG/MINOR: ssl/cli: memory leak in 'set ssl cert'
    - CLEANUP: ssl: use the refcount for the SSL_CTX'
    - CLEANUP: ssl/cli: use the list of filters in the crtlist_entry
    - BUG/MINOR: ssl: memleak of the struct cert_key_and_chain
    - CLEANUP: ssl: remove a commentary in struct ckch_inst
    - MINOR: ssl: initialize all list in ckch_inst_new()
    - MINOR: ssl: free instances and SNIs with ckch_inst_free()
    - MINOR: ssl: replace ckchs_free() by ckch_store_free()
    - BUG/MEDIUM: ssl/cli: trying to access to free'd memory
    - MINOR: ssl: ckch_store_new() alloc and init a ckch_store
    - MINOR: ssl: crtlist_new() alloc and initialize a struct crtlist
    - REORG: ssl: move some free/new functions
    - MINOR: ssl: crtlist_entry_{new, free}
    - BUG/MINOR: ssl: ssl_conf always set to NULL on crt-list parsing
    - MINOR: ssl: don't alloc ssl_conf if no option found
    - BUG/MINOR: connection: always send address-less LOCAL PROXY connections
    - BUG/MINOR: peers: Incomplete peers sections should be validated.
    - MINOR: init: report in "haproxy -c" whether there were warnings or not
    - MINOR: init: add -dW and "zero-warning" to reject configs with warnings
    - MINOR: init: report the compiler version in haproxy -vv
    - CLEANUP: assorted typo fixes in the code and comments
    - MINOR: init: report the haproxy version and executable path once on errors
    - DOC: Make how "option redispatch" works more explicit
    - BUILD: Makefile: add linux-musl to TARGET
    - CLEANUP: assorted typo fixes in the code and comments
    - CLEANUP: http: Fixed small typo in parse_http_return
    - DOC: hashing: update link to hashing functions
2020-04-17 14:19:38 +02:00
Adam Mills
bbf697e752 DOC: hashing: update link to hashing functions
Bret Mulvey, the author of the article cited in this pulication
has migrated his work to papa.bretmulvey.com. I was able to
view an archival version of Bret M.'s original post
(http://home.comcast.net/~bretm/hash/3.html) and have validated
that this is the same paper that is originally cited.
2020-04-17 13:59:46 +02:00
Dominik Froehlich
30d49ab61a CLEANUP: http: Fixed small typo in parse_http_return
It's only two typos in a warning (ober vs over, and rewritting vs rewriting).
2020-04-17 13:50:11 +02:00
Ilya Shipitsin
856aabcda5 CLEANUP: assorted typo fixes in the code and comments
This is 8th iteration of typo fixes
2020-04-17 09:37:36 +02:00
Willy Tarreau
39b2fda915 BUILD: Makefile: add linux-musl to TARGET
Other users are using musl, namely on Docker. It builds fine with
linux-glibc-legacy but not linux-glibc, which needs to first disable
USE_BACKTRACE. Better add a valid entry for it instead of hacking
around another libc.
2020-04-16 15:17:13 +02:00
Olivier Carrre
6e6f59b7e0 DOC: Make how "option redispatch" works more explicit
People are often misled and think that this option can redirect
connections to backup servers.

This patch makes the documentation more specific about how the option
handles backup servers.
2020-04-16 11:03:57 +02:00
Willy Tarreau
bb86986253 MINOR: init: report the haproxy version and executable path once on errors
If haproxy fails to start and emits an alert, then it can be useful
to have it also emit the version and the path used to load it. Some
users may be mistakenly launching the wrong binary due to a misconfigured
PATH variable and this will save them some troubleshooting time when it
reports that some keywords are not understood.

What we do here is that we *try* to extract the binary name from the
AUX vector on glibc, and we report this as a NOTICE tag before the
very first alert is emitted.
2020-04-16 10:52:41 +02:00
Ilya Shipitsin
d425950c68 CLEANUP: assorted typo fixes in the code and comments
This is 7th iteration of typo fixes
2020-04-16 10:04:36 +02:00
Willy Tarreau
bb1b63c079 MINOR: init: report the compiler version in haproxy -vv
Some portability issues were met a few times in the past depending on
compiler versions, but this one was not reported in haproxy -vv output
while it's trivial to add it. This patch tries to be the most accurate
by explicitly reporting the clang version if detected, otherwise the
gcc version.
2020-04-15 17:00:03 +02:00
Willy Tarreau
3eb10b8e98 MINOR: init: add -dW and "zero-warning" to reject configs with warnings
Since some systems switched to service managers which hide all warnings
by default, some users are not aware of some possibly important warnings
and get caught too late with errors that could have been detected earlier.

This patch adds a new global keyword, "zero-warning" and an equivalent
command-line option "-dW" to refuse to start in case any warning is
detected. It is recommended to use these with configurations that are
managed by humans in order to catch mistakes very early.
2020-04-15 16:42:39 +02:00
Willy Tarreau
bebd212064 MINOR: init: report in "haproxy -c" whether there were warnings or not
This helps quickly checking if the config produces any warning. For
this we reuse the "warned" bit field to add a new WARN_ANY bit that is
set by ha_warning(). The rest of the bit field was also cleaned from
unused bits.
2020-04-15 16:42:00 +02:00
Frdric Lcaille
8ba10fea69 BUG/MINOR: peers: Incomplete peers sections should be validated.
Before supporting "server" line in "peers" section, such sections without
any local peer were removed from the configuration to get it validated.

This patch fixes the issue where a "server" line without address and port which
is a remote peer without address and port makes the configuration parsing fail.
When encoutering such cases we now ignore such lines remove them from the
configuration.

Thank you to Jrme Magnin for having reported this bug.

Must be backported to 2.1 and 2.0.
2020-04-15 10:47:39 +02:00
Willy Tarreau
02c88036a6 BUG/MINOR: connection: always send address-less LOCAL PROXY connections
Commit 7f26391bc5 ("BUG/MINOR: connection: make sure to correctly tag
local PROXY connections") revealed that some implementations do not
properly ignore addresses in LOCAL connections (at least Dovecot was
spotted). More context information in the thread below:

   https://www.mail-archive.com/haproxy@formilux.org/msg36890.html

The patch above was using LOCAL on top of local addresses in order to
minimize the risk of breakage but revealed worse than a clean fix. So
let's partially revert it and send pure LOCAL connections instead now.

After a bit of observation, this patch should be progressively backported
to stable branches. However if it reveals new breakage, the backport of
the patch above will have to be reverted from stable branches while other
products work on fixing their code based on the master branch.
2020-04-14 16:02:50 +02:00
William Lallemand
1b2988bc42 MINOR: ssl: don't alloc ssl_conf if no option found
When no SSL options were found between brackets, the structure ssl_conf
was still allocated for nothing.
2020-04-10 17:43:58 +02:00
William Lallemand
87a0db9993 BUG/MINOR: ssl: ssl_conf always set to NULL on crt-list parsing
When reading a crt-list file, the SSL options betweeen square brackets
are parsed, however the calling function sets the ssl_conf ptr to NULL
leading to all options being ignored, and a memory leak.

This is a remaining of the previous code which was forgotten.

This bug was introduced by 97b0810 ("MINOR: ssl: split the line parsing
of the crt-list").
2020-04-10 17:43:58 +02:00
William Lallemand
e718dfb4c2 MINOR: ssl: crtlist_entry_{new, free}
New functions that create and delete a crtlist_entry in order to remove
duplicated code.
2020-04-10 11:14:01 +02:00
William Lallemand
82b21bbe86 REORG: ssl: move some free/new functions
Move crtlist_free_filters(), crtlist_dup_filters(),
crtlist_free(), crtlist_new(), ssl_sock_free_ssl_conf() upper in the
file.
2020-04-10 11:14:01 +02:00
William Lallemand
ec2d493621 MINOR: ssl: crtlist_new() alloc and initialize a struct crtlist
Allocate and initialize a struct crtlist with crtlist_new() to remove
duplicated code.
2020-04-10 11:14:01 +02:00
William Lallemand
8a874e4c6a MINOR: ssl: ckch_store_new() alloc and init a ckch_store
Create a ckch_store_new() function which alloc and initialize a
ckch_store, allowing us to remove duplicated code and avoiding wrong
initialization in the future.
2020-04-10 11:14:01 +02:00
William Lallemand
d5e9377312 BUG/MEDIUM: ssl/cli: trying to access to free'd memory
Bug introduced by d9d5d1b ("MINOR: ssl: free instances and SNIs with
ckch_inst_free()").

Upon an 'commit ssl cert' the HA_RWLOCK_WRUNLOCK of the SNI lock is done
with using the bind_conf pointer of the ckch_inst which was freed.

Fix the problem by using an intermediate variable to store the
bind_conf pointer.
2020-04-09 17:12:16 +02:00
William Lallemand
ba1c33f826 MINOR: ssl: replace ckchs_free() by ckch_store_free()
Replace ckchs_free() by ckch_store_free() which frees the ckch_store but
now also all its ckch_inst with ckch_inst_free().

Also remove the "ckchs" naming since its confusing.
2020-04-09 17:00:18 +02:00
William Lallemand
d9d5d1b1df MINOR: ssl: free instances and SNIs with ckch_inst_free()
Remove duplicated code by creating a new function ckch_inst_free() which
deals with the SNIs linked in a ckch_inst and free the ckch_inst.
2020-04-09 16:51:29 +02:00
William Lallemand
9cef2e2c06 MINOR: ssl: initialize all list in ckch_inst_new()
The ckch_inst_new() function is not up to date with the latest
list added into the structure. Update the list of structure to
initialize.
2020-04-09 16:46:50 +02:00
William Lallemand
b7296c42bd CLEANUP: ssl: remove a commentary in struct ckch_inst
The struct ckch_inst now handles the ssl_bind_conf so this commentary is
obsolete
2020-04-09 16:13:42 +02:00
William Lallemand
8621ac5570 BUG/MINOR: ssl: memleak of the struct cert_key_and_chain
Free the struct cert_key_and_chain when calling ckchs_free(),
a memory leak can occur when using 'commit ssl cert'.

Must be backported to 2.1.
2020-04-09 15:40:26 +02:00
William Lallemand
caa161982f CLEANUP: ssl/cli: use the list of filters in the crtlist_entry
In 'commit ssl cert', instead of trying to regenerate a list of filters
from the SNIs, use the list provided by the crtlist_entry used to
generate the ckch_inst.

This list of filters doesn't need to be free'd anymore since they are
always reused from the crtlist_entry.
2020-04-08 16:52:51 +02:00
William Lallemand
02e19a5c7b CLEANUP: ssl: use the refcount for the SSL_CTX'
Use the refcount of the SSL_CTX' to free them instead of freeing them on
certains conditions. That way we can free the SSL_CTX everywhere its
pointer is used.
2020-04-08 16:52:51 +02:00
William Lallemand
24be710609 BUG/MINOR: ssl/cli: memory leak in 'set ssl cert'
When deleting the previous SNI entries with 'set ssl cert', the old
SSL_CTX' were not free'd, which probably prevent the completion of the
free of the X509 in the old ckch_store, because of the refcounts in the
SSL library.

This bug was introduced by 150bfa8 ("MEDIUM: cli/ssl: handle the
creation of SSL_CTX in an IO handler").

Must be backported to 2.1.
2020-04-08 15:29:10 +02:00
William Lallemand
41ca930e58 BUG/MINOR: ssl: trailing slashes in directory names wrongly cached
The crtlist_load_cert_dir() caches the directory name without trailing
slashes when ssl_sock_load_cert_list_file() tries to lookup without
cleaning the trailing slashes.

This bug leads to creating the crtlist twice and prevents to remove
correctly a crtlist_entry since it exists in the serveral crtlists
created by accident.

Move the trailing slashes cleanup in ssl_sock_load_cert_list_file() to
fix the problem.

This bug was introduced by 6be66ec ("MINOR: ssl: directories are loaded
like crt-list")
2020-04-08 13:28:07 +02:00
William Lallemand
419e6349f6 MINOR: ssl/cli: 'del ssl cert' deletes a certificate
Delete a certificate store from HAProxy and free its memory. The
certificate must be unused and removed from any crt-list or directory.
The deletion doesn't work with a certificate referenced directly with
the "crt" directive in the configuration.
2020-04-08 12:08:03 +02:00
William Lallemand
36ccc3922d MINOR: ssl/cli: improve error for bundle in add/del ssl crt-list
Bundles are deprecated and can't be used with the crt-list command of
the CLI, improve the error output when trying to use them so the users
can disable them.
2020-04-08 11:01:44 +02:00
William Lallemand
463b524298 BUG/MINOR: ssl/cli: lock the ckch structures during crt-list delete
The cli_parse_del_crtlist() does unlock the ckch big lock, but it does
not lock it at the beginning of the function which is dangerous.
As a side effect it let the structures locked once it called the unlock.

This bug was introduced by 0a9b941 ("MINOR: ssl/cli: 'del ssl crt-list'
delete an entry")
2020-04-08 10:39:38 +02:00
Ilya Shipitsin
6e18f92d4f CI: adopt openssl download script to download all versions
with recent change, OpenSSL download URL was changed in
incompatiable way. i.e. only the most recent openssl version
might be downloaded using previous script.

older versions are available under different URLs. as we need
several openssl versions, let us adopt script accordingly.

bug was caught after travis-ci cache was purged for some reason.
2020-04-07 22:02:41 +02:00
Ilya Shipitsin
2c64a1713d CI: cirrus-ci: rename openssl package after it is renamed in FreeBSD
for the reason yet to be determined FreeBSD has renamed openssl111
to openssl. let us rename as well
2020-04-07 21:58:35 +02:00
William Lallemand
7fd01b3625 MINOR: ssl: improve the errors when a crt can't be open
Issue #574 reported an unclear error when trying to open a file with not
enough permission.

  [ALERT] 096/032117 (835) : parsing [/etc/haproxy/haproxy.cfg:54] : 'bind :443' : error encountered while processing 'crt'.
  [ALERT] 096/032117 (835) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
  [ALERT] 096/032117 (835) : Fatal errors found in configuration.

Improve the error to give us more information:

  [ALERT] 097/142030 (240089) : parsing [test.cfg:22] : 'bind :443' : cannot open the file 'kikyo.pem.rsa'.
  [ALERT] 097/142030 (240089) : Error(s) found in configuration file : test.cfg
  [ALERT] 097/142030 (240089) : Fatal errors found in configuration.

This patch could be backported in 2.1.
2020-04-07 14:26:54 +02:00
Ilya Shipitsin
197af01a9e CI: travis-ci: upgrade openssl to 1.1.1f
openssl has changed download path after 1.1.1f release
2020-04-07 07:26:21 +02:00
Ilya Shipitsin
2f9802b24b CI: travis-ci: enable DEBUG_STRICT=1 for CI builds
DEBUG_STRICT enables the BUG_ON() macro which validates some developers'
assertions in the code that are not enabled for production build but
may sometimes help catch certain rare bugs.

DEBUG_STRICT is set to all builds except one
2020-04-07 07:26:21 +02:00
Ilya Shipitsin
b2931b1670 CI: use better SSL library definition
SSL_LIB is already added to LDFLAGS in Makefile, no need to define it
rpath better be defined using ADDLIB variable
2020-04-07 07:26:21 +02:00