haproxy public development tree
Go to file
Willy Tarreau 468c000db0 BUG/MEDIUM: jwt: fix base64 decoding error detection
Tim reported that a decoding error from the base64 function wouldn't
be matched in case of bad input, and could possibly cause trouble
with -1 being passed in decoded_sig->data. In the case of HMAC+SHA
it is harmless as the comparison is made using memcmp() after checking
for length equality, but in the case of RSA/ECDSA this result is passed
as a size_t to EVP_DigetVerifyFinal() and may depend on the lib's mood.

The fix simply consists in checking the intermediary result before
storing it.

That's precisely what happens with one of the regtests which returned
0 instead of 4 on the intentionally defective token, so the regtest
was fixed as well.

No backport is needed as this is new in this release.
2021-10-15 11:41:16 +02:00
.github CI: github: switch to OpenSSL 3.0.0 2021-10-13 10:21:22 +02:00
addons REORG: time: move time-keeping code and variables to clock.c 2021-10-08 17:22:26 +02:00
admin BUILD: halog: fix a -Wundef warning on non-glibc systems 2021-09-13 09:32:01 +02:00
dev DEV: coccinelle: Add xalloc_cast.cocci 2021-09-17 17:22:05 +02:00
doc MEDIUM: listener: add the "shards" bind keyword 2021-10-14 21:27:48 +02:00
examples MEDIUM: proxy: remove long-broken 'option http_proxy' 2021-07-18 19:35:32 +02:00
include MINOR: resolvers: merge address and target into a union "data" 2021-10-14 22:52:04 +02:00
reg-tests BUG/MEDIUM: jwt: fix base64 decoding error detection 2021-10-15 11:41:16 +02:00
scripts BUILD: adopt script/build-ssl.sh for OpenSSL-3.0.0beta2 2021-08-25 05:16:00 +02:00
src BUG/MEDIUM: jwt: fix base64 decoding error detection 2021-10-15 11:41:16 +02:00
tests CLEANUP: assorted typo fixes in the code and comments 2021-08-16 12:37:59 +02:00
.cirrus.yml CI: introduce scripts/build-vtest.sh for installing VTest 2021-05-18 10:48:30 +02:00
.gitattributes MINOR: Configure the cpp userdiff driver for *.[ch] in .gitattributes 2021-02-22 18:17:57 +01:00
.gitignore DOC: lua-api: Add documentation about lua filters 2021-08-15 20:56:44 +02:00
.mailmap DOC: update Tim's address in .mailmap 2021-09-16 09:14:14 +02:00
.travis.yml CI: travis-ci: temporarily disable arm64 builds 2021-08-07 07:28:15 +02:00
BRANCHES DOC: fix some spelling issues over multiple files 2021-01-08 14:53:47 +01:00
CHANGELOG [RELEASE] Released version 2.5-dev9 2021-10-08 18:22:24 +02:00
CONTRIBUTING CLEANUP: assorted typo fixes in the code and comments 2021-08-16 12:37:59 +02:00
INSTALL CLEANUP: assorted typo fixes in the code and comments 2021-08-16 12:37:59 +02:00
LICENSE
MAINTAINERS CONTRIB: move spoa_example out of the tree 2021-04-21 09:39:06 +02:00
Makefile MINOR: jwt: Parse JWT alg field 2021-10-14 16:38:08 +02:00
README DOC: create a BRANCHES file to explain the life cycle 2019-06-15 22:00:14 +02:00
ROADMAP DOC: update the outdated ROADMAP file 2019-06-15 21:59:54 +02:00
SUBVERS
VERDATE [RELEASE] Released version 2.5-dev9 2021-10-08 18:22:24 +02:00
VERSION [RELEASE] Released version 2.5-dev9 2021-10-08 18:22:24 +02:00

The HAProxy documentation has been split into a number of different files for
ease of use.

Please refer to the following files depending on what you're looking for :

  - INSTALL for instructions on how to build and install HAProxy
  - BRANCHES to understand the project's life cycle and what version to use
  - LICENSE for the project's license
  - CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located into the doc/ directory :

  - doc/intro.txt for a quick introduction on HAProxy
  - doc/configuration.txt for the configuration's reference manual
  - doc/lua.txt for the Lua's reference manual
  - doc/SPOE.txt for how to use the SPOE engine
  - doc/network-namespaces.txt for how to use network namespaces under Linux
  - doc/management.txt for the management guide
  - doc/regression-testing.txt for how to use the regression testing suite
  - doc/peers.txt for the peers protocol reference
  - doc/coding-style.txt for how to adopt HAProxy's coding style
  - doc/internals for developer-specific documentation (not all up to date)