Hello community,
here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2014-08-05 21:11:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/haproxy (Old)
and /work/SRC/openSUSE:Factory/.haproxy.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy"
Changes:
--------
--- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2014-07-21 22:34:38.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.haproxy.new/haproxy.changes 2014-08-05 21:11:27.000000000 +0200
@@ -1,0 +2,39 @@
+Wed Jul 30 09:47:38 UTC 2014 - mrueckert@suse.de
+
+- pull important fixes from git:
+ 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch
+ 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch
+ 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch
+ Especially the last patch is important:
+ As a consequence of various recent changes on the sample
+ conversion, a corner case has emerged where it is possible to
+ wait forever for a sample in track-sc*.
+
+-------------------------------------------------------------------
+Mon Jul 28 11:33:14 UTC 2014 - kgronlund@suse.com
+
+- update to 1.5.3
+ - DOC: fix typo in Unix Socket commands
+ - BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header
+ - BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange
+ - DOC: mention that Squid correctly responds 400 to PPv2 header
+ - BUG/MINOR: http: base32+src should use the big endian version of base32
+ - BUG/MEDIUM: connection: fix proxy v2 header again!
+- Removed backported patches:
+ - 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch
+ - 0002-DOC-fix-typo-in-Unix-Socket-commands.patch
+ - 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch
+ - 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch
+ - 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch
+ - 0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch
+
+-------------------------------------------------------------------
+Mon Jul 21 13:45:40 UTC 2014 - mrueckert@suse.de
+
+- added 0006-BUG-MEDIUM-connection-fix-proxy-v2-header-again.patch:
+ Last commit 77d1f01 ("BUG/MEDIUM: connection: fix memory
+ corruption when building a proxy v2 header") was wrong, using
+ &cn_trash instead of cn_trash resulting in a warning and the
+ client's SSL cert CN not being stored at the proper location.
+
+-------------------------------------------------------------------
Old:
----
0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch
0002-DOC-fix-typo-in-Unix-Socket-commands.patch
0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch
0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch
0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch
haproxy-1.5.2.tar.gz
New:
----
0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch
0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch
0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch
haproxy-1.5.3.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ haproxy.spec ++++++
--- /var/tmp/diff_new_pack.GUnyrA/_old 2014-08-05 21:11:28.000000000 +0200
+++ /var/tmp/diff_new_pack.GUnyrA/_new 2014-08-05 21:11:28.000000000 +0200
@@ -33,7 +33,7 @@
%bcond_without apparmor
Name: haproxy
-Version: 1.5.2
+Version: 1.5.3
Release: 0
#
#
@@ -61,11 +61,9 @@
Patch2: haproxy-makefile_lib.patch
Patch3: sec-options.patch
Patch4: haproxy-1.5_check_config_before_start.patch
-Patch5: 0001-DOC-mention-that-Squid-correctly-responds-400-to-PPv.patch
-Patch6: 0002-DOC-fix-typo-in-Unix-Socket-commands.patch
-Patch7: 0003-BUG-MEDIUM-ssl-Fix-a-memory-leak-in-DHE-key-exchange.patch
-Patch8: 0004-BUG-MINOR-http-base32-src-should-use-the-big-endian-.patch
-Patch9: 0005-BUG-MEDIUM-connection-fix-memory-corruption-when-bui.patch
+Patch5: 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch
+Patch6: 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch
+Patch7: 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch
Source99: haproxy-rpmlintrc
#
Summary: The Reliable, High Performance TCP/HTTP Load Balancer
@@ -102,8 +100,6 @@
%patch5 -p1
%patch6 -p1
%patch7 -p1
-%patch8 -p1
-%patch9 -p1
%build
%{__make} \
++++++ 0001-BUG-MINOR-server-move-the-directive-endif-to-the-end.patch ++++++
From ad65af7dab9b8d8033fd09d8031cc774a6fbf768 Mon Sep 17 00:00:00 2001
From: Godbach
Date: Mon, 28 Jul 2014 17:31:57 +0800
Subject: [PATCH 1/3] BUG/MINOR: server: move the directive #endif to the end
of file
If a source file includes proto/server.h twice or more, redefinition errors will
be triggered for such inline functions as server_throttle_rate(),
server_is_draining(), srv_adm_set_maint() and so on. Just move #endif directive
to the end of file to solve this issue.
Signed-off-by: Godbach
(cherry picked from commit e468d55998e134dac1b18d5d9d075ffd5691c827)
---
include/proto/server.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/proto/server.h b/include/proto/server.h
index 9893266..71c8b13 100644
--- a/include/proto/server.h
+++ b/include/proto/server.h
@@ -54,8 +54,6 @@ static void inline srv_set_sess_last(struct server *s)
s->counters.last_sess = now.tv_sec;
}
-#endif /* _PROTO_SERVER_H */
-
/*
* Registers the server keyword list <kwl> as a list of valid keywords for next
* parsing sessions.
@@ -200,6 +198,8 @@ static inline void srv_adm_set_ready(struct server *s)
srv_clr_admin_flag(s, SRV_ADMF_FMAINT);
}
+#endif /* _PROTO_SERVER_H */
+
/*
* Local variables:
* c-indent-level: 8
--
1.8.4.5
++++++ 0002-BUG-MINOR-Fix-search-for-p-argument-in-systemd-wrapp.patch ++++++
From 715e9b892f564e58489f86c125aed2a8994f16e9 Mon Sep 17 00:00:00 2001
From: Conrad Hoffmann
Date: Mon, 28 Jul 2014 23:22:43 +0200
Subject: [PATCH 2/3] BUG/MINOR: Fix search for -p argument in systemd wrapper.
Searching for the pid file in the list of arguments did not
take flags without parameters into account, like e.g. -de. Because
of this, the wrapper would use a different pid file than haproxy
if such an argument was specified before -p.
The new version can still yield a false positive for some crazy
situations, like your config file name starting with "-p", but
I think this is as good as it gets without using getopt or some
library.
Signed-off-by: Conrad Hoffmann
(cherry picked from commit eb2cf45b72a7e14c581276247381dc1ac76be2c0)
---
src/haproxy-systemd-wrapper.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/src/haproxy-systemd-wrapper.c b/src/haproxy-systemd-wrapper.c
index ba07ebe..529b213 100644
--- a/src/haproxy-systemd-wrapper.c
+++ b/src/haproxy-systemd-wrapper.c
@@ -130,11 +130,8 @@ static void sigint_handler(int signum __attribute__((unused)))
static void init(int argc, char **argv)
{
while (argc > 1) {
- if (**argv == '-') {
- char *flag = *argv + 1;
- --argc; ++argv;
- if (*flag == 'p')
- pid_file = *argv;
+ if ((*argv)[0] == '-' && (*argv)[1] == 'p') {
+ pid_file = *(argv + 1);
}
--argc; ++argv;
}
--
1.8.4.5
++++++ 0003-BUG-MAJOR-tcp-fix-a-possible-busy-spinning-loop-in-c.patch ++++++
From f94735eb76e634d7531f9c903113f64820c4cec0 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Wed, 30 Jul 2014 08:56:35 +0200
Subject: [PATCH 3/3] BUG/MAJOR: tcp: fix a possible busy spinning loop in
content track-sc*
As a consequence of various recent changes on the sample conversion,
a corner case has emerged where it is possible to wait forever for a
sample in track-sc*.
The issue is caused by the fact that functions relying on sample_process()
don't all exactly work the same regarding the SMP_F_MAY_CHANGE flag and
the output result. Here it was possible to wait forever for an output
sample from stktable_fetch_key() without checking the SMP_OPT_FINAL flag.
As a result, if the client connects and closes without sending the data
and haproxy expects a sample which is capable of coming, it will ignore
this impossible case and will continue to wait.
This change adds control for SMP_OPT_FINAL before waiting for extra data.
The various relevant functions have been better documented regarding their
output values.
This fix must be backported to 1.5 since it appeared there.
(cherry picked from commit 6bcb0a84e7256f00793fa8ec8a0d6c19c3b22935)
---
src/proto_tcp.c | 4 ++--
src/sample.c | 23 ++++++++++++++++++++++-
src/stick_table.c | 11 ++++++++++-
3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 9778856..72dc92b 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -1048,8 +1048,8 @@ int tcp_inspect_request(struct session *s, struct channel *req, int an_bit)
t = rule->act_prm.trk_ctr.table.t;
key = stktable_fetch_key(t, s->be, s, &s->txn, SMP_OPT_DIR_REQ | partial, rule->act_prm.trk_ctr.expr, &smp);
- if (smp.flags & SMP_F_MAY_CHANGE)
- goto missing_data;
+ if ((smp.flags & SMP_F_MAY_CHANGE) && !(partial & SMP_OPT_FINAL))
+ goto missing_data; /* key might appear later */
if (key && (ts = stktable_get_entry(t, key))) {
session_track_stkctr(&s->stkctr[tcp_trk_idx(rule->action)], t, ts);
diff --git a/src/sample.c b/src/sample.c
index 3a0f3fb..8e62640 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -896,6 +896,18 @@ out_error:
* Note: the fetch functions are required to properly set the return type. The
* conversion functions must do so too. However the cast functions do not need
* to since they're made to cast mutiple types according to what is required.
+ *
+ * The caller may indicate in <opt> if it considers the result final or not.
+ * The caller needs to check the SMP_F_MAY_CHANGE flag in p->flags to verify
+ * if the result is stable or not, according to the following table :
+ *
+ * return MAY_CHANGE FINAL Meaning for the sample
+ * NULL 0 * Not present and will never be (eg: header)
+ * NULL 1 0 Not present yet, could change (eg: POST param)
+ * NULL 1 1 Not present yet, will not change anymore
+ * smp 0 * Present and will not change (eg: header)
+ * smp 1 0 Present, may change (eg: request length)
+ * smp 1 1 Present, last known value (eg: request length)
*/
struct sample *sample_process(struct proxy *px, struct session *l4, void *l7,
unsigned int opt,
@@ -1153,7 +1165,16 @@ int smp_resolve_args(struct proxy *p)
* and <opt> does not contain SMP_OPT_FINAL, then the sample is returned as-is
* with its SMP_F_MAY_CHANGE flag so that the caller can check it and decide to
* take actions (eg: wait longer). If a sample could not be found or could not
- * be converted, NULL is returned.
+ * be converted, NULL is returned. The caller MUST NOT use the sample if the
+ * SMP_F_MAY_CHANGE flag is present, as it is used only as a hint that there is
+ * still hope to get it after waiting longer, and is not converted to string.
+ * The possible output combinations are the following :
+ *
+ * return MAY_CHANGE FINAL Meaning for the sample
+ * NULL * * Not present and will never be (eg: header)
+ * smp 0 * Final value converted (eg: header)
+ * smp 1 0 Not present yet, may appear later (eg: header)
+ * smp 1 1 never happens (either flag is cleared on output)
*/
struct sample *sample_fetch_string(struct proxy *px, struct session *l4, void *l7,
unsigned int opt, struct sample_expr *expr)
diff --git a/src/stick_table.c b/src/stick_table.c
index a708d3c..d39b4ff 100644
--- a/src/stick_table.c
+++ b/src/stick_table.c
@@ -603,7 +603,16 @@ static sample_to_key_fct sample_to_key[SMP_TYPES][STKTABLE_TYPES] = {
* no key could be extracted, or a pointer to the converted result stored in
* static_table_key in format . If <smp> is not NULL, it will be reset
* and its flags will be initialized so that the caller gets a copy of the input
- * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present).
+ * sample, and knows why it was not accepted (eg: SMP_F_MAY_CHANGE is present
+ * without SMP_OPT_FINAL). The output will be usable like this :
+ *
+ * return MAY_CHANGE FINAL Meaning for the sample
+ * NULL 0 * Not present and will never be (eg: header)
+ * NULL 1 0 Not present or unstable, could change (eg: req_len)
+ * NULL 1 1 Not present, will not change anymore
+ * smp 0 * Present and will not change (eg: header)
+ * smp 1 0 not possible
+ * smp 1 1 Present, last known value (eg: request length)
*/
struct stktable_key *stktable_fetch_key(struct stktable *t, struct proxy *px, struct session *l4, void *l7,
unsigned int opt, struct sample_expr *expr, struct sample *smp)
--
1.8.4.5
++++++ haproxy-1.5.2.tar.gz -> haproxy-1.5.3.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/CHANGELOG new/haproxy-1.5.3/CHANGELOG
--- old/haproxy-1.5.2/CHANGELOG 2014-07-12 16:40:52.000000000 +0200
+++ new/haproxy-1.5.3/CHANGELOG 2014-07-25 08:56:07.000000000 +0200
@@ -1,6 +1,14 @@
ChangeLog :
===========
+2014/07/25 : 1.5.3
+ - DOC: fix typo in Unix Socket commands
+ - BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header
+ - BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange
+ - DOC: mention that Squid correctly responds 400 to PPv2 header
+ - BUG/MINOR: http: base32+src should use the big endian version of base32
+ - BUG/MEDIUM: connection: fix proxy v2 header again!
+
2014/07/12 : 1.5.2
- BUG/MEDIUM: backend: Update hash to use unsigned int throughout
- BUG/MINOR: ssl: Fix external function in order not to return a pointer on an internal trash buffer.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/README new/haproxy-1.5.3/README
--- old/haproxy-1.5.2/README 2014-07-12 16:40:52.000000000 +0200
+++ new/haproxy-1.5.3/README 2014-07-25 08:56:07.000000000 +0200
@@ -1,9 +1,9 @@
----------------------
HAProxy how-to
----------------------
- version 1.5.2
+ version 1.5.3
willy tarreau
- 2014/07/12
+ 2014/07/25
1) How to build it
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/VERDATE new/haproxy-1.5.3/VERDATE
--- old/haproxy-1.5.2/VERDATE 2014-07-12 16:40:52.000000000 +0200
+++ new/haproxy-1.5.3/VERDATE 2014-07-25 08:56:07.000000000 +0200
@@ -1,2 +1,2 @@
$Format:%ci$
-2014/07/12
+2014/07/25
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/VERSION new/haproxy-1.5.3/VERSION
--- old/haproxy-1.5.2/VERSION 2014-07-12 16:40:52.000000000 +0200
+++ new/haproxy-1.5.3/VERSION 2014-07-25 08:56:07.000000000 +0200
@@ -1 +1 @@
-1.5.2
+1.5.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/doc/configuration.txt new/haproxy-1.5.3/doc/configuration.txt
--- old/haproxy-1.5.2/doc/configuration.txt 2014-07-12 16:40:52.000000000 +0200
+++ new/haproxy-1.5.3/doc/configuration.txt 2014-07-25 08:56:07.000000000 +0200
@@ -2,9 +2,9 @@
HAProxy
Configuration Manual
----------------------
- version 1.5.2
+ version 1.5.3
willy tarreau
- 2014/07/12
+ 2014/07/25
This document covers the configuration language as implemented in the version
@@ -13869,7 +13869,7 @@
endless transfer is ongoing. Such terminated sessions are reported with a 'K'
flag in the logs.
-shutdown sessions <backend>/<server>
+shutdown sessions server <backend>/<server>
Immediately terminate all the sessions attached to the specified server. This
can be used to terminate long-running sessions after a server is put into
maintenance mode, for instance. Such terminated sessions are reported with a
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/doc/proxy-protocol.txt new/haproxy-1.5.3/doc/proxy-protocol.txt
--- old/haproxy-1.5.2/doc/proxy-protocol.txt 2014-07-12 16:40:52.000000000 +0200
+++ new/haproxy-1.5.3/doc/proxy-protocol.txt 2014-07-25 08:56:07.000000000 +0200
@@ -1,4 +1,4 @@
-2014/06/14 Willy Tarreau
+2014/07/25 Willy Tarreau
HAProxy Technologies
The PROXY protocol
Versions 1 & 2
@@ -21,6 +21,7 @@
2014/05/18 - modify and extend PROXY protocol version 2
2014/06/11 - fix example code to consider ver+cmd merge
2014/06/14 - fix v2 header check in example code, and update Forwarded spec
+ 2014/07/12 - update list of implementations (add Squid)
1. Background
@@ -692,6 +693,7 @@
- thttpd 2.20c : 400 Bad Request + abort => pass/optimal
- mini-httpd-1.19 : 400 Bad Request + abort => pass/optimal
- haproxy 1.4.21 : 400 Bad Request + abort => pass/optimal
+ - Squid 3 : 400 Bad Request + abort => pass/optimal
- SSL :
- stud 0.3.47 : connection abort => pass/optimal
- stunnel 4.45 : connection abort => pass/optimal
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/examples/haproxy.spec new/haproxy-1.5.3/examples/haproxy.spec
--- old/haproxy-1.5.2/examples/haproxy.spec 2014-07-12 16:40:52.000000000 +0200
+++ new/haproxy-1.5.3/examples/haproxy.spec 2014-07-25 08:56:07.000000000 +0200
@@ -1,6 +1,6 @@
Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments
Name: haproxy
-Version: 1.5.2
+Version: 1.5.3
Release: 1
License: GPL
Group: System Environment/Daemons
@@ -76,6 +76,9 @@
%attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
%changelog
+* Fri Jul 25 2014 Willy Tarreau
+- updated to 1.5.3
+
* Sat Jul 12 2014 Willy Tarreau
- updated to 1.5.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/src/connection.c new/haproxy-1.5.3/src/connection.c
--- old/haproxy-1.5.2/src/connection.c 2014-07-12 16:40:52.000000000 +0200
+++ new/haproxy-1.5.3/src/connection.c 2014-07-25 08:56:07.000000000 +0200
@@ -622,6 +622,7 @@
char *value = NULL;
struct tlv_ssl *tlv;
int ssl_tlv_len = 0;
+ struct chunk *cn_trash;
#endif
if (buf_len < PP2_HEADER_LEN)
@@ -682,8 +683,9 @@
tlv->verify = htonl(ssl_sock_get_verify_result(remote));
}
if (srv->pp_opts & SRV_PP_V2_SSL_CN) {
- if (ssl_sock_get_remote_common_name(remote, &trash) > 0) {
- tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, trash.len, trash.str);
+ cn_trash = get_trash_chunk();
+ if (ssl_sock_get_remote_common_name(remote, cn_trash) > 0) {
+ tlv_len = make_tlv(&buf[ret+ssl_tlv_len], (buf_len - ret - ssl_tlv_len), PP2_TYPE_SSL_CN, cn_trash->len, cn_trash->str);
ssl_tlv_len += tlv_len;
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/src/proto_http.c new/haproxy-1.5.3/src/proto_http.c
--- old/haproxy-1.5.2/src/proto_http.c 2014-07-12 16:40:52.000000000 +0200
+++ new/haproxy-1.5.3/src/proto_http.c 2014-07-25 08:56:07.000000000 +0200
@@ -10358,8 +10358,8 @@
return 0;
temp = get_trash_chunk();
- memcpy(temp->str + temp->len, &smp->data.uint, sizeof(smp->data.uint));
- temp->len += sizeof(smp->data.uint);
+ *(unsigned int *)temp->str = htonl(smp->data.uint);
+ temp->len += sizeof(unsigned int);
switch (cli_conn->addr.from.ss_family) {
case AF_INET:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/haproxy-1.5.2/src/ssl_sock.c new/haproxy-1.5.3/src/ssl_sock.c
--- old/haproxy-1.5.2/src/ssl_sock.c 2014-07-12 16:40:52.000000000 +0200
+++ new/haproxy-1.5.3/src/ssl_sock.c 2014-07-25 08:56:07.000000000 +0200
@@ -105,6 +105,13 @@
int sslconns = 0;
int totalsslconns = 0;
+#ifndef OPENSSL_NO_DH
+static DH *local_dh_1024 = NULL;
+static DH *local_dh_2048 = NULL;
+static DH *local_dh_4096 = NULL;
+static DH *local_dh_8192 = NULL;
+#endif /* OPENSSL_NO_DH */
+
#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
struct certificate_ocsp {
struct ebmb_node key;
@@ -1034,16 +1041,16 @@
}
if (keylen >= 8192) {
- dh = ssl_get_dh_8192();
+ dh = local_dh_8192;
}
else if (keylen >= 4096) {
- dh = ssl_get_dh_4096();
+ dh = local_dh_4096;
}
else if (keylen >= 2048) {
- dh = ssl_get_dh_2048();
+ dh = local_dh_2048;
}
else {
- dh = ssl_get_dh_1024();
+ dh = local_dh_1024;
}
return dh;
@@ -1079,11 +1086,11 @@
if (global.tune.ssl_default_dh_param <= 1024) {
/* we are limited to DH parameter of 1024 bits anyway */
- dh = ssl_get_dh_1024();
- if (dh == NULL)
+ local_dh_1024 = ssl_get_dh_1024();
+ if (local_dh_1024 == NULL)
goto end;
- SSL_CTX_set_tmp_dh(ctx, dh);
+ SSL_CTX_set_tmp_dh(ctx, local_dh_1024);
}
else {
SSL_CTX_set_tmp_dh_callback(ctx, ssl_get_tmp_dh);
@@ -1594,6 +1601,28 @@
global.tune.ssl_default_dh_param = 1024;
}
+#ifndef OPENSSL_NO_DH
+ if (global.tune.ssl_default_dh_param >= 1024) {
+ if (local_dh_1024 == NULL) {
+ local_dh_1024 = ssl_get_dh_1024();
+ }
+ if (global.tune.ssl_default_dh_param >= 2048) {
+ if (local_dh_2048 == NULL) {
+ local_dh_2048 = ssl_get_dh_2048();
+ }
+ if (global.tune.ssl_default_dh_param >= 4096) {
+ if (local_dh_4096 == NULL) {
+ local_dh_4096 = ssl_get_dh_4096();
+ }
+ if (global.tune.ssl_default_dh_param >= 8192 &&
+ local_dh_8192 == NULL) {
+ local_dh_8192 = ssl_get_dh_8192();
+ }
+ }
+ }
+ }
+#endif /* OPENSSL_NO_DH */
+
SSL_CTX_set_info_callback(ctx, ssl_sock_infocbk);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
SSL_CTX_set_msg_callback(ctx, ssl_sock_msgcbk);
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org