Add .gitignore
1 From: Brett Parker <brettp@mythic-beasts.com>
2 Date: Sun, 19 Oct 2014 23:11:14 +0100
3 Subject: anti_poodle
4
5   - Allow disabling of SSLv2 and SSLv3
6 ---
7  config.c |   21 ++++++++++++++++++++-
8  pound.h  |    2 ++
9  2 files changed, 22 insertions(+), 1 deletion(-)
10
11 diff --git a/config.c b/config.c
12 index 9adbe9d..3f871ec 100755
13 --- a/config.c
14 +++ b/config.c
15 @@ -76,7 +76,7 @@ static regex_t  ListenHTTP, ListenHTTPS, End, Address, Port, Cert, xHTTP, Client
16  static regex_t  Err414, Err500, Err501, Err503, MaxRequest, HeadRemove, RewriteLocation, RewriteDestination;
17  static regex_t  Service, ServiceName, URL, HeadRequire, HeadDeny, BackEnd, Emergency, Priority, HAport, HAportAddr;
18  static regex_t  Redirect, RedirectN, TimeOut, Session, Type, TTL, ID, DynScale;
19 -static regex_t  ClientCert, AddHeader, SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11;
20 +static regex_t  ClientCert, AddHeader, DisableSSLv2, DisableSSLv3, SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11;
21  static regex_t  Grace, Include, ConnTO, IgnoreCase, HTTPS, HTTPSCert, Disabled, Threads, CNName;
22  
23  static regmatch_t   matches[5];
24 @@ -864,6 +864,8 @@ parse_HTTPS(void)
25      res->err501 = "This method may not be used.";
26      res->err503 = "The service is not available. Please try again later.";
27      res->allow_client_reneg = 0;
28 +    res->disable_ssl_v2 = 0;
29 +    res->disable_ssl_v3 = 0;
30      res->log_level = log_level;
31      if(regcomp(&res->verb, xhttp[0], REG_ICASE | REG_NEWLINE | REG_EXTENDED))
32          conf_err("xHTTP bad default pattern - aborted");
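Review bot: Both new flags default to 0 here, so SSLv2 and SSLv3 stay enabled on every listener that does not explicitly add `DisableSSLv2` / `DisableSSLv3` to its config; for an "anti_poodle" patch that is the wrong default, and for SSLv2 there is no legitimate reason to ever leave it on. At minimum set `res->disable_ssl_v2 = 1;` unconditionally (or drop the option and always pass SSL_OP_NO_SSLv2 where the context is built), and consider defaulting `res->disable_ssl_v3 = 1;` as well, with the directive re-purposed or a companion directive added for the rare deployment that must re-enable it — that changes the config interface, so it wants a matching note in the man page and Debian changelog. parse_HTTPS() begins before this hunk.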
33 @@ -1049,6 +1051,10 @@ parse_HTTPS(void)
34                  strcat(res->add_head, "\r\n");
35                  strcat(res->add_head, lin + matches[1].rm_so);
36              }
37 +       } else if(!regexec(&DisableSSLv2, lin, 4, matches, 0)) {
38 +           res->disable_ssl_v2 = 1;
39 +       } else if(!regexec(&DisableSSLv3, lin, 4, matches, 0)) {
40 +           res->disable_ssl_v3 = 1;
41          } else if(!regexec(&SSLAllowClientRenegotiation, lin, 4, matches, 0)) {
42              res->allow_client_reneg = atoi(lin + matches[1].rm_so);
43              if (res->allow_client_reneg == 2) {
44 @@ -1145,7 +1151,16 @@ parse_HTTPS(void)
45                  SSL_CTX_set_app_data(pc->ctx, res);
46                  SSL_CTX_set_mode(pc->ctx, SSL_MODE_AUTO_RETRY);
47                  SSL_CTX_set_options(pc->ctx, ssl_op_enable);
48 +                SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION);
49                  SSL_CTX_clear_options(pc->ctx, ssl_op_disable);
50 +               if (res->disable_ssl_v2 == 1)
51 +               {
52 +                   SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv2);
53 +               }
54 +               if (res->disable_ssl_v3 == 1)
55 +               {
56 +                   SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv3);
57 +               }
58                  sprintf(lin, "%d-Pound-%ld", getpid(), random());
59                  SSL_CTX_set_session_id_context(pc->ctx, (unsigned char *)lin, strlen(lin));
60                  SSL_CTX_set_tmp_rsa_callback(pc->ctx, RSA_tmp_callback);
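Review bot: `SSL_CTX_set_options(pc->ctx, SSL_OP_NO_COMPRESSION);` is added unconditionally but is not mentioned in the patch description, which only talks about SSLv2/SSLv3; a reader debugging a client that relied on TLS compression will not find it. Either note it in the Subject/description ("also disable TLS compression (CRIME)") or add a one-line comment above the call, e.g. `/* TLS compression is never safe to offer (CRIME); always off */`. The two new `if` blocks also use Allman braces and a 15-column indent, while the surrounding code (e.g. `if (res->allow_client_reneg == 2) {` in the previous hunk) uses K&R braces and 16 columns; `if(res->disable_ssl_v2) SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv2);` matches the file's style. Ordering is fine as written, since the `SSL_CTX_clear_options(pc->ctx, ssl_op_disable)` call precedes the new sets and so cannot undo them, assuming ssl_op_disable (defined outside this hunk) is not applied again later.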
61 @@ -1346,6 +1361,8 @@ config_parse(const int argc, char **const argv)
62      || regcomp(&ClientCert, "^[ \t]*ClientCert[ \t]+([0-3])[ \t]+([1-9])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
63      || regcomp(&AddHeader, "^[ \t]*AddHeader[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
64      || regcomp(&SSLAllowClientRenegotiation, "^[ \t]*SSLAllowClientRenegotiation[ \t]+([012])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
65 +    || regcomp(&DisableSSLv2, "^[ \t]*DisableSSLv2[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
66 +    || regcomp(&DisableSSLv3, "^[ \t]*DisableSSLv3[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
67      || regcomp(&SSLHonorCipherOrder, "^[ \t]*SSLHonorCipherOrder[ \t]+([01])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
68      || regcomp(&Ciphers, "^[ \t]*Ciphers[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
69      || regcomp(&CAlist, "^[ \t]*CAlist[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
70 @@ -1506,6 +1523,8 @@ config_parse(const int argc, char **const argv)
71      regfree(&ClientCert);
72      regfree(&AddHeader);
73      regfree(&SSLAllowClientRenegotiation);
74 +    regfree(&DisableSSLv2);
75 +    regfree(&DisableSSLv3);
76      regfree(&SSLHonorCipherOrder);
77      regfree(&Ciphers);
78      regfree(&CAlist);
79 diff --git a/pound.h b/pound.h
80 index 5d0c880..2417aaa 100755
81 --- a/pound.h
82 +++ b/pound.h
83 @@ -405,6 +405,8 @@ typedef struct _listener {
84      int                 disabled;       /* true if the listener is disabled */
85      int                 log_level;      /* log level for this listener */
86      int                 allow_client_reneg; /* Allow Client SSL Renegotiation */
87 +    int                disable_ssl_v2; /* Disable SSL version 2 */
88 +    int                disable_ssl_v3; /* Disable SSL version 3 */
89      SERVICE             *services;
90      struct _listener    *next;
91  }   LISTENER;