Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Hi, I'd like to update pound in jessie so that the SSLAllowClientRenegotiation option actually disables SSL client-initiated renegotiation, as it is documented to do (#765649). The same patch has been uploaded to sid a few days ago. Wheezy and earlier are not affected by this specific issue. After this patch is applied I can get an "A" score at SSLlabs with pound. Cheers, Thijs -- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init)
diff -Nru pound-2.6/debian/changelog pound-2.6/debian/changelog
--- pound-2.6/debian/changelog 2014-10-19 23:49:01.000000000 +0000
+++ pound-2.6/debian/changelog 2015-05-07 16:30:55.000000000 +0000
@@ -1,3 +1,11 @@
+pound (2.6-6+deb8u1) jessie; urgency=medium
+
+ * Non-maintainer upload by the security team with maintainer approval.
+ * Add missing part of anti_beast patch to fix disabling of client
+ renegotiation. (Closes: #765649)
+
+ -- Thijs Kinkhorst <th...@debian.org> Tue, 05 May 2015 13:27:06 +0000
+
 pound (2.6-6) unstable; urgency=low
 * Add options to disable SSLv2 and SSLv3.
diff -Nru pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch
--- pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch 1970-01-01 00:00:00.000000000 +0000
+++ pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch 2015-05-07 16:30:22.000000000 +0000
@@ -0,0 +1,120 @@
+Added the missing parts that makes the option SSLAllowClientRenegotiation
+work as advertised, allowing client initiated renegotiation to be turned off.
+This patch is a compliment to the changes introduced in the 0001-anti_beast.patch,
+which was missing the changes to http.c as seen in the original patch from
+Joe Gooch <mrwiz...@k12system.com> at:
+http://goochfriend.org/pound_2.6f_ssl_renegotiation_and_ciphers.patch
+
+--- a/http.c
++++ b/http.c
+@@ -273,6 +273,11 @@
+ 
+ static int err_to = -1;
+ 
++typedef struct {
++ int timeout;
++ RENEG_STATE *reneg_state;
++} BIO_ARG;
++
+ /*
+ * Time-out for client read/gets
+ * the SSL manual says not to do it, but it works well enough anyway...
+@@ -280,6 +285,7 @@
+ static long
+ bio_callback(BIO *const bio, const int cmd, const char *argp, int argi, long argl, long ret)
+ {
++ BIO_ARG *bio_arg;
+ struct pollfd p;
+ int to, p_res, p_err;
+ 
+@@ -287,11 +293,22 @@
+ return ret;
+ 
+ /* a time-out already occured */
+- if((to = *((int *)BIO_get_callback_arg(bio)) * 1000) < 0) {
++ if((bio_arg = (BIO_ARG*)BIO_get_callback_arg(bio))==NULL) return ret;
++ if((to = bio_arg->timeout * 1000) < 0) {
+ errno = ETIMEDOUT;
+ return -1;
+ }
+ 
++ /* Renegotiations */
++ if (bio_arg->reneg_state != NULL && *bio_arg->reneg_state == RENEG_ABORT) {
++ logmsg(LOG_NOTICE, "REJECTING renegotiated session");
++ errno = ECONNABORTED;
++ return -1;
++ }
++
++ //logmsg(LOG_NOTICE, "TO %d", to);
++ if (to == 0) return ret;
++
+ for(;;) {
+ memset(&p, 0, sizeof(p));
+ BIO_get_fd(bio, &p.fd);
+@@ -326,7 +343,7 @@
+ return -1;
+ case 0:
+ /* timeout - mark the BIO as unusable for the future */
+- BIO_set_callback_arg(bio, (char *)&err_to);
++ bio_arg->timeout = err_to;
+ #ifdef EBUG
+ logmsg(LOG_WARNING, "(%lx) CALLBACK timeout poll after %d secs: %s",
+ pthread_self(), to / 1000, strerror(p_err));
+@@ -531,6 +548,15 @@
+ struct linger l;
+ double start_req, end_req;
+ 
++ RENEG_STATE reneg_state;
++ BIO_ARG ba1, ba2;
++
++ reneg_state = RENEG_INIT;
++ ba1.reneg_state = &reneg_state;
++ ba2.reneg_state = &reneg_state;
++ ba1.timeout = 0;
++ ba2.timeout = 0;
++
+ from_host = ((thr_arg *)arg)->from_host;
+ memcpy(&from_host_addr, from_host.ai_addr, from_host.ai_addrlen);
+ from_host.ai_addr = (struct sockaddr *)&from_host_addr;
+@@ -539,6 +565,8 @@
+ free(((thr_arg *)arg)->from_host.ai_addr);
+ free(arg);
+ 
++ if(lstn->allow_client_reneg) reneg_state = RENEG_ALLOW;
++
+ n = 1;
+ setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&n, sizeof(n));
+ l.l_onoff = 1;
+@@ -562,10 +590,10 @@
+ close(sock);
+ return;
+ }
+- if(lstn->to > 0) {
+- BIO_set_callback_arg(cl, (char *)&lstn->to);
+- BIO_set_callback(cl, bio_callback);
+- }
++
++ ba1.timeout = lstn->to;
++ BIO_set_callback_arg(cl, (char *)&ba1);
++ BIO_set_callback(cl, bio_callback);
+ 
+ if(lstn->ctx != NULL) {
+ if((ssl = SSL_new(lstn->ctx->ctx)) == NULL) {
+@@ -574,6 +602,7 @@
+ BIO_free_all(cl);
+ return;
+ }
++ SSL_set_app_data(ssl, &reneg_state);
+ SSL_set_bio(ssl, cl, cl);
+ if((bb = BIO_new(BIO_f_ssl())) == NULL) {
+ logmsg(LOG_WARNING, "(%lx) BIO_new(Bio_f_ssl()) failed", pthread_self());
+@@ -875,7 +904,8 @@
+ }
+ BIO_set_close(be, BIO_CLOSE);
+ if(backend->to > 0) {
+- BIO_set_callback_arg(be, (char *)&backend->to);
++ ba2.timeout = backend->to;
++ BIO_set_callback_arg(be, (char *)&ba2);
+ BIO_set_callback(be, bio_callback);
+ }
+ if(backend->ctx != NULL) {
diff -Nru pound-2.6/debian/patches/series pound-2.6/debian/patches/series
--- pound-2.6/debian/patches/series 2014-10-19 23:50:51.000000000 +0000
+++ pound-2.6/debian/patches/series 2015-05-07 16:30:22.000000000 +0000
@@ -5,3 +5,4 @@
 0005-wait_on_semaphore_fix.patch
 0006-add_mkcalendar_support.patch
 0007-anti_poodle.patch
+0008-disable_client_initiated_renegotiation.patch
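Review bot: The new rejection path in bio_callback logs `REJECTING renegotiated session` without the `(%lx)` thread-id prefix that the other logmsg calls in this patch carry (`"(%lx) CALLBACK timeout poll after %d secs: %s"`, `"(%lx) BIO_new(Bio_f_ssl()) failed"`), so an operator cannot tie the rejection to the rest of that connection's log lines; use `logmsg(LOG_NOTICE, "(%lx) REJECTING renegotiated session", pthread_self());`. The same function also keeps the commented-out debug line `//logmsg(LOG_NOTICE, "TO %d", to);`, and the `/* a time-out already occured */` comment now sits above the NULL check of the callback argument rather than the `to < 0` test it describes — both should be tidied. In the per-connection function (whose start and end lie outside the hunks shown) `reneg_state`, `ba1` and `ba2` are automatic variables whose addresses are stored in `cl`, `be` and, via `SSL_set_app_data`, in `ssl`, and `ba2` shares `reneg_state` with the client side so a rejected client renegotiation also aborts the backend BIO; a comment such as `/* reneg_state, ba1 and ba2 must outlive cl, be and ssl: all three hold raw pointers into this frame */` would make that requirement explicit for whoever next reorders the teardown. Note also that the client-side callback is now installed unconditionally instead of only when `lstn->to > 0`, so a negative listener timeout — if the config parser ever allows one — would now trip the `to < 0` ETIMEDOUT branch on the first read rather than being ignored; worth confirming against the parser.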