From 45f40bac4cd256935d3157cd03f9434609d7a36a Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Wed, 22 May 2024 14:21:16 +0200
Subject: [PATCH] MEDIUM: config: prevent communication with privileged ports

This commit introduces a new global setting named
harden.reject_privileged_ports.{tcp|quic}. When active, communications
with clients which use privileged source ports are forbidden. Such
behavior is considered suspicious as it can be used as spoofing or
DNS/NTP amplication attack.

Value is configured per transport protocol. For each TCP and QUIC
distinct code locations are impacted by this setting. The first one is
in sock_accept_conn() which acts as a filter for all TCP based
communications just after accept() returns a new connection. The second
one is dedicated for QUIC communication in quic_recv(). In both cases,
if a privileged source port is used and setting is disabled, received
message is silently dropped.

By default, protection are disabled for both protocols. This is to be
able to backport it without breaking changes on stable release.

This should be backported as it is an interesting security feature yet
relatively simple to implement.
---
 doc/configuration.txt        |  8 ++++++
 include/haproxy/global-t.h   |  2 ++
 include/haproxy/protocol-t.h | 11 ++++++++
 include/haproxy/tools.h      | 16 +++++++++++
 src/cfgparse-global.c        | 51 ++++++++++++++++++++++++++++++++++++
 src/haproxy.c                |  2 ++
 src/quic_sock.c              |  6 +++++
 src/sock.c                   |  4 +++
 8 files changed, 100 insertions(+)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 804a77e98..ef0cf8ea2 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1276,6 +1276,8 @@ The following keywords are supported in the "global" section :
    - h1-case-adjust-file
    - h2-workaround-bogus-websocket-clients
    - hard-stop-after
+   - harden.reject-privileged-ports.tcp
+   - harden.reject-privileged-ports.quic
    - insecure-fork-wanted
    - insecure-setuid-wanted
    - issuers-chain-path
@@ -1944,6 +1946,12 @@ hard-stop-after <time>
 
   See also: grace
 
+harden.reject-privileged-ports.tcp { on | off }
+harden.reject-privileged-ports.quic { on | off }
+  Toggle per protocol protection which forbid communication with clients which
+  use privileged ports as their source port. This range of ports is defined
+  according to RFC 6335. Protection is inactive by default on both protocols.
+
 http-err-codes [+-]<range>[,...] [...]
   Replace, reduce or extend the list of status codes that define an error as
   considered by the termination codes and the "http_err_cnt" counter in stick
diff --git a/include/haproxy/global-t.h b/include/haproxy/global-t.h
index f38c28eae..7665ef24d 100644
--- a/include/haproxy/global-t.h
+++ b/include/haproxy/global-t.h
@@ -216,6 +216,8 @@ struct global {
 	int numa_cpu_mapping;
 	int thread_limit;               /* hard limit on the number of threads */
 	int prealloc_fd;
+	uchar clt_privileged_ports;     /* bitmask to allow client privileged ports exchanges per protocol */
+	/* 3-bytes hole */
 	int cfg_curr_line;              /* line number currently being parsed */
 	const char *cfg_curr_file;      /* config file currently being parsed or NULL */
 	char *cfg_curr_section;         /* config section name currently being parsed or NULL */
diff --git a/include/haproxy/protocol-t.h b/include/haproxy/protocol-t.h
index b85f29cc0..0c5bd9e1c 100644
--- a/include/haproxy/protocol-t.h
+++ b/include/haproxy/protocol-t.h
@@ -138,6 +138,17 @@ struct protocol {
 	struct list list;				/* list of registered protocols (under proto_lock) */
 };
 
+/* Transport protocol identifiers which can be used as masked values. */
+enum ha_proto {
+	HA_PROTO_NONE = 0x00,
+
+	HA_PROTO_TCP  = 0x01,
+	HA_PROTO_UDP  = 0x02,
+	HA_PROTO_QUIC = 0x04,
+
+	HA_PROTO_ANY  = 0xff,
+};
+
 #endif /* _HAPROXY_PROTOCOL_T_H */
 
 /*
diff --git a/include/haproxy/tools.h b/include/haproxy/tools.h
index fc1b576f3..937adaaf7 100644
--- a/include/haproxy/tools.h
+++ b/include/haproxy/tools.h
@@ -42,6 +42,7 @@
 #include <haproxy/api.h>
 #include <haproxy/chunk.h>
 #include <haproxy/intops.h>
+#include <haproxy/global.h>
 #include <haproxy/namespace-t.h>
 #include <haproxy/protocol-t.h>
 #include <haproxy/tools-t.h>
@@ -781,6 +782,21 @@ static inline int set_host_port(struct sockaddr_storage *addr, int port)
 	return 0;
 }
 
+/* Returns true if <addr> port is forbidden as client source using <proto>. */
+static inline int port_is_restricted(const struct sockaddr_storage *addr,
+                                     enum ha_proto proto)
+{
+	const uint16_t port = get_host_port(addr);
+
+	BUG_ON_HOT(proto != HA_PROTO_TCP && proto != HA_PROTO_QUIC);
+
+	/* RFC 6335 6. Port Number Ranges */
+	if (unlikely(port < 1024 && port > 0))
+		return !(global.clt_privileged_ports & proto);
+
+	return 0;
+}
+
 /* Convert mask from bit length form to in_addr form.
  * This function never fails.
  */
diff --git a/src/cfgparse-global.c b/src/cfgparse-global.c
index d93d5ffb4..452c0e545 100644
--- a/src/cfgparse-global.c
+++ b/src/cfgparse-global.c
@@ -1376,8 +1376,59 @@ static int cfg_parse_prealloc_fd(char **args, int section_type, struct proxy *cu
 	return 0;
 }
 
+/* Parser for harden.reject-privileged-ports.{tcp|quic}. */
+static int cfg_parse_reject_privileged_ports(char **args, int section_type,
+                                             struct proxy *curpx,
+                                             const struct proxy *defpx,
+                                             const char *file, int line, char **err)
+{
+	struct ist proto;
+	char onoff;
+
+	if (!*(args[1])) {
+		memprintf(err, "'%s' expects either 'on' or 'off'.", args[0]);
+		return -1;
+	}
+
+	proto = ist(args[0]);
+	while (istlen(istfind(proto, '.')))
+		proto = istadv(istfind(proto, '.'), 1);
+
+	if (strcmp(args[1], "on") == 0) {
+		onoff = 1;
+	}
+	else if (strcmp(args[1], "off") == 0) {
+		onoff = 0;
+	}
+	else {
+		memprintf(err, "'%s' expects either 'on' or 'off'.", args[0]);
+		return -1;
+	}
+
+	if (istmatch(proto, ist("tcp"))) {
+		if (!onoff)
+			global.clt_privileged_ports |= HA_PROTO_TCP;
+		else
+			global.clt_privileged_ports &= ~HA_PROTO_TCP;
+	}
+	else if (istmatch(proto, ist("quic"))) {
+		if (!onoff)
+			global.clt_privileged_ports |= HA_PROTO_QUIC;
+		else
+			global.clt_privileged_ports &= ~HA_PROTO_QUIC;
+	}
+	else {
+		memprintf(err, "invalid protocol for '%s'.", args[0]);
+		return -1;
+	}
+
+	return 0;
+}
+
 static struct cfg_kw_list cfg_kws = {ILH, {
 	{ CFG_GLOBAL, "prealloc-fd", cfg_parse_prealloc_fd },
+	{ CFG_GLOBAL, "harden.reject-privileged-ports.tcp",  cfg_parse_reject_privileged_ports },
+	{ CFG_GLOBAL, "harden.reject-privileged-ports.quic", cfg_parse_reject_privileged_ports },
 	{ 0, NULL, NULL },
 }};
 
diff --git a/src/haproxy.c b/src/haproxy.c
index 90db4e798..30df816ff 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -210,6 +210,8 @@ struct global global = {
 	.maxsslconn = DEFAULT_MAXSSLCONN,
 #endif
 #endif
+	/* by default do not protect against clients using privileged port */
+	.clt_privileged_ports = HA_PROTO_ANY,
 	/* others NULL OK */
 };
 
diff --git a/src/quic_sock.c b/src/quic_sock.c
index 31ba2497d..b21fe8cac 100644
--- a/src/quic_sock.c
+++ b/src/quic_sock.c
@@ -29,6 +29,7 @@
 #include <haproxy/listener.h>
 #include <haproxy/log.h>
 #include <haproxy/pool.h>
+#include <haproxy/protocol-t.h>
 #include <haproxy/proto_quic.h>
 #include <haproxy/proxy-t.h>
 #include <haproxy/quic_cid.h>
@@ -393,6 +394,11 @@ static ssize_t quic_recv(int fd, void *out, size_t len,
 	if (ret < 0)
 		goto end;
 
+	if (unlikely(port_is_restricted((struct sockaddr_storage *)from, HA_PROTO_QUIC))) {
+		ret = -1;
+		goto end;
+	}
+
 	for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
 		switch (cmsg->cmsg_level) {
 		case IPPROTO_IP:
diff --git a/src/sock.c b/src/sock.c
index fba92bd7c..df82c6ea7 100644
--- a/src/sock.c
+++ b/src/sock.c
@@ -30,6 +30,7 @@
 #include <haproxy/listener.h>
 #include <haproxy/log.h>
 #include <haproxy/namespace.h>
+#include <haproxy/protocol-t.h>
 #include <haproxy/proto_sockpair.h>
 #include <haproxy/sock.h>
 #include <haproxy/sock_inet.h>
@@ -109,6 +110,9 @@ struct connection *sock_accept_conn(struct listener *l, int *status)
 			goto fail_conn;
 		}
 
+		if (unlikely(port_is_restricted(addr, HA_PROTO_TCP)))
+			goto fail_conn;
+
 		/* Perfect, the connection was accepted */
 		conn = conn_new(&l->obj_type);
 		if (!conn)