diff options
| author | Christian Lachner <gladiac@gmail.com> | 2018-12-13 10:59:51 +0100 |
|---|---|---|
| committer | Christian Lachner <gladiac@gmail.com> | 2018-12-13 10:59:51 +0100 |
| commit | a854729155c248d7fd2d629adf1b5af65946fff9 (patch) | |
| tree | b7ae850ea5734b5aef0958b9f8f36447c99dbd6e /net | |
| parent | 5c823596dd4f51969425b7a39f9b3c2730aa4e72 (diff) | |
haproxy: Update HAProxy to v1.8.15
- Update haproxy download URL and hash
- Removed all obsolete patches
Signed-off-by: Christian Lachner <gladiac@gmail.com>
Diffstat (limited to 'net')
48 files changed, 10 insertions, 2592 deletions
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile index a4a4483b4..1328136a1 100644 --- a/net/haproxy/Makefile +++ b/net/haproxy/Makefile @@ -10,12 +10,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=haproxy -PKG_VERSION:=1.8.14 -PKG_RELEASE:=5 +PKG_VERSION:=1.8.15 +PKG_RELEASE:=1 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.haproxy.org/download/1.8/src/ -PKG_HASH:=b17e402578be85e58af7a3eac99b1f675953bea9f67af2e964cf8bdbd1bd3fdf +PKG_HASH:=7113862f1146d7de8b8e64f45826ab3533c7f7f7b7767e24c08f7c762202a032 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) PKG_LICENSE:=GPL-2.0 diff --git a/net/haproxy/get-latest-patches.sh b/net/haproxy/get-latest-patches.sh index 4612ccdae..39e46a4f3 100755 --- a/net/haproxy/get-latest-patches.sh +++ b/net/haproxy/get-latest-patches.sh @@ -1,7 +1,7 @@ #!/bin/bash CLONEURL=http://git.haproxy.org/git/haproxy-1.8.git -BASE_TAG=v1.8.14 +BASE_TAG=v1.8.15 TMP_REPODIR=tmprepo PATCHESDIR=patches diff --git a/net/haproxy/patches/0000-MINOR-threads-Make-sure-threads_sync_pipe-is-initialized-before-using-it.patch b/net/haproxy/patches/0000-MINOR-threads-Make-sure-threads_sync_pipe-is-initialized-before-using-it.patch deleted file mode 100644 index 00bc94490..000000000 --- a/net/haproxy/patches/0000-MINOR-threads-Make-sure-threads_sync_pipe-is-initialized-before-using-it.patch +++ /dev/null @@ -1,38 +0,0 @@ -commit 14844e448b637fea2770bcb03a43a010c4c8176d -Author: Olivier Houchard <ohouchard@haproxy.com> -Date: Thu Sep 27 14:55:34 2018 +0200 - - MINOR: threads: Make sure threads_sync_pipe is initialized before using it. - - thread_want_sync() might be called before thread_sync_init() was called, - at least when reading the server state file, as apply_server_state() is called - before thread_sync_init(). So make sure the threads_sync_pipe was initialized - before writing to it, if it was not, there's no thread, so no need to sync - anything anyway, and if we don't check it we'll end up writing a 'S' on - stdin. - - this only applies to 1.8. - -diff --git a/src/hathreads.c b/src/hathreads.c -index 97ed31c5..9dba4356 100644 ---- a/src/hathreads.c -+++ b/src/hathreads.c -@@ -28,7 +28,7 @@ void thread_sync_io_handler(int fd) - #ifdef USE_THREAD - - static HA_SPINLOCK_T sync_lock; --static int threads_sync_pipe[2]; -+static int threads_sync_pipe[2] = {-1, -1}; - static unsigned long threads_want_sync = 0; - volatile unsigned long threads_want_rdv_mask = 0; - volatile unsigned long threads_harmless_mask = 0; -@@ -76,7 +76,8 @@ void thread_want_sync() - if (all_threads_mask & (all_threads_mask - 1)) { - if (threads_want_sync & tid_bit) - return; -- if (HA_ATOMIC_OR(&threads_want_sync, tid_bit) == tid_bit) -+ if (HA_ATOMIC_OR(&threads_want_sync, tid_bit) == tid_bit && -+ threads_sync_pipe[1] != -1) - shut_your_big_mouth_gcc(write(threads_sync_pipe[1], "S", 1)); - } - else { diff --git a/net/haproxy/patches/0001-DOC-clarify-force-private-cache-is-an-option.patch b/net/haproxy/patches/0001-DOC-clarify-force-private-cache-is-an-option.patch deleted file mode 100644 index 3358f6337..000000000 --- a/net/haproxy/patches/0001-DOC-clarify-force-private-cache-is-an-option.patch +++ /dev/null @@ -1,39 +0,0 @@ -commit 18aff2297ce844362f28ea5317c289ba154bd33d -Author: Lukas Tribus <lukas@ltri.eu> -Date: Mon Oct 1 02:00:16 2018 +0200 - - DOC: clarify force-private-cache is an option - - "boolean" may confuse users into thinking they need to provide - additional arguments, like false or true. This is a simple option - like many others, so lets not confuse the users with internals. - - Also fixes an additional typo. - - Should be backported to 1.8 and 1.7. - - (cherry picked from commit 2793578eaf934bbf28f742a35f3a1ae656280324) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/doc/configuration.txt b/doc/configuration.txt -index c69033b1..580194ec 100644 ---- a/doc/configuration.txt -+++ b/doc/configuration.txt -@@ -1651,7 +1651,7 @@ tune.ssl.cachesize <number> - this value to 0 disables the SSL session cache. - - tune.ssl.force-private-cache -- This boolean disables SSL session cache sharing between all processes. It -+ This option disables SSL session cache sharing between all processes. It - should normally not be used since it will force many renegotiations due to - clients hitting a random process. But it may be required on some operating - systems where none of the SSL cache synchronization method may be used. In -@@ -6535,7 +6535,7 @@ option smtpchk <hello> <domain> - yes | no | yes | yes - Arguments : - <hello> is an optional argument. It is the "hello" command to use. It can -- be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other -+ be either "HELO" (for SMTP) or "EHLO" (for ESMTP). All other - values will be turned into the default command ("HELO"). - - <domain> is the domain name to present to the server. It may only be diff --git a/net/haproxy/patches/0002-BUG-MINOR-connection-avoid-null-pointer-dereference-in-send-proxy-v2.patch b/net/haproxy/patches/0002-BUG-MINOR-connection-avoid-null-pointer-dereference-in-send-proxy-v2.patch deleted file mode 100644 index 9ab8e34f1..000000000 --- a/net/haproxy/patches/0002-BUG-MINOR-connection-avoid-null-pointer-dereference-in-send-proxy-v2.patch +++ /dev/null @@ -1,47 +0,0 @@ -commit f6d20e718131aa2b468ff0a6c42e20c0b900e58b -Author: Ilya Shipitsin <chipitsine@gmail.com> -Date: Sat Sep 15 00:50:05 2018 +0500 - - BUG/MINOR: connection: avoid null pointer dereference in send-proxy-v2 - - found by coverity. - - [wt: this bug was introduced by commit 404d978 ("MINOR: add ALPN - information to send-proxy-v2"). It might be triggered by a health - check on a server using ppv2 or by an applet making use of such a - server, if at all configurable]. - - This needs to be backported to 1.8. - - (cherry picked from commit ca56fce8bd271928b18d38b439bd35bd273fe8d4) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/connection.c b/src/connection.c -index 8c5af156..7403e8ae 100644 ---- a/src/connection.c -+++ b/src/connection.c -@@ -874,6 +874,7 @@ int conn_recv_netscaler_cip(struct connection *conn, int flag) - return 0; - } - -+/* Note: <remote> is explicitly allowed to be NULL */ - int make_proxy_line(char *buf, int buf_len, struct server *srv, struct connection *remote) - { - int ret = 0; -@@ -985,6 +986,7 @@ static int make_tlv(char *dest, int dest_len, char type, uint16_t length, const - return length + sizeof(*tlv); - } - -+/* Note: <remote> is explicitly allowed to be NULL */ - int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connection *remote) - { - const char pp2_signature[] = PP2_SIGNATURE; -@@ -1060,7 +1062,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec - } - } - -- if (conn_get_alpn(remote, &value, &value_len)) { -+ if (remote && conn_get_alpn(remote, &value, &value_len)) { - if ((buf_len - ret) < sizeof(struct tlv)) - return 0; - ret += make_tlv(&buf[ret], (buf_len - ret), PP2_TYPE_ALPN, value_len, value); diff --git a/net/haproxy/patches/0003-BUG-MINOR-backend-check-that-the-mux-installed-properly.patch b/net/haproxy/patches/0003-BUG-MINOR-backend-check-that-the-mux-installed-properly.patch deleted file mode 100644 index d63a9216c..000000000 --- a/net/haproxy/patches/0003-BUG-MINOR-backend-check-that-the-mux-installed-properly.patch +++ /dev/null @@ -1,43 +0,0 @@ -commit e725a7f9bfd8b7fe2e74c62c7c6bf2b9ebf83772 -Author: Willy Tarreau <w@1wt.eu> -Date: Wed Oct 3 10:20:19 2018 +0200 - - BUG/MINOR: backend: check that the mux installed properly - - The return value from conn_install_mux() was not checked, so if an - inconsistency happens in the code, or a memory allocation fails while - initializing the mux, we can crash while using an uninitialized mux. - In practice the code inconsistency does not really happen since we - cannot configure such a situation, except during development, but - the out of memory condition could definitely happen. - - This should be backported to 1.8 (the code is a bit different there, - there are two calls to conn_install_mux()). - - (cherry picked from commit 33dd4ef81245bb868b22f99b9be45d0791131eec) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - -diff --git a/src/backend.c b/src/backend.c -index 2b6167dc..fc1eac0d 100644 ---- a/src/backend.c -+++ b/src/backend.c -@@ -1163,7 +1163,8 @@ int connect_server(struct stream *s) - if (srv) { - conn_prepare(srv_conn, protocol_by_family(srv_conn->addr.to.ss_family), srv->xprt); - /* XXX: Pick the right mux, when we finally have one */ -- conn_install_mux(srv_conn, &mux_pt_ops, srv_cs); -+ if (conn_install_mux(srv_conn, &mux_pt_ops, srv_cs) < 0) -+ return SF_ERR_INTERNAL; - } - else if (obj_type(s->target) == OBJ_TYPE_PROXY) { - /* proxies exclusively run on raw_sock right now */ -@@ -1171,7 +1172,8 @@ int connect_server(struct stream *s) - if (!objt_cs(s->si[1].end) || !objt_cs(s->si[1].end)->conn->ctrl) - return SF_ERR_INTERNAL; - /* XXX: Pick the right mux, when we finally have one */ -- conn_install_mux(srv_conn, &mux_pt_ops, srv_cs); -+ if (conn_install_mux(srv_conn, &mux_pt_ops, srv_cs) < 0) -+ return SF_ERR_INTERNAL; - } - else - return SF_ERR_INTERNAL; /* how did we get there ? */ diff --git a/net/haproxy/patches/0004-BUG-MEDIUM-buffers-Make-sure-we-dont-wrap-in-buffer_insert_line2-replace2.patch b/net/haproxy/patches/0004-BUG-MEDIUM-buffers-Make-sure-we-dont-wrap-in-buffer_insert_line2-replace2.patch deleted file mode 100644 index e365cd5c8..000000000 --- a/net/haproxy/patches/0004-BUG-MEDIUM-buffers-Make-sure-we-dont-wrap-in-buffer_insert_line2-replace2.patch +++ /dev/null @@ -1,40 +0,0 @@ -commit 45e9f3c660c872e93588cf1c0b74c192f2c8c3d5 -Author: Olivier Houchard <ohouchard@haproxy.com> -Date: Wed Sep 26 15:09:58 2018 +0200 - - BUG/MEDIUM: buffers: Make sure we don't wrap in buffer_insert_line2/replace2. - - In buffer_insert_line2() and buffer_replace2(), we can't afford to wrap, - so don't use b_tail to check if we do, directly use b->p + b->i instead. - - This should be backported to previous versions. - - (cherry picked from commit 363c745569b6ffd8f095d2b7758131d08aa27219) - Signed-off-by: Christopher Faulet <cfaulet@haproxy.com> - - [cf: This patch was adapted and its commit message too. Because of the - refactoring of the buffer's API in 1.9, the original patch fixes same bug in - ci_insert_line2/b_rep_blk.] - -diff --git a/src/buffer.c b/src/buffer.c -index 167b75ae..6ad38a02 100644 ---- a/src/buffer.c -+++ b/src/buffer.c -@@ -107,7 +107,7 @@ int buffer_replace2(struct buffer *b, char *pos, char *end, const char *str, int - - delta = len - (end - pos); - -- if (bi_end(b) + delta > b->data + b->size) -+ if (b->p + b->i + delta > b->data + b->size) - return 0; /* no space left */ - - if (buffer_not_empty(b) && -@@ -146,7 +146,7 @@ int buffer_insert_line2(struct buffer *b, char *pos, const char *str, int len) - - delta = len + 2; - -- if (bi_end(b) + delta >= b->data + b->size) -+ if (b->p + b->i + delta >= b->data + b->size) - return 0; /* no space left */ - - if (buffer_not_empty(b) && diff --git a/net/haproxy/patches/0005-MEDIUM-ssl-add-support-for-ciphersuites-option-for-TLSv1-3.patch b/net/haproxy/patches/0005-MEDIUM-ssl-add-support-for-ciphersuites-option-for-TLSv1-3.patch deleted file mode 100644 index ac2cd136f..000000000 --- a/net/haproxy/patches/0005-MEDIUM-ssl-add-support-for-ciphersuites-option-for-TLSv1-3.patch +++ /dev/null @@ -1,473 +0,0 @@ -commit 4be76416751aa22992a44f2f5cfdba506809fd89 -Author: Dirkjan Bussink <d.bussink@gmail.com> -Date: Fri Sep 14 11:14:21 2018 +0200 - - MEDIUM: ssl: add support for ciphersuites option for TLSv1.3 - - OpenSSL released support for TLSv1.3. It also added a separate function - SSL_CTX_set_ciphersuites that is used to set the ciphers used in the - TLS 1.3 handshake. This change adds support for that new configuration - option by adding a ciphersuites configuration variable that works - essentially the same as the existing ciphers setting. - - Note that it should likely be backported to 1.8 in order to ease usage - of the now released openssl-1.1.1. - - (cherry picked from commit 415150f7640b06740fa832363d186c5c6565338e) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/doc/configuration.txt b/doc/configuration.txt -index 580194ec..7a268386 100644 ---- a/doc/configuration.txt -+++ b/doc/configuration.txt -@@ -580,8 +580,10 @@ The following keywords are supported in the "global" section : - - setenv - - stats - - ssl-default-bind-ciphers -+ - ssl-default-bind-ciphersuites - - ssl-default-bind-options - - ssl-default-server-ciphers -+ - ssl-default-server-ciphersuites - - ssl-default-server-options - - ssl-dh-param-file - - ssl-server-verify -@@ -984,11 +986,25 @@ setenv <name> <value> - ssl-default-bind-ciphers <ciphers> - This setting is only available when support for OpenSSL was built in. It sets - the default string describing the list of cipher algorithms ("cipher suite") -- that are negotiated during the SSL/TLS handshake for all "bind" lines which -- do not explicitly define theirs. The format of the string is defined in -- "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such -- as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the -- "bind" keyword for more information. -+ that are negotiated during the SSL/TLS handshake except for TLSv1.3 for all -+ "bind" lines which do not explicitly define theirs. The format of the string -+ is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance -+ a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). For -+ TLSv1.3 cipher configuration, please check the "ssl-default-bind-ciphersuites" -+ keyword. Please check the "bind" keyword for more information. -+ -+ssl-default-bind-ciphersuites <ciphersuites> -+ This setting is only available when support for OpenSSL was built in and -+ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string -+ describing the list of cipher algorithms ("cipher suite") that are negotiated -+ during the TLSv1.3 handshake for all "bind" lines which do not explicitly define -+ theirs. The format of the string is defined in -+ "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites", and can -+ be for instance a string such as -+ "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" -+ (without quotes). For cipher configuration for TLSv1.2 and earlier, please check -+ the "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more -+ information. - - ssl-default-bind-options [<option>]... - This setting is only available when support for OpenSSL was built in. It sets -@@ -1002,10 +1018,21 @@ ssl-default-bind-options [<option>]... - ssl-default-server-ciphers <ciphers> - This setting is only available when support for OpenSSL was built in. It - sets the default string describing the list of cipher algorithms that are -- negotiated during the SSL/TLS handshake with the server, for all "server" -- lines which do not explicitly define theirs. The format of the string is -- defined in "man 1 ciphers". Please check the "server" keyword for more -- information. -+ negotiated during the SSL/TLS handshake except for TLSv1.3 with the server, -+ for all "server" lines which do not explicitly define theirs. The format of -+ the string is defined in "man 1 ciphers". For TLSv1.3 cipher configuration, -+ please check the "ssl-default-server-ciphersuites" keyword. Please check the -+ "server" keyword for more information. -+ -+ssl-default-server-ciphersuites <ciphersuites> -+ This setting is only available when support for OpenSSL was built in and -+ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default -+ string describing the list of cipher algorithms that are negotiated during -+ the TLSv1.3 handshake with the server, for all "server" lines which do not -+ explicitly define theirs. The format of the string is defined in -+ "man 1 ciphers" under the "ciphersuites" section. For cipher configuration for -+ TLSv1.2 and earlier, please check the "ssl-default-server-ciphers" keyword. -+ Please check the "server" keyword for more information. - - ssl-default-server-options [<option>]... - This setting is only available when support for OpenSSL was built in. It sets -@@ -10510,13 +10537,26 @@ ca-sign-pass <passphrase> - ciphers <ciphers> - This setting is only available when support for OpenSSL was built in. It sets - the string describing the list of cipher algorithms ("cipher suite") that are -- negotiated during the SSL/TLS handshake. The format of the string is defined -- in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string -- such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). -- Depending on the compatibility and security requirements, the list of suitable -- ciphers depends on a variety of variables. For background information and -- recommendations see e. g. (https://wiki.mozilla.org/Security/Server_Side_TLS) -- and (https://mozilla.github.io/server-side-tls/ssl-config-generator/). -+ negotiated during the SSL/TLS handshake except for TLSv1.3. The format of the -+ string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for -+ instance a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without -+ quotes). Depending on the compatibility and security requirements, the list -+ of suitable ciphers depends on a variety of variables. For background -+ information and recommendations see e.g. -+ (https://wiki.mozilla.org/Security/Server_Side_TLS) and -+ (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3 -+ cipher configuration, please check the "ciphersuites" keyword. -+ -+ciphersuites <ciphersuites> -+ This setting is only available when support for OpenSSL was built in and -+ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the string describing -+ the list of cipher algorithms ("cipher suite") that are negotiated during the -+ TLSv1.3 handshake. The format of the string is defined in "man 1 ciphers" from -+ OpenSSL man pages under the "ciphersuites" section, and can be for instance a -+ string such as -+ "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" -+ (without quotes). For cipher configuration for TLSv1.2 and earlier, please check -+ the "ciphers" keyword. - - crl-file <crlfile> - This setting is only available when support for OpenSSL was built in. It -@@ -11226,8 +11266,9 @@ check-ssl - this option. - - ciphers <ciphers> -- This option sets the string describing the list of cipher algorithms that is -- is negotiated during the SSL/TLS handshake with the server. The format of the -+ This setting is only available when support for OpenSSL was built in. This -+ option sets the string describing the list of cipher algorithms that is -+ negotiated during the SSL/TLS handshake with the server. The format of the - string is defined in "man 1 ciphers". When SSL is used to communicate with - servers on the local network, it is common to see a weaker set of algorithms - than what is used over the internet. Doing so reduces CPU usage on both the -@@ -11235,6 +11276,13 @@ ciphers <ciphers> - Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all - is needed and just connectivity, using DES can be appropriate. - -+ciphersuites <ciphersuites> -+ This setting is only available when support for OpenSSL was built in and -+ OpenSSL 1.1.1 or later was used to build HAProxy. This option sets the string -+ describing the list of cipher algorithms that is negotiated during the TLS -+ 1.3 handshake with the server. The format of the string is defined in -+ "man 1 ciphers" under the "ciphersuites" section. -+ - cookie <value> - The "cookie" parameter sets the cookie value assigned to the server to - <value>. This value will be checked in incoming requests, and the first -diff --git a/include/common/defaults.h b/include/common/defaults.h -index f53c611e..a45ab0da 100644 ---- a/include/common/defaults.h -+++ b/include/common/defaults.h -@@ -234,11 +234,21 @@ - #define CONNECT_DEFAULT_CIPHERS NULL - #endif - -+/* ciphers used as defaults on TLS 1.3 connect */ -+#ifndef CONNECT_DEFAULT_CIPHERSUITES -+#define CONNECT_DEFAULT_CIPHERSUITES NULL -+#endif -+ - /* ciphers used as defaults on listeners */ - #ifndef LISTEN_DEFAULT_CIPHERS - #define LISTEN_DEFAULT_CIPHERS NULL - #endif - -+/* cipher suites used as defaults on TLS 1.3 listeners */ -+#ifndef LISTEN_DEFAULT_CIPHERSUITES -+#define LISTEN_DEFAULT_CIPHERSUITES NULL -+#endif -+ - /* named curve used as defaults for ECDHE ciphers */ - #ifndef ECDHE_DEFAULT_CURVE - #define ECDHE_DEFAULT_CURVE "prime256v1" -diff --git a/include/types/listener.h b/include/types/listener.h -index c55569cd..ea2eadb5 100644 ---- a/include/types/listener.h -+++ b/include/types/listener.h -@@ -128,6 +128,9 @@ struct ssl_bind_conf { - char *ca_file; /* CAfile to use on verify */ - char *crl_file; /* CRLfile to use on verify */ - char *ciphers; /* cipher suite to use if non-null */ -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ char *ciphersuites; /* TLS 1.3 cipher suite to use if non-null */ -+#endif - char *curves; /* curves suite to use for ECDHE */ - char *ecdhe; /* named curve to use for ECDHE */ - struct tls_version_filter ssl_methods; /* ssl methods */ -diff --git a/include/types/server.h b/include/types/server.h -index fd3c8bad..79ae7b72 100644 ---- a/include/types/server.h -+++ b/include/types/server.h -@@ -281,6 +281,9 @@ struct server { - int allocated_size; - } * reused_sess; - char *ciphers; /* cipher suite to use if non-null */ -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ char *ciphersuites; /* TLS 1.3 cipher suite to use if non-null */ -+#endif - int options; /* ssl options */ - int verify; /* verify method (set of SSL_VERIFY_* flags) */ - struct tls_version_filter methods; /* ssl methods */ -diff --git a/src/server.c b/src/server.c -index 842e4149..4941bd03 100644 ---- a/src/server.c -+++ b/src/server.c -@@ -1380,6 +1380,10 @@ static void srv_ssl_settings_cpy(struct server *srv, struct server *src) - srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host); - if (src->ssl_ctx.ciphers != NULL) - srv->ssl_ctx.ciphers = strdup(src->ssl_ctx.ciphers); -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ if (src->ssl_ctx.ciphersuites != NULL) -+ srv->ssl_ctx.ciphersuites = strdup(src->ssl_ctx.ciphersuites); -+#endif - if (src->sni_expr != NULL) - srv->sni_expr = strdup(src->sni_expr); - } -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 08fdffab..2da0df68 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -169,6 +169,10 @@ static struct { - - char *listen_default_ciphers; - char *connect_default_ciphers; -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ char *listen_default_ciphersuites; -+ char *connect_default_ciphersuites; -+#endif - int listen_default_ssloptions; - int connect_default_ssloptions; - struct tls_version_filter listen_default_sslmethods; -@@ -186,6 +190,14 @@ static struct { - #endif - #ifdef CONNECT_DEFAULT_CIPHERS - .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS, -+#endif -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+#ifdef LISTEN_DEFAULT_CIPHERSUITES -+ .listen_default_ciphersuites = LISTEN_DEFAULT_CIPHERSUITES, -+#endif -+#ifdef CONNECT_DEFAULT_CIPHERSUITES -+ .connect_default_ciphersuites = CONNECT_DEFAULT_CIPHERSUITES, -+#endif - #endif - .listen_default_ssloptions = BC_SSL_O_NONE, - .connect_default_ssloptions = SRV_SSL_O_NONE, -@@ -3528,6 +3540,10 @@ void ssl_sock_free_ssl_conf(struct ssl_bind_conf *conf) - conf->crl_file = NULL; - free(conf->ciphers); - conf->ciphers = NULL; -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ free(conf->ciphersuites); -+ conf->ciphersuites = NULL; -+#endif - free(conf->curves); - conf->curves = NULL; - free(conf->ecdhe); -@@ -4061,6 +4077,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_ - int verify = SSL_VERIFY_NONE; - struct ssl_bind_conf __maybe_unused *ssl_conf_cur; - const char *conf_ciphers; -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ const char *conf_ciphersuites; -+#endif - const char *conf_curves = NULL; - - if (ssl_conf) { -@@ -4160,6 +4179,16 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_ - cfgerr++; - } - -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites; -+ if (conf_ciphersuites && -+ !SSL_CTX_set_ciphersuites(ctx, conf_ciphersuites)) { -+ ha_alert("Proxy '%s': unable to set TLS 1.3 cipher suites to '%s' for bind '%s' at [%s:%d].\n", -+ curproxy->id, conf_ciphersuites, bind_conf->arg, bind_conf->file, bind_conf->line); -+ cfgerr++; -+ } -+#endif -+ - #ifndef OPENSSL_NO_DH - /* If tune.ssl.default-dh-param has not been set, - neither has ssl-default-dh-file and no static DH -@@ -4642,6 +4671,16 @@ int ssl_sock_prepare_srv_ctx(struct server *srv) - cfgerr++; - } - -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ if (srv->ssl_ctx.ciphersuites && -+ !SSL_CTX_set_cipher_list(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphersuites)) { -+ ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS 1.3 cipher suites to '%s'.\n", -+ curproxy->id, srv->id, -+ srv->conf.file, srv->conf.line, srv->ssl_ctx.ciphersuites); -+ cfgerr++; -+ } -+#endif -+ - return cfgerr; - } - -@@ -7101,6 +7140,26 @@ static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct - { - return ssl_bind_parse_ciphers(args, cur_arg, px, &conf->ssl_conf, err); - } -+ -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+/* parse the "ciphersuites" bind keyword */ -+static int ssl_bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err) -+{ -+ if (!*args[cur_arg + 1]) { -+ memprintf(err, "'%s' : missing cipher suite", args[cur_arg]); -+ return ERR_ALERT | ERR_FATAL; -+ } -+ -+ free(conf->ciphersuites); -+ conf->ciphersuites = strdup(args[cur_arg + 1]); -+ return 0; -+} -+static int bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err) -+{ -+ return ssl_bind_parse_ciphersuites(args, cur_arg, px, &conf->ssl_conf, err); -+} -+#endif -+ - /* parse the "crt" bind keyword */ - static int bind_parse_crt(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err) - { -@@ -7492,6 +7551,10 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin - - if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers) - conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers); -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ if (global_ssl.listen_default_ciphersuites && !conf->ssl_conf.ciphersuites) -+ conf->ssl_conf.ciphersuites = strdup(global_ssl.listen_default_ciphersuites); -+#endif - conf->ssl_options |= global_ssl.listen_default_ssloptions; - conf->ssl_conf.ssl_methods.flags |= global_ssl.listen_default_sslmethods.flags; - if (!conf->ssl_conf.ssl_methods.min) -@@ -7689,6 +7752,10 @@ static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, stru - newsrv->check.use_ssl = 1; - if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers) - newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers); -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites) -+ newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites); -+#endif - newsrv->ssl_ctx.options |= global_ssl.connect_default_ssloptions; - newsrv->ssl_ctx.methods.flags |= global_ssl.connect_default_sslmethods.flags; - if (!newsrv->ssl_ctx.methods.min) -@@ -7712,6 +7779,21 @@ static int srv_parse_ciphers(char **args, int *cur_arg, struct proxy *px, struct - return 0; - } - -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+/* parse the "ciphersuites" server keyword */ -+static int srv_parse_ciphersuites(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) -+{ -+ if (!*args[*cur_arg + 1]) { -+ memprintf(err, "'%s' : missing cipher suite", args[*cur_arg]); -+ return ERR_ALERT | ERR_FATAL; -+ } -+ -+ free(newsrv->ssl_ctx.ciphersuites); -+ newsrv->ssl_ctx.ciphersuites = strdup(args[*cur_arg + 1]); -+ return 0; -+} -+#endif -+ - /* parse the "crl-file" server keyword */ - static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err) - { -@@ -7853,6 +7935,10 @@ static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct ser - newsrv->use_ssl = 1; - if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers) - newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers); -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites) -+ newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites); -+#endif - return 0; - } - -@@ -8092,6 +8178,32 @@ static int ssl_parse_global_ciphers(char **args, int section_type, struct proxy - return 0; - } - -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+/* parse the "ssl-default-bind-ciphersuites" / "ssl-default-server-ciphersuites" keywords -+ * in global section. Returns <0 on alert, >0 on warning, 0 on success. -+ */ -+static int ssl_parse_global_ciphersuites(char **args, int section_type, struct proxy *curpx, -+ struct proxy *defpx, const char *file, int line, -+ char **err) -+{ -+ char **target; -+ -+ target = (args[0][12] == 'b') ? &global_ssl.listen_default_ciphersuites : &global_ssl.connect_default_ciphersuites; -+ -+ if (too_many_args(1, args, err, NULL)) -+ return -1; -+ -+ if (*(args[1]) == 0) { -+ memprintf(err, "global statement '%s' expects a cipher suite as an argument.", args[0]); -+ return -1; -+ } -+ -+ free(*target); -+ *target = strdup(args[1]); -+ return 0; -+} -+#endif -+ - /* parse various global tune.ssl settings consisting in positive integers. - * Returns <0 on alert, >0 on warning, 0 on success. - */ -@@ -8599,6 +8711,9 @@ static struct ssl_bind_kw ssl_bind_kws[] = { - { "alpn", ssl_bind_parse_alpn, 1 }, /* set ALPN supported protocols */ - { "ca-file", ssl_bind_parse_ca_file, 1 }, /* set CAfile to process verify on client cert */ - { "ciphers", ssl_bind_parse_ciphers, 1 }, /* set SSL cipher suite */ -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ { "ciphersuites", ssl_bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */ -+#endif - { "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */ - { "curves", ssl_bind_parse_curves, 1 }, /* set SSL curve suite */ - { "ecdhe", ssl_bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */ -@@ -8618,6 +8733,9 @@ static struct bind_kw_list bind_kws = { "SSL", { }, { - { "ca-sign-file", bind_parse_ca_sign_file, 1 }, /* set CAFile used to generate and sign server certs */ - { "ca-sign-pass", bind_parse_ca_sign_pass, 1 }, /* set CAKey passphrase */ - { "ciphers", bind_parse_ciphers, 1 }, /* set SSL cipher suite */ -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ { "ciphersuites", bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */ -+#endif - { "crl-file", bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */ - { "crt", bind_parse_crt, 1 }, /* load SSL certificates from this location */ - { "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */ -@@ -8661,6 +8779,9 @@ static struct srv_kw_list srv_kws = { "SSL", { }, { - { "check-sni", srv_parse_check_sni, 1, 1 }, /* set SNI */ - { "check-ssl", srv_parse_check_ssl, 0, 1 }, /* enable SSL for health checks */ - { "ciphers", srv_parse_ciphers, 1, 1 }, /* select the cipher suite */ -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ { "ciphersuites", srv_parse_ciphersuites, 1, 1 }, /* select the cipher suite */ -+#endif - { "crl-file", srv_parse_crl_file, 1, 1 }, /* set certificate revocation list file use on server cert verify */ - { "crt", srv_parse_crt, 1, 1 }, /* set client certificate */ - { "force-sslv3", srv_parse_tls_method_options, 0, 1 }, /* force SSLv3 */ -@@ -8716,6 +8837,10 @@ static struct cfg_kw_list cfg_kws = {ILH, { - { CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist }, - { CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers }, - { CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers }, -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ { CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites }, -+ { CFG_GLOBAL, "ssl-default-server-ciphersuites", ssl_parse_global_ciphersuites }, -+#endif - { 0, NULL, NULL }, - }}; - -@@ -8793,6 +8918,12 @@ static void __ssl_sock_init(void) - global_ssl.listen_default_ciphers = strdup(global_ssl.listen_default_ciphers); - if (global_ssl.connect_default_ciphers) - global_ssl.connect_default_ciphers = strdup(global_ssl.connect_default_ciphers); -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER) -+ if (global_ssl.listen_default_ciphersuites) -+ global_ssl.listen_default_ciphersuites = strdup(global_ssl.listen_default_ciphersuites); -+ if (global_ssl.connect_default_ciphersuites) -+ global_ssl.connect_default_ciphersuites = strdup(global_ssl.connect_default_ciphersuites); -+#endif - - xprt_register(XPRT_SSL, &ssl_sock); - SSL_library_init(); diff --git a/net/haproxy/patches/0006-BUG-MEDIUM-Cur-CumSslConns-counters-not-threadsafe.patch b/net/haproxy/patches/0006-BUG-MEDIUM-Cur-CumSslConns-counters-not-threadsafe.patch deleted file mode 100644 index 50943bb71..000000000 --- a/net/haproxy/patches/0006-BUG-MEDIUM-Cur-CumSslConns-counters-not-threadsafe.patch +++ /dev/null @@ -1,62 +0,0 @@ -commit 30ba96df349ace825749a57490defeb50001a550 -Author: Emeric Brun <ebrun@haproxy.com> -Date: Wed Oct 10 14:51:02 2018 +0200 - - BUG/MEDIUM: Cur/CumSslConns counters not threadsafe. - - CurSslConns inc/dec operations are not threadsafe. The unsigned CurSslConns - counter can wrap to a negative value. So we could notice connection rejects - because of MaxSslConns limit artificially exceeded. - - CumSslConns inc operation are also not threadsafe so we could miss - some connections and show inconsistenties values compared to CumConns. - - This fix should be backported to v1.8. - - (cherry picked from commit 7ad43e7928c9a61b40332e4d5e9a7ccc33e6b65b) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 2da0df68..6eed8022 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -491,7 +491,7 @@ static void ssl_async_fd_free(int fd) - - /* Now we can safely call SSL_free, no more pending job in engines */ - SSL_free(ssl); -- sslconns--; -+ HA_ATOMIC_SUB(&sslconns, 1); - HA_ATOMIC_SUB(&jobs, 1); - } - /* -@@ -5011,8 +5011,8 @@ static int ssl_sock_init(struct connection *conn) - /* leave init state and start handshake */ - conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN; - -- sslconns++; -- totalsslconns++; -+ HA_ATOMIC_ADD(&sslconns, 1); -+ HA_ATOMIC_ADD(&totalsslconns, 1); - return 0; - } - else if (objt_listener(conn->target)) { -@@ -5062,8 +5062,8 @@ static int ssl_sock_init(struct connection *conn) - conn->flags |= CO_FL_EARLY_SSL_HS; - #endif - -- sslconns++; -- totalsslconns++; -+ HA_ATOMIC_ADD(&sslconns, 1); -+ HA_ATOMIC_ADD(&totalsslconns, 1); - return 0; - } - /* don't know how to handle such a target */ -@@ -5713,7 +5713,7 @@ static void ssl_sock_close(struct connection *conn) { - #endif - SSL_free(conn->xprt_ctx); - conn->xprt_ctx = NULL; -- sslconns--; -+ HA_ATOMIC_SUB(&sslconns, 1); - } - } - diff --git a/net/haproxy/patches/0007-BUG-MINOR-checks-queues-null-deref.patch b/net/haproxy/patches/0007-BUG-MINOR-checks-queues-null-deref.patch deleted file mode 100644 index 76ef68356..000000000 --- a/net/haproxy/patches/0007-BUG-MINOR-checks-queues-null-deref.patch +++ /dev/null @@ -1,33 +0,0 @@ -commit 8a6c4ff3f407b916bc08da4e76ed7813768ac937 -Author: mildis <me@mildis.org> -Date: Tue Oct 2 16:46:34 2018 +0200 - - BUG/MINOR: checks: queues null-deref - - queues can be null if calloc() failed. - Bypass free* calls when calloc did fail. - - (cherry picked from commit 5ab01cb01114065a3573570a48e84815e751bf14) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/checks.c b/src/checks.c -index 098ddecf..74958b2d 100644 ---- a/src/checks.c -+++ b/src/checks.c -@@ -3182,7 +3182,7 @@ int init_email_alert(struct mailers *mls, struct proxy *p, char **err) - - if ((queues = calloc(mls->count, sizeof(*queues))) == NULL) { - memprintf(err, "out of memory while allocating mailer alerts queues"); -- goto error; -+ goto fail_no_queue; - } - - for (mailer = mls->mailer_list; mailer; i++, mailer = mailer->next) { -@@ -3239,6 +3239,7 @@ int init_email_alert(struct mailers *mls, struct proxy *p, char **err) - free_check(check); - } - free(queues); -+ fail_no_queue: - return 1; - } - diff --git a/net/haproxy/patches/0008-BUG-MEDIUM-mworker-segfault-receiving-SIGUSR1-followed-by-SIGTERM.patch b/net/haproxy/patches/0008-BUG-MEDIUM-mworker-segfault-receiving-SIGUSR1-followed-by-SIGTERM.patch deleted file mode 100644 index ed70760e0..000000000 --- a/net/haproxy/patches/0008-BUG-MEDIUM-mworker-segfault-receiving-SIGUSR1-followed-by-SIGTERM.patch +++ /dev/null @@ -1,52 +0,0 @@ -commit df4822ea169adc5c7c987fa077438f0ded1ac39b -Author: Emeric Brun <ebrun@haproxy.com> -Date: Thu Oct 11 15:27:07 2018 +0200 - - BUG/MEDIUM: mworker: segfault receiving SIGUSR1 followed by SIGTERM. - - This bug appeared only if nbthread > 1. Handling the pipe with the - master, multiple threads of the same worker could process the deinit(). - - In addition, deinit() was called while some other threads were still - performing some tasks. - - This patch assign the handler of the pipe with master to only the first - thread and removes the call to deinit() before exiting with an error. - - This patch should be backported in v1.8. - - (cherry picked from commit c8c0ed91cb4436491efd2ce2c4b4b1694aeeccca) - [wt: adjusted context] - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/haproxy.c b/src/haproxy.c -index e0186ff9..1959dd0f 100644 ---- a/src/haproxy.c -+++ b/src/haproxy.c -@@ -2349,7 +2349,13 @@ void mworker_pipe_handler(int fd) - break; - } - -- deinit(); -+ /* At this step the master is down before -+ * this worker perform a 'normal' exit. -+ * So we want to exit with an error but -+ * other threads could currently process -+ * some stuff so we can't perform a clean -+ * deinit(). -+ */ - exit(EXIT_FAILURE); - return; - } -@@ -2364,7 +2370,10 @@ void mworker_pipe_register() - fcntl(mworker_pipe[0], F_SETFL, O_NONBLOCK); - fdtab[mworker_pipe[0]].owner = mworker_pipe; - fdtab[mworker_pipe[0]].iocb = mworker_pipe_handler; -- fd_insert(mworker_pipe[0], MAX_THREADS_MASK); -+ /* In multi-tread, we need only one thread to process -+ * events on the pipe with master -+ */ -+ fd_insert(mworker_pipe[0], 1); - fd_want_recv(mworker_pipe[0]); - } - diff --git a/net/haproxy/patches/0009-BUG-MEDIUM-stream-dont-crash-on-out-of-memory.patch b/net/haproxy/patches/0009-BUG-MEDIUM-stream-dont-crash-on-out-of-memory.patch deleted file mode 100644 index d2e8b6600..000000000 --- a/net/haproxy/patches/0009-BUG-MEDIUM-stream-dont-crash-on-out-of-memory.patch +++ /dev/null @@ -1,29 +0,0 @@ -commit 4bf6d76a22b9b601fd57df4aa0f4fba62733cb07 -Author: Willy Tarreau <w@1wt.eu> -Date: Mon Oct 15 11:08:55 2018 +0200 - - BUG/MEDIUM: stream: don't crash on out-of-memory - - In case pool_alloc() fails in stream_new(), we try to detach the stream - from the list before it has been added, dereferencing a NULL. In order - to fix it, simply move the LIST_DEL call upwards. - - This must be backported to 1.8. - - (cherry picked from commit e5f229e6392fd54aaba7fe58f457723c16b9d15f) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/stream.c b/src/stream.c -index 11c9dbf3..ef7cff5c 100644 ---- a/src/stream.c -+++ b/src/stream.c -@@ -282,8 +282,8 @@ struct stream *stream_new(struct session *sess, enum obj_type *origin) - out_fail_accept: - flt_stream_release(s, 0); - task_free(t); -- out_fail_alloc: - LIST_DEL(&s->list); -+ out_fail_alloc: - pool_free(pool_head_stream, s); - return NULL; - } diff --git a/net/haproxy/patches/0045-deprecated-openssl.patch b/net/haproxy/patches/001-deprecated-openssl.patch index a6f4b16fa..cd1950c66 100644 --- a/net/haproxy/patches/0045-deprecated-openssl.patch +++ b/net/haproxy/patches/001-deprecated-openssl.patch @@ -40,7 +40,7 @@ index cfbc38b..025a144 100644 return 0; } -@@ -1702,8 +1706,13 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL +@@ -1711,8 +1715,13 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL ASN1_INTEGER_set(X509_get_serialNumber(newcrt), HA_ATOMIC_ADD(&ssl_ctx_serial, 1)); /* Set duration for the certificate */ @@ -54,7 +54,7 @@ index cfbc38b..025a144 100644 goto mkcert_error; /* set public key in the certificate */ -@@ -6276,7 +6285,11 @@ smp_fetch_ssl_x_notafter(const struct arg *args, struct sample *smp, const char +@@ -6285,7 +6294,11 @@ smp_fetch_ssl_x_notafter(const struct arg *args, struct sample *smp, const char goto out; smp_trash = get_trash_chunk(); @@ -66,7 +66,7 @@ index cfbc38b..025a144 100644 goto out; smp->data.u.str = *smp_trash; -@@ -6376,7 +6389,11 @@ smp_fetch_ssl_x_notbefore(const struct arg *args, struct sample *smp, const char +@@ -6385,7 +6398,11 @@ smp_fetch_ssl_x_notbefore(const struct arg *args, struct sample *smp, const char goto out; smp_trash = get_trash_chunk(); @@ -78,7 +78,7 @@ index cfbc38b..025a144 100644 goto out; smp->data.u.str = *smp_trash; -@@ -8926,7 +8943,11 @@ static void __ssl_sock_init(void) +@@ -8935,7 +8952,11 @@ static void __ssl_sock_init(void) #endif xprt_register(XPRT_SSL, &ssl_sock); @@ -90,7 +90,7 @@ index cfbc38b..025a144 100644 cm = SSL_COMP_get_compression_methods(); sk_SSL_COMP_zero(cm); #ifdef USE_THREAD -@@ -8958,8 +8979,13 @@ static void __ssl_sock_init(void) +@@ -8967,8 +8988,13 @@ static void __ssl_sock_init(void) #else /* OPENSSL_IS_BORINGSSL */ OPENSSL_VERSION_TEXT "\nRunning on OpenSSL version : %s%s", @@ -104,7 +104,7 @@ index cfbc38b..025a144 100644 #endif memprintf(&ptr, "%s\nOpenSSL library supports TLS extensions : " #if OPENSSL_VERSION_NUMBER < 0x00907000L -@@ -9051,11 +9077,14 @@ static void __ssl_sock_deinit(void) +@@ -9060,11 +9086,14 @@ static void __ssl_sock_deinit(void) #endif ERR_remove_state(0); diff --git a/net/haproxy/patches/0010-BUILD-ssl-fix-null-deref-warning-in-ssl_fc_cipherlist_str-sample-fetch.patch b/net/haproxy/patches/0010-BUILD-ssl-fix-null-deref-warning-in-ssl_fc_cipherlist_str-sample-fetch.patch deleted file mode 100644 index 5279e52a3..000000000 --- a/net/haproxy/patches/0010-BUILD-ssl-fix-null-deref-warning-in-ssl_fc_cipherlist_str-sample-fetch.patch +++ /dev/null @@ -1,29 +0,0 @@ -commit d332b12b262ad7df1c8bdda52dad100f40399d24 -Author: Willy Tarreau <w@1wt.eu> -Date: Mon Oct 15 11:01:59 2018 +0200 - - BUILD: ssl: fix null-deref warning in ssl_fc_cipherlist_str sample fetch - - Gcc 6.4 detects a potential null-deref warning in smp_fetch_ssl_fc_cl_str(). - This one is not real since already addressed a few lines above. Let's use - __objt_conn() instead of objt_conn() to avoid the extra test that confuses - it. - - This could be backported to 1.8. - - (cherry picked from commit b729077710b14c75936909409e27a4fa0badcb54) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 6eed8022..4577fef4 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -6929,7 +6929,7 @@ smp_fetch_ssl_fc_cl_str(const struct arg *args, struct sample *smp, const char * - #if defined(OPENSSL_IS_BORINGSSL) - cipher = SSL_get_cipher_by_value(id); - #else -- struct connection *conn = objt_conn(smp->sess->origin); -+ struct connection *conn = __objt_conn(smp->sess->origin); - cipher = SSL_CIPHER_find(conn->xprt_ctx, bin); - #endif - str = SSL_CIPHER_get_name(cipher); diff --git a/net/haproxy/patches/0011-BUILD-ssl-fix-another-null-deref-warning-in-ssl_sock_switchctx_cbk.patch b/net/haproxy/patches/0011-BUILD-ssl-fix-another-null-deref-warning-in-ssl_sock_switchctx_cbk.patch deleted file mode 100644 index 29e87dd13..000000000 --- a/net/haproxy/patches/0011-BUILD-ssl-fix-another-null-deref-warning-in-ssl_sock_switchctx_cbk.patch +++ /dev/null @@ -1,28 +0,0 @@ -commit 892c21240adb9ac230d4bd27cc8be4767b4902aa -Author: Willy Tarreau <w@1wt.eu> -Date: Mon Oct 15 13:20:07 2018 +0200 - - BUILD: ssl: fix another null-deref warning in ssl_sock_switchctx_cbk() - - This null-deref cannot happen either as there necesarily is a listener - where this function is called. Let's use __objt_listener() to address - this. - - This may be backported to 1.8. - - (cherry picked from commit a8825520b785d592467c45e183ad8213cb7bf891) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index 4577fef4..cfbc38b7 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -2113,7 +2113,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg) - int i; - - conn = SSL_get_ex_data(ssl, ssl_app_data_index); -- s = objt_listener(conn->target)->bind_conf; -+ s = __objt_listener(conn->target)->bind_conf; - - if (s->ssl_conf.early_data) - allow_early = 1; diff --git a/net/haproxy/patches/0012-BUILD-stick-table-make-sure-not-to-fail-on-task_new-during-initialization.patch b/net/haproxy/patches/0012-BUILD-stick-table-make-sure-not-to-fail-on-task_new-during-initialization.patch deleted file mode 100644 index 67e0436e5..000000000 --- a/net/haproxy/patches/0012-BUILD-stick-table-make-sure-not-to-fail-on-task_new-during-initialization.patch +++ /dev/null @@ -1,26 +0,0 @@ -commit eb72c1faedc39c68fb1246ea8a97d1f96831756c -Author: Willy Tarreau <w@1wt.eu> -Date: Mon Oct 15 11:12:15 2018 +0200 - - BUILD: stick-table: make sure not to fail on task_new() during initialization - - Gcc reports a potential null-deref error in the stick-table init code. - While not critical there, it's trivial to fix. This check has been - missing since 1.4 so this fix can be backported to all supported versions. - - (cherry picked from commit 848522f05df9e60eea9274e11f1e9fcd19594a5c) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/stick_table.c b/src/stick_table.c -index 5a2f1295..653a1ffb 100644 ---- a/src/stick_table.c -+++ b/src/stick_table.c -@@ -602,6 +602,8 @@ int stktable_init(struct stktable *t) - t->exp_next = TICK_ETERNITY; - if ( t->expire ) { - t->exp_task = task_new(MAX_THREADS_MASK); -+ if (!t->exp_task) -+ return 0; - t->exp_task->process = process_table_expire; - t->exp_task->context = (void *)t; - } diff --git a/net/haproxy/patches/0013-BUILD-peers-check-allocation-error-during-peers_init_sync.patch b/net/haproxy/patches/0013-BUILD-peers-check-allocation-error-during-peers_init_sync.patch deleted file mode 100644 index 48cbf64a1..000000000 --- a/net/haproxy/patches/0013-BUILD-peers-check-allocation-error-during-peers_init_sync.patch +++ /dev/null @@ -1,77 +0,0 @@ -commit d28afe3631e20a9fcca47efde031d62e501eff48 -Author: Willy Tarreau <w@1wt.eu> -Date: Mon Oct 15 11:18:03 2018 +0200 - - BUILD: peers: check allocation error during peers_init_sync() - - peers_init_sync() doesn't check task_new()'s return value and doesn't - return any result to indicate success or failure. Let's make it return - an int and check it from the caller. - - This can be backported as far as 1.6. - - (cherry picked from commit d944344f01d9ea914d94c45f6ac7c224c6143fc9) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/include/proto/peers.h b/include/proto/peers.h -index 782b66e4..9d4aaff2 100644 ---- a/include/proto/peers.h -+++ b/include/proto/peers.h -@@ -28,7 +28,7 @@ - #include <types/stream.h> - #include <types/peers.h> - --void peers_init_sync(struct peers *peers); -+int peers_init_sync(struct peers *peers); - void peers_register_table(struct peers *, struct stktable *table); - void peers_setup_frontend(struct proxy *fe); - -diff --git a/src/cfgparse.c b/src/cfgparse.c -index d1474d4b..7414b60d 100644 ---- a/src/cfgparse.c -+++ b/src/cfgparse.c -@@ -9111,7 +9111,12 @@ out_uri_auth_compat: - curpeers->peers_fe = NULL; - } - else { -- peers_init_sync(curpeers); -+ if (!peers_init_sync(curpeers)) { -+ ha_alert("Peers section '%s': out of memory, giving up on peers.\n", -+ curpeers->id); -+ cfgerr++; -+ break; -+ } - last = &curpeers->next; - continue; - } -diff --git a/src/peers.c b/src/peers.c -index c56ed3af..0cd56da3 100644 ---- a/src/peers.c -+++ b/src/peers.c -@@ -2159,9 +2159,9 @@ static struct task *process_peer_sync(struct task * task) - - - /* -- * -+ * returns 0 in case of error. - */ --void peers_init_sync(struct peers *peers) -+int peers_init_sync(struct peers *peers) - { - struct peer * curpeer; - struct listener *listener; -@@ -2173,10 +2173,14 @@ void peers_init_sync(struct peers *peers) - list_for_each_entry(listener, &peers->peers_fe->conf.listeners, by_fe) - listener->maxconn = peers->peers_fe->maxconn; - peers->sync_task = task_new(MAX_THREADS_MASK); -+ if (!peers->sync_task) -+ return 0; -+ - peers->sync_task->process = process_peer_sync; - peers->sync_task->context = (void *)peers; - peers->sighandler = signal_register_task(0, peers->sync_task, 0); - task_wakeup(peers->sync_task, TASK_WOKEN_INIT); -+ return 1; - } - - diff --git a/net/haproxy/patches/0014-DOC-Fix-a-few-typos.patch b/net/haproxy/patches/0014-DOC-Fix-a-few-typos.patch deleted file mode 100644 index 6c8519415..000000000 --- a/net/haproxy/patches/0014-DOC-Fix-a-few-typos.patch +++ /dev/null @@ -1,56 +0,0 @@ -commit c6eb147201c1d05afaadc5fd248b17be91f97331 -Author: Bertrand Jacquin <bertrand@jacquin.bzh> -Date: Sat Oct 13 16:06:18 2018 +0100 - - DOC: Fix a few typos - - these are mostly spelling mistakes, some of them might be candidate for - backporting as well. - - (cherry picked from commit d5e4de8e5f99108e31dc7a23a0e91c4231e37974) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/CONTRIBUTING b/CONTRIBUTING -index b2c2b493..cd97e69b 100644 ---- a/CONTRIBUTING -+++ b/CONTRIBUTING -@@ -309,7 +309,7 @@ do not think about them anymore after a few patches. - A good rule of thumb is that if your identifiers start to contain more than - 3 words or more than 15 characters, they can become confusing. For function - names it's less important especially if these functions are rarely used or -- are used in a complex context where it is important to differenciate between -+ are used in a complex context where it is important to differentiate between - their multiple variants. - - 9) Unified diff only -@@ -318,7 +318,7 @@ do not think about them anymore after a few patches. - that you have committed your patch to a local branch, with an appropriate - subject line and a useful commit message explaining what the patch attempts - to do. It is not strictly required to use git, but what is strictly required -- is to have all these elements in the same mail, easily distinguishible, and -+ is to have all these elements in the same mail, easily distinguishable, and - a patch in "diff -up" format (which is also the format used by Git). This - means the "unified" diff format must be used exclusively, and with the - function name printed in the diff header of each block. That significantly -@@ -761,7 +761,7 @@ sent to the mailing list : haproxy@formilux.org and CCed to relevant subsystem - maintainers or authors of the modified files if their address appears at the - top of the file. - --Please don't send pull-requests, they are really unconvenient. First, a pull -+Please don't send pull-requests, they are really inconvenient. First, a pull - implies a merge operation and the code doesn't move fast enough to justify the - use of merges. Second, pull requests are not easily commented on by the - project's participants, contrary to e-mails where anyone is allowed to have an -diff --git a/include/types/connection.h b/include/types/connection.h -index 5e8af3e7..b9e46048 100644 ---- a/include/types/connection.h -+++ b/include/types/connection.h -@@ -45,7 +45,7 @@ struct server; - struct pipe; - - --/* A connection handle is how we differenciate two connections on the lower -+/* A connection handle is how we differentiate two connections on the lower - * layers. It usually is a file descriptor but can be a connection id. - */ - union conn_handle { diff --git a/net/haproxy/patches/0015-BUG-MEDIUM-threads-fix-thread_release-at-the-end-of-the-rendez-vous-point.patch b/net/haproxy/patches/0015-BUG-MEDIUM-threads-fix-thread_release-at-the-end-of-the-rendez-vous-point.patch deleted file mode 100644 index f7e4ba6fa..000000000 --- a/net/haproxy/patches/0015-BUG-MEDIUM-threads-fix-thread_release-at-the-end-of-the-rendez-vous-point.patch +++ /dev/null @@ -1,36 +0,0 @@ -commit 75795017480da0f0a1157e945043249fe625f92f -Author: Willy Tarreau <w@1wt.eu> -Date: Tue Oct 16 16:11:56 2018 +0200 - - BUG/MEDIUM: threads: fix thread_release() at the end of the rendez-vous point - - There is a bug in this function used to release other threads. It leaves - the current thread marked as harmless. If after this another thread does - a thread_isolate(), but before the first one reaches poll(), the second - thread will believe it's alone while it's not. - - This must be backported to 1.8 since the rendez-vous point was merged - into 1.8.14. - - (cherry picked from commit a9c0252b2e8ff7bb728b84d977ac6e9581ea12f8) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/hathreads.c b/src/hathreads.c -index 9dba4356..0a7c12f7 100644 ---- a/src/hathreads.c -+++ b/src/hathreads.c -@@ -221,12 +221,8 @@ void thread_isolate() - */ - void thread_release() - { -- while (1) { -- HA_ATOMIC_AND(&threads_want_rdv_mask, ~tid_bit); -- if (!(threads_want_rdv_mask & all_threads_mask)) -- break; -- thread_harmless_till_end(); -- } -+ HA_ATOMIC_AND(&threads_want_rdv_mask, ~tid_bit); -+ thread_harmless_end(); - } - - __attribute__((constructor)) diff --git a/net/haproxy/patches/0016-BUG-MEDIUM-threads-make-sure-threads_want_sync-is-marked-volatile.patch b/net/haproxy/patches/0016-BUG-MEDIUM-threads-make-sure-threads_want_sync-is-marked-volatile.patch deleted file mode 100644 index 34e899950..000000000 --- a/net/haproxy/patches/0016-BUG-MEDIUM-threads-make-sure-threads_want_sync-is-marked-volatile.patch +++ /dev/null @@ -1,29 +0,0 @@ -commit 4805c249aabc45cd59386694f962e19ab50e8ca9 -Author: Willy Tarreau <w@1wt.eu> -Date: Tue Oct 16 16:57:40 2018 +0200 - - BUG/MEDIUM: threads: make sure threads_want_sync is marked volatile - - The threads_want_sync variable is not volatile, which allows the compiler - to cache old copies of it for long parts of code and possibly optimize - some tests away. This could result in deadlocks when using heavy queue - activity or health check state changes. - - There is no upstream commit for this fix because the sync point was - completely removed from 1.9. This fix is exclusively for 1.8. - - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/hathreads.c b/src/hathreads.c -index 0a7c12f7..730ebee4 100644 ---- a/src/hathreads.c -+++ b/src/hathreads.c -@@ -29,7 +29,7 @@ void thread_sync_io_handler(int fd) - - static HA_SPINLOCK_T sync_lock; - static int threads_sync_pipe[2] = {-1, -1}; --static unsigned long threads_want_sync = 0; -+volatile static unsigned long threads_want_sync = 0; - volatile unsigned long threads_want_rdv_mask = 0; - volatile unsigned long threads_harmless_mask = 0; - volatile unsigned long all_threads_mask = 1; // nbthread 1 assumed by default diff --git a/net/haproxy/patches/0017-BUILD-compiler-add-a-new-statement-__unreachable.patch b/net/haproxy/patches/0017-BUILD-compiler-add-a-new-statement-__unreachable.patch deleted file mode 100644 index 3ac0edc69..000000000 --- a/net/haproxy/patches/0017-BUILD-compiler-add-a-new-statement-__unreachable.patch +++ /dev/null @@ -1,38 +0,0 @@ -commit d26a40412197ba61a72368c71e8a8582d686d28c -Author: Willy Tarreau <w@1wt.eu> -Date: Mon Oct 15 11:53:34 2018 +0200 - - BUILD: compiler: add a new statement "__unreachable()" - - This statement is used as a hint for the compiler so that it knows that - the location where it's placed cannot be reached. It will mostly be used - after longjmp() or equivalent statements that deal with error processing - and that the compiler doesn't know will not return on certain conditions, - so that it doesn't complain about null dereferences on error paths. - - (cherry picked from commit 8d26f02e693121764bfa0cb48c9a7ab31e17225d) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/include/common/compiler.h b/include/common/compiler.h -index a13aad5c..6f4f5a67 100644 ---- a/include/common/compiler.h -+++ b/include/common/compiler.h -@@ -82,6 +82,18 @@ - */ - #define __maybe_unused __attribute__((unused)) - -+/* This allows gcc to know that some locations are never reached, for example -+ * after a longjmp() in the Lua code, hence that some errors caught by such -+ * methods cannot propagate further. This is important with gcc versions 6 and -+ * above which can more aggressively detect null dereferences. The builtin -+ * below was introduced in gcc 4.5, and before it we didn't care. -+ */ -+#if __GNUC__ >= 5 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) -+#define __unreachable() __builtin_unreachable() -+#else -+#define __unreachable() -+#endif -+ - /* - * Gcc >= 3 provides the ability for the programme to give hints to the - * compiler about what branch of an if is most likely to be taken. This diff --git a/net/haproxy/patches/0018-MINOR-lua-all-functions-calling-lua_yieldk-may-return.patch b/net/haproxy/patches/0018-MINOR-lua-all-functions-calling-lua_yieldk-may-return.patch deleted file mode 100644 index 5f5affc0d..000000000 --- a/net/haproxy/patches/0018-MINOR-lua-all-functions-calling-lua_yieldk-may-return.patch +++ /dev/null @@ -1,304 +0,0 @@ -commit 330e08dfc588dc9b0ad42203123fab6c191ca2f8 -Author: Willy Tarreau <w@1wt.eu> -Date: Tue Oct 16 17:52:55 2018 +0200 - - MINOR: lua: all functions calling lua_yieldk() may return - - There was a mistake when tagging functions which always use longjmp and - those which may use it in that all those supposed to call lua_yieldk() - may return without calling longjmp. Thus they must not use WILL_LJMP() - but MAY_LJMP(). It has zero impact on the code emitted as such, but - prevents other fixes from being properly implemented : this was the - cause of the previous failure with the __unreachable() calls. - - This may be backported to older versions. It may or may not apply - well depending on the context, though the change simply consists in - replacing "WILL_LJMP(hlua_yieldk" with "MAY_LJMP(hlua_yieldk", and - same with the single call to lua_yieldk() in hlua_yieldk(). - - (cherry picked from commit 9635e03c41e95dff38731f67cc9d8b00e3731d2a) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/hlua.c b/src/hlua.c -index 60ba94ea..64102e8a 100644 ---- a/src/hlua.c -+++ b/src/hlua.c -@@ -852,7 +852,7 @@ __LJMP void hlua_yieldk(lua_State *L, int nresults, int ctx, - hlua->flags |= flags; - - /* Process the yield. */ -- WILL_LJMP(lua_yieldk(L, nresults, ctx, k)); -+ MAY_LJMP(lua_yieldk(L, nresults, ctx, k)); - } - - /* This function initialises the Lua environment stored in the stream. -@@ -1003,7 +1003,7 @@ void hlua_hook(lua_State *L, lua_Debug *ar) - * If the state is not yieldable, trying yield causes an error. - */ - if (lua_isyieldable(L)) -- WILL_LJMP(hlua_yieldk(L, 0, 0, NULL, TICK_ETERNITY, HLUA_CTRLYIELD)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, NULL, TICK_ETERNITY, HLUA_CTRLYIELD)); - - /* If we cannot yield, update the clock and check the timeout. */ - tv_update_date(0, 1); -@@ -1883,7 +1883,7 @@ connection_empty: - WILL_LJMP(luaL_error(L, "out of memory")); - } - xref_unlock(&socket->xref, peer); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_receive_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_receive_yield, TICK_ETERNITY, 0)); - return 0; - } - -@@ -2082,7 +2082,7 @@ hlua_socket_write_yield_return: - WILL_LJMP(luaL_error(L, "out of memory")); - } - xref_unlock(&socket->xref, peer); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_write_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_write_yield, TICK_ETERNITY, 0)); - return 0; - } - -@@ -2375,7 +2375,7 @@ __LJMP static int hlua_socket_connect_yield(struct lua_State *L, int status, lua - WILL_LJMP(luaL_error(L, "out of memory error")); - } - xref_unlock(&socket->xref, peer); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0)); - return 0; - } - -@@ -2493,7 +2493,7 @@ __LJMP static int hlua_socket_connect(struct lua_State *L) - task_wakeup(s->task, TASK_WOKEN_INIT); - /* Return yield waiting for connection. */ - -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0)); - - return 0; - } -@@ -2819,7 +2819,7 @@ __LJMP static int hlua_channel_dup_yield(lua_State *L, int status, lua_KContext - chn = MAY_LJMP(hlua_checkchannel(L, 1)); - - if (_hlua_channel_dup(chn, L) == 0) -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_dup_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_dup_yield, TICK_ETERNITY, 0)); - return 1; - } - -@@ -2845,7 +2845,7 @@ __LJMP static int hlua_channel_get_yield(lua_State *L, int status, lua_KContext - - ret = _hlua_channel_dup(chn, L); - if (unlikely(ret == 0)) -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_get_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_get_yield, TICK_ETERNITY, 0)); - - if (unlikely(ret == -1)) - return 1; -@@ -2883,7 +2883,7 @@ __LJMP static int hlua_channel_getline_yield(lua_State *L, int status, lua_KCont - - ret = ci_getline_nc(chn, &blk1, &len1, &blk2, &len2); - if (ret == 0) -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_getline_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_getline_yield, TICK_ETERNITY, 0)); - - if (ret == -1) { - lua_pushnil(L); -@@ -2932,7 +2932,7 @@ __LJMP static int hlua_channel_append_yield(lua_State *L, int status, lua_KConte - */ - if (chn->buf->size == 0) { - si_applet_cant_put(chn_prod(chn)); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0)); - } - - max = channel_recv_limit(chn) - buffer_len(chn->buf); -@@ -2946,7 +2946,7 @@ __LJMP static int hlua_channel_append_yield(lua_State *L, int status, lua_KConte - } - if (ret == -1) { - chn->flags |= CF_WAKE_WRITE; -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0)); - } - l += ret; - lua_pop(L, 1); -@@ -2962,7 +2962,7 @@ __LJMP static int hlua_channel_append_yield(lua_State *L, int status, lua_KConte - return 1; - } - if (l < len) -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0)); - return 1; - } - -@@ -3026,7 +3026,7 @@ __LJMP static int hlua_channel_send_yield(lua_State *L, int status, lua_KContext - */ - if (chn->buf->size == 0) { - si_applet_cant_put(chn_prod(chn)); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0)); - } - - /* the writed data will be immediatly sent, so we can check -@@ -3082,7 +3082,7 @@ __LJMP static int hlua_channel_send_yield(lua_State *L, int status, lua_KContext - HLUA_SET_WAKERESWR(hlua); - else - HLUA_SET_WAKEREQWR(hlua); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0)); - } - - return 1; -@@ -3146,7 +3146,7 @@ __LJMP static int hlua_channel_forward_yield(lua_State *L, int status, lua_KCont - HLUA_SET_WAKEREQWR(hlua); - - /* Otherwise, we can yield waiting for new data in the inpout side. */ -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_forward_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_forward_yield, TICK_ETERNITY, 0)); - } - - return 1; -@@ -3654,7 +3654,7 @@ __LJMP static int hlua_applet_tcp_getline_yield(lua_State *L, int status, lua_KC - /* Data not yet avalaible. return yield. */ - if (ret == 0) { - si_applet_cant_get(si); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_getline_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_getline_yield, TICK_ETERNITY, 0)); - } - - /* End of data: commit the total strings and return. */ -@@ -3709,7 +3709,7 @@ __LJMP static int hlua_applet_tcp_recv_yield(lua_State *L, int status, lua_KCont - /* Data not yet avalaible. return yield. */ - if (ret == 0) { - si_applet_cant_get(si); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0)); - } - - /* End of data: commit the total strings and return. */ -@@ -3732,7 +3732,7 @@ __LJMP static int hlua_applet_tcp_recv_yield(lua_State *L, int status, lua_KCont - luaL_addlstring(&appctx->b, blk2, len2); - co_skip(si_oc(si), len1 + len2); - si_applet_cant_get(si); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0)); - - } else { - -@@ -3756,7 +3756,7 @@ __LJMP static int hlua_applet_tcp_recv_yield(lua_State *L, int status, lua_KCont - lua_pushinteger(L, len); - lua_replace(L, 2); - si_applet_cant_get(si); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0)); - } - - /* return the result. */ -@@ -3825,7 +3825,7 @@ __LJMP static int hlua_applet_tcp_send_yield(lua_State *L, int status, lua_KCont - */ - if (l < len) { - si_applet_cant_put(si); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_send_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_send_yield, TICK_ETERNITY, 0)); - } - - return 1; -@@ -4122,7 +4122,7 @@ __LJMP static int hlua_applet_http_getline_yield(lua_State *L, int status, lua_K - */ - if (ret == -1) { - si_applet_cant_put(si); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0)); - } - appctx->appctx->ctx.hlua_apphttp.flags &= ~APPLET_100C; - } -@@ -4139,7 +4139,7 @@ __LJMP static int hlua_applet_http_getline_yield(lua_State *L, int status, lua_K - /* Data not yet avalaible. return yield. */ - if (ret == 0) { - si_applet_cant_get(si); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0)); - } - - /* End of data: commit the total strings and return. */ -@@ -4208,7 +4208,7 @@ __LJMP static int hlua_applet_http_recv_yield(lua_State *L, int status, lua_KCon - */ - if (ret == -1) { - si_applet_cant_put(si); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0)); - } - appctx->appctx->ctx.hlua_apphttp.flags &= ~APPLET_100C; - } -@@ -4219,7 +4219,7 @@ __LJMP static int hlua_applet_http_recv_yield(lua_State *L, int status, lua_KCon - /* Data not yet avalaible. return yield. */ - if (ret == 0) { - si_applet_cant_get(si); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0)); - } - - /* End of data: commit the total strings and return. */ -@@ -4254,7 +4254,7 @@ __LJMP static int hlua_applet_http_recv_yield(lua_State *L, int status, lua_KCon - lua_pushinteger(L, len); - lua_replace(L, 2); - si_applet_cant_get(si); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0)); - } - - /* return the result. */ -@@ -4320,7 +4320,7 @@ __LJMP static int hlua_applet_http_send_yield(lua_State *L, int status, lua_KCon - */ - if (l < len) { - si_applet_cant_put(si); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_send_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_send_yield, TICK_ETERNITY, 0)); - } - - return 1; -@@ -4460,7 +4460,7 @@ __LJMP static int hlua_applet_http_start_response_yield(lua_State *L, int status - /* If ret is -1, we dont have room in the buffer, so we yield. */ - if (ret == -1) { - si_applet_cant_put(si); -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_start_response_yield, TICK_ETERNITY, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_start_response_yield, TICK_ETERNITY, 0)); - } - - /* Headers sent, set the flag. */ -@@ -5510,7 +5510,7 @@ __LJMP static int hlua_sleep_yield(lua_State *L, int status, lua_KContext ctx) - { - int wakeup_ms = lua_tointeger(L, -1); - if (now_ms < wakeup_ms) -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0)); - return 0; - } - -@@ -5525,7 +5525,7 @@ __LJMP static int hlua_sleep(lua_State *L) - wakeup_ms = tick_add(now_ms, delay); - lua_pushinteger(L, wakeup_ms); - -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0)); - return 0; - } - -@@ -5540,7 +5540,7 @@ __LJMP static int hlua_msleep(lua_State *L) - wakeup_ms = tick_add(now_ms, delay); - lua_pushinteger(L, wakeup_ms); - -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0)); - return 0; - } - -@@ -5555,7 +5555,7 @@ __LJMP static int hlua_yield_yield(lua_State *L, int status, lua_KContext ctx) - - __LJMP static int hlua_yield(lua_State *L) - { -- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_yield_yield, TICK_ETERNITY, HLUA_CTRLYIELD)); -+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_yield_yield, TICK_ETERNITY, HLUA_CTRLYIELD)); - return 0; - } - diff --git a/net/haproxy/patches/0019-BUILD-lua-silence-some-compiler-warnings-about-potential-null-derefs-2.patch b/net/haproxy/patches/0019-BUILD-lua-silence-some-compiler-warnings-about-potential-null-derefs-2.patch deleted file mode 100644 index ca353879b..000000000 --- a/net/haproxy/patches/0019-BUILD-lua-silence-some-compiler-warnings-about-potential-null-derefs-2.patch +++ /dev/null @@ -1,48 +0,0 @@ -commit 8019e88dd1ac73a3baa71e9acfbc1b7a3fbc7442 -Author: Willy Tarreau <w@1wt.eu> -Date: Tue Oct 16 17:37:12 2018 +0200 - - BUILD: lua: silence some compiler warnings about potential null derefs (#2) - - Here we make sure that appctx is always taken from the unchecked value - since we know it's an appctx, which explains why it's immediately - dereferenced. A missing test was added to ensure that task_new() does - not return a NULL. - - This may be backported to 1.8. - - (cherry picked from commit e09101e8d92b0c0ef8674fbc791e309112ab7f1c) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/hlua.c b/src/hlua.c -index 64102e8a..ad9238ef 100644 ---- a/src/hlua.c -+++ b/src/hlua.c -@@ -2361,7 +2361,7 @@ __LJMP static int hlua_socket_connect_yield(struct lua_State *L, int status, lua - return 2; - } - -- appctx = objt_appctx(s->si[0].end); -+ appctx = __objt_appctx(s->si[0].end); - - /* Check for connection established. */ - if (appctx->ctx.hlua_cosocket.connected) { -@@ -2473,7 +2473,7 @@ __LJMP static int hlua_socket_connect(struct lua_State *L) - } - - hlua = hlua_gethlua(L); -- appctx = objt_appctx(s->si[0].end); -+ appctx = __objt_appctx(s->si[0].end); - - /* inform the stream that we want to be notified whenever the - * connection completes. -@@ -5693,6 +5693,9 @@ static int hlua_register_task(lua_State *L) - WILL_LJMP(luaL_error(L, "lua out of memory error.")); - - task = task_new(MAX_THREADS_MASK); -+ if (!task) -+ WILL_LJMP(luaL_error(L, "Lua out of memory error.")); -+ - task->context = hlua; - task->process = hlua_process_task; - diff --git a/net/haproxy/patches/0020-BUILD-lua-silence-some-compiler-warnings-after-WILL_LJMP.patch b/net/haproxy/patches/0020-BUILD-lua-silence-some-compiler-warnings-after-WILL_LJMP.patch deleted file mode 100644 index 21ff9c4bd..000000000 --- a/net/haproxy/patches/0020-BUILD-lua-silence-some-compiler-warnings-after-WILL_LJMP.patch +++ /dev/null @@ -1,39 +0,0 @@ -commit 3f39e1d4b5ca37e57247034421c69bc301d996b2 -Author: Willy Tarreau <w@1wt.eu> -Date: Tue Oct 16 17:57:36 2018 +0200 - - BUILD: lua: silence some compiler warnings after WILL_LJMP - - These ones are on error paths that are properly handled by luaL_error() - which does a longjmp() but the compiler cannot know it. By adding an - __unreachable() statement in WILL_LJMP(), there is no ambiguity anymore. - - This may be backported to 1.8 but these previous patches are needed first : - - BUILD: compiler: add a new statement "__unreachable()" - - MINOR: lua: all functions calling lua_yieldk() may return - - BUILD: lua: silence some compiler warnings about potential null derefs (#2) - - (cherry picked from commit b059b894cdf795f134b6e53ff95ea7f907feb846) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/hlua.c b/src/hlua.c -index ad9238ef..c3bb269a 100644 ---- a/src/hlua.c -+++ b/src/hlua.c -@@ -24,6 +24,7 @@ - #include <ebpttree.h> - - #include <common/cfgparse.h> -+#include <common/compiler.h> - #include <common/xref.h> - #include <common/hathreads.h> - -@@ -63,7 +64,7 @@ - * MAY_LJMP() marks an lua function that may use longjmp. - */ - #define __LJMP --#define WILL_LJMP(func) func -+#define WILL_LJMP(func) do { func; __unreachable(); } while(0) - #define MAY_LJMP(func) func - - /* This couple of function executes securely some Lua calls outside of diff --git a/net/haproxy/patches/0021-CLEANUP-stick-tables-Remove-unneeded-double-around-conditional-clause.patch b/net/haproxy/patches/0021-CLEANUP-stick-tables-Remove-unneeded-double-around-conditional-clause.patch deleted file mode 100644 index a1c1c5c86..000000000 --- a/net/haproxy/patches/0021-CLEANUP-stick-tables-Remove-unneeded-double-around-conditional-clause.patch +++ /dev/null @@ -1,27 +0,0 @@ -commit b884ba5222a765b395e8ac93971639a0452d6422 -Author: Dirkjan Bussink <d.bussink@gmail.com> -Date: Fri Sep 14 14:31:22 2018 +0200 - - CLEANUP: stick-tables: Remove unneeded double (()) around conditional clause - - In the past this conditional had multiple conditionals which is why the - additional parentheses were needed. The conditional was simplified but - the duplicate parentheses were not cleaned up. - - (cherry picked from commit ff57f1bbcf8af1e6389520aa845df5aa97ef55b6) - [wt: fixes build warnings with clang] - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/stick_table.c b/src/stick_table.c -index 653a1ffb..f1442603 100644 ---- a/src/stick_table.c -+++ b/src/stick_table.c -@@ -1860,7 +1860,7 @@ smp_fetch_sc_tracked(const struct arg *args, struct sample *smp, const char *kw, - smp->data.u.sint = !!stkctr; - - /* release the ref count */ -- if ((stkctr == &tmpstkctr)) -+ if (stkctr == &tmpstkctr) - stktable_release(stkctr->table, stkctr_entry(stkctr)); - - return 1; diff --git a/net/haproxy/patches/0022-BUILD-Makefile-add-a-make-opts-target-to-simply-show-the-build-options.patch b/net/haproxy/patches/0022-BUILD-Makefile-add-a-make-opts-target-to-simply-show-the-build-options.patch deleted file mode 100644 index 7904d180e..000000000 --- a/net/haproxy/patches/0022-BUILD-Makefile-add-a-make-opts-target-to-simply-show-the-build-options.patch +++ /dev/null @@ -1,41 +0,0 @@ -commit 0820ab24974cd2bad84c8ec5a90f7ce0e1681cf0 -Author: Willy Tarreau <w@1wt.eu> -Date: Wed Oct 3 09:40:22 2018 +0200 - - BUILD: Makefile: add a "make opts" target to simply show the build options - - We're often missing an easy way to map input variables to output ones. - The "opts" build target will simply show the input variables and the ones - passed to the compiler and linker. This way it's easier to quickly see - what a given build script or package will use, or the detected warnings - supported by the compiler. - - (cherry picked from commit a8b12c6bb73b924f6429c3ae4d20b96992e92c2e) - [wt: this is not needed but significantly helps for packaging] - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/Makefile b/Makefile -index 5d170041..d3615060 100644 ---- a/Makefile -+++ b/Makefile -@@ -996,3 +996,20 @@ update-version: - echo "$(VERSION)" > VERSION - echo "$(SUBVERS)" > SUBVERS - echo "$(VERDATE)" > VERDATE -+ -+# just display the build options -+opts: -+ @echo -n 'Using: ' -+ @echo -n 'TARGET="$(strip $(TARGET))" ' -+ @echo -n 'ARCH="$(strip $(ARCH))" ' -+ @echo -n 'CPU="$(strip $(CPU))" ' -+ @echo -n 'CC="$(strip $(CC))" ' -+ @echo -n 'ARCH_FLAGS="$(strip $(ARCH_FLAGS))" ' -+ @echo -n 'CPU_CFLAGS="$(strip $(CPU_CFLAGS))" ' -+ @echo -n 'DEBUG_CFLAGS="$(strip $(DEBUG_CFLAGS))" ' -+ @echo "$(strip $(BUILD_OPTIONS))" -+ @echo 'COPTS="$(strip $(COPTS))"' -+ @echo 'LDFLAGS="$(strip $(LDFLAGS))"' -+ @echo 'LDOPTS="$(strip $(LDOPTS))"' -+ @echo 'OPTIONS_OBJS="$(strip $(OPTIONS_OBJS))"' -+ @echo 'OBJS="$(strip $(OBJS))"' diff --git a/net/haproxy/patches/0023-BUILD-Makefile-speed-up-compiler-options-detection.patch b/net/haproxy/patches/0023-BUILD-Makefile-speed-up-compiler-options-detection.patch deleted file mode 100644 index c8fcb2203..000000000 --- a/net/haproxy/patches/0023-BUILD-Makefile-speed-up-compiler-options-detection.patch +++ /dev/null @@ -1,38 +0,0 @@ -commit 5df1480da4c4e58830d108f4f0f3347598c55ab3 -Author: Willy Tarreau <w@1wt.eu> -Date: Wed Oct 3 09:52:51 2018 +0200 - - BUILD: Makefile: speed up compiler options detection - - Commits b78016649 and d3a7f4035 brought the ability to detect the build - options and warnings that the compiler supports. However, they're detected - using "$(CC) -c", which is 50% slower than "$(CC) -E" for the same result, - just because it starts the assembler at the end. Given that we're starting - to check for a number of warnings, this detection alone starts to become - visible, taking a bit more than 300 ms on the build time. Let's switch to - -E instead to shrink this incompressible time by roughly 100 ms. - - (cherry picked from commit f11ca5e7a43c772637018ec2ad981a9fd7d3816f) - [wt: only backported for context and consistency with next patch] - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/Makefile b/Makefile -index d3615060..1a971f92 100644 ---- a/Makefile -+++ b/Makefile -@@ -96,13 +96,13 @@ - # Usage: CFLAGS += $(call cc-opt,option). Eg: $(call cc-opt,-fwrapv) - # Note: ensure the referencing variable is assigned using ":=" and not "=" to - # call it only once. --cc-opt = $(shell set -e; if $(CC) $(1) -c -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; fi;) -+cc-opt = $(shell set -e; if $(CC) $(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; fi;) - - # Disable a warning when supported by the compiler. Don't put spaces around the - # warning! And don't use cc-opt which doesn't always report an error until - # another one is also returned. - # Usage: CFLAGS += $(call cc-nowarn,warning). Eg: $(call cc-opt,format-truncation) --cc-nowarn = $(shell set -e; if $(CC) -W$(1) -c -xc - -o /dev/null </dev/null >&0 2>&0; then echo "-Wno-$(1)"; fi;) -+cc-nowarn = $(shell set -e; if $(CC) -W$(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "-Wno-$(1)"; fi;) - - #### Installation options. - DESTDIR = diff --git a/net/haproxy/patches/0024-BUILD-Makefile-silence-an-option-conflict-warning-with-clang.patch b/net/haproxy/patches/0024-BUILD-Makefile-silence-an-option-conflict-warning-with-clang.patch deleted file mode 100644 index 761c10057..000000000 --- a/net/haproxy/patches/0024-BUILD-Makefile-silence-an-option-conflict-warning-with-clang.patch +++ /dev/null @@ -1,38 +0,0 @@ -commit a7e9853db925b12b1d040be8b04bafc11d84d685 -Author: Willy Tarreau <w@1wt.eu> -Date: Tue Oct 16 18:11:34 2018 +0200 - - BUILD: Makefile: silence an option conflict warning with clang - - clang complains that -fno-strict-overflow is not used when -fwrapv is - used, which breaks the build when -Werror is used. Let's introduce a - cc-opt-alt function to emit the former only then the latter is not - supported (since it implies the former). - - (cherry picked from commit 0d7a2ae4f5199ec37ead6914fa24d40ec0989a4d) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/Makefile b/Makefile -index 1a971f92..6ffc1b06 100644 ---- a/Makefile -+++ b/Makefile -@@ -98,6 +98,9 @@ - # call it only once. - cc-opt = $(shell set -e; if $(CC) $(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; fi;) - -+# same but emits $2 if $1 is not supported -+cc-opt-alt = $(shell set -e; if $(CC) $(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; else echo "$(2)"; fi;) -+ - # Disable a warning when supported by the compiler. Don't put spaces around the - # warning! And don't use cc-opt which doesn't always report an error until - # another one is also returned. -@@ -147,8 +150,7 @@ DEBUG_CFLAGS = -g - # can do whatever it wants since it's an undefined behavior, so use -fwrapv - # to be sure we get the intended behavior. - SPEC_CFLAGS := -fno-strict-aliasing -Wdeclaration-after-statement --SPEC_CFLAGS += $(call cc-opt,-fwrapv) --SPEC_CFLAGS += $(call cc-opt,-fno-strict-overflow) -+SPEC_CFLAGS += $(call cc-opt-alt,-fwrapv,$(call cc-opt,-fno-strict-overflow)) - SPEC_CFLAGS += $(call cc-nowarn,format-truncation) - SPEC_CFLAGS += $(call cc-nowarn,address-of-packed-member) - SPEC_CFLAGS += $(call cc-nowarn,null-dereference) diff --git a/net/haproxy/patches/0025-MINOR-server-Use-memcpy-instead-of-strncpy.patch b/net/haproxy/patches/0025-MINOR-server-Use-memcpy-instead-of-strncpy.patch deleted file mode 100644 index c424cba00..000000000 --- a/net/haproxy/patches/0025-MINOR-server-Use-memcpy-instead-of-strncpy.patch +++ /dev/null @@ -1,34 +0,0 @@ -commit 541e3b40b394fb6bde563ff8ce4c882dafca4eb1 -Author: Olivier Houchard <ohouchard@haproxy.com> -Date: Tue Oct 16 18:35:01 2018 +0200 - - MINOR: server: Use memcpy() instead of strncpy(). - - Use memcpy instead of strncpy, strncpy buys us nothing, and gcc is being - annoying. - - (cherry picked from commit 17f8b90736d811ac9a04af198a3aee34e9935cec) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/server.c b/src/server.c -index 4941bd03..208f21da 100644 ---- a/src/server.c -+++ b/src/server.c -@@ -3078,7 +3078,7 @@ void apply_server_state(void) - globalfilepathlen = 0; - goto globalfileerror; - } -- strncpy(globalfilepath, global.server_state_base, len); -+ memcpy(globalfilepath, global.server_state_base, len); - globalfilepath[globalfilepathlen] = 0; - - /* append a slash if needed */ -@@ -3147,7 +3147,7 @@ void apply_server_state(void) - localfilepathlen = 0; - goto localfileerror; - } -- strncpy(localfilepath, global.server_state_base, len); -+ memcpy(localfilepath, global.server_state_base, len); - localfilepath[localfilepathlen] = 0; - - /* append a slash if needed */ diff --git a/net/haproxy/patches/0026-MINOR-cfgparse-Write-130-as-128-as-0x82-and-0x80.patch b/net/haproxy/patches/0026-MINOR-cfgparse-Write-130-as-128-as-0x82-and-0x80.patch deleted file mode 100644 index ddcb4f8fb..000000000 --- a/net/haproxy/patches/0026-MINOR-cfgparse-Write-130-as-128-as-0x82-and-0x80.patch +++ /dev/null @@ -1,34 +0,0 @@ -commit 1993e23d59e37ee7befbc64bf1535640a16354bc -Author: Olivier Houchard <ohouchard@haproxy.com> -Date: Tue Oct 16 18:39:38 2018 +0200 - - MINOR: cfgparse: Write 130 as 128 as 0x82 and 0x80. - - Write 130 and 128 as 8x82 and 0x80, to avoid warnings about casting from - int to size. "check_req" should probably be unsigned, but it's hard to do so. - - (cherry picked from commit 3332090a2d3e9e84bac67af79fb03be111359429) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/cfgparse.c b/src/cfgparse.c -index 7414b60d..87a4d803 100644 ---- a/src/cfgparse.c -+++ b/src/cfgparse.c -@@ -5082,7 +5082,7 @@ stats_error_parsing: - ((unsigned char) (packetlen >> 16) & 0xff)); - - curproxy->check_req[3] = 1; -- curproxy->check_req[5] = 130; -+ curproxy->check_req[5] = 0x82; // 130 - curproxy->check_req[11] = 1; - curproxy->check_req[12] = 33; - memcpy(&curproxy->check_req[36], mysqluser, userlen); -@@ -5108,7 +5108,7 @@ stats_error_parsing: - ((unsigned char) (packetlen >> 16) & 0xff)); - - curproxy->check_req[3] = 1; -- curproxy->check_req[5] = 128; -+ curproxy->check_req[5] = 0x80; - curproxy->check_req[8] = 1; - memcpy(&curproxy->check_req[9], mysqluser, userlen); - curproxy->check_req[9 + userlen + 1 + 1] = 1; diff --git a/net/haproxy/patches/0027-MINOR-peers-use-defines-instead-of-enums-to-appease-clang.patch b/net/haproxy/patches/0027-MINOR-peers-use-defines-instead-of-enums-to-appease-clang.patch deleted file mode 100644 index ba1b47783..000000000 --- a/net/haproxy/patches/0027-MINOR-peers-use-defines-instead-of-enums-to-appease-clang.patch +++ /dev/null @@ -1,39 +0,0 @@ -commit 0d31b8e1dae2bd0ad73c90748a03f9cfeed837d8 -Author: Olivier Houchard <ohouchard@haproxy.com> -Date: Tue Oct 16 18:49:26 2018 +0200 - - MINOR: peers: use defines instead of enums to appease clang. - - Clang (rightfully) warns that we're trying to set chars to values >= 128. - Use defines with hex values instead of an enum to address this. - - (cherry picked from commit 33992267aac00d7e8ae67e0703bf7fffc9cf9b54) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/peers.c b/src/peers.c -index 0cd56da3..465ffe85 100644 ---- a/src/peers.c -+++ b/src/peers.c -@@ -122,15 +122,13 @@ enum { - /* Note: ids >= 128 contains */ - /* id message cotains data */ - /*******************************/ --enum { -- PEER_MSG_STKT_UPDATE = 128, -- PEER_MSG_STKT_INCUPDATE, -- PEER_MSG_STKT_DEFINE, -- PEER_MSG_STKT_SWITCH, -- PEER_MSG_STKT_ACK, -- PEER_MSG_STKT_UPDATE_TIMED, -- PEER_MSG_STKT_INCUPDATE_TIMED, --}; -+#define PEER_MSG_STKT_UPDATE 0x80 -+#define PEER_MSG_STKT_INCUPDATE 0x81 -+#define PEER_MSG_STKT_DEFINE 0x82 -+#define PEER_MSG_STKT_SWITCH 0x83 -+#define PEER_MSG_STKT_ACK 0x84 -+#define PEER_MSG_STKT_UPDATE_TIMED 0x85 -+#define PEER_MSG_STKT_INCUPDATE_TIMED 0x86 - - /**********************************/ - /* Peer Session IO handler states */ diff --git a/net/haproxy/patches/0028-DOC-fix-reference-to-map-files-in-MAINTAINERS.patch b/net/haproxy/patches/0028-DOC-fix-reference-to-map-files-in-MAINTAINERS.patch deleted file mode 100644 index cb9f7cce6..000000000 --- a/net/haproxy/patches/0028-DOC-fix-reference-to-map-files-in-MAINTAINERS.patch +++ /dev/null @@ -1,24 +0,0 @@ -commit c1ef9f5389e5debb132b7e2ab40f178ed413a978 -Author: Lukas Tribus <lukas@ltri.eu> -Date: Wed Oct 17 01:40:11 2018 +0200 - - DOC: fix reference to map files in MAINTAINERS - - s/maps/map - - (cherry picked from commit b75e828b298c958beb10c830a1ccb3df0840c30c) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/MAINTAINERS b/MAINTAINERS -index 3a9e435a..df7cc336 100644 ---- a/MAINTAINERS -+++ b/MAINTAINERS -@@ -24,7 +24,7 @@ Files: src/hlua.c, include/*/hlua.h - - Maps and pattern matching - Maintainer: Thierry Fournier <tfournier@arpalert.org> --Files: src/maps.c, src/pattern.c, include/*/maps.h, include/*/pattern.h -+Files: src/map.c, src/pattern.c, include/*/map.h, include/*/pattern.h - - DNS - Maintainer: Baptiste Assmann <bedis9@gmail.com> diff --git a/net/haproxy/patches/0029-BUILD-compiler-rename-__unreachable-to-my_unreachable.patch b/net/haproxy/patches/0029-BUILD-compiler-rename-__unreachable-to-my_unreachable.patch deleted file mode 100644 index 3c6b7b721..000000000 --- a/net/haproxy/patches/0029-BUILD-compiler-rename-__unreachable-to-my_unreachable.patch +++ /dev/null @@ -1,41 +0,0 @@ -commit 9011ff6c9fb5128dd50b4210e05199ea6337b82b -Author: Willy Tarreau <w@1wt.eu> -Date: Sat Oct 20 17:45:48 2018 +0200 - - BUILD: compiler: rename __unreachable() to my_unreachable() - - Olivier reported that on FreeBSD __unreachable is already defined - and causes build warnings. Let's rename it then. - - (cherry picked from commit 4e7cc3381b27e3971b02b73a113ecc13916e1f20) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/include/common/compiler.h b/include/common/compiler.h -index 6f4f5a67..60549307 100644 ---- a/include/common/compiler.h -+++ b/include/common/compiler.h -@@ -89,9 +89,9 @@ - * below was introduced in gcc 4.5, and before it we didn't care. - */ - #if __GNUC__ >= 5 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5) --#define __unreachable() __builtin_unreachable() -+#define my_unreachable() __builtin_unreachable() - #else --#define __unreachable() -+#define my_unreachable() - #endif - - /* -diff --git a/src/hlua.c b/src/hlua.c -index c3bb269a..085544dc 100644 ---- a/src/hlua.c -+++ b/src/hlua.c -@@ -64,7 +64,7 @@ - * MAY_LJMP() marks an lua function that may use longjmp. - */ - #define __LJMP --#define WILL_LJMP(func) do { func; __unreachable(); } while(0) -+#define WILL_LJMP(func) do { func; my_unreachable(); } while(0) - #define MAY_LJMP(func) func - - /* This couple of function executes securely some Lua calls outside of diff --git a/net/haproxy/patches/0030-BUG-MEDIUM-pools-Fix-the-usage-of-mmap-with-DEBUG_UAF.patch b/net/haproxy/patches/0030-BUG-MEDIUM-pools-Fix-the-usage-of-mmap-with-DEBUG_UAF.patch deleted file mode 100644 index cf258df86..000000000 --- a/net/haproxy/patches/0030-BUG-MEDIUM-pools-Fix-the-usage-of-mmap-with-DEBUG_UAF.patch +++ /dev/null @@ -1,33 +0,0 @@ -commit 7e751a3c24a7021075fb298025c4a1ce98a5b049 -Author: Olivier Houchard <cognet@ci0.org> -Date: Sun Oct 21 01:33:11 2018 +0200 - - BUG/MEDIUM: pools: Fix the usage of mmap()) with DEBUG_UAF. - - When mapping memory with mmap(), we should use a fd of -1, not 0. 0 may - work on linux, but it doesn't work on FreeBSD, and probably other OSes. - - It would be nice to backport this to 1.8 to help debugging there. - - (cherry picked from commit 62975a7740cba4bdaf1c096dd246feba854d2410) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/include/common/memory.h b/include/common/memory.h -index a2237da5..da0641de 100644 ---- a/include/common/memory.h -+++ b/include/common/memory.h -@@ -186,12 +186,13 @@ static inline void pool_free_area(void *area, size_t __maybe_unused size) - * some padding is added, the area's start address is copied at the end of the - * padding to help detect underflows. - */ -+#include <errno.h> - static inline void *pool_alloc_area(size_t size) - { - size_t pad = (4096 - size) & 0xFF0; - void *ret; - -- ret = mmap(NULL, (size + 4095) & -4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); -+ ret = mmap(NULL, (size + 4095) & -4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); - if (ret == MAP_FAILED) - return NULL; - if (pad >= sizeof(void *)) diff --git a/net/haproxy/patches/0031-BUG-MEDIUM-h2-Close-connection-if-no-stream-is-left-an-GOAWAY-was-sent.patch b/net/haproxy/patches/0031-BUG-MEDIUM-h2-Close-connection-if-no-stream-is-left-an-GOAWAY-was-sent.patch deleted file mode 100644 index 69eb6cf54..000000000 --- a/net/haproxy/patches/0031-BUG-MEDIUM-h2-Close-connection-if-no-stream-is-left-an-GOAWAY-was-sent.patch +++ /dev/null @@ -1,28 +0,0 @@ -commit 105abe2f7a2e518afda9eb3bda5cceb60f6fd1b2 -Author: Olivier Houchard <cognet@ci0.org> -Date: Sun Oct 21 03:01:20 2018 +0200 - - BUG/MEDIUM: h2: Close connection if no stream is left an GOAWAY was sent. - - When we're closing a stream, is there's no stream left and a goaway was sent, - close the connection, there's no reason to keep it open. - - [wt: it's likely that this is needed in 1.8 as well, though it's unclear - how to trigger this issue, some tests are needed] - - (cherry picked from commit 52b946686c28891a4359e9361676dc62af4fffad) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/mux_h2.c b/src/mux_h2.c -index b1b039fe..6881302b 100644 ---- a/src/mux_h2.c -+++ b/src/mux_h2.c -@@ -2540,7 +2540,7 @@ static void h2_detach(struct conn_stream *cs) - if (eb_is_empty(&h2c->streams_by_id) && /* don't close if streams exist */ - ((h2c->conn->flags & CO_FL_ERROR) || /* errors close immediately */ - (h2c->st0 >= H2_CS_ERROR && !h2c->task) || /* a timeout stroke earlier */ -- (h2c->flags & H2_CF_GOAWAY_FAILED) || -+ (h2c->flags & (H2_CF_GOAWAY_FAILED | H2_CF_GOAWAY_SENT)) || - (!h2c->mbuf->o && /* mux buffer empty, also process clean events below */ - (conn_xprt_read0_pending(h2c->conn) || - (h2c->last_sid >= 0 && h2c->max_id >= h2c->last_sid))))) { diff --git a/net/haproxy/patches/0032-BUILD-Makefile-add-the-new-ERR-variable-to-force--Werror.patch b/net/haproxy/patches/0032-BUILD-Makefile-add-the-new-ERR-variable-to-force--Werror.patch deleted file mode 100644 index 8edd76e98..000000000 --- a/net/haproxy/patches/0032-BUILD-Makefile-add-the-new-ERR-variable-to-force--Werror.patch +++ /dev/null @@ -1,46 +0,0 @@ -commit e1b3aa5613a5edbb52a44d69b3e6007d9d631981 -Author: Willy Tarreau <w@1wt.eu> -Date: Mon Oct 22 06:22:46 2018 +0200 - - BUILD: Makefile: add the new ERR variable to force -Werror - - Instead of having to fiddle with the CFLAGS, let's have ERR=1 to enable - -Werror. - - (cherry picked from commit 23cd43e2d6fa2b6892a786a1a720c5f24e657f10) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/Makefile b/Makefile -index 6ffc1b06..94e04738 100644 ---- a/Makefile -+++ b/Makefile -@@ -57,6 +57,7 @@ - # DEP may be cleared to ignore changes to include files during development - # SMALL_OPTS may be used to specify some options to shrink memory usage. - # DEBUG may be used to set some internal debugging options. -+# ERR may be set to non-empty to pass -Werror to the compiler - # ADDINC may be used to complete the include path in the form -Ipath. - # ADDLIB may be used to complete the library list in the form -Lpath -llib. - # DEFINE may be used to specify any additional define, which will be reported -@@ -143,6 +144,9 @@ LD = $(CC) - # Those flags only feed CFLAGS so it is not mandatory to use this form. - DEBUG_CFLAGS = -g - -+#### Add -Werror when set to non-empty -+ERR = -+ - #### Compiler-specific flags that may be used to disable some negative over- - # optimization or to silence some warnings. -fno-strict-aliasing is needed with - # gcc >= 4.4. -@@ -807,6 +811,11 @@ EBTREE_DIR := ebtree - #### Global compile options - VERBOSE_CFLAGS = $(CFLAGS) $(TARGET_CFLAGS) $(SMALL_OPTS) $(DEFINE) - COPTS = -Iinclude -I$(EBTREE_DIR) -Wall -+ -+ifneq ($(ERR),) -+COPTS += -Werror -+endif -+ - COPTS += $(CFLAGS) $(TARGET_CFLAGS) $(SMALL_OPTS) $(DEFINE) $(SILENT_DEFINE) - COPTS += $(DEBUG) $(OPTIONS_CFLAGS) $(ADDINC) - diff --git a/net/haproxy/patches/0033-BUG-MINOR-cache-Crashes-with-total-max-size-2047MB.patch b/net/haproxy/patches/0033-BUG-MINOR-cache-Crashes-with-total-max-size-2047MB.patch deleted file mode 100644 index 886b8a87d..000000000 --- a/net/haproxy/patches/0033-BUG-MINOR-cache-Crashes-with-total-max-size-2047MB.patch +++ /dev/null @@ -1,55 +0,0 @@ -commit bf7b382e528ab62a9f695b07e659d2f77545e93d -Author: Frédéric Lécaille <flecaille@haproxy.com> -Date: Thu Oct 25 20:17:45 2018 +0200 - - BUG/MINOR: cache: Crashes with "total-max-size" > 2047(MB). - - With this patch we support cache size larger than 2047 (MB) and prevent haproxy from crashing when "total-max-size" is parsed as negative values by atoi(). - - The limit at parsing time is 4095 MB (UINT_MAX >> 20). - - May be backported to 1.8. - - (cherry picked from commit b9b8b6b6beb84b6b942d24eda56bfbe3812cc294) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/cache.c b/src/cache.c -index 39e0bad4..df3649ea 100644 ---- a/src/cache.c -+++ b/src/cache.c -@@ -770,17 +770,32 @@ int cfg_parse_cache(const char *file, int linenum, char **args, int kwm) - tmp_cache_config->maxblocks = 0; - } - } else if (strcmp(args[0], "total-max-size") == 0) { -- int maxsize; -+ unsigned long int maxsize; -+ char *err; - - if (alertif_too_many_args(1, file, linenum, args, &err_code)) { - err_code |= ERR_ABORT; - goto out; - } - -+ maxsize = strtoul(args[1], &err, 10); -+ if (err == args[1] || *err != '\0') { -+ ha_warning("parsing [%s:%d]: total-max-size wrong value '%s'\n", -+ file, linenum, args[1]); -+ err_code |= ERR_ABORT; -+ goto out; -+ } -+ -+ if (maxsize > (UINT_MAX >> 20)) { -+ ha_warning("parsing [%s:%d]: \"total-max-size\" (%s) must not be greater than %u\n", -+ file, linenum, args[1], UINT_MAX >> 20); -+ err_code |= ERR_ABORT; -+ goto out; -+ } -+ - /* size in megabytes */ -- maxsize = atoi(args[1]) * 1024 * 1024 / CACHE_BLOCKSIZE; -+ maxsize *= 1024 * 1024 / CACHE_BLOCKSIZE; - tmp_cache_config->maxblocks = maxsize; -- - } else if (strcmp(args[0], "max-age") == 0) { - if (alertif_too_many_args(1, file, linenum, args, &err_code)) { - err_code |= ERR_ABORT; diff --git a/net/haproxy/patches/0034-BUG-MINOR-cache-Wrong-usage-of-shctx_init.patch b/net/haproxy/patches/0034-BUG-MINOR-cache-Wrong-usage-of-shctx_init.patch deleted file mode 100644 index ba799e7bd..000000000 --- a/net/haproxy/patches/0034-BUG-MINOR-cache-Wrong-usage-of-shctx_init.patch +++ /dev/null @@ -1,28 +0,0 @@ -commit 68c23dedaaae8f29d26c4791b30d138ed1411548 -Author: Frédéric Lécaille <flecaille@haproxy.com> -Date: Thu Oct 25 20:18:59 2018 +0200 - - BUG/MINOR: cache: Wrong usage of shctx_init(). - - With this patch we check that shctx_init() does not returns 0. - This is possible if the maxblocks argument, which is passed as an - int, is negative due to an implicit conversion. - - Must be backported to 1.8. - - (cherry picked from commit bc584494e625983f16f35982aa6dd6889e8dd222) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/cache.c b/src/cache.c -index df3649ea..667cede3 100644 ---- a/src/cache.c -+++ b/src/cache.c -@@ -837,7 +837,7 @@ int cfg_post_parse_section_cache() - - ret_shctx = shctx_init(&shctx, tmp_cache_config->maxblocks, CACHE_BLOCKSIZE, sizeof(struct cache), 1); - -- if (ret_shctx < 0) { -+ if (ret_shctx <= 0) { - if (ret_shctx == SHCTX_E_INIT_LOCK) - ha_alert("Unable to initialize the lock for the cache.\n"); - else diff --git a/net/haproxy/patches/0035-BUG-MINOR-ssl-Wrong-usage-of-shctx_init.patch b/net/haproxy/patches/0035-BUG-MINOR-ssl-Wrong-usage-of-shctx_init.patch deleted file mode 100644 index a07575c02..000000000 --- a/net/haproxy/patches/0035-BUG-MINOR-ssl-Wrong-usage-of-shctx_init.patch +++ /dev/null @@ -1,26 +0,0 @@ -commit 49f82640bf3c9a9c808568344bfa94d279c95b7e -Author: Frédéric Lécaille <flecaille@haproxy.com> -Date: Thu Oct 25 20:22:46 2018 +0200 - - BUG/MINOR: ssl: Wrong usage of shctx_init(). - - With this patch we check that shctx_init() does not return 0. - - Must be backported to 1.8. - - (cherry picked from commit 4c8aa117f9bda3b5253f03ad5a7135a9165060f5) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index cfbc38b7..19e41743 100644 ---- a/src/ssl_sock.c -+++ b/src/ssl_sock.c -@@ -4768,7 +4768,7 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf) - sizeof(struct sh_ssl_sess_hdr) + SHSESS_BLOCK_MIN_SIZE, - sizeof(*sh_ssl_sess_tree), - ((global.nbthread > 1) || (!global_ssl.private_cache && (global.nbproc > 1))) ? 1 : 0); -- if (alloc_ctx < 0) { -+ if (alloc_ctx <= 0) { - if (alloc_ctx == SHCTX_E_INIT_LOCK) - ha_alert("Unable to initialize the lock for the shared SSL session cache. You can retry using the global statement 'tune.ssl.force-private-cache' but it could increase CPU usage due to renegotiations if nbproc > 1.\n"); - else diff --git a/net/haproxy/patches/0036-DOC-cache-Missing-information-about-total-max-size.patch b/net/haproxy/patches/0036-DOC-cache-Missing-information-about-total-max-size.patch deleted file mode 100644 index 2373a6521..000000000 --- a/net/haproxy/patches/0036-DOC-cache-Missing-information-about-total-max-size.patch +++ /dev/null @@ -1,24 +0,0 @@ -commit 9c416cf3cc449fd46880d5a7c3fdd1bb98447b68 -Author: Frédéric Lécaille <flecaille@haproxy.com> -Date: Thu Oct 25 10:46:40 2018 +0200 - - DOC: cache: Missing information about "total-max-size" - - (cherry picked from commit e3c83d80e3aadb7b2641b861725c9d1dd7dc6713) - [wt: this only retrieves from the original patch the part related to - the max configurable size for total-max-size] - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/doc/configuration.txt b/doc/configuration.txt -index 7a268386..09980248 100644 ---- a/doc/configuration.txt -+++ b/doc/configuration.txt -@@ -17132,7 +17132,7 @@ cache <name> - - total-max-size <megabytes> - Define the size in RAM of the cache in megabytes. This size is split in -- blocks of 1kB which are used by the cache entries. -+ blocks of 1kB which are used by the cache entries. Its maximum value is 4095. - - max-age <seconds> - Define the maximum expiration duration. The expiration is set has the lowest diff --git a/net/haproxy/patches/0037-BUG-MINOR-only-mark-connections-private-if-NTLM-is-detected.patch b/net/haproxy/patches/0037-BUG-MINOR-only-mark-connections-private-if-NTLM-is-detected.patch deleted file mode 100644 index dd3748f82..000000000 --- a/net/haproxy/patches/0037-BUG-MINOR-only-mark-connections-private-if-NTLM-is-detected.patch +++ /dev/null @@ -1,94 +0,0 @@ -commit 7b728d616e417f0a8cd25375f70b8a332ad23a71 -Author: Lukas Tribus <lukas@ltri.eu> -Date: Sat Oct 27 20:06:59 2018 +0200 - - BUG/MINOR: only mark connections private if NTLM is detected - - Instead of marking all connections that see a 401/407 response private - (for connection reuse), this patch detects a RFC4559/NTLM authentication - scheme and restricts the private setting to those connections. - - This is so we can reuse connections with 401/407 responses with - deterministic load balancing algorithms later (which requires another fix). - - This fixes the problem reported here by Elliot Barlas : - - https://discourse.haproxy.org/t/unable-to-configure-load-balancing-per-request-over-persistent-connection/3144 - - Should be backported to 1.8. - - (cherry picked from commit fd9b68c48ecdba5e7971899f4eec315c8e3a3cfe) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/doc/configuration.txt b/doc/configuration.txt -index 09980248..43b1b822 100644 ---- a/doc/configuration.txt -+++ b/doc/configuration.txt -@@ -4798,10 +4798,8 @@ http-reuse { never | safe | aggressive | always } - - connections sent to a server with a TLS SNI extension are marked private - and are never shared; - -- - connections receiving a status code 401 or 407 expect some authentication -- to be sent in return. Due to certain bogus authentication schemes (such -- as NTLM) relying on the connection, these connections are marked private -- and are never shared; -+ - connections with certain bogus authentication schemes (relying on the -+ connection) like NTLM are detected, marked private and are never shared; - - No connection pool is involved, once a session dies, the last idle connection - it was attached to is deleted at the same time. This ensures that connections -diff --git a/src/proto_http.c b/src/proto_http.c -index 8f86422d..cde2dbf7 100644 ---- a/src/proto_http.c -+++ b/src/proto_http.c -@@ -4388,8 +4388,6 @@ void http_end_txn_clean_session(struct stream *s) - * it's better to do it (at least it helps with debugging). - */ - s->txn->flags |= TX_PREFER_LAST; -- if (srv_conn) -- srv_conn->flags |= CO_FL_PRIVATE; - } - - /* Never ever allow to reuse a connection from a non-reuse backend */ -@@ -5053,10 +5051,13 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit) - struct http_txn *txn = s->txn; - struct http_msg *msg = &txn->rsp; - struct hdr_ctx ctx; -+ struct connection *srv_conn; - int use_close_only; - int cur_idx; - int n; - -+ srv_conn = cs_conn(objt_cs(s->si[1].end)); -+ - DPRINTF(stderr,"[%u] %s: stream=%p b=%p, exp(r,w)=%u,%u bf=%08x bh=%d analysers=%02x\n", - now_ms, __FUNCTION__, - s, -@@ -5588,6 +5589,27 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit) - msg->body_len = msg->chunk_len = cl; - } - -+ /* check for NTML authentication headers in 401 (WWW-Authenticate) and -+ * 407 (Proxy-Authenticate) responses and set the connection to private -+ */ -+ if (srv_conn && txn->status == 401) { -+ /* check for Negotiate/NTLM WWW-Authenticate headers */ -+ ctx.idx = 0; -+ while (http_find_header2("WWW-Authenticate", 16, rep->buf->p, &txn->hdr_idx, &ctx)) { -+ if ((ctx.vlen >= 9 && word_match(ctx.line + ctx.val, ctx.vlen, "Negotiate", 9)) || -+ (ctx.vlen >= 4 && word_match(ctx.line + ctx.val, ctx.vlen, "NTLM", 4))) -+ srv_conn->flags |= CO_FL_PRIVATE; -+ } -+ } else if (srv_conn && txn->status == 407) { -+ /* check for Negotiate/NTLM Proxy-Authenticate headers */ -+ ctx.idx = 0; -+ while (http_find_header2("Proxy-Authenticate", 18, rep->buf->p, &txn->hdr_idx, &ctx)) { -+ if ((ctx.vlen >= 9 && word_match(ctx.line + ctx.val, ctx.vlen, "Negotiate", 9)) || -+ (ctx.vlen >= 4 && word_match(ctx.line + ctx.val, ctx.vlen, "NTLM", 4))) -+ srv_conn->flags |= CO_FL_PRIVATE; -+ } -+ } -+ - skip_content_length: - /* Now we have to check if we need to modify the Connection header. - * This is more difficult on the response than it is on the request, diff --git a/net/haproxy/patches/0038-BUG-MINOR-only-auto-prefer-last-server-if-lb-alg-is-non-deterministic.patch b/net/haproxy/patches/0038-BUG-MINOR-only-auto-prefer-last-server-if-lb-alg-is-non-deterministic.patch deleted file mode 100644 index e3f8a1456..000000000 --- a/net/haproxy/patches/0038-BUG-MINOR-only-auto-prefer-last-server-if-lb-alg-is-non-deterministic.patch +++ /dev/null @@ -1,76 +0,0 @@ -commit a100980f50f92e588c2b60f20571e84bf749f3e3 -Author: Lukas Tribus <lukas@ltri.eu> -Date: Sat Oct 27 20:07:40 2018 +0200 - - BUG/MINOR: only auto-prefer last server if lb-alg is non-deterministic - - While "option prefer-last-server" only applies to non-deterministic load - balancing algorithms, 401/407 responses actually caused haproxy to prefer - the last server unconditionally. - - As this breaks deterministic load balancing algorithms like uri, this - patch applies the same condition here. - - Should be backported to 1.8 (together with "BUG/MINOR: only mark - connections private if NTLM is detected"). - - (cherry picked from commit 80512b186fd7f4ef3bc7d9c92b281c549d72aa8a) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/doc/configuration.txt b/doc/configuration.txt -index 43b1b822..f0558d5e 100644 ---- a/doc/configuration.txt -+++ b/doc/configuration.txt -@@ -2498,6 +2498,11 @@ balance url_param <param> [check_post] - algorithm, mode nor option have been set. The algorithm may only be set once - for each backend. - -+ With authentication schemes that require the same connection like NTLM, URI -+ based alghoritms must not be used, as they would cause subsequent requests -+ to be routed to different backend servers, breaking the invalid assumptions -+ NTLM relies on. -+ - Examples : - balance roundrobin - balance url_param userid -@@ -6486,8 +6491,9 @@ no option prefer-last-server - close of the connection. This can make sense for static file servers. It does - not make much sense to use this in combination with hashing algorithms. Note, - haproxy already automatically tries to stick to a server which sends a 401 or -- to a proxy which sends a 407 (authentication required). This is mandatory for -- use with the broken NTLM authentication challenge, and significantly helps in -+ to a proxy which sends a 407 (authentication required), when the load -+ balancing algorithm is not deterministic. This is mandatory for use with the -+ broken NTLM authentication challenge, and significantly helps in - troubleshooting some faulty applications. Option prefer-last-server might be - desirable in these environments as well, to avoid redistributing the traffic - after every other response. -diff --git a/src/backend.c b/src/backend.c -index fc1eac0d..b3fd6c67 100644 ---- a/src/backend.c -+++ b/src/backend.c -@@ -572,9 +572,9 @@ int assign_server(struct stream *s) - if (conn && - (conn->flags & CO_FL_CONNECTED) && - objt_server(conn->target) && __objt_server(conn->target)->proxy == s->be && -+ (s->be->lbprm.algo & BE_LB_KIND) != BE_LB_KIND_HI && - ((s->txn && s->txn->flags & TX_PREFER_LAST) || - ((s->be->options & PR_O_PREF_LAST) && -- (s->be->lbprm.algo & BE_LB_KIND) != BE_LB_KIND_HI && - (!s->be->max_ka_queue || - server_has_room(__objt_server(conn->target)) || - (__objt_server(conn->target)->nbpend + 1) < s->be->max_ka_queue))) && -diff --git a/src/proto_http.c b/src/proto_http.c -index cde2dbf7..a48c4fdb 100644 ---- a/src/proto_http.c -+++ b/src/proto_http.c -@@ -4385,7 +4385,8 @@ void http_end_txn_clean_session(struct stream *s) - * server over the same connection. This is required by some - * broken protocols such as NTLM, and anyway whenever there is - * an opportunity for sending the challenge to the proper place, -- * it's better to do it (at least it helps with debugging). -+ * it's better to do it (at least it helps with debugging), at -+ * least for non-deterministic load balancing algorithms. - */ - s->txn->flags |= TX_PREFER_LAST; - } diff --git a/net/haproxy/patches/0039-BUG-MAJOR-http-http_txn_get_path-may-deference-an-inexisting-buffer.patch b/net/haproxy/patches/0039-BUG-MAJOR-http-http_txn_get_path-may-deference-an-inexisting-buffer.patch deleted file mode 100644 index 920eac52a..000000000 --- a/net/haproxy/patches/0039-BUG-MAJOR-http-http_txn_get_path-may-deference-an-inexisting-buffer.patch +++ /dev/null @@ -1,39 +0,0 @@ -commit 69d4ddf919fc4bc6d296a743baeccdd44fb89be6 -Author: Willy Tarreau <w@1wt.eu> -Date: Sun Oct 28 20:13:12 2018 +0100 - - BUG/MAJOR: http: http_txn_get_path() may deference an inexisting buffer - - When the "path" sample fetch function is called without any path, the - function doesn't check that the request buffer is allocated. While this - doesn't happen with the request during processing, it can definitely - happen when mistakenly trying to reference a path from the response - since the request channel is not allocated anymore. - - It's certain that this bug was emphasized by the buffer changes that - went in 1.9 and the HTTP refactoring, but at first glance, 1.8 doesn't - seem 100% safe either so it's possible that older version are affected - as well. - - Thanks to PiBa-NL for reporting this bug with a reproducer. - - (cherry picked from commit 9d9ccdbf8b1178fefa2843c83bc6612733f9eca6) - [wt: minor adaptation to older buffer API. There are some call places - which don't look structurally safe though in their context the - buffer always ought to be there] - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/src/proto_http.c b/src/proto_http.c -index a48c4fdb..fb18357b 100644 ---- a/src/proto_http.c -+++ b/src/proto_http.c -@@ -985,6 +985,9 @@ char *http_get_path(struct http_txn *txn) - { - char *ptr, *end; - -+ if (!txn->req.chn->buf->size) -+ return NULL; -+ - ptr = txn->req.chn->buf->p + txn->req.sl.rq.u; - end = ptr + txn->req.sl.rq.u_l; - diff --git a/net/haproxy/patches/0040-BUG-MEDIUM-auth-threads-use-of-crypt-is-not-thread-safe.patch b/net/haproxy/patches/0040-BUG-MEDIUM-auth-threads-use-of-crypt-is-not-thread-safe.patch deleted file mode 100644 index b5531c5e1..000000000 --- a/net/haproxy/patches/0040-BUG-MEDIUM-auth-threads-use-of-crypt-is-not-thread-safe.patch +++ /dev/null @@ -1,77 +0,0 @@ -commit a873c161d251abd025008034c0ddef8cd7f39511 -Author: Willy Tarreau <w@1wt.eu> -Date: Mon Oct 29 18:02:54 2018 +0100 - - BUG/MEDIUM: auth/threads: use of crypt() is not thread-safe - - It was reported here that authentication may fail when threads are - enabled : - - https://bugzilla.redhat.com/show_bug.cgi?id=1643941 - - While I couldn't reproduce the issue, it's obvious that there is a - problem with the use of the non-reentrant crypt() function there. - On Linux systems there's crypt_r() but not on the vast majority of - other ones. Thus a first approach consists in placing a lock around - this crypt() call. Another patch may relax it when crypt_r() is - available. - - This fix must be backported to 1.8. Thanks to Ryan O'Hara for the - quick notification. - - (cherry picked from commit 34d4b525a129baa6f52a930ae629ddb1ba4255c2) - Signed-off-by: Willy Tarreau <w@1wt.eu> - -diff --git a/include/common/hathreads.h b/include/common/hathreads.h -index 44bd66d1..24fb1d1a 100644 ---- a/include/common/hathreads.h -+++ b/include/common/hathreads.h -@@ -373,6 +373,7 @@ enum lock_label { - START_LOCK, - TLSKEYS_REF_LOCK, - PENDCONN_LOCK, -+ AUTH_LOCK, - LOCK_LABELS - }; - struct lock_stat { -@@ -495,6 +496,7 @@ static inline const char *lock_label(enum lock_label label) - case START_LOCK: return "START"; - case TLSKEYS_REF_LOCK: return "TLSKEYS_REF"; - case PENDCONN_LOCK: return "PENDCONN"; -+ case AUTH_LOCK: return "AUTH"; - case LOCK_LABELS: break; /* keep compiler happy */ - }; - /* only way to come here is consecutive to an internal bug */ -diff --git a/src/auth.c b/src/auth.c -index a2c689f7..e0fb1352 100644 ---- a/src/auth.c -+++ b/src/auth.c -@@ -28,6 +28,7 @@ - #include <types/global.h> - #include <common/config.h> - #include <common/errors.h> -+#include <common/hathreads.h> - - #include <proto/acl.h> - #include <proto/log.h> -@@ -37,6 +38,10 @@ - - struct userlist *userlist = NULL; /* list of all existing userlists */ - -+#ifdef CONFIG_HAP_CRYPT -+__decl_hathreads(static HA_SPINLOCK_T auth_lock); -+#endif -+ - /* find targets for selected gropus. The function returns pointer to - * the userlist struct ot NULL if name is NULL/empty or unresolvable. - */ -@@ -245,7 +250,9 @@ check_user(struct userlist *ul, const char *user, const char *pass) - - if (!(u->flags & AU_O_INSECURE)) { - #ifdef CONFIG_HAP_CRYPT -+ HA_SPIN_LOCK(AUTH_LOCK, &auth_lock); - ep = crypt(pass, u->pass); -+ HA_SPIN_UNLOCK(AUTH_LOCK, &auth_lock); - #else - return 0; - #endif diff --git a/net/haproxy/patches/0041-BUG-MINOR-config-better-detect-the-presence-of-the-h2-pattern-in-npn-alpn.patch b/net/haproxy/patches/0041-BUG-MINOR-config-better-detect-the-presence-of-the-h2-pattern-in-npn-alpn.patch deleted file mode 100644 index 787f60c14..000000000 --- a/net/haproxy/patches/0041-BUG-MINOR-config-better-detect-the-presence-of-the-h2-pattern-in-npn-alpn.patch +++ /dev/null @@ -1,43 +0,0 @@ -commit c990c7fe448248c4e2a34b84b593cc1b3536b328 -Author: Willy Tarreau <w@1wt.eu> -Date: Sun Nov 11 10:36:25 2018 +0100 - - BUG/MINOR: config: better detect the presence of the h2 pattern in npn/alpn - - In 1.8, commit 45a66cc ("MEDIUM: config: ensure that tune.bufsize is at - least 16384 when using HTTP/2") tried to avoid an annoying issue making - H2 fail when haproxy is built with default buffer sizes smaller than 16kB, - which used to be the case for a very long time. Sadly, the test only sees - when NPN/ALPN exactly match "h2" and not when it's combined like - "h2,http/1.1" nor "http/1.1,h2". We can safely use strstr() there because - the string is prefixed by the token's length (0x02) which is unambiguous - as it cannot be part of any other token. - - This fix should be backported to 1.8 as a safety guard against bad - configurations. - - (cherry picked from commit 4db49c0704898e51892a176505299de3e022c5ea) - Signed-off-by: William Lallemand <wlallemand@haproxy.org> - -diff --git a/src/cfgparse.c b/src/cfgparse.c -index 87a4d803..618ffd39 100644 ---- a/src/cfgparse.c -+++ b/src/cfgparse.c -@@ -7629,7 +7629,7 @@ int check_config_validity() - if (curproxy->mode == PR_MODE_HTTP && global.tune.bufsize < 16384) { - #ifdef OPENSSL_NPN_NEGOTIATED - /* check NPN */ -- if (bind_conf->ssl_conf.npn_str && strcmp(bind_conf->ssl_conf.npn_str, "\002h2") == 0) { -+ if (bind_conf->ssl_conf.npn_str && strstr(bind_conf->ssl_conf.npn_str, "\002h2")) { - ha_alert("config : HTTP frontend '%s' enables HTTP/2 via NPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n", - curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize); - cfgerr++; -@@ -7637,7 +7637,7 @@ int check_config_validity() - #endif - #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation - /* check ALPN */ -- if (bind_conf->ssl_conf.alpn_str && strcmp(bind_conf->ssl_conf.alpn_str, "\002h2") == 0) { -+ if (bind_conf->ssl_conf.alpn_str && strstr(bind_conf->ssl_conf.alpn_str, "\002h2")) { - ha_alert("config : HTTP frontend '%s' enables HTTP/2 via ALPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n", - curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize); - cfgerr++; diff --git a/net/haproxy/patches/0042-BUG-MEDIUM-Make-sure-stksess-is-properly-aligned.patch b/net/haproxy/patches/0042-BUG-MEDIUM-Make-sure-stksess-is-properly-aligned.patch deleted file mode 100644 index b70b00bcc..000000000 --- a/net/haproxy/patches/0042-BUG-MEDIUM-Make-sure-stksess-is-properly-aligned.patch +++ /dev/null @@ -1,61 +0,0 @@ -commit 5b259db1160fa12820cc5ba6399e4dbcefa6ab22 -Author: Olivier Houchard <ohouchard@haproxy.com> -Date: Wed Nov 14 17:54:36 2018 +0100 - - BUG/MEDIUM: Make sure stksess is properly aligned. - - When we allocate struct stksess, we also allocate memory to store the - associated data before the struct itself. - As the data can be of different types, they can have different size. However, - we need the struct stksess to be properly aligned, as it can do 64bits - load/store (including atomic load/stores) on 64bits platforms, and some of - them doesn't support unaligned access. - So, when allocating the struct stksess, round the size up to the next - multiple of sizeof(void *), and make sure the struct stksess itself is - properly aligned. - Many thanks to Paul Martin for investigating and reporting that bug. - - This should be backported to earlier releases. - - (cherry picked from commit 52dabbc4fad338233c7f0c96f977a43f8f81452a) - Signed-off-by: William Lallemand <wlallemand@haproxy.org> - -diff --git a/src/stick_table.c b/src/stick_table.c -index f1442603..0a238378 100644 ---- a/src/stick_table.c -+++ b/src/stick_table.c -@@ -44,6 +44,7 @@ - /* structure used to return a table key built from a sample */ - static THREAD_LOCAL struct stktable_key static_table_key; - -+#define round_ptr_size(i) (((i) + (sizeof(void *) - 1)) &~ (sizeof(void *) - 1)) - /* - * Free an allocated sticky session <ts>, and decrease sticky sessions counter - * in table <t>. -@@ -51,7 +52,7 @@ static THREAD_LOCAL struct stktable_key static_table_key; - void __stksess_free(struct stktable *t, struct stksess *ts) - { - t->current--; -- pool_free(t->pool, (void *)ts - t->data_size); -+ pool_free(t->pool, (void *)ts - round_ptr_size(t->data_size)); - } - - /* -@@ -229,7 +230,7 @@ struct stksess *__stksess_new(struct stktable *t, struct stktable_key *key) - ts = pool_alloc(t->pool); - if (ts) { - t->current++; -- ts = (void *)ts + t->data_size; -+ ts = (void *)ts + round_ptr_size(t->data_size); - __stksess_init(t, ts); - if (key) - stksess_setkey(t, ts, key); -@@ -597,7 +598,7 @@ int stktable_init(struct stktable *t) - t->updates = EB_ROOT_UNIQUE; - HA_SPIN_INIT(&t->lock); - -- t->pool = create_pool("sticktables", sizeof(struct stksess) + t->data_size + t->key_size, MEM_F_SHARED); -+ t->pool = create_pool("sticktables", sizeof(struct stksess) + round_ptr_size(t->data_size) + t->key_size, MEM_F_SHARED); - - t->exp_next = TICK_ETERNITY; - if ( t->expire ) { diff --git a/net/haproxy/patches/0043-BUG-MINOR-config-Copy-default-error-messages-when-parsing-of-a-backend-starts.patch b/net/haproxy/patches/0043-BUG-MINOR-config-Copy-default-error-messages-when-parsing-of-a-backend-starts.patch deleted file mode 100644 index 21200bf4f..000000000 --- a/net/haproxy/patches/0043-BUG-MINOR-config-Copy-default-error-messages-when-parsing-of-a-backend-starts.patch +++ /dev/null @@ -1,38 +0,0 @@ -commit 54824cf35520b11ff97e0937beeb429dcdc55fd0 -Author: Christopher Faulet <cfaulet@haproxy.com> -Date: Mon Nov 12 11:57:31 2018 +0100 - - BUG/MINOR: config: Copy default error messages when parsing of a backend starts - - To be used, error messages declared in a default section must be copied when the - parsing of a proxy section starts. But this was only done for frontends. - - This patch may be backported to older versions. - - (cherry picked from commit 6b44975fbd2f7d81074e20bc07fc0e01466cc9c9) - Signed-off-by: William Lallemand <wlallemand@haproxy.org> - -diff --git a/src/cfgparse.c b/src/cfgparse.c -index 618ffd39..6bc6b259 100644 ---- a/src/cfgparse.c -+++ b/src/cfgparse.c -@@ -2787,15 +2787,15 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm) - curproxy->server_id_hdr_name = strdup(defproxy.server_id_hdr_name); - } - -+ /* initialize error relocations */ -+ for (rc = 0; rc < HTTP_ERR_SIZE; rc++) -+ chunk_dup(&curproxy->errmsg[rc], &defproxy.errmsg[rc]); -+ - if (curproxy->cap & PR_CAP_FE) { - curproxy->maxconn = defproxy.maxconn; - curproxy->backlog = defproxy.backlog; - curproxy->fe_sps_lim = defproxy.fe_sps_lim; - -- /* initialize error relocations */ -- for (rc = 0; rc < HTTP_ERR_SIZE; rc++) -- chunk_dup(&curproxy->errmsg[rc], &defproxy.errmsg[rc]); -- - curproxy->to_log = defproxy.to_log & ~LW_COOKIE & ~LW_REQHDR & ~ LW_RSPHDR; - } - diff --git a/net/haproxy/patches/0044-BUG-MEDIUM-hpack-fix-encoding-of-accept-ranges-field.patch b/net/haproxy/patches/0044-BUG-MEDIUM-hpack-fix-encoding-of-accept-ranges-field.patch deleted file mode 100644 index e170b140c..000000000 --- a/net/haproxy/patches/0044-BUG-MEDIUM-hpack-fix-encoding-of-accept-ranges-field.patch +++ /dev/null @@ -1,32 +0,0 @@ -commit 64a7cbf4ea3276b72ffb121acab676542cebde1b -Author: Willy Tarreau <w@1wt.eu> -Date: Tue Nov 20 04:47:38 2018 +0100 - - BUG/MEDIUM: hpack: fix encoding of "accept-ranges" field - - James Brown reported that when an "accept-ranges" header field is sent - through haproxy and converted from HTTP/1.1 to H2, it's mis-encoded as - "accept-language". It happens that it's one of the few very common header - fields encoded using its index value and that this index value was misread - in the spec as 17 instead of 18, resulting in the wrong name being sent. - Thanks to Lukas for spotting the issue in the HPACK encoder itself. - - This fix must be backported to 1.8. - - (cherry picked from commit 4bf194cbdbcda8ec4ce83d7f12d2fe9b08483c94) - [wla: buffer API edit] - Signed-off-by: William Lallemand <wlallemand@haproxy.org> - -diff --git a/src/hpack-enc.c b/src/hpack-enc.c -index d1f68c58..99c73103 100644 ---- a/src/hpack-enc.c -+++ b/src/hpack-enc.c -@@ -101,7 +101,7 @@ int hpack_encode_header(struct chunk *out, const struct ist n, const struct ist - else if (isteq(n, ist("last-modified"))) - out->str[len++] = 0x6c; // literal with indexing -- name="last-modified" (idx 44) - else if (isteq(n, ist("accept-ranges"))) -- out->str[len++] = 0x51; // literal with indexing -- name="accept-ranges" (idx 17) -+ out->str[len++] = 0x52; // literal with indexing -- name="accept-ranges" (idx 18) - else if (isteq(n, ist("cache-control"))) - out->str[len++] = 0x58; // literal with indexing -- name="cache-control" (idx 24) - else if (isteq(n, ist("content-length"))) |