diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index e5d124b97..21a2d1260 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -9,17 +9,21 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=haproxy
-PKG_VERSION:=1.8.4
-PKG_RELEASE:=01
+PKG_VERSION:=1.8.9
+PKG_RELEASE:=00
 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.haproxy.org/download/1.8/src/
-PKG_HASH:=e305b0a4e7dec08072841eef6ac6dcd1b5586b1eff09c2d51e152a912e8884a6
+PKG_HASH:=436b77927cd85bcd4c2cb3cbf7fb539a5362d9686fdcfa34f37550ca1f5db102
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_LICENSE:=GPL-2.0
 MAINTAINER:=Thomas Heil
+ifneq ($(PKG_RELEASE),00)
+ BUILD_VERSION:=-patch$(PKG_RELEASE)
+endif
+
 include $(INCLUDE_DIR)/package.mk
 define Package/haproxy/Default
@@ -94,13 +98,6 @@ endef
 ENABLE_LUA:=y
 ENABLE_REGPARM:=n
-ifeq ($(CONFIG_mips),y)
- ENABLE_LUA:=n
-endif
-ifeq ($(CONFIG_mipsel),y)
- ENABLE_LUA:=n
-endif
-
 ifeq ($(CONFIG_TARGET_x86),y)
 ENABLE_REGPARM:=y
 endif
@@ -150,8 +147,9 @@ define Build/Compile
 SMALL_OPTS="-DBUFSIZE=16384 -DMAXREWRITE=1030 -DSYSTEM_MAXCONN=165530 " \
 USE_LINUX_TPROXY=1 USE_LINUX_SPLICE=1 USE_TFO=1 \
 USE_ZLIB=yes USE_PCRE=1 USE_PCRE_JIT=1 USE_GETADDRINFO=1 \
- VERSION="$(PKG_VERSION)-patch$(PKG_RELEASE)" \
+ VERSION="$(PKG_VERSION)$(BUILD_VERSION)" \
 $(ADDON) \
+ CFLAGS="$(TARGET_CFLAGS)" \
 LD="$(TARGET_CC)" \
 LDFLAGS="$(TARGET_LDFLAGS) -latomic" \
 IGNOREGIT=1
diff --git a/net/haproxy/get-latest-patches.sh b/net/haproxy/get-latest-patches.sh
new file mode 100755
index 000000000..98ce2c79b
--- /dev/null
+++ b/net/haproxy/get-latest-patches.sh
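Review bot: Lua is built on mips and mipsel again because the two `ifeq ($(CONFIG_mips),y)` / `ifeq ($(CONFIG_mipsel),y)` guards are dropped, but nothing in the hunk records why they existed or what makes 1.8.9 safe to build with Lua on those targets, so the next version bump cannot tell whether re-adding them is needed. A one-line comment above `ENABLE_LUA:=y` such as `# Lua is enabled on all targets; the mips/mipsel guards were dropped on purpose with the 1.8.9 bump` would keep that decision visible. If the `CFLAGS` change in the Build/Compile hunk is what made those builds work, that is worth saying in the same comment.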
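Review bot: `CFLAGS="$(TARGET_CFLAGS)"` is passed on the make command line, which makes it a command-line override in GNU make: haproxy's own Makefile can no longer set or append to CFLAGS, so whatever it normally folds into that variable (its optimisation level and, as far as I recall from the 1.8 series, `-fno-strict-aliasing`) is replaced rather than extended. That may be intended, but it is not obvious from the hunk, and a silently changed aliasing or optimisation setting is hard to spot later; please check the compile line in a build log and either include the flags haproxy needs in the value or document the override with a comment such as `# command-line CFLAGS replaces haproxy's defaults; TARGET_CFLAGS must carry everything the build needs`. The `Build/Compile` define starts before this hunk.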
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+CLONEURL=http://git.haproxy.org/git/haproxy-1.8.git
+BASE_TAG=v1.8.9
+TMP_REPODIR=tmprepo
+PATCHESDIR=patches
+
+if test -d "${TMP_REPODIR}"; then rm -rf "${TMP_REPODIR}"; fi
+
+git clone "${CLONEURL}" "${TMP_REPODIR}"
+
+printf "Cleaning patches\n"
+find ${PATCHESDIR} -type f -name "*.patch" -exec rm -f "{}" \;
+
+i=0
+for cid in $(git -C "${TMP_REPODIR}" rev-list ${BASE_TAG}..HEAD | tac); do
+ filename="$(printf "%04d" $i)-$(git -C "${TMP_REPODIR}" log --format=%s -n 1 $cid | sed -e"s/[()']//g" -e's/[^_a-zA-Z0-9+-]\+/-/g' -e's/-$//').patch"
+ printf "Creating $(unknown)\n"
+ git -C "${TMP_REPODIR}" show $cid > "${PATCHESDIR}/$filename"
+ git add "${PATCHESDIR}/$filename"
+ let i++
+done
+
+rm -rf "${TMP_REPODIR}"
+
+printf "finished\n"
+
diff --git a/net/haproxy/patches/0001-BUG-MEDIUM-ssl-Dont-always-treat-SSL_ERROR_SYSCALL-as-unrecovarable.patch b/net/haproxy/patches/0001-BUG-MEDIUM-ssl-Dont-always-treat-SSL_ERROR_SYSCALL-as-unrecovarable.patch
deleted file mode 100644
index 93b51dc40..000000000
--- a/net/haproxy/patches/0001-BUG-MEDIUM-ssl-Dont-always-treat-SSL_ERROR_SYSCALL-as-unrecovarable.patch
+++ /dev/null
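Review bot: The script has no `set -e`, so when the `git clone "${CLONEURL}"` line fails (the URL is plain `http://`, the clone is unauthenticated, and nothing checks its exit status) the `find ${PATCHESDIR} ... -exec rm -f` line still deletes every existing patch and the loop then produces nothing, leaving the package with no patches at all; `set -euo pipefail` at the top would stop at the failed clone. Under `set -e`, `let i++` would abort the loop on its first iteration because `let` returns 1 when the expression evaluates to 0, so use `i=$((i + 1))` instead. Because the loop walks `${BASE_TAG}..HEAD`, the patch set written into the tree depends on the moment the script is run; pinning the upper bound to a known commit or tag (and cloning over https where the server offers it) would make the generated patches reproducible and reviewable against a fixed ref. The `printf "Creating ..."` line expands a value into the format string instead of passing it as a `%s` argument, so a commit subject containing `%` would corrupt the message.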
@@ -1,61 +0,0 @@
-From 2fcd544272a5498ffa49544e9f06b51bc93e55d1 Mon Sep 17 00:00:00 2001
-From: Olivier Houchard
-Date: Tue, 13 Feb 2018 15:17:23 +0100
-Subject: [PATCH] BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as
- unrecovarable.
-
-Bart Geesink reported some random errors appearing under the form of
-termination flags SD in the logs for connections involving SSL traffic
-to reach the servers.
-
-Tomek Gacek and Mateusz Malek finally narrowed down the problem to commit
-c2aae74 ("MEDIUM: ssl: Handle early data with OpenSSL 1.1.1"). It happens
-that the special case of SSL_ERROR_SYSCALL isn't handled anymore since
-this commit.
-
-SSL_read() might return <= 0, and SSL_get_erro() return SSL_ERROR_SYSCALL,
-without meaning the connection is gone. Before flagging the connection
-as in error, check the errno value.
-
-This should be backported to 1.8.
-
-(cherry picked from commit 7e2e505006feb8f3b4a7f9e0ac5e89b5a8c4895e)
-Signed-off-by: Willy Tarreau
----
- src/ssl_sock.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index aecf3dd..f118724 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -5437,6 +5437,12 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- break;
- } else if (ret == SSL_ERROR_ZERO_RETURN)
- goto read0;
-+ /* For SSL_ERROR_SYSCALL, make sure the error is
-+ * unrecoverable before flagging the connection as
-+ * in error.
-+ */
-+ if (ret == SSL_ERROR_SYSCALL && (!errno || errno == EAGAIN))
-+ goto clear_ssl_error;
- /* otherwise it's a real error */
- goto out_error;
- }
-@@ -5451,11 +5457,12 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- conn_sock_read0(conn);
- goto leave;
- out_error:
-+ conn->flags |= CO_FL_ERROR;
-+clear_ssl_error:
- /* Clear openssl global errors stack */
- ssl_sock_dump_errors(conn);
- ERR_clear_error();
-
-- conn->flags |= CO_FL_ERROR;
- goto leave;
- }
-
---
-1.7.10.4
-
diff --git a/net/haproxy/patches/0002-BUG-MEDIUM-ssl-Shutdown-the-connection-for-reading-on-SSL_ERROR_SYSCALL.patch b/net/haproxy/patches/0002-BUG-MEDIUM-ssl-Shutdown-the-connection-for-reading-on-SSL_ERROR_SYSCALL.patch
deleted file mode 100644
index 22274d366..000000000
--- a/net/haproxy/patches/0002-BUG-MEDIUM-ssl-Shutdown-the-connection-for-reading-on-SSL_ERROR_SYSCALL.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From f7fa1d461aa71bbc8a6c23fdcfc305f2e52ce5dd Mon Sep 17 00:00:00 2001
-From: Christopher Faulet
-Date: Mon, 19 Feb 2018 14:25:15 +0100
-Subject: [PATCH] BUG/MEDIUM: ssl: Shutdown the connection for reading on
- SSL_ERROR_SYSCALL
-
-When SSL_read returns SSL_ERROR_SYSCALL and errno is unset or set to EAGAIN, the
-connection must be shut down for reading. Else, the connection loops infinitly,
-consuming all the CPU.
-
-The bug was introduced in the commit 7e2e50500 ("BUG/MEDIUM: ssl: Don't always
-treat SSL_ERROR_SYSCALL as unrecovarable."). This patch must be backported in
-1.8 too.
-
-(cherry picked from commit 4ac77a98cda3d0f9b1d9de7bbbda2c91357f0767)
-Signed-off-by: Willy Tarreau
----
- src/ssl_sock.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index f118724..a065bbb 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -5437,10 +5437,9 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- break;
- } else if (ret == SSL_ERROR_ZERO_RETURN)
- goto read0;
-- /* For SSL_ERROR_SYSCALL, make sure the error is
-- * unrecoverable before flagging the connection as
-- * in error.
-- */
-+ /* For SSL_ERROR_SYSCALL, make sure to clear the error
-+ * stack before shutting down the connection for
-+ * reading. */
- if (ret == SSL_ERROR_SYSCALL && (!errno || errno == EAGAIN))
- goto clear_ssl_error;
- /* otherwise it's a real error */
-@@ -5453,16 +5452,19 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- conn_cond_update_sock_polling(conn);
- return done;
-
-+ clear_ssl_error:
-+ /* Clear openssl global errors stack */
-+ ssl_sock_dump_errors(conn);
-+ ERR_clear_error();
- read0:
- conn_sock_read0(conn);
- goto leave;
-+
- out_error:
- conn->flags |= CO_FL_ERROR;
--clear_ssl_error:
- /* Clear openssl global errors stack */
- ssl_sock_dump_errors(conn);
- ERR_clear_error();
--
- goto leave;
- }
-
---
-1.7.10.4
-
diff --git a/net/haproxy/patches/0003-BUG-MEDIUM-http-Switch-the-HTTP-response-in-tunnel-mode-as-earlier-as-possible.patch b/net/haproxy/patches/0003-BUG-MEDIUM-http-Switch-the-HTTP-response-in-tunnel-mode-as-earlier-as-possible.patch
deleted file mode 100644
index 446a6107d..000000000
--- a/net/haproxy/patches/0003-BUG-MEDIUM-http-Switch-the-HTTP-response-in-tunnel-mode-as-earlier-as-possible.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 8a5949f2d74c3a3a6c6da25449992c312b183ef3 Mon Sep 17 00:00:00 2001
-From: Christopher Faulet
-Date: Fri, 2 Feb 2018 15:54:15 +0100
-Subject: [PATCH] BUG/MEDIUM: http: Switch the HTTP response in tunnel mode as
- earlier as possible
-
-When the body length is undefined (no Content-Length or Transfer-Encoding
-headers), The reponse remains in ending mode, waiting the request is done. So,
-most of time this is not a problem because the resquest is done before the
-response. But when a client sends data to a server that replies without waiting
-all the data, it is really not desirable to wait the end of the request to
-finish the response.
-
-This bug was introduced when the tunneling of the request and the reponse was
-refactored, in commit 4be980391 ("MINOR: http: Switch requests/responses in
-TUNNEL mode only by checking txn flag").
-
-This patch should be backported in 1.8 and 1.7.
-
-(cherry picked from commit fd04fcf5edb0a24cd29ce8f4d4dc2aa3a0e2e82c)
-Signed-off-by: Willy Tarreau
----
- src/proto_http.c | 15 +++++----------
- 1 file changed, 5 insertions(+), 10 deletions(-)
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 64bd410..29880ea 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -4634,16 +4634,8 @@ int http_sync_res_state(struct stream *s)
- * let's enforce it now that we're not expecting any new
- * data to come. The caller knows the stream is complete
- * once both states are CLOSED.
-- *
-- * However, there is an exception if the response length
-- * is undefined. In this case, we switch in TUNNEL mode.
- */
-- if (!(txn->rsp.flags & HTTP_MSGF_XFER_LEN)) {
-- channel_auto_read(chn);
-- txn->rsp.msg_state = HTTP_MSG_TUNNEL;
-- chn->flags |= CF_NEVER_WAIT;
-- }
-- else if (!(chn->flags & (CF_SHUTW|CF_SHUTW_NOW))) {
-+ if (!(chn->flags & (CF_SHUTW|CF_SHUTW_NOW))) {
- channel_shutr_now(chn);
- channel_shutw_now(chn);
- }
-@@ -6241,6 +6233,8 @@ http_msg_forward_body(struct stream *s, struct http_msg *msg)
- /* The server still sending data that should be filtered */
- if (!(chn->flags & CF_SHUTR) && HAS_DATA_FILTERS(s, chn))
- goto missing_data_or_waiting;
-+ msg->msg_state = HTTP_MSG_TUNNEL;
-+ goto ending;
- }
-
- msg->msg_state = HTTP_MSG_ENDING;
-@@ -6262,7 +6256,8 @@ http_msg_forward_body(struct stream *s, struct http_msg *msg)
- /* default_ret */ 1,
- /* on_error */ goto error,
- /* on_wait */ goto waiting);
-- msg->msg_state = HTTP_MSG_DONE;
-+ if (msg->msg_state == HTTP_MSG_ENDING)
-+ msg->msg_state = HTTP_MSG_DONE;
- return 1;
-
- missing_data_or_waiting:
---
-1.7.10.4
-
diff --git a/net/haproxy/patches/0004-BUG-MEDIUM-ssl-sample-ssl_bc_-fetch-keywords-are-broken.patch b/net/haproxy/patches/0004-BUG-MEDIUM-ssl-sample-ssl_bc_-fetch-keywords-are-broken.patch
deleted file mode 100644
index 11d2ef9c0..000000000
--- a/net/haproxy/patches/0004-BUG-MEDIUM-ssl-sample-ssl_bc_-fetch-keywords-are-broken.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 7ccf7c9791f2b2329f3940d1347618af3a77bebc Mon Sep 17 00:00:00 2001
-From: Emeric Brun
-Date: Mon, 19 Feb 2018 15:59:48 +0100
-Subject: [PATCH] BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken.
-
-Since the split between connections and conn-stream objects, this
-keywords are broken.
-
-This patch must be backported in 1.8
-
-(cherry picked from commit eb8def9f34c37537d56a69fcd211d4c4c8006bea)
-Signed-off-by: Willy Tarreau
----
- src/ssl_sock.c | 31 ++++++++++++++-----------------
- 1 file changed, 14 insertions(+), 17 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 4d0d5db..d832d76 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -6580,8 +6580,8 @@ smp_fetch_ssl_x_key_alg(const struct arg *args, struct sample *smp, const char *
- static int
- smp_fetch_ssl_fc(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
-- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
-- smp->strm ? smp->strm->si[1].end : NULL);
-+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
-
- smp->data.type = SMP_T_BOOL;
- smp->data.u.sint = (conn && conn->xprt == &ssl_sock);
-@@ -6625,8 +6625,8 @@ smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const ch
- static int
- smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
-- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
-- smp->strm ? smp->strm->si[1].end : NULL);
-+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
-
- smp->flags = 0;
- if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
-@@ -6651,9 +6651,8 @@ smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *
- static int
- smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
-- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
-- smp->strm ? smp->strm->si[1].end : NULL);
--
-+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- int sint;
-
- smp->flags = 0;
-@@ -6676,8 +6675,8 @@ smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const c
- static int
- smp_fetch_ssl_fc_use_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
-- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
-- smp->strm ? smp->strm->si[1].end : NULL);
-+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
-
- smp->flags = 0;
- if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
-@@ -6747,8 +6746,8 @@ smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw
- static int
- smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
-- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
-- smp->strm ? smp->strm->si[1].end : NULL);
-+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
-
- smp->flags = 0;
- if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
-@@ -6773,9 +6772,8 @@ static int
- smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
- #if OPENSSL_VERSION_NUMBER > 0x0090800fL
-- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
-- smp->strm ? smp->strm->si[1].end : NULL);
--
-+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- SSL_SESSION *ssl_sess;
-
- smp->flags = SMP_F_CONST;
-@@ -6917,9 +6915,8 @@ static int
- smp_fetch_ssl_fc_unique_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
- #if OPENSSL_VERSION_NUMBER > 0x0090800fL
-- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
-- smp->strm ? smp->strm->si[1].end : NULL);
--
-+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- int finished_len;
- struct chunk *finished_trash;
-
---
-1.7.10.4
-