Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

haproxy: Update HAProxy to v1.8.15

Browse source 
- Update haproxy download URL and hash
- Removed all obsolete patches

Signed-off-by: Christian Lachner <gladiac@gmail.com>
This commit is contained in:
Christian Lachner 2018-12-13 10:59:51 +01:00
parent 5c823596dd
commit a854729155
48 changed files with 10 additions and 2592 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
net/haproxy/Makefile
View file

@ -10,12 +10,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=haproxy
PKG_VERSION:=1.8.14
PKG_RELEASE:=5
PKG_VERSION:=1.8.15
PKG_RELEASE:=1
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://www.haproxy.org/download/1.8/src/
PKG_HASH:=b17e402578be85e58af7a3eac99b1f675953bea9f67af2e964cf8bdbd1bd3fdf
PKG_HASH:=7113862f1146d7de8b8e64f45826ab3533c7f7f7b7767e24c08f7c762202a032
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
PKG_LICENSE:=GPL-2.0

2
net/haproxy/get-latest-patches.sh
View file

@ -1,7 +1,7 @@
#!/bin/bash
CLONEURL=http://git.haproxy.org/git/haproxy-1.8.git
BASE_TAG=v1.8.14
BASE_TAG=v1.8.15
TMP_REPODIR=tmprepo
PATCHESDIR=patches

38
net/haproxy/patches/0000-MINOR-threads-Make-sure-threads_sync_pipe-is-initialized-before-using-it.patch
View file

@ -1,38 +0,0 @@
commit 14844e448b637fea2770bcb03a43a010c4c8176d
Author: Olivier Houchard <ohouchard@haproxy.com>
Date: Thu Sep 27 14:55:34 2018 +0200
MINOR: threads: Make sure threads_sync_pipe is initialized before using it.
thread_want_sync() might be called before thread_sync_init() was called,
at least when reading the server state file, as apply_server_state() is called
before thread_sync_init(). So make sure the threads_sync_pipe was initialized
before writing to it, if it was not, there's no thread, so no need to sync
anything anyway, and if we don't check it we'll end up writing a 'S' on
stdin.
this only applies to 1.8.
diff --git a/src/hathreads.c b/src/hathreads.c
index 97ed31c5..9dba4356 100644
--- a/src/hathreads.c
+++ b/src/hathreads.c
@@ -28,7 +28,7 @@ void thread_sync_io_handler(int fd)
#ifdef USE_THREAD
static HA_SPINLOCK_T sync_lock;
-static int threads_sync_pipe[2];
+static int threads_sync_pipe[2] = {-1, -1};
static unsigned long threads_want_sync = 0;
volatile unsigned long threads_want_rdv_mask = 0;
volatile unsigned long threads_harmless_mask = 0;
@@ -76,7 +76,8 @@ void thread_want_sync()
if (all_threads_mask & (all_threads_mask - 1)) {
if (threads_want_sync & tid_bit)
return;
- if (HA_ATOMIC_OR(&threads_want_sync, tid_bit) == tid_bit)
+ if (HA_ATOMIC_OR(&threads_want_sync, tid_bit) == tid_bit &&
+ threads_sync_pipe[1] != -1)
shut_your_big_mouth_gcc(write(threads_sync_pipe[1], "S", 1));
}
else {

39
net/haproxy/patches/0001-DOC-clarify-force-private-cache-is-an-option.patch
View file

@ -1,39 +0,0 @@
commit 18aff2297ce844362f28ea5317c289ba154bd33d
Author: Lukas Tribus <lukas@ltri.eu>
Date: Mon Oct 1 02:00:16 2018 +0200
DOC: clarify force-private-cache is an option
"boolean" may confuse users into thinking they need to provide
additional arguments, like false or true. This is a simple option
like many others, so lets not confuse the users with internals.
Also fixes an additional typo.
Should be backported to 1.8 and 1.7.
(cherry picked from commit 2793578eaf934bbf28f742a35f3a1ae656280324)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/doc/configuration.txt b/doc/configuration.txt
index c69033b1..580194ec 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -1651,7 +1651,7 @@ tune.ssl.cachesize <number>
this value to 0 disables the SSL session cache.
tune.ssl.force-private-cache
- This boolean disables SSL session cache sharing between all processes. It
+ This option disables SSL session cache sharing between all processes. It
should normally not be used since it will force many renegotiations due to
clients hitting a random process. But it may be required on some operating
systems where none of the SSL cache synchronization method may be used. In
@@ -6535,7 +6535,7 @@ option smtpchk <hello> <domain>
yes | no | yes | yes
Arguments :
<hello> is an optional argument. It is the "hello" command to use. It can
- be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
+ be either "HELO" (for SMTP) or "EHLO" (for ESMTP). All other
values will be turned into the default command ("HELO").
<domain> is the domain name to present to the server. It may only be

47
net/haproxy/patches/0002-BUG-MINOR-connection-avoid-null-pointer-dereference-in-send-proxy-v2.patch
View file

@ -1,47 +0,0 @@
commit f6d20e718131aa2b468ff0a6c42e20c0b900e58b
Author: Ilya Shipitsin <chipitsine@gmail.com>
Date: Sat Sep 15 00:50:05 2018 +0500
BUG/MINOR: connection: avoid null pointer dereference in send-proxy-v2
found by coverity.
[wt: this bug was introduced by commit 404d978 ("MINOR: add ALPN
information to send-proxy-v2"). It might be triggered by a health
check on a server using ppv2 or by an applet making use of such a
server, if at all configurable].
This needs to be backported to 1.8.
(cherry picked from commit ca56fce8bd271928b18d38b439bd35bd273fe8d4)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/connection.c b/src/connection.c
index 8c5af156..7403e8ae 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -874,6 +874,7 @@ int conn_recv_netscaler_cip(struct connection *conn, int flag)
return 0;
}
+/* Note: <remote> is explicitly allowed to be NULL */
int make_proxy_line(char *buf, int buf_len, struct server *srv, struct connection *remote)
{
int ret = 0;
@@ -985,6 +986,7 @@ static int make_tlv(char *dest, int dest_len, char type, uint16_t length, const
return length + sizeof(*tlv);
}
+/* Note: <remote> is explicitly allowed to be NULL */
int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connection *remote)
{
const char pp2_signature[] = PP2_SIGNATURE;
@@ -1060,7 +1062,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
}
}
- if (conn_get_alpn(remote, &value, &value_len)) {
+ if (remote && conn_get_alpn(remote, &value, &value_len)) {
if ((buf_len - ret) < sizeof(struct tlv))
return 0;
ret += make_tlv(&buf[ret], (buf_len - ret), PP2_TYPE_ALPN, value_len, value);

43
net/haproxy/patches/0003-BUG-MINOR-backend-check-that-the-mux-installed-properly.patch
View file

@ -1,43 +0,0 @@
commit e725a7f9bfd8b7fe2e74c62c7c6bf2b9ebf83772
Author: Willy Tarreau <w@1wt.eu>
Date: Wed Oct 3 10:20:19 2018 +0200
BUG/MINOR: backend: check that the mux installed properly
The return value from conn_install_mux() was not checked, so if an
inconsistency happens in the code, or a memory allocation fails while
initializing the mux, we can crash while using an uninitialized mux.
In practice the code inconsistency does not really happen since we
cannot configure such a situation, except during development, but
the out of memory condition could definitely happen.
This should be backported to 1.8 (the code is a bit different there,
there are two calls to conn_install_mux()).
(cherry picked from commit 33dd4ef81245bb868b22f99b9be45d0791131eec)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/backend.c b/src/backend.c
index 2b6167dc..fc1eac0d 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -1163,7 +1163,8 @@ int connect_server(struct stream *s)
if (srv) {
conn_prepare(srv_conn, protocol_by_family(srv_conn->addr.to.ss_family), srv->xprt);
/* XXX: Pick the right mux, when we finally have one */
- conn_install_mux(srv_conn, &mux_pt_ops, srv_cs);
+ if (conn_install_mux(srv_conn, &mux_pt_ops, srv_cs) < 0)
+ return SF_ERR_INTERNAL;
}
else if (obj_type(s->target) == OBJ_TYPE_PROXY) {
/* proxies exclusively run on raw_sock right now */
@@ -1171,7 +1172,8 @@ int connect_server(struct stream *s)
if (!objt_cs(s->si[1].end) || !objt_cs(s->si[1].end)->conn->ctrl)
return SF_ERR_INTERNAL;
/* XXX: Pick the right mux, when we finally have one */
- conn_install_mux(srv_conn, &mux_pt_ops, srv_cs);
+ if (conn_install_mux(srv_conn, &mux_pt_ops, srv_cs) < 0)
+ return SF_ERR_INTERNAL;
}
else
return SF_ERR_INTERNAL; /* how did we get there ? */

40
net/haproxy/patches/0004-BUG-MEDIUM-buffers-Make-sure-we-dont-wrap-in-buffer_insert_line2-replace2.patch
View file

@ -1,40 +0,0 @@
commit 45e9f3c660c872e93588cf1c0b74c192f2c8c3d5
Author: Olivier Houchard <ohouchard@haproxy.com>
Date: Wed Sep 26 15:09:58 2018 +0200
BUG/MEDIUM: buffers: Make sure we don't wrap in buffer_insert_line2/replace2.
In buffer_insert_line2() and buffer_replace2(), we can't afford to wrap,
so don't use b_tail to check if we do, directly use b->p + b->i instead.
This should be backported to previous versions.
(cherry picked from commit 363c745569b6ffd8f095d2b7758131d08aa27219)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
[cf: This patch was adapted and its commit message too. Because of the
refactoring of the buffer's API in 1.9, the original patch fixes same bug in
ci_insert_line2/b_rep_blk.]
diff --git a/src/buffer.c b/src/buffer.c
index 167b75ae..6ad38a02 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -107,7 +107,7 @@ int buffer_replace2(struct buffer *b, char *pos, char *end, const char *str, int
delta = len - (end - pos);
- if (bi_end(b) + delta > b->data + b->size)
+ if (b->p + b->i + delta > b->data + b->size)
return 0; /* no space left */
if (buffer_not_empty(b) &&
@@ -146,7 +146,7 @@ int buffer_insert_line2(struct buffer *b, char *pos, const char *str, int len)
delta = len + 2;
- if (bi_end(b) + delta >= b->data + b->size)
+ if (b->p + b->i + delta >= b->data + b->size)
return 0; /* no space left */
if (buffer_not_empty(b) &&

473
net/haproxy/patches/0005-MEDIUM-ssl-add-support-for-ciphersuites-option-for-TLSv1-3.patch
View file

@ -1,473 +0,0 @@
commit 4be76416751aa22992a44f2f5cfdba506809fd89
Author: Dirkjan Bussink <d.bussink@gmail.com>
Date: Fri Sep 14 11:14:21 2018 +0200
MEDIUM: ssl: add support for ciphersuites option for TLSv1.3
OpenSSL released support for TLSv1.3. It also added a separate function
SSL_CTX_set_ciphersuites that is used to set the ciphers used in the
TLS 1.3 handshake. This change adds support for that new configuration
option by adding a ciphersuites configuration variable that works
essentially the same as the existing ciphers setting.
Note that it should likely be backported to 1.8 in order to ease usage
of the now released openssl-1.1.1.
(cherry picked from commit 415150f7640b06740fa832363d186c5c6565338e)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 580194ec..7a268386 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -580,8 +580,10 @@ The following keywords are supported in the "global" section :
- setenv
- stats
- ssl-default-bind-ciphers
+ - ssl-default-bind-ciphersuites
- ssl-default-bind-options
- ssl-default-server-ciphers
+ - ssl-default-server-ciphersuites
- ssl-default-server-options
- ssl-dh-param-file
- ssl-server-verify
@@ -984,11 +986,25 @@ setenv <name> <value>
ssl-default-bind-ciphers <ciphers>
This setting is only available when support for OpenSSL was built in. It sets
the default string describing the list of cipher algorithms ("cipher suite")
- that are negotiated during the SSL/TLS handshake for all "bind" lines which
- do not explicitly define theirs. The format of the string is defined in
- "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such
- as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
- "bind" keyword for more information.
+ that are negotiated during the SSL/TLS handshake except for TLSv1.3 for all
+ "bind" lines which do not explicitly define theirs. The format of the string
+ is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance
+ a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). For
+ TLSv1.3 cipher configuration, please check the "ssl-default-bind-ciphersuites"
+ keyword. Please check the "bind" keyword for more information.
+
+ssl-default-bind-ciphersuites <ciphersuites>
+ This setting is only available when support for OpenSSL was built in and
+ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string
+ describing the list of cipher algorithms ("cipher suite") that are negotiated
+ during the TLSv1.3 handshake for all "bind" lines which do not explicitly define
+ theirs. The format of the string is defined in
+ "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites", and can
+ be for instance a string such as
+ "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+ (without quotes). For cipher configuration for TLSv1.2 and earlier, please check
+ the "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
+ information.
ssl-default-bind-options [<option>]...
This setting is only available when support for OpenSSL was built in. It sets
@@ -1002,10 +1018,21 @@ ssl-default-bind-options [<option>]...
ssl-default-server-ciphers <ciphers>
This setting is only available when support for OpenSSL was built in. It
sets the default string describing the list of cipher algorithms that are
- negotiated during the SSL/TLS handshake with the server, for all "server"
- lines which do not explicitly define theirs. The format of the string is
- defined in "man 1 ciphers". Please check the "server" keyword for more
- information.
+ negotiated during the SSL/TLS handshake except for TLSv1.3 with the server,
+ for all "server" lines which do not explicitly define theirs. The format of
+ the string is defined in "man 1 ciphers". For TLSv1.3 cipher configuration,
+ please check the "ssl-default-server-ciphersuites" keyword. Please check the
+ "server" keyword for more information.
+
+ssl-default-server-ciphersuites <ciphersuites>
+ This setting is only available when support for OpenSSL was built in and
+ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default
+ string describing the list of cipher algorithms that are negotiated during
+ the TLSv1.3 handshake with the server, for all "server" lines which do not
+ explicitly define theirs. The format of the string is defined in
+ "man 1 ciphers" under the "ciphersuites" section. For cipher configuration for
+ TLSv1.2 and earlier, please check the "ssl-default-server-ciphers" keyword.
+ Please check the "server" keyword for more information.
ssl-default-server-options [<option>]...
This setting is only available when support for OpenSSL was built in. It sets
@@ -10510,13 +10537,26 @@ ca-sign-pass <passphrase>
ciphers <ciphers>
This setting is only available when support for OpenSSL was built in. It sets
the string describing the list of cipher algorithms ("cipher suite") that are
- negotiated during the SSL/TLS handshake. The format of the string is defined
- in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string
- such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes).
- Depending on the compatibility and security requirements, the list of suitable
- ciphers depends on a variety of variables. For background information and
- recommendations see e. g. (https://wiki.mozilla.org/Security/Server_Side_TLS)
- and (https://mozilla.github.io/server-side-tls/ssl-config-generator/).
+ negotiated during the SSL/TLS handshake except for TLSv1.3. The format of the
+ string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for
+ instance a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without
+ quotes). Depending on the compatibility and security requirements, the list
+ of suitable ciphers depends on a variety of variables. For background
+ information and recommendations see e.g.
+ (https://wiki.mozilla.org/Security/Server_Side_TLS) and
+ (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
+ cipher configuration, please check the "ciphersuites" keyword.
+
+ciphersuites <ciphersuites>
+ This setting is only available when support for OpenSSL was built in and
+ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the string describing
+ the list of cipher algorithms ("cipher suite") that are negotiated during the
+ TLSv1.3 handshake. The format of the string is defined in "man 1 ciphers" from
+ OpenSSL man pages under the "ciphersuites" section, and can be for instance a
+ string such as
+ "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
+ (without quotes). For cipher configuration for TLSv1.2 and earlier, please check
+ the "ciphers" keyword.
crl-file <crlfile>
This setting is only available when support for OpenSSL was built in. It
@@ -11226,8 +11266,9 @@ check-ssl
this option.
ciphers <ciphers>
- This option sets the string describing the list of cipher algorithms that is
- is negotiated during the SSL/TLS handshake with the server. The format of the
+ This setting is only available when support for OpenSSL was built in. This
+ option sets the string describing the list of cipher algorithms that is
+ negotiated during the SSL/TLS handshake with the server. The format of the
string is defined in "man 1 ciphers". When SSL is used to communicate with
servers on the local network, it is common to see a weaker set of algorithms
than what is used over the internet. Doing so reduces CPU usage on both the
@@ -11235,6 +11276,13 @@ ciphers <ciphers>
Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
is needed and just connectivity, using DES can be appropriate.
+ciphersuites <ciphersuites>
+ This setting is only available when support for OpenSSL was built in and
+ OpenSSL 1.1.1 or later was used to build HAProxy. This option sets the string
+ describing the list of cipher algorithms that is negotiated during the TLS
+ 1.3 handshake with the server. The format of the string is defined in
+ "man 1 ciphers" under the "ciphersuites" section.
+
cookie <value>
The "cookie" parameter sets the cookie value assigned to the server to
<value>. This value will be checked in incoming requests, and the first
diff --git a/include/common/defaults.h b/include/common/defaults.h
index f53c611e..a45ab0da 100644
--- a/include/common/defaults.h
+++ b/include/common/defaults.h
@@ -234,11 +234,21 @@
#define CONNECT_DEFAULT_CIPHERS NULL
#endif
+/* ciphers used as defaults on TLS 1.3 connect */
+#ifndef CONNECT_DEFAULT_CIPHERSUITES
+#define CONNECT_DEFAULT_CIPHERSUITES NULL
+#endif
+
/* ciphers used as defaults on listeners */
#ifndef LISTEN_DEFAULT_CIPHERS
#define LISTEN_DEFAULT_CIPHERS NULL
#endif
+/* cipher suites used as defaults on TLS 1.3 listeners */
+#ifndef LISTEN_DEFAULT_CIPHERSUITES
+#define LISTEN_DEFAULT_CIPHERSUITES NULL
+#endif
+
/* named curve used as defaults for ECDHE ciphers */
#ifndef ECDHE_DEFAULT_CURVE
#define ECDHE_DEFAULT_CURVE "prime256v1"
diff --git a/include/types/listener.h b/include/types/listener.h
index c55569cd..ea2eadb5 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -128,6 +128,9 @@ struct ssl_bind_conf {
char *ca_file; /* CAfile to use on verify */
char *crl_file; /* CRLfile to use on verify */
char *ciphers; /* cipher suite to use if non-null */
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ char *ciphersuites; /* TLS 1.3 cipher suite to use if non-null */
+#endif
char *curves; /* curves suite to use for ECDHE */
char *ecdhe; /* named curve to use for ECDHE */
struct tls_version_filter ssl_methods; /* ssl methods */
diff --git a/include/types/server.h b/include/types/server.h
index fd3c8bad..79ae7b72 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -281,6 +281,9 @@ struct server {
int allocated_size;
} * reused_sess;
char *ciphers; /* cipher suite to use if non-null */
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ char *ciphersuites; /* TLS 1.3 cipher suite to use if non-null */
+#endif
int options; /* ssl options */
int verify; /* verify method (set of SSL_VERIFY_* flags) */
struct tls_version_filter methods; /* ssl methods */
diff --git a/src/server.c b/src/server.c
index 842e4149..4941bd03 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1380,6 +1380,10 @@ static void srv_ssl_settings_cpy(struct server *srv, struct server *src)
srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host);
if (src->ssl_ctx.ciphers != NULL)
srv->ssl_ctx.ciphers = strdup(src->ssl_ctx.ciphers);
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ if (src->ssl_ctx.ciphersuites != NULL)
+ srv->ssl_ctx.ciphersuites = strdup(src->ssl_ctx.ciphersuites);
+#endif
if (src->sni_expr != NULL)
srv->sni_expr = strdup(src->sni_expr);
}
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 08fdffab..2da0df68 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -169,6 +169,10 @@ static struct {
char *listen_default_ciphers;
char *connect_default_ciphers;
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ char *listen_default_ciphersuites;
+ char *connect_default_ciphersuites;
+#endif
int listen_default_ssloptions;
int connect_default_ssloptions;
struct tls_version_filter listen_default_sslmethods;
@@ -186,6 +190,14 @@ static struct {
#endif
#ifdef CONNECT_DEFAULT_CIPHERS
.connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
+#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+#ifdef LISTEN_DEFAULT_CIPHERSUITES
+ .listen_default_ciphersuites = LISTEN_DEFAULT_CIPHERSUITES,
+#endif
+#ifdef CONNECT_DEFAULT_CIPHERSUITES
+ .connect_default_ciphersuites = CONNECT_DEFAULT_CIPHERSUITES,
+#endif
#endif
.listen_default_ssloptions = BC_SSL_O_NONE,
.connect_default_ssloptions = SRV_SSL_O_NONE,
@@ -3528,6 +3540,10 @@ void ssl_sock_free_ssl_conf(struct ssl_bind_conf *conf)
conf->crl_file = NULL;
free(conf->ciphers);
conf->ciphers = NULL;
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ free(conf->ciphersuites);
+ conf->ciphersuites = NULL;
+#endif
free(conf->curves);
conf->curves = NULL;
free(conf->ecdhe);
@@ -4061,6 +4077,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
int verify = SSL_VERIFY_NONE;
struct ssl_bind_conf __maybe_unused *ssl_conf_cur;
const char *conf_ciphers;
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ const char *conf_ciphersuites;
+#endif
const char *conf_curves = NULL;
if (ssl_conf) {
@@ -4160,6 +4179,16 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
cfgerr++;
}
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites;
+ if (conf_ciphersuites &&
+ !SSL_CTX_set_ciphersuites(ctx, conf_ciphersuites)) {
+ ha_alert("Proxy '%s': unable to set TLS 1.3 cipher suites to '%s' for bind '%s' at [%s:%d].\n",
+ curproxy->id, conf_ciphersuites, bind_conf->arg, bind_conf->file, bind_conf->line);
+ cfgerr++;
+ }
+#endif
+
#ifndef OPENSSL_NO_DH
/* If tune.ssl.default-dh-param has not been set,
neither has ssl-default-dh-file and no static DH
@@ -4642,6 +4671,16 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
cfgerr++;
}
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ if (srv->ssl_ctx.ciphersuites &&
+ !SSL_CTX_set_cipher_list(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphersuites)) {
+ ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS 1.3 cipher suites to '%s'.\n",
+ curproxy->id, srv->id,
+ srv->conf.file, srv->conf.line, srv->ssl_ctx.ciphersuites);
+ cfgerr++;
+ }
+#endif
+
return cfgerr;
}
@@ -7101,6 +7140,26 @@ static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct
{
return ssl_bind_parse_ciphers(args, cur_arg, px, &conf->ssl_conf, err);
}
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+/* parse the "ciphersuites" bind keyword */
+static int ssl_bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
+{
+ if (!*args[cur_arg + 1]) {
+ memprintf(err, "'%s' : missing cipher suite", args[cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+ }
+
+ free(conf->ciphersuites);
+ conf->ciphersuites = strdup(args[cur_arg + 1]);
+ return 0;
+}
+static int bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ return ssl_bind_parse_ciphersuites(args, cur_arg, px, &conf->ssl_conf, err);
+}
+#endif
+
/* parse the "crt" bind keyword */
static int bind_parse_crt(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
@@ -7492,6 +7551,10 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ if (global_ssl.listen_default_ciphersuites && !conf->ssl_conf.ciphersuites)
+ conf->ssl_conf.ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
+#endif
conf->ssl_options |= global_ssl.listen_default_ssloptions;
conf->ssl_conf.ssl_methods.flags |= global_ssl.listen_default_sslmethods.flags;
if (!conf->ssl_conf.ssl_methods.min)
@@ -7689,6 +7752,10 @@ static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, stru
newsrv->check.use_ssl = 1;
if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites)
+ newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
+#endif
newsrv->ssl_ctx.options |= global_ssl.connect_default_ssloptions;
newsrv->ssl_ctx.methods.flags |= global_ssl.connect_default_sslmethods.flags;
if (!newsrv->ssl_ctx.methods.min)
@@ -7712,6 +7779,21 @@ static int srv_parse_ciphers(char **args, int *cur_arg, struct proxy *px, struct
return 0;
}
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+/* parse the "ciphersuites" server keyword */
+static int srv_parse_ciphersuites(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+{
+ if (!*args[*cur_arg + 1]) {
+ memprintf(err, "'%s' : missing cipher suite", args[*cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+ }
+
+ free(newsrv->ssl_ctx.ciphersuites);
+ newsrv->ssl_ctx.ciphersuites = strdup(args[*cur_arg + 1]);
+ return 0;
+}
+#endif
+
/* parse the "crl-file" server keyword */
static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
{
@@ -7853,6 +7935,10 @@ static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct ser
newsrv->use_ssl = 1;
if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites)
+ newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
+#endif
return 0;
}
@@ -8092,6 +8178,32 @@ static int ssl_parse_global_ciphers(char **args, int section_type, struct proxy
return 0;
}
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+/* parse the "ssl-default-bind-ciphersuites" / "ssl-default-server-ciphersuites" keywords
+ * in global section. Returns <0 on alert, >0 on warning, 0 on success.
+ */
+static int ssl_parse_global_ciphersuites(char **args, int section_type, struct proxy *curpx,
+ struct proxy *defpx, const char *file, int line,
+ char **err)
+{
+ char **target;
+
+ target = (args[0][12] == 'b') ? &global_ssl.listen_default_ciphersuites : &global_ssl.connect_default_ciphersuites;
+
+ if (too_many_args(1, args, err, NULL))
+ return -1;
+
+ if (*(args[1]) == 0) {
+ memprintf(err, "global statement '%s' expects a cipher suite as an argument.", args[0]);
+ return -1;
+ }
+
+ free(*target);
+ *target = strdup(args[1]);
+ return 0;
+}
+#endif
+
/* parse various global tune.ssl settings consisting in positive integers.
* Returns <0 on alert, >0 on warning, 0 on success.
*/
@@ -8599,6 +8711,9 @@ static struct ssl_bind_kw ssl_bind_kws[] = {
{ "alpn", ssl_bind_parse_alpn, 1 }, /* set ALPN supported protocols */
{ "ca-file", ssl_bind_parse_ca_file, 1 }, /* set CAfile to process verify on client cert */
{ "ciphers", ssl_bind_parse_ciphers, 1 }, /* set SSL cipher suite */
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ { "ciphersuites", ssl_bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
+#endif
{ "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
{ "curves", ssl_bind_parse_curves, 1 }, /* set SSL curve suite */
{ "ecdhe", ssl_bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
@@ -8618,6 +8733,9 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
{ "ca-sign-file", bind_parse_ca_sign_file, 1 }, /* set CAFile used to generate and sign server certs */
{ "ca-sign-pass", bind_parse_ca_sign_pass, 1 }, /* set CAKey passphrase */
{ "ciphers", bind_parse_ciphers, 1 }, /* set SSL cipher suite */
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ { "ciphersuites", bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
+#endif
{ "crl-file", bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
{ "crt", bind_parse_crt, 1 }, /* load SSL certificates from this location */
{ "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */
@@ -8661,6 +8779,9 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
{ "check-sni", srv_parse_check_sni, 1, 1 }, /* set SNI */
{ "check-ssl", srv_parse_check_ssl, 0, 1 }, /* enable SSL for health checks */
{ "ciphers", srv_parse_ciphers, 1, 1 }, /* select the cipher suite */
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ { "ciphersuites", srv_parse_ciphersuites, 1, 1 }, /* select the cipher suite */
+#endif
{ "crl-file", srv_parse_crl_file, 1, 1 }, /* set certificate revocation list file use on server cert verify */
{ "crt", srv_parse_crt, 1, 1 }, /* set client certificate */
{ "force-sslv3", srv_parse_tls_method_options, 0, 1 }, /* force SSLv3 */
@@ -8716,6 +8837,10 @@ static struct cfg_kw_list cfg_kws = {ILH, {
{ CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist },
{ CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
{ CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ { CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites },
+ { CFG_GLOBAL, "ssl-default-server-ciphersuites", ssl_parse_global_ciphersuites },
+#endif
{ 0, NULL, NULL },
}};
@@ -8793,6 +8918,12 @@ static void __ssl_sock_init(void)
global_ssl.listen_default_ciphers = strdup(global_ssl.listen_default_ciphers);
if (global_ssl.connect_default_ciphers)
global_ssl.connect_default_ciphers = strdup(global_ssl.connect_default_ciphers);
+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+ if (global_ssl.listen_default_ciphersuites)
+ global_ssl.listen_default_ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
+ if (global_ssl.connect_default_ciphersuites)
+ global_ssl.connect_default_ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
+#endif
xprt_register(XPRT_SSL, &ssl_sock);
SSL_library_init();

62
net/haproxy/patches/0006-BUG-MEDIUM-Cur-CumSslConns-counters-not-threadsafe.patch
View file

@ -1,62 +0,0 @@
commit 30ba96df349ace825749a57490defeb50001a550
Author: Emeric Brun <ebrun@haproxy.com>
Date: Wed Oct 10 14:51:02 2018 +0200
BUG/MEDIUM: Cur/CumSslConns counters not threadsafe.
CurSslConns inc/dec operations are not threadsafe. The unsigned CurSslConns
counter can wrap to a negative value. So we could notice connection rejects
because of MaxSslConns limit artificially exceeded.
CumSslConns inc operation are also not threadsafe so we could miss
some connections and show inconsistenties values compared to CumConns.
This fix should be backported to v1.8.
(cherry picked from commit 7ad43e7928c9a61b40332e4d5e9a7ccc33e6b65b)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2da0df68..6eed8022 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -491,7 +491,7 @@ static void ssl_async_fd_free(int fd)
/* Now we can safely call SSL_free, no more pending job in engines */
SSL_free(ssl);
- sslconns--;
+ HA_ATOMIC_SUB(&sslconns, 1);
HA_ATOMIC_SUB(&jobs, 1);
}
/*
@@ -5011,8 +5011,8 @@ static int ssl_sock_init(struct connection *conn)
/* leave init state and start handshake */
conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
- sslconns++;
- totalsslconns++;
+ HA_ATOMIC_ADD(&sslconns, 1);
+ HA_ATOMIC_ADD(&totalsslconns, 1);
return 0;
}
else if (objt_listener(conn->target)) {
@@ -5062,8 +5062,8 @@ static int ssl_sock_init(struct connection *conn)
conn->flags |= CO_FL_EARLY_SSL_HS;
#endif
- sslconns++;
- totalsslconns++;
+ HA_ATOMIC_ADD(&sslconns, 1);
+ HA_ATOMIC_ADD(&totalsslconns, 1);
return 0;
}
/* don't know how to handle such a target */
@@ -5713,7 +5713,7 @@ static void ssl_sock_close(struct connection *conn) {
#endif
SSL_free(conn->xprt_ctx);
conn->xprt_ctx = NULL;
- sslconns--;
+ HA_ATOMIC_SUB(&sslconns, 1);
}
}

33
net/haproxy/patches/0007-BUG-MINOR-checks-queues-null-deref.patch
View file

@ -1,33 +0,0 @@
commit 8a6c4ff3f407b916bc08da4e76ed7813768ac937
Author: mildis <me@mildis.org>
Date: Tue Oct 2 16:46:34 2018 +0200
BUG/MINOR: checks: queues null-deref
queues can be null if calloc() failed.
Bypass free* calls when calloc did fail.
(cherry picked from commit 5ab01cb01114065a3573570a48e84815e751bf14)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/checks.c b/src/checks.c
index 098ddecf..74958b2d 100644
--- a/src/checks.c
+++ b/src/checks.c
@@ -3182,7 +3182,7 @@ int init_email_alert(struct mailers *mls, struct proxy *p, char **err)
if ((queues = calloc(mls->count, sizeof(*queues))) == NULL) {
memprintf(err, "out of memory while allocating mailer alerts queues");
- goto error;
+ goto fail_no_queue;
}
for (mailer = mls->mailer_list; mailer; i++, mailer = mailer->next) {
@@ -3239,6 +3239,7 @@ int init_email_alert(struct mailers *mls, struct proxy *p, char **err)
free_check(check);
}
free(queues);
+ fail_no_queue:
return 1;
}

52
net/haproxy/patches/0008-BUG-MEDIUM-mworker-segfault-receiving-SIGUSR1-followed-by-SIGTERM.patch
View file

@ -1,52 +0,0 @@
commit df4822ea169adc5c7c987fa077438f0ded1ac39b
Author: Emeric Brun <ebrun@haproxy.com>
Date: Thu Oct 11 15:27:07 2018 +0200
BUG/MEDIUM: mworker: segfault receiving SIGUSR1 followed by SIGTERM.
This bug appeared only if nbthread > 1. Handling the pipe with the
master, multiple threads of the same worker could process the deinit().
In addition, deinit() was called while some other threads were still
performing some tasks.
This patch assign the handler of the pipe with master to only the first
thread and removes the call to deinit() before exiting with an error.
This patch should be backported in v1.8.
(cherry picked from commit c8c0ed91cb4436491efd2ce2c4b4b1694aeeccca)
[wt: adjusted context]
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/haproxy.c b/src/haproxy.c
index e0186ff9..1959dd0f 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -2349,7 +2349,13 @@ void mworker_pipe_handler(int fd)
break;
}
- deinit();
+ /* At this step the master is down before
+ * this worker perform a 'normal' exit.
+ * So we want to exit with an error but
+ * other threads could currently process
+ * some stuff so we can't perform a clean
+ * deinit().
+ */
exit(EXIT_FAILURE);
return;
}
@@ -2364,7 +2370,10 @@ void mworker_pipe_register()
fcntl(mworker_pipe[0], F_SETFL, O_NONBLOCK);
fdtab[mworker_pipe[0]].owner = mworker_pipe;
fdtab[mworker_pipe[0]].iocb = mworker_pipe_handler;
- fd_insert(mworker_pipe[0], MAX_THREADS_MASK);
+ /* In multi-tread, we need only one thread to process
+ * events on the pipe with master
+ */
+ fd_insert(mworker_pipe[0], 1);
fd_want_recv(mworker_pipe[0]);
}

29
net/haproxy/patches/0009-BUG-MEDIUM-stream-dont-crash-on-out-of-memory.patch
View file

@ -1,29 +0,0 @@
commit 4bf6d76a22b9b601fd57df4aa0f4fba62733cb07
Author: Willy Tarreau <w@1wt.eu>
Date: Mon Oct 15 11:08:55 2018 +0200
BUG/MEDIUM: stream: don't crash on out-of-memory
In case pool_alloc() fails in stream_new(), we try to detach the stream
from the list before it has been added, dereferencing a NULL. In order
to fix it, simply move the LIST_DEL call upwards.
This must be backported to 1.8.
(cherry picked from commit e5f229e6392fd54aaba7fe58f457723c16b9d15f)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/stream.c b/src/stream.c
index 11c9dbf3..ef7cff5c 100644
--- a/src/stream.c
+++ b/src/stream.c
@@ -282,8 +282,8 @@ struct stream *stream_new(struct session *sess, enum obj_type *origin)
out_fail_accept:
flt_stream_release(s, 0);
task_free(t);
- out_fail_alloc:
LIST_DEL(&s->list);
+ out_fail_alloc:
pool_free(pool_head_stream, s);
return NULL;
}

12
net/haproxy/patches/0045-deprecated-openssl.patch → net/haproxy/patches/001-deprecated-openssl.patch
View file

@ -40,7 +40,7 @@ index cfbc38b..025a144 100644
return 0;
}
@@ -1702,8 +1706,13 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
@@ -1711,8 +1715,13 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
ASN1_INTEGER_set(X509_get_serialNumber(newcrt), HA_ATOMIC_ADD(&ssl_ctx_serial, 1));
/* Set duration for the certificate */
@ -54,7 +54,7 @@ index cfbc38b..025a144 100644
goto mkcert_error;
/* set public key in the certificate */
@@ -6276,7 +6285,11 @@ smp_fetch_ssl_x_notafter(const struct arg *args, struct sample *smp, const char
@@ -6285,7 +6294,11 @@ smp_fetch_ssl_x_notafter(const struct arg *args, struct sample *smp, const char
goto out;
smp_trash = get_trash_chunk();
@ -66,7 +66,7 @@ index cfbc38b..025a144 100644
goto out;
smp->data.u.str = *smp_trash;
@@ -6376,7 +6389,11 @@ smp_fetch_ssl_x_notbefore(const struct arg *args, struct sample *smp, const char
@@ -6385,7 +6398,11 @@ smp_fetch_ssl_x_notbefore(const struct arg *args, struct sample *smp, const char
goto out;
smp_trash = get_trash_chunk();
@ -78,7 +78,7 @@ index cfbc38b..025a144 100644
goto out;
smp->data.u.str = *smp_trash;
@@ -8926,7 +8943,11 @@ static void __ssl_sock_init(void)
@@ -8935,7 +8952,11 @@ static void __ssl_sock_init(void)
#endif
xprt_register(XPRT_SSL, &ssl_sock);
@ -90,7 +90,7 @@ index cfbc38b..025a144 100644
cm = SSL_COMP_get_compression_methods();
sk_SSL_COMP_zero(cm);
#ifdef USE_THREAD
@@ -8958,8 +8979,13 @@ static void __ssl_sock_init(void)
@@ -8967,8 +8988,13 @@ static void __ssl_sock_init(void)
#else /* OPENSSL_IS_BORINGSSL */
OPENSSL_VERSION_TEXT
"\nRunning on OpenSSL version : %s%s",
@ -104,7 +104,7 @@ index cfbc38b..025a144 100644
#endif
memprintf(&ptr, "%s\nOpenSSL library supports TLS extensions : "
#if OPENSSL_VERSION_NUMBER < 0x00907000L
@@ -9051,11 +9077,14 @@ static void __ssl_sock_deinit(void)
@@ -9060,11 +9086,14 @@ static void __ssl_sock_deinit(void)
#endif
ERR_remove_state(0);

29
net/haproxy/patches/0010-BUILD-ssl-fix-null-deref-warning-in-ssl_fc_cipherlist_str-sample-fetch.patch
View file

@ -1,29 +0,0 @@
commit d332b12b262ad7df1c8bdda52dad100f40399d24
Author: Willy Tarreau <w@1wt.eu>
Date: Mon Oct 15 11:01:59 2018 +0200
BUILD: ssl: fix null-deref warning in ssl_fc_cipherlist_str sample fetch
Gcc 6.4 detects a potential null-deref warning in smp_fetch_ssl_fc_cl_str().
This one is not real since already addressed a few lines above. Let's use
__objt_conn() instead of objt_conn() to avoid the extra test that confuses
it.
This could be backported to 1.8.
(cherry picked from commit b729077710b14c75936909409e27a4fa0badcb54)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 6eed8022..4577fef4 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -6929,7 +6929,7 @@ smp_fetch_ssl_fc_cl_str(const struct arg *args, struct sample *smp, const char *
#if defined(OPENSSL_IS_BORINGSSL)
cipher = SSL_get_cipher_by_value(id);
#else
- struct connection *conn = objt_conn(smp->sess->origin);
+ struct connection *conn = __objt_conn(smp->sess->origin);
cipher = SSL_CIPHER_find(conn->xprt_ctx, bin);
#endif
str = SSL_CIPHER_get_name(cipher);

28
net/haproxy/patches/0011-BUILD-ssl-fix-another-null-deref-warning-in-ssl_sock_switchctx_cbk.patch
View file

@ -1,28 +0,0 @@
commit 892c21240adb9ac230d4bd27cc8be4767b4902aa
Author: Willy Tarreau <w@1wt.eu>
Date: Mon Oct 15 13:20:07 2018 +0200
BUILD: ssl: fix another null-deref warning in ssl_sock_switchctx_cbk()
This null-deref cannot happen either as there necesarily is a listener
where this function is called. Let's use __objt_listener() to address
this.
This may be backported to 1.8.
(cherry picked from commit a8825520b785d592467c45e183ad8213cb7bf891)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 4577fef4..cfbc38b7 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2113,7 +2113,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
int i;
conn = SSL_get_ex_data(ssl, ssl_app_data_index);
- s = objt_listener(conn->target)->bind_conf;
+ s = __objt_listener(conn->target)->bind_conf;
if (s->ssl_conf.early_data)
allow_early = 1;

26
net/haproxy/patches/0012-BUILD-stick-table-make-sure-not-to-fail-on-task_new-during-initialization.patch
View file

@ -1,26 +0,0 @@
commit eb72c1faedc39c68fb1246ea8a97d1f96831756c
Author: Willy Tarreau <w@1wt.eu>
Date: Mon Oct 15 11:12:15 2018 +0200
BUILD: stick-table: make sure not to fail on task_new() during initialization
Gcc reports a potential null-deref error in the stick-table init code.
While not critical there, it's trivial to fix. This check has been
missing since 1.4 so this fix can be backported to all supported versions.
(cherry picked from commit 848522f05df9e60eea9274e11f1e9fcd19594a5c)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/stick_table.c b/src/stick_table.c
index 5a2f1295..653a1ffb 100644
--- a/src/stick_table.c
+++ b/src/stick_table.c
@@ -602,6 +602,8 @@ int stktable_init(struct stktable *t)
t->exp_next = TICK_ETERNITY;
if ( t->expire ) {
t->exp_task = task_new(MAX_THREADS_MASK);
+ if (!t->exp_task)
+ return 0;
t->exp_task->process = process_table_expire;
t->exp_task->context = (void *)t;
}

77
net/haproxy/patches/0013-BUILD-peers-check-allocation-error-during-peers_init_sync.patch
View file

@ -1,77 +0,0 @@
commit d28afe3631e20a9fcca47efde031d62e501eff48
Author: Willy Tarreau <w@1wt.eu>
Date: Mon Oct 15 11:18:03 2018 +0200
BUILD: peers: check allocation error during peers_init_sync()
peers_init_sync() doesn't check task_new()'s return value and doesn't
return any result to indicate success or failure. Let's make it return
an int and check it from the caller.
This can be backported as far as 1.6.
(cherry picked from commit d944344f01d9ea914d94c45f6ac7c224c6143fc9)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/include/proto/peers.h b/include/proto/peers.h
index 782b66e4..9d4aaff2 100644
--- a/include/proto/peers.h
+++ b/include/proto/peers.h
@@ -28,7 +28,7 @@
#include <types/stream.h>
#include <types/peers.h>
-void peers_init_sync(struct peers *peers);
+int peers_init_sync(struct peers *peers);
void peers_register_table(struct peers *, struct stktable *table);
void peers_setup_frontend(struct proxy *fe);
diff --git a/src/cfgparse.c b/src/cfgparse.c
index d1474d4b..7414b60d 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -9111,7 +9111,12 @@ out_uri_auth_compat:
curpeers->peers_fe = NULL;
}
else {
- peers_init_sync(curpeers);
+ if (!peers_init_sync(curpeers)) {
+ ha_alert("Peers section '%s': out of memory, giving up on peers.\n",
+ curpeers->id);
+ cfgerr++;
+ break;
+ }
last = &curpeers->next;
continue;
}
diff --git a/src/peers.c b/src/peers.c
index c56ed3af..0cd56da3 100644
--- a/src/peers.c
+++ b/src/peers.c
@@ -2159,9 +2159,9 @@ static struct task *process_peer_sync(struct task * task)
/*
- *
+ * returns 0 in case of error.
*/
-void peers_init_sync(struct peers *peers)
+int peers_init_sync(struct peers *peers)
{
struct peer * curpeer;
struct listener *listener;
@@ -2173,10 +2173,14 @@ void peers_init_sync(struct peers *peers)
list_for_each_entry(listener, &peers->peers_fe->conf.listeners, by_fe)
listener->maxconn = peers->peers_fe->maxconn;
peers->sync_task = task_new(MAX_THREADS_MASK);
+ if (!peers->sync_task)
+ return 0;
+
peers->sync_task->process = process_peer_sync;
peers->sync_task->context = (void *)peers;
peers->sighandler = signal_register_task(0, peers->sync_task, 0);
task_wakeup(peers->sync_task, TASK_WOKEN_INIT);
+ return 1;
}

56
net/haproxy/patches/0014-DOC-Fix-a-few-typos.patch
View file

@ -1,56 +0,0 @@
commit c6eb147201c1d05afaadc5fd248b17be91f97331
Author: Bertrand Jacquin <bertrand@jacquin.bzh>
Date: Sat Oct 13 16:06:18 2018 +0100
DOC: Fix a few typos
these are mostly spelling mistakes, some of them might be candidate for
backporting as well.
(cherry picked from commit d5e4de8e5f99108e31dc7a23a0e91c4231e37974)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/CONTRIBUTING b/CONTRIBUTING
index b2c2b493..cd97e69b 100644
--- a/CONTRIBUTING
+++ b/CONTRIBUTING
@@ -309,7 +309,7 @@ do not think about them anymore after a few patches.
A good rule of thumb is that if your identifiers start to contain more than
3 words or more than 15 characters, they can become confusing. For function
names it's less important especially if these functions are rarely used or
- are used in a complex context where it is important to differenciate between
+ are used in a complex context where it is important to differentiate between
their multiple variants.
9) Unified diff only
@@ -318,7 +318,7 @@ do not think about them anymore after a few patches.
that you have committed your patch to a local branch, with an appropriate
subject line and a useful commit message explaining what the patch attempts
to do. It is not strictly required to use git, but what is strictly required
- is to have all these elements in the same mail, easily distinguishible, and
+ is to have all these elements in the same mail, easily distinguishable, and
a patch in "diff -up" format (which is also the format used by Git). This
means the "unified" diff format must be used exclusively, and with the
function name printed in the diff header of each block. That significantly
@@ -761,7 +761,7 @@ sent to the mailing list : haproxy@formilux.org and CCed to relevant subsystem
maintainers or authors of the modified files if their address appears at the
top of the file.
-Please don't send pull-requests, they are really unconvenient. First, a pull
+Please don't send pull-requests, they are really inconvenient. First, a pull
implies a merge operation and the code doesn't move fast enough to justify the
use of merges. Second, pull requests are not easily commented on by the
project's participants, contrary to e-mails where anyone is allowed to have an
diff --git a/include/types/connection.h b/include/types/connection.h
index 5e8af3e7..b9e46048 100644
--- a/include/types/connection.h
+++ b/include/types/connection.h
@@ -45,7 +45,7 @@ struct server;
struct pipe;
-/* A connection handle is how we differenciate two connections on the lower
+/* A connection handle is how we differentiate two connections on the lower
* layers. It usually is a file descriptor but can be a connection id.
*/
union conn_handle {

36
net/haproxy/patches/0015-BUG-MEDIUM-threads-fix-thread_release-at-the-end-of-the-rendez-vous-point.patch
View file

@ -1,36 +0,0 @@
commit 75795017480da0f0a1157e945043249fe625f92f
Author: Willy Tarreau <w@1wt.eu>
Date: Tue Oct 16 16:11:56 2018 +0200
BUG/MEDIUM: threads: fix thread_release() at the end of the rendez-vous point
There is a bug in this function used to release other threads. It leaves
the current thread marked as harmless. If after this another thread does
a thread_isolate(), but before the first one reaches poll(), the second
thread will believe it's alone while it's not.
This must be backported to 1.8 since the rendez-vous point was merged
into 1.8.14.
(cherry picked from commit a9c0252b2e8ff7bb728b84d977ac6e9581ea12f8)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/hathreads.c b/src/hathreads.c
index 9dba4356..0a7c12f7 100644
--- a/src/hathreads.c
+++ b/src/hathreads.c
@@ -221,12 +221,8 @@ void thread_isolate()
*/
void thread_release()
{
- while (1) {
- HA_ATOMIC_AND(&threads_want_rdv_mask, ~tid_bit);
- if (!(threads_want_rdv_mask & all_threads_mask))
- break;
- thread_harmless_till_end();
- }
+ HA_ATOMIC_AND(&threads_want_rdv_mask, ~tid_bit);
+ thread_harmless_end();
}
__attribute__((constructor))

29
net/haproxy/patches/0016-BUG-MEDIUM-threads-make-sure-threads_want_sync-is-marked-volatile.patch
View file

@ -1,29 +0,0 @@
commit 4805c249aabc45cd59386694f962e19ab50e8ca9
Author: Willy Tarreau <w@1wt.eu>
Date: Tue Oct 16 16:57:40 2018 +0200
BUG/MEDIUM: threads: make sure threads_want_sync is marked volatile
The threads_want_sync variable is not volatile, which allows the compiler
to cache old copies of it for long parts of code and possibly optimize
some tests away. This could result in deadlocks when using heavy queue
activity or health check state changes.
There is no upstream commit for this fix because the sync point was
completely removed from 1.9. This fix is exclusively for 1.8.
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/hathreads.c b/src/hathreads.c
index 0a7c12f7..730ebee4 100644
--- a/src/hathreads.c
+++ b/src/hathreads.c
@@ -29,7 +29,7 @@ void thread_sync_io_handler(int fd)
static HA_SPINLOCK_T sync_lock;
static int threads_sync_pipe[2] = {-1, -1};
-static unsigned long threads_want_sync = 0;
+volatile static unsigned long threads_want_sync = 0;
volatile unsigned long threads_want_rdv_mask = 0;
volatile unsigned long threads_harmless_mask = 0;
volatile unsigned long all_threads_mask = 1; // nbthread 1 assumed by default

38
net/haproxy/patches/0017-BUILD-compiler-add-a-new-statement-__unreachable.patch
View file

@ -1,38 +0,0 @@
commit d26a40412197ba61a72368c71e8a8582d686d28c
Author: Willy Tarreau <w@1wt.eu>
Date: Mon Oct 15 11:53:34 2018 +0200
BUILD: compiler: add a new statement "__unreachable()"
This statement is used as a hint for the compiler so that it knows that
the location where it's placed cannot be reached. It will mostly be used
after longjmp() or equivalent statements that deal with error processing
and that the compiler doesn't know will not return on certain conditions,
so that it doesn't complain about null dereferences on error paths.
(cherry picked from commit 8d26f02e693121764bfa0cb48c9a7ab31e17225d)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/include/common/compiler.h b/include/common/compiler.h
index a13aad5c..6f4f5a67 100644
--- a/include/common/compiler.h
+++ b/include/common/compiler.h
@@ -82,6 +82,18 @@
*/
#define __maybe_unused __attribute__((unused))
+/* This allows gcc to know that some locations are never reached, for example
+ * after a longjmp() in the Lua code, hence that some errors caught by such
+ * methods cannot propagate further. This is important with gcc versions 6 and
+ * above which can more aggressively detect null dereferences. The builtin
+ * below was introduced in gcc 4.5, and before it we didn't care.
+ */
+#if __GNUC__ >= 5 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
+#define __unreachable() __builtin_unreachable()
+#else
+#define __unreachable()
+#endif
+
/*
* Gcc >= 3 provides the ability for the programme to give hints to the
* compiler about what branch of an if is most likely to be taken. This

304
net/haproxy/patches/0018-MINOR-lua-all-functions-calling-lua_yieldk-may-return.patch
View file

@ -1,304 +0,0 @@
commit 330e08dfc588dc9b0ad42203123fab6c191ca2f8
Author: Willy Tarreau <w@1wt.eu>
Date: Tue Oct 16 17:52:55 2018 +0200
MINOR: lua: all functions calling lua_yieldk() may return
There was a mistake when tagging functions which always use longjmp and
those which may use it in that all those supposed to call lua_yieldk()
may return without calling longjmp. Thus they must not use WILL_LJMP()
but MAY_LJMP(). It has zero impact on the code emitted as such, but
prevents other fixes from being properly implemented : this was the
cause of the previous failure with the __unreachable() calls.
This may be backported to older versions. It may or may not apply
well depending on the context, though the change simply consists in
replacing "WILL_LJMP(hlua_yieldk" with "MAY_LJMP(hlua_yieldk", and
same with the single call to lua_yieldk() in hlua_yieldk().
(cherry picked from commit 9635e03c41e95dff38731f67cc9d8b00e3731d2a)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/hlua.c b/src/hlua.c
index 60ba94ea..64102e8a 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -852,7 +852,7 @@ __LJMP void hlua_yieldk(lua_State *L, int nresults, int ctx,
hlua->flags |= flags;
/* Process the yield. */
- WILL_LJMP(lua_yieldk(L, nresults, ctx, k));
+ MAY_LJMP(lua_yieldk(L, nresults, ctx, k));
}
/* This function initialises the Lua environment stored in the stream.
@@ -1003,7 +1003,7 @@ void hlua_hook(lua_State *L, lua_Debug *ar)
* If the state is not yieldable, trying yield causes an error.
*/
if (lua_isyieldable(L))
- WILL_LJMP(hlua_yieldk(L, 0, 0, NULL, TICK_ETERNITY, HLUA_CTRLYIELD));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, NULL, TICK_ETERNITY, HLUA_CTRLYIELD));
/* If we cannot yield, update the clock and check the timeout. */
tv_update_date(0, 1);
@@ -1883,7 +1883,7 @@ connection_empty:
WILL_LJMP(luaL_error(L, "out of memory"));
}
xref_unlock(&socket->xref, peer);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_receive_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_receive_yield, TICK_ETERNITY, 0));
return 0;
}
@@ -2082,7 +2082,7 @@ hlua_socket_write_yield_return:
WILL_LJMP(luaL_error(L, "out of memory"));
}
xref_unlock(&socket->xref, peer);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_write_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_write_yield, TICK_ETERNITY, 0));
return 0;
}
@@ -2375,7 +2375,7 @@ __LJMP static int hlua_socket_connect_yield(struct lua_State *L, int status, lua
WILL_LJMP(luaL_error(L, "out of memory error"));
}
xref_unlock(&socket->xref, peer);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0));
return 0;
}
@@ -2493,7 +2493,7 @@ __LJMP static int hlua_socket_connect(struct lua_State *L)
task_wakeup(s->task, TASK_WOKEN_INIT);
/* Return yield waiting for connection. */
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0));
return 0;
}
@@ -2819,7 +2819,7 @@ __LJMP static int hlua_channel_dup_yield(lua_State *L, int status, lua_KContext
chn = MAY_LJMP(hlua_checkchannel(L, 1));
if (_hlua_channel_dup(chn, L) == 0)
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_dup_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_dup_yield, TICK_ETERNITY, 0));
return 1;
}
@@ -2845,7 +2845,7 @@ __LJMP static int hlua_channel_get_yield(lua_State *L, int status, lua_KContext
ret = _hlua_channel_dup(chn, L);
if (unlikely(ret == 0))
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_get_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_get_yield, TICK_ETERNITY, 0));
if (unlikely(ret == -1))
return 1;
@@ -2883,7 +2883,7 @@ __LJMP static int hlua_channel_getline_yield(lua_State *L, int status, lua_KCont
ret = ci_getline_nc(chn, &blk1, &len1, &blk2, &len2);
if (ret == 0)
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_getline_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_getline_yield, TICK_ETERNITY, 0));
if (ret == -1) {
lua_pushnil(L);
@@ -2932,7 +2932,7 @@ __LJMP static int hlua_channel_append_yield(lua_State *L, int status, lua_KConte
*/
if (chn->buf->size == 0) {
si_applet_cant_put(chn_prod(chn));
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
}
max = channel_recv_limit(chn) - buffer_len(chn->buf);
@@ -2946,7 +2946,7 @@ __LJMP static int hlua_channel_append_yield(lua_State *L, int status, lua_KConte
}
if (ret == -1) {
chn->flags |= CF_WAKE_WRITE;
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
}
l += ret;
lua_pop(L, 1);
@@ -2962,7 +2962,7 @@ __LJMP static int hlua_channel_append_yield(lua_State *L, int status, lua_KConte
return 1;
}
if (l < len)
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
return 1;
}
@@ -3026,7 +3026,7 @@ __LJMP static int hlua_channel_send_yield(lua_State *L, int status, lua_KContext
*/
if (chn->buf->size == 0) {
si_applet_cant_put(chn_prod(chn));
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0));
}
/* the writed data will be immediatly sent, so we can check
@@ -3082,7 +3082,7 @@ __LJMP static int hlua_channel_send_yield(lua_State *L, int status, lua_KContext
HLUA_SET_WAKERESWR(hlua);
else
HLUA_SET_WAKEREQWR(hlua);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0));
}
return 1;
@@ -3146,7 +3146,7 @@ __LJMP static int hlua_channel_forward_yield(lua_State *L, int status, lua_KCont
HLUA_SET_WAKEREQWR(hlua);
/* Otherwise, we can yield waiting for new data in the inpout side. */
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_forward_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_forward_yield, TICK_ETERNITY, 0));
}
return 1;
@@ -3654,7 +3654,7 @@ __LJMP static int hlua_applet_tcp_getline_yield(lua_State *L, int status, lua_KC
/* Data not yet avalaible. return yield. */
if (ret == 0) {
si_applet_cant_get(si);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_getline_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_getline_yield, TICK_ETERNITY, 0));
}
/* End of data: commit the total strings and return. */
@@ -3709,7 +3709,7 @@ __LJMP static int hlua_applet_tcp_recv_yield(lua_State *L, int status, lua_KCont
/* Data not yet avalaible. return yield. */
if (ret == 0) {
si_applet_cant_get(si);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
}
/* End of data: commit the total strings and return. */
@@ -3732,7 +3732,7 @@ __LJMP static int hlua_applet_tcp_recv_yield(lua_State *L, int status, lua_KCont
luaL_addlstring(&appctx->b, blk2, len2);
co_skip(si_oc(si), len1 + len2);
si_applet_cant_get(si);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
} else {
@@ -3756,7 +3756,7 @@ __LJMP static int hlua_applet_tcp_recv_yield(lua_State *L, int status, lua_KCont
lua_pushinteger(L, len);
lua_replace(L, 2);
si_applet_cant_get(si);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
}
/* return the result. */
@@ -3825,7 +3825,7 @@ __LJMP static int hlua_applet_tcp_send_yield(lua_State *L, int status, lua_KCont
*/
if (l < len) {
si_applet_cant_put(si);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_send_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_send_yield, TICK_ETERNITY, 0));
}
return 1;
@@ -4122,7 +4122,7 @@ __LJMP static int hlua_applet_http_getline_yield(lua_State *L, int status, lua_K
*/
if (ret == -1) {
si_applet_cant_put(si);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0));
}
appctx->appctx->ctx.hlua_apphttp.flags &= ~APPLET_100C;
}
@@ -4139,7 +4139,7 @@ __LJMP static int hlua_applet_http_getline_yield(lua_State *L, int status, lua_K
/* Data not yet avalaible. return yield. */
if (ret == 0) {
si_applet_cant_get(si);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0));
}
/* End of data: commit the total strings and return. */
@@ -4208,7 +4208,7 @@ __LJMP static int hlua_applet_http_recv_yield(lua_State *L, int status, lua_KCon
*/
if (ret == -1) {
si_applet_cant_put(si);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
}
appctx->appctx->ctx.hlua_apphttp.flags &= ~APPLET_100C;
}
@@ -4219,7 +4219,7 @@ __LJMP static int hlua_applet_http_recv_yield(lua_State *L, int status, lua_KCon
/* Data not yet avalaible. return yield. */
if (ret == 0) {
si_applet_cant_get(si);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
}
/* End of data: commit the total strings and return. */
@@ -4254,7 +4254,7 @@ __LJMP static int hlua_applet_http_recv_yield(lua_State *L, int status, lua_KCon
lua_pushinteger(L, len);
lua_replace(L, 2);
si_applet_cant_get(si);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
}
/* return the result. */
@@ -4320,7 +4320,7 @@ __LJMP static int hlua_applet_http_send_yield(lua_State *L, int status, lua_KCon
*/
if (l < len) {
si_applet_cant_put(si);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_send_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_send_yield, TICK_ETERNITY, 0));
}
return 1;
@@ -4460,7 +4460,7 @@ __LJMP static int hlua_applet_http_start_response_yield(lua_State *L, int status
/* If ret is -1, we dont have room in the buffer, so we yield. */
if (ret == -1) {
si_applet_cant_put(si);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_start_response_yield, TICK_ETERNITY, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_start_response_yield, TICK_ETERNITY, 0));
}
/* Headers sent, set the flag. */
@@ -5510,7 +5510,7 @@ __LJMP static int hlua_sleep_yield(lua_State *L, int status, lua_KContext ctx)
{
int wakeup_ms = lua_tointeger(L, -1);
if (now_ms < wakeup_ms)
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
return 0;
}
@@ -5525,7 +5525,7 @@ __LJMP static int hlua_sleep(lua_State *L)
wakeup_ms = tick_add(now_ms, delay);
lua_pushinteger(L, wakeup_ms);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
return 0;
}
@@ -5540,7 +5540,7 @@ __LJMP static int hlua_msleep(lua_State *L)
wakeup_ms = tick_add(now_ms, delay);
lua_pushinteger(L, wakeup_ms);
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
return 0;
}
@@ -5555,7 +5555,7 @@ __LJMP static int hlua_yield_yield(lua_State *L, int status, lua_KContext ctx)
__LJMP static int hlua_yield(lua_State *L)
{
- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_yield_yield, TICK_ETERNITY, HLUA_CTRLYIELD));
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_yield_yield, TICK_ETERNITY, HLUA_CTRLYIELD));
return 0;
}

48
net/haproxy/patches/0019-BUILD-lua-silence-some-compiler-warnings-about-potential-null-derefs-2.patch
View file

@ -1,48 +0,0 @@
commit 8019e88dd1ac73a3baa71e9acfbc1b7a3fbc7442
Author: Willy Tarreau <w@1wt.eu>
Date: Tue Oct 16 17:37:12 2018 +0200
BUILD: lua: silence some compiler warnings about potential null derefs (#2)
Here we make sure that appctx is always taken from the unchecked value
since we know it's an appctx, which explains why it's immediately
dereferenced. A missing test was added to ensure that task_new() does
not return a NULL.
This may be backported to 1.8.
(cherry picked from commit e09101e8d92b0c0ef8674fbc791e309112ab7f1c)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/hlua.c b/src/hlua.c
index 64102e8a..ad9238ef 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -2361,7 +2361,7 @@ __LJMP static int hlua_socket_connect_yield(struct lua_State *L, int status, lua
return 2;
}
- appctx = objt_appctx(s->si[0].end);
+ appctx = __objt_appctx(s->si[0].end);
/* Check for connection established. */
if (appctx->ctx.hlua_cosocket.connected) {
@@ -2473,7 +2473,7 @@ __LJMP static int hlua_socket_connect(struct lua_State *L)
}
hlua = hlua_gethlua(L);
- appctx = objt_appctx(s->si[0].end);
+ appctx = __objt_appctx(s->si[0].end);
/* inform the stream that we want to be notified whenever the
* connection completes.
@@ -5693,6 +5693,9 @@ static int hlua_register_task(lua_State *L)
WILL_LJMP(luaL_error(L, "lua out of memory error."));
task = task_new(MAX_THREADS_MASK);
+ if (!task)
+ WILL_LJMP(luaL_error(L, "Lua out of memory error."));
+
task->context = hlua;
task->process = hlua_process_task;

39
net/haproxy/patches/0020-BUILD-lua-silence-some-compiler-warnings-after-WILL_LJMP.patch
View file

@ -1,39 +0,0 @@
commit 3f39e1d4b5ca37e57247034421c69bc301d996b2
Author: Willy Tarreau <w@1wt.eu>
Date: Tue Oct 16 17:57:36 2018 +0200
BUILD: lua: silence some compiler warnings after WILL_LJMP
These ones are on error paths that are properly handled by luaL_error()
which does a longjmp() but the compiler cannot know it. By adding an
__unreachable() statement in WILL_LJMP(), there is no ambiguity anymore.
This may be backported to 1.8 but these previous patches are needed first :
- BUILD: compiler: add a new statement "__unreachable()"
- MINOR: lua: all functions calling lua_yieldk() may return
- BUILD: lua: silence some compiler warnings about potential null derefs (#2)
(cherry picked from commit b059b894cdf795f134b6e53ff95ea7f907feb846)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/hlua.c b/src/hlua.c
index ad9238ef..c3bb269a 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -24,6 +24,7 @@
#include <ebpttree.h>
#include <common/cfgparse.h>
+#include <common/compiler.h>
#include <common/xref.h>
#include <common/hathreads.h>
@@ -63,7 +64,7 @@
* MAY_LJMP() marks an lua function that may use longjmp.
*/
#define __LJMP
-#define WILL_LJMP(func) func
+#define WILL_LJMP(func) do { func; __unreachable(); } while(0)
#define MAY_LJMP(func) func
/* This couple of function executes securely some Lua calls outside of

27
net/haproxy/patches/0021-CLEANUP-stick-tables-Remove-unneeded-double-around-conditional-clause.patch
View file

@ -1,27 +0,0 @@
commit b884ba5222a765b395e8ac93971639a0452d6422
Author: Dirkjan Bussink <d.bussink@gmail.com>
Date: Fri Sep 14 14:31:22 2018 +0200
CLEANUP: stick-tables: Remove unneeded double (()) around conditional clause
In the past this conditional had multiple conditionals which is why the
additional parentheses were needed. The conditional was simplified but
the duplicate parentheses were not cleaned up.
(cherry picked from commit ff57f1bbcf8af1e6389520aa845df5aa97ef55b6)
[wt: fixes build warnings with clang]
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/stick_table.c b/src/stick_table.c
index 653a1ffb..f1442603 100644
--- a/src/stick_table.c
+++ b/src/stick_table.c
@@ -1860,7 +1860,7 @@ smp_fetch_sc_tracked(const struct arg *args, struct sample *smp, const char *kw,
smp->data.u.sint = !!stkctr;
/* release the ref count */
- if ((stkctr == &tmpstkctr))
+ if (stkctr == &tmpstkctr)
stktable_release(stkctr->table, stkctr_entry(stkctr));
return 1;

41
net/haproxy/patches/0022-BUILD-Makefile-add-a-make-opts-target-to-simply-show-the-build-options.patch
View file

@ -1,41 +0,0 @@
commit 0820ab24974cd2bad84c8ec5a90f7ce0e1681cf0
Author: Willy Tarreau <w@1wt.eu>
Date: Wed Oct 3 09:40:22 2018 +0200
BUILD: Makefile: add a "make opts" target to simply show the build options
We're often missing an easy way to map input variables to output ones.
The "opts" build target will simply show the input variables and the ones
passed to the compiler and linker. This way it's easier to quickly see
what a given build script or package will use, or the detected warnings
supported by the compiler.
(cherry picked from commit a8b12c6bb73b924f6429c3ae4d20b96992e92c2e)
[wt: this is not needed but significantly helps for packaging]
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/Makefile b/Makefile
index 5d170041..d3615060 100644
--- a/Makefile
+++ b/Makefile
@@ -996,3 +996,20 @@ update-version:
echo "$(VERSION)" > VERSION
echo "$(SUBVERS)" > SUBVERS
echo "$(VERDATE)" > VERDATE
+
+# just display the build options
+opts:
+ @echo -n 'Using: '
+ @echo -n 'TARGET="$(strip $(TARGET))" '
+ @echo -n 'ARCH="$(strip $(ARCH))" '
+ @echo -n 'CPU="$(strip $(CPU))" '
+ @echo -n 'CC="$(strip $(CC))" '
+ @echo -n 'ARCH_FLAGS="$(strip $(ARCH_FLAGS))" '
+ @echo -n 'CPU_CFLAGS="$(strip $(CPU_CFLAGS))" '
+ @echo -n 'DEBUG_CFLAGS="$(strip $(DEBUG_CFLAGS))" '
+ @echo "$(strip $(BUILD_OPTIONS))"
+ @echo 'COPTS="$(strip $(COPTS))"'
+ @echo 'LDFLAGS="$(strip $(LDFLAGS))"'
+ @echo 'LDOPTS="$(strip $(LDOPTS))"'
+ @echo 'OPTIONS_OBJS="$(strip $(OPTIONS_OBJS))"'
+ @echo 'OBJS="$(strip $(OBJS))"'

38
net/haproxy/patches/0023-BUILD-Makefile-speed-up-compiler-options-detection.patch
View file

@ -1,38 +0,0 @@
commit 5df1480da4c4e58830d108f4f0f3347598c55ab3
Author: Willy Tarreau <w@1wt.eu>
Date: Wed Oct 3 09:52:51 2018 +0200
BUILD: Makefile: speed up compiler options detection
Commits b78016649 and d3a7f4035 brought the ability to detect the build
options and warnings that the compiler supports. However, they're detected
using "$(CC) -c", which is 50% slower than "$(CC) -E" for the same result,
just because it starts the assembler at the end. Given that we're starting
to check for a number of warnings, this detection alone starts to become
visible, taking a bit more than 300 ms on the build time. Let's switch to
-E instead to shrink this incompressible time by roughly 100 ms.
(cherry picked from commit f11ca5e7a43c772637018ec2ad981a9fd7d3816f)
[wt: only backported for context and consistency with next patch]
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/Makefile b/Makefile
index d3615060..1a971f92 100644
--- a/Makefile
+++ b/Makefile
@@ -96,13 +96,13 @@
# Usage: CFLAGS += $(call cc-opt,option). Eg: $(call cc-opt,-fwrapv)
# Note: ensure the referencing variable is assigned using ":=" and not "=" to
# call it only once.
-cc-opt = $(shell set -e; if $(CC) $(1) -c -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; fi;)
+cc-opt = $(shell set -e; if $(CC) $(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; fi;)
# Disable a warning when supported by the compiler. Don't put spaces around the
# warning! And don't use cc-opt which doesn't always report an error until
# another one is also returned.
# Usage: CFLAGS += $(call cc-nowarn,warning). Eg: $(call cc-opt,format-truncation)
-cc-nowarn = $(shell set -e; if $(CC) -W$(1) -c -xc - -o /dev/null </dev/null >&0 2>&0; then echo "-Wno-$(1)"; fi;)
+cc-nowarn = $(shell set -e; if $(CC) -W$(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "-Wno-$(1)"; fi;)
#### Installation options.
DESTDIR =

38
net/haproxy/patches/0024-BUILD-Makefile-silence-an-option-conflict-warning-with-clang.patch
View file

@ -1,38 +0,0 @@
commit a7e9853db925b12b1d040be8b04bafc11d84d685
Author: Willy Tarreau <w@1wt.eu>
Date: Tue Oct 16 18:11:34 2018 +0200
BUILD: Makefile: silence an option conflict warning with clang
clang complains that -fno-strict-overflow is not used when -fwrapv is
used, which breaks the build when -Werror is used. Let's introduce a
cc-opt-alt function to emit the former only then the latter is not
supported (since it implies the former).
(cherry picked from commit 0d7a2ae4f5199ec37ead6914fa24d40ec0989a4d)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/Makefile b/Makefile
index 1a971f92..6ffc1b06 100644
--- a/Makefile
+++ b/Makefile
@@ -98,6 +98,9 @@
# call it only once.
cc-opt = $(shell set -e; if $(CC) $(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; fi;)
+# same but emits $2 if $1 is not supported
+cc-opt-alt = $(shell set -e; if $(CC) $(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; else echo "$(2)"; fi;)
+
# Disable a warning when supported by the compiler. Don't put spaces around the
# warning! And don't use cc-opt which doesn't always report an error until
# another one is also returned.
@@ -147,8 +150,7 @@ DEBUG_CFLAGS = -g
# can do whatever it wants since it's an undefined behavior, so use -fwrapv
# to be sure we get the intended behavior.
SPEC_CFLAGS := -fno-strict-aliasing -Wdeclaration-after-statement
-SPEC_CFLAGS += $(call cc-opt,-fwrapv)
-SPEC_CFLAGS += $(call cc-opt,-fno-strict-overflow)
+SPEC_CFLAGS += $(call cc-opt-alt,-fwrapv,$(call cc-opt,-fno-strict-overflow))
SPEC_CFLAGS += $(call cc-nowarn,format-truncation)
SPEC_CFLAGS += $(call cc-nowarn,address-of-packed-member)
SPEC_CFLAGS += $(call cc-nowarn,null-dereference)

34
net/haproxy/patches/0025-MINOR-server-Use-memcpy-instead-of-strncpy.patch
View file

@ -1,34 +0,0 @@
commit 541e3b40b394fb6bde563ff8ce4c882dafca4eb1
Author: Olivier Houchard <ohouchard@haproxy.com>
Date: Tue Oct 16 18:35:01 2018 +0200
MINOR: server: Use memcpy() instead of strncpy().
Use memcpy instead of strncpy, strncpy buys us nothing, and gcc is being
annoying.
(cherry picked from commit 17f8b90736d811ac9a04af198a3aee34e9935cec)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/server.c b/src/server.c
index 4941bd03..208f21da 100644
--- a/src/server.c
+++ b/src/server.c
@@ -3078,7 +3078,7 @@ void apply_server_state(void)
globalfilepathlen = 0;
goto globalfileerror;
}
- strncpy(globalfilepath, global.server_state_base, len);
+ memcpy(globalfilepath, global.server_state_base, len);
globalfilepath[globalfilepathlen] = 0;
/* append a slash if needed */
@@ -3147,7 +3147,7 @@ void apply_server_state(void)
localfilepathlen = 0;
goto localfileerror;
}
- strncpy(localfilepath, global.server_state_base, len);
+ memcpy(localfilepath, global.server_state_base, len);
localfilepath[localfilepathlen] = 0;
/* append a slash if needed */

34
net/haproxy/patches/0026-MINOR-cfgparse-Write-130-as-128-as-0x82-and-0x80.patch
View file

@ -1,34 +0,0 @@
commit 1993e23d59e37ee7befbc64bf1535640a16354bc
Author: Olivier Houchard <ohouchard@haproxy.com>
Date: Tue Oct 16 18:39:38 2018 +0200
MINOR: cfgparse: Write 130 as 128 as 0x82 and 0x80.
Write 130 and 128 as 8x82 and 0x80, to avoid warnings about casting from
int to size. "check_req" should probably be unsigned, but it's hard to do so.
(cherry picked from commit 3332090a2d3e9e84bac67af79fb03be111359429)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 7414b60d..87a4d803 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -5082,7 +5082,7 @@ stats_error_parsing:
((unsigned char) (packetlen >> 16) & 0xff));
curproxy->check_req[3] = 1;
- curproxy->check_req[5] = 130;
+ curproxy->check_req[5] = 0x82; // 130
curproxy->check_req[11] = 1;
curproxy->check_req[12] = 33;
memcpy(&curproxy->check_req[36], mysqluser, userlen);
@@ -5108,7 +5108,7 @@ stats_error_parsing:
((unsigned char) (packetlen >> 16) & 0xff));
curproxy->check_req[3] = 1;
- curproxy->check_req[5] = 128;
+ curproxy->check_req[5] = 0x80;
curproxy->check_req[8] = 1;
memcpy(&curproxy->check_req[9], mysqluser, userlen);
curproxy->check_req[9 + userlen + 1 + 1] = 1;

39
net/haproxy/patches/0027-MINOR-peers-use-defines-instead-of-enums-to-appease-clang.patch
View file

@ -1,39 +0,0 @@
commit 0d31b8e1dae2bd0ad73c90748a03f9cfeed837d8
Author: Olivier Houchard <ohouchard@haproxy.com>
Date: Tue Oct 16 18:49:26 2018 +0200
MINOR: peers: use defines instead of enums to appease clang.
Clang (rightfully) warns that we're trying to set chars to values >= 128.
Use defines with hex values instead of an enum to address this.
(cherry picked from commit 33992267aac00d7e8ae67e0703bf7fffc9cf9b54)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/peers.c b/src/peers.c
index 0cd56da3..465ffe85 100644
--- a/src/peers.c
+++ b/src/peers.c
@@ -122,15 +122,13 @@ enum {
/* Note: ids >= 128 contains */
/* id message cotains data */
/*******************************/
-enum {
- PEER_MSG_STKT_UPDATE = 128,
- PEER_MSG_STKT_INCUPDATE,
- PEER_MSG_STKT_DEFINE,
- PEER_MSG_STKT_SWITCH,
- PEER_MSG_STKT_ACK,
- PEER_MSG_STKT_UPDATE_TIMED,
- PEER_MSG_STKT_INCUPDATE_TIMED,
-};
+#define PEER_MSG_STKT_UPDATE 0x80
+#define PEER_MSG_STKT_INCUPDATE 0x81
+#define PEER_MSG_STKT_DEFINE 0x82
+#define PEER_MSG_STKT_SWITCH 0x83
+#define PEER_MSG_STKT_ACK 0x84
+#define PEER_MSG_STKT_UPDATE_TIMED 0x85
+#define PEER_MSG_STKT_INCUPDATE_TIMED 0x86
/**********************************/
/* Peer Session IO handler states */

24
net/haproxy/patches/0028-DOC-fix-reference-to-map-files-in-MAINTAINERS.patch
View file

@ -1,24 +0,0 @@
commit c1ef9f5389e5debb132b7e2ab40f178ed413a978
Author: Lukas Tribus <lukas@ltri.eu>
Date: Wed Oct 17 01:40:11 2018 +0200
DOC: fix reference to map files in MAINTAINERS
s/maps/map
(cherry picked from commit b75e828b298c958beb10c830a1ccb3df0840c30c)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/MAINTAINERS b/MAINTAINERS
index 3a9e435a..df7cc336 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -24,7 +24,7 @@ Files: src/hlua.c, include/*/hlua.h
Maps and pattern matching
Maintainer: Thierry Fournier <tfournier@arpalert.org>
-Files: src/maps.c, src/pattern.c, include/*/maps.h, include/*/pattern.h
+Files: src/map.c, src/pattern.c, include/*/map.h, include/*/pattern.h
DNS
Maintainer: Baptiste Assmann <bedis9@gmail.com>

41
net/haproxy/patches/0029-BUILD-compiler-rename-__unreachable-to-my_unreachable.patch
View file

@ -1,41 +0,0 @@
commit 9011ff6c9fb5128dd50b4210e05199ea6337b82b
Author: Willy Tarreau <w@1wt.eu>
Date: Sat Oct 20 17:45:48 2018 +0200
BUILD: compiler: rename __unreachable() to my_unreachable()
Olivier reported that on FreeBSD __unreachable is already defined
and causes build warnings. Let's rename it then.
(cherry picked from commit 4e7cc3381b27e3971b02b73a113ecc13916e1f20)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/include/common/compiler.h b/include/common/compiler.h
index 6f4f5a67..60549307 100644
--- a/include/common/compiler.h
+++ b/include/common/compiler.h
@@ -89,9 +89,9 @@
* below was introduced in gcc 4.5, and before it we didn't care.
*/
#if __GNUC__ >= 5 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
-#define __unreachable() __builtin_unreachable()
+#define my_unreachable() __builtin_unreachable()
#else
-#define __unreachable()
+#define my_unreachable()
#endif
/*
diff --git a/src/hlua.c b/src/hlua.c
index c3bb269a..085544dc 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -64,7 +64,7 @@
* MAY_LJMP() marks an lua function that may use longjmp.
*/
#define __LJMP
-#define WILL_LJMP(func) do { func; __unreachable(); } while(0)
+#define WILL_LJMP(func) do { func; my_unreachable(); } while(0)
#define MAY_LJMP(func) func
/* This couple of function executes securely some Lua calls outside of

33
net/haproxy/patches/0030-BUG-MEDIUM-pools-Fix-the-usage-of-mmap-with-DEBUG_UAF.patch
View file

@ -1,33 +0,0 @@
commit 7e751a3c24a7021075fb298025c4a1ce98a5b049
Author: Olivier Houchard <cognet@ci0.org>
Date: Sun Oct 21 01:33:11 2018 +0200
BUG/MEDIUM: pools: Fix the usage of mmap()) with DEBUG_UAF.
When mapping memory with mmap(), we should use a fd of -1, not 0. 0 may
work on linux, but it doesn't work on FreeBSD, and probably other OSes.
It would be nice to backport this to 1.8 to help debugging there.
(cherry picked from commit 62975a7740cba4bdaf1c096dd246feba854d2410)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/include/common/memory.h b/include/common/memory.h
index a2237da5..da0641de 100644
--- a/include/common/memory.h
+++ b/include/common/memory.h
@@ -186,12 +186,13 @@ static inline void pool_free_area(void *area, size_t __maybe_unused size)
* some padding is added, the area's start address is copied at the end of the
* padding to help detect underflows.
*/
+#include <errno.h>
static inline void *pool_alloc_area(size_t size)
{
size_t pad = (4096 - size) & 0xFF0;
void *ret;
- ret = mmap(NULL, (size + 4095) & -4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
+ ret = mmap(NULL, (size + 4095) & -4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
if (ret == MAP_FAILED)
return NULL;
if (pad >= sizeof(void *))

28
net/haproxy/patches/0031-BUG-MEDIUM-h2-Close-connection-if-no-stream-is-left-an-GOAWAY-was-sent.patch
View file

@ -1,28 +0,0 @@
commit 105abe2f7a2e518afda9eb3bda5cceb60f6fd1b2
Author: Olivier Houchard <cognet@ci0.org>
Date: Sun Oct 21 03:01:20 2018 +0200
BUG/MEDIUM: h2: Close connection if no stream is left an GOAWAY was sent.
When we're closing a stream, is there's no stream left and a goaway was sent,
close the connection, there's no reason to keep it open.
[wt: it's likely that this is needed in 1.8 as well, though it's unclear
how to trigger this issue, some tests are needed]
(cherry picked from commit 52b946686c28891a4359e9361676dc62af4fffad)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/mux_h2.c b/src/mux_h2.c
index b1b039fe..6881302b 100644
--- a/src/mux_h2.c
+++ b/src/mux_h2.c
@@ -2540,7 +2540,7 @@ static void h2_detach(struct conn_stream *cs)
if (eb_is_empty(&h2c->streams_by_id) && /* don't close if streams exist */
((h2c->conn->flags & CO_FL_ERROR) || /* errors close immediately */
(h2c->st0 >= H2_CS_ERROR && !h2c->task) || /* a timeout stroke earlier */
- (h2c->flags & H2_CF_GOAWAY_FAILED) ||
+ (h2c->flags & (H2_CF_GOAWAY_FAILED | H2_CF_GOAWAY_SENT)) ||
(!h2c->mbuf->o && /* mux buffer empty, also process clean events below */
(conn_xprt_read0_pending(h2c->conn) ||
(h2c->last_sid >= 0 && h2c->max_id >= h2c->last_sid))))) {

46
net/haproxy/patches/0032-BUILD-Makefile-add-the-new-ERR-variable-to-force--Werror.patch
View file

@ -1,46 +0,0 @@
commit e1b3aa5613a5edbb52a44d69b3e6007d9d631981
Author: Willy Tarreau <w@1wt.eu>
Date: Mon Oct 22 06:22:46 2018 +0200
BUILD: Makefile: add the new ERR variable to force -Werror
Instead of having to fiddle with the CFLAGS, let's have ERR=1 to enable
-Werror.
(cherry picked from commit 23cd43e2d6fa2b6892a786a1a720c5f24e657f10)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/Makefile b/Makefile
index 6ffc1b06..94e04738 100644
--- a/Makefile
+++ b/Makefile
@@ -57,6 +57,7 @@
# DEP may be cleared to ignore changes to include files during development
# SMALL_OPTS may be used to specify some options to shrink memory usage.
# DEBUG may be used to set some internal debugging options.
+# ERR may be set to non-empty to pass -Werror to the compiler
# ADDINC may be used to complete the include path in the form -Ipath.
# ADDLIB may be used to complete the library list in the form -Lpath -llib.
# DEFINE may be used to specify any additional define, which will be reported
@@ -143,6 +144,9 @@ LD = $(CC)
# Those flags only feed CFLAGS so it is not mandatory to use this form.
DEBUG_CFLAGS = -g
+#### Add -Werror when set to non-empty
+ERR =
+
#### Compiler-specific flags that may be used to disable some negative over-
# optimization or to silence some warnings. -fno-strict-aliasing is needed with
# gcc >= 4.4.
@@ -807,6 +811,11 @@ EBTREE_DIR := ebtree
#### Global compile options
VERBOSE_CFLAGS = $(CFLAGS) $(TARGET_CFLAGS) $(SMALL_OPTS) $(DEFINE)
COPTS = -Iinclude -I$(EBTREE_DIR) -Wall
+
+ifneq ($(ERR),)
+COPTS += -Werror
+endif
+
COPTS += $(CFLAGS) $(TARGET_CFLAGS) $(SMALL_OPTS) $(DEFINE) $(SILENT_DEFINE)
COPTS += $(DEBUG) $(OPTIONS_CFLAGS) $(ADDINC)

55
net/haproxy/patches/0033-BUG-MINOR-cache-Crashes-with-total-max-size-2047MB.patch
View file

@ -1,55 +0,0 @@
commit bf7b382e528ab62a9f695b07e659d2f77545e93d
Author: Frédéric Lécaille <flecaille@haproxy.com>
Date: Thu Oct 25 20:17:45 2018 +0200
BUG/MINOR: cache: Crashes with "total-max-size" > 2047(MB).
With this patch we support cache size larger than 2047 (MB) and prevent haproxy from crashing when "total-max-size" is parsed as negative values by atoi().
The limit at parsing time is 4095 MB (UINT_MAX >> 20).
May be backported to 1.8.
(cherry picked from commit b9b8b6b6beb84b6b942d24eda56bfbe3812cc294)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/cache.c b/src/cache.c
index 39e0bad4..df3649ea 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -770,17 +770,32 @@ int cfg_parse_cache(const char *file, int linenum, char **args, int kwm)
tmp_cache_config->maxblocks = 0;
}
} else if (strcmp(args[0], "total-max-size") == 0) {
- int maxsize;
+ unsigned long int maxsize;
+ char *err;
if (alertif_too_many_args(1, file, linenum, args, &err_code)) {
err_code |= ERR_ABORT;
goto out;
}
+ maxsize = strtoul(args[1], &err, 10);
+ if (err == args[1] || *err != '\0') {
+ ha_warning("parsing [%s:%d]: total-max-size wrong value '%s'\n",
+ file, linenum, args[1]);
+ err_code |= ERR_ABORT;
+ goto out;
+ }
+
+ if (maxsize > (UINT_MAX >> 20)) {
+ ha_warning("parsing [%s:%d]: \"total-max-size\" (%s) must not be greater than %u\n",
+ file, linenum, args[1], UINT_MAX >> 20);
+ err_code |= ERR_ABORT;
+ goto out;
+ }
+
/* size in megabytes */
- maxsize = atoi(args[1]) * 1024 * 1024 / CACHE_BLOCKSIZE;
+ maxsize *= 1024 * 1024 / CACHE_BLOCKSIZE;
tmp_cache_config->maxblocks = maxsize;
-
} else if (strcmp(args[0], "max-age") == 0) {
if (alertif_too_many_args(1, file, linenum, args, &err_code)) {
err_code |= ERR_ABORT;

28
net/haproxy/patches/0034-BUG-MINOR-cache-Wrong-usage-of-shctx_init.patch
View file

@ -1,28 +0,0 @@
commit 68c23dedaaae8f29d26c4791b30d138ed1411548
Author: Frédéric Lécaille <flecaille@haproxy.com>
Date: Thu Oct 25 20:18:59 2018 +0200
BUG/MINOR: cache: Wrong usage of shctx_init().
With this patch we check that shctx_init() does not returns 0.
This is possible if the maxblocks argument, which is passed as an
int, is negative due to an implicit conversion.
Must be backported to 1.8.
(cherry picked from commit bc584494e625983f16f35982aa6dd6889e8dd222)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/cache.c b/src/cache.c
index df3649ea..667cede3 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -837,7 +837,7 @@ int cfg_post_parse_section_cache()
ret_shctx = shctx_init(&shctx, tmp_cache_config->maxblocks, CACHE_BLOCKSIZE, sizeof(struct cache), 1);
- if (ret_shctx < 0) {
+ if (ret_shctx <= 0) {
if (ret_shctx == SHCTX_E_INIT_LOCK)
ha_alert("Unable to initialize the lock for the cache.\n");
else

26
net/haproxy/patches/0035-BUG-MINOR-ssl-Wrong-usage-of-shctx_init.patch
View file

@ -1,26 +0,0 @@
commit 49f82640bf3c9a9c808568344bfa94d279c95b7e
Author: Frédéric Lécaille <flecaille@haproxy.com>
Date: Thu Oct 25 20:22:46 2018 +0200
BUG/MINOR: ssl: Wrong usage of shctx_init().
With this patch we check that shctx_init() does not return 0.
Must be backported to 1.8.
(cherry picked from commit 4c8aa117f9bda3b5253f03ad5a7135a9165060f5)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index cfbc38b7..19e41743 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -4768,7 +4768,7 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
sizeof(struct sh_ssl_sess_hdr) + SHSESS_BLOCK_MIN_SIZE,
sizeof(*sh_ssl_sess_tree),
((global.nbthread > 1) || (!global_ssl.private_cache && (global.nbproc > 1))) ? 1 : 0);
- if (alloc_ctx < 0) {
+ if (alloc_ctx <= 0) {
if (alloc_ctx == SHCTX_E_INIT_LOCK)
ha_alert("Unable to initialize the lock for the shared SSL session cache. You can retry using the global statement 'tune.ssl.force-private-cache' but it could increase CPU usage due to renegotiations if nbproc > 1.\n");
else

24
net/haproxy/patches/0036-DOC-cache-Missing-information-about-total-max-size.patch
View file

@ -1,24 +0,0 @@
commit 9c416cf3cc449fd46880d5a7c3fdd1bb98447b68
Author: Frédéric Lécaille <flecaille@haproxy.com>
Date: Thu Oct 25 10:46:40 2018 +0200
DOC: cache: Missing information about "total-max-size"
(cherry picked from commit e3c83d80e3aadb7b2641b861725c9d1dd7dc6713)
[wt: this only retrieves from the original patch the part related to
the max configurable size for total-max-size]
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 7a268386..09980248 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -17132,7 +17132,7 @@ cache <name>
total-max-size <megabytes>
Define the size in RAM of the cache in megabytes. This size is split in
- blocks of 1kB which are used by the cache entries.
+ blocks of 1kB which are used by the cache entries. Its maximum value is 4095.
max-age <seconds>
Define the maximum expiration duration. The expiration is set has the lowest

94
net/haproxy/patches/0037-BUG-MINOR-only-mark-connections-private-if-NTLM-is-detected.patch
View file

@ -1,94 +0,0 @@
commit 7b728d616e417f0a8cd25375f70b8a332ad23a71
Author: Lukas Tribus <lukas@ltri.eu>
Date: Sat Oct 27 20:06:59 2018 +0200
BUG/MINOR: only mark connections private if NTLM is detected
Instead of marking all connections that see a 401/407 response private
(for connection reuse), this patch detects a RFC4559/NTLM authentication
scheme and restricts the private setting to those connections.
This is so we can reuse connections with 401/407 responses with
deterministic load balancing algorithms later (which requires another fix).
This fixes the problem reported here by Elliot Barlas :
https://discourse.haproxy.org/t/unable-to-configure-load-balancing-per-request-over-persistent-connection/3144
Should be backported to 1.8.
(cherry picked from commit fd9b68c48ecdba5e7971899f4eec315c8e3a3cfe)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 09980248..43b1b822 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -4798,10 +4798,8 @@ http-reuse { never | safe | aggressive | always }
- connections sent to a server with a TLS SNI extension are marked private
and are never shared;
- - connections receiving a status code 401 or 407 expect some authentication
- to be sent in return. Due to certain bogus authentication schemes (such
- as NTLM) relying on the connection, these connections are marked private
- and are never shared;
+ - connections with certain bogus authentication schemes (relying on the
+ connection) like NTLM are detected, marked private and are never shared;
No connection pool is involved, once a session dies, the last idle connection
it was attached to is deleted at the same time. This ensures that connections
diff --git a/src/proto_http.c b/src/proto_http.c
index 8f86422d..cde2dbf7 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -4388,8 +4388,6 @@ void http_end_txn_clean_session(struct stream *s)
* it's better to do it (at least it helps with debugging).
*/
s->txn->flags |= TX_PREFER_LAST;
- if (srv_conn)
- srv_conn->flags |= CO_FL_PRIVATE;
}
/* Never ever allow to reuse a connection from a non-reuse backend */
@@ -5053,10 +5051,13 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
struct http_txn *txn = s->txn;
struct http_msg *msg = &txn->rsp;
struct hdr_ctx ctx;
+ struct connection *srv_conn;
int use_close_only;
int cur_idx;
int n;
+ srv_conn = cs_conn(objt_cs(s->si[1].end));
+
DPRINTF(stderr,"[%u] %s: stream=%p b=%p, exp(r,w)=%u,%u bf=%08x bh=%d analysers=%02x\n",
now_ms, __FUNCTION__,
s,
@@ -5588,6 +5589,27 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
msg->body_len = msg->chunk_len = cl;
}
+ /* check for NTML authentication headers in 401 (WWW-Authenticate) and
+ * 407 (Proxy-Authenticate) responses and set the connection to private
+ */
+ if (srv_conn && txn->status == 401) {
+ /* check for Negotiate/NTLM WWW-Authenticate headers */
+ ctx.idx = 0;
+ while (http_find_header2("WWW-Authenticate", 16, rep->buf->p, &txn->hdr_idx, &ctx)) {
+ if ((ctx.vlen >= 9 && word_match(ctx.line + ctx.val, ctx.vlen, "Negotiate", 9)) ||
+ (ctx.vlen >= 4 && word_match(ctx.line + ctx.val, ctx.vlen, "NTLM", 4)))
+ srv_conn->flags |= CO_FL_PRIVATE;
+ }
+ } else if (srv_conn && txn->status == 407) {
+ /* check for Negotiate/NTLM Proxy-Authenticate headers */
+ ctx.idx = 0;
+ while (http_find_header2("Proxy-Authenticate", 18, rep->buf->p, &txn->hdr_idx, &ctx)) {
+ if ((ctx.vlen >= 9 && word_match(ctx.line + ctx.val, ctx.vlen, "Negotiate", 9)) ||
+ (ctx.vlen >= 4 && word_match(ctx.line + ctx.val, ctx.vlen, "NTLM", 4)))
+ srv_conn->flags |= CO_FL_PRIVATE;
+ }
+ }
+
skip_content_length:
/* Now we have to check if we need to modify the Connection header.
* This is more difficult on the response than it is on the request,

76
net/haproxy/patches/0038-BUG-MINOR-only-auto-prefer-last-server-if-lb-alg-is-non-deterministic.patch
View file

@ -1,76 +0,0 @@
commit a100980f50f92e588c2b60f20571e84bf749f3e3
Author: Lukas Tribus <lukas@ltri.eu>
Date: Sat Oct 27 20:07:40 2018 +0200
BUG/MINOR: only auto-prefer last server if lb-alg is non-deterministic
While "option prefer-last-server" only applies to non-deterministic load
balancing algorithms, 401/407 responses actually caused haproxy to prefer
the last server unconditionally.
As this breaks deterministic load balancing algorithms like uri, this
patch applies the same condition here.
Should be backported to 1.8 (together with "BUG/MINOR: only mark
connections private if NTLM is detected").
(cherry picked from commit 80512b186fd7f4ef3bc7d9c92b281c549d72aa8a)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 43b1b822..f0558d5e 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -2498,6 +2498,11 @@ balance url_param <param> [check_post]
algorithm, mode nor option have been set. The algorithm may only be set once
for each backend.
+ With authentication schemes that require the same connection like NTLM, URI
+ based alghoritms must not be used, as they would cause subsequent requests
+ to be routed to different backend servers, breaking the invalid assumptions
+ NTLM relies on.
+
Examples :
balance roundrobin
balance url_param userid
@@ -6486,8 +6491,9 @@ no option prefer-last-server
close of the connection. This can make sense for static file servers. It does
not make much sense to use this in combination with hashing algorithms. Note,
haproxy already automatically tries to stick to a server which sends a 401 or
- to a proxy which sends a 407 (authentication required). This is mandatory for
- use with the broken NTLM authentication challenge, and significantly helps in
+ to a proxy which sends a 407 (authentication required), when the load
+ balancing algorithm is not deterministic. This is mandatory for use with the
+ broken NTLM authentication challenge, and significantly helps in
troubleshooting some faulty applications. Option prefer-last-server might be
desirable in these environments as well, to avoid redistributing the traffic
after every other response.
diff --git a/src/backend.c b/src/backend.c
index fc1eac0d..b3fd6c67 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -572,9 +572,9 @@ int assign_server(struct stream *s)
if (conn &&
(conn->flags & CO_FL_CONNECTED) &&
objt_server(conn->target) && __objt_server(conn->target)->proxy == s->be &&
+ (s->be->lbprm.algo & BE_LB_KIND) != BE_LB_KIND_HI &&
((s->txn && s->txn->flags & TX_PREFER_LAST) ||
((s->be->options & PR_O_PREF_LAST) &&
- (s->be->lbprm.algo & BE_LB_KIND) != BE_LB_KIND_HI &&
(!s->be->max_ka_queue ||
server_has_room(__objt_server(conn->target)) ||
(__objt_server(conn->target)->nbpend + 1) < s->be->max_ka_queue))) &&
diff --git a/src/proto_http.c b/src/proto_http.c
index cde2dbf7..a48c4fdb 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -4385,7 +4385,8 @@ void http_end_txn_clean_session(struct stream *s)
* server over the same connection. This is required by some
* broken protocols such as NTLM, and anyway whenever there is
* an opportunity for sending the challenge to the proper place,
- * it's better to do it (at least it helps with debugging).
+ * it's better to do it (at least it helps with debugging), at
+ * least for non-deterministic load balancing algorithms.
*/
s->txn->flags |= TX_PREFER_LAST;
}

39
net/haproxy/patches/0039-BUG-MAJOR-http-http_txn_get_path-may-deference-an-inexisting-buffer.patch
View file

@ -1,39 +0,0 @@
commit 69d4ddf919fc4bc6d296a743baeccdd44fb89be6
Author: Willy Tarreau <w@1wt.eu>
Date: Sun Oct 28 20:13:12 2018 +0100
BUG/MAJOR: http: http_txn_get_path() may deference an inexisting buffer
When the "path" sample fetch function is called without any path, the
function doesn't check that the request buffer is allocated. While this
doesn't happen with the request during processing, it can definitely
happen when mistakenly trying to reference a path from the response
since the request channel is not allocated anymore.
It's certain that this bug was emphasized by the buffer changes that
went in 1.9 and the HTTP refactoring, but at first glance, 1.8 doesn't
seem 100% safe either so it's possible that older version are affected
as well.
Thanks to PiBa-NL for reporting this bug with a reproducer.
(cherry picked from commit 9d9ccdbf8b1178fefa2843c83bc6612733f9eca6)
[wt: minor adaptation to older buffer API. There are some call places
which don't look structurally safe though in their context the
buffer always ought to be there]
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/proto_http.c b/src/proto_http.c
index a48c4fdb..fb18357b 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -985,6 +985,9 @@ char *http_get_path(struct http_txn *txn)
{
char *ptr, *end;
+ if (!txn->req.chn->buf->size)
+ return NULL;
+
ptr = txn->req.chn->buf->p + txn->req.sl.rq.u;
end = ptr + txn->req.sl.rq.u_l;

77
net/haproxy/patches/0040-BUG-MEDIUM-auth-threads-use-of-crypt-is-not-thread-safe.patch
View file

@ -1,77 +0,0 @@
commit a873c161d251abd025008034c0ddef8cd7f39511
Author: Willy Tarreau <w@1wt.eu>
Date: Mon Oct 29 18:02:54 2018 +0100
BUG/MEDIUM: auth/threads: use of crypt() is not thread-safe
It was reported here that authentication may fail when threads are
enabled :
https://bugzilla.redhat.com/show_bug.cgi?id=1643941
While I couldn't reproduce the issue, it's obvious that there is a
problem with the use of the non-reentrant crypt() function there.
On Linux systems there's crypt_r() but not on the vast majority of
other ones. Thus a first approach consists in placing a lock around
this crypt() call. Another patch may relax it when crypt_r() is
available.
This fix must be backported to 1.8. Thanks to Ryan O'Hara for the
quick notification.
(cherry picked from commit 34d4b525a129baa6f52a930ae629ddb1ba4255c2)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/include/common/hathreads.h b/include/common/hathreads.h
index 44bd66d1..24fb1d1a 100644
--- a/include/common/hathreads.h
+++ b/include/common/hathreads.h
@@ -373,6 +373,7 @@ enum lock_label {
START_LOCK,
TLSKEYS_REF_LOCK,
PENDCONN_LOCK,
+ AUTH_LOCK,
LOCK_LABELS
};
struct lock_stat {
@@ -495,6 +496,7 @@ static inline const char *lock_label(enum lock_label label)
case START_LOCK: return "START";
case TLSKEYS_REF_LOCK: return "TLSKEYS_REF";
case PENDCONN_LOCK: return "PENDCONN";
+ case AUTH_LOCK: return "AUTH";
case LOCK_LABELS: break; /* keep compiler happy */
};
/* only way to come here is consecutive to an internal bug */
diff --git a/src/auth.c b/src/auth.c
index a2c689f7..e0fb1352 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -28,6 +28,7 @@
#include <types/global.h>
#include <common/config.h>
#include <common/errors.h>
+#include <common/hathreads.h>
#include <proto/acl.h>
#include <proto/log.h>
@@ -37,6 +38,10 @@
struct userlist *userlist = NULL; /* list of all existing userlists */
+#ifdef CONFIG_HAP_CRYPT
+__decl_hathreads(static HA_SPINLOCK_T auth_lock);
+#endif
+
/* find targets for selected gropus. The function returns pointer to
* the userlist struct ot NULL if name is NULL/empty or unresolvable.
*/
@@ -245,7 +250,9 @@ check_user(struct userlist *ul, const char *user, const char *pass)
if (!(u->flags & AU_O_INSECURE)) {
#ifdef CONFIG_HAP_CRYPT
+ HA_SPIN_LOCK(AUTH_LOCK, &auth_lock);
ep = crypt(pass, u->pass);
+ HA_SPIN_UNLOCK(AUTH_LOCK, &auth_lock);
#else
return 0;
#endif

43
net/haproxy/patches/0041-BUG-MINOR-config-better-detect-the-presence-of-the-h2-pattern-in-npn-alpn.patch
View file

@ -1,43 +0,0 @@
commit c990c7fe448248c4e2a34b84b593cc1b3536b328
Author: Willy Tarreau <w@1wt.eu>
Date: Sun Nov 11 10:36:25 2018 +0100
BUG/MINOR: config: better detect the presence of the h2 pattern in npn/alpn
In 1.8, commit 45a66cc ("MEDIUM: config: ensure that tune.bufsize is at
least 16384 when using HTTP/2") tried to avoid an annoying issue making
H2 fail when haproxy is built with default buffer sizes smaller than 16kB,
which used to be the case for a very long time. Sadly, the test only sees
when NPN/ALPN exactly match "h2" and not when it's combined like
"h2,http/1.1" nor "http/1.1,h2". We can safely use strstr() there because
the string is prefixed by the token's length (0x02) which is unambiguous
as it cannot be part of any other token.
This fix should be backported to 1.8 as a safety guard against bad
configurations.
(cherry picked from commit 4db49c0704898e51892a176505299de3e022c5ea)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 87a4d803..618ffd39 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -7629,7 +7629,7 @@ int check_config_validity()
if (curproxy->mode == PR_MODE_HTTP && global.tune.bufsize < 16384) {
#ifdef OPENSSL_NPN_NEGOTIATED
/* check NPN */
- if (bind_conf->ssl_conf.npn_str && strcmp(bind_conf->ssl_conf.npn_str, "\002h2") == 0) {
+ if (bind_conf->ssl_conf.npn_str && strstr(bind_conf->ssl_conf.npn_str, "\002h2")) {
ha_alert("config : HTTP frontend '%s' enables HTTP/2 via NPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n",
curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize);
cfgerr++;
@@ -7637,7 +7637,7 @@ int check_config_validity()
#endif
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
/* check ALPN */
- if (bind_conf->ssl_conf.alpn_str && strcmp(bind_conf->ssl_conf.alpn_str, "\002h2") == 0) {
+ if (bind_conf->ssl_conf.alpn_str && strstr(bind_conf->ssl_conf.alpn_str, "\002h2")) {
ha_alert("config : HTTP frontend '%s' enables HTTP/2 via ALPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n",
curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize);
cfgerr++;

61
net/haproxy/patches/0042-BUG-MEDIUM-Make-sure-stksess-is-properly-aligned.patch
View file

@ -1,61 +0,0 @@
commit 5b259db1160fa12820cc5ba6399e4dbcefa6ab22
Author: Olivier Houchard <ohouchard@haproxy.com>
Date: Wed Nov 14 17:54:36 2018 +0100
BUG/MEDIUM: Make sure stksess is properly aligned.
When we allocate struct stksess, we also allocate memory to store the
associated data before the struct itself.
As the data can be of different types, they can have different size. However,
we need the struct stksess to be properly aligned, as it can do 64bits
load/store (including atomic load/stores) on 64bits platforms, and some of
them doesn't support unaligned access.
So, when allocating the struct stksess, round the size up to the next
multiple of sizeof(void *), and make sure the struct stksess itself is
properly aligned.
Many thanks to Paul Martin for investigating and reporting that bug.
This should be backported to earlier releases.
(cherry picked from commit 52dabbc4fad338233c7f0c96f977a43f8f81452a)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
diff --git a/src/stick_table.c b/src/stick_table.c
index f1442603..0a238378 100644
--- a/src/stick_table.c
+++ b/src/stick_table.c
@@ -44,6 +44,7 @@
/* structure used to return a table key built from a sample */
static THREAD_LOCAL struct stktable_key static_table_key;
+#define round_ptr_size(i) (((i) + (sizeof(void *) - 1)) &~ (sizeof(void *) - 1))
/*
* Free an allocated sticky session <ts>, and decrease sticky sessions counter
* in table <t>.
@@ -51,7 +52,7 @@ static THREAD_LOCAL struct stktable_key static_table_key;
void __stksess_free(struct stktable *t, struct stksess *ts)
{
t->current--;
- pool_free(t->pool, (void *)ts - t->data_size);
+ pool_free(t->pool, (void *)ts - round_ptr_size(t->data_size));
}
/*
@@ -229,7 +230,7 @@ struct stksess *__stksess_new(struct stktable *t, struct stktable_key *key)
ts = pool_alloc(t->pool);
if (ts) {
t->current++;
- ts = (void *)ts + t->data_size;
+ ts = (void *)ts + round_ptr_size(t->data_size);
__stksess_init(t, ts);
if (key)
stksess_setkey(t, ts, key);
@@ -597,7 +598,7 @@ int stktable_init(struct stktable *t)
t->updates = EB_ROOT_UNIQUE;
HA_SPIN_INIT(&t->lock);
- t->pool = create_pool("sticktables", sizeof(struct stksess) + t->data_size + t->key_size, MEM_F_SHARED);
+ t->pool = create_pool("sticktables", sizeof(struct stksess) + round_ptr_size(t->data_size) + t->key_size, MEM_F_SHARED);
t->exp_next = TICK_ETERNITY;
if ( t->expire ) {

38
net/haproxy/patches/0043-BUG-MINOR-config-Copy-default-error-messages-when-parsing-of-a-backend-starts.patch
View file

@ -1,38 +0,0 @@
commit 54824cf35520b11ff97e0937beeb429dcdc55fd0
Author: Christopher Faulet <cfaulet@haproxy.com>
Date: Mon Nov 12 11:57:31 2018 +0100
BUG/MINOR: config: Copy default error messages when parsing of a backend starts
To be used, error messages declared in a default section must be copied when the
parsing of a proxy section starts. But this was only done for frontends.
This patch may be backported to older versions.
(cherry picked from commit 6b44975fbd2f7d81074e20bc07fc0e01466cc9c9)
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 618ffd39..6bc6b259 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -2787,15 +2787,15 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
curproxy->server_id_hdr_name = strdup(defproxy.server_id_hdr_name);
}
+ /* initialize error relocations */
+ for (rc = 0; rc < HTTP_ERR_SIZE; rc++)
+ chunk_dup(&curproxy->errmsg[rc], &defproxy.errmsg[rc]);
+
if (curproxy->cap & PR_CAP_FE) {
curproxy->maxconn = defproxy.maxconn;
curproxy->backlog = defproxy.backlog;
curproxy->fe_sps_lim = defproxy.fe_sps_lim;
- /* initialize error relocations */
- for (rc = 0; rc < HTTP_ERR_SIZE; rc++)
- chunk_dup(&curproxy->errmsg[rc], &defproxy.errmsg[rc]);
-
curproxy->to_log = defproxy.to_log & ~LW_COOKIE & ~LW_REQHDR & ~ LW_RSPHDR;
}

32
net/haproxy/patches/0044-BUG-MEDIUM-hpack-fix-encoding-of-accept-ranges-field.patch
View file

@ -1,32 +0,0 @@
commit 64a7cbf4ea3276b72ffb121acab676542cebde1b
Author: Willy Tarreau <w@1wt.eu>
Date: Tue Nov 20 04:47:38 2018 +0100
BUG/MEDIUM: hpack: fix encoding of "accept-ranges" field
James Brown reported that when an "accept-ranges" header field is sent
through haproxy and converted from HTTP/1.1 to H2, it's mis-encoded as
"accept-language". It happens that it's one of the few very common header
fields encoded using its index value and that this index value was misread
in the spec as 17 instead of 18, resulting in the wrong name being sent.
Thanks to Lukas for spotting the issue in the HPACK encoder itself.
This fix must be backported to 1.8.
(cherry picked from commit 4bf194cbdbcda8ec4ce83d7f12d2fe9b08483c94)
[wla: buffer API edit]
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
diff --git a/src/hpack-enc.c b/src/hpack-enc.c
index d1f68c58..99c73103 100644
--- a/src/hpack-enc.c
+++ b/src/hpack-enc.c
@@ -101,7 +101,7 @@ int hpack_encode_header(struct chunk *out, const struct ist n, const struct ist
else if (isteq(n, ist("last-modified")))
out->str[len++] = 0x6c; // literal with indexing -- name="last-modified" (idx 44)
else if (isteq(n, ist("accept-ranges")))
- out->str[len++] = 0x51; // literal with indexing -- name="accept-ranges" (idx 17)
+ out->str[len++] = 0x52; // literal with indexing -- name="accept-ranges" (idx 18)
else if (isteq(n, ist("cache-control")))
out->str[len++] = 0x58; // literal with indexing -- name="cache-control" (idx 24)
else if (isteq(n, ist("content-length")))