git \
libncurses5-dev \
libssl-dev \
+python \
subversion \
zlib1g-dev \
&& rm -rf /var/lib/apt/lists/*
jobs:
build:
docker:
- - image: champtar/openwrtpackagesci@sha256:ba41678f7bd9dea5f1caef9594167588c306caf08bc2f90e779a91e57a9fc7bd
+ - image: champtar/openwrtpackagesci@sha256:4d8bea09b6fd51e015f417a8f0056b914d0db6aa9829b0049065a077f52a91e9
environment:
- SDK_BASE_URL: "https://downloads.lede-project.org/snapshots/targets/ar71xx/generic"
- SDK_FILE: "openwrt-sdk-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64.tar.xz"
- branches:
- only: /pull.*/
steps:
- run:
name: Download the SDK
name: Download & check & compile
working_directory: ~/build_dir
command: |
- PKGS=$(cd ~/openwrt_packages; git diff --diff-filter=d --name-only "origin/master" | grep 'Makefile$' | grep -v '/files/' | awk -F/ '{ print $(NF-1) }')
+ PKGS=$(cd ~/openwrt_packages; git diff --diff-filter=d --name-only "origin/master..." | grep 'Makefile$' | grep -v '/files/' | awk -F/ '{ print $(NF-1) }')
echo "Packages: $PKGS"
for PKG in $PKGS ; do
make "package/$PKG/download" V=s
- store_artifacts:
path: ~/build_dir/bin
+workflows:
+ version: 2
+ buildpr:
+ jobs:
+ - build:
+ filters:
+ branches:
+ ignore: master
include $(TOPDIR)/rules.mk
PKG_NAME:=c-ares
-PKG_VERSION:=1.14.0
+PKG_VERSION:=1.15.0
PKG_RELEASE:=4
PKG_LICENSE:=MIT
PKG_CPE_ID:=cpe:/a:c-ares_project:c-ares
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://c-ares.haxx.se/download
-PKG_HASH:=45d3c1fd29263ceec2afc8ff9cd06d5f8f889636eb4e80ce3cc7f0eaf7aadc6e
+PKG_HASH:=6cdb97871f2930530c97deb7cf5c8fa4be5a0b02c7cea6e7c7667672a39d6852
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1
include $(TOPDIR)/rules.mk
PKG_NAME:=libpam
-PKG_VERSION:=1.2.0
-PKG_RELEASE:=2
+PKG_VERSION:=1.3.0
+PKG_RELEASE:=1
PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.linux-pam.org/library/
-PKG_HASH:=cd8beac5961e942e9c73b32a3cd1a3457755f8fb35d07c9ec64511e19e135ea4
+PKG_HASH:=241aed1ef522f66ed672719ecf2205ec513fd0075ed80cda8e086a5b1a01d1bb
PKG_INSTALL:=1
PKG_FIXUP:=autoreconf
PKG_MAINTAINER:=Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
fi
- if test ${libdir} = '${exec_prefix}/lib'
- then
-- case "`uname -m`" in
+- case "$host_cpu" in
- x86_64|ppc64|s390x|sparc64)
- libdir="/lib64" ;;
- *)
index 306b6e2..084071a 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -534,7 +534,10 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec
+@@ -524,7 +524,10 @@ AC_CHECK_FUNCS(fseeko getdomainname gethostname gettimeofday lckpwdf mkdir selec
AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
AC_CHECK_FUNCS(getgrouplist getline getdelim)
index 084071a..ca4bf5b 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -536,8 +536,10 @@ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r
+@@ -526,8 +526,10 @@ AC_CHECK_FUNCS(getutent_r getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r
AC_CHECK_FUNCS(getgrouplist getline getdelim)
AC_CHECK_FUNCS(inet_ntop inet_pton innetgr)
AC_CHECK_FUNCS([ruserok_af ruserok], [break])
+++ /dev/null
-From a35daea1b8be768d1b0be6eae157fbf3e5380f92 Mon Sep 17 00:00:00 2001
-From: Yousong Zhou <yszhou4tech@gmail.com>
-Date: Wed, 17 Jun 2015 18:22:31 +0800
-Subject: [PATCH 4/7] build: fix build when crypt() is not part of crypt_libs.
-
-* configure.ac: ditto.
-
-Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index ca4bf5b..6553c78 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -408,7 +408,7 @@ AS_IF([test "x$ac_cv_header_xcrypt_h" = "xyes"],
- [crypt_libs="crypt"])
-
- BACKUP_LIBS=$LIBS
--AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="-l$ac_lib", LIBCRYPT="")
-+AC_SEARCH_LIBS([crypt],[$crypt_libs], LIBCRYPT="${ac_lib:+-l$ac_lib}", LIBCRYPT="")
- AC_CHECK_FUNCS(crypt_r crypt_gensalt_r)
- LIBS=$BACKUP_LIBS
- AC_SUBST(LIBCRYPT)
---
-1.7.10.4
-
index 2d330e5..970724a 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
-@@ -336,7 +336,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
+@@ -410,7 +410,7 @@ static int _do_setpass(pam_handle_t* pamh, const char *forwho,
}
if (on(UNIX_NIS, ctrl) && _unix_comesfromsource(pamh, forwho, 0, 1)) {
+++ /dev/null
-From c681bd104627139eac2f40fe303e1f67676233e8 Mon Sep 17 00:00:00 2001
-From: Yousong Zhou <yszhou4tech@gmail.com>
-Date: Wed, 17 Jun 2015 15:33:43 +0800
-Subject: [PATCH 7/7] Check if innetgr is available at compile time.
-
-innetgr may not be there so make sure that when innetgr is not present
-then we inform about it and not use it.
-
-* modules/pam_group/pam_group.c: ditto
-* modules/pam_succeed_if/pam_succeed_if.c: ditto
-* modules/pam_time/pam_time.c: ditto
-
-Signed-off-by: Khem Raj <raj.khem at gmail.com>
-Signed-off-by: Yousong Zhou <yszhou4tech at gmail.com>
----
- modules/pam_group/pam_group.c | 4 ++++
- modules/pam_succeed_if/pam_succeed_if.c | 17 +++++++++++++----
- modules/pam_time/pam_time.c | 4 ++++
- 3 files changed, 21 insertions(+), 4 deletions(-)
-
-diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
-index be5f20f..6a065ca 100644
---- a/modules/pam_group/pam_group.c
-+++ b/modules/pam_group/pam_group.c
-@@ -656,7 +656,11 @@ static int check_account(pam_handle_t *pamh, const char *service,
- }
- /* If buffer starts with @, we are using netgroups */
- if (buffer[0] == '@')
-+#ifdef HAVE_INNETGR
- good &= innetgr (&buffer[1], NULL, user, NULL);
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_group does not have netgroup support");
-+#endif
- /* otherwise, if the buffer starts with %, it's a UNIX group */
- else if (buffer[0] == '%')
- good &= pam_modutil_user_in_group_nam_nam(pamh, user, &buffer[1]);
-diff --git a/modules/pam_succeed_if/pam_succeed_if.c b/modules/pam_succeed_if/pam_succeed_if.c
-index aa828fc..c0c68a0 100644
---- a/modules/pam_succeed_if/pam_succeed_if.c
-+++ b/modules/pam_succeed_if/pam_succeed_if.c
-@@ -231,18 +231,27 @@ evaluate_notingroup(pam_handle_t *pamh, const char *user, const char *group)
- }
- /* Return PAM_SUCCESS if the (host,user) is in the netgroup. */
- static int
--evaluate_innetgr(const char *host, const char *user, const char *group)
-+evaluate_innetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
- {
-+#ifdef HAVE_INNETGR
- if (innetgr(group, host, user, NULL) == 1)
- return PAM_SUCCESS;
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
-+#endif
-+
- return PAM_AUTH_ERR;
- }
- /* Return PAM_SUCCESS if the (host,user) is NOT in the netgroup. */
- static int
--evaluate_notinnetgr(const char *host, const char *user, const char *group)
-+evaluate_notinnetgr(const pam_handle_t* pamh, const char *host, const char *user, const char *group)
- {
-+#ifdef HAVE_INNETGR
- if (innetgr(group, host, user, NULL) == 0)
- return PAM_SUCCESS;
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_succeed_if does not have netgroup support");
-+#endif
- return PAM_AUTH_ERR;
- }
-
-@@ -387,14 +396,14 @@ evaluate(pam_handle_t *pamh, int debug,
- const void *rhost;
- if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
- rhost = NULL;
-- return evaluate_innetgr(rhost, user, right);
-+ return evaluate_innetgr(pamh, rhost, user, right);
- }
- /* (Rhost, user) is not in this group. */
- if (strcasecmp(qual, "notinnetgr") == 0) {
- const void *rhost;
- if (pam_get_item(pamh, PAM_RHOST, &rhost) != PAM_SUCCESS)
- rhost = NULL;
-- return evaluate_notinnetgr(rhost, user, right);
-+ return evaluate_notinnetgr(pamh, rhost, user, right);
- }
- /* Fail closed. */
- return PAM_SERVICE_ERR;
-diff --git a/modules/pam_time/pam_time.c b/modules/pam_time/pam_time.c
-index c94737c..0b34a14 100644
---- a/modules/pam_time/pam_time.c
-+++ b/modules/pam_time/pam_time.c
-@@ -555,7 +555,11 @@ check_account(pam_handle_t *pamh, const char *service,
- }
- /* If buffer starts with @, we are using netgroups */
- if (buffer[0] == '@')
-+#ifdef HAVE_INNETGR
- good &= innetgr (&buffer[1], NULL, user, NULL);
-+#else
-+ pam_syslog (pamh, LOG_ERR, "pam_time does not have netgroup support");
-+#endif
- else
- good &= logic_field(pamh, user, buffer, count, is_same);
- D(("with user: %s", good ? "passes":"fails" ));
---
-1.7.10.4
-
--- /dev/null
+From 9f23ba5a40b42acf4463b593bffd73caee8b527c Mon Sep 17 00:00:00 2001
+From: Rosen Penev <rosenp@gmail.com>
+Date: Sun, 15 Jul 2018 20:43:44 -0700
+Subject: [PATCH] Replace strndupa with strcpy
+
+glibc only. A static string is better.
+
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+---
+ modules/pam_exec/pam_exec.c | 31 +++++++++++--------------------
+ 1 file changed, 11 insertions(+), 20 deletions(-)
+
+diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
+index 0ab6548..2fbab4f 100644
+--- a/modules/pam_exec/pam_exec.c
++++ b/modules/pam_exec/pam_exec.c
+@@ -102,7 +102,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
+ int use_stdout = 0;
+ int optargc;
+ const char *logfile = NULL;
+- const char *authtok = NULL;
++ char authtok[PAM_MAX_RESP_SIZE];
+ pid_t pid;
+ int fds[2];
+ int stdout_fds[2];
+@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
+ }
+
+ pam_set_item (pamh, PAM_AUTHTOK, resp);
+- authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
++ strcpy (authtok, resp);
+ _pam_drop (resp);
+ }
+ else
+- authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
++ strcpy (authtok, void_pass);
+
+ if (pipe(fds) != 0)
+ {
+@@ -222,23 +222,14 @@ call_exec (const char *pam_type, pam_handle_t *pamh,
+
+ if (expose_authtok) /* send the password to the child */
+ {
+- if (authtok != NULL)
+- { /* send the password to the child */
+- if (debug)
+- pam_syslog (pamh, LOG_DEBUG, "send password to child");
+- if (write(fds[1], authtok, strlen(authtok)+1) == -1)
+- pam_syslog (pamh, LOG_ERR,
+- "sending password to child failed: %m");
+- authtok = NULL;
+- }
+- else
+- {
+- if (write(fds[1], "", 1) == -1) /* blank password */
+- pam_syslog (pamh, LOG_ERR,
+- "sending password to child failed: %m");
+- }
+- close(fds[0]); /* close here to avoid possible SIGPIPE above */
+- close(fds[1]);
++ if (debug)
++ pam_syslog (pamh, LOG_DEBUG, "send password to child");
++ if (write(fds[1], authtok, strlen(authtok)) == -1)
++ pam_syslog (pamh, LOG_ERR,
++ "sending password to child failed: %m");
++
++ close(fds[0]); /* close here to avoid possible SIGPIPE above */
++ close(fds[1]);
+ }
+
+ if (use_stdout)
+--
+2.19.1
+
PKG_MAINTAINER:=Mislav Novakovic <mislav.novakovic@sartura.hr>
PKG_NAME:=libssh
-PKG_VERSION:=0.7.5
-PKG_RELEASE:=2
+PKG_VERSION:=0.7.6
+PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=https://red.libssh.org/attachments/download/218/
-PKG_HASH:=54e86dd5dc20e5367e58f3caab337ce37675f863f80df85b6b1614966a337095
+PKG_SOURCE_URL:=https://www.libssh.org/files/0.7/
+PKG_HASH:=1d607d3859274f755942324afb0f887ee22edd157f9596a2e69e3a28ec6d1092
+
+PKG_CPE_ID:=cpe:/a:libssh:libssh
CMAKE_INSTALL:=1
PKG_BUILD_PARALLEL:=1
-PKG_INSTALL:=1
PKG_USE_MIPS16:=0
include $(INCLUDE_DIR)/package.mk
CATEGORY:=Libraries
URL:=$(PKG_SOURCE_URL)
TITLE:=SSH library
- DEPENDS:=+libpthread +librt +zlib +libopenssl @BROKEN
+ DEPENDS:=+libpthread +librt +zlib +libopenssl
endef
define Package/libssh/description
endef
CMAKE_OPTIONS = \
- -DCMAKE_INSTALL_PREFIX:PATH=/usr \
- -DCMAKE_BUILD_TYPE:STRING=Release \
-DHAVE_STRTOULL=1 \
-DHAVE_GETADDRINFO=1 \
-DHAVE_TERMIOS_H=1 \
--- /dev/null
+From f81ca6161223e3566ce78a427571235fb6848fe9 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 29 Aug 2018 18:41:15 +0200
+Subject: [PATCH 1/8] misc: Add strndup implementation if not provides by the
+ OS
+
+Fixes T112
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit 247983e9820fd264cb5a59c14cc12846c028bd08)
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ ConfigureChecks.cmake | 1 +
+ config.h.cmake | 3 +++
+ include/libssh/priv.h | 4 ++++
+ src/misc.c | 21 +++++++++++++++++++++
+ 4 files changed, 29 insertions(+)
+
+--- a/ConfigureChecks.cmake
++++ b/ConfigureChecks.cmake
+@@ -115,6 +115,7 @@ endif (NOT WITH_GCRYPT)
+
+ check_function_exists(isblank HAVE_ISBLANK)
+ check_function_exists(strncpy HAVE_STRNCPY)
++check_function_exists(strndup HAVE_STRNDUP)
+ check_function_exists(strtoull HAVE_STRTOULL)
+
+ if (NOT WIN32)
+--- a/config.h.cmake
++++ b/config.h.cmake
+@@ -103,6 +103,9 @@
+ /* Define to 1 if you have the `strncpy' function. */
+ #cmakedefine HAVE_STRNCPY 1
+
++/* Define to 1 if you have the `strndup' function. */
++#cmakedefine HAVE_STRNDUP 1
++
+ /* Define to 1 if you have the `cfmakeraw' function. */
+ #cmakedefine HAVE_CFMAKERAW 1
+
+--- a/include/libssh/priv.h
++++ b/include/libssh/priv.h
+@@ -43,6 +43,10 @@
+ # endif
+ #endif /* !defined(HAVE_STRTOULL) */
+
++#if !defined(HAVE_STRNDUP)
++char *strndup(const char *s, size_t n);
++#endif /* ! HAVE_STRNDUP */
++
+ #ifdef HAVE_BYTESWAP_H
+ #include <byteswap.h>
+ #endif
+--- a/src/misc.c
++++ b/src/misc.c
+@@ -1028,6 +1028,27 @@ int ssh_match_group(const char *group, c
+ return 0;
+ }
+
++#if !defined(HAVE_STRNDUP)
++char *strndup(const char *s, size_t n)
++{
++ char *x = NULL;
++
++ if (n + 1 < n) {
++ return NULL;
++ }
++
++ x = malloc(n + 1);
++ if (x == NULL) {
++ return NULL;
++ }
++
++ memcpy(x, s, n);
++ x[n] = '\0';
++
++ return x;
++}
++#endif /* ! HAVE_STRNDUP */
++
+ /** @} */
+
+ /* vim: set ts=4 sw=4 et cindent: */
--- /dev/null
+From e4c6d591df6a9c34c1ff3ec9f367c7257122bef3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 17 Oct 2018 07:23:10 +0200
+Subject: [PATCH 2/8] packet: Add missing break in ssh_packet_incoming_filter()
+
+CID 1396239
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit fe618a35dc4be3e73ddf29d0c4a96b98d3b9c48f)
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/packet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -285,6 +285,7 @@ static enum ssh_packet_filter_result_e s
+ (session->dh_handshake_state != DH_STATE_FINISHED))
+ {
+ rc = SSH_PACKET_DENIED;
++ break;
+ }
+
+ rc = SSH_PACKET_ALLOWED;
--- /dev/null
+From 734e3ce6747a5ed120b93a1ff253b3fde5f20024 Mon Sep 17 00:00:00 2001
+From: Meng Tan <mtan@wallix.com>
+Date: Wed, 17 Oct 2018 14:50:08 +0200
+Subject: [PATCH 3/8] server: Set correct state after sending INFO_REQUEST (Kbd
+ Interactive)
+
+Signed-off-by: Meng Tan <mtan@wallix.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit 4ea46eecce9f4e676150fe27fec34e1570b70ace)
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/server.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/src/server.c
++++ b/src/server.c
+@@ -976,6 +976,7 @@ int ssh_message_auth_interactive_request
+ msg->session->kbdint->prompts = NULL;
+ msg->session->kbdint->echo = NULL;
+ }
++ msg->session->auth.state = SSH_AUTH_STATE_INFO;
+
+ return rc;
+ }
--- /dev/null
+From 3fe7510b261098e3937ab5417935916a46e6727b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Fri, 19 Oct 2018 11:40:44 +0200
+Subject: [PATCH 4/8] messages: Check that the requested service is
+ 'ssh-connection'
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit 9c200d3ef4f62d724d3bae2563b81c38cc31e215)
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/messages.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/src/messages.c
++++ b/src/messages.c
+@@ -649,6 +649,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_
+ ssh_message msg = NULL;
+ char *service = NULL;
+ char *method = NULL;
++ int cmp;
+ int rc;
+
+ (void)user;
+@@ -675,6 +676,13 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_
+ service, method,
+ msg->auth_request.username);
+
++ cmp = strcmp(service, "ssh-connection");
++ if (cmp != 0) {
++ SSH_LOG(SSH_LOG_WARNING,
++ "Invalid service request: %s",
++ service);
++ goto end;
++ }
+
+ if (strcmp(method, "none") == 0) {
+ msg->auth_request.method = SSH_AUTH_METHOD_NONE;
--- /dev/null
+From acb0e4f401440ca325e441064d2cb4b896fb9a3d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 17 Oct 2018 17:32:54 +0200
+Subject: [PATCH 5/8] examples: Explicitly track auth state in
+ samplesshd-kbdint
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit 0ff566b6dde5cd27653aa35280feceefad5d5224)
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ examples/samplesshd-kbdint.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/examples/samplesshd-kbdint.c
++++ b/examples/samplesshd-kbdint.c
+@@ -23,6 +23,7 @@ clients must be made or how a client sho
+ #include <stdlib.h>
+ #include <string.h>
+ #include <stdio.h>
++#include <stdbool.h>
+
+ #define SSHD_USER "libssh"
+ #define SSHD_PASSWORD "libssh"
+@@ -36,6 +37,7 @@ clients must be made or how a client sho
+ #endif
+
+ static int port = 22;
++static bool authenticated = false;
+
+ #ifdef WITH_PCAP
+ static const char *pcap_file = "debug.server.pcap";
+@@ -61,11 +63,20 @@ static void cleanup_pcap(void) {
+ #endif
+
+
+-static int auth_password(const char *user, const char *password){
+- if(strcmp(user, SSHD_USER))
++static int auth_password(const char *user, const char *password)
++{
++ int cmp;
++
++ cmp = strcmp(user, SSHD_USER);
++ if (cmp != 0) {
+ return 0;
+- if(strcmp(password, SSHD_PASSWORD))
++ }
++ cmp = strcmp(password, SSHD_PASSWORD);
++ if (cmp != 0) {
+ return 0;
++ }
++
++ authenticated = true;
+ return 1; // authenticated
+ }
+ #ifdef HAVE_ARGP_H
+@@ -200,6 +211,7 @@ static int kbdint_check_response(ssh_ses
+ return 0;
+ }
+
++ authenticated = true;
+ return 1;
+ }
+
+@@ -328,7 +340,7 @@ int main(int argc, char **argv){
+
+ /* proceed to authentication */
+ auth = authenticate(session);
+- if(!auth){
++ if (!auth || !authenticated) {
+ printf("Authentication error: %s\n", ssh_get_error(session));
+ ssh_disconnect(session);
+ return 1;
--- /dev/null
+From 7ad80ba1cc48f7af1f192692d100a6255d97b843 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 24 Oct 2018 19:57:17 +0200
+Subject: [PATCH 6/8] server: Fix compile error
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/server.c
++++ b/src/server.c
+@@ -976,7 +976,7 @@ int ssh_message_auth_interactive_request
+ msg->session->kbdint->prompts = NULL;
+ msg->session->kbdint->echo = NULL;
+ }
+- msg->session->auth.state = SSH_AUTH_STATE_INFO;
++ msg->session->auth_state = SSH_AUTH_STATE_INFO;
+
+ return rc;
+ }
--- /dev/null
+From 103973215443f6e02e010114a3f7ac19eb6f3c8c Mon Sep 17 00:00:00 2001
+From: Meng Tan <mtan@wallix.com>
+Date: Thu, 25 Oct 2018 17:06:06 +0200
+Subject: [PATCH 7/8] gssapi: Set correct state after sending GSSAPI_RESPONSE
+ (select mechanism OID)
+
+Signed-off-by: Meng Tan <mtan@wallix.com>
+Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit bce8d567053232debd6ec490af5a7d27e1160f39)
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/gssapi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/src/gssapi.c
++++ b/src/gssapi.c
+@@ -120,6 +120,7 @@ static int ssh_gssapi_send_response(ssh_
+ ssh_set_error_oom(session);
+ return SSH_ERROR;
+ }
++ session->auth_state = SSH_AUTH_STATE_GSSAPI_TOKEN;
+
+ packet_send(session);
+ SSH_LOG(SSH_LOG_PACKET,
--- /dev/null
+From 9d5cf209df4c260546e1468cc15fbbbfba3097c6 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Sat, 27 Oct 2018 22:15:56 +0200
+Subject: [PATCH 8/8] libcrypto: Fix memory leak in evp_final()
+
+Fixes T116
+
+Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
+(cherry picked from commit a2807474621e51b386ea26ce2a01d2b1aa295c7b)
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/libcrypto.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/src/libcrypto.c
++++ b/src/libcrypto.c
+@@ -165,6 +165,7 @@ void evp_update(EVPCTX ctx, const void *
+ void evp_final(EVPCTX ctx, unsigned char *md, unsigned int *mdlen)
+ {
+ EVP_DigestFinal(ctx, md, mdlen);
++ EVP_MD_CTX_free(ctx);
+ }
+ #endif
+
set(PACKAGE ${APPLICATION_NAME})
set(VERSION ${APPLICATION_VERSION})
-@@ -270,6 +269,8 @@ if (WITH_GSSAPI AND NOT GSSAPI_FOUND)
+@@ -272,6 +271,8 @@ if (WITH_GSSAPI AND NOT GSSAPI_FOUND)
endif (WITH_GSSAPI AND NOT GSSAPI_FOUND)
# ENDIAN
+++ /dev/null
---- a/src/libcrypto.c
-+++ b/src/libcrypto.c
-@@ -43,10 +43,12 @@
- #include <openssl/hmac.h>
- #include <openssl/opensslv.h>
- #include <openssl/rand.h>
-+#include "libcrypto-compat.h"
-
- #ifdef HAVE_OPENSSL_AES_H
- #define HAS_AES
- #include <openssl/aes.h>
-+#include <openssl/modes.h>
- #endif
- #ifdef HAVE_OPENSSL_BLOWFISH_H
- #define HAS_BLOWFISH
-@@ -133,18 +135,20 @@ static const EVP_MD *nid_to_evpmd(int ni
- void evp(int nid, unsigned char *digest, int len, unsigned char *hash, unsigned int *hlen)
- {
- const EVP_MD *evp_md = nid_to_evpmd(nid);
-- EVP_MD_CTX md;
-+ EVP_MD_CTX *md;
-
-- EVP_DigestInit(&md, evp_md);
-- EVP_DigestUpdate(&md, digest, len);
-- EVP_DigestFinal(&md, hash, hlen);
-+ md = EVP_MD_CTX_new();
-+ EVP_DigestInit(md, evp_md);
-+ EVP_DigestUpdate(md, digest, len);
-+ EVP_DigestFinal(md, hash, hlen);
-+ EVP_MD_CTX_free(md);
- }
-
- EVPCTX evp_init(int nid)
- {
- const EVP_MD *evp_md = nid_to_evpmd(nid);
-
-- EVPCTX ctx = malloc(sizeof(EVP_MD_CTX));
-+ EVPCTX ctx = EVP_MD_CTX_new();
- if (ctx == NULL) {
- return NULL;
- }
-@@ -322,32 +326,33 @@ void ssh_mac_final(unsigned char *md, ss
- HMACCTX hmac_init(const void *key, int len, enum ssh_hmac_e type) {
- HMACCTX ctx = NULL;
-
-- ctx = malloc(sizeof(*ctx));
-+ ctx = HMAC_CTX_new();
- if (ctx == NULL) {
- return NULL;
- }
-
- #ifndef OLD_CRYPTO
-- HMAC_CTX_init(ctx); // openssl 0.9.7 requires it.
-+ HMAC_CTX_reset(ctx); // openssl 0.9.7 requires it.
- #endif
-
- switch(type) {
- case SSH_HMAC_SHA1:
-- HMAC_Init(ctx, key, len, EVP_sha1());
-+ HMAC_Init_ex(ctx, key, len, EVP_sha1(), NULL);
- break;
- case SSH_HMAC_SHA256:
-- HMAC_Init(ctx, key, len, EVP_sha256());
-+ HMAC_Init_ex(ctx, key, len, EVP_sha256(), NULL);
- break;
- case SSH_HMAC_SHA384:
-- HMAC_Init(ctx, key, len, EVP_sha384());
-+ HMAC_Init_ex(ctx, key, len, EVP_sha384(), NULL);
- break;
- case SSH_HMAC_SHA512:
-- HMAC_Init(ctx, key, len, EVP_sha512());
-+ HMAC_Init_ex(ctx, key, len, EVP_sha512(), NULL);
- break;
- case SSH_HMAC_MD5:
-- HMAC_Init(ctx, key, len, EVP_md5());
-+ HMAC_Init_ex(ctx, key, len, EVP_md5(), NULL);
- break;
- default:
-+ HMAC_CTX_free(ctx);
- SAFE_FREE(ctx);
- ctx = NULL;
- }
-@@ -363,7 +368,8 @@ void hmac_final(HMACCTX ctx, unsigned ch
- HMAC_Final(ctx,hashmacbuf,len);
-
- #ifndef OLD_CRYPTO
-- HMAC_CTX_cleanup(ctx);
-+ HMAC_CTX_free(ctx);
-+ ctx = NULL;
- #else
- HMAC_cleanup(ctx);
- #endif
-@@ -455,7 +461,11 @@ static void aes_ctr128_encrypt(struct ss
- * Same for num, which is being used to store the current offset in blocksize in CTR
- * function.
- */
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- AES_ctr128_encrypt(in, out, len, cipher->key, cipher->IV, tmp_buffer, &num);
-+#else
-+ CRYPTO_ctr128_encrypt(in, out, len, cipher->key, cipher->IV, tmp_buffer, &num, (block128_f)AES_encrypt);
-+#endif
- }
- #endif /* BROKEN_AES_CTR */
- #endif /* HAS_AES */
---- a/src/pki_crypto.c
-+++ b/src/pki_crypto.c
-@@ -31,6 +31,7 @@
- #include <openssl/dsa.h>
- #include <openssl/err.h>
- #include <openssl/rsa.h>
-+#include "libcrypto-compat.h"
-
- #ifdef HAVE_OPENSSL_EC_H
- #include <openssl/ec.h>
-@@ -230,7 +231,10 @@ ssh_key pki_key_dup(const ssh_key key, i
- }
-
- switch (key->type) {
-- case SSH_KEYTYPE_DSS:
-+ case SSH_KEYTYPE_DSS: {
-+ const BIGNUM *p = NULL, *q = NULL, *g = NULL,
-+ *pub_key = NULL, *priv_key = NULL;
-+ BIGNUM *np, *nq, *ng, *npub_key, *npriv_key;
- new->dsa = DSA_new();
- if (new->dsa == NULL) {
- goto fail;
-@@ -243,36 +247,54 @@ ssh_key pki_key_dup(const ssh_key key, i
- * pub_key = public key y = g^x
- * priv_key = private key x
- */
-- new->dsa->p = BN_dup(key->dsa->p);
-- if (new->dsa->p == NULL) {
-+ DSA_get0_pqg(key->dsa, &p, &q, &g);
-+ np = BN_dup(p);
-+ nq = BN_dup(q);
-+ ng = BN_dup(g);
-+ if (np == NULL || nq == NULL || ng == NULL) {
-+ BN_free(np);
-+ BN_free(nq);
-+ BN_free(ng);
- goto fail;
- }
-
-- new->dsa->q = BN_dup(key->dsa->q);
-- if (new->dsa->q == NULL) {
-+ rc = DSA_set0_pqg(new->dsa, np, nq, ng);
-+ if (rc == 0) {
-+ BN_free(np);
-+ BN_free(nq);
-+ BN_free(ng);
- goto fail;
- }
-
-- new->dsa->g = BN_dup(key->dsa->g);
-- if (new->dsa->g == NULL) {
-+ DSA_get0_key(key->dsa, &pub_key, &priv_key);
-+ npub_key = BN_dup(pub_key);
-+ if (npub_key == NULL) {
- goto fail;
- }
-
-- new->dsa->pub_key = BN_dup(key->dsa->pub_key);
-- if (new->dsa->pub_key == NULL) {
-+ rc = DSA_set0_key(new->dsa, npub_key, NULL);
-+ if (rc == 0) {
- goto fail;
- }
-
- if (!demote && (key->flags & SSH_KEY_FLAG_PRIVATE)) {
-- new->dsa->priv_key = BN_dup(key->dsa->priv_key);
-- if (new->dsa->priv_key == NULL) {
-+ npriv_key = BN_dup(priv_key);
-+ if (npriv_key == NULL) {
-+ goto fail;
-+ }
-+
-+ rc = DSA_set0_key(new->dsa, NULL, npriv_key);
-+ if (rc == 0) {
- goto fail;
- }
- }
-
- break;
-+ }
- case SSH_KEYTYPE_RSA:
-- case SSH_KEYTYPE_RSA1:
-+ case SSH_KEYTYPE_RSA1: {
-+ const BIGNUM *n = NULL, *e = NULL, *d = NULL;
-+ BIGNUM *nn, *ne, *nd;
- new->rsa = RSA_new();
- if (new->rsa == NULL) {
- goto fail;
-@@ -288,62 +310,82 @@ ssh_key pki_key_dup(const ssh_key key, i
- * dmq1 = d mod (q-1)
- * iqmp = q^-1 mod p
- */
-- new->rsa->n = BN_dup(key->rsa->n);
-- if (new->rsa->n == NULL) {
-+ RSA_get0_key(key->rsa, &n, &e, &d);
-+ nn = BN_dup(n);
-+ ne = BN_dup(e);
-+ if (nn == NULL || ne == NULL) {
-+ BN_free(nn);
-+ BN_free(ne);
- goto fail;
- }
-
-- new->rsa->e = BN_dup(key->rsa->e);
-- if (new->rsa->e == NULL) {
-+ rc = RSA_set0_key(new->rsa, nn, ne, NULL);
-+ if (rc == 0) {
-+ BN_free(nn);
-+ BN_free(ne);
- goto fail;
- }
-
- if (!demote && (key->flags & SSH_KEY_FLAG_PRIVATE)) {
-- new->rsa->d = BN_dup(key->rsa->d);
-- if (new->rsa->d == NULL) {
-+ const BIGNUM *p = NULL, *q = NULL, *dmp1 = NULL,
-+ *dmq1 = NULL, *iqmp = NULL;
-+ BIGNUM *np, *nq, *ndmp1, *ndmq1, *niqmp;
-+
-+ nd = BN_dup(d);
-+ if (nd == NULL) {
-+ goto fail;
-+ }
-+
-+ rc = RSA_set0_key(new->rsa, NULL, NULL, nd);
-+ if (rc == 0) {
- goto fail;
- }
-
- /* p, q, dmp1, dmq1 and iqmp may be NULL in private keys, but the
- * RSA operations are much faster when these values are available.
- */
-- if (key->rsa->p != NULL) {
-- new->rsa->p = BN_dup(key->rsa->p);
-- if (new->rsa->p == NULL) {
-+ RSA_get0_factors(key->rsa, &p, &q);
-+ if (p != NULL && q != NULL) { /* need to set both of them */
-+ np = BN_dup(p);
-+ nq = BN_dup(q);
-+ if (np == NULL || nq == NULL) {
-+ BN_free(np);
-+ BN_free(nq);
- goto fail;
- }
-- }
-
-- if (key->rsa->q != NULL) {
-- new->rsa->q = BN_dup(key->rsa->q);
-- if (new->rsa->q == NULL) {
-+ rc = RSA_set0_factors(new->rsa, np, nq);
-+ if (rc == 0) {
-+ BN_free(np);
-+ BN_free(nq);
- goto fail;
- }
- }
-
-- if (key->rsa->dmp1 != NULL) {
-- new->rsa->dmp1 = BN_dup(key->rsa->dmp1);
-- if (new->rsa->dmp1 == NULL) {
-+ RSA_get0_crt_params(key->rsa, &dmp1, &dmq1, &iqmp);
-+ if (dmp1 != NULL || dmq1 != NULL || iqmp != NULL) {
-+ ndmp1 = BN_dup(dmp1);
-+ ndmq1 = BN_dup(dmq1);
-+ niqmp = BN_dup(iqmp);
-+ if (ndmp1 == NULL || ndmq1 == NULL || niqmp == NULL) {
-+ BN_free(ndmp1);
-+ BN_free(ndmq1);
-+ BN_free(niqmp);
- goto fail;
- }
-- }
-
-- if (key->rsa->dmq1 != NULL) {
-- new->rsa->dmq1 = BN_dup(key->rsa->dmq1);
-- if (new->rsa->dmq1 == NULL) {
-- goto fail;
-- }
-- }
--
-- if (key->rsa->iqmp != NULL) {
-- new->rsa->iqmp = BN_dup(key->rsa->iqmp);
-- if (new->rsa->iqmp == NULL) {
-+ rc = RSA_set0_crt_params(new->rsa, ndmp1, ndmq1, niqmp);
-+ if (rc == 0) {
-+ BN_free(ndmp1);
-+ BN_free(ndmq1);
-+ BN_free(niqmp);
- goto fail;
- }
- }
- }
-
- break;
-+ }
- case SSH_KEYTYPE_ECDSA:
- #ifdef HAVE_OPENSSL_ECC
- new->ecdsa_nid = key->ecdsa_nid;
-@@ -409,11 +451,30 @@ int pki_key_generate_rsa(ssh_key key, in
-
- int pki_key_generate_dss(ssh_key key, int parameter){
- int rc;
-+#if OPENSSL_VERSION_NUMBER > 0x10100000L
-+ key->dsa = DSA_new();
-+ if (key->dsa == NULL) {
-+ return SSH_ERROR;
-+ }
-+ rc = DSA_generate_parameters_ex(key->dsa,
-+ parameter,
-+ NULL, /* seed */
-+ 0, /* seed_len */
-+ NULL, /* counter_ret */
-+ NULL, /* h_ret */
-+ NULL); /* cb */
-+ if (rc != 1) {
-+ DSA_free(key->dsa);
-+ key->dsa = NULL;
-+ return SSH_ERROR;
-+ }
-+#else
- key->dsa = DSA_generate_parameters(parameter, NULL, 0, NULL, NULL,
- NULL, NULL);
- if(key->dsa == NULL){
- return SSH_ERROR;
- }
-+#endif
- rc = DSA_generate_key(key->dsa);
- if (rc != 1){
- DSA_free(key->dsa);
-@@ -466,51 +527,64 @@ int pki_key_compare(const ssh_key k1,
- enum ssh_keycmp_e what)
- {
- switch (k1->type) {
-- case SSH_KEYTYPE_DSS:
-+ case SSH_KEYTYPE_DSS: {
-+ const BIGNUM *p1, *p2, *q1, *q2, *g1, *g2,
-+ *pub_key1, *pub_key2, *priv_key1, *priv_key2;
- if (DSA_size(k1->dsa) != DSA_size(k2->dsa)) {
- return 1;
- }
-- if (bignum_cmp(k1->dsa->p, k2->dsa->p) != 0) {
-+ DSA_get0_pqg(k1->dsa, &p1, &q1, &g1);
-+ DSA_get0_pqg(k2->dsa, &p2, &q2, &g2);
-+ if (bignum_cmp(p1, p2) != 0) {
- return 1;
- }
-- if (bignum_cmp(k1->dsa->q, k2->dsa->q) != 0) {
-+ if (bignum_cmp(q1, q2) != 0) {
- return 1;
- }
-- if (bignum_cmp(k1->dsa->g, k2->dsa->g) != 0) {
-+ if (bignum_cmp(g1, g2) != 0) {
- return 1;
- }
-- if (bignum_cmp(k1->dsa->pub_key, k2->dsa->pub_key) != 0) {
-+ DSA_get0_key(k1->dsa, &pub_key1, &priv_key1);
-+ DSA_get0_key(k2->dsa, &pub_key2, &priv_key2);
-+ if (bignum_cmp(pub_key1, pub_key2) != 0) {
- return 1;
- }
-
- if (what == SSH_KEY_CMP_PRIVATE) {
-- if (bignum_cmp(k1->dsa->priv_key, k2->dsa->priv_key) != 0) {
-+ if (bignum_cmp(priv_key1, priv_key2) != 0) {
- return 1;
- }
- }
- break;
-+ }
- case SSH_KEYTYPE_RSA:
-- case SSH_KEYTYPE_RSA1:
-+ case SSH_KEYTYPE_RSA1: {
-+ const BIGNUM *e1, *e2, *n1, *n2, *p1, *p2, *q1, *q2;
- if (RSA_size(k1->rsa) != RSA_size(k2->rsa)) {
- return 1;
- }
-- if (bignum_cmp(k1->rsa->e, k2->rsa->e) != 0) {
-+ RSA_get0_key(k1->rsa, &n1, &e1, NULL);
-+ RSA_get0_key(k2->rsa, &n2, &e2, NULL);
-+ if (bignum_cmp(e1, e2) != 0) {
- return 1;
- }
-- if (bignum_cmp(k1->rsa->n, k2->rsa->n) != 0) {
-+ if (bignum_cmp(n1, n2) != 0) {
- return 1;
- }
-
- if (what == SSH_KEY_CMP_PRIVATE) {
-- if (bignum_cmp(k1->rsa->p, k2->rsa->p) != 0) {
-+ RSA_get0_factors(k1->rsa, &p1, &q1);
-+ RSA_get0_factors(k2->rsa, &p2, &q2);
-+ if (bignum_cmp(p1, p2) != 0) {
- return 1;
- }
-
-- if (bignum_cmp(k1->rsa->q, k2->rsa->q) != 0) {
-+ if (bignum_cmp(q1, q2) != 0) {
- return 1;
- }
- }
- break;
-+ }
- case SSH_KEYTYPE_ECDSA:
- #ifdef HAVE_OPENSSL_ECC
- {
-@@ -586,7 +660,7 @@ ssh_string pki_private_key_to_pem(const
- } else {
- rc = PEM_write_bio_DSAPrivateKey(mem,
- key->dsa,
-- NULL, /* cipher */
-+ EVP_aes_128_cbc(),
- NULL, /* kstr */
- 0, /* klen */
- NULL, /* auth_fn */
-@@ -611,7 +685,7 @@ ssh_string pki_private_key_to_pem(const
- } else {
- rc = PEM_write_bio_RSAPrivateKey(mem,
- key->rsa,
-- NULL, /* cipher */
-+ EVP_aes_128_cbc(),
- NULL, /* kstr */
- 0, /* klen */
- NULL, /* auth_fn */
-@@ -621,8 +695,8 @@ ssh_string pki_private_key_to_pem(const
- goto err;
- }
- break;
-- case SSH_KEYTYPE_ECDSA:
- #ifdef HAVE_ECC
-+ case SSH_KEYTYPE_ECDSA:
- if (passphrase == NULL) {
- struct pem_get_password_struct pgp = { auth_fn, auth_data };
-
-@@ -636,7 +710,7 @@ ssh_string pki_private_key_to_pem(const
- } else {
- rc = PEM_write_bio_ECPrivateKey(mem,
- key->ecdsa,
-- NULL, /* cipher */
-+ EVP_aes_128_cbc(),
- NULL, /* kstr */
- 0, /* klen */
- NULL, /* auth_fn */
-@@ -819,43 +893,65 @@ int pki_pubkey_build_dss(ssh_key key,
- ssh_string q,
- ssh_string g,
- ssh_string pubkey) {
-+ int rc;
-+ BIGNUM *bp, *bq, *bg, *bpub_key;
-+
- key->dsa = DSA_new();
- if (key->dsa == NULL) {
- return SSH_ERROR;
- }
-
-- key->dsa->p = make_string_bn(p);
-- key->dsa->q = make_string_bn(q);
-- key->dsa->g = make_string_bn(g);
-- key->dsa->pub_key = make_string_bn(pubkey);
-- if (key->dsa->p == NULL ||
-- key->dsa->q == NULL ||
-- key->dsa->g == NULL ||
-- key->dsa->pub_key == NULL) {
-- DSA_free(key->dsa);
-- return SSH_ERROR;
-+ bp = make_string_bn(p);
-+ bq = make_string_bn(q);
-+ bg = make_string_bn(g);
-+ bpub_key = make_string_bn(pubkey);
-+ if (bp == NULL || bq == NULL ||
-+ bg == NULL || bpub_key == NULL) {
-+ goto fail;
-+ }
-+
-+ rc = DSA_set0_pqg(key->dsa, bp, bq, bg);
-+ if (rc == 0) {
-+ goto fail;
-+ }
-+
-+ rc = DSA_set0_key(key->dsa, bpub_key, NULL);
-+ if (rc == 0) {
-+ goto fail;
- }
-
- return SSH_OK;
-+fail:
-+ DSA_free(key->dsa);
-+ return SSH_ERROR;
- }
-
- int pki_pubkey_build_rsa(ssh_key key,
- ssh_string e,
- ssh_string n) {
-+ int rc;
-+ BIGNUM *be, *bn;
-+
- key->rsa = RSA_new();
- if (key->rsa == NULL) {
- return SSH_ERROR;
- }
-
-- key->rsa->e = make_string_bn(e);
-- key->rsa->n = make_string_bn(n);
-- if (key->rsa->e == NULL ||
-- key->rsa->n == NULL) {
-- RSA_free(key->rsa);
-- return SSH_ERROR;
-+ be = make_string_bn(e);
-+ bn = make_string_bn(n);
-+ if (be == NULL || bn == NULL) {
-+ goto fail;
-+ }
-+
-+ rc = RSA_set0_key(key->rsa, bn, be, NULL);
-+ if (rc == 0) {
-+ goto fail;
- }
-
- return SSH_OK;
-+fail:
-+ RSA_free(key->rsa);
-+ return SSH_ERROR;
- }
-
- ssh_string pki_publickey_to_blob(const ssh_key key)
-@@ -889,23 +985,26 @@ ssh_string pki_publickey_to_blob(const s
- }
-
- switch (key->type) {
-- case SSH_KEYTYPE_DSS:
-- p = make_bignum_string(key->dsa->p);
-+ case SSH_KEYTYPE_DSS: {
-+ const BIGNUM *bp, *bq, *bg, *bpub_key;
-+ DSA_get0_pqg(key->dsa, &bp, &bq, &bg);
-+ p = make_bignum_string((BIGNUM *)bp);
- if (p == NULL) {
- goto fail;
- }
-
-- q = make_bignum_string(key->dsa->q);
-+ q = make_bignum_string((BIGNUM *)bq);
- if (q == NULL) {
- goto fail;
- }
-
-- g = make_bignum_string(key->dsa->g);
-+ g = make_bignum_string((BIGNUM *)bg);
- if (g == NULL) {
- goto fail;
- }
-
-- n = make_bignum_string(key->dsa->pub_key);
-+ DSA_get0_key(key->dsa, &bpub_key, NULL);
-+ n = make_bignum_string((BIGNUM *)bpub_key);
- if (n == NULL) {
- goto fail;
- }
-@@ -937,14 +1036,17 @@ ssh_string pki_publickey_to_blob(const s
- n = NULL;
-
- break;
-+ }
- case SSH_KEYTYPE_RSA:
-- case SSH_KEYTYPE_RSA1:
-- e = make_bignum_string(key->rsa->e);
-+ case SSH_KEYTYPE_RSA1: {
-+ const BIGNUM *be, *bn;
-+ RSA_get0_key(key->rsa, &bn, &be, NULL);
-+ e = make_bignum_string((BIGNUM *)be);
- if (e == NULL) {
- goto fail;
- }
-
-- n = make_bignum_string(key->rsa->n);
-+ n = make_bignum_string((BIGNUM *)bn);
- if (n == NULL) {
- goto fail;
- }
-@@ -964,6 +1066,7 @@ ssh_string pki_publickey_to_blob(const s
- n = NULL;
-
- break;
-+ }
- case SSH_KEYTYPE_ECDSA:
- #ifdef HAVE_OPENSSL_ECC
- rc = ssh_buffer_reinit(buffer);
-@@ -1065,13 +1168,15 @@ int pki_export_pubkey_rsa1(const ssh_key
- char *e;
- char *n;
- int rsa_size = RSA_size(key->rsa);
-+ const BIGNUM *be, *bn;
-
-- e = bignum_bn2dec(key->rsa->e);
-+ RSA_get0_key(key->rsa, &bn, &be, NULL);
-+ e = bignum_bn2dec(be);
- if (e == NULL) {
- return SSH_ERROR;
- }
-
-- n = bignum_bn2dec(key->rsa->n);
-+ n = bignum_bn2dec(bn);
- if (n == NULL) {
- OPENSSL_free(e);
- return SSH_ERROR;
-@@ -1136,6 +1241,7 @@ static ssh_string pki_dsa_signature_to_b
- {
- char buffer[40] = { 0 };
- ssh_string sig_blob = NULL;
-+ const BIGNUM *pr, *ps;
-
- ssh_string r;
- int r_len, r_offset_in, r_offset_out;
-@@ -1143,12 +1249,13 @@ static ssh_string pki_dsa_signature_to_b
- ssh_string s;
- int s_len, s_offset_in, s_offset_out;
-
-- r = make_bignum_string(sig->dsa_sig->r);
-+ DSA_SIG_get0(sig->dsa_sig, &pr, &ps);
-+ r = make_bignum_string((BIGNUM *)pr);
- if (r == NULL) {
- return NULL;
- }
-
-- s = make_bignum_string(sig->dsa_sig->s);
-+ s = make_bignum_string((BIGNUM *)ps);
- if (s == NULL) {
- ssh_string_free(r);
- return NULL;
-@@ -1201,13 +1308,15 @@ ssh_string pki_signature_to_blob(const s
- ssh_string s;
- ssh_buffer b;
- int rc;
-+ const BIGNUM *pr, *ps;
-
- b = ssh_buffer_new();
- if (b == NULL) {
- return NULL;
- }
-
-- r = make_bignum_string(sig->ecdsa_sig->r);
-+ ECDSA_SIG_get0(sig->ecdsa_sig, &pr, &ps);
-+ r = make_bignum_string((BIGNUM *)pr);
- if (r == NULL) {
- ssh_buffer_free(b);
- return NULL;
-@@ -1219,7 +1328,7 @@ ssh_string pki_signature_to_blob(const s
- return NULL;
- }
-
-- s = make_bignum_string(sig->ecdsa_sig->s);
-+ s = make_bignum_string((BIGNUM *)ps);
- if (s == NULL) {
- ssh_buffer_free(b);
- return NULL;
-@@ -1324,6 +1433,7 @@ ssh_signature pki_signature_from_blob(co
- ssh_string s;
- size_t len;
- int rc;
-+ BIGNUM *pr = NULL, *ps = NULL;
-
- sig = ssh_signature_new();
- if (sig == NULL) {
-@@ -1363,9 +1473,9 @@ ssh_signature pki_signature_from_blob(co
- }
- ssh_string_fill(r, ssh_string_data(sig_blob), 20);
-
-- sig->dsa_sig->r = make_string_bn(r);
-+ pr = make_string_bn(r);
- ssh_string_free(r);
-- if (sig->dsa_sig->r == NULL) {
-+ if (pr == NULL) {
- ssh_signature_free(sig);
- return NULL;
- }
-@@ -1377,9 +1487,15 @@ ssh_signature pki_signature_from_blob(co
- }
- ssh_string_fill(s, (char *)ssh_string_data(sig_blob) + 20, 20);
-
-- sig->dsa_sig->s = make_string_bn(s);
-+ ps = make_string_bn(s);
- ssh_string_free(s);
-- if (sig->dsa_sig->s == NULL) {
-+ if (ps == NULL) {
-+ ssh_signature_free(sig);
-+ return NULL;
-+ }
-+
-+ rc = DSA_SIG_set0(sig->dsa_sig, pr, ps);
-+ if (rc == 0) {
- ssh_signature_free(sig);
- return NULL;
- }
-@@ -1427,17 +1543,17 @@ ssh_signature pki_signature_from_blob(co
- ssh_print_hexa("r", ssh_string_data(r), ssh_string_len(r));
- #endif
-
-- make_string_bn_inplace(r, sig->ecdsa_sig->r);
-+ pr = make_string_bn(r);
- ssh_string_burn(r);
- ssh_string_free(r);
-- if (sig->ecdsa_sig->r == NULL) {
-+ if (pr == NULL) {
- ssh_buffer_free(b);
- ssh_signature_free(sig);
- return NULL;
- }
-
- s = buffer_get_ssh_string(b);
-- rlen = buffer_get_rest_len(b);
-+ rlen = buffer_get_len(b);
- ssh_buffer_free(b);
- if (s == NULL) {
- ssh_signature_free(sig);
-@@ -1448,10 +1564,16 @@ ssh_signature pki_signature_from_blob(co
- ssh_print_hexa("s", ssh_string_data(s), ssh_string_len(s));
- #endif
-
-- make_string_bn_inplace(s, sig->ecdsa_sig->s);
-+ ps = make_string_bn(s);
- ssh_string_burn(s);
- ssh_string_free(s);
-- if (sig->ecdsa_sig->s == NULL) {
-+ if (ps == NULL) {
-+ ssh_signature_free(sig);
-+ return NULL;
-+ }
-+
-+ rc = ECDSA_SIG_set0(sig->ecdsa_sig, pr, ps);
-+ if (rc == 0) {
- ssh_signature_free(sig);
- return NULL;
- }
-@@ -1578,8 +1700,12 @@ ssh_signature pki_do_sign(const ssh_key
- }
-
- #ifdef DEBUG_CRYPTO
-- ssh_print_bignum("r", sig->dsa_sig->r);
-- ssh_print_bignum("s", sig->dsa_sig->s);
-+ {
-+ const BIGNUM *pr, *ps;
-+ DSA_SIG_get0(sig->dsa_sig, &pr, &ps);
-+ ssh_print_bignum("r", (BIGNUM *) pr);
-+ ssh_print_bignum("s", (BIGNUM *) ps);
-+ }
- #endif
-
- break;
-@@ -1601,8 +1727,12 @@ ssh_signature pki_do_sign(const ssh_key
- }
-
- # ifdef DEBUG_CRYPTO
-- ssh_print_bignum("r", sig->ecdsa_sig->r);
-- ssh_print_bignum("s", sig->ecdsa_sig->s);
-+ {
-+ const BIGNUM *pr, *ps;
-+ ECDSA_SIG_get0(sig->ecdsa_sig, &pr, &ps);
-+ ssh_print_bignum("r", (BIGNUM *) pr);
-+ ssh_print_bignum("s", (BIGNUM *) ps);
-+ }
- # endif /* DEBUG_CRYPTO */
-
- break;
---- a/src/CMakeLists.txt
-+++ b/src/CMakeLists.txt
-@@ -164,6 +164,9 @@ else (WITH_GCRYPT)
- ${libssh_SRCS}
- pki_crypto.c
- )
-+ if(OPENSSL_VERSION VERSION_LESS "1.1.0")
-+ set(libssh_SRCS ${libssh_SRCS} libcrypto-compat.c)
-+ endif()
- endif (WITH_GCRYPT)
-
- if (WITH_SFTP)
---- /dev/null
-+++ b/src/libcrypto-compat.c
-@@ -0,0 +1,334 @@
-+/*
-+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the OpenSSL license (the "License"). You may not use
-+ * this file except in compliance with the License. You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#include "config.h"
-+
-+#include <string.h>
-+#include <openssl/engine.h>
-+#include "libcrypto-compat.h"
-+
-+static void *OPENSSL_zalloc(size_t num)
-+{
-+ void *ret = OPENSSL_malloc(num);
-+
-+ if (ret != NULL)
-+ memset(ret, 0, num);
-+ return ret;
-+}
-+
-+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
-+{
-+ /* If the fields n and e in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL for n and e. d may be
-+ * left NULL (in case only the public key is used).
-+ */
-+ if ((r->n == NULL && n == NULL)
-+ || (r->e == NULL && e == NULL))
-+ return 0;
-+
-+ if (n != NULL) {
-+ BN_free(r->n);
-+ r->n = n;
-+ }
-+ if (e != NULL) {
-+ BN_free(r->e);
-+ r->e = e;
-+ }
-+ if (d != NULL) {
-+ BN_free(r->d);
-+ r->d = d;
-+ }
-+
-+ return 1;
-+}
-+
-+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
-+{
-+ /* If the fields p and q in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL.
-+ */
-+ if ((r->p == NULL && p == NULL)
-+ || (r->q == NULL && q == NULL))
-+ return 0;
-+
-+ if (p != NULL) {
-+ BN_free(r->p);
-+ r->p = p;
-+ }
-+ if (q != NULL) {
-+ BN_free(r->q);
-+ r->q = q;
-+ }
-+
-+ return 1;
-+}
-+
-+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
-+{
-+ /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
-+ * parameters MUST be non-NULL.
-+ */
-+ if ((r->dmp1 == NULL && dmp1 == NULL)
-+ || (r->dmq1 == NULL && dmq1 == NULL)
-+ || (r->iqmp == NULL && iqmp == NULL))
-+ return 0;
-+
-+ if (dmp1 != NULL) {
-+ BN_free(r->dmp1);
-+ r->dmp1 = dmp1;
-+ }
-+ if (dmq1 != NULL) {
-+ BN_free(r->dmq1);
-+ r->dmq1 = dmq1;
-+ }
-+ if (iqmp != NULL) {
-+ BN_free(r->iqmp);
-+ r->iqmp = iqmp;
-+ }
-+
-+ return 1;
-+}
-+
-+void RSA_get0_key(const RSA *r,
-+ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
-+{
-+ if (n != NULL)
-+ *n = r->n;
-+ if (e != NULL)
-+ *e = r->e;
-+ if (d != NULL)
-+ *d = r->d;
-+}
-+
-+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
-+{
-+ if (p != NULL)
-+ *p = r->p;
-+ if (q != NULL)
-+ *q = r->q;
-+}
-+
-+void RSA_get0_crt_params(const RSA *r,
-+ const BIGNUM **dmp1, const BIGNUM **dmq1,
-+ const BIGNUM **iqmp)
-+{
-+ if (dmp1 != NULL)
-+ *dmp1 = r->dmp1;
-+ if (dmq1 != NULL)
-+ *dmq1 = r->dmq1;
-+ if (iqmp != NULL)
-+ *iqmp = r->iqmp;
-+}
-+
-+void DSA_get0_pqg(const DSA *d,
-+ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
-+{
-+ if (p != NULL)
-+ *p = d->p;
-+ if (q != NULL)
-+ *q = d->q;
-+ if (g != NULL)
-+ *g = d->g;
-+}
-+
-+int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-+{
-+ /* If the fields p, q and g in d are NULL, the corresponding input
-+ * parameters MUST be non-NULL.
-+ */
-+ if ((d->p == NULL && p == NULL)
-+ || (d->q == NULL && q == NULL)
-+ || (d->g == NULL && g == NULL))
-+ return 0;
-+
-+ if (p != NULL) {
-+ BN_free(d->p);
-+ d->p = p;
-+ }
-+ if (q != NULL) {
-+ BN_free(d->q);
-+ d->q = q;
-+ }
-+ if (g != NULL) {
-+ BN_free(d->g);
-+ d->g = g;
-+ }
-+
-+ return 1;
-+}
-+
-+void DSA_get0_key(const DSA *d,
-+ const BIGNUM **pub_key, const BIGNUM **priv_key)
-+{
-+ if (pub_key != NULL)
-+ *pub_key = d->pub_key;
-+ if (priv_key != NULL)
-+ *priv_key = d->priv_key;
-+}
-+
-+int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
-+{
-+ /* If the field pub_key in d is NULL, the corresponding input
-+ * parameters MUST be non-NULL. The priv_key field may
-+ * be left NULL.
-+ */
-+ if (d->pub_key == NULL && pub_key == NULL)
-+ return 0;
-+
-+ if (pub_key != NULL) {
-+ BN_free(d->pub_key);
-+ d->pub_key = pub_key;
-+ }
-+ if (priv_key != NULL) {
-+ BN_free(d->priv_key);
-+ d->priv_key = priv_key;
-+ }
-+
-+ return 1;
-+}
-+
-+void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
-+{
-+ if (pr != NULL)
-+ *pr = sig->r;
-+ if (ps != NULL)
-+ *ps = sig->s;
-+}
-+
-+int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
-+{
-+ if (r == NULL || s == NULL)
-+ return 0;
-+ BN_clear_free(sig->r);
-+ BN_clear_free(sig->s);
-+ sig->r = r;
-+ sig->s = s;
-+ return 1;
-+}
-+
-+void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
-+{
-+ if (pr != NULL)
-+ *pr = sig->r;
-+ if (ps != NULL)
-+ *ps = sig->s;
-+}
-+
-+int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
-+{
-+ if (r == NULL || s == NULL)
-+ return 0;
-+ BN_clear_free(sig->r);
-+ BN_clear_free(sig->s);
-+ sig->r = r;
-+ sig->s = s;
-+ return 1;
-+}
-+
-+EVP_MD_CTX *EVP_MD_CTX_new(void)
-+{
-+ return OPENSSL_zalloc(sizeof(EVP_MD_CTX));
-+}
-+
-+static void OPENSSL_clear_free(void *str, size_t num)
-+{
-+ if (str == NULL)
-+ return;
-+ if (num)
-+ OPENSSL_cleanse(str, num);
-+ OPENSSL_free(str);
-+}
-+
-+/* This call frees resources associated with the context */
-+int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
-+{
-+ if (ctx == NULL)
-+ return 1;
-+
-+ /*
-+ * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
-+ * sometimes only copies of the context are ever finalised.
-+ */
-+ if (ctx->digest && ctx->digest->cleanup
-+ && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED))
-+ ctx->digest->cleanup(ctx);
-+ if (ctx->digest && ctx->digest->ctx_size && ctx->md_data
-+ && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) {
-+ OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
-+ }
-+ EVP_PKEY_CTX_free(ctx->pctx);
-+#ifndef OPENSSL_NO_ENGINE
-+ ENGINE_finish(ctx->engine);
-+#endif
-+ OPENSSL_cleanse(ctx, sizeof(*ctx));
-+
-+ return 1;
-+}
-+
-+void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
-+{
-+ EVP_MD_CTX_reset(ctx);
-+ OPENSSL_free(ctx);
-+}
-+
-+HMAC_CTX *HMAC_CTX_new(void)
-+{
-+ HMAC_CTX *ctx = OPENSSL_zalloc(sizeof(HMAC_CTX));
-+
-+ if (ctx != NULL) {
-+ if (!HMAC_CTX_reset(ctx)) {
-+ HMAC_CTX_free(ctx);
-+ return NULL;
-+ }
-+ }
-+ return ctx;
-+}
-+
-+static void hmac_ctx_cleanup(HMAC_CTX *ctx)
-+{
-+ EVP_MD_CTX_reset(&ctx->i_ctx);
-+ EVP_MD_CTX_reset(&ctx->o_ctx);
-+ EVP_MD_CTX_reset(&ctx->md_ctx);
-+ ctx->md = NULL;
-+ ctx->key_length = 0;
-+ OPENSSL_cleanse(ctx->key, sizeof(ctx->key));
-+}
-+
-+void HMAC_CTX_free(HMAC_CTX *ctx)
-+{
-+ if (ctx != NULL) {
-+ hmac_ctx_cleanup(ctx);
-+#if OPENSSL_VERSION_NUMBER > 0x10100000L
-+ EVP_MD_CTX_free(&ctx->i_ctx);
-+ EVP_MD_CTX_free(&ctx->o_ctx);
-+ EVP_MD_CTX_free(&ctx->md_ctx);
-+#endif
-+ OPENSSL_free(ctx);
-+ }
-+}
-+
-+int HMAC_CTX_reset(HMAC_CTX *ctx)
-+{
-+ HMAC_CTX_init(ctx);
-+ return 1;
-+}
-+
-+#ifndef HAVE_OPENSSL_EVP_CIPHER_CTX_NEW
-+EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
-+{
-+ return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));
-+}
-+
-+void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
-+{
-+ /* EVP_CIPHER_CTX_reset(ctx); alias */
-+ EVP_CIPHER_CTX_init(ctx);
-+ OPENSSL_free(ctx);
-+}
-+#endif
---- /dev/null
-+++ b/src/libcrypto-compat.h
-@@ -0,0 +1,42 @@
-+#ifndef LIBCRYPTO_COMPAT_H
-+#define LIBCRYPTO_COMPAT_H
-+
-+#include <openssl/opensslv.h>
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+#include <openssl/rsa.h>
-+#include <openssl/dsa.h>
-+#include <openssl/ecdsa.h>
-+#include <openssl/dh.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+
-+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
-+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
-+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
-+void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
-+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
-+void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp);
-+
-+void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
-+int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-+void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key);
-+int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key);
-+
-+void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
-+int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
-+
-+void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
-+int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
-+
-+int EVP_MD_CTX_reset(EVP_MD_CTX *ctx);
-+EVP_MD_CTX *EVP_MD_CTX_new(void);
-+void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
-+
-+HMAC_CTX *HMAC_CTX_new(void);
-+int HMAC_CTX_reset(HMAC_CTX *ctx);
-+void HMAC_CTX_free(HMAC_CTX *ctx);
-+
-+#endif /* OPENSSL_VERSION_NUMBER */
-+
-+#endif /* LIBCRYPTO_COMPAT_H */
--- /dev/null
+#
+# Copyright (C) 2018 Bruno Randolf (br1@einfach.org)
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=websocketpp
+PKG_VERSION:=0.8.1
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/zaphoyd/websocketpp/archive/$(PKG_VERSION)/
+PKG_HASH:=178899de48c02853b55b1ea8681599641cedcdfce59e56beaff3dd0874bf0286
+
+PKG_MAINTAINER:=Bruno Randolf <br1@einfach.org>
+PKG_LICENSE:=BSD-3-Clause
+PKG_LICENSE_FILES:=COPYING
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+CMAKE_INSTALL:=1
+
+define Package/websocketpp
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=WebSocket++
+ URL:=https://www.zaphoyd.com/websocketpp
+endef
+
+define Package/websocketpp/description
+ WebSocket++ is a header only C++ library that implements RFC6455
+ The WebSocket Protocol.
+endef
+
+$(eval $(call BuildPackage,websocketpp))
include $(TOPDIR)/rules.mk
PKG_NAME:=bind
-PKG_VERSION:=9.11.3
-PKG_RELEASE:=2
+PKG_VERSION:=9.11.5
+PKG_RELEASE:=1
USERID:=bind=57:bind=57
PKG_MAINTAINER:=Noah Meyerhans <frodo@morgul.net>
PKG_SOURCE_URL:= \
http://www.mirrorservice.org/sites/ftp.isc.org/isc/bind9/$(PKG_VERSION) \
http://ftp.isc.org/isc/bind9/$(PKG_VERSION)
-PKG_HASH:=0d9dde14b2ec7f9cdc3b69f19540c7a2e4eee7b6c727965dfae48810965876f5
+PKG_HASH:=a4cae11dad954bdd4eb592178f875bfec09fcc7e29fe0f6b7a4e5b5c6bc61322
PKG_FIXUP:=autoreconf
PKG_REMOVE_FILES:=aclocal.m4 libtool.m4
define Package/bind-server
$(call Package/bind/Default)
TITLE+= DNS server
- DEPENDS+= +@OPENSSL_WITH_DEPRECATED
endef
define Package/bind-server/config
./files/bind/db.255 \
./files/bind/db.local \
./files/bind/db.root \
+ ./files/bind/bind.keys \
$(1)/etc/bind/
$(CP) ./files/bind/named.conf.example $(1)/etc/bind/named.conf
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/dig $(1)/usr/bin/
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/host $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/delv $(1)/usr/bin/
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/dnssec-keygen $(1)/usr/sbin/
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/dnssec-settime $(1)/usr/sbin/
--- /dev/null
+# The bind.keys file is used to override the built-in DNSSEC trust anchors
+# which are included as part of BIND 9. As of the current release, the only
+# trust anchors it contains are those for the DNS root zone ("."), and for
+# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
+# for any other zones MUST be configured elsewhere; if they are configured
+# here, they will not be recognized or used by named.
+#
+# The built-in trust anchors are provided for convenience of configuration.
+# They are not activated within named.conf unless specifically switched on.
+# To use the built-in root key, set "dnssec-validation auto;" in
+# named.conf options. To use the built-in DLV key, set
+# "dnssec-lookaside auto;". Without these options being set,
+# the keys in this file are ignored.
+#
+# This file is NOT expected to be user-configured.
+#
+# These keys are current as of Feburary 2017. If any key fails to
+# initialize correctly, it may have expired. In that event you should
+# replace this file with a current version. The latest version of
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+
+managed-keys {
+ # ISC DLV: See https://www.isc.org/solutions/dlv for details.
+ #
+ # NOTE: The ISC DLV zone is being phased out as of February 2017;
+ # the key will remain in place but the zone will be otherwise empty.
+ # Configuring "dnssec-lookaside auto;" to activate this key is
+ # harmless, but is no longer useful and is not recommended.
+ dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
+ brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
+ ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
+ Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
+ QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
+ TDN0YUuWrBNh";
+
+ # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
+ # for current trust anchor information.
+ #
+ # These keys are activated by setting "dnssec-validation auto;"
+ # in named.conf.
+ #
+ # This key (19036) is to be phased out starting in 2017. It will
+ # remain in the root zone for some time after its successor key
+ # has been added. It will remain this file until it is removed from
+ # the root zone.
+ . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+ QxA+Uk1ihz0=";
+
+ # This key (20326) is to be published in the root zone in 2017.
+ # Servers which were already using the old key (19036) should
+ # roll seamlessly to this new one via RFC 5011 rollover. Servers
+ # being set up for the first time can use the contents of this
+ # file as initializing keys; thereafter, the keys in the
+ # managed key database will be trusted and maintained
+ # automatically.
+ . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+ R1AkUTV74bU=";
+};
-Index: bind-9.10.4-P3/bin/Makefile.in
+Index: bind-9.11.5/bin/Makefile.in
===================================================================
---- bind-9.10.4-P3.orig/bin/Makefile.in
-+++ bind-9.10.4-P3/bin/Makefile.in
-@@ -10,7 +10,7 @@ srcdir = @srcdir@
- VPATH = @srcdir@
+--- bind-9.11.5.orig/bin/Makefile.in
++++ bind-9.11.5/bin/Makefile.in
+@@ -12,7 +12,7 @@ VPATH = @srcdir@
top_srcdir = @top_srcdir@
--SUBDIRS = named rndc dig delv dnssec tools tests nsupdate \
-+SUBDIRS = named rndc dig delv dnssec tools nsupdate \
- check confgen @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@
- TARGETS =
-
-Index: bind-9.10.4-P3/lib/Makefile.in
-===================================================================
---- bind-9.10.4-P3.orig/lib/Makefile.in
-+++ bind-9.10.4-P3/lib/Makefile.in
-@@ -14,7 +14,7 @@ top_srcdir = @top_srcdir@
- # Attempt to disable parallel processing.
- .NOTPARALLEL:
- .NO_PARALLEL:
--SUBDIRS = isc isccc dns isccfg bind9 lwres irs tests samples
-+SUBDIRS = isc isccc dns isccfg bind9 lwres irs samples
+ SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \
+- @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
++ @NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@
TARGETS =
@BIND9_MAKE_RULES@
-Index: bind-9.10.4-P3/configure.in
+Index: bind-9.11.5/configure.in
===================================================================
---- bind-9.10.4-P3.orig/configure.in
-+++ bind-9.10.4-P3/configure.in
-@@ -157,26 +157,11 @@ esac
+--- bind-9.11.5.orig/configure.in
++++ bind-9.11.5/configure.in
+@@ -181,26 +181,11 @@ esac
#
AC_CONFIG_FILES([make/rules make/includes])
PKG_NAME:=haproxy
PKG_VERSION:=1.8.14
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://www.haproxy.org/download/1.8/src/
--- /dev/null
+commit 14844e448b637fea2770bcb03a43a010c4c8176d
+Author: Olivier Houchard <ohouchard@haproxy.com>
+Date: Thu Sep 27 14:55:34 2018 +0200
+
+ MINOR: threads: Make sure threads_sync_pipe is initialized before using it.
+
+ thread_want_sync() might be called before thread_sync_init() was called,
+ at least when reading the server state file, as apply_server_state() is called
+ before thread_sync_init(). So make sure the threads_sync_pipe was initialized
+ before writing to it, if it was not, there's no thread, so no need to sync
+ anything anyway, and if we don't check it we'll end up writing a 'S' on
+ stdin.
+
+ this only applies to 1.8.
+
+diff --git a/src/hathreads.c b/src/hathreads.c
+index 97ed31c5..9dba4356 100644
+--- a/src/hathreads.c
++++ b/src/hathreads.c
+@@ -28,7 +28,7 @@ void thread_sync_io_handler(int fd)
+ #ifdef USE_THREAD
+
+ static HA_SPINLOCK_T sync_lock;
+-static int threads_sync_pipe[2];
++static int threads_sync_pipe[2] = {-1, -1};
+ static unsigned long threads_want_sync = 0;
+ volatile unsigned long threads_want_rdv_mask = 0;
+ volatile unsigned long threads_harmless_mask = 0;
+@@ -76,7 +76,8 @@ void thread_want_sync()
+ if (all_threads_mask & (all_threads_mask - 1)) {
+ if (threads_want_sync & tid_bit)
+ return;
+- if (HA_ATOMIC_OR(&threads_want_sync, tid_bit) == tid_bit)
++ if (HA_ATOMIC_OR(&threads_want_sync, tid_bit) == tid_bit &&
++ threads_sync_pipe[1] != -1)
+ shut_your_big_mouth_gcc(write(threads_sync_pipe[1], "S", 1));
+ }
+ else {
--- /dev/null
+commit 18aff2297ce844362f28ea5317c289ba154bd33d
+Author: Lukas Tribus <lukas@ltri.eu>
+Date: Mon Oct 1 02:00:16 2018 +0200
+
+ DOC: clarify force-private-cache is an option
+
+ "boolean" may confuse users into thinking they need to provide
+ additional arguments, like false or true. This is a simple option
+ like many others, so lets not confuse the users with internals.
+
+ Also fixes an additional typo.
+
+ Should be backported to 1.8 and 1.7.
+
+ (cherry picked from commit 2793578eaf934bbf28f742a35f3a1ae656280324)
+ Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+
+diff --git a/doc/configuration.txt b/doc/configuration.txt
+index c69033b1..580194ec 100644
+--- a/doc/configuration.txt
++++ b/doc/configuration.txt
+@@ -1651,7 +1651,7 @@ tune.ssl.cachesize <number>
+ this value to 0 disables the SSL session cache.
+
+ tune.ssl.force-private-cache
+- This boolean disables SSL session cache sharing between all processes. It
++ This option disables SSL session cache sharing between all processes. It
+ should normally not be used since it will force many renegotiations due to
+ clients hitting a random process. But it may be required on some operating
+ systems where none of the SSL cache synchronization method may be used. In
+@@ -6535,7 +6535,7 @@ option smtpchk <hello> <domain>
+ yes | no | yes | yes
+ Arguments :
+ <hello> is an optional argument. It is the "hello" command to use. It can
+- be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
++ be either "HELO" (for SMTP) or "EHLO" (for ESMTP). All other
+ values will be turned into the default command ("HELO").
+
+ <domain> is the domain name to present to the server. It may only be
--- /dev/null
+commit f6d20e718131aa2b468ff0a6c42e20c0b900e58b
+Author: Ilya Shipitsin <chipitsine@gmail.com>
+Date: Sat Sep 15 00:50:05 2018 +0500
+
+ BUG/MINOR: connection: avoid null pointer dereference in send-proxy-v2
+
+ found by coverity.
+
+ [wt: this bug was introduced by commit 404d978 ("MINOR: add ALPN
+ information to send-proxy-v2"). It might be triggered by a health
+ check on a server using ppv2 or by an applet making use of such a
+ server, if at all configurable].
+
+ This needs to be backported to 1.8.
+
+ (cherry picked from commit ca56fce8bd271928b18d38b439bd35bd273fe8d4)
+ Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+
+diff --git a/src/connection.c b/src/connection.c
+index 8c5af156..7403e8ae 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -874,6 +874,7 @@ int conn_recv_netscaler_cip(struct connection *conn, int flag)
+ return 0;
+ }
+
++/* Note: <remote> is explicitly allowed to be NULL */
+ int make_proxy_line(char *buf, int buf_len, struct server *srv, struct connection *remote)
+ {
+ int ret = 0;
+@@ -985,6 +986,7 @@ static int make_tlv(char *dest, int dest_len, char type, uint16_t length, const
+ return length + sizeof(*tlv);
+ }
+
++/* Note: <remote> is explicitly allowed to be NULL */
+ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connection *remote)
+ {
+ const char pp2_signature[] = PP2_SIGNATURE;
+@@ -1060,7 +1062,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
+ }
+ }
+
+- if (conn_get_alpn(remote, &value, &value_len)) {
++ if (remote && conn_get_alpn(remote, &value, &value_len)) {
+ if ((buf_len - ret) < sizeof(struct tlv))
+ return 0;
+ ret += make_tlv(&buf[ret], (buf_len - ret), PP2_TYPE_ALPN, value_len, value);
--- /dev/null
+commit e725a7f9bfd8b7fe2e74c62c7c6bf2b9ebf83772
+Author: Willy Tarreau <w@1wt.eu>
+Date: Wed Oct 3 10:20:19 2018 +0200
+
+ BUG/MINOR: backend: check that the mux installed properly
+
+ The return value from conn_install_mux() was not checked, so if an
+ inconsistency happens in the code, or a memory allocation fails while
+ initializing the mux, we can crash while using an uninitialized mux.
+ In practice the code inconsistency does not really happen since we
+ cannot configure such a situation, except during development, but
+ the out of memory condition could definitely happen.
+
+ This should be backported to 1.8 (the code is a bit different there,
+ there are two calls to conn_install_mux()).
+
+ (cherry picked from commit 33dd4ef81245bb868b22f99b9be45d0791131eec)
+ Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+
+diff --git a/src/backend.c b/src/backend.c
+index 2b6167dc..fc1eac0d 100644
+--- a/src/backend.c
++++ b/src/backend.c
+@@ -1163,7 +1163,8 @@ int connect_server(struct stream *s)
+ if (srv) {
+ conn_prepare(srv_conn, protocol_by_family(srv_conn->addr.to.ss_family), srv->xprt);
+ /* XXX: Pick the right mux, when we finally have one */
+- conn_install_mux(srv_conn, &mux_pt_ops, srv_cs);
++ if (conn_install_mux(srv_conn, &mux_pt_ops, srv_cs) < 0)
++ return SF_ERR_INTERNAL;
+ }
+ else if (obj_type(s->target) == OBJ_TYPE_PROXY) {
+ /* proxies exclusively run on raw_sock right now */
+@@ -1171,7 +1172,8 @@ int connect_server(struct stream *s)
+ if (!objt_cs(s->si[1].end) || !objt_cs(s->si[1].end)->conn->ctrl)
+ return SF_ERR_INTERNAL;
+ /* XXX: Pick the right mux, when we finally have one */
+- conn_install_mux(srv_conn, &mux_pt_ops, srv_cs);
++ if (conn_install_mux(srv_conn, &mux_pt_ops, srv_cs) < 0)
++ return SF_ERR_INTERNAL;
+ }
+ else
+ return SF_ERR_INTERNAL; /* how did we get there ? */
--- /dev/null
+commit 45e9f3c660c872e93588cf1c0b74c192f2c8c3d5
+Author: Olivier Houchard <ohouchard@haproxy.com>
+Date: Wed Sep 26 15:09:58 2018 +0200
+
+ BUG/MEDIUM: buffers: Make sure we don't wrap in buffer_insert_line2/replace2.
+
+ In buffer_insert_line2() and buffer_replace2(), we can't afford to wrap,
+ so don't use b_tail to check if we do, directly use b->p + b->i instead.
+
+ This should be backported to previous versions.
+
+ (cherry picked from commit 363c745569b6ffd8f095d2b7758131d08aa27219)
+ Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
+
+ [cf: This patch was adapted and its commit message too. Because of the
+ refactoring of the buffer's API in 1.9, the original patch fixes same bug in
+ ci_insert_line2/b_rep_blk.]
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 167b75ae..6ad38a02 100644
+--- a/src/buffer.c
++++ b/src/buffer.c
+@@ -107,7 +107,7 @@ int buffer_replace2(struct buffer *b, char *pos, char *end, const char *str, int
+
+ delta = len - (end - pos);
+
+- if (bi_end(b) + delta > b->data + b->size)
++ if (b->p + b->i + delta > b->data + b->size)
+ return 0; /* no space left */
+
+ if (buffer_not_empty(b) &&
+@@ -146,7 +146,7 @@ int buffer_insert_line2(struct buffer *b, char *pos, const char *str, int len)
+
+ delta = len + 2;
+
+- if (bi_end(b) + delta >= b->data + b->size)
++ if (b->p + b->i + delta >= b->data + b->size)
+ return 0; /* no space left */
+
+ if (buffer_not_empty(b) &&
--- /dev/null
+commit 4be76416751aa22992a44f2f5cfdba506809fd89
+Author: Dirkjan Bussink <d.bussink@gmail.com>
+Date: Fri Sep 14 11:14:21 2018 +0200
+
+ MEDIUM: ssl: add support for ciphersuites option for TLSv1.3
+
+ OpenSSL released support for TLSv1.3. It also added a separate function
+ SSL_CTX_set_ciphersuites that is used to set the ciphers used in the
+ TLS 1.3 handshake. This change adds support for that new configuration
+ option by adding a ciphersuites configuration variable that works
+ essentially the same as the existing ciphers setting.
+
+ Note that it should likely be backported to 1.8 in order to ease usage
+ of the now released openssl-1.1.1.
+
+ (cherry picked from commit 415150f7640b06740fa832363d186c5c6565338e)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/doc/configuration.txt b/doc/configuration.txt
+index 580194ec..7a268386 100644
+--- a/doc/configuration.txt
++++ b/doc/configuration.txt
+@@ -580,8 +580,10 @@ The following keywords are supported in the "global" section :
+ - setenv
+ - stats
+ - ssl-default-bind-ciphers
++ - ssl-default-bind-ciphersuites
+ - ssl-default-bind-options
+ - ssl-default-server-ciphers
++ - ssl-default-server-ciphersuites
+ - ssl-default-server-options
+ - ssl-dh-param-file
+ - ssl-server-verify
+@@ -984,11 +986,25 @@ setenv <name> <value>
+ ssl-default-bind-ciphers <ciphers>
+ This setting is only available when support for OpenSSL was built in. It sets
+ the default string describing the list of cipher algorithms ("cipher suite")
+- that are negotiated during the SSL/TLS handshake for all "bind" lines which
+- do not explicitly define theirs. The format of the string is defined in
+- "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such
+- as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
+- "bind" keyword for more information.
++ that are negotiated during the SSL/TLS handshake except for TLSv1.3 for all
++ "bind" lines which do not explicitly define theirs. The format of the string
++ is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance
++ a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). For
++ TLSv1.3 cipher configuration, please check the "ssl-default-bind-ciphersuites"
++ keyword. Please check the "bind" keyword for more information.
++
++ssl-default-bind-ciphersuites <ciphersuites>
++ This setting is only available when support for OpenSSL was built in and
++ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string
++ describing the list of cipher algorithms ("cipher suite") that are negotiated
++ during the TLSv1.3 handshake for all "bind" lines which do not explicitly define
++ theirs. The format of the string is defined in
++ "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites", and can
++ be for instance a string such as
++ "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
++ (without quotes). For cipher configuration for TLSv1.2 and earlier, please check
++ the "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
++ information.
+
+ ssl-default-bind-options [<option>]...
+ This setting is only available when support for OpenSSL was built in. It sets
+@@ -1002,10 +1018,21 @@ ssl-default-bind-options [<option>]...
+ ssl-default-server-ciphers <ciphers>
+ This setting is only available when support for OpenSSL was built in. It
+ sets the default string describing the list of cipher algorithms that are
+- negotiated during the SSL/TLS handshake with the server, for all "server"
+- lines which do not explicitly define theirs. The format of the string is
+- defined in "man 1 ciphers". Please check the "server" keyword for more
+- information.
++ negotiated during the SSL/TLS handshake except for TLSv1.3 with the server,
++ for all "server" lines which do not explicitly define theirs. The format of
++ the string is defined in "man 1 ciphers". For TLSv1.3 cipher configuration,
++ please check the "ssl-default-server-ciphersuites" keyword. Please check the
++ "server" keyword for more information.
++
++ssl-default-server-ciphersuites <ciphersuites>
++ This setting is only available when support for OpenSSL was built in and
++ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default
++ string describing the list of cipher algorithms that are negotiated during
++ the TLSv1.3 handshake with the server, for all "server" lines which do not
++ explicitly define theirs. The format of the string is defined in
++ "man 1 ciphers" under the "ciphersuites" section. For cipher configuration for
++ TLSv1.2 and earlier, please check the "ssl-default-server-ciphers" keyword.
++ Please check the "server" keyword for more information.
+
+ ssl-default-server-options [<option>]...
+ This setting is only available when support for OpenSSL was built in. It sets
+@@ -10510,13 +10537,26 @@ ca-sign-pass <passphrase>
+ ciphers <ciphers>
+ This setting is only available when support for OpenSSL was built in. It sets
+ the string describing the list of cipher algorithms ("cipher suite") that are
+- negotiated during the SSL/TLS handshake. The format of the string is defined
+- in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string
+- such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes).
+- Depending on the compatibility and security requirements, the list of suitable
+- ciphers depends on a variety of variables. For background information and
+- recommendations see e. g. (https://wiki.mozilla.org/Security/Server_Side_TLS)
+- and (https://mozilla.github.io/server-side-tls/ssl-config-generator/).
++ negotiated during the SSL/TLS handshake except for TLSv1.3. The format of the
++ string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for
++ instance a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without
++ quotes). Depending on the compatibility and security requirements, the list
++ of suitable ciphers depends on a variety of variables. For background
++ information and recommendations see e.g.
++ (https://wiki.mozilla.org/Security/Server_Side_TLS) and
++ (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
++ cipher configuration, please check the "ciphersuites" keyword.
++
++ciphersuites <ciphersuites>
++ This setting is only available when support for OpenSSL was built in and
++ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the string describing
++ the list of cipher algorithms ("cipher suite") that are negotiated during the
++ TLSv1.3 handshake. The format of the string is defined in "man 1 ciphers" from
++ OpenSSL man pages under the "ciphersuites" section, and can be for instance a
++ string such as
++ "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
++ (without quotes). For cipher configuration for TLSv1.2 and earlier, please check
++ the "ciphers" keyword.
+
+ crl-file <crlfile>
+ This setting is only available when support for OpenSSL was built in. It
+@@ -11226,8 +11266,9 @@ check-ssl
+ this option.
+
+ ciphers <ciphers>
+- This option sets the string describing the list of cipher algorithms that is
+- is negotiated during the SSL/TLS handshake with the server. The format of the
++ This setting is only available when support for OpenSSL was built in. This
++ option sets the string describing the list of cipher algorithms that is
++ negotiated during the SSL/TLS handshake with the server. The format of the
+ string is defined in "man 1 ciphers". When SSL is used to communicate with
+ servers on the local network, it is common to see a weaker set of algorithms
+ than what is used over the internet. Doing so reduces CPU usage on both the
+@@ -11235,6 +11276,13 @@ ciphers <ciphers>
+ Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
+ is needed and just connectivity, using DES can be appropriate.
+
++ciphersuites <ciphersuites>
++ This setting is only available when support for OpenSSL was built in and
++ OpenSSL 1.1.1 or later was used to build HAProxy. This option sets the string
++ describing the list of cipher algorithms that is negotiated during the TLS
++ 1.3 handshake with the server. The format of the string is defined in
++ "man 1 ciphers" under the "ciphersuites" section.
++
+ cookie <value>
+ The "cookie" parameter sets the cookie value assigned to the server to
+ <value>. This value will be checked in incoming requests, and the first
+diff --git a/include/common/defaults.h b/include/common/defaults.h
+index f53c611e..a45ab0da 100644
+--- a/include/common/defaults.h
++++ b/include/common/defaults.h
+@@ -234,11 +234,21 @@
+ #define CONNECT_DEFAULT_CIPHERS NULL
+ #endif
+
++/* ciphers used as defaults on TLS 1.3 connect */
++#ifndef CONNECT_DEFAULT_CIPHERSUITES
++#define CONNECT_DEFAULT_CIPHERSUITES NULL
++#endif
++
+ /* ciphers used as defaults on listeners */
+ #ifndef LISTEN_DEFAULT_CIPHERS
+ #define LISTEN_DEFAULT_CIPHERS NULL
+ #endif
+
++/* cipher suites used as defaults on TLS 1.3 listeners */
++#ifndef LISTEN_DEFAULT_CIPHERSUITES
++#define LISTEN_DEFAULT_CIPHERSUITES NULL
++#endif
++
+ /* named curve used as defaults for ECDHE ciphers */
+ #ifndef ECDHE_DEFAULT_CURVE
+ #define ECDHE_DEFAULT_CURVE "prime256v1"
+diff --git a/include/types/listener.h b/include/types/listener.h
+index c55569cd..ea2eadb5 100644
+--- a/include/types/listener.h
++++ b/include/types/listener.h
+@@ -128,6 +128,9 @@ struct ssl_bind_conf {
+ char *ca_file; /* CAfile to use on verify */
+ char *crl_file; /* CRLfile to use on verify */
+ char *ciphers; /* cipher suite to use if non-null */
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ char *ciphersuites; /* TLS 1.3 cipher suite to use if non-null */
++#endif
+ char *curves; /* curves suite to use for ECDHE */
+ char *ecdhe; /* named curve to use for ECDHE */
+ struct tls_version_filter ssl_methods; /* ssl methods */
+diff --git a/include/types/server.h b/include/types/server.h
+index fd3c8bad..79ae7b72 100644
+--- a/include/types/server.h
++++ b/include/types/server.h
+@@ -281,6 +281,9 @@ struct server {
+ int allocated_size;
+ } * reused_sess;
+ char *ciphers; /* cipher suite to use if non-null */
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ char *ciphersuites; /* TLS 1.3 cipher suite to use if non-null */
++#endif
+ int options; /* ssl options */
+ int verify; /* verify method (set of SSL_VERIFY_* flags) */
+ struct tls_version_filter methods; /* ssl methods */
+diff --git a/src/server.c b/src/server.c
+index 842e4149..4941bd03 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -1380,6 +1380,10 @@ static void srv_ssl_settings_cpy(struct server *srv, struct server *src)
+ srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host);
+ if (src->ssl_ctx.ciphers != NULL)
+ srv->ssl_ctx.ciphers = strdup(src->ssl_ctx.ciphers);
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ if (src->ssl_ctx.ciphersuites != NULL)
++ srv->ssl_ctx.ciphersuites = strdup(src->ssl_ctx.ciphersuites);
++#endif
+ if (src->sni_expr != NULL)
+ srv->sni_expr = strdup(src->sni_expr);
+ }
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index 08fdffab..2da0df68 100644
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -169,6 +169,10 @@ static struct {
+
+ char *listen_default_ciphers;
+ char *connect_default_ciphers;
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ char *listen_default_ciphersuites;
++ char *connect_default_ciphersuites;
++#endif
+ int listen_default_ssloptions;
+ int connect_default_ssloptions;
+ struct tls_version_filter listen_default_sslmethods;
+@@ -186,6 +190,14 @@ static struct {
+ #endif
+ #ifdef CONNECT_DEFAULT_CIPHERS
+ .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
++#endif
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++#ifdef LISTEN_DEFAULT_CIPHERSUITES
++ .listen_default_ciphersuites = LISTEN_DEFAULT_CIPHERSUITES,
++#endif
++#ifdef CONNECT_DEFAULT_CIPHERSUITES
++ .connect_default_ciphersuites = CONNECT_DEFAULT_CIPHERSUITES,
++#endif
+ #endif
+ .listen_default_ssloptions = BC_SSL_O_NONE,
+ .connect_default_ssloptions = SRV_SSL_O_NONE,
+@@ -3528,6 +3540,10 @@ void ssl_sock_free_ssl_conf(struct ssl_bind_conf *conf)
+ conf->crl_file = NULL;
+ free(conf->ciphers);
+ conf->ciphers = NULL;
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ free(conf->ciphersuites);
++ conf->ciphersuites = NULL;
++#endif
+ free(conf->curves);
+ conf->curves = NULL;
+ free(conf->ecdhe);
+@@ -4061,6 +4077,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
+ int verify = SSL_VERIFY_NONE;
+ struct ssl_bind_conf __maybe_unused *ssl_conf_cur;
+ const char *conf_ciphers;
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ const char *conf_ciphersuites;
++#endif
+ const char *conf_curves = NULL;
+
+ if (ssl_conf) {
+@@ -4160,6 +4179,16 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
+ cfgerr++;
+ }
+
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites;
++ if (conf_ciphersuites &&
++ !SSL_CTX_set_ciphersuites(ctx, conf_ciphersuites)) {
++ ha_alert("Proxy '%s': unable to set TLS 1.3 cipher suites to '%s' for bind '%s' at [%s:%d].\n",
++ curproxy->id, conf_ciphersuites, bind_conf->arg, bind_conf->file, bind_conf->line);
++ cfgerr++;
++ }
++#endif
++
+ #ifndef OPENSSL_NO_DH
+ /* If tune.ssl.default-dh-param has not been set,
+ neither has ssl-default-dh-file and no static DH
+@@ -4642,6 +4671,16 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
+ cfgerr++;
+ }
+
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ if (srv->ssl_ctx.ciphersuites &&
++ !SSL_CTX_set_cipher_list(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphersuites)) {
++ ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS 1.3 cipher suites to '%s'.\n",
++ curproxy->id, srv->id,
++ srv->conf.file, srv->conf.line, srv->ssl_ctx.ciphersuites);
++ cfgerr++;
++ }
++#endif
++
+ return cfgerr;
+ }
+
+@@ -7101,6 +7140,26 @@ static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct
+ {
+ return ssl_bind_parse_ciphers(args, cur_arg, px, &conf->ssl_conf, err);
+ }
++
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++/* parse the "ciphersuites" bind keyword */
++static int ssl_bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
++{
++ if (!*args[cur_arg + 1]) {
++ memprintf(err, "'%s' : missing cipher suite", args[cur_arg]);
++ return ERR_ALERT | ERR_FATAL;
++ }
++
++ free(conf->ciphersuites);
++ conf->ciphersuites = strdup(args[cur_arg + 1]);
++ return 0;
++}
++static int bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
++{
++ return ssl_bind_parse_ciphersuites(args, cur_arg, px, &conf->ssl_conf, err);
++}
++#endif
++
+ /* parse the "crt" bind keyword */
+ static int bind_parse_crt(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+ {
+@@ -7492,6 +7551,10 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
+
+ if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
+ conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ if (global_ssl.listen_default_ciphersuites && !conf->ssl_conf.ciphersuites)
++ conf->ssl_conf.ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
++#endif
+ conf->ssl_options |= global_ssl.listen_default_ssloptions;
+ conf->ssl_conf.ssl_methods.flags |= global_ssl.listen_default_sslmethods.flags;
+ if (!conf->ssl_conf.ssl_methods.min)
+@@ -7689,6 +7752,10 @@ static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, stru
+ newsrv->check.use_ssl = 1;
+ if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
+ newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites)
++ newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
++#endif
+ newsrv->ssl_ctx.options |= global_ssl.connect_default_ssloptions;
+ newsrv->ssl_ctx.methods.flags |= global_ssl.connect_default_sslmethods.flags;
+ if (!newsrv->ssl_ctx.methods.min)
+@@ -7712,6 +7779,21 @@ static int srv_parse_ciphers(char **args, int *cur_arg, struct proxy *px, struct
+ return 0;
+ }
+
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++/* parse the "ciphersuites" server keyword */
++static int srv_parse_ciphersuites(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
++{
++ if (!*args[*cur_arg + 1]) {
++ memprintf(err, "'%s' : missing cipher suite", args[*cur_arg]);
++ return ERR_ALERT | ERR_FATAL;
++ }
++
++ free(newsrv->ssl_ctx.ciphersuites);
++ newsrv->ssl_ctx.ciphersuites = strdup(args[*cur_arg + 1]);
++ return 0;
++}
++#endif
++
+ /* parse the "crl-file" server keyword */
+ static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
+ {
+@@ -7853,6 +7935,10 @@ static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct ser
+ newsrv->use_ssl = 1;
+ if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
+ newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites)
++ newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
++#endif
+ return 0;
+ }
+
+@@ -8092,6 +8178,32 @@ static int ssl_parse_global_ciphers(char **args, int section_type, struct proxy
+ return 0;
+ }
+
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++/* parse the "ssl-default-bind-ciphersuites" / "ssl-default-server-ciphersuites" keywords
++ * in global section. Returns <0 on alert, >0 on warning, 0 on success.
++ */
++static int ssl_parse_global_ciphersuites(char **args, int section_type, struct proxy *curpx,
++ struct proxy *defpx, const char *file, int line,
++ char **err)
++{
++ char **target;
++
++ target = (args[0][12] == 'b') ? &global_ssl.listen_default_ciphersuites : &global_ssl.connect_default_ciphersuites;
++
++ if (too_many_args(1, args, err, NULL))
++ return -1;
++
++ if (*(args[1]) == 0) {
++ memprintf(err, "global statement '%s' expects a cipher suite as an argument.", args[0]);
++ return -1;
++ }
++
++ free(*target);
++ *target = strdup(args[1]);
++ return 0;
++}
++#endif
++
+ /* parse various global tune.ssl settings consisting in positive integers.
+ * Returns <0 on alert, >0 on warning, 0 on success.
+ */
+@@ -8599,6 +8711,9 @@ static struct ssl_bind_kw ssl_bind_kws[] = {
+ { "alpn", ssl_bind_parse_alpn, 1 }, /* set ALPN supported protocols */
+ { "ca-file", ssl_bind_parse_ca_file, 1 }, /* set CAfile to process verify on client cert */
+ { "ciphers", ssl_bind_parse_ciphers, 1 }, /* set SSL cipher suite */
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ { "ciphersuites", ssl_bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
++#endif
+ { "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
+ { "curves", ssl_bind_parse_curves, 1 }, /* set SSL curve suite */
+ { "ecdhe", ssl_bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
+@@ -8618,6 +8733,9 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
+ { "ca-sign-file", bind_parse_ca_sign_file, 1 }, /* set CAFile used to generate and sign server certs */
+ { "ca-sign-pass", bind_parse_ca_sign_pass, 1 }, /* set CAKey passphrase */
+ { "ciphers", bind_parse_ciphers, 1 }, /* set SSL cipher suite */
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ { "ciphersuites", bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
++#endif
+ { "crl-file", bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
+ { "crt", bind_parse_crt, 1 }, /* load SSL certificates from this location */
+ { "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */
+@@ -8661,6 +8779,9 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
+ { "check-sni", srv_parse_check_sni, 1, 1 }, /* set SNI */
+ { "check-ssl", srv_parse_check_ssl, 0, 1 }, /* enable SSL for health checks */
+ { "ciphers", srv_parse_ciphers, 1, 1 }, /* select the cipher suite */
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ { "ciphersuites", srv_parse_ciphersuites, 1, 1 }, /* select the cipher suite */
++#endif
+ { "crl-file", srv_parse_crl_file, 1, 1 }, /* set certificate revocation list file use on server cert verify */
+ { "crt", srv_parse_crt, 1, 1 }, /* set client certificate */
+ { "force-sslv3", srv_parse_tls_method_options, 0, 1 }, /* force SSLv3 */
+@@ -8716,6 +8837,10 @@ static struct cfg_kw_list cfg_kws = {ILH, {
+ { CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist },
+ { CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
+ { CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ { CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites },
++ { CFG_GLOBAL, "ssl-default-server-ciphersuites", ssl_parse_global_ciphersuites },
++#endif
+ { 0, NULL, NULL },
+ }};
+
+@@ -8793,6 +8918,12 @@ static void __ssl_sock_init(void)
+ global_ssl.listen_default_ciphers = strdup(global_ssl.listen_default_ciphers);
+ if (global_ssl.connect_default_ciphers)
+ global_ssl.connect_default_ciphers = strdup(global_ssl.connect_default_ciphers);
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
++ if (global_ssl.listen_default_ciphersuites)
++ global_ssl.listen_default_ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
++ if (global_ssl.connect_default_ciphersuites)
++ global_ssl.connect_default_ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
++#endif
+
+ xprt_register(XPRT_SSL, &ssl_sock);
+ SSL_library_init();
--- /dev/null
+commit 30ba96df349ace825749a57490defeb50001a550
+Author: Emeric Brun <ebrun@haproxy.com>
+Date: Wed Oct 10 14:51:02 2018 +0200
+
+ BUG/MEDIUM: Cur/CumSslConns counters not threadsafe.
+
+ CurSslConns inc/dec operations are not threadsafe. The unsigned CurSslConns
+ counter can wrap to a negative value. So we could notice connection rejects
+ because of MaxSslConns limit artificially exceeded.
+
+ CumSslConns inc operation are also not threadsafe so we could miss
+ some connections and show inconsistenties values compared to CumConns.
+
+ This fix should be backported to v1.8.
+
+ (cherry picked from commit 7ad43e7928c9a61b40332e4d5e9a7ccc33e6b65b)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index 2da0df68..6eed8022 100644
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -491,7 +491,7 @@ static void ssl_async_fd_free(int fd)
+
+ /* Now we can safely call SSL_free, no more pending job in engines */
+ SSL_free(ssl);
+- sslconns--;
++ HA_ATOMIC_SUB(&sslconns, 1);
+ HA_ATOMIC_SUB(&jobs, 1);
+ }
+ /*
+@@ -5011,8 +5011,8 @@ static int ssl_sock_init(struct connection *conn)
+ /* leave init state and start handshake */
+ conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
+
+- sslconns++;
+- totalsslconns++;
++ HA_ATOMIC_ADD(&sslconns, 1);
++ HA_ATOMIC_ADD(&totalsslconns, 1);
+ return 0;
+ }
+ else if (objt_listener(conn->target)) {
+@@ -5062,8 +5062,8 @@ static int ssl_sock_init(struct connection *conn)
+ conn->flags |= CO_FL_EARLY_SSL_HS;
+ #endif
+
+- sslconns++;
+- totalsslconns++;
++ HA_ATOMIC_ADD(&sslconns, 1);
++ HA_ATOMIC_ADD(&totalsslconns, 1);
+ return 0;
+ }
+ /* don't know how to handle such a target */
+@@ -5713,7 +5713,7 @@ static void ssl_sock_close(struct connection *conn) {
+ #endif
+ SSL_free(conn->xprt_ctx);
+ conn->xprt_ctx = NULL;
+- sslconns--;
++ HA_ATOMIC_SUB(&sslconns, 1);
+ }
+ }
+
--- /dev/null
+commit 8a6c4ff3f407b916bc08da4e76ed7813768ac937
+Author: mildis <me@mildis.org>
+Date: Tue Oct 2 16:46:34 2018 +0200
+
+ BUG/MINOR: checks: queues null-deref
+
+ queues can be null if calloc() failed.
+ Bypass free* calls when calloc did fail.
+
+ (cherry picked from commit 5ab01cb01114065a3573570a48e84815e751bf14)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/checks.c b/src/checks.c
+index 098ddecf..74958b2d 100644
+--- a/src/checks.c
++++ b/src/checks.c
+@@ -3182,7 +3182,7 @@ int init_email_alert(struct mailers *mls, struct proxy *p, char **err)
+
+ if ((queues = calloc(mls->count, sizeof(*queues))) == NULL) {
+ memprintf(err, "out of memory while allocating mailer alerts queues");
+- goto error;
++ goto fail_no_queue;
+ }
+
+ for (mailer = mls->mailer_list; mailer; i++, mailer = mailer->next) {
+@@ -3239,6 +3239,7 @@ int init_email_alert(struct mailers *mls, struct proxy *p, char **err)
+ free_check(check);
+ }
+ free(queues);
++ fail_no_queue:
+ return 1;
+ }
+
--- /dev/null
+commit df4822ea169adc5c7c987fa077438f0ded1ac39b
+Author: Emeric Brun <ebrun@haproxy.com>
+Date: Thu Oct 11 15:27:07 2018 +0200
+
+ BUG/MEDIUM: mworker: segfault receiving SIGUSR1 followed by SIGTERM.
+
+ This bug appeared only if nbthread > 1. Handling the pipe with the
+ master, multiple threads of the same worker could process the deinit().
+
+ In addition, deinit() was called while some other threads were still
+ performing some tasks.
+
+ This patch assign the handler of the pipe with master to only the first
+ thread and removes the call to deinit() before exiting with an error.
+
+ This patch should be backported in v1.8.
+
+ (cherry picked from commit c8c0ed91cb4436491efd2ce2c4b4b1694aeeccca)
+ [wt: adjusted context]
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/haproxy.c b/src/haproxy.c
+index e0186ff9..1959dd0f 100644
+--- a/src/haproxy.c
++++ b/src/haproxy.c
+@@ -2349,7 +2349,13 @@ void mworker_pipe_handler(int fd)
+ break;
+ }
+
+- deinit();
++ /* At this step the master is down before
++ * this worker perform a 'normal' exit.
++ * So we want to exit with an error but
++ * other threads could currently process
++ * some stuff so we can't perform a clean
++ * deinit().
++ */
+ exit(EXIT_FAILURE);
+ return;
+ }
+@@ -2364,7 +2370,10 @@ void mworker_pipe_register()
+ fcntl(mworker_pipe[0], F_SETFL, O_NONBLOCK);
+ fdtab[mworker_pipe[0]].owner = mworker_pipe;
+ fdtab[mworker_pipe[0]].iocb = mworker_pipe_handler;
+- fd_insert(mworker_pipe[0], MAX_THREADS_MASK);
++ /* In multi-tread, we need only one thread to process
++ * events on the pipe with master
++ */
++ fd_insert(mworker_pipe[0], 1);
+ fd_want_recv(mworker_pipe[0]);
+ }
+
--- /dev/null
+commit 4bf6d76a22b9b601fd57df4aa0f4fba62733cb07
+Author: Willy Tarreau <w@1wt.eu>
+Date: Mon Oct 15 11:08:55 2018 +0200
+
+ BUG/MEDIUM: stream: don't crash on out-of-memory
+
+ In case pool_alloc() fails in stream_new(), we try to detach the stream
+ from the list before it has been added, dereferencing a NULL. In order
+ to fix it, simply move the LIST_DEL call upwards.
+
+ This must be backported to 1.8.
+
+ (cherry picked from commit e5f229e6392fd54aaba7fe58f457723c16b9d15f)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/stream.c b/src/stream.c
+index 11c9dbf3..ef7cff5c 100644
+--- a/src/stream.c
++++ b/src/stream.c
+@@ -282,8 +282,8 @@ struct stream *stream_new(struct session *sess, enum obj_type *origin)
+ out_fail_accept:
+ flt_stream_release(s, 0);
+ task_free(t);
+- out_fail_alloc:
+ LIST_DEL(&s->list);
++ out_fail_alloc:
+ pool_free(pool_head_stream, s);
+ return NULL;
+ }
--- /dev/null
+commit d332b12b262ad7df1c8bdda52dad100f40399d24
+Author: Willy Tarreau <w@1wt.eu>
+Date: Mon Oct 15 11:01:59 2018 +0200
+
+ BUILD: ssl: fix null-deref warning in ssl_fc_cipherlist_str sample fetch
+
+ Gcc 6.4 detects a potential null-deref warning in smp_fetch_ssl_fc_cl_str().
+ This one is not real since already addressed a few lines above. Let's use
+ __objt_conn() instead of objt_conn() to avoid the extra test that confuses
+ it.
+
+ This could be backported to 1.8.
+
+ (cherry picked from commit b729077710b14c75936909409e27a4fa0badcb54)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index 6eed8022..4577fef4 100644
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -6929,7 +6929,7 @@ smp_fetch_ssl_fc_cl_str(const struct arg *args, struct sample *smp, const char *
+ #if defined(OPENSSL_IS_BORINGSSL)
+ cipher = SSL_get_cipher_by_value(id);
+ #else
+- struct connection *conn = objt_conn(smp->sess->origin);
++ struct connection *conn = __objt_conn(smp->sess->origin);
+ cipher = SSL_CIPHER_find(conn->xprt_ctx, bin);
+ #endif
+ str = SSL_CIPHER_get_name(cipher);
--- /dev/null
+commit 892c21240adb9ac230d4bd27cc8be4767b4902aa
+Author: Willy Tarreau <w@1wt.eu>
+Date: Mon Oct 15 13:20:07 2018 +0200
+
+ BUILD: ssl: fix another null-deref warning in ssl_sock_switchctx_cbk()
+
+ This null-deref cannot happen either as there necesarily is a listener
+ where this function is called. Let's use __objt_listener() to address
+ this.
+
+ This may be backported to 1.8.
+
+ (cherry picked from commit a8825520b785d592467c45e183ad8213cb7bf891)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index 4577fef4..cfbc38b7 100644
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -2113,7 +2113,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
+ int i;
+
+ conn = SSL_get_ex_data(ssl, ssl_app_data_index);
+- s = objt_listener(conn->target)->bind_conf;
++ s = __objt_listener(conn->target)->bind_conf;
+
+ if (s->ssl_conf.early_data)
+ allow_early = 1;
--- /dev/null
+commit eb72c1faedc39c68fb1246ea8a97d1f96831756c
+Author: Willy Tarreau <w@1wt.eu>
+Date: Mon Oct 15 11:12:15 2018 +0200
+
+ BUILD: stick-table: make sure not to fail on task_new() during initialization
+
+ Gcc reports a potential null-deref error in the stick-table init code.
+ While not critical there, it's trivial to fix. This check has been
+ missing since 1.4 so this fix can be backported to all supported versions.
+
+ (cherry picked from commit 848522f05df9e60eea9274e11f1e9fcd19594a5c)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/stick_table.c b/src/stick_table.c
+index 5a2f1295..653a1ffb 100644
+--- a/src/stick_table.c
++++ b/src/stick_table.c
+@@ -602,6 +602,8 @@ int stktable_init(struct stktable *t)
+ t->exp_next = TICK_ETERNITY;
+ if ( t->expire ) {
+ t->exp_task = task_new(MAX_THREADS_MASK);
++ if (!t->exp_task)
++ return 0;
+ t->exp_task->process = process_table_expire;
+ t->exp_task->context = (void *)t;
+ }
--- /dev/null
+commit d28afe3631e20a9fcca47efde031d62e501eff48
+Author: Willy Tarreau <w@1wt.eu>
+Date: Mon Oct 15 11:18:03 2018 +0200
+
+ BUILD: peers: check allocation error during peers_init_sync()
+
+ peers_init_sync() doesn't check task_new()'s return value and doesn't
+ return any result to indicate success or failure. Let's make it return
+ an int and check it from the caller.
+
+ This can be backported as far as 1.6.
+
+ (cherry picked from commit d944344f01d9ea914d94c45f6ac7c224c6143fc9)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/include/proto/peers.h b/include/proto/peers.h
+index 782b66e4..9d4aaff2 100644
+--- a/include/proto/peers.h
++++ b/include/proto/peers.h
+@@ -28,7 +28,7 @@
+ #include <types/stream.h>
+ #include <types/peers.h>
+
+-void peers_init_sync(struct peers *peers);
++int peers_init_sync(struct peers *peers);
+ void peers_register_table(struct peers *, struct stktable *table);
+ void peers_setup_frontend(struct proxy *fe);
+
+diff --git a/src/cfgparse.c b/src/cfgparse.c
+index d1474d4b..7414b60d 100644
+--- a/src/cfgparse.c
++++ b/src/cfgparse.c
+@@ -9111,7 +9111,12 @@ out_uri_auth_compat:
+ curpeers->peers_fe = NULL;
+ }
+ else {
+- peers_init_sync(curpeers);
++ if (!peers_init_sync(curpeers)) {
++ ha_alert("Peers section '%s': out of memory, giving up on peers.\n",
++ curpeers->id);
++ cfgerr++;
++ break;
++ }
+ last = &curpeers->next;
+ continue;
+ }
+diff --git a/src/peers.c b/src/peers.c
+index c56ed3af..0cd56da3 100644
+--- a/src/peers.c
++++ b/src/peers.c
+@@ -2159,9 +2159,9 @@ static struct task *process_peer_sync(struct task * task)
+
+
+ /*
+- *
++ * returns 0 in case of error.
+ */
+-void peers_init_sync(struct peers *peers)
++int peers_init_sync(struct peers *peers)
+ {
+ struct peer * curpeer;
+ struct listener *listener;
+@@ -2173,10 +2173,14 @@ void peers_init_sync(struct peers *peers)
+ list_for_each_entry(listener, &peers->peers_fe->conf.listeners, by_fe)
+ listener->maxconn = peers->peers_fe->maxconn;
+ peers->sync_task = task_new(MAX_THREADS_MASK);
++ if (!peers->sync_task)
++ return 0;
++
+ peers->sync_task->process = process_peer_sync;
+ peers->sync_task->context = (void *)peers;
+ peers->sighandler = signal_register_task(0, peers->sync_task, 0);
+ task_wakeup(peers->sync_task, TASK_WOKEN_INIT);
++ return 1;
+ }
+
+
--- /dev/null
+commit c6eb147201c1d05afaadc5fd248b17be91f97331
+Author: Bertrand Jacquin <bertrand@jacquin.bzh>
+Date: Sat Oct 13 16:06:18 2018 +0100
+
+ DOC: Fix a few typos
+
+ these are mostly spelling mistakes, some of them might be candidate for
+ backporting as well.
+
+ (cherry picked from commit d5e4de8e5f99108e31dc7a23a0e91c4231e37974)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/CONTRIBUTING b/CONTRIBUTING
+index b2c2b493..cd97e69b 100644
+--- a/CONTRIBUTING
++++ b/CONTRIBUTING
+@@ -309,7 +309,7 @@ do not think about them anymore after a few patches.
+ A good rule of thumb is that if your identifiers start to contain more than
+ 3 words or more than 15 characters, they can become confusing. For function
+ names it's less important especially if these functions are rarely used or
+- are used in a complex context where it is important to differenciate between
++ are used in a complex context where it is important to differentiate between
+ their multiple variants.
+
+ 9) Unified diff only
+@@ -318,7 +318,7 @@ do not think about them anymore after a few patches.
+ that you have committed your patch to a local branch, with an appropriate
+ subject line and a useful commit message explaining what the patch attempts
+ to do. It is not strictly required to use git, but what is strictly required
+- is to have all these elements in the same mail, easily distinguishible, and
++ is to have all these elements in the same mail, easily distinguishable, and
+ a patch in "diff -up" format (which is also the format used by Git). This
+ means the "unified" diff format must be used exclusively, and with the
+ function name printed in the diff header of each block. That significantly
+@@ -761,7 +761,7 @@ sent to the mailing list : haproxy@formilux.org and CCed to relevant subsystem
+ maintainers or authors of the modified files if their address appears at the
+ top of the file.
+
+-Please don't send pull-requests, they are really unconvenient. First, a pull
++Please don't send pull-requests, they are really inconvenient. First, a pull
+ implies a merge operation and the code doesn't move fast enough to justify the
+ use of merges. Second, pull requests are not easily commented on by the
+ project's participants, contrary to e-mails where anyone is allowed to have an
+diff --git a/include/types/connection.h b/include/types/connection.h
+index 5e8af3e7..b9e46048 100644
+--- a/include/types/connection.h
++++ b/include/types/connection.h
+@@ -45,7 +45,7 @@ struct server;
+ struct pipe;
+
+
+-/* A connection handle is how we differenciate two connections on the lower
++/* A connection handle is how we differentiate two connections on the lower
+ * layers. It usually is a file descriptor but can be a connection id.
+ */
+ union conn_handle {
--- /dev/null
+commit 75795017480da0f0a1157e945043249fe625f92f
+Author: Willy Tarreau <w@1wt.eu>
+Date: Tue Oct 16 16:11:56 2018 +0200
+
+ BUG/MEDIUM: threads: fix thread_release() at the end of the rendez-vous point
+
+ There is a bug in this function used to release other threads. It leaves
+ the current thread marked as harmless. If after this another thread does
+ a thread_isolate(), but before the first one reaches poll(), the second
+ thread will believe it's alone while it's not.
+
+ This must be backported to 1.8 since the rendez-vous point was merged
+ into 1.8.14.
+
+ (cherry picked from commit a9c0252b2e8ff7bb728b84d977ac6e9581ea12f8)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/hathreads.c b/src/hathreads.c
+index 9dba4356..0a7c12f7 100644
+--- a/src/hathreads.c
++++ b/src/hathreads.c
+@@ -221,12 +221,8 @@ void thread_isolate()
+ */
+ void thread_release()
+ {
+- while (1) {
+- HA_ATOMIC_AND(&threads_want_rdv_mask, ~tid_bit);
+- if (!(threads_want_rdv_mask & all_threads_mask))
+- break;
+- thread_harmless_till_end();
+- }
++ HA_ATOMIC_AND(&threads_want_rdv_mask, ~tid_bit);
++ thread_harmless_end();
+ }
+
+ __attribute__((constructor))
--- /dev/null
+commit 4805c249aabc45cd59386694f962e19ab50e8ca9
+Author: Willy Tarreau <w@1wt.eu>
+Date: Tue Oct 16 16:57:40 2018 +0200
+
+ BUG/MEDIUM: threads: make sure threads_want_sync is marked volatile
+
+ The threads_want_sync variable is not volatile, which allows the compiler
+ to cache old copies of it for long parts of code and possibly optimize
+ some tests away. This could result in deadlocks when using heavy queue
+ activity or health check state changes.
+
+ There is no upstream commit for this fix because the sync point was
+ completely removed from 1.9. This fix is exclusively for 1.8.
+
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/hathreads.c b/src/hathreads.c
+index 0a7c12f7..730ebee4 100644
+--- a/src/hathreads.c
++++ b/src/hathreads.c
+@@ -29,7 +29,7 @@ void thread_sync_io_handler(int fd)
+
+ static HA_SPINLOCK_T sync_lock;
+ static int threads_sync_pipe[2] = {-1, -1};
+-static unsigned long threads_want_sync = 0;
++volatile static unsigned long threads_want_sync = 0;
+ volatile unsigned long threads_want_rdv_mask = 0;
+ volatile unsigned long threads_harmless_mask = 0;
+ volatile unsigned long all_threads_mask = 1; // nbthread 1 assumed by default
--- /dev/null
+commit d26a40412197ba61a72368c71e8a8582d686d28c
+Author: Willy Tarreau <w@1wt.eu>
+Date: Mon Oct 15 11:53:34 2018 +0200
+
+ BUILD: compiler: add a new statement "__unreachable()"
+
+ This statement is used as a hint for the compiler so that it knows that
+ the location where it's placed cannot be reached. It will mostly be used
+ after longjmp() or equivalent statements that deal with error processing
+ and that the compiler doesn't know will not return on certain conditions,
+ so that it doesn't complain about null dereferences on error paths.
+
+ (cherry picked from commit 8d26f02e693121764bfa0cb48c9a7ab31e17225d)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/include/common/compiler.h b/include/common/compiler.h
+index a13aad5c..6f4f5a67 100644
+--- a/include/common/compiler.h
++++ b/include/common/compiler.h
+@@ -82,6 +82,18 @@
+ */
+ #define __maybe_unused __attribute__((unused))
+
++/* This allows gcc to know that some locations are never reached, for example
++ * after a longjmp() in the Lua code, hence that some errors caught by such
++ * methods cannot propagate further. This is important with gcc versions 6 and
++ * above which can more aggressively detect null dereferences. The builtin
++ * below was introduced in gcc 4.5, and before it we didn't care.
++ */
++#if __GNUC__ >= 5 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
++#define __unreachable() __builtin_unreachable()
++#else
++#define __unreachable()
++#endif
++
+ /*
+ * Gcc >= 3 provides the ability for the programme to give hints to the
+ * compiler about what branch of an if is most likely to be taken. This
--- /dev/null
+commit 330e08dfc588dc9b0ad42203123fab6c191ca2f8
+Author: Willy Tarreau <w@1wt.eu>
+Date: Tue Oct 16 17:52:55 2018 +0200
+
+ MINOR: lua: all functions calling lua_yieldk() may return
+
+ There was a mistake when tagging functions which always use longjmp and
+ those which may use it in that all those supposed to call lua_yieldk()
+ may return without calling longjmp. Thus they must not use WILL_LJMP()
+ but MAY_LJMP(). It has zero impact on the code emitted as such, but
+ prevents other fixes from being properly implemented : this was the
+ cause of the previous failure with the __unreachable() calls.
+
+ This may be backported to older versions. It may or may not apply
+ well depending on the context, though the change simply consists in
+ replacing "WILL_LJMP(hlua_yieldk" with "MAY_LJMP(hlua_yieldk", and
+ same with the single call to lua_yieldk() in hlua_yieldk().
+
+ (cherry picked from commit 9635e03c41e95dff38731f67cc9d8b00e3731d2a)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/hlua.c b/src/hlua.c
+index 60ba94ea..64102e8a 100644
+--- a/src/hlua.c
++++ b/src/hlua.c
+@@ -852,7 +852,7 @@ __LJMP void hlua_yieldk(lua_State *L, int nresults, int ctx,
+ hlua->flags |= flags;
+
+ /* Process the yield. */
+- WILL_LJMP(lua_yieldk(L, nresults, ctx, k));
++ MAY_LJMP(lua_yieldk(L, nresults, ctx, k));
+ }
+
+ /* This function initialises the Lua environment stored in the stream.
+@@ -1003,7 +1003,7 @@ void hlua_hook(lua_State *L, lua_Debug *ar)
+ * If the state is not yieldable, trying yield causes an error.
+ */
+ if (lua_isyieldable(L))
+- WILL_LJMP(hlua_yieldk(L, 0, 0, NULL, TICK_ETERNITY, HLUA_CTRLYIELD));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, NULL, TICK_ETERNITY, HLUA_CTRLYIELD));
+
+ /* If we cannot yield, update the clock and check the timeout. */
+ tv_update_date(0, 1);
+@@ -1883,7 +1883,7 @@ connection_empty:
+ WILL_LJMP(luaL_error(L, "out of memory"));
+ }
+ xref_unlock(&socket->xref, peer);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_receive_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_receive_yield, TICK_ETERNITY, 0));
+ return 0;
+ }
+
+@@ -2082,7 +2082,7 @@ hlua_socket_write_yield_return:
+ WILL_LJMP(luaL_error(L, "out of memory"));
+ }
+ xref_unlock(&socket->xref, peer);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_write_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_write_yield, TICK_ETERNITY, 0));
+ return 0;
+ }
+
+@@ -2375,7 +2375,7 @@ __LJMP static int hlua_socket_connect_yield(struct lua_State *L, int status, lua
+ WILL_LJMP(luaL_error(L, "out of memory error"));
+ }
+ xref_unlock(&socket->xref, peer);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0));
+ return 0;
+ }
+
+@@ -2493,7 +2493,7 @@ __LJMP static int hlua_socket_connect(struct lua_State *L)
+ task_wakeup(s->task, TASK_WOKEN_INIT);
+ /* Return yield waiting for connection. */
+
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0));
+
+ return 0;
+ }
+@@ -2819,7 +2819,7 @@ __LJMP static int hlua_channel_dup_yield(lua_State *L, int status, lua_KContext
+ chn = MAY_LJMP(hlua_checkchannel(L, 1));
+
+ if (_hlua_channel_dup(chn, L) == 0)
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_dup_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_dup_yield, TICK_ETERNITY, 0));
+ return 1;
+ }
+
+@@ -2845,7 +2845,7 @@ __LJMP static int hlua_channel_get_yield(lua_State *L, int status, lua_KContext
+
+ ret = _hlua_channel_dup(chn, L);
+ if (unlikely(ret == 0))
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_get_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_get_yield, TICK_ETERNITY, 0));
+
+ if (unlikely(ret == -1))
+ return 1;
+@@ -2883,7 +2883,7 @@ __LJMP static int hlua_channel_getline_yield(lua_State *L, int status, lua_KCont
+
+ ret = ci_getline_nc(chn, &blk1, &len1, &blk2, &len2);
+ if (ret == 0)
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_getline_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_getline_yield, TICK_ETERNITY, 0));
+
+ if (ret == -1) {
+ lua_pushnil(L);
+@@ -2932,7 +2932,7 @@ __LJMP static int hlua_channel_append_yield(lua_State *L, int status, lua_KConte
+ */
+ if (chn->buf->size == 0) {
+ si_applet_cant_put(chn_prod(chn));
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
+ }
+
+ max = channel_recv_limit(chn) - buffer_len(chn->buf);
+@@ -2946,7 +2946,7 @@ __LJMP static int hlua_channel_append_yield(lua_State *L, int status, lua_KConte
+ }
+ if (ret == -1) {
+ chn->flags |= CF_WAKE_WRITE;
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
+ }
+ l += ret;
+ lua_pop(L, 1);
+@@ -2962,7 +2962,7 @@ __LJMP static int hlua_channel_append_yield(lua_State *L, int status, lua_KConte
+ return 1;
+ }
+ if (l < len)
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
+ return 1;
+ }
+
+@@ -3026,7 +3026,7 @@ __LJMP static int hlua_channel_send_yield(lua_State *L, int status, lua_KContext
+ */
+ if (chn->buf->size == 0) {
+ si_applet_cant_put(chn_prod(chn));
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0));
+ }
+
+ /* the writed data will be immediatly sent, so we can check
+@@ -3082,7 +3082,7 @@ __LJMP static int hlua_channel_send_yield(lua_State *L, int status, lua_KContext
+ HLUA_SET_WAKERESWR(hlua);
+ else
+ HLUA_SET_WAKEREQWR(hlua);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0));
+ }
+
+ return 1;
+@@ -3146,7 +3146,7 @@ __LJMP static int hlua_channel_forward_yield(lua_State *L, int status, lua_KCont
+ HLUA_SET_WAKEREQWR(hlua);
+
+ /* Otherwise, we can yield waiting for new data in the inpout side. */
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_forward_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_forward_yield, TICK_ETERNITY, 0));
+ }
+
+ return 1;
+@@ -3654,7 +3654,7 @@ __LJMP static int hlua_applet_tcp_getline_yield(lua_State *L, int status, lua_KC
+ /* Data not yet avalaible. return yield. */
+ if (ret == 0) {
+ si_applet_cant_get(si);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_getline_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_getline_yield, TICK_ETERNITY, 0));
+ }
+
+ /* End of data: commit the total strings and return. */
+@@ -3709,7 +3709,7 @@ __LJMP static int hlua_applet_tcp_recv_yield(lua_State *L, int status, lua_KCont
+ /* Data not yet avalaible. return yield. */
+ if (ret == 0) {
+ si_applet_cant_get(si);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
+ }
+
+ /* End of data: commit the total strings and return. */
+@@ -3732,7 +3732,7 @@ __LJMP static int hlua_applet_tcp_recv_yield(lua_State *L, int status, lua_KCont
+ luaL_addlstring(&appctx->b, blk2, len2);
+ co_skip(si_oc(si), len1 + len2);
+ si_applet_cant_get(si);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
+
+ } else {
+
+@@ -3756,7 +3756,7 @@ __LJMP static int hlua_applet_tcp_recv_yield(lua_State *L, int status, lua_KCont
+ lua_pushinteger(L, len);
+ lua_replace(L, 2);
+ si_applet_cant_get(si);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
+ }
+
+ /* return the result. */
+@@ -3825,7 +3825,7 @@ __LJMP static int hlua_applet_tcp_send_yield(lua_State *L, int status, lua_KCont
+ */
+ if (l < len) {
+ si_applet_cant_put(si);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_send_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_send_yield, TICK_ETERNITY, 0));
+ }
+
+ return 1;
+@@ -4122,7 +4122,7 @@ __LJMP static int hlua_applet_http_getline_yield(lua_State *L, int status, lua_K
+ */
+ if (ret == -1) {
+ si_applet_cant_put(si);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0));
+ }
+ appctx->appctx->ctx.hlua_apphttp.flags &= ~APPLET_100C;
+ }
+@@ -4139,7 +4139,7 @@ __LJMP static int hlua_applet_http_getline_yield(lua_State *L, int status, lua_K
+ /* Data not yet avalaible. return yield. */
+ if (ret == 0) {
+ si_applet_cant_get(si);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0));
+ }
+
+ /* End of data: commit the total strings and return. */
+@@ -4208,7 +4208,7 @@ __LJMP static int hlua_applet_http_recv_yield(lua_State *L, int status, lua_KCon
+ */
+ if (ret == -1) {
+ si_applet_cant_put(si);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
+ }
+ appctx->appctx->ctx.hlua_apphttp.flags &= ~APPLET_100C;
+ }
+@@ -4219,7 +4219,7 @@ __LJMP static int hlua_applet_http_recv_yield(lua_State *L, int status, lua_KCon
+ /* Data not yet avalaible. return yield. */
+ if (ret == 0) {
+ si_applet_cant_get(si);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
+ }
+
+ /* End of data: commit the total strings and return. */
+@@ -4254,7 +4254,7 @@ __LJMP static int hlua_applet_http_recv_yield(lua_State *L, int status, lua_KCon
+ lua_pushinteger(L, len);
+ lua_replace(L, 2);
+ si_applet_cant_get(si);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
+ }
+
+ /* return the result. */
+@@ -4320,7 +4320,7 @@ __LJMP static int hlua_applet_http_send_yield(lua_State *L, int status, lua_KCon
+ */
+ if (l < len) {
+ si_applet_cant_put(si);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_send_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_send_yield, TICK_ETERNITY, 0));
+ }
+
+ return 1;
+@@ -4460,7 +4460,7 @@ __LJMP static int hlua_applet_http_start_response_yield(lua_State *L, int status
+ /* If ret is -1, we dont have room in the buffer, so we yield. */
+ if (ret == -1) {
+ si_applet_cant_put(si);
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_start_response_yield, TICK_ETERNITY, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_start_response_yield, TICK_ETERNITY, 0));
+ }
+
+ /* Headers sent, set the flag. */
+@@ -5510,7 +5510,7 @@ __LJMP static int hlua_sleep_yield(lua_State *L, int status, lua_KContext ctx)
+ {
+ int wakeup_ms = lua_tointeger(L, -1);
+ if (now_ms < wakeup_ms)
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
+ return 0;
+ }
+
+@@ -5525,7 +5525,7 @@ __LJMP static int hlua_sleep(lua_State *L)
+ wakeup_ms = tick_add(now_ms, delay);
+ lua_pushinteger(L, wakeup_ms);
+
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
+ return 0;
+ }
+
+@@ -5540,7 +5540,7 @@ __LJMP static int hlua_msleep(lua_State *L)
+ wakeup_ms = tick_add(now_ms, delay);
+ lua_pushinteger(L, wakeup_ms);
+
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
+ return 0;
+ }
+
+@@ -5555,7 +5555,7 @@ __LJMP static int hlua_yield_yield(lua_State *L, int status, lua_KContext ctx)
+
+ __LJMP static int hlua_yield(lua_State *L)
+ {
+- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_yield_yield, TICK_ETERNITY, HLUA_CTRLYIELD));
++ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_yield_yield, TICK_ETERNITY, HLUA_CTRLYIELD));
+ return 0;
+ }
+
--- /dev/null
+commit 8019e88dd1ac73a3baa71e9acfbc1b7a3fbc7442
+Author: Willy Tarreau <w@1wt.eu>
+Date: Tue Oct 16 17:37:12 2018 +0200
+
+ BUILD: lua: silence some compiler warnings about potential null derefs (#2)
+
+ Here we make sure that appctx is always taken from the unchecked value
+ since we know it's an appctx, which explains why it's immediately
+ dereferenced. A missing test was added to ensure that task_new() does
+ not return a NULL.
+
+ This may be backported to 1.8.
+
+ (cherry picked from commit e09101e8d92b0c0ef8674fbc791e309112ab7f1c)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/hlua.c b/src/hlua.c
+index 64102e8a..ad9238ef 100644
+--- a/src/hlua.c
++++ b/src/hlua.c
+@@ -2361,7 +2361,7 @@ __LJMP static int hlua_socket_connect_yield(struct lua_State *L, int status, lua
+ return 2;
+ }
+
+- appctx = objt_appctx(s->si[0].end);
++ appctx = __objt_appctx(s->si[0].end);
+
+ /* Check for connection established. */
+ if (appctx->ctx.hlua_cosocket.connected) {
+@@ -2473,7 +2473,7 @@ __LJMP static int hlua_socket_connect(struct lua_State *L)
+ }
+
+ hlua = hlua_gethlua(L);
+- appctx = objt_appctx(s->si[0].end);
++ appctx = __objt_appctx(s->si[0].end);
+
+ /* inform the stream that we want to be notified whenever the
+ * connection completes.
+@@ -5693,6 +5693,9 @@ static int hlua_register_task(lua_State *L)
+ WILL_LJMP(luaL_error(L, "lua out of memory error."));
+
+ task = task_new(MAX_THREADS_MASK);
++ if (!task)
++ WILL_LJMP(luaL_error(L, "Lua out of memory error."));
++
+ task->context = hlua;
+ task->process = hlua_process_task;
+
--- /dev/null
+commit 3f39e1d4b5ca37e57247034421c69bc301d996b2
+Author: Willy Tarreau <w@1wt.eu>
+Date: Tue Oct 16 17:57:36 2018 +0200
+
+ BUILD: lua: silence some compiler warnings after WILL_LJMP
+
+ These ones are on error paths that are properly handled by luaL_error()
+ which does a longjmp() but the compiler cannot know it. By adding an
+ __unreachable() statement in WILL_LJMP(), there is no ambiguity anymore.
+
+ This may be backported to 1.8 but these previous patches are needed first :
+ - BUILD: compiler: add a new statement "__unreachable()"
+ - MINOR: lua: all functions calling lua_yieldk() may return
+ - BUILD: lua: silence some compiler warnings about potential null derefs (#2)
+
+ (cherry picked from commit b059b894cdf795f134b6e53ff95ea7f907feb846)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/hlua.c b/src/hlua.c
+index ad9238ef..c3bb269a 100644
+--- a/src/hlua.c
++++ b/src/hlua.c
+@@ -24,6 +24,7 @@
+ #include <ebpttree.h>
+
+ #include <common/cfgparse.h>
++#include <common/compiler.h>
+ #include <common/xref.h>
+ #include <common/hathreads.h>
+
+@@ -63,7 +64,7 @@
+ * MAY_LJMP() marks an lua function that may use longjmp.
+ */
+ #define __LJMP
+-#define WILL_LJMP(func) func
++#define WILL_LJMP(func) do { func; __unreachable(); } while(0)
+ #define MAY_LJMP(func) func
+
+ /* This couple of function executes securely some Lua calls outside of
--- /dev/null
+commit b884ba5222a765b395e8ac93971639a0452d6422
+Author: Dirkjan Bussink <d.bussink@gmail.com>
+Date: Fri Sep 14 14:31:22 2018 +0200
+
+ CLEANUP: stick-tables: Remove unneeded double (()) around conditional clause
+
+ In the past this conditional had multiple conditionals which is why the
+ additional parentheses were needed. The conditional was simplified but
+ the duplicate parentheses were not cleaned up.
+
+ (cherry picked from commit ff57f1bbcf8af1e6389520aa845df5aa97ef55b6)
+ [wt: fixes build warnings with clang]
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/stick_table.c b/src/stick_table.c
+index 653a1ffb..f1442603 100644
+--- a/src/stick_table.c
++++ b/src/stick_table.c
+@@ -1860,7 +1860,7 @@ smp_fetch_sc_tracked(const struct arg *args, struct sample *smp, const char *kw,
+ smp->data.u.sint = !!stkctr;
+
+ /* release the ref count */
+- if ((stkctr == &tmpstkctr))
++ if (stkctr == &tmpstkctr)
+ stktable_release(stkctr->table, stkctr_entry(stkctr));
+
+ return 1;
--- /dev/null
+commit 0820ab24974cd2bad84c8ec5a90f7ce0e1681cf0
+Author: Willy Tarreau <w@1wt.eu>
+Date: Wed Oct 3 09:40:22 2018 +0200
+
+ BUILD: Makefile: add a "make opts" target to simply show the build options
+
+ We're often missing an easy way to map input variables to output ones.
+ The "opts" build target will simply show the input variables and the ones
+ passed to the compiler and linker. This way it's easier to quickly see
+ what a given build script or package will use, or the detected warnings
+ supported by the compiler.
+
+ (cherry picked from commit a8b12c6bb73b924f6429c3ae4d20b96992e92c2e)
+ [wt: this is not needed but significantly helps for packaging]
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/Makefile b/Makefile
+index 5d170041..d3615060 100644
+--- a/Makefile
++++ b/Makefile
+@@ -996,3 +996,20 @@ update-version:
+ echo "$(VERSION)" > VERSION
+ echo "$(SUBVERS)" > SUBVERS
+ echo "$(VERDATE)" > VERDATE
++
++# just display the build options
++opts:
++ @echo -n 'Using: '
++ @echo -n 'TARGET="$(strip $(TARGET))" '
++ @echo -n 'ARCH="$(strip $(ARCH))" '
++ @echo -n 'CPU="$(strip $(CPU))" '
++ @echo -n 'CC="$(strip $(CC))" '
++ @echo -n 'ARCH_FLAGS="$(strip $(ARCH_FLAGS))" '
++ @echo -n 'CPU_CFLAGS="$(strip $(CPU_CFLAGS))" '
++ @echo -n 'DEBUG_CFLAGS="$(strip $(DEBUG_CFLAGS))" '
++ @echo "$(strip $(BUILD_OPTIONS))"
++ @echo 'COPTS="$(strip $(COPTS))"'
++ @echo 'LDFLAGS="$(strip $(LDFLAGS))"'
++ @echo 'LDOPTS="$(strip $(LDOPTS))"'
++ @echo 'OPTIONS_OBJS="$(strip $(OPTIONS_OBJS))"'
++ @echo 'OBJS="$(strip $(OBJS))"'
--- /dev/null
+commit 5df1480da4c4e58830d108f4f0f3347598c55ab3
+Author: Willy Tarreau <w@1wt.eu>
+Date: Wed Oct 3 09:52:51 2018 +0200
+
+ BUILD: Makefile: speed up compiler options detection
+
+ Commits b78016649 and d3a7f4035 brought the ability to detect the build
+ options and warnings that the compiler supports. However, they're detected
+ using "$(CC) -c", which is 50% slower than "$(CC) -E" for the same result,
+ just because it starts the assembler at the end. Given that we're starting
+ to check for a number of warnings, this detection alone starts to become
+ visible, taking a bit more than 300 ms on the build time. Let's switch to
+ -E instead to shrink this incompressible time by roughly 100 ms.
+
+ (cherry picked from commit f11ca5e7a43c772637018ec2ad981a9fd7d3816f)
+ [wt: only backported for context and consistency with next patch]
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/Makefile b/Makefile
+index d3615060..1a971f92 100644
+--- a/Makefile
++++ b/Makefile
+@@ -96,13 +96,13 @@
+ # Usage: CFLAGS += $(call cc-opt,option). Eg: $(call cc-opt,-fwrapv)
+ # Note: ensure the referencing variable is assigned using ":=" and not "=" to
+ # call it only once.
+-cc-opt = $(shell set -e; if $(CC) $(1) -c -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; fi;)
++cc-opt = $(shell set -e; if $(CC) $(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; fi;)
+
+ # Disable a warning when supported by the compiler. Don't put spaces around the
+ # warning! And don't use cc-opt which doesn't always report an error until
+ # another one is also returned.
+ # Usage: CFLAGS += $(call cc-nowarn,warning). Eg: $(call cc-opt,format-truncation)
+-cc-nowarn = $(shell set -e; if $(CC) -W$(1) -c -xc - -o /dev/null </dev/null >&0 2>&0; then echo "-Wno-$(1)"; fi;)
++cc-nowarn = $(shell set -e; if $(CC) -W$(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "-Wno-$(1)"; fi;)
+
+ #### Installation options.
+ DESTDIR =
--- /dev/null
+commit a7e9853db925b12b1d040be8b04bafc11d84d685
+Author: Willy Tarreau <w@1wt.eu>
+Date: Tue Oct 16 18:11:34 2018 +0200
+
+ BUILD: Makefile: silence an option conflict warning with clang
+
+ clang complains that -fno-strict-overflow is not used when -fwrapv is
+ used, which breaks the build when -Werror is used. Let's introduce a
+ cc-opt-alt function to emit the former only then the latter is not
+ supported (since it implies the former).
+
+ (cherry picked from commit 0d7a2ae4f5199ec37ead6914fa24d40ec0989a4d)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/Makefile b/Makefile
+index 1a971f92..6ffc1b06 100644
+--- a/Makefile
++++ b/Makefile
+@@ -98,6 +98,9 @@
+ # call it only once.
+ cc-opt = $(shell set -e; if $(CC) $(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; fi;)
+
++# same but emits $2 if $1 is not supported
++cc-opt-alt = $(shell set -e; if $(CC) $(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; else echo "$(2)"; fi;)
++
+ # Disable a warning when supported by the compiler. Don't put spaces around the
+ # warning! And don't use cc-opt which doesn't always report an error until
+ # another one is also returned.
+@@ -147,8 +150,7 @@ DEBUG_CFLAGS = -g
+ # can do whatever it wants since it's an undefined behavior, so use -fwrapv
+ # to be sure we get the intended behavior.
+ SPEC_CFLAGS := -fno-strict-aliasing -Wdeclaration-after-statement
+-SPEC_CFLAGS += $(call cc-opt,-fwrapv)
+-SPEC_CFLAGS += $(call cc-opt,-fno-strict-overflow)
++SPEC_CFLAGS += $(call cc-opt-alt,-fwrapv,$(call cc-opt,-fno-strict-overflow))
+ SPEC_CFLAGS += $(call cc-nowarn,format-truncation)
+ SPEC_CFLAGS += $(call cc-nowarn,address-of-packed-member)
+ SPEC_CFLAGS += $(call cc-nowarn,null-dereference)
--- /dev/null
+commit 541e3b40b394fb6bde563ff8ce4c882dafca4eb1
+Author: Olivier Houchard <ohouchard@haproxy.com>
+Date: Tue Oct 16 18:35:01 2018 +0200
+
+ MINOR: server: Use memcpy() instead of strncpy().
+
+ Use memcpy instead of strncpy, strncpy buys us nothing, and gcc is being
+ annoying.
+
+ (cherry picked from commit 17f8b90736d811ac9a04af198a3aee34e9935cec)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/server.c b/src/server.c
+index 4941bd03..208f21da 100644
+--- a/src/server.c
++++ b/src/server.c
+@@ -3078,7 +3078,7 @@ void apply_server_state(void)
+ globalfilepathlen = 0;
+ goto globalfileerror;
+ }
+- strncpy(globalfilepath, global.server_state_base, len);
++ memcpy(globalfilepath, global.server_state_base, len);
+ globalfilepath[globalfilepathlen] = 0;
+
+ /* append a slash if needed */
+@@ -3147,7 +3147,7 @@ void apply_server_state(void)
+ localfilepathlen = 0;
+ goto localfileerror;
+ }
+- strncpy(localfilepath, global.server_state_base, len);
++ memcpy(localfilepath, global.server_state_base, len);
+ localfilepath[localfilepathlen] = 0;
+
+ /* append a slash if needed */
--- /dev/null
+commit 1993e23d59e37ee7befbc64bf1535640a16354bc
+Author: Olivier Houchard <ohouchard@haproxy.com>
+Date: Tue Oct 16 18:39:38 2018 +0200
+
+ MINOR: cfgparse: Write 130 as 128 as 0x82 and 0x80.
+
+ Write 130 and 128 as 8x82 and 0x80, to avoid warnings about casting from
+ int to size. "check_req" should probably be unsigned, but it's hard to do so.
+
+ (cherry picked from commit 3332090a2d3e9e84bac67af79fb03be111359429)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/cfgparse.c b/src/cfgparse.c
+index 7414b60d..87a4d803 100644
+--- a/src/cfgparse.c
++++ b/src/cfgparse.c
+@@ -5082,7 +5082,7 @@ stats_error_parsing:
+ ((unsigned char) (packetlen >> 16) & 0xff));
+
+ curproxy->check_req[3] = 1;
+- curproxy->check_req[5] = 130;
++ curproxy->check_req[5] = 0x82; // 130
+ curproxy->check_req[11] = 1;
+ curproxy->check_req[12] = 33;
+ memcpy(&curproxy->check_req[36], mysqluser, userlen);
+@@ -5108,7 +5108,7 @@ stats_error_parsing:
+ ((unsigned char) (packetlen >> 16) & 0xff));
+
+ curproxy->check_req[3] = 1;
+- curproxy->check_req[5] = 128;
++ curproxy->check_req[5] = 0x80;
+ curproxy->check_req[8] = 1;
+ memcpy(&curproxy->check_req[9], mysqluser, userlen);
+ curproxy->check_req[9 + userlen + 1 + 1] = 1;
--- /dev/null
+commit 0d31b8e1dae2bd0ad73c90748a03f9cfeed837d8
+Author: Olivier Houchard <ohouchard@haproxy.com>
+Date: Tue Oct 16 18:49:26 2018 +0200
+
+ MINOR: peers: use defines instead of enums to appease clang.
+
+ Clang (rightfully) warns that we're trying to set chars to values >= 128.
+ Use defines with hex values instead of an enum to address this.
+
+ (cherry picked from commit 33992267aac00d7e8ae67e0703bf7fffc9cf9b54)
+ Signed-off-by: Willy Tarreau <w@1wt.eu>
+
+diff --git a/src/peers.c b/src/peers.c
+index 0cd56da3..465ffe85 100644
+--- a/src/peers.c
++++ b/src/peers.c
+@@ -122,15 +122,13 @@ enum {
+ /* Note: ids >= 128 contains */
+ /* id message cotains data */
+ /*******************************/
+-enum {
+- PEER_MSG_STKT_UPDATE = 128,
+- PEER_MSG_STKT_INCUPDATE,
+- PEER_MSG_STKT_DEFINE,
+- PEER_MSG_STKT_SWITCH,
+- PEER_MSG_STKT_ACK,
+- PEER_MSG_STKT_UPDATE_TIMED,
+- PEER_MSG_STKT_INCUPDATE_TIMED,
+-};
++#define PEER_MSG_STKT_UPDATE 0x80
++#define PEER_MSG_STKT_INCUPDATE 0x81
++#define PEER_MSG_STKT_DEFINE 0x82
++#define PEER_MSG_STKT_SWITCH 0x83
++#define PEER_MSG_STKT_ACK 0x84
++#define PEER_MSG_STKT_UPDATE_TIMED 0x85
++#define PEER_MSG_STKT_INCUPDATE_TIMED 0x86
+
+ /**********************************/
+ /* Peer Session IO handler states */
PKG_NAME:=isc-dhcp
UPSTREAM_NAME:=dhcp
PKG_VERSION:=4.4.1
-PKG_RELEASE:=2
+PKG_RELEASE:=3
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/dhcrelay $(1)/usr/sbin
$(INSTALL_DIR) $(1)/etc/config
- $(INSTALL_DATA) ./files/dhcrelay.conf $(1)/etc/config
+ $(INSTALL_DATA) ./files/dhcrelay.conf $(1)/etc/config/dhcrelay
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/dhcrelay4.init $(1)/etc/init.d/dhcrelay4
endef
# - Check and update kmod dependencies when necessary (runtime module load check in the least)
#
PKG_NAME:=openvswitch
-PKG_VERSION:=2.10.0
-PKG_RELEASE:=4
+PKG_VERSION:=2.10.1
+PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://www.openvswitch.org/releases/
-PKG_HASH:=64f7cdcfffc73b2e09980d04ee22731eadd6453698b92d7397c9e45c7c174050
+PKG_HASH:=4f93c764295952848a924271250d7c6a6a53747d0019ef6ff880aa8ea6897c80
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE
include $(TOPDIR)/rules.mk
PKG_NAME:=hdparm
-PKG_VERSION:=9.57
+PKG_VERSION:=9.58
PKG_RELEASE:=1
PKG_USE_MIPS16:=0
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=@SF/$(PKG_NAME)
-PKG_HASH:=9d568db955a5428797f0b1677ef7cc8bab7756c6e7ff39f6c4a2b2c3640fe870
+PKG_HASH:=9ae78e883f3ce071d32ee0f1b9a2845a634fc4dd94a434e653fdbef551c5e10f
-PKG_MAINTAINER:=Richard Kunze <richard.kunze@web.de>
+PKG_MAINTAINER:=Rosen Penev <rosenp@gmail.com>
PKG_LICENSE:=BSD-Style Open Source License
include $(INCLUDE_DIR)/package.mk