include $(TOPDIR)/rules.mk
PKG_NAME:=haproxy
-PKG_VERSION:=1.8.14
-PKG_RELEASE:=5
+PKG_VERSION:=1.8.15
+PKG_RELEASE:=1
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://www.haproxy.org/download/1.8/src/
-PKG_HASH:=b17e402578be85e58af7a3eac99b1f675953bea9f67af2e964cf8bdbd1bd3fdf
+PKG_HASH:=7113862f1146d7de8b8e64f45826ab3533c7f7f7b7767e24c08f7c762202a032
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
PKG_LICENSE:=GPL-2.0
#!/bin/bash
CLONEURL=http://git.haproxy.org/git/haproxy-1.8.git
-BASE_TAG=v1.8.14
+BASE_TAG=v1.8.15
TMP_REPODIR=tmprepo
PATCHESDIR=patches
+++ /dev/null
-commit 14844e448b637fea2770bcb03a43a010c4c8176d
-Author: Olivier Houchard <ohouchard@haproxy.com>
-Date: Thu Sep 27 14:55:34 2018 +0200
-
- MINOR: threads: Make sure threads_sync_pipe is initialized before using it.
-
- thread_want_sync() might be called before thread_sync_init() was called,
- at least when reading the server state file, as apply_server_state() is called
- before thread_sync_init(). So make sure the threads_sync_pipe was initialized
- before writing to it, if it was not, there's no thread, so no need to sync
- anything anyway, and if we don't check it we'll end up writing a 'S' on
- stdin.
-
- this only applies to 1.8.
-
-diff --git a/src/hathreads.c b/src/hathreads.c
-index 97ed31c5..9dba4356 100644
---- a/src/hathreads.c
-+++ b/src/hathreads.c
-@@ -28,7 +28,7 @@ void thread_sync_io_handler(int fd)
- #ifdef USE_THREAD
-
- static HA_SPINLOCK_T sync_lock;
--static int threads_sync_pipe[2];
-+static int threads_sync_pipe[2] = {-1, -1};
- static unsigned long threads_want_sync = 0;
- volatile unsigned long threads_want_rdv_mask = 0;
- volatile unsigned long threads_harmless_mask = 0;
-@@ -76,7 +76,8 @@ void thread_want_sync()
- if (all_threads_mask & (all_threads_mask - 1)) {
- if (threads_want_sync & tid_bit)
- return;
-- if (HA_ATOMIC_OR(&threads_want_sync, tid_bit) == tid_bit)
-+ if (HA_ATOMIC_OR(&threads_want_sync, tid_bit) == tid_bit &&
-+ threads_sync_pipe[1] != -1)
- shut_your_big_mouth_gcc(write(threads_sync_pipe[1], "S", 1));
- }
- else {
+++ /dev/null
-commit 18aff2297ce844362f28ea5317c289ba154bd33d
-Author: Lukas Tribus <lukas@ltri.eu>
-Date: Mon Oct 1 02:00:16 2018 +0200
-
- DOC: clarify force-private-cache is an option
-
- "boolean" may confuse users into thinking they need to provide
- additional arguments, like false or true. This is a simple option
- like many others, so lets not confuse the users with internals.
-
- Also fixes an additional typo.
-
- Should be backported to 1.8 and 1.7.
-
- (cherry picked from commit 2793578eaf934bbf28f742a35f3a1ae656280324)
- Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index c69033b1..580194ec 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -1651,7 +1651,7 @@ tune.ssl.cachesize <number>
- this value to 0 disables the SSL session cache.
-
- tune.ssl.force-private-cache
-- This boolean disables SSL session cache sharing between all processes. It
-+ This option disables SSL session cache sharing between all processes. It
- should normally not be used since it will force many renegotiations due to
- clients hitting a random process. But it may be required on some operating
- systems where none of the SSL cache synchronization method may be used. In
-@@ -6535,7 +6535,7 @@ option smtpchk <hello> <domain>
- yes | no | yes | yes
- Arguments :
- <hello> is an optional argument. It is the "hello" command to use. It can
-- be either "HELO" (for SMTP) or "EHLO" (for ESTMP). All other
-+ be either "HELO" (for SMTP) or "EHLO" (for ESMTP). All other
- values will be turned into the default command ("HELO").
-
- <domain> is the domain name to present to the server. It may only be
+++ /dev/null
-commit f6d20e718131aa2b468ff0a6c42e20c0b900e58b
-Author: Ilya Shipitsin <chipitsine@gmail.com>
-Date: Sat Sep 15 00:50:05 2018 +0500
-
- BUG/MINOR: connection: avoid null pointer dereference in send-proxy-v2
-
- found by coverity.
-
- [wt: this bug was introduced by commit 404d978 ("MINOR: add ALPN
- information to send-proxy-v2"). It might be triggered by a health
- check on a server using ppv2 or by an applet making use of such a
- server, if at all configurable].
-
- This needs to be backported to 1.8.
-
- (cherry picked from commit ca56fce8bd271928b18d38b439bd35bd273fe8d4)
- Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
-
-diff --git a/src/connection.c b/src/connection.c
-index 8c5af156..7403e8ae 100644
---- a/src/connection.c
-+++ b/src/connection.c
-@@ -874,6 +874,7 @@ int conn_recv_netscaler_cip(struct connection *conn, int flag)
- return 0;
- }
-
-+/* Note: <remote> is explicitly allowed to be NULL */
- int make_proxy_line(char *buf, int buf_len, struct server *srv, struct connection *remote)
- {
- int ret = 0;
-@@ -985,6 +986,7 @@ static int make_tlv(char *dest, int dest_len, char type, uint16_t length, const
- return length + sizeof(*tlv);
- }
-
-+/* Note: <remote> is explicitly allowed to be NULL */
- int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connection *remote)
- {
- const char pp2_signature[] = PP2_SIGNATURE;
-@@ -1060,7 +1062,7 @@ int make_proxy_line_v2(char *buf, int buf_len, struct server *srv, struct connec
- }
- }
-
-- if (conn_get_alpn(remote, &value, &value_len)) {
-+ if (remote && conn_get_alpn(remote, &value, &value_len)) {
- if ((buf_len - ret) < sizeof(struct tlv))
- return 0;
- ret += make_tlv(&buf[ret], (buf_len - ret), PP2_TYPE_ALPN, value_len, value);
+++ /dev/null
-commit e725a7f9bfd8b7fe2e74c62c7c6bf2b9ebf83772
-Author: Willy Tarreau <w@1wt.eu>
-Date: Wed Oct 3 10:20:19 2018 +0200
-
- BUG/MINOR: backend: check that the mux installed properly
-
- The return value from conn_install_mux() was not checked, so if an
- inconsistency happens in the code, or a memory allocation fails while
- initializing the mux, we can crash while using an uninitialized mux.
- In practice the code inconsistency does not really happen since we
- cannot configure such a situation, except during development, but
- the out of memory condition could definitely happen.
-
- This should be backported to 1.8 (the code is a bit different there,
- there are two calls to conn_install_mux()).
-
- (cherry picked from commit 33dd4ef81245bb868b22f99b9be45d0791131eec)
- Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
-
-diff --git a/src/backend.c b/src/backend.c
-index 2b6167dc..fc1eac0d 100644
---- a/src/backend.c
-+++ b/src/backend.c
-@@ -1163,7 +1163,8 @@ int connect_server(struct stream *s)
- if (srv) {
- conn_prepare(srv_conn, protocol_by_family(srv_conn->addr.to.ss_family), srv->xprt);
- /* XXX: Pick the right mux, when we finally have one */
-- conn_install_mux(srv_conn, &mux_pt_ops, srv_cs);
-+ if (conn_install_mux(srv_conn, &mux_pt_ops, srv_cs) < 0)
-+ return SF_ERR_INTERNAL;
- }
- else if (obj_type(s->target) == OBJ_TYPE_PROXY) {
- /* proxies exclusively run on raw_sock right now */
-@@ -1171,7 +1172,8 @@ int connect_server(struct stream *s)
- if (!objt_cs(s->si[1].end) || !objt_cs(s->si[1].end)->conn->ctrl)
- return SF_ERR_INTERNAL;
- /* XXX: Pick the right mux, when we finally have one */
-- conn_install_mux(srv_conn, &mux_pt_ops, srv_cs);
-+ if (conn_install_mux(srv_conn, &mux_pt_ops, srv_cs) < 0)
-+ return SF_ERR_INTERNAL;
- }
- else
- return SF_ERR_INTERNAL; /* how did we get there ? */
+++ /dev/null
-commit 45e9f3c660c872e93588cf1c0b74c192f2c8c3d5
-Author: Olivier Houchard <ohouchard@haproxy.com>
-Date: Wed Sep 26 15:09:58 2018 +0200
-
- BUG/MEDIUM: buffers: Make sure we don't wrap in buffer_insert_line2/replace2.
-
- In buffer_insert_line2() and buffer_replace2(), we can't afford to wrap,
- so don't use b_tail to check if we do, directly use b->p + b->i instead.
-
- This should be backported to previous versions.
-
- (cherry picked from commit 363c745569b6ffd8f095d2b7758131d08aa27219)
- Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
-
- [cf: This patch was adapted and its commit message too. Because of the
- refactoring of the buffer's API in 1.9, the original patch fixes same bug in
- ci_insert_line2/b_rep_blk.]
-
-diff --git a/src/buffer.c b/src/buffer.c
-index 167b75ae..6ad38a02 100644
---- a/src/buffer.c
-+++ b/src/buffer.c
-@@ -107,7 +107,7 @@ int buffer_replace2(struct buffer *b, char *pos, char *end, const char *str, int
-
- delta = len - (end - pos);
-
-- if (bi_end(b) + delta > b->data + b->size)
-+ if (b->p + b->i + delta > b->data + b->size)
- return 0; /* no space left */
-
- if (buffer_not_empty(b) &&
-@@ -146,7 +146,7 @@ int buffer_insert_line2(struct buffer *b, char *pos, const char *str, int len)
-
- delta = len + 2;
-
-- if (bi_end(b) + delta >= b->data + b->size)
-+ if (b->p + b->i + delta >= b->data + b->size)
- return 0; /* no space left */
-
- if (buffer_not_empty(b) &&
+++ /dev/null
-commit 4be76416751aa22992a44f2f5cfdba506809fd89
-Author: Dirkjan Bussink <d.bussink@gmail.com>
-Date: Fri Sep 14 11:14:21 2018 +0200
-
- MEDIUM: ssl: add support for ciphersuites option for TLSv1.3
-
- OpenSSL released support for TLSv1.3. It also added a separate function
- SSL_CTX_set_ciphersuites that is used to set the ciphers used in the
- TLS 1.3 handshake. This change adds support for that new configuration
- option by adding a ciphersuites configuration variable that works
- essentially the same as the existing ciphers setting.
-
- Note that it should likely be backported to 1.8 in order to ease usage
- of the now released openssl-1.1.1.
-
- (cherry picked from commit 415150f7640b06740fa832363d186c5c6565338e)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index 580194ec..7a268386 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -580,8 +580,10 @@ The following keywords are supported in the "global" section :
- - setenv
- - stats
- - ssl-default-bind-ciphers
-+ - ssl-default-bind-ciphersuites
- - ssl-default-bind-options
- - ssl-default-server-ciphers
-+ - ssl-default-server-ciphersuites
- - ssl-default-server-options
- - ssl-dh-param-file
- - ssl-server-verify
-@@ -984,11 +986,25 @@ setenv <name> <value>
- ssl-default-bind-ciphers <ciphers>
- This setting is only available when support for OpenSSL was built in. It sets
- the default string describing the list of cipher algorithms ("cipher suite")
-- that are negotiated during the SSL/TLS handshake for all "bind" lines which
-- do not explicitly define theirs. The format of the string is defined in
-- "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such
-- as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the
-- "bind" keyword for more information.
-+ that are negotiated during the SSL/TLS handshake except for TLSv1.3 for all
-+ "bind" lines which do not explicitly define theirs. The format of the string
-+ is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance
-+ a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). For
-+ TLSv1.3 cipher configuration, please check the "ssl-default-bind-ciphersuites"
-+ keyword. Please check the "bind" keyword for more information.
-+
-+ssl-default-bind-ciphersuites <ciphersuites>
-+ This setting is only available when support for OpenSSL was built in and
-+ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default string
-+ describing the list of cipher algorithms ("cipher suite") that are negotiated
-+ during the TLSv1.3 handshake for all "bind" lines which do not explicitly define
-+ theirs. The format of the string is defined in
-+ "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites", and can
-+ be for instance a string such as
-+ "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
-+ (without quotes). For cipher configuration for TLSv1.2 and earlier, please check
-+ the "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
-+ information.
-
- ssl-default-bind-options [<option>]...
- This setting is only available when support for OpenSSL was built in. It sets
-@@ -1002,10 +1018,21 @@ ssl-default-bind-options [<option>]...
- ssl-default-server-ciphers <ciphers>
- This setting is only available when support for OpenSSL was built in. It
- sets the default string describing the list of cipher algorithms that are
-- negotiated during the SSL/TLS handshake with the server, for all "server"
-- lines which do not explicitly define theirs. The format of the string is
-- defined in "man 1 ciphers". Please check the "server" keyword for more
-- information.
-+ negotiated during the SSL/TLS handshake except for TLSv1.3 with the server,
-+ for all "server" lines which do not explicitly define theirs. The format of
-+ the string is defined in "man 1 ciphers". For TLSv1.3 cipher configuration,
-+ please check the "ssl-default-server-ciphersuites" keyword. Please check the
-+ "server" keyword for more information.
-+
-+ssl-default-server-ciphersuites <ciphersuites>
-+ This setting is only available when support for OpenSSL was built in and
-+ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the default
-+ string describing the list of cipher algorithms that are negotiated during
-+ the TLSv1.3 handshake with the server, for all "server" lines which do not
-+ explicitly define theirs. The format of the string is defined in
-+ "man 1 ciphers" under the "ciphersuites" section. For cipher configuration for
-+ TLSv1.2 and earlier, please check the "ssl-default-server-ciphers" keyword.
-+ Please check the "server" keyword for more information.
-
- ssl-default-server-options [<option>]...
- This setting is only available when support for OpenSSL was built in. It sets
-@@ -10510,13 +10537,26 @@ ca-sign-pass <passphrase>
- ciphers <ciphers>
- This setting is only available when support for OpenSSL was built in. It sets
- the string describing the list of cipher algorithms ("cipher suite") that are
-- negotiated during the SSL/TLS handshake. The format of the string is defined
-- in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string
-- such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes).
-- Depending on the compatibility and security requirements, the list of suitable
-- ciphers depends on a variety of variables. For background information and
-- recommendations see e. g. (https://wiki.mozilla.org/Security/Server_Side_TLS)
-- and (https://mozilla.github.io/server-side-tls/ssl-config-generator/).
-+ negotiated during the SSL/TLS handshake except for TLSv1.3. The format of the
-+ string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for
-+ instance a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without
-+ quotes). Depending on the compatibility and security requirements, the list
-+ of suitable ciphers depends on a variety of variables. For background
-+ information and recommendations see e.g.
-+ (https://wiki.mozilla.org/Security/Server_Side_TLS) and
-+ (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For TLSv1.3
-+ cipher configuration, please check the "ciphersuites" keyword.
-+
-+ciphersuites <ciphersuites>
-+ This setting is only available when support for OpenSSL was built in and
-+ OpenSSL 1.1.1 or later was used to build HAProxy. It sets the string describing
-+ the list of cipher algorithms ("cipher suite") that are negotiated during the
-+ TLSv1.3 handshake. The format of the string is defined in "man 1 ciphers" from
-+ OpenSSL man pages under the "ciphersuites" section, and can be for instance a
-+ string such as
-+ "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
-+ (without quotes). For cipher configuration for TLSv1.2 and earlier, please check
-+ the "ciphers" keyword.
-
- crl-file <crlfile>
- This setting is only available when support for OpenSSL was built in. It
-@@ -11226,8 +11266,9 @@ check-ssl
- this option.
-
- ciphers <ciphers>
-- This option sets the string describing the list of cipher algorithms that is
-- is negotiated during the SSL/TLS handshake with the server. The format of the
-+ This setting is only available when support for OpenSSL was built in. This
-+ option sets the string describing the list of cipher algorithms that is
-+ negotiated during the SSL/TLS handshake with the server. The format of the
- string is defined in "man 1 ciphers". When SSL is used to communicate with
- servers on the local network, it is common to see a weaker set of algorithms
- than what is used over the internet. Doing so reduces CPU usage on both the
-@@ -11235,6 +11276,13 @@ ciphers <ciphers>
- Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
- is needed and just connectivity, using DES can be appropriate.
-
-+ciphersuites <ciphersuites>
-+ This setting is only available when support for OpenSSL was built in and
-+ OpenSSL 1.1.1 or later was used to build HAProxy. This option sets the string
-+ describing the list of cipher algorithms that is negotiated during the TLS
-+ 1.3 handshake with the server. The format of the string is defined in
-+ "man 1 ciphers" under the "ciphersuites" section.
-+
- cookie <value>
- The "cookie" parameter sets the cookie value assigned to the server to
- <value>. This value will be checked in incoming requests, and the first
-diff --git a/include/common/defaults.h b/include/common/defaults.h
-index f53c611e..a45ab0da 100644
---- a/include/common/defaults.h
-+++ b/include/common/defaults.h
-@@ -234,11 +234,21 @@
- #define CONNECT_DEFAULT_CIPHERS NULL
- #endif
-
-+/* ciphers used as defaults on TLS 1.3 connect */
-+#ifndef CONNECT_DEFAULT_CIPHERSUITES
-+#define CONNECT_DEFAULT_CIPHERSUITES NULL
-+#endif
-+
- /* ciphers used as defaults on listeners */
- #ifndef LISTEN_DEFAULT_CIPHERS
- #define LISTEN_DEFAULT_CIPHERS NULL
- #endif
-
-+/* cipher suites used as defaults on TLS 1.3 listeners */
-+#ifndef LISTEN_DEFAULT_CIPHERSUITES
-+#define LISTEN_DEFAULT_CIPHERSUITES NULL
-+#endif
-+
- /* named curve used as defaults for ECDHE ciphers */
- #ifndef ECDHE_DEFAULT_CURVE
- #define ECDHE_DEFAULT_CURVE "prime256v1"
-diff --git a/include/types/listener.h b/include/types/listener.h
-index c55569cd..ea2eadb5 100644
---- a/include/types/listener.h
-+++ b/include/types/listener.h
-@@ -128,6 +128,9 @@ struct ssl_bind_conf {
- char *ca_file; /* CAfile to use on verify */
- char *crl_file; /* CRLfile to use on verify */
- char *ciphers; /* cipher suite to use if non-null */
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ char *ciphersuites; /* TLS 1.3 cipher suite to use if non-null */
-+#endif
- char *curves; /* curves suite to use for ECDHE */
- char *ecdhe; /* named curve to use for ECDHE */
- struct tls_version_filter ssl_methods; /* ssl methods */
-diff --git a/include/types/server.h b/include/types/server.h
-index fd3c8bad..79ae7b72 100644
---- a/include/types/server.h
-+++ b/include/types/server.h
-@@ -281,6 +281,9 @@ struct server {
- int allocated_size;
- } * reused_sess;
- char *ciphers; /* cipher suite to use if non-null */
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ char *ciphersuites; /* TLS 1.3 cipher suite to use if non-null */
-+#endif
- int options; /* ssl options */
- int verify; /* verify method (set of SSL_VERIFY_* flags) */
- struct tls_version_filter methods; /* ssl methods */
-diff --git a/src/server.c b/src/server.c
-index 842e4149..4941bd03 100644
---- a/src/server.c
-+++ b/src/server.c
-@@ -1380,6 +1380,10 @@ static void srv_ssl_settings_cpy(struct server *srv, struct server *src)
- srv->ssl_ctx.verify_host = strdup(src->ssl_ctx.verify_host);
- if (src->ssl_ctx.ciphers != NULL)
- srv->ssl_ctx.ciphers = strdup(src->ssl_ctx.ciphers);
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ if (src->ssl_ctx.ciphersuites != NULL)
-+ srv->ssl_ctx.ciphersuites = strdup(src->ssl_ctx.ciphersuites);
-+#endif
- if (src->sni_expr != NULL)
- srv->sni_expr = strdup(src->sni_expr);
- }
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 08fdffab..2da0df68 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -169,6 +169,10 @@ static struct {
-
- char *listen_default_ciphers;
- char *connect_default_ciphers;
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ char *listen_default_ciphersuites;
-+ char *connect_default_ciphersuites;
-+#endif
- int listen_default_ssloptions;
- int connect_default_ssloptions;
- struct tls_version_filter listen_default_sslmethods;
-@@ -186,6 +190,14 @@ static struct {
- #endif
- #ifdef CONNECT_DEFAULT_CIPHERS
- .connect_default_ciphers = CONNECT_DEFAULT_CIPHERS,
-+#endif
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+#ifdef LISTEN_DEFAULT_CIPHERSUITES
-+ .listen_default_ciphersuites = LISTEN_DEFAULT_CIPHERSUITES,
-+#endif
-+#ifdef CONNECT_DEFAULT_CIPHERSUITES
-+ .connect_default_ciphersuites = CONNECT_DEFAULT_CIPHERSUITES,
-+#endif
- #endif
- .listen_default_ssloptions = BC_SSL_O_NONE,
- .connect_default_ssloptions = SRV_SSL_O_NONE,
-@@ -3528,6 +3540,10 @@ void ssl_sock_free_ssl_conf(struct ssl_bind_conf *conf)
- conf->crl_file = NULL;
- free(conf->ciphers);
- conf->ciphers = NULL;
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ free(conf->ciphersuites);
-+ conf->ciphersuites = NULL;
-+#endif
- free(conf->curves);
- conf->curves = NULL;
- free(conf->ecdhe);
-@@ -4061,6 +4077,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
- int verify = SSL_VERIFY_NONE;
- struct ssl_bind_conf __maybe_unused *ssl_conf_cur;
- const char *conf_ciphers;
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ const char *conf_ciphersuites;
-+#endif
- const char *conf_curves = NULL;
-
- if (ssl_conf) {
-@@ -4160,6 +4179,16 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_
- cfgerr++;
- }
-
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ conf_ciphersuites = (ssl_conf && ssl_conf->ciphersuites) ? ssl_conf->ciphersuites : bind_conf->ssl_conf.ciphersuites;
-+ if (conf_ciphersuites &&
-+ !SSL_CTX_set_ciphersuites(ctx, conf_ciphersuites)) {
-+ ha_alert("Proxy '%s': unable to set TLS 1.3 cipher suites to '%s' for bind '%s' at [%s:%d].\n",
-+ curproxy->id, conf_ciphersuites, bind_conf->arg, bind_conf->file, bind_conf->line);
-+ cfgerr++;
-+ }
-+#endif
-+
- #ifndef OPENSSL_NO_DH
- /* If tune.ssl.default-dh-param has not been set,
- neither has ssl-default-dh-file and no static DH
-@@ -4642,6 +4671,16 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
- cfgerr++;
- }
-
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ if (srv->ssl_ctx.ciphersuites &&
-+ !SSL_CTX_set_cipher_list(srv->ssl_ctx.ctx, srv->ssl_ctx.ciphersuites)) {
-+ ha_alert("Proxy '%s', server '%s' [%s:%d] : unable to set TLS 1.3 cipher suites to '%s'.\n",
-+ curproxy->id, srv->id,
-+ srv->conf.file, srv->conf.line, srv->ssl_ctx.ciphersuites);
-+ cfgerr++;
-+ }
-+#endif
-+
- return cfgerr;
- }
-
-@@ -7101,6 +7140,26 @@ static int bind_parse_ciphers(char **args, int cur_arg, struct proxy *px, struct
- {
- return ssl_bind_parse_ciphers(args, cur_arg, px, &conf->ssl_conf, err);
- }
-+
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+/* parse the "ciphersuites" bind keyword */
-+static int ssl_bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct ssl_bind_conf *conf, char **err)
-+{
-+ if (!*args[cur_arg + 1]) {
-+ memprintf(err, "'%s' : missing cipher suite", args[cur_arg]);
-+ return ERR_ALERT | ERR_FATAL;
-+ }
-+
-+ free(conf->ciphersuites);
-+ conf->ciphersuites = strdup(args[cur_arg + 1]);
-+ return 0;
-+}
-+static int bind_parse_ciphersuites(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
-+{
-+ return ssl_bind_parse_ciphersuites(args, cur_arg, px, &conf->ssl_conf, err);
-+}
-+#endif
-+
- /* parse the "crt" bind keyword */
- static int bind_parse_crt(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
- {
-@@ -7492,6 +7551,10 @@ static int bind_parse_ssl(char **args, int cur_arg, struct proxy *px, struct bin
-
- if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
- conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ if (global_ssl.listen_default_ciphersuites && !conf->ssl_conf.ciphersuites)
-+ conf->ssl_conf.ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
-+#endif
- conf->ssl_options |= global_ssl.listen_default_ssloptions;
- conf->ssl_conf.ssl_methods.flags |= global_ssl.listen_default_sslmethods.flags;
- if (!conf->ssl_conf.ssl_methods.min)
-@@ -7689,6 +7752,10 @@ static int srv_parse_check_ssl(char **args, int *cur_arg, struct proxy *px, stru
- newsrv->check.use_ssl = 1;
- if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
- newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites)
-+ newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
-+#endif
- newsrv->ssl_ctx.options |= global_ssl.connect_default_ssloptions;
- newsrv->ssl_ctx.methods.flags |= global_ssl.connect_default_sslmethods.flags;
- if (!newsrv->ssl_ctx.methods.min)
-@@ -7712,6 +7779,21 @@ static int srv_parse_ciphers(char **args, int *cur_arg, struct proxy *px, struct
- return 0;
- }
-
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+/* parse the "ciphersuites" server keyword */
-+static int srv_parse_ciphersuites(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
-+{
-+ if (!*args[*cur_arg + 1]) {
-+ memprintf(err, "'%s' : missing cipher suite", args[*cur_arg]);
-+ return ERR_ALERT | ERR_FATAL;
-+ }
-+
-+ free(newsrv->ssl_ctx.ciphersuites);
-+ newsrv->ssl_ctx.ciphersuites = strdup(args[*cur_arg + 1]);
-+ return 0;
-+}
-+#endif
-+
- /* parse the "crl-file" server keyword */
- static int srv_parse_crl_file(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
- {
-@@ -7853,6 +7935,10 @@ static int srv_parse_ssl(char **args, int *cur_arg, struct proxy *px, struct ser
- newsrv->use_ssl = 1;
- if (global_ssl.connect_default_ciphers && !newsrv->ssl_ctx.ciphers)
- newsrv->ssl_ctx.ciphers = strdup(global_ssl.connect_default_ciphers);
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ if (global_ssl.connect_default_ciphersuites && !newsrv->ssl_ctx.ciphersuites)
-+ newsrv->ssl_ctx.ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
-+#endif
- return 0;
- }
-
-@@ -8092,6 +8178,32 @@ static int ssl_parse_global_ciphers(char **args, int section_type, struct proxy
- return 0;
- }
-
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+/* parse the "ssl-default-bind-ciphersuites" / "ssl-default-server-ciphersuites" keywords
-+ * in global section. Returns <0 on alert, >0 on warning, 0 on success.
-+ */
-+static int ssl_parse_global_ciphersuites(char **args, int section_type, struct proxy *curpx,
-+ struct proxy *defpx, const char *file, int line,
-+ char **err)
-+{
-+ char **target;
-+
-+ target = (args[0][12] == 'b') ? &global_ssl.listen_default_ciphersuites : &global_ssl.connect_default_ciphersuites;
-+
-+ if (too_many_args(1, args, err, NULL))
-+ return -1;
-+
-+ if (*(args[1]) == 0) {
-+ memprintf(err, "global statement '%s' expects a cipher suite as an argument.", args[0]);
-+ return -1;
-+ }
-+
-+ free(*target);
-+ *target = strdup(args[1]);
-+ return 0;
-+}
-+#endif
-+
- /* parse various global tune.ssl settings consisting in positive integers.
- * Returns <0 on alert, >0 on warning, 0 on success.
- */
-@@ -8599,6 +8711,9 @@ static struct ssl_bind_kw ssl_bind_kws[] = {
- { "alpn", ssl_bind_parse_alpn, 1 }, /* set ALPN supported protocols */
- { "ca-file", ssl_bind_parse_ca_file, 1 }, /* set CAfile to process verify on client cert */
- { "ciphers", ssl_bind_parse_ciphers, 1 }, /* set SSL cipher suite */
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ { "ciphersuites", ssl_bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
-+#endif
- { "crl-file", ssl_bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
- { "curves", ssl_bind_parse_curves, 1 }, /* set SSL curve suite */
- { "ecdhe", ssl_bind_parse_ecdhe, 1 }, /* defines named curve for elliptic curve Diffie-Hellman */
-@@ -8618,6 +8733,9 @@ static struct bind_kw_list bind_kws = { "SSL", { }, {
- { "ca-sign-file", bind_parse_ca_sign_file, 1 }, /* set CAFile used to generate and sign server certs */
- { "ca-sign-pass", bind_parse_ca_sign_pass, 1 }, /* set CAKey passphrase */
- { "ciphers", bind_parse_ciphers, 1 }, /* set SSL cipher suite */
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ { "ciphersuites", bind_parse_ciphersuites, 1 }, /* set TLS 1.3 cipher suite */
-+#endif
- { "crl-file", bind_parse_crl_file, 1 }, /* set certificat revocation list file use on client cert verify */
- { "crt", bind_parse_crt, 1 }, /* load SSL certificates from this location */
- { "crt-ignore-err", bind_parse_ignore_err, 1 }, /* set error IDs to ingore on verify depth == 0 */
-@@ -8661,6 +8779,9 @@ static struct srv_kw_list srv_kws = { "SSL", { }, {
- { "check-sni", srv_parse_check_sni, 1, 1 }, /* set SNI */
- { "check-ssl", srv_parse_check_ssl, 0, 1 }, /* enable SSL for health checks */
- { "ciphers", srv_parse_ciphers, 1, 1 }, /* select the cipher suite */
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ { "ciphersuites", srv_parse_ciphersuites, 1, 1 }, /* select the cipher suite */
-+#endif
- { "crl-file", srv_parse_crl_file, 1, 1 }, /* set certificate revocation list file use on server cert verify */
- { "crt", srv_parse_crt, 1, 1 }, /* set client certificate */
- { "force-sslv3", srv_parse_tls_method_options, 0, 1 }, /* force SSLv3 */
-@@ -8716,6 +8837,10 @@ static struct cfg_kw_list cfg_kws = {ILH, {
- { CFG_GLOBAL, "tune.ssl.capture-cipherlist-size", ssl_parse_global_capture_cipherlist },
- { CFG_GLOBAL, "ssl-default-bind-ciphers", ssl_parse_global_ciphers },
- { CFG_GLOBAL, "ssl-default-server-ciphers", ssl_parse_global_ciphers },
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ { CFG_GLOBAL, "ssl-default-bind-ciphersuites", ssl_parse_global_ciphersuites },
-+ { CFG_GLOBAL, "ssl-default-server-ciphersuites", ssl_parse_global_ciphersuites },
-+#endif
- { 0, NULL, NULL },
- }};
-
-@@ -8793,6 +8918,12 @@ static void __ssl_sock_init(void)
- global_ssl.listen_default_ciphers = strdup(global_ssl.listen_default_ciphers);
- if (global_ssl.connect_default_ciphers)
- global_ssl.connect_default_ciphers = strdup(global_ssl.connect_default_ciphers);
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
-+ if (global_ssl.listen_default_ciphersuites)
-+ global_ssl.listen_default_ciphersuites = strdup(global_ssl.listen_default_ciphersuites);
-+ if (global_ssl.connect_default_ciphersuites)
-+ global_ssl.connect_default_ciphersuites = strdup(global_ssl.connect_default_ciphersuites);
-+#endif
-
- xprt_register(XPRT_SSL, &ssl_sock);
- SSL_library_init();
+++ /dev/null
-commit 30ba96df349ace825749a57490defeb50001a550
-Author: Emeric Brun <ebrun@haproxy.com>
-Date: Wed Oct 10 14:51:02 2018 +0200
-
- BUG/MEDIUM: Cur/CumSslConns counters not threadsafe.
-
- CurSslConns inc/dec operations are not threadsafe. The unsigned CurSslConns
- counter can wrap to a negative value. So we could notice connection rejects
- because of MaxSslConns limit artificially exceeded.
-
- CumSslConns inc operation are also not threadsafe so we could miss
- some connections and show inconsistenties values compared to CumConns.
-
- This fix should be backported to v1.8.
-
- (cherry picked from commit 7ad43e7928c9a61b40332e4d5e9a7ccc33e6b65b)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 2da0df68..6eed8022 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -491,7 +491,7 @@ static void ssl_async_fd_free(int fd)
-
- /* Now we can safely call SSL_free, no more pending job in engines */
- SSL_free(ssl);
-- sslconns--;
-+ HA_ATOMIC_SUB(&sslconns, 1);
- HA_ATOMIC_SUB(&jobs, 1);
- }
- /*
-@@ -5011,8 +5011,8 @@ static int ssl_sock_init(struct connection *conn)
- /* leave init state and start handshake */
- conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
-
-- sslconns++;
-- totalsslconns++;
-+ HA_ATOMIC_ADD(&sslconns, 1);
-+ HA_ATOMIC_ADD(&totalsslconns, 1);
- return 0;
- }
- else if (objt_listener(conn->target)) {
-@@ -5062,8 +5062,8 @@ static int ssl_sock_init(struct connection *conn)
- conn->flags |= CO_FL_EARLY_SSL_HS;
- #endif
-
-- sslconns++;
-- totalsslconns++;
-+ HA_ATOMIC_ADD(&sslconns, 1);
-+ HA_ATOMIC_ADD(&totalsslconns, 1);
- return 0;
- }
- /* don't know how to handle such a target */
-@@ -5713,7 +5713,7 @@ static void ssl_sock_close(struct connection *conn) {
- #endif
- SSL_free(conn->xprt_ctx);
- conn->xprt_ctx = NULL;
-- sslconns--;
-+ HA_ATOMIC_SUB(&sslconns, 1);
- }
- }
-
+++ /dev/null
-commit 8a6c4ff3f407b916bc08da4e76ed7813768ac937
-Author: mildis <me@mildis.org>
-Date: Tue Oct 2 16:46:34 2018 +0200
-
- BUG/MINOR: checks: queues null-deref
-
- queues can be null if calloc() failed.
- Bypass free* calls when calloc did fail.
-
- (cherry picked from commit 5ab01cb01114065a3573570a48e84815e751bf14)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/checks.c b/src/checks.c
-index 098ddecf..74958b2d 100644
---- a/src/checks.c
-+++ b/src/checks.c
-@@ -3182,7 +3182,7 @@ int init_email_alert(struct mailers *mls, struct proxy *p, char **err)
-
- if ((queues = calloc(mls->count, sizeof(*queues))) == NULL) {
- memprintf(err, "out of memory while allocating mailer alerts queues");
-- goto error;
-+ goto fail_no_queue;
- }
-
- for (mailer = mls->mailer_list; mailer; i++, mailer = mailer->next) {
-@@ -3239,6 +3239,7 @@ int init_email_alert(struct mailers *mls, struct proxy *p, char **err)
- free_check(check);
- }
- free(queues);
-+ fail_no_queue:
- return 1;
- }
-
+++ /dev/null
-commit df4822ea169adc5c7c987fa077438f0ded1ac39b
-Author: Emeric Brun <ebrun@haproxy.com>
-Date: Thu Oct 11 15:27:07 2018 +0200
-
- BUG/MEDIUM: mworker: segfault receiving SIGUSR1 followed by SIGTERM.
-
- This bug appeared only if nbthread > 1. Handling the pipe with the
- master, multiple threads of the same worker could process the deinit().
-
- In addition, deinit() was called while some other threads were still
- performing some tasks.
-
- This patch assign the handler of the pipe with master to only the first
- thread and removes the call to deinit() before exiting with an error.
-
- This patch should be backported in v1.8.
-
- (cherry picked from commit c8c0ed91cb4436491efd2ce2c4b4b1694aeeccca)
- [wt: adjusted context]
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/haproxy.c b/src/haproxy.c
-index e0186ff9..1959dd0f 100644
---- a/src/haproxy.c
-+++ b/src/haproxy.c
-@@ -2349,7 +2349,13 @@ void mworker_pipe_handler(int fd)
- break;
- }
-
-- deinit();
-+ /* At this step the master is down before
-+ * this worker perform a 'normal' exit.
-+ * So we want to exit with an error but
-+ * other threads could currently process
-+ * some stuff so we can't perform a clean
-+ * deinit().
-+ */
- exit(EXIT_FAILURE);
- return;
- }
-@@ -2364,7 +2370,10 @@ void mworker_pipe_register()
- fcntl(mworker_pipe[0], F_SETFL, O_NONBLOCK);
- fdtab[mworker_pipe[0]].owner = mworker_pipe;
- fdtab[mworker_pipe[0]].iocb = mworker_pipe_handler;
-- fd_insert(mworker_pipe[0], MAX_THREADS_MASK);
-+ /* In multi-tread, we need only one thread to process
-+ * events on the pipe with master
-+ */
-+ fd_insert(mworker_pipe[0], 1);
- fd_want_recv(mworker_pipe[0]);
- }
-
+++ /dev/null
-commit 4bf6d76a22b9b601fd57df4aa0f4fba62733cb07
-Author: Willy Tarreau <w@1wt.eu>
-Date: Mon Oct 15 11:08:55 2018 +0200
-
- BUG/MEDIUM: stream: don't crash on out-of-memory
-
- In case pool_alloc() fails in stream_new(), we try to detach the stream
- from the list before it has been added, dereferencing a NULL. In order
- to fix it, simply move the LIST_DEL call upwards.
-
- This must be backported to 1.8.
-
- (cherry picked from commit e5f229e6392fd54aaba7fe58f457723c16b9d15f)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/stream.c b/src/stream.c
-index 11c9dbf3..ef7cff5c 100644
---- a/src/stream.c
-+++ b/src/stream.c
-@@ -282,8 +282,8 @@ struct stream *stream_new(struct session *sess, enum obj_type *origin)
- out_fail_accept:
- flt_stream_release(s, 0);
- task_free(t);
-- out_fail_alloc:
- LIST_DEL(&s->list);
-+ out_fail_alloc:
- pool_free(pool_head_stream, s);
- return NULL;
- }
--- /dev/null
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index cfbc38b..025a144 100644
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -39,6 +39,7 @@
+ #include <netdb.h>
+ #include <netinet/tcp.h>
+
++#include <openssl/bn.h>
+ #include <openssl/crypto.h>
+ #include <openssl/ssl.h>
+ #include <openssl/x509.h>
+@@ -229,6 +230,7 @@ unsigned long ssl_id_function(void)
+
+ void ssl_locking_function(int mode, int n, const char * file, int line)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ if (mode & CRYPTO_LOCK) {
+ if (mode & CRYPTO_READ)
+ HA_RWLOCK_RDLOCK(SSL_LOCK, &ssl_rwlocks[n]);
+@@ -241,10 +243,12 @@ void ssl_locking_function(int mode, int n, const char * file, int line)
+ else
+ HA_RWLOCK_WRUNLOCK(SSL_LOCK, &ssl_rwlocks[n]);
+ }
++#endif
+ }
+
+ static int ssl_locking_init(void)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ int i;
+
+ ssl_rwlocks = malloc(sizeof(HA_RWLOCK_T)*CRYPTO_num_locks());
+@@ -256,7 +260,7 @@ static int ssl_locking_init(void)
+
+ CRYPTO_set_id_callback(ssl_id_function);
+ CRYPTO_set_locking_callback(ssl_locking_function);
+-
++#endif
+ return 0;
+ }
+
+@@ -1711,8 +1715,13 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
+ ASN1_INTEGER_set(X509_get_serialNumber(newcrt), HA_ATOMIC_ADD(&ssl_ctx_serial, 1));
+
+ /* Set duration for the certificate */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ if (!X509_gmtime_adj(X509_get_notBefore(newcrt), (long)-60*60*24) ||
+ !X509_gmtime_adj(X509_get_notAfter(newcrt),(long)60*60*24*365))
++#else
++ if (!X509_gmtime_adj(X509_getm_notBefore(newcrt), (long)-60*60*24) ||
++ !X509_gmtime_adj(X509_getm_notAfter(newcrt),(long)60*60*24*365))
++#endif
+ goto mkcert_error;
+
+ /* set public key in the certificate */
+@@ -6285,7 +6294,11 @@ smp_fetch_ssl_x_notafter(const struct arg *args, struct sample *smp, const char
+ goto out;
+
+ smp_trash = get_trash_chunk();
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ if (ssl_sock_get_time(X509_get_notAfter(crt), smp_trash) <= 0)
++#else
++ if (ssl_sock_get_time(X509_getm_notAfter(crt), smp_trash) <= 0)
++#endif
+ goto out;
+
+ smp->data.u.str = *smp_trash;
+@@ -6385,7 +6398,11 @@ smp_fetch_ssl_x_notbefore(const struct arg *args, struct sample *smp, const char
+ goto out;
+
+ smp_trash = get_trash_chunk();
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ if (ssl_sock_get_time(X509_get_notBefore(crt), smp_trash) <= 0)
++#else
++ if (ssl_sock_get_time(X509_getm_notBefore(crt), smp_trash) <= 0)
++#endif
+ goto out;
+
+ smp->data.u.str = *smp_trash;
+@@ -8935,7 +8952,11 @@ static void __ssl_sock_init(void)
+ #endif
+
+ xprt_register(XPRT_SSL, &ssl_sock);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSL_library_init();
++#else
++ OPENSSL_init_ssl(0, NULL);
++#endif
+ cm = SSL_COMP_get_compression_methods();
+ sk_SSL_COMP_zero(cm);
+ #ifdef USE_THREAD
+@@ -8967,8 +8988,13 @@ static void __ssl_sock_init(void)
+ #else /* OPENSSL_IS_BORINGSSL */
+ OPENSSL_VERSION_TEXT
+ "\nRunning on OpenSSL version : %s%s",
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSLeay_version(SSLEAY_VERSION),
+ ((OPENSSL_VERSION_NUMBER ^ SSLeay()) >> 8) ? " (VERSIONS DIFFER!)" : "");
++#else
++ OpenSSL_version(OPENSSL_VERSION),
++ ((OPENSSL_VERSION_NUMBER ^ OpenSSL_version_num()) >> 8) ? " (VERSIONS DIFFER!)" : "");
++#endif
+ #endif
+ memprintf(&ptr, "%s\nOpenSSL library supports TLS extensions : "
+ #if OPENSSL_VERSION_NUMBER < 0x00907000L
+@@ -9060,11 +9086,14 @@ static void __ssl_sock_deinit(void)
+ #endif
+
+ ERR_remove_state(0);
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ ERR_free_strings();
+
+ EVP_cleanup();
++#endif
+
+-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
++#if OPENSSL_VERSION_NUMBER >= 0x00907000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+ CRYPTO_cleanup_all_ex_data();
+ #endif
+ }
+++ /dev/null
-commit d332b12b262ad7df1c8bdda52dad100f40399d24
-Author: Willy Tarreau <w@1wt.eu>
-Date: Mon Oct 15 11:01:59 2018 +0200
-
- BUILD: ssl: fix null-deref warning in ssl_fc_cipherlist_str sample fetch
-
- Gcc 6.4 detects a potential null-deref warning in smp_fetch_ssl_fc_cl_str().
- This one is not real since already addressed a few lines above. Let's use
- __objt_conn() instead of objt_conn() to avoid the extra test that confuses
- it.
-
- This could be backported to 1.8.
-
- (cherry picked from commit b729077710b14c75936909409e27a4fa0badcb54)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 6eed8022..4577fef4 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -6929,7 +6929,7 @@ smp_fetch_ssl_fc_cl_str(const struct arg *args, struct sample *smp, const char *
- #if defined(OPENSSL_IS_BORINGSSL)
- cipher = SSL_get_cipher_by_value(id);
- #else
-- struct connection *conn = objt_conn(smp->sess->origin);
-+ struct connection *conn = __objt_conn(smp->sess->origin);
- cipher = SSL_CIPHER_find(conn->xprt_ctx, bin);
- #endif
- str = SSL_CIPHER_get_name(cipher);
+++ /dev/null
-commit 892c21240adb9ac230d4bd27cc8be4767b4902aa
-Author: Willy Tarreau <w@1wt.eu>
-Date: Mon Oct 15 13:20:07 2018 +0200
-
- BUILD: ssl: fix another null-deref warning in ssl_sock_switchctx_cbk()
-
- This null-deref cannot happen either as there necesarily is a listener
- where this function is called. Let's use __objt_listener() to address
- this.
-
- This may be backported to 1.8.
-
- (cherry picked from commit a8825520b785d592467c45e183ad8213cb7bf891)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 4577fef4..cfbc38b7 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -2113,7 +2113,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
- int i;
-
- conn = SSL_get_ex_data(ssl, ssl_app_data_index);
-- s = objt_listener(conn->target)->bind_conf;
-+ s = __objt_listener(conn->target)->bind_conf;
-
- if (s->ssl_conf.early_data)
- allow_early = 1;
+++ /dev/null
-commit eb72c1faedc39c68fb1246ea8a97d1f96831756c
-Author: Willy Tarreau <w@1wt.eu>
-Date: Mon Oct 15 11:12:15 2018 +0200
-
- BUILD: stick-table: make sure not to fail on task_new() during initialization
-
- Gcc reports a potential null-deref error in the stick-table init code.
- While not critical there, it's trivial to fix. This check has been
- missing since 1.4 so this fix can be backported to all supported versions.
-
- (cherry picked from commit 848522f05df9e60eea9274e11f1e9fcd19594a5c)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/stick_table.c b/src/stick_table.c
-index 5a2f1295..653a1ffb 100644
---- a/src/stick_table.c
-+++ b/src/stick_table.c
-@@ -602,6 +602,8 @@ int stktable_init(struct stktable *t)
- t->exp_next = TICK_ETERNITY;
- if ( t->expire ) {
- t->exp_task = task_new(MAX_THREADS_MASK);
-+ if (!t->exp_task)
-+ return 0;
- t->exp_task->process = process_table_expire;
- t->exp_task->context = (void *)t;
- }
+++ /dev/null
-commit d28afe3631e20a9fcca47efde031d62e501eff48
-Author: Willy Tarreau <w@1wt.eu>
-Date: Mon Oct 15 11:18:03 2018 +0200
-
- BUILD: peers: check allocation error during peers_init_sync()
-
- peers_init_sync() doesn't check task_new()'s return value and doesn't
- return any result to indicate success or failure. Let's make it return
- an int and check it from the caller.
-
- This can be backported as far as 1.6.
-
- (cherry picked from commit d944344f01d9ea914d94c45f6ac7c224c6143fc9)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/include/proto/peers.h b/include/proto/peers.h
-index 782b66e4..9d4aaff2 100644
---- a/include/proto/peers.h
-+++ b/include/proto/peers.h
-@@ -28,7 +28,7 @@
- #include <types/stream.h>
- #include <types/peers.h>
-
--void peers_init_sync(struct peers *peers);
-+int peers_init_sync(struct peers *peers);
- void peers_register_table(struct peers *, struct stktable *table);
- void peers_setup_frontend(struct proxy *fe);
-
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index d1474d4b..7414b60d 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -9111,7 +9111,12 @@ out_uri_auth_compat:
- curpeers->peers_fe = NULL;
- }
- else {
-- peers_init_sync(curpeers);
-+ if (!peers_init_sync(curpeers)) {
-+ ha_alert("Peers section '%s': out of memory, giving up on peers.\n",
-+ curpeers->id);
-+ cfgerr++;
-+ break;
-+ }
- last = &curpeers->next;
- continue;
- }
-diff --git a/src/peers.c b/src/peers.c
-index c56ed3af..0cd56da3 100644
---- a/src/peers.c
-+++ b/src/peers.c
-@@ -2159,9 +2159,9 @@ static struct task *process_peer_sync(struct task * task)
-
-
- /*
-- *
-+ * returns 0 in case of error.
- */
--void peers_init_sync(struct peers *peers)
-+int peers_init_sync(struct peers *peers)
- {
- struct peer * curpeer;
- struct listener *listener;
-@@ -2173,10 +2173,14 @@ void peers_init_sync(struct peers *peers)
- list_for_each_entry(listener, &peers->peers_fe->conf.listeners, by_fe)
- listener->maxconn = peers->peers_fe->maxconn;
- peers->sync_task = task_new(MAX_THREADS_MASK);
-+ if (!peers->sync_task)
-+ return 0;
-+
- peers->sync_task->process = process_peer_sync;
- peers->sync_task->context = (void *)peers;
- peers->sighandler = signal_register_task(0, peers->sync_task, 0);
- task_wakeup(peers->sync_task, TASK_WOKEN_INIT);
-+ return 1;
- }
-
-
+++ /dev/null
-commit c6eb147201c1d05afaadc5fd248b17be91f97331
-Author: Bertrand Jacquin <bertrand@jacquin.bzh>
-Date: Sat Oct 13 16:06:18 2018 +0100
-
- DOC: Fix a few typos
-
- these are mostly spelling mistakes, some of them might be candidate for
- backporting as well.
-
- (cherry picked from commit d5e4de8e5f99108e31dc7a23a0e91c4231e37974)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/CONTRIBUTING b/CONTRIBUTING
-index b2c2b493..cd97e69b 100644
---- a/CONTRIBUTING
-+++ b/CONTRIBUTING
-@@ -309,7 +309,7 @@ do not think about them anymore after a few patches.
- A good rule of thumb is that if your identifiers start to contain more than
- 3 words or more than 15 characters, they can become confusing. For function
- names it's less important especially if these functions are rarely used or
-- are used in a complex context where it is important to differenciate between
-+ are used in a complex context where it is important to differentiate between
- their multiple variants.
-
- 9) Unified diff only
-@@ -318,7 +318,7 @@ do not think about them anymore after a few patches.
- that you have committed your patch to a local branch, with an appropriate
- subject line and a useful commit message explaining what the patch attempts
- to do. It is not strictly required to use git, but what is strictly required
-- is to have all these elements in the same mail, easily distinguishible, and
-+ is to have all these elements in the same mail, easily distinguishable, and
- a patch in "diff -up" format (which is also the format used by Git). This
- means the "unified" diff format must be used exclusively, and with the
- function name printed in the diff header of each block. That significantly
-@@ -761,7 +761,7 @@ sent to the mailing list : haproxy@formilux.org and CCed to relevant subsystem
- maintainers or authors of the modified files if their address appears at the
- top of the file.
-
--Please don't send pull-requests, they are really unconvenient. First, a pull
-+Please don't send pull-requests, they are really inconvenient. First, a pull
- implies a merge operation and the code doesn't move fast enough to justify the
- use of merges. Second, pull requests are not easily commented on by the
- project's participants, contrary to e-mails where anyone is allowed to have an
-diff --git a/include/types/connection.h b/include/types/connection.h
-index 5e8af3e7..b9e46048 100644
---- a/include/types/connection.h
-+++ b/include/types/connection.h
-@@ -45,7 +45,7 @@ struct server;
- struct pipe;
-
-
--/* A connection handle is how we differenciate two connections on the lower
-+/* A connection handle is how we differentiate two connections on the lower
- * layers. It usually is a file descriptor but can be a connection id.
- */
- union conn_handle {
+++ /dev/null
-commit 75795017480da0f0a1157e945043249fe625f92f
-Author: Willy Tarreau <w@1wt.eu>
-Date: Tue Oct 16 16:11:56 2018 +0200
-
- BUG/MEDIUM: threads: fix thread_release() at the end of the rendez-vous point
-
- There is a bug in this function used to release other threads. It leaves
- the current thread marked as harmless. If after this another thread does
- a thread_isolate(), but before the first one reaches poll(), the second
- thread will believe it's alone while it's not.
-
- This must be backported to 1.8 since the rendez-vous point was merged
- into 1.8.14.
-
- (cherry picked from commit a9c0252b2e8ff7bb728b84d977ac6e9581ea12f8)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/hathreads.c b/src/hathreads.c
-index 9dba4356..0a7c12f7 100644
---- a/src/hathreads.c
-+++ b/src/hathreads.c
-@@ -221,12 +221,8 @@ void thread_isolate()
- */
- void thread_release()
- {
-- while (1) {
-- HA_ATOMIC_AND(&threads_want_rdv_mask, ~tid_bit);
-- if (!(threads_want_rdv_mask & all_threads_mask))
-- break;
-- thread_harmless_till_end();
-- }
-+ HA_ATOMIC_AND(&threads_want_rdv_mask, ~tid_bit);
-+ thread_harmless_end();
- }
-
- __attribute__((constructor))
+++ /dev/null
-commit 4805c249aabc45cd59386694f962e19ab50e8ca9
-Author: Willy Tarreau <w@1wt.eu>
-Date: Tue Oct 16 16:57:40 2018 +0200
-
- BUG/MEDIUM: threads: make sure threads_want_sync is marked volatile
-
- The threads_want_sync variable is not volatile, which allows the compiler
- to cache old copies of it for long parts of code and possibly optimize
- some tests away. This could result in deadlocks when using heavy queue
- activity or health check state changes.
-
- There is no upstream commit for this fix because the sync point was
- completely removed from 1.9. This fix is exclusively for 1.8.
-
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/hathreads.c b/src/hathreads.c
-index 0a7c12f7..730ebee4 100644
---- a/src/hathreads.c
-+++ b/src/hathreads.c
-@@ -29,7 +29,7 @@ void thread_sync_io_handler(int fd)
-
- static HA_SPINLOCK_T sync_lock;
- static int threads_sync_pipe[2] = {-1, -1};
--static unsigned long threads_want_sync = 0;
-+volatile static unsigned long threads_want_sync = 0;
- volatile unsigned long threads_want_rdv_mask = 0;
- volatile unsigned long threads_harmless_mask = 0;
- volatile unsigned long all_threads_mask = 1; // nbthread 1 assumed by default
+++ /dev/null
-commit d26a40412197ba61a72368c71e8a8582d686d28c
-Author: Willy Tarreau <w@1wt.eu>
-Date: Mon Oct 15 11:53:34 2018 +0200
-
- BUILD: compiler: add a new statement "__unreachable()"
-
- This statement is used as a hint for the compiler so that it knows that
- the location where it's placed cannot be reached. It will mostly be used
- after longjmp() or equivalent statements that deal with error processing
- and that the compiler doesn't know will not return on certain conditions,
- so that it doesn't complain about null dereferences on error paths.
-
- (cherry picked from commit 8d26f02e693121764bfa0cb48c9a7ab31e17225d)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/include/common/compiler.h b/include/common/compiler.h
-index a13aad5c..6f4f5a67 100644
---- a/include/common/compiler.h
-+++ b/include/common/compiler.h
-@@ -82,6 +82,18 @@
- */
- #define __maybe_unused __attribute__((unused))
-
-+/* This allows gcc to know that some locations are never reached, for example
-+ * after a longjmp() in the Lua code, hence that some errors caught by such
-+ * methods cannot propagate further. This is important with gcc versions 6 and
-+ * above which can more aggressively detect null dereferences. The builtin
-+ * below was introduced in gcc 4.5, and before it we didn't care.
-+ */
-+#if __GNUC__ >= 5 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
-+#define __unreachable() __builtin_unreachable()
-+#else
-+#define __unreachable()
-+#endif
-+
- /*
- * Gcc >= 3 provides the ability for the programme to give hints to the
- * compiler about what branch of an if is most likely to be taken. This
+++ /dev/null
-commit 330e08dfc588dc9b0ad42203123fab6c191ca2f8
-Author: Willy Tarreau <w@1wt.eu>
-Date: Tue Oct 16 17:52:55 2018 +0200
-
- MINOR: lua: all functions calling lua_yieldk() may return
-
- There was a mistake when tagging functions which always use longjmp and
- those which may use it in that all those supposed to call lua_yieldk()
- may return without calling longjmp. Thus they must not use WILL_LJMP()
- but MAY_LJMP(). It has zero impact on the code emitted as such, but
- prevents other fixes from being properly implemented : this was the
- cause of the previous failure with the __unreachable() calls.
-
- This may be backported to older versions. It may or may not apply
- well depending on the context, though the change simply consists in
- replacing "WILL_LJMP(hlua_yieldk" with "MAY_LJMP(hlua_yieldk", and
- same with the single call to lua_yieldk() in hlua_yieldk().
-
- (cherry picked from commit 9635e03c41e95dff38731f67cc9d8b00e3731d2a)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/hlua.c b/src/hlua.c
-index 60ba94ea..64102e8a 100644
---- a/src/hlua.c
-+++ b/src/hlua.c
-@@ -852,7 +852,7 @@ __LJMP void hlua_yieldk(lua_State *L, int nresults, int ctx,
- hlua->flags |= flags;
-
- /* Process the yield. */
-- WILL_LJMP(lua_yieldk(L, nresults, ctx, k));
-+ MAY_LJMP(lua_yieldk(L, nresults, ctx, k));
- }
-
- /* This function initialises the Lua environment stored in the stream.
-@@ -1003,7 +1003,7 @@ void hlua_hook(lua_State *L, lua_Debug *ar)
- * If the state is not yieldable, trying yield causes an error.
- */
- if (lua_isyieldable(L))
-- WILL_LJMP(hlua_yieldk(L, 0, 0, NULL, TICK_ETERNITY, HLUA_CTRLYIELD));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, NULL, TICK_ETERNITY, HLUA_CTRLYIELD));
-
- /* If we cannot yield, update the clock and check the timeout. */
- tv_update_date(0, 1);
-@@ -1883,7 +1883,7 @@ connection_empty:
- WILL_LJMP(luaL_error(L, "out of memory"));
- }
- xref_unlock(&socket->xref, peer);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_receive_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_receive_yield, TICK_ETERNITY, 0));
- return 0;
- }
-
-@@ -2082,7 +2082,7 @@ hlua_socket_write_yield_return:
- WILL_LJMP(luaL_error(L, "out of memory"));
- }
- xref_unlock(&socket->xref, peer);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_write_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_write_yield, TICK_ETERNITY, 0));
- return 0;
- }
-
-@@ -2375,7 +2375,7 @@ __LJMP static int hlua_socket_connect_yield(struct lua_State *L, int status, lua
- WILL_LJMP(luaL_error(L, "out of memory error"));
- }
- xref_unlock(&socket->xref, peer);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0));
- return 0;
- }
-
-@@ -2493,7 +2493,7 @@ __LJMP static int hlua_socket_connect(struct lua_State *L)
- task_wakeup(s->task, TASK_WOKEN_INIT);
- /* Return yield waiting for connection. */
-
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_socket_connect_yield, TICK_ETERNITY, 0));
-
- return 0;
- }
-@@ -2819,7 +2819,7 @@ __LJMP static int hlua_channel_dup_yield(lua_State *L, int status, lua_KContext
- chn = MAY_LJMP(hlua_checkchannel(L, 1));
-
- if (_hlua_channel_dup(chn, L) == 0)
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_dup_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_dup_yield, TICK_ETERNITY, 0));
- return 1;
- }
-
-@@ -2845,7 +2845,7 @@ __LJMP static int hlua_channel_get_yield(lua_State *L, int status, lua_KContext
-
- ret = _hlua_channel_dup(chn, L);
- if (unlikely(ret == 0))
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_get_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_get_yield, TICK_ETERNITY, 0));
-
- if (unlikely(ret == -1))
- return 1;
-@@ -2883,7 +2883,7 @@ __LJMP static int hlua_channel_getline_yield(lua_State *L, int status, lua_KCont
-
- ret = ci_getline_nc(chn, &blk1, &len1, &blk2, &len2);
- if (ret == 0)
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_getline_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_getline_yield, TICK_ETERNITY, 0));
-
- if (ret == -1) {
- lua_pushnil(L);
-@@ -2932,7 +2932,7 @@ __LJMP static int hlua_channel_append_yield(lua_State *L, int status, lua_KConte
- */
- if (chn->buf->size == 0) {
- si_applet_cant_put(chn_prod(chn));
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
- }
-
- max = channel_recv_limit(chn) - buffer_len(chn->buf);
-@@ -2946,7 +2946,7 @@ __LJMP static int hlua_channel_append_yield(lua_State *L, int status, lua_KConte
- }
- if (ret == -1) {
- chn->flags |= CF_WAKE_WRITE;
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
- }
- l += ret;
- lua_pop(L, 1);
-@@ -2962,7 +2962,7 @@ __LJMP static int hlua_channel_append_yield(lua_State *L, int status, lua_KConte
- return 1;
- }
- if (l < len)
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_append_yield, TICK_ETERNITY, 0));
- return 1;
- }
-
-@@ -3026,7 +3026,7 @@ __LJMP static int hlua_channel_send_yield(lua_State *L, int status, lua_KContext
- */
- if (chn->buf->size == 0) {
- si_applet_cant_put(chn_prod(chn));
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0));
- }
-
- /* the writed data will be immediatly sent, so we can check
-@@ -3082,7 +3082,7 @@ __LJMP static int hlua_channel_send_yield(lua_State *L, int status, lua_KContext
- HLUA_SET_WAKERESWR(hlua);
- else
- HLUA_SET_WAKEREQWR(hlua);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_send_yield, TICK_ETERNITY, 0));
- }
-
- return 1;
-@@ -3146,7 +3146,7 @@ __LJMP static int hlua_channel_forward_yield(lua_State *L, int status, lua_KCont
- HLUA_SET_WAKEREQWR(hlua);
-
- /* Otherwise, we can yield waiting for new data in the inpout side. */
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_forward_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_channel_forward_yield, TICK_ETERNITY, 0));
- }
-
- return 1;
-@@ -3654,7 +3654,7 @@ __LJMP static int hlua_applet_tcp_getline_yield(lua_State *L, int status, lua_KC
- /* Data not yet avalaible. return yield. */
- if (ret == 0) {
- si_applet_cant_get(si);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_getline_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_getline_yield, TICK_ETERNITY, 0));
- }
-
- /* End of data: commit the total strings and return. */
-@@ -3709,7 +3709,7 @@ __LJMP static int hlua_applet_tcp_recv_yield(lua_State *L, int status, lua_KCont
- /* Data not yet avalaible. return yield. */
- if (ret == 0) {
- si_applet_cant_get(si);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
- }
-
- /* End of data: commit the total strings and return. */
-@@ -3732,7 +3732,7 @@ __LJMP static int hlua_applet_tcp_recv_yield(lua_State *L, int status, lua_KCont
- luaL_addlstring(&appctx->b, blk2, len2);
- co_skip(si_oc(si), len1 + len2);
- si_applet_cant_get(si);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
-
- } else {
-
-@@ -3756,7 +3756,7 @@ __LJMP static int hlua_applet_tcp_recv_yield(lua_State *L, int status, lua_KCont
- lua_pushinteger(L, len);
- lua_replace(L, 2);
- si_applet_cant_get(si);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_recv_yield, TICK_ETERNITY, 0));
- }
-
- /* return the result. */
-@@ -3825,7 +3825,7 @@ __LJMP static int hlua_applet_tcp_send_yield(lua_State *L, int status, lua_KCont
- */
- if (l < len) {
- si_applet_cant_put(si);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_send_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_tcp_send_yield, TICK_ETERNITY, 0));
- }
-
- return 1;
-@@ -4122,7 +4122,7 @@ __LJMP static int hlua_applet_http_getline_yield(lua_State *L, int status, lua_K
- */
- if (ret == -1) {
- si_applet_cant_put(si);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0));
- }
- appctx->appctx->ctx.hlua_apphttp.flags &= ~APPLET_100C;
- }
-@@ -4139,7 +4139,7 @@ __LJMP static int hlua_applet_http_getline_yield(lua_State *L, int status, lua_K
- /* Data not yet avalaible. return yield. */
- if (ret == 0) {
- si_applet_cant_get(si);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_getline_yield, TICK_ETERNITY, 0));
- }
-
- /* End of data: commit the total strings and return. */
-@@ -4208,7 +4208,7 @@ __LJMP static int hlua_applet_http_recv_yield(lua_State *L, int status, lua_KCon
- */
- if (ret == -1) {
- si_applet_cant_put(si);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
- }
- appctx->appctx->ctx.hlua_apphttp.flags &= ~APPLET_100C;
- }
-@@ -4219,7 +4219,7 @@ __LJMP static int hlua_applet_http_recv_yield(lua_State *L, int status, lua_KCon
- /* Data not yet avalaible. return yield. */
- if (ret == 0) {
- si_applet_cant_get(si);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
- }
-
- /* End of data: commit the total strings and return. */
-@@ -4254,7 +4254,7 @@ __LJMP static int hlua_applet_http_recv_yield(lua_State *L, int status, lua_KCon
- lua_pushinteger(L, len);
- lua_replace(L, 2);
- si_applet_cant_get(si);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_recv_yield, TICK_ETERNITY, 0));
- }
-
- /* return the result. */
-@@ -4320,7 +4320,7 @@ __LJMP static int hlua_applet_http_send_yield(lua_State *L, int status, lua_KCon
- */
- if (l < len) {
- si_applet_cant_put(si);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_send_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_send_yield, TICK_ETERNITY, 0));
- }
-
- return 1;
-@@ -4460,7 +4460,7 @@ __LJMP static int hlua_applet_http_start_response_yield(lua_State *L, int status
- /* If ret is -1, we dont have room in the buffer, so we yield. */
- if (ret == -1) {
- si_applet_cant_put(si);
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_start_response_yield, TICK_ETERNITY, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_applet_http_start_response_yield, TICK_ETERNITY, 0));
- }
-
- /* Headers sent, set the flag. */
-@@ -5510,7 +5510,7 @@ __LJMP static int hlua_sleep_yield(lua_State *L, int status, lua_KContext ctx)
- {
- int wakeup_ms = lua_tointeger(L, -1);
- if (now_ms < wakeup_ms)
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
- return 0;
- }
-
-@@ -5525,7 +5525,7 @@ __LJMP static int hlua_sleep(lua_State *L)
- wakeup_ms = tick_add(now_ms, delay);
- lua_pushinteger(L, wakeup_ms);
-
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
- return 0;
- }
-
-@@ -5540,7 +5540,7 @@ __LJMP static int hlua_msleep(lua_State *L)
- wakeup_ms = tick_add(now_ms, delay);
- lua_pushinteger(L, wakeup_ms);
-
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_sleep_yield, wakeup_ms, 0));
- return 0;
- }
-
-@@ -5555,7 +5555,7 @@ __LJMP static int hlua_yield_yield(lua_State *L, int status, lua_KContext ctx)
-
- __LJMP static int hlua_yield(lua_State *L)
- {
-- WILL_LJMP(hlua_yieldk(L, 0, 0, hlua_yield_yield, TICK_ETERNITY, HLUA_CTRLYIELD));
-+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_yield_yield, TICK_ETERNITY, HLUA_CTRLYIELD));
- return 0;
- }
-
+++ /dev/null
-commit 8019e88dd1ac73a3baa71e9acfbc1b7a3fbc7442
-Author: Willy Tarreau <w@1wt.eu>
-Date: Tue Oct 16 17:37:12 2018 +0200
-
- BUILD: lua: silence some compiler warnings about potential null derefs (#2)
-
- Here we make sure that appctx is always taken from the unchecked value
- since we know it's an appctx, which explains why it's immediately
- dereferenced. A missing test was added to ensure that task_new() does
- not return a NULL.
-
- This may be backported to 1.8.
-
- (cherry picked from commit e09101e8d92b0c0ef8674fbc791e309112ab7f1c)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/hlua.c b/src/hlua.c
-index 64102e8a..ad9238ef 100644
---- a/src/hlua.c
-+++ b/src/hlua.c
-@@ -2361,7 +2361,7 @@ __LJMP static int hlua_socket_connect_yield(struct lua_State *L, int status, lua
- return 2;
- }
-
-- appctx = objt_appctx(s->si[0].end);
-+ appctx = __objt_appctx(s->si[0].end);
-
- /* Check for connection established. */
- if (appctx->ctx.hlua_cosocket.connected) {
-@@ -2473,7 +2473,7 @@ __LJMP static int hlua_socket_connect(struct lua_State *L)
- }
-
- hlua = hlua_gethlua(L);
-- appctx = objt_appctx(s->si[0].end);
-+ appctx = __objt_appctx(s->si[0].end);
-
- /* inform the stream that we want to be notified whenever the
- * connection completes.
-@@ -5693,6 +5693,9 @@ static int hlua_register_task(lua_State *L)
- WILL_LJMP(luaL_error(L, "lua out of memory error."));
-
- task = task_new(MAX_THREADS_MASK);
-+ if (!task)
-+ WILL_LJMP(luaL_error(L, "Lua out of memory error."));
-+
- task->context = hlua;
- task->process = hlua_process_task;
-
+++ /dev/null
-commit 3f39e1d4b5ca37e57247034421c69bc301d996b2
-Author: Willy Tarreau <w@1wt.eu>
-Date: Tue Oct 16 17:57:36 2018 +0200
-
- BUILD: lua: silence some compiler warnings after WILL_LJMP
-
- These ones are on error paths that are properly handled by luaL_error()
- which does a longjmp() but the compiler cannot know it. By adding an
- __unreachable() statement in WILL_LJMP(), there is no ambiguity anymore.
-
- This may be backported to 1.8 but these previous patches are needed first :
- - BUILD: compiler: add a new statement "__unreachable()"
- - MINOR: lua: all functions calling lua_yieldk() may return
- - BUILD: lua: silence some compiler warnings about potential null derefs (#2)
-
- (cherry picked from commit b059b894cdf795f134b6e53ff95ea7f907feb846)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/hlua.c b/src/hlua.c
-index ad9238ef..c3bb269a 100644
---- a/src/hlua.c
-+++ b/src/hlua.c
-@@ -24,6 +24,7 @@
- #include <ebpttree.h>
-
- #include <common/cfgparse.h>
-+#include <common/compiler.h>
- #include <common/xref.h>
- #include <common/hathreads.h>
-
-@@ -63,7 +64,7 @@
- * MAY_LJMP() marks an lua function that may use longjmp.
- */
- #define __LJMP
--#define WILL_LJMP(func) func
-+#define WILL_LJMP(func) do { func; __unreachable(); } while(0)
- #define MAY_LJMP(func) func
-
- /* This couple of function executes securely some Lua calls outside of
+++ /dev/null
-commit b884ba5222a765b395e8ac93971639a0452d6422
-Author: Dirkjan Bussink <d.bussink@gmail.com>
-Date: Fri Sep 14 14:31:22 2018 +0200
-
- CLEANUP: stick-tables: Remove unneeded double (()) around conditional clause
-
- In the past this conditional had multiple conditionals which is why the
- additional parentheses were needed. The conditional was simplified but
- the duplicate parentheses were not cleaned up.
-
- (cherry picked from commit ff57f1bbcf8af1e6389520aa845df5aa97ef55b6)
- [wt: fixes build warnings with clang]
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/stick_table.c b/src/stick_table.c
-index 653a1ffb..f1442603 100644
---- a/src/stick_table.c
-+++ b/src/stick_table.c
-@@ -1860,7 +1860,7 @@ smp_fetch_sc_tracked(const struct arg *args, struct sample *smp, const char *kw,
- smp->data.u.sint = !!stkctr;
-
- /* release the ref count */
-- if ((stkctr == &tmpstkctr))
-+ if (stkctr == &tmpstkctr)
- stktable_release(stkctr->table, stkctr_entry(stkctr));
-
- return 1;
+++ /dev/null
-commit 0820ab24974cd2bad84c8ec5a90f7ce0e1681cf0
-Author: Willy Tarreau <w@1wt.eu>
-Date: Wed Oct 3 09:40:22 2018 +0200
-
- BUILD: Makefile: add a "make opts" target to simply show the build options
-
- We're often missing an easy way to map input variables to output ones.
- The "opts" build target will simply show the input variables and the ones
- passed to the compiler and linker. This way it's easier to quickly see
- what a given build script or package will use, or the detected warnings
- supported by the compiler.
-
- (cherry picked from commit a8b12c6bb73b924f6429c3ae4d20b96992e92c2e)
- [wt: this is not needed but significantly helps for packaging]
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/Makefile b/Makefile
-index 5d170041..d3615060 100644
---- a/Makefile
-+++ b/Makefile
-@@ -996,3 +996,20 @@ update-version:
- echo "$(VERSION)" > VERSION
- echo "$(SUBVERS)" > SUBVERS
- echo "$(VERDATE)" > VERDATE
-+
-+# just display the build options
-+opts:
-+ @echo -n 'Using: '
-+ @echo -n 'TARGET="$(strip $(TARGET))" '
-+ @echo -n 'ARCH="$(strip $(ARCH))" '
-+ @echo -n 'CPU="$(strip $(CPU))" '
-+ @echo -n 'CC="$(strip $(CC))" '
-+ @echo -n 'ARCH_FLAGS="$(strip $(ARCH_FLAGS))" '
-+ @echo -n 'CPU_CFLAGS="$(strip $(CPU_CFLAGS))" '
-+ @echo -n 'DEBUG_CFLAGS="$(strip $(DEBUG_CFLAGS))" '
-+ @echo "$(strip $(BUILD_OPTIONS))"
-+ @echo 'COPTS="$(strip $(COPTS))"'
-+ @echo 'LDFLAGS="$(strip $(LDFLAGS))"'
-+ @echo 'LDOPTS="$(strip $(LDOPTS))"'
-+ @echo 'OPTIONS_OBJS="$(strip $(OPTIONS_OBJS))"'
-+ @echo 'OBJS="$(strip $(OBJS))"'
+++ /dev/null
-commit 5df1480da4c4e58830d108f4f0f3347598c55ab3
-Author: Willy Tarreau <w@1wt.eu>
-Date: Wed Oct 3 09:52:51 2018 +0200
-
- BUILD: Makefile: speed up compiler options detection
-
- Commits b78016649 and d3a7f4035 brought the ability to detect the build
- options and warnings that the compiler supports. However, they're detected
- using "$(CC) -c", which is 50% slower than "$(CC) -E" for the same result,
- just because it starts the assembler at the end. Given that we're starting
- to check for a number of warnings, this detection alone starts to become
- visible, taking a bit more than 300 ms on the build time. Let's switch to
- -E instead to shrink this incompressible time by roughly 100 ms.
-
- (cherry picked from commit f11ca5e7a43c772637018ec2ad981a9fd7d3816f)
- [wt: only backported for context and consistency with next patch]
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/Makefile b/Makefile
-index d3615060..1a971f92 100644
---- a/Makefile
-+++ b/Makefile
-@@ -96,13 +96,13 @@
- # Usage: CFLAGS += $(call cc-opt,option). Eg: $(call cc-opt,-fwrapv)
- # Note: ensure the referencing variable is assigned using ":=" and not "=" to
- # call it only once.
--cc-opt = $(shell set -e; if $(CC) $(1) -c -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; fi;)
-+cc-opt = $(shell set -e; if $(CC) $(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; fi;)
-
- # Disable a warning when supported by the compiler. Don't put spaces around the
- # warning! And don't use cc-opt which doesn't always report an error until
- # another one is also returned.
- # Usage: CFLAGS += $(call cc-nowarn,warning). Eg: $(call cc-opt,format-truncation)
--cc-nowarn = $(shell set -e; if $(CC) -W$(1) -c -xc - -o /dev/null </dev/null >&0 2>&0; then echo "-Wno-$(1)"; fi;)
-+cc-nowarn = $(shell set -e; if $(CC) -W$(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "-Wno-$(1)"; fi;)
-
- #### Installation options.
- DESTDIR =
+++ /dev/null
-commit a7e9853db925b12b1d040be8b04bafc11d84d685
-Author: Willy Tarreau <w@1wt.eu>
-Date: Tue Oct 16 18:11:34 2018 +0200
-
- BUILD: Makefile: silence an option conflict warning with clang
-
- clang complains that -fno-strict-overflow is not used when -fwrapv is
- used, which breaks the build when -Werror is used. Let's introduce a
- cc-opt-alt function to emit the former only then the latter is not
- supported (since it implies the former).
-
- (cherry picked from commit 0d7a2ae4f5199ec37ead6914fa24d40ec0989a4d)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/Makefile b/Makefile
-index 1a971f92..6ffc1b06 100644
---- a/Makefile
-+++ b/Makefile
-@@ -98,6 +98,9 @@
- # call it only once.
- cc-opt = $(shell set -e; if $(CC) $(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; fi;)
-
-+# same but emits $2 if $1 is not supported
-+cc-opt-alt = $(shell set -e; if $(CC) $(1) -E -xc - -o /dev/null </dev/null >&0 2>&0; then echo "$(1)"; else echo "$(2)"; fi;)
-+
- # Disable a warning when supported by the compiler. Don't put spaces around the
- # warning! And don't use cc-opt which doesn't always report an error until
- # another one is also returned.
-@@ -147,8 +150,7 @@ DEBUG_CFLAGS = -g
- # can do whatever it wants since it's an undefined behavior, so use -fwrapv
- # to be sure we get the intended behavior.
- SPEC_CFLAGS := -fno-strict-aliasing -Wdeclaration-after-statement
--SPEC_CFLAGS += $(call cc-opt,-fwrapv)
--SPEC_CFLAGS += $(call cc-opt,-fno-strict-overflow)
-+SPEC_CFLAGS += $(call cc-opt-alt,-fwrapv,$(call cc-opt,-fno-strict-overflow))
- SPEC_CFLAGS += $(call cc-nowarn,format-truncation)
- SPEC_CFLAGS += $(call cc-nowarn,address-of-packed-member)
- SPEC_CFLAGS += $(call cc-nowarn,null-dereference)
+++ /dev/null
-commit 541e3b40b394fb6bde563ff8ce4c882dafca4eb1
-Author: Olivier Houchard <ohouchard@haproxy.com>
-Date: Tue Oct 16 18:35:01 2018 +0200
-
- MINOR: server: Use memcpy() instead of strncpy().
-
- Use memcpy instead of strncpy, strncpy buys us nothing, and gcc is being
- annoying.
-
- (cherry picked from commit 17f8b90736d811ac9a04af198a3aee34e9935cec)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/server.c b/src/server.c
-index 4941bd03..208f21da 100644
---- a/src/server.c
-+++ b/src/server.c
-@@ -3078,7 +3078,7 @@ void apply_server_state(void)
- globalfilepathlen = 0;
- goto globalfileerror;
- }
-- strncpy(globalfilepath, global.server_state_base, len);
-+ memcpy(globalfilepath, global.server_state_base, len);
- globalfilepath[globalfilepathlen] = 0;
-
- /* append a slash if needed */
-@@ -3147,7 +3147,7 @@ void apply_server_state(void)
- localfilepathlen = 0;
- goto localfileerror;
- }
-- strncpy(localfilepath, global.server_state_base, len);
-+ memcpy(localfilepath, global.server_state_base, len);
- localfilepath[localfilepathlen] = 0;
-
- /* append a slash if needed */
+++ /dev/null
-commit 1993e23d59e37ee7befbc64bf1535640a16354bc
-Author: Olivier Houchard <ohouchard@haproxy.com>
-Date: Tue Oct 16 18:39:38 2018 +0200
-
- MINOR: cfgparse: Write 130 as 128 as 0x82 and 0x80.
-
- Write 130 and 128 as 8x82 and 0x80, to avoid warnings about casting from
- int to size. "check_req" should probably be unsigned, but it's hard to do so.
-
- (cherry picked from commit 3332090a2d3e9e84bac67af79fb03be111359429)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index 7414b60d..87a4d803 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -5082,7 +5082,7 @@ stats_error_parsing:
- ((unsigned char) (packetlen >> 16) & 0xff));
-
- curproxy->check_req[3] = 1;
-- curproxy->check_req[5] = 130;
-+ curproxy->check_req[5] = 0x82; // 130
- curproxy->check_req[11] = 1;
- curproxy->check_req[12] = 33;
- memcpy(&curproxy->check_req[36], mysqluser, userlen);
-@@ -5108,7 +5108,7 @@ stats_error_parsing:
- ((unsigned char) (packetlen >> 16) & 0xff));
-
- curproxy->check_req[3] = 1;
-- curproxy->check_req[5] = 128;
-+ curproxy->check_req[5] = 0x80;
- curproxy->check_req[8] = 1;
- memcpy(&curproxy->check_req[9], mysqluser, userlen);
- curproxy->check_req[9 + userlen + 1 + 1] = 1;
+++ /dev/null
-commit 0d31b8e1dae2bd0ad73c90748a03f9cfeed837d8
-Author: Olivier Houchard <ohouchard@haproxy.com>
-Date: Tue Oct 16 18:49:26 2018 +0200
-
- MINOR: peers: use defines instead of enums to appease clang.
-
- Clang (rightfully) warns that we're trying to set chars to values >= 128.
- Use defines with hex values instead of an enum to address this.
-
- (cherry picked from commit 33992267aac00d7e8ae67e0703bf7fffc9cf9b54)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/peers.c b/src/peers.c
-index 0cd56da3..465ffe85 100644
---- a/src/peers.c
-+++ b/src/peers.c
-@@ -122,15 +122,13 @@ enum {
- /* Note: ids >= 128 contains */
- /* id message cotains data */
- /*******************************/
--enum {
-- PEER_MSG_STKT_UPDATE = 128,
-- PEER_MSG_STKT_INCUPDATE,
-- PEER_MSG_STKT_DEFINE,
-- PEER_MSG_STKT_SWITCH,
-- PEER_MSG_STKT_ACK,
-- PEER_MSG_STKT_UPDATE_TIMED,
-- PEER_MSG_STKT_INCUPDATE_TIMED,
--};
-+#define PEER_MSG_STKT_UPDATE 0x80
-+#define PEER_MSG_STKT_INCUPDATE 0x81
-+#define PEER_MSG_STKT_DEFINE 0x82
-+#define PEER_MSG_STKT_SWITCH 0x83
-+#define PEER_MSG_STKT_ACK 0x84
-+#define PEER_MSG_STKT_UPDATE_TIMED 0x85
-+#define PEER_MSG_STKT_INCUPDATE_TIMED 0x86
-
- /**********************************/
- /* Peer Session IO handler states */
+++ /dev/null
-commit c1ef9f5389e5debb132b7e2ab40f178ed413a978
-Author: Lukas Tribus <lukas@ltri.eu>
-Date: Wed Oct 17 01:40:11 2018 +0200
-
- DOC: fix reference to map files in MAINTAINERS
-
- s/maps/map
-
- (cherry picked from commit b75e828b298c958beb10c830a1ccb3df0840c30c)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/MAINTAINERS b/MAINTAINERS
-index 3a9e435a..df7cc336 100644
---- a/MAINTAINERS
-+++ b/MAINTAINERS
-@@ -24,7 +24,7 @@ Files: src/hlua.c, include/*/hlua.h
-
- Maps and pattern matching
- Maintainer: Thierry Fournier <tfournier@arpalert.org>
--Files: src/maps.c, src/pattern.c, include/*/maps.h, include/*/pattern.h
-+Files: src/map.c, src/pattern.c, include/*/map.h, include/*/pattern.h
-
- DNS
- Maintainer: Baptiste Assmann <bedis9@gmail.com>
+++ /dev/null
-commit 9011ff6c9fb5128dd50b4210e05199ea6337b82b
-Author: Willy Tarreau <w@1wt.eu>
-Date: Sat Oct 20 17:45:48 2018 +0200
-
- BUILD: compiler: rename __unreachable() to my_unreachable()
-
- Olivier reported that on FreeBSD __unreachable is already defined
- and causes build warnings. Let's rename it then.
-
- (cherry picked from commit 4e7cc3381b27e3971b02b73a113ecc13916e1f20)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/include/common/compiler.h b/include/common/compiler.h
-index 6f4f5a67..60549307 100644
---- a/include/common/compiler.h
-+++ b/include/common/compiler.h
-@@ -89,9 +89,9 @@
- * below was introduced in gcc 4.5, and before it we didn't care.
- */
- #if __GNUC__ >= 5 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
--#define __unreachable() __builtin_unreachable()
-+#define my_unreachable() __builtin_unreachable()
- #else
--#define __unreachable()
-+#define my_unreachable()
- #endif
-
- /*
-diff --git a/src/hlua.c b/src/hlua.c
-index c3bb269a..085544dc 100644
---- a/src/hlua.c
-+++ b/src/hlua.c
-@@ -64,7 +64,7 @@
- * MAY_LJMP() marks an lua function that may use longjmp.
- */
- #define __LJMP
--#define WILL_LJMP(func) do { func; __unreachable(); } while(0)
-+#define WILL_LJMP(func) do { func; my_unreachable(); } while(0)
- #define MAY_LJMP(func) func
-
- /* This couple of function executes securely some Lua calls outside of
+++ /dev/null
-commit 7e751a3c24a7021075fb298025c4a1ce98a5b049
-Author: Olivier Houchard <cognet@ci0.org>
-Date: Sun Oct 21 01:33:11 2018 +0200
-
- BUG/MEDIUM: pools: Fix the usage of mmap()) with DEBUG_UAF.
-
- When mapping memory with mmap(), we should use a fd of -1, not 0. 0 may
- work on linux, but it doesn't work on FreeBSD, and probably other OSes.
-
- It would be nice to backport this to 1.8 to help debugging there.
-
- (cherry picked from commit 62975a7740cba4bdaf1c096dd246feba854d2410)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/include/common/memory.h b/include/common/memory.h
-index a2237da5..da0641de 100644
---- a/include/common/memory.h
-+++ b/include/common/memory.h
-@@ -186,12 +186,13 @@ static inline void pool_free_area(void *area, size_t __maybe_unused size)
- * some padding is added, the area's start address is copied at the end of the
- * padding to help detect underflows.
- */
-+#include <errno.h>
- static inline void *pool_alloc_area(size_t size)
- {
- size_t pad = (4096 - size) & 0xFF0;
- void *ret;
-
-- ret = mmap(NULL, (size + 4095) & -4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
-+ ret = mmap(NULL, (size + 4095) & -4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
- if (ret == MAP_FAILED)
- return NULL;
- if (pad >= sizeof(void *))
+++ /dev/null
-commit 105abe2f7a2e518afda9eb3bda5cceb60f6fd1b2
-Author: Olivier Houchard <cognet@ci0.org>
-Date: Sun Oct 21 03:01:20 2018 +0200
-
- BUG/MEDIUM: h2: Close connection if no stream is left an GOAWAY was sent.
-
- When we're closing a stream, is there's no stream left and a goaway was sent,
- close the connection, there's no reason to keep it open.
-
- [wt: it's likely that this is needed in 1.8 as well, though it's unclear
- how to trigger this issue, some tests are needed]
-
- (cherry picked from commit 52b946686c28891a4359e9361676dc62af4fffad)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/mux_h2.c b/src/mux_h2.c
-index b1b039fe..6881302b 100644
---- a/src/mux_h2.c
-+++ b/src/mux_h2.c
-@@ -2540,7 +2540,7 @@ static void h2_detach(struct conn_stream *cs)
- if (eb_is_empty(&h2c->streams_by_id) && /* don't close if streams exist */
- ((h2c->conn->flags & CO_FL_ERROR) || /* errors close immediately */
- (h2c->st0 >= H2_CS_ERROR && !h2c->task) || /* a timeout stroke earlier */
-- (h2c->flags & H2_CF_GOAWAY_FAILED) ||
-+ (h2c->flags & (H2_CF_GOAWAY_FAILED | H2_CF_GOAWAY_SENT)) ||
- (!h2c->mbuf->o && /* mux buffer empty, also process clean events below */
- (conn_xprt_read0_pending(h2c->conn) ||
- (h2c->last_sid >= 0 && h2c->max_id >= h2c->last_sid))))) {
+++ /dev/null
-commit e1b3aa5613a5edbb52a44d69b3e6007d9d631981
-Author: Willy Tarreau <w@1wt.eu>
-Date: Mon Oct 22 06:22:46 2018 +0200
-
- BUILD: Makefile: add the new ERR variable to force -Werror
-
- Instead of having to fiddle with the CFLAGS, let's have ERR=1 to enable
- -Werror.
-
- (cherry picked from commit 23cd43e2d6fa2b6892a786a1a720c5f24e657f10)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/Makefile b/Makefile
-index 6ffc1b06..94e04738 100644
---- a/Makefile
-+++ b/Makefile
-@@ -57,6 +57,7 @@
- # DEP may be cleared to ignore changes to include files during development
- # SMALL_OPTS may be used to specify some options to shrink memory usage.
- # DEBUG may be used to set some internal debugging options.
-+# ERR may be set to non-empty to pass -Werror to the compiler
- # ADDINC may be used to complete the include path in the form -Ipath.
- # ADDLIB may be used to complete the library list in the form -Lpath -llib.
- # DEFINE may be used to specify any additional define, which will be reported
-@@ -143,6 +144,9 @@ LD = $(CC)
- # Those flags only feed CFLAGS so it is not mandatory to use this form.
- DEBUG_CFLAGS = -g
-
-+#### Add -Werror when set to non-empty
-+ERR =
-+
- #### Compiler-specific flags that may be used to disable some negative over-
- # optimization or to silence some warnings. -fno-strict-aliasing is needed with
- # gcc >= 4.4.
-@@ -807,6 +811,11 @@ EBTREE_DIR := ebtree
- #### Global compile options
- VERBOSE_CFLAGS = $(CFLAGS) $(TARGET_CFLAGS) $(SMALL_OPTS) $(DEFINE)
- COPTS = -Iinclude -I$(EBTREE_DIR) -Wall
-+
-+ifneq ($(ERR),)
-+COPTS += -Werror
-+endif
-+
- COPTS += $(CFLAGS) $(TARGET_CFLAGS) $(SMALL_OPTS) $(DEFINE) $(SILENT_DEFINE)
- COPTS += $(DEBUG) $(OPTIONS_CFLAGS) $(ADDINC)
-
+++ /dev/null
-commit bf7b382e528ab62a9f695b07e659d2f77545e93d
-Author: Frédéric Lécaille <flecaille@haproxy.com>
-Date: Thu Oct 25 20:17:45 2018 +0200
-
- BUG/MINOR: cache: Crashes with "total-max-size" > 2047(MB).
-
- With this patch we support cache size larger than 2047 (MB) and prevent haproxy from crashing when "total-max-size" is parsed as negative values by atoi().
-
- The limit at parsing time is 4095 MB (UINT_MAX >> 20).
-
- May be backported to 1.8.
-
- (cherry picked from commit b9b8b6b6beb84b6b942d24eda56bfbe3812cc294)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/cache.c b/src/cache.c
-index 39e0bad4..df3649ea 100644
---- a/src/cache.c
-+++ b/src/cache.c
-@@ -770,17 +770,32 @@ int cfg_parse_cache(const char *file, int linenum, char **args, int kwm)
- tmp_cache_config->maxblocks = 0;
- }
- } else if (strcmp(args[0], "total-max-size") == 0) {
-- int maxsize;
-+ unsigned long int maxsize;
-+ char *err;
-
- if (alertif_too_many_args(1, file, linenum, args, &err_code)) {
- err_code |= ERR_ABORT;
- goto out;
- }
-
-+ maxsize = strtoul(args[1], &err, 10);
-+ if (err == args[1] || *err != '\0') {
-+ ha_warning("parsing [%s:%d]: total-max-size wrong value '%s'\n",
-+ file, linenum, args[1]);
-+ err_code |= ERR_ABORT;
-+ goto out;
-+ }
-+
-+ if (maxsize > (UINT_MAX >> 20)) {
-+ ha_warning("parsing [%s:%d]: \"total-max-size\" (%s) must not be greater than %u\n",
-+ file, linenum, args[1], UINT_MAX >> 20);
-+ err_code |= ERR_ABORT;
-+ goto out;
-+ }
-+
- /* size in megabytes */
-- maxsize = atoi(args[1]) * 1024 * 1024 / CACHE_BLOCKSIZE;
-+ maxsize *= 1024 * 1024 / CACHE_BLOCKSIZE;
- tmp_cache_config->maxblocks = maxsize;
--
- } else if (strcmp(args[0], "max-age") == 0) {
- if (alertif_too_many_args(1, file, linenum, args, &err_code)) {
- err_code |= ERR_ABORT;
+++ /dev/null
-commit 68c23dedaaae8f29d26c4791b30d138ed1411548
-Author: Frédéric Lécaille <flecaille@haproxy.com>
-Date: Thu Oct 25 20:18:59 2018 +0200
-
- BUG/MINOR: cache: Wrong usage of shctx_init().
-
- With this patch we check that shctx_init() does not returns 0.
- This is possible if the maxblocks argument, which is passed as an
- int, is negative due to an implicit conversion.
-
- Must be backported to 1.8.
-
- (cherry picked from commit bc584494e625983f16f35982aa6dd6889e8dd222)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/cache.c b/src/cache.c
-index df3649ea..667cede3 100644
---- a/src/cache.c
-+++ b/src/cache.c
-@@ -837,7 +837,7 @@ int cfg_post_parse_section_cache()
-
- ret_shctx = shctx_init(&shctx, tmp_cache_config->maxblocks, CACHE_BLOCKSIZE, sizeof(struct cache), 1);
-
-- if (ret_shctx < 0) {
-+ if (ret_shctx <= 0) {
- if (ret_shctx == SHCTX_E_INIT_LOCK)
- ha_alert("Unable to initialize the lock for the cache.\n");
- else
+++ /dev/null
-commit 49f82640bf3c9a9c808568344bfa94d279c95b7e
-Author: Frédéric Lécaille <flecaille@haproxy.com>
-Date: Thu Oct 25 20:22:46 2018 +0200
-
- BUG/MINOR: ssl: Wrong usage of shctx_init().
-
- With this patch we check that shctx_init() does not return 0.
-
- Must be backported to 1.8.
-
- (cherry picked from commit 4c8aa117f9bda3b5253f03ad5a7135a9165060f5)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index cfbc38b7..19e41743 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -4768,7 +4768,7 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
- sizeof(struct sh_ssl_sess_hdr) + SHSESS_BLOCK_MIN_SIZE,
- sizeof(*sh_ssl_sess_tree),
- ((global.nbthread > 1) || (!global_ssl.private_cache && (global.nbproc > 1))) ? 1 : 0);
-- if (alloc_ctx < 0) {
-+ if (alloc_ctx <= 0) {
- if (alloc_ctx == SHCTX_E_INIT_LOCK)
- ha_alert("Unable to initialize the lock for the shared SSL session cache. You can retry using the global statement 'tune.ssl.force-private-cache' but it could increase CPU usage due to renegotiations if nbproc > 1.\n");
- else
+++ /dev/null
-commit 9c416cf3cc449fd46880d5a7c3fdd1bb98447b68
-Author: Frédéric Lécaille <flecaille@haproxy.com>
-Date: Thu Oct 25 10:46:40 2018 +0200
-
- DOC: cache: Missing information about "total-max-size"
-
- (cherry picked from commit e3c83d80e3aadb7b2641b861725c9d1dd7dc6713)
- [wt: this only retrieves from the original patch the part related to
- the max configurable size for total-max-size]
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index 7a268386..09980248 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -17132,7 +17132,7 @@ cache <name>
-
- total-max-size <megabytes>
- Define the size in RAM of the cache in megabytes. This size is split in
-- blocks of 1kB which are used by the cache entries.
-+ blocks of 1kB which are used by the cache entries. Its maximum value is 4095.
-
- max-age <seconds>
- Define the maximum expiration duration. The expiration is set has the lowest
+++ /dev/null
-commit 7b728d616e417f0a8cd25375f70b8a332ad23a71
-Author: Lukas Tribus <lukas@ltri.eu>
-Date: Sat Oct 27 20:06:59 2018 +0200
-
- BUG/MINOR: only mark connections private if NTLM is detected
-
- Instead of marking all connections that see a 401/407 response private
- (for connection reuse), this patch detects a RFC4559/NTLM authentication
- scheme and restricts the private setting to those connections.
-
- This is so we can reuse connections with 401/407 responses with
- deterministic load balancing algorithms later (which requires another fix).
-
- This fixes the problem reported here by Elliot Barlas :
-
- https://discourse.haproxy.org/t/unable-to-configure-load-balancing-per-request-over-persistent-connection/3144
-
- Should be backported to 1.8.
-
- (cherry picked from commit fd9b68c48ecdba5e7971899f4eec315c8e3a3cfe)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index 09980248..43b1b822 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -4798,10 +4798,8 @@ http-reuse { never | safe | aggressive | always }
- - connections sent to a server with a TLS SNI extension are marked private
- and are never shared;
-
-- - connections receiving a status code 401 or 407 expect some authentication
-- to be sent in return. Due to certain bogus authentication schemes (such
-- as NTLM) relying on the connection, these connections are marked private
-- and are never shared;
-+ - connections with certain bogus authentication schemes (relying on the
-+ connection) like NTLM are detected, marked private and are never shared;
-
- No connection pool is involved, once a session dies, the last idle connection
- it was attached to is deleted at the same time. This ensures that connections
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 8f86422d..cde2dbf7 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -4388,8 +4388,6 @@ void http_end_txn_clean_session(struct stream *s)
- * it's better to do it (at least it helps with debugging).
- */
- s->txn->flags |= TX_PREFER_LAST;
-- if (srv_conn)
-- srv_conn->flags |= CO_FL_PRIVATE;
- }
-
- /* Never ever allow to reuse a connection from a non-reuse backend */
-@@ -5053,10 +5051,13 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
- struct http_txn *txn = s->txn;
- struct http_msg *msg = &txn->rsp;
- struct hdr_ctx ctx;
-+ struct connection *srv_conn;
- int use_close_only;
- int cur_idx;
- int n;
-
-+ srv_conn = cs_conn(objt_cs(s->si[1].end));
-+
- DPRINTF(stderr,"[%u] %s: stream=%p b=%p, exp(r,w)=%u,%u bf=%08x bh=%d analysers=%02x\n",
- now_ms, __FUNCTION__,
- s,
-@@ -5588,6 +5589,27 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
- msg->body_len = msg->chunk_len = cl;
- }
-
-+ /* check for NTML authentication headers in 401 (WWW-Authenticate) and
-+ * 407 (Proxy-Authenticate) responses and set the connection to private
-+ */
-+ if (srv_conn && txn->status == 401) {
-+ /* check for Negotiate/NTLM WWW-Authenticate headers */
-+ ctx.idx = 0;
-+ while (http_find_header2("WWW-Authenticate", 16, rep->buf->p, &txn->hdr_idx, &ctx)) {
-+ if ((ctx.vlen >= 9 && word_match(ctx.line + ctx.val, ctx.vlen, "Negotiate", 9)) ||
-+ (ctx.vlen >= 4 && word_match(ctx.line + ctx.val, ctx.vlen, "NTLM", 4)))
-+ srv_conn->flags |= CO_FL_PRIVATE;
-+ }
-+ } else if (srv_conn && txn->status == 407) {
-+ /* check for Negotiate/NTLM Proxy-Authenticate headers */
-+ ctx.idx = 0;
-+ while (http_find_header2("Proxy-Authenticate", 18, rep->buf->p, &txn->hdr_idx, &ctx)) {
-+ if ((ctx.vlen >= 9 && word_match(ctx.line + ctx.val, ctx.vlen, "Negotiate", 9)) ||
-+ (ctx.vlen >= 4 && word_match(ctx.line + ctx.val, ctx.vlen, "NTLM", 4)))
-+ srv_conn->flags |= CO_FL_PRIVATE;
-+ }
-+ }
-+
- skip_content_length:
- /* Now we have to check if we need to modify the Connection header.
- * This is more difficult on the response than it is on the request,
+++ /dev/null
-commit a100980f50f92e588c2b60f20571e84bf749f3e3
-Author: Lukas Tribus <lukas@ltri.eu>
-Date: Sat Oct 27 20:07:40 2018 +0200
-
- BUG/MINOR: only auto-prefer last server if lb-alg is non-deterministic
-
- While "option prefer-last-server" only applies to non-deterministic load
- balancing algorithms, 401/407 responses actually caused haproxy to prefer
- the last server unconditionally.
-
- As this breaks deterministic load balancing algorithms like uri, this
- patch applies the same condition here.
-
- Should be backported to 1.8 (together with "BUG/MINOR: only mark
- connections private if NTLM is detected").
-
- (cherry picked from commit 80512b186fd7f4ef3bc7d9c92b281c549d72aa8a)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index 43b1b822..f0558d5e 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -2498,6 +2498,11 @@ balance url_param <param> [check_post]
- algorithm, mode nor option have been set. The algorithm may only be set once
- for each backend.
-
-+ With authentication schemes that require the same connection like NTLM, URI
-+ based alghoritms must not be used, as they would cause subsequent requests
-+ to be routed to different backend servers, breaking the invalid assumptions
-+ NTLM relies on.
-+
- Examples :
- balance roundrobin
- balance url_param userid
-@@ -6486,8 +6491,9 @@ no option prefer-last-server
- close of the connection. This can make sense for static file servers. It does
- not make much sense to use this in combination with hashing algorithms. Note,
- haproxy already automatically tries to stick to a server which sends a 401 or
-- to a proxy which sends a 407 (authentication required). This is mandatory for
-- use with the broken NTLM authentication challenge, and significantly helps in
-+ to a proxy which sends a 407 (authentication required), when the load
-+ balancing algorithm is not deterministic. This is mandatory for use with the
-+ broken NTLM authentication challenge, and significantly helps in
- troubleshooting some faulty applications. Option prefer-last-server might be
- desirable in these environments as well, to avoid redistributing the traffic
- after every other response.
-diff --git a/src/backend.c b/src/backend.c
-index fc1eac0d..b3fd6c67 100644
---- a/src/backend.c
-+++ b/src/backend.c
-@@ -572,9 +572,9 @@ int assign_server(struct stream *s)
- if (conn &&
- (conn->flags & CO_FL_CONNECTED) &&
- objt_server(conn->target) && __objt_server(conn->target)->proxy == s->be &&
-+ (s->be->lbprm.algo & BE_LB_KIND) != BE_LB_KIND_HI &&
- ((s->txn && s->txn->flags & TX_PREFER_LAST) ||
- ((s->be->options & PR_O_PREF_LAST) &&
-- (s->be->lbprm.algo & BE_LB_KIND) != BE_LB_KIND_HI &&
- (!s->be->max_ka_queue ||
- server_has_room(__objt_server(conn->target)) ||
- (__objt_server(conn->target)->nbpend + 1) < s->be->max_ka_queue))) &&
-diff --git a/src/proto_http.c b/src/proto_http.c
-index cde2dbf7..a48c4fdb 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -4385,7 +4385,8 @@ void http_end_txn_clean_session(struct stream *s)
- * server over the same connection. This is required by some
- * broken protocols such as NTLM, and anyway whenever there is
- * an opportunity for sending the challenge to the proper place,
-- * it's better to do it (at least it helps with debugging).
-+ * it's better to do it (at least it helps with debugging), at
-+ * least for non-deterministic load balancing algorithms.
- */
- s->txn->flags |= TX_PREFER_LAST;
- }
+++ /dev/null
-commit 69d4ddf919fc4bc6d296a743baeccdd44fb89be6
-Author: Willy Tarreau <w@1wt.eu>
-Date: Sun Oct 28 20:13:12 2018 +0100
-
- BUG/MAJOR: http: http_txn_get_path() may deference an inexisting buffer
-
- When the "path" sample fetch function is called without any path, the
- function doesn't check that the request buffer is allocated. While this
- doesn't happen with the request during processing, it can definitely
- happen when mistakenly trying to reference a path from the response
- since the request channel is not allocated anymore.
-
- It's certain that this bug was emphasized by the buffer changes that
- went in 1.9 and the HTTP refactoring, but at first glance, 1.8 doesn't
- seem 100% safe either so it's possible that older version are affected
- as well.
-
- Thanks to PiBa-NL for reporting this bug with a reproducer.
-
- (cherry picked from commit 9d9ccdbf8b1178fefa2843c83bc6612733f9eca6)
- [wt: minor adaptation to older buffer API. There are some call places
- which don't look structurally safe though in their context the
- buffer always ought to be there]
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index a48c4fdb..fb18357b 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -985,6 +985,9 @@ char *http_get_path(struct http_txn *txn)
- {
- char *ptr, *end;
-
-+ if (!txn->req.chn->buf->size)
-+ return NULL;
-+
- ptr = txn->req.chn->buf->p + txn->req.sl.rq.u;
- end = ptr + txn->req.sl.rq.u_l;
-
+++ /dev/null
-commit a873c161d251abd025008034c0ddef8cd7f39511
-Author: Willy Tarreau <w@1wt.eu>
-Date: Mon Oct 29 18:02:54 2018 +0100
-
- BUG/MEDIUM: auth/threads: use of crypt() is not thread-safe
-
- It was reported here that authentication may fail when threads are
- enabled :
-
- https://bugzilla.redhat.com/show_bug.cgi?id=1643941
-
- While I couldn't reproduce the issue, it's obvious that there is a
- problem with the use of the non-reentrant crypt() function there.
- On Linux systems there's crypt_r() but not on the vast majority of
- other ones. Thus a first approach consists in placing a lock around
- this crypt() call. Another patch may relax it when crypt_r() is
- available.
-
- This fix must be backported to 1.8. Thanks to Ryan O'Hara for the
- quick notification.
-
- (cherry picked from commit 34d4b525a129baa6f52a930ae629ddb1ba4255c2)
- Signed-off-by: Willy Tarreau <w@1wt.eu>
-
-diff --git a/include/common/hathreads.h b/include/common/hathreads.h
-index 44bd66d1..24fb1d1a 100644
---- a/include/common/hathreads.h
-+++ b/include/common/hathreads.h
-@@ -373,6 +373,7 @@ enum lock_label {
- START_LOCK,
- TLSKEYS_REF_LOCK,
- PENDCONN_LOCK,
-+ AUTH_LOCK,
- LOCK_LABELS
- };
- struct lock_stat {
-@@ -495,6 +496,7 @@ static inline const char *lock_label(enum lock_label label)
- case START_LOCK: return "START";
- case TLSKEYS_REF_LOCK: return "TLSKEYS_REF";
- case PENDCONN_LOCK: return "PENDCONN";
-+ case AUTH_LOCK: return "AUTH";
- case LOCK_LABELS: break; /* keep compiler happy */
- };
- /* only way to come here is consecutive to an internal bug */
-diff --git a/src/auth.c b/src/auth.c
-index a2c689f7..e0fb1352 100644
---- a/src/auth.c
-+++ b/src/auth.c
-@@ -28,6 +28,7 @@
- #include <types/global.h>
- #include <common/config.h>
- #include <common/errors.h>
-+#include <common/hathreads.h>
-
- #include <proto/acl.h>
- #include <proto/log.h>
-@@ -37,6 +38,10 @@
-
- struct userlist *userlist = NULL; /* list of all existing userlists */
-
-+#ifdef CONFIG_HAP_CRYPT
-+__decl_hathreads(static HA_SPINLOCK_T auth_lock);
-+#endif
-+
- /* find targets for selected gropus. The function returns pointer to
- * the userlist struct ot NULL if name is NULL/empty or unresolvable.
- */
-@@ -245,7 +250,9 @@ check_user(struct userlist *ul, const char *user, const char *pass)
-
- if (!(u->flags & AU_O_INSECURE)) {
- #ifdef CONFIG_HAP_CRYPT
-+ HA_SPIN_LOCK(AUTH_LOCK, &auth_lock);
- ep = crypt(pass, u->pass);
-+ HA_SPIN_UNLOCK(AUTH_LOCK, &auth_lock);
- #else
- return 0;
- #endif
+++ /dev/null
-commit c990c7fe448248c4e2a34b84b593cc1b3536b328
-Author: Willy Tarreau <w@1wt.eu>
-Date: Sun Nov 11 10:36:25 2018 +0100
-
- BUG/MINOR: config: better detect the presence of the h2 pattern in npn/alpn
-
- In 1.8, commit 45a66cc ("MEDIUM: config: ensure that tune.bufsize is at
- least 16384 when using HTTP/2") tried to avoid an annoying issue making
- H2 fail when haproxy is built with default buffer sizes smaller than 16kB,
- which used to be the case for a very long time. Sadly, the test only sees
- when NPN/ALPN exactly match "h2" and not when it's combined like
- "h2,http/1.1" nor "http/1.1,h2". We can safely use strstr() there because
- the string is prefixed by the token's length (0x02) which is unambiguous
- as it cannot be part of any other token.
-
- This fix should be backported to 1.8 as a safety guard against bad
- configurations.
-
- (cherry picked from commit 4db49c0704898e51892a176505299de3e022c5ea)
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index 87a4d803..618ffd39 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -7629,7 +7629,7 @@ int check_config_validity()
- if (curproxy->mode == PR_MODE_HTTP && global.tune.bufsize < 16384) {
- #ifdef OPENSSL_NPN_NEGOTIATED
- /* check NPN */
-- if (bind_conf->ssl_conf.npn_str && strcmp(bind_conf->ssl_conf.npn_str, "\002h2") == 0) {
-+ if (bind_conf->ssl_conf.npn_str && strstr(bind_conf->ssl_conf.npn_str, "\002h2")) {
- ha_alert("config : HTTP frontend '%s' enables HTTP/2 via NPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n",
- curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize);
- cfgerr++;
-@@ -7637,7 +7637,7 @@ int check_config_validity()
- #endif
- #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
- /* check ALPN */
-- if (bind_conf->ssl_conf.alpn_str && strcmp(bind_conf->ssl_conf.alpn_str, "\002h2") == 0) {
-+ if (bind_conf->ssl_conf.alpn_str && strstr(bind_conf->ssl_conf.alpn_str, "\002h2")) {
- ha_alert("config : HTTP frontend '%s' enables HTTP/2 via ALPN at [%s:%d], so global.tune.bufsize must be at least 16384 bytes (%d now).\n",
- curproxy->id, bind_conf->file, bind_conf->line, global.tune.bufsize);
- cfgerr++;
+++ /dev/null
-commit 5b259db1160fa12820cc5ba6399e4dbcefa6ab22
-Author: Olivier Houchard <ohouchard@haproxy.com>
-Date: Wed Nov 14 17:54:36 2018 +0100
-
- BUG/MEDIUM: Make sure stksess is properly aligned.
-
- When we allocate struct stksess, we also allocate memory to store the
- associated data before the struct itself.
- As the data can be of different types, they can have different size. However,
- we need the struct stksess to be properly aligned, as it can do 64bits
- load/store (including atomic load/stores) on 64bits platforms, and some of
- them doesn't support unaligned access.
- So, when allocating the struct stksess, round the size up to the next
- multiple of sizeof(void *), and make sure the struct stksess itself is
- properly aligned.
- Many thanks to Paul Martin for investigating and reporting that bug.
-
- This should be backported to earlier releases.
-
- (cherry picked from commit 52dabbc4fad338233c7f0c96f977a43f8f81452a)
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/src/stick_table.c b/src/stick_table.c
-index f1442603..0a238378 100644
---- a/src/stick_table.c
-+++ b/src/stick_table.c
-@@ -44,6 +44,7 @@
- /* structure used to return a table key built from a sample */
- static THREAD_LOCAL struct stktable_key static_table_key;
-
-+#define round_ptr_size(i) (((i) + (sizeof(void *) - 1)) &~ (sizeof(void *) - 1))
- /*
- * Free an allocated sticky session <ts>, and decrease sticky sessions counter
- * in table <t>.
-@@ -51,7 +52,7 @@ static THREAD_LOCAL struct stktable_key static_table_key;
- void __stksess_free(struct stktable *t, struct stksess *ts)
- {
- t->current--;
-- pool_free(t->pool, (void *)ts - t->data_size);
-+ pool_free(t->pool, (void *)ts - round_ptr_size(t->data_size));
- }
-
- /*
-@@ -229,7 +230,7 @@ struct stksess *__stksess_new(struct stktable *t, struct stktable_key *key)
- ts = pool_alloc(t->pool);
- if (ts) {
- t->current++;
-- ts = (void *)ts + t->data_size;
-+ ts = (void *)ts + round_ptr_size(t->data_size);
- __stksess_init(t, ts);
- if (key)
- stksess_setkey(t, ts, key);
-@@ -597,7 +598,7 @@ int stktable_init(struct stktable *t)
- t->updates = EB_ROOT_UNIQUE;
- HA_SPIN_INIT(&t->lock);
-
-- t->pool = create_pool("sticktables", sizeof(struct stksess) + t->data_size + t->key_size, MEM_F_SHARED);
-+ t->pool = create_pool("sticktables", sizeof(struct stksess) + round_ptr_size(t->data_size) + t->key_size, MEM_F_SHARED);
-
- t->exp_next = TICK_ETERNITY;
- if ( t->expire ) {
+++ /dev/null
-commit 54824cf35520b11ff97e0937beeb429dcdc55fd0
-Author: Christopher Faulet <cfaulet@haproxy.com>
-Date: Mon Nov 12 11:57:31 2018 +0100
-
- BUG/MINOR: config: Copy default error messages when parsing of a backend starts
-
- To be used, error messages declared in a default section must be copied when the
- parsing of a proxy section starts. But this was only done for frontends.
-
- This patch may be backported to older versions.
-
- (cherry picked from commit 6b44975fbd2f7d81074e20bc07fc0e01466cc9c9)
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index 618ffd39..6bc6b259 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -2787,15 +2787,15 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
- curproxy->server_id_hdr_name = strdup(defproxy.server_id_hdr_name);
- }
-
-+ /* initialize error relocations */
-+ for (rc = 0; rc < HTTP_ERR_SIZE; rc++)
-+ chunk_dup(&curproxy->errmsg[rc], &defproxy.errmsg[rc]);
-+
- if (curproxy->cap & PR_CAP_FE) {
- curproxy->maxconn = defproxy.maxconn;
- curproxy->backlog = defproxy.backlog;
- curproxy->fe_sps_lim = defproxy.fe_sps_lim;
-
-- /* initialize error relocations */
-- for (rc = 0; rc < HTTP_ERR_SIZE; rc++)
-- chunk_dup(&curproxy->errmsg[rc], &defproxy.errmsg[rc]);
--
- curproxy->to_log = defproxy.to_log & ~LW_COOKIE & ~LW_REQHDR & ~ LW_RSPHDR;
- }
-
+++ /dev/null
-commit 64a7cbf4ea3276b72ffb121acab676542cebde1b
-Author: Willy Tarreau <w@1wt.eu>
-Date: Tue Nov 20 04:47:38 2018 +0100
-
- BUG/MEDIUM: hpack: fix encoding of "accept-ranges" field
-
- James Brown reported that when an "accept-ranges" header field is sent
- through haproxy and converted from HTTP/1.1 to H2, it's mis-encoded as
- "accept-language". It happens that it's one of the few very common header
- fields encoded using its index value and that this index value was misread
- in the spec as 17 instead of 18, resulting in the wrong name being sent.
- Thanks to Lukas for spotting the issue in the HPACK encoder itself.
-
- This fix must be backported to 1.8.
-
- (cherry picked from commit 4bf194cbdbcda8ec4ce83d7f12d2fe9b08483c94)
- [wla: buffer API edit]
- Signed-off-by: William Lallemand <wlallemand@haproxy.org>
-
-diff --git a/src/hpack-enc.c b/src/hpack-enc.c
-index d1f68c58..99c73103 100644
---- a/src/hpack-enc.c
-+++ b/src/hpack-enc.c
-@@ -101,7 +101,7 @@ int hpack_encode_header(struct chunk *out, const struct ist n, const struct ist
- else if (isteq(n, ist("last-modified")))
- out->str[len++] = 0x6c; // literal with indexing -- name="last-modified" (idx 44)
- else if (isteq(n, ist("accept-ranges")))
-- out->str[len++] = 0x51; // literal with indexing -- name="accept-ranges" (idx 17)
-+ out->str[len++] = 0x52; // literal with indexing -- name="accept-ranges" (idx 18)
- else if (isteq(n, ist("cache-control")))
- out->str[len++] = 0x58; // literal with indexing -- name="cache-control" (idx 24)
- else if (isteq(n, ist("content-length")))
+++ /dev/null
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index cfbc38b..025a144 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -39,6 +39,7 @@
- #include <netdb.h>
- #include <netinet/tcp.h>
-
-+#include <openssl/bn.h>
- #include <openssl/crypto.h>
- #include <openssl/ssl.h>
- #include <openssl/x509.h>
-@@ -229,6 +230,7 @@ unsigned long ssl_id_function(void)
-
- void ssl_locking_function(int mode, int n, const char * file, int line)
- {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (mode & CRYPTO_LOCK) {
- if (mode & CRYPTO_READ)
- HA_RWLOCK_RDLOCK(SSL_LOCK, &ssl_rwlocks[n]);
-@@ -241,10 +243,12 @@ void ssl_locking_function(int mode, int n, const char * file, int line)
- else
- HA_RWLOCK_WRUNLOCK(SSL_LOCK, &ssl_rwlocks[n]);
- }
-+#endif
- }
-
- static int ssl_locking_init(void)
- {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- int i;
-
- ssl_rwlocks = malloc(sizeof(HA_RWLOCK_T)*CRYPTO_num_locks());
-@@ -256,7 +260,7 @@ static int ssl_locking_init(void)
-
- CRYPTO_set_id_callback(ssl_id_function);
- CRYPTO_set_locking_callback(ssl_locking_function);
--
-+#endif
- return 0;
- }
-
-@@ -1702,8 +1706,13 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
- ASN1_INTEGER_set(X509_get_serialNumber(newcrt), HA_ATOMIC_ADD(&ssl_ctx_serial, 1));
-
- /* Set duration for the certificate */
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (!X509_gmtime_adj(X509_get_notBefore(newcrt), (long)-60*60*24) ||
- !X509_gmtime_adj(X509_get_notAfter(newcrt),(long)60*60*24*365))
-+#else
-+ if (!X509_gmtime_adj(X509_getm_notBefore(newcrt), (long)-60*60*24) ||
-+ !X509_gmtime_adj(X509_getm_notAfter(newcrt),(long)60*60*24*365))
-+#endif
- goto mkcert_error;
-
- /* set public key in the certificate */
-@@ -6276,7 +6285,11 @@ smp_fetch_ssl_x_notafter(const struct arg *args, struct sample *smp, const char
- goto out;
-
- smp_trash = get_trash_chunk();
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (ssl_sock_get_time(X509_get_notAfter(crt), smp_trash) <= 0)
-+#else
-+ if (ssl_sock_get_time(X509_getm_notAfter(crt), smp_trash) <= 0)
-+#endif
- goto out;
-
- smp->data.u.str = *smp_trash;
-@@ -6376,7 +6389,11 @@ smp_fetch_ssl_x_notbefore(const struct arg *args, struct sample *smp, const char
- goto out;
-
- smp_trash = get_trash_chunk();
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (ssl_sock_get_time(X509_get_notBefore(crt), smp_trash) <= 0)
-+#else
-+ if (ssl_sock_get_time(X509_getm_notBefore(crt), smp_trash) <= 0)
-+#endif
- goto out;
-
- smp->data.u.str = *smp_trash;
-@@ -8926,7 +8943,11 @@ static void __ssl_sock_init(void)
- #endif
-
- xprt_register(XPRT_SSL, &ssl_sock);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- SSL_library_init();
-+#else
-+ OPENSSL_init_ssl(0, NULL);
-+#endif
- cm = SSL_COMP_get_compression_methods();
- sk_SSL_COMP_zero(cm);
- #ifdef USE_THREAD
-@@ -8958,8 +8979,13 @@ static void __ssl_sock_init(void)
- #else /* OPENSSL_IS_BORINGSSL */
- OPENSSL_VERSION_TEXT
- "\nRunning on OpenSSL version : %s%s",
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- SSLeay_version(SSLEAY_VERSION),
- ((OPENSSL_VERSION_NUMBER ^ SSLeay()) >> 8) ? " (VERSIONS DIFFER!)" : "");
-+#else
-+ OpenSSL_version(OPENSSL_VERSION),
-+ ((OPENSSL_VERSION_NUMBER ^ OpenSSL_version_num()) >> 8) ? " (VERSIONS DIFFER!)" : "");
-+#endif
- #endif
- memprintf(&ptr, "%s\nOpenSSL library supports TLS extensions : "
- #if OPENSSL_VERSION_NUMBER < 0x00907000L
-@@ -9051,11 +9077,14 @@ static void __ssl_sock_deinit(void)
- #endif
-
- ERR_remove_state(0);
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- ERR_free_strings();
-
- EVP_cleanup();
-+#endif
-
--#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-+#if OPENSSL_VERSION_NUMBER >= 0x00907000L && OPENSSL_VERSION_NUMBER < 0x10100000L
- CRYPTO_cleanup_all_ex_data();
- #endif
- }
projects / feed / packages.git / commitdiff