include $(TOPDIR)/rules.mk
PKG_NAME:=haproxy
-PKG_VERSION:=1.8.4
-PKG_RELEASE:=01
+PKG_VERSION:=1.8.9
+PKG_RELEASE:=00
PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://www.haproxy.org/download/1.8/src/
-PKG_HASH:=e305b0a4e7dec08072841eef6ac6dcd1b5586b1eff09c2d51e152a912e8884a6
+PKG_HASH:=436b77927cd85bcd4c2cb3cbf7fb539a5362d9686fdcfa34f37550ca1f5db102
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
PKG_LICENSE:=GPL-2.0
MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>
+ifneq ($(PKG_RELEASE),00)
+ BUILD_VERSION:=-patch$(PKG_RELEASE)
+endif
+
include $(INCLUDE_DIR)/package.mk
define Package/haproxy/Default
ENABLE_LUA:=y
ENABLE_REGPARM:=n
-ifeq ($(CONFIG_mips),y)
- ENABLE_LUA:=n
-endif
-ifeq ($(CONFIG_mipsel),y)
- ENABLE_LUA:=n
-endif
-
ifeq ($(CONFIG_TARGET_x86),y)
ENABLE_REGPARM:=y
endif
SMALL_OPTS="-DBUFSIZE=16384 -DMAXREWRITE=1030 -DSYSTEM_MAXCONN=165530 " \
USE_LINUX_TPROXY=1 USE_LINUX_SPLICE=1 USE_TFO=1 \
USE_ZLIB=yes USE_PCRE=1 USE_PCRE_JIT=1 USE_GETADDRINFO=1 \
- VERSION="$(PKG_VERSION)-patch$(PKG_RELEASE)" \
+ VERSION="$(PKG_VERSION)$(BUILD_VERSION)" \
$(ADDON) \
+ CFLAGS="$(TARGET_CFLAGS)" \
LD="$(TARGET_CC)" \
LDFLAGS="$(TARGET_LDFLAGS) -latomic" \
IGNOREGIT=1
--- /dev/null
+#!/bin/bash
+
+CLONEURL=http://git.haproxy.org/git/haproxy-1.8.git
+BASE_TAG=v1.8.9
+TMP_REPODIR=tmprepo
+PATCHESDIR=patches
+
+if test -d "${TMP_REPODIR}"; then rm -rf "${TMP_REPODIR}"; fi
+
+git clone "${CLONEURL}" "${TMP_REPODIR}"
+
+printf "Cleaning patches\n"
+find ${PATCHESDIR} -type f -name "*.patch" -exec rm -f "{}" \;
+
+i=0
+for cid in $(git -C "${TMP_REPODIR}" rev-list ${BASE_TAG}..HEAD | tac); do
+ filename="$(printf "%04d" $i)-$(git -C "${TMP_REPODIR}" log --format=%s -n 1 $cid | sed -e"s/[()']//g" -e's/[^_a-zA-Z0-9+-]\+/-/g' -e's/-$//').patch"
+ printf "Creating ${filename}\n"
+ git -C "${TMP_REPODIR}" show $cid > "${PATCHESDIR}/$filename"
+ git add "${PATCHESDIR}/$filename"
+ let i++
+done
+
+rm -rf "${TMP_REPODIR}"
+
+printf "finished\n"
+
+++ /dev/null
-From 2fcd544272a5498ffa49544e9f06b51bc93e55d1 Mon Sep 17 00:00:00 2001
-From: Olivier Houchard <ohouchard@haproxy.com>
-Date: Tue, 13 Feb 2018 15:17:23 +0100
-Subject: [PATCH] BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as
- unrecovarable.
-
-Bart Geesink reported some random errors appearing under the form of
-termination flags SD in the logs for connections involving SSL traffic
-to reach the servers.
-
-Tomek Gacek and Mateusz Malek finally narrowed down the problem to commit
-c2aae74 ("MEDIUM: ssl: Handle early data with OpenSSL 1.1.1"). It happens
-that the special case of SSL_ERROR_SYSCALL isn't handled anymore since
-this commit.
-
-SSL_read() might return <= 0, and SSL_get_erro() return SSL_ERROR_SYSCALL,
-without meaning the connection is gone. Before flagging the connection
-as in error, check the errno value.
-
-This should be backported to 1.8.
-
-(cherry picked from commit 7e2e505006feb8f3b4a7f9e0ac5e89b5a8c4895e)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/ssl_sock.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index aecf3dd..f118724 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -5437,6 +5437,12 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- break;
- } else if (ret == SSL_ERROR_ZERO_RETURN)
- goto read0;
-+ /* For SSL_ERROR_SYSCALL, make sure the error is
-+ * unrecoverable before flagging the connection as
-+ * in error.
-+ */
-+ if (ret == SSL_ERROR_SYSCALL && (!errno || errno == EAGAIN))
-+ goto clear_ssl_error;
- /* otherwise it's a real error */
- goto out_error;
- }
-@@ -5451,11 +5457,12 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- conn_sock_read0(conn);
- goto leave;
- out_error:
-+ conn->flags |= CO_FL_ERROR;
-+clear_ssl_error:
- /* Clear openssl global errors stack */
- ssl_sock_dump_errors(conn);
- ERR_clear_error();
-
-- conn->flags |= CO_FL_ERROR;
- goto leave;
- }
-
---
-1.7.10.4
-
+++ /dev/null
-From f7fa1d461aa71bbc8a6c23fdcfc305f2e52ce5dd Mon Sep 17 00:00:00 2001
-From: Christopher Faulet <cfaulet@haproxy.com>
-Date: Mon, 19 Feb 2018 14:25:15 +0100
-Subject: [PATCH] BUG/MEDIUM: ssl: Shutdown the connection for reading on
- SSL_ERROR_SYSCALL
-
-When SSL_read returns SSL_ERROR_SYSCALL and errno is unset or set to EAGAIN, the
-connection must be shut down for reading. Else, the connection loops infinitly,
-consuming all the CPU.
-
-The bug was introduced in the commit 7e2e50500 ("BUG/MEDIUM: ssl: Don't always
-treat SSL_ERROR_SYSCALL as unrecovarable."). This patch must be backported in
-1.8 too.
-
-(cherry picked from commit 4ac77a98cda3d0f9b1d9de7bbbda2c91357f0767)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/ssl_sock.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index f118724..a065bbb 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -5437,10 +5437,9 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- break;
- } else if (ret == SSL_ERROR_ZERO_RETURN)
- goto read0;
-- /* For SSL_ERROR_SYSCALL, make sure the error is
-- * unrecoverable before flagging the connection as
-- * in error.
-- */
-+ /* For SSL_ERROR_SYSCALL, make sure to clear the error
-+ * stack before shutting down the connection for
-+ * reading. */
- if (ret == SSL_ERROR_SYSCALL && (!errno || errno == EAGAIN))
- goto clear_ssl_error;
- /* otherwise it's a real error */
-@@ -5453,16 +5452,19 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- conn_cond_update_sock_polling(conn);
- return done;
-
-+ clear_ssl_error:
-+ /* Clear openssl global errors stack */
-+ ssl_sock_dump_errors(conn);
-+ ERR_clear_error();
- read0:
- conn_sock_read0(conn);
- goto leave;
-+
- out_error:
- conn->flags |= CO_FL_ERROR;
--clear_ssl_error:
- /* Clear openssl global errors stack */
- ssl_sock_dump_errors(conn);
- ERR_clear_error();
--
- goto leave;
- }
-
---
-1.7.10.4
-
+++ /dev/null
-From 8a5949f2d74c3a3a6c6da25449992c312b183ef3 Mon Sep 17 00:00:00 2001
-From: Christopher Faulet <cfaulet@haproxy.com>
-Date: Fri, 2 Feb 2018 15:54:15 +0100
-Subject: [PATCH] BUG/MEDIUM: http: Switch the HTTP response in tunnel mode as
- earlier as possible
-
-When the body length is undefined (no Content-Length or Transfer-Encoding
-headers), The reponse remains in ending mode, waiting the request is done. So,
-most of time this is not a problem because the resquest is done before the
-response. But when a client sends data to a server that replies without waiting
-all the data, it is really not desirable to wait the end of the request to
-finish the response.
-
-This bug was introduced when the tunneling of the request and the reponse was
-refactored, in commit 4be980391 ("MINOR: http: Switch requests/responses in
-TUNNEL mode only by checking txn flag").
-
-This patch should be backported in 1.8 and 1.7.
-
-(cherry picked from commit fd04fcf5edb0a24cd29ce8f4d4dc2aa3a0e2e82c)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/proto_http.c | 15 +++++----------
- 1 file changed, 5 insertions(+), 10 deletions(-)
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 64bd410..29880ea 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -4634,16 +4634,8 @@ int http_sync_res_state(struct stream *s)
- * let's enforce it now that we're not expecting any new
- * data to come. The caller knows the stream is complete
- * once both states are CLOSED.
-- *
-- * However, there is an exception if the response length
-- * is undefined. In this case, we switch in TUNNEL mode.
- */
-- if (!(txn->rsp.flags & HTTP_MSGF_XFER_LEN)) {
-- channel_auto_read(chn);
-- txn->rsp.msg_state = HTTP_MSG_TUNNEL;
-- chn->flags |= CF_NEVER_WAIT;
-- }
-- else if (!(chn->flags & (CF_SHUTW|CF_SHUTW_NOW))) {
-+ if (!(chn->flags & (CF_SHUTW|CF_SHUTW_NOW))) {
- channel_shutr_now(chn);
- channel_shutw_now(chn);
- }
-@@ -6241,6 +6233,8 @@ http_msg_forward_body(struct stream *s, struct http_msg *msg)
- /* The server still sending data that should be filtered */
- if (!(chn->flags & CF_SHUTR) && HAS_DATA_FILTERS(s, chn))
- goto missing_data_or_waiting;
-+ msg->msg_state = HTTP_MSG_TUNNEL;
-+ goto ending;
- }
-
- msg->msg_state = HTTP_MSG_ENDING;
-@@ -6262,7 +6256,8 @@ http_msg_forward_body(struct stream *s, struct http_msg *msg)
- /* default_ret */ 1,
- /* on_error */ goto error,
- /* on_wait */ goto waiting);
-- msg->msg_state = HTTP_MSG_DONE;
-+ if (msg->msg_state == HTTP_MSG_ENDING)
-+ msg->msg_state = HTTP_MSG_DONE;
- return 1;
-
- missing_data_or_waiting:
---
-1.7.10.4
-
+++ /dev/null
-From 7ccf7c9791f2b2329f3940d1347618af3a77bebc Mon Sep 17 00:00:00 2001
-From: Emeric Brun <ebrun@haproxy.com>
-Date: Mon, 19 Feb 2018 15:59:48 +0100
-Subject: [PATCH] BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken.
-
-Since the split between connections and conn-stream objects, this
-keywords are broken.
-
-This patch must be backported in 1.8
-
-(cherry picked from commit eb8def9f34c37537d56a69fcd211d4c4c8006bea)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/ssl_sock.c | 31 ++++++++++++++-----------------
- 1 file changed, 14 insertions(+), 17 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 4d0d5db..d832d76 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -6580,8 +6580,8 @@ smp_fetch_ssl_x_key_alg(const struct arg *args, struct sample *smp, const char *
- static int
- smp_fetch_ssl_fc(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
-- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
-- smp->strm ? smp->strm->si[1].end : NULL);
-+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
-
- smp->data.type = SMP_T_BOOL;
- smp->data.u.sint = (conn && conn->xprt == &ssl_sock);
-@@ -6625,8 +6625,8 @@ smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const ch
- static int
- smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
-- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
-- smp->strm ? smp->strm->si[1].end : NULL);
-+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
-
- smp->flags = 0;
- if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
-@@ -6651,9 +6651,8 @@ smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *
- static int
- smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
-- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
-- smp->strm ? smp->strm->si[1].end : NULL);
--
-+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- int sint;
-
- smp->flags = 0;
-@@ -6676,8 +6675,8 @@ smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const c
- static int
- smp_fetch_ssl_fc_use_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
-- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
-- smp->strm ? smp->strm->si[1].end : NULL);
-+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
-
- smp->flags = 0;
- if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
-@@ -6747,8 +6746,8 @@ smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw
- static int
- smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
-- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
-- smp->strm ? smp->strm->si[1].end : NULL);
-+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
-
- smp->flags = 0;
- if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
-@@ -6773,9 +6772,8 @@ static int
- smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
- #if OPENSSL_VERSION_NUMBER > 0x0090800fL
-- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
-- smp->strm ? smp->strm->si[1].end : NULL);
--
-+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- SSL_SESSION *ssl_sess;
-
- smp->flags = SMP_F_CONST;
-@@ -6917,9 +6915,8 @@ static int
- smp_fetch_ssl_fc_unique_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
- #if OPENSSL_VERSION_NUMBER > 0x0090800fL
-- struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
-- smp->strm ? smp->strm->si[1].end : NULL);
--
-+ struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+ smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- int finished_len;
- struct chunk *finished_trash;
-
---
-1.7.10.4
-