Merge pull request #5807 from gladiac1337/feature-haproxy-v1.8.5

Update HAProxy to v1.8.9

net/haproxy/Makefile

@@ -9,17 +9,21 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=haproxy
-PKG_VERSION:=1.8.4
-PKG_RELEASE:=01
+PKG_VERSION:=1.8.9
+PKG_RELEASE:=00
 
 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.haproxy.org/download/1.8/src/
-PKG_HASH:=e305b0a4e7dec08072841eef6ac6dcd1b5586b1eff09c2d51e152a912e8884a6
+PKG_HASH:=436b77927cd85bcd4c2cb3cbf7fb539a5362d9686fdcfa34f37550ca1f5db102
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_LICENSE:=GPL-2.0
 MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>
 
+ifneq ($(PKG_RELEASE),00)
+	BUILD_VERSION:=-patch$(PKG_RELEASE)
+endif
+
 include $(INCLUDE_DIR)/package.mk
 
 define Package/haproxy/Default
@@ -94,13 +98,6 @@ endef
 ENABLE_LUA:=y
 ENABLE_REGPARM:=n
 
-ifeq ($(CONFIG_mips),y)
-  ENABLE_LUA:=n
-endif
-ifeq ($(CONFIG_mipsel),y)
-  ENABLE_LUA:=n
-endif
-
 ifeq ($(CONFIG_TARGET_x86),y)
   ENABLE_REGPARM:=y
 endif
@@ -150,8 +147,9 @@ define Build/Compile
 		SMALL_OPTS="-DBUFSIZE=16384 -DMAXREWRITE=1030 -DSYSTEM_MAXCONN=165530 " \
 		USE_LINUX_TPROXY=1 USE_LINUX_SPLICE=1 USE_TFO=1 \
 		USE_ZLIB=yes USE_PCRE=1 USE_PCRE_JIT=1 USE_GETADDRINFO=1 \
-		VERSION="$(PKG_VERSION)-patch$(PKG_RELEASE)" \
+		VERSION="$(PKG_VERSION)$(BUILD_VERSION)" \
 		$(ADDON) \
+		CFLAGS="$(TARGET_CFLAGS)" \
 		LD="$(TARGET_CC)" \
 		LDFLAGS="$(TARGET_LDFLAGS) -latomic" \
 		IGNOREGIT=1

net/haproxy/get-latest-patches.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+CLONEURL=http://git.haproxy.org/git/haproxy-1.8.git
+BASE_TAG=v1.8.9
+TMP_REPODIR=tmprepo
+PATCHESDIR=patches
+
+if test -d "${TMP_REPODIR}"; then rm -rf "${TMP_REPODIR}"; fi
+
+git clone "${CLONEURL}" "${TMP_REPODIR}"
+
+printf "Cleaning patches\n"
+find ${PATCHESDIR} -type f -name "*.patch" -exec rm -f "{}" \;
+
+i=0
+for cid in $(git -C "${TMP_REPODIR}" rev-list ${BASE_TAG}..HEAD | tac); do
+	filename="$(printf "%04d" $i)-$(git -C "${TMP_REPODIR}" log --format=%s -n 1 $cid | sed -e"s/[()']//g" -e's/[^_a-zA-Z0-9+-]\+/-/g' -e's/-$//').patch"
+	printf "Creating ${filename}\n"
+	git -C "${TMP_REPODIR}" show $cid > "${PATCHESDIR}/$filename"
+	git add "${PATCHESDIR}/$filename"
+	let i++
+done
+
+rm -rf "${TMP_REPODIR}"
+
+printf "finished\n"
+

net/haproxy/patches/0001-BUG-MEDIUM-ssl-Dont-always-treat-SSL_ERROR_SYSCALL-as-unrecovarable.patch

@@ -1,61 +0,0 @@
-From 2fcd544272a5498ffa49544e9f06b51bc93e55d1 Mon Sep 17 00:00:00 2001
-From: Olivier Houchard <ohouchard@haproxy.com>
-Date: Tue, 13 Feb 2018 15:17:23 +0100
-Subject: [PATCH] BUG/MEDIUM: ssl: Don't always treat SSL_ERROR_SYSCALL as
- unrecovarable.
-
-Bart Geesink reported some random errors appearing under the form of
-termination flags SD in the logs for connections involving SSL traffic
-to reach the servers.
-
-Tomek Gacek and Mateusz Malek finally narrowed down the problem to commit
-c2aae74 ("MEDIUM: ssl: Handle early data with OpenSSL 1.1.1"). It happens
-that the special case of SSL_ERROR_SYSCALL isn't handled anymore since
-this commit.
-
-SSL_read() might return <= 0, and SSL_get_erro() return SSL_ERROR_SYSCALL,
-without meaning the connection is gone. Before flagging the connection
-as in error, check the errno value.
-
-This should be backported to 1.8.
-
-(cherry picked from commit 7e2e505006feb8f3b4a7f9e0ac5e89b5a8c4895e)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/ssl_sock.c |    9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index aecf3dd..f118724 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -5437,6 +5437,12 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- 				break;
- 			} else if (ret == SSL_ERROR_ZERO_RETURN)
- 				goto read0;
-+			/* For SSL_ERROR_SYSCALL, make sure the error is
-+			 * unrecoverable before flagging the connection as
-+			 * in error.
-+			 */
-+			if (ret == SSL_ERROR_SYSCALL && (!errno || errno == EAGAIN))
-+				goto clear_ssl_error;
- 			/* otherwise it's a real error */
- 			goto out_error;
- 		}
-@@ -5451,11 +5457,12 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- 	conn_sock_read0(conn);
- 	goto leave;
-  out_error:
-+	conn->flags |= CO_FL_ERROR;
-+clear_ssl_error:
- 	/* Clear openssl global errors stack */
- 	ssl_sock_dump_errors(conn);
- 	ERR_clear_error();
- 
--	conn->flags |= CO_FL_ERROR;
- 	goto leave;
- }
- 
--- 
-1.7.10.4
-

net/haproxy/patches/0002-BUG-MEDIUM-ssl-Shutdown-the-connection-for-reading-on-SSL_ERROR_SYSCALL.patch

@@ -1,63 +0,0 @@
-From f7fa1d461aa71bbc8a6c23fdcfc305f2e52ce5dd Mon Sep 17 00:00:00 2001
-From: Christopher Faulet <cfaulet@haproxy.com>
-Date: Mon, 19 Feb 2018 14:25:15 +0100
-Subject: [PATCH] BUG/MEDIUM: ssl: Shutdown the connection for reading on
- SSL_ERROR_SYSCALL
-
-When SSL_read returns SSL_ERROR_SYSCALL and errno is unset or set to EAGAIN, the
-connection must be shut down for reading. Else, the connection loops infinitly,
-consuming all the CPU.
-
-The bug was introduced in the commit 7e2e50500 ("BUG/MEDIUM: ssl: Don't always
-treat SSL_ERROR_SYSCALL as unrecovarable."). This patch must be backported in
-1.8 too.
-
-(cherry picked from commit 4ac77a98cda3d0f9b1d9de7bbbda2c91357f0767)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/ssl_sock.c |   14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index f118724..a065bbb 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -5437,10 +5437,9 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- 				break;
- 			} else if (ret == SSL_ERROR_ZERO_RETURN)
- 				goto read0;
--			/* For SSL_ERROR_SYSCALL, make sure the error is
--			 * unrecoverable before flagging the connection as
--			 * in error.
--			 */
-+			/* For SSL_ERROR_SYSCALL, make sure to clear the error
-+			 * stack before shutting down the connection for
-+			 * reading. */
- 			if (ret == SSL_ERROR_SYSCALL && (!errno || errno == EAGAIN))
- 				goto clear_ssl_error;
- 			/* otherwise it's a real error */
-@@ -5453,16 +5452,19 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
- 	conn_cond_update_sock_polling(conn);
- 	return done;
- 
-+ clear_ssl_error:
-+	/* Clear openssl global errors stack */
-+	ssl_sock_dump_errors(conn);
-+	ERR_clear_error();
-  read0:
- 	conn_sock_read0(conn);
- 	goto leave;
-+
-  out_error:
- 	conn->flags |= CO_FL_ERROR;
--clear_ssl_error:
- 	/* Clear openssl global errors stack */
- 	ssl_sock_dump_errors(conn);
- 	ERR_clear_error();
--
- 	goto leave;
- }
- 
--- 
-1.7.10.4
-

net/haproxy/patches/0003-BUG-MEDIUM-http-Switch-the-HTTP-response-in-tunnel-mode-as-earlier-as-possible.patch

@@ -1,69 +0,0 @@
-From 8a5949f2d74c3a3a6c6da25449992c312b183ef3 Mon Sep 17 00:00:00 2001
-From: Christopher Faulet <cfaulet@haproxy.com>
-Date: Fri, 2 Feb 2018 15:54:15 +0100
-Subject: [PATCH] BUG/MEDIUM: http: Switch the HTTP response in tunnel mode as
- earlier as possible
-
-When the body length is undefined (no Content-Length or Transfer-Encoding
-headers), The reponse remains in ending mode, waiting the request is done. So,
-most of time this is not a problem because the resquest is done before the
-response. But when a client sends data to a server that replies without waiting
-all the data, it is really not desirable to wait the end of the request to
-finish the response.
-
-This bug was introduced when the tunneling of the request and the reponse was
-refactored, in commit 4be980391 ("MINOR: http: Switch requests/responses in
-TUNNEL mode only by checking txn flag").
-
-This patch should be backported in 1.8 and 1.7.
-
-(cherry picked from commit fd04fcf5edb0a24cd29ce8f4d4dc2aa3a0e2e82c)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/proto_http.c |   15 +++++----------
- 1 file changed, 5 insertions(+), 10 deletions(-)
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 64bd410..29880ea 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -4634,16 +4634,8 @@ int http_sync_res_state(struct stream *s)
- 			 * let's enforce it now that we're not expecting any new
- 			 * data to come. The caller knows the stream is complete
- 			 * once both states are CLOSED.
--			 *
--			 * However, there is an exception if the response length
--			 * is undefined. In this case, we switch in TUNNEL mode.
- 			 */
--			if (!(txn->rsp.flags & HTTP_MSGF_XFER_LEN)) {
--				channel_auto_read(chn);
--				txn->rsp.msg_state = HTTP_MSG_TUNNEL;
--				chn->flags |= CF_NEVER_WAIT;
--			}
--			else if (!(chn->flags & (CF_SHUTW|CF_SHUTW_NOW))) {
-+			if (!(chn->flags & (CF_SHUTW|CF_SHUTW_NOW))) {
- 				channel_shutr_now(chn);
- 				channel_shutw_now(chn);
- 			}
-@@ -6241,6 +6233,8 @@ http_msg_forward_body(struct stream *s, struct http_msg *msg)
- 		/* The server still sending data that should be filtered */
- 		if (!(chn->flags & CF_SHUTR) && HAS_DATA_FILTERS(s, chn))
- 			goto missing_data_or_waiting;
-+		msg->msg_state = HTTP_MSG_TUNNEL;
-+		goto ending;
- 	}
- 
- 	msg->msg_state = HTTP_MSG_ENDING;
-@@ -6262,7 +6256,8 @@ http_msg_forward_body(struct stream *s, struct http_msg *msg)
- 			 /* default_ret */ 1,
- 			 /* on_error    */ goto error,
- 			 /* on_wait     */ goto waiting);
--	msg->msg_state = HTTP_MSG_DONE;
-+	if (msg->msg_state == HTTP_MSG_ENDING)
-+		msg->msg_state = HTTP_MSG_DONE;
- 	return 1;
- 
-   missing_data_or_waiting:
--- 
-1.7.10.4
-

net/haproxy/patches/0004-BUG-MEDIUM-ssl-sample-ssl_bc_-fetch-keywords-are-broken.patch

@@ -1,103 +0,0 @@
-From 7ccf7c9791f2b2329f3940d1347618af3a77bebc Mon Sep 17 00:00:00 2001
-From: Emeric Brun <ebrun@haproxy.com>
-Date: Mon, 19 Feb 2018 15:59:48 +0100
-Subject: [PATCH] BUG/MEDIUM: ssl/sample: ssl_bc_* fetch keywords are broken.
-
-Since the split between connections and conn-stream objects, this
-keywords are broken.
-
-This patch must be backported in 1.8
-
-(cherry picked from commit eb8def9f34c37537d56a69fcd211d4c4c8006bea)
-Signed-off-by: Willy Tarreau <w@1wt.eu>
----
- src/ssl_sock.c |   31 ++++++++++++++-----------------
- 1 file changed, 14 insertions(+), 17 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 4d0d5db..d832d76 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -6580,8 +6580,8 @@ smp_fetch_ssl_x_key_alg(const struct arg *args, struct sample *smp, const char *
- static int
- smp_fetch_ssl_fc(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
--	struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
--	                                    smp->strm ? smp->strm->si[1].end : NULL);
-+	struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+	                                    smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- 
- 	smp->data.type = SMP_T_BOOL;
- 	smp->data.u.sint = (conn && conn->xprt == &ssl_sock);
-@@ -6625,8 +6625,8 @@ smp_fetch_ssl_fc_is_resumed(const struct arg *args, struct sample *smp, const ch
- static int
- smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
--	struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
--	                                    smp->strm ? smp->strm->si[1].end : NULL);
-+	struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+	                                    smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- 
- 	smp->flags = 0;
- 	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
-@@ -6651,9 +6651,8 @@ smp_fetch_ssl_fc_cipher(const struct arg *args, struct sample *smp, const char *
- static int
- smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
--	struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
--	                                    smp->strm ? smp->strm->si[1].end : NULL);
--
-+	struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+	                                    smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- 	int sint;
- 
- 	smp->flags = 0;
-@@ -6676,8 +6675,8 @@ smp_fetch_ssl_fc_alg_keysize(const struct arg *args, struct sample *smp, const c
- static int
- smp_fetch_ssl_fc_use_keysize(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
--	struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
--	                                    smp->strm ? smp->strm->si[1].end : NULL);
-+	struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+	                                    smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- 
- 	smp->flags = 0;
- 	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
-@@ -6747,8 +6746,8 @@ smp_fetch_ssl_fc_alpn(const struct arg *args, struct sample *smp, const char *kw
- static int
- smp_fetch_ssl_fc_protocol(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
--	struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
--	                                    smp->strm ? smp->strm->si[1].end : NULL);
-+	struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+	                                    smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- 
- 	smp->flags = 0;
- 	if (!conn || !conn->xprt_ctx || conn->xprt != &ssl_sock)
-@@ -6773,9 +6772,8 @@ static int
- smp_fetch_ssl_fc_session_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
- #if OPENSSL_VERSION_NUMBER > 0x0090800fL
--	struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
--	                                    smp->strm ? smp->strm->si[1].end : NULL);
--
-+	struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+	                                    smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- 	SSL_SESSION *ssl_sess;
- 
- 	smp->flags = SMP_F_CONST;
-@@ -6917,9 +6915,8 @@ static int
- smp_fetch_ssl_fc_unique_id(const struct arg *args, struct sample *smp, const char *kw, void *private)
- {
- #if OPENSSL_VERSION_NUMBER > 0x0090800fL
--	struct connection *conn = objt_conn((kw[4] != 'b') ? smp->sess->origin :
--	                                    smp->strm ? smp->strm->si[1].end : NULL);
--
-+	struct connection *conn = (kw[4] != 'b') ? objt_conn(smp->sess->origin) :
-+	                                    smp->strm ? cs_conn(objt_cs(smp->strm->si[1].end)) : NULL;
- 	int finished_len;
- 	struct chunk *finished_trash;
- 
--- 
-1.7.10.4
-