Hello community,

here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2019-02-14 14:32:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/haproxy (Old)
 and      /work/SRC/openSUSE:Factory/.haproxy.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "haproxy"

Thu Feb 14 14:32:25 2019 rev:69 rq:674410 version:1.8.19~git0.ebf033b4

Changes:
--------
--- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes  2019-01-11 
14:05:24.199805224 +0100
+++ /work/SRC/openSUSE:Factory/.haproxy.new.28833/haproxy.changes       
2019-02-14 14:32:42.543670397 +0100
@@ -1,0 +2,55 @@
+Mon Feb 11 15:16:38 UTC 2019 - [email protected]
+
+- Update to version 1.8.19~git0.ebf033b4:
+  * [RELEASE] Released version 1.8.19
+  * BUG/MINOR: config: Reinforce validity check when a process number is parsed
+  * BUG/MAJOR: stream: avoid double free on unique_id
+  * BUG/MAJOR: spoe: Don't try to get agent config during SPOP healthcheck
+  * BUG/MEDIUM: server: initialize the idle conns list after parsing the config
+  * BUG/MEDIUM: spoe: initialization depending on nbthread must be done last
+  * BUG/MINOR: lua: initialize the correct idle conn lists for the SSL sockets
+  * BUG/MINOR: spoe: do not assume agent->rt is valid on exit
+  * DOC: ssl: Stop documenting ciphers example to use
+  * DOC: ssl: Clarify when pre TLSv1.3 cipher can be used
+  * [RELEASE] Released version 1.8.18
+  * BUG/MINOR: config: make sure to count the error on incorrect 
track-sc/stick rules
+  * BUG/MAJOR: spoe: verify that backends used by SPOE cover all their 
callers' processes
+  * BUG/MAJOR: config: verify that targets of track-sc and stick rules are 
present
+  * BUG/MINOR: config: fix bind line thread mask validation
+  * BUG/MEDIUM: stream: Don't forget to free s->unique_id in stream_free().
+  * BUG/MEDIUM: mux-h2: do not close the connection on aborted streams
+  * MINOR: connstream: have a new flag CS_FL_KILL_CONN to kill a connection
+  * MINOR: stream-int: add a new flag to mention that we want the connection 
to be killed
+  * MINOR: stream-int: expand the flags to 32-bit
+  * BUG/MEDIUM: mux-h2: wait for the mux buffer to be empty before closing the 
connection
+  * BUG/MEDIUM: mux-h2: make sure never to send GOAWAY on too old streams
+  * BUG/MEDIUM: mux-h2: fix two half-closed to closed transitions
+  * BUG/MEDIUM: mux-h2: wake up flow-controlled streams on initial window 
update
+  * MINOR: xref: Add missing barriers.
+  * BUG/MINOR: stream: don't close the front connection when facing a backend 
error
+  * SCRIPTS: add the issue tracker URL to the announce script
+  * SCRIPTS: add the slack channel URL to the announce script
+  * BUG/MINOR: deinit: tcp_rep.inspect_rules not deinit, add to deinit
+  * BUG/MINOR: spoe: corrected fragmentation string size
+  * DOC: nbthread is no longer experimental.
+  * BUG/MINOR: hpack: return a compression error on invalid table size updates
+  * BUG/MINOR: mux-h2: make it possible to set the error code on an already 
closed stream
+  * BUG/MINOR: mux-h2: headers-type frames in HREM are always a connection 
error
+  * BUG/MINOR: mux-h2: CONTINUATION in closed state must always return GOAWAY
+  * MINOR: h2: declare new sets of frame types
+  * MINOR: h2: add a bit-based frame type representation
+  * DOC: mention the effect of nf_conntrack_tcp_loose on src/dst
+  * BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages
+  * BUG/MINOR: check: Wake the check task if the check is finished in 
wake_srv_chk()
+  * BUG/MINOR: server: don't always trust srv_check_health when loading a 
server state
+  * BUG/MINOR: stick_table: Prevent conn_cur from underflowing
+  * BUG/MINOR: backend: BE_LB_LKUP_CHTREE is a value, not a bit
+  * BUG/MINOR: backend: balance uri specific options were lost across defaults
+  * BUG/MINOR: backend: don't use url_param_name as a hint for BE_LB_ALGO_PH
+  * BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file
+  * DOC: Be a bit more explicit about allow-0rtt security implications.
+  * BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with 0RTT.
+  * BUG/MAJOR: cache: fix confusion between zero and uninitialized cache key
+  * DOC: http-request cache-use / http-response cache-store expects cache name
+
+-------------------------------------------------------------------
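Review bot: none of the 55 added changelog entries carries a bug-tracker or CVE reference, although several describe memory-safety fixes ("BUG/MAJOR: stream: avoid double free on unique_id", "BUG/MEDIUM: stream: Don't forget to free s->unique_id in stream_free().", "BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file", "BUG/MAJOR: cache: fix confusion between zero and uninitialized cache key") and one changes TLS 1.3 0-RTT behaviour ("BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with 0RTT."). If an openSUSE bug or upstream issue tracks any of these, add the reference to the entry so the security team can match this update to advisories; if none exists, a one-line summary at the top of the entry naming the memory-safety and 0-RTT changes would let reviewers triage the update without reading all 55 upstream titles.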

Old:
----
  haproxy-1.8.17~git0.e89d25b2.tar.gz

New:
----
  haproxy-1.8.19~git0.ebf033b4.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ haproxy.spec ++++++
--- /var/tmp/diff_new_pack.KJJk9a/_old  2019-02-14 14:32:44.251669618 +0100
+++ /var/tmp/diff_new_pack.KJJk9a/_new  2019-02-14 14:32:44.251669618 +0100
@@ -47,7 +47,7 @@
 %endif
 
 Name:           haproxy
-Version:        1.8.17~git0.e89d25b2
+Version:        1.8.19~git0.ebf033b4
 Release:        0
 #
 #

++++++ _service ++++++
--- /var/tmp/diff_new_pack.KJJk9a/_old  2019-02-14 14:32:44.275669607 +0100
+++ /var/tmp/diff_new_pack.KJJk9a/_new  2019-02-14 14:32:44.279669605 +0100
@@ -6,7 +6,7 @@
     <param name="versionformat">@PARENT_TAG@~git@TAG_OFFSET@.%h</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="versionrewrite-replacement">\1</param>    
-    <param name="revision">v1.8.17</param>
+    <param name="revision">v1.8.19</param>
     <param name="changesgenerate">enable</param>
   </service>
 

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.KJJk9a/_old  2019-02-14 14:32:44.295669598 +0100
+++ /var/tmp/diff_new_pack.KJJk9a/_new  2019-02-14 14:32:44.299669596 +0100
@@ -5,4 +5,4 @@
             <param 
name="url">http://git.haproxy.org/git/haproxy-1.7.git</param>
           <param 
name="changesrevision">640d526f8cdad00f7f5043b51f6a34f3f6ebb49f</param></service><service
 name="tar_scm">
                 <param 
name="url">http://git.haproxy.org/git/haproxy-1.8.git</param>
-              <param 
name="changesrevision">e89d25b22da1eefa88ef5aa8ad6fa21e1bd4c801</param></service></servicedata>
\ No newline at end of file
+              <param 
name="changesrevision">ebf033b47d58aa04ae9913038c9369dab8740411</param></service></servicedata>
\ No newline at end of file
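Review bot: both `url` parameters fetch the sources over plain `http://` (http://git.haproxy.org/git/haproxy-1.8.git), so the clone is neither authenticated nor integrity-protected in transit and nothing else in the service chain verifies the fetched objects; switch to https if the upstream host offers it. Two related points: the first `<service>` entry still points at haproxy-1.7.git with changesrevision 640d526f..., which is stale now that the package tracks the 1.8 branch and should be dropped so the service data describes only what is built; and the `revision` parameter in _service pins the checkout to the tag `v1.8.19`, which git allows to be moved, so the commit hash recorded here (ebf033b4...) and embedded in the version string via `%h` is what actually identifies the packaged sources. Keep that hash in the review record so a later re-run of the service against a moved tag is detectable.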

++++++ haproxy-1.8.17~git0.e89d25b2.tar.gz -> 
haproxy-1.8.19~git0.ebf033b4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/CHANGELOG 
new/haproxy-1.8.19~git0.ebf033b4/CHANGELOG
--- old/haproxy-1.8.17~git0.e89d25b2/CHANGELOG  2019-01-08 14:11:02.000000000 
+0100
+++ new/haproxy-1.8.19~git0.ebf033b4/CHANGELOG  2019-02-11 14:16:19.000000000 
+0100
@@ -1,6 +1,58 @@
 ChangeLog :
 ===========
 
+2019/02/11 : 1.8.19
+    - DOC: ssl: Clarify when pre TLSv1.3 cipher can be used
+    - DOC: ssl: Stop documenting ciphers example to use
+    - BUG/MINOR: spoe: do not assume agent->rt is valid on exit
+    - BUG/MINOR: lua: initialize the correct idle conn lists for the SSL 
sockets
+    - BUG/MEDIUM: spoe: initialization depending on nbthread must be done last
+    - BUG/MEDIUM: server: initialize the idle conns list after parsing the 
config
+    - BUG/MAJOR: spoe: Don't try to get agent config during SPOP healthcheck
+    - BUG/MAJOR: stream: avoid double free on unique_id
+    - BUG/MINOR: config: Reinforce validity check when a process number is 
parsed
+
+2019/02/06 : 1.8.18
+    - DOC: http-request cache-use / http-response cache-store expects cache 
name
+    - BUG/MAJOR: cache: fix confusion between zero and uninitialized cache key
+    - BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with 
0RTT.
+    - DOC: Be a bit more explicit about allow-0rtt security implications.
+    - BUG/MEDIUM: ssl: missing allocation failure checks loading tls key file
+    - BUG/MINOR: backend: don't use url_param_name as a hint for BE_LB_ALGO_PH
+    - BUG/MINOR: backend: balance uri specific options were lost across 
defaults
+    - BUG/MINOR: backend: BE_LB_LKUP_CHTREE is a value, not a bit
+    - BUG/MINOR: stick_table: Prevent conn_cur from underflowing
+    - BUG/MINOR: server: don't always trust srv_check_health when loading a 
server state
+    - BUG/MINOR: check: Wake the check task if the check is finished in 
wake_srv_chk()
+    - BUG/MEDIUM: ssl: Fix handling of TLS 1.3 KeyUpdate messages
+    - DOC: mention the effect of nf_conntrack_tcp_loose on src/dst
+    - MINOR: h2: add a bit-based frame type representation
+    - MINOR: h2: declare new sets of frame types
+    - BUG/MINOR: mux-h2: CONTINUATION in closed state must always return GOAWAY
+    - BUG/MINOR: mux-h2: headers-type frames in HREM are always a connection 
error
+    - BUG/MINOR: mux-h2: make it possible to set the error code on an already 
closed stream
+    - BUG/MINOR: hpack: return a compression error on invalid table size 
updates
+    - DOC: nbthread is no longer experimental.
+    - BUG/MINOR: spoe: corrected fragmentation string size
+    - BUG/MINOR: deinit: tcp_rep.inspect_rules not deinit, add to deinit
+    - SCRIPTS: add the slack channel URL to the announce script
+    - SCRIPTS: add the issue tracker URL to the announce script
+    - BUG/MINOR: stream: don't close the front connection when facing a 
backend error
+    - MINOR: xref: Add missing barriers.
+    - BUG/MEDIUM: mux-h2: wake up flow-controlled streams on initial window 
update
+    - BUG/MEDIUM: mux-h2: fix two half-closed to closed transitions
+    - BUG/MEDIUM: mux-h2: make sure never to send GOAWAY on too old streams
+    - BUG/MEDIUM: mux-h2: wait for the mux buffer to be empty before closing 
the connection
+    - MINOR: stream-int: expand the flags to 32-bit
+    - MINOR: stream-int: add a new flag to mention that we want the connection 
to be killed
+    - MINOR: connstream: have a new flag CS_FL_KILL_CONN to kill a connection
+    - BUG/MEDIUM: mux-h2: do not close the connection on aborted streams
+    - BUG/MEDIUM: stream: Don't forget to free s->unique_id in stream_free().
+    - BUG/MINOR: config: fix bind line thread mask validation
+    - BUG/MAJOR: config: verify that targets of track-sc and stick rules are 
present
+    - BUG/MAJOR: spoe: verify that backends used by SPOE cover all their 
callers' processes
+    - BUG/MINOR: config: make sure to count the error on incorrect 
track-sc/stick rules
+
 2019/01/08 : 1.8.17
     - BUG/MAJOR: stream-int: Update the stream expiration date in 
stream_int_notify()
     - MINOR: mux-h2: only increase the connection window with the first update
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/README 
new/haproxy-1.8.19~git0.ebf033b4/README
--- old/haproxy-1.8.17~git0.e89d25b2/README     2019-01-08 14:11:02.000000000 
+0100
+++ new/haproxy-1.8.19~git0.ebf033b4/README     2019-02-11 14:16:19.000000000 
+0100
@@ -3,7 +3,7 @@
                          ----------------------
                               version 1.8
                              willy tarreau
-                               2019/01/08
+                               2019/02/11
 
 
 1) How to build it
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/VERDATE 
new/haproxy-1.8.19~git0.ebf033b4/VERDATE
--- old/haproxy-1.8.17~git0.e89d25b2/VERDATE    2019-01-08 14:11:02.000000000 
+0100
+++ new/haproxy-1.8.19~git0.ebf033b4/VERDATE    2019-02-11 14:16:19.000000000 
+0100
@@ -1,2 +1,2 @@
 $Format:%ci$
-2019/01/08
+2019/02/11
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/VERSION 
new/haproxy-1.8.19~git0.ebf033b4/VERSION
--- old/haproxy-1.8.17~git0.e89d25b2/VERSION    2019-01-08 14:11:02.000000000 
+0100
+++ new/haproxy-1.8.19~git0.ebf033b4/VERSION    2019-02-11 14:16:19.000000000 
+0100
@@ -1 +1 @@
-1.8.17
+1.8.19
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/doc/configuration.txt 
new/haproxy-1.8.19~git0.ebf033b4/doc/configuration.txt
--- old/haproxy-1.8.17~git0.e89d25b2/doc/configuration.txt      2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/doc/configuration.txt      2019-02-11 
14:16:19.000000000 +0100
@@ -4,7 +4,7 @@
                          ----------------------
                               version 1.8
                              willy tarreau
-                              2019/01/08
+                              2019/02/11
 
 
 This document covers the configuration language as implemented in the version
@@ -917,14 +917,14 @@
   mode. By default, only one process is created, which is the recommended mode
   of operation. For systems limited to small sets of file descriptors per
   process, it may be needed to fork multiple daemons. USING MULTIPLE PROCESSES
-  IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon".
+  IS HARDER TO DEBUG AND IS REALLY DISCOURAGED. See also "daemon" and
+  "nbthread".
 
 nbthread <number>
   This setting is only available when support for threads was built in. It
   creates <number> threads for each created processes. It means if HAProxy is
   started in foreground, it only creates <number> threads for the first
-  process. FOR NOW, THREADS SUPPORT IN HAPROXY IS HIGHLY EXPERIMENTAL AND IT
-  MUST BE ENABLED WITH CAUTION AND AT YOUR OWN RISK. See also "nbproc".
+  process. See also "nbproc".
 
 pidfile <pidfile>
   Writes PIDs of all daemons into file <pidfile>. This option is equivalent to
@@ -986,12 +986,14 @@
 ssl-default-bind-ciphers <ciphers>
   This setting is only available when support for OpenSSL was built in. It sets
   the default string describing the list of cipher algorithms ("cipher suite")
-  that are negotiated during the SSL/TLS handshake except for TLSv1.3 for all
+  that are negotiated during the SSL/TLS handshake up to TLSv1.2 for all
   "bind" lines which do not explicitly define theirs. The format of the string
-  is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance
-  a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). For
-  TLSv1.3 cipher configuration, please check the 
"ssl-default-bind-ciphersuites"
-  keyword. Please check the "bind" keyword for more information.
+  is defined in "man 1 ciphers" from OpenSSL man pages. For background
+  information and recommendations see e.g.
+  (https://wiki.mozilla.org/Security/Server_Side_TLS) and
+  (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For 
TLSv1.3
+  cipher configuration, please check the "ssl-default-bind-ciphersuites" 
keyword.
+  Please check the "bind" keyword for more information.
 
 ssl-default-bind-ciphersuites <ciphersuites>
   This setting is only available when support for OpenSSL was built in and
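Review bot: removing the example string "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" is the right call: `ALL` admits every suite OpenSSL supports except those explicitly excluded, and `+RC4` only moves the RC4 suites to the end of the preference list rather than removing them, so anyone copying the example would have left RC4 negotiable. The rewording "up to TLSv1.2" is also clearer than "except for TLSv1.3". One nit: with the example gone, the text no longer hints at the format difference between this keyword and "ssl-default-bind-ciphersuites"; a half sentence saying that this list uses OpenSSL cipher names and keywords while the TLSv1.3 list uses the IANA TLS_* names would prevent the two from being confused.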
@@ -999,11 +1001,9 @@
   describing the list of cipher algorithms ("cipher suite") that are negotiated
   during the TLSv1.3 handshake for all "bind" lines which do not explicitly 
define
   theirs. The format of the string is defined in
-  "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites", and 
can
-  be for instance a string such as
-  "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
-  (without quotes). For cipher configuration for TLSv1.2 and earlier, please 
check
-  the "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for 
more
+  "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
+  cipher configuration for TLSv1.2 and earlier, please check the
+  "ssl-default-bind-ciphers" keyword. Please check the "bind" keyword for more
   information.
 
 ssl-default-bind-options [<option>]...
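Review bot: unlike the TLSv1.2 example dropped in the previous hunk, the removed TLSv1.3 list "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" contained no weak suite and was the only illustration of the distinct ciphersuites syntax (colon-separated IANA TLS_* names, none of the OpenSSL keywords such as ALL or !aNULL). Consider keeping it: a reader who applies the "man 1 ciphers" syntax of the ciphers keyword to this one will get a configuration error at startup, and the pointer to the "ciphersuites" section of the man page alone does not make the difference obvious.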
@@ -1018,11 +1018,15 @@
 ssl-default-server-ciphers <ciphers>
   This setting is only available when support for OpenSSL was built in. It
   sets the default string describing the list of cipher algorithms that are
-  negotiated during the SSL/TLS handshake except for TLSv1.3 with the server,
+  negotiated during the SSL/TLS handshake up to TLSv1.2 with the server,
   for all "server" lines which do not explicitly define theirs. The format of
-  the string is defined in "man 1 ciphers". For TLSv1.3 cipher configuration,
-  please check the "ssl-default-server-ciphersuites" keyword. Please check the
-  "server" keyword for more information.
+  the string is defined in "man 1 ciphers" from OpenSSL man pages. For 
background
+  information and recommendations see e.g.
+  (https://wiki.mozilla.org/Security/Server_Side_TLS) and
+  (https://mozilla.github.io/server-side-tls/ssl-config-generator/).
+  For TLSv1.3 cipher configuration, please check the
+  "ssl-default-server-ciphersuites" keyword. Please check the "server" keyword
+  for more information.
 
 ssl-default-server-ciphersuites <ciphersuites>
   This setting is only available when support for OpenSSL was built in and
@@ -1030,9 +1034,10 @@
   string describing the list of cipher algorithms that are negotiated during
   the TLSv1.3 handshake with the server, for all "server" lines which do not
   explicitly define theirs. The format of the string is defined in
-  "man 1 ciphers" under the "ciphersuites" section. For cipher configuration 
for
-  TLSv1.2 and earlier, please check the "ssl-default-server-ciphers" keyword.
-  Please check the "server" keyword for more information.
+  "man 1 ciphers" from OpenSSL man pages under the section "ciphersuites". For
+  cipher configuration for TLSv1.2 and earlier, please check the
+  "ssl-default-server-ciphers" keyword. Please check the "server" keyword for
+  more information.
 
 ssl-default-server-options [<option>]...
   This setting is only available when support for OpenSSL was built in. It sets
@@ -10483,7 +10488,10 @@
 
 allow-0rtt
   Allow receiving early data when using TLSv1.3. This is disabled by default,
-  due to security considerations.
+  due to security considerations. Because it is vulnerable to replay attacks,
+  you should only allow if for requests that are safe to replay, ie requests
+  that are idempotent. You can use the "wait-for-handshake" action for any
+  request that wouldn't be safe with early data.
 
 alpn <protocols>
   This enables the TLS ALPN extension and advertises the specified protocol
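Review bot: typo in the added text: "you should only allow if for requests" should read "allow it for requests", and "ie" is conventionally written "i.e.". On substance, the changelog entry "BUG/MEDIUM: ssl: Disable anti-replay protection and set max data with 0RTT." means the library-level anti-replay check is turned off, so the paragraph should state plainly that HAProxy does not itself reject replayed early data and that the idempotency of the requests admitted before "wait-for-handshake" is the only protection; as written, "vulnerable to replay attacks" can be read as a residual risk rather than the operating assumption.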
@@ -10545,11 +10553,8 @@
 ciphers <ciphers>
   This setting is only available when support for OpenSSL was built in. It sets
   the string describing the list of cipher algorithms ("cipher suite") that are
-  negotiated during the SSL/TLS handshake except for TLSv1.3. The format of the
-  string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for
-  instance a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without
-  quotes). Depending on the compatibility and security requirements, the list
-  of suitable ciphers depends on a variety of variables. For background
+  negotiated during the SSL/TLS handshake up to TLSv1.2. The format of the
+  string is defined in "man 1 ciphers" from OpenSSL man pages. For background
   information and recommendations see e.g.
   (https://wiki.mozilla.org/Security/Server_Side_TLS) and
   (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For 
TLSv1.3
@@ -10560,11 +10565,8 @@
   OpenSSL 1.1.1 or later was used to build HAProxy. It sets the string 
describing
   the list of cipher algorithms ("cipher suite") that are negotiated during the
   TLSv1.3 handshake. The format of the string is defined in "man 1 ciphers" 
from
-  OpenSSL man pages under the "ciphersuites" section, and can be for instance a
-  string such as
-  "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
-  (without quotes). For cipher configuration for TLSv1.2 and earlier, please 
check
-  the "ciphers" keyword.
+  OpenSSL man pages under the "ciphersuites" section. For cipher configuration
+  for TLSv1.2 and earlier, please check the "ciphers" keyword.
 
 crl-file <crlfile>
   This setting is only available when support for OpenSSL was built in. It
@@ -11278,19 +11280,20 @@
   This setting is only available when support for OpenSSL was built in. This
   option sets the string describing the list of cipher algorithms that is
   negotiated during the SSL/TLS handshake with the server. The format of the
-  string is defined in "man 1 ciphers". When SSL is used to communicate with
-  servers on the local network, it is common to see a weaker set of algorithms
-  than what is used over the internet. Doing so reduces CPU usage on both the
-  server and haproxy while still keeping it compatible with deployed software.
-  Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
-  is needed and just connectivity, using DES can be appropriate.
+  string is defined in "man 1 ciphers" from OpenSSL man pages. For background
+  information and recommendations see e.g.
+  (https://wiki.mozilla.org/Security/Server_Side_TLS) and
+  (https://mozilla.github.io/server-side-tls/ssl-config-generator/). For 
TLSv1.3
+  cipher configuration, please check the "ciphersuites" keyword.
 
 ciphersuites <ciphersuites>
   This setting is only available when support for OpenSSL was built in and
   OpenSSL 1.1.1 or later was used to build HAProxy. This option sets the string
   describing the list of cipher algorithms that is negotiated during the TLS
   1.3 handshake with the server. The format of the string is defined in
-  "man 1 ciphers" under the "ciphersuites" section.
+  "man 1 ciphers" from OpenSSL man pages under the "ciphersuites" section.
+  For cipher configuration for TLSv1.2 and earlier, please check the "ciphers"
+  keyword.
 
 cookie <value>
   The "cookie" parameter sets the cookie value assigned to the server to
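Review bot: good to see the removed paragraph go: it recommended RC4-SHA1 as "reasonably cheap" and DES when "no security at all is needed", advice that leaves a backend hop negotiable with ciphers broken for years and that current OpenSSL builds may not even offer. Since the replacement text no longer discusses the backend case at all, consider one sentence noting that the same Mozilla recommendations apply to "server" lines, so nobody reintroduces a weaker internal profile on the assumption that the network between haproxy and the servers is trusted.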
@@ -13819,7 +13822,12 @@
   which is the address the client connected to. It can be useful when running
   in transparent mode. It is of type IP and works on both IPv4 and IPv6 tables.
   On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent, according to
-  RFC 4291.
+  RFC 4291. When the incoming connection passed through address translation or
+  redirection involving connection tracking, the original destination address
+  before the redirection will be reported. On Linux systems, the source and
+  destination may seldom appear reversed if the nf_conntrack_tcp_loose sysctl
+  is set, because a late response may reopen a timed out connection and switch
+  what is believed to be the source and the destination.
 
 dst_conn : integer
   Returns an integer value corresponding to the number of currently established
@@ -14124,7 +14132,13 @@
   behind a proxy. However if the "accept-proxy" or "accept-netscaler-cip" bind
   directive is used, it can be the address of a client behind another
   PROXY-protocol compatible component for all rule sets except
-  "tcp-request connection" which sees the real address.
+  "tcp-request connection" which sees the real address. When the incoming
+  connection passed through address translation or redirection involving
+  connection tracking, the original destination address before the redirection
+  will be reported. On Linux systems, the source and destination may seldom
+  appear reversed if the nf_conntrack_tcp_loose sysctl is set, because a late
+  response may reopen a timed out connection and switch what is believed to be
+  the source and the destination.
 
   Example:
        # add an HTTP header in requests with the originating address' country
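Review bot: the new paragraph explains that src and dst may appear reversed when nf_conntrack_tcp_loose is set, but not what that means for the configuration: any ACL or stick-table entry keyed on src (the Example block right below builds a header from the client's address) would then be evaluated against the other endpoint's address. Suggest adding that consequence and the mitigation, namely setting the sysctl to 0 on hosts where src is used for access decisions, so operators know why the caveat matters. The same text was added to the dst sample fetch in the previous hunk and would benefit from the same note.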
@@ -17157,13 +17171,13 @@
 10.2.2. Proxy section
 ---------------------
 
-http-request cache-use <name>
+http-request cache-use <name> [ { if | unless } <condition> ]
   Try to deliver a cached object from the cache <name>. This directive is also
   mandatory to store the cache as it calculates the cache hash. If you want to
   use a condition for both storage and delivering that's a good idea to put it
   after this one.
 
-http-response cache-store <name>
+http-response cache-store <name> [ { if | unless } <condition> ]
   Store an http-response within the cache. The storage of the response headers
   is done at this step, which means you can use others http-response actions
   to modify headers before or after the storage of the response. This action
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/examples/haproxy.spec 
new/haproxy-1.8.19~git0.ebf033b4/examples/haproxy.spec
--- old/haproxy-1.8.17~git0.e89d25b2/examples/haproxy.spec      2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/examples/haproxy.spec      2019-02-11 
14:16:19.000000000 +0100
@@ -1,6 +1,6 @@
 Summary: HA-Proxy is a TCP/HTTP reverse proxy for high availability 
environments
 Name: haproxy
-Version: 1.8.17
+Version: 1.8.19
 Release: 1
 License: GPL
 Group: System Environment/Daemons
@@ -74,6 +74,12 @@
 %attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/%{name}
 
 %changelog
+* Mon Feb 11 2019 Willy Tarreau <[email protected]>
+- updated to 1.8.19
+
+* Wed Feb  6 2019 Willy Tarreau <[email protected]>
+- updated to 1.8.18
+
 * Tue Jan  8 2019 Willy Tarreau <[email protected]>
 - updated to 1.8.17
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/include/common/h2.h 
new/haproxy-1.8.19~git0.ebf033b4/include/common/h2.h
--- old/haproxy-1.8.17~git0.e89d25b2/include/common/h2.h        2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/include/common/h2.h        2019-02-11 
14:16:19.000000000 +0100
@@ -81,6 +81,30 @@
        H2_FT_ENTRIES /* must be last */
 } __attribute__((packed));
 
+/* frame types, turned to bits or bit fields */
+enum {
+       /* one bit per frame type */
+       H2_FT_DATA_BIT          = 1U << H2_FT_DATA,
+       H2_FT_HEADERS_BIT       = 1U << H2_FT_HEADERS,
+       H2_FT_PRIORITY_BIT      = 1U << H2_FT_PRIORITY,
+       H2_FT_RST_STREAM_BIT    = 1U << H2_FT_RST_STREAM,
+       H2_FT_SETTINGS_BIT      = 1U << H2_FT_SETTINGS,
+       H2_FT_PUSH_PROMISE_BIT  = 1U << H2_FT_PUSH_PROMISE,
+       H2_FT_PING_BIT          = 1U << H2_FT_PING,
+       H2_FT_GOAWAY_BIT        = 1U << H2_FT_GOAWAY,
+       H2_FT_WINDOW_UPDATE_BIT = 1U << H2_FT_WINDOW_UPDATE,
+       H2_FT_CONTINUATION_BIT  = 1U << H2_FT_CONTINUATION,
+       /* padded frames */
+       H2_FT_PADDED_MASK       = H2_FT_DATA_BIT | H2_FT_HEADERS_BIT | 
H2_FT_PUSH_PROMISE_BIT,
+       /* flow controlled frames */
+       H2_FT_FC_MASK           = H2_FT_DATA_BIT,
+       /* header frames */
+       H2_FT_HDR_MASK          = H2_FT_HEADERS_BIT | H2_FT_PUSH_PROMISE_BIT | 
H2_FT_CONTINUATION_BIT,
+       /* frames allowed to arrive late on a stream */
+       H2_FT_LATE_MASK         = H2_FT_WINDOW_UPDATE_BIT | 
H2_FT_RST_STREAM_BIT | H2_FT_PRIORITY_BIT,
+};
+
+
 /* flags defined for each frame type */
 
 // RFC7540 #6.1
@@ -109,6 +133,9 @@
 // RFC7540 #6.8 : GOAWAY defines no flags
 // RFC7540 #6.9 : WINDOW_UPDATE defines no flags
 
+// PADDED is the exact same among DATA, HEADERS and PUSH_PROMISE (8)
+#define H2_F_PADDED              0x08
+
 /* HTTP/2 error codes - RFC7540 #7 */
 enum h2_err {
        H2_ERR_NO_ERROR            = 0x0,
@@ -159,6 +186,12 @@
  * Some helpful debugging functions.
  */
 
+/* returns a bit corresponding to the frame type */
+static inline unsigned int h2_ft_bit(enum h2_ft ft)
+{
+       return 1U << ft;
+}
+
 /* returns the frame type as a string */
 static inline const char *h2_ft_str(int type)
 {
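Review bot: h2_ft_bit() computes `1U << ft` with no range check. Frame types on the wire are a full byte and RFC 7540 requires unknown types to be ignored, so if any caller passes a raw received type rather than a validated enum h2_ft, values of 32 and above make the shift undefined behaviour, and values between H2_FT_ENTRIES and 31 yield bits that none of the masks in the new enum account for. Suggest `return ft < H2_FT_ENTRIES ? 1U << ft : 0;`, plus a static assertion next to the enum that H2_FT_ENTRIES (marked "must be last") stays at or below 32, so an unknown type simply matches no mask.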
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/haproxy-1.8.17~git0.e89d25b2/include/common/hpack-tbl.h 
new/haproxy-1.8.19~git0.ebf033b4/include/common/hpack-tbl.h
--- old/haproxy-1.8.17~git0.e89d25b2/include/common/hpack-tbl.h 2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/include/common/hpack-tbl.h 2019-02-11 
14:16:19.000000000 +0100
@@ -127,6 +127,7 @@
        HPACK_ERR_MISSING_AUTHORITY,  /* :authority is missing with CONNECT */
        HPACK_ERR_SCHEME_NOT_ALLOWED, /* :scheme not allowed with CONNECT */
        HPACK_ERR_PATH_NOT_ALLOWED,   /* :path not allowed with CONNECT */
+       HPACK_ERR_INVALID_ARGUMENT,   /* an invalid argument was passed */
 };
 
 /* static header table as in RFC7541 Appendix A. [0] unused. */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/include/common/xref.h 
new/haproxy-1.8.19~git0.ebf033b4/include/common/xref.h
--- old/haproxy-1.8.17~git0.e89d25b2/include/common/xref.h      2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/include/common/xref.h      2019-02-11 
14:16:19.000000000 +0100
@@ -32,6 +32,7 @@
 
                /* Get the local pointer to the peer. */
                local = HA_ATOMIC_XCHG(&xref->peer, XREF_BUSY);
+               __ha_barrier_store();
 
                /* If the local pointer is NULL, the peer no longer exists. */
                if (local == NULL) {
@@ -53,6 +54,7 @@
                /* The remote lock is BUSY, We retry the process. */
                if (remote == XREF_BUSY) {
                        xref->peer = local;
+                       __ha_barrier_store();
                        continue;
                }
 
@@ -66,6 +68,8 @@
        /* Release the peer. */
        peer->peer = xref;
 
+       __ha_barrier_store();
+
        /* Release myself. */
        xref->peer = peer;
 }
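Review bot: the added __ha_barrier_store() orders the two plain stores `peer->peer = xref;` and `xref->peer = peer;`, but the hunk carries no comment saying which reader-side load it pairs with, and the assignments remain plain non-atomic writes next to the HA_ATOMIC_XCHG used elsewhere in this file. A store barrier only constrains the writer; without a matching acquire or load barrier at the reader, the peer can still observe the two stores in either order. Please document the intended pairing (or make the second store an atomic store with release semantics), otherwise the next person touching this file cannot tell whether the four new barriers are sufficient or merely accidental.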
@@ -73,6 +77,7 @@
 static inline void xref_disconnect(struct xref *xref, struct xref *peer)
 {
        peer->peer = NULL;
+       __ha_barrier_store();
        xref->peer = NULL;
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/include/proto/session.h 
new/haproxy-1.8.19~git0.ebf033b4/include/proto/session.h
--- old/haproxy-1.8.17~git0.e89d25b2/include/proto/session.h    2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/include/proto/session.h    2019-02-11 
14:16:19.000000000 +0100
@@ -59,7 +59,8 @@
                if (ptr) {
                        HA_RWLOCK_WRLOCK(STK_SESS_LOCK, &ts->lock);
 
-                       stktable_data_cast(ptr, conn_cur)--;
+                       if (stktable_data_cast(ptr, conn_cur) > 0)
+                               stktable_data_cast(ptr, conn_cur)--;
 
                        HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock);
 
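Review bot: the `> 0` guard stops conn_cur from underflowing, but it also hides whatever double decrement causes the imbalance, and a silently undercounted conn_cur weakens any rate-limiting or abuse rule that relies on it. Suggest counting the skipped decrements (or at least emitting a debug-level warning) so the underlying accounting bug stays detectable rather than masked. The identical three-line pattern is repeated twice more in include/proto/stream.h below; a small helper would keep the three copies from drifting apart.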
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/include/proto/stream.h 
new/haproxy-1.8.19~git0.ebf033b4/include/proto/stream.h
--- old/haproxy-1.8.17~git0.e89d25b2/include/proto/stream.h     2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/include/proto/stream.h     2019-02-11 
14:16:19.000000000 +0100
@@ -104,7 +104,8 @@
                if (ptr) {
                        HA_RWLOCK_WRLOCK(STK_SESS_LOCK, &ts->lock);
 
-                       stktable_data_cast(ptr, conn_cur)--;
+                       if (stktable_data_cast(ptr, conn_cur) > 0)
+                               stktable_data_cast(ptr, conn_cur)--;
 
                        HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock);
 
@@ -142,7 +143,8 @@
                if (ptr) {
                        HA_RWLOCK_WRLOCK(STK_SESS_LOCK, &ts->lock);
 
-                       stktable_data_cast(ptr, conn_cur)--;
+                       if (stktable_data_cast(ptr, conn_cur) > 0)
+                               stktable_data_cast(ptr, conn_cur)--;
 
                        HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock);
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/haproxy-1.8.17~git0.e89d25b2/include/proto/stream_interface.h 
new/haproxy-1.8.19~git0.ebf033b4/include/proto/stream_interface.h
--- old/haproxy-1.8.17~git0.e89d25b2/include/proto/stream_interface.h   
2019-01-08 14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/include/proto/stream_interface.h   
2019-02-11 14:16:19.000000000 +0100
@@ -320,6 +320,12 @@
        si->ops->shutw(si);
 }
 
+/* Marks on the stream-interface that next shutw must kill the whole 
connection */
+static inline void si_must_kill_conn(struct stream_interface *si)
+{
+       si->flags |= SI_FL_KILL_CONN;
+}
+
 /* Updates the stream interface and timers, then updates the data layer below 
*/
 static inline void si_update(struct stream_interface *si)
 {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/haproxy-1.8.17~git0.e89d25b2/include/types/connection.h 
new/haproxy-1.8.19~git0.ebf033b4/include/types/connection.h
--- old/haproxy-1.8.17~git0.e89d25b2/include/types/connection.h 2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/include/types/connection.h 2019-02-11 
14:16:19.000000000 +0100
@@ -70,6 +70,7 @@
        CS_FL_ERROR         = 0x00000100,  /* a fatal error was reported */
        CS_FL_RCV_MORE      = 0x00000200,  /* more bytes to receive but not 
enough room */
        CS_FL_EOS           = 0x00001000,  /* End of stream */
+       CS_FL_KILL_CONN     = 0x00002000,  /* must kill the connection when the 
CS closes */
 };
 
 /* cs_shutr() modes */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/haproxy-1.8.17~git0.e89d25b2/include/types/stream_interface.h 
new/haproxy-1.8.19~git0.ebf033b4/include/types/stream_interface.h
--- old/haproxy-1.8.17~git0.e89d25b2/include/types/stream_interface.h   
2019-01-08 14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/include/types/stream_interface.h   
2019-02-11 14:16:19.000000000 +0100
@@ -59,22 +59,23 @@
        SI_ET_DATA_ABRT  = 0x0400,  /* data phase aborted by external cause */
 };
 
-/* flags set after I/O (16 bit) */
+/* flags set after I/O (32 bit) */
 enum {
-       SI_FL_NONE       = 0x0000,  /* nothing */
-       SI_FL_EXP        = 0x0001,  /* timeout has expired */
-       SI_FL_ERR        = 0x0002,  /* a non-recoverable error has occurred */
-       SI_FL_WAIT_ROOM  = 0x0004,  /* waiting for space to store incoming data 
*/
-       SI_FL_WAIT_DATA  = 0x0008,  /* waiting for more data to send */
-       SI_FL_ISBACK     = 0x0010,  /* 0 for front-side SI, 1 for back-side */
-       SI_FL_DONT_WAKE  = 0x0020,  /* resync in progress, don't wake up */
-       SI_FL_INDEP_STR  = 0x0040,  /* independent streams = don't update rex 
on write */
-       SI_FL_NOLINGER   = 0x0080,  /* may close without lingering. One-shot. */
-       SI_FL_NOHALF     = 0x0100,  /* no half close, close both sides at once 
*/
-       SI_FL_SRC_ADDR   = 0x1000,  /* get the source ip/port with getsockname 
*/
-       SI_FL_WANT_PUT   = 0x2000,  /* an applet would like to put some data 
into the buffer */
-       SI_FL_WANT_GET   = 0x4000,  /* an applet would like to get some data 
from the buffer */
-       SI_FL_CLEAN_ABRT = 0x8000,  /* SI_FL_ERR is used to report aborts, and 
not SHUTR */
+       SI_FL_NONE       = 0x00000000,  /* nothing */
+       SI_FL_EXP        = 0x00000001,  /* timeout has expired */
+       SI_FL_ERR        = 0x00000002,  /* a non-recoverable error has occurred 
*/
+       SI_FL_WAIT_ROOM  = 0x00000004,  /* waiting for space to store incoming 
data */
+       SI_FL_WAIT_DATA  = 0x00000008,  /* waiting for more data to send */
+       SI_FL_ISBACK     = 0x00000010,  /* 0 for front-side SI, 1 for back-side 
*/
+       SI_FL_DONT_WAKE  = 0x00000020,  /* resync in progress, don't wake up */
+       SI_FL_INDEP_STR  = 0x00000040,  /* independent streams = don't update 
rex on write */
+       SI_FL_NOLINGER   = 0x00000080,  /* may close without lingering. 
One-shot. */
+       SI_FL_NOHALF     = 0x00000100,  /* no half close, close both sides at 
once */
+       SI_FL_SRC_ADDR   = 0x00001000,  /* get the source ip/port with 
getsockname */
+       SI_FL_WANT_PUT   = 0x00002000,  /* an applet would like to put some 
data into the buffer */
+       SI_FL_WANT_GET   = 0x00004000,  /* an applet would like to get some 
data from the buffer */
+       SI_FL_CLEAN_ABRT = 0x00008000,  /* SI_FL_ERR is used to report aborts, 
and not SHUTR */
+       SI_FL_KILL_CONN  = 0x00010000,  /* next shutw must kill the whole conn, 
not just the stream */
 };
 
 /* A stream interface has 3 parts :
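Review bot: `SI_FL_KILL_CONN = 0x00010000` does not fit in the previous 16-bit `flags` field, so this hunk is only correct together with the struct change that widens `flags` to `unsigned int` in the next hunk; a backport that picks one without the other would silently truncate the bit. Bits `0x0200`, `0x0400` and `0x0800` remain unused, so if keeping the field at 16 bits had been preferred, the new flag could have used one of them; widening is fine, but the comment "(32 bit)" should be kept in sync with the field type.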
@@ -92,10 +93,11 @@
        /* struct members used by the "buffer" side */
        enum si_state state;     /* SI_ST* */
        enum si_state prev_state;/* SI_ST*, copy of previous state */
-       unsigned short flags;    /* SI_FL_* */
-       unsigned int exp;       /* wake up time for connect, queue, 
turn-around, ... */
+       /* 16-bit hole here */
+       unsigned int flags;     /* SI_FL_* */
        enum obj_type *end;     /* points to the end point (connection or 
appctx) */
        struct si_ops *ops;     /* general operations at the stream interface 
layer */
+       unsigned int exp;       /* wake up time for connect, queue, 
turn-around, ... */
 
        /* struct members below are the "remote" part, as seen from the buffer 
side */
        unsigned int err_type;  /* first error detected, one of SI_ET_* */
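Review bot: the new `/* 16-bit hole here */` comment does not match the layout visible in this hunk: two `enum si_state` members followed by an `unsigned int flags` leave no 16-bit gap on the usual ABIs (the hole existed before this change, between the `unsigned short flags` and `unsigned int exp`). Either drop the comment or move it to wherever the padding actually is after `exp` was relocated below `ops`, so the comment does not mislead anyone tuning the struct later.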
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/haproxy-1.8.17~git0.e89d25b2/scripts/announce-release 
new/haproxy-1.8.19~git0.ebf033b4/scripts/announce-release
--- old/haproxy-1.8.17~git0.e89d25b2/scripts/announce-release   2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/scripts/announce-release   2019-02-11 
14:16:19.000000000 +0100
@@ -155,6 +155,8 @@
 (echo "Please find the usual URLs below :"
  echo "   Site index       : http://www.haproxy.org/";
  echo "   Discourse        : http://discourse.haproxy.org/";
+ echo "   Slack channel    : https://slack.haproxy.org/";
+ echo "   Issue tracker    : https://github.com/haproxy/haproxy/issues";
  echo "   Sources          : http://www.haproxy.org/download/${BRANCH}/src/";
  echo "   Git repository   : http://git.haproxy.org/git/${gitdir}/";
  echo "   Git Web browsing : http://git.haproxy.org/?p=${gitdir}";
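Review bot: the two added URLs use `https://` while the neighbouring site, download and git links printed by the same script are `http://`. Since this text goes into release announcements that people copy links from, it would be worth aligning all of them on `https://` where the hosts support it, rather than mixing schemes in one list.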
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/action.c 
new/haproxy-1.8.19~git0.ebf033b4/src/action.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/action.c       2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/action.c       2019-02-11 
14:16:19.000000000 +0100
@@ -51,6 +51,11 @@
                          trk_idx(rule->action));
                return 0;
        }
+       else if (px->bind_proc & ~target->bind_proc) {
+               memprintf(err, "stick-table '%s' referenced by 'track-sc%d' 
rule not present on all processes covered by proxy '%s'",
+                         target->id, trk_idx(rule->action), px->id);
+               return 0;
+       }
        else {
                free(rule->arg.trk_ctr.table.n);
                rule->arg.trk_ctr.table.t = &target->table;
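Review bot: `px->bind_proc & ~target->bind_proc` only gives the intended answer if both masks have been normalized before this check runs; if `bind_proc == 0` still means "all processes" at this point, a proxy with no explicit `bind-process` passes vacuously while a table with none would fail every referencing proxy. Please confirm the ordering relative to the pass that expands unset masks, and consider a short comment stating that both values are full masks here. The wording of the message, "referenced by 'track-sc%d' rule not present on all processes", reads fine.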
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/backend.c 
new/haproxy-1.8.19~git0.ebf033b4/src/backend.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/backend.c      2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/backend.c      2019-02-11 
14:16:19.000000000 +0100
@@ -183,7 +183,7 @@
        if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
                h = full_hash(h);
  hash_done:
-       if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
+       if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
                return chash_get_server_hash(px, h, avoid);
        else
                return map_get_server_hash(px, h);
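Review bot: the old test `algo & BE_LB_LKUP_CHTREE` was a bit test on what is evidently a multi-value field, so any `BE_LB_LKUP_*` value sharing a bit with `BE_LB_LKUP_CHTREE` was routed to the consistent-hash tree. Masking with `BE_LB_LKUP` first and comparing for equality is the correct form; the same replacement is repeated in every hash path below, which is good, and a `case`-based dispatch on the masked field would make the remaining sites harder to get wrong in future.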
@@ -236,7 +236,7 @@
        if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
                hash = full_hash(hash);
  hash_done:
-       if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
+       if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
                return chash_get_server_hash(px, hash, avoid);
        else
                return map_get_server_hash(px, hash);
@@ -293,7 +293,7 @@
                                if ((px->lbprm.algo & BE_LB_HASH_MOD) == 
BE_LB_HMOD_AVAL)
                                        hash = full_hash(hash);
 
-                               if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
+                               if ((px->lbprm.algo & BE_LB_LKUP) == 
BE_LB_LKUP_CHTREE)
                                        return chash_get_server_hash(px, hash, 
avoid);
                                else
                                        return map_get_server_hash(px, hash);
@@ -367,7 +367,7 @@
                                if ((px->lbprm.algo & BE_LB_HASH_MOD) == 
BE_LB_HMOD_AVAL)
                                        hash = full_hash(hash);
 
-                               if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
+                               if ((px->lbprm.algo & BE_LB_LKUP) == 
BE_LB_LKUP_CHTREE)
                                        return chash_get_server_hash(px, hash, 
avoid);
                                else
                                        return map_get_server_hash(px, hash);
@@ -463,7 +463,7 @@
        if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
                hash = full_hash(hash);
  hash_done:
-       if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
+       if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
                return chash_get_server_hash(px, hash, avoid);
        else
                return map_get_server_hash(px, hash);
@@ -507,7 +507,7 @@
        if ((px->lbprm.algo & BE_LB_HASH_MOD) == BE_LB_HMOD_AVAL)
                hash = full_hash(hash);
  hash_done:
-       if (px->lbprm.algo & BE_LB_LKUP_CHTREE)
+       if ((px->lbprm.algo & BE_LB_LKUP) == BE_LB_LKUP_CHTREE)
                return chash_get_server_hash(px, hash, avoid);
        else
                return map_get_server_hash(px, hash);
@@ -615,7 +615,7 @@
                case BE_LB_LKUP_CHTREE:
                case BE_LB_LKUP_MAP:
                        if ((s->be->lbprm.algo & BE_LB_KIND) == BE_LB_KIND_RR) {
-                               if (s->be->lbprm.algo & BE_LB_LKUP_CHTREE)
+                               if ((s->be->lbprm.algo & BE_LB_LKUP) == 
BE_LB_LKUP_CHTREE)
                                        srv = chash_get_next_server(s->be, 
prev_srv);
                                else
                                        srv = map_get_server_rr(s->be, 
prev_srv);
@@ -691,7 +691,7 @@
                         * back to round robin on the map.
                         */
                        if (!srv) {
-                               if (s->be->lbprm.algo & BE_LB_LKUP_CHTREE)
+                               if ((s->be->lbprm.algo & BE_LB_LKUP) == 
BE_LB_LKUP_CHTREE)
                                        srv = chash_get_next_server(s->be, 
prev_srv);
                                else
                                        srv = map_get_server_rr(s->be, 
prev_srv);
@@ -1516,6 +1516,8 @@
                curproxy->lbprm.algo |= BE_LB_ALGO_UH;
 
                curproxy->uri_whole = 0;
+               curproxy->uri_len_limit = 0;
+               curproxy->uri_dirs_depth1 = 0;
 
                while (*args[arg]) {
                        if (!strcmp(args[arg], "len")) {
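Review bot: resetting `uri_len_limit` and `uri_dirs_depth1` together with `uri_whole` at the start of `balance uri` parsing is needed now that the cfgparse hunk in this same patch copies those fields from `defaults`; without it a backend that says `balance uri` with no `len`/`depth` argument would keep the values inherited from the defaults section. A comment stating that these three are reset to override defaults would make the intent obvious.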
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/cache.c 
new/haproxy-1.8.19~git0.ebf033b4/src/cache.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/cache.c        2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/cache.c        2019-02-11 
14:16:19.000000000 +0100
@@ -400,7 +400,7 @@
        struct cache *cache = (struct cache *)rule->arg.act.p[0];
        struct shared_context *shctx = shctx_ptr(cache);
        struct cache_entry *object;
-
+       unsigned int key = *(unsigned int *)txn->cache_hash;
 
        /* Don't cache if the response came from a cache */
        if ((obj_type(s->target) == OBJ_TYPE_APPLET) &&
@@ -420,6 +420,10 @@
        if (txn->meth != HTTP_METH_GET)
                goto out;
 
+       /* cache key was not computed */
+       if (!key)
+               goto out;
+
        /* cache only 200 status code */
        if (txn->status != 200)
                goto out;
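Review bot: using `key == 0` as the "hash not computed" sentinel means a genuine digest whose first 32 bits happen to be zero is never cached. That is harmless (a cache miss, not a wrong answer) but deserves a comment, or better an explicit "hash computed" flag on the transaction so the sentinel cannot collide. The cast `*(unsigned int *)txn->cache_hash` also assumes the byte array is suitably aligned; a `memcpy` into `key` would avoid relying on that.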
@@ -478,7 +482,7 @@
 
                                        cache_ctx->first_block = first;
 
-                                       object->eb.key = (*(unsigned int 
*)&txn->cache_hash);
+                                       object->eb.key = key;
                                        memcpy(object->hash, txn->cache_hash, 
sizeof(object->hash));
                                        /* Insert the node later on caching 
success */
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/cfgparse.c 
new/haproxy-1.8.19~git0.ebf033b4/src/cfgparse.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/cfgparse.c     2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/cfgparse.c     2019-02-11 
14:16:19.000000000 +0100
@@ -613,16 +613,20 @@
        else if (strcmp(arg, "even") == 0)
                *proc |= (~0UL/3UL) << 1; /* 0xAAA...AAA */
        else {
-               char *dash;
+               const char *p, *dash = NULL;
                unsigned int low, high;
 
-               if (!isdigit((int)*arg)) {
-                       memprintf(err, "'%s' is not a valid number.\n", arg);
-                       return -1;
+               for (p = arg; *p; p++) {
+                       if (*p == '-' && !dash)
+                               dash = p;
+                       else if (!isdigit((int)*p)) {
+                               memprintf(err, "'%s' is not a valid 
number/range.", arg);
+                               return -1;
+                       }
                }
 
                low = high = str2uic(arg);
-               if ((dash = strchr(arg, '-')) != NULL)
+               if (dash)
                        high = ((!*(dash+1)) ? LONGBITS : str2uic(dash + 1));
 
                if (high < low) {
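Review bot: the new validation loop still accepts a leading dash: for `"-5"` the first character sets `dash = arg` and the remaining digit passes, so `low = str2uic("-5")` and `high = str2uic("5")` reach the `high < low` test with `low` derived from a string that starts with `-`. An empty `arg` likewise passes the loop with `low = high = 0`. Unless a later check rejects `low == 0`, require `isdigit((int)*arg)` before the loop (the check this hunk removes) so that ranges must start with a digit.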
@@ -2844,7 +2848,10 @@
 
                        if (defproxy.url_param_name)
                                curproxy->url_param_name = 
strdup(defproxy.url_param_name);
-                       curproxy->url_param_len = defproxy.url_param_len;
+                       curproxy->url_param_len   = defproxy.url_param_len;
+                       curproxy->uri_whole       = defproxy.uri_whole;
+                       curproxy->uri_len_limit   = defproxy.uri_len_limit;
+                       curproxy->uri_dirs_depth1 = defproxy.uri_dirs_depth1;
 
                        if (defproxy.hh_name)
                                curproxy->hh_name = strdup(defproxy.hh_name);
@@ -7648,9 +7655,9 @@
                        /* detect and address thread affinity inconsistencies */
                        nbproc = 0;
                        if (bind_conf->bind_proc)
-                               nbproc = my_ffsl(bind_conf->bind_proc);
+                               nbproc = my_ffsl(bind_conf->bind_proc) - 1;
 
-                       mask = bind_conf->bind_thread[nbproc - 1];
+                       mask = bind_conf->bind_thread[nbproc];
                        if (mask && !(mask & all_threads_mask)) {
                                unsigned long new_mask = 0;
 
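Review bot: this corrects an out-of-bounds read: `my_ffsl()` is 1-based, and when `bind_conf->bind_proc` was unset `nbproc` stayed 0, so `bind_thread[nbproc - 1]` indexed `bind_thread[-1]`. Converting to a 0-based index immediately after `my_ffsl()` and indexing with `nbproc` directly fixes both the unset and the set case; a comment noting that `my_ffsl()` returns a 1-based position would stop someone "simplifying" the `- 1` away later.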
@@ -7996,6 +8003,11 @@
                                         curproxy->id, mrule->table.name ? 
mrule->table.name : curproxy->id);
                                cfgerr++;
                        }
+                       else if (curproxy->bind_proc & ~target->bind_proc) {
+                               ha_alert("Proxy '%s': stick-table '%s' 
referenced 'stick-store' rule not present on all processes covered by proxy 
'%s'.\n",
+                                        curproxy->id, target->id, 
curproxy->id);
+                               cfgerr++;
+                       }
                        else {
                                free((void *)mrule->table.name);
                                mrule->table.t = &(target->table);
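Review bot: the alert text "stick-table '%s' referenced 'stick-store' rule not present on all processes" is missing a word; it should read "referenced by 'stick-store' rule". The same block, message included, is duplicated verbatim in the next hunk for the second rule list, so a helper that validates one rule list against `curproxy->bind_proc` would fix both messages in one place.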
@@ -8029,6 +8041,11 @@
                                         curproxy->id, mrule->table.name ? 
mrule->table.name : curproxy->id);
                                cfgerr++;
                        }
+                       else if (curproxy->bind_proc & ~target->bind_proc) {
+                               ha_alert("Proxy '%s': stick-table '%s' 
referenced 'stick-store' rule not present on all processes covered by proxy 
'%s'.\n",
+                                        curproxy->id, target->id, 
curproxy->id);
+                               cfgerr++;
+                       }
                        else {
                                free((void *)mrule->table.name);
                                mrule->table.t = &(target->table);
@@ -8829,6 +8846,33 @@
                                }
                        }
                }
+
+               /* initialize idle conns lists */
+               for (newsrv = curproxy->srv; newsrv; newsrv = newsrv->next) {
+                       int i;
+
+                       newsrv->priv_conns = calloc(global.nbthread, 
sizeof(*newsrv->priv_conns));
+                       newsrv->idle_conns = calloc(global.nbthread, 
sizeof(*newsrv->idle_conns));
+                       newsrv->safe_conns = calloc(global.nbthread, 
sizeof(*newsrv->safe_conns));
+
+                       if (!newsrv->priv_conns || !newsrv->idle_conns || 
!newsrv->safe_conns) {
+                               free(newsrv->safe_conns); newsrv->safe_conns = 
NULL;
+                               free(newsrv->idle_conns); newsrv->idle_conns = 
NULL;
+                               free(newsrv->priv_conns); newsrv->priv_conns = 
NULL;
+                               ha_alert("parsing [%s:%d] : failed to allocate 
idle connections for server '%s'.\n",
+                                        newsrv->conf.file, newsrv->conf.line, 
newsrv->id);
+                               cfgerr++;
+                               continue;
+                       }
+
+                       for (i = 0; i < global.nbthread; i++) {
+                               LIST_INIT(&newsrv->priv_conns[i]);
+                               LIST_INIT(&newsrv->idle_conns[i]);
+                               LIST_INIT(&newsrv->safe_conns[i]);
+                       }
+
+                       LIST_INIT(&newsrv->update_status);
+               }
        }
 
        /***********************************************************/
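Review bot: on allocation failure the `continue` skips `LIST_INIT(&newsrv->update_status)` for that server, leaving the list head zeroed from the server allocation rather than self-linked. Since `cfgerr` is incremented the process should exit before using it, but any cleanup pass that walks `update_status` before exit would see an invalid list; moving the `LIST_INIT` above the three `calloc` calls costs nothing and removes the dependency. The three partial frees before the alert are correct.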
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/checks.c 
new/haproxy-1.8.19~git0.ebf033b4/src/checks.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/checks.c       2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/checks.c       2019-02-11 
14:16:19.000000000 +0100
@@ -1403,12 +1403,13 @@
        }
 
        if (check->result != CHK_RES_UNKNOWN) {
-               /* We're here because nobody wants to handle the error, so we
-                * sure want to abort the hard way.
-                */
+               /* Check complete or aborted. If connection not yet closed do it
+                * now and wake the check task up to be sure the result is
+                * handled ASAP. */
                conn_sock_drain(conn);
                cs_close(cs);
                ret = -1;
+               task_wakeup(check->task, TASK_WOKEN_IO);
        }
 
        HA_SPIN_UNLOCK(SERVER_LOCK, &check->server->lock);
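Review bot: the added `task_wakeup()` runs while `SERVER_LOCK` is still held (released two lines below). If the check task can run immediately on another thread and itself acquires the server lock, that is not a deadlock since the wakeup is asynchronous, but it does mean the task may spin on the lock until this function unlocks; placing the wakeup after `HA_SPIN_UNLOCK` avoids that without changing the result. The rewritten comment is clearer than the old one.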
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/flt_spoe.c 
new/haproxy-1.8.19~git0.ebf033b4/src/flt_spoe.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/flt_spoe.c     2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/flt_spoe.c     2019-02-11 
14:16:19.000000000 +0100
@@ -170,8 +170,10 @@
                LIST_DEL(&grp->list);
                spoe_release_group(grp);
        }
-       for (i = 0; i < global.nbthread; ++i)
-               HA_SPIN_DESTROY(&agent->rt[i].lock);
+       if (agent->rt) {
+               for (i = 0; i < global.nbthread; ++i)
+                       HA_SPIN_DESTROY(&agent->rt[i].lock);
+       }
        free(agent->rt);
        free(agent);
 }
@@ -444,7 +446,7 @@
        if (agent != NULL && (agent->flags & SPOE_FL_RCV_FRAGMENTATION)) {
                if (chk->len) chk->str[chk->len++] = ',';
                memcpy(chk->str+chk->len, "fragmentation", 13);
-               chk->len += 5;
+               chk->len += 13;
        }
        if (spoe_encode_buffer(chk->str, chk->len, &p, end) == -1)
                goto too_big;
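Review bot: `memcpy` copies the 13 bytes of "fragmentation" but the old code only advanced `chk->len` by 5, so the capability string handed to `spoe_encode_buffer()` was truncated to "fragm" (and later appended tokens would have overwritten the rest); `+= 13` is the correct fix. Consider `sizeof("fragmentation") - 1` instead of a literal so the length cannot drift from the string again, and confirm that `chk->str` is sized for the comma plus 13 bytes before the `memcpy`, since no room check is visible here.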
@@ -817,10 +819,14 @@
                SPOE_APPCTX(appctx)->status_code = SPOE_FRM_ERR_NO_FRAME_SIZE;
                return -1;
        }
-       if ((flags & SPOE_APPCTX_FL_PIPELINING) && !(agent->flags & 
SPOE_FL_PIPELINING))
-               flags &= ~SPOE_APPCTX_FL_PIPELINING;
-       if ((flags & SPOE_APPCTX_FL_ASYNC) && !(agent->flags & SPOE_FL_ASYNC))
-               flags &= ~SPOE_APPCTX_FL_ASYNC;
+       if (!agent)
+               flags &= ~(SPOE_APPCTX_FL_PIPELINING|SPOE_APPCTX_FL_ASYNC);
+       else {
+               if ((flags & SPOE_APPCTX_FL_PIPELINING) && !(agent->flags & 
SPOE_FL_PIPELINING))
+                       flags &= ~SPOE_APPCTX_FL_PIPELINING;
+               if ((flags & SPOE_APPCTX_FL_ASYNC) && !(agent->flags & 
SPOE_FL_ASYNC))
+                       flags &= ~SPOE_APPCTX_FL_ASYNC;
+       }
 
        SPOE_APPCTX(appctx)->version        = (unsigned int)vsn;
        SPOE_APPCTX(appctx)->max_frame_size = (unsigned int)max_frame_size;
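Review bot: handling `agent == NULL` explicitly (the SPOP health-check case, where no agent configuration exists) fixes a NULL dereference in the old flag adjustment; clearing both pipelining and async in that case is the conservative choice. Please verify that every later use of `agent` in this function is guarded the same way, because this hunk only covers the flag negotiation.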
@@ -2881,6 +2887,7 @@
        struct flt_conf    *f;
        struct spoe_config *conf = fconf->conf;
        struct proxy       *target;
+       int i;
 
        /* Check all SPOE filters for proxy <px> to be sure all SPOE agent names
         * are uniq */
@@ -2918,6 +2925,34 @@
                return 1;
        }
 
+       if (px->bind_proc & ~target->bind_proc) {
+               ha_alert("Proxy %s : backend '%s' used by SPOE agent '%s' 
declared"
+                        " at %s:%d does not cover all of its processes.\n",
+                        px->id, target->id, conf->agent->id,
+                        conf->agent->conf.file, conf->agent->conf.line);
+               return 1;
+       }
+
+       /* finish per-thread agent initialization */
+       if (global.nbthread == 1)
+               conf->agent->flags |= SPOE_FL_ASYNC;
+
+       if ((curagent->rt = calloc(global.nbthread, sizeof(*curagent->rt))) == 
NULL) {
+               ha_alert("Proxy %s : out of memory initializing SPOE agent '%s' 
declared at %s:%d.\n",
+                        px->id, conf->agent->id, conf->agent->conf.file, 
conf->agent->conf.line);
+               return 1;
+       }
+       for (i = 0; i < global.nbthread; ++i) {
+               curagent->rt[i].frame_size   = curagent->max_frame_size;
+               curagent->rt[i].applets_act  = 0;
+               curagent->rt[i].applets_idle = 0;
+               curagent->rt[i].sending_rate = 0;
+               LIST_INIT(&curagent->rt[i].applets);
+               LIST_INIT(&curagent->rt[i].sending_queue);
+               LIST_INIT(&curagent->rt[i].waiting_queue);
+               HA_SPIN_INIT(&curagent->rt[i].lock);
+       }
+
        free(conf->agent->b.name);
        conf->agent->b.name = NULL;
        conf->agent->b.be = target;
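Review bot: the moved initialization mixes `conf->agent` (for `flags`, the alert text and the file/line) with `curagent` (for the `rt` allocation and the per-thread loop). If `curagent` is the file-scope parse-time pointer, it happens to equal `conf->agent` here but that is an implicit coupling between the parser and this check function; using `conf->agent` throughout would make the code self-contained and safe if the check is ever called in another order. Also note the new bind_proc test above returns 1 before allocation, so there is nothing to free there, which is correct.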
@@ -3196,8 +3231,6 @@
                curagent->var_pfx        = NULL;
                curagent->var_on_error   = NULL;
                curagent->flags          = (SPOE_FL_PIPELINING | 
SPOE_FL_SND_FRAGMENTATION);
-               if (global.nbthread == 1)
-                       curagent->flags |= SPOE_FL_ASYNC;
                curagent->cps_max        = 0;
                curagent->eps_max        = 0;
                curagent->max_frame_size = MAX_FRAME_SIZE;
@@ -3208,22 +3241,6 @@
                        LIST_INIT(&curagent->events[i]);
                LIST_INIT(&curagent->groups);
                LIST_INIT(&curagent->messages);
-
-               if ((curagent->rt = calloc(global.nbthread, 
sizeof(*curagent->rt))) == NULL) {
-                       ha_alert("parsing [%s:%d] : out of memory.\n", file, 
linenum);
-                       err_code |= ERR_ALERT | ERR_ABORT;
-                       goto out;
-               }
-               for (i = 0; i < global.nbthread; ++i) {
-                       curagent->rt[i].frame_size   = curagent->max_frame_size;
-                       curagent->rt[i].applets_act  = 0;
-                       curagent->rt[i].applets_idle = 0;
-                       curagent->rt[i].sending_rate = 0;
-                       LIST_INIT(&curagent->rt[i].applets);
-                       LIST_INIT(&curagent->rt[i].sending_queue);
-                       LIST_INIT(&curagent->rt[i].waiting_queue);
-                       HA_SPIN_INIT(&curagent->rt[i].lock);
-               }
        }
        else if (!strcmp(args[0], "use-backend")) {
                if (!*args[1]) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/haproxy.c 
new/haproxy-1.8.19~git0.ebf033b4/src/haproxy.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/haproxy.c      2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/haproxy.c      2019-02-11 
14:16:19.000000000 +0100
@@ -2155,6 +2155,7 @@
                }
 
                deinit_tcp_rules(&p->tcp_req.inspect_rules);
+               deinit_tcp_rules(&p->tcp_rep.inspect_rules);
                deinit_tcp_rules(&p->tcp_req.l4_rules);
 
                deinit_stick_rules(&p->storersp_rules);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/hlua.c 
new/haproxy-1.8.19~git0.ebf033b4/src/hlua.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/hlua.c 2019-01-08 14:11:02.000000000 
+0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/hlua.c 2019-02-11 14:16:19.000000000 
+0100
@@ -7984,9 +7984,9 @@
        socket_ssl.obj_type = OBJ_TYPE_SERVER;
        LIST_INIT(&socket_ssl.actconns);
        LIST_INIT(&socket_ssl.pendconns);
-       socket_tcp.priv_conns = NULL;
-       socket_tcp.idle_conns = NULL;
-       socket_tcp.safe_conns = NULL;
+       socket_ssl.priv_conns = NULL;
+       socket_ssl.idle_conns = NULL;
+       socket_ssl.safe_conns = NULL;
        socket_ssl.next_state = SRV_ST_RUNNING; /* early server setup */
        socket_ssl.last_change = 0;
        socket_ssl.id = "LUA-SSL-CONN";
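Review bot: this is a copy-paste fix; the three assignments in the `socket_ssl` setup block were writing `socket_tcp`'s fields, leaving `socket_ssl.priv_conns`, `idle_conns` and `safe_conns` at whatever the object's initial value was and re-clearing the TCP socket's pointers. Harmless only if `socket_ssl` has static storage (zero-initialized); correcting the target object removes that dependency.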
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/hpack-dec.c 
new/haproxy-1.8.19~git0.ebf033b4/src/hpack-dec.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/hpack-dec.c    2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/hpack-dec.c    2019-02-11 
14:16:19.000000000 +0100
@@ -213,6 +213,12 @@
                                ret = -HPACK_ERR_TRUNCATED;
                                goto leave;
                        }
+
+                       if (idx > dht->size) {
+                               hpack_debug_printf("##ERR@%d##\n", __LINE__);
+                               ret = -HPACK_ERR_INVALID_ARGUMENT;
+                               goto leave;
+                       }
                        continue;
                }
                else if (!(*raw & (*raw - 0x10))) {
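Review bot: rejecting a dynamic table size update with `idx > dht->size` is a necessary bound check: a peer must not be able to raise the decoder's table beyond what the decoder allocated, and returning `-HPACK_ERR_INVALID_ARGUMENT` makes the connection fail cleanly instead of resizing past the buffer. The check sits after the truncation test, which is the right order; a short comment citing the HPACK rule that a size update must not exceed the limit set by the decoder would document why the cap is `dht->size`.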
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/mux_h2.c 
new/haproxy-1.8.19~git0.ebf033b4/src/mux_h2.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/mux_h2.c       2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/mux_h2.c       2019-02-11 
14:16:19.000000000 +0100
@@ -548,12 +548,15 @@
        h2c->st0 = H2_CS_ERROR;
 }
 
-/* marks an error on the stream */
+/* marks an error on the stream. It may also update an already closed stream
+ * (e.g. to report an error after an RST was received).
+ */
 static inline __maybe_unused void h2s_error(struct h2s *h2s, enum h2_err err)
 {
-       if (h2s->st > H2_SS_IDLE && h2s->st < H2_SS_ERROR) {
+       if (h2s->id && h2s->st != H2_SS_ERROR) {
                h2s->errcode = err;
-               h2s->st = H2_SS_ERROR;
+               if (h2s->st < H2_SS_ERROR)
+                       h2s->st = H2_SS_ERROR;
                if (h2s->cs)
                        h2s->cs->flags |= CS_FL_ERROR;
        }
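Review bot: the condition changes from a state-range test (`st > H2_SS_IDLE && st < H2_SS_ERROR`) to `h2s->id && st != H2_SS_ERROR`, so closed streams now record an error code as the new comment says; the inner `st < H2_SS_ERROR` guard keeps a closed stream from being moved back to the error state. This relies on `id == 0` being the only way to identify the idle placeholder stream; if idle streams can ever carry a non-zero id, the old state check should be kept alongside the id check.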
@@ -1140,6 +1143,14 @@
        while (node) {
                h2s = container_of(node, struct h2s, by_id);
                h2s->mws += diff;
+
+               if (h2s->mws > 0 && (h2s->flags & H2_SF_BLK_SFCTL)) {
+                       h2s->flags &= ~H2_SF_BLK_SFCTL;
+                       if (h2s->cs && LIST_ISEMPTY(&h2s->list) &&
+                           (h2s->cs->flags & CS_FL_DATA_WR_ENA))
+                               LIST_ADDQ(&h2c->send_list, &h2s->list);
+               }
+
                node = eb32_next(node);
        }
 }
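Review bot: re-queuing a stream into `send_list` when a connection-level WINDOW_UPDATE lifts its `H2_SF_BLK_SFCTL` block is the missing counterpart to the blocking path; the `LIST_ISEMPTY(&h2s->list)` test correctly avoids double insertion and the `CS_FL_DATA_WR_ENA` test avoids waking streams with nothing to send. Note that only `mws > 0` clears the flag, so a stream whose window reaches exactly zero stays blocked, which matches the flow-control semantics.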
@@ -1766,7 +1777,11 @@
 
        /* last frame */
        if (h2c->dff & H2_F_DATA_END_STREAM) {
-               h2s->st = H2_SS_HREM;
+               if (h2s->st == H2_SS_OPEN)
+                       h2s->st = H2_SS_HREM;
+               else
+                       h2s_close(h2s);
+
                h2s->flags |= H2_SF_ES_RCVD;
        }
 
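Review bot: for an END_STREAM flag on a stream that is not `H2_SS_OPEN` (typically half-closed local), the stream is now closed via `h2s_close()` instead of being forced into `H2_SS_HREM`, which previously reopened the remote side of an already locally closed stream. `H2_SF_ES_RCVD` is still set in both branches, which the later frame-state checks depend on, so the ordering is fine.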
@@ -1891,10 +1906,14 @@
                if (h2s->st == H2_SS_HREM && h2c->dft != H2_FT_WINDOW_UPDATE &&
                    h2c->dft != H2_FT_RST_STREAM && h2c->dft != H2_FT_PRIORITY) 
{
                        /* RFC7540#5.1: any frame other than WU/PRIO/RST in
-                        * this state MUST be treated as a stream error
+                        * this state MUST be treated as a stream error.
+                        * 6.2, 6.6 and 6.10 further mandate that HEADERS/
+                        * PUSH_PROMISE/CONTINUATION cause connection errors.
                         */
-                       h2s_error(h2s, H2_ERR_STREAM_CLOSED);
-                       h2c->st0 = H2_CS_FRAME_E;
+                       if (h2_ft_bit(h2c->dft) & H2_FT_HDR_MASK)
+                               h2c_error(h2c, H2_ERR_PROTOCOL_ERROR);
+                       else
+                               h2s_error(h2s, H2_ERR_STREAM_CLOSED);
                        goto strm_err;
                }
 
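Review bot: the assignment `h2c->st0 = H2_CS_FRAME_E` is removed for both branches, but only the new `h2c_error()` branch visibly sets a connection state; for the stream-error branch please confirm that the `strm_err` label sets `H2_CS_FRAME_E`, otherwise the stream error is recorded without the frame-level error state that the old code set here. Escalating HEADERS/PUSH_PROMISE/CONTINUATION on a half-closed (remote) stream to a connection error is what RFC 7540 sections 6.2, 6.6 and 6.10 require, so the split is correct.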
@@ -1910,7 +1929,7 @@
                 * Some frames have to be silently ignored as well.
                 */
                if (h2s->st == H2_SS_CLOSED && h2c->dsi) {
-                       if (h2c->dft == H2_FT_HEADERS || h2c->dft == 
H2_FT_PUSH_PROMISE) {
+                       if (h2_ft_bit(h2c->dft) & H2_FT_HDR_MASK) {
                                /* #5.1.1: The identifier of a newly
                                 * established stream MUST be numerically
                                 * greater than all streams that the initiating
@@ -1949,7 +1968,7 @@
                         * over which it ignores frames and treat frames that
                         * arrive after this time as being in error.
                         */
-                       if (!(h2s->flags & H2_SF_RST_SENT)) {
+                       if (h2s->id && !(h2s->flags & H2_SF_RST_SENT)) {
                                /* RFC7540#5.1:closed: any frame other than
                                 * PRIO/WU/RST in this state MUST be treated as
                                 * a connection error
@@ -2561,7 +2580,6 @@
        if (eb_is_empty(&h2c->streams_by_id) &&     /* don't close if streams 
exist */
            ((h2c->conn->flags & CO_FL_ERROR) ||    /* errors close immediately 
*/
             (h2c->st0 >= H2_CS_ERROR && !h2c->task) || /* a timeout stroke 
earlier */
-            (h2c->flags & (H2_CF_GOAWAY_FAILED | H2_CF_GOAWAY_SENT)) ||
             (!h2c->mbuf->o &&  /* mux buffer empty, also process clean events 
below */
              (conn_xprt_read0_pending(h2c->conn) ||
               (h2c->last_sid >= 0 && h2c->max_id >= h2c->last_sid))))) {
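Review bot: removing `(h2c->flags & (H2_CF_GOAWAY_FAILED | H2_CF_GOAWAY_SENT))` from the close condition means a connection on which a GOAWAY was sent, or could not be sent, is now kept open until one of the remaining conditions holds (an error flag, the timeout branch, or an empty mux buffer with read0 pending or `max_id >= last_sid`); check that the GOAWAY_FAILED case, where the mux buffer may never drain, still reaches the `!h2c->task` timeout branch, otherwise such connections linger and count against the frontend until the task expires.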
@@ -2588,11 +2606,17 @@
        if (h2s->st == H2_SS_HLOC || h2s->st == H2_SS_ERROR || h2s->st == 
H2_SS_CLOSED)
                return;
 
-       /* if no outgoing data was seen on this stream, it means it was
-        * closed with a "tcp-request content" rule that is normally
-        * used to kill the connection ASAP (eg: limit abuse). In this
-        * case we send a goaway to close the connection.
+       /* a connstream may require us to immediately kill the whole connection
+        * for example because of a "tcp-request content reject" rule that is
+        * normally used to limit abuse. In this case we schedule a goaway to
+        * close the connection.
         */
+       if ((h2s->cs->flags & CS_FL_KILL_CONN) &&
+           !(h2s->h2c->flags & (H2_CF_GOAWAY_SENT|H2_CF_GOAWAY_FAILED))) {
+               h2c_error(h2s->h2c, H2_ERR_ENHANCE_YOUR_CALM);
+               h2s_error(h2s, H2_ERR_ENHANCE_YOUR_CALM);
+       }
+
        if (!(h2s->flags & H2_SF_RST_SENT) &&
            h2s_send_rst_stream(h2s->h2c, h2s) <= 0)
                goto add_to_list;
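Review bot: `h2s->cs->flags` is dereferenced without checking `h2s->cs`, and the early `return` above only filters on `h2s->st`; confirm that every caller of this function has a connstream attached, since a stream whose cs was already detached would crash here. The comment also says "we schedule a goaway" while the code calls `h2c_error()`; say in the comment that the GOAWAY frame itself is emitted later by the send path, so the reader does not look for it in this function.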
@@ -2635,11 +2659,17 @@
                else
                        h2s->st = H2_SS_HLOC;
        } else {
-               /* if no outgoing data was seen on this stream, it means it was
-                * closed with a "tcp-request content" rule that is normally
-                * used to kill the connection ASAP (eg: limit abuse). In this
-                * case we send a goaway to close the connection.
+               /* a connstream may require us to immediately kill the whole 
connection
+                * for example because of a "tcp-request content reject" rule 
that is
+                * normally used to limit abuse. In this case we schedule a 
goaway to
+                * close the connection.
                 */
+               if ((h2s->cs->flags & CS_FL_KILL_CONN) &&
+                   !(h2s->h2c->flags & 
(H2_CF_GOAWAY_SENT|H2_CF_GOAWAY_FAILED))) {
+                       h2c_error(h2s->h2c, H2_ERR_ENHANCE_YOUR_CALM);
+                       h2s_error(h2s, H2_ERR_ENHANCE_YOUR_CALM);
+               }
+
                if (!(h2s->flags & H2_SF_RST_SENT) &&
                    h2s_send_rst_stream(h2s->h2c, h2s) <= 0)
                        goto add_to_list;
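Review bot: this block is a verbatim copy of the CS_FL_KILL_CONN check added in the previous hunk (same comment, same pair of `*_error()` calls with H2_ERR_ENHANCE_YOUR_CALM); factor both into a small static helper, for example a hypothetical `h2s_kill_conn_if_needed(h2s)`, so that the cs dereference and the GOAWAY-flag condition only have to be audited in one place when either shutdown path changes.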
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/proto_http.c 
new/haproxy-1.8.19~git0.ebf033b4/src/proto_http.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/proto_http.c   2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/proto_http.c   2019-02-11 
14:16:19.000000000 +0100
@@ -3935,7 +3935,8 @@
         * that parameter. This will be done in another analyser.
         */
        if (!(s->flags & (SF_ASSIGNED|SF_DIRECT)) &&
-           s->txn->meth == HTTP_METH_POST && s->be->url_param_name != NULL &&
+           s->txn->meth == HTTP_METH_POST &&
+           (s->be->lbprm.algo & BE_LB_ALGO) == BE_LB_ALGO_PH &&
            (msg->flags & (HTTP_MSGF_CNT_LEN|HTTP_MSGF_TE_CHNK))) {
                channel_dont_connect(req);
                req->analysers |= AN_REQ_HTTP_BODY;
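Review bot: the test now arms the body analyser only when `(s->be->lbprm.algo & BE_LB_ALGO) == BE_LB_ALGO_PH`, whereas the old `s->be->url_param_name != NULL` also fired for backends that set a url_param_name without balancing on it; the comment above still speaks of waiting for the body "for that parameter", so update it to say that the POST body is only buffered when the url_param hash algorithm is active, and note whether `url_param_name` is guaranteed non-NULL whenever BE_LB_ALGO_PH is selected, since the later analyser presumably still reads it.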
@@ -8210,6 +8211,7 @@
 
        txn->flags = 0;
        txn->status = -1;
+       *(unsigned int *)txn->cache_hash = 0;
 
        txn->cookie_first_date = 0;
        txn->cookie_last_date = 0;
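Review bot: `*(unsigned int *)txn->cache_hash = 0;` clears only the first `sizeof(unsigned int)` bytes of `cache_hash` through a type-punned pointer, which relies on the array being suitably aligned and on the remaining bytes being irrelevant; if the intent is "no cache hash computed for this transaction yet", a `memset()` over the whole field states that directly and avoids the aliasing and alignment caveats, at no meaningful cost in a per-transaction reset.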
@@ -12106,6 +12108,7 @@
 enum act_return http_action_reject(struct act_rule *rule, struct proxy *px,
                                    struct session *sess, struct stream *s, int 
flags)
 {
+       si_must_kill_conn(chn_prod(&s->req));
        channel_abort(&s->req);
        channel_abort(&s->res);
        s->req.analysers = 0;
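Review bot: `si_must_kill_conn(chn_prod(&s->req));` is inserted before the two `channel_abort()` calls with no comment; add one saying that the flag is what allows a multiplexed frontend connection (the mux-h2 hunks in this patch act on CS_FL_KILL_CONN) to be torn down rather than just the stream, since a reader of `http_action_reject()` cannot infer that from the name alone.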
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/sample.c 
new/haproxy-1.8.19~git0.ebf033b4/src/sample.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/sample.c       2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/sample.c       2019-02-11 
14:16:19.000000000 +0100
@@ -1261,6 +1261,13 @@
                                break;
                        }
 
+                       if (p->bind_proc & ~px->bind_proc) {
+                               ha_alert("parsing [%s:%d] : stick-table '%s' 
not present on all processes covered by proxy '%s'.\n",
+                                        cur->file, cur->line, px->id, p->id);
+                               cfgerr++;
+                               break;
+                       }
+
                        free(arg->data.str.str);
                        arg->data.str.str = NULL;
                        arg->unresolved = 0;
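Review bot: in `if (p->bind_proc & ~px->bind_proc)` the variable roles are the reverse of the other files in this patch (in proto_http.c `px` is the current proxy): here `p` is the proxy whose arguments are being resolved and `px` is the stick-table's proxy, which is why the alert prints `px->id` as the table and `p->id` as the proxy. A one-line comment above the test naming the two roles would prevent a future "fix" that swaps the format arguments. The `break` after `cfgerr++` leaves `arg->unresolved` set, consistent with the earlier error path visible just above.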
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/server.c 
new/haproxy-1.8.19~git0.ebf033b4/src/server.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/server.c       2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/server.c       2019-02-11 
14:16:19.000000000 +0100
@@ -1534,7 +1534,6 @@
 static struct server *new_server(struct proxy *proxy)
 {
        struct server *srv;
-       int i;
 
        srv = calloc(1, sizeof *srv);
        if (!srv)
@@ -1545,21 +1544,6 @@
        LIST_INIT(&srv->actconns);
        LIST_INIT(&srv->pendconns);
 
-       if ((srv->priv_conns = calloc(global.nbthread, 
sizeof(*srv->priv_conns))) == NULL)
-               goto free_srv;
-       if ((srv->idle_conns = calloc(global.nbthread, 
sizeof(*srv->idle_conns))) == NULL)
-               goto free_priv_conns;
-       if ((srv->safe_conns = calloc(global.nbthread, 
sizeof(*srv->safe_conns))) == NULL)
-               goto free_idle_conns;
-
-       for (i = 0; i < global.nbthread; i++) {
-               LIST_INIT(&srv->priv_conns[i]);
-               LIST_INIT(&srv->idle_conns[i]);
-               LIST_INIT(&srv->safe_conns[i]);
-       }
-
-       LIST_INIT(&srv->update_status);
-
        srv->next_state = SRV_ST_RUNNING; /* early server setup */
        srv->last_change = now.tv_sec;
 
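Review bot: besides the three per-thread `priv_conns`/`idle_conns`/`safe_conns` allocations, this hunk also drops `LIST_INIT(&srv->update_status);`, which does not depend on `global.nbthread`; confirm that it is initialised in the new post-configuration step together with the connection lists, otherwise every server is left with an uninitialised list head. A one-line comment in `new_server()` pointing at where the per-thread lists are now set up would also stop someone re-adding the allocation here.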
@@ -1572,14 +1556,6 @@
        srv->xprt  = srv->check.xprt = srv->agent.xprt = xprt_get(XPRT_RAW);
 
        return srv;
-
-  free_idle_conns:
-       free(srv->idle_conns);
-  free_priv_conns:
-       free(srv->priv_conns);
-  free_srv:
-       free(srv);
-       return NULL;
 }
 
 /*
@@ -2843,16 +2819,37 @@
                        HA_SPIN_LOCK(SERVER_LOCK, &srv->lock);
                        /* recover operational state and apply it to this server
                         * and all servers tracking this one */
+                       srv->check.health = srv_check_health;
                        switch (srv_op_state) {
                                case SRV_ST_STOPPED:
                                        srv->check.health = 0;
                                        srv_set_stopped(srv, "changed from 
server-state after a reload", NULL);
                                        break;
                                case SRV_ST_STARTING:
+                                       /* If rise == 1 there is no STARTING 
state, let's switch to
+                                        * RUNNING
+                                        */
+                                       if (srv->check.rise == 1) {
+                                               srv->check.health = 
srv->check.rise + srv->check.fall - 1;
+                                               srv_set_running(srv, "", NULL);
+                                               break;
+                                       }
+                                       if (srv->check.health < 1 || 
srv->check.health >= srv->check.rise)
+                                               srv->check.health = 
srv->check.rise - 1;
                                        srv->next_state = srv_op_state;
                                        break;
                                case SRV_ST_STOPPING:
-                                       srv->check.health = srv->check.rise + 
srv->check.fall - 1;
+                                       /* If fall == 1 there is no STOPPING 
state, let's switch to
+                                        * STOPPED
+                                        */
+                                       if (srv->check.fall == 1) {
+                                               srv->check.health = 0;
+                                               srv_set_stopped(srv, "changed 
from server-state after a reload", NULL);
+                                               break;
+                                       }
+                                       if (srv->check.health < srv->check.rise 
||
+                                           srv->check.health > srv->check.rise 
+ srv->check.fall - 2)
+                                               srv->check.health = 
srv->check.rise;
                                        srv_set_stopping(srv, "changed from 
server-state after a reload", NULL);
                                        break;
                                case SRV_ST_RUNNING:
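Review bot: in the `SRV_ST_STARTING` branch with `rise == 1`, `srv_set_running(srv, "", NULL)` passes an empty reason, while the STOPPED and STOPPING branches pass "changed from server-state after a reload"; use the same reason so the log line for a server restored from the state file is consistent across states. Also, since `srv->check.health = srv_check_health;` now runs before the switch and is only bounded in the STARTING (`1..rise-1`) and STOPPING (`rise..rise+fall-2`) cases, double-check that the RUNNING case, which is outside this hunk, applies a similar bound or document that any file value is accepted there.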
@@ -2906,7 +2903,6 @@
                        srv->last_change = date.tv_sec - srv_last_time_change;
                        srv->check.status = srv_check_status;
                        srv->check.result = srv_check_result;
-                       srv->check.health = srv_check_health;
 
                        /* Only case we want to apply is removing ENABLED flag 
which could have been
                         * done by the "disable health" command over the stats 
socket
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/ssl_sock.c 
new/haproxy-1.8.19~git0.ebf033b4/src/ssl_sock.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/ssl_sock.c     2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/ssl_sock.c     2019-02-11 
14:16:19.000000000 +0100
@@ -1406,6 +1406,10 @@
        BIO *write_bio;
        (void)ret; /* shut gcc stupid warning */
 
+#ifndef SSL_OP_NO_RENEGOTIATION
+       /* Please note that BoringSSL defines this macro to zero so don't
+        * change this to #if and do not assign a default value to this macro!
+        */
        if (where & SSL_CB_HANDSHAKE_START) {
                /* Disable renegotiation (CVE-2009-3555) */
                if ((conn->flags & (CO_FL_CONNECTED | CO_FL_EARLY_SSL_HS | 
CO_FL_EARLY_DATA)) == CO_FL_CONNECTED) {
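Review bot: wrapping the SSL_CB_HANDSHAKE_START check in `#ifndef SSL_OP_NO_RENEGOTIATION` also removes the `conn->err_code = CO_ER_SSL_RENEG` assignment on builds where the library option exists, so a client that attempts renegotiation is refused by the library instead and no longer appears under that error code in HAProxy's own reporting; mention this in the comment so operators comparing two builds know why the counter differs.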
@@ -1413,6 +1417,7 @@
                        conn->err_code = CO_ER_SSL_RENEG;
                }
        }
+#endif
 
        if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
                if (!(conn->xprt_st & SSL_SOCK_ST_FL_16K_WBFSIZE)) {
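Review bot: this `#endif` closes an `#ifndef` that starts in the previous hunk, one whole `if` block away; add a trailing comment such as `#endif /* !SSL_OP_NO_RENEGOTIATION */` so the pairing is visible without scrolling, especially since the matching `#ifndef` carries a warning about BoringSSL that is easy to miss.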
@@ -3806,6 +3811,11 @@
                options |= SSL_OP_NO_TICKET;
        if (bind_conf->ssl_options & BC_SSL_O_PREF_CLIE_CIPH)
                options &= ~SSL_OP_CIPHER_SERVER_PREFERENCE;
+
+#ifdef SSL_OP_NO_RENEGOTIATION
+       options |= SSL_OP_NO_RENEGOTIATION;
+#endif
+
        SSL_CTX_set_options(ctx, options);
 
 #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
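Review bot: `options |= SSL_OP_NO_RENEGOTIATION;` is a no-op on a library that defines the macro to zero (the comment in the earlier hunk says BoringSSL does exactly that), and on such a build the callback-based check is also compiled out by the `#ifndef`; the net effect there is that HAProxy enforces nothing itself and relies on the library refusing renegotiation on its own, which deserves a comment next to this `#ifdef` so it is not read as a regression.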
@@ -3821,6 +3831,10 @@
        SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
        SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
 #elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+       if (bind_conf->ssl_conf.early_data) {
+               SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
+               SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - 
global.tune.maxrewrite);
+       }
        SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
        SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
 #else
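Review bot: `SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY)` turns off OpenSSL's built-in single-use protection for 0-RTT tickets, so whenever `early_data` is enabled on the bind line, replayed early data is accepted at the TLS layer; the hunk gives no comment on why that is acceptable, and it should state that replay safety then depends on the HTTP layer treating early-data requests specially (refusing or delaying them until the handshake completes). The `global.tune.bufsize - global.tune.maxrewrite` bound passed to `SSL_CTX_set_max_early_data` also deserves a word explaining that it keeps the early data within a single request buffer.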
@@ -7623,15 +7637,36 @@
        }
 
        keys_ref = malloc(sizeof(*keys_ref));
+       if (!keys_ref) {
+               if (err)
+                        memprintf(err, "'%s' : allocation error", 
args[cur_arg+1]);
+               return ERR_ALERT | ERR_FATAL;
+       }
+
        keys_ref->tlskeys = malloc(TLS_TICKETS_NO * sizeof(struct 
tls_sess_key));
+       if (!keys_ref->tlskeys) {
+               free(keys_ref);
+               if (err)
+                        memprintf(err, "'%s' : allocation error", 
args[cur_arg+1]);
+               return ERR_ALERT | ERR_FATAL;
+       }
 
        if ((f = fopen(args[cur_arg + 1], "r")) == NULL) {
+               free(keys_ref->tlskeys);
+               free(keys_ref);
                if (err)
                        memprintf(err, "'%s' : unable to load ssl tickets keys 
file", args[cur_arg+1]);
                return ERR_ALERT | ERR_FATAL;
        }
 
        keys_ref->filename = strdup(args[cur_arg + 1]);
+       if (!keys_ref->filename) {
+               free(keys_ref->tlskeys);
+               free(keys_ref);
+               if (err)
+                        memprintf(err, "'%s' : allocation error", 
args[cur_arg+1]);
+               return ERR_ALERT | ERR_FATAL;
+       }
 
        while (fgets(thisline, sizeof(thisline), f) != NULL) {
                int len = strlen(thisline);
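Review bot: four error paths now repeat the same `free(keys_ref->tlskeys); free(keys_ref);` sequence (extended with `free(keys_ref->filename)` in the later hunks), each with its own copy of the "allocation error" `memprintf`; a single cleanup label that frees whatever has been allocated so far and closes `f` if it is open would keep the `fgets` loop error paths from having to mirror the list, which is exactly where a free gets forgotten when a field is added later. Minor: the `memprintf` lines inside the three new `if (!...)` blocks appear to be indented one column further than the existing `fopen` failure block, which suggests spaces were used where the file uses a tab.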
@@ -7643,6 +7678,9 @@
                        thisline[--len] = 0;
 
                if (base64dec(thisline, len, (char *) (keys_ref->tlskeys + i % 
TLS_TICKETS_NO), sizeof(struct tls_sess_key)) != sizeof(struct tls_sess_key)) {
+                       free(keys_ref->filename);
+                       free(keys_ref->tlskeys);
+                       free(keys_ref);
                        if (err)
                                memprintf(err, "'%s' : unable to decode base64 
key on line %d", args[cur_arg+1], i + 1);
                        fclose(f);
@@ -7652,6 +7690,9 @@
        }
 
        if (i < TLS_TICKETS_NO) {
+               free(keys_ref->filename);
+               free(keys_ref->tlskeys);
+               free(keys_ref);
                if (err)
                        memprintf(err, "'%s' : please supply at least %d keys 
in the tls-tickets-file", args[cur_arg+1], TLS_TICKETS_NO);
                fclose(f);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/stream.c 
new/haproxy-1.8.19~git0.ebf033b4/src/stream.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/stream.c       2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/stream.c       2019-02-11 
14:16:19.000000000 +0100
@@ -339,6 +339,9 @@
                offer_buffers(NULL, tasks_run_queue + applets_active_queue);
        }
 
+       pool_free(pool_head_uniqueid, s->unique_id);
+       s->unique_id = NULL;
+
        hlua_ctx_destroy(s->hlua);
        s->hlua = NULL;
        if (s->txn)
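Review bot: `pool_free(pool_head_uniqueid, s->unique_id);` followed by `s->unique_id = NULL;` is the right pairing (the NULL store is what prevents a second release), but it relies on `pool_free()` tolerating a NULL pointer for streams that never received a unique-id; a short comment noting that, and that no other release path for `unique_id` remains, would document the invariant this fix depends on.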
@@ -593,7 +596,8 @@
                         */
                        si->state    = SI_ST_EST;
                        si->err_type = SI_ET_DATA_ERR;
-                       rep->flags |= CF_READ_ERROR | CF_WRITE_ERROR;
+                       req->flags |= CF_WRITE_ERROR;
+                       rep->flags |= CF_READ_ERROR;
                        return 1;
                }
                si->exp   = TICK_ETERNITY;
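Review bot: splitting `rep->flags |= CF_READ_ERROR | CF_WRITE_ERROR` into `req->flags |= CF_WRITE_ERROR` and `rep->flags |= CF_READ_ERROR` attaches each error to the channel the server-side interface actually writes (the request) and reads (the response); the comment block above is cut off at the top of the hunk, so make sure it spells out that mapping, otherwise the next reader will wonder why the response channel lost its write-error flag.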
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/stream_interface.c 
new/haproxy-1.8.19~git0.ebf033b4/src/stream_interface.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/stream_interface.c     2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/stream_interface.c     2019-02-11 
14:16:19.000000000 +0100
@@ -830,6 +830,9 @@
        if (si->state != SI_ST_EST && si->state != SI_ST_CON)
                return;
 
+       if (si->flags & SI_FL_KILL_CONN)
+               cs->flags |= CS_FL_KILL_CONN;
+
        if (si_oc(si)->flags & CF_SHUTW) {
                cs_close(cs);
                si->state = SI_ST_DIS;
@@ -880,6 +883,9 @@
                 * However, if SI_FL_NOLINGER is explicitly set, we know there 
is
                 * no risk so we close both sides immediately.
                 */
+               if (si->flags & SI_FL_KILL_CONN)
+                       cs->flags |= CS_FL_KILL_CONN;
+
                if (si->flags & SI_FL_ERR) {
                        /* quick close, the socket is alredy shut anyway */
                }
@@ -914,6 +920,8 @@
                /* we may have to close a pending connection, and mark the
                 * response buffer as shutr
                 */
+               if (si->flags & SI_FL_KILL_CONN)
+                       cs->flags |= CS_FL_KILL_CONN;
                cs_close(cs);
                /* fall through */
        case SI_ST_CER:
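Review bot: this is the third identical `if (si->flags & SI_FL_KILL_CONN) cs->flags |= CS_FL_KILL_CONN;` propagation in this file (the two hunks above place the same copy just before a `cs_close()`); a tiny helper wrapping the flag copy and the close would make it harder to add a fourth close path that forgets it, which would silently downgrade a deliberate connection kill into a plain stream close.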
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/haproxy-1.8.17~git0.e89d25b2/src/tcp_rules.c 
new/haproxy-1.8.19~git0.ebf033b4/src/tcp_rules.c
--- old/haproxy-1.8.17~git0.e89d25b2/src/tcp_rules.c    2019-01-08 
14:11:02.000000000 +0100
+++ new/haproxy-1.8.19~git0.ebf033b4/src/tcp_rules.c    2019-02-11 
14:16:19.000000000 +0100
@@ -162,6 +162,7 @@
                                break;
                        }
                        else if (rule->action == ACT_ACTION_DENY) {
+                               si_must_kill_conn(chn_prod(req));
                                channel_abort(req);
                                channel_abort(&s->res);
                                req->analysers = 0;
@@ -340,6 +341,7 @@
                                break;
                        }
                        else if (rule->action == ACT_ACTION_DENY) {
+                               si_must_kill_conn(chn_prod(rep));
                                channel_abort(rep);
                                channel_abort(&s->req);
                                rep->analysers = 0;
@@ -357,6 +359,7 @@
                        }
                        else if (rule->action == ACT_TCP_CLOSE) {
                                chn_prod(rep)->flags |= SI_FL_NOLINGER | 
SI_FL_NOHALF;
+                               si_must_kill_conn(chn_prod(rep));
                                si_shutr(chn_prod(rep));
                                si_shutw(chn_prod(rep));
                                break;
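Review bot: `si_must_kill_conn(chn_prod(rep));` is correctly placed after the NOLINGER/NOHALF flags and before `si_shutr()`/`si_shutw()`: the stream_interface.c hunks in this patch copy SI_FL_KILL_CONN into CS_FL_KILL_CONN inside the shutdown paths, so calling it after the shut calls would have no effect, and a one-line comment on that ordering here (and in the two ACT_ACTION_DENY hunks above) would protect it. Note also that for the `tcp-response content` rules `chn_prod(rep)` is the server-side interface, so the kill applies to the server connection, unlike the request-side rules, which target the client; worth stating explicitly.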

