haproxy: bugfix release 1.5.13

  Released version 1.5.13 with the following main changes :
  - BUG/MINOR: check: fix tcpcheck error message
  - CLEANUP: deinit: remove codes for cleaning p->block_rules
  - DOC: Update doc about weight, act and bck fields in the statistics
  - MINOR: ssl: add a destructor to free allocated SSL ressources
  - BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value being overwritten
  - MEDIUM: ssl: replace standards DH groups with custom ones
  - BUG/MINOR: debug: display (null) in place of "meth"
  - BUG/MINOR: cfgparse: fix typo in 'option httplog' error message
  - BUG/MEDIUM: cfgparse: segfault when userlist is misused
  - BUG/MEDIUM: stats: properly initialize the scope before dumping stats
  - BUG/MEDIUM: http: don't forward client shutdown without NOLINGER except for tunnels
  - CLEANUP: checks: fix double usage of cur / current_step in tcp-checks
  - BUG/MEDIUM: checks: do not dereference head of a tcp-check at the end
  - CLEANUP: checks: simplify the loop processing of tcp-checks
  - BUG/MAJOR: checks: always check for end of list before proceeding
  - BUG/MEDIUM: checks: do not dereference a list as a tcpcheck struct
  - BUG/MEDIUM: peers: apply a random reconnection timeout
  - BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id
  - MEDIUM: init: don't stop proxies in parent process when exiting
  - MINOR: peers: store the pointer to the signal handler
  - MEDIUM: peers: unregister peers that were never started
  - MEDIUM: config: propagate the table's process list to the peers sections
  - MEDIUM: init: stop any peers section not bound to the correct process
  - MEDIUM: config: validate that peers sections are bound to exactly one process
  - MAJOR: peers: allow peers section to be used with nbproc > 1
  - DOC: relax the peers restriction to single-process
  - CLEANUP: config: fix misleading information in error message.
  - MINOR: config: report the number of processes using a peers section in the error case
  - BUG/MEDIUM: config: properly compute the default number of processes for a proxy

Signed-off-by: heil <redacted>

diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 71fa81d1dd514f9d21730ef12a80cc712e79223d..cd37fc776ceefc326a53f77c86b6964a286ffe4e 100644 (file)
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -9,12 +9,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=haproxy
-PKG_VERSION:=1.5.12
-PKG_RELEASE:=18
+PKG_VERSION:=1.5.13
+PKG_RELEASE:=00
 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_MD5SUM:=4b94b257f16d88c315716b062b22e48a
+PKG_MD5SUM:=30cf07875ecae4fd6c4c309627afa8f1
 PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de>
 PKG_LICENSE:=GPL-2.0
 

diff --git a/net/haproxy/patches/0001-BUG-MEDIUM-stats-properly-initialize-the-scope-befor.patch b/net/haproxy/patches/0001-BUG-MEDIUM-stats-properly-initialize-the-scope-befor.patch
deleted file mode 100644 (file)
index 4ae6c9a..0000000
--- a/net/haproxy/patches/0001-BUG-MEDIUM-stats-properly-initialize-the-scope-befor.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 0aa5899911bbc765ba16ce52a80fa76230781779 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Mon, 4 May 2015 18:07:56 +0200
-Subject: [PATCH 1/2] BUG/MEDIUM: stats: properly initialize the scope before
- dumping stats
-
-Issuing a "show sess all" prior to a "show stat" on the CLI results in no
-proxy being dumped because the scope_len union member was not properly
-reinitialized.
-
-This fix must be backported into 1.5.
-(cherry picked from commit 6bcb95da5b9cb143088102b460c7bcb37c1b3d81)
----
- src/dumpstats.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/dumpstats.c b/src/dumpstats.c
-index b616478..ca084ac 100644
---- a/src/dumpstats.c
-+++ b/src/dumpstats.c
-@@ -1109,6 +1109,8 @@ static int stats_sock_parse_request(struct stream_interface *si, char *line)
-               arg++;
-       }
- 
-+      appctx->ctx.stats.scope_str = 0;
-+      appctx->ctx.stats.scope_len = 0;
-       appctx->ctx.stats.flags = 0;
-       if (strcmp(args[0], "show") == 0) {
-               if (strcmp(args[1], "stat") == 0) {
--- 
-2.0.5
-

diff --git a/net/haproxy/patches/0002-BUG-MEDIUM-http-don-t-forward-client-shutdown-withou.patch b/net/haproxy/patches/0002-BUG-MEDIUM-http-don-t-forward-client-shutdown-withou.patch
deleted file mode 100644 (file)
index 3875b88..0000000
--- a/net/haproxy/patches/0002-BUG-MEDIUM-http-don-t-forward-client-shutdown-withou.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 294e4676a3b775a7accb50eb8428f293c218b5e2 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Mon, 11 May 2015 18:30:33 +0200
-Subject: [PATCH 2/2] BUG/MEDIUM: http: don't forward client shutdown without
- NOLINGER except for tunnels
-
-There's an issue related with shutting down POST transfers or closing the
-connection after the end of the upload : the shutdown is forwarded to the
-server regardless of the abortonclose option. The problem it causes is that
-during a scan, brute force or whatever, it becomes possible that all source
-ports are exhausted with all sockets in TIME_WAIT state.
-
-There are multiple issues at once in fact :
-  - no action is done for the close, it automatically happens at the lower
-    layers thanks for channel_auto_close(), so we cannot act on NOLINGER ;
-
-  - we *do* want to continue to send a clean shutdown in tunnel mode because
-    some protocols transported over HTTP may need this, regardless of option
-    abortonclose, thus we can't set the option inconditionally
-
-  - for all other modes, we do want to close the dirty way because we're
-    certain whether we've sent everything or not, and we don't want to eat
-    all source ports.
-
-The solution is a bit complex and applies to DONE/TUNNEL states :
-
-  1) disable automatic close for everything not a tunnel and not just
-     keep-alive / server-close. Force-close is now covered, as is HTTP/1.0
-     which implicitly works in force-close mode ;
-
-  2) when processing option abortonclose, we know we can disable lingering
-     if the client has closed and the connection is not in tunnel mode.
-
-Since the last case above leads to a situation where the client side reports
-an error, we know the connection will not be reused, so leaving the flag on
-the stream-interface is safe. A client closing in the middle of the data
-transmission already aborts the transaction so this case is not a problem.
-
-This fix must be backported to 1.5 where the problem was detected.
-(cherry picked from commit bbfb6c40854925367ae5f9e8b22c5c9a18dc69d5)
----
- src/proto_http.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/src/proto_http.c b/src/proto_http.c
-index 0ac3a47..5db64b5 100644
---- a/src/proto_http.c
-+++ b/src/proto_http.c
-@@ -5452,9 +5452,10 @@ int http_request_forward_body(struct session *s, struct channel *req, int an_bit
-                               msg->sov -= msg->next;
-                       msg->next = 0;
- 
--                      /* for keep-alive we don't want to forward closes on DONE */
--                      if ((txn->flags & TX_CON_WANT_MSK) == TX_CON_WANT_KAL ||
--                          (txn->flags & TX_CON_WANT_MSK) == TX_CON_WANT_SCL)
-+                      /* we don't want to forward closes on DONE except in
-+                       * tunnel mode.
-+                       */
-+                      if ((txn->flags & TX_CON_WANT_MSK) != TX_CON_WANT_TUN)
-                               channel_dont_close(req);
-                       if (http_resync_states(s)) {
-                               /* some state changes occurred, maybe the analyser
-@@ -5478,10 +5479,15 @@ int http_request_forward_body(struct session *s, struct channel *req, int an_bit
-                        * want to monitor the client's connection and forward
-                        * any shutdown notification to the server, which will
-                        * decide whether to close or to go on processing the
--                       * request.
-+                       * request. We only do that in tunnel mode, and not in
-+                       * other modes since it can be abused to exhaust source
-+                       * ports.
-                        */
-                       if (s->be->options & PR_O_ABRT_CLOSE) {
-                               channel_auto_read(req);
-+                              if ((req->flags & (CF_SHUTR|CF_READ_NULL)) &&
-+                                  ((txn->flags & TX_CON_WANT_MSK) != TX_CON_WANT_TUN))
-+                                      s->si[1].flags |= SI_FL_NOLINGER;
-                               channel_auto_close(req);
-                       }
-                       else if (s->txn.meth == HTTP_METH_POST) {
--- 
-2.0.5
-

diff --git a/net/haproxy/patches/0003-BUG-MINOR-check-fix-tcpcheck-error-message.patch b/net/haproxy/patches/0003-BUG-MINOR-check-fix-tcpcheck-error-message.patch
deleted file mode 100644 (file)
index 9bb3311..0000000
--- a/net/haproxy/patches/0003-BUG-MINOR-check-fix-tcpcheck-error-message.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 68e4fc2b9910dd090c5e729203b72444f75aaa75 Mon Sep 17 00:00:00 2001
-From: Baptiste Assmann <bedis9@gmail.com>
-Date: Fri, 1 May 2015 08:09:29 +0200
-Subject: [PATCH 3/8] BUG/MINOR: check: fix tcpcheck error message
-
-add the keyword 'string' when required (error in a tcpcheck expect
-string)
-(cherry picked from commit 96a5c9b57738c05ecce7822093b9c4118123dc1e)
----
- src/checks.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/checks.c b/src/checks.c
-index 71debb6..8b53f97 100644
---- a/src/checks.c
-+++ b/src/checks.c
-@@ -614,7 +614,7 @@ static void chk_report_conn_err(struct connection *conn, int errno_bck, int expi
-                       }
-                       else if (check->last_started_step && check->last_started_step->action == TCPCHK_ACT_EXPECT) {
-                               if (check->last_started_step->string)
--                                      chunk_appendf(chk, " (string '%s')", check->last_started_step->string);
-+                                      chunk_appendf(chk, " (expect string '%s')", check->last_started_step->string);
-                               else if (check->last_started_step->expect_regex)
-                                       chunk_appendf(chk, " (expect regex)");
-                       }
--- 
-2.0.5
-

diff --git a/net/haproxy/patches/0004-CLEANUP-checks-fix-double-usage-of-cur-current_step-.patch b/net/haproxy/patches/0004-CLEANUP-checks-fix-double-usage-of-cur-current_step-.patch
deleted file mode 100644 (file)
index 6acba4e..0000000
--- a/net/haproxy/patches/0004-CLEANUP-checks-fix-double-usage-of-cur-current_step-.patch
+++ /dev/null
@@ -1,178 +0,0 @@
-From 4f889006269e4d3f802de46f280ed198a15e3a69 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Wed, 13 May 2015 11:23:01 +0200
-Subject: [PATCH 4/8] CLEANUP: checks: fix double usage of cur / current_step
- in tcp-checks
-
-This cleanup is a preliminary requirement to the upcoming fixes for
-the bug that affect tcp-check's improper use of lists. It will have
-to be backported to 1.5 though it will not easily apply.
-
-There are two variables pointing to the current rule within the loop,
-and either one or the other is used depending on the code blocks,
-making it much harder to apply checks to fix the list walking bug.
-So first get rid of "cur" and only focus on current_step.
-(cherry picked from commit ce8c42a37a44a1e0cb94e81abb7cc2baf3d0ef80)
-
-[wt: 1.5 doesn't have comments so this patch differs significantly
- from 1.6, but it's needed for the next batch of fixes]
----
- src/checks.c | 57 ++++++++++++++++++++++++++++-----------------------------
- 1 file changed, 28 insertions(+), 29 deletions(-)
-
-diff --git a/src/checks.c b/src/checks.c
-index 8b53f97..cfdfe8c 100644
---- a/src/checks.c
-+++ b/src/checks.c
-@@ -1859,7 +1859,7 @@ static int tcpcheck_get_step_id(struct server *s)
- static void tcpcheck_main(struct connection *conn)
- {
-       char *contentptr;
--      struct tcpcheck_rule *cur, *next;
-+      struct tcpcheck_rule *next;
-       int done = 0, ret = 0;
-       struct check *check = conn->owner;
-       struct server *s = check->server;
-@@ -1916,15 +1916,11 @@ static void tcpcheck_main(struct connection *conn)
-               check->bo->o = 0;
-               check->bi->p = check->bi->data;
-               check->bi->i = 0;
--              cur = check->current_step = LIST_ELEM(head->n, struct tcpcheck_rule *, list);
-+              check->current_step = LIST_ELEM(head->n, struct tcpcheck_rule *, list);
-               t->expire = tick_add(now_ms, MS_TO_TICKS(check->inter));
-               if (s->proxy->timeout.check)
-                       t->expire = tick_add_ifset(now_ms, s->proxy->timeout.check);
-       }
--      /* keep on processing step */
--      else {
--              cur = check->current_step;
--      }
- 
-       /* It's only the rules which will enable send/recv */
-       __conn_data_stop_both(conn);
-@@ -1934,7 +1930,7 @@ static void tcpcheck_main(struct connection *conn)
-                * or if we're about to send a string that does not fit in the remaining space.
-                */
-               if (check->bo->o &&
--                  (&cur->list == head ||
-+                  (&check->current_step->list == head ||
-                    check->current_step->action != TCPCHK_ACT_SEND ||
-                    check->current_step->string_len >= buffer_total_space(check->bo))) {
- 
-@@ -1949,14 +1945,17 @@ static void tcpcheck_main(struct connection *conn)
-               }
- 
-               /* did we reach the end ? If so, let's check that everything was sent */
--              if (&cur->list == head) {
-+              if (&check->current_step->list == head) {
-                       if (check->bo->o)
-                               goto out_need_io;
-                       break;
-               }
- 
--              /* have 'next' point to the next rule or NULL if we're on the last one */
--              next = (struct tcpcheck_rule *)cur->list.n;
-+              /* have 'next' point to the next rule or NULL if we're on the
-+               * last one, connect() needs this.
-+               */
-+              next = (struct tcpcheck_rule *)check->current_step->list.n;
-+
-               if (&next->list == head)
-                       next = NULL;
- 
-@@ -2058,8 +2057,7 @@ static void tcpcheck_main(struct connection *conn)
-                       }
- 
-                       /* allow next rule */
--                      cur = (struct tcpcheck_rule *)cur->list.n;
--                      check->current_step = cur;
-+                      check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
- 
-                       /* don't do anything until the connection is established */
-                       if (!(conn->flags & CO_FL_CONNECTED)) {
-@@ -2113,8 +2111,7 @@ static void tcpcheck_main(struct connection *conn)
-                       *check->bo->p = '\0'; /* to make gdb output easier to read */
- 
-                       /* go to next rule and try to send */
--                      cur = (struct tcpcheck_rule *)cur->list.n;
--                      check->current_step = cur;
-+                      check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
-               } /* end 'send' */
-               else if (check->current_step->action == TCPCHK_ACT_EXPECT) {
-                       if (unlikely(check->result == CHK_RES_FAILED))
-@@ -2167,14 +2164,14 @@ static void tcpcheck_main(struct connection *conn)
-                               goto out_end_tcpcheck;
-                       }
- 
--                      if (!done && (cur->string != NULL) && (check->bi->i < cur->string_len) )
-+                      if (!done && (check->current_step->string != NULL) && (check->bi->i < check->current_step->string_len) )
-                               continue; /* try to read more */
- 
-               tcpcheck_expect:
--                      if (cur->string != NULL)
--                              ret = my_memmem(contentptr, check->bi->i, cur->string, cur->string_len) != NULL;
--                      else if (cur->expect_regex != NULL)
--                              ret = regex_exec(cur->expect_regex, contentptr);
-+                      if (check->current_step->string != NULL)
-+                              ret = my_memmem(contentptr, check->bi->i, check->current_step->string, check->current_step->string_len) != NULL;
-+                      else if (check->current_step->expect_regex != NULL)
-+                              ret = regex_exec(check->current_step->expect_regex, contentptr);
- 
-                       if (!ret && !done)
-                               continue; /* try to read more */
-@@ -2182,11 +2179,11 @@ static void tcpcheck_main(struct connection *conn)
-                       /* matched */
-                       if (ret) {
-                               /* matched but we did not want to => ERROR */
--                              if (cur->inverse) {
-+                              if (check->current_step->inverse) {
-                                       /* we were looking for a string */
--                                      if (cur->string != NULL) {
-+                                      if (check->current_step->string != NULL) {
-                                               chunk_printf(&trash, "TCPCHK matched unwanted content '%s' at step %d",
--                                                              cur->string, tcpcheck_get_step_id(s));
-+                                                           check->current_step->string, tcpcheck_get_step_id(s));
-                                       }
-                                       else {
-                                       /* we were looking for a regex */
-@@ -2198,8 +2195,9 @@ static void tcpcheck_main(struct connection *conn)
-                               }
-                               /* matched and was supposed to => OK, next step */
-                               else {
--                                      cur = (struct tcpcheck_rule*)cur->list.n;
--                                      check->current_step = cur;
-+                                      /* allow next rule */
-+                                      check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
-+
-                                       if (check->current_step->action == TCPCHK_ACT_EXPECT)
-                                               goto tcpcheck_expect;
-                                       __conn_data_stop_recv(conn);
-@@ -2208,9 +2206,10 @@ static void tcpcheck_main(struct connection *conn)
-                       else {
-                       /* not matched */
-                               /* not matched and was not supposed to => OK, next step */
--                              if (cur->inverse) {
--                                      cur = (struct tcpcheck_rule*)cur->list.n;
--                                      check->current_step = cur;
-+                              if (check->current_step->inverse) {
-+                                      /* allow next rule */
-+                                      check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
-+
-                                       if (check->current_step->action == TCPCHK_ACT_EXPECT)
-                                               goto tcpcheck_expect;
-                                       __conn_data_stop_recv(conn);
-@@ -2218,9 +2217,9 @@ static void tcpcheck_main(struct connection *conn)
-                               /* not matched but was supposed to => ERROR */
-                               else {
-                                       /* we were looking for a string */
--                                      if (cur->string != NULL) {
-+                                      if (check->current_step->string != NULL) {
-                                               chunk_printf(&trash, "TCPCHK did not match content '%s' at step %d",
--                                                              cur->string, tcpcheck_get_step_id(s));
-+                                                           check->current_step->string, tcpcheck_get_step_id(s));
-                                       }
-                                       else {
-                                       /* we were looking for a regex */
--- 
-2.0.5
-

diff --git a/net/haproxy/patches/0005-BUG-MEDIUM-checks-do-not-dereference-head-of-a-tcp-c.patch b/net/haproxy/patches/0005-BUG-MEDIUM-checks-do-not-dereference-head-of-a-tcp-c.patch
deleted file mode 100644 (file)
index f4bc683..0000000
--- a/net/haproxy/patches/0005-BUG-MEDIUM-checks-do-not-dereference-head-of-a-tcp-c.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From b94a6d5a37499ce6649ad58f4a8c4664779abd8b Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Wed, 13 May 2015 11:38:17 +0200
-Subject: [PATCH 5/8] BUG/MEDIUM: checks: do not dereference head of a
- tcp-check at the end
-
-When the end of the list is reached, the current step's action is checked
-to know if we must poll or not. Unfortunately, the main reason for going
-there is that we walked past the end of list and current_step points to
-the head. We cannot dereference ->action since it does not belong to this
-structure and can definitely crash if the address is not mapped.
-
-This bug is unlikely to cause a crash since the action appears just after
-the list, and corresponds to the "char *check_req" pointer in the proxy
-struct, and it seems that we can't go there with current_step being null.
-At worst it can cause the check to register for recv events.
-
-This fix needs to be backported to 1.5 since the code is incorrect there
-as well.
-(cherry picked from commit 53c5a049e1f4dbf67412472e23690dc6b3c8d0f8)
----
- src/checks.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/checks.c b/src/checks.c
-index cfdfe8c..a887be1 100644
---- a/src/checks.c
-+++ b/src/checks.c
-@@ -2237,10 +2237,12 @@ static void tcpcheck_main(struct connection *conn)
-       goto out_end_tcpcheck;
- 
-  out_need_io:
-+      /* warning, current_step may now point to the head */
-       if (check->bo->o)
-               __conn_data_want_send(conn);
- 
--      if (check->current_step->action == TCPCHK_ACT_EXPECT)
-+      if (&check->current_step->list != head &&
-+          check->current_step->action == TCPCHK_ACT_EXPECT)
-               __conn_data_want_recv(conn);
-       return;
- 
-@@ -2256,7 +2258,6 @@ static void tcpcheck_main(struct connection *conn)
-               conn->flags |= CO_FL_ERROR;
- 
-       __conn_data_stop_both(conn);
--
-       return;
- }
- 
--- 
-2.0.5
-

diff --git a/net/haproxy/patches/0006-CLEANUP-checks-simplify-the-loop-processing-of-tcp-c.patch b/net/haproxy/patches/0006-CLEANUP-checks-simplify-the-loop-processing-of-tcp-c.patch
deleted file mode 100644 (file)
index 45ba960..0000000
--- a/net/haproxy/patches/0006-CLEANUP-checks-simplify-the-loop-processing-of-tcp-c.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From ebb2bceb34d7787453548627ed0e99c60354672b Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Wed, 13 May 2015 11:59:14 +0200
-Subject: [PATCH 6/8] CLEANUP: checks: simplify the loop processing of
- tcp-checks
-
-There is some unobvious redundancy between the various ways we can leave
-the loop. Some of them can be factored out. So now we leave the loop when
-we can't go further, whether it's caused by reaching the end of the rules
-or by a blocking I/O.
-(cherry picked from commit 263013d031d754c9f96de0d0cb5afcc011af6441)
-[wt: this patch is required for the next fix]
----
- src/checks.c | 26 ++++++++++++++------------
- 1 file changed, 14 insertions(+), 12 deletions(-)
-
-diff --git a/src/checks.c b/src/checks.c
-index a887be1..a0c42f2 100644
---- a/src/checks.c
-+++ b/src/checks.c
-@@ -1926,8 +1926,10 @@ static void tcpcheck_main(struct connection *conn)
-       __conn_data_stop_both(conn);
- 
-       while (1) {
--              /* we have to try to flush the output buffer before reading, at the end,
--               * or if we're about to send a string that does not fit in the remaining space.
-+              /* We have to try to flush the output buffer before reading, at
-+               * the end, or if we're about to send a string that does not fit
-+               * in the remaining space. That explains why we break out of the
-+               * loop after this control.
-                */
-               if (check->bo->o &&
-                   (&check->current_step->list == head ||
-@@ -1940,16 +1942,12 @@ static void tcpcheck_main(struct connection *conn)
-                                       __conn_data_stop_both(conn);
-                                       goto out_end_tcpcheck;
-                               }
--                              goto out_need_io;
-+                              break;
-                       }
-               }
- 
--              /* did we reach the end ? If so, let's check that everything was sent */
--              if (&check->current_step->list == head) {
--                      if (check->bo->o)
--                              goto out_need_io;
-+              if (&check->current_step->list == head)
-                       break;
--              }
- 
-               /* have 'next' point to the next rule or NULL if we're on the
-                * last one, connect() needs this.
-@@ -2131,7 +2129,7 @@ static void tcpcheck_main(struct connection *conn)
-                                       }
-                               }
-                               else
--                                      goto out_need_io;
-+                                      break;
-                       }
- 
-                       /* mark the step as started */
-@@ -2233,10 +2231,14 @@ static void tcpcheck_main(struct connection *conn)
-               } /* end expect */
-       } /* end loop over double chained step list */
- 
--      set_server_check_status(check, HCHK_STATUS_L7OKD, "(tcp-check)");
--      goto out_end_tcpcheck;
-+      /* We're waiting for some I/O to complete, we've reached the end of the
-+       * rules, or both. Do what we have to do, otherwise we're done.
-+       */
-+      if (&check->current_step->list == head && !check->bo->o) {
-+              set_server_check_status(check, HCHK_STATUS_L7OKD, "(tcp-check)");
-+              goto out_end_tcpcheck;
-+      }
- 
-- out_need_io:
-       /* warning, current_step may now point to the head */
-       if (check->bo->o)
-               __conn_data_want_send(conn);
--- 
-2.0.5
-

diff --git a/net/haproxy/patches/0007-BUG-MAJOR-checks-always-check-for-end-of-list-before.patch b/net/haproxy/patches/0007-BUG-MAJOR-checks-always-check-for-end-of-list-before.patch
deleted file mode 100644 (file)
index 7c2d562..0000000
--- a/net/haproxy/patches/0007-BUG-MAJOR-checks-always-check-for-end-of-list-before.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 97fccc87f1297d189ee80735e5b8746c34956eda Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Wed, 13 May 2015 12:08:21 +0200
-Subject: [PATCH 7/8] BUG/MAJOR: checks: always check for end of list before
- proceeding
-
-This is the most important fix of this series. There's a risk of endless
-loop and crashes caused by the fact that we go past the head of the list
-when skipping to next rule, without checking if it's still a valid element.
-Most of the time, the ->action field is checked, which points to the proxy's
-check_req pointer (generally NULL), meaning the element is confused with a
-TCPCHK_ACT_SEND action.
-
-The situation was accidently made worse with the addition of tcp-check
-comment since it also skips list elements. However, since the action that
-makes it go forward is TCPCHK_ACT_COMMENT (3), there's little chance to
-see this as a valid pointer, except on 64-bit machines where it can match
-the end of a check_req string pointer.
-
-This fix heavily depends on previous cleanup and both must be backported
-to 1.5 where the bug is present.
-(cherry picked from commit f2c87353a7f8160930b5f342bb6d6ad0991ee3d1)
-[wt: this patch differs significantly from 1.6 since we don't have comments]
----
- src/cfgparse.c |  4 +++-
- src/checks.c   | 12 ++++++++++++
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index 746c7eb..dba59d1 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -4368,7 +4368,9 @@ stats_error_parsing:
-                       l = (struct list *)&curproxy->tcpcheck_rules;
-                       if (l->p != l->n) {
-                               tcpcheck = (struct tcpcheck_rule *)l->n;
--                              if (tcpcheck && tcpcheck->action != TCPCHK_ACT_CONNECT) {
-+
-+                              if (&tcpcheck->list != &curproxy->tcpcheck_rules
-+                                  && tcpcheck->action != TCPCHK_ACT_CONNECT) {
-                                       Alert("parsing [%s:%d] : first step MUST also be a 'connect' when there is a 'connect' step in the tcp-check ruleset.\n",
-                                             file, linenum);
-                                       err_code |= ERR_ALERT | ERR_FATAL;
-diff --git a/src/checks.c b/src/checks.c
-index a0c42f2..e13d561 100644
---- a/src/checks.c
-+++ b/src/checks.c
-@@ -2057,6 +2057,9 @@ static void tcpcheck_main(struct connection *conn)
-                       /* allow next rule */
-                       check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
- 
-+                      if (&check->current_step->list == head)
-+                              break;
-+
-                       /* don't do anything until the connection is established */
-                       if (!(conn->flags & CO_FL_CONNECTED)) {
-                               /* update expire time, should be done by process_chk */
-@@ -2110,6 +2113,9 @@ static void tcpcheck_main(struct connection *conn)
- 
-                       /* go to next rule and try to send */
-                       check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
-+
-+                      if (&check->current_step->list == head)
-+                              break;
-               } /* end 'send' */
-               else if (check->current_step->action == TCPCHK_ACT_EXPECT) {
-                       if (unlikely(check->result == CHK_RES_FAILED))
-@@ -2196,6 +2202,9 @@ static void tcpcheck_main(struct connection *conn)
-                                       /* allow next rule */
-                                       check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
- 
-+                                      if (&check->current_step->list == head)
-+                                              break;
-+
-                                       if (check->current_step->action == TCPCHK_ACT_EXPECT)
-                                               goto tcpcheck_expect;
-                                       __conn_data_stop_recv(conn);
-@@ -2208,6 +2217,9 @@ static void tcpcheck_main(struct connection *conn)
-                                       /* allow next rule */
-                                       check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
- 
-+                                      if (&check->current_step->list == head)
-+                                              break;
-+
-                                       if (check->current_step->action == TCPCHK_ACT_EXPECT)
-                                               goto tcpcheck_expect;
-                                       __conn_data_stop_recv(conn);
--- 
-2.0.5
-

diff --git a/net/haproxy/patches/0008-BUG-MEDIUM-checks-do-not-dereference-a-list-as-a-tcp.patch b/net/haproxy/patches/0008-BUG-MEDIUM-checks-do-not-dereference-a-list-as-a-tcp.patch
deleted file mode 100644 (file)
index 4540260..0000000
--- a/net/haproxy/patches/0008-BUG-MEDIUM-checks-do-not-dereference-a-list-as-a-tcp.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From 5bff05986c501d9ffb67873b60472f9c2a2e41be Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Wed, 13 May 2015 12:24:53 +0200
-Subject: [PATCH 8/8] BUG/MEDIUM: checks: do not dereference a list as a
- tcpcheck struct
-
-The method used to skip to next rule in the list is wrong, it assumes
-that the list element starts at the same offset as the rule. It happens
-to be true on most architectures since the list is the first element for
-now but it's definitely wrong. Now the code doesn't crash anymore when
-the struct list is moved anywhere else in the struct tcpcheck_rule.
-
-This fix must be backported to 1.5.
-(cherry picked from commit 5581c27b579cbfc53afb0ca04cdeebe7e2200131)
-[wt: changes from 1.6 : no tcp-check comments, check becomes s->proxy]
----
- src/cfgparse.c | 18 +++++++-----------
- src/checks.c   | 15 +++++++++------
- 2 files changed, 16 insertions(+), 17 deletions(-)
-
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index dba59d1..e04eff8 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -4362,20 +4362,16 @@ stats_error_parsing:
-                       const char *ptr_arg;
-                       int cur_arg;
-                       struct tcpcheck_rule *tcpcheck;
--                      struct list *l;
- 
-                       /* check if first rule is also a 'connect' action */
--                      l = (struct list *)&curproxy->tcpcheck_rules;
--                      if (l->p != l->n) {
--                              tcpcheck = (struct tcpcheck_rule *)l->n;
-+                      tcpcheck = LIST_NEXT(&curproxy->tcpcheck_rules, struct tcpcheck_rule *, list);
- 
--                              if (&tcpcheck->list != &curproxy->tcpcheck_rules
--                                  && tcpcheck->action != TCPCHK_ACT_CONNECT) {
--                                      Alert("parsing [%s:%d] : first step MUST also be a 'connect' when there is a 'connect' step in the tcp-check ruleset.\n",
--                                            file, linenum);
--                                      err_code |= ERR_ALERT | ERR_FATAL;
--                                      goto out;
--                              }
-+                      if (&tcpcheck->list != &curproxy->tcpcheck_rules
-+                          && tcpcheck->action != TCPCHK_ACT_CONNECT) {
-+                              Alert("parsing [%s:%d] : first step MUST also be a 'connect' when there is a 'connect' step in the tcp-check ruleset.\n",
-+                                    file, linenum);
-+                              err_code |= ERR_ALERT | ERR_FATAL;
-+                              goto out;
-                       }
- 
-                       cur_arg = 2;
-diff --git a/src/checks.c b/src/checks.c
-index e13d561..27a23b2 100644
---- a/src/checks.c
-+++ b/src/checks.c
-@@ -1444,7 +1444,10 @@ static int connect_chk(struct task *t)
-       quickack = check->type == 0 || check->type == PR_O2_TCPCHK_CHK;
- 
-       if (check->type == PR_O2_TCPCHK_CHK && !LIST_ISEMPTY(&s->proxy->tcpcheck_rules)) {
--              struct tcpcheck_rule *r = (struct tcpcheck_rule *) s->proxy->tcpcheck_rules.n;
-+              struct tcpcheck_rule *r;
-+
-+              r = LIST_NEXT(&s->proxy->tcpcheck_rules, struct tcpcheck_rule *, list);
-+
-               /* if first step is a 'connect', then tcpcheck_main must run it */
-               if (r->action == TCPCHK_ACT_CONNECT) {
-                       tcpcheck_main(conn);
-@@ -1952,7 +1955,7 @@ static void tcpcheck_main(struct connection *conn)
-               /* have 'next' point to the next rule or NULL if we're on the
-                * last one, connect() needs this.
-                */
--              next = (struct tcpcheck_rule *)check->current_step->list.n;
-+              next = LIST_NEXT(&check->current_step->list, struct tcpcheck_rule *, list);
- 
-               if (&next->list == head)
-                       next = NULL;
-@@ -2055,7 +2058,7 @@ static void tcpcheck_main(struct connection *conn)
-                       }
- 
-                       /* allow next rule */
--                      check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
-+                      check->current_step = LIST_NEXT(&check->current_step->list, struct tcpcheck_rule *, list);
- 
-                       if (&check->current_step->list == head)
-                               break;
-@@ -2112,7 +2115,7 @@ static void tcpcheck_main(struct connection *conn)
-                       *check->bo->p = '\0'; /* to make gdb output easier to read */
- 
-                       /* go to next rule and try to send */
--                      check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
-+                      check->current_step = LIST_NEXT(&check->current_step->list, struct tcpcheck_rule *, list);
- 
-                       if (&check->current_step->list == head)
-                               break;
-@@ -2200,7 +2203,7 @@ static void tcpcheck_main(struct connection *conn)
-                               /* matched and was supposed to => OK, next step */
-                               else {
-                                       /* allow next rule */
--                                      check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
-+                                      check->current_step = LIST_NEXT(&check->current_step->list, struct tcpcheck_rule *, list);
- 
-                                       if (&check->current_step->list == head)
-                                               break;
-@@ -2215,7 +2218,7 @@ static void tcpcheck_main(struct connection *conn)
-                               /* not matched and was not supposed to => OK, next step */
-                               if (check->current_step->inverse) {
-                                       /* allow next rule */
--                                      check->current_step = (struct tcpcheck_rule *)check->current_step->list.n;
-+                                      check->current_step = LIST_NEXT(&check->current_step->list, struct tcpcheck_rule *, list);
- 
-                                       if (&check->current_step->list == head)
-                                               break;
--- 
-2.0.5
-

diff --git a/net/haproxy/patches/0009-BUG-MEDIUM-peers-apply-a-random-reconnection-timeout.patch b/net/haproxy/patches/0009-BUG-MEDIUM-peers-apply-a-random-reconnection-timeout.patch
deleted file mode 100644 (file)
index 96aa743..0000000
--- a/net/haproxy/patches/0009-BUG-MEDIUM-peers-apply-a-random-reconnection-timeout.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 76a06b2804bcdba0fb2c19f834bdb511ce3cf344 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Wed, 20 May 2015 10:39:04 +0200
-Subject: [PATCH 09/10] BUG/MEDIUM: peers: apply a random reconnection timeout
-
-Commit 9ff95bb ("BUG/MEDIUM: peers: correctly configure the client timeout")
-uncovered an old bug in the peers : upon disconnect, we reconnect immediately.
-This sometimes results in both ends to do the same thing in parallel causing
-a loop of connect/accept/close/close that can last several seconds. The risk
-of occurrence of the trouble increases with latency, and is emphasized by the
-fact that idle connections are now frequently recycled (after 5s of idle).
-
-In order to avoid this we must apply a random delay before reconnecting.
-Fortunately the mechanism already supports a reconnect delay, so here we
-compute the random timeout when killing a session. The delay is 50ms plus
-a random between 0 and 2 seconds. Ideally an exponential back-off would
-be preferred but it's preferable to keep the fix simple.
-
-This bug was reported by Marco Corte.
-
-This fix must be backported to 1.5 since the fix above was backported into
-1.5.12.
-(cherry picked from commit b4e34da692d8a7f6837ad16b3389f5830dbc11d2)
----
- src/peers.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/src/peers.c b/src/peers.c
-index b196d88..159f0a4 100644
---- a/src/peers.c
-+++ b/src/peers.c
-@@ -1063,6 +1063,7 @@ static void peer_session_forceshutdown(struct session * session)
- {
-       struct stream_interface *oldsi = NULL;
-       struct appctx *appctx = NULL;
-+      struct peer_session *ps;
-       int i;
- 
-       for (i = 0; i <= 1; i++) {
-@@ -1079,6 +1080,14 @@ static void peer_session_forceshutdown(struct session * session)
-       if (!appctx)
-               return;
- 
-+      ps = (struct peer_session *)appctx->ctx.peers.ptr;
-+      /* we're killing a connection, we must apply a random delay before
-+       * retrying otherwise the other end will do the same and we can loop
-+       * for a while.
-+       */
-+      if (ps)
-+              ps->reconnect = tick_add(now_ms, MS_TO_TICKS(50 + random() % 2000));
-+
-       /* call release to reinit resync states if needed */
-       peer_session_release(oldsi);
-       appctx->st0 = PEER_SESS_ST_END;
-@@ -1352,8 +1361,8 @@ static struct task *process_peer_sync(struct task * task)
-                               if (!ps->session) {
-                                       /* no active session */
-                                       if (ps->statuscode == 0 ||
--                                          ps->statuscode == PEER_SESS_SC_SUCCESSCODE ||
-                                           ((ps->statuscode == PEER_SESS_SC_CONNECTCODE ||
-+                                            ps->statuscode == PEER_SESS_SC_SUCCESSCODE ||
-                                             ps->statuscode == PEER_SESS_SC_CONNECTEDCODE) &&
-                                            tick_is_expired(ps->reconnect, now_ms))) {
-                                               /* connection never tried
-@@ -1364,8 +1373,7 @@ static struct task *process_peer_sync(struct task * task)
-                                               /* retry a connect */
-                                               ps->session = peer_session_create(ps->peer, ps);
-                                       }
--                                      else if (ps->statuscode == PEER_SESS_SC_CONNECTCODE ||
--                                               ps->statuscode == PEER_SESS_SC_CONNECTEDCODE) {
-+                                      else if (!tick_is_expired(ps->reconnect, now_ms)) {
-                                               /* If previous session failed during connection
-                                                * but reconnection timer is not expired */
- 
--- 
-2.0.5
-

diff --git a/net/haproxy/patches/0010-DOC-Update-doc-about-weight-act-and-bck-fields-in-th.patch b/net/haproxy/patches/0010-DOC-Update-doc-about-weight-act-and-bck-fields-in-th.patch
deleted file mode 100644 (file)
index 563ed64..0000000
--- a/net/haproxy/patches/0010-DOC-Update-doc-about-weight-act-and-bck-fields-in-th.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From ac372e18c422841a9f1197b4238637c470e8edca Mon Sep 17 00:00:00 2001
-From: Pavlos Parissis <pavlos.parissis@gmail.com>
-Date: Sat, 2 May 2015 20:30:44 +0200
-Subject: [PATCH 10/10] DOC: Update doc about weight, act and bck fields in the
- statistics
-
-Reorder description of the mentioned fields in order to match the
-order of types
-(cherry picked from commit 1f673c72c11d011bbd24e309d3155384eddf7a46)
----
- doc/configuration.txt | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/doc/configuration.txt b/doc/configuration.txt
-index a9d497e..6f5eeb1 100644
---- a/doc/configuration.txt
-+++ b/doc/configuration.txt
-@@ -13240,9 +13240,9 @@ S (Servers).
-      server. The server value counts the number of times that server was
-      switched away from.
-  17. status [LFBS]: status (UP/DOWN/NOLB/MAINT/MAINT(via)...)
-- 18. weight [..BS]: server weight (server), total weight (backend)
-- 19. act [..BS]: server is active (server), number of active servers (backend)
-- 20. bck [..BS]: server is backup (server), number of backup servers (backend)
-+ 18. weight [..BS]: total weight (backend), server weight (server)
-+ 19. act [..BS]: number of active servers (backend), server is active (server)
-+ 20. bck [..BS]: number of backup servers (backend), server is backup (server)
-  21. chkfail [...S]: number of failed checks. (Only counts checks failed when
-      the server is up.)
-  22. chkdown [..BS]: number of UP->DOWN transitions. The backend counter counts
--- 
-2.0.5
-

diff --git a/net/haproxy/patches/0011-MINOR-ssl-add-a-destructor-to-free-allocated-SSL-res.patch b/net/haproxy/patches/0011-MINOR-ssl-add-a-destructor-to-free-allocated-SSL-res.patch
deleted file mode 100644 (file)
index 86be3b9..0000000
--- a/net/haproxy/patches/0011-MINOR-ssl-add-a-destructor-to-free-allocated-SSL-res.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 269a02fbb332da8faf6c2a614d45d5b5018816d1 Mon Sep 17 00:00:00 2001
-From: Remi Gacogne <rgacogne@aquaray.fr>
-Date: Thu, 28 May 2015 16:39:47 +0200
-Subject: [PATCH 11/14] MINOR: ssl: add a destructor to free allocated SSL
- ressources
-
-Using valgrind or another memory leak tracking tool is easier
-when the memory internally allocated by OpenSSL is cleanly released
-at shutdown.
-(cherry picked from commit d3a23c3eb8c0950d26204568a133207099923494)
----
- src/ssl_sock.c | 36 ++++++++++++++++++++++++++++++++++++
- 1 file changed, 36 insertions(+)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index d0f4d01..a78fc6a 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -4717,6 +4717,42 @@ static void __ssl_sock_init(void)
-       cfg_register_keywords(&cfg_kws);
- }
- 
-+__attribute__((destructor))
-+static void __ssl_sock_deinit(void)
-+{
-+#ifndef OPENSSL_NO_DH
-+        if (local_dh_1024) {
-+                DH_free(local_dh_1024);
-+                local_dh_1024 = NULL;
-+        }
-+
-+        if (local_dh_2048) {
-+                DH_free(local_dh_2048);
-+                local_dh_2048 = NULL;
-+        }
-+
-+        if (local_dh_4096) {
-+                DH_free(local_dh_4096);
-+                local_dh_4096 = NULL;
-+        }
-+
-+        if (local_dh_8192) {
-+                DH_free(local_dh_8192);
-+                local_dh_8192 = NULL;
-+        }
-+#endif
-+
-+        ERR_remove_state(0);
-+        ERR_free_strings();
-+
-+        EVP_cleanup();
-+
-+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-+        CRYPTO_cleanup_all_ex_data();
-+#endif
-+}
-+
-+
- /*
-  * Local variables:
-  *  c-indent-level: 8
--- 
-2.0.5
-

diff --git a/net/haproxy/patches/0012-BUG-MEDIUM-ssl-fix-tune.ssl.default-dh-param-value-b.patch b/net/haproxy/patches/0012-BUG-MEDIUM-ssl-fix-tune.ssl.default-dh-param-value-b.patch
deleted file mode 100644 (file)
index 37600c8..0000000
--- a/net/haproxy/patches/0012-BUG-MEDIUM-ssl-fix-tune.ssl.default-dh-param-value-b.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 5d769ca828fdb055052b3dbc232864bdf2853c9f Mon Sep 17 00:00:00 2001
-From: Remi Gacogne <rgacogne@aquaray.fr>
-Date: Thu, 28 May 2015 16:23:00 +0200
-Subject: [PATCH 12/14] BUG/MEDIUM: ssl: fix tune.ssl.default-dh-param value
- being overwritten
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Hervé Commowick reported that the logic used to avoid complaining about
-ssl-default-dh-param not being set when static DH params are present
-in the certificate file was clearly wrong when more than one sni_ctx
-is used.
-This patch stores whether static DH params are being used for each
-SSL_CTX individually, and does not overwrite the value of
-tune.ssl.default-dh-param.
-(cherry picked from commit 4f902b88323927c9d25d391a809e3678ac31df41)
----
- src/ssl_sock.c | 28 +++++++++++++++++++++++-----
- 1 file changed, 23 insertions(+), 5 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index a78fc6a..0f7819b 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -47,6 +47,9 @@
- #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
- #include <openssl/ocsp.h>
- #endif
-+#ifndef OPENSSL_NO_DH
-+#include <openssl/dh.h>
-+#endif
- 
- #include <common/buffer.h>
- #include <common/compat.h>
-@@ -107,6 +110,7 @@ int sslconns = 0;
- int totalsslconns = 0;
- 
- #ifndef OPENSSL_NO_DH
-+static int ssl_dh_ptr_index = -1;
- static DH *local_dh_1024 = NULL;
- static DH *local_dh_2048 = NULL;
- static DH *local_dh_4096 = NULL;
-@@ -1076,10 +1080,12 @@ int ssl_sock_load_dh_params(SSL_CTX *ctx, const char *file)
-       if (dh) {
-               ret = 1;
-               SSL_CTX_set_tmp_dh(ctx, dh);
--              /* Setting ssl default dh param to the size of the static DH params
--                 found in the file. This way we know that there is no use
--                 complaining later about ssl-default-dh-param not being set. */
--              global.tune.ssl_default_dh_param = DH_size(dh) * 8;
-+
-+              if (ssl_dh_ptr_index >= 0) {
-+                      /* store a pointer to the DH params to avoid complaining about
-+                         ssl-default-dh-param not being set for this SSL_CTX */
-+                      SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, dh);
-+              }
-       }
-       else {
-               /* Clear openssl global errors stack */
-@@ -1274,6 +1280,12 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
-        * the tree, so it will be discovered and cleaned in time.
-        */
- #ifndef OPENSSL_NO_DH
-+      /* store a NULL pointer to indicate we have not yet loaded
-+         a custom DH param file */
-+      if (ssl_dh_ptr_index >= 0) {
-+              SSL_CTX_set_ex_data(ctx, ssl_dh_ptr_index, NULL);
-+      }
-+
-       ret = ssl_sock_load_dh_params(ctx, path);
-       if (ret < 0) {
-               if (err)
-@@ -1593,7 +1605,9 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
- 
-       /* If tune.ssl.default-dh-param has not been set and
-          no static DH params were in the certificate file. */
--      if (global.tune.ssl_default_dh_param == 0) {
-+      if (global.tune.ssl_default_dh_param == 0 &&
-+          (ssl_dh_ptr_index == -1 ||
-+           SSL_CTX_get_ex_data(ctx, ssl_dh_ptr_index) == NULL)) {
-               ciphers = ctx->cipher_list;
- 
-               if (ciphers) {
-@@ -4715,6 +4729,10 @@ static void __ssl_sock_init(void)
-       bind_register_keywords(&bind_kws);
-       srv_register_keywords(&srv_kws);
-       cfg_register_keywords(&cfg_kws);
-+
-+#ifndef OPENSSL_NO_DH
-+      ssl_dh_ptr_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
-+#endif
- }
- 
- __attribute__((destructor))
--- 
-2.0.5
-

diff --git a/net/haproxy/patches/0013-BUG-MINOR-cfgparse-fix-typo-in-option-httplog-error-.patch b/net/haproxy/patches/0013-BUG-MINOR-cfgparse-fix-typo-in-option-httplog-error-.patch
deleted file mode 100644 (file)
index d09f18d..0000000
--- a/net/haproxy/patches/0013-BUG-MINOR-cfgparse-fix-typo-in-option-httplog-error-.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 629b1c000b26f0031246b9b529680b275a14118f Mon Sep 17 00:00:00 2001
-From: William Lallemand <wlallemand@haproxy.com>
-Date: Thu, 28 May 2015 18:02:48 +0200
-Subject: [PATCH 13/14] BUG/MINOR: cfgparse: fix typo in 'option httplog' error
- message
-
-The error message was displaying the wrong argument when 'option
-httplog' took a wrong argument.
-(cherry picked from commit 77063bc0c6ceb4257c4e2c08411811ecc48be1aa)
----
- src/cfgparse.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index e04eff8..3c3383d 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -3792,7 +3792,7 @@ stats_error_parsing:
-                                       curproxy->options2 |= PR_O2_CLFLOG;
-                                       logformat = clf_http_log_format;
-                               } else {
--                                      Alert("parsing [%s:%d] : keyword '%s' only supports option 'clf'.\n", file, linenum, args[2]);
-+                                      Alert("parsing [%s:%d] : keyword '%s' only supports option 'clf'.\n", file, linenum, args[1]);
-                                       err_code |= ERR_ALERT | ERR_FATAL;
-                                       goto out;
-                               }
--- 
-2.0.5
-

diff --git a/net/haproxy/patches/0014-BUG-MEDIUM-cfgparse-segfault-when-userlist-is-misuse.patch b/net/haproxy/patches/0014-BUG-MEDIUM-cfgparse-segfault-when-userlist-is-misuse.patch
deleted file mode 100644 (file)
index 329505b..0000000
--- a/net/haproxy/patches/0014-BUG-MEDIUM-cfgparse-segfault-when-userlist-is-misuse.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From faf3315f77c527e6e1d027deb7e853cdf6af5858 Mon Sep 17 00:00:00 2001
-From: William Lallemand <wlallemand@haproxy.com>
-Date: Thu, 28 May 2015 18:03:51 +0200
-Subject: [PATCH 14/14] BUG/MEDIUM: cfgparse: segfault when userlist is misused
-
-If the 'userlist' keyword parsing returns an error and no userlist were
-previously created. The parsing of 'user' and 'group' leads to NULL
-derefence.
-
-The userlist pointer is now tested to prevent this issue.
-(cherry picked from commit 4ac9f546120d42be8147e3d90588e7b9738af0cc)
----
- src/cfgparse.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/cfgparse.c b/src/cfgparse.c
-index 3c3383d..392a78d 100644
---- a/src/cfgparse.c
-+++ b/src/cfgparse.c
-@@ -5668,6 +5668,9 @@ cfg_parse_users(const char *file, int linenum, char **args, int kwm)
-                       goto out;
-               }
- 
-+              if (!userlist)
-+                      goto out;
-+
-               for (ag = userlist->groups; ag; ag = ag->next)
-                       if (!strcmp(ag->name, args[1])) {
-                               Warning("parsing [%s:%d]: ignoring duplicated group '%s' in userlist '%s'.\n",
-@@ -5718,6 +5721,8 @@ cfg_parse_users(const char *file, int linenum, char **args, int kwm)
-                       err_code |= ERR_ALERT | ERR_FATAL;
-                       goto out;
-               }
-+              if (!userlist)
-+                      goto out;
- 
-               for (newuser = userlist->users; newuser; newuser = newuser->next)
-                       if (!strcmp(newuser->user, args[1])) {
--- 
-2.0.5
-

diff --git a/net/haproxy/patches/0015-MEDIUM-ssl-replace-standards-DH-groups-with-custom-o.patch b/net/haproxy/patches/0015-MEDIUM-ssl-replace-standards-DH-groups-with-custom-o.patch
deleted file mode 100644 (file)
index 2d1415b..0000000
--- a/net/haproxy/patches/0015-MEDIUM-ssl-replace-standards-DH-groups-with-custom-o.patch
+++ /dev/null
@@ -1,427 +0,0 @@
-From 2ad3ec1ab5379a16b16aba48a42ced27b170534e Mon Sep 17 00:00:00 2001
-From: Remi Gacogne <rgacogne@aquaray.fr>
-Date: Fri, 29 May 2015 16:26:17 +0200
-Subject: [PATCH 15/18] MEDIUM: ssl: replace standards DH groups with custom
- ones
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It is likely that powerful adversaries have been pre-computing the
-standardized DH groups, because being widely used have made them
-valuable targets. While users are advised to generate their own
-DH parameters, replace the ones we ship by values been randomly
-generated for this product only.
-
-[wt: replaced dh1024_p, dh2048_p, and dh4096_p with locally-generated
- ones as recommended by Rémi]
-
-(cherry picked from commit d3a341a96fb6107d2b8e3d7a9c0afa2ff43bb0b6)
----
- src/ssl_sock.c | 340 +++++++++++++++++----------------------------------------
- 1 file changed, 102 insertions(+), 238 deletions(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 0f7819b..93aab8b 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -114,7 +114,6 @@ static int ssl_dh_ptr_index = -1;
- static DH *local_dh_1024 = NULL;
- static DH *local_dh_2048 = NULL;
- static DH *local_dh_4096 = NULL;
--static DH *local_dh_8192 = NULL;
- #endif /* OPENSSL_NO_DH */
- 
- #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
-@@ -766,32 +765,28 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, struct bind_conf *s)
- 
- static DH * ssl_get_dh_1024(void)
- {
--#if OPENSSL_VERSION_NUMBER < 0x0090801fL
--      static const unsigned char rfc_2409_prime_1024[] = {
--              0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
--              0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
--              0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
--              0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
--              0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
--              0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
--              0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
--              0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
--              0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
--              0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE6,0x53,0x81,
--              0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
--      };
--#endif
-+      static unsigned char dh1024_p[]={
-+              0xFA,0xF9,0x2A,0x22,0x2A,0xA7,0x7F,0xE1,0x67,0x4E,0x53,0xF7,
-+              0x56,0x13,0xC3,0xB1,0xE3,0x29,0x6B,0x66,0x31,0x6A,0x7F,0xB3,
-+              0xC2,0x68,0x6B,0xCB,0x1D,0x57,0x39,0x1D,0x1F,0xFF,0x1C,0xC9,
-+              0xA6,0xA4,0x98,0x82,0x31,0x5D,0x25,0xFF,0x8A,0xE0,0x73,0x96,
-+              0x81,0xC8,0x83,0x79,0xC1,0x5A,0x04,0xF8,0x37,0x0D,0xA8,0x3D,
-+              0xAE,0x74,0xBC,0xDB,0xB6,0xA4,0x75,0xD9,0x71,0x8A,0xA0,0x17,
-+              0x9E,0x2D,0xC8,0xA8,0xDF,0x2C,0x5F,0x82,0x95,0xF8,0x92,0x9B,
-+              0xA7,0x33,0x5F,0x89,0x71,0xC8,0x2D,0x6B,0x18,0x86,0xC4,0x94,
-+              0x22,0xA5,0x52,0x8D,0xF6,0xF6,0xD2,0x37,0x92,0x0F,0xA5,0xCC,
-+              0xDB,0x7B,0x1D,0x3D,0xA1,0x31,0xB7,0x80,0x8F,0x0B,0x67,0x5E,
-+              0x36,0xA5,0x60,0x0C,0xF1,0x95,0x33,0x8B,
-+              };
-+      static unsigned char dh1024_g[]={
-+              0x02,
-+              };
-+
-       DH *dh = DH_new();
-       if (dh) {
--#if OPENSSL_VERSION_NUMBER >= 0x0090801fL
--              dh->p = get_rfc2409_prime_1024(NULL);
--#else
--              dh->p = BN_bin2bn(rfc_2409_prime_1024, sizeof rfc_2409_prime_1024, NULL);
--#endif
--              /* See RFC 2409, Section 6 "Oakley Groups"
--                 for the reason why 2 is used as generator.
--              */
--              BN_dec2bn(&dh->g, "2");
-+              dh->p = BN_bin2bn(dh1024_p, sizeof dh1024_p, NULL);
-+              dh->g = BN_bin2bn(dh1024_g, sizeof dh1024_g, NULL);
-+
-               if (!dh->p || !dh->g) {
-                       DH_free(dh);
-                       dh = NULL;
-@@ -802,43 +797,39 @@ static DH * ssl_get_dh_1024(void)
- 
- static DH *ssl_get_dh_2048(void)
- {
--#if OPENSSL_VERSION_NUMBER < 0x0090801fL
--      static const unsigned char rfc_3526_prime_2048[] = {
--              0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
--              0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
--              0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
--              0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
--              0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
--              0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
--              0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
--              0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
--              0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
--              0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
--              0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
--              0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
--              0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
--              0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
--              0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
--              0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
--              0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
--              0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
--              0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
--              0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
--              0x15,0x72,0x8E,0x5A,0x8A,0xAC,0xAA,0x68,0xFF,0xFF,0xFF,0xFF,
--              0xFF,0xFF,0xFF,0xFF,
--      };
--#endif
-+      static unsigned char dh2048_p[]={
-+              0xEC,0x86,0xF8,0x70,0xA0,0x33,0x16,0xEC,0x05,0x1A,0x73,0x59,
-+              0xCD,0x1F,0x8B,0xF8,0x29,0xE4,0xD2,0xCF,0x52,0xDD,0xC2,0x24,
-+              0x8D,0xB5,0x38,0x9A,0xFB,0x5C,0xA4,0xE4,0xB2,0xDA,0xCE,0x66,
-+              0x50,0x74,0xA6,0x85,0x4D,0x4B,0x1D,0x30,0xB8,0x2B,0xF3,0x10,
-+              0xE9,0xA7,0x2D,0x05,0x71,0xE7,0x81,0xDF,0x8B,0x59,0x52,0x3B,
-+              0x5F,0x43,0x0B,0x68,0xF1,0xDB,0x07,0xBE,0x08,0x6B,0x1B,0x23,
-+              0xEE,0x4D,0xCC,0x9E,0x0E,0x43,0xA0,0x1E,0xDF,0x43,0x8C,0xEC,
-+              0xBE,0xBE,0x90,0xB4,0x51,0x54,0xB9,0x2F,0x7B,0x64,0x76,0x4E,
-+              0x5D,0xD4,0x2E,0xAE,0xC2,0x9E,0xAE,0x51,0x43,0x59,0xC7,0x77,
-+              0x9C,0x50,0x3C,0x0E,0xED,0x73,0x04,0x5F,0xF1,0x4C,0x76,0x2A,
-+              0xD8,0xF8,0xCF,0xFC,0x34,0x40,0xD1,0xB4,0x42,0x61,0x84,0x66,
-+              0x42,0x39,0x04,0xF8,0x68,0xB2,0x62,0xD7,0x55,0xED,0x1B,0x74,
-+              0x75,0x91,0xE0,0xC5,0x69,0xC1,0x31,0x5C,0xDB,0x7B,0x44,0x2E,
-+              0xCE,0x84,0x58,0x0D,0x1E,0x66,0x0C,0xC8,0x44,0x9E,0xFD,0x40,
-+              0x08,0x67,0x5D,0xFB,0xA7,0x76,0x8F,0x00,0x11,0x87,0xE9,0x93,
-+              0xF9,0x7D,0xC4,0xBC,0x74,0x55,0x20,0xD4,0x4A,0x41,0x2F,0x43,
-+              0x42,0x1A,0xC1,0xF2,0x97,0x17,0x49,0x27,0x37,0x6B,0x2F,0x88,
-+              0x7E,0x1C,0xA0,0xA1,0x89,0x92,0x27,0xD9,0x56,0x5A,0x71,0xC1,
-+              0x56,0x37,0x7E,0x3A,0x9D,0x05,0xE7,0xEE,0x5D,0x8F,0x82,0x17,
-+              0xBC,0xE9,0xC2,0x93,0x30,0x82,0xF9,0xF4,0xC9,0xAE,0x49,0xDB,
-+              0xD0,0x54,0xB4,0xD9,0x75,0x4D,0xFA,0x06,0xB8,0xD6,0x38,0x41,
-+              0xB7,0x1F,0x77,0xF3,
-+              };
-+      static unsigned char dh2048_g[]={
-+              0x02,
-+              };
-+
-       DH *dh = DH_new();
-       if (dh) {
--#if OPENSSL_VERSION_NUMBER >= 0x0090801fL
--              dh->p = get_rfc3526_prime_2048(NULL);
--#else
--              dh->p = BN_bin2bn(rfc_3526_prime_2048, sizeof rfc_3526_prime_2048, NULL);
--#endif
--              /* See RFC 3526, Section 3 "2048-bit MODP Group"
--                 for the reason why 2 is used as generator.
--              */
--              BN_dec2bn(&dh->g, "2");
-+              dh->p = BN_bin2bn(dh2048_p, sizeof dh2048_p, NULL);
-+              dh->g = BN_bin2bn(dh2048_g, sizeof dh2048_g, NULL);
-+
-               if (!dh->p || !dh->g) {
-                       DH_free(dh);
-                       dh = NULL;
-@@ -849,175 +840,60 @@ static DH *ssl_get_dh_2048(void)
- 
- static DH *ssl_get_dh_4096(void)
- {
--#if OPENSSL_VERSION_NUMBER < 0x0090801fL
--      static const unsigned char rfc_3526_prime_4096[] = {
--                0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
--                0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
--                0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
--                0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
--                0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
--                0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
--                0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
--                0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
--                0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
--                0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
--                0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
--                0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
--                0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
--                0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
--                0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
--                0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
--                0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
--                0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
--                0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
--                0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
--                0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
--                0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
--                0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
--                0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
--                0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
--                0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
--                0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
--                0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
--                0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
--                0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
--                0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
--                0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
--                0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,
--                0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,
--                0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,
--                0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
--                0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,
--                0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,
--                0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,
--                0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
--                0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,
--                0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x06,0x31,0x99,
--                0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
-+      static unsigned char dh4096_p[]={
-+              0xDE,0x16,0x94,0xCD,0x99,0x58,0x07,0xF1,0xF7,0x32,0x96,0x11,
-+              0x04,0x82,0xD4,0x84,0x72,0x80,0x99,0x06,0xCA,0xF0,0xA3,0x68,
-+              0x07,0xCE,0x64,0x50,0xE7,0x74,0x45,0x20,0x80,0x5E,0x4D,0xAD,
-+              0xA5,0xB6,0xED,0xFA,0x80,0x6C,0x3B,0x35,0xC4,0x9A,0x14,0x6B,
-+              0x32,0xBB,0xFD,0x1F,0x17,0x8E,0xB7,0x1F,0xD6,0xFA,0x3F,0x7B,
-+              0xEE,0x16,0xA5,0x62,0x33,0x0D,0xED,0xBC,0x4E,0x58,0xE5,0x47,
-+              0x4D,0xE9,0xAB,0x8E,0x38,0xD3,0x6E,0x90,0x57,0xE3,0x22,0x15,
-+              0x33,0xBD,0xF6,0x43,0x45,0xB5,0x10,0x0A,0xBE,0x2C,0xB4,0x35,
-+              0xB8,0x53,0x8D,0xAD,0xFB,0xA7,0x1F,0x85,0x58,0x41,0x7A,0x79,
-+              0x20,0x68,0xB3,0xE1,0x3D,0x08,0x76,0xBF,0x86,0x0D,0x49,0xE3,
-+              0x82,0x71,0x8C,0xB4,0x8D,0x81,0x84,0xD4,0xE7,0xBE,0x91,0xDC,
-+              0x26,0x39,0x48,0x0F,0x35,0xC4,0xCA,0x65,0xE3,0x40,0x93,0x52,
-+              0x76,0x58,0x7D,0xDD,0x51,0x75,0xDC,0x69,0x61,0xBF,0x47,0x2C,
-+              0x16,0x68,0x2D,0xC9,0x29,0xD3,0xE6,0xC0,0x99,0x48,0xA0,0x9A,
-+              0xC8,0x78,0xC0,0x6D,0x81,0x67,0x12,0x61,0x3F,0x71,0xBA,0x41,
-+              0x1F,0x6C,0x89,0x44,0x03,0xBA,0x3B,0x39,0x60,0xAA,0x28,0x55,
-+              0x59,0xAE,0xB8,0xFA,0xCB,0x6F,0xA5,0x1A,0xF7,0x2B,0xDD,0x52,
-+              0x8A,0x8B,0xE2,0x71,0xA6,0x5E,0x7E,0xD8,0x2E,0x18,0xE0,0x66,
-+              0xDF,0xDD,0x22,0x21,0x99,0x52,0x73,0xA6,0x33,0x20,0x65,0x0E,
-+              0x53,0xE7,0x6B,0x9B,0xC5,0xA3,0x2F,0x97,0x65,0x76,0xD3,0x47,
-+              0x23,0x77,0x12,0xB6,0x11,0x7B,0x24,0xED,0xF1,0xEF,0xC0,0xE2,
-+              0xA3,0x7E,0x67,0x05,0x3E,0x96,0x4D,0x45,0xC2,0x18,0xD1,0x73,
-+              0x9E,0x07,0xF3,0x81,0x6E,0x52,0x63,0xF6,0x20,0x76,0xB9,0x13,
-+              0xD2,0x65,0x30,0x18,0x16,0x09,0x16,0x9E,0x8F,0xF1,0xD2,0x10,
-+              0x5A,0xD3,0xD4,0xAF,0x16,0x61,0xDA,0x55,0x2E,0x18,0x5E,0x14,
-+              0x08,0x54,0x2E,0x2A,0x25,0xA2,0x1A,0x9B,0x8B,0x32,0xA9,0xFD,
-+              0xC2,0x48,0x96,0xE1,0x80,0xCA,0xE9,0x22,0x17,0xBB,0xCE,0x3E,
-+              0x9E,0xED,0xC7,0xF1,0x1F,0xEC,0x17,0x21,0xDC,0x7B,0x82,0x48,
-+              0x8E,0xBB,0x4B,0x9D,0x5B,0x04,0x04,0xDA,0xDB,0x39,0xDF,0x01,
-+              0x40,0xC3,0xAA,0x26,0x23,0x89,0x75,0xC6,0x0B,0xD0,0xA2,0x60,
-+              0x6A,0xF1,0xCC,0x65,0x18,0x98,0x1B,0x52,0xD2,0x74,0x61,0xCC,
-+              0xBD,0x60,0xAE,0xA3,0xA0,0x66,0x6A,0x16,0x34,0x92,0x3F,0x41,
-+              0x40,0x31,0x29,0xC0,0x2C,0x63,0xB2,0x07,0x8D,0xEB,0x94,0xB8,
-+              0xE8,0x47,0x92,0x52,0x93,0x6A,0x1B,0x7E,0x1A,0x61,0xB3,0x1B,
-+              0xF0,0xD6,0x72,0x9B,0xF1,0xB0,0xAF,0xBF,0x3E,0x65,0xEF,0x23,
-+              0x1D,0x6F,0xFF,0x70,0xCD,0x8A,0x4C,0x8A,0xA0,0x72,0x9D,0xBE,
-+              0xD4,0xBB,0x24,0x47,0x4A,0x68,0xB5,0xF5,0xC6,0xD5,0x7A,0xCD,
-+              0xCA,0x06,0x41,0x07,0xAD,0xC2,0x1E,0xE6,0x54,0xA7,0xAD,0x03,
-+              0xD9,0x12,0xC1,0x9C,0x13,0xB1,0xC9,0x0A,0x43,0x8E,0x1E,0x08,
-+              0xCE,0x50,0x82,0x73,0x5F,0xA7,0x55,0x1D,0xD9,0x59,0xAC,0xB5,
-+              0xEA,0x02,0x7F,0x6C,0x5B,0x74,0x96,0x98,0x67,0x24,0xA3,0x0F,
-+              0x15,0xFC,0xA9,0x7D,0x3E,0x67,0xD1,0x70,0xF8,0x97,0xF3,0x67,
-+              0xC5,0x8C,0x88,0x44,0x08,0x02,0xC7,0x2B,
-       };
--#endif
--      DH *dh = DH_new();
--      if (dh) {
--#if OPENSSL_VERSION_NUMBER >= 0x0090801fL
--              dh->p = get_rfc3526_prime_4096(NULL);
--#else
--              dh->p = BN_bin2bn(rfc_3526_prime_4096, sizeof rfc_3526_prime_4096, NULL);
--#endif
--              /* See RFC 3526, Section 5 "4096-bit MODP Group"
--                 for the reason why 2 is used as generator.
--              */
--              BN_dec2bn(&dh->g, "2");
--              if (!dh->p || !dh->g) {
--                      DH_free(dh);
--                      dh = NULL;
--              }
--      }
--      return dh;
--}
-+      static unsigned char dh4096_g[]={
-+              0x02,
-+              };
- 
--static DH *ssl_get_dh_8192(void)
--{
--#if OPENSSL_VERSION_NUMBER < 0x0090801fL
--      static const unsigned char rfc_3526_prime_8192[] = {
--                0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2,
--                0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1,
--                0x29,0x02,0x4E,0x08,0x8A,0x67,0xCC,0x74,0x02,0x0B,0xBE,0xA6,
--                0x3B,0x13,0x9B,0x22,0x51,0x4A,0x08,0x79,0x8E,0x34,0x04,0xDD,
--                0xEF,0x95,0x19,0xB3,0xCD,0x3A,0x43,0x1B,0x30,0x2B,0x0A,0x6D,
--                0xF2,0x5F,0x14,0x37,0x4F,0xE1,0x35,0x6D,0x6D,0x51,0xC2,0x45,
--                0xE4,0x85,0xB5,0x76,0x62,0x5E,0x7E,0xC6,0xF4,0x4C,0x42,0xE9,
--                0xA6,0x37,0xED,0x6B,0x0B,0xFF,0x5C,0xB6,0xF4,0x06,0xB7,0xED,
--                0xEE,0x38,0x6B,0xFB,0x5A,0x89,0x9F,0xA5,0xAE,0x9F,0x24,0x11,
--                0x7C,0x4B,0x1F,0xE6,0x49,0x28,0x66,0x51,0xEC,0xE4,0x5B,0x3D,
--                0xC2,0x00,0x7C,0xB8,0xA1,0x63,0xBF,0x05,0x98,0xDA,0x48,0x36,
--                0x1C,0x55,0xD3,0x9A,0x69,0x16,0x3F,0xA8,0xFD,0x24,0xCF,0x5F,
--                0x83,0x65,0x5D,0x23,0xDC,0xA3,0xAD,0x96,0x1C,0x62,0xF3,0x56,
--                0x20,0x85,0x52,0xBB,0x9E,0xD5,0x29,0x07,0x70,0x96,0x96,0x6D,
--                0x67,0x0C,0x35,0x4E,0x4A,0xBC,0x98,0x04,0xF1,0x74,0x6C,0x08,
--                0xCA,0x18,0x21,0x7C,0x32,0x90,0x5E,0x46,0x2E,0x36,0xCE,0x3B,
--                0xE3,0x9E,0x77,0x2C,0x18,0x0E,0x86,0x03,0x9B,0x27,0x83,0xA2,
--                0xEC,0x07,0xA2,0x8F,0xB5,0xC5,0x5D,0xF0,0x6F,0x4C,0x52,0xC9,
--                0xDE,0x2B,0xCB,0xF6,0x95,0x58,0x17,0x18,0x39,0x95,0x49,0x7C,
--                0xEA,0x95,0x6A,0xE5,0x15,0xD2,0x26,0x18,0x98,0xFA,0x05,0x10,
--                0x15,0x72,0x8E,0x5A,0x8A,0xAA,0xC4,0x2D,0xAD,0x33,0x17,0x0D,
--                0x04,0x50,0x7A,0x33,0xA8,0x55,0x21,0xAB,0xDF,0x1C,0xBA,0x64,
--                0xEC,0xFB,0x85,0x04,0x58,0xDB,0xEF,0x0A,0x8A,0xEA,0x71,0x57,
--                0x5D,0x06,0x0C,0x7D,0xB3,0x97,0x0F,0x85,0xA6,0xE1,0xE4,0xC7,
--                0xAB,0xF5,0xAE,0x8C,0xDB,0x09,0x33,0xD7,0x1E,0x8C,0x94,0xE0,
--                0x4A,0x25,0x61,0x9D,0xCE,0xE3,0xD2,0x26,0x1A,0xD2,0xEE,0x6B,
--                0xF1,0x2F,0xFA,0x06,0xD9,0x8A,0x08,0x64,0xD8,0x76,0x02,0x73,
--                0x3E,0xC8,0x6A,0x64,0x52,0x1F,0x2B,0x18,0x17,0x7B,0x20,0x0C,
--                0xBB,0xE1,0x17,0x57,0x7A,0x61,0x5D,0x6C,0x77,0x09,0x88,0xC0,
--                0xBA,0xD9,0x46,0xE2,0x08,0xE2,0x4F,0xA0,0x74,0xE5,0xAB,0x31,
--                0x43,0xDB,0x5B,0xFC,0xE0,0xFD,0x10,0x8E,0x4B,0x82,0xD1,0x20,
--                0xA9,0x21,0x08,0x01,0x1A,0x72,0x3C,0x12,0xA7,0x87,0xE6,0xD7,
--                0x88,0x71,0x9A,0x10,0xBD,0xBA,0x5B,0x26,0x99,0xC3,0x27,0x18,
--                0x6A,0xF4,0xE2,0x3C,0x1A,0x94,0x68,0x34,0xB6,0x15,0x0B,0xDA,
--                0x25,0x83,0xE9,0xCA,0x2A,0xD4,0x4C,0xE8,0xDB,0xBB,0xC2,0xDB,
--                0x04,0xDE,0x8E,0xF9,0x2E,0x8E,0xFC,0x14,0x1F,0xBE,0xCA,0xA6,
--                0x28,0x7C,0x59,0x47,0x4E,0x6B,0xC0,0x5D,0x99,0xB2,0x96,0x4F,
--                0xA0,0x90,0xC3,0xA2,0x23,0x3B,0xA1,0x86,0x51,0x5B,0xE7,0xED,
--                0x1F,0x61,0x29,0x70,0xCE,0xE2,0xD7,0xAF,0xB8,0x1B,0xDD,0x76,
--                0x21,0x70,0x48,0x1C,0xD0,0x06,0x91,0x27,0xD5,0xB0,0x5A,0xA9,
--                0x93,0xB4,0xEA,0x98,0x8D,0x8F,0xDD,0xC1,0x86,0xFF,0xB7,0xDC,
--                0x90,0xA6,0xC0,0x8F,0x4D,0xF4,0x35,0xC9,0x34,0x02,0x84,0x92,
--                0x36,0xC3,0xFA,0xB4,0xD2,0x7C,0x70,0x26,0xC1,0xD4,0xDC,0xB2,
--                0x60,0x26,0x46,0xDE,0xC9,0x75,0x1E,0x76,0x3D,0xBA,0x37,0xBD,
--                0xF8,0xFF,0x94,0x06,0xAD,0x9E,0x53,0x0E,0xE5,0xDB,0x38,0x2F,
--                0x41,0x30,0x01,0xAE,0xB0,0x6A,0x53,0xED,0x90,0x27,0xD8,0x31,
--                0x17,0x97,0x27,0xB0,0x86,0x5A,0x89,0x18,0xDA,0x3E,0xDB,0xEB,
--                0xCF,0x9B,0x14,0xED,0x44,0xCE,0x6C,0xBA,0xCE,0xD4,0xBB,0x1B,
--                0xDB,0x7F,0x14,0x47,0xE6,0xCC,0x25,0x4B,0x33,0x20,0x51,0x51,
--                0x2B,0xD7,0xAF,0x42,0x6F,0xB8,0xF4,0x01,0x37,0x8C,0xD2,0xBF,
--                0x59,0x83,0xCA,0x01,0xC6,0x4B,0x92,0xEC,0xF0,0x32,0xEA,0x15,
--                0xD1,0x72,0x1D,0x03,0xF4,0x82,0xD7,0xCE,0x6E,0x74,0xFE,0xF6,
--                0xD5,0x5E,0x70,0x2F,0x46,0x98,0x0C,0x82,0xB5,0xA8,0x40,0x31,
--                0x90,0x0B,0x1C,0x9E,0x59,0xE7,0xC9,0x7F,0xBE,0xC7,0xE8,0xF3,
--                0x23,0xA9,0x7A,0x7E,0x36,0xCC,0x88,0xBE,0x0F,0x1D,0x45,0xB7,
--                0xFF,0x58,0x5A,0xC5,0x4B,0xD4,0x07,0xB2,0x2B,0x41,0x54,0xAA,
--                0xCC,0x8F,0x6D,0x7E,0xBF,0x48,0xE1,0xD8,0x14,0xCC,0x5E,0xD2,
--                0x0F,0x80,0x37,0xE0,0xA7,0x97,0x15,0xEE,0xF2,0x9B,0xE3,0x28,
--                0x06,0xA1,0xD5,0x8B,0xB7,0xC5,0xDA,0x76,0xF5,0x50,0xAA,0x3D,
--                0x8A,0x1F,0xBF,0xF0,0xEB,0x19,0xCC,0xB1,0xA3,0x13,0xD5,0x5C,
--                0xDA,0x56,0xC9,0xEC,0x2E,0xF2,0x96,0x32,0x38,0x7F,0xE8,0xD7,
--                0x6E,0x3C,0x04,0x68,0x04,0x3E,0x8F,0x66,0x3F,0x48,0x60,0xEE,
--                0x12,0xBF,0x2D,0x5B,0x0B,0x74,0x74,0xD6,0xE6,0x94,0xF9,0x1E,
--                0x6D,0xBE,0x11,0x59,0x74,0xA3,0x92,0x6F,0x12,0xFE,0xE5,0xE4,
--                0x38,0x77,0x7C,0xB6,0xA9,0x32,0xDF,0x8C,0xD8,0xBE,0xC4,0xD0,
--                0x73,0xB9,0x31,0xBA,0x3B,0xC8,0x32,0xB6,0x8D,0x9D,0xD3,0x00,
--                0x74,0x1F,0xA7,0xBF,0x8A,0xFC,0x47,0xED,0x25,0x76,0xF6,0x93,
--                0x6B,0xA4,0x24,0x66,0x3A,0xAB,0x63,0x9C,0x5A,0xE4,0xF5,0x68,
--                0x34,0x23,0xB4,0x74,0x2B,0xF1,0xC9,0x78,0x23,0x8F,0x16,0xCB,
--                0xE3,0x9D,0x65,0x2D,0xE3,0xFD,0xB8,0xBE,0xFC,0x84,0x8A,0xD9,
--                0x22,0x22,0x2E,0x04,0xA4,0x03,0x7C,0x07,0x13,0xEB,0x57,0xA8,
--                0x1A,0x23,0xF0,0xC7,0x34,0x73,0xFC,0x64,0x6C,0xEA,0x30,0x6B,
--                0x4B,0xCB,0xC8,0x86,0x2F,0x83,0x85,0xDD,0xFA,0x9D,0x4B,0x7F,
--                0xA2,0xC0,0x87,0xE8,0x79,0x68,0x33,0x03,0xED,0x5B,0xDD,0x3A,
--                0x06,0x2B,0x3C,0xF5,0xB3,0xA2,0x78,0xA6,0x6D,0x2A,0x13,0xF8,
--                0x3F,0x44,0xF8,0x2D,0xDF,0x31,0x0E,0xE0,0x74,0xAB,0x6A,0x36,
--                0x45,0x97,0xE8,0x99,0xA0,0x25,0x5D,0xC1,0x64,0xF3,0x1C,0xC5,
--                0x08,0x46,0x85,0x1D,0xF9,0xAB,0x48,0x19,0x5D,0xED,0x7E,0xA1,
--                0xB1,0xD5,0x10,0xBD,0x7E,0xE7,0x4D,0x73,0xFA,0xF3,0x6B,0xC3,
--                0x1E,0xCF,0xA2,0x68,0x35,0x90,0x46,0xF4,0xEB,0x87,0x9F,0x92,
--                0x40,0x09,0x43,0x8B,0x48,0x1C,0x6C,0xD7,0x88,0x9A,0x00,0x2E,
--                0xD5,0xEE,0x38,0x2B,0xC9,0x19,0x0D,0xA6,0xFC,0x02,0x6E,0x47,
--                0x95,0x58,0xE4,0x47,0x56,0x77,0xE9,0xAA,0x9E,0x30,0x50,0xE2,
--                0x76,0x56,0x94,0xDF,0xC8,0x1F,0x56,0xE8,0x80,0xB9,0x6E,0x71,
--                0x60,0xC9,0x80,0xDD,0x98,0xED,0xD3,0xDF,0xFF,0xFF,0xFF,0xFF,
--                0xFF,0xFF,0xFF,0xFF,
--      };
--#endif
-       DH *dh = DH_new();
-       if (dh) {
--#if OPENSSL_VERSION_NUMBER >= 0x0090801fL
--              dh->p = get_rfc3526_prime_8192(NULL);
--#else
--              dh->p = BN_bin2bn(rfc_3526_prime_8192, sizeof rfc_3526_prime_8192, NULL);
--#endif
--              /* See RFC 3526, Section 7 "8192-bit MODP Group"
--                 for the reason why 2 is used as generator.
--              */
--              BN_dec2bn(&dh->g, "2");
-+              dh->p = BN_bin2bn(dh4096_p, sizeof dh4096_p, NULL);
-+              dh->g = BN_bin2bn(dh4096_g, sizeof dh4096_g, NULL);
-+
-               if (!dh->p || !dh->g) {
-                       DH_free(dh);
-                       dh = NULL;
-@@ -1045,10 +921,7 @@ static DH *ssl_get_tmp_dh(SSL *ssl, int export, int keylen)
-               keylen = global.tune.ssl_default_dh_param;
-       }
- 
--      if (keylen >= 8192) {
--              dh = local_dh_8192;
--      }
--      else if (keylen >= 4096) {
-+      if (keylen >= 4096) {
-               dh = local_dh_4096;
-       }
-       else if (keylen >= 2048) {
-@@ -1643,10 +1516,6 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
-                               if (local_dh_4096 == NULL) {
-                                       local_dh_4096 = ssl_get_dh_4096();
-                               }
--                              if (global.tune.ssl_default_dh_param >= 8192 &&
--                                  local_dh_8192 == NULL) {
--                                      local_dh_8192 = ssl_get_dh_8192();
--                              }
-                       }
-               }
-       }
-@@ -4753,11 +4622,6 @@ static void __ssl_sock_deinit(void)
-                 DH_free(local_dh_4096);
-                 local_dh_4096 = NULL;
-         }
--
--        if (local_dh_8192) {
--                DH_free(local_dh_8192);
--                local_dh_8192 = NULL;
--        }
- #endif
- 
-         ERR_remove_state(0);
--- 
-2.3.6
-

diff --git a/net/haproxy/patches/0016-BUG-MINOR-debug-display-null-in-place-of-meth.patch b/net/haproxy/patches/0016-BUG-MINOR-debug-display-null-in-place-of-meth.patch
deleted file mode 100644 (file)
index f40d723..0000000
--- a/net/haproxy/patches/0016-BUG-MINOR-debug-display-null-in-place-of-meth.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From c51fe0fb249db735c5b103ec99559a0254d58441 Mon Sep 17 00:00:00 2001
-From: Thierry FOURNIER <tfournier@haproxy.com>
-Date: Wed, 3 Jun 2015 20:12:04 +0200
-Subject: [PATCH 16/18] BUG/MINOR: debug: display (null) in place of "meth"
-
-The array which contains names of types, miss the METH entry.
-
-[wt: should be backported to 1.5 as well]
-(cherry picked from commit 4c2479e1c455e2cc46c02cfc28ea2a185f9a7747)
----
- src/sample.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/sample.c b/src/sample.c
-index 87c9f60..59c80b2 100644
---- a/src/sample.c
-+++ b/src/sample.c
-@@ -40,6 +40,7 @@ const char *smp_to_type[SMP_TYPES] = {
-       [SMP_T_IPV6] = "ipv6",
-       [SMP_T_STR]  = "str",
-       [SMP_T_BIN]  = "bin",
-+      [SMP_T_METH] = "meth",
- };
- 
- /* static sample used in sample_process() when <p> is NULL */
--- 
-2.3.6
-

diff --git a/net/haproxy/patches/0017-CLEANUP-deinit-remove-codes-for-cleaning-p-block_rul.patch b/net/haproxy/patches/0017-CLEANUP-deinit-remove-codes-for-cleaning-p-block_rul.patch
deleted file mode 100644 (file)
index bbacca4..0000000
--- a/net/haproxy/patches/0017-CLEANUP-deinit-remove-codes-for-cleaning-p-block_rul.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 793a74065926b0da87120d4b1e6330234475505c Mon Sep 17 00:00:00 2001
-From: Godbach <nylzhaowei@gmail.com>
-Date: Tue, 9 Jun 2015 19:41:52 +0800
-Subject: [PATCH 17/18] CLEANUP: deinit: remove codes for cleaning
- p->block_rules
-
-Since all rules listed in p->block_rules have been moved to the beginning of
-the http-request rules in check_config_validity(), there is no need to clean
-p->block_rules in deinit().
-
-Signed-off-by: Godbach <nylzhaowei@gmail.com>
-(cherry picked from commit 28b48ccbc879a552f988e6e1db22941e3362b4db)
----
- src/haproxy.c | 6 ------
- 1 file changed, 6 deletions(-)
-
-diff --git a/src/haproxy.c b/src/haproxy.c
-index 0dddd53..eac6f44 100644
---- a/src/haproxy.c
-+++ b/src/haproxy.c
-@@ -1020,12 +1020,6 @@ void deinit(void)
-                       free(cwl);
-               }
- 
--              list_for_each_entry_safe(cond, condb, &p->block_rules, list) {
--                      LIST_DEL(&cond->list);
--                      prune_acl_cond(cond);
--                      free(cond);
--              }
--
-               list_for_each_entry_safe(cond, condb, &p->mon_fail_cond, list) {
-                       LIST_DEL(&cond->list);
-                       prune_acl_cond(cond);
--- 
-2.3.6
-

diff --git a/net/haproxy/patches/0018-BUG-MINOR-ssl-fix-smp_fetch_ssl_fc_session_id.patch b/net/haproxy/patches/0018-BUG-MINOR-ssl-fix-smp_fetch_ssl_fc_session_id.patch
deleted file mode 100644 (file)
index b6113a3..0000000
--- a/net/haproxy/patches/0018-BUG-MINOR-ssl-fix-smp_fetch_ssl_fc_session_id.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 69760db11dfca4a8d8fbd34cec25c334f77add67 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Wed, 17 Jun 2015 18:34:14 +0200
-Subject: [PATCH 18/18] BUG/MINOR: ssl: fix smp_fetch_ssl_fc_session_id
-
-Dmitry Sivachenko reported the following build warning using Clang
-which is a real bug :
-
-src/ssl_sock.c:4104:44: warning: address of 'smp->data.str.len' will always
-      evaluate to 'true' [-Wpointer-bool-conversion]
-        if (!smp->data.str.str || !&smp->data.str.len)
-
-The impact is very low however, it will return an empty session_id
-instead of no session id when none is found.
-
-The fix should be backported to 1.5.
-(cherry picked from commit 745d4127582a8c66e2e8ce35f746a78e867960af)
----
- src/ssl_sock.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/ssl_sock.c b/src/ssl_sock.c
-index 93aab8b..7d77d36 100644
---- a/src/ssl_sock.c
-+++ b/src/ssl_sock.c
-@@ -3540,7 +3540,7 @@ smp_fetch_ssl_fc_session_id(struct proxy *px, struct session *l4, void *l7, unsi
-               return 0;
- 
-       smp->data.str.str = (char *)SSL_SESSION_get_id(sess, (unsigned int *)&smp->data.str.len);
--      if (!smp->data.str.str || !&smp->data.str.len)
-+      if (!smp->data.str.str || !smp->data.str.len)
-               return 0;
- 
-       return 1;
--- 
-2.3.6
-