From 904a8b70d15e35efe0163e8b554edf778f9eace6 Mon Sep 17 00:00:00 2001 From: heil Date: Mon, 24 Aug 2015 10:44:59 +0200 Subject: [PATCH] haproxy: fixes for upstream version 1.5.14 - [PATCH 1/4] BUG/MINOR: log: missing some ARGC_* entries in - [PATCH 2/4] DOC: usesrc root privileges requirements - [PATCH 3/4] BUILD: ssl: Allow building against libssl without SSLv3. - [PATCH 4/4] DOC/MINOR: fix OpenBSD versions where haproxy works Signed-off-by: heil
---
net/haproxy/Makefile | 2 +- ...ssing-some-ARGC_-entries-in-fmt_dire.patch | 64 +++++++++++++++++++ ...-usesrc-root-privileges-requirements.patch | 27 ++++++++ ...building-against-libssl-without-SSLv.patch | 51 +++++++++++++++ ...OpenBSD-versions-where-haproxy-works.patch | 26 ++++++++ 5 files changed, 169 insertions(+), 1 deletion(-) create mode 100644 net/haproxy/patches/0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch create mode 100644 net/haproxy/patches/0002-DOC-usesrc-root-privileges-requirements.patch create mode 100644 net/haproxy/patches/0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch create mode 100644 net/haproxy/patches/0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 6ac8a3a634..40d6411415 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=haproxy
 PKG_VERSION:=1.5.14
-PKG_RELEASE:=00
+PKG_RELEASE:=04
 PKG_SOURCE:=haproxy-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://haproxy.1wt.eu/download/1.5/src/
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
diff --git a/net/haproxy/patches/0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch b/net/haproxy/patches/0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch
new file mode 100644
index 0000000000..72db4528b8
--- /dev/null
+++ b/net/haproxy/patches/0001-BUG-MINOR-log-missing-some-ARGC_-entries-in-fmt_dire.patch
@@ -0,0 +1,64 @@
+From df0a5960987b3cb663dcfa93d29c21acc13cd3e3 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau
+Date: Thu, 9 Jul 2015 11:20:00 +0200
+Subject: [PATCH 1/4] BUG/MINOR: log: missing some ARGC_* entries in
+ fmt_directives()
+
+ARGC_CAP was not added to fmt_directives() which is used to format
+error messages when failing to parse log format expressions. The
+whole switch/case has been reorganized to match the declaration
+order making it easier to spot missing values. The default is not
+the "log" directive anymore but "undefined" asking to report the
+bug.
+
+Backport to 1.5 is not strictly needed but is desirable at least
+for code sanity.
+(cherry picked from commit 53e1a6d31743b1bef6063ff30b812521391ae3c3)
+---
+ src/log.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/src/log.c b/src/log.c
+index 1a5ad25..f0a3072 100644
+--- a/src/log.c
++++ b/src/log.c
+@@ -167,22 +167,26 @@ struct logformat_var_args var_args_list[] = {
+ static inline const char *fmt_directive(const struct proxy *curproxy)
+ {
+ switch (curproxy->conf.args.ctx) {
+- case ARGC_UIF:
+- return "unique-id-format";
++ case ARGC_ACL:
++ return "acl";
++ case ARGC_STK:
++ return "stick";
++ case ARGC_TRK:
++ return "track-sc";
++ case ARGC_LOG:
++ return "log-format";
+ case ARGC_HRQ:
+ return "http-request";
+ case ARGC_HRS:
+ return "http-response";
+- case ARGC_STK:
+- return "stick";
+- case ARGC_TRK:
+- return "track-sc"; break;
++ case ARGC_UIF:
++ return "unique-id-format";
+ case ARGC_RDR:
+- return "redirect"; break;
+- case ARGC_ACL:
+- return "acl"; break;
++ return "redirect";
++ case ARGC_CAP:
++ return "capture";
+ default:
+- return "log-format";
++ return "undefined(please report this bug)"; /* must never happen */
+ }
+ }
+
+--
+2.3.6
+
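Review bot: The invariant this change relies on, that the cases in fmt_directive() follow the ARGC_* declaration order so a missing entry is easy to spot, is stated only in the commit message and nowhere in the new code. A comment above the switch such as `/* one case per ARGC_* value, kept in declaration order */` would help the next addition avoid repeating the ARGC_CAP omission. The fallback literal `"undefined(please report this bug)"` also lacks a space before the parenthesis, which will read oddly inside the parse-error message it is formatted into. The function body is fully visible in the nested hunk, but the ARGC_* declaration it has to match is not.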
diff --git a/net/haproxy/patches/0002-DOC-usesrc-root-privileges-requirements.patch b/net/haproxy/patches/0002-DOC-usesrc-root-privileges-requirements.patch
new file mode 100644
index 0000000000..0af6565800
--- /dev/null
+++ b/net/haproxy/patches/0002-DOC-usesrc-root-privileges-requirements.patch
@@ -0,0 +1,27 @@
+From ea31f225c2c93a25b8bef7a9241a89cecfd9d350 Mon Sep 17 00:00:00 2001
+From: Baptiste Assmann
+Date: Fri, 17 Jul 2015 21:59:42 +0200
+Subject: [PATCH 2/4] DOC: usesrc root privileges requirements
+
+The "usesrc" parameter of the source statement requires root privileges.
+(cherry picked from commit 91bd337d90cb347feda34b01402f3471c8a4833c)
+---
+ doc/configuration.txt | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/doc/configuration.txt b/doc/configuration.txt
+index 6714afb..64697a4 100644
+--- a/doc/configuration.txt
++++ b/doc/configuration.txt
+@@ -6117,6 +6117,8 @@ source [:] [interface ]
+ is possible at the server level using the "source" server option. Refer to
+ section 5 for more information.
+
++ In order to work, "usesrc" requires root privileges.
++
+ Examples :
+ backend private
+ # Connect to the servers using our 192.168.1.200 source address
+--
+2.3.6
+
diff --git a/net/haproxy/patches/0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch b/net/haproxy/patches/0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch
new file mode 100644
index 0000000000..074cedc84f
--- /dev/null
+++ b/net/haproxy/patches/0003-BUILD-ssl-Allow-building-against-libssl-without-SSLv.patch
@@ -0,0 +1,51 @@
+From eee374c28ea8ea22834ff14515b5584bc3e0c7b5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A9r=C3=A9mie=20Courr=C3=A8ges-Anglas?=
+Date: Sat, 25 Jul 2015 16:50:52 -0600
+Subject: [PATCH 3/4] BUILD: ssl: Allow building against libssl without SSLv3.
+
+If SSLv3 is explicitely requested but not available, warn the user and
+bail out.
+(cherry picked from commit 17c3f6284cf605e47f6525c077bc644c45272849)
+---
+ src/ssl_sock.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/ssl_sock.c b/src/ssl_sock.c
+index 7d77d36..2ae45ec 100644
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -1405,8 +1405,14 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
+ ssloptions |= SSL_OP_NO_TLSv1_2;
+ if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
+ ssloptions |= SSL_OP_NO_TICKET;
+- if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3)
++ if (bind_conf->ssl_options & BC_SSL_O_USE_SSLV3) {
++#ifndef OPENSSL_NO_SSL3
+ SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
++#else
++ Alert("SSLv3 support requested but unavailable.\n");
++ cfgerr++;
++#endif
++ }
+ if (bind_conf->ssl_options & BC_SSL_O_USE_TLSV10)
+ SSL_CTX_set_ssl_version(ctx, TLSv1_server_method());
+ #if SSL_OP_NO_TLSv1_1
+@@ -1750,8 +1756,14 @@ int ssl_sock_prepare_srv_ctx(struct server *srv, struct proxy *curproxy)
+ options |= SSL_OP_NO_TLSv1_2;
+ if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)
+ options |= SSL_OP_NO_TICKET;
+- if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3)
++ if (srv->ssl_ctx.options & SRV_SSL_O_USE_SSLV3) {
++#ifndef OPENSSL_NO_SSL3
+ SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, SSLv3_client_method());
++#else
++ Alert("SSLv3 support requested but unavailable.");
++ cfgerr++;
++#endif
++ }
+ if (srv->ssl_ctx.options & SRV_SSL_O_USE_TLSV10)
+ SSL_CTX_set_ssl_version(srv->ssl_ctx.ctx, TLSv1_client_method());
+ #if SSL_OP_NO_TLSv1_1
+--
+2.3.6
+
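Review bot: The `Alert()` added in the ssl_sock_prepare_srv_ctx hunk has no trailing newline, unlike the otherwise identical call in ssl_sock_prepare_ctx; it should read `Alert("SSLv3 support requested but unavailable.\n");`. Neither message says which bind line or server asked for SSLv3, so on a large configuration the operator cannot tell which entry to fix; `srv` and `curproxy` are parameters of the second function per its hunk header, so the message could name them. The guard tests only `OPENSSL_NO_SSL3`, so a libssl that removes the SSLv3 method functions under a different macro (OpenSSL also has `OPENSSL_NO_SSL3_METHOD`) would presumably still fail to build here, which is worth checking against the libssl this package links. Both function bodies and the declaration of `cfgerr` lie outside the hunks.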
diff --git a/net/haproxy/patches/0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch b/net/haproxy/patches/0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
new file mode 100644
index 0000000000..c769228fa5
--- /dev/null
+++ b/net/haproxy/patches/0004-DOC-MINOR-fix-OpenBSD-versions-where-haproxy-works.patch
@@ -0,0 +1,26 @@
+From e4766ba031e1fea8f2ca139316dc4e8209e960c2 Mon Sep 17 00:00:00 2001
+From: Daniel Jakots
+Date: Wed, 29 Jul 2015 08:03:08 +0200
+Subject: [PATCH 4/4] DOC/MINOR: fix OpenBSD versions where haproxy works
+
+(cherry picked from commit 17d228be14762b282e5262262c45ecee4c265552)
+---
+ README | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/README b/README
+index add7f06..e267730 100644
+--- a/README
++++ b/README
+@@ -39,7 +39,7 @@ and assign it to the TARGET variable :
+ - solaris for Solaris 8 or 10 (others untested)
+ - freebsd for FreeBSD 5 to 10 (others untested)
+ - osx for Mac OS/X
+- - openbsd for OpenBSD 3.1 to 5.2 (others untested)
++ - openbsd for OpenBSD 3.1 and above
+ - aix51 for AIX 5.1
+ - aix52 for AIX 5.2
+ - cygwin for Cygwin
+--
+2.3.6
+
-- 2.30.2