Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package haproxy for openSUSE:Factory checked
in at 2024-06-11 18:27:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/haproxy (Old)
and /work/SRC/openSUSE:Factory/.haproxy.new.19518 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy"
Tue Jun 11 18:27:29 2024 rev:144 rq:1179720 version:3.0.1+git0.471a1b2f1
Changes:
--------
--- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2024-06-03
17:41:44.919227508 +0200
+++ /work/SRC/openSUSE:Factory/.haproxy.new.19518/haproxy.changes
2024-06-11 18:27:56.701916368 +0200
@@ -1,0 +2,29 @@
+Mon Jun 10 14:52:46 UTC 2024 - mrueck...@suse.de
+
+- Update to version 3.0.1+git0.471a1b2f1:
+ * [RELEASE] Released version 3.0.1
+ * BUG/MINOR: mux-h1: Use the right variable to set NEGO_FF_FL_EXACT_SIZE flag
+ * BUG/MAJOR: mux-h1: Properly copy chunked input data during zero-copy nego
+ * BUG/MEDIUM: stconn/mux-h1: Fix suspect change causing timeouts
+ * BUG/MINOR: quic: ensure Tx buf is always purged
+ * BUG/MINOR: quic: fix computed length of emitted STREAM frames
+ * BUG/MEDIUM: ssl: bad auth selection with TLS1.2 and WolfSSL
+ * BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA
configuration
+ * BUG/MEDIUM: mux-quic: Don't unblock zero-copy fwding if blocked during nego
+ * CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()
+ * BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path
+ * BUG/MINOR: hlua: prevent LJMP in hlua_traceback()
+ * BUG/MINOR: hlua: fix unsafe hlua_pusherror() usage
+ * BUG/MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP
+ * CLEANUP: hlua: use hlua_pusherror() where relevant
+ * BUG/MINOR: quic: prevent crash on qc_kill_conn()
+ * BUG/MEDIUM: mux-quic: Unblock zero-copy forwarding if the txbuf can be
released
+ * MEDIUM: stconn: Be able to unblock zero-copy data forwarding from
done_fastfwd
+ * BUG/MEDIUM: h1-htx: Don't state interim responses are bodyless
+ * BUG/MINOR: hlua: use CertCache.set() from various hlua contexts
+ * DOC: configuration: add an example for keywords from crt-store
+ * BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory
+ * BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser
+ * BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state
warning
+
+-------------------------------------------------------------------
Old:
----
haproxy-3.0.0+git0.5590ada47.tar.gz
New:
----
haproxy-3.0.1+git0.471a1b2f1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ haproxy.spec ++++++
--- /var/tmp/diff_new_pack.y7VcPL/_old 2024-06-11 18:27:59.370013737 +0200
+++ /var/tmp/diff_new_pack.y7VcPL/_new 2024-06-11 18:27:59.370013737 +0200
@@ -53,7 +53,7 @@
%endif
Name: haproxy
-Version: 3.0.0+git0.5590ada47
+Version: 3.0.1+git0.471a1b2f1
Release: 0
#
#
++++++ _service ++++++
--- /var/tmp/diff_new_pack.y7VcPL/_old 2024-06-11 18:27:59.410015197 +0200
+++ /var/tmp/diff_new_pack.y7VcPL/_new 2024-06-11 18:27:59.418015489 +0200
@@ -6,7 +6,7 @@
<param name="versionformat">@PARENT_TAG@+git@TAG_OFFSET@.%h</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="versionrewrite-replacement">\1</param>
- <param name="revision">v3.0.0</param>
+ <param name="revision">v3.0.1</param>
<param name="changesgenerate">enable</param>
</service>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.y7VcPL/_old 2024-06-11 18:27:59.438016219 +0200
+++ /var/tmp/diff_new_pack.y7VcPL/_new 2024-06-11 18:27:59.442016364 +0200
@@ -1,7 +1,8 @@
<servicedata>
<service name="tar_scm">
<param name="url">http://git.haproxy.org/git/haproxy-3.0.git/</param>
- <param
name="changesrevision">5590ada4731a1f75004675680b4bdca61fa4c507</param>
+ <param
name="changesrevision">471a1b2f11d7367ac03056a3d840146741341b64</param>
</service>
</servicedata>
+(No newline at EOF)
++++++ haproxy-3.0.0+git0.5590ada47.tar.gz ->
haproxy-3.0.1+git0.471a1b2f1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/CHANGELOG
new/haproxy-3.0.1+git0.471a1b2f1/CHANGELOG
--- old/haproxy-3.0.0+git0.5590ada47/CHANGELOG 2024-05-29 14:43:38.000000000
+0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/CHANGELOG 2024-06-10 16:15:30.000000000
+0200
@@ -1,6 +1,31 @@
ChangeLog :
===========
+2024/06/10 : 3.0.1
+ - BUG/MINOR: cfgparse: remove the correct option on httpcheck send-state
warning
+ - BUG/MINOR: tcpcheck: report correct error in tcp-check rule parser
+ - BUG/MINOR: tools: fix possible null-deref in env_expand() on
out-of-memory
+ - DOC: configuration: add an example for keywords from crt-store
+ - BUG/MINOR: hlua: use CertCache.set() from various hlua contexts
+ - BUG/MEDIUM: h1-htx: Don't state interim responses are bodyless
+ - MEDIUM: stconn: Be able to unblock zero-copy data forwarding from
done_fastfwd
+ - BUG/MEDIUM: mux-quic: Unblock zero-copy forwarding if the txbuf can be
released
+ - BUG/MINOR: quic: prevent crash on qc_kill_conn()
+ - CLEANUP: hlua: use hlua_pusherror() where relevant
+ - BUG/MINOR: hlua: don't use lua_pushfstring() when we don't expect LJMP
+ - BUG/MINOR: hlua: fix unsafe hlua_pusherror() usage
+ - BUG/MINOR: hlua: prevent LJMP in hlua_traceback()
+ - BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path
+ - CLEANUP: hlua: simplify ambiguous lua_insert() usage in hlua_ctx_resume()
+ - BUG/MEDIUM: mux-quic: Don't unblock zero-copy fwding if blocked during
nego
+ - BUG/MEDIUM: ssl: wrong priority whem limiting ECDSA ciphers in ECDSA+RSA
configuration
+ - BUG/MEDIUM: ssl: bad auth selection with TLS1.2 and WolfSSL
+ - BUG/MINOR: quic: fix computed length of emitted STREAM frames
+ - BUG/MINOR: quic: ensure Tx buf is always purged
+ - BUG/MEDIUM: stconn/mux-h1: Fix suspect change causing timeouts
+ - BUG/MAJOR: mux-h1: Properly copy chunked input data during zero-copy
nego
+ - BUG/MINOR: mux-h1: Use the right variable to set NEGO_FF_FL_EXACT_SIZE
flag
+
2024/05/29 : 3.0.0
- MINOR: sample: implement the uptime sample fetch
- CI: scripts: fix build of vtest regarding option -C
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/VERDATE
new/haproxy-3.0.1+git0.471a1b2f1/VERDATE
--- old/haproxy-3.0.0+git0.5590ada47/VERDATE 2024-05-29 14:43:38.000000000
+0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/VERDATE 2024-06-10 16:15:30.000000000
+0200
@@ -1,2 +1,2 @@
$Format:%ci$
-2024/05/29
+2024/06/10
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/VERSION
new/haproxy-3.0.1+git0.471a1b2f1/VERSION
--- old/haproxy-3.0.0+git0.5590ada47/VERSION 2024-05-29 14:43:38.000000000
+0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/VERSION 2024-06-10 16:15:30.000000000
+0200
@@ -1 +1 @@
-3.0.0
+3.0.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/doc/configuration.txt
new/haproxy-3.0.1+git0.471a1b2f1/doc/configuration.txt
--- old/haproxy-3.0.0+git0.5590ada47/doc/configuration.txt 2024-05-29
14:43:38.000000000 +0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/doc/configuration.txt 2024-06-10
16:15:30.000000000 +0200
@@ -3,7 +3,7 @@
Configuration Manual
----------------------
version 3.0
- 2024/05/29
+ 2024/06/10
This document covers the configuration language as implemented in the version
@@ -16141,6 +16141,7 @@
certS.pem [curves X25519:P-256 ciphers ECDHE-ECDSA-AES256-GCM-SHA384]
secure.domain.tld
default.pem.rsa *
default.pem.ecdsa *
+ foo.crt [key bar.pem ocsp foo.ocsp ocsp-update on] foo.bar.com
default-crt <cert>
This option does the same as the "crt" option, with the difference that this
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/doc/lua-api/index.rst
new/haproxy-3.0.1+git0.471a1b2f1/doc/lua-api/index.rst
--- old/haproxy-3.0.0+git0.5590ada47/doc/lua-api/index.rst 2024-05-29
14:43:38.000000000 +0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/doc/lua-api/index.rst 2024-06-10
16:15:30.000000000 +0200
@@ -4463,6 +4463,10 @@
:param string certificate.issuer: The certificate of the OCSP issuer.
:param string certificate.sctl: An SCTL file.
+ .. Note::
+ This function may be slow. As such, it may only be used during startup
+ (main or init context) or from a yield-capable runtime context.
+
.. code-block:: lua
CertCache.set{filename="certs/localhost9994.pem.rsa", crt=crt}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/haproxy-3.0.0+git0.5590ada47/include/haproxy/stconn-t.h
new/haproxy-3.0.1+git0.471a1b2f1/include/haproxy/stconn-t.h
--- old/haproxy-3.0.0+git0.5590ada47/include/haproxy/stconn-t.h 2024-05-29
14:43:38.000000000 +0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/include/haproxy/stconn-t.h 2024-06-10
16:15:30.000000000 +0200
@@ -39,6 +39,7 @@
* .done_fastfwd() on consumer
side must take care of this flag
*/
IOBUF_FL_EOI = 0x00000010, /* A EOI was encountered on
producer side */
+ IOBUF_FL_FF_WANT_ROOM = 0x00000020, /* Producer need more room in
the IOBUF to forward data */
};
/* Flags used */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/haproxy-3.0.0+git0.5590ada47/include/haproxy/stconn.h
new/haproxy-3.0.1+git0.471a1b2f1/include/haproxy/stconn.h
--- old/haproxy-3.0.0+git0.5590ada47/include/haproxy/stconn.h 2024-05-29
14:43:38.000000000 +0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/include/haproxy/stconn.h 2024-06-10
16:15:30.000000000 +0200
@@ -474,7 +474,7 @@
if (se_fl_test(se, SE_FL_T_MUX)) {
const struct mux_ops *mux = se->conn->mux;
- se->iobuf.flags &= ~IOBUF_FL_FF_BLOCKED;
+ se->iobuf.flags &= ~(IOBUF_FL_FF_BLOCKED|IOBUF_FL_FF_WANT_ROOM);
if (mux->nego_fastfwd && mux->done_fastfwd) {
/* Disable zero-copy forwarding if EOS or an error was
reported. */
if (se_fl_test(se,
SE_FL_EOS|SE_FL_ERROR|SE_FL_ERR_PENDING)) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/src/applet.c
new/haproxy-3.0.1+git0.471a1b2f1/src/applet.c
--- old/haproxy-3.0.0+git0.5590ada47/src/applet.c 2024-05-29
14:43:38.000000000 +0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/src/applet.c 2024-06-10
16:15:30.000000000 +0200
@@ -694,7 +694,7 @@
if (se_fl_test(appctx->sedesc, SE_FL_WANT_ROOM)) {
/* The applet request more room, report the info at the iobuf
level */
- sdo->iobuf.flags |= IOBUF_FL_FF_BLOCKED;
+ sdo->iobuf.flags |= (IOBUF_FL_FF_BLOCKED|IOBUF_FL_FF_WANT_ROOM);
TRACE_STATE("waiting for more room",
APPLET_EV_RECV|APPLET_EV_BLK, appctx);
}
@@ -716,8 +716,9 @@
/* else */
/* applet_have_more_data(appctx); */
- if (se_done_ff(sdo) != 0) {
- /* Something was forwarding, don't reclaim more room */
+ if (se_done_ff(sdo) != 0 || !(sdo->iobuf.flags &
(IOBUF_FL_FF_BLOCKED|IOBUF_FL_FF_WANT_ROOM))) {
+ /* Something was forwarding or the consumer states it is not
+ * blocked anyore, don't reclaim more room */
se_fl_clr(appctx->sedesc, SE_FL_WANT_ROOM);
TRACE_STATE("more room available",
APPLET_EV_RECV|APPLET_EV_BLK, appctx);
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/src/cfgparse.c
new/haproxy-3.0.1+git0.471a1b2f1/src/cfgparse.c
--- old/haproxy-3.0.0+git0.5590ada47/src/cfgparse.c 2024-05-29
14:43:38.000000000 +0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/src/cfgparse.c 2024-06-10
16:15:30.000000000 +0200
@@ -3053,7 +3053,7 @@
ha_warning("'%s' will be ignored for %s '%s'
(requires 'option httpchk').\n",
"send-state",
proxy_type_str(curproxy), curproxy->id);
err_code |= ERR_WARN;
- curproxy->options &= ~PR_O2_CHK_SNDST;
+ curproxy->options2 &= ~PR_O2_CHK_SNDST;
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/src/h1_htx.c
new/haproxy-3.0.1+git0.471a1b2f1/src/h1_htx.c
--- old/haproxy-3.0.0+git0.5590ada47/src/h1_htx.c 2024-05-29
14:43:38.000000000 +0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/src/h1_htx.c 2024-06-10
16:15:30.000000000 +0200
@@ -295,7 +295,8 @@
/* Responses known to have no body. */
h1m->flags |= H1_MF_XFER_LEN;
h1m->curr_len = h1m->body_len = 0;
- flags |= HTX_SL_F_BODYLESS_RESP;
+ if (code >= 200)
+ flags |= HTX_SL_F_BODYLESS_RESP;
}
else if (h1m->flags & (H1_MF_CLEN|H1_MF_CHNK)) {
/* Responses with a known body length. */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/src/hlua.c
new/haproxy-3.0.1+git0.471a1b2f1/src/hlua.c
--- old/haproxy-3.0.0+git0.5590ada47/src/hlua.c 2024-05-29 14:43:38.000000000
+0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/src/hlua.c 2024-06-10 16:15:30.000000000
+0200
@@ -260,6 +260,70 @@
return str;
}
+/* below is an helper function similar to lua_pushvfstring() to push a
+ * formatted string on Lua stack but in a safe way (function may not LJMP).
+ * It can be useful to push allocated strings (ie: error messages) on the
+ * stack and ensure proper cleanup.
+ *
+ * Returns a pointer to the internal copy of the string on success and NULL
+ * on error.
+ *
+ * It is assumed that the calling function is allowed to manipulate <L>
+ */
+__LJMP static int _hlua_pushvfstring_safe(lua_State *L)
+{
+ const char **dst = lua_touserdata(L, 1);
+ const char *fmt = lua_touserdata(L, 2);
+ va_list *argp = lua_touserdata(L, 3);
+
+ *dst = lua_pushvfstring(L, fmt, *argp);
+ return 1;
+}
+static const char *hlua_pushvfstring_safe(lua_State *L, const char *fmt,
va_list argp)
+{
+ const char *dst = NULL;
+ va_list cpy_argp; /* required if argp is implemented as array type */
+
+ if (!lua_checkstack(L, 4))
+ return NULL;
+
+ va_copy(cpy_argp, argp);
+
+ /* push our custom _hlua_pushvfstring_safe() function on the stack, then
+ * push our destination string pointer, fmt and arg list
+ */
+ lua_pushcfunction(L, _hlua_pushvfstring_safe);
+ lua_pushlightuserdata(L, &dst); // 1st func argument = dst
string pointer
+ lua_pushlightuserdata(L, (void *)fmt); // 2nd func argument = fmt
+ lua_pushlightuserdata(L, &cpy_argp); // 3rd func argument = arg list
+
+ /* call our custom function with proper arguments using pcall() to catch
+ * exceptions (if any)
+ */
+ switch (lua_pcall(L, 3, 1, 0)) {
+ case LUA_OK:
+ break;
+ default:
+ /* error was caught */
+ dst = NULL;
+ }
+ va_end(cpy_argp);
+
+ return dst;
+}
+
+static const char *hlua_pushfstring_safe(lua_State *L, const char *fmt, ...)
+{
+ va_list argp;
+ const char *dst;
+
+ va_start(argp, fmt);
+ dst = hlua_pushvfstring_safe(L, fmt, argp);
+ va_end(argp);
+
+ return dst;
+}
+
#define SET_SAFE_LJMP_L(__L, __HLUA) \
({ \
int ret; \
@@ -784,20 +848,41 @@
luaL_unref(L, LUA_REGISTRYINDEX, ref);
}
-__LJMP const char *hlua_traceback(lua_State *L, const char* sep)
+__LJMP static int _hlua_traceback(lua_State *L)
+{
+ lua_Debug *ar = lua_touserdata(L, 1);
+
+ /* Fill fields:
+ * 'S': fills in the fields source, short_src, linedefined,
lastlinedefined, and what;
+ * 'l': fills in the field currentline;
+ * 'n': fills in the field name and namewhat;
+ * 't': fills in the field istailcall;
+ */
+ return lua_getinfo(L, "Slnt", ar);
+}
+
+
+/* This function cannot fail (output will simply be truncated upon errors) */
+const char *hlua_traceback(lua_State *L, const char* sep)
{
lua_Debug ar;
int level = 0;
struct buffer *msg = get_trash_chunk();
while (lua_getstack(L, level++, &ar)) {
- /* Fill fields:
- * 'S': fills in the fields source, short_src, linedefined,
lastlinedefined, and what;
- * 'l': fills in the field currentline;
- * 'n': fills in the field name and namewhat;
- * 't': fills in the field istailcall;
- */
- lua_getinfo(L, "Slnt", &ar);
+ if (!lua_checkstack(L, 2))
+ goto end; // abort
+
+ lua_pushcfunction(L, _hlua_traceback);
+ lua_pushlightuserdata(L, &ar);
+
+ /* safe getinfo */
+ switch (lua_pcall(L, 1, 1, 0)) {
+ case LUA_OK:
+ break;
+ default:
+ goto end; // abort
+ }
/* skip these empty entries, usually they come from deep C
functions */
if (ar.currentline < 0 && *ar.what == 'C' && !*ar.namewhat &&
!ar.name)
@@ -838,6 +923,7 @@
chunk_appendf(msg, " ...");
}
+ end:
return msg->area;
}
@@ -855,16 +941,50 @@
/* This function pushes an error string prefixed by the file name
* and the line number where the error is encountered.
+ *
+ * It returns 1 on success and 0 on failure (function won't LJMP)
*/
+__LJMP static int _hlua_pusherror(lua_State *L)
+{
+ const char *fmt = lua_touserdata(L, 1);
+ va_list *argp = lua_touserdata(L, 2);
+
+ luaL_where(L, 2);
+ lua_pushvfstring(L, fmt, *argp);
+ lua_concat(L, 2);
+
+ return 1;
+}
static int hlua_pusherror(lua_State *L, const char *fmt, ...)
{
va_list argp;
+ int ret = 1;
+
+ if (!lua_checkstack(L, 3))
+ return 0;
+
va_start(argp, fmt);
- luaL_where(L, 1);
- lua_pushvfstring(L, fmt, argp);
+
+ /* push our custom _hlua_pusherror() function on the stack, then
+ * push fmt and arg list
+ */
+ lua_pushcfunction(L, _hlua_pusherror);
+ lua_pushlightuserdata(L, (void *)fmt); // 1st func argument = fmt
+ lua_pushlightuserdata(L, &argp); // 2nd func argument = arg list
+
+ /* call our custom function with proper arguments using pcall() to catch
+ * exceptions (if any)
+ */
+ switch (lua_pcall(L, 2, 1, 0)) {
+ case LUA_OK:
+ break;
+ default:
+ ret = 0;
+ }
+
va_end(argp);
- lua_concat(L, 2);
- return 1;
+
+ return ret;
}
/* This functions is used with sample fetch and converters. It
@@ -1367,8 +1487,8 @@
}
reg = regex_comp(argp[idx].data.str.area,
!(argp[idx].type_flags & ARGF_REG_ICASE), 1, &err);
if (!reg) {
- msg = lua_pushfstring(L, "error compiling regex
'%s' : '%s'",
- argp[idx].data.str.area,
err);
+ msg = hlua_pushfstring_safe(L, "error compiling
regex '%s' : '%s'",
+
argp[idx].data.str.area, err);
free(err);
goto error;
}
@@ -1388,7 +1508,8 @@
ul =
auth_find_userlist(argp[idx].data.str.area);
if (!ul) {
- msg = lua_pushfstring(L, "unable to find
userlist '%s'", argp[idx].data.str.area);
+ msg = hlua_pushfstring_safe(L, "unable to find
userlist '%s'",
+
argp[idx].data.str.area);
goto error;
}
argp[idx].type = ARGT_USR;
@@ -1412,9 +1533,9 @@
/* Check for type of argument. */
if ((mask & ARGT_MASK) != argp[idx].type) {
- msg = lua_pushfstring(L, "'%s' expected, got '%s'",
- arg_type_names[(mask &
ARGT_MASK)],
- arg_type_names[argp[idx].type &
ARGT_MASK]);
+ msg = hlua_pushfstring_safe(L, "'%s' expected, got
'%s'",
+ arg_type_names[(mask &
ARGT_MASK)],
+
arg_type_names[argp[idx].type & ARGT_MASK]);
goto error;
}
@@ -1960,12 +2081,14 @@
msg = hlua_tostring_safe(lua->T, -1);
trace = hlua_traceback(lua->T, ", ");
if (msg)
- lua_pushfstring(lua->T, "[state-id %d] runtime error:
%s from %s", lua->state_id, msg, trace);
+ hlua_pushfstring_safe(lua->T, "[state-id %d] runtime
error: %s from %s",
+ lua->state_id, msg, trace);
else
- lua_pushfstring(lua->T, "[state-id %d] unknown runtime
error from %s", lua->state_id, trace);
+ hlua_pushfstring_safe(lua->T, "[state-id %d] unknown
runtime error from %s",
+ lua->state_id, trace);
- /* Move the error msg at the top and then empty the stack
except last msg */
- lua_insert(lua->T, -lua_gettop(lua->T));
+ /* Move the error msg at the bottom and then empty the stack
except last msg */
+ lua_insert(lua->T, 1);
lua_settop(lua->T, 1);
ret = HLUA_E_ERRMSG;
break;
@@ -1984,12 +2107,14 @@
}
msg = hlua_tostring_safe(lua->T, -1);
if (msg)
- lua_pushfstring(lua->T, "[state-id %d] message handler
error: %s", lua->state_id, msg);
+ hlua_pushfstring_safe(lua->T, "[state-id %d] message
handler error: %s",
+ lua->state_id, msg);
else
- lua_pushfstring(lua->T, "[state-id %d] message handler
error", lua->state_id);
+ hlua_pushfstring_safe(lua->T, "[state-id %d] message
handler error",
+ lua->state_id);
- /* Move the error msg at the top and then empty the stack
except last msg */
- lua_insert(lua->T, -lua_gettop(lua->T));
+ /* Move the error msg at the bottom and then empty the stack
except last msg */
+ lua_insert(lua->T, 1);
lua_settop(lua->T, 1);
ret = HLUA_E_ERRMSG;
break;
@@ -2369,9 +2494,7 @@
/* error case: we can't use luaL_error because we must
* free the err variable.
*/
- luaL_where(L, 1);
- lua_pushfstring(L, "'new': %s.", err);
- lua_concat(L, 2);
+ hlua_pusherror(L, "'new': %s.", err);
free(err);
chunk_destroy(&args[0].data.str);
WILL_LJMP(lua_error(L));
@@ -4702,7 +4825,7 @@
/* Run the special args checker. */
if (f->val_args && !f->val_args(args, NULL)) {
- lua_pushfstring(L, "error in arguments");
+ hlua_pushfstring_safe(L, "error in arguments");
goto error;
}
@@ -12989,8 +13112,10 @@
list_for_each_entry_from(ckchi, &old_ckchs->ckch_inst, by_ckchs) {
struct ckch_inst *new_inst;
- /* it takes a lot of CPU to creates SSL_CTXs, so we yield every
10 CKCH instances */
- if (y % 10 == 0) {
+ /* it takes a lot of CPU to creates SSL_CTXs, so we yield every
10 CKCH instances
+ * during runtime
+ */
+ if (hlua && (y % 10) == 0) {
*lua_ckchi = ckchi;
@@ -13018,8 +13143,9 @@
error:
ckch_store_free(new_ckchs);
HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
- WILL_LJMP(luaL_error(L, "%s", err));
+ hlua_pushfstring_safe(L, "%s", err);
free(err);
+ WILL_LJMP(lua_error(L));
return 0;
}
@@ -13053,6 +13179,14 @@
WILL_LJMP(luaL_error(L, "'CertCache.set' needs a table as
argument"));
hlua = hlua_gethlua(L);
+ if (hlua && HLUA_CANT_YIELD(hlua)) {
+ /* using hlua_ckch_set() during runtime from a context that
+ * doesn't allow yielding (e.g.: fetches) is not supported
+ * as it may cause contention.
+ */
+ WILL_LJMP(luaL_error(L, "Cannot use CertCache.set from a "
+ "non-yield capable runtime context"));
+ }
/* FIXME: this should not return an error but should come back later */
if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock))
@@ -13135,15 +13269,28 @@
lua_ckchi = lua_newuserdata(L, sizeof(struct ckch_inst *));
*lua_ckchi = NULL;
- task_wakeup(hlua->task, TASK_WOKEN_MSG);
- MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_ckch_commit_yield, TICK_ETERNITY,
0));
+ if (hlua) {
+ /* yield right away to let hlua_ckch_commit_yield() benefit from
+ * a fresh task cycle on next wakeup
+ */
+ task_wakeup(hlua->task, TASK_WOKEN_MSG);
+ MAY_LJMP(hlua_yieldk(L, 0, 0, hlua_ckch_commit_yield,
TICK_ETERNITY, 0));
+ } else {
+ /* body/init context: yielding not available, perform the
commit as a
+ * 1-shot operation (may be slow, but haproxy process is
starting so
+ * it is acceptable)
+ */
+ hlua_ckch_commit_yield(L, LUA_OK, 0);
+ }
end:
HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
if (errcode & ERR_CODE) {
ckch_store_free(new_ckchs);
- WILL_LJMP(luaL_error(L, "%s", err));
+ hlua_pushfstring_safe(L, "%s", err);
+ free(err);
+ WILL_LJMP(lua_error(L));
}
free(err);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/src/mux_h1.c
new/haproxy-3.0.1+git0.471a1b2f1/src/mux_h1.c
--- old/haproxy-3.0.0+git0.5590ada47/src/mux_h1.c 2024-05-29
14:43:38.000000000 +0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/src/mux_h1.c 2024-06-10
16:15:30.000000000 +0200
@@ -4376,7 +4376,7 @@
do_shutw:
h1_close(h1c);
- if (mode & SE_SHW_NORMAL)
+ if (!(mode & SE_SHW_NORMAL))
h1c->flags |= H1C_F_SILENT_SHUT;
if (!b_data(&h1c->obuf))
@@ -4724,7 +4724,9 @@
if (xfer > b_data(input))
xfer = b_data(input);
+ h1c->obuf.head += offset;
h1s->sd->iobuf.data = b_xfer(&h1c->obuf, input, xfer);
+ h1c->obuf.head -= offset;
/* Cannot forward more data, wait for room */
if (b_data(input))
@@ -4860,7 +4862,7 @@
ret = 0;
if (h1m->state == H1_MSG_DATA && (h1m->flags & (H1_MF_CHNK|H1_MF_CLEN))
&& count > h1m->curr_len) {
- flags |= NEGO_FF_FL_EXACT_SIZE;
+ nego_flags |= NEGO_FF_FL_EXACT_SIZE;
count = h1m->curr_len;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/src/mux_quic.c
new/haproxy-3.0.1+git0.471a1b2f1/src/mux_quic.c
--- old/haproxy-3.0.0+git0.5590ada47/src/mux_quic.c 2024-05-29
14:43:38.000000000 +0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/src/mux_quic.c 2024-06-10
16:15:30.000000000 +0200
@@ -3046,8 +3046,17 @@
qcs->flags |= QC_SF_FIN_STREAM;
}
- if (!(qcs->flags & QC_SF_FIN_STREAM) && !sd->iobuf.data)
+ if (!(qcs->flags & QC_SF_FIN_STREAM) && !sd->iobuf.data) {
+ TRACE_STATE("no data sent", QMUX_EV_STRM_SEND, qcs->qcc->conn,
qcs);
+
+ /* There is nothing to forward and the SD was blocked after a
+ * successful nego by the producer. We can try to release the
+ * TXBUF to retry. In this case, the TX buf MUST exist.
+ */
+ if ((qcs->sd->iobuf.flags & IOBUF_FL_FF_WANT_ROOM) &&
!qcc_release_stream_txbuf(qcs))
+ qcs->sd->iobuf.flags &=
~(IOBUF_FL_FF_BLOCKED|IOBUF_FL_FF_WANT_ROOM);
goto end;
+ }
data += sd->iobuf.offset;
total = qcs->qcc->app_ops->done_ff(qcs);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/src/quic_conn.c
new/haproxy-3.0.1+git0.471a1b2f1/src/quic_conn.c
--- old/haproxy-3.0.0+git0.5590ada47/src/quic_conn.c 2024-05-29
14:43:38.000000000 +0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/src/quic_conn.c 2024-06-10
16:15:30.000000000 +0200
@@ -161,7 +161,9 @@
TRACE_PROTO("killing the connection", QUIC_EV_CONN_KILL, qc);
qc->flags |= QUIC_FL_CONN_TO_KILL;
qc->flags &= ~QUIC_FL_CONN_RETRANS_NEEDED;
- task_wakeup(qc->idle_timer_task, TASK_WOKEN_OTHER);
+
+ if (!(qc->flags & QUIC_FL_CONN_EXP_TIMER))
+ task_wakeup(qc->idle_timer_task, TASK_WOKEN_OTHER);
qc_notify_err(qc);
@@ -549,11 +551,8 @@
{
struct list send_list = LIST_HEAD_INIT(send_list);
struct quic_conn *qc = context;
- struct quic_enc_level *qel;
TRACE_ENTER(QUIC_EV_CONN_IO_CB, qc);
-
- qel = qc->ael;
TRACE_STATE("connection handshake state", QUIC_EV_CONN_IO_CB, qc,
&qc->state);
if (qc_test_fd(qc))
@@ -592,11 +591,10 @@
goto out;
}
- if (!qel_need_sending(qel, qc))
- goto out;
-
/* XXX TODO: how to limit the list frames to send */
- qel_register_send(&send_list, qel, &qel->pktns->tx.frms);
+ if (qel_need_sending(qc->ael, qc))
+ qel_register_send(&send_list, qc->ael,
&qc->ael->pktns->tx.frms);
+
if (!qc_send(qc, 0, &send_list)) {
TRACE_DEVEL("qc_send() failed", QUIC_EV_CONN_IO_CB, qc);
goto out;
@@ -802,10 +800,6 @@
qel_register_send(&send_list, qel,
&qel->pktns->tx.frms);
}
- /* Skip sending if no QEL with frames to sent. */
- if (LIST_ISEMPTY(&send_list))
- goto out;
-
if (!qc_send(qc, 0, &send_list)) {
TRACE_DEVEL("qc_send() failed", QUIC_EV_CONN_IO_CB, qc);
goto out;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/src/quic_tx.c
new/haproxy-3.0.1+git0.471a1b2f1/src/quic_tx.c
--- old/haproxy-3.0.0+git0.5590ada47/src/quic_tx.c 2024-05-29
14:43:38.000000000 +0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/src/quic_tx.c 2024-06-10
16:15:30.000000000 +0200
@@ -691,7 +691,7 @@
int qc_send(struct quic_conn *qc, int old_data, struct list *send_list)
{
struct quic_enc_level *qel, *tmp_qel;
- int ret, status = 0;
+ int ret = 0, status = 0;
struct buffer *buf;
TRACE_ENTER(QUIC_EV_CONN_TXPKT, qc);
@@ -713,7 +713,7 @@
}
/* Prepare and send packets until we could not further prepare packets.
*/
- do {
+ while (!LIST_ISEMPTY(send_list)) {
/* Buffer must always be empty before qc_prep_pkts() usage.
* qc_send_ppkts() ensures it is cleared on success.
*/
@@ -727,7 +727,12 @@
qc_txb_release(qc);
goto out;
}
- } while (ret > 0 && !LIST_ISEMPTY(send_list));
+
+ if (ret <= 0) {
+ TRACE_DEVEL("stopping on qc_prep_pkts() return",
QUIC_EV_CONN_TXPKT, qc);
+ break;
+ }
+ }
qc_txb_release(qc);
if (ret < 0)
@@ -1425,6 +1430,7 @@
ret = 0;
if (*len > room)
goto leave;
+ room -= *len;
/* If we are not probing we must take into an account the congestion
* control window.
@@ -1458,8 +1464,8 @@
QUIC_EV_CONN_BCFRMS, qc, &room, len);
/* Compute the length of this CRYPTO frame header */
hlen = 1 + quic_int_getsize(cf->crypto.offset);
- /* Compute the data length of this CRyPTO frame. */
- dlen = max_stream_data_size(room, *len + hlen,
cf->crypto.len);
+ /* Compute the data length of this CRYPTO frame. */
+ dlen = max_stream_data_size(room, hlen, cf->crypto.len);
TRACE_DEVEL(" CRYPTO data length (hlen, crypto.len,
dlen)",
QUIC_EV_CONN_BCFRMS, qc, &hlen,
&cf->crypto.len, &dlen);
if (!dlen)
@@ -1550,7 +1556,7 @@
hlen = 1 + quic_int_getsize(cf->stream.id) +
((cf->type & QUIC_STREAM_FRAME_TYPE_OFF_BIT) ?
quic_int_getsize(cf->stream.offset.key) : 0);
/* Compute the data length of this STREAM frame. */
- avail_room = room - hlen - *len;
+ avail_room = room - hlen;
if ((ssize_t)avail_room <= 0)
continue;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/src/ssl_sock.c
new/haproxy-3.0.1+git0.471a1b2f1/src/ssl_sock.c
--- old/haproxy-3.0.0+git0.5590ada47/src/ssl_sock.c 2024-05-29
14:43:38.000000000 +0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/src/ssl_sock.c 2024-06-10
16:15:30.000000000 +0200
@@ -2268,10 +2268,14 @@
}
if (has_ecdsa_sig) { /* in very rare case: has ecdsa sign but not a
ECDSA cipher */
const SSL_CIPHER *cipher;
+ STACK_OF(SSL_CIPHER) *ha_ciphers; /* haproxy side ciphers */
uint32_t cipher_id;
size_t len;
const uint8_t *cipher_suites;
+
+ ha_ciphers = SSL_get_ciphers(ssl);
has_ecdsa_sig = 0;
+
#ifdef OPENSSL_IS_BORINGSSL
len = ctx->cipher_suites_len;
cipher_suites = ctx->cipher_suites;
@@ -2290,6 +2294,10 @@
if (!cipher)
continue;
+ /* check if this cipher is available in haproxy
configuration */
+ if (sk_SSL_CIPHER_find(ha_ciphers, cipher) == -1)
+ continue;
+
cipher_id = SSL_CIPHER_get_id(cipher);
/* skip the SCSV "fake" signaling ciphersuites because
they are NID_auth_any (RFC 7507) */
if (cipher_id == SSL3_CK_SCSV || cipher_id ==
SSL3_CK_FALLBACK_SCSV)
@@ -2556,6 +2564,10 @@
return 0;
if (SSL_version(ssl) != TLS1_3_VERSION) {
+
+ /* with TLS <= 1.2, we must use the auth which is
provided by the cipher, but we don't need to
+ * consider the auth provided by the signature
algorithms */
+
for (idx = 0; idx < suiteSz; idx += 2) {
WOLFSSL_CIPHERSUITE_INFO info;
info =
wolfSSL_get_ciphersuite_info(suites[idx], suites[idx+1]);
@@ -2564,23 +2576,22 @@
else if (info.eccAuth)
has_ecdsa_sig = 1;
}
- }
+ } else {
+ /* with TLS >= 1.3, we must use the auth which is
provided by the signature algorithms because
+ * the ciphers does not provide the auth */
- if (hashSigAlgoSz > 0) {
- /* sigalgs extension takes precedence over ciphersuites
*/
- has_ecdsa_sig = 0;
- has_rsa_sig = 0;
- }
- for (idx = 0; idx < hashSigAlgoSz; idx += 2) {
- int hashAlgo;
- int sigAlgo;
-
- wolfSSL_get_sigalg_info(hashSigAlgo[idx+0],
hashSigAlgo[idx+1], &hashAlgo, &sigAlgo);
-
- if (sigAlgo == RSAk || sigAlgo == RSAPSSk)
- has_rsa_sig = 1;
- else if (sigAlgo == ECDSAk)
- has_ecdsa_sig = 1;
+ for (idx = 0; idx < hashSigAlgoSz; idx += 2) {
+ int hashAlgo;
+ int sigAlgo;
+
+ wolfSSL_get_sigalg_info(hashSigAlgo[idx+0],
hashSigAlgo[idx+1], &hashAlgo, &sigAlgo);
+
+ if (sigAlgo == RSAk || sigAlgo == RSAPSSk)
+ has_rsa_sig = 1;
+ else if (sigAlgo == ECDSAk)
+ has_ecdsa_sig = 1;
+
+ }
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/src/tcpcheck.c
new/haproxy-3.0.1+git0.471a1b2f1/src/tcpcheck.c
--- old/haproxy-3.0.0+git0.5590ada47/src/tcpcheck.c 2024-05-29
14:43:38.000000000 +0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/src/tcpcheck.c 2024-06-10
16:15:30.000000000 +0200
@@ -3434,7 +3434,7 @@
px->conf.args.ctx = ARGC_SRV;
lf_expr_init(&chk->expect.hdr.value_fmt);
if (!parse_logformat_string(vpat, px,
&chk->expect.hdr.value_fmt, 0, SMP_VAL_BE_CHK_RUL, errmsg)) {
- memprintf(errmsg, "'%s' invalid log-format
string (%s).\n", npat, *errmsg);
+ memprintf(errmsg, "'%s' invalid log-format
string (%s).\n", vpat, *errmsg);
goto error;
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/haproxy-3.0.0+git0.5590ada47/src/tools.c
new/haproxy-3.0.1+git0.471a1b2f1/src/tools.c
--- old/haproxy-3.0.0+git0.5590ada47/src/tools.c 2024-05-29
14:43:38.000000000 +0200
+++ new/haproxy-3.0.1+git0.471a1b2f1/src/tools.c 2024-06-10
16:15:30.000000000 +0200
@@ -4627,8 +4627,9 @@
* corresponding value. A variable is identified as a series of alphanumeric
* characters or underscores following a '$' sign. The <in> string must be
* free()able. NULL returns NULL. The resulting string might be reallocated if
- * some expansion is made. Variable names may also be enclosed into braces if
- * needed (eg: to concatenate alphanum characters).
+ * some expansion is made (an NULL will be returned on failure). Variable names
+ * may also be enclosed into braces if needed (eg: to concatenate alphanum
+ * characters).
*/
char *env_expand(char *in)
{
@@ -4683,6 +4684,9 @@
}
out = my_realloc2(out, out_len + (txt_end - txt_beg) + val_len
+ 1);
+ if (!out)
+ goto leave;
+
if (txt_end > txt_beg) {
memcpy(out + out_len, txt_beg, txt_end - txt_beg);
out_len += txt_end - txt_beg;
@@ -4697,6 +4701,7 @@
/* here we know that <out> was allocated and that we don't need <in>
anymore */
free(in);
+leave:
return out;
}
