haproxy: update to 1.8.11.

resolves #478
2018-06-27 23:45:45 +00:00 · 2018-06-27 23:45:45 +00:00 · 7335f49caf
parent 98bbbad6b6
commit 7335f49caf
4 changed files with 106 additions and 63 deletions
--- a/srcpkgs/haproxy/patches/fix-libressl-2.5.patch
+++ b/srcpkgs/haproxy/patches/fix-libressl-2.5.patch
@ -1,46 +0,0 @@
--- src/ssl_sock.c.orig	2017-01-13 09:03:00 UTC
-+++ src/ssl_sock.c
-@@ -792,8 +792,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
- 		ocsp = NULL;
- 
- #ifndef SSL_CTX_get_tlsext_status_cb
-# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
-	*cb = (void (*) (void))ctx->tlsext_status_cb;
-+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
-+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
-+#endif
-+#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
-+	*cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)
- #endif
- 	SSL_CTX_get_tlsext_status_cb(ctx, &callback);
- 
-@@ -821,7 +824,10 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
- 		int key_type;
- 		EVP_PKEY *pkey;
- 
-#ifdef SSL_CTX_get_tlsext_status_arg
-+#if defined(SSL_CTX_get_tlsext_status_arg) || defined(LIBRESSL_VERSION_NUMBER)
-+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
-+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
-+#endif
- 		SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
- #else
- 		cb_arg = ctx->tlsext_status_arg;
-@@ -3537,7 +3543,7 @@ int ssl_sock_handshake(struct connection
- 					OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
- 					empty_handshake = state == TLS_ST_BEFORE;
- #else
-					empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
-+					empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
- #endif
- 
- 					if (empty_handshake) {
-@@ -3615,7 +3621,7 @@ int ssl_sock_handshake(struct connection
- 			state = SSL_get_state((SSL *)conn->xprt_ctx);
- 			empty_handshake = state == TLS_ST_BEFORE;
- #else
-			empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
-+			empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
- #endif
- 			if (empty_handshake) {
- 				if (!errno) {
--- a/srcpkgs/haproxy/patches/libressl-2.7.patch
+++ b/srcpkgs/haproxy/patches/libressl-2.7.patch
@ -0,0 +1,104 @@
+diff --git a/include/proto/openssl-compat.h include/proto/openssl-compat.h
+index b6fe1d2..551cae2 100644
+--- a/include/proto/openssl-compat.h
+++ include/proto/openssl-compat.h
+@@ -89,7 +89,7 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned cha
+ }
+ #endif
+ 
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL)
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L)) || defined(OPENSSL_IS_BORINGSSL)
+ /*
+  * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL / BoringSSL
+  */
+@@ -121,7 +121,7 @@ static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *
+ 
+ #endif
+ 
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L))
+ /*
+  * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
+  */
+diff --git a/src/ssl_sock.c src/ssl_sock.c
+index c2b5bf6..ebde76d 100644
+--- a/src/ssl_sock.c
+++ src/ssl_sock.c
+@@ -56,6 +56,14 @@
+ #include <openssl/engine.h>
+ #endif
+ 
+#if defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_ASYNC)
+#define OPENSSL_NO_ASYNC
+#endif
+
+#if defined(SSL_READ_EARLY_DATA_ERROR) && defined(SSL_READ_EARLY_DATA_SUCCESS)
+#define HAVE_SSL_READ_EARLY
+#endif
+
+ #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+ #include <openssl/async.h>
+ #endif
+@@ -2066,7 +2074,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
+ 	SSL_set_SSL_CTX(ssl, ctx);
+ }
+ 
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)
+#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) && !defined(LIBRESSL_VERSION_NUMBER)
+ 
+ static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
+ {
+@@ -3798,7 +3806,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
+ #ifdef OPENSSL_IS_BORINGSSL
+ 	SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
+ 	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
+-#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
+ 	SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
+ 	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
+ #else
+@@ -5052,7 +5060,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
+ 	if (!conn->xprt_ctx)
+ 		goto out_error;
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#if HAVE_SSL_READ_EARLY
+ 	/*
+ 	 * Check if we have early data. If we do, we have to read them
+ 	 * before SSL_do_handshake() is called, And there's no way to
+@@ -5252,7 +5260,7 @@ check_error:
+ 			goto out_error;
+ 		}
+ 	}
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if HAVE_SSL_READ_EARLY
+ 	else {
+ 		/*
+ 		 * If the server refused the early data, we have to send a
+@@ -5375,7 +5383,7 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
+ 			continue;
+ 		}
+ 
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if OPENSSL_READ_EARLY
+ 		if (conn->flags & CO_FL_EARLY_SSL_HS) {
+ 			size_t read_length;
+ 
+@@ -5512,7 +5520,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
+ 	 * in which case we accept to do it once again.
+ 	 */
+ 	while (buf->o) {
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if HAVE_SSL_EARLY_DATA
+ 		size_t written_data;
+ #endif
+ 
+@@ -5531,7 +5539,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
+ 			conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
+ 		}
+ 
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
+#if HAVE_SSL_EARLY_DATA
+ 		if (!SSL_is_init_finished(conn->xprt_ctx)) {
+ 			unsigned int max_early;
+ 
--- a/srcpkgs/haproxy/patches/patch-include_proto_openssl-compat_h.patch
+++ b/srcpkgs/haproxy/patches/patch-include_proto_openssl-compat_h.patch
@ -1,15 +0,0 @@
-$OpenBSD: patch-include_proto_openssl-compat_h,v 1.6 2018/03/20 21:57:55 sthen Exp $
-
-Index: include/proto/openssl-compat.h
--- include/proto/openssl-compat.h.orig
-+++ include/proto/openssl-compat.h
-@@ -89,7 +89,8 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESS
- }
- #endif
- 
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
-+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || \
-+    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
- /*
-  * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
-  */
--- a/srcpkgs/haproxy/template
+++ b/srcpkgs/haproxy/template
@ -1,6 +1,6 @@
 # Template file for 'haproxy'
 pkgname=haproxy
-version=1.7.11
+version=1.8.11
 revision=1
 build_style=gnu-makefile
 make_build_args="TARGET=linux2628 USE_PCRE=1 USE_PCRE_JIT=1 USE_ZLIB=1
@ -12,7 +12,7 @@ maintainer="Eivind Uggedal <eivind@uggedal.com>"
 license="GPL-2.0-or-later, LGPL-2.1-or-later"
 homepage="https://www.haproxy.org"
 distfiles="${homepage}/download/${version%.*}/src/${pkgname}-${version}.tar.gz"
-checksum=d564b8e9429d1e8e13cb648bf4694926b472e36da1079df946bb732927b232ea
+checksum=b4b403ceb5efe3c65c6d86e1a44fc0953189f12cdf0bd884e5df04bbabb27947
 make_dirs="$haproxy_homedir 0750 ${pkgname} ${pkgname}"
 conf_files="/etc/${pkgname}/${pkgname}.cfg"
 system_accounts="${pkgname}"