author | Natanael Copa <ncopa@alpinelinux.org> | 2018-04-03 16:24:28 +0000 |
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-04-06 05:19:22 +0000 |
commit | d32f982f0bbdfe3b902408920923d1d44ab88471 (patch) | |
tree | cb6d6e89b2b3591f2d37a68a481563ebcd843c50 /main/haproxy | |
parent | 2669e3894ee58106980e2c92881a7faf19c681bb (diff) | |
main/haproxy: fix build with libressl 2.7
Diffstat (limited to 'main/haproxy')
-rw-r--r-- | main/haproxy/APKBUILD | 4 | ||||
-rw-r--r-- | main/haproxy/fix-libressl-1.8.5.patch | 134 | ||||
-rw-r--r-- | main/haproxy/libressl-2.7.patch | 104 |
3 files changed, 106 insertions, 136 deletions
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD
index da5b29ce50..eccfed17e3 100644
--- a/main/haproxy/APKBUILD
+++ b/main/haproxy/APKBUILD
@@ -15,7 +15,7 @@ makedepends="pcre-dev libressl-dev linux-headers lua${_luaver}-dev zlib-dev"
 install="haproxy.pre-install haproxy.pre-upgrade"
 subpackages="$pkgname-doc"
 source="http://haproxy.1wt.eu/download/${_pkgmajorver}/src/$pkgname-$pkgver.tar.gz
- fix-libressl-1.8.5.patch
+ libressl-2.7.patch
 haproxy.initd
 haproxy.cfg"
@@ -50,6 +50,6 @@ package() {
 }
 
 sha512sums="5fd8796e4e1964ba8f010dc775de7a0953c4a7137c817bd81c5b4b6a063f3f9694f122f48bebf014c5cc8b49cf8f0a57b6bed282af12c560bd6dcc6770792cf2 haproxy-1.8.5.tar.gz
-70f9df92d68f80906ff728c576b395b794046f88017b5a57a2aa1979b9f3e4bb37194bf204f28fe460282bb7f6ab954aa1febca0eb2458bba772545ddef02b3e fix-libressl-1.8.5.patch
+636bb2b18ad1de7f9cf97f69c8a911aae6575787eac999d1c419bf22989a3a36a7de14d21620a9919ae717be807518c9db0e20c46ca5788a3f9a5857ceb0bfee libressl-2.7.patch
 3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26 haproxy.initd
 26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg"
diff --git a/main/haproxy/fix-libressl-1.8.5.patch b/main/haproxy/fix-libressl-1.8.5.patch
deleted file mode 100644
index ebd9f29628..0000000000
--- a/main/haproxy/fix-libressl-1.8.5.patch
+++ /dev/null
@@ -1,134 +0,0 @@ ---- a/src/ssl_sock.c.orig -+++ b/src/ssl_sock.c -@@ -56,6 +56,15 @@ - #include <openssl/engine.h> - #endif - -+ -+#ifdef LIBRESSL_VERSION_NUMBER -+ -+#ifndef OPENSSL_NO_ASYNC -+#define OPENSSL_NO_ASYNC -+#endif -+ -+#endif -+ - #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) - #include <openssl/async.h> - #endif -@@ -1126,8 +1135,11 @@ - ocsp = NULL; - - #ifndef SSL_CTX_get_tlsext_status_cb --# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \ -- *cb = (void (*) (void))ctx->tlsext_status_cb; -+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB -+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128 -+#endif -+#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \ -+ *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb) - #endif - SSL_CTX_get_tlsext_status_cb(ctx, &callback); - -@@ -1155,7 +1167,10 @@ - int key_type; - EVP_PKEY *pkey; - --#ifdef SSL_CTX_get_tlsext_status_arg -+#if defined(SSL_CTX_get_tlsext_status_arg) || defined(LIBRESSL_VERSION_NUMBER) -+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG -+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129 -+#endif - SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg); - #else - cb_arg = ctx->tlsext_status_arg; -@@ -2066,7 +2081,7 @@ - SSL_set_SSL_CTX(ssl, ctx); - } - --#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL) -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL) - - static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) - { -@@ -2208,7 +2223,7 @@ - #else - cipher = SSL_CIPHER_find(ssl, cipher_suites); - #endif -- if (cipher && SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa) { -+ if (cipher && SSL_CIPHER_is_ECDSA(cipher)) { - has_ecdsa = 1; - break; - } -@@ -2306,7 +2321,7 @@ - #ifdef OPENSSL_IS_BORINGSSL - if (allow_early) - SSL_set_early_data_enabled(ssl, 1); --#else -+#elif !defined LIBRESSL_VERSION_NUMBER - if (!allow_early) - 
SSL_set_max_early_data(ssl, 0); - #endif -@@ -3798,7 +3813,7 @@ - #ifdef OPENSSL_IS_BORINGSSL - SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk); - SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); --#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) -+#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER - SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL); - SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); - #else -@@ -5052,7 +5067,7 @@ - if (!conn->xprt_ctx) - goto out_error; - --#if OPENSSL_VERSION_NUMBER >= 0x10101000L -+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined LIBRESSL_VERSION_NUMBER - /* - * Check if we have early data. If we do, we have to read them - * before SSL_do_handshake() is called, And there's no way to -@@ -5128,7 +5143,7 @@ - OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx); - empty_handshake = state == TLS_ST_BEFORE; - #else -- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length; -+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE; - #endif - if (empty_handshake) { - if (!errno) { -@@ -5212,7 +5227,7 @@ - OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx); - empty_handshake = state == TLS_ST_BEFORE; - #else -- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length; -+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE; - #endif - if (empty_handshake) { - if (!errno) { -@@ -5252,7 +5267,7 @@ - goto out_error; - } - } --#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER - else { - /* - * If the server refused the early data, we have to send a -@@ -5375,7 +5390,7 @@ - continue; - } - --#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER - if (conn->flags & CO_FL_EARLY_SSL_HS) { - size_t read_length; - -@@ -5531,7 +5546,7 
@@ - conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED; - } - --#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER - if (!SSL_is_init_finished(conn->xprt_ctx)) { - unsigned int max_early; - diff --git a/main/haproxy/libressl-2.7.patch b/main/haproxy/libressl-2.7.patch new file mode 100644 index 0000000000..8a3dc82507 --- /dev/null +++ b/main/haproxy/libressl-2.7.patch 
@@ -0,0 +1,104 @@ +diff --git a/include/proto/openssl-compat.h b/include/proto/openssl-compat.h +index b6fe1d2..551cae2 100644 +--- a/include/proto/openssl-compat.h ++++ b/include/proto/openssl-compat.h +@@ -89,7 +89,7 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned cha + } + #endif + +-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL) ++#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L)) || defined(OPENSSL_IS_BORINGSSL) + /* + * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL / BoringSSL + */ +@@ -121,7 +121,7 @@ static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP * + + #endif + +-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER) ++#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L)) + /* + * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL + */ +diff --git a/src/ssl_sock.c b/src/ssl_sock.c +index c2b5bf6..ebde76d 100644 +--- a/src/ssl_sock.c ++++ b/src/ssl_sock.c +@@ -56,6 +56,14 @@ + #include <openssl/engine.h> + #endif + ++#if defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_ASYNC) ++#define OPENSSL_NO_ASYNC ++#endif ++ ++#if defined(SSL_READ_EARLY_DATA_ERROR) && defined(SSL_READ_EARLY_DATA_SUCCESS) ++#define HAVE_SSL_READ_EARLY ++#endif ++ + #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) + #include <openssl/async.h> + #endif +@@ -2066,7 +2074,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx) + SSL_set_SSL_CTX(ssl, ctx); + } + +-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL) ++#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) && !defined(LIBRESSL_VERSION_NUMBER) + + static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void 
*priv) + { +@@ -3798,7 +3806,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) + #ifdef OPENSSL_IS_BORINGSSL + SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk); + SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); +-#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) ++#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) + SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL); + SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); + #else +@@ -5052,7 +5060,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) + if (!conn->xprt_ctx) + goto out_error; + +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L ++#if HAVE_SSL_READ_EARLY + /* + * Check if we have early data. If we do, we have to read them + * before SSL_do_handshake() is called, And there's no way to +@@ -5252,7 +5260,7 @@ check_error: + goto out_error; + } + } +-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) ++#if HAVE_SSL_READ_EARLY + else { + /* + * If the server refused the early data, we have to send a +@@ -5375,7 +5383,7 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun + continue; + } + +-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) ++#if OPENSSL_READ_EARLY + if (conn->flags & CO_FL_EARLY_SSL_HS) { + size_t read_length; + +@@ -5512,7 +5520,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl + * in which case we accept to do it once again. + */ + while (buf->o) { +-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) ++#if HAVE_SSL_EARLY_DATA + size_t written_data; + #endif + +@@ -5531,7 +5539,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl + conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED; + } + +-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) ++#if HAVE_SSL_EARLY_DATA + if (!SSL_is_init_finished(conn->xprt_ctx)) { + unsigned int max_early; + |
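Review bot: The early-data guards in the new libressl-2.7.patch use three different macro names and only one of them is ever defined: the ssl_sock.c preamble hunk defines `HAVE_SSL_READ_EARLY` (from SSL_READ_EARLY_DATA_ERROR/SSL_READ_EARLY_DATA_SUCCESS) and the two ssl_sock_handshake hunks test it, but the ssl_sock_to_buf hunk tests `#if OPENSSL_READ_EARLY` and both ssl_sock_from_buf hunks test `#if HAVE_SSL_EARLY_DATA`, neither of which is defined anywhere in the patch as far as its hunks show. An undefined identifier in `#if` evaluates to 0, so on a library that does provide the API (OpenSSL 1.1.1) the handshake path would still read early data under HAVE_SSL_READ_EARLY while the matching read/write halves in to_buf/from_buf are silently compiled out; the mismatch stays invisible in this package's own LibreSSL build, where all three evaluate to 0. Suggest one name throughout, i.e. `#if HAVE_SSL_READ_EARLY` in place of `#if OPENSSL_READ_EARLY` and of both `#if HAVE_SSL_EARLY_DATA` occurrences; compiling with `-Wundef` would have caught the typo. The bodies of ssl_sock_to_buf and ssl_sock_from_buf continue outside the hunk.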