main/haproxy: upgrade to 1.8.5

author: Andy Postnikov <apostnikov@gmail.com> 2017-11-30 15:12:12 +0200
committer: Natanael Copa <ncopa@alpinelinux.org> 2018-04-06 05:19:22 +0000
commit: 783811d1ac952d97d9b086d252456f27832ef3c4 (patch)
tree: 811cd6bef11106f0a1705308ce9475cfdaa23f1f /main/haproxy
parent: d1d940636b26b200f991e48525737fd511f271d3 (diff)
download: aports-783811d1ac952d97d9b086d252456f27832ef3c4.tar.bz2
aports-783811d1ac952d97d9b086d252456f27832ef3c4.tar.xz
3 files changed, 139 insertions, 51 deletions
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD
index c708a7c534..618b31b3ab 100644
--- a/main/haproxy/APKBUILD
+++ b/main/haproxy/APKBUILD
@@ -1,9 +1,9 @@
 # Contributor: Jeff Bilyk <jbilyk@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=haproxy
-pkgver=1.7.9
+pkgver=1.8.5
 _pkgmajorver=${pkgver%.*}
-pkgrel=2
+pkgrel=0
 pkgdesc="A TCP/HTTP reverse proxy for high availability environments"
 url="http://haproxy.1wt.eu"
 arch="all"
@@ -14,7 +14,7 @@ makedepends="pcre-dev libressl-dev linux-headers lua${_luaver}-dev zlib-dev"
 install="haproxy.pre-install haproxy.pre-upgrade"
 subpackages="$pkgname-doc $pkgname-systemd-wrapper:wrapper"
 source="http://haproxy.1wt.eu/download/${_pkgmajorver}/src/$pkgname-$pkgver.tar.gz
-	fix-libressl-2.5.patch
+	fix-libressl-1.8.5.patch
 	haproxy.initd
 	haproxy.cfg"
 
@@ -58,7 +58,7 @@ wrapper() {
 	   "$subpkgdir"/usr/sbin/
 }
 
-sha512sums="d1ed791bc9607dbeabcfc6a1853cf258e28b3a079923b63d3bf97504dd59e64a5f5f44f9da968c23c12b4279e8d45ff3bd39418942ca6f00d9d548c9a0ccfd73  haproxy-1.7.9.tar.gz
-a69734b0760dacf9a3e9b69202623eb55b8a8ae75dae7a9c7ee92240636b3dfd05f640ead2be604249c86280f85f149837aa9da284e7796ecd7f9f907c439121  fix-libressl-2.5.patch
+sha512sums="5fd8796e4e1964ba8f010dc775de7a0953c4a7137c817bd81c5b4b6a063f3f9694f122f48bebf014c5cc8b49cf8f0a57b6bed282af12c560bd6dcc6770792cf2  haproxy-1.8.5.tar.gz
+70f9df92d68f80906ff728c576b395b794046f88017b5a57a2aa1979b9f3e4bb37194bf204f28fe460282bb7f6ab954aa1febca0eb2458bba772545ddef02b3e  fix-libressl-1.8.5.patch
 3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26  haproxy.initd
 26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f  haproxy.cfg"
diff --git a/main/haproxy/fix-libressl-1.8.5.patch b/main/haproxy/fix-libressl-1.8.5.patch
new file mode 100644
index 0000000000..ebd9f29628
--- /dev/null
+++ b/main/haproxy/fix-libressl-1.8.5.patch
@@ -0,0 +1,134 @@
+--- a/src/ssl_sock.c.orig
++++ b/src/ssl_sock.c
+@@ -56,6 +56,15 @@
+ #include <openssl/engine.h>
+ #endif
+ 
++
++#ifdef LIBRESSL_VERSION_NUMBER
++
++#ifndef OPENSSL_NO_ASYNC
++#define OPENSSL_NO_ASYNC
++#endif
++
++#endif
++
+ #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+ #include <openssl/async.h>
+ #endif
+@@ -1126,8 +1135,11 @@
+ 		ocsp = NULL;
+ 
+ #ifndef SSL_CTX_get_tlsext_status_cb
+-# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
+-	*cb = (void (*) (void))ctx->tlsext_status_cb;
++#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
++#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
++#endif
++#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
++	*cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)
+ #endif
+ 	SSL_CTX_get_tlsext_status_cb(ctx, &callback);
+ 
+@@ -1155,7 +1167,10 @@
+ 		int key_type;
+ 		EVP_PKEY *pkey;
+ 
+-#ifdef SSL_CTX_get_tlsext_status_arg
++#if defined(SSL_CTX_get_tlsext_status_arg) || defined(LIBRESSL_VERSION_NUMBER)
++#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
++#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
++#endif
+ 		SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
+ #else
+ 		cb_arg = ctx->tlsext_status_arg;
+@@ -2066,7 +2081,7 @@
+ 	SSL_set_SSL_CTX(ssl, ctx);
+ }
+ 
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL)
+ 
+ static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
+ {
+@@ -2208,7 +2223,7 @@
+ #else
+ 			cipher = SSL_CIPHER_find(ssl, cipher_suites);
+ #endif
+-			if (cipher && SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa) {
++			if (cipher && SSL_CIPHER_is_ECDSA(cipher)) {
+ 				has_ecdsa = 1;
+ 				break;
+ 			}
+@@ -2306,7 +2321,7 @@
+ #ifdef OPENSSL_IS_BORINGSSL
+ 	if (allow_early)
+ 		SSL_set_early_data_enabled(ssl, 1);
+-#else
++#elif !defined LIBRESSL_VERSION_NUMBER
+ 	if (!allow_early)
+ 		SSL_set_max_early_data(ssl, 0);
+ #endif
+@@ -3798,7 +3813,7 @@
+ #ifdef OPENSSL_IS_BORINGSSL
+ 	SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
+ 	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
+-#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER
+ 	SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
+ 	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
+ #else
+@@ -5052,7 +5067,7 @@
+ 	if (!conn->xprt_ctx)
+ 		goto out_error;
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined LIBRESSL_VERSION_NUMBER
+ 	/*
+ 	 * Check if we have early data. If we do, we have to read them
+ 	 * before SSL_do_handshake() is called, And there's no way to
+@@ -5128,7 +5143,7 @@
+ 					OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
+ 					empty_handshake = state == TLS_ST_BEFORE;
+ #else
+-					empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
++					empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
+ #endif
+ 					if (empty_handshake) {
+ 						if (!errno) {
+@@ -5212,7 +5227,7 @@
+ 				OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
+ 				empty_handshake = state == TLS_ST_BEFORE;
+ #else
+-				empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
++				empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
+ #endif
+ 				if (empty_handshake) {
+ 					if (!errno) {
+@@ -5252,7 +5267,7 @@
+ 			goto out_error;
+ 		}
+ 	}
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER
+ 	else {
+ 		/*
+ 		 * If the server refused the early data, we have to send a
+@@ -5375,7 +5390,7 @@
+ 			continue;
+ 		}
+ 
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER
+ 		if (conn->flags & CO_FL_EARLY_SSL_HS) {
+ 			size_t read_length;
+ 
+@@ -5531,7 +5546,7 @@
+ 			conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
+ 		}
+ 
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined LIBRESSL_VERSION_NUMBER
+ 		if (!SSL_is_init_finished(conn->xprt_ctx)) {
+ 			unsigned int max_early;
+ 
diff --git a/main/haproxy/fix-libressl-2.5.patch b/main/haproxy/fix-libressl-2.5.patch
deleted file mode 100644
index fbf61507e2..0000000000
--- a/main/haproxy/fix-libressl-2.5.patch
+++ /dev/null
@@ -1,46 +0,0 @@
---- a/src/ssl_sock.c.orig	2017-01-13 09:03:00 UTC
-+++ b/src/ssl_sock.c
-@@ -792,8 +792,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
- 		ocsp = NULL;
- 
- #ifndef SSL_CTX_get_tlsext_status_cb
--# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
--	*cb = (void (*) (void))ctx->tlsext_status_cb;
-+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
-+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
-+#endif
-+#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
-+	*cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)
- #endif
- 	SSL_CTX_get_tlsext_status_cb(ctx, &callback);
- 
-@@ -821,7 +824,10 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
- 		int key_type;
- 		EVP_PKEY *pkey;
- 
--#ifdef SSL_CTX_get_tlsext_status_arg
-+#if defined(SSL_CTX_get_tlsext_status_arg) || defined(LIBRESSL_VERSION_NUMBER)
-+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
-+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
-+#endif
- 		SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
- #else
- 		cb_arg = ctx->tlsext_status_arg;
-@@ -3537,7 +3543,7 @@ int ssl_sock_handshake(struct connection
- 					OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
- 					empty_handshake = state == TLS_ST_BEFORE;
- #else
--					empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
-+					empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
- #endif
- 
- 					if (empty_handshake) {
-@@ -3615,7 +3621,7 @@ int ssl_sock_handshake(struct connection
- 			state = SSL_get_state((SSL *)conn->xprt_ctx);
- 			empty_handshake = state == TLS_ST_BEFORE;
- #else
--			empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
-+			empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
- #endif
- 			if (empty_handshake) {
- 				if (!errno) {
author	Andy Postnikov <apostnikov@gmail.com>	2017-11-30 15:12:12 +0200
committer	Natanael Copa <ncopa@alpinelinux.org>	2018-04-06 05:19:22 +0000
commit	783811d1ac952d97d9b086d252456f27832ef3c4 (patch)
tree	811cd6bef11106f0a1705308ce9475cfdaa23f1f /main/haproxy
parent	d1d940636b26b200f991e48525737fd511f271d3 (diff)
download	aports-783811d1ac952d97d9b086d252456f27832ef3c4.tar.bz2 aports-783811d1ac952d97d9b086d252456f27832ef3c4.tar.xz