author | Natanael Copa <ncopa@alpinelinux.org> | 2020-01-23 14:20:01 +0100 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2020-01-23 14:38:48 +0100 |
commit | 45e394536a3bf2a562ad861feeca530477d4dfd0 (patch) | |
tree | 4b74a6ac3b428c0ee071767eca5e3ca9df1f4130 /main | |
parent | 8c593acdd5ae3aa50db4851fe92f8b3eea5fd0e9 (diff) | |
download | aports-45e394536a3bf2a562ad861feeca530477d4dfd0.tar.bz2 aports-45e394536a3bf2a562ad861feeca530477d4dfd0.tar.xz |
main/haproxy: security upgrade to 1.8.23 (CVE-2019-19330)
fixes #11003
Diffstat (limited to 'main')
-rw-r--r-- | main/haproxy/APKBUILD | 10 | ||||
-rw-r--r-- | main/haproxy/libressl-2.7.patch | 42 |
2 files changed, 37 insertions, 15 deletions
diff --git a/main/haproxy/APKBUILD b/main/haproxy/APKBUILD
index eccfed17e3..e1b6eaf91d 100644
--- a/main/haproxy/APKBUILD
+++ b/main/haproxy/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: Jeff Bilyk <jbilyk@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=haproxy
-pkgver=1.8.5
+pkgver=1.8.23
 _pkgmajorver=${pkgver%.*}
 pkgrel=0
 pkgdesc="A TCP/HTTP reverse proxy for high availability environments"
@@ -21,6 +21,10 @@ source="http://haproxy.1wt.eu/download/${_pkgmajorver}/src/$pkgname-$pkgver.tar.
 builddir="$srcdir/$pkgname-$pkgver"
 
+# secfixes:
+# 1.8.23:
+# - CVE-2019-19330
+
 build() {
 cd "$builddir"
 make \
@@ -49,7 +53,7 @@ package() {
 "$pkgdir"/etc/haproxy/haproxy.cfg
 }
 
-sha512sums="5fd8796e4e1964ba8f010dc775de7a0953c4a7137c817bd81c5b4b6a063f3f9694f122f48bebf014c5cc8b49cf8f0a57b6bed282af12c560bd6dcc6770792cf2 haproxy-1.8.5.tar.gz
-636bb2b18ad1de7f9cf97f69c8a911aae6575787eac999d1c419bf22989a3a36a7de14d21620a9919ae717be807518c9db0e20c46ca5788a3f9a5857ceb0bfee libressl-2.7.patch
+sha512sums="bfd65179345285f6f4581a7dce42e638b89e12717d4cb9218afa085759161e04b6c78307d04265a6c97cd484b67949781639da5236edb89137585c625130be4f haproxy-1.8.23.tar.gz
+06908ddc3c689f4887bd3ae89bed49c17b5ead7938ce4c8b31128067be9a1a98afbfeacf2f1f9ba784d0ce12ac2042de6123435d03dcdfa911924a89792a9e9c libressl-2.7.patch
 3ab277bf77fe864ec6c927118dcd70bdec0eb3c54535812d1c3c0995fa66a3ea91a73c342edeb8944caeb097d2dd1a7761099182df44af5e3ef42de6e2176d26 haproxy.initd
 26bc8f8ac504fcbaec113ecbb9bb59b9da47dc8834779ebbb2870a8cadf2ee7561b3a811f01e619358a98c6c7768e8fdd90ab447098c05b82e788c8212c4c41f haproxy.cfg"
diff --git a/main/haproxy/libressl-2.7.patch b/main/haproxy/libressl-2.7.patch
index 8a3dc82507..0ec569a7ff 100644
--- a/main/haproxy/libressl-2.7.patch
+++ b/main/haproxy/libressl-2.7.patch
@@ -21,7 +21,7 @@ index b6fe1d2..551cae2 100644 * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL */
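Review bot: The new `# secfixes:` entry in the APKBUILD hunk at line 21 keys the fix as `1.8.23:` without the package release suffix, whereas the secfixes convention elsewhere in aports is the full version-release string, i.e. `#   1.8.23-r0:`. If the secdb tooling that consumes these comments matches on the full `pkgver-rpkgrel` string, this CVE entry may not be picked up for the 1.8.23-r0 build; worth confirming against the parser before relying on it for advisory tracking. The version bump, the refreshed libressl-2.7.patch checksum and the pkgrel reset to 0 are otherwise consistent with each other.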
diff --git a/src/ssl_sock.c b/src/ssl_sock.c -index c2b5bf6..ebde76d 100644 +index e53133d..c663500 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -56,6 +56,14 @@ @@ -39,7 +39,7 @@ index c2b5bf6..ebde76d 100644 #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #include <openssl/async.h> #endif -@@ -2066,7 +2074,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx) +@@ -2093,7 +2101,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx) SSL_set_SSL_CTX(ssl, ctx); } @@ -48,16 +48,16 @@ index c2b5bf6..ebde76d 100644 static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) { -@@ -3798,7 +3806,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) +@@ -3932,7 +3940,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) #ifdef OPENSSL_IS_BORINGSSL SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk); SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); -#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) +#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER) - SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL); - SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); - #else -@@ -5052,7 +5060,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) + if (bind_conf->ssl_conf.early_data) { + SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY); + SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite); +@@ -5223,7 +5231,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) if (!conn->xprt_ctx) goto out_error; 
@@ -66,7 +66,25 @@ index c2b5bf6..ebde76d 100644 /* * Check if we have early data. If we do, we have to read them * before SSL_do_handshake() is called, And there's no way to -@@ -5252,7 +5260,7 @@ check_error: +@@ -5299,7 +5307,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag) + OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx); + empty_handshake = state == TLS_ST_BEFORE; + #else +- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length; ++ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE; + #endif + if (empty_handshake) { + if (!errno) { +@@ -5383,7 +5391,7 @@ check_error: + OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx); + empty_handshake = state == TLS_ST_BEFORE; + #else +- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length; ++ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE; + #endif + if (empty_handshake) { + if (!errno) { +@@ -5423,7 +5431,7 @@ check_error: goto out_error; } } @@ -75,7 +93,7 @@ index c2b5bf6..ebde76d 100644 else { /* * If the server refused the early data, we have to send a -@@ -5375,7 +5383,7 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun +@@ -5542,7 +5550,7 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun continue; } @@ -84,7 +102,7 @@ index c2b5bf6..ebde76d 100644 if (conn->flags & CO_FL_EARLY_SSL_HS) { size_t read_length; -@@ -5512,7 +5520,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl +@@ -5670,7 +5678,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl * in which case we accept to do it once again. */ while (buf->o) { 
@@ -93,12 +111,12 @@ index c2b5bf6..ebde76d 100644 size_t written_data; #endif -@@ -5531,7 +5539,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl +@@ -5689,7 +5697,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED; } -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) +#if HAVE_SSL_EARLY_DATA - if (!SSL_is_init_finished(conn->xprt_ctx)) { + if (!SSL_is_init_finished(conn->xprt_ctx) && conn_is_back(conn)) { unsigned int max_early; |