Hi, Here's the diff to update haproxy to the 1.8 branch. Most of the libressl work was done by jsing (thanks!), but his update targeted 1.8.13, and going from 1.8.13 to 1.8.14 needed some more fiddling. I did that part on my own, so I guess a review wouldn't hurt.
The 1.8 branch brings HTTP/2 and TLS1.3 but maybe the latter won't work because of the libressl vs openssl. I don't know. I'm dogfooding it and so far it's been good. I'll be kind and save some users some trouble: don't try to backport this diff to 6.4, it won't work. Tests? Comments? OK? Cheers, Daniel
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/haproxy/Makefile,v
retrieving revision 1.49
diff -u -p -r1.49 Makefile
--- Makefile 26 May 2018 16:40:04 -0000 1.49
+++ Makefile 26 Nov 2018 23:15:06 -0000
@@ -2,7 +2,7 @@
 COMMENT = reliable, high performance TCP/HTTP load balancer
-DISTNAME = haproxy-1.7.11
+DISTNAME = haproxy-1.8.14
 CATEGORIES = net www
 HOMEPAGE = http://www.haproxy.org/
 MAINTAINER = Daniel Jakots <[email protected]>
@@ -10,9 +10,9 @@ MAINTAINER = Daniel Jakots <[email protected]
 # GPLv2
 PERMIT_PACKAGE_CDROM = Yes
-WANTLIB = c crypto pcre pcreposix ssl
+WANTLIB += c crypto pcre pcreposix pthread ssl
-MASTER_SITES = ${HOMEPAGE}/download/1.7/src/
+MASTER_SITES = ${HOMEPAGE}/download/1.8/src/
 HAPROXYCONF = ${SYSCONFDIR}/haproxy
 HAPROXYSTATE = /var/haproxy
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/haproxy/distinfo,v
retrieving revision 1.29
diff -u -p -r1.29 distinfo
--- distinfo 26 May 2018 16:40:04 -0000 1.29
+++ distinfo 26 Nov 2018 23:15:06 -0000
@@ -1,2 +1,2 @@
-SHA256 (haproxy-1.7.11.tar.gz) = 1WS46UKdHo4Ty2SL9GlJJrRy422hB535RrtzKSeyMuo=
-SIZE (haproxy-1.7.11.tar.gz) = 1752129
+SHA256 (haproxy-1.8.14.tar.gz) = sX5AJXi+heWK96PqyZsfZ1lTvqn2evLpZM+L29G9P98=
+SIZE (haproxy-1.8.14.tar.gz) = 2070813
Index: patches/patch-doc_haproxy_1
===================================================================
RCS file: /cvs/ports/net/haproxy/patches/patch-doc_haproxy_1,v
retrieving revision 1.4
diff -u -p -r1.4 patch-doc_haproxy_1
--- patches/patch-doc_haproxy_1 12 Aug 2017 14:20:11 -0000 1.4
+++ patches/patch-doc_haproxy_1 26 Nov 2018 23:15:06 -0000
@@ -2,7 +2,7 @@ $OpenBSD: patch-doc_haproxy_1,v 1.4 2017
 Index: doc/haproxy.1
 --- doc/haproxy.1.orig
 +++ doc/haproxy.1
-@@ -190,8 +190,7 @@ This signal is intercepted and ignored on systems with
+@@ -196,8 +196,7 @@ This signal is intercepted and ignored on systems with
  .SH SEE ALSO
Index: patches/patch-include_proto_openssl-compat_h
===================================================================
RCS file: /cvs/ports/net/haproxy/patches/patch-include_proto_openssl-compat_h,v
retrieving revision 1.6
diff -u -p -r1.6 patch-include_proto_openssl-compat_h
--- patches/patch-include_proto_openssl-compat_h 20 Mar 2018 21:57:55 -0000 1.6
+++ patches/patch-include_proto_openssl-compat_h 26 Nov 2018 23:15:06 -0000
@@ -3,13 +3,26 @@ $OpenBSD: patch-include_proto_openssl-co
 Index: include/proto/openssl-compat.h
 --- include/proto/openssl-compat.h.orig
 +++ include/proto/openssl-compat.h
-@@ -89,7 +89,8 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESS
+@@ -89,7 +89,7 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESS
  }
  #endif
--#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
-+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL)
++#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) || defined(OPENSSL_IS_BORINGSSL)
  /*
 - * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
 + * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL / BoringSSL
  */
+@@ -118,13 +118,6 @@ static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_
+ return single->certId;
+ }
+ #endif
+-
+-#endif
+-
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
+-/*
+- * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
+- */
+ 
+ static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
+ {
Index: patches/patch-src_ssl_sock_c
===================================================================
RCS file: /cvs/ports/net/haproxy/patches/patch-src_ssl_sock_c,v
retrieving revision 1.8
diff -u -p -r1.8 patch-src_ssl_sock_c
--- patches/patch-src_ssl_sock_c 26 May 2018 16:40:04 -0000 1.8
+++ patches/patch-src_ssl_sock_c 26 Nov 2018 23:15:06 -0000
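Review bot: Folding the second `#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)` block into the first guard (the `+-#endif` / `+-#if` removals in the inner 118 hunk) means that on LibreSSL 2.7.0 and later the helpers that follow, starting with `SSL_CTX_get_default_passwd_cb`, are no longer supplied by haproxy and presumably have to come from the library itself; that assumption is only implied by the `0x2070000fL` constant and is not stated anywhere in the patch. A comment on the merged condition, e.g. `/* LibreSSL >= 2.7.0 ships the OpenSSL 1.1.0 API that this block emulates */`, would make the threshold auditable the next time either side moves it. The previous revision split the condition with a `\` continuation; the new single line runs well past 80 columns and is harder to compare against upstream's `#if`. `SSL_CTX_get_default_passwd_cb` is cut off after its opening brace, so whether every shim under the merged guard really exists in LibreSSL 2.7 cannot be checked from this hunk.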
@@ -1,51 +1,105 @@
 $OpenBSD: patch-src_ssl_sock_c,v 1.8 2018/05/26 16:40:04 danj Exp $
-From
-https://github.com/trueos/freebsd-ports/blob/3745ead2e0f43985c3647e1e3aecae2751decfda/net/haproxy/files/patch-src_ssl__sock.c
-
 Index: src/ssl_sock.c
 --- src/ssl_sock.c.orig
 +++ src/ssl_sock.c
-@@ -793,8 +793,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const char
- ocsp = NULL;
+@@ -2067,7 +2067,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *
+ SSL_set_SSL_CTX(ssl, ctx);
+ }
- #ifndef SSL_CTX_get_tlsext_status_cb
-+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
-+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
-+#endif
- # define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
-- *cb = (void (*) (void))ctx->tlsext_status_cb;
-+ *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)) || defined(OPENSSL_IS_BORINGSSL)
+ 
+ static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
+ {
+@@ -3795,7 +3795,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
+ #ifdef OPENSSL_IS_BORINGSSL
+ SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
+ SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
+-#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
+ SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
+ SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
+ #else
+@@ -5019,7 +5019,7 @@ static int ssl_sock_init(struct connection *conn)
+ 
+ /* leave init state and start handshake */
+ conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L || defined(OPENSSL_IS_BORINGSSL)
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)) || defined(OPENSSL_IS_BORINGSSL)
+ conn->flags |= CO_FL_EARLY_SSL_HS;
  #endif
- SSL_CTX_get_tlsext_status_cb(ctx, &callback);
-@@ -822,7 +825,10 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const char
- int key_type;
- EVP_PKEY *pkey;
- 
--#ifdef SSL_CTX_get_tlsext_status_arg
-+#if defined(SSL_CTX_get_tlsext_status_arg) || defined(LIBRESSL_VERSION_NUMBER)
-+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
-+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
-+#endif
- SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
+@@ -5049,7 +5049,7 @@ int ssl_sock_handshake(struct connection *conn, unsign
+ if (!conn->xprt_ctx)
+ goto out_error;
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+ /*
+ * Check if we have early data. If we do, we have to read them
+ * before SSL_do_handshake() is called, And there's no way to
+@@ -5117,11 +5117,11 @@ int ssl_sock_handshake(struct connection *conn, unsign
+ if (!errno && conn->flags & CO_FL_WAIT_L4_CONN)
+ conn->flags &= ~CO_FL_WAIT_L4_CONN;
+ if (!conn->err_code) {
+-#ifdef OPENSSL_IS_BORINGSSL /* BoringSSL */
++#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
+ conn->err_code = CO_ER_SSL_HANDSHAKE;
  #else
- cb_arg = ctx->tlsext_status_arg;
-@@ -3538,7 +3544,7 @@ int ssl_sock_handshake(struct connection *conn, unsign
+ int empty_handshake;
+-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
  OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
  empty_handshake = state == TLS_ST_BEFORE;
  #else
-- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
-+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
- #endif
- 
- if (empty_handshake) {
-@@ -3616,7 +3622,7 @@ int ssl_sock_handshake(struct connection *conn, unsign
- state = SSL_get_state((SSL *)conn->xprt_ctx);
- empty_handshake = state == TLS_ST_BEFORE;
+@@ -5201,11 +5201,11 @@ check_error:
+ if (!errno && conn->flags & CO_FL_WAIT_L4_CONN)
+ conn->flags &= ~CO_FL_WAIT_L4_CONN;
+ if (!conn->err_code) {
+-#ifdef OPENSSL_IS_BORINGSSL /* BoringSSL */
++#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
+ conn->err_code = CO_ER_SSL_HANDSHAKE;
  #else
-- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
-+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
+ int empty_handshake;
+-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+ OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
+ empty_handshake = state == TLS_ST_BEFORE;
+ #else
+@@ -5249,7 +5249,7 @@ check_error:
+ goto out_error;
+ }
+ }
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
+ else {
+ /*
+ * If the server refused the early data, we have to send a
+@@ -5372,7 +5372,7 @@ static int ssl_sock_to_buf(struct connection *conn, st
+ continue;
+ }
+ 
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
+ if (conn->flags & CO_FL_EARLY_SSL_HS) {
+ size_t read_length;
+ 
+@@ -5509,7 +5509,7 @@ static int ssl_sock_from_buf(struct connection *conn,
+ * in which case we accept to do it once again.
+ */
+ while (buf->o) {
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
+ size_t written_data;
  #endif
- if (empty_handshake) {
- if (!errno) {
+ 
+@@ -5528,7 +5528,7 @@ static int ssl_sock_from_buf(struct connection *conn,
+ conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
+ }
+ 
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
+ if (!SSL_is_init_finished(conn->xprt_ctx)) {
+ unsigned int max_early;
+ 
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/net/haproxy/pkg/PLIST,v
retrieving revision 1.4
diff -u -p -r1.4 PLIST
--- pkg/PLIST 10 Nov 2015 11:56:54 -0000 1.4
+++ pkg/PLIST 26 Nov 2018 23:15:06 -0000
@@ -1,6 +1,7 @@
 @comment $OpenBSD: PLIST,v 1.4 2015/11/10 11:56:54 jca Exp $
 @newgroup _haproxy:${HAPROXYGID}
 @newuser _haproxy:${HAPROXYUID}:_haproxy:daemon:HAProxy Daemon:/var/haproxy:/sbin/nologin
+@rcscript ${RCDIR}/haproxy
 @man man/man1/haproxy.1
 @bin sbin/haproxy
 @sample ${HAPROXYCONF}/
@@ -16,4 +17,3 @@ share/examples/haproxy/content-sw-sample
 share/examples/haproxy/haproxy.cfg
 @sample ${HAPROXYCONF}/haproxy.cfg
 share/examples/haproxy/option-http_proxy.cfg
-@rcscript ${RCDIR}/haproxy
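Review bot: Replacing `#ifdef OPENSSL_IS_BORINGSSL` with `#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)` in the inner 5117 and 5201 hunks makes every failed handshake on LibreSSL report `CO_ER_SSL_HANDSHAKE` outright, skipping the `empty_handshake` classification that the `#else` branch still performs for OpenSSL; the previous revision of this patch kept that classification on LibreSSL with `empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;`, so logs and error stats lose the distinction between a peer that sent nothing and a genuine handshake failure. If LibreSSL still exports SSL_state() — the old patch built against it, but this hunk cannot confirm it — keeping `!defined(LIBRESSL_VERSION_NUMBER)` on the inner `0x1010000fL` test and restoring that one `#else` line would preserve the old behaviour; otherwise the coarser error code deserves a comment in the patch explaining why. Separately, the `!defined(LIBRESSL_VERSION_NUMBER)` appended to each `>= 0x10101000L` guard leaves `CO_FL_EARLY_SSL_HS` never set on LibreSSL and compiles the early-data paths out, which is a reasonable conservative default but is now the only place that fact is recorded, the removed `From https://github.com/...` line having been the file's sole provenance note; a header comment in the patch file stating both would spare the next updater re-deriving it. All inner hunks are excerpts, and the enclosing functions begin and end outside them.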
