On Mon, Nov 26, 2018 at 06:21:56PM -0500, Daniel Jakots wrote: > Hi, > > Here's the diff to update haproxy to the 1.8 branch. > Most of the libressl stuff has been done by jsing (thanks!) but he did > the update to 1.8.13 and 13->14 needed some more fiddling. I did them > on my own so I guess a review wouldn't hurt.
I haven't run-time tested it, but the diff looks good to me. ok tb > > The 1.8 branch brings HTTP/2 and TLS1.3 but maybe the latter won't work > because of the libressl vs openssl. I don't know. > > I'm dogfooding it and so far it's been good. > > I'll be kind and save some users some trouble: don't try to backport > this diff to 6.4, it won't work. > > > Tests? Comments? OK? > > Cheers, > Daniel >
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/haproxy/Makefile,v
> retrieving revision 1.49
> diff -u -p -r1.49 Makefile
> --- Makefile 26 May 2018 16:40:04 -0000 1.49
> +++ Makefile 26 Nov 2018 23:15:06 -0000
> @@ -2,7 +2,7 @@
>
> COMMENT = reliable, high performance TCP/HTTP load balancer
>
> -DISTNAME = haproxy-1.7.11
> +DISTNAME = haproxy-1.8.14
> CATEGORIES = net www
> HOMEPAGE = http://www.haproxy.org/
> MAINTAINER = Daniel Jakots <[email protected]>
> @@ -10,9 +10,9 @@ MAINTAINER = Daniel Jakots <[email protected]
> # GPLv2
> PERMIT_PACKAGE_CDROM = Yes
>
> -WANTLIB = c crypto pcre pcreposix ssl
> +WANTLIB += c crypto pcre pcreposix pthread ssl
>
> -MASTER_SITES = ${HOMEPAGE}/download/1.7/src/
> +MASTER_SITES = ${HOMEPAGE}/download/1.8/src/
>
> HAPROXYCONF = ${SYSCONFDIR}/haproxy
> HAPROXYSTATE = /var/haproxy
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/net/haproxy/distinfo,v
> retrieving revision 1.29
> diff -u -p -r1.29 distinfo
> --- distinfo 26 May 2018 16:40:04 -0000 1.29
> +++ distinfo 26 Nov 2018 23:15:06 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (haproxy-1.7.11.tar.gz) = 1WS46UKdHo4Ty2SL9GlJJrRy422hB535RrtzKSeyMuo=
> -SIZE (haproxy-1.7.11.tar.gz) = 1752129
> +SHA256 (haproxy-1.8.14.tar.gz) = sX5AJXi+heWK96PqyZsfZ1lTvqn2evLpZM+L29G9P98=
> +SIZE (haproxy-1.8.14.tar.gz) = 2070813
> Index: patches/patch-doc_haproxy_1
> ===================================================================
> RCS file: /cvs/ports/net/haproxy/patches/patch-doc_haproxy_1,v
> retrieving revision 1.4
> diff -u -p -r1.4 patch-doc_haproxy_1
> --- patches/patch-doc_haproxy_1 12 Aug 2017 14:20:11 -0000 1.4
> +++ patches/patch-doc_haproxy_1 26 Nov 2018 23:15:06 -0000
> @@ -2,7 +2,7 @@ $OpenBSD: patch-doc_haproxy_1,v 1.4 2017
> Index: doc/haproxy.1
> --- doc/haproxy.1.orig
> +++ doc/haproxy.1
> -@@ -190,8 +190,7 @@ This signal is intercepted and ignored on systems with
> +@@ -196,8 +196,7 @@ This signal is intercepted and ignored on systems with
>
> .SH SEE ALSO
>
> Index: patches/patch-include_proto_openssl-compat_h
> ===================================================================
> RCS file: > /cvs/ports/net/haproxy/patches/patch-include_proto_openssl-compat_h,v
> retrieving revision 1.6
> diff -u -p -r1.6 patch-include_proto_openssl-compat_h
> --- patches/patch-include_proto_openssl-compat_h 20 Mar 2018 21:57:55 > -0000 1.6
> +++ patches/patch-include_proto_openssl-compat_h 26 Nov 2018 23:15:06 > -0000
> @@ -3,13 +3,26 @@ $OpenBSD: patch-include_proto_openssl-co
> Index: include/proto/openssl-compat.h
> --- include/proto/openssl-compat.h.orig
> +++ include/proto/openssl-compat.h
> -@@ -89,7 +89,8 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESS
> +@@ -89,7 +89,7 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESS
> }
> #endif
>
> --#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || > defined(LIBRESSL_VERSION_NUMBER)
> -+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || \
> -+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < > 0x2070000fL)
> +-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || > defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL)
> ++#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || > (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) > || defined(OPENSSL_IS_BORINGSSL)
> /*
> - * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
> + * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL / > BoringSSL
> */
> +@@ -118,13 +118,6 @@ static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_
> + return single->certId;
> + }
> + #endif
> +-
> +-#endif
> +-
> +-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || > defined(LIBRESSL_VERSION_NUMBER)
> +-/*
> +- * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
> +- */
> +
> + static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
> + {
> Index: patches/patch-src_ssl_sock_c
> ===================================================================
> RCS file: /cvs/ports/net/haproxy/patches/patch-src_ssl_sock_c,v
> retrieving revision 1.8
> diff -u -p -r1.8 patch-src_ssl_sock_c
> --- patches/patch-src_ssl_sock_c 26 May 2018 16:40:04 -0000 1.8
> +++ patches/patch-src_ssl_sock_c 26 Nov 2018 23:15:06 -0000
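Review bot: The nested hunk `+@@ -118,13 +118,6 @@` drops the `#endif` / `#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)` pair that separated the two compatibility blocks, so `SSL_CTX_get_default_passwd_cb` and the functions following it now sit under the first guard, which also includes `defined(OPENSSL_IS_BORINGSSL)`; the removed upstream guard did not. This is harmless for an OpenBSD build against LibreSSL, but the merge widens the compat block for BoringSSL as a side effect and nothing in the patch records that this was intended. A short comment in the patch header (outside this hunk), e.g. `Merge the two 1.1.0-compat blocks so LibreSSL >= 2.7 is excluded from both.`, would keep the next rebase from re-splitting them. The new `++#if` on line 89 also runs well past 100 columns; the backslash continuation the old patch used would read better.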
> @@ -1,51 +1,105 @@
> $OpenBSD: patch-src_ssl_sock_c,v 1.8 2018/05/26 16:40:04 danj Exp $
>
> -From
> -https://github.com/trueos/freebsd-ports/blob/3745ead2e0f43985c3647e1e3aecae2751decfda/net/haproxy/files/patch-src_ssl__sock.c
> -
> Index: src/ssl_sock.c
> --- src/ssl_sock.c.orig
> +++ src/ssl_sock.c
> -@@ -793,8 +793,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const char
> - ocsp = NULL;
> +@@ -2067,7 +2067,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *
> + SSL_set_SSL_CTX(ssl, ctx);
> + }
>
> - #ifndef SSL_CTX_get_tlsext_status_cb
> -+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
> -+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
> -+#endif
> - # define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
> -- *cb = (void (*) (void))ctx->tlsext_status_cb;
> -+ *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void > (**)(void))cb)
> +-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)
> ++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && > !defined(LIBRESSL_VERSION_NUMBER)) || defined(OPENSSL_IS_BORINGSSL)
> +
> + static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
> + {
> +@@ -3795,7 +3795,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
> + #ifdef OPENSSL_IS_BORINGSSL
> + SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
> + SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
> +-#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
> ++#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && > !defined(LIBRESSL_VERSION_NUMBER)
> + SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
> + SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
> + #else
> +@@ -5019,7 +5019,7 @@ static int ssl_sock_init(struct connection *conn)
> +
> + /* leave init state and start handshake */
> + conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
> +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L || defined(OPENSSL_IS_BORINGSSL)
> ++#if (OPENSSL_VERSION_NUMBER >= 
0x10101000L && > !defined(LIBRESSL_VERSION_NUMBER)) || defined(OPENSSL_IS_BORINGSSL)
> + conn->flags |= CO_FL_EARLY_SSL_HS;
> #endif
> - SSL_CTX_get_tlsext_status_cb(ctx, &callback);
>
> -@@ -822,7 +825,10 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const char
> - int key_type;
> - EVP_PKEY *pkey;
> -
> --#ifdef SSL_CTX_get_tlsext_status_arg
> -+#if defined(SSL_CTX_get_tlsext_status_arg) || > defined(LIBRESSL_VERSION_NUMBER)
> -+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
> -+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
> -+#endif
> - SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, > &cb_arg);
> +@@ -5049,7 +5049,7 @@ int ssl_sock_handshake(struct connection *conn, unsign
> + if (!conn->xprt_ctx)
> + goto out_error;
> +
> +-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
> ++#if OPENSSL_VERSION_NUMBER >= 0x10101000L && > !defined(LIBRESSL_VERSION_NUMBER)
> + /*
> + * Check if we have early data. If we do, we have to read them
> + * before SSL_do_handshake() is called, And there's no way to
> +@@ -5117,11 +5117,11 @@ int ssl_sock_handshake(struct connection *conn, > unsign
> + if (!errno && conn->flags & CO_FL_WAIT_L4_CONN)
> + conn->flags &= ~CO_FL_WAIT_L4_CONN;
> + if (!conn->err_code) {
> +-#ifdef OPENSSL_IS_BORINGSSL /* BoringSSL */
> ++#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
> + conn->err_code = CO_ER_SSL_HANDSHAKE;
> #else
> - cb_arg = ctx->tlsext_status_arg;
> -@@ -3538,7 +3544,7 @@ int ssl_sock_handshake(struct connection *conn, unsign
> + int empty_handshake;
> +-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && > !defined(LIBRESSL_VERSION_NUMBER)
> ++#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
> OSSL_HANDSHAKE_STATE state = > SSL_get_state((SSL *)conn->xprt_ctx);
> empty_handshake = state == > TLS_ST_BEFORE;
> #else
> -- empty_handshake = !((SSL > *)conn->xprt_ctx)->packet_length;
> -+ empty_handshake = SSL_state((SSL > *)conn->xprt_ctx) == SSL_ST_BEFORE;
> - #endif
> -
> - if (empty_handshake) {
> -@@ -3616,7 
+3622,7 @@ int ssl_sock_handshake(struct connection *conn, unsign
> - state = SSL_get_state((SSL *)conn->xprt_ctx);
> - empty_handshake = state == TLS_ST_BEFORE;
> +@@ -5201,11 +5201,11 @@ check_error:
> + if (!errno && conn->flags & CO_FL_WAIT_L4_CONN)
> + conn->flags &= ~CO_FL_WAIT_L4_CONN;
> + if (!conn->err_code) {
> +-#ifdef OPENSSL_IS_BORINGSSL /* BoringSSL */
> ++#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
> + conn->err_code = CO_ER_SSL_HANDSHAKE;
> #else
> -- empty_handshake = !((SSL > *)conn->xprt_ctx)->packet_length;
> -+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == > SSL_ST_BEFORE;
> + int empty_handshake;
> +-#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && > !defined(LIBRESSL_VERSION_NUMBER)
> ++#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
> + OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL > *)conn->xprt_ctx);
> + empty_handshake = state == TLS_ST_BEFORE;
> + #else
> +@@ -5249,7 +5249,7 @@ check_error:
> + goto out_error;
> + }
> + }
> +-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
> ++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && > !defined(LIBRESSL_VERSION_NUMBER)
> + else {
> + /*
> + * If the server refused the early data, we have to send a
> +@@ -5372,7 +5372,7 @@ static int ssl_sock_to_buf(struct connection *conn, st
> + continue;
> + }
> +
> +-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
> ++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && > !defined(LIBRESSL_VERSION_NUMBER)
> + if (conn->flags & CO_FL_EARLY_SSL_HS) {
> + size_t read_length;
> +
> +@@ -5509,7 +5509,7 @@ static int ssl_sock_from_buf(struct connection *conn,
> + * in which case we accept to do it once again. 
> + */
> + while (buf->o) {
> +-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
> ++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && > !defined(LIBRESSL_VERSION_NUMBER)
> + size_t written_data;
> #endif
> - if (empty_handshake) {
> - if (!errno) {
> +
> +@@ -5528,7 +5528,7 @@ static int ssl_sock_from_buf(struct connection *conn,
> + conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
> + }
> +
> +-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
> ++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && > !defined(LIBRESSL_VERSION_NUMBER)
> + if (!SSL_is_init_finished(conn->xprt_ctx)) {
> + unsigned int max_early;
> +
> Index: pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/net/haproxy/pkg/PLIST,v
> retrieving revision 1.4
> diff -u -p -r1.4 PLIST
> --- pkg/PLIST 10 Nov 2015 11:56:54 -0000 1.4
> +++ pkg/PLIST 26 Nov 2018 23:15:06 -0000
> @@ -1,6 +1,7 @@
> @comment $OpenBSD: PLIST,v 1.4 2015/11/10 11:56:54 jca Exp $
> @newgroup _haproxy:${HAPROXYGID}
> @newuser _haproxy:${HAPROXYUID}:_haproxy:daemon:HAProxy > Daemon:/var/haproxy:/sbin/nologin
> +@rcscript ${RCDIR}/haproxy
> @man man/man1/haproxy.1
> @bin sbin/haproxy
> @sample ${HAPROXYCONF}/
> @@ -16,4 +17,3 @@ share/examples/haproxy/content-sw-sample
> share/examples/haproxy/haproxy.cfg
> @sample ${HAPROXYCONF}/haproxy.cfg
> share/examples/haproxy/option-http_proxy.cfg
> -@rcscript ${RCDIR}/haproxy
>
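Review bot: In the `+@@ -5117` and `+@@ -5201` hunks the new guard `#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)` makes every failed handshake on LibreSSL report `CO_ER_SSL_HANDSHAKE`, dropping the `empty_handshake` classification that the removed 1.7 patch kept for LibreSSL with `SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE`. If LibreSSL still exposes `SSL_state()` and `SSL_ST_BEFORE`, that check could stay in the `#else` branch so a peer that closes before sending a ClientHello is still distinguished from a genuine handshake failure in the logs; if it was dropped on purpose, a comment such as `/* LibreSSL: treat like BoringSSL, no empty-handshake detection */` next to the new guard would record why. The `&& !defined(LIBRESSL_VERSION_NUMBER)` added to the eight `OPENSSL_VERSION_NUMBER >= 0x10101000L` guards is consistent, presumably because LibreSSL reports a 2.x OPENSSL_VERSION_NUMBER without providing the 1.1.1 early-data API; stating that once in the patch header would help the next update. The enclosing functions `ssl_sock_handshake`, `ssl_sock_to_buf` and `ssl_sock_from_buf` start and end outside the hunk.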
