Update to haproxy-1.9.8


Update to haproxy-1.9.8

Daniel Jakots-6
Hi,

During g2k19 I updated haproxy to the 1.9.x branch with tb's help.
Since then I had to update it to a newer minor release, which required some
fiddling with the ssl_sock.c patch, so reviews of that part are especially welcome.

Lightly tested here and seems to work fine. More tests welcome.
I'll commit it in a week or so, unless some problems are found.


Cheers,
Daniel

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/haproxy/Makefile,v
retrieving revision 1.56
diff -u -p -r1.56 Makefile
--- Makefile 14 Mar 2019 21:37:20 -0000 1.56
+++ Makefile 26 May 2019 15:24:25 -0000
@@ -2,7 +2,7 @@
 
 COMMENT = reliable, high performance TCP/HTTP load balancer
 
-DISTNAME = haproxy-1.8.17
+DISTNAME = haproxy-1.9.8
 CATEGORIES = net www
 HOMEPAGE = http://www.haproxy.org/
 MAINTAINER = Daniel Jakots <[hidden email]>
@@ -12,7 +12,7 @@ PERMIT_PACKAGE_CDROM = Yes
 
 WANTLIB += c crypto pcre pcreposix pthread ssl
 
-MASTER_SITES = ${HOMEPAGE}/download/1.8/src/
+MASTER_SITES = ${HOMEPAGE}/download/1.9/src/
 
 HAPROXYCONF = ${SYSCONFDIR}/haproxy
 HAPROXYSTATE = /var/haproxy
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/haproxy/distinfo,v
retrieving revision 1.33
diff -u -p -r1.33 distinfo
--- distinfo 11 Jan 2019 01:09:50 -0000 1.33
+++ distinfo 26 May 2019 15:24:25 -0000
@@ -1,2 +1,2 @@
-SHA256 (haproxy-1.8.17.tar.gz) = e3ibF3h1r91d3v8Fjn795zqoldwtz3KLRkNYY1rjlI4=
-SIZE (haproxy-1.8.17.tar.gz) = 2077525
+SHA256 (haproxy-1.9.8.tar.gz) = LZozANvYcbw1t0OoPKr1D+z78GKQYQIxyi0zT9BMKu4=
+SIZE (haproxy-1.9.8.tar.gz) = 2376526
Index: patches/patch-include_proto_openssl-compat_h
===================================================================
RCS file: /cvs/ports/net/haproxy/patches/patch-include_proto_openssl-compat_h,v
retrieving revision 1.7
diff -u -p -r1.7 patch-include_proto_openssl-compat_h
--- patches/patch-include_proto_openssl-compat_h 5 Dec 2018 16:32:13 -0000 1.7
+++ patches/patch-include_proto_openssl-compat_h 26 May 2019 15:24:25 -0000
@@ -7,22 +7,8 @@ Index: include/proto/openssl-compat.h
  }
  #endif
 
--#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL)
-+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) || defined(OPENSSL_IS_BORINGSSL)
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)
  /*
-  * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL / BoringSSL
+  * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
   */
-@@ -118,13 +118,6 @@ static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_
- return single->certId;
- }
- #endif
--
--#endif
--
--#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
--/*
-- * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
-- */
-
- static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
- {
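Review bot: The block comment that survives as context, `Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL`, no longer matches the new condition, which drops every LibreSSL reference and keys solely on `OPENSSL_VERSION_NUMBER < 0x1010000fL`. Because LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L, the shims are now compiled out for every LibreSSL release, including ones older than 2.7 that the previous revision's `LIBRESSL_VERSION_NUMBER < 0x2070000fL` fence still covered; that is presumably fine for the in-tree LibreSSL, but it is an assumption worth recording rather than leaving implicit. I would have the port patch rewrite the comment as well, e.g. `* Functions introduced in OpenSSL 1.1.0; LibreSSL >= 2.7 provides them natively, so only older OpenSSL needs these shims`.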
Index: patches/patch-src_ssl_sock_c
===================================================================
RCS file: /cvs/ports/net/haproxy/patches/patch-src_ssl_sock_c,v
retrieving revision 1.10
diff -u -p -r1.10 patch-src_ssl_sock_c
--- patches/patch-src_ssl_sock_c 15 Dec 2018 20:25:54 -0000 1.10
+++ patches/patch-src_ssl_sock_c 26 May 2019 15:24:25 -0000
@@ -3,7 +3,7 @@ $OpenBSD: patch-src_ssl_sock_c,v 1.10 20
 Index: src/ssl_sock.c
 --- src/ssl_sock.c.orig
 +++ src/ssl_sock.c
-@@ -2088,7 +2088,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *
+@@ -2175,7 +2175,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *
  SSL_set_SSL_CTX(ssl, ctx);
  }
 
@@ -12,25 +12,16 @@ Index: src/ssl_sock.c
 
  static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
  {
-@@ -3820,7 +3820,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
+@@ -3919,7 +3919,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
  #ifdef OPENSSL_IS_BORINGSSL
  SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
  SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
 -#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
 +#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
- SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
- SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
- #else
-@@ -5067,7 +5067,7 @@ static int ssl_sock_init(struct connection *conn)
-
- /* leave init state and start handshake */
- conn->flags |= CO_FL_SSL_WAIT_HS | CO_FL_WAIT_L6_CONN;
--#if OPENSSL_VERSION_NUMBER >= 0x10101000L || defined(OPENSSL_IS_BORINGSSL)
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)) || defined(OPENSSL_IS_BORINGSSL)
- conn->flags |= CO_FL_EARLY_SSL_HS;
- #endif
-
-@@ -5097,7 +5097,7 @@ int ssl_sock_handshake(struct connection *conn, unsign
+ if (bind_conf->ssl_conf.early_data) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
+ SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite);
+@@ -5217,7 +5217,7 @@ int ssl_sock_handshake(struct connection *conn, unsign
  if (!conn->xprt_ctx)
  goto out_error;
 
@@ -39,7 +30,7 @@ Index: src/ssl_sock.c
  /*
  * Check if we have early data. If we do, we have to read them
  * before SSL_do_handshake() is called, And there's no way to
-@@ -5165,11 +5165,11 @@ int ssl_sock_handshake(struct connection *conn, unsign
+@@ -5285,11 +5285,11 @@ int ssl_sock_handshake(struct connection *conn, unsign
  if (!errno && conn->flags & CO_FL_WAIT_L4_CONN)
  conn->flags &= ~CO_FL_WAIT_L4_CONN;
  if (!conn->err_code) {
@@ -53,7 +44,7 @@ Index: src/ssl_sock.c
  OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
  empty_handshake = state == TLS_ST_BEFORE;
  #else
-@@ -5249,11 +5249,11 @@ check_error:
+@@ -5369,11 +5369,11 @@ check_error:
  if (!errno && conn->flags & CO_FL_WAIT_L4_CONN)
  conn->flags &= ~CO_FL_WAIT_L4_CONN;
  if (!conn->err_code) {
@@ -67,7 +58,7 @@ Index: src/ssl_sock.c
  OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
  empty_handshake = state == TLS_ST_BEFORE;
  #else
-@@ -5297,7 +5297,7 @@ check_error:
+@@ -5417,7 +5417,7 @@ check_error:
  goto out_error;
  }
  }
@@ -76,7 +67,7 @@ Index: src/ssl_sock.c
  else {
  /*
  * If the server refused the early data, we have to send a
-@@ -5420,7 +5420,7 @@ static int ssl_sock_to_buf(struct connection *conn, st
+@@ -5532,7 +5532,7 @@ static size_t ssl_sock_to_buf(struct connection *conn,
  continue;
  }
 
@@ -85,21 +76,21 @@ Index: src/ssl_sock.c
  if (conn->flags & CO_FL_EARLY_SSL_HS) {
  size_t read_length;
 
-@@ -5557,7 +5557,7 @@ static int ssl_sock_from_buf(struct connection *conn,
+@@ -5672,7 +5672,7 @@ static size_t ssl_sock_from_buf(struct connection *con
  * in which case we accept to do it once again.
  */
- while (buf->o) {
+ while (count) {
 -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
 +#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
  size_t written_data;
  #endif
 
-@@ -5576,7 +5576,7 @@ static int ssl_sock_from_buf(struct connection *conn,
+@@ -5693,7 +5693,7 @@ static size_t ssl_sock_from_buf(struct connection *con
  conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
  }
 
 -#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
-+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
- if (!SSL_is_init_finished(conn->xprt_ctx)) {
++#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)  && !defined(LIBRESSL_VERSION_NUMBER)
+ if (!SSL_is_init_finished(conn->xprt_ctx) && conn_is_back(conn)) {
  unsigned int max_early;