diff --git a/srcpkgs/haproxy/patches/fix-libressl-2.5.patch b/srcpkgs/haproxy/patches/fix-libressl-2.5.patch
deleted file mode 100644
index 578d64e3bcb..00000000000
--- a/srcpkgs/haproxy/patches/fix-libressl-2.5.patch
+++ /dev/null
@@ -1,46 +0,0 @@
---- src/ssl_sock.c.orig 2017-01-13 09:03:00 UTC
-+++ src/ssl_sock.c
-@@ -792,8 +792,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
- ocsp = NULL;
-
- #ifndef SSL_CTX_get_tlsext_status_cb
--# define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
-- *cb = (void (*) (void))ctx->tlsext_status_cb;
-+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB
-+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB 128
-+#endif
-+#define SSL_CTX_get_tlsext_status_cb(ctx, cb) \
-+ *cb = SSL_CTX_ctrl(ctx,SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB,0, (void (**)(void))cb)
- #endif
- SSL_CTX_get_tlsext_status_cb(ctx, &callback);
-
-@@ -821,7 +824,10 @@ static int ssl_sock_load_ocsp(SSL_CTX *c
- int key_type;
- EVP_PKEY *pkey;
-
--#ifdef SSL_CTX_get_tlsext_status_arg
-+#if defined(SSL_CTX_get_tlsext_status_arg) || defined(LIBRESSL_VERSION_NUMBER)
-+#ifndef SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG
-+#define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG 129
-+#endif
- SSL_CTX_ctrl(ctx, SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG, 0, &cb_arg);
- #else
- cb_arg = ctx->tlsext_status_arg;
-@@ -3537,7 +3543,7 @@ int ssl_sock_handshake(struct connection
- OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)conn->xprt_ctx);
- empty_handshake = state == TLS_ST_BEFORE;
- #else
-- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
-+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
- #endif
-
- if (empty_handshake) {
-@@ -3615,7 +3621,7 @@ int ssl_sock_handshake(struct connection
- state = SSL_get_state((SSL *)conn->xprt_ctx);
- empty_handshake = state == TLS_ST_BEFORE;
- #else
-- empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
-+ empty_handshake = SSL_state((SSL *)conn->xprt_ctx) == SSL_ST_BEFORE;
- #endif
- if (empty_handshake) {
- if (!errno) {
diff --git a/srcpkgs/haproxy/patches/libressl-2.7.patch b/srcpkgs/haproxy/patches/libressl-2.7.patch
new file mode 100644
index 00000000000..6c348dc5271
--- /dev/null
+++ b/srcpkgs/haproxy/patches/libressl-2.7.patch
@@ -0,0 +1,104 @@
+diff --git a/include/proto/openssl-compat.h include/proto/openssl-compat.h
+index b6fe1d2..551cae2 100644
+--- a/include/proto/openssl-compat.h
++++ include/proto/openssl-compat.h
+@@ -89,7 +89,7 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned cha
+ }
+ #endif
+
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_IS_BORINGSSL)
++#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L)) || defined(OPENSSL_IS_BORINGSSL)
+ /*
+ * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL / BoringSSL
+ */
+@@ -121,7 +121,7 @@ static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *
+
+ #endif
+
+-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x20700000L))
+ /*
+ * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
+ */
+diff --git a/src/ssl_sock.c src/ssl_sock.c
+index c2b5bf6..ebde76d 100644
+--- a/src/ssl_sock.c
++++ src/ssl_sock.c
+@@ -56,6 +56,14 @@
+ #include
+ #endif
+
++#if defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_ASYNC)
++#define OPENSSL_NO_ASYNC
++#endif
++
++#if defined(SSL_READ_EARLY_DATA_ERROR) && defined(SSL_READ_EARLY_DATA_SUCCESS)
++#define HAVE_SSL_READ_EARLY
++#endif
++
+ #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC)
+ #include
+ #endif
+@@ -2066,7 +2074,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
+ SSL_set_SSL_CTX(ssl, ctx);
+ }
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)
++#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) && !defined(LIBRESSL_VERSION_NUMBER)
+
+ static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
+ {
+@@ -3798,7 +3806,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
+ #ifdef OPENSSL_IS_BORINGSSL
+ SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
+ SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
+-#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
+ SSL_CTX_set_client_hello_cb(ctx, ssl_sock_switchctx_cbk, NULL);
+ SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
+ #else
+@@ -5052,7 +5060,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
+ if (!conn->xprt_ctx)
+ goto out_error;
+
+-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
++#if HAVE_SSL_READ_EARLY
+ /*
+ * Check if we have early data. If we do, we have to read them
+ * before SSL_do_handshake() is called, And there's no way to
+@@ -5252,7 +5260,7 @@ check_error:
+ goto out_error;
+ }
+ }
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++#if HAVE_SSL_READ_EARLY
+ else {
+ /*
+ * If the server refused the early data, we have to send a
+@@ -5375,7 +5383,7 @@ static int ssl_sock_to_buf(struct connection *conn, struct buffer *buf, int coun
+ continue;
+ }
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++#if OPENSSL_READ_EARLY
+ if (conn->flags & CO_FL_EARLY_SSL_HS) {
+ size_t read_length;
+
+@@ -5512,7 +5520,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
+ * in which case we accept to do it once again.
+ */
+ while (buf->o) {
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++#if HAVE_SSL_EARLY_DATA
+ size_t written_data;
+ #endif
+
+@@ -5531,7 +5539,7 @@ static int ssl_sock_from_buf(struct connection *conn, struct buffer *buf, int fl
+ conn->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
+ }
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10101000L)
++#if HAVE_SSL_EARLY_DATA
+ if (!SSL_is_init_finished(conn->xprt_ctx)) {
+ unsigned int max_early;
+
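Review bot: The early-data guards in the added src/ssl_sock.c patch do not agree on a macro name: the patch defines `HAVE_SSL_READ_EARLY` next to the includes, but ssl_sock_to_buf() tests `OPENSSL_READ_EARLY` and both ssl_sock_from_buf() hunks test `HAVE_SSL_EARLY_DATA`, and neither of those names is defined anywhere in the visible patch, so those three blocks always evaluate to 0 and are compiled out regardless of the TLS library. The define also has an empty body, so `#if HAVE_SSL_READ_EARLY` in ssl_sock_handshake() becomes an `#if` with no expression whenever the library does provide `SSL_READ_EARLY_DATA_ERROR`/`SSL_READ_EARLY_DATA_SUCCESS`; the patch presumably only builds because LibreSSL leaves them undefined. I would write `#define HAVE_SSL_READ_EARLY 1` and use `#ifdef HAVE_SSL_READ_EARLY` at all five guards, so that 0-RTT handling is either fully present or fully absent instead of depending on a typo. The guarded functions start and end outside these hunks, so the surrounding early-data code was not checked.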
diff --git a/srcpkgs/haproxy/patches/patch-include_proto_openssl-compat_h.patch b/srcpkgs/haproxy/patches/patch-include_proto_openssl-compat_h.patch
deleted file mode 100644
index 474a51e22bc..00000000000
--- a/srcpkgs/haproxy/patches/patch-include_proto_openssl-compat_h.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-$OpenBSD: patch-include_proto_openssl-compat_h,v 1.6 2018/03/20 21:57:55 sthen Exp $
-
-Index: include/proto/openssl-compat.h
---- include/proto/openssl-compat.h.orig
-+++ include/proto/openssl-compat.h
-@@ -89,7 +89,8 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESS
- }
- #endif
-
--#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER)
-+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
- /*
- * Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL
- */
diff --git a/srcpkgs/haproxy/template b/srcpkgs/haproxy/template
index d5821df2f41..55191c1cb7a 100644
--- a/srcpkgs/haproxy/template
+++ b/srcpkgs/haproxy/template
@@ -1,6 +1,6 @@
 # Template file for 'haproxy'
 pkgname=haproxy
-version=1.7.11
+version=1.8.11
 revision=1
 build_style=gnu-makefile
 make_build_args="TARGET=linux2628 USE_PCRE=1 USE_PCRE_JIT=1 USE_ZLIB=1
@@ -12,7 +12,7 @@ maintainer="Eivind Uggedal "
 license="GPL-2.0-or-later, LGPL-2.1-or-later"
 homepage="https://www.haproxy.org"
 distfiles="${homepage}/download/${version%.*}/src/${pkgname}-${version}.tar.gz"
-checksum=d564b8e9429d1e8e13cb648bf4694926b472e36da1079df946bb732927b232ea
+checksum=b4b403ceb5efe3c65c6d86e1a44fc0953189f12cdf0bd884e5df04bbabb27947
 make_dirs="$haproxy_homedir 0750 ${pkgname} ${pkgname}"
 conf_files="/etc/${pkgname}/${pkgname}.cfg"
 system_accounts="${pkgname}"