authortron <tron>2014-09-13 18:13:24 +0000
committertron <tron>2014-09-13 18:13:24 +0000
commitf578ab9d361e046894490407aa6d493409c9bbc5 (patch)
tree3f438d51704a2a88b60e386e418568f1a9875c98
parente2c650678251dd931d36c80c0c8fa0c9c485ec37 (diff)
downloadpkgsrc-f578ab9d361e046894490407aa6d493409c9bbc5.tar.gz
Pullup ticket #4499 - requested by morr
net/haproxy: security update Revisions pulled up: - net/haproxy/Makefile 1.13-1.15 - net/haproxy/PLIST 1.5 - net/haproxy/distinfo 1.9-1.11 - net/haproxy/options.mk 1.1 - net/haproxy/patches/patch-aa 1.5 - net/haproxy/patches/patch-ab deleted - net/haproxy/patches/patch-standard_h 1.1 --- Module Name: pkgsrc Committed By: fhajny Date: Mon Jul 14 15:30:10 UTC 2014 Modified Files: pkgsrc/net/haproxy: Makefile PLIST distinfo pkgsrc/net/haproxy/patches: patch-aa Added Files: pkgsrc/net/haproxy: options.mk pkgsrc/net/haproxy/patches: patch-standard_h Removed Files: pkgsrc/net/haproxy/patches: patch-ab Log Message: Update haproxy to 1.5.2. Introduce support for OpenSSL, PCRE and Zlib. 1.5.2 ----- Two extra important issues were discovered since 1.5.1 which were fixed in 1.5.2. The first one can cause some sample fetch combinations to fail together in a same expression, and one artificial case (but totally useless) may even crash the process. The second one is an incomplete fix in 1.5-dev23 for the request body forwarding. Hash-based balancing algorithms and http-send-name-header may fail if a request contains a body which starts to be forwarded before the contents are used. A few other bugs were fixed, and the max syslog line length is now configurable per logger. 1.5.1 ----- Version 1.5.1 fixes a few bugs from 1.5.0 among which a really annoying one which can cause some file descriptor leak when dealing with clients which disappear from the net, resulting in the impossibility to accept new connections after some time. 
1.5.0 ----- 1.5 expands 1.4 with many new features and performance improvements, including native SSL support on both sides with SNI/NPN/ALPN and OCSP stapling, IPv6 and UNIX sockets are supported everywhere, full HTTP keep-alive for better support of NTLM and improved efficiency in static farms, HTTP/1.1 compression (deflate, gzip) to save bandwidth, PROXY protocol versions 1 and 2 on both sides, data sampling on everything in request or response, including payload, ACLs can use any matching method with any input sample maps and dynamic ACLs updatable from the CLI stick-tables support counters to track activity on any input sample custom format for logs, unique-id, header rewriting, and redirects, improved health checks (SSL, scripted TCP, check agent, ...), much more scalable configuration supports hundreds of thousands of backends and certificates without sweating. Full changelog for the 1.5 branch: http://www.haproxy.org/download/1.5/src/CHANGELOG --- Module Name: pkgsrc Committed By: fhajny Date: Sun Jul 27 16:33:36 UTC 2014 Modified Files: pkgsrc/net/haproxy: Makefile distinfo Log Message: Update haproxy to 1.5.3. 2014/07/25 : 1.5.3 - DOC: fix typo in Unix Socket commands - BUG/MEDIUM: connection: fix memory corruption when building a proxy v2 header - BUG/MEDIUM: ssl: Fix a memory leak in DHE key exchange - DOC: mention that Squid correctly responds 400 to PPv2 header - BUG/MINOR: http: base32+src should use the big endian version of base32 - BUG/MEDIUM: connection: fix proxy v2 header again! --- Module Name: pkgsrc Committed By: morr Date: Fri Sep 12 21:37:38 UTC 2014 Modified Files: pkgsrc/net/haproxy: Makefile distinfo Log Message: Update to version 1.5.4. Changes: - BUG: config: error in http-response replace-header number of arguments - BUG/MINOR: Fix search for -p argument in systemd wrapper. 
- BUG/MEDIUM: auth: fix segfault with http-auth and a configuration with an unknown encryption algorithm - BUG/MEDIUM: config: userlists should ensure that encrypted passwords are supported - MEDIUM: connection: add new bit in Proxy Protocol V2 - BUG/MINOR: server: move the directive #endif to the end of file - BUG/MEDIUM: http: tarpit timeout is reset - BUG/MAJOR: tcp: fix a possible busy spinning loop in content track-sc* - BUG/MEDIUM: http: fix inverted condition in pat_match_meth() - BUG/MEDIUM: http: fix improper parsing of HTTP methods for use with ACLs - BUG/MINOR: pattern: remove useless allocation of unused trash in pat_parse_reg() - BUG/MEDIUM: acl: correctly compute the output type when a converter is used - CLEANUP: acl: cleanup some of the redundancy and spaghetti after last fix - BUG/CRITICAL: http: don't update msg->sov once data start to leave the buffer
-rw-r--r--net/haproxy/Makefile13
-rw-r--r--net/haproxy/PLIST3
-rw-r--r--net/haproxy/distinfo12
-rw-r--r--net/haproxy/options.mk23
-rw-r--r--net/haproxy/patches/patch-aa24
-rw-r--r--net/haproxy/patches/patch-ab19
-rw-r--r--net/haproxy/patches/patch-standard_h30
7 files changed, 81 insertions, 43 deletions
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 55e553f9232..87177ec2761 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.12 2014/04/27 01:28:01 rodent Exp $
+# $NetBSD: Makefile,v 1.12.2.1 2014/09/13 18:13:24 tron Exp $
-DISTNAME= haproxy-1.4.25
+DISTNAME= haproxy-1.5.4
CATEGORIES= net www
-MASTER_SITES= http://haproxy.1wt.eu/download/1.4/src/
+MASTER_SITES= http://haproxy.1wt.eu/download/1.5/src/
MAINTAINER= morr@NetBSD.org
HOMEPAGE= http://haproxy.1wt.eu/
@@ -10,15 +10,17 @@ COMMENT= Reliable, high performance TCP/HTTP load balancer
LICENSE= gnu-gpl-v2
USE_TOOLS+= gmake
-BUILD_MAKE_FLAGS+= TARGET=${TARGET}
+BUILD_MAKE_FLAGS+= TARGET=${TARGET} ADDLIB=${COMPILER_RPATH_FLAG}${PREFIX}/lib USE_ZLIB=1
INSTALL_MAKE_FLAGS+= TARGET=${TARGET}
INSTALL_MAKE_FLAGS+= PREFIX=${PREFIX}
INSTALL_MAKE_FLAGS+= DOCDIR=${PREFIX}/share/doc/${PKGBASE}
INSTALL_MAKE_FLAGS+= MANDIR=${PREFIX}/${PKGMANDIR}
+.include "options.mk"
+
RCD_SCRIPTS= haproxy
EGDIR= ${PREFIX}/share/examples/${PKGBASE}
-INSTALLATION_DIRS= ${EGDIR} share/examples/rc.d
+INSTALLATION_DIRS+= ${EGDIR}
.include "../../mk/bsd.prefs.mk"
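Review bot: `USE_ZLIB=1` is hard-wired into `BUILD_MAKE_FLAGS` in this hunk, and the zlib buildlink3 include is added unconditionally in the last hunk of this file, while PCRE and OpenSSL are gated through the new options.mk. For a network-facing proxy it is cleaner to keep optional libraries under one mechanism so an operator can build without them; consider a `zlib` entry in `PKG_SUPPORTED_OPTIONS` with `BUILD_MAKE_FLAGS+= USE_ZLIB=1` inside its own `.if` block. If zlib is meant to be mandatory, a one-line comment above the flag, e.g. `# zlib is always linked in; HTTP compression is not a package option`, would record that decision.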
@@ -49,4 +51,5 @@ LIBS.SunOS+= -lxnet
post-install:
${INSTALL_DATA} ${WRKSRC}/examples/haproxy.cfg ${DESTDIR}${EGDIR}/
+.include "../../devel/zlib/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
diff --git a/net/haproxy/PLIST b/net/haproxy/PLIST
index 7c1e8050ae3..fa18d1cf160 100644
--- a/net/haproxy/PLIST
+++ b/net/haproxy/PLIST
@@ -1,6 +1,7 @@
-@comment $NetBSD: PLIST,v 1.4 2014/03/11 14:05:08 jperkin Exp $
+@comment $NetBSD: PLIST,v 1.4.4.1 2014/09/13 18:13:24 tron Exp $
man/man1/haproxy.1
sbin/haproxy
+sbin/haproxy-systemd-wrapper
share/doc/haproxy/architecture.txt
share/doc/haproxy/configuration.txt
share/doc/haproxy/haproxy-en.txt
diff --git a/net/haproxy/distinfo b/net/haproxy/distinfo
index 1b469b1d1eb..3eb2af65204 100644
--- a/net/haproxy/distinfo
+++ b/net/haproxy/distinfo
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.8 2014/04/27 01:28:01 rodent Exp $
+$NetBSD: distinfo,v 1.8.2.1 2014/09/13 18:13:24 tron Exp $
-SHA1 (haproxy-1.4.25.tar.gz) = f5c7dcaf0e8190f86e58b8e106dbc53609beaacd
-RMD160 (haproxy-1.4.25.tar.gz) = ececa8cf89c2c323016ba043ce5fc7e609b49efd
-Size (haproxy-1.4.25.tar.gz) = 838775 bytes
-SHA1 (patch-aa) = ad0de5c2ae97f4794635cdb823ec6b3049a50054
-SHA1 (patch-ab) = 10e051618f1fc561f5e5c87af576a87e1c3a884b
+SHA1 (haproxy-1.5.4.tar.gz) = 3387f1038128fb3291fff8be9b94808e32cc0f8d
+RMD160 (haproxy-1.5.4.tar.gz) = 6a02025139a36698636b116bbf46cd7c6e47de88
+Size (haproxy-1.5.4.tar.gz) = 1336140 bytes
+SHA1 (patch-aa) = be43fca3478d170620607cfe7f4b9ed30f341651
+SHA1 (patch-standard_h) = 08ef71d48cd846d16b7427e6dd133bb4a02d431c
diff --git a/net/haproxy/options.mk b/net/haproxy/options.mk
new file mode 100644
index 00000000000..cc68f8856a8
--- /dev/null
+++ b/net/haproxy/options.mk
@@ -0,0 +1,23 @@
+# $NetBSD: options.mk,v 1.1.2.2 2014/09/13 18:13:24 tron Exp $
+
+PKG_OPTIONS_VAR= PKG_OPTIONS.haproxy
+PKG_SUPPORTED_OPTIONS= pcre ssl
+PKG_SUGGESTED_OPTIONS= pcre
+
+.include "../../mk/bsd.options.mk"
+
+###
+### Use libpcre rather than libc for header processing regexp
+###
+.if !empty(PKG_OPTIONS:Mpcre)
+. include "../../devel/pcre/buildlink3.mk"
+BUILD_MAKE_FLAGS+= USE_PCRE=1
+.endif
+
+###
+### Support OpenSSL for termination.
+###
+.if !empty(PKG_OPTIONS:Mssl)
+. include "../../security/openssl/buildlink3.mk"
+BUILD_MAKE_FLAGS+= USE_OPENSSL=1
+.endif
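Review bot: `ssl` is listed in `PKG_SUPPORTED_OPTIONS` but not in `PKG_SUGGESTED_OPTIONS`, so a default build of this package has no TLS support even though the log message presents OpenSSL support as part of the update. If that default is intentional, the `### Support OpenSSL for termination.` comment should say so and name the switch, e.g. `### Support OpenSSL for TLS termination (off by default; enable with PKG_OPTIONS.haproxy+= ssl).`; otherwise `PKG_SUGGESTED_OPTIONS= pcre ssl` makes it the default. Without either, an operator who expects TLS at the proxy is likely to find out only when the binary is deployed.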
diff --git a/net/haproxy/patches/patch-aa b/net/haproxy/patches/patch-aa
index cee33afcdca..e0a7a232acf 100644
--- a/net/haproxy/patches/patch-aa
+++ b/net/haproxy/patches/patch-aa
@@ -1,20 +1,20 @@
-$NetBSD: patch-aa,v 1.4 2014/04/24 16:23:59 jperkin Exp $
+$NetBSD: patch-aa,v 1.4.2.1 2014/09/13 18:13:24 tron Exp $
Add support for NetBSD.
Remove -fomit-frame-pointer on SunOS.
---- Makefile.orig 2013-06-17 13:28:14.000000000 +0000
+--- Makefile.orig 2014-07-12 14:40:52.000000000 +0000
+++ Makefile
-@@ -73,7 +73,7 @@ DOCDIR = $(PREFIX)/doc/haproxy
+@@ -89,7 +89,7 @@ DOCDIR = $(PREFIX)/doc/haproxy
# Use TARGET=<target_name> to optimize for a specifc target OS among the
# following list (use the default "generic" if uncertain) :
# generic, linux22, linux24, linux24e, linux26, solaris,
--# freebsd, openbsd, cygwin, custom, aix52
-+# freebsd, netbsd, openbsd, cygwin, custom, aix52
+-# freebsd, openbsd, cygwin, custom, aix51, aix52
++# freebsd, netbsd, openbsd, cygwin, custom, aix51, aix52
TARGET =
#### TARGET CPU
-@@ -91,7 +91,6 @@ ARCH =
+@@ -107,7 +107,6 @@ ARCH =
#### Toolchain options.
# GCC is normally used both for compiling and linking.
@@ -22,16 +22,16 @@ Remove -fomit-frame-pointer on SunOS.
LD = $(CC)
#### Debug flags (typically "-g").
-@@ -232,7 +231,7 @@ else
- ifeq ($(TARGET),solaris)
+@@ -267,7 +266,7 @@ ifeq ($(TARGET),solaris)
# This is for Solaris 8
+ # We also enable getaddrinfo() which works since solaris 8.
USE_POLL = implicit
- TARGET_CFLAGS = -fomit-frame-pointer -DFD_SETSIZE=65536 -D_REENTRANT
+ TARGET_CFLAGS = -DFD_SETSIZE=65536 -D_REENTRANT
TARGET_LDFLAGS = -lnsl -lsocket
USE_TPROXY = implicit
USE_LIBCRYPT = implicit
-@@ -252,6 +251,12 @@ ifeq ($(TARGET),osx)
+@@ -288,6 +287,12 @@ ifeq ($(TARGET),osx)
USE_TPROXY = implicit
USE_LIBCRYPT = implicit
else
@@ -44,15 +44,15 @@ Remove -fomit-frame-pointer on SunOS.
ifeq ($(TARGET),openbsd)
# This is for OpenBSD >= 3.0
USE_POLL = implicit
-@@ -274,6 +279,7 @@ ifeq ($(TARGET),cygwin)
- endif # cygwin
+@@ -318,6 +323,7 @@ endif # cygwin
endif # aix52
+ endif # aix51
endif # openbsd
+endif # netbsd
endif # osx
endif # freebsd
endif # solaris
-@@ -510,7 +516,7 @@ all:
+@@ -634,7 +640,7 @@ all:
@echo "Please choose the target among the following supported list :"
@echo
@echo " linux2628, linux26, linux24, linux24e, linux22, solaris"
diff --git a/net/haproxy/patches/patch-ab b/net/haproxy/patches/patch-ab
deleted file mode 100644
index 7dbae3baca2..00000000000
--- a/net/haproxy/patches/patch-ab
+++ /dev/null
@@ -1,19 +0,0 @@
-$NetBSD: patch-ab,v 1.2 2013/04/17 19:55:37 morr Exp $
-
---- src/haproxy.c.orig 2013-04-03 00:33:32.000000000 +0000
-+++ src/haproxy.c
-@@ -101,10 +101,10 @@ int relative_pid = 1; /* process id st
-
- /* global options */
- struct global global = {
-- logfac1 : -1,
-- logfac2 : -1,
-- loglev1 : 7, /* max syslog level : debug */
-- loglev2 : 7,
-+ .logfac1 = -1,
-+ .logfac2 = -1,
-+ .loglev1 = 7, /* max syslog level : debug */
-+ .loglev2 = 7,
- .stats_sock = {
- .maxconn = 10, /* 10 concurrent stats connections */
- .perm = {
diff --git a/net/haproxy/patches/patch-standard_h b/net/haproxy/patches/patch-standard_h
new file mode 100644
index 00000000000..ee93865e4af
--- /dev/null
+++ b/net/haproxy/patches/patch-standard_h
@@ -0,0 +1,30 @@
+$NetBSD: patch-standard_h,v 1.1.2.2 2014/09/13 18:13:24 tron Exp $
+
+Remove local version of popcount(3), conflicts w/ libc.
+
+--- include/common/standard.h.orig 2014-07-12 14:40:52.000000000 +0000
++++ include/common/standard.h
+@@ -24,6 +24,7 @@
+
+ #include <limits.h>
+ #include <string.h>
++#include <strings.h>
+ #include <time.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+@@ -565,6 +566,7 @@ static inline unsigned int div64_32(unsi
+ return result;
+ }
+
++#if !defined(__NetBSD__)
+ /* Simple popcount implementation. It returns the number of ones in a word */
+ static inline unsigned int popcount(unsigned long a)
+ {
+@@ -575,6 +577,7 @@ static inline unsigned int popcount(unsi
+ }
+ return cnt;
+ }
++#endif
+
+ /* Build a word with the <bits> lower bits set (reverse of popcount) */
+ static inline unsigned long nbits(int bits)
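Review bot: Compiling out the local `popcount(unsigned long)` on NetBSD makes callers bind to the libc function declared by the added `<strings.h>`, and NetBSD's popcount(3) takes an `unsigned int`. On LP64 platforms an `unsigned long` argument would then be silently truncated to 32 bits, giving a wrong count for any word with bits set above bit 31. NetBSD also provides `popcountl(unsigned long)`, so adding `#else` and `#define popcount(a) popcountl(a)` before the `#endif` keeps the original width. The callers are outside this hunk, so whether any of them passes a value wider than 32 bits still needs checking.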