Merge ~athos-ribeiro/ubuntu/+source/squid:MRE-kinetic-5.7 into ubuntu/+source/squid:ubuntu/kinetic-devel
Status: Rejected
Rejected by: Robie Basak
Proposed branch: ~athos-ribeiro/ubuntu/+source/squid:MRE-kinetic-5.7
Merge into: ubuntu/+source/squid:ubuntu/kinetic-devel
Diff against target: 2052 lines (+467/-220), 48 files modified:
ChangeLog (+11/-0) RELEASENOTES.html (+24/-3) compat/GnuRegex.c (+7/-0) compat/os/mswindows.h (+6/-2) configure (+16/-10) configure.ac (+2/-1) debian/NEWS (+12/-0) debian/changelog (+22/-0) debian/patches/series (+0/-3) debian/squid-openssl.postinst (+14/-0) dev/null (+0/-36) doc/release-notes/release-5.html (+24/-3) include/autoconf.h.in (+3/-0) include/version.h (+1/-1) lib/ntlmauth/ntlmauth.cc (+12/-2) src/FwdState.cc (+11/-7) src/HappyConnOpener.cc (+2/-2) src/HappyConnOpener.h (+2/-1) src/HttpHeaderTools.h (+1/-1) src/acl/RegexData.cc (+3/-0) src/acl/external/SQL_session/ext_sql_session_acl.8 (+1/-1) src/acl/external/delayer/ext_delayer_acl.8 (+1/-1) src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 (+1/-1) src/acl/external/session/ext_session_acl.cc (+11/-5) src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 (+1/-1) src/auth/basic/DB/basic_db_auth.8 (+1/-1) src/auth/basic/POP3/basic_pop3_auth.8 (+1/-1) src/base/EnumIterator.h (+7/-1) src/cache_cf.cc (+1/-1) src/cf.data.pre (+7/-3) src/cf_gen.cc (+0/-2) src/fs/ufs/RebuildState.cc (+8/-10) src/fs/ufs/RebuildState.h (+2/-2) src/http/url_rewriters/LFS/url_lfs_rewrite.8 (+1/-1) src/log/DB/log_db_daemon.8 (+1/-1) src/main.cc (+2/-0) src/sbuf/SBuf.h (+8/-1) src/security/PeerOptions.cc (+36/-32) src/security/ServerOptions.cc (+92/-0) src/security/cert_validators/fake/security_fake_certverify.8 (+1/-1) src/security/forward.h (+17/-11) src/ssl/gadgets.cc (+20/-31) src/ssl/gadgets.h (+1/-7) src/ssl/support.cc (+17/-6) src/store/id_rewriters/file/storeid_file_rewrite.8 (+1/-1) src/tests/testStoreHashIndex.cc (+6/-0) src/tunnel.cc (+48/-25) tools/helper-mux/helper-mux.8 (+1/-1) |
Related bugs:
Reviewer | Review Type | Date Requested | Status
---|---|---|---
Athos Ribeiro (community) | | | Disapprove
git-ubuntu bot | | | Pending
Canonical Server Reporter | | | Pending
Sergio Durigan Junior | | | Pending
Review via email: mp+442032@code.launchpad.net
This proposal supersedes a proposal from 2023-03-31.
Commit message
Description of the change
This is the kinetic MRE for squid 5.7, as described in LP: #2013423
The most relevant change here is the official openssl 3 support. DO note that, as described in LP: #2013423, there is a configuration option whose support is being dropped. We consider this to be an acceptable tradeoff to remove the uncertainty around this package's openssl3 support.
PPA: https:/
The DEP8 test suite results:
- squid/5.
  - ✅ squid on kinetic for amd64 @ 27.04.23 12:04:00
  - ✅ squid on kinetic for arm64 @ 27.04.23 12:06:27
  - ❌ squid on kinetic for armhf @ 27.04.23 12:03:05
    - upstream-test-suite PASS 🟩
    - squid FAIL 🟥
  - ❌ squid on kinetic for i386 @ 27.04.23 11:55:16
    - upstream-test-suite FAIL 🟥
    - squid FAIL 🟥
  - ✅ squid on kinetic for ppc64el @ 27.04.23 11:58:33
  - ✅ squid on kinetic for s390x @ 27.04.23 12:02:37
Sergio Durigan Junior (sergiodj) wrote : Posted in a previous version of this proposal | # |
Results: (from http://
squid @ amd64:
http://
31.03.23 04:10:00 ✅ Triggers: squid/5.
http://
31.03.23 11:42:04 ✅ Triggers: squid/5.
squid @ arm64:
http://
31.03.23 04:22:17 ✅ Triggers: squid/5.
http://
31.03.23 11:52:07 ✅ Triggers: squid/5.
squid @ armhf:
http://
31.03.23 04:14:45 ❌ Triggers: squid/5.
squid FAIL 🟥
http://
31.03.23 11:41:17 ❌ Triggers: squid/5.
squid FAIL 🟥
squid @ ppc64el:
http://
31.03.23 04:12:25 ✅ Triggers: squid/5.
http://
31.03.23 11:41:52 ✅ Triggers: squid/5.
squid @ s390x:
http://
31.03.23 04:10:59 ✅ Triggers: squid/5.
http://
31.03.23 12:34:12 ✅ Triggers: squid/5.
Sergio Durigan Junior (sergiodj) wrote : Posted in a previous version of this proposal | # |
Thanks, Athos.
LGTM modulo the d/NEWS modifications I suggested in the Jammy MP. +1
git-ubuntu bot (git-ubuntu-bot) wrote : Posted in a previous version of this proposal | # |
Approvers: athos-ribeiro, sergiodj
Uploaders: athos-ribeiro, sergiodj
MP auto-approved
Athos Ribeiro (athos-ribeiro) wrote : Posted in a previous version of this proposal | # |
Thanks, Sergio.
Applied the suggestions (thx!) and uploaded :)
Athos Ribeiro (athos-ribeiro) wrote : | # |
I am re-submitting this with 2 changes:
- We are now commenting out the ssl_engine configuration directive in the postinst if it is present and if the previous squid version is <= 5.7.
- We are documenting the change described above in d/NEWS.
Athos Ribeiro (athos-ribeiro) wrote : | # |
Here is an easy way to verify the new behavior:
lxc launch ubuntu-
lxc exec squid-kk bash
# apt update && apt install -y squid-openssl
# systemctl is-active squid
> should be active
# echo 'ssl_engine dynamic' >> /etc/squid/
# systemctl restart squid
# systemctl is-active squid
> should still be active in kinetic, since our current Openssl3 support patch still supports the directive
# add-apt-repository -y ppa:athos-
# apt update && apt install -y squid-openssl
# systemctl is-active squid
> should still be active, since the postinst script commented out the ssl_engine line
# tail -n2 /etc/squid/
> should show the commented lines:
# ssl_engine is no longer supported since squid 5.7 (LP: #2013423).
# ssl_engine dynamic
# echo 'ssl_engine dynamic' >> /etc/squid/
# systemctl restart squid
# systemctl status squid
> the restart command should fail, and the status should show:
FATAL: Bungled (null) line 3: sslproxy_cert_sign signTrusted all
# cat /var/log/syslog | grep ssl_engine
FATAL: bad configuration: Cannot use ssl_engine in Squid built with OpenSSL 3.0 or newer
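The procedure above checks, end to end, that the package upgrade comments out `ssl_engine`. What follows is an added example, not the postinst from this merge proposal nor anything shipped by the squid package: it reimplements that one step as a stand-alone POSIX shell function run against a constructed configuration tree, and goes a little beyond what the comment above exercises by keeping a symlinked squid.conf intact and by being safe to run twice. The function and variable names (comment_out_ssl_engine, count_active_ssl_engine, count_ssl_engine_markers, make_sample_tree, SSL_ENGINE_DOC) and the sample config contents are assumptions made for this example; only the marker comment text is taken from the page.

```shell
#!/bin/sh
# Added example, not the postinst from this merge proposal: a stand-alone
# version of the "comment out ssl_engine on upgrade" step, run against a
# constructed configuration tree. All names below are assumptions made for
# this example; the marker text matches the one shown in the procedure above.
set -e

SSL_ENGINE_DOC='# ssl_engine is no longer supported since squid 5.7 (LP: #2013423).'

# Comment out every active ssl_engine directive in *.conf files under $1.
# Two deliberate differences from a plain `sed -i`: the rewritten text is
# written back with `cat >` so a symlinked squid.conf stays a symlink (the
# target is updated in place and keeps its mode and owner), and lines that
# are already commented never match, so running this twice is a no-op.
comment_out_ssl_engine() {
    dir="$1"
    find "$dir" \( -type f -o -type l \) -name '*.conf' -print |
    while read -r f; do
        tmp=$(mktemp)
        awk -v doc="$SSL_ENGINE_DOC" '
            /^[ \t]*ssl_engine[ \t]/ { print doc; print "# " $0; next }
            { print }
        ' "$f" > "$tmp"
        cat "$tmp" > "$f"
        rm -f "$tmp"
    done
}

# Number of ssl_engine directives squid would still try to parse.
count_active_ssl_engine() {
    grep -Eh '^[[:blank:]]*ssl_engine[[:blank:]]' "$1"/*.conf 2>/dev/null | wc -l
}

# Number of marker comments inserted by comment_out_ssl_engine.
count_ssl_engine_markers() {
    grep -Fxh -- "$SSL_ENGINE_DOC" "$1"/*.conf 2>/dev/null | wc -l
}

# Constructed sample tree: a squid.conf reached through a symlink plus an
# extra.conf holding one active and one already-commented directive.
make_sample_tree() {
    d=$(mktemp -d)
    real=$(mktemp -d)
    printf 'http_port 3128\nssl_engine dynamic\nacl all src all\n' > "$real/squid.conf"
    ln -s "$real/squid.conf" "$d/squid.conf"
    printf '\tssl_engine rdrand\n# ssl_engine dynamic\ncache_dir ufs /var/spool/squid 100 16 256\n' > "$d/extra.conf"
    echo "$d"
}

# Stand-alone demonstration.
sample=$(make_sample_tree)
echo "active before: $(count_active_ssl_engine "$sample")"   # 2
comment_out_ssl_engine "$sample"
echo "active after:  $(count_active_ssl_engine "$sample")"   # 0
echo "markers:       $(count_ssl_engine_markers "$sample")"  # 2
if [ -L "$sample/squid.conf" ]; then
    echo "squid.conf is still a symlink"
fi
```

awk plus a write-through `cat` is used instead of `sed -i` because in-place sed without `--follow-symlinks` replaces a symlink with a regular file and leaves the real target unmodified; the marker line also doubles as a grep target for an admin checking what the upgrade touched.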
Athos Ribeiro (athos-ribeiro) wrote : | # |
- squid/5.
  - ✅ squid on kinetic for amd64 @ 28.04.23 01:20:13
  - ✅ squid on kinetic for arm64 @ 28.04.23 01:24:25
  - ❌ squid on kinetic for armhf @ 28.04.23 01:17:14
    - upstream-test-suite PASS 🟩
    - squid FAIL 🟥
  - ❌ squid on kinetic for i386 @ 28.04.23 01:09:16
    - upstream-test-suite FAIL 🟥
    - squid FAIL 🟥
  - ✅ squid on kinetic for ppc64el @ 28.04.23 01:16:34
  - ✅ squid on kinetic for s390x @ 28.04.23 01:14:46
Athos Ribeiro (athos-ribeiro) wrote : | # |
marking bug as wontfix since kinetic reached its EOSS
Robie Basak (racb) wrote : | # |
Athos asked me to mark this as Rejected.
Unmerged commits
- a2821d9... by Athos Ribeiro
  Update changelog
- 75524db... by Athos Ribeiro
  d/NEWS: document end of support of the ssh_engine directive.
- 305f507... by Athos Ribeiro
  d/squid-openssl.postinst: remove ssl_engine configuration directive.
- 9d93934... by Athos Ribeiro
  d/p/CVE-2022-41318.patch: drop patch to fix NTLM decoder truncated strings.
  [ Fixed in 5.7 ]
- 20873ef... by Athos Ribeiro
  d/p/CVE-2022-41317.patch: drop patch to fix typo in manager ACL.
  [ Fixed in 5.7 ]
- d3785f8... by Athos Ribeiro
  d/p/0006-Fix-build-against-OpenSSL-3-0.patch: drop downstream OpenSSL 3 support patch.
  [ Fixed in 5.7 ]
- fa498c5... by Athos Ribeiro
  New Upstream release 5.7
Preview Diff
1 | diff --git a/ChangeLog b/ChangeLog |
2 | index f42c6d1..49174d4 100644 |
3 | --- a/ChangeLog |
4 | +++ b/ChangeLog |
5 | @@ -1,3 +1,14 @@ |
6 | +Changes in squid-5.7 (05 Sep 2022): |
7 | + |
8 | + - Regression Fix: Typo in manager ACL |
9 | + - Bug 5186: noteDestinationsEnd check failed: transportWait |
10 | + - Bug 5160: Test suite fails with -flto=auto |
11 | + - Bug 3193 pt2: NTLM decoder truncating strings |
12 | + - Bug 5133: OpenSSL 3.0 support |
13 | + - ext_session_acl: fix TDB key lookup |
14 | + - forward_max_tries: Do not count discarded connections |
15 | + - ... and many compile and debugging fixes |
16 | + |
17 | Changes in squid-5.6 (06 Jun 2022): |
18 | |
19 | - Bug 5208: Part 1: Restart kids killed by SIGKILL |
20 | diff --git a/RELEASENOTES.html b/RELEASENOTES.html |
21 | index a037de3..7369f54 100644 |
22 | --- a/RELEASENOTES.html |
23 | +++ b/RELEASENOTES.html |
24 | @@ -3,10 +3,10 @@ |
25 | <HEAD> |
26 | <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.82"> |
27 | <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> |
28 | - <TITLE>Squid 5.6 release notes</TITLE> |
29 | + <TITLE>Squid 5.7 release notes</TITLE> |
30 | </HEAD> |
31 | <BODY> |
32 | -<H1>Squid 5.6 release notes</H1> |
33 | +<H1>Squid 5.7 release notes</H1> |
34 | |
35 | <H2>Squid Developers</H2> |
36 | <HR> |
37 | @@ -31,6 +31,7 @@ for Applied Network Research and members of the Web Caching community.</EM> |
38 | <LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">TrivialDB Support</A> |
39 | <LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Loop Detection in Content Delivery Networks</A> |
40 | <LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Peering support for SSL-Bump</A> |
41 | +<LI><A NAME="toc2.7">2.7</A> <A HREF="#ss2.7">OpenSSL 3.0 Support</A> |
42 | </UL> |
43 | <P> |
44 | <H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-4</A></H2> |
45 | @@ -61,7 +62,7 @@ for Applied Network Research and members of the Web Caching community.</EM> |
46 | <HR> |
47 | <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2> |
48 | |
49 | -<P>The Squid Team are pleased to announce the release of Squid-5.6.</P> |
50 | +<P>The Squid Team are pleased to announce the release of Squid-5.7.</P> |
51 | <P>This new release is available for download from |
52 | <A HREF="http://www.squid-cache.org/Versions/v5/">http://www.squid-cache.org/Versions/v5/</A> or the |
53 | <A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P> |
54 | @@ -95,6 +96,7 @@ for how to submit a report with a stack trace.</P> |
55 | <LI>TrivialDB Support</LI> |
56 | <LI>RFC 8586: Loop Detection in Content Delivery Networks</LI> |
57 | <LI>Peering support for SSL-Bump</LI> |
58 | +<LI>OpenSSL 3.0 Support</LI> |
59 | </UL> |
60 | </P> |
61 | <P>Most user-facing changes are reflected in squid.conf (see below).</P> |
62 | @@ -220,6 +222,21 @@ see TLS client handshake) <EM>before</EM> selecting the cache_peer.</P> |
63 | yet do TLS-in-TLS.</P> |
64 | |
65 | |
66 | +<H2><A NAME="ss2.7">2.7</A> <A HREF="#toc2.7">OpenSSL 3.0 Support</A> |
67 | +</H2> |
68 | + |
69 | +<P>Squid-5.7 adds OpenSSL 3.0 support.</P> |
70 | + |
71 | +<P>This version of Squid does not add any of the new features provided by |
72 | +OpenSSL 3.0. It only contains support for features already supported by prior |
73 | +versions of Squid using new APIs provided by OpenSSL 3.0.</P> |
74 | + |
75 | +<P>Notably the libssl custom Engine feature has been deprecated by OpenSSL 3.0 |
76 | +and new Providers replacement is not supported by this Squid.</P> |
77 | + |
78 | +<P>OpenSSL 3.0 uses new licensing terms.</P> |
79 | + |
80 | + |
81 | <H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-4</A></H2> |
82 | |
83 | <P>There have been changes to Squid's configuration file since Squid-4.</P> |
84 | @@ -364,6 +381,10 @@ code to indicate the response was received from server using TLS/1.3.</P> |
85 | <P>Codes <EM>rm</EM>, <EM><rm</EM> and <EM>>rm</EM> display "-" |
86 | instead of the made-up method NONE.</P> |
87 | |
88 | +<DT><B>ssl_engine</B><DD> |
89 | +<P>OpenSSL 3.0 deprecates the Engine feature. This directive is |
90 | +only supported when Squid is built for older OpenSSL versions.</P> |
91 | + |
92 | </DL> |
93 | </P> |
94 | |
95 | diff --git a/compat/GnuRegex.c b/compat/GnuRegex.c |
96 | index 9ef932e..82c9129 100644 |
97 | --- a/compat/GnuRegex.c |
98 | +++ b/compat/GnuRegex.c |
99 | @@ -40,6 +40,13 @@ |
100 | |
101 | #if USE_GNUREGEX /* only if squid needs it. Usually not */ |
102 | |
103 | +/* Starting with v12.1, GCC warns of various problems with this ancient code. */ |
104 | +/* GCC versions prior to v12.1 do not support these pragmas. */ |
105 | +#if (__GNUC__ == 12 && __GNUC_MINOR__ >= 1) || (__GNUC__ > 12) |
106 | +#pragma GCC diagnostic ignored "-Warray-bounds" |
107 | +#pragma GCC diagnostic ignored "-Wuse-after-free" |
108 | +#endif |
109 | + |
110 | #if !HAVE_ALLOCA |
111 | #define REGEX_MALLOC 1 |
112 | #endif |
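Review bot: the two `#pragma GCC diagnostic ignored` lines (106-107) silence -Warray-bounds and -Wuse-after-free for the whole translation unit rather than around the specific constructs GCC 12 objects to, which hides any genuine memory-safety finding in this file. The block sits inside `#if USE_GNUREGEX` and the comment on line 101 says it is usually not built, so it would be worth confirming in the build log that the Ubuntu build does not enable USE_GNUREGEX; if it does, narrowing the pragmas with `#pragma GCC diagnostic push` / `pop` around the offending code, or fixing the code, is preferable to a file-wide suppression.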
113 | diff --git a/compat/os/mswindows.h b/compat/os/mswindows.h |
114 | index a819767..cfc9565 100644 |
115 | --- a/compat/os/mswindows.h |
116 | +++ b/compat/os/mswindows.h |
117 | @@ -618,27 +618,31 @@ getsockopt(int s, int l, int o, void * v, socklen_t * n) |
118 | } |
119 | #define getsockopt(s,l,o,v,n) Squid::getsockopt(s,l,o,v,n) |
120 | |
121 | +#if HAVE_DECL_INETNTOPA || HAVE_DECL_INET_NTOP |
122 | inline char * |
123 | inet_ntop(int af, const void *src, char *dst, size_t size) |
124 | { |
125 | #if HAVE_DECL_INETNTOPA |
126 | return (char*)InetNtopA(af, const_cast<void*>(src), dst, size); |
127 | -#else |
128 | +#else // HAVE_DECL_INET_NTOP |
129 | return ::inet_ntop(af, src, dst, size); |
130 | #endif |
131 | } |
132 | #define inet_ntop(a,s,d,l) Squid::inet_ntop(a,s,d,l) |
133 | +#endif // let compat/inet_ntop.h deal with it |
134 | |
135 | +#if HAVE_DECL_INETPTONA || HAVE_DECL_INET_PTON |
136 | inline char * |
137 | inet_pton(int af, const void *src, char *dst) |
138 | { |
139 | #if HAVE_DECL_INETPTONA |
140 | return (char*)InetPtonA(af, const_cast<void*>(src), dst); |
141 | -#else |
142 | +#else // HAVE_DECL_INET_PTON |
143 | return ::inet_pton(af, src, dst); |
144 | #endif |
145 | } |
146 | #define inet_pton(a,s,d) Squid::inet_pton(a,s,d) |
147 | +#endif // let compat/inet_pton.h deal with it |
148 | |
149 | /* Simple ioctl() emulation */ |
150 | inline int |
151 | diff --git a/configure b/configure |
152 | index ef2f3f1..7bffb06 100755 |
153 | --- a/configure |
154 | +++ b/configure |
155 | @@ -1,7 +1,7 @@ |
156 | #! /bin/sh |
157 | # From configure.ac Revision. |
158 | # Guess values for system-dependent variables and create Makefiles. |
159 | -# Generated by GNU Autoconf 2.71 for Squid Web Proxy 5.6. |
160 | +# Generated by GNU Autoconf 2.71 for Squid Web Proxy 5.7. |
161 | # |
162 | # Report bugs to <http://bugs.squid-cache.org/>. |
163 | # |
164 | @@ -626,8 +626,8 @@ MAKEFLAGS= |
165 | # Identity of this package. |
166 | PACKAGE_NAME='Squid Web Proxy' |
167 | PACKAGE_TARNAME='squid' |
168 | -PACKAGE_VERSION='5.6' |
169 | -PACKAGE_STRING='Squid Web Proxy 5.6' |
170 | +PACKAGE_VERSION='5.7' |
171 | +PACKAGE_STRING='Squid Web Proxy 5.7' |
172 | PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' |
173 | PACKAGE_URL='' |
174 | |
175 | @@ -1691,7 +1691,7 @@ if test "$ac_init_help" = "long"; then |
176 | # Omit some internal or obsolete options to make the list less imposing. |
177 | # This message is too long to be a string in the A/UX 3.1 sh. |
178 | cat <<_ACEOF |
179 | -\`configure' configures Squid Web Proxy 5.6 to adapt to many kinds of systems. |
180 | +\`configure' configures Squid Web Proxy 5.7 to adapt to many kinds of systems. |
181 | |
182 | Usage: $0 [OPTION]... [VAR=VALUE]... |
183 | |
184 | @@ -1762,7 +1762,7 @@ fi |
185 | |
186 | if test -n "$ac_init_help"; then |
187 | case $ac_init_help in |
188 | - short | recursive ) echo "Configuration of Squid Web Proxy 5.6:";; |
189 | + short | recursive ) echo "Configuration of Squid Web Proxy 5.7:";; |
190 | esac |
191 | cat <<\_ACEOF |
192 | |
193 | @@ -2196,7 +2196,7 @@ fi |
194 | test -n "$ac_init_help" && exit $ac_status |
195 | if $ac_init_version; then |
196 | cat <<\_ACEOF |
197 | -Squid Web Proxy configure 5.6 |
198 | +Squid Web Proxy configure 5.7 |
199 | generated by GNU Autoconf 2.71 |
200 | |
201 | Copyright (C) 2021 Free Software Foundation, Inc. |
202 | @@ -3209,7 +3209,7 @@ cat >config.log <<_ACEOF |
203 | This file contains any messages produced by compilers while |
204 | running configure, to aid debugging if configure makes a mistake. |
205 | |
206 | -It was created by Squid Web Proxy $as_me 5.6, which was |
207 | +It was created by Squid Web Proxy $as_me 5.7, which was |
208 | generated by GNU Autoconf 2.71. Invocation command line was |
209 | |
210 | $ $0$ac_configure_args_raw |
211 | @@ -4701,7 +4701,7 @@ fi |
212 | |
213 | # Define the identity of the package. |
214 | PACKAGE='squid' |
215 | - VERSION='5.6' |
216 | + VERSION='5.7' |
217 | |
218 | |
219 | printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h |
220 | @@ -25257,6 +25257,12 @@ then : |
221 | printf "%s\n" "#define HAVE_OPENSSL_CRYPTO_H 1" >>confdefs.h |
222 | |
223 | fi |
224 | +ac_fn_cxx_check_header_compile "$LINENO" "openssl/decoder.h" "ac_cv_header_openssl_decoder_h" "$ac_includes_default" |
225 | +if test "x$ac_cv_header_openssl_decoder_h" = xyes |
226 | +then : |
227 | + printf "%s\n" "#define HAVE_OPENSSL_DECODER_H 1" >>confdefs.h |
228 | + |
229 | +fi |
230 | ac_fn_cxx_check_header_compile "$LINENO" "openssl/dh.h" "ac_cv_header_openssl_dh_h" "$ac_includes_default" |
231 | if test "x$ac_cv_header_openssl_dh_h" = xyes |
232 | then : |
233 | @@ -48442,7 +48448,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 |
234 | # report actual input values of CONFIG_FILES etc. instead of their |
235 | # values after options handling. |
236 | ac_log=" |
237 | -This file was extended by Squid Web Proxy $as_me 5.6, which was |
238 | +This file was extended by Squid Web Proxy $as_me 5.7, which was |
239 | generated by GNU Autoconf 2.71. Invocation command line was |
240 | |
241 | CONFIG_FILES = $CONFIG_FILES |
242 | @@ -48510,7 +48516,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\ |
243 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
244 | ac_cs_config='$ac_cs_config_escaped' |
245 | ac_cs_version="\\ |
246 | -Squid Web Proxy config.status 5.6 |
247 | +Squid Web Proxy config.status 5.7 |
248 | configured by $0, generated by GNU Autoconf 2.71, |
249 | with options \\"\$ac_cs_config\\" |
250 | |
251 | diff --git a/configure.ac b/configure.ac |
252 | index 0cf6f9a..17aac0d 100644 |
253 | --- a/configure.ac |
254 | +++ b/configure.ac |
255 | @@ -5,7 +5,7 @@ |
256 | ## Please see the COPYING and CONTRIBUTORS files for details. |
257 | ## |
258 | |
259 | -AC_INIT([Squid Web Proxy],[5.6],[http://bugs.squid-cache.org/],[squid]) |
260 | +AC_INIT([Squid Web Proxy],[5.7],[http://bugs.squid-cache.org/],[squid]) |
261 | AC_PREREQ(2.61) |
262 | AC_CONFIG_HEADERS([include/autoconf.h]) |
263 | AC_CONFIG_AUX_DIR(cfgaux) |
264 | @@ -1333,6 +1333,7 @@ if test "x$with_openssl" = "xyes"; then |
265 | openssl/bio.h \ |
266 | openssl/bn.h \ |
267 | openssl/crypto.h \ |
268 | + openssl/decoder.h \ |
269 | openssl/dh.h \ |
270 | openssl/err.h \ |
271 | openssl/evp.h \ |
272 | diff --git a/debian/NEWS b/debian/NEWS |
273 | index 83136fb..e229d83 100644 |
274 | --- a/debian/NEWS |
275 | +++ b/debian/NEWS |
276 | @@ -1,3 +1,15 @@ |
277 | +squid (5.7-0ubuntu0.22.10.1) kinetic; urgency=medium |
278 | + |
279 | + The support for the "ssl_engine" configuration directive has been dropped, |
280 | + meaning squid would fail to start for installations using that directive. |
281 | + There is no current workaround for this issue since squid does not provide |
282 | + support for OpenSSL >= 3 Providers yet. Therefore, your ssl_engine |
283 | + configuration directive will be commented out (if present) to avoid service |
284 | + disruption on upgrades. You can find more context on that particular change |
285 | + at https://github.com/squid-cache/squid/pull/694. |
286 | + |
287 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Thu, 06 Apr 2023 18:27:15 -0300 |
288 | + |
289 | squid (5.1-2) unstable; urgency=medium |
290 | |
291 | ext_session_acl and ext_time_quota_acl helpers have been switched from |
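Review bot: the NEWS text (lines 279-285) promises that "your ssl_engine configuration directive will be commented out" without saying where the maintainer script looks; the postinst in this same diff only rewrites files named *.conf under /etc/squid/, so a directive in a file with another name, or in a file pulled in via `include` from elsewhere, is left alone and squid will still refuse to start after the upgrade. Suggest stating that scope here (for example "in *.conf files under /etc/squid/") and quoting the marker comment that gets inserted, so administrators can grep for it.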
292 | diff --git a/debian/changelog b/debian/changelog |
293 | index 396cc68..4f6976a 100644 |
294 | --- a/debian/changelog |
295 | +++ b/debian/changelog |
296 | @@ -1,3 +1,25 @@ |
297 | +squid (5.7-0ubuntu0.22.10.1) kinetic; urgency=medium |
298 | + |
299 | + * New upstream version. (LP: #2013423): |
300 | + - Add OpenSSL 3.0 support for features that were already supported by |
301 | + squid. No new OpenSSL 3.0 feature support added at this time. |
302 | + - Drop support for the libssl custom Engine feature for builds linked to |
303 | + OpenSSL 3.0. Therefore, the configuration directive ssl_engine is no |
304 | + longer supported for builds using OpenSSL >= 3. |
305 | + - For a comprehensive list of changes, please see |
306 | + http://www.squid-cache.org/Versions/v5/ChangeLog.html. |
307 | + * d/p/0006-Fix-build-against-OpenSSL-3-0.patch: drop downstream |
308 | + OpenSSL 3 support patch. |
309 | + [ Fixed in 5.7 ] |
310 | + * d/p/CVE-2022-41317.patch: drop patch to fix typo in manager ACL. |
311 | + [ Fixed in 5.7 ] |
312 | + * d/p/CVE-2022-41318.patch: drop patch to fix NTLM decoder truncated strings. |
313 | + [ Fixed in 5.7 ] |
314 | + * d/squid-openssl.postinst: remove ssl_engine configuration directive. |
315 | + * d/NEWS: document end of support of the ssh_engine directive. |
316 | + |
317 | + -- Athos Ribeiro <athos.ribeiro@canonical.com> Thu, 30 Mar 2023 07:27:09 -0300 |
318 | + |
319 | squid (5.6-1ubuntu3.1) kinetic; urgency=medium |
320 | |
321 | * Make builds fail when upstream test suite fails (LP: #2004050): |
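Review bot: line 315 reads "ssh_engine" where the directive being documented is `ssl_engine` (as spelled on line 314 and throughout debian/NEWS); the same typo is in the commit message of 75524db, so it should be fixed in both before upload.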
322 | diff --git a/debian/patches/0006-Fix-build-against-OpenSSL-3-0.patch b/debian/patches/0006-Fix-build-against-OpenSSL-3-0.patch |
323 | deleted file mode 100644 |
324 | index a8f2916..0000000 |
325 | --- a/debian/patches/0006-Fix-build-against-OpenSSL-3-0.patch |
326 | +++ /dev/null |
327 | @@ -1,210 +0,0 @@ |
328 | -From: Nicholas Guriev <guriev-ns@ya.ru> |
329 | -Date: Tue, 31 May 2022 22:31:08 +0300 |
330 | -Subject: Make build against OpenSSL-3.0 possible |
331 | - In OpenSSL, the SSL_get_ex_new_index macro (substituted to |
332 | - CRYPTO_get_ex_new_index) requires CRYPTO_EX_dup as the second callback. This |
333 | - typedef, for some reason, has got an extra asterisk near void* within |
334 | - arguments into the third version. Freely conversions from void* to void** is |
335 | - okay in C but prohibited in C++. So I've updated the callback prototype to |
336 | - match the last OpenSSL version. |
337 | - . |
338 | - OpenSSL pre-3.0 defined all of the SSL_OP_* macros with numeric hexadecimal |
339 | - literals. However, the third version uses there casting expressions with |
340 | - shifts which preprocessor is unable to compute. So I check only macros |
341 | - existence, this lets Squid accept obsolete options. But it's nothing, |
342 | - OpenSSL should ignore them anyway. |
343 | - |
344 | ---- |
345 | - acinclude/lib-checks.m4 | 2 - |
346 | - src/security/PeerOptions.cc | 50 ++++++++++++++++++++++---------------------- |
347 | - src/ssl/support.cc | 2 - |
348 | - 3 files changed, 27 insertions(+), 27 deletions(-) |
349 | - |
350 | ---- a/acinclude/lib-checks.m4 |
351 | -+++ b/acinclude/lib-checks.m4 |
352 | -@@ -236,7 +236,7 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_CRYP |
353 | - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([ |
354 | - #include <openssl/ssl.h> |
355 | - |
356 | --int const_dup_func(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, int, long, void *) { |
357 | -+int const_dup_func(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **, int, long, void *) { |
358 | - return 0; |
359 | - } |
360 | - ],[ |
361 | ---- a/src/security/PeerOptions.cc |
362 | -+++ b/src/security/PeerOptions.cc |
363 | -@@ -297,130 +297,130 @@ static struct ssl_option { |
364 | - |
365 | - } ssl_options[] = { |
366 | - |
367 | --#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG |
368 | -+#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG |
369 | - { |
370 | - "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG |
371 | - }, |
372 | - #endif |
373 | --#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
374 | -+#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
375 | - { |
376 | - "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
377 | - }, |
378 | - #endif |
379 | --#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER |
380 | -+#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER |
381 | - { |
382 | - "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER |
383 | - }, |
384 | - #endif |
385 | --#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG |
386 | -+#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG |
387 | - { |
388 | - "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG |
389 | - }, |
390 | - #endif |
391 | --#if SSL_OP_TLS_D5_BUG |
392 | -+#ifdef SSL_OP_TLS_D5_BUG |
393 | - { |
394 | - "TLS_D5_BUG", SSL_OP_TLS_D5_BUG |
395 | - }, |
396 | - #endif |
397 | --#if SSL_OP_TLS_BLOCK_PADDING_BUG |
398 | -+#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG |
399 | - { |
400 | - "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG |
401 | - }, |
402 | - #endif |
403 | --#if SSL_OP_TLS_ROLLBACK_BUG |
404 | -+#ifdef SSL_OP_TLS_ROLLBACK_BUG |
405 | - { |
406 | - "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG |
407 | - }, |
408 | - #endif |
409 | --#if SSL_OP_ALL |
410 | -+#ifdef SSL_OP_ALL |
411 | - { |
412 | - "ALL", (long)SSL_OP_ALL |
413 | - }, |
414 | - #endif |
415 | --#if SSL_OP_SINGLE_DH_USE |
416 | -+#ifdef SSL_OP_SINGLE_DH_USE |
417 | - { |
418 | - "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE |
419 | - }, |
420 | - #endif |
421 | --#if SSL_OP_EPHEMERAL_RSA |
422 | -+#ifdef SSL_OP_EPHEMERAL_RSA |
423 | - { |
424 | - "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA |
425 | - }, |
426 | - #endif |
427 | --#if SSL_OP_PKCS1_CHECK_1 |
428 | -+#ifdef SSL_OP_PKCS1_CHECK_1 |
429 | - { |
430 | - "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 |
431 | - }, |
432 | - #endif |
433 | --#if SSL_OP_PKCS1_CHECK_2 |
434 | -+#ifdef SSL_OP_PKCS1_CHECK_2 |
435 | - { |
436 | - "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 |
437 | - }, |
438 | - #endif |
439 | --#if SSL_OP_NETSCAPE_CA_DN_BUG |
440 | -+#ifdef SSL_OP_NETSCAPE_CA_DN_BUG |
441 | - { |
442 | - "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG |
443 | - }, |
444 | - #endif |
445 | --#if SSL_OP_NON_EXPORT_FIRST |
446 | -+#ifdef SSL_OP_NON_EXPORT_FIRST |
447 | - { |
448 | - "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST |
449 | - }, |
450 | - #endif |
451 | --#if SSL_OP_CIPHER_SERVER_PREFERENCE |
452 | -+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE |
453 | - { |
454 | - "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE |
455 | - }, |
456 | - #endif |
457 | --#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG |
458 | -+#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG |
459 | - { |
460 | - "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG |
461 | - }, |
462 | - #endif |
463 | --#if SSL_OP_NO_SSLv3 |
464 | -+#ifdef SSL_OP_NO_SSLv3 |
465 | - { |
466 | - "NO_SSLv3", SSL_OP_NO_SSLv3 |
467 | - }, |
468 | - #endif |
469 | --#if SSL_OP_NO_TLSv1 |
470 | -+#ifdef SSL_OP_NO_TLSv1 |
471 | - { |
472 | - "NO_TLSv1", SSL_OP_NO_TLSv1 |
473 | - }, |
474 | - #else |
475 | - { "NO_TLSv1", 0 }, |
476 | - #endif |
477 | --#if SSL_OP_NO_TLSv1_1 |
478 | -+#ifdef SSL_OP_NO_TLSv1_1 |
479 | - { |
480 | - "NO_TLSv1_1", SSL_OP_NO_TLSv1_1 |
481 | - }, |
482 | - #else |
483 | - { "NO_TLSv1_1", 0 }, |
484 | - #endif |
485 | --#if SSL_OP_NO_TLSv1_2 |
486 | -+#ifdef SSL_OP_NO_TLSv1_2 |
487 | - { |
488 | - "NO_TLSv1_2", SSL_OP_NO_TLSv1_2 |
489 | - }, |
490 | - #else |
491 | - { "NO_TLSv1_2", 0 }, |
492 | - #endif |
493 | --#if SSL_OP_NO_TLSv1_3 |
494 | -+#ifdef SSL_OP_NO_TLSv1_3 |
495 | - { |
496 | - "NO_TLSv1_3", SSL_OP_NO_TLSv1_3 |
497 | - }, |
498 | - #else |
499 | - { "NO_TLSv1_3", 0 }, |
500 | - #endif |
501 | --#if SSL_OP_NO_COMPRESSION |
502 | -+#ifdef SSL_OP_NO_COMPRESSION |
503 | - { |
504 | - "No_Compression", SSL_OP_NO_COMPRESSION |
505 | - }, |
506 | - #endif |
507 | --#if SSL_OP_NO_TICKET |
508 | -+#ifdef SSL_OP_NO_TICKET |
509 | - { |
510 | - "NO_TICKET", SSL_OP_NO_TICKET |
511 | - }, |
512 | - #endif |
513 | --#if SSL_OP_SINGLE_ECDH_USE |
514 | -+#ifdef SSL_OP_SINGLE_ECDH_USE |
515 | - { |
516 | - "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE |
517 | - }, |
518 | -@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions() |
519 | - |
520 | - } |
521 | - |
522 | --#if SSL_OP_NO_SSLv2 |
523 | -+#ifdef SSL_OP_NO_SSLv2 |
524 | - // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 |
525 | - op = op | SSL_OP_NO_SSLv2; |
526 | - #endif |
527 | ---- a/src/ssl/support.cc |
528 | -+++ b/src/ssl/support.cc |
529 | -@@ -559,7 +559,7 @@ Ssl::VerifyCallbackParameters::At(Securi |
530 | - // "dup" function for SSL_get_ex_new_index("cert_err_check") |
531 | - #if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP |
532 | - static int |
533 | --ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, |
534 | -+ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **, |
535 | - int, long, void *) |
536 | - #else |
537 | - static int |
538 | diff --git a/debian/patches/CVE-2022-41317.patch b/debian/patches/CVE-2022-41317.patch |
539 | deleted file mode 100644 |
540 | index c5447db..0000000 |
541 | --- a/debian/patches/CVE-2022-41317.patch |
542 | +++ /dev/null |
543 | @@ -1,19 +0,0 @@ |
544 | -commit 55151c545a8e0bd2cb69036da5794c9cb21018b2 |
545 | -Author: Amos Jeffries <yadij@users.noreply.github.com> |
546 | -Date: 2022-08-17 23:32:43 +0000 |
547 | - |
548 | - Fix typo in manager ACL (#1113) |
549 | - |
550 | -diff --git a/src/cf.data.pre b/src/cf.data.pre |
551 | -index a0bdb2f83..118256437 100644 |
552 | ---- a/src/cf.data.pre |
553 | -+++ b/src/cf.data.pre |
554 | -@@ -1036,7 +1036,7 @@ DEFAULT: ssl::certUntrusted ssl_error X509_V_ERR_INVALID_CA X509_V_ERR_SELF_SIGN |
555 | - DEFAULT: ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT |
556 | - ENDIF |
557 | - DEFAULT: all src all |
558 | --DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/ |
559 | -+DEFAULT: manager url_regex -i ^cache_object:// +i ^[^:]+://[^/]+/squid-internal-mgr/ |
560 | - DEFAULT: localhost src 127.0.0.1/32 ::1 |
561 | - DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1/128 ::/128 |
562 | - DEFAULT: CONNECT method CONNECT |
563 | diff --git a/debian/patches/CVE-2022-41318.patch b/debian/patches/CVE-2022-41318.patch |
564 | deleted file mode 100644 |
565 | index 02a66ea..0000000 |
566 | --- a/debian/patches/CVE-2022-41318.patch |
567 | +++ /dev/null |
568 | @@ -1,36 +0,0 @@ |
569 | -commit 8eca72c14f94e8591b0d40bd6210ec68d1e54c46 |
570 | -Author: Amos Jeffries <yadij@users.noreply.github.com> |
571 | -Date: 2022-08-09 23:34:54 +0000 |
572 | - |
573 | - Bug 3193 pt2: NTLM decoder truncating strings (#1114) |
574 | - |
575 | - The initial bug fix overlooked large 'offset' causing integer |
576 | - wrap to extract a too-short length string. |
577 | - |
578 | - Improve debugs and checks sequence to clarify cases and ensure |
579 | - that all are handled correctly. |
580 | - |
581 | ---- a/lib/ntlmauth/ntlmauth.cc |
582 | -+++ b/lib/ntlmauth/ntlmauth.cc |
583 | -@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, |
584 | - int32_t o = le32toh(str->offset); |
585 | - // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o); |
586 | - |
587 | -- if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) { |
588 | -- debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); |
589 | -+ if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) { |
590 | -+ debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); |
591 | - return rv; |
592 | - } |
593 | -+ else if (o <= 0 || o > packet_size) { |
594 | -+ debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); |
595 | -+ return rv; |
596 | -+ } |
597 | -+ else if (l > packet_size - o) { |
598 | -+ debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); |
599 | -+ return rv; |
600 | -+ } |
601 | -+ |
602 | - rv.str = (char *)packet + o; |
603 | - rv.l = 0; |
604 | - if ((flags & NTLM_NEGOTIATE_ASCII) == 0) { |
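Review bot: dropping debian/patches/CVE-2022-41318.patch is justified only because the identical change now ships upstream; the same three-step check sequence (length, then offset, then `l > packet_size - o`) appears verbatim in the lib/ntlmauth/ntlmauth.cc hunk later in this diff, so no protection is lost. The debian/changelog entry should record the patch as superseded by the upstream 5.7 fix rather than simply removed, so a later security audit of this package can see the CVE is still covered.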
605 | diff --git a/debian/patches/series b/debian/patches/series |
606 | index 8c2318e..eb9acfd 100644 |
607 | --- a/debian/patches/series |
608 | +++ b/debian/patches/series |
609 | @@ -1,10 +1,7 @@ |
610 | 0001-Default-configuration-file-for-debian.patch |
611 | 0002-Change-default-file-locations-for-debian.patch |
612 | 0005-Use-RuntimeDirectory-to-create-run-squid.patch |
613 | -0006-Fix-build-against-OpenSSL-3-0.patch |
614 | 90-cf.data.ubuntu.patch |
615 | 99-ubuntu-ssl-cert-snakeoil.patch |
616 | fix-max-pkt-sz-for-icmpEchoData-padding.patch |
617 | 0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch |
618 | -CVE-2022-41317.patch |
619 | -CVE-2022-41318.patch |
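Review bot: three patches leave the series here, but only two of the removals are backed by evidence visible in this diff: the CVE-2022-41318 fix reappears in the upstream lib/ntlmauth/ntlmauth.cc hunk, and 0006-Fix-build-against-OpenSSL-3-0.patch is covered by the new "OpenSSL 3.0 Support" release-notes section. Nothing shown here demonstrates that 5.7 carries the CVE-2022-41317 fix, so please confirm the corresponding upstream commit is present before CVE-2022-41317.patch is dropped, and name it in the changelog.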
620 | diff --git a/debian/squid-openssl.postinst b/debian/squid-openssl.postinst |
621 | index f64fd49..8c3e4e0 100644 |
622 | --- a/debian/squid-openssl.postinst |
623 | +++ b/debian/squid-openssl.postinst |
624 | @@ -1,6 +1,12 @@ |
625 | #! /bin/sh |
626 | |
627 | set -e |
628 | +remove_ssl_engine_config() { |
629 | + match='^([ \t]*ssl_engine[ \t].*)$' |
630 | + doc='# ssl_engine is no longer supported since squid 5.7 (LP: #2013423).' |
631 | + find /etc/squid/ -type f,l -name "*.conf" -exec \ |
632 | + sed -Ei "s/${match}/${doc}\n# \1/" '{}' \; |
633 | +} |
634 | |
635 | grepconf () { |
636 | w=" " # space tab |
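Review bot: in remove_ssl_engine_config, `find /etc/squid/ -type f,l` deliberately includes symlinks, but `sed -Ei` without `--follow-symlinks` replaces a symlinked `*.conf` with a regular file inside /etc/squid/, silently detaching it from the real configuration it pointed to; either restrict the search to `-type f` or add `--follow-symlinks` to the sed call. `-type f,l` and `\t` inside a bracket expression are GNU extensions, which is fine on Ubuntu but worth a one-line comment. On the positive side the rewrite is idempotent: the pattern only matches lines beginning with optional whitespace and `ssl_engine`, so the commented-out `# ssl_engine` line produced by a first run is not matched again if the script is re-executed.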
637 | @@ -70,6 +76,14 @@ case "$1" in |
638 | chmod u+s $PINGER |
639 | fi |
640 | |
641 | + # |
642 | + # Remove the unsupported ssl_engine configuration directive, if present. |
643 | + # LP: #2013423 |
644 | + # |
645 | + if dpkg --compare-versions "$2" lt-nl "5.7"; then |
646 | + remove_ssl_engine_config |
647 | + fi |
648 | + |
649 | ;; |
650 | abort-upgrade|abort-remove|abort-deconfigure) |
651 | ;; |
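Review bot: invoking remove_ssl_engine_config from postinst rewrites files under /etc/squid/, and the squid.conf there is a dpkg conffile; Debian Policy 10.7.3 forbids maintainer scripts from modifying conffiles, and the edit changes the file's checksum, so the next upgrade that ships a modified squid.conf will present a conffile prompt to every user this code touched. If the rewrite is kept, at least log which file was changed, test that the file actually contains an `ssl_engine` line before touching it, and document the behaviour in debian/NEWS; otherwise consider leaving the directive in place and relying on the documented removal. The `dpkg --compare-versions "$2" lt-nl "5.7"` guard itself is correct: on a fresh install `$2` is empty and the rewrite is skipped.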
652 | diff --git a/doc/release-notes/release-5.html b/doc/release-notes/release-5.html |
653 | index a037de3..7369f54 100644 |
654 | --- a/doc/release-notes/release-5.html |
655 | +++ b/doc/release-notes/release-5.html |
656 | @@ -3,10 +3,10 @@ |
657 | <HEAD> |
658 | <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.82"> |
659 | <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> |
660 | - <TITLE>Squid 5.6 release notes</TITLE> |
661 | + <TITLE>Squid 5.7 release notes</TITLE> |
662 | </HEAD> |
663 | <BODY> |
664 | -<H1>Squid 5.6 release notes</H1> |
665 | +<H1>Squid 5.7 release notes</H1> |
666 | |
667 | <H2>Squid Developers</H2> |
668 | <HR> |
669 | @@ -31,6 +31,7 @@ for Applied Network Research and members of the Web Caching community.</EM> |
670 | <LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">TrivialDB Support</A> |
671 | <LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Loop Detection in Content Delivery Networks</A> |
672 | <LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Peering support for SSL-Bump</A> |
673 | +<LI><A NAME="toc2.7">2.7</A> <A HREF="#ss2.7">OpenSSL 3.0 Support</A> |
674 | </UL> |
675 | <P> |
676 | <H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-4</A></H2> |
677 | @@ -61,7 +62,7 @@ for Applied Network Research and members of the Web Caching community.</EM> |
678 | <HR> |
679 | <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2> |
680 | |
681 | -<P>The Squid Team are pleased to announce the release of Squid-5.6.</P> |
682 | +<P>The Squid Team are pleased to announce the release of Squid-5.7.</P> |
683 | <P>This new release is available for download from |
684 | <A HREF="http://www.squid-cache.org/Versions/v5/">http://www.squid-cache.org/Versions/v5/</A> or the |
685 | <A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P> |
686 | @@ -95,6 +96,7 @@ for how to submit a report with a stack trace.</P> |
687 | <LI>TrivialDB Support</LI> |
688 | <LI>RFC 8586: Loop Detection in Content Delivery Networks</LI> |
689 | <LI>Peering support for SSL-Bump</LI> |
690 | +<LI>OpenSSL 3.0 Support</LI> |
691 | </UL> |
692 | </P> |
693 | <P>Most user-facing changes are reflected in squid.conf (see below).</P> |
694 | @@ -220,6 +222,21 @@ see TLS client handshake) <EM>before</EM> selecting the cache_peer.</P> |
695 | yet do TLS-in-TLS.</P> |
696 | |
697 | |
698 | +<H2><A NAME="ss2.7">2.7</A> <A HREF="#toc2.7">OpenSSL 3.0 Support</A> |
699 | +</H2> |
700 | + |
701 | +<P>Squid-5.7 adds OpenSSL 3.0 support.</P> |
702 | + |
703 | +<P>This version of Squid does not add any of the new features provided by |
704 | +OpenSSL 3.0. It only contains support for features already supported by prior |
705 | +versions of Squid using new APIs provided by OpenSSL 3.0.</P> |
706 | + |
707 | +<P>Notably the libssl custom Engine feature has been deprecated by OpenSSL 3.0 |
708 | +and new Providers replacement is not supported by this Squid.</P> |
709 | + |
710 | +<P>OpenSSL 3.0 uses new licensing terms.</P> |
711 | + |
712 | + |
713 | <H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-4</A></H2> |
714 | |
715 | <P>There have been changes to Squid's configuration file since Squid-4.</P> |
716 | @@ -364,6 +381,10 @@ code to indicate the response was received from server using TLS/1.3.</P> |
717 | <P>Codes <EM>rm</EM>, <EM><rm</EM> and <EM>>rm</EM> display "-" |
718 | instead of the made-up method NONE.</P> |
719 | |
720 | +<DT><B>ssl_engine</B><DD> |
721 | +<P>OpenSSL 3.0 deprecates the Engine feature. This directive is |
722 | +only supported when Squid is built for older OpenSSL versions.</P> |
723 | + |
724 | </DL> |
725 | </P> |
726 | |
727 | diff --git a/include/autoconf.h.in b/include/autoconf.h.in |
728 | index fe0a3da..92533bf 100644 |
729 | --- a/include/autoconf.h.in |
730 | +++ b/include/autoconf.h.in |
731 | @@ -772,6 +772,9 @@ |
732 | /* Define to 1 if you have the <openssl/crypto.h> header file. */ |
733 | #undef HAVE_OPENSSL_CRYPTO_H |
734 | |
735 | +/* Define to 1 if you have the <openssl/decoder.h> header file. */ |
736 | +#undef HAVE_OPENSSL_DECODER_H |
737 | + |
738 | /* Define to 1 if you have the <openssl/dh.h> header file. */ |
739 | #undef HAVE_OPENSSL_DH_H |
740 | |
741 | diff --git a/include/version.h b/include/version.h |
742 | index 77b3d91..14c1335 100644 |
743 | --- a/include/version.h |
744 | +++ b/include/version.h |
745 | @@ -7,7 +7,7 @@ |
746 | */ |
747 | |
748 | #ifndef SQUID_RELEASE_TIME |
749 | -#define SQUID_RELEASE_TIME 1654468914 |
750 | +#define SQUID_RELEASE_TIME 1662392113 |
751 | #endif |
752 | |
753 | /* |
754 | diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc |
755 | index 7e2156d..dac8a7e 100644 |
756 | --- a/lib/ntlmauth/ntlmauth.cc |
757 | +++ b/lib/ntlmauth/ntlmauth.cc |
758 | @@ -12,6 +12,7 @@ |
759 | #include "squid.h" |
760 | |
761 | #include <cstring> |
762 | +#include <ctime> |
763 | #include <random> |
764 | #if HAVE_STRINGS_H |
765 | #include <strings.h> |
766 | @@ -107,10 +108,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr |
767 | int32_t o = le32toh(str->offset); |
768 | // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o); |
769 | |
770 | - if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) { |
771 | - debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); |
772 | + if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) { |
773 | + debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); |
774 | return rv; |
775 | } |
776 | + else if (o <= 0 || o > packet_size) { |
777 | + debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); |
778 | + return rv; |
779 | + } |
780 | + else if (l > packet_size - o) { |
781 | + debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); |
782 | + return rv; |
783 | + } |
784 | + |
785 | rv.str = (char *)packet + o; |
786 | rv.l = 0; |
787 | if ((flags & NTLM_NEGOTIATE_ASCII) == 0) { |
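Review bot: the replacement check sequence is sound: once `l` is bounded by NTLM_MAX_FIELD_LENGTH and `o` by the half-open range (0, packet_size], `packet_size - o` is non-negative and `l > packet_size - o` cannot wrap the way the old `o + l > packet_size` test could with a large attacker-supplied offset, which is the integer-wrap described in the removed debian patch header. One boundary deserves a code comment: `o == packet_size` together with `l == 0` passes all three checks and leaves `rv.str` pointing one past the end of the packet with `rv.l` zero, which is harmless only as long as every caller honours `rv.l` before dereferencing. This hunk is identical to the debian/patches/CVE-2022-41318.patch content being deleted earlier in this diff, which is what justifies that deletion.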
788 | diff --git a/src/FwdState.cc b/src/FwdState.cc |
789 | index e493a88..bdcfcd6 100644 |
790 | --- a/src/FwdState.cc |
791 | +++ b/src/FwdState.cc |
792 | @@ -641,7 +641,6 @@ FwdState::noteDestination(Comm::ConnectionPointer path) |
793 | if (transporting()) |
794 | return; // and continue to receive destinations for backup |
795 | |
796 | - // This is the first path candidate we have seen. Use it. |
797 | useDestinations(); |
798 | } |
799 | |
800 | @@ -657,12 +656,8 @@ FwdState::noteDestinationsEnd(ErrorState *selectionError) |
801 | Must(!err); // if we tried to connect, then path selection succeeded |
802 | fail(selectionError); |
803 | } |
804 | - else if (err) |
805 | - debugs(17, 3, "Will abort forwarding because all found paths have failed."); |
806 | - else |
807 | - debugs(17, 3, "Will abort forwarding because path selection found no paths."); |
808 | |
809 | - useDestinations(); // will detect and handle the lack of paths |
810 | + stopAndDestroy("path selection found no paths"); |
811 | return; |
812 | } |
813 | // else continue to use one of the previously noted destinations; |
814 | @@ -675,7 +670,16 @@ FwdState::noteDestinationsEnd(ErrorState *selectionError) |
815 | return; // and continue to wait for FwdState::noteConnection() callback |
816 | } |
817 | |
818 | - Must(transporting()); // or we would be stuck with nothing to do or wait for |
819 | + if (transporting()) { |
820 | + // We are already using a previously opened connection (but were also |
821 | + // receiving more destinations in case we need to re-forward). |
822 | + debugs(17, 7, "keep transporting"); |
823 | + return; |
824 | + } |
825 | + |
826 | + // destinationsFound, but none of them worked, and we were waiting for more |
827 | + assert(err); |
828 | + stopAndDestroy("all found paths have failed"); |
829 | } |
830 | |
831 | /// makes sure connection opener knows that the destinations have changed |
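Review bot: the new tail of noteDestinationsEnd() uses `assert(err)`, while the same function (see the `Must(!err)` context in the previous hunk) otherwise uses `Must()`; an `assert` failure aborts the entire worker on one bad forwarding state, whereas `Must` throws and lets just that transaction be failed. Unless an invariant violation here is genuinely unrecoverable, `Must(err)` is the safer and more consistent choice. The `transporting()` early return is a real fix: the old `Must(transporting())` threw in exactly the "all found paths have failed" case that is now handled by `stopAndDestroy`.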
832 | diff --git a/src/HappyConnOpener.cc b/src/HappyConnOpener.cc |
833 | index 6d83ff1..a9f2df5 100644 |
834 | --- a/src/HappyConnOpener.cc |
835 | +++ b/src/HappyConnOpener.cc |
836 | @@ -568,8 +568,6 @@ HappyConnOpener::openFreshConnection(Attempt &attempt, PeerConnectionPointer &de |
837 | const auto conn = dest->cloneProfile(); |
838 | GetMarkingsToServer(cause.getRaw(), *conn); |
839 | |
840 | - ++n_tries; |
841 | - |
842 | typedef CommCbMemFunT<HappyConnOpener, CommConnectCbParams> Dialer; |
843 | AsyncCall::Pointer callConnect = asyncCall(48, 5, attempt.callbackMethodName, |
844 | Dialer(this, attempt.callbackMethod)); |
845 | @@ -611,6 +609,8 @@ HappyConnOpener::handleConnOpenerAnswer(Attempt &attempt, const CommConnectCbPar |
846 | handledPath.finalize(params.conn); // closed on errors |
847 | attempt.finish(); |
848 | |
849 | + ++n_tries; |
850 | + |
851 | if (params.flag == Comm::OK) { |
852 | sendSuccess(handledPath, false, what); |
853 | return; |
854 | diff --git a/src/HappyConnOpener.h b/src/HappyConnOpener.h |
855 | index c57c431..63e4df9 100644 |
856 | --- a/src/HappyConnOpener.h |
857 | +++ b/src/HappyConnOpener.h |
858 | @@ -258,7 +258,8 @@ private: |
859 | /// the request that needs a to-server connection |
860 | HttpRequestPointer cause; |
861 | |
862 | - /// number of connection opening attempts, including those in the requestor |
863 | + /// number of our finished connection opening attempts (including pconn |
864 | + /// reuses) plus previously finished attempts supplied by the requestor |
865 | int n_tries; |
866 | |
867 | /// Reason to ran out of time or attempts |
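Review bot: the revised doc comment states that n_tries counts "finished connection opening attempts (including pconn reuses)", but the only increment visible in this diff is the one moved from openFreshConnection() into handleConnOpenerAnswer(), which covers freshly opened connections only. Please confirm the persistent-connection reuse path also increments n_tries; if it does not, the comment overstates what is counted and the forward_max_tries documentation updated in src/cf.data.pre in this same diff (unfinished Happy Eyeballs attempts are not counted) would be describing a counter that also misses reuse attempts.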
868 | diff --git a/src/HttpHeaderTools.h b/src/HttpHeaderTools.h |
869 | index d017dfe..3720864 100644 |
870 | --- a/src/HttpHeaderTools.h |
871 | +++ b/src/HttpHeaderTools.h |
872 | @@ -67,7 +67,7 @@ public: |
873 | private: |
874 | /// Case-insensitive std::string "less than" comparison functor. |
875 | /// Fast version recommended by Meyers' "Effective STL" for ASCII c-strings. |
876 | - class NoCaseLessThan: public std::binary_function<std::string, std::string, bool> |
877 | + class NoCaseLessThan |
878 | { |
879 | public: |
880 | bool operator()(const std::string &lhs, const std::string &rhs) const { |
881 | diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc |
882 | index 91a9ba9..2be5342 100644 |
883 | --- a/src/acl/RegexData.cc |
884 | +++ b/src/acl/RegexData.cc |
885 | @@ -83,6 +83,9 @@ ACLRegexData::dump() const |
886 | static const char * |
887 | removeUnnecessaryWildcards(char * t) |
888 | { |
889 | + if (strcmp(t, ".*") == 0) // we cannot simplify that further |
890 | + return t; // avoid "WARNING: ... Using '.*' instead" below |
891 | + |
892 | char * orig = t; |
893 | |
894 | if (strncmp(t, "^.*", 3) == 0) |
895 | diff --git a/src/acl/external/SQL_session/ext_sql_session_acl.8 b/src/acl/external/SQL_session/ext_sql_session_acl.8 |
896 | index 9ddf338..6a22fd7 100644 |
897 | --- a/src/acl/external/SQL_session/ext_sql_session_acl.8 |
898 | +++ b/src/acl/external/SQL_session/ext_sql_session_acl.8 |
899 | @@ -133,7 +133,7 @@ |
900 | .\" ======================================================================== |
901 | .\" |
902 | .IX Title "EXT_SQL_SESSION_ACL 8" |
903 | -.TH EXT_SQL_SESSION_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" |
904 | +.TH EXT_SQL_SESSION_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
905 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
906 | .\" way too many mistakes in technical documents. |
907 | .if n .ad l |
908 | diff --git a/src/acl/external/delayer/ext_delayer_acl.8 b/src/acl/external/delayer/ext_delayer_acl.8 |
909 | index a7783de..1149322 100644 |
910 | --- a/src/acl/external/delayer/ext_delayer_acl.8 |
911 | +++ b/src/acl/external/delayer/ext_delayer_acl.8 |
912 | @@ -133,7 +133,7 @@ |
913 | .\" ======================================================================== |
914 | .\" |
915 | .IX Title "EXT_DELAYER_ACL 8" |
916 | -.TH EXT_DELAYER_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" |
917 | +.TH EXT_DELAYER_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
918 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
919 | .\" way too many mistakes in technical documents. |
920 | .if n .ad l |
921 | diff --git a/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 b/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 |
922 | index edec6bd..5ae9af5 100644 |
923 | --- a/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 |
924 | +++ b/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 |
925 | @@ -133,7 +133,7 @@ |
926 | .\" ======================================================================== |
927 | .\" |
928 | .IX Title "EXT_KERBEROS_SID_GROUP_ACL 8" |
929 | -.TH EXT_KERBEROS_SID_GROUP_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" |
930 | +.TH EXT_KERBEROS_SID_GROUP_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
931 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
932 | .\" way too many mistakes in technical documents. |
933 | .if n .ad l |
934 | diff --git a/src/acl/external/session/ext_session_acl.cc b/src/acl/external/session/ext_session_acl.cc |
935 | index ba21b6e..d6ee15e 100644 |
936 | --- a/src/acl/external/session/ext_session_acl.cc |
937 | +++ b/src/acl/external/session/ext_session_acl.cc |
938 | @@ -197,13 +197,19 @@ copyValue(void *dst, const DB_ENTRY *src, size_t sz) |
939 | static int session_active(const char *details, size_t len) |
940 | { |
941 | #if USE_BERKLEYDB |
942 | - DBT key = {0}; |
943 | - DBT data = {0}; |
944 | - key.data = (void *)details; |
945 | + DBT key = {}; |
946 | + key.data = const_cast<char*>(details); |
947 | key.size = len; |
948 | + |
949 | + DBT data = {}; |
950 | #elif USE_TRIVIALDB |
951 | - TDB_DATA key; |
952 | - TDB_DATA data; |
953 | + TDB_DATA key = {}; |
954 | + key.dptr = reinterpret_cast<decltype(key.dptr)>(const_cast<char*>(details)); |
955 | + key.dsize = len; |
956 | + |
957 | + TDB_DATA data = {}; |
958 | +#else |
959 | + (void)len; |
960 | #endif |
961 | if (fetchKey(key, &data)) { |
962 | time_t timestamp; |
963 | diff --git a/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 b/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 |
964 | index 9113719..7506e2f 100644 |
965 | --- a/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 |
966 | +++ b/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 |
967 | @@ -133,7 +133,7 @@ |
968 | .\" ======================================================================== |
969 | .\" |
970 | .IX Title "EXT_WBINFO_GROUP_ACL 8" |
971 | -.TH EXT_WBINFO_GROUP_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" |
972 | +.TH EXT_WBINFO_GROUP_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
973 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
974 | .\" way too many mistakes in technical documents. |
975 | .if n .ad l |
976 | diff --git a/src/auth/basic/DB/basic_db_auth.8 b/src/auth/basic/DB/basic_db_auth.8 |
977 | index 07ffc10..a180993 100644 |
978 | --- a/src/auth/basic/DB/basic_db_auth.8 |
979 | +++ b/src/auth/basic/DB/basic_db_auth.8 |
980 | @@ -133,7 +133,7 @@ |
981 | .\" ======================================================================== |
982 | .\" |
983 | .IX Title "BASIC_DB_AUTH 8" |
984 | -.TH BASIC_DB_AUTH 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" |
985 | +.TH BASIC_DB_AUTH 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
986 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
987 | .\" way too many mistakes in technical documents. |
988 | .if n .ad l |
989 | diff --git a/src/auth/basic/POP3/basic_pop3_auth.8 b/src/auth/basic/POP3/basic_pop3_auth.8 |
990 | index 85bd803..ddf8057 100644 |
991 | --- a/src/auth/basic/POP3/basic_pop3_auth.8 |
992 | +++ b/src/auth/basic/POP3/basic_pop3_auth.8 |
993 | @@ -133,7 +133,7 @@ |
994 | .\" ======================================================================== |
995 | .\" |
996 | .IX Title "BASIC_POP3_AUTH 8" |
997 | -.TH BASIC_POP3_AUTH 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" |
998 | +.TH BASIC_POP3_AUTH 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
999 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
1000 | .\" way too many mistakes in technical documents. |
1001 | .if n .ad l |
1002 | diff --git a/src/base/EnumIterator.h b/src/base/EnumIterator.h |
1003 | index 5d88100..96cb826 100644 |
1004 | --- a/src/base/EnumIterator.h |
1005 | +++ b/src/base/EnumIterator.h |
1006 | @@ -20,7 +20,7 @@ |
1007 | * \see EnumIterator, ReverseEnumIterator |
1008 | */ |
1009 | template <typename EnumType> |
1010 | -class EnumIteratorBase : public std::iterator<std::bidirectional_iterator_tag, EnumType> |
1011 | +class EnumIteratorBase |
1012 | { |
1013 | protected: |
1014 | #if HAVE_STD_UNDERLYING_TYPE |
1015 | @@ -30,6 +30,12 @@ protected: |
1016 | #endif |
1017 | |
1018 | public: |
1019 | + using iterator_category = std::bidirectional_iterator_tag; |
1020 | + using value_type = EnumType; |
1021 | + using difference_type = std::ptrdiff_t; |
1022 | + using pointer = EnumType *; |
1023 | + using reference = EnumType &; |
1024 | + |
1025 | explicit EnumIteratorBase(EnumType e) : current(static_cast<iterator_type>(e)) {} |
1026 | |
1027 | bool operator==(const EnumIteratorBase &i) const { |
1028 | diff --git a/src/cache_cf.cc b/src/cache_cf.cc |
1029 | index cb746dc..1bae8d3 100644 |
1030 | --- a/src/cache_cf.cc |
1031 | +++ b/src/cache_cf.cc |
1032 | @@ -720,7 +720,7 @@ configDoConfigure(void) |
1033 | * the extra space is for loop detection in client_side.c -- we search |
1034 | * for substrings in the Via header. |
1035 | */ |
1036 | - snprintf(ThisCache2, sizeof(ThisCache), " %s (%s)", |
1037 | + snprintf(ThisCache2, sizeof(ThisCache2), " %s (%s)", |
1038 | uniqueHostname(), |
1039 | visible_appname_string); |
1040 | |
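Review bot: the `sizeof(ThisCache)` to `sizeof(ThisCache2)` change is correct and worth an explicit changelog mention: passing the size of a different array as the snprintf bound meant the limit only matched by accident, and had ThisCache2 ever been declared smaller than ThisCache the call could have written past its end. Keeping the bound tied to the destination buffer, as the hunk now does, is the right fix; a shared size constant for both arrays would prevent the mismatch from reappearing.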
1041 | diff --git a/src/cf.data.pre b/src/cf.data.pre |
1042 | index 48f3e13..ee8c720 100644 |
1043 | --- a/src/cf.data.pre |
1044 | +++ b/src/cf.data.pre |
1045 | @@ -1036,7 +1036,7 @@ DEFAULT: ssl::certUntrusted ssl_error X509_V_ERR_INVALID_CA X509_V_ERR_SELF_SIGN |
1046 | DEFAULT: ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT |
1047 | ENDIF |
1048 | DEFAULT: all src all |
1049 | -DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/ |
1050 | +DEFAULT: manager url_regex -i ^cache_object:// +i ^[^:]+://[^/]+/squid-internal-mgr/ |
1051 | DEFAULT: localhost src 127.0.0.1/32 ::1 |
1052 | DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1/128 ::/128 |
1053 | DEFAULT: CONNECT method CONNECT |
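Review bot: widening the default `manager` ACL from `^https?://` to `^[^:]+://` is a hardening change: a request for `/squid-internal-mgr/` over any URL scheme is now classified as manager traffic and handled by whatever `http_access` rule references `manager`, instead of falling through to the ordinary access rules. Because it only alters a DEFAULT, configurations that declare their own `acl manager` are unaffected, but the Ubuntu-specific 90-cf.data.ubuntu.patch still listed in debian/patches/series should be checked so it does not carry the narrower pattern and reintroduce the gap. A sentence in debian/NEWS noting that the default changed would help operators who audit their ACLs.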
1054 | @@ -3049,6 +3049,8 @@ DEFAULT: none |
1055 | DOC_START |
1056 | The OpenSSL engine to use. You will need to set this if you |
1057 | would like to use hardware SSL acceleration for example. |
1058 | + |
1059 | + Not supported in builds with OpenSSL 3.0 or newer. |
1060 | DOC_END |
1061 | |
1062 | NAME: sslproxy_session_ttl |
1063 | @@ -4004,8 +4006,10 @@ DOC_START |
1064 | For the purpose of this limit, Squid counts all high-level request |
1065 | forwarding attempts, including any same-destination retries after |
1066 | certain persistent connection failures and any attempts to use a |
1067 | - different peer. However, low-level connection reopening attempts |
1068 | - (enabled using connect_retries) are not counted. |
1069 | + different peer. However, these low-level attempts are not counted: |
1070 | + * connection reopening attempts (enabled using connect_retries) |
1071 | + * unfinished Happy Eyeballs connection attempts (prevented by setting |
1072 | + happy_eyeballs_connect_limit to 0) |
1073 | |
1074 | See also: forward_timeout and connect_retries. |
1075 | DOC_END |
1076 | diff --git a/src/cf_gen.cc b/src/cf_gen.cc |
1077 | index 3d33f9e..b72642c 100644 |
1078 | --- a/src/cf_gen.cc |
1079 | +++ b/src/cf_gen.cc |
1080 | @@ -378,7 +378,6 @@ main(int argc, char *argv[]) |
1081 | } else if (!strcmp(buff, "NOCOMMENT_START")) { |
1082 | state = sNOCOMMENT; |
1083 | } else { // if (buff != NULL) { |
1084 | - assert(buff != NULL); |
1085 | entries.back().doc.push_back(buff); |
1086 | } |
1087 | break; |
1088 | @@ -387,7 +386,6 @@ main(int argc, char *argv[]) |
1089 | if (!strcmp(buff, "NOCOMMENT_END")) { |
1090 | state = sDOC; |
1091 | } else { // if (buff != NULL) { |
1092 | - assert(buff != NULL); |
1093 | entries.back().nocomment.push_back(buff); |
1094 | } |
1095 | break; |
1096 | diff --git a/src/fs/ufs/RebuildState.cc b/src/fs/ufs/RebuildState.cc |
1097 | index bc8d181..1af6e41 100644 |
1098 | --- a/src/fs/ufs/RebuildState.cc |
1099 | +++ b/src/fs/ufs/RebuildState.cc |
1100 | @@ -44,8 +44,6 @@ Fs::Ufs::RebuildState::RebuildState(RefCount<UFSSwapDir> aSwapDir) : |
1101 | _done(false), |
1102 | cbdata(NULL) |
1103 | { |
1104 | - *fullpath = 0; |
1105 | - *fullfilename = 0; |
1106 | |
1107 | /* |
1108 | * If the swap.state file exists in the cache_dir, then |
1109 | @@ -379,14 +377,14 @@ Fs::Ufs::RebuildState::getNextFile(sfileno * filn_p, int *) |
1110 | } |
1111 | |
1112 | if (0 == in_dir) { /* we need to read in a new directory */ |
1113 | - snprintf(fullpath, sizeof(fullpath), "%s/%02X/%02X", |
1114 | - sd->path, |
1115 | - curlvl1, curlvl2); |
1116 | + fullpath.Printf("%s/%02X/%02X", |
1117 | + sd->path, |
1118 | + curlvl1, curlvl2); |
1119 | |
1120 | if (dirs_opened) |
1121 | return -1; |
1122 | |
1123 | - td = opendir(fullpath); |
1124 | + td = opendir(fullpath.c_str()); |
1125 | |
1126 | ++dirs_opened; |
1127 | |
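Review bot: with fullpath now an SBuf, `fullpath.Printf(...)` runs once per directory visited by getNextFile(), which is only correct if SBuf::Printf replaces the buffer contents rather than appending; the old snprintf always overwrote the fixed array from its start, so please confirm that semantics (and add a comment) before relying on it. The `fullpath.c_str()` pointer passed to opendir() stays valid because no other operation on fullpath intervenes. Dropping the MAXPATHLEN arrays also removes the silent truncation snprintf performed on over-long cache_dir paths, which is a net improvement.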
1128 | @@ -425,10 +423,10 @@ Fs::Ufs::RebuildState::getNextFile(sfileno * filn_p, int *) |
1129 | continue; |
1130 | } |
1131 | |
1132 | - snprintf(fullfilename, sizeof(fullfilename), "%s/%s", |
1133 | - fullpath, entry->d_name); |
1134 | - debugs(47, 3, HERE << "Opening " << fullfilename); |
1135 | - fd = file_open(fullfilename, O_RDONLY | O_BINARY); |
1136 | + fullfilename.Printf(SQUIDSBUFPH "/%s", |
1137 | + SQUIDSBUFPRINT(fullpath), entry->d_name); |
1138 | + debugs(47, 3, "Opening " << fullfilename); |
1139 | + fd = file_open(fullfilename.c_str(), O_RDONLY | O_BINARY); |
1140 | |
1141 | if (fd < 0) { |
1142 | int xerrno = errno; |
1143 | diff --git a/src/fs/ufs/RebuildState.h b/src/fs/ufs/RebuildState.h |
1144 | index d9c6f91..203c65e 100644 |
1145 | --- a/src/fs/ufs/RebuildState.h |
1146 | +++ b/src/fs/ufs/RebuildState.h |
1147 | @@ -53,8 +53,8 @@ public: |
1148 | |
1149 | dirent_t *entry; |
1150 | DIR *td; |
1151 | - char fullpath[MAXPATHLEN]; |
1152 | - char fullfilename[MAXPATHLEN*2]; |
1153 | + SBuf fullpath; |
1154 | + SBuf fullfilename; |
1155 | |
1156 | StoreRebuildData counts; |
1157 | |
1158 | diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.8 b/src/http/url_rewriters/LFS/url_lfs_rewrite.8 |
1159 | index 6f1ca62..a5f7485 100644 |
1160 | --- a/src/http/url_rewriters/LFS/url_lfs_rewrite.8 |
1161 | +++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.8 |
1162 | @@ -133,7 +133,7 @@ |
1163 | .\" ======================================================================== |
1164 | .\" |
1165 | .IX Title "URL_LFS_REWRITE 8" |
1166 | -.TH URL_LFS_REWRITE 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" |
1167 | +.TH URL_LFS_REWRITE 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
1168 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
1169 | .\" way too many mistakes in technical documents. |
1170 | .if n .ad l |
1171 | diff --git a/src/log/DB/log_db_daemon.8 b/src/log/DB/log_db_daemon.8 |
1172 | index f1aaf9b..63fd886 100644 |
1173 | --- a/src/log/DB/log_db_daemon.8 |
1174 | +++ b/src/log/DB/log_db_daemon.8 |
1175 | @@ -133,7 +133,7 @@ |
1176 | .\" ======================================================================== |
1177 | .\" |
1178 | .IX Title "LOG_DB_DAEMON 8" |
1179 | -.TH LOG_DB_DAEMON 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" |
1180 | +.TH LOG_DB_DAEMON 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
1181 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
1182 | .\" way too many mistakes in technical documents. |
1183 | .if n .ad l |
1184 | diff --git a/src/main.cc b/src/main.cc |
1185 | index 080e71a..a55d9ed 100644 |
1186 | --- a/src/main.cc |
1187 | +++ b/src/main.cc |
1188 | @@ -679,8 +679,10 @@ mainHandleCommandLineOption(const int optId, const char *optValue) |
1189 | printf("%s\n",SQUID_BUILD_INFO); |
1190 | #if USE_OPENSSL |
1191 | printf("\nThis binary uses %s. ", OpenSSL_version(OPENSSL_VERSION)); |
1192 | +#if OPENSSL_VERSION_MAJOR < 3 |
1193 | printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n"); |
1194 | #endif |
1195 | +#endif |
1196 | printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS); |
1197 | |
1198 | #if USE_WIN32_SERVICE |
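Review bot: `#if OPENSSL_VERSION_MAJOR < 3` only works on OpenSSL 1.x because the macro was introduced with 3.0 and an undefined identifier evaluates to 0 in a preprocessor expression; the license notice therefore still prints there, but `-Wundef` will flag it and a reader may assume the macro exists everywhere. `#if !defined(OPENSSL_VERSION_MAJOR) || OPENSSL_VERSION_MAJOR < 3` states the intent explicitly. The nested `#if` correctly gains its own `#endif` in the hunk.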
1199 | diff --git a/src/sbuf/SBuf.h b/src/sbuf/SBuf.h |
1200 | index ac98137..964d8fb 100644 |
1201 | --- a/src/sbuf/SBuf.h |
1202 | +++ b/src/sbuf/SBuf.h |
1203 | @@ -45,9 +45,16 @@ class CharacterSet; |
1204 | * Please note that any operation on the underlying SBuf may invalidate |
1205 | * all iterators over it, resulting in undefined behavior by them. |
1206 | */ |
1207 | -class SBufIterator : public std::iterator<std::input_iterator_tag, char> |
1208 | +class SBufIterator |
1209 | { |
1210 | public: |
1211 | + // iterator traits |
1212 | + using iterator_category = std::input_iterator_tag; |
1213 | + using value_type = char; |
1214 | + using difference_type = std::ptrdiff_t; |
1215 | + using pointer = char*; |
1216 | + using reference = char&; |
1217 | + |
1218 | friend class SBuf; |
1219 | typedef MemBlob::size_type size_type; |
1220 | bool operator==(const SBufIterator &s) const; |
1221 | diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc |
1222 | index 679f968..b61280a 100644 |
1223 | --- a/src/security/PeerOptions.cc |
1224 | +++ b/src/security/PeerOptions.cc |
1225 | @@ -293,134 +293,134 @@ Security::PeerOptions::createClientContext(bool setOptions) |
1226 | /// set of options we can parse and what they map to |
1227 | static struct ssl_option { |
1228 | const char *name; |
1229 | - long value; |
1230 | + Security::ParsedOptions value; |
1231 | |
1232 | } ssl_options[] = { |
1233 | |
1234 | -#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG |
1235 | +#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) |
1236 | { |
1237 | "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG |
1238 | }, |
1239 | #endif |
1240 | -#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
1241 | +#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG) |
1242 | { |
1243 | "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
1244 | }, |
1245 | #endif |
1246 | -#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER |
1247 | +#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) |
1248 | { |
1249 | "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER |
1250 | }, |
1251 | #endif |
1252 | -#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG |
1253 | +#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG) |
1254 | { |
1255 | "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG |
1256 | }, |
1257 | #endif |
1258 | -#if SSL_OP_TLS_D5_BUG |
1259 | +#if defined(SSL_OP_TLS_D5_BUG) |
1260 | { |
1261 | "TLS_D5_BUG", SSL_OP_TLS_D5_BUG |
1262 | }, |
1263 | #endif |
1264 | -#if SSL_OP_TLS_BLOCK_PADDING_BUG |
1265 | +#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG) |
1266 | { |
1267 | "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG |
1268 | }, |
1269 | #endif |
1270 | -#if SSL_OP_TLS_ROLLBACK_BUG |
1271 | +#if defined(SSL_OP_TLS_ROLLBACK_BUG) |
1272 | { |
1273 | "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG |
1274 | }, |
1275 | #endif |
1276 | -#if SSL_OP_ALL |
1277 | +#if defined(SSL_OP_ALL) |
1278 | { |
1279 | - "ALL", (long)SSL_OP_ALL |
1280 | + "ALL", SSL_OP_ALL |
1281 | }, |
1282 | #endif |
1283 | -#if SSL_OP_SINGLE_DH_USE |
1284 | +#if defined(SSL_OP_SINGLE_DH_USE) |
1285 | { |
1286 | "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE |
1287 | }, |
1288 | #endif |
1289 | -#if SSL_OP_EPHEMERAL_RSA |
1290 | +#if defined(SSL_OP_EPHEMERAL_RSA) |
1291 | { |
1292 | "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA |
1293 | }, |
1294 | #endif |
1295 | -#if SSL_OP_PKCS1_CHECK_1 |
1296 | +#if defined(SSL_OP_PKCS1_CHECK_1) |
1297 | { |
1298 | "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 |
1299 | }, |
1300 | #endif |
1301 | -#if SSL_OP_PKCS1_CHECK_2 |
1302 | +#if defined(SSL_OP_PKCS1_CHECK_2) |
1303 | { |
1304 | "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 |
1305 | }, |
1306 | #endif |
1307 | -#if SSL_OP_NETSCAPE_CA_DN_BUG |
1308 | +#if defined(SSL_OP_NETSCAPE_CA_DN_BUG) |
1309 | { |
1310 | "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG |
1311 | }, |
1312 | #endif |
1313 | -#if SSL_OP_NON_EXPORT_FIRST |
1314 | +#if defined(SSL_OP_NON_EXPORT_FIRST) |
1315 | { |
1316 | "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST |
1317 | }, |
1318 | #endif |
1319 | -#if SSL_OP_CIPHER_SERVER_PREFERENCE |
1320 | +#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE) |
1321 | { |
1322 | "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE |
1323 | }, |
1324 | #endif |
1325 | -#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG |
1326 | +#if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) |
1327 | { |
1328 | "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG |
1329 | }, |
1330 | #endif |
1331 | -#if SSL_OP_NO_SSLv3 |
1332 | +#if defined(SSL_OP_NO_SSLv3) |
1333 | { |
1334 | "NO_SSLv3", SSL_OP_NO_SSLv3 |
1335 | }, |
1336 | #endif |
1337 | -#if SSL_OP_NO_TLSv1 |
1338 | +#if defined(SSL_OP_NO_TLSv1) |
1339 | { |
1340 | "NO_TLSv1", SSL_OP_NO_TLSv1 |
1341 | }, |
1342 | #else |
1343 | { "NO_TLSv1", 0 }, |
1344 | #endif |
1345 | -#if SSL_OP_NO_TLSv1_1 |
1346 | +#if defined(SSL_OP_NO_TLSv1_1) |
1347 | { |
1348 | "NO_TLSv1_1", SSL_OP_NO_TLSv1_1 |
1349 | }, |
1350 | #else |
1351 | { "NO_TLSv1_1", 0 }, |
1352 | #endif |
1353 | -#if SSL_OP_NO_TLSv1_2 |
1354 | +#if defined(SSL_OP_NO_TLSv1_2) |
1355 | { |
1356 | "NO_TLSv1_2", SSL_OP_NO_TLSv1_2 |
1357 | }, |
1358 | #else |
1359 | { "NO_TLSv1_2", 0 }, |
1360 | #endif |
1361 | -#if SSL_OP_NO_TLSv1_3 |
1362 | +#if defined(SSL_OP_NO_TLSv1_3) |
1363 | { |
1364 | "NO_TLSv1_3", SSL_OP_NO_TLSv1_3 |
1365 | }, |
1366 | #else |
1367 | { "NO_TLSv1_3", 0 }, |
1368 | #endif |
1369 | -#if SSL_OP_NO_COMPRESSION |
1370 | +#if defined(SSL_OP_NO_COMPRESSION) |
1371 | { |
1372 | "No_Compression", SSL_OP_NO_COMPRESSION |
1373 | }, |
1374 | #endif |
1375 | -#if SSL_OP_NO_TICKET |
1376 | +#if defined(SSL_OP_NO_TICKET) |
1377 | { |
1378 | "NO_TICKET", SSL_OP_NO_TICKET |
1379 | }, |
1380 | #endif |
1381 | -#if SSL_OP_SINGLE_ECDH_USE |
1382 | +#if defined(SSL_OP_SINGLE_ECDH_USE) |
1383 | { |
1384 | "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE |
1385 | }, |
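Review bot: replacing `#if SSL_OP_X` with `#if defined(SSL_OP_X)` throughout this table changes which entries are compiled in, and that deserves a comment above the table: a macro that OpenSSL defines as zero (the legacy no-op options) now produces an entry with value 0 instead of being dropped, and the `#else { "NO_TLSv1", 0 }` style fallbacks are only reached when the macro is absent altogether. The later `found` flag depends on those zero-valued entries to report a known-but-disabled name as "Unsupported", so state that intent here. Also worth recording why `defined()` is required at all: newer OpenSSL defines these macros through cast expressions such as `((uint64_t)1 << (uint64_t)25)`, which the preprocessor cannot evaluate, so the old `#if SSL_OP_X` form fails to compile. Unrelated but visible in context: `"No_Compression"` breaks the upper-case naming of every other entry and is compared case-sensitively by `option.cmp()`, so that spelling is the only one an admin can use.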
1386 | @@ -455,7 +455,7 @@ Security::PeerOptions::parseOptions() |
1387 | |
1388 | #if USE_OPENSSL |
1389 | ::Parser::Tokenizer tok(str); |
1390 | - long op = 0; |
1391 | + ParsedOptions op = 0; |
1392 | |
1393 | while (!tok.atEnd()) { |
1394 | enum { |
1395 | @@ -472,7 +472,8 @@ Security::PeerOptions::parseOptions() |
1396 | static const CharacterSet optChars = CharacterSet("TLS-option", "_") + CharacterSet::ALPHA + CharacterSet::DIGIT; |
1397 | int64_t hex = 0; |
1398 | SBuf option; |
1399 | - long value = 0; |
1400 | + ParsedOptions value = 0; |
1401 | + bool found = false; |
1402 | |
1403 | // Bug 4429: identify the full option name before determining text or numeric |
1404 | if (tok.prefix(option, optChars)) { |
1405 | @@ -481,14 +482,16 @@ Security::PeerOptions::parseOptions() |
1406 | for (struct ssl_option *opttmp = ssl_options; opttmp->name; ++opttmp) { |
1407 | if (option.cmp(opttmp->name) == 0) { |
1408 | value = opttmp->value; |
1409 | + found = true; |
1410 | break; |
1411 | } |
1412 | } |
1413 | |
1414 | // Special case.. hex specification |
1415 | ::Parser::Tokenizer tmp(option); |
1416 | - if (!value && tmp.int64(hex, 16, false) && tmp.atEnd()) { |
1417 | + if (!found && tmp.int64(hex, 16, false) && tmp.atEnd()) { |
1418 | value = hex; |
1419 | + found = true; |
1420 | } |
1421 | } |
1422 | |
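Review bot: `found` is set on a name match even when `opttmp->value` is 0, which is what later lets the error path say "Unsupported" instead of "Unknown"; a hex literal that parses to zero now also sets `found` with `value == 0`, so an explicit `0` is routed through whatever handles zero-valued named options rather than being treated as a harmless no-op. Confirm that is intended and note it in the "Special case.. hex specification" comment. The `int64_t hex` to `ParsedOptions` (`uint64_t`) assignment is only safe because `tmp.int64(hex, 16, false)` is called with the third argument disabling sign parsing (assuming that is what the flag does); a one-line comment there would stop someone later allowing signs and silently producing huge option masks.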
1423 | @@ -502,7 +505,7 @@ Security::PeerOptions::parseOptions() |
1424 | break; |
1425 | } |
1426 | } else { |
1427 | - debugs(83, DBG_PARSE_NOTE(1), "ERROR: Unknown TLS option " << option); |
1428 | + debugs(83, DBG_PARSE_NOTE(DBG_IMPORTANT), "ERROR: " << (found?"Unsupported":"Unknown") << " TLS option " << option); |
1429 | } |
1430 | |
1431 | static const CharacterSet delims("TLS-option-delim",":,"); |
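Review bot: `DBG_PARSE_NOTE(1)` and `DBG_PARSE_NOTE(DBG_IMPORTANT)` are the same level in Squid, so that part is readability only; the substantive change is the message now separating a name that is in the table but compiled with value 0 ("Unsupported" by this OpenSSL build) from a name that is not in the table at all. Since the admin's next question will be why it is unsupported, consider adding "by this OpenSSL build" (or the library version) to the Unsupported wording.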
1432 | @@ -512,9 +515,10 @@ Security::PeerOptions::parseOptions() |
1433 | |
1434 | } |
1435 | |
1436 | -#if SSL_OP_NO_SSLv2 |
1437 | +#if defined(SSL_OP_NO_SSLv2) |
1438 | // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 |
1439 | - op = op | SSL_OP_NO_SSLv2; |
1440 | + if (SSL_OP_NO_SSLv2) |
1441 | + op |= SSL_OP_NO_SSLv2; |
1442 | #endif |
1443 | parsedOptions = op; |
1444 | |
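Review bot: `if (SSL_OP_NO_SSLv2) op |= SSL_OP_NO_SSLv2;` tests a compile-time constant at run time, and `op |= 0` is already a no-op, so the `if` adds nothing except a possible constant-condition warning on some compilers. If it is there to silence a specific diagnostic, say so in the RFC 6176 comment; otherwise drop the `if`. The RFC 6176 guarantee is preserved either way: where the macro is non-zero SSLv2 stays disabled, and where it is zero the library has no SSLv2 to disable.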
1445 | diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc |
1446 | index e96869c..a5ddb43 100644 |
1447 | --- a/src/security/ServerOptions.cc |
1448 | +++ b/src/security/ServerOptions.cc |
1449 | @@ -10,8 +10,10 @@ |
1450 | #include "anyp/PortCfg.h" |
1451 | #include "base/Packable.h" |
1452 | #include "cache_cf.h" |
1453 | +#include "error/SysErrorDetail.h" |
1454 | #include "fatal.h" |
1455 | #include "globals.h" |
1456 | +#include "security/Io.h" |
1457 | #include "security/ServerOptions.h" |
1458 | #include "security/Session.h" |
1459 | #include "SquidConfig.h" |
1460 | @@ -19,6 +21,9 @@ |
1461 | #include "compat/openssl.h" |
1462 | #include "ssl/support.h" |
1463 | |
1464 | +#if HAVE_OPENSSL_DECODER_H |
1465 | +#include <openssl/decoder.h> |
1466 | +#endif |
1467 | #if HAVE_OPENSSL_ERR_H |
1468 | #include <openssl/err.h> |
1469 | #endif |
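Review bot: the include is guarded by `HAVE_OPENSSL_DECODER_H`, but the new OpenSSL 3 branch of `loadDhParams()` calls `OSSL_DECODER_*` whenever `OPENSSL_VERSION_MAJOR >= 3`, so a 3.x build on which the configure check fails will not compile. Either make that branch depend on `HAVE_OPENSSL_DECODER_H` as well, or add an `#error` under an `#else` here so the failure is explicit rather than a cascade of undeclared-identifier errors.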
1470 | @@ -352,11 +357,20 @@ Security::ServerOptions::loadDhParams() |
1471 | if (dhParamsFile.isEmpty()) |
1472 | return; |
1473 | |
1474 | + // TODO: After loading and validating parameters, also validate that "the |
1475 | + // public and private components have the correct mathematical |
1476 | + // relationship". See EVP_PKEY_check(). |
1477 | + |
1478 | #if USE_OPENSSL |
1479 | +#if OPENSSL_VERSION_MAJOR < 3 |
1480 | DH *dhp = nullptr; |
1481 | if (FILE *in = fopen(dhParamsFile.c_str(), "r")) { |
1482 | dhp = PEM_read_DHparams(in, NULL, NULL, NULL); |
1483 | fclose(in); |
1484 | + } else { |
1485 | + const auto xerrno = errno; |
1486 | + debugs(83, DBG_IMPORTANT, "WARNING: Failed to open '" << dhParamsFile << "'" << xstrerr(xerrno)); |
1487 | + return; |
1488 | } |
1489 | |
1490 | if (!dhp) { |
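Review bot: the new `else` branch logs and returns when the parameters file cannot be opened, so a mistyped `tls-dh=` path leaves Squid running without the configured DH parameters on the strength of one WARNING line; decide whether an unreadable parameters file should be fatal at startup like other TLS configuration errors, and if the lenient behaviour is intended, say so in the message. Separately, `"'" << xstrerr(xerrno)` glues the closing quote directly onto the strerror text; insert `": "` between them.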
1491 | @@ -374,7 +388,73 @@ Security::ServerOptions::loadDhParams() |
1492 | } |
1493 | |
1494 | parsedDhParams.resetWithoutLocking(dhp); |
1495 | + |
1496 | +#else // OpenSSL 3.0+ |
1497 | + const auto type = eecdhCurve.isEmpty() ? "DH" : "EC"; |
1498 | + |
1499 | + Security::ForgetErrors(); |
1500 | + EVP_PKEY *rawPkey = nullptr; |
1501 | + using DecoderContext = std::unique_ptr<OSSL_DECODER_CTX, HardFun<void, OSSL_DECODER_CTX*, &OSSL_DECODER_CTX_free> >; |
1502 | + if (const DecoderContext dctx{OSSL_DECODER_CTX_new_for_pkey(&rawPkey, "PEM", nullptr, type, 0, nullptr, nullptr)}) { |
1503 | + |
1504 | + // OpenSSL documentation is vague on this, but OpenSSL code and our |
1505 | + // tests suggest that rawPkey remains nil here while rawCtx keeps |
1506 | + // rawPkey _address_ for use by the decoder (see OSSL_DECODER_from_fp() |
1507 | + // below). Thus, we must not move *rawPkey into a smart pointer until |
1508 | + // decoding is over. For cleanup code simplicity, we assert nil rawPkey. |
1509 | + assert(!rawPkey); |
1510 | + |
1511 | + if (OSSL_DECODER_CTX_get_num_decoders(dctx.get()) == 0) { |
1512 | + auto ssl_error = ERR_get_error(); |
1513 | + debugs(83, DBG_IMPORTANT, "WARNING: No suitable decoders found for " << type << " parameters. " << Security::ErrorString(ssl_error)); |
1514 | + return; |
1515 | + } |
1516 | + |
1517 | + if (const auto in = fopen(dhParamsFile.c_str(), "r")) { |
1518 | + if (OSSL_DECODER_from_fp(dctx.get(), in)) { |
1519 | + assert(rawPkey); |
1520 | + const Security::DhePointer pkey(rawPkey); |
1521 | + // TODO: verify that the loaded parameters match the curve named in eecdhCurve |
1522 | + |
1523 | + if (const Ssl::EVP_PKEY_CTX_Pointer pkeyCtx{EVP_PKEY_CTX_new_from_pkey(nullptr, pkey.get(), nullptr)}) { |
1524 | + switch (EVP_PKEY_param_check(pkeyCtx.get())) { |
1525 | + case 1: // success |
1526 | + parsedDhParams = pkey; |
1527 | + break; |
1528 | + case -2: { |
1529 | + auto ssl_error = ERR_get_error(); |
1530 | + debugs(83, DBG_PARSE_NOTE(2), "WARNING: OpenSSL does not support " << type << " parameters check: " << dhParamsFile << ". " << Security::ErrorString(ssl_error)); |
1531 | + } |
1532 | + break; |
1533 | + default: { |
1534 | + auto ssl_error = ERR_get_error(); |
1535 | + debugs(83, DBG_IMPORTANT, "ERROR: Failed to verify " << type << " parameters in " << dhParamsFile << ". " << Security::ErrorString(ssl_error)); |
1536 | + } |
1537 | + break; |
1538 | + } |
1539 | + } else { |
1540 | + // TODO: Reduce error reporting code duplication. |
1541 | + auto ssl_error = ERR_get_error(); |
1542 | + debugs(83, DBG_IMPORTANT, "ERROR: Cannot check " << type << " parameters in " << dhParamsFile << ". " << Security::ErrorString(ssl_error)); |
1543 | + } |
1544 | + } else { |
1545 | + auto ssl_error = ERR_get_error(); |
1546 | + debugs(83, DBG_IMPORTANT, "WARNING: Failed to decode " << type << " parameters '" << dhParamsFile << "'. " << Security::ErrorString(ssl_error)); |
1547 | + EVP_PKEY_free(rawPkey); // probably still nil, but just in case |
1548 | + } |
1549 | + fclose(in); |
1550 | + } else { |
1551 | + const auto xerrno = errno; |
1552 | + debugs(83, DBG_IMPORTANT, "WARNING: Failed to open '" << dhParamsFile << "'" << xstrerr(xerrno)); |
1553 | + } |
1554 | + |
1555 | + } else { |
1556 | + auto ssl_error = ERR_get_error(); |
1557 | + debugs(83, DBG_IMPORTANT, "WARNING: Unable to create decode context for " << type << " parameters. " << Security::ErrorString(ssl_error)); |
1558 | + return; |
1559 | + } |
1560 | #endif |
1561 | +#endif // USE_OPENSSL |
1562 | } |
1563 | |
1564 | bool |
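Review bot: in the `EVP_PKEY_param_check()` switch, the `-2` case (check not supported for this key type) logs at `DBG_PARSE_NOTE(2)` but never assigns `parsedDhParams`, so on such a build the file is decoded and then silently discarded and the server runs without the configured parameters; either accept the unchecked parameters with a WARNING, or log the discard at `DBG_IMPORTANT` so the administrator notices. Two smaller points: the decoder key type is chosen as `eecdhCurve.isEmpty() ? "DH" : "EC"`, so a DH parameters file combined with a named curve is decoded as EC and fails, which the existing TODO should spell out; and the fopen failure message has the same missing separator before `xstrerr(xerrno)` as the pre-3.0 branch.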
1565 | @@ -452,12 +532,16 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx) |
1566 | debugs(83, 9, "Setting Ephemeral ECDH curve to " << eecdhCurve << "."); |
1567 | |
1568 | #if USE_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH) |
1569 | + |
1570 | + Security::ForgetErrors(); |
1571 | + |
1572 | int nid = OBJ_sn2nid(eecdhCurve.c_str()); |
1573 | if (!nid) { |
1574 | debugs(83, DBG_CRITICAL, "ERROR: Unknown EECDH curve '" << eecdhCurve << "'"); |
1575 | return; |
1576 | } |
1577 | |
1578 | +#if OPENSSL_VERSION_MAJOR < 3 |
1579 | auto ecdh = EC_KEY_new_by_curve_name(nid); |
1580 | if (!ecdh) { |
1581 | const auto x = ERR_get_error(); |
1582 | @@ -472,6 +556,14 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx) |
1583 | EC_KEY_free(ecdh); |
1584 | |
1585 | #else |
1586 | + // TODO: Support multiple group names via SSL_CTX_set1_groups_list(). |
1587 | + if (!SSL_CTX_set1_groups(ctx.get(), &nid, 1)) { |
1588 | + auto ssl_error = ERR_get_error(); |
1589 | + debugs(83, DBG_CRITICAL, "ERROR: Unable to set Ephemeral ECDH: " << Security::ErrorString(ssl_error)); |
1590 | + return; |
1591 | + } |
1592 | +#endif |
1593 | +#else |
1594 | debugs(83, DBG_CRITICAL, "ERROR: EECDH is not available in this build." << |
1595 | " Please link against OpenSSL>=0.9.8 and ensure OPENSSL_NO_ECDH is not set."); |
1596 | #endif |
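Review bot: `SSL_CTX_set1_groups()` is not a drop-in for the `EC_KEY`-based path above it: it sets the server's supported-groups list, which also governs TLS 1.3 key-share negotiation, so configuring a single curve name in `tls-dh=` now restricts every TLS 1.3 handshake to that one group instead of only selecting the TLS 1.2 ECDHE curve. That is a behaviour change for existing configurations on OpenSSL 3 builds and should be called out in the release notes and the `cf.data.pre` text; the TODO about `SSL_CTX_set1_groups_list()` is the natural way to let admins list several groups.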
1597 | diff --git a/src/security/cert_validators/fake/security_fake_certverify.8 b/src/security/cert_validators/fake/security_fake_certverify.8 |
1598 | index 246152d..9dbb485 100644 |
1599 | --- a/src/security/cert_validators/fake/security_fake_certverify.8 |
1600 | +++ b/src/security/cert_validators/fake/security_fake_certverify.8 |
1601 | @@ -133,7 +133,7 @@ |
1602 | .\" ======================================================================== |
1603 | .\" |
1604 | .IX Title "SECURITY_FAKE_CERTVERIFY 8" |
1605 | -.TH SECURITY_FAKE_CERTVERIFY 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" |
1606 | +.TH SECURITY_FAKE_CERTVERIFY 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
1607 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
1608 | .\" way too many mistakes in technical documents. |
1609 | .if n .ad l |
1610 | diff --git a/src/security/forward.h b/src/security/forward.h |
1611 | index 26225aa..9c4ff05 100644 |
1612 | --- a/src/security/forward.h |
1613 | +++ b/src/security/forward.h |
1614 | @@ -93,10 +93,25 @@ typedef std::list<Security::CertPointer> CertList; |
1615 | typedef std::list<Security::CrlPointer> CertRevokeList; |
1616 | |
1617 | #if USE_OPENSSL |
1618 | +CtoCpp1(EVP_PKEY_free, EVP_PKEY *) |
1619 | +using PrivateKeyPointer = Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref>>; |
1620 | +#elif USE_GNUTLS |
1621 | +using PrivateKeyPointer = std::shared_ptr<struct gnutls_x509_privkey_int>; |
1622 | +#else |
1623 | +using PrivateKeyPointer = std::shared_ptr<void>; |
1624 | +#endif |
1625 | + |
1626 | +#if USE_OPENSSL |
1627 | +#if OPENSSL_VERSION_MAJOR < 3 |
1628 | CtoCpp1(DH_free, DH *); |
1629 | typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer; |
1630 | #else |
1631 | -typedef void *DhePointer; |
1632 | +using DhePointer = PrivateKeyPointer; |
1633 | +#endif |
1634 | +#elif USE_GNUTLS |
1635 | +using DhePointer = void *; |
1636 | +#else |
1637 | +using DhePointer = void *; |
1638 | #endif |
1639 | |
1640 | class EncryptorAnswer; |
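Review bot: style, `CtoCpp1(EVP_PKEY_free, EVP_PKEY *)` is written without the trailing semicolon that `CtoCpp1(DH_free, DH *);` keeps a few lines down; pick one form. Also the `#elif USE_GNUTLS` and `#else` branches for `DhePointer` are identical (`void *`), so they can be collapsed into a single `#else`.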
1641 | @@ -159,7 +174,7 @@ class IoResult; |
1642 | class KeyData; |
1643 | |
1644 | #if USE_OPENSSL |
1645 | -typedef long ParsedOptions; |
1646 | +using ParsedOptions = uint64_t; |
1647 | #elif USE_GNUTLS |
1648 | typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions; |
1649 | #else |
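Review bot: `ParsedOptions` becoming `uint64_t` matches the `uint64_t` option type OpenSSL 3 uses for `SSL_CTX_set_options()`, but the `ssl_options[]` table is initialised from the `SSL_OP_*` macros through `struct ssl_option`, whose `value` field is not in this diff; check that it is also `ParsedOptions` (or at least 64-bit), otherwise the high option bits are narrowed before `parseOptions()` ever sees them.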
1650 | @@ -175,15 +190,6 @@ class PeerConnector; |
1651 | class BlindPeerConnector; |
1652 | class PeerOptions; |
1653 | |
1654 | -#if USE_OPENSSL |
1655 | -CtoCpp1(EVP_PKEY_free, EVP_PKEY *) |
1656 | -typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref> > PrivateKeyPointer; |
1657 | -#elif USE_GNUTLS |
1658 | -typedef std::shared_ptr<struct gnutls_x509_privkey_int> PrivateKeyPointer; |
1659 | -#else |
1660 | -typedef std::shared_ptr<void> PrivateKeyPointer; |
1661 | -#endif |
1662 | - |
1663 | class ServerOptions; |
1664 | |
1665 | class ErrorDetail; |
1666 | diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc |
1667 | index ef572ba..d1def59 100644 |
1668 | --- a/src/ssl/gadgets.cc |
1669 | +++ b/src/ssl/gadgets.cc |
1670 | @@ -9,36 +9,26 @@ |
1671 | #include "squid.h" |
1672 | #include "ssl/gadgets.h" |
1673 | |
1674 | -EVP_PKEY * Ssl::createSslPrivateKey() |
1675 | +static Security::PrivateKeyPointer |
1676 | +CreateRsaPrivateKey() |
1677 | { |
1678 | - Security::PrivateKeyPointer pkey(EVP_PKEY_new()); |
1679 | - |
1680 | - if (!pkey) |
1681 | - return NULL; |
1682 | - |
1683 | - BIGNUM_Pointer bn(BN_new()); |
1684 | - if (!bn) |
1685 | - return NULL; |
1686 | - |
1687 | - if (!BN_set_word(bn.get(), RSA_F4)) |
1688 | - return NULL; |
1689 | - |
1690 | - Ssl::RSA_Pointer rsa(RSA_new()); |
1691 | + Ssl::EVP_PKEY_CTX_Pointer rsa(EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, nullptr)); |
1692 | if (!rsa) |
1693 | - return NULL; |
1694 | + return nullptr; |
1695 | |
1696 | - int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable? |
1697 | - if (!RSA_generate_key_ex(rsa.get(), num, bn.get(), NULL)) |
1698 | - return NULL; |
1699 | + if (EVP_PKEY_keygen_init(rsa.get()) <= 0) |
1700 | + return nullptr; |
1701 | |
1702 | - if (!rsa) |
1703 | - return NULL; |
1704 | + int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable? |
1705 | + if (EVP_PKEY_CTX_set_rsa_keygen_bits(rsa.get(), num) <= 0) |
1706 | + return nullptr; |
1707 | |
1708 | - if (!EVP_PKEY_assign_RSA(pkey.get(), (rsa.get()))) |
1709 | - return NULL; |
1710 | + /* Generate key */ |
1711 | + EVP_PKEY *pkey = nullptr; |
1712 | + if (EVP_PKEY_keygen(rsa.get(), &pkey) <= 0) |
1713 | + return nullptr; |
1714 | |
1715 | - rsa.release(); |
1716 | - return pkey.release(); |
1717 | + return Security::PrivateKeyPointer(pkey); |
1718 | } |
1719 | |
1720 | /** |
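Review bot: the local named `rsa` is now an `EVP_PKEY_CTX`, not an RSA key, so `EVP_PKEY_keygen(rsa.get(), &pkey)` reads wrongly; renaming it `ctx` avoids that. The generated key size is unchanged at 2048 bits, which is fine, but since the removed `gadgets.h` doc comment claimed 1024 bits the new static function deserves a short doc comment stating the actual size and that the returned `PrivateKeyPointer` owns the key.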
1721 | @@ -56,7 +46,7 @@ static bool setSerialNumber(ASN1_INTEGER *ai, BIGNUM const* serial) |
1722 | if (!bn) |
1723 | return false; |
1724 | |
1725 | - if (!BN_pseudo_rand(bn.get(), 64, 0, 0)) |
1726 | + if (!BN_rand(bn.get(), 64, 0, 0)) |
1727 | return false; |
1728 | } |
1729 | |
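Review bot: good change, `BN_pseudo_rand()` is deprecated in OpenSSL 3 and the serial number is a security-relevant value, so drawing it from `BN_rand()` is the right replacement; keeping `top = 0` still forces the most significant of the 64 bits to one and `bottom = 0` leaves the low bit unconstrained, so the value range is unchanged.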
1730 | @@ -375,7 +365,11 @@ mimicExtensions(Security::CertPointer & cert, Security::CertPointer const &mimic |
1731 | // XXX: Add PublicKeyPointer. In OpenSSL, public and private keys are |
1732 | // internally represented by EVP_PKEY pair, but GnuTLS uses distinct types. |
1733 | const Security::PrivateKeyPointer certKey(X509_get_pubkey(mimicCert.get())); |
1734 | +#if OPENSSL_VERSION_MAJOR < 3 |
1735 | const auto rsaPkey = EVP_PKEY_get0_RSA(certKey.get()) != nullptr; |
1736 | +#else |
1737 | + const auto rsaPkey = EVP_PKEY_is_a(certKey.get(), "RSA") == 1; |
1738 | +#endif |
1739 | |
1740 | int added = 0; |
1741 | int nid; |
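Review bot: the two branches may not agree on `rsaPkey` for RSA-PSS keys: `EVP_PKEY_get0_RSA()` in the pre-3.0 branch returns a non-null pointer for both plain RSA and RSA-PSS keys, while `EVP_PKEY_is_a(certKey.get(), "RSA")` matches only the "RSA" type name. Either also test `"RSA-PSS"` in the 3.0 branch or confirm that the difference is acceptable for extension mimicking, and record the decision in a comment.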
1742 | @@ -544,13 +538,8 @@ static bool buildCertificate(Security::CertPointer & cert, Ssl::CertificatePrope |
1743 | |
1744 | static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Security::PrivateKeyPointer & pkeyToStore, Ssl::CertificateProperties const &properties, Ssl::BIGNUM_Pointer const &serial) |
1745 | { |
1746 | - Security::PrivateKeyPointer pkey; |
1747 | // Use signing certificates private key as generated certificate private key |
1748 | - if (properties.signWithPkey.get()) |
1749 | - pkey.resetAndLock(properties.signWithPkey.get()); |
1750 | - else // if not exist generate one |
1751 | - pkey.resetWithoutLocking(Ssl::createSslPrivateKey()); |
1752 | - |
1753 | + const auto pkey = properties.signWithPkey ? properties.signWithPkey : CreateRsaPrivateKey(); |
1754 | if (!pkey) |
1755 | return false; |
1756 | |
1757 | diff --git a/src/ssl/gadgets.h b/src/ssl/gadgets.h |
1758 | index 8e46f89..4c5b30b 100644 |
1759 | --- a/src/ssl/gadgets.h |
1760 | +++ b/src/ssl/gadgets.h |
1761 | @@ -58,7 +58,7 @@ typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Poi |
1762 | |
1763 | typedef std::unique_ptr<X509_NAME, HardFun<void, X509_NAME*, &X509_NAME_free>> X509_NAME_Pointer; |
1764 | |
1765 | -typedef std::unique_ptr<RSA, HardFun<void, RSA*, &RSA_free>> RSA_Pointer; |
1766 | +using EVP_PKEY_CTX_Pointer = std::unique_ptr<EVP_PKEY_CTX, HardFun<void, EVP_PKEY_CTX*, &EVP_PKEY_CTX_free>>; |
1767 | |
1768 | typedef std::unique_ptr<X509_REQ, HardFun<void, X509_REQ*, &X509_REQ_free>> X509_REQ_Pointer; |
1769 | |
1770 | @@ -74,12 +74,6 @@ typedef std::unique_ptr<X509_EXTENSION, HardFun<void, X509_EXTENSION*, &X509_EXT |
1771 | typedef std::unique_ptr<X509_STORE_CTX, HardFun<void, X509_STORE_CTX *, &X509_STORE_CTX_free>> X509_STORE_CTX_Pointer; |
1772 | /** |
1773 | \ingroup SslCrtdSslAPI |
1774 | - * Create 1024 bits rsa key. |
1775 | - */ |
1776 | -EVP_PKEY * createSslPrivateKey(); |
1777 | - |
1778 | -/** |
1779 | - \ingroup SslCrtdSslAPI |
1780 | * Write private key and SSL certificate to memory. |
1781 | */ |
1782 | bool writeCertAndPrivateKeyToMemory(Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey, std::string & bufferToWrite); |
1783 | diff --git a/src/ssl/support.cc b/src/ssl/support.cc |
1784 | index 11ef077..40c1e32 100644 |
1785 | --- a/src/ssl/support.cc |
1786 | +++ b/src/ssl/support.cc |
1787 | @@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn) |
1788 | } |
1789 | |
1790 | // "dup" function for SSL_get_ex_new_index("cert_err_check") |
1791 | -#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP |
1792 | +#if OPENSSL_VERSION_MAJOR >= 3 |
1793 | +static int |
1794 | +ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **, |
1795 | + int, long, void *) |
1796 | +#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP |
1797 | static int |
1798 | ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, |
1799 | int, long, void *) |
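Review bot: the `void **` third parameter is the correct `CRYPTO_EX_dup` signature for OpenSSL 3.0, but this now leaves three near-identical prototypes selected by two unrelated macros (`OPENSSL_VERSION_MAJOR` and `SQUID_USE_CONST_CRYPTO_EX_DATA_DUP`); a comment naming which OpenSSL versions each branch targets would make the next signature change safer, and the function body should be checked to dereference the parameter consistently for the `void **` case.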
1800 | @@ -654,8 +658,12 @@ Ssl::Initialize(void) |
1801 | |
1802 | SQUID_OPENSSL_init_ssl(); |
1803 | |
1804 | -#if !defined(OPENSSL_NO_ENGINE) |
1805 | if (::Config.SSL.ssl_engine) { |
1806 | +#if OPENSSL_VERSION_MAJOR < 3 |
1807 | + debugs(83, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: Support for ssl_engine is deprecated " << |
1808 | + "in Squids built with OpenSSL 1.x (like this Squid). " << |
1809 | + "It is removed in Squids built with OpenSSL 3.0 or newer."); |
1810 | +#if !defined(OPENSSL_NO_ENGINE) |
1811 | ENGINE_load_builtin_engines(); |
1812 | ENGINE *e; |
1813 | if (!(e = ENGINE_by_id(::Config.SSL.ssl_engine))) |
1814 | @@ -665,11 +673,14 @@ Ssl::Initialize(void) |
1815 | const auto ssl_error = ERR_get_error(); |
1816 | fatalf("Failed to initialise SSL engine: %s\n", Security::ErrorString(ssl_error)); |
1817 | } |
1818 | - } |
1819 | -#else |
1820 | - if (::Config.SSL.ssl_engine) |
1821 | - fatalf("Your OpenSSL has no SSL engine support\n"); |
1822 | +#else /* OPENSSL_NO_ENGINE */ |
1823 | + throw TextException("Cannot use ssl_engine in Squid built with OpenSSL configured to disable SSL engine support", Here()); |
1824 | +#endif |
1825 | + |
1826 | +#else /* OPENSSL_VERSION_MAJOR */ |
1827 | + throw TextException("Cannot use ssl_engine in Squid built with OpenSSL 3.0 or newer", Here()); |
1828 | #endif |
1829 | + } |
1830 | |
1831 | const char *defName = ::Config.SSL.certSignHash ? ::Config.SSL.certSignHash : SQUID_SSL_SIGN_HASH_IF_NONE; |
1832 | Ssl::DefaultSignHash = EVP_get_digestbyname(defName); |
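Review bot: both new failure paths throw `TextException` out of `Ssl::Initialize()` where the neighbouring engine failures use `fatalf()`; unless something up the stack catches it, the admin gets an uncaught-exception abort instead of the usual fatal message, so either use `fatalf()` here too or confirm the caller handles `TextException`. Refusing to start rather than ignoring `ssl_engine` is the right call (an engine that silently does nothing would be worse), but it is a visible change for upgraders to OpenSSL 3 builds and needs a line in `debian/NEWS`.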
1833 | diff --git a/src/store/id_rewriters/file/storeid_file_rewrite.8 b/src/store/id_rewriters/file/storeid_file_rewrite.8 |
1834 | index d3c63af..43913e8 100644 |
1835 | --- a/src/store/id_rewriters/file/storeid_file_rewrite.8 |
1836 | +++ b/src/store/id_rewriters/file/storeid_file_rewrite.8 |
1837 | @@ -133,7 +133,7 @@ |
1838 | .\" ======================================================================== |
1839 | .\" |
1840 | .IX Title "STOREID_FILE_REWRITE 8" |
1841 | -.TH STOREID_FILE_REWRITE 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" |
1842 | +.TH STOREID_FILE_REWRITE 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
1843 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
1844 | .\" way too many mistakes in technical documents. |
1845 | .if n .ad l |
1846 | diff --git a/src/tests/testStoreHashIndex.cc b/src/tests/testStoreHashIndex.cc |
1847 | index dcfbcab..d017887 100644 |
1848 | --- a/src/tests/testStoreHashIndex.cc |
1849 | +++ b/src/tests/testStoreHashIndex.cc |
1850 | @@ -102,6 +102,8 @@ void commonInit() |
1851 | if (inited) |
1852 | return; |
1853 | |
1854 | + inited = true; |
1855 | + |
1856 | Mem::Init(); |
1857 | |
1858 | Config.Store.avgObjectSize = 1024; |
1859 | @@ -109,6 +111,10 @@ void commonInit() |
1860 | Config.Store.objectsPerBucket = 20; |
1861 | |
1862 | Config.Store.maxObjectSize = 2048; |
1863 | + |
1864 | + Config.memShared.defaultTo(false); |
1865 | + |
1866 | + Config.store_dir_select_algorithm = xstrdup("round-robin"); |
1867 | } |
1868 | |
1869 | /* TODO make this a cbdata class */ |
1870 | diff --git a/src/tunnel.cc b/src/tunnel.cc |
1871 | index 4fc5abd..c5d4dfc 100644 |
1872 | --- a/src/tunnel.cc |
1873 | +++ b/src/tunnel.cc |
1874 | @@ -97,6 +97,10 @@ public: |
1875 | return (server.conn != NULL && server.conn->getPeer() ? server.conn->getPeer()->host : request->url.host()); |
1876 | }; |
1877 | |
1878 | + /// store the given to-server connection; prohibit retries and do not look |
1879 | + /// for any other destinations |
1880 | + void commitToServer(const Comm::ConnectionPointer &); |
1881 | + |
1882 | /// Whether the client sent a CONNECT request to us. |
1883 | bool clientExpectsConnectResponse() const { |
1884 | // If we are forcing a tunnel after receiving a client CONNECT, then we |
1885 | @@ -186,6 +190,10 @@ public: |
1886 | /// whether another destination may be still attempted if the TCP connection |
1887 | /// was unexpectedly closed |
1888 | bool retriable; |
1889 | + |
1890 | + /// whether the decision to tunnel to a particular destination was final |
1891 | + bool committedToServer; |
1892 | + |
1893 | // TODO: remove after fixing deferred reads in TunnelStateData::copyRead() |
1894 | CodeContext::Pointer codeContext; ///< our creator context |
1895 | |
1896 | @@ -263,9 +271,8 @@ private: |
1897 | |
1898 | /// \returns whether the request should be retried (nil) or the description why it should not |
1899 | const char *checkRetry(); |
1900 | - /// whether the successfully selected path destination or the established |
1901 | - /// server connection is still in use |
1902 | - bool usingDestination() const; |
1903 | + |
1904 | + bool transporting() const; |
1905 | |
1906 | /// details of the "last tunneling attempt" failure (if it failed) |
1907 | ErrorState *savedError = nullptr; |
1908 | @@ -362,6 +369,7 @@ TunnelStateData::TunnelStateData(ClientHttpRequest *clientRequest) : |
1909 | destinations(new ResolvedPeers()), |
1910 | destinationsFound(false), |
1911 | retriable(true), |
1912 | + committedToServer(false), |
1913 | codeContext(CodeContext::Current()) |
1914 | { |
1915 | debugs(26, 3, "TunnelStateData constructed this=" << this); |
1916 | @@ -1009,8 +1017,7 @@ void |
1917 | TunnelStateData::notePeerReadyToShovel(const Comm::ConnectionPointer &conn) |
1918 | { |
1919 | assert(!client.dirty); |
1920 | - retriable = false; |
1921 | - server.initConnection(conn, tunnelServerClosed, "tunnelServerClosed", this); |
1922 | + commitToServer(conn); |
1923 | |
1924 | if (!clientExpectsConnectResponse()) |
1925 | tunnelStartShoveling(this); // ssl-bumped connection, be quiet |
1926 | @@ -1025,6 +1032,15 @@ TunnelStateData::notePeerReadyToShovel(const Comm::ConnectionPointer &conn) |
1927 | } |
1928 | } |
1929 | |
1930 | +void |
1931 | +TunnelStateData::commitToServer(const Comm::ConnectionPointer &conn) |
1932 | +{ |
1933 | + committedToServer = true; |
1934 | + retriable = false; // may already be false |
1935 | + PeerSelectionInitiator::subscribed = false; // may already be false |
1936 | + server.initConnection(conn, tunnelServerClosed, "tunnelServerClosed", this); |
1937 | +} |
1938 | + |
1939 | static void |
1940 | tunnelErrorComplete(int fd/*const Comm::ConnectionPointer &*/, void *data, size_t) |
1941 | { |
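Review bot: `commitToServer()` sets `PeerSelectionInitiator::subscribed = false`, and its declaration says "do not look for any other destinations", yet `noteDestination()` and `noteDestinationsEnd()` keep the comments about continuing to receive destinations "for backup" while `transporting()`. Those comments now only apply to the `encryptionWait`/`peerWait` states that precede commitment, so reword them (or the method comment) so the two do not contradict each other.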
1942 | @@ -1252,18 +1268,15 @@ TunnelStateData::noteDestination(Comm::ConnectionPointer path) |
1943 | |
1944 | destinations->addPath(path); |
1945 | |
1946 | - if (usingDestination()) { |
1947 | - // We are already using a previously opened connection but also |
1948 | - // receiving destinations in case we need to re-forward. |
1949 | - Must(!transportWait); |
1950 | - return; |
1951 | - } |
1952 | - |
1953 | if (transportWait) { |
1954 | + assert(!transporting()); |
1955 | notifyConnOpener(); |
1956 | return; // and continue to wait for tunnelConnectDone() callback |
1957 | } |
1958 | |
1959 | + if (transporting()) |
1960 | + return; // and continue to receive destinations for backup |
1961 | + |
1962 | startConnecting(); |
1963 | } |
1964 | |
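Review bot: the reordered checks replace the old `Must(!transportWait)` with `assert(!transporting())`, which changes the failure mode from a catchable exception to a process abort and disappears entirely under `NDEBUG`; tunnel.cc otherwise uses `Must()` for these state invariants, so prefer `Must(!transporting())` here unless an abort is deliberately wanted.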
1965 | @@ -1279,8 +1292,9 @@ TunnelStateData::noteDestinationsEnd(ErrorState *selectionError) |
1966 | if (selectionError) |
1967 | return sendError(selectionError, "path selection has failed"); |
1968 | |
1969 | + // TODO: Merge with FwdState and remove this likely unnecessary check. |
1970 | if (savedError) |
1971 | - return sendError(savedError, "all found paths have failed"); |
1972 | + return sendError(savedError, "path selection found no paths (with an impossible early error)"); |
1973 | |
1974 | return sendError(new ErrorState(ERR_CANNOT_FORWARD, Http::scInternalServerError, request.getRaw(), al), |
1975 | "path selection found no paths"); |
1976 | @@ -1289,21 +1303,32 @@ TunnelStateData::noteDestinationsEnd(ErrorState *selectionError) |
1977 | // if all of them fail, tunneling as whole will fail |
1978 | Must(!selectionError); // finding at least one path means selection succeeded |
1979 | |
1980 | - if (usingDestination()) { |
1981 | - // We are already using a previously opened connection but also |
1982 | - // receiving destinations in case we need to re-forward. |
1983 | - Must(!transportWait); |
1984 | + if (transportWait) { |
1985 | + assert(!transporting()); |
1986 | + notifyConnOpener(); |
1987 | + return; // and continue to wait for the noteConnection() callback |
1988 | + } |
1989 | + |
1990 | + if (transporting()) { |
1991 | + // We are already using a previously opened connection (but were also |
1992 | + // receiving more destinations in case we need to re-forward). |
1993 | + debugs(17, 7, "keep transporting"); |
1994 | return; |
1995 | } |
1996 | |
1997 | - Must(transportWait); // or we would be stuck with nothing to do or wait for |
1998 | - notifyConnOpener(); |
1999 | + // destinationsFound, but none of them worked, and we were waiting for more |
2000 | + assert(savedError); |
2001 | + // XXX: Honor clientExpectsConnectResponse() before replying. |
2002 | + sendError(savedError, "all found paths have failed"); |
2003 | } |
2004 | |
2005 | +/// Whether a tunneling attempt to some selected destination X is in progress |
2006 | +/// (after successfully opening/reusing a transport connection to X). |
2007 | +/// \sa transportWait |
2008 | bool |
2009 | -TunnelStateData::usingDestination() const |
2010 | +TunnelStateData::transporting() const |
2011 | { |
2012 | - return encryptionWait || peerWait || Comm::IsConnOpen(server.conn); |
2013 | + return encryptionWait || peerWait || committedToServer; |
2014 | } |
2015 | |
2016 | /// remembers an error to be used if there will be no more connection attempts |
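Review bot: `assert(savedError)` immediately followed by `sendError(savedError, ...)` means a nil `savedError` would abort in debug builds and dereference nil in `NDEBUG` builds; use `Must(savedError)` to match the rest of this function's `Must()` invariants. Also, the new `debugs(17, 7, "keep transporting")` uses section 17 while the tunnel code around it logs under section 26, so pick one section for this file.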
2017 | @@ -1362,7 +1387,7 @@ TunnelStateData::startConnecting() |
2018 | request->hier.startPeerClock(); |
2019 | |
2020 | assert(!destinations->empty()); |
2021 | - assert(!usingDestination()); |
2022 | + assert(!transporting()); |
2023 | AsyncCall::Pointer callback = asyncCall(17, 5, "TunnelStateData::noteConnection", HappyConnOpener::CbDialer<TunnelStateData>(&TunnelStateData::noteConnection, this)); |
2024 | const auto cs = new HappyConnOpener(destinations, callback, request, startTime, 0, al); |
2025 | cs->setHost(request->url.host()); |
2026 | @@ -1457,12 +1482,10 @@ switchToTunnel(HttpRequest *request, const Comm::ConnectionPointer &clientConn, |
2027 | debugs(26, 3, request->method << " " << context->http->uri << " " << request->http_ver); |
2028 | |
2029 | TunnelStateData *tunnelState = new TunnelStateData(context->http); |
2030 | - tunnelState->retriable = false; |
2031 | + tunnelState->commitToServer(srvConn); |
2032 | |
2033 | request->hier.resetPeerNotes(srvConn, tunnelState->getHost()); |
2034 | |
2035 | - tunnelState->server.initConnection(srvConn, tunnelServerClosed, "tunnelServerClosed", tunnelState); |
2036 | - |
2037 | #if USE_DELAY_POOLS |
2038 | /* no point using the delayIsNoDelay stuff since tunnel is nice and simple */ |
2039 | if (!srvConn->getPeer() || !srvConn->getPeer()->options.no_delay) |
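Review bot: `commitToServer(srvConn)` now calls `server.initConnection()` before `request->hier.resetPeerNotes(srvConn, ...)`, whereas the removed lines ran `initConnection()` after it; if `initConnection()` or the `tunnelServerClosed` handler it installs can consult the hierarchy notes, the new order is observable, so either confirm the swap is harmless or keep the original order by splitting the call.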
2040 | diff --git a/tools/helper-mux/helper-mux.8 b/tools/helper-mux/helper-mux.8 |
2041 | index 788e3e6..d904e33 100644 |
2042 | --- a/tools/helper-mux/helper-mux.8 |
2043 | +++ b/tools/helper-mux/helper-mux.8 |
2044 | @@ -133,7 +133,7 @@ |
2045 | .\" ======================================================================== |
2046 | .\" |
2047 | .IX Title "HELPER-MUX 8" |
2048 | -.TH HELPER-MUX 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" |
2049 | +.TH HELPER-MUX 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
2050 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
2051 | .\" way too many mistakes in technical documents. |
2052 | .if n .ad l |
I'll review this one tomorrow.