Merge ~athos-ribeiro/ubuntu/+source/squid:MRE-kinetic-5.7 into ubuntu/+source/squid:ubuntu/kinetic-devel
Status: Rejected
Rejected by: Robie Basak
Proposed branch: ~athos-ribeiro/ubuntu/+source/squid:MRE-kinetic-5.7
Merge into: ubuntu/+source/squid:ubuntu/kinetic-devel
Diff against target: 2052 lines (+467/-220), 48 files modified:
ChangeLog (+11/-0) RELEASENOTES.html (+24/-3) compat/GnuRegex.c (+7/-0) compat/os/mswindows.h (+6/-2) configure (+16/-10) configure.ac (+2/-1) debian/NEWS (+12/-0) debian/changelog (+22/-0) debian/patches/series (+0/-3) debian/squid-openssl.postinst (+14/-0) dev/null (+0/-36) doc/release-notes/release-5.html (+24/-3) include/autoconf.h.in (+3/-0) include/version.h (+1/-1) lib/ntlmauth/ntlmauth.cc (+12/-2) src/FwdState.cc (+11/-7) src/HappyConnOpener.cc (+2/-2) src/HappyConnOpener.h (+2/-1) src/HttpHeaderTools.h (+1/-1) src/acl/RegexData.cc (+3/-0) src/acl/external/SQL_session/ext_sql_session_acl.8 (+1/-1) src/acl/external/delayer/ext_delayer_acl.8 (+1/-1) src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 (+1/-1) src/acl/external/session/ext_session_acl.cc (+11/-5) src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 (+1/-1) src/auth/basic/DB/basic_db_auth.8 (+1/-1) src/auth/basic/POP3/basic_pop3_auth.8 (+1/-1) src/base/EnumIterator.h (+7/-1) src/cache_cf.cc (+1/-1) src/cf.data.pre (+7/-3) src/cf_gen.cc (+0/-2) src/fs/ufs/RebuildState.cc (+8/-10) src/fs/ufs/RebuildState.h (+2/-2) src/http/url_rewriters/LFS/url_lfs_rewrite.8 (+1/-1) src/log/DB/log_db_daemon.8 (+1/-1) src/main.cc (+2/-0) src/sbuf/SBuf.h (+8/-1) src/security/PeerOptions.cc (+36/-32) src/security/ServerOptions.cc (+92/-0) src/security/cert_validators/fake/security_fake_certverify.8 (+1/-1) src/security/forward.h (+17/-11) src/ssl/gadgets.cc (+20/-31) src/ssl/gadgets.h (+1/-7) src/ssl/support.cc (+17/-6) src/store/id_rewriters/file/storeid_file_rewrite.8 (+1/-1) src/tests/testStoreHashIndex.cc (+6/-0) src/tunnel.cc (+48/-25) tools/helper-mux/helper-mux.8 (+1/-1)
Related bugs: none listed.
Reviewer | Review Type | Date Requested | Status
---|---|---|---
Athos Ribeiro (community) | | | Disapprove
git-ubuntu bot | | | Pending
Canonical Server Reporter | | | Pending
Sergio Durigan Junior | | | Pending
Review via email: mp+442032@code.launchpad.net
This proposal supersedes a proposal from 2023-03-31.
Commit message
Description of the change
This is the kinetic MRE for squid 5.7, as described in LP: #2013423
The most relevant change here is the official openssl 3 support. Do note that, as described in LP: #2013423, there is a configuration option whose support is being dropped. We consider this to be an acceptable tradeoff to remove the uncertainty around this package's openssl3 support.
PPA: https:/
The DEP8 test suite results:
- squid/5.
+ ✅ squid on kinetic for amd64 @ 27.04.23 12:04:00
+ ✅ squid on kinetic for arm64 @ 27.04.23 12:06:27
+ ❌ squid on kinetic for armhf @ 27.04.23 12:03:05
  • upstream-test-suite PASS 🟩
  • squid FAIL 🟥
+ ❌ squid on kinetic for i386 @ 27.04.23 11:55:16
  • upstream-test-suite FAIL 🟥
  • squid FAIL 🟥
+ ✅ squid on kinetic for ppc64el @ 27.04.23 11:58:33
+ ✅ squid on kinetic for s390x @ 27.04.23 12:02:37
Sergio Durigan Junior (sergiodj) wrote (posted in a previous version of this proposal):
Sergio Durigan Junior (sergiodj) wrote (posted in a previous version of this proposal):
Results: (from http://
squid @ amd64:
http://
31.03.23 04:10:00 ✅ Triggers: squid/5.
http://
31.03.23 11:42:04 ✅ Triggers: squid/5.
squid @ arm64:
http://
31.03.23 04:22:17 ✅ Triggers: squid/5.
http://
31.03.23 11:52:07 ✅ Triggers: squid/5.
squid @ armhf:
http://
31.03.23 04:14:45 ❌ Triggers: squid/5.
squid FAIL 🟥
http://
31.03.23 11:41:17 ❌ Triggers: squid/5.
squid FAIL 🟥
squid @ ppc64el:
http://
31.03.23 04:12:25 ✅ Triggers: squid/5.
http://
31.03.23 11:41:52 ✅ Triggers: squid/5.
squid @ s390x:
http://
31.03.23 04:10:59 ✅ Triggers: squid/5.
http://
31.03.23 12:34:12 ✅ Triggers: squid/5.
Sergio Durigan Junior (sergiodj) wrote (posted in a previous version of this proposal):
Thanks, Athos.
LGTM modulo the d/NEWS modifications I suggested in the Jammy MP. +1
git-ubuntu bot (git-ubuntu-bot) wrote (posted in a previous version of this proposal):
Approvers: athos-ribeiro, sergiodj
Uploaders: athos-ribeiro, sergiodj
MP auto-approved
Athos Ribeiro (athos-ribeiro) wrote (posted in a previous version of this proposal):
Thanks, Sergio.
Applied the suggestions (thx!) and uploaded :)
Athos Ribeiro (athos-ribeiro) wrote:
I am re-submitting this with 2 changes:
- We are now commenting out the ssl_engine configuration directive in the postinst if it is present and if the previous squid version is <= 5.7.
- We are documenting the change described above in d/NEWS.
Athos Ribeiro (athos-ribeiro) wrote:
Here is an easy way to verify the new behavior:
lxc launch ubuntu-
lxc exec squid-kk bash
# apt update && apt install -y squid-openssl
# systemctl is-active squid
> should be active
# echo 'ssl_engine dynamic' >> /etc/squid/
# systemctl restart squid
# systemctl is-active squid
> should still be active in kinetic, since our current Openssl3 support patch still supports the directive
# add-apt-repository -y ppa:athos-
# apt update && apt install -y squid-openssl
# systemctl is-active squid
> should still be active, since the postinst script commented out the ssl_engine line
# tail -n2 /etc/squid/
> should show the commented lines:
# ssl_engine is no longer supported since squid 5.7 (LP: #2013423).
# ssl_engine dynamic
# echo 'ssl_engine dynamic' >> /etc/squid/
# systemctl restart squid
# systemctl status squid
> the restart command should fail, and the status should show:
FATAL: Bungled (null) line 3: sslproxy_cert_sign signTrusted all
# cat /var/log/syslog | grep ssl_engine
FATAL: bad configuration: Cannot use ssl_engine in Squid built with OpenSSL 3.0 or newer
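The postinst behaviour described in the re-submission comment (comment out an `ssl_engine` directive when upgrading from a version at or below 5.7) and exercised by the verification steps just above, as an added example that is not the squid package's own d/squid-openssl.postinst: a small POSIX shell script that comments out every active `ssl_engine` line, leaves the marker comment the verification steps expect, and only does so after a Debian-version comparison of the previously installed version. The function names, the 5.7 cut-over value, the fallback to `sort -V` when `dpkg` is absent, and the constructed sample configuration are assumptions of this example; a real maintainer script receives the old version as the second argument of its `configure` invocation.

```shell
#!/bin/sh
# Added example, not the squid package's own postinst. Comments out the
# ssl_engine directive in a squid.conf on upgrade from a version <= 5.7
# (cut-over value assumed from the merge proposal discussion).
set -eu

# True when Debian version $1 is lower than or equal to $2. dpkg is the
# authoritative comparison inside a maintainer script; sort -V is only a
# fallback so this example also runs on non-Debian hosts (assumption).
version_le() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" le "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# Comment out every active "ssl_engine ..." line in the file named by $1,
# inserting a note that names the LP bug before each one. Lines that are
# already comments (including "#ssl_engine") are left alone, so running
# this twice is harmless. Prints the number of lines changed.
comment_out_ssl_engine() {
    conf=$1
    pattern='^[[:space:]]*ssl_engine([[:space:]]|$)'
    if ! grep -Eq "$pattern" "$conf"; then
        echo 0
        return 0
    fi
    n=$(grep -Ec "$pattern" "$conf")
    tmp=$(mktemp)
    # For each matching line: insert the note, then prefix the directive with "# ".
    sed -E "/$pattern/"'{
i\
# ssl_engine is no longer supported since squid 5.7 (LP: #2013423).
s/^[[:space:]]*/# /
}' "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # write in place; keeps the file's owner and mode
    rm -f "$tmp"
    echo "$n"
}

# Postinst-style entry point: $1 is the previously configured version
# (empty on a fresh install), $2 the configuration file to adjust.
# Prints the number of lines commented out (0 when nothing was done).
fixup_on_upgrade() {
    old=${1:-}
    conf=$2
    if [ -z "$old" ] || ! version_le "$old" "5.7"; then
        echo 0   # fresh install, or already past the cut-over: nothing to do
        return 0
    fi
    comment_out_ssl_engine "$conf"
}

# Demo on a constructed squid.conf in a temp file (not a system file).
demo() {
    f=$(mktemp)
    printf 'http_port 3128\nssl_engine dynamic\n' > "$f"
    echo "lines changed: $(fixup_on_upgrade 5.6-1ubuntu3.1 "$f")"
    tail -n 2 "$f"
    rm -f "$f"
}

if [ "${SQUID_DEMO:-}" = 1 ]; then
    demo
fi
```

Run with `SQUID_DEMO=1 sh script.sh` to see the two commented lines the verification steps above check with `tail -n2`; the upgrade guard keeps the edit from firing on fresh installs or on a later upgrade, and the regex only matches active directives, so an already-commented line is never touched again.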
Athos Ribeiro (athos-ribeiro) wrote:
- squid/5.
+ ✅ squid on kinetic for amd64 @ 28.04.23 01:20:13
+ ✅ squid on kinetic for arm64 @ 28.04.23 01:24:25
+ ❌ squid on kinetic for armhf @ 28.04.23 01:17:14
  • upstream-test-suite PASS 🟩
  • squid FAIL 🟥
+ ❌ squid on kinetic for i386 @ 28.04.23 01:09:16
  • upstream-test-suite FAIL 🟥
  • squid FAIL 🟥
+ ✅ squid on kinetic for ppc64el @ 28.04.23 01:16:34
+ ✅ squid on kinetic for s390x @ 28.04.23 01:14:46
Athos Ribeiro (athos-ribeiro) wrote:
marking bug as wontfix since kinetic reached its EOSS
Robie Basak (racb) wrote:
Athos asked me to mark this as Rejected.
Unmerged commits
- a2821d9... by Athos Ribeiro: Update changelog
- 75524db... by Athos Ribeiro: d/NEWS: document end of support of the ssh_engine directive.
- 305f507... by Athos Ribeiro: d/squid-openssl.postinst: remove ssl_engine configuration directive.
- 9d93934... by Athos Ribeiro: d/p/CVE-2022-41318.patch: drop patch to fix NTLM decoder truncated strings. [ Fixed in 5.7 ]
- 20873ef... by Athos Ribeiro: d/p/CVE-2022-41317.patch: drop patch to fix typo in manager ACL. [ Fixed in 5.7 ]
- d3785f8... by Athos Ribeiro: d/p/0006-Fix-build-against-OpenSSL-3-0.patch: drop downstream OpenSSL 3 support patch. [ Fixed in 5.7 ]
- fa498c5... by Athos Ribeiro: New Upstream release 5.7
Preview Diff
1 | diff --git a/ChangeLog b/ChangeLog | |||
2 | index f42c6d1..49174d4 100644 | |||
3 | --- a/ChangeLog | |||
4 | +++ b/ChangeLog | |||
5 | @@ -1,3 +1,14 @@ | |||
6 | 1 | Changes in squid-5.7 (05 Sep 2022): | ||
7 | 2 | |||
8 | 3 | - Regression Fix: Typo in manager ACL | ||
9 | 4 | - Bug 5186: noteDestinationsEnd check failed: transportWait | ||
10 | 5 | - Bug 5160: Test suite fails with -flto=auto | ||
11 | 6 | - Bug 3193 pt2: NTLM decoder truncating strings | ||
12 | 7 | - Bug 5133: OpenSSL 3.0 support | ||
13 | 8 | - ext_session_acl: fix TDB key lookup | ||
14 | 9 | - forward_max_tries: Do not count discarded connections | ||
15 | 10 | - ... and many compile and debugging fixes | ||
16 | 11 | |||
17 | 1 | Changes in squid-5.6 (06 Jun 2022): | 12 | Changes in squid-5.6 (06 Jun 2022): |
18 | 2 | 13 | ||
19 | 3 | - Bug 5208: Part 1: Restart kids killed by SIGKILL | 14 | - Bug 5208: Part 1: Restart kids killed by SIGKILL |
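Review bot: the new entries "Regression Fix: Typo in manager ACL" and "Bug 3193 pt2: NTLM decoder truncating strings" are the upstream fixes that the dropped d/p/CVE-2022-41317.patch and d/p/CVE-2022-41318.patch carried (see the debian/changelog entry further down), so dropping those patches is justified by this hunk; it would still be worth recording in the changelog entry that the dropped patches were checked against the corresponding upstream changes, since a divergence there would silently reopen either issue in the Ubuntu build.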
20 | diff --git a/RELEASENOTES.html b/RELEASENOTES.html | |||
21 | index a037de3..7369f54 100644 | |||
22 | --- a/RELEASENOTES.html | |||
23 | +++ b/RELEASENOTES.html | |||
24 | @@ -3,10 +3,10 @@ | |||
25 | 3 | <HEAD> | 3 | <HEAD> |
26 | 4 | <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.82"> | 4 | <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.82"> |
27 | 5 | <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> | 5 | <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> |
29 | 6 | <TITLE>Squid 5.6 release notes</TITLE> | 6 | <TITLE>Squid 5.7 release notes</TITLE> |
30 | 7 | </HEAD> | 7 | </HEAD> |
31 | 8 | <BODY> | 8 | <BODY> |
33 | 9 | <H1>Squid 5.6 release notes</H1> | 9 | <H1>Squid 5.7 release notes</H1> |
34 | 10 | 10 | ||
35 | 11 | <H2>Squid Developers</H2> | 11 | <H2>Squid Developers</H2> |
36 | 12 | <HR> | 12 | <HR> |
37 | @@ -31,6 +31,7 @@ for Applied Network Research and members of the Web Caching community.</EM> | |||
38 | 31 | <LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">TrivialDB Support</A> | 31 | <LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">TrivialDB Support</A> |
39 | 32 | <LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Loop Detection in Content Delivery Networks</A> | 32 | <LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Loop Detection in Content Delivery Networks</A> |
40 | 33 | <LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Peering support for SSL-Bump</A> | 33 | <LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Peering support for SSL-Bump</A> |
41 | 34 | <LI><A NAME="toc2.7">2.7</A> <A HREF="#ss2.7">OpenSSL 3.0 Support</A> | ||
42 | 34 | </UL> | 35 | </UL> |
43 | 35 | <P> | 36 | <P> |
44 | 36 | <H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-4</A></H2> | 37 | <H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-4</A></H2> |
45 | @@ -61,7 +62,7 @@ for Applied Network Research and members of the Web Caching community.</EM> | |||
46 | 61 | <HR> | 62 | <HR> |
47 | 62 | <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2> | 63 | <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2> |
48 | 63 | 64 | ||
50 | 64 | <P>The Squid Team are pleased to announce the release of Squid-5.6.</P> | 65 | <P>The Squid Team are pleased to announce the release of Squid-5.7.</P> |
51 | 65 | <P>This new release is available for download from | 66 | <P>This new release is available for download from |
52 | 66 | <A HREF="http://www.squid-cache.org/Versions/v5/">http://www.squid-cache.org/Versions/v5/</A> or the | 67 | <A HREF="http://www.squid-cache.org/Versions/v5/">http://www.squid-cache.org/Versions/v5/</A> or the |
53 | 67 | <A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P> | 68 | <A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P> |
54 | @@ -95,6 +96,7 @@ for how to submit a report with a stack trace.</P> | |||
55 | 95 | <LI>TrivialDB Support</LI> | 96 | <LI>TrivialDB Support</LI> |
56 | 96 | <LI>RFC 8586: Loop Detection in Content Delivery Networks</LI> | 97 | <LI>RFC 8586: Loop Detection in Content Delivery Networks</LI> |
57 | 97 | <LI>Peering support for SSL-Bump</LI> | 98 | <LI>Peering support for SSL-Bump</LI> |
58 | 99 | <LI>OpenSSL 3.0 Support</LI> | ||
59 | 98 | </UL> | 100 | </UL> |
60 | 99 | </P> | 101 | </P> |
61 | 100 | <P>Most user-facing changes are reflected in squid.conf (see below).</P> | 102 | <P>Most user-facing changes are reflected in squid.conf (see below).</P> |
62 | @@ -220,6 +222,21 @@ see TLS client handshake) <EM>before</EM> selecting the cache_peer.</P> | |||
63 | 220 | yet do TLS-in-TLS.</P> | 222 | yet do TLS-in-TLS.</P> |
64 | 221 | 223 | ||
65 | 222 | 224 | ||
66 | 225 | <H2><A NAME="ss2.7">2.7</A> <A HREF="#toc2.7">OpenSSL 3.0 Support</A> | ||
67 | 226 | </H2> | ||
68 | 227 | |||
69 | 228 | <P>Squid-5.7 adds OpenSSL 3.0 support.</P> | ||
70 | 229 | |||
71 | 230 | <P>This version of Squid does not add any of the new features provided by | ||
72 | 231 | OpenSSL 3.0. It only contains support for features already supported by prior | ||
73 | 232 | versions of Squid using new APIs provided by OpenSSL 3.0.</P> | ||
74 | 233 | |||
75 | 234 | <P>Notably the libssl custom Engine feature has been deprecated by OpenSSL 3.0 | ||
76 | 235 | and new Providers replacement is not supported by this Squid.</P> | ||
77 | 236 | |||
78 | 237 | <P>OpenSSL 3.0 uses new licensing terms.</P> | ||
79 | 238 | |||
80 | 239 | |||
81 | 223 | <H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-4</A></H2> | 240 | <H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-4</A></H2> |
82 | 224 | 241 | ||
83 | 225 | <P>There have been changes to Squid's configuration file since Squid-4.</P> | 242 | <P>There have been changes to Squid's configuration file since Squid-4.</P> |
84 | @@ -364,6 +381,10 @@ code to indicate the response was received from server using TLS/1.3.</P> | |||
85 | 364 | <P>Codes <EM>rm</EM>, <EM><rm</EM> and <EM>>rm</EM> display "-" | 381 | <P>Codes <EM>rm</EM>, <EM><rm</EM> and <EM>>rm</EM> display "-" |
86 | 365 | instead of the made-up method NONE.</P> | 382 | instead of the made-up method NONE.</P> |
87 | 366 | 383 | ||
88 | 384 | <DT><B>ssl_engine</B><DD> | ||
89 | 385 | <P>OpenSSL 3.0 deprecates the Engine feature. This directive is | ||
90 | 386 | only supported when Squid is built for older OpenSSL versions.</P> | ||
91 | 387 | |||
92 | 367 | </DL> | 388 | </DL> |
93 | 368 | </P> | 389 | </P> |
94 | 369 | 390 | ||
95 | diff --git a/compat/GnuRegex.c b/compat/GnuRegex.c | |||
96 | index 9ef932e..82c9129 100644 | |||
97 | --- a/compat/GnuRegex.c | |||
98 | +++ b/compat/GnuRegex.c | |||
99 | @@ -40,6 +40,13 @@ | |||
100 | 40 | 40 | ||
101 | 41 | #if USE_GNUREGEX /* only if squid needs it. Usually not */ | 41 | #if USE_GNUREGEX /* only if squid needs it. Usually not */ |
102 | 42 | 42 | ||
103 | 43 | /* Starting with v12.1, GCC warns of various problems with this ancient code. */ | ||
104 | 44 | /* GCC versions prior to v12.1 do not support these pragmas. */ | ||
105 | 45 | #if (__GNUC__ == 12 && __GNUC_MINOR__ >= 1) || (__GNUC__ > 12) | ||
106 | 46 | #pragma GCC diagnostic ignored "-Warray-bounds" | ||
107 | 47 | #pragma GCC diagnostic ignored "-Wuse-after-free" | ||
108 | 48 | #endif | ||
109 | 49 | |||
110 | 43 | #if !HAVE_ALLOCA | 50 | #if !HAVE_ALLOCA |
111 | 44 | #define REGEX_MALLOC 1 | 51 | #define REGEX_MALLOC 1 |
112 | 45 | #endif | 52 | #endif |
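Review bot: the added pragmas silence -Warray-bounds and -Wuse-after-free for all of compat/GnuRegex.c instead of addressing what GCC 12 flags there; -Wuse-after-free is a memory-safety diagnostic, so this is acceptable only because the file is behind USE_GNUREGEX (which the surrounding comment says is "usually not" needed). This is upstream code arriving with the 5.7 tarball rather than a packaging change, but please confirm from the build logs that USE_GNUREGEX stays disabled on every architecture, so that the suppressed warnings never cover code the proxy actually links.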
113 | diff --git a/compat/os/mswindows.h b/compat/os/mswindows.h | |||
114 | index a819767..cfc9565 100644 | |||
115 | --- a/compat/os/mswindows.h | |||
116 | +++ b/compat/os/mswindows.h | |||
117 | @@ -618,27 +618,31 @@ getsockopt(int s, int l, int o, void * v, socklen_t * n) | |||
118 | 618 | } | 618 | } |
119 | 619 | #define getsockopt(s,l,o,v,n) Squid::getsockopt(s,l,o,v,n) | 619 | #define getsockopt(s,l,o,v,n) Squid::getsockopt(s,l,o,v,n) |
120 | 620 | 620 | ||
121 | 621 | #if HAVE_DECL_INETNTOPA || HAVE_DECL_INET_NTOP | ||
122 | 621 | inline char * | 622 | inline char * |
123 | 622 | inet_ntop(int af, const void *src, char *dst, size_t size) | 623 | inet_ntop(int af, const void *src, char *dst, size_t size) |
124 | 623 | { | 624 | { |
125 | 624 | #if HAVE_DECL_INETNTOPA | 625 | #if HAVE_DECL_INETNTOPA |
126 | 625 | return (char*)InetNtopA(af, const_cast<void*>(src), dst, size); | 626 | return (char*)InetNtopA(af, const_cast<void*>(src), dst, size); |
128 | 626 | #else | 627 | #else // HAVE_DECL_INET_NTOP |
129 | 627 | return ::inet_ntop(af, src, dst, size); | 628 | return ::inet_ntop(af, src, dst, size); |
130 | 628 | #endif | 629 | #endif |
131 | 629 | } | 630 | } |
132 | 630 | #define inet_ntop(a,s,d,l) Squid::inet_ntop(a,s,d,l) | 631 | #define inet_ntop(a,s,d,l) Squid::inet_ntop(a,s,d,l) |
133 | 632 | #endif // let compat/inet_ntop.h deal with it | ||
134 | 631 | 633 | ||
135 | 634 | #if HAVE_DECL_INETPTONA || HAVE_DECL_INET_PTON | ||
136 | 632 | inline char * | 635 | inline char * |
137 | 633 | inet_pton(int af, const void *src, char *dst) | 636 | inet_pton(int af, const void *src, char *dst) |
138 | 634 | { | 637 | { |
139 | 635 | #if HAVE_DECL_INETPTONA | 638 | #if HAVE_DECL_INETPTONA |
140 | 636 | return (char*)InetPtonA(af, const_cast<void*>(src), dst); | 639 | return (char*)InetPtonA(af, const_cast<void*>(src), dst); |
142 | 637 | #else | 640 | #else // HAVE_DECL_INET_PTON |
143 | 638 | return ::inet_pton(af, src, dst); | 641 | return ::inet_pton(af, src, dst); |
144 | 639 | #endif | 642 | #endif |
145 | 640 | } | 643 | } |
146 | 641 | #define inet_pton(a,s,d) Squid::inet_pton(a,s,d) | 644 | #define inet_pton(a,s,d) Squid::inet_pton(a,s,d) |
147 | 645 | #endif // let compat/inet_pton.h deal with it | ||
148 | 642 | 646 | ||
149 | 643 | /* Simple ioctl() emulation */ | 647 | /* Simple ioctl() emulation */ |
150 | 644 | inline int | 648 | inline int |
151 | diff --git a/configure b/configure | |||
152 | index ef2f3f1..7bffb06 100755 | |||
153 | --- a/configure | |||
154 | +++ b/configure | |||
155 | @@ -1,7 +1,7 @@ | |||
156 | 1 | #! /bin/sh | 1 | #! /bin/sh |
157 | 2 | # From configure.ac Revision. | 2 | # From configure.ac Revision. |
158 | 3 | # Guess values for system-dependent variables and create Makefiles. | 3 | # Guess values for system-dependent variables and create Makefiles. |
160 | 4 | # Generated by GNU Autoconf 2.71 for Squid Web Proxy 5.6. | 4 | # Generated by GNU Autoconf 2.71 for Squid Web Proxy 5.7. |
161 | 5 | # | 5 | # |
162 | 6 | # Report bugs to <http://bugs.squid-cache.org/>. | 6 | # Report bugs to <http://bugs.squid-cache.org/>. |
163 | 7 | # | 7 | # |
164 | @@ -626,8 +626,8 @@ MAKEFLAGS= | |||
165 | 626 | # Identity of this package. | 626 | # Identity of this package. |
166 | 627 | PACKAGE_NAME='Squid Web Proxy' | 627 | PACKAGE_NAME='Squid Web Proxy' |
167 | 628 | PACKAGE_TARNAME='squid' | 628 | PACKAGE_TARNAME='squid' |
170 | 629 | PACKAGE_VERSION='5.6' | 629 | PACKAGE_VERSION='5.7' |
171 | 630 | PACKAGE_STRING='Squid Web Proxy 5.6' | 630 | PACKAGE_STRING='Squid Web Proxy 5.7' |
172 | 631 | PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' | 631 | PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' |
173 | 632 | PACKAGE_URL='' | 632 | PACKAGE_URL='' |
174 | 633 | 633 | ||
175 | @@ -1691,7 +1691,7 @@ if test "$ac_init_help" = "long"; then | |||
176 | 1691 | # Omit some internal or obsolete options to make the list less imposing. | 1691 | # Omit some internal or obsolete options to make the list less imposing. |
177 | 1692 | # This message is too long to be a string in the A/UX 3.1 sh. | 1692 | # This message is too long to be a string in the A/UX 3.1 sh. |
178 | 1693 | cat <<_ACEOF | 1693 | cat <<_ACEOF |
180 | 1694 | \`configure' configures Squid Web Proxy 5.6 to adapt to many kinds of systems. | 1694 | \`configure' configures Squid Web Proxy 5.7 to adapt to many kinds of systems. |
181 | 1695 | 1695 | ||
182 | 1696 | Usage: $0 [OPTION]... [VAR=VALUE]... | 1696 | Usage: $0 [OPTION]... [VAR=VALUE]... |
183 | 1697 | 1697 | ||
184 | @@ -1762,7 +1762,7 @@ fi | |||
185 | 1762 | 1762 | ||
186 | 1763 | if test -n "$ac_init_help"; then | 1763 | if test -n "$ac_init_help"; then |
187 | 1764 | case $ac_init_help in | 1764 | case $ac_init_help in |
189 | 1765 | short | recursive ) echo "Configuration of Squid Web Proxy 5.6:";; | 1765 | short | recursive ) echo "Configuration of Squid Web Proxy 5.7:";; |
190 | 1766 | esac | 1766 | esac |
191 | 1767 | cat <<\_ACEOF | 1767 | cat <<\_ACEOF |
192 | 1768 | 1768 | ||
193 | @@ -2196,7 +2196,7 @@ fi | |||
194 | 2196 | test -n "$ac_init_help" && exit $ac_status | 2196 | test -n "$ac_init_help" && exit $ac_status |
195 | 2197 | if $ac_init_version; then | 2197 | if $ac_init_version; then |
196 | 2198 | cat <<\_ACEOF | 2198 | cat <<\_ACEOF |
198 | 2199 | Squid Web Proxy configure 5.6 | 2199 | Squid Web Proxy configure 5.7 |
199 | 2200 | generated by GNU Autoconf 2.71 | 2200 | generated by GNU Autoconf 2.71 |
200 | 2201 | 2201 | ||
201 | 2202 | Copyright (C) 2021 Free Software Foundation, Inc. | 2202 | Copyright (C) 2021 Free Software Foundation, Inc. |
202 | @@ -3209,7 +3209,7 @@ cat >config.log <<_ACEOF | |||
203 | 3209 | This file contains any messages produced by compilers while | 3209 | This file contains any messages produced by compilers while |
204 | 3210 | running configure, to aid debugging if configure makes a mistake. | 3210 | running configure, to aid debugging if configure makes a mistake. |
205 | 3211 | 3211 | ||
207 | 3212 | It was created by Squid Web Proxy $as_me 5.6, which was | 3212 | It was created by Squid Web Proxy $as_me 5.7, which was |
208 | 3213 | generated by GNU Autoconf 2.71. Invocation command line was | 3213 | generated by GNU Autoconf 2.71. Invocation command line was |
209 | 3214 | 3214 | ||
210 | 3215 | $ $0$ac_configure_args_raw | 3215 | $ $0$ac_configure_args_raw |
211 | @@ -4701,7 +4701,7 @@ fi | |||
212 | 4701 | 4701 | ||
213 | 4702 | # Define the identity of the package. | 4702 | # Define the identity of the package. |
214 | 4703 | PACKAGE='squid' | 4703 | PACKAGE='squid' |
216 | 4704 | VERSION='5.6' | 4704 | VERSION='5.7' |
217 | 4705 | 4705 | ||
218 | 4706 | 4706 | ||
219 | 4707 | printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h | 4707 | printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h |
220 | @@ -25257,6 +25257,12 @@ then : | |||
221 | 25257 | printf "%s\n" "#define HAVE_OPENSSL_CRYPTO_H 1" >>confdefs.h | 25257 | printf "%s\n" "#define HAVE_OPENSSL_CRYPTO_H 1" >>confdefs.h |
222 | 25258 | 25258 | ||
223 | 25259 | fi | 25259 | fi |
224 | 25260 | ac_fn_cxx_check_header_compile "$LINENO" "openssl/decoder.h" "ac_cv_header_openssl_decoder_h" "$ac_includes_default" | ||
225 | 25261 | if test "x$ac_cv_header_openssl_decoder_h" = xyes | ||
226 | 25262 | then : | ||
227 | 25263 | printf "%s\n" "#define HAVE_OPENSSL_DECODER_H 1" >>confdefs.h | ||
228 | 25264 | |||
229 | 25265 | fi | ||
230 | 25260 | ac_fn_cxx_check_header_compile "$LINENO" "openssl/dh.h" "ac_cv_header_openssl_dh_h" "$ac_includes_default" | 25266 | ac_fn_cxx_check_header_compile "$LINENO" "openssl/dh.h" "ac_cv_header_openssl_dh_h" "$ac_includes_default" |
231 | 25261 | if test "x$ac_cv_header_openssl_dh_h" = xyes | 25267 | if test "x$ac_cv_header_openssl_dh_h" = xyes |
232 | 25262 | then : | 25268 | then : |
233 | @@ -48442,7 +48448,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |||
234 | 48442 | # report actual input values of CONFIG_FILES etc. instead of their | 48448 | # report actual input values of CONFIG_FILES etc. instead of their |
235 | 48443 | # values after options handling. | 48449 | # values after options handling. |
236 | 48444 | ac_log=" | 48450 | ac_log=" |
238 | 48445 | This file was extended by Squid Web Proxy $as_me 5.6, which was | 48451 | This file was extended by Squid Web Proxy $as_me 5.7, which was |
239 | 48446 | generated by GNU Autoconf 2.71. Invocation command line was | 48452 | generated by GNU Autoconf 2.71. Invocation command line was |
240 | 48447 | 48453 | ||
241 | 48448 | CONFIG_FILES = $CONFIG_FILES | 48454 | CONFIG_FILES = $CONFIG_FILES |
242 | @@ -48510,7 +48516,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\ | |||
243 | 48510 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | 48516 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
244 | 48511 | ac_cs_config='$ac_cs_config_escaped' | 48517 | ac_cs_config='$ac_cs_config_escaped' |
245 | 48512 | ac_cs_version="\\ | 48518 | ac_cs_version="\\ |
247 | 48513 | Squid Web Proxy config.status 5.6 | 48519 | Squid Web Proxy config.status 5.7 |
248 | 48514 | configured by $0, generated by GNU Autoconf 2.71, | 48520 | configured by $0, generated by GNU Autoconf 2.71, |
249 | 48515 | with options \\"\$ac_cs_config\\" | 48521 | with options \\"\$ac_cs_config\\" |
250 | 48516 | 48522 | ||
251 | diff --git a/configure.ac b/configure.ac | |||
252 | index 0cf6f9a..17aac0d 100644 | |||
253 | --- a/configure.ac | |||
254 | +++ b/configure.ac | |||
255 | @@ -5,7 +5,7 @@ | |||
256 | 5 | ## Please see the COPYING and CONTRIBUTORS files for details. | 5 | ## Please see the COPYING and CONTRIBUTORS files for details. |
257 | 6 | ## | 6 | ## |
258 | 7 | 7 | ||
260 | 8 | AC_INIT([Squid Web Proxy],[5.6],[http://bugs.squid-cache.org/],[squid]) | 8 | AC_INIT([Squid Web Proxy],[5.7],[http://bugs.squid-cache.org/],[squid]) |
261 | 9 | AC_PREREQ(2.61) | 9 | AC_PREREQ(2.61) |
262 | 10 | AC_CONFIG_HEADERS([include/autoconf.h]) | 10 | AC_CONFIG_HEADERS([include/autoconf.h]) |
263 | 11 | AC_CONFIG_AUX_DIR(cfgaux) | 11 | AC_CONFIG_AUX_DIR(cfgaux) |
264 | @@ -1333,6 +1333,7 @@ if test "x$with_openssl" = "xyes"; then | |||
265 | 1333 | openssl/bio.h \ | 1333 | openssl/bio.h \ |
266 | 1334 | openssl/bn.h \ | 1334 | openssl/bn.h \ |
267 | 1335 | openssl/crypto.h \ | 1335 | openssl/crypto.h \ |
268 | 1336 | openssl/decoder.h \ | ||
269 | 1336 | openssl/dh.h \ | 1337 | openssl/dh.h \ |
270 | 1337 | openssl/err.h \ | 1338 | openssl/err.h \ |
271 | 1338 | openssl/evp.h \ | 1339 | openssl/evp.h \ |
272 | diff --git a/debian/NEWS b/debian/NEWS | |||
273 | index 83136fb..e229d83 100644 | |||
274 | --- a/debian/NEWS | |||
275 | +++ b/debian/NEWS | |||
276 | @@ -1,3 +1,15 @@ | |||
277 | 1 | squid (5.7-0ubuntu0.22.10.1) kinetic; urgency=medium | ||
278 | 2 | |||
279 | 3 | The support for the "ssl_engine" configuration directive has been dropped, | ||
280 | 4 | meaning squid would fail to start for installations using that directive. | ||
281 | 5 | There is no current workaround for this issue since squid does not provide | ||
282 | 6 | support for OpenSSL >= 3 Providers yet. Therefore, your ssl_engine | ||
283 | 7 | configuration directive will be commented out (if present) to avoid service | ||
284 | 8 | disruption on upgrades. You can find more context on that particular change | ||
285 | 9 | at https://github.com/squid-cache/squid/pull/694. | ||
286 | 10 | |||
287 | 11 | -- Athos Ribeiro <athos.ribeiro@canonical.com> Thu, 06 Apr 2023 18:27:15 -0300 | ||
288 | 12 | |||
289 | 1 | squid (5.1-2) unstable; urgency=medium | 13 | squid (5.1-2) unstable; urgency=medium |
290 | 2 | 14 | ||
291 | 3 | ext_session_acl and ext_time_quota_acl helpers have been switched from | 15 | ext_session_acl and ext_time_quota_acl helpers have been switched from |
292 | diff --git a/debian/changelog b/debian/changelog | |||
293 | index 396cc68..4f6976a 100644 | |||
294 | --- a/debian/changelog | |||
295 | +++ b/debian/changelog | |||
296 | @@ -1,3 +1,25 @@ | |||
297 | 1 | squid (5.7-0ubuntu0.22.10.1) kinetic; urgency=medium | ||
298 | 2 | |||
299 | 3 | * New upstream version. (LP: #2013423): | ||
300 | 4 | - Add OpenSSL 3.0 support for features that were already supported by | ||
301 | 5 | squid. No new OpenSSL 3.0 feature support added at this time. | ||
302 | 6 | - Drop support for the libssl custom Engine feature for builds linked to | ||
303 | 7 | OpenSSL 3.0. Therefore, the configuration directive ssl_engine is no | ||
304 | 8 | longer supported for builds using OpenSSL >= 3. | ||
305 | 9 | - For a comprehensive list of changes, please see | ||
306 | 10 | http://www.squid-cache.org/Versions/v5/ChangeLog.html. | ||
307 | 11 | * d/p/0006-Fix-build-against-OpenSSL-3-0.patch: drop downstream | ||
308 | 12 | OpenSSL 3 support patch. | ||
309 | 13 | [ Fixed in 5.7 ] | ||
310 | 14 | * d/p/CVE-2022-41317.patch: drop patch to fix typo in manager ACL. | ||
311 | 15 | [ Fixed in 5.7 ] | ||
312 | 16 | * d/p/CVE-2022-41318.patch: drop patch to fix NTLM decoder truncated strings. | ||
313 | 17 | [ Fixed in 5.7 ] | ||
314 | 18 | * d/squid-openssl.postinst: remove ssl_engine configuration directive. | ||
315 | 19 | * d/NEWS: document end of support of the ssh_engine directive. | ||
316 | 20 | |||
317 | 21 | -- Athos Ribeiro <athos.ribeiro@canonical.com> Thu, 30 Mar 2023 07:27:09 -0300 | ||
318 | 22 | |||
319 | 1 | squid (5.6-1ubuntu3.1) kinetic; urgency=medium | 23 | squid (5.6-1ubuntu3.1) kinetic; urgency=medium |
320 | 2 | 24 | ||
321 | 3 | * Make builds fail when upstream test suite fails (LP: #2004050): | 25 | * Make builds fail when upstream test suite fails (LP: #2004050): |
322 | diff --git a/debian/patches/0006-Fix-build-against-OpenSSL-3-0.patch b/debian/patches/0006-Fix-build-against-OpenSSL-3-0.patch | |||
323 | 4 | deleted file mode 100644 | 26 | deleted file mode 100644 |
324 | index a8f2916..0000000 | |||
325 | --- a/debian/patches/0006-Fix-build-against-OpenSSL-3-0.patch | |||
326 | +++ /dev/null | |||
327 | @@ -1,210 +0,0 @@ | |||
328 | 1 | From: Nicholas Guriev <guriev-ns@ya.ru> | ||
329 | 2 | Date: Tue, 31 May 2022 22:31:08 +0300 | ||
330 | 3 | Subject: Make build against OpenSSL-3.0 possible | ||
331 | 4 | In OpenSSL, the SSL_get_ex_new_index macro (substituted to | ||
332 | 5 | CRYPTO_get_ex_new_index) requires CRYPTO_EX_dup as the second callback. This | ||
333 | 6 | typedef, for some reason, has got an extra asterisk near void* within | ||
334 | 7 | arguments into the third version. Freely conversions from void* to void** is | ||
335 | 8 | okay in C but prohibited in C++. So I've updated the callback prototype to | ||
336 | 9 | match the last OpenSSL version. | ||
337 | 10 | . | ||
338 | 11 | OpenSSL pre-3.0 defined all of the SSL_OP_* macros with numeric hexadecimal | ||
339 | 12 | literals. However, the third version uses there casting expressions with | ||
340 | 13 | shifts which preprocessor is unable to compute. So I check only macros | ||
341 | 14 | existence, this lets Squid accept obsolete options. But it's nothing, | ||
342 | 15 | OpenSSL should ignore them anyway. | ||
343 | 16 | |||
344 | 17 | --- | ||
345 | 18 | acinclude/lib-checks.m4 | 2 - | ||
346 | 19 | src/security/PeerOptions.cc | 50 ++++++++++++++++++++++---------------------- | ||
347 | 20 | src/ssl/support.cc | 2 - | ||
348 | 21 | 3 files changed, 27 insertions(+), 27 deletions(-) | ||
349 | 22 | |||
350 | 23 | --- a/acinclude/lib-checks.m4 | ||
351 | 24 | +++ b/acinclude/lib-checks.m4 | ||
352 | 25 | @@ -236,7 +236,7 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_CRYP | ||
353 | 26 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([ | ||
354 | 27 | #include <openssl/ssl.h> | ||
355 | 28 | |||
356 | 29 | -int const_dup_func(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, int, long, void *) { | ||
357 | 30 | +int const_dup_func(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **, int, long, void *) { | ||
358 | 31 | return 0; | ||
359 | 32 | } | ||
360 | 33 | ],[ | ||
361 | 34 | --- a/src/security/PeerOptions.cc | ||
362 | 35 | +++ b/src/security/PeerOptions.cc | ||
363 | 36 | @@ -297,130 +297,130 @@ static struct ssl_option { | ||
364 | 37 | |||
365 | 38 | } ssl_options[] = { | ||
366 | 39 | |||
367 | 40 | -#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | ||
368 | 41 | +#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | ||
369 | 42 | { | ||
370 | 43 | "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | ||
371 | 44 | }, | ||
372 | 45 | #endif | ||
373 | 46 | -#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG | ||
374 | 47 | +#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG | ||
375 | 48 | { | ||
376 | 49 | "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG | ||
377 | 50 | }, | ||
378 | 51 | #endif | ||
379 | 52 | -#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | ||
380 | 53 | +#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | ||
381 | 54 | { | ||
382 | 55 | "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | ||
383 | 56 | }, | ||
384 | 57 | #endif | ||
385 | 58 | -#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG | ||
386 | 59 | +#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG | ||
387 | 60 | { | ||
388 | 61 | "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG | ||
389 | 62 | }, | ||
390 | 63 | #endif | ||
391 | 64 | -#if SSL_OP_TLS_D5_BUG | ||
392 | 65 | +#ifdef SSL_OP_TLS_D5_BUG | ||
393 | 66 | { | ||
394 | 67 | "TLS_D5_BUG", SSL_OP_TLS_D5_BUG | ||
395 | 68 | }, | ||
396 | 69 | #endif | ||
397 | 70 | -#if SSL_OP_TLS_BLOCK_PADDING_BUG | ||
398 | 71 | +#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG | ||
399 | 72 | { | ||
400 | 73 | "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG | ||
401 | 74 | }, | ||
402 | 75 | #endif | ||
403 | 76 | -#if SSL_OP_TLS_ROLLBACK_BUG | ||
404 | 77 | +#ifdef SSL_OP_TLS_ROLLBACK_BUG | ||
405 | 78 | { | ||
406 | 79 | "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG | ||
407 | 80 | }, | ||
408 | 81 | #endif | ||
409 | 82 | -#if SSL_OP_ALL | ||
410 | 83 | +#ifdef SSL_OP_ALL | ||
411 | 84 | { | ||
412 | 85 | "ALL", (long)SSL_OP_ALL | ||
413 | 86 | }, | ||
414 | 87 | #endif | ||
415 | 88 | -#if SSL_OP_SINGLE_DH_USE | ||
416 | 89 | +#ifdef SSL_OP_SINGLE_DH_USE | ||
417 | 90 | { | ||
418 | 91 | "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE | ||
419 | 92 | }, | ||
420 | 93 | #endif | ||
421 | 94 | -#if SSL_OP_EPHEMERAL_RSA | ||
422 | 95 | +#ifdef SSL_OP_EPHEMERAL_RSA | ||
423 | 96 | { | ||
424 | 97 | "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA | ||
425 | 98 | }, | ||
426 | 99 | #endif | ||
427 | 100 | -#if SSL_OP_PKCS1_CHECK_1 | ||
428 | 101 | +#ifdef SSL_OP_PKCS1_CHECK_1 | ||
429 | 102 | { | ||
430 | 103 | "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 | ||
431 | 104 | }, | ||
432 | 105 | #endif | ||
433 | 106 | -#if SSL_OP_PKCS1_CHECK_2 | ||
434 | 107 | +#ifdef SSL_OP_PKCS1_CHECK_2 | ||
435 | 108 | { | ||
436 | 109 | "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 | ||
437 | 110 | }, | ||
438 | 111 | #endif | ||
439 | 112 | -#if SSL_OP_NETSCAPE_CA_DN_BUG | ||
440 | 113 | +#ifdef SSL_OP_NETSCAPE_CA_DN_BUG | ||
441 | 114 | { | ||
442 | 115 | "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG | ||
443 | 116 | }, | ||
444 | 117 | #endif | ||
445 | 118 | -#if SSL_OP_NON_EXPORT_FIRST | ||
446 | 119 | +#ifdef SSL_OP_NON_EXPORT_FIRST | ||
447 | 120 | { | ||
448 | 121 | "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST | ||
449 | 122 | }, | ||
450 | 123 | #endif | ||
451 | 124 | -#if SSL_OP_CIPHER_SERVER_PREFERENCE | ||
452 | 125 | +#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE | ||
453 | 126 | { | ||
454 | 127 | "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE | ||
455 | 128 | }, | ||
456 | 129 | #endif | ||
457 | 130 | -#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG | ||
458 | 131 | +#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG | ||
459 | 132 | { | ||
460 | 133 | "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG | ||
461 | 134 | }, | ||
462 | 135 | #endif | ||
463 | 136 | -#if SSL_OP_NO_SSLv3 | ||
464 | 137 | +#ifdef SSL_OP_NO_SSLv3 | ||
465 | 138 | { | ||
466 | 139 | "NO_SSLv3", SSL_OP_NO_SSLv3 | ||
467 | 140 | }, | ||
468 | 141 | #endif | ||
469 | 142 | -#if SSL_OP_NO_TLSv1 | ||
470 | 143 | +#ifdef SSL_OP_NO_TLSv1 | ||
471 | 144 | { | ||
472 | 145 | "NO_TLSv1", SSL_OP_NO_TLSv1 | ||
473 | 146 | }, | ||
474 | 147 | #else | ||
475 | 148 | { "NO_TLSv1", 0 }, | ||
476 | 149 | #endif | ||
477 | 150 | -#if SSL_OP_NO_TLSv1_1 | ||
478 | 151 | +#ifdef SSL_OP_NO_TLSv1_1 | ||
479 | 152 | { | ||
480 | 153 | "NO_TLSv1_1", SSL_OP_NO_TLSv1_1 | ||
481 | 154 | }, | ||
482 | 155 | #else | ||
483 | 156 | { "NO_TLSv1_1", 0 }, | ||
484 | 157 | #endif | ||
485 | 158 | -#if SSL_OP_NO_TLSv1_2 | ||
486 | 159 | +#ifdef SSL_OP_NO_TLSv1_2 | ||
487 | 160 | { | ||
488 | 161 | "NO_TLSv1_2", SSL_OP_NO_TLSv1_2 | ||
489 | 162 | }, | ||
490 | 163 | #else | ||
491 | 164 | { "NO_TLSv1_2", 0 }, | ||
492 | 165 | #endif | ||
493 | 166 | -#if SSL_OP_NO_TLSv1_3 | ||
494 | 167 | +#ifdef SSL_OP_NO_TLSv1_3 | ||
495 | 168 | { | ||
496 | 169 | "NO_TLSv1_3", SSL_OP_NO_TLSv1_3 | ||
497 | 170 | }, | ||
498 | 171 | #else | ||
499 | 172 | { "NO_TLSv1_3", 0 }, | ||
500 | 173 | #endif | ||
501 | 174 | -#if SSL_OP_NO_COMPRESSION | ||
502 | 175 | +#ifdef SSL_OP_NO_COMPRESSION | ||
503 | 176 | { | ||
504 | 177 | "No_Compression", SSL_OP_NO_COMPRESSION | ||
505 | 178 | }, | ||
506 | 179 | #endif | ||
507 | 180 | -#if SSL_OP_NO_TICKET | ||
508 | 181 | +#ifdef SSL_OP_NO_TICKET | ||
509 | 182 | { | ||
510 | 183 | "NO_TICKET", SSL_OP_NO_TICKET | ||
511 | 184 | }, | ||
512 | 185 | #endif | ||
513 | 186 | -#if SSL_OP_SINGLE_ECDH_USE | ||
514 | 187 | +#ifdef SSL_OP_SINGLE_ECDH_USE | ||
515 | 188 | { | ||
516 | 189 | "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE | ||
517 | 190 | }, | ||
518 | 191 | @@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions() | ||
519 | 192 | |||
520 | 193 | } | ||
521 | 194 | |||
522 | 195 | -#if SSL_OP_NO_SSLv2 | ||
523 | 196 | +#ifdef SSL_OP_NO_SSLv2 | ||
524 | 197 | // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 | ||
525 | 198 | op = op | SSL_OP_NO_SSLv2; | ||
526 | 199 | #endif | ||
527 | 200 | --- a/src/ssl/support.cc | ||
528 | 201 | +++ b/src/ssl/support.cc | ||
529 | 202 | @@ -559,7 +559,7 @@ Ssl::VerifyCallbackParameters::At(Securi | ||
530 | 203 | // "dup" function for SSL_get_ex_new_index("cert_err_check") | ||
531 | 204 | #if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP | ||
532 | 205 | static int | ||
533 | 206 | -ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, | ||
534 | 207 | +ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **, | ||
535 | 208 | int, long, void *) | ||
536 | 209 | #else | ||
537 | 210 | static int | ||
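Review bot: dropping the OpenSSL 3.0 build patch (the 0006-Fix-build-against-OpenSSL-3-0.patch entry that also disappears from debian/patches/series) assumes the upstream 5.7 source carries the same two fixes it contained: the `#if` to `#ifdef` guards around the `SSL_OP_*` option table in src/security/PeerOptions.cc, and the `void **` third parameter of the CRYPTO_EX_DATA dup callback in both the acinclude/lib-checks.m4 probe and src/ssl/support.cc. The replacement hunks for those files are not visible here, so please confirm, in particular for the regenerated `configure`: if the probe's prototype is wrong the `AC_COMPILE_IFELSE` test fails quietly, `SQUID_USE_CONST_CRYPTO_EX_DATA_DUP` stays undefined, and support.cc silently falls into the `#else` branch with the old signature.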
538 | diff --git a/debian/patches/CVE-2022-41317.patch b/debian/patches/CVE-2022-41317.patch | |||
539 | 211 | deleted file mode 100644 | 0 | deleted file mode 100644 |
540 | index c5447db..0000000 | |||
541 | --- a/debian/patches/CVE-2022-41317.patch | |||
542 | +++ /dev/null | |||
543 | @@ -1,19 +0,0 @@ | |||
544 | 1 | commit 55151c545a8e0bd2cb69036da5794c9cb21018b2 | ||
545 | 2 | Author: Amos Jeffries <yadij@users.noreply.github.com> | ||
546 | 3 | Date: 2022-08-17 23:32:43 +0000 | ||
547 | 4 | |||
548 | 5 | Fix typo in manager ACL (#1113) | ||
549 | 6 | |||
550 | 7 | diff --git a/src/cf.data.pre b/src/cf.data.pre | ||
551 | 8 | index a0bdb2f83..118256437 100644 | ||
552 | 9 | --- a/src/cf.data.pre | ||
553 | 10 | +++ b/src/cf.data.pre | ||
554 | 11 | @@ -1036,7 +1036,7 @@ DEFAULT: ssl::certUntrusted ssl_error X509_V_ERR_INVALID_CA X509_V_ERR_SELF_SIGN | ||
555 | 12 | DEFAULT: ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT | ||
556 | 13 | ENDIF | ||
557 | 14 | DEFAULT: all src all | ||
558 | 15 | -DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/ | ||
559 | 16 | +DEFAULT: manager url_regex -i ^cache_object:// +i ^[^:]+://[^/]+/squid-internal-mgr/ | ||
560 | 17 | DEFAULT: localhost src 127.0.0.1/32 ::1 | ||
561 | 18 | DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1/128 ::/128 | ||
562 | 19 | DEFAULT: CONNECT method CONNECT | ||
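Review bot: removing this patch is only safe if the 5.7 upstream src/cf.data.pre carries the same `manager` ACL default (`^[^:]+://[^/]+/squid-internal-mgr/` instead of `^https?://`); that hunk is not visible here, and 90-cf.data.ubuntu.patch, which stays in the series and presumably also touches cf.data.pre, should be checked to still apply against the changed default. Since this change is the CVE-2022-41317 fix, keep the CVE id in debian/changelog so it remains traceable that the issue is now closed by the new upstream version rather than by a patch that no longer exists.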
563 | diff --git a/debian/patches/CVE-2022-41318.patch b/debian/patches/CVE-2022-41318.patch | |||
564 | 20 | deleted file mode 100644 | 0 | deleted file mode 100644 |
565 | index 02a66ea..0000000 | |||
566 | --- a/debian/patches/CVE-2022-41318.patch | |||
567 | +++ /dev/null | |||
568 | @@ -1,36 +0,0 @@ | |||
569 | 1 | commit 8eca72c14f94e8591b0d40bd6210ec68d1e54c46 | ||
570 | 2 | Author: Amos Jeffries <yadij@users.noreply.github.com> | ||
571 | 3 | Date: 2022-08-09 23:34:54 +0000 | ||
572 | 4 | |||
573 | 5 | Bug 3193 pt2: NTLM decoder truncating strings (#1114) | ||
574 | 6 | |||
575 | 7 | The initial bug fix overlooked large 'offset' causing integer | ||
576 | 8 | wrap to extract a too-short length string. | ||
577 | 9 | |||
578 | 10 | Improve debugs and checks sequence to clarify cases and ensure | ||
579 | 11 | that all are handled correctly. | ||
580 | 12 | |||
581 | 13 | --- a/lib/ntlmauth/ntlmauth.cc | ||
582 | 14 | +++ b/lib/ntlmauth/ntlmauth.cc | ||
583 | 15 | @@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet, | ||
584 | 16 | int32_t o = le32toh(str->offset); | ||
585 | 17 | // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o); | ||
586 | 18 | |||
587 | 19 | - if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) { | ||
588 | 20 | - debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); | ||
589 | 21 | + if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) { | ||
590 | 22 | + debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); | ||
591 | 23 | return rv; | ||
592 | 24 | } | ||
593 | 25 | + else if (o <= 0 || o > packet_size) { | ||
594 | 26 | + debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); | ||
595 | 27 | + return rv; | ||
596 | 28 | + } | ||
597 | 29 | + else if (l > packet_size - o) { | ||
598 | 30 | + debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); | ||
599 | 31 | + return rv; | ||
600 | 32 | + } | ||
601 | 33 | + | ||
602 | 34 | rv.str = (char *)packet + o; | ||
603 | 35 | rv.l = 0; | ||
604 | 36 | if ((flags & NTLM_NEGOTIATE_ASCII) == 0) { | ||
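Review bot: this removal is consistent with the lib/ntlmauth/ntlmauth.cc hunk further down in this diff, which carries the identical `ntlm_fetch_string` change, so the fix is not lost. As with CVE-2022-41317, the CVE-2022-41318 reference should still appear in debian/changelog for the new version.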
605 | diff --git a/debian/patches/series b/debian/patches/series | |||
606 | index 8c2318e..eb9acfd 100644 | |||
607 | --- a/debian/patches/series | |||
608 | +++ b/debian/patches/series | |||
609 | @@ -1,10 +1,7 @@ | |||
610 | 1 | 0001-Default-configuration-file-for-debian.patch | 1 | 0001-Default-configuration-file-for-debian.patch |
611 | 2 | 0002-Change-default-file-locations-for-debian.patch | 2 | 0002-Change-default-file-locations-for-debian.patch |
612 | 3 | 0005-Use-RuntimeDirectory-to-create-run-squid.patch | 3 | 0005-Use-RuntimeDirectory-to-create-run-squid.patch |
613 | 4 | 0006-Fix-build-against-OpenSSL-3-0.patch | ||
614 | 5 | 90-cf.data.ubuntu.patch | 4 | 90-cf.data.ubuntu.patch |
615 | 6 | 99-ubuntu-ssl-cert-snakeoil.patch | 5 | 99-ubuntu-ssl-cert-snakeoil.patch |
616 | 7 | fix-max-pkt-sz-for-icmpEchoData-padding.patch | 6 | fix-max-pkt-sz-for-icmpEchoData-padding.patch |
617 | 8 | 0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch | 7 | 0009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch |
618 | 9 | CVE-2022-41317.patch | ||
619 | 10 | CVE-2022-41318.patch | ||
620 | diff --git a/debian/squid-openssl.postinst b/debian/squid-openssl.postinst | |||
621 | index f64fd49..8c3e4e0 100644 | |||
622 | --- a/debian/squid-openssl.postinst | |||
623 | +++ b/debian/squid-openssl.postinst | |||
624 | @@ -1,6 +1,12 @@ | |||
625 | 1 | #! /bin/sh | 1 | #! /bin/sh |
626 | 2 | 2 | ||
627 | 3 | set -e | 3 | set -e |
628 | 4 | remove_ssl_engine_config() { | ||
629 | 5 | match='^([ \t]*ssl_engine[ \t].*)$' | ||
630 | 6 | doc='# ssl_engine is no longer supported since squid 5.7 (LP: #2013423).' | ||
631 | 7 | find /etc/squid/ -type f,l -name "*.conf" -exec \ | ||
632 | 8 | sed -Ei "s/${match}/${doc}\n# \1/" '{}' \; | ||
633 | 9 | } | ||
634 | 4 | 10 | ||
635 | 5 | grepconf () { | 11 | grepconf () { |
636 | 6 | w=" " # space tab | 12 | w=" " # space tab |
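Review bot: `sed -Ei` on the symlinks that `find -type f,l` deliberately matches will replace each symlink with a regular file, because GNU sed's in-place mode writes a new file and renames it over the target unless `--follow-symlinks` is given; either drop `l` from `-type` or add `--follow-symlinks`. Two smaller points: `-type f,l` and `\n` in the replacement are GNU extensions (fine on Ubuntu, but worth a comment in the function), and only `*.conf` files directly under /etc/squid/ are scanned, so an `ssl_engine` line in an included file with another extension or in another directory survives untouched. The regex itself is sound: the inserted `# \1` line starts with `#`, so a second run cannot match it again.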
637 | @@ -70,6 +76,14 @@ case "$1" in | |||
638 | 70 | chmod u+s $PINGER | 76 | chmod u+s $PINGER |
639 | 71 | fi | 77 | fi |
640 | 72 | 78 | ||
641 | 79 | # | ||
642 | 80 | # Remove the unsupported ssl_engine configuration directive, if present. | ||
643 | 81 | # LP: #2013423 | ||
644 | 82 | # | ||
645 | 83 | if dpkg --compare-versions "$2" lt-nl "5.7"; then | ||
646 | 84 | remove_ssl_engine_config | ||
647 | 85 | fi | ||
648 | 86 | |||
649 | 73 | ;; | 87 | ;; |
650 | 74 | abort-upgrade|abort-remove|abort-deconfigure) | 88 | abort-upgrade|abort-remove|abort-deconfigure) |
651 | 75 | ;; | 89 | ;; |
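Review bot: this rewrites files under /etc/squid/ from a maintainer script; if squid.conf is shipped as a conffile, Debian Policy 10.7.3 says maintainer scripts must not alter a conffile of any package, including their own, so the edit should either be limited to a warning in the postinst output plus a debian/NEWS entry, or be restricted to files that are not conffiles. The version guard is otherwise right: `dpkg --compare-versions "$2" lt-nl "5.7"` treats an empty `$2` (fresh install) as newer than 5.7, so `remove_ssl_engine_config` only runs on upgrades from a pre-5.7 package, and a 5.7 to 5.7 reinstall does not repeat it.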
652 | diff --git a/doc/release-notes/release-5.html b/doc/release-notes/release-5.html | |||
653 | index a037de3..7369f54 100644 | |||
654 | --- a/doc/release-notes/release-5.html | |||
655 | +++ b/doc/release-notes/release-5.html | |||
656 | @@ -3,10 +3,10 @@ | |||
657 | 3 | <HEAD> | 3 | <HEAD> |
658 | 4 | <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.82"> | 4 | <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.82"> |
659 | 5 | <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> | 5 | <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> |
661 | 6 | <TITLE>Squid 5.6 release notes</TITLE> | 6 | <TITLE>Squid 5.7 release notes</TITLE> |
662 | 7 | </HEAD> | 7 | </HEAD> |
663 | 8 | <BODY> | 8 | <BODY> |
665 | 9 | <H1>Squid 5.6 release notes</H1> | 9 | <H1>Squid 5.7 release notes</H1> |
666 | 10 | 10 | ||
667 | 11 | <H2>Squid Developers</H2> | 11 | <H2>Squid Developers</H2> |
668 | 12 | <HR> | 12 | <HR> |
669 | @@ -31,6 +31,7 @@ for Applied Network Research and members of the Web Caching community.</EM> | |||
670 | 31 | <LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">TrivialDB Support</A> | 31 | <LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">TrivialDB Support</A> |
671 | 32 | <LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Loop Detection in Content Delivery Networks</A> | 32 | <LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Loop Detection in Content Delivery Networks</A> |
672 | 33 | <LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Peering support for SSL-Bump</A> | 33 | <LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Peering support for SSL-Bump</A> |
673 | 34 | <LI><A NAME="toc2.7">2.7</A> <A HREF="#ss2.7">OpenSSL 3.0 Support</A> | ||
674 | 34 | </UL> | 35 | </UL> |
675 | 35 | <P> | 36 | <P> |
676 | 36 | <H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-4</A></H2> | 37 | <H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-4</A></H2> |
677 | @@ -61,7 +62,7 @@ for Applied Network Research and members of the Web Caching community.</EM> | |||
678 | 61 | <HR> | 62 | <HR> |
679 | 62 | <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2> | 63 | <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2> |
680 | 63 | 64 | ||
682 | 64 | <P>The Squid Team are pleased to announce the release of Squid-5.6.</P> | 65 | <P>The Squid Team are pleased to announce the release of Squid-5.7.</P> |
683 | 65 | <P>This new release is available for download from | 66 | <P>This new release is available for download from |
684 | 66 | <A HREF="http://www.squid-cache.org/Versions/v5/">http://www.squid-cache.org/Versions/v5/</A> or the | 67 | <A HREF="http://www.squid-cache.org/Versions/v5/">http://www.squid-cache.org/Versions/v5/</A> or the |
685 | 67 | <A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P> | 68 | <A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P> |
686 | @@ -95,6 +96,7 @@ for how to submit a report with a stack trace.</P> | |||
687 | 95 | <LI>TrivialDB Support</LI> | 96 | <LI>TrivialDB Support</LI> |
688 | 96 | <LI>RFC 8586: Loop Detection in Content Delivery Networks</LI> | 97 | <LI>RFC 8586: Loop Detection in Content Delivery Networks</LI> |
689 | 97 | <LI>Peering support for SSL-Bump</LI> | 98 | <LI>Peering support for SSL-Bump</LI> |
690 | 99 | <LI>OpenSSL 3.0 Support</LI> | ||
691 | 98 | </UL> | 100 | </UL> |
692 | 99 | </P> | 101 | </P> |
693 | 100 | <P>Most user-facing changes are reflected in squid.conf (see below).</P> | 102 | <P>Most user-facing changes are reflected in squid.conf (see below).</P> |
694 | @@ -220,6 +222,21 @@ see TLS client handshake) <EM>before</EM> selecting the cache_peer.</P> | |||
695 | 220 | yet do TLS-in-TLS.</P> | 222 | yet do TLS-in-TLS.</P> |
696 | 221 | 223 | ||
697 | 222 | 224 | ||
698 | 225 | <H2><A NAME="ss2.7">2.7</A> <A HREF="#toc2.7">OpenSSL 3.0 Support</A> | ||
699 | 226 | </H2> | ||
700 | 227 | |||
701 | 228 | <P>Squid-5.7 adds OpenSSL 3.0 support.</P> | ||
702 | 229 | |||
703 | 230 | <P>This version of Squid does not add any of the new features provided by | ||
704 | 231 | OpenSSL 3.0. It only contains support for features already supported by prior | ||
705 | 232 | versions of Squid using new APIs provided by OpenSSL 3.0.</P> | ||
706 | 233 | |||
707 | 234 | <P>Notably the libssl custom Engine feature has been deprecated by OpenSSL 3.0 | ||
708 | 235 | and new Providers replacement is not supported by this Squid.</P> | ||
709 | 236 | |||
710 | 237 | <P>OpenSSL 3.0 uses new licensing terms.</P> | ||
711 | 238 | |||
712 | 239 | |||
713 | 223 | <H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-4</A></H2> | 240 | <H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-4</A></H2> |
714 | 224 | 241 | ||
715 | 225 | <P>There have been changes to Squid's configuration file since Squid-4.</P> | 242 | <P>There have been changes to Squid's configuration file since Squid-4.</P> |
716 | @@ -364,6 +381,10 @@ code to indicate the response was received from server using TLS/1.3.</P> | |||
717 | 364 | <P>Codes <EM>rm</EM>, <EM><rm</EM> and <EM>>rm</EM> display "-" | 381 | <P>Codes <EM>rm</EM>, <EM><rm</EM> and <EM>>rm</EM> display "-" |
718 | 365 | instead of the made-up method NONE.</P> | 382 | instead of the made-up method NONE.</P> |
719 | 366 | 383 | ||
720 | 384 | <DT><B>ssl_engine</B><DD> | ||
721 | 385 | <P>OpenSSL 3.0 deprecates the Engine feature. This directive is | ||
722 | 386 | only supported when Squid is built for older OpenSSL versions.</P> | ||
723 | 387 | |||
724 | 367 | </DL> | 388 | </DL> |
725 | 368 | </P> | 389 | </P> |
726 | 369 | 390 | ||
727 | diff --git a/include/autoconf.h.in b/include/autoconf.h.in | |||
728 | index fe0a3da..92533bf 100644 | |||
729 | --- a/include/autoconf.h.in | |||
730 | +++ b/include/autoconf.h.in | |||
731 | @@ -772,6 +772,9 @@ | |||
732 | 772 | /* Define to 1 if you have the <openssl/crypto.h> header file. */ | 772 | /* Define to 1 if you have the <openssl/crypto.h> header file. */ |
733 | 773 | #undef HAVE_OPENSSL_CRYPTO_H | 773 | #undef HAVE_OPENSSL_CRYPTO_H |
734 | 774 | 774 | ||
735 | 775 | /* Define to 1 if you have the <openssl/decoder.h> header file. */ | ||
736 | 776 | #undef HAVE_OPENSSL_DECODER_H | ||
737 | 777 | |||
738 | 775 | /* Define to 1 if you have the <openssl/dh.h> header file. */ | 778 | /* Define to 1 if you have the <openssl/dh.h> header file. */ |
739 | 776 | #undef HAVE_OPENSSL_DH_H | 779 | #undef HAVE_OPENSSL_DH_H |
740 | 777 | 780 | ||
741 | diff --git a/include/version.h b/include/version.h | |||
742 | index 77b3d91..14c1335 100644 | |||
743 | --- a/include/version.h | |||
744 | +++ b/include/version.h | |||
745 | @@ -7,7 +7,7 @@ | |||
746 | 7 | */ | 7 | */ |
747 | 8 | 8 | ||
748 | 9 | #ifndef SQUID_RELEASE_TIME | 9 | #ifndef SQUID_RELEASE_TIME |
750 | 10 | #define SQUID_RELEASE_TIME 1654468914 | 10 | #define SQUID_RELEASE_TIME 1662392113 |
751 | 11 | #endif | 11 | #endif |
752 | 12 | 12 | ||
753 | 13 | /* | 13 | /* |
754 | diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc | |||
755 | index 7e2156d..dac8a7e 100644 | |||
756 | --- a/lib/ntlmauth/ntlmauth.cc | |||
757 | +++ b/lib/ntlmauth/ntlmauth.cc | |||
758 | @@ -12,6 +12,7 @@ | |||
759 | 12 | #include "squid.h" | 12 | #include "squid.h" |
760 | 13 | 13 | ||
761 | 14 | #include <cstring> | 14 | #include <cstring> |
762 | 15 | #include <ctime> | ||
763 | 15 | #include <random> | 16 | #include <random> |
764 | 16 | #if HAVE_STRINGS_H | 17 | #if HAVE_STRINGS_H |
765 | 17 | #include <strings.h> | 18 | #include <strings.h> |
766 | @@ -107,10 +108,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr | |||
767 | 107 | int32_t o = le32toh(str->offset); | 108 | int32_t o = le32toh(str->offset); |
768 | 108 | // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o); | 109 | // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o); |
769 | 109 | 110 | ||
772 | 110 | if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) { | 111 | if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) { |
773 | 111 | debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); | 112 | debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); |
774 | 112 | return rv; | 113 | return rv; |
775 | 113 | } | 114 | } |
776 | 115 | else if (o <= 0 || o > packet_size) { | ||
777 | 116 | debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); | ||
778 | 117 | return rv; | ||
779 | 118 | } | ||
780 | 119 | else if (l > packet_size - o) { | ||
781 | 120 | debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o); | ||
782 | 121 | return rv; | ||
783 | 122 | } | ||
784 | 123 | |||
785 | 114 | rv.str = (char *)packet + o; | 124 | rv.str = (char *)packet + o; |
786 | 115 | rv.l = 0; | 125 | rv.l = 0; |
787 | 116 | if ((flags & NTLM_NEGOTIATE_ASCII) == 0) { | 126 | if ((flags & NTLM_NEGOTIATE_ASCII) == 0) { |
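Review bot: the three-way split removes the signed overflow in the old `o + l > packet_size` test: `o` is now bounded to `(0, packet_size]` before `l > packet_size - o` is evaluated, so the subtraction cannot wrap, and `l` is already bounded by `NTLM_MAX_FIELD_LENGTH`. One edge worth a comment: `o == packet_size` with `l == 0` passes all three checks and leaves `rv.str` pointing one past the end of the packet with a zero length, which is harmless only as long as every caller honours `rv.l` before dereferencing. This hunk is line for line the dropped debian/patches/CVE-2022-41318.patch, so removing that patch from the series is consistent.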
788 | diff --git a/src/FwdState.cc b/src/FwdState.cc | |||
789 | index e493a88..bdcfcd6 100644 | |||
790 | --- a/src/FwdState.cc | |||
791 | +++ b/src/FwdState.cc | |||
792 | @@ -641,7 +641,6 @@ FwdState::noteDestination(Comm::ConnectionPointer path) | |||
793 | 641 | if (transporting()) | 641 | if (transporting()) |
794 | 642 | return; // and continue to receive destinations for backup | 642 | return; // and continue to receive destinations for backup |
795 | 643 | 643 | ||
796 | 644 | // This is the first path candidate we have seen. Use it. | ||
797 | 645 | useDestinations(); | 644 | useDestinations(); |
798 | 646 | } | 645 | } |
799 | 647 | 646 | ||
800 | @@ -657,12 +656,8 @@ FwdState::noteDestinationsEnd(ErrorState *selectionError) | |||
801 | 657 | Must(!err); // if we tried to connect, then path selection succeeded | 656 | Must(!err); // if we tried to connect, then path selection succeeded |
802 | 658 | fail(selectionError); | 657 | fail(selectionError); |
803 | 659 | } | 658 | } |
804 | 660 | else if (err) | ||
805 | 661 | debugs(17, 3, "Will abort forwarding because all found paths have failed."); | ||
806 | 662 | else | ||
807 | 663 | debugs(17, 3, "Will abort forwarding because path selection found no paths."); | ||
808 | 664 | 659 | ||
810 | 665 | useDestinations(); // will detect and handle the lack of paths | 660 | stopAndDestroy("path selection found no paths"); |
811 | 666 | return; | 661 | return; |
812 | 667 | } | 662 | } |
813 | 668 | // else continue to use one of the previously noted destinations; | 663 | // else continue to use one of the previously noted destinations; |
814 | @@ -675,7 +670,16 @@ FwdState::noteDestinationsEnd(ErrorState *selectionError) | |||
815 | 675 | return; // and continue to wait for FwdState::noteConnection() callback | 670 | return; // and continue to wait for FwdState::noteConnection() callback |
816 | 676 | } | 671 | } |
817 | 677 | 672 | ||
819 | 678 | Must(transporting()); // or we would be stuck with nothing to do or wait for | 673 | if (transporting()) { |
820 | 674 | // We are already using a previously opened connection (but were also | ||
821 | 675 | // receiving more destinations in case we need to re-forward). | ||
822 | 676 | debugs(17, 7, "keep transporting"); | ||
823 | 677 | return; | ||
824 | 678 | } | ||
825 | 679 | |||
826 | 680 | // destinationsFound, but none of them worked, and we were waiting for more | ||
827 | 681 | assert(err); | ||
828 | 682 | stopAndDestroy("all found paths have failed"); | ||
829 | 679 | } | 683 | } |
830 | 680 | 684 | ||
831 | 681 | /// makes sure connection opener knows that the destinations have changed | 685 | /// makes sure connection opener knows that the destinations have changed |
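Review bot: the new fall-through ends in `assert(err)` while the rest of this function uses `Must()` (see the `Must(!err)` check earlier in the same function): in Squid `assert` logs and aborts the worker, whereas `Must` throws and lets the job fail cleanly, so a path-selection state this code did not anticipate would now crash the process instead of aborting one request. If this is an invariant that can never be violated, a short comment saying why would help; otherwise `Must(err)` with `stopAndDestroy("all found paths have failed")` keeps the existing failure model. Replacing `Must(transporting())` with an explicit `if (transporting()) { ...; return; }` branch is otherwise a clear improvement.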
832 | diff --git a/src/HappyConnOpener.cc b/src/HappyConnOpener.cc | |||
833 | index 6d83ff1..a9f2df5 100644 | |||
834 | --- a/src/HappyConnOpener.cc | |||
835 | +++ b/src/HappyConnOpener.cc | |||
836 | @@ -568,8 +568,6 @@ HappyConnOpener::openFreshConnection(Attempt &attempt, PeerConnectionPointer &de | |||
837 | 568 | const auto conn = dest->cloneProfile(); | 568 | const auto conn = dest->cloneProfile(); |
838 | 569 | GetMarkingsToServer(cause.getRaw(), *conn); | 569 | GetMarkingsToServer(cause.getRaw(), *conn); |
839 | 570 | 570 | ||
840 | 571 | ++n_tries; | ||
841 | 572 | |||
842 | 573 | typedef CommCbMemFunT<HappyConnOpener, CommConnectCbParams> Dialer; | 571 | typedef CommCbMemFunT<HappyConnOpener, CommConnectCbParams> Dialer; |
843 | 574 | AsyncCall::Pointer callConnect = asyncCall(48, 5, attempt.callbackMethodName, | 572 | AsyncCall::Pointer callConnect = asyncCall(48, 5, attempt.callbackMethodName, |
844 | 575 | Dialer(this, attempt.callbackMethod)); | 573 | Dialer(this, attempt.callbackMethod)); |
845 | @@ -611,6 +609,8 @@ HappyConnOpener::handleConnOpenerAnswer(Attempt &attempt, const CommConnectCbPar | |||
846 | 611 | handledPath.finalize(params.conn); // closed on errors | 609 | handledPath.finalize(params.conn); // closed on errors |
847 | 612 | attempt.finish(); | 610 | attempt.finish(); |
848 | 613 | 611 | ||
849 | 612 | ++n_tries; | ||
850 | 613 | |||
851 | 614 | if (params.flag == Comm::OK) { | 614 | if (params.flag == Comm::OK) { |
852 | 615 | sendSuccess(handledPath, false, what); | 615 | sendSuccess(handledPath, false, what); |
853 | 616 | return; | 616 | return; |
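Review bot: moving `++n_tries` from openFreshConnection() to handleConnOpenerAnswer() changes what the counter means: an attempt is now counted when it finishes rather than when it is started, so attempts still in flight when the opener gives up are no longer included. That matches the reworded comment on `n_tries` in the HappyConnOpener.h hunk, but any limit, retry decision or log line that compared `n_tries` against a maximum number of started attempts should be rechecked against the new semantics.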
854 | diff --git a/src/HappyConnOpener.h b/src/HappyConnOpener.h | |||
855 | index c57c431..63e4df9 100644 | |||
856 | --- a/src/HappyConnOpener.h | |||
857 | +++ b/src/HappyConnOpener.h | |||
858 | @@ -258,7 +258,8 @@ private: | |||
859 | 258 | /// the request that needs a to-server connection | 258 | /// the request that needs a to-server connection |
860 | 259 | HttpRequestPointer cause; | 259 | HttpRequestPointer cause; |
861 | 260 | 260 | ||
863 | 261 | /// number of connection opening attempts, including those in the requestor | 261 | /// number of our finished connection opening attempts (including pconn |
864 | 262 | /// reuses) plus previously finished attempts supplied by the requestor | ||
865 | 262 | int n_tries; | 263 | int n_tries; |
866 | 263 | 264 | ||
867 | 264 | /// Reason to ran out of time or attempts | 265 | /// Reason to ran out of time or attempts |
868 | diff --git a/src/HttpHeaderTools.h b/src/HttpHeaderTools.h | |||
869 | index d017dfe..3720864 100644 | |||
870 | --- a/src/HttpHeaderTools.h | |||
871 | +++ b/src/HttpHeaderTools.h | |||
872 | @@ -67,7 +67,7 @@ public: | |||
873 | 67 | private: | 67 | private: |
874 | 68 | /// Case-insensitive std::string "less than" comparison functor. | 68 | /// Case-insensitive std::string "less than" comparison functor. |
875 | 69 | /// Fast version recommended by Meyers' "Effective STL" for ASCII c-strings. | 69 | /// Fast version recommended by Meyers' "Effective STL" for ASCII c-strings. |
877 | 70 | class NoCaseLessThan: public std::binary_function<std::string, std::string, bool> | 70 | class NoCaseLessThan |
878 | 71 | { | 71 | { |
879 | 72 | public: | 72 | public: |
880 | 73 | bool operator()(const std::string &lhs, const std::string &rhs) const { | 73 | bool operator()(const std::string &lhs, const std::string &rhs) const { |
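Review bot: dropping the `std::binary_function` base is required for C++17 and later, where that template was removed (it was already deprecated in C++11), and nothing else is needed here because the functor only provides `operator()`. The one thing that could break is code relying on the inherited `first_argument_type`, `second_argument_type` or `result_type` typedefs, which would now fail to compile, so a clean build is the check.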
881 | diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc | |||
882 | index 91a9ba9..2be5342 100644 | |||
883 | --- a/src/acl/RegexData.cc | |||
884 | +++ b/src/acl/RegexData.cc | |||
885 | @@ -83,6 +83,9 @@ ACLRegexData::dump() const | |||
886 | 83 | static const char * | 83 | static const char * |
887 | 84 | removeUnnecessaryWildcards(char * t) | 84 | removeUnnecessaryWildcards(char * t) |
888 | 85 | { | 85 | { |
889 | 86 | if (strcmp(t, ".*") == 0) // we cannot simplify that further | ||
890 | 87 | return t; // avoid "WARNING: ... Using '.*' instead" below | ||
891 | 88 | |||
892 | 86 | char * orig = t; | 89 | char * orig = t; |
893 | 87 | 90 | ||
894 | 88 | if (strncmp(t, "^.*", 3) == 0) | 91 | if (strncmp(t, "^.*", 3) == 0) |
895 | diff --git a/src/acl/external/SQL_session/ext_sql_session_acl.8 b/src/acl/external/SQL_session/ext_sql_session_acl.8 | |||
896 | index 9ddf338..6a22fd7 100644 | |||
897 | --- a/src/acl/external/SQL_session/ext_sql_session_acl.8 | |||
898 | +++ b/src/acl/external/SQL_session/ext_sql_session_acl.8 | |||
899 | @@ -133,7 +133,7 @@ | |||
900 | 133 | .\" ======================================================================== | 133 | .\" ======================================================================== |
901 | 134 | .\" | 134 | .\" |
902 | 135 | .IX Title "EXT_SQL_SESSION_ACL 8" | 135 | .IX Title "EXT_SQL_SESSION_ACL 8" |
904 | 136 | .TH EXT_SQL_SESSION_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" | 136 | .TH EXT_SQL_SESSION_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
905 | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
906 | 138 | .\" way too many mistakes in technical documents. | 138 | .\" way too many mistakes in technical documents. |
907 | 139 | .if n .ad l | 139 | .if n .ad l |
908 | diff --git a/src/acl/external/delayer/ext_delayer_acl.8 b/src/acl/external/delayer/ext_delayer_acl.8 | |||
909 | index a7783de..1149322 100644 | |||
910 | --- a/src/acl/external/delayer/ext_delayer_acl.8 | |||
911 | +++ b/src/acl/external/delayer/ext_delayer_acl.8 | |||
912 | @@ -133,7 +133,7 @@ | |||
913 | 133 | .\" ======================================================================== | 133 | .\" ======================================================================== |
914 | 134 | .\" | 134 | .\" |
915 | 135 | .IX Title "EXT_DELAYER_ACL 8" | 135 | .IX Title "EXT_DELAYER_ACL 8" |
917 | 136 | .TH EXT_DELAYER_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" | 136 | .TH EXT_DELAYER_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
918 | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
919 | 138 | .\" way too many mistakes in technical documents. | 138 | .\" way too many mistakes in technical documents. |
920 | 139 | .if n .ad l | 139 | .if n .ad l |
921 | diff --git a/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 b/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 | |||
922 | index edec6bd..5ae9af5 100644 | |||
923 | --- a/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 | |||
924 | +++ b/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 | |||
925 | @@ -133,7 +133,7 @@ | |||
926 | 133 | .\" ======================================================================== | 133 | .\" ======================================================================== |
927 | 134 | .\" | 134 | .\" |
928 | 135 | .IX Title "EXT_KERBEROS_SID_GROUP_ACL 8" | 135 | .IX Title "EXT_KERBEROS_SID_GROUP_ACL 8" |
930 | 136 | .TH EXT_KERBEROS_SID_GROUP_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" | 136 | .TH EXT_KERBEROS_SID_GROUP_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
931 | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
932 | 138 | .\" way too many mistakes in technical documents. | 138 | .\" way too many mistakes in technical documents. |
933 | 139 | .if n .ad l | 139 | .if n .ad l |
934 | diff --git a/src/acl/external/session/ext_session_acl.cc b/src/acl/external/session/ext_session_acl.cc | |||
935 | index ba21b6e..d6ee15e 100644 | |||
936 | --- a/src/acl/external/session/ext_session_acl.cc | |||
937 | +++ b/src/acl/external/session/ext_session_acl.cc | |||
938 | @@ -197,13 +197,19 @@ copyValue(void *dst, const DB_ENTRY *src, size_t sz) | |||
939 | 197 | static int session_active(const char *details, size_t len) | 197 | static int session_active(const char *details, size_t len) |
940 | 198 | { | 198 | { |
941 | 199 | #if USE_BERKLEYDB | 199 | #if USE_BERKLEYDB |
945 | 200 | DBT key = {0}; | 200 | DBT key = {}; |
946 | 201 | DBT data = {0}; | 201 | key.data = const_cast<char*>(details); |
944 | 202 | key.data = (void *)details; | ||
947 | 203 | key.size = len; | 202 | key.size = len; |
948 | 203 | |||
949 | 204 | DBT data = {}; | ||
950 | 204 | #elif USE_TRIVIALDB | 205 | #elif USE_TRIVIALDB |
953 | 205 | TDB_DATA key; | 206 | TDB_DATA key = {}; |
954 | 206 | TDB_DATA data; | 207 | key.dptr = reinterpret_cast<decltype(key.dptr)>(const_cast<char*>(details)); |
955 | 208 | key.dsize = len; | ||
956 | 209 | |||
957 | 210 | TDB_DATA data = {}; | ||
958 | 211 | #else | ||
959 | 212 | (void)len; | ||
960 | 207 | #endif | 213 | #endif |
961 | 208 | if (fetchKey(key, &data)) { | 214 | if (fetchKey(key, &data)) { |
962 | 209 | time_t timestamp; | 215 | time_t timestamp; |
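Review bot: the `const_cast<char*>(details)` (and the `reinterpret_cast` to `decltype(key.dptr)` in the TDB branch) discards the const-ness of the caller's buffer before handing it to `fetchKey()`; that is only safe because the lookup never writes through `key.data`/`key.dptr`, so a one-line comment stating that would stop a future reader from "fixing" it. The switch from `{0}` to `{}` is the right way to zero the whole struct without a missing-field-initializer warning. In the new `#else` branch only `len` is marked as used; if that branch is ever compiled, `details` will trigger the same unused-parameter warning.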
963 | diff --git a/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 b/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 | |||
964 | index 9113719..7506e2f 100644 | |||
965 | --- a/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 | |||
966 | +++ b/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 | |||
967 | @@ -133,7 +133,7 @@ | |||
968 | 133 | .\" ======================================================================== | 133 | .\" ======================================================================== |
969 | 134 | .\" | 134 | .\" |
970 | 135 | .IX Title "EXT_WBINFO_GROUP_ACL 8" | 135 | .IX Title "EXT_WBINFO_GROUP_ACL 8" |
972 | 136 | .TH EXT_WBINFO_GROUP_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" | 136 | .TH EXT_WBINFO_GROUP_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
973 | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
974 | 138 | .\" way too many mistakes in technical documents. | 138 | .\" way too many mistakes in technical documents. |
975 | 139 | .if n .ad l | 139 | .if n .ad l |
976 | diff --git a/src/auth/basic/DB/basic_db_auth.8 b/src/auth/basic/DB/basic_db_auth.8 | |||
977 | index 07ffc10..a180993 100644 | |||
978 | --- a/src/auth/basic/DB/basic_db_auth.8 | |||
979 | +++ b/src/auth/basic/DB/basic_db_auth.8 | |||
980 | @@ -133,7 +133,7 @@ | |||
981 | 133 | .\" ======================================================================== | 133 | .\" ======================================================================== |
982 | 134 | .\" | 134 | .\" |
983 | 135 | .IX Title "BASIC_DB_AUTH 8" | 135 | .IX Title "BASIC_DB_AUTH 8" |
985 | 136 | .TH BASIC_DB_AUTH 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" | 136 | .TH BASIC_DB_AUTH 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
986 | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
987 | 138 | .\" way too many mistakes in technical documents. | 138 | .\" way too many mistakes in technical documents. |
988 | 139 | .if n .ad l | 139 | .if n .ad l |
989 | diff --git a/src/auth/basic/POP3/basic_pop3_auth.8 b/src/auth/basic/POP3/basic_pop3_auth.8 | |||
990 | index 85bd803..ddf8057 100644 | |||
991 | --- a/src/auth/basic/POP3/basic_pop3_auth.8 | |||
992 | +++ b/src/auth/basic/POP3/basic_pop3_auth.8 | |||
993 | @@ -133,7 +133,7 @@ | |||
994 | 133 | .\" ======================================================================== | 133 | .\" ======================================================================== |
995 | 134 | .\" | 134 | .\" |
996 | 135 | .IX Title "BASIC_POP3_AUTH 8" | 135 | .IX Title "BASIC_POP3_AUTH 8" |
998 | 136 | .TH BASIC_POP3_AUTH 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" | 136 | .TH BASIC_POP3_AUTH 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
999 | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
1000 | 138 | .\" way too many mistakes in technical documents. | 138 | .\" way too many mistakes in technical documents. |
1001 | 139 | .if n .ad l | 139 | .if n .ad l |
1002 | diff --git a/src/base/EnumIterator.h b/src/base/EnumIterator.h | |||
1003 | index 5d88100..96cb826 100644 | |||
1004 | --- a/src/base/EnumIterator.h | |||
1005 | +++ b/src/base/EnumIterator.h | |||
1006 | @@ -20,7 +20,7 @@ | |||
1007 | 20 | * \see EnumIterator, ReverseEnumIterator | 20 | * \see EnumIterator, ReverseEnumIterator |
1008 | 21 | */ | 21 | */ |
1009 | 22 | template <typename EnumType> | 22 | template <typename EnumType> |
1011 | 23 | class EnumIteratorBase : public std::iterator<std::bidirectional_iterator_tag, EnumType> | 23 | class EnumIteratorBase |
1012 | 24 | { | 24 | { |
1013 | 25 | protected: | 25 | protected: |
1014 | 26 | #if HAVE_STD_UNDERLYING_TYPE | 26 | #if HAVE_STD_UNDERLYING_TYPE |
1015 | @@ -30,6 +30,12 @@ protected: | |||
1016 | 30 | #endif | 30 | #endif |
1017 | 31 | 31 | ||
1018 | 32 | public: | 32 | public: |
1019 | 33 | using iterator_category = std::bidirectional_iterator_tag; | ||
1020 | 34 | using value_type = EnumType; | ||
1021 | 35 | using difference_type = std::ptrdiff_t; | ||
1022 | 36 | using pointer = EnumType *; | ||
1023 | 37 | using reference = EnumType &; | ||
1024 | 38 | |||
1025 | 33 | explicit EnumIteratorBase(EnumType e) : current(static_cast<iterator_type>(e)) {} | 39 | explicit EnumIteratorBase(EnumType e) : current(static_cast<iterator_type>(e)) {} |
1026 | 34 | 40 | ||
1027 | 35 | bool operator==(const EnumIteratorBase &i) const { | 41 | bool operator==(const EnumIteratorBase &i) const { |
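Review bot: the five trait aliases now spell out `std::ptrdiff_t`, which the removed `std::iterator` base supplied implicitly, so confirm that `EnumIterator.h` includes `<cstddef>` (and still includes `<iterator>` for `std::bidirectional_iterator_tag`) rather than relying on transitive includes. The aliases reproduce exactly the defaults of `std::iterator<std::bidirectional_iterator_tag, EnumType>`, so iterator behaviour is unchanged and the only effect is silencing the C++17 deprecation of `std::iterator`.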
1028 | diff --git a/src/cache_cf.cc b/src/cache_cf.cc | |||
1029 | index cb746dc..1bae8d3 100644 | |||
1030 | --- a/src/cache_cf.cc | |||
1031 | +++ b/src/cache_cf.cc | |||
1032 | @@ -720,7 +720,7 @@ configDoConfigure(void) | |||
1033 | 720 | * the extra space is for loop detection in client_side.c -- we search | 720 | * the extra space is for loop detection in client_side.c -- we search |
1034 | 721 | * for substrings in the Via header. | 721 | * for substrings in the Via header. |
1035 | 722 | */ | 722 | */ |
1037 | 723 | snprintf(ThisCache2, sizeof(ThisCache), " %s (%s)", | 723 | snprintf(ThisCache2, sizeof(ThisCache2), " %s (%s)", |
1038 | 724 | uniqueHostname(), | 724 | uniqueHostname(), |
1039 | 725 | visible_appname_string); | 725 | visible_appname_string); |
1040 | 726 | 726 | ||
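Review bot: the old call bounded the write into `ThisCache2` by `sizeof(ThisCache)`, i.e. by the size of a different buffer; if the two arrays have different sizes this was either a needless truncation or an over-bound that lets `snprintf` write past `ThisCache2`. The hunk does not show the declarations, so the reviewer should check them to decide whether this is a memory-safety fix that deserves its own line in debian/changelog.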
1041 | diff --git a/src/cf.data.pre b/src/cf.data.pre | |||
1042 | index 48f3e13..ee8c720 100644 | |||
1043 | --- a/src/cf.data.pre | |||
1044 | +++ b/src/cf.data.pre | |||
1045 | @@ -1036,7 +1036,7 @@ DEFAULT: ssl::certUntrusted ssl_error X509_V_ERR_INVALID_CA X509_V_ERR_SELF_SIGN | |||
1046 | 1036 | DEFAULT: ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT | 1036 | DEFAULT: ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT |
1047 | 1037 | ENDIF | 1037 | ENDIF |
1048 | 1038 | DEFAULT: all src all | 1038 | DEFAULT: all src all |
1050 | 1039 | DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/ | 1039 | DEFAULT: manager url_regex -i ^cache_object:// +i ^[^:]+://[^/]+/squid-internal-mgr/ |
1051 | 1040 | DEFAULT: localhost src 127.0.0.1/32 ::1 | 1040 | DEFAULT: localhost src 127.0.0.1/32 ::1 |
1052 | 1041 | DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1/128 ::/128 | 1041 | DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1/128 ::/128 |
1053 | 1042 | DEFAULT: CONNECT method CONNECT | 1042 | DEFAULT: CONNECT method CONNECT |
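Review bot: changing the default `manager` ACL from `^https?://` to `^[^:]+://` is a behavioural change in a security-relevant default, since any scheme with a `/squid-internal-mgr/` path now matches `manager` and is therefore subject to the `http_access` rules for it. It should be called out in debian/NEWS (this proposal already adds a NEWS entry) so administrators who rely on the old, narrower match know that more requests now hit the manager rules.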
1054 | @@ -3049,6 +3049,8 @@ DEFAULT: none | |||
1055 | 3049 | DOC_START | 3049 | DOC_START |
1056 | 3050 | The OpenSSL engine to use. You will need to set this if you | 3050 | The OpenSSL engine to use. You will need to set this if you |
1057 | 3051 | would like to use hardware SSL acceleration for example. | 3051 | would like to use hardware SSL acceleration for example. |
1058 | 3052 | |||
1059 | 3053 | Not supported in builds with OpenSSL 3.0 or newer. | ||
1060 | 3052 | DOC_END | 3054 | DOC_END |
1061 | 3053 | 3055 | ||
1062 | 3054 | NAME: sslproxy_session_ttl | 3056 | NAME: sslproxy_session_ttl |
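Review bot: the added sentence documents that `sslproxy_cert`-style engine loading is unavailable on OpenSSL 3, which is what this Ubuntu release builds against; it would help to state in the same DOC block what Squid does when the directive is nevertheless set (ignore with a warning or refuse the configuration), since the hunk does not tell the administrator which to expect.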
1063 | @@ -4004,8 +4006,10 @@ DOC_START | |||
1064 | 4004 | For the purpose of this limit, Squid counts all high-level request | 4006 | For the purpose of this limit, Squid counts all high-level request |
1065 | 4005 | forwarding attempts, including any same-destination retries after | 4007 | forwarding attempts, including any same-destination retries after |
1066 | 4006 | certain persistent connection failures and any attempts to use a | 4008 | certain persistent connection failures and any attempts to use a |
1069 | 4007 | different peer. However, low-level connection reopening attempts | 4009 | different peer. However, these low-level attempts are not counted: |
1070 | 4008 | (enabled using connect_retries) are not counted. | 4010 | * connection reopening attempts (enabled using connect_retries) |
1071 | 4011 | * unfinished Happy Eyeballs connection attempts (prevented by setting | ||
1072 | 4012 | happy_eyeballs_connect_limit to 0) | ||
1073 | 4009 | 4013 | ||
1074 | 4010 | See also: forward_timeout and connect_retries. | 4014 | See also: forward_timeout and connect_retries. |
1075 | 4011 | DOC_END | 4015 | DOC_END |
1076 | diff --git a/src/cf_gen.cc b/src/cf_gen.cc | |||
1077 | index 3d33f9e..b72642c 100644 | |||
1078 | --- a/src/cf_gen.cc | |||
1079 | +++ b/src/cf_gen.cc | |||
1080 | @@ -378,7 +378,6 @@ main(int argc, char *argv[]) | |||
1081 | 378 | } else if (!strcmp(buff, "NOCOMMENT_START")) { | 378 | } else if (!strcmp(buff, "NOCOMMENT_START")) { |
1082 | 379 | state = sNOCOMMENT; | 379 | state = sNOCOMMENT; |
1083 | 380 | } else { // if (buff != NULL) { | 380 | } else { // if (buff != NULL) { |
1084 | 381 | assert(buff != NULL); | ||
1085 | 382 | entries.back().doc.push_back(buff); | 381 | entries.back().doc.push_back(buff); |
1086 | 383 | } | 382 | } |
1087 | 384 | break; | 383 | break; |
1088 | @@ -387,7 +386,6 @@ main(int argc, char *argv[]) | |||
1089 | 387 | if (!strcmp(buff, "NOCOMMENT_END")) { | 386 | if (!strcmp(buff, "NOCOMMENT_END")) { |
1090 | 388 | state = sDOC; | 387 | state = sDOC; |
1091 | 389 | } else { // if (buff != NULL) { | 388 | } else { // if (buff != NULL) { |
1092 | 390 | assert(buff != NULL); | ||
1093 | 391 | entries.back().nocomment.push_back(buff); | 389 | entries.back().nocomment.push_back(buff); |
1094 | 392 | } | 390 | } |
1095 | 393 | break; | 391 | break; |
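Review bot: both removed `assert(buff != NULL)` lines were dead checks: in each `else` branch `buff` has already been dereferenced by the preceding `strcmp(buff, ...)`, so a null `buff` would have crashed before the assert ran. Removing them is correct and has no runtime effect; the stale `// if (buff != NULL) {` comments on the `else` lines could go in the same cleanup.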
1096 | diff --git a/src/fs/ufs/RebuildState.cc b/src/fs/ufs/RebuildState.cc | |||
1097 | index bc8d181..1af6e41 100644 | |||
1098 | --- a/src/fs/ufs/RebuildState.cc | |||
1099 | +++ b/src/fs/ufs/RebuildState.cc | |||
1100 | @@ -44,8 +44,6 @@ Fs::Ufs::RebuildState::RebuildState(RefCount<UFSSwapDir> aSwapDir) : | |||
1101 | 44 | _done(false), | 44 | _done(false), |
1102 | 45 | cbdata(NULL) | 45 | cbdata(NULL) |
1103 | 46 | { | 46 | { |
1104 | 47 | *fullpath = 0; | ||
1105 | 48 | *fullfilename = 0; | ||
1106 | 49 | 47 | ||
1107 | 50 | /* | 48 | /* |
1108 | 51 | * If the swap.state file exists in the cache_dir, then | 49 | * If the swap.state file exists in the cache_dir, then |
1109 | @@ -379,14 +377,14 @@ Fs::Ufs::RebuildState::getNextFile(sfileno * filn_p, int *) | |||
1110 | 379 | } | 377 | } |
1111 | 380 | 378 | ||
1112 | 381 | if (0 == in_dir) { /* we need to read in a new directory */ | 379 | if (0 == in_dir) { /* we need to read in a new directory */ |
1116 | 382 | snprintf(fullpath, sizeof(fullpath), "%s/%02X/%02X", | 380 | fullpath.Printf("%s/%02X/%02X", |
1117 | 383 | sd->path, | 381 | sd->path, |
1118 | 384 | curlvl1, curlvl2); | 382 | curlvl1, curlvl2); |
1119 | 385 | 383 | ||
1120 | 386 | if (dirs_opened) | 384 | if (dirs_opened) |
1121 | 387 | return -1; | 385 | return -1; |
1122 | 388 | 386 | ||
1124 | 389 | td = opendir(fullpath); | 387 | td = opendir(fullpath.c_str()); |
1125 | 390 | 388 | ||
1126 | 391 | ++dirs_opened; | 389 | ++dirs_opened; |
1127 | 392 | 390 | ||
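Review bot: replacing the `MAXPATHLEN` array with `SBuf::Printf` removes the silent truncation of long `cache_dir` paths, but note that `fullpath.c_str()` may reallocate the buffer to append a terminator and the returned pointer is only valid until the next mutation of `fullpath`; the immediate use in `opendir()` is fine, so the pattern to keep is "call `c_str()` at the point of use, never cache it".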
1128 | @@ -425,10 +423,10 @@ Fs::Ufs::RebuildState::getNextFile(sfileno * filn_p, int *) | |||
1129 | 425 | continue; | 423 | continue; |
1130 | 426 | } | 424 | } |
1131 | 427 | 425 | ||
1136 | 428 | snprintf(fullfilename, sizeof(fullfilename), "%s/%s", | 426 | fullfilename.Printf(SQUIDSBUFPH "/%s", |
1137 | 429 | fullpath, entry->d_name); | 427 | SQUIDSBUFPRINT(fullpath), entry->d_name); |
1138 | 430 | debugs(47, 3, HERE << "Opening " << fullfilename); | 428 | debugs(47, 3, "Opening " << fullfilename); |
1139 | 431 | fd = file_open(fullfilename, O_RDONLY | O_BINARY); | 429 | fd = file_open(fullfilename.c_str(), O_RDONLY | O_BINARY); |
1140 | 432 | 430 | ||
1141 | 433 | if (fd < 0) { | 431 | if (fd < 0) { |
1142 | 434 | int xerrno = errno; | 432 | int xerrno = errno; |
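Review bot: `fullfilename.Printf(SQUIDSBUFPH "/%s", SQUIDSBUFPRINT(fullpath), ...)` is the correct way to print one `SBuf` into another, since `SBuf` is not NUL-terminated and must not be passed to `%s`; the `file_open(fullfilename.c_str(), ...)` line has the same short-lived pointer caveat as `opendir()` above. Dropping `HERE` from the `debugs()` call is an unrelated style change that widens the MRE delta.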
1143 | diff --git a/src/fs/ufs/RebuildState.h b/src/fs/ufs/RebuildState.h | |||
1144 | index d9c6f91..203c65e 100644 | |||
1145 | --- a/src/fs/ufs/RebuildState.h | |||
1146 | +++ b/src/fs/ufs/RebuildState.h | |||
1147 | @@ -53,8 +53,8 @@ public: | |||
1148 | 53 | 53 | ||
1149 | 54 | dirent_t *entry; | 54 | dirent_t *entry; |
1150 | 55 | DIR *td; | 55 | DIR *td; |
1153 | 56 | char fullpath[MAXPATHLEN]; | 56 | SBuf fullpath; |
1154 | 57 | char fullfilename[MAXPATHLEN*2]; | 57 | SBuf fullfilename; |
1155 | 58 | 58 | ||
1156 | 59 | StoreRebuildData counts; | 59 | StoreRebuildData counts; |
1157 | 60 | 60 | ||
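Review bot: with `fullpath` and `fullfilename` now `SBuf` members, `RebuildState.h` needs `#include "sbuf/SBuf.h"` (the hunk shows only the member lines, so confirm the include is present); the change also removes the `MAXPATHLEN*2` fixed bound that the old `snprintf` calls in `RebuildState.cc` relied on.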
1158 | diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.8 b/src/http/url_rewriters/LFS/url_lfs_rewrite.8 | |||
1159 | index 6f1ca62..a5f7485 100644 | |||
1160 | --- a/src/http/url_rewriters/LFS/url_lfs_rewrite.8 | |||
1161 | +++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.8 | |||
1162 | @@ -133,7 +133,7 @@ | |||
1163 | 133 | .\" ======================================================================== | 133 | .\" ======================================================================== |
1164 | 134 | .\" | 134 | .\" |
1165 | 135 | .IX Title "URL_LFS_REWRITE 8" | 135 | .IX Title "URL_LFS_REWRITE 8" |
1167 | 136 | .TH URL_LFS_REWRITE 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" | 136 | .TH URL_LFS_REWRITE 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
1168 | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
1169 | 138 | .\" way too many mistakes in technical documents. | 138 | .\" way too many mistakes in technical documents. |
1170 | 139 | .if n .ad l | 139 | .if n .ad l |
1171 | diff --git a/src/log/DB/log_db_daemon.8 b/src/log/DB/log_db_daemon.8 | |||
1172 | index f1aaf9b..63fd886 100644 | |||
1173 | --- a/src/log/DB/log_db_daemon.8 | |||
1174 | +++ b/src/log/DB/log_db_daemon.8 | |||
1175 | @@ -133,7 +133,7 @@ | |||
1176 | 133 | .\" ======================================================================== | 133 | .\" ======================================================================== |
1177 | 134 | .\" | 134 | .\" |
1178 | 135 | .IX Title "LOG_DB_DAEMON 8" | 135 | .IX Title "LOG_DB_DAEMON 8" |
1180 | 136 | .TH LOG_DB_DAEMON 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" | 136 | .TH LOG_DB_DAEMON 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
1181 | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
1182 | 138 | .\" way too many mistakes in technical documents. | 138 | .\" way too many mistakes in technical documents. |
1183 | 139 | .if n .ad l | 139 | .if n .ad l |
1184 | diff --git a/src/main.cc b/src/main.cc | |||
1185 | index 080e71a..a55d9ed 100644 | |||
1186 | --- a/src/main.cc | |||
1187 | +++ b/src/main.cc | |||
1188 | @@ -679,8 +679,10 @@ mainHandleCommandLineOption(const int optId, const char *optValue) | |||
1189 | 679 | printf("%s\n",SQUID_BUILD_INFO); | 679 | printf("%s\n",SQUID_BUILD_INFO); |
1190 | 680 | #if USE_OPENSSL | 680 | #if USE_OPENSSL |
1191 | 681 | printf("\nThis binary uses %s. ", OpenSSL_version(OPENSSL_VERSION)); | 681 | printf("\nThis binary uses %s. ", OpenSSL_version(OPENSSL_VERSION)); |
1192 | 682 | #if OPENSSL_VERSION_MAJOR < 3 | ||
1193 | 682 | printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n"); | 683 | printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n"); |
1194 | 683 | #endif | 684 | #endif |
1195 | 685 | #endif | ||
1196 | 684 | printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS); | 686 | printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS); |
1197 | 685 | 687 | ||
1198 | 686 | #if USE_WIN32_SERVICE | 688 | #if USE_WIN32_SERVICE |
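Review bot: the nested `#if OPENSSL_VERSION_MAJOR < 3` / `#endif` inside `#if USE_OPENSSL` would read better with trailing comments on both `#endif` lines (`#endif // OPENSSL_VERSION_MAJOR < 3`, `#endif // USE_OPENSSL`). The condition also behaves correctly on OpenSSL 1.1, where `OPENSSL_VERSION_MAJOR` is not defined: an undefined identifier evaluates to 0 in `#if`, so `0 < 3` keeps the licence notice for the older library and drops it only on 3.x.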
1199 | diff --git a/src/sbuf/SBuf.h b/src/sbuf/SBuf.h | |||
1200 | index ac98137..964d8fb 100644 | |||
1201 | --- a/src/sbuf/SBuf.h | |||
1202 | +++ b/src/sbuf/SBuf.h | |||
1203 | @@ -45,9 +45,16 @@ class CharacterSet; | |||
1204 | 45 | * Please note that any operation on the underlying SBuf may invalidate | 45 | * Please note that any operation on the underlying SBuf may invalidate |
1205 | 46 | * all iterators over it, resulting in undefined behavior by them. | 46 | * all iterators over it, resulting in undefined behavior by them. |
1206 | 47 | */ | 47 | */ |
1208 | 48 | class SBufIterator : public std::iterator<std::input_iterator_tag, char> | 48 | class SBufIterator |
1209 | 49 | { | 49 | { |
1210 | 50 | public: | 50 | public: |
1211 | 51 | // iterator traits | ||
1212 | 52 | using iterator_category = std::input_iterator_tag; | ||
1213 | 53 | using value_type = char; | ||
1214 | 54 | using difference_type = std::ptrdiff_t; | ||
1215 | 55 | using pointer = char*; | ||
1216 | 56 | using reference = char&; | ||
1217 | 57 | |||
1218 | 51 | friend class SBuf; | 58 | friend class SBuf; |
1219 | 52 | typedef MemBlob::size_type size_type; | 59 | typedef MemBlob::size_type size_type; |
1220 | 53 | bool operator==(const SBufIterator &s) const; | 60 | bool operator==(const SBufIterator &s) const; |
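Review bot: as with `EnumIterator.h`, the explicit `std::ptrdiff_t` in the new trait aliases needs `<cstddef>` to be included by `SBuf.h` itself. The aliases `pointer = char*` and `reference = char&` copy the defaults of the removed `std::iterator<std::input_iterator_tag, char>`, so behaviour is unchanged; worth checking that `reference` matches what `SBufIterator::operator*` actually returns, since a by-value `char` return with a `char&` reference trait is a latent inconsistency the old base class merely hid.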
1221 | diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc | |||
1222 | index 679f968..b61280a 100644 | |||
1223 | --- a/src/security/PeerOptions.cc | |||
1224 | +++ b/src/security/PeerOptions.cc | |||
1225 | @@ -293,134 +293,134 @@ Security::PeerOptions::createClientContext(bool setOptions) | |||
1226 | 293 | /// set of options we can parse and what they map to | 293 | /// set of options we can parse and what they map to |
1227 | 294 | static struct ssl_option { | 294 | static struct ssl_option { |
1228 | 295 | const char *name; | 295 | const char *name; |
1230 | 296 | long value; | 296 | Security::ParsedOptions value; |
1231 | 297 | 297 | ||
1232 | 298 | } ssl_options[] = { | 298 | } ssl_options[] = { |
1233 | 299 | 299 | ||
1235 | 300 | #if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | 300 | #if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) |
1236 | 301 | { | 301 | { |
1237 | 302 | "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | 302 | "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG |
1238 | 303 | }, | 303 | }, |
1239 | 304 | #endif | 304 | #endif |
1241 | 305 | #if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG | 305 | #if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG) |
1242 | 306 | { | 306 | { |
1243 | 307 | "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG | 307 | "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
1244 | 308 | }, | 308 | }, |
1245 | 309 | #endif | 309 | #endif |
1247 | 310 | #if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | 310 | #if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) |
1248 | 311 | { | 311 | { |
1249 | 312 | "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER | 312 | "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER |
1250 | 313 | }, | 313 | }, |
1251 | 314 | #endif | 314 | #endif |
1253 | 315 | #if SSL_OP_SSLEAY_080_CLIENT_DH_BUG | 315 | #if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG) |
1254 | 316 | { | 316 | { |
1255 | 317 | "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG | 317 | "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG |
1256 | 318 | }, | 318 | }, |
1257 | 319 | #endif | 319 | #endif |
1259 | 320 | #if SSL_OP_TLS_D5_BUG | 320 | #if defined(SSL_OP_TLS_D5_BUG) |
1260 | 321 | { | 321 | { |
1261 | 322 | "TLS_D5_BUG", SSL_OP_TLS_D5_BUG | 322 | "TLS_D5_BUG", SSL_OP_TLS_D5_BUG |
1262 | 323 | }, | 323 | }, |
1263 | 324 | #endif | 324 | #endif |
1265 | 325 | #if SSL_OP_TLS_BLOCK_PADDING_BUG | 325 | #if defined(SSL_OP_TLS_BLOCK_PADDING_BUG) |
1266 | 326 | { | 326 | { |
1267 | 327 | "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG | 327 | "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG |
1268 | 328 | }, | 328 | }, |
1269 | 329 | #endif | 329 | #endif |
1271 | 330 | #if SSL_OP_TLS_ROLLBACK_BUG | 330 | #if defined(SSL_OP_TLS_ROLLBACK_BUG) |
1272 | 331 | { | 331 | { |
1273 | 332 | "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG | 332 | "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG |
1274 | 333 | }, | 333 | }, |
1275 | 334 | #endif | 334 | #endif |
1277 | 335 | #if SSL_OP_ALL | 335 | #if defined(SSL_OP_ALL) |
1278 | 336 | { | 336 | { |
1280 | 337 | "ALL", (long)SSL_OP_ALL | 337 | "ALL", SSL_OP_ALL |
1281 | 338 | }, | 338 | }, |
1282 | 339 | #endif | 339 | #endif |
1284 | 340 | #if SSL_OP_SINGLE_DH_USE | 340 | #if defined(SSL_OP_SINGLE_DH_USE) |
1285 | 341 | { | 341 | { |
1286 | 342 | "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE | 342 | "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE |
1287 | 343 | }, | 343 | }, |
1288 | 344 | #endif | 344 | #endif |
1290 | 345 | #if SSL_OP_EPHEMERAL_RSA | 345 | #if defined(SSL_OP_EPHEMERAL_RSA) |
1291 | 346 | { | 346 | { |
1292 | 347 | "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA | 347 | "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA |
1293 | 348 | }, | 348 | }, |
1294 | 349 | #endif | 349 | #endif |
1296 | 350 | #if SSL_OP_PKCS1_CHECK_1 | 350 | #if defined(SSL_OP_PKCS1_CHECK_1) |
1297 | 351 | { | 351 | { |
1298 | 352 | "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 | 352 | "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 |
1299 | 353 | }, | 353 | }, |
1300 | 354 | #endif | 354 | #endif |
1302 | 355 | #if SSL_OP_PKCS1_CHECK_2 | 355 | #if defined(SSL_OP_PKCS1_CHECK_2) |
1303 | 356 | { | 356 | { |
1304 | 357 | "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 | 357 | "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2 |
1305 | 358 | }, | 358 | }, |
1306 | 359 | #endif | 359 | #endif |
1308 | 360 | #if SSL_OP_NETSCAPE_CA_DN_BUG | 360 | #if defined(SSL_OP_NETSCAPE_CA_DN_BUG) |
1309 | 361 | { | 361 | { |
1310 | 362 | "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG | 362 | "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG |
1311 | 363 | }, | 363 | }, |
1312 | 364 | #endif | 364 | #endif |
1314 | 365 | #if SSL_OP_NON_EXPORT_FIRST | 365 | #if defined(SSL_OP_NON_EXPORT_FIRST) |
1315 | 366 | { | 366 | { |
1316 | 367 | "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST | 367 | "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST |
1317 | 368 | }, | 368 | }, |
1318 | 369 | #endif | 369 | #endif |
1320 | 370 | #if SSL_OP_CIPHER_SERVER_PREFERENCE | 370 | #if defined(SSL_OP_CIPHER_SERVER_PREFERENCE) |
1321 | 371 | { | 371 | { |
1322 | 372 | "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE | 372 | "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE |
1323 | 373 | }, | 373 | }, |
1324 | 374 | #endif | 374 | #endif |
1326 | 375 | #if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG | 375 | #if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG) |
1327 | 376 | { | 376 | { |
1328 | 377 | "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG | 377 | "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG |
1329 | 378 | }, | 378 | }, |
1330 | 379 | #endif | 379 | #endif |
1332 | 380 | #if SSL_OP_NO_SSLv3 | 380 | #if defined(SSL_OP_NO_SSLv3) |
1333 | 381 | { | 381 | { |
1334 | 382 | "NO_SSLv3", SSL_OP_NO_SSLv3 | 382 | "NO_SSLv3", SSL_OP_NO_SSLv3 |
1335 | 383 | }, | 383 | }, |
1336 | 384 | #endif | 384 | #endif |
1338 | 385 | #if SSL_OP_NO_TLSv1 | 385 | #if defined(SSL_OP_NO_TLSv1) |
1339 | 386 | { | 386 | { |
1340 | 387 | "NO_TLSv1", SSL_OP_NO_TLSv1 | 387 | "NO_TLSv1", SSL_OP_NO_TLSv1 |
1341 | 388 | }, | 388 | }, |
1342 | 389 | #else | 389 | #else |
1343 | 390 | { "NO_TLSv1", 0 }, | 390 | { "NO_TLSv1", 0 }, |
1344 | 391 | #endif | 391 | #endif |
1346 | 392 | #if SSL_OP_NO_TLSv1_1 | 392 | #if defined(SSL_OP_NO_TLSv1_1) |
1347 | 393 | { | 393 | { |
1348 | 394 | "NO_TLSv1_1", SSL_OP_NO_TLSv1_1 | 394 | "NO_TLSv1_1", SSL_OP_NO_TLSv1_1 |
1349 | 395 | }, | 395 | }, |
1350 | 396 | #else | 396 | #else |
1351 | 397 | { "NO_TLSv1_1", 0 }, | 397 | { "NO_TLSv1_1", 0 }, |
1352 | 398 | #endif | 398 | #endif |
1354 | 399 | #if SSL_OP_NO_TLSv1_2 | 399 | #if defined(SSL_OP_NO_TLSv1_2) |
1355 | 400 | { | 400 | { |
1356 | 401 | "NO_TLSv1_2", SSL_OP_NO_TLSv1_2 | 401 | "NO_TLSv1_2", SSL_OP_NO_TLSv1_2 |
1357 | 402 | }, | 402 | }, |
1358 | 403 | #else | 403 | #else |
1359 | 404 | { "NO_TLSv1_2", 0 }, | 404 | { "NO_TLSv1_2", 0 }, |
1360 | 405 | #endif | 405 | #endif |
1362 | 406 | #if SSL_OP_NO_TLSv1_3 | 406 | #if defined(SSL_OP_NO_TLSv1_3) |
1363 | 407 | { | 407 | { |
1364 | 408 | "NO_TLSv1_3", SSL_OP_NO_TLSv1_3 | 408 | "NO_TLSv1_3", SSL_OP_NO_TLSv1_3 |
1365 | 409 | }, | 409 | }, |
1366 | 410 | #else | 410 | #else |
1367 | 411 | { "NO_TLSv1_3", 0 }, | 411 | { "NO_TLSv1_3", 0 }, |
1368 | 412 | #endif | 412 | #endif |
1370 | 413 | #if SSL_OP_NO_COMPRESSION | 413 | #if defined(SSL_OP_NO_COMPRESSION) |
1371 | 414 | { | 414 | { |
1372 | 415 | "No_Compression", SSL_OP_NO_COMPRESSION | 415 | "No_Compression", SSL_OP_NO_COMPRESSION |
1373 | 416 | }, | 416 | }, |
1374 | 417 | #endif | 417 | #endif |
1376 | 418 | #if SSL_OP_NO_TICKET | 418 | #if defined(SSL_OP_NO_TICKET) |
1377 | 419 | { | 419 | { |
1378 | 420 | "NO_TICKET", SSL_OP_NO_TICKET | 420 | "NO_TICKET", SSL_OP_NO_TICKET |
1379 | 421 | }, | 421 | }, |
1380 | 422 | #endif | 422 | #endif |
1382 | 423 | #if SSL_OP_SINGLE_ECDH_USE | 423 | #if defined(SSL_OP_SINGLE_ECDH_USE) |
1383 | 424 | { | 424 | { |
1384 | 425 | "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE | 425 | "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE |
1385 | 426 | }, | 426 | }, |
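Review bot: switching every `#if SSL_OP_X` to `#if defined(SSL_OP_X)` is required for OpenSSL 3, where these macros expand to `uint64_t` cast expressions that the preprocessor cannot evaluate, but it also changes which entries land in `ssl_options[]`: an option that OpenSSL defines as `0` (several legacy bug-workaround flags are kept only as zero-valued compatibility macros) was previously excluded and is now included with value 0. That is why the later `found` flag is needed to tell "Unsupported" from "Unknown", so the two hunks should be reviewed together. The `value` field widening from `long` to `Security::ParsedOptions` depends on the `forward.h` change elsewhere in this diff.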
1386 | @@ -455,7 +455,7 @@ Security::PeerOptions::parseOptions() | |||
1387 | 455 | 455 | ||
1388 | 456 | #if USE_OPENSSL | 456 | #if USE_OPENSSL |
1389 | 457 | ::Parser::Tokenizer tok(str); | 457 | ::Parser::Tokenizer tok(str); |
1391 | 458 | long op = 0; | 458 | ParsedOptions op = 0; |
1392 | 459 | 459 | ||
1393 | 460 | while (!tok.atEnd()) { | 460 | while (!tok.atEnd()) { |
1394 | 461 | enum { | 461 | enum { |
1395 | @@ -472,7 +472,8 @@ Security::PeerOptions::parseOptions() | |||
1396 | 472 | static const CharacterSet optChars = CharacterSet("TLS-option", "_") + CharacterSet::ALPHA + CharacterSet::DIGIT; | 472 | static const CharacterSet optChars = CharacterSet("TLS-option", "_") + CharacterSet::ALPHA + CharacterSet::DIGIT; |
1397 | 473 | int64_t hex = 0; | 473 | int64_t hex = 0; |
1398 | 474 | SBuf option; | 474 | SBuf option; |
1400 | 475 | long value = 0; | 475 | ParsedOptions value = 0; |
1401 | 476 | bool found = false; | ||
1402 | 476 | 477 | ||
1403 | 477 | // Bug 4429: identify the full option name before determining text or numeric | 478 | // Bug 4429: identify the full option name before determining text or numeric |
1404 | 478 | if (tok.prefix(option, optChars)) { | 479 | if (tok.prefix(option, optChars)) { |
1405 | @@ -481,14 +482,16 @@ Security::PeerOptions::parseOptions() | |||
1406 | 481 | for (struct ssl_option *opttmp = ssl_options; opttmp->name; ++opttmp) { | 482 | for (struct ssl_option *opttmp = ssl_options; opttmp->name; ++opttmp) { |
1407 | 482 | if (option.cmp(opttmp->name) == 0) { | 483 | if (option.cmp(opttmp->name) == 0) { |
1408 | 483 | value = opttmp->value; | 484 | value = opttmp->value; |
1409 | 485 | found = true; | ||
1410 | 484 | break; | 486 | break; |
1411 | 485 | } | 487 | } |
1412 | 486 | } | 488 | } |
1413 | 487 | 489 | ||
1414 | 488 | // Special case.. hex specification | 490 | // Special case.. hex specification |
1415 | 489 | ::Parser::Tokenizer tmp(option); | 491 | ::Parser::Tokenizer tmp(option); |
1417 | 490 | if (!value && tmp.int64(hex, 16, false) && tmp.atEnd()) { | 492 | if (!found && tmp.int64(hex, 16, false) && tmp.atEnd()) { |
1418 | 491 | value = hex; | 493 | value = hex; |
1419 | 494 | found = true; | ||
1420 | 492 | } | 495 | } |
1421 | 493 | } | 496 | } |
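Review bot: the `found` flag fixes a real lookup bug: with zero-valued table entries, `!value` could not distinguish "name matched but option is a no-op" from "name did not match", so the hex fallback could be attempted for a known option; `found` makes the hex path apply only to unmatched tokens. One remaining type point: `value = hex` assigns a signed `int64_t` to `ParsedOptions`, and `tmp.int64(hex, 16, false)` rejects a sign, so negative values cannot reach here, but a comment saying so would spare the next reader the check.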
1422 | 494 | 497 | ||
1423 | @@ -502,7 +505,7 @@ Security::PeerOptions::parseOptions() | |||
1424 | 502 | break; | 505 | break; |
1425 | 503 | } | 506 | } |
1426 | 504 | } else { | 507 | } else { |
1428 | 505 | debugs(83, DBG_PARSE_NOTE(1), "ERROR: Unknown TLS option " << option); | 508 | debugs(83, DBG_PARSE_NOTE(DBG_IMPORTANT), "ERROR: " << (found?"Unsupported":"Unknown") << " TLS option " << option); |
1429 | 506 | } | 509 | } |
1430 | 507 | 510 | ||
1431 | 508 | static const CharacterSet delims("TLS-option-delim",":,"); | 511 | static const CharacterSet delims("TLS-option-delim",":,"); |
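Review bot: the message now says `Unsupported` for an option the library knows but defines as 0 and `Unknown` for an unrecognised name, which is the right distinction for an administrator migrating `tls-options=` lines to OpenSSL 3; raising the level to `DBG_IMPORTANT` is appropriate since a silently dropped hardening option (e.g. a `NO_TLSv1` that is unsupported) is a security misconfiguration rather than a cosmetic one.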
1432 | @@ -512,9 +515,10 @@ Security::PeerOptions::parseOptions() | |||
1433 | 512 | 515 | ||
1434 | 513 | } | 516 | } |
1435 | 514 | 517 | ||
1437 | 515 | #if SSL_OP_NO_SSLv2 | 518 | #if defined(SSL_OP_NO_SSLv2) |
1438 | 516 | // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 | 519 | // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 |
1440 | 517 | op = op | SSL_OP_NO_SSLv2; | 520 | if (SSL_OP_NO_SSLv2) |
1441 | 521 | op |= SSL_OP_NO_SSLv2; | ||
1442 | 518 | #endif | 522 | #endif |
1443 | 519 | parsedOptions = op; | 523 | parsedOptions = op; |
1444 | 520 | 524 | ||
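Review bot: the new runtime `if (SSL_OP_NO_SSLv2)` exists because the macro can no longer be tested in `#if` on OpenSSL 3; it is a compile-time constant, so the compiler folds it away. On any OpenSSL from 1.1.0 onward SSLv2 support is gone and `SSL_OP_NO_SSLv2` is `0`, so the RFC 6176 line is a no-op there and the comment above it could say so to avoid suggesting SSLv2 is still negotiable.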
1445 | diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc | |||
1446 | index e96869c..a5ddb43 100644 | |||
1447 | --- a/src/security/ServerOptions.cc | |||
1448 | +++ b/src/security/ServerOptions.cc | |||
1449 | @@ -10,8 +10,10 @@ | |||
1450 | 10 | #include "anyp/PortCfg.h" | 10 | #include "anyp/PortCfg.h" |
1451 | 11 | #include "base/Packable.h" | 11 | #include "base/Packable.h" |
1452 | 12 | #include "cache_cf.h" | 12 | #include "cache_cf.h" |
1453 | 13 | #include "error/SysErrorDetail.h" | ||
1454 | 13 | #include "fatal.h" | 14 | #include "fatal.h" |
1455 | 14 | #include "globals.h" | 15 | #include "globals.h" |
1456 | 16 | #include "security/Io.h" | ||
1457 | 15 | #include "security/ServerOptions.h" | 17 | #include "security/ServerOptions.h" |
1458 | 16 | #include "security/Session.h" | 18 | #include "security/Session.h" |
1459 | 17 | #include "SquidConfig.h" | 19 | #include "SquidConfig.h" |
1460 | @@ -19,6 +21,9 @@ | |||
1461 | 19 | #include "compat/openssl.h" | 21 | #include "compat/openssl.h" |
1462 | 20 | #include "ssl/support.h" | 22 | #include "ssl/support.h" |
1463 | 21 | 23 | ||
1464 | 24 | #if HAVE_OPENSSL_DECODER_H | ||
1465 | 25 | #include <openssl/decoder.h> | ||
1466 | 26 | #endif | ||
1467 | 22 | #if HAVE_OPENSSL_ERR_H | 27 | #if HAVE_OPENSSL_ERR_H |
1468 | 23 | #include <openssl/err.h> | 28 | #include <openssl/err.h> |
1469 | 24 | #endif | 29 | #endif |
1470 | @@ -352,11 +357,20 @@ Security::ServerOptions::loadDhParams() | |||
1471 | 352 | if (dhParamsFile.isEmpty()) | 357 | if (dhParamsFile.isEmpty()) |
1472 | 353 | return; | 358 | return; |
1473 | 354 | 359 | ||
1474 | 360 | // TODO: After loading and validating parameters, also validate that "the | ||
1475 | 361 | // public and private components have the correct mathematical | ||
1476 | 362 | // relationship". See EVP_PKEY_check(). | ||
1477 | 363 | |||
1478 | 355 | #if USE_OPENSSL | 364 | #if USE_OPENSSL |
1479 | 365 | #if OPENSSL_VERSION_MAJOR < 3 | ||
1480 | 356 | DH *dhp = nullptr; | 366 | DH *dhp = nullptr; |
1481 | 357 | if (FILE *in = fopen(dhParamsFile.c_str(), "r")) { | 367 | if (FILE *in = fopen(dhParamsFile.c_str(), "r")) { |
1482 | 358 | dhp = PEM_read_DHparams(in, NULL, NULL, NULL); | 368 | dhp = PEM_read_DHparams(in, NULL, NULL, NULL); |
1483 | 359 | fclose(in); | 369 | fclose(in); |
1484 | 370 | } else { | ||
1485 | 371 | const auto xerrno = errno; | ||
1486 | 372 | debugs(83, DBG_IMPORTANT, "WARNING: Failed to open '" << dhParamsFile << "'" << xstrerr(xerrno)); | ||
1487 | 373 | return; | ||
1488 | 360 | } | 374 | } |
1489 | 361 | 375 | ||
1490 | 362 | if (!dhp) { | 376 | if (!dhp) { |
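Review bot: in the new fopen() failure branch, `"WARNING: Failed to open '" << dhParamsFile << "'" << xstrerr(xerrno)` runs the closing quote straight into the strerror text; a separator such as `"': "` before xstrerr(xerrno) keeps the log line readable. Capturing errno into xerrno before any other call is correct.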
1491 | @@ -374,7 +388,73 @@ Security::ServerOptions::loadDhParams() | |||
1492 | 374 | } | 388 | } |
1493 | 375 | 389 | ||
1494 | 376 | parsedDhParams.resetWithoutLocking(dhp); | 390 | parsedDhParams.resetWithoutLocking(dhp); |
1495 | 391 | |||
1496 | 392 | #else // OpenSSL 3.0+ | ||
1497 | 393 | const auto type = eecdhCurve.isEmpty() ? "DH" : "EC"; | ||
1498 | 394 | |||
1499 | 395 | Security::ForgetErrors(); | ||
1500 | 396 | EVP_PKEY *rawPkey = nullptr; | ||
1501 | 397 | using DecoderContext = std::unique_ptr<OSSL_DECODER_CTX, HardFun<void, OSSL_DECODER_CTX*, &OSSL_DECODER_CTX_free> >; | ||
1502 | 398 | if (const DecoderContext dctx{OSSL_DECODER_CTX_new_for_pkey(&rawPkey, "PEM", nullptr, type, 0, nullptr, nullptr)}) { | ||
1503 | 399 | |||
1504 | 400 | // OpenSSL documentation is vague on this, but OpenSSL code and our | ||
1505 | 401 | // tests suggest that rawPkey remains nil here while rawCtx keeps | ||
1506 | 402 | // rawPkey _address_ for use by the decoder (see OSSL_DECODER_from_fp() | ||
1507 | 403 | // below). Thus, we must not move *rawPkey into a smart pointer until | ||
1508 | 404 | // decoding is over. For cleanup code simplicity, we assert nil rawPkey. | ||
1509 | 405 | assert(!rawPkey); | ||
1510 | 406 | |||
1511 | 407 | if (OSSL_DECODER_CTX_get_num_decoders(dctx.get()) == 0) { | ||
1512 | 408 | auto ssl_error = ERR_get_error(); | ||
1513 | 409 | debugs(83, DBG_IMPORTANT, "WARNING: No suitable decoders found for " << type << " parameters. " << Security::ErrorString(ssl_error)); | ||
1514 | 410 | return; | ||
1515 | 411 | } | ||
1516 | 412 | |||
1517 | 413 | if (const auto in = fopen(dhParamsFile.c_str(), "r")) { | ||
1518 | 414 | if (OSSL_DECODER_from_fp(dctx.get(), in)) { | ||
1519 | 415 | assert(rawPkey); | ||
1520 | 416 | const Security::DhePointer pkey(rawPkey); | ||
1521 | 417 | // TODO: verify that the loaded parameters match the curve named in eecdhCurve | ||
1522 | 418 | |||
1523 | 419 | if (const Ssl::EVP_PKEY_CTX_Pointer pkeyCtx{EVP_PKEY_CTX_new_from_pkey(nullptr, pkey.get(), nullptr)}) { | ||
1524 | 420 | switch (EVP_PKEY_param_check(pkeyCtx.get())) { | ||
1525 | 421 | case 1: // success | ||
1526 | 422 | parsedDhParams = pkey; | ||
1527 | 423 | break; | ||
1528 | 424 | case -2: { | ||
1529 | 425 | auto ssl_error = ERR_get_error(); | ||
1530 | 426 | debugs(83, DBG_PARSE_NOTE(2), "WARNING: OpenSSL does not support " << type << " parameters check: " << dhParamsFile << ". " << Security::ErrorString(ssl_error)); | ||
1531 | 427 | } | ||
1532 | 428 | break; | ||
1533 | 429 | default: { | ||
1534 | 430 | auto ssl_error = ERR_get_error(); | ||
1535 | 431 | debugs(83, DBG_IMPORTANT, "ERROR: Failed to verify " << type << " parameters in " << dhParamsFile << ". " << Security::ErrorString(ssl_error)); | ||
1536 | 432 | } | ||
1537 | 433 | break; | ||
1538 | 434 | } | ||
1539 | 435 | } else { | ||
1540 | 436 | // TODO: Reduce error reporting code duplication. | ||
1541 | 437 | auto ssl_error = ERR_get_error(); | ||
1542 | 438 | debugs(83, DBG_IMPORTANT, "ERROR: Cannot check " << type << " parameters in " << dhParamsFile << ". " << Security::ErrorString(ssl_error)); | ||
1543 | 439 | } | ||
1544 | 440 | } else { | ||
1545 | 441 | auto ssl_error = ERR_get_error(); | ||
1546 | 442 | debugs(83, DBG_IMPORTANT, "WARNING: Failed to decode " << type << " parameters '" << dhParamsFile << "'. " << Security::ErrorString(ssl_error)); | ||
1547 | 443 | EVP_PKEY_free(rawPkey); // probably still nil, but just in case | ||
1548 | 444 | } | ||
1549 | 445 | fclose(in); | ||
1550 | 446 | } else { | ||
1551 | 447 | const auto xerrno = errno; | ||
1552 | 448 | debugs(83, DBG_IMPORTANT, "WARNING: Failed to open '" << dhParamsFile << "'" << xstrerr(xerrno)); | ||
1553 | 449 | } | ||
1554 | 450 | |||
1555 | 451 | } else { | ||
1556 | 452 | auto ssl_error = ERR_get_error(); | ||
1557 | 453 | debugs(83, DBG_IMPORTANT, "WARNING: Unable to create decode context for " << type << " parameters. " << Security::ErrorString(ssl_error)); | ||
1558 | 454 | return; | ||
1559 | 455 | } | ||
1560 | 377 | #endif | 456 | #endif |
1561 | 457 | #endif // USE_OPENSSL | ||
1562 | 378 | } | 458 | } |
1563 | 379 | 459 | ||
1564 | 380 | bool | 460 | bool |
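Review bot: the OpenSSL 3 branch decodes the dhparams file with `type = eecdhCurve.isEmpty() ? "DH" : "EC"`, while the `OPENSSL_VERSION_MAJOR < 3` branch above always calls PEM_read_DHparams(); with OpenSSL 3, a configuration that sets both a DH parameter file and an EECDH curve will attempt to decode the DH PEM as EC parameters and log "Failed to decode EC parameters" instead of loading the DH group. If EC is meant to take precedence over DH here, say so in a comment and in the release notes; otherwise decode as "DH" unconditionally. Minor: the fopen() failure message in this branch has the same missing separator before xstrerr(xerrno) as in the previous hunk, and the repeated `ERR_get_error()` plus debugs() blocks are already flagged by the TODO.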
1565 | @@ -452,12 +532,16 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx) | |||
1566 | 452 | debugs(83, 9, "Setting Ephemeral ECDH curve to " << eecdhCurve << "."); | 532 | debugs(83, 9, "Setting Ephemeral ECDH curve to " << eecdhCurve << "."); |
1567 | 453 | 533 | ||
1568 | 454 | #if USE_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH) | 534 | #if USE_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH) |
1569 | 535 | |||
1570 | 536 | Security::ForgetErrors(); | ||
1571 | 537 | |||
1572 | 455 | int nid = OBJ_sn2nid(eecdhCurve.c_str()); | 538 | int nid = OBJ_sn2nid(eecdhCurve.c_str()); |
1573 | 456 | if (!nid) { | 539 | if (!nid) { |
1574 | 457 | debugs(83, DBG_CRITICAL, "ERROR: Unknown EECDH curve '" << eecdhCurve << "'"); | 540 | debugs(83, DBG_CRITICAL, "ERROR: Unknown EECDH curve '" << eecdhCurve << "'"); |
1575 | 458 | return; | 541 | return; |
1576 | 459 | } | 542 | } |
1577 | 460 | 543 | ||
1578 | 544 | #if OPENSSL_VERSION_MAJOR < 3 | ||
1579 | 461 | auto ecdh = EC_KEY_new_by_curve_name(nid); | 545 | auto ecdh = EC_KEY_new_by_curve_name(nid); |
1580 | 462 | if (!ecdh) { | 546 | if (!ecdh) { |
1581 | 463 | const auto x = ERR_get_error(); | 547 | const auto x = ERR_get_error(); |
1582 | @@ -472,6 +556,14 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx) | |||
1583 | 472 | EC_KEY_free(ecdh); | 556 | EC_KEY_free(ecdh); |
1584 | 473 | 557 | ||
1585 | 474 | #else | 558 | #else |
1586 | 559 | // TODO: Support multiple group names via SSL_CTX_set1_groups_list(). | ||
1587 | 560 | if (!SSL_CTX_set1_groups(ctx.get(), &nid, 1)) { | ||
1588 | 561 | auto ssl_error = ERR_get_error(); | ||
1589 | 562 | debugs(83, DBG_CRITICAL, "ERROR: Unable to set Ephemeral ECDH: " << Security::ErrorString(ssl_error)); | ||
1590 | 563 | return; | ||
1591 | 564 | } | ||
1592 | 565 | #endif | ||
1593 | 566 | #else | ||
1594 | 475 | debugs(83, DBG_CRITICAL, "ERROR: EECDH is not available in this build." << | 567 | debugs(83, DBG_CRITICAL, "ERROR: EECDH is not available in this build." << |
1595 | 476 | " Please link against OpenSSL>=0.9.8 and ensure OPENSSL_NO_ECDH is not set."); | 568 | " Please link against OpenSSL>=0.9.8 and ensure OPENSSL_NO_ECDH is not set."); |
1596 | 477 | #endif | 569 | #endif |
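Review bot: the `#else` closing this hunk pairs with `#if USE_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH)` while the `#endif` just above it closes the new `#if OPENSSL_VERSION_MAJOR < 3`; two unlabelled `#else`/`#endif` pairs back to back are easy to mis-pair, so label them (`#endif // OPENSSL_VERSION_MAJOR < 3`, `#else // !USE_OPENSSL ...`) the way loadDhParams() does with `#endif // USE_OPENSSL`.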
1597 | diff --git a/src/security/cert_validators/fake/security_fake_certverify.8 b/src/security/cert_validators/fake/security_fake_certverify.8 | |||
1598 | index 246152d..9dbb485 100644 | |||
1599 | --- a/src/security/cert_validators/fake/security_fake_certverify.8 | |||
1600 | +++ b/src/security/cert_validators/fake/security_fake_certverify.8 | |||
1601 | @@ -133,7 +133,7 @@ | |||
1602 | 133 | .\" ======================================================================== | 133 | .\" ======================================================================== |
1603 | 134 | .\" | 134 | .\" |
1604 | 135 | .IX Title "SECURITY_FAKE_CERTVERIFY 8" | 135 | .IX Title "SECURITY_FAKE_CERTVERIFY 8" |
1606 | 136 | .TH SECURITY_FAKE_CERTVERIFY 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" | 136 | .TH SECURITY_FAKE_CERTVERIFY 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
1607 | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
1608 | 138 | .\" way too many mistakes in technical documents. | 138 | .\" way too many mistakes in technical documents. |
1609 | 139 | .if n .ad l | 139 | .if n .ad l |
1610 | diff --git a/src/security/forward.h b/src/security/forward.h | |||
1611 | index 26225aa..9c4ff05 100644 | |||
1612 | --- a/src/security/forward.h | |||
1613 | +++ b/src/security/forward.h | |||
1614 | @@ -93,10 +93,25 @@ typedef std::list<Security::CertPointer> CertList; | |||
1615 | 93 | typedef std::list<Security::CrlPointer> CertRevokeList; | 93 | typedef std::list<Security::CrlPointer> CertRevokeList; |
1616 | 94 | 94 | ||
1617 | 95 | #if USE_OPENSSL | 95 | #if USE_OPENSSL |
1618 | 96 | CtoCpp1(EVP_PKEY_free, EVP_PKEY *) | ||
1619 | 97 | using PrivateKeyPointer = Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref>>; | ||
1620 | 98 | #elif USE_GNUTLS | ||
1621 | 99 | using PrivateKeyPointer = std::shared_ptr<struct gnutls_x509_privkey_int>; | ||
1622 | 100 | #else | ||
1623 | 101 | using PrivateKeyPointer = std::shared_ptr<void>; | ||
1624 | 102 | #endif | ||
1625 | 103 | |||
1626 | 104 | #if USE_OPENSSL | ||
1627 | 105 | #if OPENSSL_VERSION_MAJOR < 3 | ||
1628 | 96 | CtoCpp1(DH_free, DH *); | 106 | CtoCpp1(DH_free, DH *); |
1629 | 97 | typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer; | 107 | typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer; |
1630 | 98 | #else | 108 | #else |
1632 | 99 | typedef void *DhePointer; | 109 | using DhePointer = PrivateKeyPointer; |
1633 | 110 | #endif | ||
1634 | 111 | #elif USE_GNUTLS | ||
1635 | 112 | using DhePointer = void *; | ||
1636 | 113 | #else | ||
1637 | 114 | using DhePointer = void *; | ||
1638 | 100 | #endif | 115 | #endif |
1639 | 101 | 116 | ||
1640 | 102 | class EncryptorAnswer; | 117 | class EncryptorAnswer; |
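Review bot: the new `#elif USE_GNUTLS` and `#else` branches both define `using DhePointer = void *;`, so they collapse into a single `#else`; if the split is meant to reserve a slot for a future GnuTLS type, a comment saying so keeps the duplication from looking accidental. Also, the moved `CtoCpp1(EVP_PKEY_free, EVP_PKEY *)` has no trailing semicolon while `CtoCpp1(DH_free, DH *);` directly below has one; pick one form.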
1641 | @@ -159,7 +174,7 @@ class IoResult; | |||
1642 | 159 | class KeyData; | 174 | class KeyData; |
1643 | 160 | 175 | ||
1644 | 161 | #if USE_OPENSSL | 176 | #if USE_OPENSSL |
1646 | 162 | typedef long ParsedOptions; | 177 | using ParsedOptions = uint64_t; |
1647 | 163 | #elif USE_GNUTLS | 178 | #elif USE_GNUTLS |
1648 | 164 | typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions; | 179 | typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions; |
1649 | 165 | #else | 180 | #else |
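Review bot: ParsedOptions changes from `long` to `uint64_t`, which changes signedness and, on 32-bit targets, width; none of the code that stores, prints or compares ParsedOptions is in this hunk, so confirm the rest of the diff updates those sites (format strings, comparisons against SSL_OP_* values under both OpenSSL 1.x and 3.x) and that the changelog mentions the type change.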
1650 | @@ -175,15 +190,6 @@ class PeerConnector; | |||
1651 | 175 | class BlindPeerConnector; | 190 | class BlindPeerConnector; |
1652 | 176 | class PeerOptions; | 191 | class PeerOptions; |
1653 | 177 | 192 | ||
1654 | 178 | #if USE_OPENSSL | ||
1655 | 179 | CtoCpp1(EVP_PKEY_free, EVP_PKEY *) | ||
1656 | 180 | typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref> > PrivateKeyPointer; | ||
1657 | 181 | #elif USE_GNUTLS | ||
1658 | 182 | typedef std::shared_ptr<struct gnutls_x509_privkey_int> PrivateKeyPointer; | ||
1659 | 183 | #else | ||
1660 | 184 | typedef std::shared_ptr<void> PrivateKeyPointer; | ||
1661 | 185 | #endif | ||
1662 | 186 | |||
1663 | 187 | class ServerOptions; | 193 | class ServerOptions; |
1664 | 188 | 194 | ||
1665 | 189 | class ErrorDetail; | 195 | class ErrorDetail; |
1666 | diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc | |||
1667 | index ef572ba..d1def59 100644 | |||
1668 | --- a/src/ssl/gadgets.cc | |||
1669 | +++ b/src/ssl/gadgets.cc | |||
1670 | @@ -9,36 +9,26 @@ | |||
1671 | 9 | #include "squid.h" | 9 | #include "squid.h" |
1672 | 10 | #include "ssl/gadgets.h" | 10 | #include "ssl/gadgets.h" |
1673 | 11 | 11 | ||
1675 | 12 | EVP_PKEY * Ssl::createSslPrivateKey() | 12 | static Security::PrivateKeyPointer |
1676 | 13 | CreateRsaPrivateKey() | ||
1677 | 13 | { | 14 | { |
1691 | 14 | Security::PrivateKeyPointer pkey(EVP_PKEY_new()); | 15 | Ssl::EVP_PKEY_CTX_Pointer rsa(EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, nullptr)); |
1679 | 15 | |||
1680 | 16 | if (!pkey) | ||
1681 | 17 | return NULL; | ||
1682 | 18 | |||
1683 | 19 | BIGNUM_Pointer bn(BN_new()); | ||
1684 | 20 | if (!bn) | ||
1685 | 21 | return NULL; | ||
1686 | 22 | |||
1687 | 23 | if (!BN_set_word(bn.get(), RSA_F4)) | ||
1688 | 24 | return NULL; | ||
1689 | 25 | |||
1690 | 26 | Ssl::RSA_Pointer rsa(RSA_new()); | ||
1692 | 27 | if (!rsa) | 16 | if (!rsa) |
1694 | 28 | return NULL; | 17 | return nullptr; |
1695 | 29 | 18 | ||
1699 | 30 | int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable? | 19 | if (EVP_PKEY_keygen_init(rsa.get()) <= 0) |
1700 | 31 | if (!RSA_generate_key_ex(rsa.get(), num, bn.get(), NULL)) | 20 | return nullptr; |
1698 | 32 | return NULL; | ||
1701 | 33 | 21 | ||
1704 | 34 | if (!rsa) | 22 | int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable? |
1705 | 35 | return NULL; | 23 | if (EVP_PKEY_CTX_set_rsa_keygen_bits(rsa.get(), num) <= 0) |
1706 | 24 | return nullptr; | ||
1707 | 36 | 25 | ||
1710 | 37 | if (!EVP_PKEY_assign_RSA(pkey.get(), (rsa.get()))) | 26 | /* Generate key */ |
1711 | 38 | return NULL; | 27 | EVP_PKEY *pkey = nullptr; |
1712 | 28 | if (EVP_PKEY_keygen(rsa.get(), &pkey) <= 0) | ||
1713 | 29 | return nullptr; | ||
1714 | 39 | 30 | ||
1717 | 40 | rsa.release(); | 31 | return Security::PrivateKeyPointer(pkey); |
1716 | 41 | return pkey.release(); | ||
1718 | 42 | } | 32 | } |
1719 | 43 | 33 | ||
1720 | 44 | /** | 34 | /** |
1721 | @@ -56,7 +46,7 @@ static bool setSerialNumber(ASN1_INTEGER *ai, BIGNUM const* serial) | |||
1722 | 56 | if (!bn) | 46 | if (!bn) |
1723 | 57 | return false; | 47 | return false; |
1724 | 58 | 48 | ||
1726 | 59 | if (!BN_pseudo_rand(bn.get(), 64, 0, 0)) | 49 | if (!BN_rand(bn.get(), 64, 0, 0)) |
1727 | 60 | return false; | 50 | return false; |
1728 | 61 | } | 51 | } |
1729 | 62 | 52 | ||
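Review bot: `BN_rand(bn.get(), 64, 0, 0)` keeps the magic arguments; the named constants BN_RAND_TOP_ONE and BN_RAND_BOTTOM_ANY (both 0) would make it obvious that the 64-bit serial gets its top bit set and no parity constraint. Replacing BN_pseudo_rand(), which OpenSSL 3 deprecates, is the right change.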
1730 | @@ -375,7 +365,11 @@ mimicExtensions(Security::CertPointer & cert, Security::CertPointer const &mimic | |||
1731 | 375 | // XXX: Add PublicKeyPointer. In OpenSSL, public and private keys are | 365 | // XXX: Add PublicKeyPointer. In OpenSSL, public and private keys are |
1732 | 376 | // internally represented by EVP_PKEY pair, but GnuTLS uses distinct types. | 366 | // internally represented by EVP_PKEY pair, but GnuTLS uses distinct types. |
1733 | 377 | const Security::PrivateKeyPointer certKey(X509_get_pubkey(mimicCert.get())); | 367 | const Security::PrivateKeyPointer certKey(X509_get_pubkey(mimicCert.get())); |
1734 | 368 | #if OPENSSL_VERSION_MAJOR < 3 | ||
1735 | 378 | const auto rsaPkey = EVP_PKEY_get0_RSA(certKey.get()) != nullptr; | 369 | const auto rsaPkey = EVP_PKEY_get0_RSA(certKey.get()) != nullptr; |
1736 | 370 | #else | ||
1737 | 371 | const auto rsaPkey = EVP_PKEY_is_a(certKey.get(), "RSA") == 1; | ||
1738 | 372 | #endif | ||
1739 | 379 | 373 | ||
1740 | 380 | int added = 0; | 374 | int added = 0; |
1741 | 381 | int nid; | 375 | int nid; |
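Review bot: `EVP_PKEY_is_a(certKey.get(), "RSA") == 1` is used as the OpenSSL 3 equivalent of `EVP_PKEY_get0_RSA(certKey.get()) != nullptr`; confirm the two agree for RSA-PSS keys (a distinct type name in OpenSSL 3) and for a null certKey when X509_get_pubkey() fails, since certKey is passed to either call without a null check in this hunk.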
1742 | @@ -544,13 +538,8 @@ static bool buildCertificate(Security::CertPointer & cert, Ssl::CertificatePrope | |||
1743 | 544 | 538 | ||
1744 | 545 | static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Security::PrivateKeyPointer & pkeyToStore, Ssl::CertificateProperties const &properties, Ssl::BIGNUM_Pointer const &serial) | 539 | static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Security::PrivateKeyPointer & pkeyToStore, Ssl::CertificateProperties const &properties, Ssl::BIGNUM_Pointer const &serial) |
1745 | 546 | { | 540 | { |
1746 | 547 | Security::PrivateKeyPointer pkey; | ||
1747 | 548 | // Use signing certificates private key as generated certificate private key | 541 | // Use signing certificates private key as generated certificate private key |
1753 | 549 | if (properties.signWithPkey.get()) | 542 | const auto pkey = properties.signWithPkey ? properties.signWithPkey : CreateRsaPrivateKey(); |
1749 | 550 | pkey.resetAndLock(properties.signWithPkey.get()); | ||
1750 | 551 | else // if not exist generate one | ||
1751 | 552 | pkey.resetWithoutLocking(Ssl::createSslPrivateKey()); | ||
1752 | 553 | |||
1754 | 554 | if (!pkey) | 543 | if (!pkey) |
1755 | 555 | return false; | 544 | return false; |
1756 | 556 | 545 | ||
1757 | diff --git a/src/ssl/gadgets.h b/src/ssl/gadgets.h | |||
1758 | index 8e46f89..4c5b30b 100644 | |||
1759 | --- a/src/ssl/gadgets.h | |||
1760 | +++ b/src/ssl/gadgets.h | |||
1761 | @@ -58,7 +58,7 @@ typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Poi | |||
1762 | 58 | 58 | ||
1763 | 59 | typedef std::unique_ptr<X509_NAME, HardFun<void, X509_NAME*, &X509_NAME_free>> X509_NAME_Pointer; | 59 | typedef std::unique_ptr<X509_NAME, HardFun<void, X509_NAME*, &X509_NAME_free>> X509_NAME_Pointer; |
1764 | 60 | 60 | ||
1766 | 61 | typedef std::unique_ptr<RSA, HardFun<void, RSA*, &RSA_free>> RSA_Pointer; | 61 | using EVP_PKEY_CTX_Pointer = std::unique_ptr<EVP_PKEY_CTX, HardFun<void, EVP_PKEY_CTX*, &EVP_PKEY_CTX_free>>; |
1767 | 62 | 62 | ||
1768 | 63 | typedef std::unique_ptr<X509_REQ, HardFun<void, X509_REQ*, &X509_REQ_free>> X509_REQ_Pointer; | 63 | typedef std::unique_ptr<X509_REQ, HardFun<void, X509_REQ*, &X509_REQ_free>> X509_REQ_Pointer; |
1769 | 64 | 64 | ||
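Review bot: dropping `Ssl::RSA_Pointer` from this public header removes a type other translation units may use; the diff shows gadgets.cc giving up its only use, so confirm nothing else under src/ssl references RSA_Pointer. The replacement is declared with `using` among surrounding `typedef`s; either is fine, but keep one style per header.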
1770 | @@ -74,12 +74,6 @@ typedef std::unique_ptr<X509_EXTENSION, HardFun<void, X509_EXTENSION*, &X509_EXT | |||
1771 | 74 | typedef std::unique_ptr<X509_STORE_CTX, HardFun<void, X509_STORE_CTX *, &X509_STORE_CTX_free>> X509_STORE_CTX_Pointer; | 74 | typedef std::unique_ptr<X509_STORE_CTX, HardFun<void, X509_STORE_CTX *, &X509_STORE_CTX_free>> X509_STORE_CTX_Pointer; |
1772 | 75 | /** | 75 | /** |
1773 | 76 | \ingroup SslCrtdSslAPI | 76 | \ingroup SslCrtdSslAPI |
1774 | 77 | * Create 1024 bits rsa key. | ||
1775 | 78 | */ | ||
1776 | 79 | EVP_PKEY * createSslPrivateKey(); | ||
1777 | 80 | |||
1778 | 81 | /** | ||
1779 | 82 | \ingroup SslCrtdSslAPI | ||
1780 | 83 | * Write private key and SSL certificate to memory. | 77 | * Write private key and SSL certificate to memory. |
1781 | 84 | */ | 78 | */ |
1782 | 85 | bool writeCertAndPrivateKeyToMemory(Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey, std::string & bufferToWrite); | 79 | bool writeCertAndPrivateKeyToMemory(Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey, std::string & bufferToWrite); |
1783 | diff --git a/src/ssl/support.cc b/src/ssl/support.cc | |||
1784 | index 11ef077..40c1e32 100644 | |||
1785 | --- a/src/ssl/support.cc | |||
1786 | +++ b/src/ssl/support.cc | |||
1787 | @@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn) | |||
1788 | 557 | } | 557 | } |
1789 | 558 | 558 | ||
1790 | 559 | // "dup" function for SSL_get_ex_new_index("cert_err_check") | 559 | // "dup" function for SSL_get_ex_new_index("cert_err_check") |
1792 | 560 | #if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP | 560 | #if OPENSSL_VERSION_MAJOR >= 3 |
1793 | 561 | static int | ||
1794 | 562 | ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **, | ||
1795 | 563 | int, long, void *) | ||
1796 | 564 | #elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP | ||
1797 | 561 | static int | 565 | static int |
1798 | 562 | ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, | 566 | ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, |
1799 | 563 | int, long, void *) | 567 | int, long, void *) |
1800 | @@ -654,8 +658,12 @@ Ssl::Initialize(void) | |||
1801 | 654 | 658 | ||
1802 | 655 | SQUID_OPENSSL_init_ssl(); | 659 | SQUID_OPENSSL_init_ssl(); |
1803 | 656 | 660 | ||
1804 | 657 | #if !defined(OPENSSL_NO_ENGINE) | ||
1805 | 658 | if (::Config.SSL.ssl_engine) { | 661 | if (::Config.SSL.ssl_engine) { |
1806 | 662 | #if OPENSSL_VERSION_MAJOR < 3 | ||
1807 | 663 | debugs(83, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: Support for ssl_engine is deprecated " << | ||
1808 | 664 | "in Squids built with OpenSSL 1.x (like this Squid). " << | ||
1809 | 665 | "It is removed in Squids built with OpenSSL 3.0 or newer."); | ||
1810 | 666 | #if !defined(OPENSSL_NO_ENGINE) | ||
1811 | 659 | ENGINE_load_builtin_engines(); | 667 | ENGINE_load_builtin_engines(); |
1812 | 660 | ENGINE *e; | 668 | ENGINE *e; |
1813 | 661 | if (!(e = ENGINE_by_id(::Config.SSL.ssl_engine))) | 669 | if (!(e = ENGINE_by_id(::Config.SSL.ssl_engine))) |
1814 | @@ -665,11 +673,14 @@ Ssl::Initialize(void) | |||
1815 | 665 | const auto ssl_error = ERR_get_error(); | 673 | const auto ssl_error = ERR_get_error(); |
1816 | 666 | fatalf("Failed to initialise SSL engine: %s\n", Security::ErrorString(ssl_error)); | 674 | fatalf("Failed to initialise SSL engine: %s\n", Security::ErrorString(ssl_error)); |
1817 | 667 | } | 675 | } |
1822 | 668 | } | 676 | #else /* OPENSSL_NO_ENGINE */ |
1823 | 669 | #else | 677 | throw TextException("Cannot use ssl_engine in Squid built with OpenSSL configured to disable SSL engine support", Here()); |
1824 | 670 | if (::Config.SSL.ssl_engine) | 678 | #endif |
1825 | 671 | fatalf("Your OpenSSL has no SSL engine support\n"); | 679 | |
1826 | 680 | #else /* OPENSSL_VERSION_MAJOR */ | ||
1827 | 681 | throw TextException("Cannot use ssl_engine in Squid built with OpenSSL 3.0 or newer", Here()); | ||
1828 | 672 | #endif | 682 | #endif |
1829 | 683 | } | ||
1830 | 673 | 684 | ||
1831 | 674 | const char *defName = ::Config.SSL.certSignHash ? ::Config.SSL.certSignHash : SQUID_SSL_SIGN_HASH_IF_NONE; | 685 | const char *defName = ::Config.SSL.certSignHash ? ::Config.SSL.certSignHash : SQUID_SSL_SIGN_HASH_IF_NONE; |
1832 | 675 | Ssl::DefaultSignHash = EVP_get_digestbyname(defName); | 686 | Ssl::DefaultSignHash = EVP_get_digestbyname(defName); |
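Review bot: the two new `throw TextException(...)` calls replace `fatalf()` for the unsupported-engine cases, so an exception now propagates out of Ssl::Initialize() instead of the process exiting with a clear message; confirm the caller reports it as a startup configuration error rather than letting it reach terminate(). The `#else /* OPENSSL_NO_ENGINE */` comment is accurate for the `#if !defined(OPENSSL_NO_ENGINE)` it closes, but sits right next to the OPENSSL_VERSION_MAJOR `#else`; labelling both `#endif`s would make the nesting clear.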
1833 | diff --git a/src/store/id_rewriters/file/storeid_file_rewrite.8 b/src/store/id_rewriters/file/storeid_file_rewrite.8 | |||
1834 | index d3c63af..43913e8 100644 | |||
1835 | --- a/src/store/id_rewriters/file/storeid_file_rewrite.8 | |||
1836 | +++ b/src/store/id_rewriters/file/storeid_file_rewrite.8 | |||
1837 | @@ -133,7 +133,7 @@ | |||
1838 | 133 | .\" ======================================================================== | 133 | .\" ======================================================================== |
1839 | 134 | .\" | 134 | .\" |
1840 | 135 | .IX Title "STOREID_FILE_REWRITE 8" | 135 | .IX Title "STOREID_FILE_REWRITE 8" |
1842 | 136 | .TH STOREID_FILE_REWRITE 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" | 136 | .TH STOREID_FILE_REWRITE 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
1843 | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
1844 | 138 | .\" way too many mistakes in technical documents. | 138 | .\" way too many mistakes in technical documents. |
1845 | 139 | .if n .ad l | 139 | .if n .ad l |
1846 | diff --git a/src/tests/testStoreHashIndex.cc b/src/tests/testStoreHashIndex.cc | |||
1847 | index dcfbcab..d017887 100644 | |||
1848 | --- a/src/tests/testStoreHashIndex.cc | |||
1849 | +++ b/src/tests/testStoreHashIndex.cc | |||
1850 | @@ -102,6 +102,8 @@ void commonInit() | |||
1851 | 102 | if (inited) | 102 | if (inited) |
1852 | 103 | return; | 103 | return; |
1853 | 104 | 104 | ||
1854 | 105 | inited = true; | ||
1855 | 106 | |||
1856 | 105 | Mem::Init(); | 107 | Mem::Init(); |
1857 | 106 | 108 | ||
1858 | 107 | Config.Store.avgObjectSize = 1024; | 109 | Config.Store.avgObjectSize = 1024; |
1859 | @@ -109,6 +111,10 @@ void commonInit() | |||
1860 | 109 | Config.Store.objectsPerBucket = 20; | 111 | Config.Store.objectsPerBucket = 20; |
1861 | 110 | 112 | ||
1862 | 111 | Config.Store.maxObjectSize = 2048; | 113 | Config.Store.maxObjectSize = 2048; |
1863 | 114 | |||
1864 | 115 | Config.memShared.defaultTo(false); | ||
1865 | 116 | |||
1866 | 117 | Config.store_dir_select_algorithm = xstrdup("round-robin"); | ||
1867 | 112 | } | 118 | } |
1868 | 113 | 119 | ||
1869 | 114 | /* TODO make this a cbdata class */ | 120 | /* TODO make this a cbdata class */ |
1870 | diff --git a/src/tunnel.cc b/src/tunnel.cc | |||
1871 | index 4fc5abd..c5d4dfc 100644 | |||
1872 | --- a/src/tunnel.cc | |||
1873 | +++ b/src/tunnel.cc | |||
1874 | @@ -97,6 +97,10 @@ public: | |||
1875 | 97 | return (server.conn != NULL && server.conn->getPeer() ? server.conn->getPeer()->host : request->url.host()); | 97 | return (server.conn != NULL && server.conn->getPeer() ? server.conn->getPeer()->host : request->url.host()); |
1876 | 98 | }; | 98 | }; |
1877 | 99 | 99 | ||
1878 | 100 | /// store the given to-server connection; prohibit retries and do not look | ||
1879 | 101 | /// for any other destinations | ||
1880 | 102 | void commitToServer(const Comm::ConnectionPointer &); | ||
1881 | 103 | |||
1882 | 100 | /// Whether the client sent a CONNECT request to us. | 104 | /// Whether the client sent a CONNECT request to us. |
1883 | 101 | bool clientExpectsConnectResponse() const { | 105 | bool clientExpectsConnectResponse() const { |
1884 | 102 | // If we are forcing a tunnel after receiving a client CONNECT, then we | 106 | // If we are forcing a tunnel after receiving a client CONNECT, then we |
1885 | @@ -186,6 +190,10 @@ public: | |||
1886 | 186 | /// whether another destination may be still attempted if the TCP connection | 190 | /// whether another destination may be still attempted if the TCP connection |
1887 | 187 | /// was unexpectedly closed | 191 | /// was unexpectedly closed |
1888 | 188 | bool retriable; | 192 | bool retriable; |
1889 | 193 | |||
1890 | 194 | /// whether the decision to tunnel to a particular destination was final | ||
1891 | 195 | bool committedToServer; | ||
1892 | 196 | |||
1893 | 189 | // TODO: remove after fixing deferred reads in TunnelStateData::copyRead() | 197 | // TODO: remove after fixing deferred reads in TunnelStateData::copyRead() |
1894 | 190 | CodeContext::Pointer codeContext; ///< our creator context | 198 | CodeContext::Pointer codeContext; ///< our creator context |
1895 | 191 | 199 | ||
1896 | @@ -263,9 +271,8 @@ private: | |||
1897 | 263 | 271 | ||
1898 | 264 | /// \returns whether the request should be retried (nil) or the description why it should not | 272 | /// \returns whether the request should be retried (nil) or the description why it should not |
1899 | 265 | const char *checkRetry(); | 273 | const char *checkRetry(); |
1903 | 266 | /// whether the successfully selected path destination or the established | 274 | |
1904 | 267 | /// server connection is still in use | 275 | bool transporting() const; |
1902 | 268 | bool usingDestination() const; | ||
1905 | 269 | 276 | ||
1906 | 270 | /// details of the "last tunneling attempt" failure (if it failed) | 277 | /// details of the "last tunneling attempt" failure (if it failed) |
1907 | 271 | ErrorState *savedError = nullptr; | 278 | ErrorState *savedError = nullptr; |
1908 | @@ -362,6 +369,7 @@ TunnelStateData::TunnelStateData(ClientHttpRequest *clientRequest) : | |||
1909 | 362 | destinations(new ResolvedPeers()), | 369 | destinations(new ResolvedPeers()), |
1910 | 363 | destinationsFound(false), | 370 | destinationsFound(false), |
1911 | 364 | retriable(true), | 371 | retriable(true), |
1912 | 372 | committedToServer(false), | ||
1913 | 365 | codeContext(CodeContext::Current()) | 373 | codeContext(CodeContext::Current()) |
1914 | 366 | { | 374 | { |
1915 | 367 | debugs(26, 3, "TunnelStateData constructed this=" << this); | 375 | debugs(26, 3, "TunnelStateData constructed this=" << this); |
1916 | @@ -1009,8 +1017,7 @@ void | |||
1917 | 1009 | TunnelStateData::notePeerReadyToShovel(const Comm::ConnectionPointer &conn) | 1017 | TunnelStateData::notePeerReadyToShovel(const Comm::ConnectionPointer &conn) |
1918 | 1010 | { | 1018 | { |
1919 | 1011 | assert(!client.dirty); | 1019 | assert(!client.dirty); |
1922 | 1012 | retriable = false; | 1020 | commitToServer(conn); |
1921 | 1013 | server.initConnection(conn, tunnelServerClosed, "tunnelServerClosed", this); | ||
1923 | 1014 | 1021 | ||
1924 | 1015 | if (!clientExpectsConnectResponse()) | 1022 | if (!clientExpectsConnectResponse()) |
1925 | 1016 | tunnelStartShoveling(this); // ssl-bumped connection, be quiet | 1023 | tunnelStartShoveling(this); // ssl-bumped connection, be quiet |
1926 | @@ -1025,6 +1032,15 @@ TunnelStateData::notePeerReadyToShovel(const Comm::ConnectionPointer &conn) | |||
1927 | 1025 | } | 1032 | } |
1928 | 1026 | } | 1033 | } |
1929 | 1027 | 1034 | ||
1930 | 1035 | void | ||
1931 | 1036 | TunnelStateData::commitToServer(const Comm::ConnectionPointer &conn) | ||
1932 | 1037 | { | ||
1933 | 1038 | committedToServer = true; | ||
1934 | 1039 | retriable = false; // may already be false | ||
1935 | 1040 | PeerSelectionInitiator::subscribed = false; // may already be false | ||
1936 | 1041 | server.initConnection(conn, tunnelServerClosed, "tunnelServerClosed", this); | ||
1937 | 1042 | } | ||
1938 | 1043 | |||
1939 | 1028 | static void | 1044 | static void |
1940 | 1029 | tunnelErrorComplete(int fd/*const Comm::ConnectionPointer &*/, void *data, size_t) | 1045 | tunnelErrorComplete(int fd/*const Comm::ConnectionPointer &*/, void *data, size_t) |
1941 | 1030 | { | 1046 | { |
1942 | @@ -1252,18 +1268,15 @@ TunnelStateData::noteDestination(Comm::ConnectionPointer path) | |||
1943 | 1252 | 1268 | ||
1944 | 1253 | destinations->addPath(path); | 1269 | destinations->addPath(path); |
1945 | 1254 | 1270 | ||
1946 | 1255 | if (usingDestination()) { | ||
1947 | 1256 | // We are already using a previously opened connection but also | ||
1948 | 1257 | // receiving destinations in case we need to re-forward. | ||
1949 | 1258 | Must(!transportWait); | ||
1950 | 1259 | return; | ||
1951 | 1260 | } | ||
1952 | 1261 | |||
1953 | 1262 | if (transportWait) { | 1271 | if (transportWait) { |
1954 | 1272 | assert(!transporting()); | ||
1955 | 1263 | notifyConnOpener(); | 1273 | notifyConnOpener(); |
1956 | 1264 | return; // and continue to wait for tunnelConnectDone() callback | 1274 | return; // and continue to wait for tunnelConnectDone() callback |
1957 | 1265 | } | 1275 | } |
1958 | 1266 | 1276 | ||
1959 | 1277 | if (transporting()) | ||
1960 | 1278 | return; // and continue to receive destinations for backup | ||
1961 | 1279 | |||
1962 | 1267 | startConnecting(); | 1280 | startConnecting(); |
1963 | 1268 | } | 1281 | } |
1964 | 1269 | 1282 | ||
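Review bot: `assert(!transporting())` inside `if (transportWait)` replaces the earlier `Must(!transportWait)`; Must() throws and lets the request fail gracefully, whereas assert() aborts the whole worker on a state-machine bug, so unless an abort is deliberately wanted here, keep Must(). The reordering that handles transportWait before transporting() is otherwise consistent with the new "continue to receive destinations for backup" path.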
1965 | @@ -1279,8 +1292,9 @@ TunnelStateData::noteDestinationsEnd(ErrorState *selectionError) | |||
1966 | 1279 | if (selectionError) | 1292 | if (selectionError) |
1967 | 1280 | return sendError(selectionError, "path selection has failed"); | 1293 | return sendError(selectionError, "path selection has failed"); |
1968 | 1281 | 1294 | ||
1969 | 1295 | // TODO: Merge with FwdState and remove this likely unnecessary check. | ||
1970 | 1282 | if (savedError) | 1296 | if (savedError) |
1972 | 1283 | return sendError(savedError, "all found paths have failed"); | 1297 | return sendError(savedError, "path selection found no paths (with an impossible early error)"); |
1973 | 1284 | 1298 | ||
1974 | 1285 | return sendError(new ErrorState(ERR_CANNOT_FORWARD, Http::scInternalServerError, request.getRaw(), al), | 1299 | return sendError(new ErrorState(ERR_CANNOT_FORWARD, Http::scInternalServerError, request.getRaw(), al), |
1975 | 1286 | "path selection found no paths"); | 1300 | "path selection found no paths"); |
1976 | @@ -1289,21 +1303,32 @@ TunnelStateData::noteDestinationsEnd(ErrorState *selectionError) | |||
1977 | 1289 | // if all of them fail, tunneling as whole will fail | 1303 | // if all of them fail, tunneling as whole will fail |
1978 | 1290 | Must(!selectionError); // finding at least one path means selection succeeded | 1304 | Must(!selectionError); // finding at least one path means selection succeeded |
1979 | 1291 | 1305 | ||
1984 | 1292 | if (usingDestination()) { | 1306 | if (transportWait) { |
1985 | 1293 | // We are already using a previously opened connection but also | 1307 | assert(!transporting()); |
1986 | 1294 | // receiving destinations in case we need to re-forward. | 1308 | notifyConnOpener(); |
1987 | 1295 | Must(!transportWait); | 1309 | return; // and continue to wait for the noteConnection() callback |
1988 | 1310 | } | ||
1989 | 1311 | |||
1990 | 1312 | if (transporting()) { | ||
1991 | 1313 | // We are already using a previously opened connection (but were also | ||
1992 | 1314 | // receiving more destinations in case we need to re-forward). | ||
1993 | 1315 | debugs(17, 7, "keep transporting"); | ||
1994 | 1296 | return; | 1316 | return; |
1995 | 1297 | } | 1317 | } |
1996 | 1298 | 1318 | ||
1999 | 1299 | Must(transportWait); // or we would be stuck with nothing to do or wait for | 1319 | // destinationsFound, but none of them worked, and we were waiting for more |
2000 | 1300 | notifyConnOpener(); | 1320 | assert(savedError); |
2001 | 1321 | // XXX: Honor clientExpectsConnectResponse() before replying. | ||
2002 | 1322 | sendError(savedError, "all found paths have failed"); | ||
2003 | 1301 | } | 1323 | } |
2004 | 1302 | 1324 | ||
2005 | 1325 | /// Whether a tunneling attempt to some selected destination X is in progress | ||
2006 | 1326 | /// (after successfully opening/reusing a transport connection to X). | ||
2007 | 1327 | /// \sa transportWait | ||
2008 | 1303 | bool | 1328 | bool |
2010 | 1304 | TunnelStateData::usingDestination() const | 1329 | TunnelStateData::transporting() const |
2011 | 1305 | { | 1330 | { |
2013 | 1306 | return encryptionWait || peerWait || Comm::IsConnOpen(server.conn); | 1331 | return encryptionWait || peerWait || committedToServer; |
2014 | 1307 | } | 1332 | } |
2015 | 1308 | 1333 | ||
2016 | 1309 | /// remembers an error to be used if there will be no more connection attempts | 1334 | /// remembers an error to be used if there will be no more connection attempts |
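Review bot: the restructured tail of noteDestinationsEnd() swaps the exception-based guards (Must(!transportWait), Must(transportWait)) for assert(!transporting()) and assert(savedError). Must() raises a TextException that the surrounding async-call machinery catches and turns into an error for that one transaction, while assert() aborts the whole Squid worker; on a path that ordinary CONNECT traffic reaches (destinations found, none usable), a state bookkeeping slip now costs every client on the process instead of one tunnel. Prefer keeping Must() here, or at least for the savedError check that precedes sendError(). Separately, transporting() now reports encryptionWait || peerWait || committedToServer where usingDestination() used Comm::IsConnOpen(server.conn), so the "keep transporting" branch depends on commitToServer() being called everywhere server.conn is set; the XXX about clientExpectsConnectResponse() left in the new sendError() path should also be resolved before this goes into a stable update.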
2017 | @@ -1362,7 +1387,7 @@ TunnelStateData::startConnecting() | |||
2018 | 1362 | request->hier.startPeerClock(); | 1387 | request->hier.startPeerClock(); |
2019 | 1363 | 1388 | ||
2020 | 1364 | assert(!destinations->empty()); | 1389 | assert(!destinations->empty()); |
2022 | 1365 | assert(!usingDestination()); | 1390 | assert(!transporting()); |
2023 | 1366 | AsyncCall::Pointer callback = asyncCall(17, 5, "TunnelStateData::noteConnection", HappyConnOpener::CbDialer<TunnelStateData>(&TunnelStateData::noteConnection, this)); | 1391 | AsyncCall::Pointer callback = asyncCall(17, 5, "TunnelStateData::noteConnection", HappyConnOpener::CbDialer<TunnelStateData>(&TunnelStateData::noteConnection, this)); |
2024 | 1367 | const auto cs = new HappyConnOpener(destinations, callback, request, startTime, 0, al); | 1392 | const auto cs = new HappyConnOpener(destinations, callback, request, startTime, 0, al); |
2025 | 1368 | cs->setHost(request->url.host()); | 1393 | cs->setHost(request->url.host()); |
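Review bot: assert(!transporting()) in startConnecting() is a one-to-one rename of assert(!usingDestination()), but its meaning changed with the predicate: the old check refused to start a new connection while server.conn was open, the new one only looks at committedToServer. If any caller reaches startConnecting() with an open but not yet committed server connection, the assertion no longer catches it; a reviewer should confirm every initConnection() site has been converted to commitToServer(), or keep the Comm::IsConnOpen(server.conn) term in the assertion.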
2026 | @@ -1457,12 +1482,10 @@ switchToTunnel(HttpRequest *request, const Comm::ConnectionPointer &clientConn, | |||
2027 | 1457 | debugs(26, 3, request->method << " " << context->http->uri << " " << request->http_ver); | 1482 | debugs(26, 3, request->method << " " << context->http->uri << " " << request->http_ver); |
2028 | 1458 | 1483 | ||
2029 | 1459 | TunnelStateData *tunnelState = new TunnelStateData(context->http); | 1484 | TunnelStateData *tunnelState = new TunnelStateData(context->http); |
2031 | 1460 | tunnelState->retriable = false; | 1485 | tunnelState->commitToServer(srvConn); |
2032 | 1461 | 1486 | ||
2033 | 1462 | request->hier.resetPeerNotes(srvConn, tunnelState->getHost()); | 1487 | request->hier.resetPeerNotes(srvConn, tunnelState->getHost()); |
2034 | 1463 | 1488 | ||
2035 | 1464 | tunnelState->server.initConnection(srvConn, tunnelServerClosed, "tunnelServerClosed", tunnelState); | ||
2036 | 1465 | |||
2037 | 1466 | #if USE_DELAY_POOLS | 1489 | #if USE_DELAY_POOLS |
2038 | 1467 | /* no point using the delayIsNoDelay stuff since tunnel is nice and simple */ | 1490 | /* no point using the delayIsNoDelay stuff since tunnel is nice and simple */ |
2039 | 1468 | if (!srvConn->getPeer() || !srvConn->getPeer()->options.no_delay) | 1491 | if (!srvConn->getPeer() || !srvConn->getPeer()->options.no_delay) |
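Review bot: the removed lines did two things, tunnelState->retriable = false and server.initConnection(srvConn, tunnelServerClosed, "tunnelServerClosed", tunnelState), and the single replacement tunnelState->commitToServer(srvConn) must cover both. The close handler is the one to verify: if commitToServer() only records the connection and the retriable flag without registering tunnelServerClosed, a server-side close of a switched-to tunnel goes unnoticed and the client side hangs until its own timeout. Please point at the commitToServer() definition in the review (it is outside this hunk) or add a line to the changelog entry confirming the handler registration moved with it.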
2040 | diff --git a/tools/helper-mux/helper-mux.8 b/tools/helper-mux/helper-mux.8 | |||
2041 | index 788e3e6..d904e33 100644 | |||
2042 | --- a/tools/helper-mux/helper-mux.8 | |||
2043 | +++ b/tools/helper-mux/helper-mux.8 | |||
2044 | @@ -133,7 +133,7 @@ | |||
2045 | 133 | .\" ======================================================================== | 133 | .\" ======================================================================== |
2046 | 134 | .\" | 134 | .\" |
2047 | 135 | .IX Title "HELPER-MUX 8" | 135 | .IX Title "HELPER-MUX 8" |
2049 | 136 | .TH HELPER-MUX 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation" | 136 | .TH HELPER-MUX 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation" |
2050 | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes | 137 | .\" For nroff, turn off justification. Always turn off hyphenation; it makes |
2051 | 138 | .\" way too many mistakes in technical documents. | 138 | .\" way too many mistakes in technical documents. |
2052 | 139 | .if n .ad l | 139 | .if n .ad l |
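Review bot: the only change in this hunk is the .TH build date (2022-06-05 to 2022-09-05) in pod2man output, as in the other *.8 files listed in the diff summary; it is harmless but inflates the stable-update diff with regenerated artifacts. Either exclude regenerated man pages from the debdiff or mention in the changelog that these date-only changes come from the upstream tarball regeneration, so the reviewer can skip them safely.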
I'll review this one tomorrow.