Merge ~athos-ribeiro/ubuntu/+source/squid:MRE-kinetic-5.7 into ubuntu/+source/squid:ubuntu/kinetic-devel

Proposed by Athos Ribeiro
Status: Rejected
Rejected by: Robie Basak
Proposed branch: ~athos-ribeiro/ubuntu/+source/squid:MRE-kinetic-5.7
Merge into: ubuntu/+source/squid:ubuntu/kinetic-devel
Diff against target: 2052 lines (+467/-220)
48 files modified
ChangeLog (+11/-0)
RELEASENOTES.html (+24/-3)
compat/GnuRegex.c (+7/-0)
compat/os/mswindows.h (+6/-2)
configure (+16/-10)
configure.ac (+2/-1)
debian/NEWS (+12/-0)
debian/changelog (+22/-0)
debian/patches/series (+0/-3)
debian/squid-openssl.postinst (+14/-0)
dev/null (+0/-36)
doc/release-notes/release-5.html (+24/-3)
include/autoconf.h.in (+3/-0)
include/version.h (+1/-1)
lib/ntlmauth/ntlmauth.cc (+12/-2)
src/FwdState.cc (+11/-7)
src/HappyConnOpener.cc (+2/-2)
src/HappyConnOpener.h (+2/-1)
src/HttpHeaderTools.h (+1/-1)
src/acl/RegexData.cc (+3/-0)
src/acl/external/SQL_session/ext_sql_session_acl.8 (+1/-1)
src/acl/external/delayer/ext_delayer_acl.8 (+1/-1)
src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 (+1/-1)
src/acl/external/session/ext_session_acl.cc (+11/-5)
src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 (+1/-1)
src/auth/basic/DB/basic_db_auth.8 (+1/-1)
src/auth/basic/POP3/basic_pop3_auth.8 (+1/-1)
src/base/EnumIterator.h (+7/-1)
src/cache_cf.cc (+1/-1)
src/cf.data.pre (+7/-3)
src/cf_gen.cc (+0/-2)
src/fs/ufs/RebuildState.cc (+8/-10)
src/fs/ufs/RebuildState.h (+2/-2)
src/http/url_rewriters/LFS/url_lfs_rewrite.8 (+1/-1)
src/log/DB/log_db_daemon.8 (+1/-1)
src/main.cc (+2/-0)
src/sbuf/SBuf.h (+8/-1)
src/security/PeerOptions.cc (+36/-32)
src/security/ServerOptions.cc (+92/-0)
src/security/cert_validators/fake/security_fake_certverify.8 (+1/-1)
src/security/forward.h (+17/-11)
src/ssl/gadgets.cc (+20/-31)
src/ssl/gadgets.h (+1/-7)
src/ssl/support.cc (+17/-6)
src/store/id_rewriters/file/storeid_file_rewrite.8 (+1/-1)
src/tests/testStoreHashIndex.cc (+6/-0)
src/tunnel.cc (+48/-25)
tools/helper-mux/helper-mux.8 (+1/-1)
Reviewer Review Type Date Requested Status
Athos Ribeiro (community) Disapprove
git-ubuntu bot Pending
Canonical Server Reporter Pending
Sergio Durigan Junior Pending
Review via email: mp+442032@code.launchpad.net

This proposal supersedes a proposal from 2023-03-31.

Description of the change

This is the kinetic MRE for squid 5.7, as described in LP: #2013423

The most relevant change here is the official openssl 3 support. Do note that, as described in LP: #2013423, there is a configuration option whose support is being dropped. We consider this to be an acceptable tradeoff to remove the uncertainty around this package's OpenSSL 3 support.

PPA: https://launchpad.net/~athos-ribeiro/+archive/ubuntu/squid-5.7-mre/+packages

The DEP8 test suite results:

  - squid/5.7-0ubuntu0.22.10.1~ppa2
    + ✅ squid on kinetic for amd64 @ 27.04.23 12:04:00
    + ✅ squid on kinetic for arm64 @ 27.04.23 12:06:27
    + ❌ squid on kinetic for armhf @ 27.04.23 12:03:05
      • upstream-test-suite PASS 🟩
      • squid FAIL 🟥
    + ❌ squid on kinetic for i386 @ 27.04.23 11:55:16
      • upstream-test-suite FAIL 🟥
      • squid FAIL 🟥
    + ✅ squid on kinetic for ppc64el @ 27.04.23 11:58:33
    + ✅ squid on kinetic for s390x @ 27.04.23 12:02:37

Sergio Durigan Junior (sergiodj) wrote : Posted in a previous version of this proposal

I'll review this one tomorrow.

Sergio Durigan Junior (sergiodj) wrote : Posted in a previous version of this proposal

Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-athos-ribeiro-squid-5.7-mre/?format=plain)
  squid @ amd64:
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-athos-ribeiro-squid-5.7-mre/kinetic/amd64/s/squid/20230331_041000_38e7b@/log.gz
    31.03.23 04:10:00 ✅ Triggers: squid/5.7-0ubuntu0.22.10.1~ppa1
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-athos-ribeiro-squid-5.7-mre/kinetic/amd64/s/squid/20230331_114204_a5d29@/log.gz
    31.03.23 11:42:04 ✅ Triggers: squid/5.7-0ubuntu0.22.10.1~ppa1
  squid @ arm64:
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-athos-ribeiro-squid-5.7-mre/kinetic/arm64/s/squid/20230331_042217_57919@/log.gz
    31.03.23 04:22:17 ✅ Triggers: squid/5.7-0ubuntu0.22.10.1~ppa1
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-athos-ribeiro-squid-5.7-mre/kinetic/arm64/s/squid/20230331_115207_7bca2@/log.gz
    31.03.23 11:52:07 ✅ Triggers: squid/5.7-0ubuntu0.22.10.1~ppa1
  squid @ armhf:
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-athos-ribeiro-squid-5.7-mre/kinetic/armhf/s/squid/20230331_041445_ca57e@/log.gz
    31.03.23 04:14:45 ❌ Triggers: squid/5.7-0ubuntu0.22.10.1~ppa1
      squid FAIL 🟥
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-athos-ribeiro-squid-5.7-mre/kinetic/armhf/s/squid/20230331_114117_97eb6@/log.gz
    31.03.23 11:41:17 ❌ Triggers: squid/5.7-0ubuntu0.22.10.1~ppa1
      squid FAIL 🟥
  squid @ ppc64el:
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-athos-ribeiro-squid-5.7-mre/kinetic/ppc64el/s/squid/20230331_041225_83d09@/log.gz
    31.03.23 04:12:25 ✅ Triggers: squid/5.7-0ubuntu0.22.10.1~ppa1
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-athos-ribeiro-squid-5.7-mre/kinetic/ppc64el/s/squid/20230331_114152_68893@/log.gz
    31.03.23 11:41:52 ✅ Triggers: squid/5.7-0ubuntu0.22.10.1~ppa1
  squid @ s390x:
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-athos-ribeiro-squid-5.7-mre/kinetic/s390x/s/squid/20230331_041059_18254@/log.gz
    31.03.23 04:10:59 ✅ Triggers: squid/5.7-0ubuntu0.22.10.1~ppa1
    http://autopkgtest.ubuntu.com/results/autopkgtest-kinetic-athos-ribeiro-squid-5.7-mre/kinetic/s390x/s/squid/20230331_123412_0f94f@/log.gz
    31.03.23 12:34:12 ✅ Triggers: squid/5.7-0ubuntu0.22.10.1~ppa1

Sergio Durigan Junior (sergiodj) wrote : Posted in a previous version of this proposal

Thanks, Athos.

LGTM modulo the d/NEWS modifications I suggested in the Jammy MP. +1

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote : Posted in a previous version of this proposal

Approvers: athos-ribeiro, sergiodj
Uploaders: athos-ribeiro, sergiodj
MP auto-approved

review: Approve
Athos Ribeiro (athos-ribeiro) wrote : Posted in a previous version of this proposal

Thanks, Sergio.

Applied the suggestions (thx!) and uploaded :)

Athos Ribeiro (athos-ribeiro) wrote :

I am re-submitting this with 2 changes:

- We are now commenting out the ssl_engine configuration directive in the postinst if it is present and if the previous squid version is <= 5.7.

- We are documenting the change described above in d/NEWS.

Athos Ribeiro (athos-ribeiro) wrote :

Here is an easy way to verify the new behavior:

lxc launch ubuntu-daily:kinetic squid-kk
lxc exec squid-kk bash
# apt update && apt install -y squid-openssl

# systemctl is-active squid
> should be active

# echo 'ssl_engine dynamic' >> /etc/squid/squid.conf
# systemctl restart squid

# systemctl is-active squid
> should still be active in kinetic, since our current OpenSSL 3 support patch still supports the directive

# add-apt-repository -y ppa:athos-ribeiro/squid-5.7-mre
# apt update && apt install -y squid-openssl

# systemctl is-active squid
> should still be active, since the postinst script commented out the ssl_engine line

# tail -n2 /etc/squid/squid.conf
> should show the commented lines:
# ssl_engine is no longer supported since squid 5.7 (LP: #2013423).
# ssl_engine dynamic

# echo 'ssl_engine dynamic' >> /etc/squid/squid.conf
# systemctl restart squid
# systemctl status squid
> the restart command should fail, and the status should show:
FATAL: Bungled (null) line 3: sslproxy_cert_sign signTrusted all

# cat /var/log/syslog | grep ssl_engine
FATAL: bad configuration: Cannot use ssl_engine in Squid built with OpenSSL 3.0 or newer
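
The postinst behaviour described in the two comments above (comment out an active `ssl_engine` line on upgrade from a version <= 5.7, leaving the marker lines the `tail` output shows), as an added example: this is not the package's own d/squid-openssl.postinst, the function names are hypothetical, and the version gate assumes `dpkg --compare-versions` is available as it is in any Debian postinst.

```shell
#!/bin/sh
# Added example, not the package's debian/squid-openssl.postinst: a helper
# that comments out an active "ssl_engine" directive in squid.conf, producing
# the marker lines the verification steps above expect.
set -e

# Comment out every active (uncommented) "ssl_engine" line in the config $1.
# Returns 0 if the file was changed, 1 if there was nothing to do, so the
# caller can log or skip the migration on a config that never used it.
disable_ssl_engine() {
    conf="$1"
    grep -Eq '^[[:space:]]*ssl_engine([[:space:]]|$)' "$conf" || return 1
    tmp="$(mktemp)"
    awk '
        /^[ \t]*ssl_engine([ \t]|$)/ {
            print "# ssl_engine is no longer supported since squid 5.7 (LP: #2013423)."
            print "# " $0
            next
        }
        { print }
    ' "$conf" > "$tmp"
    # Write the content back in place (rather than mv) so the config file
    # keeps its existing owner and mode.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
    return 0
}

# Gate the migration on the previously installed version, as postinst sees it
# in "$2" on "configure": only upgrades from a version <= 5.7 can carry an
# ssl_engine line that used to work. Assumes dpkg(1) is present.
needs_ssl_engine_migration() {
    prev="$1"
    [ -n "$prev" ] || return 1          # fresh install: nothing to migrate
    dpkg --compare-versions "$prev" le 5.7
}

# Demo on a constructed config (not a real deployment).
demo_conf="$(mktemp)"
printf '%s\n' 'http_port 3128' 'ssl_engine dynamic' \
    'sslproxy_cert_sign signTrusted all' > "$demo_conf"
if disable_ssl_engine "$demo_conf"; then
    cat "$demo_conf"
fi
rm -f "$demo_conf"
```

Running it twice on the same file is safe: the second run finds only the commented line and returns 1 without touching the file.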

Athos Ribeiro (athos-ribeiro) wrote :

  - squid/5.7-0ubuntu0.22.10.1~ppa3
    + ✅ squid on kinetic for amd64 @ 28.04.23 01:20:13
    + ✅ squid on kinetic for arm64 @ 28.04.23 01:24:25
    + ❌ squid on kinetic for armhf @ 28.04.23 01:17:14
      • upstream-test-suite PASS 🟩
      • squid FAIL 🟥
    + ❌ squid on kinetic for i386 @ 28.04.23 01:09:16
      • upstream-test-suite FAIL 🟥
      • squid FAIL 🟥
    + ✅ squid on kinetic for ppc64el @ 28.04.23 01:16:34
    + ✅ squid on kinetic for s390x @ 28.04.23 01:14:46

Athos Ribeiro (athos-ribeiro) wrote :

marking bug as wontfix since kinetic reached its EOSS

review: Disapprove
Robie Basak (racb) wrote :

Athos asked me to mark this as Rejected.

Unmerged commits

a2821d9... by Athos Ribeiro

Update changelog

75524db... by Athos Ribeiro

    - d/NEWS: document end of support of the ssh_engine directive.

305f507... by Athos Ribeiro

    - d/squid-openssl.postinst: remove ssl_engine configuration directive.

9d93934... by Athos Ribeiro

    - d/p/CVE-2022-41318.patch: drop patch to fix NTLM decoder truncated strings.
      [ Fixed in 5.7 ]

20873ef... by Athos Ribeiro

    - d/p/CVE-2022-41317.patch: drop patch to fix typo in manager ACL.
      [ Fixed in 5.7 ]

d3785f8... by Athos Ribeiro

    - d/p/0006-Fix-build-against-OpenSSL-3-0.patch: drop downstream
      OpenSSL 3 support patch.
      [ Fixed in 5.7 ]

fa498c5... by Athos Ribeiro

New Upstream release 5.7

Preview Diff

diff --git a/ChangeLog b/ChangeLog
index f42c6d1..49174d4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
1Changes in squid-5.7 (05 Sep 2022):
2
3 - Regression Fix: Typo in manager ACL
4 - Bug 5186: noteDestinationsEnd check failed: transportWait
5 - Bug 5160: Test suite fails with -flto=auto
6 - Bug 3193 pt2: NTLM decoder truncating strings
7 - Bug 5133: OpenSSL 3.0 support
8 - ext_session_acl: fix TDB key lookup
9 - forward_max_tries: Do not count discarded connections
10 - ... and many compile and debugging fixes
11
1Changes in squid-5.6 (06 Jun 2022):12Changes in squid-5.6 (06 Jun 2022):
213
3 - Bug 5208: Part 1: Restart kids killed by SIGKILL14 - Bug 5208: Part 1: Restart kids killed by SIGKILL
diff --git a/RELEASENOTES.html b/RELEASENOTES.html
index a037de3..7369f54 100644
--- a/RELEASENOTES.html
+++ b/RELEASENOTES.html
@@ -3,10 +3,10 @@
3<HEAD>3<HEAD>
4 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.82">4 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.82">
5 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">5 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
6 <TITLE>Squid 5.6 release notes</TITLE>6 <TITLE>Squid 5.7 release notes</TITLE>
7</HEAD>7</HEAD>
8<BODY>8<BODY>
9<H1>Squid 5.6 release notes</H1>9<H1>Squid 5.7 release notes</H1>
1010
11<H2>Squid Developers</H2>11<H2>Squid Developers</H2>
12<HR>12<HR>
@@ -31,6 +31,7 @@ for Applied Network Research and members of the Web Caching community.</EM>
31<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">TrivialDB Support</A>31<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">TrivialDB Support</A>
32<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Loop Detection in Content Delivery Networks</A>32<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Loop Detection in Content Delivery Networks</A>
33<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Peering support for SSL-Bump</A>33<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Peering support for SSL-Bump</A>
34<LI><A NAME="toc2.7">2.7</A> <A HREF="#ss2.7">OpenSSL 3.0 Support</A>
34</UL>35</UL>
35<P>36<P>
36<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-4</A></H2>37<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-4</A></H2>
@@ -61,7 +62,7 @@ for Applied Network Research and members of the Web Caching community.</EM>
61<HR>62<HR>
62<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>63<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
6364
64<P>The Squid Team are pleased to announce the release of Squid-5.6.</P>65<P>The Squid Team are pleased to announce the release of Squid-5.7.</P>
65<P>This new release is available for download from 66<P>This new release is available for download from
66<A HREF="http://www.squid-cache.org/Versions/v5/">http://www.squid-cache.org/Versions/v5/</A> or the67<A HREF="http://www.squid-cache.org/Versions/v5/">http://www.squid-cache.org/Versions/v5/</A> or the
67<A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P>68<A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P>
@@ -95,6 +96,7 @@ for how to submit a report with a stack trace.</P>
95<LI>TrivialDB Support</LI>96<LI>TrivialDB Support</LI>
96<LI>RFC 8586: Loop Detection in Content Delivery Networks</LI>97<LI>RFC 8586: Loop Detection in Content Delivery Networks</LI>
97<LI>Peering support for SSL-Bump</LI>98<LI>Peering support for SSL-Bump</LI>
99<LI>OpenSSL 3.0 Support</LI>
98</UL>100</UL>
99</P>101</P>
100<P>Most user-facing changes are reflected in squid.conf (see below).</P>102<P>Most user-facing changes are reflected in squid.conf (see below).</P>
@@ -220,6 +222,21 @@ see TLS client handshake) <EM>before</EM> selecting the cache_peer.</P>
220yet do TLS-in-TLS.</P>222yet do TLS-in-TLS.</P>
221223
222224
225<H2><A NAME="ss2.7">2.7</A> <A HREF="#toc2.7">OpenSSL 3.0 Support</A>
226</H2>
227
228<P>Squid-5.7 adds OpenSSL 3.0 support.</P>
229
230<P>This version of Squid does not add any of the new features provided by
231OpenSSL 3.0. It only contains support for features already supported by prior
232versions of Squid using new APIs provided by OpenSSL 3.0.</P>
233
234<P>Notably the libssl custom Engine feature has been deprecated by OpenSSL 3.0
235and new Providers replacement is not supported by this Squid.</P>
236
237<P>OpenSSL 3.0 uses new licensing terms.</P>
238
239
223<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-4</A></H2>240<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-4</A></H2>
224241
225<P>There have been changes to Squid's configuration file since Squid-4.</P>242<P>There have been changes to Squid's configuration file since Squid-4.</P>
@@ -364,6 +381,10 @@ code to indicate the response was received from server using TLS/1.3.</P>
364<P>Codes <EM>rm</EM>, <EM>&lt;rm</EM> and <EM>&gt;rm</EM> display "-"381<P>Codes <EM>rm</EM>, <EM>&lt;rm</EM> and <EM>&gt;rm</EM> display "-"
365instead of the made-up method NONE.</P>382instead of the made-up method NONE.</P>
366383
384<DT><B>ssl_engine</B><DD>
385<P>OpenSSL 3.0 deprecates the Engine feature. This directive is
386only supported when Squid is built for older OpenSSL versions.</P>
387
367</DL>388</DL>
368</P>389</P>
369390
diff --git a/compat/GnuRegex.c b/compat/GnuRegex.c
index 9ef932e..82c9129 100644
--- a/compat/GnuRegex.c
+++ b/compat/GnuRegex.c
@@ -40,6 +40,13 @@
4040
41#if USE_GNUREGEX /* only if squid needs it. Usually not */41#if USE_GNUREGEX /* only if squid needs it. Usually not */
4242
43/* Starting with v12.1, GCC warns of various problems with this ancient code. */
44/* GCC versions prior to v12.1 do not support these pragmas. */
45#if (__GNUC__ == 12 && __GNUC_MINOR__ >= 1) || (__GNUC__ > 12)
46#pragma GCC diagnostic ignored "-Warray-bounds"
47#pragma GCC diagnostic ignored "-Wuse-after-free"
48#endif
49
43#if !HAVE_ALLOCA50#if !HAVE_ALLOCA
44#define REGEX_MALLOC 151#define REGEX_MALLOC 1
45#endif52#endif
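Review bot: the two added `#pragma GCC diagnostic ignored` lines for `-Warray-bounds` and `-Wuse-after-free` are not bracketed by `#pragma GCC diagnostic push` / `pop`, so they hide those memory-safety diagnostics for the rest of the translation unit rather than for the specific sites the comment calls "ancient code". Since the block is only compiled under `USE_GNUREGEX`, it is worth confirming the Ubuntu build does not set that (so this code is never linked) or that the silenced warnings were checked to be false positives before they were hidden.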
diff --git a/compat/os/mswindows.h b/compat/os/mswindows.h
index a819767..cfc9565 100644
--- a/compat/os/mswindows.h
+++ b/compat/os/mswindows.h
@@ -618,27 +618,31 @@ getsockopt(int s, int l, int o, void * v, socklen_t * n)
618}618}
619#define getsockopt(s,l,o,v,n) Squid::getsockopt(s,l,o,v,n)619#define getsockopt(s,l,o,v,n) Squid::getsockopt(s,l,o,v,n)
620620
621#if HAVE_DECL_INETNTOPA || HAVE_DECL_INET_NTOP
621inline char *622inline char *
622inet_ntop(int af, const void *src, char *dst, size_t size)623inet_ntop(int af, const void *src, char *dst, size_t size)
623{624{
624#if HAVE_DECL_INETNTOPA625#if HAVE_DECL_INETNTOPA
625 return (char*)InetNtopA(af, const_cast<void*>(src), dst, size);626 return (char*)InetNtopA(af, const_cast<void*>(src), dst, size);
626#else627#else // HAVE_DECL_INET_NTOP
627 return ::inet_ntop(af, src, dst, size);628 return ::inet_ntop(af, src, dst, size);
628#endif629#endif
629}630}
630#define inet_ntop(a,s,d,l) Squid::inet_ntop(a,s,d,l)631#define inet_ntop(a,s,d,l) Squid::inet_ntop(a,s,d,l)
632#endif // let compat/inet_ntop.h deal with it
631633
634#if HAVE_DECL_INETPTONA || HAVE_DECL_INET_PTON
632inline char *635inline char *
633inet_pton(int af, const void *src, char *dst)636inet_pton(int af, const void *src, char *dst)
634{637{
635#if HAVE_DECL_INETPTONA638#if HAVE_DECL_INETPTONA
636 return (char*)InetPtonA(af, const_cast<void*>(src), dst);639 return (char*)InetPtonA(af, const_cast<void*>(src), dst);
637#else640#else // HAVE_DECL_INET_PTON
638 return ::inet_pton(af, src, dst);641 return ::inet_pton(af, src, dst);
639#endif642#endif
640}643}
641#define inet_pton(a,s,d) Squid::inet_pton(a,s,d)644#define inet_pton(a,s,d) Squid::inet_pton(a,s,d)
645#endif // let compat/inet_pton.h deal with it
642646
643/* Simple ioctl() emulation */647/* Simple ioctl() emulation */
644inline int648inline int
diff --git a/configure b/configure
index ef2f3f1..7bffb06 100755
--- a/configure
+++ b/configure
@@ -1,7 +1,7 @@
1#! /bin/sh1#! /bin/sh
2# From configure.ac Revision.2# From configure.ac Revision.
3# Guess values for system-dependent variables and create Makefiles.3# Guess values for system-dependent variables and create Makefiles.
4# Generated by GNU Autoconf 2.71 for Squid Web Proxy 5.6.4# Generated by GNU Autoconf 2.71 for Squid Web Proxy 5.7.
5#5#
6# Report bugs to <http://bugs.squid-cache.org/>.6# Report bugs to <http://bugs.squid-cache.org/>.
7#7#
@@ -626,8 +626,8 @@ MAKEFLAGS=
626# Identity of this package.626# Identity of this package.
627PACKAGE_NAME='Squid Web Proxy'627PACKAGE_NAME='Squid Web Proxy'
628PACKAGE_TARNAME='squid'628PACKAGE_TARNAME='squid'
629PACKAGE_VERSION='5.6'629PACKAGE_VERSION='5.7'
630PACKAGE_STRING='Squid Web Proxy 5.6'630PACKAGE_STRING='Squid Web Proxy 5.7'
631PACKAGE_BUGREPORT='http://bugs.squid-cache.org/'631PACKAGE_BUGREPORT='http://bugs.squid-cache.org/'
632PACKAGE_URL=''632PACKAGE_URL=''
633633
@@ -1691,7 +1691,7 @@ if test "$ac_init_help" = "long"; then
1691 # Omit some internal or obsolete options to make the list less imposing.1691 # Omit some internal or obsolete options to make the list less imposing.
1692 # This message is too long to be a string in the A/UX 3.1 sh.1692 # This message is too long to be a string in the A/UX 3.1 sh.
1693 cat <<_ACEOF1693 cat <<_ACEOF
1694\`configure' configures Squid Web Proxy 5.6 to adapt to many kinds of systems.1694\`configure' configures Squid Web Proxy 5.7 to adapt to many kinds of systems.
16951695
1696Usage: $0 [OPTION]... [VAR=VALUE]...1696Usage: $0 [OPTION]... [VAR=VALUE]...
16971697
@@ -1762,7 +1762,7 @@ fi
17621762
1763if test -n "$ac_init_help"; then1763if test -n "$ac_init_help"; then
1764 case $ac_init_help in1764 case $ac_init_help in
1765 short | recursive ) echo "Configuration of Squid Web Proxy 5.6:";;1765 short | recursive ) echo "Configuration of Squid Web Proxy 5.7:";;
1766 esac1766 esac
1767 cat <<\_ACEOF1767 cat <<\_ACEOF
17681768
@@ -2196,7 +2196,7 @@ fi
2196test -n "$ac_init_help" && exit $ac_status2196test -n "$ac_init_help" && exit $ac_status
2197if $ac_init_version; then2197if $ac_init_version; then
2198 cat <<\_ACEOF2198 cat <<\_ACEOF
2199Squid Web Proxy configure 5.62199Squid Web Proxy configure 5.7
2200generated by GNU Autoconf 2.712200generated by GNU Autoconf 2.71
22012201
2202Copyright (C) 2021 Free Software Foundation, Inc.2202Copyright (C) 2021 Free Software Foundation, Inc.
@@ -3209,7 +3209,7 @@ cat >config.log <<_ACEOF
3209This file contains any messages produced by compilers while3209This file contains any messages produced by compilers while
3210running configure, to aid debugging if configure makes a mistake.3210running configure, to aid debugging if configure makes a mistake.
32113211
3212It was created by Squid Web Proxy $as_me 5.6, which was3212It was created by Squid Web Proxy $as_me 5.7, which was
3213generated by GNU Autoconf 2.71. Invocation command line was3213generated by GNU Autoconf 2.71. Invocation command line was
32143214
3215 $ $0$ac_configure_args_raw3215 $ $0$ac_configure_args_raw
@@ -4701,7 +4701,7 @@ fi
47014701
4702# Define the identity of the package.4702# Define the identity of the package.
4703 PACKAGE='squid'4703 PACKAGE='squid'
4704 VERSION='5.6'4704 VERSION='5.7'
47054705
47064706
4707printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h4707printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -25257,6 +25257,12 @@ then :
25257 printf "%s\n" "#define HAVE_OPENSSL_CRYPTO_H 1" >>confdefs.h25257 printf "%s\n" "#define HAVE_OPENSSL_CRYPTO_H 1" >>confdefs.h
2525825258
25259fi25259fi
25260ac_fn_cxx_check_header_compile "$LINENO" "openssl/decoder.h" "ac_cv_header_openssl_decoder_h" "$ac_includes_default"
25261if test "x$ac_cv_header_openssl_decoder_h" = xyes
25262then :
25263 printf "%s\n" "#define HAVE_OPENSSL_DECODER_H 1" >>confdefs.h
25264
25265fi
25260ac_fn_cxx_check_header_compile "$LINENO" "openssl/dh.h" "ac_cv_header_openssl_dh_h" "$ac_includes_default"25266ac_fn_cxx_check_header_compile "$LINENO" "openssl/dh.h" "ac_cv_header_openssl_dh_h" "$ac_includes_default"
25261if test "x$ac_cv_header_openssl_dh_h" = xyes25267if test "x$ac_cv_header_openssl_dh_h" = xyes
25262then :25268then :
@@ -48442,7 +48448,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
48442# report actual input values of CONFIG_FILES etc. instead of their48448# report actual input values of CONFIG_FILES etc. instead of their
48443# values after options handling.48449# values after options handling.
48444ac_log="48450ac_log="
48445This file was extended by Squid Web Proxy $as_me 5.6, which was48451This file was extended by Squid Web Proxy $as_me 5.7, which was
48446generated by GNU Autoconf 2.71. Invocation command line was48452generated by GNU Autoconf 2.71. Invocation command line was
4844748453
48448 CONFIG_FILES = $CONFIG_FILES48454 CONFIG_FILES = $CONFIG_FILES
@@ -48510,7 +48516,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
48510cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=148516cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
48511ac_cs_config='$ac_cs_config_escaped'48517ac_cs_config='$ac_cs_config_escaped'
48512ac_cs_version="\\48518ac_cs_version="\\
48513Squid Web Proxy config.status 5.648519Squid Web Proxy config.status 5.7
48514configured by $0, generated by GNU Autoconf 2.71,48520configured by $0, generated by GNU Autoconf 2.71,
48515 with options \\"\$ac_cs_config\\"48521 with options \\"\$ac_cs_config\\"
4851648522
diff --git a/configure.ac b/configure.ac
index 0cf6f9a..17aac0d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5,7 +5,7 @@
5## Please see the COPYING and CONTRIBUTORS files for details.5## Please see the COPYING and CONTRIBUTORS files for details.
6##6##
77
8AC_INIT([Squid Web Proxy],[5.6],[http://bugs.squid-cache.org/],[squid])8AC_INIT([Squid Web Proxy],[5.7],[http://bugs.squid-cache.org/],[squid])
9AC_PREREQ(2.61)9AC_PREREQ(2.61)
10AC_CONFIG_HEADERS([include/autoconf.h])10AC_CONFIG_HEADERS([include/autoconf.h])
11AC_CONFIG_AUX_DIR(cfgaux)11AC_CONFIG_AUX_DIR(cfgaux)
@@ -1333,6 +1333,7 @@ if test "x$with_openssl" = "xyes"; then
1333 openssl/bio.h \1333 openssl/bio.h \
1334 openssl/bn.h \1334 openssl/bn.h \
1335 openssl/crypto.h \1335 openssl/crypto.h \
1336 openssl/decoder.h \
1336 openssl/dh.h \1337 openssl/dh.h \
1337 openssl/err.h \1338 openssl/err.h \
1338 openssl/evp.h \1339 openssl/evp.h \
diff --git a/debian/NEWS b/debian/NEWS
index 83136fb..e229d83 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,15 @@
1squid (5.7-0ubuntu0.22.10.1) kinetic; urgency=medium
2
3 The support for the "ssl_engine" configuration directive has been dropped,
4 meaning squid would fail to start for installations using that directive.
5 There is no current workaround for this issue since squid does not provide
6 support for OpenSSL >= 3 Providers yet. Therefore, your ssl_engine
7 configuration directive will be commented out (if present) to avoid service
8 disruption on upgrades. You can find more context on that particular change
9 at https://github.com/squid-cache/squid/pull/694.
10
11 -- Athos Ribeiro <athos.ribeiro@canonical.com> Thu, 06 Apr 2023 18:27:15 -0300
12
1squid (5.1-2) unstable; urgency=medium13squid (5.1-2) unstable; urgency=medium
214
3 ext_session_acl and ext_time_quota_acl helpers have been switched from15 ext_session_acl and ext_time_quota_acl helpers have been switched from
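Review bot: the entry should state plainly that the directive is commented out, not migrated: after the upgrade squid starts, but without whatever the engine was providing, so administrators who relied on `ssl_engine` need to check their TLS setup rather than assume the service is unchanged. Minor tense point on the "meaning squid would fail to start" line: "will fail to start" is what the text means. It would also help to say where the commented-out line ends up (the directive is left in place under a marker comment, as the MP description shows), since that is what an administrator grepping squid.conf after the upgrade will find.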
diff --git a/debian/changelog b/debian/changelog
index 396cc68..4f6976a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,25 @@
1squid (5.7-0ubuntu0.22.10.1) kinetic; urgency=medium
2
3 * New upstream version. (LP: #2013423):
4 - Add OpenSSL 3.0 support for features that were already supported by
5 squid. No new OpenSSL 3.0 feature support added at this time.
6 - Drop support for the libssl custom Engine feature for builds linked to
7 OpenSSL 3.0. Therefore, the configuration directive ssl_engine is no
8 longer supported for builds using OpenSSL >= 3.
9 - For a comprehensive list of changes, please see
10 http://www.squid-cache.org/Versions/v5/ChangeLog.html.
11 * d/p/0006-Fix-build-against-OpenSSL-3-0.patch: drop downstream
12 OpenSSL 3 support patch.
13 [ Fixed in 5.7 ]
14 * d/p/CVE-2022-41317.patch: drop patch to fix typo in manager ACL.
15 [ Fixed in 5.7 ]
16 * d/p/CVE-2022-41318.patch: drop patch to fix NTLM decoder truncated strings.
17 [ Fixed in 5.7 ]
18 * d/squid-openssl.postinst: remove ssl_engine configuration directive.
19 * d/NEWS: document end of support of the ssh_engine directive.
20
21 -- Athos Ribeiro <athos.ribeiro@canonical.com> Thu, 30 Mar 2023 07:27:09 -0300
22
1squid (5.6-1ubuntu3.1) kinetic; urgency=medium23squid (5.6-1ubuntu3.1) kinetic; urgency=medium
224
3 * Make builds fail when upstream test suite fails (LP: #2004050):25 * Make builds fail when upstream test suite fails (LP: #2004050):
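Review bot: typo on the d/NEWS bullet, `ssh_engine` should be `ssl_engine`, the directive named everywhere else in this entry and in d/NEWS; the same typo is in the 75524db commit message. The d/squid-openssl.postinst bullet says the directive is removed, while d/NEWS and the MP description say it is commented out; using the same verb in both avoids confusion for anyone reading the changelog alone.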
diff --git a/debian/patches/0006-Fix-build-against-OpenSSL-3-0.patch b/debian/patches/0006-Fix-build-against-OpenSSL-3-0.patch
4deleted file mode 10064426deleted file mode 100644
index a8f2916..0000000
--- a/debian/patches/0006-Fix-build-against-OpenSSL-3-0.patch
+++ /dev/null
@@ -1,210 +0,0 @@
1From: Nicholas Guriev <guriev-ns@ya.ru>
2Date: Tue, 31 May 2022 22:31:08 +0300
3Subject: Make build against OpenSSL-3.0 possible
4 In OpenSSL, the SSL_get_ex_new_index macro (substituted to
5 CRYPTO_get_ex_new_index) requires CRYPTO_EX_dup as the second callback. This
6 typedef, for some reason, has got an extra asterisk near void* within
7 arguments into the third version. Freely conversions from void* to void** is
8 okay in C but prohibited in C++. So I've updated the callback prototype to
9 match the last OpenSSL version.
10 .
11 OpenSSL pre-3.0 defined all of the SSL_OP_* macros with numeric hexadecimal
12 literals. However, the third version uses there casting expressions with
13 shifts which preprocessor is unable to compute. So I check only macros
14 existence, this lets Squid accept obsolete options. But it's nothing,
15 OpenSSL should ignore them anyway.
16
17---
18 acinclude/lib-checks.m4 | 2 -
19 src/security/PeerOptions.cc | 50 ++++++++++++++++++++++----------------------
20 src/ssl/support.cc | 2 -
21 3 files changed, 27 insertions(+), 27 deletions(-)
22
23--- a/acinclude/lib-checks.m4
24+++ b/acinclude/lib-checks.m4
25@@ -236,7 +236,7 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_CRYP
26 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
27 #include <openssl/ssl.h>
28
29-int const_dup_func(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, int, long, void *) {
30+int const_dup_func(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **, int, long, void *) {
31 return 0;
32 }
33 ],[
34--- a/src/security/PeerOptions.cc
35+++ b/src/security/PeerOptions.cc
36@@ -297,130 +297,130 @@ static struct ssl_option {
37
38 } ssl_options[] = {
39
40-#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
41+#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
42 {
43 "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
44 },
45 #endif
46-#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
47+#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
48 {
49 "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
50 },
51 #endif
52-#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
53+#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
54 {
55 "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
56 },
57 #endif
58-#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG
59+#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
60 {
61 "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG
62 },
63 #endif
64-#if SSL_OP_TLS_D5_BUG
65+#ifdef SSL_OP_TLS_D5_BUG
66 {
67 "TLS_D5_BUG", SSL_OP_TLS_D5_BUG
68 },
69 #endif
70-#if SSL_OP_TLS_BLOCK_PADDING_BUG
71+#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
72 {
73 "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG
74 },
75 #endif
76-#if SSL_OP_TLS_ROLLBACK_BUG
77+#ifdef SSL_OP_TLS_ROLLBACK_BUG
78 {
79 "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG
80 },
81 #endif
82-#if SSL_OP_ALL
83+#ifdef SSL_OP_ALL
84 {
85 "ALL", (long)SSL_OP_ALL
86 },
87 #endif
88-#if SSL_OP_SINGLE_DH_USE
89+#ifdef SSL_OP_SINGLE_DH_USE
90 {
91 "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE
92 },
93 #endif
94-#if SSL_OP_EPHEMERAL_RSA
95+#ifdef SSL_OP_EPHEMERAL_RSA
96 {
97 "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA
98 },
99 #endif
100-#if SSL_OP_PKCS1_CHECK_1
101+#ifdef SSL_OP_PKCS1_CHECK_1
102 {
103 "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1
104 },
105 #endif
106-#if SSL_OP_PKCS1_CHECK_2
107+#ifdef SSL_OP_PKCS1_CHECK_2
108 {
109 "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2
110 },
111 #endif
112-#if SSL_OP_NETSCAPE_CA_DN_BUG
113+#ifdef SSL_OP_NETSCAPE_CA_DN_BUG
114 {
115 "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG
116 },
117 #endif
118-#if SSL_OP_NON_EXPORT_FIRST
119+#ifdef SSL_OP_NON_EXPORT_FIRST
120 {
121 "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST
122 },
123 #endif
124-#if SSL_OP_CIPHER_SERVER_PREFERENCE
125+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
126 {
127 "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE
128 },
129 #endif
130-#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
131+#ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
132 {
133 "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
134 },
135 #endif
136-#if SSL_OP_NO_SSLv3
137+#ifdef SSL_OP_NO_SSLv3
138 {
139 "NO_SSLv3", SSL_OP_NO_SSLv3
140 },
141 #endif
142-#if SSL_OP_NO_TLSv1
143+#ifdef SSL_OP_NO_TLSv1
144 {
145 "NO_TLSv1", SSL_OP_NO_TLSv1
146 },
147 #else
148 { "NO_TLSv1", 0 },
149 #endif
150-#if SSL_OP_NO_TLSv1_1
151+#ifdef SSL_OP_NO_TLSv1_1
152 {
153 "NO_TLSv1_1", SSL_OP_NO_TLSv1_1
154 },
155 #else
156 { "NO_TLSv1_1", 0 },
157 #endif
158-#if SSL_OP_NO_TLSv1_2
159+#ifdef SSL_OP_NO_TLSv1_2
160 {
161 "NO_TLSv1_2", SSL_OP_NO_TLSv1_2
162 },
163 #else
164 { "NO_TLSv1_2", 0 },
165 #endif
166-#if SSL_OP_NO_TLSv1_3
167+#ifdef SSL_OP_NO_TLSv1_3
168 {
169 "NO_TLSv1_3", SSL_OP_NO_TLSv1_3
170 },
171 #else
172 { "NO_TLSv1_3", 0 },
173 #endif
174-#if SSL_OP_NO_COMPRESSION
175+#ifdef SSL_OP_NO_COMPRESSION
176 {
177 "No_Compression", SSL_OP_NO_COMPRESSION
178 },
179 #endif
180-#if SSL_OP_NO_TICKET
181+#ifdef SSL_OP_NO_TICKET
182 {
183 "NO_TICKET", SSL_OP_NO_TICKET
184 },
185 #endif
186-#if SSL_OP_SINGLE_ECDH_USE
187+#ifdef SSL_OP_SINGLE_ECDH_USE
188 {
189 "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE
190 },
191@@ -512,7 +512,7 @@ Security::PeerOptions::parseOptions()
192
193 }
194
195-#if SSL_OP_NO_SSLv2
196+#ifdef SSL_OP_NO_SSLv2
197 // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
198 op = op | SSL_OP_NO_SSLv2;
199 #endif
200--- a/src/ssl/support.cc
201+++ b/src/ssl/support.cc
202@@ -559,7 +559,7 @@ Ssl::VerifyCallbackParameters::At(Securi
203 // "dup" function for SSL_get_ex_new_index("cert_err_check")
204 #if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
205 static int
206-ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,
207+ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **,
208 int, long, void *)
209 #else
210 static int
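Review bot: dropping 0006-Fix-build-against-OpenSSL-3-0.patch is only safe if upstream 5.7 carries both halves shown in this deleted file, the `#if` to `#ifdef` conversion of the SSL_OP_* table in src/security/PeerOptions.cc (through the `SSL_OP_NO_SSLv2` line in parseOptions()) and the `void **` third parameter of `ssl_dupAclChecklist()` in src/ssl/support.cc; both files are in this MP's file list, so please confirm the 5.7 hunks are equivalent rather than relying on the squid-openssl build succeeding. One behavioural consequence of `#ifdef` is worth a changelog line: option macros that newer OpenSSL headers define as 0 (PKCS1_CHECK_1 is one) now appear in the table as accepted no-op names instead of being absent, in line with the existing `#else { "NO_TLSv1", 0 }` fallbacks.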
diff --git a/debian/patches/CVE-2022-41317.patch b/debian/patches/CVE-2022-41317.patch
211deleted file mode 1006440deleted file mode 100644
index c5447db..0000000
--- a/debian/patches/CVE-2022-41317.patch
+++ /dev/null
@@ -1,19 +0,0 @@
1commit 55151c545a8e0bd2cb69036da5794c9cb21018b2
2Author: Amos Jeffries <yadij@users.noreply.github.com>
3Date: 2022-08-17 23:32:43 +0000
4
5 Fix typo in manager ACL (#1113)
6
7diff --git a/src/cf.data.pre b/src/cf.data.pre
8index a0bdb2f83..118256437 100644
9--- a/src/cf.data.pre
10+++ b/src/cf.data.pre
11@@ -1036,7 +1036,7 @@ DEFAULT: ssl::certUntrusted ssl_error X509_V_ERR_INVALID_CA X509_V_ERR_SELF_SIGN
12 DEFAULT: ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
13 ENDIF
14 DEFAULT: all src all
15-DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
16+DEFAULT: manager url_regex -i ^cache_object:// +i ^[^:]+://[^/]+/squid-internal-mgr/
17 DEFAULT: localhost src 127.0.0.1/32 ::1
18 DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1/128 ::/128
19 DEFAULT: CONNECT method CONNECT
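Review bot: the removed patch is superseded by the upstream change to src/cf.data.pre in this same MP, which carries the identical `DEFAULT: manager url_regex -i ^cache_object:// +i ^[^:]+://[^/]+/squid-internal-mgr/` line, so nothing is lost; please name CVE-2022-41317 in debian/changelog as fixed by the 5.7 upstream version, and have the SRU test plan confirm that cache-manager URLs are matched by the `manager` ACL regardless of the URL scheme.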
diff --git a/debian/patches/CVE-2022-41318.patch b/debian/patches/CVE-2022-41318.patch
20deleted file mode 1006440deleted file mode 100644
index 02a66ea..0000000
--- a/debian/patches/CVE-2022-41318.patch
+++ /dev/null
@@ -1,36 +0,0 @@
1commit 8eca72c14f94e8591b0d40bd6210ec68d1e54c46
2Author: Amos Jeffries <yadij@users.noreply.github.com>
3Date: 2022-08-09 23:34:54 +0000
4
5 Bug 3193 pt2: NTLM decoder truncating strings (#1114)
6
7 The initial bug fix overlooked large 'offset' causing integer
8 wrap to extract a too-short length string.
9
10 Improve debugs and checks sequence to clarify cases and ensure
11 that all are handled correctly.
12
13--- a/lib/ntlmauth/ntlmauth.cc
14+++ b/lib/ntlmauth/ntlmauth.cc
15@@ -107,10 +107,19 @@ ntlm_fetch_string(const ntlmhdr *packet,
16 int32_t o = le32toh(str->offset);
17 // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
18
19- if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
20- debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
21+ if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
22+ debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
23 return rv;
24 }
25+ else if (o <= 0 || o > packet_size) {
26+ debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
27+ return rv;
28+ }
29+ else if (l > packet_size - o) {
30+ debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
31+ return rv;
32+ }
33+
34 rv.str = (char *)packet + o;
35 rv.l = 0;
36 if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {
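Review bot: the removed patch is also superseded upstream: the lib/ntlmauth/ntlmauth.cc hunk later in this MP contains the same three-way length, offset and truncation checks in ntlm_fetch_string(); record CVE-2022-41318 as fixed by the upstream 5.7 update in debian/changelog so the security tracker can close it against this version.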
diff --git a/debian/patches/series b/debian/patches/series
index 8c2318e..eb9acfd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,10 +1,7 @@
10001-Default-configuration-file-for-debian.patch10001-Default-configuration-file-for-debian.patch
20002-Change-default-file-locations-for-debian.patch20002-Change-default-file-locations-for-debian.patch
30005-Use-RuntimeDirectory-to-create-run-squid.patch30005-Use-RuntimeDirectory-to-create-run-squid.patch
40006-Fix-build-against-OpenSSL-3-0.patch
590-cf.data.ubuntu.patch490-cf.data.ubuntu.patch
699-ubuntu-ssl-cert-snakeoil.patch599-ubuntu-ssl-cert-snakeoil.patch
7fix-max-pkt-sz-for-icmpEchoData-padding.patch6fix-max-pkt-sz-for-icmpEchoData-padding.patch
80009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch70009-Fix-Werror-alloc-size-larger-than-on-GCC-12.patch
9CVE-2022-41317.patch
10CVE-2022-41318.patch
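Review bot: three patches leave the series here (0006-Fix-build-against-OpenSSL-3-0.patch, CVE-2022-41317.patch, CVE-2022-41318.patch) but the series file itself cannot record why; each should be listed in debian/changelog as dropped because upstream 5.7 includes the equivalent change, which is the usual MRE expectation and what lets a later reviewer see that the CVE fixes did not silently disappear.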
diff --git a/debian/squid-openssl.postinst b/debian/squid-openssl.postinst
index f64fd49..8c3e4e0 100644
--- a/debian/squid-openssl.postinst
+++ b/debian/squid-openssl.postinst
@@ -1,6 +1,12 @@
1#! /bin/sh1#! /bin/sh
22
3set -e3set -e
4remove_ssl_engine_config() {
5 match='^([ \t]*ssl_engine[ \t].*)$'
6 doc='# ssl_engine is no longer supported since squid 5.7 (LP: #2013423).'
7 find /etc/squid/ -type f,l -name "*.conf" -exec \
8 sed -Ei "s/${match}/${doc}\n# \1/" '{}' \;
9}
410
5grepconf () {11grepconf () {
6 w=" " # space tab12 w=" " # space tab
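Review bot: `find /etc/squid/ -type f,l ... -exec sed -Ei ... '{}' \;` will turn any symlinked *.conf into a regular file, because GNU `sed -i` writes a new file in place of the link unless `--follow-symlinks` is given; either drop `,l` from `-type` or add `--follow-symlinks`, otherwise an admin whose squid.conf is a symlink into a config-managed tree silently loses that link on upgrade. Both `-type f,l` and the `\n` in the sed replacement are GNU extensions, which is fine on Ubuntu but deserves a comment inside remove_ssl_engine_config() since this is a maintainer script.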
@@ -70,6 +76,14 @@ case "$1" in
70 chmod u+s $PINGER76 chmod u+s $PINGER
71 fi77 fi
7278
79 #
80 # Remove the unsupported ssl_engine configuration directive, if present.
81 # LP: #2013423
82 #
83 if dpkg --compare-versions "$2" lt-nl "5.7"; then
84 remove_ssl_engine_config
85 fi
86
73 ;;87 ;;
74 abort-upgrade|abort-remove|abort-deconfigure)88 abort-upgrade|abort-remove|abort-deconfigure)
75 ;;89 ;;
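Review bot: the comment block says "Remove the unsupported ssl_engine configuration directive", but remove_ssl_engine_config() comments the line out and inserts the LP: #2013423 note above it rather than deleting it; align the wording so the next maintainer is not surprised to find the directive still in the file. The `dpkg --compare-versions "$2" lt-nl "5.7"` gate is right for fresh installs (an empty $2 compares as later, so the rewrite is skipped) and for upgrades from 5.6, but only files under /etc/squid/ are rewritten, so a configuration loaded from elsewhere with `-f`, or included from outside that directory, will still carry the directive; the debian/NEWS entry should say so.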
diff --git a/doc/release-notes/release-5.html b/doc/release-notes/release-5.html
index a037de3..7369f54 100644
--- a/doc/release-notes/release-5.html
+++ b/doc/release-notes/release-5.html
@@ -3,10 +3,10 @@
3<HEAD>3<HEAD>
4 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.82">4 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.82">
5 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">5 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
6 <TITLE>Squid 5.6 release notes</TITLE>6 <TITLE>Squid 5.7 release notes</TITLE>
7</HEAD>7</HEAD>
8<BODY>8<BODY>
9<H1>Squid 5.6 release notes</H1>9<H1>Squid 5.7 release notes</H1>
1010
11<H2>Squid Developers</H2>11<H2>Squid Developers</H2>
12<HR>12<HR>
@@ -31,6 +31,7 @@ for Applied Network Research and members of the Web Caching community.</EM>
31<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">TrivialDB Support</A>31<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">TrivialDB Support</A>
32<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Loop Detection in Content Delivery Networks</A>32<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Loop Detection in Content Delivery Networks</A>
33<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Peering support for SSL-Bump</A>33<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Peering support for SSL-Bump</A>
34<LI><A NAME="toc2.7">2.7</A> <A HREF="#ss2.7">OpenSSL 3.0 Support</A>
34</UL>35</UL>
35<P>36<P>
36<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-4</A></H2>37<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-4</A></H2>
@@ -61,7 +62,7 @@ for Applied Network Research and members of the Web Caching community.</EM>
61<HR>62<HR>
62<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>63<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
6364
64<P>The Squid Team are pleased to announce the release of Squid-5.6.</P>65<P>The Squid Team are pleased to announce the release of Squid-5.7.</P>
65<P>This new release is available for download from 66<P>This new release is available for download from
66<A HREF="http://www.squid-cache.org/Versions/v5/">http://www.squid-cache.org/Versions/v5/</A> or the67<A HREF="http://www.squid-cache.org/Versions/v5/">http://www.squid-cache.org/Versions/v5/</A> or the
67<A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P>68<A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P>
@@ -95,6 +96,7 @@ for how to submit a report with a stack trace.</P>
95<LI>TrivialDB Support</LI>96<LI>TrivialDB Support</LI>
96<LI>RFC 8586: Loop Detection in Content Delivery Networks</LI>97<LI>RFC 8586: Loop Detection in Content Delivery Networks</LI>
97<LI>Peering support for SSL-Bump</LI>98<LI>Peering support for SSL-Bump</LI>
99<LI>OpenSSL 3.0 Support</LI>
98</UL>100</UL>
99</P>101</P>
100<P>Most user-facing changes are reflected in squid.conf (see below).</P>102<P>Most user-facing changes are reflected in squid.conf (see below).</P>
@@ -220,6 +222,21 @@ see TLS client handshake) <EM>before</EM> selecting the cache_peer.</P>
220yet do TLS-in-TLS.</P>222yet do TLS-in-TLS.</P>
221223
222224
225<H2><A NAME="ss2.7">2.7</A> <A HREF="#toc2.7">OpenSSL 3.0 Support</A>
226</H2>
227
228<P>Squid-5.7 adds OpenSSL 3.0 support.</P>
229
230<P>This version of Squid does not add any of the new features provided by
231OpenSSL 3.0. It only contains support for features already supported by prior
232versions of Squid using new APIs provided by OpenSSL 3.0.</P>
233
234<P>Notably the libssl custom Engine feature has been deprecated by OpenSSL 3.0
235and new Providers replacement is not supported by this Squid.</P>
236
237<P>OpenSSL 3.0 uses new licensing terms.</P>
238
239
223<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-4</A></H2>240<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-4</A></H2>
224241
225<P>There have been changes to Squid's configuration file since Squid-4.</P>242<P>There have been changes to Squid's configuration file since Squid-4.</P>
@@ -364,6 +381,10 @@ code to indicate the response was received from server using TLS/1.3.</P>
364<P>Codes <EM>rm</EM>, <EM>&lt;rm</EM> and <EM>&gt;rm</EM> display "-"381<P>Codes <EM>rm</EM>, <EM>&lt;rm</EM> and <EM>&gt;rm</EM> display "-"
365instead of the made-up method NONE.</P>382instead of the made-up method NONE.</P>
366383
384<DT><B>ssl_engine</B><DD>
385<P>OpenSSL 3.0 deprecates the Engine feature. This directive is
386only supported when Squid is built for older OpenSSL versions.</P>
387
367</DL>388</DL>
368</P>389</P>
369390
diff --git a/include/autoconf.h.in b/include/autoconf.h.in
index fe0a3da..92533bf 100644
--- a/include/autoconf.h.in
+++ b/include/autoconf.h.in
@@ -772,6 +772,9 @@
772/* Define to 1 if you have the <openssl/crypto.h> header file. */772/* Define to 1 if you have the <openssl/crypto.h> header file. */
773#undef HAVE_OPENSSL_CRYPTO_H773#undef HAVE_OPENSSL_CRYPTO_H
774774
775/* Define to 1 if you have the <openssl/decoder.h> header file. */
776#undef HAVE_OPENSSL_DECODER_H
777
775/* Define to 1 if you have the <openssl/dh.h> header file. */778/* Define to 1 if you have the <openssl/dh.h> header file. */
776#undef HAVE_OPENSSL_DH_H779#undef HAVE_OPENSSL_DH_H
777780
diff --git a/include/version.h b/include/version.h
index 77b3d91..14c1335 100644
--- a/include/version.h
+++ b/include/version.h
@@ -7,7 +7,7 @@
7 */7 */
88
9#ifndef SQUID_RELEASE_TIME9#ifndef SQUID_RELEASE_TIME
10#define SQUID_RELEASE_TIME 165446891410#define SQUID_RELEASE_TIME 1662392113
11#endif11#endif
1212
13/*13/*
diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
index 7e2156d..dac8a7e 100644
--- a/lib/ntlmauth/ntlmauth.cc
+++ b/lib/ntlmauth/ntlmauth.cc
@@ -12,6 +12,7 @@
12#include "squid.h"12#include "squid.h"
1313
14#include <cstring>14#include <cstring>
15#include <ctime>
15#include <random>16#include <random>
16#if HAVE_STRINGS_H17#if HAVE_STRINGS_H
17#include <strings.h>18#include <strings.h>
@@ -107,10 +108,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
107 int32_t o = le32toh(str->offset);108 int32_t o = le32toh(str->offset);
108 // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);109 // debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
109110
110 if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {111 if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
111 debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);112 debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
112 return rv;113 return rv;
113 }114 }
115 else if (o <= 0 || o > packet_size) {
116 debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
117 return rv;
118 }
119 else if (l > packet_size - o) {
120 debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
121 return rv;
122 }
123
114 rv.str = (char *)packet + o;124 rv.str = (char *)packet + o;
115 rv.l = 0;125 rv.l = 0;
116 if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {126 if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {
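Review bot: the split into three checks is overflow-safe: `o <= 0 || o > packet_size` is evaluated before `l > packet_size - o`, so the subtraction cannot underflow and the old `o + l > packet_size` wrap on a large offset (the cause of CVE-2022-41318, per the patch removed earlier in this MP) is gone. One boundary is worth a comment: `o == packet_size` with `l == 0` passes all three checks and sets `rv.str` to one past the end of the packet with `rv.l = 0`; that pointer is legal only as long as the code after `if ((flags & NTLM_NEGOTIATE_ASCII) == 0)` never reads through it for a zero-length string.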
diff --git a/src/FwdState.cc b/src/FwdState.cc
index e493a88..bdcfcd6 100644
--- a/src/FwdState.cc
+++ b/src/FwdState.cc
@@ -641,7 +641,6 @@ FwdState::noteDestination(Comm::ConnectionPointer path)
641 if (transporting())641 if (transporting())
642 return; // and continue to receive destinations for backup642 return; // and continue to receive destinations for backup
643643
644 // This is the first path candidate we have seen. Use it.
645 useDestinations();644 useDestinations();
646}645}
647646
@@ -657,12 +656,8 @@ FwdState::noteDestinationsEnd(ErrorState *selectionError)
657 Must(!err); // if we tried to connect, then path selection succeeded656 Must(!err); // if we tried to connect, then path selection succeeded
658 fail(selectionError);657 fail(selectionError);
659 }658 }
660 else if (err)
661 debugs(17, 3, "Will abort forwarding because all found paths have failed.");
662 else
663 debugs(17, 3, "Will abort forwarding because path selection found no paths.");
664659
665 useDestinations(); // will detect and handle the lack of paths660 stopAndDestroy("path selection found no paths");
666 return;661 return;
667 }662 }
668 // else continue to use one of the previously noted destinations;663 // else continue to use one of the previously noted destinations;
@@ -675,7 +670,16 @@ FwdState::noteDestinationsEnd(ErrorState *selectionError)
675 return; // and continue to wait for FwdState::noteConnection() callback670 return; // and continue to wait for FwdState::noteConnection() callback
676 }671 }
677672
678 Must(transporting()); // or we would be stuck with nothing to do or wait for673 if (transporting()) {
674 // We are already using a previously opened connection (but were also
675 // receiving more destinations in case we need to re-forward).
676 debugs(17, 7, "keep transporting");
677 return;
678 }
679
680 // destinationsFound, but none of them worked, and we were waiting for more
681 assert(err);
682 stopAndDestroy("all found paths have failed");
679}683}
680684
681/// makes sure connection opener knows that the destinations have changed685/// makes sure connection opener knows that the destinations have changed
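Review bot: `assert(err)` in the new tail of noteDestinationsEnd() aborts the whole worker, whereas the same function uses `Must(!err)` a few lines up for a comparable invariant; for consistency, and so that a violated expectation only fails this one transaction, `Must(err)` looks like the better fit unless upstream chose assert deliberately, in which case a comment saying why would help. The debugs() messages removed in the previous hunk survive as the stopAndDestroy() reason strings ("path selection found no paths", "all found paths have failed"), so no diagnostic is lost.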
diff --git a/src/HappyConnOpener.cc b/src/HappyConnOpener.cc
index 6d83ff1..a9f2df5 100644
--- a/src/HappyConnOpener.cc
+++ b/src/HappyConnOpener.cc
@@ -568,8 +568,6 @@ HappyConnOpener::openFreshConnection(Attempt &attempt, PeerConnectionPointer &de
568 const auto conn = dest->cloneProfile();568 const auto conn = dest->cloneProfile();
569 GetMarkingsToServer(cause.getRaw(), *conn);569 GetMarkingsToServer(cause.getRaw(), *conn);
570570
571 ++n_tries;
572
573 typedef CommCbMemFunT<HappyConnOpener, CommConnectCbParams> Dialer;571 typedef CommCbMemFunT<HappyConnOpener, CommConnectCbParams> Dialer;
574 AsyncCall::Pointer callConnect = asyncCall(48, 5, attempt.callbackMethodName,572 AsyncCall::Pointer callConnect = asyncCall(48, 5, attempt.callbackMethodName,
575 Dialer(this, attempt.callbackMethod));573 Dialer(this, attempt.callbackMethod));
@@ -611,6 +609,8 @@ HappyConnOpener::handleConnOpenerAnswer(Attempt &attempt, const CommConnectCbPar
611 handledPath.finalize(params.conn); // closed on errors609 handledPath.finalize(params.conn); // closed on errors
612 attempt.finish();610 attempt.finish();
613611
612 ++n_tries;
613
614 if (params.flag == Comm::OK) {614 if (params.flag == Comm::OK) {
615 sendSuccess(handledPath, false, what);615 sendSuccess(handledPath, false, what);
616 return;616 return;
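Review bot: moving `++n_tries` from openFreshConnection() to handleConnOpenerAnswer() changes what the counter means (finished attempts only, no longer attempts in flight), so any limit checked against n_tries while a connection is still being opened now sees a smaller number; the new header comment says pconn reuses are counted too, but that path is not in this diff, so please confirm it increments as well. The forward_max_tries documentation change in src/cf.data.pre later in this MP describes the same semantics, which is consistent.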
diff --git a/src/HappyConnOpener.h b/src/HappyConnOpener.h
index c57c431..63e4df9 100644
--- a/src/HappyConnOpener.h
+++ b/src/HappyConnOpener.h
@@ -258,7 +258,8 @@ private:
258 /// the request that needs a to-server connection258 /// the request that needs a to-server connection
259 HttpRequestPointer cause;259 HttpRequestPointer cause;
260260
261 /// number of connection opening attempts, including those in the requestor261 /// number of our finished connection opening attempts (including pconn
262 /// reuses) plus previously finished attempts supplied by the requestor
262 int n_tries;263 int n_tries;
263264
264 /// Reason to ran out of time or attempts265 /// Reason to ran out of time or attempts
diff --git a/src/HttpHeaderTools.h b/src/HttpHeaderTools.h
index d017dfe..3720864 100644
--- a/src/HttpHeaderTools.h
+++ b/src/HttpHeaderTools.h
@@ -67,7 +67,7 @@ public:
67private:67private:
68 /// Case-insensitive std::string "less than" comparison functor.68 /// Case-insensitive std::string "less than" comparison functor.
69 /// Fast version recommended by Meyers' "Effective STL" for ASCII c-strings.69 /// Fast version recommended by Meyers' "Effective STL" for ASCII c-strings.
70 class NoCaseLessThan: public std::binary_function<std::string, std::string, bool>70 class NoCaseLessThan
71 {71 {
72 public:72 public:
73 bool operator()(const std::string &lhs, const std::string &rhs) const {73 bool operator()(const std::string &lhs, const std::string &rhs) const {
diff --git a/src/acl/RegexData.cc b/src/acl/RegexData.cc
index 91a9ba9..2be5342 100644
--- a/src/acl/RegexData.cc
+++ b/src/acl/RegexData.cc
@@ -83,6 +83,9 @@ ACLRegexData::dump() const
83static const char *83static const char *
84removeUnnecessaryWildcards(char * t)84removeUnnecessaryWildcards(char * t)
85{85{
86 if (strcmp(t, ".*") == 0) // we cannot simplify that further
87 return t; // avoid "WARNING: ... Using '.*' instead" below
88
86 char * orig = t;89 char * orig = t;
8790
88 if (strncmp(t, "^.*", 3) == 0)91 if (strncmp(t, "^.*", 3) == 0)
diff --git a/src/acl/external/SQL_session/ext_sql_session_acl.8 b/src/acl/external/SQL_session/ext_sql_session_acl.8
index 9ddf338..6a22fd7 100644
--- a/src/acl/external/SQL_session/ext_sql_session_acl.8
+++ b/src/acl/external/SQL_session/ext_sql_session_acl.8
@@ -133,7 +133,7 @@
133.\" ========================================================================133.\" ========================================================================
134.\"134.\"
135.IX Title "EXT_SQL_SESSION_ACL 8"135.IX Title "EXT_SQL_SESSION_ACL 8"
136.TH EXT_SQL_SESSION_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"136.TH EXT_SQL_SESSION_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
137.\" For nroff, turn off justification. Always turn off hyphenation; it makes137.\" For nroff, turn off justification. Always turn off hyphenation; it makes
138.\" way too many mistakes in technical documents.138.\" way too many mistakes in technical documents.
139.if n .ad l139.if n .ad l
diff --git a/src/acl/external/delayer/ext_delayer_acl.8 b/src/acl/external/delayer/ext_delayer_acl.8
index a7783de..1149322 100644
--- a/src/acl/external/delayer/ext_delayer_acl.8
+++ b/src/acl/external/delayer/ext_delayer_acl.8
@@ -133,7 +133,7 @@
133.\" ========================================================================133.\" ========================================================================
134.\"134.\"
135.IX Title "EXT_DELAYER_ACL 8"135.IX Title "EXT_DELAYER_ACL 8"
136.TH EXT_DELAYER_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"136.TH EXT_DELAYER_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
137.\" For nroff, turn off justification. Always turn off hyphenation; it makes137.\" For nroff, turn off justification. Always turn off hyphenation; it makes
138.\" way too many mistakes in technical documents.138.\" way too many mistakes in technical documents.
139.if n .ad l139.if n .ad l
diff --git a/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 b/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8
index edec6bd..5ae9af5 100644
--- a/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8
+++ b/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8
@@ -133,7 +133,7 @@
133.\" ========================================================================133.\" ========================================================================
134.\"134.\"
135.IX Title "EXT_KERBEROS_SID_GROUP_ACL 8"135.IX Title "EXT_KERBEROS_SID_GROUP_ACL 8"
136.TH EXT_KERBEROS_SID_GROUP_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"136.TH EXT_KERBEROS_SID_GROUP_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
137.\" For nroff, turn off justification. Always turn off hyphenation; it makes137.\" For nroff, turn off justification. Always turn off hyphenation; it makes
138.\" way too many mistakes in technical documents.138.\" way too many mistakes in technical documents.
139.if n .ad l139.if n .ad l
diff --git a/src/acl/external/session/ext_session_acl.cc b/src/acl/external/session/ext_session_acl.cc
index ba21b6e..d6ee15e 100644
--- a/src/acl/external/session/ext_session_acl.cc
+++ b/src/acl/external/session/ext_session_acl.cc
@@ -197,13 +197,19 @@ copyValue(void *dst, const DB_ENTRY *src, size_t sz)
197static int session_active(const char *details, size_t len)197static int session_active(const char *details, size_t len)
198{198{
199#if USE_BERKLEYDB199#if USE_BERKLEYDB
200 DBT key = {0};200 DBT key = {};
201 DBT data = {0};201 key.data = const_cast<char*>(details);
202 key.data = (void *)details;
203 key.size = len;202 key.size = len;
203
204 DBT data = {};
204#elif USE_TRIVIALDB205#elif USE_TRIVIALDB
205 TDB_DATA key;206 TDB_DATA key = {};
206 TDB_DATA data;207 key.dptr = reinterpret_cast<decltype(key.dptr)>(const_cast<char*>(details));
208 key.dsize = len;
209
210 TDB_DATA data = {};
211#else
212 (void)len;
207#endif213#endif
208 if (fetchKey(key, &data)) {214 if (fetchKey(key, &data)) {
209 time_t timestamp;215 time_t timestamp;
diff --git a/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 b/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8
index 9113719..7506e2f 100644
--- a/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8
+++ b/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8
@@ -133,7 +133,7 @@
133.\" ========================================================================133.\" ========================================================================
134.\"134.\"
135.IX Title "EXT_WBINFO_GROUP_ACL 8"135.IX Title "EXT_WBINFO_GROUP_ACL 8"
136.TH EXT_WBINFO_GROUP_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"136.TH EXT_WBINFO_GROUP_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
137.\" For nroff, turn off justification. Always turn off hyphenation; it makes137.\" For nroff, turn off justification. Always turn off hyphenation; it makes
138.\" way too many mistakes in technical documents.138.\" way too many mistakes in technical documents.
139.if n .ad l139.if n .ad l
diff --git a/src/auth/basic/DB/basic_db_auth.8 b/src/auth/basic/DB/basic_db_auth.8
index 07ffc10..a180993 100644
--- a/src/auth/basic/DB/basic_db_auth.8
+++ b/src/auth/basic/DB/basic_db_auth.8
@@ -133,7 +133,7 @@
133.\" ========================================================================133.\" ========================================================================
134.\"134.\"
135.IX Title "BASIC_DB_AUTH 8"135.IX Title "BASIC_DB_AUTH 8"
136.TH BASIC_DB_AUTH 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"136.TH BASIC_DB_AUTH 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
137.\" For nroff, turn off justification. Always turn off hyphenation; it makes137.\" For nroff, turn off justification. Always turn off hyphenation; it makes
138.\" way too many mistakes in technical documents.138.\" way too many mistakes in technical documents.
139.if n .ad l139.if n .ad l
diff --git a/src/auth/basic/POP3/basic_pop3_auth.8 b/src/auth/basic/POP3/basic_pop3_auth.8
index 85bd803..ddf8057 100644
--- a/src/auth/basic/POP3/basic_pop3_auth.8
+++ b/src/auth/basic/POP3/basic_pop3_auth.8
@@ -133,7 +133,7 @@
133.\" ========================================================================133.\" ========================================================================
134.\"134.\"
135.IX Title "BASIC_POP3_AUTH 8"135.IX Title "BASIC_POP3_AUTH 8"
136.TH BASIC_POP3_AUTH 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"136.TH BASIC_POP3_AUTH 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
137.\" For nroff, turn off justification. Always turn off hyphenation; it makes137.\" For nroff, turn off justification. Always turn off hyphenation; it makes
138.\" way too many mistakes in technical documents.138.\" way too many mistakes in technical documents.
139.if n .ad l139.if n .ad l
diff --git a/src/base/EnumIterator.h b/src/base/EnumIterator.h
index 5d88100..96cb826 100644
--- a/src/base/EnumIterator.h
+++ b/src/base/EnumIterator.h
@@ -20,7 +20,7 @@
20 * \see EnumIterator, ReverseEnumIterator20 * \see EnumIterator, ReverseEnumIterator
21 */21 */
22template <typename EnumType>22template <typename EnumType>
23class EnumIteratorBase : public std::iterator<std::bidirectional_iterator_tag, EnumType>23class EnumIteratorBase
24{24{
25protected:25protected:
26#if HAVE_STD_UNDERLYING_TYPE26#if HAVE_STD_UNDERLYING_TYPE
@@ -30,6 +30,12 @@ protected:
30#endif30#endif
3131
32public:32public:
33 using iterator_category = std::bidirectional_iterator_tag;
34 using value_type = EnumType;
35 using difference_type = std::ptrdiff_t;
36 using pointer = EnumType *;
37 using reference = EnumType &;
38
33 explicit EnumIteratorBase(EnumType e) : current(static_cast<iterator_type>(e)) {}39 explicit EnumIteratorBase(EnumType e) : current(static_cast<iterator_type>(e)) {}
3440
35 bool operator==(const EnumIteratorBase &i) const {41 bool operator==(const EnumIteratorBase &i) const {
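Review bot: with `std::iterator` gone as a base class, the header no longer has a guaranteed route to `<iterator>`, and the new `std::ptrdiff_t` typedef needs `<cstddef>`; neither include is visible in this hunk, so check that the top of EnumIterator.h pulls them in directly rather than transitively, otherwise the build depends on include order. The five explicit typedefs match what std::iterator<std::bidirectional_iterator_tag, EnumType> used to provide, so behaviour is unchanged.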
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index cb746dc..1bae8d3 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -720,7 +720,7 @@ configDoConfigure(void)
720 * the extra space is for loop detection in client_side.c -- we search720 * the extra space is for loop detection in client_side.c -- we search
721 * for substrings in the Via header.721 * for substrings in the Via header.
722 */722 */
723 snprintf(ThisCache2, sizeof(ThisCache), " %s (%s)",723 snprintf(ThisCache2, sizeof(ThisCache2), " %s (%s)",
724 uniqueHostname(),724 uniqueHostname(),
725 visible_appname_string);725 visible_appname_string);
726726
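Review bot: `snprintf(ThisCache2, sizeof(ThisCache2), ...)` corrects a size argument that named the wrong buffer; if ThisCache2 is ever smaller than ThisCache this was a write bounded by the wrong limit, so it deserves a mention in debian/changelog even though upstream treats it as a minor fix. A shared size constant or a static assertion tying the two buffers together would stop the pair from drifting again.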
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 48f3e13..ee8c720 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1036,7 +1036,7 @@ DEFAULT: ssl::certUntrusted ssl_error X509_V_ERR_INVALID_CA X509_V_ERR_SELF_SIGN
1036DEFAULT: ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT1036DEFAULT: ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
1037ENDIF1037ENDIF
1038DEFAULT: all src all1038DEFAULT: all src all
1039DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/1039DEFAULT: manager url_regex -i ^cache_object:// +i ^[^:]+://[^/]+/squid-internal-mgr/
1040DEFAULT: localhost src 127.0.0.1/32 ::11040DEFAULT: localhost src 127.0.0.1/32 ::1
1041DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1/128 ::/1281041DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1/128 ::/128
1042DEFAULT: CONNECT method CONNECT1042DEFAULT: CONNECT method CONNECT
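Review bot: this is the upstream form of the CVE-2022-41317 fix that the deleted debian/patches/CVE-2022-41317.patch carried: `^[^:]+://[^/]+/squid-internal-mgr/` matches the manager path under any scheme, not only http(s), which is the property that keeps cache-manager requests behind the `manager` ACL; confirm that 90-cf.data.ubuntu.patch (still in series) does not reintroduce the older `^https?://` form on top of this default.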
@@ -3049,6 +3049,8 @@ DEFAULT: none
3049DOC_START3049DOC_START
3050 The OpenSSL engine to use. You will need to set this if you3050 The OpenSSL engine to use. You will need to set this if you
3051 would like to use hardware SSL acceleration for example.3051 would like to use hardware SSL acceleration for example.
3052
3053 Not supported in builds with OpenSSL 3.0 or newer.
3052DOC_END3054DOC_END
30533055
3054NAME: sslproxy_session_ttl3056NAME: sslproxy_session_ttl
@@ -4004,8 +4006,10 @@ DOC_START
4004 For the purpose of this limit, Squid counts all high-level request4006 For the purpose of this limit, Squid counts all high-level request
4005 forwarding attempts, including any same-destination retries after4007 forwarding attempts, including any same-destination retries after
4006 certain persistent connection failures and any attempts to use a4008 certain persistent connection failures and any attempts to use a
4007 different peer. However, low-level connection reopening attempts4009 different peer. However, these low-level attempts are not counted:
4008 (enabled using connect_retries) are not counted.4010 * connection reopening attempts (enabled using connect_retries)
4011 * unfinished Happy Eyeballs connection attempts (prevented by setting
4012 happy_eyeballs_connect_limit to 0)
40094013
4010 See also: forward_timeout and connect_retries.4014 See also: forward_timeout and connect_retries.
4011DOC_END4015DOC_END
diff --git a/src/cf_gen.cc b/src/cf_gen.cc
index 3d33f9e..b72642c 100644
--- a/src/cf_gen.cc
+++ b/src/cf_gen.cc
@@ -378,7 +378,6 @@ main(int argc, char *argv[])
378 } else if (!strcmp(buff, "NOCOMMENT_START")) {378 } else if (!strcmp(buff, "NOCOMMENT_START")) {
379 state = sNOCOMMENT;379 state = sNOCOMMENT;
380 } else { // if (buff != NULL) {380 } else { // if (buff != NULL) {
381 assert(buff != NULL);
382 entries.back().doc.push_back(buff);381 entries.back().doc.push_back(buff);
383 }382 }
384 break;383 break;
@@ -387,7 +386,6 @@ main(int argc, char *argv[])
387 if (!strcmp(buff, "NOCOMMENT_END")) {386 if (!strcmp(buff, "NOCOMMENT_END")) {
388 state = sDOC;387 state = sDOC;
389 } else { // if (buff != NULL) {388 } else { // if (buff != NULL) {
390 assert(buff != NULL);
391 entries.back().nocomment.push_back(buff);389 entries.back().nocomment.push_back(buff);
392 }390 }
393 break;391 break;
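Review bot: removing `assert(buff != NULL)` in both branches is harmless only because the surrounding `} else { // if (buff != NULL) {` comment records that buff cannot be null at this point; since that comment now carries the whole invariant, consider rewording it to state the guarantee explicitly rather than leaving a commented-out condition.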
diff --git a/src/fs/ufs/RebuildState.cc b/src/fs/ufs/RebuildState.cc
index bc8d181..1af6e41 100644
--- a/src/fs/ufs/RebuildState.cc
+++ b/src/fs/ufs/RebuildState.cc
@@ -44,8 +44,6 @@ Fs::Ufs::RebuildState::RebuildState(RefCount<UFSSwapDir> aSwapDir) :
44 _done(false),44 _done(false),
45 cbdata(NULL)45 cbdata(NULL)
46{46{
47 *fullpath = 0;
48 *fullfilename = 0;
4947
50 /*48 /*
51 * If the swap.state file exists in the cache_dir, then49 * If the swap.state file exists in the cache_dir, then
@@ -379,14 +377,14 @@ Fs::Ufs::RebuildState::getNextFile(sfileno * filn_p, int *)
379 }377 }
380378
381 if (0 == in_dir) { /* we need to read in a new directory */379 if (0 == in_dir) { /* we need to read in a new directory */
382 snprintf(fullpath, sizeof(fullpath), "%s/%02X/%02X",380 fullpath.Printf("%s/%02X/%02X",
383 sd->path,381 sd->path,
384 curlvl1, curlvl2);382 curlvl1, curlvl2);
385383
386 if (dirs_opened)384 if (dirs_opened)
387 return -1;385 return -1;
388386
389 td = opendir(fullpath);387 td = opendir(fullpath.c_str());
390388
391 ++dirs_opened;389 ++dirs_opened;
392390
@@ -425,10 +423,10 @@ Fs::Ufs::RebuildState::getNextFile(sfileno * filn_p, int *)
425 continue;423 continue;
426 }424 }
427425
428 snprintf(fullfilename, sizeof(fullfilename), "%s/%s",426 fullfilename.Printf(SQUIDSBUFPH "/%s",
429 fullpath, entry->d_name);427 SQUIDSBUFPRINT(fullpath), entry->d_name);
430 debugs(47, 3, HERE << "Opening " << fullfilename);428 debugs(47, 3, "Opening " << fullfilename);
431 fd = file_open(fullfilename, O_RDONLY | O_BINARY);429 fd = file_open(fullfilename.c_str(), O_RDONLY | O_BINARY);
432430
433 if (fd < 0) {431 if (fd < 0) {
434 int xerrno = errno;432 int xerrno = errno;
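Review bot: replacing the fixed `char fullpath[MAXPATHLEN]` and `fullfilename[MAXPATHLEN*2]` buffers with SBuf and `Printf()` removes the silent snprintf truncation for long cache_dir paths, which could previously make getNextFile() open a path other than the one intended; since SBuf grows on demand there is no remaining size bound to keep in sync. The `SQUIDSBUFPH` / `SQUIDSBUFPRINT(fullpath)` pair is the right way to print one SBuf into another without a temporary c_str(), and `opendir(fullpath.c_str())` is fine as long as fullpath is not modified between the Printf() and the call.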
diff --git a/src/fs/ufs/RebuildState.h b/src/fs/ufs/RebuildState.h
index d9c6f91..203c65e 100644
--- a/src/fs/ufs/RebuildState.h
+++ b/src/fs/ufs/RebuildState.h
@@ -53,8 +53,8 @@ public:
5353
54 dirent_t *entry;54 dirent_t *entry;
55 DIR *td;55 DIR *td;
56 char fullpath[MAXPATHLEN];56 SBuf fullpath;
57 char fullfilename[MAXPATHLEN*2];57 SBuf fullfilename;
5858
59 StoreRebuildData counts;59 StoreRebuildData counts;
6060
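Review bot: the two members change from `char[MAXPATHLEN]` arrays to `SBuf`, but this hunk does not show `#include "sbuf/SBuf.h"` being added to RebuildState.h; if the header currently compiles only because of a transitive include, add the direct one so the header stays self-contained.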
diff --git a/src/http/url_rewriters/LFS/url_lfs_rewrite.8 b/src/http/url_rewriters/LFS/url_lfs_rewrite.8
index 6f1ca62..a5f7485 100644
--- a/src/http/url_rewriters/LFS/url_lfs_rewrite.8
+++ b/src/http/url_rewriters/LFS/url_lfs_rewrite.8
@@ -133,7 +133,7 @@
133.\" ========================================================================133.\" ========================================================================
134.\"134.\"
135.IX Title "URL_LFS_REWRITE 8"135.IX Title "URL_LFS_REWRITE 8"
136.TH URL_LFS_REWRITE 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"136.TH URL_LFS_REWRITE 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
137.\" For nroff, turn off justification. Always turn off hyphenation; it makes137.\" For nroff, turn off justification. Always turn off hyphenation; it makes
138.\" way too many mistakes in technical documents.138.\" way too many mistakes in technical documents.
139.if n .ad l139.if n .ad l
diff --git a/src/log/DB/log_db_daemon.8 b/src/log/DB/log_db_daemon.8
index f1aaf9b..63fd886 100644
--- a/src/log/DB/log_db_daemon.8
+++ b/src/log/DB/log_db_daemon.8
@@ -133,7 +133,7 @@
133.\" ========================================================================133.\" ========================================================================
134.\"134.\"
135.IX Title "LOG_DB_DAEMON 8"135.IX Title "LOG_DB_DAEMON 8"
136.TH LOG_DB_DAEMON 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"136.TH LOG_DB_DAEMON 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
137.\" For nroff, turn off justification. Always turn off hyphenation; it makes137.\" For nroff, turn off justification. Always turn off hyphenation; it makes
138.\" way too many mistakes in technical documents.138.\" way too many mistakes in technical documents.
139.if n .ad l139.if n .ad l
diff --git a/src/main.cc b/src/main.cc
index 080e71a..a55d9ed 100644
--- a/src/main.cc
+++ b/src/main.cc
@@ -679,8 +679,10 @@ mainHandleCommandLineOption(const int optId, const char *optValue)
679 printf("%s\n",SQUID_BUILD_INFO);679 printf("%s\n",SQUID_BUILD_INFO);
680#if USE_OPENSSL680#if USE_OPENSSL
681 printf("\nThis binary uses %s. ", OpenSSL_version(OPENSSL_VERSION));681 printf("\nThis binary uses %s. ", OpenSSL_version(OPENSSL_VERSION));
682#if OPENSSL_VERSION_MAJOR < 3
682 printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n");683 printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n");
683#endif684#endif
685#endif
684 printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS);686 printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS);
685687
686#if USE_WIN32_SERVICE688#if USE_WIN32_SERVICE
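Review bot: `#if OPENSSL_VERSION_MAJOR < 3` relies on the macro being undefined (and therefore 0) in OpenSSL 1.x builds, where it does not exist; that works, but `#if !defined(OPENSSL_VERSION_MAJOR) || OPENSSL_VERSION_MAJOR < 3` (or a test on OPENSSL_VERSION_NUMBER, which both generations define) states the intent and survives `-Wundef`. The same pattern recurs in ServerOptions.cc, forward.h, gadgets.cc and support.cc in this diff, so a single helper macro in compat/openssl.h would keep it in one place.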
diff --git a/src/sbuf/SBuf.h b/src/sbuf/SBuf.h
index ac98137..964d8fb 100644
--- a/src/sbuf/SBuf.h
+++ b/src/sbuf/SBuf.h
@@ -45,9 +45,16 @@ class CharacterSet;
45 * Please note that any operation on the underlying SBuf may invalidate45 * Please note that any operation on the underlying SBuf may invalidate
46 * all iterators over it, resulting in undefined behavior by them.46 * all iterators over it, resulting in undefined behavior by them.
47 */47 */
48class SBufIterator : public std::iterator<std::input_iterator_tag, char>48class SBufIterator
49{49{
50public:50public:
51 // iterator traits
52 using iterator_category = std::input_iterator_tag;
53 using value_type = char;
54 using difference_type = std::ptrdiff_t;
55 using pointer = char*;
56 using reference = char&;
57
51 friend class SBuf;58 friend class SBuf;
52 typedef MemBlob::size_type size_type;59 typedef MemBlob::size_type size_type;
53 bool operator==(const SBufIterator &s) const;60 bool operator==(const SBufIterator &s) const;
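Review bot: the five trait aliases are the right replacement for the `std::iterator<std::input_iterator_tag, char>` base deprecated in C++17, but `difference_type = std::ptrdiff_t` needs `<cstddef>` and the tag still needs `<iterator>`; neither include is visible in this hunk, and the removed base may have been what pulled them in, so confirm both are included directly. Also, `reference = char&` is only accurate if `operator*` returns by reference; if it returns a `char` by value, as an input iterator may, declaring `reference = char` avoids misleading algorithms that inspect the trait.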
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index 679f968..b61280a 100644
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -293,134 +293,134 @@ Security::PeerOptions::createClientContext(bool setOptions)
293/// set of options we can parse and what they map to293/// set of options we can parse and what they map to
294static struct ssl_option {294static struct ssl_option {
295 const char *name;295 const char *name;
296 long value;296 Security::ParsedOptions value;
297297
298} ssl_options[] = {298} ssl_options[] = {
299299
300#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG300#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
301 {301 {
302 "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG302 "NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
303 },303 },
304#endif304#endif
305#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG305#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
306 {306 {
307 "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG307 "SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
308 },308 },
309#endif309#endif
310#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER310#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
311 {311 {
312 "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER312 "MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
313 },313 },
314#endif314#endif
315#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG315#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
316 {316 {
317 "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG317 "SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG
318 },318 },
319#endif319#endif
320#if SSL_OP_TLS_D5_BUG320#if defined(SSL_OP_TLS_D5_BUG)
321 {321 {
322 "TLS_D5_BUG", SSL_OP_TLS_D5_BUG322 "TLS_D5_BUG", SSL_OP_TLS_D5_BUG
323 },323 },
324#endif324#endif
325#if SSL_OP_TLS_BLOCK_PADDING_BUG325#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
326 {326 {
327 "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG327 "TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG
328 },328 },
329#endif329#endif
330#if SSL_OP_TLS_ROLLBACK_BUG330#if defined(SSL_OP_TLS_ROLLBACK_BUG)
331 {331 {
332 "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG332 "TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG
333 },333 },
334#endif334#endif
335#if SSL_OP_ALL335#if defined(SSL_OP_ALL)
336 {336 {
337 "ALL", (long)SSL_OP_ALL337 "ALL", SSL_OP_ALL
338 },338 },
339#endif339#endif
340#if SSL_OP_SINGLE_DH_USE340#if defined(SSL_OP_SINGLE_DH_USE)
341 {341 {
342 "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE342 "SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE
343 },343 },
344#endif344#endif
345#if SSL_OP_EPHEMERAL_RSA345#if defined(SSL_OP_EPHEMERAL_RSA)
346 {346 {
347 "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA347 "EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA
348 },348 },
349#endif349#endif
350#if SSL_OP_PKCS1_CHECK_1350#if defined(SSL_OP_PKCS1_CHECK_1)
351 {351 {
352 "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1352 "PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1
353 },353 },
354#endif354#endif
355#if SSL_OP_PKCS1_CHECK_2355#if defined(SSL_OP_PKCS1_CHECK_2)
356 {356 {
357 "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2357 "PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2
358 },358 },
359#endif359#endif
360#if SSL_OP_NETSCAPE_CA_DN_BUG360#if defined(SSL_OP_NETSCAPE_CA_DN_BUG)
361 {361 {
362 "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG362 "NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG
363 },363 },
364#endif364#endif
365#if SSL_OP_NON_EXPORT_FIRST365#if defined(SSL_OP_NON_EXPORT_FIRST)
366 {366 {
367 "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST367 "NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST
368 },368 },
369#endif369#endif
370#if SSL_OP_CIPHER_SERVER_PREFERENCE370#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
371 {371 {
372 "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE372 "CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE
373 },373 },
374#endif374#endif
375#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG375#if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
376 {376 {
377 "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG377 "NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
378 },378 },
379#endif379#endif
380#if SSL_OP_NO_SSLv3380#if defined(SSL_OP_NO_SSLv3)
381 {381 {
382 "NO_SSLv3", SSL_OP_NO_SSLv3382 "NO_SSLv3", SSL_OP_NO_SSLv3
383 },383 },
384#endif384#endif
385#if SSL_OP_NO_TLSv1385#if defined(SSL_OP_NO_TLSv1)
386 {386 {
387 "NO_TLSv1", SSL_OP_NO_TLSv1387 "NO_TLSv1", SSL_OP_NO_TLSv1
388 },388 },
389#else389#else
390 { "NO_TLSv1", 0 },390 { "NO_TLSv1", 0 },
391#endif391#endif
392#if SSL_OP_NO_TLSv1_1392#if defined(SSL_OP_NO_TLSv1_1)
393 {393 {
394 "NO_TLSv1_1", SSL_OP_NO_TLSv1_1394 "NO_TLSv1_1", SSL_OP_NO_TLSv1_1
395 },395 },
396#else396#else
397 { "NO_TLSv1_1", 0 },397 { "NO_TLSv1_1", 0 },
398#endif398#endif
399#if SSL_OP_NO_TLSv1_2399#if defined(SSL_OP_NO_TLSv1_2)
400 {400 {
401 "NO_TLSv1_2", SSL_OP_NO_TLSv1_2401 "NO_TLSv1_2", SSL_OP_NO_TLSv1_2
402 },402 },
403#else403#else
404 { "NO_TLSv1_2", 0 },404 { "NO_TLSv1_2", 0 },
405#endif405#endif
406#if SSL_OP_NO_TLSv1_3406#if defined(SSL_OP_NO_TLSv1_3)
407 {407 {
408 "NO_TLSv1_3", SSL_OP_NO_TLSv1_3408 "NO_TLSv1_3", SSL_OP_NO_TLSv1_3
409 },409 },
410#else410#else
411 { "NO_TLSv1_3", 0 },411 { "NO_TLSv1_3", 0 },
412#endif412#endif
413#if SSL_OP_NO_COMPRESSION413#if defined(SSL_OP_NO_COMPRESSION)
414 {414 {
415 "No_Compression", SSL_OP_NO_COMPRESSION415 "No_Compression", SSL_OP_NO_COMPRESSION
416 },416 },
417#endif417#endif
418#if SSL_OP_NO_TICKET418#if defined(SSL_OP_NO_TICKET)
419 {419 {
420 "NO_TICKET", SSL_OP_NO_TICKET420 "NO_TICKET", SSL_OP_NO_TICKET
421 },421 },
422#endif422#endif
423#if SSL_OP_SINGLE_ECDH_USE423#if defined(SSL_OP_SINGLE_ECDH_USE)
424 {424 {
425 "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE425 "SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE
426 },426 },
@@ -455,7 +455,7 @@ Security::PeerOptions::parseOptions()
455455
456#if USE_OPENSSL456#if USE_OPENSSL
457 ::Parser::Tokenizer tok(str);457 ::Parser::Tokenizer tok(str);
458 long op = 0;458 ParsedOptions op = 0;
459459
460 while (!tok.atEnd()) {460 while (!tok.atEnd()) {
461 enum {461 enum {
@@ -472,7 +472,8 @@ Security::PeerOptions::parseOptions()
472 static const CharacterSet optChars = CharacterSet("TLS-option", "_") + CharacterSet::ALPHA + CharacterSet::DIGIT;472 static const CharacterSet optChars = CharacterSet("TLS-option", "_") + CharacterSet::ALPHA + CharacterSet::DIGIT;
473 int64_t hex = 0;473 int64_t hex = 0;
474 SBuf option;474 SBuf option;
475 long value = 0;475 ParsedOptions value = 0;
476 bool found = false;
476477
477 // Bug 4429: identify the full option name before determining text or numeric478 // Bug 4429: identify the full option name before determining text or numeric
478 if (tok.prefix(option, optChars)) {479 if (tok.prefix(option, optChars)) {
@@ -481,14 +482,16 @@ Security::PeerOptions::parseOptions()
481 for (struct ssl_option *opttmp = ssl_options; opttmp->name; ++opttmp) {482 for (struct ssl_option *opttmp = ssl_options; opttmp->name; ++opttmp) {
482 if (option.cmp(opttmp->name) == 0) {483 if (option.cmp(opttmp->name) == 0) {
483 value = opttmp->value;484 value = opttmp->value;
485 found = true;
484 break;486 break;
485 }487 }
486 }488 }
487489
488 // Special case.. hex specification490 // Special case.. hex specification
489 ::Parser::Tokenizer tmp(option);491 ::Parser::Tokenizer tmp(option);
490 if (!value && tmp.int64(hex, 16, false) && tmp.atEnd()) {492 if (!found && tmp.int64(hex, 16, false) && tmp.atEnd()) {
491 value = hex;493 value = hex;
494 found = true;
492 }495 }
493 }496 }
494497
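Review bot: `value = hex` assigns the `int64_t` produced by `tmp.int64(hex, 16, false)` to the unsigned 64-bit `value`, so a numeric option with the top bit set (`8000000000000000`) cannot be expressed even though ParsedOptions is now uint64_t; unlikely to matter in practice, but worth a comment here or a note in the tls-options documentation. Setting `found = true` for a parsed hex value of 0 means `tls-options=0` appears to reach the "Unsupported" message below rather than being treated as unknown, which is the better of the two outcomes.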
@@ -502,7 +505,7 @@ Security::PeerOptions::parseOptions()
502 break;505 break;
503 }506 }
504 } else {507 } else {
505 debugs(83, DBG_PARSE_NOTE(1), "ERROR: Unknown TLS option " << option);508 debugs(83, DBG_PARSE_NOTE(DBG_IMPORTANT), "ERROR: " << (found?"Unsupported":"Unknown") << " TLS option " << option);
506 }509 }
507510
508 static const CharacterSet delims("TLS-option-delim",":,");511 static const CharacterSet delims("TLS-option-delim",":,");
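Review bot: both branches log at ERROR level, but "Unsupported" here means the name matched a table entry whose value is 0 in this OpenSSL build, i.e. an option the library no longer implements (SINGLE_DH_USE and the old NETSCAPE/SSLEAY workarounds have been 0 since 1.1.0). Operators carrying such names forward in `tls-options` from an older configuration are better served by a WARNING that says the option is ignored than by an ERROR that reads like a typo; consider splitting the two cases.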
@@ -512,9 +515,10 @@ Security::PeerOptions::parseOptions()
512515
513 }516 }
514517
515#if SSL_OP_NO_SSLv2518#if defined(SSL_OP_NO_SSLv2)
516 // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0519 // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
517 op = op | SSL_OP_NO_SSLv2;520 if (SSL_OP_NO_SSLv2)
521 op |= SSL_OP_NO_SSLv2;
518#endif522#endif
519 parsedOptions = op;523 parsedOptions = op;
520524
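Review bot: `if (SSL_OP_NO_SSLv2)` tests a compile-time constant at run time; in OpenSSL 1.1 and later the macro is defined as 0 because SSLv2 is gone from the library, so the branch is never taken there and RFC 6176 is satisfied by the library itself. If the `if` exists only to avoid an `op |= 0` warning, say so in a comment; otherwise `#if defined(SSL_OP_NO_SSLv2) && SSL_OP_NO_SSLv2` keeps the decision in the preprocessor like the rest of the file.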
diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
index e96869c..a5ddb43 100644
--- a/src/security/ServerOptions.cc
+++ b/src/security/ServerOptions.cc
@@ -10,8 +10,10 @@
10#include "anyp/PortCfg.h"10#include "anyp/PortCfg.h"
11#include "base/Packable.h"11#include "base/Packable.h"
12#include "cache_cf.h"12#include "cache_cf.h"
13#include "error/SysErrorDetail.h"
13#include "fatal.h"14#include "fatal.h"
14#include "globals.h"15#include "globals.h"
16#include "security/Io.h"
15#include "security/ServerOptions.h"17#include "security/ServerOptions.h"
16#include "security/Session.h"18#include "security/Session.h"
17#include "SquidConfig.h"19#include "SquidConfig.h"
@@ -19,6 +21,9 @@
19#include "compat/openssl.h"21#include "compat/openssl.h"
20#include "ssl/support.h"22#include "ssl/support.h"
2123
24#if HAVE_OPENSSL_DECODER_H
25#include <openssl/decoder.h>
26#endif
22#if HAVE_OPENSSL_ERR_H27#if HAVE_OPENSSL_ERR_H
23#include <openssl/err.h>28#include <openssl/err.h>
24#endif29#endif
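Review bot: `<openssl/decoder.h>` is included under HAVE_OPENSSL_DECODER_H, while the code further down that calls OSSL_DECODER_CTX_new_for_pkey() is compiled under the `#else` of `OPENSSL_VERSION_MAJOR < 3`. If the configure check for the header fails or is skipped on an OpenSSL 3 build, the decoder calls fail to compile with an unhelpful error; either key both on the same macro or add an `#error` when OpenSSL 3 is detected without the header.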
@@ -352,11 +357,20 @@ Security::ServerOptions::loadDhParams()
352 if (dhParamsFile.isEmpty())357 if (dhParamsFile.isEmpty())
353 return;358 return;
354359
360 // TODO: After loading and validating parameters, also validate that "the
361 // public and private components have the correct mathematical
362 // relationship". See EVP_PKEY_check().
363
355#if USE_OPENSSL364#if USE_OPENSSL
365#if OPENSSL_VERSION_MAJOR < 3
356 DH *dhp = nullptr;366 DH *dhp = nullptr;
357 if (FILE *in = fopen(dhParamsFile.c_str(), "r")) {367 if (FILE *in = fopen(dhParamsFile.c_str(), "r")) {
358 dhp = PEM_read_DHparams(in, NULL, NULL, NULL);368 dhp = PEM_read_DHparams(in, NULL, NULL, NULL);
359 fclose(in);369 fclose(in);
370 } else {
371 const auto xerrno = errno;
372 debugs(83, DBG_IMPORTANT, "WARNING: Failed to open '" << dhParamsFile << "'" << xstrerr(xerrno));
373 return;
360 }374 }
361375
362 if (!dhp) {376 if (!dhp) {
@@ -374,7 +388,73 @@ Security::ServerOptions::loadDhParams()
374 }388 }
375389
376 parsedDhParams.resetWithoutLocking(dhp);390 parsedDhParams.resetWithoutLocking(dhp);
391
392#else // OpenSSL 3.0+
393 const auto type = eecdhCurve.isEmpty() ? "DH" : "EC";
394
395 Security::ForgetErrors();
396 EVP_PKEY *rawPkey = nullptr;
397 using DecoderContext = std::unique_ptr<OSSL_DECODER_CTX, HardFun<void, OSSL_DECODER_CTX*, &OSSL_DECODER_CTX_free> >;
398 if (const DecoderContext dctx{OSSL_DECODER_CTX_new_for_pkey(&rawPkey, "PEM", nullptr, type, 0, nullptr, nullptr)}) {
399
400 // OpenSSL documentation is vague on this, but OpenSSL code and our
401 // tests suggest that rawPkey remains nil here while rawCtx keeps
402 // rawPkey _address_ for use by the decoder (see OSSL_DECODER_from_fp()
403 // below). Thus, we must not move *rawPkey into a smart pointer until
404 // decoding is over. For cleanup code simplicity, we assert nil rawPkey.
405 assert(!rawPkey);
406
407 if (OSSL_DECODER_CTX_get_num_decoders(dctx.get()) == 0) {
408 auto ssl_error = ERR_get_error();
409 debugs(83, DBG_IMPORTANT, "WARNING: No suitable decoders found for " << type << " parameters. " << Security::ErrorString(ssl_error));
410 return;
411 }
412
413 if (const auto in = fopen(dhParamsFile.c_str(), "r")) {
414 if (OSSL_DECODER_from_fp(dctx.get(), in)) {
415 assert(rawPkey);
416 const Security::DhePointer pkey(rawPkey);
417 // TODO: verify that the loaded parameters match the curve named in eecdhCurve
418
419 if (const Ssl::EVP_PKEY_CTX_Pointer pkeyCtx{EVP_PKEY_CTX_new_from_pkey(nullptr, pkey.get(), nullptr)}) {
420 switch (EVP_PKEY_param_check(pkeyCtx.get())) {
421 case 1: // success
422 parsedDhParams = pkey;
423 break;
424 case -2: {
425 auto ssl_error = ERR_get_error();
426 debugs(83, DBG_PARSE_NOTE(2), "WARNING: OpenSSL does not support " << type << " parameters check: " << dhParamsFile << ". " << Security::ErrorString(ssl_error));
427 }
428 break;
429 default: {
430 auto ssl_error = ERR_get_error();
431 debugs(83, DBG_IMPORTANT, "ERROR: Failed to verify " << type << " parameters in " << dhParamsFile << ". " << Security::ErrorString(ssl_error));
432 }
433 break;
434 }
435 } else {
436 // TODO: Reduce error reporting code duplication.
437 auto ssl_error = ERR_get_error();
438 debugs(83, DBG_IMPORTANT, "ERROR: Cannot check " << type << " parameters in " << dhParamsFile << ". " << Security::ErrorString(ssl_error));
439 }
440 } else {
441 auto ssl_error = ERR_get_error();
442 debugs(83, DBG_IMPORTANT, "WARNING: Failed to decode " << type << " parameters '" << dhParamsFile << "'. " << Security::ErrorString(ssl_error));
443 EVP_PKEY_free(rawPkey); // probably still nil, but just in case
444 }
445 fclose(in);
446 } else {
447 const auto xerrno = errno;
448 debugs(83, DBG_IMPORTANT, "WARNING: Failed to open '" << dhParamsFile << "'" << xstrerr(xerrno));
449 }
450
451 } else {
452 auto ssl_error = ERR_get_error();
453 debugs(83, DBG_IMPORTANT, "WARNING: Unable to create decode context for " << type << " parameters. " << Security::ErrorString(ssl_error));
454 return;
455 }
377#endif456#endif
457#endif // USE_OPENSSL
378}458}
379459
380bool460bool
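Review bot: in the `EVP_PKEY_param_check()` switch, the -2 ("check not supported") case neither stores `pkey` nor reports at a level operators see (DBG_PARSE_NOTE(2) WARNING), so the configured tls-dh parameters are silently discarded on such builds; the pre-3.0 branch stored parameters without any check, so either keep that behaviour for -2 (`parsedDhParams = pkey;`) or raise the message to DBG_IMPORTANT and state that the parameters are being ignored. Two smaller points: the decoder type is derived from `eecdhCurve` ("EC" when a curve is set, "DH" otherwise) rather than from the file, so a configuration that names a curve together with a file of DH parameters appears to hand DH PEM to an EC-only decoder and fail at "Failed to decode EC parameters"; the TODO at line 417 should cover that case before this ships. And the "Failed to open" message here has the same missing separator before `xstrerr(xerrno)` as the pre-3.0 branch.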
@@ -452,12 +532,16 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
452 debugs(83, 9, "Setting Ephemeral ECDH curve to " << eecdhCurve << ".");532 debugs(83, 9, "Setting Ephemeral ECDH curve to " << eecdhCurve << ".");
453533
454#if USE_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH)534#if USE_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH)
535
536 Security::ForgetErrors();
537
455 int nid = OBJ_sn2nid(eecdhCurve.c_str());538 int nid = OBJ_sn2nid(eecdhCurve.c_str());
456 if (!nid) {539 if (!nid) {
457 debugs(83, DBG_CRITICAL, "ERROR: Unknown EECDH curve '" << eecdhCurve << "'");540 debugs(83, DBG_CRITICAL, "ERROR: Unknown EECDH curve '" << eecdhCurve << "'");
458 return;541 return;
459 }542 }
460543
544#if OPENSSL_VERSION_MAJOR < 3
461 auto ecdh = EC_KEY_new_by_curve_name(nid);545 auto ecdh = EC_KEY_new_by_curve_name(nid);
462 if (!ecdh) {546 if (!ecdh) {
463 const auto x = ERR_get_error();547 const auto x = ERR_get_error();
@@ -472,6 +556,14 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
472 EC_KEY_free(ecdh);556 EC_KEY_free(ecdh);
473557
474#else558#else
559 // TODO: Support multiple group names via SSL_CTX_set1_groups_list().
560 if (!SSL_CTX_set1_groups(ctx.get(), &nid, 1)) {
561 auto ssl_error = ERR_get_error();
562 debugs(83, DBG_CRITICAL, "ERROR: Unable to set Ephemeral ECDH: " << Security::ErrorString(ssl_error));
563 return;
564 }
565#endif
566#else
475 debugs(83, DBG_CRITICAL, "ERROR: EECDH is not available in this build." <<567 debugs(83, DBG_CRITICAL, "ERROR: EECDH is not available in this build." <<
476 " Please link against OpenSSL>=0.9.8 and ensure OPENSSL_NO_ECDH is not set.");568 " Please link against OpenSSL>=0.9.8 and ensure OPENSSL_NO_ECDH is not set.");
477#endif569#endif
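Review bot: `SSL_CTX_set1_groups(ctx.get(), &nid, 1)` restricts the context to a single group, which on OpenSSL 3 also governs the TLS 1.3 key-share negotiation, so a curve the client does not offer (secp521r1 is a common example) fails the handshake rather than falling back. As far as I can tell that is also how the 1.1 `SSL_CTX_set_tmp_ecdh()` path behaves, so it is not a regression, but the error message should include `eecdhCurve` so the operator sees which name was rejected, and the TODO about SSL_CTX_set1_groups_list() is the natural way to let operators configure several groups.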
diff --git a/src/security/cert_validators/fake/security_fake_certverify.8 b/src/security/cert_validators/fake/security_fake_certverify.8
index 246152d..9dbb485 100644
--- a/src/security/cert_validators/fake/security_fake_certverify.8
+++ b/src/security/cert_validators/fake/security_fake_certverify.8
@@ -133,7 +133,7 @@
133.\" ========================================================================133.\" ========================================================================
134.\"134.\"
135.IX Title "SECURITY_FAKE_CERTVERIFY 8"135.IX Title "SECURITY_FAKE_CERTVERIFY 8"
136.TH SECURITY_FAKE_CERTVERIFY 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"136.TH SECURITY_FAKE_CERTVERIFY 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
137.\" For nroff, turn off justification. Always turn off hyphenation; it makes137.\" For nroff, turn off justification. Always turn off hyphenation; it makes
138.\" way too many mistakes in technical documents.138.\" way too many mistakes in technical documents.
139.if n .ad l139.if n .ad l
diff --git a/src/security/forward.h b/src/security/forward.h
index 26225aa..9c4ff05 100644
--- a/src/security/forward.h
+++ b/src/security/forward.h
@@ -93,10 +93,25 @@ typedef std::list<Security::CertPointer> CertList;
93typedef std::list<Security::CrlPointer> CertRevokeList;93typedef std::list<Security::CrlPointer> CertRevokeList;
9494
95#if USE_OPENSSL95#if USE_OPENSSL
96CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
97using PrivateKeyPointer = Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref>>;
98#elif USE_GNUTLS
99using PrivateKeyPointer = std::shared_ptr<struct gnutls_x509_privkey_int>;
100#else
101using PrivateKeyPointer = std::shared_ptr<void>;
102#endif
103
104#if USE_OPENSSL
105#if OPENSSL_VERSION_MAJOR < 3
96CtoCpp1(DH_free, DH *);106CtoCpp1(DH_free, DH *);
97typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer;107typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref> > DhePointer;
98#else108#else
99typedef void *DhePointer;109using DhePointer = PrivateKeyPointer;
110#endif
111#elif USE_GNUTLS
112using DhePointer = void *;
113#else
114using DhePointer = void *;
100#endif115#endif
101116
102class EncryptorAnswer;117class EncryptorAnswer;
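Review bot: the `#elif USE_GNUTLS` and `#else` branches both define `DhePointer = void *` and can be merged into one `#else`; likewise `CtoCpp1(DH_free, DH *);` keeps a trailing semicolon while the new `CtoCpp1(EVP_PKEY_free, EVP_PKEY *)` has none, so pick one form. More substantively, on OpenSSL 3 `DhePointer` is now an alias of `PrivateKeyPointer`, so DH parameters and private keys become the same C++ type; any overload or template that told them apart by type will silently collapse, which is worth a grep before merging.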
@@ -159,7 +174,7 @@ class IoResult;
159class KeyData;174class KeyData;
160175
161#if USE_OPENSSL176#if USE_OPENSSL
162typedef long ParsedOptions;177using ParsedOptions = uint64_t;
163#elif USE_GNUTLS178#elif USE_GNUTLS
164typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;179typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
165#else180#else
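Review bot: `ParsedOptions = uint64_t` matches the OpenSSL 3 option type, but on OpenSSL 1.1 `SSL_CTX_set_options()` takes `unsigned long`, which is 32 bits on Windows, so passing a ParsedOptions there narrows silently. All 1.1 option bits fit in 32 bits so nothing breaks today, but an explicit cast at the call site, or a static_assert that ParsedOptions is at least as wide as the library's option type, documents the assumption for the next OpenSSL release.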
@@ -175,15 +190,6 @@ class PeerConnector;
175class BlindPeerConnector;190class BlindPeerConnector;
176class PeerOptions;191class PeerOptions;
177192
178#if USE_OPENSSL
179CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
180typedef Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref> > PrivateKeyPointer;
181#elif USE_GNUTLS
182typedef std::shared_ptr<struct gnutls_x509_privkey_int> PrivateKeyPointer;
183#else
184typedef std::shared_ptr<void> PrivateKeyPointer;
185#endif
186
187class ServerOptions;193class ServerOptions;
188194
189class ErrorDetail;195class ErrorDetail;
diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index ef572ba..d1def59 100644
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
@@ -9,36 +9,26 @@
9#include "squid.h"9#include "squid.h"
10#include "ssl/gadgets.h"10#include "ssl/gadgets.h"
1111
12EVP_PKEY * Ssl::createSslPrivateKey()12static Security::PrivateKeyPointer
13CreateRsaPrivateKey()
13{14{
14 Security::PrivateKeyPointer pkey(EVP_PKEY_new());15 Ssl::EVP_PKEY_CTX_Pointer rsa(EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, nullptr));
15
16 if (!pkey)
17 return NULL;
18
19 BIGNUM_Pointer bn(BN_new());
20 if (!bn)
21 return NULL;
22
23 if (!BN_set_word(bn.get(), RSA_F4))
24 return NULL;
25
26 Ssl::RSA_Pointer rsa(RSA_new());
27 if (!rsa)16 if (!rsa)
28 return NULL;17 return nullptr;
2918
30 int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable?19 if (EVP_PKEY_keygen_init(rsa.get()) <= 0)
31 if (!RSA_generate_key_ex(rsa.get(), num, bn.get(), NULL))20 return nullptr;
32 return NULL;
3321
34 if (!rsa)22 int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable?
35 return NULL;23 if (EVP_PKEY_CTX_set_rsa_keygen_bits(rsa.get(), num) <= 0)
24 return nullptr;
3625
37 if (!EVP_PKEY_assign_RSA(pkey.get(), (rsa.get())))26 /* Generate key */
38 return NULL;27 EVP_PKEY *pkey = nullptr;
28 if (EVP_PKEY_keygen(rsa.get(), &pkey) <= 0)
29 return nullptr;
3930
40 rsa.release();31 return Security::PrivateKeyPointer(pkey);
41 return pkey.release();
42}32}
4333
44/**34/**
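Review bot: the switch to EVP_PKEY_keygen drops the explicit `BN_set_word(bn, RSA_F4)`; that is behaviour-preserving only because the EVP RSA keygen default public exponent is 65537 (RSA_F4), so either say so in the comment or call EVP_PKEY_CTX_set_rsa_keygen_pubexp() (EVP_PKEY_CTX_set1_rsa_keygen_pubexp() on 3.0) so the choice does not ride on a library default. Also, the `int num = 2048; // Maybe use 4096 RSA keys ...` line survives the rewrite unchanged; a `const` with a name like `keyBits` reads better, and naming the EVP_PKEY_CTX `rsa` is misleading now that no RSA object exists.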
@@ -56,7 +46,7 @@ static bool setSerialNumber(ASN1_INTEGER *ai, BIGNUM const* serial)
56 if (!bn)46 if (!bn)
57 return false;47 return false;
5848
59 if (!BN_pseudo_rand(bn.get(), 64, 0, 0))49 if (!BN_rand(bn.get(), 64, 0, 0))
60 return false;50 return false;
61 }51 }
6252
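Review bot: BN_pseudo_rand() has been an alias of BN_rand() since OpenSSL 1.1.0, so this rename is behaviour-neutral. While here: `BN_rand(bn.get(), 64, 0, 0)` passes top=0 (BN_RAND_TOP_ONE), which forces the most significant bit, so the serial carries 63 bits of randomness; if the aim is the "at least 64 bits of CSPRNG output" that public CAs are held to, either request more bits or pass BN_RAND_TOP_ANY.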
@@ -375,7 +365,11 @@ mimicExtensions(Security::CertPointer & cert, Security::CertPointer const &mimic
375 // XXX: Add PublicKeyPointer. In OpenSSL, public and private keys are365 // XXX: Add PublicKeyPointer. In OpenSSL, public and private keys are
376 // internally represented by EVP_PKEY pair, but GnuTLS uses distinct types.366 // internally represented by EVP_PKEY pair, but GnuTLS uses distinct types.
377 const Security::PrivateKeyPointer certKey(X509_get_pubkey(mimicCert.get()));367 const Security::PrivateKeyPointer certKey(X509_get_pubkey(mimicCert.get()));
368#if OPENSSL_VERSION_MAJOR < 3
378 const auto rsaPkey = EVP_PKEY_get0_RSA(certKey.get()) != nullptr;369 const auto rsaPkey = EVP_PKEY_get0_RSA(certKey.get()) != nullptr;
370#else
371 const auto rsaPkey = EVP_PKEY_is_a(certKey.get(), "RSA") == 1;
372#endif
379373
380 int added = 0;374 int added = 0;
381 int nid;375 int nid;
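Review bot: `EVP_PKEY_is_a(certKey.get(), "RSA")` is the correct 3.0 replacement but is not exactly equivalent to the 1.1 `EVP_PKEY_get0_RSA() != nullptr` test: on 1.1.1 EVP_PKEY_get0_RSA() also returns a key for RSA-PSS certificates, whereas EVP_PKEY_is_a() with "RSA" does not match "RSA-PSS" keys, so mimicked certificates for RSA-PSS origins may get different extensions on the two branches; confirm that is acceptable. Also, both branches run with a null `certKey` if X509_get_pubkey() failed; EVP_PKEY_is_a() tolerates null but EVP_PKEY_get0_RSA() on 1.1 does not, so a null check above the `#if` makes the two paths equally safe.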
@@ -544,13 +538,8 @@ static bool buildCertificate(Security::CertPointer & cert, Ssl::CertificatePrope
544538
545static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Security::PrivateKeyPointer & pkeyToStore, Ssl::CertificateProperties const &properties, Ssl::BIGNUM_Pointer const &serial)539static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Security::PrivateKeyPointer & pkeyToStore, Ssl::CertificateProperties const &properties, Ssl::BIGNUM_Pointer const &serial)
546{540{
547 Security::PrivateKeyPointer pkey;
548 // Use signing certificates private key as generated certificate private key541 // Use signing certificates private key as generated certificate private key
549 if (properties.signWithPkey.get())542 const auto pkey = properties.signWithPkey ? properties.signWithPkey : CreateRsaPrivateKey();
550 pkey.resetAndLock(properties.signWithPkey.get());
551 else // if not exist generate one
552 pkey.resetWithoutLocking(Ssl::createSslPrivateKey());
553
554 if (!pkey)543 if (!pkey)
555 return false;544 return false;
556545
diff --git a/src/ssl/gadgets.h b/src/ssl/gadgets.h
index 8e46f89..4c5b30b 100644
--- a/src/ssl/gadgets.h
+++ b/src/ssl/gadgets.h
@@ -58,7 +58,7 @@ typedef std::unique_ptr<TXT_DB, HardFun<void, TXT_DB*, &TXT_DB_free>> TXT_DB_Poi
5858
59typedef std::unique_ptr<X509_NAME, HardFun<void, X509_NAME*, &X509_NAME_free>> X509_NAME_Pointer;59typedef std::unique_ptr<X509_NAME, HardFun<void, X509_NAME*, &X509_NAME_free>> X509_NAME_Pointer;
6060
61typedef std::unique_ptr<RSA, HardFun<void, RSA*, &RSA_free>> RSA_Pointer;61using EVP_PKEY_CTX_Pointer = std::unique_ptr<EVP_PKEY_CTX, HardFun<void, EVP_PKEY_CTX*, &EVP_PKEY_CTX_free>>;
6262
63typedef std::unique_ptr<X509_REQ, HardFun<void, X509_REQ*, &X509_REQ_free>> X509_REQ_Pointer;63typedef std::unique_ptr<X509_REQ, HardFun<void, X509_REQ*, &X509_REQ_free>> X509_REQ_Pointer;
6464
@@ -74,12 +74,6 @@ typedef std::unique_ptr<X509_EXTENSION, HardFun<void, X509_EXTENSION*, &X509_EXT
74typedef std::unique_ptr<X509_STORE_CTX, HardFun<void, X509_STORE_CTX *, &X509_STORE_CTX_free>> X509_STORE_CTX_Pointer;74typedef std::unique_ptr<X509_STORE_CTX, HardFun<void, X509_STORE_CTX *, &X509_STORE_CTX_free>> X509_STORE_CTX_Pointer;
75/**75/**
76 \ingroup SslCrtdSslAPI76 \ingroup SslCrtdSslAPI
77 * Create 1024 bits rsa key.
78 */
79EVP_PKEY * createSslPrivateKey();
80
81/**
82 \ingroup SslCrtdSslAPI
83 * Write private key and SSL certificate to memory.77 * Write private key and SSL certificate to memory.
84 */78 */
85bool writeCertAndPrivateKeyToMemory(Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey, std::string & bufferToWrite);79bool writeCertAndPrivateKeyToMemory(Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey, std::string & bufferToWrite);
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 11ef077..40c1e32 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -557,7 +557,11 @@ Ssl::VerifyCallbackParameters::At(Security::Connection &sconn)
557}557}
558558
559// "dup" function for SSL_get_ex_new_index("cert_err_check")559// "dup" function for SSL_get_ex_new_index("cert_err_check")
560#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP560#if OPENSSL_VERSION_MAJOR >= 3
561static int
562ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **,
563 int, long, void *)
564#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
561static int565static int
562ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,566ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,
563 int, long, void *)567 int, long, void *)
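Review bot: the `void **` third parameter is the correct CRYPTO_EX_dup signature for OpenSSL 3.0, but there are now three preprocessor variants of this prototype stacked on one function; since the parameter is unnamed and unused in every variant, the chain is harmless, though a one-line comment naming the OpenSSL version each branch targets would help whoever has to add a fourth.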
@@ -654,8 +658,12 @@ Ssl::Initialize(void)
654658
655 SQUID_OPENSSL_init_ssl();659 SQUID_OPENSSL_init_ssl();
656660
657#if !defined(OPENSSL_NO_ENGINE)
658 if (::Config.SSL.ssl_engine) {661 if (::Config.SSL.ssl_engine) {
662#if OPENSSL_VERSION_MAJOR < 3
663 debugs(83, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: Support for ssl_engine is deprecated " <<
664 "in Squids built with OpenSSL 1.x (like this Squid). " <<
665 "It is removed in Squids built with OpenSSL 3.0 or newer.");
666#if !defined(OPENSSL_NO_ENGINE)
659 ENGINE_load_builtin_engines();667 ENGINE_load_builtin_engines();
660 ENGINE *e;668 ENGINE *e;
661 if (!(e = ENGINE_by_id(::Config.SSL.ssl_engine)))669 if (!(e = ENGINE_by_id(::Config.SSL.ssl_engine)))
@@ -665,11 +673,14 @@ Ssl::Initialize(void)
665 const auto ssl_error = ERR_get_error();673 const auto ssl_error = ERR_get_error();
666 fatalf("Failed to initialise SSL engine: %s\n", Security::ErrorString(ssl_error));674 fatalf("Failed to initialise SSL engine: %s\n", Security::ErrorString(ssl_error));
667 }675 }
668 }676#else /* OPENSSL_NO_ENGINE */
669#else677 throw TextException("Cannot use ssl_engine in Squid built with OpenSSL configured to disable SSL engine support", Here());
670 if (::Config.SSL.ssl_engine)678#endif
671 fatalf("Your OpenSSL has no SSL engine support\n");679
680#else /* OPENSSL_VERSION_MAJOR */
681 throw TextException("Cannot use ssl_engine in Squid built with OpenSSL 3.0 or newer", Here());
672#endif682#endif
683 }
673684
674 const char *defName = ::Config.SSL.certSignHash ? ::Config.SSL.certSignHash : SQUID_SSL_SIGN_HASH_IF_NONE;685 const char *defName = ::Config.SSL.certSignHash ? ::Config.SSL.certSignHash : SQUID_SSL_SIGN_HASH_IF_NONE;
675 Ssl::DefaultSignHash = EVP_get_digestbyname(defName);686 Ssl::DefaultSignHash = EVP_get_digestbyname(defName);
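Review bot: replacing fatalf() with `throw TextException(...)` from Ssl::Initialize() changes the failure mode from an immediate fatal exit to an exception; confirm that the startup caller (not in this diff) catches it and prints the message, otherwise an uncaught exception during initialisation terminates with far less useful output than the old fatal(). Also, since OpenSSL 3 replaces engines with providers, the 3.0 message could say so ("configure an OpenSSL provider via openssl.cnf instead"), which is the information an operator hitting this error actually needs.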
diff --git a/src/store/id_rewriters/file/storeid_file_rewrite.8 b/src/store/id_rewriters/file/storeid_file_rewrite.8
index d3c63af..43913e8 100644
--- a/src/store/id_rewriters/file/storeid_file_rewrite.8
+++ b/src/store/id_rewriters/file/storeid_file_rewrite.8
@@ -133,7 +133,7 @@
133.\" ========================================================================133.\" ========================================================================
134.\"134.\"
135.IX Title "STOREID_FILE_REWRITE 8"135.IX Title "STOREID_FILE_REWRITE 8"
136.TH STOREID_FILE_REWRITE 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"136.TH STOREID_FILE_REWRITE 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
137.\" For nroff, turn off justification. Always turn off hyphenation; it makes137.\" For nroff, turn off justification. Always turn off hyphenation; it makes
138.\" way too many mistakes in technical documents.138.\" way too many mistakes in technical documents.
139.if n .ad l139.if n .ad l
diff --git a/src/tests/testStoreHashIndex.cc b/src/tests/testStoreHashIndex.cc
index dcfbcab..d017887 100644
--- a/src/tests/testStoreHashIndex.cc
+++ b/src/tests/testStoreHashIndex.cc
@@ -102,6 +102,8 @@ void commonInit()
102 if (inited)102 if (inited)
103 return;103 return;
104104
105 inited = true;
106
105 Mem::Init();107 Mem::Init();
106108
107 Config.Store.avgObjectSize = 1024;109 Config.Store.avgObjectSize = 1024;
@@ -109,6 +111,10 @@ void commonInit()
109 Config.Store.objectsPerBucket = 20;111 Config.Store.objectsPerBucket = 20;
110112
111 Config.Store.maxObjectSize = 2048;113 Config.Store.maxObjectSize = 2048;
114
115 Config.memShared.defaultTo(false);
116
117 Config.store_dir_select_algorithm = xstrdup("round-robin");
112}118}
113119
114/* TODO make this a cbdata class */120/* TODO make this a cbdata class */
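Review bot: `Config.store_dir_select_algorithm = xstrdup("round-robin");` overwrites the pointer without releasing any previous value. It only runs once behind the `inited` guard, so nothing leaks in practice, but a `safe_free(Config.store_dir_select_algorithm);` first (or a comment that the test never frees Config) would make that explicit and keep the pattern safe if the guard is ever relaxed.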
diff --git a/src/tunnel.cc b/src/tunnel.cc
index 4fc5abd..c5d4dfc 100644
--- a/src/tunnel.cc
+++ b/src/tunnel.cc
@@ -97,6 +97,10 @@ public:
97 return (server.conn != NULL && server.conn->getPeer() ? server.conn->getPeer()->host : request->url.host());97 return (server.conn != NULL && server.conn->getPeer() ? server.conn->getPeer()->host : request->url.host());
98 };98 };
9999
100 /// store the given to-server connection; prohibit retries and do not look
101 /// for any other destinations
102 void commitToServer(const Comm::ConnectionPointer &);
103
100 /// Whether the client sent a CONNECT request to us.104 /// Whether the client sent a CONNECT request to us.
101 bool clientExpectsConnectResponse() const {105 bool clientExpectsConnectResponse() const {
102 // If we are forcing a tunnel after receiving a client CONNECT, then we106 // If we are forcing a tunnel after receiving a client CONNECT, then we
@@ -186,6 +190,10 @@ public:
186 /// whether another destination may be still attempted if the TCP connection190 /// whether another destination may be still attempted if the TCP connection
187 /// was unexpectedly closed191 /// was unexpectedly closed
188 bool retriable;192 bool retriable;
193
194 /// whether the decision to tunnel to a particular destination was final
195 bool committedToServer;
196
189 // TODO: remove after fixing deferred reads in TunnelStateData::copyRead()197 // TODO: remove after fixing deferred reads in TunnelStateData::copyRead()
190 CodeContext::Pointer codeContext; ///< our creator context198 CodeContext::Pointer codeContext; ///< our creator context
191199
@@ -263,9 +271,8 @@ private:
263271
264 /// \returns whether the request should be retried (nil) or the description why it should not272 /// \returns whether the request should be retried (nil) or the description why it should not
265 const char *checkRetry();273 const char *checkRetry();
266 /// whether the successfully selected path destination or the established274
267 /// server connection is still in use275 bool transporting() const;
268 bool usingDestination() const;
269276
270 /// details of the "last tunneling attempt" failure (if it failed)277 /// details of the "last tunneling attempt" failure (if it failed)
271 ErrorState *savedError = nullptr;278 ErrorState *savedError = nullptr;
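Review bot: the new `bool transporting() const;` declaration drops the explanatory comment that `usingDestination()` carried in the class body. The definition further down has a doc comment, but readers of the declaration see only the name; repeat the one-line "whether a tunneling attempt to a selected destination is in progress" here so the header stays self-describing.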
@@ -362,6 +369,7 @@ TunnelStateData::TunnelStateData(ClientHttpRequest *clientRequest) :
362 destinations(new ResolvedPeers()),369 destinations(new ResolvedPeers()),
363 destinationsFound(false),370 destinationsFound(false),
364 retriable(true),371 retriable(true),
372 committedToServer(false),
365 codeContext(CodeContext::Current())373 codeContext(CodeContext::Current())
366{374{
367 debugs(26, 3, "TunnelStateData constructed this=" << this);375 debugs(26, 3, "TunnelStateData constructed this=" << this);
@@ -1009,8 +1017,7 @@ void
1009TunnelStateData::notePeerReadyToShovel(const Comm::ConnectionPointer &conn)1017TunnelStateData::notePeerReadyToShovel(const Comm::ConnectionPointer &conn)
1010{1018{
1011 assert(!client.dirty);1019 assert(!client.dirty);
1012 retriable = false;1020 commitToServer(conn);
1013 server.initConnection(conn, tunnelServerClosed, "tunnelServerClosed", this);
10141021
1015 if (!clientExpectsConnectResponse())1022 if (!clientExpectsConnectResponse())
1016 tunnelStartShoveling(this); // ssl-bumped connection, be quiet1023 tunnelStartShoveling(this); // ssl-bumped connection, be quiet
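Review bot: `commitToServer(conn)` does more than the two lines it replaces. Besides `retriable = false` and `server.initConnection(...)` it also clears `PeerSelectionInitiator::subscribed`, so after notePeerReadyToShovel() no further destinations are delivered; the "continue to receive destinations for backup" return in noteDestination() is then reachable only while `encryptionWait` or `peerWait` hold. If that narrowing is intended, state it in the commitToServer() comment, which currently says only "do not look for any other destinations".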
@@ -1025,6 +1032,15 @@ TunnelStateData::notePeerReadyToShovel(const Comm::ConnectionPointer &conn)
1025 }1032 }
1026}1033}
10271034
1035void
1036TunnelStateData::commitToServer(const Comm::ConnectionPointer &conn)
1037{
1038 committedToServer = true;
1039 retriable = false; // may already be false
1040 PeerSelectionInitiator::subscribed = false; // may already be false
1041 server.initConnection(conn, tunnelServerClosed, "tunnelServerClosed", this);
1042}
1043
1028static void1044static void
1029tunnelErrorComplete(int fd/*const Comm::ConnectionPointer &*/, void *data, size_t)1045tunnelErrorComplete(int fd/*const Comm::ConnectionPointer &*/, void *data, size_t)
1030{1046{
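Review bot: commitToServer() has no guard against being called twice; a second call would re-run `server.initConnection(...)` on an already initialized server side. Since the comments on `retriable` and `subscribed` already concede "may already be false", add `Must(!committedToServer);` at the top so a double commit becomes a caught exception instead of a silently re-initialized connection.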
@@ -1252,18 +1268,15 @@ TunnelStateData::noteDestination(Comm::ConnectionPointer path)
12521268
1253 destinations->addPath(path);1269 destinations->addPath(path);
12541270
1255 if (usingDestination()) {
1256 // We are already using a previously opened connection but also
1257 // receiving destinations in case we need to re-forward.
1258 Must(!transportWait);
1259 return;
1260 }
1261
1262 if (transportWait) {1271 if (transportWait) {
1272 assert(!transporting());
1263 notifyConnOpener();1273 notifyConnOpener();
1264 return; // and continue to wait for tunnelConnectDone() callback1274 return; // and continue to wait for tunnelConnectDone() callback
1265 }1275 }
12661276
1277 if (transporting())
1278 return; // and continue to receive destinations for backup
1279
1267 startConnecting();1280 startConnecting();
1268}1281}
12691282
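Review bot: the invariant check in noteDestination() changed from `Must(!transportWait)` to `assert(!transporting())`. Must() raises an exception that the tunnel's error path can turn into a client reply, whereas assert() aborts the whole worker. This code is driven by external DNS and peer-selection events, so unless the state is provably unreachable, prefer Must() here (and for the parallel `assert(!transporting())` added to noteDestinationsEnd()).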
@@ -1279,8 +1292,9 @@ TunnelStateData::noteDestinationsEnd(ErrorState *selectionError)
1279 if (selectionError)1292 if (selectionError)
1280 return sendError(selectionError, "path selection has failed");1293 return sendError(selectionError, "path selection has failed");
12811294
1295 // TODO: Merge with FwdState and remove this likely unnecessary check.
1282 if (savedError)1296 if (savedError)
1283 return sendError(savedError, "all found paths have failed");1297 return sendError(savedError, "path selection found no paths (with an impossible early error)");
12841298
1285 return sendError(new ErrorState(ERR_CANNOT_FORWARD, Http::scInternalServerError, request.getRaw(), al),1299 return sendError(new ErrorState(ERR_CANNOT_FORWARD, Http::scInternalServerError, request.getRaw(), al),
1286 "path selection found no paths");1300 "path selection found no paths");
@@ -1289,21 +1303,32 @@ TunnelStateData::noteDestinationsEnd(ErrorState *selectionError)
1289 // if all of them fail, tunneling as whole will fail1303 // if all of them fail, tunneling as whole will fail
1290 Must(!selectionError); // finding at least one path means selection succeeded1304 Must(!selectionError); // finding at least one path means selection succeeded
12911305
1292 if (usingDestination()) {1306 if (transportWait) {
1293 // We are already using a previously opened connection but also1307 assert(!transporting());
1294 // receiving destinations in case we need to re-forward.1308 notifyConnOpener();
1295 Must(!transportWait);1309 return; // and continue to wait for the noteConnection() callback
1310 }
1311
1312 if (transporting()) {
1313 // We are already using a previously opened connection (but were also
1314 // receiving more destinations in case we need to re-forward).
1315 debugs(17, 7, "keep transporting");
1296 return;1316 return;
1297 }1317 }
12981318
1299 Must(transportWait); // or we would be stuck with nothing to do or wait for1319 // destinationsFound, but none of them worked, and we were waiting for more
1300 notifyConnOpener();1320 assert(savedError);
1321 // XXX: Honor clientExpectsConnectResponse() before replying.
1322 sendError(savedError, "all found paths have failed");
1301}1323}
13021324
1325/// Whether a tunneling attempt to some selected destination X is in progress
1326/// (after successfully opening/reusing a transport connection to X).
1327/// \sa transportWait
1303bool1328bool
1304TunnelStateData::usingDestination() const1329TunnelStateData::transporting() const
1305{1330{
1306 return encryptionWait || peerWait || Comm::IsConnOpen(server.conn);1331 return encryptionWait || peerWait || committedToServer;
1307}1332}
13081333
1309/// remembers an error to be used if there will be no more connection attempts1334/// remembers an error to be used if there will be no more connection attempts
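Review bot: the rewritten tail of noteDestinationsEnd() replaces `Must(transportWait); notifyConnOpener();` with `assert(savedError); sendError(savedError, "all found paths have failed");`, so a state where destinations were found, none is in use, nothing is being opened and no error was saved now aborts the process rather than throwing; use Must() for the same reason as in noteDestination(). The `// XXX: Honor clientExpectsConnectResponse() before replying.` line admits that a CONNECT client may receive a plain error body here, which deserves a tracking bug reference. Also worth stating in the transporting() comment: keying on `committedToServer` instead of `Comm::IsConnOpen(server.conn)` means a committed server connection that has since closed still counts as transporting, which is exactly what stops a late destination from restarting connection attempts.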
@@ -1362,7 +1387,7 @@ TunnelStateData::startConnecting()
1362 request->hier.startPeerClock();1387 request->hier.startPeerClock();
13631388
1364 assert(!destinations->empty());1389 assert(!destinations->empty());
1365 assert(!usingDestination());1390 assert(!transporting());
1366 AsyncCall::Pointer callback = asyncCall(17, 5, "TunnelStateData::noteConnection", HappyConnOpener::CbDialer<TunnelStateData>(&TunnelStateData::noteConnection, this));1391 AsyncCall::Pointer callback = asyncCall(17, 5, "TunnelStateData::noteConnection", HappyConnOpener::CbDialer<TunnelStateData>(&TunnelStateData::noteConnection, this));
1367 const auto cs = new HappyConnOpener(destinations, callback, request, startTime, 0, al);1392 const auto cs = new HappyConnOpener(destinations, callback, request, startTime, 0, al);
1368 cs->setHost(request->url.host());1393 cs->setHost(request->url.host());
@@ -1457,12 +1482,10 @@ switchToTunnel(HttpRequest *request, const Comm::ConnectionPointer &clientConn,
1457 debugs(26, 3, request->method << " " << context->http->uri << " " << request->http_ver);1482 debugs(26, 3, request->method << " " << context->http->uri << " " << request->http_ver);
14581483
1459 TunnelStateData *tunnelState = new TunnelStateData(context->http);1484 TunnelStateData *tunnelState = new TunnelStateData(context->http);
1460 tunnelState->retriable = false;1485 tunnelState->commitToServer(srvConn);
14611486
1462 request->hier.resetPeerNotes(srvConn, tunnelState->getHost());1487 request->hier.resetPeerNotes(srvConn, tunnelState->getHost());
14631488
1464 tunnelState->server.initConnection(srvConn, tunnelServerClosed, "tunnelServerClosed", tunnelState);
1465
1466#if USE_DELAY_POOLS1489#if USE_DELAY_POOLS
1467 /* no point using the delayIsNoDelay stuff since tunnel is nice and simple */1490 /* no point using the delayIsNoDelay stuff since tunnel is nice and simple */
1468 if (!srvConn->getPeer() || !srvConn->getPeer()->options.no_delay)1491 if (!srvConn->getPeer() || !srvConn->getPeer()->options.no_delay)
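Review bot: switchToTunnel() now calls `tunnelState->commitToServer(srvConn)` before `request->hier.resetPeerNotes(srvConn, tunnelState->getHost())`, whereas the removed `server.initConnection(...)` ran after it. getHost() (line 97 in the first tunnel.cc hunk) returns the peer host when `server.conn` has a peer and the request URL host otherwise, so the hostname recorded in the hierarchy notes can change for peer-routed tunnels. If that is intended, say so in the commit message; if not, move the commitToServer() call below resetPeerNotes().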
diff --git a/tools/helper-mux/helper-mux.8 b/tools/helper-mux/helper-mux.8
index 788e3e6..d904e33 100644
--- a/tools/helper-mux/helper-mux.8
+++ b/tools/helper-mux/helper-mux.8
@@ -133,7 +133,7 @@
133.\" ========================================================================133.\" ========================================================================
134.\"134.\"
135.IX Title "HELPER-MUX 8"135.IX Title "HELPER-MUX 8"
136.TH HELPER-MUX 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"136.TH HELPER-MUX 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
137.\" For nroff, turn off justification. Always turn off hyphenation; it makes137.\" For nroff, turn off justification. Always turn off hyphenation; it makes
138.\" way too many mistakes in technical documents.138.\" way too many mistakes in technical documents.
139.if n .ad l139.if n .ad l