Amos Jeffries [Mon, 12 Jan 2015 08:11:06 +0000 (00:11 -0800)]
squidclient: Fix -A and -P options
With --https addition the A and P values are re-used for --cert and
--params within HTTPS options. This works for long options, but they
cannot be listed as short options by the Transport:: module because
they are required at the top level by old-style HTTP parameters.
Amos Jeffries [Thu, 8 Jan 2015 23:41:52 +0000 (15:41 -0800)]
Update IPC sockets verification check
Coverity Scan gets confused by the code trick of using memset() on a
buffer then filling arbitrary string data into all but the final byte of
that buffer - thus implicitly null terminating.
Try an explicit null termination instead of memset(), this should make
Coverity a bit happier and is also faster than zeroing the entire buf.
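As an added illustration of the pattern the commit describes (not Squid's code), the following C example copies a path into a fixed-size buffer, leaves the final byte for an explicit NUL instead of memset()ing the whole buffer first, and reports truncation so the caller can refuse over-long paths. The buffer size PATH_BUF_LEN and the helper names are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the fixed-size socket path field; the real sun_path length is
 * platform dependent, so this size is an assumption for the example. */
#define PATH_BUF_LEN 16

/* Copy src into a fixed buffer of len bytes, never writing more than len-1
 * payload bytes and always placing an explicit NUL after them. No memset() of
 * the whole buffer is needed. Returns 1 if src fit, 0 if it was truncated. */
int copy_path(char *dst, size_t len, const char *src)
{
    size_t n = strlen(src);
    size_t copy;
    if (len == 0)
        return 0;
    copy = n < len - 1 ? n : len - 1;
    memcpy(dst, src, copy);
    dst[copy] = '\0';       /* explicit termination, at most dst[len-1] */
    return copy == n;
}

/* Demonstration: poison a buffer, copy into it and report the outcome.
 * Returns 1 = fit, 0 = truncated, -1 = buffer not NUL terminated (never
 * expected; this is the property a static analyser wants to see proven). */
int path_copy_result(const char *src)
{
    char buf[PATH_BUF_LEN];
    int fit;
    memset(buf, 'X', sizeof buf);   /* poison: nothing relies on zero fill */
    fit = copy_path(buf, sizeof buf, src);
    if (memchr(buf, '\0', sizeof buf) == NULL)
        return -1;
    return fit;
}

/* Length of the string that survives in the buffer after the copy. */
size_t path_copy_length(const char *src)
{
    char buf[PATH_BUF_LEN];
    memset(buf, 'X', sizeof buf);
    copy_path(buf, sizeof buf, src);
    return strlen(buf);
}
```

The truncation return value is the practitioner's caveat here: a silently truncated socket path names a different filesystem object than the one configured, so a caller should treat a 0 result as a configuration error rather than proceed to bind or connect.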
Turn c++11 initializer lists into explicit constructors
Only fairly recent versions of gcc and clang support well c++11-style
initializer lists; reverting to traditional constructors obtains
better portability at the price of less readable code.
This changeset can be reverted after RHEL/CentOS 6, Debian Wheezy and
Ubuntu Precise will not be supported anymore.
Amos Jeffries [Sun, 4 Jan 2015 07:40:55 +0000 (23:40 -0800)]
Improved automake 1.13+ support in unit-tests
Automake 1.13+ is warning about subdir-objects being enabled in
future versions but Squid currently relies on several environment
constructs that prevent that feature from working.
* All cppunit tests share a main() implementation in testMain.cc
which is not able to easily be built as a .o from locations
such as compat/.
Fix this by making the code to include/unitTestMain.h and
including it as an inline main() definition for all cppunit
tests core .cc files.
* lib/testAll unit test
Fix by splitting out into multiple unit-test binaries as is done
by the rest of Squid. And removing duplicate testMain.cc.
* lib/ and src/ objects link to objects in child directories
Enable subdir-objects when possible. Some remain due to
depending on stubs files in the not yet created src/tests/ build
directory. That will be fixed in a future commit.
Amos Jeffries [Fri, 2 Jan 2015 13:15:24 +0000 (05:15 -0800)]
Bug 3754: configure doesn't detect IPFilter 5.1.2 system headers
Solaris 10+ bundles IPFilter code natively, but the IPFilter
headers contain a duplicate definition of minor_t which does
not match the existing OS definition.
The result is that no applications (such as Squid) will build
on Solaris with the natively provided headers.
Also, the upstream IPFilter code separate from Solaris contains
the same minor_t definition so building against a separate
install of IPFilter does not fix the issue.
We must instead play fancy games #define'ing minor_t to a
different real-name for the OS headers and its own name for
the IPFilter headers.
Thanks to Yuri Voinov for sponsoring the Solaris 10
machine and environment resources for this fix.
Amos Jeffries [Thu, 1 Jan 2015 08:57:18 +0000 (00:57 -0800)]
Cleanup: fix most 'unused parameter' warnings
... and several bugs hidden by lack of this check:
* url_rewrite_timeout parser/dumper using wrong cf.data.pre
parameter definition.
* url_rewrite_timeout parser/dumper using wrong object for
state data.
Global a Config object instead of parameter object.
Preventing future use of multiple Config objects. There is
more to be done as the Timeout value itself is not stored
as part of the object apparently detailing the timeout.
* request_header_add directive dump() omitting directive
name in mgr:config output.
* dead code as HTCP packet handlers for NOP, MON, SET
* mime icons download operation incorrectly initialized.
was using the 'view' access parameter to set download
access permission.
* peerCountHandleIcpReply() assertions testing validity
after pointers already used. This would lead to segfault
on errors, now leading to assertion logging.
Only the default built code was checked and updated at this
time. There are 62 known warnings still appearing due to
parameters being only used inside conditional code, possibly
more issues in code not enabled in this build and certainly
a lot more in the stubs and unit tests which were not checked.
Fixed handling of invalid SSL server certificates when splicing connections.
An unpatched Squid in peek-and-splice mode may splice connections after
receiving a malformed or unsupported SSL server Hello message. This may
happen even if sslproxy_cert_error tells Squid to honor the error. After
this change, Squid honors sslproxy_cert_error setting when:
* no server certificate was found and checked using Squid validation procedure
(e.g., because the SSL server Hello response was malformed or unsupported); or
* Squid server certificate validation procedure has failed.
If the certificate error is not allowed, Squid terminates the server connection
and attempts to bump the client connection to deliver the error message to the
user.
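As an added configuration example (not from the commit or the Squid documentation), this is the peek-and-splice setup the fix applies to, with sslproxy_cert_error set so that certificate errors are not tolerated. The ACL names step1 and step2 are assumptions; the directives are the standard ssl_bump, at_step and sslproxy_cert_error directives.

```conf
# Peek at the client Hello and the server Hello, then splice.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
ssl_bump peek step1
ssl_bump peek step2
ssl_bump splice all

# Deny every server certificate error. After the fix described above this
# also covers the case where no certificate could be validated at all, for
# example because the server Hello was malformed or unsupported: the server
# connection is terminated and the client connection is bumped so the user
# receives the error page instead of a silently spliced connection.
sslproxy_cert_error deny all
```

The weak configuration to avoid is sslproxy_cert_error allow all, which tells Squid to honour no certificate errors at all; with that setting the splice proceeds regardless of validation outcome, before and after the fix.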
Amos Jeffries [Tue, 30 Dec 2014 13:40:33 +0000 (05:40 -0800)]
Fix 64-bit compile issues in rev.13785
The Nettle 3.0 library API imported and used by rev.13785 defines
function symbols with size_t parameters where earlier libraries used
'unsigned'. This matters on 64-bit systems where unsigned is an 'int'
and size_t a 'long' - implicit conversion is not possible.
Explicitly detect the size_t API existence during ./configure time and
use the built-in logics if supplied Nettle library is an older version.
Amos Jeffries [Tue, 30 Dec 2014 10:22:29 +0000 (02:22 -0800)]
basic_msnt_multi_domain_auth: Superseded by basic_smb_lm_auth
This helper consisted of a Perl script requiring special Perl
SMB:Authen module and Samba nmblookup helper to operate.
It performs the same operations as basic_smb_lm_auth helper,
so is not actually needed.
It also contains a slightly ambiguous copyright license as it
was published to the squid-users mailing list in effective
Public Domain free for any use, but without explicit statement
to the fact.
Amos Jeffries [Tue, 30 Dec 2014 09:09:27 +0000 (01:09 -0800)]
Crypto-NG: Base64 crypto replacement
The existing Squid base64 code had ambiguous copyright licensing. In
particular it only referenced a dead URL for source copyright
ownership details. In all likelihood this was for an Open Source
implementation, but we don't have sufficient record of the original
license terms to be certain without a long investigation.
It has also been heavily modified and customized over the decades
since importing which complicates the issue a lot.
It also does not match any of the common industry context-based API
patterns for encoders/decoders.
This patch replaces that logic with GPLv2 licensed code from the
Nettle crypto library. Either linking the library dynamically or in
its absence embedding the logic via our libmiscencoding library.
It also updates all code to the new API, and as a byproduct removes
several layers of deprecated wrapper functions which have grown in
over the years.
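To show what the "context-based API pattern for encoders/decoders" mentioned above looks like in practice, here is an added, self-contained C implementation of Base64 in the init/update/final style. The function and struct names are modelled on that pattern but are assumptions for this example; this is neither Nettle's nor Squid's code. The decoder is strict: it rejects invalid characters, data after '=' padding, a dangling sextet, and non-zero padding bits.

```c
#include <stddef.h>
#include <string.h>

/* Output chars needed to encode n bytes (without a trailing NUL). */
#define B64_ENCODE_LENGTH(n) (((n) + 2) / 3 * 4)

static const char b64_alphabet[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

struct b64_encode_ctx { unsigned bits; unsigned nbits; };
struct b64_decode_ctx { unsigned bits; unsigned nbits; unsigned padding; };

void b64_encode_init(struct b64_encode_ctx *ctx) { ctx->bits = 0; ctx->nbits = 0; }

/* Encode n bytes; dst must hold B64_ENCODE_LENGTH(n) chars. Returns chars written.
 * Leftover bits (fewer than 6) are carried in the context across calls. */
size_t b64_encode_update(struct b64_encode_ctx *ctx, char *dst, size_t n, const unsigned char *src)
{
    size_t out = 0;
    for (size_t i = 0; i < n; ++i) {
        ctx->bits = (ctx->bits << 8) | src[i];
        ctx->nbits += 8;
        while (ctx->nbits >= 6) {
            ctx->nbits -= 6;
            dst[out++] = b64_alphabet[(ctx->bits >> ctx->nbits) & 0x3f];
        }
        ctx->bits &= (1u << ctx->nbits) - 1;   /* keep only the leftover bits */
    }
    return out;
}

/* Flush the pending 2 or 4 bits and emit '=' padding; dst must hold 3 chars. */
size_t b64_encode_final(struct b64_encode_ctx *ctx, char *dst)
{
    size_t out = 0;
    if (ctx->nbits > 0) {
        dst[out++] = b64_alphabet[(ctx->bits << (6 - ctx->nbits)) & 0x3f];
        for (unsigned pad = ctx->nbits == 2 ? 2 : 1; pad > 0; --pad)
            dst[out++] = '=';
        ctx->bits = 0; ctx->nbits = 0;
    }
    return out;
}

static int b64_decode_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

void b64_decode_init(struct b64_decode_ctx *ctx) { ctx->bits = 0; ctx->nbits = 0; ctx->padding = 0; }

/* Decode n chars into dst (at least 3*n/4 + 1 bytes). Returns 1 on success, 0 on an
 * invalid character, excess padding, or data after '='; *dst_len receives bytes written. */
int b64_decode_update(struct b64_decode_ctx *ctx, unsigned char *dst, size_t *dst_len, size_t n, const char *src)
{
    size_t out = 0;
    *dst_len = 0;
    for (size_t i = 0; i < n; ++i) {
        if (src[i] == '=') { if (++ctx->padding > 2) return 0; continue; }
        if (ctx->padding) return 0;             /* data after padding */
        int v = b64_decode_value(src[i]);
        if (v < 0) return 0;
        ctx->bits = (ctx->bits << 6) | (unsigned)v;
        ctx->nbits += 6;
        if (ctx->nbits >= 8) {
            ctx->nbits -= 8;
            dst[out++] = (unsigned char)((ctx->bits >> ctx->nbits) & 0xff);
            ctx->bits &= (1u << ctx->nbits) - 1;
        }
    }
    *dst_len = out;
    return 1;
}

/* Strict finish: reject a dangling sextet and non-zero bits hidden in the padding. */
int b64_decode_final(const struct b64_decode_ctx *ctx)
{
    return ctx->nbits < 6 && ctx->bits == 0;
}

/* Encode plain text one byte per update call (exercising the carried context). */
int b64_encodes_to(const char *plain, const char *expected)
{
    char out[128];
    size_t len = strlen(plain), pos = 0;
    struct b64_encode_ctx ctx;
    if (B64_ENCODE_LENGTH(len) + 1 > sizeof out) return 0;
    b64_encode_init(&ctx);
    for (size_t i = 0; i < len; ++i)
        pos += b64_encode_update(&ctx, out + pos, 1, (const unsigned char *)plain + i);
    pos += b64_encode_final(&ctx, out + pos);
    out[pos] = '\0';
    return strcmp(out, expected) == 0;
}

/* Decode strictly into a NUL-terminated string; returns 1 if valid, else 0. */
int b64_decode_string(const char *encoded, char *dst, size_t dst_size)
{
    struct b64_decode_ctx ctx;
    size_t n = strlen(encoded), len;
    if (3 * n / 4 + 2 > dst_size) return 0;
    b64_decode_init(&ctx);
    if (!b64_decode_update(&ctx, (unsigned char *)dst, &len, n, encoded)) return 0;
    if (!b64_decode_final(&ctx)) return 0;
    dst[len] = '\0';
    return 1;
}

int b64_decodes_to(const char *encoded, const char *expected)
{
    char buf[128];
    return b64_decode_string(encoded, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int b64_decode_is_valid(const char *encoded)
{
    char buf[128];
    return b64_decode_string(encoded, buf, sizeof buf);
}
```

The point of the init/update/final split is that a caller can feed a header value or socket read in whatever pieces arrive without the codec needing the whole input; the strict final check matters for a proxy, because lenient decoders that accept "Zh==" as "f" give two different encodings of the same credential or token and let filters be bypassed by the variant they were not written to match.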