Cleanup: use SBuf::npos instead of npos in SBuf::append()
Small experiment. It is possible on some systems that std::npos / ::npos
is defined with a different integer size and value.
This may be what is confusing Coverity scan and producing buffer overrun
alerts in the append() c-string with default parameter case.
If ConfigParser::QuotedOrToEol() happend to return NULL. Which may happen
if there is no token before end of current file the auth module config
parser would crash.
Do not crash when sending %ssl::cert_subject to external ACL w/o certificate.
An ACL check in ConnStateData::postHttpsAccept (e.g., when dealing with an
intercepted SSL connection) uses an HttpRequest object that is not yet linked
with the ConnStateData object. Do not blindly dereference the pointer to the
latter.
Fixes a squid crash when a foreign protocol client connected to an https_port
The Ssl::Bio::read will fail to recognize SSL protocol and will return "-1"
as readed SSL bytes. The Ssl::ClientBio::read must return error (-1)
in this case.
Send selected SSL version and cipher to the certificate validation helper.
This patch sends the selected cipher suite and the selected SSL/TLS version
to the certificate verification helper using the "proto_version=v" and
"cipher=c" key=value pairs.
On MinGW at least macro replacement appears to be case insensitive.
The lower-case freeaddrinfo/initaddrinfo system functions are defined
with macros, both in MinGW headers and Squid libcompat.
SourceLayout: rename auth module files to match guidelines
* Squid-3 coding guidelines require that files are named after the
class(es) contained within. Rename the files containing auth Config
classes to match.
* Remove the unused DefaultAuthenticateChildrenMax macros.
* simplify included headers in auth modules.
* alphabetize the order auth modules are detected.
Windows: Fix error displaying helper name on pipe close errors
The helper name string is not directly available to the HelperServerBase
methods for closing pipes. Pass it from the method callers as needed and
drop logging of the command line details.
idnsParseResolvConf() had been disabled for all windows builds. Cygwin
does provide this system config file.
Also, instead of seeding #if/#endif wrappers around always call the
function and just wrap its internals away from Windows builds that do
not supply the necessary config file.
Portability: rename BodyPipe member to avoid clash with pipe() macro
Our Windows compatibility layer defines pipe() as a macro. On MinGW at
least the precompiler makes no distinction between parameterless macro
pipe() and pipe variables.
Use thePipe for member naming and aPipe for function local variables.
Windows: fix mapping between POSIX and Windows socket types
MinGW at least still defines several socket structure fields with size_t
instead of socklen_t. In order to maintain the POSIX API definition in
appearance we need to cast these types to their POSIX variant regardless
of whether size_t or socklen_t is used.
* Windows defines CMSG_DATA macro name for uses unrelated to the BSD
socket CMSG mechanism. Define SQUID_CMSG_DATA as a generic replacement.
* MinGW provides a wrapper layer emulating the BSD socket CMSG mechanism
in the form of WSA_CMG_* macros for the BSD struct types.
Detect and use those wrapper macros when available.
Cleanup: wrap some C-includes with protective macros
Squid-3 guidelines require that C-header includes should be wrapped
and the absence of wrapping causes build errors on Windows at least for
these ones.
Source Maintenance: fix various maintenance script issues
* ensure auto-generated .list are sorted, instead of ad-hoc system
dependent ordering which can cause needless updates.
* grep only paths with *.* (usually files) instead of all items in each
directory. This avoids scanning sub-directory indexes with grep, which
produces fatal errors on some systems.
* add check for Squid Software Foundation copyright blurb and highlight
files needing attention.
%<tt (total server time) is not computed in some cases
The total server time is not computed for CONNECT requests.
An other example case is when server-first bumping mode is used and squid
connects to SSL peer, but connection terminated before the SSL handshake
completes.
PROXY protocol has been developed by Willy Tarreau of HAProxy for
communicating original src and dst IP:port details between proxies and
load balancers in a protocol-agnostic way.
stunnel, HAProxy and some other HTTP proxying software are already
enabled and by adding support to Squid we can effectively chain these
proxies without having to rely on X-Forwarded-For headers.
This patch adds http_port mode flag (require-proxy-header) to signal the
protocol is in use, parsing and processing logics for the PROXY protocol
headers on new connections, and the proxy_protocol_access control to
manage inbound connections.
The indirect client security/trust model remains unchanged. As do all
HTTP related logics on the connection once PROXY protocol header has
been received.
Furture Work:
* support sending PROXY protocol to cache_peers
* support receiving PROXY protocol on https_port
* rework the PROXY parse logics as a Parser-NG child parser.
Close active pconns after their *_port goes away on reconfigure.
This change reduces what may be perceived as reconfigure memory leaks
related to *_port options. Before this change, a single persistent
connection could continue to receive new requests (and tie no longer
globally accessible PortCfg-related structures) for hours.
The goal of this patch is to make SSL bumping decision after the origin server
name is known.
Peek and Splice peeks at the SSL client Hello message and SNI info if any
(bumping step 1), sends identical or a similar Hello message to the SSL server
and peeks at the SSL server Hello message (bumping step 2), and finally
decides to proceed with splicing or bumping the connection (bumping step 3).
After the step 1 bumping step completes the SNI information is available and
after the step 2 bumping step completes the server certificate is available.
The ssl_bump access list evaluated on every bumping step to select the bumping
mode to use. The new acl "at_step" can be used to match the current bumping
step.
In most cases:
- if the user select "peek" bumping mode at step2 then at step3 can select
one of the "splice" or "terminate" modes.
- If the user select "stare" bumping mode at step2 then at step 3 can select
one of the "bump" or "terminate" modes.
If the squid built with the SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK and the
client uses openSSL library similar to the library used by squid then bumping
is possible after "peek" bumping mode selection and "splice" after "stare"
bumping mode selection.
The bump, terminate and splice are final decisions.
Fixes and polishing in response to Amos' squid-dev review dated 2014/08/19
- Polishing changes
- Move src/acl/AtBumpStep*.[cc,h] files to src/acl/AtStep*.[cc,h]
- Convert Ssl::Bio::sslFeatures::serverName,
Ssl::Bio::sslFeatures::HelloMesssage and Ssl::ServerBio::helloMsg members
to SBuf
Amos Jeffries [Tue, 26 Aug 2014 02:39:30 +0000 (19:39 -0700)]
Boilerplate: update acinclude/ and configure.ac copyrights
* update CONTRIBUTORS with missing contributors
* update CREDITS with missing copyright licenses
- remove outdated Treehouse Networks license on rfc3596.h rfc3596.cc
- shuffle some entries for easier reading. Alphabetical by first source
file path.
* split AX_WITH_PROG() macro into its own source file to clarify the
license scope. It is provided as a standalone file by the author(s).
Amos Jeffries [Mon, 25 Aug 2014 15:47:04 +0000 (08:47 -0700)]
Boilerplate: update copyright licenses on include/ sources
* add Squid Software Foundation blurb
* update CONTRIBUTORS with missing authors
* update CREDITS with missing license and copyright statements
It looks a bit messy, but Carnegie Mellon Univeristy license requires
that several very similar but unique copyright and license blurbs be
documented unabreviated.
Squid-3 is now being administered by the Squid Software Foundation,
a non-profit organisation created for the purpose of providing
governance and representation for the Squid Project and community
of contributors.
http://www.squid-cache.org/Foundation/
As such the Squid source code collection is being prefixed with a
new copyright blurb:
* Copyright (C) 1996-2014 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
* Please see the COPYING and CONTRIBUTORS files for details.
Existing copyright claims on specific source code files are being
preserved in-situ following this collection blurb.
With some exceptions where existing copyright owners have explicitly
given permission for their specific claim statements to be moved to
the CONTRIBUTORS file and assist removal of the inconsistent and
now often incorrect Harvest and Squid Project blurb(s).
This patch publishes the script and boilerplate text used to perform
this change of copyright marking for public review.
Also, adds some administrative polishing in preparation for the
blurb adjustments.
Amos Jeffries [Mon, 25 Aug 2014 04:53:57 +0000 (21:53 -0700)]
Cleanup: remove SQUID_NO_STRING_BUFFER_PROTECT and SQUID_UNIT_TEST macros
These macros were used solely to prevent cppunit and operating system
includes from generating build errors and warnings via Squid protection
from unsafe use of sprintf, strdup and other allocator and string
functions.
The protection against these functions has long ago been move to
source-maintenance script instead of runtime checking. Making these
macros obsolete.
Amos Jeffries [Fri, 22 Aug 2014 12:48:40 +0000 (05:48 -0700)]
Portability: disable krb5-config use when cross-compiling
krb5-config detection does not support cross-compiling or multiple krb5
library installations properly.
pkg-config is supported by recent releases of the popular krb5 libraries
and supports cross-compile properly and complicated build environments
much better. Trust its results when cross-compiling.
Amos Jeffries [Thu, 21 Aug 2014 18:11:23 +0000 (11:11 -0700)]
Docs: update release notes and configure --help after Kerberos update
Add release notes for the ./configure option changes in rev.13538.
Also, adjust ./configure --help display text to match the option
behaviour:
* --with is default action, so --without gets documented.
* --without does not accept path, and --with-foo=PATH is available on
all library options. So remove repeated text.
Alex Rousskov [Thu, 21 Aug 2014 00:29:33 +0000 (18:29 -0600)]
Do not leak fake SSL certificate context cache when reconfigure
changes port addresses.
We believe that deleting a cached LocalContextStorage object does not actually
affect connections that use the corresponding SSL_CTX and certificate because
any SSL object using those things increments their sharing counter and
deleting LocalContextStorage only decrements that counter. The [cached]
SSL_CTX object is not destroyed by SSL_CTX_free until that sharing counter
reaches zero.
Alex Rousskov [Tue, 19 Aug 2014 18:09:50 +0000 (12:09 -0600)]
Do not assert on native FTP ERR_TOO_BIG. Do not check for ERR_TOO_BIG twice.
The assertion occurred because both the FTP request parser and the generic
ConnStateData::checkHeaderLimits() code would try to write their own error
message to the user. Reworked all error reporting code in the FTP parser to
avoid writing early responses (that were bypassing the overall transaction
flow with various negative side effects such as lack of logging).
Removed ConnStateData::checkHeaderLimits(): We already have protocol-specific
checks for huge HTTP and FTP requests. There is no point in duplicating them.
Centralizing them sounds like a good idea, but a general checkHeaderLimits()
cannot produce protocol-specific errors messages that we need, so it hurts
more than it helps. Moreover, checkHeaderLimits() was handling errors
differently than protocol parsing code, making the code more complex overall.
All that remains from the checkHeaderLimits() code now is a single Must(),
checking that the protocol parsers did what they were supposed to do: Return
NULL to request more data after checking any applicable limits. If parsers do
not (a Squid bug!), the ConnStateData job gets killed (and connection gets
closed) as the last resort.
Added clientReplyContext::setReplyToReply() and
StoreEntry::storeErrorResponse() to handle storing of a response to an FTP
command parsing error. The old code was using ErrorState to store parsing
errors, but ErrorState is still HTTP-specific and cannot relay the right FTP
codes/reasons to the user. The setReplyToReply() sounds silly but it matches
the existing setReplyTo*() naming scheme well.
Make sure parsed native FTP command tokens are not even close to the String
buffer limit. These checks are not a firm guarantee, but are better than
nothing until we replace String.
Handle ClientSocketContext registration centrally because all parsers need it.
Call quitAfterError() on fatal native FTP errors. Probably not necessary due
to fssError handling code that closes the FTP control connection, but adds
helpful debugging and brings us closer to the HTTP error handling code.
author: Alex Rousskov <rousskov@measurement-factory.com>
Use v3 for fake certificate if we add _any_ certificate extension.
We used to force v3 version only when adding the subjectAltName extension.
That broke sites that did not have subjectAltName but used other mimicked x509
extensions, when accessed through Firefox 31 (at least):
https://bugzilla.mozilla.org/show_bug.cgi?id=1045973
projects / thirdparty / squid.git / log
