Amos Jeffries [Thu, 19 Feb 2015 02:50:51 +0000 (18:50 -0800)]
basic_nis_auth: fail authentication on crypt() failures
... instead of crashing the helper.
"
Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/
NULL return) if the salt violates specifications. Additionally, on
FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords passed to
crypt() fail with EPERM (w/ NULL return).
"
Amos Jeffries [Thu, 19 Feb 2015 02:48:23 +0000 (18:48 -0800)]
basic_getpwnam_auth: fail authentication on crypt() failures
... instead of crashing the helper.
"
Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL (w/
NULL return) if the salt violates specifications. Additionally, on
FIPS-140 enabled Linux systems, DES or MD5 encrypted passwords passed to
crypt() fail with EPERM (w/ NULL return).
"
Problem description:
- Squid sslproxy_options deny the use of TLSv1_2 SSL protocol:
sslproxy_options NO_TLSv1_2
- Squid uses peek mode for bumped connections.
- Web client sends an TLSv1_2 hello message and squid in peek mode, forwards
the client hello message to server
- Web server respond with an TLSv1_2 hello message
- Squid while parsing server hello message aborts with an error because
sslproxy_options deny the use ot TLSv1_2 protocol.
This patch fixes squid to ignore sslproxy_options when peek or stare bumping
mode selected on bumpStep2 bumping step.
The sslproxy_options applied if bump (server-first or client-first) mode
selected on bumpStep1 or bumpStep2 bumping step.
Also applied for "GET https://..." requests.
The original intent for this option was to improve caching. However
HTTP/1.1 permits caching of authenticated messages under conditions
which Squid does check for and obey already.
The legacy popularity of this option from old Squid without the HTTP/1.1
compliant behaviour is now just forming a security and privacy abuse.
Amos Jeffries [Tue, 10 Feb 2015 22:55:58 +0000 (14:55 -0800)]
Parser-NG: HTTP request-line parser replacement
Converts the request-line parse method from a char* string parser to
using ::Parser::Tokenizer based processing.
* The characters for each token are now limited to the RFC 7230
compliant values. The URI is taken as a whole token and characters which
are valid in only one sub-token segment are accepted regardless of their
position. In relaxed parse that is extended beyond the valid URI
characters to include the whitespace characters.
* Whitespace tolerance is extended to include "binary" whitespace VTAB,
HTAB, CR and FF characters specified in RFC 7230.
* The Squid specific tolerance for whitespace prefix to method is
removed. RFC 2730 clarifies that tolerance before request-line is
specfifically and only for whole empty lines (sequences of CRLF or LF).
* The unit tests are extended to check strict and relaxed parse within
the new characterset limits. Drip-feed incremental test updated to check
both parser modes explicitly.
* ::Parser:Tokenizer is extended with methods to skip or retrieve a
token at the suffix of the stored buffer. This is used by the whitespace
tolerant parse to process the URL and HTTP-version tokens from the line
"backwards" from the LF position.
CoAdvisor and Polygraph show no differences. Which is expected since
coadvisor does not test RFC 7230 edge cases (yet), and polygraph is not
stressing incremental parse capabilities.
Eldar Akchurin [Tue, 10 Feb 2015 03:44:32 +0000 (19:44 -0800)]
Bug 4073: Cygwin compile errors
Remove the definition of _SQUID_WINDOWS_ for Cygwin builds. The blend
of win32 and Linux environments is sufficiently different to have major
build issues. We have a precedent in kFreeBSD blend of BSD and Linux to
consider Cygwin a blend and first-class OS.
Also, temporarily disable the Win32-specific libraries and objects until
they can be properly tested.
Fix some small remaining compile errors after the above.
Cygwin Windows build is sponsored by Diladele B.V.
Amos Jeffries [Fri, 6 Feb 2015 21:23:19 +0000 (13:23 -0800)]
Fix for Coverity Scan false positives in SBuf
Coverity scanner gets badly confused with SBuf::npos being used as
default parameter value, even though its used to indicate that
strlen() needs to be used on the string.
This is an experiment to see if it gets less confused by having
explicit overloads for the two cases and not using SBuf::npos value
in relation to the unknown length c-strings.
Amos Jeffries [Fri, 6 Feb 2015 20:09:03 +0000 (12:09 -0800)]
Fix crash when parsing invalid squid.conf
If a time value is going to overflow with default units the
critical debugs() can trigger a segfault instead of logging
and aborting Squid with self_destruct().
Amos Jeffries [Fri, 6 Feb 2015 12:46:54 +0000 (04:46 -0800)]
Add tolerance for whitespace within URI
RFC 7231 advises that there are still clients failing to properly encode
characters within URI. Tolerant parsers should accept that, and later
'reject' with a redirection to a properly encoded form of the URL.
Amos Jeffries [Wed, 4 Feb 2015 21:37:28 +0000 (13:37 -0800)]
Drop unused cbdata.h definitions and re-document
Remove the now unused cbdataFree, cbdataAlloc, CBDATA_TYPE,
CBDATA_INIT_TYPE, CBDATA_INIT_TYPE_FREECB symbols.
Re-write CBDATA documentation to reflect the current available
API symbols, their usage, and mechanisms that should be used
instead of CBDATA such as AsyncJob/Call and RefCount.
Along with some doxygen polishing to meet currently agreed
style for how to document major code features.
Make generic_cbdata::data a private member. The constructor
and unwrap() operator provide all necessary public API.
Replace store_client.cc use of cbdataInternalLock/Unlock with
a CbcPointer<> smart pointer equivalent. The use remains an
abuse of CBDATA, just no longer directly referencing the
internal API functions.
Amos Jeffries [Wed, 4 Feb 2015 17:38:27 +0000 (09:38 -0800)]
Fix some cbdataFree related memory leaks
The delete operator should have been called for these objects after
previous code changes converted them to CBDATA_CLASS. As a result any
member objects relying on their destructor to cleanup were being leaked.
Also, make generic_cbdata::data a private member. The unwrap() method is
easily used now.
Amos Jeffries [Sun, 1 Feb 2015 21:25:46 +0000 (13:25 -0800)]
Cleanup: migrate CachePeer to CBDATA_CLASS API
Replace the alloc/free for CachePeer with new/delete from
the CBDATA_CLASS API.
Shuffle class member default values to constructor.
Shuffle class cleanup code from the (3!) different mechanisms
where it was being done to the class destructor. Also
releasing some memory which was previously leaked on
reconfigure.
Drop the now unused CBDUNL type definition and peerDestroy()
cleanup handler for CachePeer.
Amos Jeffries [Sat, 31 Jan 2015 19:09:22 +0000 (08:09 +1300)]
Per-rule refresh_pattern matching statistics
.. to make it blindingly obvious from the cachemgr report which rules
are completely useless. Such as when the global dot pattern (.) is
placed ahead of custom rules, or one rules pattern is always a subset
of an earlier pattern.
This also allows sysadmin to tune refresh_pattern ordering so most
commonly matching rules are first.
Amos Jeffries [Sat, 31 Jan 2015 14:10:25 +0000 (06:10 -0800)]
Stop emitting (Proxy-)Authentication-Info for Negotiate
This header is not defined for use by RFC 4559, and there seem to
be no clients actually using it.
The syntax Squid was using to emit the details was also clashing
with the syntax defined for use in Digest which is becoming the
standardized ABNF syntax for the header in general.
Amos Jeffries [Sun, 25 Jan 2015 04:48:21 +0000 (20:48 -0800)]
Remove dst ACL dependency on HTTP request message existence
The ACL checklist dst_addr member can be used in cases where the HTTP
message is not provided. Such as ssl_bump, ICAP outgoing IP, or peer
selection probes.
When he prefix() method is passed a set limit for characters to scan and
the matched characters do reach that limit the entire Tokenizer buffer
content is consumed and returned.
Correct operation is to only consume and return the matched characters.
Add missing root CAs when validating chains that passed internal checks.
When internal checks found no certificate errors, Squid does not include root
CA certificate in certificates chain sent to the certificate validator. Squid
just sent the certificates chain sent by the SSL server.
This patch stores the full certificates list built by OpenSSL while validating
the SSL server certificates chain, even if no certificate error found and sends
this list to certificate validator.
Amos Jeffries [Thu, 22 Jan 2015 12:54:08 +0000 (04:54 -0800)]
RFC 7230 compliant request-line parser based on Tokenizer API
Refactor the request-line parser using a Tokenizer.
RFC 7230 requirements provide field terminator/delimiter limitations and
character sets for token validation. Also provides definitions of
boundaries for relaxed/tollerant parsing without needing Squid-specific
RFC violations.
This implementation is slightly stricter regarding whitespace in URLs
than previous implementation. It obeys a SHOULD requirement in RFC 7230
regarding responding with 400 status to those broken request messages.
Set cap_net_admin capability when Squid sets TOS/Diffserv packet values.
In capabilities-capable environments (e.g., Linux with libcap), CAP_NET_ADMIN
capability is required to honor clientside_tos and tcp_outgoing_tos
directives. The code was setting that capability when Netfilter marks or
tproxy was enabled, but missed the clientside_tos and tcp_outgoing_tos cases.
Moved PID file management from Coordinator to Master.
This move is the first step necessary to avoid the following race condition
among PID file deletion and shared segment creation/destruction in SMP Squid:
O1) The old Squid Coordinator removes its PID file and quits.
N1) The system script notices Coordinator death and starts the new Squid.
N2) Shared segments are created by the new Master process.
O2) Shared segments are removed by the old Master process.
N3) New worker/disker processes fail due to missing segments.
TODO: The second step (not a part of this change) is to delete shared memory
segments before PID file is deleted (all in the Master process after this
change).
Now the Master process receives signals and is responsible for forwarding them
to the kids.
The kids does not install default signal handler for shudown signals (SIGINT,
SIGTERM) after a signal received. If a second shutdown signal is received then
squid imediatelly terminates the event loop and exits.
When the "kill-parent-hack" is enabled the kids are sending the kill signal
to master process and master process forward it to other kids too.
Also a small regression added: The PID file can no longer be renamed using
hot reconfiguration. A full Squid restart is now required for that.
When the force_request_body_continuation access list is configured squid is
sends 100-Continue responses to all HTTP GET messages unless the admin
is very careful with the ACLs. This can be reproduced trivially with
force_request_body_continuation allow all
We should not evaluate force_request_body_continuation if the request
does not include "Expect: 100-continue" header.
Amos Jeffries [Sun, 18 Jan 2015 16:34:13 +0000 (08:34 -0800)]
Support rotate=N option on access_log
Add a rotate=N option to access_log directive to set per-log what the
retained log count will be. At present it is only used by the stdio:
logging module, which is also the only one to use logfile_rotate
directive.
If this option is absent (as will be the common case) the log rotation
defaults to using the value of logfile_rotate directive.
Also, add missing dump output of other access_log options if they differ
from the defaults.
The use-cases for this are:
1) Unix fifo logging requires all the stdio: module operations except
that the normal rotate/rename operation is NOT performed on the fifo
socket. It makes more sense to add this option which can also meet case
#2 than to create a whole new module just for fifo.
2) managing only some access_log files with a third-party log manager.
Those specific logs need rotate=0, but the Squid managed logs may
require non-0 values.
projects / thirdparty / squid.git / log
