Amos Jeffries [Mon, 8 Dec 2014 12:05:17 +0000 (04:05 -0800)]
HTTP/2: Support 421 (Misdirected Request) status code
Add support for status 421 responses. Squid is forbidden from generating
messages with this status in its role as proxy, however we expect to see
it being produced in responses by HTTP/2 servers in traffic from HTTP
2.0<->1.1 gateways.
We also MAY emit it on future reverse-proxy responses in the event of a
ERR_CANNOT_FORWARD message.
Amos Jeffries [Wed, 3 Dec 2014 12:06:59 +0000 (04:06 -0800)]
Alternate-Protocol is a hop-by-hop header
Google are pushing Alternate-Protocol header to arbitrarily move clients
from HTTP to their experimental and proprietary protocols.
When relayed through a proxy this can cause traffic bifurcation with
side effects ranging from client visible failures, to traffic increase
on the network as proxy caching is bypassed, to security vulnerabilities
or privacy information leaks over the experimental protocol.
By treating the Alternate-Protocol header as a hop-by-hop header only
relevant on client->origin connections we can both prevent the above
issues occuring on networks utilizing a proxy, and also participate in
the protocol exprimentation process ourselves.
The certificate db size file may become empty (for reasons beyond Squid
control such as server reboots, and possibly some unknown Squid bugs).
When it becomes empty, all ssl_crtd helpers (and then Squid) quit. This
change is required to make ssl_crtd more robust by recovering lost db
size information.
This patch:
- Adds the "size" rebuild operation in CertificateDB and ssl_crtd
daemon. Rebuild ssl_db/size file if it is empty:
* Inside Ssl::CertificateDb::check method
* When a CertificateDB operation try to read size from ssl_db/size file
- If no fs_block_size parameter given for CertificateDB then consider a
default value of 2048. Currently set to 0, which is may cause segfault to
ssl_crtd daemon.
Bug 4102: sslbump cert contains only a dot character in key usage extension
The patch for bug 3966 was slightly incorrect. As a result the Key Usage
field for SSL-bump mimic'ed certificates could end up containing only a
dot (.) character.
Amos Jeffries [Thu, 16 Oct 2014 19:22:37 +0000 (12:22 -0700)]
Bug 3803: ident leaks memory on failure
Begin the process of conversion for IdentStateData to an AsyncJob.
* convert the object from CBDATA struct to a class with
CBDATA_CLASS2() API.
* Bug 3803 is caused by a lack of proper cleanup and consistent exit
actions terminating the job. Take the core logic changes from the
tested bug patch and;
1) define a swanSong() method to cleanup the memory allocated
2) define a deleteThis() method to emulate AsyncJob::deleteThis()
* Locate all code paths leveraging conn->close() to trigger cleanup
via the connection close handler and convert to explicit deleteThis()
with excuse. Including a few which were not but need to in order to
terminate the job correctly as fixed in bug 3803 patch.
The actions performed are nearly identical to the original code. The
differences are that many code paths now omit an AsyncCall step going
via the Comm close handler, and that all paths terminating the IDENT
lookup now go through swanSong() cleanup.
Further cleanup converting to a full AsyncJob is not included, since
there is an explicit hash of running IdentStateData object pointers
being used in the old code.
Amos Jeffries [Thu, 16 Oct 2014 18:39:55 +0000 (11:39 -0700)]
CBDATA: log memory leak situations when --enable-debug-cbdata
CBDATA objects are supposed to be explicitly locked and unlocked by all
users. The nominal 'owner' of the data is also supposed to mark it as
invalid when unlocking its reference.
If a CBDATA object reaches 0 locks and is still valid, it therefore
follows that either the locking or invalidate has not been properly
implemented.
Now that we are migrating to CbcPointer usage instead of explicit
lock/unlock macro calls we have started encountering these situations.
Any object reporting a 'leak' must be investigated;
a) perhapse RefCount is better?
b) using CbcPointer consistently and invalidating correctly.
Amos Jeffries [Thu, 9 Oct 2014 11:53:28 +0000 (04:53 -0700)]
Bug 4088: memory leak in external_acl_type helper with cache=0 or ttl=0
ExternalACLEntry / external_acl_entry objects have been abusing the
CBDATA API for reference counting and since 3.4 this has resulted in
hidden memory leaks as object accounting shows all locks released but
the memory is not freed by any 'owner'.
* convert to using RefCount<> API.
* move ExternalACLEntry pre-define to acl/forward.h
* add ExternalACLEntryPointer in acl/forward.h
* convert LookupDone() method to using explicit typed pointer
* convert from CBDATA_CLASS to MEMPROXY_CLASS memory management.
* convert almost all raw ExternalACLEntry* to Pointer
- remaining usage is in the cache hash pointers. Use an explicit 'cachd'
lock/unlock until this hash is updated to std:: structure types.
Alex Rousskov [Tue, 26 Aug 2014 16:22:01 +0000 (09:22 -0700)]
Use v3 for fake certificate if we add _any_ certificate extension.
We used to force v3 version only when adding the subjectAltName extension.
That broke sites that did not have subjectAltName but used other mimicked x509
extensions, when accessed through Firefox 31 (at least):
https://bugzilla.mozilla.org/show_bug.cgi?id=1045973
Fix %USER_CA_CERT_* and %CA_CERT_ external_acl formating codes
* The attribute part of the %USER_CA_CERT_xx and %CA_CERT_xx formating codes
is not parsed correctly, make these formating codes useless.
* The %USER_CA_CERT_xx documented wrongly
Joe Crayne [Sun, 13 Jul 2014 03:15:01 +0000 (21:15 -0600)]
Bug 3966: Add KeyEncipherment when ssl-bump substitues RSA for EC.
Libnss3, which is used by Firefox to verify the certificate chain, has
different requirements for RSA keys than it does for EC keys. In particular,
RSA keys with the keyUsage extension, must set the KeyEncipherment flag.
This fix was brought to you by the Samizdat project.
http://samizdat.childrenofmay.org
Non https connectiona on SSL-bump enabled port may stuck
This is can be seen on skype when try to connect to server using an
SSL-bump enabled squid port. Squid try to bump the connection, waiting
for ever
the ssl protocol header, and skype client waits for ever an answer from
the
server.
This patch sets the timeout to Config.Timeout.request (request_timeout)
Alex Rousskov [Sat, 21 Jun 2014 04:22:39 +0000 (22:22 -0600)]
Do not leak implicit ACLs during reconfigure.
Many ACLs implicitly created by Squid when grouping multiple ACLs were
not
destroyed because those implicit ACLs where not covered by the global
ACL
registry used for ACL destruction.
See also: r13210 which did not go far enough because it incorrectly
assumed
that all InnerNode() children are aclRegister()ed and, hence, will be
centrally freed.
Also, do not use cbdataFree() on non-POD Acl::Tree objects that have
destructors.
Amos Jeffries [Sat, 21 Jun 2014 04:19:58 +0000 (22:19 -0600)]
Portability: use 64-bit for X-Cache-Age header
While the value is expected to be well within 32-bit range some OS
(OpenBSD 5.5 at least) use 64-bit time_t. Use the larger type size for
calculations which also removes 32-bit wrap errors, and cast for older
systems.
Amos Jeffries [Sat, 21 Jun 2014 04:19:19 +0000 (22:19 -0600)]
Windows: fix various libip build issues
* Missing include ws2tcpip.h for IPv6 definitions
* Alternative IN6_ARE_ADDR_EQUAL definition required
* 'byte' is a reserved / system defined type on Windows,
resolve variable shadowing by renaming to ipbyte.
Alex Rousskov [Tue, 3 Jun 2014 07:12:54 +0000 (01:12 -0600)]
Do not leak ex_data for SSL state that survived reconfigure.
SSL_get_ex_new_index() allocates a new index on every call, even if its
parameters remain unchanged. It should be called once per process
lifetime.
Besides leaking, this 12 year-old(!) bug could probably make some SSL
code misbehave during reconfigure because reconfigure would change the
supposedly constant ex_data indexes.
Alex Rousskov [Tue, 3 Jun 2014 07:10:53 +0000 (01:10 -0600)]
Do not register the same Cache Manager action more than once
... to avoid wrong mgr:menu output and the impression of a reconfigure
memory leak.
The old code was comparing action object pointers, which could not work,
and was adding the same action on every reconfigure call for modules that
register with Cache Manager during [re]configuration.
We already have a working method for finding registered actions. Use it.
Currently note values printed with "%note" formating code, which contain non
alphanumeric characters, were quoted and quotes were then escaped, resulting
in bizarre logged rendition of empty or simple values (often received from
various helpers):
%22-%22
%22Default_Google%22
%22pg13,US%22
This patch:
- does not use quotes to print annotations
- allow system admin to define a separator to use for logged
annotations. The %note logformat accepts the following argument:
[name][:separator]
The separator can be one of the ',' ';' or ':'.
By default, multiple note values are separated with "," and multiple
notes are separated with "\r\n". When logging named notes with
%{name}note, the explicitly configured separator is used between note
values. When logging all notes with %note, the explicitly configured
separator is used between individual notes. There is currently no way to
specify both value and notes separators when logging all notes with %note.
- makes the Format::Token::data a struct (now is a union) and initialize
Format::Token::data data members in Format::Token::Token constructor.
Amos Jeffries [Fri, 2 May 2014 07:49:18 +0000 (00:49 -0700)]
Resolve 'dying from an unhandled exception: c'
CbcPointer<> is used from code outside of Job protection where it is
safe to use Must(). In order to get a useful backtrace we need to assert
immediately at the point of failure. Particularly necessary since these
are in generic operators used "everywhere" in the code.
Anatoli [Fri, 2 May 2014 07:47:32 +0000 (00:47 -0700)]
Fix order dependency between cache_dir and maximum_object_size
parse_cachedir() has a call to update_maxobjsize() which limits the
store_maxobjsize variable used as the internal maximum_object_size
variable of the store data structure) to the value of maximum_object_size
defined at the moment of execution of this function, for all stores (all
store directories). So if parse for cache_dir is called before
maximum_object_size, we get the effect of the default 4 MB.
BUT, when we get to parse maximum_object_size line(s) after the last
cache_dir, the maximum_object_size option is processed and only shown on
the cachemgr config page without having updated store_maxobjsize.
This is may cause problems in some cases where the code assume that the MemBuf
is always NULL terminated. For example when an ErrorState object try to use
an empty errorpage template.
This patch terminates the (empty) MemBuf on MemBuf::init method.
C++11: Upgrade auto-detection to use the formal -std=c++11
When the latest compilers added support for -std=c++11 they also dropped
the temporary -std=c++0x option without backward-compatible support. So
for the newest compilers we have not been testing the C++11 code.
As a result of this change Squid will no longer attempt to enable the
partial support in older compilers with -std=c++0x.
Also, update the compiler option test macro from autoconf project.
This patch fixes the following bug:
1) A user sends a CONNECT request with valid credentials
2) Squid checks the credentials and adds the user to the user cache
3) The same user sends a CONNECT request with invalid credentials
4) Squid overwrites the entry in the user cache and denies the second
CONNECT request
5) The user sends a GET request on the first SSL connection which is
established by now
6) Squid knows that it does not need to check the credentials on the
bumped connection but still somehow checks again whether the user is
successfully authenticated
7) Due to the second CONNECT request the user is regarded as not
successfully authenticated
8) Squid denies the GET request of the first SSL connection with 403
ERR_CACHE_ACCESS_DENIED
On proxies with Basic authentication and SSL bumping, this can be used
to prevent a legitimate user from making any HTTPS requests
Alex Rousskov [Sun, 9 Mar 2014 01:48:00 +0000 (18:48 -0700)]
Avoid assertions on Range requests that trigger Squid-generated errors.
Added HttpRequest::ignoreRange() to encapsulate range ignoring logic.
Currently the new method only contains the code common among all callers. More
work is needed to check whether further caller homogenization is possible.
Documented that ClientSocketContext::getNextRangeOffset() may sometimes be
called before it is ready to do its job.
Amos Jeffries [Sun, 9 Mar 2014 01:47:23 +0000 (18:47 -0700)]
Protect MemBlob::append() against raw-space writes
There is no guarantee that the 'unused' area of MemBlob is actually
unused. For example if a read buffer was being filled into the
rawSpace() of a SBuf or MemBlob it will overlap with this empty area
until a read call updates the related size state in MemBlob/SBuf.
For these cases we must use memmove() which guarantees no buffer
corruption will take place on memory overlaps.
Amos Jeffries [Sun, 9 Mar 2014 01:45:37 +0000 (18:45 -0700)]
Copyright: Relicense helpers by Treehouse Networks Ltd.
Update the license on helper code designed and authored by myself using
the BSD 2-clause license. This makes the example helper code and license
more legally acceptible for use as a basis of proprietary helpers while
remaining compatible with GPL for distribution with Squid.
Amos Jeffries [Sun, 9 Mar 2014 01:44:07 +0000 (18:44 -0700)]
Portability: define CMSG related structures individually
Some OS provide the CMSG related definitions and others only partially
define them. Sometimes (Windows particularly) this varies between build
environments.
Checking for each symbol separately and providing only those needed
avoids problems we have been having with missing or redefined symbols
on Windows and elsewhere.
Amos Jeffries [Wed, 5 Mar 2014 02:50:43 +0000 (19:50 -0700)]
Fix helper ID number assignment
Since helpers are now dynamically started the old method of allocating
an ID number based on the current start sequence can result in many
helpers being assigned overlapping ID numbers.
Use InstanceID template instead to assure a unique incremental ID is
assigned to each helper no matter when it is started.
1) The dynamic_cert_mem_cache_size does not change on reconfigure
2) When dynamic_cert_mem_cache_size of http_port set to 0 then:
a) The dynamic certs cache is grow unlimited.
This patch just disables certificates caching when this option set to 0.
b) Huge amount of memory appeared as free cache memory in "Cached ssl
certificates statistic" page of cache manager.
This problem caused because of a signed to unsigned int conversion.