Amos Jeffries [Tue, 30 Dec 2014 13:40:33 +0000 (05:40 -0800)]
Fix 64-bit compile issues in rev.13785
The Nettle 3.0 library API imported and used by rev.13785 defines
function symbols with size_t parameters where earlier libraries used
'unsigned'. This matters on 64-bit systems where unsigned is an 'int'
and size_t a 'long' - implicit conversion is not possible.
Explicitly detect the size_t API existence during ./configure time and
use the built-in logic if the supplied Nettle library is an older version.
Amos Jeffries [Tue, 30 Dec 2014 10:22:29 +0000 (02:22 -0800)]
basic_msnt_multi_domain_auth: Superseded by basic_smb_lm_auth
This helper consisted of a Perl script requiring the special Perl
SMB:Authen module and the Samba nmblookup helper to operate.
It performs the same operations as basic_smb_lm_auth helper,
so is not actually needed.
It also contains a slightly ambiguous copyright license as it
was published to the squid-users mailing list as effectively
Public Domain, free for any use, but without an explicit statement
to that effect.
Amos Jeffries [Tue, 30 Dec 2014 09:09:27 +0000 (01:09 -0800)]
Crypto-NG: Base64 crypto replacement
The existing Squid base64 code had ambiguous copyright licensing. In
particular it only referenced a dead URL for source copyright
ownership details. In all likelihood this was for an Open Source
implementation, but we don't have sufficient record of the original
license terms to be certain without a long investigation.
It has also been heavily modified and customized over the decades
since importing, which complicates the issue a lot.
It also does not match any of the common industry context-based API
patterns for encoders/decoders.
This patch replaces that logic with GPLv2 licensed code from the
Nettle crypto library, either linking the library dynamically or, in
its absence, embedding the logic via our libmiscencoding library.
It also updates all code to the new API, and as a byproduct removes
several layers of deprecated wrapper functions which have grown in
over the years.
This patch adds a new configuration option, 'pconn_lifetime', to allow
users to set the desired maximum lifetime of a persistent connection.
When set, Squid will close a now-idle persistent connection that
exceeded the configured lifetime instead of moving the connection into
the idle connection pool (or equivalent). No effect on ongoing/active
transactions. Connection lifetime is the time period from the
connection acceptance or opening time until "now".
This limit is useful in environments with long-lived connections
where Squid configuration or environmental factors change during a
single connection lifetime. If unrestricted, some connections may
last for hours and even days, ignoring those changes that should
have affected their behavior or their existence.
This option has the following behaviour when pipelined requests are sent
over a connection whose lifetime has expired:
1. finish interpreting the Nth request, then check whether pconn_lifetime
   has expired
2. if pconn_lifetime has expired, then stop further reading and
   do not interpret any already read raw bytes of the N+1st request
3. otherwise, read and interpret the raw bytes of the N+1st request
   and go to #1.
Amos Jeffries [Sun, 21 Dec 2014 16:28:17 +0000 (08:28 -0800)]
Windows: fix getaddrinfo, getnameinfo, inet_ntop and inet_pton detection
These API symbols are not always defined as functions, and in varying
locations. AC_REPLACE_FUNCS cannot handle that kind of complexity so we
must use AC_CHECK_DECL instead and provide the sequence of #includes
necessary to identify their existence.
Markus Moeller [Fri, 19 Dec 2014 22:16:42 +0000 (14:16 -0800)]
negotiate_kerberos_auth: MEMORY keytab and replay cache support
1) Checks for MEMORY: keytab support and reads the keytab from disk into
MEMORY to improve performance (i.e. read the keytab only at startup and
never again)
2) Add option for replay cache type. Allows setting the replay cache to
none to improve performance (may reduce security a bit)
3) Add option for replay cache directory. If /var/tmp is not the best
location you can choose a different location.
Fix peek-and-splice mode: certificate validation for domain mismatched errors
Currently squid does not check for domain mismatched errors while validating
the server certificate in peek-and-splice mode, even if the server hostname is
known from SNI info or from the CONNECT request string.
Amos Jeffries [Fri, 19 Dec 2014 16:26:44 +0000 (08:26 -0800)]
MemPool the debug output stream buffers
The CurrentDebug output stream controller for cache.log was
defined as a std::ostringstream object and allocated with
new/delete on each call to debugs().
The std::ostringstream is defined as a templated output stream
which uses the std::allocator<char> built into libc when it is
new()'d. Since this is all internal to the STL library
definitions it links against the libc global-scope allocator.
However, there is no matching deallocator definition and when
the object is delete()'d the standard C++ operator overloading
rules make the global-scope SquidNew.h definition of
::operator delete() be the method of deallocation. That uses
free() internally.
To resolve the mismatch of new()/free() we must define a
wrapper class with explicit class-scope new/delete operators
instead of relying on weak linkages to overloaded global scope
operators.
As a result the memory is new()'d and free()'d, as detected by
Valgrind.
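As an added illustration (not Squid's own code) of the class-scope operator pairing the message describes, the wrapper below routes both allocation and release of the stream object through one allocator and counts each side so a test can confirm they balance; the class name, counters and oneDebugsCall() are assumptions.

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>
#include <sstream>

// Hypothetical counters: every class-scope new must be matched by a
// class-scope delete, otherwise these drift apart (what Valgrind reported
// for the new()/free() mismatch).
static int g_allocs = 0;
static int g_frees = 0;

// Wrapper around std::ostringstream with explicit class-scope operators.
// Name lookup finds these before any global ::operator new/delete, so the
// object is obtained and released by the same allocator (malloc/free here).
class DebugStream : public std::ostringstream {
public:
    static void *operator new(std::size_t sz) {
        void *p = std::malloc(sz);
        if (!p)
            throw std::bad_alloc();
        ++g_allocs;
        return p;
    }
    static void operator delete(void *p) noexcept {
        if (p) {
            std::free(p);
            ++g_frees;
        }
    }
};

// Mimics one debugs() call: allocate the stream, write into it, release it.
// Returns the number of characters the stream held, for checking.
int oneDebugsCall(const char *msg) {
    DebugStream *s = new DebugStream();
    *s << msg;
    const int len = static_cast<int>(s->str().size());
    delete s;  // class-scope delete: frees with free(), matching malloc()
    return len;
}

// True once at least one allocation happened and all were released.
bool allocationsBalanced() {
    return g_allocs > 0 && g_allocs == g_frees;
}
```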
Amos Jeffries [Thu, 18 Dec 2014 12:12:33 +0000 (01:12 +1300)]
Bug 1961, Bug 429: Add asterisk to class URL
This does not yet perform any of the outgoing request mapping from
path-less URI required by current RFC 7231.
Squid already allows these URIs in OPTIONS and TRACE requests (only).
It does make a start by cleaning up the current special case handling of
"*" URI to be matched by the URI class/namespace method and SBuf
comparisons instead of c-strings.
Support http_access denials of SslBump "peeked" connections.
If an SSL connection is "peeked", it is currently not possible to deny it
with http_access. For example, the following configuration denies all plain
HTTP requests as expected but allows all CONNECTs (and all subsequent
encrypted/spliced HTTPS requests inside the allowed CONNECT tunnels):
http_access deny all
ssl_bump peek all
ssl_bump splice all
The bug results in insecure bumping configurations and/or forces admins to
abuse ssl_bump directive (during step1 of bumping) for access control (as a
partial workaround).
This change sends all SSL tunnels (CONNECT and transparent) through http_access
(and adaptation, etc.) checks during bumping step1. If (real or fake) CONNECT is
denied during step1, then Squid does not connect to the SSL server, but bumps
the client connection, and then delivers an error page (in response to the
first decrypted GET). The behavior is similar to what Squid has already been
doing for server certificate validation errors.
Technical notes
----------------
Before these changes:
* When a transparent SSL connection is being bumped, if we decide to splice
during step1, then we splice the connections without any http_access
checks. The (spliced) connection is always established.
* When a CONNECT tunnel is being bumped at step1, if peek/stare/server-first
mode is selected, and our http_access check fails, then:
1) We create an error page and proceed with SSL bump, expecting
to serve the error after the client SSL connection is negotiated.
2) We start forwarding SSL Hello to the server, to peek/stare at (or
server-first bump) the server connection.
3) If we then decide to splice the connection during step2 or step3, then
we splice, and the error page never gets served to the client!
After these changes:
* During transparent SSL bumping, if we decide to splice at step1, do not
splice the connection immediately, but create a fake CONNECT request first
and send it through the callout code (http_access check, ICAP/ECAP, etc.).
If that fake CONNECT is denied, the code path described below kicks in.
* When an error page is generated during CONNECT or transparent bumping
(e.g. because an http_access check has failed), we switch to the
"client-first" bumping mode and then serve the error page to the client
(upon receiving the first regular request on the bumped connection).
Bug 4164: SEGFAULT when %W formatting code used in errorpages
Squid will crash inside ErrorState::Dump if no authentication is configured for
squid. In this case ErrorState::auth_user_request is NULL and trying to access
a method of this object will cause squid to segfault.
Hussam Al-Tayeb [Tue, 16 Dec 2014 12:23:58 +0000 (01:23 +1300)]
Bug 3826: pt 2: Provide a systemd .service file for Squid
Created with help from davidstrauss in #systemd channel and provided
as a working example for package distributors to use. It is not
installed by a 'make install' build of Squid.
For now SMP support is not available to Squid controlled by systemd.
That part of the bug 3826 issue has yet to be resolved.
Amos Jeffries [Thu, 11 Dec 2014 08:35:32 +0000 (00:35 -0800)]
Update Http::ProtocolVersion() to initializer functions
The Http::ProtocolVersion(*) does not work sufficiently well as a class
hierarchy.
Convert Http::ProtocolVersion to two functions:
* Http::ProtocolVersion() providing the default Squid HTTP version
level, and
* Http::ProtocolVersion(unsigned, unsigned) providing the HTTP version
details for the given level.
NP: using two overloaded functions instead of one with default
parameter values because with HTTP/0.x and HTTP/2.x we cannot safely
default just the minor value, i.e. using two functions prevents
mistakenly using HTTP/2.1, HTTP/0.1 or HTTP/1.0 if the second
parameter is omitted.
All variables must now be of type AnyP::ProtocolVersion, and should be
constructed from an appropriate Foo::ProtocolVersion() function.
Amos Jeffries [Mon, 8 Dec 2014 11:25:58 +0000 (03:25 -0800)]
Update localnet definition for RFC 6890
RFC 6890 details updated IP address reservations for Carrier-Grade NAT
and confirms registration of the "this" network range legitimacy amongst
other non-relevant address range allocations.
Amos Jeffries [Fri, 5 Dec 2014 13:02:46 +0000 (05:02 -0800)]
HTTP/2: handle 'PRI' method found in HTTP/1.x traffic
draft-ietf-httpbis-http2-16 section 11.6 registers the method PRI.
"This method is never used by an actual client.
This method will appear to be used when an HTTP/1.1 server or
intermediary attempts to parse an HTTP/2 connection preface."
If seen with a non-2.0 version number it means some client or proxy has
mishandled an HTTP/2.0 connection preface and corrupted the traffic.
The url_rewrite_timeout directive can accept the on_timeout argument to allow
the user to configure the action when the helper request times out.
The available actions are:
fail: squid returns an ERR_GATEWAY_FAILURE error page
bypass: the url is not rewritten.
retry: retry the request to the helper
use_configured_response: use a response which can be configured using
the response= option
Example usage:
url_rewrite_timeout 30 seconds \
on_timeout=use_configured_response \
response="OK url=http://example.com/support"
Amos Jeffries [Wed, 3 Dec 2014 15:13:08 +0000 (07:13 -0800)]
HTTP/2: Support 421 (Misdirected Request) status code
Add support for status 421 responses. Squid is forbidden from generating
messages with this status in its role as proxy, however we expect to see
it being produced in responses by HTTP/2 servers in traffic from HTTP
2.0<->1.1 gateways.
We also MAY emit it on future reverse-proxy responses in the event of an
ERR_CANNOT_FORWARD message.
Amos Jeffries [Wed, 3 Dec 2014 14:12:12 +0000 (06:12 -0800)]
Bug 4135: Support \-escaped character in regex patterns
Squid cannot parse regex patterns as quoted strings since the pattern may
itself contain quote characters as part of the syntax.
Since we updated the squid.conf ConfigParser it is now possible to
handle regex patterns containing quoted-pair (\-escaped) characters
properly.
Add support for escaping by detecting the '\' characters as token
delimiters, and explicitly skipping the following character regardless
of whether it is a SP or not.
Escape detection is only added during parsing of regex tokens or
files listing regex patterns.
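Added example (not Squid's ConfigParser) of the quoted-pair tokenizing the message describes: a backslash and the character after it, space or not, stay inside the current token, and validRegexCount() uses POSIX regcomp() to show that the resulting tokens are still compilable patterns while a naively split token ending in a bare backslash is not. Function names are assumptions.

```cpp
#include <regex.h>
#include <cstddef>
#include <string>
#include <vector>

// Split one line of a regex list into tokens. A '\' introduces a quoted
// pair: the backslash and the following character are kept in the current
// token unconditionally, so an escaped SP or TAB does not end the token.
std::vector<std::string> regexTokens(const std::string &line)
{
    std::vector<std::string> tokens;
    std::string cur;
    for (std::size_t i = 0; i < line.size(); ++i) {
        const char c = line[i];
        if (c == '\\') {
            cur += c;
            if (i + 1 < line.size())
                cur += line[++i];   // consume the escaped char, whatever it is
            continue;
        }
        if (c == ' ' || c == '\t') {
            if (!cur.empty()) {
                tokens.push_back(cur);
                cur.clear();
            }
            continue;
        }
        cur += c;
    }
    if (!cur.empty())
        tokens.push_back(cur);
    return tokens;
}

// Count how many tokens compile as POSIX extended regexes. A token cut off
// just after a backslash fails with REG_EESCAPE, which is what plain
// whitespace splitting of "^/foo\ bar$" would produce.
int validRegexCount(const std::vector<std::string> &tokens)
{
    int ok = 0;
    for (const auto &t : tokens) {
        regex_t re;
        if (regcomp(&re, t.c_str(), REG_EXTENDED | REG_NOSUB) == 0) {
            ++ok;
            regfree(&re);
        }
    }
    return ok;
}
```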
Some FTP servers respond to a FEAT command with a 5xx status code. Squid sends
an invalid response in these cases which can confuse the client.
This patch fixes Squid to always send a valid 211 reply to the client which
lists at least the EPSV and EPRT FTP commands supported by Squid,
regardless of the origin server support.
This patch also fixes a memory leak when FEAT replies are processed.
The certificate db size file may become empty (for reasons beyond Squid
control such as server reboots, and possibly some unknown Squid bugs).
When it becomes empty, all ssl_crtd helpers (and then Squid) quit. This
change is required to make ssl_crtd more robust by recovering lost db
size information.
This patch:
- Adds the "size" rebuild operation in CertificateDB and the ssl_crtd
daemon. Rebuilds the ssl_db/size file if it is empty:
* Inside the Ssl::CertificateDb::check method
* When a CertificateDB operation tries to read the size from the ssl_db/size file
- If no fs_block_size parameter is given for CertificateDB then use a
default value of 2048. Currently it is set to 0, which may cause a segfault
in the ssl_crtd daemon.
Amos Jeffries [Fri, 21 Nov 2014 18:26:17 +0000 (10:26 -0800)]
Revert r12298 workaround for Bug 3613
Now that Squid is starting to utilize C++11 features we need to enable
them in all compilers. If the problem still exists then we need to find
a better solution to bug 3613.
Amos Jeffries [Fri, 21 Nov 2014 18:09:06 +0000 (10:09 -0800)]
HTCP: fix memory initialization errors
memset() used to initialize HTCP objects made sense when they were
structs. But now that they are classes, proper constructors need to be used
to avoid memset() erasing the vtable and other important areas. It also
helps to reduce code and improve performance during init a tiny bit.
Amos Jeffries [Fri, 21 Nov 2014 04:33:21 +0000 (20:33 -0800)]
Fix build errors on CentOS 7 in rev.13712
It turns out the RHEL and CentOS 7 STL definition does not quite match
up to official documentation of what their GCC version supports. In
particular the use of const_iterator on std::list containers.
Use auto instead of an explicit iterator, allowing the compiler to select
whichever iterator is available and will work.