Original code by Marcello Romani, this version has some additions to
initialize any missing database tables depended on during its startup
phase and some additional polish to fit within the current Squid release.
COPYRIGHT AND LICENSE
Copyright (C) 2008 by Marcello Romani
This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.8.8 or,
at your option, any later version of Perl 5 you may have available.
Amos Jeffries [Wed, 15 Dec 2010 12:13:01 +0000 (05:13 -0700)]
ext_edirectory_userip_acl: alternative split algorithms
Some compilers do not support dynamically allocated stack space.
Instead perform a scan and hunk copy/wipe of the passed buffers directly.
As a side effect the split is no longer triple-copying data and
double-memset'ing.
Author: Graham Keeling <graham@equiinet.com>
Bug 3113: Squid can eat far too much memory when uploading files
Problem description:
Uploading a large file to a web site on the internet, squid's client
input buffer will increase far faster than it can be emptied to
the target website, and the machine will swiftly run out of memory.
This patch adds the client_request_buffer_max_size configuration
parameter which specifies the maximum buffer size of a client request.
Report ERR_SECURE_CONNECT_FAIL details to the user via a new error detail API.
Currently, the ERR_SECURE_CONNECT_FAIL response contains no usable error
information. Moreover, there is no interface to pass SSL error information
to the response generation code.
This patch adds an interface to allow Squid error responses to contain detailed
information about SSL certificate verification failure. For example, the error
message may contain the following text:
"Server Certificate Verification Failed: Certificate Common Name
(www.lufthansa.com) does not match the host name you are connecting to
(www.lufthansa.de)."
This is a Measurement Factory project.
Change details:
--------------------
- errorpage.cc/.h: The error page now supports the '%D' formating code to
display the detail string passed by modules. The detail strings passed by
modules can contain error page formating codes. Currently only SSL detail
errors messages are supported.
- A new class Ssl::ErrorDetail defined in ssl/ErrorDetail.[cc,h]
The Ssl::ErrorDetail objects passed to the SSL verification callback functions
(sl_verify_cb callback function defined in support.cc) and filled with error
detail data (error_no and a pointer to the X509 Certificate) in the case of
an error and passed back to the forward.cc code.
- The Ssl::ErrorDetail class internally uses (hard coded) templates and
formating codes to allow supporting multiple languages and adding easily
new features
Other changes:
-------------------
- errorpage.cc/.h: The BuildContent method split to BuildContent and ConvertText
method. The second method does the real conversion from a given text template
to output. It is used now to allow formating the detail strings passed with
%D.
- sslparseErrorString moved to ssl/ErrorDetail.cc file and renamed to
Ssl::parseErrorString
- sslFindErrorString moved to ssl/ErrorDetail.cc file and renamed to
Ssl::getErrorName
- The ssl_error_t typedef definition moved from ssl/support.h to
ssl/ErrorDetail.h and renamed to Ssl::error_t
Amos Jeffries [Mon, 13 Dec 2010 11:31:14 +0000 (00:31 +1300)]
Compat: cleanup several config.h hacks
* removes the xmemcpy and xmemmove hacks. Squid has been building for some
long time without them being consistently used all-over. No complaints.
bcopy() alternative is still use if needed. However main code can now
use memcpy( )and memmove() without special X knowledge.
* shuffle strnstr replacement into libcompat from libmisc
* shuffles xis*() function wrappers for is*() with type-casting into compat
Alex Rousskov [Sun, 12 Dec 2010 23:29:26 +0000 (16:29 -0700)]
Handle early eCAP transaction failures better.
Do not throw an exception if eCAP transaction had to deal with a virgin body
but was not consuming it at swangSong() time. This may happen if the eCAP
adapter throws an exception before the adapter requests the virgin body
transmission or after it stops the transmission. In other words, the
transaction wrapper consumes only if proxyingVb is on.
Amos Jeffries [Sun, 12 Dec 2010 05:30:58 +0000 (22:30 -0700)]
SourceLayout: cleanup the various log line formatting code
Adds:
* namespace Log::Format for log display functionality. Each line formater
is a global function inside here. The log format enum is also in here
along with the display encoding 'gadget' functions.
* namespace Time in SquidTime.h for the related time string display
functions. Unified the various log pretty-print httpd-style time
functions into Time::FormatHttpd(time_t).
** care has been taken to preserve the local-static optimization found
in accessLogTime() to prevent wasted cycles re-printing the same
time value more than once per second.
NP: the similar but timezone-missing format is now Time::FormatStrf()
with the same optimization applied to speed up its callers.
* namespace Math:: to avoid symbol clash with global function Log() and
namespace Log.
* support for the Apache "combined" log format. Was documented earlier as
being available but not actually present.
Obsoletes:
* forward_log directive and associated experimental code. If needed
we can easily add another special format to dump the details.
FWIW they are all available in the squid format anyway (timestamp,
squid status, source peer). The documented action of dumping every
forwarding attempt was not working.
* referer_log and useragent_log directives and matching ./configure options.
** shuffled into access_log formats "referrer" and "useragent" for more
flexibility with less directives.
* emulate_httpd_log replaced with Apache "common" format.
* the "auto" pseudo-format becomes obsolete with emulat_httpd_log.
default is now "squid" format in all situations.
Code Shuffles:
* moved the logformat directive parsing into LogConfig object methods.
* shuffled the logformat parsing and token code into src/log/Tokens.h|cc
** this is purely to break it out of access_log.cc. namespace and scoping
needs some work.
Alex Rousskov [Tue, 7 Dec 2010 19:32:43 +0000 (12:32 -0700)]
Tolerate adapted body delivery failures in REQMOD request satisfaction mode.
Without these changes, Squid may assert if an ICAP or eCAP service fails
while delivering response body in REQMOD:
assertion failed: client_side.cc:1438: "rep"
Other assertions may be possible as well, because we were trying to
serve a freshly built, HttpReply-free error response while already
writing the REQMOD "request satisfaction" response. The assertion
probably depends on that writing stage (wrote nothing yet, wrote
headers, wrote some body, etc).
Polished ERR_DETAIL constants to distinguish the special "request
satisfaction" case and to remove ICAP-specific labels from general
adaptation code.
Alex Rousskov [Tue, 7 Dec 2010 19:10:11 +0000 (12:10 -0700)]
Support upcoming "fresh message creation" eCAP API.
Adapters need "fresh" (i.e., empty and not cloned) messages to support
"request satisfaction" mode and other cases where cloning a virgin message is
not possible or is awkward because the adapted message is not an adjusted
version of the virgin one.
fix compile error on OpenSolaris using SunStudio CC
The way the TidyPointer used inside ssl/gadgets.h which included
through ssl/support.h in squid.h file requires the ssl libraries
linked with every binary, even if not realy needed.
To solve this probelm remove the 'include "ssl/support.h"' line
from the squid.h and add it only where required.
The *_free SSL API functions can not be used with TidyPointer in some OSes/compilers
The *_free SSL functions are declared as extern "C" and can not be used as
DeAllocator argument of the TidyPointer class with some compilers and OSes.
To solve this problem:
- Define the CtoCpp1 macro to allow easy implementation of the C++ equivalent
function of an extern C function.
Currently defined in gadgets.h file, if required in the future can be
moved to TidyPointer.h file
- Use the CtoCpp macro to define the X509_free_cpp
- Remove the Ssl::BIO_free_wrapper function does not needed any more
Amos Jeffries [Mon, 6 Dec 2010 14:06:06 +0000 (03:06 +1300)]
Fix 'can't create ./src/***: No such file' errors on linking
Side effect of the AIX port fixes using .o instead of duplicating and
re-building the .cc individually. "It seemed a good idea at the time"(tm).
It is a bit strange that it should only show up now, those changes were
made long ago.
Anyways, I've come to the conclusion from other places that the rebuild is
slower to compile but a lot safer to deal with linkage and dependencies.
Amos Jeffries [Mon, 6 Dec 2010 08:24:12 +0000 (01:24 -0700)]
Fix host OS detection in configure.ac
squid_host_os was being left with the version appended. Which screwed all
the switch and if cases which depended on exact matching the name only.
This corrects the squid_host_os to not contain numeric versions and also
corrects several of the test cases using host_os instead of squid_host_os
or using squid_host_os with version digits.
Amos Jeffries [Sun, 5 Dec 2010 14:29:27 +0000 (03:29 +1300)]
Build libprofiler only when it will be operational
The internal CPU profiler requires specific CPU support. It is not useful
to build and link the library unless it is going to work.
Uses AC_PREPROC_IFELSE to allow building on cross-compilers.
Alex Rousskov [Fri, 3 Dec 2010 23:04:01 +0000 (16:04 -0700)]
Avoid comm_read "!fd_table[fd].closing()" assertion after adaptation ACL check
The assertion was hit if Server fd was closed while we were checking
adaptation ACLs, and we have not been notified of the closure yet (because the
Adaptation::AccessCheck callback is not async while closure notification is).
Alex Rousskov [Fri, 3 Dec 2010 22:59:37 +0000 (15:59 -0700)]
Polished HttpStateData::persistentConnStatus() code. No functionality changes.
Moved virginReply() call closer to the first virgin reply use. This will help
re-adding "did we parse the header yet" check if we ever need it again. It
also saves a couple of CPU cycles for some transactions.
Alex Rousskov [Fri, 3 Dec 2010 22:56:17 +0000 (15:56 -0700)]
Polished HttpStateData::persistentConnStatus() code. No functionality changes.
Do not check for flags.headers_parsed. The removed check was:
- misplaced: connection-related conditions such as eof must be checked first;
- wasteful: we never call persistentConnStatus() unless we parsed headers.
Moreover, calling persistentConnStatus() before we parse headers would trigger
and assertion because the method uses virginReply() which does not exist until
the headers are parsed.
Alex Rousskov [Thu, 2 Dec 2010 23:33:27 +0000 (16:33 -0700)]
Author: Stefan Fritsch <sf@sfritsch.de>
Bug 3096: Squid destroys CbDataList<DeferredRead> objects too late
When server download speed exceeds client download speed, Squid creates a
CbDataList<DeferredRead> object and associates a comm_close handler with it.
When the server kicks the deferred read, the comm_close handler is canceled.
This create/cancel sequence happens every time the server-side code wants to
read but has to wait for the client, which may happen hundreds of times per
second.
Before this change, those canceled comm_close handlers were not removed from
Comm until the end of the entire server transaction, possibly accumulating
thousands of CbDataList<DeferredRead> objects tied to the socket descriptor
via the canceled but still stored close handler.
comm_remove_close_handler now immediately removes canceled close handlers to
avoid their accumulation.
Alex Rousskov [Sun, 28 Nov 2010 15:29:51 +0000 (08:29 -0700)]
Prevent memory leaks when Adaptation::AccessCheck callback ends the job.
The AccessCheckCallbackWrapper is used in nonBlockingCheck() and is called
from the ACL code, using legacy function-based API. If the job ends during
the callback processing, there are no AsyncCall wrappers to destroy the job
object. We now convert legacy to async call to enable proper wrapping and job
destruction.
These kind of job leaks are invisible to valgrind, but that is another bug.
Amos Jeffries [Sat, 27 Nov 2010 01:46:22 +0000 (18:46 -0700)]
SourceLayout: Comm Write cleanups
* creates namespace Comm.
* The comm_write() functions are moved into that scope as Comm::Write()
and only accept AsyncCall now. Old wrapper functions are removed.
* commio_* functions are all moved to methods of a new Comm::IoCallback
object. Which represents either a read or a write callback event
waiting to happen. Old wrapper functions have been removed.
* The fdc_table of pending read and write callbacks has been moved into
the Comm scope with (the name iocb_table) and should be considered private.
For now the COMMIO_*_CB() macros are retained to produce a pointer to
a callback object in this table.
* libcomm-listener.la has been renamed to libcomm.la
Alex Rousskov [Fri, 19 Nov 2010 02:10:21 +0000 (19:10 -0700)]
HTTP Compliance: do not forward TRACE with Max-Forwards: 0 after REQMOD
Before the change, Max-Forwards request value was cached in
HttpRequest::max_forwards member. It was set once in
clientProcessRequest() function. This works fine as long as no request
adaptation is performed. Otherwise original HTTP request may be
replaced with adopted one in ClientHttpRequest::noteAdaptationAnswer()
method and max_forwards value is lost.
This change removes HttpRequest::max_forwards member and gets the value
directly from HttpHeader when needed. This adds another string-to-int
conversion for TRACE and OPTIONS requests, but those are rare, and we
save a little in the other, far more common cases by removing the
HttpRequest::max_forwards member.
Removed assertion from clientReplyContext::traceReply() since it is
called from a single place and the condition is checked right before
the call.
Co-Advisors test cases:
test_case/rfc2616/maxForwardsZero-TRACE-asterisk
test_case/rfc2616/maxForwardsZero-TRACE-absolute
Author: Alex Rousskov, Andrew Balabohin, Christos Tsantilas
Dynamic SSL certificate generartion
This patch implements dynamic SSL certificate generartion in Squid.When
used with SSL Bump, the feature allows Squid to dynamically
generate (using a configurable CA certificate) and cache SSL
certificates for the proxied hosts.
A description for this feature can be found at:
http://wiki.squid-cache.org/Features/DynamicSslCert
A first version of the patch posted by Alex, some months before:
http://www.squid-cache.org/mail-archive/squid-dev/201003/0201.html
Some words about the patch:
* ssl related source files moved under the src/ssl directory
* Introduce the TidyPointer class similar to std::auto_ptr, which implements
a pointer that deletes the object it points to when the pointer's owner
or context is gone. It is designed to avoid memory leaks in the presence
of exceptions and processing short cuts.
* Implements ssl context cache to use with generated ssl contexts. The
Ssl::LocalContextStorage class stores the hostname/ssl context pairs for
a local listening address/port. The Ssl::GlobalContextStorage class used
to store Ssl::LocalContextStorages per local listening address and handles
squid shutdown/configure/reconfigure
* Ssl::Helper class implements the squid part of the ssl_crtd helpers.
* The ssl_crtd helper implemented in ssl_crtd.cc and certificate_db.* files
* The Ssl::CertificateDb class (certificate_db.* files) implements a
database of certificates on disk files. It is used by ssl_crtd helper to
manipulate generated certificates.
* The ssl related files included in the libraries libsslutil.a which
contains common classes and functions and the libsquidssl.a which has
squid related ssl objects and functions