This is may cause problems in some cases where the code assume that the MemBuf
is always NULL terminated. For example when an ErrorState object try to use
an empty errorpage template.
This patch terminates the (empty) MemBuf on MemBuf::init method.
Cleanup: Make crypt(3) detection dependent on the helpers that use it
Only run detection for crypt(3) support when the NCSA and getpwnam
helpers which use it are to be built.
Also, move shadow.h detection to depend on getpwnam helper which is the
only code using it.
Also, shuffle the libcrypt and libmd5 detection up into the section with
other crypto libraries so they are known in advance of helper detections
which may require libcrypt.
Fix OpenSSL detection when an explicit path is given
The previous OpenSSL detection was skipping the library checks when an
explicit path was presented. Resulting in no -lssl flag being passed to
the linker.
Rational for this fix:
pkg-config presents location-neutral details.
The explicit checks are likewise neutral provided the LIBS environment
variable has been set with the explicit path.
User presented path must be used regardless of which the library checks
are used in detection.
So...
Always perform the checks with optionally set LIBS and keep the
user provided path explicitly separate from the pkg-config *_LIBS
variable. Only assemble the parts into SSLLIB once all have been
identified.
Amos Jeffries [Mon, 31 Mar 2014 04:46:50 +0000 (21:46 -0700)]
Cleanup: make loadable modules build variables follow Squid3 coding guidelines
Squid-3 coding guidelines mandate that AM_CONDITIONAL variables begin
with ENABLE_* and AC_DEFINE macros begin with USE_* to resolve confusion
over which is relevant.
Amos Jeffries [Sun, 30 Mar 2014 12:00:34 +0000 (05:00 -0700)]
Cleanup: replace USE_SSL wrapper macro with USE_OPENSSL
Squid-3 currently only supports OpenSSL for SSL/TLS components. This
makes the support type explicit and prepares for alternative SSL
libraries to be added in future with different macro wrappers.
Amos Jeffries [Sun, 30 Mar 2014 06:46:34 +0000 (23:46 -0700)]
Fix buffer overruns in generated NTLM tokens
The NTLM token payload (string value) encoding was not protecting fully
against 16-bit and 8-bit wrap errors and signedness conversions.
This protects against the wrap and conversion errors by truncating at
the maximum field length. That length limit is vastly larger than NTLM
protocol specified field sizes and permitted HTTP header sizes so is not
expected to cause issues with existing implementations.
Amos Jeffries [Sun, 30 Mar 2014 06:41:27 +0000 (23:41 -0700)]
crypto-ng: Drop --enable-ssl build option
This confgure option was fully overlapping --with-openssl.
Simplify the build options and cleanup in preparation for crypto-ng as
SSL functionality will be enabled by default in future when any of the
supported SSL/TLS libraries is available.
Amos Jeffries [Sat, 29 Mar 2014 11:15:13 +0000 (04:15 -0700)]
C++11: Upgrade auto-detection to use the formal -std=c++11
When the latest compilers added support for -std=c++11 they also dropped
the temporary -std=c++0x option without backward-compatible support. So
for the newest compilers we have not been testing the C++11 code.
As a result of this change Squid will no longer attempt to enable the
partial support in older compilers with -std=c++0x.
Also, update the compiler option test macro from autoconf project.
Amos Jeffries [Mon, 24 Mar 2014 04:57:32 +0000 (21:57 -0700)]
Parser-NG: Convert the ConnStateData input buffer to SBuf
Prepare the way to efficiently parse client requests using SBuf based
parser-ng.
IoCallback stores a raw-pointer to the ConnStateData::In::buf member
object rather than an SBuf reference to the backing MemBlob or char*
store so that only the short (blocking) FD_READ_METHOD() call needs to
provide any synchronous guarantees. We also particularly need a direct
(raw) pointer to the ConnStateData member to prevent the possible
read/consume collisions causing problems with the ConnStateData callback
and avoid having to merge two separate SBuf.
This patch fixes the following bug:
1) A user sends a CONNECT request with valid credentials
2) Squid checks the credentials and adds the user to the user cache
3) The same user sends a CONNECT request with invalid credentials
4) Squid overwrites the entry in the user cache and denies the second
CONNECT request
5) The user sends a GET request on the first SSL connection which is
established by now
6) Squid knows that it does not need to check the credentials on the
bumped connection but still somehow checks again whether the user is
successfully authenticated
7) Due to the second CONNECT request the user is regarded as not
successfully authenticated
8) Squid denies the GET request of the first SSL connection with 403
ERR_CACHE_ACCESS_DENIED
On proxies with Basic authentication and SSL bumping, this can be used
to prevent a legitimate user from making any HTTPS requests
Amos Jeffries [Sun, 23 Mar 2014 05:17:14 +0000 (23:17 -0600)]
Portability: invert the basic_nis_auth header check
autoconf macro will set its action-if-found if *any* of the headers is
found. Since these are mandatory headers being tested for we need to
disable if any are missing rather than enable on finding one works.
Amos Jeffries [Sat, 15 Mar 2014 02:30:08 +0000 (19:30 -0700)]
Push SBuf down into Comm::IoCallback
Use a pointer to the SBuf instead of the rawSpace() because using a SBuf
copy can potentially cause different MemBlob to exist behind the Comm
read classes and the caller (ConnStateData) class. They need to be kept
identical so as not to loose any existing bytes in the I/O buffer when
a read callback handler is run.
Pointer to SBuf also avoids race conditions between comm_read async calls
and BodyPipe notifications which can potentially change the MemBlob
underneath comm_read() and invalidate te char* buffer pointer used
previously.
url_rewrite_extras and store_id_extras patch fixes
Fixes to patch "Add url_rewrite_extras and store_id_extras for redirector and store_id helpers",r13308:
- Fix cf_gen.cc:gen_conf(..) function to not escape quotes before write to
conf file
- The Format::Format name is used to inform the user about parsing problems.
Fix the names of related objects for the new redirecor_extras and
store_id_extras directives.
- cf.data.pre: The NAME tag take as argument only the name of directive. Fix
the new redirecor_extras and store_id_extras related tags.
Add url_rewrite_extras and store_id_extras for redirector and store_id helpers
The url_rewrite_extras/store_id_extras is a "quoted string" with logformat
%macro support. It is used to modify the request line for redirector and
storeId helpers.
The url rewrite and store_id helpers request format now is:
url [<SP> extras]
and the default value for extras is:
"%>a/%>A %un %>rm myip=%la myport=%lp"
Example usage:
url_rewrite_extras "Note1=%{Note1}note Note2=%{Note2}note"
Alex Rousskov [Sat, 8 Mar 2014 17:28:23 +0000 (10:28 -0700)]
Avoid assertions on Range requests that trigger Squid-generated errors.
Added HttpRequest::ignoreRange() to encapsulate range ignoring logic.
Currently the new method only contains the code common among all callers. More
work is needed to check whether further caller homogenization is possible.
Documented that ClientSocketContext::getNextRangeOffset() may sometimes be
called before it is ready to do its job.
Amos Jeffries [Sat, 8 Mar 2014 00:18:11 +0000 (16:18 -0800)]
Avoid buffer overrun by comm_read()
It seems the space details provided by SBuf do not necesarily match the
existing MemBlob size. If for example actions like consume() have shifted
the SBuf down the MemBlob buffer.
Use spaceSize() to guarantee that the underlying MemBlob store still
provides sufficient buffer to fill without overflowing.
Amos Jeffries [Fri, 7 Mar 2014 11:18:03 +0000 (04:18 -0700)]
Protect MemBlob::append() against raw-space writes
There is no guarantee that the 'unused' area of MemBlob is actually
unused. For example if a read buffer was being filled into the
rawSpace() of a SBuf or MemBlob it will overlap with this empty area
until a read call updates the related size state in MemBlob/SBuf.
For these cases we must use memmove() which guarantees no buffer
corruption will take place on memory overlaps.
Amos Jeffries [Thu, 6 Mar 2014 03:55:41 +0000 (20:55 -0700)]
Copyright: Relicense helpers by Treehouse Networks Ltd.
Update the license on helper code designed and authored by myself using
the BSD 2-clause license. This makes the example helper code and license
more legally acceptible for use as a basis of proprietary helpers while
remaining compatible with GPL for distribution with Squid.
Amos Jeffries [Wed, 5 Mar 2014 12:08:54 +0000 (01:08 +1300)]
Better fix for CMSG definitions
It turns out autoconf versions are not consistent with $ symbol escaping
which can cause incorrect definitions. Revert to AC_CHECK_TYPE instead.
Its a bit more verbose in configure.ac but works more often than not.
Amos Jeffries [Wed, 5 Mar 2014 06:32:34 +0000 (19:32 +1300)]
Portability: define CMSG related structures individually
Some OS provide the CMSG related definitions and others only partially
define them. Sometimes (Windows particularly) this varies between build
environments.
Checking for each symbol separately and providing only those needed
avoids problems we have been having with missing or redefined symbols
on Windows and elsewhere.
Amos Jeffries [Tue, 4 Mar 2014 10:33:08 +0000 (23:33 +1300)]
Fix helper ID number assignment
Since helpers are now dynamically started the old method of allocating
an ID number based on the current start sequence can result in many
helpers being assigned overlapping ID numbers.
Use InstanceID template instead to assure a unique incremental ID is
assigned to each helper no matter when it is started.
Alex Rousskov [Fri, 21 Feb 2014 16:14:05 +0000 (09:14 -0700)]
Migrated RegisteredRunners to a multi-action interface.
Old generic two-action RegisteredRunners were good for handling paired
create/destroy events, but not all main.cc events fit that model well. In
fact, even the old runners implemented the destruction action for one event
only (rrAfterConfig); all other runners implemented a single action.
The adjusted API better supports runners that are interested in any number
of the supported events. It also allows a single runner object to handle
multiple events, which simplifies current code and may help with better
[re]configuration handling in the future.
Added startShutdown() and finishShutdown() events. The former will be needed
for authentication module shutdown and more polished shutdown initiation code
in general (patch pending). The latter is needed for final cleanup code that
previously ran as the destruction action for rrAfterConfig. finishShutdown()
also destroys all runners.
Note that the master process in SMP mode does not run startShutdown because
that process lacks the main loop and startShutdown() promises at least one
main loop iteration (to help with clean connections closures, for example).
Added syncConfig() event that will be needed for the standby pool
implementation (patch pending) and future code that reacts to Squid
configuration changes caused by reconfiguration.
"after config" event is now called "use config" to better match verb+noun or
action+object naming scheme.
Amos Jeffries [Fri, 21 Feb 2014 10:46:19 +0000 (03:46 -0700)]
Cleanup: un-wrap C++ header includes
Coding guideline is now that standard C++ headers are not to be
wrapped in HAVE_ macros.
* Remove HAVE_ macros for currently wrapped C++ headers.
Includes removing autoconf checks.
* Replace C includes with C++ includes where possible
Also, <cstdio> / <stdio.h> has issues on 64-bit systems and a
portable fixed version is provided by libcompat via squid.h
It should not be included anywhere in the Squid sources.
Amos Jeffries [Thu, 20 Feb 2014 13:03:07 +0000 (06:03 -0700)]
squidclient: --ping mode module support
Module support:
Update squidclient support modules with different logics
and configuration option sets as a basis for multiple
protocol support.
A mechanism is added to allow each module to have its own
command line option set. Any option unknown to the current
module handler drops back to the main loop for processing.
--ping mode module:
Break the existing code "ping mode" operations and command
line processing out from the main squidclient.cc into Ping.*
Ping-specific short command line options are now only parsed
after a mode flag (--ping) is presented. This frees up the
-g and -I options for use by other non-ping modules in future.
Also, shuffle squidclient code into its own directory
tools/squidclient/ to keep the tool code files clearly
identifiable now that they are multiplying.
1) The dynamic_cert_mem_cache_size does not change on reconfigure
2) When dynamic_cert_mem_cache_size of http_port set to 0 then:
a) The dynamic certs cache is grow unlimited.
This patch just disables certificates caching when this option set to 0.
b) Huge amount of memory appeared as free cache memory in "Cached ssl
certificates statistic" page of cache manager.
This problem caused because of a signed to unsigned int conversion.
Amos Jeffries [Sun, 16 Feb 2014 05:15:45 +0000 (22:15 -0700)]
squidclient: support verbosity levels
This makes the -v option repeatable. By default no debug is displayed.
Each time -v is repeated the level of debug message verbosity is raised.
Three levels of verbosity are currently defined:
0 - no output except ERROR messages.
1 - display HTTP request sent
2 - display actions taken connecting to server
Amos Jeffries [Thu, 13 Feb 2014 07:02:35 +0000 (20:02 +1300)]
Bug 4001: remove use of strsep()
The strsep() function is not defined by POSIX. Additionally
auto-tools has been having some obscure issues detecting
or linking the provided implementation into libcompat on
Windows and Solaris respectively. Which are the two known
OS requiring it.
Investigation of its use in Squid revealed that it can be
replaced with strcspan() which is both portable and more
efficient since it also removes the need for several
strdup()/free() operations used to protect Squid from
strsep() memory fiddling.
projects / thirdparty / squid.git / log
