Amos Jeffries [Thu, 21 Aug 2014 07:57:42 +0000 (00:57 -0700)]
Fix build issues after trunk rev.13534 merge
FTP server addition to trunk pulled in design changes to the HTTP parse
and processing. Adding an HTTP server component as well. This branch code
clashed and fails to build without a matching redesign.
author: Alex Rousskov <rousskov@measurement-factory.com>
Use v3 for fake certificate if we add _any_ certificate extension.
We used to force v3 version only when adding the subjectAltName extension.
That broke sites that did not have subjectAltName but used other mimicked x509
extensions, when accessed through Firefox 31 (at least):
https://bugzilla.mozilla.org/show_bug.cgi?id=1045973
Alex Rousskov [Mon, 11 Aug 2014 16:09:06 +0000 (10:09 -0600)]
Initial native FTP Relay support.
* Added ftp_port directive telling Squid to relay native FTP commands.
* Active and passive FTP support on the user-facing side;
require passive connections to come from the control connection src IP.
* IPv6 support (EPSV and, on the user-facing side, EPRT).
* Intelligent adaptation of relayed FTP FEAT responses.
* Relaying of multi-line FTP control responses using various formats.
* Support relaying of FTP MLSD and MLST commands (RFC 3659).
* Several Microsoft FTP server compatibility features.
* ICAP/eCAP support (at individual FTP command/response level).
* Optional "current FTP directory" tracking (cannot be 100% reliable due to
symbolic links and such, but is helpful in some common use cases).
* FTP origin control connection is pinned to the FTP user connection.
* No caching support -- no reliable Request URIs for that (see above).
* Significant FTP code restructuring on the server-facing side.
* Initial steps towards HTTP code restructuring on the client-facing side.
Alex Rousskov [Sat, 9 Aug 2014 00:35:28 +0000 (18:35 -0600)]
Centralized and documented FTP protocol "version" (1.1) definition.
Moved AnyP::PortCfg::setTransport() to the cache_cf.cc parsing code where it
currently belongs. AnyP code should not have protocol-specific pieces as it is
code shared among (or used by) many (ideally, all transfer) protocols.
TODO: Convert Http::ProtocolVersion from class into a function.
Alex Rousskov [Thu, 7 Aug 2014 22:33:48 +0000 (16:33 -0600)]
Fixed HttpHdr::Private/NoCache(v) implementations and optimized their API.
These calls now avoid assertions and extra trailing commas when called with
empty names. The API now allows calling with a String() object, but still
needs more polishing work.
Moved common code from Ftp::Server::setReply and Ftp::Relay::createHttpReply()
into Ftp::HttpReplyWrapper().
Also removed the last non-job callbak from Ftp::Client, polished and synced
new FTP comments with the modern client/server/gateway/relay terminology, as
well as minimized changes compared to trunk.
Alex Rousskov [Thu, 7 Aug 2014 17:26:03 +0000 (11:26 -0600)]
Tokenizer fixes and API improvements.
Taught Tokenizer to keep track of the number of parsed bytes. Many callers
need to know that because they need to adjust/consume I/O offsets/buffers.
Adjusted unused Parser::Tokenizer::token() to not treat NUL delimiter
specially. Besides the fact that not all grammars can treat NUL that way, the
special NUL treatment resulted in some token() calls returning true for empty
tokens, which was confusing parsers. Callers that do not require trailing
delimiters, should use prefix() instead. This change is based on experience
writing Tokenizer-based FTP parser, although the final parser code uses
prefix() instead of token(), for unrelated reasons.
Split Parser::Tokenizer::skip(set) into skipOne() and skipAll(). All other
skip() methods skip exactly one thing (either a given character or a given
token) but the old skip(set) method was skipping multiple things. That
confused callers. We now force the caller to make a choice.
Fixed Parser::Tokenizer::skip(char) to avoid out of bound access.
Alex Rousskov [Thu, 7 Aug 2014 17:20:27 +0000 (11:20 -0600)]
Added CharacterSet::complement() to create "all except those in that set" sets
handy for parsing (e.g., "get all characters until the end of line").
Added CharacterSet::rename() to label sets. Handy in const declarations that
use expressions. For example: const CharacterSet AB = (A+B).renamed("AB").
Alex Rousskov [Thu, 7 Aug 2014 17:13:26 +0000 (11:13 -0600)]
Do not allow SBuf::toLower/toUpper() return a value.
Some callers think toLower() method changes the string and some think it
returns a changed value without changing the string. Without unportable hacks
like __attribute__((warn_unused_result)), some of the callers will guess wrong
and not know about it. It is easier/safer to change the object itself and
return nothing.
Provided ToUpper/ToLower() functions (not methods!) that preserve their
paramter and return a new object for callers that need the old functionality.
These functions are a good candidate for __attribute__ hacks.
Alex Rousskov [Tue, 5 Aug 2014 22:44:23 +0000 (16:44 -0600)]
Polished for the official review, addressing several TODOs.
Use 1.1 version for FTP ports because FTP commands are sent on a
"persistent by default" connection, just like HTTP/1.1.
Cleaned up Ftp::CtrlChannel, Ftp::DataChannel, and Ftp::Client object
construction and destruction.
Do not insist on USER command when intercepting FTP. Interception support
may still not work for other reasons, but USER does not seem to be required
since Squid gets request destination from the intercepted connection info.
Alex Rousskov [Tue, 5 Aug 2014 00:17:16 +0000 (18:17 -0600)]
Done moving FTP code around. Polished moved code to match new locations.
src/clients/FtpNative is now src/clients/FtpRelay. It was awkward to use a
non-noun "Native" as a class name, and the class was already described as
"relaying FTP".
Alex Rousskov [Mon, 4 Aug 2014 21:44:31 +0000 (15:44 -0600)]
Major source layout change: Moved FTP code into servers/, clients/, and ftp/.
src/servers/FtpServer.* # new FTP server, relaying FTP
src/servers/HttpServer.* # old ConnStateData parts conflicting w/ FtpServer
src/clients/FtpClient.* # code shared by old and new FTP clients
src/clients/FtpGateway.* # old FTP client, translating back to HTTP
src/clients/FtpNative.* # new FTP client, relaying FTP
src/ftp/* # FTP stuff shared by clients and servers
This change attempts to preserve code in moved files to the extent possible:
Only copied or added code was polished. Future changes will polish moved code.
Unfortunately, bzr does not track code changes across file splits, so the code
moved from ConnStateData (client_side.cc) into HttpServer and FtpServer
classes appears as removed and added in bzr diff. If you want to see the
branch log for the FtpServer or HttpServer code added in this revision, look
in the previous branch revision of client_side.cc.
Amos Jeffries [Sat, 2 Aug 2014 13:01:28 +0000 (06:01 -0700)]
Remove hierarchy_stoplist in favour of always_direct
This directive was deprecated 2 years (and versions) ago. It can be
replaced with:
acl stoplist url_regex cgi-bin|\?
always_direct allow stoplist
The major difference between the two configurations is that the old
hierarchy_stoplist was applied after never_direct and always_direct is
applied before it. Both override the never_direct result, so this is not
a problem.
Fix %USER_CA_CERT_* and %CA_CERT_ external_acl formating codes
* The attribute part of the %USER_CA_CERT_xx and %CA_CERT_xx formating codes
is not parsed correctly, make these formating codes useless.
* The %USER_CA_CERT_xx documented wrongly
Fix for the patch r13505, "Fix tcp outgoing tos bugs":
The Connection::fd member of a non openned connection used inside
Comm::ConnOpener::createFd member, causing crashes to squid
The tcp_outgoing_tos is buggy in trunk:
- The ToS is never set for packets of the first request of a TCP connection.
- The ToS is never set for HTTPS traffic no matter whether requests are bumped
or not.
- The ToS value is not set for ftp data connections
This patch solve the above problems:
- It moves the codes which sets the TOS value for a new connection from the
the comm_openex to a higher-level code, where the connection protocol
(IPv4 or IPv6) is known.
- Add code to set TOS value for ftp data connections.
- Add a check on parsing code to warn users if the configured ToS value has the
ECN bits set, and adjust the value to a correct one.
Notes
Currently squid support only passive ftp data connections. If squid in the
future supports active ftp connections, then some work required to TcpAcceptor
class to allow setting ToS values for connections established on squid listening
sockets.
This allows long-lived connections to retain access to their original
receiving port configuration even after squid has been reconfigured.
Reference counting prevents some leaking of these port configuration
details and associated state by removing locking uncertainties.
Also, fixes all parsing errors resulting from the change. Most of
the issues were due to use of raw-pointers and explicit
cbdataReference*() API.
Support client connection annotation by helpers via clt_conn_tag=TAG.
TCP client connections tagging is useful for faking various forms of
connection-based "authentication" when standard HTTP authentication cannot be
used. A URL rewriter or, external ACL helper may mark the "authenticated"
client connection to avoid going through "authentication" steps during
subsequent requests on the same connection and to share connection
"authentication" information with Squid ACLs, other helpers, and logs.
After this change, Squid accepts optional clt_conn_tag=TAG pair from a
helper and associates the received TAG with the client TCP connection.
Squid treats the received clt_conn_tag=TAG pair as a regular annotation, but
also keeps it across all requests on the same client connection. A helper may
update the client connection TAG value during subsequent requests.
Also after this patch the notes comming from helpers replaces any existing
note values.
FwdState::negotiateSSL() operates on a TCP connection without a timeout. If,
for example, the server never responds to Squid SSL Hello, the connection get
stuck forever. This happens in real world when, for example, a client is trying
to establish an SSL connection through bumping Squid to an HTTP server that
does not speak SSL and does not detect initial request garbage (from HTTP point
of view)
This patch adds support for timeout to SSL negotiation procedure and sets this
timeout so that it does not exceed peer_connect or forward_timeout.
author: Joe Crayne <oh.hellojoe@gmail.com>
Bug 3966:Add KeyEncipherment when ssl-bump substitues RSA for EC.
Libnss3, which is used by Firefox to verify the certificate chain, has
different requirements for RSA keys than it does for EC keys. In particular,
RSA keys with the keyUsage extension, must set the KeyEncipherment flag.
I've attached a patch that will enable KeyEncipherment whenever ssl-bump
attempts to substitute an RSA key for an EC key that had a keyUsage extension.
This fix was brought to you by the Samizdat project.
http://samizdat.childrenofmay.org
Alex Rousskov [Wed, 25 Jun 2014 00:09:35 +0000 (18:09 -0600)]
Support more collapsed forwarding hit cases:
Allow STORE_MEMORY_CLIENTs to open disk files if needed and possible.
STORE_*_CLIENT designation is rather buggy (several known XXXs). Some
collapsed clients are marked as STORE_MEMORY_CLIENTs (for the lack of info at
determination time) but their hit content may actually come from a disk cache.
Do not abandon writing a collapsed cache entry when we cannot cache the entry
in RAM if the entry can be cached on disk instead. Both shared memory cache
and the disk cache have to refuse to cache the entry for it to become
non-collapsible. This dual refusal is difficult to detect because each cache
may make the caching decision at different times. Added StoreEntry methods to
track those decisions and react to them.
Recognize disk cache as a potential source of the collapsed entry when the
memory cache is configured. While collapsed entries would normally be found in
the shared memory cache, caching policies and other factors may prohibit
memory caching but still allow disk caching. Memory cache is still preferred.
Alex Rousskov [Wed, 25 Jun 2014 00:07:41 +0000 (18:07 -0600)]
Do not use unknown entry size in StoreEntry::checkTooSmall() determination.
The size of collapsed entries is often unknown, even when they are STORE_OK
(because swap_hdr_sz is unknown when the other worker has created the cache
entry). The same code has been using this ignore-unknowns logic for the
Content-Length header value, so the rejection of unknown entry size (added as
a part of C++ conversion without a dedicated message in r5766) could have been
a typo.
Alex Rousskov [Tue, 24 Jun 2014 23:48:37 +0000 (17:48 -0600)]
Rock and shared memory caches fixes/improvements.
* Bug fixes:
Avoid "FATAL: Squid has attempted to read data from memory that is not
present" crashes. Improve related code.
Lifted 16777216 slot limit from rock cache_dirs and shared memory caches.
Caches larger than 256GB (assuming default 16KB cache_dir slot-size) require
this fix to use disk space beyond 256GB. Also fixed rock disk space waste
warning.
Restored Squid ability to cache (in memory) when no disk caches are configured
which was lost during r12662 "Bug 3686: cache_dir max-size default fails" but
other bugs hid this problem.
Allow HITs on entries backed by a shared memory cache only.
Make sure Squid dumps core and not just promises one when memory management
goes wrong.
* Significant RAM usage reduction:
Significantly reduced Large Rock (and slightly shared memory) RAM requirements
by not allocating 40 (and 12) bytes of unused RAM per cache slot.
Stop wasting 96 RAM bytes per slot for high-offset slots in large shared
caches with more than 16777216 slots. For example, a StoreMap for a 1TB shared
cache with default 16KB slot sizes (67108864 slots) occupied about 6.5GB of
RAM. After this change, the same information is stored in about 2.0GB because
unused anchors are not stored.
* Other improvements:
Document counter-intuitive round-robin cache_dir selection; decrease its bias.
Report IpcIo file name with errors and warnings to inform admin which
cache_dir needs troubleshooting or tuning.
Alex Rousskov [Tue, 24 Jun 2014 22:21:48 +0000 (16:21 -0600)]
Prep for merge from trunk: undo branch r13313, r13312, and r13311 that were
temporary undoing trunk r13266, r13269, and r13270 (std::vector migration).
Non https connectiona on SSL-bump enabled port may stuck
This is can be seen on skype when try to connect to server using an
SSL-bump enabled squid port. Squid try to bump the connection, waiting for ever
the ssl protocol header, and skype client waits for ever an answer from the
server.
This patch sets the timeout to Config.Timeout.request (request_timeout)
Alex Rousskov [Mon, 16 Jun 2014 22:50:08 +0000 (16:50 -0600)]
Do not leak implicit ACLs during reconfigure.
Many ACLs implicitly created by Squid when grouping multiple ACLs were not
destroyed because those implicit ACLs where not covered by the global ACL
registry used for ACL destruction.
See also: r13210 which did not go far enough because it incorrectly assumed
that all InnerNode() children are aclRegister()ed and, hence, will be
centrally freed.
Also, do not use cbdataFree() on non-POD Acl::Tree objects that have
destructors.
Alex Rousskov [Mon, 16 Jun 2014 22:45:23 +0000 (16:45 -0600)]
Fix build on some 32bit systems with strtoll()
broken by r13429 that duplicated unportable portability code.
GCC exits with errors: integer constant is too large for 'long' type
nnnL constants are "long" and cannot hold 64bit integers on 32bit platforms.
Use LL suffix for 64bit constants for now. It remains to be seen how portable
that LL C++ extension is: https://gcc.gnu.org/onlinedocs/gcc/Long-Long.html
Also fixed INT64_MIN #define (missing parenthesis).
Amos Jeffries [Sat, 14 Jun 2014 01:45:50 +0000 (18:45 -0700)]
POrtability: use 64-bit for X-Cache-Age header
While the value is expected to be well within 32-bit range some OS
(OpenBSD 5.5 at least) use 64-bit time_t. Use the larger type size for
calculations which also removes 32-bit wrap errors, and cast for older
systems.
Amos Jeffries [Mon, 9 Jun 2014 15:04:29 +0000 (08:04 -0700)]
Windows: fix various libip build issues
* Missing include ws2tcpip.h for IPv6 definitions
* Alternative IN6_ARE_ADDR_EQUAL definition required
* 'byte' is a reserved / system defined type on Windows,
resolve variable shadowing by renaming to ipbyte.
Amos Jeffries [Mon, 9 Jun 2014 13:18:48 +0000 (06:18 -0700)]
Revert rename of Comm::Flag ERROR
On MinGW at least ERROR is a #define'd macro resulting in build failure.
Revert to the old name COMM_ERROR until we can find a better one that
does not duplicate 'comm'.
projects / thirdparty / squid.git / log
