From e01b933cc28814d8650f829712639b4eb0d991e6 Mon Sep 17 00:00:00 2001
From: Matthias Fischer <matthias.fischer@ipfire.org>
Date: Sat, 11 Feb 2017 15:39:26 +0100
Subject: [PATCH] squid 3.5.24: latest patch (14142)

(Fixed: wrong squid version from previous commit)

"Bump SSL client on [more] errors encountered before ssl_bump evaluation"

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 lfs/squid                               |  1 +
 src/patches/squid/squid-3.5-14142.patch | 72 +++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
 create mode 100644 src/patches/squid/squid-3.5-14142.patch

diff --git a/lfs/squid b/lfs/squid
index 4a8d9d8e07..6d557517ce 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14142.patch
 	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.24-fix-max-file-descriptors.patch
 
 	cd $(DIR_APP) && autoreconf -vfi
diff --git a/src/patches/squid/squid-3.5-14142.patch b/src/patches/squid/squid-3.5-14142.patch
new file mode 100644
index 0000000000..8649e27f9a
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14142.patch
@@ -0,0 +1,72 @@
+------------------------------------------------------------
+revno: 14142
+revision-id: squid3@treenet.co.nz-20170208054033-pxqn8rs4yu713ijq
+parent: squid3@treenet.co.nz-20170128035415-bpwt79jsobv1rqx3
+author: Christos Tsantilas <chtsanti@users.sourceforge.net>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Wed 2017-02-08 18:40:33 +1300
+message:
+  Bump SSL client on [more] errors encountered before ssl_bump evaluation
+  
+  ... such as ERR_ACCESS_DENIED with HTTP/403 Forbidden triggered by an
+  http_access deny rule match.
+  
+  The old code allowed ssl_bump step1 rules to be evaluated in the
+  presence of an error. An ssl_bump splicing decision would then trigger
+  the useless "send the error to the client now" processing logic instead
+  of going down the "to serve an error, bump the client first" path.
+  
+  Furthermore, the ssl_bump evaluation result itself could be surprising
+  to the admin because ssl_bump (and most other) rules are not meant to be
+  evaluated for a transaction in an error state. This complicated triage.
+  
+  Also polished an important comment to clarify that we want to bump on
+  error if (and only if) the SslBump feature is applicable to the failed
+  transaction (i.e., if the ssl_bump rules would have been evaluated if
+  there were no prior errors). The old comment could have been
+  misinterpreted that ssl_bump rules must be evaluated to allow an
+  "ssl_bump splice" match to hide the error.
+  
+  This is a Measurement Factory project.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20170208054033-pxqn8rs4yu713ijq
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 8c3f2a03f86aa1b1484195a63742bc4002ba2359
+# timestamp: 2017-02-08 05:51:15 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20170128035415-\
+#   bpwt79jsobv1rqx3
+# 
+# Begin patch
+=== modified file 'src/client_side_request.cc'
+--- src/client_side_request.cc	2017-01-23 02:05:46 +0000
++++ src/client_side_request.cc	2017-02-08 05:40:33 +0000
+@@ -1442,6 +1442,13 @@
+         return false;
+     }
+ 
++    if (error) {
++        debugs(85, 5, "SslBump applies. Force bump action on error " << err_type_str[(error->type >= ERR_NONE && error->type < ERR_MAX) ? error->type : ERR_NONE]);
++        http->sslBumpNeed(Ssl::bumpBump);
++        http->al->ssl.bumpMode = Ssl::bumpBump;
++        return false;
++    }
++
+     // Do not bump during authentication: clients would not proxy-authenticate
+     // if we delay a 407 response and respond with 200 OK to CONNECT.
+     if (error && error->httpStatus == Http::scProxyAuthenticationRequired) {
+@@ -1781,8 +1788,9 @@
+     }
+ 
+ #if USE_OPENSSL
+-    // We need to check for SslBump even if the calloutContext->error is set
+-    // because bumping may require delaying the error until after CONNECT.
++    // Even with calloutContext->error, we call sslBumpAccessCheck() to decide
++    // whether SslBump applies to this transaction. If it applies, we will
++    // attempt to bump the client to serve the error.
+     if (!calloutContext->sslBumpCheckDone) {
+         calloutContext->sslBumpCheckDone = true;
+         if (calloutContext->sslBumpAccessCheck())
+
-- 
2.39.2