Bug 4102: sslbump cert contains only a dot character in key usage extension
The patch for bug 3966 was slightly incorrect. As a result the Key Usage
field for SSL-bump mimicked certificates could end up containing only a
dot (.) character.
Amos Jeffries [Thu, 16 Oct 2014 18:57:43 +0000 (11:57 -0700)]
Bug 3803: ident leaks memory on failure
Begin the process of conversion for IdentStateData to an AsyncJob.
* convert the object from CBDATA struct to a class with
CBDATA_CLASS2() API.
* Bug 3803 is caused by a lack of proper cleanup and consistent exit
actions terminating the job. Take the core logic changes from the
tested bug patch and;
1) define a swanSong() method to cleanup the memory allocated
2) define a deleteThis() method to emulate AsyncJob::deleteThis()
* Locate all code paths leveraging conn->close() to trigger cleanup
via the connection close handler and convert to explicit deleteThis()
with excuse. Including a few which were not but need to in order to
terminate the job correctly as fixed in bug 3803 patch.
The actions performed are nearly identical to the original code. The
differences are that many code paths now omit an AsyncCall step going
via the Comm close handler, and that all paths terminating the IDENT
lookup now go through swanSong() cleanup.
Further cleanup converting to a full AsyncJob is not included, since
there is an explicit hash of running IdentStateData object pointers
being used in the old code.
Amos Jeffries [Thu, 16 Oct 2014 18:37:10 +0000 (11:37 -0700)]
CBDATA: log memory leak situations when --enable-debug-cbdata
CBDATA objects are supposed to be explicitly locked and unlocked by all
users. The nominal 'owner' of the data is also supposed to mark it as
invalid when unlocking its reference.
If a CBDATA object reaches 0 locks and is still valid, it therefore
follows that either the locking or invalidate has not been properly
implemented.
Now that we are migrating to CbcPointer usage instead of explicit
lock/unlock macro calls we have started encountering these situations.
Any object reporting a 'leak' must be investigated;
a) perhaps RefCount is better?
b) using CbcPointer consistently and invalidating correctly.
Amos Jeffries [Wed, 8 Oct 2014 15:51:28 +0000 (08:51 -0700)]
Bug 4088: memory leak in external_acl_type helper with cache=0 or ttl=0
ExternalACLEntry / external_acl_entry objects have been abusing the
CBDATA API for reference counting and since 3.4 this has resulted in
hidden memory leaks as object accounting shows all locks released but
the memory is not freed by any 'owner'.
* convert to using RefCount<> API.
* move ExternalACLEntry pre-define to acl/forward.h
* add ExternalACLEntryPointer in acl/forward.h
* convert LookupDone() method to using explicit typed pointer
* convert from CBDATA_CLASS to MEMPROXY_CLASS memory management.
* convert almost all raw ExternalACLEntry* to Pointer
- remaining usage is in the cache hash pointers. Use an explicit 'cachd'
lock/unlock until this hash is updated to std:: structure types.
Browser vendors will get rid of SSL certificates that use SHA-1 to generate
the hash that is then signed by the CA. For example, Google Chrome will start
to show an "insecure" sign for certificates that are valid after 1.1.2016 and
will generate a warning page for certificates that are valid after 1.1.2017 [1],
[2],[4]. Microsoft will block certificates with SHA-1 after 1.1.2017 [3].
This patch:
1) Add a new configuration option to select the signing hash for
generated certificates: sslproxy_cert_sign_hash.
2) If sslproxy_cert_sign_hash is not set, then use the sha256 hash.
This patch adds support for the "Validate server certificates without bumping"
use case described on the Peek and Splice wiki page:
http://wiki.squid-cache.org/Features/SslPeekAndSplice
This patch sends to the certificate validation helper the certificates and
errors found in SslBump3 step, even if the splicing mode is selected.
In case the validation helper finds errors in certificates, an error
page is returned to the HTTP client.
The SSL error forwarding is controlled by ACLs along these lines:
sslproxy_cert_error allow sslBoringErrors
sslproxy_cert_error allow serversWithInvalidCerts
sslproxy_cert_error deny all
Amos Jeffries [Thu, 2 Oct 2014 12:07:26 +0000 (05:07 -0700)]
Portability: provide xstatvfs() shim for system call statvfs()
statfs() and struct statfs have been deprecated for years. However the
POSIX statvfs replacements are still not universally available.
Remove deprecated statfs() and struct statfs usage from Squid, although
they may still be used by the xstatvfs() compatibility wrapper if they
are the only available API.
- Record SSL bump action at each bumping step in the Ssl::ServerBump.
The new Ssl::ServerBump::act member added for this purpose.
- Split Ssl::PeerConnector::checkForPeekAndSplice to two methods
(checkForPeekAndSplice and checkForPeekAndSpliceDone) add some
documentation, and polish the code.
- Polish httpsSslBumpStep2AccessCheckDone function (client_side.cc file)
The PID and thus parent process PID concept is not available in Windows
and MinGW at least lacks the API mechanism.
This may re-open an issue with kid processes notifying the coordinator
when they are shutting down. If so we need to find an alternative
mechanism to replace this use of kill(getppid(), SIGUSR1)
Cleanup: convert AuthUserIP from CBDATA to MEMPROXY class
This object was not needing to be passed as callback arguments
but was using CBDATA type to gain memory pooling.
Converting to the correct pooling mechanism removes some more
uses of cbdataFree() and ensures the object and its members
destructors are called properly.
Cleanup: use SBuf::npos instead of npos in SBuf::append()
Small experiment. It is possible on some systems that std::npos / ::npos
is defined with a different integer size and value.
This may be what is confusing Coverity scan and producing buffer overrun
alerts in the append() c-string with default parameter case.
If ConfigParser::QuotedOrToEol() happened to return NULL, which may happen
if there is no token before the end of the current file, the auth module
config parser would crash.
Do not crash when sending %ssl::cert_subject to external ACL w/o certificate.
An ACL check in ConnStateData::postHttpsAccept (e.g., when dealing with an
intercepted SSL connection) uses an HttpRequest object that is not yet linked
with the ConnStateData object. Do not blindly dereference the pointer to the
latter.
Fixes a Squid crash when a foreign protocol client connected to an https_port.
The Ssl::Bio::read will fail to recognize the SSL protocol and will return "-1"
as the number of SSL bytes read. The Ssl::ClientBio::read must return error (-1)
in this case.
Send selected SSL version and cipher to the certificate validation helper.
This patch sends the selected cipher suite and the selected SSL/TLS version
to the certificate verification helper using the "proto_version=v" and
"cipher=c" key=value pairs.
On MinGW at least, macro replacement appears to be case-insensitive.
The lower-case freeaddrinfo/initaddrinfo system functions are defined
with macros, both in MinGW headers and Squid libcompat.
SourceLayout: rename auth module files to match guidelines
* Squid-3 coding guidelines require that files are named after the
class(es) contained within. Rename the files containing auth Config
classes to match.
* Remove the unused DefaultAuthenticateChildrenMax macros.
* simplify included headers in auth modules.
* alphabetize the order auth modules are detected.
Windows: Fix error displaying helper name on pipe close errors
The helper name string is not directly available to the HelperServerBase
methods for closing pipes. Pass it from the method callers as needed and
drop logging of the command line details.
idnsParseResolvConf() had been disabled for all Windows builds. Cygwin
does provide this system config file.
Also, instead of seeding #if/#endif wrappers around, always call the
function and just wrap its internals away from Windows builds that do
not supply the necessary config file.
Portability: rename BodyPipe member to avoid clash with pipe() macro
Our Windows compatibility layer defines pipe() as a macro. On MinGW at
least the precompiler makes no distinction between parameterless macro
pipe() and pipe variables.
Use thePipe for member naming and aPipe for function local variables.
Windows: fix mapping between POSIX and Windows socket types
MinGW at least still defines several socket structure fields with size_t
instead of socklen_t. In order to maintain the POSIX API definition in
appearance we need to cast these types to their POSIX variant regardless
of whether size_t or socklen_t is used.
* Windows defines CMSG_DATA macro name for uses unrelated to the BSD
socket CMSG mechanism. Define SQUID_CMSG_DATA as a generic replacement.
* MinGW provides a wrapper layer emulating the BSD socket CMSG mechanism
in the form of WSA_CMG_* macros for the BSD struct types.
Detect and use those wrapper macros when available.
Cleanup: wrap some C-includes with protective macros
Squid-3 guidelines require that C-header includes should be wrapped
and the absence of wrapping causes build errors on Windows at least for
these ones.
Source Maintenance: fix various maintenance script issues
* ensure auto-generated .list are sorted, instead of ad-hoc system
dependent ordering which can cause needless updates.
* grep only paths with *.* (usually files) instead of all items in each
directory. This avoids scanning sub-directory indexes with grep, which
produces fatal errors on some systems.
* add check for Squid Software Foundation copyright blurb and highlight
files needing attention.
%<tt (total server time) is not computed in some cases
The total server time is not computed for CONNECT requests.
Another example case is when server-first bumping mode is used and Squid
connects to an SSL peer, but the connection is terminated before the SSL
handshake completes.
PROXY protocol has been developed by Willy Tarreau of HAProxy for
communicating original src and dst IP:port details between proxies and
load balancers in a protocol-agnostic way.
stunnel, HAProxy and some other HTTP proxying software are already
enabled and by adding support to Squid we can effectively chain these
proxies without having to rely on X-Forwarded-For headers.
This patch adds http_port mode flag (require-proxy-header) to signal the
protocol is in use, parsing and processing logics for the PROXY protocol
headers on new connections, and the proxy_protocol_access control to
manage inbound connections.
The indirect client security/trust model remains unchanged. As do all
HTTP related logics on the connection once PROXY protocol header has
been received.
Future Work:
* support sending PROXY protocol to cache_peers
* support receiving PROXY protocol on https_port
* rework the PROXY parse logics as a Parser-NG child parser.
Close active pconns after their *_port goes away on reconfigure.
This change reduces what may be perceived as reconfigure memory leaks
related to *_port options. Before this change, a single persistent
connection could continue to receive new requests (and tie no longer
globally accessible PortCfg-related structures) for hours.