Amos Jeffries [Tue, 26 May 2015 17:25:04 +0000 (10:25 -0700)]
Replace Packer object API with Packable API
Majority of thost patch is symbol renaming to unify the
class method names to the Packable API names.
There is effectively no logical change in this patch
despite appearances because it replaces the Packer object
which provides methods which are just wrappers pointing
to static functions which are in turn wrappers pointing
to storage buffer object methods. With direct calls to
those storage object methods (renamed).
We can now interchangebly use MemBuf or StoreEntry objects
with the packInto(Packable *) functions. Or any other
object which inherits and implements the Packable API.
We also gain 0.1% in performance (+2 RPS) by avoiding the
layers of wrapper funcions and Packer object allocate /
deallocate cycles.
Amos Jeffries [Sat, 23 May 2015 05:10:00 +0000 (22:10 -0700)]
Cleanup: remove unnecessary if-conditions
krb5 credentials objects were being checked fro NULL before freeing in
several cases where they should not be. Use assert() instead to enforce
the expected behaviour.
The Adaptation::Icap::Xaction::swanSong may try to use an invalid
Icap::Xaction::cs object (Comm::ConnOpener object) if the Comm::ConnOpener
is already gone (because its job finished) but the Xaction::noteCommConnected
method is not called yet.
This patch makes the Adaptation::Icap::Xaction::cs object a CbcPointer instead
of a raw pointer and checks if the Xaction::cs object is still valid before
using it.
Amos Jeffries [Fri, 22 May 2015 15:43:19 +0000 (08:43 -0700)]
Portability: Define C++11 uniform distributions if missing
Older compilers standard libraries may not contain the uniform
distribution templates now used. But we may be able to use the TR1
distributions instead.
Amos Jeffries [Fri, 22 May 2015 13:59:49 +0000 (06:59 -0700)]
C++11: compiler support is now mandatory
We are now using too many C++11 features to go without proper support in
the compiler. Present ./configure time errors if support for -std=c++11
is missing.
Amos Jeffries [Fri, 22 May 2015 13:33:01 +0000 (06:33 -0700)]
Crypto-NG: update random number generators
C++11 brings with it a set of reasonable quality random number
generators and tools to retrieve values for various ranges and types.
Use those C++11 STL <random> features to replace the use of the
varyingly broken, weak or non-standard functions: rand(), random(),
lrand48(), and drand48().
In the process we gain much faster and higher 'quality' randomness in
the auth nonces and event queue scheduling. And more "even" spread for
the ACL random feature.
Amos Jeffries [Fri, 22 May 2015 09:42:55 +0000 (02:42 -0700)]
Replacement of sslversion=N by tls-min-version=1.N
Overall the default behaviour is changed from enumerating the protocols
wanted. To enumerating and eliminating the unwanted.
* sslversion= / version= parameter is removed from documentation.
* sslversion= code logics is converted from setting the SSL_*_method()
function to setting the ssloptions= masking parameters.
Yes this will open a hole for future libraries use of TLSv1.3. However
that is kind of desirable and if it becomes a problem the
ssloptions=NO_TLSv1_3 should be made available.
* The SSL_*_method() logic is all converted to using the flexible
TLS_*_Method() API when available (OpenSSL 1.1.0) otherwise the
equivalent SSLv23_*_method() API is used.
That API follows the latest specification behaviour: to send a protocol
frame type that any recipient should be able to parse (library decides
which), while only negotiating the protocol type permitted.
* A new option tls-min-version=1.N is added to server connection
directives. It controls *only* the TLS version range.
- http(s)_port directives are not (yet) implemented using
Security::PeerOptions. For now they are left with options= masking to
select protocol support.
- bug in http(s)_port directives version= parameter is fixed. The new
backward compatibility code accepts version=4|5|6 where the existing
code did not despite documentation saying it did.
- SSLv3 is left at the library default unless ssloptions=NO_SSLv3 is used.
* ssloptions= is left alone so anyone can still set the library options
masks to control SSLv3 enable/disable or specific TLS versions higher
than the configured minimum.
Fix "Not enough space to hold server hello message" error message
This patch merges the Ssl::ClientBio and Ssl::ServerBio read buffering code
to the Ssl::Bio::readAndBuffer method and uses the MemBuf::potentialSpaceSize
instead of MemBuf::spaceSize to check space size for SSL hello messages buffer,
to take in account available space after a possible buffer grow.
Amos Jeffries [Mon, 18 May 2015 12:50:03 +0000 (05:50 -0700)]
Prevent unused ssl_crtd helpers being run
The conditions for when to start ssl_crtd helpers was ignoring the
generate-host-certificates=off option. Meaning most ssl-bump installs
were running them needlessly.
Amos Jeffries [Fri, 15 May 2015 12:50:09 +0000 (05:50 -0700)]
Cleanup: Refactor IcmpConfig
Pull the IcmpConfig object out of the global SquidConfig structure and
updates it to processing its own parse logics. Bringing it inline with
the per-component configuration design in SourceLayout and HotConf projects.
This allows us to use SBuf for storing the pinger program details and
avoid valgrind complaints about some malloc.
It will also allow lazy re-starting of the helper to be implemented later.
Alex Dowad [Thu, 14 May 2015 10:24:29 +0000 (03:24 -0700)]
Fix incorrect use of errno in various libcomm.la places
Fix problems with 'errno' in TcpAcceptor::Listen, Comm::HandleRead, and
Comm::HandleWrite. 'errno' is only valid after a standard library function
returns an error. Also, we must avoid calling out to other functions before
recording the value of 'errno', since they might overwrite it.
Alex Dowad [Mon, 11 May 2015 15:31:57 +0000 (08:31 -0700)]
Fix signal.h usage to resolve compiler warning
When included, musl libc's sys/signal.h issues a compiler warning
stating that signal.h should be used directly instead. If gcc is
treating all warnings as errors, this breaks the build.
glibc's sys/signal.h does not contain any definitions; all it does
is include signal.h (indirectly). So directly including signal.h
doesn't break anything with glibc.
Nathan Hoad [Fri, 8 May 2015 19:28:16 +0000 (12:28 -0700)]
Fix missing external ACL helper notes
external ACL helper notes are only added onto the HTTP request that
kicked off the external ACL lookup, and not cached ACL responses.
This means if you set notes from an external ACL that are used for
some processing in other ACLs, or post-processing on logs, things
may be missed.
The comm_connect_addr on connect failures sets the xerrno to 0
and returns Comm::OK. This is causes problems on ConnOpener
class users which believes the connection is established and
it is ready for use.
Amos Jeffries [Fri, 8 May 2015 08:11:53 +0000 (01:11 -0700)]
Docs: shuffle SMP specific options to the top of squid.conf
The workers directive is required to be used before several other
directives. It makes little sense to documents it after the controls
which depend on it.
Make a new config section to contain the SMP specific options.
Amos Jeffries [Fri, 8 May 2015 07:13:35 +0000 (00:13 -0700)]
CacheMgr: display 'client_db off' instead of 0 clients accessing cache
... to clarify why there is no record of even the mgr request happening.
The cleint_db mechanism needs to be enabled and measuring traffci for
any useful client counter value to exist.
Inside IdleConnList::findUseable the IdleConnList::removeAt call can delete
"this" IdleConnList object. The IdleConnList::clearHandlers called imediatelly
after the removeAt method, will try to use the invalid "this" object in
a comm_read_cancel function call, causing this assertion or other similar.
This patch fixes the IdleConnList::findUseable, IdleConnList::pop and
IdleConnList::findAndClose methods to call IdleConnList::clearHandlers before
the IdleConnList::removeAt is called.
The maximum buffer size for holding Server and Client SSL hello messages is only
16k which is not enough hold a Hello message which includes some extensions and
1-2 or more Certificates.
This patch increases the maximum size to 65535 and also adds some checks to
avoid squid crashes in the case the hello messages buffer overflows.
This patch adds support for ICAP services that require SSL/TLS transport
connections. The same options used for the cache_peer directive are used for
the icap_service directive, with similar certificate validation logic.
To mark an ICAP service as "secure", use an "icaps://" service URI scheme when
listing your service via an icap_service directive. The industry is using a
"Secure ICAP" term, and Squid follows that convention, but "icaps" seems more
appropriate for a _scheme_ name.
Squid uses port 11344 for Secure ICAP by default, following another popular
proxy convention. The old 1344 default for plain ICAP ports has not changed.
Technical Details
==================
This patch:
- Splits Ssl::PeerConnector class into Ssl::PeerConnector parent and two kids:
Ssl::BlindPeerConnector, a basic SSL connector for cache_peers, and
Ssl::PeekingPeerConnector, a peek-and-splice SSL connector for HTTP servers.
- Adds a third Ssl::IcapPeerConnector kid to connect to Secure ICAP servers.
- Fixes ErrorState class to avoid crashes on nil ErrorState::request member.
(Ssl::IcapPeerConnector may generate an ErrorState with a nil request).
- Modifies the ACL peername to use the Secure ICAP server name as value while
connecting to an ICAP server. This is useful to make SSL certificate
policies based on ICAP server name. However, this change is undocumented
until we decide whether a dedicated ACL would be better.
This patch changes pconn_lifetime (r13780) to abort only really idle
persistent connections (when they timeout). It removes some "extra" features
(added to pconn_lifetime during the feature review) because they break things
when aggressive timeouts is combined with picky clients. Specifically,
1. Squid closed connections with partially received requests when they
reached pconn_lifetime limit. We should only close _idle_ connections.
2. When connecting to Squid without sending anything for longer than
pconn_lifetime, the connection hangs if the request is sent after the
waiting period.
3. The connection also hangs if the initial request is starting to be
transmitted but then there is a longer pause before the request is
completed.
Most of the above problems are easy to trigger only when using very aggressive
pconn_lifetime settings that the feature was not designed for, but they still
can be considered bugs from admins point of view. Fixes:
* Do not stop reading a partially received request when we are timing out,
to avoid aborting that request.
* Do not set keepalive flag based on the pconn_lifetime timeout. We cannot
predict whether some new request data is going to be read (and reset the
idle timeout clock) before our Connection:close response is sent back.
HTTP clients are supposed to recover from such races, but some apparently
do not, especially if it is their first request on the connection.
Convert packing methods from Packer* to Packable* objects
Packaging code can now receive any object that implements the Packable
interface instead of requiring the Packer trampoline object. For now it
is still the only object implementing Packable.
Packer class model used C-style function pointers and a standalone
object to perform C-style trampoline for function/method calls.
C++ virtual methods offer to inline all that directly in the data store
objects and enforces type safety on the child object methods instead of
forcing manual type casting on developers.
Re-implement Packer as a wrapper class providing the Packable interface
for backward compatibility with Packer* code. Future code should inherit
objects directly from Packable and implement the interface.
comm_connect_addr() uses errno to determine whether library calls like connect()
are successful. Its callers also use errno for extra information on the cause
of any problem. However, after calling library functions like connect(),
comm_connect_addr() calls other library functions which can overwrite errno.
As the errno manpage explains, "a function that succeeds is allowed to change
errno". So even when nothing is wrong, comm_connect_addr() may return an error
flag if libc sets errno. And when something *is* wrong, incorrect error information
may be returned to the caller because errno was overwritten with a different code.
Correct this by using our own error code variable which is set only when a library
call fails. To avoid breaking callers, set errno before returning.
Fix 'access_log none' to prevent following logs being used
The documented behaviour of "access_log none" for preventing logging
using log lines following the directive has not been working in
Squid-3 for some time.
Since the 'none' type does not have a log module associated the entire
switch logic where its abort is checked for was being skipped.
The SSL_get_peer_certificate openSSL function increases the lock for X509
object it returns so X509 object retrieved using this function must be
released with X509_free after use.
This patch uses the Ssl::X509_Pointer TidyPointer to release X509 object
retrieved with the SSL_get_peer_certificate function inside the
Ssl::PeerConnector::handleNegotiateError method
The SSL_get_peer_certificate openSSL function increases the lock for X509
object it returns so X509 object retrieved using this function must be
released with X509_free after use.
This patch uses the Ssl::X509_Pointer TidyPointer to release X509 object
retrieved with the SSL_get_peer_certificate function inside the
Ssl::PeerConnector::handleNegotiateError method
Unexpected SQUID_X509_V_ERR_DOMAIN_MISMATCH errors while accessing sites with valid certificates
A "const char *" pointer retrieved using the SBuf::c_str() method may attached
to an SSL object using the SSL_set_ex_data method as server name used to
validate server certificates. This pointer may become invalid, causing
the SQUID_X509_V_ERR_DOMAIN_MISMATCH errors.
This patch changes the type of the ssl_ex_index_server index used with the
SSL_set_ex_data function to be an SBuf object.
Portability: Add hacks to define C++11 explicit N-bit type limits
Add cstdint and stdint.h to libcompat headers and ensure that type limits
used by Squid are always available. Mostly this involves shuffling
existing hacks into the compat headers but the UINT32_* limits are new.
Despite the "must match" comment, MAX_AUTHTOKEN_LEN in
auth/UserRequest.h got out of sync with similar constants in Negotiate helpers.
A 32KB buffer cannot fit some helper requests (e.g., those carrying Privilege
Account Certificate information in the client's Kerberos ticket). Each truncated
request blocks the negotiate helper channel, eventually causing helper queue
overflow and possibly killing Squid.
This patch increases MAX_AUTHTOKEN_LEN in UserRequest.h to 65535 which
is also the maximum used by the negotiate helpers. The patch also adds checks
to avoid sending truncated requests, treating them as helper errors instead.
projects / thirdparty / squid.git / log
