Fix cache_peer login=PASS(THRU) after CVE-2015-5400
The patch for CVE-2015-5400 converts all non-200 peer responses
into 502 Bad Gateway responses when relaying a CONNECT to a peer.
This happens to break login=PASS and login=PASSTHRU behaviour
which relies on the 401 and 407 status being relayed transparently.
We need to relay the auth server responses as-is when login= is
set to PASS or PASSTHRU but then unconditionally close the
connections to prevent CVE-2015-5400 from occuring.
Certificate Revokation Lists have gone through several iterations
of logic redesign leading to duplicated code and non-optimal I/O.
Client contexts were loading CRL directly from disk into the
context on every new context creation. Whereas the server contexts
were loading into an OpenSSL STACK_OF structure and adding from
memory instead of disk. This later design is more performant.
* Move the pre-loaded CRL set to Security::PeerOptions and store
in a std::list structure as LockingPointer which will deallocate
as needed on shutdwown and reconfigure.
This depends on trunk rev.14304
* Replace the client context disk I/O with the pre-loaded CRL list
* Add GnuTLS CRL list types. Though at this point GnuTLS does not
pre-load the CRL files.
After the exception is thrown, Squid attempts to wind down the affected
transaction (as it should), but the code either quits with an unhandled
exception error or hits the !callback assertion, depending on whether
the async job processing was in place when the exception was hit (which
depends on whether non-blocking/slow ssl_bump ACLs were active).
The attached patch does three things:
1. Teaches Squid to guess the final ssl_bump action when no ssl_bump
rules match. The final guessed action is "bump" if the last non-final
action was "stare" and "splice" otherwise. I suspect that the older
Squid code attempted to do something like that, but that code may have
been lost when we taught Squid to ignore impossible ssl_bump actions.
2. Protects ssl_bump-checking code from quitting with an unhandled
exception error.
3. Converts the fatal !callback assertion into [hopefully less damaging]
transaction error, with a BUG message logged to cache.log.
More work may be needed to investigate other exceptions, especially
Must(!csd->serverBump() || csd->serverBump()->step <= Ssl::bumpStep2);
Add assigment and move operators to LockingPointer
These operators are required to use LockingPointer instances in STL
containers and unlike TidyPointer the LockingPointer can do them safely
due to the lock preventing premature deletions.
As an historic optimization StoreEntry uses a custom pool chunk size of 2MB.
Knowledge of the actual benefits from this optimization has been lost in time,
and it's not possible to accurately measure its actual impact in all load
scenarios; at the same time this optimization is blocking other potentially
useful developments.
This change is therefore considered a potential performance regression in
some load scenarios.
Bug 4309: Fix the presence of extensions detection in SSL Hello messages
RFC5246 section 7.4.1.3 (Server Hello) says:
The presence of extensions can be detected by determining whether
there are bytes following the compression_method field at the end of
the ServerHello.
Current parsing Hello code checks whether there are bytes in the whole SSL
message. It does not account for the fact that the message may contain more than
just ServerHello.
This patch fixes this issue and try to improve the related code to avoid related
problems in the future.
FILE* handles need to be closed on exit. Shuffle the processing loop logics
to a static function to avoid code duplication from all the requires close
points.
Also, use the available global flag debug_enabled instead of local variable
to avoid having to pass it down explicitly.
Using the MemBuf::buf directly is not great, but it does have a properly
terminated c-string in this instance. We cannot use Raw() interface
because that is for output at DBG_DATA levels and will only display the
buffer name as if that was the raw traffic bytes at 11,2.
Which negates the entire purpose of this 11,2 output.
Alex Rousskov [Tue, 1 Sep 2015 09:07:03 +0000 (02:07 -0700)]
Support splice for SSLv3 and TLSv1 sessions that start with an SSLv2 Hello
Such sessions are created, for example, by some SSL clients using OpenSSL
v0.9.8 with default options. This does _not_ re-enable SSLv2 sessions.
Just enacts the permitted exception for Hello messages in RFC 6176
Amos Jeffries [Sun, 30 Aug 2015 20:36:48 +0000 (13:36 -0700)]
Fix regression in rev.14268
My bad cut-n-paste resulted in wrong locking sequence.
Fixing that reveals that the validity check on the return
result triggers cases of cbdata 'locks > 0' assertions.
The validity test is not currently needed by the fastCheck
code which preserves the value. So removing for now.
Amos Jeffries [Wed, 26 Aug 2015 17:51:18 +0000 (10:51 -0700)]
Bug 3553: cache_swap_high ignored and maxCapacity used instead
Also, to make matters worse the amount of objects (max 70) being purged on
each of the 1-second maintenance loops was far too small for the traffic
speeds of up to 20k RPS now being processed by proxies.
This fixes the cache_swap_high behaviour to closer match what is documented
at present, although some documentatino does say it cleans all the way down
to the low-water mark. Which appears never to have been true in regards to
one cycle but would occur over several of the proxy speed was not too high.
With this updated algorithm there is almost no limit to how far the
aggressiveness can scale, but it is linear at 200 objects per multiple of the
gap between low- and high- watermark.
SwapDir::maintain is now fairly well documented and debug traces added. With
several TODO ideas for future improvement also documented in the method code.
projects / thirdparty / squid.git / log
