diff -u -r -N squid-3.5.3/acinclude/krb5.m4 squid-3.5.4/acinclude/krb5.m4 --- squid-3.5.3/acinclude/krb5.m4 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/acinclude/krb5.m4 2015-05-01 04:27:20.000000000 -0700 @@ -79,6 +79,9 @@ KRB5INT_BEGIN_DECLS #endif #endif +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#endif #include krb5_context kc; kc->max_skew = 1; ]]) @@ -100,6 +103,9 @@ KRB5INT_BEGIN_DECLS #endif #endif +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#endif #include int main(int argc, char *argv[]) { @@ -127,6 +133,9 @@ KRB5INT_BEGIN_DECLS #endif #endif +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#endif #include int main(int argc, char *argv[]) { @@ -157,6 +166,9 @@ #include #endif #else +#if USE_APPLE_KRB5 +#define GSSKRB_APPLE_DEPRECATED(x) +#endif #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H @@ -200,6 +212,9 @@ #include #endif #else +#if USE_APPLE_KRB5 +#define GSSKRB_APPLE_DEPRECATED(x) +#endif #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H @@ -239,6 +254,9 @@ AC_DEFUN([SQUID_CHECK_WORKING_KRB5],[ AC_CACHE_CHECK([for working krb5], squid_cv_working_krb5, [ AC_RUN_IFELSE([AC_LANG_SOURCE([[ +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#endif #if HAVE_KRB5_H #if HAVE_BROKEN_SOLARIS_KRB5_H #if defined(__cplusplus) @@ -338,6 +356,9 @@ [Define to 1 if you have krb5_get_init_creds_opt_alloc]),) AC_MSG_CHECKING([for krb5_get_init_creds_free requires krb5_context]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ + #if USE_APPLE_KRB5 + #define KERBEROS_APPLE_DEPRECATED(x) + #endif #include ]],[[krb5_context context; krb5_get_init_creds_opt *options; diff -u -r -N squid-3.5.3/acinclude/lib-checks.m4 squid-3.5.4/acinclude/lib-checks.m4 --- squid-3.5.3/acinclude/lib-checks.m4 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/acinclude/lib-checks.m4 2015-05-01 04:27:20.000000000 -0700 
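Review bot: The `#define KERBEROS_APPLE_DEPRECATED(x)` added ahead of the Kerberos include in the `@@ -79` hunk is unconditional and uncommented, and the same three lines (with `GSSKRB_APPLE_DEPRECATED(x)` for the GSSAPI probes) recur in the `-100`, `-127`, `-157`, `-200`, `-239` and `-338` hunks of this file and again in the generated configure. Each probe's source starts above its hunk, so I cannot see whether a header included earlier already defines the macro; if one does, the redefinition is itself a diagnostic, and `#ifndef KERBEROS_APPLE_DEPRECATED` around the define (or an `#undef` first) would avoid it. Collecting the preamble into one m4 macro (a constructed name such as `SQUID_APPLE_KRB5_PREAMBLE`) would keep the seven copies in step. It also needs its reason recorded once, e.g. `dnl Apple's Kerberos/GSSAPI headers annotate entry points as deprecated; emptying the annotation macro keeps that diagnostic from failing these probes.`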
@@ -106,7 +106,10 @@ AC_DEFINE(SQUID_SSLGETCERTIFICATE_BUGGY, 1) AC_MSG_RESULT([yes]) ], - []) + [ + AC_DEFINE(SQUID_SSLGETCERTIFICATE_BUGGY, 0) + AC_MSG_RESULT([cross-compile, assuming no]) + ]) AC_MSG_CHECKING(whether the workaround for SSL_get_certificate works) AC_RUN_IFELSE([ @@ -132,7 +135,10 @@ [ AC_MSG_RESULT([no]) ], -[]) + [ + AC_DEFINE(SQUID_USE_SSLGETCERTIFICATE_HACK, 0) + AC_MSG_RESULT([cross-compile, assuming no]) + ]) SQUID_STATE_ROLLBACK(check_SSL_get_certificate) ]) diff -u -r -N squid-3.5.3/ChangeLog squid-3.5.4/ChangeLog --- squid-3.5.3/ChangeLog 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/ChangeLog 2015-05-01 04:27:20.000000000 -0700 @@ -1,3 +1,20 @@ +Changes to squid-3.5.4 (01 May 2015): + + - Bug 4234: comm_connect_addr uses errno incorrectly + - Bug 4231: fd_open() not correctly handling UDS socket descriptions + - Bug 4226: digest_edirectory_auth: found but cannot be built + - Bug 4198: assertion failed: client_side.h:364: "sslServerBump == srvBump" + - Bug 3775: Disable HTTP/1.1 pipeline feature for pinned connections + - Fix require-proxy-header preventing HTTPS proxying and ssl-bump + - Fix Negotiate/Kerberos authentication request size exceeds output buffer size + - Fix SQUID_X509_V_ERR_DOMAIN_MISMATCH errors while accessing sites with valid certificates + - Add server_name ACL matching server name(s) obtained from various sources + - Add Kerberos support for MAC OS X 10.x + - Support for resuming TLS sessions + - ... and some portability and compile fixes + - ... and several documentation updates + - ... and all fixes from squid 3.4.13 + Changes to squid-3.5.3 (28 Mar 2015): - Regression Bug 4213: negotiate_kerberos_auth: freeing non-dynamic memory 
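Review bot: The cross-compile branch added in the `@@ -106` hunk hard-codes `AC_DEFINE(SQUID_SSLGETCERTIFICATE_BUGGY, 0)`, and the `@@ -132` hunk does the same for `SQUID_USE_SSLGETCERTIFICATE_HACK`, so a cross-built Squid whose target OpenSSL does have the SSL_get_certificate defect presumably gets the workaround left out, with only a configure message recording the guess. Both probes are AC_RUN_IFELSE and cannot execute on the build host, so the usual remedy is to let the builder supply the answer: consult a cache variable (a constructed name such as `squid_cv_sslgetcertificate_buggy`) in the cross-compile branch and fall back to `0` only when it is unset, so the value can be pre-seeded on the configure command line. The choice should also be written down next to the branch, e.g. `dnl cross-compiling: the run test is impossible; assume the target OpenSSL is unaffected unless the builder says otherwise.` The enclosing macro begins above the first hunk.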
@@ -131,6 +148,12 @@ - ... and many error page translation updates - ... and much code cleanup and polishing +Changes to squid-3.4.13 (01 May 2015): + + - Bug 4212: ssl_crtd crashes with corrupt database + - ... and some documentation updates + - ... and all fixes from squid 3.3.14 + Changes to squid-3.4.12 (18 Feb 2015): - Bug 4066: Digest auth nonce indefinite rollover @@ -348,6 +371,12 @@ - ... and many documentation changes - ... and much code cleanup and polishing +Changes to squid-3.3.14 (01 May 2015): + + - Bug 4093: source-maintenance.sh errors and warnings due to wrong tools/options + - ... and some documentation updates + - ... and all fixes from squid 3.2.14 + Changes to squid-3.3.13 (28 Aug 2014): - Fix segmentation fault setting up server SSL connnection @@ -533,6 +562,12 @@ - ... and many compile error fixes - ... and a very large amount of code polish for faster compilation +Changes to squid-3.2.14 (01 May 2015): + + - Fix 'access_log none' to prevent following logs being used + - Fix X509 server certificate domain matching + - ... some documentation updates + Changes to squid-3.2.13 (13 Jul 2013): - Bug 3869: assertion failed: MemBuf.cc:272: size < capacity diff -u -r -N squid-3.5.3/compat/Makefile.in squid-3.5.4/compat/Makefile.in --- squid-3.5.3/compat/Makefile.in 2015-03-28 03:59:15.000000000 -0700 +++ squid-3.5.4/compat/Makefile.in 2015-05-01 04:28:27.000000000 -0700 
@@ -83,8 +83,8 @@ build_triplet = @build@ host_triplet = @host@ DIST_COMMON = $(top_srcdir)/src/Common.am $(srcdir)/Makefile.in \ - $(srcdir)/Makefile.am initgroups.c strerror.c drand48.c \ - psignal.c strtoll.c tempnam.c $(top_srcdir)/cfgaux/depcomp \ + $(srcdir)/Makefile.am psignal.c initgroups.c drand48.c \ + tempnam.c strtoll.c strerror.c $(top_srcdir)/cfgaux/depcomp \ $(top_srcdir)/cfgaux/test-driver check_PROGRAMS = testPreCompiler$(EXEEXT) TESTS = testPreCompiler$(EXEEXT) testHeaders diff -u -r -N squid-3.5.3/compat/types.h squid-3.5.4/compat/types.h --- squid-3.5.3/compat/types.h 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/compat/types.h 2015-05-01 04:27:20.000000000 -0700 @@ -50,6 +50,47 @@ /******************************************************/ /* + * Ensure that standard type limits are defined for use + */ +#if __cplusplus >= 201103L +#include +#elif HAVE_STDINT_H +#include +#endif + +/* explicit bit sizes */ +#if !defined(UINT32_MIN) +#define UINT32_MIN 0x00000000L +#endif +#if !defined(UINT32_MAX) +#define UINT32_MAX 0xFFFFFFFFL +#endif + +#if !defined(INT_MAX) +#define INT_MAX 0x7FFFFFFFL // hack but a safe bet (32-bit signed integer) +#endif + +#if !defined(INT64_MIN) +/* Native 64 bit system without strtoll() */ +#if defined(LONG_MIN) && (SIZEOF_LONG == 8) +#define INT64_MIN LONG_MIN +#else +/* 32 bit system */ +#define INT64_MIN (-9223372036854775807LL-1LL) +#endif +#endif + +#if !defined(INT64_MAX) +/* Native 64 bit system without strtoll() */ +#if defined(LONG_MAX) && (SIZEOF_LONG == 8) +#define INT64_MAX LONG_MAX +#else +/* 32 bit system */ +#define INT64_MAX 9223372036854775807LL +#endif +#endif + +/* * ISO C99 Standard printf() macros for 64 bit integers * On some 64 bit platform, HP Tru64 is one, for printf must be used * "%lx" instead of "%llx" diff -u -r -N squid-3.5.3/configure squid-3.5.4/configure --- squid-3.5.3/configure 2015-03-28 04:00:06.000000000 -0700 +++ squid-3.5.4/configure 2015-05-01 04:29:25.000000000 -0700 
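Review bot: The `#define INT_MAX 0x7FFFFFFFL` fallback in the compat/types.h hunk guards a `<limits.h>` macro while the lines above it include only what appears to be the stdint header, so it fires whenever this header is reached before `<limits.h>`/`<climits>` in a translation unit, and the later system definition (spelled differently, and of type `int`) then raises a macro-redefinition diagnostic. The safer shape is to include the limits header first under the project's autoconf guard for it, in the same style as the `HAVE_STDINT_H` branch, and define `INT_MAX` only if it is still absent; the `L` suffix should go as well, because the standard `INT_MAX` has type `int` whereas `0x7FFFFFFFL` is a `long`, which changes promotions and `printf` format expectations wherever the fallback is used. `UINT32_MAX 0xFFFFFFFFL` has the matching problem in the other direction: on an LP64 target it is a signed `long` while the standard macro is unsigned, so `0xFFFFFFFFU` (or `UINT32_C(0xFFFFFFFF)`) matches the real definition. `UINT32_MIN` is not a standard name; a short comment saying it is Squid-local would keep readers from expecting it from the system headers.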
@@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.5.3. +# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.5.4. # # Report bugs to . # @@ -595,8 +595,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='3.5.3' -PACKAGE_STRING='Squid Web Proxy 3.5.3' +PACKAGE_VERSION='3.5.4' +PACKAGE_STRING='Squid Web Proxy 3.5.4' PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' PACKAGE_URL='' @@ -1617,7 +1617,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 3.5.3 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 3.5.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1687,7 +1687,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 3.5.3:";; + short | recursive ) echo "Configuration of Squid Web Proxy 3.5.4:";; esac cat <<\_ACEOF @@ -2094,7 +2094,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 3.5.3 +Squid Web Proxy configure 3.5.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3198,7 +3198,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 3.5.3, which was +It was created by Squid Web Proxy $as_me 3.5.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4065,7 +4065,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='3.5.3' + VERSION='3.5.4' cat >>confdefs.h <<_ACEOF 
@@ -20137,7 +20137,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#include +#include int32_t n_32 = 0; uint64_t n_64 = 0; @@ -22966,10 +22966,12 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the SSL_get_certificate is buggy" >&5 $as_echo_n "checking whether the SSL_get_certificate is buggy... " >&6; } if test "$cross_compiling" = yes; then : - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot run test program while cross compiling -See \`config.log' for more details" "$LINENO" 5; } + + $as_echo "#define SQUID_SSLGETCERTIFICATE_BUGGY 0" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross-compile, assuming no" >&5 +$as_echo "cross-compile, assuming no" >&6; } + else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -23014,10 +23016,12 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the workaround for SSL_get_certificate works" >&5 $as_echo_n "checking whether the workaround for SSL_get_certificate works... " >&6; } if test "$cross_compiling" = yes; then : - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot run test program while cross compiling -See \`config.log' for more details" "$LINENO" 5; } + + $as_echo "#define SQUID_USE_SSLGETCERTIFICATE_HACK 0" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross-compile, assuming no" >&5 +$as_echo "cross-compile, assuming no" >&6; } + else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -23477,6 +23481,7 @@ + # Check whether --with-heimdal-krb5 was given. if test "${with_heimdal_krb5+set}" = set; then : withval=$with_heimdal_krb5; 
@@ -23628,6 +23633,7 @@ krb5confpath="`dirname $ac_cv_path_krb5_config`" ac_heimdal="`$ac_cv_path_krb5_config --version 2>/dev/null | grep -c -i heimdal`" ac_solaris="`$ac_cv_path_krb5_config --version 2>/dev/null | grep -c -i solaris`" + ac_apple="`$ac_cv_path_krb5_config --vendor 2>/dev/null | grep -c -i apple`" if test $ac_heimdal -gt 0 ; then with_heimdal_krb5=yes ac_with_krb5_count=1 @@ -23636,7 +23642,11 @@ with_solaris_krb5=yes ac_with_krb5_count=1 fi - if test $ac_heimdal -eq 0 && test $ac_solaris -eq 0 ; then + if test $ac_apple -gt 0 ; then + with_apple_krb5=yes + ac_with_krb5_count=1 + fi + if test $ac_heimdal -eq 0 && test $ac_solaris -eq 0 && test $ac_apple -eq 0; then with_mit_krb5=yes ac_with_krb5_count=1 fi @@ -23647,7 +23657,7 @@ fi fi -if test "x$with_mit_krb5" = "xyes"; then +if test "x$with_mit_krb5" = "xyes" || test "x$with_apple_krb5" = "xyes" ; then # save state, key is squid_krb5_save squid_krb5_save_CFLAGS="${CFLAGS}" @@ -24267,12 +24277,19 @@ fi if test "x$LIB_KRB5_LIBS" != "x"; then - KRB5LIBS="$LIB_KRB5_PATH $LIB_KRB5_LIBS $KRB5LIBS" - KRB5INCS="$LIB_KRB5_CFLAGS" + if test "x$with_apple_krb5" = "xyes" ; then + +$as_echo "#define USE_APPLE_KRB5 1" >>confdefs.h + + KRB5_FLAVOUR="Apple" + else $as_echo "#define USE_MIT_KRB5 1" >>confdefs.h - KRB5_FLAVOUR="MIT" + KRB5_FLAVOUR="MIT" + fi + KRB5LIBS="$LIB_KRB5_PATH $LIB_KRB5_LIBS $KRB5LIBS" + KRB5INCS="$LIB_KRB5_CFLAGS" # check for other specific broken implementations CXXFLAGS="$CXXFLAGS $KRB5INCS" @@ -25019,6 +25036,9 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ + #if USE_APPLE_KRB5 + #define KERBEROS_APPLE_DEPRECATED(x) + #endif #include int @@ -25093,6 +25113,9 @@ KRB5INT_BEGIN_DECLS #endif #endif +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#endif #include int main(int argc, char *argv[]) { 
@@ -25155,6 +25178,9 @@ KRB5INT_BEGIN_DECLS #endif #endif +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#endif #include int main(int argc, char *argv[]) { @@ -25220,6 +25246,9 @@ #include #endif #else +#if USE_APPLE_KRB5 +#define GSSKRB_APPLE_DEPRECATED(x) +#endif #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H @@ -25300,6 +25329,9 @@ #include #endif #else +#if USE_APPLE_KRB5 +#define GSSKRB_APPLE_DEPRECATED(x) +#endif #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H @@ -25374,6 +25406,9 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#endif #if HAVE_KRB5_H #if HAVE_BROKEN_SOLARIS_KRB5_H #if defined(__cplusplus) @@ -26482,6 +26517,9 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ + #if USE_APPLE_KRB5 + #define KERBEROS_APPLE_DEPRECATED(x) + #endif #include int @@ -26556,6 +26594,9 @@ KRB5INT_BEGIN_DECLS #endif #endif +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#endif #include int main(int argc, char *argv[]) { @@ -26618,6 +26659,9 @@ KRB5INT_BEGIN_DECLS #endif #endif +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#endif #include int main(int argc, char *argv[]) { @@ -26683,6 +26727,9 @@ #include #endif #else +#if USE_APPLE_KRB5 +#define GSSKRB_APPLE_DEPRECATED(x) +#endif #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H @@ -26763,6 +26810,9 @@ #include #endif #else +#if USE_APPLE_KRB5 +#define GSSKRB_APPLE_DEPRECATED(x) +#endif #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H @@ -26837,6 +26887,9 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#endif #if HAVE_KRB5_H #if HAVE_BROKEN_SOLARIS_KRB5_H #if defined(__cplusplus) @@ -28997,6 +29050,9 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ + #if USE_APPLE_KRB5 + #define KERBEROS_APPLE_DEPRECATED(x) + #endif #include int 
@@ -29071,6 +29127,9 @@ KRB5INT_BEGIN_DECLS #endif #endif +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#endif #include int main(int argc, char *argv[]) { @@ -29133,6 +29192,9 @@ KRB5INT_BEGIN_DECLS #endif #endif +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#endif #include int main(int argc, char *argv[]) { @@ -29198,6 +29260,9 @@ #include #endif #else +#if USE_APPLE_KRB5 +#define GSSKRB_APPLE_DEPRECATED(x) +#endif #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H @@ -29278,6 +29343,9 @@ #include #endif #else +#if USE_APPLE_KRB5 +#define GSSKRB_APPLE_DEPRECATED(x) +#endif #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H @@ -29352,6 +29420,9 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#endif #if HAVE_KRB5_H #if HAVE_BROKEN_SOLARIS_KRB5_H #if defined(__cplusplus) @@ -29678,6 +29749,9 @@ #include #endif #else +#if USE_APPLE_KRB5 +#define GSSKRB_APPLE_DEPRECATED(x) +#endif #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H @@ -29758,6 +29832,9 @@ #include #endif #else +#if USE_APPLE_KRB5 +#define GSSKRB_APPLE_DEPRECATED(x) +#endif #if HAVE_GSSAPI_GSSAPI_H #include #elif HAVE_GSSAPI_H @@ -29832,6 +29909,9 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#endif #if HAVE_KRB5_H #if HAVE_BROKEN_SOLARIS_KRB5_H #if defined(__cplusplus) @@ -32509,7 +32589,7 @@ cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF - BUILD_HELPER="LDAP" + BUILD_HELPER="eDirectory" fi done 
@@ -33214,6 +33294,46 @@ if test "x$with_krb5" == "xyes"; then BUILD_HELPER="kerberos_ldap_group" + if test "x$with_apple_krb5" = "xyes" ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lresolv" >&5 +$as_echo_n "checking for main in -lresolv... " >&6; } +if ${ac_cv_lib_resolv_main+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lresolv $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + +int +main () +{ +return main (); + ; + return 0; +} +_ACEOF +if ac_fn_cxx_try_link "$LINENO"; then : + ac_cv_lib_resolv_main=yes +else + ac_cv_lib_resolv_main=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_resolv_main" >&5 +$as_echo "$ac_cv_lib_resolv_main" >&6; } +if test "x$ac_cv_lib_resolv_main" = xyes; then : + XTRA_LIBS="$XTRA_LIBS -lresolv" +else + + as_fn_error $? "library 'resolv' is required for Apple Kerberos" "$LINENO" 5 + +fi + + fi squid_cv_check_sasl="auto" for ac_header in sasl/sasl.h sasl.h @@ -40794,7 +40914,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 3.5.3, which was +This file was extended by Squid Web Proxy $as_me 3.5.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -40860,7 +40980,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Squid Web Proxy config.status 3.5.3 +Squid Web Proxy config.status 3.5.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -u -r -N squid-3.5.3/configure.ac squid-3.5.4/configure.ac --- squid-3.5.3/configure.ac 2015-03-28 04:00:06.000000000 -0700 +++ squid-3.5.4/configure.ac 2015-05-01 04:29:24.000000000 -0700 @@ -5,7 +5,7 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -AC_INIT([Squid Web Proxy],[3.5.3],[http://bugs.squid-cache.org/],[squid]) +AC_INIT([Squid Web Proxy],[3.5.4],[http://bugs.squid-cache.org/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) @@ -425,7 +425,7 @@ # Check for atomic operations support in the compiler AC_CACHE_CHECK([for GNU atomic operations support],[squid_cv_gnu_atomics],[ AC_RUN_IFELSE([AC_LANG_PROGRAM([[ -#include +#include int32_t n_32 = 0; uint64_t n_64 = 0; ]],[[ @@ -1390,6 +1390,7 @@ with_mit_krb5=yes esac ]) +AH_TEMPLATE(USE_APPLE_KRB5,[Apple Kerberos support is available]) AH_TEMPLATE(USE_MIT_KRB5,[MIT Kerberos support is available]) AH_TEMPLATE(USE_SOLARIS_KRB5,[Solaris Kerberos support is available]) @@ -1480,6 +1481,7 @@ krb5confpath="`dirname $ac_cv_path_krb5_config`" ac_heimdal="`$ac_cv_path_krb5_config --version 2>/dev/null | grep -c -i heimdal`" ac_solaris="`$ac_cv_path_krb5_config --version 2>/dev/null | grep -c -i solaris`" + ac_apple="`$ac_cv_path_krb5_config --vendor 2>/dev/null | grep -c -i apple`" if test $ac_heimdal -gt 0 ; then with_heimdal_krb5=yes ac_with_krb5_count=1 
@@ -1488,7 +1490,11 @@ with_solaris_krb5=yes ac_with_krb5_count=1 fi - if test $ac_heimdal -eq 0 && test $ac_solaris -eq 0 ; then + if test $ac_apple -gt 0 ; then + with_apple_krb5=yes + ac_with_krb5_count=1 + fi + if test $ac_heimdal -eq 0 && test $ac_solaris -eq 0 && test $ac_apple -eq 0; then with_mit_krb5=yes ac_with_krb5_count=1 fi @@ -1498,7 +1504,7 @@ fi fi -if test "x$with_mit_krb5" = "xyes"; then +if test "x$with_mit_krb5" = "xyes" || test "x$with_apple_krb5" = "xyes" ; then SQUID_STATE_SAVE([squid_krb5_save]) LIBS="$LIBS $LIB_KRB5_PATH" @@ -1549,10 +1555,15 @@ ]) if test "x$LIB_KRB5_LIBS" != "x"; then + if test "x$with_apple_krb5" = "xyes" ; then + AC_DEFINE(USE_APPLE_KRB5,1,[Apple Kerberos support is available]) + KRB5_FLAVOUR="Apple" + else + AC_DEFINE(USE_MIT_KRB5,1,[MIT Kerberos support is available]) + KRB5_FLAVOUR="MIT" + fi KRB5LIBS="$LIB_KRB5_PATH $LIB_KRB5_LIBS $KRB5LIBS" KRB5INCS="$LIB_KRB5_CFLAGS" - AC_DEFINE(USE_MIT_KRB5,1,[MIT Kerberos support is available]) - KRB5_FLAVOUR="MIT" # check for other specific broken implementations CXXFLAGS="$CXXFLAGS $KRB5INCS" diff -u -r -N squid-3.5.3/CONTRIBUTORS squid-3.5.4/CONTRIBUTORS --- squid-3.5.3/CONTRIBUTORS 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/CONTRIBUTORS 2015-05-01 04:27:20.000000000 -0700 
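Review bot: The new `if test $ac_apple -gt 0` block in the `@@ -1488` hunk is not exclusive with the Heimdal and Solaris detections above it: every branch assigns `ac_with_krb5_count=1` instead of incrementing, so a krb5-config whose `--version` output matches `heimdal` and whose `--vendor` output matches `apple` (Apple's Kerberos is Heimdal-derived, though I cannot confirm what its krb5-config prints) ends with both `with_heimdal_krb5=yes` and `with_apple_krb5=yes` and the count still at 1. Whatever checks `ac_with_krb5_count` further down, outside this hunk, would then see no conflict, and the Apple-specific `AC_DEFINE(USE_APPLE_KRB5, ...)` of the `@@ -1549` hunk could land alongside the Heimdal configuration. Testing Apple first and chaining the rest with `elif`, e.g. `if test $ac_apple -gt 0 ; then with_apple_krb5=yes ; elif test $ac_heimdal -gt 0 ; then with_heimdal_krb5=yes ; ...`, makes the flavours mutually exclusive, and the final MIT fallback can then be a plain `else`. The `ac_apple` assignment lives in the `@@ -1480` hunk on the previous line, and the surrounding `if` continues past this hunk.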
@@ -1,96 +1,136 @@ -This file contains a list of Squid contributors: people and organizations that -have volunteered their time, effort, code, and ideas to make Squid software. -Thank you! +Special thanks go to people who have volunteered their time, effort, +and ideas to make this software available. Adam Ciarcinski Adrian Chadd + Aecio F. Alan Mizrahi + Alan Nastac + Aleksa + Aleksa ??u??uli?? Alexander B. Demenshin Alexander Komyagin + Alexander Lukyanov Alexander Lukyanov Alexandre Chappaz + Alexandre SIMON + Alex Dowad Alexey Veselovsky Alexis Robert Alex Rousskov + Alex Rousskov Alin Nastac Alter Amos Jeffries Amos Jeffries + Amos Anatoli Andrea Gagliardi Andreas Jaeger Andreas Lamprecht Andres Kroonmaa + Andrew Balabohin Andrew Beverley Andrew Doran + Andrew Evdokimov Andrew Hoying Andrew Tridgell Andrey Shorin + Anonymous Pootle User Anonymous Ansgar Hockmann Anthony Baxter Antonino Iannella + Arjan de Vet Arjan de Vet Arkin Arno Streuli + Arthur + Arthur Arthur Tumanyan Assar Westerlund Automatic source maintenance Axel Westerhold + Barry Dobyns Benjamin Kerensa - benno@jeamland.net + Benno Rice Benno Rice Bernard Bertrand Jacquin Bill Welliver Bojan Smojver Brad Smith + Bratislav Brian Degenhardt Brian Denehy Brian Bruce Murphy Carson Gaspar (carson@lehman.com, carson@cs.columbia.edu) + Cephas + Chad E. Naugle + Chad Naugle Changming + Chao Chris Hills + Christian Wittmer Christopher Kerr + Christophe Saout Christoph Lechleitner + Christos Tsantilas Christos Tsantilas Cloyce + Clytie Siddall + Colin Coe Constantin Rack Cord Beermann Daniel Beschorner Daniel O'Callaghan + Daniel Walter + Dan Searle + David Hill David Isaacs David J N Begley David Luyer David Luyer + David Parks + Declan White + Dennis Felippa Dennis Glatting - Dhaval Varia + Dhaval Varia Diego Woitasen - Dmitry Kurochkin + D Kazarov + Dmitry Kurochkin Don Hopkins Doug Dixon Doug Urner Dragutin Cirkovic + drserge Dr. Tilmann Bubeck Duane Wessels Dustin J. 
Mitchell Ed Knowles + Edward Chernenko Edward Moy + Eldar Akchurin Eliezer Croitoru Elmar Vonlanthen Emilio Casbas Endre Balint Nagy + Eray Aslan Eray Aslan Eric Stern Erik Hofman Eugene Gladchenko Evan Jones + Evgeni Eygene Ryabinkin + Fabian Hugelshofer fancyrabbit Felix Meschberger + Feshchuk Yuriy Finn Thain Flavio Pescuma + Florent folkert Francesco Chemolli Francesco @@ -100,13 +140,18 @@ Frank Balluffi Frank Schmirler Frederic Bourgeois + Fred + F Wolff + Fyodor Geoff Keating George Michaelson Georgy Salnikov Gerard Eviston Gerben Wierda + Gergely Giancarlo Razzolini Gilles Espinasse + gkeeling Glen Gibb Glenn Chisholm Glen Newton @@ -116,21 +161,29 @@ Graham Keeling Guido Serassio Guido Serassio + Gustavo Zacarias + Guy Helmer Hank Hampel Hasso Tepper - Henrik Nordstr?m + helix84 Henrik Nordstrom Henrik Nordstrom Hide Nagaoka - hno + HONDA Hirofumi + Hussam Al-Tayeb Ian Castle Ian Turner Igor Vinokurov + IIDA Yosiaki + isaac Isnard + Ivan Mas??r Jakob Bohm Jakub Wilk + James Bowe James Brotchie James R Grinter + Jan Klemkow Jan Niehusmann Jan Sievers Jean-Francois Micouleau @@ -139,26 +192,35 @@ Jens-S. V?ckler Jeremy Allison Jerry Murdock + Jiri Skala + Jiri Skala Joachim Bauch Joachim Bauch (mail@joachim-bauch.de) Joao Alves Neto Jochen Obalek Jochen Voss + Joe Crayne Joe Ramey Joe Ramey + Joerg Lehrke Johnathan Conley John Dilley John Saunders John Xue Jonathan Larmour + Jonathan Wolfe Jon Kinred Jon Thackray + Jorge Ivan Burgos Aguilar + Jose-Marcio Martins da Cruz + Joshua Root Joshua Root JPP + Juan Juerg Michel + Julien Pinon + Karl Benoit Kieran Whitbread - Kinkie - kinkie@squid-cache.org Klaubert Herr Klaus Singvogel Kolics Bertold @@ -166,12 +228,19 @@ Lab10 Laszlo Attilla Toth Leeann Bent + Leonid Evdokimov libit Luigi Gangitano + Luis Daniel Lucio Quiroz + Lukas B??gelei Luke Howard Lutz Donnerhacke Manu Garg + Marcello Romani + Marcin Wisnicki + Marco Beck Marcus Kool + Marcus Kool Marc van Selm Marin Stavrev Marios Makassikis 
@@ -182,16 +251,20 @@ Mark Treacy Markus Gyger Markus Moeller + Markus Moeller (markus_moeller at compuserve.com) Markus Rietzler Markus Stumpf Martin Hamilton Martin Hamilton + Martin Huter Martin Huter Martin Stolle Masashi Fujita Massimo Zito + Mathias Fischer Matthew Morgan Matthias Pitzl + Matthias "Silamael" Max Okumoto Merik Karman @@ -201,40 +274,55 @@ Michael O'Reilly Michael Pelletier Michael van Elst + Michael Weiser Michal Luscon Miguel A.L. Paraz Mike Groeneweg + Mike Mitchell Mike Mitchell Mikio Kishi + Milen Pankov Ming Fu Miquel van Smoorenburg Moez Mahfoudh + Mohsen Saeedi + Mrcus Kool Mukaigawa Shin'ichi Nathan Hoad Neil Murray + nglnx - Rosetta Project Niall Doherty Nick Rogers Nikolai Gorchilov 'noloader' + Ole Christensen + Oliver Dumschat Oliver Hookins Olivier Montanuy + Olivier W. + OpenSolaris Project Oskar Pearson Paul Z + Pavel Timofeev Pawel Worach Pedro Lineu Orso Pedro Ribeiro Pete Bentley Peter Hidas + Peter Payne Peter Pramberger Philip Allison Philippe Lantin + Phil Oester Pierangelo Masarati + Pierre LALET Pierre-Louis Brenac Pierre-Louis BRENAC Poul-Henning Kamp Priyanka Gupta Przemek Czerkas Rabellino Sergio (rabellino@di.unito.it) + Rafael Martinez Rafael Martinez Torres Rafal Ramocki Rajiv Desai @@ -243,8 +331,10 @@ Ramon de Carvalho Regardt van de Vyver Regents of the University of California (UCSD) + Reinhard Posmyk Reinhard Sojka Rene Geile + Ren? Geile Reuben Farrelly Richard Huveneers Richard Huveneers 
@@ -252,58 +342,84 @@ Richard Wall Robert Collins Robert Collins + Robert Robert Forster + Robert Walsh Robin Elfrink Rodrigo Campos Rodrigo Campos (rodrigo@geekbunker.org) Rodrigo Rubira Branco Rodrigo Rubira Branco Ron Gomes - rousskov + R Phillips Russell Street Russell Vincent Ryan Troll Samba Project + Santiago Garcia Mantinan + Scott James Remnant Scott Schram + Sean Critica + Sebastian Krahmer Sebastien Wenske + Sergey Merzlikin Sergio Rabellino Shigechika Aikawa Silamael - squidadm@squid-cache.org Stefan Fritsch Stefano Cordibella Stephen R. van den Berg + Stephen Thorne Steve Bennett Steve Hill + Steven Lawrance Steven Wilton Steve Snyder Stewart Forster Stuart Henderson + Stuart Henderson Susant Sahani Svenx Taavi Talvik Taketo Kabe - The Measurement Factory + The Squid Software Foundation Thomas De Schampheleire Thomas Hozza Thomas-Martin Seck Thomas Ristic Thomas Weber Tianyin Xu + Tilmann Bubeck + Tim Brown + Timo Teras + Timo Tseras Tim Starling Todd C. Miller Tomas Hozza Tony Lorimer + Tsantilas Christos + Unknown Unknown FreeBSD Contributor Unknown - NetBSD Project + Various + Various Translators + Victor Jose Hernandez Gomez Vince Brimhall Vincent Regnard Vitaliy Matytsyn (main) Vitaliy Matytsyn vollkommen + Walter + Wang DaQing + Warren Baker Wesha Will Roberts + Wojciech Zatorski Wojtek Sylwestrzak Wolfgang Breyha Wolfgang Nothdurft + Xavier Redon + yabuki + Yannick Bergeron + Yuhua Wu Zhanpeng Chen diff -u -r -N squid-3.5.3/CREDITS squid-3.5.4/CREDITS --- squid-3.5.3/CREDITS 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/CREDITS 2015-05-01 04:27:20.000000000 -0700 
@@ -617,6 +617,45 @@ ============================================================================== +errors/: + + * Translation Snippets provided by Squid Project Translators held in + * copyright for open distribution. + * + * Translation Snippets provided by Rosetta Project Translators held in + * copyright for open distribution. + * + * Copyright 2009 + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + + +see TRANSLATORS file for current contributing translators holding copyrights. 
+ +============================================================================== + errors/errorpage.css: Stylesheet for Squid Error pages diff -u -r -N squid-3.5.3/errors/COPYRIGHT squid-3.5.4/errors/COPYRIGHT --- squid-3.5.3/errors/COPYRIGHT 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/errors/COPYRIGHT 2015-05-01 04:27:20.000000000 -0700 
@@ -1,34 +1,10 @@ ============================================================================== -SQUID Internet Object Cache http://www.squid-cache.org --------------------------------------------------------- - - Squid is the result of efforts by numerous individuals from the - Internet community. Development is led by Duane Wessels of the - National Laboratory for Applied Network Research and funded by - the National Science Foundation. - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, - MA 02110-1301, USA. - -Squid is derived from the ``cached'' software from the ARPA-funded -Harvest research project. The Harvest home page is -http://harvest.cs.colorado.edu/. - -Squid is originally derived from the Harvest Information Discovery and -Access System. + * Copyright (C) 1996-2015 The Squid Software Foundation and contributors + * + * Squid software is distributed under GPLv2+ license and includes + * contributions from numerous individuals and organizations. + * Please see the COPYING and CONTRIBUTORS files for details. 
==============================================================================
diff -u -r -N squid-3.5.3/helpers/basic_auth/DB/basic_db_auth.8 squid-3.5.4/helpers/basic_auth/DB/basic_db_auth.8
--- squid-3.5.3/helpers/basic_auth/DB/basic_db_auth.8 2015-03-28 04:44:31.000000000 -0700
+++ squid-3.5.4/helpers/basic_auth/DB/basic_db_auth.8 2015-05-01 05:22:12.000000000 -0700
@@ -133,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_DB_AUTH 1"
-.TH BASIC_DB_AUTH 1 "2015-03-28" "perl v5.20.2" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 1 "2015-05-01" "perl v5.20.2" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.5.3/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 squid-3.5.4/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8
--- squid-3.5.3/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 2015-03-28 04:44:39.000000000 -0700
+++ squid-3.5.4/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 2015-05-01 05:22:18.000000000 -0700
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_MSNT_MULTI_DOMAIN_AUTH 1" -.TH BASIC_MSNT_MULTI_DOMAIN_AUTH 1 "2015-03-28" "perl v5.20.2" "User Contributed Perl Documentation" +.TH BASIC_MSNT_MULTI_DOMAIN_AUTH 1 "2015-05-01" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.3/helpers/basic_auth/POP3/basic_pop3_auth.8 squid-3.5.4/helpers/basic_auth/POP3/basic_pop3_auth.8 --- squid-3.5.3/helpers/basic_auth/POP3/basic_pop3_auth.8 2015-03-28 04:44:47.000000000 -0700 +++ squid-3.5.4/helpers/basic_auth/POP3/basic_pop3_auth.8 2015-05-01 05:22:24.000000000 -0700 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_POP3_AUTH 1" -.TH BASIC_POP3_AUTH 1 "2015-03-28" "perl v5.20.2" "User Contributed Perl Documentation" +.TH BASIC_POP3_AUTH 1 "2015-05-01" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.3/helpers/digest_auth/eDirectory/Makefile.am squid-3.5.4/helpers/digest_auth/eDirectory/Makefile.am --- squid-3.5.3/helpers/digest_auth/eDirectory/Makefile.am 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/helpers/digest_auth/eDirectory/Makefile.am 2015-05-01 04:27:20.000000000 -0700 @@ -23,6 +23,7 @@ $(COMPAT_LIB) \ $(LDAPLIB) \ $(LBERLIB) \ + $(NETTLELIB) \ $(CRYPTLIB) \ $(SSLLIB) \ $(XTRA_LIBS) diff -u -r -N squid-3.5.3/helpers/digest_auth/eDirectory/Makefile.in squid-3.5.4/helpers/digest_auth/eDirectory/Makefile.in --- squid-3.5.3/helpers/digest_auth/eDirectory/Makefile.in 2015-03-28 03:59:23.000000000 -0700 +++ squid-3.5.4/helpers/digest_auth/eDirectory/Makefile.in 2015-05-01 04:28:35.000000000 -0700 
@@ -164,7 +164,7 @@ $(top_builddir)/lib/libmiscencoding.la $(am__DEPENDENCIES_2) \ $(am__DEPENDENCIES_3) $(am__DEPENDENCIES_3) \ $(am__DEPENDENCIES_3) $(am__DEPENDENCIES_3) \ - $(am__DEPENDENCIES_3) + $(am__DEPENDENCIES_3) $(am__DEPENDENCIES_3) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent @@ -698,6 +698,7 @@ $(COMPAT_LIB) \ $(LDAPLIB) \ $(LBERLIB) \ + $(NETTLELIB) \ $(CRYPTLIB) \ $(SSLLIB) \ $(XTRA_LIBS) diff -u -r -N squid-3.5.3/helpers/digest_auth/eDirectory/required.m4 squid-3.5.4/helpers/digest_auth/eDirectory/required.m4 --- squid-3.5.3/helpers/digest_auth/eDirectory/required.m4 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/helpers/digest_auth/eDirectory/required.m4 2015-05-01 04:27:20.000000000 -0700 @@ -5,4 +5,4 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -AC_CHECK_HEADERS([ldap.h winldap.h],[BUILD_HELPER="LDAP"]) +AC_CHECK_HEADERS([ldap.h winldap.h],[BUILD_HELPER="eDirectory"]) diff -u -r -N squid-3.5.3/helpers/external_acl/delayer/ext_delayer_acl.8 squid-3.5.4/helpers/external_acl/delayer/ext_delayer_acl.8 --- squid-3.5.3/helpers/external_acl/delayer/ext_delayer_acl.8 2015-03-28 04:45:31.000000000 -0700 +++ squid-3.5.4/helpers/external_acl/delayer/ext_delayer_acl.8 2015-05-01 05:22:43.000000000 -0700 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_DELAYER_ACL 1" -.TH EXT_DELAYER_ACL 1 "2015-03-28" "perl v5.20.2" "User Contributed Perl Documentation" +.TH EXT_DELAYER_ACL 1 "2015-05-01" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.3/helpers/external_acl/kerberos_ldap_group/required.m4 squid-3.5.4/helpers/external_acl/kerberos_ldap_group/required.m4 --- squid-3.5.3/helpers/external_acl/kerberos_ldap_group/required.m4 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/helpers/external_acl/kerberos_ldap_group/required.m4 2015-05-01 04:27:20.000000000 -0700 @@ -7,5 +7,10 @@ if test "x$with_krb5" == "xyes"; then BUILD_HELPER="kerberos_ldap_group" + if test "x$with_apple_krb5" = "xyes" ; then + AC_CHECK_LIB(resolv, [main], [XTRA_LIBS="$XTRA_LIBS -lresolv"],[ + AC_MSG_ERROR([library 'resolv' is required for Apple Kerberos]) + ]) + fi SQUID_CHECK_SASL fi diff -u -r -N squid-3.5.3/helpers/external_acl/kerberos_ldap_group/support.h squid-3.5.4/helpers/external_acl/kerberos_ldap_group/support.h --- squid-3.5.3/helpers/external_acl/kerberos_ldap_group/support.h 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/helpers/external_acl/kerberos_ldap_group/support.h 2015-05-01 04:27:20.000000000 -0700 
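Review bot: `AC_CHECK_LIB(resolv, [main], …)` probes for `main`, which succeeds whenever the library links at all and says nothing about the resolver symbols the helper actually needs; the conventional form probes a function the code uses, e.g. `AC_CHECK_LIB(resolv, [res_query], …)` (on some platforms that symbol is a macro wrapper, so the exact name may need checking before relying on it). Failing hard with `AC_MSG_ERROR` is right here, since the Apple Kerberos build cannot work without the library. Separately, the context line `test "x$with_krb5" == "xyes"` is a bashism that the new line correctly avoids with `=`; it predates this change but is worth aligning while the block is being touched.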
@@ -34,6 +34,10 @@
 #include
+#if USE_APPLE_KRB5
+#define KERBEROS_APPLE_DEPRECATED(x)
+#endif
+
 #if HAVE_KRB5_H
 #if HAVE_BROKEN_SOLARIS_KRB5_H
 #warn "Warning! You have a broken Solaris system header"
diff -u -r -N squid-3.5.3/helpers/external_acl/kerberos_ldap_group/support_ldap.cc squid-3.5.4/helpers/external_acl/kerberos_ldap_group/support_ldap.cc
--- squid-3.5.3/helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2015-03-28 03:58:05.000000000 -0700
+++ squid-3.5.4/helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2015-05-01 04:27:20.000000000 -0700
@@ -114,11 +114,16 @@
 void *params)
 {
 struct ldap_creds *cp = (struct ldap_creds *) params;
+ struct berval cred;
+ if (cp->pw) {
+ cred.bv_val=cp->pw;
+ cred.bv_len=strlen(cp->pw);
+ }
 whop = whop;
 credp = credp;
 methodp = methodp;
 freeit = freeit;
- return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE);
+ return ldap_sasl_bind_s(ld, cp->dn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
 }
 #elif HAVE_LDAP_REBIND_PROC
 #if HAVE_SASL_H || HAVE_SASL_SASL_H || HAVE_SASL_DARWIN
@@ -148,7 +153,12 @@
 void *params)
 {
 struct ldap_creds *cp = (struct ldap_creds *) params;
- return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE);
+ struct berval cred;
+ if (cp->pw) {
+ cred.bv_val=cp->pw;
+ cred.bv_len=strlen(cp->pw);
+ }
+ return ldap_sasl_bind_s(ld, cp->dn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
 }
 #elif HAVE_LDAP_REBIND_FUNCTION
@@ -188,11 +198,16 @@
 void *params)
 {
 struct ldap_creds *cp = (struct ldap_creds *) params;
+ struct berval cred;
+ if (cp->pw) {
+ cred.bv_val=cp->pw;
+ cred.bv_len=strlen(cp->pw);
+ }
 whop = whop;
 credp = credp;
 methodp = methodp;
 freeit = freeit;
- return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE);
+ return ldap_sasl_bind_s(ld, cp->dn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
 }
 #else
 #error "No rebind functione defined"
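Review bot: In all three rebind callbacks here (`@@ -114`, `@@ -148`, `@@ -188`) `struct berval cred` is only populated when `cp->pw` is non-NULL, so a NULL password hands an uninitialized berval (garbage `bv_len`/`bv_val`) to ldap_sasl_bind_s; ldap_simple_rebind further down and the `margs->lpass` loop before the Username/Password bind have the same shape. Zero-initialize at the declaration, `struct berval cred = {};`, which also preserves the old ldap_bind_s behaviour of sending an empty credential when no password is set. Be aware that an empty credential with a non-empty DN is the "unauthenticated" simple bind of RFC 4513 §5.1.2, which many servers treat as anonymous, so if this bind is meant to prove the configured password the caller should refuse an empty `cp->pw` before binding rather than let the bind silently succeed. Each of these functions starts before its hunk, so the signatures are outside this view.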
@@ -202,12 +217,7 @@
 static LDAP_REBIND_PROC ldap_sasl_rebind;
 static int
-ldap_sasl_rebind(
- LDAP * ld,
- LDAP_CONST char *url,
- ber_tag_t request,
- ber_int_t msgid,
- void *params)
+ldap_sasl_rebind(LDAP *ld, LDAP_CONST char *, ber_tag_t request, ber_int_t msgid, void *params)
 {
 struct ldap_creds *cp = (struct ldap_creds *) params;
 return tool_sasl_bind(ld, cp->dn, cp->pw);
@@ -217,16 +227,16 @@
 static LDAP_REBIND_PROC ldap_simple_rebind;
 static int
-ldap_simple_rebind(
- LDAP * ld,
- LDAP_CONST char *url,
- ber_tag_t request,
- ber_int_t msgid,
- void *params)
+ldap_simple_rebind(LDAP *ld, LDAP_CONST char *, ber_tag_t request, ber_int_t msgid, void *params)
 {
 struct ldap_creds *cp = (struct ldap_creds *) params;
- return ldap_bind_s(ld, cp->dn, cp->pw, LDAP_AUTH_SIMPLE);
+ struct berval cred;
+ if (cp->pw) {
+ cred.bv_val=cp->pw;
+ cred.bv_len=strlen(cp->pw);
+ }
+ return ldap_sasl_bind_s(ld, cp->dn, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
 }
 #endif
@@ -755,7 +765,7 @@
 xfree(ldapuri);
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld,NULL,NULL);
 ld = NULL;
 return NULL;
 }
@@ -765,7 +775,7 @@
 rc = ldap_set_defaults(ld);
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 return NULL;
 }
@@ -777,7 +787,7 @@
 rc = ldap_set_ssl_defaults(margs);
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error while setting SSL default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 return NULL;
 }
@@ -788,7 +798,7 @@ rc = ldap_start_tls_s(ld, NULL, NULL); if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error while setting start_tls for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind(ld); + ldap_unbind_ext(ld, NULL, NULL); ld = NULL; url = (LDAPURLDesc *) xmalloc(sizeof(*url)); memset(url, 0, sizeof(*url)); @@ -820,14 +830,14 @@ xfree(ldapuri); if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error while initialising connection to ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind(ld); + ldap_unbind_ext(ld, NULL, NULL); ld = NULL; return NULL; } rc = ldap_set_defaults(ld); if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind(ld); + ldap_unbind_ext(ld, NULL, NULL); ld = NULL; return NULL; } @@ -836,14 +846,14 @@ ld = ldapssl_init(host, port, 1); if (!ld) { error((char *) "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc)); - ldap_unbind(ld); + ldap_unbind_ext(ld, NULL, NULL); ld = NULL; return NULL; } rc = ldap_set_defaults(ld); if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind(ld); + ldap_unbind_ext(ld, NULL, NULL); ld = NULL; return NULL; } @@ -945,7 +955,7 @@ rc = tool_sasl_bind(ld, bindp, margs->ssl); if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error while binding to ldap server with SASL/GSSAPI: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); - ldap_unbind(ld); + ldap_unbind_ext(ld, NULL, NULL); ld = NULL; continue; } @@ -958,7 +968,7 @@ break; } #else - ldap_unbind(ld); + ldap_unbind_ext(ld, NULL, NULL); ld = NULL; error((char *) "%s| %s: ERROR: SASL not supported on system\n", LogTime(), PROGRAM); continue; 
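Review bot: In the `@@ -836` hunk the new `ldap_unbind_ext(ld, NULL, NULL)` is executed inside `if (!ld)`, i.e. on a NULL handle, and the message on the same path formats an `rc` that nothing on that path assigned; the old ldap_unbind(ld) had the same shape, but the replacement carries it forward. An unbind on a NULL handle is at best a no-op and, with OpenLDAP, an assertion failure or NULL dereference, so drop the call in that branch and keep only `ld = NULL; return NULL;`, with an error text that does not read `rc`. The other hunks on this line replace unbind calls on live handles and look fine. The enclosing function starts and ends outside these hunks.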
@@ -998,7 +1008,11 @@
 nhosts = get_hostname_list(&hlist, 0, host);
 xfree(host);
 for (size_t i = 0; i < nhosts; ++i) {
-
+ struct berval cred;
+ if (margs->lpass) {
+ cred.bv_val=margs->lpass;
+ cred.bv_len=strlen(margs->lpass);
+ }
 ld = tool_ldap_open(margs, hlist[i].host, port, ssl);
 if (!ld)
 continue;
@@ -1007,10 +1021,10 @@
 */
 debug((char *) "%s| %s: DEBUG: Bind to ldap server with Username/Password\n", LogTime(), PROGRAM);
- rc = ldap_simple_bind_s(ld, margs->luser, margs->lpass);
+ rc = ldap_sasl_bind_s(ld, margs->luser, LDAP_SASL_SIMPLE, &cred, NULL, NULL, NULL);
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error while binding to ldap server with Username/Password: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 continue;
 }
@@ -1045,7 +1059,7 @@
 rc = check_AD(margs, ld);
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error determining ldap server type: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 retval = 0;
 goto cleanup;
@@ -1071,7 +1085,7 @@
 if (rc != LDAP_SUCCESS) {
 error((char *) "%s| %s: ERROR: Error searching ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 retval = 0;
 goto cleanup;
@@ -1156,7 +1170,7 @@
 ldap_msgfree(res);
 } else if (ldap_count_entries(ld, res) == 0 && margs->AD) {
 ldap_msgfree(res);
- ldap_unbind(ld);
+ ldap_unbind_ext(ld, NULL, NULL);
 ld = NULL;
 retval = 0;
 goto cleanup;
@@ -1368,7 +1382,7 @@ safe_free(attr_value); } } - rc = ldap_unbind(ld); + rc = ldap_unbind_ext(ld, NULL, NULL); ld = NULL; if (rc != LDAP_SUCCESS) { error((char *) "%s| %s: ERROR: Error unbind ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc)); diff -u -r -N squid-3.5.3/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-3.5.4/helpers/external_acl/SQL_session/ext_sql_session_acl.8 --- squid-3.5.3/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2015-03-28 04:45:59.000000000 -0700 +++ squid-3.5.4/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2015-05-01 05:22:54.000000000 -0700 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_SQL_SESSION_ACL 1" -.TH EXT_SQL_SESSION_ACL 1 "2015-03-28" "perl v5.20.2" "User Contributed Perl Documentation" +.TH EXT_SQL_SESSION_ACL 1 "2015-05-01" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.3/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.5.4/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-3.5.3/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2015-03-28 04:46:13.000000000 -0700 +++ squid-3.5.4/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2015-05-01 05:22:58.000000000 -0700 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL 1" -.TH EXT_WBINFO_GROUP_ACL 1 "2015-03-28" "perl v5.20.2" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL 1 "2015-05-01" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.3/helpers/log_daemon/DB/log_db_daemon.8 squid-3.5.4/helpers/log_daemon/DB/log_db_daemon.8 --- squid-3.5.3/helpers/log_daemon/DB/log_db_daemon.8 2015-03-28 04:46:22.000000000 -0700 +++ squid-3.5.4/helpers/log_daemon/DB/log_db_daemon.8 2015-05-01 05:23:02.000000000 -0700 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "LOG_DB_DAEMON 1" -.TH LOG_DB_DAEMON 1 "2015-03-28" "perl v5.20.2" "User Contributed Perl Documentation" +.TH LOG_DB_DAEMON 1 "2015-05-01" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.3/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc squid-3.5.4/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc --- squid-3.5.3/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc 2015-05-01 04:27:20.000000000 -0700 @@ -65,7 +65,6 @@ krb5_kt_list *kt_list); #endif /* HAVE_KRB5_MEMORY_KEYTAB */ -#if HAVE_PAC_SUPPORT || HAVE_KRB5_MEMORY_KEYTAB int check_k5_err(krb5_context context, const char *function, krb5_error_code code) { 
@@ -85,7 +84,6 @@ } return code; } -#endif char * gethost_name(void) diff -u -r -N squid-3.5.3/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc squid-3.5.4/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc --- squid-3.5.3/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc 2015-05-01 04:27:20.000000000 -0700 @@ -33,6 +33,9 @@ #include "squid.h" #if HAVE_GSSAPI +#if USE_APPLE_KRB5 +#define GSSKRB_APPLE_DEPRECATED(x) +#endif #include #include diff -u -r -N squid-3.5.3/helpers/negotiate_auth/kerberos/negotiate_kerberos.h squid-3.5.4/helpers/negotiate_auth/kerberos/negotiate_kerberos.h --- squid-3.5.3/helpers/negotiate_auth/kerberos/negotiate_kerberos.h 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/helpers/negotiate_auth/kerberos/negotiate_kerberos.h 2015-05-01 04:27:20.000000000 -0700 @@ -47,6 +47,11 @@ #include "base64.h" #include "util.h" +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#define GSSKRB_APPLE_DEPRECATED(x) +#endif + #if HAVE_KRB5_H #if HAVE_BROKEN_SOLARIS_KRB5_H #warn "Warning! You have a broken Solaris system header" @@ -144,7 +149,6 @@ uint32_t pointer; } RPC_UNICODE_STRING; -int check_k5_err(krb5_context context, const char *msg, krb5_error_code code); void align(int n); void getustr(RPC_UNICODE_STRING *string); char **getgids(char **Rids, uint32_t GroupIds, uint32_t GroupCount); @@ -161,4 +165,5 @@ #else #define HAVE_PAC_SUPPORT 0 #endif +int check_k5_err(krb5_context context, const char *msg, krb5_error_code code); diff -u -r -N squid-3.5.3/helpers/ntlm_auth/fake/ntlm_fake_auth.cc squid-3.5.4/helpers/ntlm_auth/fake/ntlm_fake_auth.cc --- squid-3.5.3/helpers/ntlm_auth/fake/ntlm_fake_auth.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/helpers/ntlm_auth/fake/ntlm_fake_auth.cc 2015-05-01 04:27:20.000000000 -0700 
@@ -50,12 +50,6 @@ #if HAVE_GETOPT_H #include #endif -#if HAVE_STDINT_H -#include -#endif -#if HAVE_INTTYPES_H -#include -#endif /* A couple of harmless helper macros */ #define SEND(X) {debug("sending '%s' to squid\n",X); printf(X "\n");} diff -u -r -N squid-3.5.3/helpers/storeid_rewrite/file/storeid_file_rewrite.8 squid-3.5.4/helpers/storeid_rewrite/file/storeid_file_rewrite.8 --- squid-3.5.3/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2015-03-28 04:47:11.000000000 -0700 +++ squid-3.5.4/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2015-05-01 05:23:20.000000000 -0700 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "STOREID_FILE_REWRITE 1" -.TH STOREID_FILE_REWRITE 1 "2015-03-28" "perl v5.20.2" "User Contributed Perl Documentation" +.TH STOREID_FILE_REWRITE 1 "2015-05-01" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.3/include/autoconf.h.in squid-3.5.4/include/autoconf.h.in --- squid-3.5.3/include/autoconf.h.in 2015-03-28 03:58:51.000000000 -0700 +++ squid-3.5.4/include/autoconf.h.in 2015-05-01 04:28:05.000000000 -0700 @@ -1318,6 +1318,9 @@ /* common adaptation support */ #undef USE_ADAPTATION +/* Apple Kerberos support is available */ +#undef USE_APPLE_KRB5 + /* Enable support for authentication */ #undef USE_AUTH diff -u -r -N squid-3.5.3/include/version.h squid-3.5.4/include/version.h --- squid-3.5.3/include/version.h 2015-03-28 04:00:06.000000000 -0700 +++ squid-3.5.4/include/version.h 2015-05-01 04:29:25.000000000 -0700 
@@ -7,7 +7,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1427540278 +#define SQUID_RELEASE_TIME 1430479633 #endif /* diff -u -r -N squid-3.5.3/RELEASENOTES.html squid-3.5.4/RELEASENOTES.html --- squid-3.5.3/RELEASENOTES.html 2015-03-28 04:50:18.000000000 -0700 +++ squid-3.5.4/RELEASENOTES.html 2015-05-01 05:25:08.000000000 -0700 @@ -2,10 +2,10 @@ - Squid 3.5.3 release notes + Squid 3.5.4 release notes -

Squid 3.5.3 release notes

+

Squid 3.5.4 release notes

Squid Developers


@@ -63,7 +63,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.5.3.

+

The Squid Team are pleased to announce the release of Squid-3.5.4.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.5/ or the mirrors.

@@ -489,6 +489,9 @@ for the HTTP transaction so far.

New type at_step to match the current SSL-Bump processing step. Never matches and should not be used outside of ssl_bump.

+

New types ssl::server_name and ssl::server_name_regex +to match server name from various sources (CONNECT authority name, +TLS SNI domain, or X.509 certificate Subject Name).

auth_param

New parameter key_extras to send additional parameters to diff -u -r -N squid-3.5.3/src/acl/DomainData.h squid-3.5.4/src/acl/DomainData.h --- squid-3.5.3/src/acl/DomainData.h 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/acl/DomainData.h 2015-05-01 04:27:20.000000000 -0700 @@ -21,7 +21,7 @@ MEMPROXY_CLASS(ACLDomainData); virtual ~ACLDomainData(); - bool match(char const *); + virtual bool match(char const *); virtual SBufList dump() const; void parse(); bool empty() const; diff -u -r -N squid-3.5.3/src/acl/Makefile.am squid-3.5.4/src/acl/Makefile.am --- squid-3.5.3/src/acl/Makefile.am 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/acl/Makefile.am 2015-05-01 04:27:20.000000000 -0700 @@ -150,6 +150,8 @@ Certificate.h \ ServerCertificate.cc \ ServerCertificate.h \ + ServerName.cc \ + ServerName.h \ SslError.cc \ SslError.h \ SslErrorData.cc \ diff -u -r -N squid-3.5.3/src/acl/Makefile.in squid-3.5.4/src/acl/Makefile.in --- squid-3.5.3/src/acl/Makefile.in 2015-03-28 03:59:39.000000000 -0700 +++ squid-3.5.4/src/acl/Makefile.in 2015-05-01 04:28:54.000000000 -0700 @@ -183,12 +183,12 @@ AtStep.cc AtStep.h AtStepData.cc AtStepData.h \ CertificateData.cc CertificateData.h Certificate.cc \ Certificate.h ServerCertificate.cc ServerCertificate.h \ - SslError.cc SslError.h SslErrorData.cc SslErrorData.h \ - AdaptationService.h AdaptationService.cc \ - AdaptationServiceData.h AdaptationServiceData.cc Arp.cc Arp.h \ - Eui64.cc Eui64.h + ServerName.cc ServerName.h SslError.cc SslError.h \ + SslErrorData.cc SslErrorData.h AdaptationService.h \ + AdaptationService.cc AdaptationServiceData.h \ + AdaptationServiceData.cc Arp.cc Arp.h Eui64.cc Eui64.h am__objects_1 = AtStep.lo AtStepData.lo CertificateData.lo \ - Certificate.lo ServerCertificate.lo SslError.lo \ + Certificate.lo ServerCertificate.lo ServerName.lo SslError.lo \ SslErrorData.lo @ENABLE_SSL_TRUE@am__objects_2 = $(am__objects_1) @USE_ADAPTATION_TRUE@am__objects_3 = AdaptationService.lo \ 
@@ -800,6 +800,8 @@ Certificate.h \ ServerCertificate.cc \ ServerCertificate.h \ + ServerName.cc \ + ServerName.h \ SslError.cc \ SslError.h \ SslErrorData.cc \ @@ -925,6 +927,7 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ReplyMimeType.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/RequestMimeType.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ServerCertificate.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ServerName.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/SourceDomain.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/SourceIp.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/SslError.Plo@am__quote@ diff -u -r -N squid-3.5.3/src/acl/ServerName.cc squid-3.5.4/src/acl/ServerName.cc --- squid-3.5.3/src/acl/ServerName.cc 1969-12-31 16:00:00.000000000 -0800 +++ squid-3.5.4/src/acl/ServerName.cc 2015-05-01 04:27:20.000000000 -0700 
@@ -0,0 +1,123 @@ +/* + * Copyright (C) 1996-2015 The Squid Software Foundation and contributors + * + * Squid software is distributed under GPLv2+ license and includes + * contributions from numerous individuals and organizations. + * Please see the COPYING and CONTRIBUTORS files for details. + */ + +/* DEBUG: section 28 Access Control */ + +#include "squid.h" +#include "acl/Checklist.h" +#include "acl/DomainData.h" +#include "acl/RegexData.h" +#include "acl/ServerName.h" +#include "client_side.h" +#include "fde.h" +#include "HttpRequest.h" +#include "ipcache.h" +#include "SquidString.h" +#include "ssl/bio.h" +#include "ssl/ServerBump.h" +#include "ssl/support.h" +#include "URL.h" + +// Compare function for tree search algorithms +static int +aclHostDomainCompare( char *const &a, char * const &b) +{ + const char *h = static_cast(a); + const char *d = static_cast(b); + debugs(28, 7, "Match:" << h << " <> " << d); + return matchDomainName(h, d, true); +} + +bool +ACLServerNameData::match(const char *host) +{ + if (host == NULL) + return 0; + + debugs(28, 3, "checking '" << host << "'"); + + char *h = const_cast(host); + char const * const * result = domains->find(h, aclHostDomainCompare); + + debugs(28, 3, "'" << host << "' " << (result ? "found" : "NOT found")); + + return (result != NULL); + +} + +ACLData * +ACLServerNameData::clone() const +{ + /* Splay trees don't clone yet. */ + assert (!domains); + return new ACLServerNameData; +} + +/// A helper function to be used with Ssl::matchX509CommonNames(). 
+/// \retval 0 when the name (cn or an alternate name) matches acl data +/// \retval 1 when the name does not match +template +int +check_cert_domain( void *check_data, ASN1_STRING *cn_data) +{ + char cn[1024]; + ACLData * data = (ACLData *)check_data; + + if (cn_data->length > (int)sizeof(cn) - 1) + return 1; // ignore data that does not fit our buffer + + char *s = reinterpret_cast(cn_data->data); + char *d = cn; + for (int i = 0; i < cn_data->length; ++i, ++d, ++s) { + if (*s == '\0') + return 1; // always a domain mismatch. contains 0x00 + *d = *s; + } + cn[cn_data->length] = '\0'; + debugs(28, 4, "Verifying certificate name/subjectAltName " << cn); + if (data->match(cn)) + return 0; + return 1; +} + +int +ACLServerNameStrategy::match (ACLData * &data, ACLFilledChecklist *checklist, ACLFlags &flags) +{ + assert(checklist != NULL && checklist->request != NULL); + + if (checklist->conn() && checklist->conn()->serverBump()) { + if (X509 *peer_cert = checklist->conn()->serverBump()->serverCert.get()) { + if (Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain)) + return 1; + } + } + + const char *serverName = NULL; + if (checklist->conn() && !checklist->conn()->sslCommonName().isEmpty()) { + SBuf scn = checklist->conn()->sslCommonName(); + serverName = scn.c_str(); + } + + if (serverName == NULL) + serverName = checklist->request->GetHost(); + + if (serverName && data->match(serverName)) { + return 1; + } + + return data->match("none"); +} + +ACLServerNameStrategy * +ACLServerNameStrategy::Instance() +{ + return &Instance_; +} + +ACLServerNameStrategy ACLServerNameStrategy::Instance_; + diff -u -r -N squid-3.5.3/src/acl/ServerName.h squid-3.5.4/src/acl/ServerName.h --- squid-3.5.3/src/acl/ServerName.h 1969-12-31 16:00:00.000000000 -0800 +++ squid-3.5.4/src/acl/ServerName.h 2015-05-01 04:27:20.000000000 -0700 
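Review bot: In ACLServerNameStrategy::match, `serverName` is set to `scn.c_str()` where `scn` is an SBuf local to the `if` block, so by the time `data->match(serverName)` runs the SBuf has been destroyed and the pointer may refer to freed storage (c_str() can reallocate the backing blob, so it is not safe to assume the buffer is still shared with the connection's copy). Hoist the object to function scope: declare `SBuf scn;` before the `if`, assign `scn = checklist->conn()->sslCommonName();` inside it, and keep `serverName = scn.c_str();` as is. The embedded-NUL rejection in check_cert_domain is the right behaviour for certificate names and deserves a why-comment such as `// a NUL inside an X.509 name would silently shorten the C string; never treat it as a match`. Minor: ACLServerNameData::match returns `0` from a `bool` function where `false` reads better.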
@@ -0,0 +1,62 @@ +/* + * Copyright (C) 1996-2015 The Squid Software Foundation and contributors + * + * Squid software is distributed under GPLv2+ license and includes + * contributions from numerous individuals and organizations. + * Please see the COPYING and CONTRIBUTORS files for details. + */ + +#ifndef SQUID_ACLSERVERNAME_H +#define SQUID_ACLSERVERNAME_H + +#include "acl/Acl.h" +#include "acl/Checklist.h" +#include "acl/Data.h" +#include "acl/DomainData.h" +#include "acl/Strategised.h" + +class ACLServerNameData : public ACLDomainData { +public: + MEMPROXY_CLASS(ACLServerNameData); + ACLServerNameData() : ACLDomainData() {} + virtual bool match(const char *); + virtual ACLData *clone() const; +}; + +class ACLServerNameStrategy : public ACLStrategy +{ + +public: + virtual int match (ACLData * &, ACLFilledChecklist *, ACLFlags &); + static ACLServerNameStrategy *Instance(); + virtual bool requiresRequest() const {return true;} + + /** + * Not implemented to prevent copies of the instance. + \par + * Not private to prevent brain dead g+++ warnings about + * private constructors with no friends + */ + ACLServerNameStrategy(ACLServerNameStrategy const &); + +private: + static ACLServerNameStrategy Instance_; + ACLServerNameStrategy() {} + + ACLServerNameStrategy&operator=(ACLServerNameStrategy const &); +}; + +MEMPROXY_CLASS_INLINE(ACLServerNameData); + +class ACLServerName +{ + +private: + static ACL::Prototype LiteralRegistryProtoype; + static ACLStrategised LiteralRegistryEntry_; + static ACL::Prototype RegexRegistryProtoype; + static ACLStrategised RegexRegistryEntry_; +}; + +#endif /* SQUID_ACLSERVERNAME_H */ + diff -u -r -N squid-3.5.3/src/AclRegs.cc squid-3.5.4/src/AclRegs.cc --- squid-3.5.3/src/AclRegs.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/AclRegs.cc 2015-05-01 04:27:20.000000000 -0700 
@@ -72,6 +72,7 @@ #if USE_OPENSSL #include "acl/Certificate.h" #include "acl/CertificateData.h" +#include "acl/ServerName.h" #include "acl/SslError.h" #include "acl/SslErrorData.h" #endif @@ -175,6 +176,12 @@ ACL::Prototype ACLAtStep::RegistryProtoype(&ACLAtStep::RegistryEntry_, "at_step"); ACLStrategised ACLAtStep::RegistryEntry_(new ACLAtStepData, ACLAtStepStrategy::Instance(), "at_step"); + +ACL::Prototype ACLServerName::LiteralRegistryProtoype(&ACLServerName::LiteralRegistryEntry_, "ssl::server_name"); +ACLStrategised ACLServerName::LiteralRegistryEntry_(new ACLServerNameData, ACLServerNameStrategy::Instance(), "ssl::server_name"); +ACL::Prototype ACLServerName::RegexRegistryProtoype(&ACLServerName::RegexRegistryEntry_, "ssl::server_name_regex"); +ACLFlag ServerNameRegexFlags[] = {ACL_F_REGEX_CASE, ACL_F_END}; +ACLStrategised ACLServerName::RegexRegistryEntry_(new ACLRegexData, ACLServerNameStrategy::Instance(), "ssl::server_name_regex", ServerNameRegexFlags); #endif #if USE_SQUID_EUI diff -u -r -N squid-3.5.3/src/auth/negotiate/UserRequest.cc squid-3.5.4/src/auth/negotiate/UserRequest.cc --- squid-3.5.3/src/auth/negotiate/UserRequest.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/auth/negotiate/UserRequest.cc 2015-05-01 04:27:20.000000000 -0700 
@@ -68,11 +68,20 @@
 Auth::Negotiate::UserRequest::credentialsStr()
 {
 static char buf[MAX_AUTHTOKEN_LEN];
+ int printResult = 0;
 if (user()->credentials() == Auth::Pending) {
- snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
+ printResult = snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
 } else {
- snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
+ printResult = snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
 }
+
+ // truncation is OK because we are used only for logging
+ if (printResult < 0) {
+ debugs(29, 2, "Can not build negotiate authentication credentials.");
+ buf[0] = '\0';
+ } else if (printResult >= (int)sizeof(buf))
+ debugs(29, 2, "Negotiate authentication credentials truncated.");
+
 return buf;
 }
@@ -125,16 +134,26 @@
 debugs(29, 8, HERE << "credentials state is '" << user()->credentials() << "'");
 const char *keyExtras = helperRequestKeyExtras(request, al);
+ int printResult = 0;
 if (user()->credentials() == Auth::Pending) {
 if (keyExtras)
- snprintf(buf, sizeof(buf), "YR %s %s\n", client_blob, keyExtras);
+ printResult = snprintf(buf, sizeof(buf), "YR %s %s\n", client_blob, keyExtras);
 else
- snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
+ printResult = snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
 } else {
 if (keyExtras)
- snprintf(buf, sizeof(buf), "KK %s %s\n", client_blob, keyExtras);
+ printResult = snprintf(buf, sizeof(buf), "KK %s %s\n", client_blob, keyExtras);
 else
- snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
+ printResult = snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
+ }
+
+ if (printResult < 0 || printResult >= (int)sizeof(buf)) {
+ if (printResult < 0)
+ debugs(29, DBG_CRITICAL, "ERROR: Can not build negotiate authentication helper request");
+ else
+ debugs(29, DBG_CRITICAL, "ERROR: Negotiate authentication helper request too big for the " << sizeof(buf) << "-byte buffer");
+ handler(data);
+ return;
 }
 waiting = 1;
diff -u -r -N squid-3.5.3/src/auth/ntlm/UserRequest.cc squid-3.5.4/src/auth/ntlm/UserRequest.cc
--- squid-3.5.3/src/auth/ntlm/UserRequest.cc 2015-03-28 03:58:05.000000000 -0700
+++ squid-3.5.4/src/auth/ntlm/UserRequest.cc 2015-05-01 04:27:20.000000000 -0700
@@ -67,11 +67,20 @@
 Auth::Ntlm::UserRequest::credentialsStr()
 {
 static char buf[MAX_AUTHTOKEN_LEN];
+ int printResult;
 if (user()->credentials() == Auth::Pending) {
- snprintf(buf, sizeof(buf), "YR %s\n", client_blob);
+ printResult = snprintf(buf, sizeof(buf), "YR %s\n", client_blob);
 } else {
- snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
+ printResult = snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
 }
+
+ // truncation is OK because we are used only for logging
+ if (printResult < 0) {
+ debugs(29, 2, "Can not build ntlm authentication credentials.");
+ buf[0] = '\0';
+ } else if (printResult >= (int)sizeof(buf))
+ debugs(29, 2, "Ntlm authentication credentials truncated.");
+
 return buf;
 }
@@ -121,19 +130,29 @@ debugs(29, 8, HERE << "credentials state is '" << user()->credentials() << "'"); const char *keyExtras = helperRequestKeyExtras(request, al); + int printResult = 0; if (user()->credentials() == Auth::Pending) { if (keyExtras) - snprintf(buf, sizeof(buf), "YR %s %s\n", client_blob, keyExtras); + printResult = snprintf(buf, sizeof(buf), "YR %s %s\n", client_blob, keyExtras); else - snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here? + printResult = snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here? } else { if (keyExtras) - snprintf(buf, sizeof(buf), "KK %s %s\n", client_blob, keyExtras); + printResult = snprintf(buf, sizeof(buf), "KK %s %s\n", client_blob, keyExtras); else - snprintf(buf, sizeof(buf), "KK %s\n", client_blob); + printResult = snprintf(buf, sizeof(buf), "KK %s\n", client_blob); } waiting = 1; + if (printResult < 0 || printResult >= (int)sizeof(buf)) { + if (printResult < 0) + debugs(29, DBG_CRITICAL, "ERROR: Can not build ntlm authentication helper request"); + else + debugs(29, DBG_CRITICAL, "ERROR: Ntlm authentication helper request too big for the " << sizeof(buf) << "-byte buffer."); + handler(data); + return; + } + safe_free(client_blob); helperStatefulSubmit(ntlmauthenticators, buf, Auth::Ntlm::UserRequest::HandleReply, new Auth::StateData(this, handler, data), authserver); diff -u -r -N squid-3.5.3/src/auth/UserRequest.h squid-3.5.4/src/auth/UserRequest.h --- squid-3.5.3/src/auth/UserRequest.h 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/auth/UserRequest.h 2015-05-01 04:27:20.000000000 -0700 
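Review bot: `waiting = 1;` is set before the new printResult check, so on the error path the request stays flagged as waiting for a helper reply that was never submitted, and `client_blob` is not released either; the Negotiate counterpart in this same release performs the check before setting `waiting`. Move `waiting = 1;` below the new `if (printResult < 0 || printResult >= (int)sizeof(buf))` block so the two modules behave identically. Whether a stale `waiting` is harmful depends on how the caller and the destructor treat it, which is outside the hunk; the enclosing function continues past the hunk.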
@@ -27,8 +27,8 @@ /** * Maximum length (buffer size) for token strings. */ -// AYJ: must match re-definition in helpers/negotiate_auth/kerberos/negotiate_kerb_auth.cc -#define MAX_AUTHTOKEN_LEN 32768 +// XXX: Keep in sync with all others: bzr grep 'define MAX_AUTHTOKEN_LEN' +#define MAX_AUTHTOKEN_LEN 65535 /** * Node used to link an IP address to some user credentials diff -u -r -N squid-3.5.3/src/base/Lock.h squid-3.5.4/src/base/Lock.h --- squid-3.5.3/src/base/Lock.h 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/base/Lock.h 2015-05-01 04:27:20.000000000 -0700 @@ -35,12 +35,13 @@ #if defined(LOCKCOUNT_DEBUG) old_debug(0,1)("Incrementing this %p from count %u\n",this,count_); #endif + assert(count_ < UINT32_MAX); ++count_; } /// Clear one lock / reference against this object. /// All locks must be cleared before it may be destroyed. - unsigned unlock() const { + uint32_t unlock() const { #if defined(LOCKCOUNT_DEBUG) old_debug(0,1)("Decrementing this %p from count %u\n",this,count_); #endif @@ -49,10 +50,10 @@ } /// Inspect the current count of references. - unsigned LockCount() const { return count_; } + uint32_t LockCount() const { return count_; } private: - mutable unsigned count_; ///< number of references currently being tracked + mutable uint32_t count_; ///< number of references currently being tracked }; // For clarity we provide some aliases for the tracking mechanisms diff -u -r -N squid-3.5.3/src/cf.data.pre squid-3.5.4/src/cf.data.pre --- squid-3.5.3/src/cf.data.pre 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/cf.data.pre 2015-05-01 04:27:20.000000000 -0700 
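Review bot: Raising MAX_AUTHTOKEN_LEN to 65535 in the proxy changes the wire contract with the stateful auth helpers, which read helper-protocol lines into their own buffers; the `// XXX: Keep in sync` comment tells a developer how to find the copies, but a helper binary built from an older tree, or a third-party helper sized for 32768, will now truncate or reject lines the new proxy legitimately sends. Suggest stating the requirement in the comment, e.g. `// XXX: Keep in sync with all others (bzr grep 'define MAX_AUTHTOKEN_LEN'); helpers must accept lines of at least this size`, and noting the helper-rebuild requirement in the release notes. The value is a buffer size, so the largest token that fits is 65534 bytes plus the NUL terminator, which is what the snprintf result checks elsewhere in this release rely on.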
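Review bot: The new `assert(count_ < UINT32_MAX);` in lock() uses a `<stdint.h>`/`<cstdint>` macro and the hunk does not show Lock.h including that header; if it arrives only transitively the header stops being self-contained, so add the include. The symmetric guard in unlock() is not visible: the decrement sits between the two hunks, and if it is unguarded an extra unlock() wraps the counter to UINT32_MAX and the object is never freed, so add `assert(count_ > 0);` before `--count_`. The class definition starts and ends outside the hunks.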
@@ -1103,6 +1103,18 @@ # SslBump1: After getting TCP-level and HTTP CONNECT info. # SslBump2: After getting SSL Client Hello info. # SslBump3: After getting SSL Server Hello info. + + acl aclname ssl::server_name .foo.com ... + # matches server name obtained from various sources [fast] + # + # The server name is obtained during Ssl-Bump steps from such sources + # as CONNECT request URI, client SNI, and SSL server certificate CN. + # During each Ssl-Bump step, Squid may improve its understanding of a + # "true server name". Unlike dstdomain, this ACL does not perform + # DNS lookups. + + acl aclname ssl::server_name_regex [-i] \.foo\.com ... + # regex matches server name obtained from various sources [fast] ENDIF acl aclname any-of acl1 acl2 ... # match any one of the acls [fast or slow] @@ -2075,9 +2087,10 @@ RFC2475, and RFC3260. The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or - "default" to use whatever default your host has. Note that in - practice often only multiples of 4 is usable as the two rightmost bits - have been redefined for use by ECN (RFC 3168 section 23.1). + "default" to use whatever default your host has. + Note that only multiples of 4 are usable as the two rightmost bits have + been redefined for use by ECN (RFC 3168 section 23.1). + The squid parser will enforce this by masking away the ECN bits. Processing proceeds in the order specified, and stops at first fully matching line. @@ -2090,7 +2103,7 @@ DEFAULT: none LOC: Ip::Qos::TheConfig.tosToClient DOC_START - Allows you to select a TOS/Diffserv value for packets being transmitted + Allows you to select a TOS/DSCP value for packets being transmitted on the client-side, based on an ACL. clientside_tos ds-field [!]aclname ... 
@@ -2105,6 +2118,13 @@ Note: This feature is incompatible with qos_flows. Any TOS values set here will be overwritten by TOS values in qos_flows. + + The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or + "default" to use whatever default your host has. + Note that only multiples of 4 are usable as the two rightmost bits have + been redefined for use by ECN (RFC 3168 section 23.1). + The squid parser will enforce this by masking away the ECN bits. + DOC_END NAME: tcp_outgoing_mark @@ -2176,9 +2196,10 @@ know what you're specifying. For more information, see RFC2474, RFC2475, and RFC3260. - The TOS/DSCP byte must be exactly that - a octet value 0 - 255. Note that - in practice often only multiples of 4 is usable as the two rightmost bits - have been redefined for use by ECN (RFC 3168 section 23.1). + The TOS/DSCP byte must be exactly that - a octet value 0 - 255. + Note that only multiples of 4 are usable as the two rightmost bits have + been redefined for use by ECN (RFC 3168 section 23.1). + The squid parser will enforce this by masking away the ECN bits. Mark values can be any unsigned 32-bit integer value. diff -u -r -N squid-3.5.3/src/client_side.cc squid-3.5.4/src/client_side.cc --- squid-3.5.3/src/client_side.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/client_side.cc 2015-05-01 04:27:20.000000000 -0700 @@ -1866,7 +1866,7 @@ break; case STREAM_COMPLETE: - debugs(33, 5, conn << "Stream complete, keepalive is " << http->request->flags.proxyKeepalive); + debugs(33, 5, conn << " Stream complete, keepalive is " << http->request->flags.proxyKeepalive); if (http->request->flags.proxyKeepalive) keepaliveNextRequest(); else @@ -2276,7 +2276,7 @@ #endif - debugs(33,5, HERE << "repare absolute URL from " << + debugs(33,5, "Prepare absolute URL from " << (csd->transparent()?"intercept":(csd->port->flags.accelSurrogate ? "accel":""))); /* Rewrite the URL in transparent or accelerator mode */ /* NP: there are several cases to traverse here: 
@@ -2860,6 +2860,9 @@ int ConnStateData::pipelinePrefetchMax() const { + // TODO: Support pipelined requests through pinned connections. + if (pinning.pinned) + return 0; return Config.pipeline_max_prefetch; } @@ -3046,7 +3049,8 @@ debugs(33, 5, "PROXY/1.0 protocol on connection " << clientConnection); clientConnection->local = originalDest; clientConnection->remote = originalClient; - clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP. + if ((clientConnection->flags & COMM_TRANSPARENT)) + clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP. debugs(33, 5, "PROXY/1.0 upgrade: " << clientConnection); // repeat fetch ensuring the new client FQDN can be logged @@ -3136,14 +3140,16 @@ clientConnection->local.port(ntohs(ipu.ipv4_addr.dst_port)); clientConnection->remote = ipu.ipv4_addr.src_addr; clientConnection->remote.port(ntohs(ipu.ipv4_addr.src_port)); - clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP. + if ((clientConnection->flags & COMM_TRANSPARENT)) + clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP. break; case 0x2: // IPv6 clientConnection->local = ipu.ipv6_addr.dst_addr; clientConnection->local.port(ntohs(ipu.ipv6_addr.dst_port)); clientConnection->remote = ipu.ipv6_addr.src_addr; clientConnection->remote.port(ntohs(ipu.ipv6_addr.src_port)); - clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP. + if ((clientConnection->flags & COMM_TRANSPARENT)) + clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP. break; default: // do nothing break; 
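Review bot: `if ((clientConnection->flags & COMM_TRANSPARENT)) clientConnection->flags ^= COMM_TRANSPARENT;` is a two-line way of clearing one bit; `clientConnection->flags &= ~COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.` says the same thing unconditionally and cannot regress into the original toggle bug, which enabled TPROXY spoofing of the PROXY-supplied address whenever the flag happened to be clear. Trust in the PROXY header itself has to be established before this point; the access control that gates it is outside the hunk.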
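Review bot: The three PROXY-upgrade sites (v1 and the two v2 address families) now each repeat the same address assignments plus the conditional flag toggle, differing only in the source fields; a small private helper that sets `local`/`remote` and clears `COMM_TRANSPARENT` would make it impossible for the copies to drift apart again, which is exactly how the original `^=` bug survived in three places. If extraction is too invasive for a point release, at least replace the conditional toggle in both cases with `clientConnection->flags &= ~COMM_TRANSPARENT;`. The enclosing switch and function continue past the hunk.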
@@ -3789,6 +3795,14 @@ " has no certificate."); } +#if defined(TLSEXT_NAMETYPE_host_name) + if (!conn->serverBump()) { + // when in bumpClientFirst mode, get the server name from SNI + if (const char *server = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) + conn->resetSslCommonName(server); + } +#endif + conn->readSomeData(); } @@ -3984,7 +3998,7 @@ void ConnStateData::buildSslCertGenerationParams(Ssl::CertificateProperties &certProperties) { - certProperties.commonName = sslCommonName.size() > 0 ? sslCommonName.termedBuf() : sslConnectHostOrIp.termedBuf(); + certProperties.commonName = sslCommonName_.isEmpty() ? sslConnectHostOrIp.termedBuf() : sslCommonName_.c_str(); // fake certificate adaptation requires bump-server-first mode if (!sslServerBump) { @@ -4205,7 +4219,7 @@ assert(!switchedToHttps_); sslConnectHostOrIp = request->GetHost(); - sslCommonName = request->GetHost(); + resetSslCommonName(request->GetHost()); // We are going to read new request flags.readMore = true; @@ -4250,8 +4264,10 @@ if (bio->gotHello()) { if (conn->serverBump()) { Ssl::Bio::sslFeatures const &features = bio->getFeatures(); - if (!features.serverName.isEmpty()) + if (!features.serverName.isEmpty()) { conn->serverBump()->clientSni = features.serverName; + conn->resetSslCommonName(features.serverName.c_str()); + } } debugs(83, 5, "I got hello. Start forwarding the request!!! "); 
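Review bot: The SNI returned by `SSL_get_servername()` is client-controlled bytes that now become the CN of the certificate Squid generates (via resetSslCommonName) and the input to the new ssl::server_name ACL, with no validation visible here that it is a plausible host name (RFC 6066 requires a DNS host name without a trailing dot). Before `conn->resetSslCommonName(server)` reject an empty name, one longer than 255 bytes, or one containing characters outside `[A-Za-z0-9.-]`, logging and ignoring anything else; whatever cert generation does with a bad CN, a syntactically valid name is a cheap invariant to enforce at the boundary. In bump-client-first mode the browser already trusts Squid's CA for any name, so the risk is less impersonation than ACL confusion and certificate-cache pollution with garbage names. The enclosing callback continues past the hunk.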
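Review bot: `conn->resetSslCommonName(features.serverName.c_str())` turns an SBuf filled from raw ClientHello bytes into a C string, so an SNI with an embedded NUL yields a CN truncated at the NUL while `clientSni` keeps the full bytes; the ACL and the generated certificate would then see different names, and a cert for `good.example\0evil` would carry only the prefix. Unless the ClientHello parser rejects NULs (nothing visible in this diff does), check before using it, e.g. `if (features.serverName.find('\0') == SBuf::npos) conn->resetSslCommonName(features.serverName.c_str()); else debugs(83, DBG_IMPORTANT, "WARNING: ignoring SNI with embedded NUL from " << conn->clientConnection);` assuming SBuf offers a single-character find. The enclosing function starts and ends outside the hunk.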
@@ -4386,30 +4402,11 @@ Must(sslServerBump != NULL); if (Comm::IsConnOpen(serverConnection)) { - SSL *ssl = fd_table[serverConnection->fd].ssl; - assert(ssl); - Ssl::X509_Pointer serverCert(SSL_get_peer_certificate(ssl)); - assert(serverCert.get() != NULL); - sslCommonName = Ssl::CommonHostName(serverCert.get()); - debugs(33, 5, HERE << "HTTPS server CN: " << sslCommonName << - " bumped: " << *serverConnection); - pinConnection(serverConnection, NULL, NULL, false); debugs(33, 5, HERE << "bumped HTTPS server: " << sslConnectHostOrIp); } else { debugs(33, 5, HERE << "Error while bumping: " << sslConnectHostOrIp); - Ip::Address intendedDest; - intendedDest = sslConnectHostOrIp.termedBuf(); - const bool isConnectRequest = !port->flags.isIntercepted(); - - // Squid serves its own error page and closes, so we want - // a CN that causes no additional browser errors. Possible - // only when bumping CONNECT with a user-typed address. - if (intendedDest.isAnyAddr() || isConnectRequest) - sslCommonName = sslConnectHostOrIp; - else if (sslServerBump->serverCert.get()) - sslCommonName = Ssl::CommonHostName(sslServerBump->serverCert.get()); // copy error detail from bump-server-first request to CONNECT request if (currentobject != NULL && currentobject->http != NULL && currentobject->http->request) diff -u -r -N squid-3.5.3/src/client_side.h squid-3.5.4/src/client_side.h --- squid-3.5.3/src/client_side.h 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/client_side.h 2015-05-01 04:27:20.000000000 -0700 @@ -363,6 +363,8 @@ else assert(sslServerBump == srvBump); } + const SBuf &sslCommonName() const {return sslCommonName_;} + void resetSslCommonName(const char *name) {sslCommonName_ = name;} /// Fill the certAdaptParams with the required data for certificate adaptation /// and create the key for storing/retrieve the certificate to/from the cache void buildSslCertGenerationParams(Ssl::CertificateProperties &certProperties); 
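Review bot: The two new ConnStateData accessors carry no documentation, and `resetSslCommonName()` is a setter despite its name, so a reader may expect it to clear the CN; suggest `/// CN for generated certificates: CONNECT host, then client SNI, then server certificate CN as SslBump learns more` above the getter and `/// replaces the CN with a better-informed value (see sslCommonName())` above the setter, or rename it setSslCommonName. Taking `const char *` also means a NULL argument is handed to SBuf's C-string assignment; the SNI callers in this release check for NULL but the CONNECT caller does not obviously, so document or assert the non-NULL precondition. The class continues outside the hunk.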
@@ -448,7 +450,7 @@ bool switchedToHttps_; /// The SSL server host name appears in CONNECT request or the server ip address for the intercepted requests String sslConnectHostOrIp; ///< The SSL server host name as passed in the CONNECT request - String sslCommonName; ///< CN name for SSL certificate generation + SBuf sslCommonName_; ///< CN name for SSL certificate generation String sslBumpCertKey; ///< Key to use to store/retrieve generated certificate /// HTTPS server cert. fetching state for bump-ssl-server-first diff -u -r -N squid-3.5.3/src/client_side_request.cc squid-3.5.4/src/client_side_request.cc --- squid-3.5.3/src/client_side_request.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/client_side_request.cc 2015-05-01 04:27:20.000000000 -0700 @@ -1417,7 +1417,8 @@ if (bumpMode != Ssl::bumpEnd) { debugs(85, 5, HERE << "SslBump already decided (" << bumpMode << "), " << "ignoring ssl_bump for " << http->getConn()); - http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed + if (!http->getConn()->serverBump()) + http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed and not already bumped http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection return false; } diff -u -r -N squid-3.5.3/src/comm/IoCallback.cc squid-3.5.4/src/comm/IoCallback.cc --- squid-3.5.3/src/comm/IoCallback.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/comm/IoCallback.cc 2015-05-01 04:27:20.000000000 -0700 @@ -113,7 +113,7 @@ void Comm::IoCallback::finish(Comm::Flag code, int xerrn) { - debugs(5, 3, HERE << "called for " << conn << " (" << code << ", " << xerrno << ")"); + debugs(5, 3, "called for " << conn << " (" << code << ", " << xerrn << ")"); assert(active()); /* free data */ diff -u -r -N squid-3.5.3/src/comm.cc squid-3.5.4/src/comm.cc --- squid-3.5.3/src/comm.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/comm.cc 2015-05-01 04:27:20.000000000 -0700 
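Review bot: `http->getConn()->serverBump()` dereferences the connection pointer unconditionally, while the debugs() two lines above prints `http->getConn()` as a pointer value, which suggests this path was written to tolerate NULL; if a request with an already-decided bump mode can reach here after its ConnStateData is gone, this is a crash. Keep the original behaviour for that case: `const ConnStateData *conn = http->getConn(); if (!conn || !conn->serverBump()) http->sslBumpNeed(bumpMode);`. Whether NULL is actually reachable here cannot be confirmed from the hunk; the enclosing function starts and ends outside it.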
@@ -581,6 +581,11 @@ return commSetConnTimeout(conn, -1, nil); } +/** + * Connect socket FD to given remote address. + * If return value is an error flag (COMM_ERROR, ERR_CONNECT, ERR_PROTOCOL, etc.), + * then error code will also be returned in errno. + */ int comm_connect_addr(int sock, const Ip::Address &address) { @@ -621,7 +626,7 @@ address.getAddrInfo(AI, F->sock_family); /* Establish connection. */ - errno = 0; + int xerrno = 0; if (!F->flags.called_connect) { F->flags.called_connect = true; @@ -633,10 +638,8 @@ // Async calls development will fix this. if (x == 0) { x = -1; - errno = EINPROGRESS; - } - - if (x < 0) { + xerrno = EINPROGRESS; + } else if (x < 0) { debugs(5,5, "comm_connect_addr: sock=" << sock << ", addrinfo( " << " flags=" << AI->ai_flags << ", family=" << AI->ai_family << @@ -645,30 +648,28 @@ ", &addr=" << AI->ai_addr << ", addrlen=" << AI->ai_addrlen << " )" ); - debugs(5, 9, "connect FD " << sock << ": (" << x << ") " << xstrerror()); + debugs(5, 9, "connect FD " << sock << ": (" << x << ") " << xstrerr(xerrno)); debugs(14,9, "connecting to: " << address ); } + } else { + errno = 0; #if _SQUID_NEWSOS6_ /* Makoto MATSUSHITA */ + if (connect(sock, AI->ai_addr, AI->ai_addrlen) < 0) + xerrno = errno; - connect(sock, AI->ai_addr, AI->ai_addrlen); - - if (errno == EINVAL) { + if (xerrno == EINVAL) { errlen = sizeof(err); x = getsockopt(sock, SOL_SOCKET, SO_ERROR, &err, &errlen); - if (x >= 0) - errno = x; + xerrno = x; } - #else errlen = sizeof(err); - x = getsockopt(sock, SOL_SOCKET, SO_ERROR, &err, &errlen); - if (x == 0) - errno = err; + xerrno = err; #if _SQUID_SOLARIS_ /* 
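Review bot: In the `#else` (non-NEWSOS6) branch, `if (x == 0) xerrno = err;` leaves xerrno at 0 when getsockopt(SO_ERROR) itself fails, and the status logic that follows maps 0 to Comm::OK, so a socket whose error state cannot even be queried is reported as connected; the removed code fell through with errno set by getsockopt and reported an error. Add `else xerrno = errno;` after the `if (x == 0)` line (the Solaris block that follows must then preserve it rather than overwrite it). The NEWSOS6 branch has a related oddity carried over from the old code: `xerrno = x;` stores getsockopt's return value (0 or -1) rather than an errno, which deserves at least an `// XXX` marker. The enclosing function continues into the next hunk.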
@@ -677,23 +678,24 @@ * connect and just returns EPIPE. Create a fake * error message for connect. -- fenner@parc.xerox.com */ - if (x < 0 && errno == EPIPE) - errno = ENOTCONN; - + if (x < 0 && xerrno == EPIPE) + xerrno = ENOTCONN; + else + xerrno = errno; #endif #endif - } Ip::Address::FreeAddr(AI); PROF_stop(comm_connect_addr); - if (errno == 0 || errno == EISCONN) + errno = xerrno; + if (xerrno == 0 || xerrno == EISCONN) status = Comm::OK; - else if (ignoreErrno(errno)) + else if (ignoreErrno(xerrno)) status = Comm::INPROGRESS; - else if (errno == EAFNOSUPPORT || errno == EINVAL) + else if (xerrno == EAFNOSUPPORT || xerrno == EINVAL) return Comm::ERR_PROTOCOL; else return Comm::COMM_ERROR; @@ -708,6 +710,7 @@ debugs(5, DBG_DATA, "comm_connect_addr: FD " << sock << " connection pending"); } + errno = xerrno; return status; } @@ -1894,7 +1897,7 @@ debugs(50, 5, HERE << "FD " << new_socket << " is a new socket"); assert(!isOpen(new_socket)); - fd_open(new_socket, FD_MSGHDR, NULL); + fd_open(new_socket, FD_MSGHDR, addr->sun_path); fdd_table[new_socket].close_file = NULL; diff -u -r -N squid-3.5.3/src/fd.cc squid-3.5.4/src/fd.cc --- squid-3.5.3/src/fd.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/fd.cc 2015-05-01 04:27:20.000000000 -0700 @@ -241,8 +241,7 @@ fdUpdateBiggest(fd, 1); - if (desc) - xstrncpy(F->desc, desc, FD_DESC_SZ); + fd_note(fd, desc); ++Number_FD; } @@ -251,7 +250,10 @@ fd_note(int fd, const char *s) { fde *F = &fd_table[fd]; - xstrncpy(F->desc, s, FD_DESC_SZ); + if (s) + xstrncpy(F->desc, s, FD_DESC_SZ); + else + *(F->desc) = 0; // ""-string } void diff -u -r -N squid-3.5.3/src/http/StatusCode.h squid-3.5.4/src/http/StatusCode.h --- squid-3.5.3/src/http/StatusCode.h 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/http/StatusCode.h 2015-05-01 04:27:20.000000000 -0700 
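Review bot: The Solaris-only block now ends with `else xerrno = errno;`, which runs whenever `x < 0 && xerrno == EPIPE` is false, including the success case x == 0, where it overwrites the SO_ERROR value just stored in xerrno with errno, which this path set to 0 before the getsockopt call; a refused or timed-out connection would therefore be reported as Comm::OK on Solaris. The EPIPE branch can also never fire, because xerrno is only assigned when x == 0. Replace the four lines with `if (x < 0) xerrno = (errno == EPIPE) ? ENOTCONN : errno;`, which is what the removed code effectively did. The enclosing function continues into the next hunk.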
@@ -39,7 +39,7 @@ scNotModified = 304, scUseProxy = 305, scTemporaryRedirect = 307, - scPermanentRedirect = 308, /**< RFC7238 */ + scPermanentRedirect = 308, /**< RFC7538 */ scBadRequest = 400, scUnauthorized = 401, scPaymentRequired = 402, diff -u -r -N squid-3.5.3/src/log/access_log.cc squid-3.5.4/src/log/access_log.cc --- squid-3.5.3/src/log/access_log.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/log/access_log.cc 2015-05-01 04:27:20.000000000 -0700 @@ -96,6 +96,10 @@ if (log->aclList && checklist && checklist->fastCheck(log->aclList) != ACCESS_ALLOWED) continue; + // The special-case "none" type has no logfile object set + if (log->type == Log::Format::CLF_NONE) + return; + if (log->logfile) { logfileLineStart(log->logfile); @@ -131,9 +135,6 @@ break; #endif - case Log::Format::CLF_NONE: - return; // abort! - default: fatalf("Unknown log format %d\n", log->type); break; diff -u -r -N squid-3.5.3/src/parser/Tokenizer.cc squid-3.5.4/src/parser/Tokenizer.cc --- squid-3.5.3/src/parser/Tokenizer.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/parser/Tokenizer.cc 2015-05-01 04:27:20.000000000 -0700 
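Review bot: The relocated `return` for Log::Format::CLF_NONE keeps the documented semantics (a matching `access_log none` line stops evaluation of all later access_log lines) but drops the `// abort!` marker that made that intent visible, and the new comment only explains why the check now sits above `if (log->logfile)`. Suggest `return; // a matching "none" intentionally stops all further access_log processing, not just this entry` so nobody later "fixes" it into a `continue`. The ACL test above still runs first, so an unmatched `none` line is skipped rather than aborting, which the new placement preserves. The enclosing loop continues outside the hunk.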
@@ -13,28 +13,6 @@ #if HAVE_CTYPE_H #include #endif -#if HAVE_STDINT_H -#include -#endif -#ifndef INT64_MIN -/* Native 64 bit system without strtoll() */ -#if defined(LONG_MIN) && (SIZEOF_LONG == 8) -#define INT64_MIN LONG_MIN -#else -/* 32 bit system */ -#define INT64_MIN (-9223372036854775807LL-1LL) -#endif -#endif - -#ifndef INT64_MAX -/* Native 64 bit system without strtoll() */ -#if defined(LONG_MAX) && (SIZEOF_LONG == 8) -#define INT64_MAX LONG_MAX -#else -/* 32 bit system */ -#define INT64_MAX 9223372036854775807LL -#endif -#endif /// convenience method: consumes up to n bytes, counts, and returns them SBuf diff -u -r -N squid-3.5.3/src/peer_proxy_negotiate_auth.cc squid-3.5.4/src/peer_proxy_negotiate_auth.cc --- squid-3.5.3/src/peer_proxy_negotiate_auth.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/peer_proxy_negotiate_auth.cc 2015-05-01 04:27:20.000000000 -0700 @@ -13,6 +13,10 @@ #include "squid.h" #if HAVE_KRB5 && HAVE_GSSAPI +#if USE_APPLE_KRB5 +#define KERBEROS_APPLE_DEPRECATED(x) +#define GSSKRB_APPLE_DEPRECATED(x) +#endif #include "base64.h" #include "Debug.h" diff -u -r -N squid-3.5.3/src/SBuf.cc squid-3.5.4/src/SBuf.cc --- squid-3.5.3/src/SBuf.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/SBuf.cc 2015-05-01 04:27:20.000000000 -0700 @@ -172,7 +172,7 @@ // it's available, we're effectively claiming ownership // of it. If it's not, we need to go away (realloc) if (store_->canAppend(off_+len_, minSpace)) { - debugs(24, 7, "not growing"); + debugs(24, 7, id << " not growing"); return bufEnd(); } // TODO: we may try to memmove before realloc'ing in order to avoid @@ -484,7 +484,7 @@ n = length(); else n = min(n, length()); - debugs(24, 8, "consume " << n); + debugs(24, 8, id << " consume " << n); SBuf rv(substr(0, n)); chop(n); return rv; 
@@ -515,6 +515,8 @@ void SBuf::forceSize(size_type newSize) { + debugs(24, 8, id << " force " << (newSize > length() ? "grow" : "shrink") << " to length=" << newSize); + Must(store_->LockCount() == 1); if (newSize > min(maxSize,store_->capacity-off_)) throw SBufTooBigException(__FILE__,__LINE__); @@ -877,7 +879,7 @@ void SBuf::reAlloc(size_type newsize) { - debugs(24, 8, "new size: " << newsize); + debugs(24, 8, id << " new size: " << newsize); if (newsize > maxSize) throw SBufTooBigException(__FILE__, __LINE__); MemBlob::Pointer newbuf = new MemBlob(newsize); @@ -886,7 +888,7 @@ store_ = newbuf; off_ = 0; ++stats.cowSlow; - debugs(24, 7, "new store capacity: " << store_->capacity); + debugs(24, 7, id << " new store capacity: " << store_->capacity); } SBuf& @@ -907,12 +909,12 @@ void SBuf::cow(SBuf::size_type newsize) { - debugs(24, 8, "new size:" << newsize); + debugs(24, 8, id << " new size:" << newsize); if (newsize == npos || newsize < length()) newsize = length(); if (store_->LockCount() == 1 && newsize == length()) { - debugs(24, 8, "no cow needed"); + debugs(24, 8, id << " no cow needed"); ++stats.cowFast; return; } diff -u -r -N squid-3.5.3/src/ssl/bio.cc squid-3.5.4/src/ssl/bio.cc --- squid-3.5.3/src/ssl/bio.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/ssl/bio.cc 2015-05-01 04:27:20.000000000 -0700 
@@ -213,28 +213,12 @@ } if (helloState == atHelloNone) { - - const unsigned char *head = (const unsigned char *)rbuf.content(); - const char *s = objToString(head, rbuf.contentSize()); - debugs(83, 7, "SSL Header: " << s); - if (rbuf.contentSize() < 5) { + helloSize = features.parseMsgHead(rbuf); + if (helloSize == 0) { + // Not enough bytes to get hello message size BIO_set_retry_read(table); - return 0; - } - - if (head[0] == 0x16) { - debugs(83, 7, "SSL version 3 handshake message"); - helloSize = (head[3] << 8) + head[4]; - debugs(83, 7, "SSL Header Size: " << helloSize); - helloSize +=5; -#if defined(DO_SSLV23) - } else if ((head[0] & 0x80) && head[2] == 0x01 && head[3] == 0x03) { - debugs(83, 7, "SSL version 2 handshake message with v3 support"); - helloSize = head[1]; - helloSize +=5; -#endif - } else { - debugs(83, 7, "Not an SSL acceptable handshake message (SSLv2 message?)"); + return -1; + } else if (helloSize < 0) { return -1; } @@ -250,7 +234,7 @@ BIO_set_retry_read(table); return -1; } - features.get((const unsigned char *)rbuf.content()); + features.get(rbuf); helloState = atHelloReceived; } @@ -282,17 +266,7 @@ void Ssl::ServerBio::setClientFeatures(const Ssl::Bio::sslFeatures &features) { - clientFeatures.sslVersion = features.sslVersion; - clientFeatures.compressMethod = features.compressMethod; - clientFeatures.serverName = features.serverName; - clientFeatures.clientRequestedCiphers = features.clientRequestedCiphers; - clientFeatures.unknownCiphers = features.unknownCiphers; - memcpy(clientFeatures.client_random, features.client_random, SSL3_RANDOM_SIZE); - clientFeatures.helloMessage.clear(); - clientFeatures.helloMessage.append(features.helloMessage.rawContent(), features.helloMessage.length()); - clientFeatures.doHeartBeats = features.doHeartBeats; - clientFeatures.extensions = features.extensions; - featuresSet = true; + clientFeatures = features; }; int 
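Review bot: `features.get(rbuf);` discards the bool result and then unconditionally sets `helloState = atHelloReceived`, so a ClientHello that the new parser rejects (too short, bad extension lengths — several more failure paths than the old parser had) is treated as received and its partially filled features flow into ServerBio::setClientFeatures and the peek/splice logic. Check it: `if (!features.get(rbuf)) { debugs(83, 2, "failed to parse the client hello"); return -1; }`, or if aborting is too strict for splice-only deployments, at least log at level 2 so the decision is visible, since `initialized_` is already set by parseMsgHead and does not distinguish the two outcomes. The enclosing read() continues outside the hunk.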
@@ -462,7 +436,7 @@ assert(helloMsg.isEmpty()); SSL *ssl = fd_table[fd_].ssl; - if (featuresSet && ssl) { + if (clientFeatures.initialized_ && ssl) { if (bumpMode_ == Ssl::bumpPeek) { if (adjustSSL(ssl, clientFeatures)) allowBump = true; @@ -523,6 +497,24 @@ } } +bool +Ssl::ServerBio::resumingSession() +{ + if (!serverFeatures.initialized_) + serverFeatures.get(rbuf, false); + + if (!clientFeatures.sessionId.isEmpty() && !serverFeatures.sessionId.isEmpty()) + return clientFeatures.sessionId == serverFeatures.sessionId; + + // is this a session resuming attempt using TLS tickets? + if (clientFeatures.hasTlsTicket && + serverFeatures.tlsTicketsExtension && + serverFeatures.hasCcsOrNst) + return true; + + return false; +} + /// initializes BIO table after allocation static int squid_bio_create(BIO *bi) @@ -642,7 +634,7 @@ } } -Ssl::Bio::sslFeatures::sslFeatures(): sslVersion(-1), compressMethod(-1), unknownCiphers(false), doHeartBeats(true) +Ssl::Bio::sslFeatures::sslFeatures(): sslVersion(-1), compressMethod(-1), helloMsgSize(0), unknownCiphers(false), doHeartBeats(true), tlsTicketsExtension(false), hasTlsTicket(false), tlsStatusRequest(false), hasCcsOrNst(false), initialized_(false) { memset(client_random, 0, SSL3_RANDOM_SIZE); } 
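Review bot: `clientFeatures.initialized_` replaces the old `featuresSet` flag but has a weaker meaning: parseMsgHead() in this same diff sets `initialized_ = true` after parsing only the 5-byte record header, before the hello body has been validated, so adjustSSL() may now run on features that get() never finished filling in (empty cipher list, zeroed random); the old flag was set only when setClientFeatures() had been called. Consider a separate `parsed_` flag set at the end of parseV3Hello/parseV3ServerHello, or test `!clientFeatures.helloMessage.isEmpty()`, which get() fills only after the size check passed. The enclosing function continues outside the hunk.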
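Review bot: `serverFeatures.get(rbuf, false)` is called for its side effect and its result dropped, so an unparseable or not-yet-complete ServerHello silently yields "not resuming"; because parseMsgHead() sets `initialized_` as soon as the record header is seen, the retry on the next call is skipped as well and that answer becomes final. Capture the result and fail safe explicitly: `if (!serverFeatures.initialized_ && !serverFeatures.get(rbuf, false)) { debugs(83, 2, "cannot parse server hello, assuming full handshake"); return false; }`. The ticket branch relies on `hasCcsOrNst`, whose NewSessionTicket test in checkForCcsOrNst (later in this diff) compares the record content type with 0x04, a handshake message type rather than a record type (record types are 20–24), so only the ChangeCipherSpec case can actually match; resumption is still detected because CCS follows the ticket, but the check should inspect byte 5 of a 0x16 record.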
@@ -751,38 +743,225 @@ opaquePrf = objToString(p, len); } #endif + initialized_ = true; return true; } +int +Ssl::Bio::sslFeatures::parseMsgHead(const MemBuf &buf) +{ + const unsigned char *head = (const unsigned char *)buf.content(); + const char *s = objToString(head, buf.contentSize()); + debugs(83, 7, "SSL Header: " << s); + if (buf.contentSize() < 5) + return 0; + + if (helloMsgSize > 0) + return helloMsgSize; + + // Check for SSLPlaintext/TLSPlaintext record + // RFC6101 section 5.2.1 + // RFC5246 section 6.2.1 + if (head[0] == 0x16) { + debugs(83, 7, "SSL version 3 handshake message"); + // The SSL version exist in the 2nd and 3rd bytes + sslVersion = (head[1] << 8) | head[2]; + debugs(83, 7, "SSL Version :" << std::hex << std::setw(8) << std::setfill('0') << sslVersion); + // The hello message size exist in 4th and 5th bytes + helloMsgSize = (head[3] << 8) + head[4]; + debugs(83, 7, "SSL Header Size: " << helloMsgSize); + helloMsgSize +=5; +#if defined(DO_SSLV23) + } else if ((head[0] & 0x80) && head[2] == 0x01 && head[3] == 0x03) { + debugs(83, 7, "SSL version 2 handshake message with v3 support"); + sslVersion = (hello[3] << 8) | hello[4]; + debugs(83, 7, "SSL Version :" << std::hex << std::setw(8) << std::setfill('0') << sslVersion); + // The hello message size exist in 2nd byte + helloMsgSize = head[1]; + helloMsgSize +=2; +#endif + } else { + debugs(83, 7, "Not an SSL acceptable handshake message (SSLv2 message?)"); + return (helloMsgSize = -1); + } + + // Set object as initialized. 
Even if we did not full parsing yet + // The basic features, like the SSL version is set + initialized_ = true; + return helloMsgSize; +} + +bool +Ssl::Bio::sslFeatures::checkForCcsOrNst(const unsigned char *msg, size_t size) +{ + while (size > 5) { + const int msgType = msg[0]; + const int msgSslVersion = (msg[1] << 8) | msg[2]; + debugs(83, 7, "SSL Message Version :" << std::hex << std::setw(8) << std::setfill('0') << msgSslVersion); + // Check for Change Cipher Spec message + // RFC5246 section 6.2.1 + if (msgType == 0x14) {// Change Cipher Spec message found + debugs(83, 7, "SSL Change Cipher Spec message found"); + return true; + } + // Check for New Session Ticket message + // RFC5077 section 3.3 + if (msgType == 0x04) {// New Session Ticket message found + debugs(83, 7, "TLS New Session Ticket message found"); + return true; + } + // The hello message size exist in 4th and 5th bytes + size_t msgLength = (msg[3] << 8) + msg[4]; + debugs(83, 7, "SSL Message Size: " << msgLength); + msgLength += 5; + + if (msgLength <= size) { + msg += msgLength; + size -= msgLength; + } else + size = 0; + } + return false; +} + bool -Ssl::Bio::sslFeatures::get(const unsigned char *hello) +Ssl::Bio::sslFeatures::get(const MemBuf &buf, bool record) { - // The SSL handshake message should starts with a 0x16 byte - if (hello[0] == 0x16) { - return parseV3Hello(hello); + int msgSize; + if ((msgSize = parseMsgHead(buf)) <= 0) { + debugs(83, 7, "Not a known SSL handshake message"); + return false; + } + + if (msgSize > buf.contentSize()) { + debugs(83, 2, "Partial SSL handshake message, can not parse!"); + return false; + } + + if (record) { + helloMessage.clear(); + helloMessage.append(buf.content(), buf.contentSize()); + } + + const unsigned char *msg = (const unsigned char *)buf.content(); #if defined(DO_SSLV23) - } else if ((hello[0] & 0x80) && hello[2] == 0x01 && hello[3] == 0x03) { - return parseV23Hello(hello); + if (msg[0] & 0x80) + return parseV23Hello(msg, (size_t)msgSize); 
+ else #endif + { + // Hello messages require 5 bytes header + 1 byte Msg type + 3 bytes for Msg size + if (buf.contentSize() < 9) + return false; + + // Check for the Handshake/Message type + // The type 2 is a ServerHello, the type 1 is a ClientHello + // RFC5246 section 7.4 + if (msg[5] == 0x2) { // ServerHello message + if (parseV3ServerHello(msg, (size_t)msgSize)) { + hasCcsOrNst = checkForCcsOrNst(msg + msgSize, buf.contentSize() - msgSize); + return true; + } + } else if (msg[5] == 0x1) // ClientHello message, + return parseV3Hello(msg, (size_t)msgSize); } - debugs(83, 7, "Not a known SSL handshake message"); return false; } bool -Ssl::Bio::sslFeatures::parseV3Hello(const unsigned char *hello) +Ssl::Bio::sslFeatures::parseV3ServerHello(const unsigned char *hello, size_t size) { - debugs(83, 7, "Get fake features from v3 hello message."); - // The SSL version exist in the 2nd and 3rd bytes - sslVersion = (hello[1] << 8) | hello[2]; - debugs(83, 7, "Get fake features. Version :" << std::hex << std::setw(8) << std::setfill('0')<< sslVersion); - - // The following hello message size exist in 4th and 5th bytes - int helloSize = (hello[3] << 8) | hello[4]; - helloSize += 5; //Include the 5 header bytes. 
- helloMessage.clear(); - helloMessage.append((const char *)hello, helloSize); + // Parse a ServerHello Handshake message + // RFC5246 section 7.4, 7.4.1.3 + // The ServerHello starts at hello+5 + const size_t helloSize = (hello[6] << 16) | (hello[7] << 8) | hello[8]; + debugs(83, 7, "ServerHello message size: " << helloSize); + // helloSize should be msgSize + hello Header (4 bytes) + if (helloSize + 4 > size) { + debugs(83, 2, "ServerHello parse error"); + return false; + } + + // helloSize should be at least 38 bytes long: + // (SSL Version + Random + SessionId Length + Cipher Suite + Compression Method) + if (helloSize < 38) { + debugs(83, 2, "Too short ServerHello message"); + return false; + } + + debugs(83, 7, "Get fake features from v3 ServerHello message."); + // Get the correct version of the sub-hello message + sslVersion = (hello[9] << 8) | hello[10]; + // At the position 43 (MsgHeader(5 bytes) + HelloHeader (6bytes) + SSL3_RANDOM_SIZE (32bytes)) + const size_t sessIdLen = (size_t)hello[43]; + debugs(83, 7, "Session ID Length: " << sessIdLen); + + // The size should be enough to hold at least the following + // 5 MsgHelloHeader + 4 (hello header) + // + 2 (SSL Version) + 32 (random) + 1 (sessionId length) + // + sessIdLength + 2 (cipher suite) + 1 (compression method) + // = 47 + sessIdLength + if (47 + sessIdLen > size) { + debugs(83, 2, "ciphers length parse error"); + return false; + } + + // The sessionID stored at 44 position, after sessionID length field + sessionId.assign((const char *)(hello + 44), sessIdLen); + + // Check if there are extensions in hello message + // RFC5246 section 7.4.1.4 + if (size > 47 + sessIdLen + 2) { + // 47 + sessIdLen + const unsigned char *pToExtensions = hello + 47 + sessIdLen; + const size_t extensionsLen = (pToExtensions[0] << 8) | pToExtensions[1]; + // Check if the hello size can hold extensions + if (47 + 2 + sessIdLen + extensionsLen > size ) { + debugs(83, 2, "Extensions length parse error"); + return false; 
+ } + + pToExtensions += 2; + const unsigned char *ext = pToExtensions; + while (ext + 4 <= pToExtensions + extensionsLen) { + const short extType = (ext[0] << 8) | ext[1]; + ext += 2; + const short extLen = (ext[0] << 8) | ext[1]; + ext += 2; + debugs(83, 7, "TLS Extension: " << std::hex << extType << " of size:" << extLen); + // SessionTicket TLS Extension, RFC5077 section 3.2 + if (extType == 0x23) { + tlsTicketsExtension = true; + } + ext += extLen; + } + } + return true; +} + +bool +Ssl::Bio::sslFeatures::parseV3Hello(const unsigned char *hello, size_t size) +{ + // Parse a ClientHello Handshake message + // RFC5246 section 7.4, 7.4.1.2 + // The ClientHello starts at hello+5 + + debugs(83, 7, "Get fake features from v3 ClientHello message."); + const size_t helloSize = (hello[6] << 16) | (hello[7] << 8) | hello[8]; + debugs(83, 7, "ClientHello message size: " << helloSize); + // helloSize should be size + hello Header (4 bytes) + if (helloSize + 4 > size) { + debugs(83, 2, "ClientHello parse error"); + return false; + } + + // helloSize should be at least 38 bytes long: + // (SSL Version(2) + Random(32) + SessionId Length(1) + Cipher Suite Length(2) + Compression Method Length(1)) + if (helloSize < 38) { + debugs(83, 2, "Too short ClientHello message"); + return false; + } //For SSLv3 or TLSv1.* protocols we can get some more informations if (hello[1] == 0x3 && hello[5] == 0x1 /*HELLO A message*/) { 
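Review bot: In parseV3ServerHello's extension loop `const short extLen = (ext[0] << 8) | ext[1];` is a signed 16-bit value, so any extension whose length field is 0x8000 or more becomes negative and `ext += extLen` steps backwards; unlike the ClientHello loop there is also no check that `ext + extLen` stays within `extensionsLen`, so a malicious server in peek/splice mode can drive out-of-bounds reads or a non-terminating loop (the `ext + 4 <= ...` test keeps passing while ext moves backwards). Use unsigned types for extType and extLen, bound each extension against the end of the extensions block, and apply the same unsigned types in the ClientHello loop, as sketched below. Two further issues in the same hunk: the `DO_SSLV23` branch of parseMsgHead reads `hello[3]` and `hello[4]` but the parameter is named `head`, so that branch does not compile when the macro is defined; and checkForCcsOrNst tests the record content type against 0x04, which is the NewSessionTicket handshake type rather than a record type (record types are 20–24), so only the ChangeCipherSpec case can ever match.
```cpp
// … unchanged: ServerHello header, random and session-id parsing …
pToExtensions += 2;
const unsigned char *ext = pToExtensions;
const unsigned char *const extEnd = pToExtensions + extensionsLen;
while (ext + 4 <= extEnd) {
    const unsigned int extType = (ext[0] << 8) | ext[1];
    const size_t extLen = (ext[2] << 8) | ext[3];
    ext += 4;
    if (extLen > (size_t)(extEnd - ext)) {
        debugs(83, 2, "Extension " << std::hex << extType << " length parse error");
        return false;
    }
    debugs(83, 7, "TLS Extension: " << std::hex << extType << " of size:" << extLen);
    // SessionTicket TLS Extension, RFC5077 section 3.2
    if (extType == 0x23)
        tlsTicketsExtension = true;
    ext += extLen;
}
```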
@@ -793,18 +972,35 @@ debugs(83, 7, "Client random: " << objToString(client_random, SSL3_RANDOM_SIZE)); // At the position 43 (11+SSL3_RANDOM_SIZE) - int sessIDLen = (int)hello[43]; + const size_t sessIDLen = (size_t)hello[43]; debugs(83, 7, "Session ID Length: " << sessIDLen); + // The size should be enough to hold at least the following + // 5 MsgHelloHeader + 4 (hello header) + // + 2 (SSL Version) + 32 (random) + 1 (sessionId length) + // + sessIdLength + 2 (cipher suite length) + 1 (compression method length) + // = 47 + sessIdLength + if (47 + sessIDLen > size) + return false; + + // The sessionID stored art 44 position, after sessionID length field + sessionId.assign((const char *)(hello + 44), sessIDLen); + //Ciphers list. It is stored after the Session ID. + // It is a variable-length vector(RFC5246 section 4.3) const unsigned char *ciphers = hello + 44 + sessIDLen; - int ciphersLen = (ciphers[0] << 8) | ciphers[1]; + const size_t ciphersLen = (ciphers[0] << 8) | ciphers[1]; + if (47 + sessIDLen + ciphersLen > size) { + debugs(83, 2, "ciphers length parse error"); + return false; + } + ciphers += 2; if (ciphersLen) { const SSL_METHOD *method = SSLv3_method(); - int cs = method->put_cipher_by_char(NULL, NULL); + const int cs = method->put_cipher_by_char(NULL, NULL); assert(cs > 0); - for (int i = 0; i < ciphersLen; i += cs) { + for (size_t i = 0; i < ciphersLen; i += cs) { const SSL_CIPHER *c = method->get_cipher_by_char((ciphers + i)); if (c != NULL) { if (!clientRequestedCiphers.empty()) 
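Review bot: The cipher loop on the new `for (size_t i = 0; i < ciphersLen; i += cs)` line still accepts an odd `ciphersLen`, so its last iteration hands `get_cipher_by_char(ciphers + i)` one list byte plus the byte after the list (the compression-length byte, still inside `size` thanks to the new bound) as if it were a suite. RFC 5246 defines cipher_suites as a vector of 2-byte entries, so a length that is not a multiple of `cs` is malformed and can be rejected right after `assert(cs > 0)`: `if (ciphersLen % cs != 0) { debugs(83, 2, "ciphers length parse error"); return false; }`. The new comment `The sessionID stored art 44 position` should read `at`. The enclosing parseV3Hello body begins and ends outside this hunk.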
@@ -825,27 +1021,56 @@ compressMethod = 0; debugs(83, 7, "SSL compression methods number: " << (int)compression[0]); + // Parse Extensions, RFC5246 section 7.4.1.4 const unsigned char *pToExtensions = compression + 1 + (int)compression[0]; - if (pToExtensions < hello + helloSize) { - int extensionsLen = (pToExtensions[0] << 8) | pToExtensions[1]; - const unsigned char *ext = pToExtensions + 2; - while (ext < pToExtensions + extensionsLen) { - short extType = (ext[0] << 8) | ext[1]; + if ((size_t)((pToExtensions - hello) + 2) < size) { + const size_t extensionsLen = (pToExtensions[0] << 8) | pToExtensions[1]; + if ((pToExtensions - hello) + 2 + extensionsLen > size) { + debugs(83, 2, "Extensions length parse error"); + return false; + } + + pToExtensions += 2; + const unsigned char *ext = pToExtensions; + while (ext + 4 <= pToExtensions + extensionsLen) { + const short extType = (ext[0] << 8) | ext[1]; ext += 2; - short extLen = (ext[0] << 8) | ext[1]; + const short extLen = (ext[0] << 8) | ext[1]; ext += 2; - debugs(83, 7, "SSL Exntension: " << std::hex << extType << " of size:" << extLen); + debugs(83, 7, "TLS Extension: " << std::hex << extType << " of size:" << extLen); + + if (ext + extLen > pToExtensions + extensionsLen) { + debugs(83, 2, "Extension " << std::hex << extType << " length parser error"); + return false; + } + //The SNI extension has the type 0 (extType == 0) + // RFC6066 sections 3, 10.2 // The two first bytes indicates the length of the SNI data (should be extLen-2) // The next byte is the hostname type, it should be '0' for normal hostname (ext[2] == 0) // The 3rd and 4th bytes are the length of the hostname if (extType == 0 && ext[2] == 0) { - int hostLen = (ext[3] << 8) | ext[4]; + const int hostLen = (ext[3] << 8) | ext[4]; serverName.assign((const char *)(ext+5), hostLen); debugs(83, 7, "Found server name: " << serverName); } else if (extType == 15 && ext[0] != 0) { - // The heartBeats are the type 15 + // The heartBeats are the type 15, 
RFC6520 doHeartBeats = true; + } else if (extType == 0x23) { + //SessionTicket TLS Extension RFC5077 + tlsTicketsExtension = true; + if (extLen != 0) + hasTlsTicket = true; + } else if (extType == 0x05) { + // RFC6066 sections 8, 10.2 + tlsStatusRequest = true; + } else if (extType == 0x3374) { + // detected TLS next protocol negotiate extension + } else if (extType == 0x10) { + // Application-Layer Protocol Negotiation Extension, RFC7301 + const int listLen = (ext[0] << 8) | ext[1]; + if (listLen < extLen) + tlsAppLayerProtoNeg.assign((const char *)(ext+5), listLen); } else extensions.push_back(extType); @@ -857,23 +1082,19 @@ } bool -Ssl::Bio::sslFeatures::parseV23Hello(const unsigned char *hello) +Ssl::Bio::sslFeatures::parseV23Hello(const unsigned char *hello, size_t size) { #if defined(DO_SSLV23) - debugs(83, 7, "Get fake features from v23 hello message."); - sslVersion = (hello[3] << 8) | hello[4]; - debugs(83, 7, "Get fake features. Version :" << std::hex << std::setw(8) << std::setfill('0')<< sslVersion); - - // The following hello message size exist in 2nd byte - int helloSize = hello[1]; - helloSize += 2; //Include the 2 header bytes. - helloMessage.clear(); - helloMessage.append((char *)hello, helloSize); - + debugs(83, 7, "Get fake features from v23 ClientHello message."); + if (size < 7) + return false; //Ciphers list. It is stored after the Session ID. - - int ciphersLen = (hello[5] << 8) | hello[6]; + const int ciphersLen = (hello[5] << 8) | hello[6]; const unsigned char *ciphers = hello + 11; + + if (size < ciphersLen + 11 + SSL3_RANDOM_SIZE) + return false; + if (ciphersLen) { const SSL_METHOD *method = SSLv23_method(); int cs = method->put_cipher_by_char(NULL, NULL); 
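Review bot: `const short extLen = (ext[0] << 8) | ext[1];` keeps a 16-bit extension length in a signed short, so any length of 0x8000 or more becomes negative; the new `ext + extLen > pToExtensions + extensionsLen` guard then passes and `ext += extLen` moves the cursor backwards, before the start of the hello buffer, on the next iteration. Declaring it `const size_t extLen = (ext[0] << 8) | ext[1];` (and `extType` as an unsigned type) closes that; the ServerHello extension loop earlier in this file has the same cast. Separately, the SNI branch reads `ext[2]`..`ext[4]` and copies `hostLen` bytes from `ext+5` without comparing either against `extLen`, so a short extension lets `serverName.assign` read past the extension data; guard it with `extLen >= 5` and `hostLen + 5 <= extLen`, and the ALPN branch should bound `listLen + 2 <= extLen` the same way (it also copies from `ext+5` although the ProtocolNameList appears to start at `ext+2` — worth confirming against RFC 7301 §3.1). The enclosing loop and function continue outside the hunk.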
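Review bot: The new bound `if (size < ciphersLen + 11 + SSL3_RANDOM_SIZE)` substitutes a fixed 32-byte challenge for the session-id and challenge lengths that the v2 CLIENT-HELLO header carries at hello[7..8] and hello[9..10], so it can reject a valid hello with a shorter challenge and, if the rest of parseV23Hello (outside this hunk) walks the session id, leaves that read unbounded. Deriving the bound from the header checks exactly what is consumed: raise the guard to `if (size < 11) return false;`, then `const size_t sessLen = (hello[7] << 8) | hello[8], chalLen = (hello[9] << 8) | hello[10];` and `if (size < 11 + ciphersLen + sessLen + chalLen) return false;`. Please confirm this against the v2 layout the remainder of the function assumes; the hunk only shows the cipher-list offset of 11.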
@@ -907,7 +1128,7 @@ } void -Ssl::Bio::sslFeatures::applyToSSL(SSL *ssl) const +Ssl::Bio::sslFeatures::applyToSSL(SSL *ssl, Ssl::BumpMode bumpMode) const { // To increase the possibility for bumping after peek mode selection or // splicing after stare mode selection it is good to set the @@ -929,12 +1150,28 @@ SSL_set_options(ssl, SSL_OP_NO_COMPRESSION); #endif +#if defined(TLSEXT_STATUSTYPE_ocsp) + if (tlsStatusRequest) + SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp); +#endif + +#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation) + if (!tlsAppLayerProtoNeg.isEmpty()) { + if (bumpMode == Ssl::bumpPeek) + SSL_set_alpn_protos(ssl, (const unsigned char*)tlsAppLayerProtoNeg.rawContent(), tlsAppLayerProtoNeg.length()); + else { + static const unsigned char supported_protos[] = {8, 'h','t','t', 'p', '/', '1', '.', '1'}; + SSL_set_alpn_protos(ssl, supported_protos, sizeof(supported_protos)); + } + } +#endif } std::ostream & Ssl::Bio::sslFeatures::print(std::ostream &os) const { static std::string buf; + // TODO: Also print missing features like the HeartBeats and AppLayerProtoNeg return os << "v" << sslVersion << " SNI:" << (serverName.isEmpty() ? SBuf("-") : serverName) << " comp:" << compressMethod << diff -u -r -N squid-3.5.3/src/ssl/bio.h squid-3.5.4/src/ssl/bio.h --- squid-3.5.3/src/ssl/bio.h 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/ssl/bio.h 2015-05-01 04:27:20.000000000 -0700 
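Review bot: Both `SSL_set_alpn_protos` calls in the new `TLSEXT_TYPE_application_layer_protocol_negotiation` block discard the result; that function returns 0 on success and non-zero on failure, so a malformed client list copied from the ClientHello fails silently and the hello sent to the server may carry no ALPN at all. Logging it keeps a peek/stare mismatch diagnosable: `if (SSL_set_alpn_protos(ssl, (const unsigned char*)tlsAppLayerProtoNeg.rawContent(), tlsAppLayerProtoNeg.length()) != 0) debugs(83, 3, "failed to set ALPN from ClientHello");` and likewise for the `supported_protos` call. The `supported_protos` literal is duplicated in ssl_next_proto_cb in support.cc; one shared constant would keep the two in step. The applyToSSL body begins outside the hunk.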
@@ -37,18 +37,33 @@ public: sslFeatures(); bool get(const SSL *ssl); ///< Retrieves the features from SSL object - bool get(const unsigned char *hello); ///< Retrieves the features from raw SSL hello message - bool parseV3Hello(const unsigned char *hello); - bool parseV23Hello(const unsigned char *hello); + /// Retrieves features from raw SSL Hello message. + /// \param record whether to store Message to the helloMessage member + bool get(const MemBuf &, bool record = true); + /// Parses a v3 ClientHello message + bool parseV3Hello(const unsigned char *hello, size_t helloSize); + /// Parses a v23 ClientHello message + bool parseV23Hello(const unsigned char *hello, size_t helloSize); + /// Parses a v3 ServerHello message. + bool parseV3ServerHello(const unsigned char *hello, size_t helloSize); /// Prints to os stream a human readable form of sslFeatures object std::ostream & print(std::ostream &os) const; /// Converts to the internal squid SSL version form the sslVersion int toSquidSSLVersion() const; /// Configure the SSL object with the SSL features of the sslFeatures object - void applyToSSL(SSL *ssl) const; + void applyToSSL(SSL *ssl, Ssl::BumpMode bumpMode) const; + /// Parses an SSL Message header. It returns the ssl Message size. 
+ /// \retval >0 if the hello size is retrieved + /// \retval 0 if the contents of the buffer are not enough + /// \retval <0 if the contents of buf are not SSLv3 or TLS hello message + int parseMsgHead(const MemBuf &); + /// Parses msg buffer and return true if one of the Change Cipher Spec + /// or New Session Ticket messages found + bool checkForCcsOrNst(const unsigned char *msg, size_t size); public: int sslVersion; ///< The requested/used SSL version int compressMethod; ///< The requested/used compressed method + int helloMsgSize; ///< the hello message size mutable SBuf serverName; ///< The SNI hostname, if any std::string clientRequestedCiphers; ///< The client requested ciphers bool unknownCiphers; ///< True if one or more ciphers are unknown @@ -56,10 +71,19 @@ std::string ellipticCurves; ///< tlsExtension ellipticCurveList std::string opaquePrf; ///< tlsExtension opaquePrf bool doHeartBeats; + bool tlsTicketsExtension; ///< whether TLS tickets extension is enabled + bool hasTlsTicket; ///< whether a TLS ticket is included + bool tlsStatusRequest; ///< whether the TLS status request extension is set + SBuf tlsAppLayerProtoNeg; ///< The value of the TLS application layer protocol extension if it is enabled + /// whether Change Cipher Spec message included in ServerHello + /// handshake message + bool hasCcsOrNst; /// The client random number unsigned char client_random[SSL3_RANDOM_SIZE]; + SBuf sessionId; std::list extensions; SBuf helloMessage; + bool initialized_; }; explicit Bio(const int anFd); virtual ~Bio(); 
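Review bot: `bool get(const MemBuf &, bool record = true);` documents `\param record` but leaves its first parameter unnamed and undescribed; `bool get(const MemBuf &helloMsg, bool record = true);` with `/// \param helloMsg the raw hello message bytes to parse` would complete the Doxygen block. `int helloMsgSize; ///< the hello message size` shares its name with the `mb_size_t helloMsgSize` member of ServerBio further down this header, with a different type; a comment saying which message (the parsed hello, per `parseMsgHead`) and why it is an `int` would avoid confusion between the two.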
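Review bot: `bool initialized_;` and `SBuf sessionId;` are the only new members in this hunk without a `///<` description, and `initialized_` carries the trailing-underscore private-member suffix while sitting in the `public:` section next to the undecorated `sslVersion`/`compressMethod`. Suggested text: `SBuf sessionId; ///< The session ID copied from the Client/ServerHello, if any` and `bool initialized_; ///< whether the features have been parsed from a hello or SSL object` (adjust to what the constructor actually sets, which is outside this diff). The `hasCcsOrNst` comment mentions only Change Cipher Spec although the field name and `checkForCcsOrNst` also cover New Session Ticket.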
@@ -113,7 +137,7 @@ /// to socket and sets the "read retry" flag of the BIO to true virtual int read(char *buf, int size, BIO *table); /// Return true if the client hello message received and analized - bool gotHello() {return features.sslVersion != -1;} + bool gotHello() { return (helloState == atHelloReceived); } /// Return the SSL features requested by SSL client const Bio::sslFeatures &getFeatures() const {return features;} /// Prevents or allow writting on socket. @@ -148,7 +172,7 @@ class ServerBio: public Bio { public: - explicit ServerBio(const int anFd): Bio(anFd), featuresSet(false), helloMsgSize(0), helloBuild(false), allowSplice(false), allowBump(false), holdWrite_(false), record_(false), bumpMode_(bumpNone) {} + explicit ServerBio(const int anFd): Bio(anFd), helloMsgSize(0), helloBuild(false), allowSplice(false), allowBump(false), holdWrite_(false), record_(false), bumpMode_(bumpNone) {} /// The ServerBio version of the Ssl::Bio::stateChanged method virtual void stateChanged(const SSL *ssl, int where, int ret); /// The ServerBio version of the Ssl::Bio::write method @@ -165,6 +189,7 @@ /// Sets the random number to use in client SSL HELLO message void setClientFeatures(const sslFeatures &features); + bool resumingSession(); /// The write hold state bool holdWrite() const {return holdWrite_;} /// Enables or disables the write hold state 
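Review bot: `bool resumingSession();` is the one declaration in this hunk without the `///` comment its neighbours carry, and unlike `holdWrite() const` below it is not const-qualified; its definition is not in this diff, so whether it can be const cannot be judged here. Suggested: `/// Whether the server hello resumes a previous session (so no certificate is expected)` — adjust the wording to what the implementation actually checks.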
@@ -177,10 +202,10 @@ bool canBump() {return allowBump;} /// The bumping mode void mode(Ssl::BumpMode m) {bumpMode_ = m;} + Ssl::BumpMode bumpMode() {return bumpMode_;} ///< return the bumping mode private: - /// A random number to use as "client random" in client hello message - sslFeatures clientFeatures; - bool featuresSet; ///< True if the clientFeatures member is set and can be used + sslFeatures clientFeatures; ///< SSL client features extracted from ClientHello message or SSL object + sslFeatures serverFeatures; ///< SSL server features extracted from ServerHello message SBuf helloMsg; ///< Used to buffer output data. mb_size_t helloMsgSize; bool helloBuild; ///< True if the client hello message sent to the server diff -u -r -N squid-3.5.3/src/ssl/certificate_db.cc squid-3.5.4/src/ssl/certificate_db.cc --- squid-3.5.3/src/ssl/certificate_db.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/ssl/certificate_db.cc 2015-05-01 04:27:20.000000000 -0700 @@ -57,8 +57,10 @@ #if _SQUID_WINDOWS_ if (!LockFile(hFile, 0, 0, 1, 0)) -#else +#elif _SQUID_SOLARIS_ if (lockf(fd, F_LOCK, 0) != 0) +#else + if (flock(fd, LOCK_EX) != 0) #endif throw std::runtime_error("Failed to get a lock of " + filename); } @@ -73,7 +75,11 @@ } #else if (fd != -1) { +#if _SQUID_SOLARIS_ lockf(fd, F_ULOCK, 0); +#else + flock(fd, LOCK_UN); +#endif close(fd); fd = -1; } diff -u -r -N squid-3.5.3/src/ssl/context_storage.cc squid-3.5.4/src/ssl/context_storage.cc --- squid-3.5.3/src/ssl/context_storage.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/ssl/context_storage.cc 2015-05-01 04:27:20.000000000 -0700 
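Review bot: `Ssl::BumpMode bumpMode() {return bumpMode_;}` is a read-only accessor but is not const, so it cannot be called on a `const ServerBio`; `holdWrite() const` a few lines above shows the class convention. `Ssl::BumpMode bumpMode() const {return bumpMode_;} ///< return the bumping mode` is source-compatible with the non-const `srvBio->bumpMode()` calls PeerConnector.cc now makes.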
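Review bot: The new `flock(fd, LOCK_EX)` branch needs `<sys/file.h>`, and no include change for certificate_db.cc appears in this diff; if that header is not already reached transitively, non-Solaris builds fail at this line. The lock type change also deserves a comment: `flock` locks belong to the open file description (shared by duplicated and inherited descriptors), whereas the `lockf` it replaces is a per-process POSIX record lock, so behaviour with a child process that inherits the descriptor changes; a line such as `// flock: lock follows the open file description, unlike lockf` at the `#else` would record the intent. The same split is repeated in the unlock hunk (`@@ -73,7 +75,11 @@`).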
@@ -95,13 +95,14 @@ reconfiguring = false; // remove or change old local storages. - for (std::map::iterator i = storage.begin(); i != storage.end(); ++i) { + for (std::map::iterator i = storage.begin(); i != storage.end();) { std::map::iterator conf_i = configureStorage.find(i->first); if (conf_i == configureStorage.end() || conf_i->second <= 0) { delete i->second; - storage.erase(i); + storage.erase(i++); } else { i->second->setMemLimit(conf_i->second); + ++i; } } diff -u -r -N squid-3.5.3/src/ssl/PeerConnector.cc squid-3.5.4/src/ssl/PeerConnector.cc --- squid-3.5.3/src/ssl/PeerConnector.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/ssl/PeerConnector.cc 2015-05-01 04:27:20.000000000 -0700 @@ -45,7 +45,9 @@ callback(aCallback), negotiationTimeout(timeout), startTime(squid_curtime), - splice(false) + splice(false), + resumingSession(false), + serverCertificateHandled(false) { // if this throws, the caller's cb dialer is not our CbDialer Must(dynamic_cast(callback->getDialer())); @@ -129,18 +131,8 @@ } if (peer) { - if (peer->ssldomain) - SSL_set_ex_data(ssl, ssl_ex_index_server, peer->ssldomain); - -#if NOT_YET - - else if (peer->name) - SSL_set_ex_data(ssl, ssl_ex_index_server, peer->name); - -#endif - - else - SSL_set_ex_data(ssl, ssl_ex_index_server, peer->host); + SBuf *host = new SBuf(peer->ssldomain ? peer->ssldomain : peer->host); + SSL_set_ex_data(ssl, ssl_ex_index_server, host); if (peer->sslSession) SSL_set_session(ssl, peer->sslSession); 
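Review bot: `SSL_set_ex_data(ssl, ssl_ex_index_server, host)` transfers ownership of the freshly allocated SBuf to the SSL object (released by the `ssl_free_SBuf` callback registered in support.cc), but its return value is ignored, so on failure the allocation leaks; `if (!SSL_set_ex_data(ssl, ssl_ex_index_server, host)) delete host;` closes that. If a value was already stored under this index, the earlier SBuf is also lost, because the free callback only runs for the final pointer at SSL_free time; the `hostName` SBuf allocated in the following hunk presumably reaches the same call and has the same exposure. The enclosing function continues outside the hunk.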
@@ -148,16 +140,19 @@ // client connection is required in the case we need to splice // or terminate client and server connections assert(clientConn != NULL); - const char *hostName = NULL; + SBuf *hostName = NULL; Ssl::ClientBio *cltBio = NULL; + //Enable Status_request tls extension, required to bump some clients + SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp); + // In server-first bumping mode, clientSsl is NULL. if (SSL *clientSsl = fd_table[clientConn->fd].ssl) { BIO *b = SSL_get_rbio(clientSsl); cltBio = static_cast(b->ptr); const Ssl::Bio::sslFeatures &features = cltBio->getFeatures(); if (!features.serverName.isEmpty()) - hostName = features.serverName.c_str(); + hostName = new SBuf(features.serverName); } if (!hostName) { @@ -166,7 +161,7 @@ // unless it was the CONNECT request with a user-typed address. const bool isConnectRequest = !csd->port->flags.isIntercepted(); if (!request->flags.sslPeek || isConnectRequest) - hostName = request->GetHost(); + hostName = new SBuf(request->GetHost()); } if (hostName) @@ -177,7 +172,7 @@ assert(cltBio); const Ssl::Bio::sslFeatures &features = cltBio->getFeatures(); if (features.sslVersion != -1) { - features.applyToSSL(ssl); + features.applyToSSL(ssl, csd->sslBumpMode); // Should we allow it for all protocols? if (features.sslVersion >= 3) { BIO *b = SSL_get_rbio(ssl); @@ -194,7 +189,7 @@ // Use SNI TLS extension only when we connect directly // to the origin server and we know the server host name. - const char *sniServer = hostName ? hostName : + const char *sniServer = hostName ? hostName->c_str() : (!request->GetHostIsNumeric() ? request->GetHost() : NULL); if (sniServer) Ssl::setClientSNI(ssl, sniServer); 
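Review bot: `SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);` is called unconditionally here, while the equivalent call added to `applyToSSL` in bio.cc is wrapped in `#if defined(TLSEXT_STATUSTYPE_ocsp)`; a build against an OpenSSL that lacks the macro fails at this line. Wrapping it the same way keeps the two sites consistent. The enclosing function continues past the hunk.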
@@ -264,17 +259,47 @@ callBack(); } +void +Ssl::PeerConnector::handleServerCertificate() +{ + if (serverCertificateHandled) + return; + + if (ConnStateData *csd = request->clientConnectionManager.valid()) { + const int fd = serverConnection()->fd; + SSL *ssl = fd_table[fd].ssl; + Ssl::X509_Pointer serverCert(SSL_get_peer_certificate(ssl)); + if (!serverCert.get()) + return; + + serverCertificateHandled = true; + + csd->resetSslCommonName(Ssl::CommonHostName(serverCert.get())); + debugs(83, 5, "HTTPS server CN: " << csd->sslCommonName() << + " bumped: " << *serverConnection()); + + // remember the server certificate for later use + if (Ssl::ServerBump *serverBump = csd->serverBump()) { + serverBump->serverCert.reset(serverCert.release()); + } + } +} + bool Ssl::PeerConnector::sslFinalized() { const int fd = serverConnection()->fd; SSL *ssl = fd_table[fd].ssl; - if (request->clientConnectionManager.valid()) { - // remember the server certificate from the ErrorDetail object - if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) { - serverBump->serverCert.reset(SSL_get_peer_certificate(ssl)); + // In the case the session is resuming, the certificates does not exist and + // we did not do any cert validation + if (resumingSession) + return true; + + handleServerCertificate(); + if (ConnStateData *csd = request->clientConnectionManager.valid()) { + if (Ssl::ServerBump *serverBump = csd->serverBump()) { // remember validation errors, if any if (Ssl::CertErrors *errs = static_cast(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors))) serverBump->sslErrors = cbdataReference(errs); 
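Review bot: The new `if (resumingSession) return true;` in sslFinalized skips everything below it, including the copy of `ssl_ex_index_ssl_errors` into `serverBump->sslErrors`, so a resumed session finalises with no certificate-error record attached to the bump state; that is only safe if this path is never reached without the session having been validated when it was first established, which the diff does not show. A comment at the early return stating that precondition would help the next reader: `// resumed session: no certificate is sent, rely on the validation done when the session was first established`. In handleServerCertificate, `fd_table[fd].ssl` is passed to `SSL_get_peer_certificate` without a null check, as in the code it replaces. The rest of sslFinalized is outside the hunk.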
@@ -328,16 +353,15 @@ void Ssl::PeerConnector::checkForPeekAndSplice() { - SSL *ssl = fd_table[serverConn->fd].ssl; // Mark Step3 of bumping if (request->clientConnectionManager.valid()) { if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) { serverBump->step = Ssl::bumpStep3; - if (!serverBump->serverCert.get()) - serverBump->serverCert.reset(SSL_get_peer_certificate(ssl)); } } + handleServerCertificate(); + ACLFilledChecklist *acl_checklist = new ACLFilledChecklist( ::Config.accessList.ssl_bump, request.getRaw(), NULL); @@ -537,7 +561,7 @@ return; case SSL_ERROR_WANT_WRITE: - if ((request->clientConnectionManager->sslBumpMode == Ssl::bumpPeek || request->clientConnectionManager->sslBumpMode == Ssl::bumpStare) && srvBio->holdWrite()) { + if ((srvBio->bumpMode() == Ssl::bumpPeek || srvBio->bumpMode() == Ssl::bumpStare) && srvBio->holdWrite()) { debugs(81, DBG_IMPORTANT, "hold write on SSL connection on FD " << fd); checkForPeekAndSplice(); return; @@ -549,6 +573,19 @@ case SSL_ERROR_SYSCALL: ssl_lib_error = ERR_get_error(); + // In Peek mode, the ClientHello message sent to the server. If the + // server resuming a previous (spliced) SSL session with the client, + // then probably we are here because local SSL object does not know + // anything about the session being resumed. + // + if (srvBio->bumpMode() == Ssl::bumpPeek && (resumingSession = srvBio->resumingSession())) { + // we currently splice all resumed sessions unconditionally + if (const bool spliceResumed = true) { + checkForPeekAndSpliceDone(Ssl::bumpSplice); + return; + } // else fall through to find a matching ssl_bump action (with limited info) + } + // If we are in peek-and-splice mode and still we did not write to // server yet, try to see if we should splice. // In this case the connection can be saved. 
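Review bot: `if (const bool spliceResumed = true)` makes the `// else fall through` comment unreachable, and the `resumingSession = srvBio->resumingSession()` assignment inside the condition hides that a member is set as a side effect of an error-path test. Because this branch splices a resumed session without the ssl_bump step-3 ACL evaluation that checkForPeekAndSplice performs, the shortcut is security-relevant and should say so, e.g. `// NOTE: resumed sessions are spliced without consulting the step3 ssl_bump rules`. Assigning `resumingSession` in its own statement before the peek test and dropping the always-true `if` would express the same logic in three plain lines. The switch continues outside the hunk.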
@@ -560,11 +597,13 @@ // unsupported server Hello message (TODO: make configurable). #if 1 if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) && - SSL_get_peer_certificate(ssl) && - (request->clientConnectionManager->sslBumpMode == Ssl::bumpPeek || request->clientConnectionManager->sslBumpMode == Ssl::bumpStare) && srvBio->holdWrite()) { - debugs(81, 3, "Error (" << ERR_error_string(ssl_lib_error, NULL) << ") but, hold write on SSL connection on FD " << fd); - checkForPeekAndSplice(); - return; + (srvBio->bumpMode() == Ssl::bumpPeek || srvBio->bumpMode() == Ssl::bumpStare) && srvBio->holdWrite()) { + Ssl::X509_Pointer serverCert(SSL_get_peer_certificate(ssl)); + if (serverCert.get()) { + debugs(81, 3, "Error (" << ERR_error_string(ssl_lib_error, NULL) << ") but, hold write on SSL connection on FD " << fd); + checkForPeekAndSplice(); + return; + } } #endif diff -u -r -N squid-3.5.3/src/ssl/PeerConnector.h squid-3.5.4/src/ssl/PeerConnector.h --- squid-3.5.3/src/ssl/PeerConnector.h 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/ssl/PeerConnector.h 2015-05-01 04:27:20.000000000 -0700 @@ -154,6 +154,10 @@ /// Check SSL errors returned from cert validator against sslproxy_cert_error access list Ssl::CertErrors *sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &, Ssl::ErrorDetail *&); + /// Updates associated client connection manager members + /// if the server certificate was received from the server. + void handleServerCertificate(); + /// Callback function called when squid receive message from cert validator helper static void sslCrtvdHandleReplyWrapper(void *data, Ssl::CertValidationResponse const &); 
@@ -171,6 +175,8 @@ time_t negotiationTimeout; ///< the ssl connection timeout to use time_t startTime; ///< when the peer connector negotiation started bool splice; ///< Whether we are going to splice or not + bool resumingSession; ///< whether it is an SSL resuming session connection + bool serverCertificateHandled; ///< whether handleServerCertificate() succeeded CBDATA_CLASS2(PeerConnector); }; diff -u -r -N squid-3.5.3/src/ssl/support.cc squid-3.5.4/src/ssl/support.cc --- squid-3.5.3/src/ssl/support.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/ssl/support.cc 2015-05-01 04:27:20.000000000 -0700 @@ -200,7 +200,13 @@ if (cn_data->length > (int)sizeof(cn) - 1) { return 1; //if does not fit our buffer just ignore } - memcpy(cn, cn_data->data, cn_data->length); + char *s = reinterpret_cast(cn_data->data); + char *d = cn; + for (int i = 0; i < cn_data->length; ++i, ++d, ++s) { + if (*s == '\0') + return 1; // always a domain mismatch. contains 0x00 + *d = *s; + } cn[cn_data->length] = '\0'; debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn); return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn); @@ -221,7 +227,7 @@ char buffer[256] = ""; SSL *ssl = (SSL *)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); SSL_CTX *sslctx = SSL_get_SSL_CTX(ssl); - const char *server = (const char *)SSL_get_ex_data(ssl, ssl_ex_index_server); + SBuf *server = (SBuf *)SSL_get_ex_data(ssl, ssl_ex_index_server); void *dont_verify_domain = SSL_CTX_get_ex_data(sslctx, ssl_ctx_ex_index_dont_verify_domain); ACLChecklist *check = (ACLChecklist*)SSL_get_ex_data(ssl, ssl_ex_index_cert_error_check); X509 *peeked_cert = (X509 *)SSL_get_ex_data(ssl, ssl_ex_index_ssl_peeked_cert); 
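Review bot: The new byte-copy loop exists only to reject a CN with an embedded NUL, which `memchr` states directly: `if (memchr(cn_data->data, '\0', cn_data->length)) return 1; // embedded NUL: never a match` followed by the original `memcpy`. Returning 1 is consistent with the "does not fit" case above it, but the comment `always a domain mismatch. contains 0x00` could say why this matters: a NUL would make the name compare as a shorter string than the one the CA certified. The enclosing function begins outside the hunk.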
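Review bot: `SBuf *server = (SBuf *)SSL_get_ex_data(ssl, ssl_ex_index_server);` changes the type stored under this index from `const char *` to `SBuf *`, so every `SSL_set_ex_data(…, ssl_ex_index_server, …)` caller in the tree must now pass an SBuf*; any site not converted in this diff would be read through the wrong type here and handed to `delete` by `ssl_free_SBuf`. The PeerConnector.cc sites are converted; grepping for the index name to confirm there are no others is the review step. `static_cast<SBuf *>` would also be the idiomatic spelling of the cast.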
@@ -252,7 +258,7 @@ // Check for domain mismatch only if the current certificate is the peer certificate. if (!dont_verify_domain && server && peer_cert == X509_STORE_CTX_get_current_cert(ctx)) { - if (!Ssl::checkX509ServerValidity(peer_cert, server)) { + if (!Ssl::checkX509ServerValidity(peer_cert, server->c_str())) { debugs(83, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH: Certificate " << buffer << " does not match domainname " << server); ok = 0; error_no = SQUID_X509_V_ERR_DOMAIN_MISMATCH; @@ -698,6 +704,15 @@ X509_free(cert); } +// "free" function for SBuf +static void +ssl_free_SBuf(void *, void *ptr, CRYPTO_EX_DATA *, + int, long, void *) +{ + SBuf *buf = static_cast (ptr); + delete buf; +} + /// \ingroup ServerProtocolSSLInternal static void ssl_initialize(void) @@ -731,7 +746,7 @@ if (!Ssl::DefaultSignHash) fatalf("Sign hash '%s' is not supported\n", defName); - ssl_ex_index_server = SSL_get_ex_new_index(0, (void *) "server", NULL, NULL, NULL); + ssl_ex_index_server = SSL_get_ex_new_index(0, (void *) "server", NULL, NULL, ssl_free_SBuf); ssl_ctx_ex_index_dont_verify_domain = SSL_CTX_get_ex_new_index(0, (void *) "dont_verify_domain", NULL, NULL, NULL); ssl_ex_index_cert_error_check = SSL_get_ex_new_index(0, (void *) "cert_error_check", NULL, &ssl_dupAclChecklist, &ssl_freeAclChecklist); ssl_ex_index_ssl_error_detail = SSL_get_ex_new_index(0, (void *) "ssl_error_detail", NULL, NULL, &ssl_free_ErrorDetail); 
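Review bot: The `ssl_ex_index_server` slot now owns a heap SBuf released by `ssl_free_SBuf`, but it is registered with a NULL dup callback, unlike `ssl_ex_index_cert_error_check` two lines below which supplies `&ssl_dupAclChecklist`; if an SSL object carrying this slot is ever duplicated, both copies hold the same pointer and the SBuf is deleted twice. Either supply a dup function that copies the SBuf, or record at the registration that these SSL objects are never duplicated, e.g. `// no dup callback: SSL objects with this slot are never SSL_dup()ed`.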
@@ -1131,6 +1146,17 @@ return NULL; } +#if defined(TLSEXT_TYPE_next_proto_neg) +//Dummy next_proto_neg callback +static int +ssl_next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) +{ + static const unsigned char supported_protos[] = {8, 'h','t','t', 'p', '/', '1', '.', '1'}; + (void)SSL_select_next_proto(out, outlen, in, inlen, supported_protos, sizeof(supported_protos)); + return SSL_TLSEXT_ERR_OK; +} +#endif + SSL_CTX * sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile) { @@ -1234,6 +1260,9 @@ debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting default CA certificate location: " << ERR_error_string(ssl_error, NULL)); } +#if defined(TLSEXT_TYPE_next_proto_neg) + SSL_CTX_set_next_proto_select_cb(sslContext, &ssl_next_proto_cb, NULL); +#endif return sslContext; } diff -u -r -N squid-3.5.3/src/String.cci squid-3.5.4/src/String.cci --- squid-3.5.3/src/String.cci 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/String.cci 2015-05-01 04:27:20.000000000 -0700 @@ -10,14 +10,6 @@ #include -#if HAVE_STDINT_H -#include -#else /* HAVE_STDINT_H */ -#ifndef INT_MAX -#define INT_MAX 1<<31 //hack but a safe bet -#endif /* INT_MAX */ -#endif /* HAVE_STDINT_H */ - String::String() : size_(0), len_(0), buf_(NULL) { #if DEBUGSTRINGS diff -u -r -N squid-3.5.3/src/url.cc squid-3.5.4/src/url.cc --- squid-3.5.3/src/url.cc 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/url.cc 2015-05-01 04:27:20.000000000 -0700 
@@ -687,30 +687,8 @@ return (urlbuf); } -/* - * matchDomainName() compares a hostname with a domainname according - * to the following rules: - * - * HOST DOMAIN MATCH? - * ------------- ------------- ------ - * foo.com foo.com YES - * .foo.com foo.com YES - * x.foo.com foo.com NO - * foo.com .foo.com YES - * .foo.com .foo.com YES - * x.foo.com .foo.com YES - * - * We strip leading dots on hosts (but not domains!) so that - * ".foo.com" is is always the same as "foo.com". - * - * Return values: - * 0 means the host matches the domain - * 1 means the host is greater than the domain - * -1 means the host is less than the domain - */ - int -matchDomainName(const char *h, const char *d) +matchDomainName(const char *h, const char *d, bool honorWildcards) { int dl; int hl; @@ -767,6 +745,13 @@ /* * We found different characters in the same position (from the end). */ + + // If the h has a form of "*.foo.com" and d has a form of "x.foo.com" + // then the h[hl] points to '*', h[hl+1] to '.' and d[dl] to 'x' + // The following checks are safe, the "h[hl + 1]" in the worst case is '\0'. + if (honorWildcards && h[hl] == '*' && h[hl + 1] == '.') + return 0; + /* * If one of those character is '.' then its special. In order * for splay tree sorting to work properly, "x-foo.com" must diff -u -r -N squid-3.5.3/src/URL.h squid-3.5.4/src/URL.h --- squid-3.5.3/src/URL.h 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/src/URL.h 2015-05-01 04:27:20.000000000 -0700 
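Review bot: The new `honorWildcards` check returns a match at the first differing position whenever `h[hl]` is '*' followed by '.', so `*.foo.com` matches `a.b.foo.com` as well as `x.foo.com`; that agrees with the `*.foo.com | .x.foo.com | YES` row of the URL.h table but differs from the single-label wildcard rule of RFC 6125 §6.4.3 that TLS clients apply, so a caller using it for certificate-name comparison accepts more than a browser would. Whether callers do that cannot be seen from this hunk, so a comment at the check stating the behaviour explicitly, e.g. `// a leading "*." matches any number of labels (broader than RFC 6125 single-label wildcards)`, keeps callers from assuming RFC semantics. The rest of matchDomainName is outside the hunk.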
@@ -72,7 +72,38 @@ char *urlMakeAbsolute(const HttpRequest *, const char *); char *urlRInternal(const char *host, unsigned short port, const char *dir, const char *name); char *urlInternal(const char *dir, const char *name); -int matchDomainName(const char *host, const char *domain); + +/** + * matchDomainName() compares a hostname (usually extracted from traffic) + * with a domainname (usually from an ACL) according to the following rules: + * + * HOST | DOMAIN | MATCH? + * -------------|-------------|------ + * foo.com | foo.com | YES + * .foo.com | foo.com | YES + * x.foo.com | foo.com | NO + * foo.com | .foo.com | YES + * .foo.com | .foo.com | YES + * x.foo.com | .foo.com | YES + * + * We strip leading dots on hosts (but not domains!) so that + * ".foo.com" is always the same as "foo.com". + * + * if honorWildcards is true then the matchDomainName() also accepts + * optional wildcards on hostname: + * + * HOST | DOMAIN | MATCH? + * -------------|--------------|------- + * *.foo.com | x.foo.com | YES + * *.foo.com | .x.foo.com | YES + * *.foo.com | .foo.com | YES + * *.foo.com | foo.com | NO + * + * \retval 0 means the host matches the domain + * \retval 1 means the host is greater than the domain + * \retval -1 means the host is less than the domain + */ +int matchDomainName(const char *host, const char *domain, bool honorWildcards = false); int urlCheckRequest(const HttpRequest *); int urlDefaultPort(AnyP::ProtocolType p); char *urlHostname(const char *url); diff -u -r -N squid-3.5.3/tools/squidclient/gssapi_support.h squid-3.5.4/tools/squidclient/gssapi_support.h --- squid-3.5.3/tools/squidclient/gssapi_support.h 2015-03-28 03:58:05.000000000 -0700 +++ squid-3.5.4/tools/squidclient/gssapi_support.h 2015-05-01 04:27:20.000000000 -0700 @@ -10,6 +10,9 @@ #define _SQUID_TOOLS_SQUIDCLIENT_GSSAPI_H #if HAVE_GSSAPI +#if USE_APPLE_KRB5 +#define GSSKRB_APPLE_DEPRECATED(x) +#endif #if USE_HEIMDAL_KRB5 #if HAVE_GSSAPI_GSSAPI_H .