diff -u -r -N squid-5.6/ChangeLog squid-5.7/ChangeLog
--- squid-5.6/ChangeLog 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/ChangeLog 2022-09-05 16:06:48.000000000 +1200
@@ -1,3 +1,14 @@
+Changes in squid-5.7 (05 Sep 2022):
+
+ - Regression Fix: Typo in manager ACL
+ - Bug 5186: noteDestinationsEnd check failed: transportWait
+ - Bug 5160: Test suite fails with -flto=auto
+ - Bug 3193 pt2: NTLM decoder truncating strings
+ - Bug 5133: OpenSSL 3.0 support
+ - ext_session_acl: fix TDB key lookup
+ - forward_max_tries: Do not count discarded connections
+ - ... and many compile and debugging fixes
+
Changes in squid-5.6 (06 Jun 2022):
- Bug 5208: Part 1: Restart kids killed by SIGKILL
diff -u -r -N squid-5.6/compat/GnuRegex.c squid-5.7/compat/GnuRegex.c
--- squid-5.6/compat/GnuRegex.c 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/compat/GnuRegex.c 2022-09-05 16:06:48.000000000 +1200
@@ -40,6 +40,13 @@
#if USE_GNUREGEX /* only if squid needs it. Usually not */
+/* Starting with v12.1, GCC warns of various problems with this ancient code. */
+/* GCC versions prior to v12.1 do not support these pragmas. */
+#if (__GNUC__ == 12 && __GNUC_MINOR__ >= 1) || (__GNUC__ > 12)
+#pragma GCC diagnostic ignored "-Warray-bounds"
+#pragma GCC diagnostic ignored "-Wuse-after-free"
+#endif
+
#if !HAVE_ALLOCA
#define REGEX_MALLOC 1
#endif
diff -u -r -N squid-5.6/compat/os/mswindows.h squid-5.7/compat/os/mswindows.h
--- squid-5.6/compat/os/mswindows.h 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/compat/os/mswindows.h 2022-09-05 16:06:48.000000000 +1200
@@ -618,27 +618,31 @@
}
#define getsockopt(s,l,o,v,n) Squid::getsockopt(s,l,o,v,n)
+#if HAVE_DECL_INETNTOPA || HAVE_DECL_INET_NTOP
inline char *
inet_ntop(int af, const void *src, char *dst, size_t size)
{
#if HAVE_DECL_INETNTOPA
return (char*)InetNtopA(af, const_cast(src), dst, size);
-#else
+#else // HAVE_DECL_INET_NTOP
return ::inet_ntop(af, src, dst, size);
#endif
}
#define inet_ntop(a,s,d,l) Squid::inet_ntop(a,s,d,l)
+#endif // let compat/inet_ntop.h deal with it
+#if HAVE_DECL_INETPTONA || HAVE_DECL_INET_PTON
inline char *
inet_pton(int af, const void *src, char *dst)
{
#if HAVE_DECL_INETPTONA
return (char*)InetPtonA(af, const_cast(src), dst);
-#else
+#else // HAVE_DECL_INET_PTON
return ::inet_pton(af, src, dst);
#endif
}
#define inet_pton(a,s,d) Squid::inet_pton(a,s,d)
+#endif // let compat/inet_pton.h deal with it
/* Simple ioctl() emulation */
inline int
diff -u -r -N squid-5.6/configure squid-5.7/configure
--- squid-5.6/configure 2022-06-06 10:42:04.000000000 +1200
+++ squid-5.7/configure 2022-09-06 03:35:26.000000000 +1200
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac Revision.
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for Squid Web Proxy 5.6.
+# Generated by GNU Autoconf 2.71 for Squid Web Proxy 5.7.
#
# Report bugs to .
#
@@ -626,8 +626,8 @@
# Identity of this package.
PACKAGE_NAME='Squid Web Proxy'
PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='5.6'
-PACKAGE_STRING='Squid Web Proxy 5.6'
+PACKAGE_VERSION='5.7'
+PACKAGE_STRING='Squid Web Proxy 5.7'
PACKAGE_BUGREPORT='http://bugs.squid-cache.org/'
PACKAGE_URL=''
@@ -1691,7 +1691,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures Squid Web Proxy 5.6 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 5.7 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1762,7 +1762,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of Squid Web Proxy 5.6:";;
+ short | recursive ) echo "Configuration of Squid Web Proxy 5.7:";;
esac
cat <<\_ACEOF
@@ -2196,7 +2196,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-Squid Web Proxy configure 5.6
+Squid Web Proxy configure 5.7
generated by GNU Autoconf 2.71
Copyright (C) 2021 Free Software Foundation, Inc.
@@ -3209,7 +3209,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by Squid Web Proxy $as_me 5.6, which was
+It was created by Squid Web Proxy $as_me 5.7, which was
generated by GNU Autoconf 2.71. Invocation command line was
$ $0$ac_configure_args_raw
@@ -4701,7 +4701,7 @@
# Define the identity of the package.
PACKAGE='squid'
- VERSION='5.6'
+ VERSION='5.7'
printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -25257,6 +25257,12 @@
printf "%s\n" "#define HAVE_OPENSSL_CRYPTO_H 1" >>confdefs.h
fi
+ac_fn_cxx_check_header_compile "$LINENO" "openssl/decoder.h" "ac_cv_header_openssl_decoder_h" "$ac_includes_default"
+if test "x$ac_cv_header_openssl_decoder_h" = xyes
+then :
+ printf "%s\n" "#define HAVE_OPENSSL_DECODER_H 1" >>confdefs.h
+
+fi
ac_fn_cxx_check_header_compile "$LINENO" "openssl/dh.h" "ac_cv_header_openssl_dh_h" "$ac_includes_default"
if test "x$ac_cv_header_openssl_dh_h" = xyes
then :
@@ -48442,7 +48448,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by Squid Web Proxy $as_me 5.6, which was
+This file was extended by Squid Web Proxy $as_me 5.7, which was
generated by GNU Autoconf 2.71. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -48510,7 +48516,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config='$ac_cs_config_escaped'
ac_cs_version="\\
-Squid Web Proxy config.status 5.6
+Squid Web Proxy config.status 5.7
configured by $0, generated by GNU Autoconf 2.71,
with options \\"\$ac_cs_config\\"
diff -u -r -N squid-5.6/configure.ac squid-5.7/configure.ac
--- squid-5.6/configure.ac 2022-06-06 10:42:04.000000000 +1200
+++ squid-5.7/configure.ac 2022-09-06 03:35:26.000000000 +1200
@@ -5,7 +5,7 @@
## Please see the COPYING and CONTRIBUTORS files for details.
##
-AC_INIT([Squid Web Proxy],[5.6],[http://bugs.squid-cache.org/],[squid])
+AC_INIT([Squid Web Proxy],[5.7],[http://bugs.squid-cache.org/],[squid])
AC_PREREQ(2.61)
AC_CONFIG_HEADERS([include/autoconf.h])
AC_CONFIG_AUX_DIR(cfgaux)
@@ -1333,6 +1333,7 @@
openssl/bio.h \
openssl/bn.h \
openssl/crypto.h \
+ openssl/decoder.h \
openssl/dh.h \
openssl/err.h \
openssl/evp.h \
diff -u -r -N squid-5.6/doc/release-notes/release-5.html squid-5.7/doc/release-notes/release-5.html
--- squid-5.6/doc/release-notes/release-5.html 2022-06-06 10:47:28.000000000 +1200
+++ squid-5.7/doc/release-notes/release-5.html 2022-09-06 03:40:52.000000000 +1200
@@ -3,10 +3,10 @@
- Squid 5.6 release notes
+ Squid 5.7 release notes
-Squid 5.6 release notes
+Squid 5.7 release notes
Squid Developers
@@ -31,6 +31,7 @@
2.4 TrivialDB Support
2.5 Loop Detection in Content Delivery Networks
2.6 Peering support for SSL-Bump
+2.7 OpenSSL 3.0 Support
@@ -61,7 +62,7 @@
-The Squid Team are pleased to announce the release of Squid-5.6.
+The Squid Team are pleased to announce the release of Squid-5.7.
This new release is available for download from
http://www.squid-cache.org/Versions/v5/ or the
mirrors.
@@ -95,6 +96,7 @@
TrivialDB Support
RFC 8586: Loop Detection in Content Delivery Networks
Peering support for SSL-Bump
+OpenSSL 3.0 Support
Most user-facing changes are reflected in squid.conf (see below).
@@ -220,6 +222,21 @@
yet do TLS-in-TLS.
+
+
+Squid-5.7 adds OpenSSL 3.0 support.
+
+This version of Squid does not add any of the new features provided by
+OpenSSL 3.0. It only contains support for features already supported by prior
+versions of Squid using new APIs provided by OpenSSL 3.0.
+
+Notably the libssl custom Engine feature has been deprecated by OpenSSL 3.0
+and new Providers replacement is not supported by this Squid.
+
+OpenSSL 3.0 uses new licensing terms.
+
+
There have been changes to Squid's configuration file since Squid-4.
@@ -364,6 +381,10 @@
Codes rm, <rm and >rm display "-"
instead of the made-up method NONE.
+ssl_engine
+OpenSSL 3.0 deprecates the Engine feature. This directive is
+only supported when Squid is built for older OpenSSL versions.
+
diff -u -r -N squid-5.6/include/autoconf.h.in squid-5.7/include/autoconf.h.in
--- squid-5.6/include/autoconf.h.in 2022-06-06 10:41:58.000000000 +1200
+++ squid-5.7/include/autoconf.h.in 2022-09-06 03:35:18.000000000 +1200
@@ -772,6 +772,9 @@
/* Define to 1 if you have the header file. */
#undef HAVE_OPENSSL_CRYPTO_H
+/* Define to 1 if you have the header file. */
+#undef HAVE_OPENSSL_DECODER_H
+
/* Define to 1 if you have the header file. */
#undef HAVE_OPENSSL_DH_H
diff -u -r -N squid-5.6/include/version.h squid-5.7/include/version.h
--- squid-5.6/include/version.h 2022-06-06 10:42:04.000000000 +1200
+++ squid-5.7/include/version.h 2022-09-06 03:35:26.000000000 +1200
@@ -7,7 +7,7 @@
*/
#ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1654468914
+#define SQUID_RELEASE_TIME 1662392113
#endif
/*
diff -u -r -N squid-5.6/lib/ntlmauth/ntlmauth.cc squid-5.7/lib/ntlmauth/ntlmauth.cc
--- squid-5.6/lib/ntlmauth/ntlmauth.cc 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/lib/ntlmauth/ntlmauth.cc 2022-09-05 16:06:48.000000000 +1200
@@ -12,6 +12,7 @@
#include "squid.h"
#include
+#include
#include
#if HAVE_STRINGS_H
#include
@@ -107,10 +108,19 @@
int32_t o = le32toh(str->offset);
// debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
- if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
- debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
+ debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
return rv;
}
+ else if (o <= 0 || o > packet_size) {
+ debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ return rv;
+ }
+ else if (l > packet_size - o) {
+ debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
+ return rv;
+ }
+
rv.str = (char *)packet + o;
rv.l = 0;
if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {
diff -u -r -N squid-5.6/RELEASENOTES.html squid-5.7/RELEASENOTES.html
--- squid-5.6/RELEASENOTES.html 2022-06-06 10:47:28.000000000 +1200
+++ squid-5.7/RELEASENOTES.html 2022-09-06 03:40:52.000000000 +1200
@@ -3,10 +3,10 @@
- Squid 5.6 release notes
+ Squid 5.7 release notes
-Squid 5.6 release notes
+Squid 5.7 release notes
Squid Developers
@@ -31,6 +31,7 @@
2.4 TrivialDB Support
2.5 Loop Detection in Content Delivery Networks
2.6 Peering support for SSL-Bump
+2.7 OpenSSL 3.0 Support
@@ -61,7 +62,7 @@
-The Squid Team are pleased to announce the release of Squid-5.6.
+The Squid Team are pleased to announce the release of Squid-5.7.
This new release is available for download from
http://www.squid-cache.org/Versions/v5/ or the
mirrors.
@@ -95,6 +96,7 @@
TrivialDB Support
RFC 8586: Loop Detection in Content Delivery Networks
Peering support for SSL-Bump
+OpenSSL 3.0 Support
Most user-facing changes are reflected in squid.conf (see below).
@@ -220,6 +222,21 @@
yet do TLS-in-TLS.
+
+
+Squid-5.7 adds OpenSSL 3.0 support.
+
+This version of Squid does not add any of the new features provided by
+OpenSSL 3.0. It only contains support for features already supported by prior
+versions of Squid using new APIs provided by OpenSSL 3.0.
+
+Notably the libssl custom Engine feature has been deprecated by OpenSSL 3.0
+and new Providers replacement is not supported by this Squid.
+
+OpenSSL 3.0 uses new licensing terms.
+
+
There have been changes to Squid's configuration file since Squid-4.
@@ -364,6 +381,10 @@
Codes rm, <rm and >rm display "-"
instead of the made-up method NONE.
+ssl_engine
+OpenSSL 3.0 deprecates the Engine feature. This directive is
+only supported when Squid is built for older OpenSSL versions.
+
diff -u -r -N squid-5.6/src/acl/external/delayer/ext_delayer_acl.8 squid-5.7/src/acl/external/delayer/ext_delayer_acl.8
--- squid-5.6/src/acl/external/delayer/ext_delayer_acl.8 2022-06-06 10:47:31.000000000 +1200
+++ squid-5.7/src/acl/external/delayer/ext_delayer_acl.8 2022-09-06 03:40:57.000000000 +1200
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "EXT_DELAYER_ACL 8"
-.TH EXT_DELAYER_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"
+.TH EXT_DELAYER_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-5.6/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 squid-5.7/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8
--- squid-5.6/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 2022-06-06 10:47:31.000000000 +1200
+++ squid-5.7/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.8 2022-09-06 03:40:58.000000000 +1200
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "EXT_KERBEROS_SID_GROUP_ACL 8"
-.TH EXT_KERBEROS_SID_GROUP_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"
+.TH EXT_KERBEROS_SID_GROUP_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-5.6/src/acl/external/session/ext_session_acl.cc squid-5.7/src/acl/external/session/ext_session_acl.cc
--- squid-5.6/src/acl/external/session/ext_session_acl.cc 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/acl/external/session/ext_session_acl.cc 2022-09-05 16:06:48.000000000 +1200
@@ -197,13 +197,19 @@
static int session_active(const char *details, size_t len)
{
#if USE_BERKLEYDB
- DBT key = {0};
- DBT data = {0};
- key.data = (void *)details;
+ DBT key = {};
+ key.data = const_cast(details);
key.size = len;
+
+ DBT data = {};
#elif USE_TRIVIALDB
- TDB_DATA key;
- TDB_DATA data;
+ TDB_DATA key = {};
+ key.dptr = reinterpret_cast(const_cast(details));
+ key.dsize = len;
+
+ TDB_DATA data = {};
+#else
+ (void)len;
#endif
if (fetchKey(key, &data)) {
time_t timestamp;
diff -u -r -N squid-5.6/src/acl/external/SQL_session/ext_sql_session_acl.8 squid-5.7/src/acl/external/SQL_session/ext_sql_session_acl.8
--- squid-5.6/src/acl/external/SQL_session/ext_sql_session_acl.8 2022-06-06 10:47:31.000000000 +1200
+++ squid-5.7/src/acl/external/SQL_session/ext_sql_session_acl.8 2022-09-06 03:40:58.000000000 +1200
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "EXT_SQL_SESSION_ACL 8"
-.TH EXT_SQL_SESSION_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"
+.TH EXT_SQL_SESSION_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-5.6/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 squid-5.7/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-5.6/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2022-06-06 10:47:31.000000000 +1200
+++ squid-5.7/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2022-09-06 03:40:58.000000000 +1200
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "EXT_WBINFO_GROUP_ACL 8"
-.TH EXT_WBINFO_GROUP_ACL 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-5.6/src/acl/RegexData.cc squid-5.7/src/acl/RegexData.cc
--- squid-5.6/src/acl/RegexData.cc 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/acl/RegexData.cc 2022-09-05 16:06:48.000000000 +1200
@@ -83,6 +83,9 @@
static const char *
removeUnnecessaryWildcards(char * t)
{
+ if (strcmp(t, ".*") == 0) // we cannot simplify that further
+ return t; // avoid "WARNING: ... Using '.*' instead" below
+
char * orig = t;
if (strncmp(t, "^.*", 3) == 0)
diff -u -r -N squid-5.6/src/auth/basic/DB/basic_db_auth.8 squid-5.7/src/auth/basic/DB/basic_db_auth.8
--- squid-5.6/src/auth/basic/DB/basic_db_auth.8 2022-06-06 10:47:32.000000000 +1200
+++ squid-5.7/src/auth/basic/DB/basic_db_auth.8 2022-09-06 03:40:59.000000000 +1200
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "BASIC_DB_AUTH 8"
-.TH BASIC_DB_AUTH 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-5.6/src/auth/basic/POP3/basic_pop3_auth.8 squid-5.7/src/auth/basic/POP3/basic_pop3_auth.8
--- squid-5.6/src/auth/basic/POP3/basic_pop3_auth.8 2022-06-06 10:47:32.000000000 +1200
+++ squid-5.7/src/auth/basic/POP3/basic_pop3_auth.8 2022-09-06 03:40:59.000000000 +1200
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "BASIC_POP3_AUTH 8"
-.TH BASIC_POP3_AUTH 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"
+.TH BASIC_POP3_AUTH 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-5.6/src/base/EnumIterator.h squid-5.7/src/base/EnumIterator.h
--- squid-5.6/src/base/EnumIterator.h 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/base/EnumIterator.h 2022-09-05 16:06:48.000000000 +1200
@@ -20,7 +20,7 @@
* \see EnumIterator, ReverseEnumIterator
*/
template
-class EnumIteratorBase : public std::iterator
+class EnumIteratorBase
{
protected:
#if HAVE_STD_UNDERLYING_TYPE
@@ -30,6 +30,12 @@
#endif
public:
+ using iterator_category = std::bidirectional_iterator_tag;
+ using value_type = EnumType;
+ using difference_type = std::ptrdiff_t;
+ using pointer = EnumType *;
+ using reference = EnumType &;
+
explicit EnumIteratorBase(EnumType e) : current(static_cast(e)) {}
bool operator==(const EnumIteratorBase &i) const {
diff -u -r -N squid-5.6/src/cache_cf.cc squid-5.7/src/cache_cf.cc
--- squid-5.6/src/cache_cf.cc 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/cache_cf.cc 2022-09-05 16:06:48.000000000 +1200
@@ -720,7 +720,7 @@
* the extra space is for loop detection in client_side.c -- we search
* for substrings in the Via header.
*/
- snprintf(ThisCache2, sizeof(ThisCache), " %s (%s)",
+ snprintf(ThisCache2, sizeof(ThisCache2), " %s (%s)",
uniqueHostname(),
visible_appname_string);
diff -u -r -N squid-5.6/src/cf.data.pre squid-5.7/src/cf.data.pre
--- squid-5.6/src/cf.data.pre 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/cf.data.pre 2022-09-05 16:06:48.000000000 +1200
@@ -1036,7 +1036,7 @@
DEFAULT: ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
ENDIF
DEFAULT: all src all
-DEFAULT: manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
+DEFAULT: manager url_regex -i ^cache_object:// +i ^[^:]+://[^/]+/squid-internal-mgr/
DEFAULT: localhost src 127.0.0.1/32 ::1
DEFAULT: to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1/128 ::/128
DEFAULT: CONNECT method CONNECT
@@ -3049,6 +3049,8 @@
DOC_START
The OpenSSL engine to use. You will need to set this if you
would like to use hardware SSL acceleration for example.
+
+ Not supported in builds with OpenSSL 3.0 or newer.
DOC_END
NAME: sslproxy_session_ttl
@@ -4004,8 +4006,10 @@
For the purpose of this limit, Squid counts all high-level request
forwarding attempts, including any same-destination retries after
certain persistent connection failures and any attempts to use a
- different peer. However, low-level connection reopening attempts
- (enabled using connect_retries) are not counted.
+ different peer. However, these low-level attempts are not counted:
+ * connection reopening attempts (enabled using connect_retries)
+ * unfinished Happy Eyeballs connection attempts (prevented by setting
+ happy_eyeballs_connect_limit to 0)
See also: forward_timeout and connect_retries.
DOC_END
diff -u -r -N squid-5.6/src/cf_gen.cc squid-5.7/src/cf_gen.cc
--- squid-5.6/src/cf_gen.cc 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/cf_gen.cc 2022-09-05 16:06:48.000000000 +1200
@@ -378,7 +378,6 @@
} else if (!strcmp(buff, "NOCOMMENT_START")) {
state = sNOCOMMENT;
} else { // if (buff != NULL) {
- assert(buff != NULL);
entries.back().doc.push_back(buff);
}
break;
@@ -387,7 +386,6 @@
if (!strcmp(buff, "NOCOMMENT_END")) {
state = sDOC;
} else { // if (buff != NULL) {
- assert(buff != NULL);
entries.back().nocomment.push_back(buff);
}
break;
diff -u -r -N squid-5.6/src/fs/ufs/RebuildState.cc squid-5.7/src/fs/ufs/RebuildState.cc
--- squid-5.6/src/fs/ufs/RebuildState.cc 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/fs/ufs/RebuildState.cc 2022-09-05 16:06:48.000000000 +1200
@@ -44,8 +44,6 @@
_done(false),
cbdata(NULL)
{
- *fullpath = 0;
- *fullfilename = 0;
/*
* If the swap.state file exists in the cache_dir, then
@@ -379,14 +377,14 @@
}
if (0 == in_dir) { /* we need to read in a new directory */
- snprintf(fullpath, sizeof(fullpath), "%s/%02X/%02X",
- sd->path,
- curlvl1, curlvl2);
+ fullpath.Printf("%s/%02X/%02X",
+ sd->path,
+ curlvl1, curlvl2);
if (dirs_opened)
return -1;
- td = opendir(fullpath);
+ td = opendir(fullpath.c_str());
++dirs_opened;
@@ -425,10 +423,10 @@
continue;
}
- snprintf(fullfilename, sizeof(fullfilename), "%s/%s",
- fullpath, entry->d_name);
- debugs(47, 3, HERE << "Opening " << fullfilename);
- fd = file_open(fullfilename, O_RDONLY | O_BINARY);
+ fullfilename.Printf(SQUIDSBUFPH "/%s",
+ SQUIDSBUFPRINT(fullpath), entry->d_name);
+ debugs(47, 3, "Opening " << fullfilename);
+ fd = file_open(fullfilename.c_str(), O_RDONLY | O_BINARY);
if (fd < 0) {
int xerrno = errno;
diff -u -r -N squid-5.6/src/fs/ufs/RebuildState.h squid-5.7/src/fs/ufs/RebuildState.h
--- squid-5.6/src/fs/ufs/RebuildState.h 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/fs/ufs/RebuildState.h 2022-09-05 16:06:48.000000000 +1200
@@ -53,8 +53,8 @@
dirent_t *entry;
DIR *td;
- char fullpath[MAXPATHLEN];
- char fullfilename[MAXPATHLEN*2];
+ SBuf fullpath;
+ SBuf fullfilename;
StoreRebuildData counts;
diff -u -r -N squid-5.6/src/FwdState.cc squid-5.7/src/FwdState.cc
--- squid-5.6/src/FwdState.cc 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/FwdState.cc 2022-09-05 16:06:48.000000000 +1200
@@ -641,7 +641,6 @@
if (transporting())
return; // and continue to receive destinations for backup
- // This is the first path candidate we have seen. Use it.
useDestinations();
}
@@ -657,12 +656,8 @@
Must(!err); // if we tried to connect, then path selection succeeded
fail(selectionError);
}
- else if (err)
- debugs(17, 3, "Will abort forwarding because all found paths have failed.");
- else
- debugs(17, 3, "Will abort forwarding because path selection found no paths.");
- useDestinations(); // will detect and handle the lack of paths
+ stopAndDestroy("path selection found no paths");
return;
}
// else continue to use one of the previously noted destinations;
@@ -675,7 +670,16 @@
return; // and continue to wait for FwdState::noteConnection() callback
}
- Must(transporting()); // or we would be stuck with nothing to do or wait for
+ if (transporting()) {
+ // We are already using a previously opened connection (but were also
+ // receiving more destinations in case we need to re-forward).
+ debugs(17, 7, "keep transporting");
+ return;
+ }
+
+ // destinationsFound, but none of them worked, and we were waiting for more
+ assert(err);
+ stopAndDestroy("all found paths have failed");
}
/// makes sure connection opener knows that the destinations have changed
diff -u -r -N squid-5.6/src/HappyConnOpener.cc squid-5.7/src/HappyConnOpener.cc
--- squid-5.6/src/HappyConnOpener.cc 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/HappyConnOpener.cc 2022-09-05 16:06:48.000000000 +1200
@@ -568,8 +568,6 @@
const auto conn = dest->cloneProfile();
GetMarkingsToServer(cause.getRaw(), *conn);
- ++n_tries;
-
typedef CommCbMemFunT Dialer;
AsyncCall::Pointer callConnect = asyncCall(48, 5, attempt.callbackMethodName,
Dialer(this, attempt.callbackMethod));
@@ -611,6 +609,8 @@
handledPath.finalize(params.conn); // closed on errors
attempt.finish();
+ ++n_tries;
+
if (params.flag == Comm::OK) {
sendSuccess(handledPath, false, what);
return;
diff -u -r -N squid-5.6/src/HappyConnOpener.h squid-5.7/src/HappyConnOpener.h
--- squid-5.6/src/HappyConnOpener.h 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/HappyConnOpener.h 2022-09-05 16:06:48.000000000 +1200
@@ -258,7 +258,8 @@
/// the request that needs a to-server connection
HttpRequestPointer cause;
- /// number of connection opening attempts, including those in the requestor
+ /// number of our finished connection opening attempts (including pconn
+ /// reuses) plus previously finished attempts supplied by the requestor
int n_tries;
/// Reason to ran out of time or attempts
diff -u -r -N squid-5.6/src/http/url_rewriters/LFS/url_lfs_rewrite.8 squid-5.7/src/http/url_rewriters/LFS/url_lfs_rewrite.8
--- squid-5.6/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2022-06-06 10:47:32.000000000 +1200
+++ squid-5.7/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2022-09-06 03:41:00.000000000 +1200
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "URL_LFS_REWRITE 8"
-.TH URL_LFS_REWRITE 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"
+.TH URL_LFS_REWRITE 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-5.6/src/HttpHeaderTools.h squid-5.7/src/HttpHeaderTools.h
--- squid-5.6/src/HttpHeaderTools.h 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/HttpHeaderTools.h 2022-09-05 16:06:48.000000000 +1200
@@ -67,7 +67,7 @@
private:
/// Case-insensitive std::string "less than" comparison functor.
/// Fast version recommended by Meyers' "Effective STL" for ASCII c-strings.
- class NoCaseLessThan: public std::binary_function
+ class NoCaseLessThan
{
public:
bool operator()(const std::string &lhs, const std::string &rhs) const {
diff -u -r -N squid-5.6/src/log/DB/log_db_daemon.8 squid-5.7/src/log/DB/log_db_daemon.8
--- squid-5.6/src/log/DB/log_db_daemon.8 2022-06-06 10:47:33.000000000 +1200
+++ squid-5.7/src/log/DB/log_db_daemon.8 2022-09-06 03:41:00.000000000 +1200
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "LOG_DB_DAEMON 8"
-.TH LOG_DB_DAEMON 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"
+.TH LOG_DB_DAEMON 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-5.6/src/main.cc squid-5.7/src/main.cc
--- squid-5.6/src/main.cc 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/main.cc 2022-09-05 16:06:48.000000000 +1200
@@ -679,8 +679,10 @@
printf("%s\n",SQUID_BUILD_INFO);
#if USE_OPENSSL
printf("\nThis binary uses %s. ", OpenSSL_version(OPENSSL_VERSION));
+#if OPENSSL_VERSION_MAJOR < 3
printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n");
#endif
+#endif
printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS);
#if USE_WIN32_SERVICE
diff -u -r -N squid-5.6/src/sbuf/SBuf.h squid-5.7/src/sbuf/SBuf.h
--- squid-5.6/src/sbuf/SBuf.h 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/sbuf/SBuf.h 2022-09-05 16:06:48.000000000 +1200
@@ -45,9 +45,16 @@
* Please note that any operation on the underlying SBuf may invalidate
* all iterators over it, resulting in undefined behavior by them.
*/
-class SBufIterator : public std::iterator
+class SBufIterator
{
public:
+ // iterator traits
+ using iterator_category = std::input_iterator_tag;
+ using value_type = char;
+ using difference_type = std::ptrdiff_t;
+ using pointer = char*;
+ using reference = char&;
+
friend class SBuf;
typedef MemBlob::size_type size_type;
bool operator==(const SBufIterator &s) const;
diff -u -r -N squid-5.6/src/security/cert_validators/fake/security_fake_certverify.8 squid-5.7/src/security/cert_validators/fake/security_fake_certverify.8
--- squid-5.6/src/security/cert_validators/fake/security_fake_certverify.8 2022-06-06 10:47:33.000000000 +1200
+++ squid-5.7/src/security/cert_validators/fake/security_fake_certverify.8 2022-09-06 03:41:00.000000000 +1200
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "SECURITY_FAKE_CERTVERIFY 8"
-.TH SECURITY_FAKE_CERTVERIFY 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"
+.TH SECURITY_FAKE_CERTVERIFY 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-5.6/src/security/forward.h squid-5.7/src/security/forward.h
--- squid-5.6/src/security/forward.h 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/security/forward.h 2022-09-05 16:06:48.000000000 +1200
@@ -93,10 +93,25 @@
typedef std::list CertRevokeList;
#if USE_OPENSSL
+CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
+using PrivateKeyPointer = Security::LockingPointer>;
+#elif USE_GNUTLS
+using PrivateKeyPointer = std::shared_ptr;
+#else
+using PrivateKeyPointer = std::shared_ptr;
+#endif
+
+#if USE_OPENSSL
+#if OPENSSL_VERSION_MAJOR < 3
CtoCpp1(DH_free, DH *);
typedef Security::LockingPointer > DhePointer;
#else
-typedef void *DhePointer;
+using DhePointer = PrivateKeyPointer;
+#endif
+#elif USE_GNUTLS
+using DhePointer = void *;
+#else
+using DhePointer = void *;
#endif
class EncryptorAnswer;
@@ -159,7 +174,7 @@
class KeyData;
#if USE_OPENSSL
-typedef long ParsedOptions;
+using ParsedOptions = uint64_t;
#elif USE_GNUTLS
typedef std::shared_ptr ParsedOptions;
#else
@@ -175,15 +190,6 @@
class BlindPeerConnector;
class PeerOptions;
-#if USE_OPENSSL
-CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
-typedef Security::LockingPointer > PrivateKeyPointer;
-#elif USE_GNUTLS
-typedef std::shared_ptr PrivateKeyPointer;
-#else
-typedef std::shared_ptr PrivateKeyPointer;
-#endif
-
class ServerOptions;
class ErrorDetail;
diff -u -r -N squid-5.6/src/security/PeerOptions.cc squid-5.7/src/security/PeerOptions.cc
--- squid-5.6/src/security/PeerOptions.cc 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/security/PeerOptions.cc 2022-09-05 16:06:48.000000000 +1200
@@ -293,134 +293,134 @@
/// set of options we can parse and what they map to
static struct ssl_option {
const char *name;
- long value;
+ Security::ParsedOptions value;
} ssl_options[] = {
-#if SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
+#if defined(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
{
"NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
},
#endif
-#if SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
+#if defined(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
{
"SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
},
#endif
-#if SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
+#if defined(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
{
"MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
},
#endif
-#if SSL_OP_SSLEAY_080_CLIENT_DH_BUG
+#if defined(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
{
"SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG
},
#endif
-#if SSL_OP_TLS_D5_BUG
+#if defined(SSL_OP_TLS_D5_BUG)
{
"TLS_D5_BUG", SSL_OP_TLS_D5_BUG
},
#endif
-#if SSL_OP_TLS_BLOCK_PADDING_BUG
+#if defined(SSL_OP_TLS_BLOCK_PADDING_BUG)
{
"TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG
},
#endif
-#if SSL_OP_TLS_ROLLBACK_BUG
+#if defined(SSL_OP_TLS_ROLLBACK_BUG)
{
"TLS_ROLLBACK_BUG", SSL_OP_TLS_ROLLBACK_BUG
},
#endif
-#if SSL_OP_ALL
+#if defined(SSL_OP_ALL)
{
- "ALL", (long)SSL_OP_ALL
+ "ALL", SSL_OP_ALL
},
#endif
-#if SSL_OP_SINGLE_DH_USE
+#if defined(SSL_OP_SINGLE_DH_USE)
{
"SINGLE_DH_USE", SSL_OP_SINGLE_DH_USE
},
#endif
-#if SSL_OP_EPHEMERAL_RSA
+#if defined(SSL_OP_EPHEMERAL_RSA)
{
"EPHEMERAL_RSA", SSL_OP_EPHEMERAL_RSA
},
#endif
-#if SSL_OP_PKCS1_CHECK_1
+#if defined(SSL_OP_PKCS1_CHECK_1)
{
"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1
},
#endif
-#if SSL_OP_PKCS1_CHECK_2
+#if defined(SSL_OP_PKCS1_CHECK_2)
{
"PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2
},
#endif
-#if SSL_OP_NETSCAPE_CA_DN_BUG
+#if defined(SSL_OP_NETSCAPE_CA_DN_BUG)
{
"NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG
},
#endif
-#if SSL_OP_NON_EXPORT_FIRST
+#if defined(SSL_OP_NON_EXPORT_FIRST)
{
"NON_EXPORT_FIRST", SSL_OP_NON_EXPORT_FIRST
},
#endif
-#if SSL_OP_CIPHER_SERVER_PREFERENCE
+#if defined(SSL_OP_CIPHER_SERVER_PREFERENCE)
{
"CIPHER_SERVER_PREFERENCE", SSL_OP_CIPHER_SERVER_PREFERENCE
},
#endif
-#if SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
+#if defined(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
{
"NETSCAPE_DEMO_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
},
#endif
-#if SSL_OP_NO_SSLv3
+#if defined(SSL_OP_NO_SSLv3)
{
"NO_SSLv3", SSL_OP_NO_SSLv3
},
#endif
-#if SSL_OP_NO_TLSv1
+#if defined(SSL_OP_NO_TLSv1)
{
"NO_TLSv1", SSL_OP_NO_TLSv1
},
#else
{ "NO_TLSv1", 0 },
#endif
-#if SSL_OP_NO_TLSv1_1
+#if defined(SSL_OP_NO_TLSv1_1)
{
"NO_TLSv1_1", SSL_OP_NO_TLSv1_1
},
#else
{ "NO_TLSv1_1", 0 },
#endif
-#if SSL_OP_NO_TLSv1_2
+#if defined(SSL_OP_NO_TLSv1_2)
{
"NO_TLSv1_2", SSL_OP_NO_TLSv1_2
},
#else
{ "NO_TLSv1_2", 0 },
#endif
-#if SSL_OP_NO_TLSv1_3
+#if defined(SSL_OP_NO_TLSv1_3)
{
"NO_TLSv1_3", SSL_OP_NO_TLSv1_3
},
#else
{ "NO_TLSv1_3", 0 },
#endif
-#if SSL_OP_NO_COMPRESSION
+#if defined(SSL_OP_NO_COMPRESSION)
{
"No_Compression", SSL_OP_NO_COMPRESSION
},
#endif
-#if SSL_OP_NO_TICKET
+#if defined(SSL_OP_NO_TICKET)
{
"NO_TICKET", SSL_OP_NO_TICKET
},
#endif
-#if SSL_OP_SINGLE_ECDH_USE
+#if defined(SSL_OP_SINGLE_ECDH_USE)
{
"SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE
},
@@ -455,7 +455,7 @@
#if USE_OPENSSL
::Parser::Tokenizer tok(str);
- long op = 0;
+ ParsedOptions op = 0;
while (!tok.atEnd()) {
enum {
@@ -472,7 +472,8 @@
static const CharacterSet optChars = CharacterSet("TLS-option", "_") + CharacterSet::ALPHA + CharacterSet::DIGIT;
int64_t hex = 0;
SBuf option;
- long value = 0;
+ ParsedOptions value = 0;
+ bool found = false;
// Bug 4429: identify the full option name before determining text or numeric
if (tok.prefix(option, optChars)) {
@@ -481,14 +482,16 @@
for (struct ssl_option *opttmp = ssl_options; opttmp->name; ++opttmp) {
if (option.cmp(opttmp->name) == 0) {
value = opttmp->value;
+ found = true;
break;
}
}
// Special case.. hex specification
::Parser::Tokenizer tmp(option);
- if (!value && tmp.int64(hex, 16, false) && tmp.atEnd()) {
+ if (!found && tmp.int64(hex, 16, false) && tmp.atEnd()) {
value = hex;
+ found = true;
}
}
@@ -502,7 +505,7 @@
break;
}
} else {
- debugs(83, DBG_PARSE_NOTE(1), "ERROR: Unknown TLS option " << option);
+ debugs(83, DBG_PARSE_NOTE(DBG_IMPORTANT), "ERROR: " << (found?"Unsupported":"Unknown") << " TLS option " << option);
}
static const CharacterSet delims("TLS-option-delim",":,");
@@ -512,9 +515,10 @@
}
-#if SSL_OP_NO_SSLv2
+#if defined(SSL_OP_NO_SSLv2)
// compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0
- op = op | SSL_OP_NO_SSLv2;
+ if (SSL_OP_NO_SSLv2)
+ op |= SSL_OP_NO_SSLv2;
#endif
parsedOptions = op;
diff -u -r -N squid-5.6/src/security/ServerOptions.cc squid-5.7/src/security/ServerOptions.cc
--- squid-5.6/src/security/ServerOptions.cc 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/security/ServerOptions.cc 2022-09-05 16:06:48.000000000 +1200
@@ -10,8 +10,10 @@
#include "anyp/PortCfg.h"
#include "base/Packable.h"
#include "cache_cf.h"
+#include "error/SysErrorDetail.h"
#include "fatal.h"
#include "globals.h"
+#include "security/Io.h"
#include "security/ServerOptions.h"
#include "security/Session.h"
#include "SquidConfig.h"
@@ -19,6 +21,9 @@
#include "compat/openssl.h"
#include "ssl/support.h"
+#if HAVE_OPENSSL_DECODER_H
+#include
+#endif
#if HAVE_OPENSSL_ERR_H
#include
#endif
@@ -352,11 +357,20 @@
if (dhParamsFile.isEmpty())
return;
+ // TODO: After loading and validating parameters, also validate that "the
+ // public and private components have the correct mathematical
+ // relationship". See EVP_PKEY_check().
+
#if USE_OPENSSL
+#if OPENSSL_VERSION_MAJOR < 3
DH *dhp = nullptr;
if (FILE *in = fopen(dhParamsFile.c_str(), "r")) {
dhp = PEM_read_DHparams(in, NULL, NULL, NULL);
fclose(in);
+ } else {
+ const auto xerrno = errno;
+ debugs(83, DBG_IMPORTANT, "WARNING: Failed to open '" << dhParamsFile << "'" << xstrerr(xerrno));
+ return;
}
if (!dhp) {
@@ -374,7 +388,73 @@
}
parsedDhParams.resetWithoutLocking(dhp);
+
+#else // OpenSSL 3.0+
+ const auto type = eecdhCurve.isEmpty() ? "DH" : "EC";
+
+ Security::ForgetErrors();
+ EVP_PKEY *rawPkey = nullptr;
+ using DecoderContext = std::unique_ptr >;
+ if (const DecoderContext dctx{OSSL_DECODER_CTX_new_for_pkey(&rawPkey, "PEM", nullptr, type, 0, nullptr, nullptr)}) {
+
+ // OpenSSL documentation is vague on this, but OpenSSL code and our
+ // tests suggest that rawPkey remains nil here while rawCtx keeps
+ // rawPkey _address_ for use by the decoder (see OSSL_DECODER_from_fp()
+ // below). Thus, we must not move *rawPkey into a smart pointer until
+ // decoding is over. For cleanup code simplicity, we assert nil rawPkey.
+ assert(!rawPkey);
+
+ if (OSSL_DECODER_CTX_get_num_decoders(dctx.get()) == 0) {
+ auto ssl_error = ERR_get_error();
+ debugs(83, DBG_IMPORTANT, "WARNING: No suitable decoders found for " << type << " parameters. " << Security::ErrorString(ssl_error));
+ return;
+ }
+
+ if (const auto in = fopen(dhParamsFile.c_str(), "r")) {
+ if (OSSL_DECODER_from_fp(dctx.get(), in)) {
+ assert(rawPkey);
+ const Security::DhePointer pkey(rawPkey);
+ // TODO: verify that the loaded parameters match the curve named in eecdhCurve
+
+ if (const Ssl::EVP_PKEY_CTX_Pointer pkeyCtx{EVP_PKEY_CTX_new_from_pkey(nullptr, pkey.get(), nullptr)}) {
+ switch (EVP_PKEY_param_check(pkeyCtx.get())) {
+ case 1: // success
+ parsedDhParams = pkey;
+ break;
+ case -2: {
+ auto ssl_error = ERR_get_error();
+ debugs(83, DBG_PARSE_NOTE(2), "WARNING: OpenSSL does not support " << type << " parameters check: " << dhParamsFile << ". " << Security::ErrorString(ssl_error));
+ }
+ break;
+ default: {
+ auto ssl_error = ERR_get_error();
+ debugs(83, DBG_IMPORTANT, "ERROR: Failed to verify " << type << " parameters in " << dhParamsFile << ". " << Security::ErrorString(ssl_error));
+ }
+ break;
+ }
+ } else {
+ // TODO: Reduce error reporting code duplication.
+ auto ssl_error = ERR_get_error();
+ debugs(83, DBG_IMPORTANT, "ERROR: Cannot check " << type << " parameters in " << dhParamsFile << ". " << Security::ErrorString(ssl_error));
+ }
+ } else {
+ auto ssl_error = ERR_get_error();
+ debugs(83, DBG_IMPORTANT, "WARNING: Failed to decode " << type << " parameters '" << dhParamsFile << "'. " << Security::ErrorString(ssl_error));
+ EVP_PKEY_free(rawPkey); // probably still nil, but just in case
+ }
+ fclose(in);
+ } else {
+ const auto xerrno = errno;
+ debugs(83, DBG_IMPORTANT, "WARNING: Failed to open '" << dhParamsFile << "'" << xstrerr(xerrno));
+ }
+
+ } else {
+ auto ssl_error = ERR_get_error();
+ debugs(83, DBG_IMPORTANT, "WARNING: Unable to create decode context for " << type << " parameters. " << Security::ErrorString(ssl_error));
+ return;
+ }
#endif
+#endif // USE_OPENSSL
}
bool
@@ -452,12 +532,16 @@
debugs(83, 9, "Setting Ephemeral ECDH curve to " << eecdhCurve << ".");
#if USE_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH)
+
+ Security::ForgetErrors();
+
int nid = OBJ_sn2nid(eecdhCurve.c_str());
if (!nid) {
debugs(83, DBG_CRITICAL, "ERROR: Unknown EECDH curve '" << eecdhCurve << "'");
return;
}
+#if OPENSSL_VERSION_MAJOR < 3
auto ecdh = EC_KEY_new_by_curve_name(nid);
if (!ecdh) {
const auto x = ERR_get_error();
@@ -472,6 +556,14 @@
EC_KEY_free(ecdh);
#else
+ // TODO: Support multiple group names via SSL_CTX_set1_groups_list().
+ if (!SSL_CTX_set1_groups(ctx.get(), &nid, 1)) {
+ auto ssl_error = ERR_get_error();
+ debugs(83, DBG_CRITICAL, "ERROR: Unable to set Ephemeral ECDH: " << Security::ErrorString(ssl_error));
+ return;
+ }
+#endif
+#else
debugs(83, DBG_CRITICAL, "ERROR: EECDH is not available in this build." <<
" Please link against OpenSSL>=0.9.8 and ensure OPENSSL_NO_ECDH is not set.");
#endif
diff -u -r -N squid-5.6/src/ssl/gadgets.cc squid-5.7/src/ssl/gadgets.cc
--- squid-5.6/src/ssl/gadgets.cc 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/ssl/gadgets.cc 2022-09-05 16:06:48.000000000 +1200
@@ -9,36 +9,26 @@
#include "squid.h"
#include "ssl/gadgets.h"
-EVP_PKEY * Ssl::createSslPrivateKey()
+static Security::PrivateKeyPointer
+CreateRsaPrivateKey()
{
- Security::PrivateKeyPointer pkey(EVP_PKEY_new());
-
- if (!pkey)
- return NULL;
-
- BIGNUM_Pointer bn(BN_new());
- if (!bn)
- return NULL;
-
- if (!BN_set_word(bn.get(), RSA_F4))
- return NULL;
-
- Ssl::RSA_Pointer rsa(RSA_new());
+ Ssl::EVP_PKEY_CTX_Pointer rsa(EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, nullptr));
if (!rsa)
- return NULL;
+ return nullptr;
- int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable?
- if (!RSA_generate_key_ex(rsa.get(), num, bn.get(), NULL))
- return NULL;
+ if (EVP_PKEY_keygen_init(rsa.get()) <= 0)
+ return nullptr;
- if (!rsa)
- return NULL;
+ int num = 2048; // Maybe use 4096 RSA keys, or better make it configurable?
+ if (EVP_PKEY_CTX_set_rsa_keygen_bits(rsa.get(), num) <= 0)
+ return nullptr;
- if (!EVP_PKEY_assign_RSA(pkey.get(), (rsa.get())))
- return NULL;
+ /* Generate key */
+ EVP_PKEY *pkey = nullptr;
+ if (EVP_PKEY_keygen(rsa.get(), &pkey) <= 0)
+ return nullptr;
- rsa.release();
- return pkey.release();
+ return Security::PrivateKeyPointer(pkey);
}
/**
@@ -56,7 +46,7 @@
if (!bn)
return false;
- if (!BN_pseudo_rand(bn.get(), 64, 0, 0))
+ if (!BN_rand(bn.get(), 64, 0, 0))
return false;
}
@@ -375,7 +365,11 @@
// XXX: Add PublicKeyPointer. In OpenSSL, public and private keys are
// internally represented by EVP_PKEY pair, but GnuTLS uses distinct types.
const Security::PrivateKeyPointer certKey(X509_get_pubkey(mimicCert.get()));
+#if OPENSSL_VERSION_MAJOR < 3
const auto rsaPkey = EVP_PKEY_get0_RSA(certKey.get()) != nullptr;
+#else
+ const auto rsaPkey = EVP_PKEY_is_a(certKey.get(), "RSA") == 1;
+#endif
int added = 0;
int nid;
@@ -544,13 +538,8 @@
static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Security::PrivateKeyPointer & pkeyToStore, Ssl::CertificateProperties const &properties, Ssl::BIGNUM_Pointer const &serial)
{
- Security::PrivateKeyPointer pkey;
// Use signing certificates private key as generated certificate private key
- if (properties.signWithPkey.get())
- pkey.resetAndLock(properties.signWithPkey.get());
- else // if not exist generate one
- pkey.resetWithoutLocking(Ssl::createSslPrivateKey());
-
+ const auto pkey = properties.signWithPkey ? properties.signWithPkey : CreateRsaPrivateKey();
if (!pkey)
return false;
diff -u -r -N squid-5.6/src/ssl/gadgets.h squid-5.7/src/ssl/gadgets.h
--- squid-5.6/src/ssl/gadgets.h 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/ssl/gadgets.h 2022-09-05 16:06:48.000000000 +1200
@@ -58,7 +58,7 @@
typedef std::unique_ptr> X509_NAME_Pointer;
-typedef std::unique_ptr> RSA_Pointer;
+using EVP_PKEY_CTX_Pointer = std::unique_ptr>;
typedef std::unique_ptr> X509_REQ_Pointer;
@@ -74,12 +74,6 @@
typedef std::unique_ptr> X509_STORE_CTX_Pointer;
/**
\ingroup SslCrtdSslAPI
- * Create 1024 bits rsa key.
- */
-EVP_PKEY * createSslPrivateKey();
-
-/**
- \ingroup SslCrtdSslAPI
* Write private key and SSL certificate to memory.
*/
bool writeCertAndPrivateKeyToMemory(Security::CertPointer const & cert, Security::PrivateKeyPointer const & pkey, std::string & bufferToWrite);
diff -u -r -N squid-5.6/src/ssl/support.cc squid-5.7/src/ssl/support.cc
--- squid-5.6/src/ssl/support.cc 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/ssl/support.cc 2022-09-05 16:06:48.000000000 +1200
@@ -557,7 +557,11 @@
}
// "dup" function for SSL_get_ex_new_index("cert_err_check")
-#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
+#if OPENSSL_VERSION_MAJOR >= 3
+static int
+ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void **,
+ int, long, void *)
+#elif SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
static int
ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,
int, long, void *)
@@ -654,8 +658,12 @@
SQUID_OPENSSL_init_ssl();
-#if !defined(OPENSSL_NO_ENGINE)
if (::Config.SSL.ssl_engine) {
+#if OPENSSL_VERSION_MAJOR < 3
+ debugs(83, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: Support for ssl_engine is deprecated " <<
+ "in Squids built with OpenSSL 1.x (like this Squid). " <<
+ "It is removed in Squids built with OpenSSL 3.0 or newer.");
+#if !defined(OPENSSL_NO_ENGINE)
ENGINE_load_builtin_engines();
ENGINE *e;
if (!(e = ENGINE_by_id(::Config.SSL.ssl_engine)))
@@ -665,11 +673,14 @@
const auto ssl_error = ERR_get_error();
fatalf("Failed to initialise SSL engine: %s\n", Security::ErrorString(ssl_error));
}
- }
-#else
- if (::Config.SSL.ssl_engine)
- fatalf("Your OpenSSL has no SSL engine support\n");
+#else /* OPENSSL_NO_ENGINE */
+ throw TextException("Cannot use ssl_engine in Squid built with OpenSSL configured to disable SSL engine support", Here());
+#endif
+
+#else /* OPENSSL_VERSION_MAJOR */
+ throw TextException("Cannot use ssl_engine in Squid built with OpenSSL 3.0 or newer", Here());
#endif
+ }
const char *defName = ::Config.SSL.certSignHash ? ::Config.SSL.certSignHash : SQUID_SSL_SIGN_HASH_IF_NONE;
Ssl::DefaultSignHash = EVP_get_digestbyname(defName);
diff -u -r -N squid-5.6/src/store/id_rewriters/file/storeid_file_rewrite.8 squid-5.7/src/store/id_rewriters/file/storeid_file_rewrite.8
--- squid-5.6/src/store/id_rewriters/file/storeid_file_rewrite.8 2022-06-06 10:47:31.000000000 +1200
+++ squid-5.7/src/store/id_rewriters/file/storeid_file_rewrite.8 2022-09-06 03:40:58.000000000 +1200
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "STOREID_FILE_REWRITE 8"
-.TH STOREID_FILE_REWRITE 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"
+.TH STOREID_FILE_REWRITE 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-5.6/src/tests/testStoreHashIndex.cc squid-5.7/src/tests/testStoreHashIndex.cc
--- squid-5.6/src/tests/testStoreHashIndex.cc 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/tests/testStoreHashIndex.cc 2022-09-05 16:06:48.000000000 +1200
@@ -102,6 +102,8 @@
if (inited)
return;
+ inited = true;
+
Mem::Init();
Config.Store.avgObjectSize = 1024;
@@ -109,6 +111,10 @@
Config.Store.objectsPerBucket = 20;
Config.Store.maxObjectSize = 2048;
+
+ Config.memShared.defaultTo(false);
+
+ Config.store_dir_select_algorithm = xstrdup("round-robin");
}
/* TODO make this a cbdata class */
diff -u -r -N squid-5.6/src/tunnel.cc squid-5.7/src/tunnel.cc
--- squid-5.6/src/tunnel.cc 2022-06-06 10:11:52.000000000 +1200
+++ squid-5.7/src/tunnel.cc 2022-09-05 16:06:48.000000000 +1200
@@ -97,6 +97,10 @@
return (server.conn != NULL && server.conn->getPeer() ? server.conn->getPeer()->host : request->url.host());
};
+ /// store the given to-server connection; prohibit retries and do not look
+ /// for any other destinations
+ void commitToServer(const Comm::ConnectionPointer &);
+
/// Whether the client sent a CONNECT request to us.
bool clientExpectsConnectResponse() const {
// If we are forcing a tunnel after receiving a client CONNECT, then we
@@ -186,6 +190,10 @@
/// whether another destination may be still attempted if the TCP connection
/// was unexpectedly closed
bool retriable;
+
+ /// whether the decision to tunnel to a particular destination was final
+ bool committedToServer;
+
// TODO: remove after fixing deferred reads in TunnelStateData::copyRead()
CodeContext::Pointer codeContext; ///< our creator context
@@ -263,9 +271,8 @@
/// \returns whether the request should be retried (nil) or the description why it should not
const char *checkRetry();
- /// whether the successfully selected path destination or the established
- /// server connection is still in use
- bool usingDestination() const;
+
+ bool transporting() const;
/// details of the "last tunneling attempt" failure (if it failed)
ErrorState *savedError = nullptr;
@@ -362,6 +369,7 @@
destinations(new ResolvedPeers()),
destinationsFound(false),
retriable(true),
+ committedToServer(false),
codeContext(CodeContext::Current())
{
debugs(26, 3, "TunnelStateData constructed this=" << this);
@@ -1009,8 +1017,7 @@
TunnelStateData::notePeerReadyToShovel(const Comm::ConnectionPointer &conn)
{
assert(!client.dirty);
- retriable = false;
- server.initConnection(conn, tunnelServerClosed, "tunnelServerClosed", this);
+ commitToServer(conn);
if (!clientExpectsConnectResponse())
tunnelStartShoveling(this); // ssl-bumped connection, be quiet
@@ -1025,6 +1032,15 @@
}
}
+void
+TunnelStateData::commitToServer(const Comm::ConnectionPointer &conn)
+{
+ committedToServer = true;
+ retriable = false; // may already be false
+ PeerSelectionInitiator::subscribed = false; // may already be false
+ server.initConnection(conn, tunnelServerClosed, "tunnelServerClosed", this);
+}
+
static void
tunnelErrorComplete(int fd/*const Comm::ConnectionPointer &*/, void *data, size_t)
{
@@ -1252,18 +1268,15 @@
destinations->addPath(path);
- if (usingDestination()) {
- // We are already using a previously opened connection but also
- // receiving destinations in case we need to re-forward.
- Must(!transportWait);
- return;
- }
-
if (transportWait) {
+ assert(!transporting());
notifyConnOpener();
return; // and continue to wait for tunnelConnectDone() callback
}
+ if (transporting())
+ return; // and continue to receive destinations for backup
+
startConnecting();
}
@@ -1279,8 +1292,9 @@
if (selectionError)
return sendError(selectionError, "path selection has failed");
+ // TODO: Merge with FwdState and remove this likely unnecessary check.
if (savedError)
- return sendError(savedError, "all found paths have failed");
+ return sendError(savedError, "path selection found no paths (with an impossible early error)");
return sendError(new ErrorState(ERR_CANNOT_FORWARD, Http::scInternalServerError, request.getRaw(), al),
"path selection found no paths");
@@ -1289,21 +1303,32 @@
// if all of them fail, tunneling as whole will fail
Must(!selectionError); // finding at least one path means selection succeeded
- if (usingDestination()) {
- // We are already using a previously opened connection but also
- // receiving destinations in case we need to re-forward.
- Must(!transportWait);
+ if (transportWait) {
+ assert(!transporting());
+ notifyConnOpener();
+ return; // and continue to wait for the noteConnection() callback
+ }
+
+ if (transporting()) {
+ // We are already using a previously opened connection (but were also
+ // receiving more destinations in case we need to re-forward).
+ debugs(17, 7, "keep transporting");
return;
}
- Must(transportWait); // or we would be stuck with nothing to do or wait for
- notifyConnOpener();
+ // destinationsFound, but none of them worked, and we were waiting for more
+ assert(savedError);
+ // XXX: Honor clientExpectsConnectResponse() before replying.
+ sendError(savedError, "all found paths have failed");
}
+/// Whether a tunneling attempt to some selected destination X is in progress
+/// (after successfully opening/reusing a transport connection to X).
+/// \sa transportWait
bool
-TunnelStateData::usingDestination() const
+TunnelStateData::transporting() const
{
- return encryptionWait || peerWait || Comm::IsConnOpen(server.conn);
+ return encryptionWait || peerWait || committedToServer;
}
/// remembers an error to be used if there will be no more connection attempts
@@ -1362,7 +1387,7 @@
request->hier.startPeerClock();
assert(!destinations->empty());
- assert(!usingDestination());
+ assert(!transporting());
AsyncCall::Pointer callback = asyncCall(17, 5, "TunnelStateData::noteConnection", HappyConnOpener::CbDialer(&TunnelStateData::noteConnection, this));
const auto cs = new HappyConnOpener(destinations, callback, request, startTime, 0, al);
cs->setHost(request->url.host());
@@ -1457,12 +1482,10 @@
debugs(26, 3, request->method << " " << context->http->uri << " " << request->http_ver);
TunnelStateData *tunnelState = new TunnelStateData(context->http);
- tunnelState->retriable = false;
+ tunnelState->commitToServer(srvConn);
request->hier.resetPeerNotes(srvConn, tunnelState->getHost());
- tunnelState->server.initConnection(srvConn, tunnelServerClosed, "tunnelServerClosed", tunnelState);
-
#if USE_DELAY_POOLS
/* no point using the delayIsNoDelay stuff since tunnel is nice and simple */
if (!srvConn->getPeer() || !srvConn->getPeer()->options.no_delay)
diff -u -r -N squid-5.6/tools/helper-mux/helper-mux.8 squid-5.7/tools/helper-mux/helper-mux.8
--- squid-5.6/tools/helper-mux/helper-mux.8 2022-06-06 10:47:33.000000000 +1200
+++ squid-5.7/tools/helper-mux/helper-mux.8 2022-09-06 03:41:01.000000000 +1200
@@ -133,7 +133,7 @@
.\" ========================================================================
.\"
.IX Title "HELPER-MUX 8"
-.TH HELPER-MUX 8 "2022-06-05" "perl v5.34.0" "User Contributed Perl Documentation"
+.TH HELPER-MUX 8 "2022-09-05" "perl v5.34.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l