squid 3.5.22: latest patches (14103-14113)

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer
2016-11-30 18:50:05 +01:00
committed by Michael Tremer
parent cc8f79f95f
commit 262c48be60
12 changed files with 728 additions and 0 deletions


@@ -74,6 +74,17 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14100.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14101.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14102.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14103.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14104.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14105.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14106.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14107.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14108.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14109.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14110.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14111.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14112.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14113.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.22-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi


@@ -0,0 +1,61 @@
------------------------------------------------------------
revno: 14103
revision-id: squid3@treenet.co.nz-20161029232628-1y2u918re62uqs3v
parent: squid3@treenet.co.nz-20161025082530-do632qnr9bwyk5et
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4627
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Sun 2016-10-30 12:26:28 +1300
message:
Bug 4627: fix generate-host-certificates and dynamic_cert_mem_cache_size docs
For Squid-3 the fix is just to update the documentation.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20161029232628-1y2u918re62uqs3v
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: ea728cefc977ea5489da01b7a742821121c29476
# timestamp: 2016-10-29 23:51:13 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20161025082530-\
# do632qnr9bwyk5et
#
# Begin patch
=== modified file 'src/cf.data.pre'
--- src/cf.data.pre 2016-10-25 08:23:49 +0000
+++ src/cf.data.pre 2016-10-29 23:26:28 +0000
@@ -1787,13 +1787,12 @@
certificate equals lifetime of the CA certificate. If
generated certificate is selfsigned lifetime is three
years.
- This option is enabled by default when ssl-bump is used.
- See the ssl-bump option above for more information.
+ This option is disabled by default. See the ssl-bump
+ option above for more information.
dynamic_cert_mem_cache_size=SIZE
Approximate total RAM size spent on cached generated
- certificates. If set to zero, caching is disabled. The
- default value is 4MB.
+ certificates. If set to zero, caching is disabled.
TLS / SSL Options:
@@ -2063,13 +2062,12 @@
certificate equals lifetime of CA certificate. If
generated certificate is selfsigned lifetime is three
years.
- This option is enabled by default when SslBump is used.
- See the sslBump option above for more information.
+ This option is disabled by default. See the ssl-bump
+ option above for more information.
dynamic_cert_mem_cache_size=SIZE
Approximate total RAM size spent on cached generated
- certificates. If set to zero, caching is disabled. The
- default value is 4MB.
+ certificates. If set to zero, caching is disabled.
See http_port for a list of available options.
DOC_END


@@ -0,0 +1,66 @@
------------------------------------------------------------
revno: 14104
revision-id: squid3@treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks
parent: squid3@treenet.co.nz-20161029232628-1y2u918re62uqs3v
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Sun 2016-10-30 22:38:16 +1300
message:
Copyright: add some missing blurbs and contributor details
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 8d44709a8f9c34926ce569e58aef82603a3d514b
# timestamp: 2016-10-30 09:40:44 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20161029232628-\
# 1y2u918re62uqs3v
#
# Begin patch
=== modified file 'CONTRIBUTORS'
--- CONTRIBUTORS 2016-01-06 14:27:36 +0000
+++ CONTRIBUTORS 2016-10-30 09:38:16 +0000
@@ -211,6 +211,8 @@
Joe Ramey <ramey@jello.csc.ti.com>
Joerg Lehrke <jlehrke@noc.de>
Johnathan Conley <johnathan.conley@gmail.com>
+ John@MCC.ac.uk
+ John@Pharmweb.NET
John Dilley <jad@hpl.hp.com>
John M Cooper <john.cooper@yourcommunications.co.uk>
John Saunders <johns@rd.scitec.com.au>
=== modified file 'contrib/url-normalizer.pl'
--- contrib/url-normalizer.pl 1996-12-07 00:54:31 +0000
+++ contrib/url-normalizer.pl 2016-10-30 09:38:16 +0000
@@ -1,4 +1,11 @@
#!/usr/local/bin/perl -Tw
+#
+# * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+# *
+# * Squid software is distributed under GPLv2+ license and includes
+# * contributions from numerous individuals and organizations.
+# * Please see the COPYING and CONTRIBUTORS files for details.
+#
# From: Markus Gyger <mgyger@itr.ch>
#
=== modified file 'contrib/user-agents.pl'
--- contrib/user-agents.pl 1996-12-07 00:28:56 +0000
+++ contrib/user-agents.pl 2016-10-30 09:38:16 +0000
@@ -1,5 +1,13 @@
#!/usr/bin/perl
#
+# * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
+# *
+# * Squid software is distributed under GPLv2+ license and includes
+# * contributions from numerous individuals and organizations.
+# * Please see the COPYING and CONTRIBUTORS files for details.
+#
+
+#
# John@MCC.ac.uk
# John@Pharmweb.NET


@@ -0,0 +1,48 @@
------------------------------------------------------------
revno: 14105
revision-id: squid3@treenet.co.nz-20161030093920-5f7f2px9ea08rxlq
parent: squid3@treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4567
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Sun 2016-10-30 22:39:20 +1300
message:
Bug 4567: Strange IPv6 shown in access.log
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20161030093920-5f7f2px9ea08rxlq
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 8dbae4e7fc5fb80afc6eee6800743abd1b1eaa47
# timestamp: 2016-10-30 09:40:47 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20161030093816-\
# 7vwnk5zrrql2p5ks
#
# Begin patch
=== modified file 'src/AccessLogEntry.cc'
--- src/AccessLogEntry.cc 2016-01-01 00:14:27 +0000
+++ src/AccessLogEntry.cc 2016-10-30 09:39:20 +0000
@@ -30,14 +30,17 @@
log_ip = request->indirect_client_addr;
else
#endif
- if (tcpClient != NULL)
+ if (tcpClient)
log_ip = tcpClient->remote;
- else if (cache.caddr.isNoAddr()) { // e.g., ICAP OPTIONS lack client
- strncpy(buf, "-", bufsz);
- return;
- } else
+ else
log_ip = cache.caddr;
+ // internally generated requests (and some ICAP) lack client IP
+ if (log_ip.isNoAddr()) {
+ strncpy(buf, "-", bufsz);
+ return;
+ }
+
// Apply so-called 'privacy masking' to IPv4 clients
// - localhost IP is always shown in full
// - IPv4 clients masked with client_netmask
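Review bot: `strncpy(buf, "-", bufsz);` in the relocated no-address branch leaves buf unterminated when bufsz is 1 and otherwise zero-fills the whole buffer on every call; a bounded formatter such as `snprintf(buf, bufsz, "-");` states the intent and always terminates for a non-zero size. The check now runs after all three address sources have been tried, so the client field in access.log can be `-` for internally generated requests as well, and log parsers or detections keyed on that field should accept it. The enclosing function starts and ends outside the hunk, so the actual range of bufsz is not visible here.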


@@ -0,0 +1,34 @@
------------------------------------------------------------
revno: 14106
revision-id: squid3@treenet.co.nz-20161030094025-l4b8fdahoru8h16d
parent: squid3@treenet.co.nz-20161030093920-5f7f2px9ea08rxlq
author: Garri Djavadyan <garryd@comnet.uz>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Sun 2016-10-30 22:40:25 +1300
message:
Fix debug message in ACLChecklist::bannedAction()
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20161030094025-l4b8fdahoru8h16d
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 4fd7942b294096f5c27e3d460b6d4c79580443e1
# timestamp: 2016-10-30 09:40:49 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20161030093920-\
# 5f7f2px9ea08rxlq
#
# Begin patch
=== modified file 'src/acl/Checklist.cc'
--- src/acl/Checklist.cc 2016-01-01 00:14:27 +0000
+++ src/acl/Checklist.cc 2016-10-30 09:40:25 +0000
@@ -397,7 +397,7 @@
ACLChecklist::bannedAction(const allow_t &action) const
{
const bool found = std::find(bannedActions_.begin(), bannedActions_.end(), action) != bannedActions_.end();
- debugs(28, 5, "Action '" << action << "/" << action.kind << (found ? " is " : "is not") << " banned");
+ debugs(28, 5, "Action '" << action << "/" << action.kind << (found ? "' is " : "' is not") << " banned");
return found;
}


@@ -0,0 +1,56 @@
------------------------------------------------------------
revno: 14107
revision-id: squid3@treenet.co.nz-20161030094503-rwdft21ffff44rns
parent: squid3@treenet.co.nz-20161030094025-l4b8fdahoru8h16d
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Sun 2016-10-30 22:45:03 +1300
message:
HTTP/1.1: make Vary:* objects cacheable
Under new clauses from RFC 7231 section 7.1.4 and HTTP response
containing header Vary:* (wifcard variant) can be cached, but
requires revalidation with server before each use.
Use the new mandatory revalidation flags to allow storing of any
wildcard Vary:* response.
Note that responses with headers like Vary:A,B,C,* are equivalent
to Vary:*. The cache key string for these objects is normalized.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20161030094503-rwdft21ffff44rns
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 2652a5a689745e31fc450e0dfd1c5c472f6d68d6
# timestamp: 2016-10-30 09:45:47 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20161030094025-\
# l4b8fdahoru8h16d
#
# Begin patch
=== modified file 'src/http.cc'
--- src/http.cc 2016-10-09 19:47:26 +0000
+++ src/http.cc 2016-10-30 09:45:03 +0000
@@ -594,7 +594,7 @@
while (strListGetItem(&vary, ',', &item, &ilen, &pos)) {
SBuf name(item, ilen);
if (name == asterisk) {
- vstr.clear();
+ vstr = asterisk;
break;
}
name.toLower();
@@ -917,6 +917,12 @@
varyFailure = true;
} else {
entry->mem_obj->vary_headers = vary;
+
+ // RFC 7231 section 7.1.4
+ // Vary:* can be cached, but has mandatory revalidation
+ static const SBuf asterisk("*");
+ if (vary == asterisk)
+ EBIT_SET(entry->flags, ENTRY_REVALIDATE_ALWAYS);
}
}
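Review bot: The `vary == asterisk` test added at @@ -917 is only correct because the loop changed at @@ -594 now collapses any list containing `*` to exactly `*`, and neither site says so. Storing these responses is safe only if ENTRY_REVALIDATE_ALWAYS forces revalidation on every hit path, which is outside this patch; if some path skips it, a response chosen on unknown request properties could be served to a different client. I would add `// relies on the Vary mark being normalized to "*" for any wildcard list` above the comparison, and reuse one shared `asterisk` constant instead of what looks like a second static declaration. Both functions start and end outside the hunks.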


@@ -0,0 +1,33 @@
------------------------------------------------------------
revno: 14108
revision-id: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx
parent: squid3@treenet.co.nz-20161030094503-rwdft21ffff44rns
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Wed 2016-11-02 00:22:31 +1300
message:
Fix build issue after rev.14105
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: fea1ede525ccb3ad7bf50e8de8f125a86a8dc016
# timestamp: 2016-11-01 11:51:06 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20161030094503-\
# rwdft21ffff44rns
#
# Begin patch
=== modified file 'src/AccessLogEntry.cc'
--- src/AccessLogEntry.cc 2016-10-30 09:39:20 +0000
+++ src/AccessLogEntry.cc 2016-11-01 11:22:31 +0000
@@ -30,7 +30,7 @@
log_ip = request->indirect_client_addr;
else
#endif
- if (tcpClient)
+ if (tcpClient != NULL)
log_ip = tcpClient->remote;
else
log_ip = cache.caddr;


@@ -0,0 +1,167 @@
------------------------------------------------------------
revno: 14109
revision-id: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h
parent: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx
fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3379
author: Garri Djavadyan <garryd@comnet.uz>, Amos Jeffries <squid3@treenet.co.nz>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Fri 2016-11-11 19:03:25 +1300
message:
Bug 3379: Combination of If-Match and a Cache Hit result in TCP Connection Failure
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 50d66878a765925d9a64569b3c226bebdee1f736
# timestamp: 2016-11-11 06:10:37 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20161101112231-\
# k77st4up2sekl5zx
#
# Begin patch
=== modified file 'src/client_side_reply.cc'
--- src/client_side_reply.cc 2016-10-09 19:47:26 +0000
+++ src/client_side_reply.cc 2016-11-11 06:03:25 +0000
@@ -589,6 +589,7 @@
debugs(88, 5, "negative-HIT");
http->logType = LOG_TCP_NEGATIVE_HIT;
sendMoreData(result);
+ return;
} else if (blockedHit()) {
debugs(88, 5, "send_hit forces a MISS");
http->logType = LOG_TCP_MISS;
@@ -641,27 +642,29 @@
http->logType = LOG_TCP_MISS;
processMiss();
}
+ return;
} else if (r->conditional()) {
debugs(88, 5, "conditional HIT");
- processConditional(result);
- } else {
- /*
- * plain ol' cache hit
- */
- debugs(88, 5, "plain old HIT");
+ if (processConditional(result))
+ return;
+ }
+
+ /*
+ * plain ol' cache hit
+ */
+ debugs(88, 5, "plain old HIT");
#if USE_DELAY_POOLS
- if (e->store_status != STORE_OK)
- http->logType = LOG_TCP_MISS;
- else
+ if (e->store_status != STORE_OK)
+ http->logType = LOG_TCP_MISS;
+ else
#endif
- if (e->mem_status == IN_MEMORY)
- http->logType = LOG_TCP_MEM_HIT;
- else if (Config.onoff.offline)
- http->logType = LOG_TCP_OFFLINE_HIT;
+ if (e->mem_status == IN_MEMORY)
+ http->logType = LOG_TCP_MEM_HIT;
+ else if (Config.onoff.offline)
+ http->logType = LOG_TCP_OFFLINE_HIT;
- sendMoreData(result);
- }
+ sendMoreData(result);
}
/**
@@ -755,17 +758,16 @@
}
/// process conditional request from client
-void
+bool
clientReplyContext::processConditional(StoreIOBuffer &result)
{
StoreEntry *const e = http->storeEntry();
if (e->getReply()->sline.status() != Http::scOkay) {
- debugs(88, 4, "clientReplyContext::processConditional: Reply code " <<
- e->getReply()->sline.status() << " != 200");
+ debugs(88, 4, "Reply code " << e->getReply()->sline.status() << " != 200");
http->logType = LOG_TCP_MISS;
processMiss();
- return;
+ return true;
}
HttpRequest &r = *http->request;
@@ -773,7 +775,7 @@
if (r.header.has(HDR_IF_MATCH) && !e->hasIfMatchEtag(r)) {
// RFC 2616: reply with 412 Precondition Failed if If-Match did not match
sendPreconditionFailedError();
- return;
+ return true;
}
bool matchedIfNoneMatch = false;
@@ -786,14 +788,14 @@
r.header.delById(HDR_IF_MODIFIED_SINCE);
http->logType = LOG_TCP_MISS;
sendMoreData(result);
- return;
+ return true;
}
if (!r.flags.ims) {
// RFC 2616: if If-None-Match matched and there is no IMS,
// reply with 304 Not Modified or 412 Precondition Failed
sendNotModifiedOrPreconditionFailedError();
- return;
+ return true;
}
// otherwise check IMS below to decide if we reply with 304 or 412
@@ -805,19 +807,20 @@
if (e->modifiedSince(r.ims, r.imslen)) {
http->logType = LOG_TCP_IMS_HIT;
sendMoreData(result);
- return;
- }
- if (matchedIfNoneMatch) {
+ } else if (matchedIfNoneMatch) {
// If-None-Match matched, reply with 304 Not Modified or
// 412 Precondition Failed
sendNotModifiedOrPreconditionFailedError();
- return;
+
+ } else {
+ // otherwise reply with 304 Not Modified
+ sendNotModified();
}
-
- // otherwise reply with 304 Not Modified
- sendNotModified();
+ return true;
}
+
+ return false;
}
/// whether squid.conf send_hit prevents us from serving this hit
=== modified file 'src/client_side_reply.h'
--- src/client_side_reply.h 2016-09-23 15:28:42 +0000
+++ src/client_side_reply.h 2016-11-11 06:03:25 +0000
@@ -114,7 +114,7 @@
bool alwaysAllowResponse(Http::StatusCode sline) const;
int checkTransferDone();
void processOnlyIfCachedMiss();
- void processConditional(StoreIOBuffer &result);
+ bool processConditional(StoreIOBuffer &result);
void cacheHit(StoreIOBuffer result);
void handleIMSReply(StoreIOBuffer result);
void sendMoreData(StoreIOBuffer result);
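Review bot: processConditional() changes from void to bool, but the `/// process conditional request from client` comment and the declaration in client_side_reply.h still say nothing about what the result means. From the visible lines, true means a reply, miss or error has already been started, and false means the caller at @@ -641 falls through to the plain-hit path via `if (processConditional(result)) return;`. I would add a second doc line, `/// \retval true the request was answered here; \retval false serve it as a plain hit`, on both the definition and the declaration. A future caller that gets this backwards would presumably start two replies for one request, so the contract is worth writing down. The bodies of both functions extend outside the hunks.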


@@ -0,0 +1,102 @@
------------------------------------------------------------
revno: 14110
revision-id: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz
parent: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h
author: Christos Tsantilas <chtsanti@users.sourceforge.net>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Mon 2016-11-14 23:51:24 +1300
message:
Fix ssl::server_name ACL badly broken since inception.
The original server_name code mishandled all SNI checks and some rare
host checks:
* The SNI-derived value was pointing to an already freed memory storage.
* Missing host-derived values were not detected (host() is never nil).
* Mismatches were re-checked with an undocumented "none" value
instead of being treated as mismatches.
Same for ssl::server_name_regex.
Also set SNI for more server-first and client-first transactions.
This is a Measurement Factory project.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 46aadc410b46d91d597218961dbf1c634fb834fb
# timestamp: 2016-11-14 10:56:00 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20161111060325-\
# yh8chavvnzuvfh3h
#
# Begin patch
=== modified file 'src/acl/ServerName.cc'
--- src/acl/ServerName.cc 2016-09-08 12:27:06 +0000
+++ src/acl/ServerName.cc 2016-11-14 10:51:24 +0000
@@ -90,27 +90,28 @@
{
assert(checklist != NULL && checklist->request != NULL);
- if (checklist->conn() && checklist->conn()->serverBump()) {
- if (X509 *peer_cert = checklist->conn()->serverBump()->serverCert.get()) {
- if (Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain<MatchType>))
- return 1;
- }
- }
-
const char *serverName = NULL;
- if (checklist->conn() && !checklist->conn()->sslCommonName().isEmpty()) {
- SBuf scn = checklist->conn()->sslCommonName();
- serverName = scn.c_str();
- }
-
- if (serverName == NULL)
- serverName = checklist->request->GetHost();
-
- if (serverName && data->match(serverName)) {
- return 1;
- }
-
- return data->match("none");
+ SBuf serverNameKeeper; // because c_str() is not constant
+ if (ConnStateData *conn = checklist->conn()) {
+ if (conn->serverBump()) {
+ if (X509 *peer_cert = conn->serverBump()->serverCert.get())
+ return Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain<MatchType>);
+ }
+
+ if (conn->sslCommonName().isEmpty()) {
+ const char *host = checklist->request->GetHost();
+ if (host && *host) // paranoid first condition: host() is never nil
+ serverName = host;
+ } else {
+ serverNameKeeper = conn->sslCommonName();
+ serverName = serverNameKeeper.c_str();
+ }
+ }
+
+ if (!serverName)
+ serverName = "none";
+
+ return data->match(serverName);
}
ACLServerNameStrategy *
=== modified file 'src/cf.data.pre'
--- src/cf.data.pre 2016-10-29 23:26:28 +0000
+++ src/cf.data.pre 2016-11-14 10:51:24 +0000
@@ -1167,6 +1167,9 @@
# During each Ssl-Bump step, Squid may improve its understanding of a
# "true server name". Unlike dstdomain, this ACL does not perform
# DNS lookups.
+ # The "none" name can be used to match transactions where Squid
+ # could not compute the server name using any information source
+ # already available at the ACL evaluation time.
acl aclname ssl::server_name_regex [-i] \.foo\.com ...
# regex matches server name obtained from various sources [fast]
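Review bot: When `checklist->conn()` is null the new code never consults `checklist->request->GetHost()`, because the host fallback moved inside the `if (ConnStateData *conn = checklist->conn())` block, so such a transaction is matched as "none" where the removed code matched it against the request host. That may be intended, but it changes what an ssl::server_name rule sees and the added cf.data.pre text does not mention it; a comment such as `// without a client connection the name is reported as "none", even if the request has a host` would record the decision. The `// because c_str() is not constant` remark on serverNameKeeper would also read better as `// keeps the SNI string alive until data->match() returns`, which is the lifetime problem the commit message describes. The function's signature is outside the hunk.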


@@ -0,0 +1,43 @@
------------------------------------------------------------
revno: 14111
revision-id: squid3@treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay
parent: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz
author: Garri Djavadyan <garryd@comnet.uz>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Mon 2016-11-14 23:54:34 +1300
message:
Fix spelling for digest nonce cache maintenance event
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 8c91678868beb689db5e0e6eaa6911c44f503ac8
# timestamp: 2016-11-14 10:56:03 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20161114105124-\
# 46hmtnsg8uj4owxz
#
# Begin patch
=== modified file 'src/auth/digest/Config.cc'
--- src/auth/digest/Config.cc 2016-01-01 00:14:27 +0000
+++ src/auth/digest/Config.cc 2016-11-14 10:54:34 +0000
@@ -204,7 +204,7 @@
if (!digest_nonce_cache) {
digest_nonce_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
assert(digest_nonce_cache);
- eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->nonceGCInterval, 1);
+ eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->nonceGCInterval, 1);
}
}
@@ -268,7 +268,7 @@
debugs(29, 3, "Finished cleaning the nonce cache.");
if (static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->active())
- eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->nonceGCInterval, 1);
+ eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->nonceGCInterval, 1);
}
static void


@@ -0,0 +1,60 @@
------------------------------------------------------------
revno: 14112
revision-id: squid3@treenet.co.nz-20161114124051-s0vzoj5exv5g8w56
parent: squid3@treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay
author: Alex Rousskov <rousskov@measurement-factory.com>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Tue 2016-11-15 01:40:51 +1300
message:
Honor SBufReservationRequirements::minSize regardless of idealSize.
In a fully specified SBufReservationRequirements, idealSize would
naturally match or exceed minSize. However, the idealSize default value
(zero) may not. We should honor minSize regardless of idealSize, just as
the API documentation promises to do.
No runtime changes expected right now because the only existing user of
SBufReservationRequirements sets .idealSize to CLIENT_REQ_BUF_SZ (4096)
and .minSize to 1024.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20161114124051-s0vzoj5exv5g8w56
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: fb0969aa035352582364b529a70286cbfd89564a
# timestamp: 2016-11-14 12:43:10 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20161114105434-\
# f1uvw2lu8l4lpgay
#
# Begin patch
=== modified file 'src/SBuf.cc'
--- src/SBuf.cc 2016-06-18 13:36:07 +0000
+++ src/SBuf.cc 2016-11-14 12:40:51 +0000
@@ -178,7 +178,8 @@
if (!mustRealloc && len_ >= req.maxCapacity)
return spaceSize(); // but we cannot reallocate
- const size_type newSpace = std::min(req.idealSpace, maxSize - len_);
+ const size_type desiredSpace = std::max(req.minSpace, req.idealSpace);
+ const size_type newSpace = std::min(desiredSpace, maxSize - len_);
reserveCapacity(std::min(len_ + newSpace, req.maxCapacity));
debugs(24, 7, id << " now: " << off_ << '+' << len_ << '+' << spaceSize() <<
'=' << store_->capacity);
=== modified file 'src/SBuf.h'
--- src/SBuf.h 2016-06-18 13:36:07 +0000
+++ src/SBuf.h 2016-11-14 12:40:51 +0000
@@ -635,9 +635,10 @@
/*
* Parameters are listed in the reverse order of importance: Satisfaction of
* the lower-listed requirements may violate the higher-listed requirements.
+ * For example, idealSpace has no effect unless it exceeds minSpace.
*/
size_type idealSpace; ///< if allocating anyway, provide this much space
- size_type minSpace; ///< allocate if spaceSize() is smaller
+ size_type minSpace; ///< allocate [at least this much] if spaceSize() is smaller
size_type maxCapacity; ///< do not allocate more than this
bool allowShared; ///< whether sharing our storage with others is OK
};


@@ -0,0 +1,47 @@
------------------------------------------------------------
revno: 14113
revision-id: squid3@treenet.co.nz-20161115075728-2xj2621oh5bwn8wn
parent: squid3@treenet.co.nz-20161114124051-s0vzoj5exv5g8w56
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.5
timestamp: Tue 2016-11-15 20:57:28 +1300
message:
TLS: Make key= before cert= an error instead of quietly hiding the issue
This squid.conf setup is fatal in Squid-4. So best to fix these installations.
Even though Squdi-3 can cope with it.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20161115075728-2xj2621oh5bwn8wn
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: a18738f4cbf0c1bd368e61d4b19c5d6f5005b919
# timestamp: 2016-11-15 07:58:39 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20161114124051-\
# s0vzoj5exv5g8w56
#
# Begin patch
=== modified file 'src/cache_cf.cc'
--- src/cache_cf.cc 2016-09-23 11:11:48 +0000
+++ src/cache_cf.cc 2016-11-15 07:57:28 +0000
@@ -2257,6 +2257,9 @@
safe_free(p->sslcert);
p->sslcert = xstrdup(token + 8);
} else if (strncmp(token, "sslkey=", 7) == 0) {
+ if (!p->sslcert) {
+ debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": sslcert= option must be set before sslkey= is used.");
+ }
safe_free(p->sslkey);
p->sslkey = xstrdup(token + 7);
} else if (strncmp(token, "sslversion=", 11) == 0) {
@@ -3729,6 +3732,9 @@
safe_free(s->cert);
s->cert = xstrdup(token + 5);
} else if (strncmp(token, "key=", 4) == 0) {
+ if (!s->cert) {
+ debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": cert= option must be set before key= is used.");
+ }
safe_free(s->key);
s->key = xstrdup(token + 4);
} else if (strncmp(token, "version=", 8) == 0) {
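Review bot: Both added checks log `ERROR: ... must be set before ...` at DBG_CRITICAL and then carry on to `safe_free()` and `xstrdup()`, so a mis-ordered key is still accepted and the only signal is a cache.log line. That matches the description (Squid-3 copes, Squid-4 treats it as fatal), but the code does not say so, and "must" reads as if parsing stops. I would add `// not fatal in Squid-3; Squid-4 rejects key= before cert=` above each check, or word the message as a warning about the upcoming fatal behaviour. Operators picking up this build should check cache.log for this line after a reconfigure. The same applies to the second hunk at @@ -3729, and both enclosing parsers start outside the hunks.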