squid: Update to 4.4 (stable)

For details see:
http://www.squid-cache.org/Versions/v4/changesets/

In July 2018, 'squid 4' was "released for production use", see:
https://wiki.squid-cache.org/Squid-4

"The features have been set and large code changes are reserved for later versions."

I've tested almost all 4.x-versions and patch series before with good results.
Right now, 4.4 is running here with no seen problems together with
'squidclamav', 'squidguard' and 'privoxy'.

I too would declare this version stable.

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch

@@ -1,72 +0,0 @@
-commit f1657a9decc820f748fa3aff68168d3145258031
-Author: Christos Tsantilas <christos@chtsanti.net>
-Date:   2018-10-17 15:14:07 +0000
-
-    Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)
-    
-    %ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL template. This bug affects all
-    ERR_SECURE_CONNECT_FAIL page templates containing %D, including the default template.
-    
-    Other error pages are not vulnerable because Squid does not populate %D with certificate details in other contexts (yet).
-    
-    Thanks to Nikolas Lohmann [eBlocker] for identifying the problem.
-    
-    TODO: If those certificate details become needed for ACL checks or other non-HTML purposes, make their HTML-escaping conditional.
-    
-    This is a Measurement Factory project.
-
-diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc
-index b5030e3..314e998 100644
---- a/src/ssl/ErrorDetail.cc
-+++ b/src/ssl/ErrorDetail.cc
-@@ -8,6 +8,8 @@
- 
- #include "squid.h"
- #include "errorpage.h"
-+#include "fatal.h"
-+#include "html_quote.h"
- #include "ssl/ErrorDetail.h"
- 
- #include <climits>
-@@ -432,8 +434,11 @@ const char  *Ssl::ErrorDetail::subject() const
- {
-     if (broken_cert.get()) {
-         static char tmpBuffer[256]; // A temporary buffer
--        if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer)))
--            return tmpBuffer;
-+        if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) {
-+            // quote to avoid possible html code injection through
-+            // certificate subject
-+            return html_quote(tmpBuffer);
-+        }
-     }
-     return "[Not available]";
- }
-@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const
-         static String tmpStr;  ///< A temporary string buffer
-         tmpStr.clean();
-         Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn);
--        if (tmpStr.size())
--            return tmpStr.termedBuf();
-+        if (tmpStr.size()) {
-+            // quote to avoid possible html code injection through
-+            // certificate subject
-+            return html_quote(tmpStr.termedBuf());
-+        }
-     }
-     return "[Not available]";
- }
-@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const
- {
-     if (broken_cert.get()) {
-         static char tmpBuffer[256]; // A temporary buffer
--        if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer)))
--            return tmpBuffer;
-+        if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) {
-+            // quote to avoid possible html code injection through
-+            // certificate issuer subject
-+            return html_quote(tmpBuffer);
-+        }
-     }
-     return "[Not available]";
- }

src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch

@@ -0,0 +1,91 @@
+commit bc54d7a6f7ec510a25966f2f800d3ea874657546
+Author: chi-mf <43963496+chi-mf@users.noreply.github.com>
+Date:   2018-10-30 04:48:40 +0000
+
+    Fix netdb exchange with a TLS cache_peer (#307)
+    
+    Squid uses http-scheme URLs when sending netdb exchange (and possibly
+    other) requests to a cache_peer. If a DIRECT path is selected for that
+    cache_peer URL, then Squid sends a clear text HTTP request to that
+    cache_peer. If that cache_peer expects a TLS connection, it will reject
+    that request (with, e.g., error:transaction-end-before-headers),
+    resulting in an HTTP 503 or 504 netdb fetch error.
+    
+    Workaround this by adding an internalRemoteUri() parameter to indicate
+    whether https or http URL scheme should be used. Netdb fetches from
+    CachePeer::secure peers now get an https scheme and, hence, a TLS
+    connection.
+
+diff --git a/src/icmp/net_db.cc b/src/icmp/net_db.cc
+index 0f488de..526093f 100644
+--- a/src/icmp/net_db.cc
++++ b/src/icmp/net_db.cc
+@@ -1282,7 +1282,7 @@ netdbExchangeStart(void *data)
+ #if USE_ICMP
+     CachePeer *p = (CachePeer *)data;
+     static const SBuf netDB("netdb");
+-    char *uri = internalRemoteUri(p->host, p->http_port, "/squid-internal-dynamic/", netDB);
++    char *uri = internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-dynamic/", netDB);
+     debugs(38, 3, "Requesting '" << uri << "'");
+     const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initIcmp);
+     HttpRequest *req = HttpRequest::FromUrl(uri, mx);
+diff --git a/src/internal.cc b/src/internal.cc
+index 6ebc7a6..ff7b4d6 100644
+--- a/src/internal.cc
++++ b/src/internal.cc
+@@ -82,7 +82,7 @@ internalStaticCheck(const SBuf &urlPath)
+  * makes internal url with a given host and port (remote internal url)
+  */
+ char *
+-internalRemoteUri(const char *host, unsigned short port, const char *dir, const SBuf &name)
++internalRemoteUri(bool encrypt, const char *host, unsigned short port, const char *dir, const SBuf &name)
+ {
+     static char lc_host[SQUIDHOSTNAMELEN];
+     assert(host && !name.isEmpty());
+@@ -115,7 +115,7 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const
+     static MemBuf mb;
+ 
+     mb.reset();
+-    mb.appendf("http://" SQUIDSBUFPH, SQUIDSBUFPRINT(tmp.authority()));
++    mb.appendf("%s://" SQUIDSBUFPH, encrypt ? "https" : "http", SQUIDSBUFPRINT(tmp.authority()));
+ 
+     if (dir)
+         mb.append(dir, strlen(dir));
+@@ -132,7 +132,10 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const
+ char *
+ internalLocalUri(const char *dir, const SBuf &name)
+ {
+-    return internalRemoteUri(getMyHostname(),
++    // XXX: getMy*() may return https_port info, but we force http URIs
++    // because we have not checked whether the callers can handle https.
++    const bool secure = false;
++    return internalRemoteUri(secure, getMyHostname(),
+                              getMyPort(), dir, name);
+ }
+ 
+diff --git a/src/internal.h b/src/internal.h
+index c91f9ac..13a43a6 100644
+--- a/src/internal.h
++++ b/src/internal.h
+@@ -24,7 +24,7 @@ void internalStart(const Comm::ConnectionPointer &clientConn, HttpRequest *, Sto
+ bool internalCheck(const SBuf &urlPath);
+ bool internalStaticCheck(const SBuf &urlPath);
+ char *internalLocalUri(const char *dir, const SBuf &name);
+-char *internalRemoteUri(const char *, unsigned short, const char *, const SBuf &);
++char *internalRemoteUri(bool, const char *, unsigned short, const char *, const SBuf &);
+ const char *internalHostname(void);
+ int internalHostnameIs(const char *);
+ 
+diff --git a/src/peer_digest.cc b/src/peer_digest.cc
+index 36a8705..f515aaa 100644
+--- a/src/peer_digest.cc
++++ b/src/peer_digest.cc
+@@ -323,7 +323,7 @@ peerDigestRequest(PeerDigest * pd)
+     if (p->digest_url)
+         url = xstrdup(p->digest_url);
+     else
+-        url = xstrdup(internalRemoteUri(p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName)));
++        url = xstrdup(internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName)));
+     debugs(72, 2, url);
+ 
+     const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initCacheDigest);

src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch

@@ -1,22 +0,0 @@
-commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5)
-Author: flozilla <fishyflow@gmail.com>
-Date:   2018-10-24 14:12:01 +0200
-
-    Fix memory leak when parsing SNMP packet (#313)
-    
-    SNMP queries denied by snmp_access rules and queries with certain
-    unsupported SNMPv2 commands were leaking a few hundred bytes each. Such
-    queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log.
-
-diff --git a/src/snmp_core.cc b/src/snmp_core.cc
-index c4d21c1..16c2993 100644
---- a/src/snmp_core.cc
-+++ b/src/snmp_core.cc
-@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq)
-             snmpConstructReponse(rq);
-         } else {
-             debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from);
-+            snmp_free_pdu(PDU);
-         }
-         xfree(Community);
- 

src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch

@@ -0,0 +1,22 @@
+commit 3c23ae8c7431344f8fc50bb5ee8f4b56d08c10a4
+Author: Amos Jeffries <yadij@users.noreply.github.com>
+Date:   2018-11-11 04:29:58 +0000
+
+    Maintenance: add .xz tarball format formally to make dist (#325)
+    
+    Automake can now handle generating this format itself and the
+    experiments of providing it for downstream have gone well.
+
+diff --git a/configure.ac b/configure.ac
+index 3f8af6d..f668567 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -10,7 +10,7 @@ AC_PREREQ(2.61)
+ AC_CONFIG_HEADERS([include/autoconf.h])
+ AC_CONFIG_AUX_DIR(cfgaux)
+ AC_CONFIG_SRCDIR([src/main.cc])
+-AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects])
++AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects dist-xz])
+ AC_REVISION($Revision$)dnl
+ AC_PREFIX_DEFAULT(/usr/local/squid)
+ AM_MAINTAINER_MODE

src/patches/squid/03_The_handshake_logformat_code_331.patch

@@ -0,0 +1,132 @@
+commit 0022167d80725513d95b38aaebc90086fc0b6938 (tag: refs/tags/M-staged-PR331, refs/remotes/origin/v4)
+Author: Christos Tsantilas <christos@chtsanti.net>
+Date:   2018-11-14 15:17:06 +0000
+
+    The %>handshake logformat code (#331)
+    
+    Logging client "handshake" bytes is useful in at least two contexts:
+    
+    * Runtime traffic bypass and bumping/splicing decisions. Identifying
+      popular clients like Skype for Business (that uses a TLS handshake but
+      then may not speak TLS) is critical for handling their traffic
+      correctly. Squid does not have enough ACLs to interrogate most TLS
+      handshake aspects. Adding more ACLs may still be a good idea, but
+      initial sketches for SfB handshakes showed rather complex
+      ACLs/configurations, _and_ no reasonable ACLs would be able to handle
+      non-TLS handshakes. An external ACL receiving the handshake is in a
+      much better position to analyze/fingerprint it according to custom
+      admin needs.
+    
+    * A logged handshake can be used to analyze new/unusual traffic or even
+      trigger security-related alarms.
+    
+    The current support is limited to cases where Squid was saving handshake
+    for other reasons. With enough demand, this initial support can be
+    extended to all protocols and port configurations.
+    
+    This is a Measurement Factory project.
+
+diff --git a/src/cf.data.pre b/src/cf.data.pre
+index fa8af56..a8ca587 100644
+--- a/src/cf.data.pre
++++ b/src/cf.data.pre
+@@ -4394,6 +4394,37 @@ DOC_START
+ 		<qos	Server connection TOS/DSCP value set by Squid
+ 		<nfmark Server connection netfilter mark set by Squid
+ 
++		>handshake Raw client handshake
++			Initial client bytes received by Squid on a newly
++			accepted TCP connection or inside a just established
++			CONNECT tunnel. Squid stops accumulating handshake
++			bytes as soon as the handshake parser succeeds or
++			fails (determining whether the client is using the
++			expected protocol).
++
++			For HTTP clients, the handshake is the request line.
++			For TLS clients, the handshake consists of all TLS
++			records up to and including the TLS record that
++			contains the last byte of the first ClientHello
++			message. For clients using an unsupported protocol,
++			this field contains the bytes received by Squid at the
++			time of the handshake parsing failure.
++
++			See the on_unsupported_protocol directive for more
++			information on Squid handshake traffic expectations.
++
++			Current support is limited to these contexts:
++			- http_port connections, but only when the
++			  on_unsupported_protocol directive is in use.
++			- https_port connections (and CONNECT tunnels) that
++			  are subject to the ssl_bump peek or stare action.
++
++			To protect binary handshake data, this field is always
++			base64-encoded (RFC 4648 Section 4). If logformat
++			field encoding is configured, that encoding is applied
++			on top of base64. Otherwise, the computed base64 value
++			is recorded as is.
++
+ 	Time related format codes:
+ 
+ 		ts	Seconds since epoch
+diff --git a/src/format/ByteCode.h b/src/format/ByteCode.h
+index ad230bb..a6f8fd9 100644
+--- a/src/format/ByteCode.h
++++ b/src/format/ByteCode.h
+@@ -46,6 +46,8 @@ typedef enum {
+     LFT_CLIENT_LOCAL_TOS,
+     LFT_CLIENT_LOCAL_NFMARK,
+ 
++    LFT_CLIENT_HANDSHAKE,
++
+     /* client connection local squid.conf details */
+     LFT_LOCAL_LISTENING_IP,
+     LFT_LOCAL_LISTENING_PORT,
+diff --git a/src/format/Format.cc b/src/format/Format.cc
+index c1e19b4..8fd6720 100644
+--- a/src/format/Format.cc
++++ b/src/format/Format.cc
+@@ -8,6 +8,7 @@
+ 
+ #include "squid.h"
+ #include "AccessLogEntry.h"
++#include "base64.h"
+ #include "client_side.h"
+ #include "comm/Connection.h"
+ #include "err_detail_type.h"
+@@ -547,6 +548,24 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS
+             }
+             break;
+ 
++        case LFT_CLIENT_HANDSHAKE:
++            if (al->request && al->request->clientConnectionManager.valid()) {
++                const auto &handshake = al->request->clientConnectionManager->preservedClientData;
++                if (const auto rawLength = handshake.length()) {
++                    // add 1 byte to optimize the c_str() conversion below
++                    char *buf = sb.rawAppendStart(base64_encode_len(rawLength) + 1);
++
++                    struct base64_encode_ctx ctx;
++                    base64_encode_init(&ctx);
++                    auto encLength = base64_encode_update(&ctx, buf, rawLength, reinterpret_cast<const uint8_t*>(handshake.rawContent()));
++                    encLength += base64_encode_final(&ctx, buf + encLength);
++
++                    sb.rawAppendFinish(buf, encLength);
++                    out = sb.c_str();
++                }
++            }
++            break;
++
+         case LFT_TIME_SECONDS_SINCE_EPOCH:
+             // some platforms store time in 32-bit, some 64-bit...
+             outoff = static_cast<int64_t>(current_time.tv_sec);
+diff --git a/src/format/Token.cc b/src/format/Token.cc
+index 186ade5..06c60cf 100644
+--- a/src/format/Token.cc
++++ b/src/format/Token.cc
+@@ -141,6 +141,7 @@ static TokenTableEntry TokenTableMisc[] = {
+     TokenTableEntry("<qos", LFT_SERVER_LOCAL_TOS),
+     TokenTableEntry(">nfmark", LFT_CLIENT_LOCAL_NFMARK),
+     TokenTableEntry("<nfmark", LFT_SERVER_LOCAL_NFMARK),
++    TokenTableEntry(">handshake", LFT_CLIENT_HANDSHAKE),
+     TokenTableEntry("err_code", LFT_SQUID_ERROR ),
+     TokenTableEntry("err_detail", LFT_SQUID_ERROR_DETAIL ),
+     TokenTableEntry("note", LFT_NOTE ),

src/patches/squid/squid-4.4-fix-max-file-descriptors.patch

@@ -1,6 +1,6 @@
 --- configure.ac.~	Wed Apr 20 14:26:07 2016
 +++ configure.ac	Fri Apr 22 17:20:46 2016
-@@ -3135,6 +3135,9 @@
+@@ -3156,6 +3156,9 @@
      ;;
  esac
  
@@ -10,7 +10,7 @@
  dnl --with-maxfd present for compatibility with Squid-2.
  dnl undocumented in ./configure --help  to encourage using the Squid-3 directive
  AC_ARG_WITH(maxfd,,
-@@ -3165,8 +3168,6 @@
+@@ -3186,8 +3189,6 @@
      esac
  ])