From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthias Fischer To: development@lists.ipfire.org Subject: [PATCH] squid: Update to 4.5 Date: Tue, 01 Jan 2019 18:39:03 +0100 Message-ID: <20190101173903.20601-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0566642511065899741==" List-Id: --===============0566642511065899741== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable For details see: http://www.squid-cache.org/Versions/v4/changesets/ Best, Matthias Signed-off-by: Matthias Fischer --- lfs/squid | 9 +- ...b_exchange_with_a_TLS_cache_peer_307.patch | 91 ------------ ...all_format_formally_to_make_dist_325.patch | 22 --- .../03_The_handshake_logformat_code_331.patch | 132 ------------------ ... squid-4.5-fix-max-file-descriptors.patch} | 4 +- 5 files changed, 5 insertions(+), 253 deletions(-) delete mode 100644 src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_= peer_307.patch delete mode 100644 src/patches/squid/02_Maintenance_add_xz_tarball_format_fo= rmally_to_make_dist_325.patch delete mode 100644 src/patches/squid/03_The_handshake_logformat_code_331.pat= ch rename src/patches/squid/{squid-4.4-fix-max-file-descriptors.patch =3D> squi= d-4.5-fix-max-file-descriptors.patch} (92%) diff --git a/lfs/squid b/lfs/squid index aaa2d0b96..6033ab394 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 4.4 +VER =3D 4.5 =20 THISAPP =3D squid-$(VER) DL_FILE =3D $(THISAPP).tar.xz @@ -42,7 +42,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D 892504ca9700e1f139a53f84098613bd +$(DL_FILE)_MD5 =3D 8275da5846f9f2243ad2625e5aef2ee0 =20 install : $(TARGET) =20 
@@ -72,10 +72,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Fix_netdb_ex= change_with_a_TLS_cache_peer_307.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Maintenance_= add_xz_tarball_format_formally_to_make_dist_325.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/03_The_handshak= e_logformat_code_331.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.4-fix-m= ax-file-descriptors.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.5-fix-m= ax-file-descriptors.patch =20 cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP)/libltdl && autoreconf -vfi diff --git a/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_30= 7.patch b/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.p= atch deleted file mode 100644 index 09f8961dc..000000000 --- a/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch +++ /dev/null 
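Review bot: The three `patch -Np1` lines dropped here carried upstream v4-branch fixes (PRs 307, 325 and 331, dated Oct–Nov 2018), and the commit message only points at the changeset list, so it should state explicitly that all three are contained in the 4.5 tarball; otherwise this hunk silently regresses the TLS cache_peer netdb fix from `01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch`. Squid 4.5 was cut from that same branch after those dates, so they are presumably included, but that is inferred from the dates rather than shown by this diff. The surviving `squid-4.5-fix-max-file-descriptors.patch` is still applied with `-Np0` before `autoreconf`, which is consistent with the renamed file's hunk offsets moving from 3156/3186 to 3160/3190. Separately, the only integrity check on the new tarball is the `$(DL_FILE)_MD5` value in the earlier hunk; MD5 catches corruption but not substitution, so the commit message should say the hash was taken from a tarball verified against upstream's GPG signature. The `$(TARGET)` recipe continues past the end of this hunk.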
@@ -1,91 +0,0 @@ -commit bc54d7a6f7ec510a25966f2f800d3ea874657546 -Author: chi-mf <43963496+chi-mf(a)users.noreply.github.com> -Date: 2018-10-30 04:48:40 +0000 - - Fix netdb exchange with a TLS cache_peer (#307) - =20 - Squid uses http-scheme URLs when sending netdb exchange (and possibly - other) requests to a cache_peer. If a DIRECT path is selected for that - cache_peer URL, then Squid sends a clear text HTTP request to that - cache_peer. If that cache_peer expects a TLS connection, it will reject - that request (with, e.g., error:transaction-end-before-headers), - resulting in an HTTP 503 or 504 netdb fetch error. - =20 - Workaround this by adding an internalRemoteUri() parameter to indicate - whether https or http URL scheme should be used. Netdb fetches from - CachePeer::secure peers now get an https scheme and, hence, a TLS - connection. - -diff --git a/src/icmp/net_db.cc b/src/icmp/net_db.cc -index 0f488de..526093f 100644 ---- a/src/icmp/net_db.cc -+++ b/src/icmp/net_db.cc -@@ -1282,7 +1282,7 @@ netdbExchangeStart(void *data) - #if USE_ICMP - CachePeer *p =3D (CachePeer *)data; - static const SBuf netDB("netdb"); -- char *uri =3D internalRemoteUri(p->host, p->http_port, "/squid-internal= -dynamic/", netDB); -+ char *uri =3D internalRemoteUri(p->secure.encryptTransport, p->host, p-= >http_port, "/squid-internal-dynamic/", netDB); - debugs(38, 3, "Requesting '" << uri << "'"); - const MasterXaction::Pointer mx =3D new MasterXaction(XactionInitiator:= :initIcmp); - HttpRequest *req =3D HttpRequest::FromUrl(uri, mx); -diff --git a/src/internal.cc b/src/internal.cc -index 6ebc7a6..ff7b4d6 100644 ---- a/src/internal.cc -+++ b/src/internal.cc -@@ -82,7 +82,7 @@ internalStaticCheck(const SBuf &urlPath) - * makes internal url with a given host and port (remote internal url) - */ - char * --internalRemoteUri(const char *host, unsigned short port, const char *dir, c= onst SBuf &name) -+internalRemoteUri(bool encrypt, const char *host, unsigned short port, cons= t char 
*dir, const SBuf &name) - { - static char lc_host[SQUIDHOSTNAMELEN]; - assert(host && !name.isEmpty()); -@@ -115,7 +115,7 @@ internalRemoteUri(const char *host, unsigned short port,= const char *dir, const - static MemBuf mb; -=20 - mb.reset(); -- mb.appendf("http://" SQUIDSBUFPH, SQUIDSBUFPRINT(tmp.authority())); -+ mb.appendf("%s://" SQUIDSBUFPH, encrypt ? "https" : "http", SQUIDSBUFPR= INT(tmp.authority())); -=20 - if (dir) - mb.append(dir, strlen(dir)); -@@ -132,7 +132,10 @@ internalRemoteUri(const char *host, unsigned short port= , const char *dir, const - char * - internalLocalUri(const char *dir, const SBuf &name) - { -- return internalRemoteUri(getMyHostname(), -+ // XXX: getMy*() may return https_port info, but we force http URIs -+ // because we have not checked whether the callers can handle https. -+ const bool secure =3D false; -+ return internalRemoteUri(secure, getMyHostname(), - getMyPort(), dir, name); - } -=20 -diff --git a/src/internal.h b/src/internal.h -index c91f9ac..13a43a6 100644 ---- a/src/internal.h -+++ b/src/internal.h -@@ -24,7 +24,7 @@ void internalStart(const Comm::ConnectionPointer &clientCo= nn, HttpRequest *, Sto - bool internalCheck(const SBuf &urlPath); - bool internalStaticCheck(const SBuf &urlPath); - char *internalLocalUri(const char *dir, const SBuf &name); --char *internalRemoteUri(const char *, unsigned short, const char *, const S= Buf &); -+char *internalRemoteUri(bool, const char *, unsigned short, const char *, c= onst SBuf &); - const char *internalHostname(void); - int internalHostnameIs(const char *); -=20 -diff --git a/src/peer_digest.cc b/src/peer_digest.cc -index 36a8705..f515aaa 100644 ---- a/src/peer_digest.cc -+++ b/src/peer_digest.cc -@@ -323,7 +323,7 @@ peerDigestRequest(PeerDigest * pd) - if (p->digest_url) - url =3D xstrdup(p->digest_url); - else -- url =3D xstrdup(internalRemoteUri(p->host, p->http_port, "/squid-in= ternal-periodic/", SBuf(StoreDigestFileName))); -+ url =3D 
xstrdup(internalRemoteUri(p->secure.encryptTransport, p->ho= st, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName))); - debugs(72, 2, url); -=20 - const MasterXaction::Pointer mx =3D new MasterXaction(XactionInitiator:= :initCacheDigest); diff --git a/src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_= to_make_dist_325.patch b/src/patches/squid/02_Maintenance_add_xz_tarball_form= at_formally_to_make_dist_325.patch deleted file mode 100644 index 58ceaa034..000000000 --- a/src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make= _dist_325.patch +++ /dev/null @@ -1,22 +0,0 @@ -commit 3c23ae8c7431344f8fc50bb5ee8f4b56d08c10a4 -Author: Amos Jeffries -Date: 2018-11-11 04:29:58 +0000 - - Maintenance: add .xz tarball format formally to make dist (#325) - =20 - Automake can now handle generating this format itself and the - experiments of providing it for downstream have gone well. - -diff --git a/configure.ac b/configure.ac -index 3f8af6d..f668567 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -10,7 +10,7 @@ AC_PREREQ(2.61) - AC_CONFIG_HEADERS([include/autoconf.h]) - AC_CONFIG_AUX_DIR(cfgaux) - AC_CONFIG_SRCDIR([src/main.cc]) --AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects]) -+AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects dist-xz]) - AC_REVISION($Revision$)dnl - AC_PREFIX_DEFAULT(/usr/local/squid) - AM_MAINTAINER_MODE diff --git a/src/patches/squid/03_The_handshake_logformat_code_331.patch b/sr= c/patches/squid/03_The_handshake_logformat_code_331.patch deleted file mode 100644 index 2ce8bdc4a..000000000 --- a/src/patches/squid/03_The_handshake_logformat_code_331.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -commit 0022167d80725513d95b38aaebc90086fc0b6938 (tag: refs/tags/M-staged-PR3= 31, refs/remotes/origin/v4) -Author: Christos Tsantilas -Date: 2018-11-14 15:17:06 +0000 - - The %>handshake logformat code (#331) - =20 - Logging client "handshake" bytes is useful in at least two contexts: - =20 - * Runtime traffic bypass and bumping/splicing decisions. Identifying - popular clients like Skype for Business (that uses a TLS handshake but - then may not speak TLS) is critical for handling their traffic - correctly. Squid does not have enough ACLs to interrogate most TLS - handshake aspects. Adding more ACLs may still be a good idea, but - initial sketches for SfB handshakes showed rather complex - ACLs/configurations, _and_ no reasonable ACLs would be able to handle - non-TLS handshakes. An external ACL receiving the handshake is in a - much better position to analyze/fingerprint it according to custom - admin needs. - =20 - * A logged handshake can be used to analyze new/unusual traffic or even - trigger security-related alarms. - =20 - The current support is limited to cases where Squid was saving handshake - for other reasons. With enough demand, this initial support can be - extended to all protocols and port configurations. - =20 - This is a Measurement Factory project. - -diff --git a/src/cf.data.pre b/src/cf.data.pre -index fa8af56..a8ca587 100644 ---- a/src/cf.data.pre -+++ b/src/cf.data.pre -@@ -4394,6 +4394,37 @@ DOC_START - handshake Raw client handshake -+ Initial client bytes received by Squid on a newly -+ accepted TCP connection or inside a just established -+ CONNECT tunnel. Squid stops accumulating handshake -+ bytes as soon as the handshake parser succeeds or -+ fails (determining whether the client is using the -+ expected protocol). -+ -+ For HTTP clients, the handshake is the request line. 
-+ For TLS clients, the handshake consists of all TLS -+ records up to and including the TLS record that -+ contains the last byte of the first ClientHello -+ message. For clients using an unsupported protocol, -+ this field contains the bytes received by Squid at the -+ time of the handshake parsing failure. -+ -+ See the on_unsupported_protocol directive for more -+ information on Squid handshake traffic expectations. -+ -+ Current support is limited to these contexts: -+ - http_port connections, but only when the -+ on_unsupported_protocol directive is in use. -+ - https_port connections (and CONNECT tunnels) that -+ are subject to the ssl_bump peek or stare action. -+ -+ To protect binary handshake data, this field is always -+ base64-encoded (RFC 4648 Section 4). If logformat -+ field encoding is configured, that encoding is applied -+ on top of base64. Otherwise, the computed base64 value -+ is recorded as is. -+ - Time related format codes: -=20 - ts Seconds since epoch -diff --git a/src/format/ByteCode.h b/src/format/ByteCode.h -index ad230bb..a6f8fd9 100644 ---- a/src/format/ByteCode.h -+++ b/src/format/ByteCode.h -@@ -46,6 +46,8 @@ typedef enum { - LFT_CLIENT_LOCAL_TOS, - LFT_CLIENT_LOCAL_NFMARK, -=20 -+ LFT_CLIENT_HANDSHAKE, -+ - /* client connection local squid.conf details */ - LFT_LOCAL_LISTENING_IP, - LFT_LOCAL_LISTENING_PORT, -diff --git a/src/format/Format.cc b/src/format/Format.cc -index c1e19b4..8fd6720 100644 ---- a/src/format/Format.cc -+++ b/src/format/Format.cc -@@ -8,6 +8,7 @@ -=20 - #include "squid.h" - #include "AccessLogEntry.h" -+#include "base64.h" - #include "client_side.h" - #include "comm/Connection.h" - #include "err_detail_type.h" -@@ -547,6 +548,24 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEnt= ry::Pointer &al, int logS - } - break; -=20 -+ case LFT_CLIENT_HANDSHAKE: -+ if (al->request && al->request->clientConnectionManager.valid()= ) { -+ const auto &handshake =3D al->request->clientConnectionMana= 
ger->preservedClientData; -+ if (const auto rawLength =3D handshake.length()) { -+ // add 1 byte to optimize the c_str() conversion below -+ char *buf =3D sb.rawAppendStart(base64_encode_len(rawLe= ngth) + 1); -+ -+ struct base64_encode_ctx ctx; -+ base64_encode_init(&ctx); -+ auto encLength =3D base64_encode_update(&ctx, buf, rawL= ength, reinterpret_cast(handshake.rawContent())); -+ encLength +=3D base64_encode_final(&ctx, buf + encLengt= h); -+ -+ sb.rawAppendFinish(buf, encLength); -+ out =3D sb.c_str(); -+ } -+ } -+ break; -+ - case LFT_TIME_SECONDS_SINCE_EPOCH: - // some platforms store time in 32-bit, some 64-bit... - outoff =3D static_cast(current_time.tv_sec); -diff --git a/src/format/Token.cc b/src/format/Token.cc -index 186ade5..06c60cf 100644 ---- a/src/format/Token.cc -+++ b/src/format/Token.cc -@@ -141,6 +141,7 @@ static TokenTableEntry TokenTableMisc[] =3D { - TokenTableEntry("nfmark", LFT_CLIENT_LOCAL_NFMARK), - TokenTableEntry("handshake", LFT_CLIENT_HANDSHAKE), - TokenTableEntry("err_code", LFT_SQUID_ERROR ), - TokenTableEntry("err_detail", LFT_SQUID_ERROR_DETAIL ), - TokenTableEntry("note", LFT_NOTE ), diff --git a/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch b/src= /patches/squid/squid-4.5-fix-max-file-descriptors.patch similarity index 92% rename from src/patches/squid/squid-4.4-fix-max-file-descriptors.patch rename to src/patches/squid/squid-4.5-fix-max-file-descriptors.patch index 8d1a4e03a..57fd0a6a6 100644 --- a/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch +++ b/src/patches/squid/squid-4.5-fix-max-file-descriptors.patch @@ -1,6 +1,6 @@ --- configure.ac.~ Wed Apr 20 14:26:07 2016 +++ configure.ac Fri Apr 22 17:20:46 2016 -@@ -3156,6 +3156,9 @@ +@@ -3160,6 +3160,9 @@ ;; esac =20 
@@ -10,7 +10,7 @@ dnl --with-maxfd present for compatibility with Squid-2. dnl undocumented in ./configure --help to encourage using the Squid-3 dire= ctive AC_ARG_WITH(maxfd,, -@@ -3186,8 +3189,6 @@ +@@ -3190,8 +3193,6 @@ esac ]) =20 --=20 2.18.0 --===============0566642511065899741==--