Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/squid | 11 +++ src/patches/squid/squid-3.5-14103.patch | 61 ++++++++++++ src/patches/squid/squid-3.5-14104.patch | 66 +++++++++++++ src/patches/squid/squid-3.5-14105.patch | 48 +++++++++ src/patches/squid/squid-3.5-14106.patch | 34 +++++++ src/patches/squid/squid-3.5-14107.patch | 56 +++++++++++ src/patches/squid/squid-3.5-14108.patch | 33 +++++++ src/patches/squid/squid-3.5-14109.patch | 167 ++++++++++++++++++++++++++++++++ src/patches/squid/squid-3.5-14110.patch | 102 +++++++++++++++++++ src/patches/squid/squid-3.5-14111.patch | 43 ++++++++ src/patches/squid/squid-3.5-14112.patch | 60 ++++++++++++ src/patches/squid/squid-3.5-14113.patch | 47 +++++++++ 12 files changed, 728 insertions(+) create mode 100644 src/patches/squid/squid-3.5-14103.patch create mode 100644 src/patches/squid/squid-3.5-14104.patch create mode 100644 src/patches/squid/squid-3.5-14105.patch create mode 100644 src/patches/squid/squid-3.5-14106.patch create mode 100644 src/patches/squid/squid-3.5-14107.patch create mode 100644 src/patches/squid/squid-3.5-14108.patch create mode 100644 src/patches/squid/squid-3.5-14109.patch create mode 100644 src/patches/squid/squid-3.5-14110.patch create mode 100644 src/patches/squid/squid-3.5-14111.patch create mode 100644 src/patches/squid/squid-3.5-14112.patch create mode 100644 src/patches/squid/squid-3.5-14113.patch
diff --git a/lfs/squid b/lfs/squid index 338dcc9..dbe79cb 100644 --- a/lfs/squid +++ b/lfs/squid @@ -74,6 +74,17 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14100.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14101.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14102.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14103.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14104.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14105.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14106.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14107.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14108.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14109.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14110.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14111.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14112.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14113.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.22-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi diff --git a/src/patches/squid/squid-3.5-14103.patch b/src/patches/squid/squid-3.5-14103.patch new file mode 100644 index 0000000..816aa91 --- /dev/null +++ b/src/patches/squid/squid-3.5-14103.patch 
@@ -0,0 +1,61 @@ +------------------------------------------------------------ +revno: 14103 +revision-id: squid3@treenet.co.nz-20161029232628-1y2u918re62uqs3v +parent: squid3@treenet.co.nz-20161025082530-do632qnr9bwyk5et +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4627 +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sun 2016-10-30 12:26:28 +1300 +message: + Bug 4627: fix generate-host-certificates and dynamic_cert_mem_cache_size docs + + For Squid-3 the fix is just to update the documentation. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161029232628-1y2u918re62uqs3v +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: ea728cefc977ea5489da01b7a742821121c29476 +# timestamp: 2016-10-29 23:51:13 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161025082530-\ +# do632qnr9bwyk5et +# +# Begin patch +=== modified file 'src/cf.data.pre' +--- src/cf.data.pre 2016-10-25 08:23:49 +0000 ++++ src/cf.data.pre 2016-10-29 23:26:28 +0000 +@@ -1787,13 +1787,12 @@ + certificate equals lifetime of the CA certificate. If + generated certificate is selfsigned lifetime is three + years. +- This option is enabled by default when ssl-bump is used. +- See the ssl-bump option above for more information. ++ This option is disabled by default. See the ssl-bump ++ option above for more information. + + dynamic_cert_mem_cache_size=SIZE + Approximate total RAM size spent on cached generated +- certificates. If set to zero, caching is disabled. The +- default value is 4MB. ++ certificates. If set to zero, caching is disabled. + + TLS / SSL Options: + +@@ -2063,13 +2062,12 @@ + certificate equals lifetime of CA certificate. If + generated certificate is selfsigned lifetime is three + years. +- This option is enabled by default when SslBump is used. 
+- See the sslBump option above for more information. ++ This option is disabled by default. See the ssl-bump ++ option above for more information. + + dynamic_cert_mem_cache_size=SIZE + Approximate total RAM size spent on cached generated +- certificates. If set to zero, caching is disabled. The +- default value is 4MB. ++ certificates. If set to zero, caching is disabled. + + See http_port for a list of available options. + DOC_END + diff --git a/src/patches/squid/squid-3.5-14104.patch b/src/patches/squid/squid-3.5-14104.patch new file mode 100644 index 0000000..c5d6ed0 --- /dev/null +++ b/src/patches/squid/squid-3.5-14104.patch 
@@ -0,0 +1,66 @@ +------------------------------------------------------------ +revno: 14104 +revision-id: squid3@treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks +parent: squid3@treenet.co.nz-20161029232628-1y2u918re62uqs3v +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sun 2016-10-30 22:38:16 +1300 +message: + Copyright: add some missing blurbs and contributor details +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 8d44709a8f9c34926ce569e58aef82603a3d514b +# timestamp: 2016-10-30 09:40:44 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161029232628-\ +# 1y2u918re62uqs3v +# +# Begin patch +=== modified file 'CONTRIBUTORS' +--- CONTRIBUTORS 2016-01-06 14:27:36 +0000 ++++ CONTRIBUTORS 2016-10-30 09:38:16 +0000 +@@ -211,6 +211,8 @@ + Joe Ramey ramey@jello.csc.ti.com + Joerg Lehrke jlehrke@noc.de + Johnathan Conley johnathan.conley@gmail.com ++ John@MCC.ac.uk ++ John@Pharmweb.NET + John Dilley jad@hpl.hp.com + John M Cooper john.cooper@yourcommunications.co.uk + John Saunders johns@rd.scitec.com.au + +=== modified file 'contrib/url-normalizer.pl' +--- contrib/url-normalizer.pl 1996-12-07 00:54:31 +0000 ++++ contrib/url-normalizer.pl 2016-10-30 09:38:16 +0000 +@@ -1,4 +1,11 @@ + #!/usr/local/bin/perl -Tw ++# ++# * Copyright (C) 1996-2016 The Squid Software Foundation and contributors ++# * ++# * Squid software is distributed under GPLv2+ license and includes ++# * contributions from numerous individuals and organizations. ++# * Please see the COPYING and CONTRIBUTORS files for details. ++# + + # 
From: Markus Gyger mgyger@itr.ch + # + +=== modified file 'contrib/user-agents.pl' +--- contrib/user-agents.pl 1996-12-07 00:28:56 +0000 ++++ contrib/user-agents.pl 2016-10-30 09:38:16 +0000 +@@ -1,5 +1,13 @@ + #!/usr/bin/perl + # ++# * Copyright (C) 1996-2016 The Squid Software Foundation and contributors ++# * ++# * Squid software is distributed under GPLv2+ license and includes ++# * contributions from numerous individuals and organizations. ++# * Please see the COPYING and CONTRIBUTORS files for details. ++# ++ ++# + # John@MCC.ac.uk + # John@Pharmweb.NET + diff --git a/src/patches/squid/squid-3.5-14105.patch b/src/patches/squid/squid-3.5-14105.patch new file mode 100644 index 0000000..d73dcea --- /dev/null +++ b/src/patches/squid/squid-3.5-14105.patch 
@@ -0,0 +1,48 @@ +------------------------------------------------------------ +revno: 14105 +revision-id: squid3@treenet.co.nz-20161030093920-5f7f2px9ea08rxlq +parent: squid3@treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4567 +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sun 2016-10-30 22:39:20 +1300 +message: + Bug 4567: Strange IPv6 shown in access.log +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161030093920-5f7f2px9ea08rxlq +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 8dbae4e7fc5fb80afc6eee6800743abd1b1eaa47 +# timestamp: 2016-10-30 09:40:47 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161030093816-\ +# 7vwnk5zrrql2p5ks +# +# Begin patch +=== modified file 'src/AccessLogEntry.cc' +--- src/AccessLogEntry.cc 2016-01-01 00:14:27 +0000 ++++ src/AccessLogEntry.cc 2016-10-30 09:39:20 +0000 +@@ -30,14 +30,17 @@ + log_ip = request->indirect_client_addr; + else + #endif +- if (tcpClient != NULL) ++ if (tcpClient) + log_ip = tcpClient->remote; +- else if (cache.caddr.isNoAddr()) { // e.g., ICAP OPTIONS lack client +- strncpy(buf, "-", bufsz); +- return; +- } else ++ else + log_ip = cache.caddr; + ++ // internally generated requests (and some ICAP) lack client IP ++ if (log_ip.isNoAddr()) { ++ strncpy(buf, "-", bufsz); ++ return; ++ } ++ + // Apply so-called 'privacy masking' to IPv4 clients + // - localhost IP is always shown in full + // - IPv4 clients masked with client_netmask + diff --git a/src/patches/squid/squid-3.5-14106.patch b/src/patches/squid/squid-3.5-14106.patch new file mode 100644 index 0000000..cd3f63f --- /dev/null +++ b/src/patches/squid/squid-3.5-14106.patch 
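Review bot: The relocated `strncpy(buf, "-", bufsz);` in the new `log_ip.isNoAddr()` block of src/AccessLogEntry.cc leaves `buf` without a terminating NUL if `bufsz` is ever 1, and otherwise zero-fills the whole buffer just to store one character. Since the patch already moves these lines, a bounded formatter would be the safer spelling, `snprintf(buf, bufsz, "-");`. The check now runs after all three address sources, so an unset `indirect_client_addr` or `tcpClient->remote` is also logged as "-"; a one-line comment saying this widening is intended would help whoever reads access.log during an investigation. The enclosing function starts and ends outside the hunk, so the guarantees on `bufsz` cannot be confirmed from here.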
@@ -0,0 +1,34 @@ +------------------------------------------------------------ +revno: 14106 +revision-id: squid3@treenet.co.nz-20161030094025-l4b8fdahoru8h16d +parent: squid3@treenet.co.nz-20161030093920-5f7f2px9ea08rxlq +author: Garri Djavadyan garryd@comnet.uz +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sun 2016-10-30 22:40:25 +1300 +message: + Fix debug message in ACLChecklist::bannedAction() +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161030094025-l4b8fdahoru8h16d +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 4fd7942b294096f5c27e3d460b6d4c79580443e1 +# timestamp: 2016-10-30 09:40:49 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161030093920-\ +# 5f7f2px9ea08rxlq +# +# Begin patch +=== modified file 'src/acl/Checklist.cc' +--- src/acl/Checklist.cc 2016-01-01 00:14:27 +0000 ++++ src/acl/Checklist.cc 2016-10-30 09:40:25 +0000 +@@ -397,7 +397,7 @@ + ACLChecklist::bannedAction(const allow_t &action) const + { + const bool found = std::find(bannedActions_.begin(), bannedActions_.end(), action) != bannedActions_.end(); +- debugs(28, 5, "Action '" << action << "/" << action.kind << (found ? " is " : "is not") << " banned"); ++ debugs(28, 5, "Action '" << action << "/" << action.kind << (found ? "' is " : "' is not") << " banned"); + return found; + } + + diff --git a/src/patches/squid/squid-3.5-14107.patch b/src/patches/squid/squid-3.5-14107.patch new file mode 100644 index 0000000..34b0ace --- /dev/null +++ b/src/patches/squid/squid-3.5-14107.patch 
@@ -0,0 +1,56 @@ +------------------------------------------------------------ +revno: 14107 +revision-id: squid3@treenet.co.nz-20161030094503-rwdft21ffff44rns +parent: squid3@treenet.co.nz-20161030094025-l4b8fdahoru8h16d +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Sun 2016-10-30 22:45:03 +1300 +message: + HTTP/1.1: make Vary:* objects cacheable + + Under new clauses from RFC 7231 section 7.1.4 and HTTP response + containing header Vary:* (wifcard variant) can be cached, but + requires revalidation with server before each use. + + Use the new mandatory revalidation flags to allow storing of any + wildcard Vary:* response. + + Note that responses with headers like Vary:A,B,C,* are equivalent + to Vary:*. The cache key string for these objects is normalized. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161030094503-rwdft21ffff44rns +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 2652a5a689745e31fc450e0dfd1c5c472f6d68d6 +# timestamp: 2016-10-30 09:45:47 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161030094025-\ +# l4b8fdahoru8h16d +# +# Begin patch +=== modified file 'src/http.cc' +--- src/http.cc 2016-10-09 19:47:26 +0000 ++++ src/http.cc 2016-10-30 09:45:03 +0000 +@@ -594,7 +594,7 @@ + while (strListGetItem(&vary, ',', &item, &ilen, &pos)) { + SBuf name(item, ilen); + if (name == asterisk) { +- vstr.clear(); ++ vstr = asterisk; + break; + } + name.toLower(); +@@ -917,6 +917,12 @@ + varyFailure = true; + } else { + entry->mem_obj->vary_headers = vary; ++ ++ // RFC 7231 section 7.1.4 ++ // Vary:* can be cached, but has mandatory revalidation ++ static const SBuf asterisk("*"); ++ if (vary == asterisk) ++ EBIT_SET(entry->flags, ENTRY_REVALIDATE_ALWAYS); + } + } + + 
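Review bot: In the second src/http.cc hunk `ENTRY_REVALIDATE_ALWAYS` is set only when `vary == asterisk` holds exactly, so the mandatory revalidation depends on the first hunk's `vstr = asterisk;` normalisation being what ends up in `vary`. The code that computes `vary` is outside both hunks, so that link is assumed rather than shown. If a wildcard response ever reached the store path under any other key, it would be cached without the revalidation flag and could be served without contacting the origin. Recording the coupling at the assignment would protect it from later edits, for example `// must stay exactly "*": the store path keys ENTRY_REVALIDATE_ALWAYS on this value`. The two `asterisk` constants are separate definitions and could share one.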
diff --git a/src/patches/squid/squid-3.5-14108.patch b/src/patches/squid/squid-3.5-14108.patch new file mode 100644 index 0000000..282fe41 --- /dev/null +++ b/src/patches/squid/squid-3.5-14108.patch @@ -0,0 +1,33 @@ +------------------------------------------------------------ +revno: 14108 +revision-id: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx +parent: squid3@treenet.co.nz-20161030094503-rwdft21ffff44rns +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Wed 2016-11-02 00:22:31 +1300 +message: + Fix build issue after rev.14105 +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: fea1ede525ccb3ad7bf50e8de8f125a86a8dc016 +# timestamp: 2016-11-01 11:51:06 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161030094503-\ +# rwdft21ffff44rns +# +# Begin patch +=== modified file 'src/AccessLogEntry.cc' +--- src/AccessLogEntry.cc 2016-10-30 09:39:20 +0000 ++++ src/AccessLogEntry.cc 2016-11-01 11:22:31 +0000 +@@ -30,7 +30,7 @@ + log_ip = request->indirect_client_addr; + else + #endif +- if (tcpClient) ++ if (tcpClient != NULL) + log_ip = tcpClient->remote; + else + log_ip = cache.caddr; + diff --git a/src/patches/squid/squid-3.5-14109.patch b/src/patches/squid/squid-3.5-14109.patch new file mode 100644 index 0000000..82b7dd2 --- /dev/null +++ b/src/patches/squid/squid-3.5-14109.patch 
@@ -0,0 +1,167 @@ +------------------------------------------------------------ +revno: 14109 +revision-id: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h +parent: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx +fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3379 +author: Garri Djavadyan garryd@comnet.uz, Amos Jeffries squid3@treenet.co.nz +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Fri 2016-11-11 19:03:25 +1300 +message: + Bug 3379: Combination of If-Match and a Cache Hit result in TCP Connection Failure +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 50d66878a765925d9a64569b3c226bebdee1f736 +# timestamp: 2016-11-11 06:10:37 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161101112231-\ +# k77st4up2sekl5zx +# +# Begin patch +=== modified file 'src/client_side_reply.cc' +--- src/client_side_reply.cc 2016-10-09 19:47:26 +0000 ++++ src/client_side_reply.cc 2016-11-11 06:03:25 +0000 +@@ -589,6 +589,7 @@ + debugs(88, 5, "negative-HIT"); + http->logType = LOG_TCP_NEGATIVE_HIT; + sendMoreData(result); ++ return; + } else if (blockedHit()) { + debugs(88, 5, "send_hit forces a MISS"); + http->logType = LOG_TCP_MISS; +@@ -641,27 +642,29 @@ + http->logType = LOG_TCP_MISS; + processMiss(); + } ++ return; + } else if (r->conditional()) { + debugs(88, 5, "conditional HIT"); +- processConditional(result); +- } else { +- /* +- * plain ol' cache hit +- */ +- debugs(88, 5, "plain old HIT"); ++ if (processConditional(result)) ++ return; ++ } ++ ++ /* ++ * plain ol' cache hit ++ */ ++ debugs(88, 5, "plain old HIT"); + + #if USE_DELAY_POOLS +- if (e->store_status != STORE_OK) +- http->logType = LOG_TCP_MISS; +- else ++ if (e->store_status != STORE_OK) ++ 
http->logType = LOG_TCP_MISS; ++ else + #endif +- if (e->mem_status == IN_MEMORY) +- http->logType = LOG_TCP_MEM_HIT; +- else if (Config.onoff.offline) +- http->logType = LOG_TCP_OFFLINE_HIT; ++ if (e->mem_status == IN_MEMORY) ++ http->logType = LOG_TCP_MEM_HIT; ++ else if (Config.onoff.offline) ++ http->logType = LOG_TCP_OFFLINE_HIT; + +- sendMoreData(result); +- } ++ sendMoreData(result); + } + + /** +@@ -755,17 +758,16 @@ + } + + /// process conditional request from client +-void ++bool + clientReplyContext::processConditional(StoreIOBuffer &result) + { + StoreEntry *const e = http->storeEntry(); + + if (e->getReply()->sline.status() != Http::scOkay) { +- debugs(88, 4, "clientReplyContext::processConditional: Reply code " << +- e->getReply()->sline.status() << " != 200"); ++ debugs(88, 4, "Reply code " << e->getReply()->sline.status() << " != 200"); + http->logType = LOG_TCP_MISS; + processMiss(); +- return; ++ return true; + } + + HttpRequest &r = *http->request; +@@ -773,7 +775,7 @@ + if (r.header.has(HDR_IF_MATCH) && !e->hasIfMatchEtag(r)) { + // RFC 2616: reply with 412 Precondition Failed if If-Match did not match + sendPreconditionFailedError(); +- return; ++ return true; + } + + bool matchedIfNoneMatch = false; +@@ -786,14 +788,14 @@ + r.header.delById(HDR_IF_MODIFIED_SINCE); + http->logType = LOG_TCP_MISS; + sendMoreData(result); +- return; ++ return true; + } + + if (!r.flags.ims) { + // RFC 2616: if If-None-Match matched and there is no IMS, + // reply with 304 Not Modified or 412 Precondition Failed + sendNotModifiedOrPreconditionFailedError(); +- return; ++ return true; + } + + // otherwise check IMS below to decide if we reply with 304 or 412 +@@ -805,19 +807,20 @@ + if (e->modifiedSince(r.ims, r.imslen)) { + http->logType = LOG_TCP_IMS_HIT; + sendMoreData(result); +- return; +- } + +- if (matchedIfNoneMatch) { ++ } else if (matchedIfNoneMatch) { + // If-None-Match matched, reply with 304 Not Modified or + // 412 Precondition Failed + 
sendNotModifiedOrPreconditionFailedError(); +- return; ++ ++ } else { ++ // otherwise reply with 304 Not Modified ++ sendNotModified(); + } +- +- // otherwise reply with 304 Not Modified +- sendNotModified(); ++ return true; + } ++ ++ return false; + } + + /// whether squid.conf send_hit prevents us from serving this hit + +=== modified file 'src/client_side_reply.h' +--- src/client_side_reply.h 2016-09-23 15:28:42 +0000 ++++ src/client_side_reply.h 2016-11-11 06:03:25 +0000 +@@ -114,7 +114,7 @@ + bool alwaysAllowResponse(Http::StatusCode sline) const; + int checkTransferDone(); + void processOnlyIfCachedMiss(); +- void processConditional(StoreIOBuffer &result); ++ bool processConditional(StoreIOBuffer &result); + void cacheHit(StoreIOBuffer result); + void handleIMSReply(StoreIOBuffer result); + void sendMoreData(StoreIOBuffer result); + diff --git a/src/patches/squid/squid-3.5-14110.patch b/src/patches/squid/squid-3.5-14110.patch new file mode 100644 index 0000000..0d0a9db --- /dev/null +++ b/src/patches/squid/squid-3.5-14110.patch 
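Review bot: In src/client_side_reply.cc the plain-HIT code now sits after the if/else chain instead of inside its final `else`, so every earlier branch has to end in `return;` or it will fall through to `sendMoreData(result)`. The patch adds `return;` to the negative-HIT branch and to the branch just before `r->conditional()`, but the `blockedHit()` branch and those after it are only partly visible here. It is worth confirming against the full file that each of them returns, because a request that was turned into a MISS would otherwise also be answered from cache. The new `bool` result of `processConditional()` is not documented in either file; I would extend its doc comment to `/// process conditional request from client; returns true if a reply or miss was started, false if the caller should serve a plain hit`.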
@@ -0,0 +1,102 @@ +------------------------------------------------------------ +revno: 14110 +revision-id: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz +parent: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h +author: Christos Tsantilas chtsanti@users.sourceforge.net +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Mon 2016-11-14 23:51:24 +1300 +message: + Fix ssl::server_name ACL badly broken since inception. + + The original server_name code mishandled all SNI checks and some rare + host checks: + + * The SNI-derived value was pointing to an already freed memory storage. + * Missing host-derived values were not detected (host() is never nil). + * Mismatches were re-checked with an undocumented "none" value + instead of being treated as mismatches. + + Same for ssl::server_name_regex. + + Also set SNI for more server-first and client-first transactions. + + This is a Measurement Factory project. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 46aadc410b46d91d597218961dbf1c634fb834fb +# timestamp: 2016-11-14 10:56:00 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161111060325-\ +# yh8chavvnzuvfh3h +# +# Begin patch +=== modified file 'src/acl/ServerName.cc' +--- src/acl/ServerName.cc 2016-09-08 12:27:06 +0000 ++++ src/acl/ServerName.cc 2016-11-14 10:51:24 +0000 +@@ -90,27 +90,28 @@ + { + assert(checklist != NULL && checklist->request != NULL); + +- if (checklist->conn() && checklist->conn()->serverBump()) { +- if (X509 *peer_cert = checklist->conn()->serverBump()->serverCert.get()) { +- if (Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain<MatchType>)) +- return 1; +- } +- } +- + const char *serverName = NULL; +- if (checklist->conn() 
&& !checklist->conn()->sslCommonName().isEmpty()) { +- SBuf scn = checklist->conn()->sslCommonName(); +- serverName = scn.c_str(); +- } +- +- if (serverName == NULL) +- serverName = checklist->request->GetHost(); +- +- if (serverName && data->match(serverName)) { +- return 1; +- } +- +- return data->match("none"); ++ SBuf serverNameKeeper; // because c_str() is not constant ++ if (ConnStateData *conn = checklist->conn()) { ++ if (conn->serverBump()) { ++ if (X509 *peer_cert = conn->serverBump()->serverCert.get()) ++ return Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain<MatchType>); ++ } ++ ++ if (conn->sslCommonName().isEmpty()) { ++ const char *host = checklist->request->GetHost(); ++ if (host && *host) // paranoid first condition: host() is never nil ++ serverName = host; ++ } else { ++ serverNameKeeper = conn->sslCommonName(); ++ serverName = serverNameKeeper.c_str(); ++ } ++ } ++ ++ if (!serverName) ++ serverName = "none"; ++ ++ return data->match(serverName); + } + + ACLServerNameStrategy * + +=== modified file 'src/cf.data.pre' +--- src/cf.data.pre 2016-10-29 23:26:28 +0000 ++++ src/cf.data.pre 2016-11-14 10:51:24 +0000 +@@ -1167,6 +1167,9 @@ + # During each Ssl-Bump step, Squid may improve its understanding of a + # "true server name". Unlike dstdomain, this ACL does not perform + # DNS lookups. ++ # The "none" name can be used to match transactions where Squid ++ # could not compute the server name using any information source ++ # already available at the ACL evaluation time. + + acl aclname ssl::server_name_regex [-i] .foo.com ... + # regex matches server name obtained from various sources [fast] + diff --git a/src/patches/squid/squid-3.5-14111.patch b/src/patches/squid/squid-3.5-14111.patch new file mode 100644 index 0000000..984069b --- /dev/null +++ b/src/patches/squid/squid-3.5-14111.patch 
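Review bot: The fallback `serverName = "none";` in src/acl/ServerName.cc is an in-band sentinel, so the same string arriving as a real value from `conn->sslCommonName()` or `GetHost()` is indistinguishable from "no name could be computed". The visible code does nothing to separate the two cases, and those values appear to originate from the peer (inferred, their sources are outside the hunk). The cf.data.pre text added in this patch documents `none` but not that overlap, so it should say that a rule on `none` must not be the only basis for a permissive decision. The comment on `serverNameKeeper` would be clearer if it stated the lifetime reason, e.g. `// owns the buffer c_str() points into until data->match() returns`. Note also that when a server certificate is present the function now returns the certificate match result directly and no longer consults the SNI or host name.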
@@ -0,0 +1,43 @@ +------------------------------------------------------------ +revno: 14111 +revision-id: squid3@treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay +parent: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz +author: Garri Djavadyan garryd@comnet.uz +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Mon 2016-11-14 23:54:34 +1300 +message: + Fix spelling for digest nonce cache maintenance event +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: 8c91678868beb689db5e0e6eaa6911c44f503ac8 +# timestamp: 2016-11-14 10:56:03 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161114105124-\ +# 46hmtnsg8uj4owxz +# +# Begin patch +=== modified file 'src/auth/digest/Config.cc' +--- src/auth/digest/Config.cc 2016-01-01 00:14:27 +0000 ++++ src/auth/digest/Config.cc 2016-11-14 10:54:34 +0000 +@@ -204,7 +204,7 @@ + if (!digest_nonce_cache) { + digest_nonce_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string); + assert(digest_nonce_cache); +- eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_castAuth::Digest::Config*(Auth::Config::Find("digest"))->nonceGCInterval, 1); ++ eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_castAuth::Digest::Config*(Auth::Config::Find("digest"))->nonceGCInterval, 1); + } + } + +@@ -268,7 +268,7 @@ + debugs(29, 3, "Finished cleaning the nonce cache."); + + if (static_castAuth::Digest::Config*(Auth::Config::Find("digest"))->active()) +- eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_castAuth::Digest::Config*(Auth::Config::Find("digest"))->nonceGCInterval, 1); ++ eventAdd("Digest nonce cache maintenance", 
authenticateDigestNonceCacheCleanup, NULL, static_castAuth::Digest::Config*(Auth::Config::Find("digest"))->nonceGCInterval, 1); + } + + static void + diff --git a/src/patches/squid/squid-3.5-14112.patch b/src/patches/squid/squid-3.5-14112.patch new file mode 100644 index 0000000..a63c1c0 --- /dev/null +++ b/src/patches/squid/squid-3.5-14112.patch 
@@ -0,0 +1,60 @@ +------------------------------------------------------------ +revno: 14112 +revision-id: squid3@treenet.co.nz-20161114124051-s0vzoj5exv5g8w56 +parent: squid3@treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay +author: Alex Rousskov rousskov@measurement-factory.com +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Tue 2016-11-15 01:40:51 +1300 +message: + Honor SBufReservationRequirements::minSize regardless of idealSize. + + In a fully specified SBufReservationRequirements, idealSize would + naturally match or exceed minSize. However, the idealSize default value + (zero) may not. We should honor minSize regardless of idealSize, just as + the API documentation promises to do. + + No runtime changes expected right now because the only existing user of + SBufReservationRequirements sets .idealSize to CLIENT_REQ_BUF_SZ (4096) + and .minSize to 1024. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161114124051-s0vzoj5exv5g8w56 +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: fb0969aa035352582364b529a70286cbfd89564a +# timestamp: 2016-11-14 12:43:10 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161114105434-\ +# f1uvw2lu8l4lpgay +# +# Begin patch +=== modified file 'src/SBuf.cc' +--- src/SBuf.cc 2016-06-18 13:36:07 +0000 ++++ src/SBuf.cc 2016-11-14 12:40:51 +0000 +@@ -178,7 +178,8 @@ + if (!mustRealloc && len_ >= req.maxCapacity) + return spaceSize(); // but we cannot reallocate + +- const size_type newSpace = std::min(req.idealSpace, maxSize - len_); ++ const size_type desiredSpace = std::max(req.minSpace, req.idealSpace); ++ const size_type newSpace = std::min(desiredSpace, maxSize - len_); + reserveCapacity(std::min(len_ + newSpace, req.maxCapacity)); + debugs(24, 7, id << " now: " << off_ << '+' << len_ << '+' << spaceSize() << + '=' 
<< store_->capacity); + +=== modified file 'src/SBuf.h' +--- src/SBuf.h 2016-06-18 13:36:07 +0000 ++++ src/SBuf.h 2016-11-14 12:40:51 +0000 +@@ -635,9 +635,10 @@ + /* + * Parameters are listed in the reverse order of importance: Satisfaction of + * the lower-listed requirements may violate the higher-listed requirements. ++ * For example, idealSpace has no effect unless it exceeds minSpace. + */ + size_type idealSpace; ///< if allocating anyway, provide this much space +- size_type minSpace; ///< allocate if spaceSize() is smaller ++ size_type minSpace; ///< allocate [at least this much] if spaceSize() is smaller + size_type maxCapacity; ///< do not allocate more than this + bool allowShared; ///< whether sharing our storage with others is OK + }; + diff --git a/src/patches/squid/squid-3.5-14113.patch b/src/patches/squid/squid-3.5-14113.patch new file mode 100644 index 0000000..d545026 --- /dev/null +++ b/src/patches/squid/squid-3.5-14113.patch 
@@ -0,0 +1,47 @@ +------------------------------------------------------------ +revno: 14113 +revision-id: squid3@treenet.co.nz-20161115075728-2xj2621oh5bwn8wn +parent: squid3@treenet.co.nz-20161114124051-s0vzoj5exv5g8w56 +committer: Amos Jeffries squid3@treenet.co.nz +branch nick: 3.5 +timestamp: Tue 2016-11-15 20:57:28 +1300 +message: + TLS: Make key= before cert= an error instead of quietly hiding the issue + + This squid.conf setup is fatal in Squid-4. So best to fix these installations. + Even though Squdi-3 can cope with it. +------------------------------------------------------------ +# Bazaar merge directive format 2 (Bazaar 0.90) +# revision_id: squid3@treenet.co.nz-20161115075728-2xj2621oh5bwn8wn +# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# testament_sha1: a18738f4cbf0c1bd368e61d4b19c5d6f5005b919 +# timestamp: 2016-11-15 07:58:39 +0000 +# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 +# base_revision_id: squid3@treenet.co.nz-20161114124051-\ +# s0vzoj5exv5g8w56 +# +# Begin patch +=== modified file 'src/cache_cf.cc' +--- src/cache_cf.cc 2016-09-23 11:11:48 +0000 ++++ src/cache_cf.cc 2016-11-15 07:57:28 +0000 +@@ -2257,6 +2257,9 @@ + safe_free(p->sslcert); + p->sslcert = xstrdup(token + 8); + } else if (strncmp(token, "sslkey=", 7) == 0) { ++ if (!p->sslcert) { ++ debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": sslcert= option must be set before sslkey= is used."); ++ } + safe_free(p->sslkey); + p->sslkey = xstrdup(token + 7); + } else if (strncmp(token, "sslversion=", 11) == 0) { +@@ -3729,6 +3732,9 @@ + safe_free(s->cert); + s->cert = xstrdup(token + 5); + } else if (strncmp(token, "key=", 4) == 0) { ++ if (!s->cert) { ++ debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": cert= option must be set before key= is used."); ++ } + safe_free(s->key); + s->key = xstrdup(token + 4); + } else if (strncmp(token, "version=", 8) == 0) { +
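Review bot: Both new checks in src/cache_cf.cc only log a message; after `debugs(3, DBG_CRITICAL, ...)` execution continues into `safe_free()` and `xstrdup()`, so a key given before its certificate is still accepted even though the commit title calls it an error. The commit message suggests this is deliberate for 3.5, in which case a comment at each site would keep it from being read as an unfinished check, e.g. `// log only: Squid-4 rejects this ordering, 3.5 still accepts it`. Operators should then be told to look for this ERROR line in cache.log, since startup will not fail on a misordered TLS configuration. The same applies to the `sslkey=` hunk and the `key=` hunk; both enclosing parser functions begin and end outside the hunks.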