diff -u -r -N squid-4.0.18/acinclude/lib-checks.m4 squid-4.0.19/acinclude/lib-checks.m4 --- squid-4.0.18/acinclude/lib-checks.m4 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/acinclude/lib-checks.m4 2017-04-02 19:43:45.000000000 +1200 @@ -5,33 +5,6 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -dnl checks whether dbopen needs -ldb to be added to libs -dnl sets ac_cv_dbopen_libdb to either "yes" or "no" - -AC_DEFUN([SQUID_CHECK_DBOPEN_NEEDS_LIBDB],[ - AC_CACHE_CHECK(if dbopen needs -ldb,ac_cv_dbopen_libdb, [ - SQUID_STATE_SAVE(dbopen_libdb) - LIBS="$LIBS -ldb" - AC_LINK_IFELSE([AC_LANG_PROGRAM([[ -#if HAVE_SYS_TYPES_H -#include -#endif -#if HAVE_LIMITS_H -#include -#endif -#if HAVE_DB_185_H -#include -#elif HAVE_DB_H -#include -#endif]], -[[dbopen("", 0, 0, DB_HASH, (void *)0L)]])], - [ac_cv_dbopen_libdb="yes"], - [ac_cv_dbopen_libdb="no"]) - SQUID_STATE_ROLLBACK(dbopen_libdb) - ]) -]) - - dnl check whether regex works by actually compiling one dnl sets squid_cv_regex_works to either yes or no diff -u -r -N squid-4.0.18/ChangeLog squid-4.0.19/ChangeLog --- squid-4.0.18/ChangeLog 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/ChangeLog 2017-04-02 19:43:45.000000000 +1200 
@@ -1,3 +1,21 @@
+Changes to squid-4.0.19 (02 Apr 2017):
+
+ - Bug 4674: delay_parameters for class 3 and 4 assertion failed
+ - Bug 4671: GCC 7 compile errors
+ - Bug 4663: GCC 5+ compile errors with optimization level -O3
+ - Bug 4657: delay IDENT until after PROXY protocol handling
+ - Bug 4610: cleanup of BerkleyDB related checks
+ - squidclient: Fix missing error handling on PUT
+ - digest_ldap_auth: Add -r option to clamp the realm to a fixed value
+ - TLS: initial GnuTLS support for encrypted server connections
+ - Fix appending Http::HdrType::VIA code
+ - Fix URI scheme case-sensitivity treatment
+ - Fix two read-ahead problems related to delay pools (or lack thereof)
+ - Detail swapfile header inconsistencies
+ - ... and several build fixes
+ - ... and many code polishing updates
+ - ... and all fixes from 3.5.25
+
 Changes to squid-4.0.18 (06 Feb 2017):
 - Bug 4661: compile error 'warning: _XPG4_2 redefined' with GCC on Solaris 10
@@ -267,6 +285,18 @@
 - ... and many documentation changes
 - ... and much code cleanup and polishing
+Changes to squid-3.5.25 (02 Apr 2017):
+
+ - Bug 4688: various typo error(s) in man page(s)
+ - Bug 4508: Host forgery stalls intercepted being-spliced connections
+ - Native FTP relay: NAT and TPROXY interception fixes
+ - Fix missing CRLF on FTP timeout ABORT commands
+ - TLS: Bump client on errors encountered before ssl_bump evaluation
+ - ext_kerberos_ldap_group_acl: fix unused value warnings
+ - Fix crash when configuring with invalid delay_parameters restore value.
+ - Check that -k argument is provided before trying to use it.
+ - ... and some build fixes
+
 Changes to squid-3.5.24 (28 Jan 2017):
 - Regression Bug 3940: Make 'cache deny' do what is documented
diff -u -r -N squid-4.0.18/compat/compat.h squid-4.0.19/compat/compat.h
--- squid-4.0.18/compat/compat.h 2017-02-06 10:15:41.000000000 +1300
+++ squid-4.0.19/compat/compat.h 2017-04-02 19:43:45.000000000 +1200
@@ -11,7 +11,7 @@ /* * From discussions it was chosen to push compat code as far down as possible. - * That means we can have a seperate compat for most + * That means we can have a separate compat for most * compatability and portability hacks and resolutions. * * This file is meant to collate all those hacks files together and diff -u -r -N squid-4.0.18/compat/Makefile.in squid-4.0.19/compat/Makefile.in --- squid-4.0.18/compat/Makefile.in 2017-02-06 10:17:14.000000000 +1300 +++ squid-4.0.19/compat/Makefile.in 2017-04-02 19:45:20.000000000 +1200 @@ -560,7 +560,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/configure squid-4.0.19/configure --- squid-4.0.18/configure 2017-02-06 10:18:33.000000000 +1300 +++ squid-4.0.19/configure 2017-04-02 19:46:37.000000000 +1200 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for Squid Web Proxy 4.0.18. +# Generated by GNU Autoconf 2.69 for Squid Web Proxy 4.0.19. # # Report bugs to . # @@ -595,8 +595,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='4.0.18' -PACKAGE_STRING='Squid Web Proxy 4.0.18' +PACKAGE_VERSION='4.0.19' +PACKAGE_STRING='Squid Web Proxy 4.0.19' PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' PACKAGE_URL='' @@ -665,7 +665,6 @@ ENABLE_POLL_FALSE ENABLE_POLL_TRUE LIBOBJS -LIB_DB ALLOCA LIBCPPUNIT_LIBS LIBCPPUNIT_CFLAGS @@ -1648,7 +1647,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 4.0.18 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 4.0.19 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1719,7 +1718,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 4.0.18:";; + short | recursive ) echo "Configuration of Squid Web Proxy 4.0.19:";; esac cat <<\_ACEOF @@ -2148,7 +2147,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 4.0.18 +Squid Web Proxy configure 4.0.19 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3252,7 +3251,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 4.0.18, which was +It was created by Squid Web Proxy $as_me 4.0.19, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4119,7 +4118,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='4.0.18' + VERSION='4.0.19' cat >>confdefs.h <<_ACEOF @@ -4675,10 +4674,6 @@ - - - - ## Copyright (C) 1996-2017 The Squid Software Foundation and contributors ## ## Squid software is distributed under GPLv2+ license and includes 
@@ -34594,22 +34589,40 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -cat confdefs.h - <<_ACEOF >conftest.$ac_ext +for ac_header in db.h +do : + ac_fn_cxx_check_header_mongrel "$LINENO" "db.h" "ac_cv_header_db_h" "$ac_includes_default" +if test "x$ac_cv_header_db_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_DB_H 1 +_ACEOF + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { -DB_ENV *db_env = NULL; db_env_create(&db_env, 0); + + DB_ENV *db_env = nullptr; + db_env_create(&db_env, 0); + ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO"; then : - BUILD_HELPER="session" + + BUILD_HELPER="session" + fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +done + + elif test "x$helper" = "xtime_quota" ; then ## Copyright (C) 1996-2017 The Squid Software Foundation and contributors @@ -34627,11 +34640,17 @@ #define HAVE_DB_185_H 1 _ACEOF BUILD_HELPER="time_quota" -fi +else -done + for ac_header in db.h +do : + ac_fn_cxx_check_header_mongrel "$LINENO" "db.h" "ac_cv_header_db_h" "$ac_includes_default" +if test "x$ac_cv_header_db_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_DB_H 1 +_ACEOF -cat confdefs.h - <<_ACEOF >conftest.$ac_ext + cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include @@ -34643,6 +34662,16 @@ rm -f conftest* +fi + +done + + +fi + +done + + elif test "x$helper" = "xunix_group" ; then ## Copyright (C) 1996-2017 The Squid Software Foundation and contributors @@ -35952,8 +35981,6 @@ glib.h \ stdint.h \ inttypes.h \ - db.h \ - db_185.h \ wchar.h do : 
@@ -39171,118 +39198,6 @@ ;; esac -DBLIB= - -ac_fn_cxx_check_decl "$LINENO" "dbopen" "ac_cv_have_decl_dbopen" " -#if HAVE_SYS_TYPES_H -#include -#endif -#if HAVE_LIMITS_H -#include -#endif -#if HAVE_DB_185_H -#include -#elif HAVE_DB_H -#include -#endif -" -if test "x$ac_cv_have_decl_dbopen" = xyes; then : - -fi - - - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if dbopen needs -ldb" >&5 -$as_echo_n "checking if dbopen needs -ldb... " >&6; } -if ${ac_cv_dbopen_libdb+:} false; then : - $as_echo_n "(cached) " >&6 -else - - -# save state, key is dbopen_libdb -dbopen_libdb_CFLAGS="${CFLAGS}" -dbopen_libdb_CXXFLAGS="${CXXFLAGS}" -dbopen_libdb_LDFLAGS="${LDFLAGS}" -dbopen_libdb_LIBS="${LIBS}" -dbopen_libdb_CC="${CC}" -dbopen_libdb_CXX="${CXX}" -dbopen_libdb_CPPFLAGS="${CPPFLAGS}" -dbopen_libdb_squid_saved_vars="" -for squid_util_var_tosave in $dbopen_libdb_squid_saved_vars -do - squid_util_var_tosave2="dbopen_libdb_${squid_util_var_tosave}" - eval "${squid_util_var_tosave2}=\"${squid_util_var_tosave}\"" -done - - LIBS="$LIBS -ldb" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. 
*/ - -#if HAVE_SYS_TYPES_H -#include -#endif -#if HAVE_LIMITS_H -#include -#endif -#if HAVE_DB_185_H -#include -#elif HAVE_DB_H -#include -#endif -int -main () -{ -dbopen("", 0, 0, DB_HASH, (void *)0L) - ; - return 0; -} -_ACEOF -if ac_fn_cxx_try_link "$LINENO"; then : - ac_cv_dbopen_libdb="yes" -else - ac_cv_dbopen_libdb="no" -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - -# rollback state, key is dbopen_libdb -CFLAGS="${dbopen_libdb_CFLAGS}" -CXXFLAGS="${dbopen_libdb_CXXFLAGS}" -LDFLAGS="${dbopen_libdb_LDFLAGS}" -LIBS="${dbopen_libdb_LIBS}" -CC="${dbopen_libdb_CC}" -CXX="${dbopen_libdb_CXX}" -CPPFLAGS="${dbopen_libdb_CPPFLAGS}" -for squid_util_var_tosave in $dbopen_libdb_squid_saved_vars -do - squid_util_var_tosave2="\$dbopen_libdb_${squid_util_var_tosave}" - eval "$squid_util_var_tosave=\"${squid_util_var_tosave2}\"" -done - -# commit state, key is dbopen_libdb -unset dbopen_libdb_CFLAGS -unset dbopen_libdb_CXXFLAGS -unset dbopen_libdb_LDFLAGS -unset dbopen_libdb_LIBS -unset dbopen_libdb_CC -unset dbopen_libdb_CXX -unset dbopen_libdb_CPPFLAGS -for squid_util_var_tosave in $dbopen_libdb_squid_saved_vars -do - unset ${squid_util_var_tosave} -done - - - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_dbopen_libdb" >&5 -$as_echo "$ac_cv_dbopen_libdb" >&6; } - -if test "x$ac_cv_dbopen_libdb" = "xyes"; then - LIB_DB="-ldb" -fi - - case "$host" in i386-*-solaris2.*) if test "x$GCC" = "xyes"; then @@ -42599,7 +42514,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 4.0.18, which was +This file was extended by Squid Web Proxy $as_me 4.0.19, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -42665,7 +42580,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Squid Web Proxy config.status 4.0.18 +Squid Web Proxy config.status 4.0.19 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -u -r -N squid-4.0.18/configure.ac squid-4.0.19/configure.ac --- squid-4.0.18/configure.ac 2017-02-06 10:18:33.000000000 +1300 +++ squid-4.0.19/configure.ac 2017-04-02 19:46:37.000000000 +1200 @@ -5,7 +5,7 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -AC_INIT([Squid Web Proxy],[4.0.18],[http://bugs.squid-cache.org/],[squid]) +AC_INIT([Squid Web Proxy],[4.0.19],[http://bugs.squid-cache.org/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) @@ -2848,8 +2848,6 @@ glib.h \ stdint.h \ inttypes.h \ - db.h \ - db_185.h \ wchar.h ) @@ -3183,32 +3181,6 @@ ;; esac -dnl Check for libdb -dnl this is not fully functional if db.h is for a differend db version -DBLIB= - -dnl check that dbopen is actually defined in the header -dnl FIXME: in case of failure undef db-related includes etc. -AC_CHECK_DECL(dbopen,,,[ -#if HAVE_SYS_TYPES_H -#include -#endif -#if HAVE_LIMITS_H -#include -#endif -#if HAVE_DB_185_H -#include -#elif HAVE_DB_H -#include -#endif]) - -dnl 1.85 -SQUID_CHECK_DBOPEN_NEEDS_LIBDB -if test "x$ac_cv_dbopen_libdb" = "xyes"; then - LIB_DB="-ldb" -fi -AC_SUBST(LIB_DB) - dnl System-specific library modifications dnl case "$host" in diff -u -r -N squid-4.0.18/contrib/Makefile.in squid-4.0.19/contrib/Makefile.in --- squid-4.0.18/contrib/Makefile.in 2017-02-06 10:17:14.000000000 +1300 +++ squid-4.0.19/contrib/Makefile.in 2017-04-02 19:45:21.000000000 +1200 
@@ -273,7 +273,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/doc/Makefile.in squid-4.0.19/doc/Makefile.in --- squid-4.0.18/doc/Makefile.in 2017-02-06 10:17:15.000000000 +1300 +++ squid-4.0.19/doc/Makefile.in 2017-04-02 19:45:21.000000000 +1200 @@ -328,7 +328,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/doc/manuals/Makefile.in squid-4.0.19/doc/manuals/Makefile.in --- squid-4.0.18/doc/manuals/Makefile.in 2017-02-06 10:17:15.000000000 +1300 +++ squid-4.0.19/doc/manuals/Makefile.in 2017-04-02 19:45:21.000000000 +1200 @@ -268,7 +268,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/doc/release-notes/Makefile.in squid-4.0.19/doc/release-notes/Makefile.in --- squid-4.0.18/doc/release-notes/Makefile.in 2017-02-06 10:17:15.000000000 +1300 +++ squid-4.0.19/doc/release-notes/Makefile.in 2017-04-02 19:45:21.000000000 +1200 @@ -268,7 +268,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/doc/release-notes/release-4.html squid-4.0.19/doc/release-notes/release-4.html --- squid-4.0.18/doc/release-notes/release-4.html 2017-02-06 13:41:22.000000000 +1300 +++ squid-4.0.19/doc/release-notes/release-4.html 2017-04-02 23:47:27.000000000 +1200 @@ -2,10 +2,10 @@ - Squid 4.0.18 release notes + Squid 4.0.19 release notes -

Squid 4.0.18 release notes

+

Squid 4.0.19 release notes

Squid Developers


@@ -31,6 +31,7 @@
  • 2.5 Secure ICAP
  • 2.6 Improved SMP support
  • 2.7 Improved process management +
  • 2.8 Initial GnuTLS support

    3. Changes to squid.conf since Squid-3.5

    @@ -61,7 +62,7 @@

    1. Notice

    -

    The Squid Team are pleased to announce the release of Squid-4.0.18 for testing.

    +

    The Squid Team are pleased to announce the release of Squid-4.0.19 for testing.

    This new release is available for download from http://www.squid-cache.org/Versions/v4/ or the mirrors.

    @@ -83,6 +84,11 @@ GCC 4.9+ and Clang 3.5+ are known to have working C++11 support and are usable. GCC-4.8 will also build for now despite lack of full C++11 support, but some future features may not be available.

    +

    This release does not support LibreSSL. +Due to a bug in the way LibreSSL uses the OpenSSL version macro some changes +necessary to support OpenSSL 1.1 prevent building with LibreSSL.

    + +

    1.2 Changes since earlier releases of Squid-4

    @@ -103,6 +109,7 @@
  • Secure ICAP
  • Improved SMP support
  • Improved process management
  • +
  • Initial GnuTLS support
  • Most user-facing changes are reflected in squid.conf (see below).

    @@ -240,6 +247,23 @@ finished.

    +

    2.8 Initial GnuTLS support +

    + +

    If all you need is a proxy that connects over TLS/SSL to a cache_peer +or accepts https:// URLs over clear-text and performs the necessary +upstream TLS connections. Then you now have the choice to build Squid with +GnuTLS instead of OpenSSL.

    + +

    squid.conf directives and configuration options which have undergone +name changes from 'ssl' to 'tls' prefix in Squid-4 have GnuTLS support, unless +explicitly stated otherwise.

    + +

    Advanced configuration with specific selection of ciphers and similar settings +should still work, but needs the GnuTLS Priority Strings instead of +the OpenSSL options when using GnuTLS.

    + +

    3. Changes to squid.conf since Squid-3.5

    There have been changes to Squid's configuration file since Squid-3.5.

    diff -u -r -N squid-4.0.18/errors/Makefile.in squid-4.0.19/errors/Makefile.in --- squid-4.0.18/errors/Makefile.in 2017-02-06 10:17:15.000000000 +1300 +++ squid-4.0.19/errors/Makefile.in 2017-04-02 19:45:21.000000000 +1200 @@ -269,7 +269,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/icons/Makefile.in squid-4.0.19/icons/Makefile.in --- squid-4.0.18/icons/Makefile.in 2017-02-06 10:17:15.000000000 +1300 +++ squid-4.0.19/icons/Makefile.in 2017-04-02 19:45:22.000000000 +1200 @@ -298,7 +298,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/include/version.h squid-4.0.19/include/version.h --- squid-4.0.18/include/version.h 2017-02-06 10:18:33.000000000 +1300 +++ squid-4.0.19/include/version.h 2017-04-02 19:46:37.000000000 +1200 @@ -7,7 +7,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1486329334 +#define SQUID_RELEASE_TIME 1491119016 #endif /* diff -u -r -N squid-4.0.18/lib/libTrie/Makefile.am squid-4.0.19/lib/libTrie/Makefile.am --- squid-4.0.18/lib/libTrie/Makefile.am 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/lib/libTrie/Makefile.am 2017-04-02 19:43:45.000000000 +1200 @@ -8,8 +8,8 @@ include $(top_srcdir)/src/Common.am include $(top_srcdir)/src/TestHeaders.am -DIST_SUBDIRS = test -SUBDIRS = test +DIST_SUBDIRS = . test +SUBDIRS = . test noinst_LIBRARIES = libTrie.a diff -u -r -N squid-4.0.18/lib/libTrie/Makefile.in squid-4.0.19/lib/libTrie/Makefile.in --- squid-4.0.18/lib/libTrie/Makefile.in 2017-02-06 10:17:17.000000000 +1300 +++ squid-4.0.19/lib/libTrie/Makefile.in 2017-04-02 19:45:23.000000000 +1200 
@@ -592,7 +592,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ @@ -761,8 +760,8 @@ @ENABLE_XPROF_STATS_TRUE@LIBPROFILER = $(top_builddir)/lib/profiler/libprofiler.la COMPAT_LIB = $(top_builddir)/compat/libcompatsquid.la $(LIBPROFILER) subst_perlshell = sed -e 's,[@]PERL[@],$(PERL),g' <$(srcdir)/$@.pl.in >$@ || ($(RM) -f $@ ; exit 1) -DIST_SUBDIRS = test -SUBDIRS = test +DIST_SUBDIRS = . test +SUBDIRS = . test noinst_LIBRARIES = libTrie.a noinst_HEADERS = Trie.h TrieNode.h TrieCharTransform.h libTrie_a_SOURCES = Trie.cc \ diff -u -r -N squid-4.0.18/lib/libTrie/test/Makefile.in squid-4.0.19/lib/libTrie/test/Makefile.in --- squid-4.0.18/lib/libTrie/test/Makefile.in 2017-02-06 10:17:17.000000000 +1300 +++ squid-4.0.19/lib/libTrie/test/Makefile.in 2017-04-02 19:45:23.000000000 +1200 @@ -523,7 +523,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/lib/Makefile.in squid-4.0.19/lib/Makefile.in --- squid-4.0.18/lib/Makefile.in 2017-02-06 10:17:16.000000000 +1300 +++ squid-4.0.19/lib/Makefile.in 2017-04-02 19:45:22.000000000 +1200 @@ -632,7 +632,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/lib/ntlmauth/Makefile.in squid-4.0.19/lib/ntlmauth/Makefile.in --- squid-4.0.18/lib/ntlmauth/Makefile.in 2017-02-06 10:17:18.000000000 +1300 +++ squid-4.0.19/lib/ntlmauth/Makefile.in 2017-04-02 19:45:24.000000000 +1200 
@@ -543,7 +543,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/lib/profiler/Makefile.in squid-4.0.19/lib/profiler/Makefile.in --- squid-4.0.18/lib/profiler/Makefile.in 2017-02-06 10:17:18.000000000 +1300 +++ squid-4.0.19/lib/profiler/Makefile.in 2017-04-02 19:45:25.000000000 +1200 @@ -547,7 +547,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/lib/rfcnb/Makefile.in squid-4.0.19/lib/rfcnb/Makefile.in --- squid-4.0.18/lib/rfcnb/Makefile.in 2017-02-06 10:17:19.000000000 +1300 +++ squid-4.0.19/lib/rfcnb/Makefile.in 2017-04-02 19:45:25.000000000 +1200 @@ -523,7 +523,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/lib/smblib/Makefile.in squid-4.0.19/lib/smblib/Makefile.in --- squid-4.0.18/lib/smblib/Makefile.in 2017-02-06 10:17:19.000000000 +1300 +++ squid-4.0.19/lib/smblib/Makefile.in 2017-04-02 19:45:26.000000000 +1200 @@ -524,7 +524,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/lib/snmplib/Makefile.in squid-4.0.19/lib/snmplib/Makefile.in --- squid-4.0.18/lib/snmplib/Makefile.in 2017-02-06 10:17:20.000000000 +1300 +++ squid-4.0.19/lib/snmplib/Makefile.in 2017-04-02 19:45:26.000000000 +1200 
@@ -319,7 +319,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/Makefile.in squid-4.0.19/Makefile.in --- squid-4.0.18/Makefile.in 2017-02-06 10:17:13.000000000 +1300 +++ squid-4.0.19/Makefile.in 2017-04-02 19:45:20.000000000 +1200 @@ -356,7 +356,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/RELEASENOTES.html squid-4.0.19/RELEASENOTES.html --- squid-4.0.18/RELEASENOTES.html 2017-02-06 13:41:22.000000000 +1300 +++ squid-4.0.19/RELEASENOTES.html 2017-04-02 23:47:27.000000000 +1200 @@ -2,10 +2,10 @@ - Squid 4.0.18 release notes + Squid 4.0.19 release notes -

    Squid 4.0.18 release notes

    +

    Squid 4.0.19 release notes

    Squid Developers


    @@ -31,6 +31,7 @@
  • 2.5 Secure ICAP
  • 2.6 Improved SMP support
  • 2.7 Improved process management +
  • 2.8 Initial GnuTLS support

    3. Changes to squid.conf since Squid-3.5

    @@ -61,7 +62,7 @@

    1. Notice

    -

    The Squid Team are pleased to announce the release of Squid-4.0.18 for testing.

    +

    The Squid Team are pleased to announce the release of Squid-4.0.19 for testing.

    This new release is available for download from http://www.squid-cache.org/Versions/v4/ or the mirrors.

    @@ -83,6 +84,11 @@ GCC 4.9+ and Clang 3.5+ are known to have working C++11 support and are usable. GCC-4.8 will also build for now despite lack of full C++11 support, but some future features may not be available.

    +

    This release does not support LibreSSL. +Due to a bug in the way LibreSSL uses the OpenSSL version macro some changes +necessary to support OpenSSL 1.1 prevent building with LibreSSL.

    + +

    1.2 Changes since earlier releases of Squid-4

    @@ -103,6 +109,7 @@
  • Secure ICAP
  • Improved SMP support
  • Improved process management
  • +
  • Initial GnuTLS support
  • Most user-facing changes are reflected in squid.conf (see below).

    @@ -240,6 +247,23 @@ finished.

    +

    2.8 Initial GnuTLS support +

    + +

    If all you need is a proxy that connects over TLS/SSL to a cache_peer +or accepts https:// URLs over clear-text and performs the necessary +upstream TLS connections. Then you now have the choice to build Squid with +GnuTLS instead of OpenSSL.

    + +

    squid.conf directives and configuration options which have undergone +name changes from 'ssl' to 'tls' prefix in Squid-4 have GnuTLS support, unless +explicitly stated otherwise.

    + +

    Advanced configuration with specific selection of ciphers and similar settings +should still work, but needs the GnuTLS Priority Strings instead of +the OpenSSL options when using GnuTLS.

    + +

    3. Changes to squid.conf since Squid-3.5

    There have been changes to Squid's configuration file since Squid-3.5.

    diff -u -r -N squid-4.0.18/scripts/Makefile.in squid-4.0.19/scripts/Makefile.in --- squid-4.0.18/scripts/Makefile.in 2017-02-06 10:17:20.000000000 +1300 +++ squid-4.0.19/scripts/Makefile.in 2017-04-02 19:45:26.000000000 +1200 @@ -271,7 +271,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/acl/external/AD_group/Makefile.in squid-4.0.19/src/acl/external/AD_group/Makefile.in --- squid-4.0.18/src/acl/external/AD_group/Makefile.in 2017-02-06 10:17:28.000000000 +1300 +++ squid-4.0.19/src/acl/external/AD_group/Makefile.in 2017-04-02 19:45:36.000000000 +1200 @@ -533,7 +533,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/acl/external/delayer/ext_delayer_acl.8 squid-4.0.19/src/acl/external/delayer/ext_delayer_acl.8 --- squid-4.0.18/src/acl/external/delayer/ext_delayer_acl.8 2017-02-06 13:42:20.000000000 +1300 +++ squid-4.0.19/src/acl/external/delayer/ext_delayer_acl.8 2017-04-02 23:48:24.000000000 +1200 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "EXT_DELAYER_ACL 8" -.TH EXT_DELAYER_ACL 8 "2017-02-06" "perl v5.24.1" "User Contributed Perl Documentation" +.TH EXT_DELAYER_ACL 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.0.18/src/acl/external/delayer/Makefile.in squid-4.0.19/src/acl/external/delayer/Makefile.in --- squid-4.0.18/src/acl/external/delayer/Makefile.in 2017-02-06 10:17:30.000000000 +1300 +++ squid-4.0.19/src/acl/external/delayer/Makefile.in 2017-04-02 19:45:38.000000000 +1200 
@@ -482,7 +482,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/acl/external/eDirectory_userip/Makefile.in squid-4.0.19/src/acl/external/eDirectory_userip/Makefile.in --- squid-4.0.18/src/acl/external/eDirectory_userip/Makefile.in 2017-02-06 10:17:30.000000000 +1300 +++ squid-4.0.19/src/acl/external/eDirectory_userip/Makefile.in 2017-04-02 19:45:39.000000000 +1200 @@ -536,7 +536,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/acl/external/file_userip/Makefile.in squid-4.0.19/src/acl/external/file_userip/Makefile.in --- squid-4.0.18/src/acl/external/file_userip/Makefile.in 2017-02-06 10:17:31.000000000 +1300 +++ squid-4.0.19/src/acl/external/file_userip/Makefile.in 2017-04-02 19:45:40.000000000 +1200 @@ -534,7 +534,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/acl/external/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 squid-4.0.19/src/acl/external/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 --- squid-4.0.18/src/acl/external/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/acl/external/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 2017-04-02 19:43:45.000000000 +1200 
@@ -163,7 +163,7 @@ .if !'po4a'hide' .ft . If you use a different Kerberos domain than the machine itself is in you can point squid to -the seperate Kerberos config file by setting the following environmnet variable in the startup +the separate Kerberos config file by setting the following environment variable in the startup script. .if !'po4a'hide' .P .if !'po4a'hide' .ft CR diff -u -r -N squid-4.0.18/src/acl/external/kerberos_ldap_group/Makefile.in squid-4.0.19/src/acl/external/kerberos_ldap_group/Makefile.in --- squid-4.0.18/src/acl/external/kerberos_ldap_group/Makefile.in 2017-02-06 10:17:32.000000000 +1300 +++ squid-4.0.19/src/acl/external/kerberos_ldap_group/Makefile.in 2017-04-02 19:45:41.000000000 +1200 @@ -564,7 +564,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/acl/external/kerberos_ldap_group/README squid-4.0.19/src/acl/external/kerberos_ldap_group/README --- squid-4.0.18/src/acl/external/kerberos_ldap_group/README 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/acl/external/kerberos_ldap_group/README 2017-04-02 19:43:45.000000000 +1200 @@ -65,7 +65,7 @@ export KRB5_KTNAME If you use a different Kerberos domain than the machine itself is in you can point squid to -the seperate Kerberos config file by setting the following environmnet variable in the startup +the separate Kerberos config file by setting the following environment variable in the startup script. KRB5_CONFIG=/etc/krb5-squid.conf diff -u -r -N squid-4.0.18/src/acl/external/kerberos_ldap_group/support_ldap.cc squid-4.0.19/src/acl/external/kerberos_ldap_group/support_ldap.cc --- squid-4.0.18/src/acl/external/kerberos_ldap_group/support_ldap.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/acl/external/kerberos_ldap_group/support_ldap.cc 2017-04-02 19:43:45.000000000 +1200 
@@ -1039,8 +1039,8 @@
 /*
 * Initialise ldap
 */
- ldap_debug = 127 /* LDAP_DEBUG_TRACE */ ;
- ldap_debug = -1 /* LDAP_DEBUG_ANY */ ;
+// ldap_debug = 127 /* LDAP_DEBUG_TRACE */ ;
+// ldap_debug = -1 /* LDAP_DEBUG_ANY */ ;
 ldap_debug = 0;
 (void) ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldap_debug);
 #endif
diff -u -r -N squid-4.0.18/src/acl/external/LDAP_group/ext_ldap_group_acl.8 squid-4.0.19/src/acl/external/LDAP_group/ext_ldap_group_acl.8
--- squid-4.0.18/src/acl/external/LDAP_group/ext_ldap_group_acl.8 2017-02-06 10:15:41.000000000 +1300
+++ squid-4.0.19/src/acl/external/LDAP_group/ext_ldap_group_acl.8 2017-04-02 19:43:45.000000000 +1200
@@ -52,8 +52,8 @@
 .BI never
 dereference aliases (default),
 .BI always
-dereference aliases, only while
-.BR search ing
+dereference aliases, only during a
+.BR search
 or only to
 .B find
 the base object
@@ -143,7 +143,7 @@
 .
 .if !'po4a'hide' .TP
 .if !'po4a'hide' .BI \-H " ldapuri"
-Specity the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries)
+Specify the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries)
 .
 .if !'po4a'hide' .TP
 .if !'po4a'hide' .BI \-K
diff -u -r -N squid-4.0.18/src/acl/external/LDAP_group/Makefile.in squid-4.0.19/src/acl/external/LDAP_group/Makefile.in
--- squid-4.0.18/src/acl/external/LDAP_group/Makefile.in 2017-02-06 10:17:28.000000000 +1300
+++ squid-4.0.19/src/acl/external/LDAP_group/Makefile.in 2017-04-02 19:45:36.000000000 +1200
@@ -536,7 +536,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@
diff -u -r -N squid-4.0.18/src/acl/external/LM_group/Makefile.in squid-4.0.19/src/acl/external/LM_group/Makefile.in
--- squid-4.0.18/src/acl/external/LM_group/Makefile.in 2017-02-06 10:17:29.000000000 +1300
+++ squid-4.0.19/src/acl/external/LM_group/Makefile.in 2017-04-02 19:45:37.000000000 +1200
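Review bot: In the support_ldap.cc hunk at line 1039 the two superseded `ldap_debug` assignments are commented out at column 0 instead of being deleted, which leaves dead code in the block and breaks its indentation. I would remove both lines and put one explanatory comment above the live assignment, for example `/* keep libldap tracing off: trace levels may dump LDAP protocol data to the helper's stderr */` followed by the existing `ldap_debug = 0;`. The result of `ldap_set_option()` is still discarded through the `(void)` cast, so a failure to apply the level goes unnoticed; that is probably acceptable for a debug knob but worth stating in the same comment. The enclosing function and the `#if` that this `#endif` closes both start outside the hunk.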
@@ -534,7 +534,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/acl/external/Makefile.in squid-4.0.19/src/acl/external/Makefile.in --- squid-4.0.18/src/acl/external/Makefile.in 2017-02-06 10:17:29.000000000 +1300 +++ squid-4.0.19/src/acl/external/Makefile.in 2017-04-02 19:45:38.000000000 +1200 @@ -327,7 +327,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/acl/external/session/ext_session_acl.8 squid-4.0.19/src/acl/external/session/ext_session_acl.8 --- squid-4.0.18/src/acl/external/session/ext_session_acl.8 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/acl/external/session/ext_session_acl.8 2017-04-02 19:43:45.000000000 +1200 @@ -21,7 +21,7 @@ ) or a fixed period of time ( .B \-T ). The former is suitable for displaying terms and conditions to a user; the -latter is suitable for the display of advertisments or other notices (both as a +latter is suitable for the display of advertisements or other notices (both as a splash page \- see config examples in the wiki online). The session helper can also be used to force users to re\-authenticate if the .B %LOGIN 
@@ -55,7 +55,7 @@ environment is created within the directory. The advantage of the latter is better database support between multiple instances of the session helper. Using multiple instances of the session helper with a single -database file will cause synchronisation problems between processes. +database file will cause synchronization problems between processes. If this option is not specified the session details will be kept in memory only and all sessions will reset each time Squid restarts its helpers (Squid restart or rotation of logs). diff -u -r -N squid-4.0.18/src/acl/external/session/Makefile.am squid-4.0.19/src/acl/external/session/Makefile.am --- squid-4.0.18/src/acl/external/session/Makefile.am 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/acl/external/session/Makefile.am 2017-04-02 19:43:45.000000000 +1200 @@ -14,6 +14,6 @@ ext_session_acl.cc ext_session_acl_LDADD = \ $(COMPAT_LIB) \ - $(LIB_DB) + -ldb EXTRA_DIST= ext_session_acl.8 required.m4 diff -u -r -N squid-4.0.18/src/acl/external/session/Makefile.in squid-4.0.19/src/acl/external/session/Makefile.in --- squid-4.0.18/src/acl/external/session/Makefile.in 2017-02-06 10:17:32.000000000 +1300 +++ squid-4.0.19/src/acl/external/session/Makefile.in 2017-04-02 19:45:41.000000000 +1200 @@ -170,9 +170,7 @@ @ENABLE_XPROF_STATS_TRUE@am__DEPENDENCIES_1 = $(top_builddir)/lib/profiler/libprofiler.la am__DEPENDENCIES_2 = $(top_builddir)/compat/libcompatsquid.la \ $(am__DEPENDENCIES_1) -am__DEPENDENCIES_3 = -ext_session_acl_DEPENDENCIES = $(am__DEPENDENCIES_2) \ - $(am__DEPENDENCIES_3) +ext_session_acl_DEPENDENCIES = $(am__DEPENDENCIES_2) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent @@ -533,7 +531,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ 
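Review bot: `ext_session_acl_LDADD` in session/Makefile.am now links a literal `-ldb` in place of `$(LIB_DB)`, but nothing visible in this change checks at configure time that `-ldb` actually resolves. The matching required.m4 probe only compiles a `db_env_create()` call, so a host with the header but without a library of that name would still enable the helper and fail later at link time. Making the probe a link test (AC_LINK_IFELSE with `-ldb` temporarily added to LIBS) would keep the hard-coded flag and the helper selection in agreement. time_quota/Makefile.am receives the same `-ldb` substitution and has the same gap.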
@@ -707,7 +704,7 @@ ext_session_acl_LDADD = \ $(COMPAT_LIB) \ - $(LIB_DB) + -ldb EXTRA_DIST = ext_session_acl.8 required.m4 all: all-am diff -u -r -N squid-4.0.18/src/acl/external/session/required.m4 squid-4.0.19/src/acl/external/session/required.m4 --- squid-4.0.18/src/acl/external/session/required.m4 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/acl/external/session/required.m4 2017-04-02 19:43:45.000000000 +1200 @@ -5,4 +5,11 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include ]],[[DB_ENV *db_env = NULL; db_env_create(&db_env, 0);]])],[BUILD_HELPER="session"],[]) +AC_CHECK_HEADERS(db.h,[ + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include ]],[[ + DB_ENV *db_env = nullptr; + db_env_create(&db_env, 0); + ]])],[ + BUILD_HELPER="session" + ],[]) +]) diff -u -r -N squid-4.0.18/src/acl/external/SQL_session/ext_sql_session_acl.8 squid-4.0.19/src/acl/external/SQL_session/ext_sql_session_acl.8 --- squid-4.0.18/src/acl/external/SQL_session/ext_sql_session_acl.8 2017-02-06 13:42:29.000000000 +1300 +++ squid-4.0.19/src/acl/external/SQL_session/ext_sql_session_acl.8 2017-04-02 23:48:36.000000000 +1200 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "EXT_SQL_SESSION_ACL 8" -.TH EXT_SQL_SESSION_ACL 8 "2017-02-06" "perl v5.24.1" "User Contributed Perl Documentation" +.TH EXT_SQL_SESSION_ACL 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.0.18/src/acl/external/SQL_session/Makefile.in squid-4.0.19/src/acl/external/SQL_session/Makefile.in --- squid-4.0.18/src/acl/external/SQL_session/Makefile.in 2017-02-06 10:17:30.000000000 +1300 +++ squid-4.0.19/src/acl/external/SQL_session/Makefile.in 2017-04-02 19:45:38.000000000 +1200 
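Review bot: The rewritten probe body in session/required.m4 uses `DB_ENV *db_env = nullptr;`, which only compiles when the active test language is C++11 or later. If this file is ever expanded while the test language is C, or before the C++11 flags are in place (neither is visible from the hunk), the compile fails, the empty `[]` failure branch runs, and the session helper is dropped without any message. Writing `DB_ENV *db_env = NULL;` as the old one-line test did keeps the probe independent of the language mode.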
@@ -482,7 +482,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/acl/external/time_quota/Makefile.am squid-4.0.19/src/acl/external/time_quota/Makefile.am --- squid-4.0.18/src/acl/external/time_quota/Makefile.am 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/acl/external/time_quota/Makefile.am 2017-04-02 19:43:45.000000000 +1200 @@ -16,6 +16,6 @@ ext_time_quota_acl.cc ext_time_quota_acl_LDADD = \ $(COMPAT_LIB) \ - $(LIB_DB) + -ldb EXTRA_DIST= ext_time_quota_acl.8 required.m4 diff -u -r -N squid-4.0.18/src/acl/external/time_quota/Makefile.in squid-4.0.19/src/acl/external/time_quota/Makefile.in --- squid-4.0.18/src/acl/external/time_quota/Makefile.in 2017-02-06 10:17:33.000000000 +1300 +++ squid-4.0.19/src/acl/external/time_quota/Makefile.in 2017-04-02 19:45:42.000000000 +1200 @@ -170,9 +170,7 @@ @ENABLE_XPROF_STATS_TRUE@am__DEPENDENCIES_1 = $(top_builddir)/lib/profiler/libprofiler.la am__DEPENDENCIES_2 = $(top_builddir)/compat/libcompatsquid.la \ $(am__DEPENDENCIES_1) -am__DEPENDENCIES_3 = -ext_time_quota_acl_DEPENDENCIES = $(am__DEPENDENCIES_2) \ - $(am__DEPENDENCIES_3) +ext_time_quota_acl_DEPENDENCIES = $(am__DEPENDENCIES_2) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent @@ -534,7 +532,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ 
@@ -708,7 +705,7 @@ ext_time_quota_acl_LDADD = \ $(COMPAT_LIB) \ - $(LIB_DB) + -ldb EXTRA_DIST = ext_time_quota_acl.8 required.m4 all: all-am diff -u -r -N squid-4.0.18/src/acl/external/time_quota/required.m4 squid-4.0.19/src/acl/external/time_quota/required.m4 --- squid-4.0.18/src/acl/external/time_quota/required.m4 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/acl/external/time_quota/required.m4 2017-04-02 19:43:45.000000000 +1200 @@ -5,5 +5,8 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -AC_CHECK_HEADERS([db_185.h],[BUILD_HELPER="time_quota"]) -AC_EGREP_HEADER([dbopen],[/usr/include/db.h],[BUILD_HELPER="time_quota"]) +AC_CHECK_HEADERS(db_185.h,[BUILD_HELPER="time_quota"],[ + AC_CHECK_HEADERS(db.h,[ + AC_EGREP_HEADER([dbopen],[/usr/include/db.h],[BUILD_HELPER="time_quota"]) + ]) +]) diff -u -r -N squid-4.0.18/src/acl/external/unix_group/Makefile.in squid-4.0.19/src/acl/external/unix_group/Makefile.in --- squid-4.0.18/src/acl/external/unix_group/Makefile.in 2017-02-06 10:17:33.000000000 +1300 +++ squid-4.0.19/src/acl/external/unix_group/Makefile.in 2017-04-02 19:45:42.000000000 +1200 @@ -534,7 +534,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 squid-4.0.19/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-4.0.18/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2017-02-06 13:42:34.000000000 +1300 +++ squid-4.0.19/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2017-04-02 23:48:41.000000000 +1200 
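Review bot: The nested check in time_quota/required.m4 first finds `db.h` through the compiler's include path with `AC_CHECK_HEADERS(db.h, ...)` and then greps the fixed path `/usr/include/db.h`, so the two steps can look at different files. With a sysroot, a cross toolchain or a BerkeleyDB installed under another prefix, the header is found but the grep reads the wrong file or none, and the helper is skipped. Passing the header name instead, `AC_EGREP_HEADER([dbopen],[db.h],[BUILD_HELPER="time_quota"])`, makes both steps use the same search path.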
@@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL 8" -.TH EXT_WBINFO_GROUP_ACL 8 "2017-02-06" "perl v5.24.1" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.0.18/src/acl/external/wbinfo_group/Makefile.in squid-4.0.19/src/acl/external/wbinfo_group/Makefile.in --- squid-4.0.18/src/acl/external/wbinfo_group/Makefile.in 2017-02-06 10:17:33.000000000 +1300 +++ squid-4.0.19/src/acl/external/wbinfo_group/Makefile.in 2017-04-02 19:45:43.000000000 +1200 @@ -482,7 +482,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/acl/Makefile.in squid-4.0.19/src/acl/Makefile.in --- squid-4.0.18/src/acl/Makefile.in 2017-02-06 10:17:27.000000000 +1300 +++ squid-4.0.19/src/acl/Makefile.in 2017-04-02 19:45:35.000000000 +1200 @@ -648,7 +648,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/adaptation/ecap/Makefile.in squid-4.0.19/src/adaptation/ecap/Makefile.in --- squid-4.0.18/src/adaptation/ecap/Makefile.in 2017-02-06 10:17:35.000000000 +1300 +++ squid-4.0.19/src/adaptation/ecap/Makefile.in 2017-04-02 19:45:44.000000000 +1200 
@@ -550,7 +550,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/adaptation/History.cc squid-4.0.19/src/adaptation/History.cc --- squid-4.0.18/src/adaptation/History.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/adaptation/History.cc 2017-04-02 19:43:45.000000000 +1200 
@@ -63,48 +63,37 @@ theEntries[hid].stop(); } -void Adaptation::History::allLogString(const char *serviceId, String &s) +void Adaptation::History::allLogString(const char *serviceId, SBuf &s) { - s=""; + s.clear(); bool prevWasRetried = false; - // XXX: Fix Vector<> so that we can use const_iterator here - typedef Adaptation::History::Entries::iterator ECI; - for (ECI i = theEntries.begin(); i != theEntries.end(); ++i) { + for (auto &i : theEntries) { // TODO: here and below, optimize service ID comparison? - if (!serviceId || i->service == serviceId) { - if (s.size() > 0) // not the first logged time, must delimit - s.append(prevWasRetried ? "+" : ","); - - char buf[64]; - snprintf(buf, sizeof(buf), "%d", i->rptm()); - s.append(buf); - + if (!serviceId || i.service == serviceId) { + if (!s.isEmpty()) // not the first logged time, must delimit + s.append(prevWasRetried ? '+' : ','); + s.appendf("%d", i.rptm()); // continue; we may have two identical services (e.g., for retries) } - prevWasRetried = i->retried; + prevWasRetried = i.retried; } } -void Adaptation::History::sumLogString(const char *serviceId, String &s) +void Adaptation::History::sumLogString(const char *serviceId, SBuf &s) { - s=""; + s.clear(); int retriedRptm = 0; // sum of rptm times of retried transactions - typedef Adaptation::History::Entries::iterator ECI; - for (ECI i = theEntries.begin(); i != theEntries.end(); ++i) { - if (i->retried) { // do not log retried xact but accumulate their time - retriedRptm += i->rptm(); - } else if (!serviceId || i->service == serviceId) { - if (s.size() > 0) // not the first logged time, must delimit - s.append(","); - - char buf[64]; - snprintf(buf, sizeof(buf), "%d", retriedRptm + i->rptm()); - s.append(buf); - + for (auto & i : theEntries) { + if (i.retried) { // do not log retried xact but accumulate their time + retriedRptm += i.rptm(); + } else if (!serviceId || i.service == serviceId) { + if (!s.isEmpty()) // not the first logged time, must delimit + 
s.append(','); + s.appendf("%d", retriedRptm + i.rptm()); // continue; we may have two identical services (e.g., for retries) } - if (!i->retried) + if (!i.retried) retriedRptm = 0; } diff -u -r -N squid-4.0.18/src/adaptation/History.h squid-4.0.19/src/adaptation/History.h --- squid-4.0.18/src/adaptation/History.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/adaptation/History.h 2017-04-02 19:43:45.000000000 +1200 @@ -34,10 +34,10 @@ void recordXactFinish(int hid); /// dump individual xaction times to a string - void allLogString(const char *serviceId, String &buf); + void allLogString(const char *serviceId, SBuf &); /// dump xaction times, merging retried and retry times together - void sumLogString(const char *serviceId, String &buf); + void sumLogString(const char *serviceId, SBuf &); /// sets or resets a cross-transactional database record void updateXxRecord(const char *name, const String &value); diff -u -r -N squid-4.0.18/src/adaptation/icap/Makefile.in squid-4.0.19/src/adaptation/icap/Makefile.in --- squid-4.0.18/src/adaptation/icap/Makefile.in 2017-02-06 10:17:36.000000000 +1300 +++ squid-4.0.19/src/adaptation/icap/Makefile.in 2017-04-02 19:45:45.000000000 +1200 @@ -545,7 +545,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/adaptation/icap/ModXact.cc squid-4.0.19/src/adaptation/icap/ModXact.cc --- squid-4.0.18/src/adaptation/icap/ModXact.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/adaptation/icap/ModXact.cc 2017-04-02 19:43:45.000000000 +1200 @@ -966,7 +966,7 @@ } else if (dynamic_cast(oldHead)) { newHead = new HttpReply; } - Must(newHead != NULL); + Must(newHead); newHead->inheritProperties(oldHead); 
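Review bot: Both new range-for loops in History.cc bind a mutable reference named like an index (`auto &i` in allLogString, `auto & i` in sumLogString, with different spacing), although the bodies only read `service`, `retried` and `rptm()`. The removed XXX comment shows that read-only iteration was the original intent, so `for (const auto &entry : theEntries)` in both functions would state that and let the compiler enforce it, provided `rptm()` is a const member (its declaration is not in the hunk). The closing brace of sumLogString is outside the hunk.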
@@ -1558,12 +1558,11 @@ new_reply->sline = old_reply->sline; headClone = new_reply.getRaw(); } - Must(headClone != NULL); + Must(headClone); headClone->inheritProperties(head); HttpHeaderPos pos = HttpHeaderInitPos; - HttpHeaderEntry* p_head_entry = NULL; - while (NULL != (p_head_entry = head->header.getEntry(&pos)) ) + while (HttpHeaderEntry* p_head_entry = head->header.getEntry(&pos)) headClone->header.addEntry(p_head_entry->clone()); // end cloning diff -u -r -N squid-4.0.18/src/adaptation/Makefile.in squid-4.0.19/src/adaptation/Makefile.in --- squid-4.0.18/src/adaptation/Makefile.in 2017-02-06 10:17:34.000000000 +1300 +++ squid-4.0.19/src/adaptation/Makefile.in 2017-04-02 19:45:44.000000000 +1200 @@ -590,7 +590,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/adaptation/ServiceConfig.cc squid-4.0.19/src/adaptation/ServiceConfig.cc --- squid-4.0.18/src/adaptation/ServiceConfig.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/adaptation/ServiceConfig.cc 2017-04-02 19:43:45.000000000 +1200 @@ -139,7 +139,7 @@ grokked = grokOnOverload(onOverload, value); onOverloadSet = true; } else if (strcmp(name, "connection-encryption") == 0) { - bool encrypt; + bool encrypt = false; grokked = grokBool(encrypt, name, value); connectionEncryption.configure(encrypt); } else if (strncmp(name, "ssl", 3) == 0 || strncmp(name, "tls-", 4) == 0) { diff -u -r -N squid-4.0.18/src/anyp/Makefile.in squid-4.0.19/src/anyp/Makefile.in --- squid-4.0.18/src/anyp/Makefile.in 2017-02-06 10:17:36.000000000 +1300 +++ squid-4.0.19/src/anyp/Makefile.in 2017-04-02 19:45:46.000000000 +1200 
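Review bot: In the `connection-encryption` branch of ServiceConfig.cc, `connectionEncryption.configure(encrypt)` still runs when `grokBool()` rejects the value, and with the new `= false` initializer it now records encryption as explicitly disabled in that case. If a false `grokked` does not abort parsing further down (the rest of the function is outside the hunk), a mistyped option value would quietly turn encryption off for the service. Guarding the call, `if (grokked) connectionEncryption.configure(encrypt);`, leaves the setting untouched on a parse error.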
@@ -543,7 +543,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/anyp/UriScheme.cc squid-4.0.19/src/anyp/UriScheme.cc --- squid-4.0.18/src/anyp/UriScheme.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/anyp/UriScheme.cc 2017-04-02 19:43:45.000000000 +1200 
@@ -11,24 +11,41 @@ #include "squid.h" #include "anyp/UriScheme.h" +AnyP::UriScheme::LowercaseSchemeNames AnyP::UriScheme::LowercaseSchemeNames_; + AnyP::UriScheme::UriScheme(AnyP::ProtocolType const aScheme, const char *img) : theScheme_(aScheme) { - if (img) - // image could be provided explicitly (case-sensitive) + // RFC 3986 section 3.1: schemes are case-insensitive. + + // To improve diagnostic, remember exactly how an unsupported scheme looks like. + // XXX: Object users may rely on toLower() canonicalization that we refuse to provide. + if (img && theScheme_ == AnyP::PROTO_UNKNOWN) + image_ = img; + + // XXX: A broken caller supplies an image of an absent scheme? + // XXX: We assume that the caller is using a lower-case image. + else if (img && theScheme_ == AnyP::PROTO_NONE) image_ = img; - else if (theScheme_ == AnyP::PROTO_UNKNOWN) - // image could be actually unknown and not provided - image_ = "(unknown)"; - - else if (theScheme_ > AnyP::PROTO_NONE && theScheme_ < AnyP::PROTO_MAX) { - // image could be implied by a registered transfer protocol - // which use upper-case labels, so down-case for scheme image - image_ = AnyP::ProtocolType_str[theScheme_]; - image_.toLower(); + else if (theScheme_ > AnyP::PROTO_NONE && theScheme_ < AnyP::PROTO_MAX) + image_ = LowercaseSchemeNames_.at(theScheme_); + // else, the image remains empty (e.g., "://example.com/") + // hopefully, theScheme_ is PROTO_NONE here +} + +void +AnyP::UriScheme::Init() +{ + if (LowercaseSchemeNames_.empty()) { + LowercaseSchemeNames_.reserve(sizeof(SBuf) * AnyP::PROTO_MAX); + // TODO: use base/EnumIterator.h if possible + for (int i = AnyP::PROTO_NONE; i < AnyP::PROTO_MAX; ++i) { + SBuf image(ProtocolType_str[i]); + image.toLower(); + LowercaseSchemeNames_.emplace_back(image); + } } - // else, image is an empty string ("://example.com/") } unsigned short diff -u -r -N squid-4.0.18/src/anyp/UriScheme.h squid-4.0.19/src/anyp/UriScheme.h --- squid-4.0.18/src/anyp/UriScheme.h 2017-02-06 
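Review bot: `LowercaseSchemeNames_.reserve(sizeof(SBuf) * AnyP::PROTO_MAX)` in `Init()` passes a byte count where `std::vector::reserve` expects an element count, so it reserves sizeof(SBuf) times more slots than the loop fills; `LowercaseSchemeNames_.reserve(AnyP::PROTO_MAX);` is enough. The constructor now reads `LowercaseSchemeNames_.at(theScheme_)`, which throws `std::out_of_range` if a UriScheme for a registered protocol is built before `Init()` has run, for example from another static initializer. `Init()` should carry a comment such as `/// must be called before any UriScheme with a registered protocol is constructed`, or the constructor should fall back when the table is empty. The lookup also lines up with the enum only if `PROTO_NONE` is 0, which the hunk does not show.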
10:15:41.000000000 +1300 +++ squid-4.0.19/src/anyp/UriScheme.h 2017-04-02 19:43:45.000000000 +1200 @@ -13,6 +13,7 @@ #include "sbuf/SBuf.h" #include +#include namespace AnyP { @@ -23,7 +24,10 @@ class UriScheme { public: + typedef std::vector LowercaseSchemeNames; + UriScheme() : theScheme_(AnyP::PROTO_NONE) {} + /// \param img Explicit scheme representation for unknown/none schemes. UriScheme(AnyP::ProtocolType const aScheme, const char *img = nullptr); UriScheme(const AnyP::UriScheme &o) : theScheme_(o.theScheme_), image_(o.image_) {} UriScheme(AnyP::UriScheme &&) = default; @@ -47,7 +51,14 @@ unsigned short defaultPort() const; + /// initializes down-cased protocol scheme names array + static void Init(); + private: + /// optimization: stores down-cased protocol scheme names, copied from + /// AnyP::ProtocolType_str + static LowercaseSchemeNames LowercaseSchemeNames_; + /// This is a typecode pointer into the enum/registry of protocols handled. AnyP::ProtocolType theScheme_; diff -u -r -N squid-4.0.18/src/auth/basic/DB/basic_db_auth.8 squid-4.0.19/src/auth/basic/DB/basic_db_auth.8 --- squid-4.0.18/src/auth/basic/DB/basic_db_auth.8 2017-02-06 13:43:05.000000000 +1300 +++ squid-4.0.19/src/auth/basic/DB/basic_db_auth.8 2017-04-02 23:49:15.000000000 +1200 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 8" -.TH BASIC_DB_AUTH 8 "2017-02-06" "perl v5.24.1" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -143,8 +143,8 @@ .Vb 1 \& basic_db_auth [options] .Ve -.SH "DESCRIPTOIN" -.IX Header "DESCRIPTOIN" +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" This program verifies username & password to a database .SH "OPTIONS" .IX Header "OPTIONS" 
@@ -212,7 +212,7 @@ Copyright (C) 2007 Henrik Nordstrom Copyright (C) 2010 Luis Daniel Lucio Quiroz (Joomla support) This program is free software. You may redistribute copies of it under the -terms of the \s-1GNU\s0 General Public License version 2, or (at youropinion) any +terms of the \s-1GNU\s0 General Public License version 2, or (at your opinion) any later version. .SH "QUESTIONS" .IX Header "QUESTIONS" diff -u -r -N squid-4.0.18/src/auth/basic/DB/basic_db_auth.pl.in squid-4.0.19/src/auth/basic/DB/basic_db_auth.pl.in --- squid-4.0.18/src/auth/basic/DB/basic_db_auth.pl.in 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/auth/basic/DB/basic_db_auth.pl.in 2017-04-02 19:43:45.000000000 +1200 @@ -14,7 +14,7 @@ basic_db_auth [options] -=head1 DESCRIPTOIN +=head1 DESCRIPTION This program verifies username & password to a database @@ -101,7 +101,7 @@ Copyright (C) 2007 Henrik Nordstrom Copyright (C) 2010 Luis Daniel Lucio Quiroz (Joomla support) This program is free software. You may redistribute copies of it under the -terms of the GNU General Public License version 2, or (at youropinion) any +terms of the GNU General Public License version 2, or (at your opinion) any later version. =head1 QUESTIONS diff -u -r -N squid-4.0.18/src/auth/basic/DB/Makefile.in squid-4.0.19/src/auth/basic/DB/Makefile.in --- squid-4.0.18/src/auth/basic/DB/Makefile.in 2017-02-06 10:17:37.000000000 +1300 +++ squid-4.0.19/src/auth/basic/DB/Makefile.in 2017-04-02 19:45:47.000000000 +1200 @@ -482,7 +482,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/basic/fake/Makefile.in squid-4.0.19/src/auth/basic/fake/Makefile.in --- squid-4.0.18/src/auth/basic/fake/Makefile.in 2017-02-06 10:17:44.000000000 +1300 +++ squid-4.0.19/src/auth/basic/fake/Makefile.in 2017-04-02 19:45:54.000000000 +1200 
@@ -528,7 +528,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/basic/getpwnam/Makefile.in squid-4.0.19/src/auth/basic/getpwnam/Makefile.in --- squid-4.0.18/src/auth/basic/getpwnam/Makefile.in 2017-02-06 10:17:44.000000000 +1300 +++ squid-4.0.19/src/auth/basic/getpwnam/Makefile.in 2017-04-02 19:45:55.000000000 +1200 @@ -534,7 +534,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/basic/LDAP/basic_ldap_auth.8 squid-4.0.19/src/auth/basic/LDAP/basic_ldap_auth.8 --- squid-4.0.18/src/auth/basic/LDAP/basic_ldap_auth.8 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/auth/basic/LDAP/basic_ldap_auth.8 2017-04-02 19:43:45.000000000 +1200 @@ -98,7 +98,7 @@ .B Note: This can only be done if all your users are located directly under the same position in the LDAP tree and the login name is used for naming -each user object. If your LDAP tree does not match these criterias or if +each user object. If your LDAP tree does not match these criteria or if you want to filter who are valid users then you need to use a search filter to search for your users DN ( .B \-f 
@@ -186,15 +186,15 @@ .B never dereference aliases (default), .B always -dereference aliases, only while -.B search ing +dereference aliases, only during a +.B search or only to .B find the base object. . .if !'po4a'hide' .TP .if !'po4a'hide' .B "\-H ldap_uri -Specity the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries). +Specify the LDAP server to connect to by LDAP URI (requires OpenLDAP libraries). Servers can also be specified last on the command line. . .if !'po4a'hide' .TP diff -u -r -N squid-4.0.18/src/auth/basic/LDAP/Makefile.in squid-4.0.19/src/auth/basic/LDAP/Makefile.in --- squid-4.0.18/src/auth/basic/LDAP/Makefile.in 2017-02-06 10:17:38.000000000 +1300 +++ squid-4.0.19/src/auth/basic/LDAP/Makefile.in 2017-04-02 19:45:48.000000000 +1200 @@ -534,7 +534,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/basic/Makefile.in squid-4.0.19/src/auth/basic/Makefile.in --- squid-4.0.18/src/auth/basic/Makefile.in 2017-02-06 10:17:38.000000000 +1300 +++ squid-4.0.19/src/auth/basic/Makefile.in 2017-04-02 19:45:48.000000000 +1200 @@ -583,7 +583,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/basic/NCSA/Makefile.in squid-4.0.19/src/auth/basic/NCSA/Makefile.in --- squid-4.0.18/src/auth/basic/NCSA/Makefile.in 2017-02-06 10:17:39.000000000 +1300 +++ squid-4.0.19/src/auth/basic/NCSA/Makefile.in 2017-04-02 19:45:49.000000000 +1200 
@@ -555,7 +555,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/basic/NIS/Makefile.in squid-4.0.19/src/auth/basic/NIS/Makefile.in --- squid-4.0.18/src/auth/basic/NIS/Makefile.in 2017-02-06 10:17:39.000000000 +1300 +++ squid-4.0.19/src/auth/basic/NIS/Makefile.in 2017-04-02 19:45:49.000000000 +1200 @@ -550,7 +550,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/basic/PAM/Makefile.in squid-4.0.19/src/auth/basic/PAM/Makefile.in --- squid-4.0.18/src/auth/basic/PAM/Makefile.in 2017-02-06 10:17:40.000000000 +1300 +++ squid-4.0.19/src/auth/basic/PAM/Makefile.in 2017-04-02 19:45:51.000000000 +1200 @@ -533,7 +533,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/basic/POP3/basic_pop3_auth.8 squid-4.0.19/src/auth/basic/POP3/basic_pop3_auth.8 --- squid-4.0.18/src/auth/basic/POP3/basic_pop3_auth.8 2017-02-06 13:43:14.000000000 +1300 +++ squid-4.0.19/src/auth/basic/POP3/basic_pop3_auth.8 2017-04-02 23:49:25.000000000 +1200 
@@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_POP3_AUTH 8" -.TH BASIC_POP3_AUTH 8 "2017-02-06" "perl v5.24.1" "User Contributed Perl Documentation" +.TH BASIC_POP3_AUTH 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.0.18/src/auth/basic/POP3/Makefile.in squid-4.0.19/src/auth/basic/POP3/Makefile.in --- squid-4.0.18/src/auth/basic/POP3/Makefile.in 2017-02-06 10:17:40.000000000 +1300 +++ squid-4.0.19/src/auth/basic/POP3/Makefile.in 2017-04-02 19:45:51.000000000 +1200 @@ -482,7 +482,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/basic/RADIUS/Makefile.in squid-4.0.19/src/auth/basic/RADIUS/Makefile.in --- squid-4.0.18/src/auth/basic/RADIUS/Makefile.in 2017-02-06 10:17:41.000000000 +1300 +++ squid-4.0.19/src/auth/basic/RADIUS/Makefile.in 2017-04-02 19:45:52.000000000 +1200 @@ -555,7 +555,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/basic/SASL/Makefile.in squid-4.0.19/src/auth/basic/SASL/Makefile.in --- squid-4.0.18/src/auth/basic/SASL/Makefile.in 2017-02-06 10:17:41.000000000 +1300 +++ squid-4.0.19/src/auth/basic/SASL/Makefile.in 2017-04-02 19:45:52.000000000 +1200 
@@ -534,7 +534,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/basic/SMB/Makefile.in squid-4.0.19/src/auth/basic/SMB/Makefile.in --- squid-4.0.18/src/auth/basic/SMB/Makefile.in 2017-02-06 10:17:42.000000000 +1300 +++ squid-4.0.19/src/auth/basic/SMB/Makefile.in 2017-04-02 19:45:53.000000000 +1200 @@ -538,7 +538,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/basic/SMB_LM/Makefile.in squid-4.0.19/src/auth/basic/SMB_LM/Makefile.in --- squid-4.0.18/src/auth/basic/SMB_LM/Makefile.in 2017-02-06 10:17:43.000000000 +1300 +++ squid-4.0.19/src/auth/basic/SMB_LM/Makefile.in 2017-04-02 19:45:53.000000000 +1200 @@ -551,7 +551,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/basic/SSPI/Makefile.in squid-4.0.19/src/auth/basic/SSPI/Makefile.in --- squid-4.0.18/src/auth/basic/SSPI/Makefile.in 2017-02-06 10:17:43.000000000 +1300 +++ squid-4.0.19/src/auth/basic/SSPI/Makefile.in 2017-04-02 19:45:54.000000000 +1200 @@ -559,7 +559,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/digest/eDirectory/digest_pw_auth.cc squid-4.0.19/src/auth/digest/eDirectory/digest_pw_auth.cc --- squid-4.0.18/src/auth/digest/eDirectory/digest_pw_auth.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/auth/digest/eDirectory/digest_pw_auth.cc 2017-04-02 19:43:45.000000000 +1200 
@@ -30,7 +30,7 @@ * the file format. However storing such a triple does little to * improve security: If compromised the username:realm:HA1 combination * is "plaintext equivalent" - for the purposes of digest authentication - * they allow the user access. Password syncronisation is not tackled + * they allow the user access. Password synchronization is not tackled * by digest - just preventing on the wire compromise. * * Copyright (c) 2003 Robert Collins diff -u -r -N squid-4.0.18/src/auth/digest/eDirectory/Makefile.in squid-4.0.19/src/auth/digest/eDirectory/Makefile.in --- squid-4.0.18/src/auth/digest/eDirectory/Makefile.in 2017-02-06 10:17:46.000000000 +1300 +++ squid-4.0.19/src/auth/digest/eDirectory/Makefile.in 2017-04-02 19:45:56.000000000 +1200 @@ -552,7 +552,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/digest/file/digest_file_auth.8 squid-4.0.19/src/auth/digest/file/digest_file_auth.8 --- squid-4.0.18/src/auth/digest/file/digest_file_auth.8 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/auth/digest/file/digest_file_auth.8 2017-04-02 19:43:45.000000000 +1200 @@ -15,7 +15,7 @@ is an installed binary authentication program for Squid. It handles digest authentication protocol and authenticates against a text file backend. . -This program will automatically detect the existence of a concurrecy channel-ID and adjust appropriately. +This program will automatically detect the existence of a concurrency channel-ID and adjust appropriately. It may be used with any value 0 or above for the auth_param children concurrency= parameter. . .SH OPTIONS 
@@ -54,7 +54,7 @@ improve security: If compromised the .B username:realm:HA1 combination is "plaintext equivalent" - for the purposes of digest authentication -they allow the user access. Password syncronisation is not tackled +they allow the user access. Password synchronization is not tackled by digest - just preventing on the wire compromise. . .SH AUTHOR diff -u -r -N squid-4.0.18/src/auth/digest/file/digest_file_auth.cc squid-4.0.19/src/auth/digest/file/digest_file_auth.cc --- squid-4.0.18/src/auth/digest/file/digest_file_auth.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/auth/digest/file/digest_file_auth.cc 2017-04-02 19:43:45.000000000 +1200 @@ -33,7 +33,7 @@ * the file format. However storing such a triple does little to * improve security: If compromised the username:realm:HA1 combination * is "plaintext equivalent" - for the purposes of digest authentication - * they allow the user access. Password syncronisation is not tackled + * they allow the user access. Password synchronization is not tackled * by digest - just preventing on the wire compromise. * * Copyright (c) 2003 Robert Collins diff -u -r -N squid-4.0.18/src/auth/digest/file/Makefile.in squid-4.0.19/src/auth/digest/file/Makefile.in --- squid-4.0.18/src/auth/digest/file/Makefile.in 2017-02-06 10:17:46.000000000 +1300 +++ squid-4.0.19/src/auth/digest/file/Makefile.in 2017-04-02 19:45:57.000000000 +1200 @@ -555,7 +555,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/digest/file/text_backend.cc squid-4.0.19/src/auth/digest/file/text_backend.cc --- squid-4.0.18/src/auth/digest/file/text_backend.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/auth/digest/file/text_backend.cc 2017-04-02 19:43:45.000000000 +1200 
@@ -29,7 +29,7 @@ * the file format. However storing such a triple does little to * improve security: If compromised the username:realm:HA1 combination * is "plaintext equivalent" - for the purposes of digest authentication - * they allow the user access. Password syncronisation is not tackled + * they allow the user access. Password synchronization is not tackled * by digest - just preventing on the wire compromise. * * Copyright (c) 2003 Robert Collins diff -u -r -N squid-4.0.18/src/auth/digest/LDAP/digest_pw_auth.cc squid-4.0.19/src/auth/digest/LDAP/digest_pw_auth.cc --- squid-4.0.18/src/auth/digest/LDAP/digest_pw_auth.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/auth/digest/LDAP/digest_pw_auth.cc 2017-04-02 19:43:45.000000000 +1200 @@ -30,7 +30,7 @@ * the file format. However storing such a triple does little to * improve security: If compromised the username:realm:HA1 combination * is "plaintext equivalent" - for the purposes of digest authentication - * they allow the user access. Password syncronisation is not tackled + * they allow the user access. Password synchronization is not tackled * by digest - just preventing on the wire compromise. * * Copyright (c) 2003 Robert Collins diff -u -r -N squid-4.0.18/src/auth/digest/LDAP/ldap_backend.cc squid-4.0.19/src/auth/digest/LDAP/ldap_backend.cc --- squid-4.0.18/src/auth/digest/LDAP/ldap_backend.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/auth/digest/LDAP/ldap_backend.cc 2017-04-02 19:43:45.000000000 +1200 @@ -63,6 +63,7 @@ static const char *binddn = NULL; static const char *bindpasswd = NULL; static const char *delimiter = ":"; +static const char *frealm = ""; static int encrpass = 0; static int searchscope = LDAP_SCOPE_SUBTREE; static int persistent = 0; @@ -267,7 +268,7 @@ } value = values; while (*value) { - if (encrpass) { + if (encrpass && *delimiter ) { const char *t = strtok(*value, delimiter); if (t && strcmp(t, realm) == 0) { password = strtok(NULL, delimiter); 
@@ -451,6 +452,9 @@ case 'l': delimiter = value; break; + case 'r': + frealm = value; + break; case 'b': userbasedn = value; break; @@ -574,10 +578,11 @@ if (!ldapServer) ldapServer = (char *) "localhost"; - if (!userbasedn || !passattr) { - fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn -f filter [options] ldap_server_name\n\n"); + if (!userbasedn || !passattr || (!*delimiter && !*frealm)) { + fprintf(stderr, "Usage: " PROGRAM_NAME " -b basedn -F filter [options] ldap_server_name\n\n"); fprintf(stderr, "\t-A password attribute(REQUIRED)\t\tUser attribute that contains the password\n"); - fprintf(stderr, "\t-l password realm delimiter(REQUIRED)\tCharater(s) that devides the password attribute\n\t\t\t\t\t\tin realm and password tokens, default ':' realm:password\n"); + fprintf(stderr, "\t-l password realm delimiter(REQUIRED)\tCharacter(s) that divides the password attribute\n\t\t\t\t\t\tin realm and password tokens, default ':' realm:password, could be\n\t\t\t\t\t\tempty string if the password is alone in the password attribute\n"); + fprintf(stderr, "\t-r filtered realm\t\t\tonly honor Squid requests for this realm. Mandatory if the password is alone in\n\t\t\t\t\t\tthe password attribute, acting as the implicit realm\n"); fprintf(stderr, "\t-b basedn (REQUIRED)\t\t\tbase dn under where to search for users\n"); fprintf(stderr, "\t-e Encrypted passwords(REQUIRED)\tPassword are stored encrypted using HHA1\n"); fprintf(stderr, "\t-F filter\t\t\t\tuser search filter pattern. %%s = login\n"); 
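Review bot: The new `(!*delimiter && !*frealm)` case in ldap_backend.cc falls through to the generic usage dump, so an operator who passes an empty `-l` without `-r` gets no hint about which constraint failed. A dedicated check ahead of the usage text would make the misconfiguration obvious, e.g. `if (!*delimiter && !*frealm) fprintf(stderr, "ERROR: -r is required when the -l delimiter is empty\n");`. The `-l` help line is also still tagged `(REQUIRED)` although it describes a default of ':' and an allowed empty value; dropping the tag would match what the check enforces. The enclosing function starts and ends outside the hunk.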
@@ -644,9 +649,17 @@ void LDAPHHA1(RequestData * requestData) { - char *password; + char *password = NULL; ldapconnect(); - password = getpassword(requestData->user, requestData->realm); + + // use the -l delimiter to find realm, or + // only honor the -r specified realm + const bool lookup = (!*frealm && *delimiter) || + (*frealm && strcmp(requestData->realm, frealm) != 0); + + if (lookup) + password = getpassword(requestData->user, requestData->realm); + if (password != NULL) { if (encrpass) xstrncpy(requestData->HHA1, password, sizeof(requestData->HHA1)); diff -u -r -N squid-4.0.18/src/auth/digest/LDAP/Makefile.in squid-4.0.19/src/auth/digest/LDAP/Makefile.in --- squid-4.0.18/src/auth/digest/LDAP/Makefile.in 2017-02-06 10:17:45.000000000 +1300 +++ squid-4.0.19/src/auth/digest/LDAP/Makefile.in 2017-04-02 19:45:55.000000000 +1200 @@ -552,7 +552,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/digest/Makefile.in squid-4.0.19/src/auth/digest/Makefile.in --- squid-4.0.18/src/auth/digest/Makefile.in 2017-02-06 10:17:45.000000000 +1300 +++ squid-4.0.19/src/auth/digest/Makefile.in 2017-04-02 19:45:56.000000000 +1200 @@ -583,7 +583,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/Makefile.in squid-4.0.19/src/auth/Makefile.in --- squid-4.0.18/src/auth/Makefile.in 2017-02-06 10:17:37.000000000 +1300 +++ squid-4.0.19/src/auth/Makefile.in 2017-04-02 19:45:47.000000000 +1200 
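Review bot: The second term of `lookup` in LDAPHHA1 looks inverted: with `-r` set, `strcmp(requestData->realm, frealm) != 0` is true only when the request's realm differs from the configured one, so `getpassword()` runs for other realms and is skipped for the realm the helper is supposed to honor. That contradicts the comment directly above it and the `-r` usage text ("only honor Squid requests for this realm"). If the comment states the intent, the term should read `(*frealm && strcmp(requestData->realm, frealm) == 0)`. With an empty `-l` delimiter, the `encrpass && *delimiter` guard added earlier in this file skips the realm-token comparison, so this test would be the only realm filter left; the else-branch it falls into is not visible here. LDAPHHA1 continues past the end of the hunk.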
@@ -588,7 +588,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/negotiate/kerberos/Makefile.in squid-4.0.19/src/auth/negotiate/kerberos/Makefile.in --- squid-4.0.18/src/auth/negotiate/kerberos/Makefile.in 2017-02-06 10:17:48.000000000 +1300 +++ squid-4.0.19/src/auth/negotiate/kerberos/Makefile.in 2017-04-02 19:45:59.000000000 +1200 @@ -576,7 +576,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/negotiate/kerberos/negotiate_kerberos_auth.8 squid-4.0.19/src/auth/negotiate/kerberos/negotiate_kerberos_auth.8 --- squid-4.0.18/src/auth/negotiate/kerberos/negotiate_kerberos_auth.8 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/auth/negotiate/kerberos/negotiate_kerberos_auth.8 2017-04-02 19:43:45.000000000 +1200 @@ -69,7 +69,7 @@ export KRB5_KTNAME If you use a different Kerberos domain than the machine itself is in you can point squid to -the seperate Kerberos config file by setting the following environmnet variable in the startup +the separate Kerberos config file by setting the following environment variable in the startup script. KRB5_CONFIG=/etc/krb5\-squid.conf diff -u -r -N squid-4.0.18/src/auth/negotiate/kerberos/README squid-4.0.19/src/auth/negotiate/kerberos/README --- squid-4.0.18/src/auth/negotiate/kerberos/README 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/auth/negotiate/kerberos/README 2017-04-02 19:43:45.000000000 +1200 
@@ -53,7 +53,7 @@ export KRB5_KTNAME If you use a different Kerberos domain than the machine itself is in you can point squid to -the seperate Kerberos config file by setting the following environmnet variable in the startup +the separate Kerberos config file by setting the following environment variable in the startup script. KRB5_CONFIG=/etc/krb-squid5.conf diff -u -r -N squid-4.0.18/src/auth/negotiate/Makefile.in squid-4.0.19/src/auth/negotiate/Makefile.in --- squid-4.0.18/src/auth/negotiate/Makefile.in 2017-02-06 10:17:47.000000000 +1300 +++ squid-4.0.19/src/auth/negotiate/Makefile.in 2017-04-02 19:45:57.000000000 +1200 @@ -584,7 +584,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/negotiate/SSPI/Makefile.in squid-4.0.19/src/auth/negotiate/SSPI/Makefile.in --- squid-4.0.18/src/auth/negotiate/SSPI/Makefile.in 2017-02-06 10:17:48.000000000 +1300 +++ squid-4.0.19/src/auth/negotiate/SSPI/Makefile.in 2017-04-02 19:45:58.000000000 +1200 @@ -531,7 +531,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/negotiate/wrapper/Makefile.in squid-4.0.19/src/auth/negotiate/wrapper/Makefile.in --- squid-4.0.18/src/auth/negotiate/wrapper/Makefile.in 2017-02-06 10:17:49.000000000 +1300 +++ squid-4.0.19/src/auth/negotiate/wrapper/Makefile.in 2017-04-02 19:45:59.000000000 +1200 
@@ -531,7 +531,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/ntlm/fake/Makefile.in squid-4.0.19/src/auth/ntlm/fake/Makefile.in --- squid-4.0.18/src/auth/ntlm/fake/Makefile.in 2017-02-06 10:17:51.000000000 +1300 +++ squid-4.0.19/src/auth/ntlm/fake/Makefile.in 2017-04-02 19:46:02.000000000 +1200 @@ -533,7 +533,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/ntlm/Makefile.in squid-4.0.19/src/auth/ntlm/Makefile.in --- squid-4.0.18/src/auth/ntlm/Makefile.in 2017-02-06 10:17:49.000000000 +1300 +++ squid-4.0.19/src/auth/ntlm/Makefile.in 2017-04-02 19:46:00.000000000 +1200 @@ -583,7 +583,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/ntlm/SMB_LM/Makefile.in squid-4.0.19/src/auth/ntlm/SMB_LM/Makefile.in --- squid-4.0.18/src/auth/ntlm/SMB_LM/Makefile.in 2017-02-06 10:17:50.000000000 +1300 +++ squid-4.0.19/src/auth/ntlm/SMB_LM/Makefile.in 2017-04-02 19:46:00.000000000 +1200 @@ -535,7 +535,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/auth/ntlm/SSPI/Makefile.in squid-4.0.19/src/auth/ntlm/SSPI/Makefile.in --- squid-4.0.18/src/auth/ntlm/SSPI/Makefile.in 2017-02-06 10:17:50.000000000 +1300 +++ squid-4.0.19/src/auth/ntlm/SSPI/Makefile.in 2017-04-02 19:46:01.000000000 +1200 
@@ -536,7 +536,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/base/Makefile.in squid-4.0.19/src/base/Makefile.in --- squid-4.0.18/src/base/Makefile.in 2017-02-06 10:17:52.000000000 +1300 +++ squid-4.0.19/src/base/Makefile.in 2017-04-02 19:46:02.000000000 +1200 @@ -545,7 +545,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/cf.data.pre squid-4.0.19/src/cf.data.pre --- squid-4.0.18/src/cf.data.pre 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/cf.data.pre 2017-04-02 19:43:45.000000000 +1200 @@ -2584,15 +2584,11 @@ To control SSLv3 use the options= parameter. Supported Values: 1.0 (default), 1.1, 1.2 - options=... Specify various TLS/SSL implementation options: + options=... Specify various TLS/SSL implementation options. - NO_SSLv3 Disallow the use of SSLv3 - - NO_TLSv1 Disallow the use of TLSv1.0 + OpenSSL options most important are: - NO_TLSv1_1 Disallow the use of TLSv1.1 - - NO_TLSv1_2 Disallow the use of TLSv1.2 + NO_SSLv3 Disallow the use of SSLv3 SINGLE_DH_USE Always create a new key when using 
@@ -2609,8 +2605,21 @@ Be warned that this reduces SSL/TLS strength to some attacks. - See the OpenSSL SSL_CTX_set_options documentation for a - more complete list. + See the OpenSSL SSL_CTX_set_options documentation + for a more complete list. + + GnuTLS options most important are: + + %NO_TICKETS + Disable use of RFC5077 session tickets. + Some servers may have problems + understanding the TLS extension due + to ambiguous specification in RFC4507. + + See the GnuTLS Priority Strings documentation + for a more complete list. + http://www.gnutls.org/manual/gnutls.html#Priority-Strings + cafile= PEM file containing CA certificates to use when verifying the peer certificate. May be repeated to load multiple files. @@ -3346,18 +3355,14 @@ tls-min-version=1.N The minimum TLS protocol version to permit. To control - SSLv3 use the ssloptions= parameter. + SSLv3 use the tls-options= parameter. Supported Values: 1.0 (default), 1.1, 1.2 - ssloptions=... Specify various SSL implementation options: + tls-options=... Specify various TLS implementation options. - NO_SSLv3 Disallow the use of SSLv3 - - NO_TLSv1 Disallow the use of TLSv1.0 + OpenSSL options most important are: - NO_TLSv1_1 Disallow the use of TLSv1.1 - - NO_TLSv1_2 Disallow the use of TLSv1.2 + NO_SSLv3 Disallow the use of SSLv3 SINGLE_DH_USE Always create a new key when using @@ -3376,7 +3381,19 @@ See the OpenSSL SSL_CTX_set_options documentation for a more complete list. - + + GnuTLS options most important are: + + %NO_TICKETS + Disable use of RFC5077 session tickets. + Some servers may have problems + understanding the TLS extension due + to ambiguous specification in RFC4507. + + See the GnuTLS Priority Strings documentation + for a more complete list. + http://www.gnutls.org/manual/gnutls.html#Priority-Strings + tls-cafile= PEM file containing CA certificates to use when verifying the peer certificate. May be repeated to load multiple files. 
@@ -5577,7 +5594,9 @@ will be considered fresh. 'Max' is an upper limit on how long objects without an explicit - expiry time will be considered fresh. + expiry time will be considered fresh. The value is also used + to form Cache-Control: max-age header for a request sent from + Squid to origin/parent. options: override-expire override-lastmod @@ -8671,17 +8690,13 @@ tls-min-version=1.N The minimum TLS protocol version to permit. To control - SSLv3 use the ssloptions= parameter. + SSLv3 use the tls-options= parameter. Supported Values: 1.0 (default), 1.1, 1.2 tls-options=... Specify various OpenSSL library options: NO_SSLv3 Disallow the use of SSLv3 - NO_TLSv1 Disallow the use of TLSv1.0 - NO_TLSv1_1 Disallow the use of TLSv1.1 - NO_TLSv1_2 Disallow the use of TLSv1.2 - SINGLE_DH_USE Always create a new key when using temporary/ephemeral DH key exchanges diff -u -r -N squid-4.0.18/src/clients/FtpGateway.cc squid-4.0.19/src/clients/FtpGateway.cc --- squid-4.0.18/src/clients/FtpGateway.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/clients/FtpGateway.cc 2017-04-02 19:43:45.000000000 +1200 @@ -154,8 +154,8 @@ virtual void timeout(const CommTimeoutCbParams &io); void ftpAcceptDataConnection(const CommAcceptCbParams &io); - static HttpReply *ftpAuthRequired(HttpRequest * request, const char *realm); - const char *ftpRealm(void); + static HttpReply *ftpAuthRequired(HttpRequest * request, SBuf &realm); + SBuf ftpRealm(); void loginFailed(void); virtual void haveParsedReplyHeaders(); @@ -189,7 +189,7 @@ char *link; } ftpListParts; -#define CTRL_BUFLEN 1024 +#define CTRL_BUFLEN 16*1024 static char cbuf[CTRL_BUFLEN]; /* @@ -1163,7 +1163,8 @@ { if (!checkAuth(&request->header)) { /* create appropriate reply */ - HttpReply *reply = ftpAuthRequired(request, ftpRealm()); + SBuf realm(ftpRealm()); // local copy so SBuf wont disappear too early + HttpReply *reply = ftpAuthRequired(request, realm); entry->replaceHttpReply(reply); serverComplete(); return; 
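Review bot: `#define CTRL_BUFLEN 16*1024` in FtpGateway.cc expands without parentheses, so any use inside a larger expression (`x / CTRL_BUFLEN`, `x % CTRL_BUFLEN`) would bind to the `16` alone. The one use visible in the hunk, `static char cbuf[CTRL_BUFLEN];`, is unaffected, but the other uses of the macro are outside the hunk. Write it as `#define CTRL_BUFLEN (16*1024)`.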
@@ -1264,7 +1265,9 @@ #if HAVE_AUTH_MODULE_BASIC /* add Authenticate header */ - newrep->header.putAuth("Basic", ftpRealm()); + // XXX: performance regression. c_str() may reallocate + SBuf realm(ftpRealm()); // local copy so SBuf wont disappear too early + newrep->header.putAuth("Basic", realm.c_str()); #endif // add it to the store entry for response.... @@ -1272,18 +1275,19 @@ serverComplete(); } -const char * +SBuf Ftp::Gateway::ftpRealm() { - static char realm[8192]; + SBuf realm; /* This request is not fully authenticated */ - if (!request) { - snprintf(realm, 8192, "FTP %s unknown", user); - } else if (request->url.port() == 21) { - snprintf(realm, 8192, "FTP %s %s", user, request->url.host()); - } else { - snprintf(realm, 8192, "FTP %s %s port %d", user, request->url.host(), request->url.port()); + realm.appendf("FTP %s ", user); + if (!request) + realm.append("unknown", 7); + else { + realm.append(request->url.host()); + if (request->url.port() != 21) + realm.appendf(" port %d", request->url.port()); } return realm; } @@ -1744,7 +1748,7 @@ // ABORT on timeouts. server may be waiting on a broken TCP link. if (io.xerrno == Comm::TIMEOUT) - writeCommand("ABOR"); + writeCommand("ABOR\r\n"); // try another connection attempt with some other method ftpSendPassive(this); 
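Review bot: `Ftp::Gateway::ftpRealm()` now builds the realm from `user` and `request->url.host()` with no length bound and no visible escaping, and the result is passed straight to `putAuth("Basic", realm.c_str())`. The old `snprintf` at least capped the string at 8192 bytes. Whether `putAuth` quotes or sanitises the value is not visible here, so it is worth confirming that a `"` or control character in the URL login cannot alter the Authenticate header, and recording that in a comment on `ftpRealm()`. Separately, `realm.append("unknown", 7)` hard-codes the literal's length; `realm.append("unknown")`, the single-argument form already used for the host, avoids the count drifting from the text.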
@@ -2643,13 +2647,14 @@ } HttpReply * -Ftp::Gateway::ftpAuthRequired(HttpRequest * request, const char *realm) +Ftp::Gateway::ftpAuthRequired(HttpRequest * request, SBuf &realm) { ErrorState err(ERR_CACHE_ACCESS_DENIED, Http::scUnauthorized, request); HttpReply *newrep = err.BuildHttpReply(); #if HAVE_AUTH_MODULE_BASIC /* add Authenticate header */ - newrep->header.putAuth("Basic", realm); + // XXX: performance regression. c_str() may reallocate + newrep->header.putAuth("Basic", realm.c_str()); #endif return newrep; } diff -u -r -N squid-4.0.18/src/clients/Makefile.in squid-4.0.19/src/clients/Makefile.in --- squid-4.0.18/src/clients/Makefile.in 2017-02-06 10:17:52.000000000 +1300 +++ squid-4.0.19/src/clients/Makefile.in 2017-04-02 19:46:03.000000000 +1200 @@ -544,7 +544,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/client_side.cc squid-4.0.19/src/client_side.cc --- squid-4.0.18/src/client_side.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/client_side.cc 2017-04-02 19:43:45.000000000 +1200 @@ -1998,11 +1998,6 @@ if ((clientConnection->flags & COMM_TRANSPARENT)) clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP. debugs(33, 5, "PROXY/1.0 upgrade: " << clientConnection); - - // repeat fetch ensuring the new client FQDN can be logged - if (Config.onoff.log_fqdn) - fqdncache_gethostbyaddr(clientConnection->remote, FQDN_LOOKUP_IF_MISS); - return true; } else if (tok.skip(unknown)) { @@ -2101,11 +2096,6 @@ break; } debugs(33, 5, "PROXY/2.0 upgrade: " << clientConnection); - - // repeat fetch ensuring the new client FQDN can be logged - if (Config.onoff.log_fqdn) - fqdncache_gethostbyaddr(clientConnection->remote, FQDN_LOOKUP_IF_MISS); - return true; } 
@@ -2144,8 +2134,14 @@ break; // try to parse the PROXY protocol header magic bytes - if (needProxyProtocolHeader_ && !parseProxyProtocolHeader()) - break; + if (needProxyProtocolHeader_) { + if (!parseProxyProtocolHeader()) + break; + + // we have been waiting for PROXY to provide client-IP + // for some lookups, ie rDNS and IDENT. + whenClientIpKnown(); + } if (Http::StreamPointer context = parseOneRequest()) { debugs(33, 5, clientConnection << ": done parsing a request"); @@ -2461,6 +2457,18 @@ AsyncCall::Pointer call = JobCallback(33, 5, Dialer, this, ConnStateData::connStateClosed); comm_add_close_handler(clientConnection->fd, call); + needProxyProtocolHeader_ = port->flags.proxySurrogate; + if (needProxyProtocolHeader_) { + if (!proxyProtocolValidateClient()) // will close the connection on failure + return; + } else + whenClientIpKnown(); + +} + +void +ConnStateData::whenClientIpKnown() +{ if (Config.onoff.log_fqdn) fqdncache_gethostbyaddr(clientConnection->remote, FQDN_LOOKUP_IF_MISS); @@ -2476,12 +2484,6 @@ clientdbEstablished(clientConnection->remote, 1); - needProxyProtocolHeader_ = port->flags.proxySurrogate; - if (needProxyProtocolHeader_) { - if (!proxyProtocolValidateClient()) // will close the connection on failure - return; - } - #if USE_DELAY_POOLS fd_table[clientConnection->fd].clientInfo = NULL; @@ -2558,13 +2560,12 @@ } #if USE_OPENSSL - -/** Create SSL connection structure and update fd_table */ +/// Create TLS connection structure and update fd_table static bool httpsCreate(const Comm::ConnectionPointer &conn, const Security::ContextPointer &ctx) { - if (Ssl::CreateServer(ctx, conn, "client https start")) { - debugs(33, 5, "will negotate SSL on " << conn); + if (Security::CreateServerSession(ctx, conn, "client https start")) { + debugs(33, 5, "will negotiate TLS on " << conn); return true; } 
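Review bot: `whenClientIpKnown()` in the parsing loop runs whenever control reaches this block with `needProxyProtocolHeader_` still set, so running it once per connection depends on `parseProxyProtocolHeader()` clearing that flag on success; that function is not in the hunk. The callee appears to have once-only side effects (`clientdbEstablished(..., 1)` is visible as context in a later hunk), so the dependency should be stated at the call, e.g. `// parseProxyProtocolHeader() cleared needProxyProtocolHeader_, so this runs once per connection`. The enclosing loop starts and ends outside the hunk.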
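Review bot: On `proxySurrogate` ports, `start()` now defers everything in `whenClientIpKnown()` until a PROXY header has been parsed, which appears to include `clientdbEstablished(clientConnection->remote, 1)` shown as context in the following hunk. A connection that closes before sending a valid PROXY header would then never be counted, and the matching decrement on close is not visible here; confirm it is skipped when `whenClientIpKnown()` never ran, otherwise the per-client connection count can go out of step. The new `else` should also carry braces to match the braced `if`, and the blank line before the closing `}` of `start()` can go.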
@@ -2853,8 +2854,7 @@ if (!ret) debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode"); - Security::ContextPointer ctx; - ctx.resetAndLock(SSL_get_SSL_CTX(ssl)); + Security::ContextPointer ctx(Security::GetFrom(fd_table[clientConnection->fd].ssl)); Ssl::configureUnconfiguredSslContext(ctx, signAlgorithm, *port); } else { Security::ContextPointer ctx(Ssl::generateSslContextUsingPkeyAndCertFromMemory(reply_message.getBody().c_str(), *port)); @@ -3009,8 +3009,7 @@ if (!Ssl::configureSSL(ssl, certProperties, *port)) debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode"); - Security::ContextPointer ctx; - ctx.resetAndLock(SSL_get_SSL_CTX(ssl)); + Security::ContextPointer ctx(Security::GetFrom(fd_table[clientConnection->fd].ssl)); Ssl::configureUnconfiguredSslContext(ctx, certProperties.signAlgorithm, *port); } else { Security::ContextPointer dynCtx(Ssl::generateSslContext(certProperties, *port)); diff -u -r -N squid-4.0.18/src/client_side.h squid-4.0.19/src/client_side.h --- squid-4.0.18/src/client_side.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/client_side.h 2017-04-02 19:43:45.000000000 +1200 @@ -328,6 +328,10 @@ /// timeout to use when waiting for the next request virtual time_t idleTimeout() const = 0; + /// Perform client data lookups that depend on client src-IP. + /// The PROXY protocol may require some data input first. + void whenClientIpKnown(); + BodyPipe::Pointer bodyPipe; ///< set when we are reading request body private: diff -u -r -N squid-4.0.18/src/client_side_reply.cc squid-4.0.19/src/client_side_reply.cc --- squid-4.0.18/src/client_side_reply.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/client_side_reply.cc 2017-04-02 19:43:45.000000000 +1200 
@@ -1594,19 +1594,8 @@ hdr->putStr(Http::HdrType::TRANSFER_ENCODING, "chunked"); } - /* Append VIA */ - if (Config.onoff.via) { - LOCAL_ARRAY(char, bbuf, MAX_URL + 32); - String strVia; - hdr->getList(Http::HdrType::VIA, &strVia); - snprintf(bbuf, MAX_URL + 32, "%d.%d %s", - reply->sline.version.major, - reply->sline.version.minor, - ThisCache); - strListAdd(&strVia, bbuf, ','); - hdr->delById(Http::HdrType::VIA); - hdr->putStr(Http::HdrType::VIA, strVia.termedBuf()); - } + hdr->addVia(reply->sline.version); + /* Signal keep-alive or close explicitly */ hdr->putStr(Http::HdrType::CONNECTION, request->flags.proxyKeepalive ? "keep-alive" : "close"); diff -u -r -N squid-4.0.18/src/client_side_request.cc squid-4.0.19/src/client_side_request.cc --- squid-4.0.18/src/client_side_request.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/client_side_request.cc 2017-04-02 19:43:45.000000000 +1200 @@ -1452,6 +1452,13 @@ return false; } + if (error) { + debugs(85, 5, "SslBump applies. Force bump action on error " << errorTypeName(error->type)); + http->sslBumpNeed(Ssl::bumpBump); + http->al->ssl.bumpMode = Ssl::bumpBump; + return false; + } + debugs(85, 5, HERE << "SslBump possible, checking ACL"); ACLFilledChecklist *aclChecklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http); 
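Review bot: The added `if (error)` branch in client_side_request.cc sets `Ssl::bumpBump` and returns before the `ssl_bump` ACL checklist below is created, so the configured rules are never consulted for a transaction that already carries an error. If that is the intent, it should be stated on the branch rather than only in a level-5 debug line, e.g. `// ssl_bump rules are deliberately not evaluated: the error is served inside the bumped connection`. The branch also dereferences `http->al` without a check; whether it can be null at this point is not visible in the hunk. The function's start and end are outside the hunk.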
@@ -1787,8 +1794,9 @@ } #if USE_OPENSSL - // We need to check for SslBump even if the calloutContext->error is set - // because bumping may require delaying the error until after CONNECT. + // Even with calloutContext->error, we call sslBumpAccessCheck() to decide + // whether SslBump applies to this transaction. If it applies, we will + // attempt to bump the client to serve the error. if (!calloutContext->sslBumpCheckDone) { calloutContext->sslBumpCheckDone = true; if (calloutContext->sslBumpAccessCheck()) diff -u -r -N squid-4.0.18/src/comm/Makefile.in squid-4.0.19/src/comm/Makefile.in --- squid-4.0.18/src/comm/Makefile.in 2017-02-06 10:17:53.000000000 +1300 +++ squid-4.0.19/src/comm/Makefile.in 2017-04-02 19:46:03.000000000 +1200 @@ -546,7 +546,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/comm.cc squid-4.0.19/src/comm.cc --- squid-4.0.18/src/comm.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/comm.cc 2017-04-02 19:43:45.000000000 +1200 @@ -764,10 +764,7 @@ void comm_lingering_close(int fd) { -#if USE_OPENSSL - if (fd_table[fd].ssl) - ssl_shutdown_method(fd_table[fd].ssl); -#endif + Security::SessionSendGoodbye(fd_table[fd].ssl); if (shutdown(fd, 1) < 0) { comm_close(fd); @@ -825,14 +822,11 @@ comm_close(fd); } -#if USE_OPENSSL void -commStartSslClose(const FdeCbParams ¶ms) +commStartTlsClose(const FdeCbParams ¶ms) { - assert(fd_table[params.fd].ssl); - ssl_shutdown_method(fd_table[params.fd].ssl.get()); + Security::SessionSendGoodbye(fd_table[params.fd].ssl); } -#endif void comm_close_complete(const FdeCbParams ¶ms) 
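Review bot: Both comm.cc call sites now hand `fd_table[fd].ssl` to `Security::SessionSendGoodbye()` unconditionally: `comm_lingering_close()` lost its `if (fd_table[fd].ssl)` guard and `commStartTlsClose()` lost its `assert`. `comm_lingering_close()` is presumably reached for plain TCP descriptors too, so this is only safe if `SessionSendGoodbye()` does nothing for an empty session; its definition is not in these hunks. If it does, say so at the call, e.g. `// no-op when the FD has no TLS session`; if not, keep the guard: `if (fd_table[fd].ssl) Security::SessionSendGoodbye(fd_table[fd].ssl);`.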
@@ -890,15 +884,13 @@ F->flags.close_request = true; -#if USE_OPENSSL if (F->ssl) { - AsyncCall::Pointer startCall=commCbCall(5,4, "commStartSslClose", - FdeCbPtrFun(commStartSslClose, NULL)); + AsyncCall::Pointer startCall=commCbCall(5,4, "commStartTlsClose", + FdeCbPtrFun(commStartTlsClose, nullptr)); FdeCbParams &startParams = GetCommParams(startCall); startParams.fd = fd; ScheduleCallHere(startCall); } -#endif // a half-closed fd may lack a reader, so we stop monitoring explicitly if (commHasHalfClosedMonitor(fd)) diff -u -r -N squid-4.0.18/src/delay_pools.cc squid-4.0.19/src/delay_pools.cc --- squid-4.0.18/src/delay_pools.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/delay_pools.cc 2017-04-02 19:43:45.000000000 +1200 @@ -107,6 +107,7 @@ /// \ingroup DelayPoolsInternal class VectorPool : public CompositePoolNode { + MEMPROXY_CLASS(VectorPool); public: typedef RefCount Pointer; @@ -189,6 +190,7 @@ /// \ingroup DelayPoolsInternal class ClassCHostPool : public CompositePoolNode { + MEMPROXY_CLASS(ClassCHostPool); public: typedef RefCount Pointer; diff -u -r -N squid-4.0.18/src/DiskIO/AIO/Makefile.in squid-4.0.19/src/DiskIO/AIO/Makefile.in --- squid-4.0.18/src/DiskIO/AIO/Makefile.in 2017-02-06 10:17:20.000000000 +1300 +++ squid-4.0.19/src/DiskIO/AIO/Makefile.in 2017-04-02 19:45:27.000000000 +1200 @@ -552,7 +552,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/DiskIO/Blocking/Makefile.in squid-4.0.19/src/DiskIO/Blocking/Makefile.in --- squid-4.0.18/src/DiskIO/Blocking/Makefile.in 2017-02-06 10:17:21.000000000 +1300 +++ squid-4.0.19/src/DiskIO/Blocking/Makefile.in 2017-04-02 19:45:28.000000000 +1200 
@@ -544,7 +544,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/DiskIO/DiskDaemon/Makefile.in squid-4.0.19/src/DiskIO/DiskDaemon/Makefile.in --- squid-4.0.18/src/DiskIO/DiskDaemon/Makefile.in 2017-02-06 10:17:22.000000000 +1300 +++ squid-4.0.19/src/DiskIO/DiskDaemon/Makefile.in 2017-04-02 19:45:28.000000000 +1200 @@ -560,7 +560,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/DiskIO/DiskThreads/aiops.cc squid-4.0.19/src/DiskIO/DiskThreads/aiops.cc --- squid-4.0.18/src/DiskIO/DiskThreads/aiops.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/DiskIO/DiskThreads/aiops.cc 2017-04-02 19:43:45.000000000 +1200 @@ -296,7 +296,7 @@ /* Create threads and get them to sit in their wait loop */ squidaio_thread_pool = memPoolCreate("aio_thread", sizeof(squidaio_thread_t)); - assert(NUMTHREADS); + assert(NUMTHREADS != 0); for (i = 0; i < NUMTHREADS; ++i) { threadp = (squidaio_thread_t *)squidaio_thread_pool->alloc(); diff -u -r -N squid-4.0.18/src/DiskIO/DiskThreads/Makefile.in squid-4.0.19/src/DiskIO/DiskThreads/Makefile.in --- squid-4.0.18/src/DiskIO/DiskThreads/Makefile.in 2017-02-06 10:17:22.000000000 +1300 +++ squid-4.0.19/src/DiskIO/DiskThreads/Makefile.in 2017-04-02 19:45:29.000000000 +1200 @@ -554,7 +554,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/DiskIO/IpcIo/Makefile.in squid-4.0.19/src/DiskIO/IpcIo/Makefile.in --- squid-4.0.18/src/DiskIO/IpcIo/Makefile.in 2017-02-06 10:17:23.000000000 +1300 +++ squid-4.0.19/src/DiskIO/IpcIo/Makefile.in 2017-04-02 19:45:29.000000000 +1200 
@@ -544,7 +544,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/DiskIO/Makefile.in squid-4.0.19/src/DiskIO/Makefile.in --- squid-4.0.18/src/DiskIO/Makefile.in 2017-02-06 10:17:23.000000000 +1300 +++ squid-4.0.19/src/DiskIO/Makefile.in 2017-04-02 19:45:30.000000000 +1200 @@ -606,7 +606,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/DiskIO/Mmapped/Makefile.in squid-4.0.19/src/DiskIO/Mmapped/Makefile.in --- squid-4.0.18/src/DiskIO/Mmapped/Makefile.in 2017-02-06 10:17:24.000000000 +1300 +++ squid-4.0.19/src/DiskIO/Mmapped/Makefile.in 2017-04-02 19:45:30.000000000 +1200 @@ -544,7 +544,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/dns/Makefile.in squid-4.0.19/src/dns/Makefile.in --- squid-4.0.18/src/dns/Makefile.in 2017-02-06 10:17:53.000000000 +1300 +++ squid-4.0.19/src/dns/Makefile.in 2017-04-02 19:46:04.000000000 +1200 @@ -544,7 +544,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/esi/Makefile.in squid-4.0.19/src/esi/Makefile.in --- squid-4.0.18/src/esi/Makefile.in 2017-02-06 10:17:54.000000000 +1300 +++ squid-4.0.19/src/esi/Makefile.in 2017-04-02 19:46:05.000000000 +1200 
@@ -563,7 +563,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/eui/Makefile.in squid-4.0.19/src/eui/Makefile.in --- squid-4.0.18/src/eui/Makefile.in 2017-02-06 10:17:55.000000000 +1300 +++ squid-4.0.19/src/eui/Makefile.in 2017-04-02 19:46:05.000000000 +1200 @@ -544,7 +544,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/fde.cc squid-4.0.19/src/fde.cc --- squid-4.0.18/src/fde.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/fde.cc 2017-04-02 19:43:45.000000000 +1200 @@ -86,15 +86,15 @@ char const * fde::remoteAddr() const { - LOCAL_ARRAY(char, buf, MAX_IPSTRLEN ); + static char buf[MAX_IPSTRLEN+7]; // 7 = length of ':port' strings if (type != FD_SOCKET) return null_string; if ( *ipaddr ) - snprintf( buf, MAX_IPSTRLEN, "%s:%d", ipaddr, (int)remote_port); + snprintf(buf, sizeof(buf), "%s:%u", ipaddr, remote_port); else - local_addr.toUrl(buf,MAX_IPSTRLEN); // toHostStr does not include port. + local_addr.toUrl(buf, sizeof(buf)); // toHostStr does not include port. return buf; } diff -u -r -N squid-4.0.18/src/format/Format.cc squid-4.0.19/src/format/Format.cc --- squid-4.0.18/src/format/Format.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/format/Format.cc 2017-04-02 19:43:45.000000000 +1200 @@ -21,6 +21,7 @@ #include "HttpRequest.h" #include "MemBuf.h" #include "rfc1738.h" +#include "sbuf/StringConvert.h" #include "security/CertError.h" #include "security/NegotiationHistory.h" #include "SquidTime.h" 
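Review bot: In the fde.cc hunk, `remote_port` is now passed to `%u` without a cast. Its declaration is not in the hunk, but if it is a 16-bit type the default promotion hands snprintf an `int`, so `static_cast<unsigned int>(remote_port)` would keep the argument matching the format. remoteAddr() also returns a pointer into a function-static buffer that the next call overwrites; a comment on the declaration such as `// result is valid only until the next remoteAddr() call` would record that for callers.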
@@ -365,11 +366,11 @@ void Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logSequenceNumber) const { - char tmp[1024]; - String sb; + static char tmp[1024]; + SBuf sb; - for (Token *fmt = format; fmt != NULL; fmt = fmt->next) { /* for each token */ - const char *out = NULL; + for (Token *fmt = format; fmt; fmt = fmt->next) { /* for each token */ + const char *out = nullptr; int quote = 0; long int outint = 0; int doint = 0; @@ -400,10 +401,10 @@ out = "-"; else out = fqdncache_gethostbyaddr(al->cache.caddr, FQDN_LOOKUP_IF_MISS); + if (!out) { - out = al->cache.caddr.toStr(tmp,1024); + out = al->cache.caddr.toStr(tmp, sizeof(tmp)); } - break; case LFT_CLIENT_PORT: @@ -419,11 +420,13 @@ case LFT_CLIENT_EUI: #if USE_SQUID_EUI // TODO make the ACL checklist have a direct link to any TCP details. - if (al->request && al->request->clientConnectionManager.valid() && al->request->clientConnectionManager->clientConnection != NULL) { - if (al->request->clientConnectionManager->clientConnection->remote.isIPv4()) - al->request->clientConnectionManager->clientConnection->remoteEui48.encode(tmp, 1024); + if (al->request && al->request->clientConnectionManager.valid() && + al->request->clientConnectionManager->clientConnection) { + const auto &conn = al->request->clientConnectionManager->clientConnection; + if (conn->remote.isIPv4()) + conn->remoteEui48.encode(tmp, sizeof(tmp)); else - al->request->clientConnectionManager->clientConnection->remoteEui64.encode(tmp, 1024); + conn->remoteEui64.encode(tmp, sizeof(tmp)); out = tmp; } #endif 
@@ -432,9 +435,9 @@ case LFT_EXT_ACL_CLIENT_EUI48: #if USE_SQUID_EUI if (al->request && al->request->clientConnectionManager.valid() && - al->request->clientConnectionManager->clientConnection != NULL && + al->request->clientConnectionManager->clientConnection && al->request->clientConnectionManager->clientConnection->remote.isIPv4()) { - al->request->clientConnectionManager->clientConnection->remoteEui48.encode(tmp, 1024); + al->request->clientConnectionManager->clientConnection->remoteEui48.encode(tmp, sizeof(tmp)); out = tmp; } #endif @@ -443,18 +446,17 @@ case LFT_EXT_ACL_CLIENT_EUI64: #if USE_SQUID_EUI if (al->request && al->request->clientConnectionManager.valid() && - al->request->clientConnectionManager->clientConnection != NULL && + al->request->clientConnectionManager->clientConnection && !al->request->clientConnectionManager->clientConnection->remote.isIPv4()) { - al->request->clientConnectionManager->clientConnection->remoteEui64.encode(tmp, 1024); + al->request->clientConnectionManager->clientConnection->remoteEui64.encode(tmp, sizeof(tmp)); out = tmp; } #endif break; case LFT_SERVER_IP_ADDRESS: - if (al->hier.tcpServer != NULL) { - out = al->hier.tcpServer->remote.toStr(tmp,sizeof(tmp)); - } + if (al->hier.tcpServer) + out = al->hier.tcpServer->remote.toStr(tmp, sizeof(tmp)); break; case LFT_SERVER_FQDN_OR_PEER_NAME: @@ -462,7 +464,7 @@ break; case LFT_SERVER_PORT: - if (al->hier.tcpServer != NULL) { + if (al->hier.tcpServer) { outint = al->hier.tcpServer->remote.port(); doint = 1; } 
@@ -472,39 +474,38 @@ // avoid logging a dash if we have reliable info const bool interceptedAtKnownPort = al->request ? (al->request->flags.interceptTproxy || - al->request->flags.intercepted) && al->cache.port != NULL : + al->request->flags.intercepted) && al->cache.port : false; if (interceptedAtKnownPort) { const bool portAddressConfigured = !al->cache.port->s.isAnyAddr(); if (portAddressConfigured) out = al->cache.port->s.toStr(tmp, sizeof(tmp)); - } else if (al->tcpClient != NULL) + } else if (al->tcpClient) out = al->tcpClient->local.toStr(tmp, sizeof(tmp)); } break; case LFT_CLIENT_LOCAL_IP: - if (al->tcpClient != NULL) { - out = al->tcpClient->local.toStr(tmp,sizeof(tmp)); - } + if (al->tcpClient) + out = al->tcpClient->local.toStr(tmp, sizeof(tmp)); break; case LFT_CLIENT_LOCAL_TOS: - if (al->tcpClient != NULL) { - snprintf(tmp, sizeof(tmp), "0x%x", (uint32_t)al->tcpClient->tos); - out = tmp; + if (al->tcpClient) { + sb.appendf("0x%x", static_cast(al->tcpClient->tos)); + out = sb.c_str(); } break; case LFT_CLIENT_LOCAL_NFMARK: - if (al->tcpClient != NULL) { - snprintf(tmp, sizeof(tmp), "0x%x", al->tcpClient->nfmark); - out = tmp; + if (al->tcpClient) { + sb.appendf("0x%x", al->tcpClient->nfmark); + out = sb.c_str(); } break; case LFT_LOCAL_LISTENING_PORT: - if (al->cache.port != NULL) { + if (al->cache.port) { outint = al->cache.port->s.port(); doint = 1; } else if (al->request) { @@ -514,7 +515,7 @@ break; case LFT_CLIENT_LOCAL_PORT: - if (al->tcpClient != NULL) { + if (al->tcpClient) { outint = al->tcpClient->local.port(); doint = 1; } 
@@ -522,30 +523,28 @@ case LFT_SERVER_LOCAL_IP_OLD_27: case LFT_SERVER_LOCAL_IP: - if (al->hier.tcpServer != NULL) { - out = al->hier.tcpServer->local.toStr(tmp,sizeof(tmp)); - } + if (al->hier.tcpServer) + out = al->hier.tcpServer->local.toStr(tmp, sizeof(tmp)); break; case LFT_SERVER_LOCAL_PORT: - if (al->hier.tcpServer != NULL) { + if (al->hier.tcpServer) { outint = al->hier.tcpServer->local.port(); doint = 1; } - break; case LFT_SERVER_LOCAL_TOS: - if (al->hier.tcpServer != NULL) { - snprintf(tmp, sizeof(tmp), "0x%x", (uint32_t)al->hier.tcpServer->tos); - out = tmp; + if (al->hier.tcpServer) { + sb.appendf("0x%x", static_cast(al->hier.tcpServer->tos)); + out = sb.c_str(); } break; case LFT_SERVER_LOCAL_NFMARK: - if (al->hier.tcpServer != NULL) { - snprintf(tmp, sizeof(tmp), "0x%x", al->hier.tcpServer->nfmark); - out = tmp; + if (al->hier.tcpServer) { + sb.appendf("0x%x", al->hier.tcpServer->nfmark); + out = sb.c_str(); } break; @@ -561,10 +560,8 @@ break; case LFT_TIME_LOCALTIME: - case LFT_TIME_GMT: { const char *spec; - struct tm *t; spec = fmt->data.string; @@ -580,10 +577,8 @@ } strftime(tmp, sizeof(tmp), spec, t); - out = tmp; } - break; case LFT_TIME_START: @@ -597,9 +592,7 @@ break; case LFT_PEER_RESPONSE_TIME: - if (al->hier.peer_response_time.tv_sec == -1) { - out = "-"; - } else { + if (al->hier.peer_response_time.tv_sec != -1) { outtv = al->hier.peer_response_time; doMsec = 1; } @@ -608,9 +601,7 @@ case LFT_TOTAL_SERVER_SIDE_RESPONSE_TIME: { timeval total_response_time; al->hier.totalResponseTime(total_response_time); - if (total_response_time.tv_sec == -1) { - out = "-"; - } else { + if (total_response_time.tv_sec != -1) { outtv = total_response_time; doMsec = 1; } 
@@ -628,94 +619,81 @@ break; case LFT_REQUEST_HEADER: - if (const HttpMsg *msg = actualRequestHeader(al)) - sb = msg->header.getByName(fmt->data.header.header); - - out = sb.termedBuf(); - - quote = 1; - + if (const HttpMsg *msg = actualRequestHeader(al)) { + sb = StringToSBuf(msg->header.getByName(fmt->data.header.header)); + out = sb.c_str(); + quote = 1; + } break; case LFT_ADAPTED_REQUEST_HEADER: - - if (al->adapted_request) - sb = al->adapted_request->header.getByName(fmt->data.header.header); - - out = sb.termedBuf(); - - quote = 1; - + if (al->adapted_request) { + sb = StringToSBuf(al->adapted_request->header.getByName(fmt->data.header.header)); + out = sb.c_str(); + quote = 1; + } break; - case LFT_REPLY_HEADER: { - if (const HttpMsg *msg = actualReplyHeader(al)) - sb = msg->header.getByName(fmt->data.header.header); - - out = sb.termedBuf(); - - quote = 1; - } - break; + case LFT_REPLY_HEADER: + if (const HttpMsg *msg = actualReplyHeader(al)) { + sb = StringToSBuf(msg->header.getByName(fmt->data.header.header)); + out = sb.c_str(); + quote = 1; + } + break; #if USE_ADAPTATION case LFT_ADAPTATION_SUM_XACT_TIMES: if (al->request) { Adaptation::History::Pointer ah = al->request->adaptHistory(); - if (ah != NULL) + if (ah) { ah->sumLogString(fmt->data.string, sb); - out = sb.termedBuf(); + out = sb.c_str(); + } } break; case LFT_ADAPTATION_ALL_XACT_TIMES: if (al->request) { Adaptation::History::Pointer ah = al->request->adaptHistory(); - if (ah != NULL) + if (ah) { ah->allLogString(fmt->data.string, sb); - out = sb.termedBuf(); + out = sb.c_str(); + } } break; case LFT_ADAPTATION_LAST_HEADER: if (al->request) { const Adaptation::History::Pointer ah = al->request->adaptHistory(); - if (ah != NULL) // XXX: add adapt::allMeta.getByName(fmt->data.header.header); + if (ah) { // XXX: add adapt::allMeta.getByName(fmt->data.header.header)); + out = sb.c_str(); + quote = 1; + } } - - // XXX: here and elsewhere: move such code inside the if guard - out = sb.termedBuf(); 
- - quote = 1; - break; case LFT_ADAPTATION_LAST_HEADER_ELEM: if (al->request) { const Adaptation::History::Pointer ah = al->request->adaptHistory(); - if (ah != NULL) // XXX: add adapt::allMeta.getByNameListMember(fmt->data.header.header, fmt->data.header.element, fmt->data.header.separator); + if (ah) { // XXX: add adapt::allMeta.getByNameListMember(fmt->data.header.header, fmt->data.header.element, fmt->data.header.separator)); + out = sb.c_str(); + quote = 1; + } } - - out = sb.termedBuf(); - - quote = 1; - break; case LFT_ADAPTATION_LAST_ALL_HEADERS: out = al->adapt.last_meta; - quote = 1; - break; #endif #if ICAP_CLIENT case LFT_ICAP_ADDR: - if (!out) - out = al->icap.hostAddr.toStr(tmp,1024); + out = al->icap.hostAddr.toStr(tmp, sizeof(tmp)); break; case LFT_ICAP_SERV_NAME: 
@@ -750,65 +728,61 @@ break; case LFT_ICAP_REQ_HEADER: - if (NULL != al->icap.request) { - sb = al->icap.request->header.getByName(fmt->data.header.header); - out = sb.termedBuf(); + if (al->icap.request) { + sb = StringToSBuf(al->icap.request->header.getByName(fmt->data.header.header)); + out = sb.c_str(); quote = 1; } break; case LFT_ICAP_REQ_HEADER_ELEM: - if (al->icap.request) - sb = al->icap.request->header.getByNameListMember(fmt->data.header.header, fmt->data.header.element, fmt->data.header.separator); - - out = sb.termedBuf(); - - quote = 1; - + if (al->icap.request) { + sb = StringToSBuf(al->icap.request->header.getByNameListMember(fmt->data.header.header, fmt->data.header.element, fmt->data.header.separator)); + out = sb.c_str(); + quote = 1; + } break; case LFT_ICAP_REQ_ALL_HEADERS: if (al->icap.request) { HttpHeaderPos pos = HttpHeaderInitPos; while (const HttpHeaderEntry *e = al->icap.request->header.getEntry(&pos)) { - sb.append(e->name); + sb.append(StringToSBuf(e->name)); sb.append(": "); - sb.append(e->value); + sb.append(StringToSBuf(e->value)); sb.append("\r\n"); } - out = sb.termedBuf(); + out = sb.c_str(); quote = 1; } break; case LFT_ICAP_REP_HEADER: - if (NULL != al->icap.reply) { - sb = al->icap.reply->header.getByName(fmt->data.header.header); - out = sb.termedBuf(); + if (al->icap.reply) { + sb = StringToSBuf(al->icap.reply->header.getByName(fmt->data.header.header)); + out = sb.c_str(); quote = 1; } break; case LFT_ICAP_REP_HEADER_ELEM: - if (NULL != al->icap.reply) - sb = al->icap.reply->header.getByNameListMember(fmt->data.header.header, fmt->data.header.element, fmt->data.header.separator); - - out = sb.termedBuf(); - - quote = 1; - + if (al->icap.reply) { + sb = StringToSBuf(al->icap.reply->header.getByNameListMember(fmt->data.header.header, fmt->data.header.element, fmt->data.header.separator)); + out = sb.c_str(); + quote = 1; + } break; case LFT_ICAP_REP_ALL_HEADERS: if (al->icap.reply) { HttpHeaderPos pos = HttpHeaderInitPos; 
while (const HttpHeaderEntry *e = al->icap.reply->header.getEntry(&pos)) { - sb.append(e->name); + sb.append(StringToSBuf(e->name)); sb.append(": "); - sb.append(e->value); + sb.append(StringToSBuf(e->value)); sb.append("\r\n"); } - out = sb.termedBuf(); + out = sb.c_str(); quote = 1; } break; @@ -838,34 +812,28 @@ break; #endif case LFT_REQUEST_HEADER_ELEM: - if (const HttpMsg *msg = actualRequestHeader(al)) - sb = msg->header.getByNameListMember(fmt->data.header.header, fmt->data.header.element, fmt->data.header.separator); - - out = sb.termedBuf(); - - quote = 1; - + if (const HttpMsg *msg = actualRequestHeader(al)) { + sb = StringToSBuf(msg->header.getByNameListMember(fmt->data.header.header, fmt->data.header.element, fmt->data.header.separator)); + out = sb.c_str(); + quote = 1; + } break; case LFT_ADAPTED_REQUEST_HEADER_ELEM: - if (al->adapted_request) - sb = al->adapted_request->header.getByNameListMember(fmt->data.header.header, fmt->data.header.element, fmt->data.header.separator); - - out = sb.termedBuf(); - - quote = 1; - + if (al->adapted_request) { + sb = StringToSBuf(al->adapted_request->header.getByNameListMember(fmt->data.header.header, fmt->data.header.element, fmt->data.header.separator)); + out = sb.c_str(); + quote = 1; + } break; - case LFT_REPLY_HEADER_ELEM: { - if (const HttpMsg *msg = actualReplyHeader(al)) - sb = msg->header.getByNameListMember(fmt->data.header.header, fmt->data.header.element, fmt->data.header.separator); - - out = sb.termedBuf(); - - quote = 1; - } - break; + case LFT_REPLY_HEADER_ELEM: + if (const HttpMsg *msg = actualReplyHeader(al)) { + sb = StringToSBuf(msg->header.getByNameListMember(fmt->data.header.header, fmt->data.header.element, fmt->data.header.separator)); + out = sb.c_str(); + quote = 1; + } + break; case LFT_REQUEST_ALL_HEADERS: #if ICAP_CLIENT 
@@ -877,17 +845,13 @@ #endif { out = al->headers.request; + quote = 1; } - - quote = 1; - break; case LFT_ADAPTED_REQUEST_ALL_HEADERS: out = al->headers.adapted_request; - quote = 1; - break; case LFT_REPLY_ALL_HEADERS: @@ -896,24 +860,20 @@ if (!out && al->icap.reqMethod == Adaptation::methodReqmod) out = al->headers.adapted_request; #endif - quote = 1; - break; case LFT_USER_NAME: #if USE_AUTH - if (al->request && al->request->auth_user_request != NULL) + if (al->request && al->request->auth_user_request) out = strOrNull(al->request->auth_user_request->username()); #endif if (!out && al->request && al->request->extacl_user.size()) { if (const char *t = al->request->extacl_user.termedBuf()) out = t; } - if (!out) out = strOrNull(al->cache.extuser); - #if USE_OPENSSL if (!out) out = strOrNull(al->cache.ssluser); @@ -924,7 +884,7 @@ case LFT_USER_LOGIN: #if USE_AUTH - if (al->request && al->request->auth_user_request != NULL) + if (al->request && al->request->auth_user_request) out = strOrNull(al->request->auth_user_request->username()); #endif break; @@ -951,15 +911,11 @@ case LFT_HTTP_SENT_STATUS_CODE_OLD_30: case LFT_HTTP_SENT_STATUS_CODE: outint = al->http.code; - doint = 1; - break; case LFT_HTTP_RECEIVED_STATUS_CODE: - if (al->hier.peer_reply_status == Http::scNone) { - out = "-"; - } else { + if (al->hier.peer_reply_status != Http::scNone) { outint = al->hier.peer_reply_status; doint = 1; } @@ -991,7 +947,8 @@ case LFT_SQUID_ERROR_DETAIL: #if USE_OPENSSL if (al->request && al->request->errType == ERR_SECURE_CONNECT_FAIL) { - if (! (out = Ssl::GetErrorName(al->request->errDetail))) + out = Ssl::GetErrorName(al->request->errDetail); + if (!out) out = sslErrorName(al->request->errDetail, tmp, sizeof(tmp)); } else #endif 
@@ -1000,12 +957,12 @@ out = errorDetailName(al->request->errDetail); else { if (al->request->errDetail >= ERR_DETAIL_EXCEPTION_START) - snprintf(tmp, sizeof(tmp), "%s=0x%X", - errorDetailName(al->request->errDetail), (uint32_t) al->request->errDetail); + sb.appendf("%s=0x%X", + errorDetailName(al->request->errDetail), (uint32_t) al->request->errDetail); else - snprintf(tmp, sizeof(tmp), "%s=%d", - errorDetailName(al->request->errDetail), al->request->errDetail); - out = tmp; + sb.appendf("%s=%d", + errorDetailName(al->request->errDetail), al->request->errDetail); + out = sb.c_str(); } } break; @@ -1013,21 +970,17 @@ case LFT_SQUID_HIERARCHY: if (al->hier.ping.timedout) mb.append("TIMEOUT_", 8); - out = hier_code_str[al->hier.code]; - break; case LFT_MIME_TYPE: out = al->http.content_type; - break; case LFT_CLIENT_REQ_METHOD: if (al->request) { - const SBuf &s = al->request->method.image(); - sb.append(s.rawContent(), s.length()); - out = sb.termedBuf(); + sb = al->request->method.image(); + out = sb.c_str(); quote = 1; } break; @@ -1035,18 +988,16 @@ case LFT_CLIENT_REQ_URI: // original client URI if (al->request) { - const SBuf &s = al->request->effectiveRequestUri(); - sb.append(s.rawContent(), s.length()); - out = sb.termedBuf(); + sb = al->request->effectiveRequestUri(); + out = sb.c_str(); quote = 1; } break; case LFT_CLIENT_REQ_URLSCHEME: if (al->request) { - const SBuf s(al->request->url.getScheme().image()); - sb.append(s.rawContent(), s.length()); - out = sb.termedBuf(); + sb = al->request->url.getScheme().image(); + out = sb.c_str(); quote = 1; } break; 
@@ -1068,47 +1019,42 @@ case LFT_REQUEST_URLPATH_OLD_31: case LFT_CLIENT_REQ_URLPATH: if (al->request) { - SBuf s = al->request->url.path(); - out = s.c_str(); + sb = al->request->url.path(); + out = sb.c_str(); quote = 1; } break; case LFT_CLIENT_REQ_VERSION: if (al->request) { - snprintf(tmp, sizeof(tmp), "%d.%d", (int) al->request->http_ver.major, (int) al->request->http_ver.minor); - out = tmp; + sb.appendf("%u.%u", al->request->http_ver.major, al->request->http_ver.minor); + out = sb.c_str(); } break; case LFT_REQUEST_METHOD: - { - const SBuf s(al->getLogMethod()); - sb.append(s.rawContent(), s.length()); - out = sb.termedBuf(); + sb = al->getLogMethod(); + out = sb.c_str(); quote = 1; - } - break; + break; case LFT_REQUEST_URI: if (!al->url.isEmpty()) { - const SBuf &s = al->url; - sb.append(s.rawContent(), s.length()); - out = sb.termedBuf(); + sb = al->url; + out = sb.c_str(); } break; case LFT_REQUEST_VERSION_OLD_2X: case LFT_REQUEST_VERSION: - snprintf(tmp, sizeof(tmp), "%d.%d", (int) al->http.version.major, (int) al->http.version.minor); - out = tmp; + sb.appendf("%u.%u", al->http.version.major, al->http.version.minor); + out = sb.c_str(); break; case LFT_SERVER_REQ_METHOD: if (al->adapted_request) { - const SBuf &s = al->adapted_request->method.image(); - sb.append(s.rawContent(), s.length()); - out = sb.termedBuf(); + sb = al->adapted_request->method.image(); + out = sb.c_str(); quote = 1; } break; 
@@ -1116,18 +1062,16 @@ case LFT_SERVER_REQ_URI: // adapted request URI sent to server/peer if (al->adapted_request) { - const SBuf &s = al->adapted_request->effectiveRequestUri(); - sb.append(s.rawContent(), s.length()); - out = sb.termedBuf(); + sb = al->adapted_request->effectiveRequestUri(); + out = sb.c_str(); quote = 1; } break; case LFT_SERVER_REQ_URLSCHEME: if (al->adapted_request) { - const SBuf s(al->adapted_request->url.getScheme().image()); - sb.append(s.rawContent(), s.length()); - out = sb.termedBuf(); + sb = al->adapted_request->url.getScheme().image(); + out = sb.c_str(); quote = 1; } break; @@ -1148,17 +1092,17 @@ case LFT_SERVER_REQ_URLPATH: if (al->adapted_request) { - SBuf s = al->adapted_request->url.path(); - out = s.c_str(); + sb = al->adapted_request->url.path(); + out = sb.c_str(); quote = 1; } break; case LFT_SERVER_REQ_VERSION: if (al->adapted_request) { - snprintf(tmp, sizeof(tmp), "%d.%d", - (int) al->adapted_request->http_ver.major, - (int) al->adapted_request->http_ver.minor); + sb.appendf("%u.%u", + al->adapted_request->http_ver.major, + al->adapted_request->http_ver.minor); out = tmp; } break; @@ -1183,16 +1127,12 @@ case LFT_REPLY_HIGHOFFSET: outoff = al->cache.highOffset; - dooff = 1; - break; case LFT_REPLY_OBJECTSIZE: outoff = al->cache.objectSize; - dooff = 1; - break; case LFT_ADAPTED_REPLY_SIZE_HEADERS: @@ -1210,19 +1150,17 @@ /*case LFT_SERVER_IO_SIZE_TOTAL: */ case LFT_TAG: - if (al->request) + if (al->request) { out = al->request->tag.termedBuf(); - - quote = 1; - + quote = 1; + } break; case LFT_EXT_LOG: - if (al->request) + if (al->request) { out = al->request->extacl_log.termedBuf(); - - quote = 1; - + quote = 1; + } break; case LFT_SEQUENCE_NUMBER: 
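Review bot: In the LFT_SERVER_REQ_VERSION case (hunk -1148,17 +1092,17) the version is now formatted into `sb`, but the following line still reads `out = tmp;`, so the logged value is whatever `tmp` last held. The first Format.cc hunk makes `tmp` a function-static buffer, so that can be text left over from an earlier token or an earlier log entry, which would then be written into this field. The line should be `out = sb.c_str();`, as in the LFT_CLIENT_REQ_VERSION and LFT_REQUEST_VERSION cases. assemble() starts and ends outside this hunk.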
@@ -1309,20 +1247,18 @@ if (al->request && al->request->clientConnectionManager.valid()) { if (Ssl::ServerBump * srvBump = al->request->clientConnectionManager->serverBump()) { const char *separator = fmt->data.string ? fmt->data.string : ":"; - for (const Security::CertErrors *sslError = srvBump->sslErrors(); sslError != nullptr; sslError = sslError->next) { - if (sb.size()) + for (const Security::CertErrors *sslError = srvBump->sslErrors(); sslError; sslError = sslError->next) { + if (!sb.isEmpty()) sb.append(separator); if (const char *errorName = Ssl::GetErrorName(sslError->element.code)) sb.append(errorName); else sb.append(sslErrorName(sslError->element.code, tmp, sizeof(tmp))); - if (sslError->element.depth >= 0) { - snprintf(tmp, sizeof(tmp), "@depth=%d", sslError->element.depth); - sb.append(tmp); - } + if (sslError->element.depth >= 0) + sb.appendf("@depth=%d", sslError->element.depth); } - if (sb.size()) - out = sb.termedBuf(); + if (!sb.isEmpty()) + out = sb.c_str(); } } break; 
@@ -1342,42 +1278,42 @@ break; case LFT_TLS_CLIENT_NEGOTIATED_VERSION: - if (al->tcpClient != nullptr && al->tcpClient->hasTlsNegotiations()) + if (al->tcpClient && al->tcpClient->hasTlsNegotiations()) out = al->tcpClient->hasTlsNegotiations()->negotiatedVersion(); break; case LFT_TLS_SERVER_NEGOTIATED_VERSION: - if (al->hier.tcpServer != nullptr && al->hier.tcpServer->hasTlsNegotiations()) + if (al->hier.tcpServer && al->hier.tcpServer->hasTlsNegotiations()) out = al->hier.tcpServer->hasTlsNegotiations()->negotiatedVersion(); break; case LFT_TLS_CLIENT_RECEIVED_HELLO_VERSION: - if (al->tcpClient != nullptr && al->tcpClient->hasTlsNegotiations()) + if (al->tcpClient && al->tcpClient->hasTlsNegotiations()) out = al->tcpClient->hasTlsNegotiations()->helloVersion(); break; case LFT_TLS_SERVER_RECEIVED_HELLO_VERSION: - if (al->hier.tcpServer != nullptr && al->hier.tcpServer->hasTlsNegotiations()) + if (al->hier.tcpServer && al->hier.tcpServer->hasTlsNegotiations()) out = al->hier.tcpServer->hasTlsNegotiations()->helloVersion(); break; case LFT_TLS_CLIENT_SUPPORTED_VERSION: - if (al->tcpClient != nullptr && al->tcpClient->hasTlsNegotiations()) + if (al->tcpClient && al->tcpClient->hasTlsNegotiations()) out = al->tcpClient->hasTlsNegotiations()->supportedVersion(); break; case LFT_TLS_SERVER_SUPPORTED_VERSION: - if (al->hier.tcpServer != nullptr && al->hier.tcpServer->hasTlsNegotiations()) + if (al->hier.tcpServer && al->hier.tcpServer->hasTlsNegotiations()) out = al->hier.tcpServer->hasTlsNegotiations()->supportedVersion(); break; case LFT_TLS_CLIENT_NEGOTIATED_CIPHER: - if (al->tcpClient != nullptr && al->tcpClient->hasTlsNegotiations()) + if (al->tcpClient && al->tcpClient->hasTlsNegotiations()) out = al->tcpClient->hasTlsNegotiations()->cipherName(); break; case LFT_TLS_SERVER_NEGOTIATED_CIPHER: - if (al->hier.tcpServer != nullptr && al->hier.tcpServer->hasTlsNegotiations()) + if (al->hier.tcpServer && al->hier.tcpServer->hasTlsNegotiations()) out = 
al->hier.tcpServer->hasTlsNegotiations()->cipherName(); break; #endif @@ -1392,42 +1328,41 @@ const char *separator = tmp; #if USE_ADAPTATION Adaptation::History::Pointer ah = al->request ? al->request->adaptHistory() : Adaptation::History::Pointer(); - if (ah != NULL && ah->metaHeaders != NULL) { + if (ah && ah->metaHeaders) { if (const char *meta = ah->metaHeaders->find(fmt->data.header.header, separator)) sb.append(meta); } #endif - if (al->notes != NULL) { + if (al->notes) { if (const char *note = al->notes->find(fmt->data.header.header, separator)) { - if (sb.size()) + if (!sb.isEmpty()) sb.append(separator); sb.append(note); } } - out = sb.termedBuf(); + out = sb.c_str(); quote = 1; } else { // if no argument given use default "\r\n" as notes separator const char *separator = fmt->data.string ? tmp : "\r\n"; #if USE_ADAPTATION Adaptation::History::Pointer ah = al->request ? al->request->adaptHistory() : Adaptation::History::Pointer(); - if (ah != NULL && ah->metaHeaders != NULL && !ah->metaHeaders->empty()) + if (ah && ah->metaHeaders && !ah->metaHeaders->empty()) sb.append(ah->metaHeaders->toString(separator)); #endif - if (al->notes != NULL && !al->notes->empty()) + if (al->notes && !al->notes->empty()) sb.append(al->notes->toString(separator)); - out = sb.termedBuf(); + out = sb.c_str(); quote = 1; } break; case LFT_CREDENTIALS: #if USE_AUTH - if (al->request && al->request->auth_user_request != NULL) + if (al->request && al->request->auth_user_request) out = strOrNull(al->request->auth_user_request->credentialsStr()); #endif - break; case LFT_PERCENT: 
@@ -1445,24 +1380,24 @@ } if (dooff) { - snprintf(tmp, sizeof(tmp), "%0*" PRId64, fmt->zero && fmt->widthMin >= 0 ? fmt->widthMin : 0, outoff); - out = tmp; + sb.appendf("%0*" PRId64, fmt->zero && fmt->widthMin >= 0 ? fmt->widthMin : 0, outoff); + out = sb.c_str(); } else if (doint) { - snprintf(tmp, sizeof(tmp), "%0*ld", fmt->zero && fmt->widthMin >= 0 ? fmt->widthMin : 0, outint); - out = tmp; + sb.appendf("%0*ld", fmt->zero && fmt->widthMin >= 0 ? fmt->widthMin : 0, outint); + out = sb.c_str(); } else if (doMsec) { if (fmt->widthMax < 0) { - snprintf(tmp, sizeof(tmp), "%0*ld", fmt->widthMin , tvToMsec(outtv)); + sb.appendf("%0*ld", fmt->widthMin , tvToMsec(outtv)); } else { int precision = fmt->widthMax; - snprintf(tmp, sizeof(tmp), "%0*" PRId64 ".%0*" PRId64 "", fmt->zero && (fmt->widthMin - precision - 1 >= 0) ? fmt->widthMin - precision - 1 : 0, static_cast(outtv.tv_sec * 1000 + outtv.tv_usec / 1000), precision, static_cast((outtv.tv_usec % 1000 )* (1000 / fmt->divisor))); + sb.appendf("%0*" PRId64 ".%0*" PRId64 "", fmt->zero && (fmt->widthMin - precision - 1 >= 0) ? fmt->widthMin - precision - 1 : 0, static_cast(outtv.tv_sec * 1000 + outtv.tv_usec / 1000), precision, static_cast((outtv.tv_usec % 1000 )* (1000 / fmt->divisor))); } - out = tmp; + out = sb.c_str(); } else if (doSec) { int precision = fmt->widthMax >=0 ? fmt->widthMax :3; - snprintf(tmp, sizeof(tmp), "%0*" PRId64 ".%0*d", fmt->zero && (fmt->widthMin - precision - 1 >= 0) ? fmt->widthMin - precision - 1 : 0, static_cast(outtv.tv_sec), precision, (int)(outtv.tv_usec / fmt->divisor)); - out = tmp; + sb.appendf("%0*" PRId64 ".%0*d", fmt->zero && (fmt->widthMin - precision - 1 >= 0) ? fmt->widthMin - precision - 1 : 0, static_cast(outtv.tv_sec), precision, (int)(outtv.tv_usec / fmt->divisor)); + out = sb.c_str(); } if (out && *out) { 
@@ -1546,7 +1481,7 @@ if (fmt->space) mb.append(" ", 1); - sb.clean(); + sb.clear(); if (dofree) safe_free(out); diff -u -r -N squid-4.0.18/src/format/Makefile.in squid-4.0.19/src/format/Makefile.in --- squid-4.0.18/src/format/Makefile.in 2017-02-06 10:17:55.000000000 +1300 +++ squid-4.0.19/src/format/Makefile.in 2017-04-02 19:46:06.000000000 +1200 @@ -543,7 +543,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/fs/Makefile.in squid-4.0.19/src/fs/Makefile.in --- squid-4.0.18/src/fs/Makefile.in 2017-02-06 10:17:56.000000000 +1300 +++ squid-4.0.19/src/fs/Makefile.in 2017-04-02 19:46:06.000000000 +1200 @@ -561,7 +561,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/fs/rock/RockHeaderUpdater.cc squid-4.0.19/src/fs/rock/RockHeaderUpdater.cc --- squid-4.0.18/src/fs/rock/RockHeaderUpdater.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/fs/rock/RockHeaderUpdater.cc 2017-04-02 19:43:45.000000000 +1200 @@ -244,7 +244,7 @@ exchangeBuffer.length(), &staleSwapHeaderSize); // Squid assumes that metadata always fits into a single db slot - Must(aBuilder.isBufferSane()); // cannot update what we cannot parse + aBuilder.checkBuffer(); // cannot update an entry with invalid metadata debugs(47, 7, "staleSwapHeaderSize=" << staleSwapHeaderSize); Must(staleSwapHeaderSize > 0); exchangeBuffer.consume(staleSwapHeaderSize); diff -u -r -N squid-4.0.18/src/fs/ufs/RebuildState.cc squid-4.0.19/src/fs/ufs/RebuildState.cc --- squid-4.0.18/src/fs/ufs/RebuildState.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/fs/ufs/RebuildState.cc 2017-04-02 19:43:45.000000000 +1200 
@@ -463,7 +463,7 @@ } if (0 == in_dir) { /* we need to read in a new directory */ - snprintf(fullpath, MAXPATHLEN, "%s/%02X/%02X", + snprintf(fullpath, sizeof(fullpath), "%s/%02X/%02X", sd->path, curlvl1, curlvl2); @@ -509,7 +509,7 @@ continue; } - snprintf(fullfilename, MAXPATHLEN, "%s/%s", + snprintf(fullfilename, sizeof(fullfilename), "%s/%s", fullpath, entry->d_name); debugs(47, 3, HERE << "Opening " << fullfilename); fd = file_open(fullfilename, O_RDONLY | O_BINARY); diff -u -r -N squid-4.0.18/src/fs/ufs/RebuildState.h squid-4.0.19/src/fs/ufs/RebuildState.h --- squid-4.0.18/src/fs/ufs/RebuildState.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/fs/ufs/RebuildState.h 2017-04-02 19:43:45.000000000 +1200 @@ -55,7 +55,7 @@ dirent_t *entry; DIR *td; char fullpath[MAXPATHLEN]; - char fullfilename[MAXPATHLEN]; + char fullfilename[MAXPATHLEN*2]; StoreRebuildData counts; diff -u -r -N squid-4.0.18/src/ftp/Makefile.in squid-4.0.19/src/ftp/Makefile.in --- squid-4.0.18/src/ftp/Makefile.in 2017-02-06 10:17:57.000000000 +1300 +++ squid-4.0.19/src/ftp/Makefile.in 2017-04-02 19:46:07.000000000 +1200 @@ -543,7 +543,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/gopher.cc squid-4.0.19/src/gopher.cc --- squid-4.0.18/src/gopher.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/gopher.cc 2017-04-02 19:43:45.000000000 +1200 @@ -826,7 +826,7 @@ * This will be called when request write is complete. Schedule read of reply. */ static void -gopherSendComplete(const Comm::ConnectionPointer &conn, char *buf, size_t size, Comm::Flag errflag, int xerrno, void *data) +gopherSendComplete(const Comm::ConnectionPointer &conn, char *, size_t size, Comm::Flag errflag, int xerrno, void *data) { GopherStateData *gopherState = (GopherStateData *) data; StoreEntry *entry = gopherState->entry; 
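Review bot: Neither snprintf in the two RebuildState.cc hunks (-463,7 and -509,7) checks its return value, so a path that does not fit is silently truncated; in the second hunk the truncated name then goes to file_open(). Enlarging `fullfilename` to `MAXPATHLEN*2` makes this less likely for the file name, but `fullpath` is still `MAXPATHLEN` and is built from `sd->path`. Capturing the result, `const int n = snprintf(fullfilename, sizeof(fullfilename), "%s/%s", fullpath, entry->d_name);`, and skipping the entry with `if (n < 0 || static_cast<size_t>(n) >= sizeof(fullfilename)) continue;` would keep a truncated name from being opened. The enclosing function starts and ends outside both hunks, so the right way to skip in the first hunk cannot be judged from here.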
@@ -846,10 +846,6 @@ err->url = xstrdup(entry->url()); gopherState->fwd->fail(err); gopherState->serverConn->close(); - - if (buf) - memFree(buf, MEM_4K_BUF); /* Allocated by gopherSendRequest. */ - return; } @@ -891,9 +887,6 @@ AsyncCall::Pointer call = commCbCall(5,5, "gopherReadReply", CommIoCbPtrFun(gopherReadReply, gopherState)); entry->delayAwareRead(conn, gopherState->replybuf, BUFSIZ, call); - - if (buf) - memFree(buf, MEM_4K_BUF); /* Allocated by gopherSendRequest. */ } /** @@ -903,32 +896,31 @@ gopherSendRequest(int, void *data) { GopherStateData *gopherState = (GopherStateData *)data; - char *buf = (char *)memAllocate(MEM_4K_BUF); + MemBuf mb; + mb.init(); if (gopherState->type_id == GOPHER_CSO) { const char *t = strchr(gopherState->request, '?'); - if (t != NULL) + if (t) ++t; /* skip the ? */ else t = ""; - snprintf(buf, 4096, "query %s\r\nquit\r\n", t); - } else if (gopherState->type_id == GOPHER_INDEX) { - char *t = strchr(gopherState->request, '?'); - - if (t != NULL) - *t = '\t'; - - snprintf(buf, 4096, "%s\r\n", gopherState->request); + mb.appendf("query %s\r\nquit", t); } else { - snprintf(buf, 4096, "%s\r\n", gopherState->request); + if (gopherState->type_id == GOPHER_INDEX) { + if (char *t = strchr(gopherState->request, '?')) + *t = '\t'; + } + mb.append(gopherState->request, strlen(gopherState->request)); } + mb.append("\r\n", 2); - debugs(10, 5, HERE << gopherState->serverConn); + debugs(10, 5, gopherState->serverConn); AsyncCall::Pointer call = commCbCall(5,5, "gopherSendComplete", CommIoCbPtrFun(gopherSendComplete, gopherState)); - Comm::Write(gopherState->serverConn, buf, strlen(buf), call, NULL); + Comm::Write(gopherState->serverConn, &mb, call); gopherState->entry->makePublic(); } diff -u -r -N squid-4.0.18/src/helper/Makefile.in squid-4.0.19/src/helper/Makefile.in --- squid-4.0.18/src/helper/Makefile.in 2017-02-06 10:17:58.000000000 +1300 +++ squid-4.0.19/src/helper/Makefile.in 2017-04-02 19:46:07.000000000 +1200 
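Review bot: In gopherSendRequest (hunk -903,32 +896,31) the request string goes into the outgoing command with no check for embedded CR or LF, both in `mb.appendf("query %s\r\nquit", t)` and in `mb.append(gopherState->request, strlen(gopherState->request))`. Where `gopherState->request` is filled in is outside this hunk, so this may already be guaranteed elsewhere; if it is not, a line break in it would put additional lines on the server connection. Either a guard before `mb` is built, such as `if (strpbrk(gopherState->request, "\r\n"))` followed by failing the request, or a comment naming where the invariant is enforced, would let this function be read safely on its own.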
@@ -543,7 +543,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/http/Makefile.in squid-4.0.19/src/http/Makefile.in --- squid-4.0.18/src/http/Makefile.in 2017-02-06 10:17:58.000000000 +1300 +++ squid-4.0.19/src/http/Makefile.in 2017-04-02 19:46:08.000000000 +1200 @@ -585,7 +585,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/http/one/Makefile.in squid-4.0.19/src/http/one/Makefile.in --- squid-4.0.18/src/http/one/Makefile.in 2017-02-06 10:17:59.000000000 +1300 +++ squid-4.0.19/src/http/one/Makefile.in 2017-04-02 19:46:09.000000000 +1200 @@ -544,7 +544,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/http/url_rewriters/fake/Makefile.in squid-4.0.19/src/http/url_rewriters/fake/Makefile.in --- squid-4.0.18/src/http/url_rewriters/fake/Makefile.in 2017-02-06 10:18:01.000000000 +1300 +++ squid-4.0.19/src/http/url_rewriters/fake/Makefile.in 2017-04-02 19:46:10.000000000 +1200 @@ -530,7 +530,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/http/url_rewriters/LFS/Makefile.in squid-4.0.19/src/http/url_rewriters/LFS/Makefile.in --- squid-4.0.18/src/http/url_rewriters/LFS/Makefile.in 2017-02-06 10:18:00.000000000 +1300 +++ squid-4.0.19/src/http/url_rewriters/LFS/Makefile.in 2017-04-02 19:46:09.000000000 +1200 
@@ -482,7 +482,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/http/url_rewriters/LFS/url_lfs_rewrite.8 squid-4.0.19/src/http/url_rewriters/LFS/url_lfs_rewrite.8 --- squid-4.0.18/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2017-02-06 13:43:43.000000000 +1300 +++ squid-4.0.19/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2017-04-02 23:49:59.000000000 +1200 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "URL_LFS_REWRITE 8" -.TH URL_LFS_REWRITE 8 "2017-02-06" "perl v5.24.1" "User Contributed Perl Documentation" +.TH URL_LFS_REWRITE 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.0.18/src/http/url_rewriters/Makefile.in squid-4.0.19/src/http/url_rewriters/Makefile.in --- squid-4.0.18/src/http/url_rewriters/Makefile.in 2017-02-06 10:18:00.000000000 +1300 +++ squid-4.0.19/src/http/url_rewriters/Makefile.in 2017-04-02 19:46:09.000000000 +1200 @@ -327,7 +327,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/http.cc squid-4.0.19/src/http.cc --- squid-4.0.18/src/http.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/http.cc 2017-04-02 19:43:45.000000000 +1200 @@ -860,13 +860,9 @@ /** * returns true if the peer can support connection pinning */ -bool HttpStateData::peerSupportsConnectionPinning() const +bool +HttpStateData::peerSupportsConnectionPinning() const { - const HttpReply *rep = entry->mem_obj->getReply(); - const HttpHeader *hdr = &rep->header; - bool rc; - String header; - if (!_peer) return true; 
@@ -876,6 +872,8 @@ if (!_peer->connection_auth) return false; + const HttpReply *rep = entry->mem_obj->getReply(); + /*The peer supports connection pinning and the http reply status is not unauthorized, so the related connection can be pinned */ @@ -908,14 +906,10 @@ reply and has in its list the "Session-Based-Authentication" which means that the peer supports connection pinning. */ - if (!hdr->has(Http::HdrType::PROXY_SUPPORT)) - return false; - - header = hdr->getStrOrList(Http::HdrType::PROXY_SUPPORT); - /* XXX This ought to be done in a case-insensitive manner */ - rc = (strstr(header.termedBuf(), "Session-Based-Authentication") != NULL); + if (rep->header.hasListMember(Http::HdrType::PROXY_SUPPORT, "Session-Based-Authentication", ',')) + return true; - return rc; + return false; } // Called when we parsed (and possibly adapted) the headers but @@ -1134,7 +1128,6 @@ return statusIfComplete(); } -#if USE_DELAY_POOLS static void readDelayed(void *context, CommRead const &) { @@ -1142,7 +1135,6 @@ state->flags.do_next_read = true; state->maybeReadVirginBody(); } -#endif void HttpStateData::readReply(const CommIoCbParams &io) 
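Review bot: The new tail `if (rep->header.hasListMember(...)) return true; return false;` can be the single statement `return rep->header.hasListMember(Http::HdrType::PROXY_SUPPORT, "Session-Based-Authentication", ',');`. The removed `XXX` recorded that the match ought to be case-insensitive; whether `hasListMember()` compares that way is not visible in this hunk, so a one-line comment stating the matching rule would keep that information, given that this result decides whether an authenticated connection is pinned. The function begins in an earlier hunk.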
@@ -1177,23 +1169,13 @@ CommIoCbParams rd(this); // will be expanded with ReadNow results rd.conn = io.conn; rd.size = entry->bytesWanted(Range(0, inBuf.spaceSize())); -#if USE_DELAY_POOLS - if (rd.size < 1) { - assert(entry->mem_obj); - /* read ahead limit */ - /* Perhaps these two calls should both live in MemObject */ + if (rd.size <= 0) { + assert(entry->mem_obj); AsyncCall::Pointer nilCall; - if (!entry->mem_obj->readAheadPolicyCanRead()) { - entry->mem_obj->delayRead(DeferredRead(readDelayed, this, CommRead(io.conn, NULL, 0, nilCall))); - return; - } - - /* delay id limit */ - entry->mem_obj->mostBytesAllowed().delayRead(DeferredRead(readDelayed, this, CommRead(io.conn, NULL, 0, nilCall))); + entry->mem_obj->delayRead(DeferredRead(readDelayed, this, CommRead(io.conn, NULL, 0, nilCall))); return; } -#endif switch (Comm::ReadNow(rd, inBuf)) { case Comm::INPROGRESS: @@ -1813,17 +1795,7 @@ request->flags.isRanged = false; } - /* append Via */ - if (Config.onoff.via) { - String strVia; - strVia = hdr_in->getList(Http::HdrType::VIA); - snprintf(bbuf, BBUF_SZ, "%d.%d %s", - request->http_ver.major, - request->http_ver.minor, ThisCache); - strListAdd(&strVia, bbuf, ','); - hdr_out->putStr(Http::HdrType::VIA, strVia.termedBuf()); - strVia.clean(); - } + hdr_out->addVia(request->http_ver, hdr_in); if (request->flags.accelerated) { /* Append Surrogate-Capabilities */ diff -u -r -N squid-4.0.18/src/HttpHeader.cc squid-4.0.19/src/HttpHeader.cc --- squid-4.0.18/src/HttpHeader.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/HttpHeader.cc 2017-04-02 19:43:45.000000000 +1200 @@ -24,6 +24,7 @@ #include "mgr/Registration.h" #include "profiler/Profiler.h" #include "rfc1123.h" +#include "sbuf/StringConvert.h" #include "SquidConfig.h" #include "StatHist.h" #include "Store.h" 
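Review bot: The deferral branch under `if (rd.size <= 0)` lost both explanatory comments ("read ahead limit", "delay id limit") and no longer says which queue the read is parked on. A comment such as `// MemObject::delayRead() chooses between the delay-pool queue and the read-ahead queue` would record that, matching the MemObject.cc change in this same patch. If `rd.size` is an unsigned type (its declaration is not shown), `<= 0` is simply `== 0` and could be written so. Note also that `assert(entry->mem_obj)` now runs in builds without delay pools as well.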
@@ -957,6 +958,32 @@ } void +HttpHeader::addVia(const AnyP::ProtocolVersion &ver, const HttpHeader *from) +{ + // TODO: do not add Via header for messages where Squid itself + // generated the message (i.e., Downloader or ESI) there should be no Via header added at all. + + if (Config.onoff.via) { + SBuf buf; + // RFC 7230 section 5.7.1.: protocol-name is omitted when + // the received protocol is HTTP. + if (ver.protocol > AnyP::PROTO_NONE && ver.protocol < AnyP::PROTO_UNKNOWN && + ver.protocol != AnyP::PROTO_HTTP && ver.protocol != AnyP::PROTO_HTTPS) + buf.appendf("%s/", AnyP::ProtocolType_str[ver.protocol]); + buf.appendf("%d.%d %s", ver.major, ver.minor, ThisCache); + const HttpHeader *hdr = from ? from : this; + SBuf strVia = StringToSBuf(hdr->getList(Http::HdrType::VIA)); + if (!strVia.isEmpty()) + strVia.append(", ", 2); + strVia.append(buf); + // XXX: putStr() still suffers from String size limits + Must(strVia.length() < String::SizeMaxXXX()); + delById(Http::HdrType::VIA); + putStr(Http::HdrType::VIA, strVia.c_str()); + } +} + +void HttpHeader::putInt(Http::HdrType id, int number) { assert(any_registered_header(id)); diff -u -r -N squid-4.0.18/src/HttpHeader.h squid-4.0.19/src/HttpHeader.h --- squid-4.0.18/src/HttpHeader.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/HttpHeader.h 2017-04-02 19:43:45.000000000 +1200 @@ -9,6 +9,7 @@ #ifndef SQUID_HTTPHEADER_H #define SQUID_HTTPHEADER_H +#include "anyp/ProtocolVersion.h" #include "base/LookupTable.h" #include "http/RegisteredHeaders.h" /* because we pass a spec by value */ 
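Review bot: `Must(strVia.length() < String::SizeMaxXXX())` makes addVia() throw when the existing Via list plus the local entry is too long, and most of that length comes from the received header via `hdr->getList(Http::HdrType::VIA)`. The call site added in http.cc shows no handling around `hdr_out->addVia(...)`, and the doc comment added in HttpHeader.h does not mention the exception; adding `/// Throws if the combined Via value exceeds String size limits.` to the declaration would tell callers what to expect. The TODO at the top also reads as two sentences fused together and could be `// TODO: do not add Via to messages that Squid itself generated (e.g., Downloader or ESI).`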
@@ -108,6 +109,9 @@ String getByNameListMember(const char *name, const char *member, const char separator) const; String getListMember(Http::HdrType id, const char *member, const char separator) const; int has(Http::HdrType id) const; + /// Appends "this cache" information to VIA header field. + /// Takes the initial VIA value from "from" parameter, if provided. + void addVia(const AnyP::ProtocolVersion &ver, const HttpHeader *from = 0); void putInt(Http::HdrType id, int number); void putInt64(Http::HdrType id, int64_t number); void putTime(Http::HdrType id, time_t htime); diff -u -r -N squid-4.0.18/src/icmp/Makefile.in squid-4.0.19/src/icmp/Makefile.in --- squid-4.0.18/src/icmp/Makefile.in 2017-02-06 10:18:01.000000000 +1300 +++ squid-4.0.19/src/icmp/Makefile.in 2017-04-02 19:46:10.000000000 +1200 @@ -574,7 +574,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/ident/Makefile.in squid-4.0.19/src/ident/Makefile.in --- squid-4.0.18/src/ident/Makefile.in 2017-02-06 10:18:02.000000000 +1300 +++ squid-4.0.19/src/ident/Makefile.in 2017-04-02 19:46:11.000000000 +1200 @@ -543,7 +543,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/ip/Makefile.in squid-4.0.19/src/ip/Makefile.in --- squid-4.0.18/src/ip/Makefile.in 2017-02-06 10:18:03.000000000 +1300 +++ squid-4.0.19/src/ip/Makefile.in 2017-04-02 19:46:12.000000000 +1200 
@@ -543,7 +543,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/ipc/Makefile.in squid-4.0.19/src/ipc/Makefile.in --- squid-4.0.18/src/ipc/Makefile.in 2017-02-06 10:18:04.000000000 +1300 +++ squid-4.0.19/src/ipc/Makefile.in 2017-04-02 19:46:12.000000000 +1200 @@ -549,7 +549,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/ipcache.cc squid-4.0.19/src/ipcache.cc --- squid-4.0.18/src/ipcache.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/ipcache.cc 2017-04-02 19:43:45.000000000 +1200 @@ -49,7 +49,7 @@ \defgroup IPCacheInternal IP Cache Internals \ingroup IPCacheAPI \todo when IP cache is provided as a class. These sub-groups will be obsolete - * for now they are used to seperate the public and private functions. + * for now they are used to separate the public and private functions. * with the private ones all being in IPCachInternal and public in IPCacheAPI * \section InternalOperation Internal Operation diff -u -r -N squid-4.0.18/src/log/DB/log_db_daemon.8 squid-4.0.19/src/log/DB/log_db_daemon.8 --- squid-4.0.18/src/log/DB/log_db_daemon.8 2017-02-06 13:43:52.000000000 +1300 +++ squid-4.0.19/src/log/DB/log_db_daemon.8 2017-04-02 23:50:09.000000000 +1200 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "LOG_DB_DAEMON 8" -.TH LOG_DB_DAEMON 8 "2017-02-06" "perl v5.24.1" "User Contributed Perl Documentation" +.TH LOG_DB_DAEMON 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -139,8 +139,8 @@ .SH "SYNOPSIS" .IX Header "SYNOPSIS" log_db_daemon \s-1DSN\s0 [options] -.SH "DESCRIPTOIN" -.IX Header "DESCRIPTOIN" +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" This program writes Squid access.log entries to a database. Presently only accepts the \fBsquid\fR native format .IP "\fB\s-1DSN\s0\fR" 8 @@ -341,7 +341,7 @@ \& WHERE squid_request_status LIKE \*(Aq%MISS%\*(Aq) \& / \& (SELECT COUNT(*) FROM access_log)*100 -\& AS pecentage; +\& AS percentage; .Ve .IP "Response time ranges" 4 .IX Item "Response time ranges" @@ -401,7 +401,7 @@ .IX Subsection "Table cleanup" This script currently implements only the \f(CW\*(C`L\*(C'\fR (i.e. \*(L"append a line to the log\*(R") command, therefore the log lines are never purged from the table. This approach has an obvious scalability problem. .PP -One solution would be to implement e.g. the \*(L"rotate log\*(R" command in a way that would calculate some summary values, put them in a \*(L"summary table\*(R" and then delete the lines used to caluclate those values. +One solution would be to implement e.g. the \*(L"rotate log\*(R" command in a way that would calculate some summary values, put them in a \*(L"summary table\*(R" and then delete the lines used to calculate those values. .PP Similar cleanup code could be implemented in an external script and run periodically independently from squid log commands. .SS "Testing" diff -u -r -N squid-4.0.18/src/log/DB/log_db_daemon.pl.in squid-4.0.19/src/log/DB/log_db_daemon.pl.in --- squid-4.0.18/src/log/DB/log_db_daemon.pl.in 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/log/DB/log_db_daemon.pl.in 2017-04-02 19:43:45.000000000 +1200 @@ -18,7 +18,7 @@ log_db_daemon DSN [options] -=head1 DESCRIPTOIN +=head1 DESCRIPTION This program writes Squid access.log entries to a database. Presently only accepts the B native format 
@@ -373,7 +373,7 @@ WHERE squid_request_status LIKE '%MISS%') / (SELECT COUNT(*) FROM access_log)*100 - AS pecentage; + AS percentage; =item Response time ranges @@ -433,7 +433,7 @@ This script currently implements only the C (i.e. "append a line to the log") command, therefore the log lines are never purged from the table. This approach has an obvious scalability problem. -One solution would be to implement e.g. the "rotate log" command in a way that would calculate some summary values, put them in a "summary table" and then delete the lines used to caluclate those values. +One solution would be to implement e.g. the "rotate log" command in a way that would calculate some summary values, put them in a "summary table" and then delete the lines used to calculate those values. Similar cleanup code could be implemented in an external script and run periodically independently from squid log commands. diff -u -r -N squid-4.0.18/src/log/DB/Makefile.in squid-4.0.19/src/log/DB/Makefile.in --- squid-4.0.18/src/log/DB/Makefile.in 2017-02-06 10:18:04.000000000 +1300 +++ squid-4.0.19/src/log/DB/Makefile.in 2017-04-02 19:46:13.000000000 +1200 @@ -482,7 +482,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/log/file/Makefile.in squid-4.0.19/src/log/file/Makefile.in --- squid-4.0.18/src/log/file/Makefile.in 2017-02-06 10:18:06.000000000 +1300 +++ squid-4.0.19/src/log/file/Makefile.in 2017-04-02 19:46:14.000000000 +1200 @@ -530,7 +530,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/log/Makefile.in squid-4.0.19/src/log/Makefile.in --- squid-4.0.18/src/log/Makefile.in 2017-02-06 10:18:05.000000000 +1300 +++ squid-4.0.19/src/log/Makefile.in 2017-04-02 19:46:13.000000000 +1200 
@@ -587,7 +587,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/main.cc squid-4.0.19/src/main.cc --- squid-4.0.18/src/main.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/main.cc 2017-04-02 19:43:45.000000000 +1200 @@ -12,6 +12,7 @@ #include "AccessLogEntry.h" #include "acl/Acl.h" #include "acl/Asn.h" +#include "anyp/UriScheme.h" #include "AuthReg.h" #include "base/RunnersRegistry.h" #include "base/Subscription.h" @@ -523,11 +524,11 @@ /** \par k * Run the administrative action given following the option */ - /** \li When its an unknown option display the usage help. */ - if ((int) strlen(optarg) < 1) + /** \li When it is missing or an unknown option display the usage help. */ + if (!optarg || strlen(optarg) < 1) usage(); - if (!strncmp(optarg, "reconfigure", strlen(optarg))) + else if (!strncmp(optarg, "reconfigure", strlen(optarg))) /** \li On reconfigure send SIGHUP. */ opt_send_signal = SIGHUP; else if (!strncmp(optarg, "rotate", strlen(optarg))) @@ -1500,6 +1501,8 @@ Mem::Init(); + AnyP::UriScheme::Init(); + storeFsInit(); /* required for config parsing */ /* TODO: call the FS::Clean() in shutdown to do Fs cleanups */ diff -u -r -N squid-4.0.18/src/Makefile.am squid-4.0.19/src/Makefile.am --- squid-4.0.18/src/Makefile.am 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/Makefile.am 2017-04-02 19:43:45.000000000 +1200 @@ -3052,10 +3052,10 @@ acl/libacls.la \ DiskIO/libdiskio.la \ acl/libapi.la \ + anyp/libanyp.la \ $(SSL_LIBS) \ ipc/libipc.la \ comm/libcomm.la \ - anyp/libanyp.la \ dns/libdns.la \ base/libbase.la \ ip/libip.la \ diff -u -r -N squid-4.0.18/src/Makefile.in squid-4.0.19/src/Makefile.in --- squid-4.0.18/src/Makefile.in 2017-02-06 10:17:27.000000000 +1300 +++ squid-4.0.19/src/Makefile.in 2017-04-02 19:45:34.000000000 +1200 
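Review bot: The chain that follows the new `!optarg` test compares with `strncmp(optarg, "reconfigure", strlen(optarg))`, so any prefix of an action name is accepted and the first branch that matches wins (a bare `r` selects reconfigure, never rotate). Because `-k` decides which signal is sent to the running process, the accepted abbreviations deserve a doc line, e.g. `/** \li Action names may be abbreviated; the first match in the order below wins. */`. The chain continues past the end of the hunk, so the remaining actions are not visible here.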
@@ -2547,7 +2547,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ @@ -5337,10 +5336,10 @@ acl/libacls.la \ DiskIO/libdiskio.la \ acl/libapi.la \ + anyp/libanyp.la \ $(SSL_LIBS) \ ipc/libipc.la \ comm/libcomm.la \ - anyp/libanyp.la \ dns/libdns.la \ base/libbase.la \ ip/libip.la \ diff -u -r -N squid-4.0.18/src/mem/Makefile.in squid-4.0.19/src/mem/Makefile.in --- squid-4.0.18/src/mem/Makefile.in 2017-02-06 10:18:06.000000000 +1300 +++ squid-4.0.19/src/mem/Makefile.in 2017-04-02 19:46:15.000000000 +1200 @@ -544,7 +544,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/MemObject.cc squid-4.0.19/src/MemObject.cc --- squid-4.0.18/src/MemObject.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/MemObject.cc 2017-04-02 19:43:45.000000000 +1200 @@ -462,6 +462,14 @@ void MemObject::delayRead(DeferredRead const &aRead) { +#if USE_DELAY_POOLS + if (readAheadPolicyCanRead()) { + if (DelayId mostAllowedId = mostBytesAllowed()) { + mostAllowedId.delayRead(aRead); + return; + } + } +#endif deferredReads.delayRead(aRead); } diff -u -r -N squid-4.0.18/src/mgr/Makefile.in squid-4.0.19/src/mgr/Makefile.in --- squid-4.0.18/src/mgr/Makefile.in 2017-02-06 10:18:07.000000000 +1300 +++ squid-4.0.19/src/mgr/Makefile.in 2017-04-02 19:46:15.000000000 +1200 @@ -548,7 +548,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/parser/Makefile.in squid-4.0.19/src/parser/Makefile.in --- squid-4.0.18/src/parser/Makefile.in 2017-02-06 10:18:08.000000000 +1300 +++ squid-4.0.19/src/parser/Makefile.in 2017-04-02 19:46:16.000000000 +1200 
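Review bot: The added `#if USE_DELAY_POOLS` block in MemObject::delayRead() selects the delay-pool queue only when `readAheadPolicyCanRead()` is true, which reads backwards without a comment: the caller is here because it may not read, and a true result means the read-ahead limit is not what stopped it. A line such as `// read-ahead is not the blocker, so wait on the delay pool that allows the most bytes` above the `if` would make the intent clear. It would also be worth stating that the fallback `deferredReads.delayRead(aRead)` is taken when `mostBytesAllowed()` yields no usable DelayId.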
@@ -543,7 +543,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/repl/Makefile.in squid-4.0.19/src/repl/Makefile.in --- squid-4.0.18/src/repl/Makefile.in 2017-02-06 10:18:09.000000000 +1300 +++ squid-4.0.19/src/repl/Makefile.in 2017-04-02 19:46:16.000000000 +1200 @@ -554,7 +554,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/sbuf/Makefile.in squid-4.0.19/src/sbuf/Makefile.in --- squid-4.0.18/src/sbuf/Makefile.in 2017-02-06 10:18:09.000000000 +1300 +++ squid-4.0.19/src/sbuf/Makefile.in 2017-04-02 19:46:17.000000000 +1200 @@ -544,7 +544,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/sbuf/SBuf.cc squid-4.0.19/src/sbuf/SBuf.cc --- squid-4.0.18/src/sbuf/SBuf.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/sbuf/SBuf.cc 2017-04-02 19:43:45.000000000 +1200 @@ -36,8 +36,7 @@ const SBuf::size_type SBuf::npos; const SBuf::size_type SBuf::maxSize; -SBuf::SBuf() - : store_(GetStorePrototype()), off_(0), len_(0) +SBuf::SBuf() : store_(GetStorePrototype()) { debugs(24, 8, id << " created"); ++stats.alloc; @@ -53,8 +52,7 @@ ++stats.live; } -SBuf::SBuf(const std::string &s) - : store_(GetStorePrototype()), off_(0), len_(0) +SBuf::SBuf(const std::string &s) : store_(GetStorePrototype()) { debugs(24, 8, id << " created from std::string"); lowAppend(s.data(),s.length()); @@ -62,8 +60,7 @@ ++stats.live; } -SBuf::SBuf(const char *S, size_type n) - : store_(GetStorePrototype()), off_(0), len_(0) +SBuf::SBuf(const char *S, size_type n) : store_(GetStorePrototype()) { append(S,n); ++stats.alloc; 
@@ -71,8 +68,7 @@ ++stats.live; } -SBuf::SBuf(const char *S) - : store_(GetStorePrototype()), off_(0), len_(0) +SBuf::SBuf(const char *S) : store_(GetStorePrototype()) { append(S,npos); ++stats.alloc; diff -u -r -N squid-4.0.18/src/sbuf/SBuf.h squid-4.0.19/src/sbuf/SBuf.h --- squid-4.0.18/src/sbuf/SBuf.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/sbuf/SBuf.h 2017-04-02 19:43:45.000000000 +1200 @@ -60,7 +60,7 @@ protected: SBufIterator(const SBuf &, size_type); - const char *iter; + const char *iter = nullptr; }; /** Reverse input const_iterator for SBufs @@ -98,14 +98,11 @@ /// create an empty (zero-size) SBuf SBuf(); SBuf(const SBuf &S); -#if __cplusplus >= 201103L SBuf(SBuf&& S) : store_(std::move(S.store_)), off_(S.off_), len_(S.len_) { ++stats.moves; - S.store_=NULL; //RefCount supports NULL, and S is about to be destructed - S.off_=0; - S.len_=0; + S.store_ = nullptr; //RefCount supports nullptr, and S is about to be destructed + S.off_ = S.len_ = 0; } -#endif /** Constructor: import c-style string * @@ -639,8 +636,8 @@ friend class Locker; MemBlob::Pointer store_; ///< memory block, possibly shared with other SBufs - size_type off_; ///< our content start offset from the beginning of shared store_ - size_type len_; ///< number of our content bytes in shared store_ + size_type off_ = 0; ///< our content start offset from the beginning of shared store_ + size_type len_ = 0; ///< number of our content bytes in shared store_ static SBufStats stats; ///< class-wide statistics /** obtain prototype store diff -u -r -N squid-4.0.18/src/sbuf/Stats.cc squid-4.0.19/src/sbuf/Stats.cc --- squid-4.0.18/src/sbuf/Stats.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/sbuf/Stats.cc 2017-04-02 19:43:45.000000000 +1200 
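Review bot: The move constructor `SBuf(SBuf&& S)` in the `-98,14` hunk is now compiled unconditionally but is not marked `noexcept`, so standard containers that rely on `std::move_if_noexcept` will copy SBufs on reallocation instead of moving them. Nothing visible in its body throws, so the signature could become `SBuf(SBuf&& S) noexcept : store_(std::move(S.store_)), off_(S.off_), len_(S.len_) {`. Whether the `MemBlob::Pointer` move and `++stats.moves` are themselves non-throwing should be confirmed, since their definitions are outside the hunk.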
@@ -13,14 +13,6 @@ #include -SBufStats::SBufStats() - : alloc(0), allocCopy(0), allocFromCString(0), - assignFast(0), clear(0), append(0), moves(0), toStream(0), setChar(0), - getChar(0), compareSlow(0), compareFast(0), copyOut(0), - rawAccess(0), nulTerminate(0), chop(0), trim(0), find(0), - caseChange(0), cowFast(0), cowSlow(0), live(0) -{} - SBufStats& SBufStats::operator +=(const SBufStats& ss) { diff -u -r -N squid-4.0.18/src/sbuf/Stats.h squid-4.0.19/src/sbuf/Stats.h --- squid-4.0.18/src/sbuf/Stats.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/sbuf/Stats.h 2017-04-02 19:43:45.000000000 +1200 @@ -21,34 +21,34 @@ class SBufStats { public: - uint64_t alloc; ///getPeer()) { assert(peer); @@ -52,6 +54,8 @@ SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, (void*)hostName); #endif } + + debugs(83, 5, "success"); return true; } @@ -59,6 +63,7 @@ Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error) { if (error) { + debugs(83, 5, "error=" << (void*)error); // XXX: forward.cc calls peerConnectSucceeded() after an OK TCP connect but // we call peerConnectFailed() if SSL failed afterwards. Is that OK? // It is not clear whether we should call peerConnectSucceeded/Failed() diff -u -r -N squid-4.0.18/src/security/cert_generators/file/Makefile.in squid-4.0.19/src/security/cert_generators/file/Makefile.in --- squid-4.0.18/src/security/cert_generators/file/Makefile.in 2017-02-06 10:18:11.000000000 +1300 +++ squid-4.0.19/src/security/cert_generators/file/Makefile.in 2017-04-02 19:46:18.000000000 +1200 
@@ -556,7 +556,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/security/cert_generators/file/security_file_certgen.8.in squid-4.0.19/src/security/cert_generators/file/security_file_certgen.8.in --- squid-4.0.18/src/security/cert_generators/file/security_file_certgen.8.in 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/security/cert_generators/file/security_file_certgen.8.in 2017-04-02 19:43:45.000000000 +1200 @@ -34,7 +34,7 @@ Because the generation and signing of SSL certificates takes time Squid must use external process to handle the work. . -This process generates new SSL certificates and uses a disk cache of certificatess +This process generates new SSL certificates and uses a disk cache of certificates to improve response times on repeated requests. Communication occurs via TCP sockets bound to the loopback interface. . @@ -123,7 +123,7 @@ . .PP For simple configuration the helper defaults can be used. -Only HTTP listening port options are required to enable generation and set the signign CA certificate. +Only HTTP listening port options are required to enable generation and set the signing CA certificate. For Example: .if !'po4a'hide' .RS .if !'po4a'hide' .B http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=@SYSCONFDIR@/ssl_cert/example.com.pem diff -u -r -N squid-4.0.18/src/security/cert_generators/Makefile.in squid-4.0.19/src/security/cert_generators/Makefile.in --- squid-4.0.18/src/security/cert_generators/Makefile.in 2017-02-06 10:18:10.000000000 +1300 +++ squid-4.0.19/src/security/cert_generators/Makefile.in 2017-04-02 19:46:18.000000000 +1200 
@@ -327,7 +327,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/security/cert_validators/fake/Makefile.in squid-4.0.19/src/security/cert_validators/fake/Makefile.in --- squid-4.0.18/src/security/cert_validators/fake/Makefile.in 2017-02-06 10:18:11.000000000 +1300 +++ squid-4.0.19/src/security/cert_validators/fake/Makefile.in 2017-04-02 19:46:19.000000000 +1200 @@ -482,7 +482,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/security/cert_validators/fake/security_fake_certverify.8 squid-4.0.19/src/security/cert_validators/fake/security_fake_certverify.8 --- squid-4.0.18/src/security/cert_validators/fake/security_fake_certverify.8 2017-02-06 13:44:09.000000000 +1300 +++ squid-4.0.19/src/security/cert_validators/fake/security_fake_certverify.8 2017-04-02 23:50:29.000000000 +1200 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "SECURITY_FAKE_CERTVERIFY 8" -.TH SECURITY_FAKE_CERTVERIFY 8 "2017-02-06" "perl v5.24.1" "User Contributed Perl Documentation" +.TH SECURITY_FAKE_CERTVERIFY 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.0.18/src/security/cert_validators/Makefile.in squid-4.0.19/src/security/cert_validators/Makefile.in --- squid-4.0.18/src/security/cert_validators/Makefile.in 2017-02-06 10:18:11.000000000 +1300 +++ squid-4.0.19/src/security/cert_validators/Makefile.in 2017-04-02 19:46:19.000000000 +1200 
@@ -327,7 +327,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/security/Context.h squid-4.0.19/src/security/Context.h --- squid-4.0.18/src/security/Context.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/security/Context.h 2017-04-02 19:43:45.000000000 +1200 @@ -9,8 +9,7 @@ #ifndef SQUID_SRC_SECURITY_CONTEXT_H #define SQUID_SRC_SECURITY_CONTEXT_H -#include "security/forward.h" -#include "security/LockingPointer.h" +#include #if USE_OPENSSL #if HAVE_OPENSSL_SSL_H @@ -26,19 +25,14 @@ namespace Security { #if USE_OPENSSL -CtoCpp1(SSL_CTX_free, SSL_CTX *); -#if defined(CRYPTO_LOCK_SSL_CTX) // OpenSSL 1.0 -inline int SSL_CTX_up_ref(SSL_CTX *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_SSL_CTX); return 0;} -#endif -typedef Security::LockingPointer > ContextPointer; +typedef std::shared_ptr ContextPointer; #elif USE_GNUTLS -CtoCpp1(gnutls_certificate_free_credentials, gnutls_certificate_credentials_t); -typedef Security::LockingPointer ContextPointer; +typedef std::shared_ptr ContextPointer; #else // use void* so we can check against nullptr -typedef Security::LockingPointer ContextPointer; +typedef std::shared_ptr ContextPointer; #endif diff -u -r -N squid-4.0.18/src/security/forward.h squid-4.0.19/src/security/forward.h --- squid-4.0.18/src/security/forward.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/security/forward.h 2017-04-02 19:43:45.000000000 +1200 
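Review bot: With `ContextPointer` now a plain `std::shared_ptr` typedef, the release function is no longer part of the type: the removed `LockingPointer` declarations named `SSL_CTX_free` and `gnutls_certificate_free_credentials`, whereas a `shared_ptr` constructed without an explicit deleter calls `delete` on the handle. Every place that creates a ContextPointer (none is visible in this hunk) therefore has to pass the matching free function, and a comment on the typedefs would make that requirement discoverable, e.g. `// always construct with the TLS library's free function as the deleter`. The template arguments are not legible on this page, so this assumes the pointees are the raw library handle types.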
@@ -108,7 +108,35 @@ /// \note using std::unordered_set ensures values are unique, with fast lookup typedef std::unordered_set Errors; +namespace Io +{ +enum Type { +#if USE_OPENSSL + BIO_TO_CLIENT = 6000, + BIO_TO_SERVER +#elif USE_GNUTLS + // NP: this is odd looking but correct. + // 'to-client' means we are a server, and vice versa. + BIO_TO_CLIENT = GNUTLS_SERVER, + BIO_TO_SERVER = GNUTLS_CLIENT +#else + BIO_TO_CLIENT = 6000, + BIO_TO_SERVER +#endif +}; + +} // namespace Io + class KeyData; + +#if USE_OPENSSL +typedef long ParsedOptions; +#elif USE_GNUTLS +typedef std::shared_ptr ParsedOptions; +#else +class ParsedOptions {}; // we never parse/use TLS options in this case +#endif + class PeerConnector; class PeerOptions; class ServerOptions; diff -u -r -N squid-4.0.18/src/security/Handshake.cc squid-4.0.19/src/security/Handshake.cc --- squid-4.0.18/src/security/Handshake.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/security/Handshake.cc 2017-04-02 19:43:45.000000000 +1200 @@ -545,6 +545,10 @@ pCert.resetWithoutLocking(x509); Must(x509); // successfully parsed Must(x509Pos == x509Start + raw.length()); // no leftovers +#else + // workaround GCC -O3 error with unused variables. see bug 4663. + (void)pCert; + debugs(83, 2, "TLS parsing is not supported without OpenSSL. " << raw); #endif } diff -u -r -N squid-4.0.18/src/security/Makefile.in squid-4.0.19/src/security/Makefile.in --- squid-4.0.18/src/security/Makefile.in 2017-02-06 10:18:10.000000000 +1300 +++ squid-4.0.19/src/security/Makefile.in 2017-04-02 19:46:18.000000000 +1200 
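Review bot: The `#if USE_OPENSSL` and `#else` arms of `enum Type` in the new `Io` namespace are identical (`BIO_TO_CLIENT = 6000, BIO_TO_SERVER`), so the conditional can shrink to `#if USE_GNUTLS` / `#else` / `#endif`. The base value 6000 also has no comment explaining why it was chosen, unlike the GnuTLS arm, which explains its mapping; a short `// arbitrary values, only compared against each other` (if that is the case) would help.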
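Review bot: The added `debugs(83, 2, "TLS parsing is not supported without OpenSSL. " << raw)` streams `raw` itself into the debug log, and the `Must(x509Pos == x509Start + raw.length())` line above suggests `raw` holds the certificate bytes received from the peer. Remotely supplied binary data in a level-2 log line is noisy and can carry control characters; logging the size instead, `debugs(83, 2, "TLS parsing is not supported without OpenSSL; skipped " << raw.length() << " bytes");`, keeps the diagnostic value. The enclosing function starts outside the hunk.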
@@ -586,7 +586,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/security/PeerConnector.cc squid-4.0.19/src/security/PeerConnector.cc --- squid-4.0.18/src/security/PeerConnector.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/security/PeerConnector.cc 2017-04-02 19:43:45.000000000 +1200 @@ -58,6 +58,7 @@ Security::PeerConnector::start() { AsyncJob::start(); + debugs(83, 5, "this=" << (void*)this); Security::SessionPointer tmp; if (prepareSocket() && initialize(tmp)) @@ -76,6 +77,7 @@ void Security::PeerConnector::connectionClosed(const char *reason) { + debugs(83, 5, reason << " socket closed/closing. this=" << (void*)this); mustStop(reason); callback = NULL; } 
@@ -83,32 +85,34 @@ bool Security::PeerConnector::prepareSocket() { - const int fd = serverConnection()->fd; - if (!Comm::IsConnOpen(serverConn) || fd_table[serverConn->fd].closing()) { + debugs(83, 5, serverConnection() << ", this=" << (void*)this); + if (!Comm::IsConnOpen(serverConnection()) || fd_table[serverConnection()->fd].closing()) { connectionClosed("Security::PeerConnector::prepareSocket"); return false; } + debugs(83, 5, serverConnection()); + // watch for external connection closures typedef CommCbMemFunT Dialer; closeHandler = JobCallback(9, 5, Dialer, this, Security::PeerConnector::commCloseHandler); - comm_add_close_handler(fd, closeHandler); + comm_add_close_handler(serverConnection()->fd, closeHandler); return true; } bool Security::PeerConnector::initialize(Security::SessionPointer &serverSession) { -#if USE_OPENSSL Security::ContextPointer ctx(getTlsContext()); - assert(ctx); + debugs(83, 5, serverConnection() << ", ctx=" << (void*)ctx.get()); - if (!Ssl::CreateClient(ctx, serverConnection(), "server https start")) { + if (!ctx || !Security::CreateClientSession(ctx, serverConnection(), "server https start")) { const auto xerrno = errno; - const auto ssl_error = ERR_get_error(); + if (!ctx) { + debugs(83, DBG_IMPORTANT, "Error initializing TLS connection: No security context."); + } // else CreateClientSession() did the appropriate debugs() already ErrorState *anErr = new ErrorState(ERR_SOCKET_FAILURE, Http::scInternalServerError, request.getRaw()); anErr->xerrno = xerrno; - debugs(83, DBG_IMPORTANT, "Error allocating TLS handle: " << Security::ErrorString(ssl_error)); noteNegotiationDone(anErr); bail(anErr); return false; 
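Review bot: In `Security::PeerConnector::initialize()`, `const auto xerrno = errno;` is now also reached when `ctx` is null, where no system call has failed, so the ErrorState records whatever stale value errno happened to hold. On the other path CreateClientSession() has already run its own `debugs()` and library calls before returning, which may have overwritten errno as well. I would record a system error only when one is known, e.g. `const auto xerrno = ctx ? errno : 0;`, with a short comment that the value is best-effort. The end of initialize() lies in the following hunks.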
@@ -116,7 +120,9 @@ // A TLS/SSL session has now been created for the connection and stored in fd_table serverSession = fd_table[serverConnection()->fd].ssl; + debugs(83, 5, serverConnection() << ", session=" << (void*)serverSession.get()); +#if USE_OPENSSL // If CertValidation Helper used do not lookup checklist for errors, // but keep a list of errors to send it to CertValidator if (!Ssl::TheConfig.ssl_crt_validator) { @@ -129,11 +135,9 @@ SSL_set_ex_data(serverSession.get(), ssl_ex_index_cert_error_check, check); } } +#endif return true; -#else - return false; -#endif } void @@ -179,11 +183,30 @@ return; #if USE_OPENSSL - const int result = SSL_connect(fd_table[fd].ssl.get()); + auto session = fd_table[fd].ssl.get(); + debugs(83, 5, "SSL_connect session=" << (void*)session); + const int result = SSL_connect(session); + if (result <= 0) { +#elif USE_GNUTLS + auto session = fd_table[fd].ssl.get(); + const int result = gnutls_handshake(session); + debugs(83, 5, "gnutls_handshake session=" << (void*)session << ", result=" << result); + + if (result == GNUTLS_E_SUCCESS) { + char *desc = gnutls_session_get_desc(session); + debugs(83, 2, serverConnection() << " TLS Session info: " << desc); + gnutls_free(desc); + } + + if (result != GNUTLS_E_SUCCESS) { + // debug the TLS session state so far + auto descIn = gnutls_handshake_get_last_in(session); + debugs(83, 2, "handshake IN: " << gnutls_handshake_description_get_name(descIn)); + auto descOut = gnutls_handshake_get_last_out(session); + debugs(83, 2, "handshake OUT: " << gnutls_handshake_description_get_name(descOut)); #else - const int result = -1; + if (const int result = -1) { #endif - if (result <= 0) { handleNegotiateError(result); return; // we might be gone by now } 
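Review bot: In the `USE_GNUTLS` branch of the hunk at `@@ -179,11 +183,30 @@`, the results of `gnutls_handshake_description_get_name()` are streamed straight into `debugs()`, but GnuTLS documents that function as returning NULL for a message type it does not know, and inserting a null `const char *` into an ostream is undefined behaviour. The same guard is worth applying to `desc` from `gnutls_session_get_desc()` in case it can be null. Something like `const char *nameIn = gnutls_handshake_description_get_name(descIn);` followed by `debugs(83, 2, "handshake IN: " << (nameIn ? nameIn : "[unknown]"));` avoids it. This diagnostic block also runs for every `result != GNUTLS_E_SUCCESS`, which presumably includes the ordinary non-blocking retry codes handled later in handleNegotiateError(), so limiting it to fatal results may be preferable. The enclosing function starts and ends outside the hunk.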
@@ -205,11 +228,11 @@ Security::SessionPointer session(fd_table[fd].ssl); Ssl::CertValidationRequest validationRequest; - // WARNING: Currently we do not use any locking for any of the - // members of the Ssl::CertValidationRequest class. In this code the + // WARNING: Currently we do not use any locking for 'errors' member + // of the Ssl::CertValidationRequest class. In this code the // Ssl::CertValidationRequest object used only to pass data to // Ssl::CertValidationHelper::submit method. - validationRequest.ssl = session.get(); + validationRequest.ssl = session; if (SBuf *dName = (SBuf *)SSL_get_ex_data(session.get(), ssl_ex_index_server)) validationRequest.domainName = dName->c_str(); if (Security::CertErrors *errs = static_cast(SSL_get_ex_data(session.get(), ssl_ex_index_ssl_errors))) @@ -360,10 +383,11 @@ void Security::PeerConnector::handleNegotiateError(const int ret) { -#if USE_OPENSSL const int fd = serverConnection()->fd; - unsigned long ssl_lib_error = SSL_ERROR_NONE; - Security::SessionPointer session(fd_table[fd].ssl); + const Security::SessionPointer session(fd_table[fd].ssl); + unsigned long ssl_lib_error = ret; + +#if USE_OPENSSL const int ssl_error = SSL_get_error(session.get(), ret); switch (ssl_error) { 
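Review bot: In `handleNegotiateError()` (hunk `@@ -360,10 +383,11 @@`), `unsigned long ssl_lib_error = ret;` converts a negative `ret` into a very large unsigned value, which is later narrowed back to the `const int ssl_lib_error` parameter of noteNegotiationError() and handed to Security::ErrorString(). That round trip relies on implementation-defined conversion, and for OpenSSL it changes the starting value from `SSL_ERROR_NONE` to the SSL_connect() result for any switch case that does not assign it (the cases are outside this hunk). I would keep `SSL_ERROR_NONE` as the initial value inside the `USE_OPENSSL` section and carry `ret` in a plain `int` for the other builds, with a comment naming which library's error space the value belongs to. The switch that consumes the variable is in the next hunk.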
@@ -382,19 +406,49 @@ break; default: // no special error handling for all other errors + ssl_lib_error = SSL_ERROR_NONE; + break; + } + +#elif USE_GNUTLS + const int ssl_error = ret; + + switch (ret) { + case GNUTLS_E_WARNING_ALERT_RECEIVED: { + auto alert = gnutls_alert_get(session.get()); + debugs(83, DBG_IMPORTANT, "TLS ALERT: " << gnutls_alert_get_name(alert)); + } + // drop through to next case + + case GNUTLS_E_AGAIN: + case GNUTLS_E_INTERRUPTED: + if (gnutls_record_get_direction(session.get()) == 0) + noteWantRead(); + else + noteWantWrite(); + return; + + default: + // no special error handling for all other errors break; } +#else + // this avoids unused variable compiler warnings. + Must(!session); + const int ssl_error = ret; +#endif + // Log connection details, if any recordNegotiationDetails(); noteNegotiationError(ret, ssl_error, ssl_lib_error); -#endif } void Security::PeerConnector::noteWantRead() { const int fd = serverConnection()->fd; + debugs(83, 5, serverConnection()); #if USE_OPENSSL Security::SessionPointer session(fd_table[fd].ssl); BIO *b = SSL_get_rbio(session.get()); @@ -425,6 +479,7 @@ Security::PeerConnector::noteWantWrite() { const int fd = serverConnection()->fd; + debugs(83, 5, serverConnection()); Comm::SetSelect(fd, COMM_SELECT_WRITE, &NegotiateSsl, this, 0); return; } 
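Review bot: The `GNUTLS_E_WARNING_ALERT_RECEIVED` case logs at `DBG_IMPORTANT` for every warning alert the remote end sends, so a peer decides how many important-level lines reach cache.log, and `gnutls_alert_get_name()` may return NULL for an alert it does not recognise, which must not be streamed as a `const char *`. I would lower the level and guard the name, e.g. `const char *name = gnutls_alert_get_name(alert);` then `debugs(83, 2, "TLS ALERT: " << (name ? name : "[unknown]"));`. handleNegotiateError() starts in the previous hunk, so the handling of the other return codes is only partly visible here.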
@@ -432,21 +487,23 @@ void Security::PeerConnector::noteNegotiationError(const int ret, const int ssl_error, const int ssl_lib_error) { -#if USE_OPENSSL // not used unless OpenSSL enabled. #if defined(EPROTO) int sysErrNo = EPROTO; #else int sysErrNo = EACCES; #endif +#if USE_OPENSSL // store/report errno when ssl_error is SSL_ERROR_SYSCALL, ssl_lib_error is 0, and ret is -1 if (ssl_error == SSL_ERROR_SYSCALL && ret == -1 && ssl_lib_error == 0) sysErrNo = errno; +#endif + int xerr = errno; const int fd = serverConnection()->fd; - debugs(83, DBG_IMPORTANT, "Error negotiating SSL on FD " << fd << + debugs(83, DBG_IMPORTANT, "ERROR: negotiating TLS on FD " << fd << ": " << Security::ErrorString(ssl_lib_error) << " (" << - ssl_error << "/" << ret << "/" << errno << ")"); + ssl_error << "/" << ret << "/" << xerr << ")"); ErrorState *anErr = NULL; if (request != NULL) @@ -455,6 +512,7 @@ anErr = new ErrorState(ERR_SECURE_CONNECT_FAIL, Http::scServiceUnavailable, NULL); anErr->xerrno = sysErrNo; +#if USE_OPENSSL Security::SessionPointer session(fd_table[fd].ssl); Ssl::ErrorDetail *errFromFailure = static_cast(SSL_get_ex_data(session.get(), ssl_ex_index_ssl_error_detail)); if (errFromFailure != NULL) { @@ -471,10 +529,10 @@ if (ssl_lib_error != SSL_ERROR_NONE) anErr->detail->setLibError(ssl_lib_error); +#endif noteNegotiationDone(anErr); bail(anErr); -#endif } void @@ -498,6 +556,8 @@ void Security::PeerConnector::callBack() { + debugs(83, 5, "TLS setup ended for " << serverConnection()); + AsyncCall::Pointer cb = callback; // Do this now so that if we throw below, swanSong() assert that we _tried_ // to call back holds. diff -u -r -N squid-4.0.18/src/security/PeerOptions.cc squid-4.0.19/src/security/PeerOptions.cc --- squid-4.0.18/src/security/PeerOptions.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/security/PeerOptions.cc 2017-04-02 19:43:45.000000000 +1200 
@@ -21,22 +21,10 @@ Security::PeerOptions Security::ProxyOutgoingConfig; -Security::PeerOptions::PeerOptions(const Security::PeerOptions &p) : - sslOptions(p.sslOptions), - caDir(p.caDir), - crlFile(p.crlFile), - sslCipher(p.sslCipher), - sslFlags(p.sslFlags), - sslDomain(p.sslDomain), - parsedOptions(p.parsedOptions), - parsedFlags(p.parsedFlags), - certs(p.certs), - caFiles(p.caFiles), - parsedCrl(p.parsedCrl), - sslVersion(p.sslVersion), - encryptTransport(p.encryptTransport) +Security::PeerOptions::PeerOptions() { - memcpy(&flags, &p.flags, sizeof(flags)); + // init options consistent with an empty sslOptions + parseOptions(); } void @@ -71,7 +59,7 @@ tlsMinVersion = SBuf(token + 12); } else if (strncmp(token, "options=", 8) == 0) { sslOptions = SBuf(token + 8); - parsedOptions = parseOptions(); + parseOptions(); } else if (strncmp(token, "cipher=", 7) == 0) { sslCipher = SBuf(token + 7); } else if (strncmp(token, "cafile=", 7) == 0) { @@ -167,6 +155,7 @@ if (tok.skip('1') && tok.skip('.') && tok.int64(v, 10, false, 1) && v <= 3) { // only account for TLS here - SSL versions are handled by options= parameter // avoid affecting options= parameter in cachemgr config report +#if USE_OPENSSL #if SSL_OP_NO_TLSv1 if (v > 0) parsedOptions |= SSL_OP_NO_TLSv1; 
@@ -180,36 +169,73 @@ parsedOptions |= SSL_OP_NO_TLSv1_2; #endif +#elif USE_GNUTLS + // XXX: update parsedOptions directly to avoid polluting 'options=' dumps + SBuf add; + if (v > 0) + add.append(":-VERS-TLS1.0"); + if (v > 1) + add.append(":-VERS-TLS1.1"); + if (v > 2) + add.append(":-VERS-TLS1.2"); + + if (sslOptions.isEmpty()) + add.chop(1); // remove the initial ':' + sslOptions.append(add); +#endif + } else { debugs(0, DBG_PARSE_NOTE(1), "WARNING: Unknown TLS minimum version: " << tlsMinVersion); } - } else if (sslVersion > 2) { + return; + } + + if (sslVersion > 2) { // backward compatibility hack for sslversion= configuration // only use if tls-min-version=N.N is not present // values 0-2 for auto and SSLv2 are not supported any longer. // Do it this way so we DO cause changes to options= in cachemgr config report - const char *add = NULL; + const char *add = nullptr; switch (sslVersion) { case 3: - add = "NO_TLSv1,NO_TLSv1_1,NO_TLSv1_2"; +#if USE_OPENSSL + parsedOptions |= (SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2); +#elif USE_GNUTLS + add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"; +#endif break; case 4: - add = "NO_SSLv3,NO_TLSv1_1,NO_TLSv1_2"; +#if USE_OPENSSL + parsedOptions |= (SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1_2); +#elif USE_GNUTLS + add = ":+VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"; +#endif break; case 5: - add = "NO_SSLv3,NO_TLSv1,NO_TLSv1_2"; +#if USE_OPENSSL + parsedOptions |= (SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_2); +#elif USE_GNUTLS + add = ":-VERS-TLS1.0:+VERS-TLS1.1:-VERS-TLS1.2"; +#endif break; case 6: - add = "NO_SSLv3,NO_TLSv1,NO_TLSv1_1"; +#if USE_OPENSSL + parsedOptions |= (SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1); +#elif USE_GNUTLS + add = ":-VERS-TLS1.0:-VERS-TLS1.1"; +#endif break; default: // nothing break; } if (add) { - if (!sslOptions.isEmpty()) - sslOptions.append(",",1); - sslOptions.append(add, strlen(add)); +#if USE_GNUTLS // dont bother otherwise + if (sslOptions.isEmpty()) + 
sslOptions.append(add+1, strlen(add+1)); + else + sslOptions.append(add, strlen(add)); +#endif } sslVersion = 0; // prevent sslOptions being repeatedly appended } @@ -231,7 +257,7 @@ const auto x = ERR_get_error(); fatalf("Failed to allocate TLS client context: %s\n", Security::ErrorString(x)); } - ctx.resetWithoutLocking(t); + ctx = convertContextFromRawPtr(t); #elif USE_GNUTLS // Initialize for X.509 certificate exchange @@ -239,7 +265,7 @@ if (const int x = gnutls_certificate_allocate_credentials(&t)) { fatalf("Failed to allocate TLS client context: %s\n", Security::ErrorString(x)); } - ctx.resetWithoutLocking(t); + ctx = convertContextFromRawPtr(t); #else debugs(83, 1, "WARNING: Failed to allocate TLS client context: No TLS library"); @@ -257,8 +283,11 @@ Security::ContextPointer t(createBlankContext()); if (t) { #if USE_OPENSSL + // NP: GnuTLS uses 'priorities' which are set per-session instead. + SSL_CTX_set_options(t.get(), (setOptions ? parsedOptions : 0)); + // XXX: temporary performance regression. c_str() data copies and prevents this being a const method - Ssl::InitClientContext(t, *this, (setOptions ? parsedOptions : 0), parsedFlags); + Ssl::InitClientContext(t, *this, parsedFlags); #endif updateContextNpn(t); updateContextCa(t); @@ -268,6 +297,7 @@ return t; } +#if USE_OPENSSL /// set of options we can parse and what they map to static struct ssl_option { const char *name; @@ -397,18 +427,20 @@ NULL, 0 } }; +#endif /* USE_OPENSSL */ /** * Pre-parse TLS options= parameter to be applied when the TLS objects created. * Options must not used in the case of peek or stare bump mode. */ -long +void Security::PeerOptions::parseOptions() { - long op = 0; +#if USE_OPENSSL ::Parser::Tokenizer tok(sslOptions); + long op = 0; - do { + while (!tok.atEnd()) { enum { MODE_ADD, MODE_REMOVE } mode; 
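Review bot: In the hunk `@@ -180,36 +169,73 @@`, the `USE_GNUTLS` code for both `tls-min-version` and the `sslVersion` switch only appends `-VERS-…` text to `sslOptions`, and no call to `parseOptions()` is visible after either append, while updateSessionOptions() applies `parsedOptions` rather than the string. If nothing outside the hunk re-parses, a configured minimum TLS version is silently not enforced for GnuTLS sessions. Calling `parseOptions();` after the append (or building the priority from a separate string, as the XXX comment suggests) would close that gap. Separately, the comment "Do it this way so we DO cause changes to options=" no longer describes the OpenSSL path, which now sets `parsedOptions` bits directly. The function starts before this hunk.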
@@ -461,13 +493,31 @@ fatalf("Unknown TLS option '" SQUIDSBUFPH "'", SQUIDSBUFPRINT(tok.remaining())); } - } while (!tok.atEnd()); + } #if SSL_OP_NO_SSLv2 // compliance with RFC 6176: Prohibiting Secure Sockets Layer (SSL) Version 2.0 op = op | SSL_OP_NO_SSLv2; #endif - return op; + parsedOptions = op; + +#elif USE_GNUTLS + if (sslOptions.isEmpty()) { + parsedOptions.reset(); + return; + } + + const char *err = nullptr; + const char *priorities = sslOptions.c_str(); + gnutls_priority_t op; + if (gnutls_priority_init(&op, priorities, &err) != GNUTLS_E_SUCCESS) { + fatalf("Unknown TLS option '%s'", err); + } + parsedOptions = Security::ParsedOptions(op, [](gnutls_priority_t p) { + debugs(83, 5, "gnutls_priority_deinit p=" << (void*)p); + gnutls_priority_deinit(p); + }); +#endif } /** @@ -572,6 +622,7 @@ static const char * loadSystemTrustedCa(Security::ContextPointer &ctx) { + debugs(83, 8, "Setting default system Trusted CA. ctx=" << (void*)ctx.get()); #if USE_OPENSSL if (SSL_CTX_set_default_verify_paths(ctx.get()) == 0) return Security::ErrorString(ERR_get_error()); 
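Review bot: In the `USE_GNUTLS` branch of `parseOptions()`, `fatalf("Unknown TLS option '%s'", err);` passes `err` to `%s` although it is initialised to `nullptr` and is only meaningful when gnutls_priority_init() rejects the string at a specific position; for other failures it can still be null, and the return code that would explain the failure is discarded. I would keep the result and print both: `const int x = gnutls_priority_init(&op, priorities, &err);` then `fatalf("Failed to parse TLS options '%s': %s", (err ? err : priorities), Security::ErrorString(x));`. The start of parseOptions() is in the previous hunk.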
@@ -642,6 +693,31 @@ } void +Security::PeerOptions::updateSessionOptions(Security::SessionPointer &s) +{ +#if USE_OPENSSL + // 'options=' value being set to session is a GnuTLS specific thing. +#elif USE_GNUTLS + int x; + SBuf errMsg; + if (!parsedOptions) { + debugs(83, 5, "set GnuTLS default priority/options for session=" << s); + x = gnutls_set_default_priority(s.get()); + static const SBuf defaults("default"); + errMsg = defaults; + } else { + debugs(83, 5, "set GnuTLS options '" << sslOptions << "' for session=" << s); + x = gnutls_priority_set(s.get(), parsedOptions.get()); + errMsg = sslOptions; + } + + if (x != GNUTLS_E_SUCCESS) { + debugs(83, DBG_IMPORTANT, "ERROR: Failed to set TLS options (" << errMsg << "). error: " << Security::ErrorString(x)); + } +#endif +} + +void parse_securePeerOptions(Security::PeerOptions *opt) { while(const char *token = ConfigParser::NextToken()) diff -u -r -N squid-4.0.18/src/security/PeerOptions.h squid-4.0.19/src/security/PeerOptions.h --- squid-4.0.18/src/security/PeerOptions.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/security/PeerOptions.h 2017-04-02 19:43:45.000000000 +1200 @@ -22,9 +22,12 @@ class PeerOptions { public: - PeerOptions() : parsedOptions(0), parsedFlags(0), sslVersion(0), encryptTransport(false) {} - PeerOptions(const PeerOptions &); - virtual ~PeerOptions() = default; + PeerOptions(); + PeerOptions(const PeerOptions &) = default; + PeerOptions &operator =(const PeerOptions &) = default; + PeerOptions(PeerOptions &&) = default; + PeerOptions &operator =(PeerOptions &&) = default; + virtual ~PeerOptions() {} /// parse a TLS squid.conf option virtual void parse(const char *); 
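Review bot: `updateSessionOptions()` only logs when `gnutls_priority_set()` or `gnutls_set_default_priority()` fails and returns `void`, so CreateSession() goes on to use a session whose configured protocol and cipher restrictions were not applied. For a setting that exists to restrict what may be negotiated, failing closed is safer: return `bool` (`return x == GNUTLS_E_SUCCESS;`) and have the caller abandon the session on `false`. The debug lines also stream the `SessionPointer` itself (`<< s`) where the rest of the change prints `(void*)s.get()`.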
@@ -50,11 +53,14 @@ /// setup the CRL details for the given context void updateContextCrl(Security::ContextPointer &); + /// setup any library-specific options that can be set for the given session + void updateSessionOptions(Security::SessionPointer &); + /// output squid.conf syntax with 'pfx' prefix on parameters for the stored settings virtual void dumpCfg(Packable *, const char *pfx) const; private: - long parseOptions(); + void parseOptions(); ///< parsed value of sslOptions long parseFlags(); void loadCrlFile(); @@ -69,19 +75,39 @@ SBuf tlsMinVersion; ///< version label for minimum TLS version to permit - long parsedOptions; ///< parsed value of sslOptions - long parsedFlags; ///< parsed value of sslFlags + Security::ParsedOptions parsedOptions; ///< parsed value of sslOptions + long parsedFlags = 0; ///< parsed value of sslFlags std::list certs; ///< details from the cert= and file= config parameters std::list caFiles; ///< paths of files containing trusted Certificate Authority Security::CertRevokeList parsedCrl; ///< CRL to use when verifying the remote end certificate protected: - int sslVersion; + template + Security::ContextPointer convertContextFromRawPtr(T ctx) const { +#if USE_OPENSSL + return ContextPointer(ctx, [](SSL_CTX *p) { + debugs(83, 5, "SSL_free ctx=" << (void*)p); + SSL_CTX_free(p); + }); +#elif USE_GNUTLS + return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) { + debugs(83, 5, "gnutls_certificate_free_credentials ctx=" << (void*)p); + gnutls_certificate_free_credentials(p); + }); +#else + assert(!ctx); + return Security::ContextPointer(); +#endif + } + + int sslVersion = 0; /// flags governing Squid internal TLS operations struct flags_ { flags_() : tlsDefaultCa(true), tlsNpn(true) {} + flags_(const flags_ &) = default; + flags_ &operator =(const flags_ &) = default; /// whether to use the system default Trusted CA when verifying the remote end certificate YesNoNone tlsDefaultCa; 
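Review bot: The trailing comment on `void parseOptions(); ///< parsed value of sslOptions` describes a value, not what the method does, and it duplicates the comment on the `parsedOptions` member further down. Something like `/// parses sslOptions and stores the result in parsedOptions` above the declaration would match the new `void` signature. The comment on `updateSessionOptions()` could also say that it is a no-op in OpenSSL builds, as its definition in PeerOptions.cc shows.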
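Review bot: `convertContextFromRawPtr()` attaches the freeing deleter to whatever pointer it is given, and if `ContextPointer` is a `std::shared_ptr`, as the pointer-plus-deleter construction suggests, that deleter also runs on destruction when the pointer is null. That is harmless for `SSL_CTX_free()`, but `gnutls_certificate_free_credentials()` is not documented as accepting NULL, and the ServerOptions.cc hunks (`@@ -101,7 +101,7 @@` and `@@ -109,7 +109,7 @@`) still execute `ctx = convertContextFromRawPtr(t);` after an allocation failure that is only logged. I would start the function with `if (!ctx) return Security::ContextPointer();` and, in the GnuTLS server path, return before wrapping `t` when allocation failed, since the state of `t` after a failed call is not visible here. The OpenSSL debug text `"SSL_free ctx="` also names the wrong function; the deleter calls `SSL_CTX_free`.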
@@ -92,7 +118,7 @@ public: /// whether transport encryption (TLS/SSL) is to be used on connections to the peer - bool encryptTransport; + bool encryptTransport = false; }; /// configuration options for DIRECT server access diff -u -r -N squid-4.0.18/src/security/ServerOptions.cc squid-4.0.19/src/security/ServerOptions.cc --- squid-4.0.18/src/security/ServerOptions.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/security/ServerOptions.cc 2017-04-02 19:43:45.000000000 +1200 @@ -101,7 +101,7 @@ const auto x = ERR_get_error(); debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: " << Security::ErrorString(x)); } - ctx.resetWithoutLocking(t); + ctx = convertContextFromRawPtr(t); #elif USE_GNUTLS // Initialize for X.509 certificate exchange @@ -109,7 +109,7 @@ if (const int x = gnutls_certificate_allocate_credentials(&t)) { debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: " << Security::ErrorString(x)); } - ctx.resetWithoutLocking(t); + ctx = convertContextFromRawPtr(t); #else debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: No TLS library"); diff -u -r -N squid-4.0.18/src/security/ServerOptions.h squid-4.0.19/src/security/ServerOptions.h --- squid-4.0.18/src/security/ServerOptions.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/security/ServerOptions.h 2017-04-02 19:43:45.000000000 +1200 
@@ -24,6 +24,10 @@ // is more secure to have only a small set of trusted CA. flags.tlsDefaultCa.defaultTo(false); } + ServerOptions(const ServerOptions &) = default; + ServerOptions &operator =(const ServerOptions &) = default; + ServerOptions(ServerOptions &&) = default; + ServerOptions &operator =(ServerOptions &&) = default; virtual ~ServerOptions() = default; /* Security::PeerOptions API */ diff -u -r -N squid-4.0.18/src/security/Session.cc squid-4.0.19/src/security/Session.cc --- squid-4.0.18/src/security/Session.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/security/Session.cc 2017-04-02 19:43:45.000000000 +1200 
@@ -11,14 +11,196 @@ #include "squid.h" #include "anyp/PortCfg.h" #include "base/RunnersRegistry.h" +#include "CachePeer.h" #include "Debug.h" +#include "fd.h" +#include "fde.h" #include "ipc/MemMap.h" #include "security/Session.h" #include "SquidConfig.h" +#include "ssl/bio.h" #define SSL_SESSION_ID_SIZE 32 #define SSL_SESSION_MAX_SIZE 10*1024 +#if USE_OPENSSL || USE_GNUTLS +static int +tls_read_method(int fd, char *buf, int len) +{ + auto session = fd_table[fd].ssl.get(); + debugs(83, 3, "started for session=" << (void*)session); + +#if DONT_DO_THIS && USE_OPENSSL + if (!SSL_is_init_finished(session)) { + errno = ENOTCONN; + return -1; + } +#endif + +#if USE_OPENSSL + int i = SSL_read(session, buf, len); +#elif USE_GNUTLS + int i = gnutls_record_recv(session, buf, len); +#endif + + if (i > 0) { + debugs(83, 8, "TLS FD " << fd << " session=" << (void*)session << " " << i << " bytes"); + (void)VALGRIND_MAKE_MEM_DEFINED(buf, i); + } + +#if USE_OPENSSL + if (i > 0 && SSL_pending(session) > 0) { +#elif USE_GNUTLS + if (i > 0 && gnutls_record_check_pending(session) > 0) { +#endif + debugs(83, 2, "TLS FD " << fd << " is pending"); + fd_table[fd].flags.read_pending = true; + } else + fd_table[fd].flags.read_pending = false; + + return i; +} + +static int +tls_write_method(int fd, const char *buf, int len) +{ + auto session = fd_table[fd].ssl.get(); + debugs(83, 3, "started for session=" << (void*)session); + +#if USE_OPENSSL + if (!SSL_is_init_finished(session)) { + errno = ENOTCONN; + return -1; + } +#endif + +#if USE_OPENSSL + int i = SSL_write(session, buf, len); +#elif USE_GNUTLS + int i = gnutls_record_send(session, buf, len); +#endif + + if (i > 0) { + debugs(83, 8, "TLS FD " << fd << " session=" << (void*)session << " " << i << " bytes"); + } + return i; +} +#endif + +#if USE_OPENSSL +Security::SessionPointer +Security::NewSessionObject(const Security::ContextPointer &ctx) +{ + Security::SessionPointer session(SSL_new(ctx.get()), [](SSL *p) { + debugs(83, 5, 
"SSL_free session=" << (void*)p); + SSL_free(p); + }); + debugs(83, 5, "SSL_new session=" << (void*)session.get()); + return session; +} +#endif + +static bool +CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &conn, Security::Io::Type type, const char *squidCtx) +{ + if (!Comm::IsConnOpen(conn)) { + debugs(83, DBG_IMPORTANT, "Gone connection"); + return false; + } + +#if USE_OPENSSL || USE_GNUTLS + + const char *errAction = "with no TLS/SSL library"; + int errCode = 0; +#if USE_OPENSSL + Security::SessionPointer session(Security::NewSessionObject(ctx)); + if (!session) { + errCode = ERR_get_error(); + errAction = "failed to allocate handle"; + } +#elif USE_GNUTLS + gnutls_session_t tmp; + errCode = gnutls_init(&tmp, static_cast(type) | GNUTLS_NONBLOCK); + Security::SessionPointer session(tmp, [](gnutls_session_t p) { + debugs(83, 5, "gnutls_deinit session=" << (void*)p); + gnutls_deinit(p); + }); + debugs(83, 5, "gnutls_init " << (type == Security::Io::BIO_TO_SERVER ? "client" : "server" )<< " session=" << (void*)session.get()); + if (errCode != GNUTLS_E_SUCCESS) { + session.reset(); + errAction = "failed to initialize session"; + } +#endif + + if (session) { + const int fd = conn->fd; + +#if USE_OPENSSL + // without BIO, we would call SSL_set_fd(ssl.get(), fd) instead + if (BIO *bio = Ssl::Bio::Create(fd, type)) { + Ssl::Bio::Link(session.get(), bio); // cannot fail +#elif USE_GNUTLS + errCode = gnutls_credentials_set(session.get(), GNUTLS_CRD_CERTIFICATE, ctx.get()); + if (errCode == GNUTLS_E_SUCCESS) { + + if (auto *peer = conn->getPeer()) + peer->secure.updateSessionOptions(session); + else + Security::ProxyOutgoingConfig.updateSessionOptions(session); + + // NP: GnuTLS does not yet support the BIO operations + // this does the equivalent of SSL_set_fd() for now. 
+ gnutls_transport_set_int(session.get(), fd); + gnutls_handshake_set_timeout(session.get(), GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); +#endif + + debugs(83, 5, "link FD " << fd << " to TLS session=" << (void*)session.get()); + fd_table[fd].ssl = session; + fd_table[fd].read_method = &tls_read_method; + fd_table[fd].write_method = &tls_write_method; + fd_note(fd, squidCtx); + return true; + } + +#if USE_OPENSSL + errCode = ERR_get_error(); + errAction = "failed to initialize I/O"; +#elif USE_GNUTLS + errAction = "failed to assign credentials"; +#endif + } + + debugs(83, DBG_IMPORTANT, "ERROR: " << squidCtx << ' ' << errAction << + ": " << (errCode != 0 ? Security::ErrorString(errCode) : "")); +#endif + return false; +} + +bool +Security::CreateClientSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx) +{ + return CreateSession(ctx, c, Security::Io::BIO_TO_SERVER, squidCtx); +} + +bool +Security::CreateServerSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx) +{ + return CreateSession(ctx, c, Security::Io::BIO_TO_CLIENT, squidCtx); +} + +void +Security::SessionSendGoodbye(const Security::SessionPointer &s) +{ + debugs(83, 5, "session=" << (void*)s.get()); + if (s) { +#if USE_OPENSSL + SSL_shutdown(s.get()); +#elif USE_GNUTLS + gnutls_bye(s.get(), GNUTLS_SHUT_RDWR); +#endif + } +} + bool Security::SessionIsResumed(const Security::SessionPointer &s) { diff -u -r -N squid-4.0.18/src/security/Session.h squid-4.0.19/src/security/Session.h --- squid-4.0.18/src/security/Session.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/security/Session.h 2017-04-02 19:43:45.000000000 +1200 @@ -9,6 +9,8 @@ #ifndef SQUID_SRC_SECURITY_SESSION_H #define SQUID_SRC_SECURITY_SESSION_H +#include "base/HardFun.h" +#include "comm/forward.h" #include "security/LockingPointer.h" #include 
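Review bot: In the `USE_GNUTLS` branch of `CreateSession()` (Session.cc hunk `@@ -11,14 +11,196 @@`), `tmp` is declared uninitialised and wrapped in a `SessionPointer` with a `gnutls_deinit` deleter before `errCode` is checked, so on failure `session.reset()` runs `gnutls_deinit()` on whatever gnutls_init() left in `tmp`. Declare `gnutls_session_t tmp = nullptr;` and construct the owning pointer only inside `if (errCode == GNUTLS_E_SUCCESS)`, leaving `session` empty otherwise. It is also worth confirming that server-side sessions (`BIO_TO_CLIENT`) are meant to take their priorities from `Security::ProxyOutgoingConfig`, which is what the `getPeer()` fallback does for any connection without a peer.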
@@ -27,35 +29,36 @@ namespace Security { +/// Creates TLS Client connection structure (aka 'session' state) and initializes TLS/SSL I/O (Comm and BIO). +/// On errors, emits DBG_IMPORTANT with details and returns false. +bool CreateClientSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx); + +/// Creates TLS Server connection structure (aka 'session' state) and initializes TLS/SSL I/O (Comm and BIO). +/// On errors, emits DBG_IMPORTANT with details and returns false. +bool CreateServerSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx); + #if USE_OPENSSL -CtoCpp1(SSL_free, SSL *); -#if defined(CRYPTO_LOCK_SSL) // OpenSSL 1.0 -inline int SSL_up_ref(SSL *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_SSL); return 0;} -#endif -typedef Security::LockingPointer > SessionPointer; +typedef std::shared_ptr SessionPointer; typedef std::unique_ptr> SessionStatePointer; #elif USE_GNUTLS -// Locks can be implemented attaching locks counter to gnutls_session_t -// objects using the gnutls_session_set_ptr()/gnutls_session_get_ptr () -// library functions -CtoCpp1(gnutls_deinit, gnutls_session_t); -typedef Security::LockingPointer SessionPointer; +typedef std::shared_ptr SessionPointer; // wrapper function to get around gnutls_free being a typedef inline void squid_gnutls_free(void *d) {gnutls_free(d);} typedef std::unique_ptr> SessionStatePointer; #else -// use void* so we can check against NULL -CtoCpp1(xfree, void *); -typedef Security::LockingPointer SessionPointer; +typedef std::shared_ptr SessionPointer; typedef std::unique_ptr SessionStatePointer; #endif +/// send the shutdown/bye notice for an active TLS session. +void SessionSendGoodbye(const Security::SessionPointer &); + /// whether the session is a resumed one bool SessionIsResumed(const Security::SessionPointer &); 
@@ -74,6 +77,21 @@ /// Needs to be done before using the SessionPointer for a handshake. void SetSessionResumeData(const Security::SessionPointer &, const Security::SessionStatePointer &); +#if USE_OPENSSL +/// Helper function to retrieve a (non-locked) ContextPointer from a SessionPointer +inline Security::ContextPointer +GetFrom(Security::SessionPointer &s) +{ + auto *ctx = SSL_get_SSL_CTX(s.get()); + return Security::ContextPointer(ctx, [](SSL_CTX *) {/* nothing to unlock/free */}); +} + +/// \deprecated use the PeerOptions/ServerOptions API methods instead. +/// Wraps SessionPointer value creation to reduce risk of +/// a nasty hack in ssl/support.cc. +Security::SessionPointer NewSessionObject(const Security::ContextPointer &); +#endif + } // namespace Security #endif /* SQUID_SRC_SECURITY_SESSION_H */ diff -u -r -N squid-4.0.18/src/servers/FtpServer.cc squid-4.0.19/src/servers/FtpServer.cc --- squid-4.0.18/src/servers/FtpServer.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/servers/FtpServer.cc 2017-04-02 19:43:45.000000000 +1200 
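Review bot: `GetFrom()` returns a `ContextPointer` with a no-op deleter around the `SSL_CTX` the session refers to, so the result does not keep the context alive and dangles if it is stored beyond the lifetime of the session and of whoever owns that context. The doc comment says "non-locked" but not what a caller may safely do with the result; I would add `/// \warning The result does not own the context; do not store it beyond the lifetime of s.` to it. The parameter can also be `const Security::SessionPointer &s`, since the function only calls `s.get()`.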
@@ -1453,9 +1453,33 @@ Comm::ConnectionPointer conn = new Comm::Connection(); conn->flags |= COMM_DOBIND; - // Use local IP address of the control connection as the source address - // of the active data connection, or some clients will refuse to accept. - conn->setAddrs(clientConnection->local, cltAddr); + if (clientConnection->flags & COMM_INTERCEPTION) { + // In the case of NAT interception conn->local value is not set + // because the TCP stack will automatically pick correct source + // address for the data connection. We must only ensure that IP + // version matches client's address. + conn->local.setAnyAddr(); + + if (cltAddr.isIPv4()) + conn->local.setIPv4(); + + conn->remote = cltAddr; + } else { + // In the case of explicit-proxy the local IP of the control connection + // is the Squid IP the client is knowingly talking to. + // + // In the case of TPROXY the IP address of the control connection is + // server IP the client is connecting to, it can be spoofed by Squid. + // + // In both cases some clients may refuse to accept data connections if + // these control connectin local-IP's are not used. + conn->setAddrs(clientConnection->local, cltAddr); + + // Using non-local addresses in TPROXY mode requires appropriate socket option. + if (clientConnection->flags & COMM_TRANSPARENT) + conn->flags |= COMM_TRANSPARENT; + } + // RFC 959 requires active FTP connections to originate from port 20 // but that would preclude us from supporting concurrent transfers! (XXX?) conn->local.port(0); diff -u -r -N squid-4.0.18/src/servers/Makefile.in squid-4.0.19/src/servers/Makefile.in --- squid-4.0.18/src/servers/Makefile.in 2017-02-06 10:18:12.000000000 +1300 +++ squid-4.0.19/src/servers/Makefile.in 2017-04-02 19:46:20.000000000 +1200 
@@ -543,7 +543,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/snmp/Makefile.in squid-4.0.19/src/snmp/Makefile.in --- squid-4.0.18/src/snmp/Makefile.in 2017-02-06 10:18:13.000000000 +1300 +++ squid-4.0.19/src/snmp/Makefile.in 2017-04-02 19:46:20.000000000 +1200 @@ -544,7 +544,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/SquidString.h squid-4.0.19/src/SquidString.h --- squid-4.0.18/src/SquidString.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/SquidString.h 2017-04-02 19:43:45.000000000 +1200 @@ -42,6 +42,11 @@ */ _SQUID_INLINE_ char operator [](unsigned int pos) const; + /// The absolute size limit on data held in a String. + /// Since Strings can be nil-terminated implicitly it is best to ensure + /// the useful content length is strictly less than this limit. + static const size_type SizeMaxXXX() { return SizeMax_; } + _SQUID_INLINE_ size_type size() const; /// variant of size() suited to be used for printf-alikes. /// throws when size() > MAXINT diff -u -r -N squid-4.0.18/src/ssl/bio.cc squid-4.0.19/src/ssl/bio.cc --- squid-4.0.18/src/ssl/bio.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/ssl/bio.cc 2017-04-02 19:43:45.000000000 +1200 @@ -63,7 +63,7 @@ #endif BIO * -Ssl::Bio::Create(const int fd, Ssl::Bio::Type type) +Ssl::Bio::Create(const int fd, Security::Io::Type type) { #if (OPENSSL_VERSION_NUMBER < 0x10100000L) BIO_METHOD *useMethod = &SquidMethods; 
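Review bot: In the SquidString.h hunk, `static const size_type SizeMaxXXX() { return SizeMax_; }` returns by value, so the `const` on the return type has no effect and some compilers warn about an ignored qualifier; `static size_type SizeMaxXXX() { return SizeMax_; }` is equivalent. The `XXX` suffix suggests the accessor is meant to be temporary; if that is the intent, the doc comment should say so and name what is expected to replace it.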
@@ -620,7 +620,7 @@ assert(arg2); const int fd = *static_cast(arg2); Ssl::Bio *bio; - if (arg1 == Ssl::Bio::BIO_TO_SERVER) + if (arg1 == Security::Io::BIO_TO_SERVER) bio = new Ssl::ServerBio(fd); else bio = new Ssl::ClientBio(fd); diff -u -r -N squid-4.0.18/src/ssl/bio.h squid-4.0.19/src/ssl/bio.h --- squid-4.0.18/src/ssl/bio.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/ssl/bio.h 2017-04-02 19:43:45.000000000 +1200 @@ -9,6 +9,8 @@ #ifndef SQUID_SSL_BIO_H #define SQUID_SSL_BIO_H +#if USE_OPENSSL + #include "FadingCounter.h" #include "fd.h" #include "security/Handshake.h" @@ -28,11 +30,6 @@ class Bio { public: - enum Type { - BIO_TO_CLIENT = 6000, - BIO_TO_SERVER - }; - explicit Bio(const int anFd); virtual ~Bio(); @@ -54,7 +51,7 @@ /// Creates a low-level BIO table, creates a high-level Ssl::Bio object /// for a given socket, and then links the two together via BIO_C_SET_FD. - static BIO *Create(const int fd, Type type); + static BIO *Create(const int fd, Security::Io::Type type); /// Tells ssl connection to use BIO and monitor state via stateChanged() static void Link(SSL *ssl, BIO *bio); @@ -213,5 +210,6 @@ inline void BIO_set_init(BIO *table, int init) { table->init = init; } #endif +#endif /* USE_OPENSSL */ #endif /* SQUID_SSL_BIO_H */ diff -u -r -N squid-4.0.18/src/ssl/cert_validate_message.cc squid-4.0.19/src/ssl/cert_validate_message.cc --- squid-4.0.18/src/ssl/cert_validate_message.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/ssl/cert_validate_message.cc 2017-04-02 19:43:45.000000000 +1200 
@@ -21,16 +21,16 @@ { body.clear(); body += Ssl::CertValidationMsg::param_host + "=" + vcert.domainName; - STACK_OF(X509) *peerCerts = static_cast(SSL_get_ex_data(vcert.ssl, ssl_ex_index_ssl_cert_chain)); + STACK_OF(X509) *peerCerts = static_cast(SSL_get_ex_data(vcert.ssl.get(), ssl_ex_index_ssl_cert_chain)); - if (const char *sslVersion = SSL_get_version(vcert.ssl)) + if (const char *sslVersion = SSL_get_version(vcert.ssl.get())) body += "\n" + Ssl::CertValidationMsg::param_proto_version + "=" + sslVersion; - if (const char *cipherName = SSL_CIPHER_get_name(SSL_get_current_cipher(vcert.ssl))) + if (const char *cipherName = SSL_CIPHER_get_name(SSL_get_current_cipher(vcert.ssl.get()))) body += "\n" + Ssl::CertValidationMsg::param_cipher + "=" + cipherName; if (!peerCerts) - peerCerts = SSL_get_peer_cert_chain(vcert.ssl); + peerCerts = SSL_get_peer_cert_chain(vcert.ssl.get()); if (peerCerts) { Ssl::BIO_Pointer bio(BIO_new(BIO_s_mem())); diff -u -r -N squid-4.0.18/src/ssl/cert_validate_message.h squid-4.0.19/src/ssl/cert_validate_message.h --- squid-4.0.18/src/ssl/cert_validate_message.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/ssl/cert_validate_message.h 2017-04-02 19:43:45.000000000 +1200 @@ -26,10 +26,9 @@ class CertValidationRequest { public: - SSL *ssl; - Security::CertErrors *errors; ///< The list of errors detected + Security::SessionPointer ssl; + Security::CertErrors *errors = nullptr; ///< The list of errors detected std::string domainName; ///< The server name - CertValidationRequest() : ssl(NULL), errors(NULL) {} }; /** diff -u -r -N squid-4.0.18/src/ssl/helper.cc squid-4.0.19/src/ssl/helper.cc --- squid-4.0.18/src/ssl/helper.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/ssl/helper.cc 2017-04-02 19:43:45.000000000 +1200 
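Review bot: `vcert.ssl.get()` is passed to `SSL_get_ex_data()`, `SSL_get_version()` and `SSL_get_current_cipher()` with no check that the session pointer is set, and after this patch `CertValidationRequest::ssl` is a smart pointer that presumably default-constructs empty. OpenSSL accessors generally dereference their `SSL *` argument, so a request composed before `ssl` is assigned would crash here rather than fail cleanly. An explicit precondition at the top of the function, for example `assert(vcert.ssl);` before `body.clear();`, would make that visible. The function's signature is outside this hunk.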
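Review bot: In cert_validate_message.h the new `ssl` member is the only field of `CertValidationRequest` without a `///<` description, even though its ownership changed from a borrowed `SSL *` to a `Security::SessionPointer`. A comment such as `///< TLS session being validated; the request holds a reference for its lifetime` would record that, assuming SessionPointer is a reference-holding handle. `errors` stays a raw pointer, so its comment should also state who owns the list.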
@@ -236,7 +236,7 @@ crtdvdData->query = message.compose(); crtdvdData->query += '\n'; crtdvdData->callback = callback; - crtdvdData->ssl.resetAndLock(request.ssl); + crtdvdData->ssl = request.ssl; Ssl::CertValidationResponse::Pointer const*validationResponse; if (CertValidationHelper::HelperCache && diff -u -r -N squid-4.0.18/src/ssl/Makefile.in squid-4.0.19/src/ssl/Makefile.in --- squid-4.0.18/src/ssl/Makefile.in 2017-02-06 10:18:14.000000000 +1300 +++ squid-4.0.19/src/ssl/Makefile.in 2017-04-02 19:46:21.000000000 +1200 @@ -549,7 +549,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/ssl/support.cc squid-4.0.19/src/ssl/support.cc --- squid-4.0.18/src/ssl/support.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/ssl/support.cc 2017-04-02 19:43:45.000000000 +1200 @@ -23,6 +23,7 @@ #include "globals.h" #include "ipc/MemMap.h" #include "security/CertError.h" +#include "security/Session.h" #include "SquidConfig.h" #include "SquidTime.h" #include "ssl/bio.h" @@ -627,13 +628,11 @@ } bool -Ssl::InitClientContext(Security::ContextPointer &ctx, Security::PeerOptions &peer, long options, long fl) +Ssl::InitClientContext(Security::ContextPointer &ctx, Security::PeerOptions &peer, long fl) { if (!ctx) return false; - SSL_CTX_set_options(ctx.get(), options); - if (!peer.sslCipher.isEmpty()) { debugs(83, 5, "Using chiper suite " << peer.sslCipher << "."); 
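Review bot: With `SSL_CTX_set_options(ctx.get(), options)` removed, nothing in the visible part of `Ssl::InitClientContext()` applies the configured TLS options to the context, so protocol and workaround restrictions depend on every session created from it being configured separately. The stub changes elsewhere in this patch suggest this now happens per session through `Security::PeerOptions::updateSessionOptions()`, but that call is not visible here. A comment at the top of the function, e.g. `// TLS options are applied per session, not on the context; see Security::PeerOptions::updateSessionOptions()`, would keep a later caller from creating sessions that silently run with library defaults. The function body continues beyond the hunk.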
@@ -692,55 +691,6 @@ } /// \ingroup ServerProtocolSSLInternal -int -ssl_read_method(int fd, char *buf, int len) -{ - auto ssl = fd_table[fd].ssl.get(); - -#if DONT_DO_THIS - - if (!SSL_is_init_finished(ssl)) { - errno = ENOTCONN; - return -1; - } - -#endif - - int i = SSL_read(ssl, buf, len); - if (i > 0) { - (void)VALGRIND_MAKE_MEM_DEFINED(buf, i); - } - - if (i > 0 && SSL_pending(ssl) > 0) { - debugs(83, 2, "SSL FD " << fd << " is pending"); - fd_table[fd].flags.read_pending = true; - } else - fd_table[fd].flags.read_pending = false; - - return i; -} - -/// \ingroup ServerProtocolSSLInternal -int -ssl_write_method(int fd, const char *buf, int len) -{ - auto ssl = fd_table[fd].ssl.get(); - if (!SSL_is_init_finished(ssl)) { - errno = ENOTCONN; - return -1; - } - - int i = SSL_write(ssl, buf, len); - return i; -} - -void -ssl_shutdown_method(SSL *ssl) -{ - SSL_shutdown(ssl); -} - -/// \ingroup ServerProtocolSSLInternal static const char * ssl_get_attribute(X509_NAME * name, const char *attribute_name) { @@ -1046,7 +996,7 @@ assert(0); #else // Temporary ssl for getting X509 certificate from SSL_CTX. - Security::SessionPointer ssl(SSL_new(ctx.get())); + Security::SessionPointer ssl(Security::NewSessionObject(ctx)); X509 * cert = SSL_get_certificate(ssl.get()); #endif if (!cert) 
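Review bot: In the `@@ -1046,7 +996,7 @@` hunk the result of `Security::NewSessionObject(ctx)` goes straight into `SSL_get_certificate(ssl.get())` with no check that a session was actually created. If allocation fails, the call receives a null `SSL *`; the `if (!cert)` test that follows only covers a missing certificate. Guarding the lookup, for example `X509 *cert = ssl ? SSL_get_certificate(ssl.get()) : nullptr;`, lets the existing `!cert` branch handle both cases. The enclosing function starts and ends outside the hunk.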
@@ -1429,53 +1379,6 @@ return Ssl::generateSslCertificate(untrustedCert, untrustedPkey, certProperties); } -static bool -SslCreate(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &conn, Ssl::Bio::Type type, const char *squidCtx) -{ - if (!Comm::IsConnOpen(conn)) { - debugs(83, DBG_IMPORTANT, "Gone connection"); - return false; - } - - const char *errAction = NULL; - int errCode = 0; - if (auto ssl = SSL_new(ctx.get())) { - const int fd = conn->fd; - // without BIO, we would call SSL_set_fd(ssl, fd) instead - if (BIO *bio = Ssl::Bio::Create(fd, type)) { - Ssl::Bio::Link(ssl, bio); // cannot fail - - fd_table[fd].ssl.resetWithoutLocking(ssl); - fd_table[fd].read_method = &ssl_read_method; - fd_table[fd].write_method = &ssl_write_method; - fd_note(fd, squidCtx); - return true; - } - errCode = ERR_get_error(); - errAction = "failed to initialize I/O"; - SSL_free(ssl); - } else { - errCode = ERR_get_error(); - errAction = "failed to allocate handle"; - } - - debugs(83, DBG_IMPORTANT, "ERROR: " << squidCtx << ' ' << errAction << - ": " << Security::ErrorString(errCode)); - return false; -} - -bool -Ssl::CreateClient(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx) -{ - return SslCreate(ctx, c, Ssl::Bio::BIO_TO_SERVER, squidCtx); -} - -bool -Ssl::CreateServer(const Security::ContextPointer &ctx, const Comm::ConnectionPointer &c, const char *squidCtx) -{ - return SslCreate(ctx, c, Ssl::Bio::BIO_TO_CLIENT, squidCtx); -} - static int store_session_cb(SSL *ssl, SSL_SESSION *session) { diff -u -r -N squid-4.0.18/src/ssl/support.h squid-4.0.19/src/ssl/support.h --- squid-4.0.18/src/ssl/support.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/ssl/support.h 2017-04-02 19:43:45.000000000 +1200 
@@ -73,14 +73,6 @@ class CertValidationResponse; typedef RefCount CertValidationResponsePointer; -/// Creates SSL Client connection structure and initializes SSL I/O (Comm and BIO). -/// On errors, emits DBG_IMPORTANT with details and returns false. -bool CreateClient(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx); - -/// Creates SSL Server connection structure and initializes SSL I/O (Comm and BIO). -/// On errors, emits DBG_IMPORTANT with details and returns false. -bool CreateServer(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *squidCtx); - void SetSessionCallbacks(Security::ContextPointer &); extern Ipc::MemMap *SessionCache; extern const char *SessionCacheName; @@ -89,7 +81,7 @@ bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &); /// initialize a TLS client context with OpenSSL specific settings -bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, long options, long flags); +bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, long flags); #if defined(CRYPTO_LOCK_X509) // portability wrapper for OpenSSL 1.0 vs 1.1 @@ -100,15 +92,6 @@ } //namespace Ssl /// \ingroup ServerProtocolSSLAPI -int ssl_read_method(int, char *, int); - -/// \ingroup ServerProtocolSSLAPI -int ssl_write_method(int, const char *, int); - -/// \ingroup ServerProtocolSSLAPI -void ssl_shutdown_method(SSL *ssl); - -/// \ingroup ServerProtocolSSLAPI const char *sslGetUserEmail(SSL *ssl); /// \ingroup ServerProtocolSSLAPI diff -u -r -N squid-4.0.18/src/store/id_rewriters/file/Makefile.in squid-4.0.19/src/store/id_rewriters/file/Makefile.in --- squid-4.0.18/src/store/id_rewriters/file/Makefile.in 2017-02-06 10:18:15.000000000 +1300 +++ squid-4.0.19/src/store/id_rewriters/file/Makefile.in 2017-04-02 19:46:22.000000000 +1200 
@@ -482,7 +482,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/store/id_rewriters/file/storeid_file_rewrite.8 squid-4.0.19/src/store/id_rewriters/file/storeid_file_rewrite.8 --- squid-4.0.18/src/store/id_rewriters/file/storeid_file_rewrite.8 2017-02-06 13:42:49.000000000 +1300 +++ squid-4.0.19/src/store/id_rewriters/file/storeid_file_rewrite.8 2017-04-02 23:48:57.000000000 +1200 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "STOREID_FILE_REWRITE 8" -.TH STOREID_FILE_REWRITE 8 "2017-02-06" "perl v5.24.1" "User Contributed Perl Documentation" +.TH STOREID_FILE_REWRITE 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -158,7 +158,7 @@ Rewrite rules are matched in the same order as they appear in the rules file. So for best performance, sort it in order of frequency of occurrence. .PP -This program will automatically detect the existence of a concurrecy channel-ID and adjust appropriately. +This program will automatically detect the existence of a concurrency channel-ID and adjust appropriately. It may be used with any value 0 or above for the store_id_children concurrency= parameter. .SH "OPTIONS" .IX Header "OPTIONS" diff -u -r -N squid-4.0.18/src/store/id_rewriters/file/storeid_file_rewrite.pl.in squid-4.0.19/src/store/id_rewriters/file/storeid_file_rewrite.pl.in --- squid-4.0.18/src/store/id_rewriters/file/storeid_file_rewrite.pl.in 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/store/id_rewriters/file/storeid_file_rewrite.pl.in 2017-04-02 19:43:45.000000000 +1200 
@@ -29,7 +29,7 @@ Rewrite rules are matched in the same order as they appear in the rules file. So for best performance, sort it in order of frequency of occurrence. -This program will automatically detect the existence of a concurrecy channel-ID and adjust appropriately. +This program will automatically detect the existence of a concurrency channel-ID and adjust appropriately. It may be used with any value 0 or above for the store_id_children concurrency= parameter. =head1 OPTIONS diff -u -r -N squid-4.0.18/src/store/id_rewriters/Makefile.in squid-4.0.19/src/store/id_rewriters/Makefile.in --- squid-4.0.18/src/store/id_rewriters/Makefile.in 2017-02-06 10:18:15.000000000 +1300 +++ squid-4.0.19/src/store/id_rewriters/Makefile.in 2017-04-02 19:46:22.000000000 +1200 @@ -327,7 +327,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/store/Makefile.in squid-4.0.19/src/store/Makefile.in --- squid-4.0.18/src/store/Makefile.in 2017-02-06 10:18:14.000000000 +1300 +++ squid-4.0.19/src/store/Makefile.in 2017-04-02 19:46:22.000000000 +1200 @@ -584,7 +584,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/src/store.cc squid-4.0.19/src/store.cc --- squid-4.0.18/src/store.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/store.cc 2017-04-02 19:43:45.000000000 +1200 
@@ -196,24 +196,10 @@ * ->deferRead (fd, buf, len, callback, DelayAwareRead, this) */ - if (amountToRead == 0) { + if (amountToRead <= 0) { assert (mem_obj); - /* read ahead limit */ - /* Perhaps these two calls should both live in MemObject */ -#if USE_DELAY_POOLS - if (!mem_obj->readAheadPolicyCanRead()) { -#endif - mem_obj->delayRead(DeferredRead(DeferReader, this, CommRead(conn, buf, len, callback))); - return; -#if USE_DELAY_POOLS - } - - /* delay id limit */ - mem_obj->mostBytesAllowed().delayRead(DeferredRead(DeferReader, this, CommRead(conn, buf, len, callback))); + mem_obj->delayRead(DeferredRead(DeferReader, this, CommRead(conn, buf, len, callback))); return; - -#endif - } if (fd_table[conn->fd].closing()) { diff -u -r -N squid-4.0.18/src/store_client.cc squid-4.0.19/src/store_client.cc --- squid-4.0.18/src/store_client.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/store_client.cc 2017-04-02 19:43:45.000000000 +1200 @@ -41,7 +41,6 @@ static void storeClientCopy2(StoreEntry * e, store_client * sc); static EVH storeClientCopyEvent; static bool CheckQuickAbortIsReasonable(StoreEntry * entry); -static void CheckQuickAbort(StoreEntry * entry); CBDATA_CLASS_INIT(store_client); @@ -534,20 +533,15 @@ } int swap_hdr_sz = 0; - StoreMetaUnpacker aBuilder(buf, len, &swap_hdr_sz); - - if (!aBuilder.isBufferSane()) { - /* oops, bad disk file? */ - debugs(90, DBG_IMPORTANT, "WARNING: swapfile header inconsistent with available data"); - return false; - } - - tlv *tlv_list = aBuilder.createStoreMeta (); - - if (tlv_list == NULL) { - debugs(90, DBG_IMPORTANT, "WARNING: failed to unpack meta data"); + tlv *tlv_list = nullptr; + try { + StoreMetaUnpacker aBuilder(buf, len, &swap_hdr_sz); + tlv_list = aBuilder.createStoreMeta(); + } catch (const std::exception &e) { + debugs(90, DBG_IMPORTANT, "WARNING: failed to unpack metadata because " << e.what()); return false; } + assert(tlv_list); /* * Check the meta data and make sure we got the right object. 
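Review bot: The `amountToRead <= 0` branch in store.cc no longer says why the read is deferred, because the comments that explained it were removed together with the delay-pool code. Since the comparison was widened from `== 0` to `<= 0`, a short comment such as `// nothing may be read right now (zero or negative allowance); queue the read until MemObject kicks deferred reads` would record that negative amounts are expected here, assuming that is what a non-positive amount means. The enclosing function begins and ends outside the hunk.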
@@ -697,11 +691,11 @@ assert(e->locked()); // An entry locked by others may be unlocked (and destructed) by others, so - // we must lock again to safely dereference e after CheckQuickAbort(). + // we must lock again to safely dereference e after CheckQuickAbortIsReasonable(). e->lock("storeUnregister"); - if (mem->nclients == 0) - CheckQuickAbort(e); + if (CheckQuickAbortIsReasonable(e)) + e->abort(); else mem->kickReads(); @@ -760,9 +754,32 @@ static bool CheckQuickAbortIsReasonable(StoreEntry * entry) { + assert(entry); + debugs(90, 3, "entry=" << *entry); + + if (storePendingNClients(entry) > 0) { + debugs(90, 3, "quick-abort? NO storePendingNClients() > 0"); + return false; + } + + if (!shutting_down && Store::Root().transientReaders(*entry)) { + debugs(90, 3, "quick-abort? NO still have one or more transient readers"); + return false; + } + + if (entry->store_status != STORE_PENDING) { + debugs(90, 3, "quick-abort? NO store_status != STORE_PENDING"); + return false; + } + + if (EBIT_TEST(entry->flags, ENTRY_SPECIAL)) { + debugs(90, 3, "quick-abort? NO ENTRY_SPECIAL"); + return false; + } + MemObject * const mem = entry->mem_obj; assert(mem); - debugs(90, 3, "entry=" << entry << ", mem=" << mem); + debugs(90, 3, "mem=" << mem); if (mem->request && !mem->request->flags.cachable) { debugs(90, 3, "quick-abort? YES !mem->request->flags.cachable"); 
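Review bot: `CheckQuickAbortIsReasonable()` now carries the preconditions that used to live in `CheckQuickAbort()` (pending clients, transient readers, store status, ENTRY_SPECIAL), but the doc comment describing them is deleted with the old function later in this patch and nothing replaces it. I would add a comment above the definition along the lines of `/// Whether an entry that nobody is reading any more should be aborted instead of being fetched to completion.` The `storeUnregister` hunk just before it also changes behaviour: `mem->kickReads()` now runs whenever the abort is declined, not only when `mem->nclients` is non-zero, which deserves a line in the change description if intended. The function continues beyond the hunk.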
@@ -824,31 +841,6 @@ return true; } -/// Aborts a swapping-out entry if nobody needs it any more _and_ -/// continuing swap out is not reasonable per CheckQuickAbortIsReasonable(). -static void -CheckQuickAbort(StoreEntry * entry) -{ - assert (entry); - - if (storePendingNClients(entry) > 0) - return; - - if (!shutting_down && Store::Root().transientReaders(*entry)) - return; - - if (entry->store_status != STORE_PENDING) - return; - - if (EBIT_TEST(entry->flags, ENTRY_SPECIAL)) - return; - - if (!CheckQuickAbortIsReasonable(entry)) - return; - - entry->abort(); -} - void store_client::dumpStats(MemBuf * output, int clientNumber) const { diff -u -r -N squid-4.0.18/src/StoreFileSystem.h squid-4.0.19/src/StoreFileSystem.h --- squid-4.0.18/src/StoreFileSystem.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/StoreFileSystem.h 2017-04-02 19:43:45.000000000 +1200 @@ -48,7 +48,7 @@ \par * configure will take a list of storage types through the * --enable-store-io parameter. This parameter takes a list of - * space seperated storage types. For example, + * space separated storage types. For example, * --enable-store-io="ufs aufs" . * \par diff -u -r -N squid-4.0.18/src/StoreMetaUnpacker.cc squid-4.0.19/src/StoreMetaUnpacker.cc --- squid-4.0.18/src/StoreMetaUnpacker.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/StoreMetaUnpacker.cc 2017-04-02 19:43:45.000000000 +1200 @@ -9,6 +9,7 @@ /* DEBUG: section 20 Storage Manager Swapfile Unpacker */ #include "squid.h" +#include "base/TextException.h" #include "Debug.h" #include "defines.h" #include "StoreMeta.h" 
@@ -34,25 +35,21 @@ return true; } -bool -StoreMetaUnpacker::isBufferSane() +void +StoreMetaUnpacker::checkBuffer() { - if (buf[0] != (char) STORE_META_OK) - return false; - + assert(buf); // paranoid; already checked in the constructor + if (buf[0] != static_cast(STORE_META_OK)) + throw TexcHere("store entry metadata is corrupted"); /* * sanity check on 'buflen' value. It should be at least big * enough to hold one type and one length. */ getBufferLength(); - if (*hdr_len < MinimumBufferLength) - return false; - + throw TexcHere("store entry metadata is too small"); if (*hdr_len > buflen) - return false; - - return true; + throw TexcHere("store entry metadata is too big"); } void @@ -122,8 +119,7 @@ tail = &TLV; assert(hdr_len != NULL); - if (!isBufferSane()) - return NULL; + checkBuffer(); getBufferLength(); @@ -134,6 +130,10 @@ break; } + if (!TLV) + throw TexcHere("store entry metadata is empty"); + + assert(TLV); return TLV; } diff -u -r -N squid-4.0.18/src/StoreMetaUnpacker.h squid-4.0.19/src/StoreMetaUnpacker.h --- squid-4.0.18/src/StoreMetaUnpacker.h 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/StoreMetaUnpacker.h 2017-04-02 19:43:45.000000000 +1200 @@ -18,8 +18,9 @@ public: StoreMetaUnpacker (const char *buf, ssize_t bufferLength, int *hdrlen); StoreMeta *createStoreMeta(); - bool isBufferZero(); ///< all-zeros buffer, implies !isBufferSane - bool isBufferSane(); + bool isBufferZero(); ///< all-zeros buffer, checkBuffer() would throw + /// validates buffer sanity and throws if validation fails + void checkBuffer(); private: static int const MinimumBufferLength; diff -u -r -N squid-4.0.18/src/store_rebuild.cc squid-4.0.19/src/store_rebuild.cc --- squid-4.0.18/src/store_rebuild.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/store_rebuild.cc 2017-04-02 19:43:45.000000000 +1200 
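Review bot: `StoreMetaUnpacker::checkBuffer()` reads `buf[0]` and calls `getBufferLength()` before anything visible compares `buflen` with `MinimumBufferLength`; only the decoded `*hdr_len` is range-checked. If `getBufferLength()` reads the length field out of `buf`, as its use here suggests, a buffer shorter than the fixed prefix would be read past its end while parsing on-disk metadata. Unless the constructor already guarantees the minimum, add `if (buflen < MinimumBufferLength) throw TexcHere("store entry metadata is too small");` as the first check. The message for `*hdr_len > buflen` would also be more accurate if it said the header length exceeds the available data rather than "too big".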
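Review bot: In StoreMetaUnpacker.h, `createStoreMeta()` changed contract in this patch (it now throws on malformed or empty metadata) yet its declaration has no comment, while `checkBuffer()` gained one. Suggest `/// parses the buffer into a metadata list; throws on malformed or empty input and never returns nil` above the declaration. The callers in store_client.cc and store_rebuild.cc rely on exactly that guarantee for their `assert(tlv_list)`, so it should be written down where the next caller will see it.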
@@ -309,17 +309,14 @@ return false; } - if (!aBuilder.isBufferSane()) { - debugs(47, DBG_IMPORTANT, "WARNING: Ignoring malformed cache entry."); - return false; - } - - StoreMeta *tlv_list = aBuilder.createStoreMeta(); - if (!tlv_list) { - debugs(47, DBG_IMPORTANT, "WARNING: Ignoring cache entry with invalid " << - "meta data"); + StoreMeta *tlv_list = nullptr; + try { + tlv_list = aBuilder.createStoreMeta(); + } catch (const std::exception &e) { + debugs(47, DBG_IMPORTANT, "WARNING: Ignoring store entry because " << e.what()); return false; } + assert(tlv_list); // TODO: consume parsed metadata? diff -u -r -N squid-4.0.18/src/tests/stub_libsecurity.cc squid-4.0.19/src/tests/stub_libsecurity.cc --- squid-4.0.18/src/tests/stub_libsecurity.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/tests/stub_libsecurity.cc 2017-04-02 19:43:45.000000000 +1200 @@ -68,15 +68,21 @@ #include "security/PeerOptions.h" Security::PeerOptions Security::ProxyOutgoingConfig; +Security::PeerOptions::PeerOptions() { +#if USE_OPENSSL + parsedOptions = 0; +#endif + STUB_NOP +} void Security::PeerOptions::parse(char const*) STUB Security::ContextPointer Security::PeerOptions::createClientContext(bool) STUB_RETVAL(Security::ContextPointer()) void Security::PeerOptions::updateTlsVersionLimits() STUB Security::ContextPointer Security::PeerOptions::createBlankContext() const STUB_RETVAL(Security::ContextPointer()) void Security::PeerOptions::updateContextCa(Security::ContextPointer &) STUB void Security::PeerOptions::updateContextCrl(Security::ContextPointer &) STUB +void Security::PeerOptions::updateSessionOptions(Security::SessionPointer &) STUB void Security::PeerOptions::dumpCfg(Packable*, char const*) const STUB -long Security::PeerOptions::parseOptions() STUB_RETVAL(0) -long Security::PeerOptions::parseFlags() STUB_RETVAL(0) +void Security::PeerOptions::parseOptions() STUB void parse_securePeerOptions(Security::PeerOptions *) STUB #include "security/ServerOptions.h" 
@@ -89,8 +95,14 @@ #include "security/Session.h" namespace Security { +bool CreateClientSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *) STUB_RETVAL(false) +bool CreateServerSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, const char *) STUB_RETVAL(false) +void SessionSendGoodbye(const Security::SessionPointer &) STUB bool SessionIsResumed(const Security::SessionPointer &) STUB_RETVAL(false) void MaybeGetSessionResumeData(const Security::SessionPointer &, Security::SessionStatePointer &) STUB void SetSessionResumeData(const Security::SessionPointer &, const Security::SessionStatePointer &) STUB +#if USE_OPENSSL +Security::SessionPointer NewSessionObject(const Security::ContextPointer &) STUB_RETVAL(nullptr) +#endif } // namespace Security diff -u -r -N squid-4.0.18/src/tests/stub_libsslsquid.cc squid-4.0.19/src/tests/stub_libsslsquid.cc --- squid-4.0.18/src/tests/stub_libsslsquid.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/tests/stub_libsslsquid.cc 2017-04-02 19:43:45.000000000 +1200 
@@ -51,11 +51,8 @@ namespace Ssl { bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &) STUB_RETVAL(false) -bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, long, const char *) STUB_RETVAL(false) +bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, const char *) STUB_RETVAL(false) } // namespace Ssl -int ssl_read_method(int, char *, int) STUB_RETVAL(0) -int ssl_write_method(int, const char *, int) STUB_RETVAL(0) -void ssl_shutdown_method(SSL *ssl) STUB const char *sslGetUserEmail(SSL *ssl) STUB_RETVAL(NULL) const char *sslGetUserAttribute(SSL *ssl, const char *attribute_name) STUB_RETVAL(NULL) const char *sslGetCAAttribute(SSL *ssl, const char *attribute_name) STUB_RETVAL(NULL) diff -u -r -N squid-4.0.18/src/tests/stub_SBuf.cc squid-4.0.19/src/tests/stub_SBuf.cc --- squid-4.0.18/src/tests/stub_SBuf.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/tests/stub_SBuf.cc 2017-04-02 19:43:45.000000000 +1200 @@ -19,7 +19,6 @@ const SBuf::size_type SBuf::npos; const SBuf::size_type SBuf::maxSize; -SBufStats::SBufStats() {} std::ostream& SBufStats::dump(std::ostream &os) const STUB_RETVAL(os) SBufStats& SBufStats::operator +=(const SBufStats&) STUB_RETVAL(*this) diff -u -r -N squid-4.0.18/src/tests/testHttpRequest.cc squid-4.0.19/src/tests/testHttpRequest.cc --- squid-4.0.18/src/tests/testHttpRequest.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/tests/testHttpRequest.cc 2017-04-02 19:43:45.000000000 +1200 @@ -31,6 +31,7 @@ testHttpRequest::setUp() { Mem::Init(); + AnyP::UriScheme::Init(); httpHeaderInitModule(); } diff -u -r -N squid-4.0.18/src/tests/testURL.cc squid-4.0.19/src/tests/testURL.cc --- squid-4.0.18/src/tests/testURL.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/tests/testURL.cc 2017-04-02 19:43:45.000000000 +1200 
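Review bot: The stub in stub_libsslsquid.cc is declared as `InitClientContext(Security::ContextPointer &, Security::PeerOptions &, const char *)`, but ssl/support.h in this patch declares the third parameter as `long flags`. The edit removed the `long` and kept the stray `const char *`, so the stub defines an unrelated overload that would not satisfy a caller of the real signature at link time. It should read `bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, long) STUB_RETVAL(false)`.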
@@ -25,6 +25,7 @@ testURL::setUp() { Mem::Init(); + AnyP::UriScheme::Init(); } /* diff -u -r -N squid-4.0.18/src/ufsdump.cc squid-4.0.19/src/ufsdump.cc --- squid-4.0.18/src/ufsdump.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/ufsdump.cc 2017-04-02 19:43:45.000000000 +1200 @@ -162,8 +162,8 @@ for_each(*metadata, dumper); return 0; - } catch (std::runtime_error error) { - std::cout << "Failed : " << error.what() << std::endl; + } catch (const std::exception &e) { + std::cout << "Failed : " << e.what() << std::endl; if (fd >= 0) close(fd); diff -u -r -N squid-4.0.18/src/url.cc squid-4.0.19/src/url.cc --- squid-4.0.18/src/url.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/src/url.cc 2017-04-02 19:43:45.000000000 +1200 @@ -832,6 +832,8 @@ case AnyP::PROTO_HTTPS: #if USE_OPENSSL rc = 1; +#elif USE_GNUTLS + rc = 1; #else /* * Squid can't originate an SSL connection, so it should diff -u -r -N squid-4.0.18/test-suite/Makefile.in squid-4.0.19/test-suite/Makefile.in --- squid-4.0.18/test-suite/Makefile.in 2017-02-06 10:18:16.000000000 +1300 +++ squid-4.0.19/test-suite/Makefile.in 2017-04-02 19:46:23.000000000 +1200 @@ -626,7 +626,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/test-suite/squidconf/regressions-4.0.18 squid-4.0.19/test-suite/squidconf/regressions-4.0.18 --- squid-4.0.18/test-suite/squidconf/regressions-4.0.18 1970-01-01 12:00:00.000000000 +1200 +++ squid-4.0.19/test-suite/squidconf/regressions-4.0.18 2017-04-02 19:43:45.000000000 +1200 
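Review bot: In the url.cc hunk the added `#elif USE_GNUTLS` branch repeats `rc = 1;` from the OpenSSL branch; a single condition, `#if USE_OPENSSL || USE_GNUTLS`, states the intent once and keeps the two from drifting apart. The comment in the `#else` branch says Squid cannot originate an SSL connection, so it is worth confirming that a GnuTLS-only build really can originate HTTPS to servers before the check starts returning 1 there. The enclosing switch starts and ends outside the hunk.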
@@ -0,0 +1,16 @@ +# see Bug 4674 +delay_pools 5 + +delay_class 1 1 64000/64000 + +delay_class 2 2 +delay_parameters 2 64000/64000 32000/32000 + +delay_class 3 3 +delay_parameters 3 64000/64000 32000/32000 3000/3000 + +delay_class 4 4 +delay_parameters 4 64000/64000 32000/32000 3000/3000 512/512 + +delay_class 5 5 +delay_parameters 5 64000/64000 diff -u -r -N squid-4.0.18/test-suite/stub_SBuf.cc squid-4.0.19/test-suite/stub_SBuf.cc --- squid-4.0.18/test-suite/stub_SBuf.cc 2017-02-06 13:44:21.000000000 +1300 +++ squid-4.0.19/test-suite/stub_SBuf.cc 2017-04-02 23:50:42.000000000 +1200 @@ -19,7 +19,6 @@ const SBuf::size_type SBuf::npos; const SBuf::size_type SBuf::maxSize; -SBufStats::SBufStats() {} std::ostream& SBufStats::dump(std::ostream &os) const STUB_RETVAL(os) SBufStats& SBufStats::operator +=(const SBufStats&) STUB_RETVAL(*this) diff -u -r -N squid-4.0.18/tools/helper-mux/helper-mux.8 squid-4.0.19/tools/helper-mux/helper-mux.8 --- squid-4.0.18/tools/helper-mux/helper-mux.8 2017-02-06 13:44:26.000000000 +1300 +++ squid-4.0.19/tools/helper-mux/helper-mux.8 2017-04-02 23:50:48.000000000 +1200 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "HELPER-MUX 8" -.TH HELPER-MUX 8 "2017-02-06" "perl v5.24.1" "User Contributed Perl Documentation" +.TH HELPER-MUX 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.0.18/tools/helper-mux/Makefile.in squid-4.0.19/tools/helper-mux/Makefile.in --- squid-4.0.18/tools/helper-mux/Makefile.in 2017-02-06 10:18:17.000000000 +1300 +++ squid-4.0.19/tools/helper-mux/Makefile.in 2017-04-02 19:46:24.000000000 +1200 
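Review bot: Pool 1 in the new regressions-4.0.18 file is declared as `delay_class 1 1 64000/64000`, which puts a rate on the `delay_class` line and leaves pool 1 without a `delay_parameters` directive, unlike pools 2 to 5. If that is not deliberate, split it into `delay_class 1 1` and `delay_parameters 1 64000/64000`. If it is deliberate, a comment next to it saying which parser behaviour it exercises would help, since the header only references Bug 4674.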
@@ -482,7 +482,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/tools/Makefile.in squid-4.0.19/tools/Makefile.in --- squid-4.0.18/tools/Makefile.in 2017-02-06 10:18:17.000000000 +1300 +++ squid-4.0.19/tools/Makefile.in 2017-04-02 19:46:24.000000000 +1200 @@ -608,7 +608,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/tools/purge/Makefile.in squid-4.0.19/tools/purge/Makefile.in --- squid-4.0.18/tools/purge/Makefile.in 2017-02-06 10:18:18.000000000 +1300 +++ squid-4.0.19/tools/purge/Makefile.in 2017-04-02 19:46:24.000000000 +1200 @@ -552,7 +552,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/tools/squidclient/Makefile.in squid-4.0.19/tools/squidclient/Makefile.in --- squid-4.0.18/tools/squidclient/Makefile.in 2017-02-06 10:18:19.000000000 +1300 +++ squid-4.0.19/tools/squidclient/Makefile.in 2017-04-02 19:46:25.000000000 +1200 @@ -601,7 +601,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/tools/squidclient/squidclient.cc squid-4.0.19/tools/squidclient/squidclient.cc --- squid-4.0.18/tools/squidclient/squidclient.cc 2017-02-06 10:15:41.000000000 +1300 +++ squid-4.0.19/tools/squidclient/squidclient.cc 2017-04-02 19:43:45.000000000 +1200 
@@ -569,16 +569,19 @@ if (put_file) { debugVerbose(1, "Sending HTTP request payload ..."); int x; - lseek(put_fd, 0, SEEK_SET); - while ((x = read(put_fd, buf, sizeof(buf))) > 0) { + if ((x = lseek(put_fd, 0, SEEK_SET)) < 0) { + int xerrno = errno; + std::cerr << "ERROR: lseek: " << xstrerr(xerrno) << std::endl; - x = Transport::Write(buf, x); + } else while ((x = read(put_fd, buf, sizeof(buf))) > 0) { - total_bytes += x; + x = Transport::Write(buf, x); - if (x <= 0) - break; - } + total_bytes += x; + + if (x <= 0) + break; + } if (x != 0) std::cerr << "ERROR: Cannot send file." << std::endl; diff -u -r -N squid-4.0.18/tools/systemd/Makefile.in squid-4.0.19/tools/systemd/Makefile.in --- squid-4.0.18/tools/systemd/Makefile.in 2017-02-06 10:18:19.000000000 +1300 +++ squid-4.0.19/tools/systemd/Makefile.in 2017-04-02 19:46:25.000000000 +1200 @@ -268,7 +268,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@ diff -u -r -N squid-4.0.18/tools/sysvinit/Makefile.in squid-4.0.19/tools/sysvinit/Makefile.in --- squid-4.0.18/tools/sysvinit/Makefile.in 2017-02-06 10:18:19.000000000 +1300 +++ squid-4.0.19/tools/sysvinit/Makefile.in 2017-04-02 19:46:25.000000000 +1200 @@ -268,7 +268,6 @@ LIBS = @LIBS@ LIBSASL = @LIBSASL@ LIBTOOL = @LIBTOOL@ -LIB_DB = @LIB_DB@ LIB_KRB5_CFLAGS = @LIB_KRB5_CFLAGS@ LIB_KRB5_LIBS = @LIB_KRB5_LIBS@ LINUXDOC = @LINUXDOC@
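Review bot: Inside the send loop in squidclient.cc, `total_bytes += x;` runs before the `if (x <= 0) break;` test, so a failed `Transport::Write()` that returns a negative value is subtracted from the byte count before the loop exits. Putting the check first, `if (x <= 0) break;` followed by `total_bytes += x;`, keeps the counter accurate. The loop also assumes `Transport::Write()` sends the whole chunk; if it can return a short count, the unsent tail of `buf` is silently dropped, which is worth confirming. The `} else while (...)` construct is legal but easy to misread next to the existing indentation. The enclosing block starts outside the hunk.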