diff -u -r -N squid-3.5.22/cfgaux/config.guess squid-3.5.23/cfgaux/config.guess --- squid-3.5.22/cfgaux/config.guess 2016-10-10 09:01:53.000000000 +1300 +++ squid-3.5.23/cfgaux/config.guess 2016-12-16 22:28:02.000000000 +1300 @@ -2,7 +2,7 @@ # Attempt to guess a canonical system name. # Copyright 1992-2016 Free Software Foundation, Inc. -timestamp='2016-04-02' +timestamp='2016-10-02' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -186,9 +186,12 @@ *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched - # to ELF recently, or will in the future. + # to ELF recently (or will in the future) and ABI. case "${UNAME_MACHINE_ARCH}" in - arm*|earm*|i386|m68k|ns32k|sh3*|sparc|vax) + earm*) + os=netbsdelf + ;; + arm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ @@ -997,6 +1000,9 @@ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } ;; + mips64el:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; openrisc*:Linux:*:*) echo or1k-unknown-linux-${LIBC} exit ;; @@ -1029,6 +1035,9 @@ ppcle:Linux:*:*) echo powerpcle-unknown-linux-${LIBC} exit ;; + riscv32:Linux:*:* | riscv64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux-${LIBC} exit ;; 
@@ -1408,18 +1417,17 @@ cat >&2 < in order to provide the needed -information to handle your system. +If $0 has already been updated, send the following data and any +information you think might be pertinent to config-patches@gnu.org to +provide the necessary information to handle your system. config.guess timestamp = $timestamp diff -u -r -N squid-3.5.22/cfgaux/config.sub squid-3.5.23/cfgaux/config.sub --- squid-3.5.22/cfgaux/config.sub 2016-10-10 09:01:53.000000000 +1300 +++ squid-3.5.23/cfgaux/config.sub 2016-12-16 22:28:02.000000000 +1300 @@ -2,7 +2,7 @@ # Configuration validation subroutine script. # Copyright 1992-2016 Free Software Foundation, Inc. -timestamp='2016-03-30' +timestamp='2016-11-04' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -117,7 +117,7 @@ nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \ - kopensolaris*-gnu* | \ + kopensolaris*-gnu* | cloudabi*-eabi* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` @@ -301,6 +301,7 @@ | open8 | or1k | or1knd | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ + | pru \ | pyramid \ | riscv32 | riscv64 \ | rl78 | rx \ @@ -428,6 +429,7 @@ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ + | pru-* \ | pyramid-* \ | riscv32-* | riscv64-* \ | rl78-* | romp-* | rs6000-* | rx-* \ @@ -643,6 +645,14 @@ basic_machine=m68k-bull os=-sysv3 ;; + e500v[12]) + basic_machine=powerpc-unknown + os=$os"spe" + ;; + e500v[12]-*) + basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + os=$os"spe" + ;; ebmon29k) basic_machine=a29k-amd os=-ebmon 
@@ -1022,7 +1032,7 @@ ppc-* | ppcbe-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; - ppcle | powerpclittle | ppc-le | powerpc-little) + ppcle | powerpclittle) basic_machine=powerpcle-unknown ;; ppcle-* | powerpclittle-*) @@ -1032,7 +1042,7 @@ ;; ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; - ppc64le | powerpc64little | ppc64-le | powerpc64-little) + ppc64le | powerpc64little) basic_machine=powerpc64le-unknown ;; ppc64le-* | powerpc64little-*) @@ -1389,7 +1399,7 @@ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* | -cegcc* \ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ + | -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ | -linux-newlib* | -linux-musl* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ @@ -1399,7 +1409,7 @@ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \ - | -onefs* | -tirtos*) + | -onefs* | -tirtos* | -phoenix* | -fuchsia*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) diff -u -r -N squid-3.5.22/ChangeLog squid-3.5.23/ChangeLog --- squid-3.5.22/ChangeLog 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/ChangeLog 2016-12-16 22:25:05.000000000 +1300 
@@ -1,3 +1,26 @@ +Changes to squid-3.5.23 (16 Dec 2016): + + - Bug 4627: fix generate-host-certificates and dynamic_cert_mem_cache_size docs + - Bug 4620: NetBSD build error with --enable-ipf-transparent + - Bug 4567: Strange IPv6 shown in access.log + - Bug 4406: SIGSEV in TunnelStateData::handleConnectResponse() during reconfigure and restart + - Bug 4174 partial: fix Write.cc:41 "!ccb->active()" assertion. + - Bug 4169: HIT marked as MISS when If-None-Match does not match + - Bug 4007: Hang on DNS query with dead-end CNAME + - Bug 4004 partial: Fix segfault via Ftp::Client::readControlReply + - Bug 3940 partial: hostHeaderVerify failures MISS when they should be HIT + - Bug 3533: Cache still valid after HTTP/1.1 303 See Other + - Bug 3379: Combination of If-Match and a Cache Hit result in TCP Connection Failure + - Bug 3290: authenticate_ttl not working for digest authentication + - Bug 2258: bypassing cache but not destroying cache entry + - HTTP/1.1: make Vary:* objects cacheable + - HTTP/1.1: Add registered codes entry for new 103 (Early Hints) status code + - Support IPv6 NAT with PF for NetBSD and FreeBSD + - TLS: Make key= before cert= an error instead of quietly hiding the issue + - ... and some debug updates + - ... and some build fixes + - ... and several documentation updates + Changes to squid-3.5.22 (09 Oct 2016): - Bug 4594: build failure with clang 3.9 diff -u -r -N squid-3.5.22/configure squid-3.5.23/configure --- squid-3.5.22/configure 2016-10-10 09:04:24.000000000 +1300 +++ squid-3.5.23/configure 2016-12-16 22:29:49.000000000 +1300 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.5.22. +# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.5.23. # # Report bugs to . # 
@@ -595,8 +595,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='3.5.22' -PACKAGE_STRING='Squid Web Proxy 3.5.22' +PACKAGE_VERSION='3.5.23' +PACKAGE_STRING='Squid Web Proxy 3.5.23' PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' PACKAGE_URL='' @@ -1636,7 +1636,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 3.5.22 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 3.5.23 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1707,7 +1707,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 3.5.22:";; + short | recursive ) echo "Configuration of Squid Web Proxy 3.5.23:";; esac cat <<\_ACEOF @@ -2119,7 +2119,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 3.5.22 +Squid Web Proxy configure 3.5.23 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3223,7 +3223,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 3.5.22, which was +It was created by Squid Web Proxy $as_me 3.5.23, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4090,7 +4090,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='3.5.22' + VERSION='3.5.23' cat >>confdefs.h <<_ACEOF 
@@ -41876,7 +41876,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 3.5.22, which was +This file was extended by Squid Web Proxy $as_me 3.5.23, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -41942,7 +41942,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Squid Web Proxy config.status 3.5.22 +Squid Web Proxy config.status 3.5.23 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -u -r -N squid-3.5.22/configure.ac squid-3.5.23/configure.ac --- squid-3.5.22/configure.ac 2016-10-10 09:04:22.000000000 +1300 +++ squid-3.5.23/configure.ac 2016-12-16 22:29:49.000000000 +1300 @@ -5,7 +5,7 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -AC_INIT([Squid Web Proxy],[3.5.22],[http://bugs.squid-cache.org/],[squid]) +AC_INIT([Squid Web Proxy],[3.5.23],[http://bugs.squid-cache.org/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) diff -u -r -N squid-3.5.22/contrib/url-normalizer.pl squid-3.5.23/contrib/url-normalizer.pl --- squid-3.5.22/contrib/url-normalizer.pl 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/contrib/url-normalizer.pl 2016-12-16 22:25:05.000000000 +1300 @@ -1,4 +1,11 @@ #!/usr/local/bin/perl -Tw +# +# * Copyright (C) 1996-2016 The Squid Software Foundation and contributors +# * +# * Squid software is distributed under GPLv2+ license and includes +# * contributions from numerous individuals and organizations. +# * Please see the COPYING and CONTRIBUTORS files for details. +# # 
From: Markus Gyger # diff -u -r -N squid-3.5.22/contrib/user-agents.pl squid-3.5.23/contrib/user-agents.pl --- squid-3.5.22/contrib/user-agents.pl 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/contrib/user-agents.pl 2016-12-16 22:25:05.000000000 +1300 @@ -1,5 +1,13 @@ #!/usr/bin/perl # +# * Copyright (C) 1996-2016 The Squid Software Foundation and contributors +# * +# * Squid software is distributed under GPLv2+ license and includes +# * contributions from numerous individuals and organizations. +# * Please see the COPYING and CONTRIBUTORS files for details. +# + +# # John@MCC.ac.uk # John@Pharmweb.NET diff -u -r -N squid-3.5.22/CONTRIBUTORS squid-3.5.23/CONTRIBUTORS --- squid-3.5.22/CONTRIBUTORS 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/CONTRIBUTORS 2016-12-16 22:25:05.000000000 +1300 @@ -211,6 +211,8 @@ Joe Ramey Joerg Lehrke Johnathan Conley + John@MCC.ac.uk + John@Pharmweb.NET John Dilley John M Cooper John Saunders diff -u -r -N squid-3.5.22/doc/release-notes/release-3.5.html squid-3.5.23/doc/release-notes/release-3.5.html --- squid-3.5.22/doc/release-notes/release-3.5.html 2016-10-10 12:34:07.000000000 +1300 +++ squid-3.5.23/doc/release-notes/release-3.5.html 2016-12-17 06:31:15.000000000 +1300 @@ -2,10 +2,10 @@ - Squid 3.5.22 release notes + Squid 3.5.23 release notes -

Squid 3.5.22 release notes

+

Squid 3.5.23 release notes

Squid Developers


@@ -64,7 +64,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.5.22.

+

The Squid Team are pleased to announce the release of Squid-3.5.23.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.5/ or the mirrors.

@@ -715,6 +715,9 @@

Deprecated. ICAP client is now auto-enabled. Use --disable-icap-client to disable if you need to.

+
--with-nat-devpf
+

IPv6 NAT interception support added for BSD built with this option.

+

4.3 Removed options diff -u -r -N squid-3.5.22/helpers/basic_auth/DB/basic_db_auth.8 squid-3.5.23/helpers/basic_auth/DB/basic_db_auth.8 --- squid-3.5.22/helpers/basic_auth/DB/basic_db_auth.8 2016-10-10 12:34:14.000000000 +1300 +++ squid-3.5.23/helpers/basic_auth/DB/basic_db_auth.8 2016-12-17 06:31:25.000000000 +1300 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 8" -.TH BASIC_DB_AUTH 8 "2016-10-09" "perl v5.24.1" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 8 "2016-12-16" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.22/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 squid-3.5.23/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 --- squid-3.5.22/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 2016-10-10 12:34:22.000000000 +1300 +++ squid-3.5.23/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 2016-12-17 06:31:39.000000000 +1300 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_MSNT_MULTI_DOMAIN_AUTH 1" -.TH BASIC_MSNT_MULTI_DOMAIN_AUTH 1 "2016-10-09" "perl v5.24.1" "User Contributed Perl Documentation" +.TH BASIC_MSNT_MULTI_DOMAIN_AUTH 1 "2016-12-16" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.22/helpers/basic_auth/POP3/basic_pop3_auth.8 squid-3.5.23/helpers/basic_auth/POP3/basic_pop3_auth.8 --- squid-3.5.22/helpers/basic_auth/POP3/basic_pop3_auth.8 2016-10-10 12:34:31.000000000 +1300 +++ squid-3.5.23/helpers/basic_auth/POP3/basic_pop3_auth.8 2016-12-17 06:31:52.000000000 +1300 
@@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_POP3_AUTH 8" -.TH BASIC_POP3_AUTH 8 "2016-10-09" "perl v5.24.1" "User Contributed Perl Documentation" +.TH BASIC_POP3_AUTH 8 "2016-12-16" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.22/helpers/external_acl/delayer/ext_delayer_acl.8 squid-3.5.23/helpers/external_acl/delayer/ext_delayer_acl.8 --- squid-3.5.22/helpers/external_acl/delayer/ext_delayer_acl.8 2016-10-10 12:34:52.000000000 +1300 +++ squid-3.5.23/helpers/external_acl/delayer/ext_delayer_acl.8 2016-12-17 06:32:27.000000000 +1300 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "EXT_DELAYER_ACL 8" -.TH EXT_DELAYER_ACL 8 "2016-10-09" "perl v5.24.1" "User Contributed Perl Documentation" +.TH EXT_DELAYER_ACL 8 "2016-12-16" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.22/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-3.5.23/helpers/external_acl/SQL_session/ext_sql_session_acl.8 --- squid-3.5.22/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2016-10-10 12:35:06.000000000 +1300 +++ squid-3.5.23/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2016-12-17 06:32:48.000000000 +1300 
@@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "EXT_SQL_SESSION_ACL 8" -.TH EXT_SQL_SESSION_ACL 8 "2016-10-09" "perl v5.24.1" "User Contributed Perl Documentation" +.TH EXT_SQL_SESSION_ACL 8 "2016-12-16" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.22/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.5.23/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-3.5.22/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2016-10-10 12:35:12.000000000 +1300 +++ squid-3.5.23/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2016-12-17 06:32:57.000000000 +1300 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL 8" -.TH EXT_WBINFO_GROUP_ACL 8 "2016-10-09" "perl v5.24.1" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL 8 "2016-12-16" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.22/helpers/log_daemon/DB/log_db_daemon.8 squid-3.5.23/helpers/log_daemon/DB/log_db_daemon.8 --- squid-3.5.22/helpers/log_daemon/DB/log_db_daemon.8 2016-10-10 12:35:15.000000000 +1300 +++ squid-3.5.23/helpers/log_daemon/DB/log_db_daemon.8 2016-12-17 06:33:03.000000000 +1300 
@@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "LOG_DB_DAEMON 8" -.TH LOG_DB_DAEMON 8 "2016-10-09" "perl v5.24.1" "User Contributed Perl Documentation" +.TH LOG_DB_DAEMON 8 "2016-12-16" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.22/helpers/storeid_rewrite/file/storeid_file_rewrite.8 squid-3.5.23/helpers/storeid_rewrite/file/storeid_file_rewrite.8 --- squid-3.5.22/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2016-10-10 12:35:38.000000000 +1300 +++ squid-3.5.23/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2016-12-17 06:33:38.000000000 +1300 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "STOREID_FILE_REWRITE 8" -.TH STOREID_FILE_REWRITE 8 "2016-10-09" "perl v5.24.1" "User Contributed Perl Documentation" +.TH STOREID_FILE_REWRITE 8 "2016-12-16" "perl v5.24.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.22/include/version.h squid-3.5.23/include/version.h --- squid-3.5.22/include/version.h 2016-10-10 09:04:24.000000000 +1300 +++ squid-3.5.23/include/version.h 2016-12-16 22:29:49.000000000 +1300 @@ -7,7 +7,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1476043069 +#define SQUID_RELEASE_TIME 1481880292 #endif /* diff -u -r -N squid-3.5.22/RELEASENOTES.html squid-3.5.23/RELEASENOTES.html --- squid-3.5.22/RELEASENOTES.html 2016-10-10 12:34:07.000000000 +1300 +++ squid-3.5.23/RELEASENOTES.html 2016-12-17 06:31:15.000000000 +1300 @@ -2,10 +2,10 @@ - Squid 3.5.22 release notes + Squid 3.5.23 release notes -

Squid 3.5.22 release notes

+

Squid 3.5.23 release notes

Squid Developers


@@ -64,7 +64,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.5.22.

+

The Squid Team are pleased to announce the release of Squid-3.5.23.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.5/ or the mirrors.

@@ -715,6 +715,9 @@

Deprecated. ICAP client is now auto-enabled. Use --disable-icap-client to disable if you need to.

+
--with-nat-devpf
+

IPv6 NAT interception support added for BSD built with this option.

+

4.3 Removed options diff -u -r -N squid-3.5.22/src/AccessLogEntry.cc squid-3.5.23/src/AccessLogEntry.cc --- squid-3.5.22/src/AccessLogEntry.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/AccessLogEntry.cc 2016-12-16 22:25:05.000000000 +1300 @@ -32,12 +32,15 @@ #endif if (tcpClient != NULL) log_ip = tcpClient->remote; - else if (cache.caddr.isNoAddr()) { // e.g., ICAP OPTIONS lack client - strncpy(buf, "-", bufsz); - return; - } else + else log_ip = cache.caddr; + // internally generated requests (and some ICAP) lack client IP + if (log_ip.isNoAddr()) { + strncpy(buf, "-", bufsz); + return; + } + // Apply so-called 'privacy masking' to IPv4 clients // - localhost IP is always shown in full // - IPv4 clients masked with client_netmask diff -u -r -N squid-3.5.22/src/acl/Checklist.cc squid-3.5.23/src/acl/Checklist.cc --- squid-3.5.22/src/acl/Checklist.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/acl/Checklist.cc 2016-12-16 22:25:05.000000000 +1300 @@ -397,7 +397,7 @@ ACLChecklist::bannedAction(const allow_t &action) const { const bool found = std::find(bannedActions_.begin(), bannedActions_.end(), action) != bannedActions_.end(); - debugs(28, 5, "Action '" << action << "/" << action.kind << (found ? " is " : "is not") << " banned"); + debugs(28, 5, "Action '" << action << "/" << action.kind << (found ? "' is " : "' is not") << " banned"); return found; } diff -u -r -N squid-3.5.22/src/acl/ServerName.cc squid-3.5.23/src/acl/ServerName.cc --- squid-3.5.22/src/acl/ServerName.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/acl/ServerName.cc 2016-12-16 22:25:05.000000000 +1300 
@@ -90,27 +90,28 @@ { assert(checklist != NULL && checklist->request != NULL); - if (checklist->conn() && checklist->conn()->serverBump()) { - if (X509 *peer_cert = checklist->conn()->serverBump()->serverCert.get()) { - if (Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain)) - return 1; + const char *serverName = NULL; + SBuf serverNameKeeper; // because c_str() is not constant + if (ConnStateData *conn = checklist->conn()) { + if (conn->serverBump()) { + if (X509 *peer_cert = conn->serverBump()->serverCert.get()) + return Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain); } - } - const char *serverName = NULL; - if (checklist->conn() && !checklist->conn()->sslCommonName().isEmpty()) { - SBuf scn = checklist->conn()->sslCommonName(); - serverName = scn.c_str(); + if (conn->sslCommonName().isEmpty()) { + const char *host = checklist->request->GetHost(); + if (host && *host) // paranoid first condition: host() is never nil + serverName = host; + } else { + serverNameKeeper = conn->sslCommonName(); + serverName = serverNameKeeper.c_str(); + } } - if (serverName == NULL) - serverName = checklist->request->GetHost(); - - if (serverName && data->match(serverName)) { - return 1; - } + if (!serverName) + serverName = "none"; - return data->match("none"); + return data->match(serverName); } ACLServerNameStrategy * diff -u -r -N squid-3.5.22/src/adaptation/icap/ModXact.cc squid-3.5.23/src/adaptation/icap/ModXact.cc --- squid-3.5.22/src/adaptation/icap/ModXact.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/adaptation/icap/ModXact.cc 2016-12-16 22:25:05.000000000 +1300 
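Review bot: In src/acl/ServerName.cc the `checklist->request->GetHost()` fallback now sits inside `if (ConnStateData *conn = checklist->conn())`, so a check made without a client connection is matched only against "none", where the removed code still tried the request host. Likewise, once a bumped server certificate is present the result of `Ssl::matchX509CommonNames()` is returned directly, so a non-matching certificate no longer falls through to the "none" match. Both change which ssl::server_name rules fire, so if connection-less checks should still see the host, the fallback belongs after the block as `if (!serverName) { const char *host = checklist->request->GetHost(); if (host && *host) serverName = host; }`. If the new behaviour is intended, a comment above the block stating the order in which name sources are consulted would spare rule authors from guessing. The function signature lies outside the hunk.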
@@ -1303,7 +1303,8 @@ virgin_msg = virgin_request_; assert(virgin_msg != virgin.cause); al.http.clientRequestSz.header = virgin_msg->hdr_sz; - al.http.clientRequestSz.payloadData = virgin_msg->body_pipe->producedSize(); + if (virgin_msg->body_pipe != NULL) + al.http.clientRequestSz.payloadData = virgin_msg->body_pipe->producedSize(); // leave al.icap.bodyBytesRead negative if no body if (replyHttpHeaderSize >= 0 || replyHttpBodySize >= 0) { diff -u -r -N squid-3.5.22/src/auth/digest/Config.cc squid-3.5.23/src/auth/digest/Config.cc --- squid-3.5.22/src/auth/digest/Config.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/auth/digest/Config.cc 2016-12-16 22:25:05.000000000 +1300 @@ -204,7 +204,7 @@ if (!digest_nonce_cache) { digest_nonce_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string); assert(digest_nonce_cache); - eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast(Auth::Config::Find("digest"))->nonceGCInterval, 1); + eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast(Auth::Config::Find("digest"))->nonceGCInterval, 1); } } @@ -268,7 +268,7 @@ debugs(29, 3, "Finished cleaning the nonce cache."); if (static_cast(Auth::Config::Find("digest"))->active()) - eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast(Auth::Config::Find("digest"))->nonceGCInterval, 1); + eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast(Auth::Config::Find("digest"))->nonceGCInterval, 1); } static void 
@@ -1058,6 +1058,10 @@ * the user agent won't change user name without warning. */ authDigestUserLinkNonce(digest_user, nonce); + + /* auth_user is now linked, we reset these values + * after external auth occurs anyway */ + auth_user->expiretime = current_time.tv_sec; } else { debugs(29, 9, "Found user '" << username << "' in the user cache as '" << auth_user << "'"); digest_user = static_cast(auth_user.getRaw()); diff -u -r -N squid-3.5.22/src/auth/digest/UserRequest.cc squid-3.5.23/src/auth/digest/UserRequest.cc --- squid-3.5.22/src/auth/digest/UserRequest.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/auth/digest/UserRequest.cc 2016-12-16 22:25:05.000000000 +1300 @@ -187,12 +187,7 @@ auth_user->credentials(Auth::Ok); /* password was checked and did match */ - debugs(29, 4, HERE << "user '" << auth_user->username() << "' validated OK"); - - /* auth_user is now linked, we reset these values - * after external auth occurs anyway */ - auth_user->expiretime = current_time.tv_sec; - return; + debugs(29, 4, "user '" << auth_user->username() << "' validated OK"); } Auth::Direction diff -u -r -N squid-3.5.22/src/cache_cf.cc squid-3.5.23/src/cache_cf.cc --- squid-3.5.22/src/cache_cf.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/cache_cf.cc 2016-12-16 22:25:05.000000000 +1300 @@ -2257,6 +2257,9 @@ safe_free(p->sslcert); p->sslcert = xstrdup(token + 8); } else if (strncmp(token, "sslkey=", 7) == 0) { + if (!p->sslcert) { + debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": sslcert= option must be set before sslkey= is used."); + } safe_free(p->sslkey); p->sslkey = xstrdup(token + 7); } else if (strncmp(token, "sslversion=", 11) == 0) { 
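Review bot: The comment carried into src/auth/digest/Config.cc alongside `auth_user->expiretime = current_time.tv_sec;` still says "we reset these values after external auth occurs anyway", which no longer describes the code: the UserRequest.cc hunk (@@ -187,12 +187,7) deletes the per-validation reset, so within this diff the timestamp is written only in the branch that links a nonce to a newly created user. Going by the ChangeLog entry for Bug 3290, the intent appears to be that authenticate_ttl counts from when the credentials were first cached instead of being refreshed by every successful request. I would replace the comment with `/* stamp once when the user entry is created so authenticate_ttl is not extended by each validated request */`. The enclosing function starts and ends outside the hunk.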
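Review bot: The new `if (!p->sslcert)` check in src/cache_cf.cc only writes a DBG_CRITICAL line and then falls through to `p->sslkey = xstrdup(token + 7);`, so within the hunk a misordered sslkey= is still accepted, while the ChangeLog describes the change as making the ordering "an error". The same pattern appears in the `key=` hunk at @@ -3729,6 +3732,9. If the parser is meant to refuse a configuration whose key may end up paired with the wrong certificate, the branch needs to abort parsing after the message; if a log line is all that is intended, a comment such as `// diagnostic only: parsing continues and the key is still stored` would stop readers from assuming the configuration is rejected. Both enclosing functions start and end outside the hunks.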
@@ -3729,6 +3732,9 @@ safe_free(s->cert); s->cert = xstrdup(token + 5); } else if (strncmp(token, "key=", 4) == 0) { + if (!s->cert) { + debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": cert= option must be set before key= is used."); + } safe_free(s->key); s->key = xstrdup(token + 4); } else if (strncmp(token, "version=", 8) == 0) { diff -u -r -N squid-3.5.22/src/cf.data.pre squid-3.5.23/src/cf.data.pre --- squid-3.5.22/src/cf.data.pre 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/cf.data.pre 2016-12-16 22:25:05.000000000 +1300 @@ -678,7 +678,7 @@ children-max=n Maximum number of acl helper processes spawned to service - external acl lookups of this type. (default 20) + external acl lookups of this type. (default 5) children-startup=n Minimum number of acl helper processes to spawn during @@ -1167,6 +1167,9 @@ # During each Ssl-Bump step, Squid may improve its understanding of a # "true server name". Unlike dstdomain, this ACL does not perform # DNS lookups. + # The "none" name can be used to match transactions where Squid + # could not compute the server name using any information source + # already available at the ACL evaluation time. acl aclname ssl::server_name_regex [-i] \.foo\.com ... # regex matches server name obtained from various sources [fast] @@ -1787,13 +1790,12 @@ certificate equals lifetime of the CA certificate. If generated certificate is selfsigned lifetime is three years. - This option is enabled by default when ssl-bump is used. - See the ssl-bump option above for more information. + This option is disabled by default. See the ssl-bump + option above for more information. dynamic_cert_mem_cache_size=SIZE Approximate total RAM size spent on cached generated - certificates. If set to zero, caching is disabled. The - default value is 4MB. + certificates. If set to zero, caching is disabled. TLS / SSL Options: 
@@ -2063,13 +2065,12 @@ certificate equals lifetime of CA certificate. If generated certificate is selfsigned lifetime is three years. - This option is enabled by default when SslBump is used. - See the sslBump option above for more information. + This option is disabled by default. See the ssl-bump + option above for more information. dynamic_cert_mem_cache_size=SIZE Approximate total RAM size spent on cached generated - certificates. If set to zero, caching is disabled. The - default value is 4MB. + certificates. If set to zero, caching is disabled. See http_port for a list of available options. DOC_END diff -u -r -N squid-3.5.22/src/clients/FtpClient.cc squid-3.5.23/src/clients/FtpClient.cc --- squid-3.5.22/src/clients/FtpClient.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/clients/FtpClient.cc 2016-12-16 22:25:05.000000000 +1300 @@ -442,6 +442,11 @@ char *buf; debugs(9, 3, status()); + if (!Comm::IsConnOpen(ctrl.conn)) { + debugs(9, 5, "The control connection to the remote end is closed"); + return false; + } + if (code != 227) { debugs(9, 2, "PASV not supported by remote end"); return false; @@ -473,6 +478,11 @@ char *buf; debugs(9, 3, status()); + if (!Comm::IsConnOpen(ctrl.conn)) { + debugs(9, 5, "The control connection to the remote end is closed"); + return false; + } + if (code != 229 && code != 522) { if (code == 200) { /* handle broken servers (RFC 2428 says OK code for EPSV MUST be 229 not 200) */ @@ -733,6 +743,11 @@ void Ftp::Client::connectDataChannel() { + if (!Comm::IsConnOpen(ctrl.conn)) { + debugs(9, 5, "The control connection to the remote end is closed"); + return; + } + safe_free(ctrl.last_command); safe_free(ctrl.last_reply); diff -u -r -N squid-3.5.22/src/clients/FtpGateway.cc squid-3.5.23/src/clients/FtpGateway.cc --- squid-3.5.22/src/clients/FtpGateway.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/clients/FtpGateway.cc 2016-12-16 22:25:05.000000000 +1300 
@@ -212,7 +212,9 @@ static FTPSM ftpReadMdtm; static FTPSM ftpSendSize; static FTPSM ftpReadSize; +#if 0 static FTPSM ftpSendEPRT; +#endif static FTPSM ftpReadEPRT; static FTPSM ftpSendPORT; static FTPSM ftpReadPORT; @@ -450,6 +452,11 @@ void Ftp::Gateway::listenForDataChannel(const Comm::ConnectionPointer &conn) { + if (!Comm::IsConnOpen(ctrl.conn)) { + debugs(9, 5, "The control connection to the remote end is closed"); + return; + } + assert(!Comm::IsConnOpen(data.conn)); typedef CommCbMemFunT AcceptDialer; @@ -1183,7 +1190,7 @@ checkUrlpath(); buildTitleUrl(); - debugs(9, 5, HERE << "FD " << ctrl.conn->fd << " : host=" << request->GetHost() << + debugs(9, 5, "FD " << (ctrl.conn != NULL ? ctrl.conn->fd : -1) << " : host=" << request->GetHost() << ", path=" << request->urlpath << ", user=" << user << ", passwd=" << password); state = BEGIN; Ftp::Client::start(); @@ -1750,7 +1757,9 @@ if (ftpState->handlePasvReply(srvAddr)) ftpState->connectDataChannel(); else { - ftpSendEPRT(ftpState); + ftpFail(ftpState); + // Currently disabled, does not work correctly: + // ftpSendEPRT(ftpState); return; } } @@ -1790,6 +1799,11 @@ } safe_free(ftpState->data.host); + if (!Comm::IsConnOpen(ftpState->ctrl.conn)) { + debugs(9, 5, "The control connection to the remote end is closed"); + return; + } + /* * Set up a listen socket on the same local address as the * control connection. @@ -1875,9 +1889,14 @@ ftpRestOrList(ftpState); } +#if 0 static void ftpSendEPRT(Ftp::Gateway * ftpState) { + /* check the server control channel is still available */ + if (!ftpState || !ftpState->haveControlChannel("ftpSendEPRT")) + return; + if (Config.Ftp.epsv_all && ftpState->flags.epsv_all_sent) { debugs(9, DBG_IMPORTANT, "FTP does not allow EPRT method after 'EPSV ALL' has been sent."); return; @@ -1913,6 +1932,7 @@ ftpState->writeCommand(cbuf); ftpState->state = Ftp::Client::SENT_EPRT; } +#endif static void ftpReadEPRT(Ftp::Gateway * ftpState) 
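Review bot: In src/clients/FtpGateway.cc `ftpSendEPRT` is compiled out with `#if 0` at its declaration and definition and left as a commented-out call in the PASV failure branch, but the only explanation given is "does not work correctly". A comment at the `ftpFail(ftpState);` call should state the consequence and where it is tracked, for example `// EPRT fallback disabled (see <bug-id>): a rejected PASV reply now fails the transfer`. The `haveControlChannel("ftpSendEPRT")` guard added at @@ -1875 sits inside the disabled region and `ftpReadEPRT` remains declared, so the same comment should say whether that reader is still reachable. The functions involved start and end outside these hunks.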
@@ -1939,10 +1959,8 @@ { debugs(9, 3, HERE); - if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) { - abortAll("entry aborted when accepting data conn"); - data.listenConn->close(); - data.listenConn = NULL; + if (!Comm::IsConnOpen(ctrl.conn)) { /*Close handlers will cleanup*/ + debugs(9, 5, "The control connection to the remote end is closed"); return; } @@ -1955,6 +1973,14 @@ return; } + if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) { + abortAll("entry aborted when accepting data conn"); + data.listenConn->close(); + data.listenConn = NULL; + io.conn->close(); + return; + } + /* data listening conn is no longer even open. abort. */ if (!Comm::IsConnOpen(data.listenConn)) { data.listenConn = NULL; // ensure that it's cleared and not just closed. @@ -2705,8 +2731,8 @@ Ftp::Gateway::completeForwarding() { if (fwd == NULL || flags.completed_forwarding) { - debugs(9, 3, HERE << "completeForwarding avoids " << - "double-complete on FD " << ctrl.conn->fd << ", Data FD " << data.conn->fd << + debugs(9, 3, "avoid double-complete on FD " << + (ctrl.conn != NULL ? ctrl.conn->fd : -1) << ", Data FD " << data.conn->fd << ", this " << this << ", fwd " << fwd); return; } diff -u -r -N squid-3.5.22/src/client_side.cc squid-3.5.23/src/client_side.cc --- squid-3.5.22/src/client_side.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/client_side.cc 2016-12-16 22:25:05.000000000 +1300 
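Review bot: In the `@@ -1955,6 +1973,14 @@` hunk the relocated ENTRY_ABORTED block calls `data.listenConn->close()` before the `Comm::IsConnOpen(data.listenConn)` test that follows it. If the listening connection pointer can already be cleared at this point, the abort path dereferences it first; the hunk does not show whether that can happen. A defensive form costs one line: `if (data.listenConn != NULL) data.listenConn->close();`. The function starts outside the hunk.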
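Review bot: The `@@ -2705,8 +2731,8 @@` hunk makes the control-connection part of the debug line null-safe but leaves `data.conn->fd` unguarded in the same statement. This branch is taken when forwarding is already complete, which is a state where the data connection may be gone as well. The second operand should get the same treatment: `", Data FD " << (data.conn != NULL ? data.conn->fd : -1) <<`.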
@@ -340,7 +340,21 @@ AsyncCall::Pointer call = commCbCall(33, 5, "ClientSocketContext::wroteControlMsg", CommIoCbPtrFun(&WroteControlMsg, this)); - getConn()->writeControlMsgAndCall(this, rep.getRaw(), call); + if (!getConn()->writeControlMsgAndCall(this, rep.getRaw(), call)) { + // but still inform the caller (so it may resume its operation) + doneWithControlMsg(); + } +} + +void +ClientSocketContext::doneWithControlMsg() +{ + ScheduleCallHere(cbControlMsgSent); + cbControlMsgSent = NULL; + + debugs(33, 3, clientConnection << ": calling PushDeferredIfNeeded after control msg wrote"); + ClientSocketContextPushDeferredIfNeeded(this, getConn()); + } /// called when we wrote the 1xx response @@ -351,7 +365,7 @@ return; if (errflag == Comm::OK) { - ScheduleCallHere(cbControlMsgSent); + doneWithControlMsg(); return; } @@ -415,6 +429,7 @@ statCounter.client_http.nearHitSvcTime.count(svc_time); break; + case LOG_TCP_INM_HIT: case LOG_TCP_IMS_HIT: statCounter.client_http.nearMissSvcTime.count(svc_time); break; @@ -1455,6 +1470,8 @@ if (context != http->getConn()->getCurrentContext()) context->deferRecipientForLater(node, rep, receivedData); + else if (context->controlMsgIsPending()) + context->deferRecipientForLater(node, rep, receivedData); else http->getConn()->handleReply(rep, receivedData); diff -u -r -N squid-3.5.22/src/client_side.h squid-3.5.23/src/client_side.h --- squid-3.5.22/src/client_side.h 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/client_side.h 2016-12-16 22:25:05.000000000 +1300 @@ -129,9 +129,13 @@ /// starts writing 1xx control message to the client void writeControlMsg(HttpControlMsg &msg); + /// true if 1xx to the user is pending + bool controlMsgIsPending() {return cbControlMsgSent != NULL;} + protected: static IOCB WroteControlMsg; void wroteControlMsg(const Comm::ConnectionPointer &conn, char *bufnotused, size_t size, Comm::Flag errflag, int xerrno); + void doneWithControlMsg(); private: void prepareReply(HttpReply * rep); 
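Review bot: `ClientSocketContext::doneWithControlMsg()` in the `@@ -340,7 +340,21 @@` hunk is added without a doc comment, although the neighbouring `wroteControlMsg` has one (`/// called when we wrote the 1xx response`). It has two distinct callers, one after a successful write and one when `writeControlMsgAndCall()` returns false, so it is worth stating, for example `/// 1xx handling is over (written or dropped): notify the sender and resume deferred reply processing`. The blank line before its closing brace can go. On the write-error path `cbControlMsgSent` is not cleared in the visible lines, so `controlMsgIsPending()` would stay true there; the rest of `wroteControlMsg` is outside the hunk, so that may be intentional.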
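Review bot: The new accessor in the client_side.h hunk `@@ -129,9 +129,13 @@` only reads a member and can be a const method: `bool controlMsgIsPending() const { return cbControlMsgSent != NULL; }`. That also matches the spacing used inside other inline bodies in this header.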
@@ -387,7 +391,7 @@ void connectionTag(const char *aTag) { connectionTag_ = aTag; } /// handle a control message received by context from a peer and call back - virtual void writeControlMsgAndCall(ClientSocketContext *context, HttpReply *rep, AsyncCall::Pointer &call) = 0; + virtual bool writeControlMsgAndCall(ClientSocketContext *context, HttpReply *rep, AsyncCall::Pointer &call) = 0; /// ClientStream calls this to supply response header (once) and data /// for the current ClientSocketContext. diff -u -r -N squid-3.5.22/src/client_side_reply.cc squid-3.5.23/src/client_side_reply.cc --- squid-3.5.22/src/client_side_reply.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/client_side_reply.cc 2016-12-16 22:25:05.000000000 +1300 @@ -396,6 +396,15 @@ if (result.flags.error && !EBIT_TEST(http->storeEntry()->flags, ENTRY_ABORTED)) return; + if (collapsedRevalidation == crSlave && EBIT_TEST(http->storeEntry()->flags, KEY_PRIVATE)) { + debugs(88, 3, "CF slave hit private " << *http->storeEntry() << ". MISS"); + // restore context to meet processMiss() expectations + restoreState(); + http->logType = LOG_TCP_MISS; + processMiss(); + return; + } + /* update size of the request */ reqsize = result.length + reqofs; @@ -518,6 +527,16 @@ return; } + // The previously identified hit suddenly became unsharable! + // This is common for collapsed forwarding slaves but might also + // happen to regular hits because we are called asynchronously. + if (EBIT_TEST(e->flags, KEY_PRIVATE)) { + debugs(88, 3, "unsharable " << *e << ". MISS"); + http->logType = LOG_TCP_MISS; + processMiss(); + return; + } + if (result.length == 0) { debugs(88, 5, "store IO buffer has no content. MISS"); /* the store couldn't get enough data from the file for us to id the @@ -589,6 +608,7 @@ debugs(88, 5, "negative-HIT"); http->logType = LOG_TCP_NEGATIVE_HIT; sendMoreData(result); + return; } else if (blockedHit()) { debugs(88, 5, "send_hit forces a MISS"); http->logType = LOG_TCP_MISS; 
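Review bot: The pure virtual `writeControlMsgAndCall()` in the `@@ -387,7 +391,7 @@` hunk changes its return type to `bool`, but the doc comment above it is unchanged and says nothing about the result. The client_side.cc caller in this patch treats false as "nothing was written and `call` will not fire", and implementers need that contract stated at the interface. Suggested addition: `/// \returns false if the message was dropped and call will never be invoked; the caller must then finish the control message itself`.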
@@ -641,27 +661,29 @@ http->logType = LOG_TCP_MISS; processMiss(); } + return; } else if (r->conditional()) { debugs(88, 5, "conditional HIT"); - processConditional(result); - } else { - /* - * plain ol' cache hit - */ - debugs(88, 5, "plain old HIT"); + if (processConditional(result)) + return; + } + + /* + * plain ol' cache hit + */ + debugs(88, 5, "plain old HIT"); #if USE_DELAY_POOLS - if (e->store_status != STORE_OK) - http->logType = LOG_TCP_MISS; - else + if (e->store_status != STORE_OK) + http->logType = LOG_TCP_MISS; + else #endif - if (e->mem_status == IN_MEMORY) - http->logType = LOG_TCP_MEM_HIT; - else if (Config.onoff.offline) - http->logType = LOG_TCP_OFFLINE_HIT; + if (e->mem_status == IN_MEMORY) + http->logType = LOG_TCP_MEM_HIT; + else if (Config.onoff.offline) + http->logType = LOG_TCP_OFFLINE_HIT; - sendMoreData(result); - } + sendMoreData(result); } /** @@ -755,17 +777,16 @@ } /// process conditional request from client -void +bool clientReplyContext::processConditional(StoreIOBuffer &result) { StoreEntry *const e = http->storeEntry(); if (e->getReply()->sline.status() != Http::scOkay) { - debugs(88, 4, "clientReplyContext::processConditional: Reply code " << - e->getReply()->sline.status() << " != 200"); + debugs(88, 4, "Reply code " << e->getReply()->sline.status() << " != 200"); http->logType = LOG_TCP_MISS; processMiss(); - return; + return true; } HttpRequest &r = *http->request; 
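Review bot: `processConditional()` in the `@@ -755,17 +777,16 @@` hunk now returns `bool`, but its one-line comment (`/// process conditional request from client`) does not say what the value means. The only hint is the caller, `if (processConditional(result)) return;`. I would extend the comment: `/// \returns true if a reply or a miss has already been started; false if the caller should serve a plain hit`. The function body continues past the end of this hunk.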
@@ -773,51 +794,39 @@ if (r.header.has(HDR_IF_MATCH) && !e->hasIfMatchEtag(r)) { // RFC 2616: reply with 412 Precondition Failed if If-Match did not match sendPreconditionFailedError(); - return; + return true; } - bool matchedIfNoneMatch = false; if (r.header.has(HDR_IF_NONE_MATCH)) { - if (!e->hasIfNoneMatchEtag(r)) { - // RFC 2616: ignore IMS if If-None-Match did not match - r.flags.ims = false; - r.ims = -1; - r.imslen = 0; - r.header.delById(HDR_IF_MODIFIED_SINCE); - http->logType = LOG_TCP_MISS; - sendMoreData(result); - return; - } + // RFC 7232: If-None-Match recipient MUST ignore IMS + r.flags.ims = false; + r.ims = -1; + r.imslen = 0; + r.header.delById(HDR_IF_MODIFIED_SINCE); - if (!r.flags.ims) { - // RFC 2616: if If-None-Match matched and there is no IMS, - // reply with 304 Not Modified or 412 Precondition Failed + if (e->hasIfNoneMatchEtag(r)) { sendNotModifiedOrPreconditionFailedError(); - return; + return true; } - // otherwise check IMS below to decide if we reply with 304 or 412 - matchedIfNoneMatch = true; + // None-Match is true (no ETag matched); treat as an unconditional hit + return false; } if (r.flags.ims) { // handle If-Modified-Since requests from the client if (e->modifiedSince(r.ims, r.imslen)) { - http->logType = LOG_TCP_IMS_HIT; - sendMoreData(result); - return; - } + // Modified-Since is true; treat as an unconditional hit + return false; - if (matchedIfNoneMatch) { - // If-None-Match matched, reply with 304 Not Modified or - // 412 Precondition Failed - sendNotModifiedOrPreconditionFailedError(); - return; + } else { + // otherwise reply with 304 Not Modified + sendNotModified(); } - - // otherwise reply with 304 Not Modified - sendNotModified(); + return true; } + + return false; } /// whether squid.conf send_hit prevents us from serving this hit 
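Review bot: The If-Modified-Since branch at the end of this hunk returns from the `if` arm and then uses an `else` whose result is returned one level up, which hides the fact that both arms leave the function. A flat form reads more directly: `if (e->modifiedSince(r.ims, r.imslen)) return false; // treat as an unconditional hit` followed by `sendNotModified(); return true;`. The If-None-Match branch also rewrites the request (`r.header.delById(HDR_IF_MODIFIED_SINCE)`) before the ETag comparison. The start of the function is outside this hunk.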
@@ -1345,7 +1354,7 @@ hdr->delById(HDR_ETAG); #endif - if (is_hit) + if (is_hit || collapsedRevalidation == crSlave) hdr->delById(HDR_SET_COOKIE); // TODO: RFC 2965 : Must honour Cache-Control: no-cache="set-cookie2" and remove header. @@ -1646,7 +1655,9 @@ { HttpRequest *r = http->request; - if (r->flags.cachable || r->flags.internal) { + // client sent CC:no-cache or some other condition has been + // encountered which prevents delivering a public/cached object. + if (!r->flags.noCache || r->flags.internal) { lookingforstore = 5; StoreEntry::getPublicByRequest (this, r); } else { @@ -1969,7 +1980,12 @@ StoreEntry *e = http->storeEntry(); const time_t timestamp = e->timestamp; HttpReply *const temprep = e->getReply()->make304(); - http->logType = LOG_TCP_IMS_HIT; + // log as TCP_INM_HIT if code 304 generated for + // If-None-Match request + if (!http->request->flags.ims) + http->logType = LOG_TCP_INM_HIT; + else + http->logType = LOG_TCP_IMS_HIT; removeClientStoreReference(&sc, http); createStoreEntry(http->request->method, RequestFlags()); e = http->storeEntry(); diff -u -r -N squid-3.5.22/src/client_side_reply.h squid-3.5.23/src/client_side_reply.h --- squid-3.5.22/src/client_side_reply.h 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/client_side_reply.h 2016-12-16 22:25:05.000000000 +1300 @@ -114,7 +114,7 @@ bool alwaysAllowResponse(Http::StatusCode sline) const; int checkTransferDone(); void processOnlyIfCachedMiss(); - void processConditional(StoreIOBuffer &result); + bool processConditional(StoreIOBuffer &result); void cacheHit(StoreIOBuffer result); void handleIMSReply(StoreIOBuffer result); void sendMoreData(StoreIOBuffer result); diff -u -r -N squid-3.5.22/src/external_acl.cc squid-3.5.23/src/external_acl.cc --- squid-3.5.22/src/external_acl.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/external_acl.cc 2016-12-16 22:25:05.000000000 +1300 
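Review bot: The widened condition `if (is_hit || collapsedRevalidation == crSlave)` in the `@@ -1345,7 +1354,7 @@` hunk has no comment explaining why a collapsed slave is treated like a hit for `Set-Cookie` removal. Presumably the slave relays a reply that was fetched for a different client's request, so passing the cookie through would hand one client's session data to another. That rationale should be on the line, for example `// a collapsed slave shares a reply obtained for another client: never relay its Set-Cookie`. The existing TODO about `set-cookie2` applies to this path too.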
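Review bot: In the `@@ -1646,7 +1655,9 @@` hunk the new two-line comment ("client sent CC:no-cache or some other condition ...") sits directly above `if (!r->flags.noCache || r->flags.internal)`, but it describes the `else` arm, so it reads as the opposite of the condition below it. I would move it into the `else` block, or reword it for the branch it precedes: `// look up a public entry unless the client sent CC:no-cache; internal requests always look up`.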
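Review bot: The log-tag choice in the `@@ -1969,7 +1980,12 @@` hunk uses `!http->request->flags.ims` as the signal for an If-None-Match request. That holds only because `processConditional()` in this patch clears `flags.ims` whenever If-None-Match is present. The dependency should be recorded at the test so a later change to either side does not silently mislabel 304s: `// processConditional() clears flags.ims whenever If-None-Match is present`.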
@@ -474,13 +474,13 @@ if (node->children.n_max != DEFAULT_EXTERNAL_ACL_CHILDREN) storeAppendPrintf(sentry, " children-max=%d", node->children.n_max); - if (node->children.n_startup != 1) + if (node->children.n_startup != 0) // sync with helper/ChildConfig.cc default storeAppendPrintf(sentry, " children-startup=%d", node->children.n_startup); - if (node->children.n_idle != (node->children.n_max + node->children.n_startup) ) + if (node->children.n_idle != 1) // sync with helper/ChildConfig.cc default storeAppendPrintf(sentry, " children-idle=%d", node->children.n_idle); - if (node->children.concurrency) + if (node->children.concurrency != 0) storeAppendPrintf(sentry, " concurrency=%d", node->children.concurrency); if (node->cache) diff -u -r -N squid-3.5.22/src/format/Format.cc squid-3.5.23/src/format/Format.cc --- squid-3.5.22/src/format/Format.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/format/Format.cc 2016-12-16 22:25:05.000000000 +1300 @@ -318,7 +318,7 @@ actualReplyHeader(const AccessLogEntry::Pointer &al) { const HttpMsg *msg = al->reply; -#if USE_ADAPTATION +#if ICAP_CLIENT // al->icap.reqMethod is methodNone in access.log context if (!msg && al->icap.reqMethod == Adaptation::methodReqmod) msg = al->adapted_request; @@ -331,7 +331,7 @@ static const HttpMsg * actualRequestHeader(const AccessLogEntry::Pointer &al) { -#if USE_ADAPTATION +#if ICAP_CLIENT // al->icap.reqMethod is methodNone in access.log context if (al->icap.reqMethod == Adaptation::methodRespmod) { // XXX: for now AccessLogEntry lacks virgin response headers @@ -819,7 +819,7 @@ break; case LFT_REQUEST_ALL_HEADERS: -#if USE_ADAPTATION +#if ICAP_CLIENT if (al->icap.reqMethod == Adaptation::methodRespmod) { // XXX: since AccessLogEntry::Headers lacks virgin response // headers, do nothing for now 
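Review bot: The external_acl.cc hunk compares `n_startup` against a literal `0` and `n_idle` against a literal `1`, with only a `// sync with helper/ChildConfig.cc default` comment tying them to the real defaults. The line just above uses a named constant (`DEFAULT_EXTERNAL_ACL_CHILDREN`) for `n_max`. Exposing the startup and idle defaults as named constants next to the ChildConfig defaults and using them here would remove the manual synchronisation, which is how the old values presumably drifted.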
@@ -843,7 +843,7 @@ case LFT_REPLY_ALL_HEADERS: out = al->headers.reply; -#if USE_ADAPTATION +#if ICAP_CLIENT if (!out && al->icap.reqMethod == Adaptation::methodReqmod) out = al->headers.adapted_request; #endif diff -u -r -N squid-3.5.22/src/http/StatusCode.cc squid-3.5.23/src/http/StatusCode.cc --- squid-3.5.22/src/http/StatusCode.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/http/StatusCode.cc 2016-12-16 22:25:05.000000000 +1300 @@ -33,6 +33,10 @@ return "Processing"; break; + case Http::scEarlyHints: // 103 + return "Early Hints"; + break; + // 200-299 case Http::scOkay: return "OK"; diff -u -r -N squid-3.5.22/src/http/StatusCode.h squid-3.5.23/src/http/StatusCode.h --- squid-3.5.22/src/http/StatusCode.h 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/http/StatusCode.h 2016-12-16 22:25:05.000000000 +1300 @@ -22,6 +22,7 @@ scContinue = 100, scSwitchingProtocols = 101, scProcessing = 102, /**< RFC2518 section 10.1 */ + scEarlyHints = 103, /**< draft-kazuho-early-hints-status-code */ scOkay = 200, scCreated = 201, scAccepted = 202, diff -u -r -N squid-3.5.22/src/http.cc squid-3.5.23/src/http.cc --- squid-3.5.22/src/http.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/http.cc 2016-12-16 22:25:05.000000000 +1300 @@ -191,6 +191,12 @@ if (!EBIT_TEST(e->flags, KEY_PRIVATE)) return; + // If the new/incoming response cannot be stored, then it does not + // compete with the old stored response for the public key, and the + // old stored response should be left as is. + if (e->mem_obj->request && !e->mem_obj->request->flags.cachable) + return; + switch (status) { case Http::scOkay: @@ -203,6 +209,8 @@ case Http::scFound: + case Http::scSeeOther: + case Http::scGone: case Http::scNotFound: @@ -594,7 +602,7 @@ while (strListGetItem(&vary, ',', &item, &ilen, &pos)) { SBuf name(item, ilen); if (name == asterisk) { - vstr.clear(); + vstr = asterisk; break; } name.toLower(); 
@@ -917,6 +925,12 @@ varyFailure = true; } else { entry->mem_obj->vary_headers = vary; + + // RFC 7231 section 7.1.4 + // Vary:* can be cached, but has mandatory revalidation + static const SBuf asterisk("*"); + if (vary == asterisk) + EBIT_SET(entry->flags, ENTRY_REVALIDATE_ALWAYS); } } diff -u -r -N squid-3.5.22/src/HttpRequest.cc squid-3.5.23/src/HttpRequest.cc --- squid-3.5.22/src/HttpRequest.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/HttpRequest.cc 2016-12-16 22:25:05.000000000 +1300 @@ -576,8 +576,13 @@ if (!method.respMaybeCacheable()) return false; - // XXX: this would seem the correct place to detect request cache-controls - // no-store, private and related which block cacheability + // RFC 7234 section 5.2.1.5: + // "cache MUST NOT store any part of either this request or any response to it" + // + // NP: refresh_pattern ignore-no-store only applies to response messages + // this test is handling request message CC header. + if (!flags.ignoreCc && cache_control && cache_control->noStore()) + return false; break; case AnyP::PROTO_GOPHER: diff -u -r -N squid-3.5.22/src/ip/Intercept.cc squid-3.5.23/src/ip/Intercept.cc --- squid-3.5.22/src/ip/Intercept.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/ip/Intercept.cc 2016-12-16 22:25:05.000000000 +1300 @@ -25,6 +25,9 @@ #define IPFILTER_VERSION 5000004 #endif +#if HAVE_SYS_PARAM_H +#include +#endif #if HAVE_SYS_IOCCOM_H #include #endif 
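Review bot: The `@@ -917,6 +925,12 @@` hunk declares a function-local `static const SBuf asterisk("*")`. The earlier `@@ -594,7 +602,7 @@` hunk in the same file already relies on an `asterisk` of the same meaning (`if (name == asterisk)` / `vstr = asterisk;`). Producer and consumer must agree on this marker value, so a single file-scope constant would make that coupling explicit instead of leaving two definitions to stay in step. The earlier definition is outside that hunk, so its exact form is inferred.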
@@ -336,13 +339,20 @@ } memset(&nl, 0, sizeof(struct pfioc_natlook)); - newConn->remote.getInAddr(nl.saddr.v4); - nl.sport = htons(newConn->remote.port()); - newConn->local.getInAddr(nl.daddr.v4); + if (newConn->remote.isIPv6()) { + newConn->remote.getInAddr(nl.saddr.v6); + newConn->local.getInAddr(nl.daddr.v6); + nl.af = AF_INET6; + } else { + newConn->remote.getInAddr(nl.saddr.v4); + newConn->local.getInAddr(nl.daddr.v4); + nl.af = AF_INET; + } + + nl.sport = htons(newConn->remote.port()); nl.dport = htons(newConn->local.port()); - nl.af = AF_INET; nl.proto = IPPROTO_TCP; nl.direction = PF_OUT; @@ -358,7 +368,10 @@ debugs(89, 9, HERE << "address: " << newConn); return false; } else { - newConn->local = nl.rdaddr.v4; + if (newConn->remote.isIPv6()) + newConn->local = nl.rdaddr.v6; + else + newConn->local = nl.rdaddr.v4; newConn->local.port(ntohs(nl.rdport)); debugs(89, 5, HERE << "address NAT: " << newConn); return true; diff -u -r -N squid-3.5.22/src/ipcache.cc squid-3.5.23/src/ipcache.cc --- squid-3.5.22/src/ipcache.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/ipcache.cc 2016-12-16 22:25:05.000000000 +1300 @@ -123,7 +123,6 @@ static FREE ipcacheFreeEntry; static IDNSCB ipcacheHandleReply; static int ipcacheExpiredEntry(ipcache_entry *); -static int ipcacheParse(ipcache_entry *, const rfc1035_rr *, int, const char *error); static ipcache_entry *ipcache_get(const char *); static void ipcacheLockEntry(ipcache_entry *); static void ipcacheStatPrint(ipcache_entry *, StoreEntry *); @@ -328,8 +327,7 @@ ipcacheUnlockEntry(i); } -/// \ingroup IPCacheAPI -static int +static void ipcacheParse(ipcache_entry *i, const rfc1035_rr * answers, int nr, const char *error_message) { int k; 
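Review bot: The PF lookup in the `@@ -336,13 +339,20 @@` and `@@ -358,7 +368,10 @@` hunks decides the address family twice by calling `newConn->remote.isIPv6()`, once when filling `nl` and once when reading the result. The second test can key off the value already chosen, `if (nl.af == AF_INET6) newConn->local = nl.rdaddr.v6;`, so request and reply cannot disagree. Only `remote` is inspected in the visible lines, so `local` is assumed to be the same family; a short comment saying so would help. The function starts outside both hunks.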
@@ -350,25 +348,25 @@ i->addrs.count = 0; if (nr < 0) { - debugs(14, 3, "ipcacheParse: Lookup failed '" << error_message << "' for '" << (const char *)i->hash.key << "'"); + debugs(14, 3, "Lookup failed '" << error_message << "' for '" << (const char *)i->hash.key << "'"); i->error_message = xstrdup(error_message); - return -1; + return; } if (nr == 0) { - debugs(14, 3, "ipcacheParse: No DNS records in response to '" << name << "'"); + debugs(14, 3, "No DNS records in response to '" << name << "'"); i->error_message = xstrdup("No DNS records"); - return -1; + return; } - debugs(14, 3, "ipcacheParse: " << nr << " answers for '" << name << "'"); + debugs(14, 3, nr << " answers for '" << name << "'"); assert(answers); for (k = 0; k < nr; ++k) { if (Ip::EnableIpv6 && answers[k].type == RFC1035_TYPE_AAAA) { if (answers[k].rdlength != sizeof(struct in6_addr)) { - debugs(14, DBG_IMPORTANT, "ipcacheParse: Invalid IPv6 address in response to '" << name << "'"); + debugs(14, DBG_IMPORTANT, MYNAME << "Invalid IPv6 address in response to '" << name << "'"); continue; } ++na; @@ -378,7 +376,7 @@ if (answers[k].type == RFC1035_TYPE_A) { if (answers[k].rdlength != sizeof(struct in_addr)) { - debugs(14, DBG_IMPORTANT, "ipcacheParse: Invalid IPv4 address in response to '" << name << "'"); + debugs(14, DBG_IMPORTANT, MYNAME << "Invalid IPv4 address in response to '" << name << "'"); continue; } ++na; 
@@ -394,14 +392,14 @@ } // otherwise its an unknown RR. debug at level 9 since we usually want to ignore these and they are common. - debugs(14, 9, HERE << "Unknown RR type received: type=" << answers[k].type << " starting at " << &(answers[k]) ); + debugs(14, 9, "Unknown RR type received: type=" << answers[k].type << " starting at " << &(answers[k]) ); } if (na == 0) { - debugs(14, DBG_IMPORTANT, "ipcacheParse: No Address records in response to '" << name << "'"); + debugs(14, DBG_IMPORTANT, MYNAME << "No Address records in response to '" << name << "'"); i->error_message = xstrdup("No Address records"); if (cname_found) ++IpcacheStats.cname_only; - return 0; + return; } i->addrs.in_addrs = static_cast(xcalloc(na, sizeof(Ip::Address))); @@ -419,7 +417,7 @@ memcpy(&temp, answers[k].rdata, sizeof(struct in_addr)); i->addrs.in_addrs[j] = temp; - debugs(14, 3, "ipcacheParse: " << name << " #" << j << " " << i->addrs.in_addrs[j]); + debugs(14, 3, name << " #" << j << " " << i->addrs.in_addrs[j]); ++j; } else if (Ip::EnableIpv6 && answers[k].type == RFC1035_TYPE_AAAA) { @@ -430,7 +428,7 @@ memcpy(&temp, answers[k].rdata, sizeof(struct in6_addr)); i->addrs.in_addrs[j] = temp; - debugs(14, 3, "ipcacheParse: " << name << " #" << j << " " << i->addrs.in_addrs[j] ); + debugs(14, 3, name << " #" << j << " " << i->addrs.in_addrs[j] ); ++j; } if (ttl == 0 || (int) answers[k].ttl < ttl) @@ -453,8 +451,6 @@ i->expires = squid_curtime + ttl; i->flags.negcached = false; - - return i->addrs.count; } /// \ingroup IPCacheInternal 
@@ -467,13 +463,9 @@ const int age = i->age(); statCounter.dns.svcTime.count(age); - int done = ipcacheParse(i, answers, na, error_message); - - /* If we have not produced either IPs or Error immediately, wait for recursion to finish. */ - if (done != 0 || error_message != NULL) { - ipcacheAddEntry(i); - ipcacheCallback(i, age); - } + ipcacheParse(i, answers, na, error_message); + ipcacheAddEntry(i); + ipcacheCallback(i, age); } /** diff -u -r -N squid-3.5.22/src/LogTags.h squid-3.5.23/src/LogTags.h --- squid-3.5.22/src/LogTags.h 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/LogTags.h 2016-12-16 22:25:05.000000000 +1300 @@ -28,6 +28,7 @@ LOG_TCP_REFRESH_IGNORED, // refresh from origin ignored, stale entry sent LOG_TCP_CLIENT_REFRESH_MISS, LOG_TCP_IMS_HIT, + LOG_TCP_INM_HIT, LOG_TCP_SWAPFAIL_MISS, LOG_TCP_NEGATIVE_HIT, LOG_TCP_MEM_HIT, @@ -54,6 +55,7 @@ return (code == LOG_TCP_HIT) || (code == LOG_TCP_IMS_HIT) || + (code == LOG_TCP_INM_HIT) || (code == LOG_TCP_REFRESH_FAIL_OLD) || (code == LOG_TCP_REFRESH_UNMODIFIED) || (code == LOG_TCP_NEGATIVE_HIT) || diff -u -r -N squid-3.5.22/src/SBuf.cc squid-3.5.23/src/SBuf.cc --- squid-3.5.22/src/SBuf.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/SBuf.cc 2016-12-16 22:25:05.000000000 +1300 @@ -178,7 +178,8 @@ if (!mustRealloc && len_ >= req.maxCapacity) return spaceSize(); // but we cannot reallocate - const size_type newSpace = std::min(req.idealSpace, maxSize - len_); + const size_type desiredSpace = std::max(req.minSpace, req.idealSpace); + const size_type newSpace = std::min(desiredSpace, maxSize - len_); reserveCapacity(std::min(len_ + newSpace, req.maxCapacity)); debugs(24, 7, id << " now: " << off_ << '+' << len_ << '+' << spaceSize() << '=' << store_->capacity); diff -u -r -N squid-3.5.22/src/SBuf.h squid-3.5.23/src/SBuf.h --- squid-3.5.22/src/SBuf.h 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/SBuf.h 2016-12-16 22:25:05.000000000 +1300 
@@ -635,9 +635,10 @@ /* * Parameters are listed in the reverse order of importance: Satisfaction of * the lower-listed requirements may violate the higher-listed requirements. + * For example, idealSpace has no effect unless it exceeds minSpace. */ size_type idealSpace; ///< if allocating anyway, provide this much space - size_type minSpace; ///< allocate if spaceSize() is smaller + size_type minSpace; ///< allocate [at least this much] if spaceSize() is smaller size_type maxCapacity; ///< do not allocate more than this bool allowShared; ///< whether sharing our storage with others is OK }; diff -u -r -N squid-3.5.22/src/servers/FtpServer.cc squid-3.5.23/src/servers/FtpServer.cc --- squid-3.5.22/src/servers/FtpServer.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/servers/FtpServer.cc 2016-12-16 22:25:05.000000000 +1300 @@ -1152,12 +1152,13 @@ writeErrorReply(reply, 451); } -void +bool Ftp::Server::writeControlMsgAndCall(ClientSocketContext *context, HttpReply *reply, AsyncCall::Pointer &call) { // the caller guarantees that we are dealing with the current context only // the caller should also make sure reply->header.has(HDR_FTP_STATUS) writeForwardedReplyAndCall(reply, call); + return true; } void diff -u -r -N squid-3.5.22/src/servers/FtpServer.h squid-3.5.23/src/servers/FtpServer.h --- squid-3.5.22/src/servers/FtpServer.h 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/servers/FtpServer.h 2016-12-16 22:25:05.000000000 +1300 
@@ -94,7 +94,7 @@ virtual void clientPinnedConnectionClosed(const CommCloseCbParams &io); virtual void handleReply(HttpReply *header, StoreIOBuffer receivedData); virtual int pipelinePrefetchMax() const; - virtual void writeControlMsgAndCall(ClientSocketContext *context, HttpReply *rep, AsyncCall::Pointer &call); + virtual bool writeControlMsgAndCall(ClientSocketContext *context, HttpReply *rep, AsyncCall::Pointer &call); virtual time_t idleTimeout() const; /* BodyPipe API */ diff -u -r -N squid-3.5.22/src/servers/HttpServer.cc squid-3.5.23/src/servers/HttpServer.cc --- squid-3.5.22/src/servers/HttpServer.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/servers/HttpServer.cc 2016-12-16 22:25:05.000000000 +1300 @@ -35,7 +35,7 @@ virtual ClientSocketContext *parseOneRequest(Http::ProtocolVersion &ver); virtual void processParsedRequest(ClientSocketContext *context, const Http::ProtocolVersion &ver); virtual void handleReply(HttpReply *rep, StoreIOBuffer receivedData); - virtual void writeControlMsgAndCall(ClientSocketContext *context, HttpReply *rep, AsyncCall::Pointer &call); + virtual bool writeControlMsgAndCall(ClientSocketContext *context, HttpReply *rep, AsyncCall::Pointer &call); virtual time_t idleTimeout() const; /* BodyPipe API */ @@ -167,9 +167,16 @@ context->sendStartOfMessage(rep, receivedData); } -void +bool Http::Server::writeControlMsgAndCall(ClientSocketContext *context, HttpReply *rep, AsyncCall::Pointer &call) { + // Ignore this late control message if we have started sending a + // reply to the user already (e.g., after an error). + if (context->reply) { + debugs(11, 2, "drop 1xx made late by " << context->reply); + return false; + } + // apply selected clientReplyContext::buildReplyHeader() mods // it is not clear what headers are required for control messages rep->header.removeHopByHopEntries(); 
@@ -184,6 +191,7 @@ Comm::Write(context->clientConnection, mb, call); delete mb; + return true; } ConnStateData * diff -u -r -N squid-3.5.22/src/ssl/support.cc squid-3.5.23/src/ssl/support.cc --- squid-3.5.22/src/ssl/support.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/ssl/support.cc 2016-12-16 22:25:05.000000000 +1300 @@ -2011,10 +2011,17 @@ pem_password_cb *cb = ::Config.Program.ssl_password ? &ssl_ask_password_cb : NULL; pkey.reset(readSslPrivateKey(keyFilename, cb)); cert.reset(readSslX509CertificatesChain(certFilename, chain.get())); - if (!pkey || !cert || !X509_check_private_key(cert.get(), pkey.get())) { - pkey.reset(NULL); - cert.reset(NULL); - } + if (!cert) { + debugs(83, DBG_IMPORTANT, "WARNING: missing cert in '" << certFilename << "'"); + } else if (!pkey) { + debugs(83, DBG_IMPORTANT, "WARNING: missing private key in '" << keyFilename << "'"); + } else if (!X509_check_private_key(cert.get(), pkey.get())) { + debugs(83, DBG_IMPORTANT, "WARNING: X509_check_private_key() failed to verify signing cert"); + } else + return; // everything is okay + + pkey.reset(NULL); + cert.reset(NULL); } bool Ssl::generateUntrustedCert(X509_Pointer &untrustedCert, EVP_PKEY_Pointer &untrustedPkey, X509_Pointer const &cert, EVP_PKEY_Pointer const & pkey) diff -u -r -N squid-3.5.22/src/tunnel.cc squid-3.5.23/src/tunnel.cc --- squid-3.5.22/src/tunnel.cc 2016-10-10 08:58:01.000000000 +1300 +++ squid-3.5.23/src/tunnel.cc 2016-12-16 22:25:05.000000000 +1300 @@ -475,7 +475,8 @@ *status_ptr = rep.sline.status(); // we need to relay the 401/407 responses when login=PASS(THRU) - const char *pwd = server.conn->getPeer()->login; + const CachePeer *peer = server.conn->getPeer(); + const char *pwd = (peer ? peer->login : NULL); const bool relay = pwd && (strcmp(pwd, "PASS") == 0 || strcmp(pwd, "PASSTHRU") == 0) && (*status_ptr == Http::scProxyAuthenticationRequired || *status_ptr == Http::scUnauthorized);
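Review bot: Of the three new warnings in the ssl/support.cc hunk, the key-mismatch one is the only message that does not name the files involved, which makes it the hardest to act on when several ports load signing material. I would include both paths: `debugs(83, DBG_IMPORTANT, "WARNING: X509_check_private_key() failed to verify signing cert '" << certFilename << "' against key '" << keyFilename << "'");`. The trailing `} else return; // everything is okay` mixes braced and unbraced arms and hides the success path; bracing it or testing for success first would read more clearly.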