diff -u -r -N squid-3.5.5/ChangeLog squid-3.5.6/ChangeLog --- squid-3.5.5/ChangeLog 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/ChangeLog 2015-07-03 02:12:52.000000000 -0700 @@ -1,3 +1,21 @@ +Changes to squid-3.5.6 (03 Jul 2015): + + - Bug 4274: ssl_crtd.8 not being installed + - Bug 4193: memory leak on FTP listings + - Bug 4183: segfault when freeing https_port clientca on reconfigure or exit + - Bug 3875: bad mimeLoadIconFile error handling + - Bug 3483: assertion failed store.cc:1866: 'isEmpty()' + - Bug 3329: pinned server connection is not closed properly + - TLS: Disable client-initiated renegotiation + - ext_edirectory_userip_acl: fix uninitialized variable + - Support custom OIDs in *_cert ACLs + - Fix CONNECT failover to IPv4 after trying broken IPv6 servers + - Use relative-URL in errorpage.css for SN.png + - Do not blindly forward cache peer CONNECT responses + - Fix assertion String.cc:221: "str" + - Fix assertion comm.cc:759: "Comm::IsConnOpen(conn)" in ConnStateData::getSslContextDone + - Translations: add Spanish US dialect alias + Changes to squid-3.5.5 (28 May 2015): - Regression Bug 4132: short_icon_urls with global_internal_static on diff -u -r -N squid-3.5.5/compat/Makefile.in squid-3.5.6/compat/Makefile.in --- squid-3.5.5/compat/Makefile.in 2015-05-28 04:08:10.000000000 -0700 +++ squid-3.5.6/compat/Makefile.in 2015-07-03 02:14:20.000000000 -0700 
@@ -83,8 +83,8 @@ build_triplet = @build@ host_triplet = @host@ DIST_COMMON = $(top_srcdir)/src/Common.am $(srcdir)/Makefile.in \ - $(srcdir)/Makefile.am strtoll.c tempnam.c drand48.c psignal.c \ - initgroups.c strerror.c $(top_srcdir)/cfgaux/depcomp \ + $(srcdir)/Makefile.am initgroups.c tempnam.c drand48.c \ + strtoll.c strerror.c psignal.c $(top_srcdir)/cfgaux/depcomp \ $(top_srcdir)/cfgaux/test-driver check_PROGRAMS = testPreCompiler$(EXEEXT) TESTS = testPreCompiler$(EXEEXT) testHeaders diff -u -r -N squid-3.5.5/configure squid-3.5.6/configure --- squid-3.5.5/configure 2015-05-28 04:09:24.000000000 -0700 +++ squid-3.5.6/configure 2015-07-03 02:15:26.000000000 -0700 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.5.5. +# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.5.6. # # Report bugs to . # @@ -595,8 +595,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='3.5.5' -PACKAGE_STRING='Squid Web Proxy 3.5.5' +PACKAGE_VERSION='3.5.6' +PACKAGE_STRING='Squid Web Proxy 3.5.6' PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' PACKAGE_URL='' @@ -1617,7 +1617,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 3.5.5 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 3.5.6 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1687,7 +1687,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 3.5.5:";; + short | recursive ) echo "Configuration of Squid Web Proxy 3.5.6:";; esac cat <<\_ACEOF 
@@ -2094,7 +2094,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 3.5.5 +Squid Web Proxy configure 3.5.6 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3198,7 +3198,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 3.5.5, which was +It was created by Squid Web Proxy $as_me 3.5.6, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4065,7 +4065,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='3.5.5' + VERSION='3.5.6' cat >>confdefs.h <<_ACEOF @@ -40919,7 +40919,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 3.5.5, which was +This file was extended by Squid Web Proxy $as_me 3.5.6, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -40985,7 +40985,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Squid Web Proxy config.status 3.5.5 +Squid Web Proxy config.status 3.5.6 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -u -r -N squid-3.5.5/configure.ac squid-3.5.6/configure.ac --- squid-3.5.5/configure.ac 2015-05-28 04:09:23.000000000 -0700 +++ squid-3.5.6/configure.ac 2015-07-03 02:15:26.000000000 -0700 
@@ -5,7 +5,7 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -AC_INIT([Squid Web Proxy],[3.5.5],[http://bugs.squid-cache.org/],[squid]) +AC_INIT([Squid Web Proxy],[3.5.6],[http://bugs.squid-cache.org/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) diff -u -r -N squid-3.5.5/errors/aliases squid-3.5.6/errors/aliases --- squid-3.5.5/errors/aliases 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/errors/aliases 2015-07-03 02:12:52.000000000 -0700 @@ -13,7 +13,7 @@ de de-at de-ch de-de de-li de-lu el el-gr en en-au en-bz en-ca en-gb en-ie en-in en-jm en-nz en-ph en-sg en-tt en-uk en-us en-za en-zw -es es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-uy es-ve +es es-ar es-bo es-cl es-co es-cr es-do es-ec es-es es-gt es-hn es-mx es-ni es-pa es-pe es-pr es-py es-sv es-us es-uy es-ve et et-ee fa fa-fa fa-ir fi fi-fi diff -u -r -N squid-3.5.5/errors/errorpage.css squid-3.5.6/errors/errorpage.css --- squid-3.5.5/errors/errorpage.css 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/errors/errorpage.css 2015-07-03 02:12:52.000000000 -0700 @@ -31,7 +31,7 @@ margin-left: 15px; padding: 10px; padding-left: 100px; - background: url('http://www.squid-cache.org/Artwork/SN.png') no-repeat left; + background: url('/squid-internal-static/icons/SN.png') no-repeat left; } /* initial title */ diff -u -r -N squid-3.5.5/helpers/basic_auth/DB/basic_db_auth.8 squid-3.5.6/helpers/basic_auth/DB/basic_db_auth.8 --- squid-3.5.5/helpers/basic_auth/DB/basic_db_auth.8 2015-05-28 04:56:18.000000000 -0700 +++ squid-3.5.6/helpers/basic_auth/DB/basic_db_auth.8 2015-07-03 03:13:13.000000000 -0700 
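Review bot: The new `background: url('/squid-internal-static/icons/SN.png')` in errors/errorpage.css is resolved by the browser against the origin the error page was generated for, and nothing in the stylesheet says that the proxy is expected to answer that path itself. This appears to depend on `global_internal_static` being left on; with it off the request is presumably forwarded to the origin server and the logo is simply missing. A short comment above the rule would record that, e.g. `/* SN.png is served by Squid itself (global_internal_static); no external fetch */`.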
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 1" -.TH BASIC_DB_AUTH 1 "2015-05-28" "perl v5.20.2" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 1 "2015-07-03" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.5/helpers/basic_auth/fake/fake.cc squid-3.5.6/helpers/basic_auth/fake/fake.cc --- squid-3.5.5/helpers/basic_auth/fake/fake.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/helpers/basic_auth/fake/fake.cc 2015-07-03 02:12:52.000000000 -0700 @@ -99,7 +99,7 @@ process_options(argc, argv); - debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", program_name); + debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", program_name); while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) { char *p; @@ -115,7 +115,7 @@ /* send 'OK' result back to Squid */ SEND_OK(""); } - debug("%s build " __DATE__ ", " __TIME__ " shutting down...\n", program_name); + debug("%s " VERSION " " SQUID_BUILD_INFO " shutting down...\n", program_name); exit(0); } diff -u -r -N squid-3.5.5/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 squid-3.5.6/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 --- squid-3.5.5/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 2015-05-28 04:56:22.000000000 -0700 +++ squid-3.5.6/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 2015-07-03 03:13:18.000000000 -0700 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_MSNT_MULTI_DOMAIN_AUTH 1" -.TH BASIC_MSNT_MULTI_DOMAIN_AUTH 1 "2015-05-28" "perl v5.20.2" "User Contributed Perl Documentation" +.TH BASIC_MSNT_MULTI_DOMAIN_AUTH 1 "2015-07-03" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.5/helpers/basic_auth/POP3/basic_pop3_auth.8 squid-3.5.6/helpers/basic_auth/POP3/basic_pop3_auth.8 --- squid-3.5.5/helpers/basic_auth/POP3/basic_pop3_auth.8 2015-05-28 04:56:26.000000000 -0700 +++ squid-3.5.6/helpers/basic_auth/POP3/basic_pop3_auth.8 2015-07-03 03:13:24.000000000 -0700 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_POP3_AUTH 1" -.TH BASIC_POP3_AUTH 1 "2015-05-28" "perl v5.20.2" "User Contributed Perl Documentation" +.TH BASIC_POP3_AUTH 1 "2015-07-03" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.5/helpers/external_acl/AD_group/ext_ad_group_acl.cc squid-3.5.6/helpers/external_acl/AD_group/ext_ad_group_acl.cc --- squid-3.5.5/helpers/external_acl/AD_group/ext_ad_group_acl.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/helpers/external_acl/AD_group/ext_ad_group_acl.cc 2015-07-03 02:12:52.000000000 -0700 
@@ -801,8 +801,7 @@ if (!DefaultDomain) DefaultDomain = xstrdup(machinedomain); } - debug("External ACL win32 group helper build " __DATE__ ", " __TIME__ - " starting up...\n"); + debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", argv[0]); if (use_global) debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain); if (use_case_insensitive_compare) diff -u -r -N squid-3.5.5/helpers/external_acl/delayer/ext_delayer_acl.8 squid-3.5.6/helpers/external_acl/delayer/ext_delayer_acl.8 --- squid-3.5.5/helpers/external_acl/delayer/ext_delayer_acl.8 2015-05-28 04:56:36.000000000 -0700 +++ squid-3.5.6/helpers/external_acl/delayer/ext_delayer_acl.8 2015-07-03 03:13:40.000000000 -0700 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_DELAYER_ACL 1" -.TH EXT_DELAYER_ACL 1 "2015-05-28" "perl v5.20.2" "User Contributed Perl Documentation" +.TH EXT_DELAYER_ACL 1 "2015-07-03" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.5/helpers/external_acl/eDirectory_userip/ext_edirectory_userip_acl.cc squid-3.5.6/helpers/external_acl/eDirectory_userip/ext_edirectory_userip_acl.cc --- squid-3.5.5/helpers/external_acl/eDirectory_userip/ext_edirectory_userip_acl.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/helpers/external_acl/eDirectory_userip/ext_edirectory_userip_acl.cc 2015-07-03 02:12:52.000000000 -0700 
@@ -1500,6 +1500,7 @@ memset(bufb, '\0', sizeof(bufb)); memset(bufc, '\0', sizeof(bufc)); memset(sfmod, '\0', sizeof(sfmod)); + memset(&sv, 0, sizeof(sv)); InitConf(); xstrncpy(edui_conf.program, argv[0], sizeof(edui_conf.program)); diff -u -r -N squid-3.5.5/helpers/external_acl/LM_group/ext_lm_group_acl.cc squid-3.5.6/helpers/external_acl/LM_group/ext_lm_group_acl.cc --- squid-3.5.5/helpers/external_acl/LM_group/ext_lm_group_acl.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/helpers/external_acl/LM_group/ext_lm_group_acl.cc 2015-07-03 02:12:52.000000000 -0700 @@ -540,8 +540,7 @@ if (!DefaultDomain) DefaultDomain = xstrdup(machinedomain); } - debug("External ACL win32 group helper build " __DATE__ ", " __TIME__ - " starting up...\n"); + debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", argv[0]); if (use_global) { debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain); } diff -u -r -N squid-3.5.5/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-3.5.6/helpers/external_acl/SQL_session/ext_sql_session_acl.8 --- squid-3.5.5/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2015-05-28 04:56:43.000000000 -0700 +++ squid-3.5.6/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2015-07-03 03:13:49.000000000 -0700 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_SQL_SESSION_ACL 1" -.TH EXT_SQL_SESSION_ACL 1 "2015-05-28" "perl v5.20.2" "User Contributed Perl Documentation" +.TH EXT_SQL_SESSION_ACL 1 "2015-07-03" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.5/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.5.6/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-3.5.5/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2015-05-28 04:56:46.000000000 -0700 +++ squid-3.5.6/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2015-07-03 03:13:53.000000000 -0700 @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL 1" -.TH EXT_WBINFO_GROUP_ACL 1 "2015-05-28" "perl v5.20.2" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL 1 "2015-07-03" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.5/helpers/log_daemon/DB/log_db_daemon.8 squid-3.5.6/helpers/log_daemon/DB/log_db_daemon.8 --- squid-3.5.5/helpers/log_daemon/DB/log_db_daemon.8 2015-05-28 04:56:48.000000000 -0700 +++ squid-3.5.6/helpers/log_daemon/DB/log_db_daemon.8 2015-07-03 03:13:56.000000000 -0700 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "LOG_DB_DAEMON 1" -.TH LOG_DB_DAEMON 1 "2015-05-28" "perl v5.20.2" "User Contributed Perl Documentation" +.TH LOG_DB_DAEMON 1 "2015-07-03" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.5/helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc squid-3.5.6/helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc --- squid-3.5.5/helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc 2015-07-03 02:12:52.000000000 -0700 @@ -281,7 +281,7 @@ process_options(argc, argv); - debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name); + debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", my_program_name); if (LoadSecurityDll(SSP_NTLM, NEGOTIATE_PACKAGE_NAME) == NULL) { fprintf(stderr, "FATAL: %s: can't initialize SSPI, exiting.\n", argv[0]); diff -u -r -N squid-3.5.5/helpers/ntlm_auth/fake/ntlm_fake_auth.cc squid-3.5.6/helpers/ntlm_auth/fake/ntlm_fake_auth.cc --- squid-3.5.5/helpers/ntlm_auth/fake/ntlm_fake_auth.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/helpers/ntlm_auth/fake/ntlm_fake_auth.cc 2015-07-03 02:12:52.000000000 -0700 
@@ -141,7 +141,7 @@ process_options(argc, argv); - debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name); + debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", my_program_name); while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) { user[0] = '\0'; /*no user code */ diff -u -r -N squid-3.5.5/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc squid-3.5.6/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc --- squid-3.5.5/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc 2015-07-03 02:12:52.000000000 -0700 @@ -622,7 +622,7 @@ int main(int argc, char *argv[]) { - debug("ntlm_auth build " __DATE__ ", " __TIME__ " starting up...\n"); + debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", argv[0]); my_program_name = argv[0]; process_options(argc, argv); diff -u -r -N squid-3.5.5/helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc squid-3.5.6/helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc --- squid-3.5.5/helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc 2015-07-03 02:12:52.000000000 -0700 @@ -619,7 +619,7 @@ process_options(argc, argv); - debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name); + debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", my_program_name); if (LoadSecurityDll(SSP_NTLM, NTLM_PACKAGE_NAME) == NULL) { fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n"); diff -u -r -N squid-3.5.5/helpers/storeid_rewrite/file/storeid_file_rewrite.8 squid-3.5.6/helpers/storeid_rewrite/file/storeid_file_rewrite.8 --- squid-3.5.5/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2015-05-28 04:57:00.000000000 -0700 +++ squid-3.5.6/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2015-07-03 03:14:11.000000000 -0700 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "STOREID_FILE_REWRITE 1" -.TH STOREID_FILE_REWRITE 1 "2015-05-28" "perl v5.20.2" "User Contributed Perl Documentation" +.TH STOREID_FILE_REWRITE 1 "2015-07-03" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.5.5/helpers/url_rewrite/fake/fake.cc squid-3.5.6/helpers/url_rewrite/fake/fake.cc --- squid-3.5.5/helpers/url_rewrite/fake/fake.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/helpers/url_rewrite/fake/fake.cc 2015-07-03 02:12:52.000000000 -0700 @@ -104,7 +104,7 @@ process_options(argc, argv); - debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name); + debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", my_program_name); while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) { char *p; @@ -127,7 +127,7 @@ fprintf(stdout, "%" PRId64 " ERR\n", channelId); } } - debug("%s build " __DATE__ ", " __TIME__ " shutting down...\n", my_program_name); + debug("%s " VERSION " " SQUID_BUILD_INFO " shutting down...\n", my_program_name); return 0; } diff -u -r -N squid-3.5.5/include/version.h squid-3.5.6/include/version.h --- squid-3.5.5/include/version.h 2015-05-28 04:09:24.000000000 -0700 +++ squid-3.5.6/include/version.h 2015-07-03 02:15:26.000000000 -0700 @@ -7,7 +7,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1432811191 +#define SQUID_RELEASE_TIME 1435914765 #endif /* diff -u -r -N squid-3.5.5/RELEASENOTES.html squid-3.5.6/RELEASENOTES.html --- squid-3.5.5/RELEASENOTES.html 2015-05-28 04:58:09.000000000 -0700 +++ squid-3.5.6/RELEASENOTES.html 2015-07-03 03:15:40.000000000 -0700 @@ -2,10 +2,10 @@ - Squid 3.5.5 release notes + Squid 3.5.6 release notes -

Squid 3.5.5 release notes

+

Squid 3.5.6 release notes

Squid Developers


@@ -63,7 +63,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.5.5.

+

The Squid Team are pleased to announce the release of Squid-3.5.6.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.5/ or the mirrors.

diff -u -r -N squid-3.5.5/src/acl/CertificateData.cc squid-3.5.6/src/acl/CertificateData.cc --- squid-3.5.5/src/acl/CertificateData.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/src/acl/CertificateData.cc 2015-07-03 02:12:52.000000000 -0700 @@ -126,8 +126,29 @@ debugs(28, DBG_CRITICAL, "FATAL: An acl must use consistent attributes in all config lines (" << newAttribute << "!=" << attribute << ")."); self_destruct(); } - } else + } else { + if (strcasecmp(newAttribute, "DN") != 0) { + int nid = OBJ_txt2nid(newAttribute); + if (nid == 0) { + const size_t span = strspn(newAttribute, "0123456789."); + if(newAttribute[span] == '\0') { // looks like a numerical OID + // create a new object based on this attribute + + // NOTE: Not a [bad] leak: If the same attribute + // has been added before, the OBJ_txt2nid call + // would return a valid nid value. + // TODO: call OBJ_cleanup() on reconfigure? + nid = OBJ_create(newAttribute, newAttribute, newAttribute); + debugs(28, 7, "New SSL certificate attribute created with name: " << newAttribute << " and nid: " << nid); + } + } + if (nid == 0) { + debugs(28, DBG_CRITICAL, "FATAL: Not valid SSL certificate attribute name or numerical OID: " << newAttribute); + self_destruct(); + } + } attribute = xstrdup(newAttribute); + } } } diff -u -r -N squid-3.5.5/src/cf.data.pre squid-3.5.6/src/cf.data.pre --- squid-3.5.5/src/cf.data.pre 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/src/cf.data.pre 2015-07-03 02:12:52.000000000 -0700 
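Review bot: The numerical-OID test `newAttribute[span] == '\0'` in the CertificateData.cc hunk also accepts an empty string and strings made only of dots, so rejecting those is left entirely to `OBJ_create()` failing and the second `nid == 0` check. Requiring at least one matched character makes the intent explicit: `if (span > 0 && newAttribute[span] == '\0') { // looks like a numerical OID`. The three comparisons with the literal `0` would read better as `NID_undef`, which is what `OBJ_txt2nid()` and `OBJ_create()` return on failure. The enclosing parse function starts and ends outside the hunk.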
@@ -1063,11 +1063,11 @@ acl aclname user_cert attribute values... # match against attributes in a user SSL certificate - # attribute is one of DN/C/O/CN/L/ST [fast] + # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] acl aclname ca_cert attribute values... # match against attributes a users issuing CA SSL certificate - # attribute is one of DN/C/O/CN/L/ST [fast] + # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast] acl aclname ext_user username ... acl aclname ext_user_regex [-i] pattern ... diff -u -r -N squid-3.5.5/src/clients/FtpGateway.cc squid-3.5.6/src/clients/FtpGateway.cc --- squid-3.5.5/src/clients/FtpGateway.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/src/clients/FtpGateway.cc 2015-07-03 02:12:52.000000000 -0700 @@ -967,7 +967,7 @@ if ( t != NULL) { debugs(9, 7, HERE << "listing append: t = {" << t->contentSize() << ", '" << t->content() << "'}"); listing.append(t->content(), t->contentSize()); -//leak? delete t; + delete t; } } diff -u -r -N squid-3.5.5/src/client_side.cc squid-3.5.6/src/client_side.cc --- squid-3.5.5/src/client_side.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/src/client_side.cc 2015-07-03 02:12:52.000000000 -0700 @@ -3687,19 +3687,19 @@ debugs(83, (xerrno == ECONNRESET) ? 1 : 2, "Error negotiating SSL connection on FD " << fd << ": " << (xerrno == 0 ? ERR_error_string(ssl_error, NULL) : xstrerr(xerrno))); } - comm_close(fd); + conn->clientConnection->close(); return false; case SSL_ERROR_ZERO_RETURN: debugs(83, DBG_IMPORTANT, "Error negotiating SSL connection on FD " << fd << ": Closed by client"); - comm_close(fd); + conn->clientConnection->close(); return false; default: debugs(83, DBG_IMPORTANT, "Error negotiating SSL connection on FD " << fd << ": " << ERR_error_string(ERR_get_error(), NULL) << " (" << ssl_error << "/" << ret << ")"); - comm_close(fd); + conn->clientConnection->close(); return false; } 
@@ -3947,6 +3947,11 @@ void ConnStateData::sslCrtdHandleReply(const Helper::Reply &reply) { + if (!isOpen()) { + debugs(33, 3, "Connection gone while waiting for ssl_crtd helper reply; helper reply:" << reply); + return; + } + if (reply.result == Helper::BrokenHelper) { debugs(33, 5, HERE << "Certificate for " << sslConnectHostOrIp << " cannot be generated. ssl_crtd response: " << reply); } else if (!reply.other().hasContent()) { @@ -4306,7 +4311,7 @@ connState->sslBumpMode = bumpAction; if (bumpAction == Ssl::bumpTerminate) { - comm_close(connState->clientConnection->fd); + connState->clientConnection->close(); } else if (bumpAction != Ssl::bumpSplice) { connState->startPeekAndSpliceDone(); } else { @@ -4851,6 +4856,7 @@ assert(pinning.serverConnection == io.conn); pinning.closeHandler = NULL; // Comm unregisters handlers before calling const bool sawZeroReply = pinning.zeroReply; // reset when unpinning + pinning.serverConnection->noteClosure(); unpinConnection(false); if (sawZeroReply && clientConnection != NULL) { diff -u -r -N squid-3.5.5/src/comm/Connection.cc squid-3.5.6/src/comm/Connection.cc --- squid-3.5.5/src/comm/Connection.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/src/comm/Connection.cc 2015-07-03 02:12:52.000000000 -0700 @@ -74,6 +74,14 @@ { if (isOpen()) { comm_close(fd); + noteClosure(); + } +} + +void +Comm::Connection::noteClosure() +{ + if (isOpen()) { fd = -1; if (CachePeer *p=getPeer()) peerConnClosed(p); diff -u -r -N squid-3.5.5/src/comm/Connection.h squid-3.5.6/src/comm/Connection.h --- squid-3.5.5/src/comm/Connection.h 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/src/comm/Connection.h 2015-07-03 02:12:52.000000000 -0700 
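Review bot: The new early return in `ConnStateData::sslCrtdHandleReply` streams the whole helper reply into the log at debug level 3, lower than the level 5 used for the reply a few lines further down. An ssl_crtd reply normally carries the generated certificate and, as far as I know, its private key, so if `operator<<` for `Helper::Reply` prints the reply body this writes key material to cache.log at a commonly enabled level. Logging only the outcome avoids that: `debugs(33, 3, "Connection gone while waiting for ssl_crtd helper reply; helper result: " << reply.result);`. The function body continues outside the hunk.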
@@ -75,6 +75,9 @@ /** Close any open socket. */ void close(); + /** Synchronize with Comm: Somebody closed our connection. */ + void noteClosure(); + /** determine whether this object describes an active connection or not. */ bool isOpen() const { return (fd >= 0); } diff -u -r -N squid-3.5.5/src/mime.cc squid-3.5.6/src/mime.cc --- squid-3.5.5/src/mime.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/src/mime.cc 2015-07-03 02:12:52.000000000 -0700 @@ -40,11 +40,14 @@ public: explicit MimeIcon(const char *aName); ~MimeIcon(); + MEMPROXY_CLASS(MimeIcon); + void setName(char const *); char const * getName() const; void load(); - void created(StoreEntry *newEntry); - MEMPROXY_CLASS(MimeIcon); + + /* StoreClient API */ + virtual void created(StoreEntry *); private: const char *icon_; 
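Review bot: The doc comment added for `noteClosure()` in Connection.h does not say that the method leaves the descriptor alone. Per the Connection.cc hunk it only sets `fd = -1` and notifies a cache peer, while `close()` is the one that calls `comm_close(fd)`. A caller that mistakes it for a close would leak the socket, so I would spell the contract out: `/** Synchronize with Comm: somebody else already closed our descriptor. Does not close the FD; call only from a close handler. */`.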
@@ -361,32 +364,43 @@ } void -MimeIcon::created (StoreEntry *newEntry) +MimeIcon::created(StoreEntry *newEntry) { /* if the icon is already in the store, do nothing */ if (!newEntry->isNull()) return; + // XXX: if a 204 is cached due to earlier load 'failure' we should try to reload. - int fd; - int n; - RequestFlags flags; - struct stat sb; - LOCAL_ARRAY(char, path, MAXPATHLEN); - char *buf; - - snprintf(path, MAXPATHLEN, "%s/%s", Config.icons.directory, icon_); + // default is a 200 object with image data. + // set to the backup value of 204 on image loading errors + Http::StatusCode status = Http::scOkay; + + static char path[MAXPATHLEN]; + *path = 0; + if (snprintf(path, sizeof(path)-1, "%s/%s", Config.icons.directory, icon_) < 0) { + debugs(25, DBG_CRITICAL, "ERROR: icon file '" << Config.icons.directory << "/" << icon_ << "' path is longer than " << MAXPATHLEN << " bytes"); + status = Http::scNoContent; + } - fd = file_open(path, O_RDONLY | O_BINARY); - if (fd < 0) { - debugs(25, DBG_CRITICAL, "Problem opening icon file " << path << ": " << xstrerror()); - return; + int fd = -1; + errno = 0; + if (status == Http::scOkay && (fd = file_open(path, O_RDONLY | O_BINARY)) < 0) { + int xerrno = errno; + debugs(25, DBG_CRITICAL, "ERROR: opening icon file " << path << ": " << xstrerr(xerrno)); + status = Http::scNoContent; } - if (fstat(fd, &sb) < 0) { - debugs(25, DBG_CRITICAL, "Problem opening icon file. Fd: " << fd << ", fstat error " << xstrerror()); + + struct stat sb; + errno = 0; + if (status == Http::scOkay && fstat(fd, &sb) < 0) { + int xerrno = errno; + debugs(25, DBG_CRITICAL, "ERROR: opening icon file " << path << " FD " << fd << ", fstat error " << xstrerr(xerrno)); file_close(fd); - return; + status = Http::scNoContent; } + // fill newEntry with a canned 2xx response object + RequestFlags flags; flags.cachable = true; StoreEntry *e = storeCreateEntry(url_,url_,flags,Http::METHOD_GET); assert(e != NULL); 
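Review bot: The over-long path check in `MimeIcon::created` cannot fire on truncation, because `snprintf()` returns a negative value only on an output error and returns the would-be length when the result does not fit; with `< 0` a truncated `path` still goes on to `file_open()`. Compare the return value with the buffer size instead: `const int len = snprintf(path, sizeof(path), "%s/%s", Config.icons.directory, icon_);` followed by `if (len < 0 || static_cast<size_t>(len) >= sizeof(path)) {`. `path` is now a function-static buffer, which is safe only as long as this method is never re-entered; a one-line comment saying so would help. The function continues in the next hunk.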
@@ -396,30 +410,37 @@ HttpRequest *r = HttpRequest::CreateFromUrl(url_); if (NULL == r) - fatal("mimeLoadIcon: cannot parse internal URL"); + fatalf("mimeLoadIcon: cannot parse internal URL: %s", url_); e->mem_obj->request = r; HTTPMSGLOCK(e->mem_obj->request); HttpReply *reply = new HttpReply; - reply->setHeaders(Http::scOkay, NULL, mimeGetContentType(icon_), sb.st_size, sb.st_mtime, -1); + if (status == Http::scNoContent) + reply->setHeaders(status, NULL, NULL, 0, -1, -1); + else + reply->setHeaders(status, NULL, mimeGetContentType(icon_), sb.st_size, sb.st_mtime, -1); reply->cache_control = new HttpHdrCc(); reply->cache_control->maxAge(86400); reply->header.putCc(reply->cache_control); e->replaceHttpReply(reply); - /* read the file into the buffer and append it to store */ - buf = (char *)memAllocate(MEM_4K_BUF); - while ((n = FD_READ_METHOD(fd, buf, 4096)) > 0) - e->append(buf, n); + if (status == Http::scOkay) { + /* read the file into the buffer and append it to store */ + int n; + char *buf = (char *)memAllocate(MEM_4K_BUF); + while ((n = FD_READ_METHOD(fd, buf, sizeof(*buf))) > 0) + e->append(buf, n); + + file_close(fd); + memFree(buf, MEM_4K_BUF); + } - file_close(fd); e->flush(); e->complete(); e->timestampsSet(); e->unlock("MimeIcon::created"); - memFree(buf, MEM_4K_BUF); debugs(25, 3, "Loaded icon " << url_); } diff -u -r -N squid-3.5.5/src/ssl/ErrorDetail.cc squid-3.5.6/src/ssl/ErrorDetail.cc --- squid-3.5.5/src/ssl/ErrorDetail.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/src/ssl/ErrorDetail.cc 2015-07-03 02:12:52.000000000 -0700 
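Review bot: `FD_READ_METHOD(fd, buf, sizeof(*buf))` asks for a single byte per call, because `buf` is a `char *` and `sizeof(*buf)` is 1; the removed code read 4096 bytes into the same `MEM_4K_BUF` allocation. The icon still loads, but with one read and one `e->append()` per byte of the file. Restore the buffer size: `while ((n = FD_READ_METHOD(fd, buf, 4096)) > 0)`. `MimeIcon::created` starts before this hunk, so the `fd` and `status` handling it relies on is in the previous one.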
@@ -430,13 +430,12 @@ */ const char *Ssl::ErrorDetail::subject() const { - if (!broken_cert) - return "[Not available]"; - - static char tmpBuffer[256]; // A temporary buffer - X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, - sizeof(tmpBuffer)); - return tmpBuffer; + if (broken_cert.get()) { + static char tmpBuffer[256]; // A temporary buffer + if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) + return tmpBuffer; + } + return "[Not available]"; } // helper function to be used with Ssl::matchX509CommonNames @@ -445,9 +444,11 @@ String *str = (String *)check_data; if (!str) // no data? abort return 0; - if (str->size() > 0) - str->append(", "); - str->append((const char *)cn_data->data, cn_data->length); + if (cn_data && cn_data->length) { + if (str->size() > 0) + str->append(", "); + str->append((const char *)cn_data->data, cn_data->length); + } return 1; } @@ -456,13 +457,14 @@ */ const char *Ssl::ErrorDetail::cn() const { - if (!broken_cert) - return "[Not available]"; - - static String tmpStr; ///< A temporary string buffer - tmpStr.clean(); - Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn); - return tmpStr.termedBuf(); + if (broken_cert.get()) { + static String tmpStr; ///< A temporary string buffer + tmpStr.clean(); + Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn); + if (tmpStr.size()) + return tmpStr.termedBuf(); + } + return "[Not available]"; } /** @@ -470,12 +472,12 @@ */ const char *Ssl::ErrorDetail::ca_name() const { - if (!broken_cert) - return "[Not available]"; - - static char tmpBuffer[256]; // A temporary buffer - X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer)); - return tmpBuffer; + if (broken_cert.get()) { + static char tmpBuffer[256]; // A temporary buffer + if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) + return tmpBuffer; + } + return "[Not available]"; } /** 
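Review bot: `copy_cn` appends `cn_data->length` raw bytes taken from the certificate being reported, and `cn()` then returns `tmpStr.termedBuf()`, so a common name with an embedded NUL is shown truncated at that byte and control characters pass through unchanged. These accessors describe a certificate that already failed validation and their output is presumably substituted into error pages and logs, so the value should be documented as untrusted. I would add above the append: `// cn_data is peer-supplied: may contain NUL or control bytes; consumers must escape before display`. The same caveat applies to the `X509_NAME_oneline()` results returned by `subject()` and `ca_name()` in the neighbouring hunks.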
@@ -483,13 +485,14 @@ */ const char *Ssl::ErrorDetail::notbefore() const { - if (!broken_cert) - return "[Not available]"; - - static char tmpBuffer[256]; // A temporary buffer - ASN1_UTCTIME * tm = X509_get_notBefore(broken_cert.get()); - Ssl::asn1timeToString(tm, tmpBuffer, sizeof(tmpBuffer)); - return tmpBuffer; + if (broken_cert.get()) { + if (ASN1_UTCTIME * tm = X509_get_notBefore(broken_cert.get())) { + static char tmpBuffer[256]; // A temporary buffer + Ssl::asn1timeToString(tm, tmpBuffer, sizeof(tmpBuffer)); + return tmpBuffer; + } + } + return "[Not available]"; } /** @@ -497,13 +500,14 @@ */ const char *Ssl::ErrorDetail::notafter() const { - if (!broken_cert) - return "[Not available]"; - - static char tmpBuffer[256]; // A temporary buffer - ASN1_UTCTIME * tm = X509_get_notAfter(broken_cert.get()); - Ssl::asn1timeToString(tm, tmpBuffer, sizeof(tmpBuffer)); - return tmpBuffer; + if (broken_cert.get()) { + if (ASN1_UTCTIME * tm = X509_get_notAfter(broken_cert.get())) { + static char tmpBuffer[256]; // A temporary buffer + Ssl::asn1timeToString(tm, tmpBuffer, sizeof(tmpBuffer)); + return tmpBuffer; + } + } + return "[Not available]"; } /** diff -u -r -N squid-3.5.5/src/ssl/Makefile.am squid-3.5.6/src/ssl/Makefile.am --- squid-3.5.5/src/ssl/Makefile.am 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/src/ssl/Makefile.am 2015-07-03 02:12:52.000000000 -0700 @@ -18,6 +18,7 @@ if USE_SSL_CRTD SSL_CRTD = ssl_crtd +man_MANS = ssl_crtd.8 else SSL_CRTD = endif diff -u -r -N squid-3.5.5/src/ssl/Makefile.in squid-3.5.6/src/ssl/Makefile.in --- squid-3.5.5/src/ssl/Makefile.in 2015-05-28 04:09:08.000000000 -0700 +++ squid-3.5.6/src/ssl/Makefile.in 2015-07-03 02:15:11.000000000 -0700 
@@ -168,7 +168,7 @@ am_libsslutil_la_OBJECTS = gadgets.lo crtd_message.lo libsslutil_la_OBJECTS = $(am_libsslutil_la_OBJECTS) @USE_SSL_CRTD_TRUE@am__EXEEXT_1 = ssl_crtd$(EXEEXT) -am__installdirs = "$(DESTDIR)$(libexecdir)" +am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man8dir)" PROGRAMS = $(libexec_PROGRAMS) am__ssl_crtd_SOURCES_DIST = ssl_crtd.cc certificate_db.cc \ certificate_db.h @@ -242,6 +242,36 @@ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is 
@@ -283,33 +313,6 @@ std=''; \ fi; \ } -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; -am__vpath_adj = case $$p in \ - $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ - *) f=$$p;; \ - esac; -am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; -am__install_max = 40 -am__nobase_strip_setup = \ - srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` -am__nobase_strip = \ - for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" -am__nobase_list = $(am__nobase_strip_setup); \ - for p in $$list; do echo "$$p $$p"; done | \ - sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ - $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ - if (++n[$$2] == $(am__install_max)) \ - { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ - END { for (dir in files) print dir, files[dir] }' -am__base_list = \ - sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ - sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -am__uninstall_files_from_dir = { \ - test -z "$$files" \ - || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ - || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ - $(am__cd) "$$dir" && rm -f $$files; }; \ - } am__recheck_rx = ^[ ]*:recheck:[ ]* am__global_test_result_rx = ^[ ]*:global-test-result:[ ]* am__copy_in_global_log_rx = ^[ ]*:copy-in-global-log:[ ]* @@ -709,6 +712,7 @@ @USE_SSL_CRTD_FALSE@SSL_CRTD = @USE_SSL_CRTD_TRUE@SSL_CRTD = ssl_crtd +@USE_SSL_CRTD_TRUE@man_MANS = ssl_crtd.8 libsslsquid_la_SOURCES = \ bio.cc \ bio.h \ 
@@ -902,6 +906,49 @@ clean-libtool: -rm -rf .libs _libs +install-man8: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique 
@@ -1152,9 +1199,9 @@ $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) +all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) installdirs: - for dir in "$(DESTDIR)$(libexecdir)"; do \ + for dir in "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man8dir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -1214,7 +1261,7 @@ info-am: -install-data-am: +install-data-am: install-man install-dvi: install-dvi-am @@ -1230,7 +1277,7 @@ install-info-am: -install-man: +install-man: install-man8 install-pdf: install-pdf-am @@ -1260,7 +1307,9 @@ ps-am: -uninstall-am: uninstall-libexecPROGRAMS +uninstall-am: uninstall-libexecPROGRAMS uninstall-man + +uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip 
@@ -1273,12 +1322,13 @@ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-libexecPROGRAMS install-man \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am recheck tags tags-am uninstall \ - uninstall-am uninstall-libexecPROGRAMS + install-man8 install-pdf install-pdf-am install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am recheck tags tags-am \ + uninstall uninstall-am uninstall-libexecPROGRAMS uninstall-man \ + uninstall-man8 $(OBJS): $(top_srcdir)/include/version.h $(top_builddir)/include/autoconf.h diff -u -r -N squid-3.5.5/src/ssl/PeerConnector.cc squid-3.5.6/src/ssl/PeerConnector.cc --- squid-3.5.5/src/ssl/PeerConnector.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/src/ssl/PeerConnector.cc 2015-07-03 02:12:52.000000000 -0700 @@ -393,8 +393,8 @@ } if (finalAction == Ssl::bumpTerminate) { - comm_close(serverConn->fd); - comm_close(clientConn->fd); + serverConn->close(); + clientConn->close(); } else if (finalAction != Ssl::bumpSplice) { //Allow write, proceed with the connection srvBio->holdWrite(false); diff -u -r -N squid-3.5.5/src/ssl/support.cc squid-3.5.6/src/ssl/support.cc --- squid-3.5.5/src/ssl/support.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/src/ssl/support.cc 2015-07-03 02:12:52.000000000 -0700 
@@ -838,12 +838,28 @@ return dh; } +#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) +static void +ssl_info_cb(const SSL *ssl, int where, int ret) +{ + (void)ret; + if ((where & SSL_CB_HANDSHAKE_DONE) != 0) { + // disable renegotiation (CVE-2009-3555) + ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; + } +} +#endif + static bool configureSslContext(SSL_CTX *sslContext, AnyP::PortCfg &port) { int ssl_error; SSL_CTX_set_options(sslContext, port.sslOptions); +#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) + SSL_CTX_set_info_callback(sslContext, ssl_info_cb); +#endif + if (port.sslContextSessionId) SSL_CTX_set_session_id_context(sslContext, (const unsigned char *)port.sslContextSessionId, strlen(port.sslContextSessionId)); @@ -886,7 +902,13 @@ if (port.clientCA.get()) { ERR_clear_error(); - SSL_CTX_set_client_CA_list(sslContext, port.clientCA.get()); + if (STACK_OF(X509_NAME) *clientca = SSL_dup_CA_list(port.clientCA.get())) { + SSL_CTX_set_client_CA_list(sslContext, clientca); + } else { + ssl_error = ERR_get_error(); + debugs(83, DBG_CRITICAL, "ERROR: Failed to dupe the client CA list: " << ERR_error_string(ssl_error, NULL)); + return false; + } if (port.sslContextFlags & SSL_FLAG_DELAYED_AUTH) { debugs(83, 9, "Not requesting client certificates until acl processing requires one"); @@ -1186,6 +1208,10 @@ SSL_CTX_set_options(sslContext, Ssl::parse_options(options)); +#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) + SSL_CTX_set_info_callback(sslContext, ssl_info_cb); +#endif + if (cipher) { debugs(83, 5, "Using chiper suite " << cipher << "."); 
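Review bot: `ssl_info_cb` in the `@@ -838,12 +838,28 @@` hunk dereferences `ssl->s3` without checking it, and that state is likely allocated only for SSLv3/TLS sessions, so a handshake completing under another protocol version could reach a null pointer here. A guard keeps the mitigation and removes the risk: `if ((where & SSL_CB_HANDSHAKE_DONE) != 0 && ssl->s3)`. The callback and both `SSL_CTX_set_info_callback` registrations (this hunk and `@@ -1186,6 +1208,10 @@`) compile away silently when `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS` is undefined. A comment or startup log line stating that renegotiation is then left enabled would help operators auditing CVE-2009-3555 exposure.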
@@ -1804,6 +1830,11 @@ SSL * SslCreate(SSL_CTX *sslContext, const int fd, Ssl::Bio::Type type, const char *squidCtx) { + if (fd < 0) { + debugs(83, DBG_IMPORTANT, "Gone connection"); + return NULL; + } + const char *errAction = NULL; int errCode = 0; if (SSL *ssl = SSL_new(sslContext)) { diff -u -r -N squid-3.5.5/src/store_client.cc squid-3.5.6/src/store_client.cc --- squid-3.5.5/src/store_client.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/src/store_client.cc 2015-07-03 02:12:52.000000000 -0700 @@ -526,15 +526,14 @@ sc->readBody(buf, len); } -void +bool store_client::unpackHeader(char const *buf, ssize_t len) { debugs(90, 3, "store_client::unpackHeader: len " << len << ""); if (len < 0) { - debugs(90, 3, "store_client::unpackHeader: " << xstrerror() << ""); - fail(); - return; + debugs(90, 3, "WARNING: unpack error: " << xstrerror()); + return false; } int swap_hdr_sz = 0; @@ -543,16 +542,14 @@ if (!aBuilder.isBufferSane()) { /* oops, bad disk file? */ debugs(90, DBG_IMPORTANT, "WARNING: swapfile header inconsistent with available data"); - fail(); - return; + return false; } tlv *tlv_list = aBuilder.createStoreMeta (); if (tlv_list == NULL) { debugs(90, DBG_IMPORTANT, "WARNING: failed to unpack meta data"); - fail(); - return; + return false; } /* @@ -561,8 +558,7 @@ for (tlv *t = tlv_list; t; t = t->next) { if (!t->checkConsistency(entry)) { storeSwapTLVFree(tlv_list); - fail(); - return; + return false; } } @@ -577,6 +573,7 @@ debugs(90, 5, "store_client::unpackHeader: swap_file_sz=" << entry->swap_file_sz << "( " << swap_hdr_sz << " + " << entry->mem_obj->object_sz << ")"); + return true; } void 
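Review bot: The new early return in `SslCreate` logs only `"Gone connection"` at DBG_IMPORTANT, which gives an operator nothing to correlate the event with. Naming the function and the descriptor is cheap: `debugs(83, DBG_IMPORTANT, "SslCreate: connection already closed, fd=" << fd);`. The rest of the function is outside the hunk, so it is worth confirming that every caller treats a NULL return as an ordinary failure.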
@@ -588,11 +585,15 @@ flags.disk_io_pending = false; assert(_callback.pending()); - unpackHeader (buf, len); - + // abort if we fail()'d earlier if (!object_ok) return; + if (!unpackHeader(buf, len)) { + fail(); + return; + } + /* * If our last read got some data the client wants, then give * it to them, otherwise schedule another read. diff -u -r -N squid-3.5.5/src/StoreClient.h squid-3.5.6/src/StoreClient.h --- squid-3.5.5/src/StoreClient.h 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/src/StoreClient.h 2015-07-03 02:12:52.000000000 -0700 @@ -80,7 +80,7 @@ void scheduleMemRead(); void scheduleRead(); bool startSwapin(); - void unpackHeader(char const *buf, ssize_t len); + bool unpackHeader(char const *buf, ssize_t len); int type; bool object_ok; diff -u -r -N squid-3.5.5/src/tunnel.cc squid-3.5.6/src/tunnel.cc --- squid-3.5.5/src/tunnel.cc 2015-05-28 04:06:38.000000000 -0700 +++ squid-3.5.6/src/tunnel.cc 2015-07-03 02:12:52.000000000 -0700 @@ -110,6 +110,10 @@ (request->flags.interceptTproxy || request->flags.intercepted)); } + /// Sends "502 Bad Gateway" error response to the client, + /// if it is waiting for Squid CONNECT response, closing connections. + void informUserOfPeerError(const char *errMsg); + class Connection { @@ -128,12 +132,13 @@ void error(int const xerrno); int debugLevelForError(int const xerrno) const; - /// handles a non-I/O error associated with this Connection - void logicError(const char *errMsg); void closeIfOpen(); void dataSent (size_t amount); + /// writes 'b' buffer, setting the 'writer' member to 'callback'. + void write(const char *b, int size, AsyncCall::Pointer &callback, FREE * free_func); int len; char *buf; + AsyncCall::Pointer writer; ///< pending Comm::Write callback int64_t *size_ptr; /* pointer to size in an ConnStateData for logging */ Comm::ConnectionPointer conn; ///< The currently connected connection. 
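Review bot: The declaration `bool unpackHeader(char const *buf, ssize_t len);` in the StoreClient.h hunk changes the contract without documenting it: the function no longer calls `fail()` itself, so the caller now has to. A doc comment on the declaration would keep a future caller from ignoring the result, for example `/// \returns false if the swap header cannot be unpacked; the caller must then call fail()`. The one caller visible in this diff, in the `@@ -588,11 +585,15 @@` hunk, does handle the false return.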
@@ -155,6 +160,7 @@ LogTags *logTag_ptr; ///< pointer for logging Squid processing code MemBuf *connectRespBuf; ///< accumulates peer CONNECT response when we need it bool connectReqWriting; ///< whether we are writing a CONNECT request to a peer + time_t started; ///< when this tunnel was initiated. void copyRead(Connection &from, IOCB *completion); @@ -223,6 +229,7 @@ TunnelStateData *tunnelState = (TunnelStateData *)params.data; debugs(26, 3, HERE << tunnelState->server.conn); tunnelState->server.conn = NULL; + tunnelState->server.writer = NULL; if (tunnelState->request != NULL) tunnelState->request->hier.stopPeerClock(false); @@ -232,7 +239,7 @@ return; } - if (!tunnelState->server.len) { + if (!tunnelState->client.writer) { tunnelState->client.conn->close(); return; } @@ -244,13 +251,14 @@ TunnelStateData *tunnelState = (TunnelStateData *)params.data; debugs(26, 3, HERE << tunnelState->client.conn); tunnelState->client.conn = NULL; + tunnelState->client.writer = NULL; if (tunnelState->noConnections()) { delete tunnelState; return; } - if (!tunnelState->client.len) { + if (!tunnelState->server.writer) { tunnelState->server.conn->close(); return; } @@ -381,6 +389,23 @@ handleConnectResponse(len); } +void +TunnelStateData::informUserOfPeerError(const char *errMsg) +{ + server.len = 0; + if (!clientExpectsConnectResponse()) { + // closing the connection is the best we can do here + debugs(50, 3, server.conn << " closing on error: " << errMsg); + server.conn->close(); + return; + } + ErrorState *err = new ErrorState(ERR_CONNECT_FAIL, Http::scBadGateway, request.getRaw()); + err->callback = tunnelErrorComplete; + err->callback_data = this; + *status_ptr = Http::scBadGateway; + errorSend(http->getConn()->clientConnection, err); +} + /* Read from client side and queue it for writing to the server */ void TunnelStateData::ReadConnectResponseDone(const Comm::ConnectionPointer &, char *buf, size_t len, Comm::Flag errcode, int xerrno, void *data) 
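Review bot: In `TunnelStateData::informUserOfPeerError` (hunk `@@ -381,6 +389,23 @@`) `errMsg` is logged only on the branch that closes the server connection. When the client is sent the 502 instead, the reason (malformed, oversized or non-200 peer response) is dropped. Moving the log line above the `if`, e.g. `debugs(50, 3, server.conn << " peer CONNECT failed: " << errMsg);`, keeps the cause available on both paths when diagnosing a misbehaving peer. The 502 branch also does not close `server.conn` itself; presumably `tunnelErrorComplete` does, but that is not visible here and is worth confirming.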
@@ -412,7 +437,7 @@ const bool parsed = rep.parse(connectRespBuf, eof, &parseErr); if (!parsed) { if (parseErr > 0) { // unrecoverable parsing error - server.logicError("malformed CONNECT response from peer"); + informUserOfPeerError("malformed CONNECT response from peer"); return; } @@ -421,7 +446,7 @@ assert(!parseErr); if (!connectRespBuf->hasSpace()) { - server.logicError("huge CONNECT response from peer"); + informUserOfPeerError("huge CONNECT response from peer"); return; } @@ -435,7 +460,8 @@ // bail if we did not get an HTTP 200 (Connection Established) response if (rep.sline.status() != Http::scOkay) { - server.logicError("unsupported CONNECT response status code"); + // if we ever decide to reuse the peer connection, we must extract the error response first + informUserOfPeerError("unsupported CONNECT response status code"); return; } @@ -454,13 +480,6 @@ } void -TunnelStateData::Connection::logicError(const char *errMsg) -{ - debugs(50, 3, conn << " closing on error: " << errMsg); - conn->close(); -} - -void TunnelStateData::Connection::error(int const xerrno) { /* XXX fixme xstrerror and xerrno... */ @@ -556,7 +575,7 @@ debugs(26, 3, HERE << "Schedule Write"); AsyncCall::Pointer call = commCbCall(5,5, "TunnelBlindCopyWriteHandler", CommIoCbPtrFun(completion, this)); - Comm::Write(to.conn, from.buf, len, call, NULL); + to.write(from.buf, len, call, NULL); } /* Writes data from the client buffer to the server side */ @@ -565,6 +584,7 @@ { TunnelStateData *tunnelState = (TunnelStateData *)data; assert (cbdataReferenceValid (tunnelState)); + tunnelState->server.writer = NULL; tunnelState->writeServerDone(buf, len, flag, xerrno); } @@ -614,6 +634,7 @@ { TunnelStateData *tunnelState = (TunnelStateData *)data; assert (cbdataReferenceValid (tunnelState)); + tunnelState->client.writer = NULL; tunnelState->writeClientDone(buf, len, flag, xerrno); } 
@@ -631,7 +652,14 @@ } void -TunnelStateData::writeClientDone(char *buf, size_t len, Comm::Flag flag, int xerrno) +TunnelStateData::Connection::write(const char *b, int size, AsyncCall::Pointer &callback, FREE * free_func) +{ + writer = callback; + Comm::Write(conn, b, size, callback, free_func); +} + +void +TunnelStateData::writeClientDone(char *, size_t len, Comm::Flag flag, int xerrno) { debugs(26, 3, HERE << client.conn << ", " << len << " bytes written, flag=" << flag); @@ -789,6 +817,7 @@ { TunnelStateData *tunnelState = (TunnelStateData *)data; debugs(26, 3, HERE << conn << ", flag=" << flag); + tunnelState->client.writer = NULL; if (flag != Comm::OK) { *tunnelState->status_ptr = Http::scInternalServerError; @@ -805,6 +834,7 @@ { TunnelStateData *tunnelState = (TunnelStateData *)data; debugs(26, 3, conn << ", flag=" << flag); + tunnelState->server.writer = NULL; assert(tunnelState->waitingForConnectRequest()); if (flag != Comm::OK) { @@ -845,7 +875,7 @@ else { AsyncCall::Pointer call = commCbCall(5,5, "tunnelConnectedWriteDone", CommIoCbPtrFun(tunnelConnectedWriteDone, tunnelState)); - Comm::Write(tunnelState->client.conn, conn_established, strlen(conn_established), call, NULL); + tunnelState->client.write(conn_established, strlen(conn_established), call, NULL); } } 
@@ -875,13 +905,20 @@ /* At this point only the TCP handshake has failed. no data has been passed. * we are allowed to re-try the TCP-level connection to alternate IPs for CONNECT. */ + debugs(26, 4, "removing server 1 of " << tunnelState->serverDestinations.size() << + " from destinations (" << tunnelState->serverDestinations[0] << ")"); tunnelState->serverDestinations.erase(tunnelState->serverDestinations.begin()); - if (status != Comm::TIMEOUT && tunnelState->serverDestinations.size() > 0) { + time_t fwdTimeout = tunnelState->started + Config.Timeout.forward; + if (fwdTimeout > squid_curtime && tunnelState->serverDestinations.size() > 0) { + // find remaining forward_timeout available for this attempt + fwdTimeout -= squid_curtime; + if (fwdTimeout > Config.Timeout.connect) + fwdTimeout = Config.Timeout.connect; /* Try another IP of this destination host */ GetMarkingsToServer(tunnelState->request.getRaw(), *tunnelState->serverDestinations[0]); debugs(26, 4, HERE << "retry with : " << tunnelState->serverDestinations[0]); AsyncCall::Pointer call = commCbCall(26,3, "tunnelConnectDone", CommConnectCbPtrFun(tunnelConnectDone, tunnelState)); - Comm::ConnOpener *cs = new Comm::ConnOpener(tunnelState->serverDestinations[0], call, Config.Timeout.connect); + Comm::ConnOpener *cs = new Comm::ConnOpener(tunnelState->serverDestinations[0], call, fwdTimeout); cs->setHost(tunnelState->url); AsyncJob::Start(cs); } else { @@ -981,6 +1018,7 @@ tunnelState->client.conn = http->getConn()->clientConnection; tunnelState->http = http; tunnelState->al = al; + tunnelState->started = squid_curtime; comm_add_close_handler(tunnelState->client.conn->fd, tunnelClientClosed, 
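Review bot: In the `@@ -875,13 +905,20 @@` hunk `fwdTimeout` first holds an absolute deadline (`tunnelState->started + Config.Timeout.forward`) and is then overwritten with the remaining seconds passed to `Comm::ConnOpener`, which makes the comparison against `squid_curtime` and the later clamp easy to misread. Two names would separate the meanings: `const time_t deadline = tunnelState->started + Config.Timeout.forward;` for the check, and a separate `remaining` inside the branch for the clamped per-attempt timeout. The added `debugs` line also reads `serverDestinations[0]` and so relies on the list being non-empty, the same assumption the existing `erase(begin())` makes. The function starts outside the hunk, so that precondition cannot be confirmed from here.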
@@ -1064,29 +1102,21 @@ debugs(11, 2, "Tunnel Server REQUEST: " << tunnelState->server.conn << ":\n----------\n" << Raw("tunnelRelayConnectRequest", mb.content(), mb.contentSize()) << "\n----------"); - if (tunnelState->clientExpectsConnectResponse()) { - // hack: blindly tunnel peer response (to our CONNECT request) to the client as ours. - AsyncCall::Pointer writeCall = commCbCall(5,5, "tunnelConnectedWriteDone", - CommIoCbPtrFun(tunnelConnectedWriteDone, tunnelState)); - Comm::Write(srv, &mb, writeCall); - } else { - // we have to eat the connect response from the peer (so that the client - // does not see it) and only then start shoveling data to the client - AsyncCall::Pointer writeCall = commCbCall(5,5, "tunnelConnectReqWriteDone", - CommIoCbPtrFun(tunnelConnectReqWriteDone, - tunnelState)); - Comm::Write(srv, &mb, writeCall); - tunnelState->connectReqWriting = true; - - tunnelState->connectRespBuf = new MemBuf; - // SQUID_TCP_SO_RCVBUF: we should not accumulate more than regular I/O buffer - // can hold since any CONNECT response leftovers have to fit into server.buf. - // 2*SQUID_TCP_SO_RCVBUF: HttpMsg::parse() zero-terminates, which uses space. - tunnelState->connectRespBuf->init(SQUID_TCP_SO_RCVBUF, 2*SQUID_TCP_SO_RCVBUF); - tunnelState->readConnectResponse(); + AsyncCall::Pointer writeCall = commCbCall(5,5, "tunnelConnectReqWriteDone", + CommIoCbPtrFun(tunnelConnectReqWriteDone, + tunnelState)); + + tunnelState->server.write(mb.buf, mb.size, writeCall, mb.freeFunc()); + tunnelState->connectReqWriting = true; + + tunnelState->connectRespBuf = new MemBuf; + // SQUID_TCP_SO_RCVBUF: we should not accumulate more than regular I/O buffer + // can hold since any CONNECT response leftovers have to fit into server.buf. + // 2*SQUID_TCP_SO_RCVBUF: HttpMsg::parse() zero-terminates, which uses space. 
+ tunnelState->connectRespBuf->init(SQUID_TCP_SO_RCVBUF, 2*SQUID_TCP_SO_RCVBUF); + tunnelState->readConnectResponse(); - assert(tunnelState->waitingForConnectExchange()); - } + assert(tunnelState->waitingForConnectExchange()); AsyncCall::Pointer timeoutCall = commCbCall(5, 4, "tunnelTimeout", CommTimeoutCbPtrFun(tunnelTimeout, tunnelState)); @@ -1219,7 +1249,7 @@ AsyncCall::Pointer call = commCbCall(5,5, "tunnelConnectedWriteDone", CommIoCbPtrFun(tunnelConnectedWriteDone, tunnelState)); - Comm::Write(tunnelState->client.conn, buf.content(), buf.contentSize(), call, NULL); + tunnelState->client.write(buf.content(), buf.contentSize(), call, NULL); } #endif //USE_OPENSSL