diff -u -r -N squid-4.3/acinclude/lib-checks.m4 squid-4.4/acinclude/lib-checks.m4
--- squid-4.3/acinclude/lib-checks.m4 2018-10-01 07:57:54.000000000 +1300
+++ squid-4.4/acinclude/lib-checks.m4 2018-10-28 09:44:55.000000000 +1300
@@ -61,42 +61,48 @@ dnl Checks whether the -lcrypto library provides various OpenSSL API functions AC_DEFUN([SQUID_CHECK_LIBCRYPTO_API],[ + AH_TEMPLATE(HAVE_LIBCRYPTO_OPENSSL_LH_STRHASH, "Define to 1 if the OPENSSL_LH_strhash() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, "Define to 1 if the EVP_PKEY_get0_RSA() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_METH_NEW, "Define to 1 if the BIO_meth_new() OpenSSL API function exists") + AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_GET_DATA, "Define to 1 if the BIO_get_data() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_GET_INIT, "Define to 1 if the BIO_get_init() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, "Define to 1 if the ASN1_STRING_get0_data() OpenSSL API function exists") + AH_TEMPLATE(HAVE_LIBCRYPTO_EVP_PKEY_UP_REF, "Define to 1 if the EVP_PKEY_up_ref() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, "Define to 1 if the X509_STORE_CTX_get0_cert() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, "Define to 1 if the X509_VERIFY_PARAM_get_depth() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_get0_untrusted() OpenSSL API function exists") - AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_set0_untrusted() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_X509_UP_REF, "Define to 1 if the X509_up_ref() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_X509_CRL_UP_REF, "Define to 1 if the X509_CRL_up_ref() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_DH_UP_REF, "Define to 1 if the DH_up_ref() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_X509_GET0_SIGNATURE, "Define to 1 if the X509_get0_signature() OpenSSL API function exists") SQUID_STATE_SAVE(check_openssl_libcrypto_api) LIBS="$LIBS $SSLLIB" + 
AC_CHECK_LIB(crypto, OPENSSL_LH_strhash, AC_DEFINE(HAVE_LIBCRYPTO_OPENSSL_LH_STRHASH, 1)) AC_CHECK_LIB(crypto, EVP_PKEY_get0_RSA, AC_DEFINE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, 1)) AC_CHECK_LIB(crypto, BIO_meth_new, AC_DEFINE(HAVE_LIBCRYPTO_BIO_METH_NEW, 1)) + AC_CHECK_LIB(crypto, BIO_get_data, AC_DEFINE(HAVE_LIBCRYPTO_BIO_GET_DATA, 1)) AC_CHECK_LIB(crypto, BIO_get_init, AC_DEFINE(HAVE_LIBCRYPTO_BIO_GET_INIT, 1)) AC_CHECK_LIB(crypto, ASN1_STRING_get0_data, AC_DEFINE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, 1)) + AC_CHECK_LIB(crypto, EVP_PKEY_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_EVP_PKEY_UP_REF, 1)) AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_cert, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, 1)) AC_CHECK_LIB(crypto, X509_VERIFY_PARAM_get_depth, AC_DEFINE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, 1)) AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, 1)) - AC_CHECK_LIB(crypto, X509_STORE_CTX_set0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, 1)) AC_CHECK_LIB(crypto, X509_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_X509_UP_REF, 1)) AC_CHECK_LIB(crypto, X509_CRL_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_X509_CRL_UP_REF, 1)) AC_CHECK_LIB(crypto, DH_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_DH_UP_REF, 1)) - AC_CHECK_LIB(crypto, X509_get0_signature, AC_DEFINE(HAVE_LIBCRYPTO_X509_GET0_SIGNATURE, 1)) + AC_CHECK_LIB(crypto, X509_get0_signature, AC_DEFINE(HAVE_LIBCRYPTO_X509_GET0_SIGNATURE, 1), AC_DEFINE(SQUID_CONST_X509_GET0_SIGNATURE_ARGS,)) SQUID_STATE_ROLLBACK(check_openssl_libcrypto_api) ]) dnl Checks whether the -lssl library provides various OpenSSL API functions AC_DEFUN([SQUID_CHECK_LIBSSL_API],[ + AH_TEMPLATE(HAVE_LIBSSL_OPENSSL_INIT_SSL, "Define to 1 if the OPENSSL_init_ssl() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBSSL_SSL_CIPHER_FIND, "Define to 1 if the SSL_CIPHER_find() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, "Define to 1 if the SSL_CTX_set_tmp_rsa_callback() 
OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBSSL_SSL_SESSION_GET_ID, "Define to 1 if the SSL_SESSION_get_id() OpenSSL API function exists") SQUID_STATE_SAVE(check_openssl_libssl_api) LIBS="$LIBS $SSLLIB" + AC_CHECK_LIB(ssl, OPENSSL_init_ssl, AC_DEFINE(HAVE_LIBSSL_OPENSSL_INIT_SSL, 1)) AC_CHECK_LIB(ssl, SSL_CIPHER_find, AC_DEFINE(HAVE_LIBSSL_SSL_CIPHER_FIND, 1)) AC_CHECK_LIB(ssl, SSL_CTX_set_tmp_rsa_callback, AC_DEFINE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, 1)) AC_CHECK_LIB(ssl, SSL_SESSION_get_id, AC_DEFINE(HAVE_LIBSSL_SSL_SESSION_GET_ID, 1)) @@ -122,7 +128,9 @@ #include ], [ +#if defined(SSLeay_add_ssl_algorithms) SSLeay_add_ssl_algorithms(); +#endif #if HAVE_OPENSSL_TLS_METHOD SSL_CTX *sslContext = SSL_CTX_new(TLS_method()); #else @@ -153,7 +161,9 @@ #include ], [ +#if defined(SSLeay_add_ssl_algorithms) SSLeay_add_ssl_algorithms(); +#endif #if HAVE_OPENSSL_TLS_METHOD SSL_CTX *sslContext = SSL_CTX_new(TLS_method()); #else @@ -261,7 +271,7 @@ dnl Checks whether the X509_get0_signature() has const arguments AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_X509_GET0_SIGNATURE_ARGS],[ - AH_TEMPLATE(SQUID_USE_CONST_X509_GET0_SIGNATURE_ARGS, "Define if X509_get0_signature() accepts const parameters") + AH_TEMPLATE(SQUID_CONST_X509_GET0_SIGNATURE_ARGS, Define to const if X509_get0_signature() accepts const parameters; define as empty otherwise. Don't leave it undefined!) SQUID_STATE_SAVE(check_const_X509_get0_signature_args) AC_MSG_CHECKING("whether X509_get0_signature() accepts const parameters") AC_COMPILE_IFELSE([AC_LANG_PROGRAM([ 
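Review bot: The new fourth argument on the X509_get0_signature check, `AC_DEFINE(SQUID_CONST_X509_GET0_SIGNATURE_ARGS,)`, defines a symbol that has no AH_TEMPLATE inside SQUID_CHECK_LIBCRYPTO_API; the only template visible in this diff sits in SQUID_CHECK_OPENSSL_CONST_X509_GET0_SIGNATURE_ARGS. If configure.ac ever expands this macro without the other one, autoheader has no description for the symbol, so either repeat the AH_TEMPLATE here or add a line such as `dnl template is declared in SQUID_CHECK_OPENSSL_CONST_X509_GET0_SIGNATURE_ARGS` next to the call. A second `dnl` line saying that the empty value is deliberate (the symbol must expand to `const` or to nothing, never stay undefined) would stop someone from "fixing" the trailing comma later.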
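Review bot: The `#if defined(SSLeay_add_ssl_algorithms)` guard added to this test program can only see the name when the headers provide it as a preprocessor macro; if a library exports it as a plain function, the probe now silently runs without the initialisation call. compat/openssl.h in the same patch chooses between explicit and automatic initialisation with `HAVE_LIBSSL_OPENSSL_INIT_SSL` instead, so the two places can disagree. Either use the same condition here, provided that define is already in confdefs.h when this test runs (not visible from the hunk), or document the assumption with a comment such as `/* detected as a macro only; when absent the library is expected to initialise itself */`. The identical guard in the next hunk (@@ -153,7 +161,9 @@) needs the same treatment. Both test programs begin and end outside the lines shown.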
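Review bot: The replacement AH_TEMPLATE description is passed as bare text, without the double quotes the other templates in this diff use and without m4 brackets, so m4 rescans every word of it and would split the argument at the first comma anyone adds later. Bracket-quote it: `AH_TEMPLATE(SQUID_CONST_X509_GET0_SIGNATURE_ARGS, [Define to const if X509_get0_signature() accepts const parameters; define as empty otherwise. Don't leave it undefined!])`. The macro body continues past the end of this hunk.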
@@ -276,9 +286,10 @@ #endif ]) ],[ - AC_DEFINE(SQUID_USE_CONST_X509_GET0_SIGNATURE_ARGS, 1) + AC_DEFINE(SQUID_CONST_X509_GET0_SIGNATURE_ARGS, const) AC_MSG_RESULT([yes]) ],[ + AC_DEFINE(SQUID_CONST_X509_GET0_SIGNATURE_ARGS,) AC_MSG_RESULT([no]) ]) SQUID_STATE_ROLLBACK(check_const_X509_get0_signature_args) diff -u -r -N squid-4.3/aclocal.m4 squid-4.4/aclocal.m4 --- squid-4.3/aclocal.m4 2018-10-01 08:21:51.000000000 +1300 +++ squid-4.4/aclocal.m4 2018-10-28 09:45:06.000000000 +1300 @@ -4077,7 +4077,8 @@ if AC_TRY_EVAL(ac_compile); then # Now try to grab the symbols. nlist=conftest.nm - if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then + $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&AS_MESSAGE_LOG_FD + if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&AS_MESSAGE_LOG_FD && test -s "$nlist"; then # Try sorting and uniquifying the output. if sort "$nlist" | uniq > "$nlist"T; then mv -f "$nlist"T "$nlist" diff -u -r -N squid-4.3/cfgaux/ltmain.sh squid-4.4/cfgaux/ltmain.sh --- squid-4.3/cfgaux/ltmain.sh 2018-10-01 08:21:52.000000000 +1300 +++ squid-4.4/cfgaux/ltmain.sh 2018-10-28 09:45:07.000000000 +1300 @@ -31,7 +31,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION="2.4.6 Debian-2.4.6-4" +VERSION="2.4.6 Debian-2.4.6-6" package_revision=2.4.6 @@ -64,7 +64,7 @@ # libraries, which are installed to $pkgauxdir. # Set a version string for this script. -scriptversion=2015-10-12.13; # UTC +scriptversion=2015-10-04.22; # UTC # General shell script boiler plate, and helper functions. # Written by Gary V. Vaughan, 2004 
@@ -580,16 +580,16 @@ { $debug_cmd - func_quote_arg pretty "$2" - eval "$1+=\\ \$func_quote_arg_result" + func_quote_for_eval "$2" + eval "$1+=\\ \$func_quote_for_eval_result" }' else func_append_quoted () { $debug_cmd - func_quote_arg pretty "$2" - eval "$1=\$$1\\ \$func_quote_arg_result" + func_quote_for_eval "$2" + eval "$1=\$$1\\ \$func_quote_for_eval_result" } fi 
@@ -1091,184 +1091,135 @@ } -# func_quote_portable EVAL ARG -# ---------------------------- -# Internal function to portably implement func_quote_arg. Note that we still -# keep attention to performance here so we as much as possible try to avoid -# calling sed binary (so far O(N) complexity as long as func_append is O(1)). -func_quote_portable () +# func_quote ARG +# -------------- +# Aesthetically quote one ARG, store the result into $func_quote_result. Note +# that we keep attention to performance here (so far O(N) complexity as long as +# func_append is O(1)). +func_quote () { $debug_cmd - func_quote_portable_result=$2 + func_quote_result=$1 - # one-time-loop (easy break) - while true - do - if $1; then - func_quote_portable_result=`$ECHO "$2" | $SED \ - -e "$sed_double_quote_subst" -e "$sed_double_backslash"` - break - fi - - # Quote for eval. - case $func_quote_portable_result in - *[\\\`\"\$]*) - case $func_quote_portable_result in - *[\[\*\?]*) - func_quote_portable_result=`$ECHO "$func_quote_portable_result" | $SED "$sed_quote_subst"` - break - ;; - esac + case $func_quote_result in + *[\\\`\"\$]*) + case $func_quote_result in + *[\[\*\?]*) + func_quote_result=`$ECHO "$func_quote_result" | $SED "$sed_quote_subst"` + return 0 + ;; + esac - func_quote_portable_old_IFS=$IFS - for _G_char in '\' '`' '"' '$' + func_quote_old_IFS=$IFS + for _G_char in '\' '`' '"' '$' + do + # STATE($1) PREV($2) SEPARATOR($3) + set start "" "" + func_quote_result=dummy"$_G_char$func_quote_result$_G_char"dummy + IFS=$_G_char + for _G_part in $func_quote_result do - # STATE($1) PREV($2) SEPARATOR($3) - set start "" "" - func_quote_portable_result=dummy"$_G_char$func_quote_portable_result$_G_char"dummy - IFS=$_G_char - for _G_part in $func_quote_portable_result - do - case $1 in - quote) - func_append func_quote_portable_result "$3$2" - set quote "$_G_part" "\\$_G_char" - ;; - start) - set first "" "" - func_quote_portable_result= - ;; - first) - set quote "$_G_part" "" - ;; - esac 
- done + case $1 in + quote) + func_append func_quote_result "$3$2" + set quote "$_G_part" "\\$_G_char" + ;; + start) + set first "" "" + func_quote_result= + ;; + first) + set quote "$_G_part" "" + ;; + esac done - IFS=$func_quote_portable_old_IFS - ;; - *) ;; - esac - break - done - - func_quote_portable_unquoted_result=$func_quote_portable_result - case $func_quote_portable_result in - # double-quote args containing shell metacharacters to delay - # word splitting, command substitution and variable expansion - # for a subsequent eval. - # many bourne shells cannot handle close brackets correctly - # in scan sets, so we specify it separately. - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - func_quote_portable_result=\"$func_quote_portable_result\" + IFS=$func_quote_old_IFS + done ;; + *) ;; esac } -# func_quotefast_eval ARG -# ----------------------- -# Quote one ARG (internal). This is equivalent to 'func_quote_arg eval ARG', -# but optimized for speed. Result is stored in $func_quotefast_eval. -if test xyes = `(x=; printf -v x %q yes; echo x"$x") 2>/dev/null`; then - func_quotefast_eval () - { - printf -v func_quotefast_eval_result %q "$1" - } -else - func_quotefast_eval () - { - func_quote_portable false "$1" - func_quotefast_eval_result=$func_quote_portable_result - } -fi - - -# func_quote_arg MODEs ARG -# ------------------------ -# Quote one ARG to be evaled later. MODEs argument may contain zero ore more -# specifiers listed below separated by ',' character. This function returns two -# values: -# i) func_quote_arg_result -# double-quoted (when needed), suitable for a subsequent eval -# ii) func_quote_arg_unquoted_result +# func_quote_for_eval ARG... +# -------------------------- +# Aesthetically quote ARGs to be evaled later. 
+# This function returns two values: +# i) func_quote_for_eval_result +# double-quoted, suitable for a subsequent eval +# ii) func_quote_for_eval_unquoted_result # has all characters that are still active within double -# quotes backslashified. Available only if 'unquoted' is specified. -# -# Available modes: -# ---------------- -# 'eval' (default) -# - escape shell special characters -# 'expand' -# - the same as 'eval'; but do not quote variable references -# 'pretty' -# - request aesthetic output, i.e. '"a b"' instead of 'a\ b'. This might -# later used in func_quote to get output like: 'echo "a b"' instead of -# 'echo a\ b'. This is slower than default on some shells. -# 'unquoted' -# - produce also $func_quote_arg_unquoted_result which does not contain -# wrapping double-quotes. -# -# Examples for 'func_quote_arg pretty,unquoted string': -# -# string | *_result | *_unquoted_result -# ------------+-----------------------+------------------- -# " | \" | \" -# a b | "a b" | a b -# "a b" | "\"a b\"" | \"a b\" -# * | "*" | * -# z="${x-$y}" | "z=\"\${x-\$y}\"" | z=\"\${x-\$y}\" -# -# Examples for 'func_quote_arg pretty,unquoted,expand string': -# -# string | *_result | *_unquoted_result -# --------------+---------------------+-------------------- -# z="${x-$y}" | "z=\"${x-$y}\"" | z=\"${x-$y}\" -func_quote_arg () -{ - _G_quote_expand=false - case ,$1, in - *,expand,*) - _G_quote_expand=: - ;; - esac - - case ,$1, in - *,pretty,*|*,expand,*|*,unquoted,*) - func_quote_portable $_G_quote_expand "$2" - func_quote_arg_result=$func_quote_portable_result - func_quote_arg_unquoted_result=$func_quote_portable_unquoted_result - ;; - *) - # Faster quote-for-eval for some shells. - func_quotefast_eval "$2" - func_quote_arg_result=$func_quotefast_eval_result - ;; - esac -} - - -# func_quote MODEs ARGs... -# ------------------------ -# Quote all ARGs to be evaled later and join them into single command. See -# func_quote_arg's description for more info. 
-func_quote () +# quotes backslashified. +func_quote_for_eval () { $debug_cmd - _G_func_quote_mode=$1 ; shift - func_quote_result= + + func_quote_for_eval_unquoted_result= + func_quote_for_eval_result= while test 0 -lt $#; do - func_quote_arg "$_G_func_quote_mode" "$1" - if test -n "$func_quote_result"; then - func_append func_quote_result " $func_quote_arg_result" + func_quote "$1" + _G_unquoted_arg=$func_quote_result + if test -n "$func_quote_for_eval_unquoted_result"; then + func_append func_quote_for_eval_unquoted_result " $_G_unquoted_arg" else - func_append func_quote_result "$func_quote_arg_result" + func_append func_quote_for_eval_unquoted_result "$_G_unquoted_arg" + fi + + case $_G_unquoted_arg in + # Double-quote args containing shell metacharacters to delay + # word splitting, command substitution and variable expansion + # for a subsequent eval. + # Many Bourne shells cannot handle close brackets correctly + # in scan sets, so we specify it separately. + *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") + _G_quoted_arg=\"$_G_unquoted_arg\" + ;; + *) + _G_quoted_arg=$_G_unquoted_arg + ;; + esac + + if test -n "$func_quote_for_eval_result"; then + func_append func_quote_for_eval_result " $_G_quoted_arg" + else + func_append func_quote_for_eval_result "$_G_quoted_arg" fi shift done } +# func_quote_for_expand ARG +# ------------------------- +# Aesthetically quote ARG to be evaled later; same as above, +# but do not quote variable references. +func_quote_for_expand () +{ + $debug_cmd + + case $1 in + *[\\\`\"]*) + _G_arg=`$ECHO "$1" | $SED \ + -e "$sed_double_quote_subst" -e "$sed_double_backslash"` ;; + *) + _G_arg=$1 ;; + esac + + case $_G_arg in + # Double-quote args containing shell metacharacters to delay + # word splitting and command substitution for a subsequent eval. + # Many Bourne shells cannot handle close brackets correctly + # in scan sets, so we specify it separately. 
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") + _G_arg=\"$_G_arg\" + ;; + esac + + func_quote_for_expand_result=$_G_arg +} + + # func_stripname PREFIX SUFFIX NAME # --------------------------------- # strip PREFIX and SUFFIX from NAME, and store in func_stripname_result. @@ -1311,8 +1262,8 @@ _G_cmd=$1 _G_fail_exp=${2-':'} - func_quote_arg pretty,expand "$_G_cmd" - eval "func_notquiet $func_quote_arg_result" + func_quote_for_expand "$_G_cmd" + eval "func_notquiet $func_quote_for_expand_result" $opt_dry_run || { eval "$_G_cmd" @@ -1337,8 +1288,8 @@ _G_fail_exp=${2-':'} $opt_quiet || { - func_quote_arg expand,pretty "$_G_cmd" - eval "func_echo $func_quote_arg_result" + func_quote_for_expand "$_G_cmd" + eval "func_echo $func_quote_for_expand_result" } $opt_dry_run || { @@ -1466,7 +1417,7 @@ #! /bin/sh # Set a version string for this script. -scriptversion=2015-10-12.13; # UTC +scriptversion=2015-10-07.11; # UTC # A portable, pluggable option parser for Bourne shell. # Written by Gary V. Vaughan, 2010 @@ -1676,8 +1627,8 @@ # ' # # No change in '$@' (ignored completely by this hook). There is # # no need to do the equivalent (but slower) action: -# # func_quote eval ${1+"$@"} -# # my_options_prep_result=$func_quote_result +# # func_quote_for_eval ${1+"$@"} +# # my_options_prep_result=$func_quote_for_eval_result # false # } # func_add_hook func_options_prep my_options_prep @@ -1713,8 +1664,8 @@ # done # # if $args_changed; then -# func_quote eval ${1+"$@"} -# my_silent_option_result=$func_quote_result +# func_quote_for_eval ${1+"$@"} +# my_silent_option_result=$func_quote_for_eval_result # fi # # $args_changed @@ -1781,8 +1732,8 @@ if $_G_rc_options; then func_options_result=$_G_res_var else - func_quote eval ${1+"$@"} - func_options_result=$func_quote_result + func_quote_for_eval ${1+"$@"} + func_options_result=$func_quote_for_eval_result fi $_G_rc_options 
@@ -1925,8 +1876,8 @@ if $_G_rc_parse_options; then # save modified positional parameters for caller - func_quote eval ${1+"$@"} - func_parse_options_result=$func_quote_result + func_quote_for_eval ${1+"$@"} + func_parse_options_result=$func_quote_for_eval_result fi $_G_rc_parse_options @@ -2237,7 +2188,7 @@ compiler: $LTCC compiler flags: $LTCFLAGS linker: $LD (gnu? $with_gnu_ld) - version: $progname $scriptversion Debian-2.4.6-4 + version: $progname $scriptversion Debian-2.4.6-6 automake: `($AUTOMAKE --version) 2>/dev/null |$SED 1q` autoconf: `($AUTOCONF --version) 2>/dev/null |$SED 1q` @@ -2471,8 +2422,8 @@ if $_G_rc_lt_options_prep; then # Pass back the list of options. - func_quote eval ${1+"$@"} - libtool_options_prep_result=$func_quote_result + func_quote_for_eval ${1+"$@"} + libtool_options_prep_result=$func_quote_for_eval_result fi $_G_rc_lt_options_prep @@ -2578,8 +2529,8 @@ if $_G_rc_lt_parse_options; then # save modified positional parameters for caller - func_quote eval ${1+"$@"} - libtool_parse_options_result=$func_quote_result + func_quote_for_eval ${1+"$@"} + libtool_parse_options_result=$func_quote_for_eval_result fi $_G_rc_lt_parse_options @@ -2639,8 +2590,8 @@ } # Pass back the unparsed argument list - func_quote eval ${1+"$@"} - libtool_validate_options_result=$func_quote_result + func_quote_for_eval ${1+"$@"} + libtool_validate_options_result=$func_quote_for_eval_result } func_add_hook func_validate_options libtool_validate_options @@ -3606,8 +3557,8 @@ esac done - func_quote_arg pretty "$libobj" - test "X$libobj" != "X$func_quote_arg_result" \ + func_quote_for_eval "$libobj" + test "X$libobj" != "X$func_quote_for_eval_result" \ && $ECHO "X$libobj" | $GREP '[]~#^*{};<>?"'"'"' &()|`$[]' \ && func_warning "libobj name '$libobj' may not contain shell special characters." func_dirname_and_basename "$obj" "/" "" 
@@ -3680,8 +3631,8 @@ func_to_tool_file "$srcfile" func_convert_file_msys_to_w32 srcfile=$func_to_tool_file_result - func_quote_arg pretty "$srcfile" - qsrcfile=$func_quote_arg_result + func_quote_for_eval "$srcfile" + qsrcfile=$func_quote_for_eval_result # Only build a PIC object if we are building libtool libraries. if test yes = "$build_libtool_libs"; then @@ -4284,8 +4235,8 @@ case $nonopt in *shtool*) :;; *) false;; esac then # Aesthetically quote it. - func_quote_arg pretty "$nonopt" - install_prog="$func_quote_arg_result " + func_quote_for_eval "$nonopt" + install_prog="$func_quote_for_eval_result " arg=$1 shift else @@ -4295,8 +4246,8 @@ # The real first argument should be the name of the installation program. # Aesthetically quote it. - func_quote_arg pretty "$arg" - func_append install_prog "$func_quote_arg_result" + func_quote_for_eval "$arg" + func_append install_prog "$func_quote_for_eval_result" install_shared_prog=$install_prog case " $install_prog " in *[\\\ /]cp\ *) install_cp=: ;; @@ -4353,12 +4304,12 @@ esac # Aesthetically quote the argument. - func_quote_arg pretty "$arg" - func_append install_prog " $func_quote_arg_result" + func_quote_for_eval "$arg" + func_append install_prog " $func_quote_for_eval_result" if test -n "$arg2"; then - func_quote_arg pretty "$arg2" + func_quote_for_eval "$arg2" fi - func_append install_shared_prog " $func_quote_arg_result" + func_append install_shared_prog " $func_quote_for_eval_result" done test -z "$install_prog" && \ @@ -4369,8 +4320,8 @@ if test -n "$install_override_mode" && $no_mode; then if $install_cp; then :; else - func_quote_arg pretty "$install_override_mode" - func_append install_shared_prog " -m $func_quote_arg_result" + func_quote_for_eval "$install_override_mode" + func_append install_shared_prog " -m $func_quote_for_eval_result" fi fi 
@@ -4666,8 +4617,8 @@ relink_command=`$ECHO "$relink_command" | $SED 's%@OUTPUT@%'"$outputname"'%g'` $opt_quiet || { - func_quote_arg expand,pretty "$relink_command" - eval "func_echo $func_quote_arg_result" + func_quote_for_expand "$relink_command" + eval "func_echo $func_quote_for_expand_result" } if eval "$relink_command"; then : else @@ -5446,8 +5397,8 @@ if test \"\$libtool_execute_magic\" != \"$magic\"; then file=\"\$0\"" - func_quote_arg pretty "$ECHO" - qECHO=$func_quote_arg_result + func_quote "$ECHO" + qECHO=$func_quote_result $ECHO "\ # A function that is used when there is no print builtin or printf. @@ -5457,7 +5408,7 @@ \$1 _LTECHO_EOF' } - ECHO=$qECHO + ECHO=\"$qECHO\" fi # Very basic option parsing. These options are (a) specific to @@ -6800,9 +6751,9 @@ while test "$#" -gt 0; do arg=$1 shift - func_quote_arg pretty,unquoted "$arg" - qarg=$func_quote_arg_unquoted_result - func_append libtool_args " $func_quote_arg_result" + func_quote_for_eval "$arg" + qarg=$func_quote_for_eval_unquoted_result + func_append libtool_args " $func_quote_for_eval_result" # If the previous option needs an argument, assign it. if test -n "$prev"; then @@ -7400,9 +7351,9 @@ save_ifs=$IFS; IFS=, for flag in $args; do IFS=$save_ifs - func_quote_arg pretty "$flag" - func_append arg " $func_quote_arg_result" - func_append compiler_flags " $func_quote_arg_result" + func_quote_for_eval "$flag" + func_append arg " $func_quote_for_eval_result" + func_append compiler_flags " $func_quote_for_eval_result" done IFS=$save_ifs func_stripname ' ' '' "$arg" 
@@ -7416,10 +7367,10 @@ save_ifs=$IFS; IFS=, for flag in $args; do IFS=$save_ifs - func_quote_arg pretty "$flag" - func_append arg " $wl$func_quote_arg_result" - func_append compiler_flags " $wl$func_quote_arg_result" - func_append linker_flags " $func_quote_arg_result" + func_quote_for_eval "$flag" + func_append arg " $wl$func_quote_for_eval_result" + func_append compiler_flags " $wl$func_quote_for_eval_result" + func_append linker_flags " $func_quote_for_eval_result" done IFS=$save_ifs func_stripname ' ' '' "$arg" @@ -7443,8 +7394,8 @@ # -msg_* for osf cc -msg_*) - func_quote_arg pretty "$arg" - arg=$func_quote_arg_result + func_quote_for_eval "$arg" + arg=$func_quote_for_eval_result ;; # Flags to be passed through unchanged, with rationale: @@ -7468,8 +7419,8 @@ -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \ -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*| \ -specs=*|-fsanitize=*) - func_quote_arg pretty "$arg" - arg=$func_quote_arg_result + func_quote_for_eval "$arg" + arg=$func_quote_for_eval_result func_append compile_command " $arg" func_append finalize_command " $arg" func_append compiler_flags " $arg" @@ -7490,15 +7441,15 @@ continue else # Otherwise treat like 'Some other compiler flag' below - func_quote_arg pretty "$arg" - arg=$func_quote_arg_result + func_quote_for_eval "$arg" + arg=$func_quote_for_eval_result fi ;; # Some other compiler flag. -* | +*) - func_quote_arg pretty "$arg" - arg=$func_quote_arg_result + func_quote_for_eval "$arg" + arg=$func_quote_for_eval_result ;; *.$objext) @@ -7618,8 +7569,8 @@ *) # Unknown arguments in both finalize_command and compile_command need # to be aesthetically quoted because they are evaled later. - func_quote_arg pretty "$arg" - arg=$func_quote_arg_result + func_quote_for_eval "$arg" + arg=$func_quote_for_eval_result ;; esac # arg 
@@ -10131,8 +10082,8 @@ for cmd in $concat_cmds; do IFS=$save_ifs $opt_quiet || { - func_quote_arg expand,pretty "$cmd" - eval "func_echo $func_quote_arg_result" + func_quote_for_expand "$cmd" + eval "func_echo $func_quote_for_expand_result" } $opt_dry_run || eval "$cmd" || { lt_exit=$? @@ -10225,8 +10176,8 @@ eval cmd=\"$cmd\" IFS=$save_ifs $opt_quiet || { - func_quote_arg expand,pretty "$cmd" - eval "func_echo $func_quote_arg_result" + func_quote_for_expand "$cmd" + eval "func_echo $func_quote_for_expand_result" } $opt_dry_run || eval "$cmd" || { lt_exit=$? @@ -10700,12 +10651,12 @@ elif eval var_value=\$$var; test -z "$var_value"; then relink_command="$var=; export $var; $relink_command" else - func_quote_arg pretty "$var_value" - relink_command="$var=$func_quote_arg_result; export $var; $relink_command" + func_quote_for_eval "$var_value" + relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command" fi done - func_quote_arg pretty,unquoted "(cd `pwd`; $relink_command)" - relink_command=$func_quote_arg_unquoted_result + func_quote "(cd `pwd`; $relink_command)" + relink_command=$func_quote_result fi # Only actually do things if not in dry run mode. 
@@ -10945,14 +10896,14 @@ elif eval var_value=\$$var; test -z "$var_value"; then relink_command="$var=; export $var; $relink_command" else - func_quote_arg pretty,unquoted "$var_value" - relink_command="$var=$func_quote_arg_unquoted_result; export $var; $relink_command" + func_quote_for_eval "$var_value" + relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command" fi done # Quote the link command for shipping. relink_command="(cd `pwd`; $SHELL \"$progpath\" $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)" - func_quote_arg pretty,unquoted "$relink_command" - relink_command=$func_quote_arg_unquoted_result + func_quote "$relink_command" + relink_command=$func_quote_result if test yes = "$hardcode_automatic"; then relink_command= fi diff -u -r -N squid-4.3/ChangeLog squid-4.4/ChangeLog --- squid-4.3/ChangeLog 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/ChangeLog 2018-10-28 09:44:55.000000000 +1300 @@ -1,3 +1,13 @@ +Changes to squid-4.3 (28 Oct 2018): + + - Bug 4893: Malformed %>ru URIs for CONNECT requests + - Fix %USER_CA_CERT_xx and %USER_CERT_xx crashes + - SSL: support compilation with minimal OpenSSL + - SSL: certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL + - Fix netdb not saving to disk + - Fix memory leak when parsing SNMP packet + - ... and some compile issues + Changes to squid-4.3 (01 Oct 2018): - Bug 4885: Excessive memory usage when running out of descriptors diff -u -r -N squid-4.3/compat/Makefile.am squid-4.4/compat/Makefile.am --- squid-4.3/compat/Makefile.am 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/compat/Makefile.am 2018-10-28 09:44:55.000000000 +1300 @@ -42,6 +42,7 @@ initgroups.h \ memrchr.cc \ memrchr.h \ + openssl.h \ osdetect.h \ psignal.h \ shm.cc \ diff -u -r -N squid-4.3/compat/Makefile.in squid-4.4/compat/Makefile.in --- squid-4.3/compat/Makefile.in 2018-10-01 08:21:54.000000000 +1300 +++ squid-4.4/compat/Makefile.in 2018-10-28 09:45:09.000000000 +1300 
@@ -776,6 +776,7 @@ initgroups.h \ memrchr.cc \ memrchr.h \ + openssl.h \ osdetect.h \ psignal.h \ shm.cc \ diff -u -r -N squid-4.3/compat/openssl.h squid-4.4/compat/openssl.h --- squid-4.3/compat/openssl.h 1970-01-01 12:00:00.000000000 +1200 +++ squid-4.4/compat/openssl.h 2018-10-28 09:44:55.000000000 +1300 
@@ -0,0 +1,249 @@ +/* + * Copyright (C) 1996-2018 The Squid Software Foundation and contributors + * + * Squid software is distributed under GPLv2+ license and includes + * contributions from numerous individuals and organizations. + * Please see the COPYING and CONTRIBUTORS files for details. + */ + +/* OpenSSL API changed dramatically between 1.0.2 and 1.1.0, and + * compatibility was broken. Most of the structures became opaque, + * and access functions were created. There's no (safe) way to + * access the struct members any more, so the solution is to use + * the new API in the main code, and add the functions for older + * versions in compat/openssl.h. + * Once all the supported library versions use the new API, the shim + * can be dropped. + */ + +#ifndef OPENSSL_COMPAT_H +#define OPENSSL_COMPAT_H + +#if !USE_OPENSSL +#error compat/openssl.h depends on USE_OPENSSL +#endif + +#if HAVE_OPENSSL_ASN1_H +#include +#endif +#if HAVE_OPENSSL_BIO_H +#include +#endif +#if HAVE_OPENSSL_DH_H +#include +#endif +#if HAVE_OPENSSL_EVP_H +#include +#endif +#if HAVE_OPENSSL_LHASH_H +#include +#endif +#if HAVE_OPENSSL_SSL_H +#include +#endif +#if HAVE_OPENSSL_X509_H +#include +#endif + +extern "C" { + +#if !HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA + inline const unsigned char * + ASN1_STRING_get0_data(const ASN1_STRING *x) + { + return x->data; + } +#endif + +#if !HAVE_LIBCRYPTO_BIO_GET_DATA + inline void * + BIO_get_data(BIO *table) + { + return table->ptr; + } + + inline void + BIO_set_data(BIO *table, void *data) + { + table->ptr = data; + } + + inline void + BIO_set_init(BIO *table, int init) + { + table->init = init; + } +#endif + +#if !HAVE_LIBCRYPTO_BIO_GET_INIT + inline int + BIO_get_init(BIO *table) + { + return table->init; + } +#endif + +#if !HAVE_LIBCRYPTO_DH_UP_REF // OpenSSL 1.1 API +#if defined(CRYPTO_LOCK_DH) // OpenSSL 1.0 API + inline int + DH_up_ref(DH *t) + { + if (t && (CRYPTO_add(&t->references, 1, CRYPTO_LOCK_DH) > 1)) + return 1; + return 0; + } +#else 
+#error missing both OpenSSL API features DH_up_ref (v1.1) and CRYPTO_LOCK_DH (v1.0) +#endif /* OpenSSL 1.0 CRYPTO_LOCK_DH */ +#endif /* OpenSSL 1.1 DH_up_ref */ + +#if !HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA + inline RSA * + EVP_PKEY_get0_RSA(EVP_PKEY *pkey) + { + if (pkey->type != EVP_PKEY_RSA) + return nullptr; + return pkey->pkey.rsa; + } +#endif + +#if !HAVE_LIBCRYPTO_EVP_PKEY_UP_REF +#if defined(CRYPTO_LOCK_EVP_PKEY) // OpenSSL 1.0 + inline int + EVP_PKEY_up_ref(EVP_PKEY *t) + { + if (t && (CRYPTO_add(&t->references, 1, CRYPTO_LOCK_EVP_PKEY)) > 1) + return 1; + return 0; + } + +#else +#error missing both OpenSSL API features EVP_PKEY_up_ref (v1.1) and CRYPTO_LOCK_EVP_PKEY (v1.0) +#endif /* OpenSSL 1.0 CRYPTO_LOCK_EVP_PKEY */ +#endif /* OpenSSL 1.1 EVP_PKEY_up_ref */ + +#if !HAVE_LIBCRYPTO_OPENSSL_LH_STRHASH +#define OPENSSL_LH_delete lh_delete +#define OPENSSL_LH_strhash lh_strhash +#endif + +#if !defined OPENSSL_VERSION +#define OPENSSL_VERSION SSLEAY_VERSION +#define OpenSSL_version SSLeay_version +#endif + +#if !HAVE_LIBSSL_SSL_CIPHER_FIND + inline const SSL_CIPHER * + SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr) + { + return ssl->method->get_cipher_by_char(ptr); + } +#endif + +#if !HAVE_LIBSSL_SSL_SESSION_GET_ID + inline const unsigned char * + SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) + { + if (len) + *len = s->session_id_length; + return s->session_id; + } +#endif + +#if !HAVE_OPENSSL_TLS_CLIENT_METHOD +#define TLS_client_method SSLv23_client_method +#endif + +#if !HAVE_OPENSSL_TLS_SERVER_METHOD +#define TLS_server_method SSLv23_server_method +#endif + +#if !HAVE_LIBCRYPTO_X509_CRL_UP_REF // OpenSSL 1.1 API +#if defined(CRYPTO_LOCK_X509_CRL) // OpenSSL 1.0 API + inline int + X509_CRL_up_ref(X509_CRL *t) + { + if (t && (CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509_CRL) > 1)) + return 1; + return 0; + } +#else +#error missing both OpenSSL API features X509_up_ref (v1.1) and CRYPTO_LOCK_X509 (v1.0) +#endif /* CRYPTO_LOCK_X509_CRL */ 
+#endif /* X509_CRL_up_ref */ + +#if !HAVE_LIBCRYPTO_X509_GET0_SIGNATURE + inline void + X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, const X509 *x) + { + if (psig) + *psig = (ASN1_BIT_STRING *)&x->signature; + if (palg) + *palg = (X509_ALGOR *)&x->sig_alg; + } +#endif + +#if !HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT + inline X509 * + X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) + { + return ctx->cert; + } +#endif + +#if !HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED + inline STACK_OF(X509) * + X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) + { + return ctx->untrusted; + } + +/// Note that all of the calls in this next group were renamed, or had the new +/// name added at the same time as X509_STORE_CTX_get0_untrusted was implemented, +/// in all supported OpenSSL-compatible libraries +#define X509_STORE_CTX_set0_untrusted X509_STORE_CTX_set_chain +#define X509_getm_notAfter X509_get_notAfter +#define X509_getm_notBefore X509_get_notBefore +#define X509_set1_notAfter X509_set_notAfter +#define X509_set1_notBefore X509_set_notBefore +#endif /* !HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED */ + +#if !HAVE_LIBCRYPTO_X509_UP_REF // OpenSSL 1.1 API +#if defined(CRYPTO_LOCK_X509) // OpenSSL 1.0 API + inline int + X509_up_ref(X509 *t) + { + if (t && (CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509)) > 1) + return 1; + return 0; + } +#else +#error missing both OpenSSL API features X509_up_ref (v1.1) and CRYPTO_LOCK_X509 (v1.0) +#endif /* CRYPTO_LOCK_X509 */ +#endif /* X509_up_ref */ + +#if !HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH + inline int + X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) + { + return param->depth; + } +#endif + +} /* extern "C" */ + +inline void +SQUID_OPENSSL_init_ssl(void) +{ +#if HAVE_LIBSSL_OPENSSL_INIT_SSL + // OpenSSL will properly auto-initialize itself (in Squid context). + // No explicit initialization is required. 
+ //OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, nullptr); +#else + SSL_load_error_strings(); + SSLeay_add_ssl_algorithms(); +#endif +} + +#endif /* OPENSSL_COMPAT_H */ + diff -u -r -N squid-4.3/configure squid-4.4/configure --- squid-4.3/configure 2018-10-01 08:22:02.000000000 +1300 +++ squid-4.4/configure 2018-10-28 09:45:15.000000000 +1300 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for Squid Web Proxy 4.3. +# Generated by GNU Autoconf 2.69 for Squid Web Proxy 4.4. # # Report bugs to . # @@ -595,8 +595,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='4.3' -PACKAGE_STRING='Squid Web Proxy 4.3' +PACKAGE_VERSION='4.4' +PACKAGE_STRING='Squid Web Proxy 4.4' PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' PACKAGE_URL='' @@ -1647,7 +1647,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 4.3 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 4.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1718,7 +1718,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 4.3:";; + short | recursive ) echo "Configuration of Squid Web Proxy 4.4:";; esac cat <<\_ACEOF @@ -2147,7 +2147,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 4.3 +Squid Web Proxy configure 4.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
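Review bot: In the X509_get0_signature() fallback of compat/openssl.h, the C-style casts in `*psig = (ASN1_BIT_STRING *)&x->signature;` and `*palg = (X509_ALGOR *)&x->sig_alg;` both drop the const from `x` and silence any type mismatch the compiler would otherwise report. The address-of form is only right if `signature` and `sig_alg` are embedded objects in the pre-1.1 `X509` struct; if they are pointer members there, as I believe they are in OpenSSL 1.0.x, callers receive the address of the pointer field and then read it as a bit string or algorithm object while handling certificates. Please check against the oldest supported headers and, if they are pointers, assign `x->signature` and `x->sig_alg` directly, which needs no cast at all. Separately, the `#error` under the X509_CRL_up_ref() fallback names X509_up_ref and CRYPTO_LOCK_X509; it should name X509_CRL_up_ref and CRYPTO_LOCK_X509_CRL so a failed build points at the feature that is actually missing.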
@@ -3251,7 +3251,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 4.3, which was +It was created by Squid Web Proxy $as_me 4.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4118,7 +4118,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='4.3' + VERSION='4.4' cat >>confdefs.h <<_ACEOF @@ -10038,11 +10038,8 @@ test $ac_status = 0; }; then # Now try to grab the symbols. nlist=conftest.nm - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist\""; } >&5 - (eval $NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && test -s "$nlist"; then + $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&5 + if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&5 && test -s "$nlist"; then # Try sorting and uniquifying the output. if sort "$nlist" | uniq > "$nlist"T; then mv -f "$nlist"T "$nlist" @@ -23610,12 +23607,19 @@ ## OpenSSL is default disable due to licensing issues on some OS if test "x$with_openssl" = "xyes"; then for ac_header in \ + openssl/asn1.h \ openssl/bio.h \ + openssl/bn.h \ openssl/crypto.h \ + openssl/dh.h \ openssl/err.h \ + openssl/evp.h \ + openssl/lhash.h \ openssl/md5.h \ openssl/opensslv.h \ + openssl/rsa.h \ openssl/ssl.h \ + openssl/x509.h \ openssl/x509v3.h \ openssl/engine.h \ openssl/txt_db.h \ @@ -23980,6 +23984,8 @@ + + # save state, key is check_openssl_libcrypto_api check_openssl_libcrypto_api_CFLAGS="${CFLAGS}" check_openssl_libcrypto_api_CXXFLAGS="${CXXFLAGS}" 
@@ -23996,6 +24002,47 @@ done LIBS="$LIBS $SSLLIB" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OPENSSL_LH_strhash in -lcrypto" >&5 +$as_echo_n "checking for OPENSSL_LH_strhash in -lcrypto... " >&6; } +if ${ac_cv_lib_crypto_OPENSSL_LH_strhash+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcrypto $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char OPENSSL_LH_strhash (); +int +main () +{ +return OPENSSL_LH_strhash (); + ; + return 0; +} +_ACEOF +if ac_fn_cxx_try_link "$LINENO"; then : + ac_cv_lib_crypto_OPENSSL_LH_strhash=yes +else + ac_cv_lib_crypto_OPENSSL_LH_strhash=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_OPENSSL_LH_strhash" >&5 +$as_echo "$ac_cv_lib_crypto_OPENSSL_LH_strhash" >&6; } +if test "x$ac_cv_lib_crypto_OPENSSL_LH_strhash" = xyes; then : + $as_echo "#define HAVE_LIBCRYPTO_OPENSSL_LH_STRHASH 1" >>confdefs.h + +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_PKEY_get0_RSA in -lcrypto" >&5 $as_echo_n "checking for EVP_PKEY_get0_RSA in -lcrypto... " >&6; } if ${ac_cv_lib_crypto_EVP_PKEY_get0_RSA+:} false; then : 
@@ -24078,6 +24125,47 @@ fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for BIO_get_data in -lcrypto" >&5 +$as_echo_n "checking for BIO_get_data in -lcrypto... " >&6; } +if ${ac_cv_lib_crypto_BIO_get_data+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcrypto $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char BIO_get_data (); +int +main () +{ +return BIO_get_data (); + ; + return 0; +} +_ACEOF +if ac_fn_cxx_try_link "$LINENO"; then : + ac_cv_lib_crypto_BIO_get_data=yes +else + ac_cv_lib_crypto_BIO_get_data=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_BIO_get_data" >&5 +$as_echo "$ac_cv_lib_crypto_BIO_get_data" >&6; } +if test "x$ac_cv_lib_crypto_BIO_get_data" = xyes; then : + $as_echo "#define HAVE_LIBCRYPTO_BIO_GET_DATA 1" >>confdefs.h + +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for BIO_get_init in -lcrypto" >&5 $as_echo_n "checking for BIO_get_init in -lcrypto... " >&6; } if ${ac_cv_lib_crypto_BIO_get_init+:} false; then : 
@@ -24160,6 +24248,47 @@ fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_PKEY_up_ref in -lcrypto" >&5 +$as_echo_n "checking for EVP_PKEY_up_ref in -lcrypto... " >&6; } +if ${ac_cv_lib_crypto_EVP_PKEY_up_ref+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcrypto $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char EVP_PKEY_up_ref (); +int +main () +{ +return EVP_PKEY_up_ref (); + ; + return 0; +} +_ACEOF +if ac_fn_cxx_try_link "$LINENO"; then : + ac_cv_lib_crypto_EVP_PKEY_up_ref=yes +else + ac_cv_lib_crypto_EVP_PKEY_up_ref=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_EVP_PKEY_up_ref" >&5 +$as_echo "$ac_cv_lib_crypto_EVP_PKEY_up_ref" >&6; } +if test "x$ac_cv_lib_crypto_EVP_PKEY_up_ref" = xyes; then : + $as_echo "#define HAVE_LIBCRYPTO_EVP_PKEY_UP_REF 1" >>confdefs.h + +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for X509_STORE_CTX_get0_cert in -lcrypto" >&5 $as_echo_n "checking for X509_STORE_CTX_get0_cert in -lcrypto... " >&6; } if ${ac_cv_lib_crypto_X509_STORE_CTX_get0_cert+:} false; then : 
@@ -24283,47 +24412,6 @@ fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for X509_STORE_CTX_set0_untrusted in -lcrypto" >&5 -$as_echo_n "checking for X509_STORE_CTX_set0_untrusted in -lcrypto... " >&6; } -if ${ac_cv_lib_crypto_X509_STORE_CTX_set0_untrusted+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lcrypto $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char X509_STORE_CTX_set0_untrusted (); -int -main () -{ -return X509_STORE_CTX_set0_untrusted (); - ; - return 0; -} -_ACEOF -if ac_fn_cxx_try_link "$LINENO"; then : - ac_cv_lib_crypto_X509_STORE_CTX_set0_untrusted=yes -else - ac_cv_lib_crypto_X509_STORE_CTX_set0_untrusted=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_X509_STORE_CTX_set0_untrusted" >&5 -$as_echo "$ac_cv_lib_crypto_X509_STORE_CTX_set0_untrusted" >&6; } -if test "x$ac_cv_lib_crypto_X509_STORE_CTX_set0_untrusted" = xyes; then : - $as_echo "#define HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED 1" >>confdefs.h - -fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for X509_up_ref in -lcrypto" >&5 $as_echo_n "checking for X509_up_ref in -lcrypto... " >&6; } if ${ac_cv_lib_crypto_X509_up_ref+:} false; then : @@ -24486,6 +24574,9 @@ if test "x$ac_cv_lib_crypto_X509_get0_signature" = xyes; then : $as_echo "#define HAVE_LIBCRYPTO_X509_GET0_SIGNATURE 1" >>confdefs.h +else + $as_echo "#define SQUID_CONST_X509_GET0_SIGNATURE_ARGS /**/" >>confdefs.h + fi 
@@ -24523,6 +24614,7 @@ + # save state, key is check_openssl_libssl_api check_openssl_libssl_api_CFLAGS="${CFLAGS}" check_openssl_libssl_api_CXXFLAGS="${CXXFLAGS}" @@ -24539,6 +24631,47 @@ done LIBS="$LIBS $SSLLIB" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OPENSSL_init_ssl in -lssl" >&5 +$as_echo_n "checking for OPENSSL_init_ssl in -lssl... " >&6; } +if ${ac_cv_lib_ssl_OPENSSL_init_ssl+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lssl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char OPENSSL_init_ssl (); +int +main () +{ +return OPENSSL_init_ssl (); + ; + return 0; +} +_ACEOF +if ac_fn_cxx_try_link "$LINENO"; then : + ac_cv_lib_ssl_OPENSSL_init_ssl=yes +else + ac_cv_lib_ssl_OPENSSL_init_ssl=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_OPENSSL_init_ssl" >&5 +$as_echo "$ac_cv_lib_ssl_OPENSSL_init_ssl" >&6; } +if test "x$ac_cv_lib_ssl_OPENSSL_init_ssl" = xyes; then : + $as_echo "#define HAVE_LIBSSL_OPENSSL_INIT_SSL 1" >>confdefs.h + +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CIPHER_find in -lssl" >&5 $as_echo_n "checking for SSL_CIPHER_find in -lssl... " >&6; } if ${ac_cv_lib_ssl_SSL_CIPHER_find+:} false; then : @@ -25008,7 +25141,9 @@ main () { +#if defined(SSLeay_add_ssl_algorithms) SSLeay_add_ssl_algorithms(); +#endif #if HAVE_OPENSSL_TLS_METHOD SSL_CTX *sslContext = SSL_CTX_new(TLS_method()); #else @@ -25062,7 +25197,9 @@ main () { +#if defined(SSLeay_add_ssl_algorithms) SSLeay_add_ssl_algorithms(); +#endif #if HAVE_OPENSSL_TLS_METHOD SSL_CTX *sslContext = SSL_CTX_new(TLS_method()); #else 
@@ -25427,13 +25564,15 @@ _ACEOF if ac_fn_cxx_try_compile "$LINENO"; then : - $as_echo "#define SQUID_USE_CONST_X509_GET0_SIGNATURE_ARGS 1" >>confdefs.h + $as_echo "#define SQUID_CONST_X509_GET0_SIGNATURE_ARGS const" >>confdefs.h { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else + $as_echo "#define SQUID_CONST_X509_GET0_SIGNATURE_ARGS /**/" >>confdefs.h + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } @@ -43832,7 +43971,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 4.3, which was +This file was extended by Squid Web Proxy $as_me 4.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -43898,7 +44037,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Squid Web Proxy config.status 4.3 +Squid Web Proxy config.status 4.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -u -r -N squid-4.3/configure.ac squid-4.4/configure.ac --- squid-4.3/configure.ac 2018-10-01 08:22:02.000000000 +1300 +++ squid-4.4/configure.ac 2018-10-28 09:45:15.000000000 +1300 @@ -5,7 +5,7 @@ ## Please see the COPYING and CONTRIBUTORS files for details. ## -AC_INIT([Squid Web Proxy],[4.3],[http://bugs.squid-cache.org/],[squid]) +AC_INIT([Squid Web Proxy],[4.4],[http://bugs.squid-cache.org/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) 
@@ -1317,12 +1317,19 @@ ## OpenSSL is default disable due to licensing issues on some OS if test "x$with_openssl" = "xyes"; then AC_CHECK_HEADERS( \ + openssl/asn1.h \ openssl/bio.h \ + openssl/bn.h \ openssl/crypto.h \ + openssl/dh.h \ openssl/err.h \ + openssl/evp.h \ + openssl/lhash.h \ openssl/md5.h \ openssl/opensslv.h \ + openssl/rsa.h \ openssl/ssl.h \ + openssl/x509.h \ openssl/x509v3.h \ openssl/engine.h \ openssl/txt_db.h \ diff -u -r -N squid-4.3/doc/release-notes/release-4.html squid-4.4/doc/release-notes/release-4.html --- squid-4.3/doc/release-notes/release-4.html 2018-10-01 08:34:31.000000000 +1300 +++ squid-4.4/doc/release-notes/release-4.html 2018-10-28 09:56:40.000000000 +1300 @@ -2,10 +2,10 @@ - Squid 4.3 release notes + Squid 4.4 release notes -

Squid 4.3 release notes

+

Squid 4.4 release notes

Squid Developers


@@ -63,7 +63,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-4.3 for testing.

+

The Squid Team are pleased to announce the release of Squid-4.4 for testing.

This new release is available for download from http://www.squid-cache.org/Versions/v4/ or the mirrors.

diff -u -r -N squid-4.3/include/autoconf.h.in squid-4.4/include/autoconf.h.in --- squid-4.3/include/autoconf.h.in 2018-10-01 08:21:52.000000000 +1300 +++ squid-4.4/include/autoconf.h.in 2018-10-28 09:45:07.000000000 +1300 @@ -501,6 +501,9 @@ /* "Define to 1 if the ASN1_STRING_get0_data() OpenSSL API function exists" */ #undef HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA +/* "Define to 1 if the BIO_get_data() OpenSSL API function exists" */ +#undef HAVE_LIBCRYPTO_BIO_GET_DATA + /* "Define to 1 if the BIO_get_init() OpenSSL API function exists" */ #undef HAVE_LIBCRYPTO_BIO_GET_INIT @@ -513,6 +516,12 @@ /* "Define to 1 if the EVP_PKEY_get0_RSA() OpenSSL API function exists" */ #undef HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA +/* "Define to 1 if the EVP_PKEY_up_ref() OpenSSL API function exists" */ +#undef HAVE_LIBCRYPTO_EVP_PKEY_UP_REF + +/* "Define to 1 if the OPENSSL_LH_strhash() OpenSSL API function exists" */ +#undef HAVE_LIBCRYPTO_OPENSSL_LH_STRHASH + /* "Define to 1 if the X509_CRL_up_ref() OpenSSL API function exists" */ #undef HAVE_LIBCRYPTO_X509_CRL_UP_REF @@ -527,10 +536,6 @@ exists" */ #undef HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED -/* "Define to 1 if the X509_STORE_CTX_set0_untrusted() OpenSSL API function - exists" */ -#undef HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED - /* "Define to 1 if the X509_up_ref() OpenSSL API function exists" */ #undef HAVE_LIBCRYPTO_X509_UP_REF @@ -567,6 +572,9 @@ header file. */ #undef HAVE_LIBNETFILTER_CONNTRACK_LIBNETFILTER_CONNTRACK_TCP_H +/* "Define to 1 if the OPENSSL_init_ssl() OpenSSL API function exists" */ +#undef HAVE_LIBSSL_OPENSSL_INIT_SSL + /* "Define to 1 if the SSL_CIPHER_find() OpenSSL API function exists" */ #undef HAVE_LIBSSL_SSL_CIPHER_FIND 
@@ -752,24 +760,42 @@ /* OpenLDAP support */ #undef HAVE_OPENLDAP +/* Define to 1 if you have the header file. */ +#undef HAVE_OPENSSL_ASN1_H + /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_BIO_H +/* Define to 1 if you have the header file. */ +#undef HAVE_OPENSSL_BN_H + /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_CRYPTO_H +/* Define to 1 if you have the header file. */ +#undef HAVE_OPENSSL_DH_H + /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_ENGINE_H /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_ERR_H +/* Define to 1 if you have the header file. */ +#undef HAVE_OPENSSL_EVP_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_OPENSSL_LHASH_H + /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_MD5_H /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_OPENSSLV_H +/* Define to 1 if you have the header file. */ +#undef HAVE_OPENSSL_RSA_H + /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_SSL_H @@ -788,6 +814,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_X509V3_H +/* Define to 1 if you have the header file. */ +#undef HAVE_OPENSSL_X509_H + /* pad128_t is defined in system headers */ #undef HAVE_PAD128_T @@ -1352,6 +1381,10 @@ /* configure command line used to configure Squid */ #undef SQUID_CONFIGURE_OPTIONS +/* Define to const if X509_get0_signature() accepts const parameters; define + as empty otherwise. Don't leave it undefined! */ +#undef SQUID_CONST_X509_GET0_SIGNATURE_ARGS + /* UDP receive buffer size */ #undef SQUID_DETECT_UDP_SO_RCVBUF 
@@ -1392,9 +1425,6 @@ argument" */ #undef SQUID_USE_CONST_SSL_SESSION_CBID -/* "Define if X509_get0_signature() accepts const parameters" */ -#undef SQUID_USE_CONST_X509_GET0_SIGNATURE_ARGS - /* "Define to 1 if hello message can be overwritten in SSL struct" */ #undef SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK diff -u -r -N squid-4.3/include/hash.h squid-4.4/include/hash.h --- squid-4.3/include/hash.h 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/include/hash.h 2018-10-28 09:44:55.000000000 +1300 @@ -44,7 +44,7 @@ SQUIDCEXTERN void hashFreeItems(hash_table *, HASHFREE *); SQUIDCEXTERN HASHHASH hash_string; SQUIDCEXTERN HASHHASH hash4; -SQUIDCEXTERN const char *hashKeyStr(hash_link *); +SQUIDCEXTERN const char *hashKeyStr(const hash_link *); /* * Here are some good prime number choices. It's important not to diff -u -r -N squid-4.3/include/version.h squid-4.4/include/version.h --- squid-4.3/include/version.h 2018-10-01 08:22:02.000000000 +1300 +++ squid-4.4/include/version.h 2018-10-28 09:45:15.000000000 +1300 @@ -7,7 +7,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1538335308 +#define SQUID_RELEASE_TIME 1540673103 #endif /* diff -u -r -N squid-4.3/lib/hash.cc squid-4.4/lib/hash.cc --- squid-4.3/lib/hash.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/lib/hash.cc 2018-10-28 09:44:55.000000000 +1300 @@ -314,7 +314,7 @@ * return the key of a hash_link as a const string */ const char * -hashKeyStr(hash_link * hl) +hashKeyStr(const hash_link * hl) { return (const char *) hl->key; } diff -u -r -N squid-4.3/lib/sspwin32.cc squid-4.4/lib/sspwin32.cc --- squid-4.3/lib/sspwin32.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/lib/sspwin32.cc 2018-10-28 09:44:55.000000000 +1300 @@ -31,8 +31,8 @@ SECURITY_STATUS SecurityStatus = SEC_E_OK; static DWORD cbMaxToken = 0; -static PVOID pClientBuf = NULL; -static PVOID pServerBuf = NULL; +static uint8_t * pClientBuf = NULL; +static uint8_t * pServerBuf = NULL; static AUTH_SEQ NTLM_asServer = {0}; 
@@ -200,8 +200,8 @@ _FreeContextBuffer(pSPI); /* Allocate buffers for client and server messages */ - pClientBuf = xcalloc(cbMaxToken, sizeof(char)); - pServerBuf = xcalloc(cbMaxToken, sizeof(char)); + pClientBuf = static_cast(xcalloc(cbMaxToken, sizeof(char))); + pServerBuf = static_cast(xcalloc(cbMaxToken, sizeof(char))); SSP_Package_InUse = xstrdup(SSP_Package); return hModule; @@ -458,7 +458,7 @@ const char * WINAPI SSP_MakeChallenge(PVOID PNegotiateBuf, int NegotiateLen) { BOOL fDone = FALSE; - PVOID fResult = NULL; + uint8_t * fResult = NULL; DWORD cbOut = 0; DWORD cbIn = 0; ntlm_challenge * challenge; @@ -491,8 +491,8 @@ NTLM_LocalCall = NTLM_NEGOTIATE_THIS_IS_LOCAL_CALL & challenge->flags; struct base64_encode_ctx ctx; base64_encode_init(&ctx); - static uint8_t encoded[8192]; - size_t dstLen = base64_encode_update(&ctx, encoded, cbOut, reinterpret_cast(fResult)); + static char encoded[8192]; + size_t dstLen = base64_encode_update(&ctx, encoded, cbOut, fResult); assert(dstLen < sizeof(encoded)); dstLen += base64_encode_final(&ctx, encoded+dstLen); assert(dstLen < sizeof(encoded)); @@ -557,8 +557,8 @@ if (pServerBuf != NULL && cbOut > 0) { struct base64_encode_ctx ctx; base64_encode_init(&ctx); - static uint8_t encoded[8192]; - size_t dstLen = base64_encode_update(&ctx, encoded, cbOut, reinterpret_cast(pServerBuf)); + static char encoded[8192]; + size_t dstLen = base64_encode_update(&ctx, encoded, cbOut, pServerBuf); assert(dstLen < sizeof(encoded)); dstLen += base64_encode_final(&ctx, encoded+dstLen); assert(dstLen < sizeof(encoded)); 
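Review bot: In the SSP_MakeChallenge hunk (`@@ -491`) of lib/sspwin32.cc, the only bound on the Base64 output is `assert(dstLen < sizeof(encoded))`, which runs after `base64_encode_update()` has already written into the 8192-byte `encoded` buffer and is compiled out when NDEBUG is defined. Whether `cbOut` is capped elsewhere (for example by `cbMaxToken`) cannot be seen from the hunk, so the size should be checked before the call, e.g. `if (cbOut > (sizeof(encoded) - 1) / 4 * 3) { /* fail this exchange */ }`, which leaves room for the padded output and a terminator. The same pattern appears with `pServerBuf` in the `@@ -557` hunk and the `@@ -592` hunk and wants the same guard. The enclosing functions begin and end outside these hunks.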
@@ -592,8 +592,8 @@ if (pServerBuf != NULL && cbOut > 0) { struct base64_encode_ctx ctx; base64_encode_init(&ctx); - static uint8_t encoded[8192]; - size_t dstLen = base64_encode_update(&ctx, encoded, cbOut, reinterpret_cast(pServerBuf)); + static char encoded[8192]; + size_t dstLen = base64_encode_update(&ctx, encoded, cbOut, pServerBuf); assert(dstLen < sizeof(encoded)); dstLen += base64_encode_final(&ctx, encoded+dstLen); assert(dstLen < sizeof(encoded)); diff -u -r -N squid-4.3/libltdl/configure squid-4.4/libltdl/configure --- squid-4.3/libltdl/configure 2018-10-01 08:22:45.000000000 +1300 +++ squid-4.4/libltdl/configure 2018-10-28 09:46:03.000000000 +1300 @@ -6127,11 +6127,8 @@ test $ac_status = 0; }; then # Now try to grab the symbols. nlist=conftest.nm - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist\""; } >&5 - (eval $NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && test -s "$nlist"; then + $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&5 + if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&5 && test -s "$nlist"; then # Try sorting and uniquifying the output. if sort "$nlist" | uniq > "$nlist"T; then mv -f "$nlist"T "$nlist" diff -u -r -N squid-4.3/libltdl/m4/libtool.m4 squid-4.4/libltdl/m4/libtool.m4 --- squid-4.3/libltdl/m4/libtool.m4 2018-10-01 08:21:52.000000000 +1300 +++ squid-4.4/libltdl/m4/libtool.m4 2018-10-28 09:45:07.000000000 +1300 
@@ -4063,7 +4063,8 @@ if AC_TRY_EVAL(ac_compile); then # Now try to grab the symbols. nlist=conftest.nm - if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then + $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&AS_MESSAGE_LOG_FD + if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&AS_MESSAGE_LOG_FD && test -s "$nlist"; then # Try sorting and uniquifying the output. if sort "$nlist" | uniq > "$nlist"T; then mv -f "$nlist"T "$nlist" diff -u -r -N squid-4.3/RELEASENOTES.html squid-4.4/RELEASENOTES.html --- squid-4.3/RELEASENOTES.html 2018-10-01 08:34:31.000000000 +1300 +++ squid-4.4/RELEASENOTES.html 2018-10-28 09:56:40.000000000 +1300 @@ -2,10 +2,10 @@ - Squid 4.3 release notes + Squid 4.4 release notes -

Squid 4.3 release notes

+

Squid 4.4 release notes

Squid Developers


@@ -63,7 +63,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-4.3 for testing.

+

The Squid Team are pleased to announce the release of Squid-4.4 for testing.

This new release is available for download from http://www.squid-cache.org/Versions/v4/ or the mirrors.

diff -u -r -N squid-4.3/src/AccessLogEntry.cc squid-4.4/src/AccessLogEntry.cc --- squid-4.3/src/AccessLogEntry.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/AccessLogEntry.cc 2018-10-28 09:44:55.000000000 +1300 @@ -115,7 +115,7 @@ const SBuf * AccessLogEntry::effectiveVirginUrl() const { - const SBuf *effectiveUrl = request ? &request->url.absolute() : &virginUrlForMissingRequest_; + const SBuf *effectiveUrl = request ? &request->effectiveRequestUri() : &virginUrlForMissingRequest_; if (effectiveUrl && !effectiveUrl->isEmpty()) return effectiveUrl; // We can not use ALE::url here because it may contain a request URI after diff -u -r -N squid-4.3/src/acl/external/delayer/ext_delayer_acl.8 squid-4.4/src/acl/external/delayer/ext_delayer_acl.8 --- squid-4.3/src/acl/external/delayer/ext_delayer_acl.8 2018-10-01 08:34:33.000000000 +1300 +++ squid-4.4/src/acl/external/delayer/ext_delayer_acl.8 2018-10-28 09:56:43.000000000 +1300 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "EXT_DELAYER_ACL 8" -.TH EXT_DELAYER_ACL 8 "2018-09-30" "perl v5.26.2" "User Contributed Perl Documentation" +.TH EXT_DELAYER_ACL 8 "2018-10-27" "perl v5.26.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.3/src/acl/external/SQL_session/ext_sql_session_acl.8 squid-4.4/src/acl/external/SQL_session/ext_sql_session_acl.8 --- squid-4.3/src/acl/external/SQL_session/ext_sql_session_acl.8 2018-10-01 08:34:34.000000000 +1300 +++ squid-4.4/src/acl/external/SQL_session/ext_sql_session_acl.8 2018-10-28 09:56:44.000000000 +1300 
@@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "EXT_SQL_SESSION_ACL 8" -.TH EXT_SQL_SESSION_ACL 8 "2018-09-30" "perl v5.26.2" "User Contributed Perl Documentation" +.TH EXT_SQL_SESSION_ACL 8 "2018-10-27" "perl v5.26.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.3/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 squid-4.4/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-4.3/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2018-10-01 08:34:34.000000000 +1300 +++ squid-4.4/src/acl/external/wbinfo_group/ext_wbinfo_group_acl.8 2018-10-28 09:56:44.000000000 +1300 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL 8" -.TH EXT_WBINFO_GROUP_ACL 8 "2018-09-30" "perl v5.26.2" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL 8 "2018-10-27" "perl v5.26.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.3/src/acl/FilledChecklist.cc squid-4.4/src/acl/FilledChecklist.cc --- squid-4.3/src/acl/FilledChecklist.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/acl/FilledChecklist.cc 2018-10-28 09:44:55.000000000 +1300 @@ -109,7 +109,7 @@ showDebugWarning("URL"); // XXX: al->url should be the request URL from client, // but request->url may be different (e.g.,redirected) - al->url = request->url.absolute(); + al->url = request->effectiveRequestUri(); } } diff -u -r -N squid-4.3/src/anyp/Uri.cc squid-4.4/src/anyp/Uri.cc --- squid-4.3/src/anyp/Uri.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/anyp/Uri.cc 2018-10-28 09:44:55.000000000 +1300 
@@ -657,7 +657,7 @@ } int -matchDomainName(const char *h, const char *d, uint flags) +matchDomainName(const char *h, const char *d, uint8_t flags) { int dl; int hl; diff -u -r -N squid-4.3/src/anyp/Uri.h squid-4.4/src/anyp/Uri.h --- squid-4.3/src/anyp/Uri.h 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/anyp/Uri.h 2018-10-28 09:44:55.000000000 +1300 @@ -231,7 +231,7 @@ * \retval 1 means the host is greater than the domain * \retval -1 means the host is less than the domain */ -int matchDomainName(const char *host, const char *domain, uint flags = mdnNone); +int matchDomainName(const char *host, const char *domain, uint8_t flags = mdnNone); int urlCheckRequest(const HttpRequest *); char *urlHostname(const char *url); void urlExtMethodConfigure(void); diff -u -r -N squid-4.3/src/auth/basic/DB/basic_db_auth.8 squid-4.4/src/auth/basic/DB/basic_db_auth.8 --- squid-4.3/src/auth/basic/DB/basic_db_auth.8 2018-10-01 08:34:34.000000000 +1300 +++ squid-4.4/src/auth/basic/DB/basic_db_auth.8 2018-10-28 09:56:45.000000000 +1300 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 8" -.TH BASIC_DB_AUTH 8 "2018-09-30" "perl v5.26.2" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 8 "2018-10-27" "perl v5.26.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.3/src/auth/basic/POP3/basic_pop3_auth.8 squid-4.4/src/auth/basic/POP3/basic_pop3_auth.8 --- squid-4.3/src/auth/basic/POP3/basic_pop3_auth.8 2018-10-01 08:34:35.000000000 +1300 +++ squid-4.4/src/auth/basic/POP3/basic_pop3_auth.8 2018-10-28 09:56:45.000000000 +1300 
@@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_POP3_AUTH 8" -.TH BASIC_POP3_AUTH 8 "2018-09-30" "perl v5.26.2" "User Contributed Perl Documentation" +.TH BASIC_POP3_AUTH 8 "2018-10-27" "perl v5.26.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.3/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc squid-4.4/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc --- squid-4.3/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc 2018-10-28 09:44:55.000000000 +1300 @@ -56,6 +56,8 @@ } *krb5_kt_list; krb5_kt_list ktlist = NULL; +krb5_keytab memory_keytab; + krb5_error_code krb5_free_kt_list(krb5_context context, krb5_kt_list kt_list); krb5_error_code krb5_write_keytab(krb5_context context, krb5_kt_list kt_list, @@ -300,16 +302,15 @@ */ krb5_error_code krb5_write_keytab(krb5_context context, krb5_kt_list list, char *name) { - krb5_keytab kt; char ktname[MAXPATHLEN+sizeof("MEMORY:")+1]; krb5_error_code retval = 0; snprintf(ktname, sizeof(ktname), "%s", name); - retval = krb5_kt_resolve(context, ktname, &kt); + retval = krb5_kt_resolve(context, ktname, &memory_keytab); if (retval) return retval; for (krb5_kt_list lp = list; lp; lp = lp->next) { - retval = krb5_kt_add_entry(context, kt, lp->entry); + retval = krb5_kt_add_entry(context, memory_keytab, lp->entry); if (retval) break; } @@ -351,6 +352,7 @@ char default_keytab[MAXPATHLEN]; #if HAVE_KRB5_MEMORY_KEYTAB char *memory_keytab_name = NULL; + char *memory_keytab_name_env = NULL; #endif char *rcache_type = NULL; char *rcache_type_env = NULL; 
@@ -560,10 +562,10 @@ debug((char *) "%s| %s: ERROR: Writing list into keytab %s\n", LogTime(), PROGRAM, memory_keytab_name); } else { - keytab_name_env = (char *) xmalloc(strlen("KRB5_KTNAME=")+strlen(memory_keytab_name)+1); - strcpy(keytab_name_env, "KRB5_KTNAME="); - strcat(keytab_name_env, memory_keytab_name); - putenv(keytab_name_env); + memory_keytab_name_env = (char *) xmalloc(strlen("KRB5_KTNAME=")+strlen(memory_keytab_name)+1); + strcpy(memory_keytab_name_env, "KRB5_KTNAME="); + strcat(memory_keytab_name_env, memory_keytab_name); + putenv(memory_keytab_name_env); xfree(keytab_name); keytab_name = xstrdup(memory_keytab_name); debug((char *) "%s| %s: INFO: Changed keytab to %s\n", @@ -640,6 +642,18 @@ xfree(spnegoToken); } xfree(token); + xfree(rcache_type); + xfree(rcache_type_env); + xfree(rcache_dir); + xfree(rcache_dir_env); + xfree(keytab_name); + xfree(keytab_name_env); +#if HAVE_KRB5_MEMORY_KEYTAB + krb5_kt_close(context, memory_keytab); + xfree(memory_keytab_name); + xfree(memory_keytab_name_env); +#endif + xfree(rfc_user); fprintf(stdout, "BH quit command\n"); exit(0); } diff -u -r -N squid-4.3/src/base/File.cc squid-4.4/src/base/File.cc --- squid-4.3/src/base/File.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/base/File.cc 2018-10-28 09:44:55.000000000 +1300 @@ -170,7 +170,7 @@ File::open(const FileOpeningConfig &cfg) { #if _SQUID_WINDOWS_ - fd_ = CreateFile(TEXT(name_.c_str()), desiredAccess, shareMode, nullptr, creationDisposition, FILE_ATTRIBUTE_NORMAL, nullptr); + fd_ = CreateFile(TEXT(name_.c_str()), cfg.desiredAccess, cfg.shareMode, nullptr, cfg.creationDisposition, FILE_ATTRIBUTE_NORMAL, nullptr); if (fd_ == InvalidHandle) { const auto savedError = GetLastError(); throw TexcHere(sysCallFailure("CreateFile", WindowsErrorMessage(savedError).c_str())); 
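Review bot: In the quit-path hunk (`@@ -640`) of negotiate_kerberos_auth.cc, `krb5_kt_close(context, memory_keytab)` runs unconditionally, but the new global `memory_keytab` is only assigned inside krb5_write_keytab(); on a run where the in-memory keytab was never built the library would presumably receive a null handle, so guard it: `if (memory_keytab) krb5_kt_close(context, memory_keytab);`. The same hunk also frees `keytab_name_env`, `rcache_type_env`, `rcache_dir_env` and `memory_keytab_name_env`, and the `@@ -560` hunk shows the last of these being handed to `putenv()`, which keeps the caller's pointer in the environment rather than copying it (the other `*_env` strings are presumably used the same way outside the hunk). Anything that reads the environment between these `xfree()` calls and `exit(0)` (exit handlers, library teardown) would then read freed memory. Since the process exits on the next line, leave the putenv() strings allocated or `unsetenv()` the variables before freeing them. The enclosing function begins and ends outside the hunk.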
@@ -199,7 +199,7 @@ #if _SQUID_WINDOWS_ if (!CloseHandle(fd_)) { const auto savedError = GetLastError(); - debugs(54, DBG_IMPORTANT, sysCallFailure("CloseHandle", WindowsErrorMessage(savedError))); + debugs(54, DBG_IMPORTANT, sysCallFailure("CloseHandle", WindowsErrorMessage(savedError).c_str())); } #else if (::close(fd_) != 0) { @@ -370,3 +370,6 @@ return sysCallFailure(callName, xstrerr(savedErrno)); } +#if _SQUID_WINDOWS_ +const HANDLE File::InvalidHandle = INVALID_HANDLE_VALUE; +#endif /* _SQUID_WINDOWS_ */ diff -u -r -N squid-4.3/src/base/File.h squid-4.4/src/base/File.h --- squid-4.3/src/base/File.h 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/base/File.h 2018-10-28 09:44:55.000000000 +1300 @@ -115,7 +115,7 @@ // Windows-specific HANDLE is needed because LockFileEx() does not take POSIX FDs. #if _SQUID_WINDOWS_ typedef HANDLE Handle; - static const Handle InvalidHandle = INVALID_HANDLE_VALUE; + static const Handle InvalidHandle; #else typedef int Handle; static const Handle InvalidHandle = -1; diff -u -r -N squid-4.3/src/CachePeer.h squid-4.4/src/CachePeer.h --- squid-4.3/src/CachePeer.h 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/CachePeer.h 2018-10-28 09:44:55.000000000 +1300 @@ -19,10 +19,6 @@ //TODO: remove, it is unconditionally defined and always used. #define PEER_MULTICAST_SIBLINGS 1 -#if HAVE_OPENSSL_SSL_H -#include -#endif - class NeighborTypeDomainList; class PconnPool; class PeerDigest; diff -u -r -N squid-4.3/src/format/Format.cc squid-4.4/src/format/Format.cc --- squid-4.3/src/format/Format.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/format/Format.cc 2018-10-28 09:44:55.000000000 +1300 
@@ -1193,7 +1193,7 @@ ConnStateData *conn = al->request->clientConnectionManager.get(); if (conn && Comm::IsConnOpen(conn->clientConnection)) { if (auto ssl = fd_table[conn->clientConnection->fd].ssl.get()) - out = sslGetUserAttribute(ssl, format->data.header.header); + out = sslGetUserAttribute(ssl, fmt->data.header.header); } } break; @@ -1203,7 +1203,7 @@ ConnStateData *conn = al->request->clientConnectionManager.get(); if (conn && Comm::IsConnOpen(conn->clientConnection)) { if (auto ssl = fd_table[conn->clientConnection->fd].ssl.get()) - out = sslGetCAAttribute(ssl, format->data.header.header); + out = sslGetCAAttribute(ssl, fmt->data.header.header); } } break; diff -u -r -N squid-4.3/src/http/url_rewriters/LFS/url_lfs_rewrite.8 squid-4.4/src/http/url_rewriters/LFS/url_lfs_rewrite.8 --- squid-4.3/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2018-10-01 08:34:35.000000000 +1300 +++ squid-4.4/src/http/url_rewriters/LFS/url_lfs_rewrite.8 2018-10-28 09:56:46.000000000 +1300 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "URL_LFS_REWRITE 8" -.TH URL_LFS_REWRITE 8 "2018-09-30" "perl v5.26.2" "User Contributed Perl Documentation" +.TH URL_LFS_REWRITE 8 "2018-10-27" "perl v5.26.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.3/src/icmp/net_db.cc squid-4.4/src/icmp/net_db.cc --- squid-4.3/src/icmp/net_db.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/icmp/net_db.cc 2018-10-28 09:44:55.000000000 +1300 
@@ -502,7 +502,7 @@ unlink(Config.netdbFilename); lf = logfileOpen(Config.netdbFilename, 4096, 0); - if (lf) { + if (!lf) { int xerrno = errno; debugs(50, DBG_IMPORTANT, MYNAME << Config.netdbFilename << ": " << xstrerr(xerrno)); return; diff -u -r -N squid-4.3/src/log/DB/log_db_daemon.8 squid-4.4/src/log/DB/log_db_daemon.8 --- squid-4.3/src/log/DB/log_db_daemon.8 2018-10-01 08:34:36.000000000 +1300 +++ squid-4.4/src/log/DB/log_db_daemon.8 2018-10-28 09:56:46.000000000 +1300 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "LOG_DB_DAEMON 8" -.TH LOG_DB_DAEMON 8 "2018-09-30" "perl v5.26.2" "User Contributed Perl Documentation" +.TH LOG_DB_DAEMON 8 "2018-10-27" "perl v5.26.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.3/src/main.cc squid-4.4/src/main.cc --- squid-4.3/src/main.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/main.cc 2018-10-28 09:44:55.000000000 +1300 @@ -678,7 +678,7 @@ if (strlen(SQUID_BUILD_INFO)) printf("%s\n",SQUID_BUILD_INFO); #if USE_OPENSSL - printf("\nThis binary uses %s. ", SSLeay_version(SSLEAY_VERSION)); + printf("\nThis binary uses %s. ", OpenSSL_version(OPENSSL_VERSION)); printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n"); #endif printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS); diff -u -r -N squid-4.3/src/security/cert_generators/file/certificate_db.cc squid-4.4/src/security/cert_generators/file/certificate_db.cc --- squid-4.3/src/security/cert_generators/file/certificate_db.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/security/cert_generators/file/certificate_db.cc 2018-10-28 09:44:55.000000000 +1300 
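Review bot: `int xerrno = errno;` is read only after `logfileOpen()` has returned, so the reason printed by `xstrerr(xerrno)` is whatever the last call inside `logfileOpen()` left in errno, which may not be the failure that produced the null `lf`. If `logfileOpen()` does not promise to preserve errno, the message can mislead whoever is diagnosing a missing netdb state file. I would add a comment stating that assumption, e.g. `// relies on logfileOpen() leaving errno from the failed open intact`, or log the filename without an errno string. The enclosing function starts and ends outside the hunk.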
@@ -216,7 +216,7 @@ data = lh_OPENSSL_STRING_delete(fieldIndex, rrow); #else if (LHASH *fieldIndex = db->index[db_indexes[i]]) - data = lh_delete(fieldIndex, rrow); + data = OPENSSL_LH_delete(fieldIndex, rrow); #endif if (data) assert(data == rrow); @@ -227,7 +227,7 @@ const char *n = a[Ssl::CertificateDb::cnlSerial]; while (*n == '0') ++n; - return lh_strhash(n); + return OPENSSL_LH_strhash(n); } int Ssl::CertificateDb::index_serial_cmp(const char **a, const char **b) { @@ -238,7 +238,7 @@ } unsigned long Ssl::CertificateDb::index_name_hash(const char **a) { - return(lh_strhash(a[Ssl::CertificateDb::cnlKey])); + return(OPENSSL_LH_strhash(a[Ssl::CertificateDb::cnlKey])); } int Ssl::CertificateDb::index_name_cmp(const char **a, const char **b) { @@ -336,7 +336,7 @@ dbSize = size(); // get the current database size } - ASN1_UTCTIME * tm = X509_get_notAfter(cert.get()); + const auto tm = X509_getm_notAfter(cert.get()); row.setValue(cnlExp_date, std::string(reinterpret_cast(tm->data), tm->length).c_str()); std::unique_ptr subject(X509_NAME_oneline(X509_get_subject_name(cert.get()), nullptr, 0)); row.setValue(cnlName, subject.get()); diff -u -r -N squid-4.3/src/security/cert_generators/file/certificate_db.h squid-4.4/src/security/cert_generators/file/certificate_db.h --- squid-4.3/src/security/cert_generators/file/certificate_db.h 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/security/cert_generators/file/certificate_db.h 2018-10-28 09:44:55.000000000 +1300 @@ -11,9 +11,6 @@ #include "ssl/gadgets.h" -#if HAVE_OPENSSL_OPENSSLV_H -#include -#endif #include namespace Ssl diff -u -r -N squid-4.3/src/security/cert_generators/file/security_file_certgen.cc squid-4.4/src/security/cert_generators/file/security_file_certgen.cc --- squid-4.3/src/security/cert_generators/file/security_file_certgen.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/security/cert_generators/file/security_file_certgen.cc 2018-10-28 09:44:55.000000000 +1300 
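Review bot: In the @@ -336 hunk, `tm` is dereferenced as `tm->data` and `tm->length` in the `row.setValue(cnlExp_date, ...)` line without a null check, and through the structure fields rather than accessors. The same patch already uses `ASN1_STRING_get0_data()` in ssl/support.cc. Using it here together with `ASN1_STRING_length(tm)` would keep this file independent of the ASN1_STRING layout. A guard for a null `tm` before that line would also stop a certificate without a usable notAfter from reaching the dereference. The enclosing function continues outside the hunk, so the right failure return is not visible here.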
@@ -325,8 +325,7 @@ } // Initialize SSL subsystem - SSL_load_error_strings(); - SSLeay_add_ssl_algorithms(); + SQUID_OPENSSL_init_ssl(); // process request. for (;;) { char request[HELPER_INPUT_BUFFER]; diff -u -r -N squid-4.3/src/security/cert_validators/fake/security_fake_certverify.8 squid-4.4/src/security/cert_validators/fake/security_fake_certverify.8 --- squid-4.3/src/security/cert_validators/fake/security_fake_certverify.8 2018-10-01 08:34:36.000000000 +1300 +++ squid-4.4/src/security/cert_validators/fake/security_fake_certverify.8 2018-10-28 09:56:46.000000000 +1300 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "SECURITY_FAKE_CERTVERIFY 8" -.TH SECURITY_FAKE_CERTVERIFY 8 "2018-09-30" "perl v5.26.2" "User Contributed Perl Documentation" +.TH SECURITY_FAKE_CERTVERIFY 8 "2018-10-27" "perl v5.26.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.3/src/security/Context.h squid-4.4/src/security/Context.h --- squid-4.3/src/security/Context.h 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/security/Context.h 2018-10-28 09:44:55.000000000 +1300 @@ -12,6 +12,7 @@ #include #if USE_OPENSSL +#include "compat/openssl.h" #if HAVE_OPENSSL_SSL_H #include #endif diff -u -r -N squid-4.3/src/security/forward.h squid-4.4/src/security/forward.h --- squid-4.3/src/security/forward.h 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/security/forward.h 2018-10-28 09:44:55.000000000 +1300 @@ -17,9 +17,18 @@ #include #endif #include -#if USE_OPENSSL && HAVE_OPENSSL_ERR_H +#if USE_OPENSSL +#include "compat/openssl.h" +#if HAVE_OPENSSL_BN_H +#include +#endif +#if HAVE_OPENSSL_ERR_H #include #endif +#if HAVE_OPENSSL_RSA_H +#include +#endif +#endif /* USE_OPENSSL */ #include #if USE_OPENSSL 
@@ -30,39 +39,6 @@ struct sk_object ## _free_wrapper { \ void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \ } - -#if !HAVE_LIBCRYPTO_X509_UP_REF // OpenSSL 1.1 API -#if defined(CRYPTO_LOCK_X509) // OpenSSL 1.0 API -inline int X509_up_ref(X509 *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509); return 0;} -#else -#error missing both OpenSSL API features X509_up_ref (v1.1) and CRYPTO_LOCK_X509 (v1.0) -#endif /* CRYPTO_LOCK_X509 */ -#endif /* X509_up_ref */ - -#if !HAVE_LIBCRYPTO_X509_CRL_UP_REF // OpenSSL 1.1 API -#if defined(CRYPTO_LOCK_X509_CRL) // OpenSSL 1.0 API -inline int X509_CRL_up_ref(X509_CRL *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509_CRL); return 0;} -#else -#error missing both OpenSSL API features X509_up_ref (v1.1) and CRYPTO_LOCK_X509 (v1.0) -#endif /* CRYPTO_LOCK_X509_CRL */ -#endif /* X509_CRL_up_ref */ -#if !HAVE_LIBCRYPTO_DH_UP_REF // OpenSSL 1.1 API -#if defined(CRYPTO_LOCK_DH) // OpenSSL 1.0 API -inline int DH_up_ref(DH *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_DH); return 0;} -#else - -#error missing both OpenSSL API features DH_up_ref (v1.1) and CRYPTO_LOCK_DH (v1.0) -#endif /* OpenSSL 1.0 CRYPTO_LOCK_X509_CRL */ -#endif /* OpenSSL 1.1 DH_up_ref */ - -#if !HAVE_LIBCRYPTO_EVP_PKEY_UP_REF -#if defined(CRYPTO_LOCK_EVP_PKEY) // OpenSSL 1.0 -inline int EVP_PKEY_up_ref(EVP_PKEY *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_EVP_PKEY); return 0;} -#endif -#else -#error missing both OpenSSL API features EVP_PKEY_up_ref (v1.1) and CRYPTO_LOCK_EVP_PKEY (v1.0) -#endif - #endif /* USE_OPENSSL */ /* flags a SSL connection can be configured with */ diff -u -r -N squid-4.3/src/security/LockingPointer.h squid-4.4/src/security/LockingPointer.h --- squid-4.3/src/security/LockingPointer.h 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/security/LockingPointer.h 2018-10-28 09:44:55.000000000 +1300 
@@ -12,6 +12,7 @@ #include "base/HardFun.h" #if USE_OPENSSL +#include "compat/openssl.h" #if HAVE_OPENSSL_CRYPTO_H #include #endif diff -u -r -N squid-4.3/src/security/PeerOptions.cc squid-4.4/src/security/PeerOptions.cc --- squid-4.3/src/security/PeerOptions.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/security/PeerOptions.cc 2018-10-28 09:44:55.000000000 +1300 @@ -248,11 +248,7 @@ #if USE_OPENSSL Ssl::Initialize(); -#if HAVE_OPENSSL_TLS_CLIENT_METHOD SSL_CTX *t = SSL_CTX_new(TLS_client_method()); -#else - SSL_CTX *t = SSL_CTX_new(SSLv23_client_method()); -#endif if (!t) { const auto x = ERR_get_error(); fatalf("Failed to allocate TLS client context: %s\n", Security::ErrorString(x)); diff -u -r -N squid-4.3/src/security/ServerOptions.cc squid-4.4/src/security/ServerOptions.cc --- squid-4.3/src/security/ServerOptions.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/security/ServerOptions.cc 2018-10-28 09:44:55.000000000 +1300 @@ -16,14 +16,12 @@ #include "security/Session.h" #include "SquidConfig.h" #if USE_OPENSSL +#include "compat/openssl.h" #include "ssl/support.h" -#endif #if HAVE_OPENSSL_ERR_H #include #endif -#if HAVE_OPENSSL_X509_H -#include #endif Security::ServerOptions & @@ -161,11 +159,7 @@ #if USE_OPENSSL Ssl::Initialize(); -#if HAVE_OPENSSL_SERVER_METHOD SSL_CTX *t = SSL_CTX_new(TLS_server_method()); -#else - SSL_CTX *t = SSL_CTX_new(SSLv23_server_method()); -#endif if (!t) { const auto x = ERR_get_error(); debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: " << Security::ErrorString(x)); diff -u -r -N squid-4.3/src/security/ServerOptions.h squid-4.4/src/security/ServerOptions.h --- squid-4.3/src/security/ServerOptions.h 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/security/ServerOptions.h 2018-10-28 09:44:55.000000000 +1300 
@@ -11,6 +11,12 @@ #include "anyp/forward.h" #include "security/PeerOptions.h" +#if USE_OPENSSL +#include "compat/openssl.h" +#if HAVE_OPENSSL_X509_H +#include +#endif +#endif namespace Security { diff -u -r -N squid-4.3/src/security/Session.cc squid-4.4/src/security/Session.cc --- squid-4.3/src/security/Session.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/security/Session.cc 2018-10-28 09:44:55.000000000 +1300 @@ -290,13 +290,8 @@ SSL_SESSION_set_timeout(session, Config.SSL.session_ttl); -#if HAVE_LIBSSL_SSL_SESSION_GET_ID unsigned int idlen; const unsigned char *id = SSL_SESSION_get_id(session, &idlen); -#else - unsigned char *id = session->session_id; - unsigned int idlen = session->session_id_length; -#endif // XXX: the other calls [to openForReading()] do not copy the sessionId to a char buffer, does this really have to? unsigned char key[MEMMAP_SLOT_KEY_SIZE]; // Session ids are of size 32bytes. They should always fit to a diff -u -r -N squid-4.3/src/security/Session.h squid-4.4/src/security/Session.h --- squid-4.3/src/security/Session.h 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/security/Session.h 2018-10-28 09:44:55.000000000 +1300 @@ -16,6 +16,7 @@ #include #if USE_OPENSSL +#include "compat/openssl.h" #if HAVE_OPENSSL_SSL_H #include #endif diff -u -r -N squid-4.3/src/snmp_core.cc squid-4.4/src/snmp_core.cc --- squid-4.3/src/snmp_core.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/snmp_core.cc 2018-10-28 09:44:55.000000000 +1300 @@ -409,6 +409,7 @@ snmpConstructReponse(rq); } else { debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from); + snmp_free_pdu(PDU); } xfree(Community); diff -u -r -N squid-4.3/src/ssl/bio.cc squid-4.4/src/ssl/bio.cc --- squid-4.3/src/ssl/bio.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/ssl/bio.cc 2018-10-28 09:44:55.000000000 +1300 
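Review bot: The `snmp_free_pdu(PDU);` added to the DENIED branch in snmp_core.cc has no comment saying why only this branch releases the PDU. From the hunk it looks as if the accepted branch hands responsibility on through `snmpConstructReponse(rq)`, but that is not visible here. A one-line comment such as `// request rejected: nothing else will release the decoded PDU` would keep the two branches from drifting apart again. Because this branch is reached by any sender whose query is refused, it is worth confirming that no other early exit in the function skips the free. The function body extends beyond the hunk.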
@@ -23,10 +23,6 @@ #include "SquidTime.h" #include "ssl/bio.h" -#if HAVE_OPENSSL_SSL_H -#include -#endif - #if _SQUID_WINDOWS_ extern int socket_read_method(int, char *, int); extern int socket_write_method(int, const char *, int); @@ -76,7 +72,7 @@ BIO_meth_set_create(SquidMethods, squid_bio_create); BIO_meth_set_destroy(SquidMethods, squid_bio_destroy); } - const BIO_METHOD *useMethod = SquidMethods; + BIO_METHOD *useMethod = SquidMethods; #else BIO_METHOD *useMethod = &SquidMethods; #endif @@ -706,13 +702,7 @@ cbytes[0] = (cipherId >> 8) & 0xFF; cbytes[1] = cipherId & 0xFF; cbytes[2] = 0; -#if HAVE_LIBSSL_SSL_CIPHER_FIND - const SSL_CIPHER *c = SSL_CIPHER_find(ssl, cbytes); -#else - const SSL_METHOD *method = SSLv23_method(); - const SSL_CIPHER *c = method->get_cipher_by_char(cbytes); -#endif - if (c != NULL) { + if (const auto c = SSL_CIPHER_find(ssl, cbytes)) { if (!strCiphers.isEmpty()) strCiphers.append(":"); strCiphers.append(SSL_CIPHER_get_name(c)); diff -u -r -N squid-4.3/src/ssl/bio.h squid-4.4/src/ssl/bio.h --- squid-4.3/src/ssl/bio.h 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/ssl/bio.h 2018-10-28 09:44:55.000000000 +1300 @@ -11,6 +11,7 @@ #if USE_OPENSSL +#include "compat/openssl.h" #include "FadingCounter.h" #include "fd.h" #include "MemBuf.h" 
@@ -204,14 +205,6 @@ void applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl::BumpMode bumpMode); -#if !HAVE_LIBCRYPTO_BIO_GET_INIT -// OpenSSL v1.0 bio compatibility functions -inline void *BIO_get_data(BIO *table) { return table->ptr; } -inline void BIO_set_data(BIO *table, void *data) { table->ptr = data; } -inline int BIO_get_init(BIO *table) { return table->init; } -inline void BIO_set_init(BIO *table, int init) { table->init = init; } -#endif - #endif /* USE_OPENSSL */ #endif /* SQUID_SSL_BIO_H */ diff -u -r -N squid-4.3/src/ssl/context_storage.cc squid-4.4/src/ssl/context_storage.cc --- squid-4.3/src/ssl/context_storage.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/ssl/context_storage.cc 2018-10-28 09:44:55.000000000 +1300 @@ -13,9 +13,12 @@ #include "Store.h" #include +#if USE_OPENSSL +#include "compat/openssl.h" #if HAVE_OPENSSL_SSL_H #include #endif +#endif Ssl::CertificateStorageAction::CertificateStorageAction(const Mgr::Command::Pointer &aCmd) : Mgr::Action(aCmd) diff -u -r -N squid-4.3/src/ssl/context_storage.h squid-4.4/src/ssl/context_storage.h --- squid-4.3/src/ssl/context_storage.h 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/ssl/context_storage.h 2018-10-28 09:44:55.000000000 +1300 @@ -13,6 +13,7 @@ #include "base/LruMap.h" #include "CacheManager.h" +#include "compat/openssl.h" #include "ip/Address.h" #include "mgr/Action.h" #include "mgr/Command.h" diff -u -r -N squid-4.3/src/ssl/ErrorDetail.cc squid-4.4/src/ssl/ErrorDetail.cc --- squid-4.3/src/ssl/ErrorDetail.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/ssl/ErrorDetail.cc 2018-10-28 09:44:55.000000000 +1300 @@ -9,6 +9,7 @@ #include "squid.h" #include "errorpage.h" #include "fatal.h" +#include "html_quote.h" #include "ssl/ErrorDetail.h" #include 
@@ -436,8 +437,11 @@ { if (broken_cert.get()) { static char tmpBuffer[256]; // A temporary buffer - if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) - return tmpBuffer; + if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { + // quote to avoid possible html code injection through + // certificate subject + return html_quote(tmpBuffer); + } } return "[Not available]"; } @@ -465,8 +469,11 @@ static String tmpStr; ///< A temporary string buffer tmpStr.clean(); Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn); - if (tmpStr.size()) - return tmpStr.termedBuf(); + if (tmpStr.size()) { + // quote to avoid possible html code injection through + // certificate subject + return html_quote(tmpStr.termedBuf()); + } } return "[Not available]"; } @@ -478,8 +485,11 @@ { if (broken_cert.get()) { static char tmpBuffer[256]; // A temporary buffer - if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) - return tmpBuffer; + if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) { + // quote to avoid possible html code injection through + // certificate issuer subject + return html_quote(tmpBuffer); + } } return "[Not available]"; } @@ -490,7 +500,7 @@ const char *Ssl::ErrorDetail::notbefore() const { if (broken_cert.get()) { - if (ASN1_UTCTIME * tm = X509_get_notBefore(broken_cert.get())) { + if (const auto tm = X509_getm_notBefore(broken_cert.get())) { static char tmpBuffer[256]; // A temporary buffer Ssl::asn1timeToString(tm, tmpBuffer, sizeof(tmpBuffer)); return tmpBuffer; 
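Review bot: `subject()`, `cn()` and `ca_name()` now return the pointer produced by `html_quote()` instead of their own static buffers (this hunk and the two after it). If `html_quote()` hands back one shared static buffer, which I cannot confirm from the hunks, a caller that holds two of these results at once will see the second call overwrite the first. Escaping inside the accessors also means that any non-HTML consumer of these values, a log line for example, receives entity-encoded text. I would document the lifetime on each function, e.g. `// returned pointer is valid only until the next html_quote() call`, and check the callers. The `notbefore()` and `notafter()` hunks still return certificate-derived text unquoted; presumably `Ssl::asn1timeToString()` constrains the output, but a comment saying so would close the question.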
@@ -505,7 +515,7 @@ const char *Ssl::ErrorDetail::notafter() const { if (broken_cert.get()) { - if (ASN1_UTCTIME * tm = X509_get_notAfter(broken_cert.get())) { + if (const auto tm = X509_getm_notAfter(broken_cert.get())) { static char tmpBuffer[256]; // A temporary buffer Ssl::asn1timeToString(tm, tmpBuffer, sizeof(tmpBuffer)); return tmpBuffer; diff -u -r -N squid-4.3/src/ssl/gadgets.cc squid-4.4/src/ssl/gadgets.cc --- squid-4.3/src/ssl/gadgets.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/ssl/gadgets.cc 2018-10-28 09:44:55.000000000 +1300 @@ -9,11 +9,6 @@ #include "squid.h" #include "ssl/gadgets.h" -#include -#if HAVE_OPENSSL_X509V3_H -#include -#endif - EVP_PKEY * Ssl::createSslPrivateKey() { Security::PrivateKeyPointer pkey(EVP_PKEY_new()); @@ -381,13 +376,8 @@ DecipherOnly }; -#if HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA EVP_PKEY *certKey = X509_get_pubkey(mimicCert.get()); const bool rsaPkey = (EVP_PKEY_get0_RSA(certKey) != nullptr); -#else - const int mimicAlgo = OBJ_obj2nid(mimicCert.get()->cert_info->key->algor->algorithm); - const bool rsaPkey = (mimicAlgo == NID_rsaEncryption); -#endif int added = 0; int nid; 
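Review bot: In the @@ -381 hunk of gadgets.cc, `X509_get_pubkey(mimicCert.get())` can return null when the certificate's public key cannot be decoded, and the next line passes `certKey` straight to `EVP_PKEY_get0_RSA()`. The mimicked certificate is presumably supplied by a remote server, and with the fallback branch removed this is now the only path. Suggest `const bool rsaPkey = certKey && (EVP_PKEY_get0_RSA(certKey) != nullptr);`. `X509_get_pubkey()` also returns a new reference, and the function continues past the hunk, so I cannot see whether `EVP_PKEY_free(certKey)` runs on every exit.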
@@ -496,25 +486,25 @@ // objects. ASN1_TIME *aTime = NULL; if (!properties.setValidBefore && properties.mimicCert.get()) - aTime = X509_get_notBefore(properties.mimicCert.get()); + aTime = X509_getm_notBefore(properties.mimicCert.get()); if (!aTime && properties.signWithX509.get()) - aTime = X509_get_notBefore(properties.signWithX509.get()); + aTime = X509_getm_notBefore(properties.signWithX509.get()); if (aTime) { - if (!X509_set_notBefore(cert.get(), aTime)) + if (!X509_set1_notBefore(cert.get(), aTime)) return false; - } else if (!X509_gmtime_adj(X509_get_notBefore(cert.get()), (-2)*24*60*60)) + } else if (!X509_gmtime_adj(X509_getm_notBefore(cert.get()), (-2)*24*60*60)) return false; aTime = NULL; if (!properties.setValidAfter && properties.mimicCert.get()) - aTime = X509_get_notAfter(properties.mimicCert.get()); + aTime = X509_getm_notAfter(properties.mimicCert.get()); if (!aTime && properties.signWithX509.get()) - aTime = X509_get_notAfter(properties.signWithX509.get()); + aTime = X509_getm_notAfter(properties.signWithX509.get()); if (aTime) { - if (!X509_set_notAfter(cert.get(), aTime)) + if (!X509_set1_notAfter(cert.get(), aTime)) return false; - } else if (!X509_gmtime_adj(X509_get_notAfter(cert.get()), 60*60*24*356*3)) + } else if (!X509_gmtime_adj(X509_getm_notAfter(cert.get()), 60*60*24*356*3)) return false; int addedExtensions = 0; 
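Review bot: The default notAfter offset `60*60*24*356*3` uses 356 days per year, which looks like a transposition of 365 and makes generated certificates expire 27 days short of three years. If 356 is intentional, a comment should say why; otherwise use `60*60*24*365*3`. Both this value and the `(-2)*24*60*60` notBefore offset would read better as named constants next to the function. The enclosing function starts and ends outside the hunk.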
@@ -844,21 +834,21 @@ return false; if (!properties.setValidBefore) { - ASN1_TIME *aTime = X509_get_notBefore(cert); - ASN1_TIME *bTime = X509_get_notBefore(cert2); + const auto aTime = X509_getm_notBefore(cert); + const auto bTime = X509_getm_notBefore(cert2); if (asn1time_cmp(aTime, bTime) != 0) return false; - } else if (X509_cmp_current_time(X509_get_notBefore(cert)) >= 0) { + } else if (X509_cmp_current_time(X509_getm_notBefore(cert)) >= 0) { // notBefore does not exist (=0) or it is in the future (>0) return false; } if (!properties.setValidAfter) { - ASN1_TIME *aTime = X509_get_notAfter(cert); - ASN1_TIME *bTime = X509_get_notAfter(cert2); + const auto aTime = X509_getm_notAfter(cert); + const auto bTime = X509_getm_notAfter(cert2); if (asn1time_cmp(aTime, bTime) != 0) return false; - } else if (X509_cmp_current_time(X509_get_notAfter(cert)) <= 0) { + } else if (X509_cmp_current_time(X509_getm_notAfter(cert)) <= 0) { // notAfter does not exist (0) or it is in the past (<0) return false; } @@ -948,18 +938,10 @@ const ASN1_BIT_STRING * Ssl::X509_get_signature(const Security::CertPointer &cert) { -#if HAVE_LIBCRYPTO_X509_GET0_SIGNATURE -#if SQUID_USE_CONST_X509_GET0_SIGNATURE_ARGS - const ASN1_BIT_STRING *sig = nullptr; - const X509_ALGOR *sig_alg = nullptr; -#else - ASN1_BIT_STRING *sig = nullptr; - X509_ALGOR *sig_alg = nullptr; -#endif + SQUID_CONST_X509_GET0_SIGNATURE_ARGS ASN1_BIT_STRING *sig = nullptr; + SQUID_CONST_X509_GET0_SIGNATURE_ARGS X509_ALGOR *sig_alg = nullptr; + X509_get0_signature(&sig, &sig_alg, cert.get()); return sig; -#else - return cert->signature; -#endif } diff -u -r -N squid-4.3/src/ssl/gadgets.h squid-4.4/src/ssl/gadgets.h --- squid-4.3/src/ssl/gadgets.h 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/ssl/gadgets.h 2018-10-28 09:44:55.000000000 +1300 
@@ -13,12 +13,18 @@ #include "security/forward.h" #include "ssl/crtd_message.h" +#if USE_OPENSSL +#include "compat/openssl.h" +#if HAVE_OPENSSL_ASN1_H +#include +#endif #if HAVE_OPENSSL_TXT_DB_H #include #endif #if HAVE_OPENSSL_X509V3_H #include #endif +#endif #include namespace Ssl @@ -29,12 +35,6 @@ because they are used by security_file_certgen helper. */ -#if SQUID_USE_CONST_SSL_METHOD -typedef const SSL_METHOD * ContextMethod; -#else -typedef SSL_METHOD * ContextMethod; -#endif - #if !defined(SQUID_SSL_SIGN_HASH_IF_NONE) #define SQUID_SSL_SIGN_HASH_IF_NONE "sha256" #endif diff -u -r -N squid-4.3/src/ssl/support.cc squid-4.4/src/ssl/support.cc --- squid-4.3/src/ssl/support.cc 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/ssl/support.cc 2018-10-28 09:44:55.000000000 +1300 @@ -97,18 +97,34 @@ static RSA * ssl_temp_rsa_cb(SSL * ssl, int anInt, int keylen) { - static RSA *rsa_512 = NULL; - static RSA *rsa_1024 = NULL; - RSA *rsa = NULL; + static RSA *rsa_512 = nullptr; + static RSA *rsa_1024 = nullptr; + static BIGNUM *e = nullptr; + RSA *rsa = nullptr; int newkey = 0; + if (!e) { + e = BN_new(); + if (!e || !BN_set_word(e, RSA_F4)) { + debugs(83, DBG_IMPORTANT, "ssl_temp_rsa_cb: Failed to set exponent for key " << keylen); + BN_free(e); + e = nullptr; + return nullptr; + } + } + switch (keylen) { case 512: if (!rsa_512) { - rsa_512 = RSA_generate_key(512, RSA_F4, NULL, NULL); - newkey = 1; + rsa_512 = RSA_new(); + if (rsa_512 && RSA_generate_key_ex(rsa_512, 512, e, nullptr)) { + newkey = 1; + } else { + RSA_free(rsa_512); + rsa_512 = nullptr; + } } rsa = rsa_512; @@ -117,8 +133,13 @@ case 1024: if (!rsa_1024) { - rsa_1024 = RSA_generate_key(1024, RSA_F4, NULL, NULL); - newkey = 1; + rsa_1024 = RSA_new(); + if (rsa_1024 && RSA_generate_key_ex(rsa_1024, 1024, e, nullptr)) { + newkey = 1; + } else { + RSA_free(rsa_1024); + rsa_1024 = nullptr; + } } rsa = rsa_1024; 
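Review bot: `ssl_temp_rsa_cb` still generates and caches 512-bit and 1024-bit temporary RSA keys (`case 512:` in the @@ -97 hunk and `case 1024:` in the @@ -117 hunk); the patch only swaps the generator call. Keys of that size are below current minimums, and temporary-RSA key exchange exists only for export cipher suites. I would log the request and return `nullptr` for these lengths rather than port the path to the new API. Separately, when `RSA_generate_key_ex()` fails the branch resets the pointer without a message; a `debugs(83, DBG_IMPORTANT, ...)` line like the one on the exponent failure would make that visible. The function continues outside both hunks.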
@@ -232,13 +253,6 @@ return matchX509CommonNames(cert, (void *)server, check_domain); } -#if !HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT -static inline X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) -{ - return ctx->cert; -} -#endif - /// \ingroup ServerProtocolSSLInternal static int ssl_verify_cb(int ok, X509_STORE_CTX * ctx) @@ -469,8 +483,7 @@ return; initialized = true; - SSL_load_error_strings(); - SSLeay_add_ssl_algorithms(); + SQUID_OPENSSL_init_ssl(); #if HAVE_OPENSSL_ENGINE_H if (::Config.SSL.ssl_engine) { @@ -905,8 +918,8 @@ #endif if (!cert) return false; - ASN1_TIME * time_notBefore = X509_get_notBefore(cert); - ASN1_TIME * time_notAfter = X509_get_notAfter(cert); + const auto time_notBefore = X509_getm_notBefore(cert); + const auto time_notAfter = X509_getm_notAfter(cert); return (X509_cmp_current_time(time_notBefore) < 0 && X509_cmp_current_time(time_notAfter) > 0); } @@ -949,11 +962,7 @@ if (ad->location->type == GEN_URI) { xstrncpy(uri, reinterpret_cast( -#if HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA ASN1_STRING_get0_data(ad->location->d.uniformResourceIdentifier) -#else - ASN1_STRING_data(ad->location->d.uniformResourceIdentifier) -#endif ), sizeof(uri)); } @@ -1115,12 +1124,8 @@ { debugs(83, 2, "completing " << sk_X509_num(untrustedCerts) << " OpenSSL untrusted certs using " << SquidUntrustedCerts.size() << " configured untrusted certificates"); -#if HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH const X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx); int depth = X509_VERIFY_PARAM_get_depth(param); -#else - int depth = ctx->param->depth; -#endif X509 *current = X509_STORE_CTX_get0_cert(ctx); int i = 0; for (i = 0; current && (i < depth); ++i) { 
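Review bot: In the @@ -949 hunk, `xstrncpy(uri, ..., sizeof(uri))` treats the bytes of `ad->location->d.uniformResourceIdentifier` as a C string. A value with an embedded NUL is silently truncated and an over-long one is cut at the buffer size, and the shortened text is what later code sees. The field comes from certificate content, so it should be validated rather than trimmed. Comparing `ASN1_STRING_length(ad->location->d.uniformResourceIdentifier)` with `strlen(uri)` after the copy, and skipping the entry on mismatch, would reject both cases. The function body extends beyond the hunk, so how `uri` is used afterwards is not visible here.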
@@ -1155,11 +1160,7 @@ // OpenSSL already maintains ctx->untrusted but we cannot modify // internal OpenSSL list directly. We have to give OpenSSL our own // list, but it must include certificates on the OpenSSL ctx->untrusted -#if HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED STACK_OF(X509) *oldUntrusted = X509_STORE_CTX_get0_untrusted(ctx); -#else - STACK_OF(X509) *oldUntrusted = ctx->untrusted; -#endif STACK_OF(X509) *sk = sk_X509_dup(oldUntrusted); // oldUntrusted is always not NULL for (int i = 0; i < sk_X509_num(sslUntrustedStack); ++i) { @@ -1172,13 +1173,9 @@ if (SquidUntrustedCerts.size() > 0) completeIssuers(ctx, sk); - X509_STORE_CTX_set_chain(ctx, sk); // No locking/unlocking, just sets ctx->untrusted + X509_STORE_CTX_set0_untrusted(ctx, sk); // No locking/unlocking, just sets ctx->untrusted int ret = X509_verify_cert(ctx); -#if HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED - X509_STORE_CTX_set0_untrusted(ctx, oldUntrusted); -#else - X509_STORE_CTX_set_chain(ctx, oldUntrusted); // Set back the old untrusted list -#endif + X509_STORE_CTX_set0_untrusted(ctx, oldUntrusted); // Set back the old untrusted list sk_X509_free(sk); // Release sk list return ret; } diff -u -r -N squid-4.3/src/ssl/support.h squid-4.4/src/ssl/support.h --- squid-4.3/src/ssl/support.h 2018-10-01 07:57:54.000000000 +1300 +++ squid-4.4/src/ssl/support.h 2018-10-28 09:44:55.000000000 +1300 @@ -15,6 +15,7 @@ #include "base/CbDataList.h" #include "comm/forward.h" +#include "compat/openssl.h" #include "sbuf/SBuf.h" #include "security/forward.h" #include "ssl/gadgets.h" diff -u -r -N squid-4.3/src/store/id_rewriters/file/storeid_file_rewrite.8 squid-4.4/src/store/id_rewriters/file/storeid_file_rewrite.8 --- squid-4.3/src/store/id_rewriters/file/storeid_file_rewrite.8 2018-10-01 08:34:34.000000000 +1300 +++ squid-4.4/src/store/id_rewriters/file/storeid_file_rewrite.8 2018-10-28 09:56:44.000000000 +1300 
@@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "STOREID_FILE_REWRITE 8" -.TH STOREID_FILE_REWRITE 8 "2018-09-30" "perl v5.26.2" "User Contributed Perl Documentation" +.TH STOREID_FILE_REWRITE 8 "2018-10-27" "perl v5.26.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-4.3/tools/helper-mux/helper-mux.8 squid-4.4/tools/helper-mux/helper-mux.8 --- squid-4.3/tools/helper-mux/helper-mux.8 2018-10-01 08:34:36.000000000 +1300 +++ squid-4.4/tools/helper-mux/helper-mux.8 2018-10-28 09:56:47.000000000 +1300 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "HELPER-MUX 8" -.TH HELPER-MUX 8 "2018-09-30" "perl v5.26.2" "User Contributed Perl Documentation" +.TH HELPER-MUX 8 "2018-10-27" "perl v5.26.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l