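--- a/www/squid/Makefile
+++ b/www/squid/Makefile
@@ -1,8 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	squid
-PORTVERSION=	4.11
+PORTVERSION=	4.12
-PORTREVISION=	2
 CATEGORIES=	www
 MASTER_SITES=	http://www.squid-cache.org/Versions/v4/ \
 		http://www2.us.squid-cache.org/Versions/v4/ \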
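--- a/www/squid/distinfo
+++ b/www/squid/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1588493552
+TIMESTAMP = 1592516847
-SHA256 (squid-4.11.tar.xz) = 4ed947612410263f57ad0e39bfd087e60fb714f028d7d3b0e469943efd34287d
+SHA256 (squid-4.12.tar.xz) = f42a03c8b3dc020722c88bf1a87da8cb0c087b2f66b41d8256c77ee1b527e317
-SIZE (squid-4.11.tar.xz) = 2447700
+SIZE (squid-4.12.tar.xz) = 2450564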
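--- a/www/squid/files/patch-configure
+++ b/www/squid/files/patch-configure
@@ -1,6 +1,6 @@
---- configure.orig	2020-04-19 12:39:06 UTC
+--- configure.orig	2020-06-18 21:56:43 UTC
 +++ configure
-@@ -35077,7 +35077,7 @@ done
+@@ -35092,7 +35092,7 @@ done
  ##
  
  BUILD_HELPER="NIS"
@@ -9,7 +9,7 @@
  do :
    as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
  ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "
-@@ -35092,8 +35092,10 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+@@ -35107,8 +35107,10 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
  #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
  _ACEOF
  
@@ -22,7 +22,7 @@
  fi
  
  done
-@@ -35566,7 +35568,7 @@ done
+@@ -35581,7 +35583,7 @@ done
  
    # unconditionally requires crypt(3), for now
    if test "x$ac_cv_func_crypt" != "x"; then
@@ -31,7 +31,7 @@
  do :
    as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
  ac_fn_cxx_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
-@@ -37958,7 +37960,7 @@ for ac_header in \
+@@ -37973,7 +37975,7 @@ for ac_header in \
    arpa/nameser.h \
    assert.h \
    bstring.h \
@@ -40,53 +40,3 @@
    ctype.h \
    direct.h \
    errno.h \
-@@ -38166,6 +38168,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" 
- #include <netinet/ip.h>
- #endif
- #if HAVE_NETINET_IP_COMPAT_H
-+#include <net/if.h>	/* IFNAMSIZ */
- #include <netinet/ip_compat.h>
- #endif
- #if HAVE_NETINET_IP_FIL_H
-@@ -42213,6 +42216,7 @@ if test "x$enable_ipf_transparent" != "xno" ; then
- #     include <sys/ioccom.h>
- #     include <netinet/in.h>
- 
-+#     include <net/if.h>	/* IFNAMSIZ */
- #     include <netinet/ip_compat.h>
- #     include <netinet/ip_fil.h>
- #     include <netinet/ip_nat.h>
-@@ -42243,6 +42247,7 @@ else
- #       include <sys/ioccom.h>
- #       include <netinet/in.h>
- #undef minor_t
-+#       include <net/if.h>	/* IFNAMSIZ */
- #       include <netinet/ip_compat.h>
- #       include <netinet/ip_fil.h>
- #       include <netinet/ip_nat.h>
-@@ -42287,6 +42292,7 @@ _ACEOF
- 	ip_fil_compat.h \
- 	ip_fil.h \
- 	ip_nat.h \
-+	net/if.h \
- 	netinet/ip_compat.h \
- 	netinet/ip_fil_compat.h \
- 	netinet/ip_fil.h \
-@@ -42316,6 +42322,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" 
- #if HAVE_IP_COMPAT_H
- #include <ip_compat.h>
- #elif HAVE_NETINET_IP_COMPAT_H
-+#include <net/if.h>	/* IFNAMSIZ */
- #include <netinet/ip_compat.h>
- #endif
- #if HAVE_IP_FIL_H
-@@ -42379,8 +42386,7 @@ _ACEOF
- 
- 
- fi
--ac_fn_cxx_check_member "$LINENO" "struct natlookup" "nl_realipaddr.in6"
--   "ac_cv_member_struct_natlookup_nl_realipaddr_in6___" "
-+ac_fn_cxx_check_member "$LINENO" "struct natlookup" "nl_realipaddr.in6" "ac_cv_member_struct_natlookup_nl_realipaddr_in6___" "
- #if USE_SOLARIS_IPFILTER_MINOR_T_HACK
- #define minor_t fubar
- #endif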
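--- a/www/squid/files/patch-src_acl_external_eDirectory__userip_ext__edirectory__userip__acl.cc
+++ b/www/squid/files/patch-src_acl_external_eDirectory__userip_ext__edirectory__userip__acl.cc
@@ -1,15 +0,0 @@
---- src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc.orig	2020-04-19 12:38:51 UTC
-+++ src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc
-@@ -69,6 +69,12 @@
- #ifdef HAVE_NETDB_H
- #include <netdb.h>
- #endif
-+#ifdef HAVE_SYS_SOCKET_H
-+#include <sys/socket.h>
-+#endif
-+#ifdef HAVE_NETINET_IN_H
-+#include <netinet/in.h>
-+#endif
- 
- #ifdef HELPER_INPUT_BUFFER
- #define EDUI_MAXLEN     HELPER_INPUT_BUFFER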
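--- a/www/squid/files/patch-src_acl_external_kerberos__ldap__group_support__krb5.cc
+++ b/www/squid/files/patch-src_acl_external_kerberos__ldap__group_support__krb5.cc
@@ -1,19 +0,0 @@
---- src/acl/external/kerberos_ldap_group/support_krb5.cc.orig	2020-04-19 12:38:51 UTC
-+++ src/acl/external/kerberos_ldap_group/support_krb5.cc
-@@ -467,10 +467,15 @@ krb5_create_cache(char *domain, char *service_principa
-                 }
- 
-                 // overwrite limitation of enctypes
-+#if USE_HEIMDAL_KRB5
-+                creds->session.keytype = 0;
-+                if (creds->session.keyvalue.length>0)
-+                    krb5_free_keyblock_contents(kparam.context, &creds->session);
-+#else
-                 creds->keyblock.enctype = 0;
-                 if (creds->keyblock.contents)
-                     krb5_free_keyblock_contents(kparam.context, &creds->keyblock);
--
-+#endif
-                 code = krb5_get_credentials(kparam.context, 0, kparam.cc[ccindex], creds, &tgt_creds);
-                 if (code) {
-                     k5_error("Error while getting tgt", code);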
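--- a/www/squid/files/patch-src_security_Handshake.cc
+++ b/www/squid/files/patch-src_security_Handshake.cc
@@ -0,0 +1,153 @@
+Address GREASEd issues:
+
+https://github.com/squid-cache/squid/pull/663
+https://www.spinics.net/lists/squid/msg92728.html
+https://www.spinics.net/lists/squid/msg92814.html
+
+--- src/security/Handshake.cc.orig	2020-07-09 17:27:31 UTC
++++ src/security/Handshake.cc
+@@ -9,6 +9,7 @@
+ /* DEBUG: section 83    SSL-Bump Server/Peer negotiation */
+ 
+ #include "squid.h"
++#include "sbuf/Stream.h"
+ #include "security/Handshake.h"
+ #if USE_OPENSSL
+ #include "ssl/support.h"
+@@ -104,25 +105,52 @@ class Extension (public)
+ typedef std::unordered_set<Extension::Type> Extensions;
+ static Extensions SupportedExtensions();
+ 
+-} // namespace Security
+-
+ /// parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion
++/// \retval PROTO_NONE for unsupported values (in relaxed mode)
+ static AnyP::ProtocolVersion
+-ParseProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel = ".version")
++ParseProtocolVersionBase(Parser::BinaryTokenizer &tk, const char *contextLabel, const bool beStrict)
+ {
+     Parser::BinaryTokenizerContext context(tk, contextLabel);
+     uint8_t vMajor = tk.uint8(".major");
+     uint8_t vMinor = tk.uint8(".minor");
++
+     if (vMajor == 0 && vMinor == 2)
+         return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 2, 0);
+ 
+-    Must(vMajor == 3);
+-    if (vMinor == 0)
+-        return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
++    if (vMajor == 3) {
++        if (vMinor == 0)
++            return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
++        return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
++    }
+ 
+-    return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
++    /* handle unsupported versions */
++
++    const uint16_t vRaw = (vMajor << 8) | vMinor;
++    debugs(83, 7, "unsupported: " << asHex(vRaw));
++    if (beStrict)
++        throw TextException(ToSBuf("unsupported TLS version: ", asHex(vRaw)), Here());
++    // else hide unsupported version details from the caller behind PROTO_NONE
++    return AnyP::ProtocolVersion();
+ }
+ 
++/// parse a framing-related TLS ProtocolVersion
++/// \returns a supported SSL or TLS Anyp::ProtocolVersion, never PROTO_NONE
++static AnyP::ProtocolVersion
++ParseProtocolVersion(Parser::BinaryTokenizer &tk)
++{
++    return ParseProtocolVersionBase(tk, ".version", true);
++}
++
++/// parse a framing-unrelated TLS ProtocolVersion
++/// \retval PROTO_NONE for unsupported values
++static AnyP::ProtocolVersion
++ParseOptionalProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel)
++{
++    return ParseProtocolVersionBase(tk, contextLabel, false);
++}
++
++} // namespace Security
++
+ Security::TLSPlaintext::TLSPlaintext(Parser::BinaryTokenizer &tk)
+ {
+     Parser::BinaryTokenizerContext context(tk, "TLSPlaintext");
+@@ -431,6 +459,8 @@ Security::HandshakeParser::parseExtensions(const SBuf 
+             break;
+         case 16: { // Application-Layer Protocol Negotiation Extension, RFC 7301
+             Parser::BinaryTokenizer tkAPN(extension.data);
++            // Store the entire protocol list, including unsupported-by-Squid
++            // values (if any). We have to use all when peeking at the server.
+             details->tlsAppLayerProtoNeg = tkAPN.pstring16("APN");
+             break;
+         }
+@@ -441,8 +471,9 @@ Security::HandshakeParser::parseExtensions(const SBuf 
+         case 43: // supported_versions extension; RFC 8446
+             parseSupportedVersionsExtension(extension.data);
+             break;
+-        case 13172: // Next Protocol Negotiation Extension (expired draft?)
+         default:
++            // other extensions, including those that Squid does not support, do
++            // not require special handling here, but see unsupportedExtensions
+             break;
+         }
+     }
+@@ -455,7 +486,7 @@ Security::HandshakeParser::parseCiphers(const SBuf &ra
+     Parser::BinaryTokenizer tk(raw);
+     while (!tk.atEnd()) {
+         const uint16_t cipher = tk.uint16("cipher");
+-        details->ciphers.insert(cipher);
++        details->ciphers.insert(cipher); // including Squid-unsupported ones
+     }
+ }
+ 
+@@ -473,7 +504,7 @@ Security::HandshakeParser::parseV23Ciphers(const SBuf 
+         const uint8_t prefix = tk.uint8("prefix");
+         const uint16_t cipher = tk.uint16("cipher");
+         if (prefix == 0)
+-            details->ciphers.insert(cipher);
++            details->ciphers.insert(cipher); // including Squid-unsupported ones
+     }
+ }
+ 
+@@ -486,6 +517,7 @@ Security::HandshakeParser::parseServerHelloHandshakeMe
+     details->tlsSupportedVersion = ParseProtocolVersion(tk);
+     tk.skip(HelloRandomSize, ".random");
+     details->sessionId = tk.pstring8(".session_id");
++    // cipherSuite may be unsupported by a peeking Squid
+     details->ciphers.insert(tk.uint16(".cipher_suite"));
+     details->compressionSupported = tk.uint8(".compression_method") != 0; // not null
+     if (!tk.atEnd()) // extensions present
+@@ -554,12 +586,15 @@ Security::HandshakeParser::parseSupportedVersionsExten
+         Parser::BinaryTokenizer tkList(extensionData);
+         Parser::BinaryTokenizer tkVersions(tkList.pstring8("SupportedVersions"));
+         while (!tkVersions.atEnd()) {
+-            const auto version = ParseProtocolVersion(tkVersions, "supported_version");
++            const auto version = ParseOptionalProtocolVersion(tkVersions, "supported_version");
++            // ignore values unsupported by Squid,represented by a falsy version
++            if (!version)
++                continue;
+             if (!supportedVersionMax || TlsVersionEarlierThan(supportedVersionMax, version))
+                 supportedVersionMax = version;
+         }
+ 
+-        // ignore empty supported_versions
++        // ignore empty and ignored-values-only supported_versions
+         if (!supportedVersionMax)
+             return;
+ 
+@@ -569,7 +604,11 @@ Security::HandshakeParser::parseSupportedVersionsExten
+     } else {
+         assert(messageSource == fromServer);
+         Parser::BinaryTokenizer tkVersion(extensionData);
+-        const auto version = ParseProtocolVersion(tkVersion, "selected_version");
++        const auto version = ParseOptionalProtocolVersion(tkVersion, "selected_version");
++        // Ignore values unsupported by Squid. There should not be any until we
++        // start seeing TLS v2+, but they do not affect TLS framing anyway.
++        if (!version)
++            return;
+         // RFC 8446 Section 4.2.1:
+         // A server which negotiates a version of TLS prior to TLS 1.3 [...]
+         // MUST NOT send the "supported_versions" extension.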
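Review bot: The header comment of this new patch file records what it addresses but not that the change is a backport of something already merged upstream, which is the fact a later maintainer needs when deciding whether the file can be dropped at the next PORTVERSION bump; the first link in the header points at squid-cache PR 663, so that appears to be the source. A leading line such as `Backport of https://github.com/squid-cache/squid/pull/663 (GREASE-tolerant handshake parsing); drop once PORTVERSION includes it.` would make the refresh obligation explicit. The ported code itself reads consistently: the strict framing path now throws a TextException naming the raw version where it previously relied on a bare `Must(vMajor == 3)`, and the relaxed path returns PROTO_NONE so that unsupported supported_versions entries are skipped rather than aborting the parse.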
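--- a/www/squid/files/squid.in
+++ b/www/squid/files/squid.in
@@ -29,6 +29,14 @@
 #		you want to run Squid in reverse proxy setups or if you want
 #		Squid to listen on a "privileged" port < 1024.
 #
+# squid_group:	The group id that should be used to run the Squid master
+#		process. Default: squid
+#		Note that it affects squid pid dir also, where SHM files
+#		may be stored on some OS (see r391555)
+#
+# squid_maxwait:	Seconds to wait for squid PID file
+#		Default: 10
+#
 # squid_pidfile:
 #		The name (including the full path) of the Squid
 #		master process' PID file.
@@ -74,7 +82,9 @@ squid_load_rc_config()
 	: ${squid_enable:=NO}
 	: ${squid_program:=%%PREFIX%%/sbin/squid}
 	: ${squid_pidfile:=/var/run/squid/squid.pid}
+	: ${squid_maxwait:=10}
 	: ${squid_user:=squid}
+	: ${squid_group:=squid}
 
 	required_args="-f ${squid_conf}"
 	required_dirs=$chdir
@@ -87,6 +97,13 @@ squid_load_rc_config()
 
 squid_prestart()
 {
+	# create piddir if it's missing (for example if /var/run is tmpfs)
+	squid_piddir=${pidfile%/*}
+	if [ ! -d "${squid_piddir}" ]; then
+		echo "Creating PID directory ${squid_piddir}"
+		mkdir ${squid_piddir} && chown ${squid_user}:${squid_group} ${squid_piddir} && chmod 750 ${squid_piddir}|| return $?
+	fi
+
 	# setup KRB5_KTNAME:
 	squid_krb5_ktname=${squid_krb5_ktname:-"NONE"}
 	if [ "${squid_krb5_ktname}" != "NONE" ]; then
@@ -137,8 +154,15 @@ squid_getpid()
 	# retrieve the PID of the Squid master process explicitly here
 	# in case rc.subr was unable to determine it:
 	if [ -z "$rc_pid" ]; then
+		squid_secs=0
 		while ! [ -f ${pidfile} ]; do
+			if [ ${squid_maxwait} -le ${squid_secs} ]; then
+				echo "give up waiting for pidfile"
+				break
+			fi
 			sleep 1
+			echo -n "."
+			: $(( squid_secs+=1 ))
 		done
 		read _pid _junk <${pidfile}
 		[ -z "${_pid}" ] || pid=${_pid}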
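Review bot: After the new timeout branch in squid_getpid `break`s out of the wait loop, control still falls through to `read _pid _junk <${pidfile}` on a file the loop has just established is absent, so the give-up path prints a shell redirection error instead of finishing quietly with `pid` unchanged. Guarding that read, `[ -f "${pidfile}" ] && read _pid _junk <"${pidfile}"`, keeps the timeout path clean and also quotes `${pidfile}` the way the `-d` test in squid_prestart already quotes `${squid_piddir}`. `squid_maxwait` reaches the `-le` test unvalidated, so a non-numeric rc.conf value would make the test itself fail on every iteration; presumably acceptable for a root-set knob, but a one-line integer check next to the `: ${squid_maxwait:=10}` default would surface the misconfiguration earlier. The squid_getpid function begins before this hunk and its body continues past it.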
