

(-)squid/Makefile (-2 / +1 lines)
Lines 1-8 Link Here
1
# $FreeBSD: head/www/squid/Makefile 535391 2020-05-16 10:51:32Z sunpoet $
1
# $FreeBSD: head/www/squid/Makefile 535391 2020-05-16 10:51:32Z sunpoet $
2
2
3
PORTNAME=	squid
3
PORTNAME=	squid
4
PORTVERSION=	4.11
4
PORTVERSION=	4.12
5
PORTREVISION=	2
6
CATEGORIES=	www
5
CATEGORIES=	www
7
MASTER_SITES=	http://www.squid-cache.org/Versions/v4/ \
6
MASTER_SITES=	http://www.squid-cache.org/Versions/v4/ \
8
		http://www2.us.squid-cache.org/Versions/v4/ \
7
		http://www2.us.squid-cache.org/Versions/v4/ \
(-)squid/distinfo (-3 / +3 lines)
Lines 1-3 Link Here
1
TIMESTAMP = 1588493552
1
TIMESTAMP = 1592288810
2
SHA256 (squid-4.11.tar.xz) = 4ed947612410263f57ad0e39bfd087e60fb714f028d7d3b0e469943efd34287d
2
SHA256 (squid-4.12.tar.xz) = f42a03c8b3dc020722c88bf1a87da8cb0c087b2f66b41d8256c77ee1b527e317
3
SIZE (squid-4.11.tar.xz) = 2447700
3
SIZE (squid-4.12.tar.xz) = 2450564
(-)squid/files/patch-configure (-20 / +10 lines)
Lines 1-6 Link Here
1
--- configure.orig	2020-04-19 12:39:06 UTC
1
--- configure.orig	2020-06-09 07:15:48 UTC
2
+++ configure
2
+++ configure
3
@@ -35077,7 +35077,7 @@ done
3
@@ -35092,7 +35092,7 @@ done
4
 ##
4
 ##
5
 
5
 
6
 BUILD_HELPER="NIS"
6
 BUILD_HELPER="NIS"
Lines 9-15 Link Here
9
 do :
9
 do :
10
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
10
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
11
 ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "
11
 ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "
12
@@ -35092,8 +35092,10 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
12
@@ -35107,8 +35107,10 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
13
 #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
13
 #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
14
 _ACEOF
14
 _ACEOF
15
 
15
 
Lines 22-28 Link Here
22
 fi
22
 fi
23
 
23
 
24
 done
24
 done
25
@@ -35566,7 +35568,7 @@ done
25
@@ -35581,7 +35583,7 @@ done
26
 
26
 
27
   # unconditionally requires crypt(3), for now
27
   # unconditionally requires crypt(3), for now
28
   if test "x$ac_cv_func_crypt" != "x"; then
28
   if test "x$ac_cv_func_crypt" != "x"; then
Lines 31-37 Link Here
31
 do :
31
 do :
32
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
32
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
33
 ac_fn_cxx_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
33
 ac_fn_cxx_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
34
@@ -37958,7 +37960,7 @@ for ac_header in \
34
@@ -37973,7 +37975,7 @@ for ac_header in \
35
   arpa/nameser.h \
35
   arpa/nameser.h \
36
   assert.h \
36
   assert.h \
37
   bstring.h \
37
   bstring.h \
Lines 40-46 Link Here
40
   ctype.h \
40
   ctype.h \
41
   direct.h \
41
   direct.h \
42
   errno.h \
42
   errno.h \
43
@@ -38166,6 +38168,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" 
43
@@ -38181,6 +38183,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" 
44
 #include <netinet/ip.h>
44
 #include <netinet/ip.h>
45
 #endif
45
 #endif
46
 #if HAVE_NETINET_IP_COMPAT_H
46
 #if HAVE_NETINET_IP_COMPAT_H
Lines 48-54 Link Here
48
 #include <netinet/ip_compat.h>
48
 #include <netinet/ip_compat.h>
49
 #endif
49
 #endif
50
 #if HAVE_NETINET_IP_FIL_H
50
 #if HAVE_NETINET_IP_FIL_H
51
@@ -42213,6 +42216,7 @@ if test "x$enable_ipf_transparent" != "xno" ; then
51
@@ -42228,6 +42231,7 @@ if test "x$enable_ipf_transparent" != "xno" ; then
52
 #     include <sys/ioccom.h>
52
 #     include <sys/ioccom.h>
53
 #     include <netinet/in.h>
53
 #     include <netinet/in.h>
54
 
54
 
Lines 56-62 Link Here
56
 #     include <netinet/ip_compat.h>
56
 #     include <netinet/ip_compat.h>
57
 #     include <netinet/ip_fil.h>
57
 #     include <netinet/ip_fil.h>
58
 #     include <netinet/ip_nat.h>
58
 #     include <netinet/ip_nat.h>
59
@@ -42243,6 +42247,7 @@ else
59
@@ -42258,6 +42262,7 @@ else
60
 #       include <sys/ioccom.h>
60
 #       include <sys/ioccom.h>
61
 #       include <netinet/in.h>
61
 #       include <netinet/in.h>
62
 #undef minor_t
62
 #undef minor_t
Lines 64-70 Link Here
64
 #       include <netinet/ip_compat.h>
64
 #       include <netinet/ip_compat.h>
65
 #       include <netinet/ip_fil.h>
65
 #       include <netinet/ip_fil.h>
66
 #       include <netinet/ip_nat.h>
66
 #       include <netinet/ip_nat.h>
67
@@ -42287,6 +42292,7 @@ _ACEOF
67
@@ -42302,6 +42307,7 @@ _ACEOF
68
 	ip_fil_compat.h \
68
 	ip_fil_compat.h \
69
 	ip_fil.h \
69
 	ip_fil.h \
70
 	ip_nat.h \
70
 	ip_nat.h \
Lines 72-78 Link Here
72
 	netinet/ip_compat.h \
72
 	netinet/ip_compat.h \
73
 	netinet/ip_fil_compat.h \
73
 	netinet/ip_fil_compat.h \
74
 	netinet/ip_fil.h \
74
 	netinet/ip_fil.h \
75
@@ -42316,6 +42322,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" 
75
@@ -42331,6 +42337,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" 
76
 #if HAVE_IP_COMPAT_H
76
 #if HAVE_IP_COMPAT_H
77
 #include <ip_compat.h>
77
 #include <ip_compat.h>
78
 #elif HAVE_NETINET_IP_COMPAT_H
78
 #elif HAVE_NETINET_IP_COMPAT_H
Lines 80-92 Link Here
80
 #include <netinet/ip_compat.h>
80
 #include <netinet/ip_compat.h>
81
 #endif
81
 #endif
82
 #if HAVE_IP_FIL_H
82
 #if HAVE_IP_FIL_H
83
@@ -42379,8 +42386,7 @@ _ACEOF
84
 
85
 
86
 fi
87
-ac_fn_cxx_check_member "$LINENO" "struct natlookup" "nl_realipaddr.in6"
88
-   "ac_cv_member_struct_natlookup_nl_realipaddr_in6___" "
89
+ac_fn_cxx_check_member "$LINENO" "struct natlookup" "nl_realipaddr.in6" "ac_cv_member_struct_natlookup_nl_realipaddr_in6___" "
90
 #if USE_SOLARIS_IPFILTER_MINOR_T_HACK
91
 #define minor_t fubar
92
 #endif
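--- a/squid/files/patch-src_acl_external_eDirectory__userip_ext__edirectory__userip__acl.cc
+++ b/squid/files/patch-src_acl_external_eDirectory__userip_ext__edirectory__userip__acl.cc
@@ -1,15 +0,0 @@
---- src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc.orig	2020-04-19 12:38:51 UTC
-+++ src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc
-@@ -69,6 +69,12 @@
- #ifdef HAVE_NETDB_H
- #include <netdb.h>
- #endif
-+#ifdef HAVE_SYS_SOCKET_H
-+#include <sys/socket.h>
-+#endif
-+#ifdef HAVE_NETINET_IN_H
-+#include <netinet/in.h>
-+#endif
- 
- #ifdef HELPER_INPUT_BUFFER
- #define EDUI_MAXLEN     HELPER_INPUT_BUFFER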
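--- a/squid/files/patch-src_acl_external_kerberos__ldap__group_support__krb5.cc
+++ b/squid/files/patch-src_acl_external_kerberos__ldap__group_support__krb5.cc
@@ -1,19 +0,0 @@
---- src/acl/external/kerberos_ldap_group/support_krb5.cc.orig	2020-04-19 12:38:51 UTC
-+++ src/acl/external/kerberos_ldap_group/support_krb5.cc
-@@ -467,10 +467,15 @@ krb5_create_cache(char *domain, char *service_principa
-                 }
- 
-                 // overwrite limitation of enctypes
-+#if USE_HEIMDAL_KRB5
-+                creds->session.keytype = 0;
-+                if (creds->session.keyvalue.length>0)
-+                    krb5_free_keyblock_contents(kparam.context, &creds->session);
-+#else
-                 creds->keyblock.enctype = 0;
-                 if (creds->keyblock.contents)
-                     krb5_free_keyblock_contents(kparam.context, &creds->keyblock);
--
-+#endif
-                 code = krb5_get_credentials(kparam.context, 0, kparam.cc[ccindex], creds, &tgt_creds);
-                 if (code) {
-                     k5_error("Error while getting tgt", code);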
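--- a/squid/files/patch-src_security_Handshake.cc
+++ b/squid/files/patch-src_security_Handshake.cc
@@ -0,0 +1,147 @@
+--- src/security/Handshake.cc.orig	2020-06-07 15:42:16 UTC
++++ src/security/Handshake.cc
+@@ -9,6 +9,7 @@
+ /* DEBUG: section 83    SSL-Bump Server/Peer negotiation */
+ 
+ #include "squid.h"
++#include "sbuf/Stream.h"
+ #include "security/Handshake.h"
+ #if USE_OPENSSL
+ #include "ssl/support.h"
+@@ -104,25 +105,52 @@ class Extension (public)
+ typedef std::unordered_set<Extension::Type> Extensions;
+ static Extensions SupportedExtensions();
+ 
+-} // namespace Security
+-
+ /// parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion
++/// \retval PROTO_NONE for unsupported values (in relaxed mode)
+ static AnyP::ProtocolVersion
+-ParseProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel = ".version")
++ParseProtocolVersionBase(Parser::BinaryTokenizer &tk, const char *contextLabel, const bool beStrict)
+ {
+     Parser::BinaryTokenizerContext context(tk, contextLabel);
+     uint8_t vMajor = tk.uint8(".major");
+     uint8_t vMinor = tk.uint8(".minor");
++
+     if (vMajor == 0 && vMinor == 2)
+         return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 2, 0);
+ 
+-    Must(vMajor == 3);
+-    if (vMinor == 0)
+-        return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
++    if (vMajor == 3) {
++        if (vMinor == 0)
++            return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
++        return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
++    }
+ 
+-    return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
++    /* handle unsupported versions */
++
++    const uint16_t vRaw = (vMajor << 8) | vMinor;
++    debugs(83, 7, "unsupported: " << asHex(vRaw));
++    if (beStrict)
++        throw TextException(ToSBuf("unsupported TLS version: ", asHex(vRaw)), Here());
++    // else hide unsupported version details from the caller behind PROTO_NONE
++    return AnyP::ProtocolVersion();
+ }
+ 
++/// parse a framing-related TLS ProtocolVersion
++/// \returns a supported SSL or TLS Anyp::ProtocolVersion, never PROTO_NONE
++static AnyP::ProtocolVersion
++ParseProtocolVersion(Parser::BinaryTokenizer &tk)
++{
++    return ParseProtocolVersionBase(tk, ".version", true);
++}
++
++/// parse a framing-unrelated TLS ProtocolVersion
++/// \retval PROTO_NONE for unsupported values
++static AnyP::ProtocolVersion
++ParseOptionalProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel)
++{
++    return ParseProtocolVersionBase(tk, contextLabel, false);
++}
++
++} // namespace Security
++
+ Security::TLSPlaintext::TLSPlaintext(Parser::BinaryTokenizer &tk)
+ {
+     Parser::BinaryTokenizerContext context(tk, "TLSPlaintext");
+@@ -431,6 +459,8 @@ Security::HandshakeParser::parseExtensions(const SBuf 
+             break;
+         case 16: { // Application-Layer Protocol Negotiation Extension, RFC 7301
+             Parser::BinaryTokenizer tkAPN(extension.data);
++            // Store the entire protocol list, including unsupported-by-Squid
++            // values (if any). We have to use all when peeking at the server.
+             details->tlsAppLayerProtoNeg = tkAPN.pstring16("APN");
+             break;
+         }
+@@ -441,8 +471,9 @@ Security::HandshakeParser::parseExtensions(const SBuf 
+         case 43: // supported_versions extension; RFC 8446
+             parseSupportedVersionsExtension(extension.data);
+             break;
+-        case 13172: // Next Protocol Negotiation Extension (expired draft?)
+         default:
++            // other extensions, including those that Squid does not support, do
++            // not require special handling here, but see unsupportedExtensions
+             break;
+         }
+     }
+@@ -455,7 +486,7 @@ Security::HandshakeParser::parseCiphers(const SBuf &ra
+     Parser::BinaryTokenizer tk(raw);
+     while (!tk.atEnd()) {
+         const uint16_t cipher = tk.uint16("cipher");
+-        details->ciphers.insert(cipher);
++        details->ciphers.insert(cipher); // including Squid-unsupported ones
+     }
+ }
+ 
+@@ -473,7 +504,7 @@ Security::HandshakeParser::parseV23Ciphers(const SBuf 
+         const uint8_t prefix = tk.uint8("prefix");
+         const uint16_t cipher = tk.uint16("cipher");
+         if (prefix == 0)
+-            details->ciphers.insert(cipher);
++            details->ciphers.insert(cipher); // including Squid-unsupported ones
+     }
+ }
+ 
+@@ -486,6 +517,7 @@ Security::HandshakeParser::parseServerHelloHandshakeMe
+     details->tlsSupportedVersion = ParseProtocolVersion(tk);
+     tk.skip(HelloRandomSize, ".random");
+     details->sessionId = tk.pstring8(".session_id");
++    // cipherSuite may be unsupported by a peeking Squid
+     details->ciphers.insert(tk.uint16(".cipher_suite"));
+     details->compressionSupported = tk.uint8(".compression_method") != 0; // not null
+     if (!tk.atEnd()) // extensions present
+@@ -554,12 +586,15 @@ Security::HandshakeParser::parseSupportedVersionsExten
+         Parser::BinaryTokenizer tkList(extensionData);
+         Parser::BinaryTokenizer tkVersions(tkList.pstring8("SupportedVersions"));
+         while (!tkVersions.atEnd()) {
+-            const auto version = ParseProtocolVersion(tkVersions, "supported_version");
++            const auto version = ParseOptionalProtocolVersion(tkVersions, "supported_version");
++            // ignore values unsupported by Squid,represented by a falsy version
++            if (!version)
++                continue;
+             if (!supportedVersionMax || TlsVersionEarlierThan(supportedVersionMax, version))
+                 supportedVersionMax = version;
+         }
+ 
+-        // ignore empty supported_versions
++        // ignore empty and ignored-values-only supported_versions
+         if (!supportedVersionMax)
+             return;
+ 
+@@ -569,7 +604,11 @@ Security::HandshakeParser::parseSupportedVersionsExten
+     } else {
+         assert(messageSource == fromServer);
+         Parser::BinaryTokenizer tkVersion(extensionData);
+-        const auto version = ParseProtocolVersion(tkVersion, "selected_version");
++        const auto version = ParseOptionalProtocolVersion(tkVersion, "selected_version");
++        // Ignore values unsupported by Squid. There should not be any until we
++        // start seeing TLS v2+, but they do not affect TLS framing anyway.
++        if (!version)
++            return;
+         // RFC 8446 Section 4.2.1:
+         // A server which negotiates a version of TLS prior to TLS 1.3 [...]
+         // MUST NOT send the "supported_versions" extension.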
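Review bot: The new patch file carries no provenance comment, so a later maintainer cannot tell whether it backports an upstream Squid change or is FreeBSD-local, nor when it can be dropped. patch(1) ignores text before the first `---` line, so a header such as `# Backport of the upstream Squid fix for unsupported TLS versions in Handshake.cc (upstream commit: <UPSTREAM-COMMIT-ID>); drop once the port moves to a release that includes it.` would record that. Separately, in ParseProtocolVersionBase the strict path only rejects major values other than 0 and 3, so a major of 3 with an out-of-range minor (e.g. a constructed 0x03ff) still yields a TLS 1.x version instead of the new "unsupported TLS version" exception; if that is intended upstream behaviour it is worth noting in the same header rather than changing locally.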
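--- a/squid/files/squid.in
+++ b/squid/files/squid.in
@@ -29,6 +29,14 @@
 #		you want to run Squid in reverse proxy setups or if you want
 #		Squid to listen on a "privileged" port < 1024.
 #
+# squid_group:	The group id that should be used to run the Squid master
+#		process. Default: squid
+#		Note that it affects squid pid dir also, where SHM files
+#		may be stored on some OS (see r391555)
+#
+# squid_maxwait:	Seconds to wait for squid PID file
+#		Default: 10
+#
 # squid_pidfile:
 #		The name (including the full path) of the Squid
 #		master process' PID file.
@@ -74,7 +82,9 @@
 	: ${squid_enable:=NO}
 	: ${squid_program:=%%PREFIX%%/sbin/squid}
 	: ${squid_pidfile:=/var/run/squid/squid.pid}
+	: ${squid_maxwait:=10}
 	: ${squid_user:=squid}
+	: ${squid_group:=squid}
 
 	required_args="-f ${squid_conf}"
 	required_dirs=$chdir
@@ -87,6 +97,13 @@
 
 squid_prestart()
 {
+	# create piddir if it's missing (for example if /var/run is tmpfs)
+	squid_piddir=${pidfile%/*}
+	if [ ! -d "${squid_piddir}" ]; then
+		echo "Creating PID directory ${squid_piddir}"
+		mkdir ${squid_piddir} && chown ${squid_user}:${squid_group} ${squid_piddir} && chmod 750 ${squid_piddir}|| return $?
+	fi
+
 	# setup KRB5_KTNAME:
 	squid_krb5_ktname=${squid_krb5_ktname:-"NONE"}
 	if [ "${squid_krb5_ktname}" != "NONE" ]; then
@@ -137,8 +154,15 @@
 	# retrieve the PID of the Squid master process explicitly here
 	# in case rc.subr was unable to determine it:
 	if [ -z "$rc_pid" ]; then
+		squid_secs=0
 		while ! [ -f ${pidfile} ]; do
+			if [ ${squid_maxwait} -le ${squid_secs} ]; then
+				echo "give up waiting for pidfile"
+				break
+			fi
 			sleep 1
+			echo -n "."
+			: $(( squid_secs+=1 ))
 		done
 		read _pid _junk <${pidfile}
 		[ -z "${_pid}" ] || pid=${_pid}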
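Review bot: The piddir creation line added to squid_prestart creates the directory with the umask-default mode first and only then chowns and chmods it, leaving a short window in which it exists with the wrong owner and mode, and it expands `${squid_piddir}`, `${squid_user}` and `${squid_group}` unquoted; a single `install -d -o "${squid_user}" -g "${squid_group}" -m 750 "${squid_piddir}" || return $?` creates it with the intended owner and mode in one step and also copes with a missing parent, which plain mkdir does not. The new wait loop's `[ ${squid_maxwait} -le ${squid_secs} ]` is likewise unquoted, so an empty squid_maxwait from rc.conf becomes a test(1) syntax error rather than a clear failure; quoting both operands makes the failure predictable. squid_prestart continues past the end of its hunk, and the PID-wait hunk sits in a function whose start and end are outside the hunk.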
