FreeBSD Bugzilla – Attachment 216343 Details for
Bug 247397
www/squid: Update to 4.12 (bugfix release)
[patch]
Update to 4.12 and address GREASEd
www_squid.diff (text/plain), 14.44 KB, created by
Juraj Lutter
on 2020-07-09 19:02:15 UTC
Description:
Update to 4.12 and address GREASEd
Filename:
MIME Type:
Creator:
Juraj Lutter
Created:
2020-07-09 19:02:15 UTC
Size:
14.44 KB
patch
obsolete
>diff --git a/www/squid/Makefile b/www/squid/Makefile
>index 78fe2539a091..992ac6549162 100644
>--- a/www/squid/Makefile
>+++ b/www/squid/Makefile
>@@ -1,8 +1,7 @@
> # $FreeBSD$
> 
> PORTNAME= squid
>-PORTVERSION= 4.11
>-PORTREVISION= 2
>+PORTVERSION= 4.12
> CATEGORIES= www
> MASTER_SITES= http://www.squid-cache.org/Versions/v4/ \
> http://www2.us.squid-cache.org/Versions/v4/ \
>diff --git a/www/squid/distinfo b/www/squid/distinfo
>index 00caed0c73cf..2aaac422be87 100644
>--- a/www/squid/distinfo
>+++ b/www/squid/distinfo
>@@ -1,3 +1,3 @@
>-TIMESTAMP = 1588493552
>-SHA256 (squid-4.11.tar.xz) = 4ed947612410263f57ad0e39bfd087e60fb714f028d7d3b0e469943efd34287d
>-SIZE (squid-4.11.tar.xz) = 2447700
>+TIMESTAMP = 1592516847
>+SHA256 (squid-4.12.tar.xz) = f42a03c8b3dc020722c88bf1a87da8cb0c087b2f66b41d8256c77ee1b527e317
>+SIZE (squid-4.12.tar.xz) = 2450564
>diff --git a/www/squid/files/patch-configure b/www/squid/files/patch-configure
>index 50b6ece70612..d71b23ce744e 100644
>--- a/www/squid/files/patch-configure
>+++ b/www/squid/files/patch-configure
>@@ -1,6 +1,6 @@
>---- configure.orig 2020-04-19 12:39:06 UTC
>+--- configure.orig 2020-06-18 21:56:43 UTC
> +++ configure
>-@@ -35077,7 +35077,7 @@ done
>+@@ -35092,7 +35092,7 @@ done
> ##
> 
> BUILD_HELPER="NIS"
>@@ -9,7 +9,7 @@
> do :
> as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
> ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "
>-@@ -35092,8 +35092,10 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
>+@@ -35107,8 +35107,10 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
> #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
> _ACEOF
> 
>@@ -22,7 +22,7 @@
> fi
> 
> done
>-@@ -35566,7 +35568,7 @@ done
>+@@ -35581,7 +35583,7 @@ done
> 
> # unconditionally requires crypt(3), for now
> if test "x$ac_cv_func_crypt" != "x"; then
>@@ -31,7 +31,7 @@
> do :
> as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
> ac_fn_cxx_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
>-@@ -37958,7 +37960,7 @@ for ac_header in \
>+@@ -37973,7 +37975,7 @@ for ac_header in \
> arpa/nameser.h \
> assert.h \
> bstring.h \
>@@ -40,53 +40,3 @@
> ctype.h \
> direct.h \
> errno.h \
>-@@ -38166,6 +38168,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header"
>- #include <netinet/ip.h>
>- #endif
>- #if HAVE_NETINET_IP_COMPAT_H
>-+#include <net/if.h> /* IFNAMSIZ */
>- #include <netinet/ip_compat.h>
>- #endif
>- #if HAVE_NETINET_IP_FIL_H
>-@@ -42213,6 +42216,7 @@ if test "x$enable_ipf_transparent" != "xno" ; then
>- # include <sys/ioccom.h>
>- # include <netinet/in.h>
>- 
>-+# include <net/if.h> /* IFNAMSIZ */
>- # include <netinet/ip_compat.h>
>- # include <netinet/ip_fil.h>
>- # include <netinet/ip_nat.h>
>-@@ -42243,6 +42247,7 @@ else
>- # include <sys/ioccom.h>
>- # include <netinet/in.h>
>- #undef minor_t
>-+# include <net/if.h> /* IFNAMSIZ */
>- # include <netinet/ip_compat.h>
>- # include <netinet/ip_fil.h>
>- # include <netinet/ip_nat.h>
>-@@ -42287,6 +42292,7 @@ _ACEOF
>- ip_fil_compat.h \
>- ip_fil.h \
>- ip_nat.h \
>-+ net/if.h \
>- netinet/ip_compat.h \
>- netinet/ip_fil_compat.h \
>- netinet/ip_fil.h \
>-@@ -42316,6 +42322,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header"
>- #if HAVE_IP_COMPAT_H
>- #include <ip_compat.h>
>- #elif HAVE_NETINET_IP_COMPAT_H
>-+#include <net/if.h> /* IFNAMSIZ */
>- #include <netinet/ip_compat.h>
>- #endif
>- #if HAVE_IP_FIL_H
>-@@ -42379,8 +42386,7 @@ _ACEOF
>- 
>- 
>- fi
>--ac_fn_cxx_check_member "$LINENO" "struct natlookup" "nl_realipaddr.in6"
>-- "ac_cv_member_struct_natlookup_nl_realipaddr_in6___" "
>-+ac_fn_cxx_check_member "$LINENO" "struct natlookup" "nl_realipaddr.in6" "ac_cv_member_struct_natlookup_nl_realipaddr_in6___" "
>- #if USE_SOLARIS_IPFILTER_MINOR_T_HACK
>- #define minor_t fubar
>- #endif
>diff --git a/www/squid/files/patch-src_acl_external_eDirectory__userip_ext__edirectory__userip__acl.cc b/www/squid/files/patch-src_acl_external_eDirectory__userip_ext__edirectory__userip__acl.cc
>deleted file mode 100644
>index e5189a91bc1a..000000000000
>--- a/www/squid/files/patch-src_acl_external_eDirectory__userip_ext__edirectory__userip__acl.cc
>+++ /dev/null
>@@ -1,15 +0,0 @@
>---- src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc.orig 2020-04-19 12:38:51 UTC
>-+++ src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc
>-@@ -69,6 +69,12 @@
>- #ifdef HAVE_NETDB_H
>- #include <netdb.h>
>- #endif
>-+#ifdef HAVE_SYS_SOCKET_H
>-+#include <sys/socket.h>
>-+#endif
>-+#ifdef HAVE_NETINET_IN_H
>-+#include <netinet/in.h>
>-+#endif
>- 
>- #ifdef HELPER_INPUT_BUFFER
>- #define EDUI_MAXLEN HELPER_INPUT_BUFFER
>diff --git a/www/squid/files/patch-src_acl_external_kerberos__ldap__group_support__krb5.cc b/www/squid/files/patch-src_acl_external_kerberos__ldap__group_support__krb5.cc
>deleted file mode 100644
>index 8aaf7af308d1..000000000000
>--- a/www/squid/files/patch-src_acl_external_kerberos__ldap__group_support__krb5.cc
>+++ /dev/null
>@@ -1,19 +0,0 @@
>---- src/acl/external/kerberos_ldap_group/support_krb5.cc.orig 2020-04-19 12:38:51 UTC
>-+++ src/acl/external/kerberos_ldap_group/support_krb5.cc
>-@@ -467,10 +467,15 @@ krb5_create_cache(char *domain, char *service_principa
>- }
>- 
>- // overwrite limitation of enctypes
>-+#if USE_HEIMDAL_KRB5
>-+ creds->session.keytype = 0;
>-+ if (creds->session.keyvalue.length>0)
>-+ krb5_free_keyblock_contents(kparam.context, &creds->session);
>-+#else
>- creds->keyblock.enctype = 0;
>- if (creds->keyblock.contents)
>- krb5_free_keyblock_contents(kparam.context, &creds->keyblock);
>-- 
>-+#endif
>- code = krb5_get_credentials(kparam.context, 0, kparam.cc[ccindex], creds, &tgt_creds);
>- if (code) {
>- k5_error("Error while getting tgt", code);
>diff --git a/www/squid/files/patch-src_security_Handshake.cc b/www/squid/files/patch-src_security_Handshake.cc
>new file mode 100644
>index 000000000000..55c1bf06a352
>--- /dev/null
>+++ b/www/squid/files/patch-src_security_Handshake.cc
>@@ -0,0 +1,153 @@
>+Address GREASEd issues:
>+
>+https://github.com/squid-cache/squid/pull/663
>+https://www.spinics.net/lists/squid/msg92728.html
>+https://www.spinics.net/lists/squid/msg92814.html
>+
>+--- src/security/Handshake.cc.orig 2020-07-09 17:27:31 UTC
>++++ src/security/Handshake.cc
>+@@ -9,6 +9,7 @@
>+ /* DEBUG: section 83 SSL-Bump Server/Peer negotiation */
>+ 
>+ #include "squid.h"
>++#include "sbuf/Stream.h"
>+ #include "security/Handshake.h"
>+ #if USE_OPENSSL
>+ #include "ssl/support.h"
>+@@ -104,25 +105,52 @@ class Extension (public)
>+ typedef std::unordered_set<Extension::Type> Extensions;
>+ static Extensions SupportedExtensions();
>+ 
>+-} // namespace Security
>+-
>+ /// parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion
>++/// \retval PROTO_NONE for unsupported values (in relaxed mode)
>+ static AnyP::ProtocolVersion
>+-ParseProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel = ".version")
>++ParseProtocolVersionBase(Parser::BinaryTokenizer &tk, const char *contextLabel, const bool beStrict)
>+ {
>+ Parser::BinaryTokenizerContext context(tk, contextLabel);
>+ uint8_t vMajor = tk.uint8(".major");
>+ uint8_t vMinor = tk.uint8(".minor");
>++
>+ if (vMajor == 0 && vMinor == 2)
>+ return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 2, 0);
>+ 
>+- Must(vMajor == 3);
>+- if (vMinor == 0)
>+- return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
>++ if (vMajor == 3) {
>++ if (vMinor == 0)
>++ return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
>++ return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
>++ }
>+ 
>+- return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
>++ /* handle unsupported versions */
>++
>++ const uint16_t vRaw = (vMajor << 8) | vMinor;
>++ debugs(83, 7, "unsupported: " << asHex(vRaw));
>++ if (beStrict)
>++ throw TextException(ToSBuf("unsupported TLS version: ", asHex(vRaw)), Here());
>++ // else hide unsupported version details from the caller behind PROTO_NONE
>++ return AnyP::ProtocolVersion();
>+ }
>+ 
>++/// parse a framing-related TLS ProtocolVersion
>++/// \returns a supported SSL or TLS Anyp::ProtocolVersion, never PROTO_NONE
>++static AnyP::ProtocolVersion
>++ParseProtocolVersion(Parser::BinaryTokenizer &tk)
>++{
>++ return ParseProtocolVersionBase(tk, ".version", true);
>++}
>++
>++/// parse a framing-unrelated TLS ProtocolVersion
>++/// \retval PROTO_NONE for unsupported values
>++static AnyP::ProtocolVersion
>++ParseOptionalProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel)
>++{
>++ return ParseProtocolVersionBase(tk, contextLabel, false);
>++}
>++
>++} // namespace Security
>++
>+ Security::TLSPlaintext::TLSPlaintext(Parser::BinaryTokenizer &tk)
>+ {
>+ Parser::BinaryTokenizerContext context(tk, "TLSPlaintext");
>+@@ -431,6 +459,8 @@ Security::HandshakeParser::parseExtensions(const SBuf
>+ break;
>+ case 16: { // Application-Layer Protocol Negotiation Extension, RFC 7301
>+ Parser::BinaryTokenizer tkAPN(extension.data);
>++ // Store the entire protocol list, including unsupported-by-Squid
>++ // values (if any). We have to use all when peeking at the server.
>+ details->tlsAppLayerProtoNeg = tkAPN.pstring16("APN");
>+ break;
>+ }
>+@@ -441,8 +471,9 @@ Security::HandshakeParser::parseExtensions(const SBuf
>+ case 43: // supported_versions extension; RFC 8446
>+ parseSupportedVersionsExtension(extension.data);
>+ break;
>+- case 13172: // Next Protocol Negotiation Extension (expired draft?)
>+ default:
>++ // other extensions, including those that Squid does not support, do
>++ // not require special handling here, but see unsupportedExtensions
>+ break;
>+ }
>+ }
>+@@ -455,7 +486,7 @@ Security::HandshakeParser::parseCiphers(const SBuf &ra
>+ Parser::BinaryTokenizer tk(raw);
>+ while (!tk.atEnd()) {
>+ const uint16_t cipher = tk.uint16("cipher");
>+- details->ciphers.insert(cipher);
>++ details->ciphers.insert(cipher); // including Squid-unsupported ones
>+ }
>+ }
>+ 
>+@@ -473,7 +504,7 @@ Security::HandshakeParser::parseV23Ciphers(const SBuf
>+ const uint8_t prefix = tk.uint8("prefix");
>+ const uint16_t cipher = tk.uint16("cipher");
>+ if (prefix == 0)
>+- details->ciphers.insert(cipher);
>++ details->ciphers.insert(cipher); // including Squid-unsupported ones
>+ }
>+ }
>+ 
>+@@ -486,6 +517,7 @@ Security::HandshakeParser::parseServerHelloHandshakeMe
>+ details->tlsSupportedVersion = ParseProtocolVersion(tk);
>+ tk.skip(HelloRandomSize, ".random");
>+ details->sessionId = tk.pstring8(".session_id");
>++ // cipherSuite may be unsupported by a peeking Squid
>+ details->ciphers.insert(tk.uint16(".cipher_suite"));
>+ details->compressionSupported = tk.uint8(".compression_method") != 0; // not null
>+ if (!tk.atEnd()) // extensions present
>+@@ -554,12 +586,15 @@ Security::HandshakeParser::parseSupportedVersionsExten
>+ Parser::BinaryTokenizer tkList(extensionData);
>+ Parser::BinaryTokenizer tkVersions(tkList.pstring8("SupportedVersions"));
>+ while (!tkVersions.atEnd()) {
>+- const auto version = ParseProtocolVersion(tkVersions, "supported_version");
>++ const auto version = ParseOptionalProtocolVersion(tkVersions, "supported_version");
>++ // ignore values unsupported by Squid,represented by a falsy version
>++ if (!version)
>++ continue;
>+ if (!supportedVersionMax || TlsVersionEarlierThan(supportedVersionMax, version))
>+ supportedVersionMax = version;
>+ }
>+ 
>+- // ignore empty supported_versions
>++ // ignore empty and ignored-values-only supported_versions
>+ if (!supportedVersionMax)
>+ return;
>+ 
>+@@ -569,7 +604,11 @@ Security::HandshakeParser::parseSupportedVersionsExten
>+ } else {
>+ assert(messageSource == fromServer);
>+ Parser::BinaryTokenizer tkVersion(extensionData);
>+- const auto version = ParseProtocolVersion(tkVersion, "selected_version");
>++ const auto version = ParseOptionalProtocolVersion(tkVersion, "selected_version");
>++ // Ignore values unsupported by Squid. There should not be any until we
>++ // start seeing TLS v2+, but they do not affect TLS framing anyway.
>++ if (!version)
>++ return;
>+ // RFC 8446 Section 4.2.1:
>+ // A server which negotiates a version of TLS prior to TLS 1.3 [...]
>+ // MUST NOT send the "supported_versions" extension.
>diff --git a/www/squid/files/squid.in b/www/squid/files/squid.in
>index 5fe8bd2e1c4f..fb4962f1a034 100644
>--- a/www/squid/files/squid.in
>+++ b/www/squid/files/squid.in
>@@ -29,6 +29,14 @@
> # you want to run Squid in reverse proxy setups or if you want
> # Squid to listen on a "privileged" port < 1024.
> #
>+# squid_group: The group id that should be used to run the Squid master
>+# process. Default: squid
>+# Note that it affects squid pid dir also, where SHM files
>+# may be stored on some OS (see r391555)
>+#
>+# squid_maxwait: Seconds to wait for squid PID file
>+# Default: 10
>+#
> # squid_pidfile:
> # The name (including the full path) of the Squid
> # master process' PID file.
>@@ -74,7 +82,9 @@ squid_load_rc_config()
> : ${squid_enable:=NO}
> : ${squid_program:=%%PREFIX%%/sbin/squid}
> : ${squid_pidfile:=/var/run/squid/squid.pid}
>+ : ${squid_maxwait:=10}
> : ${squid_user:=squid}
>+ : ${squid_group:=squid}
> 
> required_args="-f ${squid_conf}"
> required_dirs=$chdir
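Review bot: The header of the new files/patch-src_security_Handshake.cc cites PR 663 and two list threads but not the upstream commit or the Squid release expected to carry the fix, so the next updater cannot tell when this backport becomes redundant; a header line such as `Drop this patch once the port moves to a Squid release that includes squid-cache/squid PR 663` would make that explicit. Inside the backported hunk, `ParseProtocolVersionBase` maps every `vMajor == 3` value to SSL 3.0 or `TLS 1.(vMinor - 1)` and only reaches the relaxed PROTO_NONE path when the major byte is something else (the GREASE case), so unknown 3.x minors are still reported as a TLS 1.x version rather than as unsupported; a comment on the `if (vMajor == 3) {` branch, `// any 3.x minor is treated as TLS 1.x, including minors newer than Squid knows`, would keep that from surprising readers of the `\retval PROTO_NONE for unsupported values` line. The new comment `// ignore values unsupported by Squid,represented by a falsy version` is missing a space after the comma. Since these are upstream lines, the wording fixes belong in a follow-up to PR 663 rather than in the port's copy.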
>@@ -87,6 +97,13 @@ squid_load_rc_config()
> 
> squid_prestart()
> {
>+ # create piddir if it's missing (for example if /var/run is tmpfs)
>+ squid_piddir=${pidfile%/*}
>+ if [ ! -d "${squid_piddir}" ]; then
>+ echo "Creating PID directory ${squid_piddir}"
>+ mkdir ${squid_piddir} && chown ${squid_user}:${squid_group} ${squid_piddir} && chmod 750 ${squid_piddir}|| return $?
>+ fi
>+
> # setup KRB5_KTNAME:
> squid_krb5_ktname=${squid_krb5_ktname:-"NONE"}
> if [ "${squid_krb5_ktname}" != "NONE" ]; then
>@@ -137,8 +154,15 @@ squid_getpid()
> # retrieve the PID of the Squid master process explicitly here
> # in case rc.subr was unable to determine it:
> if [ -z "$rc_pid" ]; then
>+ squid_secs=0
> while ! [ -f ${pidfile} ]; do
>+ if [ ${squid_maxwait} -le ${squid_secs} ]; then
>+ echo "give up waiting for pidfile"
>+ break
>+ fi
> sleep 1
>+ echo -n "."
>+ : $(( squid_secs+=1 ))
> done
> read _pid _junk <${pidfile}
> [ -z "${_pid}" ] || pid=${_pid}
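Review bot: The directory creation line added to `squid_prestart` passes `${squid_piddir}`, `${squid_user}` and `${squid_group}` unquoted and creates, chowns and chmods in three separate steps, so the directory briefly exists with umask-derived permissions before `chmod 750` lands and the script runs as root at that point; `install -d -o "${squid_user}" -g "${squid_group}" -m 750 "${squid_piddir}" || return $?` does the same work in one call with the final owner and mode applied at creation. `squid_piddir=${pidfile%/*}` depends on `pidfile` already being set when `squid_prestart` runs, which happens outside this hunk and is worth confirming against the rc.subr ordering. The body of squid_prestart continues beyond the hunk.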
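Review bot: After the new `give up waiting for pidfile` branch breaks out of the loop in `squid_getpid`, control still reaches the existing `read _pid _junk <${pidfile}`, which now runs against a file known to be absent and prints a shell redirection error on top of the give-up message; a guard between `done` and the `read`, `[ -f "${pidfile}" ] || return 1` (or whatever status the callers of squid_getpid expect), keeps the timeout path clean. The `echo -n "."` progress dots are emitted without a trailing newline, so the give-up message is printed on the same line as the dots; an `echo` before it would separate them. squid_getpid continues outside the hunk.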