diff -u -r -N squid-3.5.25/ChangeLog squid-3.5.26/ChangeLog
--- squid-3.5.25/ChangeLog 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/ChangeLog 2017-06-02 01:49:00.000000000 +1200
@@ -1,3 +1,16 @@
+Changes to squid-3.5.26 (01 Jun 2017):
+
+ - Bug 4711: SubjectAlternativeNames is missing in some generated certificates
+ - Bug 4695: squidpurge: GCC 7 build errors
+ - Bug 4682: ignoring http_access deny when client-first bumping mode is used
+ - Bug 4682: Fix ssl_bump "bump" action documentation
+ - Bug 4653: %st lies about tunneled traffic volumes
+ - Bug 4589: ssl_crtd: returning zero on failure
+ - Bug 3772: message from FTP server gets mangled
+ - Bug 3102: FTP directory listing drops fist character of file names
+ - Add OpenSSL library details to -v output
+ - ... and some documentatino updates
+
Changes to squid-3.5.25 (02 Apr 2017):
- Bug 4688: various typo error(s) in man page(s)
diff -u -r -N squid-3.5.25/compat/xstring.h squid-3.5.26/compat/xstring.h
--- squid-3.5.25/compat/xstring.h 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/compat/xstring.h 2017-06-02 01:49:00.000000000 +1200
@@ -41,7 +41,10 @@
char *xstrncpy(char *dst, const char *src, size_t n);
/**
- * xstrndup() - same as strndup(3). Used for portability.
+ * xstrndup() - Somewhat similar(XXX) to strndup(3): Allocates up to n bytes,
+ * while strndup(3) copies up to n bytes and allocates up to n+1 bytes
+ * to fit the terminating character. Assumes s is 0-terminated (another XXX).
+ *
* Never returns NULL; fatal on error.
*
* Sets errno to EINVAL if a NULL pointer or negative
diff -u -r -N squid-3.5.25/configure squid-3.5.26/configure
--- squid-3.5.25/configure 2017-04-03 01:07:29.000000000 +1200
+++ squid-3.5.26/configure 2017-06-02 01:55:26.000000000 +1200
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac Revision.
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.5.25.
+# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.5.26.
#
# Report bugs to .
#
@@ -595,8 +595,8 @@
# Identity of this package.
PACKAGE_NAME='Squid Web Proxy'
PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='3.5.25'
-PACKAGE_STRING='Squid Web Proxy 3.5.25'
+PACKAGE_VERSION='3.5.26'
+PACKAGE_STRING='Squid Web Proxy 3.5.26'
PACKAGE_BUGREPORT='http://bugs.squid-cache.org/'
PACKAGE_URL=''
@@ -1636,7 +1636,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures Squid Web Proxy 3.5.25 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 3.5.26 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1707,7 +1707,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of Squid Web Proxy 3.5.25:";;
+ short | recursive ) echo "Configuration of Squid Web Proxy 3.5.26:";;
esac
cat <<\_ACEOF
@@ -2119,7 +2119,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-Squid Web Proxy configure 3.5.25
+Squid Web Proxy configure 3.5.26
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3223,7 +3223,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by Squid Web Proxy $as_me 3.5.25, which was
+It was created by Squid Web Proxy $as_me 3.5.26, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -4090,7 +4090,7 @@
# Define the identity of the package.
PACKAGE='squid'
- VERSION='3.5.25'
+ VERSION='3.5.26'
cat >>confdefs.h <<_ACEOF
@@ -41876,7 +41876,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by Squid Web Proxy $as_me 3.5.25, which was
+This file was extended by Squid Web Proxy $as_me 3.5.26, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -41942,7 +41942,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-Squid Web Proxy config.status 3.5.25
+Squid Web Proxy config.status 3.5.26
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -u -r -N squid-3.5.25/configure.ac squid-3.5.26/configure.ac
--- squid-3.5.25/configure.ac 2017-04-03 01:07:28.000000000 +1200
+++ squid-3.5.26/configure.ac 2017-06-02 01:55:25.000000000 +1200
@@ -5,7 +5,7 @@
## Please see the COPYING and CONTRIBUTORS files for details.
##
-AC_INIT([Squid Web Proxy],[3.5.25],[http://bugs.squid-cache.org/],[squid])
+AC_INIT([Squid Web Proxy],[3.5.26],[http://bugs.squid-cache.org/],[squid])
AC_PREREQ(2.61)
AC_CONFIG_HEADERS([include/autoconf.h])
AC_CONFIG_AUX_DIR(cfgaux)
diff -u -r -N squid-3.5.25/doc/release-notes/release-3.5.html squid-3.5.26/doc/release-notes/release-3.5.html
--- squid-3.5.25/doc/release-notes/release-3.5.html 2017-04-03 05:10:43.000000000 +1200
+++ squid-3.5.26/doc/release-notes/release-3.5.html 2017-06-02 10:41:39.000000000 +1200
@@ -2,10 +2,10 @@
- Squid 3.5.25 release notes
+ Squid 3.5.26 release notes
-Squid 3.5.25 release notes
+Squid 3.5.26 release notes
Squid Developers
@@ -64,7 +64,7 @@
-The Squid Team are pleased to announce the release of Squid-3.5.25.
+The Squid Team are pleased to announce the release of Squid-3.5.26.
This new release is available for download from
http://www.squid-cache.org/Versions/v3/3.5/ or the
mirrors.
diff -u -r -N squid-3.5.25/helpers/basic_auth/DB/basic_db_auth.8 squid-3.5.26/helpers/basic_auth/DB/basic_db_auth.8
--- squid-3.5.25/helpers/basic_auth/DB/basic_db_auth.8 2017-04-03 05:10:47.000000000 +1200
+++ squid-3.5.26/helpers/basic_auth/DB/basic_db_auth.8 2017-06-02 10:41:45.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "BASIC_DB_AUTH 8"
-.TH BASIC_DB_AUTH 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 8 "2017-06-01" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.5.25/helpers/basic_auth/LDAP/basic_ldap_auth.8 squid-3.5.26/helpers/basic_auth/LDAP/basic_ldap_auth.8
--- squid-3.5.25/helpers/basic_auth/LDAP/basic_ldap_auth.8 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/helpers/basic_auth/LDAP/basic_ldap_auth.8 2017-06-02 01:49:00.000000000 +1200
@@ -5,9 +5,9 @@
.
.SH SYNOPSIS
.if !'po4a'hide' .B basic_ldap_auth
-.if !'po4a'hide' .B \-b\ \"
+.if !'po4a'hide' .B \-b\ \(dq
base DN
-.if !'po4a'hide' .B \"\ [\-u
+.if !'po4a'hide' .B \(dq\ [\-u
attribute
.if !'po4a'hide' .B ]\ [
options
@@ -20,11 +20,11 @@
.if !'po4a'hide' .B ]...
.br
.if !'po4a'hide' .B basic_ldap_auth
-.if !'po4a'hide' .B \-b\ \"
+.if !'po4a'hide' .B \-b\ \(dq
base DN
-.if !'po4a'hide' .B \"\ \-f\ \"
+.if !'po4a'hide' .B \(dq\ \-f\ \(dq
LDAP search filter
-.if !'po4a'hide' .B \"\ [
+.if !'po4a'hide' .B \(dq\ [
options
.if !'po4a'hide' .B ]\ [
LDAP server name
@@ -74,7 +74,7 @@
The search filter can contain up to 15 occurrences of
.B %s
which will be replaced by the username, as in
-.B "\"uid\=%s\""
+.B "\(dquid\=%s\(dq"
for RFC2037 directories. For a detailed description of LDAP search
filter syntax see RFC2254.
.br
diff -u -r -N squid-3.5.25/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 squid-3.5.26/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8
--- squid-3.5.25/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 2017-04-03 05:10:51.000000000 +1200
+++ squid-3.5.26/helpers/basic_auth/MSNT-multi-domain/basic_msnt_multi_domain_auth.8 2017-06-02 10:41:53.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "BASIC_MSNT_MULTI_DOMAIN_AUTH 1"
-.TH BASIC_MSNT_MULTI_DOMAIN_AUTH 1 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH BASIC_MSNT_MULTI_DOMAIN_AUTH 1 "2017-06-01" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.5.25/helpers/basic_auth/POP3/basic_pop3_auth.8 squid-3.5.26/helpers/basic_auth/POP3/basic_pop3_auth.8
--- squid-3.5.25/helpers/basic_auth/POP3/basic_pop3_auth.8 2017-04-03 05:10:55.000000000 +1200
+++ squid-3.5.26/helpers/basic_auth/POP3/basic_pop3_auth.8 2017-06-02 10:42:03.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "BASIC_POP3_AUTH 8"
-.TH BASIC_POP3_AUTH 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH BASIC_POP3_AUTH 8 "2017-06-01" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.5.25/helpers/basic_auth/RADIUS/basic_radius_auth.8 squid-3.5.26/helpers/basic_auth/RADIUS/basic_radius_auth.8
--- squid-3.5.25/helpers/basic_auth/RADIUS/basic_radius_auth.8 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/helpers/basic_auth/RADIUS/basic_radius_auth.8 2017-06-02 01:49:00.000000000 +1200
@@ -9,9 +9,9 @@
config file
.br
.if !'po4a'hide' .B basic_radius_auth
-.if !'po4a'hide' .B "\-h \""
+.if !'po4a'hide' .B "\-h \(dq"
server name
-.if !'po4a'hide' .B "\" [\-p "
+.if !'po4a'hide' .B "\(dq [\-p "
port
.if !'po4a'hide' .B "] [\-i "
identifier
diff -u -r -N squid-3.5.25/helpers/external_acl/delayer/ext_delayer_acl.8 squid-3.5.26/helpers/external_acl/delayer/ext_delayer_acl.8
--- squid-3.5.25/helpers/external_acl/delayer/ext_delayer_acl.8 2017-04-03 05:11:10.000000000 +1200
+++ squid-3.5.26/helpers/external_acl/delayer/ext_delayer_acl.8 2017-06-02 10:42:29.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "EXT_DELAYER_ACL 8"
-.TH EXT_DELAYER_ACL 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH EXT_DELAYER_ACL 8 "2017-06-01" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.5.25/helpers/external_acl/file_userip/ext_file_userip_acl.8 squid-3.5.26/helpers/external_acl/file_userip/ext_file_userip_acl.8
--- squid-3.5.25/helpers/external_acl/file_userip/ext_file_userip_acl.8 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/helpers/external_acl/file_userip/ext_file_userip_acl.8 2017-06-02 01:49:00.000000000 +1200
@@ -68,7 +68,7 @@
.B ALL
and
.B NONE
-, which mean \"any user on this IP address may authenticate\" or \"no user on this IP address may authenticate\".
+, which mean \(dqany user on this IP address may authenticate\(dq or \(dqno user on this IP address may authenticate\(dq.
.
.SH AUTHOR
This program was written by
diff -u -r -N squid-3.5.25/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-3.5.26/helpers/external_acl/SQL_session/ext_sql_session_acl.8
--- squid-3.5.25/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2017-04-03 05:11:18.000000000 +1200
+++ squid-3.5.26/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2017-06-02 10:42:45.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "EXT_SQL_SESSION_ACL 8"
-.TH EXT_SQL_SESSION_ACL 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH EXT_SQL_SESSION_ACL 8 "2017-06-01" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.5.25/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.5.26/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-3.5.25/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2017-04-03 05:11:21.000000000 +1200
+++ squid-3.5.26/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2017-06-02 10:42:51.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "EXT_WBINFO_GROUP_ACL 8"
-.TH EXT_WBINFO_GROUP_ACL 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL 8 "2017-06-01" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.5.25/helpers/log_daemon/DB/log_db_daemon.8 squid-3.5.26/helpers/log_daemon/DB/log_db_daemon.8
--- squid-3.5.25/helpers/log_daemon/DB/log_db_daemon.8 2017-04-03 05:11:24.000000000 +1200
+++ squid-3.5.26/helpers/log_daemon/DB/log_db_daemon.8 2017-06-02 10:42:55.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "LOG_DB_DAEMON 8"
-.TH LOG_DB_DAEMON 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH LOG_DB_DAEMON 8 "2017-06-01" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.5.25/helpers/storeid_rewrite/file/storeid_file_rewrite.8 squid-3.5.26/helpers/storeid_rewrite/file/storeid_file_rewrite.8
--- squid-3.5.25/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2017-04-03 05:11:38.000000000 +1200
+++ squid-3.5.26/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2017-06-02 10:43:23.000000000 +1200
@@ -129,7 +129,7 @@
.\" ========================================================================
.\"
.IX Title "STOREID_FILE_REWRITE 8"
-.TH STOREID_FILE_REWRITE 8 "2017-04-02" "perl v5.24.1" "User Contributed Perl Documentation"
+.TH STOREID_FILE_REWRITE 8 "2017-06-01" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.5.25/include/version.h squid-3.5.26/include/version.h
--- squid-3.5.25/include/version.h 2017-04-03 01:07:29.000000000 +1200
+++ squid-3.5.26/include/version.h 2017-06-02 01:55:26.000000000 +1200
@@ -7,7 +7,7 @@
*/
#ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1491138248
+#define SQUID_RELEASE_TIME 1496324930
#endif
/*
diff -u -r -N squid-3.5.25/RELEASENOTES.html squid-3.5.26/RELEASENOTES.html
--- squid-3.5.25/RELEASENOTES.html 2017-04-03 05:10:43.000000000 +1200
+++ squid-3.5.26/RELEASENOTES.html 2017-06-02 10:41:39.000000000 +1200
@@ -2,10 +2,10 @@
- Squid 3.5.25 release notes
+ Squid 3.5.26 release notes
-Squid 3.5.25 release notes
+Squid 3.5.26 release notes
Squid Developers
@@ -64,7 +64,7 @@
-The Squid Team are pleased to announce the release of Squid-3.5.25.
+The Squid Team are pleased to announce the release of Squid-3.5.26.
This new release is available for download from
http://www.squid-cache.org/Versions/v3/3.5/ or the
mirrors.
diff -u -r -N squid-3.5.25/src/cf.data.pre squid-3.5.26/src/cf.data.pre
--- squid-3.5.25/src/cf.data.pre 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/src/cf.data.pre 2017-06-02 01:49:00.000000000 +1200
@@ -2669,8 +2669,11 @@
This is the default action.
bump
- Establish a secure connection with the server and, using a
- mimicked server certificate, with the client.
+ When used on step SslBump1, establishes a secure connection
+ with the client first, then connect to the server.
+ When used on step SslBump2 or SslBump3, establishes a secure
+ connection with the server and, using a mimicked server
+ certificate, with the client.
peek
Receive client (step SslBump1) or server (step SslBump2)
diff -u -r -N squid-3.5.25/src/clients/FtpGateway.cc squid-3.5.26/src/clients/FtpGateway.cc
--- squid-3.5.25/src/clients/FtpGateway.cc 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/src/clients/FtpGateway.cc 2017-06-02 01:49:00.000000000 +1200
@@ -626,10 +626,17 @@
while (strchr(w_space, *copyFrom))
++copyFrom;
} else {
- /* XXX assumes a single space between date and filename
+ /* Handle the following four formats:
+ * "MMM DD YYYY Name"
+ * "MMM DD YYYYName"
+ * "MMM DD YYYY Name"
+ * "MMM DD YYYY Name"
+ * Assuming a single space between date and filename
* suggested by: Nathan.Bailey@cc.monash.edu.au and
* Mike Battersby */
- copyFrom += strlen(tbuf) + 1;
+ copyFrom += strlen(tbuf);
+ if (strchr(w_space, *copyFrom))
+ ++copyFrom;
}
p->name = xstrdup(copyFrom);
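Review bot: The added `if (strchr(w_space, *copyFrom)) ++copyFrom;` also fires when `*copyFrom` is the terminating NUL, because strchr() treats the terminator as part of the searched string and returns non-NULL for it. The listing text comes from the remote FTP server, so a line that ends right after the date would move copyFrom one byte past the end of the buffer before `xstrdup(copyFrom)` reads from it; whether such a line can reach this branch depends on parsing outside the hunk. Testing the byte first closes the gap: `if (*copyFrom && strchr(w_space, *copyFrom)) ++copyFrom;`. The `while (strchr(w_space, *copyFrom))` loop in the context lines above has the same shape and deserves the same guard.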
@@ -1534,7 +1541,7 @@
/* Reset cwd_message to only include the last message */
ftpState->cwd_message.reset("");
for (wordlist *w = ftpState->ctrl.message; w; w = w->next) {
- ftpState->cwd_message.append(' ');
+ ftpState->cwd_message.append('\n');
ftpState->cwd_message.append(w->key);
}
ftpState->ctrl.message = NULL;
diff -u -r -N squid-3.5.25/src/client_side.cc squid-3.5.26/src/client_side.cc
--- squid-3.5.25/src/client_side.cc 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/src/client_side.cc 2017-06-02 01:49:00.000000000 +1200
@@ -4391,7 +4391,7 @@
// in.buf still has the "CONNECT ..." request data, reset it to SSL hello message
connState->in.buf.append(rbuf.content(), rbuf.contentSize());
ClientHttpRequest *http = context->http;
- tunnelStart(http, &http->out.size, &http->al->http.code, http->al);
+ tunnelStart(http);
}
}
}
diff -u -r -N squid-3.5.25/src/client_side_reply.cc squid-3.5.26/src/client_side_reply.cc
--- squid-3.5.25/src/client_side_reply.cc 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/src/client_side_reply.cc 2017-06-02 01:49:00.000000000 +1200
@@ -1179,7 +1179,7 @@
if (curReply->content_length < 0)
return 0;
- int64_t expectedLength = curReply->content_length + http->out.headers_sz;
+ uint64_t expectedLength = curReply->content_length + http->out.headers_sz;
if (http->out.size < expectedLength)
return 0;
diff -u -r -N squid-3.5.25/src/client_side_request.cc squid-3.5.26/src/client_side_request.cc
--- squid-3.5.25/src/client_side_request.cc 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/src/client_side_request.cc 2017-06-02 01:49:00.000000000 +1200
@@ -1424,7 +1424,17 @@
if (bumpMode != Ssl::bumpEnd) {
debugs(85, 5, HERE << "SslBump already decided (" << bumpMode <<
"), " << "ignoring ssl_bump for " << http->getConn());
- if (!http->getConn()->serverBump())
+
+ // We need the following "if" for transparently bumped TLS connection,
+ // because in this case we are running ssl_bump access list before
+ // the doCallouts runs. It can be removed after the bug #4340 fixed.
+ // We do not want to proceed to bumping steps:
+ // - if the TLS connection with the client is already established
+ // because we are accepting normal HTTP requests on TLS port,
+ // or because of the client-first bumping mode
+ // - When the bumping is already started
+ if (!http->getConn()->switchedToHttps() &&
+ !http->getConn()->serverBump())
http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed and not already bumped
http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection
return false;
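Review bot: The new two-line condition guards a single unbraced statement that is immediately followed by two statements which run unconditionally, so the extent of the `if` is easy to misread now that a long comment block separates it from the surrounding code. Bracing it makes the scope explicit: `if (!http->getConn()->switchedToHttps() && !http->getConn()->serverBump()) { http->sslBumpNeed(bumpMode); }`. The comment's "after the bug #4340 fixed" would also read better as "once bug #4340 is fixed". The enclosing function starts and ends outside the hunk.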
@@ -1512,7 +1522,7 @@
}
#endif
getConn()->stopReading(); // tunnels read for themselves
- tunnelStart(this, &out.size, &al->http.code, al);
+ tunnelStart(this);
return;
}
diff -u -r -N squid-3.5.25/src/client_side_request.h squid-3.5.26/src/client_side_request.h
--- squid-3.5.25/src/client_side_request.h 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/src/client_side_request.h 2017-06-02 01:49:00.000000000 +1200
@@ -73,7 +73,7 @@
struct {
int64_t offset;
- int64_t size;
+ uint64_t size;
size_t headers_sz;
} out;
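Review bot: `out.size` becomes `uint64_t` while `out.offset` on the line above stays `int64_t`, so any expression elsewhere that compares or subtracts `out.size` against a signed quantity now converts the signed operand to unsigned, and a negative value would compare as very large. The one such site visible in this diff, `http->out.size < expectedLength` in client_side_reply.cc, is safe because `content_length < 0` returns first, but other users of `out.size` are not shown and should be checked, for example by building with `-Wsign-compare`. A short field comment such as `uint64_t size; ///< bytes written to the client; never negative` would record why the two members differ in signedness.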
@@ -182,7 +182,7 @@
void clientAccessCheck(ClientHttpRequest *);
/* ones that should be elsewhere */
-void tunnelStart(ClientHttpRequest *, int64_t *, int *, const AccessLogEntry::Pointer &al);
+void tunnelStart(ClientHttpRequest *);
#if _USE_INLINE_
#include "client_side_request.cci"
diff -u -r -N squid-3.5.25/src/esi/Expression.cc squid-3.5.26/src/esi/Expression.cc
--- squid-3.5.25/src/esi/Expression.cc 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/src/esi/Expression.cc 2017-06-02 01:49:00.000000000 +1200
@@ -743,7 +743,7 @@
/* Special case for zero length strings */
if (t - s - 1)
- rv.value.string = xstrndup(s + 1, t - s - 1);
+ rv.value.string = xstrndup(s + 1, t - (s + 1) + 1);
else
rv.value.string = static_cast(xcalloc(1,1));
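Review bot: The length argument `t - (s + 1) + 1` has no comment explaining the trailing `+ 1`, and it now differs in form from the `t - s - 1` test two lines above, so it reads like an off-by-one. The reason is the one the xstring.h hunk of this diff documents: xstrndup() counts the terminating character in `n`. A one-line comment would keep the next reader from "fixing" it, for example `// xstrndup() counts the terminator in n, so pass payload length + 1`. The same applies to `xstrndup(buf, bufLen+1)` in the tools/cachemgr.cc hunk, and callers of xstrndup() not touched by this diff probably need the same audit.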
diff -u -r -N squid-3.5.25/src/main.cc squid-3.5.26/src/main.cc
--- squid-3.5.25/src/main.cc 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/src/main.cc 2017-06-02 01:49:00.000000000 +1200
@@ -563,6 +563,10 @@
printf("Service Name: " SQUIDSBUFPH "\n", SQUIDSBUFPRINT(service_name));
if (strlen(SQUID_BUILD_INFO))
printf("%s\n",SQUID_BUILD_INFO);
+#if USE_OPENSSL
+ printf("\nThis binary uses %s. ", SSLeay_version(SSLEAY_VERSION));
+ printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n");
+#endif
printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS);
#if USE_WIN32_SERVICE
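Review bot: `SSLeay_version(SSLEAY_VERSION)` reports the OpenSSL library loaded at run time, not the headers the binary was compiled against, and the added message does not say which of the two it is. When someone is checking whether a host carries a patched library, both values are useful and a mismatch is itself a finding. Consider printing the compile-time string as well, for example `printf("Built against %s. ", OPENSSL_VERSION_TEXT);` ahead of the existing line, and wording the existing line as "runs with". The enclosing function starts and ends outside the hunk.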
diff -u -r -N squid-3.5.25/src/SBufExceptions.cc squid-3.5.26/src/SBufExceptions.cc
--- squid-3.5.25/src/SBufExceptions.cc 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/src/SBufExceptions.cc 2017-06-02 01:49:00.000000000 +1200
@@ -25,9 +25,7 @@
explanatoryText.appendf(" in file %s", aFileName);
explanatoryText.appendf(" while accessing position %d in a SBuf long %d",
pos, throwingBuf.length());
- // we can safely alias c_str as both are local to the object
- // and will not further manipulated.
- message = xstrndup(explanatoryText.c_str(),explanatoryText.length());
+ message = xstrdup(explanatoryText.c_str());
}
OutOfBoundsException::~OutOfBoundsException() throw()
diff -u -r -N squid-3.5.25/src/ssl/gadgets.cc squid-3.5.26/src/ssl/gadgets.cc
--- squid-3.5.25/src/ssl/gadgets.cc 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/src/ssl/gadgets.cc 2017-06-02 01:49:00.000000000 +1200
@@ -339,7 +339,40 @@
return added;
}
-static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificateProperties const &properties)
+/// Adds a new subjectAltName extension contining Subject CN or returns false
+/// expects the caller to check for the existing subjectAltName extension
+static bool
+addAltNameWithSubjectCn(Ssl::X509_Pointer &cert)
+{
+ X509_NAME *name = X509_get_subject_name(cert.get());
+ if (!name)
+ return false;
+
+ const int loc = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
+ if (loc < 0)
+ return false;
+
+ ASN1_STRING *cn_data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, loc));
+ if (!cn_data)
+ return false;
+
+ char dnsName[1024]; // DNS names are limited to 256 characters
+ const int res = snprintf(dnsName, sizeof(dnsName), "DNS:%*s", cn_data->length, cn_data->data);
+ if (res <= 0 || res >= static_cast(sizeof(dnsName)))
+ return false;
+
+ X509_EXTENSION *ext = X509V3_EXT_conf_nid(NULL, NULL, NID_subject_alt_name, dnsName);
+ if (!ext)
+ return false;
+
+ const bool result = X509_add_ext(cert.get(), ext, -1);
+
+ X509_EXTENSION_free(ext);
+ return result;
+}
+
+static bool
+buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificateProperties const &properties)
{
// not an Ssl::X509_NAME_Pointer because X509_REQ_get_subject_name()
// returns a pointer to the existing subject name. Nothing to clean here.
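Review bot: In addAltNameWithSubjectCn() the format `"DNS:%*s"` passes `cn_data->length` as a minimum field width, not as a limit, so snprintf() still reads `cn_data->data` up to the first NUL byte. ASN1_STRING contents are length-delimited, so the bound belongs in the precision: `snprintf(dnsName, sizeof(dnsName), "DNS:%.*s", cn_data->length, cn_data->data);`. The formatted text is then parsed as an extension value string by X509V3_EXT_conf_nid(), so it would also be worth rejecting a CN that contains anything other than hostname characters before formatting it. The doc comment has the typo "contining", and buildCertificate() continues outside the hunk.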
@@ -387,6 +420,8 @@
} else if (!X509_gmtime_adj(X509_get_notAfter(cert.get()), 60*60*24*356*3))
return false;
+ int addedExtensions = 0;
+ bool useCommonNameAsAltName = true;
// mimic the alias and possibly subjectAltName
if (properties.mimicCert.get()) {
unsigned char *alStr;
@@ -396,26 +431,29 @@
X509_alias_set1(cert.get(), alStr, alLen);
}
- int addedExtensions = 0;
-
// Mimic subjectAltName unless we used a configured CN: browsers reject
// certificates with CN unrelated to subjectAltNames.
if (!properties.setCommonName) {
- int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1);
+ int pos = X509_get_ext_by_NID(properties.mimicCert.get(), NID_subject_alt_name, -1);
X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos);
if (ext) {
if (X509_add_ext(cert.get(), ext, -1))
++addedExtensions;
}
+ // We want to mimic the server-sent subjectAltName, not enhance it.
+ useCommonNameAsAltName = false;
}
addedExtensions += mimicExtensions(cert, properties.mimicCert);
-
- // According to RFC 5280, using extensions requires v3 certificate.
- if (addedExtensions)
- X509_set_version(cert.get(), 2); // value 2 means v3
}
+ if (useCommonNameAsAltName && addAltNameWithSubjectCn(cert))
+ ++addedExtensions;
+
+ // According to RFC 5280, using extensions requires v3 certificate.
+ if (addedExtensions)
+ X509_set_version(cert.get(), 2); // value 2 means v3
+
return true;
}
diff -u -r -N squid-3.5.25/src/ssl/ssl_crtd.cc squid-3.5.26/src/ssl/ssl_crtd.cc
--- squid-3.5.25/src/ssl/ssl_crtd.cc 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/src/ssl/ssl_crtd.cc 2017-06-02 01:49:00.000000000 +1200
@@ -350,7 +350,7 @@
}
} catch (std::runtime_error & error) {
std::cerr << argv[0] << ": " << error.what() << std::endl;
- return 0;
+ return -1;
}
return 0;
}
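Review bot: `return -1;` from what appears to be main() reaches the parent as exit status 255 on POSIX systems, and the meaning of a negative return is implementation-defined elsewhere; `return EXIT_FAILURE;` is the portable spelling if `<cstdlib>` is available in this file. The handler also catches only `std::runtime_error`, so any other exception type thrown in the try block would bypass this message; whether that can happen is not visible here. The function body starts outside the hunk.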
diff -u -r -N squid-3.5.25/src/tests/stub_tunnel.cc squid-3.5.26/src/tests/stub_tunnel.cc
--- squid-3.5.25/src/tests/stub_tunnel.cc 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/src/tests/stub_tunnel.cc 2017-06-02 01:49:00.000000000 +1200
@@ -14,7 +14,7 @@
#include "FwdState.h"
class ClientHttpRequest;
-void tunnelStart(ClientHttpRequest *, int64_t *, int *, const AccessLogEntryPointer &al) STUB
+void tunnelStart(ClientHttpRequest *) STUB
void switchToTunnel(HttpRequest *request, Comm::ConnectionPointer &clientConn, Comm::ConnectionPointer &srvConn) STUB
diff -u -r -N squid-3.5.25/src/tunnel.cc squid-3.5.26/src/tunnel.cc
--- squid-3.5.25/src/tunnel.cc 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/src/tunnel.cc 2017-06-02 01:49:00.000000000 +1200
@@ -139,7 +139,7 @@
int len;
char *buf;
AsyncCall::Pointer writer; ///< pending Comm::Write callback
- int64_t *size_ptr; /* pointer to size in an ConnStateData for logging */
+ uint64_t *size_ptr; /* pointer to size in an ConnStateData for logging */
Comm::ConnectionPointer conn; ///< The currently connected connection.
uint8_t delayedLoops; ///< how many times a read on this connection has been postponed.
@@ -848,6 +848,11 @@
return;
}
+ if (ClientHttpRequest *http = tunnelState->http.get()) {
+ http->out.headers_sz += size;
+ http->out.size += size;
+ }
+
tunnelStartShoveling(tunnelState);
}
@@ -995,7 +1000,7 @@
}
void
-tunnelStart(ClientHttpRequest * http, int64_t * size_ptr, int *status_ptr, const AccessLogEntryPointer &al)
+tunnelStart(ClientHttpRequest * http)
{
debugs(26, 3, HERE);
/* Create state structure. */
@@ -1021,7 +1026,7 @@
if (ch.fastCheck() == ACCESS_DENIED) {
debugs(26, 4, HERE << "MISS access forbidden.");
err = new ErrorState(ERR_FORWARDING_DENIED, Http::scForbidden, request);
- *status_ptr = Http::scForbidden;
+ http->al->http.code = Http::scForbidden;
errorSend(http->getConn()->clientConnection, err);
return;
}
@@ -1037,12 +1042,13 @@
#endif
tunnelState->url = xstrdup(url);
tunnelState->request = request;
- tunnelState->server.size_ptr = size_ptr;
- tunnelState->status_ptr = status_ptr;
+ tunnelState->server.size_ptr = &http->out.size;
+ tunnelState->client.size_ptr = &http->al->http.clientRequestSz.payloadData;
+ tunnelState->status_ptr = &http->al->http.code;
tunnelState->logTag_ptr = &http->logType;
tunnelState->client.conn = http->getConn()->clientConnection;
tunnelState->http = http;
- tunnelState->al = al;
+ tunnelState->al = http->al ;
tunnelState->started = squid_curtime;
comm_add_close_handler(tunnelState->client.conn->fd,
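Review bot: tunnelStart() now dereferences `http->al` unconditionally here (`&http->al->http.clientRequestSz.payloadData`, `&http->al->http.code`) and in the earlier hunk (`http->al->http.code = Http::scForbidden;`), while the later hunk of this file guards the same assignments with `if (context->http->al != NULL)`. Either `al` is always set for a ClientHttpRequest, in which case a comment or assertion saying so would explain why no check is needed here, or this function needs the same guard. `client.size_ptr` is a `uint64_t *` after this diff, so `payloadData` has to be exactly that type; its declaration is not visible here. There is also a stray space in `tunnelState->al = http->al ;`. The function continues outside the hunk.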
@@ -1053,7 +1059,7 @@
CommTimeoutCbPtrFun(tunnelTimeout, tunnelState));
commSetConnTimeout(tunnelState->client.conn, Config.Timeout.lifetime, timeoutCall);
- peerSelect(&(tunnelState->serverDestinations), request, al,
+ peerSelect(&(tunnelState->serverDestinations), request, tunnelState->al,
NULL,
tunnelPeerSelectComplete,
tunnelState);
@@ -1226,6 +1232,10 @@
if (context != NULL && context->http != NULL) {
tunnelState->logTag_ptr = &context->http->logType;
tunnelState->server.size_ptr = &context->http->out.size;
+ if (context->http->al != NULL) {
+ tunnelState->al = context->http->al;
+ tunnelState->client.size_ptr = &context->http->al->http.clientRequestSz.payloadData;
+ }
#if USE_DELAY_POOLS
/* no point using the delayIsNoDelay stuff since tunnel is nice and simple */
diff -u -r -N squid-3.5.25/tools/cachemgr.cc squid-3.5.26/tools/cachemgr.cc
--- squid-3.5.25/tools/cachemgr.cc 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/tools/cachemgr.cc 2017-06-02 01:49:00.000000000 +1200
@@ -440,7 +440,7 @@
return;
}
- buf_copy = x = xstrndup(buf, bufLen);
+ buf_copy = x = xstrndup(buf, bufLen+1);
a = xstrtok(&x, '\t');
diff -u -r -N squid-3.5.25/tools/purge/purge.cc squid-3.5.26/tools/purge/purge.cc
--- squid-3.5.25/tools/purge/purge.cc 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/tools/purge/purge.cc 2017-06-02 01:49:00.000000000 +1200
@@ -272,7 +272,7 @@
snprintf( md5, sizeof(md5), "%-32s", "(no_md5_data_available)" );
}
- char timeb[64];
+ char timeb[256];
if ( meta && (findings = meta->search( STORE_META_STD )) ) {
StoreMetaStd temp;
// make data aligned, avoid SIGBUS on RISC machines (ARGH!)
@@ -283,7 +283,7 @@
} else if ( meta && (findings = meta->search( STORE_META_STD_LFS )) ) {
StoreMetaStdLFS temp;
// make data aligned, avoid SIGBUS on RISC machines (ARGH!)
- memcpy( &temp, findings->data, sizeof(StoreMetaStd) );
+ memcpy( &temp, findings->data, sizeof(StoreMetaStdLFS) );
snprintf( timeb, sizeof(timeb), "%08lx %08lx %08lx %08lx %04x %5hu ",
(unsigned long)temp.timestamp, (unsigned long)temp.lastref,
(unsigned long)temp.expires, (unsigned long)temp.lastmod, temp.flags, temp.refcount );
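Review bot: The corrected `memcpy( &temp, findings->data, sizeof(StoreMetaStdLFS) );` now copies the full structure, but nothing in the visible lines checks that the metadata item read from the cache file actually holds that many bytes. If `search()` does not guarantee the length, a short or corrupted item would cause a read past `findings->data`. Tying the size to the destination with `sizeof(temp)` would also prevent the type-name mismatch this hunk fixes from recurring, and a length check before the copy (against whatever length field the item carries, which is not shown here) would cover the short-item case. The `STORE_META_STD` branch above has the same shape, and the enclosing function starts and ends outside the hunk.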
diff -u -r -N squid-3.5.25/tools/squidclient/squidclient.1 squid-3.5.26/tools/squidclient/squidclient.1
--- squid-3.5.25/tools/squidclient/squidclient.1 2017-04-03 01:04:18.000000000 +1200
+++ squid-3.5.26/tools/squidclient/squidclient.1 2017-06-02 01:49:00.000000000 +1200
@@ -86,7 +86,7 @@
.if !'po4a'hide' .TP
.if !'po4a'hide' .B "\-H 'string'"
Extra headers to send. Use
-.B '\\n'
+.B '\en'
for new lines.
.
.if !'po4a'hide' .TP