Thu Jul 9 20:57:11 2020 UTC ()
squid4: Fix build and SSL handshake on Chromium-based browsers
Changes:
- Fix an error where strings.h was not properly included
- Add SMF support on apropriate platforms
- Backport https://github.com/squid-cache/squid/pull/663:
SslBump: Support parsing GREASEd (and future) TLS handshakes
(otis)
diff -r1.10 -r1.11 pkgsrc/www/squid4/Makefile
diff -r1.7 -r1.8 pkgsrc/www/squid4/distinfo
diff -r0 -r1.1 pkgsrc/www/squid4/files/smf/manifest.xml
diff -r0 -r1.1 pkgsrc/www/squid4/patches/patch-src_esi_VarState.cc
diff -r0 -r1.1 pkgsrc/www/squid4/patches/patch-src_security_Handshake.cc
--- pkgsrc/www/squid4/Makefile 2020/06/19 13:44:28 1.10
+++ pkgsrc/www/squid4/Makefile 2020/07/09 20:57:11 1.11
| @@ -1,16 +1,17 @@ | | | @@ -1,16 +1,17 @@ |
| 1 | # $NetBSD: Makefile,v 1.10 2020/06/19 13:44:28 taca Exp $ | | 1 | # $NetBSD: Makefile,v 1.11 2020/07/09 20:57:11 otis Exp $ |
| 2 | | | 2 | |
| 3 | DISTNAME= squid-4.12 | | 3 | DISTNAME= squid-4.12 |
| | | 4 | PKGREVISION= 1 |
| 4 | CATEGORIES= www | | 5 | CATEGORIES= www |
| 5 | MASTER_SITES= http://www.squid-cache.org/Versions/v4/ | | 6 | MASTER_SITES= http://www.squid-cache.org/Versions/v4/ |
| 6 | MASTER_SITES+= ftp://ftp.squid-cache.org/pub/squid/ | | 7 | MASTER_SITES+= ftp://ftp.squid-cache.org/pub/squid/ |
| 7 | MASTER_SITES+= ftp://ftp.squid-cache.org/pub/archive/4/ | | 8 | MASTER_SITES+= ftp://ftp.squid-cache.org/pub/archive/4/ |
| 8 | EXTRACT_SUFX= .tar.xz | | 9 | EXTRACT_SUFX= .tar.xz |
| 9 | | | 10 | |
| 10 | MAINTAINER= pkgsrc-users@NetBSD.org | | 11 | MAINTAINER= pkgsrc-users@NetBSD.org |
| 11 | HOMEPAGE= http://www.squid-cache.org/ | | 12 | HOMEPAGE= http://www.squid-cache.org/ |
| 12 | COMMENT= Post-Harvest_cached WWW proxy cache and accelerator | | 13 | COMMENT= Post-Harvest_cached WWW proxy cache and accelerator |
| 13 | LICENSE= gnu-gpl-v2 | | 14 | LICENSE= gnu-gpl-v2 |
| 14 | | | 15 | |
| 15 | USE_LANGUAGES= c c++11 | | 16 | USE_LANGUAGES= c c++11 |
| 16 | USE_TOOLS+= perl:run gmake | | 17 | USE_TOOLS+= perl:run gmake |
| @@ -60,26 +61,27 @@ OWN_DIRS_PERMS+= ${SQUID_DATADIR}/cache | | | @@ -60,26 +61,27 @@ OWN_DIRS_PERMS+= ${SQUID_DATADIR}/cache |
| 60 | | | 61 | |
| 61 | .include "Makefile.common" | | 62 | .include "Makefile.common" |
| 62 | .include "options.mk" | | 63 | .include "options.mk" |
| 63 | | | 64 | |
| 64 | # Incorrect check for <netinet/ip_icmp.h> on FreeBSD: | | 65 | # Incorrect check for <netinet/ip_icmp.h> on FreeBSD: |
| 65 | CONFIGURE_ENV.FreeBSD+= ac_cv_header_netinet_ip_icmp_h=yes | | 66 | CONFIGURE_ENV.FreeBSD+= ac_cv_header_netinet_ip_icmp_h=yes |
| 66 | | | 67 | |
| 67 | INSTALLATION_DIRS= ${EGDIR} | | 68 | INSTALLATION_DIRS= ${EGDIR} |
| 68 | | | 69 | |
| 69 | SPECIAL_PERMS+= libexec/pinger ${SETUID_ROOT_PERMS} | | 70 | SPECIAL_PERMS+= libexec/pinger ${SETUID_ROOT_PERMS} |
| 70 | | | 71 | |
| 71 | RCD_SCRIPTS= squid | | 72 | RCD_SCRIPTS= squid |
| 72 | RCD_SCRIPT_SRC.squid= files/squid.sh | | 73 | RCD_SCRIPT_SRC.squid= files/squid.sh |
| | | 74 | SMF_NAME= squid |
| 73 | | | 75 | |
| 74 | SUBST_CLASSES+= confs | | 76 | SUBST_CLASSES+= confs |
| 75 | SUBST_STAGE.confs= pre-configure | | 77 | SUBST_STAGE.confs= pre-configure |
| 76 | SUBST_FILES.confs= src/cf.data.pre | | 78 | SUBST_FILES.confs= src/cf.data.pre |
| 77 | SUBST_SED.confs= -e "s/@DEFAULT_CACHE_EFFECTIVE_USER@/${SQUID_USER}/" | | 79 | SUBST_SED.confs= -e "s/@DEFAULT_CACHE_EFFECTIVE_USER@/${SQUID_USER}/" |
| 78 | SUBST_MESSAGE.confs= Fixing configuration files. | | 80 | SUBST_MESSAGE.confs= Fixing configuration files. |
| 79 | | | 81 | |
| 80 | post-build: | | 82 | post-build: |
| 81 | cd ${WRKSRC}/src && ${CP} -pf squid.conf.documented squid.conf.default | | 83 | cd ${WRKSRC}/src && ${CP} -pf squid.conf.documented squid.conf.default |
| 82 | | | 84 | |
| 83 | post-install: | | 85 | post-install: |
| 84 | .for f in ${EGFILES} | | 86 | .for f in ${EGFILES} |
| 85 | ${INSTALL_DATA} ${WRKSRC}/${f} \ | | 87 | ${INSTALL_DATA} ${WRKSRC}/${f} \ |
--- pkgsrc/www/squid4/distinfo 2020/06/19 13:44:28 1.7
+++ pkgsrc/www/squid4/distinfo 2020/07/09 20:57:11 1.8
| @@ -1,14 +1,16 @@ | | | @@ -1,14 +1,16 @@ |
| 1 | $NetBSD: distinfo,v 1.7 2020/06/19 13:44:28 taca Exp $ | | 1 | $NetBSD: distinfo,v 1.8 2020/07/09 20:57:11 otis Exp $ |
| 2 | | | 2 | |
| 3 | SHA1 (squid-4.12.tar.xz) = 316b8a343aa542b5e7469d33b9d726bee00679c6 | | 3 | SHA1 (squid-4.12.tar.xz) = 316b8a343aa542b5e7469d33b9d726bee00679c6 |
| 4 | RMD160 (squid-4.12.tar.xz) = 5d593efe84ca34c39a21bab523e75621dec4e9bb | | 4 | RMD160 (squid-4.12.tar.xz) = 5d593efe84ca34c39a21bab523e75621dec4e9bb |
| 5 | SHA512 (squid-4.12.tar.xz) = 96fa700a0c28711eb1ec5e44e1d324dc8d3accdddbc675def8babe057e2cc71083bd3817bc37cbd9f3c03772743df578573ee3698bbd6131df68c3580ad31ef4 | | 5 | SHA512 (squid-4.12.tar.xz) = 96fa700a0c28711eb1ec5e44e1d324dc8d3accdddbc675def8babe057e2cc71083bd3817bc37cbd9f3c03772743df578573ee3698bbd6131df68c3580ad31ef4 |
| 6 | Size (squid-4.12.tar.xz) = 2450564 bytes | | 6 | Size (squid-4.12.tar.xz) = 2450564 bytes |
| 7 | SHA1 (patch-compat_compat.h) = 839381a5e1f46e7d9b822bbb53d82a53c996ddc0 | | 7 | SHA1 (patch-compat_compat.h) = 839381a5e1f46e7d9b822bbb53d82a53c996ddc0 |
| 8 | SHA1 (patch-configure) = 0d204989666c36172f0765f2a44766d9194c7bb2 | | 8 | SHA1 (patch-configure) = 0d204989666c36172f0765f2a44766d9194c7bb2 |
| 9 | SHA1 (patch-errors_Makefile.in) = 84cbf5c836f02ed5fbfff140888c6d3aadeac326 | | 9 | SHA1 (patch-errors_Makefile.in) = 84cbf5c836f02ed5fbfff140888c6d3aadeac326 |
| 10 | SHA1 (patch-src_Makefile.in) = afc5aefd97c46d1ffab43e97aeaeade3a5a8c648 | | 10 | SHA1 (patch-src_Makefile.in) = afc5aefd97c46d1ffab43e97aeaeade3a5a8c648 |
| 11 | SHA1 (patch-src_acl_external_kerberos__ldap__group_support__resolv.cc) = 0ea41d55e32d689a16e012391a9eea67631daf3a | | 11 | SHA1 (patch-src_acl_external_kerberos__ldap__group_support__resolv.cc) = 0ea41d55e32d689a16e012391a9eea67631daf3a |
| 12 | SHA1 (patch-src_comm_ModKqueue.cc) = d8c5d235f07a48731275101d60fcbf2e22f77b96 | | 12 | SHA1 (patch-src_comm_ModKqueue.cc) = d8c5d235f07a48731275101d60fcbf2e22f77b96 |
| | | 13 | SHA1 (patch-src_esi_VarState.cc) = d9418e59cdc390b2d970195167a99bb7ed392c38 |
| 13 | SHA1 (patch-src_fs_ufs_RebuildState.h) = 76ee5c437b3dad05e428ae89cd5af6c052a40e59 | | 14 | SHA1 (patch-src_fs_ufs_RebuildState.h) = 76ee5c437b3dad05e428ae89cd5af6c052a40e59 |
| | | 15 | SHA1 (patch-src_security_Handshake.cc) = 5c48ab63e7e387ff14e3a0a2d9cddfeef66782ec |
| 14 | SHA1 (patch-tools_Makefile.in) = d098c0c9dc4af577f74e562d99f07ed98be5ae01 | | 16 | SHA1 (patch-tools_Makefile.in) = d098c0c9dc4af577f74e562d99f07ed98be5ae01 |
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="manifest" name="export">
<service name="@SMF_PREFIX@/@SMF_NAME@" type="service" version="1">
<create_default_instance enabled="false" />
<single_instance />
<dependency name="network" grouping="require_all" restart_on="error" type="service">
<service_fmri value="svc:/milestone/network:default" />
</dependency>
<dependency name="filesystem" grouping="require_all" restart_on="error" type="service">
<service_fmri value="svc:/system/filesystem/local" />
</dependency>
<exec_method type="method" name="start" exec="@PREFIX@/sbin/squid -f %{config_file}" timeout_seconds="60" />
<exec_method type="method" name="stop" exec="@PREFIX@/sbin/squid -k shutdown" timeout_seconds="120" />
<property_group name="startd" type="framework">
<propval name="duration" type="astring" value="contract" />
<propval name="ignore_error" type="astring" value="core,signal" />
</property_group>
<property_group name="application" type="application">
<propval name="config_file" type="astring" value="@PKG_SYSCONFDIR@/squid.conf" />
</property_group>
<template>
<common_name>
<loctext xml:lang="C">squid daemon</loctext>
</common_name>
</template>
</service>
</service_bundle>
$NetBSD: patch-src_esi_VarState.cc,v 1.1 2020/07/09 20:57:11 otis Exp $
Fix undeclared index() by including the proper header file.
--- src/esi/VarState.cc.orig 2020-07-09 19:37:38.879095702 +0000
+++ src/esi/VarState.cc
@@ -12,6 +12,9 @@
#include "esi/VarState.h"
#include "fatal.h"
#include "HttpReply.h"
+#if HAVE_STRINGS_H
+#include <strings.h>
+#endif
char const *ESIVariableUserAgent::esiUserOs[]= {
"WIN",
$NetBSD: patch-src_security_Handshake.cc,v 1.1 2020/07/09 20:57:11 otis Exp $
Address:
https://github.com/squid-cache/squid/pull/663
https://www.spinics.net/lists/squid/msg92728.html
https://www.spinics.net/lists/squid/msg92814.html
See also:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247397
--- src/security/Handshake.cc.orig 2020-07-09 19:09:34.152270307 +0000
+++ src/security/Handshake.cc
@@ -9,6 +9,7 @@
/* DEBUG: section 83 SSL-Bump Server/Peer negotiation */
#include "squid.h"
+#include "sbuf/Stream.h"
#include "security/Handshake.h"
#if USE_OPENSSL
#include "ssl/support.h"
@@ -104,25 +105,52 @@ public:
typedef std::unordered_set<Extension::Type> Extensions;
static Extensions SupportedExtensions();
-} // namespace Security
-
/// parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion
+/// \retval PROTO_NONE for unsupported values (in relaxed mode)
static AnyP::ProtocolVersion
-ParseProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel = ".version")
+ParseProtocolVersionBase(Parser::BinaryTokenizer &tk, const char *contextLabel, const bool beStrict)
{
Parser::BinaryTokenizerContext context(tk, contextLabel);
uint8_t vMajor = tk.uint8(".major");
uint8_t vMinor = tk.uint8(".minor");
+
if (vMajor == 0 && vMinor == 2)
return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 2, 0);
- Must(vMajor == 3);
- if (vMinor == 0)
- return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
+ if (vMajor == 3) {
+ if (vMinor == 0)
+ return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
+ return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
+ }
+
+ /* handle unsupported versions */
+
+ const uint16_t vRaw = (vMajor << 8) | vMinor;
+ debugs(83, 7, "unsupported: " << asHex(vRaw));
+ if (beStrict)
+ throw TextException(ToSBuf("unsupported TLS version: ", asHex(vRaw)), Here());
+ // else hide unsupported version details from the caller behind PROTO_NONE
+ return AnyP::ProtocolVersion();
+}
+
+/// parse a framing-related TLS ProtocolVersion
+/// \returns a supported SSL or TLS Anyp::ProtocolVersion, never PROTO_NONE
+static AnyP::ProtocolVersion
+ParseProtocolVersion(Parser::BinaryTokenizer &tk)
+{
+ return ParseProtocolVersionBase(tk, ".version", true);
+}
- return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
+/// parse a framing-unrelated TLS ProtocolVersion
+/// \retval PROTO_NONE for unsupported values
+static AnyP::ProtocolVersion
+ParseOptionalProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel)
+{
+ return ParseProtocolVersionBase(tk, contextLabel, false);
}
+} // namespace Security
+
Security::TLSPlaintext::TLSPlaintext(Parser::BinaryTokenizer &tk)
{
Parser::BinaryTokenizerContext context(tk, "TLSPlaintext");
@@ -431,6 +459,8 @@ Security::HandshakeParser::parseExtensio
break;
case 16: { // Application-Layer Protocol Negotiation Extension, RFC 7301
Parser::BinaryTokenizer tkAPN(extension.data);
+ // Store the entire protocol list, including unsupported-by-Squid
+ // values (if any). We have to use all when peeking at the server.
details->tlsAppLayerProtoNeg = tkAPN.pstring16("APN");
break;
}
@@ -441,8 +471,9 @@ Security::HandshakeParser::parseExtensio
case 43: // supported_versions extension; RFC 8446
parseSupportedVersionsExtension(extension.data);
break;
- case 13172: // Next Protocol Negotiation Extension (expired draft?)
default:
+ // other extensions, including those that Squid does not support, do
+ // not require special handling here, but see unsupportedExtensions
break;
}
}
@@ -455,7 +486,7 @@ Security::HandshakeParser::parseCiphers(
Parser::BinaryTokenizer tk(raw);
while (!tk.atEnd()) {
const uint16_t cipher = tk.uint16("cipher");
- details->ciphers.insert(cipher);
+ details->ciphers.insert(cipher); // including Squid-unsupported ones
}
}
@@ -473,7 +504,7 @@ Security::HandshakeParser::parseV23Ciphe
const uint8_t prefix = tk.uint8("prefix");
const uint16_t cipher = tk.uint16("cipher");
if (prefix == 0)
- details->ciphers.insert(cipher);
+ details->ciphers.insert(cipher); // including Squid-unsupported ones
}
}
@@ -486,6 +517,7 @@ Security::HandshakeParser::parseServerHe
details->tlsSupportedVersion = ParseProtocolVersion(tk);
tk.skip(HelloRandomSize, ".random");
details->sessionId = tk.pstring8(".session_id");
+ // cipherSuite may be unsupported by a peeking Squid
details->ciphers.insert(tk.uint16(".cipher_suite"));
details->compressionSupported = tk.uint8(".compression_method") != 0; // not null
if (!tk.atEnd()) // extensions present
@@ -554,12 +586,15 @@ Security::HandshakeParser::parseSupporte
Parser::BinaryTokenizer tkList(extensionData);
Parser::BinaryTokenizer tkVersions(tkList.pstring8("SupportedVersions"));
while (!tkVersions.atEnd()) {
- const auto version = ParseProtocolVersion(tkVersions, "supported_version");
+ const auto version = ParseOptionalProtocolVersion(tkVersions, "supported_version");
+ // ignore values unsupported by Squid,represented by a falsy version
+ if (!version)
+ continue;
if (!supportedVersionMax || TlsVersionEarlierThan(supportedVersionMax, version))
supportedVersionMax = version;
}
- // ignore empty supported_versions
+ // ignore empty and ignored-values-only supported_versions
if (!supportedVersionMax)
return;
@@ -569,7 +604,11 @@ Security::HandshakeParser::parseSupporte
} else {
assert(messageSource == fromServer);
Parser::BinaryTokenizer tkVersion(extensionData);
- const auto version = ParseProtocolVersion(tkVersion, "selected_version");
+ const auto version = ParseOptionalProtocolVersion(tkVersion, "selected_version");
+ // Ignore values unsupported by Squid. There should not be any until we
+ // start seeing TLS v2+, but they do not affect TLS framing anyway.
+ if (!version)
+ return;
// RFC 8446 Section 4.2.1:
// A server which negotiates a version of TLS prior to TLS 1.3 [...]
// MUST NOT send the "supported_versions" extension.