header file. */
@@ -1114,6 +1114,9 @@
/* The system implements a functional va_copy() */
#undef HAVE_VA_COPY
+/* Define to 1 if you have the `vfork' function. */
+#undef HAVE_VFORK
+
/* Define to 1 if you have the `vsnprintf' function. */
#undef HAVE_VSNPRINTF
diff -u -r -N squid-3.4.6/include/sspwin32.h squid-3.4.7/include/sspwin32.h
--- squid-3.4.6/include/sspwin32.h 2014-06-25 07:41:39.000000000 -0700
+++ squid-3.4.7/include/sspwin32.h 2014-08-27 07:22:40.000000000 -0700
@@ -70,7 +70,7 @@
HMODULE LoadSecurityDll(int, const char *);
void UnloadSecurityDll(void);
- BOOL WINAPI SSP_LogonUser(unsigned char *, unsigned char *, unsigned char *);
+ BOOL WINAPI SSP_LogonUser(PTSTR, PTSTR, PTSTR);
BOOL WINAPI SSP_ValidateNTLMCredentials(PVOID, int, char *);
const char * WINAPI SSP_ValidateNegotiateCredentials(PVOID, int, PBOOL, int *, char *);
const char * WINAPI SSP_MakeChallenge(PVOID, int);
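Review bot: The new `SSP_LogonUser(PTSTR, PTSTR, PTSTR)` prototype takes a character type that flips between `char` and `wchar_t` depending on whether UNICODE is defined at compile time, so the declaration should say which build the helper is written for, and any caller still passing narrow credential buffers needs checking under a UNICODE build. I would add above the declaration `/* PTSTR is TCHAR*: narrow or wide per the UNICODE build setting; callers must pass matching buffers */`. The definition and the callers are not in this hunk, so whether they were adjusted in step is not visible here.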
diff -u -r -N squid-3.4.6/include/version.h squid-3.4.7/include/version.h
--- squid-3.4.6/include/version.h 2014-06-25 07:43:23.000000000 -0700
+++ squid-3.4.7/include/version.h 2014-08-27 07:24:14.000000000 -0700
@@ -7,7 +7,7 @@
*/
#ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1403707292
+#define SQUID_RELEASE_TIME 1409149346
#endif
#ifndef APP_SHORTNAME
diff -u -r -N squid-3.4.6/RELEASENOTES.html squid-3.4.7/RELEASENOTES.html
--- squid-3.4.6/RELEASENOTES.html 2014-06-25 08:31:11.000000000 -0700
+++ squid-3.4.7/RELEASENOTES.html 2014-08-27 08:04:03.000000000 -0700
@@ -2,10 +2,10 @@
- Squid 3.4.5 release notes
+ Squid 3.4.7 release notes
-Squid 3.4.5 release notes
+Squid 3.4.7 release notes
Squid Developers
@@ -57,7 +57,7 @@
-The Squid Team are pleased to announce the release of Squid-3.4.5 for testing.
+The Squid Team are pleased to announce the release of Squid-3.4.7 for testing.
This new release is available for download from
http://www.squid-cache.org/Versions/v3/3.4/ or the
mirrors.
diff -u -r -N squid-3.4.6/src/anyp/PortCfg.h squid-3.4.7/src/anyp/PortCfg.h
--- squid-3.4.6/src/anyp/PortCfg.h 2014-06-25 07:41:39.000000000 -0700
+++ squid-3.4.7/src/anyp/PortCfg.h 2014-08-27 07:22:40.000000000 -0700
@@ -92,8 +92,10 @@
} // namespace AnyP
+#if !defined(MAXTCPLISTENPORTS)
// Max number of TCP listening ports
#define MAXTCPLISTENPORTS 128
+#endif
// TODO: kill this global array. Need to check performance of array vs list though.
extern int NHttpSockets;
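Review bot: Allowing MAXTCPLISTENPORTS to be overridden from the build does not validate the override, and per the TODO below this constant sizes a global array, so a zero or negative value from the command line would reach the array declaration unchecked. Add after the guard `#if MAXTCPLISTENPORTS < 1`, `#error "MAXTCPLISTENPORTS must be positive"`, `#endif`, and extend the comment to say the default may be overridden at compile time. The array declaration itself is outside this hunk.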
diff -u -r -N squid-3.4.6/src/cache_cf.cc squid-3.4.7/src/cache_cf.cc
--- squid-3.4.6/src/cache_cf.cc 2014-06-25 07:41:39.000000000 -0700
+++ squid-3.4.7/src/cache_cf.cc 2014-08-27 07:22:40.000000000 -0700
@@ -893,16 +893,18 @@
Config2.effectiveGroupID = pwd->pw_gid;
#if HAVE_PUTENV
-
if (pwd->pw_dir && *pwd->pw_dir) {
- int len;
- char *env_str = (char *)xcalloc((len = strlen(pwd->pw_dir) + 6), 1);
- snprintf(env_str, len, "HOME=%s", pwd->pw_dir);
- putenv(env_str);
+ // putenv() leaks by design; avoid leaks when nothing changes
+ static String lastDir;
+ if (!lastDir.size() || lastDir != pwd->pw_dir) {
+ lastDir = pwd->pw_dir;
+ int len = strlen(pwd->pw_dir) + 6;
+ char *env_str = (char *)xcalloc(len, 1);
+ snprintf(env_str, len, "HOME=%s", pwd->pw_dir);
+ putenv(env_str);
+ }
}
-
#endif
-
}
} else {
Config2.effectiveUserID = geteuid();
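Review bot: The new allocation at `int len = strlen(pwd->pw_dir) + 6;` keeps a magic 6 and narrows a size_t into an int; `const size_t len = strlen(pwd->pw_dir) + sizeof("HOME=");` documents that the extra bytes are the prefix plus the terminator and matches the size type snprintf takes. The `lastDir != pwd->pw_dir` comparison relies on String providing an operator!= against a C string — presumably it does, but that is not visible here. Each change of pw_dir still leaks one buffer, which is inherent to putenv() and worth stating in the comment: `// one leak per distinct home dir: putenv() keeps our buffer`. The enclosing function starts and ends outside the hunk.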
diff -u -r -N squid-3.4.6/src/cf.data.pre squid-3.4.7/src/cf.data.pre
--- squid-3.4.6/src/cf.data.pre 2014-06-25 07:41:39.000000000 -0700
+++ squid-3.4.7/src/cf.data.pre 2014-08-27 07:22:40.000000000 -0700
@@ -715,7 +715,7 @@
%USER_CERT SSL User certificate in PEM format
%USER_CERTCHAIN SSL User certificate chain in PEM format
%USER_CERT_xx SSL User certificate subject attribute xx
- %USER_CA_xx SSL User certificate issuer attribute xx
+ %USER_CA_CERT_xx SSL User certificate issuer attribute xx
%>{Header} HTTP request header "Header"
%>{Hdr:member}
diff -u -r -N squid-3.4.6/src/eui/Eui48.cc squid-3.4.7/src/eui/Eui48.cc
--- squid-3.4.6/src/eui/Eui48.cc 2014-06-25 07:41:39.000000000 -0700
+++ squid-3.4.7/src/eui/Eui48.cc 2014-08-27 07:22:40.000000000 -0700
@@ -59,8 +59,9 @@
struct sockaddr arp_ha; /* hardware address */
int arp_flags; /* flags */
};
-
-#include
+#if HAVE_IPHLPAPI_H
+#include
+#endif
#endif
#if HAVE_SYS_PARAM_H
diff -u -r -N squid-3.4.6/src/external_acl.cc squid-3.4.7/src/external_acl.cc
--- squid-3.4.6/src/external_acl.cc 2014-06-25 07:41:39.000000000 -0700
+++ squid-3.4.7/src/external_acl.cc 2014-08-27 07:22:40.000000000 -0700
@@ -473,13 +473,13 @@
else if (strncmp(token, "%USER_CERT_", 11) == 0) {
format->type = _external_acl_format::EXT_ACL_USER_CERT;
format->header = xstrdup(token + 11);
- } else if (strncmp(token, "%USER_CA_CERT_", 11) == 0) {
+ } else if (strncmp(token, "%USER_CA_CERT_", 14) == 0) {
format->type = _external_acl_format::EXT_ACL_USER_CA_CERT;
- format->header = xstrdup(token + 11);
- } else if (strncmp(token, "%CA_CERT_", 11) == 0) {
+ format->header = xstrdup(token + 14);
+ } else if (strncmp(token, "%CA_CERT_", 9) == 0) {
debugs(82, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: external_acl_type %CA_CERT_* code is obsolete. Use %USER_CA_CERT_* instead");
format->type = _external_acl_format::EXT_ACL_USER_CA_CERT;
- format->header = xstrdup(token + 11);
+ format->header = xstrdup(token + 9);
}
#endif
#if USE_AUTH
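Review bot: The fix corrects the three prefix lengths but keeps the pattern that produced the bug — a literal prefix and a separately maintained count — so the next token added here can drift the same way; deriving the count from the literal, e.g. `static const char caCertPrefix[] = "%USER_CA_CERT_";` with `strncmp(token, caCertPrefix, sizeof(caCertPrefix) - 1) == 0` and `xstrdup(token + sizeof(caCertPrefix) - 1)`, removes the duplication for all three branches. Separately, a token that is exactly `%USER_CA_CERT_` (or `%CA_CERT_`) now matches and stores an empty attribute name in format->header; unless the later attribute lookup tolerates an empty name, the parser should reject it through whatever error path this function uses for bad tokens, which is outside the hunk.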
diff -u -r -N squid-3.4.6/src/HttpHdrRange.cc squid-3.4.7/src/HttpHdrRange.cc
--- squid-3.4.6/src/HttpHdrRange.cc 2014-06-25 07:41:39.000000000 -0700
+++ squid-3.4.7/src/HttpHdrRange.cc 2014-08-27 07:22:40.000000000 -0700
@@ -92,7 +92,7 @@
/* is it a suffix-byte-range-spec ? */
if (*field == '-') {
- if (!httpHeaderParseOffset(field + 1, &length))
+ if (!httpHeaderParseOffset(field + 1, &length) || !known_spec(length))
return false;
} else
/* must have a '-' somewhere in _this_ field */
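Review bot: The added `|| !known_spec(length)` rejects a suffix length the parser accepted but that is not a usable specifier — presumably a negative or overflowed value that would later be mistaken for the "unknown" marker — and that reason is not obvious from the line, so add `// parsed but not a valid byte count (e.g. negative): refuse rather than treat as "unknown" later` above the check. A suffix length of zero (`bytes=-0`) still passes here; RFC 7233 treats that as unsatisfiable, so confirm it is handled where the spec is canonicalised, which is outside this hunk. The parsing function starts before and continues after the hunk.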
@@ -100,7 +100,7 @@
debugs(64, 2, "invalid (missing '-') range-spec near: '" << field << "'");
return false;
} else {
- if (!httpHeaderParseOffset(field, &offset))
+ if (!httpHeaderParseOffset(field, &offset) || !known_spec(offset))
return false;
++p;
@@ -109,7 +109,7 @@
if (p - field < flen) {
int64_t last_pos;
- if (!httpHeaderParseOffset(p, &last_pos))
+ if (!httpHeaderParseOffset(p, &last_pos) || !known_spec(last_pos))
return false;
// RFC 2616 s14.35.1 MUST: last-byte-pos >= first-byte-pos
diff -u -r -N squid-3.4.6/src/ident/Ident.cc squid-3.4.7/src/ident/Ident.cc
--- squid-3.4.6/src/ident/Ident.cc 2014-06-25 07:41:39.000000000 -0700
+++ squid-3.4.7/src/ident/Ident.cc 2014-08-27 07:22:40.000000000 -0700
@@ -123,9 +123,9 @@
IdentStateData *state = (IdentStateData *)data;
if (status != COMM_OK) {
- if (status == COMM_TIMEOUT) {
+ if (status == COMM_TIMEOUT)
debugs(30, 3, "IDENT connection timeout to " << state->conn->remote);
- }
+ Ident::identCallback(state, NULL);
return;
}
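Review bot: Dropping the braces around the debugs() call leaves the new `Ident::identCallback(state, NULL);` at the same indentation as the if body, which is exactly the shape that hides a misplaced statement; keep the braces, `if (status == COMM_TIMEOUT) { debugs(30, 3, ...); }`, so it stays visually clear that the callback now runs for every non-OK status. Whether identCallback() releases `state` and closes `state->conn` is not visible here — if it does not, the state data now leaks on every failed connect — and a comment such as `// identCallback() owns cleanup of state from here on` would record the expectation. The enclosing function starts outside the hunk.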
diff -u -r -N squid-3.4.6/src/ssl/gadgets.cc squid-3.4.7/src/ssl/gadgets.cc
--- squid-3.4.6/src/ssl/gadgets.cc 2014-06-25 07:41:39.000000000 -0700
+++ squid-3.4.7/src/ssl/gadgets.cc 2014-08-27 07:22:40.000000000 -0700
@@ -249,11 +249,12 @@
return certKey;
}
-// Copy certificate extensions from cert to mimicCert.
+/// Copy certificate extensions from cert to mimicCert.
+/// Returns the number of extensions copied.
// Currently only extensions which are reported by the users that required are
// mimicked. More safe to mimic extensions would be added here if users request
// them.
-static void
+static int
mimicExtensions(Ssl::X509_Pointer & cert, Ssl::X509_Pointer const & mimicCert)
{
static int extensions[]= {
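Review bot: The doc block mixes `///` and `//`: only the first two lines are Doxygen, so the explanation of which extensions are mimicked is dropped from the generated documentation. Make all lines `///` and state the side effect on the first parameter, e.g. `/// Copy selected extensions from mimicCert into cert (modifies cert); returns the number added.`. The function body continues past this hunk.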
@@ -263,15 +264,50 @@
0
};
+ // key usage bit names
+ enum {
+ DigitalSignature,
+ NonRepudiation,
+ KeyEncipherment, // NSS requires for RSA but not EC
+ DataEncipherment,
+ KeyAgreement,
+ KeyCertificateSign,
+ CRLSign,
+ EncipherOnly,
+ DecipherOnly
+ };
+
+ int mimicAlgo = OBJ_obj2nid(mimicCert.get()->cert_info->key->algor->algorithm);
+
+ int added = 0;
int nid;
for (int i = 0; (nid = extensions[i]) != 0; ++i) {
const int pos = X509_get_ext_by_NID(mimicCert.get(), nid, -1);
- if (X509_EXTENSION *ext = X509_get_ext(mimicCert.get(), pos))
- X509_add_ext(cert.get(), ext, -1);
+ if (X509_EXTENSION *ext = X509_get_ext(mimicCert.get(), pos)) {
+ // Mimic extension exactly.
+ if (X509_add_ext(cert.get(), ext, -1))
+ ++added;
+ if ( nid == NID_key_usage && mimicAlgo != NID_rsaEncryption ) {
+ // NSS does not requre the KeyEncipherment flag on EC keys
+ // but it does require it for RSA keys. Since ssl-bump
+ // substitutes RSA keys for EC ones, we need to ensure that
+ // that the more stringent requirements are met.
+
+ const int p = X509_get_ext_by_NID(cert.get(), NID_key_usage, -1);
+ if ((ext = X509_get_ext(cert.get(), p)) != NULL) {
+ ASN1_BIT_STRING *keyusage = (ASN1_BIT_STRING *)X509V3_EXT_d2i(ext);
+ ASN1_BIT_STRING_set_bit(keyusage, KeyEncipherment, 1);
+ X509_EXTENSION_set_data( ext, (ASN1_OCTET_STRING*)keyusage );
+ ASN1_BIT_STRING_free(keyusage);
+ }
+ }
+ }
}
// We could also restrict mimicking of the CA extension to CA:FALSE
// because Squid does not generate valid fake CA certificates.
+
+ return added;
}
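Review bot: `X509_EXTENSION_set_data(ext, (ASN1_OCTET_STRING*)keyusage)` stores the decoded bit string where OpenSSL expects the DER encoding of the extension value (extnValue is an OCTET STRING wrapping the encoded BIT STRING), so the rewritten keyUsage carries raw bit bytes without the BIT STRING tag, length and unused-bits octet and will not decode in clients that check it — the opposite of what the NSS workaround intends. The decoded value has to be re-encoded with i2d_ASN1_BIT_STRING() before it is set, and `X509V3_EXT_d2i(ext)` can return NULL for a malformed mimicked extension, which the code passes straight to ASN1_BIT_STRING_set_bit(). The `cert_info->key->algor->algorithm` access also reaches into X509 internals; an accessor such as `X509_get_pubkey()` plus `EVP_PKEY_base_id()` (where the OpenSSL version provides it) would keep this working once the structs become opaque. The rewrite below covers only the keyUsage branch.
```cpp
            // … unchanged: extension copy loop and mimicAlgo computation …
            const int p = X509_get_ext_by_NID(cert.get(), NID_key_usage, -1);
            if ((ext = X509_get_ext(cert.get(), p)) != NULL) {
                ASN1_BIT_STRING *keyusage = (ASN1_BIT_STRING *)X509V3_EXT_d2i(ext);
                if (keyusage) { // NULL when the mimicked extension is malformed
                    ASN1_BIT_STRING_set_bit(keyusage, KeyEncipherment, 1);
                    // extnValue must hold the DER of the BIT STRING, not the decoded object
                    unsigned char *der = NULL;
                    const int derLen = i2d_ASN1_BIT_STRING(keyusage, &der);
                    if (derLen > 0) {
                        ASN1_OCTET_STRING *value = ASN1_OCTET_STRING_new();
                        if (value && ASN1_OCTET_STRING_set(value, der, derLen))
                            X509_EXTENSION_set_data(ext, value); // copies value
                        ASN1_OCTET_STRING_free(value);
                    }
                    OPENSSL_free(der);
                    ASN1_BIT_STRING_free(keyusage);
                }
            }
```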
static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificateProperties const &properties)
@@ -331,22 +367,24 @@
X509_alias_set1(cert.get(), alStr, alLen);
}
+ int addedExtensions = 0;
+
// Mimic subjectAltName unless we used a configured CN: browsers reject
// certificates with CN unrelated to subjectAltNames.
if (!properties.setCommonName) {
int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1);
X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos);
if (ext) {
- X509_add_ext(cert.get(), ext, -1);
- /* According the RFC 5280 using extensions requires version 3
- certificate.
- Set version value to 2 for version 3 certificates.
- */
- X509_set_version(cert.get(), 2);
+ if (X509_add_ext(cert.get(), ext, -1))
+ ++addedExtensions;
}
}
- mimicExtensions(cert, properties.mimicCert);
+ addedExtensions += mimicExtensions(cert, properties.mimicCert);
+
+ // According to RFC 5280, using extensions requires v3 certificate.
+ if (addedExtensions)
+ X509_set_version(cert.get(), 2); // value 2 means v3
}
return true;