diff -u -r -N squid-3.4.6/ChangeLog squid-3.4.7/ChangeLog --- squid-3.4.6/ChangeLog 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/ChangeLog 2014-08-27 07:22:40.000000000 -0700 @@ -1,3 +1,17 @@ +Changes to squid-3.4.7 (28 Aug 2014): + + - Regression Fix: Kerberos LDAP authorizing groups with principle subdomain + - Bug 4080: worker hangs when client identd is not responding + - Bug 3966: Add KeyEncipherment when ssl-bump substitues RSA for EC + - HTTP/1.1: Ignore Range headers with unidentifiable byte-range values + - SSL-bump: Use v3 for fake certificate if we add _any_ certificate extension + - Enable compile-time override for MAXTCPLISTENPORTS + - ntlm_sspi_auth: Fix various build errors + - negotiate_wrapper: Fix build issues with non-portable vfork() + - negotiate_sspi_auth: Portability fixes for MinGW + - ext_lm_group_acl: Portability fixes for MinGW + - ... and several minor memory leaks + Changes to squid-3.4.6 (25 Jun 2014): - Regression: segmentation fault logging with %tg format specifier @@ -151,6 +165,11 @@ - ... and many documentation changes - ... and much code cleanup and polishing +Changes to squid-3.3.13 (28 Aug 2014): + + - Fix segmentation fault setting up server SSL connnection + - HTTP/1.1: Ignore Range headers with unidentifiable byte-range values + Changes to squid-3.3.12 (09 Mar 2014): - Regression Bug 3769: client_netmask not evaluated since Comm redesign diff -u -r -N squid-3.4.6/compat/Makefile.in squid-3.4.7/compat/Makefile.in --- squid-3.4.6/compat/Makefile.in 2014-06-25 07:42:32.000000000 -0700 +++ squid-3.4.7/compat/Makefile.in 2014-08-27 07:23:26.000000000 -0700 
@@ -83,9 +83,9 @@ build_triplet = @build@ host_triplet = @host@ DIST_COMMON = $(top_srcdir)/src/Common.am $(srcdir)/Makefile.in \ - $(srcdir)/Makefile.am strtoll.c initgroups.c tempnam.c \ - drand48.c getaddrinfo.c psignal.c inet_ntop.c strerror.c \ - getnameinfo.c inet_pton.c $(top_srcdir)/cfgaux/depcomp \ + $(srcdir)/Makefile.am strtoll.c strerror.c drand48.c \ + inet_pton.c getnameinfo.c tempnam.c inet_ntop.c psignal.c \ + getaddrinfo.c initgroups.c $(top_srcdir)/cfgaux/depcomp \ $(top_srcdir)/cfgaux/test-driver check_PROGRAMS = testPreCompiler$(EXEEXT) TESTS = testPreCompiler$(EXEEXT) testHeaders diff -u -r -N squid-3.4.6/configure squid-3.4.7/configure --- squid-3.4.6/configure 2014-06-25 07:43:23.000000000 -0700 +++ squid-3.4.7/configure 2014-08-27 07:24:14.000000000 -0700 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.4.6. +# Generated by GNU Autoconf 2.69 for Squid Web Proxy 3.4.7. # # Report bugs to . # @@ -595,8 +595,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='3.4.6' -PACKAGE_STRING='Squid Web Proxy 3.4.6' +PACKAGE_VERSION='3.4.7' +PACKAGE_STRING='Squid Web Proxy 3.4.7' PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' PACKAGE_URL='' @@ -1605,7 +1605,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 3.4.6 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 3.4.7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1675,7 +1675,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 3.4.6:";; + short | recursive ) echo "Configuration of Squid Web Proxy 3.4.7:";; esac cat <<\_ACEOF 
@@ -2071,7 +2071,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 3.4.6 +Squid Web Proxy configure 3.4.7 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3175,7 +3175,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 3.4.6, which was +It was created by Squid Web Proxy $as_me 3.4.7, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4042,7 +4042,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='3.4.6' + VERSION='3.4.7' cat >>confdefs.h <<_ACEOF @@ -21893,7 +21893,7 @@ $as_echo "$as_me: WARNING: EUI support probably will not work on host $host." >&2;} ;; esac - #Iphlpapi.h check delayed after winsock2.h + # iphlpapi.h check delayed after winsock2.h for ac_header in \ windows.h \ sys/sockio.h \ @@ -24351,7 +24351,17 @@ elif test "x$helper" = "xwrapper" ; then - BUILD_HELPER="wrapper" + for ac_func in vfork +do : + ac_fn_cxx_check_func "$LINENO" "vfork" "ac_cv_func_vfork" +if test "x$ac_cv_func_vfork" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_VFORK 1 +_ACEOF + BUILD_HELPER="wrapper" +fi +done + # modules not yet converted to autoconf macros (or third party drop-in's) @@ -29505,7 +29515,7 @@ for ac_header in \ windows.h \ ws2tcpip.h \ - Iphlpapi.h + iphlpapi.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" " @@ -34219,7 +34229,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 3.4.6, which was +This file was extended by Squid Web Proxy $as_me 3.4.7, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -34285,7 +34295,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Squid Web Proxy config.status 3.4.6 +Squid Web Proxy config.status 3.4.7 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -u -r -N squid-3.4.6/configure.ac squid-3.4.7/configure.ac --- squid-3.4.6/configure.ac 2014-06-25 07:43:23.000000000 -0700 +++ squid-3.4.7/configure.ac 2014-08-27 07:24:14.000000000 -0700 @@ -1,4 +1,4 @@ -AC_INIT([Squid Web Proxy],[3.4.6],[http://bugs.squid-cache.org/],[squid]) +AC_INIT([Squid Web Proxy],[3.4.7],[http://bugs.squid-cache.org/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) @@ -1169,7 +1169,7 @@ AC_MSG_WARN([EUI support probably will not work on host $host.]) ;; esac - #Iphlpapi.h check delayed after winsock2.h + # iphlpapi.h check delayed after winsock2.h AC_CHECK_HEADERS( \ windows.h \ sys/sockio.h \ @@ -2538,7 +2538,7 @@ AC_CHECK_HEADERS( \ windows.h \ ws2tcpip.h \ - Iphlpapi.h ,,,[ + iphlpapi.h ,,,[ #if HAVE_WINDOWS_H #include #endif diff -u -r -N squid-3.4.6/helpers/basic_auth/DB/basic_db_auth.8 squid-3.4.7/helpers/basic_auth/DB/basic_db_auth.8 --- squid-3.4.6/helpers/basic_auth/DB/basic_db_auth.8 2014-06-25 08:29:28.000000000 -0700 +++ squid-3.4.7/helpers/basic_auth/DB/basic_db_auth.8 2014-08-27 08:02:40.000000000 -0700 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28) +.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 1" -.TH BASIC_DB_AUTH 1 "2014-06-25" "perl v5.18.2" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 1 "2014-08-27" "perl v5.20.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.4.6/helpers/defines.h squid-3.4.7/helpers/defines.h --- squid-3.4.6/helpers/defines.h 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/helpers/defines.h 2014-08-27 07:22:40.000000000 -0700 @@ -46,4 +46,7 @@ /* send ERR result to Squid with a string parameter. */ #define SEND_BH(x) fprintf(stdout, "BH %s\n",x) +/* send TT result to Squid with a string parameter. */ +#define SEND_TT(x) fprintf(stdout, "TT %s\n",x) + #endif /* __SQUID_HELPERS_DEFINES_H */ diff -u -r -N squid-3.4.6/helpers/external_acl/kerberos_ldap_group/support_krb5.cc squid-3.4.7/helpers/external_acl/kerberos_ldap_group/support_krb5.cc --- squid-3.4.6/helpers/external_acl/kerberos_ldap_group/support_krb5.cc 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/helpers/external_acl/kerberos_ldap_group/support_krb5.cc 2014-08-27 07:22:40.000000000 -0700 @@ -260,7 +260,6 @@ } - safe_free(principal_name); if (creds) krb5_free_creds(kparam.context, creds); creds = NULL; diff -u -r -N squid-3.4.6/helpers/external_acl/LM_group/ext_lm_group_acl.cc squid-3.4.7/helpers/external_acl/LM_group/ext_lm_group_acl.cc --- squid-3.4.6/helpers/external_acl/LM_group/ext_lm_group_acl.cc 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/helpers/external_acl/LM_group/ext_lm_group_acl.cc 2014-08-27 07:22:40.000000000 -0700 @@ -97,7 +97,7 @@ int use_global = 0; int use_PDC_only = 0; -char *program_name; +const char *program_name; pid_t mypid; char *machinedomain; int use_case_insensitive_compare = 0; 
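Review bot: `SEND_TT(x)` interpolates `x` straight into a line-oriented reply with no quoting, so a token containing whitespace or a newline would split or terminate the reply early; today's callers in the SSPI helpers pass base64 text, but the macro does not say so. Add the constraint next to it, e.g. `/* x must be a single token (base64 challenge); the helper protocol is line-oriented, so no spaces or newlines. */`, matching the comment style of the sibling SEND_* macros.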
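Review bot: Dropping `safe_free(principal_name)` from this cleanup path leaves the buffer's ownership undocumented; unless the caller now frees it or the string is handed back to it, every group lookup in this long-running helper leaks one allocation, and the ChangeLog entry about principal subdomains hints the free was removed because the pointer was still in use. If the pointer is meant to escape to the caller, say so at the allocation site, e.g. `/* principal_name is owned by the caller and freed there; do not free here */`, and confirm that free exists. The enclosing function starts and ends outside the hunk.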
@@ -541,12 +541,15 @@ } debug("External ACL win32 group helper build " __DATE__ ", " __TIME__ " starting up...\n"); - if (use_global) + if (use_global) { debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain); - if (use_case_insensitive_compare) + } + if (use_case_insensitive_compare) { debug("Warning: running in case insensitive mode !!!\n"); - if (use_PDC_only) + } + if (use_PDC_only) { debug("Warning: using only PDCs for group validation !!!\n"); + } /* Main Loop */ while (fgets(buf, HELPER_INPUT_BUFFER, stdin)) { diff -u -r -N squid-3.4.6/helpers/external_acl/LM_group/Makefile.am squid-3.4.7/helpers/external_acl/LM_group/Makefile.am --- squid-3.4.6/helpers/external_acl/LM_group/Makefile.am 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/helpers/external_acl/LM_group/Makefile.am 2014-08-27 07:22:40.000000000 -0700 @@ -4,6 +4,7 @@ ext_lm_group_acl_SOURCES = ext_lm_group_acl.cc LDADD = \ + $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ -lnetapi32 \ -ladvapi32 \ diff -u -r -N squid-3.4.6/helpers/external_acl/LM_group/Makefile.in squid-3.4.7/helpers/external_acl/LM_group/Makefile.in --- squid-3.4.6/helpers/external_acl/LM_group/Makefile.in 2014-06-25 07:42:42.000000000 -0700 +++ squid-3.4.7/helpers/external_acl/LM_group/Makefile.in 2014-08-27 07:23:35.000000000 -0700 @@ -158,7 +158,8 @@ am__DEPENDENCIES_2 = $(top_builddir)/compat/libcompat-squid.la \ $(am__DEPENDENCIES_1) am__DEPENDENCIES_3 = -ext_lm_group_acl_DEPENDENCIES = $(am__DEPENDENCIES_2) \ +ext_lm_group_acl_DEPENDENCIES = \ + $(top_builddir)/lib/libmiscencoding.la $(am__DEPENDENCIES_2) \ $(am__DEPENDENCIES_3) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) 
@@ -661,6 +662,7 @@ subst_perlshell = sed -e 's,[@]PERL[@],$(PERL),g' <$(srcdir)/$@.pl.in >$@ || ($(RM) -f $@ ; exit 1) ext_lm_group_acl_SOURCES = ext_lm_group_acl.cc LDADD = \ + $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ -lnetapi32 \ -ladvapi32 \ diff -u -r -N squid-3.4.6/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-3.4.7/helpers/external_acl/SQL_session/ext_sql_session_acl.8 --- squid-3.4.6/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2014-06-25 08:29:53.000000000 -0700 +++ squid-3.4.7/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2014-08-27 08:02:58.000000000 -0700 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28) +.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) .\" .\" Standard preamble: .\" ======================================================================== @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_SQL_SESSION_ACL 1" -.TH EXT_SQL_SESSION_ACL 1 "2014-06-25" "perl v5.18.2" "User Contributed Perl Documentation" +.TH EXT_SQL_SESSION_ACL 1 "2014-08-27" "perl v5.20.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.4.6/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.4.7/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-3.4.6/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2014-06-25 08:29:56.000000000 -0700 +++ squid-3.4.7/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2014-08-27 08:03:01.000000000 -0700 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28) +.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) .\" .\" Standard preamble: .\" ======================================================================== 
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1" -.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2014-06-25" "perl v5.18.2" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2014-08-27" "perl v5.20.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.4.6/helpers/log_daemon/DB/log_db_daemon.8 squid-3.4.7/helpers/log_daemon/DB/log_db_daemon.8 --- squid-3.4.6/helpers/log_daemon/DB/log_db_daemon.8 2014-06-25 08:29:58.000000000 -0700 +++ squid-3.4.7/helpers/log_daemon/DB/log_db_daemon.8 2014-08-27 08:03:02.000000000 -0700 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28) +.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) .\" .\" Standard preamble: .\" ======================================================================== @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "LOG_DB_DAEMON 1" -.TH LOG_DB_DAEMON 1 "2014-06-25" "perl v5.18.2" "User Contributed Perl Documentation" +.TH LOG_DB_DAEMON 1 "2014-08-27" "perl v5.20.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.4.6/helpers/negotiate_auth/SSPI/Makefile.am squid-3.4.7/helpers/negotiate_auth/SSPI/Makefile.am --- squid-3.4.6/helpers/negotiate_auth/SSPI/Makefile.am 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/helpers/negotiate_auth/SSPI/Makefile.am 2014-08-27 07:22:40.000000000 -0700 
@@ -6,6 +6,7 @@ LDADD = \ -L$(top_builddir)/lib -lsspwin32 \ + $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ -ladvapi32 \ $(XTRA_LIBS) diff -u -r -N squid-3.4.6/helpers/negotiate_auth/SSPI/Makefile.in squid-3.4.7/helpers/negotiate_auth/SSPI/Makefile.in --- squid-3.4.6/helpers/negotiate_auth/SSPI/Makefile.in 2014-06-25 07:42:47.000000000 -0700 +++ squid-3.4.7/helpers/negotiate_auth/SSPI/Makefile.in 2014-08-27 07:23:40.000000000 -0700 @@ -158,7 +158,8 @@ am__DEPENDENCIES_2 = $(top_builddir)/compat/libcompat-squid.la \ $(am__DEPENDENCIES_1) am__DEPENDENCIES_3 = -negotiate_sspi_auth_DEPENDENCIES = $(am__DEPENDENCIES_2) \ +negotiate_sspi_auth_DEPENDENCIES = \ + $(top_builddir)/lib/libmiscencoding.la $(am__DEPENDENCIES_2) \ $(am__DEPENDENCIES_3) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -659,6 +660,7 @@ negotiate_sspi_auth_SOURCES = negotiate_sspi_auth.cc LDADD = \ -L$(top_builddir)/lib -lsspwin32 \ + $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ -ladvapi32 \ $(XTRA_LIBS) diff -u -r -N squid-3.4.6/helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc squid-3.4.7/helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc --- squid-3.4.6/helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc 2014-08-27 07:22:40.000000000 -0700 @@ -37,8 +37,10 @@ * */ #include "squid.h" +#include "base64.h" #include "helpers/defines.h" -#include "libntlmauth/support_bits.cci" +#include "ntlmauth/ntlmauth.h" +#include "ntlmauth/support_bits.cci" #include "sspwin32.h" #include "util.h" @@ -135,7 +137,7 @@ if (fgets(buf, HELPER_INPUT_BUFFER, stdin)) return 0; - c = memchr(buf, '\n', HELPER_INPUT_BUFFER); /* safer against overrun than strchr */ + c = static_cast(memchr(buf, '\n', HELPER_INPUT_BUFFER)); if (c) { if (oversized) { SEND("BH illegal request received"); 
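Review bot: The read guard two lines above the changed memchr() reads `if (fgets(buf, HELPER_INPUT_BUFFER, stdin)) return 0;`, which leaves the request loop exactly when a line was read and only continues on EOF or error, the opposite of the `== NULL` test ntlm_sspi_auth.cc's manage_request() uses; unless code outside the hunk compensates, the helper quits before handling its first request, and on EOF it goes on to parse a buffer fgets() never filled. It should be `if (fgets(buf, HELPER_INPUT_BUFFER, stdin) == NULL) return 0;`. The enclosing function starts and ends outside the hunk.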
@@ -153,13 +155,13 @@ decodedLen = base64_decode(decoded, sizeof(decoded), buf+3); strncpy(helper_command, buf, 2); debug("Got '%s' from Squid with data:\n", helper_command); - hex_dump(decoded, decodedLen); + hex_dump(reinterpret_cast(decoded), decodedLen); } else debug("Got '%s' from Squid\n", buf); if (memcmp(buf, "YR ", 3) == 0) { /* refresh-request */ /* figure out what we got */ - decoded = base64_decode(buf + 3); + decodedLen = base64_decode(decoded, sizeof(decoded), buf + 3); if ((size_t)decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */ SEND("NA * Packet format error, couldn't base64-decode"); return 1; @@ -176,7 +178,7 @@ decodedLen = base64_decode(decoded, sizeof(decoded), c); debug("sending 'AF' %s to squid with data:\n", cred); if (c != NULL) - hex_dump(decoded, decodedLen); + hex_dump(reinterpret_cast(decoded), decodedLen); else fprintf(stderr, "No data available.\n"); printf("AF %s %s\n", c, cred); @@ -186,7 +188,7 @@ if (Negotiate_packet_debug_enabled) { decodedLen = base64_decode(decoded, sizeof(decoded), c); debug("sending 'TT' to squid with data:\n"); - hex_dump(decoded, decodedLen); + hex_dump(reinterpret_cast(decoded), decodedLen); printf("TT %s\n", c); } else { SEND2("TT %s", c); @@ -236,7 +238,7 @@ decodedLen = base64_decode(decoded, sizeof(decoded), c); debug("sending 'AF' %s to squid with data:\n", cred); if (c != NULL) - hex_dump(decoded, decodedLen); + hex_dump(reinterpret_cast(decoded), decodedLen); else fprintf(stderr, "No data available.\n"); printf("AF %s %s\n", c, cred); 
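Review bot: In the AF branch the token `c` is still passed to `base64_decode(decoded, sizeof(decoded), c)` before the `c != NULL` test and then to `printf("AF %s %s\n", c, cred)` regardless of that test, so the NULL case the else branch reports is dereferenced on both sides of it; the cast added around hex_dump() does not change this. Move the decode under the `if (c != NULL)` and fail instead of printing AF when there is no token, e.g. `if (c == NULL) { SEND_BH("message=\"no token to return\""); return 1; }` before the debug block. The same pattern is repeated in the @@ -236 hunk below. The enclosing function starts and ends outside the hunk.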
@@ -248,7 +250,7 @@ if (Negotiate_packet_debug_enabled) { decodedLen = base64_decode(decoded, sizeof(decoded), c); debug("sending 'TT' to squid with data:\n"); - hex_dump(decoded, decodedLen); + hex_dump(reinterpret_cast(decoded), decodedLen); printf("TT %s\n", c); } else SEND2("TT %s", c); diff -u -r -N squid-3.4.6/helpers/negotiate_auth/wrapper/required.m4 squid-3.4.7/helpers/negotiate_auth/wrapper/required.m4 --- squid-3.4.6/helpers/negotiate_auth/wrapper/required.m4 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/helpers/negotiate_auth/wrapper/required.m4 2014-08-27 07:22:40.000000000 -0700 @@ -1 +1 @@ -BUILD_HELPER="wrapper" +AC_CHECK_FUNCS(vfork,[BUILD_HELPER="wrapper"]) diff -u -r -N squid-3.4.6/helpers/ntlm_auth/SSPI/Makefile.am squid-3.4.7/helpers/ntlm_auth/SSPI/Makefile.am --- squid-3.4.6/helpers/ntlm_auth/SSPI/Makefile.am 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/helpers/ntlm_auth/SSPI/Makefile.am 2014-08-27 07:22:40.000000000 -0700 @@ -9,6 +9,7 @@ LDADD = \ $(top_builddir)/lib/ntlmauth/libntlmauth.la \ -L$(top_builddir)/lib -lsspwin32 \ + $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ -lnetapi32 \ -ladvapi32 \ diff -u -r -N squid-3.4.6/helpers/ntlm_auth/SSPI/Makefile.in squid-3.4.7/helpers/ntlm_auth/SSPI/Makefile.in --- squid-3.4.6/helpers/ntlm_auth/SSPI/Makefile.in 2014-06-25 07:42:48.000000000 -0700 +++ squid-3.4.7/helpers/ntlm_auth/SSPI/Makefile.in 2014-08-27 07:23:42.000000000 -0700 @@ -160,7 +160,8 @@ am__DEPENDENCIES_3 = ntlm_sspi_auth_DEPENDENCIES = \ $(top_builddir)/lib/ntlmauth/libntlmauth.la \ - $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_3) + $(top_builddir)/lib/libmiscencoding.la $(am__DEPENDENCIES_2) \ + $(am__DEPENDENCIES_3) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent 
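Review bot: With `AC_CHECK_FUNCS(vfork,[BUILD_HELPER="wrapper"])` a platform without vfork() silently drops a helper the administrator explicitly selected, and nothing in the configure output explains the missing binary. Add an action-if-not-found: `AC_CHECK_FUNCS(vfork,[BUILD_HELPER="wrapper"],[AC_MSG_WARN([negotiate_wrapper requires vfork(); helper will not be built])])`. Longer term the helper should not depend on vfork() at all, since its semantics between the child and the parent are implementation-defined.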
@@ -665,6 +666,7 @@ LDADD = \ $(top_builddir)/lib/ntlmauth/libntlmauth.la \ -L$(top_builddir)/lib -lsspwin32 \ + $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ -lnetapi32 \ -ladvapi32 \ diff -u -r -N squid-3.4.6/helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc squid-3.4.7/helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc --- squid-3.4.6/helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc 2014-08-27 07:22:40.000000000 -0700 @@ -61,12 +61,13 @@ /************* END CONFIGURATION ***************/ -typedef unsigned char uchar; +//typedef unsigned char uchar; #include "squid.h" +#include "base64.h" #include "helpers/defines.h" -#include "libntlmauth/ntlmauth.h" -#include "libntlmauth/support_bits.h" +#include "ntlmauth/ntlmauth.h" +#include "ntlmauth/support_bits.cci" #include "sspwin32.h" #include "util.h" @@ -82,8 +83,6 @@ #include #include -#define BUFFER_SIZE 10240 - int NTLM_packet_debug_enabled = 0; static int have_challenge; char * NTAllowedGroup; @@ -272,10 +271,10 @@ return DomainName; } -/* returns NULL on failure, or a pointer to - * the user's credentials (domain\\username) - * upon success. WARNING. It's pointing to static storage. - * In case of problem sets as side-effect ntlm_errno to one of the +/* + * Fills auth with the user's credentials. + * + * In case of problem returns one of the * codes defined in libntlmauth/ntlmauth.h */ int @@ -284,7 +283,6 @@ int x; int rv; char credentials[DNLEN+UNLEN+2]; /* we can afford to waste */ - lstring tmp; if (!NTLM_LocalCall) { @@ -341,7 +339,7 @@ #if FAIL_DEBUG fail_debug_enabled =1; #endif - SEND2("BH %s", reason); + SEND_BH(reason); } /* 
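Review bot: `//typedef unsigned char uchar;` keeps dead code in the file as a comment instead of deleting it, which later readers will take as a hint that the alias is still needed somewhere. Remove the line outright; if the typedef was dropped because ntlmauth/ntlmauth.h now supplies it, a one-line `// uchar comes from ntlmauth/ntlmauth.h` next to that include says so explicitly.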
@@ -411,11 +409,10 @@ manage_request() { ntlmhdr *fast_header; - char buf[BUFFER_SIZE]; - char decoded[BUFFER_SIZE]; + char buf[HELPER_INPUT_BUFFER]; + char decoded[HELPER_INPUT_BUFFER]; int decodedLen; char helper_command[3]; - char *c, *cred; int oversized = 0; char * ErrorMessage; static ntlm_negotiate local_nego; 
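Review bot: `char helper_command[3];` is left uninitialized while the code that fills it (`strncpy(helper_command, buf, 2)` in the next hunk) copies exactly two bytes and never writes a terminator, so the `%s` in the debug line reads an indeterminate third byte. Initialise it at declaration, `char helper_command[3] = "";`, or add `helper_command[2] = '\0';` after the copy. `char * ErrorMessage;` likewise has no initialiser although the SSPI error branch later indexes it by strlen() without checking FormatMessage's return; start it as `char *ErrorMessage = NULL;` and test it before use. manage_request() continues past the end of the hunk.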
@@ -424,38 +421,40 @@ /* NP: for some reason this helper sometimes needs to accept * from clients that send no negotiate packet. */ - if (memcpy(local_nego.signature, "NTLMSSP", 8) != 0) { + if (memcpy(local_nego.hdr.signature, "NTLMSSP", 8) != 0) { memset(&local_nego, 0, sizeof(ntlm_negotiate)); /* reset */ - memcpy(local_nego.signature, "NTLMSSP", 8); /* set the signature */ - local_nego.type = le32toh(NTLM_NEGOTIATE); /* this is a challenge */ + memcpy(local_nego.hdr.signature, "NTLMSSP", 8); /* set the signature */ + local_nego.hdr.type = le32toh(NTLM_NEGOTIATE); /* this is a challenge */ local_nego.flags = le32toh(NTLM_NEGOTIATE_ALWAYS_SIGN | NTLM_NEGOTIATE_USE_NTLM | NTLM_NEGOTIATE_USE_LM | NTLM_NEGOTIATE_ASCII ); } -try_again: - if (fgets(buf, BUFFER_SIZE, stdin) == NULL) - return 0; - - c = memchr(buf, '\n', BUFFER_SIZE); /* safer against overrun than strchr */ - if (c) { - if (oversized) { - helperfail("illegal request received"); - fprintf(stderr, "Illegal request received: '%s'\n", buf); - return 1; - } - *c = '\0'; - } else { - fprintf(stderr, "No newline in '%s'\n", buf); - oversized = 1; - goto try_again; - } + do { + if (fgets(buf, sizeof(buf), stdin) == NULL) + return 0; + + char *c = static_cast(memchr(buf, '\n', sizeof(buf))); + if (c) { + if (oversized) { + helperfail("messge=\"illegal request received\""); + fprintf(stderr, "Illegal request received: '%s'\n", buf); + return 1; + } + *c = '\0'; + } else { + fprintf(stderr, "No newline in '%s'\n", buf); + oversized = 1; + continue; + } + } while (false); + if ((strlen(buf) > 3) && NTLM_packet_debug_enabled) { decodedLen = base64_decode(decoded, sizeof(decoded), buf+3); strncpy(helper_command, buf, 2); debug("Got '%s' from Squid with data:\n", helper_command); - hex_dump(decoded, decodedLen); + hex_dump(reinterpret_cast(decoded), decodedLen); } else debug("Got '%s' from Squid\n", buf); if (memcmp(buf, "YR", 2) == 0) { /* refresh-request */ 
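Review bot: The `do { … } while (false)` that replaces `goto try_again` does not retry: `continue` in a do-while jumps to the loop condition, which is false, so on an over-long line the code prints "No newline", sets `oversized` and falls through to parse the truncated buffer, while the remainder of that line stays in stdin and is read as the next request. Use a loop that only exits once a newline-terminated line has been consumed, as below; the oversized rejection then fires as the old goto version did. Two smaller points in the same hunk: `if (memcpy(local_nego.hdr.signature, "NTLMSSP", 8) != 0)` tests memcpy's return, the destination pointer, so it is always true and `memcmp` was evidently meant; and the error text `messge=` is misspelled (`message=`).
```cpp
    for (;;) {
        if (fgets(buf, sizeof(buf), stdin) == NULL)
            return 0;

        char *c = static_cast<char *>(memchr(buf, '\n', sizeof(buf)));
        if (c) {
            if (oversized) {
                helperfail("message=\"illegal request received\"");
                fprintf(stderr, "Illegal request received: '%s'\n", buf);
                return 1;
            }
            *c = '\0';
            break; // a complete line is in buf
        }
        // no newline: the line overflowed buf; keep draining it and reject it once it ends
        fprintf(stderr, "No newline in '%s'\n", buf);
        oversized = 1;
    }
    // … unchanged: debug dump and request dispatch …
```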
@@ -464,11 +463,11 @@ decodedLen = base64_decode(decoded, sizeof(decoded), buf+3); else { debug("Negotiate packet not supplied - self generated\n"); - memcpy(decoded, local_lego, sizeof(local_nego)); - decodedLen = sizeof(localnego); + memcpy(decoded, &local_nego, sizeof(local_nego)); + decodedLen = sizeof(local_nego); } if ((size_t)decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */ - SEND("NA Packet format error, couldn't base64-decode"); + SEND_ERR("message=\"Packet format error, couldn't base64-decode\""); return 1; } /* fast-track-decode request type. */ 
@@ -476,54 +475,55 @@ /* sanity-check: it IS a NTLMSSP packet, isn't it? */ if (ntlm_validate_packet(fast_header, NTLM_ANY) != NTLM_ERR_NONE) { - SEND("NA Broken authentication packet"); + SEND_ERR("message=\"Broken authentication packet\""); return 1; } switch (fast_header->type) { - case NTLM_NEGOTIATE: + case NTLM_NEGOTIATE: { /* Obtain challenge against SSPI */ debug("attempting SSPI challenge retrieval\n"); - if ((c = (char *) SSP_MakeChallenge((ntlm_negotiate *) decoded, decodedLen)) != NULL ) { + char *c = (char *) SSP_MakeChallenge((ntlm_negotiate *) decoded, decodedLen); + if (c) { + SEND_TT(c); if (NTLM_packet_debug_enabled) { - printf("TT %s\n",c); decodedLen = base64_decode(decoded, sizeof(decoded), c); - debug("sending 'TT' to squid with data:\n"); - hex_dump(decoded, decodedLen); - if (NTLM_LocalCall) + debug("send 'TT' to squid with data:\n"); + hex_dump(reinterpret_cast(decoded), decodedLen); + if (NTLM_LocalCall) { debug("NTLM Local Call detected\n"); - } else { - SEND2("TT %s", c); + } } have_challenge = 1; } else - helperfail("can't obtain challenge"); + helperfail("message=\"can't obtain challenge\""); return 1; - /* notreached */ + } + /* notreached */ case NTLM_CHALLENGE: - SEND("NA Got a challenge. We refuse to have our authority disputed"); + SEND_ERR("message=\"Got a challenge. 
We refuse to have our authority disputed\""); return 1; /* notreached */ case NTLM_AUTHENTICATE: - SEND("NA Got authentication request instead of negotiate request"); + SEND_ERR("message=\"Got authentication request instead of negotiate request\""); return 1; /* notreached */ default: - helperfail("unknown refresh-request packet type"); + helperfail("message=\"unknown refresh-request packet type\""); return 1; } return 1; } if (memcmp(buf, "KK ", 3) == 0) { /* authenticate-request */ if (!have_challenge) { - helperfail("invalid challenge"); + helperfail("message=\"invalid challenge\""); return 1; } /* figure out what we got */ decodedLen = base64_decode(decoded, sizeof(decoded), buf+3); if ((size_t)decodedLen < sizeof(ntlmhdr)) { /* decoding failure, return error */ - SEND("NA Packet format error, couldn't base64-decode"); + SEND_ERR("message=\"Packet format error, couldn't base64-decode\""); return 1; } /* fast-track-decode request type. */ 
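Review bot: `char *c = (char *) SSP_MakeChallenge((ntlm_negotiate *) decoded, decodedLen);` casts away the `const` of the `const char *` that include/sspwin32.h declares for SSP_MakeChallenge, and nothing in the case writes through `c`; declare it `const char *c = SSP_MakeChallenge((ntlm_negotiate *) decoded, decodedLen);` so a later accidental write into the library's buffer is still caught by the compiler. The `(ntlm_negotiate *) decoded` cast assumes a full negotiate body although only `decodedLen >= sizeof(ntlmhdr)` has been checked here, so a comment stating where the body fields are validated (presumably inside SSP_MakeChallenge) would help a reader. manage_request() starts and ends outside the hunk.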
@@ -531,35 +531,34 @@ /* sanity-check: it IS a NTLMSSP packet, isn't it? */ if (ntlm_validate_packet(fast_header, NTLM_ANY) != NTLM_ERR_NONE) { - SEND("NA Broken authentication packet"); + SEND_ERR("message=\"Broken authentication packet\""); return 1; } switch (fast_header->type) { case NTLM_NEGOTIATE: - SEND("NA Invalid negotiation request received"); + SEND_ERR("message=\"Invalid negotiation request received\""); return 1; /* notreached */ case NTLM_CHALLENGE: - SEND - ("NA Got a challenge. We refuse to have our authority disputed"); + SEND_ERR("message=\"Got a challenge. We refuse to have our authority disputed\""); return 1; /* notreached */ - case NTLM_AUTHENTICATE: + case NTLM_AUTHENTICATE: { /* check against SSPI */ - err = ntlm_check_auth((ntlm_authenticate *) decoded, user, domain, decodedLen); + int err = ntlm_check_auth((ntlm_authenticate *) decoded, user, domain, decodedLen); have_challenge = 0; if (err != NTLM_ERR_NONE) { #if FAIL_DEBUG fail_debug_enabled =1; #endif - switch (ntlm_errno) { + switch (err) { case NTLM_ERR_NONE: break; case NTLM_BAD_NTGROUP: - SEND("NA Incorrect Group Membership"); + SEND_ERR("message=\"Incorrect Group Membership\""); return 1; case NTLM_BAD_REQUEST: - SEND("NA Incorrect Request Format"); + SEND_ERR("message=\"Incorrect Request Format\""); return 1; case NTLM_SSPI_ERROR: FormatMessage( 
@@ -576,28 +575,31 @@ ErrorMessage[strlen(ErrorMessage) - 1] = '\0'; if (ErrorMessage[strlen(ErrorMessage) - 1] == '\r') ErrorMessage[strlen(ErrorMessage) - 1] = '\0'; - SEND2("NA %s", ErrorMessage); + SEND_ERR(ErrorMessage); // TODO update to new syntax LocalFree(ErrorMessage); return 1; default: - SEND("NA Unknown Error"); + SEND_ERR("message=\"Unknown Error\""); return 1; } } /* let's lowercase them for our convenience */ - SEND3("AF %s\\%s", lc(domain), lc(user)); + lc(domain); + lc(user); + fprintf(stdout, "OK user=\"%s\\%s\"", domain, user); return 1; + } default: - helperfail("unknown authentication packet type"); + helperfail("message=\"unknown authentication packet type\""); return 1; } return 1; } else { /* not an auth-request */ - helperfail("illegal request received"); + helperfail("message=\"illegal request received\""); fprintf(stderr, "Illegal request received: '%s'\n", buf); return 1; } - helperfail("detected protocol error"); + helperfail("message=\"detected protocol error\""); return 1; /********* END ********/ } diff -u -r -N squid-3.4.6/helpers/storeid_rewrite/file/storeid_file_rewrite.8 squid-3.4.7/helpers/storeid_rewrite/file/storeid_file_rewrite.8 --- squid-3.4.6/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2014-06-25 08:30:10.000000000 -0700 +++ squid-3.4.7/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2014-08-27 08:03:13.000000000 -0700 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28) +.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) .\" .\" Standard preamble: .\" ======================================================================== 
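Review bot: The success reply `fprintf(stdout, "OK user=\"%s\\%s\"", domain, user);` has no trailing newline, unlike every SEND_* macro in helpers/defines.h, which ends its line with `\n`; in a line-oriented helper protocol the OK is not delivered until the next reply is written, so an authenticated user hangs or receives a verdict meant for a later request. Write `fprintf(stdout, "OK user=\"%s\\%s\"\n", domain, user);` (or add a SEND_OK macro beside SEND_TT for consistency). `SEND_ERR(ErrorMessage)` sends the raw FormatMessage text, which contains spaces, as a bare ERR argument; the TODO acknowledges it, but it should become `message="..."` with embedded quotes escaped, and the strlen()-based trimming above it should run only after checking that FormatMessage returned non-zero. The `switch (err)` change correctly replaces the stale `ntlm_errno`.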
@@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "STOREID_FILE_REWRITE 1" -.TH STOREID_FILE_REWRITE 1 "2014-06-25" "perl v5.18.2" "User Contributed Perl Documentation" +.TH STOREID_FILE_REWRITE 1 "2014-08-27" "perl v5.20.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.4.6/include/autoconf.h.in squid-3.4.7/include/autoconf.h.in --- squid-3.4.6/include/autoconf.h.in 2014-06-25 07:42:09.000000000 -0700 +++ squid-3.4.7/include/autoconf.h.in 2014-08-27 07:23:04.000000000 -0700 @@ -375,7 +375,7 @@ /* The system provides struct iovec */ #undef HAVE_IOVEC -/* Define to 1 if you have the header file. */ +/* Define to 1 if you have the header file. */ #undef HAVE_IPHLPAPI_H /* Define to 1 if you have the header file. */ @@ -1114,6 +1114,9 @@ /* The system implements a functional va_copy() */ #undef HAVE_VA_COPY +/* Define to 1 if you have the `vfork' function. */ +#undef HAVE_VFORK + /* Define to 1 if you have the `vsnprintf' function. */ #undef HAVE_VSNPRINTF diff -u -r -N squid-3.4.6/include/sspwin32.h squid-3.4.7/include/sspwin32.h --- squid-3.4.6/include/sspwin32.h 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/include/sspwin32.h 2014-08-27 07:22:40.000000000 -0700 
@@ -70,7 +70,7 @@ HMODULE LoadSecurityDll(int, const char *); void UnloadSecurityDll(void); - BOOL WINAPI SSP_LogonUser(unsigned char *, unsigned char *, unsigned char *); + BOOL WINAPI SSP_LogonUser(PTSTR, PTSTR, PTSTR); BOOL WINAPI SSP_ValidateNTLMCredentials(PVOID, int, char *); const char * WINAPI SSP_ValidateNegotiateCredentials(PVOID, int, PBOOL, int *, char *); const char * WINAPI SSP_MakeChallenge(PVOID, int); diff -u -r -N squid-3.4.6/include/version.h squid-3.4.7/include/version.h --- squid-3.4.6/include/version.h 2014-06-25 07:43:23.000000000 -0700 +++ squid-3.4.7/include/version.h 2014-08-27 07:24:14.000000000 -0700 @@ -7,7 +7,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1403707292 +#define SQUID_RELEASE_TIME 1409149346 #endif #ifndef APP_SHORTNAME diff -u -r -N squid-3.4.6/RELEASENOTES.html squid-3.4.7/RELEASENOTES.html --- squid-3.4.6/RELEASENOTES.html 2014-06-25 08:31:11.000000000 -0700 +++ squid-3.4.7/RELEASENOTES.html 2014-08-27 08:04:03.000000000 -0700 @@ -2,10 +2,10 @@ - Squid 3.4.5 release notes + Squid 3.4.7 release notes -
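Review bot: `PTSTR` changes width with `UNICODE`/`_UNICODE`, so `SSP_LogonUser` now takes `char *` or `wchar_t *` depending on the including translation unit's defines, while the neighbouring `SSP_ValidateNTLMCredentials` declaration in the same hunk keeps a plain `char *`. If the implementation only handles narrow strings, `PSTR` pins that and avoids a build where narrow buffers are cast through a wide-typed parameter. A one-line comment stating the expected encoding, e.g. `// user, domain, password: narrow NUL-terminated strings`, would make the contract explicit.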

Squid 3.4.5 release notes

+

Squid 3.4.7 release notes

Squid Developers


@@ -57,7 +57,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.4.5 for testing.

+

The Squid Team are pleased to announce the release of Squid-3.4.7 for testing.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.4/ or the mirrors.

diff -u -r -N squid-3.4.6/src/anyp/PortCfg.h squid-3.4.7/src/anyp/PortCfg.h --- squid-3.4.6/src/anyp/PortCfg.h 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/src/anyp/PortCfg.h 2014-08-27 07:22:40.000000000 -0700 @@ -92,8 +92,10 @@ } // namespace AnyP +#if !defined(MAXTCPLISTENPORTS) // Max number of TCP listening ports #define MAXTCPLISTENPORTS 128 +#endif // TODO: kill this global array. Need to check performance of array vs list though. extern int NHttpSockets; diff -u -r -N squid-3.4.6/src/cache_cf.cc squid-3.4.7/src/cache_cf.cc --- squid-3.4.6/src/cache_cf.cc 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/src/cache_cf.cc 2014-08-27 07:22:40.000000000 -0700 @@ -893,16 +893,18 @@ Config2.effectiveGroupID = pwd->pw_gid; #if HAVE_PUTENV - if (pwd->pw_dir && *pwd->pw_dir) { - int len; - char *env_str = (char *)xcalloc((len = strlen(pwd->pw_dir) + 6), 1); - snprintf(env_str, len, "HOME=%s", pwd->pw_dir); - putenv(env_str); + // putenv() leaks by design; avoid leaks when nothing changes + static String lastDir; + if (!lastDir.size() || lastDir != pwd->pw_dir) { + lastDir = pwd->pw_dir; + int len = strlen(pwd->pw_dir) + 6; + char *env_str = (char *)xcalloc(len, 1); + snprintf(env_str, len, "HOME=%s", pwd->pw_dir); + putenv(env_str); + } } - #endif - } } else { Config2.effectiveUserID = geteuid(); diff -u -r -N squid-3.4.6/src/cf.data.pre squid-3.4.7/src/cf.data.pre --- squid-3.4.6/src/cf.data.pre 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/src/cf.data.pre 2014-08-27 07:22:40.000000000 -0700 
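Review bot: The `pwd->pw_dir && *pwd->pw_dir` guard removed by the cache_cf.cc hunk is not replaced, so `strlen(pwd->pw_dir)` now runs on whatever getpwnam() returned: a NULL `pw_dir` crashes, and an empty one leaves `lastDir` at size 0 so the `!lastDir.size()` test re-runs putenv() on every reconfigure, reintroducing the leak this change is meant to stop. Keeping the old precondition inside the new condition fixes both: `if (pwd->pw_dir && *pwd->pw_dir && (!lastDir.size() || lastDir != pwd->pw_dir)) {`. The enclosing block starts before this hunk.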
@@ -715,7 +715,7 @@ %USER_CERT SSL User certificate in PEM format %USER_CERTCHAIN SSL User certificate chain in PEM format %USER_CERT_xx SSL User certificate subject attribute xx - %USER_CA_xx SSL User certificate issuer attribute xx + %USER_CA_CERT_xx SSL User certificate issuer attribute xx %>{Header} HTTP request header "Header" %>{Hdr:member} diff -u -r -N squid-3.4.6/src/eui/Eui48.cc squid-3.4.7/src/eui/Eui48.cc --- squid-3.4.6/src/eui/Eui48.cc 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/src/eui/Eui48.cc 2014-08-27 07:22:40.000000000 -0700 @@ -59,8 +59,9 @@ struct sockaddr arp_ha; /* hardware address */ int arp_flags; /* flags */ }; - -#include +#if HAVE_IPHLPAPI_H +#include +#endif #endif #if HAVE_SYS_PARAM_H diff -u -r -N squid-3.4.6/src/external_acl.cc squid-3.4.7/src/external_acl.cc --- squid-3.4.6/src/external_acl.cc 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/src/external_acl.cc 2014-08-27 07:22:40.000000000 -0700 @@ -473,13 +473,13 @@ else if (strncmp(token, "%USER_CERT_", 11) == 0) { format->type = _external_acl_format::EXT_ACL_USER_CERT; format->header = xstrdup(token + 11); - } else if (strncmp(token, "%USER_CA_CERT_", 11) == 0) { + } else if (strncmp(token, "%USER_CA_CERT_", 14) == 0) { format->type = _external_acl_format::EXT_ACL_USER_CA_CERT; - format->header = xstrdup(token + 11); - } else if (strncmp(token, "%CA_CERT_", 11) == 0) { + format->header = xstrdup(token + 14); + } else if (strncmp(token, "%CA_CERT_", 9) == 0) { debugs(82, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: external_acl_type %CA_CERT_* code is obsolete. Use %USER_CA_CERT_* instead"); format->type = _external_acl_format::EXT_ACL_USER_CA_CERT; - format->header = xstrdup(token + 11); + format->header = xstrdup(token + 9); } #endif #if USE_AUTH diff -u -r -N squid-3.4.6/src/HttpHdrRange.cc squid-3.4.7/src/HttpHdrRange.cc --- squid-3.4.6/src/HttpHdrRange.cc 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/src/HttpHdrRange.cc 2014-08-27 07:22:40.000000000 -0700 
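Review bot: In the external_acl.cc hunk the corrected lengths 14 and 9 are still typed twice each, once in `strncmp` and once in the `xstrdup(token + N)` offset, which is exactly how the prefix lengths drifted out of sync before this fix. Deriving the length from the literal keeps the two in step, e.g. `static const char prefix[] = "%USER_CA_CERT_";` with `strncmp(token, prefix, sizeof(prefix) - 1) == 0` and `xstrdup(token + sizeof(prefix) - 1)`; the same pattern suits the `%USER_CERT_` branch above. The enclosing parser function starts before this hunk.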
@@ -92,7 +92,7 @@ /* is it a suffix-byte-range-spec ? */ if (*field == '-') { - if (!httpHeaderParseOffset(field + 1, &length)) + if (!httpHeaderParseOffset(field + 1, &length) || !known_spec(length)) return false; } else /* must have a '-' somewhere in _this_ field */ @@ -100,7 +100,7 @@ debugs(64, 2, "invalid (missing '-') range-spec near: '" << field << "'"); return false; } else { - if (!httpHeaderParseOffset(field, &offset)) + if (!httpHeaderParseOffset(field, &offset) || !known_spec(offset)) return false; ++p; @@ -109,7 +109,7 @@ if (p - field < flen) { int64_t last_pos; - if (!httpHeaderParseOffset(p, &last_pos)) + if (!httpHeaderParseOffset(p, &last_pos) || !known_spec(last_pos)) return false; // RFC 2616 s14.35.1 MUST: last-byte-pos >= first-byte-pos diff -u -r -N squid-3.4.6/src/ident/Ident.cc squid-3.4.7/src/ident/Ident.cc --- squid-3.4.6/src/ident/Ident.cc 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/src/ident/Ident.cc 2014-08-27 07:22:40.000000000 -0700 @@ -123,9 +123,9 @@ IdentStateData *state = (IdentStateData *)data; if (status != COMM_OK) { - if (status == COMM_TIMEOUT) { + if (status == COMM_TIMEOUT) debugs(30, 3, "IDENT connection timeout to " << state->conn->remote); - } + Ident::identCallback(state, NULL); return; } diff -u -r -N squid-3.4.6/src/ssl/gadgets.cc squid-3.4.7/src/ssl/gadgets.cc --- squid-3.4.6/src/ssl/gadgets.cc 2014-06-25 07:41:39.000000000 -0700 +++ squid-3.4.7/src/ssl/gadgets.cc 2014-08-27 07:22:40.000000000 -0700 @@ -249,11 +249,12 @@ return certKey; } -// Copy certificate extensions from cert to mimicCert. +/// Copy certificate extensions from cert to mimicCert. +/// Returns the number of extensions copied. // Currently only extensions which are reported by the users that required are // mimicked. More safe to mimic extensions would be added here if users request // them. -static void +static int mimicExtensions(Ssl::X509_Pointer & cert, Ssl::X509_Pointer const & mimicCert) { static int extensions[]= { 
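Review bot: The three `!known_spec(...)` checks in the HttpHdrRange.cc hunk are added without a comment saying what they reject, so a reader has to look up `known_spec()` to learn that `httpHeaderParseOffset()` can succeed with a value the range code treats as "unspecified"; a one-line comment before the first check, `// a parsed value equal to the "unknown offset" sentinel is treated as unparseable`, would state that (assuming that is what `known_spec()` tests — confirm). Since the parse-then-validate pair now appears three times, a small helper such as `static bool parseKnownOffset(const char *p, int64_t *v) { return httpHeaderParseOffset(p, v) && known_spec(*v); }` would keep the rule in one place. The enclosing parse function starts before this hunk and continues after it.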
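Review bot: In the Ident.cc hunk a non-timeout connect failure now reaches `Ident::identCallback(state, NULL)` silently: the only diagnostic is inside the `COMM_TIMEOUT` branch, so a refused or unreachable identd leaves no trace even at debug level. An `else debugs(30, 3, "IDENT connection failed to " << state->conn->remote << " status=" << status);` alongside the timeout message would make that path observable. The callback's signature lies before this hunk.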
@@ -263,15 +264,50 @@ 0 }; + // key usage bit names + enum { + DigitalSignature, + NonRepudiation, + KeyEncipherment, // NSS requires for RSA but not EC + DataEncipherment, + KeyAgreement, + KeyCertificateSign, + CRLSign, + EncipherOnly, + DecipherOnly + }; + + int mimicAlgo = OBJ_obj2nid(mimicCert.get()->cert_info->key->algor->algorithm); + + int added = 0; int nid; for (int i = 0; (nid = extensions[i]) != 0; ++i) { const int pos = X509_get_ext_by_NID(mimicCert.get(), nid, -1); - if (X509_EXTENSION *ext = X509_get_ext(mimicCert.get(), pos)) - X509_add_ext(cert.get(), ext, -1); + if (X509_EXTENSION *ext = X509_get_ext(mimicCert.get(), pos)) { + // Mimic extension exactly. + if (X509_add_ext(cert.get(), ext, -1)) + ++added; + if ( nid == NID_key_usage && mimicAlgo != NID_rsaEncryption ) { + // NSS does not requre the KeyEncipherment flag on EC keys + // but it does require it for RSA keys. Since ssl-bump + // substitutes RSA keys for EC ones, we need to ensure that + // that the more stringent requirements are met. + + const int p = X509_get_ext_by_NID(cert.get(), NID_key_usage, -1); + if ((ext = X509_get_ext(cert.get(), p)) != NULL) { + ASN1_BIT_STRING *keyusage = (ASN1_BIT_STRING *)X509V3_EXT_d2i(ext); + ASN1_BIT_STRING_set_bit(keyusage, KeyEncipherment, 1); + X509_EXTENSION_set_data( ext, (ASN1_OCTET_STRING*)keyusage ); + ASN1_BIT_STRING_free(keyusage); + } + } + } } // We could also restrict mimicking of the CA extension to CA:FALSE // because Squid does not generate valid fake CA certificates. + + return added; } static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificateProperties const &properties) 
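Review bot: `X509V3_EXT_d2i(ext)` returns NULL when the keyUsage extension copied from the origin server's certificate does not decode, and the new code passes that straight to `ASN1_BIT_STRING_set_bit`, so a malformed extension in an untrusted server certificate becomes a NULL dereference in the worker while it builds the fake certificate. The write-back also looks wrong: `X509_EXTENSION_set_data` expects the DER-encoded extension value, but the cast hands it the decoded `ASN1_BIT_STRING`, whose data holds the raw bit bytes without the BIT STRING tag, length and unused-bits octet, so the fake certificate would carry an undecodable keyUsage; re-encoding with `ASN1_item_i2d` before storing fixes that. Both apply to the block under `if ( nid == NID_key_usage && mimicAlgo != NID_rsaEncryption )`; the rewritten lines follow.
```cpp
                if ( nid == NID_key_usage && mimicAlgo != NID_rsaEncryption ) {
                    // … unchanged: comment on the NSS RSA/EC KeyEncipherment requirement …
                    const int p = X509_get_ext_by_NID(cert.get(), NID_key_usage, -1);
                    if ((ext = X509_get_ext(cert.get(), p)) != NULL) {
                        // decoded value; NULL when the mimicked extension is malformed
                        ASN1_BIT_STRING *keyusage = (ASN1_BIT_STRING *)X509V3_EXT_d2i(ext);
                        if (keyusage != NULL) {
                            ASN1_BIT_STRING_set_bit(keyusage, KeyEncipherment, 1);
                            // the extension value must be the DER form of the bit string
                            unsigned char *der = NULL;
                            const int derLen = ASN1_item_i2d((ASN1_VALUE *)keyusage, &der, ASN1_ITEM_rptr(ASN1_BIT_STRING));
                            if (derLen > 0) {
                                ASN1_OCTET_STRING *value = ASN1_OCTET_STRING_new();
                                ASN1_OCTET_STRING_set(value, der, derLen);
                                X509_EXTENSION_set_data(ext, value); // copies the value
                                ASN1_OCTET_STRING_free(value);
                            }
                            OPENSSL_free(der);
                            ASN1_BIT_STRING_free(keyusage);
                        }
                    }
                }
```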
@@ -331,22 +367,24 @@ X509_alias_set1(cert.get(), alStr, alLen); } + int addedExtensions = 0; + // Mimic subjectAltName unless we used a configured CN: browsers reject // certificates with CN unrelated to subjectAltNames. if (!properties.setCommonName) { int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1); X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos); if (ext) { - X509_add_ext(cert.get(), ext, -1); - /* According the RFC 5280 using extensions requires version 3 - certificate. - Set version value to 2 for version 3 certificates. - */ - X509_set_version(cert.get(), 2); + if (X509_add_ext(cert.get(), ext, -1)) + ++addedExtensions; } } - mimicExtensions(cert, properties.mimicCert); + addedExtensions += mimicExtensions(cert, properties.mimicCert); + + // According to RFC 5280, using extensions requires v3 certificate. + if (addedExtensions) + X509_set_version(cert.get(), 2); // value 2 means v3 } return true;
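Review bot: A failed `X509_add_ext` for subjectAltName is now merely not counted, so a fake certificate silently ships without the extension the surrounding comment says browsers insist on; an `else debugs(83, 2, "failed to mimic subjectAltName extension");` on that branch would make the failure visible. `OBJ_sn2nid("subjectAltName")` is also a runtime table lookup for a constant the headers already provide as `NID_subject_alt_name`, which is what `mimicExtensions` uses for its own lookups. `buildCertificate` starts before this hunk.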