Index: branches/2020Q3/www/squid/Makefile =================================================================== --- branches/2020Q3/www/squid/Makefile (revision 543589) +++ branches/2020Q3/www/squid/Makefile (revision 543590) 
@@ -1,314 +1,313 @@ # $FreeBSD$ PORTNAME= squid -PORTVERSION= 4.11 -PORTREVISION= 2 +PORTVERSION= 4.12 CATEGORIES= www MASTER_SITES= http://www.squid-cache.org/Versions/v4/ \ http://www2.us.squid-cache.org/Versions/v4/ \ http://www1.at.squid-cache.org/Versions/v4/ \ http://www.eu.squid-cache.org/Versions/v4/ \ http://www1.jp.squid-cache.org/Versions/v4/ PATCH_SITES= http://www.squid-cache.org/%SUBDIR%/ \ http://www2.us.squid-cache.org/%SUBDIR%/ \ http://www1.at.squid-cache.org/%SUBDIR%/ \ http://www.eu.squid-cache.org/%SUBDIR%/ \ http://www1.jp.squid-cache.org/%SUBDIR%/ \ http://master.squid-cache.org/~amosjeffries/patches/:nosid PATCH_SITE_SUBDIR= Versions/v4/changesets MAINTAINER= timp87@gmail.com COMMENT= HTTP Caching Proxy LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYING USES= compiler:c++11-lib cpe perl5 shebangfix tar:xz CONFLICTS= squid3-* squid-devel-* CPE_VENDOR= squid-cache SHEBANG_FILES= scripts/*.pl contrib/*.pl tools/*.pl GNU_CONFIGURE= yes USE_RC_SUBR= squid USERS= squid GROUPS= squid MYDOCS= QUICKSTART README RELEASENOTES.html doc/debug-sections.txt PORTDOCS= ${MYDOCS:T} PORTEXAMPLES= * SUB_FILES+= pkg-install pkg-message OPTIONS_SUB= yes OPTIONS_GROUP= AUTH OPTIONS_RADIO= FW OPTIONS_GROUP_AUTH=AUTH_LDAP AUTH_NIS AUTH_SASL AUTH_SMB AUTH_SQL OPTIONS_RADIO_FW=TP_IPF TP_IPFW TP_PF OPTIONS_DEFINE= ARP_ACL BDB CACHE_DIGESTS DEBUG DELAY_POOLS DOCS ECAP ESI EXAMPLES \ FOLLOW_XFF FS_AUFS FS_DISKD FS_ROCK HTCP ICAP ICMP IDENT IPV6 \ KQUEUE LARGEFILE LAX_HTTP NETTLE PCRE SNMP SSL SSL_CRTD \ STACKTRACES VIA_DB WCCP WCCPV2 OPTIONS_SINGLE= GSSAPI OPTIONS_SINGLE_GSSAPI= GSSAPI_NONE GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT OPTIONS_DEFAULT=ARP_ACL AUTH_NIS CACHE_DIGESTS DELAY_POOLS FOLLOW_XFF FS_AUFS \ FS_DISKD FS_ROCK GSSAPI_BASE HTCP ICAP ICMP IDENT KQUEUE \ LARGEFILE LAX_HTTP PCRE SNMP SSL SSL_CRTD TP_IPFW VIA_DB WCCP \ WCCPV2 ARP_ACL_CONFIGURE_ENABLE= eui AUTH_LDAP_CFLAGS= -I${LOCALBASE}/include AUTH_LDAP_LDFLAGS= -L${LOCALBASE}/lib AUTH_LDAP_USE= OPENLDAP=yes 
AUTH_LDAP_VARS= BASIC_AUTH+=LDAP DIGEST_AUTH+="eDirectory LDAP" EXTERNAL_ACL+="LDAP_group eDirectory_userip" AUTH_SASL_CFLAGS= -I${LOCALBASE}/include AUTH_SASL_CPPFLAGS= -I${LOCALBASE}/include AUTH_SASL_LDFLAGS= -L${LOCALBASE}/lib AUTH_SASL_LIB_DEPENDS= libsasl2.so:security/cyrus-sasl2 AUTH_SASL_VARS= BASIC_AUTH+=SASL AUTH_SMB_USES= samba:run AUTH_SMB_VARS= BASIC_AUTH+=SMB EXTERNAL_ACL+=wbinfo_group AUTH_SQL_RUN_DEPENDS= p5-DBI>=1.08:databases/p5-DBI AUTH_SQL_VARS= EXTERNAL_ACL+=SQL_session BDB_USES= bdb CACHE_DIGESTS_CONFIGURE_ENABLE= cache-digests DELAY_POOLS_CONFIGURE_ENABLE= delay-pools ECAP_CFLAGS= -I${LOCALBASE}/include ECAP_CONFIGURE_ENABLE= ecap ECAP_LDFLAGS= -L${LOCALBASE}/lib ECAP_LIB_DEPENDS= libecap.so:www/libecap ECAP_USES= pkgconfig:build ESI_CFLAGS= -I${LOCALBASE}/include -I${LOCALBASE}/include/libxml2 ESI_CONFIGURE_ENABLE= esi ESI_LDFLAGS= -L${LOCALBASE}/lib ESI_LIB_DEPENDS= libexpat.so:textproc/expat2 \ libxml2.so:textproc/libxml2 FOLLOW_XFF_CONFIGURE_ENABLE= follow-x-forwarded-for HTCP_CONFIGURE_ENABLE= htcp ICAP_CONFIGURE_ENABLE= icap-client ICMP_CONFIGURE_ENABLE= icmp IDENT_CONFIGURE_ENABLE= ident-lookups IPV6_CONFIGURE_ENABLE= ipv6 KQUEUE_CONFIGURE_ENABLE= kqueue LARGEFILE_CONFIGURE_WITH= large-files LAX_HTTP_CONFIGURE_ENABLE= http-violations FS_AUFS_VARS= STORAGE_SCHEMES+=aufs DISKIO_MODULES+=DiskThreads # Nil aufs threads is default, set any other value via SQUID_CONFIGURE_ARGS, # e.g. 
SQUID_CONFIGURE_ARGS=--with-aufs-threads=N FS_AUFS_LDFLAGS= -pthread FS_AUFS_CONFIGURE_OFF= --without-pthreads FS_DISKD_VARS= STORAGE_SCHEMES+=diskd DISKIO_MODULES+=DiskDaemon FS_ROCK_VARS= STORAGE_SCHEMES+=rock NETTLE_LIB_DEPENDS= libnettle.so:security/nettle NETTLE_CONFIGURE_OFF= --without-nettle PCRE_LIB_DEPENDS= libpcre.so:devel/pcre PCRE_CPPFLAGS= -I${LOCALBASE}/include PCRE_LDFLAGS= -L${LOCALBASE}/lib -lpcreposix -lpcre SNMP_CONFIGURE_ENABLE= snmp SSL_CONFIGURE_ENABLE= ssl SSL_CONFIGURE_ON= --with-openssl=${OPENSSLBASE} \ --enable-security-cert-generators="file" \ LIBOPENSSL_CFLAGS=-I${OPENSSLINC} \ LIBOPENSSL_LIBS="-lcrypto -lssl" SSL_USES= ssl SSL_CRTD_CONFIGURE_ENABLE= ssl-crtd SSL_CRTD_IMPLIES= SSL STACKTRACES_CONFIGURE_ENABLE= stacktraces STACKTRACES_EXTRA_PATCHES= ${FILESDIR}/extra-patch-gen-stacktrace STACKTRACES_LIB_DEPENDS= libunwind.so:devel/libunwind STACKTRACES_CFLAGS= -g STACKTRACES_LDFLAGS= -lunwind -L${LOCALBASE}/lib STACKTRACES_VARS= STRIP="" TP_IPFW_CONFIGURE_ENABLE= ipfw-transparent TP_IPF_CONFIGURE_ENABLE= ipf-transparent TP_PF_CONFIGURE_ENABLE= pf-transparent TP_PF_CONFIGURE_WITH= nat-devpf VIA_DB_CONFIGURE_ENABLE= forw-via-db WCCPV2_CONFIGURE_ENABLE= wccpv2 WCCP_CONFIGURE_ENABLE= wccp GSSAPI_NONE_CONFIGURE_ON= --without-heimdal-krb5 \ --without-mit-krb5 \ --without-gss GSSAPI_BASE_USES= gssapi GSSAPI_BASE_CONFIGURE_ON= --with-heimdal-krb5=${GSSAPIBASEDIR} \ ${GSSAPI_CONFIGURE_ARGS} \ krb5_config=${GSSAPIBASEDIR}/bin/krb5-config GSSAPI_BASE_PLIST_SUB= AUTH_KERB="" GSSAPI_HEIMDAL_USES= gssapi:heimdal GSSAPI_HEIMDAL_CONFIGURE_ON= --with-heimdal-krb5=${GSSAPIBASEDIR} \ ${GSSAPI_CONFIGURE_ARGS} \ krb5_config=${GSSAPIBASEDIR}/bin/krb5-config GSSAPI_HEIMDAL_PLIST_SUB= AUTH_KERB="" GSSAPI_MIT_USES= gssapi:mit GSSAPI_MIT_CONFIGURE_ON= --with-mit-krb5=${GSSAPIBASEDIR} \ ${GSSAPI_CONFIGURE_ARGS} \ krb5_config=${GSSAPIBASEDIR}/bin/krb5-config GSSAPI_MIT_PLIST_SUB= AUTH_KERB="" ARP_ACL_DESC= ARP/MAC/EUI based authentification AUTH_DESC= Authentication 
helpers AUTH_LDAP_DESC= Install LDAP authentication helpers AUTH_NIS_DESC= Install NIS/YP authentication helpers AUTH_SASL_DESC= Install SASL authentication helpers AUTH_SMB_DESC= Install SMB auth. helpers (req. Samba) AUTH_SQL_DESC= Install SQL based auth BDB_DESC= Berkeley DB support required for session and time quota external helpers CACHE_DIGESTS_DESC= Use cache digests DEBUG_DESC= Build with extended debugging support DELAY_POOLS_DESC= Delay pools (bandwidth limiting) ECAP_DESC= Loadable content adaptation modules ESI_DESC= ESI support FOLLOW_XFF_DESC= Support for the X-Following-For header FS_AUFS_DESC= AUFS (threaded-io) support FS_DISKD_DESC= DISKD storage engine controlled by separate service FS_ROCK_DESC= ROCK storage engine HTCP_DESC= HTCP support ICAP_DESC= the ICAP client ICMP_DESC= ICMP pinging and network measurement IDENT_DESC= Ident lookups (RFC 931) KQUEUE_DESC= Kqueue(2) support LARGEFILE_DESC= Support large (>2GB) cache and log files NETTLE_DESC= Nettle MD5 algorithm support SNMP_DESC= SNMP support SSL_CRTD_DESC= Use ssl_crtd to handle SSL cert requests SSL_DESC= SSL gatewaying support STACKTRACES_DESC= Enable automatic backtraces on fatal errors LAX_HTTP_DESC= Do not enforce strict HTTP compliance TP_IPFW_DESC= Transparent proxying with IPFW TP_IPF_DESC= Transparent proxying with IPFilter TP_PF_DESC= Transparent proxying with PF VIA_DB_DESC= Forward/Via database WCCPV2_DESC= Web Cache Coordination Protocol v2 WCCP_DESC= Web Cache Coordination Protocol change_files= ChangeLog \ contrib/nextstep/makepkg \ contrib/nextstep/post_install \ errors/Makefile.am \ errors/Makefile.in \ src/auth/basic/SMB_LM/README.html \ src/Makefile.am \ src/Makefile.in \ src/cf_gen.cc \ src/squid.8.in \ test-suite/Makefile.in \ tools/Makefile.am \ tools/Makefile.in .if !defined(SQUID_CONFIGURE_ARGS) \ || ${SQUID_CONFIGURE_ARGS:M*--disable-unlinkd*} == "" PLIST_SUB+= UNLINKD="" .else PLIST_SUB+= UNLINKD="@comment " .endif CONFIGURE_ARGS= --with-default-user=squid \ 
--bindir=${PREFIX}/sbin \ --sbindir=${PREFIX}/sbin \ --datadir=${ETCDIR} \ --libexecdir=${PREFIX}/libexec/squid \ --localstatedir=/var \ --sysconfdir=${ETCDIR} \ --with-logdir=/var/log/squid \ --with-pidfile=/var/run/squid/squid.pid \ --with-swapdir=/var/squid/cache \ --without-gnutls \ --with-included-ltdl \ --enable-auth \ --enable-zph-qos \ --enable-build-info \ --enable-loadable-modules \ --enable-removal-policies="lru heap" \ --disable-epoll \ --disable-linux-netfilter \ --disable-linux-tproxy \ --disable-translation \ --disable-arch-native \ --disable-strict-error-checking .include # Authentication methods and modules: BASIC_AUTH+= DB SMB_LM NCSA PAM POP3 RADIUS fake getpwnam DIGEST_AUTH+= file EXTERNAL_ACL+= file_userip unix_group delayer # POLA: allow the old global make.conf(5) (pre src.conf(5)) defines, too: .if ${PORT_OPTIONS:MAUTH_NIS} && !defined(NO_NIS) && !defined(WITHOUT_NIS) BASIC_AUTH+= NIS .endif # POLA: allow the old global make.conf(5) (pre src.conf(5)) defines, too: .if ${PORT_OPTIONS:MGSSAPI_NONE} || defined(NO_KERBEROS) || defined(WITHOUT_KERBEROS) NEGOTIATE_AUTH= none PLIST_SUB+= AUTH_KERB="@comment " .else # The kerberos_ldap_group external helper also depends on LDAP and SASL: . if ${PORT_OPTIONS:MAUTH_LDAP} && ${PORT_OPTIONS:MAUTH_SASL} EXTERNAL_ACL+= kerberos_ldap_group . 
endif NEGOTIATE_AUTH= kerberos wrapper .endif # The session and time_quota external helpers require Berkeley DB support: .if ${PORT_OPTIONS:MBDB} CPPFLAGS+= -I${BDB_INCLUDE_DIR} LDFLAGS+= -L${BDB_LIB_DIR} EXTERNAL_ACL+= time_quota session .endif # Storage schemes: STORAGE_SCHEMES+= ufs DISKIO_MODULES+= AIO Blocking IpcIo Mmapped CONFIGURE_ARGS+= --enable-auth-basic="${BASIC_AUTH}" \ --enable-auth-digest="${DIGEST_AUTH}" \ --enable-external-acl-helpers="${EXTERNAL_ACL}" \ --enable-auth-negotiate="${NEGOTIATE_AUTH}" \ --enable-auth-ntlm="fake SMB_LM" \ --enable-storeio="${STORAGE_SCHEMES}" \ --enable-disk-io="${DISKIO_MODULES}" \ --enable-log-daemon-helpers="file DB" \ --enable-url-rewrite-helpers="fake LFS" \ --enable-storeid-rewrite-helpers="file" \ --enable-security-cert-validators="fake" # Other options set via 'make config': .if ${PORT_OPTIONS:MDEBUG} || defined(WITH_DEBUG) CONFIGURE_ARGS+= --disable-optimizations --enable-debug-cbdata WITH_DEBUG?= yes .endif # Finally, add additional user specified configuration options: CONFIGURE_ARGS+= ${SQUID_CONFIGURE_ARGS} post-patch: @(cd ${WRKSRC} && ${REINPLACE_CMD} \ -e 's|\.conf\.default|.conf.sample|' \ -e 's|)\.default|).sample|' \ ${change_files}) @(cd ${WRKSRC} && ${MV} src/mime.conf.default src/mime.conf.sample) post-patch-IPV6-off: @${REINPLACE_CMD} -E -e's| ::1$$||' -e's| ::1?/128||g' \ -e'/acl localnet src f[ce][08]0::/d' \ -e's| 2001:DB8::[^[:space:]]+$$||' \ -e'/tcp_outgoing_address 2001:db8::/d' \ ${WRKSRC}/src/cf.data.pre post-install: @${MKDIR} ${STAGEDIR}${EXAMPLESDIR} ${INSTALL_DATA} ${WRKSRC}/src/auth/basic/DB/passwd.sql \ ${STAGEDIR}${EXAMPLESDIR} @${MKDIR} ${STAGEDIR}${DOCSDIR} (cd ${WRKSRC} && ${INSTALL_DATA} ${MYDOCS} ${STAGEDIR}${DOCSDIR}) .include Index: branches/2020Q3/www/squid/distinfo =================================================================== --- branches/2020Q3/www/squid/distinfo (revision 543589) +++ branches/2020Q3/www/squid/distinfo (revision 543590) 
@@ -1,3 +1,3 @@
-TIMESTAMP = 1588493552
-SHA256 (squid-4.11.tar.xz) = 4ed947612410263f57ad0e39bfd087e60fb714f028d7d3b0e469943efd34287d
-SIZE (squid-4.11.tar.xz) = 2447700
+TIMESTAMP = 1592288810
+SHA256 (squid-4.12.tar.xz) = f42a03c8b3dc020722c88bf1a87da8cb0c087b2f66b41d8256c77ee1b527e317
+SIZE (squid-4.12.tar.xz) = 2450564
Index: branches/2020Q3/www/squid/files/patch-src_acl_external_eDirectory__userip_ext__edirectory__userip__acl.cc
===================================================================
--- branches/2020Q3/www/squid/files/patch-src_acl_external_eDirectory__userip_ext__edirectory__userip__acl.cc (revision 543589)
+++ branches/2020Q3/www/squid/files/patch-src_acl_external_eDirectory__userip_ext__edirectory__userip__acl.cc (nonexistent)
@@ -1,15 +0,0 @@
---- src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc.orig 2020-04-19 12:38:51 UTC
-+++ src/acl/external/eDirectory_userip/ext_edirectory_userip_acl.cc
-@@ -69,6 +69,12 @@
- #ifdef HAVE_NETDB_H
- #include
- #endif
-+#ifdef HAVE_SYS_SOCKET_H
-+#include
-+#endif
-+#ifdef HAVE_NETINET_IN_H
-+#include
-+#endif
- 
- #ifdef HELPER_INPUT_BUFFER
- #define EDUI_MAXLEN HELPER_INPUT_BUFFER
Property changes on: branches/2020Q3/www/squid/files/patch-src_acl_external_eDirectory__userip_ext__edirectory__userip__acl.cc
___________________________________________________________________
Deleted: fbsd:nokeywords
## -1 +0,0 ##
-ON
\ No newline at end of property
Index: branches/2020Q3/www/squid/files/patch-src_acl_external_kerberos__ldap__group_support__krb5.cc
===================================================================
--- branches/2020Q3/www/squid/files/patch-src_acl_external_kerberos__ldap__group_support__krb5.cc (revision 543589)
+++ branches/2020Q3/www/squid/files/patch-src_acl_external_kerberos__ldap__group_support__krb5.cc (nonexistent)
@@ -1,19 +0,0 @@
---- src/acl/external/kerberos_ldap_group/support_krb5.cc.orig 2020-04-19 12:38:51 UTC
-+++ src/acl/external/kerberos_ldap_group/support_krb5.cc
-@@ -467,10 +467,15 @@ krb5_create_cache(char *domain, char *service_principa
- }
- 
- // overwrite limitation of enctypes
-+#if USE_HEIMDAL_KRB5
-+ creds->session.keytype = 0;
-+ if (creds->session.keyvalue.length>0)
-+ krb5_free_keyblock_contents(kparam.context, &creds->session);
-+#else
- creds->keyblock.enctype = 0;
- if (creds->keyblock.contents)
- krb5_free_keyblock_contents(kparam.context, &creds->keyblock);
--
-+#endif
- code = krb5_get_credentials(kparam.context, 0, kparam.cc[ccindex], creds, &tgt_creds);
- if (code) {
- k5_error("Error while getting tgt", code);
Property changes on: branches/2020Q3/www/squid/files/patch-src_acl_external_kerberos__ldap__group_support__krb5.cc
___________________________________________________________________
Deleted: fbsd:nokeywords
## -1 +0,0 ##
-ON
\ No newline at end of property
Index: branches/2020Q3/www/squid/files/patch-configure
===================================================================
--- branches/2020Q3/www/squid/files/patch-configure (revision 543589)
+++ branches/2020Q3/www/squid/files/patch-configure (revision 543590)
@@ -1,92 +1,82 @@ ---- configure.orig 2020-04-19 12:39:06 UTC +--- configure.orig 2020-06-09 07:15:48 UTC +++ configure -@@ -35077,7 +35077,7 @@ done +@@ -35092,7 +35092,7 @@ done ## BUILD_HELPER="NIS" -for ac_header in sys/types.h rpc/rpc.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h crypt.h +for ac_header in sys/types.h rpc/rpc.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h rpcsvc/crypt.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" " -@@ -35092,8 +35092,10 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : +@@ -35107,8 +35107,10 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF -else - BUILD_HELPER="" +# XXX: On FreeBSD we have to do this to make NIS work +# until https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=188247 +# is resolved. + BUILD_HELPER="NIS" fi done -@@ -35566,7 +35568,7 @@ done +@@ -35581,7 +35583,7 @@ done # unconditionally requires crypt(3), for now if test "x$ac_cv_func_crypt" != "x"; then - for ac_header in unistd.h crypt.h shadow.h + for ac_header in unistd.h rpcsvc/crypt.h shadow.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_cxx_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -@@ -37958,7 +37960,7 @@ for ac_header in \ +@@ -37973,7 +37975,7 @@ for ac_header in \ arpa/nameser.h \ assert.h \ bstring.h \ - crypt.h \ + rpcsvc/crypt.h \ ctype.h \ direct.h \ errno.h \ -@@ -38166,6 +38168,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" +@@ -38181,6 +38183,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" #include #endif #if HAVE_NETINET_IP_COMPAT_H +#include /* IFNAMSIZ */ #include #endif #if HAVE_NETINET_IP_FIL_H -@@ -42213,6 +42216,7 @@ if test "x$enable_ipf_transparent" != "xno" ; then +@@ -42228,6 +42231,7 @@ if test "x$enable_ipf_transparent" != "xno" ; then # include # include +# include /* IFNAMSIZ */ # include # include 
# include -@@ -42243,6 +42247,7 @@ else +@@ -42258,6 +42262,7 @@ else # include # include #undef minor_t +# include /* IFNAMSIZ */ # include # include # include -@@ -42287,6 +42292,7 @@ _ACEOF +@@ -42302,6 +42307,7 @@ _ACEOF ip_fil_compat.h \ ip_fil.h \ ip_nat.h \ + net/if.h \ netinet/ip_compat.h \ netinet/ip_fil_compat.h \ netinet/ip_fil.h \ -@@ -42316,6 +42322,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" +@@ -42331,6 +42337,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" #if HAVE_IP_COMPAT_H #include #elif HAVE_NETINET_IP_COMPAT_H +#include /* IFNAMSIZ */ #include #endif #if HAVE_IP_FIL_H -@@ -42379,8 +42386,7 @@ _ACEOF - - - fi --ac_fn_cxx_check_member "$LINENO" "struct natlookup" "nl_realipaddr.in6" -- "ac_cv_member_struct_natlookup_nl_realipaddr_in6___" " -+ac_fn_cxx_check_member "$LINENO" "struct natlookup" "nl_realipaddr.in6" "ac_cv_member_struct_natlookup_nl_realipaddr_in6___" " - #if USE_SOLARIS_IPFILTER_MINOR_T_HACK - #define minor_t fubar - #endif Index: branches/2020Q3/www/squid/files/patch-src_security_Handshake.cc =================================================================== --- branches/2020Q3/www/squid/files/patch-src_security_Handshake.cc (nonexistent) +++ branches/2020Q3/www/squid/files/patch-src_security_Handshake.cc (revision 543590) 
@@ -0,0 +1,147 @@
+--- src/security/Handshake.cc.orig 2020-06-07 15:42:16 UTC
++++ src/security/Handshake.cc
+@@ -9,6 +9,7 @@
+ /* DEBUG: section 83 SSL-Bump Server/Peer negotiation */
+ 
+ #include "squid.h"
++#include "sbuf/Stream.h"
+ #include "security/Handshake.h"
+ #if USE_OPENSSL
+ #include "ssl/support.h"
+@@ -104,25 +105,52 @@ class Extension (public)
+ typedef std::unordered_set Extensions;
+ static Extensions SupportedExtensions();
+ 
+-} // namespace Security
+-
+ /// parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion
++/// \retval PROTO_NONE for unsupported values (in relaxed mode)
+ static AnyP::ProtocolVersion
+-ParseProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel = ".version")
++ParseProtocolVersionBase(Parser::BinaryTokenizer &tk, const char *contextLabel, const bool beStrict)
+ {
+ Parser::BinaryTokenizerContext context(tk, contextLabel);
+ uint8_t vMajor = tk.uint8(".major");
+ uint8_t vMinor = tk.uint8(".minor");
++
+ if (vMajor == 0 && vMinor == 2)
+ return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 2, 0);
+ 
+- Must(vMajor == 3);
+- if (vMinor == 0)
+- return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
++ if (vMajor == 3) {
++ if (vMinor == 0)
++ return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
++ return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
++ }
+ 
+- return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
++ /* handle unsupported versions */
++
++ const uint16_t vRaw = (vMajor << 8) | vMinor;
++ debugs(83, 7, "unsupported: " << asHex(vRaw));
++ if (beStrict)
++ throw TextException(ToSBuf("unsupported TLS version: ", asHex(vRaw)), Here());
++ // else hide unsupported version details from the caller behind PROTO_NONE
++ return AnyP::ProtocolVersion();
+ }
+ 
++/// parse a framing-related TLS ProtocolVersion
++/// \returns a supported SSL or TLS Anyp::ProtocolVersion, never PROTO_NONE
++static AnyP::ProtocolVersion
++ParseProtocolVersion(Parser::BinaryTokenizer &tk)
++{
++ return ParseProtocolVersionBase(tk, ".version", true);
++}
++
++/// parse a framing-unrelated TLS ProtocolVersion
++/// \retval PROTO_NONE for unsupported values
++static AnyP::ProtocolVersion
++ParseOptionalProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel)
++{
++ return ParseProtocolVersionBase(tk, contextLabel, false);
++}
++
++} // namespace Security
++
+ Security::TLSPlaintext::TLSPlaintext(Parser::BinaryTokenizer &tk)
+ {
+ Parser::BinaryTokenizerContext context(tk, "TLSPlaintext");
+@@ -431,6 +459,8 @@ Security::HandshakeParser::parseExtensions(const SBuf
+ break;
+ case 16: { // Application-Layer Protocol Negotiation Extension, RFC 7301
+ Parser::BinaryTokenizer tkAPN(extension.data);
++ // Store the entire protocol list, including unsupported-by-Squid
++ // values (if any). We have to use all when peeking at the server.
+ details->tlsAppLayerProtoNeg = tkAPN.pstring16("APN");
+ break;
+ }
+@@ -441,8 +471,9 @@ Security::HandshakeParser::parseExtensions(const SBuf
+ case 43: // supported_versions extension; RFC 8446
+ parseSupportedVersionsExtension(extension.data);
+ break;
+- case 13172: // Next Protocol Negotiation Extension (expired draft?)
+ default:
++ // other extensions, including those that Squid does not support, do
++ // not require special handling here, but see unsupportedExtensions
+ break;
+ }
+ }
+@@ -455,7 +486,7 @@ Security::HandshakeParser::parseCiphers(const SBuf &ra
+ Parser::BinaryTokenizer tk(raw);
+ while (!tk.atEnd()) {
+ const uint16_t cipher = tk.uint16("cipher");
+- details->ciphers.insert(cipher);
++ details->ciphers.insert(cipher); // including Squid-unsupported ones
+ }
+ }
+ 
+@@ -473,7 +504,7 @@ Security::HandshakeParser::parseV23Ciphers(const SBuf
+ const uint8_t prefix = tk.uint8("prefix");
+ const uint16_t cipher = tk.uint16("cipher");
+ if (prefix == 0)
+- details->ciphers.insert(cipher);
++ details->ciphers.insert(cipher); // including Squid-unsupported ones
+ }
+ }
+ 
+@@ -486,6 +517,7 @@ Security::HandshakeParser::parseServerHelloHandshakeMe
+ details->tlsSupportedVersion = ParseProtocolVersion(tk);
+ tk.skip(HelloRandomSize, ".random");
+ details->sessionId = tk.pstring8(".session_id");
++ // cipherSuite may be unsupported by a peeking Squid
+ details->ciphers.insert(tk.uint16(".cipher_suite"));
+ details->compressionSupported = tk.uint8(".compression_method") != 0; // not null
+ if (!tk.atEnd()) // extensions present
+@@ -554,12 +586,15 @@ Security::HandshakeParser::parseSupportedVersionsExten
+ Parser::BinaryTokenizer tkList(extensionData);
+ Parser::BinaryTokenizer tkVersions(tkList.pstring8("SupportedVersions"));
+ while (!tkVersions.atEnd()) {
+- const auto version = ParseProtocolVersion(tkVersions, "supported_version");
++ const auto version = ParseOptionalProtocolVersion(tkVersions, "supported_version");
++ // ignore values unsupported by Squid,represented by a falsy version
++ if (!version)
++ continue;
+ if (!supportedVersionMax || TlsVersionEarlierThan(supportedVersionMax, version))
+ supportedVersionMax = version;
+ }
+ 
+- // ignore empty supported_versions
++ // ignore empty and ignored-values-only supported_versions
+ if (!supportedVersionMax)
+ return;
+ 
+@@ -569,7 +604,11 @@ Security::HandshakeParser::parseSupportedVersionsExten
+ } else {
+ assert(messageSource == fromServer);
+ Parser::BinaryTokenizer tkVersion(extensionData);
+- const auto version = ParseProtocolVersion(tkVersion, "selected_version");
++ const auto version = ParseOptionalProtocolVersion(tkVersion, "selected_version");
++ // Ignore values unsupported by Squid. There should not be any until we
++ // start seeing TLS v2+, but they do not affect TLS framing anyway.
++ if (!version)
++ return;
+ // RFC 8446 Section 4.2.1:
+ // A server which negotiates a version of TLS prior to TLS 1.3 [...]
+ // MUST NOT send the "supported_versions" extension.
Property changes on: branches/2020Q3/www/squid/files/patch-src_security_Handshake.cc
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2020Q3/www/squid/files/squid.in
===================================================================
--- branches/2020Q3/www/squid/files/squid.in (revision 543589)
+++ branches/2020Q3/www/squid/files/squid.in (revision 543590)
@@ -1,158 +1,182 @@ #!/bin/sh # # $FreeBSD$ # # PROVIDE: squid # REQUIRE: LOGIN # KEYWORD: shutdown # # Note: # Set "squid_enable=yes" in either /etc/rc.conf, /etc/rc.conf.local or # /etc/rc.conf.d/squid to activate Squid. # # Additional variables you can define in one of these files: # # squid_chdir: the directory into which the rc system moves into before # starting Squid. Default: /var/squid # # squid_conf: The configuration file that Squid should use. # Default: %%PREFIX%%/etc/squid/squid.conf # # squid_fib: The alternative routing table id that Squid should use. # Default: none # See setfib(1) for further details. Note that the setfib(2) # system call is not available in FreeBSD versions prior to 7.1. # # squid_user: The user id that should be used to run the Squid master # process. Default: squid. # Note that you probably need to define "squid_user=root" if # you want to run Squid in reverse proxy setups or if you want # Squid to listen on a "privileged" port < 1024. # +# squid_group: The group id that should be used to run the Squid master +# process. Default: squid +# Note that it affects squid pid dir also, where SHM files +# may be stored on some OS (see r391555) +# +# squid_maxwait: Seconds to wait for squid PID file +# Default: 10 +# # squid_pidfile: # The name (including the full path) of the Squid # master process' PID file. # Default: /var/run/squid/squid.pid. # You only need to change this if you changed the # corresponding entry in your Squid configuration. # # squid_flags: Additional commandline arguments for Squid you might want to # use. See squid(8) for further details. # # squid_krb5_ktname: # Alternative Kerberos 5 Key Table. # Default: none # squid_krb5_config: # Alternative Kerberos 5 config file # Default: none . 
/etc/rc.subr name=squid rcvar=squid_enable # Make sure that we invoke squid with "-f ${squid_conf}"; define this # variable early so reload_cmd and stop_precmd pick it up: extra_commands="reload configtest" reload_cmd=squid_reload start_precmd=squid_prestart start_postcmd=squid_getpid stop_precmd=squid_prestop configtest_cmd=squid_configtest reload_precmd=squid_configtest restart_precmd=squid_configtest # squid(8) will not start if ${squid_conf} is not present so try # to catch that beforehand via ${required_files} rather than make # squid(8) crash. squid_load_rc_config() { : ${squid_chdir:=/var/squid} : ${squid_conf:=%%PREFIX%%/etc/squid/squid.conf} : ${squid_enable:=NO} : ${squid_program:=%%PREFIX%%/sbin/squid} : ${squid_pidfile:=/var/run/squid/squid.pid} + : ${squid_maxwait:=10} : ${squid_user:=squid} + : ${squid_group:=squid} required_args="-f ${squid_conf}" required_dirs=$chdir required_files=$squid_conf command_args="${required_args} ${squid_flags}" # We used to need it in squid3 to match pid and proc name # procname="?squid-*" pidfile=$squid_pidfile } squid_prestart() { + # create piddir if it's missing (for example if /var/run is tmpfs) + squid_piddir=${pidfile%/*} + if [ ! -d "${squid_piddir}" ]; then + echo "Creating PID directory ${squid_piddir}" + mkdir ${squid_piddir} && chown ${squid_user}:${squid_group} ${squid_piddir} && chmod 750 ${squid_piddir}|| return $? 
+ fi + # setup KRB5_KTNAME: squid_krb5_ktname=${squid_krb5_ktname:-"NONE"} if [ "${squid_krb5_ktname}" != "NONE" ]; then export KRB5_KTNAME=${squid_krb5_ktname} fi # setup KRB5_CONFIG: squid_krb5_config=${squid_krb5_config:-"NONE"} if [ "${squid_krb5_config}" != "NONE" ]; then export KRB5_CONFIG=${squid_krb5_config} fi # setup FIB tables: if command -v check_namevarlist > /dev/null 2>&1; then check_namevarlist fib && return 0 fi ${SYSCTL} net.fibs >/dev/null 2>&1 || return 0 squid_fib=${squid_fib:-"NONE"} if [ "${squid_fib}" != "NONE" ]; then command="setfib -F $squid_fib $command" else return 0 fi squid_configtest } squid_reload() { $command $required_args $squid_flags -k reconfigure } squid_configtest() { echo "Performing sanity check on ${name} configuration." if $command $required_args $squid_flags -k check; then echo "Configuration for ${name} passes." return 0 else return $? fi } squid_getpid() { # retrieve the PID of the Squid master process explicitly here # in case rc.subr was unable to determine it: if [ -z "$rc_pid" ]; then + squid_secs=0 while ! [ -f ${pidfile} ]; do + if [ ${squid_maxwait} -le ${squid_secs} ]; then + echo "give up waiting for pidfile" + break + fi sleep 1 + echo -n "." + : $(( squid_secs+=1 )) done read _pid _junk <${pidfile} [ -z "${_pid}" ] || pid=${_pid} else pid=${rc_pid} fi } squid_prestop() { command_args="$command_args -k shutdown" squid_configtest } load_rc_config $name squid_load_rc_config run_rc_command $1 Index: branches/2020Q3 =================================================================== --- branches/2020Q3 (revision 543589) +++ branches/2020Q3 (revision 543590) Property changes on: branches/2020Q3 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r543526
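Review bot: The new PID-directory creation in `squid_prestart` runs `mkdir` first and only afterwards `chown`/`chmod`, so the directory briefly exists root-owned with umask-derived permissions, and a missing parent of `${squid_piddir}` makes the plain `mkdir` fail; `install -d -o ${squid_user} -g ${squid_group} -m 750 ${squid_piddir} || return $?` creates it in one step with the intended owner and mode. The added give-up branch in `squid_getpid` then falls through to `read _pid _junk <${pidfile}` on a file that does not exist, which prints a redirection error from the shell; guarding it as `[ -f ${pidfile} ] && read _pid _junk <${pidfile}` keeps the timeout path quiet. Since the directory is handed to the unprivileged service user and rc.subr later signals whatever PID it reads from that file as root, a one-line comment should state that the rc framework's process-name check on the PID is what limits a tampered pidfile — I cannot confirm from this hunk how strict that check is, as the `procname` setting is commented out.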