Date: Mon, 27 Jul 2020 14:50:15 +0000 (UTC) From: Renato Botelho <garga@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r543526 - in head/www/squid: . files Message-ID: <202007271450.06REoFAF088555@repo.freebsd.org>
Author: garga Date: Mon Jul 27 14:50:15 2020 New Revision: 543526 URL: https://svnweb.freebsd.org/changeset/ports/543526 Log: www/squid: Update to 4.12 among other changes - Update to 4.12 - Remove upstreamed patches - Enhance rc script (thanks to Walter von Entferndt for ideas!): -- create piddir if missing (/var/run may be a tmpfs) -- don't wait endlessly if squid can't create a pidfile -- define squid_group - address GREASEd (thanks to Joshua Kinard and Juraj Lutter!) PR: 247397 Submitted by: Juraj Lutter <juraj@lutter.sk> Reworked by: maintainer Approved by: maintainer MFH: 2020Q3 (bug-fix release) Sponsored by: Rubicon Communications, LLC (Netgate) Added: head/www/squid/files/patch-src_security_Handshake.cc (contents, props changed) Deleted: head/www/squid/files/patch-src_acl_external_eDirectory__userip_ext__edirectory__userip__acl.cc head/www/squid/files/patch-src_acl_external_kerberos__ldap__group_support__krb5.cc Modified: head/www/squid/Makefile head/www/squid/distinfo head/www/squid/files/patch-configure head/www/squid/files/squid.in Modified: head/www/squid/Makefile ============================================================================== --- head/www/squid/Makefile Mon Jul 27 14:17:20 2020 (r543525) +++ head/www/squid/Makefile Mon Jul 27 14:50:15 2020 (r543526) @@ -1,8 +1,7 @@ # $FreeBSD$ PORTNAME= squid -PORTVERSION= 4.11 -PORTREVISION= 2 +PORTVERSION= 4.12 CATEGORIES= www MASTER_SITES= http://www.squid-cache.org/Versions/v4/ \ http://www2.us.squid-cache.org/Versions/v4/ \ Modified: head/www/squid/distinfo ============================================================================== --- head/www/squid/distinfo Mon Jul 27 14:17:20 2020 (r543525) +++ head/www/squid/distinfo Mon Jul 27 14:50:15 2020 (r543526) 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1588493552 -SHA256 (squid-4.11.tar.xz) = 4ed947612410263f57ad0e39bfd087e60fb714f028d7d3b0e469943efd34287d -SIZE (squid-4.11.tar.xz) = 2447700 +TIMESTAMP = 1592288810 +SHA256 (squid-4.12.tar.xz) = f42a03c8b3dc020722c88bf1a87da8cb0c087b2f66b41d8256c77ee1b527e317 +SIZE (squid-4.12.tar.xz) = 2450564 Modified: head/www/squid/files/patch-configure ============================================================================== --- head/www/squid/files/patch-configure Mon Jul 27 14:17:20 2020 (r543525) +++ head/www/squid/files/patch-configure Mon Jul 27 14:50:15 2020 (r543526) @@ -1,6 +1,6 @@ ---- configure.orig 2020-04-19 12:39:06 UTC +--- configure.orig 2020-06-09 07:15:48 UTC +++ configure -@@ -35077,7 +35077,7 @@ done +@@ -35092,7 +35092,7 @@ done ## BUILD_HELPER="NIS" @@ -9,7 +9,7 @@ do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" " -@@ -35092,8 +35092,10 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : +@@ -35107,8 +35107,10 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF @@ -22,7 +22,7 @@ fi done -@@ -35566,7 +35568,7 @@ done +@@ -35581,7 +35583,7 @@ done # unconditionally requires crypt(3), for now if test "x$ac_cv_func_crypt" != "x"; then @@ -31,7 +31,7 @@ do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_cxx_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -@@ -37958,7 +37960,7 @@ for ac_header in \ +@@ -37973,7 +37975,7 @@ for ac_header in \ arpa/nameser.h \ assert.h \ bstring.h \ @@ -40,7 +40,7 @@ ctype.h \ direct.h \ errno.h \ -@@ -38166,6 +38168,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" +@@ -38181,6 +38183,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" #include <netinet/ip.h> #endif #if HAVE_NETINET_IP_COMPAT_H 
@@ -48,7 +48,7 @@ #include <netinet/ip_compat.h> #endif #if HAVE_NETINET_IP_FIL_H -@@ -42213,6 +42216,7 @@ if test "x$enable_ipf_transparent" != "xno" ; then +@@ -42228,6 +42231,7 @@ if test "x$enable_ipf_transparent" != "xno" ; then # include <sys/ioccom.h> # include <netinet/in.h> @@ -56,7 +56,7 @@ # include <netinet/ip_compat.h> # include <netinet/ip_fil.h> # include <netinet/ip_nat.h> -@@ -42243,6 +42247,7 @@ else +@@ -42258,6 +42262,7 @@ else # include <sys/ioccom.h> # include <netinet/in.h> #undef minor_t @@ -64,7 +64,7 @@ # include <netinet/ip_compat.h> # include <netinet/ip_fil.h> # include <netinet/ip_nat.h> -@@ -42287,6 +42292,7 @@ _ACEOF +@@ -42302,6 +42307,7 @@ _ACEOF ip_fil_compat.h \ ip_fil.h \ ip_nat.h \ @@ -72,7 +72,7 @@ netinet/ip_compat.h \ netinet/ip_fil_compat.h \ netinet/ip_fil.h \ -@@ -42316,6 +42322,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" +@@ -42331,6 +42337,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" #if HAVE_IP_COMPAT_H #include <ip_compat.h> #elif HAVE_NETINET_IP_COMPAT_H @@ -80,13 +80,3 @@ #include <netinet/ip_compat.h> #endif #if HAVE_IP_FIL_H -@@ -42379,8 +42386,7 @@ _ACEOF - - - fi --ac_fn_cxx_check_member "$LINENO" "struct natlookup" "nl_realipaddr.in6" -- "ac_cv_member_struct_natlookup_nl_realipaddr_in6___" " -+ac_fn_cxx_check_member "$LINENO" "struct natlookup" "nl_realipaddr.in6" "ac_cv_member_struct_natlookup_nl_realipaddr_in6___" " - #if USE_SOLARIS_IPFILTER_MINOR_T_HACK - #define minor_t fubar - #endif Added: head/www/squid/files/patch-src_security_Handshake.cc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/squid/files/patch-src_security_Handshake.cc Mon Jul 27 14:50:15 2020 (r543526) 
@@ -0,0 +1,147 @@ +--- src/security/Handshake.cc.orig 2020-06-07 15:42:16 UTC ++++ src/security/Handshake.cc +@@ -9,6 +9,7 @@ + /* DEBUG: section 83 SSL-Bump Server/Peer negotiation */ + + #include "squid.h" ++#include "sbuf/Stream.h" + #include "security/Handshake.h" + #if USE_OPENSSL + #include "ssl/support.h" +@@ -104,25 +105,52 @@ class Extension (public) + typedef std::unordered_set<Extension::Type> Extensions; + static Extensions SupportedExtensions(); + +-} // namespace Security +- + /// parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion ++/// \retval PROTO_NONE for unsupported values (in relaxed mode) + static AnyP::ProtocolVersion +-ParseProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel = ".version") ++ParseProtocolVersionBase(Parser::BinaryTokenizer &tk, const char *contextLabel, const bool beStrict) + { + Parser::BinaryTokenizerContext context(tk, contextLabel); + uint8_t vMajor = tk.uint8(".major"); + uint8_t vMinor = tk.uint8(".minor"); ++ + if (vMajor == 0 && vMinor == 2) + return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 2, 0); + +- Must(vMajor == 3); +- if (vMinor == 0) +- return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0); ++ if (vMajor == 3) { ++ if (vMinor == 0) ++ return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0); ++ return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1)); ++ } + +- return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1)); ++ /* handle unsupported versions */ ++ ++ const uint16_t vRaw = (vMajor << 8) | vMinor; ++ debugs(83, 7, "unsupported: " << asHex(vRaw)); ++ if (beStrict) ++ throw TextException(ToSBuf("unsupported TLS version: ", asHex(vRaw)), Here()); ++ // else hide unsupported version details from the caller behind PROTO_NONE ++ return AnyP::ProtocolVersion(); + } + ++/// parse a framing-related TLS ProtocolVersion ++/// \returns a supported SSL or TLS Anyp::ProtocolVersion, never PROTO_NONE ++static AnyP::ProtocolVersion 
++ParseProtocolVersion(Parser::BinaryTokenizer &tk) ++{ ++ return ParseProtocolVersionBase(tk, ".version", true); ++} ++ ++/// parse a framing-unrelated TLS ProtocolVersion ++/// \retval PROTO_NONE for unsupported values ++static AnyP::ProtocolVersion ++ParseOptionalProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel) ++{ ++ return ParseProtocolVersionBase(tk, contextLabel, false); ++} ++ ++} // namespace Security ++ + Security::TLSPlaintext::TLSPlaintext(Parser::BinaryTokenizer &tk) + { + Parser::BinaryTokenizerContext context(tk, "TLSPlaintext"); +@@ -431,6 +459,8 @@ Security::HandshakeParser::parseExtensions(const SBuf + break; + case 16: { // Application-Layer Protocol Negotiation Extension, RFC 7301 + Parser::BinaryTokenizer tkAPN(extension.data); ++ // Store the entire protocol list, including unsupported-by-Squid ++ // values (if any). We have to use all when peeking at the server. + details->tlsAppLayerProtoNeg = tkAPN.pstring16("APN"); + break; + } +@@ -441,8 +471,9 @@ Security::HandshakeParser::parseExtensions(const SBuf + case 43: // supported_versions extension; RFC 8446 + parseSupportedVersionsExtension(extension.data); + break; +- case 13172: // Next Protocol Negotiation Extension (expired draft?) 
+ default: ++ // other extensions, including those that Squid does not support, do ++ // not require special handling here, but see unsupportedExtensions + break; + } + } +@@ -455,7 +486,7 @@ Security::HandshakeParser::parseCiphers(const SBuf &ra + Parser::BinaryTokenizer tk(raw); + while (!tk.atEnd()) { + const uint16_t cipher = tk.uint16("cipher"); +- details->ciphers.insert(cipher); ++ details->ciphers.insert(cipher); // including Squid-unsupported ones + } + } + +@@ -473,7 +504,7 @@ Security::HandshakeParser::parseV23Ciphers(const SBuf + const uint8_t prefix = tk.uint8("prefix"); + const uint16_t cipher = tk.uint16("cipher"); + if (prefix == 0) +- details->ciphers.insert(cipher); ++ details->ciphers.insert(cipher); // including Squid-unsupported ones + } + } + +@@ -486,6 +517,7 @@ Security::HandshakeParser::parseServerHelloHandshakeMe + details->tlsSupportedVersion = ParseProtocolVersion(tk); + tk.skip(HelloRandomSize, ".random"); + details->sessionId = tk.pstring8(".session_id"); ++ // cipherSuite may be unsupported by a peeking Squid + details->ciphers.insert(tk.uint16(".cipher_suite")); + details->compressionSupported = tk.uint8(".compression_method") != 0; // not null + if (!tk.atEnd()) // extensions present +@@ -554,12 +586,15 @@ Security::HandshakeParser::parseSupportedVersionsExten + Parser::BinaryTokenizer tkList(extensionData); + Parser::BinaryTokenizer tkVersions(tkList.pstring8("SupportedVersions")); + while (!tkVersions.atEnd()) { +- const auto version = ParseProtocolVersion(tkVersions, "supported_version"); ++ const auto version = ParseOptionalProtocolVersion(tkVersions, "supported_version"); ++ // ignore values unsupported by Squid,represented by a falsy version ++ if (!version) ++ continue; + if (!supportedVersionMax || TlsVersionEarlierThan(supportedVersionMax, version)) + supportedVersionMax = version; + } + +- // ignore empty supported_versions ++ // ignore empty and ignored-values-only supported_versions + if (!supportedVersionMax) + return; 
+ 
+@@ -569,7 +604,11 @@ Security::HandshakeParser::parseSupportedVersionsExten
+ } else {
+ assert(messageSource == fromServer);
+ Parser::BinaryTokenizer tkVersion(extensionData);
+- const auto version = ParseProtocolVersion(tkVersion, "selected_version");
++ const auto version = ParseOptionalProtocolVersion(tkVersion, "selected_version");
++ // Ignore values unsupported by Squid. There should not be any until we
++ // start seeing TLS v2+, but they do not affect TLS framing anyway.
++ if (!version)
++ return;
+ // RFC 8446 Section 4.2.1:
+ // A server which negotiates a version of TLS prior to TLS 1.3 [...]
+ // MUST NOT send the "supported_versions" extension.
Modified: head/www/squid/files/squid.in
==============================================================================
--- head/www/squid/files/squid.in Mon Jul 27 14:17:20 2020 (r543525)
+++ head/www/squid/files/squid.in Mon Jul 27 14:50:15 2020 (r543526)
@@ -29,6 +29,14 @@
 # you want to run Squid in reverse proxy setups or if you want
 # Squid to listen on a "privileged" port < 1024.
 #
+# squid_group: The group id that should be used to run the Squid master
+# process. Default: squid
+# Note that it affects squid pid dir also, where SHM files
+# may be stored on some OS (see r391555)
+#
+# squid_maxwait: Seconds to wait for squid PID file
+# Default: 10
+#
 # squid_pidfile:
 # The name (including the full path) of the Squid
 # master process' PID file.
@@ -74,7 +82,9 @@ squid_load_rc_config()
 : ${squid_enable:=NO}
 : ${squid_program:=%%PREFIX%%/sbin/squid}
 : ${squid_pidfile:=/var/run/squid/squid.pid}
+ : ${squid_maxwait:=10}
 : ${squid_user:=squid}
+ : ${squid_group:=squid}
 
 required_args="-f ${squid_conf}"
 required_dirs=$chdir
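Review bot: The new patch file carries no record of where its contents come from; the only trace is the commit log's "address GREASEd" line and PR 247397, which makes the next "remove upstreamed patches" pass (this very commit does one) harder than it needs to be. patch(1) ignores text before the first `---` line, so a short provenance header at the top of the file would do, e.g. `Backport of the upstream Squid fix for GREASEd/unsupported TLS versions (PR 247397, upstream commit <UPSTREAM-COMMIT-ID>); drop once the port moves to a release that includes it.`. Separately, the comment added in the supported_versions loop reads `ignore values unsupported by Squid,represented by a falsy version` and is missing the space after the comma. The hunk cuts through several Security::HandshakeParser methods, so their surrounding bodies are outside this view.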
@@ -87,6 +97,13 @@ squid_load_rc_config()
 
 squid_prestart()
 {
+ # create piddir if it's missing (for example if /var/run is tmpfs)
+ squid_piddir=${pidfile%/*}
+ if [ ! -d "${squid_piddir}" ]; then
+ echo "Creating PID directory ${squid_piddir}"
+ mkdir ${squid_piddir} && chown ${squid_user}:${squid_group} ${squid_piddir} && chmod 750 ${squid_piddir}|| return $?
+ fi
+
 # setup KRB5_KTNAME:
 squid_krb5_ktname=${squid_krb5_ktname:-"NONE"}
 if [ "${squid_krb5_ktname}" != "NONE" ]; then
@@ -137,8 +154,15 @@ squid_getpid()
 # retrieve the PID of the Squid master process explicitly here
 # in case rc.subr was unable to determine it:
 if [ -z "$rc_pid" ]; then
+ squid_secs=0
 while ! [ -f ${pidfile} ]; do
+ if [ ${squid_maxwait} -le ${squid_secs} ]; then
+ echo "give up waiting for pidfile"
+ break
+ fi
 sleep 1
+ echo -n "."
+ : $(( squid_secs+=1 ))
 done
 read _pid _junk <${pidfile}
 [ -z "${_pid}" ] || pid=${_pid}
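Review bot: In squid_prestart the PID directory is created by a bare `mkdir` with whatever mode the umask gives, and only afterwards chowned and chmodded to 750, so for a moment it exists with wider permissions than intended; install(1) sets owner, group and mode at creation time: `install -d -o "${squid_user}" -g "${squid_group}" -m 750 "${squid_piddir}" || return $?`. That line also quotes the path consistently with the `[ ! -d "${squid_piddir}" ]` test above it (the mkdir/chown/chmod chain leaves it unquoted), and it creates missing parent directories, which the bare `mkdir` does not — harmless for the default /var/run/squid but worth knowing if squid_pidfile points elsewhere. Note too that `${pidfile%/*}` yields the file name itself when squid_pidfile contains no slash; unlikely, but nothing here rejects it. squid_prestart continues past the end of the hunk.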
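Review bot: After `break` in squid_getpid control falls through to `read _pid _junk <${pidfile}`, which now runs against a file the loop has just decided does not exist and produces a redirection error instead of a clean failure; returning at the give-up point, `return 1` in place of `break`, avoids that, provided the callers of squid_getpid (outside the hunk) tolerate a non-zero status. The progress dots are written with `echo -n "."`, so the "give up waiting for pidfile" message lands at the end of the dotted line; a plain `echo` before it keeps the output readable. If squid_maxwait is set to something that is not an integer, the `[ ... -le ... ]` test errors out on every iteration and the loop becomes unbounded again, which this change was meant to prevent; a guard such as `case ${squid_maxwait} in ''|*[!0-9]*) squid_maxwait=10;; esac` next to the default in squid_load_rc_config would close that. squid_getpid continues past the end of the hunk.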