summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorotis <otis@pkgsrc.org>2020-07-09 20:57:11 +0000
committerotis <otis@pkgsrc.org>2020-07-09 20:57:11 +0000
commit6ef4454024088b488bdb6277722c5e0bbbcd7c63 (patch)
tree8eaa17b594de478e5c2749809da3dd1e00d707a4
parent16e223db8eb3743b057a961a4985888362234ecd (diff)
downloadpkgsrc-6ef4454024088b488bdb6277722c5e0bbbcd7c63.tar.gz
squid4: Fix build and SSL handshake on Chromium-based browsers
Changes: - Fix an error where strings.h was not properly included - Add SMF support on apropriate platforms - Backport https://github.com/squid-cache/squid/pull/663: SslBump: Support parsing GREASEd (and future) TLS handshakes
-rw-r--r--www/squid4/Makefile4
-rw-r--r--www/squid4/distinfo4
-rw-r--r--www/squid4/files/smf/manifest.xml28
-rw-r--r--www/squid4/patches/patch-src_esi_VarState.cc16
-rw-r--r--www/squid4/patches/patch-src_security_Handshake.cc157
5 files changed, 207 insertions, 2 deletions
diff --git a/www/squid4/Makefile b/www/squid4/Makefile
index 7d1ee22f9a6..8ee3b9df349 100644
--- a/www/squid4/Makefile
+++ b/www/squid4/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.10 2020/06/19 13:44:28 taca Exp $
+# $NetBSD: Makefile,v 1.11 2020/07/09 20:57:11 otis Exp $
DISTNAME= squid-4.12
+PKGREVISION= 1
CATEGORIES= www
MASTER_SITES= http://www.squid-cache.org/Versions/v4/
MASTER_SITES+= ftp://ftp.squid-cache.org/pub/squid/
@@ -70,6 +71,7 @@ SPECIAL_PERMS+= libexec/pinger ${SETUID_ROOT_PERMS}
RCD_SCRIPTS= squid
RCD_SCRIPT_SRC.squid= files/squid.sh
+SMF_NAME= squid
SUBST_CLASSES+= confs
SUBST_STAGE.confs= pre-configure
diff --git a/www/squid4/distinfo b/www/squid4/distinfo
index 54b0bede2d0..eafb30ca448 100644
--- a/www/squid4/distinfo
+++ b/www/squid4/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.7 2020/06/19 13:44:28 taca Exp $
+$NetBSD: distinfo,v 1.8 2020/07/09 20:57:11 otis Exp $
SHA1 (squid-4.12.tar.xz) = 316b8a343aa542b5e7469d33b9d726bee00679c6
RMD160 (squid-4.12.tar.xz) = 5d593efe84ca34c39a21bab523e75621dec4e9bb
@@ -10,5 +10,7 @@ SHA1 (patch-errors_Makefile.in) = 84cbf5c836f02ed5fbfff140888c6d3aadeac326
SHA1 (patch-src_Makefile.in) = afc5aefd97c46d1ffab43e97aeaeade3a5a8c648
SHA1 (patch-src_acl_external_kerberos__ldap__group_support__resolv.cc) = 0ea41d55e32d689a16e012391a9eea67631daf3a
SHA1 (patch-src_comm_ModKqueue.cc) = d8c5d235f07a48731275101d60fcbf2e22f77b96
+SHA1 (patch-src_esi_VarState.cc) = d9418e59cdc390b2d970195167a99bb7ed392c38
SHA1 (patch-src_fs_ufs_RebuildState.h) = 76ee5c437b3dad05e428ae89cd5af6c052a40e59
+SHA1 (patch-src_security_Handshake.cc) = 5c48ab63e7e387ff14e3a0a2d9cddfeef66782ec
SHA1 (patch-tools_Makefile.in) = d098c0c9dc4af577f74e562d99f07ed98be5ae01
diff --git a/www/squid4/files/smf/manifest.xml b/www/squid4/files/smf/manifest.xml
new file mode 100644
index 00000000000..63dc285a7ec
--- /dev/null
+++ b/www/squid4/files/smf/manifest.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0"?>
+<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+<service_bundle type="manifest" name="export">
+ <service name="@SMF_PREFIX@/@SMF_NAME@" type="service" version="1">
+ <create_default_instance enabled="false" />
+ <single_instance />
+ <dependency name="network" grouping="require_all" restart_on="error" type="service">
+ <service_fmri value="svc:/milestone/network:default" />
+ </dependency>
+ <dependency name="filesystem" grouping="require_all" restart_on="error" type="service">
+ <service_fmri value="svc:/system/filesystem/local" />
+ </dependency>
+ <exec_method type="method" name="start" exec="@PREFIX@/sbin/squid -f %{config_file}" timeout_seconds="60" />
+ <exec_method type="method" name="stop" exec="@PREFIX@/sbin/squid -k shutdown" timeout_seconds="120" />
+ <property_group name="startd" type="framework">
+ <propval name="duration" type="astring" value="contract" />
+ <propval name="ignore_error" type="astring" value="core,signal" />
+ </property_group>
+ <property_group name="application" type="application">
+ <propval name="config_file" type="astring" value="@PKG_SYSCONFDIR@/squid.conf" />
+ </property_group>
+ <template>
+ <common_name>
+ <loctext xml:lang="C">squid daemon</loctext>
+ </common_name>
+ </template>
+ </service>
+</service_bundle>
diff --git a/www/squid4/patches/patch-src_esi_VarState.cc b/www/squid4/patches/patch-src_esi_VarState.cc
new file mode 100644
index 00000000000..926ecff2096
--- /dev/null
+++ b/www/squid4/patches/patch-src_esi_VarState.cc
@@ -0,0 +1,16 @@
+$NetBSD: patch-src_esi_VarState.cc,v 1.1 2020/07/09 20:57:11 otis Exp $
+
+Fix undeclared index() by including the proper header file.
+
+--- src/esi/VarState.cc.orig 2020-07-09 19:37:38.879095702 +0000
++++ src/esi/VarState.cc
+@@ -12,6 +12,9 @@
+ #include "esi/VarState.h"
+ #include "fatal.h"
+ #include "HttpReply.h"
++#if HAVE_STRINGS_H
++#include <strings.h>
++#endif
+
+ char const *ESIVariableUserAgent::esiUserOs[]= {
+ "WIN",
diff --git a/www/squid4/patches/patch-src_security_Handshake.cc b/www/squid4/patches/patch-src_security_Handshake.cc
new file mode 100644
index 00000000000..4aaa6e0ff12
--- /dev/null
+++ b/www/squid4/patches/patch-src_security_Handshake.cc
@@ -0,0 +1,157 @@
+$NetBSD: patch-src_security_Handshake.cc,v 1.1 2020/07/09 20:57:11 otis Exp $
+
+Address:
+https://github.com/squid-cache/squid/pull/663
+https://www.spinics.net/lists/squid/msg92728.html
+https://www.spinics.net/lists/squid/msg92814.html
+
+See also:
+https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247397
+
+--- src/security/Handshake.cc.orig 2020-07-09 19:09:34.152270307 +0000
++++ src/security/Handshake.cc
+@@ -9,6 +9,7 @@
+ /* DEBUG: section 83 SSL-Bump Server/Peer negotiation */
+
+ #include "squid.h"
++#include "sbuf/Stream.h"
+ #include "security/Handshake.h"
+ #if USE_OPENSSL
+ #include "ssl/support.h"
+@@ -104,25 +105,52 @@ public:
+ typedef std::unordered_set<Extension::Type> Extensions;
+ static Extensions SupportedExtensions();
+
+-} // namespace Security
+-
+ /// parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion
++/// \retval PROTO_NONE for unsupported values (in relaxed mode)
+ static AnyP::ProtocolVersion
+-ParseProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel = ".version")
++ParseProtocolVersionBase(Parser::BinaryTokenizer &tk, const char *contextLabel, const bool beStrict)
+ {
+ Parser::BinaryTokenizerContext context(tk, contextLabel);
+ uint8_t vMajor = tk.uint8(".major");
+ uint8_t vMinor = tk.uint8(".minor");
++
+ if (vMajor == 0 && vMinor == 2)
+ return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 2, 0);
+
+- Must(vMajor == 3);
+- if (vMinor == 0)
+- return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
++ if (vMajor == 3) {
++ if (vMinor == 0)
++ return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
++ return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
++ }
++
++ /* handle unsupported versions */
++
++ const uint16_t vRaw = (vMajor << 8) | vMinor;
++ debugs(83, 7, "unsupported: " << asHex(vRaw));
++ if (beStrict)
++ throw TextException(ToSBuf("unsupported TLS version: ", asHex(vRaw)), Here());
++ // else hide unsupported version details from the caller behind PROTO_NONE
++ return AnyP::ProtocolVersion();
++}
++
++/// parse a framing-related TLS ProtocolVersion
++/// \returns a supported SSL or TLS Anyp::ProtocolVersion, never PROTO_NONE
++static AnyP::ProtocolVersion
++ParseProtocolVersion(Parser::BinaryTokenizer &tk)
++{
++ return ParseProtocolVersionBase(tk, ".version", true);
++}
+
+- return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
++/// parse a framing-unrelated TLS ProtocolVersion
++/// \retval PROTO_NONE for unsupported values
++static AnyP::ProtocolVersion
++ParseOptionalProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel)
++{
++ return ParseProtocolVersionBase(tk, contextLabel, false);
+ }
+
++} // namespace Security
++
+ Security::TLSPlaintext::TLSPlaintext(Parser::BinaryTokenizer &tk)
+ {
+ Parser::BinaryTokenizerContext context(tk, "TLSPlaintext");
+@@ -431,6 +459,8 @@ Security::HandshakeParser::parseExtensio
+ break;
+ case 16: { // Application-Layer Protocol Negotiation Extension, RFC 7301
+ Parser::BinaryTokenizer tkAPN(extension.data);
++ // Store the entire protocol list, including unsupported-by-Squid
++ // values (if any). We have to use all when peeking at the server.
+ details->tlsAppLayerProtoNeg = tkAPN.pstring16("APN");
+ break;
+ }
+@@ -441,8 +471,9 @@ Security::HandshakeParser::parseExtensio
+ case 43: // supported_versions extension; RFC 8446
+ parseSupportedVersionsExtension(extension.data);
+ break;
+- case 13172: // Next Protocol Negotiation Extension (expired draft?)
+ default:
++ // other extensions, including those that Squid does not support, do
++ // not require special handling here, but see unsupportedExtensions
+ break;
+ }
+ }
+@@ -455,7 +486,7 @@ Security::HandshakeParser::parseCiphers(
+ Parser::BinaryTokenizer tk(raw);
+ while (!tk.atEnd()) {
+ const uint16_t cipher = tk.uint16("cipher");
+- details->ciphers.insert(cipher);
++ details->ciphers.insert(cipher); // including Squid-unsupported ones
+ }
+ }
+
+@@ -473,7 +504,7 @@ Security::HandshakeParser::parseV23Ciphe
+ const uint8_t prefix = tk.uint8("prefix");
+ const uint16_t cipher = tk.uint16("cipher");
+ if (prefix == 0)
+- details->ciphers.insert(cipher);
++ details->ciphers.insert(cipher); // including Squid-unsupported ones
+ }
+ }
+
+@@ -486,6 +517,7 @@ Security::HandshakeParser::parseServerHe
+ details->tlsSupportedVersion = ParseProtocolVersion(tk);
+ tk.skip(HelloRandomSize, ".random");
+ details->sessionId = tk.pstring8(".session_id");
++ // cipherSuite may be unsupported by a peeking Squid
+ details->ciphers.insert(tk.uint16(".cipher_suite"));
+ details->compressionSupported = tk.uint8(".compression_method") != 0; // not null
+ if (!tk.atEnd()) // extensions present
+@@ -554,12 +586,15 @@ Security::HandshakeParser::parseSupporte
+ Parser::BinaryTokenizer tkList(extensionData);
+ Parser::BinaryTokenizer tkVersions(tkList.pstring8("SupportedVersions"));
+ while (!tkVersions.atEnd()) {
+- const auto version = ParseProtocolVersion(tkVersions, "supported_version");
++ const auto version = ParseOptionalProtocolVersion(tkVersions, "supported_version");
++ // ignore values unsupported by Squid,represented by a falsy version
++ if (!version)
++ continue;
+ if (!supportedVersionMax || TlsVersionEarlierThan(supportedVersionMax, version))
+ supportedVersionMax = version;
+ }
+
+- // ignore empty supported_versions
++ // ignore empty and ignored-values-only supported_versions
+ if (!supportedVersionMax)
+ return;
+
+@@ -569,7 +604,11 @@ Security::HandshakeParser::parseSupporte
+ } else {
+ assert(messageSource == fromServer);
+ Parser::BinaryTokenizer tkVersion(extensionData);
+- const auto version = ParseProtocolVersion(tkVersion, "selected_version");
++ const auto version = ParseOptionalProtocolVersion(tkVersion, "selected_version");
++ // Ignore values unsupported by Squid. There should not be any until we
++ // start seeing TLS v2+, but they do not affect TLS framing anyway.
++ if (!version)
++ return;
+ // RFC 8446 Section 4.2.1:
+ // A server which negotiates a version of TLS prior to TLS 1.3 [...]
+ // MUST NOT send the "supported_versions" extension.