author | otis <otis@pkgsrc.org> | 2020-07-09 20:57:11 +0000 |
---|---|---|
committer | otis <otis@pkgsrc.org> | 2020-07-09 20:57:11 +0000 |
commit | 6ef4454024088b488bdb6277722c5e0bbbcd7c63 (patch) | |
tree | 8eaa17b594de478e5c2749809da3dd1e00d707a4 | |
parent | 16e223db8eb3743b057a961a4985888362234ecd (diff) | |
download | pkgsrc-6ef4454024088b488bdb6277722c5e0bbbcd7c63.tar.gz |
squid4: Fix build and SSL handshake on Chromium-based browsers
Changes:
- Fix an error where strings.h was not properly included
- Add SMF support on appropriate platforms
- Backport https://github.com/squid-cache/squid/pull/663:
SslBump: Support parsing GREASEd (and future) TLS handshakes
-rw-r--r-- | www/squid4/Makefile | 4 | ||||
-rw-r--r-- | www/squid4/distinfo | 4 | ||||
-rw-r--r-- | www/squid4/files/smf/manifest.xml | 28 | ||||
-rw-r--r-- | www/squid4/patches/patch-src_esi_VarState.cc | 16 | ||||
-rw-r--r-- | www/squid4/patches/patch-src_security_Handshake.cc | 157 |
5 files changed, 207 insertions, 2 deletions
diff --git a/www/squid4/Makefile b/www/squid4/Makefile
index 7d1ee22f9a6..8ee3b9df349 100644
--- a/www/squid4/Makefile
+++ b/www/squid4/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.10 2020/06/19 13:44:28 taca Exp $
+# $NetBSD: Makefile,v 1.11 2020/07/09 20:57:11 otis Exp $
 DISTNAME= squid-4.12
+PKGREVISION= 1
 CATEGORIES= www
 MASTER_SITES= http://www.squid-cache.org/Versions/v4/
 MASTER_SITES+= ftp://ftp.squid-cache.org/pub/squid/
@@ -70,6 +71,7 @@ SPECIAL_PERMS+= libexec/pinger ${SETUID_ROOT_PERMS}
 RCD_SCRIPTS= squid
 RCD_SCRIPT_SRC.squid= files/squid.sh
+SMF_NAME= squid
 SUBST_CLASSES+= confs
 SUBST_STAGE.confs= pre-configure
diff --git a/www/squid4/distinfo b/www/squid4/distinfo
index 54b0bede2d0..eafb30ca448 100644
--- a/www/squid4/distinfo
+++ b/www/squid4/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.7 2020/06/19 13:44:28 taca Exp $
+$NetBSD: distinfo,v 1.8 2020/07/09 20:57:11 otis Exp $
 SHA1 (squid-4.12.tar.xz) = 316b8a343aa542b5e7469d33b9d726bee00679c6
 RMD160 (squid-4.12.tar.xz) = 5d593efe84ca34c39a21bab523e75621dec4e9bb
@@ -10,5 +10,7 @@ SHA1 (patch-errors_Makefile.in) = 84cbf5c836f02ed5fbfff140888c6d3aadeac326
 SHA1 (patch-src_Makefile.in) = afc5aefd97c46d1ffab43e97aeaeade3a5a8c648
 SHA1 (patch-src_acl_external_kerberos__ldap__group_support__resolv.cc) = 0ea41d55e32d689a16e012391a9eea67631daf3a
 SHA1 (patch-src_comm_ModKqueue.cc) = d8c5d235f07a48731275101d60fcbf2e22f77b96
+SHA1 (patch-src_esi_VarState.cc) = d9418e59cdc390b2d970195167a99bb7ed392c38
 SHA1 (patch-src_fs_ufs_RebuildState.h) = 76ee5c437b3dad05e428ae89cd5af6c052a40e59
+SHA1 (patch-src_security_Handshake.cc) = 5c48ab63e7e387ff14e3a0a2d9cddfeef66782ec
 SHA1 (patch-tools_Makefile.in) = d098c0c9dc4af577f74e562d99f07ed98be5ae01
diff --git a/www/squid4/files/smf/manifest.xml b/www/squid4/files/smf/manifest.xml
new file mode 100644
index 00000000000..63dc285a7ec
--- /dev/null
+++ b/www/squid4/files/smf/manifest.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0"?>
+<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+<service_bundle type="manifest" name="export">
+ <service name="@SMF_PREFIX@/@SMF_NAME@" type="service" version="1">
+ <create_default_instance enabled="false" />
+ <single_instance />
+ <dependency name="network" grouping="require_all" restart_on="error" type="service">
+ <service_fmri value="svc:/milestone/network:default" />
+ </dependency>
+ <dependency name="filesystem" grouping="require_all" restart_on="error" type="service">
+ <service_fmri value="svc:/system/filesystem/local" />
+ </dependency>
+ <exec_method type="method" name="start" exec="@PREFIX@/sbin/squid -f %{config_file}" timeout_seconds="60" />
+ <exec_method type="method" name="stop" exec="@PREFIX@/sbin/squid -k shutdown" timeout_seconds="120" />
+ <property_group name="startd" type="framework">
+ <propval name="duration" type="astring" value="contract" />
+ <propval name="ignore_error" type="astring" value="core,signal" />
+ </property_group>
+ <property_group name="application" type="application">
+ <propval name="config_file" type="astring" value="@PKG_SYSCONFDIR@/squid.conf" />
+ </property_group>
+ <template>
+ <common_name>
+ <loctext xml:lang="C">squid daemon</loctext>
+ </common_name>
+ </template>
+ </service>
+</service_bundle>
diff --git a/www/squid4/patches/patch-src_esi_VarState.cc b/www/squid4/patches/patch-src_esi_VarState.cc
new file mode 100644
index 00000000000..926ecff2096
--- /dev/null
+++ b/www/squid4/patches/patch-src_esi_VarState.cc
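Review bot: The stop method runs `@PREFIX@/sbin/squid -k shutdown` without the `-f %{config_file}` that the start method passes, so once an administrator points `config_file` at a non-default squid.conf, the shutdown signal is resolved against the default configuration's pid file and can miss the instance SMF actually started (or signal a different one). Passing the same option to both methods keeps them in step: `exec="@PREFIX@/sbin/squid -f %{config_file} -k shutdown"`. With `duration` set to `contract`, a stop that signals the wrong pid presumably leaves the process contract alive until the 120-second stop timeout expires, so the mismatch would surface as slow or failed service stops rather than as an obvious error.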
@@ -0,0 +1,16 @@
+$NetBSD: patch-src_esi_VarState.cc,v 1.1 2020/07/09 20:57:11 otis Exp $
+
+Fix undeclared index() by including the proper header file.
+
+--- src/esi/VarState.cc.orig 2020-07-09 19:37:38.879095702 +0000
++++ src/esi/VarState.cc
+@@ -12,6 +12,9 @@
+ #include "esi/VarState.h"
+ #include "fatal.h"
+ #include "HttpReply.h"
++#if HAVE_STRINGS_H
++#include <strings.h>
++#endif
+ 
+ char const *ESIVariableUserAgent::esiUserOs[]= {
+ "WIN",
diff --git a/www/squid4/patches/patch-src_security_Handshake.cc b/www/squid4/patches/patch-src_security_Handshake.cc
new file mode 100644
index 00000000000..4aaa6e0ff12
--- /dev/null
+++ b/www/squid4/patches/patch-src_security_Handshake.cc
@@ -0,0 +1,157 @@
+$NetBSD: patch-src_security_Handshake.cc,v 1.1 2020/07/09 20:57:11 otis Exp $
+
+Address:
+https://github.com/squid-cache/squid/pull/663
+https://www.spinics.net/lists/squid/msg92728.html
+https://www.spinics.net/lists/squid/msg92814.html
+
+See also:
+https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247397
+
+--- src/security/Handshake.cc.orig 2020-07-09 19:09:34.152270307 +0000
++++ src/security/Handshake.cc
+@@ -9,6 +9,7 @@
+ /* DEBUG: section 83 SSL-Bump Server/Peer negotiation */
+ 
+ #include "squid.h"
++#include "sbuf/Stream.h"
+ #include "security/Handshake.h"
+ #if USE_OPENSSL
+ #include "ssl/support.h"
+@@ -104,25 +105,52 @@ public:
+ typedef std::unordered_set<Extension::Type> Extensions;
+ static Extensions SupportedExtensions();
+ 
+-} // namespace Security
+-
+ /// parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion
++/// \retval PROTO_NONE for unsupported values (in relaxed mode)
+ static AnyP::ProtocolVersion
+-ParseProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel = ".version")
++ParseProtocolVersionBase(Parser::BinaryTokenizer &tk, const char *contextLabel, const bool beStrict)
+ {
+ Parser::BinaryTokenizerContext context(tk, contextLabel);
+ uint8_t vMajor = tk.uint8(".major");
+ uint8_t vMinor = tk.uint8(".minor");
++
+ if (vMajor == 0 && vMinor == 2)
+ return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 2, 0);
+ 
+- Must(vMajor == 3);
+- if (vMinor == 0)
+- return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
++ if (vMajor == 3) {
++ if (vMinor == 0)
++ return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
++ return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
++ }
++
++ /* handle unsupported versions */
++
++ const uint16_t vRaw = (vMajor << 8) | vMinor;
++ debugs(83, 7, "unsupported: " << asHex(vRaw));
++ if (beStrict)
++ throw TextException(ToSBuf("unsupported TLS version: ", asHex(vRaw)), Here());
++ // else hide unsupported version details from the caller behind PROTO_NONE
++ return AnyP::ProtocolVersion();
++}
++
++/// parse a framing-related TLS ProtocolVersion
++/// \returns a supported SSL or TLS Anyp::ProtocolVersion, never PROTO_NONE
++static AnyP::ProtocolVersion
++ParseProtocolVersion(Parser::BinaryTokenizer &tk)
++{
++ return ParseProtocolVersionBase(tk, ".version", true);
++}
+ 
+- return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
++/// parse a framing-unrelated TLS ProtocolVersion
++/// \retval PROTO_NONE for unsupported values
++static AnyP::ProtocolVersion
++ParseOptionalProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel)
++{
++ return ParseProtocolVersionBase(tk, contextLabel, false);
+ }
+ 
++} // namespace Security
++
+ Security::TLSPlaintext::TLSPlaintext(Parser::BinaryTokenizer &tk)
+ {
+ Parser::BinaryTokenizerContext context(tk, "TLSPlaintext");
+@@ -431,6 +459,8 @@ Security::HandshakeParser::parseExtensio
+ break;
+ case 16: { // Application-Layer Protocol Negotiation Extension, RFC 7301
+ Parser::BinaryTokenizer tkAPN(extension.data);
++ // Store the entire protocol list, including unsupported-by-Squid
++ // values (if any). We have to use all when peeking at the server.
+ details->tlsAppLayerProtoNeg = tkAPN.pstring16("APN");
+ break;
+ }
+@@ -441,8 +471,9 @@ Security::HandshakeParser::parseExtensio
+ case 43: // supported_versions extension; RFC 8446
+ parseSupportedVersionsExtension(extension.data);
+ break;
+- case 13172: // Next Protocol Negotiation Extension (expired draft?)
+ default:
++ // other extensions, including those that Squid does not support, do
++ // not require special handling here, but see unsupportedExtensions
+ break;
+ }
+ }
+@@ -455,7 +486,7 @@ Security::HandshakeParser::parseCiphers(
+ Parser::BinaryTokenizer tk(raw);
+ while (!tk.atEnd()) {
+ const uint16_t cipher = tk.uint16("cipher");
+- details->ciphers.insert(cipher);
++ details->ciphers.insert(cipher); // including Squid-unsupported ones
+ }
+ }
+ 
+@@ -473,7 +504,7 @@ Security::HandshakeParser::parseV23Ciphe
+ const uint8_t prefix = tk.uint8("prefix");
+ const uint16_t cipher = tk.uint16("cipher");
+ if (prefix == 0)
+- details->ciphers.insert(cipher);
++ details->ciphers.insert(cipher); // including Squid-unsupported ones
+ }
+ }
+ 
+@@ -486,6 +517,7 @@ Security::HandshakeParser::parseServerHe
+ details->tlsSupportedVersion = ParseProtocolVersion(tk);
+ tk.skip(HelloRandomSize, ".random");
+ details->sessionId = tk.pstring8(".session_id");
++ // cipherSuite may be unsupported by a peeking Squid
+ details->ciphers.insert(tk.uint16(".cipher_suite"));
+ details->compressionSupported = tk.uint8(".compression_method") != 0; // not null
+ if (!tk.atEnd()) // extensions present
+@@ -554,12 +586,15 @@ Security::HandshakeParser::parseSupporte
+ Parser::BinaryTokenizer tkList(extensionData);
+ Parser::BinaryTokenizer tkVersions(tkList.pstring8("SupportedVersions"));
+ while (!tkVersions.atEnd()) {
+- const auto version = ParseProtocolVersion(tkVersions, "supported_version");
++ const auto version = ParseOptionalProtocolVersion(tkVersions, "supported_version");
++ // ignore values unsupported by Squid,represented by a falsy version
++ if (!version)
++ continue;
+ if (!supportedVersionMax || TlsVersionEarlierThan(supportedVersionMax, version))
+ supportedVersionMax = version;
+ }
+ 
+- // ignore empty supported_versions
++ // ignore empty and ignored-values-only supported_versions
+ if (!supportedVersionMax)
+ return;
+ 
+@@ -569,7 +604,11 @@ Security::HandshakeParser::parseSupporte
+ } else {
+ assert(messageSource == fromServer);
+ Parser::BinaryTokenizer tkVersion(extensionData);
+- const auto version = ParseProtocolVersion(tkVersion, "selected_version");
++ const auto version = ParseOptionalProtocolVersion(tkVersion, "selected_version");
++ // Ignore values unsupported by Squid. There should not be any until we
++ // start seeing TLS v2+, but they do not affect TLS framing anyway.
++ if (!version)
++ return;
+ // RFC 8446 Section 4.2.1:
+ // A server which negotiates a version of TLS prior to TLS 1.3 [...]
+ // MUST NOT send the "supported_versions" extension. |
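Review bot: In the last inner hunk (@@ -569,7 +604,11 @@), the new `if (!version) return;` in the fromServer branch exits before the RFC 8446 Section 4.2.1 check that the following comment presumably introduces, so a server-selected version that ParseProtocolVersionBase cannot map (any major byte other than 0 or 3, which includes the GREASE values RFC 8701 forbids servers from sending) is now tolerated with only a level-7 debugs() line, and details->tlsSupportedVersion presumably keeps the legacy value set in parseServerHello. That is the intended relaxation for future major versions, but it also silences the one place where a non-conforming server used to be rejected and logged via the old strict Must(). Unless forward compatibility with a hypothetical TLS 2+ is a requirement for this package, the server branch could keep the strict parser, `const auto version = ParseProtocolVersion(tkVersion);` (the strict wrapper no longer accepts a context label, so the "selected_version" label would be lost), or at least report the ignored value at a more visible debug level than 7 before returning. parseSupportedVersionsExtension starts and ends outside this inner hunk, so the code following the RFC comment could not be checked here.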