authorotis <otis@pkgsrc.org>2020-07-09 20:57:11 +0000
committerotis <otis@pkgsrc.org>2020-07-09 20:57:11 +0000
commit6ef4454024088b488bdb6277722c5e0bbbcd7c63 (patch)
tree8eaa17b594de478e5c2749809da3dd1e00d707a4 /www
parent16e223db8eb3743b057a961a4985888362234ecd (diff)
downloadpkgsrc-6ef4454024088b488bdb6277722c5e0bbbcd7c63.tar.gz
squid4: Fix build and SSL handshake on Chromium-based browsers
Changes: - Fix an error where strings.h was not properly included - Add SMF support on appropriate platforms - Backport https://github.com/squid-cache/squid/pull/663: SslBump: Support parsing GREASEd (and future) TLS handshakes
Diffstat (limited to 'www')
-rw-r--r--www/squid4/Makefile4
-rw-r--r--www/squid4/distinfo4
-rw-r--r--www/squid4/files/smf/manifest.xml28
-rw-r--r--www/squid4/patches/patch-src_esi_VarState.cc16
-rw-r--r--www/squid4/patches/patch-src_security_Handshake.cc157
5 files changed, 207 insertions, 2 deletions
diff --git a/www/squid4/Makefile b/www/squid4/Makefile
index 7d1ee22f9a6..8ee3b9df349 100644
--- a/www/squid4/Makefile
+++ b/www/squid4/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.10 2020/06/19 13:44:28 taca Exp $
+# $NetBSD: Makefile,v 1.11 2020/07/09 20:57:11 otis Exp $
DISTNAME= squid-4.12
+PKGREVISION= 1
CATEGORIES= www
MASTER_SITES= http://www.squid-cache.org/Versions/v4/
MASTER_SITES+= ftp://ftp.squid-cache.org/pub/squid/
@@ -70,6 +71,7 @@ SPECIAL_PERMS+= libexec/pinger ${SETUID_ROOT_PERMS}
RCD_SCRIPTS= squid
RCD_SCRIPT_SRC.squid= files/squid.sh
+SMF_NAME= squid
SUBST_CLASSES+= confs
SUBST_STAGE.confs= pre-configure
diff --git a/www/squid4/distinfo b/www/squid4/distinfo
index 54b0bede2d0..eafb30ca448 100644
--- a/www/squid4/distinfo
+++ b/www/squid4/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.7 2020/06/19 13:44:28 taca Exp $
+$NetBSD: distinfo,v 1.8 2020/07/09 20:57:11 otis Exp $
SHA1 (squid-4.12.tar.xz) = 316b8a343aa542b5e7469d33b9d726bee00679c6
RMD160 (squid-4.12.tar.xz) = 5d593efe84ca34c39a21bab523e75621dec4e9bb
@@ -10,5 +10,7 @@ SHA1 (patch-errors_Makefile.in) = 84cbf5c836f02ed5fbfff140888c6d3aadeac326
SHA1 (patch-src_Makefile.in) = afc5aefd97c46d1ffab43e97aeaeade3a5a8c648
SHA1 (patch-src_acl_external_kerberos__ldap__group_support__resolv.cc) = 0ea41d55e32d689a16e012391a9eea67631daf3a
SHA1 (patch-src_comm_ModKqueue.cc) = d8c5d235f07a48731275101d60fcbf2e22f77b96
+SHA1 (patch-src_esi_VarState.cc) = d9418e59cdc390b2d970195167a99bb7ed392c38
SHA1 (patch-src_fs_ufs_RebuildState.h) = 76ee5c437b3dad05e428ae89cd5af6c052a40e59
+SHA1 (patch-src_security_Handshake.cc) = 5c48ab63e7e387ff14e3a0a2d9cddfeef66782ec
SHA1 (patch-tools_Makefile.in) = d098c0c9dc4af577f74e562d99f07ed98be5ae01
diff --git a/www/squid4/files/smf/manifest.xml b/www/squid4/files/smf/manifest.xml
new file mode 100644
index 00000000000..63dc285a7ec
--- /dev/null
+++ b/www/squid4/files/smf/manifest.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0"?>
+<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+<service_bundle type="manifest" name="export">
+ <service name="@SMF_PREFIX@/@SMF_NAME@" type="service" version="1">
+ <create_default_instance enabled="false" />
+ <single_instance />
+ <dependency name="network" grouping="require_all" restart_on="error" type="service">
+ <service_fmri value="svc:/milestone/network:default" />
+ </dependency>
+ <dependency name="filesystem" grouping="require_all" restart_on="error" type="service">
+ <service_fmri value="svc:/system/filesystem/local" />
+ </dependency>
+ <exec_method type="method" name="start" exec="@PREFIX@/sbin/squid -f %{config_file}" timeout_seconds="60" />
+ <exec_method type="method" name="stop" exec="@PREFIX@/sbin/squid -k shutdown" timeout_seconds="120" />
+ <property_group name="startd" type="framework">
+ <propval name="duration" type="astring" value="contract" />
+ <propval name="ignore_error" type="astring" value="core,signal" />
+ </property_group>
+ <property_group name="application" type="application">
+ <propval name="config_file" type="astring" value="@PKG_SYSCONFDIR@/squid.conf" />
+ </property_group>
+ <template>
+ <common_name>
+ <loctext xml:lang="C">squid daemon</loctext>
+ </common_name>
+ </template>
+ </service>
+</service_bundle>
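Review bot: The stop method on the `exec_method name="stop"` line runs `@PREFIX@/sbin/squid -k shutdown` without `-f %{config_file}`, while the start method on the line above does pass it; `squid -k` parses a configuration file to find the running instance, so if an operator overrides the `application/config_file` property the stop method would presumably still read the default `@PKG_SYSCONFDIR@/squid.conf` and could signal the wrong instance or none, leaving squid running until the 120 s timeout. Make both methods agree: `exec="@PREFIX@/sbin/squid -f %{config_file} -k shutdown"`. No `method_context` is declared, so the daemon starts with the framework's default credentials; if that is intentional because squid is expected to drop privileges itself, a short XML comment next to the start method saying so would spare the next maintainer the question, as would one explaining why `ignore_error` is set to `core,signal`.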
diff --git a/www/squid4/patches/patch-src_esi_VarState.cc b/www/squid4/patches/patch-src_esi_VarState.cc
new file mode 100644
index 00000000000..926ecff2096
--- /dev/null
+++ b/www/squid4/patches/patch-src_esi_VarState.cc
@@ -0,0 +1,16 @@
+$NetBSD: patch-src_esi_VarState.cc,v 1.1 2020/07/09 20:57:11 otis Exp $
+
+Fix undeclared index() by including the proper header file.
+
+--- src/esi/VarState.cc.orig 2020-07-09 19:37:38.879095702 +0000
++++ src/esi/VarState.cc
+@@ -12,6 +12,9 @@
+ #include "esi/VarState.h"
+ #include "fatal.h"
+ #include "HttpReply.h"
++#if HAVE_STRINGS_H
++#include <strings.h>
++#endif
+
+ char const *ESIVariableUserAgent::esiUserOs[]= {
+ "WIN",
diff --git a/www/squid4/patches/patch-src_security_Handshake.cc b/www/squid4/patches/patch-src_security_Handshake.cc
new file mode 100644
index 00000000000..4aaa6e0ff12
--- /dev/null
+++ b/www/squid4/patches/patch-src_security_Handshake.cc
@@ -0,0 +1,157 @@
+$NetBSD: patch-src_security_Handshake.cc,v 1.1 2020/07/09 20:57:11 otis Exp $
+
+Address:
+https://github.com/squid-cache/squid/pull/663
+https://www.spinics.net/lists/squid/msg92728.html
+https://www.spinics.net/lists/squid/msg92814.html
+
+See also:
+https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247397
+
+--- src/security/Handshake.cc.orig 2020-07-09 19:09:34.152270307 +0000
++++ src/security/Handshake.cc
+@@ -9,6 +9,7 @@
+ /* DEBUG: section 83 SSL-Bump Server/Peer negotiation */
+
+ #include "squid.h"
++#include "sbuf/Stream.h"
+ #include "security/Handshake.h"
+ #if USE_OPENSSL
+ #include "ssl/support.h"
+@@ -104,25 +105,52 @@ public:
+ typedef std::unordered_set<Extension::Type> Extensions;
+ static Extensions SupportedExtensions();
+
+-} // namespace Security
+-
+ /// parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion
++/// \retval PROTO_NONE for unsupported values (in relaxed mode)
+ static AnyP::ProtocolVersion
+-ParseProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel = ".version")
++ParseProtocolVersionBase(Parser::BinaryTokenizer &tk, const char *contextLabel, const bool beStrict)
+ {
+ Parser::BinaryTokenizerContext context(tk, contextLabel);
+ uint8_t vMajor = tk.uint8(".major");
+ uint8_t vMinor = tk.uint8(".minor");
++
+ if (vMajor == 0 && vMinor == 2)
+ return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 2, 0);
+
+- Must(vMajor == 3);
+- if (vMinor == 0)
+- return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
++ if (vMajor == 3) {
++ if (vMinor == 0)
++ return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
++ return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
++ }
++
++ /* handle unsupported versions */
++
++ const uint16_t vRaw = (vMajor << 8) | vMinor;
++ debugs(83, 7, "unsupported: " << asHex(vRaw));
++ if (beStrict)
++ throw TextException(ToSBuf("unsupported TLS version: ", asHex(vRaw)), Here());
++ // else hide unsupported version details from the caller behind PROTO_NONE
++ return AnyP::ProtocolVersion();
++}
++
++/// parse a framing-related TLS ProtocolVersion
++/// \returns a supported SSL or TLS Anyp::ProtocolVersion, never PROTO_NONE
++static AnyP::ProtocolVersion
++ParseProtocolVersion(Parser::BinaryTokenizer &tk)
++{
++ return ParseProtocolVersionBase(tk, ".version", true);
++}
+
+- return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
++/// parse a framing-unrelated TLS ProtocolVersion
++/// \retval PROTO_NONE for unsupported values
++static AnyP::ProtocolVersion
++ParseOptionalProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel)
++{
++ return ParseProtocolVersionBase(tk, contextLabel, false);
+ }
+
++} // namespace Security
++
+ Security::TLSPlaintext::TLSPlaintext(Parser::BinaryTokenizer &tk)
+ {
+ Parser::BinaryTokenizerContext context(tk, "TLSPlaintext");
+@@ -431,6 +459,8 @@ Security::HandshakeParser::parseExtensio
+ break;
+ case 16: { // Application-Layer Protocol Negotiation Extension, RFC 7301
+ Parser::BinaryTokenizer tkAPN(extension.data);
++ // Store the entire protocol list, including unsupported-by-Squid
++ // values (if any). We have to use all when peeking at the server.
+ details->tlsAppLayerProtoNeg = tkAPN.pstring16("APN");
+ break;
+ }
+@@ -441,8 +471,9 @@ Security::HandshakeParser::parseExtensio
+ case 43: // supported_versions extension; RFC 8446
+ parseSupportedVersionsExtension(extension.data);
+ break;
+- case 13172: // Next Protocol Negotiation Extension (expired draft?)
+ default:
++ // other extensions, including those that Squid does not support, do
++ // not require special handling here, but see unsupportedExtensions
+ break;
+ }
+ }
+@@ -455,7 +486,7 @@ Security::HandshakeParser::parseCiphers(
+ Parser::BinaryTokenizer tk(raw);
+ while (!tk.atEnd()) {
+ const uint16_t cipher = tk.uint16("cipher");
+- details->ciphers.insert(cipher);
++ details->ciphers.insert(cipher); // including Squid-unsupported ones
+ }
+ }
+
+@@ -473,7 +504,7 @@ Security::HandshakeParser::parseV23Ciphe
+ const uint8_t prefix = tk.uint8("prefix");
+ const uint16_t cipher = tk.uint16("cipher");
+ if (prefix == 0)
+- details->ciphers.insert(cipher);
++ details->ciphers.insert(cipher); // including Squid-unsupported ones
+ }
+ }
+
+@@ -486,6 +517,7 @@ Security::HandshakeParser::parseServerHe
+ details->tlsSupportedVersion = ParseProtocolVersion(tk);
+ tk.skip(HelloRandomSize, ".random");
+ details->sessionId = tk.pstring8(".session_id");
++ // cipherSuite may be unsupported by a peeking Squid
+ details->ciphers.insert(tk.uint16(".cipher_suite"));
+ details->compressionSupported = tk.uint8(".compression_method") != 0; // not null
+ if (!tk.atEnd()) // extensions present
+@@ -554,12 +586,15 @@ Security::HandshakeParser::parseSupporte
+ Parser::BinaryTokenizer tkList(extensionData);
+ Parser::BinaryTokenizer tkVersions(tkList.pstring8("SupportedVersions"));
+ while (!tkVersions.atEnd()) {
+- const auto version = ParseProtocolVersion(tkVersions, "supported_version");
++ const auto version = ParseOptionalProtocolVersion(tkVersions, "supported_version");
++ // ignore values unsupported by Squid,represented by a falsy version
++ if (!version)
++ continue;
+ if (!supportedVersionMax || TlsVersionEarlierThan(supportedVersionMax, version))
+ supportedVersionMax = version;
+ }
+
+- // ignore empty supported_versions
++ // ignore empty and ignored-values-only supported_versions
+ if (!supportedVersionMax)
+ return;
+
+@@ -569,7 +604,11 @@ Security::HandshakeParser::parseSupporte
+ } else {
+ assert(messageSource == fromServer);
+ Parser::BinaryTokenizer tkVersion(extensionData);
+- const auto version = ParseProtocolVersion(tkVersion, "selected_version");
++ const auto version = ParseOptionalProtocolVersion(tkVersion, "selected_version");
++ // Ignore values unsupported by Squid. There should not be any until we
++ // start seeing TLS v2+, but they do not affect TLS framing anyway.
++ if (!version)
++ return;
+ // RFC 8446 Section 4.2.1:
+ // A server which negotiates a version of TLS prior to TLS 1.3 [...]
+ // MUST NOT send the "supported_versions" extension.
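Review bot: `ParseProtocolVersionBase` maps every `vMajor == 3` value with `vMinor >= 1` to a supported `TLS 1.(vMinor - 1)` with no upper bound, so the new unsupported path (PROTO_NONE, or the strict-mode `TextException`) is taken only for other majors such as GREASE `0x?A?A`; a hypothetical `0x0305` in `supported_versions` would be accepted as "TLS 1.4" and could become `supportedVersionMax`, which the comment near `selected_version` ("until we start seeing TLS v2+") seems to acknowledge but the function's doc comment does not. Whether that has any effect depends on `TlsVersionEarlierThan` and the consumers of `tlsSupportedVersion` outside this patch, so I would at least document it on the helper: `/// \note any 0x03xx value with minor >= 1 maps to TLS 1.(minor-1), even versions Squid does not implement; only other majors take the unsupported path`. Since this is a backport, the patch header should also record the upstream commit hash the pull request merged as and the Squid release that carries it, so the local copy can be checked against upstream and dropped on the next update.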