svn commit: r543526 - in head/www/squid: . files
Renato Botelho
garga at FreeBSD.org
Mon Jul 27 14:50:17 UTC 2020
Author: garga
Date: Mon Jul 27 14:50:15 2020
New Revision: 543526
URL: https://svnweb.freebsd.org/changeset/ports/543526
Log:
www/squid: Update to 4.12 among other changes
- Update to 4.12
- Remove upstreamed patches
- Enhance rc script (thanks to Walter von Entferndt for ideas!):
-- create piddir if missing (/var/run may be a tmpfs)
-- don't wait endlessly if squid can't create a pidfile
-- define squid_group
- address GREASEd TLS handshakes (thanks to Joshua Kinard and Juraj Lutter!)
PR: 247397
Submitted by: Juraj Lutter <juraj at lutter.sk>
Reworked by: maintainer
Approved by: maintainer
MFH: 2020Q3 (bug-fix release)
Sponsored by: Rubicon Communications, LLC (Netgate)
Added:
head/www/squid/files/patch-src_security_Handshake.cc (contents, props changed)
Deleted:
head/www/squid/files/patch-src_acl_external_eDirectory__userip_ext__edirectory__userip__acl.cc
head/www/squid/files/patch-src_acl_external_kerberos__ldap__group_support__krb5.cc
Modified:
head/www/squid/Makefile
head/www/squid/distinfo
head/www/squid/files/patch-configure
head/www/squid/files/squid.in
Modified: head/www/squid/Makefile
==============================================================================
--- head/www/squid/Makefile Mon Jul 27 14:17:20 2020 (r543525)
+++ head/www/squid/Makefile Mon Jul 27 14:50:15 2020 (r543526)
@@ -1,8 +1,7 @@
# $FreeBSD$
PORTNAME= squid
-PORTVERSION= 4.11
-PORTREVISION= 2
+PORTVERSION= 4.12
CATEGORIES= www
MASTER_SITES= http://www.squid-cache.org/Versions/v4/ \
http://www2.us.squid-cache.org/Versions/v4/ \
Modified: head/www/squid/distinfo
==============================================================================
--- head/www/squid/distinfo Mon Jul 27 14:17:20 2020 (r543525)
+++ head/www/squid/distinfo Mon Jul 27 14:50:15 2020 (r543526)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1588493552
-SHA256 (squid-4.11.tar.xz) = 4ed947612410263f57ad0e39bfd087e60fb714f028d7d3b0e469943efd34287d
-SIZE (squid-4.11.tar.xz) = 2447700
+TIMESTAMP = 1592288810
+SHA256 (squid-4.12.tar.xz) = f42a03c8b3dc020722c88bf1a87da8cb0c087b2f66b41d8256c77ee1b527e317
+SIZE (squid-4.12.tar.xz) = 2450564
Modified: head/www/squid/files/patch-configure
==============================================================================
--- head/www/squid/files/patch-configure Mon Jul 27 14:17:20 2020 (r543525)
+++ head/www/squid/files/patch-configure Mon Jul 27 14:50:15 2020 (r543526)
@@ -1,6 +1,6 @@
---- configure.orig 2020-04-19 12:39:06 UTC
+--- configure.orig 2020-06-09 07:15:48 UTC
+++ configure
-@@ -35077,7 +35077,7 @@ done
+@@ -35092,7 +35092,7 @@ done
##
BUILD_HELPER="NIS"
@@ -9,7 +9,7 @@
do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "
-@@ -35092,8 +35092,10 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
+@@ -35107,8 +35107,10 @@ if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
_ACEOF
@@ -22,7 +22,7 @@
fi
done
-@@ -35566,7 +35568,7 @@ done
+@@ -35581,7 +35583,7 @@ done
# unconditionally requires crypt(3), for now
if test "x$ac_cv_func_crypt" != "x"; then
@@ -31,7 +31,7 @@
do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_cxx_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
-@@ -37958,7 +37960,7 @@ for ac_header in \
+@@ -37973,7 +37975,7 @@ for ac_header in \
arpa/nameser.h \
assert.h \
bstring.h \
@@ -40,7 +40,7 @@
ctype.h \
direct.h \
errno.h \
-@@ -38166,6 +38168,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header"
+@@ -38181,6 +38183,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header"
#include <netinet/ip.h>
#endif
#if HAVE_NETINET_IP_COMPAT_H
@@ -48,7 +48,7 @@
#include <netinet/ip_compat.h>
#endif
#if HAVE_NETINET_IP_FIL_H
-@@ -42213,6 +42216,7 @@ if test "x$enable_ipf_transparent" != "xno" ; then
+@@ -42228,6 +42231,7 @@ if test "x$enable_ipf_transparent" != "xno" ; then
# include <sys/ioccom.h>
# include <netinet/in.h>
@@ -56,7 +56,7 @@
# include <netinet/ip_compat.h>
# include <netinet/ip_fil.h>
# include <netinet/ip_nat.h>
-@@ -42243,6 +42247,7 @@ else
+@@ -42258,6 +42262,7 @@ else
# include <sys/ioccom.h>
# include <netinet/in.h>
#undef minor_t
@@ -64,7 +64,7 @@
# include <netinet/ip_compat.h>
# include <netinet/ip_fil.h>
# include <netinet/ip_nat.h>
-@@ -42287,6 +42292,7 @@ _ACEOF
+@@ -42302,6 +42307,7 @@ _ACEOF
ip_fil_compat.h \
ip_fil.h \
ip_nat.h \
@@ -72,7 +72,7 @@
netinet/ip_compat.h \
netinet/ip_fil_compat.h \
netinet/ip_fil.h \
-@@ -42316,6 +42322,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header"
+@@ -42331,6 +42337,7 @@ ac_fn_cxx_check_header_compile "$LINENO" "$ac_header"
#if HAVE_IP_COMPAT_H
#include <ip_compat.h>
#elif HAVE_NETINET_IP_COMPAT_H
@@ -80,13 +80,3 @@
#include <netinet/ip_compat.h>
#endif
#if HAVE_IP_FIL_H
-@@ -42379,8 +42386,7 @@ _ACEOF
-
-
- fi
--ac_fn_cxx_check_member "$LINENO" "struct natlookup" "nl_realipaddr.in6"
-- "ac_cv_member_struct_natlookup_nl_realipaddr_in6___" "
-+ac_fn_cxx_check_member "$LINENO" "struct natlookup" "nl_realipaddr.in6" "ac_cv_member_struct_natlookup_nl_realipaddr_in6___" "
- #if USE_SOLARIS_IPFILTER_MINOR_T_HACK
- #define minor_t fubar
- #endif
Added: head/www/squid/files/patch-src_security_Handshake.cc
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/www/squid/files/patch-src_security_Handshake.cc Mon Jul 27 14:50:15 2020 (r543526)
@@ -0,0 +1,147 @@
+--- src/security/Handshake.cc.orig 2020-06-07 15:42:16 UTC
++++ src/security/Handshake.cc
+@@ -9,6 +9,7 @@
+ /* DEBUG: section 83 SSL-Bump Server/Peer negotiation */
+
+ #include "squid.h"
++#include "sbuf/Stream.h"
+ #include "security/Handshake.h"
+ #if USE_OPENSSL
+ #include "ssl/support.h"
+@@ -104,25 +105,52 @@ class Extension (public)
+ typedef std::unordered_set<Extension::Type> Extensions;
+ static Extensions SupportedExtensions();
+
+-} // namespace Security
+-
+ /// parse TLS ProtocolVersion (uint16) and convert it to AnyP::ProtocolVersion
++/// \retval PROTO_NONE for unsupported values (in relaxed mode)
+ static AnyP::ProtocolVersion
+-ParseProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel = ".version")
++ParseProtocolVersionBase(Parser::BinaryTokenizer &tk, const char *contextLabel, const bool beStrict)
+ {
+ Parser::BinaryTokenizerContext context(tk, contextLabel);
+ uint8_t vMajor = tk.uint8(".major");
+ uint8_t vMinor = tk.uint8(".minor");
++
+ if (vMajor == 0 && vMinor == 2)
+ return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 2, 0);
+
+- Must(vMajor == 3);
+- if (vMinor == 0)
+- return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
++ if (vMajor == 3) {
++ if (vMinor == 0)
++ return AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0);
++ return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
++ }
+
+- return AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, (vMinor - 1));
++ /* handle unsupported versions */
++
++ const uint16_t vRaw = (vMajor << 8) | vMinor;
++ debugs(83, 7, "unsupported: " << asHex(vRaw));
++ if (beStrict)
++ throw TextException(ToSBuf("unsupported TLS version: ", asHex(vRaw)), Here());
++ // else hide unsupported version details from the caller behind PROTO_NONE
++ return AnyP::ProtocolVersion();
+ }
+
++/// parse a framing-related TLS ProtocolVersion
++/// \returns a supported SSL or TLS Anyp::ProtocolVersion, never PROTO_NONE
++static AnyP::ProtocolVersion
++ParseProtocolVersion(Parser::BinaryTokenizer &tk)
++{
++ return ParseProtocolVersionBase(tk, ".version", true);
++}
++
++/// parse a framing-unrelated TLS ProtocolVersion
++/// \retval PROTO_NONE for unsupported values
++static AnyP::ProtocolVersion
++ParseOptionalProtocolVersion(Parser::BinaryTokenizer &tk, const char *contextLabel)
++{
++ return ParseProtocolVersionBase(tk, contextLabel, false);
++}
++
++} // namespace Security
++
+ Security::TLSPlaintext::TLSPlaintext(Parser::BinaryTokenizer &tk)
+ {
+ Parser::BinaryTokenizerContext context(tk, "TLSPlaintext");
+@@ -431,6 +459,8 @@ Security::HandshakeParser::parseExtensions(const SBuf
+ break;
+ case 16: { // Application-Layer Protocol Negotiation Extension, RFC 7301
+ Parser::BinaryTokenizer tkAPN(extension.data);
++ // Store the entire protocol list, including unsupported-by-Squid
++ // values (if any). We have to use all when peeking at the server.
+ details->tlsAppLayerProtoNeg = tkAPN.pstring16("APN");
+ break;
+ }
+@@ -441,8 +471,9 @@ Security::HandshakeParser::parseExtensions(const SBuf
+ case 43: // supported_versions extension; RFC 8446
+ parseSupportedVersionsExtension(extension.data);
+ break;
+- case 13172: // Next Protocol Negotiation Extension (expired draft?)
+ default:
++ // other extensions, including those that Squid does not support, do
++ // not require special handling here, but see unsupportedExtensions
+ break;
+ }
+ }
+@@ -455,7 +486,7 @@ Security::HandshakeParser::parseCiphers(const SBuf &ra
+ Parser::BinaryTokenizer tk(raw);
+ while (!tk.atEnd()) {
+ const uint16_t cipher = tk.uint16("cipher");
+- details->ciphers.insert(cipher);
++ details->ciphers.insert(cipher); // including Squid-unsupported ones
+ }
+ }
+
+@@ -473,7 +504,7 @@ Security::HandshakeParser::parseV23Ciphers(const SBuf
+ const uint8_t prefix = tk.uint8("prefix");
+ const uint16_t cipher = tk.uint16("cipher");
+ if (prefix == 0)
+- details->ciphers.insert(cipher);
++ details->ciphers.insert(cipher); // including Squid-unsupported ones
+ }
+ }
+
+@@ -486,6 +517,7 @@ Security::HandshakeParser::parseServerHelloHandshakeMe
+ details->tlsSupportedVersion = ParseProtocolVersion(tk);
+ tk.skip(HelloRandomSize, ".random");
+ details->sessionId = tk.pstring8(".session_id");
++ // cipherSuite may be unsupported by a peeking Squid
+ details->ciphers.insert(tk.uint16(".cipher_suite"));
+ details->compressionSupported = tk.uint8(".compression_method") != 0; // not null
+ if (!tk.atEnd()) // extensions present
+@@ -554,12 +586,15 @@ Security::HandshakeParser::parseSupportedVersionsExten
+ Parser::BinaryTokenizer tkList(extensionData);
+ Parser::BinaryTokenizer tkVersions(tkList.pstring8("SupportedVersions"));
+ while (!tkVersions.atEnd()) {
+- const auto version = ParseProtocolVersion(tkVersions, "supported_version");
++ const auto version = ParseOptionalProtocolVersion(tkVersions, "supported_version");
++ // ignore values unsupported by Squid,represented by a falsy version
++ if (!version)
++ continue;
+ if (!supportedVersionMax || TlsVersionEarlierThan(supportedVersionMax, version))
+ supportedVersionMax = version;
+ }
+
+- // ignore empty supported_versions
++ // ignore empty and ignored-values-only supported_versions
+ if (!supportedVersionMax)
+ return;
+
+@@ -569,7 +604,11 @@ Security::HandshakeParser::parseSupportedVersionsExten
+ } else {
+ assert(messageSource == fromServer);
+ Parser::BinaryTokenizer tkVersion(extensionData);
+- const auto version = ParseProtocolVersion(tkVersion, "selected_version");
++ const auto version = ParseOptionalProtocolVersion(tkVersion, "selected_version");
++ // Ignore values unsupported by Squid. There should not be any until we
++ // start seeing TLS v2+, but they do not affect TLS framing anyway.
++ if (!version)
++ return;
+ // RFC 8446 Section 4.2.1:
+ // A server which negotiates a version of TLS prior to TLS 1.3 [...]
+ // MUST NOT send the "supported_versions" extension.
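Review bot: The new patch file has no provenance header, so nothing in patch-src_security_Handshake.cc records where this 147-line change to ParseProtocolVersionBase and parseSupportedVersionsExtension came from or when it can be dropped, even though this same commit deletes two patches precisely because they were upstreamed. patch(1) ignores free text ahead of the first `---` line, so a header such as `Tolerate unsupported (e.g. GREASE) TLS version values in supported_versions instead of throwing. Obtained from: upstream Squid (fill in the upstream commit or bug reference); see PR 247397.` costs nothing and keeps the next update honest. The split itself looks right — only the framing-unrelated version fields get the lenient `ParseOptionalProtocolVersion`, while `ParseProtocolVersion` stays strict and still throws on bad record/hello versions — but that this is a verbatim upstream backport is an inference from the hunk, not something the patch states. Minor: the comment `// ignore values unsupported by Squid,represented by a falsy version` is missing a space after the comma.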
Modified: head/www/squid/files/squid.in
==============================================================================
--- head/www/squid/files/squid.in Mon Jul 27 14:17:20 2020 (r543525)
+++ head/www/squid/files/squid.in Mon Jul 27 14:50:15 2020 (r543526)
@@ -29,6 +29,14 @@
# you want to run Squid in reverse proxy setups or if you want
# Squid to listen on a "privileged" port < 1024.
#
+# squid_group: The group id that should be used to run the Squid master
+# process. Default: squid
+# Note that it affects squid pid dir also, where SHM files
+# may be stored on some OS (see r391555)
+#
+# squid_maxwait: Seconds to wait for squid PID file
+# Default: 10
+#
# squid_pidfile:
# The name (including the full path) of the Squid
# master process' PID file.
@@ -74,7 +82,9 @@ squid_load_rc_config()
: ${squid_enable:=NO}
: ${squid_program:=%%PREFIX%%/sbin/squid}
: ${squid_pidfile:=/var/run/squid/squid.pid}
+ : ${squid_maxwait:=10}
: ${squid_user:=squid}
+ : ${squid_group:=squid}
required_args="-f ${squid_conf}"
required_dirs=$chdir
@@ -87,6 +97,13 @@ squid_load_rc_config()
squid_prestart()
{
+ # create piddir if it's missing (for example if /var/run is tmpfs)
+ squid_piddir=${pidfile%/*}
+ if [ ! -d "${squid_piddir}" ]; then
+ echo "Creating PID directory ${squid_piddir}"
+ mkdir ${squid_piddir} && chown ${squid_user}:${squid_group} ${squid_piddir} && chmod 750 ${squid_piddir}|| return $?
+ fi
+
# setup KRB5_KTNAME:
squid_krb5_ktname=${squid_krb5_ktname:-"NONE"}
if [ "${squid_krb5_ktname}" != "NONE" ]; then
@@ -137,8 +154,15 @@ squid_getpid()
# retrieve the PID of the Squid master process explicitly here
# in case rc.subr was unable to determine it:
if [ -z "$rc_pid" ]; then
+ squid_secs=0
while ! [ -f ${pidfile} ]; do
+ if [ ${squid_maxwait} -le ${squid_secs} ]; then
+ echo "give up waiting for pidfile"
+ break
+ fi
sleep 1
+ echo -n "."
+ : $(( squid_secs+=1 ))
done
read _pid _junk <${pidfile}
[ -z "${_pid}" ] || pid=${_pid}