From 22a11a4a8b6f73f9ba9abe9490f09f5628b42b6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 5 Feb 2025 18:12:27 +0100 Subject: [PATCH 1/9] Source URL change Use the GitHub URL as the source URL instead of the obsolete one. --- squid.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/squid.spec b/squid.spec index d73d7be..dbdcc3a 100644 --- a/squid.spec +++ b/squid.spec @@ -1,4 +1,5 @@ %define __perl_requires %{SOURCE98} +%define version_underscore %(echo %{version} | tr '.' '_') Name: squid Version: 6.13 @@ -9,8 +10,8 @@ Epoch: 7 License: GPL-2.0-or-later AND (LGPL-2.0-or-later AND MIT AND BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND LicenseRef-Fedora-Public-Domain AND Beerware) URL: http://www.squid-cache.org -Source0: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz -Source1: http://www.squid-cache.org/Versions/v6/squid-%{version}.tar.xz.asc +Source0: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz +Source1: https://github.com/squid-cache/squid/releases/download/SQUID_%{version_underscore}/squid-%{version}.tar.xz.asc Source2: http://www.squid-cache.org/pgp.asc Source3: squid.logrotate Source4: squid.sysconfig From 3f92dc8816e1639138e4fcb01ac2d293dc49ff8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Thu, 10 Apr 2025 14:34:13 +0200 Subject: [PATCH 2/9] Do not blame cache_peer for 4xx CONNECT responses --- squid-6.13-cache-peer-connect-errors.patch | 287 +++++++++++++++++++++ squid.spec | 16 +- 2 files changed, 297 insertions(+), 6 deletions(-) create mode 100644 squid-6.13-cache-peer-connect-errors.patch diff --git a/squid-6.13-cache-peer-connect-errors.patch b/squid-6.13-cache-peer-connect-errors.patch new file mode 100644 index 0000000..339d9ec --- /dev/null +++ b/squid-6.13-cache-peer-connect-errors.patch 
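Review bot: The new `%define version_underscore %(echo %{version} | tr '.' '_')` in the first squid.spec hunk sits above the `Version:` line and, as far as I can tell, only works because `%define` expands its body lazily at the `%{version_underscore}` use in Source0/Source1; turning it into a `%global` (expanded at definition time) would run the shell snippet before Version is known. A one-line comment above it would protect that, e.g. `# GitHub release tags spell the version with underscores (SQUID_6_13); keep %define so %{version} is resolved at use`. The URL move itself does not change the integrity story visible here: the tarball stays pinned by the SHA512 in `sources` and Source1 still fetches the detached signature, while whether that signature is checked against Source2 in %prep is outside this patch.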
@@ -0,0 +1,287 @@ +From 2e7dea3cedd3ef2f071dee82867c4147f17376dd Mon Sep 17 00:00:00 2001 +From: Alex Rousskov +Date: Tue, 2 Apr 2024 20:37:31 +0000 +Subject: [PATCH] Do not blame cache_peer for CONNECT errors (#1772) + + ERROR: Connection to [such-and-such-cache_peer] failed + TCP_TUNNEL/503 CONNECT nxdomain.test:443 FIRSTUP_PARENT + +Squid does not alert an admin about (and decrease health level of) a +cache_peer that responded with an error to a GET request. Just like GET +responses from a cache_peer, CONNECT responses may (and often do!) +reflect client or origin server failures. We should not penalize +cache_peers (and alert admins) until we can distinguish these frequent +client/origin failures from (relatively rare) cache_peer problems. This +change absolves cache_peers of CONNECT problems, restoring parity with +GETs and restoring v4 behavior changed (probably by accident) in v5. + +Also removed Http::StatusCode parameter from failure notification +functions because it became essentially unused after the primary +Http::Tunneler changes. Tunneler was the only source of status code +information that (in some cases) used received HTTP response to compute +that status code. All other cases extracted that status code from +Squid-generated errors. Those errors were arguably never meant to supply +status code information for "this failure is not our fault" decision, +and they do not supply 4xx status codes driving that decision. + +### Problem evolution + +2019 commit f5e1794 effectively started blaming cache_peer for all +FwdState CONNECT errors. That functionality change was probably +accidental, likely influenced by the names of noteConnectFailure() and +peerConnectFailed() functions that abbreviated "Connection", making the +functions look as applicable to CONNECT failures. Prior to that commit, +the functions were never used for CONNECT errors. After it, FwdState +started calling peerConnectFailed() for all CONNECT failures. 
+ +In 2020 commit 25b0ce4, TunnelStateData started blaming cache_peers as +well (by moving that FwdState-only error handling code into Tunneler). +The same "accidental functionality change" speculations apply here. + +In 2022 commit 022dbab, we made an exception for 4xx CONNECT errors as +folks deploying newer code started complaining about cache_peers getting +blamed for client-caused errors (e.g., HTTP 403 Forbidden replies). We +did not realize that the blaming code itself was an unwanted accident. + +Now we are getting complaints about cache_peers getting blamed for 502 +and 503 CONNECT errors caused by, for example, domain names without IPs: +As these CONNECT error responses are propagated from parent to child +caches, every child cache in the chain logs ERRORs and every cache_peer +in the chain gets its health counter decreased! +--- + src/CachePeer.cc | 11 +---------- + src/CachePeer.h | 12 +++++------- + src/HappyConnOpener.cc | 2 +- + src/PeerPoolMgr.cc | 2 +- + src/clients/HttpTunneler.cc | 10 ++++++---- + src/clients/HttpTunneler.h | 2 +- + src/neighbors.cc | 2 +- + src/security/BlindPeerConnector.cc | 2 +- + src/security/PeerConnector.cc | 8 ++++---- + src/security/PeerConnector.h | 2 +- + src/tests/stub_libsecurity.cc | 2 +- + 11 files changed, 23 insertions(+), 32 deletions(-) + +diff --git a/src/CachePeer.cc b/src/CachePeer.cc +index a5c3adf..91045ef 100644 +--- a/src/CachePeer.cc ++++ b/src/CachePeer.cc +@@ -68,20 +68,11 @@ CachePeer::noteSuccess() + } + } + +-void +-CachePeer::noteFailure(const Http::StatusCode code) +-{ +- if (Http::Is4xx(code)) +- return; // this failure is not our fault +- +- countFailure(); +-} +- + // TODO: Require callers to detail failures instead of using one (and often + // misleading!) "connection failed" phrase for all of them. 
+ /// noteFailure() helper for handling failures attributed to this peer + void +-CachePeer::countFailure() ++CachePeer::noteFailure() + { + stats.last_connect_failure = squid_curtime; + if (tcp_up > 0) +diff --git a/src/CachePeer.h b/src/CachePeer.h +index 5b13e29..14e40ff 100644 +--- a/src/CachePeer.h ++++ b/src/CachePeer.h +@@ -38,9 +38,8 @@ public: + /// reacts to a successful establishment of a connection to this cache_peer + void noteSuccess(); + +- /// reacts to a failure on a connection to this cache_peer +- /// \param code a received response status code, if any +- void noteFailure(Http::StatusCode code); ++ /// reacts to a failed attempt to establish a connection to this cache_peer ++ void noteFailure(); + + /// (re)configure cache_peer name=value + void rename(const char *); +@@ -238,14 +237,13 @@ NoteOutgoingConnectionSuccess(CachePeer * const peer) + peer->noteSuccess(); + } + +-/// reacts to a failure on a connection to an origin server or cache_peer ++/// reacts to a failed attempt to establish a connection to an origin server or cache_peer + /// \param peer nil if the connection is to an origin server +-/// \param code a received response status code, if any + inline void +-NoteOutgoingConnectionFailure(CachePeer * const peer, const Http::StatusCode code) ++NoteOutgoingConnectionFailure(CachePeer * const peer) + { + if (peer) +- peer->noteFailure(code); ++ peer->noteFailure(); + } + + /// identify the given cache peer in cache.log messages and such +diff --git a/src/HappyConnOpener.cc b/src/HappyConnOpener.cc +index 5ab9294..5e17a76 100644 +--- a/src/HappyConnOpener.cc ++++ b/src/HappyConnOpener.cc +@@ -638,7 +638,7 @@ HappyConnOpener::handleConnOpenerAnswer(Attempt &attempt, const CommConnectCbPar + lastError = makeError(ERR_CONNECT_FAIL); + lastError->xerrno = params.xerrno; + +- NoteOutgoingConnectionFailure(params.conn->getPeer(), lastError->httpStatus); ++ NoteOutgoingConnectionFailure(params.conn->getPeer()); + + if (spareWaiting) + 
updateSpareWaitAfterPrimeFailure(); +diff --git a/src/PeerPoolMgr.cc b/src/PeerPoolMgr.cc +index 9cb038e..6fb5b09 100644 +--- a/src/PeerPoolMgr.cc ++++ b/src/PeerPoolMgr.cc +@@ -86,7 +86,7 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams ¶ms) + } + + if (params.flag != Comm::OK) { +- NoteOutgoingConnectionFailure(peer, Http::scNone); ++ NoteOutgoingConnectionFailure(peer); + checkpoint("conn opening failure"); // may retry + return; + } +diff --git a/src/clients/HttpTunneler.cc b/src/clients/HttpTunneler.cc +index 2fbc3fb..a6e49db 100644 +--- a/src/clients/HttpTunneler.cc ++++ b/src/clients/HttpTunneler.cc +@@ -90,7 +90,7 @@ Http::Tunneler::handleConnectionClosure(const CommCloseCbParams &) + { + closer = nullptr; + if (connection) { +- countFailingConnection(nullptr); ++ countFailingConnection(); + connection->noteClosure(); + connection = nullptr; + } +@@ -355,7 +355,7 @@ Http::Tunneler::bailWith(ErrorState *error) + + if (const auto failingConnection = connection) { + // TODO: Reuse to-peer connections after a CONNECT error response. +- countFailingConnection(error); ++ countFailingConnection(); + disconnect(); + failingConnection->close(); + } +@@ -374,10 +374,12 @@ Http::Tunneler::sendSuccess() + } + + void +-Http::Tunneler::countFailingConnection(const ErrorState * const error) ++Http::Tunneler::countFailingConnection() + { + assert(connection); +- NoteOutgoingConnectionFailure(connection->getPeer(), error ? error->httpStatus : Http::scNone); ++ // No NoteOutgoingConnectionFailure(connection->getPeer()) call here because ++ // we do not blame cache_peer for CONNECT failures (on top of a successfully ++ // established connection to that cache_peer). 
+ if (noteFwdPconnUse && connection->isOpen()) + fwdPconnPool->noteUses(fd_table[connection->fd].pconn.uses); + } +diff --git a/src/clients/HttpTunneler.h b/src/clients/HttpTunneler.h +index 7886f09..596efcf 100644 +--- a/src/clients/HttpTunneler.h ++++ b/src/clients/HttpTunneler.h +@@ -80,7 +80,7 @@ private: + void disconnect(); + + /// updates connection usage history before the connection is closed +- void countFailingConnection(const ErrorState *); ++ void countFailingConnection(); + + AsyncCall::Pointer writer; ///< called when the request has been written + AsyncCall::Pointer reader; ///< called when the response should be read +diff --git a/src/neighbors.cc b/src/neighbors.cc +index 04b69c1..75f56c9 100644 +--- a/src/neighbors.cc ++++ b/src/neighbors.cc +@@ -1320,7 +1320,7 @@ peerProbeConnectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, int + if (status == Comm::OK) + p->noteSuccess(); + else +- p->noteFailure(Http::scNone); ++ p->noteFailure(); + + -- p->testing_now; + conn->close(); +diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc +index b9e5659..4c37f34 100644 +--- a/src/security/BlindPeerConnector.cc ++++ b/src/security/BlindPeerConnector.cc +@@ -76,7 +76,7 @@ Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error) + // based on TCP results, SSL results, or both. And the code is probably not + // consistent in this aspect across tunnelling and forwarding modules. 
+ if (peer && peer->secure.encryptTransport) +- peer->noteFailure(error->httpStatus); ++ peer->noteFailure(); + return; + } + +diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc +index d458f99..d0131a1 100644 +--- a/src/security/PeerConnector.cc ++++ b/src/security/PeerConnector.cc +@@ -115,7 +115,7 @@ Security::PeerConnector::commCloseHandler(const CommCloseCbParams ¶ms) + err->detailError(d); + + if (serverConn) { +- countFailingConnection(err); ++ countFailingConnection(); + serverConn->noteClosure(); + serverConn = nullptr; + } +@@ -507,7 +507,7 @@ Security::PeerConnector::bail(ErrorState *error) + answer().error = error; + + if (const auto failingConnection = serverConn) { +- countFailingConnection(error); ++ countFailingConnection(); + disconnect(); + failingConnection->close(); + } +@@ -525,10 +525,10 @@ Security::PeerConnector::sendSuccess() + } + + void +-Security::PeerConnector::countFailingConnection(const ErrorState * const error) ++Security::PeerConnector::countFailingConnection() + { + assert(serverConn); +- NoteOutgoingConnectionFailure(serverConn->getPeer(), error ? error->httpStatus : Http::scNone); ++ NoteOutgoingConnectionFailure(serverConn->getPeer()); + // TODO: Calling PconnPool::noteUses() should not be our responsibility. 
+ if (noteFwdPconnUse && serverConn->isOpen()) + fwdPconnPool->noteUses(fd_table[serverConn->fd].pconn.uses); +diff --git a/src/security/PeerConnector.h b/src/security/PeerConnector.h +index a1d5ef9..401df06 100644 +--- a/src/security/PeerConnector.h ++++ b/src/security/PeerConnector.h +@@ -150,7 +150,7 @@ protected: + void disconnect(); + + /// updates connection usage history before the connection is closed +- void countFailingConnection(const ErrorState *); ++ void countFailingConnection(); + + /// If called the certificates validator will not used + void bypassCertValidator() {useCertValidator_ = false;} +diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc +index 6bd6204..b513a22 100644 +--- a/src/tests/stub_libsecurity.cc ++++ b/src/tests/stub_libsecurity.cc +@@ -97,7 +97,7 @@ void PeerConnector::bail(ErrorState *) STUB + void PeerConnector::sendSuccess() STUB + void PeerConnector::callBack() STUB + void PeerConnector::disconnect() STUB +-void PeerConnector::countFailingConnection(const ErrorState *) STUB ++void PeerConnector::countFailingConnection() STUB + void PeerConnector::recordNegotiationDetails() STUB + EncryptorAnswer &PeerConnector::answer() STUB_RETREF(EncryptorAnswer) + } diff --git a/squid.spec b/squid.spec index dbdcc3a..fea08a9 100644 --- a/squid.spec +++ b/squid.spec @@ -3,7 +3,7 @@ Name: squid Version: 6.13 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code 
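Review bot: In the CachePeer.cc hunk of the added patch, the doc comment kept above the renamed definition still reads `/// noteFailure() helper for handling failures attributed to this peer`, but the function below it is now `CachePeer::noteFailure()` itself, so the comment describes a helper that no longer exists. Aligning it with the header's new wording, `/// reacts to a failed attempt to establish a connection to this cache_peer`, keeps the .cc and .h in agreement. Worth recording for operators as well: the patch leaves `Http::Tunneler::countFailingConnection()` with no `NoteOutgoingConnectionFailure()` call at all, so after this backport the `tcp_up` health tracking in `CachePeer::noteFailure()` is fed only by TCP connect failures (HappyConnOpener, PeerPoolMgr), TLS negotiation failures (Security::PeerConnector, BlindPeerConnector) and neighbor probes, never by CONNECT-stage failures. The functions touched in this hunk are shown only as partial context and continue outside the visible lines.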
@@ -26,7 +26,12 @@ Source98: perl-requires-squid.sh # Upstream patches # Backported patches -# Patch101: patch +# Upstream PR: https://github.com/squid-cache/squid/pull/1442 +Patch101: squid-6.1-crash-half-closed.patch +# Upstream PR: https://github.com/squid-cache/squid/pull/1914 +Patch102: squid-6.11-ignore-wsp-after-chunk-size.patch +# Upstream commit: https://github.com/squid-cache/squid/commit/022dbabd89249f839d1861aa87c1ab9e1a008a47 +Patch103: squid-6.13-cache-peer-connect-errors.patch # Local patches # Applying upstream patches first makes it less likely that local patches @@ -37,10 +42,6 @@ Patch203: squid-6.1-perlpath.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch204: squid-6.1-symlink-lang-err.patch -# Upstream PR: https://github.com/squid-cache/squid/pull/1442 -Patch205: squid-6.1-crash-half-closed.patch -# Upstream PR: https://github.com/squid-cache/squid/pull/1914 -Patch206: squid-6.11-ignore-wsp-after-chunk-size.patch # cache_swap.sh Requires: bash gawk @@ -315,6 +316,9 @@ fi %changelog +* Wed Mar 12 2025 Luboš Uhliarik - 7:6.13-2 +- Do not blame cache_peer for 4xx CONNECT responses + * Tue Feb 04 2025 Luboš Uhliarik - 7:6.13-1 - new version 6.13 From 383c43dd7bcf46924ab261bf4a0937745a2e356e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Mon, 21 Jul 2025 19:36:11 +0200 Subject: [PATCH 3/9] new version 6.14 --- sources | 4 ++-- squid-6.1-perlpath.patch | 2 +- squid.spec | 7 +++++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/sources b/sources index 83d969f..02e8a81 100644 --- a/sources +++ b/sources 
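Review bot: The comment added above Patch103, `# Upstream commit: https://github.com/squid-cache/squid/commit/022dbabd89249f839d1861aa87c1ab9e1a008a47`, points at the wrong upstream change: the patch file added in this commit is upstream `2e7dea3cedd3ef2f071dee82867c4147f17376dd` (PR #1772), and its own message names 022dbab as the 2022 commit that merely exempted 4xx responses. The new %changelog entry, `- Do not blame cache_peer for 4xx CONNECT responses`, describes that older 2022 behaviour too, whereas the backport removes the 4xx special case and stops blaming cache_peers for CONNECT failures of any status (the motivating cases in the patch text are 502/503). Suggested: `# Upstream commit: https://github.com/squid-cache/squid/commit/2e7dea3cedd3ef2f071dee82867c4147f17376dd` and `- Do not blame cache_peer for CONNECT errors (upstream PR #1772)`. The same hunk also renumbers the two existing backports from Patch205/Patch206 to Patch101/Patch102; if %prep applies patches by explicit `%patch` number rather than `%autosetup`/`%autopatch`, that needs a matching change that is not visible here.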
@@ -1,3 +1,3 @@ -SHA512 (squid-6.13.tar.xz) = a67276a7eb38d00271962b67bff7f08e760db73bc6b0f94ab71297d520405033df65ebb0b38ee5db02bd6c00d81cd600b60d918fe7fff64e06255deaf78f00c1 -SHA512 (squid-6.13.tar.xz.asc) = 66d8d657793ca3bd20e4a728dc0d3568fac078334d57f3105bb67f1c6fbc5e89e21b757f38048f2361b670938ff350d1afd956ba3dfa5d55dfb54d13e4620fc9 +SHA512 (squid-6.14.tar.xz) = 5905060ae8d70128516c26cf379ed5b434c02525efe0e17ac56d4e060af7542b4a7a41ac3eca5ba5a00867791aed18ed5ed0e247b18a376e1ae7bc13039782f5 +SHA512 (squid-6.14.tar.xz.asc) = 5cc102787796db1cf4c71e9e21d3462becdd869eb72cd69a5c4ca74f60628a98a5543aabe7a0d0bc74c99a62bae0678d3ae6eab9dfe0e4dfb9c063678005f2e3 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d diff --git a/squid-6.1-perlpath.patch b/squid-6.1-perlpath.patch index 7539001..8bfdbdf 100644 --- a/squid-6.1-perlpath.patch +++ b/squid-6.1-perlpath.patch @@ -6,5 +6,5 @@ index e965e9e..ed5ffcb 100755 -#!/usr/local/bin/perl -Tw +#!/usr/bin/perl -Tw # - # * Copyright (C) 1996-2024 The Squid Software Foundation and contributors + # * Copyright (C) 1996-2025 The Squid Software Foundation and contributors # * diff --git a/squid.spec b/squid.spec index fea08a9..5c4ee42 100644 --- a/squid.spec +++ b/squid.spec @@ -2,8 +2,8 @@ %define version_underscore %(echo %{version} | tr '.' '_') Name: squid -Version: 6.13 -Release: 2%{?dist} +Version: 6.14 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -316,6 +316,9 @@ fi %changelog +* Mon Jul 21 2025 Luboš Uhliarik - 7:6.14-1 +- new version 6.14 + * Wed Mar 12 2025 Luboš Uhliarik - 7:6.13-2 - Do not blame cache_peer for 4xx CONNECT responses From fea9e4c688052db60dc2833d2786c511f44d6b29 Mon Sep 17 00:00:00 2001 
From: Fedora Release Engineering Date: Fri, 25 Jul 2025 18:41:07 +0000 Subject: [PATCH 4/9] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild --- squid.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/squid.spec b/squid.spec index 5c4ee42..352f5a2 100644 --- a/squid.spec +++ b/squid.spec @@ -3,7 +3,7 @@ Name: squid Version: 6.14 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -316,6 +316,9 @@ fi %changelog +* Fri Jul 25 2025 Fedora Release Engineering - 7:6.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + * Mon Jul 21 2025 Luboš Uhliarik - 7:6.14-1 - new version 6.14 From 6e12cc940ee289ffca223c00616510350e50c89f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Thu, 14 Aug 2025 22:29:23 +0200 Subject: [PATCH 5/9] new version 7.1 removed squidclient removed purge removed cachemgr.cgi removed basic_smb_lm_auth and ntlm_smb_lm_auth helpers --- sources | 4 +- squid-6.1-crash-half-closed.patch | 158 -------- squid-6.11-ignore-wsp-after-chunk-size.patch | 367 ------------------- squid-6.13-cache-peer-connect-errors.patch | 287 --------------- squid.spec | 33 +- 5 files changed, 17 insertions(+), 832 deletions(-) delete mode 100644 squid-6.1-crash-half-closed.patch delete mode 100644 squid-6.11-ignore-wsp-after-chunk-size.patch delete mode 100644 squid-6.13-cache-peer-connect-errors.patch diff --git a/sources b/sources index 02e8a81..700eafd 100644 --- a/sources +++ b/sources 
@@ -1,3 +1,3 @@
-SHA512 (squid-6.14.tar.xz) = 5905060ae8d70128516c26cf379ed5b434c02525efe0e17ac56d4e060af7542b4a7a41ac3eca5ba5a00867791aed18ed5ed0e247b18a376e1ae7bc13039782f5
-SHA512 (squid-6.14.tar.xz.asc) = 5cc102787796db1cf4c71e9e21d3462becdd869eb72cd69a5c4ca74f60628a98a5543aabe7a0d0bc74c99a62bae0678d3ae6eab9dfe0e4dfb9c063678005f2e3
+SHA512 (squid-7.1.tar.xz) = f12d4cac78576eecf19193cbb88f374b2d1bf3f480e684008a562bdda55eedae643b1a5766846c04673030ad1e89a608a62f52078312a80a3664fdccfc5f44df
+SHA512 (squid-7.1.tar.xz.asc) = 4c7be2b32b7ce6cd1a99fe49c397fcd4d294817f96c4aaf5e66ad8c2de0c51b9debb4c85cf877efce87b1c44c2ebbb795a170859ca38124389b050e9fbaa1ff6
 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d
diff --git a/squid-6.1-crash-half-closed.patch b/squid-6.1-crash-half-closed.patch
deleted file mode 100644
index 901ece2..0000000
--- a/squid-6.1-crash-half-closed.patch
+++ /dev/null
@@ -1,158 +0,0 @@ -diff --git a/src/client_side.cc b/src/client_side.cc -index f488fc4..69586df 100644 ---- a/src/client_side.cc -+++ b/src/client_side.cc -@@ -932,7 +932,7 @@ ConnStateData::kick() - * We are done with the response, and we are either still receiving request - * body (early response!) or have already stopped receiving anything. - * -- * If we are still receiving, then clientParseRequest() below will fail. -+ * If we are still receiving, then parseRequests() below will fail. - * (XXX: but then we will call readNextRequest() which may succeed and - * execute a smuggled request as we are not done with the current request). - * -@@ -952,28 +952,12 @@ ConnStateData::kick() - * Attempt to parse a request from the request buffer. - * If we've been fed a pipelined request it may already - * be in our read buffer. -- * -- \par -- * This needs to fall through - if we're unlucky and parse the _last_ request -- * from our read buffer we may never re-register for another client read. - */ - -- if (clientParseRequests()) { -- debugs(33, 3, clientConnection << ": parsed next request from buffer"); -- } -+ parseRequests(); - -- /** \par -- * Either we need to kick-start another read or, if we have -- * a half-closed connection, kill it after the last request. -- * This saves waiting for half-closed connections to finished being -- * half-closed _AND_ then, sometimes, spending "Timeout" time in -- * the keepalive "Waiting for next request" state. -- */ -- if (commIsHalfClosed(clientConnection->fd) && pipeline.empty()) { -- debugs(33, 3, "half-closed client with no pending requests, closing"); -- clientConnection->close(); -+ if (!isOpen()) - return; -- } - - /** \par - * At this point we either have a parsed request (which we've -@@ -1893,16 +1877,11 @@ ConnStateData::receivedFirstByte() - resetReadTimeout(Config.Timeout.request); - } - --/** -- * Attempt to parse one or more requests from the input buffer. 
-- * Returns true after completing parsing of at least one request [header]. That -- * includes cases where parsing ended with an error (e.g., a huge request). -- */ --bool --ConnStateData::clientParseRequests() -+/// Attempt to parse one or more requests from the input buffer. -+/// May close the connection. -+void -+ConnStateData::parseRequests() - { -- bool parsed_req = false; -- - debugs(33, 5, clientConnection << ": attempting to parse"); - - // Loop while we have read bytes that are not needed for producing the body -@@ -1947,8 +1926,6 @@ ConnStateData::clientParseRequests() - - processParsedRequest(context); - -- parsed_req = true; // XXX: do we really need to parse everything right NOW ? -- - if (context->mayUseConnection()) { - debugs(33, 3, "Not parsing new requests, as this request may need the connection"); - break; -@@ -1961,8 +1938,19 @@ ConnStateData::clientParseRequests() - } - } - -- /* XXX where to 'finish' the parsing pass? */ -- return parsed_req; -+ debugs(33, 7, "buffered leftovers: " << inBuf.length()); -+ -+ if (isOpen() && commIsHalfClosed(clientConnection->fd)) { -+ if (pipeline.empty()) { -+ // we processed what we could parse, and no more data is coming -+ debugs(33, 5, "closing half-closed without parsed requests: " << clientConnection); -+ clientConnection->close(); -+ } else { -+ // we parsed what we could, and no more data is coming -+ debugs(33, 5, "monitoring half-closed while processing parsed requests: " << clientConnection); -+ flags.readMore = false; // may already be false -+ } -+ } - } - - void -@@ -1979,18 +1967,7 @@ ConnStateData::afterClientRead() - if (pipeline.empty()) - fd_note(clientConnection->fd, "Reading next request"); - -- if (!clientParseRequests()) { -- if (!isOpen()) -- return; -- // We may get here if the client half-closed after sending a partial -- // request. See doClientRead() and shouldCloseOnEof(). -- // XXX: This partially duplicates ConnStateData::kick(). 
-- if (pipeline.empty() && commIsHalfClosed(clientConnection->fd)) { -- debugs(33, 5, clientConnection << ": half-closed connection, no completed request parsed, connection closing."); -- clientConnection->close(); -- return; -- } -- } -+ parseRequests(); - - if (!isOpen()) - return; -@@ -3775,7 +3752,7 @@ ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic) - startPinnedConnectionMonitoring(); - - if (pipeline.empty()) -- kick(); // in case clientParseRequests() was blocked by a busy pic.connection -+ kick(); // in case parseRequests() was blocked by a busy pic.connection - } - - /// Forward future client requests using the given server connection. -diff --git a/src/client_side.h b/src/client_side.h -index 6027b31..60b99b1 100644 ---- a/src/client_side.h -+++ b/src/client_side.h -@@ -98,7 +98,6 @@ public: - void doneWithControlMsg() override; - - /// Traffic parsing -- bool clientParseRequests(); - void readNextRequest(); - - /// try to make progress on a transaction or read more I/O -@@ -443,6 +442,7 @@ private: - - void checkLogging(); - -+ void parseRequests(); - void clientAfterReadingRequests(); - bool concurrentRequestQueueFilled() const; - -diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc -index 8c160e5..f49d5dc 100644 ---- a/src/tests/stub_client_side.cc -+++ b/src/tests/stub_client_side.cc -@@ -14,7 +14,7 @@ - #include "tests/STUB.h" - - #include "client_side.h" --bool ConnStateData::clientParseRequests() STUB_RETVAL(false) -+void ConnStateData::parseRequests() STUB - void ConnStateData::readNextRequest() STUB - bool ConnStateData::isOpen() const STUB_RETVAL(false) - void ConnStateData::kick() STUB diff --git a/squid-6.11-ignore-wsp-after-chunk-size.patch b/squid-6.11-ignore-wsp-after-chunk-size.patch deleted file mode 100644 index ea4025f..0000000 --- a/squid-6.11-ignore-wsp-after-chunk-size.patch +++ /dev/null 
@@ -1,367 +0,0 @@ -From 8d0ee420a4d91ac7fd97316338f1e28b4b060cbf Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= -Date: Thu, 10 Oct 2024 19:26:27 +0200 -Subject: [PATCH 1/6] Ignore whitespace chars after chunk-size - -Previously (before #1498 change), squid was accepting TE-chunked replies -with whitespaces after chunk-size and missing chunk-ext data. After - -It turned out that replies with such whitespace chars are pretty -common and other webservers which can act as forward proxies (e.g. -nginx, httpd...) are accepting them. - -This change will allow to proxy chunked responses from origin server, -which had whitespaces inbetween chunk-size and CRLF. ---- - src/http/one/TeChunkedParser.cc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index 9cce10fdc91..04753395e16 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,6 +125,7 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. - try { -+ tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size - parseChunkExtensions(tok); // a possibly empty chunk-ext list - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); - -From 9c8d35f899035fa06021ab3fe6919f892c2f0c6b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= -Date: Fri, 11 Oct 2024 02:06:31 +0200 -Subject: [PATCH 2/6] Added new argument to Http::One::ParseBws() - -Depending on new wsp_only argument in ParseBws() it will be decided -which set of whitespaces characters will be parsed. If wsp_only is set -to true, only SP and HTAB chars will be parsed. - -Also optimized number of ParseBws calls. 
---- - src/http/one/Parser.cc | 4 ++-- - src/http/one/Parser.h | 3 ++- - src/http/one/TeChunkedParser.cc | 13 +++++++++---- - src/http/one/TeChunkedParser.h | 2 +- - 4 files changed, 14 insertions(+), 8 deletions(-) - -diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc -index b1908316a0b..01d7e3bc0e8 100644 ---- a/src/http/one/Parser.cc -+++ b/src/http/one/Parser.cc -@@ -273,9 +273,9 @@ Http::One::ErrorLevel() - - // BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule - void --Http::One::ParseBws(Parser::Tokenizer &tok) -+Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) - { -- const auto count = tok.skipAll(Parser::WhitespaceCharacters()); -+ const auto count = tok.skipAll(wsp_only ? CharacterSet::WSP : Parser::WhitespaceCharacters()); - - if (tok.atEnd()) - throw InsufficientInput(); // even if count is positive -diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h -index d9a0ac8c273..08200371cd6 100644 ---- a/src/http/one/Parser.h -+++ b/src/http/one/Parser.h -@@ -163,8 +163,9 @@ class Parser : public RefCountable - }; - - /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) -+/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars - /// \throws InsufficientInput when the end of BWS cannot be confirmed --void ParseBws(Parser::Tokenizer &); -+void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); - - /// the right debugs() level for logging HTTP violation messages - int ErrorLevel(); -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index 04753395e16..41e1e5ddaea 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,8 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. 
- try { -- tok.skipAll(CharacterSet::WSP); // Some servers send SP/TAB after chunk-size -- parseChunkExtensions(tok); // a possibly empty chunk-ext list -+ // A possibly empty chunk-ext list. If no chunk-ext has been found, -+ // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". -+ if (!parseChunkExtensions(tok)) -+ ParseBws(tok, true); -+ - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); - parsingStage_ = theChunkSize ? Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; -@@ -140,20 +143,22 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - - /// Parses the chunk-ext list (RFC 9112 section 7.1.1: - /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) --void -+bool - Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) - { -+ bool foundChunkExt = false; - do { - auto tok = callerTok; - - ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size - - if (!tok.skip(';')) -- return; // reached the end of extensions (if any) -+ return foundChunkExt; // reached the end of extensions (if any) - - parseOneChunkExtension(tok); - buf_ = tok.remaining(); // got one extension - callerTok = tok; -+ foundChunkExt = true; - } while (true); - } - -diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h -index 02eacd1bb89..8c5d4bb4cba 100644 ---- a/src/http/one/TeChunkedParser.h -+++ b/src/http/one/TeChunkedParser.h -@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser - private: - bool parseChunkSize(Tokenizer &tok); - bool parseChunkMetadataSuffix(Tokenizer &); -- void parseChunkExtensions(Tokenizer &); -+ bool parseChunkExtensions(Tokenizer &); - void parseOneChunkExtension(Tokenizer &); - bool parseChunkBody(Tokenizer &tok); - bool parseChunkEnd(Tokenizer &tok); - -From 81e67f97f9c386bdd0bb4a5e182395c46adb70ad Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= -Date: Fri, 11 Oct 2024 02:44:33 
+0200 -Subject: [PATCH 3/6] Fix typo in Parser.h - ---- - src/http/one/Parser.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h -index 08200371cd6..3ef4c5f7752 100644 ---- a/src/http/one/Parser.h -+++ b/src/http/one/Parser.h -@@ -163,7 +163,7 @@ class Parser : public RefCountable - }; - - /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) --/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimeter chars -+/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars - /// \throws InsufficientInput when the end of BWS cannot be confirmed - void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); - - -From a0d4fe1794e605f8299a5c118c758a807453f016 Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Thu, 10 Oct 2024 22:39:42 -0400 -Subject: [PATCH 4/6] Bug 5449 is a regression of Bug 4492! - -Both bugs deal with "chunk-size SP+ CRLF" use cases. Bug 4492 had _two_ -spaces after chunk-size, which answers one of the PR review questions: -Should we skip just one space? No, we should not. - -The lines moved around in many commits, but I believe this regression -was introduced in commit 951013d0 because that commit stopped consuming -partially parsed chunk-ext sequences. That consumption was wrong, but it -had a positive side effect -- fixing Bug 4492... ---- - src/http/one/TeChunkedParser.cc | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index 41e1e5ddaea..aa4a840fdcf 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,10 +125,10 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. 
- try { -- // A possibly empty chunk-ext list. If no chunk-ext has been found, -- // try to skip trailing BWS, because some servers send "chunk-size BWS CRLF". -- if (!parseChunkExtensions(tok)) -- ParseBws(tok, true); -+ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size -+ ParseBws(tok, true); -+ -+ parseChunkExtensions(tok); - - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); -@@ -150,7 +150,7 @@ Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) - do { - auto tok = callerTok; - -- ParseBws(tok); // Bug 4492: IBM_HTTP_Server sends SP after chunk-size -+ ParseBws(tok); - - if (!tok.skip(';')) - return foundChunkExt; // reached the end of extensions (if any) - -From f837f5ff61301a17008f16ce1fb793c2abf19786 Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Thu, 10 Oct 2024 23:06:42 -0400 -Subject: [PATCH 5/6] fixup: Fewer conditionals/ifs and more explicit spelling - -... to draw code reader attention when something unusual is going on. ---- - src/http/one/Parser.cc | 22 ++++++++++++++++++---- - src/http/one/Parser.h | 10 ++++++++-- - src/http/one/TeChunkedParser.cc | 14 ++++++-------- - src/http/one/TeChunkedParser.h | 2 +- - 4 files changed, 33 insertions(+), 15 deletions(-) - -diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc -index 01d7e3bc0e8..d3937e5e96b 100644 ---- a/src/http/one/Parser.cc -+++ b/src/http/one/Parser.cc -@@ -271,11 +271,12 @@ Http::One::ErrorLevel() - return Config.onoff.relaxed_header_parser < 0 ? DBG_IMPORTANT : 5; - } - --// BWS = *( SP / HTAB ) ; WhitespaceCharacters() may relax this RFC 7230 rule --void --Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) -+/// common part of ParseBws() and ParseStrctBws() -+namespace Http::One { -+static void -+ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) - { -- const auto count = tok.skipAll(wsp_only ? 
CharacterSet::WSP : Parser::WhitespaceCharacters()); -+ const auto count = tok.skipAll(bwsChars); - - if (tok.atEnd()) - throw InsufficientInput(); // even if count is positive -@@ -290,4 +291,17 @@ Http::One::ParseBws(Parser::Tokenizer &tok, const bool wsp_only) - - // success: no more BWS characters expected - } -+} // namespace Http::One -+ -+void -+Http::One::ParseBws(Parser::Tokenizer &tok) -+{ -+ ParseBws_(tok, CharacterSet::WSP); -+} -+ -+void -+Http::One::ParseStrictBws(Parser::Tokenizer &tok) -+{ -+ ParseBws_(tok, Parser::WhitespaceCharacters()); -+} - -diff --git a/src/http/one/Parser.h b/src/http/one/Parser.h -index 3ef4c5f7752..49e399de546 100644 ---- a/src/http/one/Parser.h -+++ b/src/http/one/Parser.h -@@ -163,9 +163,15 @@ class Parser : public RefCountable - }; - - /// skips and, if needed, warns about RFC 7230 BWS ("bad" whitespace) --/// \param wsp_only force skipping of whitespaces only, don't consider skipping relaxed delimiter chars - /// \throws InsufficientInput when the end of BWS cannot be confirmed --void ParseBws(Parser::Tokenizer &, const bool wsp_only = false); -+/// \sa WhitespaceCharacters() for the definition of BWS characters -+/// \sa ParseStrictBws() that avoids WhitespaceCharacters() uncertainties -+void ParseBws(Parser::Tokenizer &); -+ -+/// Like ParseBws() but only skips CharacterSet::WSP characters. This variation -+/// must be used if the next element may start with CR or any other character -+/// from RelaxedDelimiterCharacters(). 
-+void ParseStrictBws(Parser::Tokenizer &); - - /// the right debugs() level for logging HTTP violation messages - int ErrorLevel(); -diff --git a/src/http/one/TeChunkedParser.cc b/src/http/one/TeChunkedParser.cc -index aa4a840fdcf..859471b8c77 100644 ---- a/src/http/one/TeChunkedParser.cc -+++ b/src/http/one/TeChunkedParser.cc -@@ -125,11 +125,11 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - // Code becomes much simpler when incremental parsing functions throw on - // bad or insufficient input, like in the code below. TODO: Expand up. - try { -- // Bug 4492: IBM_HTTP_Server sends SP after chunk-size -- ParseBws(tok, true); -- -- parseChunkExtensions(tok); -+ // Bug 4492: IBM_HTTP_Server sends SP after chunk-size. -+ // No ParseBws() here because it may consume CR required further below. -+ ParseStrictBws(tok); - -+ parseChunkExtensions(tok); // a possibly empty chunk-ext list - tok.skipRequired("CRLF after [chunk-ext]", Http1::CrLf()); - buf_ = tok.remaining(); - parsingStage_ = theChunkSize ? 
Http1::HTTP_PARSE_CHUNK : Http1::HTTP_PARSE_MIME; -@@ -143,22 +143,20 @@ Http::One::TeChunkedParser::parseChunkMetadataSuffix(Tokenizer &tok) - - /// Parses the chunk-ext list (RFC 9112 section 7.1.1: - /// chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) --bool -+void - Http::One::TeChunkedParser::parseChunkExtensions(Tokenizer &callerTok) - { -- bool foundChunkExt = false; - do { - auto tok = callerTok; - - ParseBws(tok); - - if (!tok.skip(';')) -- return foundChunkExt; // reached the end of extensions (if any) -+ return; // reached the end of extensions (if any) - - parseOneChunkExtension(tok); - buf_ = tok.remaining(); // got one extension - callerTok = tok; -- foundChunkExt = true; - } while (true); - } - -diff --git a/src/http/one/TeChunkedParser.h b/src/http/one/TeChunkedParser.h -index 8c5d4bb4cba..02eacd1bb89 100644 ---- a/src/http/one/TeChunkedParser.h -+++ b/src/http/one/TeChunkedParser.h -@@ -71,7 +71,7 @@ class TeChunkedParser : public Http1::Parser - private: - bool parseChunkSize(Tokenizer &tok); - bool parseChunkMetadataSuffix(Tokenizer &); -- bool parseChunkExtensions(Tokenizer &); -+ void parseChunkExtensions(Tokenizer &); - void parseOneChunkExtension(Tokenizer &); - bool parseChunkBody(Tokenizer &tok); - bool parseChunkEnd(Tokenizer &tok); - -From f79936a234e722adb2dd08f31cf6019d81ee712c Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Thu, 10 Oct 2024 23:31:08 -0400 -Subject: [PATCH 6/6] fixup: Deadly typo - ---- - src/http/one/Parser.cc | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/http/one/Parser.cc b/src/http/one/Parser.cc -index d3937e5e96b..7403a9163a2 100644 ---- a/src/http/one/Parser.cc -+++ b/src/http/one/Parser.cc -@@ -296,12 +296,12 @@ ParseBws_(Parser::Tokenizer &tok, const CharacterSet &bwsChars) - void - Http::One::ParseBws(Parser::Tokenizer &tok) - { -- ParseBws_(tok, CharacterSet::WSP); -+ ParseBws_(tok, Parser::WhitespaceCharacters()); - } - - void - 
Http::One::ParseStrictBws(Parser::Tokenizer &tok) - { -- ParseBws_(tok, Parser::WhitespaceCharacters()); -+ ParseBws_(tok, CharacterSet::WSP); - } - - diff --git a/squid-6.13-cache-peer-connect-errors.patch b/squid-6.13-cache-peer-connect-errors.patch deleted file mode 100644 index 339d9ec..0000000 --- a/squid-6.13-cache-peer-connect-errors.patch +++ /dev/null 
@@ -1,287 +0,0 @@ -From 2e7dea3cedd3ef2f071dee82867c4147f17376dd Mon Sep 17 00:00:00 2001 -From: Alex Rousskov -Date: Tue, 2 Apr 2024 20:37:31 +0000 -Subject: [PATCH] Do not blame cache_peer for CONNECT errors (#1772) - - ERROR: Connection to [such-and-such-cache_peer] failed - TCP_TUNNEL/503 CONNECT nxdomain.test:443 FIRSTUP_PARENT - -Squid does not alert an admin about (and decrease health level of) a -cache_peer that responded with an error to a GET request. Just like GET -responses from a cache_peer, CONNECT responses may (and often do!) -reflect client or origin server failures. We should not penalize -cache_peers (and alert admins) until we can distinguish these frequent -client/origin failures from (relatively rare) cache_peer problems. This -change absolves cache_peers of CONNECT problems, restoring parity with -GETs and restoring v4 behavior changed (probably by accident) in v5. - -Also removed Http::StatusCode parameter from failure notification -functions because it became essentially unused after the primary -Http::Tunneler changes. Tunneler was the only source of status code -information that (in some cases) used received HTTP response to compute -that status code. All other cases extracted that status code from -Squid-generated errors. Those errors were arguably never meant to supply -status code information for "this failure is not our fault" decision, -and they do not supply 4xx status codes driving that decision. - -### Problem evolution - -2019 commit f5e1794 effectively started blaming cache_peer for all -FwdState CONNECT errors. That functionality change was probably -accidental, likely influenced by the names of noteConnectFailure() and -peerConnectFailed() functions that abbreviated "Connection", making the -functions look as applicable to CONNECT failures. Prior to that commit, -the functions were never used for CONNECT errors. After it, FwdState -started calling peerConnectFailed() for all CONNECT failures. 
- -In 2020 commit 25b0ce4, TunnelStateData started blaming cache_peers as -well (by moving that FwdState-only error handling code into Tunneler). -The same "accidental functionality change" speculations apply here. - -In 2022 commit 022dbab, we made an exception for 4xx CONNECT errors as -folks deploying newer code started complaining about cache_peers getting -blamed for client-caused errors (e.g., HTTP 403 Forbidden replies). We -did not realize that the blaming code itself was an unwanted accident. - -Now we are getting complaints about cache_peers getting blamed for 502 -and 503 CONNECT errors caused by, for example, domain names without IPs: -As these CONNECT error responses are propagated from parent to child -caches, every child cache in the chain logs ERRORs and every cache_peer -in the chain gets its health counter decreased! ---- - src/CachePeer.cc | 11 +---------- - src/CachePeer.h | 12 +++++------- - src/HappyConnOpener.cc | 2 +- - src/PeerPoolMgr.cc | 2 +- - src/clients/HttpTunneler.cc | 10 ++++++---- - src/clients/HttpTunneler.h | 2 +- - src/neighbors.cc | 2 +- - src/security/BlindPeerConnector.cc | 2 +- - src/security/PeerConnector.cc | 8 ++++---- - src/security/PeerConnector.h | 2 +- - src/tests/stub_libsecurity.cc | 2 +- - 11 files changed, 23 insertions(+), 32 deletions(-) - -diff --git a/src/CachePeer.cc b/src/CachePeer.cc -index a5c3adf..91045ef 100644 ---- a/src/CachePeer.cc -+++ b/src/CachePeer.cc -@@ -68,20 +68,11 @@ CachePeer::noteSuccess() - } - } - --void --CachePeer::noteFailure(const Http::StatusCode code) --{ -- if (Http::Is4xx(code)) -- return; // this failure is not our fault -- -- countFailure(); --} -- - // TODO: Require callers to detail failures instead of using one (and often - // misleading!) "connection failed" phrase for all of them. 
- /// noteFailure() helper for handling failures attributed to this peer - void --CachePeer::countFailure() -+CachePeer::noteFailure() - { - stats.last_connect_failure = squid_curtime; - if (tcp_up > 0) -diff --git a/src/CachePeer.h b/src/CachePeer.h -index 5b13e29..14e40ff 100644 ---- a/src/CachePeer.h -+++ b/src/CachePeer.h -@@ -38,9 +38,8 @@ public: - /// reacts to a successful establishment of a connection to this cache_peer - void noteSuccess(); - -- /// reacts to a failure on a connection to this cache_peer -- /// \param code a received response status code, if any -- void noteFailure(Http::StatusCode code); -+ /// reacts to a failed attempt to establish a connection to this cache_peer -+ void noteFailure(); - - /// (re)configure cache_peer name=value - void rename(const char *); -@@ -238,14 +237,13 @@ NoteOutgoingConnectionSuccess(CachePeer * const peer) - peer->noteSuccess(); - } - --/// reacts to a failure on a connection to an origin server or cache_peer -+/// reacts to a failed attempt to establish a connection to an origin server or cache_peer - /// \param peer nil if the connection is to an origin server --/// \param code a received response status code, if any - inline void --NoteOutgoingConnectionFailure(CachePeer * const peer, const Http::StatusCode code) -+NoteOutgoingConnectionFailure(CachePeer * const peer) - { - if (peer) -- peer->noteFailure(code); -+ peer->noteFailure(); - } - - /// identify the given cache peer in cache.log messages and such -diff --git a/src/HappyConnOpener.cc b/src/HappyConnOpener.cc -index 5ab9294..5e17a76 100644 ---- a/src/HappyConnOpener.cc -+++ b/src/HappyConnOpener.cc -@@ -638,7 +638,7 @@ HappyConnOpener::handleConnOpenerAnswer(Attempt &attempt, const CommConnectCbPar - lastError = makeError(ERR_CONNECT_FAIL); - lastError->xerrno = params.xerrno; - -- NoteOutgoingConnectionFailure(params.conn->getPeer(), lastError->httpStatus); -+ NoteOutgoingConnectionFailure(params.conn->getPeer()); - - if (spareWaiting) - 
updateSpareWaitAfterPrimeFailure(); -diff --git a/src/PeerPoolMgr.cc b/src/PeerPoolMgr.cc -index 9cb038e..6fb5b09 100644 ---- a/src/PeerPoolMgr.cc -+++ b/src/PeerPoolMgr.cc -@@ -86,7 +86,7 @@ PeerPoolMgr::handleOpenedConnection(const CommConnectCbParams ¶ms) - } - - if (params.flag != Comm::OK) { -- NoteOutgoingConnectionFailure(peer, Http::scNone); -+ NoteOutgoingConnectionFailure(peer); - checkpoint("conn opening failure"); // may retry - return; - } -diff --git a/src/clients/HttpTunneler.cc b/src/clients/HttpTunneler.cc -index 2fbc3fb..a6e49db 100644 ---- a/src/clients/HttpTunneler.cc -+++ b/src/clients/HttpTunneler.cc -@@ -90,7 +90,7 @@ Http::Tunneler::handleConnectionClosure(const CommCloseCbParams &) - { - closer = nullptr; - if (connection) { -- countFailingConnection(nullptr); -+ countFailingConnection(); - connection->noteClosure(); - connection = nullptr; - } -@@ -355,7 +355,7 @@ Http::Tunneler::bailWith(ErrorState *error) - - if (const auto failingConnection = connection) { - // TODO: Reuse to-peer connections after a CONNECT error response. -- countFailingConnection(error); -+ countFailingConnection(); - disconnect(); - failingConnection->close(); - } -@@ -374,10 +374,12 @@ Http::Tunneler::sendSuccess() - } - - void --Http::Tunneler::countFailingConnection(const ErrorState * const error) -+Http::Tunneler::countFailingConnection() - { - assert(connection); -- NoteOutgoingConnectionFailure(connection->getPeer(), error ? error->httpStatus : Http::scNone); -+ // No NoteOutgoingConnectionFailure(connection->getPeer()) call here because -+ // we do not blame cache_peer for CONNECT failures (on top of a successfully -+ // established connection to that cache_peer). 
- if (noteFwdPconnUse && connection->isOpen()) - fwdPconnPool->noteUses(fd_table[connection->fd].pconn.uses); - } -diff --git a/src/clients/HttpTunneler.h b/src/clients/HttpTunneler.h -index 7886f09..596efcf 100644 ---- a/src/clients/HttpTunneler.h -+++ b/src/clients/HttpTunneler.h -@@ -80,7 +80,7 @@ private: - void disconnect(); - - /// updates connection usage history before the connection is closed -- void countFailingConnection(const ErrorState *); -+ void countFailingConnection(); - - AsyncCall::Pointer writer; ///< called when the request has been written - AsyncCall::Pointer reader; ///< called when the response should be read -diff --git a/src/neighbors.cc b/src/neighbors.cc -index 04b69c1..75f56c9 100644 ---- a/src/neighbors.cc -+++ b/src/neighbors.cc -@@ -1320,7 +1320,7 @@ peerProbeConnectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, int - if (status == Comm::OK) - p->noteSuccess(); - else -- p->noteFailure(Http::scNone); -+ p->noteFailure(); - - -- p->testing_now; - conn->close(); -diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc -index b9e5659..4c37f34 100644 ---- a/src/security/BlindPeerConnector.cc -+++ b/src/security/BlindPeerConnector.cc -@@ -76,7 +76,7 @@ Security::BlindPeerConnector::noteNegotiationDone(ErrorState *error) - // based on TCP results, SSL results, or both. And the code is probably not - // consistent in this aspect across tunnelling and forwarding modules. 
- if (peer && peer->secure.encryptTransport) -- peer->noteFailure(error->httpStatus); -+ peer->noteFailure(); - return; - } - -diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc -index d458f99..d0131a1 100644 ---- a/src/security/PeerConnector.cc -+++ b/src/security/PeerConnector.cc -@@ -115,7 +115,7 @@ Security::PeerConnector::commCloseHandler(const CommCloseCbParams ¶ms) - err->detailError(d); - - if (serverConn) { -- countFailingConnection(err); -+ countFailingConnection(); - serverConn->noteClosure(); - serverConn = nullptr; - } -@@ -507,7 +507,7 @@ Security::PeerConnector::bail(ErrorState *error) - answer().error = error; - - if (const auto failingConnection = serverConn) { -- countFailingConnection(error); -+ countFailingConnection(); - disconnect(); - failingConnection->close(); - } -@@ -525,10 +525,10 @@ Security::PeerConnector::sendSuccess() - } - - void --Security::PeerConnector::countFailingConnection(const ErrorState * const error) -+Security::PeerConnector::countFailingConnection() - { - assert(serverConn); -- NoteOutgoingConnectionFailure(serverConn->getPeer(), error ? error->httpStatus : Http::scNone); -+ NoteOutgoingConnectionFailure(serverConn->getPeer()); - // TODO: Calling PconnPool::noteUses() should not be our responsibility. 
- if (noteFwdPconnUse && serverConn->isOpen()) - fwdPconnPool->noteUses(fd_table[serverConn->fd].pconn.uses); -diff --git a/src/security/PeerConnector.h b/src/security/PeerConnector.h -index a1d5ef9..401df06 100644 ---- a/src/security/PeerConnector.h -+++ b/src/security/PeerConnector.h -@@ -150,7 +150,7 @@ protected: - void disconnect(); - - /// updates connection usage history before the connection is closed -- void countFailingConnection(const ErrorState *); -+ void countFailingConnection(); - - /// If called the certificates validator will not used - void bypassCertValidator() {useCertValidator_ = false;} -diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc -index 6bd6204..b513a22 100644 ---- a/src/tests/stub_libsecurity.cc -+++ b/src/tests/stub_libsecurity.cc -@@ -97,7 +97,7 @@ void PeerConnector::bail(ErrorState *) STUB - void PeerConnector::sendSuccess() STUB - void PeerConnector::callBack() STUB - void PeerConnector::disconnect() STUB --void PeerConnector::countFailingConnection(const ErrorState *) STUB -+void PeerConnector::countFailingConnection() STUB - void PeerConnector::recordNegotiationDetails() STUB - EncryptorAnswer &PeerConnector::answer() STUB_RETREF(EncryptorAnswer) - } diff --git a/squid.spec b/squid.spec index 352f5a2..bf7b2f2 100644 --- a/squid.spec +++ b/squid.spec @@ -2,8 +2,8 @@ %define version_underscore %(echo %{version} | tr '.' '_') Name: squid -Version: 6.14 -Release: 2%{?dist} +Version: 7.1 +Release: 1%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code 
@@ -26,12 +26,7 @@ Source98: perl-requires-squid.sh
 # Upstream patches
 # Backported patches
-# Upstream PR: https://github.com/squid-cache/squid/pull/1442
-Patch101: squid-6.1-crash-half-closed.patch
-# Upstream PR: https://github.com/squid-cache/squid/pull/1914
-Patch102: squid-6.11-ignore-wsp-after-chunk-size.patch
-# Upstream commit: https://github.com/squid-cache/squid/commit/022dbabd89249f839d1861aa87c1ab9e1a008a47
-Patch103: squid-6.13-cache-peer-connect-errors.patch
+# Patch101: squid-7.1-.....patch
 # Local patches
 # Applying upstream patches first makes it less likely that local patches
@@ -119,8 +114,8 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented
 --enable-eui \
 --enable-follow-x-forwarded-for \
 --enable-auth \
- --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB,SMB_LM" \
- --enable-auth-ntlm="SMB_LM,fake" \
+ --enable-auth-basic="DB,fake,getpwnam,LDAP,NCSA,PAM,POP3,RADIUS,SASL,SMB" \
+ --enable-auth-ntlm="fake" \
 --enable-auth-digest="file,LDAP" \
 --enable-auth-negotiate="kerberos" \
 --enable-external-acl-helpers="LDAP_group,time_quota,session,unix_group,wbinfo_group,kerberos_ldap_group" \
@@ -156,9 +151,9 @@ sed -i 's|@SYSCONFDIR@/squid.conf.documented|%{_pkgdocdir}/squid.conf.documented
 --enable-translation
 # workaround to build squid v5
-mkdir -p src/icmp/tests
-mkdir -p tools/squidclient/tests
-mkdir -p tools/tests
+#mkdir -p src/icmp/tests
+#mkdir -p tools/squidclient/tests
+#mkdir -p tools/tests
 %make_build
@@ -229,7 +224,6 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
 %config(noreplace) %attr(644,root,root) %{_sysconfdir}/httpd/conf.d/squid.conf
 %config(noreplace) %attr(640,root,squid) %{_sysconfdir}/squid/squid.conf
-%config(noreplace) %attr(644,root,squid) %{_sysconfdir}/squid/cachemgr.conf
 %config(noreplace) %{_sysconfdir}/squid/mime.conf
 %config(noreplace) %{_sysconfdir}/squid/errorpage.css
 %config(noreplace) %{_sysconfdir}/sysconfig/squid
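Review bot: The new line `+# Patch101: squid-7.1-.....patch` is a template placeholder left under `# Backported patches`, and the three dropped backports (Patch101–103, each of which carried an `# Upstream PR:` or `# Upstream commit:` reference) are not explained anywhere; either delete the placeholder or turn it into a real pointer such as `# Patch101-103 dropped: PR 1442, PR 1914 and commit 022dbabd are part of the 7.1 release`, after confirming that against the 7.1 release notes, since shipping upstream is presumably why they were removed. The changelog hunk further down lists the removed helpers and tools but not the dropped patches, so the same sentence belongs in the 7:7.1-1 entry. In the `@@ -156,9 +151,9 @@` hunk the three `mkdir -p` lines are commented out beneath an unchanged `# workaround to build squid v5` comment; if the workaround is obsolete for 7.x, remove all four lines rather than leaving dead shell in `%build`. The 7.2 bump later in the series repeats the changelog gap when it removes Patch205 without saying where the fix landed.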
@@ -237,7 +231,6 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
 %config %{_sysconfdir}/squid/squid.conf.default
 %config %{_sysconfdir}/squid/mime.conf.default
 %config %{_sysconfdir}/squid/errorpage.css.default
-%config %{_sysconfdir}/squid/cachemgr.conf.default
 %config(noreplace) %{_sysconfdir}/pam.d/squid
 %config(noreplace) %{_sysconfdir}/logrotate.d/squid
@@ -246,10 +239,7 @@ install -p -D -m 0644 %{SOURCE9} %{buildroot}%{_sysusersdir}/squid.conf
 %{_prefix}/lib/NetworkManager
 %{_datadir}/squid/icons
 %{_sbindir}/squid
-%{_bindir}/squidclient
-%{_bindir}/purge
 %{_mandir}/man8/*
-%{_mandir}/man1/*
 %{_libdir}/squid/*
 %{_datadir}/snmp/mibs/SQUID-MIB.txt
 %{_sysusersdir}/squid.conf
@@ -316,6 +306,13 @@ fi
 %changelog
+* Thu Aug 14 2025 Luboš Uhliarik - 7:7.1-1
+- new version 7.1
+- removed squidclient
+- removed purge
+- removed cachemgr.cgi
+- removed basic_smb_lm_auth and ntlm_smb_lm_auth helpers
+
 * Fri Jul 25 2025 Fedora Release Engineering - 7:6.14-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
From 3b10dff1195943f7da91454604681981c150b47e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Fri, 12 Sep 2025 01:25:20 +0200
Subject: [PATCH 6/9] Support provider keys that require NULL digest
---
 squid-7.1-provider-keys-digest.patch | 36 ++++++++++++++++++++++++++++
 squid.spec | 6 ++++-
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 squid-7.1-provider-keys-digest.patch
diff --git a/squid-7.1-provider-keys-digest.patch b/squid-7.1-provider-keys-digest.patch
new file mode 100644
index 0000000..bd62ea1
--- /dev/null
+++ b/squid-7.1-provider-keys-digest.patch
@@ -0,0 +1,36 @@ +diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc +index 09bad6d..59171b7 100644 +--- a/src/ssl/gadgets.cc ++++ b/src/ssl/gadgets.cc +@@ -15,6 +15,19 @@ + #include "security/Io.h" + #include "ssl/gadgets.h" + ++/// whether the given key requires a digest when signing ++static bool ++keyNeedsDigest(const EVP_PKEY * const pkey) { ++ if (EVP_PKEY_is_a(pkey, "ML-DSA-44") || ++ EVP_PKEY_is_a(pkey, "ML-DSA-65") || ++ EVP_PKEY_is_a(pkey, "ML-DSA-87") || ++ EVP_PKEY_is_a(pkey, "ED25519") || ++ EVP_PKEY_is_a(pkey, "ED448")) ++ return false; // no digest needed ++ ++ return true; // require a digest for all other types ++} ++ + void + Ssl::ForgetErrors() + { +@@ -677,9 +690,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu + assert(hash); + /*Now sign the request */ + if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get()) +- ret = X509_sign(cert.get(), properties.signWithPkey.get(), hash); ++ ret = X509_sign(cert.get(), properties.signWithPkey.get(), keyNeedsDigest(properties.signWithPkey.get()) ? hash : nullptr); + else //else sign with self key (self signed request) +- ret = X509_sign(cert.get(), pkey.get(), hash); ++ ret = X509_sign(cert.get(), pkey.get(), keyNeedsDigest(pkey.get()) ? hash : nullptr); + + if (!ret) + return false; diff --git a/squid.spec b/squid.spec index bf7b2f2..ec105a4 100644 --- a/squid.spec +++ b/squid.spec @@ -3,7 +3,7 @@ Name: squid Version: 7.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -37,6 +37,7 @@ Patch203: squid-6.1-perlpath.patch # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422 # workaround for #1934919 Patch204: squid-6.1-symlink-lang-err.patch +Patch205: squid-7.1-provider-keys-digest.patch # cache_swap.sh Requires: bash gawk 
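Review bot: `keyNeedsDigest()` decides from a fixed list of five algorithm names, so a key from any other provider algorithm that likewise rejects a digest still has `hash` passed to `X509_sign()` and certificate generation fails as before, and the list has to be maintained by hand as providers add algorithms. The key itself can answer the question: `EVP_PKEY_get_default_digest_name()` reports whether a digest is mandatory, optional or must be left undefined, and the later commit in this series (7/9) replaces this file with the upstream version that queries it, so this interim list could have been skipped. Both branches in `generateFakeSslCertificate()` repeat the `keyNeedsDigest(...) ? hash : nullptr` ternary; a one-line wrapper around `X509_sign()` would keep that policy in one place.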
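Review bot: `+Patch205: squid-7.1-provider-keys-digest.patch` is added to the Patch2xx local-patches section without the `# Upstream PR:` or `# Upstream commit:` comment that the backported patches carried, while the `# Backported patches` section above it is left holding only the `# Patch101:` placeholder. Since the follow-up commit 7/9 swaps this file for the upstream patch, it belongs in that section as `Patch101` with a comment naming the upstream pull request or commit it was taken from, so the next version bump can tell whether it may be dropped; the 7.2 bump later in this series removes it without recording why.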
@@ -306,6 +307,9 @@ fi %changelog +* Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-2 +- Support provider keys that require NULL digest + * Thu Aug 14 2025 Luboš Uhliarik - 7:7.1-1 - new version 7.1 - removed squidclient From a70045fc305bb0ab6afd4178e67b35ed38d041b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= Date: Wed, 24 Sep 2025 10:05:39 +0200 Subject: [PATCH 7/9] Support provider keys that require NULL digest - use upstream patch --- squid-7.1-provider-keys-digest.patch | 51 ++++++++++++++++++++-------- squid.spec | 4 +-- 2 files changed, 39 insertions(+), 16 deletions(-) diff --git a/squid-7.1-provider-keys-digest.patch b/squid-7.1-provider-keys-digest.patch index bd62ea1..961a506 100644 --- a/squid-7.1-provider-keys-digest.patch +++ b/squid-7.1-provider-keys-digest.patch @@ -1,36 +1,59 @@ diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc -index 09bad6d..59171b7 100644 +index 1f8ac9d..3f54e3d 100644 --- a/src/ssl/gadgets.cc 
+++ b/src/ssl/gadgets.cc -@@ -15,6 +15,19 @@ +@@ -13,6 +13,42 @@ #include "security/Io.h" #include "ssl/gadgets.h" -+/// whether the given key requires a digest when signing ++/// whether to supply a digest algorithm name when calling X509_sign() with the given key +static bool -+keyNeedsDigest(const EVP_PKEY * const pkey) { -+ if (EVP_PKEY_is_a(pkey, "ML-DSA-44") || -+ EVP_PKEY_is_a(pkey, "ML-DSA-65") || -+ EVP_PKEY_is_a(pkey, "ML-DSA-87") || -+ EVP_PKEY_is_a(pkey, "ED25519") || -+ EVP_PKEY_is_a(pkey, "ED448")) -+ return false; // no digest needed ++signWithDigest(const Security::PrivateKeyPointer &key) { ++ Assure(key); // TODO: Add and use Security::PrivateKey (here and in caller). ++ const auto pkey = key.get(); + -+ return true; // require a digest for all other types ++ // OpenSSL does not define a maximum name size, but does terminate longer ++ // names without returning an error to the caller. Many similar callers in ++ // OpenSSL sources use 80-byte buffers. ++ char defaultDigestName[80] = ""; ++ const auto nameGetterResult = EVP_PKEY_get_default_digest_name(pkey, defaultDigestName, sizeof(defaultDigestName)); ++ debugs(83, 3, "nameGetterResult=" << nameGetterResult << " defaultDigestName=" << defaultDigestName); ++ if (nameGetterResult <= 0) { ++ debugs(83, 3, "ERROR: EVP_PKEY_get_default_digest_name() failure: " << Ssl::ReportAndForgetErrors); ++ // Backward compatibility: On error, assume digest should be used. ++ // TODO: Return false for -2 nameGetterResult as it "indicates the ++ // operation is not supported by the public key algorithm"? ++ return true; ++ } ++ ++ // The name "UNDEF" signifies that a digest must (for return value 2) or may ++ // (for return value 1) be left unspecified. ++ if (nameGetterResult == 2 && strcmp(defaultDigestName, "UNDEF") == 0) ++ return false; ++ ++ // Defined mandatory algorithms and "may be left unspecified" cases mentioned above. 
++ return true; ++} ++ ++/// OpenSSL X509_sign() wrapper ++static auto ++Sign(Security::Certificate &cert, const Security::PrivateKeyPointer &key, const EVP_MD &availableDigest) { ++ const auto digestOrNil = signWithDigest(key) ? &availableDigest : nullptr; ++ return X509_sign(&cert, key.get(), digestOrNil); +} + void Ssl::ForgetErrors() { -@@ -677,9 +690,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu +@@ -618,9 +654,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu assert(hash); /*Now sign the request */ if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get()) - ret = X509_sign(cert.get(), properties.signWithPkey.get(), hash); -+ ret = X509_sign(cert.get(), properties.signWithPkey.get(), keyNeedsDigest(properties.signWithPkey.get()) ? hash : nullptr); ++ ret = Sign(*cert, properties.signWithPkey, *hash); else //else sign with self key (self signed request) - ret = X509_sign(cert.get(), pkey.get(), hash); -+ ret = X509_sign(cert.get(), pkey.get(), keyNeedsDigest(pkey.get()) ? hash : nullptr); ++ ret = Sign(*cert, pkey, *hash); if (!ret) return false; diff --git a/squid.spec b/squid.spec index ec105a4..1a32214 100644 --- a/squid.spec +++ b/squid.spec @@ -3,7 +3,7 @@ Name: squid Version: 7.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -307,7 +307,7 @@ fi %changelog -* Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-2 +* Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-3 - Support provider keys that require NULL digest * Thu Aug 14 2025 Luboš Uhliarik - 7:7.1-1 From 8c77c2eb9851b794b03226cccaedf594ad0d3615 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Fri, 17 Oct 2025 10:53:46 +0200
Subject: [PATCH 8/9] new version 7.2
---
 sources | 4 +-
 squid-7.1-provider-keys-digest.patch | 59 ----------------------------
 squid.spec | 8 ++--
 3 files changed, 7 insertions(+), 64 deletions(-)
 delete mode 100644 squid-7.1-provider-keys-digest.patch
diff --git a/sources b/sources
index 700eafd..1a01cad 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (squid-7.1.tar.xz) = f12d4cac78576eecf19193cbb88f374b2d1bf3f480e684008a562bdda55eedae643b1a5766846c04673030ad1e89a608a62f52078312a80a3664fdccfc5f44df
-SHA512 (squid-7.1.tar.xz.asc) = 4c7be2b32b7ce6cd1a99fe49c397fcd4d294817f96c4aaf5e66ad8c2de0c51b9debb4c85cf877efce87b1c44c2ebbb795a170859ca38124389b050e9fbaa1ff6
+SHA512 (squid-7.2.tar.xz) = 424c425dde7b399531c9ed5a700ef84bf8e828b1896f0bd037da121e9b4c8ad0fb0c2b8daad1a0a5308269cc5ffbda42e4c1815421c0bdd6a4046d92dcb56fa7
+SHA512 (squid-7.2.tar.xz.asc) = 688dac65470fa27551579046061130c6a4a623070fda56fdb873ca1c6008afbf2c5fe328f2a93135bec3645444b9636137b9ec32fb2c041fdad8924dc91ccf5f
 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d
diff --git a/squid-7.1-provider-keys-digest.patch b/squid-7.1-provider-keys-digest.patch
deleted file mode 100644
index 961a506..0000000
--- a/squid-7.1-provider-keys-digest.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
-index 1f8ac9d..3f54e3d 100644
---- a/src/ssl/gadgets.cc
-+++ b/src/ssl/gadgets.cc
-@@ -13,6 +13,42 @@
- #include "security/Io.h"
- #include "ssl/gadgets.h"
-
-+/// whether to supply a digest algorithm name when calling X509_sign() with the given key
-+static bool
-+signWithDigest(const Security::PrivateKeyPointer &key) {
-+ Assure(key); // TODO: Add and use Security::PrivateKey (here and in caller).
-+ const auto pkey = key.get();
-+
-+ // OpenSSL does not define a maximum name size, but does terminate longer
-+ // names without returning an error to the caller. Many similar callers in
-+ // OpenSSL sources use 80-byte buffers.
-+ char defaultDigestName[80] = "";
-+ const auto nameGetterResult = EVP_PKEY_get_default_digest_name(pkey, defaultDigestName, sizeof(defaultDigestName));
-+ debugs(83, 3, "nameGetterResult=" << nameGetterResult << " defaultDigestName=" << defaultDigestName);
-+ if (nameGetterResult <= 0) {
-+ debugs(83, 3, "ERROR: EVP_PKEY_get_default_digest_name() failure: " << Ssl::ReportAndForgetErrors);
-+ // Backward compatibility: On error, assume digest should be used.
-+ // TODO: Return false for -2 nameGetterResult as it "indicates the
-+ // operation is not supported by the public key algorithm"?
-+ return true;
-+ }
-+
-+ // The name "UNDEF" signifies that a digest must (for return value 2) or may
-+ // (for return value 1) be left unspecified.
-+ if (nameGetterResult == 2 && strcmp(defaultDigestName, "UNDEF") == 0)
-+ return false;
-+
-+ // Defined mandatory algorithms and "may be left unspecified" cases mentioned above.
-+ return true;
-+}
-+
-+/// OpenSSL X509_sign() wrapper
-+static auto
-+Sign(Security::Certificate &cert, const Security::PrivateKeyPointer &key, const EVP_MD &availableDigest) {
-+ const auto digestOrNil = signWithDigest(key) ?
&availableDigest : nullptr;
-+ return X509_sign(&cert, key.get(), digestOrNil);
-+}
-+
- void
- Ssl::ForgetErrors()
- {
-@@ -618,9 +654,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu
- assert(hash);
- /*Now sign the request */
- if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get())
-- ret = X509_sign(cert.get(), properties.signWithPkey.get(), hash);
-+ ret = Sign(*cert, properties.signWithPkey, *hash);
- else //else sign with self key (self signed request)
-- ret = X509_sign(cert.get(), pkey.get(), hash);
-+ ret = Sign(*cert, pkey, *hash);
-
- if (!ret)
- return false;
diff --git a/squid.spec b/squid.spec
index 1a32214..5d3f86e 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,8 +2,8 @@
 %define version_underscore %(echo %{version} | tr '.' '_')
 
 Name: squid
-Version: 7.1
-Release: 3%{?dist}
+Version: 7.2
+Release: 1%{?dist}
 Summary: The Squid proxy caching server
 Epoch: 7
 # See CREDITS for breakdown of non GPLv2+ code
@@ -37,7 +37,6 @@ Patch203: squid-6.1-perlpath.patch
 # revert this upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=1936422
 # workaround for #1934919
 Patch204: squid-6.1-symlink-lang-err.patch
-Patch205: squid-7.1-provider-keys-digest.patch
 # cache_swap.sh
 Requires: bash gawk
@@ -307,6 +306,9 @@ fi
 %changelog
+* Fri Oct 17 2025 Luboš Uhliarik - 7:7.2-1
+- new version 7.2
+
 * Thu Sep 11 2025 Luboš Uhliarik - 7:7.1-3
 - Support provider keys that require NULL digest
From d9e38f92158f83eef6f4a9cf9ddad9931d703413 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Wed, 29 Oct 2025 11:01:53 +0100
Subject: [PATCH 9/9] new version 7.3
---
 sources | 4 ++--
 squid.spec | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/sources b/sources
index 1a01cad..304c790 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (squid-7.2.tar.xz) = 424c425dde7b399531c9ed5a700ef84bf8e828b1896f0bd037da121e9b4c8ad0fb0c2b8daad1a0a5308269cc5ffbda42e4c1815421c0bdd6a4046d92dcb56fa7
-SHA512 (squid-7.2.tar.xz.asc) = 688dac65470fa27551579046061130c6a4a623070fda56fdb873ca1c6008afbf2c5fe328f2a93135bec3645444b9636137b9ec32fb2c041fdad8924dc91ccf5f
+SHA512 (squid-7.3.tar.xz) = ad6bbe518d79d079f7fe5d1ee9ae7a3f49b28ba75afdb1f0db16675e1e4127be2bc30dd246b00576f29e987c08c41dbff50c8227166ae3955c460ff837a89e2b
+SHA512 (squid-7.3.tar.xz.asc) = c6774627e0408d1feed5a00489ca95467f001261b201b82c3ab9c450856fe5ad27e50d43db7a2afe2aaff88930981f783315a1b764cac5619543852e93338273
 SHA512 (pgp.asc) = b1e1dd5ead34711f064a12a324b2f156ad4835330d861eae4032926b8a6cd07c0eacc76f52518d47ed5a8ead4695f5abd02f2b4190af8e7833bd3ea31453569d
diff --git a/squid.spec b/squid.spec
index 5d3f86e..84d079b 100644
--- a/squid.spec
+++ b/squid.spec
@@ -2,7 +2,7 @@
 %define version_underscore %(echo %{version} | tr '.' '_')
 
 Name: squid
-Version: 7.2
+Version: 7.3
 Release: 1%{?dist}
 Summary: The Squid proxy caching server
 Epoch: 7
@@ -306,6 +306,9 @@ fi
 %changelog
+* Wed Oct 29 2025 Luboš Uhliarik - 7:7.3-1
+- new version 7.3
+
 * Fri Oct 17 2025 Luboš Uhliarik - 7:7.2-1
 - new version 7.2