Change link order of libcomm and libip to fix missing symbols at link
time on Solaris:
```
libtool: link: /usr/gcc/14/bin/g++ ... -o tests/testCacheManager
_ZN2Ip11InterceptorE ... libcomm.a
_ZN2Ip9Intercept9LookupNatERKN4Comm10ConnectionE ... libcomm.a
ld: fatal: symbol referencing errors
```
The FreeBSD project has promoted version 14.2 to stable.
Some packages we use are not compatible with version 14.1.
Upgrade the reference version we use; the action supports it.
Fixed missing includes, type mismatches in some local variables,
applied some AAA; extracted WIN32_maperror into own header and
implementation files using NoMoreGlobals, and used modern C++ data
types for it.
This change also mirrors changes introduced in aiops.cc by commit
91d1cfb. These changes require further refinement (in both files).
Examples of errors fixed:
```
aiops_win32.cc: In function
'void* squidaio_xmalloc(int)':
aiops_win32.cc:161:17: error:
invalid use of incomplete type 'class Mem::Allocator'
aiops_win32.cc: In function 'void squidaio_init()':
aiops_win32.cc:278:19: error:
comparison of integer expressions of different signedness:
'int' and 'size_t' {aka 'long long unsigned int'}
aiops_win32.cc: In function
'void squidaio_do_read(squidaio_request_t*)':
aiops_win32.cc:782:9: error:
'WIN32_maperror' was not declared in this scope
```
The pipe(2) function is not available on Windows and mingw,
in favour of a broader _pipe() call.
Fixes the following build error:
```
DiskThreads/CommIO.cc:
In static member function 'static void CommIO::Initialize()':
DiskThreads/CommIO.cc:26:9: error:
'pipe' was not declared in this scope; did you mean '_pipe'?
```
Solve build error:
```
ld: ntlm_sspi_auth.o: in function `token_decode':
undefined reference to `nettle_base64_decode_init'
undefined reference to `nettle_base64_decode_update'
undefined reference to `nettle_base64_decode_final'
```
HttpRequest::peer_host was added in 2009 commit 9ca29d23 so that
httpFixupAuthentication() could pass copied raw CachePeer::host pointer
value to peer_proxy_negotiate_auth(). Unfortunately, raw peer_host
pointer (to CachePeer::host memory) becomes dangling when CachePeer is
reconfigured away. Instead of maintaining this problematic field, we can
safely obtain the same CachePeer::host value from HttpStateData::_peer.
Sending new requests to a removed cache_peer contradicts current Squid
configuration and even exposes Squid code that forgets to check
CachePeer validity to dangling pointers. We will address the latter
concern separately.
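
The lifetime problem described above, as an added sketch that is not Squid code: `CachePeer` here is a hypothetical stand-in, and `std::weak_ptr` is an assumed substitute for whatever validity-checked pointer the real `HttpStateData::_peer` uses. `RequestBefore`, `StateAfter`, `peerHostForAuth()` and `simulateReconfigure()` are illustrative names.

```cpp
#include <memory>
#include <string>

// Hypothetical stand-ins for the Squid classes named above; not Squid code.
struct CachePeer {
    std::string host;
};

// "Before" shape: the request carries a raw copy of the peer's host pointer.
// Nothing ties its lifetime to the CachePeer that owns the memory.
struct RequestBefore {
    const char *peer_host;
};

// "After" shape: the transaction state holds a validity-checked link to the
// peer (std::weak_ptr is this sketch's assumption) and reads host on demand.
struct StateAfter {
    std::weak_ptr<CachePeer> peer;

    // Copies the peer host into `host`; false if the peer no longer exists.
    bool peerHostForAuth(std::string &host) const {
        const std::shared_ptr<CachePeer> p = peer.lock();
        if (!p)
            return false;
        host = p->host;
        return true;
    }
};

struct Outcome {
    bool validBefore;
    bool validAfter;
    std::string hostBefore;
};

// Simulates a reconfiguration that removes the cache_peer mid-transaction.
Outcome simulateReconfigure() {
    auto peer = std::make_shared<CachePeer>(CachePeer{"parent.example.net"});
    RequestBefore oldReq{peer->host.c_str()};
    StateAfter state{peer};

    Outcome o;
    o.validBefore = state.peerHostForAuth(o.hostBefore);
    peer.reset(); // constructed event: the cache_peer is reconfigured away
    (void)oldReq; // oldReq.peer_host now dangles; reading it is a use-after-free
    std::string unused;
    o.validAfter = state.peerHostForAuth(unused);
    return o;
}
```
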
Now these optional features are enabled during applicable layer tests if
their packages appear to be available on the build system. This should
help prevent regressions like the one fixed in recent commit 53ed1a9.
Terminate helper_command buffer before using it as a c-string. Supported
helper commands have two characters.
This change also reduces MinGW build errors.
In the non-Windows case, we unconditionally
include some system headers. Add conditions
for improved portability.
Fixes error:
```
src/auth/digest/LDAP/ldap_backend.cc:49:10:
fatal error: lber.h: No such file or directory
```
On Windows, mkdir only takes one argument.
compat/mswindows.h has an adapter, add it to
compat/mingw.h as well.
Solves error:
```
UFSSwapDir.cc:617:26: error: too many arguments
to function 'int mkdir(const char*)'
mingw/include/io.h:282:15: note: declared here
int __cdecl mkdir (const char *);
```
When the environment does not HAVE_SHM, Ipc::Mem::Segment::open() method
definition does not match its declaration. Make it match.
```
src/ipc/mem/Segment.cc:346:1: error: no declaration matches
void Ipc::Mem::Segment::open()
src/ipc/mem/Segment.h:37:10: note: candidate is:
void Ipc::Mem::Segment::open(bool)
```
libnettle is needed to build negotiate_sspi_auth.
This change fixes many errors similar to:
```
negotiate_sspi_auth.cc:126: undefined reference to
nettle_base64_decode_init
```
The AIO Windows compatibility layer is also
necessary on mingw.
Problems fixed:
```
DiskIO/AIO/async_io.h:58:18:
error: field 'aq_e_aiocb' has incomplete type 'aiocb'
DiskIO/AIO/async_io.h:58:12:
note: forward declaration of 'struct aiocb'
DiskIO/AIO/AIODiskFile.cc:
In member function
'virtual void AIODiskFile::read(ReadRequest*)':
src/DiskIO/AIO/AIODiskFile.cc:134:9:
error: 'aio_read' was not declared in this scope;
did you mean 'file_read' ?
```
```
# When applying tls-dh=prime256v1:dhparams.pem configuration:
WARNING: Failed to decode EC parameters 'dhparams.pem'
# When forcing the use of FFDHE with something like
# openssl s_client -tls1_2 -cipher DHE-RSA-AES256-SHA256 -connect...
ERROR: failure while accepting a TLS connection on:
SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A0000C1+TLS_IO_ERR=1
```
Squid `https_port ... tls-dh=curve:dhparams.pem` configuration is
supposed to support _both_ ECDHE and FFDHE key exchange mechanisms (and
their cipher suites), depending on client-supported cipher suites. ECDHE
mechanism should use the named curve (e.g., `prime256v1`), and FFDHE
mechanism should use key exchange parameters loaded from the named PEM
file (e.g., `ffdhe4096` named group specified in RFC 7919).
When 2022 commit 742236c added support for OpenSSL v3 APIs, new
loadDhParams() code misinterpreted curve name presence in `tls-dh` value
as an indication that the named parameters file contains ECDHE
parameters, setting OSSL_DECODER_CTX_new_for_pkey() type parameter to
"EC", and (when parameter file specified FFDHE details) triggering the
WARNING message quoted above.
Squid should not expect additional ECDHE parameters when the elliptic
curve group is already fully specified by naming it at the start of
`tls-dh` value. Squid now reverts to earlier (v4) behavior, where
the two mechanisms can coexist and can be configured separately as
described above:
```
$ openssl s_client -tls1_2 -cipher DHE-RSA-AES256-SHA256 -connect...
Server Temp Key: DH, 4096 bits
$ openssl s_client -connect...
Server Temp Key: ECDH, prime256v1, 256 bits
```
Furthermore, updateContextEecdh() code in commit 742236c continued to
load parsed parameters using old SSL_CTX_set_tmp_dh() call but should
have used SSL_CTX_set0_tmp_dh_pkey() API because the type of parsed
parameters (i.e. DhePointer) has changed from DH to EVP_PKEY pointer.
This second bug affected configurations with and without an explicit
curve name in `tls-dh` value.
Also report a failure to load parsed parameters into TLS context.
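
A regression check for the `tls-dh=curve:file` behavior described above, run over captured `openssl s_client` output. This is an added example, not Squid code: `parseTempKey()` and `bothMechanismsServed()` are illustrative names, and the expected FFDHE size is an assumption the caller supplies for its own PEM file.

```cpp
#include <cctype>
#include <sstream>
#include <string>

// Parsed "Server Temp Key:" line from a captured `openssl s_client` run.
struct TempKey {
    std::string kind;  // "DH" for FFDHE, "ECDH" for ECDHE; empty if no line
    std::string group; // curve name when reported
    int bits = 0;
};

static std::string trim(const std::string &s) {
    const auto b = s.find_first_not_of(" \t\r");
    return b == std::string::npos ? "" : s.substr(b, s.find_last_not_of(" \t\r") - b + 1);
}

TempKey parseTempKey(const std::string &transcript) {
    static const std::string tag = "Server Temp Key:";
    std::istringstream in(transcript);
    TempKey key;
    for (std::string line; std::getline(in, line);) {
        const auto pos = line.find(tag);
        if (pos == std::string::npos) continue;
        // Comma-separated fields: kind[, group], "<N> bits"
        std::istringstream fields(line.substr(pos + tag.size()));
        for (std::string f; std::getline(fields, f, ',');) {
            f = trim(f);
            if (key.kind.empty())
                key.kind = f;
            else if (!f.empty() && std::isdigit(static_cast<unsigned char>(f[0])))
                key.bits = std::stoi(f);
            else
                key.group = f;
        }
        break;
    }
    return key; // kind stays empty when the handshake failed before key exchange
}

// The forced-DHE run must get FFDHE of ffdheBits (assumed size of the PEM
// group); the default run must get ECDHE on the curve named in tls-dh.
bool bothMechanismsServed(const std::string &tlsDh, const std::string &dheRun,
                          const std::string &defaultRun, int ffdheBits) {
    const auto colon = tlsDh.find(':');
    if (colon == std::string::npos)
        return false; // this check covers the curve:file form only
    const TempKey dhe = parseTempKey(dheRun), ec = parseTempKey(defaultRun);
    return dhe.kind == "DH" && dhe.bits == ffdheBits &&
           ec.kind == "ECDH" && ec.group == tlsDh.substr(0, colon);
}
```

A forced-DHE transcript with no `Server Temp Key:` line, as happens when the accept fails with the ERROR quoted above, makes the check return false.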
Lan Manager (LM) is an obsolete variant of the SMB protocol.
No product on the market has supported it for several years now,
in favour of NTLMv1, NTLMv2 and Kerberos.
ext_ad_group_acl was written in 2008 in C, and
it used the C variant of the Win32 API.
It was then ported to C++, but the API callers were
not updated to the C++ version of the API.
With more modern compilers, and
Squid enforcing more strict types and error handling,
it is no longer compiling.
This is part 1 of 2 of the fixes to make the helper build
again; the scope is to update Win32 API callers so they
use the C++ version of the API.
Examples of fixed errors:
```
error: 'IADs' {aka 'struct IADs'} has no member named 'lpVtbl'
error: 'VARIANT' {aka 'struct tagVARIANT'} has no member named 'n1'
```
<winldap.h> requires <windows.h> to be previously
included in order to compile.
```
configure:38466: checking for winldap.h
wincrypt.h:5051:254: error: 'PSYSTEMTIME' has not been declared
```
These changes were anticipated in Bug 5390 fix (recent commit c565067):
https://bugs.squid-cache.org/show_bug.cgi?id=5390#c16
They eliminate all known OpenSSL-related globals:
* Security::ProxyOutgoingConfig
* Ssl::SquidUntrustedCerts
* Ssl::TheGeneratorRequests
* Ssl::TheGlobalContextStorage
Also applied AAA and range-based `for` loop upgrades to modified lines.
CppUnit tests emit a lot of "FAIL: 0" and "XFAIL: 0" lines, which are
incorrectly classified as errors by the test-builds.sh. Filter these
messages out as they are not indicative of problems.
GitHub Actions UI does not handle large amounts of console output with
collapsable `::group::` sections well.
For example, UI may truncate console output if a collapsable `::group::`
section gets too many log lines. In some cases, GitHub does not report
truncation at all, resulting in misleading console output. In others, UI
warns: "This step has been truncated due to its large size. Download the
full logs from the menu once the workflow run has completed."
This change reverts recent commit e5a66fc26d.
```
store/Disks.cc:690: error: argument 1 value 18446744073709551615
exceeds maximum object size 9223372036854775807
[-Werror=alloc-size-larger-than=]
const auto tmp = new SwapDir::Pointer[swap->n_allocated];
pconn.cc:43:53: error: argument 1 value 18446744073709551615 ...
theList_ = new Comm::ConnectionPointer[capacity_];
```
Tested on Ubuntu 24.04 and GCC v13.2.0.
During shutdown, iocb_table global was deleted, but the corresponding
cleanup code ignored some IoCallback members, triggering misleading
Ipc::UdsSender memory leak reports from Valgrind.
This change uses NoNewGlobals design to address the above problem, but
this code needs a lot more refactoring to address other old problems
associated with Comm initialization.
test-builds.sh records build output in per-layer logs, and we are
already collecting those logs. Send build output to standard output as
well, to expose it in GitHub Actions user interface. This new detailed
output is enclosed in a "layer ... output" group to keep emphasizing
problematic output lines extracted by test-builds.sh.
Also enclose MacOS build setup output in a group, for similar reasons.
Level-2 "Tunnel Server RESPONSE:..." debugs() incorrectly assumed that
its readBuf parameter contained hdr_sz header bytes. In reality, by the
time code reached that debugs(), readBuf no longer had any header bytes
(and often had no bytes at all). Besides broken header dumps, this bug
could lead to problems that Valgrind reports as "Conditional jump or
move depends on uninitialised value" in DebugChannel::writeToStream().
This fix mimics HttpStateData::processReplyHeader() reporting code,
including its known problems. Future changes should address those
problems and reduce code duplication across at least ten functions
containing similar "decorated" level-2 message dumps.
To avoid documentation duplication, current https_port and ftp_port
directive descriptions reference http_port directive instead of
detailing their own supported parameters. For https_port, this solution
creates a false impression that the directive supports all http_port
options. Our ftp_port documentation is better but still leaves the
reader guessing which options are actually supported.
This change starts enumerating http_port configuration parameters that
ftp_port and https_port directives do _not_ support. Eventually, Squid
should reject configurations with unsupported listening port options.
In modern code, FwdReplyCodes[0][i] is usually zero because n_tries is
usually at least one at logReplyStatus() call time. This leads to
mgr:forward report showing nothing but table heading (i.e. no stats).
Also improve `try#N` heading:data match by skipping FwdReplyCodes[0]
reporting (there is still no `try#0` heading) and adding a previously
missing `try#9` heading.