- - old_nettle_compat.patch: Fix compatibility with nettle in SLE-12

OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=193

old_nettle_compat.patch

@@ -0,0 +1,95 @@
+Author: Adam Majer <amajer@suse.de>
+Date: Thu Jul 18 13:57:22 CEST 2019
+
+nettle from SLE-12 is missing the change from later
+versions that ignores the destLen parameter size to
+base64_decode_update function. This is only used in
+the assert() but we need to pass real size of the buffer
+as otherwise all we get is a crash.
+
+The missing commit in nettle is,
+commit 07cb0b62a5fab216ed647f5a87e0f17ab3c9a615
+Author: Niels Möller <nisse@lysator.liu.se>
+Date:   Fri Feb 7 09:11:20 2014 +0100
+
+    Base64 and base16 decoding: Use *dst_length as output only.
+
+
+Index: squid-3.5.21/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
+===================================================================
+--- squid-3.5.21.orig/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
++++ squid-3.5.21/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
+@@ -667,7 +667,7 @@ main(int argc, char *const argv[])
+ 
+         struct base64_decode_ctx ctx;
+         base64_decode_init(&ctx);
+-        unsigned int dstLen = 0;
++        unsigned int dstLen = input_token.length;
+         if (!base64_decode_update(&ctx, &dstLen, static_cast<uint8_t*>(input_token.value), srcLen, b64Token) ||
+                 !base64_decode_final(&ctx)) {
+             debug((char *) "%s| %s: ERROR: Invalid base64 token [%s]\n", LogTime(), PROGRAM, b64Token);
+Index: squid-3.5.21/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc
+===================================================================
+--- squid-3.5.21.orig/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc
++++ squid-3.5.21/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc
+@@ -341,7 +341,7 @@ main(int argc, char *const argv[])
+ 
+         struct base64_decode_ctx ctx;
+         base64_decode_init(&ctx);
+-        unsigned int dstLen = 0;
++        unsigned int dstLen = length;
+         if (!base64_decode_update(&ctx, &dstLen, token, strlen(buf+3), reinterpret_cast<const uint8_t*>(buf+3)) ||
+                 !base64_decode_final(&ctx)) {
+             if (debug)
+Index: squid-3.5.21/helpers/ntlm_auth/fake/ntlm_fake_auth.cc
+===================================================================
+--- squid-3.5.21.orig/helpers/ntlm_auth/fake/ntlm_fake_auth.cc
++++ squid-3.5.21/helpers/ntlm_auth/fake/ntlm_fake_auth.cc
+@@ -151,7 +151,7 @@ main(int argc, char *argv[])
+         buflen = strlen(buf);   /* keep this so we only scan the buffer for \0 once per loop */
+         struct base64_decode_ctx ctx;
+         base64_decode_init(&ctx);
+-        unsigned int dstLen = 0;
++        unsigned int dstLen = HELPER_INPUT_BUFFER;
+         if (buflen > 3 &&
+                 base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, reinterpret_cast<const uint8_t*>(buf+3)) &&
+                 base64_decode_final(&ctx)) {
+Index: squid-3.5.21/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
+===================================================================
+--- squid-3.5.21.orig/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
++++ squid-3.5.21/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
+@@ -517,7 +517,7 @@ manage_request()
+         /* figure out what we got */
+         struct base64_decode_ctx ctx;
+         base64_decode_init(&ctx);
+-        unsigned int dstLen = 0;
++        unsigned int dstLen = NTLM_BLOB_BUFFER_SIZE;
+         int decodedLen = 0;
+         if (!base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(decoded), strlen(buf)-3, reinterpret_cast<const uint8_t*>(buf+3)) ||
+                 !base64_decode_final(&ctx)) {
+Index: squid-3.5.21/src/HttpHeader.cc
+===================================================================
+--- squid-3.5.21.orig/src/HttpHeader.cc
++++ squid-3.5.21/src/HttpHeader.cc
+@@ -1535,7 +1535,7 @@ HttpHeader::getAuth(http_hdr_type id, co
+     static char decodedAuthToken[8192];
+     struct base64_decode_ctx ctx;
+     base64_decode_init(&ctx);
+-    unsigned int decodedLen = 0;
++    unsigned int decodedLen = 8190;
+     if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), strlen(field), reinterpret_cast<const uint8_t*>(field)) ||
+             !base64_decode_final(&ctx)) {
+         return NULL;
+Index: squid-3.5.21/src/auth/basic/Config.cc
+===================================================================
+--- squid-3.5.21.orig/src/auth/basic/Config.cc
++++ squid-3.5.21/src/auth/basic/Config.cc
+@@ -173,7 +173,7 @@ Auth::Basic::Config::decodeCleartext(con
+     struct base64_decode_ctx ctx;
+     base64_decode_init(&ctx);
+ 
+-    unsigned int dstLen = 0;
++    unsigned int dstLen = BASE64_DECODE_LENGTH(srcLen)+1;
+     if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, (const uint8_t*)eek) && base64_decode_final(&ctx)) {
+         cleartext[dstLen] = '\0';
+ 

squid.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Jul 18 14:11:28 UTC 2019 - Adam Majer <adam.majer@suse.de>
+
+- old_nettle_compat.patch: Fix compatibility with nettle in SLE-12
+
 -------------------------------------------------------------------
 Mon Jul 15 14:58:13 UTC 2019 - Adam Majer <adam.majer@suse.de>
 

squid.spec

@@ -39,6 +39,7 @@ Source15:       cache_dir.sed
 Source16:       initialize_cache_if_needed.sh
 Source17:       tmpfilesdir.squid.conf
 Patch1:         missing_installs.patch
+Patch2:         old_nettle_compat.patch
 BuildRequires:  cppunit-devel
 BuildRequires:  db-devel
 BuildRequires:  ed
@@ -88,6 +89,9 @@ cp %{SOURCE10} .
 # upstream patches after RELEASE
 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
 %patch1 -p1
+%if %{suse_version} < 1500
+%patch2 -p1
+%endif
 
 %build
 %define _lto_cflags %{nil}