File squid-Bug-5390-Non-POD-SquidConfig-ssl_client-sslContext-e.patch of Package squid.42765

From c565067bf2ddf3ce88ed27d71d1d8816ee03047e Mon Sep 17 00:00:00 2001
From: Eduard Bagdasaryan <eduard.bagdasaryan@measurement-factory.com>
Date: Sat, 30 Nov 2024 03:04:33 +0000
Subject: [PATCH] Bug 5390: Non-POD SquidConfig::ssl_client::sslContext exit
 crash (#1952)

Squid may crash when the SquidConfig global is auto-destructed after
main() ends. Since SquidConfig global is used by cleanup code, we should
keep its fields alive, essentially emulating "No New Globals" policy
effects. This surgical fix will be followed up with more changes to
address general OpenSSL cleanup problems exposed by this bug.

This bug fix facilitates backporting by using FuturePeerContext shim.

tabraham@suse.com: backport of commit c565067bf2ddf3ce88ed27d71d1d8816ee03047e
---
 src/SquidConfig.h                  |  2 +-
 src/cache_cf.cc                    | 10 ++++++----
 src/security/BlindPeerConnector.cc |  2 +-
 src/ssl/PeekingPeerConnector.cc    |  2 +-
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/SquidConfig.h b/src/SquidConfig.h
index 7cb949b38..84210a5bb 100644
--- a/src/SquidConfig.h
+++ b/src/SquidConfig.h
@@ -511,7 +511,7 @@ public:
     external_acl *externalAclHelperList;
 
     struct {
-        Security::ContextPointer sslContext;
+        Security::ContextPointer *sslContext_;
 #if USE_OPENSSL
         char *foreignIntermediateCertsPath;
         acl_access *cert_error;
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index cc1cbc556..4d323f12f 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -963,8 +963,9 @@ configDoConfigure(void)
 
     if (Security::ProxyOutgoingConfig.encryptTransport) {
         debugs(3, 2, "initializing https:// proxy context");
-        Config.ssl_client.sslContext = Security::ProxyOutgoingConfig.createClientContext(false);
-        if (!Config.ssl_client.sslContext) {
+	const auto rawSslContext = Security::ProxyOutgoingConfig.createClientContext(false);
+	Config.ssl_client.sslContext_ = rawSslContext ? new Security::ContextPointer(rawSslContext) : nullptr;
+        if (!Config.ssl_client.sslContext_) {
 #if USE_OPENSSL
             fatal("ERROR: Could not initialize https:// proxy context");
 #else
@@ -972,7 +973,7 @@ configDoConfigure(void)
 #endif
         }
 #if USE_OPENSSL
-        Ssl::useSquidUntrusted(Config.ssl_client.sslContext.get());
+        Ssl::useSquidUntrusted(Config.ssl_client.sslContext_->get());
 #endif
     }
 
@@ -3929,7 +3930,8 @@ configFreeMemory(void)
 {
     free_all();
     Dns::ResolveClientAddressesAsap = false;
-    Config.ssl_client.sslContext.reset();
+    delete Config.ssl_client.sslContext_;
+    Config.ssl_client.sslContext_ = nullptr;
 #if USE_OPENSSL
     Ssl::unloadSquidUntrusted();
 #endif
diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc
index 7372df960..2f442edbc 100644
--- a/src/security/BlindPeerConnector.cc
+++ b/src/security/BlindPeerConnector.cc
@@ -27,7 +27,7 @@ Security::BlindPeerConnector::getTlsContext()
     if (peer && peer->secure.encryptTransport)
         return peer->sslContext;
 
-    return ::Config.ssl_client.sslContext;
+    return *Config.ssl_client.sslContext_;
 }
 
 bool
diff --git a/src/ssl/PeekingPeerConnector.cc b/src/ssl/PeekingPeerConnector.cc
index 6098b5ae9..b57b62a98 100644
--- a/src/ssl/PeekingPeerConnector.cc
+++ b/src/ssl/PeekingPeerConnector.cc
@@ -145,7 +145,7 @@ Ssl::PeekingPeerConnector::checkForPeekAndSpliceGuess() const
 Security::ContextPointer
 Ssl::PeekingPeerConnector::getTlsContext()
 {
-    return ::Config.ssl_client.sslContext;
+    return *Config.ssl_client.sslContext_;
 }
 
 bool
-- 
2.51.0
Places

File squid-Bug-5390-Non-POD-SquidConfig-ssl_client-sslContext-e.patch of Package squid.42765

Places
