From: Alex Rousskov
Date: Mon, 2 Jun 2014 05:26:17 +0000 (-0700)
Subject: Do not leak ex_data for SSL state that survived reconfigure.
X-Git-Tag: SQUID_3_5_0_1~211
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=56a35ad1f0c66cdad042e28cfd1a1f41521d4d5d;p=thirdparty%2Fsquid.git

Do not leak ex_data for SSL state that survived reconfigure.

SSL_get_ex_new_index() allocates a new index on every call, even if its parameters remain unchanged. It should be called once per process lifetime. Besides leaking, this 12 year-old(!) bug could probably make some SSL code misbehave during reconfigure because reconfigure would change the supposedly constant ex_data indexes.
---
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index f944bf0c4e..7e83ac8572 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -711,35 +711,29 @@ ssl_free_X509(void *, void *ptr, CRYPTO_EX_DATA *,
 static void
 ssl_initialize(void)
 {
- static int ssl_initialized = 0;
-
- if (!ssl_initialized) {
- ssl_initialized = 1;
- SSL_load_error_strings();
- SSLeay_add_ssl_algorithms();
-#if HAVE_OPENSSL_ENGINE_H
-
- if (Config.SSL.ssl_engine) {
- ENGINE *e;
+ static bool initialized = false;
+ if (initialized)
+ return;
+ initialized = true;
- if (!(e = ENGINE_by_id(Config.SSL.ssl_engine))) {
- fatalf("Unable to find SSL engine '%s'\n", Config.SSL.ssl_engine);
- }
+ SSL_load_error_strings();
+ SSLeay_add_ssl_algorithms();
- if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
- int ssl_error = ERR_get_error();
- fatalf("Failed to initialise SSL engine: %s\n",
- ERR_error_string(ssl_error, NULL));
- }
+#if HAVE_OPENSSL_ENGINE_H
+ if (Config.SSL.ssl_engine) {
+ ENGINE *e;
+ if (!(e = ENGINE_by_id(Config.SSL.ssl_engine)))
+ fatalf("Unable to find SSL engine '%s'\n", Config.SSL.ssl_engine);
+
+ if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+ int ssl_error = ERR_get_error();
+ fatalf("Failed to initialise SSL engine: %s\n", ERR_error_string(ssl_error, NULL));
 }
-
+ }
 #else
- if (Config.SSL.ssl_engine) {
- fatalf("Your OpenSSL has no SSL engine support\n");
- }
-
+ if (Config.SSL.ssl_engine)
+ fatalf("Your OpenSSL has no SSL engine support\n");
 #endif
- }
 ssl_ex_index_server = SSL_get_ex_new_index(0, (void *) "server", NULL, NULL, NULL);
 ssl_ctx_ex_index_dont_verify_domain = SSL_CTX_get_ex_new_index(0, (void *) "dont_verify_domain", NULL, NULL, NULL);
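Review bot: The new `if (initialized) return;` guard at the top of ssl_initialize() also moves the whole `ssl_engine` lookup (ENGINE_by_id/ENGINE_set_default) behind a once-per-process gate, so if this function is reached on reconfigure as the commit message implies, an operator who changes `ssl_engine` after startup gets the old engine with no warning; the commit fixes the ex_data index leak but leaves that trade-off undocumented. A comment on the guard would make it explicit, e.g. `// Once per process: ex_data indexes must stay constant across reconfigure, so a later change to ssl_engine is deliberately not applied.` Separately, per the OpenSSL ENGINE documentation ENGINE_by_id() returns a structural reference that the caller should release with `ENGINE_free(e);` once ENGINE_set_default() has taken its own references; the new block never does, which is now a one-time leak rather than a per-reconfigure one. The enclosing function continues past the end of the hunk.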