From: Alex Rousskov <rousskov@measurement-factory.com>
Date: Tue, 3 Jun 2014 07:12:54 +0000 (-0600)
Subject: Do not leak ex_data for SSL state that survived reconfigure.
X-Git-Tag: SQUID_3_4_6~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=68d0658c38d1b56e23f5dfa59ce96dfc49360880;p=thirdparty%2Fsquid.git

Do not leak ex_data for SSL state that survived reconfigure.

SSL_get_ex_new_index() allocates a new index on every call, even if its
parameters remain unchanged. It should be called once per process
lifetime.

Besides leaking, this 12 year-old(!) bug could probably make some SSL
code misbehave during reconfigure because reconfigure would change the
supposedly constant ex_data indexes.
---

diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index e0123f6f66..e3cd327e31 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -705,37 +705,30 @@ ssl_free_X509(void *, void *ptr, CRYPTO_EX_DATA *,
 static void
 ssl_initialize(void)
 {
-    static int ssl_initialized = 0;
-
-    if (!ssl_initialized) {
-        ssl_initialized = 1;
-        SSL_load_error_strings();
-        SSLeay_add_ssl_algorithms();
-#if HAVE_OPENSSL_ENGINE_H
+    static bool initialized = false;
+    if (initialized)
+        return;
+    initialized = true;
 
-        if (Config.SSL.ssl_engine) {
-            ENGINE *e;
+    SSL_load_error_strings();
+    SSLeay_add_ssl_algorithms();
 
-            if (!(e = ENGINE_by_id(Config.SSL.ssl_engine))) {
-                fatalf("Unable to find SSL engine '%s'\n", Config.SSL.ssl_engine);
-            }
-
-            if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
-                int ssl_error = ERR_get_error();
-                fatalf("Failed to initialise SSL engine: %s\n",
-                       ERR_error_string(ssl_error, NULL));
-            }
+#if HAVE_OPENSSL_ENGINE_H
+    if (Config.SSL.ssl_engine) {
+        ENGINE *e;
+        if (!(e = ENGINE_by_id(Config.SSL.ssl_engine)))
+            fatalf("Unable to find SSL engine '%s'\n", Config.SSL.ssl_engine);
+
+        if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+            int ssl_error = ERR_get_error();
+            fatalf("Failed to initialise SSL engine: %s\n", ERR_error_string(ssl_error, NULL));
         }
-
+    }
 #else
-        if (Config.SSL.ssl_engine) {
-            fatalf("Your OpenSSL has no SSL engine support\n");
-        }
-
+    if (Config.SSL.ssl_engine)
+        fatalf("Your OpenSSL has no SSL engine support\n");
 #endif
 
-    }
-
     ssl_ex_index_server = SSL_get_ex_new_index(0, (void *) "server", NULL, NULL, NULL);
     ssl_ctx_ex_index_dont_verify_domain = SSL_CTX_get_ex_new_index(0, (void *) "dont_verify_domain", NULL, NULL, NULL);
     ssl_ex_index_cert_error_check = SSL_get_ex_new_index(0, (void *) "cert_error_check", NULL, &ssl_dupAclChecklist, &ssl_freeAclChecklist);