Fix crypto card functionality (bsc#1250223)

squid-Bug-5390-Non-POD-SquidConfig-ssl_client-sslContext-e.patch

@@ -0,0 +1,99 @@
+From c565067bf2ddf3ce88ed27d71d1d8816ee03047e Mon Sep 17 00:00:00 2001
+From: Eduard Bagdasaryan <eduard.bagdasaryan@measurement-factory.com>
+Date: Sat, 30 Nov 2024 03:04:33 +0000
+Subject: [PATCH] Bug 5390: Non-POD SquidConfig::ssl_client::sslContext exit
+ crash (#1952)
+
+Squid may crash when the SquidConfig global is auto-destructed after
+main() ends. Since SquidConfig global is used by cleanup code, we should
+keep its fields alive, essentially emulating "No New Globals" policy
+effects. This surgical fix will be followed up with more changes to
+address general OpenSSL cleanup problems exposed by this bug.
+
+This bug fix facilitates backporting by using FuturePeerContext shim.
+
+tabraham@suse.com: backport of commit c565067bf2ddf3ce88ed27d71d1d8816ee03047e
+---
+ src/SquidConfig.h                  |  2 +-
+ src/cache_cf.cc                    | 10 ++++++----
+ src/security/BlindPeerConnector.cc |  2 +-
+ src/ssl/PeekingPeerConnector.cc    |  2 +-
+ 4 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/SquidConfig.h b/src/SquidConfig.h
+index 7cb949b38..84210a5bb 100644
+--- a/src/SquidConfig.h
++++ b/src/SquidConfig.h
+@@ -511,7 +511,7 @@ public:
+     external_acl *externalAclHelperList;
+ 
+     struct {
+-        Security::ContextPointer sslContext;
++        Security::ContextPointer *sslContext_;
+ #if USE_OPENSSL
+         char *foreignIntermediateCertsPath;
+         acl_access *cert_error;
+diff --git a/src/cache_cf.cc b/src/cache_cf.cc
+index cc1cbc556..4d323f12f 100644
+--- a/src/cache_cf.cc
++++ b/src/cache_cf.cc
+@@ -963,8 +963,9 @@ configDoConfigure(void)
+ 
+     if (Security::ProxyOutgoingConfig.encryptTransport) {
+         debugs(3, 2, "initializing https:// proxy context");
+-        Config.ssl_client.sslContext = Security::ProxyOutgoingConfig.createClientContext(false);
+-        if (!Config.ssl_client.sslContext) {
++	const auto rawSslContext = Security::ProxyOutgoingConfig.createClientContext(false);
++	Config.ssl_client.sslContext_ = rawSslContext ? new Security::ContextPointer(rawSslContext) : nullptr;
++        if (!Config.ssl_client.sslContext_) {
+ #if USE_OPENSSL
+             fatal("ERROR: Could not initialize https:// proxy context");
+ #else
+@@ -972,7 +973,7 @@ configDoConfigure(void)
+ #endif
+         }
+ #if USE_OPENSSL
+-        Ssl::useSquidUntrusted(Config.ssl_client.sslContext.get());
++        Ssl::useSquidUntrusted(Config.ssl_client.sslContext_->get());
+ #endif
+     }
+ 
+@@ -3929,7 +3930,8 @@ configFreeMemory(void)
+ {
+     free_all();
+     Dns::ResolveClientAddressesAsap = false;
+-    Config.ssl_client.sslContext.reset();
++    delete Config.ssl_client.sslContext_;
++    Config.ssl_client.sslContext_ = nullptr;
+ #if USE_OPENSSL
+     Ssl::unloadSquidUntrusted();
+ #endif
+diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc
+index 7372df960..2f442edbc 100644
+--- a/src/security/BlindPeerConnector.cc
++++ b/src/security/BlindPeerConnector.cc
+@@ -27,7 +27,7 @@ Security::BlindPeerConnector::getTlsContext()
+     if (peer && peer->secure.encryptTransport)
+         return peer->sslContext;
+ 
+-    return ::Config.ssl_client.sslContext;
++    return *Config.ssl_client.sslContext_;
+ }
+ 
+ bool
+diff --git a/src/ssl/PeekingPeerConnector.cc b/src/ssl/PeekingPeerConnector.cc
+index 6098b5ae9..b57b62a98 100644
+--- a/src/ssl/PeekingPeerConnector.cc
++++ b/src/ssl/PeekingPeerConnector.cc
+@@ -145,7 +145,7 @@ Ssl::PeekingPeerConnector::checkForPeekAndSpliceGuess() const
+ Security::ContextPointer
+ Ssl::PeekingPeerConnector::getTlsContext()
+ {
+-    return ::Config.ssl_client.sslContext;
++    return *Config.ssl_client.sslContext_;
+ }
+ 
+ bool
+-- 
+2.51.0
+

squid.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Feb 13 16:27:15 UTC 2026 - Adam Majer <adam.majer@suse.de>
+
+- squid-Bug-5390-Non-POD-SquidConfig-ssl_client-sslContext-e.patch:
+  fix workign with crypto module (bsc#1250223)
+
 -------------------------------------------------------------------
 Thu Nov  6 15:07:07 UTC 2025 - Adam Majer <adam.majer@suse.de>
 

squid.spec

@@ -51,6 +51,7 @@ Patch3:         harden_squid.service.patch
 Patch4:         CVE-2024-33427.patch
 Patch5:         CVE-2025-59362.patch
 Patch6:         CVE-2025-62168.patch
+Patch7:         squid-Bug-5390-Non-POD-SquidConfig-ssl_client-sslContext-e.patch
 BuildRequires:  cppunit-devel
 BuildRequires:  expat
 BuildRequires:  fdupes
@@ -110,6 +111,7 @@ cp %{SOURCE10} .
 %patch -P 4 -p1
 %patch -P 5 -p1
 %patch -P 6 -p1
+%patch -P 7 -p1
 
 # upstream patches after RELEASE
 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`