gamzinav/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MEDIUM: ssl: ctx_set_version/ssl_set_version func for methodVersions table

Browse Source 
This patch cleanup the usage of set_version func with a more suitable name:
ctx_set_version. It introduce ssl_set_version func (unused for the moment).
This commit is contained in:
Emmanuel Hocdet 2017-05-18 12:33:19 +02:00 committed by Willy Tarreau
parent ecb0e234b9
commit 4aa615ff6b
1 changed files with 70 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

107
src/ssl_sock.c
View File

@ -1821,71 +1821,103 @@ ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind_con
#endif #endif
#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) && !defined(OPENSSL_IS_BORINGSSL) #if (OPENSSL_VERSION_NUMBER < 0x1010000fL) && !defined(OPENSSL_IS_BORINGSSL)
static void ssl_set_SSLv3_func(SSL_CTX *ctx, int is_server) typedef enum { SET_CLIENT, SET_SERVER } set_context_func;
static void ctx_set_SSLv3_func(SSL_CTX *ctx, set_context_func c)
{ {
#if SSL_OP_NO_SSLv3 #if SSL_OP_NO_SSLv3
is_server ? SSL_CTX_set_ssl_version(ctx, SSLv3_server_method()) c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, SSLv3_server_method())
: SSL_CTX_set_ssl_version(ctx, SSLv3_client_method()); : SSL_CTX_set_ssl_version(ctx, SSLv3_client_method());
#endif #endif
} }
static void ssl_set_TLSv10_func(SSL_CTX *ctx, int is_server) { static void ctx_set_TLSv10_func(SSL_CTX *ctx, set_context_func c) {
is_server ? SSL_CTX_set_ssl_version(ctx, TLSv1_server_method()) c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, TLSv1_server_method())
: SSL_CTX_set_ssl_version(ctx, TLSv1_client_method()); : SSL_CTX_set_ssl_version(ctx, TLSv1_client_method());
} }
static void ssl_set_TLSv11_func(SSL_CTX *ctx, int is_server) { static void ctx_set_TLSv11_func(SSL_CTX *ctx, set_context_func c) {
#if SSL_OP_NO_TLSv1_1 #if SSL_OP_NO_TLSv1_1
is_server ? SSL_CTX_set_ssl_version(ctx, TLSv1_1_server_method()) c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, TLSv1_1_server_method())
: SSL_CTX_set_ssl_version(ctx, TLSv1_1_client_method()); : SSL_CTX_set_ssl_version(ctx, TLSv1_1_client_method());
#endif #endif
} }
static void ssl_set_TLSv12_func(SSL_CTX *ctx, int is_server) { static void ctx_set_TLSv12_func(SSL_CTX *ctx, set_context_func c) {
#if SSL_OP_NO_TLSv1_2 #if SSL_OP_NO_TLSv1_2
is_server ? SSL_CTX_set_ssl_version(ctx, TLSv1_2_server_method()) c == SET_SERVER ? SSL_CTX_set_ssl_version(ctx, TLSv1_2_server_method())
: SSL_CTX_set_ssl_version(ctx, TLSv1_2_client_method()); : SSL_CTX_set_ssl_version(ctx, TLSv1_2_client_method());
#endif #endif
} }
static void ssl_set_TLSv13_func(SSL_CTX *ctx, int is_server) { /* TLS 1.2 is the last supported version in this context. */
/* TLS 1.2 is the last supported version in this context. */ static void ctx_set_TLSv13_func(SSL_CTX *ctx, set_context_func c) {}
} /* Unusable in this context. */
static void ssl_set_SSLv3_func(SSL *ssl, set_context_func c) {}
static void ssl_set_TLSv10_func(SSL *ssl, set_context_func c) {}
static void ssl_set_TLSv11_func(SSL *ssl, set_context_func c) {}
static void ssl_set_TLSv12_func(SSL *ssl, set_context_func c) {}
static void ssl_set_TLSv13_func(SSL *ssl, set_context_func c) {}
#else /* openssl >= 1.1.0 */ #else /* openssl >= 1.1.0 */
static void ssl_set_SSLv3_func(SSL_CTX *ctx, int is_max) { typedef enum { SET_MIN, SET_MAX } set_context_func;
is_max ? SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION)
static void ctx_set_SSLv3_func(SSL_CTX *ctx, set_context_func c) {
c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION)
: SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); : SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
} }
static void ssl_set_TLSv10_func(SSL_CTX *ctx, int is_max) { static void ssl_set_SSLv3_func(SSL *ssl, set_context_func c) {
is_max ? SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION) c == SET_MAX ? SSL_set_max_proto_version(ssl, SSL3_VERSION)
: SSL_set_min_proto_version(ssl, SSL3_VERSION);
}
static void ctx_set_TLSv10_func(SSL_CTX *ctx, set_context_func c) {
c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION)
: SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); : SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
} }
static void ssl_set_TLSv11_func(SSL_CTX *ctx, int is_max) { static void ssl_set_TLSv10_func(SSL *ssl, set_context_func c) {
is_max ? SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION) c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_VERSION)
: SSL_set_min_proto_version(ssl, TLS1_VERSION);
}
static void ctx_set_TLSv11_func(SSL_CTX *ctx, set_context_func c) {
c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION)
: SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); : SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);
} }
static void ssl_set_TLSv12_func(SSL_CTX *ctx, int is_max) { static void ssl_set_TLSv11_func(SSL *ssl, set_context_func c) {
is_max ? SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION) c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_1_VERSION)
: SSL_set_min_proto_version(ssl, TLS1_1_VERSION);
}
static void ctx_set_TLSv12_func(SSL_CTX *ctx, set_context_func c) {
c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION)
: SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); : SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
} }
static void ssl_set_TLSv13_func(SSL_CTX *ctx, int is_max) { static void ssl_set_TLSv12_func(SSL *ssl, set_context_func c) {
c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_2_VERSION)
: SSL_set_min_proto_version(ssl, TLS1_2_VERSION);
}
static void ctx_set_TLSv13_func(SSL_CTX *ctx, set_context_func c) {
#if SSL_OP_NO_TLSv1_3 #if SSL_OP_NO_TLSv1_3
is_max ? SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION)
: SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION); : SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
#endif #endif
} }
static void ssl_set_TLSv13_func(SSL *ssl, set_context_func c) {
#if SSL_OP_NO_TLSv1_3
c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_3_VERSION)
: SSL_set_min_proto_version(ssl, TLS1_3_VERSION);
#endif #endif
static void ssl_set_None_func(SSL_CTX *ctx, int i) {
} }
#endif
static void ctx_set_None_func(SSL_CTX *ctx, set_context_func c) { }
static void ssl_set_None_func(SSL *ssl, set_context_func c) { }
static struct { static struct {
int option; int option;
uint16_t flag; uint16_t flag;
void (*set_version)(SSL_CTX *, int); void (*ctx_set_version)(SSL_CTX *, set_context_func);
void (*ssl_set_version)(SSL *, set_context_func);
const char *name; const char *name;
} methodVersions[] = { } methodVersions[] = {
{0, 0, ssl_set_None_func, "NONE"}, /* CONF_TLSV_NONE */ {0, 0, ctx_set_None_func, ssl_set_None_func, "NONE"}, /* CONF_TLSV_NONE */
{SSL_OP_NO_SSLv3, MC_SSL_O_NO_SSLV3, ssl_set_SSLv3_func, "SSLv3"}, /* CONF_SSLV3 */ {SSL_OP_NO_SSLv3, MC_SSL_O_NO_SSLV3, ctx_set_SSLv3_func, ssl_set_SSLv3_func, "SSLv3"}, /* CONF_SSLV3 */
{SSL_OP_NO_TLSv1, MC_SSL_O_NO_TLSV10, ssl_set_TLSv10_func, "TLSv1.0"}, /* CONF_TLSV10 */ {SSL_OP_NO_TLSv1, MC_SSL_O_NO_TLSV10, ctx_set_TLSv10_func, ssl_set_TLSv10_func, "TLSv1.0"}, /* CONF_TLSV10 */
{SSL_OP_NO_TLSv1_1, MC_SSL_O_NO_TLSV11, ssl_set_TLSv11_func, "TLSv1.1"}, /* CONF_TLSV11 */ {SSL_OP_NO_TLSv1_1, MC_SSL_O_NO_TLSV11, ctx_set_TLSv11_func, ssl_set_TLSv11_func, "TLSv1.1"}, /* CONF_TLSV11 */
{SSL_OP_NO_TLSv1_2, MC_SSL_O_NO_TLSV12, ssl_set_TLSv12_func, "TLSv1.2"}, /* CONF_TLSV12 */ {SSL_OP_NO_TLSv1_2, MC_SSL_O_NO_TLSV12, ctx_set_TLSv12_func, ssl_set_TLSv12_func, "TLSv1.2"}, /* CONF_TLSV12 */
{SSL_OP_NO_TLSv1_3, MC_SSL_O_NO_TLSV13, ssl_set_TLSv13_func, "TLSv1.3"}, /* CONF_TLSV13 */ {SSL_OP_NO_TLSv1_3, MC_SSL_O_NO_TLSV13, ctx_set_TLSv13_func, ssl_set_TLSv13_func, "TLSv1.3"}, /* CONF_TLSV13 */
}; };
static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx) static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
@ -3505,12 +3537,13 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
else else
flags = conf_ssl_methods->flags; flags = conf_ssl_methods->flags;
/* Real min and max should be determinate with configuration and openssl's capabilities */
if (conf_ssl_methods->min) if (conf_ssl_methods->min)
flags |= (methodVersions[conf_ssl_methods->min].flag - 1); flags |= (methodVersions[conf_ssl_methods->min].flag - 1);
if (conf_ssl_methods->max) if (conf_ssl_methods->max)
flags |= ~((methodVersions[conf_ssl_methods->max].flag << 1) - 1); flags |= ~((methodVersions[conf_ssl_methods->max].flag << 1) - 1);
/* Find min, max and holds */ /* find min, max and holes */
min = max = CONF_TLSV_NONE; min = max = CONF_TLSV_NONE;
hole = 0; hole = 0;
for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++) for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
@ -3544,15 +3577,15 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
/* Keep force-xxx implementation as it is in older haproxy. It's a /* Keep force-xxx implementation as it is in older haproxy. It's a
precautionary measure to avoid any suprise with older openssl version. */ precautionary measure to avoid any suprise with older openssl version. */
if (min == max) if (min == max)
methodVersions[min].set_version(ctx, 1 /* server */); methodVersions[min].ctx_set_version(ctx, SET_SERVER);
else else
for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++) for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
if (flags & methodVersions[i].flag) if (flags & methodVersions[i].flag)
options |= methodVersions[i].option; options |= methodVersions[i].option;
#else /* openssl >= 1.1.0 */ #else /* openssl >= 1.1.0 */
/* set the max_version is required to cap TLS version or activate new TLS (v1.3) */ /* set the max_version is required to cap TLS version or activate new TLS (v1.3) */
methodVersions[min].set_version(ctx, 0); methodVersions[min].ctx_set_version(ctx, SET_MIN);
methodVersions[max].set_version(ctx, 1); methodVersions[max].ctx_set_version(ctx, SET_MAX);
#endif #endif
if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS) if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
@ -3962,7 +3995,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
if (conf_ssl_methods->max) if (conf_ssl_methods->max)
flags |= ~((methodVersions[conf_ssl_methods->max].flag << 1) - 1); flags |= ~((methodVersions[conf_ssl_methods->max].flag << 1) - 1);
/* find min, max and holds */ /* find min, max and holes */
min = max = CONF_TLSV_NONE; min = max = CONF_TLSV_NONE;
hole = 0; hole = 0;
for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++) for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
@ -3996,15 +4029,15 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
/* Keep force-xxx implementation as it is in older haproxy. It's a /* Keep force-xxx implementation as it is in older haproxy. It's a
precautionary measure to avoid any suprise with older openssl version. */ precautionary measure to avoid any suprise with older openssl version. */
if (min == max) if (min == max)
methodVersions[min].set_version(ctx, 0 /* client */); methodVersions[min].ctx_set_version(ctx, SET_CLIENT);
else else
for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++) for (i = CONF_TLSV_MIN; i <= CONF_TLSV_MAX; i++)
if (flags & methodVersions[i].flag) if (flags & methodVersions[i].flag)
options |= methodVersions[i].option; options |= methodVersions[i].option;
#else /* openssl >= 1.1.0 */ #else /* openssl >= 1.1.0 */
/* set the max_version is required to cap TLS version or activate new TLS (v1.3) */ /* set the max_version is required to cap TLS version or activate new TLS (v1.3) */
methodVersions[min].set_version(ctx, 0); methodVersions[min].ctx_set_version(ctx, SET_MIN);
methodVersions[max].set_version(ctx, 1); methodVersions[max].ctx_set_version(ctx, SET_MAX);
#endif #endif
if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS) if (srv->ssl_ctx.options & SRV_SSL_O_NO_TLS_TICKETS)