MINOR: ssl: use bit fields to store ssl options instead of one int each
There are already too many SSL options, with more still to come; use a bit field and get rid of all the separate integers. No functional change here.
This commit is contained in:
parent
fb510ea2b9
commit
8967549d52
@ -94,6 +94,17 @@ enum {
|
||||
* maxconn setting to the global.maxsock value so that its resources are reserved.
|
||||
*/
|
||||
|
||||
#ifdef USE_OPENSSL
|
||||
/* bind_conf ssl options */
|
||||
#define BC_SSL_O_NONE 0x0000
|
||||
#define BC_SSL_O_NO_SSLV3 0x0001 /* disable SSLv3 */
|
||||
#define BC_SSL_O_NO_TLSV10 0x0002 /* disable TLSv10 */
|
||||
#define BC_SSL_O_NO_TLSV11 0x0004 /* disable TLSv11 */
|
||||
#define BC_SSL_O_NO_TLSV12 0x0008 /* disable TLSv12 */
|
||||
/* 0x000F reserved for 'no' protocol version options */
|
||||
#define BC_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
|
||||
#endif
|
||||
|
||||
/* "bind" line settings */
|
||||
struct bind_conf {
|
||||
#ifdef USE_OPENSSL
|
||||
@ -103,11 +114,7 @@ struct bind_conf {
|
||||
char *ciphers; /* cipher suite to use if non-null */
|
||||
char *crl_file; /* CRLfile to use on verify */
|
||||
char *ecdhe; /* named curve to use for ECDHE */
|
||||
int no_tls_tickets; /* disable session resumption tickets */
|
||||
int no_sslv3; /* disable SSLv3 */
|
||||
int no_tlsv10; /* disable TLSv1.0 */
|
||||
int no_tlsv11; /* disable TLSv1.1 */
|
||||
int no_tlsv12; /* disable TLSv1.2 */
|
||||
int ssl_options; /* ssl options */
|
||||
int verify; /* verify method (set of SSL_VERIFY_* flags) */
|
||||
SSL_CTX *default_ctx; /* SSL context of first/default certificate */
|
||||
struct eb_root sni_ctx; /* sni_ctx tree of all known certs full-names sorted by name */
|
||||
|
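Review bot: `int ssl_options; /* ssl options */` in struct bind_conf is a pure bit mask that is only ever OR-ed and AND-ed, so an unsigned type and a comment naming the flag set read better: `unsigned int ssl_options; /* set of BC_SSL_O_* flags */`. The reserved-range comment covers 0x000F only, and nothing says whether 0x0010..0x0080 are free or intentionally skipped before BC_SSL_O_NO_TLS_TICKETS at 0x0100; a one-line comment on that gap saves the author of the next option a guess. struct bind_conf continues past the second hunk.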
@ -79,6 +79,16 @@
|
||||
#define SRV_EWGHT_RANGE (SRV_UWGHT_RANGE * BE_WEIGHT_SCALE)
|
||||
#define SRV_EWGHT_MAX (SRV_UWGHT_MAX * BE_WEIGHT_SCALE)
|
||||
|
||||
#ifdef USE_OPENSSL
|
||||
/* server ssl options */
|
||||
#define SRV_SSL_O_NONE 0x0000
|
||||
#define SRV_SSL_O_NO_SSLV3 0x0001 /* disable SSLv3 */
|
||||
#define SRV_SSL_O_NO_TLSV10 0x0002 /* disable TLSv1.0 */
|
||||
#define SRV_SSL_O_NO_TLSV11 0x0004 /* disable TLSv1.1 */
|
||||
#define SRV_SSL_O_NO_TLSV12 0x0008 /* disable TLSv1.2 */
|
||||
/* 0x000F reserved for 'no' protocol version options */
|
||||
#endif
|
||||
|
||||
/* A tree occurrence is a descriptor of a place in a tree, with a pointer back
|
||||
* to the server itself.
|
||||
*/
|
||||
@ -178,10 +188,7 @@ struct server {
|
||||
SSL_CTX *ctx;
|
||||
SSL_SESSION *reused_sess;
|
||||
char *ciphers; /* cipher suite to use if non-null */
|
||||
int no_sslv3; /* disable SSLv3 */
|
||||
int no_tlsv10; /* disable TLSv1.0 */
|
||||
int no_tlsv11; /* disable TLSv1.1 */
|
||||
int no_tlsv12; /* disable TLSv1.2 */
|
||||
int options; /* ssl options */
|
||||
} ssl_ctx;
|
||||
#endif
|
||||
struct {
|
||||
|
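Review bot: The SRV_SSL_O_* constants duplicate the BC_SSL_O_* values bit for bit, and since `options` in server.ssl_ctx and `ssl_options` in bind_conf are both plain ints, a BC_ flag OR-ed into the server field (or the reverse) compiles silently; a comment above the block such as `/* independent of BC_SSL_O_*: the two sets must be kept in sync by hand, the compiler will not catch a mix-up */` makes that coupling explicit. `int options; /* ssl options */` is likewise a bit mask, so `unsigned int options; /* set of SRV_SSL_O_* flags */` fits it better. struct server continues outside the hunk.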
@ -4295,7 +4295,7 @@ stats_error_parsing:
|
||||
}
|
||||
else if (!strcmp(args[cur_arg], "no-sslv3")) {
|
||||
#ifdef USE_OPENSSL
|
||||
newsrv->ssl_ctx.no_sslv3 = 1;
|
||||
newsrv->ssl_ctx.options |= SRV_SSL_O_NO_SSLV3;
|
||||
cur_arg += 1;
|
||||
#else /* USE_OPENSSL */
|
||||
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
|
||||
@ -4306,7 +4306,7 @@ stats_error_parsing:
|
||||
}
|
||||
else if (!strcmp(args[cur_arg], "no-tlsv10")) {
|
||||
#ifdef USE_OPENSSL
|
||||
newsrv->ssl_ctx.no_tlsv10 = 1;
|
||||
newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLSV10;
|
||||
cur_arg += 1;
|
||||
#else /* USE_OPENSSL */
|
||||
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
|
||||
@ -4317,7 +4317,7 @@ stats_error_parsing:
|
||||
}
|
||||
else if (!strcmp(args[cur_arg], "no-tlsv11")) {
|
||||
#ifdef USE_OPENSSL
|
||||
newsrv->ssl_ctx.no_tlsv11 = 1;
|
||||
newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLSV11;
|
||||
cur_arg += 1;
|
||||
#else /* USE_OPENSSL */
|
||||
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
|
||||
@ -4328,7 +4328,7 @@ stats_error_parsing:
|
||||
}
|
||||
else if (!strcmp(args[cur_arg], "no-tlsv12")) {
|
||||
#ifdef USE_OPENSSL
|
||||
newsrv->ssl_ctx.no_tlsv12 = 1;
|
||||
newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLSV12;
|
||||
cur_arg += 1;
|
||||
#else /* USE_OPENSSL */
|
||||
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
|
||||
@ -6360,13 +6360,13 @@ out_uri_auth_compat:
|
||||
goto next_srv;
|
||||
}
|
||||
|
||||
if (newsrv->ssl_ctx.no_sslv3)
|
||||
if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_SSLV3)
|
||||
ssloptions |= SSL_OP_NO_SSLv3;
|
||||
if (newsrv->ssl_ctx.no_tlsv10)
|
||||
if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV10)
|
||||
ssloptions |= SSL_OP_NO_TLSv1;
|
||||
if (newsrv->ssl_ctx.no_tlsv11)
|
||||
if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV11)
|
||||
ssloptions |= SSL_OP_NO_TLSv1_1;
|
||||
if (newsrv->ssl_ctx.no_tlsv12)
|
||||
if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12)
|
||||
ssloptions |= SSL_OP_NO_TLSv1_2;
|
||||
SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
|
||||
SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
|
||||
|
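Review bot: The four `newsrv->ssl_ctx.options |= SRV_SSL_O_*` lines in the hunks at 4295..4328 accumulate into a field whose starting value is not set anywhere on this page; if newsrv comes from a zeroing allocator that is fine, otherwise an explicit `newsrv->ssl_ctx.options = SRV_SSL_O_NONE;` where the server is created (outside these hunks) is needed, and a short comment on the first `|=` stating that the field is expected to start at zero would document the assumption either way. The four bit tests in the hunk at 6360 mirror the ones in ssl_sock_prepare_ctx, so any new option has to be wired in both places. The enclosing functions start and end outside the hunks.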
@ -484,15 +484,15 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
|
||||
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
|
||||
SSL_MODE_RELEASE_BUFFERS;
|
||||
|
||||
if (bind_conf->no_sslv3)
|
||||
if (bind_conf->ssl_options & BC_SSL_O_NO_SSLV3)
|
||||
ssloptions |= SSL_OP_NO_SSLv3;
|
||||
if (bind_conf->no_tlsv10)
|
||||
if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV10)
|
||||
ssloptions |= SSL_OP_NO_TLSv1;
|
||||
if (bind_conf->no_tlsv11)
|
||||
if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV11)
|
||||
ssloptions |= SSL_OP_NO_TLSv1_1;
|
||||
if (bind_conf->no_tlsv12)
|
||||
if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV12)
|
||||
ssloptions |= SSL_OP_NO_TLSv1_2;
|
||||
if (bind_conf->no_tls_tickets)
|
||||
if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
|
||||
ssloptions |= SSL_OP_NO_TICKET;
|
||||
|
||||
SSL_CTX_set_options(ctx, ssloptions);
|
||||
@ -1248,7 +1248,7 @@ static int bind_parse_ignore_err(char **args, int cur_arg, struct proxy *px, str
|
||||
/* parse the "no-tls-tickets" bind keyword */
|
||||
static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
conf->no_tls_tickets = 1;
|
||||
conf->ssl_options |= BC_SSL_O_NO_TLS_TICKETS;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -1256,28 +1256,28 @@ static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px,
|
||||
/* parse the "no-sslv3" bind keyword */
|
||||
static int bind_parse_no_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
conf->no_sslv3 = 1;
|
||||
conf->ssl_options |= BC_SSL_O_NO_SSLV3;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* parse the "no-tlsv10" bind keyword */
|
||||
static int bind_parse_no_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
conf->no_tlsv10 = 1;
|
||||
conf->ssl_options |= BC_SSL_O_NO_TLSV10;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* parse the "no-tlsv11" bind keyword */
|
||||
static int bind_parse_no_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
conf->no_tlsv11 = 1;
|
||||
conf->ssl_options |= BC_SSL_O_NO_TLSV11;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* parse the "no-tlsv12" bind keyword */
|
||||
static int bind_parse_no_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
|
||||
{
|
||||
conf->no_tlsv12 = 1;
|
||||
conf->ssl_options |= BC_SSL_O_NO_TLSV12;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
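Review bot: The five test-and-or pairs in the hunk at 484 of ssl_sock_prepare_ctx are one more copy of the BC_SSL_O_* to SSL_OP_* mapping, and each new option will add another pair here and in the server-side loop; a small static table walked in a loop keeps the mapping to one line per option and makes a missing entry obvious. ssl_sock_prepare_ctx starts and ends outside the hunk, so the table and its loop replace only the five `if` pairs before `SSL_CTX_set_options(ctx, ssloptions);`. The bind_parse_no_* keyword handlers in the later hunks are fine as written.
```c
	/* … unchanged: sslmode / ssloptions defaults … */

	/* one entry per BC_SSL_O_* bit and the SSL_OP_* flag it selects */
	static const struct { unsigned int bc_opt; long ssl_opt; } bc_ssl_opt_map[] = {
		{ BC_SSL_O_NO_SSLV3,       SSL_OP_NO_SSLv3   },
		{ BC_SSL_O_NO_TLSV10,      SSL_OP_NO_TLSv1   },
		{ BC_SSL_O_NO_TLSV11,      SSL_OP_NO_TLSv1_1 },
		{ BC_SSL_O_NO_TLSV12,      SSL_OP_NO_TLSv1_2 },
		{ BC_SSL_O_NO_TLS_TICKETS, SSL_OP_NO_TICKET  },
	};
	size_t i;

	for (i = 0; i < sizeof(bc_ssl_opt_map) / sizeof(bc_ssl_opt_map[0]); i++)
		if (bind_conf->ssl_options & bc_ssl_opt_map[i].bc_opt)
			ssloptions |= bc_ssl_opt_map[i].ssl_opt;

	SSL_CTX_set_options(ctx, ssloptions);
```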