From: Emeric Brun
Date: Fri, 5 Oct 2012 11:48:26 +0000 (+0200)
Subject: MINOR: ssl: use bit fields to store ssl options instead of one int each
X-Git-Tag: v1.5-dev13~186
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8967549d529e01ea47907f58300fca5110197a80;p=thirdparty%2Fhaproxy.git
MINOR: ssl: use bit fields to store ssl options instead of one int each
Too many SSL options already and some still to come, use a bit field and get rid of all the integers. No functional change here.
---
diff --git a/include/types/listener.h b/include/types/listener.h
index eda7161875..aba864c7b1 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -94,6 +94,17 @@ enum {
  * maxconn setting to the global.maxsock value so that its resources are reserved.
  */
 
+#ifdef USE_OPENSSL
+/* bind_conf ssl options */
+#define BC_SSL_O_NONE 0x0000
+#define BC_SSL_O_NO_SSLV3 0x0001 /* disable SSLv3 */
+#define BC_SSL_O_NO_TLSV10 0x0002 /* disable TLSv10 */
+#define BC_SSL_O_NO_TLSV11 0x0004 /* disable TLSv11 */
+#define BC_SSL_O_NO_TLSV12 0x0008 /* disable TLSv12 */
+/* 0x000F reserved for 'no' protocol version options */
+#define BC_SSL_O_NO_TLS_TICKETS 0x0100 /* disable session resumption tickets */
+#endif
+
 /* "bind" line settings */
 struct bind_conf {
 #ifdef USE_OPENSSL
@@ -103,11 +114,7 @@ struct bind_conf {
  char *ciphers; /* cipher suite to use if non-null */
  char *crl_file; /* CRLfile to use on verify */
  char *ecdhe; /* named curve to use for ECDHE */
- int no_tls_tickets; /* disable session resumption tickets */
- int no_sslv3; /* disable SSLv3 */
- int no_tlsv10; /* disable TLSv1.0 */
- int no_tlsv11; /* disable TLSv1.1 */
- int no_tlsv12; /* disable TLSv1.2 */
+ int ssl_options; /* ssl options */
  int verify; /* verify method (set of SSL_VERIFY_* flags) */
  SSL_CTX *default_ctx; /* SSL context of first/default certificate */
  struct eb_root sni_ctx; /* sni_ctx tree of all known certs full-names sorted by name */
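Review bot: In the second listener.h hunk `ssl_options` is declared `int` although it is only ever handled as a mask of BC_SSL_O_* flags (`|=` in the bind keyword parsers, `&` in ssl_sock_prepare_ctx); an unsigned carrier states that intent and avoids any signed-arithmetic surprise should a flag ever occupy the top bit, `unsigned int ssl_options; /* BC_SSL_O_* flags */`. The same applies to `options` in the server.h ssl_ctx struct. The first hunk's comments spell the versions "TLSv10"/"TLSv11"/"TLSv12" while the matching SRV_SSL_O_* definitions in server.h say "TLSv1.0"/"TLSv1.1"/"TLSv1.2"; aligning the two makes the parallel sets easier to grep. struct bind_conf continues past the end of the hunk.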
diff --git a/include/types/server.h b/include/types/server.h
index a3156e4851..5453b08564 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -79,6 +79,16 @@
 #define SRV_EWGHT_RANGE (SRV_UWGHT_RANGE * BE_WEIGHT_SCALE)
 #define SRV_EWGHT_MAX (SRV_UWGHT_MAX * BE_WEIGHT_SCALE)
 
+#ifdef USE_OPENSSL
+/* server ssl options */
+#define SRV_SSL_O_NONE 0x0000
+#define SRV_SSL_O_NO_SSLV3 0x0001 /* disable SSLv3 */
+#define SRV_SSL_O_NO_TLSV10 0x0002 /* disable TLSv1.0 */
+#define SRV_SSL_O_NO_TLSV11 0x0004 /* disable TLSv1.1 */
+#define SRV_SSL_O_NO_TLSV12 0x0008 /* disable TLSv1.2 */
+/* 0x000F reserved for 'no' protocol version options */
+#endif
+
 /* A tree occurrence is a descriptor of a place in a tree, with a pointer back
  * to the server itself.
  */
@@ -178,10 +188,7 @@ struct server {
  SSL_CTX *ctx;
  SSL_SESSION *reused_sess;
  char *ciphers; /* cipher suite to use if non-null */
- int no_sslv3; /* disable SSLv3 */
- int no_tlsv10; /* disable TLSv1.0 */
- int no_tlsv11; /* disable TLSv1.1 */
- int no_tlsv12; /* disable TLSv1.2 */
+ int options; /* ssl options */
  } ssl_ctx;
 #endif
  struct {
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 1c84ee3283..9b1ac46c6b 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -4295,7 +4295,7 @@ stats_error_parsing:
  }
  else if (!strcmp(args[cur_arg], "no-sslv3")) {
 #ifdef USE_OPENSSL
- newsrv->ssl_ctx.no_sslv3 = 1;
+ newsrv->ssl_ctx.options |= SRV_SSL_O_NO_SSLV3;
  cur_arg += 1;
 #else /* USE_OPENSSL */
  Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -4306,7 +4306,7 @@ stats_error_parsing:
  }
  else if (!strcmp(args[cur_arg], "no-tlsv10")) {
 #ifdef USE_OPENSSL
- newsrv->ssl_ctx.no_tlsv10 = 1;
+ newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLSV10;
  cur_arg += 1;
 #else /* USE_OPENSSL */
  Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -4317,7 +4317,7 @@ stats_error_parsing:
  }
  else if (!strcmp(args[cur_arg], "no-tlsv11")) {
 #ifdef USE_OPENSSL
- newsrv->ssl_ctx.no_tlsv11 = 1;
+ newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLSV11;
  cur_arg += 1;
 #else /* USE_OPENSSL */
  Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -4328,7 +4328,7 @@ stats_error_parsing:
  }
  else if (!strcmp(args[cur_arg], "no-tlsv12")) {
 #ifdef USE_OPENSSL
- newsrv->ssl_ctx.no_tlsv12 = 1;
+ newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLSV12;
  cur_arg += 1;
 #else /* USE_OPENSSL */
  Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -6360,13 +6360,13 @@ out_uri_auth_compat:
  goto next_srv;
  }
 
- if (newsrv->ssl_ctx.no_sslv3)
+ if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_SSLV3)
  ssloptions |= SSL_OP_NO_SSLv3;
- if (newsrv->ssl_ctx.no_tlsv10)
+ if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV10)
  ssloptions |= SSL_OP_NO_TLSv1;
- if (newsrv->ssl_ctx.no_tlsv11)
+ if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV11)
  ssloptions |= SSL_OP_NO_TLSv1_1;
- if (newsrv->ssl_ctx.no_tlsv12)
+ if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12)
  ssloptions |= SSL_OP_NO_TLSv1_2;
  SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
  SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f951be63be..af02a6986c 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
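Review bot: Nothing in the 6360 hunk rejects a server that has all four SRV_SSL_O_NO_* bits set, so a server line carrying `no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12` builds a context with no negotiable protocol version and handshakes to that backend would be expected to fail at runtime instead of being caught at configuration check time (unless this is validated elsewhere, which the hunk does not show). With the options now in one word the check is a single mask test before the `SSL_CTX_set_options()` call, e.g. `if ((newsrv->ssl_ctx.options & 0x000F) == 0x000F)` followed by an Alert() in the style of the other server-option errors in this file, preferably with the 0x000F mask given a name beside the SRV_SSL_O_* definitions rather than repeated as a literal. The bind_conf side in the ssl_sock.c hunk at line 484 has the same gap where the BC_SSL_O_* tests feed `SSL_CTX_set_options(ctx, ssloptions)`. The enclosing function starts and ends outside this hunk.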
@@ -484,15 +484,15 @@ int ssl_sock_prepare_ctx(struct bind_conf *bind_conf, SSL_CTX *ctx, struct proxy
  SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
  SSL_MODE_RELEASE_BUFFERS;
 
- if (bind_conf->no_sslv3)
+ if (bind_conf->ssl_options & BC_SSL_O_NO_SSLV3)
  ssloptions |= SSL_OP_NO_SSLv3;
- if (bind_conf->no_tlsv10)
+ if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV10)
  ssloptions |= SSL_OP_NO_TLSv1;
- if (bind_conf->no_tlsv11)
+ if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV11)
  ssloptions |= SSL_OP_NO_TLSv1_1;
- if (bind_conf->no_tlsv12)
+ if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV12)
  ssloptions |= SSL_OP_NO_TLSv1_2;
- if (bind_conf->no_tls_tickets)
+ if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
  ssloptions |= SSL_OP_NO_TICKET;
 
  SSL_CTX_set_options(ctx, ssloptions);
@@ -1248,7 +1248,7 @@ static int bind_parse_ignore_err(char **args, int cur_arg, struct proxy *px, str
 /* parse the "no-tls-tickets" bind keyword */
 static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
- conf->no_tls_tickets = 1;
+ conf->ssl_options |= BC_SSL_O_NO_TLS_TICKETS;
  return 0;
 }
 
@@ -1256,28 +1256,28 @@ static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px,
 /* parse the "no-sslv3" bind keyword */
 static int bind_parse_no_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
- conf->no_sslv3 = 1;
+ conf->ssl_options |= BC_SSL_O_NO_SSLV3;
  return 0;
 }
 
 /* parse the "no-tlsv10" bind keyword */
 static int bind_parse_no_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
- conf->no_tlsv10 = 1;
+ conf->ssl_options |= BC_SSL_O_NO_TLSV10;
  return 0;
 }
 
 /* parse the "no-tlsv11" bind keyword */
 static int bind_parse_no_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
- conf->no_tlsv11 = 1;
+ conf->ssl_options |= BC_SSL_O_NO_TLSV11;
  return 0;
 }
 
 /* parse the "no-tlsv12" bind keyword */
 static int bind_parse_no_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
- conf->no_tlsv12 = 1;
+ conf->ssl_options |= BC_SSL_O_NO_TLSV12;
  return 0;
 }
 
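Review bot: After this change the four bind_parse_no_* handlers in this hunk (and bind_parse_no_tls_tickets in the previous one) differ only in the BC_SSL_O_* flag they OR into `conf->ssl_options`, so each has become a three-line wrapper around `conf->ssl_options |= FLAG; return 0;`. Presumably the bind keyword table needs a distinct callback per keyword, in which case keeping them is fine, but none of the comments says where the flag takes effect. A one-line comment above the first handler, `/* BC_SSL_O_* flags are applied to the SSL_CTX in ssl_sock_prepare_ctx() */`, would point the next reader at the consumer seen in the hunk at line 484.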