Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 43664768520e11bf96413732c3d41adb1e55cf8e^! / .
commit43664768520e11bf96413732c3d41adb1e55cf8e[log] [tgz]
authorEmmanuel Hocdet <manu@gandi.net>Wed Aug 09 18:26:20 2017 +0200
committerWilly Tarreau <w@1wt.eu>Tue Sep 05 09:42:30 2017 +0200
tree47bfe9f20b2b7981a8f38d1c9f96cc30460e5d34
parent87e4302707adc2c9c36d640a8f7571d5e6d0e987 [diff]
MINOR: ssl: remove duplicate ssl_methods in struct bind_conf

Patch "MINOR: ssl: support ssl-min-ver and ssl-max-ver with crt-list"
introduce ssl_methods in struct ssl_bind_conf. struct bind_conf have now
ssl_methods and ssl_conf.ssl_methods (unused). It's error-prone. This patch
remove the duplicate structure to avoid any confusion.

diff --git a/include/types/listener.h b/include/types/listener.h
index 064c040..f04a8ea 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h

@@ -140,7 +140,6 @@
 	struct ssl_bind_conf *default_ssl_conf; /* custom SSL conf of default_ctx */
 	int strict_sni;            /* refuse negotiation if sni doesn't match a certificate */
 	int ssl_options;           /* ssl options */
-	struct tls_version_filter ssl_methods; /* ssl methods */
 	struct eb_root sni_ctx;    /* sni_ctx tree of all known certs full-names sorted by name */
 	struct eb_root sni_w_ctx;  /* sni_ctx tree of all known certs wildcards sorted by name */
 	struct tls_keys_ref *keys_ref; /* TLS ticket keys reference */

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 36f8cc2..de1dd9a 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -2129,15 +2129,11 @@
 	node = node_ecdsa ? node_ecdsa : (node_rsa ? node_rsa : node_anonymous);
 
 	if (node) {
-		int min, max;
 		/* switch ctx */
+		struct ssl_bind_conf *conf = container_of(node, struct sni_ctx, name)->conf;
 		ssl_sock_switchctx_set(ctx->ssl, container_of(node, struct sni_ctx, name)->ctx);
-		min = container_of(node, struct sni_ctx, name)->conf->ssl_methods.min;
-		if (min != s->ssl_methods.min)
-			methodVersions[min].ssl_set_version(ctx->ssl, SET_MIN);
-		max = container_of(node, struct sni_ctx, name)->conf->ssl_methods.max;
-		if (max != s->ssl_methods.max)
-			methodVersions[max].ssl_set_version(ctx->ssl, SET_MAX);
+		methodVersions[conf->ssl_methods.min].ssl_set_version(ctx->ssl, SET_MIN);
+		methodVersions[conf->ssl_methods.max].ssl_set_version(ctx->ssl, SET_MAX);
 		return 1;
 	}
 	if (!s->strict_sni) {
@@ -3552,7 +3548,7 @@
 		SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
 		SSL_MODE_RELEASE_BUFFERS |
 		SSL_MODE_SMALL_BUFFERS;
-	struct tls_version_filter *conf_ssl_methods = &bind_conf->ssl_methods;
+	struct tls_version_filter *conf_ssl_methods = &bind_conf->ssl_conf.ssl_methods;
 	int i, min, max, hole;
 	int flags = MC_SSL_O_ALL;
 	int cfgerr = 0;
@@ -3666,8 +3662,8 @@
 		int flags = MC_SSL_O_ALL;
 
 		/* Real min and max should be determinate with configuration and openssl's capabilities */
-		min = conf_ssl_methods->min ? conf_ssl_methods->min : bind_conf->ssl_methods.min;
-		max = conf_ssl_methods->max ? conf_ssl_methods->max : bind_conf->ssl_methods.max;
+		min = conf_ssl_methods->min ? conf_ssl_methods->min : bind_conf->ssl_conf.ssl_methods.min;
+		max = conf_ssl_methods->max ? conf_ssl_methods->max : bind_conf->ssl_conf.ssl_methods.max;
 		if (min)
 			flags |= (methodVersions[min].flag - 1);
 		if (max)
@@ -6739,7 +6735,7 @@
 
 static int bind_parse_tls_method_options(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
-	return parse_tls_method_options(args[cur_arg], &conf->ssl_methods, err);
+	return parse_tls_method_options(args[cur_arg], &conf->ssl_conf.ssl_methods, err);
 }
 
 static int srv_parse_tls_method_options(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
@@ -6787,7 +6783,7 @@
 
 static int bind_parse_tls_method_minmax(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
 {
-	return parse_tls_method_minmax(args, cur_arg, &conf->ssl_methods, err);
+	return parse_tls_method_minmax(args, cur_arg, &conf->ssl_conf.ssl_methods, err);
 }
 
 static int srv_parse_tls_method_minmax(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
@@ -6923,11 +6919,11 @@
 	if (global_ssl.listen_default_ciphers && !conf->ssl_conf.ciphers)
 		conf->ssl_conf.ciphers = strdup(global_ssl.listen_default_ciphers);
 	conf->ssl_options |= global_ssl.listen_default_ssloptions;
-	conf->ssl_methods.flags |= global_ssl.listen_default_sslmethods.flags;
-	if (!conf->ssl_methods.min)
-		conf->ssl_methods.min = global_ssl.listen_default_sslmethods.min;
-	if (!conf->ssl_methods.max)
-		conf->ssl_methods.max = global_ssl.listen_default_sslmethods.max;
+	conf->ssl_conf.ssl_methods.flags |= global_ssl.listen_default_sslmethods.flags;
+	if (!conf->ssl_conf.ssl_methods.min)
+		conf->ssl_conf.ssl_methods.min = global_ssl.listen_default_sslmethods.min;
+	if (!conf->ssl_conf.ssl_methods.max)
+		conf->ssl_conf.ssl_methods.max = global_ssl.listen_default_sslmethods.max;
 
 	return 0;
 }