Revert "CLEANUP: server: always include the storage for SSL settings"
This reverts commit 5279e61cee28b7012619906048edd2c8a9c89059.
This commit breaks compilation with OpenSSL versions < 1.1.1, it was
marked as mandatory for 8fdaf255c ("BUG/MEDIUM: sample: properly verify
that variables cast to sample"), but this is not the case.
diff --git a/include/haproxy/server-t.h b/include/haproxy/server-t.h
index d1be0c1..cd95f9e 100644
--- a/include/haproxy/server-t.h
+++ b/include/haproxy/server-t.h
@@ -328,6 +328,7 @@
unsigned int init_addr_methods; /* initial address setting, 3-bit per method, ends at 0, enough to store 10 entries */
enum srv_log_proto log_proto; /* used proto to emit messages on server lines from ring section */
+#ifdef USE_OPENSSL
char *sni_expr; /* Temporary variable to store a sample expression for SNI */
struct {
SSL_CTX *ctx;
@@ -364,6 +365,7 @@
struct quic_transport_params quic_params; /* QUIC transport parameters */
struct eb_root cids; /* QUIC connections IDs. */
#endif
+#endif
struct resolv_srvrq *srvrq; /* Pointer representing the DNS SRV requeest, if any */
struct list srv_rec_item; /* to attach server to a srv record item */
struct list ip_rec_item; /* to attach server to a A or AAAA record item */
diff --git a/src/server.c b/src/server.c
index 4f692e2..ff88dcb 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1827,6 +1827,7 @@
return NULL;
}
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
static struct sample_expr *srv_sni_sample_parse_expr(struct server *srv, struct proxy *px,
const char *file, int linenum, char **err)
{
@@ -1866,6 +1867,7 @@
return 0;
}
+#endif
static void display_parser_err(const char *file, int linenum, char **args, int cur_arg, int err_code, char **err)
{
@@ -1962,11 +1964,14 @@
if (src->ssl_ctx.methods.max)
srv->ssl_ctx.methods.max = src->ssl_ctx.methods.max;
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
if (src->ssl_ctx.ciphersuites != NULL)
srv->ssl_ctx.ciphersuites = strdup(src->ssl_ctx.ciphersuites);
+#endif
if (src->sni_expr != NULL)
srv->sni_expr = strdup(src->sni_expr);
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
if (src->ssl_ctx.alpn_str) {
srv->ssl_ctx.alpn_str = malloc(src->ssl_ctx.alpn_len);
if (srv->ssl_ctx.alpn_str) {
@@ -1975,7 +1980,8 @@
srv->ssl_ctx.alpn_len = src->ssl_ctx.alpn_len;
}
}
-
+#endif
+#ifdef OPENSSL_NPN_NEGOTIATED
if (src->ssl_ctx.npn_str) {
srv->ssl_ctx.npn_str = malloc(src->ssl_ctx.npn_len);
if (srv->ssl_ctx.npn_str) {
@@ -1984,6 +1990,7 @@
srv->ssl_ctx.npn_len = src->ssl_ctx.npn_len;
}
}
+#endif
}
#endif
@@ -2339,13 +2346,13 @@
srv_settings_cpy(newsrv, srv, 1);
srv_prepare_for_resolution(newsrv, srv->hostname);
-
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
if (newsrv->sni_expr) {
newsrv->ssl_ctx.sni = srv_sni_sample_parse_expr(newsrv, px, NULL, 0, NULL);
if (!newsrv->ssl_ctx.sni)
goto err;
}
-
+#endif
/* append to list of servers available to receive an hostname */
if (newsrv->srvrq)
LIST_APPEND(&newsrv->srvrq->attached_servers, &newsrv->srv_rec_item);
@@ -2364,7 +2371,9 @@
err:
_srv_parse_set_id_from_prefix(srv, srv->tmpl_info.prefix, srv->tmpl_info.nb_low);
if (newsrv) {
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
release_sample_expr(newsrv->ssl_ctx.sni);
+#endif
free_check(&newsrv->agent);
free_check(&newsrv->check);
LIST_DELETE(&newsrv->global_list);
@@ -2622,6 +2631,7 @@
return err_code;
}
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
/* This function is first intended to be used through parse_server to
* initialize a new server on startup.
*/
@@ -2640,6 +2650,7 @@
return ret;
}
+#endif
/* Server initializations finalization.
* Initialize health check, agent check and SNI expression if enabled.
@@ -2652,7 +2663,9 @@
struct server *srv, struct proxy *px,
int parse_flags, char **errmsg)
{
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
int ret;
+#endif
if (srv->do_check && srv->trackit) {
memprintf(errmsg, "unable to enable checks and tracking at the same time!");
@@ -2665,8 +2678,10 @@
return ERR_ALERT | ERR_FATAL;
}
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
if ((ret = _srv_parse_sni_expr_init(args, cur_arg, srv, px, errmsg)) != 0)
return ret;
+#endif
/* A dynamic server is disabled on startup. It must not be counted as
* an active backend entry.