MINOR: ssl: use bit fields to store ssl options instead of one int each
Too many SSL options already and some still to come, use a bit field
and get rid of all the integers. No functional change here.
diff --git a/src/cfgparse.c b/src/cfgparse.c
index 1c84ee3..9b1ac46 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -4295,7 +4295,7 @@
}
else if (!strcmp(args[cur_arg], "no-sslv3")) {
#ifdef USE_OPENSSL
- newsrv->ssl_ctx.no_sslv3 = 1;
+ newsrv->ssl_ctx.options |= SRV_SSL_O_NO_SSLV3;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
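Review bot: The four server-side `no-*` branches here and at L17-25, L26-34 and L35-43 are copies that differ only in the keyword string and the `SRV_SSL_O_*` bit OR-ed into `newsrv->ssl_ctx.options`, so each option "still to come" means another copy of the whole branch including the `#else` Alert. A keyword-to-bit table plus one lookup helper, placed under the same `USE_OPENSSL` guard as the branch bodies, collapses them into a single branch and keeps the keyword list in one place. The enclosing `else if` chain starts and ends outside the hunk, so the branch that calls the helper has to be placed there; the table and helper themselves are shown below.
```c
#ifdef USE_OPENSSL
/* server "no-<proto>" keywords and the ssl_ctx.options bit each one sets */
static const struct { const char *kw; int flag; } srv_ssl_no_proto[] = {
	{ "no-sslv3",  SRV_SSL_O_NO_SSLV3  },
	{ "no-tlsv10", SRV_SSL_O_NO_TLSV10 },
	{ "no-tlsv11", SRV_SSL_O_NO_TLSV11 },
	{ "no-tlsv12", SRV_SSL_O_NO_TLSV12 },
};

/* returns the options bit for keyword <kw>, or 0 if <kw> is not a no-<proto> keyword */
static int srv_ssl_no_proto_flag(const char *kw)
{
	for (size_t i = 0; i < sizeof(srv_ssl_no_proto) / sizeof(srv_ssl_no_proto[0]); i++)
		if (!strcmp(kw, srv_ssl_no_proto[i].kw))
			return srv_ssl_no_proto[i].flag;
	return 0;
}
#endif /* USE_OPENSSL */
/* … unchanged: the keyword chain, where one branch calls srv_ssl_no_proto_flag(args[cur_arg]) … */
```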
@@ -4306,7 +4306,7 @@
}
else if (!strcmp(args[cur_arg], "no-tlsv10")) {
#ifdef USE_OPENSSL
- newsrv->ssl_ctx.no_tlsv10 = 1;
+ newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLSV10;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -4317,7 +4317,7 @@
}
else if (!strcmp(args[cur_arg], "no-tlsv11")) {
#ifdef USE_OPENSSL
- newsrv->ssl_ctx.no_tlsv11 = 1;
+ newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLSV11;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -4328,7 +4328,7 @@
}
else if (!strcmp(args[cur_arg], "no-tlsv12")) {
#ifdef USE_OPENSSL
- newsrv->ssl_ctx.no_tlsv12 = 1;
+ newsrv->ssl_ctx.options |= SRV_SSL_O_NO_TLSV12;
cur_arg += 1;
#else /* USE_OPENSSL */
Alert("parsing [%s:%d]: '%s' option not implemented.\n",
@@ -6360,13 +6360,13 @@
goto next_srv;
}
- if (newsrv->ssl_ctx.no_sslv3)
+ if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_SSLV3)
ssloptions |= SSL_OP_NO_SSLv3;
- if (newsrv->ssl_ctx.no_tlsv10)
+ if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV10)
ssloptions |= SSL_OP_NO_TLSv1;
- if (newsrv->ssl_ctx.no_tlsv11)
+ if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV11)
ssloptions |= SSL_OP_NO_TLSv1_1;
- if (newsrv->ssl_ctx.no_tlsv12)
+ if (newsrv->ssl_ctx.options & SRV_SSL_O_NO_TLSV12)
ssloptions |= SSL_OP_NO_TLSv1_2;
SSL_CTX_set_options(newsrv->ssl_ctx.ctx, ssloptions);
SSL_CTX_set_mode(newsrv->ssl_ctx.ctx, sslmode);
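Review bot: The bit-to-`SSL_OP_*` translation at L47-58 is now written a second time for the bind side at L68-79, and the two copies have already diverged: the bind side also handles `BC_SSL_O_NO_TLS_TICKETS`, while the server side has no ticket bit at all. Whether that asymmetry is intended is not visible here; if it is, a one-line comment above L47 such as `/* protocol disabling only: the server side has no no-tls-tickets option */` would stop the next reader from treating it as an omission. Note also that every check is a bare `&` test, so it relies on `newsrv->ssl_ctx.options` being zero when the server is allocated — presumably newsrv is calloc'd or memset, but that is outside the hunk and worth confirming. The enclosing function, including the initialisation of `ssloptions` and `sslmode`, starts before the hunk.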
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f951be6..af02a69 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -484,15 +484,15 @@
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_RELEASE_BUFFERS;
- if (bind_conf->no_sslv3)
+ if (bind_conf->ssl_options & BC_SSL_O_NO_SSLV3)
ssloptions |= SSL_OP_NO_SSLv3;
- if (bind_conf->no_tlsv10)
+ if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV10)
ssloptions |= SSL_OP_NO_TLSv1;
- if (bind_conf->no_tlsv11)
+ if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV11)
ssloptions |= SSL_OP_NO_TLSv1_1;
- if (bind_conf->no_tlsv12)
+ if (bind_conf->ssl_options & BC_SSL_O_NO_TLSV12)
ssloptions |= SSL_OP_NO_TLSv1_2;
- if (bind_conf->no_tls_tickets)
+ if (bind_conf->ssl_options & BC_SSL_O_NO_TLS_TICKETS)
ssloptions |= SSL_OP_NO_TICKET;
SSL_CTX_set_options(ctx, ssloptions);
@@ -1248,7 +1248,7 @@
/* parse the "no-tls-tickets" bind keyword */
static int bind_parse_no_tls_tickets(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->no_tls_tickets = 1;
+ conf->ssl_options |= BC_SSL_O_NO_TLS_TICKETS;
return 0;
}
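Review bot: `bind_parse_no_tls_tickets` and the four parsers at L92-120 are the same function with a different `BC_SSL_O_*` bit, and each carries four unused parameters that exist only to satisfy the bind keyword callback signature. Since the callback receives `args[cur_arg]`, one shared parser can look the keyword up in a keyword-to-bit table and be registered for all five keywords, so a new `no-*` keyword becomes one table entry rather than a new function. The keyword registration list is outside the hunk and would need all five entries pointed at the shared parser; the table and parser are shown below.
```c
/* bind "no-*" keywords and the ssl_options bit each one sets */
static const struct { const char *kw; int flag; } bind_ssl_no_kw[] = {
	{ "no-tls-tickets", BC_SSL_O_NO_TLS_TICKETS },
	{ "no-sslv3",       BC_SSL_O_NO_SSLV3       },
	{ "no-tlsv10",      BC_SSL_O_NO_TLSV10      },
	{ "no-tlsv11",      BC_SSL_O_NO_TLSV11      },
	{ "no-tlsv12",      BC_SSL_O_NO_TLSV12      },
};

/* parse any "no-*" bind keyword listed in bind_ssl_no_kw and set its ssl_options bit */
static int bind_parse_ssl_no_kw(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
	for (size_t i = 0; i < sizeof(bind_ssl_no_kw) / sizeof(bind_ssl_no_kw[0]); i++) {
		if (!strcmp(args[cur_arg], bind_ssl_no_kw[i].kw)) {
			conf->ssl_options |= bind_ssl_no_kw[i].flag;
			return 0;
		}
	}
	/* only reachable if a keyword is registered to this parser but missing from the table */
	memprintf(err, "'%s' is not a known SSL option", args[cur_arg]);
	return ERR_ALERT | ERR_FATAL;
}
```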
@@ -1256,28 +1256,28 @@
/* parse the "no-sslv3" bind keyword */
static int bind_parse_no_sslv3(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->no_sslv3 = 1;
+ conf->ssl_options |= BC_SSL_O_NO_SSLV3;
return 0;
}
/* parse the "no-tlsv10" bind keyword */
static int bind_parse_no_tlsv10(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->no_tlsv10 = 1;
+ conf->ssl_options |= BC_SSL_O_NO_TLSV10;
return 0;
}
/* parse the "no-tlsv11" bind keyword */
static int bind_parse_no_tlsv11(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->no_tlsv11 = 1;
+ conf->ssl_options |= BC_SSL_O_NO_TLSV11;
return 0;
}
/* parse the "no-tlsv12" bind keyword */
static int bind_parse_no_tlsv12(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
- conf->no_tlsv12 = 1;
+ conf->ssl_options |= BC_SSL_O_NO_TLSV12;
return 0;
}