RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-29 08:02:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

CLEANUP: listener: replace bind_conf->generate_cers with BC_O_GENERATE_CERTS

Browse Source 
The new flag will now replace this boolean variable.
This commit is contained in:
Willy Tarreau 2022-05-20 16:03:18 +02:00
parent 11ba404c6b
commit 1ea6e6a17f
3 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/haproxy/listener-t.h
View File

@ -115,6 +115,7 @@ enum li_status {
/* flags used with bind_conf->options */
#define BC_O_USE_SSL 0x00000001 /* SSL is being used on this bind_conf */
#define BC_O_GENERATE_CERTS 0x00000002 /* 1 if generate-certificates option is set, else 0 */
/* flags used with bind_conf->ssl_options */
@ -181,7 +182,6 @@ struct bind_conf {
const struct mux_proto_list *mux_proto; /* the mux to use for all incoming connections (specified by the "proto" keyword) */
struct xprt_ops *xprt; /* transport-layer operations for all listeners */
uint options; /* set of BC_O_* flags */
int generate_certs; /* 1 if generate-certificates option is set, else 0 */
int level; /* stats access level (ACCESS_LVL_*) */
int severity_output; /* default severity output format in cli feedback messages */
struct list listeners; /* list of listeners using this bind config */

2
src/cfgparse-ssl.c
View File

@ -1151,7 +1151,7 @@ static int bind_parse_pcc(char **args, int cur_arg, struct proxy *px, struct bin
static int bind_parse_generate_certs(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
{
#if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
conf->generate_certs = 1;
conf->options |= BC_O_GENERATE_CERTS;
#else
memprintf(err, "%sthis version of openssl cannot generate SSL certificates.\n",
err && *err ? *err : "");

16
src/ssl_sock.c
View File

@ -2557,7 +2557,7 @@ int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
struct bind_conf *s = priv;
(void)al; /* shut gcc stupid warning */
if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) || s->generate_certs)
if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) || (s->options & BC_O_GENERATE_CERTS))
return SSL_TLSEXT_ERR_OK;
return SSL_TLSEXT_ERR_NOACK;
}
@ -2664,7 +2664,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
servername_len = len;
} else {
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
if (s->generate_certs && ssl_sock_generate_certificate_from_conn(s, ssl)) {
if (s->options & BC_O_GENERATE_CERTS && ssl_sock_generate_certificate_from_conn(s, ssl)) {
goto allow_early;
}
#endif
@ -2827,7 +2827,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock);
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
if (s->generate_certs && ssl_sock_generate_certificate(trash.area, s, ssl)) {
if (s->options & BC_O_GENERATE_CERTS && ssl_sock_generate_certificate(trash.area, s, ssl)) {
/* switch ctx done in ssl_sock_generate_certificate */
goto allow_early;
}
@ -2897,7 +2897,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
if (!servername) {
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
if (s->generate_certs && ssl_sock_generate_certificate_from_conn(s, ssl))
if (s->options & BC_O_GENERATE_CERTS && ssl_sock_generate_certificate_from_conn(s, ssl))
return SSL_TLSEXT_ERR_OK;
#endif
if (s->strict_sni)
@ -2939,7 +2939,7 @@ static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
}
if (!node) {
#if (!defined SSL_NO_GENERATE_CERTIFICATES)
if (s->generate_certs && ssl_sock_generate_certificate(servername, s, ssl)) {
if (s->options & BC_O_GENERATE_CERTS && ssl_sock_generate_certificate(servername, s, ssl)) {
/* switch ctx done in ssl_sock_generate_certificate */
HA_RWLOCK_RDUNLOCK(SNI_LOCK, &s->sni_lock);
return SSL_TLSEXT_ERR_OK;
@ -5453,7 +5453,7 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
return 0;
}
if (!bind_conf->default_ctx) {
if (bind_conf->strict_sni && !bind_conf->generate_certs) {
if (bind_conf->strict_sni && !(bind_conf->options & BC_O_GENERATE_CERTS)) {
ha_warning("Proxy '%s': no SSL certificate specified for bind '%s' at [%s:%d], ssl connections will fail (use 'crt').\n",
px->id, bind_conf->arg, bind_conf->file, bind_conf->line);
}
@ -5606,7 +5606,7 @@ ssl_sock_load_ca(struct bind_conf *bind_conf)
int ret = 0;
char *err = NULL;
if (!bind_conf->generate_certs)
if (!(bind_conf->options & BC_O_GENERATE_CERTS))
return ret;
#if (defined SSL_CTRL_SET_TLSEXT_HOSTNAME && !defined SSL_NO_GENERATE_CERTIFICATES)
@ -5657,7 +5657,7 @@ ssl_sock_load_ca(struct bind_conf *bind_conf)
free(ckch);
}
bind_conf->generate_certs = 0;
bind_conf->options &= ~BC_O_GENERATE_CERTS;
ret++;
return ret;
}