aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorKevin Guthrie <[email protected]>2024-08-29 17:12:19 -0400
committerYuchen Wu <[email protected]>2024-08-30 10:03:14 -0700
commit1b9e8eead1ed8e6d858a48e7a4c06e4a2aff3d41 (patch)
tree17169028c8b2f32772c68a63a6124d11710faf71
parentd8f3ffae77ddc1edd285ab1d517a1b6748ce3d58 (diff)
downloadpingora-1b9e8eead1ed8e6d858a48e7a4c06e4a2aff3d41.tar.gz
pingora-1b9e8eead1ed8e6d858a48e7a4c06e4a2aff3d41.zip
Refactor module into and relocate the no-op tls module
-rw-r--r--.bleep2
-rw-r--r--pingora-core/Cargo.toml7
-rw-r--r--pingora-core/src/connectors/http/mod.rs1
-rw-r--r--pingora-core/src/connectors/http/v1.rs1
-rw-r--r--pingora-core/src/connectors/http/v2.rs4
-rw-r--r--pingora-core/src/connectors/mod.rs1
-rw-r--r--pingora-core/src/connectors/tls.rs4
-rw-r--r--pingora-core/src/lib.rs4
-rw-r--r--pingora-core/src/listeners/mod.rs3
-rw-r--r--pingora-core/src/listeners/tls.rs4
-rw-r--r--pingora-core/src/protocols/digest.rs2
-rw-r--r--pingora-core/src/protocols/mod.rs6
-rw-r--r--pingora-core/src/protocols/tls/client.rs (renamed from pingora-core/src/protocols/ssl/client.rs)0
-rw-r--r--pingora-core/src/protocols/tls/digest.rs (renamed from pingora-core/src/protocols/ssl/digest.rs)0
-rw-r--r--pingora-core/src/protocols/tls/dummy_tls/mod.rs805
-rw-r--r--pingora-core/src/protocols/tls/mod.rs (renamed from pingora-core/src/protocols/ssl/mod.rs)3
-rw-r--r--pingora-core/src/protocols/tls/server.rs (renamed from pingora-core/src/protocols/ssl/server.rs)1
-rw-r--r--pingora-core/src/upstreams/peer.rs2
-rw-r--r--pingora-core/tests/test_basic.rs3
19 files changed, 837 insertions, 16 deletions
diff --git a/.bleep b/.bleep
index 220b9e9..6efaac4 100644
--- a/.bleep
+++ b/.bleep
@@ -1 +1 @@
-b01a9bc71ff892b2fdbb47f6bb3f9eac88907435 \ No newline at end of file
+aadd07a5b3064b0fbdf57c8c02a5ef7b65b5fc03 \ No newline at end of file
diff --git a/pingora-core/Cargo.toml b/pingora-core/Cargo.toml
index c5bce77..6efad9a 100644
--- a/pingora-core/Cargo.toml
+++ b/pingora-core/Cargo.toml
@@ -79,6 +79,7 @@ jemallocator = "0.5"
[features]
default = ["openssl"]
-openssl = ["pingora-openssl"]
-boringssl = ["pingora-boringssl"]
-patched_http1 = [] \ No newline at end of file
+openssl = ["pingora-openssl", "some_tls"]
+boringssl = ["pingora-boringssl", "some_tls"]
+patched_http1 = []
+some_tls = [] \ No newline at end of file
diff --git a/pingora-core/src/connectors/http/mod.rs b/pingora-core/src/connectors/http/mod.rs
index c399530..33c5e01 100644
--- a/pingora-core/src/connectors/http/mod.rs
+++ b/pingora-core/src/connectors/http/mod.rs
@@ -95,6 +95,7 @@ impl Connector {
}
#[cfg(test)]
+#[cfg(feature = "some_tls")]
mod tests {
use super::*;
use crate::protocols::http::v1::client::HttpSession as Http1Session;
diff --git a/pingora-core/src/connectors/http/v1.rs b/pingora-core/src/connectors/http/v1.rs
index 66f7bbb..fb5dfd0 100644
--- a/pingora-core/src/connectors/http/v1.rs
+++ b/pingora-core/src/connectors/http/v1.rs
@@ -103,6 +103,7 @@ mod tests {
}
#[tokio::test]
+ #[cfg(feature = "some_tls")]
async fn test_connect_tls() {
let connector = Connector::new(None);
let peer = HttpPeer::new(("1.1.1.1", 443), true, "one.one.one.one".into());
diff --git a/pingora-core/src/connectors/http/v2.rs b/pingora-core/src/connectors/http/v2.rs
index 05b3072..433bc4b 100644
--- a/pingora-core/src/connectors/http/v2.rs
+++ b/pingora-core/src/connectors/http/v2.rs
@@ -460,6 +460,7 @@ mod tests {
use crate::upstreams::peer::HttpPeer;
#[tokio::test]
+ #[cfg(feature = "some_tls")]
async fn test_connect_h2() {
let connector = Connector::new(None);
let mut peer = HttpPeer::new(("1.1.1.1", 443), true, "one.one.one.one".into());
@@ -472,6 +473,7 @@ mod tests {
}
#[tokio::test]
+ #[cfg(feature = "some_tls")]
async fn test_connect_h1() {
let connector = Connector::new(None);
let mut peer = HttpPeer::new(("1.1.1.1", 443), true, "one.one.one.one".into());
@@ -497,6 +499,7 @@ mod tests {
}
#[tokio::test]
+ #[cfg(feature = "some_tls")]
async fn test_h2_single_stream() {
let connector = Connector::new(None);
let mut peer = HttpPeer::new(("1.1.1.1", 443), true, "one.one.one.one".into());
@@ -528,6 +531,7 @@ mod tests {
}
#[tokio::test]
+ #[cfg(feature = "some_tls")]
async fn test_h2_multiple_stream() {
let connector = Connector::new(None);
let mut peer = HttpPeer::new(("1.1.1.1", 443), true, "one.one.one.one".into());
diff --git a/pingora-core/src/connectors/mod.rs b/pingora-core/src/connectors/mod.rs
index 09ed01a..2d4584c 100644
--- a/pingora-core/src/connectors/mod.rs
+++ b/pingora-core/src/connectors/mod.rs
@@ -365,6 +365,7 @@ fn test_reusable_stream(stream: &mut Stream) -> bool {
}
#[cfg(test)]
+#[cfg(feature = "some_tls")]
mod tests {
use pingora_error::ErrorType;
diff --git a/pingora-core/src/connectors/tls.rs b/pingora-core/src/connectors/tls.rs
index 8a6bd63..01dd8b3 100644
--- a/pingora-core/src/connectors/tls.rs
+++ b/pingora-core/src/connectors/tls.rs
@@ -17,8 +17,8 @@ use pingora_error::{Error, ErrorType::*, OrErr, Result};
use std::sync::{Arc, Once};
use super::ConnectorOptions;
-use crate::protocols::ssl::client::handshake;
-use crate::protocols::ssl::SslStream;
+use crate::protocols::tls::client::handshake;
+use crate::protocols::tls::SslStream;
use crate::protocols::IO;
use crate::tls::ext::{
add_host, clear_error_stack, ssl_add_chain_cert, ssl_set_groups_list,
diff --git a/pingora-core/src/lib.rs b/pingora-core/src/lib.rs
index 7a70d56..fbc3394 100644
--- a/pingora-core/src/lib.rs
+++ b/pingora-core/src/lib.rs
@@ -58,8 +58,8 @@ pub use pingora_boringssl as tls;
#[cfg(all(not(feature = "boringssl"), feature = "openssl"))]
pub use pingora_openssl as tls;
-#[cfg(all(not(feature = "boringssl"), not(feature = "openssl")))]
-pub mod tls;
+#[cfg(not(feature = "some_tls"))]
+pub use protocols::tls::dummy_tls as tls;
pub mod prelude {
pub use crate::server::configuration::Opt;
diff --git a/pingora-core/src/listeners/mod.rs b/pingora-core/src/listeners/mod.rs
index cc8edb8..cb6e2c6 100644
--- a/pingora-core/src/listeners/mod.rs
+++ b/pingora-core/src/listeners/mod.rs
@@ -26,7 +26,7 @@ use std::{fs::Permissions, sync::Arc};
use l4::{ListenerEndpoint, Stream as L4Stream};
use tls::Acceptor;
-pub use crate::protocols::ssl::server::TlsAccept;
+pub use crate::protocols::tls::server::TlsAccept;
pub use l4::{ServerAddress, TcpSocketOptions};
pub use tls::{TlsSettings, ALPN};
@@ -213,6 +213,7 @@ mod test {
}
#[tokio::test]
+ #[cfg(feature = "some_tls")]
async fn test_listen_tls() {
use tokio::io::AsyncReadExt;
diff --git a/pingora-core/src/listeners/tls.rs b/pingora-core/src/listeners/tls.rs
index 1dd63d4..55a7139 100644
--- a/pingora-core/src/listeners/tls.rs
+++ b/pingora-core/src/listeners/tls.rs
@@ -16,14 +16,14 @@ use log::debug;
use pingora_error::{ErrorType, OrErr, Result};
use std::ops::{Deref, DerefMut};
-use crate::protocols::ssl::{
+use crate::protocols::tls::{
server::{handshake, handshake_with_callback, TlsAcceptCallbacks},
SslStream,
};
use crate::protocols::IO;
use crate::tls::ssl::{SslAcceptor, SslAcceptorBuilder, SslFiletype, SslMethod};
-pub use crate::protocols::ssl::ALPN;
+pub use crate::protocols::tls::ALPN;
pub const TLS_CONF_ERR: ErrorType = ErrorType::Custom("TLSConfigError");
diff --git a/pingora-core/src/protocols/digest.rs b/pingora-core/src/protocols/digest.rs
index e080a89..3150306 100644
--- a/pingora-core/src/protocols/digest.rs
+++ b/pingora-core/src/protocols/digest.rs
@@ -22,7 +22,7 @@ use once_cell::sync::OnceCell;
use super::l4::ext::{get_recv_buf, get_tcp_info, TCP_INFO};
use super::l4::socket::SocketAddr;
use super::raw_connect::ProxyDigest;
-use super::ssl::digest::SslDigest;
+use super::tls::digest::SslDigest;
/// The information can be extracted from a connection
#[derive(Clone, Debug, Default)]
diff --git a/pingora-core/src/protocols/mod.rs b/pingora-core/src/protocols/mod.rs
index 32695e1..fb30992 100644
--- a/pingora-core/src/protocols/mod.rs
+++ b/pingora-core/src/protocols/mod.rs
@@ -18,14 +18,14 @@ mod digest;
pub mod http;
pub mod l4;
pub mod raw_connect;
-pub mod ssl;
+pub mod tls;
pub use digest::{
Digest, GetProxyDigest, GetSocketDigest, GetTimingDigest, ProtoDigest, SocketDigest,
TimingDigest,
};
pub use l4::ext::TcpKeepalive;
-pub use ssl::ALPN;
+pub use tls::ALPN;
use async_trait::async_trait;
use std::fmt::Debug;
@@ -53,7 +53,7 @@ pub trait Ssl {
}
/// Return the [`ssl::SslDigest`] for logging
- fn get_ssl_digest(&self) -> Option<Arc<ssl::SslDigest>> {
+ fn get_ssl_digest(&self) -> Option<Arc<tls::SslDigest>> {
None
}
diff --git a/pingora-core/src/protocols/ssl/client.rs b/pingora-core/src/protocols/tls/client.rs
index 9edf29b..9edf29b 100644
--- a/pingora-core/src/protocols/ssl/client.rs
+++ b/pingora-core/src/protocols/tls/client.rs
diff --git a/pingora-core/src/protocols/ssl/digest.rs b/pingora-core/src/protocols/tls/digest.rs
index 3cdb7aa..3cdb7aa 100644
--- a/pingora-core/src/protocols/ssl/digest.rs
+++ b/pingora-core/src/protocols/tls/digest.rs
diff --git a/pingora-core/src/protocols/tls/dummy_tls/mod.rs b/pingora-core/src/protocols/tls/dummy_tls/mod.rs
new file mode 100644
index 0000000..9a841d6
--- /dev/null
+++ b/pingora-core/src/protocols/tls/dummy_tls/mod.rs
@@ -0,0 +1,805 @@
+// Copyright 2024 Cloudflare, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module contains a dummy TLS implementation for the scenarios where real TLS
+//! implementations are unavailable.
+
+macro_rules! impl_display {
+ ($ty:ty) => {
+ impl std::fmt::Display for $ty {
+ fn fmt(&self, _f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> {
+ Ok(())
+ }
+ }
+ };
+}
+
+macro_rules! impl_deref {
+ ($from:ty => $to:ty) => {
+ impl std::ops::Deref for $from {
+ type Target = $to;
+ fn deref(&self) -> &$to {
+ unimplemented!();
+ }
+ }
+ impl std::ops::DerefMut for $from {
+ fn deref_mut(&mut self) -> &mut $to {
+ unimplemented!();
+ }
+ }
+ };
+}
+
+pub mod ssl {
+ use super::error::ErrorStack;
+ use super::x509::verify::X509VerifyParamRef;
+ use super::x509::{X509VerifyResult, X509};
+
+ /// An error returned from an ALPN selection callback.
+ pub struct AlpnError;
+ impl AlpnError {
+ /// Terminate the handshake with a fatal alert.
+ pub const ALERT_FATAL: AlpnError = Self {};
+
+ /// Do not select a protocol, but continue the handshake.
+ pub const NOACK: AlpnError = Self {};
+ }
+
+ /// A type which allows for configuration of a client-side TLS session before connection.
+ pub struct ConnectConfiguration;
+ impl_deref! {ConnectConfiguration => SslRef}
+ impl ConnectConfiguration {
+ /// Configures the use of Server Name Indication (SNI) when connecting.
+ pub fn set_use_server_name_indication(&mut self, _use_sni: bool) {
+ unimplemented!();
+ }
+
+ /// Configures the use of hostname verification when connecting.
+ pub fn set_verify_hostname(&mut self, _verify_hostname: bool) {
+ unimplemented!();
+ }
+
+ /// Returns an `Ssl` configured to connect to the provided domain.
+ pub fn into_ssl(self, _domain: &str) -> Result<Ssl, ErrorStack> {
+ unimplemented!();
+ }
+
+ /// Like `SslContextBuilder::set_verify`.
+ pub fn set_verify(&mut self, _mode: SslVerifyMode) {
+ unimplemented!();
+ }
+
+ /// Like `SslContextBuilder::set_alpn_protos`.
+ pub fn set_alpn_protos(&mut self, _protocols: &[u8]) -> Result<(), ErrorStack> {
+ unimplemented!();
+ }
+
+ /// Returns a mutable reference to the X509 verification configuration.
+ pub fn param_mut(&mut self) -> &mut X509VerifyParamRef {
+ unimplemented!();
+ }
+ }
+
+ /// An SSL error.
+ #[derive(Debug)]
+ pub struct Error;
+ impl_display!(Error);
+ impl Error {
+ pub fn code(&self) -> ErrorCode {
+ unimplemented!();
+ }
+ }
+
+ /// An error code returned from SSL functions.
+ #[derive(PartialEq)]
+ pub struct ErrorCode(i32);
+ impl ErrorCode {
+ /// An error occurred in the SSL library.
+ pub const SSL: ErrorCode = Self(0);
+ }
+
+ /// An identifier of a session name type.
+ pub struct NameType;
+ impl NameType {
+ pub const HOST_NAME: NameType = Self {};
+ }
+
+ /// The state of an SSL/TLS session.
+ pub struct Ssl;
+ impl Ssl {
+ /// Creates a new `Ssl`.
+ pub fn new(_ctx: &SslContextRef) -> Result<Ssl, ErrorStack> {
+ unimplemented!();
+ }
+ }
+ impl_deref! {Ssl => SslRef}
+
+ /// A type which wraps server-side streams in a TLS session.
+ pub struct SslAcceptor;
+ impl SslAcceptor {
+ /// Creates a new builder configured to connect to non-legacy clients. This should
+ /// generally be considered a reasonable default choice.
+ pub fn mozilla_intermediate_v5(
+ _method: SslMethod,
+ ) -> Result<SslAcceptorBuilder, ErrorStack> {
+ unimplemented!();
+ }
+ }
+
+ /// A builder for `SslAcceptor`s.
+ pub struct SslAcceptorBuilder;
+ impl SslAcceptorBuilder {
+ /// Consumes the builder, returning a `SslAcceptor`.
+ pub fn build(self) -> SslAcceptor {
+ unimplemented!();
+ }
+
+ /// Sets the callback used by a server to select a protocol for Application Layer Protocol
+ /// Negotiation (ALPN).
+ pub fn set_alpn_select_callback<F>(&mut self, _callback: F)
+ where
+ F: for<'a> Fn(&mut SslRef, &'a [u8]) -> Result<&'a [u8], AlpnError>
+ + 'static
+ + Sync
+ + Send,
+ {
+ unimplemented!();
+ }
+
+ /// Loads a certificate chain from a file.
+ pub fn set_certificate_chain_file<P: AsRef<std::path::Path>>(
+ &mut self,
+ _file: P,
+ ) -> Result<(), ErrorStack> {
+ unimplemented!();
+ }
+
+ /// Loads the private key from a file.
+ pub fn set_private_key_file<P: AsRef<std::path::Path>>(
+ &mut self,
+ _file: P,
+ _file_type: SslFiletype,
+ ) -> Result<(), ErrorStack> {
+ unimplemented!();
+ }
+
+ /// Sets the maximum supported protocol version.
+ pub fn set_max_proto_version(
+ &mut self,
+ _version: Option<SslVersion>,
+ ) -> Result<(), ErrorStack> {
+ unimplemented!();
+ }
+ }
+
+ /// Reference to an [`SslCipher`].
+ pub struct SslCipherRef;
+ impl SslCipherRef {
+ /// Returns the name of the cipher.
+ pub fn name(&self) -> &'static str {
+ unimplemented!();
+ }
+ }
+
+ /// A type which wraps client-side streams in a TLS session.
+ pub struct SslConnector;
+ impl SslConnector {
+ /// Creates a new builder for TLS connections.
+ pub fn builder(_method: SslMethod) -> Result<SslConnectorBuilder, ErrorStack> {
+ Ok(SslConnectorBuilder)
+ }
+
+ /// Returns a structure allowing for configuration of a single TLS session before connection.
+ pub fn configure(&self) -> Result<ConnectConfiguration, ErrorStack> {
+ Ok(ConnectConfiguration)
+ }
+
+ /// Returns a shared reference to the inner raw `SslContext`.
+ pub fn context(&self) -> &SslContextRef {
+ &SslContextRef
+ }
+ }
+
+ /// A builder for `SslConnector`s.
+ pub struct SslConnectorBuilder;
+ impl SslConnectorBuilder {
+ /// Consumes the builder, returning an `SslConnector`.
+ pub fn build(self) -> SslConnector {
+ SslConnector
+ }
+
+ /// Sets the list of supported ciphers for protocols before TLSv1.3.
+ pub fn set_cipher_list(&mut self, _cipher_list: &str) -> Result<(), ErrorStack> {
+ Ok(())
+ }
+
+ /// Sets the context’s supported signature algorithms.
+ pub fn set_sigalgs_list(&mut self, _sigalgs: &str) -> Result<(), ErrorStack> {
+ Ok(())
+ }
+
+ /// Sets the minimum supported protocol version.
+ pub fn set_min_proto_version(
+ &mut self,
+ _version: Option<SslVersion>,
+ ) -> Result<(), ErrorStack> {
+ Ok(())
+ }
+
+ /// Sets the maximum supported protocol version.
+ pub fn set_max_proto_version(
+ &mut self,
+ _version: Option<SslVersion>,
+ ) -> Result<(), ErrorStack> {
+ Ok(())
+ }
+
+ /// Use the default locations of trusted certificates for verification.
+ pub fn set_default_verify_paths(&mut self) -> Result<(), ErrorStack> {
+ Ok(())
+ }
+
+ /// Loads trusted root certificates from a file.
+ pub fn set_ca_file<P: AsRef<std::path::Path>>(
+ &mut self,
+ _file: P,
+ ) -> Result<(), ErrorStack> {
+ Ok(())
+ }
+
+ /// Loads a leaf certificate from a file.
+ pub fn set_certificate_file<P: AsRef<std::path::Path>>(
+ &mut self,
+ _file: P,
+ _file_type: SslFiletype,
+ ) -> Result<(), ErrorStack> {
+ Ok(())
+ }
+
+ /// Loads the private key from a file.
+ pub fn set_private_key_file<P: AsRef<std::path::Path>>(
+ &mut self,
+ _file: P,
+ _file_type: SslFiletype,
+ ) -> Result<(), ErrorStack> {
+ Ok(())
+ }
+
+ /// Sets the TLS key logging callback.
+ pub fn set_keylog_callback<F>(&mut self, _callback: F)
+ where
+ F: Fn(&SslRef, &str) + 'static + Sync + Send,
+ {
+ }
+ }
+
+ /// A context object for TLS streams.
+ pub struct SslContext;
+ impl SslContext {
+ /// Creates a new builder object for an `SslContext`.
+ pub fn builder(_method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
+ unimplemented!();
+ }
+ }
+ impl_deref! {SslContext => SslContextRef}
+
+ /// A builder for `SslContext`s.
+ pub struct SslContextBuilder;
+ impl SslContextBuilder {
+ /// Consumes the builder, returning a new `SslContext`.
+ pub fn build(self) -> SslContext {
+ unimplemented!();
+ }
+ }
+
+ /// Reference to [`SslContext`]
+ pub struct SslContextRef;
+
+ /// An identifier of the format of a certificate or key file.
+ pub struct SslFiletype;
+ impl SslFiletype {
+ /// The PEM format.
+ pub const PEM: SslFiletype = Self {};
+ }
+
+ /// A type specifying the kind of protocol an `SslContext`` will speak.
+ pub struct SslMethod;
+ impl SslMethod {
+ /// Support all versions of the TLS protocol.
+ pub fn tls() -> SslMethod {
+ Self
+ }
+ }
+
+ /// Reference to an [`Ssl`].
+ pub struct SslRef;
+ impl SslRef {
+ /// Like [`SslContextBuilder::set_verify`].
+ pub fn set_verify(&mut self, _mode: SslVerifyMode) {
+ unimplemented!();
+ }
+
+ /// Returns the current cipher if the session is active.
+ pub fn current_cipher(&self) -> Option<&SslCipherRef> {
+ unimplemented!();
+ }
+
+ /// Sets the host name to be sent to the server for Server Name Indication (SNI).
+ pub fn set_hostname(&mut self, _hostname: &str) -> Result<(), ErrorStack> {
+ unimplemented!();
+ }
+
+ /// Returns the peer’s certificate, if present.
+ pub fn peer_certificate(&self) -> Option<X509> {
+ unimplemented!();
+ }
+
+ /// Returns the certificate verification result.
+ pub fn verify_result(&self) -> X509VerifyResult {
+ unimplemented!();
+ }
+
+ /// Returns a string describing the protocol version of the session.
+ pub fn version_str(&self) -> &'static str {
+ unimplemented!();
+ }
+
+ /// Returns the protocol selected via Application Layer Protocol Negotiation (ALPN).
+ pub fn selected_alpn_protocol(&self) -> Option<&[u8]> {
+ unimplemented!();
+ }
+
+ /// Returns the servername sent by the client via Server Name Indication (SNI).
+ pub fn servername(&self, _type_: NameType) -> Option<&str> {
+ unimplemented!();
+ }
+ }
+
+ /// Options controlling the behavior of certificate verification.
+ pub struct SslVerifyMode;
+ impl SslVerifyMode {
+ /// Verifies that the peer’s certificate is trusted.
+ pub const PEER: Self = Self {};
+
+ /// Disables verification of the peer’s certificate.
+ pub const NONE: Self = Self {};
+ }
+
+ /// An SSL/TLS protocol version.
+ pub struct SslVersion;
+ impl SslVersion {
+ /// TLSv1.0
+ pub const TLS1: SslVersion = Self {};
+
+ /// TLSv1.2
+ pub const TLS1_2: SslVersion = Self {};
+
+ /// TLSv1.3
+ pub const TLS1_3: SslVersion = Self {};
+ }
+
+ /// A standard implementation of protocol selection for Application Layer Protocol Negotiation
+ /// (ALPN).
+ pub fn select_next_proto<'a>(_server: &[u8], _client: &'a [u8]) -> Option<&'a [u8]> {
+ unimplemented!();
+ }
+}
+
+pub mod ssl_sys {
+ pub const X509_V_OK: i32 = 0;
+ pub const X509_V_ERR_INVALID_CALL: i32 = 69;
+}
+
+pub mod error {
+ use super::ssl::Error;
+
+ /// Collection of [`Errors`] from OpenSSL.
+ #[derive(Debug)]
+ pub struct ErrorStack;
+ impl_display!(ErrorStack);
+ impl std::error::Error for ErrorStack {}
+ impl ErrorStack {
+ /// Returns the contents of the OpenSSL error stack.
+ pub fn get() -> ErrorStack {
+ unimplemented!();
+ }
+
+ /// Returns the errors in the stack.
+ pub fn errors(&self) -> &[Error] {
+ unimplemented!();
+ }
+ }
+}
+
+pub mod x509 {
+ use super::asn1::{Asn1IntegerRef, Asn1StringRef, Asn1TimeRef};
+ use super::error::ErrorStack;
+ use super::hash::{DigestBytes, MessageDigest};
+ use super::nid::Nid;
+
+ /// An `X509` public key certificate.
+ #[derive(Debug, Clone)]
+ pub struct X509;
+ impl_deref! {X509 => X509Ref}
+ impl X509 {
+ /// Deserializes a PEM-encoded X509 structure.
+ pub fn from_pem(_pem: &[u8]) -> Result<X509, ErrorStack> {
+ unimplemented!();
+ }
+ }
+
+ /// A type to destructure and examine an `X509Name`.
+ pub struct X509NameEntries<'a> {
+ marker: std::marker::PhantomData<&'a ()>,
+ }
+ impl<'a> Iterator for X509NameEntries<'a> {
+ type Item = &'a X509NameEntryRef;
+ fn next(&mut self) -> Option<&'a X509NameEntryRef> {
+ unimplemented!();
+ }
+ }
+
+ /// Reference to `X509NameEntry`.
+ pub struct X509NameEntryRef;
+ impl X509NameEntryRef {
+ pub fn data(&self) -> &Asn1StringRef {
+ unimplemented!();
+ }
+ }
+
+ /// Reference to `X509Name`.
+ pub struct X509NameRef;
+ impl X509NameRef {
+ /// Returns the name entries by the nid.
+ pub fn entries_by_nid(&self, _nid: Nid) -> X509NameEntries<'_> {
+ unimplemented!();
+ }
+ }
+
+ /// Reference to `X509`.
+ pub struct X509Ref;
+ impl X509Ref {
+ /// Returns this certificate’s subject name.
+ pub fn subject_name(&self) -> &X509NameRef {
+ unimplemented!();
+ }
+
+ /// Returns a digest of the DER representation of the certificate.
+ pub fn digest(&self, _hash_type: MessageDigest) -> Result<DigestBytes, ErrorStack> {
+ unimplemented!();
+ }
+
+ /// Returns the certificate’s Not After validity period.
+ pub fn not_after(&self) -> &Asn1TimeRef {
+ unimplemented!();
+ }
+
+ /// Returns this certificate’s serial number.
+ pub fn serial_number(&self) -> &Asn1IntegerRef {
+ unimplemented!();
+ }
+ }
+
+ /// The result of peer certificate verification.
+ pub struct X509VerifyResult;
+ impl X509VerifyResult {
+ /// Return the integer representation of an `X509VerifyResult`.
+ pub fn as_raw(&self) -> i32 {
+ unimplemented!();
+ }
+ }
+
+ pub mod store {
+ use super::super::error::ErrorStack;
+ use super::X509;
+
+ /// A builder type used to construct an `X509Store`.
+ pub struct X509StoreBuilder;
+ impl X509StoreBuilder {
+ /// Returns a builder for a certificate store..
+ pub fn new() -> Result<X509StoreBuilder, ErrorStack> {
+ unimplemented!();
+ }
+
+ /// Constructs the `X509Store`.
+ pub fn build(self) -> X509Store {
+ unimplemented!();
+ }
+
+ /// Adds a certificate to the certificate store.
+ pub fn add_cert(&mut self, _cert: X509) -> Result<(), ErrorStack> {
+ unimplemented!();
+ }
+ }
+
+ /// A certificate store to hold trusted X509 certificates.
+ pub struct X509Store;
+ impl_deref! {X509Store => X509StoreRef}
+
+ /// Reference to an `X509Store`.
+ pub struct X509StoreRef;
+ }
+
+ pub mod verify {
+ /// Reference to `X509VerifyParam`.
+ pub struct X509VerifyParamRef;
+ }
+}
+
+pub mod nid {
+ /// A numerical identifier for an OpenSSL object.
+ pub struct Nid;
+ impl Nid {
+ pub const COMMONNAME: Nid = Self {};
+ pub const ORGANIZATIONNAME: Nid = Self {};
+ pub const ORGANIZATIONALUNITNAME: Nid = Self {};
+ }
+}
+
+pub mod pkey {
+ use super::error::ErrorStack;
+
+ /// A public or private key.
+ #[derive(Clone)]
+ pub struct PKey<T> {
+ marker: std::marker::PhantomData<T>,
+ }
+ impl<T> std::ops::Deref for PKey<T> {
+ type Target = PKeyRef<T>;
+ fn deref(&self) -> &PKeyRef<T> {
+ unimplemented!();
+ }
+ }
+ impl<T> std::ops::DerefMut for PKey<T> {
+ fn deref_mut(&mut self) -> &mut PKeyRef<T> {
+ unimplemented!();
+ }
+ }
+ impl PKey<Private> {
+ pub fn private_key_from_pem(_pem: &[u8]) -> Result<PKey<Private>, ErrorStack> {
+ unimplemented!();
+ }
+ }
+
+ /// Reference to `PKey`.
+ pub struct PKeyRef<T> {
+ marker: std::marker::PhantomData<T>,
+ }
+
+ /// A tag type indicating that a key has private components.
+ #[derive(Clone)]
+ pub enum Private {}
+ unsafe impl HasPrivate for Private {}
+
+ /// A trait indicating that a key has private components.
+ pub unsafe trait HasPrivate {}
+}
+
+pub mod hash {
+ /// A message digest algorithm.
+ pub struct MessageDigest;
+ impl MessageDigest {
+ pub fn sha256() -> MessageDigest {
+ unimplemented!();
+ }
+ }
+
+ /// The resulting bytes of a digest.
+ pub struct DigestBytes;
+ impl AsRef<[u8]> for DigestBytes {
+ fn as_ref(&self) -> &[u8] {
+ unimplemented!();
+ }
+ }
+}
+
+pub mod asn1 {
+ use super::bn::BigNum;
+ use super::error::ErrorStack;
+
+ /// A reference to an `Asn1Integer`.
+ pub struct Asn1IntegerRef;
+ impl Asn1IntegerRef {
+ /// Converts the integer to a `BigNum`.
+ pub fn to_bn(&self) -> Result<BigNum, ErrorStack> {
+ unimplemented!();
+ }
+ }
+
+ /// A reference to an `Asn1String`.
+ pub struct Asn1StringRef;
+ impl Asn1StringRef {
+ pub fn as_utf8(&self) -> Result<&str, ErrorStack> {
+ unimplemented!();
+ }
+ }
+
+ /// Reference to an `Asn1Time`
+ pub struct Asn1TimeRef;
+ impl_display! {Asn1TimeRef}
+}
+
+pub mod bn {
+ use super::error::ErrorStack;
+
+ /// Dynamically sized large number implementation
+ pub struct BigNum;
+ impl BigNum {
+ /// Returns a hexadecimal string representation of `self`.
+ pub fn to_hex_str(&self) -> Result<&str, ErrorStack> {
+ unimplemented!();
+ }
+ }
+}
+
+pub mod ext {
+ use super::error::ErrorStack;
+ use super::pkey::{HasPrivate, PKeyRef};
+ use super::ssl::{Ssl, SslAcceptor, SslRef};
+ use super::x509::store::X509StoreRef;
+ use super::x509::verify::X509VerifyParamRef;
+ use super::x509::X509Ref;
+
+ /// Add name as an additional reference identifier that can match the peer's certificate
+ pub fn add_host(_verify_param: &mut X509VerifyParamRef, _host: &str) -> Result<(), ErrorStack> {
+ unimplemented!();
+ }
+
+ /// Set the verify cert store of `_ssl`
+ pub fn ssl_set_verify_cert_store(
+ _ssl: &mut SslRef,
+ _cert_store: &X509StoreRef,
+ ) -> Result<(), ErrorStack> {
+ unimplemented!();
+ }
+
+ /// Load the certificate into `_ssl`
+ pub fn ssl_use_certificate(_ssl: &mut SslRef, _cert: &X509Ref) -> Result<(), ErrorStack> {
+ unimplemented!();
+ }
+
+ /// Load the private key into `_ssl`
+ pub fn ssl_use_private_key<T>(_ssl: &mut SslRef, _key: &PKeyRef<T>) -> Result<(), ErrorStack>
+ where
+ T: HasPrivate,
+ {
+ unimplemented!();
+ }
+
+ /// Clear the error stack
+ pub fn clear_error_stack() {}
+
+ /// Create a new [Ssl] from &[SslAcceptor]
+ pub fn ssl_from_acceptor(_acceptor: &SslAcceptor) -> Result<Ssl, ErrorStack> {
+ unimplemented!();
+ }
+
+ /// Suspend the TLS handshake when a certificate is needed.
+ pub fn suspend_when_need_ssl_cert(_ssl: &mut SslRef) {
+ unimplemented!();
+ }
+
+ /// Unblock a TLS handshake after the certificate is set.
+ pub fn unblock_ssl_cert(_ssl: &mut SslRef) {
+ unimplemented!();
+ }
+
+ /// Whether the TLS error is SSL_ERROR_WANT_X509_LOOKUP
+ pub fn is_suspended_for_cert(_error: &super::ssl::Error) -> bool {
+ unimplemented!();
+ }
+
+ /// Add the certificate into the cert chain of `_ssl`
+ pub fn ssl_add_chain_cert(_ssl: &mut SslRef, _cert: &X509Ref) -> Result<(), ErrorStack> {
+ unimplemented!();
+ }
+
+ /// Set renegotiation
+ pub fn ssl_set_renegotiate_mode_freely(_ssl: &mut SslRef) {}
+
+ /// Set the curves/groups of `_ssl`
+ pub fn ssl_set_groups_list(_ssl: &mut SslRef, _groups: &str) -> Result<(), ErrorStack> {
+ unimplemented!();
+ }
+
+ /// Sets whether a second keyshare to be sent in client hello when PQ is used.
+ pub fn ssl_use_second_key_share(_ssl: &mut SslRef, _enabled: bool) {}
+
+ /// Get a mutable SslRef ouf of SslRef, which is a missing functionality even when holding &mut SslStream
+ /// # Safety
+ pub unsafe fn ssl_mut(_ssl: &SslRef) -> &mut SslRef {
+ unimplemented!();
+ }
+}
+
+pub mod tokio_ssl {
+ use std::pin::Pin;
+ use std::task::{Context, Poll};
+ use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
+
+ use super::error::ErrorStack;
+ use super::ssl::{Error, Ssl, SslRef};
+
+ /// A TLS session over a stream.
+ #[derive(Debug)]
+ pub struct SslStream<S> {
+ marker: std::marker::PhantomData<S>,
+ }
+ impl<S> SslStream<S> {
+ /// Creates a new `SslStream`.
+ pub fn new(_ssl: Ssl, _stream: S) -> Result<Self, ErrorStack> {
+ unimplemented!();
+ }
+
+ /// Initiates a client-side TLS handshake.
+ pub async fn connect(self: Pin<&mut Self>) -> Result<(), Error> {
+ unimplemented!();
+ }
+
+ /// Initiates a server-side TLS handshake.
+ pub async fn accept(self: Pin<&mut Self>) -> Result<(), Error> {
+ unimplemented!();
+ }
+
+ /// Returns a shared reference to the `Ssl` object associated with this stream.
+ pub fn ssl(&self) -> &SslRef {
+ unimplemented!();
+ }
+
+ /// Returns a shared reference to the underlying stream.
+ pub fn get_ref(&self) -> &S {
+ unimplemented!();
+ }
+
+ /// Returns a mutable reference to the underlying stream.
+ pub fn get_mut(&mut self) -> &mut S {
+ unimplemented!();
+ }
+ }
+ impl<S> AsyncRead for SslStream<S>
+ where
+ S: AsyncRead + AsyncWrite,
+ {
+ fn poll_read(
+ self: Pin<&mut Self>,
+ _ctx: &mut Context<'_>,
+ _buf: &mut ReadBuf<'_>,
+ ) -> Poll<std::io::Result<()>> {
+ unimplemented!();
+ }
+ }
+ impl<S> AsyncWrite for SslStream<S>
+ where
+ S: AsyncRead + AsyncWrite,
+ {
+ fn poll_write(
+ self: Pin<&mut Self>,
+ _ctx: &mut Context<'_>,
+ _buf: &[u8],
+ ) -> Poll<std::io::Result<usize>> {
+ unimplemented!();
+ }
+
+ fn poll_flush(self: Pin<&mut Self>, _ctx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
+ unimplemented!();
+ }
+
+ fn poll_shutdown(
+ self: Pin<&mut Self>,
+ _ctx: &mut Context<'_>,
+ ) -> Poll<std::io::Result<()>> {
+ unimplemented!();
+ }
+ }
+}
diff --git a/pingora-core/src/protocols/ssl/mod.rs b/pingora-core/src/protocols/tls/mod.rs
index f1ce8b9..b1edf23 100644
--- a/pingora-core/src/protocols/ssl/mod.rs
+++ b/pingora-core/src/protocols/tls/mod.rs
@@ -18,6 +18,9 @@ pub mod client;
pub mod digest;
pub mod server;
+#[cfg(not(feature = "some_tls"))]
+pub mod dummy_tls;
+
use crate::protocols::digest::TimingDigest;
use crate::protocols::{Ssl, UniqueID};
use crate::tls::{self, ssl, tokio_ssl::SslStream as InnerSsl};
diff --git a/pingora-core/src/protocols/ssl/server.rs b/pingora-core/src/protocols/tls/server.rs
index c85846b..1da1d45 100644
--- a/pingora-core/src/protocols/ssl/server.rs
+++ b/pingora-core/src/protocols/tls/server.rs
@@ -143,6 +143,7 @@ impl<S: AsyncRead + AsyncWrite + Send + Unpin> ResumableAccept for SslStream<S>
}
#[tokio::test]
+#[cfg(feature = "some_tls")]
async fn test_async_cert() {
use tokio::io::AsyncReadExt;
let acceptor = ssl::SslAcceptor::mozilla_intermediate_v5(ssl::SslMethod::tls())
diff --git a/pingora-core/src/upstreams/peer.rs b/pingora-core/src/upstreams/peer.rs
index c4a23a8..fad8471 100644
--- a/pingora-core/src/upstreams/peer.rs
+++ b/pingora-core/src/upstreams/peer.rs
@@ -36,7 +36,7 @@ use crate::protocols::TcpKeepalive;
use crate::tls::x509::X509;
use crate::utils::{get_organization_unit, CertKey};
-pub use crate::protocols::ssl::ALPN;
+pub use crate::protocols::tls::ALPN;
/// The interface to trace the connection
pub trait Tracing: Send + Sync + std::fmt::Debug {
diff --git a/pingora-core/tests/test_basic.rs b/pingora-core/tests/test_basic.rs
index 171f757..9842009 100644
--- a/pingora-core/tests/test_basic.rs
+++ b/pingora-core/tests/test_basic.rs
@@ -18,6 +18,7 @@ use hyper::Client;
use hyperlocal::{UnixClientExt, Uri};
use utils::init;
+#[cfg(feature = "some_tls")]
#[tokio::test]
async fn test_http() {
init();
@@ -25,6 +26,7 @@ async fn test_http() {
assert_eq!(res.status(), reqwest::StatusCode::OK);
}
+#[cfg(feature = "some_tls")]
#[tokio::test]
async fn test_https_http2() {
init();
@@ -49,6 +51,7 @@ async fn test_https_http2() {
assert_eq!(res.version(), reqwest::Version::HTTP_11);
}
+#[cfg(feature = "some_tls")]
#[tokio::test]
async fn test_uds() {
init();