author | afon <[email protected]> | 2024-03-02 12:32:51 +0800 |
---|---|---|
committer | Edward Wang <[email protected]> | 2024-03-15 14:37:56 -0700 |
commit | 81e6adea4d38ae00387538fb48dd8a6aab1ad21f (patch) | |
tree | 870e2aeb89d41d8c41c748b66f7b5264db6d9dc1 | |
parent | d19ae74563bbabb6cf5a7473d0227d7c560840df (diff) | |
Unify the type for matching `verify_result`
-rw-r--r-- | .bleep | 2 | ||||
-rw-r--r-- | pingora-core/src/protocols/ssl/client.rs | 36 |
2 files changed, 26 insertions, 12 deletions
@@ -1 +1 @@
-f5828844181647e13067b3578ea7333c70ab671c
\ No newline at end of file
+7226cbe46016b51a2f76743555e734415f67923b
\ No newline at end of file
diff --git a/pingora-core/src/protocols/ssl/client.rs b/pingora-core/src/protocols/ssl/client.rs
index abb6da6..7ed683f 100644
--- a/pingora-core/src/protocols/ssl/client.rs
+++ b/pingora-core/src/protocols/ssl/client.rs
@@ -17,11 +17,7 @@
 use super::SslStream;
 use crate::protocols::raw_connect::ProxyDigest;
 use crate::protocols::{GetProxyDigest, GetTimingDigest, TimingDigest, IO};
-use crate::tls::{
-    ssl,
-    ssl::ConnectConfiguration,
-    ssl_sys::{X509_V_ERR_INVALID_CALL, X509_V_OK},
-};
+use crate::tls::{ssl, ssl::ConnectConfiguration, ssl_sys::X509_V_ERR_INVALID_CALL};
 use pingora_error::{Error, ErrorType::*, OrErr, Result};
 use std::sync::Arc;
 
@@ -43,13 +39,31 @@ pub async fn handshake<S: IO>(
         Err(e) => {
             let context = format!("TLS connect() failed: {e}, SNI: {domain}");
             match e.code() {
-                ssl::ErrorCode::SSL => match stream.ssl().verify_result().as_raw() {
-                    // X509_V_ERR_INVALID_CALL in case verify result was never set
-                    X509_V_OK | X509_V_ERR_INVALID_CALL => {
-                        Error::e_explain(TLSHandshakeFailure, context)
+                ssl::ErrorCode::SSL => {
+                    // Unify the return type of `verify_result` for openssl
+                    #[cfg(not(feature = "boringssl"))]
+                    fn verify_result<S>(stream: SslStream<S>) -> Result<(), i32> {
+                        match stream.ssl().verify_result().as_raw() {
+                            crate::tls::ssl_sys::X509_V_OK => Ok(()),
+                            e => Err(e),
+                        }
                     }
-                    _ => Error::e_explain(InvalidCert, context),
-                },
+
+                    // Unify the return type of `verify_result` for boringssl
+                    #[cfg(feature = "boringssl")]
+                    fn verify_result<S>(stream: SslStream<S>) -> Result<(), i32> {
+                        stream.ssl().verify_result().map_err(|e| e.as_raw())
+                    }
+
+                    match verify_result(stream) {
+                        Ok(()) => Error::e_explain(TLSHandshakeFailure, context),
+                        // X509_V_ERR_INVALID_CALL in case verify result was never set
+                        Err(X509_V_ERR_INVALID_CALL) => {
+                            Error::e_explain(TLSHandshakeFailure, context)
+                        }
+                        _ => Error::e_explain(InvalidCert, context),
+                    }
+                }
                 /* likely network error, but still mark as TLS error */
                 _ => Error::e_explain(TLSHandshakeFailure, context),
             }
|
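Review bot: Both cfg-gated `verify_result` helpers take `stream` by value (`SslStream<S>`) although their bodies only call `stream.ssl()`, so `match verify_result(stream)` moves the whole stream into a helper that merely reads the verify status; every arm of that match appears to build an error and return, so the move looks harmless, but a borrow states the intent and keeps the helper usable where the stream is still needed: `fn verify_result<S>(stream: &SslStream<S>) -> Result<(), i32>` with `match verify_result(&stream) {`. The `Ok(())` and `Err(X509_V_ERR_INVALID_CALL)` arms produce the same `TLSHandshakeFailure` error and can be one or-pattern, `Ok(()) | Err(X509_V_ERR_INVALID_CALL) => Error::e_explain(TLSHandshakeFailure, context),`, keeping the "never set" comment above it so the distinction from `InvalidCert` stays documented. The fully qualified `crate::tls::ssl_sys::X509_V_OK` inside the openssl helper is presumably spelled out because a top-level import would be unused under the `boringssl` feature; a one-line comment saying so would stop the next reader from re-adding the import that the first hunk removes. The enclosing `handshake` function starts and ends outside the hunk.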