authorafon <[email protected]>2024-03-02 12:32:51 +0800
committerEdward Wang <[email protected]>2024-03-15 14:37:56 -0700
commit81e6adea4d38ae00387538fb48dd8a6aab1ad21f (patch)
tree870e2aeb89d41d8c41c748b66f7b5264db6d9dc1
parentd19ae74563bbabb6cf5a7473d0227d7c560840df (diff)
downloadpingora-81e6adea4d38ae00387538fb48dd8a6aab1ad21f.tar.gz
pingora-81e6adea4d38ae00387538fb48dd8a6aab1ad21f.zip
Unify the type for matching `verify_result`
-rw-r--r--.bleep2
-rw-r--r--pingora-core/src/protocols/ssl/client.rs36
2 files changed, 26 insertions, 12 deletions
diff --git a/.bleep b/.bleep
index 7092101..eaa447d 100644
--- a/.bleep
+++ b/.bleep
@@ -1 +1 @@
-f5828844181647e13067b3578ea7333c70ab671c \ No newline at end of file
+7226cbe46016b51a2f76743555e734415f67923b \ No newline at end of file
diff --git a/pingora-core/src/protocols/ssl/client.rs b/pingora-core/src/protocols/ssl/client.rs
index abb6da6..7ed683f 100644
--- a/pingora-core/src/protocols/ssl/client.rs
+++ b/pingora-core/src/protocols/ssl/client.rs
@@ -17,11 +17,7 @@
use super::SslStream;
use crate::protocols::raw_connect::ProxyDigest;
use crate::protocols::{GetProxyDigest, GetTimingDigest, TimingDigest, IO};
-use crate::tls::{
- ssl,
- ssl::ConnectConfiguration,
- ssl_sys::{X509_V_ERR_INVALID_CALL, X509_V_OK},
-};
+use crate::tls::{ssl, ssl::ConnectConfiguration, ssl_sys::X509_V_ERR_INVALID_CALL};
use pingora_error::{Error, ErrorType::*, OrErr, Result};
use std::sync::Arc;
@@ -43,13 +39,31 @@ pub async fn handshake<S: IO>(
Err(e) => {
let context = format!("TLS connect() failed: {e}, SNI: {domain}");
match e.code() {
- ssl::ErrorCode::SSL => match stream.ssl().verify_result().as_raw() {
- // X509_V_ERR_INVALID_CALL in case verify result was never set
- X509_V_OK | X509_V_ERR_INVALID_CALL => {
- Error::e_explain(TLSHandshakeFailure, context)
+ ssl::ErrorCode::SSL => {
+ // Unify the return type of `verify_result` for openssl
+ #[cfg(not(feature = "boringssl"))]
+ fn verify_result<S>(stream: SslStream<S>) -> Result<(), i32> {
+ match stream.ssl().verify_result().as_raw() {
+ crate::tls::ssl_sys::X509_V_OK => Ok(()),
+ e => Err(e),
+ }
}
- _ => Error::e_explain(InvalidCert, context),
- },
+
+ // Unify the return type of `verify_result` for boringssl
+ #[cfg(feature = "boringssl")]
+ fn verify_result<S>(stream: SslStream<S>) -> Result<(), i32> {
+ stream.ssl().verify_result().map_err(|e| e.as_raw())
+ }
+
+ match verify_result(stream) {
+ Ok(()) => Error::e_explain(TLSHandshakeFailure, context),
+ // X509_V_ERR_INVALID_CALL in case verify result was never set
+ Err(X509_V_ERR_INVALID_CALL) => {
+ Error::e_explain(TLSHandshakeFailure, context)
+ }
+ _ => Error::e_explain(InvalidCert, context),
+ }
+ }
/* likely network error, but still mark as TLS error */
_ => Error::e_explain(TLSHandshakeFailure, context),
}
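Review bot: The final `_` arm of the new `match verify_result(stream)` throws away the raw X509 verify code that both helpers return. Unless `e` already carries it, an `InvalidCert` report cannot say whether the peer certificate was expired, untrusted or issued for another name. Binding the code keeps that detail for triage, e.g. `Err(code) => Error::e_explain(InvalidCert, format!("{context}, verify result: {code}")),`. Separately, both helpers take `SslStream<S>` by value only to read a result; `fn verify_result<S>(stream: &SslStream<S>) -> Result<(), i32>` called with `&stream` would not consume the stream. The `Ok(())` and `Err(X509_V_ERR_INVALID_CALL)` arms build the same error and could be a single `|` pattern. The body of `handshake` starts and ends outside this hunk, so how `stream` is used afterwards is not visible here.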