From 81e6adea4d38ae00387538fb48dd8a6aab1ad21f Mon Sep 17 00:00:00 2001
From: afon
Date: Sat, 2 Mar 2024 12:32:51 +0800
Subject: Unify the type for matching `verify_result`
---
.bleep | 2 +-
pingora-core/src/protocols/ssl/client.rs | 36 ++++++++++++++++++++++----------
2 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/.bleep b/.bleep
index 7092101..eaa447d 100644
--- a/.bleep
+++ b/.bleep
@@ -1 +1 @@
-f5828844181647e13067b3578ea7333c70ab671c
\ No newline at end of file
+7226cbe46016b51a2f76743555e734415f67923b
\ No newline at end of file
diff --git a/pingora-core/src/protocols/ssl/client.rs b/pingora-core/src/protocols/ssl/client.rs
index abb6da6..7ed683f 100644
--- a/pingora-core/src/protocols/ssl/client.rs
+++ b/pingora-core/src/protocols/ssl/client.rs
@@ -17,11 +17,7 @@
 use super::SslStream;
 use crate::protocols::raw_connect::ProxyDigest;
 use crate::protocols::{GetProxyDigest, GetTimingDigest, TimingDigest, IO};
-use crate::tls::{
- ssl,
- ssl::ConnectConfiguration,
- ssl_sys::{X509_V_ERR_INVALID_CALL, X509_V_OK},
-};
+use crate::tls::{ssl, ssl::ConnectConfiguration, ssl_sys::X509_V_ERR_INVALID_CALL};
 use pingora_error::{Error, ErrorType::*, OrErr, Result};
 use std::sync::Arc;
 
@@ -43,13 +39,31 @@ pub async fn handshake(
 Err(e) => {
 let context = format!("TLS connect() failed: {e}, SNI: {domain}");
 match e.code() {
- ssl::ErrorCode::SSL => match stream.ssl().verify_result().as_raw() {
- // X509_V_ERR_INVALID_CALL in case verify result was never set
- X509_V_OK | X509_V_ERR_INVALID_CALL => {
- Error::e_explain(TLSHandshakeFailure, context)
+ ssl::ErrorCode::SSL => {
+ // Unify the return type of `verify_result` for openssl
+ #[cfg(not(feature = "boringssl"))]
+ fn verify_result(stream: SslStream) -> Result<(), i32> {
+ match stream.ssl().verify_result().as_raw() {
+ crate::tls::ssl_sys::X509_V_OK => Ok(()),
+ e => Err(e),
+ }
 }
- _ => Error::e_explain(InvalidCert, context),
- },
+
+ // Unify the return type of `verify_result` for boringssl
+ #[cfg(feature = "boringssl")]
+ fn verify_result(stream: SslStream) -> Result<(), i32> {
+ stream.ssl().verify_result().map_err(|e| e.as_raw())
+ }
+
+ match verify_result(stream) {
+ Ok(()) => Error::e_explain(TLSHandshakeFailure, context),
+ // X509_V_ERR_INVALID_CALL in case verify result was never set
+ Err(X509_V_ERR_INVALID_CALL) => {
+ Error::e_explain(TLSHandshakeFailure, context)
+ }
+ _ => Error::e_explain(InvalidCert, context),
+ }
+ }
 /* likely network error, but still mark as TLS error */
 _ => Error::e_explain(TLSHandshakeFailure, context),
-- cgit v1.2.3
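Review bot: The two arms of `match verify_result(stream)` that both produce `TLSHandshakeFailure` can be one or-pattern, which also keeps the shape of the code being replaced and its comment in one place: `// X509_V_ERR_INVALID_CALL in case verify result was never set` followed by `Ok(()) | Err(X509_V_ERR_INVALID_CALL) => Error::e_explain(TLSHandshakeFailure, context),`. Both `verify_result` helpers take `stream` by value only to call `.ssl()` on it; assuming `ssl()` hands back an `&ssl::SslRef` as the call chain suggests, `fn verify_result(ssl: &ssl::SslRef) -> Result<(), i32>` invoked as `verify_result(stream.ssl())` avoids moving the whole stream into a helper that reads one field. It is also worth a comment at the top of the `ssl::ErrorCode::SSL` arm that the verify result is consulted here only to classify a handshake that has already failed, e.g. `// connect() already failed; the verify result only refines the error type (InvalidCert vs TLSHandshakeFailure) and can never accept the connection.`, so nobody later reads `InvalidCert` as the gate that rejects bad certificates. The enclosing `match e.code()` and `handshake` itself continue outside the hunk, and the hunk's final context line appears to have been lost in extraction.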