Skip to content

Commit 5a93ea0

Browse files
committed
Remove all connect and accept functions
Those functions were blurring the line between setup failures (which are caused by the developer misusing the API) and actual failures encountered on the stream while trying to achieve the TLS handshake, especially on SslConnector and SslAcceptor. Removing them allows for the removal of HandshakeError, as the HandshakeError::SetupFailure variant becomes useless, and there is no real need to distinguish in that error type between Failure and WouldBlock when we can just check the error stored in MidHandshakeSslStream. This then allow us to simplify tokio_boring's own entry points, also making them distinguish between setup failures and failures on the stream.
1 parent b27a6e7 commit 5a93ea0

File tree

11 files changed

+136
-282
lines changed

11 files changed

+136
-282
lines changed

boring/src/ssl/connector.rs

+2-45
Original file line numberDiff line numberDiff line change
@@ -4,8 +4,8 @@ use std::ops::{Deref, DerefMut};
44
use crate::dh::Dh;
55
use crate::error::ErrorStack;
66
use crate::ssl::{
7-
HandshakeError, Ssl, SslContext, SslContextBuilder, SslContextRef, SslMethod, SslMode,
8-
SslOptions, SslRef, SslStream, SslVerifyMode,
7+
Ssl, SslContext, SslContextBuilder, SslContextRef, SslMethod, SslMode, SslOptions, SslRef,
8+
SslVerifyMode,
99
};
1010
use crate::version;
1111

@@ -111,21 +111,6 @@ impl SslConnector {
111111
self.configure()?.setup_connect(domain, stream)
112112
}
113113

114-
/// Attempts a client-side TLS session on a stream.
115-
///
116-
/// The domain is used for SNI and hostname verification.
117-
///
118-
/// This is a convenience method which combines [`Self::setup_connect`] and
119-
/// [`MidHandshakeSslStream::handshake`].
120-
pub fn connect<S>(&self, domain: &str, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
121-
where
122-
S: Read + Write,
123-
{
124-
self.setup_connect(domain, stream)
125-
.map_err(HandshakeError::SetupFailure)?
126-
.handshake()
127-
}
128-
129114
/// Returns a structure allowing for configuration of a single TLS session before connection.
130115
pub fn configure(&self) -> Result<ConnectConfiguration, ErrorStack> {
131116
Ssl::new(&self.0).map(|ssl| ConnectConfiguration {
@@ -239,21 +224,6 @@ impl ConnectConfiguration {
239224

240225
Ok(self.ssl.setup_connect(stream))
241226
}
242-
243-
/// Attempts a client-side TLS session on a stream.
244-
///
245-
/// The domain is used for SNI and hostname verification if enabled.
246-
///
247-
/// This is a convenience method which combines [`Self::setup_connect`] and
248-
/// [`MidHandshakeSslStream::handshake`].
249-
pub fn connect<S>(self, domain: &str, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
250-
where
251-
S: Read + Write,
252-
{
253-
self.setup_connect(domain, stream)
254-
.map_err(HandshakeError::SetupFailure)?
255-
.handshake()
256-
}
257227
}
258228

259229
impl Deref for ConnectConfiguration {
@@ -373,19 +343,6 @@ impl SslAcceptor {
373343
Ok(ssl.setup_accept(stream))
374344
}
375345

376-
/// Attempts a server-side TLS handshake on a stream.
377-
///
378-
/// This is a convenience method which combines [`Self::setup_accept`] and
379-
/// [`MidHandshakeSslStream::handshake`].
380-
pub fn accept<S>(&self, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
381-
where
382-
S: Read + Write,
383-
{
384-
self.setup_accept(stream)
385-
.map_err(HandshakeError::SetupFailure)?
386-
.handshake()
387-
}
388-
389346
/// Consumes the `SslAcceptor`, returning the inner raw `SslContext`.
390347
pub fn into_context(self) -> SslContext {
391348
self.0

boring/src/ssl/error.rs

-65
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,10 @@
11
use crate::ffi;
22
use libc::c_int;
33
use std::error;
4-
use std::error::Error as StdError;
54
use std::fmt;
65
use std::io;
76

87
use crate::error::ErrorStack;
9-
use crate::ssl::MidHandshakeSslStream;
10-
use crate::x509::X509VerifyResult;
118

129
/// An error code returned from SSL functions.
1310
#[derive(Debug, Copy, Clone, PartialEq, Eq)]
@@ -130,65 +127,3 @@ impl error::Error for Error {
130127
}
131128
}
132129
}
133-
134-
/// An error or intermediate state after a TLS handshake attempt.
135-
// FIXME overhaul
136-
#[derive(Debug)]
137-
pub enum HandshakeError<S> {
138-
/// Setup failed.
139-
SetupFailure(ErrorStack),
140-
/// The handshake failed.
141-
Failure(MidHandshakeSslStream<S>),
142-
/// The handshake encountered a `WouldBlock` error midway through.
143-
///
144-
/// This error will never be returned for blocking streams.
145-
WouldBlock(MidHandshakeSslStream<S>),
146-
}
147-
148-
impl<S: fmt::Debug> StdError for HandshakeError<S> {
149-
fn source(&self) -> Option<&(dyn StdError + 'static)> {
150-
match *self {
151-
HandshakeError::SetupFailure(ref e) => Some(e),
152-
HandshakeError::Failure(ref s) | HandshakeError::WouldBlock(ref s) => Some(s.error()),
153-
}
154-
}
155-
}
156-
157-
impl<S> fmt::Display for HandshakeError<S> {
158-
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
159-
match *self {
160-
HandshakeError::SetupFailure(ref e) => {
161-
write!(f, "TLS stream setup failed {}", e)
162-
}
163-
HandshakeError::Failure(ref s) => fmt_mid_handshake_error(s, f, "TLS handshake failed"),
164-
HandshakeError::WouldBlock(ref s) => {
165-
fmt_mid_handshake_error(s, f, "TLS handshake interrupted")
166-
}
167-
}
168-
}
169-
}
170-
171-
fn fmt_mid_handshake_error(
172-
s: &MidHandshakeSslStream<impl Sized>,
173-
f: &mut fmt::Formatter,
174-
prefix: &str,
175-
) -> fmt::Result {
176-
#[cfg(feature = "rpk")]
177-
if s.ssl().ssl_context().is_rpk() {
178-
write!(f, "{}", prefix)?;
179-
return write!(f, " {}", s.error());
180-
}
181-
182-
match s.ssl().verify_result() {
183-
X509VerifyResult::OK => write!(f, "{}", prefix)?,
184-
verify => write!(f, "{}: cert verification failed - {}", prefix, verify)?,
185-
}
186-
187-
write!(f, " {}", s.error())
188-
}
189-
190-
impl<S> From<ErrorStack> for HandshakeError<S> {
191-
fn from(e: ErrorStack) -> HandshakeError<S> {
192-
HandshakeError::SetupFailure(e)
193-
}
194-
}

boring/src/ssl/mod.rs

+21-93
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,11 @@
1515
//! let connector = SslConnector::builder(SslMethod::tls()).unwrap().build();
1616
//!
1717
//! let stream = TcpStream::connect("google.com:443").unwrap();
18-
//! let mut stream = connector.connect("google.com", stream).unwrap();
18+
//! let mut stream = connector
19+
//! .setup_connect("google.com", stream)
20+
//! .unwrap()
21+
//! .handshake()
22+
//! .unwrap();
1923
//!
2024
//! stream.write_all(b"GET / HTTP/1.0\r\n\r\n").unwrap();
2125
//! let mut res = vec![];
@@ -49,7 +53,12 @@
4953
//! Ok(stream) => {
5054
//! let acceptor = acceptor.clone();
5155
//! thread::spawn(move || {
52-
//! let stream = acceptor.accept(stream).unwrap();
56+
//! let stream = acceptor
57+
//! .setup_accept(stream)
58+
//! .unwrap()
59+
//! .handshake()
60+
//! .unwrap();
61+
//!
5362
//! handle_client(stream);
5463
//! });
5564
//! }
@@ -98,7 +107,7 @@ use crate::{cvt, cvt_0i, cvt_n, cvt_p, init};
98107
pub use crate::ssl::connector::{
99108
ConnectConfiguration, SslAcceptor, SslAcceptorBuilder, SslConnector, SslConnectorBuilder,
100109
};
101-
pub use crate::ssl::error::{Error, ErrorCode, HandshakeError};
110+
pub use crate::ssl::error::{Error, ErrorCode};
102111

103112
mod bio;
104113
mod callbacks;
@@ -2324,22 +2333,6 @@ impl Ssl {
23242333
SslStreamBuilder::new(self, stream).setup_connect()
23252334
}
23262335

2327-
/// Attempts a client-side TLS handshake.
2328-
///
2329-
/// This is a convenience method which combines [`Self::setup_connect`] and
2330-
/// [`MidHandshakeSslStream::handshake`].
2331-
///
2332-
/// # Warning
2333-
///
2334-
/// OpenSSL's default configuration is insecure. It is highly recommended to use
2335-
/// [`SslConnector`] rather than `Ssl` directly, as it manages that configuration.
2336-
pub fn connect<S>(self, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
2337-
where
2338-
S: Read + Write,
2339-
{
2340-
self.setup_connect(stream).handshake()
2341-
}
2342-
23432336
/// Initiates a server-side TLS handshake.
23442337
///
23452338
/// This method is guaranteed to return without calling any callback defined
@@ -2372,24 +2365,6 @@ impl Ssl {
23722365

23732366
SslStreamBuilder::new(self, stream).setup_accept()
23742367
}
2375-
2376-
/// Attempts a server-side TLS handshake.
2377-
///
2378-
/// This is a convenience method which combines [`Self::setup_accept`] and
2379-
/// [`MidHandshakeSslStream::handshake`].
2380-
///
2381-
/// # Warning
2382-
///
2383-
/// OpenSSL's default configuration is insecure. It is highly recommended to use
2384-
/// `SslAcceptor` rather than `Ssl` directly, as it manages that configuration.
2385-
///
2386-
/// [`SSL_accept`]: https://www.openssl.org/docs/manmaster/man3/SSL_accept.html
2387-
pub fn accept<S>(self, stream: S) -> Result<SslStream<S>, HandshakeError<S>>
2388-
where
2389-
S: Read + Write,
2390-
{
2391-
self.setup_accept(stream).handshake()
2392-
}
23932368
}
23942369

23952370
impl fmt::Debug for SslRef {
@@ -3192,16 +3167,14 @@ impl<S> MidHandshakeSslStream<S> {
31923167
/// This corresponds to [`SSL_do_handshake`].
31933168
///
31943169
/// [`SSL_do_handshake`]: https://www.openssl.org/docs/manmaster/man3/SSL_do_handshake.html
3195-
pub fn handshake(mut self) -> Result<SslStream<S>, HandshakeError<S>> {
3170+
pub fn handshake(mut self) -> Result<SslStream<S>, MidHandshakeSslStream<S>> {
31963171
let ret = unsafe { ffi::SSL_do_handshake(self.stream.ssl.as_ptr()) };
31973172
if ret > 0 {
31983173
Ok(self.stream)
31993174
} else {
32003175
self.error = self.stream.make_error(ret);
3201-
match self.error.would_block() {
3202-
true => Err(HandshakeError::WouldBlock(self)),
3203-
false => Err(HandshakeError::Failure(self)),
3204-
}
3176+
3177+
Err(self)
32053178
}
32063179
}
32073180
}
@@ -3484,7 +3457,7 @@ where
34843457
/// This corresponds to [`SSL_set_connect_state`].
34853458
///
34863459
/// [`SSL_set_connect_state`]: https://www.openssl.org/docs/manmaster/man3/SSL_set_connect_state.html
3487-
pub fn set_connect_state(&mut self) {
3460+
fn set_connect_state(&mut self) {
34883461
unsafe { ffi::SSL_set_connect_state(self.inner.ssl.as_ptr()) }
34893462
}
34903463

@@ -3493,15 +3466,14 @@ where
34933466
/// This corresponds to [`SSL_set_accept_state`].
34943467
///
34953468
/// [`SSL_set_accept_state`]: https://www.openssl.org/docs/manmaster/man3/SSL_set_accept_state.html
3496-
pub fn set_accept_state(&mut self) {
3469+
fn set_accept_state(&mut self) {
34973470
unsafe { ffi::SSL_set_accept_state(self.inner.ssl.as_ptr()) }
34983471
}
34993472

35003473
/// Initiates a client-side TLS handshake, returning a [`MidHandshakeSslStream`].
35013474
///
3502-
/// This method calls [`Self::set_connect_state`] and returns without actually
3503-
/// initiating the handshake. The caller is then free to call
3504-
/// [`MidHandshakeSslStream`] and loop on [`HandshakeError::WouldBlock`].
3475+
/// The caller is then free to call [`MidHandshakeSslStream::handshake`] and retry
3476+
/// on blocking errors.
35053477
pub fn setup_connect(mut self) -> MidHandshakeSslStream<S> {
35063478
self.set_connect_state();
35073479

@@ -3517,19 +3489,10 @@ where
35173489
}
35183490
}
35193491

3520-
/// Attempts a client-side TLS handshake.
3521-
///
3522-
/// This is a convenience method which combines [`Self::setup_connect`] and
3523-
/// [`MidHandshakeSslStream::handshake`].
3524-
pub fn connect(self) -> Result<SslStream<S>, HandshakeError<S>> {
3525-
self.setup_connect().handshake()
3526-
}
3527-
35283492
/// Initiates a server-side TLS handshake, returning a [`MidHandshakeSslStream`].
35293493
///
3530-
/// This method calls [`Self::set_accept_state`] and returns without actually
3531-
/// initiating the handshake. The caller is then free to call
3532-
/// [`MidHandshakeSslStream`] and loop on [`HandshakeError::WouldBlock`].
3494+
/// The caller is then free to call [`MidHandshakeSslStream::handshake`] and retry
3495+
/// on blocking errors.
35333496
pub fn setup_accept(mut self) -> MidHandshakeSslStream<S> {
35343497
self.set_accept_state();
35353498

@@ -3544,41 +3507,6 @@ where
35443507
},
35453508
}
35463509
}
3547-
3548-
/// Attempts a server-side TLS handshake.
3549-
///
3550-
/// This is a convenience method which combines [`Self::setup_accept`] and
3551-
/// [`MidHandshakeSslStream::handshake`].
3552-
pub fn accept(self) -> Result<SslStream<S>, HandshakeError<S>> {
3553-
self.setup_accept().handshake()
3554-
}
3555-
3556-
/// Initiates the handshake.
3557-
///
3558-
/// This will fail if `set_accept_state` or `set_connect_state` was not called first.
3559-
///
3560-
/// This corresponds to [`SSL_do_handshake`].
3561-
///
3562-
/// [`SSL_do_handshake`]: https://www.openssl.org/docs/manmaster/man3/SSL_do_handshake.html
3563-
pub fn handshake(self) -> Result<SslStream<S>, HandshakeError<S>> {
3564-
let mut stream = self.inner;
3565-
let ret = unsafe { ffi::SSL_do_handshake(stream.ssl.as_ptr()) };
3566-
if ret > 0 {
3567-
Ok(stream)
3568-
} else {
3569-
let error = stream.make_error(ret);
3570-
match error.would_block() {
3571-
true => Err(HandshakeError::WouldBlock(MidHandshakeSslStream {
3572-
stream,
3573-
error,
3574-
})),
3575-
false => Err(HandshakeError::Failure(MidHandshakeSslStream {
3576-
stream,
3577-
error,
3578-
})),
3579-
}
3580-
}
3581-
}
35823510
}
35833511

35843512
impl<S> SslStreamBuilder<S> {

0 commit comments

Comments
 (0)