diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp index 947d6fb..49f5eba 100644 --- a/platform/src/ssl_stream.cpp +++ b/platform/src/ssl_stream.cpp @@ -474,7 +474,7 @@ void ssl_stat_init(struct ssl_mgr * mgr) return; } static void downstream_ossl_init(struct ssl_stream* s_stream); -static void upstream_ossl_init(struct ssl_stream* s_stream); +static int upstream_ossl_init(struct ssl_stream* s_stream); static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr); @@ -883,7 +883,7 @@ int ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey) * Create new SSL context for outgoing connections to the original destination. * If hostname sni is provided, use it for Server Name Indication. */ -static void upstream_ossl_init(struct ssl_stream* s_stream) +static int upstream_ossl_init(struct ssl_stream* s_stream) { SSL_CTX * sslctx = NULL; SSL * ssl = NULL; @@ -891,6 +891,11 @@ static void upstream_ossl_init(struct ssl_stream* s_stream) struct ssl_mgr * mgr = s_stream->mgr; struct ssl_chello * chello=s_stream->up_parts.client_hello; sslctx = SSL_CTX_new(mgr->sslmethod()); + if (sslctx == NULL) + { + TFE_LOG_ERROR(mgr->logger, "ssl ctx new failed."); + return -1; + } sslctx_set_opts(sslctx, mgr); int ret=0; char common_cipher[TFE_STRING_MAX]={0}, tls13_cipher[TFE_STRING_MAX]={0}; @@ -905,7 +910,7 @@ static void upstream_ossl_init(struct ssl_stream* s_stream) ret=SSL_CTX_set_cipher_list(sslctx, common_cipher); if(ret==0) { - TFE_LOG_ERROR(mgr->logger, "SSL_CTX_set_cipher_list %s failed.", common_cipher); + TFE_LOG_ERROR(mgr->logger, "ssl ctx set cipher list %s failed.", common_cipher); SSL_CTX_set_cipher_list(sslctx, mgr->default_ciphers); } } @@ -918,11 +923,17 @@ static void upstream_ossl_init(struct ssl_stream* s_stream) //SSL_CTX_set_ciphersuites(sslctx, tls13_cipher); } - if (SSL_CTX_set_min_proto_version(sslctx, s_stream->ssl_min_version) == 0 || - SSL_CTX_set_max_proto_version(sslctx, s_stream->ssl_max_version) == 0) + if (SSL_CTX_set_min_proto_version(sslctx, s_stream->ssl_min_version) == 0) { SSL_CTX_free(sslctx); - return; + TFE_LOG_ERROR(mgr->logger, "ssl set min proto version failed %d.", s_stream->ssl_min_version); + return -1; + } + if (SSL_CTX_set_max_proto_version(sslctx, s_stream->ssl_max_version) == 0) + { + SSL_CTX_free(sslctx); + TFE_LOG_ERROR(mgr->logger, "ssl set max proto version failed %d.", s_stream->ssl_max_version); + return -1; } SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL); @@ -950,7 +961,8 @@ static void upstream_ossl_init(struct ssl_stream* s_stream) SSL_CTX_free(sslctx); /* SSL_new() increments refcount */ if (!ssl) { - return; + TFE_LOG_ERROR(mgr->logger, "ssl new failed."); + return -1; } SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_SSLSTREAM, s_stream); @@ -967,7 +979,7 @@ static void upstream_ossl_init(struct ssl_stream* s_stream) SSL_set_mode(ssl, SSL_get_mode(ssl) | SSL_MODE_RELEASE_BUFFERS); s_stream->ssl=ssl; - return ; + return 0; } void ssl_connect_server_ctx_free(struct ssl_connect_server_ctx * ctx) @@ -1404,7 +1416,13 @@ static void peek_chello_on_succ(future_result_t * result, void * user) } else { - upstream_ossl_init(s_stream); + if (upstream_ossl_init(s_stream)) + { + promise_dettach_ctx(p); + promise_failed(p, FUTURE_ERROR_EXCEPTION, "upstream ossl init failed"); + wrap_ssl_connect_server_ctx_free(ctx); + return; + } ctx->bev = bufferevent_openssl_socket_new(evbase, ctx->fd_upstream, ctx->s_stream->ssl, BUFFEREVENT_SSL_CONNECTING, BEV_OPT_DEFER_CALLBACKS | BEV_OPT_THREADSAFE ); @@ -2236,5 +2254,4 @@ int ssl_stream_get_string_opt(struct ssl_stream *upstream, enum SSL_STREAM_OPT o return -1; } return 0; -} - +} \ No newline at end of file