diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index 947d6fb..ff7c06a 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -474,7 +474,7 @@ void ssl_stat_init(struct ssl_mgr * mgr)
     return;
 }
 static void downstream_ossl_init(struct ssl_stream* s_stream);
-static void upstream_ossl_init(struct ssl_stream* s_stream);
+static int upstream_ossl_init(struct ssl_stream* s_stream);
 static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr);
@@ -883,7 +883,7 @@ int ossl_client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
  * Create new SSL context for outgoing connections to the original destination.
  * If hostname sni is provided, use it for Server Name Indication.
  */
-static void upstream_ossl_init(struct ssl_stream* s_stream)
+static int upstream_ossl_init(struct ssl_stream* s_stream)
 {
     SSL_CTX * sslctx = NULL;
     SSL * ssl = NULL;
@@ -891,6 +891,11 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
     struct ssl_mgr * mgr = s_stream->mgr;
     struct ssl_chello * chello=s_stream->up_parts.client_hello;
     sslctx = SSL_CTX_new(mgr->sslmethod());
+    if (sslctx == NULL)
+    {
+        TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_CTX_new() failed.");
+        return -1;
+    }
     sslctx_set_opts(sslctx, mgr);
     int ret=0;
     char common_cipher[TFE_STRING_MAX]={0}, tls13_cipher[TFE_STRING_MAX]={0};
@@ -905,7 +910,7 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
         ret=SSL_CTX_set_cipher_list(sslctx, common_cipher);
         if(ret==0)
         {
-            TFE_LOG_ERROR(mgr->logger, "SSL_CTX_set_cipher_list %s failed.", common_cipher);
+            TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_CTX_set_cipher_list %s failed.", common_cipher);
             SSL_CTX_set_cipher_list(sslctx, mgr->default_ciphers);
         }
     }
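Review bot: The new `SSL_CTX_new()` NULL check in the @@ -891 hunk logs only that the call failed and never consumes the OpenSSL error queue, so the operator cannot distinguish an allocation failure from a bad method, and the entry left on the thread's queue can later be misattributed to the next SSL call on that thread. The same applies to the `SSL_CTX_set_min_proto_version()`, `SSL_CTX_set_max_proto_version()` and `SSL_new()` failure paths added further down in this diff. Consider including the reason in each message, e.g. `TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_CTX_new() failed: %s.", ERR_reason_error_string(ERR_get_error()));` (guarding the NULL string that `ERR_reason_error_string()` returns when the queue is empty, and with `<openssl/err.h>` included if it is not already). The body of upstream_ossl_init continues past this hunk.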
@@ -918,11 +923,17 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
         //SSL_CTX_set_ciphersuites(sslctx, tls13_cipher);
     }
-    if (SSL_CTX_set_min_proto_version(sslctx, s_stream->ssl_min_version) == 0 ||
-        SSL_CTX_set_max_proto_version(sslctx, s_stream->ssl_max_version) == 0)
+    if (SSL_CTX_set_min_proto_version(sslctx, s_stream->ssl_min_version) == 0)
     {
         SSL_CTX_free(sslctx);
-        return;
+        TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_CTX_set_min_proto_version() failed, ssl min version:%d.", s_stream->ssl_min_version);
+        return -1;
+    }
+    if (SSL_CTX_set_max_proto_version(sslctx, s_stream->ssl_max_version) == 0)
+    {
+        SSL_CTX_free(sslctx);
+        TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_CTX_set_max_proto_version() failed, ssl max version:%d.", s_stream->ssl_max_version);
+        return -1;
     }
     SSL_CTX_set_verify(sslctx, SSL_VERIFY_NONE, NULL);
@@ -950,7 +961,8 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
     SSL_CTX_free(sslctx); /* SSL_new() increments refcount */
     if (!ssl)
     {
-        return;
+        TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_new() failed.");
+        return -1;
     }
     SSL_set_ex_data(ssl, SSL_EX_DATA_IDX_SSLSTREAM, s_stream);
@@ -961,13 +973,14 @@ static void upstream_ossl_init(struct ssl_stream* s_stream)
     if (chello->alpn && s_stream->up_parts.apln_enabled)
     {
         ret=SSL_set_alpn_protos(ssl, (unsigned char*)chello->alpn, strlen(chello->alpn));
+        TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_set_alpn_protos() failed.");
         assert(ret==0);
     }
     /* lower memory footprint for idle connections */
     SSL_set_mode(ssl, SSL_get_mode(ssl) | SSL_MODE_RELEASE_BUFFERS);
     s_stream->ssl=ssl;
-    return ;
+    return 0;
 }
 void ssl_connect_server_ctx_free(struct ssl_connect_server_ctx * ctx)
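Review bot: The `TFE_LOG_ERROR` added after the `SSL_set_alpn_protos()` call in the @@ -961 hunk runs unconditionally, so every ALPN-enabled upstream stream logs a failure even when `ret` is 0, while an actual failure is still handled only by `assert(ret==0)`, which is compiled out under NDEBUG and then leaves the stream silently connected without the client's requested protocols. The log should be guarded on `ret != 0`, and to match the other failure paths this commit introduces the function should release the SSL object and return -1 rather than assert; `SSL_free(ssl)` also drops the SSL_CTX reference that the earlier `SSL_CTX_free(sslctx); /* SSL_new() increments refcount */` line relies on. Separately, `SSL_set_alpn_protos()` expects a length-prefixed protocol list rather than a C string, so using `strlen(chello->alpn)` presumes `client_hello->alpn` is already stored in that wire format — worth confirming where it is populated, which is outside this diff. upstream_ossl_init's signature and the first part of its body are in the earlier hunks of this diff.
```cpp
        ret=SSL_set_alpn_protos(ssl, (unsigned char*)chello->alpn, strlen(chello->alpn));
        if (ret != 0)
        {
            TFE_LOG_ERROR(mgr->logger, "ssl stream, SSL_set_alpn_protos() failed.");
            SSL_free(ssl); /* also releases the SSL_CTX reference taken by SSL_new() */
            return -1;
        }
    }
    /* … unchanged: SSL_MODE_RELEASE_BUFFERS, s_stream->ssl assignment, return 0 … */
```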
@@ -1404,7 +1417,13 @@ static void peek_chello_on_succ(future_result_t * result, void * user)
     }
     else
     {
-        upstream_ossl_init(s_stream);
+        if (upstream_ossl_init(s_stream))
+        {
+            promise_dettach_ctx(p);
+            promise_failed(p, FUTURE_ERROR_EXCEPTION, "upstream ossl init failed");
+            wrap_ssl_connect_server_ctx_free(ctx);
+            return;
+        }
         ctx->bev = bufferevent_openssl_socket_new(evbase, ctx->fd_upstream, ctx->s_stream->ssl, BUFFEREVENT_SSL_CONNECTING, BEV_OPT_DEFER_CALLBACKS | BEV_OPT_THREADSAFE );
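Review bot: The new failure branch in the @@ -1404 hunk releases `ctx` through `wrap_ssl_connect_server_ctx_free(ctx)` after failing the promise, but nothing in the hunk shows whether that helper also closes `ctx->fd_upstream`, which the success path hands to `bufferevent_openssl_socket_new()` and so is presumably an already-connected socket; if the helper does not close it, every failed init leaks a descriptor to the origin server. On the same path `s_stream->ssl` is left unset by the -1 return, so the ssl_stream teardown that runs later must tolerate a NULL `ssl`. Once both are confirmed, a one-line comment on the branch would save the next reader the trip, e.g. `/* init failed: s_stream->ssl is NULL; ctx free closes fd_upstream */`. peek_chello_on_succ starts before this hunk and continues after it.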