archive/pingora
1
0
Fork 0
mirror of https://github.com/cloudflare/pingora.git synced 2024-09-20 02:31:35 +02:00
Code Issues Projects Releases Packages Wiki Activity

Refactor module into and relocate the no-op tls module

Browse source
This commit is contained in:
Kevin Guthrie 2024-08-29 17:12:19 -04:00
parent d8f3ffae77
commit e465899aa6
19 changed files with 837 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.bleep
View file

@ -1 +1 @@
b01a9bc71ff892b2fdbb47f6bb3f9eac88907435 aadd07a5b3064b0fbdf57c8c02a5ef7b65b5fc03

7
pingora-core/Cargo.toml
View file

@ -79,6 +79,7 @@ jemallocator = "0.5"
[features] [features]
default = ["openssl"] default = ["openssl"]
openssl = ["pingora-openssl"] openssl = ["pingora-openssl", "some_tls"]
boringssl = ["pingora-boringssl"] boringssl = ["pingora-boringssl", "some_tls"]
patched_http1 = [] patched_http1 = []
some_tls = []

1
pingora-core/src/connectors/http/mod.rs
View file

@ -95,6 +95,7 @@ impl Connector {
} }
#[cfg(test)] #[cfg(test)]
#[cfg(feature = "some_tls")]
mod tests { mod tests {
use super::*; use super::*;
use crate::protocols::http::v1::client::HttpSession as Http1Session; use crate::protocols::http::v1::client::HttpSession as Http1Session;

1
pingora-core/src/connectors/http/v1.rs
View file

@ -103,6 +103,7 @@ mod tests {
} }
#[tokio::test] #[tokio::test]
#[cfg(feature = "some_tls")]
async fn test_connect_tls() { async fn test_connect_tls() {
let connector = Connector::new(None); let connector = Connector::new(None);
let peer = HttpPeer::new(("1.1.1.1", 443), true, "one.one.one.one".into()); let peer = HttpPeer::new(("1.1.1.1", 443), true, "one.one.one.one".into());

4
pingora-core/src/connectors/http/v2.rs
View file

@ -460,6 +460,7 @@ mod tests {
use crate::upstreams::peer::HttpPeer; use crate::upstreams::peer::HttpPeer;
#[tokio::test] #[tokio::test]
#[cfg(feature = "some_tls")]
async fn test_connect_h2() { async fn test_connect_h2() {
let connector = Connector::new(None); let connector = Connector::new(None);
let mut peer = HttpPeer::new(("1.1.1.1", 443), true, "one.one.one.one".into()); let mut peer = HttpPeer::new(("1.1.1.1", 443), true, "one.one.one.one".into());
@ -472,6 +473,7 @@ mod tests {
} }
#[tokio::test] #[tokio::test]
#[cfg(feature = "some_tls")]
async fn test_connect_h1() { async fn test_connect_h1() {
let connector = Connector::new(None); let connector = Connector::new(None);
let mut peer = HttpPeer::new(("1.1.1.1", 443), true, "one.one.one.one".into()); let mut peer = HttpPeer::new(("1.1.1.1", 443), true, "one.one.one.one".into());
@ -497,6 +499,7 @@ mod tests {
} }
#[tokio::test] #[tokio::test]
#[cfg(feature = "some_tls")]
async fn test_h2_single_stream() { async fn test_h2_single_stream() {
let connector = Connector::new(None); let connector = Connector::new(None);
let mut peer = HttpPeer::new(("1.1.1.1", 443), true, "one.one.one.one".into()); let mut peer = HttpPeer::new(("1.1.1.1", 443), true, "one.one.one.one".into());
@ -528,6 +531,7 @@ mod tests {
} }
#[tokio::test] #[tokio::test]
#[cfg(feature = "some_tls")]
async fn test_h2_multiple_stream() { async fn test_h2_multiple_stream() {
let connector = Connector::new(None); let connector = Connector::new(None);
let mut peer = HttpPeer::new(("1.1.1.1", 443), true, "one.one.one.one".into()); let mut peer = HttpPeer::new(("1.1.1.1", 443), true, "one.one.one.one".into());

1
pingora-core/src/connectors/mod.rs
View file

@ -365,6 +365,7 @@ fn test_reusable_stream(stream: &mut Stream) -> bool {
} }
#[cfg(test)] #[cfg(test)]
#[cfg(feature = "some_tls")]
mod tests { mod tests {
use pingora_error::ErrorType; use pingora_error::ErrorType;

4
pingora-core/src/connectors/tls.rs
View file

@ -17,8 +17,8 @@ use pingora_error::{Error, ErrorType::*, OrErr, Result};
use std::sync::{Arc, Once}; use std::sync::{Arc, Once};
use super::ConnectorOptions; use super::ConnectorOptions;
use crate::protocols::ssl::client::handshake; use crate::protocols::tls::client::handshake;
use crate::protocols::ssl::SslStream; use crate::protocols::tls::SslStream;
use crate::protocols::IO; use crate::protocols::IO;
use crate::tls::ext::{ use crate::tls::ext::{
add_host, clear_error_stack, ssl_add_chain_cert, ssl_set_groups_list, add_host, clear_error_stack, ssl_add_chain_cert, ssl_set_groups_list,

4
pingora-core/src/lib.rs
View file

@ -58,8 +58,8 @@ pub use pingora_boringssl as tls;
#[cfg(all(not(feature = "boringssl"), feature = "openssl"))] #[cfg(all(not(feature = "boringssl"), feature = "openssl"))]
pub use pingora_openssl as tls; pub use pingora_openssl as tls;
#[cfg(all(not(feature = "boringssl"), not(feature = "openssl")))] #[cfg(not(feature = "some_tls"))]
pub mod tls; pub use protocols::tls::dummy_tls as tls;
pub mod prelude { pub mod prelude {
pub use crate::server::configuration::Opt; pub use crate::server::configuration::Opt;

3
pingora-core/src/listeners/mod.rs
View file

@ -26,7 +26,7 @@ use std::{fs::Permissions, sync::Arc};
use l4::{ListenerEndpoint, Stream as L4Stream}; use l4::{ListenerEndpoint, Stream as L4Stream};
use tls::Acceptor; use tls::Acceptor;
pub use crate::protocols::ssl::server::TlsAccept; pub use crate::protocols::tls::server::TlsAccept;
pub use l4::{ServerAddress, TcpSocketOptions}; pub use l4::{ServerAddress, TcpSocketOptions};
pub use tls::{TlsSettings, ALPN}; pub use tls::{TlsSettings, ALPN};
@ -213,6 +213,7 @@ mod test {
} }
#[tokio::test] #[tokio::test]
#[cfg(feature = "some_tls")]
async fn test_listen_tls() { async fn test_listen_tls() {
use tokio::io::AsyncReadExt; use tokio::io::AsyncReadExt;

4
pingora-core/src/listeners/tls.rs
View file

@ -16,14 +16,14 @@ use log::debug;
use pingora_error::{ErrorType, OrErr, Result}; use pingora_error::{ErrorType, OrErr, Result};
use std::ops::{Deref, DerefMut}; use std::ops::{Deref, DerefMut};
use crate::protocols::ssl::{ use crate::protocols::tls::{
server::{handshake, handshake_with_callback, TlsAcceptCallbacks}, server::{handshake, handshake_with_callback, TlsAcceptCallbacks},
SslStream, SslStream,
}; };
use crate::protocols::IO; use crate::protocols::IO;
use crate::tls::ssl::{SslAcceptor, SslAcceptorBuilder, SslFiletype, SslMethod}; use crate::tls::ssl::{SslAcceptor, SslAcceptorBuilder, SslFiletype, SslMethod};
pub use crate::protocols::ssl::ALPN; pub use crate::protocols::tls::ALPN;
pub const TLS_CONF_ERR: ErrorType = ErrorType::Custom("TLSConfigError"); pub const TLS_CONF_ERR: ErrorType = ErrorType::Custom("TLSConfigError");

2
pingora-core/src/protocols/digest.rs
View file

@ -22,7 +22,7 @@ use once_cell::sync::OnceCell;
use super::l4::ext::{get_recv_buf, get_tcp_info, TCP_INFO}; use super::l4::ext::{get_recv_buf, get_tcp_info, TCP_INFO};
use super::l4::socket::SocketAddr; use super::l4::socket::SocketAddr;
use super::raw_connect::ProxyDigest; use super::raw_connect::ProxyDigest;
use super::ssl::digest::SslDigest; use super::tls::digest::SslDigest;
/// The information can be extracted from a connection /// The information can be extracted from a connection
#[derive(Clone, Debug, Default)] #[derive(Clone, Debug, Default)]

6
pingora-core/src/protocols/mod.rs
View file

@ -18,14 +18,14 @@ mod digest;
pub mod http; pub mod http;
pub mod l4; pub mod l4;
pub mod raw_connect; pub mod raw_connect;
pub mod ssl; pub mod tls;
pub use digest::{ pub use digest::{
Digest, GetProxyDigest, GetSocketDigest, GetTimingDigest, ProtoDigest, SocketDigest, Digest, GetProxyDigest, GetSocketDigest, GetTimingDigest, ProtoDigest, SocketDigest,
TimingDigest, TimingDigest,
}; };
pub use l4::ext::TcpKeepalive; pub use l4::ext::TcpKeepalive;
pub use ssl::ALPN; pub use tls::ALPN;
use async_trait::async_trait; use async_trait::async_trait;
use std::fmt::Debug; use std::fmt::Debug;
@ -53,7 +53,7 @@ pub trait Ssl {
} }
/// Return the [`ssl::SslDigest`] for logging /// Return the [`ssl::SslDigest`] for logging
fn get_ssl_digest(&self) -> Option<Arc<ssl::SslDigest>> { fn get_ssl_digest(&self) -> Option<Arc<tls::SslDigest>> {
None None
} }

0
pingora-core/src/protocols/ssl/client.rs → pingora-core/src/protocols/tls/client.rs
View file

0
pingora-core/src/protocols/ssl/digest.rs → pingora-core/src/protocols/tls/digest.rs
View file

805
pingora-core/src/protocols/tls/dummy_tls/mod.rs Normal file
View file

@ -0,0 +1,805 @@
// Copyright 2024 Cloudflare, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//! This module contains a dummy TLS implementation for the scenarios where real TLS
//! implementations are unavailable.
macro_rules! impl_display {
($ty:ty) => {
impl std::fmt::Display for $ty {
fn fmt(&self, _f: &mut std::fmt::Formatter<'_>) -> Result<(), std::fmt::Error> {
Ok(())
}
}
};
}
macro_rules! impl_deref {
($from:ty => $to:ty) => {
impl std::ops::Deref for $from {
type Target = $to;
fn deref(&self) -> &$to {
unimplemented!();
}
}
impl std::ops::DerefMut for $from {
fn deref_mut(&mut self) -> &mut $to {
unimplemented!();
}
}
};
}
pub mod ssl {
use super::error::ErrorStack;
use super::x509::verify::X509VerifyParamRef;
use super::x509::{X509VerifyResult, X509};
/// An error returned from an ALPN selection callback.
pub struct AlpnError;
impl AlpnError {
/// Terminate the handshake with a fatal alert.
pub const ALERT_FATAL: AlpnError = Self {};
/// Do not select a protocol, but continue the handshake.
pub const NOACK: AlpnError = Self {};
}
/// A type which allows for configuration of a client-side TLS session before connection.
pub struct ConnectConfiguration;
impl_deref! {ConnectConfiguration => SslRef}
impl ConnectConfiguration {
/// Configures the use of Server Name Indication (SNI) when connecting.
pub fn set_use_server_name_indication(&mut self, _use_sni: bool) {
unimplemented!();
}
/// Configures the use of hostname verification when connecting.
pub fn set_verify_hostname(&mut self, _verify_hostname: bool) {
unimplemented!();
}
/// Returns an `Ssl` configured to connect to the provided domain.
pub fn into_ssl(self, _domain: &str) -> Result<Ssl, ErrorStack> {
unimplemented!();
}
/// Like `SslContextBuilder::set_verify`.
pub fn set_verify(&mut self, _mode: SslVerifyMode) {
unimplemented!();
}
/// Like `SslContextBuilder::set_alpn_protos`.
pub fn set_alpn_protos(&mut self, _protocols: &[u8]) -> Result<(), ErrorStack> {
unimplemented!();
}
/// Returns a mutable reference to the X509 verification configuration.
pub fn param_mut(&mut self) -> &mut X509VerifyParamRef {
unimplemented!();
}
}
/// An SSL error.
#[derive(Debug)]
pub struct Error;
impl_display!(Error);
impl Error {
pub fn code(&self) -> ErrorCode {
unimplemented!();
}
}
/// An error code returned from SSL functions.
#[derive(PartialEq)]
pub struct ErrorCode(i32);
impl ErrorCode {
/// An error occurred in the SSL library.
pub const SSL: ErrorCode = Self(0);
}
/// An identifier of a session name type.
pub struct NameType;
impl NameType {
pub const HOST_NAME: NameType = Self {};
}
/// The state of an SSL/TLS session.
pub struct Ssl;
impl Ssl {
/// Creates a new `Ssl`.
pub fn new(_ctx: &SslContextRef) -> Result<Ssl, ErrorStack> {
unimplemented!();
}
}
impl_deref! {Ssl => SslRef}
/// A type which wraps server-side streams in a TLS session.
pub struct SslAcceptor;
impl SslAcceptor {
/// Creates a new builder configured to connect to non-legacy clients. This should
/// generally be considered a reasonable default choice.
pub fn mozilla_intermediate_v5(
_method: SslMethod,
) -> Result<SslAcceptorBuilder, ErrorStack> {
unimplemented!();
}
}
/// A builder for `SslAcceptor`s.
pub struct SslAcceptorBuilder;
impl SslAcceptorBuilder {
/// Consumes the builder, returning a `SslAcceptor`.
pub fn build(self) -> SslAcceptor {
unimplemented!();
}
/// Sets the callback used by a server to select a protocol for Application Layer Protocol
/// Negotiation (ALPN).
pub fn set_alpn_select_callback<F>(&mut self, _callback: F)
where
F: for<'a> Fn(&mut SslRef, &'a [u8]) -> Result<&'a [u8], AlpnError>
+ 'static
+ Sync
+ Send,
{
unimplemented!();
}
/// Loads a certificate chain from a file.
pub fn set_certificate_chain_file<P: AsRef<std::path::Path>>(
&mut self,
_file: P,
) -> Result<(), ErrorStack> {
unimplemented!();
}
/// Loads the private key from a file.
pub fn set_private_key_file<P: AsRef<std::path::Path>>(
&mut self,
_file: P,
_file_type: SslFiletype,
) -> Result<(), ErrorStack> {
unimplemented!();
}
/// Sets the maximum supported protocol version.
pub fn set_max_proto_version(
&mut self,
_version: Option<SslVersion>,
) -> Result<(), ErrorStack> {
unimplemented!();
}
}
/// Reference to an [`SslCipher`].
pub struct SslCipherRef;
impl SslCipherRef {
/// Returns the name of the cipher.
pub fn name(&self) -> &'static str {
unimplemented!();
}
}
/// A type which wraps client-side streams in a TLS session.
pub struct SslConnector;
impl SslConnector {
/// Creates a new builder for TLS connections.
pub fn builder(_method: SslMethod) -> Result<SslConnectorBuilder, ErrorStack> {
Ok(SslConnectorBuilder)
}
/// Returns a structure allowing for configuration of a single TLS session before connection.
pub fn configure(&self) -> Result<ConnectConfiguration, ErrorStack> {
Ok(ConnectConfiguration)
}
/// Returns a shared reference to the inner raw `SslContext`.
pub fn context(&self) -> &SslContextRef {
&SslContextRef
}
}
/// A builder for `SslConnector`s.
pub struct SslConnectorBuilder;
impl SslConnectorBuilder {
/// Consumes the builder, returning an `SslConnector`.
pub fn build(self) -> SslConnector {
SslConnector
}
/// Sets the list of supported ciphers for protocols before TLSv1.3.
pub fn set_cipher_list(&mut self, _cipher_list: &str) -> Result<(), ErrorStack> {
Ok(())
}
/// Sets the contexts supported signature algorithms.
pub fn set_sigalgs_list(&mut self, _sigalgs: &str) -> Result<(), ErrorStack> {
Ok(())
}
/// Sets the minimum supported protocol version.
pub fn set_min_proto_version(
&mut self,
_version: Option<SslVersion>,
) -> Result<(), ErrorStack> {
Ok(())
}
/// Sets the maximum supported protocol version.
pub fn set_max_proto_version(
&mut self,
_version: Option<SslVersion>,
) -> Result<(), ErrorStack> {
Ok(())
}
/// Use the default locations of trusted certificates for verification.
pub fn set_default_verify_paths(&mut self) -> Result<(), ErrorStack> {
Ok(())
}
/// Loads trusted root certificates from a file.
pub fn set_ca_file<P: AsRef<std::path::Path>>(
&mut self,
_file: P,
) -> Result<(), ErrorStack> {
Ok(())
}
/// Loads a leaf certificate from a file.
pub fn set_certificate_file<P: AsRef<std::path::Path>>(
&mut self,
_file: P,
_file_type: SslFiletype,
) -> Result<(), ErrorStack> {
Ok(())
}
/// Loads the private key from a file.
pub fn set_private_key_file<P: AsRef<std::path::Path>>(
&mut self,
_file: P,
_file_type: SslFiletype,
) -> Result<(), ErrorStack> {
Ok(())
}
/// Sets the TLS key logging callback.
pub fn set_keylog_callback<F>(&mut self, _callback: F)
where
F: Fn(&SslRef, &str) + 'static + Sync + Send,
{
}
}
/// A context object for TLS streams.
pub struct SslContext;
impl SslContext {
/// Creates a new builder object for an `SslContext`.
pub fn builder(_method: SslMethod) -> Result<SslContextBuilder, ErrorStack> {
unimplemented!();
}
}
impl_deref! {SslContext => SslContextRef}
/// A builder for `SslContext`s.
pub struct SslContextBuilder;
impl SslContextBuilder {
/// Consumes the builder, returning a new `SslContext`.
pub fn build(self) -> SslContext {
unimplemented!();
}
}
/// Reference to [`SslContext`]
pub struct SslContextRef;
/// An identifier of the format of a certificate or key file.
pub struct SslFiletype;
impl SslFiletype {
/// The PEM format.
pub const PEM: SslFiletype = Self {};
}
/// A type specifying the kind of protocol an `SslContext`` will speak.
pub struct SslMethod;
impl SslMethod {
/// Support all versions of the TLS protocol.
pub fn tls() -> SslMethod {
Self
}
}
/// Reference to an [`Ssl`].
pub struct SslRef;
impl SslRef {
/// Like [`SslContextBuilder::set_verify`].
pub fn set_verify(&mut self, _mode: SslVerifyMode) {
unimplemented!();
}
/// Returns the current cipher if the session is active.
pub fn current_cipher(&self) -> Option<&SslCipherRef> {
unimplemented!();
}
/// Sets the host name to be sent to the server for Server Name Indication (SNI).
pub fn set_hostname(&mut self, _hostname: &str) -> Result<(), ErrorStack> {
unimplemented!();
}
/// Returns the peers certificate, if present.
pub fn peer_certificate(&self) -> Option<X509> {
unimplemented!();
}
/// Returns the certificate verification result.
pub fn verify_result(&self) -> X509VerifyResult {
unimplemented!();
}
/// Returns a string describing the protocol version of the session.
pub fn version_str(&self) -> &'static str {
unimplemented!();
}
/// Returns the protocol selected via Application Layer Protocol Negotiation (ALPN).
pub fn selected_alpn_protocol(&self) -> Option<&[u8]> {
unimplemented!();
}
/// Returns the servername sent by the client via Server Name Indication (SNI).
pub fn servername(&self, _type_: NameType) -> Option<&str> {
unimplemented!();
}
}
/// Options controlling the behavior of certificate verification.
pub struct SslVerifyMode;
impl SslVerifyMode {
/// Verifies that the peers certificate is trusted.
pub const PEER: Self = Self {};
/// Disables verification of the peers certificate.
pub const NONE: Self = Self {};
}
/// An SSL/TLS protocol version.
pub struct SslVersion;
impl SslVersion {
/// TLSv1.0
pub const TLS1: SslVersion = Self {};
/// TLSv1.2
pub const TLS1_2: SslVersion = Self {};
/// TLSv1.3
pub const TLS1_3: SslVersion = Self {};
}
/// A standard implementation of protocol selection for Application Layer Protocol Negotiation
/// (ALPN).
pub fn select_next_proto<'a>(_server: &[u8], _client: &'a [u8]) -> Option<&'a [u8]> {
unimplemented!();
}
}
pub mod ssl_sys {
pub const X509_V_OK: i32 = 0;
pub const X509_V_ERR_INVALID_CALL: i32 = 69;
}
pub mod error {
use super::ssl::Error;
/// Collection of [`Errors`] from OpenSSL.
#[derive(Debug)]
pub struct ErrorStack;
impl_display!(ErrorStack);
impl std::error::Error for ErrorStack {}
impl ErrorStack {
/// Returns the contents of the OpenSSL error stack.
pub fn get() -> ErrorStack {
unimplemented!();
}
/// Returns the errors in the stack.
pub fn errors(&self) -> &[Error] {
unimplemented!();
}
}
}
pub mod x509 {
use super::asn1::{Asn1IntegerRef, Asn1StringRef, Asn1TimeRef};
use super::error::ErrorStack;
use super::hash::{DigestBytes, MessageDigest};
use super::nid::Nid;
/// An `X509` public key certificate.
#[derive(Debug, Clone)]
pub struct X509;
impl_deref! {X509 => X509Ref}
impl X509 {
/// Deserializes a PEM-encoded X509 structure.
pub fn from_pem(_pem: &[u8]) -> Result<X509, ErrorStack> {
unimplemented!();
}
}
/// A type to destructure and examine an `X509Name`.
pub struct X509NameEntries<'a> {
marker: std::marker::PhantomData<&'a ()>,
}
impl<'a> Iterator for X509NameEntries<'a> {
type Item = &'a X509NameEntryRef;
fn next(&mut self) -> Option<&'a X509NameEntryRef> {
unimplemented!();
}
}
/// Reference to `X509NameEntry`.
pub struct X509NameEntryRef;
impl X509NameEntryRef {
pub fn data(&self) -> &Asn1StringRef {
unimplemented!();
}
}
/// Reference to `X509Name`.
pub struct X509NameRef;
impl X509NameRef {
/// Returns the name entries by the nid.
pub fn entries_by_nid(&self, _nid: Nid) -> X509NameEntries<'_> {
unimplemented!();
}
}
/// Reference to `X509`.
pub struct X509Ref;
impl X509Ref {
/// Returns this certificates subject name.
pub fn subject_name(&self) -> &X509NameRef {
unimplemented!();
}
/// Returns a digest of the DER representation of the certificate.
pub fn digest(&self, _hash_type: MessageDigest) -> Result<DigestBytes, ErrorStack> {
unimplemented!();
}
/// Returns the certificates Not After validity period.
pub fn not_after(&self) -> &Asn1TimeRef {
unimplemented!();
}
/// Returns this certificates serial number.
pub fn serial_number(&self) -> &Asn1IntegerRef {
unimplemented!();
}
}
/// The result of peer certificate verification.
pub struct X509VerifyResult;
impl X509VerifyResult {
/// Return the integer representation of an `X509VerifyResult`.
pub fn as_raw(&self) -> i32 {
unimplemented!();
}
}
pub mod store {
use super::super::error::ErrorStack;
use super::X509;
/// A builder type used to construct an `X509Store`.
pub struct X509StoreBuilder;
impl X509StoreBuilder {
/// Returns a builder for a certificate store..
pub fn new() -> Result<X509StoreBuilder, ErrorStack> {
unimplemented!();
}
/// Constructs the `X509Store`.
pub fn build(self) -> X509Store {
unimplemented!();
}
/// Adds a certificate to the certificate store.
pub fn add_cert(&mut self, _cert: X509) -> Result<(), ErrorStack> {
unimplemented!();
}
}
/// A certificate store to hold trusted X509 certificates.
pub struct X509Store;
impl_deref! {X509Store => X509StoreRef}
/// Reference to an `X509Store`.
pub struct X509StoreRef;
}
pub mod verify {
/// Reference to `X509VerifyParam`.
pub struct X509VerifyParamRef;
}
}
pub mod nid {
/// A numerical identifier for an OpenSSL object.
pub struct Nid;
impl Nid {
pub const COMMONNAME: Nid = Self {};
pub const ORGANIZATIONNAME: Nid = Self {};
pub const ORGANIZATIONALUNITNAME: Nid = Self {};
}
}
pub mod pkey {
use super::error::ErrorStack;
/// A public or private key.
#[derive(Clone)]
pub struct PKey<T> {
marker: std::marker::PhantomData<T>,
}
impl<T> std::ops::Deref for PKey<T> {
type Target = PKeyRef<T>;
fn deref(&self) -> &PKeyRef<T> {
unimplemented!();
}
}
impl<T> std::ops::DerefMut for PKey<T> {
fn deref_mut(&mut self) -> &mut PKeyRef<T> {
unimplemented!();
}
}
impl PKey<Private> {
pub fn private_key_from_pem(_pem: &[u8]) -> Result<PKey<Private>, ErrorStack> {
unimplemented!();
}
}
/// Reference to `PKey`.
pub struct PKeyRef<T> {
marker: std::marker::PhantomData<T>,
}
/// A tag type indicating that a key has private components.
#[derive(Clone)]
pub enum Private {}
unsafe impl HasPrivate for Private {}
/// A trait indicating that a key has private components.
pub unsafe trait HasPrivate {}
}
pub mod hash {
/// A message digest algorithm.
pub struct MessageDigest;
impl MessageDigest {
pub fn sha256() -> MessageDigest {
unimplemented!();
}
}
/// The resulting bytes of a digest.
pub struct DigestBytes;
impl AsRef<[u8]> for DigestBytes {
fn as_ref(&self) -> &[u8] {
unimplemented!();
}
}
}
pub mod asn1 {
use super::bn::BigNum;
use super::error::ErrorStack;
/// A reference to an `Asn1Integer`.
pub struct Asn1IntegerRef;
impl Asn1IntegerRef {
/// Converts the integer to a `BigNum`.
pub fn to_bn(&self) -> Result<BigNum, ErrorStack> {
unimplemented!();
}
}
/// A reference to an `Asn1String`.
pub struct Asn1StringRef;
impl Asn1StringRef {
pub fn as_utf8(&self) -> Result<&str, ErrorStack> {
unimplemented!();
}
}
/// Reference to an `Asn1Time`
pub struct Asn1TimeRef;
impl_display! {Asn1TimeRef}
}
pub mod bn {
use super::error::ErrorStack;
/// Dynamically sized large number implementation
pub struct BigNum;
impl BigNum {
/// Returns a hexadecimal string representation of `self`.
pub fn to_hex_str(&self) -> Result<&str, ErrorStack> {
unimplemented!();
}
}
}
pub mod ext {
use super::error::ErrorStack;
use super::pkey::{HasPrivate, PKeyRef};
use super::ssl::{Ssl, SslAcceptor, SslRef};
use super::x509::store::X509StoreRef;
use super::x509::verify::X509VerifyParamRef;
use super::x509::X509Ref;
/// Add name as an additional reference identifier that can match the peer's certificate
pub fn add_host(_verify_param: &mut X509VerifyParamRef, _host: &str) -> Result<(), ErrorStack> {
unimplemented!();
}
/// Set the verify cert store of `_ssl`
pub fn ssl_set_verify_cert_store(
_ssl: &mut SslRef,
_cert_store: &X509StoreRef,
) -> Result<(), ErrorStack> {
unimplemented!();
}
/// Load the certificate into `_ssl`
pub fn ssl_use_certificate(_ssl: &mut SslRef, _cert: &X509Ref) -> Result<(), ErrorStack> {
unimplemented!();
}
/// Load the private key into `_ssl`
pub fn ssl_use_private_key<T>(_ssl: &mut SslRef, _key: &PKeyRef<T>) -> Result<(), ErrorStack>
where
T: HasPrivate,
{
unimplemented!();
}
/// Clear the error stack
pub fn clear_error_stack() {}
/// Create a new [Ssl] from &[SslAcceptor]
pub fn ssl_from_acceptor(_acceptor: &SslAcceptor) -> Result<Ssl, ErrorStack> {
unimplemented!();
}
/// Suspend the TLS handshake when a certificate is needed.
pub fn suspend_when_need_ssl_cert(_ssl: &mut SslRef) {
unimplemented!();
}
/// Unblock a TLS handshake after the certificate is set.
pub fn unblock_ssl_cert(_ssl: &mut SslRef) {
unimplemented!();
}
/// Whether the TLS error is SSL_ERROR_WANT_X509_LOOKUP
pub fn is_suspended_for_cert(_error: &super::ssl::Error) -> bool {
unimplemented!();
}
/// Add the certificate into the cert chain of `_ssl`
pub fn ssl_add_chain_cert(_ssl: &mut SslRef, _cert: &X509Ref) -> Result<(), ErrorStack> {
unimplemented!();
}
/// Set renegotiation
pub fn ssl_set_renegotiate_mode_freely(_ssl: &mut SslRef) {}
/// Set the curves/groups of `_ssl`
pub fn ssl_set_groups_list(_ssl: &mut SslRef, _groups: &str) -> Result<(), ErrorStack> {
unimplemented!();
}
/// Sets whether a second keyshare to be sent in client hello when PQ is used.
pub fn ssl_use_second_key_share(_ssl: &mut SslRef, _enabled: bool) {}
/// Get a mutable SslRef ouf of SslRef, which is a missing functionality even when holding &mut SslStream
/// # Safety
pub unsafe fn ssl_mut(_ssl: &SslRef) -> &mut SslRef {
unimplemented!();
}
}
pub mod tokio_ssl {
use std::pin::Pin;
use std::task::{Context, Poll};
use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
use super::error::ErrorStack;
use super::ssl::{Error, Ssl, SslRef};
/// A TLS session over a stream.
#[derive(Debug)]
pub struct SslStream<S> {
marker: std::marker::PhantomData<S>,
}
impl<S> SslStream<S> {
/// Creates a new `SslStream`.
pub fn new(_ssl: Ssl, _stream: S) -> Result<Self, ErrorStack> {
unimplemented!();
}
/// Initiates a client-side TLS handshake.
pub async fn connect(self: Pin<&mut Self>) -> Result<(), Error> {
unimplemented!();
}
/// Initiates a server-side TLS handshake.
pub async fn accept(self: Pin<&mut Self>) -> Result<(), Error> {
unimplemented!();
}
/// Returns a shared reference to the `Ssl` object associated with this stream.
pub fn ssl(&self) -> &SslRef {
unimplemented!();
}
/// Returns a shared reference to the underlying stream.
pub fn get_ref(&self) -> &S {
unimplemented!();
}
/// Returns a mutable reference to the underlying stream.
pub fn get_mut(&mut self) -> &mut S {
unimplemented!();
}
}
impl<S> AsyncRead for SslStream<S>
where
S: AsyncRead + AsyncWrite,
{
fn poll_read(
self: Pin<&mut Self>,
_ctx: &mut Context<'_>,
_buf: &mut ReadBuf<'_>,
) -> Poll<std::io::Result<()>> {
unimplemented!();
}
}
impl<S> AsyncWrite for SslStream<S>
where
S: AsyncRead + AsyncWrite,
{
fn poll_write(
self: Pin<&mut Self>,
_ctx: &mut Context<'_>,
_buf: &[u8],
) -> Poll<std::io::Result<usize>> {
unimplemented!();
}
fn poll_flush(self: Pin<&mut Self>, _ctx: &mut Context<'_>) -> Poll<std::io::Result<()>> {
unimplemented!();
}
fn poll_shutdown(
self: Pin<&mut Self>,
_ctx: &mut Context<'_>,
) -> Poll<std::io::Result<()>> {
unimplemented!();
}
}
}

3
pingora-core/src/protocols/ssl/mod.rs → pingora-core/src/protocols/tls/mod.rs
View file

@ -18,6 +18,9 @@ pub mod client;
pub mod digest; pub mod digest;
pub mod server; pub mod server;
#[cfg(not(feature = "some_tls"))]
pub mod dummy_tls;
use crate::protocols::digest::TimingDigest; use crate::protocols::digest::TimingDigest;
use crate::protocols::{Ssl, UniqueID}; use crate::protocols::{Ssl, UniqueID};
use crate::tls::{self, ssl, tokio_ssl::SslStream as InnerSsl}; use crate::tls::{self, ssl, tokio_ssl::SslStream as InnerSsl};

1
pingora-core/src/protocols/ssl/server.rs → pingora-core/src/protocols/tls/server.rs
View file

@ -143,6 +143,7 @@ impl<S: AsyncRead + AsyncWrite + Send + Unpin> ResumableAccept for SslStream<S>
} }
#[tokio::test] #[tokio::test]
#[cfg(feature = "some_tls")]
async fn test_async_cert() { async fn test_async_cert() {
use tokio::io::AsyncReadExt; use tokio::io::AsyncReadExt;
let acceptor = ssl::SslAcceptor::mozilla_intermediate_v5(ssl::SslMethod::tls()) let acceptor = ssl::SslAcceptor::mozilla_intermediate_v5(ssl::SslMethod::tls())

2
pingora-core/src/upstreams/peer.rs
View file

@ -36,7 +36,7 @@ use crate::protocols::TcpKeepalive;
use crate::tls::x509::X509; use crate::tls::x509::X509;
use crate::utils::{get_organization_unit, CertKey}; use crate::utils::{get_organization_unit, CertKey};
pub use crate::protocols::ssl::ALPN; pub use crate::protocols::tls::ALPN;
/// The interface to trace the connection /// The interface to trace the connection
pub trait Tracing: Send + Sync + std::fmt::Debug { pub trait Tracing: Send + Sync + std::fmt::Debug {

3
pingora-core/tests/test_basic.rs
View file

@ -18,6 +18,7 @@ use hyper::Client;
use hyperlocal::{UnixClientExt, Uri}; use hyperlocal::{UnixClientExt, Uri};
use utils::init; use utils::init;
#[cfg(feature = "some_tls")]
#[tokio::test] #[tokio::test]
async fn test_http() { async fn test_http() {
init(); init();
@ -25,6 +26,7 @@ async fn test_http() {
assert_eq!(res.status(), reqwest::StatusCode::OK); assert_eq!(res.status(), reqwest::StatusCode::OK);
} }
#[cfg(feature = "some_tls")]
#[tokio::test] #[tokio::test]
async fn test_https_http2() { async fn test_https_http2() {
init(); init();
@ -49,6 +51,7 @@ async fn test_https_http2() {
assert_eq!(res.version(), reqwest::Version::HTTP_11); assert_eq!(res.version(), reqwest::Version::HTTP_11);
} }
#[cfg(feature = "some_tls")]
#[tokio::test] #[tokio::test]
async fn test_uds() { async fn test_uds() {
init(); init();