From 08c333a10543d686fa3922b5f483c70e6c6c3540 Mon Sep 17 00:00:00 2001 From: Anthony Ramine Date: Wed, 11 Oct 2023 12:04:20 +0200 Subject: [PATCH] Change X509VerifyResult to Result<(), X509VerifyError> This commit separates X509VerifyResult::OK from the rest of the codes that actually represent errors, using a Result type as usual. --- boring/examples/mk_certs.rs | 6 ++--- boring/src/ssl/error.rs | 5 ++--- boring/src/ssl/mod.rs | 6 +++-- boring/src/ssl/test/mod.rs | 6 ++--- boring/src/x509/mod.rs | 44 ++++++++++++++++++++++--------------- boring/src/x509/tests.rs | 6 ++--- 6 files changed, 41 insertions(+), 32 deletions(-) diff --git a/boring/examples/mk_certs.rs b/boring/examples/mk_certs.rs index 217786e2..ce0c8492 100644 --- a/boring/examples/mk_certs.rs +++ b/boring/examples/mk_certs.rs @@ -13,7 +13,7 @@ use boring::x509::extension::{ AuthorityKeyIdentifier, BasicConstraints, KeyUsage, SubjectAlternativeName, SubjectKeyIdentifier, }; -use boring::x509::{X509NameBuilder, X509Ref, X509Req, X509ReqBuilder, X509VerifyResult, X509}; +use boring::x509::{X509NameBuilder, X509Ref, X509Req, X509ReqBuilder, X509}; /// Make a CA certificate and private key fn mk_ca_cert() -> Result<(X509, PKey), ErrorStack> { @@ -145,8 +145,8 @@ fn real_main() -> Result<(), ErrorStack> { // Verify that this cert was issued by this ca match ca_cert.issued(&cert) { - X509VerifyResult::OK => println!("Certificate verified!"), - ver_err => println!("Failed to verify certificate: {}", ver_err), + Ok(()) => println!("Certificate verified!"), + Err(ver_err) => println!("Failed to verify certificate: {}", ver_err), }; Ok(()) diff --git a/boring/src/ssl/error.rs b/boring/src/ssl/error.rs index e77ce291..0f75b818 100644 --- a/boring/src/ssl/error.rs +++ b/boring/src/ssl/error.rs @@ -7,7 +7,6 @@ use std::io; use crate::error::ErrorStack; use crate::ssl::MidHandshakeSslStream; -use crate::x509::X509VerifyResult; /// An error code returned from SSL functions. #[derive(Debug, Copy, Clone, PartialEq, Eq)] @@ -200,8 +199,8 @@ fn fmt_mid_handshake_error( } match s.ssl().verify_result() { - X509VerifyResult::OK => write!(f, "{}", prefix)?, - verify => write!(f, "{}: cert verification failed - {}", prefix, verify)?, + Ok(()) => write!(f, "{}", prefix)?, + Err(verify) => write!(f, "{}: cert verification failed - {}", prefix, verify)?, } write!(f, " {}", s.error()) diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs index 724d7823..60a649e9 100644 --- a/boring/src/ssl/mod.rs +++ b/boring/src/ssl/mod.rs @@ -92,7 +92,9 @@ use crate::ssl::error::InnerError; use crate::stack::{Stack, StackRef}; use crate::x509::store::{X509Store, X509StoreBuilderRef, X509StoreRef}; use crate::x509::verify::X509VerifyParamRef; -use crate::x509::{X509Name, X509Ref, X509StoreContextRef, X509VerifyResult, X509}; +use crate::x509::{ + X509Name, X509Ref, X509StoreContextRef, X509VerifyError, X509VerifyResult, X509, +}; use crate::{cvt, cvt_0i, cvt_n, cvt_p, init}; pub use crate::ssl::connector::{ @@ -3011,7 +3013,7 @@ impl SslRef { "This API is not supported for RPK" ); - unsafe { X509VerifyResult::from_raw(ffi::SSL_get_verify_result(self.as_ptr()) as c_int) } + unsafe { X509VerifyError::from_raw(ffi::SSL_get_verify_result(self.as_ptr()) as c_int) } } /// Returns a shared reference to the SSL session. diff --git a/boring/src/ssl/test/mod.rs b/boring/src/ssl/test/mod.rs index a68c3dc7..53e5177b 100644 --- a/boring/src/ssl/test/mod.rs +++ b/boring/src/ssl/test/mod.rs @@ -32,7 +32,7 @@ use crate::ssl::{ }; use crate::x509::store::X509StoreBuilder; use crate::x509::verify::X509CheckFlags; -use crate::x509::{X509Name, X509StoreContext, X509VerifyResult, X509}; +use crate::x509::{X509Name, X509StoreContext, X509}; mod private_key_method; mod server; @@ -159,7 +159,7 @@ fn verify_trusted_get_error_ok() { client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, x509| { - assert_eq!(x509.error(), X509VerifyResult::OK); + assert_eq!(x509.verify_result(), Ok(())); true }); @@ -176,7 +176,7 @@ fn verify_trusted_get_error_err() { client .ctx() .set_verify_callback(SslVerifyMode::PEER, |_, x509| { - assert_ne!(x509.error(), X509VerifyResult::OK); + assert!(x509.verify_result().is_err()); false }); diff --git a/boring/src/x509/mod.rs b/boring/src/x509/mod.rs index 1033d364..d17fa74e 100644 --- a/boring/src/x509/mod.rs +++ b/boring/src/x509/mod.rs @@ -90,13 +90,13 @@ impl X509StoreContextRef { } } - /// Returns the error code of the context. + /// Returns the verify result of the context. /// /// This corresponds to [`X509_STORE_CTX_get_error`]. /// /// [`X509_STORE_CTX_get_error`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_STORE_CTX_get_error.html - pub fn error(&self) -> X509VerifyResult { - unsafe { X509VerifyResult::from_raw(ffi::X509_STORE_CTX_get_error(self.as_ptr())) } + pub fn verify_result(&self) -> X509VerifyResult { + unsafe { X509VerifyError::from_raw(ffi::X509_STORE_CTX_get_error(self.as_ptr())) } } /// Initializes this context with the given certificate, certificates chain and certificate @@ -161,14 +161,17 @@ impl X509StoreContextRef { unsafe { cvt_n(ffi::X509_verify_cert(self.as_ptr())).map(|n| n != 0) } } - /// Set the error code of the context. + /// Set the verify result of the context. /// /// This corresponds to [`X509_STORE_CTX_set_error`]. /// /// [`X509_STORE_CTX_set_error`]: https://www.openssl.org/docs/man1.1.0/crypto/X509_STORE_CTX_set_error.html pub fn set_error(&mut self, result: X509VerifyResult) { unsafe { - ffi::X509_STORE_CTX_set_error(self.as_ptr(), result.as_raw()); + ffi::X509_STORE_CTX_set_error( + self.as_ptr(), + result.err().as_ref().map_or(ffi::X509_V_OK, X509VerifyError::as_raw), + ); } } @@ -542,7 +545,7 @@ impl X509Ref { pub fn issued(&self, subject: &X509Ref) -> X509VerifyResult { unsafe { let r = ffi::X509_check_issued(self.as_ptr(), subject.as_ptr()); - X509VerifyResult::from_raw(r) + X509VerifyError::from_raw(r) } } @@ -1363,38 +1366,44 @@ impl X509ReqRef { } /// The result of peer certificate verification. +pub type X509VerifyResult = Result<(), X509VerifyError>; + #[derive(Copy, Clone, PartialEq, Eq)] -pub struct X509VerifyResult(c_int); +pub struct X509VerifyError(c_int); -impl fmt::Debug for X509VerifyResult { +impl fmt::Debug for X509VerifyError { fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result { - fmt.debug_struct("X509VerifyResult") + fmt.debug_struct("X509VerifyError") .field("code", &self.0) .field("error", &self.error_string()) .finish() } } -impl fmt::Display for X509VerifyResult { +impl fmt::Display for X509VerifyError { fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result { fmt.write_str(self.error_string()) } } -impl Error for X509VerifyResult {} +impl Error for X509VerifyError {} -impl X509VerifyResult { - /// Creates an `X509VerifyResult` from a raw error number. +impl X509VerifyError { + /// Creates an [`X509VerifyResult`] from a raw error number. /// /// # Safety /// - /// Some methods on `X509VerifyResult` are not thread safe if the error + /// Some methods on [`X509VerifyError`] are not thread safe if the error /// number is invalid. pub unsafe fn from_raw(err: c_int) -> X509VerifyResult { - X509VerifyResult(err) + if err == ffi::X509_V_OK { + Ok(()) + } else { + Err(X509VerifyError(err)) + } } - /// Return the integer representation of an `X509VerifyResult`. + /// Return the integer representation of an [`X509VerifyError`]. #[allow(clippy::trivially_copy_pass_by_ref)] pub fn as_raw(&self) -> c_int { self.0 @@ -1417,8 +1426,7 @@ impl X509VerifyResult { } #[allow(missing_docs)] // no need to document the constants -impl X509VerifyResult { - pub const OK: Self = Self(ffi::X509_V_OK); +impl X509VerifyError { pub const UNSPECIFIED: Self = Self(ffi::X509_V_ERR_UNSPECIFIED); pub const UNABLE_TO_GET_ISSUER_CERT: Self = Self(ffi::X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT); pub const UNABLE_TO_GET_CRL: Self = Self(ffi::X509_V_ERR_UNABLE_TO_GET_CRL); diff --git a/boring/src/x509/tests.rs b/boring/src/x509/tests.rs index e437060b..e656873d 100644 --- a/boring/src/x509/tests.rs +++ b/boring/src/x509/tests.rs @@ -12,7 +12,7 @@ use crate::x509::extension::{ SubjectKeyIdentifier, }; use crate::x509::store::X509StoreBuilder; -use crate::x509::{X509Extension, X509Name, X509Req, X509StoreContext, X509VerifyResult, X509}; +use crate::x509::{X509Extension, X509Name, X509Req, X509StoreContext, X509}; fn pkey() -> PKey { let rsa = Rsa::generate(2048).unwrap(); @@ -363,8 +363,8 @@ fn issued() { let ca = include_bytes!("../../test/root-ca.pem"); let ca = X509::from_pem(ca).unwrap(); - assert_eq!(ca.issued(&cert), X509VerifyResult::OK); - assert_ne!(cert.issued(&cert), X509VerifyResult::OK); + assert_eq!(ca.issued(&cert), Ok(())); + assert!(cert.issued(&cert).is_err()); } #[test]