min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove INVALID_CALL from mid-handshake error message 

Mid-handshake errors that occur before certificate verification
currently look like this:

```
TLS handshake failed: cert verification failed - Invalid certificate verification context [WRONG_VERSION_NUMBER]
```

Despite no certificate even being received yet, the error complains
about a failed verification. The cause here is that `cert verification
failed` is only omitted if the verification result is `OK`. The default
in BoringSSL before verification runs is `INVALID_CALL`, however.

`INVALID_CALL` is set/returned in these places:
- 44b3df6f03/src/ssl/internal.h (L3904)
- 44b3df6f03/src/ssl/ssl_session.cc (L396)
- 44b3df6f03/src/ssl/ssl_x509.cc (L713)

It is not used anywhere else as a verification result code. To improve
the error message, this commit adds `INVALID_CALL` as a verification
result for which no additional error is dislayed.
This commit is contained in:
Leo Blöcher 2024-11-12 14:01:30 +01:00 committed by Kornel
parent 33b511331b
commit baede6c0af
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
boring/src/ssl/error.rs
View File

@ -1,4 +1,5 @@
use crate::ffi;
use crate::x509::X509VerifyError;
use libc::c_int;
use std::error;
use std::error::Error as StdError;
@ -206,7 +207,9 @@ fn fmt_mid_handshake_error(
}
match s.ssl().verify_result() {
Ok(()) => write!(f, "{}", prefix)?,
// INVALID_CALL is returned if no verification took place,
// such as before a cert is sent.
Ok(()) | Err(X509VerifyError::INVALID_CALL) => write!(f, "{}", prefix)?,
Err(verify) => write!(f, "{}: cert verification failed - {}", prefix, verify)?,
}