rama_boring/ssl/
error.rs

1use crate::ffi;
2use crate::x509::X509VerifyError;
3use libc::c_int;
4use std::error;
5use std::error::Error as StdError;
6use std::fmt;
7use std::io;
8
9use crate::error::ErrorStack;
10use crate::ssl::MidHandshakeSslStream;
11
12/// An error code returned from SSL functions.
13#[derive(Debug, Copy, Clone, PartialEq, Eq)]
14pub struct ErrorCode(c_int);
15
16impl ErrorCode {
17    /// No error.
18    pub const NONE: ErrorCode = ErrorCode(ffi::SSL_ERROR_NONE);
19
20    /// The SSL session has been closed.
21    pub const ZERO_RETURN: ErrorCode = ErrorCode(ffi::SSL_ERROR_ZERO_RETURN);
22
23    /// An attempt to read data from the underlying socket returned `WouldBlock`.
24    ///
25    /// Wait for read readiness and retry the operation.
26    pub const WANT_READ: ErrorCode = ErrorCode(ffi::SSL_ERROR_WANT_READ);
27
28    /// An attempt to write data to the underlying socket returned `WouldBlock`.
29    ///
30    /// Wait for write readiness and retry the operation.
31    pub const WANT_WRITE: ErrorCode = ErrorCode(ffi::SSL_ERROR_WANT_WRITE);
32
33    pub const WANT_X509_LOOKUP: ErrorCode = ErrorCode(ffi::SSL_ERROR_WANT_X509_LOOKUP);
34
35    pub const PENDING_SESSION: ErrorCode = ErrorCode(ffi::SSL_ERROR_PENDING_SESSION);
36
37    pub const PENDING_CERTIFICATE: ErrorCode = ErrorCode(ffi::SSL_ERROR_PENDING_CERTIFICATE);
38
39    pub const WANT_CERTIFICATE_VERIFY: ErrorCode =
40        ErrorCode(ffi::SSL_ERROR_WANT_CERTIFICATE_VERIFY);
41
42    pub const WANT_PRIVATE_KEY_OPERATION: ErrorCode =
43        ErrorCode(ffi::SSL_ERROR_WANT_PRIVATE_KEY_OPERATION);
44
45    pub const PENDING_TICKET: ErrorCode = ErrorCode(ffi::SSL_ERROR_PENDING_TICKET);
46
47    /// A non-recoverable IO error occurred.
48    pub const SYSCALL: ErrorCode = ErrorCode(ffi::SSL_ERROR_SYSCALL);
49
50    /// An error occurred in the SSL library.
51    pub const SSL: ErrorCode = ErrorCode(ffi::SSL_ERROR_SSL);
52
53    pub fn from_raw(raw: c_int) -> ErrorCode {
54        ErrorCode(raw)
55    }
56
57    #[allow(clippy::trivially_copy_pass_by_ref)]
58    pub fn as_raw(&self) -> c_int {
59        self.0
60    }
61}
62
63#[derive(Debug)]
64pub(crate) enum InnerError {
65    Io(io::Error),
66    Ssl(ErrorStack),
67}
68
69/// An SSL error.
70#[derive(Debug)]
71pub struct Error {
72    pub(crate) code: ErrorCode,
73    pub(crate) cause: Option<InnerError>,
74}
75
76impl Error {
77    pub fn code(&self) -> ErrorCode {
78        self.code
79    }
80
81    pub fn io_error(&self) -> Option<&io::Error> {
82        match self.cause {
83            Some(InnerError::Io(ref e)) => Some(e),
84            _ => None,
85        }
86    }
87
88    pub fn into_io_error(self) -> Result<io::Error, Error> {
89        match self.cause {
90            Some(InnerError::Io(e)) => Ok(e),
91            _ => Err(self),
92        }
93    }
94
95    pub fn ssl_error(&self) -> Option<&ErrorStack> {
96        match self.cause {
97            Some(InnerError::Ssl(ref e)) => Some(e),
98            _ => None,
99        }
100    }
101
102    pub fn would_block(&self) -> bool {
103        matches!(
104            self.code,
105            ErrorCode::WANT_READ
106                | ErrorCode::WANT_WRITE
107                | ErrorCode::WANT_X509_LOOKUP
108                | ErrorCode::PENDING_SESSION
109                | ErrorCode::PENDING_CERTIFICATE
110                | ErrorCode::WANT_PRIVATE_KEY_OPERATION
111                | ErrorCode::WANT_CERTIFICATE_VERIFY
112                | ErrorCode::PENDING_TICKET
113        )
114    }
115}
116
117impl From<ErrorStack> for Error {
118    fn from(e: ErrorStack) -> Error {
119        Error {
120            code: ErrorCode::SSL,
121            cause: Some(InnerError::Ssl(e)),
122        }
123    }
124}
125
126impl fmt::Display for Error {
127    fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
128        match self.code {
129            ErrorCode::ZERO_RETURN => fmt.write_str("the SSL session has been shut down"),
130            ErrorCode::WANT_READ => match self.io_error() {
131                Some(_) => fmt.write_str("a nonblocking read call would have blocked"),
132                None => fmt.write_str("the operation should be retried"),
133            },
134            ErrorCode::WANT_WRITE => match self.io_error() {
135                Some(_) => fmt.write_str("a nonblocking write call would have blocked"),
136                None => fmt.write_str("the operation should be retried"),
137            },
138            ErrorCode::SYSCALL => match self.io_error() {
139                Some(err) => write!(fmt, "{}", err),
140                None => fmt.write_str("unexpected EOF"),
141            },
142            ErrorCode::SSL => match self.ssl_error() {
143                Some(e) => write!(fmt, "{}", e),
144                None => fmt.write_str("unknown BoringSSL error"),
145            },
146            ErrorCode(code) => write!(fmt, "unknown error code {}", code),
147        }
148    }
149}
150
151impl error::Error for Error {
152    fn source(&self) -> Option<&(dyn error::Error + 'static)> {
153        match self.cause {
154            Some(InnerError::Io(ref e)) => Some(e),
155            Some(InnerError::Ssl(ref e)) => Some(e),
156            None => None,
157        }
158    }
159}
160
161/// An error or intermediate state after a TLS handshake attempt.
162// FIXME overhaul
163#[derive(Debug)]
164pub enum HandshakeError<S> {
165    /// Setup failed.
166    SetupFailure(ErrorStack),
167    /// The handshake failed.
168    Failure(MidHandshakeSslStream<S>),
169    /// The handshake encountered a `WouldBlock` error midway through.
170    ///
171    /// This error will never be returned for blocking streams.
172    WouldBlock(MidHandshakeSslStream<S>),
173}
174
175impl<S: fmt::Debug> StdError for HandshakeError<S> {
176    fn source(&self) -> Option<&(dyn StdError + 'static)> {
177        match *self {
178            HandshakeError::SetupFailure(ref e) => Some(e),
179            HandshakeError::Failure(ref s) | HandshakeError::WouldBlock(ref s) => Some(s.error()),
180        }
181    }
182}
183
184impl<S> fmt::Display for HandshakeError<S> {
185    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
186        match *self {
187            HandshakeError::SetupFailure(ref e) => {
188                write!(f, "TLS stream setup failed {}", e)
189            }
190            HandshakeError::Failure(ref s) => fmt_mid_handshake_error(s, f, "TLS handshake failed"),
191            HandshakeError::WouldBlock(ref s) => {
192                fmt_mid_handshake_error(s, f, "TLS handshake interrupted")
193            }
194        }
195    }
196}
197
198fn fmt_mid_handshake_error(
199    s: &MidHandshakeSslStream<impl Sized>,
200    f: &mut fmt::Formatter,
201    prefix: &str,
202) -> fmt::Result {
203    #[cfg(feature = "rpk")]
204    if s.ssl().ssl_context().is_rpk() {
205        write!(f, "{}", prefix)?;
206        return write!(f, " {}", s.error());
207    }
208
209    match s.ssl().verify_result() {
210        // INVALID_CALL is returned if no verification took place,
211        // such as before a cert is sent.
212        Ok(()) | Err(X509VerifyError::INVALID_CALL) => write!(f, "{}", prefix)?,
213        Err(verify) => write!(f, "{}: cert verification failed - {}", prefix, verify)?,
214    }
215
216    write!(f, " {}", s.error())
217}
218
219impl<S> From<ErrorStack> for HandshakeError<S> {
220    fn from(e: ErrorStack) -> HandshakeError<S> {
221        HandshakeError::SetupFailure(e)
222    }
223}