Enum SseError 

pub enum SseError {
    KeyFileIo { path: PathBuf, source: Error },
    BadKeyLength { got: usize },
    TooShort { got: usize },
    BadMagic { got: [u8; 4] },
    UnsupportedAlgo { tag: u8 },
    KeyNotInKeyring { id: u16 },
    DecryptFailed,
    WrongCustomerKey,
    InvalidCustomerKey { reason: &'static str },
    CustomerKeyAlgorithmUnsupported { algo: String },
    CustomerKeyRequired,
    CustomerKeyUnexpected,
    KmsAsyncRequired,
    KmsFrameTooShort { got: usize, min: usize },
    KmsFrameFieldOob { what: &'static str },
    KmsKeyIdNotUtf8,
    KmsWrappedDekMismatch { supplied: String, stored: String },
    KmsRequired,
    KmsBackend(KmsError),
    ChunkAuthFailed { chunk_index: u32 },
    ChunkSizeInvalid,
    ChunkFrameTruncated { what: &'static str },
    ChunkCountTooLarge { got: u32, max: u32 },
    ChunkFrameTooLarge { details: &'static str },
}

Variants

KeyFileIo

Fields

path: PathBuf
source: Error

BadKeyLength

Fields

got: usize

TooShort

Fields

got: usize

BadMagic

Fields

got: [u8; 4]

UnsupportedAlgo

Fields

tag: u8

KeyNotInKeyring

Fields

id: u16

DecryptFailed

WrongCustomerKey

The MD5 fingerprint stored in the S4E3 frame doesn’t match the MD5 of the customer key the client supplied. This is the “wrong customer key on GET” signal — distinct from DecryptFailed so service.rs can map it to AWS S3’s 403 AccessDenied (S3 returns AccessDenied when the supplied SSE-C key doesn’t match the one used at PUT time).

InvalidCustomerKey

parse_customer_key_headers saw a malformed input. reason is a short human string (“base64 decode of key”, “key length”, “md5 length”, “md5 mismatch”) for operator log lines — never echoed to the client (would leak crypto details).

Fields

reason: &'static str

CustomerKeyAlgorithmUnsupported

Client asked for an SSE-C algorithm the gateway doesn’t speak. AWS S3 only ever defines AES256 here; surfacing the offending string lets us 400 with a useful message.

Fields

algo: String

CustomerKeyRequired

S4E3 body lacks an SSE-C key — caller passed SseSource::Keyring when decrypting an SSE-C-encrypted object. service.rs should translate this into the same “missing customer key” 400 that AWS S3 returns when SSE-C headers are absent on a GET.

CustomerKeyUnexpected

Inverse: client sent SSE-C headers on a GET for an object stored without SSE-C. The supplied key has no role in decryption, but AWS S3 actually 400s in this case (“expected an unencrypted object” / “extraneous SSE-C headers”), so we mirror that.

KmsAsyncRequired

decrypt (sync) was handed an S4E4 body. SSE-KMS unwrap is async (it round-trips to the KMS backend), so callers must peek the magic with peek_magic and dispatch S4E4 frames to decrypt_with_kms instead. service.rs’s GET handler does this; tests / direct callers may hit this if they forget.

KmsFrameTooShort

S4E4 frame is shorter than the minimum-possible header (38 bytes for an empty key_id + empty wrapped_dek, which is itself impossible — we just sanity-check the floor).

Fields

got: usize
min: usize

KmsFrameFieldOob

S4E4 declared a key_id_len or wrapped_dek_len that runs past the end of the body. Almost certainly truncation / corruption rather than tampering (tampering would fail the AES-GCM tag instead).

Fields

what: &'static str

KmsKeyIdNotUtf8

key_id field of an S4E4 frame is not valid UTF-8. We require UTF-8 because LocalKms uses the basename of a .kek file (which is OS-string-but-typically-UTF-8) and AWS KMS uses ARNs (which are ASCII).

KmsWrappedDekMismatch

service.rs handed decrypt_with_kms a WrappedDek whose key_id doesn’t match the one stored in the S4E4 frame. This is an integration bug (the caller is meant to pull the wrapped DEK from the frame, not from somewhere else), so it is surfaced as a distinct error that shows up in tests rather than silently failing the AES-GCM tag.

Fields

supplied: String
stored: String

KmsRequired

SSE-KMS path got a non-Kms SseSource for an S4E4 body. The async dispatch in decrypt_with_kms re-derives the source internally so this can only happen if a future caller passes SseSource::Keyring / CustomerKey to a path that expected Kms — kept around for symmetry with the other “wrong source” errors.

KmsBackend(KmsError)

Pass-through for crate::kms::KmsError surfaced from KmsBackend::decrypt_dek — boxed so the variant stays small.

ChunkAuthFailed

AES-GCM auth tag verify failed on chunk chunk_index of an S4E5 body. Distinct from the all-or-nothing SseError::DecryptFailed because the streaming GET may have already emitted earlier chunks to the client by the time chunk N fails — operators need the chunk index in audit logs to triangulate which byte range was tampered with (or which disk sector flipped).

Fields

chunk_index: u32

ChunkSizeInvalid

Caller asked encrypt_v2_chunked to use a chunk size of 0 — nonsensical (would loop forever). Surfaced as an error rather than panicking so service.rs can map a bad --sse-chunk-size 0 configuration to a clear startup error.

ChunkFrameTruncated

S4E5 frame is shorter than the fixed header or declares a (chunk_count × per-chunk-bytes) total that overruns the body. Almost certainly truncation / corruption — tampering with the per-chunk ciphertext or tag would surface as SseError::ChunkAuthFailed instead.

Fields

what: &'static str

ChunkCountTooLarge

S4E6 chunk_index is encoded as a 24-bit big-endian field in the per-chunk nonce, capping chunk_count at 2^24 - 1 = 16_777_215. At the default 1 MiB chunk size that is ~16 PiB per object — well past S3’s 5 GiB single-object ceiling. Surface as a distinct error so a misconfiguration (--sse-chunk-size 1 on a multi-GiB object, say) shows up at PUT time with a clear cause rather than a panic at the u32 → u24 cast.

Fields

got: u32
max: u32
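
The PUT-time bound check and the 24-bit index packing described for ChunkCountTooLarge, as an added example that is not the crate's own code. The 12-byte nonce, its 9-byte per-object prefix and the function names are assumptions; the page only states that chunk_index occupies a 24-bit big-endian field of the nonce.

```rust
// Added example, not the crate's implementation.
const MAX_CHUNK_COUNT: u32 = (1 << 24) - 1; // 16_777_215, the cap stated above

#[derive(Debug, PartialEq)]
enum ChunkError {
    ChunkSizeInvalid,
    ChunkCountTooLarge { got: u32, max: u32 },
}

/// Chunks needed for `object_len` bytes, checked before any encryption starts.
fn chunk_count(object_len: u64, chunk_size: u32) -> Result<u32, ChunkError> {
    if chunk_size == 0 {
        return Err(ChunkError::ChunkSizeInvalid);
    }
    let size = u64::from(chunk_size);
    let n = object_len / size + u64::from(object_len % size != 0);
    // `got` is a u32 field, so counts that do not fit are saturated.
    let got = if n > u64::from(u32::MAX) { u32::MAX } else { n as u32 };
    if got > MAX_CHUNK_COUNT {
        return Err(ChunkError::ChunkCountTooLarge { got, max: MAX_CHUNK_COUNT });
    }
    Ok(got)
}

/// Nonce = hypothetical 9-byte per-object prefix, then the chunk index as a
/// 24-bit big-endian integer.
fn chunk_nonce(prefix: [u8; 9], chunk_index: u32) -> Result<[u8; 12], ChunkError> {
    // Without this check, dropping the top byte would map index 2^24 onto
    // index 0 and repeat a nonce under the same key.
    if chunk_index > MAX_CHUNK_COUNT {
        return Err(ChunkError::ChunkCountTooLarge { got: chunk_index, max: MAX_CHUNK_COUNT });
    }
    let mut nonce = [0u8; 12];
    nonce[..9].copy_from_slice(&prefix);
    nonce[9..].copy_from_slice(&chunk_index.to_be_bytes()[1..]);
    Ok(nonce)
}

fn main() {
    // Constructed inputs: a 2 GiB object with a 1-byte chunk size is rejected.
    println!("{:?}", chunk_count(2 << 30, 1));
    println!("{:?}", chunk_count(5 << 30, 1 << 20));
    println!("{:?}", chunk_nonce([0xAA; 9], 0x01_02_03));
}
```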

ChunkFrameTooLarge

parse_chunked_header rejected an S4E5 / S4E6 frame because the declared chunk_size × chunk_count (or the on-disk total after adding per-chunk tag overhead and the fixed header) is either:

  1. arithmetically nonsensical (the multiplication / addition overflows u64 on a 64-bit host), or
  2. larger than the gateway’s configured max_body_bytes (default 5 GiB — AWS S3’s single-object PUT ceiling).

This is the DoS guard for the chunked path: without it, a 24-byte malicious header that claims chunk_size = u32::MAX and chunk_count = u32::MAX would have caused the buffered decrypt path to attempt a multi-PB Vec::with_capacity (or integer-overflow into a tiny alloc + later out-of-bounds panic) before any cryptographic work happened. Surface as a distinct variant — never echo the offending sizes back to the client (kept as a &'static str details field for operator audit logs only) so the response isn’t a tampering oracle.

Fields

details: &'static str
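
The size guard described for ChunkFrameTooLarge, written with checked arithmetic, as an added example that is not the crate's parse_chunked_header. The 16-byte per-chunk tag, the 24-byte fixed header, the function names and the choice to compare the declared plaintext size against max_body_bytes are assumptions.

```rust
// Added example, not the crate's implementation.
const GCM_TAG_LEN: u64 = 16; // assumed full-length AES-GCM tag per chunk
const FIXED_HEADER_LEN: u64 = 24; // assumption, from the "24-byte header" remark
const DEFAULT_MAX_BODY_BYTES: u64 = 5 * 1024 * 1024 * 1024; // 5 GiB default

#[derive(Debug, PartialEq)]
enum GuardError {
    // A `&'static str` cannot carry formatted, attacker-chosen sizes.
    ChunkFrameTooLarge { details: &'static str },
}

fn too_large(details: &'static str) -> GuardError {
    GuardError::ChunkFrameTooLarge { details }
}

/// Validates the sizes a chunked header declares, before anything is
/// allocated. Returns the largest plaintext length the frame can hold.
fn check_declared_sizes(
    chunk_size: u32,
    chunk_count: u32,
    max_body_bytes: u64,
) -> Result<u64, GuardError> {
    let (size, count) = (u64::from(chunk_size), u64::from(chunk_count));
    let plaintext = size
        .checked_mul(count)
        .ok_or(too_large("chunk_size * chunk_count overflows u64"))?;
    // On-disk upper bound: ciphertext + one tag per chunk + fixed header.
    count
        .checked_mul(GCM_TAG_LEN)
        .and_then(|tags| plaintext.checked_add(tags))
        .and_then(|total| total.checked_add(FIXED_HEADER_LEN))
        .ok_or(too_large("on-disk total overflows u64"))?;
    // Assumption: the cap applies to the declared plaintext size.
    if plaintext > max_body_bytes {
        return Err(too_large("declared size exceeds max_body_bytes"));
    }
    Ok(plaintext)
}

fn main() {
    // Constructed headers: the hostile one from the text, then a valid 5 GiB one.
    println!("{:?}", check_declared_sizes(u32::MAX, u32::MAX, DEFAULT_MAX_BODY_BYTES));
    println!("{:?}", check_declared_sizes(1 << 20, 5120, DEFAULT_MAX_BODY_BYTES));
}
```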

Trait Implementations

impl Debug for SseError

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for SseError

fn fmt(&self, __formatter: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Error for SseError

fn source(&self) -> Option<&(dyn Error + 'static)>

Returns the lower-level source of this error, if any.

fn description(&self) -> &str (since 1.0.0)

Deprecated since 1.42.0: use the Display impl or to_string()

fn cause(&self) -> Option<&dyn Error> (since 1.0.0)

Deprecated since 1.33.0: replaced by Error::source, which can support downcasting

fn provide<'a>(&'a self, request: &mut Request<'a>)

This is a nightly-only experimental API. (error_generic_member_access)
Provides type-based access to context intended for error reports.

impl From<KmsError> for SseError

fn from(source: KmsError) -> Self

Converts to this type from the input type.
