1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168

use crate::msgs::enums::{AlertDescription, ContentType, HandshakeType};
use sct;
use std::error::Error;
use std::fmt;
use webpki;

/// rustls reports protocol errors using this type.
#[derive(Debug, PartialEq, Clone)]
pub enum TLSError {
    /// We received a TLS message that isn't valid right now.
    /// `expect_types` lists the message types we can expect right now.
    /// `got_type` is the type we found.  This error is typically
    /// caused by a buggy TLS stack (the peer or this one), a broken
    /// network, or an attack.
    InappropriateMessage {
        /// Which types we expected
        expect_types: Vec<ContentType>,
        /// What type we received
        got_type: ContentType,
    },

    /// We received a TLS handshake message that isn't valid right now.
    /// `expect_types` lists the handshake message types we can expect
    /// right now.  `got_type` is the type we found.
    InappropriateHandshakeMessage {
        /// Which handshake type we expected
        expect_types: Vec<HandshakeType>,
        /// What handshake type we received
        got_type: HandshakeType,
    },

    /// The peer sent us a syntactically incorrect TLS message.
    CorruptMessage,

    /// The peer sent us a TLS message with invalid contents.
    CorruptMessagePayload(ContentType),

    /// The peer didn't give us any certificates.
    NoCertificatesPresented,

    /// We couldn't decrypt a message.  This is invariably fatal.
    DecryptError,

    /// The peer doesn't support a protocol version/feature we require.
    /// The parameter gives a hint as to what version/feature it is.
    PeerIncompatibleError(String),

    /// The peer deviated from the standard TLS protocol.
    /// The parameter gives a hint where.
    PeerMisbehavedError(String),

    /// We received a fatal alert.  This means the peer is unhappy.
    AlertReceived(AlertDescription),

    /// The presented certificate chain is invalid.
    WebPKIError(webpki::Error),

    /// The presented SCT(s) were invalid.
    InvalidSCT(sct::Error),

    /// A catch-all error for unlikely errors.
    General(String),

    /// We failed to figure out what time it currently is.
    FailedToGetCurrentTime,

    /// This function doesn't work until the TLS handshake
    /// is complete.
    HandshakeNotComplete,

    /// The peer sent an oversized record/fragment.
    PeerSentOversizedRecord,

    /// An incoming connection did not support any known application protocol.
    NoApplicationProtocol,
}

fn join<T: fmt::Debug>(items: &[T]) -> String {
    items
        .iter()
        .map(|x| format!("{:?}", x))
        .collect::<Vec<String>>()
        .join(" or ")
}

impl fmt::Display for TLSError {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        match *self {
            TLSError::InappropriateMessage {
                ref expect_types,
                ref got_type,
            } => write!(
                f,
                "received unexpected message: got {:?} when expecting {}",
                got_type,
                join::<ContentType>(expect_types)
            ),
            TLSError::InappropriateHandshakeMessage {
                ref expect_types,
                ref got_type,
            } => write!(
                f,
                "received unexpected handshake message: got {:?} when expecting {}",
                got_type,
                join::<HandshakeType>(expect_types)
            ),
            TLSError::CorruptMessagePayload(ref typ) => {
                write!(f, "received corrupt message of type {:?}", typ)
            }
            TLSError::PeerIncompatibleError(ref why) => write!(f, "peer is incompatible: {}", why),
            TLSError::PeerMisbehavedError(ref why) => write!(f, "peer misbehaved: {}", why),
            TLSError::AlertReceived(ref alert) => write!(f, "received fatal alert: {:?}", alert),
            TLSError::WebPKIError(ref err) => write!(f, "invalid certificate: {:?}", err),
            TLSError::CorruptMessage => write!(f, "received corrupt message"),
            TLSError::NoCertificatesPresented => write!(f, "peer sent no certificates"),
            TLSError::DecryptError => write!(f, "cannot decrypt peer's message"),
            TLSError::PeerSentOversizedRecord => write!(f, "peer sent excess record size"),
            TLSError::HandshakeNotComplete => write!(f, "handshake not complete"),
            TLSError::NoApplicationProtocol => write!(f, "peer doesn't support any known protocol"),
            TLSError::InvalidSCT(ref err) => write!(f, "invalid certificate timestamp: {:?}", err),
            TLSError::FailedToGetCurrentTime => write!(f, "failed to get current time"),
            TLSError::General(ref err) => write!(f, "unexpected error: {}", err), // (please file a bug)
        }
    }
}

impl Error for TLSError {}

#[cfg(test)]
mod tests {
    #[test]
    fn smoke() {
        use super::TLSError;
        use crate::msgs::enums::{AlertDescription, ContentType, HandshakeType};
        use sct;
        use webpki;

        let all = vec![
            TLSError::InappropriateMessage {
                expect_types: vec![ContentType::Alert],
                got_type: ContentType::Handshake,
            },
            TLSError::InappropriateHandshakeMessage {
                expect_types: vec![HandshakeType::ClientHello, HandshakeType::Finished],
                got_type: HandshakeType::ServerHello,
            },
            TLSError::CorruptMessage,
            TLSError::CorruptMessagePayload(ContentType::Alert),
            TLSError::NoCertificatesPresented,
            TLSError::DecryptError,
            TLSError::PeerIncompatibleError("no tls1.2".to_string()),
            TLSError::PeerMisbehavedError("inconsistent something".to_string()),
            TLSError::AlertReceived(AlertDescription::ExportRestriction),
            TLSError::WebPKIError(webpki::Error::ExtensionValueInvalid),
            TLSError::InvalidSCT(sct::Error::MalformedSCT),
            TLSError::General("undocumented error".to_string()),
            TLSError::FailedToGetCurrentTime,
            TLSError::HandshakeNotComplete,
            TLSError::PeerSentOversizedRecord,
            TLSError::NoApplicationProtocol,
        ];

        for err in all {
            println!("{:?}:", err);
            println!("  fmt '{}'", err);
        }
    }
}