From 6aac4eeafd29e78991f3b3f7c393e965b9eceb1e Mon Sep 17 00:00:00 2001
From: Daniel McCarney
Date: Wed, 2 Oct 2024 15:10:38 -0400
Subject: [PATCH] error: sync with upstream Rustls error changes
* `Error::InvalidCertificate(CertificateError)` gained a new `CertificateError::ExpiredRevocationList`.
* `InvalidMessage(InvalidMessage)` gained a new `InvalidMessage::CertificatePayloadTooLarge`.
* New `Error::InconsistentKeys(InconsistentKeys)`.
* New `Error::InvalidEncryptedClientHello(EncryptedClientHelloError)`.
---
 src/error.rs | 49 ++++++++++++++++++++++++++++++++++++++++++++++---
 src/rustls.h | 7 +++++++
 2 files changed, 53 insertions(+), 3 deletions(-)
diff --git a/src/error.rs b/src/error.rs
index af9d466d..22dafe62 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -5,7 +5,10 @@ use std::sync::Arc;
 use crate::ffi_panic_boundary;
 use libc::{c_char, c_uint, size_t};
 use rustls::server::VerifierBuilderError;
-use rustls::{CertRevocationListError, CertificateError, Error, InvalidMessage};
+use rustls::{
+ CertRevocationListError, CertificateError, EncryptedClientHelloError, Error, InconsistentKeys,
+ InvalidMessage,
+};
 /// A return value for a function that may return either success (0) or a
 /// non-zero value representing an error.
@@ -97,7 +100,8 @@ u32_enum_builder! {
 CertInvalidPurpose => 7129,
 CertApplicationVerificationFailure => 7130,
 CertOtherError => 7131,
- CertUnknownRevocationStatus => 7154, // Last added.
+ CertUnknownRevocationStatus => 7154,
+ CertExpiredRevocationList => 7156, // Last added.
 // From InvalidMessage, with fields that get flattened.
 // https://docs.rs/rustls/0.21.0/rustls/enum.Error.html#variant.InvalidMessage
@@ -122,6 +126,7 @@ u32_enum_builder! {
 MessageUnsupportedCurveType => 7151,
 MessageUnsupportedKeyExchangeAlgorithm => 7152,
 MessageInvalidOther => 7153,
+ MessageCertificatePayloadTooLarge => 7155,
 // From Error, with fields that get dropped.
 PeerIncompatibleError => 7107,
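Review bot: The `// Last added.` marker moved in the `@@ -97,7 +100,8 @@` hunk is the only record of where the shared 71xx sequence stands, and this commit allocates from that sequence in two groups at once: 7156 here and 7155 for `MessageCertificatePayloadTooLarge` in the following hunk. These values are exported to C callers through `src/rustls.h`, so a reused or renumbered value would silently change what an existing comparison in a caller means. I would state the rule next to the marker, for example `// Last added. 71xx values are shared by the Cert* and Message* groups and must never be reused.` The `u32_enum_builder!` invocation starts and ends outside the hunk.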
@@ -190,7 +195,16 @@ u32_enum_builder! {
 CertRevocationListUnsupportedRevocationReason => 7410,
 // From ClientCertVerifierBuilderError, with fields that get flattened.
- ClientCertVerifierBuilderNoRootAnchors => 7500
+ ClientCertVerifierBuilderNoRootAnchors => 7500,
+
+ // From InconsistentKeys, with fields that get flattened.
+ InconsistentKeysKeysMismatch => 7600,
+ InconsistentKeysUnknown => 7601,
+
+ // From InvalidEncryptedClientHello, with fields that get flattened.
+ InvalidEncryptedClientHelloInvalidConfigList => 7700,
+ InvalidEncryptedClientHelloNoCompatibleConfig => 7701,
+ InvalidEncryptedClientHelloSniRequired => 7702
 }
 }
@@ -267,6 +281,7 @@ pub(crate) fn cert_result_to_error(result: rustls_result) -> Error {
 CertApplicationVerificationFailure => {
 InvalidCertificate(CertificateError::ApplicationVerificationFailure)
 }
+ CertExpiredRevocationList => InvalidCertificate(CertificateError::ExpiredRevocationList),
 CertOtherError => InvalidCertificate(CertificateError::Other(OtherError(Arc::from(
 Box::from(""),
 )))),
@@ -319,6 +334,7 @@ pub(crate) fn map_error(input: Error) -> rustls_result {
 Error::InvalidMessage(e) => match e {
 InvalidMessage::HandshakePayloadTooLarge => MessageHandshakePayloadTooLarge,
+ InvalidMessage::CertificatePayloadTooLarge => MessageCertificatePayloadTooLarge,
 InvalidMessage::InvalidCcs => MessageInvalidCcs,
 InvalidMessage::InvalidContentType => MessageInvalidContentType,
 InvalidMessage::InvalidCertificateStatusType => MessageInvalidCertStatusType,
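Review bot: `InconsistentKeysKeysMismatch` in the `@@ -190,7 +195,16 @@` hunk doubles the plural where the upstream variant is `InconsistentKeys::KeyMismatch` (visible in the new `map_error` arm), so the exported constant becomes `RUSTLS_RESULT_INCONSISTENT_KEYS_KEYS_MISMATCH`. The neighbouring additions (`InconsistentKeysUnknown`, `InvalidEncryptedClientHelloSniRequired`) keep the upstream variant spelling, and once the header ships this name is part of the C API and costly to correct. I would write `InconsistentKeysKeyMismatch => 7600,` here and carry the rename through the `map_error` and `Display` arms and `src/rustls.h`.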
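Review bot: `cert_result_to_error` gains `CertExpiredRevocationList` in the `@@ -267,6 +281,7 @@` hunk, but the diff does not show whether the code that classifies a `rustls_result` as a certificate error learned the new value too. If rustls-ffi's `rustls_result_is_cert_error` (not part of this diff) enumerates the `Cert*` variants by hand, 7156 would presumably be reported as a non-certificate error, and a caller that branches on that predicate would treat an expired CRL as a generic failure. A test asserting that the predicate is true for `CertExpiredRevocationList` would settle it. The function body starts and ends outside the hunk.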
@@ -356,6 +372,7 @@ pub(crate) fn map_error(input: Error) -> rustls_result {
 CertificateError::UnhandledCriticalExtension => CertUnhandledCriticalExtension,
 CertificateError::UnknownIssuer => CertUnknownIssuer,
 CertificateError::UnknownRevocationStatus => CertUnknownRevocationStatus,
+ CertificateError::ExpiredRevocationList => CertExpiredRevocationList,
 CertificateError::BadSignature => CertBadSignature,
 CertificateError::NotValidForName => CertNotValidForName,
 CertificateError::InvalidPurpose => CertInvalidPurpose,
@@ -406,6 +423,9 @@ pub(crate) fn map_error(input: Error) -> rustls_result {
 Error::InvalidCertRevocationList(e) => map_crl_error(e),
+ Error::InconsistentKeys(InconsistentKeys::KeyMismatch) => InconsistentKeysKeysMismatch,
+ Error::InconsistentKeys(InconsistentKeys::Unknown) => InconsistentKeysUnknown,
+
 _ => General,
 }
 }
@@ -521,6 +541,9 @@ impl Display for rustls_result {
 CertUnknownRevocationStatus => {
 Error::InvalidCertificate(CertificateError::UnknownRevocationStatus).fmt(f)
 }
+ CertExpiredRevocationList => {
+ Error::InvalidCertificate(CertificateError::ExpiredRevocationList).fmt(f)
+ }
 CertOtherError => write!(f, "unknown certificate error"),
 // These variants correspond to a rustls::Error variant with a field,
@@ -532,6 +555,9 @@ impl Display for rustls_result {
 MessageHandshakePayloadTooLarge => {
 Error::InvalidMessage(InvalidMessage::HandshakePayloadTooLarge).fmt(f)
 }
+ MessageCertificatePayloadTooLarge => {
+ Error::InvalidMessage(InvalidMessage::CertificatePayloadTooLarge).fmt(f)
+ }
 MessageInvalidContentType => {
 Error::InvalidMessage(InvalidMessage::InvalidContentType).fmt(f)
 }
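Review bot: The arms added to `map_error` in the `@@ -406,6 +423,9 @@` hunk cover `Error::InconsistentKeys` only, so an `Error::InvalidEncryptedClientHello` still falls through to `_ => General` unless an arm above the hunk handles it. The commit defines 7700 to 7702 and gives them `Display` arms, yet nothing visible ever produces those codes, so a C caller cannot tell an ECH configuration failure apart from any other general error. Adding the three arms ahead of the wildcard closes the gap, and a test that maps each new upstream variant and checks the result is not `General` would catch the next one the wildcard swallows. `map_error` starts outside the hunk.

```rust
        Error::InconsistentKeys(InconsistentKeys::Unknown) => InconsistentKeysUnknown,

        Error::InvalidEncryptedClientHello(EncryptedClientHelloError::InvalidConfigList) => {
            InvalidEncryptedClientHelloInvalidConfigList
        }
        Error::InvalidEncryptedClientHello(EncryptedClientHelloError::NoCompatibleConfig) => {
            InvalidEncryptedClientHelloNoCompatibleConfig
        }
        Error::InvalidEncryptedClientHello(EncryptedClientHelloError::SniRequired) => {
            InvalidEncryptedClientHelloSniRequired
        }

        _ => General,
```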
@@ -688,6 +714,23 @@ impl Display for rustls_result {
 .fmt(f),
 ClientCertVerifierBuilderNoRootAnchors => write!(f, "no root trust anchors provided"),
+
+ InconsistentKeysKeysMismatch => {
+ Error::InconsistentKeys(InconsistentKeys::KeyMismatch).fmt(f)
+ }
+ InconsistentKeysUnknown => Error::InconsistentKeys(InconsistentKeys::Unknown).fmt(f),
+
+ InvalidEncryptedClientHelloInvalidConfigList => {
+ Error::InvalidEncryptedClientHello(EncryptedClientHelloError::InvalidConfigList)
+ .fmt(f)
+ }
+ InvalidEncryptedClientHelloNoCompatibleConfig => {
+ Error::InvalidEncryptedClientHello(EncryptedClientHelloError::NoCompatibleConfig)
+ .fmt(f)
+ }
+ InvalidEncryptedClientHelloSniRequired => {
+ Error::InvalidEncryptedClientHello(EncryptedClientHelloError::SniRequired).fmt(f)
+ }
 }
 }
 }
diff --git a/src/rustls.h b/src/rustls.h
index e4f9be1d..11594594 100644
--- a/src/rustls.h
+++ b/src/rustls.h
@@ -48,6 +48,7 @@ enum rustls_result {
 RUSTLS_RESULT_CERT_APPLICATION_VERIFICATION_FAILURE = 7130,
 RUSTLS_RESULT_CERT_OTHER_ERROR = 7131,
 RUSTLS_RESULT_CERT_UNKNOWN_REVOCATION_STATUS = 7154,
+ RUSTLS_RESULT_CERT_EXPIRED_REVOCATION_LIST = 7156,
 RUSTLS_RESULT_MESSAGE_HANDSHAKE_PAYLOAD_TOO_LARGE = 7133,
 RUSTLS_RESULT_MESSAGE_INVALID_CCS = 7134,
 RUSTLS_RESULT_MESSAGE_INVALID_CONTENT_TYPE = 7135,
@@ -69,6 +70,7 @@ enum rustls_result {
 RUSTLS_RESULT_MESSAGE_UNSUPPORTED_CURVE_TYPE = 7151,
 RUSTLS_RESULT_MESSAGE_UNSUPPORTED_KEY_EXCHANGE_ALGORITHM = 7152,
 RUSTLS_RESULT_MESSAGE_INVALID_OTHER = 7153,
+ RUSTLS_RESULT_MESSAGE_CERTIFICATE_PAYLOAD_TOO_LARGE = 7155,
 RUSTLS_RESULT_PEER_INCOMPATIBLE_ERROR = 7107,
 RUSTLS_RESULT_PEER_MISBEHAVED_ERROR = 7108,
 RUSTLS_RESULT_INAPPROPRIATE_MESSAGE = 7109,
@@ -121,6 +123,11 @@ enum rustls_result {
 RUSTLS_RESULT_CERT_REVOCATION_LIST_UNSUPPORTED_INDIRECT_CRL = 7409,
 RUSTLS_RESULT_CERT_REVOCATION_LIST_UNSUPPORTED_REVOCATION_REASON = 7410,
 RUSTLS_RESULT_CLIENT_CERT_VERIFIER_BUILDER_NO_ROOT_ANCHORS = 7500,
+ RUSTLS_RESULT_INCONSISTENT_KEYS_KEYS_MISMATCH = 7600,
+ RUSTLS_RESULT_INCONSISTENT_KEYS_UNKNOWN = 7601,
+ RUSTLS_RESULT_INVALID_ENCRYPTED_CLIENT_HELLO_INVALID_CONFIG_LIST = 7700,
+ RUSTLS_RESULT_INVALID_ENCRYPTED_CLIENT_HELLO_NO_COMPATIBLE_CONFIG = 7701,
+ RUSTLS_RESULT_INVALID_ENCRYPTED_CLIENT_HELLO_SNI_REQUIRED = 7702,
 };
 typedef uint32_t rustls_result;