Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Cleanup libcrypto errors #4733

Merged
merged 3 commits into from
Aug 27, 2024
Merged

fix: Cleanup libcrypto errors #4733

merged 3 commits into from
Aug 27, 2024

Conversation

goatgoose
Copy link
Contributor

@goatgoose goatgoose commented Aug 26, 2024
edited
Loading

Description of changes:

This PR attempts to fix the places where potentially confusing libcrypto error codes are used.

Changes to the following s2n-tls errors were made:

S2N_ERR_NO_SUPPORTED_LIBCRYPTO_API

This error is mostly being used in PQ functions when the libcrypto doesn't support PQ. This error should never be raised in this case, since these functions shouldn't be called if the libcrypto doesn't support PQ. S2N_ERR_UNIMPLEMENTED is typically used for this purpose, so S2N_ERR_NO_SUPPORTED_LIBCRYPTO_API was replaced with this error instead.

There were also a couple of places where S2N_ERR_NO_SUPPORTED_LIBCRYPTO_API was raised if the peer unexpectedly indicated a PQ algorithm when the libcrypto doesn't support PQ. These errors were switched to protocol errors.

S2N_ERR_INTERNAL_LIBCRYPTO_ERROR

This error is being used in cases where the libcrypto is erroring unexpectedly. However, S2N_ERR_INTERNAL_LIBCRYPTO_ERROR is a usage error, which doesn't make sense for this purpose. The error type of S2N_ERR_INTERNAL_LIBCRYPTO_ERROR was changed to internal.

This error was also being used to gate the s2n_config_set_cert_authorities_from_trust_store() API behind a supported libcrypto, which should be a usage error. This was switched to a new S2N_ERR_API_UNSUPPORTED usage error instead.

Call-outs:

None

Testing:

I updated a test in s2n_server_key_share_extension_test to test the success case when PQ is enabled, since the new error code is less specific.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Aug 26, 2024
@goatgoose goatgoose marked this pull request as ready for review August 26, 2024 18:29
lrstewart
lrstewart reviewed Aug 27, 2024
View reviewed changes
crypto/s2n_kyber_evp.c Show resolved Hide resolved
error/s2n_errno.c Outdated Show resolved Hide resolved
tests/unit/s2n_server_key_share_extension_test.c Show resolved Hide resolved
@goatgoose goatgoose enabled auto-merge (squash) August 27, 2024 19:07
@goatgoose goatgoose merged commit fd2e45d into aws:main Aug 27, 2024
36 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Sep 6, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jouho jouho jouho approved these changes

@lrstewart lrstewart lrstewart approved these changes

Assignees
No one assigned
Labels
s2n-core team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@goatgoose @lrstewart @jouho