cosmopolitan/third_party/mbedtls/shakedescription.c

/*-*- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│
│ vi: set et ft=c ts=2 sts=2 sw=2 fenc=utf-8                               :vi │
╞══════════════════════════════════════════════════════════════════════════════╡
│ Copyright 2023 Justine Alexandra Roberts Tunney                              │
│                                                                              │
│ Permission to use, copy, modify, and/or distribute this software for         │
│ any purpose with or without fee is hereby granted, provided that the         │
│ above copyright notice and this permission notice appear in all copies.      │
│                                                                              │
│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL                │
│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED                │
│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE             │
│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL         │
│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR        │
│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER               │
│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR             │
│ PERFORMANCE OF THIS SOFTWARE.                                                │
╚─────────────────────────────────────────────────────────────────────────────*/
#include "third_party/mbedtls/iana.h"
#include "third_party/mbedtls/net_sockets.h"
#include "third_party/mbedtls/ssl.h"
#include "third_party/mbedtls/x509.h"

const char *DescribeSslClientHandshakeError(const mbedtls_ssl_context *ssl,
                                            int ret) {
  switch (ret) {
    case MBEDTLS_ERR_SSL_CONN_EOF:
      return "connection eof";
    case MBEDTLS_ERR_NET_CONN_RESET:
      return "connection reset";
    case MBEDTLS_ERR_SSL_TIMEOUT:
      return "ssl timeout";
    case MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN:
      return "no cipher chosen";
    case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE:
      return "no usable ciphersuite";
    case MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION:
      return "bad ssl version";
    case MBEDTLS_ERR_SSL_INVALID_MAC:
      return "bad ssl mac";
    case MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE:
      return "bad key exchange";
    case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
      switch (ssl->session_negotiate->verify_result) {
        case MBEDTLS_X509_BADCERT_EXPIRED:
          return "the certificate validity has expired";
        case MBEDTLS_X509_BADCERT_REVOKED:
          return "the certificate has been revoked (is on a crl)";
        case MBEDTLS_X509_BADCERT_CN_MISMATCH:
          return "the certificate common name (cn) does not match with the "
                 "expected cn";
        case MBEDTLS_X509_BADCERT_NOT_TRUSTED:
          return "the certificate is not correctly signed by the trusted ca";
        case MBEDTLS_X509_BADCRL_NOT_TRUSTED:
          return "the crl is not correctly signed by the trusted ca";
        case MBEDTLS_X509_BADCRL_EXPIRED:
          return "the crl is expired";
        case MBEDTLS_X509_BADCERT_MISSING:
          return "certificate was missing";
        case MBEDTLS_X509_BADCERT_SKIP_VERIFY:
          return "certificate verification was skipped";
        case MBEDTLS_X509_BADCERT_OTHER:
          return "other reason (can be used by verify callback)";
        case MBEDTLS_X509_BADCERT_FUTURE:
          return "the certificate validity starts in the future";
        case MBEDTLS_X509_BADCRL_FUTURE:
          return "the crl is from the future";
        case MBEDTLS_X509_BADCERT_KEY_USAGE:
          return "usage does not match the keyusage extension";
        case MBEDTLS_X509_BADCERT_EXT_KEY_USAGE:
          return "usage does not match the extendedkeyusage extension";
        case MBEDTLS_X509_BADCERT_NS_CERT_TYPE:
          return "usage does not match the nscerttype extension";
        case MBEDTLS_X509_BADCERT_BAD_MD:
          return "the certificate is signed with an unacceptable hash";
        case MBEDTLS_X509_BADCERT_BAD_PK:
          return "the certificate is signed with an unacceptable pk alg (eg "
                 "rsa vs ecdsa)";
        case MBEDTLS_X509_BADCERT_BAD_KEY:
          return "the certificate is signed with an unacceptable key (eg bad "
                 "curve, rsa too short)";
        case MBEDTLS_X509_BADCRL_BAD_MD:
          return "the crl is signed with an unacceptable hash";
        case MBEDTLS_X509_BADCRL_BAD_PK:
          return "the crl is signed with an unacceptable pk alg (eg rsa vs "
                 "ecdsa)";
        case MBEDTLS_X509_BADCRL_BAD_KEY:
          return "the crl is signed with an unacceptable key (eg bad curve, "
                 "rsa too short)";
        default:
          return "verification failed";
      }
    case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:
      return GetAlertDescription(ssl->fatal_alert);
    default:
      return DescribeMbedtlsErrorCode(ret);
  }
}
Do work on curl/mbedtls/zstd This change fixes stderr to be unbuffered. Added hardware AES on ARM64 to help safeguard against timing attacks. The curl.com command will be somewhat more pleasant to use. 2023-07-07 17:00:49 +00:00			`/-- mode:c;indent-tabs-mode:nil;c-basic-offset:2;tab-width:8;coding:utf-8 -*-│`
flip et / noet in modelines `et` means `expandtab`. ```sh rg 'vi: .* :vi' -l -0 \| \ xargs -0 sed -i '' 's/vi: \(.\) et\(.\) :vi/vi: \1 xoet\2:vi/' rg 'vi: .* :vi' -l -0 \| \ xargs -0 sed -i '' 's/vi: \(.\)noet\(.\):vi/vi: \1et\2 :vi/' rg 'vi: .* :vi' -l -0 \| \ xargs -0 sed -i '' 's/vi: \(.\)xoet\(.\):vi/vi: \1noet\2:vi/' ``` 2023-12-08 03:11:56 +00:00			`│ vi: set et ft=c ts=2 sts=2 sw=2 fenc=utf-8 :vi │`
Do work on curl/mbedtls/zstd This change fixes stderr to be unbuffered. Added hardware AES on ARM64 to help safeguard against timing attacks. The curl.com command will be somewhat more pleasant to use. 2023-07-07 17:00:49 +00:00			`╞══════════════════════════════════════════════════════════════════════════════╡`
			`│ Copyright 2023 Justine Alexandra Roberts Tunney │`
			`│ │`
			`│ Permission to use, copy, modify, and/or distribute this software for │`
			`│ any purpose with or without fee is hereby granted, provided that the │`
			`│ above copyright notice and this permission notice appear in all copies. │`
			`│ │`
			`│ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL │`
			`│ WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED │`
			`│ WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE │`
			`│ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL │`
			`│ DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR │`
			`│ PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER │`
			`│ TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR │`
			`│ PERFORMANCE OF THIS SOFTWARE. │`
			`╚─────────────────────────────────────────────────────────────────────────────*/`
			`#include "third_party/mbedtls/iana.h"`
			`#include "third_party/mbedtls/net_sockets.h"`
			`#include "third_party/mbedtls/ssl.h"`
			`#include "third_party/mbedtls/x509.h"`

			`const char DescribeSslClientHandshakeError(const mbedtls_ssl_context ssl,`
			`int ret) {`
			`switch (ret) {`
			`case MBEDTLS_ERR_SSL_CONN_EOF:`
			`return "connection eof";`
			`case MBEDTLS_ERR_NET_CONN_RESET:`
			`return "connection reset";`
			`case MBEDTLS_ERR_SSL_TIMEOUT:`
			`return "ssl timeout";`
			`case MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN:`
			`return "no cipher chosen";`
			`case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE:`
			`return "no usable ciphersuite";`
			`case MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION:`
			`return "bad ssl version";`
			`case MBEDTLS_ERR_SSL_INVALID_MAC:`
			`return "bad ssl mac";`
			`case MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE:`
			`return "bad key exchange";`
			`case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:`
			`switch (ssl->session_negotiate->verify_result) {`
			`case MBEDTLS_X509_BADCERT_EXPIRED:`
			`return "the certificate validity has expired";`
			`case MBEDTLS_X509_BADCERT_REVOKED:`
			`return "the certificate has been revoked (is on a crl)";`
			`case MBEDTLS_X509_BADCERT_CN_MISMATCH:`
			`return "the certificate common name (cn) does not match with the "`
			`"expected cn";`
			`case MBEDTLS_X509_BADCERT_NOT_TRUSTED:`
			`return "the certificate is not correctly signed by the trusted ca";`
			`case MBEDTLS_X509_BADCRL_NOT_TRUSTED:`
			`return "the crl is not correctly signed by the trusted ca";`
			`case MBEDTLS_X509_BADCRL_EXPIRED:`
			`return "the crl is expired";`
			`case MBEDTLS_X509_BADCERT_MISSING:`
			`return "certificate was missing";`
			`case MBEDTLS_X509_BADCERT_SKIP_VERIFY:`
			`return "certificate verification was skipped";`
			`case MBEDTLS_X509_BADCERT_OTHER:`
			`return "other reason (can be used by verify callback)";`
			`case MBEDTLS_X509_BADCERT_FUTURE:`
			`return "the certificate validity starts in the future";`
			`case MBEDTLS_X509_BADCRL_FUTURE:`
			`return "the crl is from the future";`
			`case MBEDTLS_X509_BADCERT_KEY_USAGE:`
			`return "usage does not match the keyusage extension";`
			`case MBEDTLS_X509_BADCERT_EXT_KEY_USAGE:`
			`return "usage does not match the extendedkeyusage extension";`
			`case MBEDTLS_X509_BADCERT_NS_CERT_TYPE:`
			`return "usage does not match the nscerttype extension";`
			`case MBEDTLS_X509_BADCERT_BAD_MD:`
			`return "the certificate is signed with an unacceptable hash";`
			`case MBEDTLS_X509_BADCERT_BAD_PK:`
			`return "the certificate is signed with an unacceptable pk alg (eg "`
			`"rsa vs ecdsa)";`
			`case MBEDTLS_X509_BADCERT_BAD_KEY:`
			`return "the certificate is signed with an unacceptable key (eg bad "`
			`"curve, rsa too short)";`
			`case MBEDTLS_X509_BADCRL_BAD_MD:`
			`return "the crl is signed with an unacceptable hash";`
			`case MBEDTLS_X509_BADCRL_BAD_PK:`
			`return "the crl is signed with an unacceptable pk alg (eg rsa vs "`
			`"ecdsa)";`
			`case MBEDTLS_X509_BADCRL_BAD_KEY:`
			`return "the crl is signed with an unacceptable key (eg bad curve, "`
			`"rsa too short)";`
			`default:`
			`return "verification failed";`
			`}`
			`case MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE:`
			`return GetAlertDescription(ssl->fatal_alert);`
			`default:`
			`return DescribeMbedtlsErrorCode(ret);`
			`}`
			`}`