From 0651f72569f9f207acfc66091a83922fd032be5f Mon Sep 17 00:00:00 2001
From: Daniel McCarney
Date: Thu, 7 Sep 2023 12:57:29 -0400
Subject: [PATCH] error: add is_fatal helper, use in verify_cert
This commit adds a method to `Error` for testing whether an error should be considered fatal, e.g. should stop any further path building progress. The existing consideration of fatal errors in `loop_while_non_fatal_error` is updated to use the `is_fatal` fn. Having this in a central place means we can avoid duplicating the match arms in multiple places, where they are likely to fall out-of-sync.
---
 src/error.rs | 14 ++++++++++++++
 src/verify_cert.rs | 6 +++---
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/error.rs b/src/error.rs
index 2b7183a4..c450b89f 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -115,6 +115,20 @@ pub enum Error {
 UnsupportedSignatureAlgorithmForPublicKey,
 }

+impl Error {
+ /// Returns true for errors that should be considered fatal during path building. Errors of
+ /// this class should halt any further path building and be returned immediately.
+ #[inline]
+ pub(crate) fn is_fatal(&self) -> bool {
+ matches!(
+ self,
+ Error::MaximumSignatureChecksExceeded
+ | Error::MaximumPathBuildCallsExceeded
+ | Error::MaximumNameConstraintComparisonsExceeded
+ )
+ }
+}
+
 impl fmt::Display for Error {
 fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
 write!(f, "{:?}", self)
diff --git a/src/verify_cert.rs b/src/verify_cert.rs
index c77c8e5f..cc977cf1 100644
--- a/src/verify_cert.rs
+++ b/src/verify_cert.rs
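Review bot: `is_fatal` in src/error.rs is an allow-list built with `matches!`, so any limit-style variant added to `Error` later is treated as non-fatal by default, and path building would continue past that limit with no compile-time warning. The doc comment should state this, e.g. `/// Unlisted variants are treated as non-fatal; any new budget/limit variant must be added here.` A unit test asserting `is_fatal()` is true for the three listed variants and false for an ordinary error would pin the behaviour; the diffstat shows no test file in this patch. Most of the `Error` enum lies outside the hunk, so whether other existing variants belong in the list cannot be judged from here.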
@@ -464,9 +464,9 @@ where
 // If the error is not fatal, then keep going.
 match f(v) {
 Ok(()) => return Ok(()),
- err @ Err(Error::MaximumSignatureChecksExceeded)
- | err @ Err(Error::MaximumPathBuildCallsExceeded)
- | err @ Err(Error::MaximumNameConstraintComparisonsExceeded) => return err,
+ // Fatal errors should halt further looping.
+ res @ Err(err) if err.is_fatal() => return res,
+ // Non-fatal errors should allow looping to continue.
 _ => {}
 }
 }
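Review bot: The new arm `res @ Err(err) if err.is_fatal() => return res,` binds the matched value twice, which relies on bindings after `@` (stable since Rust 1.56) and, as far as I can tell, only compiles while `Error` is `Copy`. Neither the crate's MSRV nor the derive list on `Error` is visible in this patch. `Err(err) if err.is_fatal() => return Err(err),` expresses the same thing with a single binding and no such dependency. The enclosing function starts and ends outside the hunk, so what the loop returns after only non-fatal errors is not visible here.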