simplify more errors (#5353)

the quest to stop using unstable openssl error codes continues

src/_cffi_src/openssl/err.py

@@ -10,7 +10,6 @@ INCLUDES = """
 
 TYPES = """
 static const int Cryptography_HAS_EC_CODES;
-static const int Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR;
 
 static const int ERR_LIB_DH;
 static const int ERR_LIB_EVP;
@@ -92,14 +91,7 @@ static const int PEM_R_UNSUPPORTED_ENCRYPTION;
 
 static const int PKCS12_R_PKCS12_CIPHERFINAL_ERROR;
 
-static const int RSA_R_BAD_PAD_BYTE_COUNT;
-static const int RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
-static const int RSA_R_DATA_TOO_LARGE_FOR_MODULUS;
 static const int RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY;
-static const int RSA_R_BLOCK_TYPE_IS_NOT_01;
-static const int RSA_R_BLOCK_TYPE_IS_NOT_02;
-static const int RSA_R_PKCS_DECODING_ERROR;
-static const int RSA_R_OAEP_DECODING_ERROR;
 
 static const int SSL_TLSEXT_ERR_OK;
 static const int SSL_TLSEXT_ERR_ALERT_WARNING;
@@ -159,10 +151,4 @@ int ERR_GET_REASON(unsigned long);
 CUSTOMIZATIONS = """
 static const long Cryptography_HAS_EC_CODES = 1;
 
-#ifdef RSA_R_PKCS_DECODING_ERROR
-static const long Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR = 1;
-#else
-static const long Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR = 0;
-static const long RSA_R_PKCS_DECODING_ERROR = 0;
-#endif
 """

src/cryptography/hazmat/backends/openssl/rsa.py

@@ -127,33 +127,15 @@ def _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding):
 
 
 def _handle_rsa_enc_dec_error(backend, key):
-    errors = backend._consume_errors()
-    backend.openssl_assert(errors)
-    backend.openssl_assert(errors[0].lib == backend._lib.ERR_LIB_RSA)
+    errors = backend._consume_errors_with_text()
     if isinstance(key, _RSAPublicKey):
-        backend.openssl_assert(
-            errors[0].reason == backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
-        )
         raise ValueError(
             "Data too long for key size. Encrypt less data or use a "
-            "larger key size."
+            "larger key size.",
+            errors,
         )
     else:
-        decoding_errors = [
-            backend._lib.RSA_R_BAD_PAD_BYTE_COUNT,
-            backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_01,
-            backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_02,
-            backend._lib.RSA_R_OAEP_DECODING_ERROR,
-            # Though this error looks similar to the
-            # RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE, this occurs on decrypts,
-            # rather than on encrypts
-            backend._lib.RSA_R_DATA_TOO_LARGE_FOR_MODULUS,
-        ]
-        if backend._lib.Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR:
-            decoding_errors.append(backend._lib.RSA_R_PKCS_DECODING_ERROR)
-
-        backend.openssl_assert(errors[0].reason in decoding_errors)
-        raise ValueError("Decryption failed.")
+        raise ValueError("Decryption failed.", errors)
 
 
 def _rsa_sig_determine_padding(backend, key, padding, algorithm):
@@ -241,20 +223,12 @@ def _rsa_sig_sign(backend, padding, algorithm, private_key, data):
     buf = backend._ffi.new("unsigned char[]", buflen[0])
     res = backend._lib.EVP_PKEY_sign(pkey_ctx, buf, buflen, data, len(data))
     if res != 1:
-        errors = backend._consume_errors()
-        backend.openssl_assert(errors[0].lib == backend._lib.ERR_LIB_RSA)
-        if errors[0].reason == backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE:
-            reason = (
-                "Salt length too long for key size. Try using "
-                "MAX_LENGTH instead."
-            )
-        else:
-            backend.openssl_assert(
-                errors[0].reason
-                == backend._lib.RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY
-            )
-            reason = "Digest too large for key size. Use a larger key."
-        raise ValueError(reason)
+        errors = backend._consume_errors_with_text()
+        raise ValueError(
+            "Digest or salt length too long for key size. Use a larger key "
+            "or shorter salt length if you are specifying a PSS salt",
+            errors,
+        )
 
     return backend._ffi.buffer(buf)[:]
 

src/cryptography/hazmat/bindings/openssl/_conditional.py

@@ -13,10 +13,6 @@ def cryptography_has_ec2m():
     ]
 
 
-def cryptography_has_rsa_r_pkcs_decoding_error():
-    return ["RSA_R_PKCS_DECODING_ERROR"]
-
-
 def cryptography_has_rsa_oaep_md():
     return [
         "EVP_PKEY_CTX_set_rsa_oaep_md",
@@ -306,9 +302,6 @@ def cryptography_has_srtp():
 # lists so we can use coverage to measure which are used.
 CONDITIONAL_NAMES = {
     "Cryptography_HAS_EC2M": cryptography_has_ec2m,
-    "Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR": (
-        cryptography_has_rsa_r_pkcs_decoding_error
-    ),
     "Cryptography_HAS_RSA_OAEP_MD": cryptography_has_rsa_oaep_md,
     "Cryptography_HAS_RSA_OAEP_LABEL": cryptography_has_rsa_oaep_label,
     "Cryptography_HAS_SSL3_METHOD": cryptography_has_ssl3_method,

tests/hazmat/primitives/test_rsa.py

@@ -1583,9 +1583,9 @@ class TestRSADecryption(object):
         skip_message="Does not support OAEP.",
     )
     def test_invalid_oaep_decryption(self, backend):
-        # More recent versions of OpenSSL may raise RSA_R_OAEP_DECODING_ERROR
-        # This test triggers it and confirms that we properly handle it. Other
-        # backends should also return the proper ValueError.
+        # More recent versions of OpenSSL may raise different errors.
+        # This test triggers a failure and confirms that we properly handle
+        # it.
         private_key = RSA_KEY_512.private_key(backend)
 
         ciphertext = private_key.public_key().encrypt(