(CC @tiran and @tniessen for CPython and Node, respectively. Please correct me if I've misunderstood what your projects are trying to do here!)
Given a value like `SSL_R_THING_WENT_WRONG`, `ERR_reason_error_string` returns a string like "thing went wrong". There doesn't seem to be any way to get the symbol name of an error reason.
I've noticed that both Node and CPython care about doing this, because their public APIs involve exposing the symbolic name of the error. Node does it by uppercasing and replacing spaces with underscores.
https://github.com/nodejs/node/blob/v19.2.0/src/crypto/crypto_util.cc#L466-L476
This inverts the transform OpenSSL applies to generate the reason strings.
https://github.com/openssl/openssl/blob/openssl-3.0.7/util/mkerr.pl#L565
However, this is not documented and some errors in OpenSSL have manually adjusted strings. `SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE`'s error string is "at least TLS 1.0 needed in FIPS mode". But this isn't universal; `SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS` is "unable to find ecdh parameters", not "unable to find ECDH parameters".
CPython takes a different approach. They maintain a table mapping error code to symbol name, seeded by parsing OpenSSL's header files:
https://github.com/python/cpython/blob/v3.11.0/Tools/ssl/make_ssl_data.py
https://github.com/python/cpython/blob/v3.11.0/Modules/_ssl_data_300.h
https://github.com/python/cpython/blob/v3.11.0/Modules/_ssl.c#L6022
https://github.com/python/cpython/blob/v3.11.0/Modules/_ssl.c#L458
Neither of these seems a particularly satisfying solution. The Node solution breaks on errors like `SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE`, while the CPython solution requires updating CPython source every time OpenSSL introduces a new error. Given two different projects have had to work around this already, perhaps OpenSSL should just provide a function with the appropriate semantics.
Perhaps `ERR_reason_symbol_name` and `ERR_lib_symbol_name` to return values like `AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE` and `SSL` for `SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE` and `ERR_LIB_SSL`, respectively?
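The two workarounds described above, reproduced side by side as an added example (this is not code from the issue, OpenSSL, Node or CPython). `mkerr_reason_string` is the mechanical lowercase-and-underscore-to-space transform that `mkerr.pl` applies, `node_style_symbol` is the Node-style inverse, and `parse_reason_table` is a CPython-style extraction of a code-to-symbol table from header text. The header excerpt, its numeric values and the third reason string are constructed for the example; the first two reason strings are the ones quoted in the issue.

```python
import re

# Constructed header excerpt in the style of OpenSSL's sslerr.h.
# The numeric codes are illustrative placeholders, not OpenSSL's real values.
SAMPLE_HEADER = """
# define SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE   1001
# define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS          1002
# define SSL_R_THING_WENT_WRONG                        1003
"""

# What ERR_reason_error_string would return for each sample code. The first
# is the manually adjusted string quoted in the issue; the other two follow
# the mechanical mkerr.pl form (the third symbol is constructed).
SAMPLE_REASON_STRINGS = {
    1001: "at least TLS 1.0 needed in FIPS mode",
    1002: "unable to find ecdh parameters",
    1003: "thing went wrong",
}


def mkerr_reason_string(symbol, prefix="SSL_R_"):
    """Mechanical transform mkerr.pl applies: strip prefix, lowercase, '_' -> ' '."""
    return symbol[len(prefix):].lower().replace("_", " ")


def node_style_symbol(reason):
    """Node's inverse of that transform: uppercase and ' ' -> '_'."""
    return reason.upper().replace(" ", "_")


def parse_reason_table(header_text, prefix="SSL_R_"):
    """CPython-style: build {code: symbol} from '# define <PREFIX>NAME <num>' lines."""
    pattern = re.compile(
        r"^\s*#\s*define\s+(" + re.escape(prefix) + r"\w+)\s+(\d+)\s*$", re.M
    )
    return {int(m.group(2)): m.group(1) for m in pattern.finditer(header_text)}


def check_roundtrip(table, reason_strings, prefix="SSL_R_"):
    """Return (code, symbol, recovered) for each reason string the Node-style
    inversion fails to map back to its symbol."""
    mismatches = []
    for code, symbol in table.items():
        recovered = prefix + node_style_symbol(reason_strings[code])
        if recovered != symbol:
            mismatches.append((code, symbol, recovered))
    return mismatches


if __name__ == "__main__":
    table = parse_reason_table(SAMPLE_HEADER)
    for code, symbol, recovered in check_roundtrip(table, SAMPLE_REASON_STRINGS):
        print(f"{code}: expected {symbol}, Node-style inversion gives {recovered}")
```

With the sample data the table lookup resolves all three codes, while the string inversion recovers the ECDH and constructed cases but turns "TLS 1.0" into `TLS_1.0`, so the FIPS-mode symbol is the one mismatch reported.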