From a7e14dc9eb764f529aa915b0f69e4005c5c54b4f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 16 Sep 2024 13:10:11 +0200 Subject: [PATCH 1/5] Don't expect added error codes Signed-off-by: Gilles Peskine --- library/ssl_tls.c | 2 +- library/ssl_tls13_generic.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 46fb92464d..7eb181e373 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7004,7 +7004,7 @@ static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ switch (ret) { case 0: /*ok*/ - case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: + case MBEDTLS_ERR_OID_NOT_FOUND: /* Ignore certificate with an unknown algorithm: maybe a prior certificate was already trusted. */ break; diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 6a7d502723..1076dea393 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -518,7 +518,7 @@ int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl, switch (ret) { case 0: /*ok*/ break; - case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: + case MBEDTLS_ERR_OID_NOT_FOUND: /* Ignore certificate with an unknown algorithm: maybe a prior certificate was already trusted. */ break; From c8c1a393e0eb338c600645ce389f46e4a48435fa Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 24 Jan 2025 15:42:17 +0100 Subject: [PATCH 2/5] Changelog entry for error code space unification Signed-off-by: Gilles Peskine --- ChangeLog.d/error-unification.txt | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 ChangeLog.d/error-unification.txt diff --git a/ChangeLog.d/error-unification.txt b/ChangeLog.d/error-unification.txt new file mode 100644 index 0000000000..e1790d29d2 --- /dev/null +++ b/ChangeLog.d/error-unification.txt 
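Review bot: The `case MBEDTLS_ERR_OID_NOT_FOUND:` label in ssl_parse_certificate_chain() now matches the bare OID-lookup error rather than a value specific to an unknown signature algorithm, while the comment under it still speaks only of "an unknown algorithm". If the certificate parser can return this same code for other failed OID lookups (not visible in this patch, so worth confirming against the updated tf-psa-crypto), those certificates would also be skipped by this branch. I would make the comment say what is actually matched, e.g. `/* Parser reported an unrecognized OID (expected cause: unknown signature algorithm); skip this certificate, a prior one may already be trusted. */`, and add a test showing that a chain containing such a certificate still fails verification when nothing else in it is trusted. The same point applies to the identical change in mbedtls_ssl_tls13_parse_certificate() in library/ssl_tls13_generic.c; both function bodies continue outside their hunks.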
@@ -0,0 +1,7 @@ +API changes + * The PSA and Mbed TLS error space are now unified. This means that + mbedtls_xxx() functions can return PSA_ERROR_xxx values. + There is no longer a distinction between "low-level" and "high-level" + Mbed TLS error codes.. + This will not affect most applications since in both cases, the + error values are between -32767 and -1 as before. From 275951292c138072366a34a6408bd1d152045929 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 24 Jan 2025 14:53:49 +0100 Subject: [PATCH 3/5] Update crypto submodule Signed-off-by: Gilles Peskine --- tf-psa-crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf-psa-crypto b/tf-psa-crypto index 399c5f9e1d..332798582b 160000 --- a/tf-psa-crypto +++ b/tf-psa-crypto @@ -1 +1 @@ -Subproject commit 399c5f9e1d71cb177eb0c16cb934755b409abe23 +Subproject commit 332798582bccda6e5f90dbe85dd8898d5dbdf652 From 1ffdb18cdbc05dcc3d110540513c9bd2e570a647 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 24 Jan 2025 15:46:11 +0100 Subject: [PATCH 4/5] Remove mbedtls_low_level_sterr() and mbedtls_high_level_strerr() Just removed from the API. We can greatly simplify error.c but that will be for later. Signed-off-by: Gilles Peskine --- ChangeLog.d/error-unification.txt | 4 ++++ include/mbedtls/error.h | 30 ------------------------------ scripts/data_files/error.fmt | 4 ++-- 3 files changed, 6 insertions(+), 32 deletions(-) diff --git a/ChangeLog.d/error-unification.txt b/ChangeLog.d/error-unification.txt index e1790d29d2..a19e60c008 100644 --- a/ChangeLog.d/error-unification.txt +++ b/ChangeLog.d/error-unification.txt @@ -5,3 +5,7 @@ API changes Mbed TLS error codes.. This will not affect most applications since in both cases, the error values are between -32767 and -1 as before. + +Removals + * Remove mbedtls_low_level_sterr() and mbedtls_high_level_strerr(), + since these concepts no longer exists. There is just mbedtls_strerror(). 
diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 8b7c19aa5f..7abb00fd03 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -30,36 +30,6 @@ extern "C" { */ void mbedtls_strerror(int errnum, char *buffer, size_t buflen); -/** - * \brief Translate the high-level part of an Mbed TLS error code into a string - * representation. - * - * This function returns a const pointer to an un-modifiable string. The caller - * must not try to modify the string. It is intended to be used mostly for - * logging purposes. - * - * \param error_code error code - * - * \return The string representation of the error code, or \c NULL if the error - * code is unknown. - */ -const char *mbedtls_high_level_strerr(int error_code); - -/** - * \brief Translate the low-level part of an Mbed TLS error code into a string - * representation. - * - * This function returns a const pointer to an un-modifiable string. The caller - * must not try to modify the string. It is intended to be used mostly for - * logging purposes. - * - * \param error_code error code - * - * \return The string representation of the error code, or \c NULL if the error - * code is unknown. - */ -const char *mbedtls_low_level_strerr(int error_code); - #ifdef __cplusplus } #endif diff --git a/scripts/data_files/error.fmt b/scripts/data_files/error.fmt index b75a9ab4ec..14522ecd20 100644 --- a/scripts/data_files/error.fmt +++ b/scripts/data_files/error.fmt @@ -20,7 +20,7 @@ HEADER_INCLUDED -const char *mbedtls_high_level_strerr(int error_code) +static const char *mbedtls_high_level_strerr(int error_code) { int high_level_error_code; @@ -43,7 +43,7 @@ const char *mbedtls_high_level_strerr(int error_code) return NULL; } -const char *mbedtls_low_level_strerr(int error_code) +static const char *mbedtls_low_level_strerr(int error_code) { int low_level_error_code; From 61621cbb5d43da24320322995a6cdc64a47fdba7 Mon Sep 17 00:00:00 2001 
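Review bot: The two helpers in scripts/data_files/error.fmt become `static` but lose their only documentation, because the Doxygen blocks are deleted from include/mbedtls/error.h in the same patch. A short comment above each definition would keep the contract visible to whoever maintains the generated file, e.g. `/* Internal: returns a constant string for the high-level part of error_code, or NULL if it is unknown. */` and the low-level equivalent. They also keep the `mbedtls_` prefix, which reads as exported API; if the rename is deferred to the error.c simplification the commit message mentions, a comment saying so would help. Both function bodies extend beyond their hunks, so I cannot see whether every build configuration still calls them; an unused `static` function would produce a compiler warning.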
From: Gilles Peskine Date: Thu, 30 Jan 2025 12:13:36 +0100 Subject: [PATCH 5/5] Don't allow psa_xxx() to return MBEDTLS_ERR_XXX Signed-off-by: Gilles Peskine --- ChangeLog.d/error-unification.txt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ChangeLog.d/error-unification.txt b/ChangeLog.d/error-unification.txt index a19e60c008..bcf5ba1f3d 100644 --- a/ChangeLog.d/error-unification.txt +++ b/ChangeLog.d/error-unification.txt @@ -1,10 +1,10 @@ API changes - * The PSA and Mbed TLS error space are now unified. This means that - mbedtls_xxx() functions can return PSA_ERROR_xxx values. + * The PSA and Mbed TLS error spaces are now unified. mbedtls_xxx() + functions can now return PSA_ERROR_xxx values. There is no longer a distinction between "low-level" and "high-level" - Mbed TLS error codes.. - This will not affect most applications since in both cases, the - error values are between -32767 and -1 as before. + Mbed TLS error codes. + This will not affect most applications since the error values are + between -32767 and -1 as before. Removals * Remove mbedtls_low_level_sterr() and mbedtls_high_level_strerr(),