From b86e588911781d5a4590e63ccdaead7439ec0a16 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 30 Apr 2021 05:14:25 +0100 Subject: [PATCH 01/11] Remove unused MBEDTLS_ERR_SSL_UNKNOWN_CIPHER The SSL error code MBEDTLS_ERR_SSL_UNKNOWN_CIPHER is unused. Remove it for Mbed TLS 3.0 and leave a comment indicating the gap in the error code space it creates. Signed-off-by: Hanno Becker --- include/mbedtls/error.h | 2 +- include/mbedtls/ssl.h | 2 +- library/error.c | 2 -- 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 7936f6b786..6b42b22e79 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -107,7 +107,7 @@ * SSL 5 2 (Started from 0x5F00) * CIPHER 6 8 (Started from 0x6080) * SSL 6 24 (Started from top, plus 0x6000) - * SSL 7 32 + * SSL 7 31 (Started from 0x7080, gap at 0x7300) * * Module dependent error code (5 bits 0x.00.-0x.F8.) */ diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 2350910756..aaddd7f466 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -67,7 +67,7 @@ #define MBEDTLS_ERR_SSL_INVALID_MAC -0x7180 /**< Verification of the message MAC failed. */ #define MBEDTLS_ERR_SSL_INVALID_RECORD -0x7200 /**< An invalid SSL record was received. */ #define MBEDTLS_ERR_SSL_CONN_EOF -0x7280 /**< The connection indicated an EOF. */ -#define MBEDTLS_ERR_SSL_UNKNOWN_CIPHER -0x7300 /**< An unknown cipher was received. */ +/* NOTE: Error space gap */ #define MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN -0x7380 /**< The server has no ciphersuites in common with the client. */ #define MBEDTLS_ERR_SSL_NO_RNG -0x7400 /**< No RNG was provided to the SSL module. */ #define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 /**< No client certification received from the client, but required by the authentication mode. */ diff --git a/library/error.c b/library/error.c index a176deb8c5..48e99249f6 100644 --- a/library/error.c +++ b/library/error.c @@ -374,8 +374,6 @@ const char * mbedtls_high_level_strerr( int error_code ) return( "SSL - An invalid SSL record was received" ); case -(MBEDTLS_ERR_SSL_CONN_EOF): return( "SSL - The connection indicated an EOF" ); - case -(MBEDTLS_ERR_SSL_UNKNOWN_CIPHER): - return( "SSL - An unknown cipher was received" ); case -(MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN): return( "SSL - The server has no ciphersuites in common with the client" ); case -(MBEDTLS_ERR_SSL_NO_RNG): From eca840f71ddda389e2d46af7a02b29dbd1049d12 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 30 Apr 2021 05:19:55 +0100 Subject: [PATCH 02/11] Remove unused MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED The SSL error code MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED is unused. Remove it for Mbed TLS 3.0. The code being unused comes as a surprise, at is seems to be reasonable to report it to the user upon peer CRT verification failure. However, this study (can potentially re-introduction of the code) can be left for 3.x, while the error code removal can only happen in 3.0. Signed-off-by: Hanno Becker --- include/mbedtls/error.h | 3 ++- include/mbedtls/ssl.h | 2 +- library/error.c | 2 -- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 6b42b22e79..591692761e 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -107,7 +107,8 @@ * SSL 5 2 (Started from 0x5F00) * CIPHER 6 8 (Started from 0x6080) * SSL 6 24 (Started from top, plus 0x6000) - * SSL 7 31 (Started from 0x7080, gap at 0x7300) + * SSL 7 30 (Started from 0x7080, gaps at + * 0x7300, 0x7800) * * Module dependent error code (5 bits 0x.00.-0x.F8.) */ diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index aaddd7f466..2dd6cc4551 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -77,7 +77,7 @@ #define MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED -0x7680 /**< No CA Chain is set, but required to operate. */ #define MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE -0x7700 /**< An unexpected message was received from our peer. */ #define MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE -0x7780 /**< A fatal alert message was received from our peer. */ -#define MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED -0x7800 /**< Verification of our peer failed. */ +/* NOTE: Error space gap */ #define MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY -0x7880 /**< The peer notified us that the connection is going to be closed. */ #define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO -0x7900 /**< Processing of the ClientHello handshake message failed. */ #define MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO -0x7980 /**< Processing of the ServerHello handshake message failed. */ diff --git a/library/error.c b/library/error.c index 48e99249f6..1b050df3de 100644 --- a/library/error.c +++ b/library/error.c @@ -392,8 +392,6 @@ const char * mbedtls_high_level_strerr( int error_code ) return( "SSL - An unexpected message was received from our peer" ); case -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE): return( "SSL - A fatal alert message was received from our peer" ); - case -(MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED): - return( "SSL - Verification of our peer failed" ); case -(MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY): return( "SSL - The peer notified us that the connection is going to be closed" ); case -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO): From 91e1cc3bd7dcfe89dd0c9c2d6ad7041f839c5c31 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 30 Apr 2021 05:28:49 +0100 Subject: [PATCH 03/11] Remove MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE error code This error is used when the output buffer isn't large enough to hold our own certificate. In the interest of cleaning up the error space for 3.0, this commit removes MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE and replaces its single use by MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL. Signed-off-by: Hanno Becker --- include/mbedtls/error.h | 4 ++-- include/mbedtls/ssl.h | 2 +- library/error.c | 2 -- library/ssl_tls.c | 2 +- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 591692761e..c219d672e9 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -107,8 +107,8 @@ * SSL 5 2 (Started from 0x5F00) * CIPHER 6 8 (Started from 0x6080) * SSL 6 24 (Started from top, plus 0x6000) - * SSL 7 30 (Started from 0x7080, gaps at - * 0x7300, 0x7800) + * SSL 7 29 (Started from 0x7080, gaps at + * 0x7300, 0x7500, 0x7800) * * Module dependent error code (5 bits 0x.00.-0x.F8.) */ diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 2dd6cc4551..107a40ea88 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -71,7 +71,7 @@ #define MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN -0x7380 /**< The server has no ciphersuites in common with the client. */ #define MBEDTLS_ERR_SSL_NO_RNG -0x7400 /**< No RNG was provided to the SSL module. */ #define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 /**< No client certification received from the client, but required by the authentication mode. */ -#define MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500 /**< Our own certificate(s) is/are too large to send in an SSL message. */ +/* NOTE: Error space gap */ #define MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED -0x7580 /**< The own certificate is not set, but needed by the server. */ #define MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED -0x7600 /**< The own private key or pre-shared key is not set, but needed. */ #define MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED -0x7680 /**< No CA Chain is set, but required to operate. */ diff --git a/library/error.c b/library/error.c index 1b050df3de..039e7be5b9 100644 --- a/library/error.c +++ b/library/error.c @@ -380,8 +380,6 @@ const char * mbedtls_high_level_strerr( int error_code ) return( "SSL - No RNG was provided to the SSL module" ); case -(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE): return( "SSL - No client certification received from the client, but required by the authentication mode" ); - case -(MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE): - return( "SSL - Our own certificate(s) is/are too large to send in an SSL message" ); case -(MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED): return( "SSL - The own certificate is not set, but needed by the server" ); case -(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED): diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 75faf22adf..422df9944c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1964,7 +1964,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %" MBEDTLS_PRINTF_SIZET " > %" MBEDTLS_PRINTF_SIZET, i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) ); - return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); } ssl->out_msg[i ] = (unsigned char)( n >> 16 ); From 6c780469609da63915ec9930efb2a8ee0985799c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 30 Apr 2021 05:35:50 +0100 Subject: [PATCH 04/11] Remove uses of MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH The error code MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH is only returned from the internal function ``` mbedtls_ssl_set_calc_verify_md() ``` Moreover, at every call-site of this function, it is only checked whether the return value is 0 or not, while the exact return value is irrelevant. The behavior the library is therefore unchanged if we return 1 instead of MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH in `mbedtls_ssl_set_calc_verify_md()`. This commit makes this change. Signed-off-by: Hanno Becker --- library/ssl_tls.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 422df9944c..aceeb45dff 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6998,14 +6998,14 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) { #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) - return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; + return( 1 ); switch( md ) { #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) #if defined(MBEDTLS_MD5_C) case MBEDTLS_SSL_HASH_MD5: - return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; + return( 1 ); #endif #if defined(MBEDTLS_SHA1_C) case MBEDTLS_SSL_HASH_SHA1: @@ -7024,7 +7024,7 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) break; #endif default: - return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; + return( 1 ); } return 0; @@ -7032,7 +7032,7 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) (void) ssl; (void) md; - return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH; + return( 1 ); #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } From 56ee9e5f141bb5cf3d0468fa09b6de7f5b19daf6 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 30 Apr 2021 05:36:02 +0100 Subject: [PATCH 05/11] Remove MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH This commit removes the unused error code ``` MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH ``` from the public API for Mbed TLS 3.0. Signed-off-by: Hanno Becker --- include/mbedtls/error.h | 3 ++- include/mbedtls/ssl.h | 2 +- library/error.c | 2 -- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index c219d672e9..776013ff32 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -106,7 +106,8 @@ * HKDF 5 1 (Started from top) * SSL 5 2 (Started from 0x5F00) * CIPHER 6 8 (Started from 0x6080) - * SSL 6 24 (Started from top, plus 0x6000) + * SSL 6 23 (Started from top, plus 0x6000, gaps at + * 0x6600) * SSL 7 29 (Started from 0x7080, gaps at * 0x7300, 0x7500, 0x7800) * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 107a40ea88..691b0ee519 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -111,7 +111,7 @@ #define MBEDTLS_ERR_SSL_CLIENT_RECONNECT -0x6780 /**< The client initiated a reconnect from the same port. */ #define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD -0x6700 /**< Record header looks valid but is not expected. */ #define MBEDTLS_ERR_SSL_NON_FATAL -0x6680 /**< The alert message received indicates a non-fatal error. */ -#define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH -0x6600 /**< Couldn't set the hash for verifying CertificateVerify */ +/* NOTE: Error space gap */ #define MBEDTLS_ERR_SSL_CONTINUE_PROCESSING -0x6580 /**< Internal-only message signaling that further message-processing should be done */ #define MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS -0x6500 /**< The asynchronous operation is not completed yet. */ #define MBEDTLS_ERR_SSL_EARLY_MESSAGE -0x6480 /**< Internal-only message signaling that a message arrived early. */ diff --git a/library/error.c b/library/error.c index 039e7be5b9..14aaf3d092 100644 --- a/library/error.c +++ b/library/error.c @@ -456,8 +456,6 @@ const char * mbedtls_high_level_strerr( int error_code ) return( "SSL - Record header looks valid but is not expected" ); case -(MBEDTLS_ERR_SSL_NON_FATAL): return( "SSL - The alert message received indicates a non-fatal error" ); - case -(MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH): - return( "SSL - Couldn't set the hash for verifying CertificateVerify" ); case -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING): return( "SSL - Internal-only message signaling that further message-processing should be done" ); case -(MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS): From 9cfe6e977d14bdc56f80e6f06a757ca7ccd42da2 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 30 Apr 2021 05:38:24 +0100 Subject: [PATCH 06/11] Assert presence of server certificate in Certificate writer The server-side `Certificate` handshake message writer checks whether a certificate is present, and if not fails with: ``` MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED ``` This should never happen, since the library checks the presence of a suitable certificate before picking a ciphersuite. It is therefore more suitable to convert this check into an assertion, and fail with MBEDTLS_ERR_SSL_INTERNAL_ERROR upon failure. Signed-off-by: Hanno Becker --- library/ssl_tls.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index aceeb45dff..fd77dc3d3a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1936,8 +1936,9 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) { if( mbedtls_ssl_own_cert( ssl ) == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) ); - return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED ); + /* Should never happen because we shouldn't have picked the + * ciphersuite if we don't have a certificate. */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } } #endif From 3268d84313e16297b4f21ab251d5c5436e72d04c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 30 Apr 2021 05:41:12 +0100 Subject: [PATCH 07/11] Remove unused error code MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED After the previous commit, the code is no longer used and can be removed for Mbed TLS 3.0. Signed-off-by: Hanno Becker --- include/mbedtls/error.h | 4 ++-- include/mbedtls/ssl.h | 2 +- library/error.c | 2 -- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 776013ff32..73d155bb66 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -108,8 +108,8 @@ * CIPHER 6 8 (Started from 0x6080) * SSL 6 23 (Started from top, plus 0x6000, gaps at * 0x6600) - * SSL 7 29 (Started from 0x7080, gaps at - * 0x7300, 0x7500, 0x7800) + * SSL 7 28 (Started from 0x7080, gaps at + * 0x7300, 0x7500, 0x7580, 0x7800) * * Module dependent error code (5 bits 0x.00.-0x.F8.) */ diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 691b0ee519..3ad19275ce 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -72,7 +72,7 @@ #define MBEDTLS_ERR_SSL_NO_RNG -0x7400 /**< No RNG was provided to the SSL module. */ #define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 /**< No client certification received from the client, but required by the authentication mode. */ /* NOTE: Error space gap */ -#define MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED -0x7580 /**< The own certificate is not set, but needed by the server. */ +/* NOTE: Error space gap */ #define MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED -0x7600 /**< The own private key or pre-shared key is not set, but needed. */ #define MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED -0x7680 /**< No CA Chain is set, but required to operate. */ #define MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE -0x7700 /**< An unexpected message was received from our peer. */ diff --git a/library/error.c b/library/error.c index 14aaf3d092..3a84366327 100644 --- a/library/error.c +++ b/library/error.c @@ -380,8 +380,6 @@ const char * mbedtls_high_level_strerr( int error_code ) return( "SSL - No RNG was provided to the SSL module" ); case -(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE): return( "SSL - No client certification received from the client, but required by the authentication mode" ); - case -(MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED): - return( "SSL - The own certificate is not set, but needed by the server" ); case -(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED): return( "SSL - The own private key or pre-shared key is not set, but needed" ); case -(MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED): From 541af8575ea00cd95c405937de0e81c2efb4b8bd Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 14 May 2021 16:49:01 +0100 Subject: [PATCH 08/11] Use -1 instead of 1 as failure return value in internal SSL function Signed-off-by: Hanno Becker --- library/ssl_tls.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index fd77dc3d3a..1c54b5f77b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6999,14 +6999,14 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) { #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) - return( 1 ); + return( -1 ); switch( md ) { #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) #if defined(MBEDTLS_MD5_C) case MBEDTLS_SSL_HASH_MD5: - return( 1 ); + return( -1 ); #endif #if defined(MBEDTLS_SHA1_C) case MBEDTLS_SSL_HASH_SHA1: @@ -7025,7 +7025,7 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) break; #endif default: - return( 1 ); + return( -1 ); } return 0; @@ -7033,7 +7033,7 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) (void) ssl; (void) md; - return( 1 ); + return( -1 ); #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } From a808ec3f0d9de3ec8d4789abf1119905d4ea7b8c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 14 May 2021 17:10:15 +0100 Subject: [PATCH 09/11] Add ChangeLog entry Signed-off-by: Hanno Becker --- ChangeLog.d/ssl-error-code-cleanup.txt | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 ChangeLog.d/ssl-error-code-cleanup.txt diff --git a/ChangeLog.d/ssl-error-code-cleanup.txt b/ChangeLog.d/ssl-error-code-cleanup.txt new file mode 100644 index 0000000000..0438aa2f6b --- /dev/null +++ b/ChangeLog.d/ssl-error-code-cleanup.txt @@ -0,0 +1,7 @@ +API changes + * Remove SSL error codes `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED` + and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` which are never + returned from the public SSL API. + * Remove `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` and return + `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead. + ` From 8e184e2debf4e0d26f4324c4debd36d6a4844bea Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 14 May 2021 17:10:27 +0100 Subject: [PATCH 10/11] Add migration guide Signed-off-by: Hanno Becker --- .../ssl-error-code-cleanup.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 docs/3.0-migration-guide.d/ssl-error-code-cleanup.md diff --git a/docs/3.0-migration-guide.d/ssl-error-code-cleanup.md b/docs/3.0-migration-guide.d/ssl-error-code-cleanup.md new file mode 100644 index 0000000000..49d1a0f223 --- /dev/null +++ b/docs/3.0-migration-guide.d/ssl-error-code-cleanup.md @@ -0,0 +1,20 @@ +Removal of some SSL error codes +----------------------------------------------------------------- + +This affects users manually checking for the following error codes: +- `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED` +- `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` +- `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` + +Migration paths: +- `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED` and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` + should never be returned from Mbed TLS, and there is no need to check for it. + Users should simply remove manual checks for those codes, and let the Mbed TLS + team know if -- contrary to the team's understanding -- there is in fact a situation + where one of them was ever returned. +- `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` has been removed, and + `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` is returned instead if the user's own certificate + is too large to fit into the output buffers. Users should check for + `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead, and potentially compare the size of their + own certificate against the configured size of the output buffer to understand if + the error is due to an overly large certificate. From 59b97bbe065ce04f716624795081f898ecc21a9e Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 14 May 2021 17:12:15 +0100 Subject: [PATCH 11/11] Fixup glitch in ChangeLog entry Signed-off-by: Hanno Becker --- ChangeLog.d/ssl-error-code-cleanup.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/ChangeLog.d/ssl-error-code-cleanup.txt b/ChangeLog.d/ssl-error-code-cleanup.txt index 0438aa2f6b..768d1905ad 100644 --- a/ChangeLog.d/ssl-error-code-cleanup.txt +++ b/ChangeLog.d/ssl-error-code-cleanup.txt @@ -4,4 +4,3 @@ API changes returned from the public SSL API. * Remove `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` and return `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead. - `