Unify PSA to Mbed TLS error translation

Move all error translation utilities to psa_util.c. Introduce macros and functions to avoid having a local copy of the error translating function in each place. Identify overlapping errors and introduce a generic function. Provide a single macro for all error translations (unless one file needs a couple of different ones). Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2025-07-30 22:43:08 +03:00 · 2022-12-23 11:00:06 -05:00
parent 05b80a4eee
commit 8a045ce5e6
29 changed files with 459 additions and 147 deletions
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@ -48,6 +48,12 @@
 #include "mbedtls/oid.h"
 #endif

+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status,   \
+                                                           psa_to_ssl_errors,             \
+                                                           psa_generic_status_to_mbedtls)
+#endif
+
 static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl);

 /*
@ -879,10 +885,10 @@ int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
 hmac_failed_etm_disabled:
        mbedtls_platform_zeroize(mac, transform->maclen);
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-        ret = psa_ssl_status_to_mbedtls(status);
+        ret = PSA_TO_MBEDTLS_ERR(status);
        status = psa_mac_abort(&operation);
        if (ret == 0 && status != PSA_SUCCESS) {
-            ret = psa_ssl_status_to_mbedtls(status);
+            ret = PSA_TO_MBEDTLS_ERR(status);
        }
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
        if (ret != 0) {
@ -979,7 +985,7 @@ hmac_failed_etm_disabled:
                                  &rec->data_len);

        if (status != PSA_SUCCESS) {
-            ret = psa_ssl_status_to_mbedtls(status);
+            ret = PSA_TO_MBEDTLS_ERR(status);
            MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_encrypt_buf", ret);
            return ret;
        }
@ -1089,7 +1095,7 @@ hmac_failed_etm_disabled:
                                          transform->psa_key_enc, transform->psa_alg);

        if (status != PSA_SUCCESS) {
-            ret = psa_ssl_status_to_mbedtls(status);
+            ret = PSA_TO_MBEDTLS_ERR(status);
            MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_encrypt_setup", ret);
            return ret;
        }
@ -1097,7 +1103,7 @@ hmac_failed_etm_disabled:
        status = psa_cipher_set_iv(&cipher_op, transform->iv_enc, transform->ivlen);

        if (status != PSA_SUCCESS) {
-            ret = psa_ssl_status_to_mbedtls(status);
+            ret = PSA_TO_MBEDTLS_ERR(status);
            MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_set_iv", ret);
            return ret;

@ -1108,7 +1114,7 @@ hmac_failed_etm_disabled:
                                   data, rec->data_len, &olen);

        if (status != PSA_SUCCESS) {
-            ret = psa_ssl_status_to_mbedtls(status);
+            ret = PSA_TO_MBEDTLS_ERR(status);
            MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_update", ret);
            return ret;

@ -1119,7 +1125,7 @@ hmac_failed_etm_disabled:
                                   &part_len);

        if (status != PSA_SUCCESS) {
-            ret = psa_ssl_status_to_mbedtls(status);
+            ret = PSA_TO_MBEDTLS_ERR(status);
            MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_finish", ret);
            return ret;

@ -1222,10 +1228,10 @@ hmac_failed_etm_disabled:
 hmac_failed_etm_enabled:
            mbedtls_platform_zeroize(mac, transform->maclen);
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-            ret = psa_ssl_status_to_mbedtls(status);
+            ret = PSA_TO_MBEDTLS_ERR(status);
            status = psa_mac_abort(&operation);
            if (ret == 0 && status != PSA_SUCCESS) {
-                ret = psa_ssl_status_to_mbedtls(status);
+                ret = PSA_TO_MBEDTLS_ERR(status);
            }
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
            if (ret != 0) {
@ -1399,7 +1405,7 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
                                  &olen);

        if (status != PSA_SUCCESS) {
-            ret = psa_ssl_status_to_mbedtls(status);
+            ret = PSA_TO_MBEDTLS_ERR(status);
            MBEDTLS_SSL_DEBUG_RET(1, "psa_aead_decrypt", ret);
            return ret;
        }
@ -1571,10 +1577,10 @@ int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,

 hmac_failed_etm_enabled:
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-            ret = psa_ssl_status_to_mbedtls(status);
+            ret = PSA_TO_MBEDTLS_ERR(status);
            status = psa_mac_abort(&operation);
            if (ret == 0 && status != PSA_SUCCESS) {
-                ret = psa_ssl_status_to_mbedtls(status);
+                ret = PSA_TO_MBEDTLS_ERR(status);
            }
 #else
            mbedtls_platform_zeroize(mac_expect, transform->maclen);
@ -1621,7 +1627,7 @@ hmac_failed_etm_enabled:
                                          transform->psa_key_dec, transform->psa_alg);

        if (status != PSA_SUCCESS) {
-            ret = psa_ssl_status_to_mbedtls(status);
+            ret = PSA_TO_MBEDTLS_ERR(status);
            MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_decrypt_setup", ret);
            return ret;
        }
@ -1629,7 +1635,7 @@ hmac_failed_etm_enabled:
        status = psa_cipher_set_iv(&cipher_op, transform->iv_dec, transform->ivlen);

        if (status != PSA_SUCCESS) {
-            ret = psa_ssl_status_to_mbedtls(status);
+            ret = PSA_TO_MBEDTLS_ERR(status);
            MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_set_iv", ret);
            return ret;
        }
@ -1639,7 +1645,7 @@ hmac_failed_etm_enabled:
                                   data, rec->data_len, &olen);

        if (status != PSA_SUCCESS) {
-            ret = psa_ssl_status_to_mbedtls(status);
+            ret = PSA_TO_MBEDTLS_ERR(status);
            MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_update", ret);
            return ret;
        }
@ -1649,7 +1655,7 @@ hmac_failed_etm_enabled:
                                   &part_len);

        if (status != PSA_SUCCESS) {
-            ret = psa_ssl_status_to_mbedtls(status);
+            ret = PSA_TO_MBEDTLS_ERR(status);
            MBEDTLS_SSL_DEBUG_RET(1, "psa_cipher_finish", ret);
            return ret;
        }