From a01ddf65b7f58dc145ac3be10d1eac7365a74b7a Mon Sep 17 00:00:00 2001
From: Felix Conway
Date: Thu, 28 Aug 2025 14:18:43 +0100
Subject: [PATCH] Revert unification for some error codes

Signed-off-by: Felix Conway
---
 ChangeLog.d/unify-errors.txt | 1 -
 include/mbedtls/pkcs7.h | 2 +-
 include/mbedtls/x509.h | 6 +--
 include/mbedtls/x509_crt.h | 12 ++---
 tests/ssl-opt.sh | 98 ++++++++++++++++++------------------
 5 files changed, 59 insertions(+), 60 deletions(-)

diff --git a/ChangeLog.d/unify-errors.txt b/ChangeLog.d/unify-errors.txt
index 3dad7f3b67..0ed56ba305 100644
--- a/ChangeLog.d/unify-errors.txt
+++ b/ChangeLog.d/unify-errors.txt
@@ -4,5 +4,4 @@ API changes
 MBEDTLS_ERR_xxx_BAD_INPUT_DATA -> PSA_ERROR_INVALID_ARGUMENT
 MBEDTLS_ERR_xxx_ALLOC_FAILED -> PSA_ERROR_INSUFFICIENT_MEMORY
 MBEDTLS_ERR_xxx_VERIFY_FAILED -> PSA_ERROR_INVALID_SIGNATURE
- MBEDTLS_ERR_xxx_INVALID_SIGNATURE -> PSA_ERROR_INVALID_SIGNATURE
 MBEDTLS_ERR_xxx_BUFFER_TOO_SMALL -> PSA_ERROR_BUFFER_TOO_SMALL
diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h
index cf9e4407ce..957ca53d71 100644
--- a/include/mbedtls/pkcs7.h
+++ b/include/mbedtls/pkcs7.h
@@ -53,7 +53,7 @@
 #define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x5480 /**< The PKCS #7 content info is invalid or cannot be parsed. */
 #define MBEDTLS_ERR_PKCS7_INVALID_ALG -0x5500 /**< The algorithm tag or value is invalid or cannot be parsed. */
 #define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x5580 /**< The certificate tag or value is invalid or cannot be parsed. */
-#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE PSA_ERROR_INVALID_SIGNATURE /**< Error parsing the signature */
+#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE -0x5600 /**< Error parsing the signature */
 #define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO -0x5680 /**< Error parsing the signer's info */
 #define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA PSA_ERROR_INVALID_ARGUMENT /**< Input invalid. */
 #define MBEDTLS_ERR_PKCS7_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY /**< Allocation of memory failed. */
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index a021a7d996..3cced52f47 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -58,7 +58,7 @@
 /** The date tag or value is invalid. */
 #define MBEDTLS_ERR_X509_INVALID_DATE -0x2400
 /** The signature tag or value invalid. */
-#define MBEDTLS_ERR_X509_INVALID_SIGNATURE PSA_ERROR_INVALID_SIGNATURE
+#define MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480
 /** The extension tag or value is invalid. */
 #define MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500
 /** CRT/CRL/CSR has an unsupported version number. */
@@ -68,11 +68,11 @@
 /** Signature algorithms do not match. (see \c ::mbedtls_x509_crt sig_oid) */
 #define MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680
 /** Certificate verification failed, e.g. CRL, CA or signature check failed. */
-#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED PSA_ERROR_INVALID_SIGNATURE
+#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700
 /** Format not recognized as DER or PEM. */
 #define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780
 /** Input invalid. */
-#define MBEDTLS_ERR_X509_BAD_INPUT_DATA PSA_ERROR_INVALID_ARGUMENT
+#define MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800
 /** Allocation of memory failed. */
 #define MBEDTLS_ERR_X509_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY
 /** Read/write of file failed. */
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 6b81652bb0..61986483bb 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -610,7 +610,7 @@ int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
 * other than fatal error, as a non-zero return code
 * immediately aborts the verification process. For fatal
 * errors, a specific error code should be used (different
- * from #PSA_ERROR_INVALID_SIGNATURE which should not
+ * from #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
 * be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR
 * can be used if no better code is available.
 *
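Review bot: The ChangeLog.d/unify-errors.txt hunk still advertises `MBEDTLS_ERR_xxx_BAD_INPUT_DATA -> PSA_ERROR_INVALID_ARGUMENT` and `MBEDTLS_ERR_xxx_VERIFY_FAILED -> PSA_ERROR_INVALID_SIGNATURE` as module-wide mappings, but the -68,11 hunk here moves MBEDTLS_ERR_X509_BAD_INPUT_DATA and MBEDTLS_ERR_X509_CERT_VERIFY_FAILED back to X509-specific values (-0x2800 and -0x2700) while MBEDTLS_ERR_X509_ALLOC_FAILED, and MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA in the pkcs7.h hunk, stay on PSA codes. Any caller written against the unified codes that compares a chain-verification result with PSA_ERROR_INVALID_SIGNATURE to recognise a failed check would presumably stop matching after this revert, and a reader of the changelog cannot see that X509 is the exception. A line under the changelog's mapping list such as `(MBEDTLS_ERR_X509_BAD_INPUT_DATA and MBEDTLS_ERR_X509_CERT_VERIFY_FAILED keep their X509-specific values.)` plus a short comment above the reverted defines stating why they are excluded would close that gap; the commit gives no reason for the exclusion.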
@@ -653,7 +653,7 @@ int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
 *
 * \return \c 0 if the chain is valid with respect to the
 * passed CN, CAs, CRLs and security profile.
- * \return #PSA_ERROR_INVALID_SIGNATURE in case the
+ * \return #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the
 * certificate chain verification failed. In this case,
 * \c *flags will have one or more
 * \c MBEDTLS_X509_BADCERT_XXX or \c MBEDTLS_X509_BADCRL_XXX
@@ -694,7 +694,7 @@ int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt,
 *
 * \return \c 0 if the chain is valid with respect to the
 * passed CN, CAs, CRLs and security profile.
- * \return #PSA_ERROR_INVALID_SIGNATURE in case the
+ * \return #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the
 * certificate chain verification failed. In this case,
 * \c *flags will have one or more
 * \c MBEDTLS_X509_BADCERT_XXX or \c MBEDTLS_X509_BADCRL_XXX
@@ -826,7 +826,7 @@ int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt,
 * that bit MAY be set.
 *
 * \return 0 is these uses of the certificate are allowed,
- * #PSA_ERROR_INVALID_ARGUMENT if the keyUsage extension
+ * #MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension
 * is present but does not match the usage argument.
 *
 * \note You should only call this function on leaf certificates, on
@@ -845,7 +845,7 @@ int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt,
 * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
 *
 * \return 0 if this use of the certificate is allowed,
- * #PSA_ERROR_INVALID_ARGUMENT if not.
+ * #MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
 *
 * \note Usually only makes sense on leaf certificates.
 */
@@ -952,7 +952,7 @@ void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version)
 * input buffer
 *
 * \return 0 if successful, or
- * #PSA_ERROR_INVALID_ARGUMENT if the provided input buffer
+ * #MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer
 * is too big (longer than MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN)
 */
 int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx,
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 35afb8fcf9..d0278b123c 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -5839,7 +5839,7 @@ run_test "Authentication: server badcert, client required" \
 -c "! The certificate is not correctly signed by the trusted CA" \
 -c "! mbedtls_ssl_handshake returned" \
 -c "send alert level=2 message=48" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
 # MBEDTLS_X509_BADCERT_NOT_TRUSTED -> MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA
 # We don't check that the server receives the alert because it might
 # detect that its write end of the connection is closed and abort
@@ -5854,7 +5854,7 @@ run_test "Authentication: server badcert, client required (1.2)" \
 -c "! The certificate is not correctly signed by the trusted CA" \
 -c "! mbedtls_ssl_handshake returned" \
 -c "send alert level=2 message=48" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
 # MBEDTLS_X509_BADCERT_NOT_TRUSTED -> MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA
 
 run_test "Authentication: server badcert, client optional" \
@@ -5866,7 +5866,7 @@ run_test "Authentication: server badcert, client optional" \
 -c "! The certificate is not correctly signed by the trusted CA" \
 -C "! mbedtls_ssl_handshake returned" \
 -C "send alert level=2 message=48" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: server badcert, client optional (1.2)" \
 "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
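Review bot: The replacement pattern `-c "X509 - Certificate verification failed"` in the -5839 hunk matches the textual description that is presumably emitted for the reverted -0x2700 code rather than a numeric value, so from here on these checks depend on the configuration under test building the error strings (MBEDTLS_ERROR_C or equivalent); the unchanged `-C "SSL - No CA Chain is set, but required to operate"` line in the -5930 hunk suggests the file already relies on that, but it is worth confirming for every config these tests run under. Where the check is positive (`-c`/`-s`) a missing description fails loudly, whereas the negative form (`-C`/`-S`, from the -5866 hunk onwards and throughout the later tests/ssl-opt.sh hunks) passes vacuously if the description is absent or reworded, so it only proves the absence of that exact wording. The pattern is also a prefix of the x509.h description "Certificate verification failed, e.g. CRL, CA or signature check failed", which is fine for grep but should be kept in sync if that doc comment is ever edited. The same remark applies to all remaining tests/ssl-opt.sh hunks in this patch.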
@@ -5877,7 +5877,7 @@ run_test "Authentication: server badcert, client optional (1.2)" \
 -c "! The certificate is not correctly signed by the trusted CA" \
 -C "! mbedtls_ssl_handshake returned" \
 -C "send alert level=2 message=48" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: server badcert, client none" \
 "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
@@ -5888,7 +5888,7 @@ run_test "Authentication: server badcert, client none" \
 -C "! The certificate is not correctly signed by the trusted CA" \
 -C "! mbedtls_ssl_handshake returned" \
 -C "send alert level=2 message=48" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: server badcert, client none (1.2)" \
 "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
@@ -5899,7 +5899,7 @@ run_test "Authentication: server badcert, client none (1.2)" \
 -C "! The certificate is not correctly signed by the trusted CA" \
 -C "! mbedtls_ssl_handshake returned" \
 -C "send alert level=2 message=48" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: server goodcert, client required, no trusted CA" \
 "$P_SRV" \
@@ -5930,7 +5930,7 @@ run_test "Authentication: server goodcert, client optional, no trusted CA" \
 -c "! The certificate is not correctly signed by the trusted CA" \
 -c "! Certificate verification flags"\
 -C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)" \
+ -C "X509 - Certificate verification failed" \
 -C "SSL - No CA Chain is set, but required to operate"
 
 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
@@ -5942,7 +5942,7 @@ run_test "Authentication: server goodcert, client optional, no trusted CA (1.
 -c "! The certificate is not correctly signed by the trusted CA" \
 -c "! Certificate verification flags"\
 -C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)" \
+ -C "X509 - Certificate verification failed" \
 -C "SSL - No CA Chain is set, but required to operate"
 
 run_test "Authentication: server goodcert, client none, no trusted CA" \
@@ -5953,7 +5953,7 @@ run_test "Authentication: server goodcert, client none, no trusted CA" \
 -C "! The certificate is not correctly signed by the trusted CA" \
 -C "! Certificate verification flags"\
 -C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)" \
+ -C "X509 - Certificate verification failed" \
 -C "SSL - No CA Chain is set, but required to operate"
 
 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
@@ -5965,7 +5965,7 @@ run_test "Authentication: server goodcert, client none, no trusted CA (1.2)"
 -C "! The certificate is not correctly signed by the trusted CA" \
 -C "! Certificate verification flags"\
 -C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)" \
+ -C "X509 - Certificate verification failed" \
 -C "SSL - No CA Chain is set, but required to operate"
 
 # The next few tests check what happens if the server has a valid certificate
@@ -5980,7 +5980,7 @@ run_test "Authentication: hostname match, client required" \
 -C "Certificate verification without CN verification" \
 -C "x509_verify_cert() returned -" \
 -C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname match, client required, CA callback" \
 "$P_SRV" \
@@ -5992,7 +5992,7 @@ run_test "Authentication: hostname match, client required, CA callback" \
 -c "use CA callback for X.509 CRT verification" \
 -C "x509_verify_cert() returned -" \
 -C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname mismatch (wrong), client required" \
 "$P_SRV" \
@@ -6001,7 +6001,7 @@ run_test "Authentication: hostname mismatch (wrong), client required" \
 -c "does not match with the expected CN" \
 -c "x509_verify_cert() returned -" \
 -c "! mbedtls_ssl_handshake returned" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname mismatch (empty), client required" \
 "$P_SRV" \
@@ -6010,7 +6010,7 @@ run_test "Authentication: hostname mismatch (empty), client required" \
 -c "does not match with the expected CN" \
 -c "x509_verify_cert() returned -" \
 -c "! mbedtls_ssl_handshake returned" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname mismatch (truncated), client required" \
 "$P_SRV" \
@@ -6019,7 +6019,7 @@ run_test "Authentication: hostname mismatch (truncated), client required" \
 -c "does not match with the expected CN" \
 -c "x509_verify_cert() returned -" \
 -c "! mbedtls_ssl_handshake returned" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname mismatch (last char), client required" \
 "$P_SRV" \
@@ -6028,7 +6028,7 @@ run_test "Authentication: hostname mismatch (last char), client required" \
 -c "does not match with the expected CN" \
 -c "x509_verify_cert() returned -" \
 -c "! mbedtls_ssl_handshake returned" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname mismatch (trailing), client required" \
 "$P_SRV" \
@@ -6037,7 +6037,7 @@ run_test "Authentication: hostname mismatch (trailing), client required" \
 -c "does not match with the expected CN" \
 -c "x509_verify_cert() returned -" \
 -c "! mbedtls_ssl_handshake returned" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname mismatch, client optional" \
 "$P_SRV" \
@@ -6045,7 +6045,7 @@ run_test "Authentication: hostname mismatch, client optional" \
 0 \
 -c "does not match with the expected CN" \
 -c "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname mismatch, client none" \
 "$P_SRV" \
@@ -6055,7 +6055,7 @@ run_test "Authentication: hostname mismatch, client none" \
 -C "Certificate verification without having set hostname" \
 -C "Certificate verification without CN verification" \
 -C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname null, client required" \
 "$P_SRV" \
@@ -6066,7 +6066,7 @@ run_test "Authentication: hostname null, client required" \
 -c "Certificate verification without CN verification" \
 -C "x509_verify_cert() returned -" \
 -C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname null, client optional" \
 "$P_SRV" \
@@ -6076,7 +6076,7 @@ run_test "Authentication: hostname null, client optional" \
 -C "Certificate verification without having set hostname" \
 -c "Certificate verification without CN verification" \
 -C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname null, client none" \
 "$P_SRV" \
@@ -6086,7 +6086,7 @@ run_test "Authentication: hostname null, client none" \
 -C "Certificate verification without having set hostname" \
 -C "Certificate verification without CN verification" \
 -C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname unset, client required" \
 "$P_SRV" \
@@ -6098,7 +6098,7 @@ run_test "Authentication: hostname unset, client required" \
 -c "get_hostname_for_verification() returned -" \
 -C "x509_verify_cert() returned -" \
 -c "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname unset, client required, CA callback" \
 "$P_SRV" \
@@ -6111,7 +6111,7 @@ run_test "Authentication: hostname unset, client required, CA callback" \
 -C "use CA callback for X.509 CRT verification" \
 -C "x509_verify_cert() returned -" \
 -c "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname unset, client optional" \
 "$P_SRV" \
@@ -6121,7 +6121,7 @@ run_test "Authentication: hostname unset, client optional" \
 -c "Certificate verification without having set hostname" \
 -c "Certificate verification without CN verification" \
 -C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname unset, client none" \
 "$P_SRV" \
@@ -6131,7 +6131,7 @@ run_test "Authentication: hostname unset, client none" \
 -C "Certificate verification without having set hostname" \
 -C "Certificate verification without CN verification" \
 -C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname unset, client default, server picks cert, 1.2" \
 "$P_SRV force_version=tls12 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
@@ -6142,7 +6142,7 @@ run_test "Authentication: hostname unset, client default, server picks cert, 1.2
 -C "Certificate verification without CN verification" \
 -c "get_hostname_for_verification() returned -" \
 -C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "Authentication: hostname unset, client default, server picks cert, 1.3" \
@@ -6154,7 +6154,7 @@ run_test "Authentication: hostname unset, client default, server picks cert, 1.3
 -C "Certificate verification without CN verification" \
 -c "get_hostname_for_verification() returned -" \
 -C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication: hostname unset, client default, server picks PSK, 1.2" \
 "$P_SRV force_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=73776f726466697368 psk_identity=foo" \
@@ -6164,7 +6164,7 @@ run_test "Authentication: hostname unset, client default, server picks PSK, 1.2"
 -C "Certificate verification without having set hostname" \
 -C "Certificate verification without CN verification" \
 -C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
 run_test "Authentication: hostname unset, client default, server picks PSK, 1.3" \
@@ -6175,7 +6175,7 @@ run_test "Authentication: hostname unset, client default, server picks PSK, 1.3"
 -C "Certificate verification without having set hostname" \
 -C "Certificate verification without CN verification" \
 -C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 # The purpose of the next two tests is to test the client's behaviour when receiving a server
 # certificate with an unsupported elliptic curve. This should usually not happen because
@@ -6252,7 +6252,7 @@ run_test "Authentication: client badcert, server required" \
 -s "! The certificate is not correctly signed by the trusted CA" \
 -s "! mbedtls_ssl_handshake returned" \
 -s "send alert level=2 message=48" \
- -s "Last error was: \(-0x95\|-149\)"
+ -s "X509 - Certificate verification failed"
 # We don't check that the client receives the alert because it might
 # detect that its write end of the connection is closed and abort
 # before reading the alert message.
@@ -6270,7 +6270,7 @@ run_test "Authentication: client cert self-signed and trusted, server require
 -S "skip parse certificate verify" \
 -S "x509_verify_cert() returned" \
 -S "! The certificate is not correctly signed" \
- -S "Last error was: \(-0x95\|-149\)"
+ -S "X509 - Certificate verification failed"
 
 run_test "Authentication: client cert not trusted, server required" \
 "$P_SRV debug_level=3 auth_mode=required" \
@@ -6286,7 +6286,7 @@ run_test "Authentication: client cert not trusted, server required" \
 -s "x509_verify_cert() returned" \
 -s "! The certificate is not correctly signed by the trusted CA" \
 -s "! mbedtls_ssl_handshake returned" \
- -s "Last error was: \(-0x95\|-149\)"
+ -s "X509 - Certificate verification failed"
 
 run_test "Authentication: client badcert, server optional" \
 "$P_SRV debug_level=3 auth_mode=optional" \
@@ -6303,7 +6303,7 @@ run_test "Authentication: client badcert, server optional" \
 -s "! The certificate is not correctly signed by the trusted CA" \
 -S "! mbedtls_ssl_handshake returned" \
 -C "! mbedtls_ssl_handshake returned" \
- -S "Last error was: \(-0x95\|-149\)"
+ -S "X509 - Certificate verification failed"
 
 run_test "Authentication: client badcert, server none" \
 "$P_SRV debug_level=3 auth_mode=none" \
@@ -6320,7 +6320,7 @@ run_test "Authentication: client badcert, server none" \
 -S "! The certificate is not correctly signed by the trusted CA" \
 -S "! mbedtls_ssl_handshake returned" \
 -C "! mbedtls_ssl_handshake returned" \
- -S "Last error was: \(-0x95\|-149\)"
+ -S "X509 - Certificate verification failed"
 
 run_test "Authentication: client no cert, server optional" \
 "$P_SRV debug_level=3 auth_mode=optional" \
@@ -6336,7 +6336,7 @@ run_test "Authentication: client no cert, server optional" \
 -s "! Certificate was missing" \
 -S "! mbedtls_ssl_handshake returned" \
 -C "! mbedtls_ssl_handshake returned" \
- -S "Last error was: \(-0x95\|-149\)"
+ -S "X509 - Certificate verification failed"
 
 requires_openssl_tls1_3_with_compatible_ephemeral
 run_test "Authentication: openssl client no cert, server optional" \
@@ -6347,7 +6347,7 @@ run_test "Authentication: openssl client no cert, server optional" \
 -s "skip parse certificate verify" \
 -s "! Certificate was missing" \
 -S "! mbedtls_ssl_handshake returned" \
- -S "Last error was: \(-0x95\|-149\)"
+ -S "X509 - Certificate verification failed"
 
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "Authentication: client no cert, openssl server optional" \
@@ -6483,7 +6483,7 @@ run_test "Authentication: send CA list in CertificateRequest, client self sig
 -s "! The certificate is not correctly signed by the trusted CA" \
 -s "! mbedtls_ssl_handshake returned" \
 -c "! mbedtls_ssl_handshake returned" \
- -s "Last error was: \(-0x95\|-149\)"
+ -s "X509 - Certificate verification failed"
 
 requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
 run_test "Authentication: send alt conf DN hints in CertificateRequest" \
@@ -6530,7 +6530,7 @@ run_test "Authentication, CA callback: server badcert, client required" \
 -c "x509_verify_cert() returned" \
 -c "! The certificate is not correctly signed by the trusted CA" \
 -c "! mbedtls_ssl_handshake returned" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
 
 run_test "Authentication, CA callback: server badcert, client optional" \
 "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
@@ -6541,7 +6541,7 @@ run_test "Authentication, CA callback: server badcert, client optional" \
 -c "x509_verify_cert() returned" \
 -c "! The certificate is not correctly signed by the trusted CA" \
 -C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 run_test "Authentication, CA callback: server badcert, client none" \
 "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
@@ -6552,7 +6552,7 @@ run_test "Authentication, CA callback: server badcert, client none" \
 -C "x509_verify_cert() returned" \
 -C "! The certificate is not correctly signed by the trusted CA" \
 -C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 # The purpose of the next two tests is to test the client's behaviour when receiving a server
 # certificate with an unsupported elliptic curve. This should usually not happen because
@@ -6619,7 +6619,7 @@ run_test "Authentication, CA callback: client badcert, server required" \
 -s "! The certificate is not correctly signed by the trusted CA" \
 -s "! mbedtls_ssl_handshake returned" \
 -s "send alert level=2 message=48" \
- -s "Last error was: \(-0x95\|-149\)"
+ -s "X509 - Certificate verification failed"
 # We don't check that the client receives the alert because it might
 # detect that its write end of the connection is closed and abort
 # before reading the alert message.
@@ -6639,7 +6639,7 @@ run_test "Authentication, CA callback: client cert not trusted, server requir
 -s "x509_verify_cert() returned" \
 -s "! The certificate is not correctly signed by the trusted CA" \
 -s "! mbedtls_ssl_handshake returned" \
- -s "Last error was: \(-0x95\|-149\)"
+ -s "X509 - Certificate verification failed"
 
 run_test "Authentication, CA callback: client badcert, server optional" \
 "$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \
@@ -6657,7 +6657,7 @@ run_test "Authentication, CA callback: client badcert, server optional" \
 -s "! The certificate is not correctly signed by the trusted CA" \
 -S "! mbedtls_ssl_handshake returned" \
 -C "! mbedtls_ssl_handshake returned" \
- -S "Last error was: \(-0x95\|-149\)"
+ -S "X509 - Certificate verification failed"
 
 requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
 requires_full_size_output_buffer
@@ -9498,7 +9498,7 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \
 -C "mbedtls_pk_sign.*\(4b00\|-248\)" \
 -c "! The certificate is not correctly signed by the trusted CA" \
 -c "! mbedtls_ssl_handshake returned" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
 
 # With USE_PSA disabled we expect full restartable behaviour.
 requires_config_enabled MBEDTLS_ECP_RESTARTABLE
@@ -9518,7 +9518,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_P
 -c "mbedtls_pk_sign.*\(4b00\|-248\)" \
 -c "! The certificate is not correctly signed by the trusted CA" \
 -C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 # With USE_PSA enabled we expect only partial restartable behaviour:
 # everything except ECDH (where TLS calls PSA directly).
@@ -9538,7 +9538,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA)
 -c "mbedtls_pk_sign.*\(4b00\|-248\)" \
 -c "! The certificate is not correctly signed by the trusted CA" \
 -C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 # With USE_PSA disabled we expect full restartable behaviour.
 requires_config_enabled MBEDTLS_ECP_RESTARTABLE
@@ -9558,7 +9558,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)"
 -c "mbedtls_pk_sign.*\(4b00\|-248\)" \
 -C "! The certificate is not correctly signed by the trusted CA" \
 -C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 # With USE_PSA enabled we expect only partial restartable behaviour:
 # everything except ECDH (where TLS calls PSA directly).
@@ -9578,7 +9578,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \
 -c "mbedtls_pk_sign.*\(4b00\|-248\)" \
 -C "! The certificate is not correctly signed by the trusted CA" \
 -C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
 
 # With USE_PSA disabled we expect full restartable behaviour.
 requires_config_enabled MBEDTLS_ECP_RESTARTABLE