lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-12-08 02:02:16 +03:00
Code Activity

Merge pull request #10363 from felixc-arm/error-codes-prereq

Browse Source 
[1/3] Unify generic error codes (partial prerequisite)
This commit is contained in:
Gilles Peskine
2025-08-29 11:04:53 +00:00
committed by GitHub
parent ae9f633cd4 0f7cf1942b
commit fda51526b5
10 changed files with 84 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
ChangeLog.d/unify-errors.txt Normal file
View File

@@ -0,0 +1,7 @@
API changes
* Make the following error codes aliases of their PSA equivalents, where
xxx is a module, e.g. X509 or SSL.
MBEDTLS_ERR_xxx_BAD_INPUT_DATA -> PSA_ERROR_INVALID_ARGUMENT
MBEDTLS_ERR_xxx_ALLOC_FAILED -> PSA_ERROR_INSUFFICIENT_MEMORY
MBEDTLS_ERR_xxx_BUFFER_TOO_SMALL -> PSA_ERROR_BUFFER_TOO_SMALL
MBEDTLS_ERR_PKCS7_VERIFY_FAIL -> PSA_ERROR_INVALID_SIGNATURE

19
docs/4.0-migration-guide/error-codes.md
View File

@@ -18,11 +18,20 @@ As a consequence, the functions `mbedtls_low_level_strerr()` and `mbedtls_high_l
Many legacy error codes have been removed in favor of PSA error codes. Generally, functions that returned a legacy error code in the table below in Mbed TLS 3.6 now return the PSA error code listed on the same row. Similarly, callbacks should apply the same changes to error code, unless there has been a relevant change to the callback's interface.
| Legacy constant (Mbed TLS 3.6) | PSA constant (Mbed TLS 4.0) |
| ------------------------------ | --------------------------- |
| Legacy constant (Mbed TLS 3.6) | PSA constant (Mbed TLS 4.0) |
|-----------------------------------------|---------------------------------|
| `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED` | `PSA_ERROR_CORRUPTION_DETECTED` |
| `MBEDTLS_ERR_ERROR_GENERIC_ERROR` | `PSA_ERROR_GENERIC_ERROR` |
| `MBEDTLS_ERR_OID_BUF_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL`
| `MBEDTLS_ERR_OID_NOT_FOUND` | `PSA_ERROR_NOT_SUPPORTED` |
| `MBEDTLS_ERR_ERROR_GENERIC_ERROR` | `PSA_ERROR_GENERIC_ERROR` |
| `MBEDTLS_ERR_NET_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` |
| `MBEDTLS_ERR_OID_BUF_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` |
| `MBEDTLS_ERR_OID_NOT_FOUND` | `PSA_ERROR_NOT_SUPPORTED` |
| `MBEDTLS_ERR_PKCS7_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` |
| `MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` |
| `MBEDTLS_ERR_PKCS7_VERIFY_FAIL` | `PSA_ERROR_INVALID_SIGNATURE` |
| `MBEDTLS_ERR_SSL_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` |
| `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` |
| `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` |
| `MBEDTLS_ERR_X509_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` |
| `MBEDTLS_ERR_X509_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` |
See also the corresponding section in the TF-PSA-Crypto migration guide, which lists error codes from cryptography modules.

12
include/mbedtls/net_sockets.h
View File

@@ -53,7 +53,7 @@
/** Failed to get an IP address for the given hostname. */
#define MBEDTLS_ERR_NET_UNKNOWN_HOST -0x0052
/** Buffer is too small to hold the data. */
#define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL -0x0043
#define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL PSA_ERROR_BUFFER_TOO_SMALL
/** The context is invalid, eg because it was free()ed. */
#define MBEDTLS_ERR_NET_INVALID_CONTEXT -0x0045
/** Polling the net context failed. */
@@ -147,11 +147,11 @@ int mbedtls_net_bind(mbedtls_net_context *ctx, const char *bind_ip, const char *
* can be NULL if client_ip is null
*
* \return 0 if successful, or
* MBEDTLS_ERR_NET_SOCKET_FAILED,
* MBEDTLS_ERR_NET_BIND_FAILED,
* MBEDTLS_ERR_NET_ACCEPT_FAILED, or
* MBEDTLS_ERR_NET_BUFFER_TOO_SMALL if buf_size is too small,
* MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to
* #MBEDTLS_ERR_NET_SOCKET_FAILED,
* #MBEDTLS_ERR_NET_BIND_FAILED,
* #MBEDTLS_ERR_NET_ACCEPT_FAILED, or
* #PSA_ERROR_BUFFER_TOO_SMALL if buf_size is too small,
* #MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to
* non-blocking and accept() would block.
*/
int mbedtls_net_accept(mbedtls_net_context *bind_ctx,

6
include/mbedtls/pkcs7.h
View File

@@ -55,9 +55,9 @@
#define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x5580 /**< The certificate tag or value is invalid or cannot be parsed. */
#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE -0x5600 /**< Error parsing the signature */
#define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO -0x5680 /**< Error parsing the signer's info */
#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA -0x5700 /**< Input invalid. */
#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x5780 /**< Allocation of memory failed. */
#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL -0x5800 /**< Verification Failed */
#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA PSA_ERROR_INVALID_ARGUMENT /**< Input invalid. */
#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY /**< Allocation of memory failed. */
#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL PSA_ERROR_INVALID_SIGNATURE /**< Verification Failed */
#define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID -0x5880 /**< The PKCS #7 date issued/expired dates are invalid */
/* \} name */

66
include/mbedtls/ssl.h
View File

@@ -44,7 +44,7 @@
/** The requested feature is not available. */
#define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE -0x7080
/** Bad input parameters to function. */
#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA -0x7100
#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA PSA_ERROR_INVALID_ARGUMENT
/** Verification of the message MAC failed. */
#define MBEDTLS_ERR_SSL_INVALID_MAC -0x7180
/** An invalid SSL record was received. */
@@ -105,7 +105,7 @@
/** Cache entry not found */
#define MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND -0x7E80
/** Memory allocation failed */
#define MBEDTLS_ERR_SSL_ALLOC_FAILED -0x7F00
#define MBEDTLS_ERR_SSL_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY
/** Hardware acceleration function returned with error */
#define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED -0x7F80
/** Hardware acceleration function skipped / left alone data */
@@ -129,7 +129,7 @@
/** DTLS client must retry for hello verification */
#define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED -0x6A80
/** A buffer is too small to receive or write a message */
#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL -0x6A00
#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL PSA_ERROR_BUFFER_TOO_SMALL
/* Error space gap */
/** No data of requested type currently available on underlying transport. */
#define MBEDTLS_ERR_SSL_WANT_READ -0x6900
@@ -1912,7 +1912,7 @@ void mbedtls_ssl_init(mbedtls_ssl_context *ssl);
* \param ssl SSL context
* \param conf SSL configuration to use
*
* \return 0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED if
* \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY if
* memory allocation failed
*/
int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
@@ -1924,7 +1924,7 @@ int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
* pointers and data.
*
* \param ssl SSL context
* \return 0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED or
* \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY or
MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
*/
int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl);
@@ -2579,14 +2579,14 @@ void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
* milliseconds.
*
* \return 0 on success,
* MBEDTLS_ERR_SSL_BAD_INPUT_DATA if an input is not valid.
* #PSA_ERROR_INVALID_ARGUMENT if an input is not valid.
*/
static inline int mbedtls_ssl_session_get_ticket_creation_time(
mbedtls_ssl_session *session, mbedtls_ms_time_t *ticket_creation_time)
{
if (session == NULL || ticket_creation_time == NULL ||
session->MBEDTLS_PRIVATE(endpoint) != MBEDTLS_SSL_IS_SERVER) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
return PSA_ERROR_INVALID_ARGUMENT;
}
*ticket_creation_time = session->MBEDTLS_PRIVATE(ticket_creation_time);
@@ -2937,8 +2937,8 @@ void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf,
* \note An internal copy is made, so the info buffer can be reused.
*
* \return 0 on success,
* MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used on client,
* MBEDTLS_ERR_SSL_ALLOC_FAILED if out of memory.
* #PSA_ERROR_INVALID_ARGUMENT if used on client,
* #PSA_ERROR_INSUFFICIENT_MEMORY if out of memory.
*/
int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
const unsigned char *info,
@@ -3175,8 +3175,8 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session
* \param len The size of the serialized data in bytes.
*
* \return \c 0 if successful.
* \return #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed.
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid.
* \return #PSA_ERROR_INSUFFICIENT_MEMORY if memory allocation failed.
* \return #PSA_ERROR_INVALID_ARGUMENT if input data is invalid.
* \return #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data
* was generated in a different version or configuration of
* Mbed TLS.
@@ -3215,7 +3215,7 @@ int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
* tickets.
*
* \return \c 0 if successful.
* \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small.
* \return #PSA_ERROR_BUFFER_TOO_SMALL if \p buf is too small.
* \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the
* MBEDTLS_SSL_SESSION_TICKETS configuration option is disabled
* and the session is a TLS 1.3 session.
@@ -3348,7 +3348,7 @@ void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf,
* record headers.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p len
* \return #PSA_ERROR_INVALID_ARGUMENT if \p len
* is too large.
*/
int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf, size_t len,
@@ -3495,7 +3495,7 @@ void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
* \param own_cert own public certificate chain
* \param pk_key own private key
*
* \return 0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED
* \return 0 on success or #PSA_ERROR_INSUFFICIENT_MEMORY
*/
int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
mbedtls_x509_crt *own_cert,
@@ -3744,8 +3744,8 @@ void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
* #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
* for more details.
*
* \return 0 if successful, #MBEDTLS_ERR_SSL_ALLOC_FAILED on
* allocation failure, #MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
* \return 0 if successful, #PSA_ERROR_INSUFFICIENT_MEMORY on
* allocation failure, #PSA_ERROR_INVALID_ARGUMENT on
* too long input hostname.
*
* Hostname set to the one provided on success (cleared
@@ -3805,7 +3805,7 @@ const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl,
* \param own_cert own public certificate chain
* \param pk_key own private key
*
* \return 0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED
* \return 0 on success or #PSA_ERROR_INSUFFICIENT_MEMORY
*/
int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
mbedtls_x509_crt *own_cert,
@@ -3934,7 +3934,7 @@ int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl,
* the lifetime of the table must be at least as long as the
* lifetime of the SSL configuration structure.
*
* \return 0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA.
* \return 0 on success, or #PSA_ERROR_INVALID_ARGUMENT.
*/
int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf,
const char *const *protos);
@@ -4001,7 +4001,7 @@ void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
* (excluding the terminating MBEDTLS_TLS_SRTP_UNSET).
*
* \return 0 on success
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA when the list of
* \return #PSA_ERROR_INVALID_ARGUMENT when the list of
* protection profiles is incorrect.
*/
int mbedtls_ssl_conf_dtls_srtp_protection_profiles
@@ -4021,7 +4021,7 @@ int mbedtls_ssl_conf_dtls_srtp_protection_profiles
* is ignored.
*
* \return 0 on success
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA
* \return #PSA_ERROR_INVALID_ARGUMENT
* \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
*/
int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
@@ -4166,7 +4166,7 @@ void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
* MBEDTLS_SSL_MAX_FRAG_LEN_512, MBEDTLS_SSL_MAX_FRAG_LEN_1024,
* MBEDTLS_SSL_MAX_FRAG_LEN_2048, MBEDTLS_SSL_MAX_FRAG_LEN_4096)
*
* \return 0 if successful or MBEDTLS_ERR_SSL_BAD_INPUT_DATA
* \return 0 if successful or #PSA_ERROR_INVALID_ARGUMENT
*/
int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code);
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
@@ -4892,7 +4892,7 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len);
* fragment length (either the built-in limit or the one set
* or negotiated with the peer), then:
* - with TLS, less bytes than requested are written.
* - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned.
* - with DTLS, #PSA_ERROR_INVALID_ARGUMENT is returned.
* \c mbedtls_ssl_get_max_out_record_payload() may be used to
* query the active maximum fragment length.
*
@@ -4976,7 +4976,7 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl);
* \param len maximum number of bytes to read
*
* \return The (positive) number of bytes read if successful.
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid.
* \return #PSA_ERROR_INVALID_ARGUMENT if input data is invalid.
* \return #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA if it is not
* possible to read early data for the SSL context \p ssl. Note
* that this function is intended to be called for an SSL
@@ -5082,10 +5082,10 @@ int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl,
*
* \param ssl The SSL context to query
*
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called
* \return #PSA_ERROR_INVALID_ARGUMENT if this function is called
* from the server-side.
*
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called
* \return #PSA_ERROR_INVALID_ARGUMENT if this function is called
* prior to completion of the handshake.
*
* \return #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED if the client
@@ -5134,7 +5134,7 @@ void mbedtls_ssl_free(mbedtls_ssl_context *ssl);
*
* \note This feature is currently only available under certain
* conditions, see the documentation of the return value
* #MBEDTLS_ERR_SSL_BAD_INPUT_DATA for details.
* #PSA_ERROR_INVALID_ARGUMENT for details.
*
* \note When this function succeeds, it calls
* mbedtls_ssl_session_reset() on \p ssl which as a result is
@@ -5159,15 +5159,15 @@ void mbedtls_ssl_free(mbedtls_ssl_context *ssl);
* to determine the necessary size by calling this function
* with \p buf set to \c NULL and \p buf_len to \c 0. However,
* the value of \p olen is only guaranteed to be correct when
* the function returns #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL or
* the function returns #PSA_ERROR_BUFFER_TOO_SMALL or
* \c 0. If the return value is different, then the value of
* \p olen is undefined.
*
* \return \c 0 if successful.
* \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small.
* \return #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed
* \return #PSA_ERROR_BUFFER_TOO_SMALL if \p buf is too small.
* \return #PSA_ERROR_INSUFFICIENT_MEMORY if memory allocation failed
* while resetting the context.
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if a handshake is in
* \return #PSA_ERROR_INVALID_ARGUMENT if a handshake is in
* progress, or there is pending data for reading or sending,
* or the connection does not use DTLS 1.2 with an AEAD
* ciphersuite, or renegotiation is enabled.
@@ -5240,10 +5240,10 @@ int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
* \param len The size of the serialized data in bytes.
*
* \return \c 0 if successful.
* \return #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed.
* \return #PSA_ERROR_INSUFFICIENT_MEMORY if memory allocation failed.
* \return #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data
* comes from a different Mbed TLS version or build.
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid.
* \return #PSA_ERROR_INVALID_ARGUMENT if input data is invalid.
*/
int mbedtls_ssl_context_load(mbedtls_ssl_context *ssl,
const unsigned char *buf,
@@ -5352,7 +5352,7 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
* context_len are ignored and a 0-length context is used.
*
* \return 0 on success.
* \return MBEDTLS_ERR_SSL_BAD_INPUT_DATA if the handshake is not yet completed.
* \return #PSA_ERROR_INVALID_ARGUMENT if the handshake is not yet completed.
* \return An SSL-specific error on failure.
*/
int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl,

4
include/mbedtls/x509.h
View File

@@ -74,11 +74,11 @@
/** Input invalid. */
#define MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800
/** Allocation of memory failed. */
#define MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880
#define MBEDTLS_ERR_X509_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY
/** Read/write of file failed. */
#define MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900
/** Destination buffer is too small. */
#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980
#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL PSA_ERROR_BUFFER_TOO_SMALL
/** A fatal error occurred, eg the chain is too long or the vrfy callback failed. */
#define MBEDTLS_ERR_X509_FATAL_ERROR -0x3000
/** \} name X509 Error codes */

24
include/mbedtls/x509_crt.h
View File

@@ -234,7 +234,7 @@ mbedtls_x509write_cert;
* \param ctx Certificate context to use
* \param san_list List of SAN values
*
* \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
* \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
*
* \note "dnsName", "uniformResourceIdentifier", "IP address",
* "otherName", and "DirectoryName", as defined in RFC 5280,
@@ -610,7 +610,7 @@ int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix,
* other than fatal error, as a non-zero return code
* immediately aborts the verification process. For fatal
* errors, a specific error code should be used (different
* from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
* from #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
* be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR
* can be used if no better code is available.
*
@@ -826,7 +826,7 @@ int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt,
* that bit MAY be set.
*
* \return 0 is these uses of the certificate are allowed,
* MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension
* #MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension
* is present but does not match the usage argument.
*
* \note You should only call this function on leaf certificates, on
@@ -845,7 +845,7 @@ int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt,
* \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
*
* \return 0 if this use of the certificate is allowed,
* MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
* #MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
*
* \note Usually only makes sense on leaf certificates.
*/
@@ -952,7 +952,7 @@ void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version)
* input buffer
*
* \return 0 if successful, or
* MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer
* #MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer
* is too big (longer than MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN)
*/
int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx,
@@ -1041,7 +1041,7 @@ void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_ty
* \param val value of the extension OCTET STRING
* \param val_len length of the value data
*
* \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
* \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
*/
int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx,
const char *oid, size_t oid_len,
@@ -1057,7 +1057,7 @@ int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx,
* certificate (only for CA certificates, -1 is
* unlimited)
*
* \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
* \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
*/
int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx,
int is_ca, int max_pathlen);
@@ -1070,7 +1070,7 @@ int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx,
*
* \param ctx CRT context to use
*
* \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
* \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
*/
int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx);
@@ -1081,7 +1081,7 @@ int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx
*
* \param ctx CRT context to use
*
* \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
* \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
*/
int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx);
#endif /* PSA_WANT_ALG_SHA_1 */
@@ -1093,7 +1093,7 @@ int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *c
* \param ctx CRT context to use
* \param key_usage key usage flags to set
*
* \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
* \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
*/
int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx,
unsigned int key_usage);
@@ -1106,7 +1106,7 @@ int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx,
* \param exts extended key usage extensions to set, a sequence of
* MBEDTLS_ASN1_OID objects
*
* \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
* \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
*/
int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx,
const mbedtls_asn1_sequence *exts);
@@ -1118,7 +1118,7 @@ int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx,
* \param ctx CRT context to use
* \param ns_cert_type Netscape Cert Type flags to set
*
* \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
* \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
*/
int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx,
unsigned char ns_cert_type);

8
include/mbedtls/x509_csr.h
View File

@@ -263,7 +263,7 @@ void mbedtls_x509write_csr_set_md_alg(mbedtls_x509write_csr *ctx, mbedtls_md_typ
* \param ctx CSR context to use
* \param key_usage key usage flags to set
*
* \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
* \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
*
* \note The <code>decipherOnly</code> flag from the Key Usage
* extension is represented by bit 8 (i.e.
@@ -281,7 +281,7 @@ int mbedtls_x509write_csr_set_key_usage(mbedtls_x509write_csr *ctx, unsigned cha
* \param ctx CSR context to use
* \param san_list List of SAN values
*
* \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
* \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
*
* \note Only "dnsName", "uniformResourceIdentifier" and "otherName",
* as defined in RFC 5280, are supported.
@@ -296,7 +296,7 @@ int mbedtls_x509write_csr_set_subject_alternative_name(mbedtls_x509write_csr *ct
* \param ctx CSR context to use
* \param ns_cert_type Netscape Cert Type flags to set
*
* \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
* \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
*/
int mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx,
unsigned char ns_cert_type);
@@ -312,7 +312,7 @@ int mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx,
* \param val value of the extension OCTET STRING
* \param val_len length of the value data
*
* \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
* \return 0 if successful, or a #PSA_ERROR_INSUFFICIENT_MEMORY
*/
int mbedtls_x509write_csr_set_extension(mbedtls_x509write_csr *ctx,
const char *oid, size_t oid_len,

1
tests/Makefile
View File

@@ -369,6 +369,7 @@ libtestdriver1.a:
perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/include/*/*.h
perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/core/*.[ch]
perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/include/*/*.h
perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/include/*/*/*.h
perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/drivers/builtin/include/*/*.h
perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/drivers/builtin/include/*/*/*.h
perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/drivers/builtin/src/*.[ch]

8
tests/suites/test_suite_error.data
View File

@@ -3,12 +3,8 @@ depends_on:MBEDTLS_AES_C
error_strerror:-0x0020:"AES - Invalid key length"
Single high error
depends_on:MBEDTLS_RSA_C
error_strerror:-0x4080:"RSA - Bad input parameters to function"
Low and high error
depends_on:MBEDTLS_AES_C:MBEDTLS_RSA_C
error_strerror:-0x40A0:"RSA - Bad input parameters to function \: AES - Invalid key length"
depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C:MBEDTLS_X509_CRT_PARSE_C
error_strerror:-0x2280:"X509 - The serial tag or value is invalid"
Non existing high error
error_strerror:-0x8880:"UNKNOWN ERROR CODE (8880)"