From 8616ee762d77123b5dc30500d040920991242e94 Mon Sep 17 00:00:00 2001 From: Felix Conway Date: Mon, 18 Aug 2025 11:32:58 +0100 Subject: [PATCH 1/9] Change values for error tests Previously these tests used values that will become PSA aliases, and so the tests will fail once they're changed. Signed-off-by: Felix Conway --- tests/suites/test_suite_error.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_error.data b/tests/suites/test_suite_error.data index dec5639ee0..e496841cf0 100644 --- a/tests/suites/test_suite_error.data +++ b/tests/suites/test_suite_error.data @@ -4,11 +4,11 @@ error_strerror:-0x0020:"AES - Invalid key length" Single high error depends_on:MBEDTLS_RSA_C -error_strerror:-0x4080:"RSA - Bad input parameters to function" +error_strerror:-0x4200:"RSA - Key failed to pass the validity check of the library" Low and high error depends_on:MBEDTLS_AES_C:MBEDTLS_RSA_C -error_strerror:-0x40A0:"RSA - Bad input parameters to function \: AES - Invalid key length" +error_strerror:-0x4220:"RSA - Key failed to pass the validity check of the library \: AES - Invalid key length" Non existing high error error_strerror:-0x8880:"UNKNOWN ERROR CODE (8880)" From 37ede2c3b4b96987b525e22878564b0d489da84a Mon Sep 17 00:00:00 2001 From: Felix Conway Date: Mon, 18 Aug 2025 14:46:39 +0100 Subject: [PATCH 2/9] Unify generic errors to PSA errors Signed-off-by: Felix Conway --- include/mbedtls/net_sockets.h | 12 +++---- include/mbedtls/pkcs7.h | 8 ++--- include/mbedtls/ssl.h | 66 +++++++++++++++++------------------ include/mbedtls/x509.h | 10 +++--- include/mbedtls/x509_crt.h | 28 +++++++-------- include/mbedtls/x509_csr.h | 8 ++--- 6 files changed, 66 insertions(+), 66 deletions(-) diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h index 8e69bc0fb3..f4eb683d3a 100644 --- a/include/mbedtls/net_sockets.h +++ b/include/mbedtls/net_sockets.h @@ -53,7 +53,7 @@ /** Failed to get an IP address for the given hostname. */ #define MBEDTLS_ERR_NET_UNKNOWN_HOST -0x0052 /** Buffer is too small to hold the data. */ -#define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL -0x0043 +#define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL PSA_ERROR_BUFFER_TOO_SMALL /** The context is invalid, eg because it was free()ed. */ #define MBEDTLS_ERR_NET_INVALID_CONTEXT -0x0045 /** Polling the net context failed. */ @@ -147,11 +147,11 @@ int mbedtls_net_bind(mbedtls_net_context *ctx, const char *bind_ip, const char * * can be NULL if client_ip is null * * \return 0 if successful, or - * MBEDTLS_ERR_NET_SOCKET_FAILED, - * MBEDTLS_ERR_NET_BIND_FAILED, - * MBEDTLS_ERR_NET_ACCEPT_FAILED, or - * MBEDTLS_ERR_NET_BUFFER_TOO_SMALL if buf_size is too small, - * MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to + * #MBEDTLS_ERR_NET_SOCKET_FAILED, + * #MBEDTLS_ERR_NET_BIND_FAILED, + * #MBEDTLS_ERR_NET_ACCEPT_FAILED, or + * #PSA_ERROR_BUFFER_TOO_SMALL if buf_size is too small, + * #MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to * non-blocking and accept() would block. */ int mbedtls_net_accept(mbedtls_net_context *bind_ctx, diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index e9b482208e..cf9e4407ce 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -53,11 +53,11 @@ #define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x5480 /**< The PKCS #7 content info is invalid or cannot be parsed. */ #define MBEDTLS_ERR_PKCS7_INVALID_ALG -0x5500 /**< The algorithm tag or value is invalid or cannot be parsed. */ #define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x5580 /**< The certificate tag or value is invalid or cannot be parsed. */ -#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE -0x5600 /**< Error parsing the signature */ +#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE PSA_ERROR_INVALID_SIGNATURE /**< Error parsing the signature */ #define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO -0x5680 /**< Error parsing the signer's info */ -#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA -0x5700 /**< Input invalid. */ -#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x5780 /**< Allocation of memory failed. */ -#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL -0x5800 /**< Verification Failed */ +#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA PSA_ERROR_INVALID_ARGUMENT /**< Input invalid. */ +#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY /**< Allocation of memory failed. */ +#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL PSA_ERROR_INVALID_SIGNATURE /**< Verification Failed */ #define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID -0x5880 /**< The PKCS #7 date issued/expired dates are invalid */ /* \} name */ diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 628d5c7e71..ab3f256913 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -44,7 +44,7 @@ /** The requested feature is not available. */ #define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE -0x7080 /** Bad input parameters to function. */ -#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA -0x7100 +#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA PSA_ERROR_INVALID_ARGUMENT /** Verification of the message MAC failed. */ #define MBEDTLS_ERR_SSL_INVALID_MAC -0x7180 /** An invalid SSL record was received. */ @@ -105,7 +105,7 @@ /** Cache entry not found */ #define MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND -0x7E80 /** Memory allocation failed */ -#define MBEDTLS_ERR_SSL_ALLOC_FAILED -0x7F00 +#define MBEDTLS_ERR_SSL_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY /** Hardware acceleration function returned with error */ #define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED -0x7F80 /** Hardware acceleration function skipped / left alone data */ @@ -129,7 +129,7 @@ /** DTLS client must retry for hello verification */ #define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED -0x6A80 /** A buffer is too small to receive or write a message */ -#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL -0x6A00 +#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL PSA_ERROR_BUFFER_TOO_SMALL /* Error space gap */ /** No data of requested type currently available on underlying transport. */ #define MBEDTLS_ERR_SSL_WANT_READ -0x6900 @@ -1912,7 +1912,7 @@ void mbedtls_ssl_init(mbedtls_ssl_context *ssl); * \param ssl SSL context * \param conf SSL configuration to use * - * \return 0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED if + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY if * memory allocation failed */ int mbedtls_ssl_setup(mbedtls_ssl_context *ssl, @@ -1924,7 +1924,7 @@ int mbedtls_ssl_setup(mbedtls_ssl_context *ssl, * pointers and data. * * \param ssl SSL context - * \return 0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED or + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY or MBEDTLS_ERR_SSL_HW_ACCEL_FAILED */ int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl); @@ -2579,14 +2579,14 @@ void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf, * milliseconds. * * \return 0 on success, - * MBEDTLS_ERR_SSL_BAD_INPUT_DATA if an input is not valid. + * #PSA_ERROR_INVALID_ARGUMENT if an input is not valid. */ static inline int mbedtls_ssl_session_get_ticket_creation_time( mbedtls_ssl_session *session, mbedtls_ms_time_t *ticket_creation_time) { if (session == NULL || ticket_creation_time == NULL || session->MBEDTLS_PRIVATE(endpoint) != MBEDTLS_SSL_IS_SERVER) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + return PSA_ERROR_INVALID_ARGUMENT; } *ticket_creation_time = session->MBEDTLS_PRIVATE(ticket_creation_time); @@ -2937,8 +2937,8 @@ void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf, * \note An internal copy is made, so the info buffer can be reused. * * \return 0 on success, - * MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used on client, - * MBEDTLS_ERR_SSL_ALLOC_FAILED if out of memory. + * #PSA_ERROR_INVALID_ARGUMENT if used on client, + * #PSA_ERROR_INSUFFICIENT_MEMORY if out of memory. */ int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl, const unsigned char *info, @@ -3175,8 +3175,8 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session * \param len The size of the serialized data in bytes. * * \return \c 0 if successful. - * \return #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed. - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid. + * \return #PSA_ERROR_INSUFFICIENT_MEMORY if memory allocation failed. + * \return #PSA_ERROR_INVALID_ARGUMENT if input data is invalid. * \return #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data * was generated in a different version or configuration of * Mbed TLS. @@ -3215,7 +3215,7 @@ int mbedtls_ssl_session_load(mbedtls_ssl_session *session, * tickets. * * \return \c 0 if successful. - * \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small. + * \return #PSA_ERROR_BUFFER_TOO_SMALL if \p buf is too small. * \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the * MBEDTLS_SSL_SESSION_TICKETS configuration option is disabled * and the session is a TLS 1.3 session. @@ -3348,7 +3348,7 @@ void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf, * record headers. * * \return \c 0 on success. - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p len + * \return #PSA_ERROR_INVALID_ARGUMENT if \p len * is too large. */ int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf, size_t len, @@ -3495,7 +3495,7 @@ void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf, * \param own_cert own public certificate chain * \param pk_key own private key * - * \return 0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED + * \return 0 on success or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf, mbedtls_x509_crt *own_cert, @@ -3744,8 +3744,8 @@ void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf, * #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME * for more details. * - * \return 0 if successful, #MBEDTLS_ERR_SSL_ALLOC_FAILED on - * allocation failure, #MBEDTLS_ERR_SSL_BAD_INPUT_DATA on + * \return 0 if successful, #PSA_ERROR_INSUFFICIENT_MEMORY on + * allocation failure, #PSA_ERROR_INVALID_ARGUMENT on * too long input hostname. * * Hostname set to the one provided on success (cleared @@ -3805,7 +3805,7 @@ const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl, * \param own_cert own public certificate chain * \param pk_key own private key * - * \return 0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED + * \return 0 on success or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_cert, @@ -3934,7 +3934,7 @@ int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl, * the lifetime of the table must be at least as long as the * lifetime of the SSL configuration structure. * - * \return 0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA. + * \return 0 on success, or #PSA_ERROR_INVALID_ARGUMENT. */ int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char *const *protos); @@ -4001,7 +4001,7 @@ void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf, * (excluding the terminating MBEDTLS_TLS_SRTP_UNSET). * * \return 0 on success - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA when the list of + * \return #PSA_ERROR_INVALID_ARGUMENT when the list of * protection profiles is incorrect. */ int mbedtls_ssl_conf_dtls_srtp_protection_profiles @@ -4021,7 +4021,7 @@ int mbedtls_ssl_conf_dtls_srtp_protection_profiles * is ignored. * * \return 0 on success - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA + * \return #PSA_ERROR_INVALID_ARGUMENT * \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE */ int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl, @@ -4166,7 +4166,7 @@ void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf, * MBEDTLS_SSL_MAX_FRAG_LEN_512, MBEDTLS_SSL_MAX_FRAG_LEN_1024, * MBEDTLS_SSL_MAX_FRAG_LEN_2048, MBEDTLS_SSL_MAX_FRAG_LEN_4096) * - * \return 0 if successful or MBEDTLS_ERR_SSL_BAD_INPUT_DATA + * \return 0 if successful or #PSA_ERROR_INVALID_ARGUMENT */ int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code); #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ @@ -4892,7 +4892,7 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len); * fragment length (either the built-in limit or the one set * or negotiated with the peer), then: * - with TLS, less bytes than requested are written. - * - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned. + * - with DTLS, #PSA_ERROR_INVALID_ARGUMENT is returned. * \c mbedtls_ssl_get_max_out_record_payload() may be used to * query the active maximum fragment length. * @@ -4976,7 +4976,7 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl); * \param len maximum number of bytes to read * * \return The (positive) number of bytes read if successful. - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid. + * \return #PSA_ERROR_INVALID_ARGUMENT if input data is invalid. * \return #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA if it is not * possible to read early data for the SSL context \p ssl. Note * that this function is intended to be called for an SSL @@ -5082,10 +5082,10 @@ int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl, * * \param ssl The SSL context to query * - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called + * \return #PSA_ERROR_INVALID_ARGUMENT if this function is called * from the server-side. * - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called + * \return #PSA_ERROR_INVALID_ARGUMENT if this function is called * prior to completion of the handshake. * * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED if the client @@ -5134,7 +5134,7 @@ void mbedtls_ssl_free(mbedtls_ssl_context *ssl); * * \note This feature is currently only available under certain * conditions, see the documentation of the return value - * #MBEDTLS_ERR_SSL_BAD_INPUT_DATA for details. + * #PSA_ERROR_INVALID_ARGUMENT for details. * * \note When this function succeeds, it calls * mbedtls_ssl_session_reset() on \p ssl which as a result is @@ -5159,15 +5159,15 @@ void mbedtls_ssl_free(mbedtls_ssl_context *ssl); * to determine the necessary size by calling this function * with \p buf set to \c NULL and \p buf_len to \c 0. However, * the value of \p olen is only guaranteed to be correct when - * the function returns #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL or + * the function returns #PSA_ERROR_BUFFER_TOO_SMALL or * \c 0. If the return value is different, then the value of * \p olen is undefined. * * \return \c 0 if successful. - * \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small. - * \return #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed + * \return #PSA_ERROR_BUFFER_TOO_SMALL if \p buf is too small. + * \return #PSA_ERROR_INSUFFICIENT_MEMORY if memory allocation failed * while resetting the context. - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if a handshake is in + * \return #PSA_ERROR_INVALID_ARGUMENT if a handshake is in * progress, or there is pending data for reading or sending, * or the connection does not use DTLS 1.2 with an AEAD * ciphersuite, or renegotiation is enabled. @@ -5240,10 +5240,10 @@ int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl, * \param len The size of the serialized data in bytes. * * \return \c 0 if successful. - * \return #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed. + * \return #PSA_ERROR_INSUFFICIENT_MEMORY if memory allocation failed. * \return #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data * comes from a different Mbed TLS version or build. - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid. + * \return #PSA_ERROR_INVALID_ARGUMENT if input data is invalid. */ int mbedtls_ssl_context_load(mbedtls_ssl_context *ssl, const unsigned char *buf, @@ -5352,7 +5352,7 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, * context_len are ignored and a 0-length context is used. * * \return 0 on success. - * \return MBEDTLS_ERR_SSL_BAD_INPUT_DATA if the handshake is not yet completed. + * \return #PSA_ERROR_INVALID_ARGUMENT if the handshake is not yet completed. * \return An SSL-specific error on failure. */ int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index b1a80e3011..a021a7d996 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -58,7 +58,7 @@ /** The date tag or value is invalid. */ #define MBEDTLS_ERR_X509_INVALID_DATE -0x2400 /** The signature tag or value invalid. */ -#define MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 +#define MBEDTLS_ERR_X509_INVALID_SIGNATURE PSA_ERROR_INVALID_SIGNATURE /** The extension tag or value is invalid. */ #define MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 /** CRT/CRL/CSR has an unsupported version number. */ @@ -68,17 +68,17 @@ /** Signature algorithms do not match. (see \c ::mbedtls_x509_crt sig_oid) */ #define MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 /** Certificate verification failed, e.g. CRL, CA or signature check failed. */ -#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 +#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED PSA_ERROR_INVALID_SIGNATURE /** Format not recognized as DER or PEM. */ #define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 /** Input invalid. */ -#define MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 +#define MBEDTLS_ERR_X509_BAD_INPUT_DATA PSA_ERROR_INVALID_ARGUMENT /** Allocation of memory failed. */ -#define MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 +#define MBEDTLS_ERR_X509_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY /** Read/write of file failed. */ #define MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 /** Destination buffer is too small. */ -#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 +#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL PSA_ERROR_BUFFER_TOO_SMALL /** A fatal error occurred, eg the chain is too long or the vrfy callback failed. */ #define MBEDTLS_ERR_X509_FATAL_ERROR -0x3000 /** \} name X509 Error codes */ diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index bf418a6851..6b81652bb0 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -234,7 +234,7 @@ mbedtls_x509write_cert; * \param ctx Certificate context to use * \param san_list List of SAN values * - * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY * * \note "dnsName", "uniformResourceIdentifier", "IP address", * "otherName", and "DirectoryName", as defined in RFC 5280, @@ -610,7 +610,7 @@ int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, * other than fatal error, as a non-zero return code * immediately aborts the verification process. For fatal * errors, a specific error code should be used (different - * from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not + * from #PSA_ERROR_INVALID_SIGNATURE which should not * be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR * can be used if no better code is available. * @@ -653,7 +653,7 @@ int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, * * \return \c 0 if the chain is valid with respect to the * passed CN, CAs, CRLs and security profile. - * \return #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the + * \return #PSA_ERROR_INVALID_SIGNATURE in case the * certificate chain verification failed. In this case, * \c *flags will have one or more * \c MBEDTLS_X509_BADCERT_XXX or \c MBEDTLS_X509_BADCRL_XXX @@ -694,7 +694,7 @@ int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, * * \return \c 0 if the chain is valid with respect to the * passed CN, CAs, CRLs and security profile. - * \return #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the + * \return #PSA_ERROR_INVALID_SIGNATURE in case the * certificate chain verification failed. In this case, * \c *flags will have one or more * \c MBEDTLS_X509_BADCERT_XXX or \c MBEDTLS_X509_BADCRL_XXX @@ -826,7 +826,7 @@ int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt, * that bit MAY be set. * * \return 0 is these uses of the certificate are allowed, - * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension + * #PSA_ERROR_INVALID_ARGUMENT if the keyUsage extension * is present but does not match the usage argument. * * \note You should only call this function on leaf certificates, on @@ -845,7 +845,7 @@ int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). * * \return 0 if this use of the certificate is allowed, - * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. + * #PSA_ERROR_INVALID_ARGUMENT if not. * * \note Usually only makes sense on leaf certificates. */ @@ -952,7 +952,7 @@ void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version) * input buffer * * \return 0 if successful, or - * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer + * #PSA_ERROR_INVALID_ARGUMENT if the provided input buffer * is too big (longer than MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) */ int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx, @@ -1041,7 +1041,7 @@ void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_ty * \param val value of the extension OCTET STRING * \param val_len length of the value data * - * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, @@ -1057,7 +1057,7 @@ int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, * certificate (only for CA certificates, -1 is * unlimited) * - * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen); @@ -1070,7 +1070,7 @@ int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, * * \param ctx CRT context to use * - * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx); @@ -1081,7 +1081,7 @@ int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx * * \param ctx CRT context to use * - * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx); #endif /* PSA_WANT_ALG_SHA_1 */ @@ -1093,7 +1093,7 @@ int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *c * \param ctx CRT context to use * \param key_usage key usage flags to set * - * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, unsigned int key_usage); @@ -1106,7 +1106,7 @@ int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, * \param exts extended key usage extensions to set, a sequence of * MBEDTLS_ASN1_OID objects * - * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx, const mbedtls_asn1_sequence *exts); @@ -1118,7 +1118,7 @@ int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx, * \param ctx CRT context to use * \param ns_cert_type Netscape Cert Type flags to set * - * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type); diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h index b11539440c..60a553f55d 100644 --- a/include/mbedtls/x509_csr.h +++ b/include/mbedtls/x509_csr.h @@ -263,7 +263,7 @@ void mbedtls_x509write_csr_set_md_alg(mbedtls_x509write_csr *ctx, mbedtls_md_typ * \param ctx CSR context to use * \param key_usage key usage flags to set * - * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY * * \note The decipherOnly flag from the Key Usage * extension is represented by bit 8 (i.e. @@ -281,7 +281,7 @@ int mbedtls_x509write_csr_set_key_usage(mbedtls_x509write_csr *ctx, unsigned cha * \param ctx CSR context to use * \param san_list List of SAN values * - * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY * * \note Only "dnsName", "uniformResourceIdentifier" and "otherName", * as defined in RFC 5280, are supported. @@ -296,7 +296,7 @@ int mbedtls_x509write_csr_set_subject_alternative_name(mbedtls_x509write_csr *ct * \param ctx CSR context to use * \param ns_cert_type Netscape Cert Type flags to set * - * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx, unsigned char ns_cert_type); @@ -312,7 +312,7 @@ int mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx, * \param val value of the extension OCTET STRING * \param val_len length of the value data * - * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or a #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_csr_set_extension(mbedtls_x509write_csr *ctx, const char *oid, size_t oid_len, From f5b48c3d9c741d3b8e0519eb3a77ae0a5f7ee9ee Mon Sep 17 00:00:00 2001 From: Felix Conway Date: Mon, 18 Aug 2025 14:52:41 +0100 Subject: [PATCH 3/9] Add Changelog and documentation Signed-off-by: Felix Conway --- ChangeLog.d/unify-errors.txt | 8 ++++++++ docs/4.0-migration-guide/error-codes.md | 14 ++++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 ChangeLog.d/unify-errors.txt diff --git a/ChangeLog.d/unify-errors.txt b/ChangeLog.d/unify-errors.txt new file mode 100644 index 0000000000..3dad7f3b67 --- /dev/null +++ b/ChangeLog.d/unify-errors.txt @@ -0,0 +1,8 @@ +API changes + * Make the following error codes aliases of their PSA equivalents, where + xxx is a module, e.g. X509 or SSL. + MBEDTLS_ERR_xxx_BAD_INPUT_DATA -> PSA_ERROR_INVALID_ARGUMENT + MBEDTLS_ERR_xxx_ALLOC_FAILED -> PSA_ERROR_INSUFFICIENT_MEMORY + MBEDTLS_ERR_xxx_VERIFY_FAILED -> PSA_ERROR_INVALID_SIGNATURE + MBEDTLS_ERR_xxx_INVALID_SIGNATURE -> PSA_ERROR_INVALID_SIGNATURE + MBEDTLS_ERR_xxx_BUFFER_TOO_SMALL -> PSA_ERROR_BUFFER_TOO_SMALL diff --git a/docs/4.0-migration-guide/error-codes.md b/docs/4.0-migration-guide/error-codes.md index 074acc04bb..3bcdb8c580 100644 --- a/docs/4.0-migration-guide/error-codes.md +++ b/docs/4.0-migration-guide/error-codes.md @@ -18,6 +18,8 @@ As a consequence, the functions `mbedtls_low_level_strerr()` and `mbedtls_high_l Many legacy error codes have been removed in favor of PSA error codes. Generally, functions that returned a legacy error code in the table below in Mbed TLS 3.6 now return the PSA error code listed on the same row. Similarly, callbacks should apply the same changes to error code, unless there has been a relevant change to the callback's interface. +#### Specific error codes + | Legacy constant (Mbed TLS 3.6) | PSA constant (Mbed TLS 4.0) | | ------------------------------ | --------------------------- | | `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED` | `PSA_ERROR_CORRUPTION_DETECTED` | @@ -25,4 +27,16 @@ Many legacy error codes have been removed in favor of PSA error codes. Generally | `MBEDTLS_ERR_OID_BUF_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | `MBEDTLS_ERR_OID_NOT_FOUND` | `PSA_ERROR_NOT_SUPPORTED` | +#### General Replacements + +The module-specific error codes in the table below have been replaced with a single PSA error code. Here `xxx` corresponds to all modules (e.g. `X509` or `SSL`) with the specific error code. + +| Legacy constant (Mbed TLS 3.6) | PSA constant (TF-PSA-Crypto 1.0) | +|---------------------------------| ---------------------------------------------- | +| `MBEDTLS_ERR_xxx_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` | +| `MBEDTLS_ERR_xxx_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | +| `MBEDTLS_ERR_xxx_VERIFY_FAILED` | `PSA_ERROR_INVALID_SIGNATURE` | +| `MBEDTLS_ERR_xxx_INVALID_SIGNATURE` | `PSA_ERROR_INVALID_SIGNATURE` | +| `MBEDTLS_ERR_xxx_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | + See also the corresponding section in the TF-PSA-Crypto migration guide, which lists error codes from cryptography modules. From e984d35590a1fc8351a9b01096fa193cf9c76cb6 Mon Sep 17 00:00:00 2001 From: Felix Conway Date: Tue, 19 Aug 2025 10:06:27 +0100 Subject: [PATCH 4/9] Fix ssl tests expecting old X509 error output Signed-off-by: Felix Conway --- tests/ssl-opt.sh | 98 ++++++++++++++++++++++++------------------------ 1 file changed, 49 insertions(+), 49 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d0278b123c..35afb8fcf9 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -5839,7 +5839,7 @@ run_test "Authentication: server badcert, client required" \ -c "! The certificate is not correctly signed by the trusted CA" \ -c "! mbedtls_ssl_handshake returned" \ -c "send alert level=2 message=48" \ - -c "X509 - Certificate verification failed" + -c "Last error was: \(-0x95\|-149\)" # MBEDTLS_X509_BADCERT_NOT_TRUSTED -> MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA # We don't check that the server receives the alert because it might # detect that its write end of the connection is closed and abort @@ -5854,7 +5854,7 @@ run_test "Authentication: server badcert, client required (1.2)" \ -c "! The certificate is not correctly signed by the trusted CA" \ -c "! mbedtls_ssl_handshake returned" \ -c "send alert level=2 message=48" \ - -c "X509 - Certificate verification failed" + -c "Last error was: \(-0x95\|-149\)" # MBEDTLS_X509_BADCERT_NOT_TRUSTED -> MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA run_test "Authentication: server badcert, client optional" \ @@ -5866,7 +5866,7 @@ run_test "Authentication: server badcert, client optional" \ -c "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ -C "send alert level=2 message=48" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: server badcert, client optional (1.2)" \ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -5877,7 +5877,7 @@ run_test "Authentication: server badcert, client optional (1.2)" \ -c "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ -C "send alert level=2 message=48" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: server badcert, client none" \ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -5888,7 +5888,7 @@ run_test "Authentication: server badcert, client none" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ -C "send alert level=2 message=48" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: server badcert, client none (1.2)" \ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -5899,7 +5899,7 @@ run_test "Authentication: server badcert, client none (1.2)" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ -C "send alert level=2 message=48" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: server goodcert, client required, no trusted CA" \ "$P_SRV" \ @@ -5930,7 +5930,7 @@ run_test "Authentication: server goodcert, client optional, no trusted CA" \ -c "! The certificate is not correctly signed by the trusted CA" \ -c "! Certificate verification flags"\ -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" \ + -C "Last error was: \(-0x95\|-149\)" \ -C "SSL - No CA Chain is set, but required to operate" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT @@ -5942,7 +5942,7 @@ run_test "Authentication: server goodcert, client optional, no trusted CA (1. -c "! The certificate is not correctly signed by the trusted CA" \ -c "! Certificate verification flags"\ -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" \ + -C "Last error was: \(-0x95\|-149\)" \ -C "SSL - No CA Chain is set, but required to operate" run_test "Authentication: server goodcert, client none, no trusted CA" \ @@ -5953,7 +5953,7 @@ run_test "Authentication: server goodcert, client none, no trusted CA" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! Certificate verification flags"\ -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" \ + -C "Last error was: \(-0x95\|-149\)" \ -C "SSL - No CA Chain is set, but required to operate" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT @@ -5965,7 +5965,7 @@ run_test "Authentication: server goodcert, client none, no trusted CA (1.2)" -C "! The certificate is not correctly signed by the trusted CA" \ -C "! Certificate verification flags"\ -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" \ + -C "Last error was: \(-0x95\|-149\)" \ -C "SSL - No CA Chain is set, but required to operate" # The next few tests check what happens if the server has a valid certificate @@ -5980,7 +5980,7 @@ run_test "Authentication: hostname match, client required" \ -C "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname match, client required, CA callback" \ "$P_SRV" \ @@ -5992,7 +5992,7 @@ run_test "Authentication: hostname match, client required, CA callback" \ -c "use CA callback for X.509 CRT verification" \ -C "x509_verify_cert() returned -" \ -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname mismatch (wrong), client required" \ "$P_SRV" \ @@ -6001,7 +6001,7 @@ run_test "Authentication: hostname mismatch (wrong), client required" \ -c "does not match with the expected CN" \ -c "x509_verify_cert() returned -" \ -c "! mbedtls_ssl_handshake returned" \ - -c "X509 - Certificate verification failed" + -c "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname mismatch (empty), client required" \ "$P_SRV" \ @@ -6010,7 +6010,7 @@ run_test "Authentication: hostname mismatch (empty), client required" \ -c "does not match with the expected CN" \ -c "x509_verify_cert() returned -" \ -c "! mbedtls_ssl_handshake returned" \ - -c "X509 - Certificate verification failed" + -c "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname mismatch (truncated), client required" \ "$P_SRV" \ @@ -6019,7 +6019,7 @@ run_test "Authentication: hostname mismatch (truncated), client required" \ -c "does not match with the expected CN" \ -c "x509_verify_cert() returned -" \ -c "! mbedtls_ssl_handshake returned" \ - -c "X509 - Certificate verification failed" + -c "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname mismatch (last char), client required" \ "$P_SRV" \ @@ -6028,7 +6028,7 @@ run_test "Authentication: hostname mismatch (last char), client required" \ -c "does not match with the expected CN" \ -c "x509_verify_cert() returned -" \ -c "! mbedtls_ssl_handshake returned" \ - -c "X509 - Certificate verification failed" + -c "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname mismatch (trailing), client required" \ "$P_SRV" \ @@ -6037,7 +6037,7 @@ run_test "Authentication: hostname mismatch (trailing), client required" \ -c "does not match with the expected CN" \ -c "x509_verify_cert() returned -" \ -c "! mbedtls_ssl_handshake returned" \ - -c "X509 - Certificate verification failed" + -c "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname mismatch, client optional" \ "$P_SRV" \ @@ -6045,7 +6045,7 @@ run_test "Authentication: hostname mismatch, client optional" \ 0 \ -c "does not match with the expected CN" \ -c "x509_verify_cert() returned -" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname mismatch, client none" \ "$P_SRV" \ @@ -6055,7 +6055,7 @@ run_test "Authentication: hostname mismatch, client none" \ -C "Certificate verification without having set hostname" \ -C "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname null, client required" \ "$P_SRV" \ @@ -6066,7 +6066,7 @@ run_test "Authentication: hostname null, client required" \ -c "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname null, client optional" \ "$P_SRV" \ @@ -6076,7 +6076,7 @@ run_test "Authentication: hostname null, client optional" \ -C "Certificate verification without having set hostname" \ -c "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname null, client none" \ "$P_SRV" \ @@ -6086,7 +6086,7 @@ run_test "Authentication: hostname null, client none" \ -C "Certificate verification without having set hostname" \ -C "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname unset, client required" \ "$P_SRV" \ @@ -6098,7 +6098,7 @@ run_test "Authentication: hostname unset, client required" \ -c "get_hostname_for_verification() returned -" \ -C "x509_verify_cert() returned -" \ -c "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname unset, client required, CA callback" \ "$P_SRV" \ @@ -6111,7 +6111,7 @@ run_test "Authentication: hostname unset, client required, CA callback" \ -C "use CA callback for X.509 CRT verification" \ -C "x509_verify_cert() returned -" \ -c "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname unset, client optional" \ "$P_SRV" \ @@ -6121,7 +6121,7 @@ run_test "Authentication: hostname unset, client optional" \ -c "Certificate verification without having set hostname" \ -c "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname unset, client none" \ "$P_SRV" \ @@ -6131,7 +6131,7 @@ run_test "Authentication: hostname unset, client none" \ -C "Certificate verification without having set hostname" \ -C "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname unset, client default, server picks cert, 1.2" \ "$P_SRV force_version=tls12 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ @@ -6142,7 +6142,7 @@ run_test "Authentication: hostname unset, client default, server picks cert, 1.2 -C "Certificate verification without CN verification" \ -c "get_hostname_for_verification() returned -" \ -C "x509_verify_cert() returned -" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "Authentication: hostname unset, client default, server picks cert, 1.3" \ @@ -6154,7 +6154,7 @@ run_test "Authentication: hostname unset, client default, server picks cert, 1.3 -C "Certificate verification without CN verification" \ -c "get_hostname_for_verification() returned -" \ -C "x509_verify_cert() returned -" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication: hostname unset, client default, server picks PSK, 1.2" \ "$P_SRV force_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=73776f726466697368 psk_identity=foo" \ @@ -6164,7 +6164,7 @@ run_test "Authentication: hostname unset, client default, server picks PSK, 1.2" -C "Certificate verification without having set hostname" \ -C "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "Authentication: hostname unset, client default, server picks PSK, 1.3" \ @@ -6175,7 +6175,7 @@ run_test "Authentication: hostname unset, client default, server picks PSK, 1.3" -C "Certificate verification without having set hostname" \ -C "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" # The purpose of the next two tests is to test the client's behaviour when receiving a server # certificate with an unsupported elliptic curve. This should usually not happen because @@ -6252,7 +6252,7 @@ run_test "Authentication: client badcert, server required" \ -s "! The certificate is not correctly signed by the trusted CA" \ -s "! mbedtls_ssl_handshake returned" \ -s "send alert level=2 message=48" \ - -s "X509 - Certificate verification failed" + -s "Last error was: \(-0x95\|-149\)" # We don't check that the client receives the alert because it might # detect that its write end of the connection is closed and abort # before reading the alert message. @@ -6270,7 +6270,7 @@ run_test "Authentication: client cert self-signed and trusted, server require -S "skip parse certificate verify" \ -S "x509_verify_cert() returned" \ -S "! The certificate is not correctly signed" \ - -S "X509 - Certificate verification failed" + -S "Last error was: \(-0x95\|-149\)" run_test "Authentication: client cert not trusted, server required" \ "$P_SRV debug_level=3 auth_mode=required" \ @@ -6286,7 +6286,7 @@ run_test "Authentication: client cert not trusted, server required" \ -s "x509_verify_cert() returned" \ -s "! The certificate is not correctly signed by the trusted CA" \ -s "! mbedtls_ssl_handshake returned" \ - -s "X509 - Certificate verification failed" + -s "Last error was: \(-0x95\|-149\)" run_test "Authentication: client badcert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional" \ @@ -6303,7 +6303,7 @@ run_test "Authentication: client badcert, server optional" \ -s "! The certificate is not correctly signed by the trusted CA" \ -S "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \ - -S "X509 - Certificate verification failed" + -S "Last error was: \(-0x95\|-149\)" run_test "Authentication: client badcert, server none" \ "$P_SRV debug_level=3 auth_mode=none" \ @@ -6320,7 +6320,7 @@ run_test "Authentication: client badcert, server none" \ -S "! The certificate is not correctly signed by the trusted CA" \ -S "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \ - -S "X509 - Certificate verification failed" + -S "Last error was: \(-0x95\|-149\)" run_test "Authentication: client no cert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional" \ @@ -6336,7 +6336,7 @@ run_test "Authentication: client no cert, server optional" \ -s "! Certificate was missing" \ -S "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \ - -S "X509 - Certificate verification failed" + -S "Last error was: \(-0x95\|-149\)" requires_openssl_tls1_3_with_compatible_ephemeral run_test "Authentication: openssl client no cert, server optional" \ @@ -6347,7 +6347,7 @@ run_test "Authentication: openssl client no cert, server optional" \ -s "skip parse certificate verify" \ -s "! Certificate was missing" \ -S "! mbedtls_ssl_handshake returned" \ - -S "X509 - Certificate verification failed" + -S "Last error was: \(-0x95\|-149\)" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Authentication: client no cert, openssl server optional" \ @@ -6483,7 +6483,7 @@ run_test "Authentication: send CA list in CertificateRequest, client self sig -s "! The certificate is not correctly signed by the trusted CA" \ -s "! mbedtls_ssl_handshake returned" \ -c "! mbedtls_ssl_handshake returned" \ - -s "X509 - Certificate verification failed" + -s "Last error was: \(-0x95\|-149\)" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: send alt conf DN hints in CertificateRequest" \ @@ -6530,7 +6530,7 @@ run_test "Authentication, CA callback: server badcert, client required" \ -c "x509_verify_cert() returned" \ -c "! The certificate is not correctly signed by the trusted CA" \ -c "! mbedtls_ssl_handshake returned" \ - -c "X509 - Certificate verification failed" + -c "Last error was: \(-0x95\|-149\)" run_test "Authentication, CA callback: server badcert, client optional" \ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -6541,7 +6541,7 @@ run_test "Authentication, CA callback: server badcert, client optional" \ -c "x509_verify_cert() returned" \ -c "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" run_test "Authentication, CA callback: server badcert, client none" \ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -6552,7 +6552,7 @@ run_test "Authentication, CA callback: server badcert, client none" \ -C "x509_verify_cert() returned" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" # The purpose of the next two tests is to test the client's behaviour when receiving a server # certificate with an unsupported elliptic curve. This should usually not happen because @@ -6619,7 +6619,7 @@ run_test "Authentication, CA callback: client badcert, server required" \ -s "! The certificate is not correctly signed by the trusted CA" \ -s "! mbedtls_ssl_handshake returned" \ -s "send alert level=2 message=48" \ - -s "X509 - Certificate verification failed" + -s "Last error was: \(-0x95\|-149\)" # We don't check that the client receives the alert because it might # detect that its write end of the connection is closed and abort # before reading the alert message. @@ -6639,7 +6639,7 @@ run_test "Authentication, CA callback: client cert not trusted, server requir -s "x509_verify_cert() returned" \ -s "! The certificate is not correctly signed by the trusted CA" \ -s "! mbedtls_ssl_handshake returned" \ - -s "X509 - Certificate verification failed" + -s "Last error was: \(-0x95\|-149\)" run_test "Authentication, CA callback: client badcert, server optional" \ "$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \ @@ -6657,7 +6657,7 @@ run_test "Authentication, CA callback: client badcert, server optional" \ -s "! The certificate is not correctly signed by the trusted CA" \ -S "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \ - -S "X509 - Certificate verification failed" + -S "Last error was: \(-0x95\|-149\)" requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer @@ -9498,7 +9498,7 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \ -C "mbedtls_pk_sign.*\(4b00\|-248\)" \ -c "! The certificate is not correctly signed by the trusted CA" \ -c "! mbedtls_ssl_handshake returned" \ - -c "X509 - Certificate verification failed" + -c "Last error was: \(-0x95\|-149\)" # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE @@ -9518,7 +9518,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_P -c "mbedtls_pk_sign.*\(4b00\|-248\)" \ -c "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). @@ -9538,7 +9538,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA) -c "mbedtls_pk_sign.*\(4b00\|-248\)" \ -c "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE @@ -9558,7 +9558,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" -c "mbedtls_pk_sign.*\(4b00\|-248\)" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). @@ -9578,7 +9578,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \ -c "mbedtls_pk_sign.*\(4b00\|-248\)" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ - -C "X509 - Certificate verification failed" + -C "Last error was: \(-0x95\|-149\)" # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE From a15729d38e8469e3ccb4238052e22ad41e743dd1 Mon Sep 17 00:00:00 2001 From: Felix Conway Date: Tue, 19 Aug 2025 13:35:19 +0100 Subject: [PATCH 5/9] Fix libtestdriver1 rewrite in include/mbedtls/private Signed-off-by: Felix Conway --- tests/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/Makefile b/tests/Makefile index 3a6f0e62ea..a52bc32f57 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -369,6 +369,7 @@ libtestdriver1.a: perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/include/*/*.h perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/core/*.[ch] perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/include/*/*.h + perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/include/*/*/*.h perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/drivers/builtin/include/*/*.h perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/drivers/builtin/include/*/*/*.h perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/drivers/builtin/src/*.[ch] From 07eb02889efd9d3d72ab1dad7f4dab0a96731c46 Mon Sep 17 00:00:00 2001 From: Felix Conway Date: Thu, 28 Aug 2025 11:54:46 +0100 Subject: [PATCH 6/9] Remove a redundant error test case and improve another Signed-off-by: Felix Conway --- tests/suites/test_suite_error.data | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tests/suites/test_suite_error.data b/tests/suites/test_suite_error.data index e496841cf0..8565098286 100644 --- a/tests/suites/test_suite_error.data +++ b/tests/suites/test_suite_error.data @@ -3,12 +3,8 @@ depends_on:MBEDTLS_AES_C error_strerror:-0x0020:"AES - Invalid key length" Single high error -depends_on:MBEDTLS_RSA_C -error_strerror:-0x4200:"RSA - Key failed to pass the validity check of the library" - -Low and high error -depends_on:MBEDTLS_AES_C:MBEDTLS_RSA_C -error_strerror:-0x4220:"RSA - Key failed to pass the validity check of the library \: AES - Invalid key length" +depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C:MBEDTLS_X509_CRT_PARSE_C +error_strerror:-0x2280:"X509 - The serial tag or value is invalid" Non existing high error error_strerror:-0x8880:"UNKNOWN ERROR CODE (8880)" From a01ddf65b7f58dc145ac3be10d1eac7365a74b7a Mon Sep 17 00:00:00 2001 From: Felix Conway Date: Thu, 28 Aug 2025 14:18:43 +0100 Subject: [PATCH 7/9] Revert unification for some error codes Signed-off-by: Felix Conway --- ChangeLog.d/unify-errors.txt | 1 - include/mbedtls/pkcs7.h | 2 +- include/mbedtls/x509.h | 6 +-- include/mbedtls/x509_crt.h | 12 ++--- tests/ssl-opt.sh | 98 ++++++++++++++++++------------------ 5 files changed, 59 insertions(+), 60 deletions(-) diff --git a/ChangeLog.d/unify-errors.txt b/ChangeLog.d/unify-errors.txt index 3dad7f3b67..0ed56ba305 100644 --- a/ChangeLog.d/unify-errors.txt +++ b/ChangeLog.d/unify-errors.txt @@ -4,5 +4,4 @@ API changes MBEDTLS_ERR_xxx_BAD_INPUT_DATA -> PSA_ERROR_INVALID_ARGUMENT MBEDTLS_ERR_xxx_ALLOC_FAILED -> PSA_ERROR_INSUFFICIENT_MEMORY MBEDTLS_ERR_xxx_VERIFY_FAILED -> PSA_ERROR_INVALID_SIGNATURE - MBEDTLS_ERR_xxx_INVALID_SIGNATURE -> PSA_ERROR_INVALID_SIGNATURE MBEDTLS_ERR_xxx_BUFFER_TOO_SMALL -> PSA_ERROR_BUFFER_TOO_SMALL diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index cf9e4407ce..957ca53d71 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -53,7 +53,7 @@ #define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x5480 /**< The PKCS #7 content info is invalid or cannot be parsed. */ #define MBEDTLS_ERR_PKCS7_INVALID_ALG -0x5500 /**< The algorithm tag or value is invalid or cannot be parsed. */ #define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x5580 /**< The certificate tag or value is invalid or cannot be parsed. */ -#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE PSA_ERROR_INVALID_SIGNATURE /**< Error parsing the signature */ +#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE -0x5600 /**< Error parsing the signature */ #define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO -0x5680 /**< Error parsing the signer's info */ #define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA PSA_ERROR_INVALID_ARGUMENT /**< Input invalid. */ #define MBEDTLS_ERR_PKCS7_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY /**< Allocation of memory failed. */ diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index a021a7d996..3cced52f47 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -58,7 +58,7 @@ /** The date tag or value is invalid. */ #define MBEDTLS_ERR_X509_INVALID_DATE -0x2400 /** The signature tag or value invalid. */ -#define MBEDTLS_ERR_X509_INVALID_SIGNATURE PSA_ERROR_INVALID_SIGNATURE +#define MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 /** The extension tag or value is invalid. */ #define MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 /** CRT/CRL/CSR has an unsupported version number. */ @@ -68,11 +68,11 @@ /** Signature algorithms do not match. (see \c ::mbedtls_x509_crt sig_oid) */ #define MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 /** Certificate verification failed, e.g. CRL, CA or signature check failed. */ -#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED PSA_ERROR_INVALID_SIGNATURE +#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 /** Format not recognized as DER or PEM. */ #define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 /** Input invalid. */ -#define MBEDTLS_ERR_X509_BAD_INPUT_DATA PSA_ERROR_INVALID_ARGUMENT +#define MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 /** Allocation of memory failed. */ #define MBEDTLS_ERR_X509_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY /** Read/write of file failed. */ diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 6b81652bb0..61986483bb 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -610,7 +610,7 @@ int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, * other than fatal error, as a non-zero return code * immediately aborts the verification process. For fatal * errors, a specific error code should be used (different - * from #PSA_ERROR_INVALID_SIGNATURE which should not + * from #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not * be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR * can be used if no better code is available. * @@ -653,7 +653,7 @@ int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, * * \return \c 0 if the chain is valid with respect to the * passed CN, CAs, CRLs and security profile. - * \return #PSA_ERROR_INVALID_SIGNATURE in case the + * \return #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the * certificate chain verification failed. In this case, * \c *flags will have one or more * \c MBEDTLS_X509_BADCERT_XXX or \c MBEDTLS_X509_BADCRL_XXX @@ -694,7 +694,7 @@ int mbedtls_x509_crt_verify(mbedtls_x509_crt *crt, * * \return \c 0 if the chain is valid with respect to the * passed CN, CAs, CRLs and security profile. - * \return #PSA_ERROR_INVALID_SIGNATURE in case the + * \return #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the * certificate chain verification failed. In this case, * \c *flags will have one or more * \c MBEDTLS_X509_BADCERT_XXX or \c MBEDTLS_X509_BADCRL_XXX @@ -826,7 +826,7 @@ int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt, * that bit MAY be set. * * \return 0 is these uses of the certificate are allowed, - * #PSA_ERROR_INVALID_ARGUMENT if the keyUsage extension + * #MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension * is present but does not match the usage argument. * * \note You should only call this function on leaf certificates, on @@ -845,7 +845,7 @@ int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). * * \return 0 if this use of the certificate is allowed, - * #PSA_ERROR_INVALID_ARGUMENT if not. + * #MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. * * \note Usually only makes sense on leaf certificates. */ @@ -952,7 +952,7 @@ void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version) * input buffer * * \return 0 if successful, or - * #PSA_ERROR_INVALID_ARGUMENT if the provided input buffer + * #MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer * is too big (longer than MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) */ int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx, diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 35afb8fcf9..d0278b123c 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -5839,7 +5839,7 @@ run_test "Authentication: server badcert, client required" \ -c "! The certificate is not correctly signed by the trusted CA" \ -c "! mbedtls_ssl_handshake returned" \ -c "send alert level=2 message=48" \ - -c "Last error was: \(-0x95\|-149\)" + -c "X509 - Certificate verification failed" # MBEDTLS_X509_BADCERT_NOT_TRUSTED -> MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA # We don't check that the server receives the alert because it might # detect that its write end of the connection is closed and abort @@ -5854,7 +5854,7 @@ run_test "Authentication: server badcert, client required (1.2)" \ -c "! The certificate is not correctly signed by the trusted CA" \ -c "! mbedtls_ssl_handshake returned" \ -c "send alert level=2 message=48" \ - -c "Last error was: \(-0x95\|-149\)" + -c "X509 - Certificate verification failed" # MBEDTLS_X509_BADCERT_NOT_TRUSTED -> MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA run_test "Authentication: server badcert, client optional" \ @@ -5866,7 +5866,7 @@ run_test "Authentication: server badcert, client optional" \ -c "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ -C "send alert level=2 message=48" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: server badcert, client optional (1.2)" \ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -5877,7 +5877,7 @@ run_test "Authentication: server badcert, client optional (1.2)" \ -c "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ -C "send alert level=2 message=48" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: server badcert, client none" \ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -5888,7 +5888,7 @@ run_test "Authentication: server badcert, client none" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ -C "send alert level=2 message=48" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: server badcert, client none (1.2)" \ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -5899,7 +5899,7 @@ run_test "Authentication: server badcert, client none (1.2)" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ -C "send alert level=2 message=48" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: server goodcert, client required, no trusted CA" \ "$P_SRV" \ @@ -5930,7 +5930,7 @@ run_test "Authentication: server goodcert, client optional, no trusted CA" \ -c "! The certificate is not correctly signed by the trusted CA" \ -c "! Certificate verification flags"\ -C "! mbedtls_ssl_handshake returned" \ - -C "Last error was: \(-0x95\|-149\)" \ + -C "X509 - Certificate verification failed" \ -C "SSL - No CA Chain is set, but required to operate" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT @@ -5942,7 +5942,7 @@ run_test "Authentication: server goodcert, client optional, no trusted CA (1. -c "! The certificate is not correctly signed by the trusted CA" \ -c "! Certificate verification flags"\ -C "! mbedtls_ssl_handshake returned" \ - -C "Last error was: \(-0x95\|-149\)" \ + -C "X509 - Certificate verification failed" \ -C "SSL - No CA Chain is set, but required to operate" run_test "Authentication: server goodcert, client none, no trusted CA" \ @@ -5953,7 +5953,7 @@ run_test "Authentication: server goodcert, client none, no trusted CA" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! Certificate verification flags"\ -C "! mbedtls_ssl_handshake returned" \ - -C "Last error was: \(-0x95\|-149\)" \ + -C "X509 - Certificate verification failed" \ -C "SSL - No CA Chain is set, but required to operate" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT @@ -5965,7 +5965,7 @@ run_test "Authentication: server goodcert, client none, no trusted CA (1.2)" -C "! The certificate is not correctly signed by the trusted CA" \ -C "! Certificate verification flags"\ -C "! mbedtls_ssl_handshake returned" \ - -C "Last error was: \(-0x95\|-149\)" \ + -C "X509 - Certificate verification failed" \ -C "SSL - No CA Chain is set, but required to operate" # The next few tests check what happens if the server has a valid certificate @@ -5980,7 +5980,7 @@ run_test "Authentication: hostname match, client required" \ -C "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ -C "! mbedtls_ssl_handshake returned" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: hostname match, client required, CA callback" \ "$P_SRV" \ @@ -5992,7 +5992,7 @@ run_test "Authentication: hostname match, client required, CA callback" \ -c "use CA callback for X.509 CRT verification" \ -C "x509_verify_cert() returned -" \ -C "! mbedtls_ssl_handshake returned" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: hostname mismatch (wrong), client required" \ "$P_SRV" \ @@ -6001,7 +6001,7 @@ run_test "Authentication: hostname mismatch (wrong), client required" \ -c "does not match with the expected CN" \ -c "x509_verify_cert() returned -" \ -c "! mbedtls_ssl_handshake returned" \ - -c "Last error was: \(-0x95\|-149\)" + -c "X509 - Certificate verification failed" run_test "Authentication: hostname mismatch (empty), client required" \ "$P_SRV" \ @@ -6010,7 +6010,7 @@ run_test "Authentication: hostname mismatch (empty), client required" \ -c "does not match with the expected CN" \ -c "x509_verify_cert() returned -" \ -c "! mbedtls_ssl_handshake returned" \ - -c "Last error was: \(-0x95\|-149\)" + -c "X509 - Certificate verification failed" run_test "Authentication: hostname mismatch (truncated), client required" \ "$P_SRV" \ @@ -6019,7 +6019,7 @@ run_test "Authentication: hostname mismatch (truncated), client required" \ -c "does not match with the expected CN" \ -c "x509_verify_cert() returned -" \ -c "! mbedtls_ssl_handshake returned" \ - -c "Last error was: \(-0x95\|-149\)" + -c "X509 - Certificate verification failed" run_test "Authentication: hostname mismatch (last char), client required" \ "$P_SRV" \ @@ -6028,7 +6028,7 @@ run_test "Authentication: hostname mismatch (last char), client required" \ -c "does not match with the expected CN" \ -c "x509_verify_cert() returned -" \ -c "! mbedtls_ssl_handshake returned" \ - -c "Last error was: \(-0x95\|-149\)" + -c "X509 - Certificate verification failed" run_test "Authentication: hostname mismatch (trailing), client required" \ "$P_SRV" \ @@ -6037,7 +6037,7 @@ run_test "Authentication: hostname mismatch (trailing), client required" \ -c "does not match with the expected CN" \ -c "x509_verify_cert() returned -" \ -c "! mbedtls_ssl_handshake returned" \ - -c "Last error was: \(-0x95\|-149\)" + -c "X509 - Certificate verification failed" run_test "Authentication: hostname mismatch, client optional" \ "$P_SRV" \ @@ -6045,7 +6045,7 @@ run_test "Authentication: hostname mismatch, client optional" \ 0 \ -c "does not match with the expected CN" \ -c "x509_verify_cert() returned -" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: hostname mismatch, client none" \ "$P_SRV" \ @@ -6055,7 +6055,7 @@ run_test "Authentication: hostname mismatch, client none" \ -C "Certificate verification without having set hostname" \ -C "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: hostname null, client required" \ "$P_SRV" \ @@ -6066,7 +6066,7 @@ run_test "Authentication: hostname null, client required" \ -c "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ -C "! mbedtls_ssl_handshake returned" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: hostname null, client optional" \ "$P_SRV" \ @@ -6076,7 +6076,7 @@ run_test "Authentication: hostname null, client optional" \ -C "Certificate verification without having set hostname" \ -c "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: hostname null, client none" \ "$P_SRV" \ @@ -6086,7 +6086,7 @@ run_test "Authentication: hostname null, client none" \ -C "Certificate verification without having set hostname" \ -C "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: hostname unset, client required" \ "$P_SRV" \ @@ -6098,7 +6098,7 @@ run_test "Authentication: hostname unset, client required" \ -c "get_hostname_for_verification() returned -" \ -C "x509_verify_cert() returned -" \ -c "! mbedtls_ssl_handshake returned" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: hostname unset, client required, CA callback" \ "$P_SRV" \ @@ -6111,7 +6111,7 @@ run_test "Authentication: hostname unset, client required, CA callback" \ -C "use CA callback for X.509 CRT verification" \ -C "x509_verify_cert() returned -" \ -c "! mbedtls_ssl_handshake returned" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: hostname unset, client optional" \ "$P_SRV" \ @@ -6121,7 +6121,7 @@ run_test "Authentication: hostname unset, client optional" \ -c "Certificate verification without having set hostname" \ -c "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: hostname unset, client none" \ "$P_SRV" \ @@ -6131,7 +6131,7 @@ run_test "Authentication: hostname unset, client none" \ -C "Certificate verification without having set hostname" \ -C "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: hostname unset, client default, server picks cert, 1.2" \ "$P_SRV force_version=tls12 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \ @@ -6142,7 +6142,7 @@ run_test "Authentication: hostname unset, client default, server picks cert, 1.2 -C "Certificate verification without CN verification" \ -c "get_hostname_for_verification() returned -" \ -C "x509_verify_cert() returned -" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED run_test "Authentication: hostname unset, client default, server picks cert, 1.3" \ @@ -6154,7 +6154,7 @@ run_test "Authentication: hostname unset, client default, server picks cert, 1.3 -C "Certificate verification without CN verification" \ -c "get_hostname_for_verification() returned -" \ -C "x509_verify_cert() returned -" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication: hostname unset, client default, server picks PSK, 1.2" \ "$P_SRV force_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=73776f726466697368 psk_identity=foo" \ @@ -6164,7 +6164,7 @@ run_test "Authentication: hostname unset, client default, server picks PSK, 1.2" -C "Certificate verification without having set hostname" \ -C "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "Authentication: hostname unset, client default, server picks PSK, 1.3" \ @@ -6175,7 +6175,7 @@ run_test "Authentication: hostname unset, client default, server picks PSK, 1.3" -C "Certificate verification without having set hostname" \ -C "Certificate verification without CN verification" \ -C "x509_verify_cert() returned -" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" # The purpose of the next two tests is to test the client's behaviour when receiving a server # certificate with an unsupported elliptic curve. This should usually not happen because @@ -6252,7 +6252,7 @@ run_test "Authentication: client badcert, server required" \ -s "! The certificate is not correctly signed by the trusted CA" \ -s "! mbedtls_ssl_handshake returned" \ -s "send alert level=2 message=48" \ - -s "Last error was: \(-0x95\|-149\)" + -s "X509 - Certificate verification failed" # We don't check that the client receives the alert because it might # detect that its write end of the connection is closed and abort # before reading the alert message. @@ -6270,7 +6270,7 @@ run_test "Authentication: client cert self-signed and trusted, server require -S "skip parse certificate verify" \ -S "x509_verify_cert() returned" \ -S "! The certificate is not correctly signed" \ - -S "Last error was: \(-0x95\|-149\)" + -S "X509 - Certificate verification failed" run_test "Authentication: client cert not trusted, server required" \ "$P_SRV debug_level=3 auth_mode=required" \ @@ -6286,7 +6286,7 @@ run_test "Authentication: client cert not trusted, server required" \ -s "x509_verify_cert() returned" \ -s "! The certificate is not correctly signed by the trusted CA" \ -s "! mbedtls_ssl_handshake returned" \ - -s "Last error was: \(-0x95\|-149\)" + -s "X509 - Certificate verification failed" run_test "Authentication: client badcert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional" \ @@ -6303,7 +6303,7 @@ run_test "Authentication: client badcert, server optional" \ -s "! The certificate is not correctly signed by the trusted CA" \ -S "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \ - -S "Last error was: \(-0x95\|-149\)" + -S "X509 - Certificate verification failed" run_test "Authentication: client badcert, server none" \ "$P_SRV debug_level=3 auth_mode=none" \ @@ -6320,7 +6320,7 @@ run_test "Authentication: client badcert, server none" \ -S "! The certificate is not correctly signed by the trusted CA" \ -S "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \ - -S "Last error was: \(-0x95\|-149\)" + -S "X509 - Certificate verification failed" run_test "Authentication: client no cert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional" \ @@ -6336,7 +6336,7 @@ run_test "Authentication: client no cert, server optional" \ -s "! Certificate was missing" \ -S "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \ - -S "Last error was: \(-0x95\|-149\)" + -S "X509 - Certificate verification failed" requires_openssl_tls1_3_with_compatible_ephemeral run_test "Authentication: openssl client no cert, server optional" \ @@ -6347,7 +6347,7 @@ run_test "Authentication: openssl client no cert, server optional" \ -s "skip parse certificate verify" \ -s "! Certificate was missing" \ -S "! mbedtls_ssl_handshake returned" \ - -S "Last error was: \(-0x95\|-149\)" + -S "X509 - Certificate verification failed" requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 run_test "Authentication: client no cert, openssl server optional" \ @@ -6483,7 +6483,7 @@ run_test "Authentication: send CA list in CertificateRequest, client self sig -s "! The certificate is not correctly signed by the trusted CA" \ -s "! mbedtls_ssl_handshake returned" \ -c "! mbedtls_ssl_handshake returned" \ - -s "Last error was: \(-0x95\|-149\)" + -s "X509 - Certificate verification failed" requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: send alt conf DN hints in CertificateRequest" \ @@ -6530,7 +6530,7 @@ run_test "Authentication, CA callback: server badcert, client required" \ -c "x509_verify_cert() returned" \ -c "! The certificate is not correctly signed by the trusted CA" \ -c "! mbedtls_ssl_handshake returned" \ - -c "Last error was: \(-0x95\|-149\)" + -c "X509 - Certificate verification failed" run_test "Authentication, CA callback: server badcert, client optional" \ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -6541,7 +6541,7 @@ run_test "Authentication, CA callback: server badcert, client optional" \ -c "x509_verify_cert() returned" \ -c "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" run_test "Authentication, CA callback: server badcert, client none" \ "$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \ @@ -6552,7 +6552,7 @@ run_test "Authentication, CA callback: server badcert, client none" \ -C "x509_verify_cert() returned" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" # The purpose of the next two tests is to test the client's behaviour when receiving a server # certificate with an unsupported elliptic curve. This should usually not happen because @@ -6619,7 +6619,7 @@ run_test "Authentication, CA callback: client badcert, server required" \ -s "! The certificate is not correctly signed by the trusted CA" \ -s "! mbedtls_ssl_handshake returned" \ -s "send alert level=2 message=48" \ - -s "Last error was: \(-0x95\|-149\)" + -s "X509 - Certificate verification failed" # We don't check that the client receives the alert because it might # detect that its write end of the connection is closed and abort # before reading the alert message. @@ -6639,7 +6639,7 @@ run_test "Authentication, CA callback: client cert not trusted, server requir -s "x509_verify_cert() returned" \ -s "! The certificate is not correctly signed by the trusted CA" \ -s "! mbedtls_ssl_handshake returned" \ - -s "Last error was: \(-0x95\|-149\)" + -s "X509 - Certificate verification failed" run_test "Authentication, CA callback: client badcert, server optional" \ "$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \ @@ -6657,7 +6657,7 @@ run_test "Authentication, CA callback: client badcert, server optional" \ -s "! The certificate is not correctly signed by the trusted CA" \ -S "! mbedtls_ssl_handshake returned" \ -C "! mbedtls_ssl_handshake returned" \ - -S "Last error was: \(-0x95\|-149\)" + -S "X509 - Certificate verification failed" requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA requires_full_size_output_buffer @@ -9498,7 +9498,7 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \ -C "mbedtls_pk_sign.*\(4b00\|-248\)" \ -c "! The certificate is not correctly signed by the trusted CA" \ -c "! mbedtls_ssl_handshake returned" \ - -c "Last error was: \(-0x95\|-149\)" + -c "X509 - Certificate verification failed" # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE @@ -9518,7 +9518,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (no USE_P -c "mbedtls_pk_sign.*\(4b00\|-248\)" \ -c "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). @@ -9538,7 +9538,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign (USE_PSA) -c "mbedtls_pk_sign.*\(4b00\|-248\)" \ -c "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE @@ -9558,7 +9558,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (no USE_PSA)" -c "mbedtls_pk_sign.*\(4b00\|-248\)" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" # With USE_PSA enabled we expect only partial restartable behaviour: # everything except ECDH (where TLS calls PSA directly). @@ -9578,7 +9578,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign (USE_PSA)" \ -c "mbedtls_pk_sign.*\(4b00\|-248\)" \ -C "! The certificate is not correctly signed by the trusted CA" \ -C "! mbedtls_ssl_handshake returned" \ - -C "Last error was: \(-0x95\|-149\)" + -C "X509 - Certificate verification failed" # With USE_PSA disabled we expect full restartable behaviour. requires_config_enabled MBEDTLS_ECP_RESTARTABLE From 6361e54b221b7f8a065bd6a6bef502f5109a4851 Mon Sep 17 00:00:00 2001 From: Felix Conway Date: Thu, 28 Aug 2025 14:30:04 +0100 Subject: [PATCH 8/9] Add each whole unified error code to the migration guide Signed-off-by: Felix Conway --- docs/4.0-migration-guide/error-codes.md | 33 +++++++++++-------------- 1 file changed, 14 insertions(+), 19 deletions(-) diff --git a/docs/4.0-migration-guide/error-codes.md b/docs/4.0-migration-guide/error-codes.md index 3bcdb8c580..ffb1e0e3bb 100644 --- a/docs/4.0-migration-guide/error-codes.md +++ b/docs/4.0-migration-guide/error-codes.md @@ -18,25 +18,20 @@ As a consequence, the functions `mbedtls_low_level_strerr()` and `mbedtls_high_l Many legacy error codes have been removed in favor of PSA error codes. Generally, functions that returned a legacy error code in the table below in Mbed TLS 3.6 now return the PSA error code listed on the same row. Similarly, callbacks should apply the same changes to error code, unless there has been a relevant change to the callback's interface. -#### Specific error codes - -| Legacy constant (Mbed TLS 3.6) | PSA constant (Mbed TLS 4.0) | -| ------------------------------ | --------------------------- | +| Legacy constant (Mbed TLS 3.6) | PSA constant (Mbed TLS 4.0) | +|-----------------------------------------| --------------------------- | | `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED` | `PSA_ERROR_CORRUPTION_DETECTED` | -| `MBEDTLS_ERR_ERROR_GENERIC_ERROR` | `PSA_ERROR_GENERIC_ERROR` | -| `MBEDTLS_ERR_OID_BUF_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` -| `MBEDTLS_ERR_OID_NOT_FOUND` | `PSA_ERROR_NOT_SUPPORTED` | - -#### General Replacements - -The module-specific error codes in the table below have been replaced with a single PSA error code. Here `xxx` corresponds to all modules (e.g. `X509` or `SSL`) with the specific error code. - -| Legacy constant (Mbed TLS 3.6) | PSA constant (TF-PSA-Crypto 1.0) | -|---------------------------------| ---------------------------------------------- | -| `MBEDTLS_ERR_xxx_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` | -| `MBEDTLS_ERR_xxx_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | -| `MBEDTLS_ERR_xxx_VERIFY_FAILED` | `PSA_ERROR_INVALID_SIGNATURE` | -| `MBEDTLS_ERR_xxx_INVALID_SIGNATURE` | `PSA_ERROR_INVALID_SIGNATURE` | -| `MBEDTLS_ERR_xxx_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | +| `MBEDTLS_ERR_ERROR_GENERIC_ERROR` | `PSA_ERROR_GENERIC_ERROR` | +| `MBEDTLS_ERR_OID_NOT_FOUND` | `PSA_ERROR_NOT_SUPPORTED` | +| `MBEDTLS_ERR_OID_BUF_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL`| +| `MBEDTLS_ERR_NET_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | +| `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | +| `MBEDTLS_ERR_X509_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | +| `MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` | +| `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` | +| `MBEDTLS_ERR_PKCS7_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | +| `MBEDTLS_ERR_SSL_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | +| `MBEDTLS_ERR_X509_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | +| `MBEDTLS_ERR_PKCS7_VERIFY_FAILED` | `PSA_ERROR_INVALID_SIGNATURE` | See also the corresponding section in the TF-PSA-Crypto migration guide, which lists error codes from cryptography modules. From 0f7cf1942b8da5a437b25a8b136cb9abb3883da7 Mon Sep 17 00:00:00 2001 From: Felix Conway Date: Fri, 29 Aug 2025 09:41:59 +0100 Subject: [PATCH 9/9] Small documentation fixes Signed-off-by: Felix Conway --- ChangeLog.d/unify-errors.txt | 2 +- docs/4.0-migration-guide/error-codes.md | 22 +++++++++++----------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/ChangeLog.d/unify-errors.txt b/ChangeLog.d/unify-errors.txt index 0ed56ba305..f229f1bc4d 100644 --- a/ChangeLog.d/unify-errors.txt +++ b/ChangeLog.d/unify-errors.txt @@ -3,5 +3,5 @@ API changes xxx is a module, e.g. X509 or SSL. MBEDTLS_ERR_xxx_BAD_INPUT_DATA -> PSA_ERROR_INVALID_ARGUMENT MBEDTLS_ERR_xxx_ALLOC_FAILED -> PSA_ERROR_INSUFFICIENT_MEMORY - MBEDTLS_ERR_xxx_VERIFY_FAILED -> PSA_ERROR_INVALID_SIGNATURE MBEDTLS_ERR_xxx_BUFFER_TOO_SMALL -> PSA_ERROR_BUFFER_TOO_SMALL + MBEDTLS_ERR_PKCS7_VERIFY_FAIL -> PSA_ERROR_INVALID_SIGNATURE diff --git a/docs/4.0-migration-guide/error-codes.md b/docs/4.0-migration-guide/error-codes.md index ffb1e0e3bb..a2744679e0 100644 --- a/docs/4.0-migration-guide/error-codes.md +++ b/docs/4.0-migration-guide/error-codes.md @@ -18,20 +18,20 @@ As a consequence, the functions `mbedtls_low_level_strerr()` and `mbedtls_high_l Many legacy error codes have been removed in favor of PSA error codes. Generally, functions that returned a legacy error code in the table below in Mbed TLS 3.6 now return the PSA error code listed on the same row. Similarly, callbacks should apply the same changes to error code, unless there has been a relevant change to the callback's interface. -| Legacy constant (Mbed TLS 3.6) | PSA constant (Mbed TLS 4.0) | -|-----------------------------------------| --------------------------- | +| Legacy constant (Mbed TLS 3.6) | PSA constant (Mbed TLS 4.0) | +|-----------------------------------------|---------------------------------| | `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED` | `PSA_ERROR_CORRUPTION_DETECTED` | -| `MBEDTLS_ERR_ERROR_GENERIC_ERROR` | `PSA_ERROR_GENERIC_ERROR` | -| `MBEDTLS_ERR_OID_NOT_FOUND` | `PSA_ERROR_NOT_SUPPORTED` | -| `MBEDTLS_ERR_OID_BUF_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL`| -| `MBEDTLS_ERR_NET_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | -| `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | -| `MBEDTLS_ERR_X509_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | -| `MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` | -| `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` | +| `MBEDTLS_ERR_ERROR_GENERIC_ERROR` | `PSA_ERROR_GENERIC_ERROR` | +| `MBEDTLS_ERR_NET_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | +| `MBEDTLS_ERR_OID_BUF_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | +| `MBEDTLS_ERR_OID_NOT_FOUND` | `PSA_ERROR_NOT_SUPPORTED` | | `MBEDTLS_ERR_PKCS7_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | +| `MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` | +| `MBEDTLS_ERR_PKCS7_VERIFY_FAIL` | `PSA_ERROR_INVALID_SIGNATURE` | | `MBEDTLS_ERR_SSL_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | +| `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` | +| `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | | `MBEDTLS_ERR_X509_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | -| `MBEDTLS_ERR_PKCS7_VERIFY_FAILED` | `PSA_ERROR_INVALID_SIGNATURE` | +| `MBEDTLS_ERR_X509_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | See also the corresponding section in the TF-PSA-Crypto migration guide, which lists error codes from cryptography modules.