cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-09-13 09:05:08 -04:00
Code Issues Packages Projects Releases Wiki Activity

Add SSL error code updates from #4724

Browse Source 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
This commit is contained in:
Dave Rodgman 2021-06-30 09:46:07 +01:00
parent 7078973b7b
commit b491b2b051
1 changed files with 25 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
docs/3.0-migration-guide.md
View File

@ -902,7 +902,7 @@ find themselves unable to migrate their session cache functionality without
accessing fields of `mbedtls_ssl_session` should describe their use case accessing fields of `mbedtls_ssl_session` should describe their use case
on the Mbed TLS mailing list. on the Mbed TLS mailing list.
### Removal of some SSL error codes ### Changes in the SSL error code space
This affects users manually checking for the following error codes: This affects users manually checking for the following error codes:
@ -916,11 +916,11 @@ This affects users manually checking for the following error codes:
Migration paths: Migration paths:
- `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED` and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH` - `MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED` and `MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH`
should never be returned from Mbed TLS, and there is no need to check for it. should never be returned from Mbed TLS, and there is no need to check for it.
Users should simply remove manual checks for those codes, and let the Mbed TLS Users should simply remove manual checks for those codes, and let the Mbed TLS
team know if — contrary to the team's understanding — there is in fact a situation team know if — contrary to the team's understanding — there is in fact a situation
where one of them was ever returned. where one of them was ever returned.
- `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` has been removed, and - `MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE` has been removed, and
`MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` is returned instead if the user's own certificate `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` is returned instead if the user's own certificate
is too large to fit into the output buffers. is too large to fit into the output buffers.
@ -928,10 +928,29 @@ Migration paths:
Users should check for `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead, and potentially Users should check for `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` instead, and potentially
compare the size of their own certificate against the configured size of the output buffer to compare the size of their own certificate against the configured size of the output buffer to
understand if the error is due to an overly large certificate. understand if the error is due to an overly large certificate.
- `MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN` and `MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE` have been replaced by `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE`
- all codes of the form `MBEDTLS_ERR_SSL_BAD_HS_XXX` have been replaced by various alternatives. - `MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN` and `MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE` have been
replaced by `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE`.
- All codes of the form `MBEDTLS_ERR_SSL_BAD_HS_XXX` have been replaced by various alternatives.
Users should check for the newly introduced generic error codes
* `MBEDTLS_ERR_SSL_DECODE_ERROR`
* `MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER`,
* `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE`
* `MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION`
* `MBEDTLS_ERR_SSL_BAD_CERTIFICATE`
* `MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME`
* `MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION`
* `MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL`
and the pre-existing generic error codes
* `MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE`
* `MBEDTLS_ERR_SSL_INTERNAL_ERROR`
instead.
### Modified semantics of `mbedtls_ssl_{get,set}_session()` ### Modified semantics of `mbedtls_ssl_{get,set}_session()`