commit 2fc9a652bca2ba715e90d68b7bb0cbbd998db085
author Hanno Becker <hanno.becker@arm.com> Thu Jun 24 15:40:11 2021 +0100
committer Dave Rodgman <dave.rodgman@arm.com> Mon Jun 28 12:35:08 2021 +0100
tree bbd1cd6ba4ac052576a331e10e7f84179f751ed4
parent 2e3ecda684f867a6304d1611e13859ea1312e5c3

Address review feedback

Signed-off-by: Hanno Becker <hanno.becker@arm.com>

docs/3.0-migration-guide.d/ssl-error-code-cleanup.md

diff --git a/docs/3.0-migration-guide.d/ssl-error-code-cleanup.md b/docs/3.0-migration-guide.d/ssl-error-code-cleanup.md
index cad5a61..ce795e5 100644
--- a/docs/3.0-migration-guide.d/ssl-error-code-cleanup.md
+++ b/docs/3.0-migration-guide.d/ssl-error-code-cleanup.md
@@ -37,5 +37,3 @@
   * `MBEDTLS_ERR_SSL_BAD_CERTIFICATE`
   * `MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME`
   instead.
-
-  Users should check for the generic error codes instead.

library/ssl_cli.c

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index adcac44..1acb3d0 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2558,7 +2558,7 @@
 
     /* First byte is curve_type; only named_curve is handled */
     if( *(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE )
-        return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
 
     /* Next two bytes are the namedcurve value */
     tls_id = *(*p)++;
@@ -2569,7 +2569,7 @@
     if( ( handshake->ecdh_psa_type =
           mbedtls_psa_parse_tls_ecc_group( tls_id, &ecdh_bits ) ) == 0 )
     {
-        return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
     }
     if( ecdh_bits > 0xffff )
         return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
@@ -2631,7 +2631,7 @@
     {
         MBEDTLS_SSL_DEBUG_MSG( 1,
             ( "bad server key exchange message (ECDHE curve)" ) );
-        return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
     }
 
     return( ret );
@@ -2801,7 +2801,7 @@
     {
         MBEDTLS_SSL_DEBUG_MSG( 1,
             ( "Server used unsupported HashAlgorithm %d", *(p)[0] ) );
-        return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
     }
 
     /*

library/ssl_srv.c

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index a7de9f4..2c801ef 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1785,7 +1785,7 @@
                                             "during renegotiation" ) );
                 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
                                                 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
-                return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+                return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
             }
 #endif
             ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index e8ca5e1..eb3dcc2 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1907,8 +1907,8 @@
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
             mbedtls_ssl_send_alert_message( ssl,
                             MBEDTLS_SSL_ALERT_LEVEL_FATAL,
-                            MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
-            return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+            return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
         }
 
         /* Read length of the next CRT in the chain. */