commit 34d5e931cf50a0647d13b05ac1577333b2c8a249
author Nick Child <nick.child@ibm.com> Wed Sep 14 14:44:03 2022 -0500
committer Nick Child <nick.child@ibm.com> Wed Sep 14 14:44:03 2022 -0500
tree 0344cd173d306f5844cf7d1fb5018759fd74e2ce
parent 7089ce83812a13191ba4f3af4b68e840d4660693

pkcs7: Use better return code for unimplemented specifications

In response to feedback [1] [2], use MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
instead of MBEDTLS_ERR_PKCS7_INVALID_FORMAT for errors due to the
pkcs7 implemntation being incomplete.

[1] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953649079
[2] https://github.com/Mbed-TLS/mbedtls/pull/3431#discussion_r953658276

Signed-off-by: Nick Child <nick.child@ibm.com>

library/pkcs7.c

diff --git a/library/pkcs7.c b/library/pkcs7.c
index 3178ddc..9dcbab2 100644
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@@ -168,7 +168,6 @@
 
     end = *p + len;
 
-    /** For now, it assumes there is only one digest algorithm specified **/
     ret = mbedtls_asn1_get_alg_null( p, end, alg );
     if( ret != 0 )
     {
@@ -176,8 +175,9 @@
         goto out;
     }
 
+    /** For now, it assumes there is only one digest algorithm specified **/
     if ( *p != end )
-        ret = MBEDTLS_ERR_PKCS7_INVALID_FORMAT;
+        ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
 
 out:
     return( ret );
@@ -231,7 +231,7 @@
      */
     if (end_cert != end_set)
     {
-        ret = MBEDTLS_ERR_PKCS7_INVALID_CERT;
+        ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
         goto out;
     }