Unify generic errors to PSA errors

Signed-off-by: Felix Conway <felix.conway@arm.com>
diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h
index 8e69bc0..f4eb683 100644
--- a/include/mbedtls/net_sockets.h
+++ b/include/mbedtls/net_sockets.h
@@ -53,7 +53,7 @@
 /** Failed to get an IP address for the given hostname. */
 #define MBEDTLS_ERR_NET_UNKNOWN_HOST                      -0x0052
 /** Buffer is too small to hold the data. */
-#define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL                  -0x0043
+#define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL                  PSA_ERROR_BUFFER_TOO_SMALL
 /** The context is invalid, eg because it was free()ed. */
 #define MBEDTLS_ERR_NET_INVALID_CONTEXT                   -0x0045
 /** Polling the net context failed. */
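Review bot: `MBEDTLS_ERR_NET_BUFFER_TOO_SMALL` changes its numeric value here (previously `-0x0043`), and the doc comment above it does not say that the name is now only an alias. The same holds for the macros redefined in pkcs7.h, ssl.h and x509.h. Several module-specific names now share one value, so a `switch` that lists two of them gets duplicate case labels, and a logged or persisted return code no longer identifies the module that produced it. I would add a line such as `/** Alias of #PSA_ERROR_BUFFER_TOO_SMALL, kept for source compatibility; the value is no longer module-specific. */` to each redefined macro and record the value change in the changelog.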
@@ -147,11 +147,11 @@
  *                  can be NULL if client_ip is null
  *
  * \return          0 if successful, or
- *                  MBEDTLS_ERR_NET_SOCKET_FAILED,
- *                  MBEDTLS_ERR_NET_BIND_FAILED,
- *                  MBEDTLS_ERR_NET_ACCEPT_FAILED, or
- *                  MBEDTLS_ERR_NET_BUFFER_TOO_SMALL if buf_size is too small,
- *                  MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to
+ *                  #MBEDTLS_ERR_NET_SOCKET_FAILED,
+ *                  #MBEDTLS_ERR_NET_BIND_FAILED,
+ *                  #MBEDTLS_ERR_NET_ACCEPT_FAILED, or
+ *                  #PSA_ERROR_BUFFER_TOO_SMALL if buf_size is too small,
+ *                  #MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to
  *                  non-blocking and accept() would block.
  */
 int mbedtls_net_accept(mbedtls_net_context *bind_ctx,
diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h
index e9b4822..cf9e440 100644
--- a/include/mbedtls/pkcs7.h
+++ b/include/mbedtls/pkcs7.h
@@ -53,11 +53,11 @@
 #define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO             -0x5480  /**< The PKCS #7 content info is invalid or cannot be parsed. */
 #define MBEDTLS_ERR_PKCS7_INVALID_ALG                      -0x5500  /**< The algorithm tag or value is invalid or cannot be parsed. */
 #define MBEDTLS_ERR_PKCS7_INVALID_CERT                     -0x5580  /**< The certificate tag or value is invalid or cannot be parsed. */
-#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE                -0x5600  /**< Error parsing the signature */
+#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE                PSA_ERROR_INVALID_SIGNATURE  /**< Error parsing the signature */
 #define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO              -0x5680  /**< Error parsing the signer's info */
-#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA                   -0x5700  /**< Input invalid. */
-#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED                     -0x5780  /**< Allocation of memory failed. */
-#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL                      -0x5800  /**< Verification Failed */
+#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA                   PSA_ERROR_INVALID_ARGUMENT  /**< Input invalid. */
+#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED                     PSA_ERROR_INSUFFICIENT_MEMORY  /**< Allocation of memory failed. */
+#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL                      PSA_ERROR_INVALID_SIGNATURE  /**< Verification Failed */
 #define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID                -0x5880  /**< The PKCS #7 date issued/expired dates are invalid */
 /* \} name */
 
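Review bot: `MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE` and `MBEDTLS_ERR_PKCS7_VERIFY_FAIL` now expand to the same `PSA_ERROR_INVALID_SIGNATURE`, so a caller can no longer tell a signature field that failed to parse from one that parsed but did not verify. The trailing comment on the first macro still says "Error parsing the signature", which no longer matches what the value means. Either keep a distinct code for the parse failure or update the comment, e.g. `/**< Signature could not be parsed or did not verify (same value as MBEDTLS_ERR_PKCS7_VERIFY_FAIL). */`. Code that uses both names as `case` labels will also stop compiling.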
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 628d5c7..ab3f256 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -44,7 +44,7 @@
 /** The requested feature is not available. */
 #define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE               -0x7080
 /** Bad input parameters to function. */
-#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA                    -0x7100
+#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA                    PSA_ERROR_INVALID_ARGUMENT
 /** Verification of the message MAC failed. */
 #define MBEDTLS_ERR_SSL_INVALID_MAC                       -0x7180
 /** An invalid SSL record was received. */
@@ -105,7 +105,7 @@
 /** Cache entry not found */
 #define MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND             -0x7E80
 /** Memory allocation failed */
-#define MBEDTLS_ERR_SSL_ALLOC_FAILED                      -0x7F00
+#define MBEDTLS_ERR_SSL_ALLOC_FAILED                      PSA_ERROR_INSUFFICIENT_MEMORY
 /** Hardware acceleration function returned with error */
 #define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED                   -0x7F80
 /** Hardware acceleration function skipped / left alone data */
@@ -129,7 +129,7 @@
 /** DTLS client must retry for hello verification */
 #define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED             -0x6A80
 /** A buffer is too small to receive or write a message */
-#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL                  -0x6A00
+#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL                  PSA_ERROR_BUFFER_TOO_SMALL
 /* Error space gap */
 /** No data of requested type currently available on underlying transport. */
 #define MBEDTLS_ERR_SSL_WANT_READ                         -0x6900
@@ -1912,7 +1912,7 @@
  * \param ssl      SSL context
  * \param conf     SSL configuration to use
  *
- * \return         0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED if
+ * \return         0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY if
  *                 memory allocation failed
  */
 int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
@@ -1924,7 +1924,7 @@
  *                 pointers and data.
  *
  * \param ssl      SSL context
- * \return         0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED or
+ * \return         0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY or
                    MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
  */
 int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl);
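Review bot: The continuation line `MBEDTLS_ERR_SSL_HW_ACCEL_FAILED` under the edited `\return` has neither the leading ` *` nor the `#` link marker that this commit adds to the line above it. Since the neighbouring line is edited anyway, it could be normalised to ` *                 #MBEDTLS_ERR_SSL_HW_ACCEL_FAILED` so that both codes render as links.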
@@ -2579,14 +2579,14 @@
  *                              milliseconds.
  *
  * \return         0 on success,
- *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if an input is not valid.
+ *                 #PSA_ERROR_INVALID_ARGUMENT if an input is not valid.
  */
 static inline int mbedtls_ssl_session_get_ticket_creation_time(
     mbedtls_ssl_session *session, mbedtls_ms_time_t *ticket_creation_time)
 {
     if (session == NULL || ticket_creation_time == NULL ||
         session->MBEDTLS_PRIVATE(endpoint) != MBEDTLS_SSL_IS_SERVER) {
-        return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
+        return PSA_ERROR_INVALID_ARGUMENT;
     }
 
     *ticket_creation_time = session->MBEDTLS_PRIVATE(ticket_creation_time);
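Review bot: The `return PSA_ERROR_INVALID_ARGUMENT;` in this `static inline` body is compiled in every translation unit that includes ssl.h, so the header must itself pull in the PSA status definitions. No `#include` is added in any hunk shown, so this presumably relies on an existing include; that is worth confirming, also for net_sockets.h, pkcs7.h and x509.h, whose macros now expand to PSA names. The guard also folds the NULL-pointer case and the "session is not a server session" case into one code, which the `\return` line could state, e.g. `#PSA_ERROR_INVALID_ARGUMENT if a pointer is NULL or the session is not a server-side session.` The function body continues past the end of the hunk.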
@@ -2937,8 +2937,8 @@
  * \note           An internal copy is made, so the info buffer can be reused.
  *
  * \return         0 on success,
- *                 MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used on client,
- *                 MBEDTLS_ERR_SSL_ALLOC_FAILED if out of memory.
+ *                 #PSA_ERROR_INVALID_ARGUMENT if used on client,
+ *                 #PSA_ERROR_INSUFFICIENT_MEMORY if out of memory.
  */
 int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl,
                                         const unsigned char *info,
@@ -3175,8 +3175,8 @@
  * \param len      The size of the serialized data in bytes.
  *
  * \return         \c 0 if successful.
- * \return         #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed.
- * \return         #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid.
+ * \return         #PSA_ERROR_INSUFFICIENT_MEMORY if memory allocation failed.
+ * \return         #PSA_ERROR_INVALID_ARGUMENT if input data is invalid.
  * \return         #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data
  *                 was generated in a different version or configuration of
  *                 Mbed TLS.
@@ -3215,7 +3215,7 @@
  *                 tickets.
  *
  * \return         \c 0 if successful.
- * \return         #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small.
+ * \return         #PSA_ERROR_BUFFER_TOO_SMALL if \p buf is too small.
  * \return         #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the
  *                 MBEDTLS_SSL_SESSION_TICKETS configuration option is disabled
  *                 and the session is a TLS 1.3 session.
@@ -3348,7 +3348,7 @@
  *                      record headers.
  *
  * \return              \c 0 on success.
- * \return              #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p len
+ * \return              #PSA_ERROR_INVALID_ARGUMENT if \p len
  *                      is too large.
  */
 int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf, size_t len,
@@ -3495,7 +3495,7 @@
  * \param own_cert own public certificate chain
  * \param pk_key   own private key
  *
- * \return         0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ * \return         0 on success or #PSA_ERROR_INSUFFICIENT_MEMORY
  */
 int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
                               mbedtls_x509_crt *own_cert,
@@ -3744,8 +3744,8 @@
  *                 #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
  *                 for more details.
  *
- * \return         0 if successful, #MBEDTLS_ERR_SSL_ALLOC_FAILED on
- *                 allocation failure, #MBEDTLS_ERR_SSL_BAD_INPUT_DATA on
+ * \return         0 if successful, #PSA_ERROR_INSUFFICIENT_MEMORY on
+ *                 allocation failure, #PSA_ERROR_INVALID_ARGUMENT on
  *                 too long input hostname.
  *
  *                 Hostname set to the one provided on success (cleared
@@ -3805,7 +3805,7 @@
  * \param own_cert own public certificate chain
  * \param pk_key   own private key
  *
- * \return         0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED
+ * \return         0 on success or #PSA_ERROR_INSUFFICIENT_MEMORY
  */
 int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
                                 mbedtls_x509_crt *own_cert,
@@ -3934,7 +3934,7 @@
  *                 the lifetime of the table must be at least as long as the
  *                 lifetime of the SSL configuration structure.
  *
- * \return         0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA.
+ * \return         0 on success, or #PSA_ERROR_INVALID_ARGUMENT.
  */
 int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf,
                                     const char *const *protos);
@@ -4001,7 +4001,7 @@
  *                          (excluding the terminating MBEDTLS_TLS_SRTP_UNSET).
  *
  * \return                  0 on success
- * \return                  #MBEDTLS_ERR_SSL_BAD_INPUT_DATA when the list of
+ * \return                  #PSA_ERROR_INVALID_ARGUMENT when the list of
  *                          protection profiles is incorrect.
  */
 int mbedtls_ssl_conf_dtls_srtp_protection_profiles
@@ -4021,7 +4021,7 @@
  *                         is ignored.
  *
  * \return                 0 on success
- * \return                 #MBEDTLS_ERR_SSL_BAD_INPUT_DATA
+ * \return                 #PSA_ERROR_INVALID_ARGUMENT
  * \return                 #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
  */
 int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
@@ -4166,7 +4166,7 @@
  *                 MBEDTLS_SSL_MAX_FRAG_LEN_512,  MBEDTLS_SSL_MAX_FRAG_LEN_1024,
  *                 MBEDTLS_SSL_MAX_FRAG_LEN_2048, MBEDTLS_SSL_MAX_FRAG_LEN_4096)
  *
- * \return         0 if successful or MBEDTLS_ERR_SSL_BAD_INPUT_DATA
+ * \return         0 if successful or #PSA_ERROR_INVALID_ARGUMENT
  */
 int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code);
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
@@ -4892,7 +4892,7 @@
  *                 fragment length (either the built-in limit or the one set
  *                 or negotiated with the peer), then:
  *                 - with TLS, less bytes than requested are written.
- *                 - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned.
+ *                 - with DTLS, #PSA_ERROR_INVALID_ARGUMENT is returned.
  *                 \c mbedtls_ssl_get_max_out_record_payload() may be used to
  *                 query the active maximum fragment length.
  *
@@ -4976,7 +4976,7 @@
  * \param len      maximum number of bytes to read
  *
  * \return         The (positive) number of bytes read if successful.
- * \return         #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid.
+ * \return         #PSA_ERROR_INVALID_ARGUMENT if input data is invalid.
  * \return         #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA if it is not
  *                 possible to read early data for the SSL context \p ssl. Note
  *                 that this function is intended to be called for an SSL
@@ -5082,10 +5082,10 @@
  *
  * \param ssl      The SSL context to query
  *
- * \return         #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called
+ * \return         #PSA_ERROR_INVALID_ARGUMENT if this function is called
  *                 from the server-side.
  *
- * \return         #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called
+ * \return         #PSA_ERROR_INVALID_ARGUMENT if this function is called
  *                 prior to completion of the handshake.
  *
  * \return         #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED if the client
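Review bot: Both edited `\return` lines describe a state condition (called from the server side, called before the handshake completes), yet they now document `#PSA_ERROR_INVALID_ARGUMENT`, which reads as a caller bug in the arguments. PSA has a dedicated `PSA_ERROR_BAD_STATE` for operations invoked at the wrong time. If the value cannot change in this commit, the text should at least say that the code is also used for wrong-state calls. The same wording issue appears in the later hunk whose return list mentions "a handshake is in progress", and in the `mbedtls_ssl_export_keying_material` documentation ("the handshake is not yet completed").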
@@ -5134,7 +5134,7 @@
  *
  * \note           This feature is currently only available under certain
  *                 conditions, see the documentation of the return value
- *                 #MBEDTLS_ERR_SSL_BAD_INPUT_DATA for details.
+ *                 #PSA_ERROR_INVALID_ARGUMENT for details.
  *
  * \note           When this function succeeds, it calls
  *                 mbedtls_ssl_session_reset() on \p ssl which as a result is
@@ -5159,15 +5159,15 @@
  *                 to determine the necessary size by calling this function
  *                 with \p buf set to \c NULL and \p buf_len to \c 0. However,
  *                 the value of \p olen is only guaranteed to be correct when
- *                 the function returns #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL or
+ *                 the function returns #PSA_ERROR_BUFFER_TOO_SMALL or
  *                 \c 0. If the return value is different, then the value of
  *                 \p olen is undefined.
  *
  * \return         \c 0 if successful.
- * \return         #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small.
- * \return         #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed
+ * \return         #PSA_ERROR_BUFFER_TOO_SMALL if \p buf is too small.
+ * \return         #PSA_ERROR_INSUFFICIENT_MEMORY if memory allocation failed
  *                 while resetting the context.
- * \return         #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if a handshake is in
+ * \return         #PSA_ERROR_INVALID_ARGUMENT if a handshake is in
  *                 progress, or there is pending data for reading or sending,
  *                 or the connection does not use DTLS 1.2 with an AEAD
  *                 ciphersuite, or renegotiation is enabled.
@@ -5240,10 +5240,10 @@
  * \param len      The size of the serialized data in bytes.
  *
  * \return         \c 0 if successful.
- * \return         #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed.
+ * \return         #PSA_ERROR_INSUFFICIENT_MEMORY if memory allocation failed.
  * \return         #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data
  *                 comes from a different Mbed TLS version or build.
- * \return         #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid.
+ * \return         #PSA_ERROR_INVALID_ARGUMENT if input data is invalid.
  */
 int mbedtls_ssl_context_load(mbedtls_ssl_context *ssl,
                              const unsigned char *buf,
@@ -5352,7 +5352,7 @@
  *       context_len are ignored and a 0-length context is used.
  *
  * \return            0 on success.
- * \return            MBEDTLS_ERR_SSL_BAD_INPUT_DATA if the handshake is not yet completed.
+ * \return            #PSA_ERROR_INVALID_ARGUMENT if the handshake is not yet completed.
  * \return            An SSL-specific error on failure.
  */
 int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl,
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index b1a80e3..a021a7d 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -58,7 +58,7 @@
 /** The date tag or value is invalid. */
 #define MBEDTLS_ERR_X509_INVALID_DATE                     -0x2400
 /** The signature tag or value invalid. */
-#define MBEDTLS_ERR_X509_INVALID_SIGNATURE                -0x2480
+#define MBEDTLS_ERR_X509_INVALID_SIGNATURE                PSA_ERROR_INVALID_SIGNATURE
 /** The extension tag or value is invalid. */
 #define MBEDTLS_ERR_X509_INVALID_EXTENSIONS               -0x2500
 /** CRT/CRL/CSR has an unsupported version number. */
@@ -68,17 +68,17 @@
 /** Signature algorithms do not match. (see \c ::mbedtls_x509_crt sig_oid) */
 #define MBEDTLS_ERR_X509_SIG_MISMATCH                     -0x2680
 /** Certificate verification failed, e.g. CRL, CA or signature check failed. */
-#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED               -0x2700
+#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED               PSA_ERROR_INVALID_SIGNATURE
 /** Format not recognized as DER or PEM. */
 #define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT              -0x2780
 /** Input invalid. */
-#define MBEDTLS_ERR_X509_BAD_INPUT_DATA                   -0x2800
+#define MBEDTLS_ERR_X509_BAD_INPUT_DATA                   PSA_ERROR_INVALID_ARGUMENT
 /** Allocation of memory failed. */
-#define MBEDTLS_ERR_X509_ALLOC_FAILED                     -0x2880
+#define MBEDTLS_ERR_X509_ALLOC_FAILED                     PSA_ERROR_INSUFFICIENT_MEMORY
 /** Read/write of file failed. */
 #define MBEDTLS_ERR_X509_FILE_IO_ERROR                    -0x2900
 /** Destination buffer is too small. */
-#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL                 -0x2980
+#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL                 PSA_ERROR_BUFFER_TOO_SMALL
 /** A fatal error occurred, eg the chain is too long or the vrfy callback failed. */
 #define MBEDTLS_ERR_X509_FATAL_ERROR                      -0x3000
 /** \} name X509 Error codes */
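Review bot: `MBEDTLS_ERR_X509_CERT_VERIFY_FAILED` is now `PSA_ERROR_INVALID_SIGNATURE`, but its own comment says it covers CRL and CA failures as well as signature checks, so such failures are reported under a name that says the signature was bad. It also becomes indistinguishable from `MBEDTLS_ERR_X509_INVALID_SIGNATURE` in the previous hunk, which is a parse error. This is misleading for anyone triaging TLS failures from logged return codes. The comment should say that the value is generic and that the verification flags give the actual reason, e.g. `/** Certificate verification failed; inspect the verification flags for the cause. Same value as #PSA_ERROR_INVALID_SIGNATURE. */`.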
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index bf418a6..6b81652 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -234,7 +234,7 @@
  * \param ctx       Certificate context to use
  * \param san_list  List of SAN values
  *
- * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ * \return          0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
  *
  * \note            "dnsName", "uniformResourceIdentifier", "IP address",
  *                  "otherName", and "DirectoryName", as defined in RFC 5280,
@@ -610,7 +610,7 @@
  *                 other than fatal error, as a non-zero return code
  *                 immediately aborts the verification process. For fatal
  *                 errors, a specific error code should be used (different
- *                 from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
+ *                 from #PSA_ERROR_INVALID_SIGNATURE which should not
  *                 be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR
  *                 can be used if no better code is available.
  *
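Review bot: The value a verify callback is told not to return is now the generic `#PSA_ERROR_INVALID_SIGNATURE` rather than an X.509-specific code, which makes the rule much easier to break by accident. A callback that runs its own PSA signature check and forwards the status would return exactly this value. How the verification function treats that value when it comes from a callback is not visible in this diff, so the documentation should spell out the hazard, for example `Callbacks that call PSA verification functions must translate #PSA_ERROR_INVALID_SIGNATURE into another code before returning.` The neighbouring `MBEDTLS_ERR_X509_FATAL_ERROR` could also get the `#` marker for consistency. The comment block starts and ends outside the hunk.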
@@ -653,7 +653,7 @@
  *
  * \return         \c 0 if the chain is valid with respect to the
  *                 passed CN, CAs, CRLs and security profile.
- * \return         #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the
+ * \return         #PSA_ERROR_INVALID_SIGNATURE in case the
  *                 certificate chain verification failed. In this case,
  *                 \c *flags will have one or more
  *                 \c MBEDTLS_X509_BADCERT_XXX or \c MBEDTLS_X509_BADCRL_XXX
@@ -694,7 +694,7 @@
  *
  * \return         \c 0 if the chain is valid with respect to the
  *                 passed CN, CAs, CRLs and security profile.
- * \return         #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the
+ * \return         #PSA_ERROR_INVALID_SIGNATURE in case the
  *                 certificate chain verification failed. In this case,
  *                 \c *flags will have one or more
  *                 \c MBEDTLS_X509_BADCERT_XXX or \c MBEDTLS_X509_BADCRL_XXX
@@ -826,7 +826,7 @@
  *                 that bit MAY be set.
  *
  * \return         0 is these uses of the certificate are allowed,
- *                 MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension
+ *                 #PSA_ERROR_INVALID_ARGUMENT if the keyUsage extension
  *                 is present but does not match the usage argument.
  *
  * \note           You should only call this function on leaf certificates, on
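Review bot: A keyUsage mismatch is a policy decision about the certificate, but the documented result is now `#PSA_ERROR_INVALID_ARGUMENT`, which by its name reads as malformed caller input. A caller that treats invalid-argument as a programming error, rather than as "this certificate is not permitted for this use", could mishandle the rejection. The `\return` text should make the meaning explicit, e.g. `#PSA_ERROR_INVALID_ARGUMENT if the keyUsage extension is present but does not permit the requested usage (the certificate must be rejected).` The usage check documented in the next hunk has the same wording problem.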
@@ -845,7 +845,7 @@
  * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
  *
  * \return          0 if this use of the certificate is allowed,
- *                  MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
+ *                  #PSA_ERROR_INVALID_ARGUMENT if not.
  *
  * \note            Usually only makes sense on leaf certificates.
  */
@@ -952,7 +952,7 @@
  *                     input buffer
  *
  * \return          0 if successful, or
- *                  MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer
+ *                  #PSA_ERROR_INVALID_ARGUMENT if the provided input buffer
  *                  is too big (longer than MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN)
  */
 int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx,
@@ -1041,7 +1041,7 @@
  * \param val       value of the extension OCTET STRING
  * \param val_len   length of the value data
  *
- * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ * \return          0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
  */
 int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx,
                                         const char *oid, size_t oid_len,
@@ -1057,7 +1057,7 @@
  *                      certificate (only for CA certificates, -1 is
  *                      unlimited)
  *
- * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ * \return          0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
  */
 int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx,
                                                 int is_ca, int max_pathlen);
@@ -1070,7 +1070,7 @@
  *
  * \param ctx       CRT context to use
  *
- * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ * \return          0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
  */
 int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx);
 
@@ -1081,7 +1081,7 @@
  *
  * \param ctx       CRT context to use
  *
- * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ * \return          0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
  */
 int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx);
 #endif /* PSA_WANT_ALG_SHA_1 */
@@ -1093,7 +1093,7 @@
  * \param ctx       CRT context to use
  * \param key_usage key usage flags to set
  *
- * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ * \return          0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
  */
 int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx,
                                         unsigned int key_usage);
@@ -1106,7 +1106,7 @@
  * \param exts      extended key usage extensions to set, a sequence of
  *                  MBEDTLS_ASN1_OID objects
  *
- * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ * \return          0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
  */
 int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx,
                                             const mbedtls_asn1_sequence *exts);
@@ -1118,7 +1118,7 @@
  * \param ctx           CRT context to use
  * \param ns_cert_type  Netscape Cert Type flags to set
  *
- * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ * \return          0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
  */
 int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx,
                                            unsigned char ns_cert_type);
diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h
index b115394..60a553f 100644
--- a/include/mbedtls/x509_csr.h
+++ b/include/mbedtls/x509_csr.h
@@ -263,7 +263,7 @@
  * \param ctx       CSR context to use
  * \param key_usage key usage flags to set
  *
- * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ * \return          0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
  *
  * \note            The <code>decipherOnly</code> flag from the Key Usage
  *                  extension is represented by bit 8 (i.e.
@@ -281,7 +281,7 @@
  * \param ctx       CSR context to use
  * \param san_list  List of SAN values
  *
- * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ * \return          0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
  *
  * \note            Only "dnsName", "uniformResourceIdentifier" and "otherName",
  *                  as defined in RFC 5280, are supported.
@@ -296,7 +296,7 @@
  * \param ctx           CSR context to use
  * \param ns_cert_type  Netscape Cert Type flags to set
  *
- * \return          0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ * \return          0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY
  */
 int mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx,
                                            unsigned char ns_cert_type);
@@ -312,7 +312,7 @@
  * \param val       value of the extension OCTET STRING
  * \param val_len   length of the value data
  *
- * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
+ * \return          0 if successful, or a #PSA_ERROR_INSUFFICIENT_MEMORY
  */
 int mbedtls_x509write_csr_set_extension(mbedtls_x509write_csr *ctx,
                                         const char *oid, size_t oid_len,
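Review bot: The new `\return` line reads `or a #PSA_ERROR_INSUFFICIENT_MEMORY`; the stray article was dropped in the matching x509_crt.h hunks but kept here. Suggest `0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY` so that the two headers agree. The prototype continues past the end of the hunk.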