Revert unification for some error codes
Signed-off-by: Felix Conway <felix.conway@arm.com>
diff --git a/ChangeLog.d/unify-errors.txt b/ChangeLog.d/unify-errors.txt
index 3dad7f3..0ed56ba 100644
--- a/ChangeLog.d/unify-errors.txt
+++ b/ChangeLog.d/unify-errors.txt
@@ -4,5 +4,4 @@
MBEDTLS_ERR_xxx_BAD_INPUT_DATA -> PSA_ERROR_INVALID_ARGUMENT
MBEDTLS_ERR_xxx_ALLOC_FAILED -> PSA_ERROR_INSUFFICIENT_MEMORY
MBEDTLS_ERR_xxx_VERIFY_FAILED -> PSA_ERROR_INVALID_SIGNATURE
- MBEDTLS_ERR_xxx_INVALID_SIGNATURE -> PSA_ERROR_INVALID_SIGNATURE
MBEDTLS_ERR_xxx_BUFFER_TOO_SMALL -> PSA_ERROR_BUFFER_TOO_SMALL
diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h
index cf9e440..957ca53 100644
--- a/include/mbedtls/pkcs7.h
+++ b/include/mbedtls/pkcs7.h
@@ -53,7 +53,7 @@
#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO -0x5480 /**< The PKCS #7 content info is invalid or cannot be parsed. */
#define MBEDTLS_ERR_PKCS7_INVALID_ALG -0x5500 /**< The algorithm tag or value is invalid or cannot be parsed. */
#define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x5580 /**< The certificate tag or value is invalid or cannot be parsed. */
-#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE PSA_ERROR_INVALID_SIGNATURE /**< Error parsing the signature */
+#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE -0x5600 /**< Error parsing the signature */
#define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO -0x5680 /**< Error parsing the signer's info */
#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA PSA_ERROR_INVALID_ARGUMENT /**< Input invalid. */
#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY /**< Allocation of memory failed. */
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index a021a7d..3cced52 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -58,7 +58,7 @@
/** The date tag or value is invalid. */
#define MBEDTLS_ERR_X509_INVALID_DATE -0x2400
/** The signature tag or value invalid. */
-#define MBEDTLS_ERR_X509_INVALID_SIGNATURE PSA_ERROR_INVALID_SIGNATURE
+#define MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480
/** The extension tag or value is invalid. */
#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500
/** CRT/CRL/CSR has an unsupported version number. */
@@ -68,11 +68,11 @@
/** Signature algorithms do not match. (see \c ::mbedtls_x509_crt sig_oid) */
#define MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680
/** Certificate verification failed, e.g. CRL, CA or signature check failed. */
-#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED PSA_ERROR_INVALID_SIGNATURE
+#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700
/** Format not recognized as DER or PEM. */
#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780
/** Input invalid. */
-#define MBEDTLS_ERR_X509_BAD_INPUT_DATA PSA_ERROR_INVALID_ARGUMENT
+#define MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800
/** Allocation of memory failed. */
#define MBEDTLS_ERR_X509_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY
/** Read/write of file failed. */
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 6b81652..6198648 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -610,7 +610,7 @@
* other than fatal error, as a non-zero return code
* immediately aborts the verification process. For fatal
* errors, a specific error code should be used (different
- * from #PSA_ERROR_INVALID_SIGNATURE which should not
+ * from #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
* be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR
* can be used if no better code is available.
*
@@ -653,7 +653,7 @@
*
* \return \c 0 if the chain is valid with respect to the
* passed CN, CAs, CRLs and security profile.
- * \return #PSA_ERROR_INVALID_SIGNATURE in case the
+ * \return #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the
* certificate chain verification failed. In this case,
* \c *flags will have one or more
* \c MBEDTLS_X509_BADCERT_XXX or \c MBEDTLS_X509_BADCRL_XXX
@@ -694,7 +694,7 @@
*
* \return \c 0 if the chain is valid with respect to the
* passed CN, CAs, CRLs and security profile.
- * \return #PSA_ERROR_INVALID_SIGNATURE in case the
+ * \return #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the
* certificate chain verification failed. In this case,
* \c *flags will have one or more
* \c MBEDTLS_X509_BADCERT_XXX or \c MBEDTLS_X509_BADCRL_XXX
@@ -826,7 +826,7 @@
* that bit MAY be set.
*
* \return 0 is these uses of the certificate are allowed,
- * #PSA_ERROR_INVALID_ARGUMENT if the keyUsage extension
+ * #MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension
* is present but does not match the usage argument.
*
* \note You should only call this function on leaf certificates, on
@@ -845,7 +845,7 @@
* \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
*
* \return 0 if this use of the certificate is allowed,
- * #PSA_ERROR_INVALID_ARGUMENT if not.
+ * #MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
*
* \note Usually only makes sense on leaf certificates.
*/
@@ -952,7 +952,7 @@
* input buffer
*
* \return 0 if successful, or
- * #PSA_ERROR_INVALID_ARGUMENT if the provided input buffer
+ * #MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer
* is too big (longer than MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN)
*/
int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx,
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 35afb8f..d0278b1 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -5839,7 +5839,7 @@
-c "! The certificate is not correctly signed by the trusted CA" \
-c "! mbedtls_ssl_handshake returned" \
-c "send alert level=2 message=48" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
# MBEDTLS_X509_BADCERT_NOT_TRUSTED -> MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA
# We don't check that the server receives the alert because it might
# detect that its write end of the connection is closed and abort
@@ -5854,7 +5854,7 @@
-c "! The certificate is not correctly signed by the trusted CA" \
-c "! mbedtls_ssl_handshake returned" \
-c "send alert level=2 message=48" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
# MBEDTLS_X509_BADCERT_NOT_TRUSTED -> MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA
run_test "Authentication: server badcert, client optional" \
@@ -5866,7 +5866,7 @@
-c "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
-C "send alert level=2 message=48" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: server badcert, client optional (1.2)" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
@@ -5877,7 +5877,7 @@
-c "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
-C "send alert level=2 message=48" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: server badcert, client none" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
@@ -5888,7 +5888,7 @@
-C "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
-C "send alert level=2 message=48" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: server badcert, client none (1.2)" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
@@ -5899,7 +5899,7 @@
-C "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
-C "send alert level=2 message=48" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: server goodcert, client required, no trusted CA" \
"$P_SRV" \
@@ -5930,7 +5930,7 @@
-c "! The certificate is not correctly signed by the trusted CA" \
-c "! Certificate verification flags"\
-C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)" \
+ -C "X509 - Certificate verification failed" \
-C "SSL - No CA Chain is set, but required to operate"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
@@ -5942,7 +5942,7 @@
-c "! The certificate is not correctly signed by the trusted CA" \
-c "! Certificate verification flags"\
-C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)" \
+ -C "X509 - Certificate verification failed" \
-C "SSL - No CA Chain is set, but required to operate"
run_test "Authentication: server goodcert, client none, no trusted CA" \
@@ -5953,7 +5953,7 @@
-C "! The certificate is not correctly signed by the trusted CA" \
-C "! Certificate verification flags"\
-C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)" \
+ -C "X509 - Certificate verification failed" \
-C "SSL - No CA Chain is set, but required to operate"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
@@ -5965,7 +5965,7 @@
-C "! The certificate is not correctly signed by the trusted CA" \
-C "! Certificate verification flags"\
-C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)" \
+ -C "X509 - Certificate verification failed" \
-C "SSL - No CA Chain is set, but required to operate"
# The next few tests check what happens if the server has a valid certificate
@@ -5980,7 +5980,7 @@
-C "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
-C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: hostname match, client required, CA callback" \
"$P_SRV" \
@@ -5992,7 +5992,7 @@
-c "use CA callback for X.509 CRT verification" \
-C "x509_verify_cert() returned -" \
-C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: hostname mismatch (wrong), client required" \
"$P_SRV" \
@@ -6001,7 +6001,7 @@
-c "does not match with the expected CN" \
-c "x509_verify_cert() returned -" \
-c "! mbedtls_ssl_handshake returned" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
run_test "Authentication: hostname mismatch (empty), client required" \
"$P_SRV" \
@@ -6010,7 +6010,7 @@
-c "does not match with the expected CN" \
-c "x509_verify_cert() returned -" \
-c "! mbedtls_ssl_handshake returned" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
run_test "Authentication: hostname mismatch (truncated), client required" \
"$P_SRV" \
@@ -6019,7 +6019,7 @@
-c "does not match with the expected CN" \
-c "x509_verify_cert() returned -" \
-c "! mbedtls_ssl_handshake returned" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
run_test "Authentication: hostname mismatch (last char), client required" \
"$P_SRV" \
@@ -6028,7 +6028,7 @@
-c "does not match with the expected CN" \
-c "x509_verify_cert() returned -" \
-c "! mbedtls_ssl_handshake returned" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
run_test "Authentication: hostname mismatch (trailing), client required" \
"$P_SRV" \
@@ -6037,7 +6037,7 @@
-c "does not match with the expected CN" \
-c "x509_verify_cert() returned -" \
-c "! mbedtls_ssl_handshake returned" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
run_test "Authentication: hostname mismatch, client optional" \
"$P_SRV" \
@@ -6045,7 +6045,7 @@
0 \
-c "does not match with the expected CN" \
-c "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: hostname mismatch, client none" \
"$P_SRV" \
@@ -6055,7 +6055,7 @@
-C "Certificate verification without having set hostname" \
-C "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: hostname null, client required" \
"$P_SRV" \
@@ -6066,7 +6066,7 @@
-c "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
-C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: hostname null, client optional" \
"$P_SRV" \
@@ -6076,7 +6076,7 @@
-C "Certificate verification without having set hostname" \
-c "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: hostname null, client none" \
"$P_SRV" \
@@ -6086,7 +6086,7 @@
-C "Certificate verification without having set hostname" \
-C "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: hostname unset, client required" \
"$P_SRV" \
@@ -6098,7 +6098,7 @@
-c "get_hostname_for_verification() returned -" \
-C "x509_verify_cert() returned -" \
-c "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: hostname unset, client required, CA callback" \
"$P_SRV" \
@@ -6111,7 +6111,7 @@
-C "use CA callback for X.509 CRT verification" \
-C "x509_verify_cert() returned -" \
-c "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: hostname unset, client optional" \
"$P_SRV" \
@@ -6121,7 +6121,7 @@
-c "Certificate verification without having set hostname" \
-c "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: hostname unset, client none" \
"$P_SRV" \
@@ -6131,7 +6131,7 @@
-C "Certificate verification without having set hostname" \
-C "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: hostname unset, client default, server picks cert, 1.2" \
"$P_SRV force_version=tls12 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
@@ -6142,7 +6142,7 @@
-C "Certificate verification without CN verification" \
-c "get_hostname_for_verification() returned -" \
-C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
run_test "Authentication: hostname unset, client default, server picks cert, 1.3" \
@@ -6154,7 +6154,7 @@
-C "Certificate verification without CN verification" \
-c "get_hostname_for_verification() returned -" \
-C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication: hostname unset, client default, server picks PSK, 1.2" \
"$P_SRV force_version=tls12 force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8 psk=73776f726466697368 psk_identity=foo" \
@@ -6164,7 +6164,7 @@
-C "Certificate verification without having set hostname" \
-C "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
run_test "Authentication: hostname unset, client default, server picks PSK, 1.3" \
@@ -6175,7 +6175,7 @@
-C "Certificate verification without having set hostname" \
-C "Certificate verification without CN verification" \
-C "x509_verify_cert() returned -" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
# The purpose of the next two tests is to test the client's behaviour when receiving a server
# certificate with an unsupported elliptic curve. This should usually not happen because
@@ -6252,7 +6252,7 @@
-s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \
-s "send alert level=2 message=48" \
- -s "Last error was: \(-0x95\|-149\)"
+ -s "X509 - Certificate verification failed"
# We don't check that the client receives the alert because it might
# detect that its write end of the connection is closed and abort
# before reading the alert message.
@@ -6270,7 +6270,7 @@
-S "skip parse certificate verify" \
-S "x509_verify_cert() returned" \
-S "! The certificate is not correctly signed" \
- -S "Last error was: \(-0x95\|-149\)"
+ -S "X509 - Certificate verification failed"
run_test "Authentication: client cert not trusted, server required" \
"$P_SRV debug_level=3 auth_mode=required" \
@@ -6286,7 +6286,7 @@
-s "x509_verify_cert() returned" \
-s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \
- -s "Last error was: \(-0x95\|-149\)"
+ -s "X509 - Certificate verification failed"
run_test "Authentication: client badcert, server optional" \
"$P_SRV debug_level=3 auth_mode=optional" \
@@ -6303,7 +6303,7 @@
-s "! The certificate is not correctly signed by the trusted CA" \
-S "! mbedtls_ssl_handshake returned" \
-C "! mbedtls_ssl_handshake returned" \
- -S "Last error was: \(-0x95\|-149\)"
+ -S "X509 - Certificate verification failed"
run_test "Authentication: client badcert, server none" \
"$P_SRV debug_level=3 auth_mode=none" \
@@ -6320,7 +6320,7 @@
-S "! The certificate is not correctly signed by the trusted CA" \
-S "! mbedtls_ssl_handshake returned" \
-C "! mbedtls_ssl_handshake returned" \
- -S "Last error was: \(-0x95\|-149\)"
+ -S "X509 - Certificate verification failed"
run_test "Authentication: client no cert, server optional" \
"$P_SRV debug_level=3 auth_mode=optional" \
@@ -6336,7 +6336,7 @@
-s "! Certificate was missing" \
-S "! mbedtls_ssl_handshake returned" \
-C "! mbedtls_ssl_handshake returned" \
- -S "Last error was: \(-0x95\|-149\)"
+ -S "X509 - Certificate verification failed"
requires_openssl_tls1_3_with_compatible_ephemeral
run_test "Authentication: openssl client no cert, server optional" \
@@ -6347,7 +6347,7 @@
-s "skip parse certificate verify" \
-s "! Certificate was missing" \
-S "! mbedtls_ssl_handshake returned" \
- -S "Last error was: \(-0x95\|-149\)"
+ -S "X509 - Certificate verification failed"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
run_test "Authentication: client no cert, openssl server optional" \
@@ -6483,7 +6483,7 @@
-s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \
-c "! mbedtls_ssl_handshake returned" \
- -s "Last error was: \(-0x95\|-149\)"
+ -s "X509 - Certificate verification failed"
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: send alt conf DN hints in CertificateRequest" \
@@ -6530,7 +6530,7 @@
-c "x509_verify_cert() returned" \
-c "! The certificate is not correctly signed by the trusted CA" \
-c "! mbedtls_ssl_handshake returned" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
run_test "Authentication, CA callback: server badcert, client optional" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
@@ -6541,7 +6541,7 @@
-c "x509_verify_cert() returned" \
-c "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
run_test "Authentication, CA callback: server badcert, client none" \
"$P_SRV crt_file=$DATA_FILES_PATH/server5-badsign.crt \
@@ -6552,7 +6552,7 @@
-C "x509_verify_cert() returned" \
-C "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
# The purpose of the next two tests is to test the client's behaviour when receiving a server
# certificate with an unsupported elliptic curve. This should usually not happen because
@@ -6619,7 +6619,7 @@
-s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \
-s "send alert level=2 message=48" \
- -s "Last error was: \(-0x95\|-149\)"
+ -s "X509 - Certificate verification failed"
# We don't check that the client receives the alert because it might
# detect that its write end of the connection is closed and abort
# before reading the alert message.
@@ -6639,7 +6639,7 @@
-s "x509_verify_cert() returned" \
-s "! The certificate is not correctly signed by the trusted CA" \
-s "! mbedtls_ssl_handshake returned" \
- -s "Last error was: \(-0x95\|-149\)"
+ -s "X509 - Certificate verification failed"
run_test "Authentication, CA callback: client badcert, server optional" \
"$P_SRV ca_callback=1 debug_level=3 auth_mode=optional" \
@@ -6657,7 +6657,7 @@
-s "! The certificate is not correctly signed by the trusted CA" \
-S "! mbedtls_ssl_handshake returned" \
-C "! mbedtls_ssl_handshake returned" \
- -S "Last error was: \(-0x95\|-149\)"
+ -S "X509 - Certificate verification failed"
requires_config_value_equals "MBEDTLS_X509_MAX_INTERMEDIATE_CA" $MAX_IM_CA
requires_full_size_output_buffer
@@ -9498,7 +9498,7 @@
-C "mbedtls_pk_sign.*\(4b00\|-248\)" \
-c "! The certificate is not correctly signed by the trusted CA" \
-c "! mbedtls_ssl_handshake returned" \
- -c "Last error was: \(-0x95\|-149\)"
+ -c "X509 - Certificate verification failed"
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
@@ -9518,7 +9518,7 @@
-c "mbedtls_pk_sign.*\(4b00\|-248\)" \
-c "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
# With USE_PSA enabled we expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly).
@@ -9538,7 +9538,7 @@
-c "mbedtls_pk_sign.*\(4b00\|-248\)" \
-c "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
@@ -9558,7 +9558,7 @@
-c "mbedtls_pk_sign.*\(4b00\|-248\)" \
-C "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
# With USE_PSA enabled we expect only partial restartable behaviour:
# everything except ECDH (where TLS calls PSA directly).
@@ -9578,7 +9578,7 @@
-c "mbedtls_pk_sign.*\(4b00\|-248\)" \
-C "! The certificate is not correctly signed by the trusted CA" \
-C "! mbedtls_ssl_handshake returned" \
- -C "Last error was: \(-0x95\|-149\)"
+ -C "X509 - Certificate verification failed"
# With USE_PSA disabled we expect full restartable behaviour.
requires_config_enabled MBEDTLS_ECP_RESTARTABLE