Make SSL error code more generic
It's undesirable to have users of the SSL layer check for an error code
specific to a lower-level layer, both out of general layering principles, and
also because if we later make another crypto module gain resume capabilities,
we would need to change the contract again (checking for a new module-specific
error code).
diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h
index 22895e1..29c1c21 100644
--- a/include/mbedtls/error.h
+++ b/include/mbedtls/error.h
@@ -90,7 +90,7 @@
* ECP 4 10 (Started from top)
* MD 5 5
* CIPHER 6 8
- * SSL 6 17 (Started from top)
+ * SSL 6 22 (Started from top)
* SSL 7 31
*
* Module dependent error code (5 bits 0x.00.-0x.F8.)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 250031a..def20db 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -120,6 +120,7 @@
#define MBEDTLS_ERR_SSL_NON_FATAL -0x6680 /**< The alert message received indicates a non-fatal error. */
#define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH -0x6600 /**< Couldn't set the hash for verifying CertificateVerify */
#define MBEDTLS_ERR_SSL_CONTINUE_PROCESSING -0x6580 /**< Internal-only message signaling that further message-processing should be done */
+#define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS -0x6500 /**< A cryptographic operation is in progress. Try again later. */
/*
* Various constants
diff --git a/library/error.c b/library/error.c
index a2de275..4dc13a4 100644
--- a/library/error.c
+++ b/library/error.c
@@ -499,6 +499,8 @@
mbedtls_snprintf( buf, buflen, "SSL - Couldn't set the hash for verifying CertificateVerify" );
if( use_ret == -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING) )
mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that further message-processing should be done" );
+ if( use_ret == -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) )
+ mbedtls_snprintf( buf, buflen, "SSL - A cryptographic operation is in progress. Try again later" );
#endif /* MBEDTLS_SSL_TLS_C */
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 7a6ffe0..1937ec5 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2055,6 +2055,10 @@
(const unsigned char **) p, end ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ecdh_read_params" ), ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+ if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+ ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
return( ret );
}
@@ -2619,6 +2623,10 @@
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+ if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+ ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
return( ret );
}
}
@@ -2933,6 +2941,10 @@
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+ if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+ ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
return( ret );
}
@@ -2956,6 +2968,10 @@
ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+ if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+ ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
return( ret );
}
@@ -3313,6 +3329,10 @@
ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_sign", ret );
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+ if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+ ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
+#endif
return( ret );
}
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 8364eb8..2ebf128 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4683,7 +4683,7 @@
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
- return( ret );
+ return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );
#endif
/*
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index b11bedd..0e3e1ed 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -1516,7 +1516,7 @@
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
- ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+ ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n",
-ret );
@@ -1533,7 +1533,7 @@
}
#if defined(MBEDTLS_ECP_RESTARTABLE)
- if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+ if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
continue;
#endif
@@ -1630,7 +1630,7 @@
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
- ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+ ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_renegotiate returned %d\n\n",
ret );
@@ -1695,7 +1695,7 @@
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
- ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+ ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_write returned -0x%x\n\n",
-ret );
@@ -1721,7 +1721,7 @@
ret = mbedtls_ssl_write( &ssl, buf, len );
#if defined(MBEDTLS_ECP_RESTARTABLE)
- if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+ if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
continue;
#endif
@@ -1779,7 +1779,7 @@
ret = mbedtls_ssl_read( &ssl, buf, len );
#if defined(MBEDTLS_ECP_RESTARTABLE)
- if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+ if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
continue;
#endif
@@ -1844,7 +1844,7 @@
ret = mbedtls_ssl_read( &ssl, buf, len );
#if defined(MBEDTLS_ECP_RESTARTABLE)
- if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+ if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
continue;
#endif
@@ -1911,7 +1911,7 @@
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
- ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+ ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n",
-ret );
@@ -2010,7 +2010,7 @@
{
if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
- ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
+ ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n",
-ret );