MBEDTLS codes don't match value stored in struct

sidwarkd
Posts: 9
Joined: Mon Aug 02, 2021 9:34 pm

Postby sidwarkd » Mon Aug 02, 2021 9:46 pm

Before submitting a bug on the actual repo, I wanted to see if this is a known issue or if I'm doing something wrong. It appears to me that the MbedTLS error codes are not being properly stored in the esp_tls_error_handle_t struct. I am doing some testing with expired X509 certs. When I try to connect to a URL, I correctly get an error, but when I call esp_tls_get_and_clear_last_error and get the MbedTLS error code, it does not match the proper MbedTLS error code defines, because those are negative. For example, in my http handler I have the following code under a case statement for HTTP_EVENT_ERROR:

/* Inside the HTTP event handler, under the HTTP_EVENT_ERROR case. */
int mbedtls_err = 0;
/* Third argument (esp_tls_flags) is not needed here, so NULL is passed. */
esp_err_t err = esp_tls_get_and_clear_last_error((esp_tls_error_handle_t)evt->data, &mbedtls_err, NULL);
if (err != 0) {
    logger->info(TAG, "Last esp error code: 0x%x\n", err);
    /* Value read back from the error handle */
    logger->info(TAG, "Last mbedtls failure: 0x%x\n", mbedtls_err);
    logger->info(TAG, "Error as int: %d\n", mbedtls_err);
    /* The official MbedTLS define, for comparison */
    logger->info(TAG, "Define as int: %d\n", MBEDTLS_ERR_X509_CERT_VERIFY_FAILED);
}
This is adapted from ESP-IDF sample code. When the SSL handshake fails, it shows the mbedtls error code as 9984 (0x2700) and the official MBEDTLS_ERR code as -9984, so it would appear the ESP-IDF processing of the return code from mbedtls is not capturing the negative value of the code correctly. Checking against the ESP_ERR_MBEDTLS error code equivalent works, but it seems like if we want to work in the raw MbedTLS error codes we would have to modify the return value by -1. I looked through the source a bit and can't see where this is happening. Any thoughts from the community would be welcome.
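An added example (not from the post or from ESP-IDF) showing a sign-tolerant comparison for the situation described above, so a certificate verification failure is still recognised whether the handle returns 9984 or -9984. It also shows why printing a negative int with 0x%x is misleading. The MBEDTLS_ERR_X509_CERT_VERIFY_FAILED define and the value returned by the handle are constructed stand-ins here so the code compiles without ESP-IDF or mbedTLS.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <inttypes.h>

/* Constructed stand-in for the real mbedTLS define (-0x2700, the -9984 in the post). */
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED (-0x2700)

/* Constructed stand-in for the value read back from esp_tls_get_and_clear_last_error:
 * the post observed the positive magnitude 0x2700 rather than the negative define. */
static int simulated_code_from_handle(void) { return 0x2700; }

/* mbedTLS error codes are always negative, so a positive value can only be a
 * sign-flipped one. Map whatever the handle returns to mbedTLS's own convention. */
int to_mbedtls_sign(int code) { return code > 0 ? -code : code; }

/* Compare a code from the error handle against an mbedTLS define, tolerating either sign.
 * Treating an expired-cert verify failure as "some other error" is the failure mode to avoid. */
bool is_mbedtls_err(int code_from_handle, int mbedtls_define) {
    return to_mbedtls_sign(code_from_handle) == mbedtls_define;
}

/* Format the way mbedTLS prints its own codes ("-0x2700"), independent of input sign. */
int format_mbedtls_err(int code, char *buf, size_t n) {
    unsigned mag = (unsigned)(code < 0 ? -code : code);
    return snprintf(buf, n, "-0x%04X", mag);
}

/* Reproduce what 0x%x does to a negative int (32-bit two's complement): 0xffffd900.
 * This is why the define itself never shows up as 0x2700 when logged that way. */
int format_as_posted(int code, char *buf, size_t n) {
    return snprintf(buf, n, "0x%" PRIx32, (uint32_t)code);
}

int main(void) {
    char buf[32];
    int code = simulated_code_from_handle();
    printf("handle returned %d, define is %d\n", code, MBEDTLS_ERR_X509_CERT_VERIFY_FAILED);
    printf("verify failed? %s\n", is_mbedtls_err(code, MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) ? "yes" : "no");
    format_mbedtls_err(code, buf, sizeof buf);
    printf("mbedTLS-style: %s\n", buf);
    format_as_posted(MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, buf, sizeof buf);
    printf("define via 0x%%x: %s\n", buf);
    return 0;
}
```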
