Use MBEDTLS_ERROR_ADD instead of explicit addition: enforcement

Reject direct additions of error constants (regex-based approximation). Fix the lone straggler. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-03-29 22:20:30 +00:00 · 2024-09-15 12:45:44 +02:00 · 2024-09-15 12:45:44 +02:00 · 8085f51108
commit 8085f51108
parent ed6feae513
2 changed files with 22 additions and 2 deletions
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@ -679,8 +679,8 @@ static int x509_get_authority_key_id(unsigned char **p,
    }

    if (*p != end) {
-        return MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
-               MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+        return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+                                 MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
    }

    return 0;
--- a/tests/scripts/check_files.py
+++ b/tests/scripts/check_files.py
@ -446,6 +446,25 @@ class LicenseIssueTracker(LineIssueTracker):
        return False


+class ErrorAddIssueTracker(LineIssueTracker):
+    """Signal direct additions of error codes.
+
+    Adding a low-level error code with a high-level error code is deprecated
+    and should use MBEDTLS_ERROR_ADD.
+    """
+
+    heading = "Direct addition of error codes"
+
+    _ERR_PLUS_RE = re.compile(br'MBEDTLS_ERR_\w+ *\+|'
+                              br'\+ *MBEDTLS_ERR_')
+    _EXCLUDE_RE = re.compile(br' *case ')
+
+    def issue_with_line(self, line, filepath, line_number):
+        if self._ERR_PLUS_RE.search(line) and not self._EXCLUDE_RE.match(line):
+            return True
+        return False
+
+
 class IntegrityChecker:
    """Sanity-check files under the current directory."""

@ -467,6 +486,7 @@ class IntegrityChecker:
            TabIssueTracker(),
            MergeArtifactIssueTracker(),
            LicenseIssueTracker(),
+            ErrorAddIssueTracker(),
        ]

    def setup_logger(self, log_file, level=logging.INFO):