crypto/openssl-wrapper: fix SSL error code mapping

ThePassionate · ThePassionate · commit 63c72d318671 · 2026-01-20T10:53:51.000+08:00
Map mbedtls error codes to OpenSSL standard return codes in
SSL_connect/SSL_do_handshake:
- Return 1 on success
- Return 0 on controlled shutdown
- Return -1 on fatal error (was returning mbedtls error codes)

This aligns the return values with OpenSSL specification where
SSL_get_error() should be called to get the actual error reason.

Signed-off-by: makejian &lt;makejian@xiaomi.com&gt;
diff --git a/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.c b/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.c
@@ -368,17 +368,21 @@ int ssl_pm_handshake(SSL *ssl)
     }
 
   /* OpenSSL return codes:
-   *   0 = did not complete, but may be retried
+   *   0 = The TLS/SSL handshake was not successful but was shut down
+   *       controlled and by the specifications of the TLS/SSL protocol.
    *   1 = successfully completed
-   *   <0 = death
+   *   <0 = The TLS/SSL handshake was not successful because a fatal error
+   *        occurred either at the protocol level or a connection failure
+   *        occurred.
    */
 
   if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE)
     {
-      ssl->err = ret;
+      ssl->err = (ret == MBEDTLS_ERR_SSL_WANT_READ) ? SSL_ERROR_WANT_READ :
+                                                      SSL_ERROR_WANT_WRITE;
       SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL,
                 "mbedtls_ssl_handshake() return -0x%x", -ret);
-      return 0; /* OpenSSL: did not complete but may be retried */
+      return -1;
     }
 
   if (ret == 0)
@@ -397,7 +401,7 @@ int ssl_pm_handshake(SSL *ssl)
     {
       ssl->err = ret == MBEDTLS_ERR_SSL_WANT_READ;
 
-      return 0;
+      return -1;
     }
 
   SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL,

Original file line number	Diff line number	Diff line change
`@@ -368,17 +368,21 @@ int ssl_pm_handshake(SSL *ssl)`
`368`	`368`	`}`
`369`	`369`
`370`	`370`	`/* OpenSSL return codes:`
`371`		`- * 0 = did not complete, but may be retried`
	`371`	`+ * 0 = The TLS/SSL handshake was not successful but was shut down`
	`372`	`+ * controlled and by the specifications of the TLS/SSL protocol.`
`372`	`373`	`* 1 = successfully completed`
`373`		`- * <0 = death`
	`374`	`+ * <0 = The TLS/SSL handshake was not successful because a fatal error`
	`375`	`+ * occurred either at the protocol level or a connection failure`
	`376`	`+ * occurred.`
`374`	`377`	`*/`
`375`	`378`
`376`	`379`	`if (ret == MBEDTLS_ERR_SSL_WANT_READ \|\| ret == MBEDTLS_ERR_SSL_WANT_WRITE)`
`377`	`380`	`{`
`378`		`- ssl->err = ret;`
	`381`	`+ ssl->err = (ret == MBEDTLS_ERR_SSL_WANT_READ) ? SSL_ERROR_WANT_READ :`
	`382`	`+ SSL_ERROR_WANT_WRITE;`
`379`	`383`	`SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL,`
`380`	`384`	`"mbedtls_ssl_handshake() return -0x%x", -ret);`
`381`		`- return 0; /* OpenSSL: did not complete but may be retried */`
	`385`	`+ return -1;`
`382`	`386`	`}`
`383`	`387`
`384`	`388`	`if (ret == 0)`
`@@ -397,7 +401,7 @@ int ssl_pm_handshake(SSL *ssl)`
`397`	`401`	`{`
`398`	`402`	`ssl->err = ret == MBEDTLS_ERR_SSL_WANT_READ;`
`399`	`403`
`400`		`- return 0;`
	`404`	`+ return -1;`
`401`	`405`	`}`
`402`	`406`
`403`	`407`	`SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL,`