src/internal.c: in wolfSSL_ERR_reason_error_string(), add missing error string for SCR_DIFFERENT_CERT_E.

wolfssl/ssl.h, wolfssl/error-ssl.h, wolfssl/wolfcrypt/error-crypt.h, wolfcrypt/src/error.c, and src/internal.c:
* fix values of WOLFSSL_ERROR_SSL and WOLFSSL_ERROR_WANT_X509_LOOKUP to match OpenSSL values;
* move legacy CyaSSL compat layer error codes from ssl.h to error-ssl.h and renumber them to conform to existing sequence;
* move enum IOerrors from ssl.h to error-ssl.h to get picked up by support/gen-debug-trace-error-codes.sh;
* add to enum wolfSSL_ErrorCodes negative counterparts for several positive error return constants;
* include error-ssl.h from ssl.h;
* add label (wolfCrypt_ErrorCodes) to error-crypt.h enum, and in wc_GetErrorString(), use switch ((enum wolfCrypt_ErrorCodes)error) to activate switch warnings for missing enums;
* in wolfSSL_ERR_reason_error_string(), use switch((enum wolfSSL_ErrorCodes)error) to activate switch warnings for missing enums;
* in ssl.h, add special-case WOLFSSL_DEBUG_TRACE_ERROR_CODES macros for WOLFSSL_FAILURE;
* in error-crypt.h, add missing WOLFSSL_API attribute to wc_backtrace_render(); and
* harmonize gating of error codes, ssl.h / error-ssl.h / internal.c:wolfSSL_ERR_reason_error_string() / api.c:error_test().

tests/api.c:
* add error_test() adapted from wolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existing test_wolfSSL_ERR_strings().
* in post_auth_version_client_cb(), add missing !NO_ERROR_STRINGS gating.

add numerous WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly when WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS.
* crypto lib (36),
* crypto test&benchmark (20),
* TLS lib (179),
* examples (122),
* linuxkm (3),
* tests/api.c (2272).
Daniel Pouzzner 2024-08-29 14:22:56 -05:00
parent b178138d83
commit 17870d4159
6 changed files with 137 additions and 92 deletions


@ -25165,13 +25165,14 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
return wc_GetErrorString(error);
}
switch (error) {
#ifdef OPENSSL_EXTRA
case 0 :
if (error == 0) {
return "ok";
}
#endif
switch ((enum wolfSSL_ErrorCodes)error) {
case UNSUPPORTED_SUITE :
return "unsupported cipher suite";
@ -25280,9 +25281,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
case -WOLFSSL_ERROR_WANT_X509_LOOKUP:
return "application client cert callback asked to be called again";
case -WOLFSSL_ERROR_SSL:
return "fatal TLS protocol error";
case BUFFER_ERROR :
return "malformed buffer input error";
@ -25627,37 +25625,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
case HTTP_APPSTR_ERR:
return "HTTP Application string error";
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
/* TODO: -WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE. Conflicts with
* -WOLFSSL_ERROR_WANT_CONNECT. */
case -WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID:
return "certificate not yet valid";
case -WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED:
return "certificate has expired";
case -WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
return "certificate signature failure";
case -WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
return "format error in certificate's notAfter field";
case -WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
return "self-signed certificate in certificate chain";
case -WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
return "unable to get local issuer certificate";
case -WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
return "unable to verify the first certificate";
case -WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG:
return "certificate chain too long";
case -WOLFSSL_X509_V_ERR_CERT_REVOKED:
return "certificate revoked";
case -WOLFSSL_X509_V_ERR_INVALID_CA:
return "invalid CA certificate";
case -WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED:
return "path length constraint exceeded";
case -WOLFSSL_X509_V_ERR_CERT_REJECTED:
return "certificate rejected";
case -WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
return "subject issuer mismatch";
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER */
case UNSUPPORTED_PROTO_VERSION:
#ifdef OPENSSL_EXTRA
return "WRONG_SSL_VERSION";
@ -25693,6 +25660,8 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
return "Certificate type not supported";
case WOLFSSL_BAD_STAT:
return "bad status";
case WOLFSSL_BAD_PATH:
return "No certificates found at designated path";
@ -25708,26 +25677,56 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
case WOLFSSL_UNKNOWN:
return "Unknown algorithm (EVP)";
case WOLFSSL_CBIO_ERR_GENERAL:
return "I/O callback general unexpected error";
case WOLFSSL_FATAL_ERROR:
return "fatal error";
case WOLFSSL_CBIO_ERR_WANT_READ:
return "I/O callback want read, call again";
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED)
case WOLFSSL_CBIO_ERR_WANT_WRITE:
return "I/O callback want write, call again";
/* TODO: -WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE. Conflicts with
* -WOLFSSL_ERROR_WANT_CONNECT.
*/
case WOLFSSL_CBIO_ERR_CONN_RST:
return "I/O callback connection reset";
case -WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID:
return "certificate not yet valid";
case WOLFSSL_CBIO_ERR_ISR:
return "I/O callback interrupt";
case -WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED:
return "certificate has expired";
case WOLFSSL_CBIO_ERR_CONN_CLOSE:
return "I/O callback connection closed or epipe";
case -WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
return "certificate signature failure";
case WOLFSSL_CBIO_ERR_TIMEOUT:
return "I/O callback socket timeout";
case -WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
return "format error in certificate's notAfter field";
case -WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
return "self-signed certificate in certificate chain";
case -WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
return "unable to get local issuer certificate";
case -WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
return "unable to verify the first certificate";
case -WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG:
return "certificate chain too long";
case -WOLFSSL_X509_V_ERR_CERT_REVOKED:
return "certificate revoked";
case -WOLFSSL_X509_V_ERR_INVALID_CA:
return "invalid CA certificate";
case -WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED:
return "path length constraint exceeded";
case -WOLFSSL_X509_V_ERR_CERT_REJECTED:
return "certificate rejected";
case -WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
return "subject issuer mismatch";
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER || HAVE_MEMCACHED */
default :
return "unknown error number";
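Review bot: The reason string for `-WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD` is "certificate signature failure", which is the text for the CERT_SIGNATURE_FAILURE code the TODO above says cannot be handled; the notAfter sibling two lines down returns "format error in certificate's notAfter field", so this one should read `return "format error in certificate's notBefore field";`. The text is carried over from the old location rather than introduced here, but it is what an operator sees in logs when a certificate's notBefore field is malformed, and it points triage at the signature instead of the encoding. Separately, now that the switch is over `(enum wolfSSL_ErrorCodes)error` and this commit adds `*_E` enumerators for exactly these codes in error-ssl.h, labelling the cases with the enumerators (`case WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID_E:`) rather than negated ssl.h constants would keep the labels tied to the type being switched on; the values coincide today, but the same commit shows they can drift (WOLFSSL_ERROR_WANT_X509_LOOKUP_E is -4 while WOLFSSL_ERROR_WANT_X509_LOOKUP becomes 83). wolfSSL_ERR_reason_error_string() continues past the end of this hunk.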


@ -55059,8 +55059,10 @@ static int post_auth_version_client_cb(WOLFSSL* ssl)
ExpectIntEQ(wolfSSL_ERR_get_error(), -WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION));
/* check the string matches expected string */
#ifndef NO_ERROR_STRINGS
ExpectStrEQ(wolfSSL_ERR_error_string(-WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION), NULL),
"WRONG_SSL_VERSION");
#endif
#endif
return EXPECT_RESULT();
}
@ -83162,6 +83164,7 @@ static int test_wolfSSL_set_psk_use_session_callback(void)
*/
static int error_test(void)
{
EXPECT_DECLS;
const char* errStr;
const char* unknownStr = wc_GetErrorString(0);
@ -83170,11 +83173,9 @@ static int error_test(void)
* The string is that error strings are not available.
*/
errStr = wc_GetErrorString(OPEN_RAN_E);
wc_ErrorString(OPEN_RAN_E, out);
if (XSTRCMP(errStr, unknownStr) != 0)
return -1;
if (XSTRCMP(out, unknownStr) != 0)
return -2;
ExpectIntEQ(XSTRCMP(errStr, unknownStr), 0);
if (EXPECT_FAIL())
return OPEN_RAN_E;
#else
int i;
int j = 0;
@ -83183,6 +83184,20 @@ static int error_test(void)
int first;
int last;
} missing[] = {
#ifndef OPENSSL_EXTRA
{ 0, 0 },
#endif
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED)
{ -11, -12 },
{ -15, -17 },
{ -19, -19 },
{ -26, -27 },
{ -30, WC_FIRST_E+1 },
#else
{ -9, WC_FIRST_E+1 },
#endif
{ -124, -124 },
{ -166, -169 },
{ -300, -300 },
@ -83192,14 +83207,15 @@ static int error_test(void)
{ -358, -358 },
{ -372, -372 },
{ -384, -384 },
{ -473, -499 }
{ -466, -499 },
{ WOLFSSL_LAST_E-1, WOLFSSL_LAST_E-1 }
};
/* Check that all errors have a string and it's the same through the two
* APIs. Check that the values that are not errors map to the unknown
* string.
*/
for (i = WC_FIRST_E; i >= WOLFSSL_LAST_E; i--) {
for (i = 0; i >= WOLFSSL_LAST_E-1; i--) {
int this_missing = 0;
for (j = 0; j < (int)XELEM_CNT(missing); ++j) {
if ((i <= missing[j].first) && (i >= missing[j].last)) {
@ -83210,31 +83226,26 @@ static int error_test(void)
errStr = wolfSSL_ERR_reason_error_string(i);
if (! this_missing) {
if (XSTRCMP(errStr, unknownStr) == 0) {
WOLFSSL_MSG("errStr unknown");
return -3;
ExpectIntNE(XSTRCMP(errStr, unknownStr), 0);
if (EXPECT_FAIL()) {
return i;
}
if (XSTRLEN(errStr) >= WOLFSSL_MAX_ERROR_SZ) {
WOLFSSL_MSG("errStr too long");
return -4;
ExpectTrue(XSTRLEN(errStr) < WOLFSSL_MAX_ERROR_SZ);
if (EXPECT_FAIL()) {
return i;
}
}
else {
j++;
if (XSTRCMP(errStr, unknownStr) != 0) {
return -5;
ExpectIntEQ(XSTRCMP(errStr, unknownStr), 0);
if (EXPECT_FAIL()) {
return i;
}
}
}
/* Check if the next possible value has been given a string. */
errStr = wc_GetErrorString(i);
if (XSTRCMP(errStr, unknownStr) != 0) {
return -6;
}
#endif
return 0;
return 1;
}
static int test_wolfSSL_ERR_strings(void)
@ -83272,7 +83283,7 @@ static int test_wolfSSL_ERR_strings(void)
#endif
#endif
ExpectIntEQ(error_test(), 0);
ExpectIntEQ(error_test(), 1);
return EXPECT_RESULT();
}
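Review bot: The NO_ERROR_STRINGS branch of error_test() no longer calls wc_ErrorString(): the `wc_ErrorString(OPEN_RAN_E, out);` call and the `XSTRCMP(out, unknownStr)` check appear only on the old side of the hunk at 83170, so the buffer-filling API is unexercised in that configuration; keep a `wc_ErrorString(OPEN_RAN_E, out); ExpectIntEQ(XSTRCMP(out, unknownStr), 0);` pair next to the wc_GetErrorString() check (the `out` declaration sits in lines not shown here, so confirm it still exists, otherwise it is now an unused variable). The success sentinel also changed from 0 to 1 with failures returning the offending code `i`, which is 0 when the i == 0 iteration fails; that is still distinguishable from 1, but a comment on `return 1;` such as `/* 1 == success; any other value is the code whose string was wrong */` would spare the next reader a trip to test_wolfSSL_ERR_strings(). With three Expect checks per iteration all returning `i`, the return value no longer says which check failed; if the Expect macros record the failing line that is acceptable, otherwise consider distinct return forms.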


@ -42,7 +42,7 @@
WOLFSSL_ABI
const char* wc_GetErrorString(int error)
{
switch (error) {
switch ((enum wolfCrypt_ErrorCodes)error) {
case MP_MEM :
return "MP integer dynamic memory allocation failed";
@ -642,6 +642,8 @@ const char* wc_GetErrorString(int error)
case PBKDF2_KAT_FIPS_E:
return "wolfCrypt FIPS PBKDF2 Known Answer Test Failure";
case MAX_CODE_E:
case MIN_CODE_E:
default:
return "unknown error number";
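Review bot: The cast in `switch ((enum wolfCrypt_ErrorCodes)error)` exists so that -Wswitch reports any enumerator that lacks a string, but nothing at the site says so and a later cleanup could drop it without losing a compile; add `/* cast so -Wswitch flags any wolfCrypt_ErrorCodes member without a string */` on that line. The `case MAX_CODE_E:` / `case MIN_CODE_E:` labels added before `default:` in the second hunk serve the same purpose and read as if those were real error codes; a one-line comment that they are range sentinels mapped to the unknown string would help. wc_GetErrorString() continues beyond both hunks.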


@ -35,9 +35,40 @@
#endif
enum wolfSSL_ErrorCodes {
WOLFSSL_FATAL_ERROR = -1, /* note, must be -1 for backward
* compat. */
WOLFSSL_FIRST_E = -301,
WOLFSSL_FATAL_ERROR = -1, /* must be -1 for backward compat. */
/* negative counterparts to namesake positive constants in ssl.h */
WOLFSSL_ERROR_WANT_READ_E = -2,
WOLFSSL_ERROR_WANT_WRITE_E = -3,
WOLFSSL_ERROR_WANT_X509_LOOKUP_E = -4,
WOLFSSL_ERROR_SYSCALL_E = -5,
WOLFSSL_ERROR_ZERO_RETURN_E = -6,
WOLFSSL_ERROR_WANT_CONNECT_E = -7,
WOLFSSL_ERROR_WANT_ACCEPT_E = -8,
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED)
WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE_E = -7, /* note conflict with
* WOLFSSL_ERROR_WANT_CONNECT_E
*/
WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID_E = -9,
WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED_E = -10,
WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD_E = -13,
WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD_E = -14,
WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT_E = -18,
WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY_E = -20,
WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE_E = -21,
WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG_E = -22,
WOLFSSL_X509_V_ERR_CERT_REVOKED_E = -23,
WOLFSSL_X509_V_ERR_INVALID_CA_E = -24,
WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED_E = -25,
WOLFSSL_X509_V_ERR_CERT_REJECTED_E = -28,
WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH_E = -29,
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER || HAVE_MEMCACHED */
WOLFSSL_FIRST_E = -301, /* start of native TLS codes */
INPUT_CASE_ERROR = -301, /* process input state error */
PREFIX_ERROR = -302, /* bad index to key rounds */
@ -203,15 +234,6 @@ enum wolfSSL_ErrorCodes {
WOLFSSL_NOT_IMPLEMENTED = -464, /* Function not implemented */
WOLFSSL_UNKNOWN = -465, /* Unknown algorithm (EVP) */
/* I/O Callback errors */
WOLFSSL_CBIO_ERR_GENERAL = -466, /* I/O callback general unexpected error */
WOLFSSL_CBIO_ERR_WANT_READ = -467, /* I/O callback want read, call again */
WOLFSSL_CBIO_ERR_WANT_WRITE = -468, /* I/O callback want write, call again */
WOLFSSL_CBIO_ERR_CONN_RST = -469, /* I/O callback connection reset */
WOLFSSL_CBIO_ERR_ISR = -470, /* I/O callback interrupt */
WOLFSSL_CBIO_ERR_CONN_CLOSE = -471, /* I/O callback connection closed or epipe */
WOLFSSL_CBIO_ERR_TIMEOUT = -472, /* I/O callback socket timeout */
/* negotiation parameter errors */
UNSUPPORTED_SUITE = -500, /* unsupported cipher suite */
MATCH_SUITE_ERROR = -501, /* can't match cipher suite */
@ -224,6 +246,16 @@ enum wolfSSL_ErrorCodes {
WOLFSSL_LAST_E = -506
};
/* I/O Callback default errors */
enum IOerrors {
WOLFSSL_CBIO_ERR_GENERAL = -1, /* general unexpected err */
WOLFSSL_CBIO_ERR_WANT_READ = -2, /* need to call read again */
WOLFSSL_CBIO_ERR_WANT_WRITE = -2, /* need to call write again */
WOLFSSL_CBIO_ERR_CONN_RST = -3, /* connection reset */
WOLFSSL_CBIO_ERR_ISR = -4, /* interrupt */
WOLFSSL_CBIO_ERR_CONN_CLOSE = -5, /* connection closed or epipe */
WOLFSSL_CBIO_ERR_TIMEOUT = -6 /* socket timeout */
};
#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
enum {
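Review bot: The comment `/* negative counterparts to namesake positive constants in ssl.h */` does not hold for WOLFSSL_ERROR_WANT_X509_LOOKUP_E = -4, because the same commit changes WOLFSSL_ERROR_WANT_X509_LOOKUP in ssl.h to 83, and there is no `_E` member for WOLFSSL_ERROR_SSL (85) at all; either renumber to -83 (and add a -85 entry) or narrow the comment, e.g. `WOLFSSL_ERROR_WANT_X509_LOOKUP_E = -4, /* legacy value; the ssl.h constant is 83 */`. The duplicate value -7 shared by WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE_E and WOLFSSL_ERROR_WANT_CONNECT_E is legal C, but a caller comparing a result against the signature-failure enumerator also matches a want-connect result and the reason string for -7 can describe only one of them; the in-code note acknowledges the conflict, and it should also say that the signature-failure member must not be used for dispatch until it gets its own value. The moved enum IOerrors keeps WOLFSSL_CBIO_ERR_WANT_READ and WOLFSSL_CBIO_ERR_WANT_WRITE both at -2, which is pre-existing but reads like a typo; a comment that the two are intentionally the same value would prevent a well-meant "fix".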


@ -2647,14 +2647,15 @@ enum { /* ssl Constants */
(WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE |
WOLFSSL_SESS_CACHE_NO_INTERNAL_LOOKUP),
/* These values match OpenSSL values for corresponding names. */
WOLFSSL_ERROR_SSL = 1,
WOLFSSL_ERROR_WANT_READ = 2,
WOLFSSL_ERROR_WANT_WRITE = 3,
WOLFSSL_ERROR_WANT_X509_LOOKUP = 4,
WOLFSSL_ERROR_SYSCALL = 5,
WOLFSSL_ERROR_ZERO_RETURN = 6,
WOLFSSL_ERROR_WANT_CONNECT = 7,
WOLFSSL_ERROR_WANT_ACCEPT = 8,
WOLFSSL_ERROR_SYSCALL = 5,
WOLFSSL_ERROR_WANT_X509_LOOKUP = 83,
WOLFSSL_ERROR_ZERO_RETURN = 6,
WOLFSSL_ERROR_SSL = 85,
WOLFSSL_SENT_SHUTDOWN = 1,
WOLFSSL_RECEIVED_SHUTDOWN = 2,
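Review bot: The line `/* These values match OpenSSL values for corresponding names. */` is at odds with the new values: as far as I know OpenSSL's ssl.h defines SSL_ERROR_SSL as 1 and SSL_ERROR_WANT_X509_LOOKUP as 4, which are the values this hunk replaces with 85 and 83, so the comment should name whatever definition 83 and 85 are meant to mirror, or the values should stay at 1 and 4 (the motivation is not visible from this page). Independently, WOLFSSL_ERROR_SSL and WOLFSSL_ERROR_WANT_X509_LOOKUP are public constants in the ssl Constants enum, so, assuming they are what the error-query API returns, code built against the previous header keeps comparing against 1 and 4 and will misclassify those results after relinking; that compatibility consequence belongs in the commit message or a comment beside the values. The reordered entries (SYSCALL after WANT_ACCEPT, ZERO_RETURN after WANT_X509_LOOKUP) also no longer read in value order, which makes the change harder to audit.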


@ -42,7 +42,7 @@ the error status.
#endif
/* error codes, add string for new errors !!! */
enum {
enum wolfCrypt_ErrorCodes {
/* note that WOLFSSL_FATAL_ERROR is defined as -1 in error-ssl.h, for
* reasons of backward compatibility.
*/