src/internal.c: in wolfSSL_ERR_reason_error_string(), add missing error string for SCR_DIFFERENT_CERT_E.

wolfssl/ssl.h, wolfssl/error-ssl.h, wolfssl/wolfcrypt/error-crypt.h, wolfcrypt/src/error.c, and src/internal.c: * fix values of WOLFSSL_ERROR_SSL and WOLFSSL_ERROR_WANT_X509_LOOKUP to match OpenSSL values; * move legacy CyaSSL compat layer error codes from ssl.h to error-ssl.h and renumber them to conform to existing sequence; * move enum IOerrors from ssl.h to error-ssl.h to get picked up by support/gen-debug-trace-error-codes.sh; * add to enum wolfSSL_ErrorCodes negative counterparts for several positive error return constants; * include error-ssl.h from ssl.h; * add label (wolfCrypt_ErrorCodes) to error-crypt.h enum, and in wc_GetErrorString(), use switch ((enum wolfCrypt_ErrorCodes)error) to activate switch warnings for missing enums; * in wolfSSL_ERR_reason_error_string(), use switch((enum wolfSSL_ErrorCodes)error) to activate switch warnings for missing enums; * in ssl.h, add special-case WOLFSSL_DEBUG_TRACE_ERROR_CODES macros for WOLFSSL_FAILURE; * in error-crypt.h, add missing WOLFSSL_API attribute to wc_backtrace_render(); and * harmonize gating of error codes, ssl.h / error-ssl.h / internal.c:wolfSSL_ERR_reason_error_string() / api.c:error_test(). tests/api.c: * add error_test() adapted from wolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existing test_wolfSSL_ERR_strings(). * in post_auth_version_client_cb(), add missing !NO_ERROR_STRINGS gating. add numerous WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly when WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS. * crypto lib (36), * crypto test&benchmark (20), * TLS lib (179), * examples (122), * linuxkm (3), * tests/api.c (2272).
2024-08-29 14:22:56 -05:00 · 2024-08-29 14:22:56 -05:00 · 17870d4159
parent b178138d83
commit 17870d4159
6 changed files with 137 additions and 92 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -25165,13 +25165,14 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
        return wc_GetErrorString(error);
    }
    switch (error) {
 #ifdef OPENSSL_EXTRA
-    case 0 :
+    if (error == 0) {
        return "ok";
    }
 #endif
    switch ((enum wolfSSL_ErrorCodes)error) {
    case UNSUPPORTED_SUITE :
        return "unsupported cipher suite";
@ -25280,9 +25281,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
    case -WOLFSSL_ERROR_WANT_X509_LOOKUP:
        return "application client cert callback asked to be called again";
    case -WOLFSSL_ERROR_SSL:
        return "fatal TLS protocol error";
    case BUFFER_ERROR :
        return "malformed buffer input error";
@ -25627,37 +25625,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
    case HTTP_APPSTR_ERR:
        return "HTTP Application string error";
 #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
    /* TODO: -WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE. Conflicts with
     *       -WOLFSSL_ERROR_WANT_CONNECT. */
    case -WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID:
        return "certificate not yet valid";
    case -WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED:
        return "certificate has expired";
    case -WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
        return "certificate signature failure";
    case -WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
        return "format error in certificate's notAfter field";
    case -WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
        return "self-signed certificate in certificate chain";
    case -WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
        return "unable to get local issuer certificate";
    case -WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
        return "unable to verify the first certificate";
    case -WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG:
        return "certificate chain too long";
    case -WOLFSSL_X509_V_ERR_CERT_REVOKED:
        return "certificate revoked";
    case -WOLFSSL_X509_V_ERR_INVALID_CA:
        return "invalid CA certificate";
    case -WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED:
        return "path length constraint exceeded";
    case -WOLFSSL_X509_V_ERR_CERT_REJECTED:
        return "certificate rejected";
    case -WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
        return "subject issuer mismatch";
 #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER */
    case UNSUPPORTED_PROTO_VERSION:
        #ifdef OPENSSL_EXTRA
        return "WRONG_SSL_VERSION";
@ -25693,6 +25660,8 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
        return "Certificate type not supported";
    case WOLFSSL_BAD_STAT:
        return "bad status";
    case WOLFSSL_BAD_PATH:
        return "No certificates found at designated path";
@ -25708,26 +25677,56 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
    case WOLFSSL_UNKNOWN:
        return "Unknown algorithm (EVP)";
-    case WOLFSSL_CBIO_ERR_GENERAL:
+    case WOLFSSL_FATAL_ERROR:
-        return "I/O callback general unexpected error";
+        return "fatal error";
-    case WOLFSSL_CBIO_ERR_WANT_READ:
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
-        return "I/O callback want read, call again";
+    defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED)
-    case WOLFSSL_CBIO_ERR_WANT_WRITE:
+    /* TODO: -WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE. Conflicts with
-        return "I/O callback want write, call again";
+     *       -WOLFSSL_ERROR_WANT_CONNECT.
     */
-    case WOLFSSL_CBIO_ERR_CONN_RST:
+    case -WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID:
-        return "I/O callback connection reset";
+        return "certificate not yet valid";
-    case WOLFSSL_CBIO_ERR_ISR:
+    case -WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED:
-        return "I/O callback interrupt";
+        return "certificate has expired";
-    case WOLFSSL_CBIO_ERR_CONN_CLOSE:
+    case -WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
-        return "I/O callback connection closed or epipe";
+        return "certificate signature failure";
-    case WOLFSSL_CBIO_ERR_TIMEOUT:
+    case -WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
-        return "I/O callback socket timeout";
+        return "format error in certificate's notAfter field";
    case -WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
        return "self-signed certificate in certificate chain";
    case -WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
        return "unable to get local issuer certificate";
    case -WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
        return "unable to verify the first certificate";
    case -WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG:
        return "certificate chain too long";
    case -WOLFSSL_X509_V_ERR_CERT_REVOKED:
        return "certificate revoked";
    case -WOLFSSL_X509_V_ERR_INVALID_CA:
        return "invalid CA certificate";
    case -WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED:
        return "path length constraint exceeded";
    case -WOLFSSL_X509_V_ERR_CERT_REJECTED:
        return "certificate rejected";
    case -WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
        return "subject issuer mismatch";
 #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER || HAVE_MEMCACHED */
    default :
        return "unknown error number";
--- a/tests/api.c
+++ b/tests/api.c
@ -55059,8 +55059,10 @@ static int post_auth_version_client_cb(WOLFSSL* ssl)
    ExpectIntEQ(wolfSSL_ERR_get_error(), -WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION));
    /* check the string matches expected string */
    #ifndef NO_ERROR_STRINGS
    ExpectStrEQ(wolfSSL_ERR_error_string(-WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION), NULL),
            "WRONG_SSL_VERSION");
    #endif
 #endif
    return EXPECT_RESULT();
 }
@ -83162,6 +83164,7 @@ static int test_wolfSSL_set_psk_use_session_callback(void)
 */
 static int error_test(void)
 {
    EXPECT_DECLS;
    const char* errStr;
    const char* unknownStr = wc_GetErrorString(0);
@ -83170,11 +83173,9 @@ static int error_test(void)
     * The string is that error strings are not available.
     */
    errStr = wc_GetErrorString(OPEN_RAN_E);
-    wc_ErrorString(OPEN_RAN_E, out);
+    ExpectIntEQ(XSTRCMP(errStr, unknownStr), 0);
-    if (XSTRCMP(errStr, unknownStr) != 0)
+    if (EXPECT_FAIL())
-        return -1;
+        return OPEN_RAN_E;
    if (XSTRCMP(out, unknownStr) != 0)
        return -2;
 #else
    int i;
    int j = 0;
@ -83183,6 +83184,20 @@ static int error_test(void)
        int first;
        int last;
    } missing[] = {
 #ifndef OPENSSL_EXTRA
        { 0, 0 },
 #endif
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
    defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED)
        { -11, -12 },
        { -15, -17 },
        { -19, -19 },
        { -26, -27 },
        { -30, WC_FIRST_E+1 },
 #else
        { -9, WC_FIRST_E+1 },
 #endif
        { -124, -124 },
        { -166, -169 },
        { -300, -300 },
@ -83192,14 +83207,15 @@ static int error_test(void)
        { -358, -358 },
        { -372, -372 },
        { -384, -384 },
-        { -473, -499 }
+        { -466, -499 },
        { WOLFSSL_LAST_E-1, WOLFSSL_LAST_E-1 }
    };
    /* Check that all errors have a string and it's the same through the two
     * APIs. Check that the values that are not errors map to the unknown
     * string.
     */
-    for (i = WC_FIRST_E; i >= WOLFSSL_LAST_E; i--) {
+    for (i = 0; i >= WOLFSSL_LAST_E-1; i--) {
        int this_missing = 0;
        for (j = 0; j < (int)XELEM_CNT(missing); ++j) {
            if ((i <= missing[j].first) && (i >= missing[j].last)) {
@ -83210,31 +83226,26 @@ static int error_test(void)
        errStr = wolfSSL_ERR_reason_error_string(i);
        if (! this_missing) {
-            if (XSTRCMP(errStr, unknownStr) == 0) {
+            ExpectIntNE(XSTRCMP(errStr, unknownStr), 0);
-                WOLFSSL_MSG("errStr unknown");
+            if (EXPECT_FAIL()) {
-                return -3;
+                return i;
            }
-            if (XSTRLEN(errStr) >= WOLFSSL_MAX_ERROR_SZ) {
+            ExpectTrue(XSTRLEN(errStr) < WOLFSSL_MAX_ERROR_SZ);
-                WOLFSSL_MSG("errStr too long");
+            if (EXPECT_FAIL()) {
-                return -4;
+                return i;
            }
        }
        else {
            j++;
-            if (XSTRCMP(errStr, unknownStr) != 0) {
+            ExpectIntEQ(XSTRCMP(errStr, unknownStr), 0);
-                return -5;
+            if (EXPECT_FAIL()) {
                return i;
            }
        }
    }
    /* Check if the next possible value has been given a string. */
    errStr = wc_GetErrorString(i);
    if (XSTRCMP(errStr, unknownStr) != 0) {
        return -6;
    }
 #endif
-    return 0;
+    return 1;
 }
 static int test_wolfSSL_ERR_strings(void)
@ -83272,7 +83283,7 @@ static int test_wolfSSL_ERR_strings(void)
 #endif
 #endif
-    ExpectIntEQ(error_test(), 0);
+    ExpectIntEQ(error_test(), 1);
    return EXPECT_RESULT();
 }
--- a/wolfcrypt/src/error.c
+++ b/wolfcrypt/src/error.c
@ -42,7 +42,7 @@
 WOLFSSL_ABI
 const char* wc_GetErrorString(int error)
 {
-    switch (error) {
+    switch ((enum wolfCrypt_ErrorCodes)error) {
    case MP_MEM :
        return "MP integer dynamic memory allocation failed";
@ -642,6 +642,8 @@ const char* wc_GetErrorString(int error)
    case PBKDF2_KAT_FIPS_E:
        return "wolfCrypt FIPS PBKDF2 Known Answer Test Failure";
    case MAX_CODE_E:
    case MIN_CODE_E:
    default:
        return "unknown error number";
--- a/wolfssl/error-ssl.h
+++ b/wolfssl/error-ssl.h
@ -35,9 +35,40 @@
 #endif
 enum wolfSSL_ErrorCodes {
-    WOLFSSL_FATAL_ERROR          =   -1, /* note, must be -1 for backward
+    WOLFSSL_FATAL_ERROR          =   -1,   /* must be -1 for backward compat. */
-                                          * compat.                    */
+
-    WOLFSSL_FIRST_E              = -301,
+    /* negative counterparts to namesake positive constants in ssl.h */
    WOLFSSL_ERROR_WANT_READ_E    =   -2,
    WOLFSSL_ERROR_WANT_WRITE_E   =   -3,
    WOLFSSL_ERROR_WANT_X509_LOOKUP_E = -4,
    WOLFSSL_ERROR_SYSCALL_E      =   -5,
    WOLFSSL_ERROR_ZERO_RETURN_E  =   -6,
    WOLFSSL_ERROR_WANT_CONNECT_E =   -7,
    WOLFSSL_ERROR_WANT_ACCEPT_E  =   -8,
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
    defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED)
    WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE_E  = -7, /* note conflict with
                                              * WOLFSSL_ERROR_WANT_CONNECT_E
                                                        */
    WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID_E      = -9,
    WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED_E        = -10,
    WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD_E = -13,
    WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD_E = -14,
    WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT_E = -18,
    WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY_E = -20,
    WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE_E = -21,
    WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG_E     = -22,
    WOLFSSL_X509_V_ERR_CERT_REVOKED_E            = -23,
    WOLFSSL_X509_V_ERR_INVALID_CA_E              = -24,
    WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED_E    = -25,
    WOLFSSL_X509_V_ERR_CERT_REJECTED_E           = -28,
    WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH_E = -29,
 #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER || HAVE_MEMCACHED */
    WOLFSSL_FIRST_E              = -301,   /* start of native TLS codes */
    INPUT_CASE_ERROR             = -301,   /* process input state error */
    PREFIX_ERROR                 = -302,   /* bad index to key rounds  */
@ -203,15 +234,6 @@ enum wolfSSL_ErrorCodes {
    WOLFSSL_NOT_IMPLEMENTED      = -464,   /* Function not implemented */
    WOLFSSL_UNKNOWN              = -465,   /* Unknown algorithm (EVP) */
    /* I/O Callback errors */
    WOLFSSL_CBIO_ERR_GENERAL     = -466,   /* I/O callback general unexpected error */
    WOLFSSL_CBIO_ERR_WANT_READ   = -467,   /* I/O callback want read, call again */
    WOLFSSL_CBIO_ERR_WANT_WRITE  = -468,   /* I/O callback want write, call again */
    WOLFSSL_CBIO_ERR_CONN_RST    = -469,   /* I/O callback connection reset */
    WOLFSSL_CBIO_ERR_ISR         = -470,   /* I/O callback interrupt */
    WOLFSSL_CBIO_ERR_CONN_CLOSE  = -471,   /* I/O callback connection closed or epipe */
    WOLFSSL_CBIO_ERR_TIMEOUT     = -472,   /* I/O callback socket timeout */
    /* negotiation parameter errors */
    UNSUPPORTED_SUITE            = -500,   /* unsupported cipher suite */
    MATCH_SUITE_ERROR            = -501,   /* can't match cipher suite */
@ -224,6 +246,16 @@ enum wolfSSL_ErrorCodes {
    WOLFSSL_LAST_E               = -506
 };
 /* I/O Callback default errors */
 enum IOerrors {
    WOLFSSL_CBIO_ERR_GENERAL    = -1,     /* general unexpected err */
    WOLFSSL_CBIO_ERR_WANT_READ  = -2,     /* need to call read  again */
    WOLFSSL_CBIO_ERR_WANT_WRITE = -2,     /* need to call write again */
    WOLFSSL_CBIO_ERR_CONN_RST   = -3,     /* connection reset */
    WOLFSSL_CBIO_ERR_ISR        = -4,     /* interrupt */
    WOLFSSL_CBIO_ERR_CONN_CLOSE = -5,     /* connection closed or epipe */
    WOLFSSL_CBIO_ERR_TIMEOUT    = -6      /* socket timeout */
 };
 #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
    enum {
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@ -2647,14 +2647,15 @@ enum { /* ssl Constants */
            (WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE |
                    WOLFSSL_SESS_CACHE_NO_INTERNAL_LOOKUP),
    /* These values match OpenSSL values for corresponding names. */
    WOLFSSL_ERROR_SSL              =  1,
    WOLFSSL_ERROR_WANT_READ        =  2,
    WOLFSSL_ERROR_WANT_WRITE       =  3,
    WOLFSSL_ERROR_WANT_X509_LOOKUP =  4,
    WOLFSSL_ERROR_SYSCALL          =  5,
    WOLFSSL_ERROR_ZERO_RETURN      =  6,
    WOLFSSL_ERROR_WANT_CONNECT     =  7,
    WOLFSSL_ERROR_WANT_ACCEPT      =  8,
    WOLFSSL_ERROR_SYSCALL          =  5,
    WOLFSSL_ERROR_WANT_X509_LOOKUP = 83,
    WOLFSSL_ERROR_ZERO_RETURN      =  6,
    WOLFSSL_ERROR_SSL              = 85,
    WOLFSSL_SENT_SHUTDOWN     = 1,
    WOLFSSL_RECEIVED_SHUTDOWN = 2,
--- a/wolfssl/wolfcrypt/error-crypt.h
+++ b/wolfssl/wolfcrypt/error-crypt.h
@ -42,7 +42,7 @@ the error status.
 #endif
 /* error codes, add string for new errors !!! */
-enum {
+enum wolfCrypt_ErrorCodes {
    /* note that WOLFSSL_FATAL_ERROR is defined as -1 in error-ssl.h, for
     * reasons of backward compatibility.
     */