20240828-WOLFSSL_DEBUG_TRACE_ERROR_CODES-TLS #7917
Conversation
…or string for SCR_DIFFERENT_CERT_E, and de-gate error strings previously gated on HAVE_HTTP_CLIENT. tests/api.c: add error_test() adapted from wolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existing test_wolfSSL_ERR_strings(). wolfssl/ssl.h, wolfssl/error-ssl.h, and wolfssl/wolfcrypt/error-crypt.h: * move several negative error return codes from ssl.h to error-ssl.h, * renumber them to conform to existing sequence, and * include error-ssl.h from ssl.h; * add special-case WOLFSSL_DEBUG_TRACE_ERROR_CODES macros for WOLFSSL_FAILURE; * add missing WOLFSSL_API attribute to wc_backtrace_render(). add numerous WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly when WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS. * crypto lib (36), * crypto test&benchmark (20), * TLS lib (179), * examples (122), * linuxkm (3), * tests/api.c (2272).
…or string for SCR_DIFFERENT_CERT_E. wolfssl/ssl.h, wolfssl/error-ssl.h, wolfssl/wolfcrypt/error-crypt.h, wolfcrypt/src/error.c, and src/internal.c: * fix values of WOLFSSL_ERROR_SSL and WOLFSSL_ERROR_WANT_X509_LOOKUP to match OpenSSL values; * move legacy CyaSSL compat layer error codes from ssl.h to error-ssl.h and renumber them to conform to existing sequence; * move enum IOerrors from ssl.h to error-ssl.h to get picked up by support/gen-debug-trace-error-codes.sh; * add to enum wolfSSL_ErrorCodes negative counterparts for several positive error return constants; * include error-ssl.h from ssl.h; * add label (wolfCrypt_ErrorCodes) to error-crypt.h enum, and in wc_GetErrorString(), use switch ((enum wolfCrypt_ErrorCodes)error) to activate switch warnings for missing enums; * in wolfSSL_ERR_reason_error_string(), use switch((enum wolfSSL_ErrorCodes)error) to activate switch warnings for missing enums; * in ssl.h, add special-case WOLFSSL_DEBUG_TRACE_ERROR_CODES macros for WOLFSSL_FAILURE; * in error-crypt.h, add missing WOLFSSL_API attribute to wc_backtrace_render(); and * harmonize gating of error codes, ssl.h / error-ssl.h / internal.c:wolfSSL_ERR_reason_error_string() / api.c:error_test(). tests/api.c: * add error_test() adapted from wolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existing test_wolfSSL_ERR_strings(). * in post_auth_version_client_cb(), add missing !NO_ERROR_STRINGS gating. add numerous WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly when WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS. * crypto lib (36), * crypto test&benchmark (20), * TLS lib (179), * examples (122), * linuxkm (3), * tests/api.c (2272).
douzzer
force-pushed
the
20240828-WOLFSSL_DEBUG_TRACE_ERROR_CODES-TLS
branch
from
91cfc04
to
17870d4
Compare
wolfssl/error-ssl.h
Outdated
| #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ | ||
| defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED) | ||
|
|
||
| WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE_E = -7, /* note conflict with |
There was a problem hiding this comment.
These don't belong here.
They are only meant to be in X509 verification error not returned through normal APIs.
There was a problem hiding this comment.
The incumbent implementation of wolfSSL_ERR_reason_error_string() returns error strings for these values. That's why the shadow values are now added in enum wolfSSL_ErrorCodes. It's all one namespace (of numbers) from the point of view of wolfSSL_ERR_reason_error_string().
That said, we can move the corresponding cases out of the main switch() in wolfSSL_ERR_reason_error_string(), enabling us to remove the shadow values in enum wolfSSL_ErrorCodes without provoking -Wswitch-enum, but then we lose the useful build time check that the cases are covered and self-consistent.
Either way, it's worth noting I didn't bother setting up error traces for WOLFSSL_X509_V_*. The sign-flipped _E variants added to enum wolfSSL_ErrorCodes aren't actually used by anything directly, though they're implicitly instrumented.
There was a problem hiding this comment.
wolfSSL_ErrorCodes are returned errors.
WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE_E is not and should not have a string associated with them when SetErrorString is called.
Don't mix the enums.
There was a problem hiding this comment.
But it is all going through wolfSSL_ERR_reason_error_string() as you said. facepalm
Well at least you'll get an error string out! Just that there is overlap!
These X509_V_ERRs aren't return error codes and shouldn't come out as strings when SetErrorString is called.
wolfSSL_ERR_reason_error_string() is all known error reasons, that is each failure has a unique value unlike wolfSSL.
OpenSSL does not include the X509_V_* errors in this and neither should we.
There was a problem hiding this comment.
Ah ha! So you're thinking we should remove that behavior of wolfSSL_ERR_reason_error_string()! That's where I was hoping this was headed.
… for -WOLFSSL_X509_V_ERR_*, and make corresponding changes in wolfssl/error-ssl.h and tests/api.c.
|
retest this please |
…g for -WOLFSSL_X509_V_ERR_*, but separated from handling for the proper wolfSSL_ErrorCodes.
src/internal.c: inwolfSSL_ERR_reason_error_string(), add missing error string forSCR_DIFFERENT_CERT_E.wolfssl/ssl.h,wolfssl/error-ssl.h,wolfssl/wolfcrypt/error-crypt.h,wolfcrypt/src/error.c, andsrc/internal.c:WOLFSSL_ERROR_SSLandWOLFSSL_ERROR_WANT_X509_LOOKUPto match OpenSSL values;ssl.htoerror-ssl.hand renumber them to conform to existing sequence;enum IOerrorsfromssl.htoerror-ssl.hto get picked up bysupport/gen-debug-trace-error-codes.sh;enum wolfSSL_ErrorCodesnegative counterparts for several positive error return constants;error-ssl.hfromssl.h;wolfCrypt_ErrorCodes) toerror-crypt.henum, and inwc_GetErrorString(), useswitch ((enum wolfCrypt_ErrorCodes)error)to activate switch warnings for missingenums;wolfSSL_ERR_reason_error_string(), useswitch((enum wolfSSL_ErrorCodes)error)to activate switch warnings for missingenums;ssl.h, add special-caseWOLFSSL_DEBUG_TRACE_ERROR_CODESmacros forWOLFSSL_FAILURE;error-crypt.h, add missingWOLFSSL_APIattribute towc_backtrace_render(); andssl.h/error-ssl.h/internal.c:wolfSSL_ERR_reason_error_string()/api.c:error_test().tests/api.c:error_test()adapted fromwolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existingtest_wolfSSL_ERR_strings().post_auth_version_client_cb(), add missing !NO_ERROR_STRINGSgating.add numerous
WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly whenWOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS.tested with
wolfssl-multi-test.sh ... super-quick-checkwithall-gcc-c99-backtraceadded tosuper-quick-check, and an automated code search for unescaped operand error code references added toall-gcc-c99-backtrace.