src/internal.c: in wolfSSL_ERR_reason_error_string(), add missing error string for SCR_DIFFERENT_CERT_E.

wolfssl/ssl.h, wolfssl/error-ssl.h, wolfssl/wolfcrypt/error-crypt.h, wolfcrypt/src/error.c, and src/internal.c:
* fix values of WOLFSSL_ERROR_SSL and WOLFSSL_ERROR_WANT_X509_LOOKUP to match OpenSSL values;
* move legacy CyaSSL compat layer error codes from ssl.h to error-ssl.h and renumber them to conform to existing sequence;
* move enum IOerrors from ssl.h to error-ssl.h to get picked up by support/gen-debug-trace-error-codes.sh;
* add to enum wolfSSL_ErrorCodes negative counterparts for several positive error return constants;
* include error-ssl.h from ssl.h;
* add label (wolfCrypt_ErrorCodes) to error-crypt.h enum, and in wc_GetErrorString(), use switch ((enum wolfCrypt_ErrorCodes)error) to activate switch warnings for missing enums;
* in wolfSSL_ERR_reason_error_string(), use switch((enum wolfSSL_ErrorCodes)error) to activate switch warnings for missing enums;
* in ssl.h, add special-case WOLFSSL_DEBUG_TRACE_ERROR_CODES macros for WOLFSSL_FAILURE;
* in error-crypt.h, add missing WOLFSSL_API attribute to wc_backtrace_render(); and
* harmonize gating of error codes, ssl.h / error-ssl.h / internal.c:wolfSSL_ERR_reason_error_string() / api.c:error_test().

tests/api.c:
* add error_test() adapted from wolfcrypt/test/test.c, checking all error strings for expected presence/absence and length, called from existing test_wolfSSL_ERR_strings().
* in post_auth_version_client_cb(), add missing !NO_ERROR_STRINGS gating.

add numerous WC_NO_ERR_TRACE()s to operand error code uses, cleaning up error traces in general, and particularly when WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS.
* crypto lib (36),
* crypto test&benchmark (20),
* TLS lib (179),
* examples (122),
* linuxkm (3),
* tests/api.c (2272).

Author: douzzer

src/internal.c

@@ -25165,13 +25165,14 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
         return wc_GetErrorString(error);
     }
 
-    switch (error) {
-
 #ifdef OPENSSL_EXTRA
-    case 0 :
+    if (error == 0) {
         return "ok";
+    }
 #endif
 
+    switch ((enum wolfSSL_ErrorCodes)error) {
+
     case UNSUPPORTED_SUITE :
         return "unsupported cipher suite";
 
@@ -25280,9 +25281,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
     case -WOLFSSL_ERROR_WANT_X509_LOOKUP:
         return "application client cert callback asked to be called again";
 
-    case -WOLFSSL_ERROR_SSL:
-        return "fatal TLS protocol error";
-
     case BUFFER_ERROR :
         return "malformed buffer input error";
 
@@ -25627,37 +25625,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
     case HTTP_APPSTR_ERR:
         return "HTTP Application string error";
 
-#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
-    /* TODO: -WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE. Conflicts with
-     *       -WOLFSSL_ERROR_WANT_CONNECT. */
-    case -WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID:
-        return "certificate not yet valid";
-    case -WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED:
-        return "certificate has expired";
-    case -WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
-        return "certificate signature failure";
-    case -WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
-        return "format error in certificate's notAfter field";
-    case -WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
-        return "self-signed certificate in certificate chain";
-    case -WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
-        return "unable to get local issuer certificate";
-    case -WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
-        return "unable to verify the first certificate";
-    case -WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG:
-        return "certificate chain too long";
-    case -WOLFSSL_X509_V_ERR_CERT_REVOKED:
-        return "certificate revoked";
-    case -WOLFSSL_X509_V_ERR_INVALID_CA:
-        return "invalid CA certificate";
-    case -WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED:
-        return "path length constraint exceeded";
-    case -WOLFSSL_X509_V_ERR_CERT_REJECTED:
-        return "certificate rejected";
-    case -WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
-        return "subject issuer mismatch";
-#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER */
-
     case UNSUPPORTED_PROTO_VERSION:
         #ifdef OPENSSL_EXTRA
         return "WRONG_SSL_VERSION";
@@ -25693,6 +25660,8 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
         return "Certificate type not supported";
 
     case WOLFSSL_BAD_STAT:
+        return "bad status";
+
     case WOLFSSL_BAD_PATH:
         return "No certificates found at designated path";
 
@@ -25708,26 +25677,56 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
     case WOLFSSL_UNKNOWN:
         return "Unknown algorithm (EVP)";
 
-    case WOLFSSL_CBIO_ERR_GENERAL:
-        return "I/O callback general unexpected error";
+    case WOLFSSL_FATAL_ERROR:
+        return "fatal error";
 
-    case WOLFSSL_CBIO_ERR_WANT_READ:
-        return "I/O callback want read, call again";
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+    defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED)
 
-    case WOLFSSL_CBIO_ERR_WANT_WRITE:
-        return "I/O callback want write, call again";
+    /* TODO: -WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE. Conflicts with
+     *       -WOLFSSL_ERROR_WANT_CONNECT.
+     */
 
-    case WOLFSSL_CBIO_ERR_CONN_RST:
-        return "I/O callback connection reset";
+    case -WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID:
+        return "certificate not yet valid";
+
+    case -WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED:
+        return "certificate has expired";
+
+    case -WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+        return "certificate signature failure";
+
+    case -WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+        return "format error in certificate's notAfter field";
+
+    case -WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+        return "self-signed certificate in certificate chain";
+
+    case -WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+        return "unable to get local issuer certificate";
+
+    case -WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+        return "unable to verify the first certificate";
+
+    case -WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG:
+        return "certificate chain too long";
+
+    case -WOLFSSL_X509_V_ERR_CERT_REVOKED:
+        return "certificate revoked";
+
+    case -WOLFSSL_X509_V_ERR_INVALID_CA:
+        return "invalid CA certificate";
 
-    case WOLFSSL_CBIO_ERR_ISR:
-        return "I/O callback interrupt";
+    case -WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED:
+        return "path length constraint exceeded";
 
-    case WOLFSSL_CBIO_ERR_CONN_CLOSE:
-        return "I/O callback connection closed or epipe";
+    case -WOLFSSL_X509_V_ERR_CERT_REJECTED:
+        return "certificate rejected";
+
+    case -WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+        return "subject issuer mismatch";
 
-    case WOLFSSL_CBIO_ERR_TIMEOUT:
-        return "I/O callback socket timeout";
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER || HAVE_MEMCACHED */
 
     default :
         return "unknown error number";

tests/api.c

@@ -55059,8 +55059,10 @@ static int post_auth_version_client_cb(WOLFSSL* ssl)
     ExpectIntEQ(wolfSSL_ERR_get_error(), -WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION));
 
     /* check the string matches expected string */
+    #ifndef NO_ERROR_STRINGS
     ExpectStrEQ(wolfSSL_ERR_error_string(-WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION), NULL),
             "WRONG_SSL_VERSION");
+    #endif
 #endif
     return EXPECT_RESULT();
 }
@@ -83162,6 +83164,7 @@ static int test_wolfSSL_set_psk_use_session_callback(void)
  */
 static int error_test(void)
 {
+    EXPECT_DECLS;
     const char* errStr;
     const char* unknownStr = wc_GetErrorString(0);
 
@@ -83170,11 +83173,9 @@ static int error_test(void)
      * The string is that error strings are not available.
      */
     errStr = wc_GetErrorString(OPEN_RAN_E);
-    wc_ErrorString(OPEN_RAN_E, out);
-    if (XSTRCMP(errStr, unknownStr) != 0)
-        return -1;
-    if (XSTRCMP(out, unknownStr) != 0)
-        return -2;
+    ExpectIntEQ(XSTRCMP(errStr, unknownStr), 0);
+    if (EXPECT_FAIL())
+        return OPEN_RAN_E;
 #else
     int i;
     int j = 0;
@@ -83183,6 +83184,20 @@ static int error_test(void)
         int first;
         int last;
     } missing[] = {
+#ifndef OPENSSL_EXTRA
+        { 0, 0 },
+#endif
+
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+    defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED)
+        { -11, -12 },
+        { -15, -17 },
+        { -19, -19 },
+        { -26, -27 },
+        { -30, WC_FIRST_E+1 },
+#else
+        { -9, WC_FIRST_E+1 },
+#endif
         { -124, -124 },
         { -166, -169 },
         { -300, -300 },
@@ -83192,14 +83207,15 @@ static int error_test(void)
         { -358, -358 },
         { -372, -372 },
         { -384, -384 },
-        { -473, -499 }
+        { -466, -499 },
+        { WOLFSSL_LAST_E-1, WOLFSSL_LAST_E-1 }
     };
 
     /* Check that all errors have a string and it's the same through the two
      * APIs. Check that the values that are not errors map to the unknown
      * string.
      */
-    for (i = WC_FIRST_E; i >= WOLFSSL_LAST_E; i--) {
+    for (i = 0; i >= WOLFSSL_LAST_E-1; i--) {
         int this_missing = 0;
         for (j = 0; j < (int)XELEM_CNT(missing); ++j) {
             if ((i <= missing[j].first) && (i >= missing[j].last)) {
@@ -83210,31 +83226,26 @@ static int error_test(void)
         errStr = wolfSSL_ERR_reason_error_string(i);
 
         if (! this_missing) {
-            if (XSTRCMP(errStr, unknownStr) == 0) {
-                WOLFSSL_MSG("errStr unknown");
-                return -3;
+            ExpectIntNE(XSTRCMP(errStr, unknownStr), 0);
+            if (EXPECT_FAIL()) {
+                return i;
             }
-            if (XSTRLEN(errStr) >= WOLFSSL_MAX_ERROR_SZ) {
-                WOLFSSL_MSG("errStr too long");
-                return -4;
+            ExpectTrue(XSTRLEN(errStr) < WOLFSSL_MAX_ERROR_SZ);
+            if (EXPECT_FAIL()) {
+                return i;
             }
         }
         else {
             j++;
-            if (XSTRCMP(errStr, unknownStr) != 0) {
-                return -5;
+            ExpectIntEQ(XSTRCMP(errStr, unknownStr), 0);
+            if (EXPECT_FAIL()) {
+                return i;
             }
         }
     }
-
-    /* Check if the next possible value has been given a string. */
-    errStr = wc_GetErrorString(i);
-    if (XSTRCMP(errStr, unknownStr) != 0) {
-        return -6;
-    }
 #endif
 
-    return 0;
+    return 1;
 }
 
 static int test_wolfSSL_ERR_strings(void)
@@ -83272,7 +83283,7 @@ static int test_wolfSSL_ERR_strings(void)
 #endif
 #endif
 
-    ExpectIntEQ(error_test(), 0);
+    ExpectIntEQ(error_test(), 1);
 
     return EXPECT_RESULT();
 }

wolfcrypt/src/error.c

@@ -42,7 +42,7 @@
 WOLFSSL_ABI
 const char* wc_GetErrorString(int error)
 {
-    switch (error) {
+    switch ((enum wolfCrypt_ErrorCodes)error) {
 
     case MP_MEM :
         return "MP integer dynamic memory allocation failed";
@@ -642,6 +642,8 @@ const char* wc_GetErrorString(int error)
     case PBKDF2_KAT_FIPS_E:
         return "wolfCrypt FIPS PBKDF2 Known Answer Test Failure";
 
+    case MAX_CODE_E:
+    case MIN_CODE_E:
     default:
         return "unknown error number";
 

wolfssl/error-ssl.h

@@ -35,9 +35,40 @@
 #endif
 
 enum wolfSSL_ErrorCodes {
-    WOLFSSL_FATAL_ERROR          =   -1, /* note, must be -1 for backward
-                                          * compat.                    */
-    WOLFSSL_FIRST_E              = -301,
+    WOLFSSL_FATAL_ERROR          =   -1,   /* must be -1 for backward compat. */
+
+    /* negative counterparts to namesake positive constants in ssl.h */
+    WOLFSSL_ERROR_WANT_READ_E    =   -2,
+    WOLFSSL_ERROR_WANT_WRITE_E   =   -3,
+    WOLFSSL_ERROR_WANT_X509_LOOKUP_E = -4,
+    WOLFSSL_ERROR_SYSCALL_E      =   -5,
+    WOLFSSL_ERROR_ZERO_RETURN_E  =   -6,
+    WOLFSSL_ERROR_WANT_CONNECT_E =   -7,
+    WOLFSSL_ERROR_WANT_ACCEPT_E  =   -8,
+
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+    defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED)
+
+    WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE_E  = -7, /* note conflict with
+                                              * WOLFSSL_ERROR_WANT_CONNECT_E
+                                                        */
+    WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID_E      = -9,
+    WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED_E        = -10,
+    WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD_E = -13,
+    WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD_E = -14,
+    WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT_E = -18,
+    WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY_E = -20,
+    WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE_E = -21,
+    WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG_E     = -22,
+    WOLFSSL_X509_V_ERR_CERT_REVOKED_E            = -23,
+    WOLFSSL_X509_V_ERR_INVALID_CA_E              = -24,
+    WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED_E    = -25,
+    WOLFSSL_X509_V_ERR_CERT_REJECTED_E           = -28,
+    WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH_E = -29,
+
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER || HAVE_MEMCACHED */
+
+    WOLFSSL_FIRST_E              = -301,   /* start of native TLS codes */
 
     INPUT_CASE_ERROR             = -301,   /* process input state error */
     PREFIX_ERROR                 = -302,   /* bad index to key rounds  */
@@ -203,15 +234,6 @@ enum wolfSSL_ErrorCodes {
     WOLFSSL_NOT_IMPLEMENTED      = -464,   /* Function not implemented */
     WOLFSSL_UNKNOWN              = -465,   /* Unknown algorithm (EVP) */
 
-    /* I/O Callback errors */
-    WOLFSSL_CBIO_ERR_GENERAL     = -466,   /* I/O callback general unexpected error */
-    WOLFSSL_CBIO_ERR_WANT_READ   = -467,   /* I/O callback want read, call again */
-    WOLFSSL_CBIO_ERR_WANT_WRITE  = -468,   /* I/O callback want write, call again */
-    WOLFSSL_CBIO_ERR_CONN_RST    = -469,   /* I/O callback connection reset */
-    WOLFSSL_CBIO_ERR_ISR         = -470,   /* I/O callback interrupt */
-    WOLFSSL_CBIO_ERR_CONN_CLOSE  = -471,   /* I/O callback connection closed or epipe */
-    WOLFSSL_CBIO_ERR_TIMEOUT     = -472,   /* I/O callback socket timeout */
-
     /* negotiation parameter errors */
     UNSUPPORTED_SUITE            = -500,   /* unsupported cipher suite */
     MATCH_SUITE_ERROR            = -501,   /* can't match cipher suite */
@@ -224,6 +246,16 @@ enum wolfSSL_ErrorCodes {
     WOLFSSL_LAST_E               = -506
 };
 
+/* I/O Callback default errors */
+enum IOerrors {
+    WOLFSSL_CBIO_ERR_GENERAL    = -1,     /* general unexpected err */
+    WOLFSSL_CBIO_ERR_WANT_READ  = -2,     /* need to call read  again */
+    WOLFSSL_CBIO_ERR_WANT_WRITE = -2,     /* need to call write again */
+    WOLFSSL_CBIO_ERR_CONN_RST   = -3,     /* connection reset */
+    WOLFSSL_CBIO_ERR_ISR        = -4,     /* interrupt */
+    WOLFSSL_CBIO_ERR_CONN_CLOSE = -5,     /* connection closed or epipe */
+    WOLFSSL_CBIO_ERR_TIMEOUT    = -6      /* socket timeout */
+};
 
 #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
     enum {

wolfssl/ssl.h

@@ -2647,14 +2647,15 @@ enum { /* ssl Constants */
             (WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE |
                     WOLFSSL_SESS_CACHE_NO_INTERNAL_LOOKUP),
 
+    /* These values match OpenSSL values for corresponding names. */
+    WOLFSSL_ERROR_SSL              =  1,
     WOLFSSL_ERROR_WANT_READ        =  2,
     WOLFSSL_ERROR_WANT_WRITE       =  3,
-    WOLFSSL_ERROR_WANT_CONNECT     =  7,
-    WOLFSSL_ERROR_WANT_ACCEPT      =  8,
+    WOLFSSL_ERROR_WANT_X509_LOOKUP =  4,
     WOLFSSL_ERROR_SYSCALL          =  5,
-    WOLFSSL_ERROR_WANT_X509_LOOKUP = 83,
     WOLFSSL_ERROR_ZERO_RETURN      =  6,
-    WOLFSSL_ERROR_SSL              = 85,
+    WOLFSSL_ERROR_WANT_CONNECT     =  7,
+    WOLFSSL_ERROR_WANT_ACCEPT      =  8,
 
     WOLFSSL_SENT_SHUTDOWN     = 1,
     WOLFSSL_RECEIVED_SHUTDOWN = 2,

wolfssl/wolfcrypt/error-crypt.h

@@ -42,7 +42,7 @@ the error status.
 #endif
 
 /* error codes, add string for new errors !!! */
-enum {
+enum wolfCrypt_ErrorCodes {
     /* note that WOLFSSL_FATAL_ERROR is defined as -1 in error-ssl.h, for
      * reasons of backward compatibility.
      */