From b7fd9cb0020e6da60ec1efccf365104cefb0ae92 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sun, 22 Mar 2026 13:11:08 -0500 Subject: [PATCH 1/3] wolfssl/wolfcrypt/error-crypt.h: add __extension__ to __GNUC__&&!__STRICT_ANSI__ variant of wc_debug_trace_error_codes_enabled(), to inhibit false positive "error: ISO C forbids braced-groups within expressions" with -pedantic. --- wolfssl/wolfcrypt/error-crypt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index a22310b452..2207f3b9ac 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -355,7 +355,7 @@ WOLFSSL_ABI WOLFSSL_API const char* wc_GetErrorString(int error); #endif #ifndef WC_ERR_TRACE #if defined(__GNUC__) && !defined(__STRICT_ANSI__) - #define WC_ERR_TRACE(label) \ + #define WC_ERR_TRACE(label) __extension__ \ ({ if (wc_debug_trace_error_codes_enabled()) { \ (void)WOLFSSL_DEBUG_PRINTF_FN( \ WOLFSSL_DEBUG_PRINTF_FIRST_ARGS \ From 678660e26d4f9f0d469f45dc3ad52ec2c2f93d36 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sun, 22 Mar 2026 13:17:47 -0500 Subject: [PATCH 2/3] src/keys.c and src/tls13.c: add WC_NO_ERR_TRACE() annotations for various initializations. wolfssl/ssl.h, examples/client/client.c, examples/server/server.c, src/bio.c, tests/api.c: add error tracing for WOLFSSL_SHUTDOWN_NOT_DONE. tests/api.c: in test_wolfSSL_read_write_ex(), use WOLFSSL_SUCCESS rather than 1 for expected-success wolfSSL_shutdown()s, and add note that the wrong value is being returned (the test currently always fails, which is masked by an always-success retval). --- examples/client/client.c | 8 ++++---- examples/server/server.c | 4 ++-- src/bio.c | 2 +- src/keys.c | 2 +- src/tls13.c | 12 ++++++------ tests/api.c | 12 +++++++----- wolfssl/ssl.h | 8 ++++++++ 7 files changed, 29 insertions(+), 19 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 8e925f4117..12b63c1398 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -1044,7 +1044,7 @@ static int SMTP_Shutdown(WOLFSSL* ssl, int wc_shutdown) printf("%s\n", tmpBuf); ret = wolfSSL_shutdown(ssl); - if (wc_shutdown && ret == WOLFSSL_SHUTDOWN_NOT_DONE) { + if (wc_shutdown && ret == WC_NO_ERR_TRACE(WOLFSSL_SHUTDOWN_NOT_DONE)) { if (tcp_select(wolfSSL_get_fd(ssl), DEFAULT_TIMEOUT_SEC) == TEST_RECV_READY) { ret = wolfSSL_shutdown(ssl); /* bidirectional shutdown */ @@ -4687,7 +4687,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif ret = wolfSSL_shutdown(ssl); - if (wc_shutdown && ret == WOLFSSL_SHUTDOWN_NOT_DONE) { + if (wc_shutdown && ret == WC_NO_ERR_TRACE(WOLFSSL_SHUTDOWN_NOT_DONE)) { while (tcp_select(wolfSSL_get_fd(ssl), DEFAULT_TIMEOUT_SEC) == TEST_RECV_READY) { ret = wolfSSL_shutdown(ssl); /* bidirectional shutdown */ @@ -4695,7 +4695,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) printf("Bidirectional shutdown complete\n"); break; } - else if (ret != WOLFSSL_SHUTDOWN_NOT_DONE) { + else if (ret != WC_NO_ERR_TRACE(WOLFSSL_SHUTDOWN_NOT_DONE)) { LOG_ERROR("Bidirectional shutdown failed\n"); break; } @@ -4932,7 +4932,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) sendGET, " resume", 0); ret = wolfSSL_shutdown(sslResume); - if (wc_shutdown && ret == WOLFSSL_SHUTDOWN_NOT_DONE) + if (wc_shutdown && ret == WC_NO_ERR_TRACE(WOLFSSL_SHUTDOWN_NOT_DONE)) wolfSSL_shutdown(sslResume); /* bidirectional shutdown */ /* display collected statistics */ diff --git a/examples/server/server.c b/examples/server/server.c index e52d611fbb..5506f27339 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -4044,7 +4044,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #endif /* WOLFSSL_DTLS13 */ ret = SSL_shutdown(ssl); - if (wc_shutdown && ret == WOLFSSL_SHUTDOWN_NOT_DONE) { + if (wc_shutdown && ret == WC_NO_ERR_TRACE(WOLFSSL_SHUTDOWN_NOT_DONE)) { while (tcp_select(wolfSSL_get_fd(ssl), DEFAULT_TIMEOUT_SEC) == TEST_RECV_READY) { ret = wolfSSL_shutdown(ssl); /* bidirectional shutdown */ @@ -4052,7 +4052,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) printf("Bidirectional shutdown complete\n"); break; } - else if (ret != WOLFSSL_SHUTDOWN_NOT_DONE) { + else if (ret != WC_NO_ERR_TRACE(WOLFSSL_SHUTDOWN_NOT_DONE)) { LOG_ERROR("Bidirectional shutdown failed\n"); break; } diff --git a/src/bio.c b/src/bio.c index 02431dd38a..2eecb4fc7e 100644 --- a/src/bio.c +++ b/src/bio.c @@ -2646,7 +2646,7 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) if (b->ptr.ssl != NULL) { int rc = wolfSSL_shutdown(b->ptr.ssl); - if (rc == WOLFSSL_SHUTDOWN_NOT_DONE) { + if (rc == WC_NO_ERR_TRACE(WOLFSSL_SHUTDOWN_NOT_DONE)) { /* In this case, call again to give us a chance to read the * close notify alert from the other end. */ wolfSSL_shutdown(b->ptr.ssl); diff --git a/src/keys.c b/src/keys.c index b4b39a43f2..190a5d4dd3 100644 --- a/src/keys.c +++ b/src/keys.c @@ -3571,7 +3571,7 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side) #endif #if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) - ret = PROTOCOLCB_UNAVAILABLE; + ret = WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE); if (ssl->ctx->EncryptKeysCb) { void* ctx = wolfSSL_GetEncryptKeysCtx(ssl); #if defined(WOLFSSL_RENESAS_FSPSM_TLS) diff --git a/src/tls13.c b/src/tls13.c index 50192f763c..1e267c1375 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -234,7 +234,7 @@ static int Tls13HKDFExpandKeyLabel(WOLFSSL* ssl, byte* okm, word32 okmLen, { int ret; #if defined(HAVE_PK_CALLBACKS) - ret = NOT_COMPILED_IN; + ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN); if (ssl->ctx && ssl->ctx->HKDFExpandLabelCb) { ret = ssl->ctx->HKDFExpandLabelCb(okm, okmLen, prk, prkLen, protocol, protocolLen, @@ -2662,7 +2662,7 @@ static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input, nonceSz = AESGCM_NONCE_SZ; #if defined(HAVE_PK_CALLBACKS) - ret = NOT_COMPILED_IN; + ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN); if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) { ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 1, output, input, dataSz, @@ -2704,7 +2704,7 @@ static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input, nonceSz = AESCCM_NONCE_SZ; #if defined(HAVE_PK_CALLBACKS) - ret = NOT_COMPILED_IN; + ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN); if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) { ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 1, output, input, dataSz, @@ -3063,7 +3063,7 @@ int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz, nonceSz = AESGCM_NONCE_SZ; #if defined(HAVE_PK_CALLBACKS) - ret = NOT_COMPILED_IN; + ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN); if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) { ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 0, output, input, dataSz, @@ -3102,7 +3102,7 @@ int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz, nonceSz = AESCCM_NONCE_SZ; #if defined(HAVE_PK_CALLBACKS) - ret = NOT_COMPILED_IN; + ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN); if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) { ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 0, output, input, dataSz, @@ -6892,7 +6892,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif { /* Reset state */ - ret = VERSION_ERROR; + ret = WC_NO_ERR_TRACE(VERSION_ERROR); ssl->options.asyncState = TLS_ASYNC_BEGIN; XMEMSET(args, 0, sizeof(Dch13Args)); #ifdef WOLFSSL_ASYNC_CRYPT diff --git a/tests/api.c b/tests/api.c index 8687213f42..794a9a58d4 100644 --- a/tests/api.c +++ b/tests/api.c @@ -6713,13 +6713,15 @@ static int test_wolfSSL_read_write_ex(void) ExpectIntEQ(wolfSSL_shutdown(ssl_c), WOLFSSL_SHUTDOWN_NOT_DONE); ExpectIntEQ(wolfSSL_shutdown(ssl_s), WOLFSSL_SHUTDOWN_NOT_DONE); - ExpectIntEQ(wolfSSL_shutdown(ssl_c), 1); - ExpectIntEQ(wolfSSL_shutdown(ssl_s), 1); + ExpectIntEQ(wolfSSL_shutdown(ssl_c), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_shutdown(ssl_s), WOLFSSL_SUCCESS); wolfSSL_free(ssl_c); wolfSSL_free(ssl_s); wolfSSL_CTX_free(ctx_c); wolfSSL_CTX_free(ctx_s); + + /* XXX this should be return EXPECT_RESULT(); */ return TEST_SUCCESS; } @@ -25691,7 +25693,7 @@ static THREAD_RETURN WOLFSSL_THREAD SSL_read_test_client_thread(void* args) if (EXPECT_SUCCESS()) { ret = wolfSSL_shutdown(ssl); - if (ret == WOLFSSL_SHUTDOWN_NOT_DONE) { + if (ret == WC_NO_ERR_TRACE(WOLFSSL_SHUTDOWN_NOT_DONE)) { ret = wolfSSL_shutdown(ssl); } } @@ -29286,7 +29288,7 @@ static void test_ticket_and_psk_mixing_on_result(WOLFSSL* ssl) } do { ret = wolfSSL_shutdown(ssl); - } while (ret == WOLFSSL_SHUTDOWN_NOT_DONE); + } while (ret == WC_NO_ERR_TRACE(WOLFSSL_SHUTDOWN_NOT_DONE)); AssertIntEQ(wolfSSL_clear(ssl), WOLFSSL_SUCCESS); wolfSSL_set_psk_callback_ctx(ssl, (void*)"TLS13-AES256-GCM-SHA384"); #ifndef OPENSSL_COMPATIBLE_DEFAULTS @@ -29377,7 +29379,7 @@ static void test_prioritize_psk_on_result(WOLFSSL* ssl) } do { ret = wolfSSL_shutdown(ssl); - } while (ret == WOLFSSL_SHUTDOWN_NOT_DONE); + } while (ret == WC_NO_ERR_TRACE(WOLFSSL_SHUTDOWN_NOT_DONE)); AssertIntEQ(wolfSSL_clear(ssl), WOLFSSL_SUCCESS); wolfSSL_set_psk_callback_ctx(ssl, (void*)"TLS13-AES256-GCM-SHA384"); /* Previous connection was made with TLS13-AES128-GCM-SHA256. Order is diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 518e3e3a92..17d108b592 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -3075,6 +3075,14 @@ enum { /* ssl Constants */ WOLFSSL_SHUTDOWN_NOT_DONE = 2, #endif + #if defined(WOLFSSL_DEBUG_TRACE_ERROR_CODES) && \ + (defined(BUILDING_WOLFSSL) || \ + defined(WOLFSSL_DEBUG_TRACE_ERROR_CODES_ALWAYS)) + #define WOLFSSL_SHUTDOWN_NOT_DONE \ + WC_ERR_TRACE(WOLFSSL_SHUTDOWN_NOT_DONE) + #define CONST_NUM_ERR_WOLFSSL_SHUTDOWN_NOT_DONE 0 + #endif + WOLFSSL_FILETYPE_ASN1 = CTC_FILETYPE_ASN1, WOLFSSL_FILETYPE_PEM = CTC_FILETYPE_PEM, WOLFSSL_FILETYPE_DEFAULT = CTC_FILETYPE_ASN1, /* ASN1 */ From b8f9b06b5d4562fe660edfe006da36880f67fc1d Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sun, 22 Mar 2026 13:22:27 -0500 Subject: [PATCH 3/3] wolfcrypt/src/logging.c: fix recursion in wc_backtrace_render(). --- wolfcrypt/src/logging.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c index 5f7d03acce..633b8a9690 100644 --- a/wolfcrypt/src/logging.c +++ b/wolfcrypt/src/logging.c @@ -1939,7 +1939,7 @@ int wc_backtrace_render(void) { int cur_init_count = wolfSSL_Atomic_Int_FetchSub(&init_count, 1); if (cur_init_count != 0) { (void)wolfSSL_Atomic_Int_FetchAdd(&init_count, 1); - return DEADLOCK_AVERTED_E; + return WC_NO_ERR_TRACE(DEADLOCK_AVERTED_E); } ret = wc_InitMutex(&backtrace_mutex); if (ret != 0) @@ -1960,7 +1960,7 @@ int wc_backtrace_render(void) { if (backtrace_state == NULL) { if (backtrace_init(&backtrace_state) < 0) { wc_UnLockMutex(&backtrace_mutex); - return BAD_STATE_E; + return WC_NO_ERR_TRACE(BAD_STATE_E); } }