-
Notifications
You must be signed in to change notification settings - Fork 836
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
20240608-WOLFSSL_DEBUG_TRACE_ERROR_CODES #7634
20240608-WOLFSSL_DEBUG_TRACE_ERROR_CODES #7634
Conversation
…C_ERR_TRACE(), WC_NO_ERR_TRACE(), support/gen-debug-trace-error-codes.sh. also add numerous deployments of WC_NO_ERR_TRACE() to inhibit frivolous/misleading errcode traces when -DWOLFSSL_DEBUG_TRACE_ERROR_CODES.
323f7fa
to
b3e8f0a
Compare
retest this please |
src/ssl.c
Outdated
@@ -3532,12 +3532,14 @@ int wolfSSL_ALPN_FreePeerProtocol(WOLFSSL* ssl, char **list) | |||
/* user is forcing ability to use secure renegotiation, we discourage it */ | |||
int wolfSSL_UseSecureRenegotiation(WOLFSSL* ssl) | |||
{ | |||
int ret = BAD_FUNC_ARG; | |||
int ret; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should have an initializer defined anyway.
src/tls.c
Outdated
@@ -878,7 +883,7 @@ static int Hmac_HashFinalRaw(Hmac* hmac, unsigned char* hash) | |||
*/ | |||
static int Hmac_OuterHash(Hmac* hmac, unsigned char* mac) | |||
{ | |||
int ret = BAD_FUNC_ARG; | |||
int ret; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's fine not to initialize that one but also harmless to initialize it (to = WC_NO_ERR_TRACE(BAD_FUNC_ARG)
). going with the latter, at your suggestion. that's already what I went with in nearly every other case like this.
… because needed (in wolfSSL_UseSecureRenegotiation()), the rest in an abundance of caution, and rearrange wolfSSL_CryptHwMutexInit() and wolfSSL_CryptHwMutexUnLock() in a similar abundance of caution.
( fprintf(stderr, \ | ||
"ERR TRACE: %s L %d " #label " (%d)\n", \ | ||
__FILE__, __LINE__, label), label) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@douzzer Should use WOLFSSL_MSG_EX
.
New global debugging aid --
--enable-debug-trace-errcodes
aka-DWOLFSSL_DEBUG_TRACE_ERROR_CODES
causes the library to render tostderr
a message with the filename, line number, error code name, and error number, for each and every error code throw.Example log fragment from an application, with
--enable-debug
also enabled (they are independent of each other):and another example, from
testwolfcrypt
output showing results from the SRTP-KDF expected-failure tests:WC_ERR_TRACE(label)
can be overridden (e.g. fromuser_settings.h
) with an embedded-friendly or otherwise specialized definition.Note that error codes are instrumented only inside the library -- the shimming requires
defined(BUILDING_LIBWOLFSSL)
. Thus theWC_NO_ERR_TRACE()
macro (which is always a constant numeric value) is for internal use only. Everything outside the library -- applications, of course, but alsotestwolfcrypt
,benchmark.c
, etc. -- always see the same numeric constantenum
error codes as ever.On non-autotools builds, manually running
support/gen-debug-trace-error-codes.sh
will be necessary by some mechanism. It's fine to run manually and directly, and takes no args.The nitty gritty:
add
--enable-debug-trace-errcodes
,WOLFSSL_DEBUG_TRACE_ERROR_CODES
,WC_ERR_TRACE()
,WC_NO_ERR_TRACE()
,support/gen-debug-trace-error-codes.sh
.also add numerous deployments of
WC_NO_ERR_TRACE()
to inhibit frivolous/misleading errcode traces when-DWOLFSSL_DEBUG_TRACE_ERROR_CODES
.tested with
wolfssl-multi-test.sh ... quick-check all-gcc-debug-c99 cppcheck-force-source
withall-gcc-debug-c99
tweaked to have--enable-debug-trace-errcodes
.additional notes:
missing
WC_NO_ERR_TRACE()
annotations are benign even in-DWOLFSSL_DEBUG_TRACE_ERROR_CODES
builds -- they just cause frivolous errcode traces to render, obviously self-explanatory to the developer because the file and line number are rendered.building
-UWOLFSSL_DEBUG_TRACE_ERROR_CODES
(the default) is identical to status quo, because the default definition ofWC_NO_ERR_TRACE()
is identity. Several frivolous or otherwise unnecessary error code initializations have been removed, but even then most such initializations have been left in place withWC_NO_ERR_TRACE()
wrappers.I used several scripts to autoconvert code for
WC_NO_ERR_TRACE()
and identify code needing manual tweaks:autoconvert comparisons to error codes:
find initializations to error codes (require manual mitigation):
count and rank occurrences in
testwolfcrypt
output, to orient+prioritize auditing and manual mitigation of frivolous errcode traces: