From 43db3b669ac4277d1a3fa2f550eb924fb53e5c78 Mon Sep 17 00:00:00 2001 From: Robert de Vries Date: Sat, 11 Apr 2026 20:16:05 +0200 Subject: [PATCH] Add support for wcGetErrorString() including error codes. It was already used, but not compiled in. A unit test is added. As wcGetErrorString() always returns a string the error handling in class _Hmac has been removed. --- scripts/build_ffi.py | 266 ++++++++++++++++++++++++++++++++++++- tests/test_error_string.py | 29 ++++ wolfcrypt/hashes.py | 6 +- 3 files changed, 295 insertions(+), 6 deletions(-) create mode 100644 tests/test_error_string.py diff --git a/scripts/build_ffi.py b/scripts/build_ffi.py index d9519ae..75a6efd 100644 --- a/scripts/build_ffi.py +++ b/scripts/build_ffi.py @@ -242,7 +242,6 @@ def make_flags(prefix, fips): flags.append("--disable-oldtls") flags.append("--disable-oldnames") flags.append("--disable-extended-master") - flags.append("--disable-errorstrings") return " ".join(flags) @@ -429,6 +428,7 @@ def build_ffi(local_wolfssl, features): includes_string += """ #include + #include #include #include @@ -549,6 +549,270 @@ def build_ffi(local_wolfssl, features): int wc_FreeRng(WC_RNG*); """ + if features["ERROR_STRINGS"]: + cdef += """ + static const int WC_FAILURE; + + static const int MAX_CODE_E; + static const int WC_FIRST_E; + + static const int WC_SPAN1_FIRST_E; + + static const int MP_MEM; + static const int MP_VAL; + static const int MP_WOULDBLOCK; + + static const int MP_NOT_INF; + + static const int OPEN_RAN_E; + static const int READ_RAN_E; + static const int WINCRYPT_E; + static const int CRYPTGEN_E; + static const int RAN_BLOCK_E; + static const int BAD_MUTEX_E; + static const int WC_TIMEOUT_E; + static const int WC_PENDING_E; + static const int WC_NO_PENDING_E; + + static const int MP_INIT_E; + static const int MP_READ_E; + static const int MP_EXPTMOD_E; + static const int MP_TO_E; + static const int MP_SUB_E; + static const int MP_ADD_E; + static const int MP_MUL_E; + static const int MP_MULMOD_E; + static const int MP_MOD_E; + static const int MP_INVMOD_E; + static const int MP_CMP_E; + static const int MP_ZERO_E; + + static const int AES_EAX_AUTH_E; + static const int KEY_EXHAUSTED_E; + static const int MEMORY_E; + static const int VAR_STATE_CHANGE_E; + static const int FIPS_DEGRADED_E; + + static const int FIPS_CODE_SZ_E; + static const int FIPS_DATA_SZ_E; + + static const int RSA_WRONG_TYPE_E; + static const int RSA_BUFFER_E; + static const int BUFFER_E; + static const int ALGO_ID_E; + static const int PUBLIC_KEY_E; + static const int DATE_E; + static const int SUBJECT_E; + static const int ISSUER_E; + static const int CA_TRUE_E; + static const int EXTENSIONS_E; + + static const int ASN_PARSE_E; + static const int ASN_VERSION_E; + static const int ASN_GETINT_E; + static const int ASN_RSA_KEY_E; + static const int ASN_OBJECT_ID_E; + static const int ASN_TAG_NULL_E; + static const int ASN_EXPECT_0_E; + static const int ASN_BITSTR_E; + static const int ASN_UNKNOWN_OID_E; + static const int ASN_DATE_SZ_E; + static const int ASN_BEFORE_DATE_E; + static const int ASN_AFTER_DATE_E; + static const int ASN_SIG_OID_E; + static const int ASN_TIME_E; + static const int ASN_INPUT_E; + static const int ASN_SIG_CONFIRM_E; + static const int ASN_SIG_HASH_E; + static const int ASN_SIG_KEY_E; + static const int ASN_DH_KEY_E; + static const int KDF_SRTP_KAT_FIPS_E; + static const int ASN_CRIT_EXT_E; + static const int ASN_ALT_NAME_E; + static const int ASN_NO_PEM_HEADER; + static const int ED25519_KAT_FIPS_E; + static const int ED448_KAT_FIPS_E; + static const int PBKDF2_KAT_FIPS_E; + static const int WC_KEY_MISMATCH_E; + + static const int ECC_BAD_ARG_E; + static const int ASN_ECC_KEY_E; + static const int ECC_CURVE_OID_E; + static const int BAD_FUNC_ARG; + static const int NOT_COMPILED_IN; + static const int UNICODE_SIZE_E; + static const int NO_PASSWORD; + static const int ALT_NAME_E; + static const int BAD_OCSP_RESPONDER; + static const int CRL_CERT_DATE_ERR; + + static const int AES_GCM_AUTH_E; + static const int AES_CCM_AUTH_E; + + static const int ASYNC_INIT_E; + + static const int COMPRESS_INIT_E; + static const int COMPRESS_E; + static const int DECOMPRESS_INIT_E; + static const int DECOMPRESS_E; + + static const int BAD_ALIGN_E; + static const int ASN_NO_SIGNER_E; + static const int ASN_CRL_CONFIRM_E; + static const int ASN_CRL_NO_SIGNER_E; + static const int ASN_OCSP_CONFIRM_E; + + static const int BAD_STATE_E; + static const int BAD_PADDING_E; + + static const int REQ_ATTRIBUTE_E; + + static const int PKCS7_OID_E; + static const int PKCS7_RECIP_E; + static const int FIPS_NOT_ALLOWED_E; + static const int ASN_NAME_INVALID_E; + + static const int RNG_FAILURE_E; + static const int HMAC_MIN_KEYLEN_E; + static const int RSA_PAD_E; + static const int LENGTH_ONLY_E; + + static const int IN_CORE_FIPS_E; + static const int AES_KAT_FIPS_E; + static const int DES3_KAT_FIPS_E; + static const int HMAC_KAT_FIPS_E; + static const int RSA_KAT_FIPS_E; + static const int DRBG_KAT_FIPS_E; + static const int DRBG_CONT_FIPS_E; + static const int AESGCM_KAT_FIPS_E; + static const int THREAD_STORE_KEY_E; + static const int THREAD_STORE_SET_E; + + static const int MAC_CMP_FAILED_E; + static const int IS_POINT_E; + static const int ECC_INF_E; + static const int ECC_PRIV_KEY_E; + static const int ECC_OUT_OF_RANGE_E; + + static const int SRP_CALL_ORDER_E; + static const int SRP_VERIFY_E; + static const int SRP_BAD_KEY_E; + + static const int ASN_NO_SKID; + static const int ASN_NO_AKID; + static const int ASN_NO_KEYUSAGE; + static const int SKID_E; + static const int AKID_E; + static const int KEYUSAGE_E; + static const int CERTPOLICIES_E; + + static const int WC_INIT_E; + static const int SIG_VERIFY_E; + static const int BAD_COND_E; + static const int SIG_TYPE_E; + static const int HASH_TYPE_E; + + static const int FIPS_INVALID_VER_E; + + static const int WC_KEY_SIZE_E; + static const int ASN_COUNTRY_SIZE_E; + static const int MISSING_RNG_E; + static const int ASN_PATHLEN_SIZE_E; + static const int ASN_PATHLEN_INV_E; + + static const int BAD_KEYWRAP_ALG_E; + static const int BAD_KEYWRAP_IV_E; + static const int WC_CLEANUP_E; + static const int ECC_CDH_KAT_FIPS_E; + static const int DH_CHECK_PUB_E; + static const int BAD_PATH_ERROR; + + static const int ASYNC_OP_E; + + static const int ECC_PRIVATEONLY_E; + static const int EXTKEYUSAGE_E; + static const int WC_HW_E; + static const int WC_HW_WAIT_E; + + static const int PSS_SALTLEN_E; + static const int PRIME_GEN_E; + static const int BER_INDEF_E; + static const int RSA_OUT_OF_RANGE_E; + static const int RSAPSS_PAT_FIPS_E; + static const int ECDSA_PAT_FIPS_E; + static const int DH_KAT_FIPS_E; + static const int AESCCM_KAT_FIPS_E; + static const int SHA3_KAT_FIPS_E; + static const int ECDHE_KAT_FIPS_E; + static const int AES_GCM_OVERFLOW_E; + static const int AES_CCM_OVERFLOW_E; + static const int RSA_KEY_PAIR_E; + static const int DH_CHECK_PRIV_E; + + static const int WC_AFALG_SOCK_E; + static const int WC_DEVCRYPTO_E; + + static const int ZLIB_INIT_ERROR; + static const int ZLIB_COMPRESS_ERROR; + static const int ZLIB_DECOMPRESS_ERROR; + + static const int PKCS7_NO_SIGNER_E; + static const int WC_PKCS7_WANT_READ_E; + + static const int CRYPTOCB_UNAVAILABLE; + static const int PKCS7_SIGNEEDS_CHECK; + static const int PSS_SALTLEN_RECOVER_E; + static const int CHACHA_POLY_OVERFLOW; + static const int ASN_SELF_SIGNED_E; + static const int SAKKE_VERIFY_FAIL_E; + static const int MISSING_IV; + static const int MISSING_KEY; + static const int BAD_LENGTH_E; + static const int ECDSA_KAT_FIPS_E; + static const int RSA_PAT_FIPS_E; + static const int KDF_TLS12_KAT_FIPS_E; + static const int KDF_TLS13_KAT_FIPS_E; + static const int KDF_SSH_KAT_FIPS_E; + static const int DHE_PCT_E; + static const int ECC_PCT_E; + static const int FIPS_PRIVATE_KEY_LOCKED_E; + static const int PROTOCOLCB_UNAVAILABLE; + static const int AES_SIV_AUTH_E; + static const int NO_VALID_DEVID; + + static const int IO_FAILED_E; + static const int SYSLIB_FAILED_E; + static const int USE_HW_PSK; + + static const int ENTROPY_RT_E; + static const int ENTROPY_APT_E; + + static const int ASN_DEPTH_E; + static const int ASN_LEN_E; + + static const int SM4_GCM_AUTH_E; + static const int SM4_CCM_AUTH_E; + + static const int WC_SPAN1_LAST_E; + static const int WC_SPAN1_MIN_CODE_E; + + static const int WC_SPAN2_FIRST_E; + + static const int DEADLOCK_AVERTED_E; + static const int ASCON_AUTH_E; + static const int WC_ACCEL_INHIBIT_E; + static const int BAD_INDEX_E; + static const int INTERRUPTED_E; + + static const int WC_SPAN2_LAST_E; + static const int WC_LAST_E; + + static const int WC_SPAN2_MIN_CODE_E; + static const int MIN_CODE_E; + + const char* wc_GetErrorString(int error); + """ + if not features["FIPS"] or features["FIPS_VERSION"] > 2: cdef += """ int wc_GenerateSeed(OS_Seed* os, byte* seed, word32 sz); diff --git a/tests/test_error_string.py b/tests/test_error_string.py new file mode 100644 index 0000000..3c7c401 --- /dev/null +++ b/tests/test_error_string.py @@ -0,0 +1,29 @@ +# test_error_string.py +# +# Copyright (C) 2026 wolfSSL Inc. +# +# This file is part of wolfSSL. (formerly known as CyaSSL) +# +# wolfSSL is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# wolfSSL is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + +import pytest + +from wolfcrypt._ffi import ffi as _ffi +from wolfcrypt._ffi import lib as _lib + + +@pytest.mark.parametrize("err", (_lib.WC_FAILURE, _lib.KEY_EXHAUSTED_E, _lib.NO_PASSWORD, _lib.INTERRUPTED_E, 0)) +def test_error_string(err): + print(_ffi.string(_lib.wc_GetErrorString(err)).decode()) diff --git a/wolfcrypt/hashes.py b/wolfcrypt/hashes.py index ef3989e..d6a2af1 100644 --- a/wolfcrypt/hashes.py +++ b/wolfcrypt/hashes.py @@ -318,11 +318,7 @@ def _init(self, hmac, key): if len(key) > 0: ret = _lib.wc_HmacSetKey(self._native_object, hmac, key, len(key)) if ret < 0: - err_str = "no error description found" - try: - err_str = _ffi.string(_lib.wc_GetErrorString(ret)).decode() - except: - pass + err_str = _ffi.string(_lib.wc_GetErrorString(ret)).decode() raise WolfCryptError("wc_HmacSetKey returned {}: {}".format(ret, err_str)) return ret