OpenSSL error code handling in reason_error_string

miyazakh · miyazakh · commit 0e8af03f1d63 · 2026-01-10T13:50:08.000+09:00
diff --git a/src/internal.c b/src/internal.c
@@ -26595,6 +26595,65 @@ int SendAlert(WOLFSSL* ssl, int severity, int type)
 #include <wolfssl/debug-untrace-error-codes.h>
 #endif
 
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+    defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED)
+static const char* wolfSSL_ERR_reason_error_string_OpenSSL(unsigned long e)
+{
+    switch (e) {
+    /* TODO: -WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE. Conflicts with
+     *       -WOLFSSL_ERROR_WANT_CONNECT.
+     */
+    case WOLFSSL_X509_V_ERR_CRL_HAS_EXPIRED:
+        return "CRL has expired";
+
+    case WOLFSSL_X509_V_ERR_UNABLE_TO_GET_CRL:
+        return "unable to get CRL";
+
+    case WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID:
+        return "certificate not yet valid";
+
+    case WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED:
+        return "certificate has expired";
+
+    case WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+        return "certificate signature failure";
+
+    case WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+        return "format error in certificate's notAfter field";
+
+    case WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+        return "self-signed certificate in certificate chain";
+
+    case WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+        return "unable to get local issuer certificate";
+
+    case WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+        return "unable to verify the first certificate";
+
+    case WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG:
+        return "certificate chain too long";
+
+    case WOLFSSL_X509_V_ERR_CERT_REVOKED:
+        return "certificate revoked";
+
+    case WOLFSSL_X509_V_ERR_INVALID_CA:
+        return "invalid CA certificate";
+
+    case WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED:
+        return "path length constraint exceeded";
+
+    case WOLFSSL_X509_V_ERR_CERT_REJECTED:
+        return "certificate rejected";
+
+    case WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+        return "subject issuer mismatch";
+
+    default:
+        return NULL;
+    }
+}
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER || HAVE_MEMCACHED */
+
 const char* wolfSSL_ERR_reason_error_string(unsigned long e)
 {
 #ifdef NO_ERROR_STRINGS
@@ -26606,11 +26665,18 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
 
     int error = (int)e;
 
-    /* OpenSSL uses positive error codes */
     if (error > 0) {
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+    defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED)
+    /* try OpenSSL error strings first */
+        const char* ossl_err = wolfSSL_ERR_reason_error_string_OpenSSL(e);
+        if (ossl_err != NULL) {
+            return ossl_err;
+        }
+    /* try to find error strings from wolfSSL */
+#endif
         error = -error;
     }
-
     /* pass to wolfCrypt */
     if ((error <= WC_SPAN1_FIRST_E && error >= WC_SPAN1_MIN_CODE_E) ||
         (error <= WC_SPAN2_FIRST_E && error >= WC_SPAN2_MIN_CODE_E))
@@ -27169,55 +27235,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
         return "Private key decode error (EVP)";
     }
 
-#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
-    defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED)
-
-    switch (error) {
-    /* TODO: -WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE. Conflicts with
-     *       -WOLFSSL_ERROR_WANT_CONNECT.
-     */
-
-    case -WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID:
-        return "certificate not yet valid";
-
-    case -WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED:
-        return "certificate has expired";
-
-    case -WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
-        return "certificate signature failure";
-
-    case -WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
-        return "format error in certificate's notAfter field";
-
-    case -WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
-        return "self-signed certificate in certificate chain";
-
-    case -WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
-        return "unable to get local issuer certificate";
-
-    case -WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
-        return "unable to verify the first certificate";
-
-    case -WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG:
-        return "certificate chain too long";
-
-    case -WOLFSSL_X509_V_ERR_CERT_REVOKED:
-        return "certificate revoked";
-
-    case -WOLFSSL_X509_V_ERR_INVALID_CA:
-        return "invalid CA certificate";
-
-    case -WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED:
-        return "path length constraint exceeded";
-
-    case -WOLFSSL_X509_V_ERR_CERT_REJECTED:
-        return "certificate rejected";
-
-    case -WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
-        return "subject issuer mismatch";
-    }
-#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER || HAVE_MEMCACHED */
-
     return "unknown error number";
 
 #endif /* NO_ERROR_STRINGS */
diff --git a/tests/api.c b/tests/api.c
@@ -34750,6 +34750,7 @@ static int error_test(void)
     if (EXPECT_FAIL())
         return OPEN_RAN_E;
 #else
+    int start_idx = 0;
     int i;
     int j = 0;
     /* Values that are not or no longer error codes. */
@@ -34763,14 +34764,12 @@ static int error_test(void)
 
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
     defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED)
-        { -11, -12 },
-        { -15, -17 },
-        { -19, -19 },
-        { -26, -27 },
-        { -30, WC_SPAN1_FIRST_E + 1 },
-#else
-        { -9, WC_SPAN1_FIRST_E + 1 },
+        {11, 11},
+        {17, 15},
+        {19, 19},
+        {27, 26 },
 #endif
+        { -9, WC_SPAN1_FIRST_E + 1 },
         { -124, -124 },
         { -167, -169 },
         { -300, -300 },
@@ -34788,7 +34787,10 @@ static int error_test(void)
      * APIs. Check that the values that are not errors map to the unknown
      * string.
      */
-    for (i = 0; i >= MIN_CODE_E; i--) {
+#if defined(OPENSSL_EXTRA)
+    start_idx = WC_OSSL_V509_V_ERR_MAX - 1;
+#endif
+    for (i = start_idx; i >= MIN_CODE_E; i--) {
         int this_missing = 0;
         for (j = 0; j < (int)XELEM_CNT(missing); ++j) {
             if ((i <= missing[j].first) && (i >= missing[j].last)) {
diff --git a/wolfssl/openssl/x509.h b/wolfssl/openssl/x509.h
@@ -68,9 +68,6 @@
 #define WOLFSSL_XN_FLAG_MULTILINE       0xFFFF
 #define WOLFSSL_XN_FLAG_ONELINE (WOLFSSL_XN_FLAG_SEP_CPLUS_SPC | WOLFSSL_XN_FLAG_SPC_EQ | WOLFSSL_XN_FLAG_FN_SN)
 
-#define WOLFSSL_X509_V_ERR_CRL_HAS_EXPIRED              12
-#define WOLFSSL_X509_V_ERR_UNABLE_TO_GET_CRL            3
-
 #ifndef OPENSSL_COEXIST
 
 /* wolfSSL_X509_print_ex flags */
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
@@ -2612,9 +2612,11 @@ WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl);
      */
 enum {
     WOLFSSL_X509_V_OK                                    = 0,
+    WOLFSSL_X509_V_ERR_UNABLE_TO_GET_CRL                 = 3,
     WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE            = 7,
     WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID                = 9,
     WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED                  = 10,
+    WOLFSSL_X509_V_ERR_CRL_HAS_EXPIRED                   = 12,
     WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD    = 13,
     WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD     = 14,
     WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT       = 18,
@@ -2626,6 +2628,7 @@ enum {
     WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED              = 25,
     WOLFSSL_X509_V_ERR_CERT_REJECTED                     = 28,
     WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH           = 29,
+    WC_OSSL_V509_V_ERR_MAX = 30,
 
 #ifdef HAVE_OCSP
     /* OCSP Flags */
