From 4264a49246534b6ee862420c9bd2d2874a2156ea Mon Sep 17 00:00:00 2001
From: TakayukiMatsuo <tak@wolfssl.com>
Date: Mon, 22 Feb 2021 08:05:11 +0900
Subject: [PATCH 1/3] Causes SSL_CTX_load_verify_locations and
 X509_LOOKUP_load_file to return zero on failure if WOLFSSL_ERR_CODE_OPENSSL
 is defined

---
 src/ssl.c     | 14 ++++++++------
 tests/api.c   |  9 ++++++---
 wolfssl/ssl.h |  6 ++++++
 3 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index 609f1c1ca..372767680 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -6913,8 +6913,10 @@ WOLFSSL_ABI
 int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file,
                                      const char* path)
 {
-    return wolfSSL_CTX_load_verify_locations_ex(ctx, file, path,
+    int ret = wolfSSL_CTX_load_verify_locations_ex(ctx, file, path,
         WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS);
+
+    return RETURN_CODE(ret,0);
 }
 
 
@@ -24407,15 +24409,15 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
     const char* footer = NULL;
 
     if (type != X509_FILETYPE_PEM)
-        return BAD_FUNC_ARG;
+        return RETURN_CODE(BAD_FUNC_ARG,0);
 
     fp = XFOPEN(file, "rb");
     if (fp == XBADFILE)
-        return BAD_FUNC_ARG;
+        return RETURN_CODE(BAD_FUNC_ARG,0);
 
     if(XFSEEK(fp, 0, XSEEK_END) != 0) {
         XFCLOSE(fp);
-        return WOLFSSL_BAD_FILE;
+        return RETURN_CODE(WOLFSSL_BAD_FILE,0);
     }
     sz = XFTELL(fp);
     XREWIND(fp);
@@ -24485,12 +24487,12 @@ end:
     if (pem != NULL)
         XFREE(pem, 0, DYNAMIC_TYPE_PEM);
     XFCLOSE(fp);
-    return ret;
+    return RETURN_CODE(ret,0);
 #else
     (void)lookup;
     (void)file;
     (void)type;
-    return WOLFSSL_FAILURE;
+    return RETURN_CODE(WOLFSSL_FAILURE,0);
 #endif
 }
 
diff --git a/tests/api.c b/tests/api.c
index 6a2283663..61049017d 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -953,17 +953,20 @@ static void test_wolfSSL_CTX_load_verify_locations(void)
     AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, NULL, NULL), WOLFSSL_FAILURE);
 
     /* invalid ca file */
-    AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, bogusFile, NULL), WOLFSSL_BAD_FILE);
+    AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, bogusFile, NULL),
+     RETURN_CODE(WOLFSSL_BAD_FILE,0));
 
 
 #if !defined(NO_WOLFSSL_DIR) && !defined(WOLFSSL_TIRTOS)
     /* invalid path */
-    AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, NULL, bogusFile), BAD_PATH_ERROR);
+    AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, NULL, bogusFile),
+     RETURN_CODE(BAD_PATH_ERROR,0));
 #endif
 
     /* load ca cert */
 #ifdef NO_RSA
-    AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), ASN_UNKNOWN_OID_E);
+    AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL),
+     RETURN_CODE(ASN_UNKNOWN_OID_E,0));
 #else /* Skip the following test without RSA certs. */
     AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), WOLFSSL_SUCCESS);
 
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 0c81c9b77..3a6fb9c73 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -674,6 +674,12 @@ enum AlertLevel {
     alert_fatal   = 2
 };
 
+#if defined(WOLFSSL_ERROR_CODE_OPENSSL)
+    #define RETURN_CODE(w,o)  ((w < 0)?o:w)
+#else
+    #define RETURN_CODE(w,o) (w)
+#endif
+
 /* Maximum master key length (SECRET_LEN) */
 #define WOLFSSL_MAX_MASTER_KEY_LENGTH 48
 /* Maximum number of groups that can be set */

From bbf12841123e736782b9da8dcdfaa6e85836c7b6 Mon Sep 17 00:00:00 2001
From: TakayukiMatsuo <tak@wolfssl.com>
Date: Wed, 3 Mar 2021 11:23:11 +0900
Subject: [PATCH 2/3] Replace immediate value "0" with WOLFSSL_FAILURE and add
 comment to the RETURN_CODE macro

---
 src/ssl.c     | 12 ++++++------
 tests/api.c   |  6 +++---
 wolfssl/ssl.h |  9 +++++++++
 3 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index 372767680..dc8c08eb2 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -6916,7 +6916,7 @@ int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file,
     int ret = wolfSSL_CTX_load_verify_locations_ex(ctx, file, path,
         WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS);
 
-    return RETURN_CODE(ret,0);
+    return RETURN_CODE(ret,WOLFSSL_FAILURE);
 }
 
 
@@ -24409,15 +24409,15 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
     const char* footer = NULL;
 
     if (type != X509_FILETYPE_PEM)
-        return RETURN_CODE(BAD_FUNC_ARG,0);
+        return RETURN_CODE(BAD_FUNC_ARG,WOLFSSL_FAILURE);
 
     fp = XFOPEN(file, "rb");
     if (fp == XBADFILE)
-        return RETURN_CODE(BAD_FUNC_ARG,0);
+        return RETURN_CODE(BAD_FUNC_ARG,WOLFSSL_FAILURE);
 
     if(XFSEEK(fp, 0, XSEEK_END) != 0) {
         XFCLOSE(fp);
-        return RETURN_CODE(WOLFSSL_BAD_FILE,0);
+        return RETURN_CODE(WOLFSSL_BAD_FILE,WOLFSSL_FAILURE);
     }
     sz = XFTELL(fp);
     XREWIND(fp);
@@ -24487,12 +24487,12 @@ end:
     if (pem != NULL)
         XFREE(pem, 0, DYNAMIC_TYPE_PEM);
     XFCLOSE(fp);
-    return RETURN_CODE(ret,0);
+    return RETURN_CODE(ret,WOLFSSL_FAILURE);
 #else
     (void)lookup;
     (void)file;
     (void)type;
-    return RETURN_CODE(WOLFSSL_FAILURE,0);
+    return RETURN_CODE(WOLFSSL_FAILURE,WOLFSSL_FAILURE);
 #endif
 }
 
diff --git a/tests/api.c b/tests/api.c
index 61049017d..ccfc954d9 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -954,19 +954,19 @@ static void test_wolfSSL_CTX_load_verify_locations(void)
 
     /* invalid ca file */
     AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, bogusFile, NULL),
-     RETURN_CODE(WOLFSSL_BAD_FILE,0));
+     RETURN_CODE(WOLFSSL_BAD_FILE,WOLFSSL_FAILURE));
 
 
 #if !defined(NO_WOLFSSL_DIR) && !defined(WOLFSSL_TIRTOS)
     /* invalid path */
     AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, NULL, bogusFile),
-     RETURN_CODE(BAD_PATH_ERROR,0));
+     RETURN_CODE(BAD_PATH_ERROR,WOLFSSL_FAILURE));
 #endif
 
     /* load ca cert */
 #ifdef NO_RSA
     AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL),
-     RETURN_CODE(ASN_UNKNOWN_OID_E,0));
+     RETURN_CODE(ASN_UNKNOWN_OID_E,WOLFSSL_FAILURE));
 #else /* Skip the following test without RSA certs. */
     AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), WOLFSSL_SUCCESS);
 
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 3a6fb9c73..9a086ca0f 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -674,6 +674,15 @@ enum AlertLevel {
     alert_fatal   = 2
 };
 
+/* RETURN_CODE macro
+ * Some OpenSSL APIs specify "0" as the return value when an error occurs.
+ * However, some corresponding wolfSSL APIs(eg.
+ * wolfSSL_CTX_load_verify_locations) return negative values. Such functions
+ * should use this macro to fill this gap. Users who want them to return
+ * the same return value as OpenSSL can define WOLFSSL_ERR_CODE_OPENSSL.
+ * Note that this macro replaces only negative return values with the
+ * specified value.
+ */
 #if defined(WOLFSSL_ERROR_CODE_OPENSSL)
     #define RETURN_CODE(w,o)  ((w < 0)?o:w)
 #else

From feeb0ceb9669dedd62757ddaa57093d1210ce0c6 Mon Sep 17 00:00:00 2001
From: TakayukiMatsuo <tak@wolfssl.com>
Date: Mon, 8 Mar 2021 11:57:36 +0900
Subject: [PATCH 3/3] Change macro name to WS_RETURN_CODE and add more
 comments.

---
 src/ssl.c     | 12 ++++++------
 tests/api.c   |  6 +++---
 wolfssl/ssl.h | 21 ++++++++++++++-------
 3 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index dc8c08eb2..2ac9c7dd7 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -6916,7 +6916,7 @@ int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file,
     int ret = wolfSSL_CTX_load_verify_locations_ex(ctx, file, path,
         WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS);
 
-    return RETURN_CODE(ret,WOLFSSL_FAILURE);
+    return WS_RETURN_CODE(ret,WOLFSSL_FAILURE);
 }
 
 
@@ -24409,15 +24409,15 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
     const char* footer = NULL;
 
     if (type != X509_FILETYPE_PEM)
-        return RETURN_CODE(BAD_FUNC_ARG,WOLFSSL_FAILURE);
+        return WS_RETURN_CODE(BAD_FUNC_ARG,WOLFSSL_FAILURE);
 
     fp = XFOPEN(file, "rb");
     if (fp == XBADFILE)
-        return RETURN_CODE(BAD_FUNC_ARG,WOLFSSL_FAILURE);
+        return WS_RETURN_CODE(BAD_FUNC_ARG,WOLFSSL_FAILURE);
 
     if(XFSEEK(fp, 0, XSEEK_END) != 0) {
         XFCLOSE(fp);
-        return RETURN_CODE(WOLFSSL_BAD_FILE,WOLFSSL_FAILURE);
+        return WS_RETURN_CODE(WOLFSSL_BAD_FILE,WOLFSSL_FAILURE);
     }
     sz = XFTELL(fp);
     XREWIND(fp);
@@ -24487,12 +24487,12 @@ end:
     if (pem != NULL)
         XFREE(pem, 0, DYNAMIC_TYPE_PEM);
     XFCLOSE(fp);
-    return RETURN_CODE(ret,WOLFSSL_FAILURE);
+    return WS_RETURN_CODE(ret,WOLFSSL_FAILURE);
 #else
     (void)lookup;
     (void)file;
     (void)type;
-    return RETURN_CODE(WOLFSSL_FAILURE,WOLFSSL_FAILURE);
+    return WS_RETURN_CODE(WOLFSSL_FAILURE,WOLFSSL_FAILURE);
 #endif
 }
 
diff --git a/tests/api.c b/tests/api.c
index ccfc954d9..b62454fe0 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -954,19 +954,19 @@ static void test_wolfSSL_CTX_load_verify_locations(void)
 
     /* invalid ca file */
     AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, bogusFile, NULL),
-     RETURN_CODE(WOLFSSL_BAD_FILE,WOLFSSL_FAILURE));
+     WS_RETURN_CODE(WOLFSSL_BAD_FILE,WOLFSSL_FAILURE));
 
 
 #if !defined(NO_WOLFSSL_DIR) && !defined(WOLFSSL_TIRTOS)
     /* invalid path */
     AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, NULL, bogusFile),
-     RETURN_CODE(BAD_PATH_ERROR,WOLFSSL_FAILURE));
+     WS_RETURN_CODE(BAD_PATH_ERROR,WOLFSSL_FAILURE));
 #endif
 
     /* load ca cert */
 #ifdef NO_RSA
     AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL),
-     RETURN_CODE(ASN_UNKNOWN_OID_E,WOLFSSL_FAILURE));
+     WS_RETURN_CODE(ASN_UNKNOWN_OID_E,WOLFSSL_FAILURE));
 #else /* Skip the following test without RSA certs. */
     AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, NULL), WOLFSSL_SUCCESS);
 
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 9a086ca0f..45cf82d6d 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -674,19 +674,26 @@ enum AlertLevel {
     alert_fatal   = 2
 };
 
-/* RETURN_CODE macro
+/* WS_RETURN_CODE macro
  * Some OpenSSL APIs specify "0" as the return value when an error occurs.
- * However, some corresponding wolfSSL APIs(eg.
- * wolfSSL_CTX_load_verify_locations) return negative values. Such functions
- * should use this macro to fill this gap. Users who want them to return
- * the same return value as OpenSSL can define WOLFSSL_ERR_CODE_OPENSSL.
+ * However, some corresponding wolfSSL APIs　return negative values. Such
+ * functions should use this macro to fill this gap. Users who want them
+ * to return the same return value as OpenSSL can define
+ * WOLFSSL_ERR_CODE_OPENSSL.
+ * Give item1 a variable that contains the potentially negative
+ * wolfSSL-defined return value or the return value itself, and
+ * give item2 the openSSL-defined return value.
  * Note that this macro replaces only negative return values with the
  * specified value.
+ * Since wolfSSL 4.7.0, the following functions use this macro:
+ * - wolfSSL_CTX_load_verify_locations
+ * - wolfSSL_X509_LOOKUP_load_file
  */
 #if defined(WOLFSSL_ERROR_CODE_OPENSSL)
-    #define RETURN_CODE(w,o)  ((w < 0)?o:w)
+    #define WS_RETURN_CODE(item1,item2) \
+      ((item1 < 0) ? item2 : item1)
 #else
-    #define RETURN_CODE(w,o) (w)
+    #define WS_RETURN_CODE(item1,item2)  (item1)
 #endif
 
 /* Maximum master key length (SECRET_LEN) */