From d64ef34ef89c2734e1e2c9b7551368c80014dfc2 Mon Sep 17 00:00:00 2001 From: gojimmypi Date: Wed, 6 Aug 2025 13:57:53 -0700 Subject: [PATCH] Introduce WOLFSSL_DEBUG_CERTS Certificate Debug Messages --- .github/workflows/os-check.yml | 3 +- CMakeLists.txt | 23 +- src/crl.c | 9 +- src/internal.c | 24 +- src/ssl.c | 40 +++- src/ssl_load.c | 23 +- src/wolfio.c | 1 + wolfcrypt/src/asn.c | 9 +- wolfcrypt/src/logging.c | 267 +++++++++++++++++++--- wolfcrypt/src/poly1305.c | 6 +- wolfcrypt/src/port/Espressif/esp32_util.c | 5 + wolfcrypt/src/rsa.c | 5 +- wolfcrypt/src/tfm.c | 14 +- wolfssl/wolfcrypt/logging.h | 251 ++++++++++++++++++-- wolfssl/wolfcrypt/settings.h | 15 ++ wolfssl/wolfcrypt/types.h | 3 + wolfssl/wolfcrypt/wc_port.h | 5 +- 17 files changed, 630 insertions(+), 73 deletions(-) diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml index 52a76de02..bce6b7088 100644 --- a/.github/workflows/os-check.yml +++ b/.github/workflows/os-check.yml @@ -57,7 +57,8 @@ jobs: '--enable-opensslextra=x509small', 'CPPFLAGS=''-DWOLFSSL_EXTRA'' ', '--enable-lms=small,verify-only --enable-xmss=small,verify-only', - '--disable-sys-ca-certs' + '--disable-sys-ca-certs', + '--enable-all CPPFLAGS=-DWOLFSSL_DEBUG_CERTS ', ] name: make check if: github.repository_owner == 'wolfssl' diff --git a/CMakeLists.txt b/CMakeLists.txt index 447072725..e25cc8eed 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -281,7 +281,28 @@ add_option("WOLFSSL_DEBUG" "no" "yes;no") if(WOLFSSL_DEBUG) - set(CMAKE_C_FLAGS "-g ${CMAKE_C_FLAGS}") + # Optional variable inspection + if (0) + get_cmake_property(_variableNames VARIABLES) + list (SORT _variableNames) + message(STATUS "") + message(STATUS "ALL VARIABLES BEGIN") + message(STATUS "") + foreach (_variableName ${_variableNames}) + message(STATUS "${_variableName}=${${_variableName}}") + endforeach() + message(STATUS "") + message(STATUS "ALL VARIABLES END") + message(STATUS "") + endif() + + if (CMAKE_C_COMPILER_ID STREQUAL "Watcom" OR CMAKE_C_COMPILER_ID STREQUAL "OpenWatcom" OR CMAKE_GENERATOR STREQUAL "Watcom WMake") + # Open Watcom v2 does not support -g debugging + message(STATUS "Detected Watcom compiler, using CMAKE_C_FLAGS_DEBUG -d2") + set(CMAKE_C_FLAGS_DEBUG "-d2 ${CMAKE_C_FLAGS_DEBUG}") + else() + set(CMAKE_C_FLAGS "-g ${CMAKE_C_FLAGS}") + endif() list(APPEND WOLFSSL_DEFINITIONS "-DDEBUG_WOLFSSL" "-DDEBUG") diff --git a/src/crl.c b/src/crl.c index 4e4700f85..5347d0138 100644 --- a/src/crl.c +++ b/src/crl.c @@ -39,6 +39,7 @@ CRL Options: #include #include +#include #ifndef WOLFSSL_LINUXKM #include @@ -791,7 +792,7 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type, crl->currentEntry = CRL_Entry_new(crl->heap); if (crl->currentEntry == NULL) { - WOLFSSL_MSG("alloc CRL Entry failed"); + WOLFSSL_MSG_CERT_LOG("alloc CRL Entry failed"); #ifdef WOLFSSL_SMALL_STACK XFREE(dcrl, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif @@ -802,9 +803,11 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type, InitDecodedCRL(dcrl, crl->heap); ret = ParseCRL(crl->currentEntry->certs, dcrl, myBuffer, (word32)sz, verify, crl->cm); + if (ret != 0 && !(ret == WC_NO_ERR_TRACE(ASN_CRL_NO_SIGNER_E) && verify == NO_VERIFY)) { - WOLFSSL_MSG("ParseCRL error"); + WOLFSSL_MSG_CERT_LOG("ParseCRL error"); + WOLFSSL_MSG_CERT_EX("ParseCRL verify = %d, ret = %d", verify, ret); CRL_Entry_free(crl->currentEntry, crl->heap); crl->currentEntry = NULL; } @@ -812,7 +815,7 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type, ret = AddCRL(crl, dcrl, myBuffer, ret != WC_NO_ERR_TRACE(ASN_CRL_NO_SIGNER_E)); if (ret != 0) { - WOLFSSL_MSG("AddCRL error"); + WOLFSSL_MSG_CERT_LOG("AddCRL error"); crl->currentEntry = NULL; } } diff --git a/src/internal.c b/src/internal.c index 5d6cd160d..bf5021aa3 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8025,7 +8025,7 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->secLevel = ctx->secLevel; #endif /* WOLFSSL_SYS_CRYPTO_POLICY */ /* Returns 0 on success, not WOLFSSL_SUCCESS (1) */ - WOLFSSL_MSG_EX("InitSSL done. return 0 (success)"); + WOLFSSL_MSG("InitSSL done. return 0 (success)"); return 0; } @@ -15776,7 +15776,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E) || ret == WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)) { if (!ssl->options.usingAltCertChain) { - WOLFSSL_MSG("Trying alternate cert chain"); + WOLFSSL_MSG_CERT_LOG( + "Trying alternate cert chain"); ssl->options.usingAltCertChain = 1; } @@ -15788,8 +15789,25 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* do not add to certificate manager */ skipAddCA = 1; + } /* ASN_NO_SIGNER_E || ASN_SELF_SIGNED_E */ + } /* ret != 0 && isCA */ + #else + /* Not defined: WOLFSSL_ALT_CERT_CHAINS + * When WOLFSSL_DEBUG_CERTS enabled, suggest solution */ + #ifdef WOLFSSL_DEBUG_CERTS + if (ret != 0 && args->dCert->isCA) { + if (ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) { + WOLFSSL_MSG_CERT( + "Consider enabling WOLFSSL_ALT_CERT_CHAINS" + " to resolve ASN_NO_SIGNER_E"); } - } + if (ret == WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E)) { + WOLFSSL_MSG_CERT( + "Consider enabling WOLFSSL_ALT_CERT_CHAINS" + " to resolve ASN_SELF_SIGNED_E"); + } + } /* check alt-cert possible fixable error codes */ + #endif #endif /* WOLFSSL_ALT_CERT_CHAINS */ #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) diff --git a/src/ssl.c b/src/ssl.c index ce5fb21e9..a508a6863 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5869,7 +5869,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) #endif DerBuffer* der = *pDer; - WOLFSSL_MSG("Adding a CA"); + WOLFSSL_MSG_CERT_LOG("Adding a CA"); if (cm == NULL) { FreeDer(pDer); @@ -5893,8 +5893,34 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) } #endif + WOLFSSL_MSG_CERT("\tParsing new CA"); ret = ParseCert(cert, CA_TYPE, verify, cm); + WOLFSSL_MSG("\tParsed new CA"); +#ifdef WOLFSSL_DEBUG_CERTS + #ifdef WOLFSSL_SMALL_STACK + if (cert == NULL) { + WOLFSSL_MSG_CERT(WOLFSSL_MSG_CERT_INDENT "Failed; cert is NULL"); + } + else + #endif + { + const char* err_msg; + if (ret == 0) { + WOLFSSL_MSG_CERT_EX(WOLFSSL_MSG_CERT_INDENT "issuer: '%s'", + cert->issuer); + WOLFSSL_MSG_CERT_EX(WOLFSSL_MSG_CERT_INDENT "subject: '%s'", + cert->subject); + } + else { + WOLFSSL_MSG_CERT( + WOLFSSL_MSG_CERT_INDENT "Failed during parse of new CA"); + err_msg = wc_GetErrorString(ret); + WOLFSSL_MSG_CERT_EX(WOLFSSL_MSG_CERT_INDENT "error ret: %d; %s", + ret, err_msg); + } + } +#endif /* WOLFSSL_DEBUG_CERTS */ #ifndef NO_SKID subjectHash = cert->extSubjKeyId; @@ -5903,7 +5929,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) #endif /* check CA key size */ - if (verify) { + if (verify && (ret == 0 )) { switch (cert->keyOID) { #ifndef NO_RSA #ifdef WC_RSA_PSS @@ -5913,7 +5939,10 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) if (cm->minRsaKeySz < 0 || cert->pubKeySize < (word16)cm->minRsaKeySz) { ret = RSA_KEY_SIZE_E; - WOLFSSL_MSG("\tCA RSA key size error"); + WOLFSSL_MSG_CERT_LOG("\tCA RSA key size error"); + WOLFSSL_MSG_CERT_EX("\tCA RSA pubKeySize = %d; " + "minRsaKeySz = %d", + cert->pubKeySize, cm->minRsaKeySz); } break; #endif /* !NO_RSA */ @@ -5922,7 +5951,10 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) if (cm->minEccKeySz < 0 || cert->pubKeySize < (word16)cm->minEccKeySz) { ret = ECC_KEY_SIZE_E; - WOLFSSL_MSG("\tCA ECC key size error"); + WOLFSSL_MSG_CERT_LOG("\tCA ECC key size error"); + WOLFSSL_MSG_CERT_EX("\tCA ECC pubKeySize = %d; " + "minEccKeySz = %d", + cert->pubKeySize, cm->minEccKeySz); } break; #endif /* HAVE_ECC */ diff --git a/src/ssl_load.c b/src/ssl_load.c index d50fae933..a540e801f 100644 --- a/src/ssl_load.c +++ b/src/ssl_load.c @@ -28,6 +28,7 @@ */ #ifdef WOLFSSL_SYS_CA_CERTS +/* Will be turned off automatically when NO_FILESYSTEM is defined */ #ifdef _WIN32 #define _WINSOCKAPI_ /* block inclusion of winsock.h header file */ @@ -59,6 +60,8 @@ #endif #else +#include + #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) /* PSK field of context when it exists. */ #define CTX_HAVE_PSK(ctx) (ctx)->havePSK @@ -2721,7 +2724,7 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type, &sz); if ((ret == 0) && (type == DETECT_CERT_TYPE) && (format != WOLFSSL_FILETYPE_PEM)) { - WOLFSSL_MSG("Cannot detect certificate type when not PEM"); + WOLFSSL_MSG_CERT_LOG("Cannot detect certificate type when not PEM"); ret = WOLFSSL_BAD_CERTTYPE; } /* Try to detect type by parsing cert header and footer. */ @@ -2729,17 +2732,24 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type, #if !defined(NO_CODING) && !defined(WOLFSSL_NO_PEM) const char* header = NULL; const char* footer = NULL; +#ifdef HAVE_CRL + WOLFSSL_MSG_CERT("Detecting cert type... (including CRL_TYPE)"); +#else + WOLFSSL_MSG_CERT("Detecting cert type... (HAVE_CRL not defined)"); +#endif /* Look for CA header and footer - same as CERT_TYPE. */ if (wc_PemGetHeaderFooter(CA_TYPE, &header, &footer) == 0 && (XSTRNSTR((char*)content.buffer, header, (word32)sz) != NULL)) { type = CA_TYPE; + WOLFSSL_DEBUG_PRINTF("Detected cert type CA_TYPE = %d:", type); } #ifdef HAVE_CRL /* Look for CRL header and footer. */ else if (wc_PemGetHeaderFooter(CRL_TYPE, &header, &footer) == 0 && (XSTRNSTR((char*)content.buffer, header, (word32)sz) != NULL)) { type = CRL_TYPE; + WOLFSSL_DEBUG_PRINTF("Detected cert type CRL_TYPE = %d:", type); } #endif /* Look for cert header and footer - same as CA_TYPE. */ @@ -2747,12 +2757,13 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type, (XSTRNSTR((char*)content.buffer, header, (word32)sz) != NULL)) { type = CERT_TYPE; + WOLFSSL_DEBUG_PRINTF("Detected cert type CERT_TYPE = %d:", type); } else -#endif +#endif /* !NO_CODING && !WOLFSSL_NO_PEM */ { /* Not a header that we support. */ - WOLFSSL_MSG("Failed to detect certificate type"); + WOLFSSL_MSG_CERT_LOG("Failed to detect certificate type"); #ifdef WOLFSSL_DEBUG_CERTIFICATE_LOADS WOLFSSL_DEBUG_PRINTF( "ERROR: ProcessFile: Failed to detect certificate type" @@ -2761,17 +2772,19 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type, #endif ret = WOLFSSL_BAD_CERTTYPE; } - } + } /* (ret == 0) && (type == DETECT_CERT_TYPE) */ + if (ret == 0) { /* When CA or trusted peer and PEM - process as a chain buffer. */ if (((type == CA_TYPE) || (type == TRUSTED_PEER_TYPE)) && (format == WOLFSSL_FILETYPE_PEM)) { + WOLFSSL_MSG_CERT("Processing cert chain buffer..."); ret = ProcessChainBuffer(ctx, ssl, content.buffer, sz, type, verify, fname); } #ifdef HAVE_CRL else if (type == CRL_TYPE) { - /* Load the CRL. */ + WOLFSSL_MSG_CERT("Loading CRL..."); ret = BufferLoadCRL(crl, content.buffer, sz, format, verify); } #endif diff --git a/src/wolfio.c b/src/wolfio.c index f5d45de67..80c9d0444 100644 --- a/src/wolfio.c +++ b/src/wolfio.c @@ -40,6 +40,7 @@ #include #include #include +#include #ifdef NUCLEUS_PLUS_2_3 /* Holds last Nucleus networking error number */ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 066543903..7717f4de1 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -25749,7 +25749,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm, } } #endif /* IGNORE_NAME_CONSTRAINTS */ - } + } /* cert->ca */ #ifdef WOLFSSL_CERT_REQ else if (type == CERTREQ_TYPE) { /* try to confirm/verify signature */ @@ -25813,7 +25813,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm, #endif else { /* no signer */ - WOLFSSL_MSG("No CA signer to verify with"); + WOLFSSL_MSG_CERT_LOG("No CA signer to verify with"); /* If you end up here with error -188, * consider using WOLFSSL_ALT_CERT_CHAINS. */ #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) @@ -25826,10 +25826,11 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm, #endif { WOLFSSL_ERROR_VERBOSE(ASN_NO_SIGNER_E); + WOLFSSL_MSG_CERT("Consider using WOLFSSL_ALT_CERT_CHAINS."); return ASN_NO_SIGNER_E; } } - } + } /* verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE */ #if defined(WOLFSSL_NO_TRUSTED_CERTS_VERIFY) && !defined(NO_SKID) exit_pcr: @@ -25839,7 +25840,7 @@ exit_pcr: if (verify != VERIFY_SKIP_DATE) { return cert->badDate; } - WOLFSSL_MSG("Date error: Verify option is skipping"); + WOLFSSL_MSG_CERT_LOG("Date error: Verify option is skipping"); } if (cert->criticalExt != 0) diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c index cb1befd89..8c62d06e0 100644 --- a/wolfcrypt/src/logging.c +++ b/wolfcrypt/src/logging.c @@ -115,7 +115,8 @@ THREAD_LS_T void *StackSizeCheck_stackOffsetPointer = 0; #endif /* HAVE_STACK_SIZE_VERBOSE */ -#ifdef DEBUG_WOLFSSL +#if defined(DEBUG_WOLFSSL) || \ + (defined(WOLFSSL_DEBUG_CERTS) && !defined(NO_WOLFSSL_DEBUG_CERTS)) /* Set these to default values initially. */ static wolfSSL_Logging_cb log_function = NULL; @@ -123,14 +124,58 @@ static wolfSSL_Logging_cb log_function = NULL; #define WOLFSSL_LOGGINGENABLED_DEFAULT 0 #endif static int loggingEnabled = WOLFSSL_LOGGINGENABLED_DEFAULT; +#ifndef WOLFSSL_CERT_LOG_ENABLED_DEFAULT +#define WOLFSSL_CERT_LOG_ENABLED_DEFAULT 0 +#endif +#ifndef NO_WOLFSSL_DEBUG_CERTS +static int loggingCertEnabled = WOLFSSL_CERT_LOG_ENABLED_DEFAULT; +#endif THREAD_LS_T const char* log_prefix = NULL; #if defined(WOLFSSL_APACHE_MYNEWT) #include "log/log.h" static struct log mynewt_log; +#define WOLFSSL_APACHE_MYNEWT_NOT_INITALIZED 0 +#define WOLFSSL_APACHE_MYNEWT_INITALIZED 1 +static int loggingApacheNewtRegistered = WOLFSSL_APACHE_MYNEWT_NOT_INITALIZED; #endif /* WOLFSSL_APACHE_MYNEWT */ +#endif /* DEBUG_WOLFSSL || WOLFSSL_DEBUG_CERTS */ -#endif /* DEBUG_WOLFSSL */ +int wolfSSL_CertDebugging_ON(void) +{ + /* Certificate debugging is also a subset of full debugging */ +#if defined(WOLFSSL_DEBUG_CERTS) || defined(DEBUG_WOLFSSL) + #if defined(NO_WOLFSSL_DEBUG_CERTS) + return NOT_COMPILED_IN; + #else + loggingCertEnabled = 1; + #endif + #if defined(WOLFSSL_APACHE_MYNEWT) + if (loggingApacheNewtRegistered != WOLFSSL_APACHE_MYNEWT_INITALIZED) { + log_register("wolfcrypt", &mynewt_log, &log_console_handler, + NULL, LOG_SYSLEVEL); + loggingApacheNewtRegistered = WOLFSSL_APACHE_MYNEWT_INITALIZED; + } + #endif /* WOLFSSL_APACHE_MYNEWT */ + return 0; +#else + return NOT_COMPILED_IN; +#endif +} + +int wolfSSL_CertDebugging_OFF(void) +{ +#if defined(WOLFSSL_DEBUG_CERTS) || defined(DEBUG_WOLFSSL) + #if defined(NO_WOLFSSL_DEBUG_CERTS) + return NOT_COMPILED_IN; + #else + loggingCertEnabled = 0; + #endif + return 0; +#else + return NOT_COMPILED_IN; +#endif +} /* allow this to be set to NULL, so logs can be redirected to default output */ int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb f) @@ -159,13 +204,22 @@ int wolfSSL_Debugging_ON(void) { #ifdef DEBUG_WOLFSSL loggingEnabled = 1; -#if defined(WOLFSSL_APACHE_MYNEWT) - log_register("wolfcrypt", &mynewt_log, &log_console_handler, NULL, LOG_SYSLEVEL); -#endif /* WOLFSSL_APACHE_MYNEWT */ + #ifndef NO_WOLFSSL_DEBUG_CERTS + /* Certificate debugging is enabled by default during DEBUG_WOLFSSL, + * unless explicitly disabled with NO_WOLFSSL_DEBUG_CERTS */ + loggingCertEnabled = 1; + #endif + #if defined(WOLFSSL_APACHE_MYNEWT) + if (loggingApacheNewtRegistered != WOLFSSL_APACHE_MYNEWT_INITALIZED) { + log_register("wolfcrypt", &mynewt_log, &log_console_handler, + NULL, LOG_SYSLEVEL); + loggingApacheNewtRegistered = WOLFSSL_APACHE_MYNEWT_INITALIZED; + } + #endif /* WOLFSSL_APACHE_MYNEWT */ return 0; #else return NOT_COMPILED_IN; -#endif +#endif /* DEBUG_WOLFSSL */ } @@ -173,12 +227,16 @@ void wolfSSL_Debugging_OFF(void) { #ifdef DEBUG_WOLFSSL loggingEnabled = 0; + #ifndef NO_WOLFSSL_DEBUG_CERTS + loggingCertEnabled = 0; + #endif #endif } void wolfSSL_SetLoggingPrefix(const char* prefix) { -#ifdef DEBUG_WOLFSSL +#if defined(DEBUG_WOLFSSL) || \ + (defined(WOLFSSL_DEBUG_CERTS) && !defined(NO_WOLFSSL_DEBUG_CERTS)) log_prefix = prefix; #else (void)prefix; @@ -228,8 +286,8 @@ void WOLFSSL_TIME(int count) } #endif -#ifdef DEBUG_WOLFSSL - +#if defined(DEBUG_WOLFSSL) || \ + (defined(WOLFSSL_DEBUG_CERTS) && !defined(NO_WOLFSSL_DEBUG_CERTS)) #ifdef HAVE_STACK_SIZE_VERBOSE #include @@ -248,24 +306,33 @@ static void wolfssl_log(const int logLevel, const char* const file_name, #elif defined(WOLFSSL_DEBUG_PRINTF_FN) #ifdef WOLFSSL_MDK_ARM fflush(stdout); + #endif + /* see settings.h for platform-specific line endings */ + #ifndef WOLFSSL_DEBUG_LINE_ENDING + #define WOLFSSL_DEBUG_LINE_ENDING "\n" #endif if (log_prefix != NULL) { - if (file_name != NULL) + if (file_name != NULL) { WOLFSSL_DEBUG_PRINTF_FN(WOLFSSL_DEBUG_PRINTF_FIRST_ARGS - "[%s]: [%s L %d] %s\n", + "[%s]: [%s L %d] %s" WOLFSSL_DEBUG_LINE_ENDING, log_prefix, file_name, line_number, logMessage); - else + } + else { WOLFSSL_DEBUG_PRINTF_FN(WOLFSSL_DEBUG_PRINTF_FIRST_ARGS - "[%s]: %s\n", log_prefix, logMessage); - } else { - if (file_name != NULL) - WOLFSSL_DEBUG_PRINTF_FN(WOLFSSL_DEBUG_PRINTF_FIRST_ARGS - "[%s L %d] %s\n", - file_name, line_number, logMessage); - else - WOLFSSL_DEBUG_PRINTF_FN(WOLFSSL_DEBUG_PRINTF_FIRST_ARGS - "%s\n", logMessage); + "[%s]: %s" WOLFSSL_DEBUG_LINE_ENDING, log_prefix, logMessage); + } /* file_name check */ } + else { + if (file_name != NULL) { + WOLFSSL_DEBUG_PRINTF_FN(WOLFSSL_DEBUG_PRINTF_FIRST_ARGS + "[%s L %d] %s" WOLFSSL_DEBUG_LINE_ENDING, + file_name, line_number, logMessage); + } + else { + WOLFSSL_DEBUG_PRINTF_FN(WOLFSSL_DEBUG_PRINTF_FIRST_ARGS + "%s" WOLFSSL_DEBUG_LINE_ENDING, logMessage); + } /* file_name check */ + } /* log_prefix check */ #ifdef WOLFSSL_MDK_ARM fflush(stdout); #endif @@ -285,12 +352,89 @@ static void wolfssl_log(const int logLevel, const char* const file_name, #ifndef WOLFSSL_DEBUG_ERRORS_ONLY +/* Certificate debugging available with either regular debugging + * DEBUG_WOLFSSL or just certificate debugging: WOLFSSL_DEBUG_CERTS */ +#if (defined(WOLFSSL_DEBUG_CERTS) || defined(DEBUG_WOLFSSL)) && \ + !defined(NO_WOLFSSL_DEBUG_CERTS) + #include /* for var args */ + + #ifndef WOLFSSL_MSG_CERT_BUF_SZ + #define WOLFSSL_MSG_CERT_BUF_SZ 140 + #endif + + int WOLFSSL_MSG_CERT(const char* msg) + { + /* Regular debug may have been compiled out */ + (void)loggingEnabled; + + if ((msg != NULL) && (loggingCertEnabled != 0)) { + wolfssl_log(CERT_LOG, NULL, 0, msg); + } + return 0; + } + + #ifdef __clang__ + /* tell clang argument 1 is format */ + __attribute__((__format__ (__printf__, 1, 0))) + #endif + int WOLFSSL_MSG_CERT_EX(const char* fmt, ...) + { + /* Certificate logging output may have large messages */ + #ifdef WOLFSSL_SMALL_STACK + char* msg; + msg = (char*)XMALLOC(WOLFSSL_MSG_CERT_BUF_SZ, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (msg == NULL) { + return MEMORY_E; + } + #else + char msg[WOLFSSL_MSG_CERT_BUF_SZ]; + #endif + int written; + va_list args; + va_start(args, fmt); + /* Assume zero-terminated msg, len less than WOLFSSL_MSG_CERT_BUF_SZ */ + written = XVSNPRINTF(msg, WOLFSSL_MSG_CERT_BUF_SZ, fmt, args); + va_end(args); + if ((written > 0) && (loggingCertEnabled =! 0)) { + wolfssl_log(INFO_LOG, NULL, 0, msg); + } +#ifdef WOLFSSL_SMALL_STACK + XFREE(msg, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + return 0; + } /* WOLFSSL_MSG_CERT_EX */ +#else + + /* !(DEBUG_WOLFSSL || WOLFSSL_DEBUG_CERTS) */ + #ifdef WOLF_NO_VARIADIC_MACROS + #ifdef __WATCOMC__ + /* Do-nothing implementation in header for OW Open Watcom V2 */ + #else + int WOLFSSL_MSG_CERT(const char* msg) + { + (void)msg; + return NOT_COMPILED_IN; + } + int WOLFSSL_MSG_CERT_EX(const char* fmt, ...) + { + (void)fmt; + return NOT_COMPILED_IN; + } + #endif + #else + /* using a macro, see logging.h */ + #endif +#endif /* DEBUG_WOLFSSL || WOLFSSL_DEBUG_CERTS */ + #if defined(XVSNPRINTF) && !defined(NO_WOLFSSL_MSG_EX) #include /* for var args */ + #ifndef WOLFSSL_MSG_EX_BUF_SZ #define WOLFSSL_MSG_EX_BUF_SZ 100 #endif -#undef WOLFSSL_MSG_EX /* undo WOLFSSL_DEBUG_CODEPOINTS wrapper */ + +#if !defined(WOLFSSL_MSG_EX) && defined(DEBUG_WOLFSSL) #ifdef __clang__ /* tell clang argument 1 is format */ __attribute__((__format__ (__printf__, 1, 0))) @@ -308,6 +452,7 @@ void WOLFSSL_MSG_EX(const char* fmt, ...) wolfssl_log(INFO_LOG, NULL, 0, msg); } } +#endif #ifdef WOLFSSL_DEBUG_CODEPOINTS void WOLFSSL_MSG_EX2(const char *file, int line, const char* fmt, ...) @@ -323,16 +468,24 @@ void WOLFSSL_MSG_EX2(const char *file, int line, const char* fmt, ...) wolfssl_log(INFO_LOG, file, line, msg); } } -#endif +#endif /* WOLFSSL_DEBUG_CODEPOINTS */ -#endif +#else + /* We need a do-nothing function when variadic macros not available */ + #ifdef WOLF_NO_VARIADIC_MACROS + /* See header for same-name, do nothing functions */ + #else + /* See header for same-name, do nothing macros */ + #endif +#endif /* XVSNPRINTF && !NO_WOLFSSL_MSG_EX */ -#undef WOLFSSL_MSG /* undo WOLFSSL_DEBUG_CODEPOINTS wrapper */ +#ifndef WOLFSSL_MSG void WOLFSSL_MSG(const char* msg) { if (loggingEnabled) wolfssl_log(INFO_LOG, NULL, 0, msg); } +#endif #ifdef WOLFSSL_DEBUG_CODEPOINTS void WOLFSSL_MSG2(const char *file, int line, const char* msg) @@ -342,6 +495,7 @@ void WOLFSSL_MSG2(const char *file, int line, const char* msg) } #endif +#ifndef WOLFSSL_BUFFER #ifndef LINE_LEN #define LINE_LEN 16 #endif @@ -418,8 +572,9 @@ errout: wolfssl_log(INFO_LOG, NULL, 0, "\t[Buffer error while rendering]"); } +#endif /* WOLFSSL_BUFFER */ -#undef WOLFSSL_ENTER /* undo WOLFSSL_DEBUG_CODEPOINTS wrapper */ +#ifndef WOLFSSL_ENTER void WOLFSSL_ENTER(const char* msg) { if (loggingEnabled) { @@ -432,6 +587,7 @@ void WOLFSSL_ENTER(const char* msg) wolfssl_log(ENTER_LOG, NULL, 0, buffer); } } +#endif /* WOLFSSL_ENTER */ #ifdef WOLFSSL_DEBUG_CODEPOINTS void WOLFSSL_ENTER2(const char *file, int line, const char* msg) @@ -446,9 +602,9 @@ void WOLFSSL_ENTER2(const char *file, int line, const char* msg) wolfssl_log(ENTER_LOG, file, line, buffer); } } -#endif +#endif /* WOLFSSL_DEBUG_CODEPOINTS */ -#undef WOLFSSL_LEAVE /* undo WOLFSSL_DEBUG_CODEPOINTS wrapper */ +#ifndef WOLFSSL_LEAVE void WOLFSSL_LEAVE(const char* msg, int ret) { if (loggingEnabled) { @@ -462,6 +618,7 @@ void WOLFSSL_LEAVE(const char* msg, int ret) wolfssl_log(LEAVE_LOG, NULL, 0, buffer); } } +#endif /* WOLFSSL_LEAVE */ #ifdef WOLFSSL_DEBUG_CODEPOINTS void WOLFSSL_LEAVE2(const char *file, int line, const char* msg, int ret) @@ -485,17 +642,67 @@ void WOLFSSL_LEAVE2(const char *file, int line, const char* msg, int ret) #define WOLFSSL_ENTER(msg) WOLFSSL_ENTER2(__FILE__, __LINE__, msg) #define WOLFSSL_LEAVE(msg, ret) WOLFSSL_LEAVE2(__FILE__, __LINE__, msg, ret) #ifdef XVSNPRINTF - #define WOLFSSL_MSG_EX(fmt, args...) \ +/* #define WOLFSSL_MSG_EX(fmt, args...) \ WOLFSSL_MSG_EX2(__FILE__, __LINE__, fmt, ## args) + */ #endif #endif +#ifndef WOLFSSL_IS_DEBUG_ON int WOLFSSL_IS_DEBUG_ON(void) { return loggingEnabled; } +#endif /* WOLFSSL_IS_DEBUG_ON */ #endif /* !WOLFSSL_DEBUG_ERRORS_ONLY */ -#endif /* DEBUG_WOLFSSL */ + +#else + /* !(DEBUG_WOLFSSL || (WOLFSSL_DEBUG_CERTS && !NO_WOLFSSL_DEBUG_CERTS)) */ + /* + * Create some no-op functions for compilers without variadic macros, + * other than Open Watcom V2. + */ + #ifdef WOLF_NO_VARIADIC_MACROS + /* no debug and cannot use variadic macros */ + #ifdef __WATCOMC__ + /* see logging.h for no-op Watcom implementation */ + #else + int WOLFSSL_MSG_CERT(const char* msg) + { + (void)msg; + return NOT_COMPILED_IN; + } + + int WOLFSSL_MSG_CERT_EX(const char* fmt, ...) + { + (void)fmt; + return NOT_COMPILED_IN; + } + #endif + #else + /* see logging.h for variadic macros */ + #endif +#endif /* DEBUG_WOLFSSL || (WOLFSSL_DEBUG_CERTS && !NO_WOLFSSL_DEBUG_CERTS) */ + +/* Final catch for no-op WOLFSSL_MSG_EX needing implementation */ +#ifdef __WATCOMC__ + /* See no-op implementation as needed in logging.h */ +#else + #ifdef DEBUG_WOLFSSL + /* The empty no-op function is not needed when debugging */ + #else + #if defined(HAVE_WOLFSSL_MSG_EX) || defined(WOLF_NO_VARIADIC_MACROS) + void WOLFSSL_MSG_EX(const char* fmt, ...) + { + (void)fmt; + } + #else + /* See macro in header */ + #endif + #endif +#endif + + #if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) || defined(HAVE_MEMCACHED) diff --git a/wolfcrypt/src/poly1305.c b/wolfcrypt/src/poly1305.c index f8e230f4c..a3e009317 100644 --- a/wolfcrypt/src/poly1305.c +++ b/wolfcrypt/src/poly1305.c @@ -88,7 +88,9 @@ static word32 cpu_flags_set = 0; #endif #if defined(USE_INTEL_POLY1305_SPEEDUP) || defined(POLY130564) - #if defined(_MSC_VER) + #if defined(__WATCOMC__) + #error "POLY130564 || USE_INTEL_POLY1305_SPEEDUP Watcom not supported" + #elif defined(_MSC_VER) #define POLY1305_NOINLINE __declspec(noinline) #elif defined(__GNUC__) #define POLY1305_NOINLINE __attribute__((noinline)) @@ -96,7 +98,7 @@ static word32 cpu_flags_set = 0; #define POLY1305_NOINLINE #endif - #if defined(_MSC_VER) + #if defined(_MSC_VER) && !(__WATCOMC__) #include typedef struct word128 { diff --git a/wolfcrypt/src/port/Espressif/esp32_util.c b/wolfcrypt/src/port/Espressif/esp32_util.c index c7db477b4..c7f44b120 100644 --- a/wolfcrypt/src/port/Espressif/esp32_util.c +++ b/wolfcrypt/src/port/Espressif/esp32_util.c @@ -557,6 +557,11 @@ esp_err_t ShowExtendedSystemInfo_config(void) show_macro("WOLFSSL_NO_CURRDIR", STR_IFNDEF(WOLFSSL_NO_CURRDIR)); show_macro("WOLFSSL_LWIP", STR_IFNDEF(WOLFSSL_LWIP)); + show_macro("DEBUG_WOLFSSL", STR_IFNDEF(DEBUG_WOLFSSL)); + show_macro("WOLFSSL_DEBUG_CERTS", STR_IFNDEF(WOLFSSL_DEBUG_CERTS)); + show_macro("NO_WOLFSSL_DEBUG_CERTS", STR_IFNDEF(NO_WOLFSSL_DEBUG_CERTS)); + show_macro("WOLFSSL_DEBUG_ERRORS_ONLY", STR_IFNDEF(WOLFSSL_DEBUG_ERRORS_ONLY)); + ESP_LOGI(TAG, WOLFSSL_ESPIDF_BLANKLINE_MESSAGE); #if defined(CONFIG_COMPILER_OPTIMIZATION_DEFAULT) ESP_LOGI(TAG, "Compiler Optimization: Default"); diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index e53d97037..a0670397d 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -42,6 +42,7 @@ RSA keys can be used to encrypt, decrypt, sign and verify data. #endif #include +#include #ifdef WOLFSSL_AFALG_XILINX_RSA #include @@ -2748,7 +2749,7 @@ static int RsaFunctionSync(const byte* in, word32 inLen, byte* out, case RSA_PUBLIC_ENCRYPT: case RSA_PUBLIC_DECRYPT: if (mp_exptmod_nct(tmp, &key->e, &key->n, tmp) != MP_OKAY) { - WOLFSSL_MSG("mp_exptmod_nct failed"); + WOLFSSL_MSG_CERT_LOG("mp_exptmod_nct failed"); ret = MP_EXPTMOD_E; } break; @@ -2845,7 +2846,7 @@ static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out, *outLen = keyLen; return RsaFunctionSync(in, inLen, out, outLen, type, key, rng); #endif /* WOLFSSL_SP_MATH */ -} +} /* wc_RsaFunctionSync */ #endif /* WOLF_CRYPTO_CB_ONLY_RSA */ #endif diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c index 1f07d8ecf..9941c44b7 100644 --- a/wolfcrypt/src/tfm.c +++ b/wolfcrypt/src/tfm.c @@ -44,6 +44,7 @@ #include #include /* will define asm MACROS or C ones */ #include /* common functions */ +#include #ifdef WOLFSSL_ESPIDF #include @@ -3297,7 +3298,18 @@ int fp_exptmod_nct(fp_int * G, fp_int * X, fp_int * P, fp_int * Y) #endif /* handle modulus of zero and prevent overflows */ - if (fp_iszero(P) || (P->used > (FP_SIZE/2))) { + if (fp_iszero(P)) { + return FP_VAL; + } + if (P->used > (FP_SIZE/2)) { + /* FP_MAX_BITS too small is a common cert failure cause */ +#ifdef WOLFSSL_DEBUG_CERTS + WOLFSSL_MSG_CERT_EX("TFM fp_exptmod_nct failed: P.used (%d) > (FP_SIZE/2)" + "; FP_SIZE: %d; FP_MAX_SIZE: %d", + P->used, FP_SIZE, FP_MAX_BITS, FP_MAX_SIZE); + WOLFSSL_MSG_CERT_EX("Consider adjusting current FP_MAX_BITS: %d", + FP_MAX_BITS); +#endif return FP_VAL; } if (fp_isone(P)) { diff --git a/wolfssl/wolfcrypt/logging.h b/wolfssl/wolfcrypt/logging.h index f7ccf9555..c15de663c 100644 --- a/wolfssl/wolfcrypt/logging.h +++ b/wolfssl/wolfcrypt/logging.h @@ -26,11 +26,109 @@ /* submitted by eof */ +/* + * Enable wolfSSL debugging with DEBUG_WOLFSSL + * + * Certificate debugging is a subset of DEBUG_WOLFSSL but can be enabled + * exclusively with WOLFSSL_DEBUG_CERTS. + * + * When DEBUG_WOLFSSL is enabled, but the subset of certificate debugging + * is not desired, it can disabled with NO_WOLFSSL_DEBUG_CERTS + * + * **************************************************************************** + * Message / printf debugging + * **************************************************************************** + * + * WOLFSSL_DEBUG_PRINTF() + * Utility macro: A buffer-less, non-truncating debug message renderer. + * Unavailable on some targets, and has no default no-op definition, + * so the WOLFSSL_DEBUG_CERTIFICATE_LOADS gate is needed. + * + * WOLFSSL_DEBUG_PRINTF_FN(...) + * Used to supply an override definition of the target platform's printf-like + * function, and it is not function-like: + * + * #ifdef WOLFSSL_DEBUG_PRINTF_FN + * #define [user-supplied definition] + * #elif defined(ARDUINO) + * #warning ARDUINO only has print and sprintf, no printf on some targets. + * #elif defined(WOLFSSL_LOG_PRINTF) || defined(WOLFSSL_DEOS) + * #define WOLFSSL_DEBUG_PRINTF_FN printf + * [...] + * + * WOLFSSL_MSG_EX_BUF_SZ + * Re-definable macro: maximum length of WOLFSSL_MSG_EX debugging messages. + * + * WOLFSSL_MSG + * Single message parameter. Works everywhere. + * + * WOLFSSL_MSG_EX + * Variable number of parameters. Should be supported nearly everywhere. + * + * WOLFSSL_MSG_EX2 + * Variable number of parameters. Should be supported nearly everywhere. + * Special case where first two parameters are const char *file, int line + * + * **************************************************************************** + * Certificate Debugging: a subset of DEBUG_WOLFSSL + * or can be used alone WOLFSSL_DEBUG_CERTS without all the debugging noise + * **************************************************************************** + * + * WOLFSSL_MSG_CERT_BUF_SZ + * Used by WOLFSSL_MSG_CERT and WOLFSSL_MSG_CERT_EX + * Re-definable macro: maximum length of debugging messages. + * + * WOLFSSL_MSG_CERT + * Single message parameter. Works everywhere. + * Print only during WOLFSSL_DEBUG_CERTS + * + * WOLFSSL_MSG_CERT_LOG + * Single message parameter. Works everywhere. + * Print during either DEBUG_WOLFSSL or WOLFSSL_DEBUG_CERTS + * + * WOLFSSL_MSG_CERT_EX + * Variable number of parameters. Should be supported nearly everywhere. + * + * When any of the above are disabled: + * With WOLF_NO_VARIADIC_MACROS a do nothing placeholder function is used. + * Otherwise, a do-nothing macro. See WC_DO_NOTHING + * + * Optional user callbacks: + * wolfSSL_SetLoggingCb(my_log_cb); + * + * To disable certificate debugging: + * Do not define WOLFSSL_DEBUG_CERTS when used without DEBUG_WOLFSSL + * or + * Define NO_WOLFSSL_DEBUG_CERTS when DEBUG_WOLFSSL is enabled + * + * If NO_WOLFSSL_DEBUG_CERTS is detected in settings.h, the respective + * WOLFSSL_DEBUG_CERTS will be undefined. The explicit NO_WOLFSSL_DEBUG_CERTS + * checks are still performed in logging source for code clarity only. + * + * **************************************************************************** + * At runtime with debugging enabled: + * **************************************************************************** + * + * Display debug messages: + * int wolfSSL_Debugging_ON(void) + * int wolfSSL_CertDebugging_ON(void) + * + * Disable debug messages until re-enabled at runtime: + * void wolfSSL_Debugging_OFF(void); + * int wolfSSL_CertDebugging_OFF(void) + * + * See also: + * int WOLFSSL_IS_DEBUG_ON(void) + * + * Note: does not detect or control WOLFSSL_DEBUG_PRINTF_FN usage + * + */ #ifndef WOLFSSL_LOGGING_H #define WOLFSSL_LOGGING_H #include +#include #ifdef __cplusplus extern "C" { @@ -42,6 +140,7 @@ enum wc_LogLevels { INFO_LOG, ENTER_LOG, LEAVE_LOG, + CERT_LOG, OTHER_LOG }; @@ -99,6 +198,11 @@ WOLFSSL_API wolfSSL_Logging_cb wolfSSL_GetLoggingCb(void); WOLFSSL_API int wolfSSL_Debugging_ON(void); /* turn logging off */ WOLFSSL_API void wolfSSL_Debugging_OFF(void); +/* turn cert debugging on, only if compiled in */ +WOLFSSL_API int wolfSSL_CertDebugging_ON(void); +/* turn cert debugging off */ +WOLFSSL_API int wolfSSL_CertDebugging_OFF(void); + WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix); @@ -152,8 +256,52 @@ WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix); #define WOLFSSL_TIME(n) WC_DO_NOTHING #endif +/* Certificate Debugging: WOLFSSL_MSG_CERT */ +#if defined(XVSNPRINTF) && !defined(NO_WOLFSSL_DEBUG_CERTS) && \ + (defined(DEBUG_WOLFSSL) || defined(WOLFSSL_DEBUG_CERTS)) + #define HAVE_WOLFSSL_DEBUG_CERTS + #ifndef WOLFSSL_MSG_CERT_INDENT + #define WOLFSSL_MSG_CERT_INDENT "\t- " + #endif + + WOLFSSL_API int WOLFSSL_MSG_CERT(const char* msg); + WOLFSSL_API int WOLFSSL_MSG_CERT_EX(const char* fmt, ...); +#else + /* No Certificate Debugging */ + #undef WOLFSSL_DEBUG_CERTS + + #ifndef WOLFSSL_MSG_CERT_INDENT + #define WOLFSSL_MSG_CERT_INDENT "" + #endif + #ifdef WOLF_NO_VARIADIC_MACROS + /* The issue is variadic macros, not function parameters. e.g Watcom + * Additionally, Watcom needs the empty declaration here: */ + #ifdef __WATCOMC__ + /* don't use WOLFSSL_API nor inline for Watcom stubs */ + static int WOLFSSL_MSG_CERT(const char* msg) + { + (void)msg; + return NOT_COMPILED_IN; + } + + static int WOLFSSL_MSG_CERT_EX(const char* fmt, ...) + { + (void)fmt; + return NOT_COMPILED_IN; + } + #else + WOLFSSL_API int WOLFSSL_MSG_CERT(const char* msg); + WOLFSSL_API int WOLFSSL_MSG_CERT_EX(const char* fmt, ...); + #endif + #else + /* Nearly all compilers will support variadic macros */ + #define WOLFSSL_MSG_CERT(m) WC_DO_NOTHING + #define WOLFSSL_MSG_CERT_EX(...) WC_DO_NOTHING + #endif +#endif /* Certificate Debugging: WOLFSSL_MSG_CERT */ + #if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_DEBUG_ERRORS_ONLY) - #if defined(_WIN32) + #if defined(_WIN32) && !defined(__WATCOMC__) #if defined(INTIME_RTOS) #define __func__ NULL #else @@ -169,14 +317,18 @@ WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix); #define WOLFSSL_STUB(m) \ WOLFSSL_MSG(WOLFSSL_LOG_CAT(wolfSSL Stub, m, not implemented)) WOLFSSL_API int WOLFSSL_IS_DEBUG_ON(void); + + /* WOLFSSL_MSG_EX may not be available. Check with HAVE_WOLFSSL_MSG_EX */ #if defined(XVSNPRINTF) && !defined(NO_WOLFSSL_MSG_EX) WOLFSSL_API void WOLFSSL_MSG_EX(const char* fmt, ...); #define HAVE_WOLFSSL_MSG_EX #else #ifdef WOLF_NO_VARIADIC_MACROS - #define WOLFSSL_MSG_EX() WC_DO_NOTHING + /* We need a do-nothing function with a variable number of parameters */ + /* see logging.c + * static inline void WOLFSSL_MSG_EX(const char* fmt, ...); */ #else - #define WOLFSSL_MSG_EX(...) WC_DO_NOTHING + #define WOLFSSL_MSG_EX(...) WC_DO_NOTHING #endif #endif WOLFSSL_API void WOLFSSL_MSG(const char* msg); @@ -206,25 +358,51 @@ WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix); WOLFSSL_API void WOLFSSL_BUFFER(const byte* buffer, word32 length); #else - - #define WOLFSSL_ENTER(m) WC_DO_NOTHING - #define WOLFSSL_LEAVE(m, r) WC_DO_NOTHING - #define WOLFSSL_STUB(m) WC_DO_NOTHING + /* ! (defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_DEBUG_ERRORS_ONLY)) */ + #define WOLFSSL_ENTER(m) WC_DO_NOTHING + #define WOLFSSL_LEAVE(m, r) WC_DO_NOTHING + #define WOLFSSL_STUB(m) WC_DO_NOTHING #define WOLFSSL_IS_DEBUG_ON() 0 #ifdef WOLF_NO_VARIADIC_MACROS /* note, modern preprocessors will generate errors with this definition. * "error: macro "WOLFSSL_MSG_EX" passed 2 arguments, but takes just 0" - */ - #define WOLFSSL_MSG_EX() WC_DO_NOTHING + * + * #define WOLFSSL_MSG_EX(a, b) WC_DO_NOTHING + * + * We need a do-nothing function with a variable number of parameters: */ + #ifdef __WATCOMC__ + /* don't use WOLFSSL_API nor inline for Watcom stubs */ + static void WOLFSSL_MSG_EX(const char* fmt, ...) + { + (void)fmt; + } + #else + WOLFSSL_API void WOLFSSL_MSG_EX(const char* fmt, ...); + #endif #else - #define WOLFSSL_MSG_EX(...) WC_DO_NOTHING + #define WOLFSSL_MSG_EX(...) WC_DO_NOTHING #endif - #define WOLFSSL_MSG(m) WC_DO_NOTHING - #define WOLFSSL_BUFFER(b, l) WC_DO_NOTHING + #define WOLFSSL_MSG(m) WC_DO_NOTHING + #define WOLFSSL_BUFFER(b, l) WC_DO_NOTHING #endif /* DEBUG_WOLFSSL && !WOLFSSL_DEBUG_ERRORS_ONLY */ +/* A special case of certificate-related debug AND regular debug. + * WOLFSSL_MSG_CERT_LOG will always print during DEBUG_WOLFSSL + * even if cert debugging disabled with NO_WOLFSSL_DEBUG_CERTS. + * + * WOLFSSL_MSG_CERT_LOG will also print during WOLFSSL_DEBUG_CERTS + * even if standard DEBUG_WOLFSSL is not enabled. */ +#if defined(DEBUG_WOLFSSL) + #define WOLFSSL_MSG_CERT_LOG(msg) WOLFSSL_MSG(msg) +#elif defined(WOLFSSL_DEBUG_CERTS) + #define WOLFSSL_MSG_CERT_LOG(msg) WOLFSSL_MSG_CERT(msg) +#else + #define WOLFSSL_MSG_CERT_LOG(msg) WC_DO_NOTHING +#endif + +/* WOLFSSL_ERROR and WOLFSSL_HAVE_ERROR_QUEUE */ #if defined(DEBUG_WOLFSSL) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) ||\ defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) @@ -305,10 +483,33 @@ WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix); int dc_log_printf(char*, ...); #endif +/* WOLFSSL_DEBUG_PRINTF_FN is intended to be used only in wolfssl_log(), + * but is exposed in header as a customer cross-platform debugging capability. + * + * All general wolfSSL debugging should use: + * WOLFSSL_MSG and WOLFSSL_MSG_EX + * + * All wolfSSL certificate-related debugging should use: + * WOLFSSL_MSG_CERT and WOLFSSL_MSG_CERT_EX + * + * For custom debugging output, define your own WOLFSSL_DEBUG_PRINTF_FN + */ #ifdef WOLFSSL_DEBUG_PRINTF_FN /* user-supplied definition */ #elif defined(ARDUINO) /* ARDUINO only has print and sprintf, no printf. */ +#elif defined(__WATCOMC__) + #if defined(DEBUG_WOLFSSL) || defined(WOLFSSL_DEBUG_CERTS) + #include + #define WOLFSSL_DEBUG_PRINTF_FN printf + #else + /* Watcom does not support variadic macros; we need a no-op function */ + static int WOLFSSL_DEBUG_PRINTF(const char* fmt, ...) + { + (void)fmt; + return NOT_COMPILED_IN; + } + #endif /* __WATCOMC__ */ #elif defined(WOLFSSL_LOG_PRINTF) || defined(WOLFSSL_DEOS) #define WOLFSSL_DEBUG_PRINTF_FN printf #elif defined(THREADX) && !defined(THREADX_NO_DC_PRINTF) @@ -350,10 +551,28 @@ WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix); #define WOLFSSL_DEBUG_PRINTF_FIRST_ARGS #endif -#if defined(WOLFSSL_DEBUG_PRINTF_FN) && !defined(WOLFSSL_DEBUG_PRINTF) && \ - !defined(WOLF_NO_VARIADIC_MACROS) - #define WOLFSSL_DEBUG_PRINTF(...) \ - WOLFSSL_DEBUG_PRINTF_FN(WOLFSSL_DEBUG_PRINTF_FIRST_ARGS __VA_ARGS__) +#if defined(WOLFSSL_DEBUG_PRINTF_FN) && !defined(WOLFSSL_DEBUG_PRINTF) + #if defined(WOLF_NO_VARIADIC_MACROS) + #if defined(WOLFSSL_ESPIDF) + /* ESP-IDF supports variadic. Do not use WOLF_NO_VARIADIC_MACROS. + * This is only for WOLF_NO_VARIADIC_MACROS testing: */ + #define WOLFSSL_DEBUG_PRINTF(a) \ + WOLFSSL_DEBUG_PRINTF_FN(WOLFSSL_DEBUG_PRINTF_FIRST_ARGS, a) + #else + /* no variadic not defined for this platform */ + #endif + #else + #define WOLFSSL_DEBUG_PRINTF(...) \ + WOLFSSL_DEBUG_PRINTF_FN(WOLFSSL_DEBUG_PRINTF_FIRST_ARGS __VA_ARGS__) + #endif +#endif + +/* Sanity Checks */ +#if defined(WOLFSSL_DEBUG_ERRORS_ONLY) && defined(DEBUG_WOLFSSL) + #error "Failed: WOLFSSL_DEBUG_ERRORS_ONLY and DEBUG_WOLFSSL pick one" +#endif +#if defined(WOLFSSL_DEBUG_ERRORS_ONLY) && defined(WOLFSSL_DEBUG_CERTS) + #error "Failed: Cannot WOLFSSL_DEBUG_CERTS with WOLFSSL_DEBUG_ERRORS_ONLY" #endif #ifdef __cplusplus diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 50aa25df4..a821f0319 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -356,6 +356,12 @@ #warning "No configuration for wolfSSL detected, check header order" #endif +/* Ensure WOLFSSL_DEBUG_CERTS is always set when DEBUG_WOLFSSL is enabled */ +#ifdef DEBUG_WOLFSSL + #undef WOLFSSL_DEBUG_CERTS + #define WOLFSSL_DEBUG_CERTS +#endif + #include /*------------------------------------------------------------*/ @@ -563,6 +569,9 @@ #define WOLFSSL_MAX_ERROR_SZ 200 #endif + /* Debug message do not need an additional LF for ESP_LOG */ + #define WOLFSSL_DEBUG_LINE_ENDING "" + /* Parse any Kconfig / menuconfig items into wolfSSL macro equivalents. * Macros may or may not be defined. If defined, they may have a value of * @@ -4425,6 +4434,12 @@ extern void uITRON4_free(void *p) ; #endif #endif /* WOLFSSL_SYS_CA_CERTS */ +#ifdef NO_WOLFSSL_DEBUG_CERTS + /* Simplify certificate debugging gate check with only WOLFSSL_DEBUG_CERTS. + * NO_WOLFSSL_DEBUG_CERTS prioritized over WOLFSSL_DEBUG_CERTS; disable: */ + #undef WOLFSSL_DEBUG_CERTS +#endif + #if defined(SESSION_CACHE_DYNAMIC_MEM) && defined(PERSIST_SESSION_CACHE) #error "Dynamic session cache currently does not support persistent session cache." #endif diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 9a5102fc5..10c0e99ff 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -1482,6 +1482,9 @@ WOLFSSL_API word32 CheckRunTimeSettings(void); #define XALIGNED(x) __attribute__ ( (aligned (x))) #elif defined(__KEIL__) #define XALIGNED(x) __align(x) + #elif defined(__WATCOMC__) /* && (_MSC_VER or !_MSC_VER) */ + /* No align available for Open Watcom V2, expansion comment needed: */ + #define XALIGNED(x) /* null expansion */ #elif defined(_MSC_VER) /* disable align warning, we want alignment ! */ #pragma warning(disable: 4324) diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h index c0fd47f62..e5e6e5c1f 100644 --- a/wolfssl/wolfcrypt/wc_port.h +++ b/wolfssl/wolfcrypt/wc_port.h @@ -90,8 +90,11 @@ ((__GNUC__ == 4) && (__GNUC_MINOR__ > 5))))) || \ defined(__clang__) #define WC_DEPRECATED(msg) __attribute__((deprecated(msg))) + #elif defined(__WATCOMC__) + /* Watcom macro needs to expand to something, here just a comment: */ + #define WC_DEPRECATED(msg) /* null expansion */ #elif defined(_MSC_VER) || defined(__MINGW32__) || defined(__CYGWIN__) || \ - defined(_WIN32_WCE) || defined(__WATCOMC__) + defined(_WIN32_WCE) #define WC_DEPRECATED(msg) __declspec(deprecated(msg)) #elif (defined(__GNUC__) && (__GNUC__ >= 4)) || \ defined(__IAR_SYSTEMS_ICC__)