OpenSSL error code handling in reason_error_string

miyazakh · miyazakh · commit 942c6ce5805f · 2026-01-09T17:49:12.000+09:00
diff --git a/src/internal.c b/src/internal.c
@@ -26606,11 +26606,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
 
     int error = (int)e;
 
-    /* OpenSSL uses positive error codes */
-    if (error > 0) {
-        error = -error;
-    }
-
     /* pass to wolfCrypt */
     if ((error <= WC_SPAN1_FIRST_E && error >= WC_SPAN1_MIN_CODE_E) ||
         (error <= WC_SPAN2_FIRST_E && error >= WC_SPAN2_MIN_CODE_E))
@@ -27087,11 +27082,7 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
         return "HTTP Application string error";
 
     case UNSUPPORTED_PROTO_VERSION:
-        #ifdef OPENSSL_EXTRA
-        return "WRONG_SSL_VERSION";
-        #else
         return "bad/unsupported protocol version";
-        #endif
 
     case FALCON_KEY_SIZE_E:
         return "Wrong key size for Falcon.";
@@ -27172,10 +27163,23 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
     defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED)
 
+    /* OpenSSL uses positive error codes */
+    if (error > 0) {
+        error = -error;
+    }
+
     switch (error) {
     /* TODO: -WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE. Conflicts with
      *       -WOLFSSL_ERROR_WANT_CONNECT.
      */
+    case -WOLFSSL_R_WRONG_SSL_VERSION:
+        return "WRONG_SSL_VERSION";
+
+    case -WOLFSSL_X509_V_ERR_CRL_HAS_EXPIRED:
+        return "CRL has expired";
+
+    case -WOLFSSL_X509_V_ERR_UNABLE_TO_GET_CRL:
+        return "unable to get CRL";
 
     case -WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID:
         return "certificate not yet valid";
diff --git a/tests/api.c b/tests/api.c
@@ -34763,7 +34763,7 @@ static int error_test(void)
 
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
     defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED)
-        { -11, -12 },
+        { -11, -11 },
         { -15, -17 },
         { -19, -19 },
         { -26, -27 },
diff --git a/wolfssl/openssl/x509.h b/wolfssl/openssl/x509.h
@@ -68,9 +68,6 @@
 #define WOLFSSL_XN_FLAG_MULTILINE       0xFFFF
 #define WOLFSSL_XN_FLAG_ONELINE (WOLFSSL_XN_FLAG_SEP_CPLUS_SPC | WOLFSSL_XN_FLAG_SPC_EQ | WOLFSSL_XN_FLAG_FN_SN)
 
-#define WOLFSSL_X509_V_ERR_CRL_HAS_EXPIRED              12
-#define WOLFSSL_X509_V_ERR_UNABLE_TO_GET_CRL            3
-
 #ifndef OPENSSL_COEXIST
 
 /* wolfSSL_X509_print_ex flags */
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
@@ -2612,9 +2612,11 @@ WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl);
      */
 enum {
     WOLFSSL_X509_V_OK                                    = 0,
+    WOLFSSL_X509_V_ERR_UNABLE_TO_GET_CRL                 = 3,
     WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE            = 7,
     WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID                = 9,
     WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED                  = 10,
+    WOLFSSL_X509_V_ERR_CRL_HAS_EXPIRED                   = 12,
     WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD    = 13,
     WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD     = 14,
     WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT       = 18,
@@ -2627,6 +2629,8 @@ enum {
     WOLFSSL_X509_V_ERR_CERT_REJECTED                     = 28,
     WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH           = 29,
 
+    WOLFSSL_R_WRONG_SSL_VERSION = -UNSUPPORTED_PROTO_VERSION,
+
 #ifdef HAVE_OCSP
     /* OCSP Flags */
     WOLFSSL_OCSP_NOCERTS     = 1,
