Restore IP_SOCK_getsockopt emNET error lookup

The merge of the old TranslateReturnCode into wolfSSL_LastError dropped
the IP_SOCK_getsockopt(SO_ERROR) lookup that emNET integrations rely on
to retrieve the canonical IP_ERR_* for a failed recv/send, leaving a
broken branch that returned the raw return value and mishandled the
POSIX-facade convention. Restore the historic pattern (fixing the
optlen pointer-vs-int typo along the way) so both native and
POSIX-facade emNET stacks produce correct
SOCKET_EWOULDBLOCK == IP_ERR_WOULD_BLOCK mappings, and extend the CI
shim with an emNET-faithful IP_SOCK_getsockopt (SO_ERROR-then-errno
fallback, since Linux does not stash EAGAIN in SO_ERROR) plus a second
test binary linked without -Wl,--wrap=recv,--wrap=send to exercise the
POSIX-facade path the original shim-wrapped binary bypassed.

Author: LinuxJedi

.github/workflows/emnet-nonblock.yml

@@ -44,10 +44,16 @@ jobs:
             --enable-static --disable-shared \
             --enable-tls13 --disable-oldtls \
             --enable-ecc --disable-examples \
+            --disable-benchmark --disable-crypttests \
             CFLAGS="-DWOLFSSL_EMNET -I$(pwd)/tests/emnet"
 
-      - name: Build wolfSSL
-        run: make -j$(nproc)
+      # The WOLFSSL_EMNET branch in src/wolfio.c calls IP_SOCK_getsockopt
+      # which only resolves against the test shim. Build only the static
+      # library; examples/benchmark/crypttests are disabled above, but
+      # explicitly target the .a to avoid pulling in any residual link
+      # targets that would fail with an undefined reference.
+      - name: Build wolfSSL static library
+        run: make -j$(nproc) src/libwolfssl.la
 
       - name: Build emNET non-blocking test
         run: make -C tests/emnet

src/wolfio.c

@@ -153,8 +153,24 @@ static WC_INLINE int wolfSSL_LastError(int err, SOCKET_T sd)
 #elif defined(WOLFSSL_LINUXKM)
     return -err; /* Return provided error value with corrected sign. */
 #elif defined(WOLFSSL_EMNET)
-    /* emNET BSD sockets return the IP_ERR_* value (negative) directly
-     * from send/recv on failure; no translation needed. */
+    /* Any negative recv/send return is a SOCKET_ERROR sentinel under
+     * emNET; the canonical IP_ERR_* lives in the socket SO_ERROR.
+     * Retrieving it via IP_SOCK_getsockopt works across both emNET
+     * integrator conventions (native: recv returns IP_ERR_* directly;
+     * POSIX facade: recv returns -1 with errno set). If the lookup
+     * itself fails, fall back to IP_ERR_FAULT rather than returning
+     * the raw -1 sentinel — the latter matches no SOCKET_E* constant
+     * and would regress into WOLFSSL_CBIO_ERR_GENERAL. */
+    if (err < 0) {
+        int sock_err = err;
+        if (IP_SOCK_getsockopt(sd, SOL_SOCKET, SO_ERROR, &sock_err,
+                               (int)sizeof(sock_err)) == 0) {
+            err = sock_err;
+        }
+        else if (err == -1) {
+            err = IP_ERR_FAULT;
+        }
+    }
     return err;
 #elif defined(FUSION_RTOS)
     #include <fclerrno.h>

tests/emnet/IP/IP.h

@@ -32,10 +32,11 @@ extern "C" {
 #define IP_ERR_PIPE          (-13)
 #define IP_ERR_FAULT         (-25)
 
-/* BSD-style socket option retrieval. Signature matches the SEGGER API:
- * length is passed by pointer of type int*, unlike POSIX socklen_t*. */
-int IP_SOCK_getsockopt(int sd, int level, int optname,
-                       void *optval, int *optlen);
+/* BSD-style socket option retrieval. Signature matches the SEGGER
+ * emNET API (UM07001, IP_Socket.h): the length is passed by value as
+ * a plain int, not a POSIX socklen_t* / int*. */
+int IP_SOCK_getsockopt(int hSock, int Level, int Name,
+                       void *pVal, int ValLen);
 
 #ifdef __cplusplus
 }

tests/emnet/Makefile

@@ -9,6 +9,14 @@
 #               -I$$(pwd)/tests/emnet"
 #   make
 #   make -C tests/emnet run
+#
+# Two binaries are produced, exercising the two emNET integrator
+# conventions observed in the wild:
+#   emnet_nonblock_test       - native: recv/send return IP_ERR_*
+#                               directly (linker --wrap + shim).
+#   emnet_nonblock_test_posix - POSIX facade: recv/send return -1 and
+#                               set errno (no --wrap, plain glibc).
+# `make run` runs both and fails if either fails.
 
 CURDIR     := $(shell pwd)
 WOLFSSL_ROOT := $(abspath $(CURDIR)/../..)
@@ -19,14 +27,15 @@ CFLAGS_TEST := -Wall -Wextra -O2 -g \
     -DWOLFSSL_EMNET \
     -I$(CURDIR) \
     -I$(WOLFSSL_ROOT)
-LDFLAGS_TEST := -Wl,--wrap=recv,--wrap=send
+LDFLAGS_NATIVE := -Wl,--wrap=recv,--wrap=send
 LIBS_TEST := $(WOLFSSL_LIB) -lpthread -lm
 
-TEST_BIN := emnet_nonblock_test
+TEST_BIN       := emnet_nonblock_test
+TEST_BIN_POSIX := emnet_nonblock_test_posix
 
 .PHONY: all run clean check-lib
 
-all: $(TEST_BIN)
+all: $(TEST_BIN) $(TEST_BIN_POSIX)
 
 check-lib:
 	@if [ ! -f "$(WOLFSSL_LIB)" ]; then \
@@ -35,18 +44,44 @@ check-lib:
 	    exit 1; \
 	fi
 
-$(TEST_BIN): emnet_nonblock_test.o emnet_shim.o check-lib
-	$(CC) $(LDFLAGS_TEST) -o $@ emnet_nonblock_test.o emnet_shim.o $(LIBS_TEST)
+# Native variant: --wrap=recv,--wrap=send via emnet_shim_wrap.o so the
+# raw recv/send return values match the native emNET ABI (IP_ERR_*
+# directly). Still links the common shim for IP_SOCK_getsockopt.
+# check-lib is an order-only dependency (after |) so its phony status
+# does not force the binary to relink on every `make` invocation.
+$(TEST_BIN): emnet_nonblock_test.o emnet_shim.o emnet_shim_wrap.o | check-lib
+	$(CC) $(LDFLAGS_NATIVE) -o $@ emnet_nonblock_test.o emnet_shim.o \
+	    emnet_shim_wrap.o $(LIBS_TEST)
+
+# POSIX-facade variant: no --wrap, no __wrap_* wrappers. recv/send
+# fall through to glibc's POSIX implementation (-1 + errno on
+# would-block); wolfSSL_LastError then retrieves the canonical
+# IP_ERR_* via IP_SOCK_getsockopt in the common shim.
+$(TEST_BIN_POSIX): emnet_nonblock_test_posix.o emnet_shim.o | check-lib
+	$(CC) -o $@ emnet_nonblock_test_posix.o emnet_shim.o $(LIBS_TEST)
 
 emnet_nonblock_test.o: emnet_nonblock_test.c
 	$(CC) $(CFLAGS_TEST) -c $< -o $@
 
+# Same source, compiled again so the object files are distinct and
+# parallel builds don't race on a single .o.
+emnet_nonblock_test_posix.o: emnet_nonblock_test.c
+	$(CC) $(CFLAGS_TEST) -c $< -o $@
+
 emnet_shim.o: emnet_shim.c IP/IP.h
 	$(CC) $(CFLAGS_TEST) -c $< -o $@
 
-# Run from the repo root so the relative cert paths resolve.
-run: $(TEST_BIN)
-	cd $(WOLFSSL_ROOT) && ./tests/emnet/$(TEST_BIN)
+emnet_shim_wrap.o: emnet_shim_wrap.c IP/IP.h
+	$(CC) $(CFLAGS_TEST) -c $< -o $@
+
+# Run from the repo root so the relative cert paths resolve. Run both
+# binaries; any failure propagates via `set -e`.
+run: $(TEST_BIN) $(TEST_BIN_POSIX)
+	cd $(WOLFSSL_ROOT) && set -e && \
+	    echo "--- native IP_ERR_* convention ---" && \
+	    ./tests/emnet/$(TEST_BIN) && \
+	    echo "--- POSIX -1 + errno convention ---" && \
+	    ./tests/emnet/$(TEST_BIN_POSIX)
 
 clean:
-	rm -f *.o $(TEST_BIN)
+	rm -f *.o $(TEST_BIN) $(TEST_BIN_POSIX)

tests/emnet/emnet_nonblock_test.c

@@ -61,8 +61,13 @@ static void set_nonblock(int fd)
  * success (ready or timeout, caller retries), -1 on hard failure. */
 static int wait_io(struct side *s, short events, int iter)
 {
-    struct pollfd pfd = { .fd = s->fd, .events = events };
-    int r = poll(&pfd, 1, POLL_MS);
+    struct pollfd pfd;
+    int r;
+
+    pfd.fd = s->fd;
+    pfd.events = events;
+    pfd.revents = 0;
+    r = poll(&pfd, 1, POLL_MS);
     if (r >= 0)
         return 0;
     if (errno == EINTR)
@@ -76,15 +81,17 @@ static void *run_side(void *arg)
 {
     struct side *s = (struct side *)arg;
     int iter;
+    int ret;
+    int err;
 
     for (iter = 0; iter < MAX_ITERS; iter++) {
-        int ret = s->fn(s->ssl);
+        ret = s->fn(s->ssl);
         if (ret == WOLFSSL_SUCCESS) {
             s->completed = 1;
             return NULL;
         }
 
-        int err = wolfSSL_get_error(s->ssl, ret);
+        err = wolfSSL_get_error(s->ssl, ret);
         s->last_err = err;
 
         if (err == WOLFSSL_ERROR_WANT_READ) {
@@ -125,6 +132,16 @@ static void *run_side(void *arg)
 int main(void)
 {
     int sv[2];
+    WOLFSSL_CTX *sctx;
+    WOLFSSL_CTX *cctx;
+    WOLFSSL *server_ssl;
+    WOLFSSL *client_ssl;
+    struct side server;
+    struct side client;
+    pthread_t st, ct;
+    int prc;
+    int rc;
+
     if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
         perror("socketpair");
         return 2;
@@ -134,8 +151,8 @@ int main(void)
 
     wolfSSL_Init();
 
-    WOLFSSL_CTX *sctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method());
-    WOLFSSL_CTX *cctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());
+    sctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method());
+    cctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());
     if (!sctx || !cctx) {
         fprintf(stderr, "wolfSSL_CTX_new failed\n");
         return 2;
@@ -157,8 +174,8 @@ int main(void)
         return 2;
     }
 
-    WOLFSSL *server_ssl = wolfSSL_new(sctx);
-    WOLFSSL *client_ssl = wolfSSL_new(cctx);
+    server_ssl = wolfSSL_new(sctx);
+    client_ssl = wolfSSL_new(cctx);
     if (!server_ssl || !client_ssl) {
         fprintf(stderr, "wolfSSL_new failed\n");
         return 2;
@@ -167,13 +184,17 @@ int main(void)
     wolfSSL_set_fd(server_ssl, sv[0]);
     wolfSSL_set_fd(client_ssl, sv[1]);
 
-    struct side server = { .fd = sv[0], .name = "server",
-                           .ssl = server_ssl, .fn = wolfSSL_accept };
-    struct side client = { .fd = sv[1], .name = "client",
-                           .ssl = client_ssl, .fn = wolfSSL_connect };
+    memset(&server, 0, sizeof(server));
+    memset(&client, 0, sizeof(client));
+    server.fd = sv[0];
+    server.name = "server";
+    server.ssl = server_ssl;
+    server.fn = wolfSSL_accept;
+    client.fd = sv[1];
+    client.name = "client";
+    client.ssl = client_ssl;
+    client.fn = wolfSSL_connect;
 
-    pthread_t st, ct;
-    int prc;
     prc = pthread_create(&st, NULL, run_side, &server);
     if (prc != 0) {
         fprintf(stderr, "FAIL: pthread_create(server): %s\n", strerror(prc));
@@ -196,7 +217,7 @@ int main(void)
         return 2;
     }
 
-    int rc = 0;
+    rc = 0;
     if (server.failed || client.failed) {
         rc = 1;
     } else if (!server.completed || !client.completed) {

tests/emnet/emnet_shim.c

@@ -1,20 +1,18 @@
 /* emnet_shim.c -- POSIX-backed shim for the emNET (embOS/IP) socket ABI
  * used by wolfSSL when WOLFSSL_EMNET is defined.
  *
- * The goal is to reproduce the error-reporting contract of emNET on top
- * of stock Linux BSD sockets: when the underlying socket signals
- * would-block, connection reset, etc., the shim surfaces the
- * corresponding IP_ERR_* negative constant (emNET convention) instead
- * of -1/errno (POSIX convention). This is exactly what wolfSSL's
- * WOLFSSL_EMNET branch in wolfio.h/wolfio.c was written to consume, so
- * CI can drive the non-blocking handshake paths without the real
- * SEGGER stack.
+ * Provides the canonical error lookup path wolfSSL's wolfSSL_LastError
+ * relies on: IP_SOCK_getsockopt(SO_ERROR) returns the pending IP_ERR_*
+ * for a socket, as required by UM07001's emNET API contract. On top of
+ * Linux BSD sockets this is emulated by consulting POSIX SO_ERROR plus
+ * the thread-local errno (because Linux does not store transient
+ * would-block conditions in SO_ERROR).
  *
- * Linker wrapping:
- *   -Wl,--wrap=recv,--wrap=send
- * hooks wolfSSL's RECV_FUNCTION/SEND_FUNCTION (which are the
- * unqualified POSIX send/recv on the WOLFSSL_EMNET build) without
- * patching any wolfSSL source.
+ * The paired native-convention wrapper (emnet_shim_wrap.c) hooks
+ * recv/send via -Wl,--wrap to also make the raw return value match
+ * the native emNET ABI; that file is only linked into the native test
+ * binary, whereas this translation unit is shared by both test
+ * variants.
  */
 
 #include "IP/IP.h"
@@ -25,12 +23,9 @@
 #include <stddef.h>
 #include <string.h>
 
-/* Forward declarations for the linker's --wrap mechanism. */
-ssize_t __real_recv(int sd, void *buf, size_t len, int flags);
-ssize_t __real_send(int sd, const void *buf, size_t len, int flags);
-
-/* Translate a POSIX errno value into the emNET IP_ERR_* space. */
-static int emnet_errno_to_ip_err(int err)
+/* Translate a POSIX errno value into the emNET IP_ERR_* space. Shared
+ * with the --wrap wrappers in emnet_shim_wrap.c, so not static. */
+int emnet_errno_to_ip_err(int err)
 {
     /* Linux, where this shim runs in CI, defines EWOULDBLOCK == EAGAIN,
      * so EAGAIN covers both. */
@@ -50,54 +45,45 @@ static int emnet_errno_to_ip_err(int err)
     }
 }
 
-/* recv wrapper: preserve success/close semantics; on error return the
- * emNET-style negative error code in place of -1/errno. wolfSSL's
- * TranslateIoReturnCode uses err < 0 to branch into error handling and
- * then compares against SOCKET_EWOULDBLOCK == IP_ERR_WOULD_BLOCK. */
-ssize_t __wrap_recv(int sd, void *buf, size_t len, int flags)
+/* IP_SOCK_getsockopt: emulates the emNET ABI on top of POSIX. This is
+ * the canonical error source for WOLFSSL_EMNET code paths — wolfSSL
+ * calls it after a negative recv/send return to retrieve the real
+ * IP_ERR_* value.
+ *
+ * For SO_ERROR we deliberately diverge from a pure POSIX pass-through:
+ * Linux stores sticky socket errors (ECONNRESET etc.) in SO_ERROR but
+ * does NOT store transient would-block conditions (EAGAIN/EWOULDBLOCK)
+ * there — those live only in thread-local errno after the failing
+ * syscall. Real emNET's SO_ERROR does carry would-block. To reproduce
+ * that contract here, read POSIX SO_ERROR first, fall back to errno
+ * when SO_ERROR is empty, then translate into the IP_ERR_* space. */
+int IP_SOCK_getsockopt(int hSock, int Level, int Name,
+                       void *pVal, int ValLen)
 {
-    ssize_t ret = __real_recv(sd, buf, len, flags);
-    if (ret < 0) {
-        return (ssize_t)emnet_errno_to_ip_err(errno);
+    if (pVal == NULL || ValLen <= 0) {
+        errno = EINVAL;
+        return -1;
     }
-    return ret;
-}
 
-ssize_t __wrap_send(int sd, const void *buf, size_t len, int flags)
-{
-    ssize_t ret = __real_send(sd, buf, len, flags);
-    if (ret < 0) {
-        return (ssize_t)emnet_errno_to_ip_err(errno);
-    }
-    return ret;
-}
+    if (Level == SOL_SOCKET && Name == SO_ERROR
+            && ValLen >= (int)sizeof(int)) {
+        int       saved_errno = errno;
+        int       so_err      = 0;
+        socklen_t posix_len   = (socklen_t)sizeof(so_err);
+        int       ip_err;
 
-/* IP_SOCK_getsockopt: kept to satisfy the emNET ABI surface expected
- * by WOLFSSL_EMNET-linked code. Delegates to POSIX getsockopt and, for
- * SO_ERROR, maps the returned POSIX errno value into emNET's IP_ERR_*
- * space so callers see emNET-style error reporting. */
-int IP_SOCK_getsockopt(int sd, int level, int optname,
-                       void *optval, int *optlen)
-{
-    socklen_t posix_len;
-    int rc;
+        (void)getsockopt(hSock, SOL_SOCKET, SO_ERROR, &so_err, &posix_len);
+        if (so_err == 0)
+            so_err = saved_errno;
 
-    if (optlen == NULL) {
-        errno = EINVAL;
-        return -1;
+        ip_err = emnet_errno_to_ip_err(so_err);
+        memcpy(pVal, &ip_err, sizeof(ip_err));
+        return 0;
     }
-    posix_len = (socklen_t)*optlen;
-    rc = getsockopt(sd, level, optname, optval, &posix_len);
-    *optlen = (int)posix_len;
 
-    if (rc == 0 && level == SOL_SOCKET && optname == SO_ERROR
-            && optval != NULL && posix_len >= (socklen_t)sizeof(int)) {
-        int so_err;
-        memcpy(&so_err, optval, sizeof(so_err));
-        if (so_err != 0) {
-            so_err = emnet_errno_to_ip_err(so_err);
-            memcpy(optval, &so_err, sizeof(so_err));
-        }
+    /* Pass-through for other options. */
+    {
+        socklen_t posix_len = (socklen_t)ValLen;
+        return getsockopt(hSock, Level, Name, pVal, &posix_len);
     }
-    return rc;
 }