Fix emNET support and add tests

The emNET `wolfSSL_LastError` branches were incorrect. The second one
was never hit and would never compile. The first one inverts error codes
that should not be inverted.

This fixes that code and adds a test with a shim layer to test emNET
calls without using emNET.

Author: LinuxJedi

.github/workflows/emnet-nonblock.yml

@@ -0,0 +1,60 @@
+name: emNET non-blocking handshake test
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+# Build wolfSSL with -DWOLFSSL_EMNET using the clean-room shim in
+# tests/emnet/ (IP/IP.h + emnet_shim.c), link a non-blocking TLS 1.3
+# handshake test with -Wl,--wrap=recv,--wrap=send, and run it.
+#
+# On current master the test is expected to FAIL because of an
+# unreachable `#elif defined(WOLFSSL_EMNET)` branch in
+# src/wolfio.c:wolfSSL_LastError() — shadowed by the combined
+# WOLFSSL_LINUXKM||WOLFSSL_EMNET branch that returns -err. The
+# would-block path therefore reports WOLFSSL_CBIO_ERR_GENERAL instead
+# of WOLFSSL_CBIO_ERR_WANT_READ/WANT_WRITE. The follow-up fix to
+# wolfio.c will flip this workflow green.
+
+jobs:
+  emnet_nonblock:
+    name: wolfSSL emNET non-blocking handshake
+    if: github.repository_owner == 'wolfssl'
+    runs-on: ubuntu-24.04
+    timeout-minutes: 20
+    steps:
+      - name: Checkout wolfSSL
+        uses: actions/checkout@v4
+
+      - name: Install build deps
+        uses: ./.github/actions/install-apt-deps
+        with:
+          packages: autoconf automake libtool build-essential
+
+      - name: Bootstrap
+        run: ./autogen.sh
+
+      - name: Configure wolfSSL (WOLFSSL_EMNET + emNET shim headers)
+        run: |
+          ./configure \
+            --enable-static --disable-shared \
+            --enable-tls13 --disable-oldtls \
+            --enable-ecc --disable-examples \
+            CFLAGS="-DWOLFSSL_EMNET -I$(pwd)/tests/emnet"
+
+      - name: Build wolfSSL
+        run: make -j$(nproc)
+
+      - name: Build emNET non-blocking test
+        run: make -C tests/emnet
+
+      - name: Run emNET non-blocking test
+        run: make -C tests/emnet run

src/wolfio.c

@@ -150,8 +150,12 @@ static WC_INLINE int wolfSSL_LastError(int err, SOCKET_T sd)
     return WSAGetLastError();
 #elif defined(EBSNET)
     return xn_getlasterror();
-#elif defined(WOLFSSL_LINUXKM) || defined(WOLFSSL_EMNET)
+#elif defined(WOLFSSL_LINUXKM)
     return -err; /* Return provided error value with corrected sign. */
+#elif defined(WOLFSSL_EMNET)
+    /* emNET BSD sockets return the IP_ERR_* value (negative) directly
+     * from send/recv on failure; no translation needed. */
+    return err;
 #elif defined(FUSION_RTOS)
     #include <fclerrno.h>
     return FCL_GET_ERRNO;
@@ -169,10 +173,6 @@ static WC_INLINE int wolfSSL_LastError(int err, SOCKET_T sd)
         }
         return err;
     }
-#elif defined(WOLFSSL_EMNET)
-    /* Get the real socket error */
-    IP_SOCK_getsockopt(sd, SOL_SOCKET, SO_ERROR, &err, (int)sizeof(old));
-    return err;
 #else
     return errno;
 #endif

tests/emnet/IP/IP.h

@@ -0,0 +1,44 @@
+/* IP.h -- clean-room shim for the subset of SEGGER emNET (embOS/IP) API
+ * that wolfSSL's WOLFSSL_EMNET port compiles against. Written from the
+ * public API surface documented in SEGGER UM07001; contains no SEGGER
+ * source.
+ *
+ * Scope: enough to build wolfSSL with -DWOLFSSL_EMNET on a POSIX host
+ * for CI test purposes. Only error constants and IP_SOCK_getsockopt are
+ * provided here; the runtime behaviour of send/recv under emNET is
+ * emulated by emnet_shim.c via linker --wrap.
+ */
+
+#ifndef WOLFSSL_EMNET_SHIM_IP_H
+#define WOLFSSL_EMNET_SHIM_IP_H
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* emNET error codes (UM07001). Values match the public ABI. */
+#define IP_ERR_CONN_ABORTED   (-5)
+#define IP_ERR_WOULD_BLOCK    (-6)
+#define IP_ERR_CONN_REFUSED   (-7)
+#define IP_ERR_CONN_RESET     (-8)
+#define IP_ERR_PIPE          (-13)
+#define IP_ERR_FAULT         (-25)
+
+/* BSD-style socket option retrieval. Signature matches the SEGGER API:
+ * length is passed by pointer of type int*, unlike POSIX socklen_t*. */
+int IP_SOCK_getsockopt(int sd, int level, int optname,
+                       void *optval, int *optlen);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* WOLFSSL_EMNET_SHIM_IP_H */

tests/emnet/Makefile

@@ -0,0 +1,52 @@
+# Build the emNET non-blocking handshake test.
+# Requires wolfSSL already configured + built at the repo root with
+# WOLFSSL_EMNET and the emnet IP include path, e.g.:
+#
+#   cd $(repo_root)
+#   ./autogen.sh
+#   ./configure --enable-static --disable-shared --enable-tls13 \
+#               --disable-oldtls CFLAGS="-DWOLFSSL_EMNET \
+#               -I$$(pwd)/tests/emnet"
+#   make
+#   make -C tests/emnet run
+
+CURDIR     := $(shell pwd)
+WOLFSSL_ROOT := $(abspath $(CURDIR)/../..)
+WOLFSSL_LIB := $(WOLFSSL_ROOT)/src/.libs/libwolfssl.a
+
+CC ?= cc
+CFLAGS_TEST := -Wall -Wextra -O2 -g \
+    -DWOLFSSL_EMNET \
+    -I$(CURDIR) \
+    -I$(WOLFSSL_ROOT)
+LDFLAGS_TEST := -Wl,--wrap=recv,--wrap=send
+LIBS_TEST := $(WOLFSSL_LIB) -lpthread -lm
+
+TEST_BIN := emnet_nonblock_test
+
+.PHONY: all run clean check-lib
+
+all: $(TEST_BIN)
+
+check-lib:
+	@if [ ! -f "$(WOLFSSL_LIB)" ]; then \
+	    echo "error: $(WOLFSSL_LIB) not found."; \
+	    echo "Build wolfSSL first (see header of this Makefile)."; \
+	    exit 1; \
+	fi
+
+$(TEST_BIN): emnet_nonblock_test.o emnet_shim.o check-lib
+	$(CC) $(LDFLAGS_TEST) -o $@ emnet_nonblock_test.o emnet_shim.o $(LIBS_TEST)
+
+emnet_nonblock_test.o: emnet_nonblock_test.c
+	$(CC) $(CFLAGS_TEST) -c $< -o $@
+
+emnet_shim.o: emnet_shim.c IP/IP.h
+	$(CC) $(CFLAGS_TEST) -c $< -o $@
+
+# Run from the repo root so the relative cert paths resolve.
+run: $(TEST_BIN)
+	cd $(WOLFSSL_ROOT) && ./tests/emnet/$(TEST_BIN)
+
+clean:
+	rm -f *.o $(TEST_BIN)

tests/emnet/emnet_nonblock_test.c

@@ -0,0 +1,190 @@
+/* emnet_nonblock_test.c -- non-blocking TLS 1.3 handshake over a
+ * socketpair, with wolfSSL built for WOLFSSL_EMNET and the recv/send
+ * error surface translated by emnet_shim.c.
+ *
+ * Purpose: expose the unreachable `#elif defined(WOLFSSL_EMNET)` branch
+ * in src/wolfio.c:172 (shadowed by the WOLFSSL_LINUXKM|WOLFSSL_EMNET
+ * branch at line 153). On current master the shadowing branch returns
+ * `-err`, flipping IP_ERR_WOULD_BLOCK (-6) to +6, which no longer
+ * matches SOCKET_EWOULDBLOCK, so TranslateIoReturnCode falls through to
+ * WOLFSSL_CBIO_ERR_GENERAL and the handshake aborts the first time
+ * the socket would block. The test exits non-zero with a diagnostic
+ * naming the unexpected error; the follow-up fix will make it pass.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <poll.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <wolfssl/options.h>
+#include <wolfssl/ssl.h>
+
+#define MAX_ITERS   200   /* handshake loop safety cap */
+#define POLL_MS     500
+
+#define CERT_PATH    "certs/server-ecc.pem"
+#define KEY_PATH     "certs/ecc-key.pem"
+#define CA_PATH      "certs/ca-ecc-cert.pem"
+
+struct side {
+    int fd;
+    const char *name;
+    WOLFSSL *ssl;
+    int (*fn)(WOLFSSL *);
+    int saw_would_block;
+    int completed;
+    int failed;
+    int last_err;
+};
+
+static void set_nonblock(int fd)
+{
+    int flags = fcntl(fd, F_GETFL, 0);
+    if (flags < 0) {
+        perror("fcntl F_GETFL");
+        exit(2);
+    }
+    if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) {
+        perror("fcntl F_SETFL O_NONBLOCK");
+        exit(2);
+    }
+}
+
+static void *run_side(void *arg)
+{
+    struct side *s = (struct side *)arg;
+    int iter;
+
+    for (iter = 0; iter < MAX_ITERS; iter++) {
+        int ret = s->fn(s->ssl);
+        if (ret == WOLFSSL_SUCCESS) {
+            s->completed = 1;
+            return NULL;
+        }
+
+        int err = wolfSSL_get_error(s->ssl, ret);
+        s->last_err = err;
+
+        if (err == WOLFSSL_ERROR_WANT_READ) {
+            struct pollfd pfd = { .fd = s->fd, .events = POLLIN };
+            s->saw_would_block = 1;
+            poll(&pfd, 1, POLL_MS);
+            continue;
+        }
+        if (err == WOLFSSL_ERROR_WANT_WRITE) {
+            struct pollfd pfd = { .fd = s->fd, .events = POLLOUT };
+            s->saw_would_block = 1;
+            poll(&pfd, 1, POLL_MS);
+            continue;
+        }
+
+        /* Anything else on a non-blocking handshake is a failure. */
+        char errstr[WOLFSSL_MAX_ERROR_SZ];
+        wolfSSL_ERR_error_string_n((unsigned long)err,
+                                   errstr, sizeof(errstr));
+        fprintf(stderr,
+            "FAIL: %s: wolfSSL_get_error=%d (%s) after iter=%d. "
+            "Expected WANT_READ/WANT_WRITE on a non-blocking socketpair. "
+            "This is the emNET non-blocking error-translation bug in "
+            "src/wolfio.c (unreachable WOLFSSL_EMNET branch in "
+            "wolfSSL_LastError).\n",
+            s->name, err, errstr, iter);
+        s->failed = 1;
+        return NULL;
+    }
+
+    fprintf(stderr, "FAIL: %s: handshake did not complete within %d "
+            "iterations (last err=%d)\n",
+            s->name, MAX_ITERS, s->last_err);
+    s->failed = 1;
+    return NULL;
+}
+
+int main(void)
+{
+    int sv[2];
+    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
+        perror("socketpair");
+        return 2;
+    }
+    set_nonblock(sv[0]);
+    set_nonblock(sv[1]);
+
+    wolfSSL_Init();
+
+    WOLFSSL_CTX *sctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method());
+    WOLFSSL_CTX *cctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());
+    if (!sctx || !cctx) {
+        fprintf(stderr, "wolfSSL_CTX_new failed\n");
+        return 2;
+    }
+
+    if (wolfSSL_CTX_use_certificate_file(sctx, CERT_PATH,
+                                         WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) {
+        fprintf(stderr, "failed to load server cert %s\n", CERT_PATH);
+        return 2;
+    }
+    if (wolfSSL_CTX_use_PrivateKey_file(sctx, KEY_PATH,
+                                        WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) {
+        fprintf(stderr, "failed to load server key %s\n", KEY_PATH);
+        return 2;
+    }
+    if (wolfSSL_CTX_load_verify_locations(cctx, CA_PATH, NULL)
+            != WOLFSSL_SUCCESS) {
+        fprintf(stderr, "failed to load CA %s\n", CA_PATH);
+        return 2;
+    }
+
+    WOLFSSL *server_ssl = wolfSSL_new(sctx);
+    WOLFSSL *client_ssl = wolfSSL_new(cctx);
+    if (!server_ssl || !client_ssl) {
+        fprintf(stderr, "wolfSSL_new failed\n");
+        return 2;
+    }
+
+    wolfSSL_set_fd(server_ssl, sv[0]);
+    wolfSSL_set_fd(client_ssl, sv[1]);
+
+    struct side server = { .fd = sv[0], .name = "server",
+                           .ssl = server_ssl, .fn = wolfSSL_accept };
+    struct side client = { .fd = sv[1], .name = "client",
+                           .ssl = client_ssl, .fn = wolfSSL_connect };
+
+    pthread_t st, ct;
+    pthread_create(&st, NULL, run_side, &server);
+    pthread_create(&ct, NULL, run_side, &client);
+    pthread_join(st, NULL);
+    pthread_join(ct, NULL);
+
+    int rc = 0;
+    if (server.failed || client.failed) {
+        rc = 1;
+    } else if (!server.completed || !client.completed) {
+        fprintf(stderr, "FAIL: handshake incomplete (server=%d client=%d)\n",
+                server.completed, client.completed);
+        rc = 1;
+    } else if (!server.saw_would_block && !client.saw_would_block) {
+        fprintf(stderr, "FAIL: handshake completed but never hit a "
+                "non-blocking path. Test scaffolding not exercising "
+                "the WOLFSSL_EMNET error-translation code.\n");
+        rc = 1;
+    } else {
+        printf("OK: handshake completed, would-block paths exercised\n");
+    }
+
+    wolfSSL_free(server_ssl);
+    wolfSSL_free(client_ssl);
+    wolfSSL_CTX_free(sctx);
+    wolfSSL_CTX_free(cctx);
+    wolfSSL_Cleanup();
+    close(sv[0]);
+    close(sv[1]);
+    return rc;
+}