Refactor All SetUp functions to use GetOpt and Handle new error codes / Standardization #260

Open: aidankeefe2022 wants to merge 9 commits into wolfSSL:main from aidankeefe2022:refactor-setup-to-GetOpt

aidankeefe2022 (Member) commented Jun 30, 2026

Rewriting Every Setup Function and Standardizing help function locations; Also slight refactor to wolfCLU_getOpt func

Why

Three main issues were pervasive before this change:

  • Hanging on bad args.
  • OOB reads due to absolute positional arguments (i.e., argv[2] is accessed unchecked).
  • Unchecked illegal arguments.
  • Consistency and locality of behavior.

There was also a lot of legacy argument checking via the use of strcmp and checkForArgument calls that made understanding what was set when very difficult and adding new functionality much harder than in the modern functions that used getOpt. Moving the help functions just made the code base consistent in style.

Benefits

  1. All handling of args works the same way across every setup function. This makes it much easier to reason about and understand flow of the program.
  2. By moving to the modern system and adding new return codes to getOpt we are able to catch and act on specific situations rather than have the same exit code be used for the successful parsing of all args and issues like repeat args (WOLFCLU_FATAL_ERROR).

aidankeefe2022 self-assigned this Jun 30, 2026
aidankeefe2022 changed the title from "Refactor All SetUp functions to use GetOpt and Handle new error codes" to "Refactor All SetUp functions to use GetOpt and Handle new error codes / Standardization" Jun 30, 2026

wolfSSL-Fenrir-bot left a comment

Fenrir Automated Review — PR #260

Scan targets checked: wolfclu-bugs, wolfclu-src

Findings: 5
5 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread src/crypto/clu_crypto_setup.c
Comment thread src/sign-verify/clu_dgst_setup.c Outdated
Comment thread src/server/clu_server_setup.c Outdated
Comment thread src/x509/clu_cert_setup.c Outdated
Comment thread src/x509/clu_request_setup.c Outdated

JacobBarthelmeh (Contributor) left a comment

Overall it is a nice refactor to have.

Comment thread src/tools/clu_funcs.c Outdated
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/

#include "wolfclu/clu_error_codes.h"

Contributor

Use same <> instead of "" for search pattern when finding wolfclu header files.

Member Author

fixed

Comment thread src/x509/clu_ca_setup.c Outdated
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/

#include "wolfclu/clu_error_codes.h"

Contributor

Same as earlier, "" vs <>

Member Author

fixed

Comment thread tests/dgst/dgst-test.py
expected = "3e5915162b1974ac0d57a5a45113a1efcc1edc5e71e5e55ca69f9a7c60ca11fd"

r = run_wolfssl("-hash", "sha256", "-in", self.LARGE_FILE)
r = run_wolfssl("-hash", "-sha256", "-in", self.LARGE_FILE)

Contributor

The -sha256 versus sha256 might be expected but please compare this to drop in replacement of openssl command line args to make sure. We would not want to change the test case if it is a test added for confirming a specific format of the command is accepted.

Comment thread tests/hash/hash-test.py
def test_sha_base64enc(self):
r = run_wolfssl("-hash", "sha", "-in", CERT_FILE, "-base64enc")
def test_sha_(self):
r = run_wolfssl("-hash", "-sha", "-in", CERT_FILE)
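
Review bot: `def test_sha_(self):` leaves a trailing underscore in the test name; rename it to say what the case checks (for example `test_sha`). The `-base64enc` argument on the `test_sha_base64enc` line above it is also absent from the new call, so confirm that path is still exercised by another test in this file.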

Contributor

Same as -sha256. Confirm this is an okay adjustment to make.

Member Author

The OpenSSL CLU does not have a hash sub command so we are already deviating from them. Making this change should be okay to make.

Comment thread wolfclu/certgen/clu_certgen.h Outdated
#endif
#ifndef NO_RSA
#include <wolfssl/wolfcrypt/rsa.h>

Contributor

Extra newline with no purpose? If not needed please remove it. It's one less file touched as changed in the PR.

Comment thread wolfclu/clu_error_codes.h
DER_TO_PEM_ERROR = -1004, /* converting der to pem failed */
OUTPUT_FILE_ERROR = -1005,
FEATURE_COMING_SOON = -1006, /* Feature not yet implemented */
ARG_FOUND_TWICE = -1007,
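
Review bot: `ARG_FOUND_TWICE = -1007` has no description comment, unlike `DER_TO_PEM_ERROR` and `FEATURE_COMING_SOON` just above it; add a short one saying it means the same option was given more than once, so callers that handle the code do not have to read the parser to learn that.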

Contributor

This is a nice sanity check on most args. I have a suspicion though that it could backfire on some cases. Like with req -addext <ext> -addext <ext> or cms -recip <recipient 1> -recip <recipient 2>. Is the ARG_FOUND_TWICE handling cases where it is expected that multiples of the same arg are used?

Member Author

This change is just surfacing what happened via an error code. The wolfCLU_GetOpt function previously just logged and no-oped on duplicate args. All of the rewritten setup funcs did not use duplicate args either.
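
The parsing pattern discussed in the PR description and in the ARG_FOUND_TWICE thread above, as an added example (not wolfCLU's code): a table-driven option loop that bounds-checks every argv access and returns a distinct code for end of arguments, unknown options, missing values and duplicates, with a per-option repeatable flag for cases like -addext. All `ex_` names, the struct layout and the code values are assumptions made for this example.

```c
#include <string.h>

/* Hypothetical codes; names and values are constructed for this example. */
enum { EX_END_OF_ARGS = -1, EX_UNKNOWN_ARG = -2, EX_MISSING_VALUE = -3,
       EX_ARG_FOUND_TWICE = -4 };

struct ex_opt {
    const char *name; /* option text, e.g. "-in" */
    int id;           /* positive id handed back to the caller */
    int has_value;    /* 1: the next argv entry is this option's value */
    int repeatable;   /* 1: may legitimately appear more than once */
    int seen;         /* set after the first occurrence */
};

/* Returns a positive option id, or one distinct negative code per failure. */
int ex_get_opt(int argc, char **argv, int *idx, struct ex_opt *tbl,
               size_t n, const char **val)
{
    *val = NULL;
    if (*idx >= argc)
        return EX_END_OF_ARGS;        /* the only clean way out of the loop */
    for (size_t i = 0; i < n; i++) {
        if (strcmp(argv[*idx], tbl[i].name) != 0)
            continue;
        if (tbl[i].seen && !tbl[i].repeatable)
            return EX_ARG_FOUND_TWICE;
        if (tbl[i].has_value) {
            if (*idx + 1 >= argc)     /* never index past argv[argc - 1] */
                return EX_MISSING_VALUE;
            *val = argv[++(*idx)];
        }
        tbl[i].seen = 1;
        (*idx)++;
        return tbl[i].id;
    }
    return EX_UNKNOWN_ARG;            /* reject, rather than skip or spin */
}

/* Parses everything after argv[1]; 0 on success, else the first error code. */
int ex_parse(int argc, char **argv, struct ex_opt *tbl, size_t n, int *count)
{
    int idx = 2, rc;                  /* argv[0] program, argv[1] subcommand */
    const char *val;
    *count = 0;
    while ((rc = ex_get_opt(argc, argv, &idx, tbl, n, &val)) > 0)
        (*count)++;
    return rc == EX_END_OF_ARGS ? 0 : rc;
}
```

Because every failure path returns without advancing the cursor and the loop only continues on a positive id, a bad argument ends parsing instead of hanging, and an argv shorter than two entries is reported as a clean end of arguments.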

Comment thread src/server/clu_server_setup.c Outdated
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/

#include "wolfclu/clu_error_codes.h"

Contributor

"" versus <>

Contributor

Looking at this, I also think clu_header_main.h should be included before clu_error_codes.h in all of the files.

Member Author

I fixed this across the code base; should be good now!

Copilot AI (Contributor) left a comment

Pull request overview

This PR refactors wolfCLU subcommand setup/argument parsing to consistently use wolfCLU_GetOpt() (with new standardized end-of-args and duplicate-arg error codes), relocates/help-standardizes multiple *_Help() functions, and updates tests/feature guards (notably BLAKE2B-related macros) to match the revised CLI.

Changes:

  • Standardize option parsing across many setup functions by switching GetOpt loops to terminate on END_OF_ARGS and handle duplicate arguments via ARG_FOUND_TWICE.
  • Move/inline various help functions closer to their owning subcommands for consistency and locality.
  • Update tests and feature guards (e.g., HAVE_BLAKE2B, -hash -sha* flags) and add a base64 expected-output fixture.

Reviewed changes

Copilot reviewed 35 out of 36 changed files in this pull request and generated 11 comments.

| File | Description |
| --- | --- |
| wolfclu/clu_optargs.h | Adds new option/command enum values for expanded x509/hash/genkey parsing. |
| wolfclu/clu_header_main.h | Updates BLAKE2 guard macro and removes help prototypes that were relocated. |
| wolfclu/clu_error_codes.h | Adds ARG_FOUND_TWICE and END_OF_ARGS error codes used by GetOpt loops. |
| wolfclu/certgen/clu_certgen.h | Minor whitespace adjustment. |
| tests/testjunk/tests.sh | Updates build-option grep to HAVE_BLAKE2B. |
| tests/hash/hash-test.py | Updates hash CLI tests to new flag-style algorithms; adds base64 enc/dec coverage. |
| tests/hash/base64enc-expect.b64 | Adds expected output fixture for base64 encoding test. |
| tests/dgst/dgst-test.py | Updates -hash invocation and sha256 shortcut invocation to new flag style. |
| src/x509/clu_request_setup.c | Switches GetOpt loop to END_OF_ARGS, adds duplicate-arg handling, and relocates certgen help. |
| src/x509/clu_cert_setup.c | Refactors x509 arg parsing to GetOpt and adds option table/help locally. |
| src/x509/clu_ca_setup.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/tools/clu_rand.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/tools/clu_funcs.c | Updates wolfCLU_GetOpt() to return END_OF_ARGS and introduce ARG_FOUND_TWICE. |
| src/tools/clu_base64.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/sign-verify/clu_x509_verify.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/sign-verify/clu_sign_verify_setup.c | Refactors sign/verify setup to GetOpt; relocates sign/verify help locally. |
| src/sign-verify/clu_dgst_setup.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/sign-verify/clu_crl_verify.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/server/clu_server_setup.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/pkey/clu_rsa.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/pkey/clu_pkey.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/pkcs/clu_pkcs8.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/pkcs/clu_pkcs7.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/pkcs/clu_pkcs12.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/ocsp/clu_ocsp.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/hash/clu_hash.c | Updates BLAKE2 guard macro and improves base64 output handling (raw vs hex). |
| src/hash/clu_hash_setup.c | Refactors -hash setup to GetOpt with new per-algorithm flags and help updates. |
| src/genkey/clu_genkey_setup.c | Refactors genkey setup to GetOpt and centralizes output directive parsing. |
| src/ecparam/clu_ecparam.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/dsa/clu_dsa.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/dh/clu_dh.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/crypto/clu_crypto_setup.c | Relocates encrypt/decrypt help and switches GetOpt loop to END_OF_ARGS. |
| src/client/clu_client_setup.c | Switches GetOpt loop to END_OF_ARGS and adds duplicate-arg handling. |
| src/benchmark/clu_benchmark.c | Updates BLAKE2 guard macro. |
| src/benchmark/clu_bench_setup.c | Refactors bench setup to GetOpt and introduces a benchmark-index enum. |
| .gitignore | Adds ignores for wolfclu-configure artifacts, IDE files, and compile_commands.json. |

Comment thread src/tools/clu_funcs.c
Comment thread src/x509/clu_cert_setup.c Outdated
Comment thread src/x509/clu_cert_setup.c
Comment thread src/hash/clu_hash_setup.c Outdated
Comment thread src/hash/clu_hash_setup.c Outdated
Comment thread src/hash/clu_hash_setup.c Outdated
Comment thread src/hash/clu_hash_setup.c Outdated
Comment thread src/hash/clu_hash_setup.c
Comment thread src/hash/clu_hash_setup.c Outdated
Comment thread tests/hash/hash-test.py Outdated
Comment thread src/x509/clu_request_setup.c Outdated
Comment thread src/x509/clu_cert_setup.c Outdated
Comment thread src/server/clu_server_setup.c Outdated
Comment thread src/sign-verify/clu_dgst_setup.c Outdated
Comment thread src/crypto/clu_crypto_setup.c

wolfSSL-Fenrir-bot left a comment

Fenrir Automated Review — PR #260

Scan targets checked: wolfclu-bugs, wolfclu-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread src/hash/clu_hash_setup.c Outdated
Comment thread src/hash/clu_hash_setup.c Outdated

wolfSSL-Fenrir-bot left a comment

Fenrir Automated Review — PR #260

Scan targets checked: wolfclu-bugs, wolfclu-src
Findings: 2
1 finding(s) posted as inline comments (see file-level comments below)

Low (1)

In-loop error returns in wolfCLU_setup leak mode and key buffers without zeroizing

File: src/crypto/clu_crypto_setup.c:590
Function: wolfCLU_setup
Category: Resource leaks

The WOLFCLU_MD invalid-digest path (and the -pwd/-key/-iv error returns) return without freeing the heap-allocated mode and, when a password or key was already parsed, without XMEMSET-ing pwdKey/key, leaving key material in freed/unfreed heap. The PR added mode cleanup only to the malloc-failure and duplicate-arg paths.

Recommendation: Route these error returns through the common cleanup that zeroizes pwdKey/key/iv and frees mode.

Referenced code: src/crypto/clu_crypto_setup.c:590-595 (6 lines)


This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread src/hash/clu_hash_setup.c Outdated
aidankeefe2022 force-pushed the refactor-setup-to-GetOpt branch from 27866c3 to 6b4078f July 1, 2026 18:47

aidankeefe2022 (Member Author)

Jenkins retest this please
