fix: move ERR_error_string funcs out of internal.c (ZD-21735)

[MarkAtwood]

Root Cause

wolfSSL_ERR_error_string, wolfSSL_ERR_error_string_n, wolfSSL_ERR_reason_error_string, and SetErrorString were defined in src/internal.c and src/ssl.c. Both files are excluded from WOLFCRYPT_ONLY builds by the build system — src/include.am gates them on if !BUILD_CRYPTONLY, so neither is compiled or linked when building with --enable-cryptonly.

The symbols are declared in wolfssl/ssl.h (visible to callers) but absent from libwolfssl.a in a crypto-only build, causing undefined symbol link errors for any application calling these functions.

Why Was This Not Caught Earlier

The WOLFCRYPT_ONLY + OPENSSL_EXTRA combination is an edge case not covered by common CI configurations. The placement in internal.c dates to December 2013 (commit a36c18c), when an external contributor added CyaSSL_ERR_reason_error_string. It was put in internal.c because SetErrorString already lived there. Three subsequent major refactors never revisited the placement.

Fix

Move all five functions (including the static wolfSSL_ERR_reason_error_string_OpenSSL helper) to wolfcrypt/src/error.c, which is compiled in all wolfSSL configurations: full TLS, WOLFCRYPT_ONLY, and FIPS.

The functions are placed after the file-level #endif /* !NO_ERROR_STRINGS */ so they are unconditionally compiled regardless of NO_ERROR_STRINGS. The function bodies already handle NO_ERROR_STRINGS internally where needed (wolfSSL_ERR_reason_error_string returns a stub string in that case).

Added unconditional #include <wolfssl/error-ssl.h> and #include <wolfssl/ssl.h> before the new block. Several other wolfcrypt port files already include wolfssl/error-ssl.h, so this is an established pattern.

Also removed a spurious top-level #ifdef WOLFSSL_DEBUG_TRACE_ERROR_CODES_H / debug-untrace block that was incorrectly placed at file scope during extraction from internal.c.

Testing

• Full TLS build: clean compile, testwolfcrypt passes, unit.test passes
• --enable-cryptonly --enable-opensslextra: library builds cleanly; nm libwolfssl.a confirms all five symbols present in error.o

Fixes ZD-21735.

[Copilot]

Pull request overview

This PR fixes --enable-cryptonly --enable-opensslextra link failures by ensuring OpenSSL-compat error-string APIs are built into crypto-only configurations (where src/internal.c and src/ssl.c are excluded by the build).

Changes:

• Move wolfSSL_ERR_error_string, wolfSSL_ERR_error_string_n, wolfSSL_ERR_reason_error_string, SetErrorString, and the OpenSSL-reason helper into wolfcrypt/src/error.c (compiled in all configurations).
• Remove duplicate/now-relocated wolfSSL_ERR_error_string* implementations from src/ssl.c.
• Remove the SSL/TLS-range reason-string implementation and SetErrorString from src/internal.c.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
wolfcrypt/src/error.c	Adds SSL/TLS-range error-string functions so the symbols exist in WOLFCRYPT_ONLY + OPENSSL_EXTRA builds.
src/ssl.c	Removes wolfSSL_ERR_error_string / _n implementations that are now provided by wolfcrypt/src/error.c.
src/internal.c	Removes SSL/TLS-range reason-string implementation and SetErrorString now hosted in wolfcrypt/src/error.c.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #10369

Scan targets checked: wolfcrypt-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

[wolfSSL-Fenrir-bot]

🔴 [High] Moved error-string functions now gated by outer NO_ERROR_STRINGS guard · Dead/unreachable code

error.c is wrapped in #ifndef NO_ERROR_STRINGS (line 29 to line 1402), so the moved wolfSSL_ERR_reason_error_string, wolfSSL_ERR_error_string, wolfSSL_ERR_error_string_n, and SetErrorString are no longer compiled when NO_ERROR_STRINGS is defined. These were unconditionally defined before; the public-API symbols declared in wolfssl/ssl.h are now missing under that build, breaking link with callers like wolfSSL_ERR_print_errors_fp, src/ssl_load.c:2456, and src/x509.c:8286.

Fix: Move these five functions outside the file-level #ifndef NO_ERROR_STRINGS block so they are always compiled, matching the prior behavior.

[MarkAtwood]

Fixed in 531a224. Moved all five functions (and their static helper) to after the closing #endif /* !NO_ERROR_STRINGS */, outside the outer guard. The functions already handle NO_ERROR_STRINGS internally where needed (wolfSSL_ERR_reason_error_string returns a stub string). Also removed a spurious top-level #ifdef WOLFSSL_DEBUG_TRACE_ERROR_CODES_H / debug-untrace block that had been incorrectly placed at file scope during the extraction from internal.c.