From a7b83b06c171d6dbc701453613ffb85f9cbf217c Mon Sep 17 00:00:00 2001
From: Kareem
Date: Fri, 26 Dec 2025 15:23:23 -0700
Subject: [PATCH 1/3] Alert on out of order message with unexpected_message. Fixes #9531.
---
 src/internal.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/internal.c b/src/internal.c
index 841e49fc8f0..b555bdcdb80 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -35262,6 +35262,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 return wolfssl_alert_protocol_version;
 case WC_NO_ERR_TRACE(BAD_CERTIFICATE_STATUS_ERROR):
 return bad_certificate_status_response;
+ case WC_NO_ERR_TRACE(OUT_OF_ORDER_E):
+ return unexpected_message;
 default:
 return invalid_alert;
 }
From 6145f3aba22107cea4d6cbc40c44b5a4068934b1 Mon Sep 17 00:00:00 2001
From: Kareem
Date: Fri, 26 Dec 2025 15:24:14 -0700
Subject: [PATCH 2/3] Fix incorrect alert being sent when wolfSSL receives unexpected PSK extension. Fixes #9503.
---
 src/tls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tls.c b/src/tls.c
index 743fbf3e947..9f0e2796a1a 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -11607,7 +11607,7 @@ static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input,
 /* Find the list of identities sent to server. */
 extension = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
 if (extension == NULL)
- return PSK_KEY_ERROR;
+ return INCOMPLETE_DATA;
 list = (PreSharedKey*)extension->data;
 /* Mark the identity as chosen. */
From 7d04a53a6ce3e05eabc40aba2bb62457f2a56dbf Mon Sep 17 00:00:00 2001
From: Kareem
Date: Fri, 26 Dec 2025 15:26:05 -0700
Subject: [PATCH 3/3] Update X509_get_default_cert_* stubs to return empty strings. According to the documentation, these functions must return static strings, so NULL was not valid. Fixes #6474.
---
 src/x509.c | 8 ++++----
 tests/api/test_ossl_x509.c | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/x509.c b/src/x509.c
index 8fc94f5f1d0..a34f72df7ba 100644
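Review bot: The new `case WC_NO_ERR_TRACE(OUT_OF_ORDER_E):` arm changes which alert the peer receives, yet the diffstat for this patch touches only src/internal.c, so no test pins the behaviour. A regression test asserting that an out-of-order handshake message produces `unexpected_message` would stop this from silently falling back to the `default:` arm's `invalid_alert`. A one-line comment above the case would record why the code is mapped here, for example `/* RFC 8446 6.2: message received at the wrong point in the handshake -> unexpected_message */`. The hunk header names DoSessionTicket, but the enclosing switch begins above the hunk, so the visible lines do not confirm which function this is or whether other ordering-related error codes are already handled in it.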
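Review bot: `return INCOMPLETE_DATA;` appears to be chosen only for the alert it translates to, and that translation is not visible in this hunk. The name does not describe the condition, which is a pre_shared_key extension being parsed when `TLSX_Find` finds none stored in `ssl->extensions`. RFC 8446 section 4.2 requires `unsupported_extension` when a peer responds to an extension that was never sent, so it is worth confirming that the error-to-alert switch yields that alert for this code. A comment on the check would stop a later cleanup from changing the code back, for example `/* No pre_shared_key was offered; error code is chosen for the alert it maps to. */`. The patch adds no test for this path, and TLSX_PreSharedKey_Parse continues outside the hunk.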
--- a/src/x509.c
+++ b/src/x509.c
@@ -3448,25 +3448,25 @@ int wolfSSL_X509_pubkey_digest(const WOLFSSL_X509 *x509,
 const char* wolfSSL_X509_get_default_cert_file_env(void)
 {
 WOLFSSL_STUB("X509_get_default_cert_file_env");
- return NULL;
+ return "";
 }
 const char* wolfSSL_X509_get_default_cert_file(void)
 {
 WOLFSSL_STUB("X509_get_default_cert_file");
- return NULL;
+ return "";
 }
 const char* wolfSSL_X509_get_default_cert_dir_env(void)
 {
 WOLFSSL_STUB("X509_get_default_cert_dir_env");
- return NULL;
+ return "";
 }
 const char* wolfSSL_X509_get_default_cert_dir(void)
 {
 WOLFSSL_STUB("X509_get_default_cert_dir");
- return NULL;
+ return "";
 }
 #endif
diff --git a/tests/api/test_ossl_x509.c b/tests/api/test_ossl_x509.c
index b198da11d9a..a28728800f6 100644
--- a/tests/api/test_ossl_x509.c
+++ b/tests/api/test_ossl_x509.c
@@ -528,10 +528,10 @@ int test_wolfSSL_X509(void)
 ExpectIntEQ(X509_verify_cert(ctx), SSL_SUCCESS);
 #ifndef NO_WOLFSSL_STUB
- ExpectNull(X509_get_default_cert_file_env());
- ExpectNull(X509_get_default_cert_file());
- ExpectNull(X509_get_default_cert_dir_env());
- ExpectNull(X509_get_default_cert_dir());
+ ExpectStrEQ(X509_get_default_cert_file_env(), "");
+ ExpectStrEQ(X509_get_default_cert_file(), "");
+ ExpectStrEQ(X509_get_default_cert_dir_env(), "");
+ ExpectStrEQ(X509_get_default_cert_dir(), "");
 #endif
 ExpectNull(wolfSSL_X509_get_der(NULL, NULL));
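Review bot: Returning `""` from the four stubs removes the NULL that callers could dereference, but it also removes the only signal that no default location exists. Code that previously tested the result against NULL will now proceed with an empty path. For the `_file` and `_dir` getters this matters for trust-store loading, because a caller that joins an empty directory with a file name may end up reading from a location it never intended; whether any caller does so is not visible here. Each of the four functions in this hunk should carry a comment stating the contract, for example `/* Stub: no built-in default; returns "" (never NULL), callers must treat an empty string as "not configured". */`.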