From a5ee9604c71294dea6d0d31da75dd24f2f2908a1 Mon Sep 17 00:00:00 2001
From: Jeremiah Mackey
Date: Thu, 7 May 2026 16:53:20 +0000
Subject: [PATCH] tls13: alert illegal_parameter for ctx
---
 src/tls13.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/tls13.c b/src/tls13.c
index c07f9b0803..679338bf86 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -6089,8 +6089,13 @@ static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
 len = input[(*inOutIdx)++];
 if ((*inOutIdx - begin) + len > size)
 return BUFFER_ERROR;
- if (ssl->options.connectState < FINISHED_DONE && len > 0)
- return BUFFER_ERROR;
+ /* INVALID_PARAMETER does not map to illegal_parameter in the central
+ * alert path, so emit the alert explicitly before returning. */
+ if (ssl->options.connectState < FINISHED_DONE && len > 0) {
+ SendAlert(ssl, alert_fatal, illegal_parameter);
+ WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
+ return INVALID_PARAMETER;
+ }
 #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
 /* Remember the request context bytes; the CertReqCtx allocation and
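Review bot: The explicit `SendAlert(ssl, alert_fatal, illegal_parameter);` in the new `connectState < FINISHED_DONE && len > 0` branch is only correct if the caller's central alert path sends nothing for `INVALID_PARAMETER`, and the hunk does not show that path; if it translates this return value to some other alert, the peer would be sent a second fatal alert after the first. Once that is confirmed, the comment should say so and name the rule being enforced, for example `/* RFC 8446 4.3.2: request context must be empty during the handshake; the central path sends no alert for INVALID_PARAMETER, so send it here. */`. The result of `SendAlert` is discarded, so `(void)SendAlert(ssl, alert_fatal, illegal_parameter);` would mark that as deliberate on a path that is already failing. The diffstat lists only src/tls13.c, so a regression test for a handshake CertificateRequest with a non-empty context, expecting both the illegal_parameter alert and the new `INVALID_PARAMETER` return in place of `BUFFER_ERROR`, appears to be missing. The body of `DoTls13CertificateRequest` starts and ends outside this hunk.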