x509_str: align WOLFSSL_X509_V_ERR_INVALID_CA with OpenSSL value

julek-wolfssl · julek-wolfssl · commit 66074e24b4c6 · 2026-04-28T17:44:18.000+02:00
WOLFSSL_X509_V_ERR_INVALID_CA was 24 while X509_V_ERR_INVALID_CA from
the OpenSSL-compat header is 79.  In OPENSSL_COEXIST builds the literal
X509_V_ERR_INVALID_CA macro is suppressed to avoid clashing with real
OpenSSL, so referencing it from src/x509_str.c failed to compile.

Move WOLFSSL_X509_V_ERR_INVALID_CA to 79 so the wolfSSL native code
matches the OpenSSL value, bump WC_OSSL_V509_V_ERR_MAX to 80, and use
the WOLFSSL_-prefixed constant in wolfSSL_X509_verify_cert.  Extend
error_test()'s missing-value table to cover the new gaps (24 and
65-78).

Also skip test_tls13_ticket_peer_cert_reverify under
WOLFSSL_NO_DEF_TICKET_ENC_CB, since without a ticket encryption
callback the server never emits a NewSessionTicket and the test's
resumption step cannot run.
diff --git a/src/x509_str.c b/src/x509_str.c
@@ -710,7 +710,7 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
              * but the leaf signature must still be verified against the
              * issuer below — never skip X509StoreVerifyCert. */
             if (!issuer->isCa) {
-                SetupStoreCtxError_ex(ctx, X509_V_ERR_INVALID_CA,
+                SetupStoreCtxError_ex(ctx, WOLFSSL_X509_V_ERR_INVALID_CA,
                                 (ctx->chain) ? (int)(ctx->chain->num + 1) : 1);
             #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
                 if (ctx->store->verify_cb) {
diff --git a/tests/api.c b/tests/api.c
@@ -28238,9 +28238,11 @@ static int error_test(void)
         {11, 11},
         {17, 15},
         {19, 19},
+        {24, 24},
         {27, 26 },
         {61, 30},
         {63, 63},
+        {78, 65},
 #endif
         { -9, WC_SPAN1_FIRST_E + 1 },
         { -300, -300 },
diff --git a/tests/api/test_tls13.c b/tests/api/test_tls13.c
@@ -5276,7 +5276,7 @@ int test_tls13_ticket_peer_cert_reverify(void)
     defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) && \
     defined(OPENSSL_ALL) && defined(KEEP_PEER_CERT) && \
     !defined(NO_CERT_IN_TICKET) && !defined(WOLFSSL_NO_TLS12) && \
-    !defined(NO_RSA)
+    !defined(NO_RSA) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
     struct test_memio_ctx test_ctx;
     WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
     WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
@@ -2684,13 +2684,13 @@ enum {
     WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE   = 21,
     WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG               = 22,
     WOLFSSL_X509_V_ERR_CERT_REVOKED                      = 23,
-    WOLFSSL_X509_V_ERR_INVALID_CA                        = 24,
     WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED              = 25,
     WOLFSSL_X509_V_ERR_CERT_REJECTED                     = 28,
     WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH           = 29,
-    WOLFSSL_X509_V_ERR_HOSTNAME_MISMATCH                = 62,
-    WOLFSSL_X509_V_ERR_IP_ADDRESS_MISMATCH              = 64,
-    WC_OSSL_V509_V_ERR_MAX = 65,
+    WOLFSSL_X509_V_ERR_HOSTNAME_MISMATCH                 = 62,
+    WOLFSSL_X509_V_ERR_IP_ADDRESS_MISMATCH               = 64,
+    WOLFSSL_X509_V_ERR_INVALID_CA                        = 79,
+    WC_OSSL_V509_V_ERR_MAX = 80,
 
 #ifdef HAVE_OCSP
     /* OCSP Flags */
