[Bug]: SNI Missing Extension Alert Inconsistency

[LiD0209]

Contact Details

lxd_dong@bupt.edu.cn

Version

V5.9.1

Description

SNI Missing Extension Alert Inconsistency

Issue Overview

TLS 1.3 recommends a specific alert for the case where a server requires a
valid server_name extension, but the client's ClientHello does not contain
that extension.

In wolfSSL, the corresponding path aborts the handshake, but sends
handshake_failure rather than missing_extension.

This is therefore an alert-value inconsistency with the standard's recommended
behavior. It is not a case where wolfSSL completely fails to reject the invalid
scenario.

Standard Text

RFC 8446 Section 9.2, "Mandatory-to-Implement Extensions":
https://www.rfc-editor.org/rfc/rfc8446.html#section-9.2

Servers MAY require clients to send a valid "server_name" extension.
Servers requiring this extension SHOULD respond to a ClientHello
lacking a "server_name" extension by terminating the connection with
a "missing_extension" alert.

Key point: this is a SHOULD, not a MUST.

wolfSSL Code Behavior

The key code is in tls.c:

if (ctx_sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) {
    sni = TLSX_SNI_Find(ssl_sni, ctx_sni->type);

    if (sni) {
        if (sni->status != WOLFSSL_SNI_NO_MATCH)
            continue;

        /* if ssl level overrides ctx level, it is ok. */
        if ((sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) == 0)
            continue;
    }

    SendAlert(ssl, alert_fatal, handshake_failure);
    WOLFSSL_ERROR_VERBOSE(SNI_ABSENT_ERROR);
    return SNI_ABSENT_ERROR;
}

The same logic also appears on the SSL-level path; see
tls.c.

Standard vs. wolfSSL

Standard behavior:

• Condition: the server requires server_name.
• Client behavior: ClientHello lacks server_name.
• Recommended alert: missing_extension.

wolfSSL behavior:

• Condition: WOLFSSL_SNI_ABORT_ON_ABSENCE is enabled.
• Client behavior: ClientHello lacks server_name.
• Actual alert: handshake_failure.

Conclusion

wolfSSL does reject the missing-SNI case when configured to abort on SNI
absence, but it uses handshake_failure instead of the RFC 8446 recommended
missing_extension alert.

Classification: partially aligned with the standard's intent, but inconsistent
with the recommended alert value.

Reproduction steps

No response

Relevant log output

[cpsource]

Took a crack at this. Root-cause analysis, proposed fix, a self-contained reproducer with wire-byte inspection, and an automated BEFORE/AFTER verification script are all below. (Queried gh first — no existing PR addresses this. Adjacent PRs #9528 and #9588 fixed missing_extension for KeyShare/SupportedGroups and PSK respectively, but neither touched TLSX_SNI_VerifyParse.)

---

The bug

When a wolfSSL server is configured with
WOLFSSL_SNI_ABORT_ON_ABSENCE and a client sends a TLS 1.3
ClientHello without the server_name extension, the server
correctly aborts the handshake — but the fatal alert it transmits
on the wire carries description 40 (handshake_failure) instead
of the RFC 8446 §9.2 SHOULD value 109 (missing_extension).

This is an alert-value inconsistency, not a missing rejection.

Wire-level evidence (this review's reproducer):

BEFORE: server alert description = 40 (0x28)   handshake_failure
AFTER : server alert description = 109 (0x6d)  missing_extension

Upstream status

Checked on 2026-04-27 with gh:

• Issue opened 2026-04-27 by LiD0209 (Li Xiangdong); 0 comments,
  no assignee, label bug. Reporter ran wolfSSL V5.9.1.
• gh pr list --repo wolfSSL/wolfssl --state all --search "10318" →
  no PRs reference this issue.
• gh search issues --repo wolfSSL/wolfssl --include-prs "10318" →
  only the issue itself.
• Keyword scan for missing_extension:
  • PR TLS 1.3 missing extension: return correct alert code #9528 (merged 2025-12-15) "TLS 1.3 missing extension:
    return correct alert code" — addresses the
    KeyShare/SupportedGroups co-occurrence rule, not SNI.
  • PR Fix incorrect alerts. #9588 (merged 2026-01-06) "Fix incorrect alerts" —
    sends missing_extension for unexpected PSK and
    unexpected_message for out-of-order. Touches different
    extensions and code paths.
• Neither PR modified TLSX_SNI_VerifyParse(). Both
  SendAlert(... handshake_failure) calls in that function are
  unchanged on master.

Conclusion: this gap is real on master and not in flight upstream.

Root cause

TLSX_SNI_VerifyParse() in src/tls.c is the server-side SNI
absence check. It runs from TLSX_Parse() at line 18126 while the
server processes the client's ClientHello. Two parallel arms
(CTX-level config at line 2598 and SSL-level overrides at line
2609) each unconditionally emit handshake_failure:

/* tls.c:2585  CTX-level abort-on-absence loop */
for (; ctx_sni; ctx_sni = ctx_sni->next) {
    if (ctx_sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) {
        ...
        SendAlert(ssl, alert_fatal, handshake_failure);   /* (1) */
        WOLFSSL_ERROR_VERBOSE(SNI_ABSENT_ERROR);
        return SNI_ABSENT_ERROR;
    }
}

/* tls.c:2604  SSL-level abort-on-absence loop */
for (; ssl_sni; ssl_sni = ssl_sni->next) {
    if (ssl_sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) {
        ...
        SendAlert(ssl, alert_fatal, handshake_failure);   /* (2) */
        WOLFSSL_ERROR_VERBOSE(SNI_ABSENT_ERROR);
        return SNI_ABSENT_ERROR;
    }
}

RFC 8446 §9.2 says:

Servers MAY require clients to send a valid "server_name"
extension. Servers requiring this extension SHOULD respond to a
ClientHello lacking a "server_name" extension by terminating the
connection with a "missing_extension" alert.

missing_extension (description = 109) is a TLS 1.3-only alert
code (RFC 8446 §6). For pre-TLS-1.3 connections the code is not
defined, and historical wolfSSL behaviour has been
handshake_failure.

Why the current design exists

Both call sites predate TLS 1.3 in the codebase. The original SNI
abort path picked a generic alert because that was the lingua
franca of TLS 1.2; no version-aware branch was added when TLS 1.3
support landed.

Proposed fix

Make each SendAlert version-aware:

SendAlert(ssl, alert_fatal,
          IsAtLeastTLSv1_3(ssl->version)
              ? missing_extension
              : handshake_failure);

Both missing_extension = 109 and handshake_failure = 40 are
already present in enum AlertDescription (wolfssl/ssl.h).
IsAtLeastTLSv1_3() is already used throughout tls.c.

After the fix, the following invariants hold:

• A TLS 1.3 server requiring SNI emits a fatal
  missing_extension(109) when the client's ClientHello lacks the
  server_name extension (RFC 8446 §9.2 SHOULD obeyed).
• A pre-TLS-1.3 server in the same situation emits the historical
  handshake_failure(40) (no behavioural change).
• The SSL-level overrides path is updated in lockstep with the
  CTX-level path.
• The function still returns SNI_ABSENT_ERROR (-402), so any
  caller-side error handling is unchanged.

Patch shape: 36-line unified diff, two parallel SendAlert call
edits (and short comment annotations).

Caveats and risks

• Pre-TLS-1.3: zero behavioural change. The legacy alert code
  path is preserved.
• API surface: no public API changes; both alert constants are
  already exported via wolfssl/ssl.h's enum AlertDescription.
• Async / threading: SNI verification runs on the SSL state
  machine, single-threaded per-WOLFSSL. No async crypto on this
  branch.
• Build-config guards: the existing #ifndef NO_WOLFSSL_SERVER
  block is unchanged. The fix activates only for builds that
  already include SNI support, which is gated on
  HAVE_SNI/--enable-sni (the issue's prerequisite).
• Interop: a TLS 1.3 client receiving a fatal
  missing_extension(109) will recognise it as a standard alert
  code per RFC 8446 §6. Any third-party client that hard-codes
  expectations of handshake_failure(40) for SNI-absence would
  break — but such hard-coding is non-conformant.

Tests to add

1. Included in this review — issue-10318-test.c drives an
   in-process TLS 1.3 client/server pair via custom IO callbacks,
   sets WOLFSSL_SNI_ABORT_ON_ABSENCE on the server, omits SNI on
   the client, and inspects the server's outgoing wire bytes for a
   plaintext alert record. Asserts description == 109 after the
   fix; would fail (description == 40) on master.
2. Suggested follow-up — a tests/api/test_tls13.c regression
   in the spirit of test_tls13_unknown_ext_rejected (added by PR
   Error out in case of unknown extensions in response message in TLS 1.3 #10186): drive the same scenario via test_memio and assert
   on both wolfSSL_get_error() (-402 SNI_ABSENT_ERROR) and the
   transmitted alert byte.
3. Suggested follow-up — a TLS 1.2 sibling that confirms the
   non-1.3 path still emits handshake_failure(40).

Files touched by the proposed patch

• src/tls.c — TLSX_SNI_VerifyParse(): two parallel
  SendAlert(... handshake_failure) calls become version-aware.

See issue-10318.patch alongside this file.

Appendix — end-to-end verification

issue-10318-test.c:

1. Initialises wolfSSL.
2. Builds a server WOLFSSL_CTX* with
   wolfTLSv1_3_server_method(), loads
   certs/server-cert.pem + certs/server-key.pem.
3. Builds a client WOLFSSL_CTX* with
   wolfTLSv1_3_client_method(), loads certs/ca-cert.pem for
   peer verification.
4. Configures the server: wolfSSL_CTX_UseSNI(WOLFSSL_SNI_HOST_NAME, "example.test", 12) registers the expected name, and
   wolfSSL_CTX_SNI_SetOptions(WOLFSSL_SNI_HOST_NAME, WOLFSSL_SNI_ABORT_ON_ABSENCE) requires the client to advertise
   SNI.
5. Wires up custom I/O callbacks against two in-memory pipes
   (s2c, c2s).
6. Drives the handshake by alternating wolfSSL_connect and
   wolfSSL_accept. The client deliberately does not call
   wolfSSL_UseSNI(), so its ClientHello carries no
   server_name extension.
7. The server reaches TLSX_SNI_VerifyParse() while parsing the
   ClientHello, finds the SNI absent, sends a fatal alert in
   plaintext (no record-layer keys derived yet), and returns
   SNI_ABSENT_ERROR.
8. The test scans the server's outgoing buffer for a 7-byte
   plaintext fatal alert pattern
   (0x15 0x03 0x03 0x00 0x02 0x02 ??) and prints the
   description byte.
9. PASS iff the description is 109 (missing_extension);
   FAIL iff it is 40 (handshake_failure) or no alert is
   present.

Observed results

Scenario	BEFORE (master)	AFTER (patched)
TLS 1.3 ClientHello without SNI to a server with WOLFSSL_SNI_ABORT_ON_ABSENCE	FAIL — alert description 40 (handshake_failure)	PASS — alert description 109 (missing_extension)

In both states the server returns SNI_ABSENT_ERROR(-402); the
distinction is purely in the alert byte the peer observes on the
wire.

Running the test harness

test.sh alongside this README automates the BEFORE/AFTER
verification. From this directory:

./test.sh

What it does, in order:

1. Resets src/tls.c via git checkout and asserts the patch
   marker is absent.
2. Runs ./configure --enable-tls13 --enable-sni.
3. Builds wolfSSL and the reproducer.
4. BEFORE: runs the reproducer; expects FAIL.
5. Applies issue-10318.patch, rebuilds.
6. AFTER: runs the reproducer; expects PASS.
7. Prints a colored summary.
8. On exit, restores the tree (trap).

Exit status: 0 only when BEFORE FAILs and AFTER PASSes.

---

issue-10318.patch — 36-line diff in src/tls.c (two parallel SendAlert call-site edits)

diff --git a/src/tls.c b/src/tls.c
index c60826121..4c13a055e 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -2595,7 +2595,16 @@ static int TLSX_SNI_VerifyParse(WOLFSSL* ssl,  byte isRequest)
                         continue;
                 }
 
-                SendAlert(ssl, alert_fatal, handshake_failure);
+                /* Issue #10318 / RFC 8446 Section 9.2: a TLS 1.3
+                 * server requiring SNI SHOULD respond to a
+                 * ClientHello lacking the server_name extension with
+                 * a missing_extension alert. Pre-1.3 connections
+                 * have no missing_extension code and continue to use
+                 * the historical handshake_failure. */
+                SendAlert(ssl, alert_fatal,
+                          IsAtLeastTLSv1_3(ssl->version)
+                              ? missing_extension
+                              : handshake_failure);
                 WOLFSSL_ERROR_VERBOSE(SNI_ABSENT_ERROR);
                 return SNI_ABSENT_ERROR;
             }
@@ -2606,7 +2615,12 @@ static int TLSX_SNI_VerifyParse(WOLFSSL* ssl,  byte isRequest)
                 if (ssl_sni->status != WOLFSSL_SNI_NO_MATCH)
                     continue;
 
-                SendAlert(ssl, alert_fatal, handshake_failure);
+                /* Issue #10318 / RFC 8446 Section 9.2: same rule on
+                 * the SSL-level overrides path. */
+                SendAlert(ssl, alert_fatal,
+                          IsAtLeastTLSv1_3(ssl->version)
+                              ? missing_extension
+                              : handshake_failure);
                 WOLFSSL_ERROR_VERBOSE(SNI_ABSENT_ERROR);
                 return SNI_ABSENT_ERROR;
             }

issue-10318-test.c — in-process TLS 1.3 reproducer with wire-byte inspection

/* issue-10318-test.c
 *
 * Reproducer for wolfSSL issue #10318:
 *   "[Bug]: SNI Missing Extension Alert Inconsistency"
 *
 * Drives a TLS 1.3 client / server pair entirely in-process via
 * custom I/O callbacks. The server is configured with
 * wolfSSL_CTX_UseSNI("expected") and
 * wolfSSL_CTX_SNI_SetOptions(WOLFSSL_SNI_ABORT_ON_ABSENCE), so it
 * requires the client to advertise server_name. The client is
 * intentionally not configured with SNI, so its ClientHello carries
 * no server_name extension.
 *
 * RFC 8446 Section 9.2 (TLS 1.3): a server requiring SNI SHOULD
 * respond to a ClientHello lacking the server_name extension with a
 * fatal missing_extension alert (description = 109). The server's
 * alert is sent in plaintext during ClientHello processing (no
 * record-layer keys derived yet), so it lands directly in the wire
 * buffer the test inspects.
 *
 * Behaviour:
 *   - BEFORE the patch (current master): server emits
 *       0x15 0x03 0x03 0x00 0x02 0x02 0x28
 *     i.e. fatal handshake_failure (40 = 0x28). Test prints FAIL
 *     and exits 1.
 *   - AFTER the patch: server emits
 *       0x15 0x03 0x03 0x00 0x02 0x02 0x6d
 *     i.e. fatal missing_extension (109 = 0x6d). Test prints PASS
 *     and exits 0.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
#include <wolfssl/error-ssl.h>

#define PIPE_SZ 32768

typedef struct {
    unsigned char buf[PIPE_SZ];
    int           rd;
    int           wr;
} pipe_t;

static pipe_t s2c;
static pipe_t c2s;

static int pipe_send(pipe_t* p, const char* buf, int sz)
{
    if (p->wr + sz > (int)sizeof(p->buf))
        return WOLFSSL_CBIO_ERR_WANT_WRITE;
    memcpy(p->buf + p->wr, buf, (size_t)sz);
    p->wr += sz;
    return sz;
}
static int pipe_recv(pipe_t* p, char* buf, int sz)
{
    int avail = p->wr - p->rd;
    int n;
    if (avail <= 0)
        return WOLFSSL_CBIO_ERR_WANT_READ;
    n = (avail < sz) ? avail : sz;
    memcpy(buf, p->buf + p->rd, (size_t)n);
    p->rd += n;
    return n;
}
static int srv_send_cb(WOLFSSL* s, char* b, int sz, void* c)
{ (void)s; (void)c; return pipe_send(&s2c, b, sz); }
static int srv_recv_cb(WOLFSSL* s, char* b, int sz, void* c)
{ (void)s; (void)c; return pipe_recv(&c2s, b, sz); }
static int cli_send_cb(WOLFSSL* s, char* b, int sz, void* c)
{ (void)s; (void)c; return pipe_send(&c2s, b, sz); }
static int cli_recv_cb(WOLFSSL* s, char* b, int sz, void* c)
{ (void)s; (void)c; return pipe_recv(&s2c, b, sz); }

static int is_want_io(int err)
{
    return err == WOLFSSL_ERROR_WANT_READ ||
           err == WOLFSSL_ERROR_WANT_WRITE;
}

/* Search the server's outgoing buffer for a fatal alert record and
 * return the alert description byte, or -1 if no plaintext alert is
 * present. The alert record framing is:
 *   0x15 0x03 0x03 0x00 0x02 LEVEL DESCRIPTION
 */
static int find_alert_desc(const unsigned char* buf, int len)
{
    int i;
    for (i = 0; i + 7 <= len; i++) {
        if (buf[i]   == 0x15 &&    /* type = alert */
            buf[i+1] == 0x03 &&    /* version = TLS 1.x */
            (buf[i+2] == 0x03 || buf[i+2] == 0x01) &&
            buf[i+3] == 0x00 &&    /* length high */
            buf[i+4] == 0x02 &&    /* length low = 2 */
            buf[i+5] == 0x02) {    /* level = fatal */
            return buf[i+6];
        }
    }
    return -1;
}

int main(int argc, char** argv)
{
    int          rc = 1;
    WOLFSSL_CTX* sctx = NULL;
    WOLFSSL_CTX* cctx = NULL;
    WOLFSSL*     sssl = NULL;
    WOLFSSL*     cssl = NULL;
    int          cli_done = 0, srv_done = 0;
    int          ret;
    int          err;
    int          alert_desc;
    int          i;

    (void)argc; (void)argv;

    wolfSSL_Init();

    sctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method());
    cctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method());
    if (sctx == NULL || cctx == NULL) {
        fprintf(stderr, "ctx alloc failed\n"); goto out;
    }

    if (wolfSSL_CTX_use_certificate_file(sctx,
            "certs/server-cert.pem", SSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) {
        fprintf(stderr, "server cert load failed\n"); goto out;
    }
    if (wolfSSL_CTX_use_PrivateKey_file(sctx,
            "certs/server-key.pem", SSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) {
        fprintf(stderr, "server key load failed\n"); goto out;
    }
    if (wolfSSL_CTX_load_verify_locations(cctx,
            "certs/ca-cert.pem", NULL) != WOLFSSL_SUCCESS) {
        fprintf(stderr, "CA load failed\n"); goto out;
    }

    /* Server requires SNI for hostname "example.test"; abort if
     * client does not present it. */
    if (wolfSSL_CTX_UseSNI(sctx, WOLFSSL_SNI_HOST_NAME,
            "example.test", 12) != WOLFSSL_SUCCESS) {
        fprintf(stderr, "UseSNI failed\n"); goto out;
    }
    wolfSSL_CTX_SNI_SetOptions(sctx, WOLFSSL_SNI_HOST_NAME,
            WOLFSSL_SNI_ABORT_ON_ABSENCE);

    wolfSSL_CTX_SetIOSend(sctx, srv_send_cb);
    wolfSSL_CTX_SetIORecv(sctx, srv_recv_cb);
    wolfSSL_CTX_SetIOSend(cctx, cli_send_cb);
    wolfSSL_CTX_SetIORecv(cctx, cli_recv_cb);

    sssl = wolfSSL_new(sctx);
    cssl = wolfSSL_new(cctx);
    if (sssl == NULL || cssl == NULL) {
        fprintf(stderr, "ssl alloc failed\n"); goto out;
    }

    /* Client deliberately does NOT call wolfSSL_UseSNI(), so its
     * ClientHello has no server_name extension. */

    /* Drive handshake. We expect the server to abort during
     * ClientHello processing with a fatal alert. */
    for (i = 0; i < 32 && !(cli_done && srv_done); i++) {
        if (!cli_done) {
            ret = wolfSSL_connect(cssl);
            if (ret == WOLFSSL_SUCCESS) cli_done = 1;
            else {
                err = wolfSSL_get_error(cssl, ret);
                if (!is_want_io(err)) {
                    /* Client sees server's alert as a peer-side
                     * close — that's fine; we are interested in
                     * what the server sent on the wire. */
                    cli_done = 1;
                }
            }
        }
        if (!srv_done) {
            ret = wolfSSL_accept(sssl);
            if (ret == WOLFSSL_SUCCESS) srv_done = 1;
            else {
                err = wolfSSL_get_error(sssl, ret);
                if (!is_want_io(err)) {
                    /* Expected: server returned SNI_ABSENT_ERROR. */
                    srv_done = 1;
                }
            }
        }
    }

    /* Inspect what the server sent back to the client. */
    alert_desc = find_alert_desc(s2c.buf, s2c.wr);
    printf("server alert description = %d (0x%02x)\n",
           alert_desc, alert_desc & 0xFF);
    printf("server returned err = %d (%s)\n",
           wolfSSL_get_error(sssl, -1),
           (wolfSSL_get_error(sssl, -1) ==
            WC_NO_ERR_TRACE(SNI_ABSENT_ERROR)) ?
                "SNI_ABSENT_ERROR" : "other");

    if (alert_desc == 109) {
        printf("PASS  fatal missing_extension(109) sent "
               "(RFC 8446 9.2 obeyed)\n");
        rc = 0;
    }
    else if (alert_desc == 40) {
        printf("FAIL  fatal handshake_failure(40) sent; "
               "RFC 8446 9.2 SHOULD specifies missing_extension(109).\n");
        rc = 1;
    }
    else if (alert_desc < 0) {
        printf("FAIL  no fatal alert seen on the wire\n");
        rc = 1;
    }
    else {
        printf("FAIL  unexpected alert description %d\n", alert_desc);
        rc = 1;
    }

out:
    if (cssl != NULL) wolfSSL_free(cssl);
    if (sssl != NULL) wolfSSL_free(sssl);
    if (cctx != NULL) wolfSSL_CTX_free(cctx);
    if (sctx != NULL) wolfSSL_CTX_free(sctx);
    wolfSSL_Cleanup();
    return rc;
}

test.sh — BEFORE/AFTER harness

#!/bin/bash
# End-to-end BEFORE/AFTER runner for wolfSSL issue #10318
# ("SNI Missing Extension Alert Inconsistency").

set -u

ISSUE_N="10318"
SOURCE_FILE_RELATIVE="src/tls.c"
CFG_FLAGS="--enable-tls13 --enable-sni"
PATCH_MARKER="Issue #10318"

HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO="$(cd "$HERE/../.." && pwd)"
cd "$REPO"

TEST_BIN="$HERE/issue-${ISSUE_N}-test"
TEST_SRC="$HERE/issue-${ISSUE_N}-test.c"
PATCH="$HERE/issue-${ISSUE_N}.patch"
LIB_DIR="$REPO/src/.libs"
CFG_LOG="/tmp/wolfssl-cfg-${ISSUE_N}.log"
BLD_LOG="/tmp/wolfssl-build-${ISSUE_N}.log"

red()   { printf '\033[31m%s\033[0m' "$*"; }
green() { printf '\033[32m%s\033[0m' "$*"; }
bold()  { printf '\033[1m%s\033[0m'  "$*"; }
section() { echo; echo "==================== $* ===================="; }

PATCH_PREEXISTING=0
if grep -q "$PATCH_MARKER" "$REPO/$SOURCE_FILE_RELATIVE" 2>/dev/null; then
    PATCH_PREEXISTING=1
fi

restore_tree() {
    echo
    echo "Restoring tree to pre-script state..."
    git -C "$REPO" checkout -- "$SOURCE_FILE_RELATIVE"
    if [ "$PATCH_PREEXISTING" = "1" ]; then
        git -C "$REPO" apply "$PATCH" || echo "  WARN: could not re-apply patch"
        make -C "$REPO" -j"$(nproc)" >"$BLD_LOG" 2>&1 || true
    else
        make -C "$REPO" -j"$(nproc)" >"$BLD_LOG" 2>&1 || true
    fi
}
trap restore_tree EXIT

section "Reset $SOURCE_FILE_RELATIVE to clean state"
git -C "$REPO" checkout -- "$SOURCE_FILE_RELATIVE"
if grep -q "$PATCH_MARKER" "$REPO/$SOURCE_FILE_RELATIVE"; then
    echo "ERROR: patch markers present after checkout"
    exit 1
fi

section "Configure wolfSSL ($CFG_FLAGS)"
./configure $CFG_FLAGS >"$CFG_LOG" 2>&1 || {
    echo "configure failed; tail of $CFG_LOG:"
    tail -30 "$CFG_LOG"
    exit 1
}

section "Build wolfSSL (unpatched)"
make -j"$(nproc)" >"$BLD_LOG" 2>&1 || {
    echo "build failed; tail of $BLD_LOG:"
    tail -40 "$BLD_LOG"
    exit 1
}

section "Build reproducer"
gcc -Wall -Wextra -I"$REPO" -L"$LIB_DIR" \
    "$TEST_SRC" -lwolfssl -lm -o "$TEST_BIN" || {
    echo "reproducer compile failed"
    exit 1
}

run_repro() {
    local label="$1"
    echo; echo "  --- $label ---"
    LD_LIBRARY_PATH="$LIB_DIR" "$TEST_BIN" 2>&1
    local rc=$?
    echo "  reproducer exit = $rc"
    return $rc
}

section "BEFORE (unpatched / buggy) — expected: FAIL"
run_repro "TLS 1.3 ClientHello without SNI to SNI-required server"
RC_BEF=$?

section "Apply issue-${ISSUE_N}.patch and rebuild"
git -C "$REPO" apply "$PATCH" || {
    echo "git apply failed"
    exit 1
}
echo "  patch markers in $SOURCE_FILE_RELATIVE: $(grep -c "$PATCH_MARKER" "$REPO/$SOURCE_FILE_RELATIVE")"
make -j"$(nproc)" >"$BLD_LOG" 2>&1 || {
    echo "patched build failed; tail of $BLD_LOG:"
    tail -40 "$BLD_LOG"
    exit 1
}

section "AFTER (patched) — expected: PASS"
run_repro "TLS 1.3 ClientHello without SNI to SNI-required server"
RC_AFT=$?

section "Summary"
fmt_expected_fail() { [ "$1" != "0" ] && green "FAIL (expected — bug present)" || red "PASS (UNEXPECTED — bug not reproduced)"; }
fmt_expected_pass() { [ "$1"  = "0" ] && green "PASS (expected — fix in place)"  || red "FAIL (UNEXPECTED — fix did not hold)"; }

printf "  BEFORE  SNI absence : "; fmt_expected_fail "$RC_BEF"; echo
printf "  AFTER   SNI absence : "; fmt_expected_pass "$RC_AFT"; echo

OK=1
[ "$RC_BEF" = "0" ] && OK=0
[ "$RC_AFT" = "0" ] || OK=0

if [ "$OK" = "1" ]; then
    echo; bold "Overall: all outcomes as expected."; echo
    exit 0
else
    echo; bold "Overall: at least one outcome was UNEXPECTED."; echo
    exit 1
fi

Happy to turn this into a PR if useful.

[jackctj117]

PR is up for this bug fix: #10332