From 9b50708741f8c1f5c134b3d3d0c74a53fcb1146f Mon Sep 17 00:00:00 2001
From: David Garske
Date: Thu, 19 Jun 2025 11:52:48 -0700
Subject: [PATCH 1/3] Fix to expose API to access "store" error code and error depth for cert failure callback (from set_verify). Useful for C# wrapper or clients that cannot directly dereference X509_STORE. Fixes for building with WOLFSSL_EXTRA and `WOLFSSL_NO_CA_NAMES` (and added new tests). Added example in CSharp TLS client for overriding a begin date error (useful if date is not set).
---
 .github/workflows/os-check.yml | 9 ++-
 src/internal.c | 4 +-
 src/ssl.c | 6 +-
 src/x509_str.c | 58 ++++++++++---------
 tests/api.c | 7 ++-
 wolfssl/internal.h | 10 +++-
 wolfssl/ssl.h | 12 +++-
 wolfssl/test.h | 22 ++++---
 .../wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs | 21 +++++--
 9 files changed, 93 insertions(+), 56 deletions(-)
diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml
index 9cb948101..30556d02a 100644
--- a/.github/workflows/os-check.yml
+++ b/.github/workflows/os-check.yml
@@ -41,16 +41,21 @@ jobs:
 '--enable-dtls --enable-dtls13 --enable-dtls-frag-ch --enable-dtls-mtu',
 '--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation
- --enable-psk --enable-aesccm --enable-nullcipher CPPFLAGS=-DWOLFSSL_STATIC_RSA',
+ --enable-psk --enable-aesccm --enable-nullcipher
+ CPPFLAGS=-DWOLFSSL_STATIC_RSA',
 '--enable-ascon --enable-experimental',
 '--enable-ascon CPPFLAGS=-DWOLFSSL_ASCON_UNROLL --enable-experimental',
 '--enable-all CPPFLAGS=''-DNO_AES_192 -DNO_AES_256'' ',
- '--enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys CFLAGS=-DWOLFSSL_DH_EXTRA',
+ '--enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys
+ CPPFLAGS=-DWOLFSSL_DH_EXTRA',
 '--enable-dtls --enable-dtls13 --enable-dtls-frag-ch --enable-dtls-mtu CPPFLAGS=-DWOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS',
 '--enable-opensslall --enable-opensslextra CPPFLAGS=-DWC_RNG_SEED_CB',
 '--enable-opensslall --enable-opensslextra CPPFLAGS=''-DWC_RNG_SEED_CB -DWOLFSSL_NO_GETPID'' ',
+ '--enable-opensslextra CPPFLAGS=''-DWOLFSSL_NO_CA_NAMES'' ',
+ '--enable-opensslextra=x509small',
+ 'CPPFLAGS=''-DWOLFSSL_EXTRA'' '
 ]
 name: make check
 if: github.repository_owner == 'wolfssl'
diff --git a/src/internal.c b/src/internal.c
index 0edd4f226..bd9ba2dba 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -2905,7 +2905,7 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
 defined(WOLFSSL_WPAS_SMALL)
 wolfSSL_X509_STORE_free(ctx->x509_store_pt);
 #endif
- #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
+ #ifndef WOLFSSL_NO_CA_NAMES
 wolfSSL_sk_X509_NAME_pop_free(ctx->client_ca_names, NULL);
 ctx->client_ca_names = NULL;
 #endif
@@ -8784,7 +8784,7 @@ void wolfSSL_ResourceFree(WOLFSSL* ssl)
 wolfSSL_sk_X509_pop_free(ssl->ourCertChain, NULL);
 #endif
 #endif
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
+#ifndef WOLFSSL_NO_CA_NAMES
 wolfSSL_sk_X509_NAME_pop_free(ssl->client_ca_names, NULL);
 ssl->client_ca_names = NULL;
 #endif
diff --git a/src/ssl.c b/src/ssl.c
index 16acfda1c..b9a224ebb 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -12163,7 +12163,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 #endif /* !NO_BIO */
 #endif /* OPENSSL_EXTRA */
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
+#ifndef WOLFSSL_NO_CA_NAMES
 void wolfSSL_CTX_set_client_CA_list(WOLFSSL_CTX* ctx, WOLF_STACK_OF(WOLFSSL_X509_NAME)* names)
 {
@@ -12184,7 +12184,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 ssl->client_ca_names = names;
 }
 }
+#endif
+#if defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
 #ifdef OPENSSL_EXTRA
 /* registers client cert callback, called during handshake if server requests client auth but user has not loaded client cert/key */
@@ -12399,7 +12401,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 }
 #endif /* OPENSSL_EXTRA */
-#endif /* OPENSSL_EXTRA || WOLFSSL_EXTRA || HAVE_WEBSERVER */
+#endif /* OPENSSL_EXTRA || HAVE_LIGHTY */
 #ifndef WOLFSSL_NO_CA_NAMES
 WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_CTX_get_client_CA_list(
diff --git a/src/x509_str.c b/src/x509_str.c
index 9fec690b3..2c054c114 100644
--- a/src/x509_str.c
+++ b/src/x509_str.c
@@ -577,33 +577,15 @@ exit:
 #endif /* OPENSSL_EXTRA */
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
- WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert(
- WOLFSSL_X509_STORE_CTX* ctx)
- {
- WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_current_cert");
- if (ctx)
- return ctx->current_cert;
- return NULL;
- }
-
- int wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx)
- {
- WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error");
- if (ctx != NULL)
- return ctx->error;
- return 0;
- }
-
- int wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx)
- {
- WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error_depth");
- if(ctx)
- return ctx->error_depth;
- return WOLFSSL_FATAL_ERROR;
- }
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert(
+ WOLFSSL_X509_STORE_CTX* ctx)
+{
+ WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_current_cert");
+ if (ctx)
+ return ctx->current_cert;
+ return NULL;
+}
 /* get X509_STORE_CTX ex_data, max idx is MAX_EX_DATA */
 void* wolfSSL_X509_STORE_CTX_get_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx)
@@ -619,7 +601,27 @@ void* wolfSSL_X509_STORE_CTX_get_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx)
 #endif
 return NULL;
 }
-#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
+
+
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+ defined(WOLFSSL_EXTRA)
+ int wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx)
+ {
+ WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error");
+ if (ctx != NULL)
+ return ctx->error;
+ return 0;
+ }
+
+ int wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx)
+ {
+ WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error_depth");
+ if (ctx)
+ return ctx->error_depth;
+ return WOLFSSL_FATAL_ERROR;
+ }
+#endif
 #ifdef OPENSSL_EXTRA
 void wolfSSL_X509_STORE_CTX_set_verify_cb(WOLFSSL_X509_STORE_CTX *ctx,
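Review bot: The two accessors moved in the second hunk disagree on what a NULL ctx means — `wolfSSL_X509_STORE_CTX_get_error` returns 0, which every caller reads as "no verification error", while `wolfSSL_X509_STORE_CTX_get_error_depth` returns WOLFSSL_FATAL_ERROR. Since this pair is being exported precisely for callers that cannot inspect the store themselves (the C# wrapper), a NULL handle reading as success is a fail-open signal; if the 0 must stay for compatibility, it should at least be stated next to the definition, e.g. `/* NULL ctx yields 0, which is indistinguishable from "no error"; callers must check the handle first */`. Separately, the first hunk swaps the `WOLFSSL_WPAS_SMALL` guard on get_current_cert for `OPENSSL_EXTRA_X509_SMALL`; unless the library's configuration headers derive the latter from the former (not visible here), a WPAS_SMALL-only build loses that symbol.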
diff --git a/tests/api.c b/tests/api.c
index 8cadb6af8..5e2e94791 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -28110,7 +28110,8 @@ static int test_wolfSSL_CTX_set_client_CA_list(void)
 static int test_wolfSSL_CTX_add_client_CA(void)
 {
 EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_CERTS) && \
+#if !defined(WOLFSSL_NO_CA_NAMES) && defined(OPENSSL_EXTRA) && \
+ !defined(NO_RSA) && !defined(NO_CERTS) && \
 !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT)
 WOLFSSL_CTX* ctx = NULL;
 WOLFSSL_X509* x509 = NULL;
@@ -38569,7 +38570,7 @@ static int test_wolfSSL_cert_cb_dyn_ciphers(void)
 static int test_wolfSSL_ciphersuite_auth(void)
 {
 EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
+#if defined(OPENSSL_EXTRA)
 WOLFSSL_CIPHERSUITE_INFO info;
 (void)info;
@@ -38659,7 +38660,7 @@ static int test_wolfSSL_ciphersuite_auth(void)
 static int test_wolfSSL_sigalg_info(void)
 {
 EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
+#if defined(OPENSSL_EXTRA)
 byte hashSigAlgo[WOLFSSL_MAX_SIGALGO];
 word16 len = 0;
 word16 idx = 0;
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index b834f12df..2ffa47ad9 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1086,13 +1086,17 @@
 #undef WSSL_HARDEN_TLS
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
-#define SSL_CA_NAMES(ssl) ((ssl)->client_ca_names != NULL ? (ssl)->client_ca_names : \
+#if !defined(WOLFSSL_NO_CA_NAMES) && \
+ (defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY))
+ #define SSL_CA_NAMES(ssl) ((ssl)->client_ca_names != NULL ? \
+ (ssl)->client_ca_names : \
 (ssl)->ctx->client_ca_names)
 #else
-#define WOLFSSL_NO_CA_NAMES
+ #undef WOLFSSL_NO_CA_NAMES
+ #define WOLFSSL_NO_CA_NAMES
 #endif
+
 /* actual cipher values, 2nd byte */
 enum {
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x16,
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 820651151..4c13411c1 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
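Review bot: Nothing in these api.c hunks exercises the newly exported `wolfSSL_X509_STORE_CTX_get_error` / `wolfSSL_X509_STORE_CTX_get_error_depth` pair under the `OPENSSL_EXTRA_X509_SMALL` and `WOLFSSL_EXTRA` configurations the CI change enables; the hunks only narrow guards on existing tests. A minimal test under the same guard as the src/x509_str.c definition would pin the NULL-handle contract that wrapper authors will rely on: `ExpectIntEQ(wolfSSL_X509_STORE_CTX_get_error(NULL), 0);` and `ExpectIntEQ(wolfSSL_X509_STORE_CTX_get_error_depth(NULL), WOLFSSL_FATAL_ERROR);`. The `test_wolfSSL_ciphersuite_auth` and `test_wolfSSL_sigalg_info` hunks drop WOLFSSL_EXTRA from their guards; if the APIs they cover are still built under WOLFSSL_EXTRA alone, that coverage is lost rather than fixed, so the reason for the narrowing deserves a one-line comment in each.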
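Review bot: `WOLFSSL_NO_CA_NAMES` is derived in the wolfssl/internal.h hunk, a private header, yet the wolfssl/ssl.h hunks of this same commit use `#ifndef WOLFSSL_NO_CA_NAMES` to guard the public `wolfSSL_CTX_get_client_CA_list` / `wolfSSL_get_client_CA_list` prototypes, and src/ssl.c guards the definitions with the same macro. An application that includes only ssl.h in a build without OPENSSL_EXTRA therefore still sees the prototypes while the library compiled the bodies out, which turns what should be a compile-time error into a link-time one; unless a public configuration header also derives the macro (not visible here), the derivation belongs where ssl.h can see it. The `#undef` before the `#define` also means the macro now has two roles, user option and derived flag, which is worth stating: `/* user-settable; also forced on when client CA names are not built */`.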
@@ -1841,6 +1841,12 @@ WOLFSSL_API const char* wolfSSL_ERR_func_error_string(unsigned long e);
 WOLFSSL_API const char* wolfSSL_ERR_lib_error_string(unsigned long e);
 /* -------- EXTRAS BEGIN -------- */
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+ defined(WOLFSSL_EXTRA)
+WOLFSSL_API int wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx);
+WOLFSSL_API int wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx);
+#endif
+
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 WOLFSSL_API void wolfSSL_ERR_print_errors(WOLFSSL_BIO *bio);
@@ -2144,9 +2150,6 @@ WOLFSSL_API int wolfSSL_num_locks(void);
 WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert(
 WOLFSSL_X509_STORE_CTX* ctx);
-WOLFSSL_API int wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx);
-WOLFSSL_API int wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx);
-
 WOLFSSL_API void wolfSSL_X509_STORE_CTX_set_verify_cb(WOLFSSL_X509_STORE_CTX *ctx,
 WOLFSSL_X509_STORE_CTX_verify_cb verify_cb);
 WOLFSSL_API void wolfSSL_X509_STORE_set_verify_cb(WOLFSSL_X509_STORE *st,
@@ -2407,6 +2410,8 @@ WOLFSSL_API void wolfSSL_ASN1_TIME_free(WOLFSSL_ASN1_TIME* t);
 #endif
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_load_client_CA_file(const char* fname);
+
+#ifndef WOLFSSL_NO_CA_NAMES
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_CTX_get_client_CA_list(
 const WOLFSSL_CTX *ctx);
 /* deprecated function name */
@@ -2418,6 +2423,7 @@ WOLFSSL_API void wolfSSL_set_client_CA_list(WOLFSSL* ssl,
 WOLF_STACK_OF(WOLFSSL_X509_NAME)*);
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_get_client_CA_list(
 const WOLFSSL* ssl);
+#endif /* !WOLFSSL_NO_CA_NAMES */
 typedef int (*client_cert_cb)(WOLFSSL *ssl, WOLFSSL_X509 **x509,
 WOLFSSL_EVP_PKEY **pkey);
diff --git a/wolfssl/test.h b/wolfssl/test.h
index 70765c4db..7dd83fef0 100644
--- a/wolfssl/test.h
+++ b/wolfssl/test.h
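Review bot: The prototypes for `wolfSSL_X509_STORE_CTX_get_error` and `wolfSSL_X509_STORE_CTX_get_error_depth` in the first hunk are now the public contract for callers that cannot dereference WOLFSSL_X509_STORE_CTX, but they carry no documentation and the return convention is not obvious from the names. From src/x509_str.c, get_error yields the store's error field (a negative code such as the -150 the C# example compares against) and 0 for a NULL ctx, while get_error_depth yields WOLFSSL_FATAL_ERROR for NULL. A short block comment above the `#if` saying that these are meant for use inside a verify callback, what each returns on success, and what each returns for a NULL ctx would let wrapper authors use them without reading the implementation.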
@@ -2467,14 +2467,14 @@ static THREAD_LS_T int myVerifyAction = VERIFY_OVERRIDE_ERROR;
 static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
 {
 char err_buffer[WOLFSSL_MAX_ERROR_SZ];
+ int err;
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 WOLFSSL_X509* peer;
-#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) && \
- !defined(OPENSSL_EXTRA_X509_SMALL)
+#endif
+#if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
 WOLFSSL_BIO* bio = NULL;
 WOLFSSL_STACK* sk = NULL;
 X509* x509 = NULL;
-#endif
 #endif
 /* Verify Callback Arguments:
@@ -2492,10 +2492,17 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
 will be discarded (only with SESSION_CERTS)
 */
- fprintf(stderr, "In verification callback, error = %d, %s\n", store->error,
- wolfSSL_ERR_error_string((unsigned long) store->error, err_buffer));
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+ defined(WOLFSSL_EXTRA)
+ err = wolfSSL_X509_STORE_CTX_get_error(store);
+#else
+ err = store->error;
+#endif
+
+ fprintf(stderr, "In verification callback, error = %d, %s\n", err,
+ wolfSSL_ERR_error_string((unsigned long) err, err_buffer));
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- peer = store->current_cert;
+ peer = wolfSSL_X509_STORE_CTX_get_current_cert(store);
 if (peer) {
 char* issuer = wolfSSL_X509_NAME_oneline(
 wolfSSL_X509_get_issuer_name(peer), 0, 0);
@@ -2515,8 +2522,7 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
 XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL);
 XFREE(issuer, 0, DYNAMIC_TYPE_OPENSSL);
-#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) && \
- !defined(OPENSSL_EXTRA_X509_SMALL)
+#if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
 /* avoid printing duplicate certs */
 if (store->depth == 1) {
 int i;
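Review bot: The `#else` branch of the new `err` selection in the second hunk still reads `store->error` directly, so this example callback stays tied to the WOLFSSL_X509_STORE_CTX layout in builds without the accessor, and a reader may later "fix" it into a call that does not exist in that configuration; a comment would prevent that, e.g. `/* accessor is only built with OPENSSL_EXTRA, OPENSSL_EXTRA_X509_SMALL or WOLFSSL_EXTRA; read the field directly otherwise */`. The `store->depth == 1` test in the third hunk is likewise a direct dereference, so the callback is only partly accessor-based after this change. myVerify continues beyond the last hunk, and its remaining field accesses are not visible here.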
diff --git a/wrapper/CSharp/wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs b/wrapper/CSharp/wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs
index d327b6534..007ef778f 100644
--- a/wrapper/CSharp/wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs
+++ b/wrapper/CSharp/wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs
@@ -54,9 +54,20 @@ public class wolfSSL_TLS_Client
 /// Certificate in WOLFSSL_X509_STORE_CTX format
 private static int myVerify(int preverify, IntPtr x509_ctx)
 {
- /* Use the provided verification */
+ int verify = preverify;
+
+ /* example for overriding an error code */
+ /* X509_STORE_CTX_get_error API can be enabled with
+ * OPENSSL_EXTRA_X509_SMALL or WOLFSSL_EXTRA */
+ int error = wolfssl.X509_STORE_CTX_get_error(x509_ctx);
+ const int ASN_BEFORE_DATE_E = -150; /* ASN date error, current date before */
+
+ if (error == ASN_BEFORE_DATE_E) {
+ verify = 1; /* override error */
+ }
+
 /* Can optionally override failures by returning non-zero value */
- return preverify;
+ return verify;
 }
 ///
@@ -90,7 +101,7 @@ public class wolfSSL_TLS_Client
 if (caCert == "" || dhparam.Length == 0)
 {
 Console.WriteLine("Platform not supported.");
- return;
+ return;
 }
 StringBuilder buff = new StringBuilder(1024);
@@ -133,14 +144,14 @@ public class wolfSSL_TLS_Client
 }
 int sniArg = haveSNI(args);
- if (sniArg >= 0)
+ if (sniArg >= 0)
 {
 string sniHostNameString = args[sniArg].Trim();
 sniHostName = Marshal.StringToHGlobalAnsi(sniHostNameString);
 ushort size = (ushort)sniHostNameString.Length;
- if (wolfssl.CTX_UseSNI(ctx, (byte)wolfssl.WOLFSSL_SNI_HOST_NAME, sniHostName, size) != wolfssl.SUCCESS)
+ if (wolfssl.CTX_UseSNI(ctx, (byte)wolfssl.WOLFSSL_SNI_HOST_NAME, sniHostName, size) != wolfssl.SUCCESS)
 {
 Console.WriteLine("UseSNI failed");
 wolfssl.CTX_free(ctx);
From 4c6279c6c75ffca872362294652c8d7008d8a9a3 Mon Sep 17 00:00:00 2001
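Review bot: The override in `myVerify` turns every ASN_BEFORE_DATE_E into a successful verification unconditionally, so a certificate whose validity period has not yet started is accepted whether or not the device clock is actually unset; the commit message gives the unset-clock case as the motivation, but neither the code nor its comments do. Because this file is the sample that wrapper users copy, the precondition and the consequence should be spelled out next to the check, e.g. `/* Only appropriate where the system clock is known to be unset (no RTC); otherwise this accepts not-yet-valid certificates and weakens validation */`, and gating the override on an explicit application setting rather than applying it always would keep the default path strict. Also, `wolfssl.X509_STORE_CTX_get_error` binds to a native export that exists only when the library was built with OPENSSL_EXTRA, OPENSSL_EXTRA_X509_SMALL or WOLFSSL_EXTRA (per the ssl.h hunk), so against a library built without them the P/Invoke fails at call time from inside the verify callback, which the example does not handle or mention beyond the comment.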
From: David Garske
Date: Fri, 20 Jun 2025 09:41:35 -0700
Subject: [PATCH 2/3] Good feedback about adding wolfCrypt error codes to .cs layer. Partially added useful ones.
---
 .../wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs | 4 +-
 wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs | 28 +++++++++++++++----
 2 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/wrapper/CSharp/wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs b/wrapper/CSharp/wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs
index 007ef778f..496ce0c12 100644
--- a/wrapper/CSharp/wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs
+++ b/wrapper/CSharp/wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs
@@ -60,9 +60,7 @@ public class wolfSSL_TLS_Client
 /* X509_STORE_CTX_get_error API can be enabled with
 * OPENSSL_EXTRA_X509_SMALL or WOLFSSL_EXTRA */
 int error = wolfssl.X509_STORE_CTX_get_error(x509_ctx);
- const int ASN_BEFORE_DATE_E = -150; /* ASN date error, current date before */
-
- if (error == ASN_BEFORE_DATE_E) {
+ if (error == wolfcrypt.ASN_BEFORE_DATE_E) {
 verify = 1; /* override error */
 }
diff --git a/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs b/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs
index 8951fcb73..168b1e969 100644
--- a/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs
+++ b/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs
@@ -566,11 +566,29 @@ namespace wolfSSL.CSharp
 public static readonly int AES_BLOCK_SIZE = 16;
 /* Error codes */
- public static readonly int SUCCESS = 0;
- public static readonly int SIG_VERIFY_E = -229; /* wolfcrypt signature verify error */
- public static readonly int MEMORY_E = -125; /* Out of memory error */
- public static readonly int EXCEPTION_E = -1;
- public static readonly int BUFFER_E = -131; /* RSA buffer error, output too small/large */
+ public static readonly int SUCCESS = 0;
+ public static readonly int EXCEPTION_E = -1;
+ public static readonly int MEMORY_E = -125; /* Out of memory error */
+ public static readonly int BUFFER_E = -131; /* RSA buffer error, output too small/large */
+ public static readonly int ASN_PARSE_E = -140; /* ASN parsing error, invalid input */
+ public static readonly int ASN_VERSION_E = -141; /* ASN version error, invalid number */
+ public static readonly int ASN_GETINT_E = -142; /* ASN get big int error, invalid data */
+ public static readonly int ASN_RSA_KEY_E = -143; /* ASN key init error, invalid input */
+ public static readonly int ASN_OBJECT_ID_E = -144; /* ASN object id error, invalid id */
+ public static readonly int ASN_TAG_NULL_E = -145; /* ASN tag error, not null */
+ public static readonly int ASN_EXPECT_0_E = -146; /* ASN expect error, not zero */
+ public static readonly int ASN_BITSTR_E = -147; /* ASN bit string error, wrong id */
+ public static readonly int ASN_UNKNOWN_OID_E = -148; /* ASN oid error, unknown sum id */
+ public static readonly int ASN_DATE_SZ_E = -149; /* ASN date error, bad size */
+ public static readonly int ASN_BEFORE_DATE_E = -150; /* ASN date error, current date before */
+ public static readonly int ASN_AFTER_DATE_E = -151; /* ASN date error, current date after */
+ public static readonly int ASN_SIG_OID_E = -152; /* ASN signature error, mismatched oid */
+ public static readonly int ASN_TIME_E = -153; /* ASN time error, unknown time type */
+ public static readonly int
ASN_INPUT_E = -154; /* ASN input error, not enough data */
+ public static readonly int ASN_SIG_CONFIRM_E = -155; /* ASN sig error, confirm failure */
+ public static readonly int ASN_SIG_HASH_E = -156; /* ASN sig error, unsupported hash type */
+ public static readonly int ASN_SIG_KEY_E = -157; /* ASN sig error, unsupported key type */
+ public static readonly int SIG_VERIFY_E = -229; /* wolfcrypt signature verify error */
 /***********************************************************************
From b98cf8882b417d844e2a0b4c03df64fdbbbb943b Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 20 Jun 2025 11:23:53 -0700
Subject: [PATCH 3/3] Remove `HAVE_LIGHTY` from the client_ca_names feature.
---
 src/ssl.c | 7 ++-----
 wolfssl/internal.h | 4 ++--
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index b9a224ebb..c18a5407a 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -12186,8 +12186,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 }
 #endif
-#if defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
- #ifdef OPENSSL_EXTRA
+#ifdef OPENSSL_EXTRA
 /* registers client cert callback, called during handshake if server requests client auth but user has not loaded client cert/key */
 void wolfSSL_CTX_set_client_cert_cb(WOLFSSL_CTX *ctx, client_cert_cb cb)
@@ -12399,9 +12398,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 }
 return ret;
 }
- #endif /* OPENSSL_EXTRA */
-
-#endif /* OPENSSL_EXTRA || HAVE_LIGHTY */
+#endif /* OPENSSL_EXTRA */
 #ifndef WOLFSSL_NO_CA_NAMES
 WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_CTX_get_client_CA_list(
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 2ffa47ad9..ca9d4620b 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
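Review bot: The error-code table in wolfCrypt.cs is a hand-copied mirror of the native library's error constants, and nothing ties the two together, so a renumbering or addition on the C side leaves `ASN_BEFORE_DATE_E` and its neighbours silently comparing against the wrong value in the client's verify override without any compile-time signal. A header comment naming the source and the expectation would at least make the coupling visible, e.g. `/* Mirrors the wolfCrypt error-code header; must match the native library this wrapper is loaded against */`. The table also mixes `EXCEPTION_E = -1`, which is a wrapper-local value, into the same list as the native codes; a comment marking it as wrapper-defined would avoid a reader looking for it on the C side.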
@@ -1086,8 +1086,8 @@ #undef WSSL_HARDEN_TLS -#if !defined(WOLFSSL_NO_CA_NAMES) && \ - (defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)) +/* Client CA Names feature */ +#if !defined(WOLFSSL_NO_CA_NAMES) && defined(OPENSSL_EXTRA) #define SSL_CA_NAMES(ssl) ((ssl)->client_ca_names != NULL ? \ (ssl)->client_ca_names : \ (ssl)->ctx->client_ca_names)