stricter NULL checks

sebastian-carpenter · sebastian-carpenter · commit ed64d8d46d1a · 2026-04-08T10:46:41.000-06:00
diff --git a/src/internal.c b/src/internal.c
@@ -16858,10 +16858,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                         ssl->echConfigs != NULL &&
                         !ssl->options.echAccepted) {
                     TLSX* echX = TLSX_Find(ssl->extensions, TLSX_ECH);
-                    if (echX != NULL) {
+                    if (echX != NULL && echX->data != NULL) {
                         WOLFSSL_ECH* ech = (WOLFSSL_ECH*)echX->data;
-                        domainName = ech->echConfig ?
-                            ech->echConfig->publicName : NULL;
+                        if (ech->echConfig != NULL &&
+                                ech->echConfig->publicName != NULL) {
+                            domainName = ech->echConfig->publicName;
+                        }
                     }
                 }
             #endif
diff --git a/src/tls.c b/src/tls.c
@@ -13771,12 +13771,12 @@ static int TLSX_ECH_CheckInnerPadding(WOLFSSL* ssl, WOLFSSL_ECH* ech)
     byte acc = 0;
     word32 i;
 
-    (void)ssl;
-
 #ifdef WOLFSSL_DTLS13
     headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ :
                                    HANDSHAKE_HEADER_SZ;
 #else
+    (void)ssl;
+
     headerSz = HANDSHAKE_HEADER_SZ;
 #endif
 
diff --git a/tests/api.c b/tests/api.c
@@ -15132,6 +15132,10 @@ static int test_wolfSSL_Tls13_ECH_rejected_empty_client_cert(void)
         "ech-private.com", (word16)XSTRLEN("ech-private.com")),
         WOLFSSL_SUCCESS);
 
+    wolfSSL_set_verify(test_ctx.s_ssl,
+            WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+    wolfSSL_set_verify(test_ctx.c_ssl, WOLFSSL_VERIFY_PEER, NULL);
+
     /* Disable ECH on the server so ECH is rejected */
     wolfSSL_SetEchEnable(test_ctx.s_ssl, 0);
 
