tls.c: send missing_extension alert on TLS 1.3 SNI absence

[jackctj117]

This pull request updates the alert handling logic in the TLSX_SNI_VerifyParse function to improve compliance with TLS 1.3 requirements. Specifically, it changes the type of alert sent when the SNI (Server Name Indication) extension is absent or does not match, sending a missing_extension alert for TLS 1.3 and above, while maintaining the previous behavior for earlier versions.

Alert handling improvements for TLS 1.3:

• Updated TLSX_SNI_VerifyParse in src/tls.c to send a missing_extension alert instead of handshake_failure when the SNI extension is missing or has no match, but only for TLS 1.3 and above. For earlier versions, the function still sends handshake_failure. [1] [2]

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR adjusts TLS alert behavior in TLSX_SNI_VerifyParse to better align with TLS 1.3 expectations by sending a different fatal alert when SNI is missing or doesn’t match.

Changes:

• For TLS 1.3+, send missing_extension instead of handshake_failure when SNI is absent.
• For TLS 1.3+, also send missing_extension instead of handshake_failure when SNI has NO_MATCH.
• Preserve handshake_failure behavior for pre–TLS 1.3.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

MemBrowse Memory Report

No memory changes detected for:

• gcc-arm-cortex-m4
• gcc-arm-cortex-m4-baremetal
• gcc-arm-cortex-m4-min-ecc
• gcc-arm-cortex-m4-tls12

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #10332

Scan targets checked: wolfssl-bugs, wolfssl-src

No new issues found in the changed files. ✅

[ColtonWilley]

Jenkins retest this please.

[dgarske]

Jenkins retest this please. PRB-fsanitize-addr-v3 -> FAIL: scripts/resume.test
The triage shows this was a timeout