From d09b5ee1f1fb545583bd1f90549ef9a36a8dae3c Mon Sep 17 00:00:00 2001
From: Kareem <kareem@wolfssl.com>
Date: Fri, 26 Dec 2025 12:02:35 -0700
Subject: [PATCH] Add duplicate entry error to distinguish cases where a
 duplicate CRL is rejected.

---
 src/crl.c           | 2 +-
 src/internal.c      | 3 +++
 src/ssl_certman.c   | 1 +
 tests/api.c         | 2 +-
 wolfssl/error-ssl.h | 1 +
 5 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/crl.c b/src/crl.c
index 9056bd1c6ce..4e1c4bc50b9 100644
--- a/src/crl.c
+++ b/src/crl.c
@@ -707,7 +707,7 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,
                 WOLFSSL_MSG("Same or newer CRL entry already exists");
                 CRL_Entry_free(crle, crl->heap);
                 wc_UnLockRwLock(&crl->crlLock);
-                return BAD_FUNC_ARG;
+                return DUPE_ENTRY_E;
             }
             else if (ret < 0) {
                 WOLFSSL_MSG("Error comparing CRL Numbers");
diff --git a/src/internal.c b/src/internal.c
index 841e49fc8f0..eaab27cd5d4 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -26748,6 +26748,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
     case PSK_KEY_ERROR:
         return "psk key callback error";
 
+    case DUPE_ENTRY_E:
+        return "duplicate entry error";
+
     case GETTIME_ERROR:
         return "gettimeofday() error";
 
diff --git a/src/ssl_certman.c b/src/ssl_certman.c
index 1fa5d0b490c..47f460a2e18 100644
--- a/src/ssl_certman.c
+++ b/src/ssl_certman.c
@@ -1795,6 +1795,7 @@ int wolfSSL_CertManagerDisableCRL(WOLFSSL_CERT_MANAGER* cm)
  *                     WOLFSSL_FILETYPE_ASN1, WOLFSSL_FILETYPE_PEM.
  * @return  WOLFSSL_SUCCESS on success.
  * @return  BAD_FUNC_ARG when cm or buff is NULL or sz is negative or zero.
+ * @return  DUPE_ENTRY_E if the same or a newer CRL already exists in the cm.
  * @return  WOLFSSL_FATAL_ERROR when creating CRL object fails.
  */
 int wolfSSL_CertManagerLoadCRLBuffer(WOLFSSL_CERT_MANAGER* cm,
diff --git a/tests/api.c b/tests/api.c
index 10631d5e9bc..530c0d0d6c6 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -34759,7 +34759,7 @@ static int error_test(void)
         { -124, -124 },
         { -167, -169 },
         { -300, -300 },
-        { -334, -336 },
+        { -335, -336 },
         { -346, -349 },
         { -356, -356 },
         { -358, -358 },
diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h
index 654ec63af52..9a4f4a257a4 100644
--- a/wolfssl/error-ssl.h
+++ b/wolfssl/error-ssl.h
@@ -82,6 +82,7 @@ enum wolfSSL_ErrorCodes {
     CLIENT_ID_ERROR              = -331,   /* psk client identity error  */
     SERVER_HINT_ERROR            = -332,   /* psk server hint error  */
     PSK_KEY_ERROR                = -333,   /* psk key error  */
+    DUPE_ENTRY_E                 = -334,   /* duplicate entry error */
 
     GETTIME_ERROR                = -337,   /* gettimeofday failed ??? */
     GETITIMER_ERROR              = -338,   /* getitimer failed ??? */