src/ssl.c: in wolfSSL_check_domain_name(), call wolfssl_local_IsValidFQDN() to validate the argument, with allowance for "localhost".

douzzer · douzzer · commit b6de2d3cbc3e · 2026-05-06T18:29:27.000-05:00
scripts/crl-revoked.test: improve "Workaround to not pollute the certs folder" (don't copy whole source tree, and don't copy file contents).
diff --git a/scripts/crl-revoked.test b/scripts/crl-revoked.test
@@ -29,11 +29,6 @@ elif [ "${AM_BWRAPPED-}" != "yes" ]; then
     unset AM_BWRAPPED
 fi
 
-# Workaround to not pollute the certs folder with our files that can impact other tests
-RUNNING_DIR=$(mktemp -d)
-cp -rp . $RUNNING_DIR/.
-cd $RUNNING_DIR
-
 revocation_code="-361"
 revocation_code_openssl="23"
 exit_code=1
@@ -49,13 +44,9 @@ server_pid=$no_pid
 # also let's add some randomness by adding pid in case multiple 'make check's
 # per source tree
 ready_file=`pwd`/wolfssl_crl_ready$$
-CERT_DIR=certs
 
 remove_ready_file() {
-    if test -e "$ready_file"; then
-        echo -e "removing existing ready file"
-        rm "$ready_file"
-    fi
+    rm -f "$ready_file"
 }
 
 # trap this function so if user aborts with ^C or other kill signal we still
@@ -84,10 +75,20 @@ trap abort_trap INT TERM
 # instead use "exit <some value>" and this function will run automatically
 restore_file_system() {
     remove_ready_file
-    cd / && rm -rf "$RUNNING_DIR"
+    if [ -n "$TMP_DIR" ]; then
+        rm -rf "$TMP_DIR"
+    fi
 }
 trap restore_file_system EXIT
 
+# Workaround to not pollute the certs folder with our files that can impact other tests
+TMP_DIR=$(mktemp -d) || exit $?
+SRC_DIR="$PWD"
+pushd "$TMP_DIR" || exit $?
+cp -r --symbolic-link "${SRC_DIR}/certs" . || exit $?
+popd || exit $?
+CERT_DIR="${TMP_DIR}/certs"
+
 run_test() {
     echo -e "\nStarting example server for crl test...\n"
 
@@ -121,7 +122,7 @@ run_test() {
     crl_port="$(cat "$ready_file")"
 
     # starts client on crl_port and captures the output from client
-    capture_out=$(./examples/client/client -p $crl_port 2>&1)
+    capture_out=$(cd "${CERT_DIR}/.." && "${SRC_DIR}/examples/client/client" -p $crl_port 2>&1)
     client_result=$?
 
     wait $server_pid
@@ -187,7 +188,7 @@ run_hashdir_test() {
   crl_port="$(cat "$ready_file")"
 
   # starts client on crl_port and captures the output from client
-  capture_out=$(./examples/client/client -p $crl_port -9 2>&1)
+  capture_out=$(cd "${CERT_DIR}/.." && "${SRC_DIR}/examples/client/client" -p $crl_port -9 2>&1)
   client_result=$?
 
   wait $server_pid
diff --git a/src/ssl.c b/src/ssl.c
@@ -7718,13 +7718,24 @@ int wolfSSL_Cleanup(void)
 WOLFSSL_ABI
 int wolfSSL_check_domain_name(WOLFSSL* ssl, const char* dn)
 {
+    size_t dn_len;
+
     WOLFSSL_ENTER("wolfSSL_check_domain_name");
 
     if (ssl == NULL || dn == NULL) {
         WOLFSSL_MSG("Bad function argument: NULL");
         return WOLFSSL_FAILURE;
     }
 
+    dn_len = XSTRLEN(dn);
+
+    if ((! wolfssl_local_IsValidFQDN(dn, (word32)dn_len)) &&
+        (strcmp(dn, "localhost") != 0))
+    {
+        WOLFSSL_MSG("Bad function argument: fails wolfssl_local_IsValidFQDN");
+        return WOLFSSL_FAILURE;
+    }
+
     if (ssl->buffers.domainName.buffer)
         XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN);
 
