src/ssl.c: in wolfSSL_check_domain_name(), call wolfssl_local_IsValidFQDN() to validate the argument, with allowance for "localhost".

scripts/crl-revoked.test: improve "Workaround to not pollute the certs folder" (don't copy whole source tree, and don't copy file contents).
This commit is contained in:
Daniel Pouzzner
2026-05-06 18:29:27 -05:00
parent 980fc51ea7
commit b6de2d3cbc
2 changed files with 25 additions and 13 deletions
+14 -13
View File
@@ -29,11 +29,6 @@ elif [ "${AM_BWRAPPED-}" != "yes" ]; then
unset AM_BWRAPPED
fi
# Workaround to not pollute the certs folder with our files that can impact other tests
RUNNING_DIR=$(mktemp -d)
cp -rp . $RUNNING_DIR/.
cd $RUNNING_DIR
revocation_code="-361"
revocation_code_openssl="23"
exit_code=1
@@ -49,13 +44,9 @@ server_pid=$no_pid
# also let's add some randomness by adding pid in case multiple 'make check's
# per source tree
ready_file=`pwd`/wolfssl_crl_ready$$
CERT_DIR=certs
remove_ready_file() {
if test -e "$ready_file"; then
echo -e "removing existing ready file"
rm "$ready_file"
fi
rm -f "$ready_file"
}
# trap this function so if user aborts with ^C or other kill signal we still
@@ -84,10 +75,20 @@ trap abort_trap INT TERM
# instead use "exit <some value>" and this function will run automatically
restore_file_system() {
remove_ready_file
cd / && rm -rf "$RUNNING_DIR"
if [ -n "$TMP_DIR" ]; then
rm -rf "$TMP_DIR"
fi
}
trap restore_file_system EXIT
# Workaround to not pollute the certs folder with our files that can impact other tests
TMP_DIR=$(mktemp -d) || exit $?
SRC_DIR="$PWD"
pushd "$TMP_DIR" || exit $?
cp -r --symbolic-link "${SRC_DIR}/certs" . || exit $?
popd || exit $?
CERT_DIR="${TMP_DIR}/certs"
run_test() {
echo -e "\nStarting example server for crl test...\n"
@@ -121,7 +122,7 @@ run_test() {
crl_port="$(cat "$ready_file")"
# starts client on crl_port and captures the output from client
capture_out=$(./examples/client/client -p $crl_port 2>&1)
capture_out=$(cd "${CERT_DIR}/.." && "${SRC_DIR}/examples/client/client" -p $crl_port 2>&1)
client_result=$?
wait $server_pid
@@ -187,7 +188,7 @@ run_hashdir_test() {
crl_port="$(cat "$ready_file")"
# starts client on crl_port and captures the output from client
capture_out=$(./examples/client/client -p $crl_port -9 2>&1)
capture_out=$(cd "${CERT_DIR}/.." && "${SRC_DIR}/examples/client/client" -p $crl_port -9 2>&1)
client_result=$?
wait $server_pid
+11
View File
@@ -7718,6 +7718,8 @@ int wolfSSL_Cleanup(void)
WOLFSSL_ABI
int wolfSSL_check_domain_name(WOLFSSL* ssl, const char* dn)
{
size_t dn_len;
WOLFSSL_ENTER("wolfSSL_check_domain_name");
if (ssl == NULL || dn == NULL) {
@@ -7725,6 +7727,15 @@ int wolfSSL_check_domain_name(WOLFSSL* ssl, const char* dn)
return WOLFSSL_FAILURE;
}
dn_len = XSTRLEN(dn);
if ((! wolfssl_local_IsValidFQDN(dn, (word32)dn_len)) &&
(strcmp(dn, "localhost") != 0))
{
WOLFSSL_MSG("Bad function argument: fails wolfssl_local_IsValidFQDN");
return WOLFSSL_FAILURE;
}
if (ssl->buffers.domainName.buffer)
XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN);