Fixes from review

embhorn · embhorn · commit ad59622c8410 · 2026-05-05T15:41:14.000-05:00
diff --git a/tests/api/test_ossl_x509.c b/tests/api/test_ossl_x509.c
@@ -1663,7 +1663,8 @@ int test_wolfssl_local_IsValidFQDN(void) {
                         test_cases[i].is_FQDN);
         if (! EXPECT_SUCCESS()) {
             fprintf(stderr, "wolfssl_local_IsValidFQDN() wrong result for "
-                    "case %d \"%s\"\n", i, test_cases[i].str);
+                    "case %d \"%s\"\n", i,
+                    test_cases[i].str ? test_cases[i].str : "(null)");
             break;
         }
     }
@@ -1710,12 +1711,12 @@ int test_wolfssl_local_IsValidFQDN(void) {
 /* Verify that MatchDomainName() refuses to expand wildcards across IDNA
  * A-labels (xn-- prefix) per RFC 6125 sec. 6.4.3 / RFC 9525 sec. 6.3.
  *
- * MatchDomainName() is WOLFSSL_LOCAL but visible to the test binary because
- * tests link against the in-tree library. */
+ * MatchDomainName() is exposed for testing via the visibility mechanism
+ * declared in wolfssl/internal.h. */
 int test_wolfSSL_MatchDomainName_idn(void)
 {
     EXPECT_DECLS;
-#if !defined(NO_CERTS)
+#if !defined(NO_ASN) && !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS)
     static const struct {
         const char* pattern;
         const char* host;
@@ -1791,7 +1792,7 @@ int test_wolfSSL_MatchDomainName_idn(void)
             break;
         }
     }
-#endif /* !NO_CERTS */
+#endif /* !NO_ASN && !WOLFCRYPT_ONLY && !NO_CERTS */
     return EXPECT_RESULT();
 }
 
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -18076,7 +18076,11 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
 #endif /* IGNORE_NAME_CONSTRAINTS */
 
 #if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS)
-/* Returns 1 if name is a syntactically valid DNS FQDN per RFC 952/1123.
+/* Returns 1 if name is a syntactically valid DNS FQDN.
+ *
+ * Based on RFC 952/1123 DNS label rules, with the pragmatic extension that
+ * underscores are permitted in non-TLD labels (common in SRV/internal names
+ * despite RFC 952/1123 not allowing them).
  *
  * Rules enforced:
  *   - Total effective length (excluding optional trailing dot) in [1, 253]

Original file line number	Diff line number	Diff line change
`@@ -1663,7 +1663,8 @@ int test_wolfssl_local_IsValidFQDN(void) {`
`1663`	`1663`	`test_cases[i].is_FQDN);`
`1664`	`1664`	`if (! EXPECT_SUCCESS()) {`
`1665`	`1665`	`fprintf(stderr, "wolfssl_local_IsValidFQDN() wrong result for "`
`1666`		`- "case %d \"%s\"\n", i, test_cases[i].str);`
	`1666`	`+ "case %d \"%s\"\n", i,`
	`1667`	`+ test_cases[i].str ? test_cases[i].str : "(null)");`
`1667`	`1668`	`break;`
`1668`	`1669`	`}`
`1669`	`1670`	`}`
`@@ -1710,12 +1711,12 @@ int test_wolfssl_local_IsValidFQDN(void) {`
`1710`	`1711`	`/* Verify that MatchDomainName() refuses to expand wildcards across IDNA`
`1711`	`1712`	`* A-labels (xn-- prefix) per RFC 6125 sec. 6.4.3 / RFC 9525 sec. 6.3.`
`1712`	`1713`	`*`
`1713`		`- * MatchDomainName() is WOLFSSL_LOCAL but visible to the test binary because`
`1714`		`- * tests link against the in-tree library. */`
	`1714`	`+ * MatchDomainName() is exposed for testing via the visibility mechanism`
	`1715`	`+ * declared in wolfssl/internal.h. */`
`1715`	`1716`	`int test_wolfSSL_MatchDomainName_idn(void)`
`1716`	`1717`	`{`
`1717`	`1718`	`EXPECT_DECLS;`
`1718`		`-#if !defined(NO_CERTS)`
	`1719`	`+#if !defined(NO_ASN) && !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS)`
`1719`	`1720`	`static const struct {`
`1720`	`1721`	`const char* pattern;`
`1721`	`1722`	`const char* host;`
`@@ -1791,7 +1792,7 @@ int test_wolfSSL_MatchDomainName_idn(void)`
`1791`	`1792`	`break;`
`1792`	`1793`	`}`
`1793`	`1794`	`}`
`1794`		`-#endif /* !NO_CERTS */`
	`1795`	`+#endif /* !NO_ASN && !WOLFCRYPT_ONLY && !NO_CERTS */`
`1795`	`1796`	`return EXPECT_RESULT();`
`1796`	`1797`	`}`
`1797`	`1798`