Silently ignore X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT.

This flag is backwards. We want to check the common name less, not more. See if
anything was actually relying on this.

Update-Note: X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT is now ignored.
Change-Id: I8288d57540f8117059e58d72cc173aa4d3077fb6
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35646
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index ca86ef4..93bb582 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -1805,9 +1805,8 @@
   EXPECT_EQ(X509_V_OK, verify_cert(without_sans.get(), 0 /* no flags */,
                                    "foo.host1.test"));
 
-  // X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT causes the common name to always be
-  // checked.
-  EXPECT_EQ(X509_V_OK,
+  // X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT is ignored.
+  EXPECT_EQ(X509_V_ERR_HOSTNAME_MISMATCH,
             verify_cert(with_sans.get(), X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT,
                         "foo.host1.test"));
   EXPECT_EQ(X509_V_OK,
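Review bot: The new comment `// X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT is ignored.` does not say why a mismatch is the expected result, which is the security-relevant part of this assertion. A wording such as `// X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT is ignored: with SANs present the common name is never consulted, so a name matching only the CN is rejected.` keeps the intent visible; this presumes with_sans carries foo.host1.test only in its common name, as the fixture is outside the hunk. If not already covered elsewhere, it would also help to assert that the flagged call returns the same result as the same call with `0 /* no flags */`. The enclosing test body starts and ends outside the hunk.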
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index b38f49f..ebda63a 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -1003,7 +1003,7 @@
         GENERAL_NAMES_free(gens);
         if (rv != 0)
             return rv;
-        if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))
+        if (san_present)
             return 0;
     }
 
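Review bot: The early return at `if (san_present)` is now the only thing that keeps the common name from being consulted, and it carries no comment saying so. I would add `/* If a subjectAltName was present, never fall back to the common name, regardless of flags. */` directly above it. How san_present is set lies outside the hunk. If it is set only for entries of the type being checked rather than for any SAN, a certificate whose SANs are all of another type would still reach the CN fallback, so the comment should state which behaviour is intended. The enclosing function begins and ends outside the hunk.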
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 77af8c3..b5db715 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -703,8 +703,8 @@
 OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
 /* Flags for X509_check_* functions */
 
-/* Always check subject name for host match even if subject alt names present */
-#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT	0x1
+/* Deprecated: this flag does nothing */
+#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT	0
 /* Disable wildcard matching for dnsName fields and common name. */
 #define X509_CHECK_FLAG_NO_WILDCARDS	0x2
 /* Wildcards must not match a partial label. */
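Review bot: Redefining the macro as `0` leaves bit 0x1 undocumented. Code built against the old header, or bindings that hard-code the value, will still pass 0x1, and a future flag assigned to that bit would silently change their behaviour. The comment should reserve it, e.g. `/* Deprecated: this flag does nothing. Its former value 0x1 is reserved and must not be reused. */`. It is also worth stating there that the common name is no longer checked when subject alternative names are present, since callers that set the flag will now get X509_V_ERR_HOSTNAME_MISMATCH where they previously got X509_V_OK.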