Silently ignore X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT. This flag is backwards. We want to check the common name less, not more. See if anything was actually relying on this. Update-Note: X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT is now ignored. Change-Id: I8288d57540f8117059e58d72cc173aa4d3077fb6 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35646 Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index ca86ef4..93bb582 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -1805,9 +1805,8 @@
 EXPECT_EQ(X509_V_OK,
 verify_cert(without_sans.get(), 0 /* no flags */,
 "foo.host1.test"));
- // X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT causes the common name to always be
- // checked.
- EXPECT_EQ(X509_V_OK,
+ // X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT is ignored.
+ EXPECT_EQ(X509_V_ERR_HOSTNAME_MISMATCH,
 verify_cert(with_sans.get(), X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT,
 "foo.host1.test"));
 EXPECT_EQ(X509_V_OK,
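Review bot: The new expectation pins only the with_sans case; the claim in the comment that X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT is ignored is never exercised for a certificate without SANs, where the common name is the only name available and the flag should be equally inert. Add the mirror assertion right after the new lines, `EXPECT_EQ(X509_V_OK, verify_cert(without_sans.get(), X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, "foo.host1.test"));`, so a later change that gives the now-zero flag a meaning again is caught in both directions. The enclosing TEST body starts and ends outside the hunk.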
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index b38f49f..ebda63a 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -1003,7 +1003,7 @@
 GENERAL_NAMES_free(gens);
 if (rv != 0)
 return rv;
- if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))
+ if (san_present)
 return 0;
 }
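Review bot: The bare `if (san_present) return 0;` now carries the whole policy that the subject common name is a fallback used only when the certificate has no subjectAltName, but nothing at the site says so; the removed condition at least named the flag that used to relax it. Add a one-line comment above it, `/* SANs were present and none matched: the subject CN is never consulted as a fallback. */`, so the next reader does not reintroduce a CN check here. The enclosing function starts and ends outside the hunk, so whether `flags` still has other uses in it cannot be confirmed from this view.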
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 77af8c3..b5db715 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -703,8 +703,8 @@ OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
 /* Flags for X509_check_* functions */
-/* Always check subject name for host match even if subject alt names present */
-#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0x1
+/* Deprecated: this flag does nothing */
+#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0
 /* Disable wildcard matching for dnsName fields and common name. */
 #define X509_CHECK_FLAG_NO_WILDCARDS 0x2
 /* Wildcards must not match a partial label. */
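Review bot: Redefining the flag to 0 makes `flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` constant-false and keeps callers that OR it into a flags word compiling, but the replacement comment does not tell those callers what behaviour they now get instead. Spell it out: `/* Deprecated: this flag does nothing. The subject common name is only consulted when the certificate has no subjectAltName extension; see crypto/x509v3/v3_utl.c. */`. One side effect worth a line in the Update-Note: a caller that tested `flags == X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` rather than masking would now match an all-zero flags word, since the value is no longer distinct from "no flags".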