From: Viktor Dukhovni <openssl-users@dukhovni.org>
Date: Tue, 8 Mar 2016 20:20:02 +0000 (-0500)
Subject: Add X509_CHECK_FLAG_NEVER_CHECK_SUBJECT flag
X-Git-Tag: OpenSSL_1_1_0-pre4~103
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=dd60efea955e41a6f0926f93ec1503c6f83c4e58;p=oweals%2Fopenssl.git

Add X509_CHECK_FLAG_NEVER_CHECK_SUBJECT flag

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
---

diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index 66b5711aff..a220b27ab9 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -978,14 +978,12 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
         GENERAL_NAMES_free(gens);
         if (rv != 0)
             return rv;
-        if (cnid == NID_undef
-            || (san_present
-                && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
+        if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))
             return 0;
     }
 
     /* We're done if CN-ID is not pertinent */
-    if (cnid == NID_undef)
+    if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT))
         return 0;
 
     i = -1;
diff --git a/doc/crypto/X509_check_host.pod b/doc/crypto/X509_check_host.pod
index 23447f41f2..d35ade8cb9 100644
--- a/doc/crypto/X509_check_host.pod
+++ b/doc/crypto/X509_check_host.pod
@@ -70,6 +70,8 @@ flags:
 
 =item B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT>,
 
+=item B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT>,
+
 =item B<X509_CHECK_FLAG_NO_WILDCARDS>,
 
 =item B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS>,
@@ -86,6 +88,12 @@ one subject alternative name of the right type (DNS name or email
 address as appropriate); the default is to ignore the subject DN
 when at least one corresponding subject alternative names is present.
 
+The B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> flag causes the function to never
+consider the subject DN even if the certificate contains no subject alternative
+names of the right type (DNS name or email address as appropriate); the default
+is to use the subject DN when no corresponding subject alternative names are
+present.
+
 If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard
 expansion; this only applies to B<X509_check_host>.
 
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index fa2120840a..b0f1545f85 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -737,6 +737,8 @@ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
 # define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
 /* Constraint verifier subdomain patterns to match a single labels. */
 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
+/* Never check the subject CN */
+# define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT    0x20
 /*
  * Match reference identifiers starting with "." to any sub-domain.
  * This is a non-public flag, turned on implicitly when the subject