diff options
| author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-03-08 15:20:02 -0500 |
|---|---|---|
| committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-03-09 20:41:28 -0500 |
| commit | dd60efea955e41a6f0926f93ec1503c6f83c4e58 (patch) | |
| tree | 1068aa7ab94a6acca182698c0bfdca10ecf84286 | |
| parent | 29f082603a14bd8d6816a71a17f7c76adca7817d (diff) | |
Add X509_CHECK_FLAG_NEVER_CHECK_SUBJECT flag
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
| -rw-r--r-- | crypto/x509v3/v3_utl.c | 6 | ||||
| -rw-r--r-- | doc/crypto/X509_check_host.pod | 8 | ||||
| -rw-r--r-- | include/openssl/x509v3.h | 2 |
3 files changed, 12 insertions, 4 deletions
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c index 66b5711aff..a220b27ab9 100644 --- a/crypto/x509v3/v3_utl.c +++ b/crypto/x509v3/v3_utl.c @@ -978,14 +978,12 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, GENERAL_NAMES_free(gens); if (rv != 0) return rv; - if (cnid == NID_undef - || (san_present - && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))) + if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)) return 0; } /* We're done if CN-ID is not pertinent */ - if (cnid == NID_undef) + if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT)) return 0; i = -1; diff --git a/doc/crypto/X509_check_host.pod b/doc/crypto/X509_check_host.pod index 23447f41f2..d35ade8cb9 100644 --- a/doc/crypto/X509_check_host.pod +++ b/doc/crypto/X509_check_host.pod @@ -70,6 +70,8 @@ flags: =item B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT>, +=item B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT>, + =item B<X509_CHECK_FLAG_NO_WILDCARDS>, =item B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS>, @@ -86,6 +88,12 @@ one subject alternative name of the right type (DNS name or email address as appropriate); the default is to ignore the subject DN when at least one corresponding subject alternative names is present. +The B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> flag causes the function to never +consider the subject DN even if the certificate contains no subject alternative +names of the right type (DNS name or email address as appropriate); the default +is to use the subject DN when no corresponding subject alternative names are +present. + If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard expansion; this only applies to B<X509_check_host>. diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h index fa2120840a..b0f1545f85 100644 --- a/include/openssl/x509v3.h +++ b/include/openssl/x509v3.h @@ -737,6 +737,8 @@ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x); # define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8 /* Constraint verifier subdomain patterns to match a single labels. */ # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10 +/* Never check the subject CN */ +# define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20 /* * Match reference identifiers starting with "." to any sub-domain. * This is a non-public flag, turned on implicitly when the subject |