[openssl-commits] [openssl] master update
Viktor Dukhovni
viktor at openssl.org
Thu Mar 10 01:42:12 UTC 2016
The branch master has been updated
via dd60efea955e41a6f0926f93ec1503c6f83c4e58 (commit)
from 29f082603a14bd8d6816a71a17f7c76adca7817d (commit)
- Log -----------------------------------------------------------------
commit dd60efea955e41a6f0926f93ec1503c6f83c4e58
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date: Tue Mar 8 15:20:02 2016 -0500
Add X509_CHECK_FLAG_NEVER_CHECK_SUBJECT flag
Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/x509v3/v3_utl.c | 6 ++----
doc/crypto/X509_check_host.pod | 8 ++++++++
include/openssl/x509v3.h | 2 ++
3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index 66b5711..a220b27 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -978,14 +978,12 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
GENERAL_NAMES_free(gens);
if (rv != 0)
return rv;
- if (cnid == NID_undef
- || (san_present
- && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
+ if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))
return 0;
}
/* We're done if CN-ID is not pertinent */
- if (cnid == NID_undef)
+ if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT))
return 0;
i = -1;
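Review bot: The comment `/* We're done if CN-ID is not pertinent */` above the changed condition still describes only the `cnid == NID_undef` case, while the new test also returns 0 when the caller set X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; suggest `/* We're done if CN-ID is not pertinent or the caller opted out of subject checks */`. It is also worth a one-line comment that this flag wins over X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT: with both set and a SAN of the right type present, the first check falls through and the second returns 0, so the subject DN is never consulted. The block closed by the `}` after the first check, and do_x509_check itself, begin outside the hunk, so the code path reaching these checks is only partly visible here.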
diff --git a/doc/crypto/X509_check_host.pod b/doc/crypto/X509_check_host.pod
index 23447f4..d35ade8 100644
--- a/doc/crypto/X509_check_host.pod
+++ b/doc/crypto/X509_check_host.pod
@@ -70,6 +70,8 @@ flags:
=item B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT>,
+=item B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT>,
+
=item B<X509_CHECK_FLAG_NO_WILDCARDS>,
=item B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS>,
@@ -86,6 +88,12 @@ one subject alternative name of the right type (DNS name or email
address as appropriate); the default is to ignore the subject DN
when at least one corresponding subject alternative names is present.
+The B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> flag causes the function to never
+consider the subject DN even if the certificate contains no subject alternative
+names of the right type (DNS name or email address as appropriate); the default
+is to use the subject DN when no corresponding subject alternative names are
+present.
+
If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard
expansion; this only applies to B<X509_check_host>.
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index fa21208..b0f1545 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -737,6 +737,8 @@ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
# define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
/* Constraint verifier subdomain patterns to match a single labels. */
# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
+/* Never check the subject CN */
+# define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
/*
* Match reference identifiers starting with "." to any sub-domain.
* This is a non-public flag, turned on implicitly when the subject
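Review bot: The comment `/* Never check the subject CN */` on the new define does not say how the flag interacts with X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, and a caller reading only the header cannot tell which one wins when both are set; the v3_utl.c hunk checks the NEVER flag after the ALWAYS one, so NEVER takes precedence. Suggest `/* Never check the subject CN, even if X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT is also set */`. The same gap exists in the new paragraph of doc/crypto/X509_check_host.pod, which describes the flag in isolation.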