generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add X509_CHECK_FLAG_NEVER_CHECK_SUBJECT flag

Browse Source 
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
This commit is contained in:
Viktor Dukhovni 2016-03-08 15:20:02 -05:00
parent 29f082603a
commit dd60efea95
3 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
crypto/x509v3/v3_utl.c
View File

@ -978,14 +978,12 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
GENERAL_NAMES_free(gens); GENERAL_NAMES_free(gens);
if (rv != 0) if (rv != 0)
return rv; return rv;
if (cnid == NID_undef if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))
|| (san_present
&& !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
return 0; return 0;
} }
/* We're done if CN-ID is not pertinent */ /* We're done if CN-ID is not pertinent */
if (cnid == NID_undef) if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT))
return 0; return 0;
i = -1; i = -1;

8
doc/crypto/X509_check_host.pod
View File

@ -70,6 +70,8 @@ flags:
=item B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT>, =item B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT>,
=item B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT>,
=item B<X509_CHECK_FLAG_NO_WILDCARDS>, =item B<X509_CHECK_FLAG_NO_WILDCARDS>,
=item B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS>, =item B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS>,
@ -86,6 +88,12 @@ one subject alternative name of the right type (DNS name or email
address as appropriate); the default is to ignore the subject DN address as appropriate); the default is to ignore the subject DN
when at least one corresponding subject alternative names is present. when at least one corresponding subject alternative names is present.
The B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> flag causes the function to never
consider the subject DN even if the certificate contains no subject alternative
names of the right type (DNS name or email address as appropriate); the default
is to use the subject DN when no corresponding subject alternative names are
present.
If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard
expansion; this only applies to B<X509_check_host>. expansion; this only applies to B<X509_check_host>.

2
include/openssl/x509v3.h
View File

@ -737,6 +737,8 @@ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
# define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8 # define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
/* Constraint verifier subdomain patterns to match a single labels. */ /* Constraint verifier subdomain patterns to match a single labels. */
# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10 # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
/* Never check the subject CN */
# define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
/* /*
* Match reference identifiers starting with "." to any sub-domain. * Match reference identifiers starting with "." to any sub-domain.
* This is a non-public flag, turned on implicitly when the subject * This is a non-public flag, turned on implicitly when the subject