Silently ignore X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT.

This flag is backwards. We want to check the common name less, not more. See if
anything was actually relying on this.

Update-Note: X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT is now ignored.
Change-Id: I8288d57540f8117059e58d72cc173aa4d3077fb6
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35646
Reviewed-by: Adam Langley <agl@google.com>

crypto/x509/x509_test.cc

@@ -1805,9 +1805,8 @@ TEST(X509Test, CommonNameFallback) {
   EXPECT_EQ(X509_V_OK, verify_cert(without_sans.get(), 0 /* no flags */,
                                    "foo.host1.test"));
 
-  // X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT causes the common name to always be
-  // checked.
-  EXPECT_EQ(X509_V_OK,
+  // X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT is ignored.
+  EXPECT_EQ(X509_V_ERR_HOSTNAME_MISMATCH,
             verify_cert(with_sans.get(), X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT,
                         "foo.host1.test"));
   EXPECT_EQ(X509_V_OK,

crypto/x509v3/v3_utl.c

@@ -1003,7 +1003,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
         GENERAL_NAMES_free(gens);
         if (rv != 0)
             return rv;
-        if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))
+        if (san_present)
             return 0;
     }
 

include/openssl/x509v3.h

@@ -703,8 +703,8 @@ OPENSSL_EXPORT void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
 OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
 /* Flags for X509_check_* functions */
 
-/* Always check subject name for host match even if subject alt names present */
-#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT	0x1
+/* Deprecated: this flag does nothing */
+#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT	0
 /* Disable wildcard matching for dnsName fields and common name. */
 #define X509_CHECK_FLAG_NO_WILDCARDS	0x2
 /* Wildcards must not match a partial label. */