From 6d666491ce582dd5d8d1d42bf4387c4d670527e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tniessen@tnie.de>
Date: Mon, 17 Jan 2022 15:48:51 +0000
Subject: [PATCH] crypto: remove checkIP options argument

None of the supported options have any effect on X509_check_ip_asc.

Refs: https://github.com/openssl/openssl/pull/17536

PR-URL: https://github.com/nodejs/node/pull/41571
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
---
 doc/api/crypto.md           | 17 ++++++++++-------
 lib/internal/crypto/x509.js |  5 +++++
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index 4d9493ac5dee5c..e51148d85a7321 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -2542,24 +2542,26 @@ does not contain any DNS names. This behavior is consistent with [RFC 2818][]
 If the `'subject'` option is set to `'never'`, the certificate subject is never
 considered, even if the certificate contains no subject alternative names.
 
-### `x509.checkIP(ip[, options])`
+### `x509.checkIP(ip)`
 
 <!-- YAML
 added: v15.6.0
+changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/41571
+    description: The `options` argument has been removed since it had no effect.
 -->
 
 * `ip` {string}
-* `options` {Object}
-  * `subject` {string} `'always'` or `'never'`. **Default:** `'always'`.
-  * `wildcards` {boolean} **Default:** `true`.
-  * `partialWildcards` {boolean} **Default:** `true`.
-  * `multiLabelWildcards` {boolean} **Default:** `false`.
-  * `singleLabelSubdomains` {boolean} **Default:** `false`.
 * Returns: {string|undefined} Returns `ip` if the certificate matches,
   `undefined` if it does not.
 
 Checks whether the certificate matches the given IP address (IPv4 or IPv6).
 
+Only [RFC 5280][] `iPAddress` subject alternative names are considered, and they
+must match the given `ip` address exactly. Other subject alternative names as
+well as the subject field of the certificate are ignored.
+
 ### `x509.checkIssued(otherCert)`
 
 <!-- YAML
@@ -5976,6 +5978,7 @@ See the [list of SSL OP Flags][] for details.
 [RFC 4055]: https://www.rfc-editor.org/rfc/rfc4055.txt
 [RFC 4122]: https://www.rfc-editor.org/rfc/rfc4122.txt
 [RFC 5208]: https://www.rfc-editor.org/rfc/rfc5208.txt
+[RFC 5280]: https://www.rfc-editor.org/rfc/rfc5280.txt
 [Web Crypto API documentation]: webcrypto.md
 [`BN_is_prime_ex`]: https://www.openssl.org/docs/man1.1.1/man3/BN_is_prime_ex.html
 [`Buffer`]: buffer.md
diff --git a/lib/internal/crypto/x509.js b/lib/internal/crypto/x509.js
index 603e3f8fc5872f..cd20f6868da72c 100644
--- a/lib/internal/crypto/x509.js
+++ b/lib/internal/crypto/x509.js
@@ -315,6 +315,11 @@ class X509Certificate extends JSTransferable {
 
   checkIP(ip, options) {
     validateString(ip, 'ip');
+    // The options argument is currently undocumented since none of the options
+    // have any effect on the behavior of this function. However, we still parse
+    // the options argument in case OpenSSL adds flags in the future that do
+    // affect the behavior of X509_check_ip. This ensures that no invalid values
+    // are passed as the second argument in the meantime.
     return this[kHandle].checkIP(ip, getFlags(options));
   }