Merge branch 'x509-ipaddress-constraints'

Adds support for nameConstraints of type iPAddress, which represent a subnet, to the x509, openssl and constraints plugins. SANs of type iPAddress are matched against such constraints. Closes strongswan/strongswan#1991
2025-10-04 00:00:14 -04:00 · 2023-11-13 12:23:43 +01:00 · 2023-11-13 12:23:43 +01:00 · bae841ea04
commit bae841ea04
parent f781b9d326 1589f2d9ae
3 changed files with 43 additions and 1 deletions
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@ -143,6 +143,26 @@ static bool dn_matches(identification_t *constraint, identification_t *id)
 	return match;
 }

+/**
+ * Check if the given identity type matches the type of NameConstraint
+ */
+static bool type_matches(id_type_t constraint, id_type_t id)
+{
+	switch (constraint)
+	{
+		case ID_FQDN:
+		case ID_RFC822_ADDR:
+		case ID_DER_ASN1_DN:
+			return constraint == id;
+		case ID_IPV4_ADDR_SUBNET:
+			return id == ID_IPV4_ADDR;
+		case ID_IPV6_ADDR_SUBNET:
+			return id == ID_IPV6_ADDR;
+		default:
+			return FALSE;
+	}
+}
+
 /**
 * Check if a certificate matches to a NameConstraint
 */
@ -168,7 +188,7 @@ static bool name_constraint_matches(identification_t *constraint,
 	enumerator = x509->create_subjectAltName_enumerator(x509);
 	while (enumerator->enumerate(enumerator, &id))
 	{
-		if (id->get_type(id) == type)
+		if (type_matches(type, id->get_type(id)))
 		{
 			switch (type)
 			{
@ -181,6 +201,10 @@ static bool name_constraint_matches(identification_t *constraint,
 				case ID_DER_ASN1_DN:
 					matches = dn_matches(constraint, id);
 					break;
+				case ID_IPV4_ADDR_SUBNET:
+				case ID_IPV6_ADDR_SUBNET:
+					matches = id->matches(id, constraint);
+					break;
 				default:
 					DBG1(DBG_CFG, "%N NameConstraint matching not implemented",
 						 id_type_names, type);
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@ -224,10 +224,20 @@ static identification_t *general_name2id(GENERAL_NAME *name)
 			{
 				return identification_create_from_encoding(ID_IPV4_ADDR, chunk);
 			}
+			if (chunk.len == 8)
+			{
+				return identification_create_from_encoding(ID_IPV4_ADDR_SUBNET,
+														   chunk);
+			}
 			if (chunk.len == 16)
 			{
 				return identification_create_from_encoding(ID_IPV6_ADDR, chunk);
 			}
+			if (chunk.len == 32)
+			{
+				return identification_create_from_encoding(ID_IPV6_ADDR_SUBNET,
+														   chunk);
+			}
 			return NULL;
 		}
 		case GEN_DIRNAME :
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@ -483,9 +483,15 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
 					case 4:
 						id_type = ID_IPV4_ADDR;
 						break;
+					case 8:
+						id_type = ID_IPV4_ADDR_SUBNET;
+						break;
 					case 16:
 						id_type = ID_IPV6_ADDR;
 						break;
+					case 32:
+						id_type = ID_IPV6_ADDR_SUBNET;
+						break;
 					default:
 						break;
 				}
@ -2065,6 +2071,8 @@ static chunk_t build_generalName(identification_t *id)
 			break;
 		case ID_IPV4_ADDR:
 		case ID_IPV6_ADDR:
+		case ID_IPV4_ADDR_SUBNET:
+		case ID_IPV6_ADDR_SUBNET:
 			context = ASN1_CONTEXT_S_7;
 			break;
 		default: