diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c index 379bb40f7b..b1f60fb156 100644 --- a/src/libstrongswan/plugins/constraints/constraints_validator.c +++ b/src/libstrongswan/plugins/constraints/constraints_validator.c @@ -143,6 +143,26 @@ static bool dn_matches(identification_t *constraint, identification_t *id) return match; } +/** + * Check if the given identity type matches the type of NameConstraint + */ +static bool type_matches(id_type_t constraint, id_type_t id) +{ + switch (constraint) + { + case ID_FQDN: + case ID_RFC822_ADDR: + case ID_DER_ASN1_DN: + return constraint == id; + case ID_IPV4_ADDR_SUBNET: + return id == ID_IPV4_ADDR; + case ID_IPV6_ADDR_SUBNET: + return id == ID_IPV6_ADDR; + default: + return FALSE; + } +} + /** * Check if a certificate matches to a NameConstraint */ @@ -168,7 +188,7 @@ static bool name_constraint_matches(identification_t *constraint, enumerator = x509->create_subjectAltName_enumerator(x509); while (enumerator->enumerate(enumerator, &id)) { - if (id->get_type(id) == type) + if (type_matches(type, id->get_type(id))) { switch (type) { @@ -181,6 +201,10 @@ static bool name_constraint_matches(identification_t *constraint, case ID_DER_ASN1_DN: matches = dn_matches(constraint, id); break; + case ID_IPV4_ADDR_SUBNET: + case ID_IPV6_ADDR_SUBNET: + matches = id->matches(id, constraint); + break; default: DBG1(DBG_CFG, "%N NameConstraint matching not implemented", id_type_names, type); diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c index f7bef0d031..db227c5485 100644 --- a/src/libstrongswan/plugins/openssl/openssl_x509.c +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c @@ -224,10 +224,20 @@ static identification_t *general_name2id(GENERAL_NAME *name) { return identification_create_from_encoding(ID_IPV4_ADDR, chunk); } + if (chunk.len == 8) + { + return identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, + chunk); + } if (chunk.len == 16) { return identification_create_from_encoding(ID_IPV6_ADDR, chunk); } + if (chunk.len == 32) + { + return identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, + chunk); + } return NULL; } case GEN_DIRNAME : diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 3cb7a53633..ca200408e5 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -483,9 +483,15 @@ static identification_t *parse_generalName(chunk_t blob, int level0) case 4: id_type = ID_IPV4_ADDR; break; + case 8: + id_type = ID_IPV4_ADDR_SUBNET; + break; case 16: id_type = ID_IPV6_ADDR; break; + case 32: + id_type = ID_IPV6_ADDR_SUBNET; + break; default: break; } @@ -2065,6 +2071,8 @@ static chunk_t build_generalName(identification_t *id) break; case ID_IPV4_ADDR: case ID_IPV6_ADDR: + case ID_IPV4_ADDR_SUBNET: + case ID_IPV6_ADDR_SUBNET: context = ASN1_CONTEXT_S_7; break; default: