From ede96fe3db62f46aa77f45cb8acf5b163abc942f Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Wed, 18 Oct 2023 18:25:14 +0200 Subject: [PATCH 1/3] x509: Add support for IP address nameConstraints According to RFC 5280, section 4.2.1.10, these are encoded as address followed by a network mask of the same length. --- src/libstrongswan/plugins/x509/x509_cert.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 3cb7a53633..ca200408e5 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -483,9 +483,15 @@ static identification_t *parse_generalName(chunk_t blob, int level0) case 4: id_type = ID_IPV4_ADDR; break; + case 8: + id_type = ID_IPV4_ADDR_SUBNET; + break; case 16: id_type = ID_IPV6_ADDR; break; + case 32: + id_type = ID_IPV6_ADDR_SUBNET; + break; default: break; } @@ -2065,6 +2071,8 @@ static chunk_t build_generalName(identification_t *id) break; case ID_IPV4_ADDR: case ID_IPV6_ADDR: + case ID_IPV4_ADDR_SUBNET: + case ID_IPV6_ADDR_SUBNET: context = ASN1_CONTEXT_S_7; break; default: From 1c3096fe50b59ae892a14c260d3e287ec87aa36c Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Wed, 18 Oct 2023 18:27:07 +0200 Subject: [PATCH 2/3] openssl: Add support for IP address nameConstraints --- src/libstrongswan/plugins/openssl/openssl_x509.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c index f7bef0d031..db227c5485 100644 --- a/src/libstrongswan/plugins/openssl/openssl_x509.c +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c @@ -224,10 +224,20 @@ static identification_t *general_name2id(GENERAL_NAME *name) { return identification_create_from_encoding(ID_IPV4_ADDR, chunk); } + if (chunk.len == 8) + { + return identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, + chunk); + } if (chunk.len == 16) { return identification_create_from_encoding(ID_IPV6_ADDR, chunk); } + if (chunk.len == 32) + { + return identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, + chunk); + } return NULL; } case GEN_DIRNAME : From 1589f2d9ae8704074df6ddab22c54f60bd3557ff Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Wed, 18 Oct 2023 18:32:48 +0200 Subject: [PATCH 3/3] constraints: Add support for IP address nameConstraints --- .../constraints/constraints_validator.c | 26 ++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c index 379bb40f7b..b1f60fb156 100644 --- a/src/libstrongswan/plugins/constraints/constraints_validator.c +++ b/src/libstrongswan/plugins/constraints/constraints_validator.c @@ -143,6 +143,26 @@ static bool dn_matches(identification_t *constraint, identification_t *id) return match; } +/** + * Check if the given identity type matches the type of NameConstraint + */ +static bool type_matches(id_type_t constraint, id_type_t id) +{ + switch (constraint) + { + case ID_FQDN: + case ID_RFC822_ADDR: + case ID_DER_ASN1_DN: + return constraint == id; + case ID_IPV4_ADDR_SUBNET: + return id == ID_IPV4_ADDR; + case ID_IPV6_ADDR_SUBNET: + return id == ID_IPV6_ADDR; + default: + return FALSE; + } +} + /** * Check if a certificate matches to a NameConstraint */ @@ -168,7 +188,7 @@ static bool name_constraint_matches(identification_t *constraint, enumerator = x509->create_subjectAltName_enumerator(x509); while (enumerator->enumerate(enumerator, &id)) { - if (id->get_type(id) == type) + if (type_matches(type, id->get_type(id))) { switch (type) { @@ -181,6 +201,10 @@ static bool name_constraint_matches(identification_t *constraint, case ID_DER_ASN1_DN: matches = dn_matches(constraint, id); break; + case ID_IPV4_ADDR_SUBNET: + case ID_IPV6_ADDR_SUBNET: + matches = id->matches(id, constraint); + break; default: DBG1(DBG_CFG, "%N NameConstraint matching not implemented", id_type_names, type);