identification: Clarify that ID_USER_FQDN is just an alias for ID_RFC822_ADDR
authorTobias Brunner <tobias@strongswan.org>
Mon, 16 Jun 2025 07:28:40 +0000 (09:28 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 20 Jun 2025 08:37:40 +0000 (10:37 +0200)
This means userfqdn: is a valid prefix for regular expressions.

src/libstrongswan/tests/suites/test_identification.c
src/libstrongswan/utils/identification.c
src/libstrongswan/utils/identification.h
src/swanctl/swanctl.opt

index 3ece5e1a72266f41c15d66d5cfc81b502feea720..e7a4d4493e7066033bbabdb88c59f4b496fd676e 100644 (file)
@@ -683,7 +683,7 @@ START_TEST(test_equals_empty)
                case ID_FQDN:
                        ck_assert(!id_equals(a, "moon.strongswan.org"));
                        break;
-               case ID_USER_FQDN:
+               case ID_RFC822_ADDR:
                        ck_assert(!id_equals(a, "moon@strongswan.org"));
                        break;
                case ID_IPV6_ADDR:
@@ -1308,7 +1308,7 @@ START_TEST(test_matches_empty)
                case ID_FQDN:
                        ck_assert(id_matches(a, "moon.strongswan.org", ID_MATCH_NONE));
                        break;
-               case ID_USER_FQDN:
+               case ID_RFC822_ADDR:
                        ck_assert(id_matches(a, "moon@strongswan.org", ID_MATCH_NONE));
                        break;
                case ID_IPV6_ADDR:
@@ -1362,7 +1362,7 @@ START_TEST(test_matches_empty_reverse)
                case ID_FQDN:
                        ck_assert(id_matches_rev(a, "moon.strongswan.org", ID_MATCH_NONE));
                        break;
-               case ID_USER_FQDN:
+               case ID_RFC822_ADDR:
                        ck_assert(id_matches_rev(a, "moon@strongswan.org", ID_MATCH_NONE));
                        break;
                case ID_IPV6_ADDR:
index 08c2b7bb9a87f8f7cb53c96c948c5678dc235110..57b1af7015af5a0dbe059ab95107c8b969635a23 100644 (file)
@@ -1828,7 +1828,7 @@ static const struct {
        { "ipv6range:",         ID_IPV6_ADDR_RANGE,             FALSE},
        { "rfc822:",            ID_RFC822_ADDR,                 TRUE},
        { "email:",                     ID_RFC822_ADDR,                 TRUE},
-       { "userfqdn:",          ID_USER_FQDN,                   FALSE},
+       { "userfqdn:",          ID_RFC822_ADDR,                 TRUE},
        { "fqdn:",                      ID_FQDN,                                TRUE},
        { "dns:",                       ID_FQDN,                                TRUE},
        { "asn1dn:",            ID_DER_ASN1_DN,                 TRUE},
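Review bot: The `userfqdn:` row flips its third field from FALSE to TRUE, which per the commit message makes the prefix valid for regular expressions, yet the three test hunks in this commit only rename a case label and none exercises a `userfqdn:^...$` pattern. Unless the regex tests iterate over this table (not visible here), a case alongside the existing rfc822:/email: regex tests would pin the new behaviour, in particular that such a pattern matches an identity created with `rfc822:` and does not match an `fqdn:` one. A configured value of that shape was presumably parsed as a literal identity before this change, so the change in interpretation deserves a release note. I would also annotate the row, e.g. `/* alias of rfc822:, ID_USER_FQDN == ID_RFC822_ADDR */`. The table's declaration starts outside the hunk, so the meaning of the third field is inferred from the commit message.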
@@ -2111,7 +2111,7 @@ identification_t *identification_create_from_string(char *string)
                        }
                        else if (*string == '@')
                        {
-                               this = identification_create(ID_USER_FQDN);
+                               this = identification_create(ID_RFC822_ADDR);
                                this->encoded = chunk_clone(chunk_from_str(string + 1));
                                return &this->public;
                        }
index 3be5a54db23a2a04c0d0ece4c28806441e9802eb..cac32304407bbd7486624215a689fc2fb93da859 100644 (file)
@@ -336,9 +336,9 @@ identification_t *identification_create_from_string(char *string);
  * trusted/configured values, never untrusted values received over the network.
  *
  * A regular expression must be prefixed by an identity type (supported are
- * rfc822:, email:, fqdn:, dns:, and asn1dn:), and it must start with a caret
- * ('^') and end with a dollar sign ('$') to indicate an anchored pattern.
- * If the regular expression is invalid, the function returns NULL.
+ * rfc822:, email:, userfqdn:, fqdn:, dns:, and asn1dn:), and it must start
+ * with a caret ('^') and end with a dollar sign ('$') to indicate an anchored
+ * pattern. If the regular expression is invalid, the function returns NULL.
  *
  * The regular expression is always matched against the string representation
  * of other identities and matching is performed case-insensitive.
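Review bot: The updated list adds `userfqdn:` as a sixth prefix without saying that it selects the same identity type as `rfc822:` and `email:`, which is what the prefix table in identification.c now encodes. The swanctl.opt text in this commit states that the type must match as well, so a reader configuring a peer restriction needs to know which prefixes are interchangeable. I would add one sentence to this comment, such as `rfc822:, email: and userfqdn: all select ID_RFC822_ADDR; fqdn: and dns: select ID_FQDN.` The comment block begins above the hunk and the declaration it documents lies below it, so neither is visible here.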
index 7901b4ed28e74866bda2f9b5a5420aaf47b51357..8336735fff4ebadce7592f14d9b7170248de3b7f 100644 (file)
@@ -537,11 +537,12 @@ connections.<conn>.remote<suffix>.id = %any
        Extended POSIX regular expressions are also supported for remote identity
        matching. They must start with an explicit type prefix, followed by a caret
        character ('^'), and end with a dollar sign ('$') to indicate an anchored
-       pattern. Supported types are _rfc822_, _email_, _fqdn_, _dns_, and _asn1dn_.
+       pattern. Make sure to escape backslash characters when configuring
+       identities in double quotes. Supported types are _rfc822_, _email_,
+       _userfqdn_, _fqdn_, _dns_, and _asn1dn_.
        While regular expressions are always matched against the string
        representation of other identities, the type must match as well. The
-       matching is performed case insensitive. Make sure to escape backslash
-       characters when configuring identities in double quotes. Examples:
+       matching is performed case insensitive. Examples:
        _email:^(moon|sun)@strongswan\.org$_, _fqdn:^vpn[0-9]+\.strongswan\.org$_,
        _"asn1dn:^.*CN=.+\\.strongswan\\.org$"_.