From: Tobias Brunner Date: Mon, 16 Jun 2025 07:28:40 +0000 (+0200) Subject: identification: Clarify that ID_USER_FQDN is just an alias for ID_RFC822_ADDR X-Git-Tag: android-2.5.6~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a153626af70e7916f122e5e76e905768dac691cf;p=thirdparty%2Fstrongswan.git identification: Clarify that ID_USER_FQDN is just an alias for ID_RFC822_ADDR This means userfqdn: is a valid prefix for regular expressions.
---
diff --git a/src/libstrongswan/tests/suites/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c
index 3ece5e1a72..e7a4d4493e 100644
--- a/src/libstrongswan/tests/suites/test_identification.c
+++ b/src/libstrongswan/tests/suites/test_identification.c
@@ -683,7 +683,7 @@ START_TEST(test_equals_empty)
 case ID_FQDN:
 ck_assert(!id_equals(a, "moon.strongswan.org"));
 break;
- case ID_USER_FQDN:
+ case ID_RFC822_ADDR:
 ck_assert(!id_equals(a, "moon@strongswan.org"));
 break;
 case ID_IPV6_ADDR:
@@ -1308,7 +1308,7 @@ START_TEST(test_matches_empty)
 case ID_FQDN:
 ck_assert(id_matches(a, "moon.strongswan.org", ID_MATCH_NONE));
 break;
- case ID_USER_FQDN:
+ case ID_RFC822_ADDR:
 ck_assert(id_matches(a, "moon@strongswan.org", ID_MATCH_NONE));
 break;
 case ID_IPV6_ADDR:
@@ -1362,7 +1362,7 @@ START_TEST(test_matches_empty_reverse)
 case ID_FQDN:
 ck_assert(id_matches_rev(a, "moon.strongswan.org", ID_MATCH_NONE));
 break;
- case ID_USER_FQDN:
+ case ID_RFC822_ADDR:
 ck_assert(id_matches_rev(a, "moon@strongswan.org", ID_MATCH_NONE));
 break;
 case ID_IPV6_ADDR:
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 08c2b7bb9a..57b1af7015 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
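Review bot: No test covers the behavior the commit enables, namely that `userfqdn:` is now accepted as a regular-expression prefix; the hunks at -683, -1308 and -1362 only rename the constant in the switch cases of test_equals_empty, test_matches_empty and test_matches_empty_reverse, which exercise empty identities rather than regex parsing. A case next to the existing regex matching tests (presumably the ones built on the `email:` prefix) would pin the new behavior, for example an identity created from `"userfqdn:^(moon|sun)@strongswan\\.org$"` that matches `moon@strongswan.org` and does not match `moon@strongswan.com` (constructed example). Without it, a later change that flips the table flag back to FALSE would go unnoticed. Each START_TEST body starts and ends outside its hunk.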
@@ -1828,7 +1828,7 @@ static const struct {
 { "ipv6range:", ID_IPV6_ADDR_RANGE, FALSE},
 { "rfc822:", ID_RFC822_ADDR, TRUE},
 { "email:", ID_RFC822_ADDR, TRUE},
- { "userfqdn:", ID_USER_FQDN, FALSE},
+ { "userfqdn:", ID_RFC822_ADDR, TRUE},
 { "fqdn:", ID_FQDN, TRUE},
 { "dns:", ID_FQDN, TRUE},
 { "asn1dn:", ID_DER_ASN1_DN, TRUE},
@@ -2111,7 +2111,7 @@ identification_t *identification_create_from_string(char *string)
 }
 else if (*string == '@')
 {
- this = identification_create(ID_USER_FQDN);
+ this = identification_create(ID_RFC822_ADDR);
 this->encoded = chunk_clone(chunk_from_str(string + 1));
 return &this->public;
 }
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index 3be5a54db2..cac3230440 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -336,9 +336,9 @@ identification_t *identification_create_from_string(char *string);
 * trusted/configured values, never untrusted values received over the network.
 *
 * A regular expression must be prefixed by an identity type (supported are
- * rfc822:, email:, fqdn:, dns:, and asn1dn:), and it must start with a caret
- * ('^') and end with a dollar sign ('$') to indicate an anchored pattern.
- * If the regular expression is invalid, the function returns NULL.
+ * rfc822:, email:, userfqdn:, fqdn:, dns:, and asn1dn:), and it must start
+ * with a caret ('^') and end with a dollar sign ('$') to indicate an anchored
+ * pattern. If the regular expression is invalid, the function returns NULL.
 *
 * The regular expression is always matched against the string representation
 * of other identities and matching is performed case-insensitive.
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 7901b4ed28..8336735fff 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
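Review bot: The `userfqdn:` row at -1828 now duplicates the `rfc822:` and `email:` rows including the third column, which the commit message identifies as the regular-expression flag, but nothing in the table says why three prefixes map to one type; a one-line comment above the row, `/* IKEv1 name for ID_RFC822_ADDR, same regex support as rfc822:/email: */`, would keep a later reader from "fixing" the flag back to FALSE. Flipping that column to TRUE means a configured `userfqdn:^…$` string is presumably compiled as a regular expression on the same path as the other TRUE rows, so the restriction stated in the header comment at -336 — regex identities only for trusted, configured values, never for strings received from the network — now covers this prefix as well; it is worth confirming that every caller of identification_create_from_string() that could see peer-supplied text already treats all prefixed forms as untrusted rather than filtering by a fixed prefix list. The hunk at -2111 makes the same alias substitution for the `@` shorthand and needs no separate note. The table and the function body both extend beyond their hunks.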
@@ -537,11 +537,12 @@ connections..remote.id = %any
 Extended POSIX regular expressions are also supported for remote identity matching. They must start with an explicit type prefix, followed by a caret character ('^'), and end with a dollar sign ('$') to indicate an anchored
- pattern. Supported types are _rfc822_, _email_, _fqdn_, _dns_, and _asn1dn_.
+ pattern. Make sure to escape backslash characters when configuring
+ identities in double quotes. Supported types are _rfc822_, _email_,
+ _userfqdn_, _fqdn_, _dns_, and _asn1dn_.
 While regular expressions are always matched against the string representation of other identities, the type must match as well. The
- matching is performed case insensitive. Make sure to escape backslash
- characters when configuring identities in double quotes. Examples:
+ matching is performed case insensitive. Examples:
 _email:^(moon|sun)@strongswan\.org$_, _fqdn:^vpn[0-9]+\.strongswan\.org$_, _"asn1dn:^.*CN=.+\\.strongswan\\.org$"_.