From: Tobias Brunner
Date: Wed, 18 Oct 2023 16:32:48 +0000 (+0200)
Subject: constraints: Add support for IP address nameConstraints
X-Git-Tag: 5.9.12rc1~8^2
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=1589f2d9ae8704074df6ddab22c54f60bd3557ff;p=thirdparty%2Fstrongswan.git
constraints: Add support for IP address nameConstraints
---
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index 379bb40f7b..b1f60fb156 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -143,6 +143,26 @@ static bool dn_matches(identification_t *constraint, identification_t *id)
 return match;
 }
 
+/**
+ * Check if the given identity type matches the type of NameConstraint
+ */
+static bool type_matches(id_type_t constraint, id_type_t id)
+{
+ switch (constraint)
+ {
+ case ID_FQDN:
+ case ID_RFC822_ADDR:
+ case ID_DER_ASN1_DN:
+ return constraint == id;
+ case ID_IPV4_ADDR_SUBNET:
+ return id == ID_IPV4_ADDR;
+ case ID_IPV6_ADDR_SUBNET:
+ return id == ID_IPV6_ADDR;
+ default:
+ return FALSE;
+ }
+}
+
 /**
 * Check if a certificate matches to a NameConstraint
 */
@@ -168,7 +188,7 @@ static bool name_constraint_matches(identification_t *constraint,
 enumerator = x509->create_subjectAltName_enumerator(x509);
 while (enumerator->enumerate(enumerator, &id))
 {
- if (id->get_type(id) == type)
+ if (type_matches(type, id->get_type(id)))
 {
 switch (type)
 {
@@ -181,6 +201,10 @@ static bool name_constraint_matches(identification_t *constraint,
 case ID_DER_ASN1_DN:
 matches = dn_matches(constraint, id);
 break;
+ case ID_IPV4_ADDR_SUBNET:
+ case ID_IPV6_ADDR_SUBNET:
+ matches = id->matches(id, constraint);
+ break;
 default:
 DBG1(DBG_CFG, "%N NameConstraint matching not implemented",
 id_type_names, type);
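Review bot: The `default: return FALSE;` branch of type_matches makes the existing "%N NameConstraint matching not implemented" DBG1 in name_constraint_matches (third hunk) unreachable: for a constraint type not listed here no subjectAltName passes the type check, so the inner switch is never entered and an unsupported constraint type is now skipped without any log line, whereas before this change the same situation at least produced the debug message. Since RFC 5280 §4.2.1.10 expects an implementation to either process a constraint on a given name form or reject the certificate, silently ignoring the type is the less safe default; whether the caller treats "no match" for an unsupported permittedSubtrees entry as a failure depends on code outside these hunks. Consider moving the diagnostic here, e.g. `default: DBG1(DBG_CFG, "%N NameConstraint matching not implemented", id_type_names, constraint); return FALSE;`, or logging once per constraint before the enumerator loop so the message is not repeated per SAN, and documenting in the function comment that returning FALSE for unknown constraint types means such constraints never match anything.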
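Review bot: `matches = id->matches(id, constraint);` stores identification_t's match level (an id_match_t) in a bool, which only reads as "matched" because the no-match value is zero. Writing `matches = id->matches(id, constraint) != ID_MATCH_NONE;` makes the intent explicit and keeps the line robust against changes to the match-level enum, and it mirrors the boolean style of the dn_matches case above. A one-line comment on the new cases would also help a reader of the switch, which is keyed on the constraint type while the identity is a plain address; something like `/* SAN holds a single address, constraint a subnet; presumably matches() tests containment - verify against identification_t */`, hedged until confirmed. name_constraint_matches starts and ends outside this hunk.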