From: Tobias Brunner Date: Wed, 18 Oct 2023 16:25:14 +0000 (+0200) Subject: x509: Add support for IP address nameConstraints X-Git-Tag: 5.9.12rc1~8^2~2 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=ede96fe3db62f46aa77f45cb8acf5b163abc942f;p=thirdparty%2Fstrongswan.git x509: Add support for IP address nameConstraints According to RFC 5280, section 4.2.1.10, these are encoded as address followed by a network mask of the same length.
---
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 3cb7a53633..ca200408e5 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -483,9 +483,15 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
 case 4:
 id_type = ID_IPV4_ADDR;
 break;
+ case 8:
+ id_type = ID_IPV4_ADDR_SUBNET;
+ break;
 case 16:
 id_type = ID_IPV6_ADDR;
 break;
+ case 32:
+ id_type = ID_IPV6_ADDR_SUBNET;
+ break;
 default:
 break;
 }
@@ -2065,6 +2071,8 @@ static chunk_t build_generalName(identification_t *id)
 break;
 case ID_IPV4_ADDR:
 case ID_IPV6_ADDR:
+ case ID_IPV4_ADDR_SUBNET:
+ case ID_IPV6_ADDR_SUBNET:
 context = ASN1_CONTEXT_S_7;
 break;
 default:
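Review bot: The new `case 8:` and `case 32:` branches in parse_generalName accept the address-plus-mask form wherever this parser runs, but RFC 5280 allows that form only inside nameConstraints; in subjectAltName an iPAddress must be 4 or 16 octets. Nothing visible in the hunk tells the parser which extension it is handling, so if the same function also serves subjectAltName (its callers are outside the hunk), a certificate could carry a subnet identity as one of its names, and that caller should reject `ID_IPV4_ADDR_SUBNET` and `ID_IPV6_ADDR_SUBNET`. The same concern applies in reverse to the second hunk, where build_generalName would now encode a subnet identity into any GeneralName, including a subjectAltName. At minimum, add a comment above `case 8:` such as `/* address followed by mask, only valid in nameConstraints (RFC 5280, 4.2.1.10) */`. Both function bodies start and end outside their hunks.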