From ede96fe3db62f46aa77f45cb8acf5b163abc942f Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 18 Oct 2023 18:25:14 +0200
Subject: [PATCH] x509: Add support for IP address nameConstraints

According to RFC 5280, section 4.2.1.10, these are encoded as address followed by a network mask of the same length.
---
 src/libstrongswan/plugins/x509/x509_cert.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 3cb7a53633..ca200408e5 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -483,9 +483,15 @@ static identification_t *parse_generalName(chunk_t blob, int level0)
 case 4:
 id_type = ID_IPV4_ADDR;
 break;
+ case 8:
+ id_type = ID_IPV4_ADDR_SUBNET;
+ break;
 case 16:
 id_type = ID_IPV6_ADDR;
 break;
+ case 32:
+ id_type = ID_IPV6_ADDR_SUBNET;
+ break;
 default:
 break;
 }
@@ -2065,6 +2071,8 @@ static chunk_t build_generalName(identification_t *id)
 break;
 case ID_IPV4_ADDR:
 case ID_IPV6_ADDR:
+ case ID_IPV4_ADDR_SUBNET:
+ case ID_IPV6_ADDR_SUBNET:
 context = ASN1_CONTEXT_S_7;
 break;
 default:
-- 
2.47.2
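Review bot: The new `case 8:` and `case 32:` arms in parse_generalName accept the address-plus-mask form for every iPAddress GeneralName this function parses, while RFC 5280 permits that encoding only inside nameConstraints (section 4.2.1.10); in subjectAltName the value must be 4 or 16 octets. If parse_generalName is also the parser for subjectAltName entries (its callers are outside the hunk), a certificate could now yield a subnet-typed identity where the length previously fell through to `default:`, so the SAN path should reject `ID_IPV4_ADDR_SUBNET`/`ID_IPV6_ADDR_SUBNET` results, or the parser should map 8/32 octets only when called for constraints. The mask half is also taken as-is, so a non-contiguous mask is not caught at this point. At minimum I would add above `case 8:` the comment `/* address + netmask, only valid in nameConstraints (RFC 5280, 4.2.1.10) */`. The same concern applies to the second hunk, where build_generalName will now emit subnet identities under `ASN1_CONTEXT_S_7` for any extension it serves; both function bodies extend beyond the hunks shown.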