aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan/credentials/auth_cfg.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/credentials/auth_cfg.c')
-rw-r--r--src/libstrongswan/credentials/auth_cfg.c23
1 files changed, 23 insertions, 0 deletions
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index c364e4b64..360e83f94 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -33,6 +33,7 @@ ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_XAUTH,
ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_REVOCATION_CERT,
"RULE_IDENTITY",
+ "RULE_IDENTITY_LOOSE",
"RULE_AUTH_CLASS",
"RULE_AAA_IDENTITY",
"RULE_EAP_IDENTITY",
@@ -70,6 +71,7 @@ static inline bool is_multi_value_rule(auth_rule_t type)
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
case AUTH_RULE_XAUTH_IDENTITY:
@@ -197,6 +199,7 @@ static entry_t *entry_create(auth_rule_t type, va_list args)
this->type = type;
switch (type)
{
+ case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_AUTH_CLASS:
case AUTH_RULE_EAP_TYPE:
case AUTH_RULE_EAP_VENDOR:
@@ -244,6 +247,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
}
switch (e1->type)
{
+ case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_AUTH_CLASS:
case AUTH_RULE_EAP_TYPE:
case AUTH_RULE_EAP_VENDOR:
@@ -331,6 +335,7 @@ static void destroy_entry_value(entry_t *entry)
free(entry->value);
break;
}
+ case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_AUTH_CLASS:
case AUTH_RULE_EAP_TYPE:
case AUTH_RULE_EAP_VENDOR:
@@ -361,6 +366,7 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
entry->type = type;
switch (type)
{
+ case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_AUTH_CLASS:
case AUTH_RULE_EAP_TYPE:
case AUTH_RULE_EAP_VENDOR:
@@ -447,6 +453,8 @@ METHOD(auth_cfg_t, get, void*,
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
return (void*)VALIDATION_FAILED;
+ case AUTH_RULE_IDENTITY_LOOSE:
+ return (void*)FALSE;
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
case AUTH_RULE_AAA_IDENTITY:
@@ -605,6 +613,17 @@ METHOD(auth_cfg_t, complies, bool,
id2 = get(this, t1);
if (!id2 || !id2->matches(id2, id1))
{
+ if (t1 == AUTH_RULE_IDENTITY &&
+ constraints->get(constraints, AUTH_RULE_IDENTITY_LOOSE))
+ { /* also verify identity against subjectAltNames */
+ certificate_t *cert;
+
+ cert = get(this, AUTH_HELPER_SUBJECT_CERT);
+ if (cert && cert->has_subject(cert, id1))
+ {
+ break;
+ }
+ }
success = FALSE;
if (log_error)
{
@@ -709,6 +728,8 @@ METHOD(auth_cfg_t, complies, bool,
}
break;
}
+ case AUTH_RULE_IDENTITY_LOOSE:
+ /* just an indication when verifying AUTH_RULE_IDENTITY */
case AUTH_RULE_XAUTH_BACKEND:
/* not enforced, just a hint for local authentication */
case AUTH_HELPER_IM_CERT:
@@ -843,6 +864,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
add(this, type, cert->get_ref(cert));
break;
}
+ case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_CRL_VALIDATION:
case AUTH_RULE_OCSP_VALIDATION:
case AUTH_RULE_AUTH_CLASS:
@@ -1001,6 +1023,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
clone->add(clone, entry->type, strdup(entry->value));
break;
}
+ case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_AUTH_CLASS:
case AUTH_RULE_EAP_TYPE:
case AUTH_RULE_EAP_VENDOR:
generated by cgit v1.2.3 (git 2.25.1) at 2025-02-27 15:12:56 +0000