add explicit option for SubjectAltName:IP check

ChangeLog

@@ -2,7 +2,7 @@ changes since 1.7.2
 	New features:
 	- Autodetect status-server capability of servers
 	- Minimalistic status-server
-	- Explicit SubjectAltName:DNS match on certificates
+	- Explicit SubjectAltName:DNS and :IP match on certificates
 
 	Misc:
 	- No longer require docbook2x tools, but include plain manpages

radsecproxy.conf.5

@@ -411,10 +411,12 @@ For a TLS/DTLS client, disable the default behaviour of matching CN or
 SubjectAltName against the specified hostname or IP address.
 .RE
 
-\fBMatchCertificateAttribute ((\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/\fB )\fR
+\fBmatchCertificateAttribute (\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/
+.br
+\fBMatchCertificateAttribute \fRSubjectAltName:IP:\fIaddress\fR
 .RS
-Perform additional validation of certificate attributes. Currently only matching
-of CN and SubjectAltName type URI and DNS is supported. Note that currently this 
+Perform additional validation of certificate attributes. Currently matching
+of CN and SubjectAltName types URI DNS and IP is supported. Note that currently this 
 option can only be specified once in a client block.
 .RE
 
@@ -607,7 +609,9 @@ block. The details are not repeated here. Please refer to the definitions in the
 .br
 .BR "CertificateNameCheck (" on | off )
 .br
-\fBmatchCertificateAttribute ((\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/\fB )\fR
+\fBmatchCertificateAttribute (\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/
+.br
+\fBMatchCertificateAttribute \fRSubjectAltName:IP:\fIaddress\fR
 .br
 .BR "AddTTL " 1-255
 .br

radsecproxy.h

@@ -6,6 +6,7 @@
 #include <stdint.h>
 #include <pthread.h>
 #include <regex.h>
+#include <netinet/in.h>
 #include "list.h"
 #include "tlv11.h"
 #include "radmsg.h"
@@ -149,6 +150,8 @@ struct clsrvconf {
     regex_t *certcnregex;
     regex_t *certuriregex;
     regex_t *certdnsregex;
+    in6_addr_t certipmatch;
+    int certipmatchaf;
     char *confrewritein;
     char *confrewriteout;
     char *confrewriteusername;

tlscommon.c

@@ -709,6 +709,7 @@ int certnamecheck(X509 *cert, struct list *hostports) {
 
 int verifyconfcert(X509 *cert, struct clsrvconf *conf) {
     char *subject;
+    char addrbuf[INET6_ADDRSTRLEN];
     int ok = 1;
 
     subject = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
@@ -741,6 +742,13 @@ int verifyconfcert(X509 *cert, struct clsrvconf *conf) {
             ok = 0;
         }
     }
+    if (conf->certipmatchaf) {
+        debug(DBG_DBG, "verifyconfcert: matching subjectaltname IP %s", inet_ntop(conf->certipmatchaf, &conf->certipmatch, addrbuf, INET6_ADDRSTRLEN));
+        if (subjectaltnameaddr(cert, conf->certipmatchaf, &conf->certipmatch) < 1) {
+            debug(DBG_WARN, "verifyconfcert: subjectaltname IP not matching regex for host %s (%s)", conf->name, subject);
+            ok = 0;
+        }
+    }
     free(subject);
     return ok;
 }
@@ -821,6 +829,17 @@ int addmatchcertattr(struct clsrvconf *conf) {
     char *v;
     regex_t **r;
 
+    if (!strncasecmp(conf->matchcertattr, "SubjectAltName:IP:", 18)) {
+        if (inet_pton(AF_INET, conf->matchcertattr+18, &conf->certipmatch))
+            conf->certipmatchaf = AF_INET;
+        else if (inet_pton(AF_INET6, conf->matchcertattr+18, &conf->certipmatch))
+            conf->certipmatchaf = AF_INET6;
+        else
+            return 0;
+        return 1;
+    }
+
+    /* the other cases below use a common regex match */
     if (!strncasecmp(conf->matchcertattr, "CN:/", 4)) {
         r = &conf->certcnregex;
         v = conf->matchcertattr + 4;