diff --git a/ChangeLog b/ChangeLog
index d4036cc..9fde94a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,7 +2,7 @@ changes since 1.7.2
 	New features:
 	- Autodetect status-server capability of servers
 	- Minimalistic status-server
-	- Explicit SubjectAltName:DNS match on certificates
+	- Explicit SubjectAltName:DNS and :IP match on certificates
 
 	Misc:
 	- No longer require docbook2x tools, but include plain manpages
diff --git a/radsecproxy.conf.5 b/radsecproxy.conf.5
index 23d4ab6..4d322e0 100644
--- a/radsecproxy.conf.5
+++ b/radsecproxy.conf.5
@@ -411,10 +411,12 @@ For a TLS/DTLS client, disable the default behaviour of matching CN or
 SubjectAltName against the specified hostname or IP address.
 .RE
 
-\fBMatchCertificateAttribute ((\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/\fB )\fR
+\fBmatchCertificateAttribute (\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/
+.br
+\fBMatchCertificateAttribute \fRSubjectAltName:IP:\fIaddress\fR
 .RS
-Perform additional validation of certificate attributes. Currently only matching
-of CN and SubjectAltName type URI and DNS is supported. Note that currently this 
+Perform additional validation of certificate attributes. Currently matching
+of CN and SubjectAltName types URI DNS and IP is supported. Note that currently this 
 option can only be specified once in a client block.
 .RE
 
@@ -607,7 +609,9 @@ block. The details are not repeated here. Please refer to the definitions in the
 .br
 .BR "CertificateNameCheck (" on | off )
 .br
-\fBmatchCertificateAttribute ((\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/\fB )\fR
+\fBmatchCertificateAttribute (\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/
+.br
+\fBMatchCertificateAttribute \fRSubjectAltName:IP:\fIaddress\fR
 .br
 .BR "AddTTL " 1-255
 .br
diff --git a/radsecproxy.h b/radsecproxy.h
index 06a55eb..0ee1f20 100644
--- a/radsecproxy.h
+++ b/radsecproxy.h
@@ -6,6 +6,7 @@
 #include <stdint.h>
 #include <pthread.h>
 #include <regex.h>
+#include <netinet/in.h>
 #include "list.h"
 #include "tlv11.h"
 #include "radmsg.h"
@@ -149,6 +150,8 @@ struct clsrvconf {
     regex_t *certcnregex;
     regex_t *certuriregex;
     regex_t *certdnsregex;
+    in6_addr_t certipmatch;
+    int certipmatchaf;
     char *confrewritein;
     char *confrewriteout;
     char *confrewriteusername;
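Review bot: The new `certipmatch` field is declared as `in6_addr_t`, which is not a type that the `<netinet/in.h>` header added in this same patch declares; the POSIX name is `struct in6_addr`, so unless the project typedefs `in6_addr_t` somewhere not shown here this will fail to compile. Suggested declaration: `struct in6_addr certipmatch;  /* SubjectAltName:IP address to require; valid only when certipmatchaf != 0 */`. A 16-byte `in6_addr` is also large enough to hold the 4-byte result `inet_pton(AF_INET, ...)` writes, so one field for both families is fine. Since `verifyconfcert` keys on `certipmatchaf == 0` meaning "no IP match configured", a comment on `certipmatchaf` saying so (`/* AF_INET, AF_INET6, or 0 when unset */`) would help; `struct clsrvconf` begins outside this hunk, so whether it is zero-initialised on allocation cannot be confirmed from here.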
diff --git a/tlscommon.c b/tlscommon.c
index f9fa7fb..4522942 100644
--- a/tlscommon.c
+++ b/tlscommon.c
@@ -709,6 +709,7 @@ int certnamecheck(X509 *cert, struct list *hostports) {
 
 int verifyconfcert(X509 *cert, struct clsrvconf *conf) {
     char *subject;
+    char addrbuf[INET6_ADDRSTRLEN];
     int ok = 1;
 
     subject = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
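Review bot: `INET6_ADDRSTRLEN`, used for the added `addrbuf` declaration, together with `inet_ntop`/`inet_pton` used later in this file, are provided by `<arpa/inet.h>`, while the patch only adds `<netinet/in.h>` to radsecproxy.h. The include list of tlscommon.c is outside this hunk, so if it does not already pull in `<arpa/inet.h>` (directly or via a project header) that include should be added alongside this change. The rest of `verifyconfcert` continues in the following hunk.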
@@ -741,6 +742,13 @@ int verifyconfcert(X509 *cert, struct clsrvconf *conf) {
             ok = 0;
         }
     }
+    if (conf->certipmatchaf) {
+        debug(DBG_DBG, "verifyconfcert: matching subjectaltname IP %s", inet_ntop(conf->certipmatchaf, &conf->certipmatch, addrbuf, INET6_ADDRSTRLEN));
+        if (subjectaltnameaddr(cert, conf->certipmatchaf, &conf->certipmatch) < 1) {
+            debug(DBG_WARN, "verifyconfcert: subjectaltname IP not matching regex for host %s (%s)", conf->name, subject);
+            ok = 0;
+        }
+    }
     free(subject);
     return ok;
 }
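Review bot: The warning emitted when the SubjectAltName:IP check fails says "not matching regex", but this branch compares the certificate against a literal address, not a regex, so the log line will mislead whoever is debugging a rejected peer; suggest `debug(DBG_WARN, "verifyconfcert: subjectaltname IP not matching %s for host %s (%s)", addrbuf, conf->name, subject);` so the expected address is in the message. The `DBG_DBG` line above it passes the result of `inet_ntop` straight to `%s`; `inet_ntop` returns NULL on failure and printing a NULL with `%s` is undefined behaviour (glibc happens to print "(null)"), so convert into `addrbuf` once with a checked return and reuse the buffer in both messages. Treating any return of `subjectaltnameaddr` below 1 as a failed match is the right fail-closed choice, assuming that helper returns 1 only on a verified match (its definition is not in this diff). The middle of `verifyconfcert`'s body lies outside this hunk.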
@@ -821,6 +829,17 @@ int addmatchcertattr(struct clsrvconf *conf) {
     char *v;
     regex_t **r;
 
+    if (!strncasecmp(conf->matchcertattr, "SubjectAltName:IP:", 18)) {
+        if (inet_pton(AF_INET, conf->matchcertattr+18, &conf->certipmatch))
+            conf->certipmatchaf = AF_INET;
+        else if (inet_pton(AF_INET6, conf->matchcertattr+18, &conf->certipmatch))
+            conf->certipmatchaf = AF_INET6;
+        else
+            return 0;
+        return 1;
+    }
+
+    /* the other cases below use a common regex match */
     if (!strncasecmp(conf->matchcertattr, "CN:/", 4)) {
         r = &conf->certcnregex;
         v = conf->matchcertattr + 4;
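Review bot: The added `if (inet_pton(AF_INET, ...))` / `else if (inet_pton(AF_INET6, ...))` tests accept any non-zero return as success, but `inet_pton` returns -1 (errno `EAFNOSUPPORT`) when the family is not supported, so on such a build `certipmatchaf` would be set while `certipmatch` stays uninitialised and every peer certificate would then be checked against garbage. Compare for exactly 1: `if (inet_pton(AF_INET, conf->matchcertattr+18, &conf->certipmatch) == 1)` and `else if (inet_pton(AF_INET6, conf->matchcertattr+18, &conf->certipmatch) == 1)`. The literal 18 in `strncasecmp` and the `+18` offset must stay in sync with the prefix string; deriving it as `sizeof("SubjectAltName:IP:") - 1` makes that self-checking, and the same applies to the `4` used for `"CN:/"` below. Rejecting on any parse failure (the bare `return 0`) is correct, since `inet_pton` refuses trailing characters, so a malformed address cannot silently become a wildcard. The remainder of `addmatchcertattr` runs past the end of this hunk.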