From ab1b601ac7f7a74022577f779c5cdf73ef028151 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Mon, 23 Mar 2026 17:45:11 +0100
Subject: [PATCH] constraints: Case-insensitive matching and reject excluded DN
 name constraints

The case is generally ignored when matching identities.  So this is
an issue with excluded name constraints where a malicious intermediate
CA could evade the constraints by issuing certificates with names that
just modify the case (e.g. strongSwan.org instead strongswan.org).

Note that it's likely that permitted name constraints are preferred over
excluded name constraints as it might be difficult to come up with a
conclusive list of names to exclude.

With directoryName (DN) name constraints the issue is a bit more comples.
Some RDNs have to be matched in a case-insensitive manner, which we e.g.
do in `identification.c::rdn_equals`.  By not doing it for name
constraints, a malicious intermediate CA could evade an excluded name
constraint just by modifying the case in such an RDN.

While we could use the mentioned function in `dn_matches`, this doesn't
properly fix the problem because the function is basically too strict.
Especially in regards to RDNs of type UTF8String, which are only compared
binary.  To match these properly, we'd have to implement the string
preparation described in RFC 5280, section 7.1 and the referenced RFCs.
Until that's the case, we reject excluded name constraints of type
directoryName as we are unable to enforce them.

Fixes: a2b340764fac ("Implemented NameConstraint matching in constraints plugin")
Fixes: CVE-2026-35331
---
 .../constraints/constraints_validator.c       | 25 ++++++++++++++++---
 .../tests/suites/test_certnames.c             | 10 ++++----
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index b1f60fb15603..4779baaf7083 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -52,6 +52,18 @@ static bool check_pathlen(x509_t *issuer, int pathlen)
 	return TRUE;
 }
 
+/**
+ * Check if the constraint and ID strings match case-insensitively
+ */
+static bool string_matches(chunk_t constraint, chunk_t id)
+{
+	/* make sure the two strings have actually the same length */
+	return constraint.len == id.len &&
+		   memchr(constraint.ptr, 0, constraint.len) == NULL &&
+		   memchr(id.ptr, 0, id.len) == NULL &&
+		   strncasecmp(constraint.ptr, id.ptr, constraint.len) == 0;
+}
+
 /**
  * Check if a FQDN constraint matches
  */
@@ -67,7 +79,7 @@ static bool fqdn_matches(identification_t *constraint, identification_t *id)
 		return FALSE;
 	}
 	diff = chunk_create(i.ptr, i.len - c.len);
-	if (!chunk_equals(c, chunk_skip(i, diff.len)))
+	if (!string_matches(c, chunk_skip(i, diff.len)))
 	{
 		return FALSE;
 	}
@@ -98,10 +110,10 @@ static bool email_matches(identification_t *constraint, identification_t *id)
 	}
 	if (memchr(c.ptr, '@', c.len))
 	{	/* constraint is a full email address */
-		return chunk_equals(c, i);
+		return string_matches(c, i);
 	}
 	diff = chunk_create(i.ptr, i.len - c.len);
-	if (!diff.len || !chunk_equals(c, chunk_skip(i, diff.len)))
+	if (!string_matches(c, chunk_skip(i, diff.len)))
 	{
 		return FALSE;
 	}
@@ -178,6 +190,13 @@ static bool name_constraint_matches(identification_t *constraint,
 	type = constraint->get_type(constraint);
 	if (type == ID_DER_ASN1_DN)
 	{
+		if (!permitted)
+		{
+			DBG1(DBG_CFG, "excluded %N NameConstraint not supported",
+				 id_type_names, type);
+			/* we have to return TRUE to let the constraint fail */
+			return TRUE;
+		}
 		matches = dn_matches(constraint, cert->get_subject(cert));
 		if (matches != permitted)
 		{
diff --git a/src/libstrongswan/tests/suites/test_certnames.c b/src/libstrongswan/tests/suites/test_certnames.c
index 36729123657b..390f202a47ac 100644
--- a/src/libstrongswan/tests/suites/test_certnames.c
+++ b/src/libstrongswan/tests/suites/test_certnames.c
@@ -232,11 +232,11 @@ static struct {
 	char *subject;
 	bool good;
 } excluded_dn[] = {
-	{ "C=CH, O=another", "C=CH, O=strongSwan, CN=tester", TRUE },
-	{ "C=CH, O=another", "C=CH, O=anot", TRUE },
-	{ "C=CH, O=another", "C=CH, O=anot, CN=tester", TRUE },
+	{ "C=CH, O=another", "C=CH, O=strongSwan, CN=tester", FALSE },
+	{ "C=CH, O=another", "C=CH, O=anot", FALSE },
+	{ "C=CH, O=another", "C=CH, O=anot, CN=tester", FALSE },
 	{ "C=CH, O=another", "C=CH, O=another, CN=tester", FALSE },
-	{ "C=CH, O=another", "C=CH, CN=tester, O=another", TRUE },
+	{ "C=CH, O=another", "C=CH, CN=tester, O=another", FALSE },
 };
 
 START_TEST(test_excluded_dn)
@@ -334,7 +334,7 @@ static struct {
 	char *subject;
 	bool good;
 } excluded_dninh[] = {
-	{ "C=CH, O=strongSwan", "C=CH", "C=DE", TRUE },
+	{ "C=CH, O=strongSwan", "C=CH", "C=DE", FALSE },
 	{ "C=CH, O=strongSwan", "C=DE", "C=CH", FALSE },
 	{ "C=CH", "C=CH, O=strongSwan", "C=CH, O=strongSwan, CN=tester", FALSE },
 };
-- 
2.43.0