openssl: Accept CRLs issued by non-CA certificates with cRLSign keyUsage flag
authorTobias Brunner <tobias@strongswan.org>
Wed, 29 Jul 2020 16:40:20 +0000 (18:40 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 5 Oct 2020 13:39:37 +0000 (15:39 +0200)
The x509 plugin accepted CRL signers since forever, to be precise, since
dffb176f2bc0 ("CRLSign keyUsage or CA basicConstraint are sufficient
for CRL validation")).

References #3529.

src/libstrongswan/plugins/openssl/openssl_crl.c

index 3e7490dc6041856e274a2a0aa957547f0a4beca6..ca2830ce8554c57067115c18246e14e4a74a0ca8 100644 (file)
@@ -303,7 +303,7 @@ METHOD(certificate_t, issued_by, bool,
                return FALSE;
        }
        x509 = (x509_t*)issuer;
-       if (!(x509->get_flags(x509) & X509_CA))
+       if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
        {
                return FALSE;
        }
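Review bot: The widened condition on the `+` line still accepts any certificate with `X509_CA` set regardless of its keyUsage, so a CA certificate whose keyUsage extension is present but omits cRLSign passes as a CRL signer, which RFC 5280 §6.3.3 step (f) does not permit. Whether that can be tightened here depends on whether `get_flags()` distinguishes "no keyUsage extension" from "keyUsage present without cRLSign", which this hunk does not show; if it does, the `X509_CA` arm should additionally require that cRLSign is not explicitly absent. Either way the check deserves a why-comment, e.g. `/* RFC 5280 6.3.3: a CRL signer is a CA or a certificate asserting the cRLSign keyUsage bit */`, since the reason for accepting non-CA signers is only recorded in the commit message. The body of issued_by begins before this hunk and continues after it, so the issuer-name and signature checks that must accompany this flag test are not reviewable here.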