From: Tobias Brunner Date: Wed, 29 Jul 2020 16:40:20 +0000 (+0200) Subject: openssl: Accept CRLs issued by non-CA certificates with cRLSign keyUsage flag X-Git-Tag: 5.9.1dr1~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7f170e4c9cb618c25ba7b85fa370db5265bbf15a;p=thirdparty%2Fstrongswan.git openssl: Accept CRLs issued by non-CA certificates with cRLSign keyUsage flag The x509 plugin accepted CRL signers since forever, to be precise, since dffb176f2bc0 ("CRLSign keyUsage or CA basicConstraint are sufficient for CRL validation")). References #3529. --- diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c index 3e7490dc60..ca2830ce85 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crl.c +++ b/src/libstrongswan/plugins/openssl/openssl_crl.c @@ -303,7 +303,7 @@ METHOD(certificate_t, issued_by, bool, return FALSE; } x509 = (x509_t*)issuer; - if (!(x509->get_flags(x509) & X509_CA)) + if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN))) { return FALSE; }
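Review bot: the relaxed test `if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))` accepts an issuer that has either flag, so a CA certificate whose keyUsage extension is present but lacks cRLSign still passes, which is looser than RFC 5280 section 6.3.3 (cRLSign is required whenever the issuer carries a keyUsage extension); if matching the x509 plugin's behaviour from dffb176f2bc0 is the intent, say so explicitly in the commit message, otherwise consider rejecting issuers that have a keyUsage extension without cRLSign. The cast `x509 = (x509_t*)issuer;` depends on the type check that precedes the hunk, so a unit test with a non-CA certificate carrying cRLSign and one with neither flag would pin down the new acceptance rule.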