From 7f170e4c9cb618c25ba7b85fa370db5265bbf15a Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Wed, 29 Jul 2020 18:40:20 +0200
Subject: [PATCH] openssl: Accept CRLs issued by non-CA certificates with cRLSign keyUsage flag

The x509 plugin accepted CRL signers since forever, to be precise, since dffb176f2bc0 ("CRLSign keyUsage or CA basicConstraint are sufficient for CRL validation")). References #3529.
---
 src/libstrongswan/plugins/openssl/openssl_crl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index 3e7490dc6..ca2830ce8 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -303,7 +303,7 @@ METHOD(certificate_t, issued_by, bool,
 		return FALSE;
 	}
 	x509 = (x509_t*)issuer;
-	if (!(x509->get_flags(x509) & X509_CA))
+	if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN)))
 	{
 		return FALSE;
 	}
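Review bot: The widened condition on the `+` line makes X509_CA alone sufficient, so a CA certificate that carries a keyUsage extension without cRLSign still passes as a CRL issuer, while RFC 5280 section 6.3.3 step (f) requires cRLSign whenever a keyUsage extension is present; the commit matches the x509 plugin's long-standing policy as described but does not address that case, and whether get_flags() exposes "keyUsage present without cRLSign" cannot be seen from this hunk. Since the acceptance policy is now a deliberate choice shared with the x509 plugin, it should be stated at the check, e.g. `/* CAs or certificates with the cRLSign keyUsage bit may issue CRLs (RFC 5280 6.3.3); mirrors the x509 plugin's policy */`. The body of issued_by starts before and continues after the hunk, so whether the CRL's issuer name is matched against the signer elsewhere is outside this view.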