libressl: fix CVE-2017-8301

This commit is contained in:
Duncaen 2017-04-30 02:20:32 +02:00
parent 9401e89012
commit 1cade96ef9
2 changed files with 29 additions and 1 deletions

View file

@ -0,0 +1,28 @@
From e4ea34f17cdd3b81ab1b6bd4df3712fbe49dc136 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Fri, 28 Apr 2017 23:03:58 +0000
Subject: [PATCH] Revert previous change that forced consistency between return
value and error code, since this breaks the documented API. Under certain
circumstances this will result in incorrect successful certiticate
verification (where a user supplied callback always returns 1, and later code
checks the error code to potentially abort post verification)
--- crypto/x509/x509_vfy.c
+++ crypto/x509/x509_vfy.c
@@ -541,15 +541,7 @@ X509_verify_cert(X509_STORE_CTX *ctx)
/* Safety net, error returns must set ctx->error */
if (ok <= 0 && ctx->error == X509_V_OK)
ctx->error = X509_V_ERR_UNSPECIFIED;
-
- /*
- * Safety net, if user provided verify callback indicates sucess
- * make sure they have set error to X509_V_OK
- */
- if (ctx->verify_cb != null_callback && ok == 1)
- ctx->error = X509_V_OK;
-
- return(ctx->error == X509_V_OK);
+ return ok;
}
/* Given a STACK_OF(X509) find the issuer of cert (if any)

View file

@ -1,7 +1,7 @@
# Template file for 'libressl'
pkgname=libressl
version=2.5.3
revision=1
revision=2
bootstrap=yes
build_style=gnu-configure
short_desc="Version of the TLS/crypto stack forked from OpenSSL"