libressl: fix CVE-2017-8301
This commit is contained in:
Duncaen
parent
9401e89012
commit
1cade96ef9
|
|
@ -0,0 +1,28 @@
|
||||||
|
From e4ea34f17cdd3b81ab1b6bd4df3712fbe49dc136 Mon Sep 17 00:00:00 2001
|
||||||
|
From: beck <>
|
||||||
|
Date: Fri, 28 Apr 2017 23:03:58 +0000
|
||||||
|
Subject: [PATCH] Revert previous change that forced consistency between return
|
||||||
|
value and error code, since this breaks the documented API. Under certain
|
||||||
|
circumstances this will result in incorrect successful certiticate
|
||||||
|
verification (where a user supplied callback always returns 1, and later code
|
||||||
|
checks the error code to potentially abort post verification)
|
||||||
|
|
||||||
|
--- crypto/x509/x509_vfy.c
|
||||||
|
+++ crypto/x509/x509_vfy.c
|
||||||
|
@@ -541,15 +541,7 @@ X509_verify_cert(X509_STORE_CTX *ctx)
|
||||||
|
/* Safety net, error returns must set ctx->error */
|
||||||
|
if (ok <= 0 && ctx->error == X509_V_OK)
|
||||||
|
ctx->error = X509_V_ERR_UNSPECIFIED;
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * Safety net, if user provided verify callback indicates sucess
|
||||||
|
- * make sure they have set error to X509_V_OK
|
||||||
|
- */
|
||||||
|
- if (ctx->verify_cb != null_callback && ok == 1)
|
||||||
|
- ctx->error = X509_V_OK;
|
||||||
|
-
|
||||||
|
- return(ctx->error == X509_V_OK);
|
||||||
|
+ return ok;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Given a STACK_OF(X509) find the issuer of cert (if any)
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
# Template file for 'libressl'
|
# Template file for 'libressl'
|
||||||
pkgname=libressl
|
pkgname=libressl
|
||||||
version=2.5.3
|
version=2.5.3
|
||||||
revision=1
|
revision=2
|
||||||
bootstrap=yes
|
bootstrap=yes
|
||||||
build_style=gnu-configure
|
build_style=gnu-configure
|
||||||
short_desc="Version of the TLS/crypto stack forked from OpenSSL"
|
short_desc="Version of the TLS/crypto stack forked from OpenSSL"
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue