libressl: fix CVE-2017-8301

srcpkgs/libressl/patches/CVE-2017-8301.patch

@@ -0,0 +1,28 @@
+From e4ea34f17cdd3b81ab1b6bd4df3712fbe49dc136 Mon Sep 17 00:00:00 2001
+From: beck <>
+Date: Fri, 28 Apr 2017 23:03:58 +0000
+Subject: [PATCH] Revert previous change that forced consistency between return
+ value and error code, since this breaks the documented API. Under certain
+ circumstances this will result in incorrect successful certiticate
+ verification (where a user supplied callback always returns 1, and later code
+ checks the error code to potentially abort post verification)
+
+--- crypto/x509/x509_vfy.c
++++ crypto/x509/x509_vfy.c
+@@ -541,15 +541,7 @@ X509_verify_cert(X509_STORE_CTX *ctx)
+ 	/* Safety net, error returns must set ctx->error */
+ 	if (ok <= 0 && ctx->error == X509_V_OK)
+ 		ctx->error = X509_V_ERR_UNSPECIFIED;
+-
+-	/*
+-	 * Safety net, if user provided verify callback indicates sucess
+-	 * make sure they have set error to X509_V_OK
+-	 */
+-	if (ctx->verify_cb != null_callback && ok == 1)
+-		ctx->error = X509_V_OK;
+-
+-	return(ctx->error == X509_V_OK);
++	return ok;
+ }
+
+ /* Given a STACK_OF(X509) find the issuer of cert (if any)

srcpkgs/libressl/template

@@ -1,7 +1,7 @@
 # Template file for 'libressl'
 pkgname=libressl
 version=2.5.3
-revision=1
+revision=2
 bootstrap=yes
 build_style=gnu-configure
 short_desc="Version of the TLS/crypto stack forked from OpenSSL"