2 files changed, 33 insertions, 0 deletions

diff --git a/security/libressl/Makefile b/security/libressl/Makefile
index e4d241dc4f24..60a96c616dfa 100644
--- a/security/libressl/Makefile
+++ b/security/libressl/Makefile
@@ -3,6 +3,7 @@
 
 PORTNAME=	libressl
 PORTVERSION=	2.5.3
+PORTREVISION=	1
 CATEGORIES=	security devel
 MASTER_SITES=	OPENBSD/LibreSSL
 
diff --git a/security/libressl/files/patch-CVE-2017-8301 b/security/libressl/files/patch-CVE-2017-8301
new file mode 100644
index 000000000000..21b24aa330e2
--- /dev/null
+++ b/security/libressl/files/patch-CVE-2017-8301
@@ -0,0 +1,32 @@
+https://marc.info/?l=openbsd-cvs&m=149342064612660
+
+===================================================================
+RCS file: /cvs/src/lib/libcrypto/x509/x509_vfy.c,v
+retrieving revision 1.61
+retrieving revision 1.61.4.1
+diff -u -r1.61 -r1.61.4.1
+--- crypto/x509/x509_vfy.c	2017/02/05 02:33:21	1.61
++++ crypto/x509/x509_vfy.c	2017/04/28 23:12:04	1.61.4.1
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: x509_vfy.c,v 1.61 2017/02/05 02:33:21 beck Exp $ */
++/* $OpenBSD: x509_vfy.c,v 1.61.4.1 2017/04/28 23:12:04 beck Exp $ */
+ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+  * All rights reserved.
+  *
+@@ -541,15 +541,7 @@
+ 	/* Safety net, error returns must set ctx->error */
+ 	if (ok <= 0 && ctx->error == X509_V_OK)
+ 		ctx->error = X509_V_ERR_UNSPECIFIED;
+-
+-	/*
+-	 * Safety net, if user provided verify callback indicates sucess
+-	 * make sure they have set error to X509_V_OK
+-	 */
+-	if (ctx->verify_cb != null_callback && ok == 1)
+-		ctx->error = X509_V_OK;
+-
+-	return(ctx->error == X509_V_OK);
++	return ok;
+ }
+ 
+ /* Given a STACK_OF(X509) find the issuer of cert (if any)