git.ipfire.org Git - thirdparty/openssl.git/commit

author	Matt Caswell <matt@openssl.org>
	Fri, 3 Dec 2021 15:56:58 +0000 (15:56 +0000)
committer	Matt Caswell <matt@openssl.org>
	Tue, 14 Dec 2021 14:28:45 +0000 (14:28 +0000)
commit	758754966791c537ea95241438454aa86f91f256
tree	7e1d324d9d840bcd4cbdb75c69444a9501e1366b	tree
parent	8e78289c4e6f4c9f2fec073b78443736e689854d	commit \| diff

Fix invalid handling of verify errors in libssl

In the event that X509_verify() returned an internal error result then
libssl would mishandle this and set rwstate to SSL_RETRY_VERIFY. This
subsequently causes SSL_get_error() to return SSL_ERROR_WANT_RETRY_VERIFY.
That return code is supposed to only ever be returned if an application
is using an app verify callback to complete replace the use of
X509_verify(). Applications may not be written to expect that return code
and could therefore crash (or misbehave in some other way) as a result.

CVE-2021-4044

Reviewed-by: Tomas Mraz <tomas@openssl.org>

ssl/ssl_cert.c		diff \| blob \| blame \| history
ssl/statem/statem_clnt.c		diff \| blob \| blame \| history