Skip to content

Commit 0d16b7e

Browse files
t8mt8m
committed
Fix documentation of X509_VERIFY_PARAM_add0_policy()
The function was incorrectly documented as enabling policy checking. Fixes: CVE-2023-0466 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #20564)
1 parent 8bc232b commit 0d16b7e

File tree

3 files changed

+13
-2
lines changed

3 files changed

+13
-2
lines changed

CHANGES

+5
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,11 @@
99

1010
Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
1111

12+
*) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
13+
that it does not enable policy checking. Thanks to
14+
David Benjamin for discovering this issue. (CVE-2023-0466)
15+
[Tomas Mraz]
16+
1217
*) Fixed an issue where invalid certificate policies in leaf certificates are
1318
silently ignored by OpenSSL and other certificate policy checks are skipped
1419
for that certificate. A malicious CA could use this to deliberately assert

NEWS

+1
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@
77

88
Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [under development]
99

10+
o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
1011
o Fixed handling of invalid certificate policies in leaf certificates
1112
(CVE-2023-0465)
1213
o Limited the number of nodes created in a policy tree ([CVE-2023-0464])

doc/man3/X509_VERIFY_PARAM_set_flags.pod

+7-2
Original file line numberDiff line numberDiff line change
@@ -92,8 +92,9 @@ B<trust>.
9292
X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
9393
B<t>. Normally the current time is used.
9494

95-
X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
96-
by default) and adds B<policy> to the acceptable policy set.
95+
X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
96+
Contrary to preexisting documentation of this function it does not enable
97+
policy checking.
9798

9899
X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
99100
by default) and sets the acceptable policy set to B<policies>. Any existing
@@ -377,6 +378,10 @@ and has no effect.
377378

378379
The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
379380

381+
The function X509_VERIFY_PARAM_add0_policy() was historically documented as
382+
enabling policy checking however the implementation has never done this.
383+
The documentation was changed to align with the implementation.
384+
380385
=head1 COPYRIGHT
381386

382387
Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.

0 commit comments

Comments
 (0)