Skip to content

Commit

Permalink
Fix documentation of X509_VERIFY_PARAM_add0_policy()
Browse files Browse the repository at this point in the history
The function was incorrectly documented as enabling policy checking.

Fixes: CVE-2023-0466

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from #20564)
  • Loading branch information
t8m committed Mar 28, 2023
1 parent 8bc232b commit 0d16b7e
Show file tree
Hide file tree
Showing 3 changed files with 13 additions and 2 deletions.
5 changes: 5 additions & 0 deletions CHANGES
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,11 @@

Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]

*) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
that it does not enable policy checking. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0466)
[Tomas Mraz]

*) Fixed an issue where invalid certificate policies in leaf certificates are
silently ignored by OpenSSL and other certificate policy checks are skipped
for that certificate. A malicious CA could use this to deliberately assert
Expand Down
1 change: 1 addition & 0 deletions NEWS
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@

Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [under development]

o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
o Fixed handling of invalid certificate policies in leaf certificates
(CVE-2023-0465)
o Limited the number of nodes created in a policy tree ([CVE-2023-0464])
Expand Down
9 changes: 7 additions & 2 deletions doc/man3/X509_VERIFY_PARAM_set_flags.pod
Original file line number Diff line number Diff line change
Expand Up @@ -92,8 +92,9 @@ B<trust>.
X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
B<t>. Normally the current time is used.

X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
by default) and adds B<policy> to the acceptable policy set.
X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
Contrary to preexisting documentation of this function it does not enable
policy checking.

X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
by default) and sets the acceptable policy set to B<policies>. Any existing
Expand Down Expand Up @@ -377,6 +378,10 @@ and has no effect.

The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.

The function X509_VERIFY_PARAM_add0_policy() was historically documented as
enabling policy checking however the implementation has never done this.
The documentation was changed to align with the implementation.

=head1 COPYRIGHT

Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
Expand Down

0 comments on commit 0d16b7e

Please sign in to comment.