3 files changed (+13 -2 lines)
Original file line number Diff line number Diff line change 99
1010 Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
1111
12+ *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
13+ that it does not enable policy checking. Thanks to
14+ David Benjamin for discovering this issue. (CVE-2023-0466)
15+ [Tomas Mraz]
16+
1217 *) Fixed an issue where invalid certificate policies in leaf certificates are
1318 silently ignored by OpenSSL and other certificate policy checks are skipped
1419 for that certificate. A malicious CA could use this to deliberately assert
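Review bot: The new CHANGES entry (lines 12-15) states only that the documentation was corrected; it should also say what an application that relied on the old wording must do, because a caller who expected X509_VERIFY_PARAM_add0_policy() to turn on policy checking is still running without it. One added sentence would cover it, for instance: "Applications that relied on the old documentation must enable policy checking explicitly, e.g. via X509_VERIFY_PARAM_set1_policies()", which the pod hunk in this same commit documents as the function that does enable checking. Minor: the sibling entry below uses the same layout (description, blank line, author in brackets), so the format here is consistent.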
Original file line number Diff line number Diff line change 77
88 Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [under development]
99
10+ o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
1011 o Fixed handling of invalid certificate policies in leaf certificates
1112 (CVE-2023-0465)
1213 o Limited the number of nodes created in a policy tree ([CVE-2023-0464])
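Review bot: The NEWS line "Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)" does not tell a reader what was wrong, while the two neighbouring entries each name the behaviour that changed. Since this is a CVE against documentation, the one-liner should carry the security-relevant fact, e.g. "Fixed documentation of X509_VERIFY_PARAM_add0_policy(), which was wrongly described as enabling policy checking (CVE-2023-0466)". Also note the inconsistent CVE bracketing in the unchanged context: "([CVE-2023-0464])" versus "(CVE-2023-0465)"; not introduced by this change, but worth normalising while the file is being touched.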
Original file line number Diff line number Diff line change @@ -92,8 +92,9 @@ B<trust>.
9292X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
9393B<t>. Normally the current time is used.
9494
95- X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
96- by default) and adds B<policy> to the acceptable policy set.
95+ X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
96+ Contrary to preexisting documentation of this function it does not enable
97+ policy checking.
9798
9899X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
99100by default) and sets the acceptable policy set to B<policies>. Any existing
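Review bot: The replacement paragraph (lines 95-97) makes the man page describe its own past ("Contrary to preexisting documentation of this function it does not enable policy checking"), which is HISTORY-section material and reads oddly in the function description; it is also missing a comma after "function". Prefer a positive statement of current behaviour plus a pointer to the function that does enable checking, which the very next paragraph already documents, e.g.: "X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set. It does not enable policy checking; see X509_VERIFY_PARAM_set1_policies()." The historical note can then live solely in the HISTORY hunk below.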
@@ -377,6 +378,10 @@ and has no effect.
377378
378379The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
379380
381+ The function X509_VERIFY_PARAM_add0_policy() was historically documented as
382+ enabling policy checking however the implementation has never done this.
383+ The documentation was changed to align with the implementation.
384+
380385=head1 COPYRIGHT
381386
382387Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
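Review bot: The new HISTORY paragraph (lines 381-383) is missing punctuation before "however" ("... enabling policy checking; however, the implementation has never done this") and, unlike the preceding entry which names the release ("was added in OpenSSL 1.1.0i"), it does not say in which version the documentation was corrected or reference the CVE. Suggest: "The documentation of X509_VERIFY_PARAM_add0_policy() was corrected in OpenSSL 1.1.1u (CVE-2023-0466); it was historically documented as enabling policy checking, which the implementation has never done." The 1.1.1u version is the one the NEWS hunk in this commit assigns to the fix.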