3 files changed, +13 -2 lines changed
Original file line number Diff line number Diff line change 99
1010 Changes between 1.0.2zg and 1.0.2zh [xx XXX xxxx]
1111
12+ *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
13+ that it does not enable policy checking. Thanks to
14+ David Benjamin for discovering this issue. (CVE-2023-0466)
15+ [Tomas Mraz]
16+
1217 *) Fixed an issue where invalid certificate policies in leaf certificates are
1318 silently ignored by OpenSSL and other certificate policy checks are skipped
1419 for that certificate. A malicious CA could use this to deliberately assert
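Review bot: the new CHANGES entry records the documentation fix but not its consequence for callers, which is the security-relevant part: an application that followed the old text and called only X509_VERIFY_PARAM_add0_policy() has never had certificate policy checking enabled, so the entry should say that such applications must enable checking explicitly, for example by noting that X509_VERIFY_PARAM_set1_policies() does enable it, as the same man page states. Consider also wording the first sentence as "Corrected the documentation of X509_VERIFY_PARAM_add0_policy() to state that it does not enable policy checking", since "to mention" understates a correction that carries a CVE.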
Original file line number Diff line number Diff line change 77
88 Major changes between OpenSSL 1.0.2zg and OpenSSL 1.0.2zh [under development]
99
10+ o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
1011 o Fixed handling of invalid certificate policies in leaf certificates
1112 (CVE-2023-0465)
1213 o Limited the number of nodes created in a policy tree ([CVE-2023-0464])
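Review bot: CVE reference formatting is inconsistent within this NEWS block: the new line and the CVE-2023-0465 line write "(CVE-2023-0466)" and "(CVE-2023-0465)", while the CVE-2023-0464 line directly below writes "([CVE-2023-0464])" with extra square brackets. Since this change already touches the block, make the three consistent (drop the brackets on the 0464 line or add them on the other two). The new line could also state what was wrong, e.g. "o Fixed documentation of X509_VERIFY_PARAM_add0_policy(), which does not enable policy checking (CVE-2023-0466)", so a reader of NEWS can tell whether they are affected without opening CHANGES.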
Original file line number Diff line number Diff line change @@ -62,8 +62,9 @@ B<trust>.
6262X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
6363B<t>. Normally the current time is used.
6464
65- X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
66- by default) and adds B<policy> to the acceptable policy set.
65+ X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
66+ Contrary to preexisting documentation of this function it does not enable
67+ policy checking.
6768
6869X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
6970by default) and sets the acceptable policy set to B<policies>. Any existing
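Review bot: the replacement paragraph says what X509_VERIFY_PARAM_add0_policy() does not do but not how to obtain policy checking, which is exactly what an application that relied on the old text needs; add a pointer such as "It does not enable policy checking; see X509_VERIFY_PARAM_set1_policies(), which does, or the verification flag that turns policy checking on." The second sentence also needs a comma after "function" ("Contrary to preexisting documentation of this function, it does not enable policy checking"), and "preexisting documentation" reads better in a man page as "earlier versions of this documentation".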
@@ -263,4 +264,8 @@ L<x509(1)|x509(1)>
263264
264265The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.0.2b
265266
267+ The function X509_VERIFY_PARAM_add0_policy() was historically documented as
268+ enabling policy checking however the implementation has never done this.
269+ The documentation was changed to align with the implementation.
270+
266271=cut
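Review bot: the new HISTORY paragraph should name the release in which the documentation was corrected, matching the form of the preceding entry ("was added in OpenSSL 1.0.2b"); per the CHANGES and NEWS entries in this same commit that is 1.0.2zh, so end with "The documentation was changed in OpenSSL 1.0.2zh to align with the implementation." The first sentence is also a run-on: write "...as enabling policy checking; however, the implementation has never done this." or split it into two sentences.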