3 files changed: +17 -2 lines changed
lines changed Original file line number Diff line number Diff line change @@ -24,6 +24,13 @@ OpenSSL 3.1
2424
2525### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx]
2626
27+ * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
28+ that it does not enable policy checking. Thanks to David Benjamin for
29+ discovering this issue.
30+ ([CVE-2023-0466])
31+
32+ *Tomáš Mráz*
33+
2734 * Fixed an issue where invalid certificate policies in leaf certificates are
2835 silently ignored by OpenSSL and other certificate policy checks are skipped
2936 for that certificate. A malicious CA could use this to deliberately assert
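Review bot: the new CHANGES entry states the correction but not its consequence for callers, which is what a reader of a security-tagged entry needs first; consider adding one sentence after "that it does not enable policy checking" along the lines of "Applications that relied on X509_VERIFY_PARAM_add0_policy() to turn on policy checking were not performing certificate policy checks and must enable them explicitly." The link reference [CVE-2023-0466] used here is only satisfied by the addition in the later "Links" hunk, so both hunks must land together or the Markdown link renders as literal text.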
@@ -19699,6 +19706,7 @@ ndif
1969919706
1970019707<!-- Links -->
1970119708
19709+ [CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
1970219710[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
1970319711[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
1970419712[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
Original file line number Diff line number Diff line change @@ -21,6 +21,7 @@ OpenSSL 3.1
2121
2222### Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [ under development]
2323
24+ * Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([ CVE-2023 -0466] )
2425 * Fixed handling of invalid certificate policies in leaf certificates
2526 ([ CVE-2023 -0465] )
2627 * Limited the number of nodes created in a policy tree ([ CVE-2023 -0464] )
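Review bot: the NEWS wording "Fixed documentation of X509_VERIFY_PARAM_add0_policy()" gives no hint of why this carries a CVE; mirroring the CHANGES entry with a short qualifier such as "(it does not enable policy checking)" would let readers of NEWS alone judge whether they are affected. The reference label matches the one added in the following "Links" hunk, so the two hunks are consistent.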
@@ -1448,6 +1449,7 @@ OpenSSL 0.9.x
14481449 * Support for various new platforms
14491450
14501451<!-- Links -->
1452+ [ CVE-2023-0466 ] : https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
14511453[ CVE-2023-0465 ] : https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
14521454[ CVE-2023-0464 ] : https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
14531455[ CVE-2023-0401 ] : https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
Original file line number Diff line number Diff line change @@ -98,8 +98,9 @@ B<trust>.
9898X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
9999B<t>. Normally the current time is used.
100100
101- X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
102- by default) and adds B<policy> to the acceptable policy set.
101+ X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
102+ Contrary to preexisting documentation of this function it does not enable
103+ policy checking.
103104
104105X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
105106by default) and sets the acceptable policy set to B<policies>. Any existing
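Review bot: the replacement paragraph says what the function does not do but leaves the reader without the positive instruction they came for; after "it does not enable policy checking." add a pointer to how checking is actually enabled, for example "Policy checking must be enabled separately, for example via X509_VERIFY_PARAM_set1_policies() or by setting the policy-check verification flag." Minor wording: "preexisting" is normally "pre-existing", and a comma after "this function" makes the sentence easier to parse.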
@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
400401The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
401402and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.
402403
404+ The function X509_VERIFY_PARAM_add0_policy() was historically documented as
405+ enabling policy checking however the implementation has never done this.
406+ The documentation was changed to align with the implementation.
407+
403408=head1 COPYRIGHT
404409
405410Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
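Review bot: the HISTORY paragraph reads as a run-on; "enabling policy checking however the implementation has never done this" needs a semicolon or comma before "however". The surrounding HISTORY entries name the release in which each change happened ("added in OpenSSL 3.0"), so this note should do the same, e.g. "The documentation was changed in OpenSSL 3.1.1 to align with the implementation.", matching the CHANGES section this commit edits.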