Skip to content

Commit fc814a3

Browse files
committed
Fix documentation of X509_VERIFY_PARAM_add0_policy()
The function was incorrectly documented as enabling policy checking. Fixes: CVE-2023-0466 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from #20562)
1 parent 07d8baf commit fc814a3

File tree

3 files changed

+17
-2
lines changed

3 files changed

+17
-2
lines changed

Diff for: CHANGES.md

+8
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,13 @@ OpenSSL 3.1
2424

2525
### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx]
2626

27+
* Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
28+
that it does not enable policy checking. Thanks to David Benjamin for
29+
discovering this issue.
30+
([CVE-2023-0466])
31+
32+
*Tomáš Mráz*
33+
2734
* Fixed an issue where invalid certificate policies in leaf certificates are
2835
silently ignored by OpenSSL and other certificate policy checks are skipped
2936
for that certificate. A malicious CA could use this to deliberately assert
@@ -19699,6 +19706,7 @@ ndif
1969919706

1970019707
<!-- Links -->
1970119708

19709+
[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
1970219710
[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
1970319711
[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
1970419712
[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401

Diff for: NEWS.md

+2
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,7 @@ OpenSSL 3.1
2121

2222
### Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [under development]
2323

24+
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])
2425
* Fixed handling of invalid certificate policies in leaf certificates
2526
([CVE-2023-0465])
2627
* Limited the number of nodes created in a policy tree ([CVE-2023-0464])
@@ -1448,6 +1449,7 @@ OpenSSL 0.9.x
14481449
* Support for various new platforms
14491450

14501451
<!-- Links -->
1452+
[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
14511453
[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
14521454
[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
14531455
[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401

Diff for: doc/man3/X509_VERIFY_PARAM_set_flags.pod

+7-2
Original file line numberDiff line numberDiff line change
@@ -98,8 +98,9 @@ B<trust>.
9898
X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
9999
B<t>. Normally the current time is used.
100100

101-
X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
102-
by default) and adds B<policy> to the acceptable policy set.
101+
X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
102+
Contrary to preexisting documentation of this function it does not enable
103+
policy checking.
103104

104105
X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
105106
by default) and sets the acceptable policy set to B<policies>. Any existing
@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
400401
The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
401402
and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.
402403

404+
The function X509_VERIFY_PARAM_add0_policy() was historically documented as
405+
enabling policy checking however the implementation has never done this.
406+
The documentation was changed to align with the implementation.
407+
403408
=head1 COPYRIGHT
404409

405410
Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.

0 commit comments

Comments
 (0)