From: Tomas Mraz Date: Tue, 21 Mar 2023 15:15:47 +0000 (+0100) Subject: Fix documentation of X509_VERIFY_PARAM_add0_policy() X-Git-Tag: OpenSSL_1_1_1u~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a;p=thirdparty%2Fopenssl.git Fix documentation of X509_VERIFY_PARAM_add0_policy() The function was incorrectly documented as enabling policy checking. Fixes: CVE-2023-0466 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/20564) --- diff --git a/CHANGES b/CHANGES index efccf7838e6..b19f1429bbb 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,11 @@ Changes between 1.1.1t and 1.1.1u [xx XXX xxxx] + *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention + that it does not enable policy checking. Thanks to + David Benjamin for discovering this issue. (CVE-2023-0466) + [Tomas Mraz] + *) Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert diff --git a/NEWS b/NEWS index 36a9bb6890b..62615693fab 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,7 @@ Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [under development] + o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466) o Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465) o Limited the number of nodes created in a policy tree ([CVE-2023-0464]) diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod index f6f304bf7bd..aa292f9336f 100644 --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -92,8 +92,9 @@ B. X509_VERIFY_PARAM_set_time() sets the verification time in B to B. Normally the current time is used. -X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled -by default) and adds B to the acceptable policy set. +X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. +Contrary to preexisting documentation of this function it does not enable +policy checking. X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled by default) and sets the acceptable policy set to B. Any existing @@ -377,6 +378,10 @@ and has no effect. The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. +The function X509_VERIFY_PARAM_add0_policy() was historically documented as +enabling policy checking however the implementation has never done this. +The documentation was changed to align with the implementation. + =head1 COPYRIGHT Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.