root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Fix documentation of X509_VERIFY_PARAM_add0_policy() 

The function was incorrectly documented as enabling policy checking.

Fixes: CVE-2023-0466

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20564)
This commit is contained in:
Tomas Mraz 2023-03-21 16:15:47 +01:00
parent 8bc232b146
commit 0d16b7e99a
3 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@ -9,6 +9,11 @@
Changes between 1.1.1t and 1.1.1u [xx XXX xxxx] Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
*) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
that it does not enable policy checking. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0466)
[Tomas Mraz]
*) Fixed an issue where invalid certificate policies in leaf certificates are *) Fixed an issue where invalid certificate policies in leaf certificates are
silently ignored by OpenSSL and other certificate policy checks are skipped silently ignored by OpenSSL and other certificate policy checks are skipped
for that certificate. A malicious CA could use this to deliberately assert for that certificate. A malicious CA could use this to deliberately assert

1
NEWS
View File

@ -7,6 +7,7 @@
Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [under development] Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [under development]
o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
o Fixed handling of invalid certificate policies in leaf certificates o Fixed handling of invalid certificate policies in leaf certificates
(CVE-2023-0465) (CVE-2023-0465)
o Limited the number of nodes created in a policy tree ([CVE-2023-0464]) o Limited the number of nodes created in a policy tree ([CVE-2023-0464])

9
doc/man3/X509_VERIFY_PARAM_set_flags.pod
View File

@ -92,8 +92,9 @@ B<trust>.
X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
B<t>. Normally the current time is used. B<t>. Normally the current time is used.
X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
by default) and adds B<policy> to the acceptable policy set. Contrary to preexisting documentation of this function it does not enable
policy checking.
X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
by default) and sets the acceptable policy set to B<policies>. Any existing by default) and sets the acceptable policy set to B<policies>. Any existing
@ -377,6 +378,10 @@ and has no effect.
The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
The function X509_VERIFY_PARAM_add0_policy() was historically documented as
enabling policy checking however the implementation has never done this.
The documentation was changed to align with the implementation.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved. Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.