Fix documentation of X509_VERIFY_PARAM_add0_policy()

The function was incorrectly documented as enabling policy checking. Fixes: CVE-2023-0466 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20561)
2023-03-21 16:15:47 +01:00 · 2023-03-21 16:15:47 +01:00 · 5ab3f71a33
parent 986f9a674d
commit 5ab3f71a33
3 changed files with 17 additions and 2 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -242,6 +242,13 @@ OpenSSL 3.1

 ### Changes between 3.1.0 and 3.1.1 [xx XXX xxxx]

+ * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
+   that it does not enable policy checking. Thanks to David Benjamin for
+   discovering this issue.
+   ([CVE-2023-0466])
+
+   *Tomáš Mráz*
+
 * Fixed an issue where invalid certificate policies in leaf certificates are
   silently ignored by OpenSSL and other certificate policy checks are skipped
   for that certificate. A malicious CA could use this to deliberately assert
@ -19901,6 +19908,7 @@ ndif

 <!-- Links -->

+[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
 [CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
 [CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
--- a/NEWS.md
+++ b/NEWS.md
@ -37,6 +37,7 @@ OpenSSL 3.1

 ### Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [under development]

+  * Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])
  * Fixed handling of invalid certificate policies in leaf certificates
    ([CVE-2023-0465])
  * Limited the number of nodes created in a policy tree ([CVE-2023-0464])
@ -1464,6 +1465,7 @@ OpenSSL 0.9.x
  * Support for various new platforms

 <!-- Links -->
+[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
 [CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
 [CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
 [CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@ -98,8 +98,9 @@ B<trust>.
 X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
 B<t>. Normally the current time is used.

-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
-by default) and adds B<policy> to the acceptable policy set.
+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
+Contrary to preexisting documentation of this function it does not enable
+policy checking.

 X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
 by default) and sets the acceptable policy set to B<policies>. Any existing
@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
 The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
 and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.

+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
+enabling policy checking however the implementation has never done this.
+The documentation was changed to align with the implementation.
+
 =head1 COPYRIGHT

 Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.