Fix documentation of X509_VERIFY_PARAM_add0_policy()

The function was incorrectly documented as enabling policy checking. Fixes: CVE-2023-0466 Reviewed-by: N Matt Caswell <matt@openssl.org> Reviewed-by: N Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20564) Signed-off-by: N code4lala <fengziteng2@huawei.com>

Fix documentation of X509_VERIFY_PARAM_add0_policy()
The function was incorrectly documented as enabling policy checking. Fixes: CVE-2023-0466 Reviewed-by: N Matt Caswell <matt@openssl.org> Reviewed-by: N Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20564) Signed-off-by: N code4lala <fengziteng2@huawei.com>
4825a775 · Tomas Mraz · code4lala · 48eb1191 · 4825a775 · 4825a775
隐藏空白更改
内联并排

Showing with 12 addition and 2 deletion

CHANGES CHANGES +4 -0

NEWS NEWS +1 -0

doc/man3/X509_VERIFY_PARAM_set_flags.pod doc/man3/X509_VERIFY_PARAM_set_flags.pod +7 -2

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,10 @@
 release branch.

 Changes between 1.1.1s and 1.1.1t [xx XXX xxxx]
+  *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
+     that it does not enable policy checking. Thanks to
+     David Benjamin for discovering this issue. (CVE-2023-0466)
+     [Tomas Mraz]

  *) Fixed a type confusion vulnerability relating to X.400 address processing
     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING

--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@

  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.
+      o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)

  Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]


--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -92,8 +92,9 @@ B<trust>.
 X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
 B<t>. Normally the current time is used.

-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
-by default) and adds B<policy> to the acceptable policy set.
+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
+Contrary to preexisting documentation of this function it does not enable
+policy checking.

 X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
 by default) and sets the acceptable policy set to B<policies>. Any existing
@@ -377,6 +378,10 @@ and has no effect.

 The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.

+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
+enabling policy checking however the implementation has never done this.
+The documentation was changed to align with the implementation.
+
 =head1 COPYRIGHT

 Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.