Fix documentation of X509_VERIFY_PARAM_add0_policy()

The function was incorrectly documented as enabling policy checking. Fixes: CVE-2023-0466 Reviewed-by: N Matt Caswell <matt@openssl.org> Reviewed-by: N Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20563) Signed-off-by: N code4lala <fengziteng2@huawei.com> Change-Id: I515b0c03074af5cf5a6f5e72bcec4a2d6642707a

Fix documentation of X509_VERIFY_PARAM_add0_policy()
The function was incorrectly documented as enabling policy checking. Fixes: CVE-2023-0466 Reviewed-by: N Matt Caswell <matt@openssl.org> Reviewed-by: N Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20563) Signed-off-by: N code4lala <fengziteng2@huawei.com> Change-Id: I515b0c03074af5cf5a6f5e72bcec4a2d6642707a
826e5cbc · Tomas Mraz · code4lala · 5170a5b1 · 826e5cbc · 826e5cbc
隐藏空白更改
内联并排

Showing with 17 addition and 2 deletion

CHANGES.md CHANGES.md +8 -0

NEWS.md NEWS.md +2 -0

doc/man3/X509_VERIFY_PARAM_set_flags.pod doc/man3/X509_VERIFY_PARAM_set_flags.pod +7 -2

未找到文件。
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -28,6 +28,13 @@ breaking changes, and mappings for the large list of deprecated functions.

 [Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod

+ * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
+   that it does not enable policy checking. Thanks to David Benjamin for
+   discovering this issue.
+   ([CVE-2023-0466])
+
+   *Tomáš Mráz*
+
 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
   happens if the buffer size is 4 mod 5. This can trigger a crash of an
   application using AES-XTS decryption if the memory just after the buffer
@@ -19442,6 +19449,7 @@ ndif

 <!-- Links -->

+[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
 [CVE-2023-0286]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0286
 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274

--- a/NEWS.md
+++ b/NEWS.md
@@ -17,6 +17,7 @@ OpenSSL Releases

 OpenSSL 3.0
 -----------
+  * Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])
  * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms
    ([CVE-2023-1255])

@@ -1421,6 +1422,7 @@ OpenSSL 0.9.x

 <!-- Links -->

+[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
 [CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
 [CVE-2022-2274]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274
 [CVE-2022-2097]: https://www.openssl.org/news/vulnerabilities.html#CVE-2022-2274

--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -97,8 +97,9 @@ B<trust>.
 X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
 B<t>. Normally the current time is used.

-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
-by default) and adds B<policy> to the acceptable policy set.
+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
+Contrary to preexisting documentation of this function it does not enable
+policy checking.

 X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
 by default) and sets the acceptable policy set to B<policies>. Any existing
@@ -399,6 +400,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
 The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
 and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.

+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
+enabling policy checking however the implementation has never done this.
+The documentation was changed to align with the implementation.
+
 =head1 COPYRIGHT

 Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.