81 lines
3.5 KiB
Diff
81 lines
3.5 KiB
Diff
From f079bca52e6abf58d32cc003f32a3ab3c6781f44 Mon Sep 17 00:00:00 2001
|
|
From: Tomas Mraz <tomas@openssl.org>
|
|
Date: Tue, 21 Mar 2023 16:15:47 +0100
|
|
Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy()
|
|
|
|
The function was incorrectly documented as enabling policy checking.
|
|
|
|
Fixes: CVE-2023-0466
|
|
---
|
|
CHANGES.md | 8 ++++++++
|
|
NEWS.md | 2 ++
|
|
doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++--
|
|
3 files changed, 17 insertions(+), 2 deletions(-)
|
|
|
|
--- a/CHANGES.md
|
|
+++ b/CHANGES.md
|
|
@@ -30,6 +30,13 @@ breaking changes, and mappings for the l
|
|
|
|
### Changes between 3.0.7 and 3.0.8 [7 Feb 2023]
|
|
|
|
+ * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
|
|
+ that it does not enable policy checking. Thanks to David Benjamin for
|
|
+ discovering this issue.
|
|
+ ([CVE-2023-0466])
|
|
+
|
|
+ *Tomáš Mráz*
|
|
+
|
|
* Fixed an issue where invalid certificate policies in leaf certificates are
|
|
silently ignored by OpenSSL and other certificate policy checks are skipped
|
|
for that certificate. A malicious CA could use this to deliberately assert
|
|
@@ -19597,6 +19604,7 @@ ndif
|
|
|
|
<!-- Links -->
|
|
|
|
+[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
|
|
[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
|
|
[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
|
|
[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
|
|
--- a/NEWS.md
|
|
+++ b/NEWS.md
|
|
@@ -20,6 +20,7 @@ OpenSSL 3.0
|
|
|
|
### Major changes between OpenSSL 3.0.7 and OpenSSL 3.0.8 [7 Feb 2023]
|
|
|
|
+ * Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])
|
|
* Fixed handling of invalid certificate policies in leaf certificates
|
|
([CVE-2023-0465])
|
|
* Limited the number of nodes created in a policy tree ([CVE-2023-0464])
|
|
@@ -1433,6 +1434,7 @@ OpenSSL 0.9.x
|
|
* Support for various new platforms
|
|
|
|
<!-- Links -->
|
|
+[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
|
|
[CVE-2023-0465]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465
|
|
[CVE-2023-0464]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0464
|
|
[CVE-2023-0401]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0401
|
|
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
|
|
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
|
|
@@ -98,8 +98,9 @@ B<trust>.
|
|
X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
|
|
B<t>. Normally the current time is used.
|
|
|
|
-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
|
|
-by default) and adds B<policy> to the acceptable policy set.
|
|
+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
|
|
+Contrary to preexisting documentation of this function it does not enable
|
|
+policy checking.
|
|
|
|
X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
|
|
by default) and sets the acceptable policy set to B<policies>. Any existing
|
|
@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() fu
|
|
The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
|
|
and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.
|
|
|
|
+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
|
|
+enabling policy checking however the implementation has never done this.
|
|
+The documentation was changed to align with the implementation.
|
|
+
|
|
=head1 COPYRIGHT
|
|
|
|
Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
|