From 51e8a84ce742db0f6c70510d0159dad8f7825908 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 21 Mar 2023 16:15:47 +0100 Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy() The function was incorrectly documented as enabling policy checking. Fixes: CVE-2023-0466 Reviewed-by: Matt Caswell Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/20563) Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908] CVE: CVE-2023-0466 Signed-off-by: Siddharth Doshi --- doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod index 75a1677..43c1900 100644 --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -98,8 +98,9 @@ B. X509_VERIFY_PARAM_set_time() sets the verification time in B to B. Normally the current time is used. -X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled -by default) and adds B to the acceptable policy set. +X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. +Contrary to preexisting documentation of this function it does not enable +policy checking. X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled by default) and sets the acceptable policy set to B. Any existing @@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. +The function X509_VERIFY_PARAM_add0_policy() was historically documented as +enabling policy checking however the implementation has never done this. +The documentation was changed to align with the implementation. + =head1 COPYRIGHT Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved. -- 2.35.7