Fix documentation of X509_VERIFY_PARAM_add0_policy()

The function was incorrectly documented as enabling policy checking. Fixes: CVE-2023-0466 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20564)
author: Tomas Mraz <tomas@openssl.org> 2023-03-21 16:15:47 +0100
committer: Tomas Mraz <tomas@openssl.org> 2023-03-28 14:13:38 +0200
commit: 0d16b7e99aafc0b4a6d729eec65a411a7e025f0a (patch)
tree: d2797ea6cdecf1bf6554df3fe0a5ea7d3130ffcf
parent: 8bc232b14624b7af01801d7940b7dec59b3ae47d (diff)
3 files changed, 13 insertions, 2 deletions
diff --git a/CHANGES b/CHANGES
index efccf7838e..b19f1429bb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,11 @@
 
  Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
 
+  *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
+     that it does not enable policy checking. Thanks to
+     David Benjamin for discovering this issue. (CVE-2023-0466)
+     [Tomas Mraz]
+
   *) Fixed an issue where invalid certificate policies in leaf certificates are
      silently ignored by OpenSSL and other certificate policy checks are skipped
      for that certificate. A malicious CA could use this to deliberately assert
diff --git a/NEWS b/NEWS
index 36a9bb6890..62615693fa 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,7 @@
 
   Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [under development]
 
+      o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
       o Fixed handling of invalid certificate policies in leaf certificates
         (CVE-2023-0465)
       o Limited the number of nodes created in a policy tree ([CVE-2023-0464])
diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index f6f304bf7b..aa292f9336 100644
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -92,8 +92,9 @@ B<trust>.
 X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
 B<t>. Normally the current time is used.
 
-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
-by default) and adds B<policy> to the acceptable policy set.
+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
+Contrary to preexisting documentation of this function it does not enable
+policy checking.
 
 X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
 by default) and sets the acceptable policy set to B<policies>. Any existing
@@ -377,6 +378,10 @@ and has no effect.
 
 The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
 
+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
+enabling policy checking however the implementation has never done this.
+The documentation was changed to align with the implementation.
+
 =head1 COPYRIGHT
 
 Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
author	Tomas Mraz <tomas@openssl.org>	2023-03-21 16:15:47 +0100
committer	Tomas Mraz <tomas@openssl.org>	2023-03-28 14:13:38 +0200
commit	0d16b7e99aafc0b4a6d729eec65a411a7e025f0a (patch)
tree	d2797ea6cdecf1bf6554df3fe0a5ea7d3130ffcf
parent	8bc232b14624b7af01801d7940b7dec59b3ae47d (diff)