blob: 5b0e65c38fbf1850c216b84366c9f7ded4a2f78d [file] [view]
# OpenSSL Advisory: March 28th, 2023
OpenSSL have published a [security advisory](https://openssl-library.org/news/secadv/20230328.txt). Here's how it affects BoringSSL:
CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL
----|---------|-----------------------|---------------------
CVE-2023-0465 | Invalid certificate policies in leaf certificates are silently ignored | Low | Fixed [December 2022](https://boringssl.googlesource.com/boringssl/+/d1b20a9580aebb6fbb0b1b2408cf1221d83afb71)
CVE-2023-0466 | Certificate policy check not enabled | Low | See discussion below
[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity
## CVE-2023-0465
We discovered this issue while working on the X.509 implementation in BoringSSL. This was fixed in BoringSSL on [December 20, 2022](https://boringssl.googlesource.com/boringssl/+/d1b20a9580aebb6fbb0b1b2408cf1221d83afb71). Applications that enable policy validation should update to `d1b20a9580aeb` or later.
Policy validation is enabled if one of the following APIs is used:
* `X509_VERIFY_PARAM_set1_policies`
* `X509_V_FLAG_POLICY_CHECK`
* `X509_V_FLAG_EXPLICIT_POLICY`
* `X509_V_FLAG_INHIBIT_ANY`
* `X509_V_FLAG_INHIBIT_MAP`
## CVE-2023-0466
We discovered this issue while working on the X.509 implementation in BoringSSL. The `X509_VERIFY_PARAM_add0_policy` function, contrary to its documentation in OpenSSL, does not implicitly enable policy validation. OpenSSL opted to leave the functions behavior unchanged and update the documentation.
Applications that call `X509_VERIFY_PARAM_add0_policy` and do not use one of the above APIs should explicitly call `X509_VERIFY_PARAM_set_flags` with `X509_V_FLAG_POLICY_CHECK` if the intent was to enable policy validation.
Future revisions of BoringSSL may enable policy validation unconditionally to address some [issues with critical extensions](https://bugs.chromium.org/p/boringssl/issues/detail?id=557), which will make this moot.
*January 27th, 2026 addendum: Policy validation was enabled unconditionally in BoringSSL shortly after this advisory was published, on [March 30th, 2023](https://boringssl.googlesource.com/boringssl/+/28226f584e8fb65eb8730721dcb5001f2a072efc).*