
CVE-2023-0466: The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate...

CVSS Score: 5.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.65369%
Published: 3/28/2023
Updated: 2/19/2025
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Vulnerability Intelligence

Miggo AI Root Cause Analysis

CVE-2023-0466 arises from a discrepancy between the documented and the actual behavior of the OpenSSL function X509_VERIFY_PARAM_add0_policy(). The function was documented as enabling certificate policy checking, but its implementation never did so, so applications that relied on the documentation could unintentionally skip policy checks. The referenced commits (e.g., 0d16b7e99aa, 51e8a84ce74, 73398dea26d, fc814a30fc4) all patch documentation files (such as 'doc/man3/X509_VERIFY_PARAM_set_flags.pod') to state accurately that X509_VERIFY_PARAM_add0_policy() does not enable policy checking. X509_VERIFY_PARAM_add0_policy() is therefore identified as the vulnerable function: used under the assumptions the old documentation fostered, its actual behavior produces the security weakness. The file path in the 'vulnerable_functions' entry points to one of the documentation files modified in the patches, since that is the direct evidence in the commits of the function's misrepresentation; the function itself resides in OpenSSL's C source code (likely crypto/x509/x509_vfy.c, which these documentation-only patches do not modify).

Vulnerable functions

WAF Protection Rules

WAF Rule

The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with inva
