new manual page X509_CRL_METHOD_new(3)

documenting five functions to customize CRL handling
author: schwarze <> 2021-10-30 16:20:35 +0000
committer: schwarze <> 2021-10-30 16:20:35 +0000
commit: 1507ec383c4225e409a40fc53eb43aec39bd4b66 (patch)
tree: 659176c3c20d98443281077c6c089ca93c678b31
parent: ebf7bdd740439b0c094f1a97f94bd885a052642b (diff)
download: openbsd-1507ec383c4225e409a40fc53eb43aec39bd4b66.tar.gz
openbsd-1507ec383c4225e409a40fc53eb43aec39bd4b66.tar.bz2
openbsd-1507ec383c4225e409a40fc53eb43aec39bd4b66.zip
6 files changed, 245 insertions, 14 deletions
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index 43d7c5bc56..1e2c626d0c 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.207 2021/10/29 09:42:07 schwarze Exp $
+# $OpenBSD: Makefile,v 1.208 2021/10/30 16:20:35 schwarze Exp $
 .include <bsd.own.mk>
@@ -286,6 +286,7 @@ MAN=	\
        X509_ATTRIBUTE_new.3 \
        X509_ATTRIBUTE_set1_object.3 \
        X509_CINF_new.3 \
+        X509_CRL_METHOD_new.3 \
        X509_CRL_get0_by_serial.3 \
        X509_CRL_new.3 \
        X509_CRL_print.3 \
diff --git a/src/lib/libcrypto/man/X509_CRL_METHOD_new.3 b/src/lib/libcrypto/man/X509_CRL_METHOD_new.3
new file mode 100644
index 0000000000..f80ce743cd
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_CRL_METHOD_new.3
@@ -0,0 +1,182 @@
+.\" $OpenBSD: X509_CRL_METHOD_new.3,v 1.1 2021/10/30 16:20:35 schwarze Exp $
+.\"
+.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: October 30 2021 $
+.Dt X509_CRL_METHOD_NEW 3
+.Os
+.Sh NAME
+.Nm X509_CRL_METHOD_new ,
+.Nm X509_CRL_METHOD_free ,
+.Nm X509_CRL_set_default_method ,
+.Nm X509_CRL_set_meth_data ,
+.Nm X509_CRL_get_meth_data
+.Nd customize CRL handling
+.Sh SYNOPSIS
+.In openssl/x509.h
+.Ft X509_CRL_METHOD *
+.Fo X509_CRL_METHOD_new
+.Fa "int (*crl_init)(X509_CRL *crl)"
+.Fa "int (*crl_free)(X509_CRL *crl)"
+.Fa "int (*crl_lookup)(X509_CRL *crl, X509_REVOKED **ret,\
+ ASN1_INTEGER *ser, X509_NAME *issuer)"
+.Fa "int (*crl_verify)(X509_CRL *crl, EVP_PKEY *pk)"
+.Fc
+.Ft void
+.Fn X509_CRL_METHOD_free "X509_CRL_METHOD *method"
+.Ft void
+.Fn X509_CRL_set_default_method "const X509_CRL_METHOD *method"
+.Ft void
+.Fn X509_CRL_set_meth_data "X509_CRL *crl" "void *data"
+.Ft void *
+.Fn X509_CRL_get_meth_data "X509_CRL *crl"
+.Sh DESCRIPTION
+These functions customize BER decoding and signature verification
+of X.509 certificate revocation lists,
+as well as retrieval of revoked entries from such lists.
+.Pp
+.Fn X509_CRL_METHOD_new
+allocates and initializes a new
+.Vt X509_CRL_METHOD
+object, storing the four pointers to callback functions in it
+that are provided as arguments.
+.Pp
+.Fn X509_CRL_METHOD_free
+frees the given
+.Fa method
+object.
+If
+.Fa method
+is a
+.Dv NULL
+pointer or points to the static object built into the library,
+no action occurs.
+.Pp
+.Fn X509_CRL_set_default_method
+designates the given
+.Fa method
+to be used for objects that will be created with
+.Xr X509_CRL_new 3
+in the future.
+It has no effect on
+.Vt X509_CRL
+objects that already exist.
+If
+.Fa method
+is
+.Dv NULL ,
+any previously installed method will no longer be used for new
+.Vt X509_CRL
+objects created in the future, and those future objects will adhere
+to the default behaviour instead.
+.Pp
+The optional function
+.Fn crl_init
+will be called at the end of
+.Xr d2i_X509_CRL 3 ,
+the optional function
+.Fn crl_free
+near the end of
+.Xr X509_CRL_free 3 ,
+immediately before freeing
+.Fa crl
+itself.
+The function
+.Fn crl_lookup
+will be called by
+.Xr X509_CRL_get0_by_serial 3 ,
+setting
+.Fa issuer
+to
+.Dv NULL ,
+and by
+.Xr X509_CRL_get0_by_cert 3 ,
+both instead of performing the default action.
+The function
+.Fn crl_verify
+will be called by
+.Xr X509_CRL_verify 3
+instead of performing the default action.
+.Pp
+.Fn X509_CRL_set_meth_data
+stores the pointer to the auxiliary
+.Fa data
+inside the
+.Fa crl
+object.
+The pointer is expected to remain valid during the whole lifetime of the
+.Fa crl
+object but is not automatically freed when the
+.Fa crl
+object is freed.
+.Pp
+.Fn X509_CRL_get_meth_data
+retrieves the
+.Fa data
+from
+.Fa crl
+the was added with
+.Fn X509_CRL_set_meth_data .
+This may for example be useful inside the four callback methods
+installed with
+.Fn X509_CRL_METHOD_new .
+.Sh RETURN VALUES
+.Fn X509_CRL_METHOD_new
+returns a pointer to the new object or
+.Dv NULL
+if memory allocation fails.
+.Pp
+.Fn X509_CRL_get_meth_data
+returns the pointer previously installed with
+.Fn X509_CRL_set_meth_data
+or
+.Dv NULL
+if
+.Fn X509_CRL_set_meth_data
+was not called on
+.Fa crl .
+.Pp
+The callback functions
+.Fn crl_init
+and
+.Fn crl_free
+are supposed to return 1 for success or 0 for failure.
+.Pp
+The callback function
+.Fn crl_lookup
+is supposed to return 0 for failure or 1 for success,
+except if the revoked entry has the reason
+.Qq removeFromCRL ,
+in which case it is supposed to return 2.
+.Pp
+The callback function
+.Fn crl_verify
+is supposed to return 1 if the signature is valid
+or 0 if the signature check fails.
+If the signature could not be checked at all because it was invalid
+or some other error occurred, \-1 may be returned.
+.Sh SEE ALSO
+.Xr ASN1_INTEGER_new 3 ,
+.Xr d2i_X509_CRL 3 ,
+.Xr EVP_PKEY_new 3 ,
+.Xr X509_CRL_get0_by_serial 3 ,
+.Xr X509_CRL_new 3 ,
+.Xr X509_CRL_verify 3 ,
+.Xr X509_NAME_new 3 ,
+.Xr X509_REVOKED_new 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 1.0.0
+and have been available since
+.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3 b/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3
index 8db046051b..865e86feb9 100644
--- a/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3
+++ b/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3
@@ -1,5 +1,5 @@
-.\"     $OpenBSD: X509_CRL_get0_by_serial.3,v 1.11 2020/10/21 17:17:43 tb Exp $
+.\" $OpenBSD: X509_CRL_get0_by_serial.3,v 1.12 2021/10/30 16:20:35 schwarze Exp $
-.\"     OpenSSL X509_CRL_get0_by_serial.pod cdd6c8c5 Mar 20 12:29:37 2017 +0100
+.\" full merge up to: OpenSSL cdd6c8c5 Mar 20 12:29:37 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
 .\" Copyright (c) 2015, 2017 The OpenSSL Project.  All rights reserved.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 21 2020 $
+.Dd $Mdocdate: October 30 2021 $
 .Dt X509_CRL_GET0_BY_SERIAL 3
 .Os
 .Sh NAME
@@ -105,6 +105,18 @@ except that it looks for a revoked entry using the serial number
 of certificate
 .Fa x .
 .Pp
+If
+.Xr X509_CRL_set_default_method 3
+was in effect at the time the
+.Fa crl
+object was created,
+.Fn X509_CRL_get0_by_serial
+and
+.Fn X509_CRL_get0_by_cert
+invoke the
+.Fn crl_lookup
+callback function instead of performing the default action.
+.Pp
 .Fn X509_CRL_get_REVOKED
 returns an internal pointer to a stack of all revoked entries for
 .Fa crl .
@@ -158,6 +170,7 @@ returns a STACK of revoked entries.
 .Xr X509_CRL_get_ext 3 ,
 .Xr X509_CRL_get_issuer 3 ,
 .Xr X509_CRL_get_version 3 ,
+.Xr X509_CRL_METHOD_new 3 ,
 .Xr X509_CRL_new 3 ,
 .Xr X509_REVOKED_new 3 ,
 .Xr X509V3_get_d2i 3
diff --git a/src/lib/libcrypto/man/X509_CRL_new.3 b/src/lib/libcrypto/man/X509_CRL_new.3
index 4d3f97afdb..82ba18266a 100644
--- a/src/lib/libcrypto/man/X509_CRL_new.3
+++ b/src/lib/libcrypto/man/X509_CRL_new.3
@@ -1,6 +1,6 @@
-.\" $OpenBSD: X509_CRL_new.3,v 1.12 2021/08/02 16:21:11 schwarze Exp $
+.\" $OpenBSD: X509_CRL_new.3,v 1.13 2021/10/30 16:20:35 schwarze Exp $
 .\"
-.\" Copyright (c) 2016, 2018 Ingo Schwarze <schwarze@openbsd.org>
+.\" Copyright (c) 2016, 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 2 2021 $
+.Dd $Mdocdate: October 30 2021 $
 .Dt X509_CRL_NEW 3
 .Os
 .Sh NAME
@@ -67,6 +67,19 @@ decrements the reference count of
 by 1.
 If the reference count reaches 0, it frees
 .Fa crl .
+If
+.Xr X509_CRL_set_default_method 3
+was in effect at the time
+.Fa crl
+was created and the
+.Fn crl_free
+callback is not
+.Dv NULL ,
+that callback is invoked near the end of
+.Fn X509_CRL_free ,
+right before freeing
+.Fa crl
+itself.
 .Pp
 .Fn X509_CRL_INFO_new
 allocates and initializes an empty
@@ -112,6 +125,7 @@ returns 1 on success or 0 on error.
 .Xr X509_CRL_get_issuer 3 ,
 .Xr X509_CRL_get_version 3 ,
 .Xr X509_CRL_match 3 ,
+.Xr X509_CRL_METHOD_new 3 ,
 .Xr X509_CRL_print 3 ,
 .Xr X509_CRL_sign 3 ,
 .Xr X509_EXTENSION_new 3 ,
diff --git a/src/lib/libcrypto/man/X509_sign.3 b/src/lib/libcrypto/man/X509_sign.3
index ca4c5192b2..eb69874cdc 100644
--- a/src/lib/libcrypto/man/X509_sign.3
+++ b/src/lib/libcrypto/man/X509_sign.3
@@ -1,5 +1,5 @@
-.\"     $OpenBSD: X509_sign.3,v 1.8 2019/06/14 13:59:32 schwarze Exp $
+.\" $OpenBSD: X509_sign.3,v 1.9 2021/10/30 16:20:35 schwarze Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
 .\" Copyright (c) 2015, 2016 The OpenSSL Project.  All rights reserved.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 14 2019 $
+.Dd $Mdocdate: October 30 2021 $
 .Dt X509_SIGN 3
 .Os
 .Sh NAME
@@ -145,6 +145,16 @@ and
 .Fn X509_CRL_verify
 sign and verify certificate requests and CRLs, respectively.
 .Pp
+If
+.Xr X509_CRL_set_default_method 3
+was in effect at the time the
+.Vt X509_CRL
+object was created,
+.Fn X509_CRL_verify
+calls the
+.Fn crl_verify
+callback function instead of performing the default action.
+.Pp
 .Fn X509_sign_ctx
 is used where the default parameters for the corresponding public key
 and digest are not suitable.
@@ -181,6 +191,7 @@ In some cases of failure, the reason can be determined with
 .Xr d2i_X509 3 ,
 .Xr EVP_DigestInit 3 ,
 .Xr X509_CRL_get0_by_serial 3 ,
+.Xr X509_CRL_METHOD_new 3 ,
 .Xr X509_CRL_new 3 ,
 .Xr X509_get_pubkey 3 ,
 .Xr X509_get_subject_name 3 ,
diff --git a/src/lib/libcrypto/man/d2i_X509_CRL.3 b/src/lib/libcrypto/man/d2i_X509_CRL.3
index 920be4aa89..a0a19b4f55 100644
--- a/src/lib/libcrypto/man/d2i_X509_CRL.3
+++ b/src/lib/libcrypto/man/d2i_X509_CRL.3
@@ -1,7 +1,6 @@
-.\"     $OpenBSD: d2i_X509_CRL.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
+.\" $OpenBSD: d2i_X509_CRL.3,v 1.8 2021/10/30 16:20:35 schwarze Exp $
-.\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
 .\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
+.\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: October 30 2021 $
 .Dt D2I_X509_CRL 3
 .Os
 .Sh NAME
@@ -96,6 +95,16 @@ and
 decode and encode an ASN.1
 .Vt CertificateList
 structure defined in RFC 5280 section 5.1.
+.Pp
+If
+.Xr X509_CRL_set_default_method 3
+is in effect and the
+.Fn crl_init
+callback is not
+.Dv NULL ,
+that callback is invoked at the end of
+.Fn d2i_X509_CRL .
+.Pp
 .Fn d2i_X509_CRL_bio ,
 .Fn d2i_X509_CRL_fp ,
 .Fn i2d_X509_CRL_bio ,
@@ -123,6 +132,7 @@ the revokedCertificates field of the ASN.1
 structure.
 .Sh SEE ALSO
 .Xr ASN1_item_d2i 3 ,
+.Xr X509_CRL_METHOD_new 3 ,
 .Xr X509_CRL_new 3 ,
 .Xr X509_REVOKED_new 3
 .Sh STANDARDS
author	schwarze <>	2021-10-30 16:20:35 +0000
committer	schwarze <>	2021-10-30 16:20:35 +0000
commit	1507ec383c4225e409a40fc53eb43aec39bd4b66 (patch)
tree	659176c3c20d98443281077c6c089ca93c678b31
parent	ebf7bdd740439b0c094f1a97f94bd885a052642b (diff)
download	openbsd-1507ec383c4225e409a40fc53eb43aec39bd4b66.tar.gz openbsd-1507ec383c4225e409a40fc53eb43aec39bd4b66.tar.bz2 openbsd-1507ec383c4225e409a40fc53eb43aec39bd4b66.zip

diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile index 43d7c5bc56..1e2c626d0c 100644 --- a/src/lib/libcrypto/man/Makefile +++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.207 2021/10/29 09:42:07 schwarze Exp $	1	# $OpenBSD: Makefile,v 1.208 2021/10/30 16:20:35 schwarze Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4		4
@@ -286,6 +286,7 @@ MAN= \
286	X509_ATTRIBUTE_new.3 \	286	X509_ATTRIBUTE_new.3 \
287	X509_ATTRIBUTE_set1_object.3 \	287	X509_ATTRIBUTE_set1_object.3 \
288	X509_CINF_new.3 \	288	X509_CINF_new.3 \
		289	X509_CRL_METHOD_new.3 \
289	X509_CRL_get0_by_serial.3 \	290	X509_CRL_get0_by_serial.3 \
290	X509_CRL_new.3 \	291	X509_CRL_new.3 \
291	X509_CRL_print.3 \	292	X509_CRL_print.3 \


diff --git a/src/lib/libcrypto/man/X509_CRL_METHOD_new.3 b/src/lib/libcrypto/man/X509_CRL_METHOD_new.3 new file mode 100644 index 0000000000..f80ce743cd --- /dev/null +++ b/src/lib/libcrypto/man/X509_CRL_METHOD_new.3
@@ -0,0 +1,182 @@
		1	.\" $OpenBSD: X509_CRL_METHOD_new.3,v 1.1 2021/10/30 16:20:35 schwarze Exp $
		2	.\"
		3	.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
		4	.\"
		5	.\" Permission to use, copy, modify, and distribute this software for any
		6	.\" purpose with or without fee is hereby granted, provided that the above
		7	.\" copyright notice and this permission notice appear in all copies.
		8	.\"
		9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		16	.\"
		17	.Dd $Mdocdate: October 30 2021 $
		18	.Dt X509_CRL_METHOD_NEW 3
		19	.Os
		20	.Sh NAME
		21	.Nm X509_CRL_METHOD_new ,
		22	.Nm X509_CRL_METHOD_free ,
		23	.Nm X509_CRL_set_default_method ,
		24	.Nm X509_CRL_set_meth_data ,
		25	.Nm X509_CRL_get_meth_data
		26	.Nd customize CRL handling
		27	.Sh SYNOPSIS
		28	.In openssl/x509.h
		29	.Ft X509_CRL_METHOD *
		30	.Fo X509_CRL_METHOD_new
		31	.Fa "int (crl_init)(X509_CRL crl)"
		32	.Fa "int (crl_free)(X509_CRL crl)"
		33	.Fa "int (crl_lookup)(X509_CRL crl, X509_REVOKED **ret,\
		34	ASN1_INTEGER ser, X509_NAME issuer)"
		35	.Fa "int (crl_verify)(X509_CRL crl, EVP_PKEY *pk)"
		36	.Fc
		37	.Ft void
		38	.Fn X509_CRL_METHOD_free "X509_CRL_METHOD *method"
		39	.Ft void
		40	.Fn X509_CRL_set_default_method "const X509_CRL_METHOD *method"
		41	.Ft void
		42	.Fn X509_CRL_set_meth_data "X509_CRL crl" "void data"
		43	.Ft void *
		44	.Fn X509_CRL_get_meth_data "X509_CRL *crl"
		45	.Sh DESCRIPTION
		46	These functions customize BER decoding and signature verification
		47	of X.509 certificate revocation lists,
		48	as well as retrieval of revoked entries from such lists.
		49	.Pp
		50	.Fn X509_CRL_METHOD_new
		51	allocates and initializes a new
		52	.Vt X509_CRL_METHOD
		53	object, storing the four pointers to callback functions in it
		54	that are provided as arguments.
		55	.Pp
		56	.Fn X509_CRL_METHOD_free
		57	frees the given
		58	.Fa method
		59	object.
		60	If
		61	.Fa method
		62	is a
		63	.Dv NULL
		64	pointer or points to the static object built into the library,
		65	no action occurs.
		66	.Pp
		67	.Fn X509_CRL_set_default_method
		68	designates the given
		69	.Fa method
		70	to be used for objects that will be created with
		71	.Xr X509_CRL_new 3
		72	in the future.
		73	It has no effect on
		74	.Vt X509_CRL
		75	objects that already exist.
		76	If
		77	.Fa method
		78	is
		79	.Dv NULL ,
		80	any previously installed method will no longer be used for new
		81	.Vt X509_CRL
		82	objects created in the future, and those future objects will adhere
		83	to the default behaviour instead.
		84	.Pp
		85	The optional function
		86	.Fn crl_init
		87	will be called at the end of
		88	.Xr d2i_X509_CRL 3 ,
		89	the optional function
		90	.Fn crl_free
		91	near the end of
		92	.Xr X509_CRL_free 3 ,
		93	immediately before freeing
		94	.Fa crl
		95	itself.
		96	The function
		97	.Fn crl_lookup
		98	will be called by
		99	.Xr X509_CRL_get0_by_serial 3 ,
		100	setting
		101	.Fa issuer
		102	to
		103	.Dv NULL ,
		104	and by
		105	.Xr X509_CRL_get0_by_cert 3 ,
		106	both instead of performing the default action.
		107	The function
		108	.Fn crl_verify
		109	will be called by
		110	.Xr X509_CRL_verify 3
		111	instead of performing the default action.
		112	.Pp
		113	.Fn X509_CRL_set_meth_data
		114	stores the pointer to the auxiliary
		115	.Fa data
		116	inside the
		117	.Fa crl
		118	object.
		119	The pointer is expected to remain valid during the whole lifetime of the
		120	.Fa crl
		121	object but is not automatically freed when the
		122	.Fa crl
		123	object is freed.
		124	.Pp
		125	.Fn X509_CRL_get_meth_data
		126	retrieves the
		127	.Fa data
		128	from
		129	.Fa crl
		130	the was added with
		131	.Fn X509_CRL_set_meth_data .
		132	This may for example be useful inside the four callback methods
		133	installed with
		134	.Fn X509_CRL_METHOD_new .
		135	.Sh RETURN VALUES
		136	.Fn X509_CRL_METHOD_new
		137	returns a pointer to the new object or
		138	.Dv NULL
		139	if memory allocation fails.
		140	.Pp
		141	.Fn X509_CRL_get_meth_data
		142	returns the pointer previously installed with
		143	.Fn X509_CRL_set_meth_data
		144	or
		145	.Dv NULL
		146	if
		147	.Fn X509_CRL_set_meth_data
		148	was not called on
		149	.Fa crl .
		150	.Pp
		151	The callback functions
		152	.Fn crl_init
		153	and
		154	.Fn crl_free
		155	are supposed to return 1 for success or 0 for failure.
		156	.Pp
		157	The callback function
		158	.Fn crl_lookup
		159	is supposed to return 0 for failure or 1 for success,
		160	except if the revoked entry has the reason
		161	.Qq removeFromCRL ,
		162	in which case it is supposed to return 2.
		163	.Pp
		164	The callback function
		165	.Fn crl_verify
		166	is supposed to return 1 if the signature is valid
		167	or 0 if the signature check fails.
		168	If the signature could not be checked at all because it was invalid
		169	or some other error occurred, \-1 may be returned.
		170	.Sh SEE ALSO
		171	.Xr ASN1_INTEGER_new 3 ,
		172	.Xr d2i_X509_CRL 3 ,
		173	.Xr EVP_PKEY_new 3 ,
		174	.Xr X509_CRL_get0_by_serial 3 ,
		175	.Xr X509_CRL_new 3 ,
		176	.Xr X509_CRL_verify 3 ,
		177	.Xr X509_NAME_new 3 ,
		178	.Xr X509_REVOKED_new 3
		179	.Sh HISTORY
		180	These functions first appeared in OpenSSL 1.0.0
		181	and have been available since
		182	.Ox 4.9 .


diff --git a/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3 b/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3 index 8db046051b..865e86feb9 100644 --- a/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3 +++ b/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3
@@ -1,5 +1,5 @@
1	.\" $OpenBSD: X509_CRL_get0_by_serial.3,v 1.11 2020/10/21 17:17:43 tb Exp $	1	.\" $OpenBSD: X509_CRL_get0_by_serial.3,v 1.12 2021/10/30 16:20:35 schwarze Exp $
2	.\" OpenSSL X509_CRL_get0_by_serial.pod cdd6c8c5 Mar 20 12:29:37 2017 +0100	2	.\" full merge up to: OpenSSL cdd6c8c5 Mar 20 12:29:37 2017 +0100
3	.\"	3	.\"
4	.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.	4	.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
5	.\" Copyright (c) 2015, 2017 The OpenSSL Project. All rights reserved.	5	.\" Copyright (c) 2015, 2017 The OpenSSL Project. All rights reserved.
@@ -48,7 +48,7 @@
48	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	48	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	49	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
50	.\"	50	.\"
51	.Dd $Mdocdate: October 21 2020 $	51	.Dd $Mdocdate: October 30 2021 $
52	.Dt X509_CRL_GET0_BY_SERIAL 3	52	.Dt X509_CRL_GET0_BY_SERIAL 3
53	.Os	53	.Os
54	.Sh NAME	54	.Sh NAME
@@ -105,6 +105,18 @@ except that it looks for a revoked entry using the serial number
105	of certificate	105	of certificate
106	.Fa x .	106	.Fa x .
107	.Pp	107	.Pp
		108	If
		109	.Xr X509_CRL_set_default_method 3
		110	was in effect at the time the
		111	.Fa crl
		112	object was created,
		113	.Fn X509_CRL_get0_by_serial
		114	and
		115	.Fn X509_CRL_get0_by_cert
		116	invoke the
		117	.Fn crl_lookup
		118	callback function instead of performing the default action.
		119	.Pp
108	.Fn X509_CRL_get_REVOKED	120	.Fn X509_CRL_get_REVOKED
109	returns an internal pointer to a stack of all revoked entries for	121	returns an internal pointer to a stack of all revoked entries for
110	.Fa crl .	122	.Fa crl .
@@ -158,6 +170,7 @@ returns a STACK of revoked entries.
158	.Xr X509_CRL_get_ext 3 ,	170	.Xr X509_CRL_get_ext 3 ,
159	.Xr X509_CRL_get_issuer 3 ,	171	.Xr X509_CRL_get_issuer 3 ,
160	.Xr X509_CRL_get_version 3 ,	172	.Xr X509_CRL_get_version 3 ,
		173	.Xr X509_CRL_METHOD_new 3 ,
161	.Xr X509_CRL_new 3 ,	174	.Xr X509_CRL_new 3 ,
162	.Xr X509_REVOKED_new 3 ,	175	.Xr X509_REVOKED_new 3 ,
163	.Xr X509V3_get_d2i 3	176	.Xr X509V3_get_d2i 3


diff --git a/src/lib/libcrypto/man/X509_CRL_new.3 b/src/lib/libcrypto/man/X509_CRL_new.3 index 4d3f97afdb..82ba18266a 100644 --- a/src/lib/libcrypto/man/X509_CRL_new.3 +++ b/src/lib/libcrypto/man/X509_CRL_new.3
@@ -1,6 +1,6 @@
1	.\" $OpenBSD: X509_CRL_new.3,v 1.12 2021/08/02 16:21:11 schwarze Exp $	1	.\" $OpenBSD: X509_CRL_new.3,v 1.13 2021/10/30 16:20:35 schwarze Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2016, 2018 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2016, 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	4	.\"
5	.\" Permission to use, copy, modify, and distribute this software for any	5	.\" Permission to use, copy, modify, and distribute this software for any
6	.\" purpose with or without fee is hereby granted, provided that the above	6	.\" purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: August 2 2021 $	17	.Dd $Mdocdate: October 30 2021 $
18	.Dt X509_CRL_NEW 3	18	.Dt X509_CRL_NEW 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -67,6 +67,19 @@ decrements the reference count of
67	by 1.	67	by 1.
68	If the reference count reaches 0, it frees	68	If the reference count reaches 0, it frees
69	.Fa crl .	69	.Fa crl .
		70	If
		71	.Xr X509_CRL_set_default_method 3
		72	was in effect at the time
		73	.Fa crl
		74	was created and the
		75	.Fn crl_free
		76	callback is not
		77	.Dv NULL ,
		78	that callback is invoked near the end of
		79	.Fn X509_CRL_free ,
		80	right before freeing
		81	.Fa crl
		82	itself.
70	.Pp	83	.Pp
71	.Fn X509_CRL_INFO_new	84	.Fn X509_CRL_INFO_new
72	allocates and initializes an empty	85	allocates and initializes an empty
@@ -112,6 +125,7 @@ returns 1 on success or 0 on error.
112	.Xr X509_CRL_get_issuer 3 ,	125	.Xr X509_CRL_get_issuer 3 ,
113	.Xr X509_CRL_get_version 3 ,	126	.Xr X509_CRL_get_version 3 ,
114	.Xr X509_CRL_match 3 ,	127	.Xr X509_CRL_match 3 ,
		128	.Xr X509_CRL_METHOD_new 3 ,
115	.Xr X509_CRL_print 3 ,	129	.Xr X509_CRL_print 3 ,
116	.Xr X509_CRL_sign 3 ,	130	.Xr X509_CRL_sign 3 ,
117	.Xr X509_EXTENSION_new 3 ,	131	.Xr X509_EXTENSION_new 3 ,


diff --git a/src/lib/libcrypto/man/X509_sign.3 b/src/lib/libcrypto/man/X509_sign.3 index ca4c5192b2..eb69874cdc 100644 --- a/src/lib/libcrypto/man/X509_sign.3 +++ b/src/lib/libcrypto/man/X509_sign.3
@@ -1,5 +1,5 @@
1	.\" $OpenBSD: X509_sign.3,v 1.8 2019/06/14 13:59:32 schwarze Exp $	1	.\" $OpenBSD: X509_sign.3,v 1.9 2021/10/30 16:20:35 schwarze Exp $
2	.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400	2	.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
3	.\"	3	.\"
4	.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.	4	.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
5	.\" Copyright (c) 2015, 2016 The OpenSSL Project. All rights reserved.	5	.\" Copyright (c) 2015, 2016 The OpenSSL Project. All rights reserved.
@@ -48,7 +48,7 @@
48	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	48	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	49	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
50	.\"	50	.\"
51	.Dd $Mdocdate: June 14 2019 $	51	.Dd $Mdocdate: October 30 2021 $
52	.Dt X509_SIGN 3	52	.Dt X509_SIGN 3
53	.Os	53	.Os
54	.Sh NAME	54	.Sh NAME
@@ -145,6 +145,16 @@ and
145	.Fn X509_CRL_verify	145	.Fn X509_CRL_verify
146	sign and verify certificate requests and CRLs, respectively.	146	sign and verify certificate requests and CRLs, respectively.
147	.Pp	147	.Pp
		148	If
		149	.Xr X509_CRL_set_default_method 3
		150	was in effect at the time the
		151	.Vt X509_CRL
		152	object was created,
		153	.Fn X509_CRL_verify
		154	calls the
		155	.Fn crl_verify
		156	callback function instead of performing the default action.
		157	.Pp
148	.Fn X509_sign_ctx	158	.Fn X509_sign_ctx
149	is used where the default parameters for the corresponding public key	159	is used where the default parameters for the corresponding public key
150	and digest are not suitable.	160	and digest are not suitable.
@@ -181,6 +191,7 @@ In some cases of failure, the reason can be determined with
181	.Xr d2i_X509 3 ,	191	.Xr d2i_X509 3 ,
182	.Xr EVP_DigestInit 3 ,	192	.Xr EVP_DigestInit 3 ,
183	.Xr X509_CRL_get0_by_serial 3 ,	193	.Xr X509_CRL_get0_by_serial 3 ,
		194	.Xr X509_CRL_METHOD_new 3 ,
184	.Xr X509_CRL_new 3 ,	195	.Xr X509_CRL_new 3 ,
185	.Xr X509_get_pubkey 3 ,	196	.Xr X509_get_pubkey 3 ,
186	.Xr X509_get_subject_name 3 ,	197	.Xr X509_get_subject_name 3 ,


diff --git a/src/lib/libcrypto/man/d2i_X509_CRL.3 b/src/lib/libcrypto/man/d2i_X509_CRL.3 index 920be4aa89..a0a19b4f55 100644 --- a/src/lib/libcrypto/man/d2i_X509_CRL.3 +++ b/src/lib/libcrypto/man/d2i_X509_CRL.3
@@ -1,7 +1,6 @@
1	.\" $OpenBSD: d2i_X509_CRL.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $	1	.\" $OpenBSD: d2i_X509_CRL.3,v 1.8 2021/10/30 16:20:35 schwarze Exp $
2	.\" OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
3	.\"	2	.\"
4	.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
5	.\"	4	.\"
6	.\" Permission to use, copy, modify, and distribute this software for any	5	.\" Permission to use, copy, modify, and distribute this software for any
7	.\" purpose with or without fee is hereby granted, provided that the above	6	.\" purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
15	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	.\"	16	.\"
18	.Dd $Mdocdate: March 27 2018 $	17	.Dd $Mdocdate: October 30 2021 $
19	.Dt D2I_X509_CRL 3	18	.Dt D2I_X509_CRL 3
20	.Os	19	.Os
21	.Sh NAME	20	.Sh NAME
@@ -96,6 +95,16 @@ and
96	decode and encode an ASN.1	95	decode and encode an ASN.1
97	.Vt CertificateList	96	.Vt CertificateList
98	structure defined in RFC 5280 section 5.1.	97	structure defined in RFC 5280 section 5.1.
		98	.Pp
		99	If
		100	.Xr X509_CRL_set_default_method 3
		101	is in effect and the
		102	.Fn crl_init
		103	callback is not
		104	.Dv NULL ,
		105	that callback is invoked at the end of
		106	.Fn d2i_X509_CRL .
		107	.Pp
99	.Fn d2i_X509_CRL_bio ,	108	.Fn d2i_X509_CRL_bio ,
100	.Fn d2i_X509_CRL_fp ,	109	.Fn d2i_X509_CRL_fp ,
101	.Fn i2d_X509_CRL_bio ,	110	.Fn i2d_X509_CRL_bio ,
@@ -123,6 +132,7 @@ the revokedCertificates field of the ASN.1
123	structure.	132	structure.
124	.Sh SEE ALSO	133	.Sh SEE ALSO
125	.Xr ASN1_item_d2i 3 ,	134	.Xr ASN1_item_d2i 3 ,
		135	.Xr X509_CRL_METHOD_new 3 ,
126	.Xr X509_CRL_new 3 ,	136	.Xr X509_CRL_new 3 ,
127	.Xr X509_REVOKED_new 3	137	.Xr X509_REVOKED_new 3
128	.Sh STANDARDS	138	.Sh STANDARDS