In x509_vfy.h rev. 1.37 and x509_vfy.c rev. 1.91, tb@ provided

X509_STORE_CTX_set_verify(3) and X509_STORE_CTX_get_verify(3). Document them. In the next bump, tb@ will also provide X509_STORE_CTX_verify_fn(3) and X509_STORE_set_verify(3) and restore X509_STORE_set_verify_func(3) to working order. For efficiency of documentation work, already document those three, too, but keep the text temporariy .if'ed out until they become available. Delete X509_STORE_set_verify_func(3) from X509_STORE_set_verify_cb_func(3) because it was misplaced in that page: it is not related to the verification callback. tb@ agrees with the general direction.
author: schwarze <> 2021-11-17 16:08:32 +0000
committer: schwarze <> 2021-11-17 16:08:32 +0000
commit: 8c1761a51aa50ec3f12696927791681f5d155db6 (patch)
tree: b482c5bb492a64e0f9db616bf3b40910b8ce4eff /src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
parent: 1e3c032a54098351c348cfd0269ea0030e6454eb (diff)
download: openbsd-8c1761a51aa50ec3f12696927791681f5d155db6.tar.gz
openbsd-8c1761a51aa50ec3f12696927791681f5d155db6.tar.bz2
openbsd-8c1761a51aa50ec3f12696927791681f5d155db6.zip
1 files changed, 167 insertions, 0 deletions
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
new file mode 100644
index 0000000000..a68ade6b3f
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
@@ -0,0 +1,167 @@
+.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.1 2021/11/17 16:08:32 schwarze Exp $
+.\"
+.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: November 17 2021 $
+.Dt X509_STORE_CTX_SET_VERIFY 3
+.Os
+.\" ds LIBRESSL_NEW_API
+.Sh NAME
+.if dLIBRESSL_NEW_API \{\
+.Nm X509_STORE_CTX_verify_fn ,
+.\}
+.Nm X509_STORE_CTX_set_verify ,
+.ie dLIBRESSL_NEW_API \{\
+.Nm X509_STORE_CTX_get_verify ,
+.Nm X509_STORE_set_verify ,
+.Nm X509_STORE_set_verify_func
+.\}
+.el \{\
+.Nm X509_STORE_CTX_get_verify
+.\}
+.Nd user-defined certificate chain verification function
+.Sh SYNOPSIS
+.In openssl/x509_vfy.h
+.if dLIBRESSL_NEW_API \{\
+.Ft typedef int
+.Fo "(*X509_STORE_CTX_verify_fn)"
+.Fa "X509_STORE_CTX *ctx"
+.Fc
+.\}
+.Ft void
+.Fo X509_STORE_CTX_set_verify
+.Fa "X509_STORE_CTX *ctx"
+.ie dLIBRESSL_NEW_API \{\
+.Fa "X509_STORE_CTX_verify_fn verify"
+.\}
+.el \{\
+.Fa "int (*verify)(X509_STORE_CTX *)"
+.\}
+.Fc
+.ie dLIBRESSL_NEW_API \{\
+.Ft X509_STORE_CTX_verify_fn
+.Fo X509_STORE_CTX_get_verify
+.\}
+.el \{\
+.Ft int
+.Fo "(*X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx))"
+.\}
+.Fa "X509_STORE_CTX *ctx"
+.Fc
+.if dLIBRESSL_NEW_API \{\
+.Ft void
+.Fo X509_STORE_set_verify
+.Fa "X509_STORE *store"
+.Fa "X509_STORE_CTX_verify_fn verify"
+.Fc
+.Ft void
+.Fo X509_STORE_set_verify_func
+.Fa "X509_STORE *store"
+.Fa "X509_STORE_CTX_verify_fn verify"
+.Fc
+.\}
+.Sh DESCRIPTION
+.Fn X509_STORE_CTX_set_verify
+configures
+.Fa ctx
+to use the
+.Fa verify
+argument as the X.509 certificate chain verification function instead
+of the default verification function built into the library when
+.Xr X509_verify_cert 3
+is called.
+.Pp
+The
+.Fa verify
+function provided by the user is only called if the
+.Dv X509_V_FLAG_LEGACY_VERIFY
+or
+.Dv X509_V_FLAG_NO_ALT_CHAINS
+flag was set on
+.Fa ctx
+using
+.Xr X509_STORE_CTX_set_flags 3
+or
+.Xr X509_VERIFY_PARAM_set_flags 3 .
+Otherwise, it is ignored and a different algorithm is used that does
+not support replacing the verification function.
+.if dLIBRESSL_NEW_API \{\
+.Pp
+.Fn X509_STORE_set_verify
+saves the function pointer
+.Fa verify
+in the given
+.Fa store
+object.
+That pointer will be copied to an
+.Vt X509_STORE_CTX
+object when
+.Fa store
+is later passed as an argument to
+.Xr X509_STORE_CTX_init 3 .
+.Pp
+.Fn X509_STORE_set_verify_func
+is an alias for
+.Fn X509_STORE_set_verify
+implemented as a macro.
+.\}
+.Sh RETURN VALUES
+.if dLIBRESSL_NEW_API \{\
+.Fn X509_STORE_CTX_verify_fn
+is supposed to return 1 to indicate that the chain is valid
+or 0 if it is not or if an error occurred.
+.Pp
+.\}
+.Fn X509_STORE_CTX_get_verify
+returns a function pointer to the function previously set with
+.Fn X509_STORE_CTX_set_verify
+or
+.Xr X509_STORE_CTX_init 3 ,
+or
+.Dv NULL
+if
+.Fa ctx
+is uninitialized.
+.Sh SEE ALSO
+.Xr X509_STORE_CTX_init 3 ,
+.Xr X509_STORE_CTX_set_error 3 ,
+.Xr X509_STORE_CTX_set_flags 3 ,
+.Xr X509_STORE_CTX_set_verify_cb 3 ,
+.Xr X509_STORE_new 3 ,
+.Xr X509_STORE_set_flags 3 ,
+.Xr X509_STORE_set_verify_cb 3 ,
+.Xr X509_verify_cert 3 ,
+.Xr X509_VERIFY_PARAM_set_flags 3
+.Sh HISTORY
+.if dLIBRESSL_NEW_API \{\
+.Fn X509_STORE_set_verify_func
+first appeared in SSLeay 0.8.0 and has been available since
+.Ox 2.4 .
+.Pp
+.\}
+.Fn X509_STORE_CTX_set_verify
+and
+.Fn X509_STORE_CTX_get_verify
+first appeared in OpenSSL 1.1.0 and have been available since
+.Ox 7.1 .
+.if dLIBRESSL_NEW_API \{\
+.Pp
+.Fn X509_STORE_CTX_verify_fn
+and
+.Fn X509_STORE_set_verify
+first appeared in OpenSSL 1.1.0 and have been available since
+.reminder Check the version number!
+.Ox 7.1 .
+.\}
author	schwarze <>	2021-11-17 16:08:32 +0000
committer	schwarze <>	2021-11-17 16:08:32 +0000
commit	8c1761a51aa50ec3f12696927791681f5d155db6 (patch)
tree	b482c5bb492a64e0f9db616bf3b40910b8ce4eff /src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
parent	1e3c032a54098351c348cfd0269ea0030e6454eb (diff)
download	openbsd-8c1761a51aa50ec3f12696927791681f5d155db6.tar.gz openbsd-8c1761a51aa50ec3f12696927791681f5d155db6.tar.bz2 openbsd-8c1761a51aa50ec3f12696927791681f5d155db6.zip

diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 new file mode 100644 index 0000000000..a68ade6b3f --- /dev/null +++ b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
@@ -0,0 +1,167 @@
	1	.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.1 2021/11/17 16:08:32 schwarze Exp $
	2	.\"
	3	.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
	4	.\"
	5	.\" Permission to use, copy, modify, and distribute this software for any
	6	.\" purpose with or without fee is hereby granted, provided that the above
	7	.\" copyright notice and this permission notice appear in all copies.
	8	.\"
	9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	.\"
	17	.Dd $Mdocdate: November 17 2021 $
	18	.Dt X509_STORE_CTX_SET_VERIFY 3
	19	.Os
	20	.\" ds LIBRESSL_NEW_API
	21	.Sh NAME
	22	.if dLIBRESSL_NEW_API \{\
	23	.Nm X509_STORE_CTX_verify_fn ,
	24	.\}
	25	.Nm X509_STORE_CTX_set_verify ,
	26	.ie dLIBRESSL_NEW_API \{\
	27	.Nm X509_STORE_CTX_get_verify ,
	28	.Nm X509_STORE_set_verify ,
	29	.Nm X509_STORE_set_verify_func
	30	.\}
	31	.el \{\
	32	.Nm X509_STORE_CTX_get_verify
	33	.\}
	34	.Nd user-defined certificate chain verification function
	35	.Sh SYNOPSIS
	36	.In openssl/x509_vfy.h
	37	.if dLIBRESSL_NEW_API \{\
	38	.Ft typedef int
	39	.Fo "(*X509_STORE_CTX_verify_fn)"
	40	.Fa "X509_STORE_CTX *ctx"
	41	.Fc
	42	.\}
	43	.Ft void
	44	.Fo X509_STORE_CTX_set_verify
	45	.Fa "X509_STORE_CTX *ctx"
	46	.ie dLIBRESSL_NEW_API \{\
	47	.Fa "X509_STORE_CTX_verify_fn verify"
	48	.\}
	49	.el \{\
	50	.Fa "int (verify)(X509_STORE_CTX )"
	51	.\}
	52	.Fc
	53	.ie dLIBRESSL_NEW_API \{\
	54	.Ft X509_STORE_CTX_verify_fn
	55	.Fo X509_STORE_CTX_get_verify
	56	.\}
	57	.el \{\
	58	.Ft int
	59	.Fo "(X509_STORE_CTX_get_verify(X509_STORE_CTX ctx))"
	60	.\}
	61	.Fa "X509_STORE_CTX *ctx"
	62	.Fc
	63	.if dLIBRESSL_NEW_API \{\
	64	.Ft void
	65	.Fo X509_STORE_set_verify
	66	.Fa "X509_STORE *store"
	67	.Fa "X509_STORE_CTX_verify_fn verify"
	68	.Fc
	69	.Ft void
	70	.Fo X509_STORE_set_verify_func
	71	.Fa "X509_STORE *store"
	72	.Fa "X509_STORE_CTX_verify_fn verify"
	73	.Fc
	74	.\}
	75	.Sh DESCRIPTION
	76	.Fn X509_STORE_CTX_set_verify
	77	configures
	78	.Fa ctx
	79	to use the
	80	.Fa verify
	81	argument as the X.509 certificate chain verification function instead
	82	of the default verification function built into the library when
	83	.Xr X509_verify_cert 3
	84	is called.
	85	.Pp
	86	The
	87	.Fa verify
	88	function provided by the user is only called if the
	89	.Dv X509_V_FLAG_LEGACY_VERIFY
	90	or
	91	.Dv X509_V_FLAG_NO_ALT_CHAINS
	92	flag was set on
	93	.Fa ctx
	94	using
	95	.Xr X509_STORE_CTX_set_flags 3
	96	or
	97	.Xr X509_VERIFY_PARAM_set_flags 3 .
	98	Otherwise, it is ignored and a different algorithm is used that does
	99	not support replacing the verification function.
	100	.if dLIBRESSL_NEW_API \{\
	101	.Pp
	102	.Fn X509_STORE_set_verify
	103	saves the function pointer
	104	.Fa verify
	105	in the given
	106	.Fa store
	107	object.
	108	That pointer will be copied to an
	109	.Vt X509_STORE_CTX
	110	object when
	111	.Fa store
	112	is later passed as an argument to
	113	.Xr X509_STORE_CTX_init 3 .
	114	.Pp
	115	.Fn X509_STORE_set_verify_func
	116	is an alias for
	117	.Fn X509_STORE_set_verify
	118	implemented as a macro.
	119	.\}
	120	.Sh RETURN VALUES
	121	.if dLIBRESSL_NEW_API \{\
	122	.Fn X509_STORE_CTX_verify_fn
	123	is supposed to return 1 to indicate that the chain is valid
	124	or 0 if it is not or if an error occurred.
	125	.Pp
	126	.\}
	127	.Fn X509_STORE_CTX_get_verify
	128	returns a function pointer to the function previously set with
	129	.Fn X509_STORE_CTX_set_verify
	130	or
	131	.Xr X509_STORE_CTX_init 3 ,
	132	or
	133	.Dv NULL
	134	if
	135	.Fa ctx
	136	is uninitialized.
	137	.Sh SEE ALSO
	138	.Xr X509_STORE_CTX_init 3 ,
	139	.Xr X509_STORE_CTX_set_error 3 ,
	140	.Xr X509_STORE_CTX_set_flags 3 ,
	141	.Xr X509_STORE_CTX_set_verify_cb 3 ,
	142	.Xr X509_STORE_new 3 ,
	143	.Xr X509_STORE_set_flags 3 ,
	144	.Xr X509_STORE_set_verify_cb 3 ,
	145	.Xr X509_verify_cert 3 ,
	146	.Xr X509_VERIFY_PARAM_set_flags 3
	147	.Sh HISTORY
	148	.if dLIBRESSL_NEW_API \{\
	149	.Fn X509_STORE_set_verify_func
	150	first appeared in SSLeay 0.8.0 and has been available since
	151	.Ox 2.4 .
	152	.Pp
	153	.\}
	154	.Fn X509_STORE_CTX_set_verify
	155	and
	156	.Fn X509_STORE_CTX_get_verify
	157	first appeared in OpenSSL 1.1.0 and have been available since
	158	.Ox 7.1 .
	159	.if dLIBRESSL_NEW_API \{\
	160	.Pp
	161	.Fn X509_STORE_CTX_verify_fn
	162	and
	163	.Fn X509_STORE_set_verify
	164	first appeared in OpenSSL 1.1.0 and have been available since
	165	.reminder Check the version number!
	166	.Ox 7.1 .
	167	.\}