Document the interactions of X509_V_FLAG_USE_CHECK_TIME,

X509_V_FLAG_NO_CHECK_TIME, X509_VERIFY_PARAM_set_time(3), X509_VERIFY_PARAM_set_flags(3), and X509_VERIFY_PARAM_clear_flags(3) in detail because the API design is both surprising and surprisingly complicated in this respect, and the resulting nasty traps have already caused bugs in the past.
author: schwarze <> 2021-11-13 19:21:17 +0000
committer: schwarze <> 2021-11-13 19:21:17 +0000
commit: 008ce6e9d0e664052a6b5a3dfc6c9292f4a90432 (patch)
tree: fa11a97d0c19339e6542825578d4225f265cfff3 /src/lib
parent: 65755c720be5df80f0b2c973b379b8a9a4b546bf (diff)
download: openbsd-008ce6e9d0e664052a6b5a3dfc6c9292f4a90432.tar.gz
openbsd-008ce6e9d0e664052a6b5a3dfc6c9292f4a90432.tar.bz2
openbsd-008ce6e9d0e664052a6b5a3dfc6c9292f4a90432.zip
1 files changed, 35 insertions, 6 deletions
diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
index 6db1e0ea29..6e2c0259c5 100644
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
+++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.19 2021/11/12 18:56:00 schwarze Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.20 2021/11/13 19:21:17 schwarze Exp $
 .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 12 2021 $
+.Dd $Mdocdate: November 13 2021 $
 .Dt X509_VERIFY_PARAM_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -599,13 +599,42 @@ certificates.
 This makes it possible to trust certificates issued by an intermediate
 CA without having to trust its ancestor root CA.
 .Pp
-The
+If
+.Dv X509_V_FLAG_USE_CHECK_TIME
+is set, the validity period of certificates and CRLs is checked.
+In this case,
 .Dv X509_V_FLAG_NO_CHECK_TIME
-flag suppresses checking the validity period of certificates and CRLs
+is ignored.
-against the current time.
+If the validation time was set with
+.Fn X509_VERIFY_PARAM_set_time ,
+that time is used.
 If
 .Fn X509_VERIFY_PARAM_set_time
-is used to specify a verification time, the check is not suppressed.
+was not called, the UNIX Epoch (January 1, 1970) is used.
+.Pp
+If neither
+.Dv X509_V_FLAG_USE_CHECK_TIME
+nor
+.Dv X509_V_FLAG_NO_CHECK_TIME
+is set, the validity period of certificates and CRLs is checked
+using the current time.
+This is the deafult behaviour.
+In this case, if a validation time was set with
+.Fn X509_VERIFY_PARAM_set_time
+but
+.Dv X509_V_FLAG_USE_CHECK_TIME
+was later cleared with
+.Fn X509_VERIFY_PARAM_clear_flags ,
+the configured validation time is ignored
+and the current time is used anyway.
+.Pp
+If
+.Dv X509_V_FLAG_USE_CHECK_TIME
+is not set but
+.Dv X509_V_FLAG_NO_CHECK_TIME
+is set, the validity period of certificates and CRLs is not checked
+at all, and like in the previous case, any configured validation
+time is ignored.
 .Sh EXAMPLES
 Enable CRL checking when performing certificate verification during
 SSL connections associated with an
author	schwarze <>	2021-11-13 19:21:17 +0000
committer	schwarze <>	2021-11-13 19:21:17 +0000
commit	008ce6e9d0e664052a6b5a3dfc6c9292f4a90432 (patch)
tree	fa11a97d0c19339e6542825578d4225f265cfff3 /src/lib
parent	65755c720be5df80f0b2c973b379b8a9a4b546bf (diff)
download	openbsd-008ce6e9d0e664052a6b5a3dfc6c9292f4a90432.tar.gz openbsd-008ce6e9d0e664052a6b5a3dfc6c9292f4a90432.tar.bz2 openbsd-008ce6e9d0e664052a6b5a3dfc6c9292f4a90432.zip

diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 index 6db1e0ea29..6e2c0259c5 100644 --- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 +++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.19 2021/11/12 18:56:00 schwarze Exp $	1	.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.20 2021/11/13 19:21:17 schwarze Exp $
2	.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500	2	.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
3	.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100	3	.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
4	.\"	4	.\"
@@ -68,7 +68,7 @@
68	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	68	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
69	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	69	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
70	.\"	70	.\"
71	.Dd $Mdocdate: November 12 2021 $	71	.Dd $Mdocdate: November 13 2021 $
72	.Dt X509_VERIFY_PARAM_SET_FLAGS 3	72	.Dt X509_VERIFY_PARAM_SET_FLAGS 3
73	.Os	73	.Os
74	.Sh NAME	74	.Sh NAME
@@ -599,13 +599,42 @@ certificates.
599	This makes it possible to trust certificates issued by an intermediate	599	This makes it possible to trust certificates issued by an intermediate
600	CA without having to trust its ancestor root CA.	600	CA without having to trust its ancestor root CA.
601	.Pp	601	.Pp
602	The	602	If
		603	.Dv X509_V_FLAG_USE_CHECK_TIME
		604	is set, the validity period of certificates and CRLs is checked.
		605	In this case,
603	.Dv X509_V_FLAG_NO_CHECK_TIME	606	.Dv X509_V_FLAG_NO_CHECK_TIME
604	flag suppresses checking the validity period of certificates and CRLs	607	is ignored.
605	against the current time.	608	If the validation time was set with
		609	.Fn X509_VERIFY_PARAM_set_time ,
		610	that time is used.
606	If	611	If
607	.Fn X509_VERIFY_PARAM_set_time	612	.Fn X509_VERIFY_PARAM_set_time
608	is used to specify a verification time, the check is not suppressed.	613	was not called, the UNIX Epoch (January 1, 1970) is used.
		614	.Pp
		615	If neither
		616	.Dv X509_V_FLAG_USE_CHECK_TIME
		617	nor
		618	.Dv X509_V_FLAG_NO_CHECK_TIME
		619	is set, the validity period of certificates and CRLs is checked
		620	using the current time.
		621	This is the deafult behaviour.
		622	In this case, if a validation time was set with
		623	.Fn X509_VERIFY_PARAM_set_time
		624	but
		625	.Dv X509_V_FLAG_USE_CHECK_TIME
		626	was later cleared with
		627	.Fn X509_VERIFY_PARAM_clear_flags ,
		628	the configured validation time is ignored
		629	and the current time is used anyway.
		630	.Pp
		631	If
		632	.Dv X509_V_FLAG_USE_CHECK_TIME
		633	is not set but
		634	.Dv X509_V_FLAG_NO_CHECK_TIME
		635	is set, the validity period of certificates and CRLs is not checked
		636	at all, and like in the previous case, any configured validation
		637	time is ignored.
609	.Sh EXAMPLES	638	.Sh EXAMPLES
610	Enable CRL checking when performing certificate verification during	639	Enable CRL checking when performing certificate verification during
611	SSL connections associated with an	640	SSL connections associated with an