document the horrifying function X509_TRUST_set_default(3)

author: schwarze <> 2021-10-29 11:25:37 +0000
committer: schwarze <> 2021-10-29 11:25:37 +0000
commit: d4df4c56341f43698935f4f678cf1fce37aa0bb7 (patch)
tree: d211c1c17e04f7e4aa8893eeb3d9b53415fd1566 /src/lib
parent: 30e48389a9a0526b8590730f6fa5dbfa186c8e25 (diff)
download: openbsd-d4df4c56341f43698935f4f678cf1fce37aa0bb7.tar.gz
openbsd-d4df4c56341f43698935f4f678cf1fce37aa0bb7.tar.bz2
openbsd-d4df4c56341f43698935f4f678cf1fce37aa0bb7.zip
1 files changed, 43 insertions, 3 deletions
diff --git a/src/lib/libcrypto/man/X509_check_trust.3 b/src/lib/libcrypto/man/X509_check_trust.3
index c34f7f7370..f6a5dbe5b2 100644
--- a/src/lib/libcrypto/man/X509_check_trust.3
+++ b/src/lib/libcrypto/man/X509_check_trust.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_trust.3,v 1.3 2021/07/28 07:37:04 jmc Exp $
+.\" $OpenBSD: X509_check_trust.3,v 1.4 2021/10/29 11:25:37 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,11 +14,12 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 28 2021 $
+.Dd $Mdocdate: October 29 2021 $
 .Dt X509_CHECK_TRUST 3
 .Os
 .Sh NAME
-.Nm X509_check_trust
+.Nm X509_check_trust ,
+.Nm X509_TRUST_set_default
 .Nd check whether a certificate is trusted
 .Sh SYNOPSIS
 .In openssl/x509.h
@@ -28,6 +29,12 @@
 .Fa "int trust"
 .Fa "int flags"
 .Fc
+.Ft int
+.Fo "(*X509_TRUST_set_default(int (*handler)(int, X509 *, int)))"
+.Fa "int trust"
+.Fa "X509 *certificate"
+.Fa "int flags"
+.Fc
 .Sh DESCRIPTION
 .Fn X509_check_trust
 checks whether the
@@ -176,6 +183,27 @@ identifiers listed above, or it may have installed additional,
 user-supplied checking functions for user-defined
 .Fa trust
 identifiers not listed above.
+.Pp
+If the function
+.Fn X509_TRUST_set_default
+was called, the
+.Fa handler
+function passed to it is used instead of the standard algorithm,
+but only in the case where the
+.Fa trust
+argument of
+.Fn X509_check_trust
+is invalid.
+The compatibility step is not used used in this case.
+.Pp
+If the return value of the first call to
+.Fn X509_TRUST_set_default
+is saved and passed back to
+.Fn X509_TRUST_set_default
+later on, the standard behaviour
+of using the standard algorithm for invalid
+.Fa trust
+arguments is restored.
 .Sh RETURN VALUES
 .Fn X509_check_trust
 returns the following values:
@@ -194,6 +222,16 @@ The
 is neither trusted nor explicitly rejected,
 which implies that it is not trusted.
 .El
+.Pp
+.Fn X509_TRUST_set_default
+returns a pointer to the handler function for invalid
+.Fa trust
+that was installed before the call, which may either be a pointer
+to a function installed by a previous call to
+.Fn X509_TRUST_set_default
+or a pointer to the built-in function implementing the standard algorithm if
+.Fn X509_TRUST_set_default
+was never called before.
 .Sh SEE ALSO
 .Xr PEM_read_X509_AUX 3 ,
 .Xr X509_add1_trust_object 3 ,
@@ -205,5 +243,7 @@ which implies that it is not trusted.
 .Xr X509_VERIFY_PARAM_set_trust 3
 .Sh HISTORY
 .Fn X509_check_trust
+and
+.Fn X509_TRUST_set_default
 first appeared in OpenSSL 0.9.5 and has been available since
 .Ox 2.7 .
author	schwarze <>	2021-10-29 11:25:37 +0000
committer	schwarze <>	2021-10-29 11:25:37 +0000
commit	d4df4c56341f43698935f4f678cf1fce37aa0bb7 (patch)
tree	d211c1c17e04f7e4aa8893eeb3d9b53415fd1566 /src/lib
parent	30e48389a9a0526b8590730f6fa5dbfa186c8e25 (diff)
download	openbsd-d4df4c56341f43698935f4f678cf1fce37aa0bb7.tar.gz openbsd-d4df4c56341f43698935f4f678cf1fce37aa0bb7.tar.bz2 openbsd-d4df4c56341f43698935f4f678cf1fce37aa0bb7.zip

diff --git a/src/lib/libcrypto/man/X509_check_trust.3 b/src/lib/libcrypto/man/X509_check_trust.3 index c34f7f7370..f6a5dbe5b2 100644 --- a/src/lib/libcrypto/man/X509_check_trust.3 +++ b/src/lib/libcrypto/man/X509_check_trust.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_check_trust.3,v 1.3 2021/07/28 07:37:04 jmc Exp $	1	.\" $OpenBSD: X509_check_trust.3,v 1.4 2021/10/29 11:25:37 schwarze Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	4	.\"
@@ -14,11 +14,12 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: July 28 2021 $	17	.Dd $Mdocdate: October 29 2021 $
18	.Dt X509_CHECK_TRUST 3	18	.Dt X509_CHECK_TRUST 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
21	.Nm X509_check_trust	21	.Nm X509_check_trust ,
		22	.Nm X509_TRUST_set_default
22	.Nd check whether a certificate is trusted	23	.Nd check whether a certificate is trusted
23	.Sh SYNOPSIS	24	.Sh SYNOPSIS
24	.In openssl/x509.h	25	.In openssl/x509.h
@@ -28,6 +29,12 @@
28	.Fa "int trust"	29	.Fa "int trust"
29	.Fa "int flags"	30	.Fa "int flags"
30	.Fc	31	.Fc
		32	.Ft int
		33	.Fo "(X509_TRUST_set_default(int (handler)(int, X509 *, int)))"
		34	.Fa "int trust"
		35	.Fa "X509 *certificate"
		36	.Fa "int flags"
		37	.Fc
31	.Sh DESCRIPTION	38	.Sh DESCRIPTION
32	.Fn X509_check_trust	39	.Fn X509_check_trust
33	checks whether the	40	checks whether the
@@ -176,6 +183,27 @@ identifiers listed above, or it may have installed additional,
176	user-supplied checking functions for user-defined	183	user-supplied checking functions for user-defined
177	.Fa trust	184	.Fa trust
178	identifiers not listed above.	185	identifiers not listed above.
		186	.Pp
		187	If the function
		188	.Fn X509_TRUST_set_default
		189	was called, the
		190	.Fa handler
		191	function passed to it is used instead of the standard algorithm,
		192	but only in the case where the
		193	.Fa trust
		194	argument of
		195	.Fn X509_check_trust
		196	is invalid.
		197	The compatibility step is not used used in this case.
		198	.Pp
		199	If the return value of the first call to
		200	.Fn X509_TRUST_set_default
		201	is saved and passed back to
		202	.Fn X509_TRUST_set_default
		203	later on, the standard behaviour
		204	of using the standard algorithm for invalid
		205	.Fa trust
		206	arguments is restored.
179	.Sh RETURN VALUES	207	.Sh RETURN VALUES
180	.Fn X509_check_trust	208	.Fn X509_check_trust
181	returns the following values:	209	returns the following values:
@@ -194,6 +222,16 @@ The
194	is neither trusted nor explicitly rejected,	222	is neither trusted nor explicitly rejected,
195	which implies that it is not trusted.	223	which implies that it is not trusted.
196	.El	224	.El
		225	.Pp
		226	.Fn X509_TRUST_set_default
		227	returns a pointer to the handler function for invalid
		228	.Fa trust
		229	that was installed before the call, which may either be a pointer
		230	to a function installed by a previous call to
		231	.Fn X509_TRUST_set_default
		232	or a pointer to the built-in function implementing the standard algorithm if
		233	.Fn X509_TRUST_set_default
		234	was never called before.
197	.Sh SEE ALSO	235	.Sh SEE ALSO
198	.Xr PEM_read_X509_AUX 3 ,	236	.Xr PEM_read_X509_AUX 3 ,
199	.Xr X509_add1_trust_object 3 ,	237	.Xr X509_add1_trust_object 3 ,
@@ -205,5 +243,7 @@ which implies that it is not trusted.
205	.Xr X509_VERIFY_PARAM_set_trust 3	243	.Xr X509_VERIFY_PARAM_set_trust 3
206	.Sh HISTORY	244	.Sh HISTORY
207	.Fn X509_check_trust	245	.Fn X509_check_trust
		246	and
		247	.Fn X509_TRUST_set_default
208	first appeared in OpenSSL 0.9.5 and has been available since	248	first appeared in OpenSSL 0.9.5 and has been available since
209	.Ox 2.7 .	249	.Ox 2.7 .