diff options
| author | tb <> | 2024-06-07 05:51:39 +0000 |
|---|---|---|
| committer | tb <> | 2024-06-07 05:51:39 +0000 |
| commit | 3fe1d3990fd478cae995125994e62261ee0ba4e3 (patch) | |
| tree | 6e6da532a454cc93e5f2a6e04bcb3f68d6a86f4f /src | |
| parent | 371ac7085256069dec0367a240329d112f110e6a (diff) | |
| download | openbsd-3fe1d3990fd478cae995125994e62261ee0ba4e3.tar.gz openbsd-3fe1d3990fd478cae995125994e62261ee0ba4e3.tar.bz2 openbsd-3fe1d3990fd478cae995125994e62261ee0ba4e3.zip | |
Call out argument reversal between check_issued() and X509_check_issued()
It's a trap!
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 | 37 |
1 files changed, 35 insertions, 2 deletions
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 index 2c0bd692a0..8c27deea5d 100644 --- a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 +++ b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | .\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.7 2023/08/10 16:15:42 schwarze Exp $ | 1 | .\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.8 2024/06/07 05:51:39 tb Exp $ |
| 2 | .\" | 2 | .\" |
| 3 | .\" Copyright (c) 2021, 2022 Ingo Schwarze <schwarze@openbsd.org> | 3 | .\" Copyright (c) 2021, 2022 Ingo Schwarze <schwarze@openbsd.org> |
| 4 | .\" Copyright (c) 2023 Job Snijders <job@openbsd.org> | 4 | .\" Copyright (c) 2023 Job Snijders <job@openbsd.org> |
| @@ -15,7 +15,7 @@ | |||
| 15 | .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | 15 | .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| 16 | .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 16 | .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| 17 | .\" | 17 | .\" |
| 18 | .Dd $Mdocdate: August 10 2023 $ | 18 | .Dd $Mdocdate: June 7 2024 $ |
| 19 | .Dt X509_STORE_CTX_SET_VERIFY 3 | 19 | .Dt X509_STORE_CTX_SET_VERIFY 3 |
| 20 | .Os | 20 | .Os |
| 21 | .Sh NAME | 21 | .Sh NAME |
| @@ -142,6 +142,28 @@ function provided by the user should check whether a given certificate | |||
| 142 | was issued using the CA certificate | 142 | was issued using the CA certificate |
| 143 | .Fa issuer , | 143 | .Fa issuer , |
| 144 | and must return 0 on failure and 1 on success. | 144 | and must return 0 on failure and 1 on success. |
| 145 | The default implementation ignores the | ||
| 146 | .Fa ctx | ||
| 147 | argument and returns success if and only if | ||
| 148 | .Xr X509_check_issued 3 | ||
| 149 | returns | ||
| 150 | .Dv X509_V_OK . | ||
| 151 | It is important to pay close attention to the order of the | ||
| 152 | .Fa issuer | ||
| 153 | and | ||
| 154 | .Fa subject | ||
| 155 | arguments. | ||
| 156 | In | ||
| 157 | .Xr X509_check_issued 3 | ||
| 158 | the | ||
| 159 | .Fa issuer | ||
| 160 | precedes the | ||
| 161 | .Fa subject | ||
| 162 | while in | ||
| 163 | .Fn check_issued | ||
| 164 | the | ||
| 165 | .Fa subject | ||
| 166 | comes first. | ||
| 145 | .Sh RETURN VALUES | 167 | .Sh RETURN VALUES |
| 146 | .Fn X509_STORE_CTX_verify_fn | 168 | .Fn X509_STORE_CTX_verify_fn |
| 147 | is supposed to return 1 to indicate that the chain is valid | 169 | is supposed to return 1 to indicate that the chain is valid |
| @@ -221,3 +243,14 @@ and | |||
| 221 | .Fn X509_STORE_CTX_get_check_issued | 243 | .Fn X509_STORE_CTX_get_check_issued |
| 222 | first appeared in OpenSSL 1.1.0 and have been available since | 244 | first appeared in OpenSSL 1.1.0 and have been available since |
| 223 | .Ox 7.3 . | 245 | .Ox 7.3 . |
| 246 | .Sh BUGS | ||
| 247 | The reversal of order of | ||
| 248 | .Fa subject | ||
| 249 | and | ||
| 250 | .Fa issuer | ||
| 251 | between | ||
| 252 | .Fn check_issued | ||
| 253 | and | ||
| 254 | .Xr X509_check_issued 3 | ||
| 255 | is very confusing. | ||
| 256 | It has led to bugs and will cause many more. | ||