document X509_LOOKUP_mem(3) in X509_LOOKUP_hash_dir(3)

and add a new manual page X509_LOOKUP_new(3)

8 files changed, 636 insertions, 32 deletions

diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index f605de5dbc..666ef63aaf 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.188 2021/07/27 13:27:46 schwarze Exp $
+# $OpenBSD: Makefile,v 1.189 2021/07/31 14:54:33 schwarze Exp $
 
 .include <bsd.own.mk>
 
@@ -284,6 +284,7 @@ MAN=	\
         X509_EXTENSION_set_object.3 \
         X509_INFO_new.3 \
         X509_LOOKUP_hash_dir.3 \
+        X509_LOOKUP_new.3 \
         X509_NAME_ENTRY_get_object.3 \
         X509_NAME_add_entry_by_txt.3 \
         X509_NAME_get_index_by_NID.3 \
diff --git a/src/lib/libcrypto/man/PEM_X509_INFO_read.3 b/src/lib/libcrypto/man/PEM_X509_INFO_read.3
index 4a9dc97148..0e908b7988 100644
--- a/src/lib/libcrypto/man/PEM_X509_INFO_read.3
+++ b/src/lib/libcrypto/man/PEM_X509_INFO_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_X509_INFO_read.3,v 1.2 2021/03/12 05:18:00 jsg Exp $
+.\" $OpenBSD: PEM_X509_INFO_read.3,v 1.3 2021/07/31 14:54:33 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 12 2021 $
+.Dd $Mdocdate: July 31 2021 $
 .Dt PEM_X509_INFO_READ 3
 .Os
 .Sh NAME
@@ -161,6 +161,7 @@ may sometimes return 0 anyway.
 .Xr STACK_OF 3 ,
 .Xr X509_CRL_new 3 ,
 .Xr X509_INFO_new 3 ,
+.Xr X509_LOOKUP_new 3 ,
 .Xr X509_new 3
 .Sh HISTORY
 .Fn PEM_X509_INFO_read
diff --git a/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 b/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3
index c59706d6c4..14e49f3a77 100644
--- a/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3
+++ b/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3
@@ -1,7 +1,24 @@
-.\" $OpenBSD: X509_LOOKUP_hash_dir.3,v 1.9 2019/06/06 01:06:59 schwarze Exp $
+.\" $OpenBSD: X509_LOOKUP_hash_dir.3,v 1.10 2021/07/31 14:54:33 schwarze Exp $
 .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
-.\" This file was written by Victor B. Wagner <vitus@cryptocom.ru>
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Victor B. Wagner <vitus@cryptocom.ru>
 .\" and Claus Assmann.
 .\" Copyright (c) 2015, 2016, 2017 The OpenSSL Project.  All rights reserved.
 .\"
@@ -49,22 +66,25 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: July 31 2021 $
 .Dt X509_LOOKUP_HASH_DIR 3
 .Os
 .Sh NAME
 .Nm X509_LOOKUP_hash_dir ,
 .Nm X509_LOOKUP_file ,
+.Nm X509_LOOKUP_mem ,
 .Nm X509_load_cert_file ,
 .Nm X509_load_crl_file ,
 .Nm X509_load_cert_crl_file
-.Nd default OpenSSL certificate lookup methods
+.Nd default certificate lookup methods
 .Sh SYNOPSIS
 .In openssl/x509_vfy.h
 .Ft X509_LOOKUP_METHOD *
 .Fn X509_LOOKUP_hash_dir void
 .Ft X509_LOOKUP_METHOD *
 .Fn X509_LOOKUP_file void
+.Ft X509_LOOKUP_METHOD *
+.Fn X509_LOOKUP_mem void
 .Ft int
 .Fo X509_load_cert_file
 .Fa "X509_LOOKUP *ctx"
@@ -84,16 +104,17 @@
 .Fa "int type"
 .Fc
 .Sh DESCRIPTION
-.Fn X509_LOOKUP_hash_dir
+.Fn X509_LOOKUP_hash_dir ,
+.Fn X509_LOOKUP_file ,
 and
-.Fn X509_LOOKUP_file
-are two certificate lookup methods to use with
-.Vt X509_STORE ,
-provided by the OpenSSL library.
+.Fn X509_LOOKUP_mem
+return pointers to static certificate lookup method objects
+built into the library, for use with
+.Vt X509_STORE .
 .Pp
-Users of the library typically do not need to create instances of these
-methods manually.
-They are created automatically by the
+Users of the library typically do not need
+to retrieve pointers to these method objects manually.
+They are automatically used by the
 .Xr X509_STORE_load_locations 3
 or
 .Xr SSL_CTX_load_verify_locations 3
@@ -141,7 +162,7 @@ filename causes these functions to load the default certificate
 store file (see
 .Xr X509_STORE_set_default_paths 3 ) .
 .Pp
-Both methods support adding several certificate locations into one
+All three methods support adding several certificate locations into one
 .Sy X509_STORE .
 .Pp
 This page documents certificate store formats used by these methods and
@@ -208,13 +229,22 @@ sequence number greater than that of the already cached CRL.
 Note that the hash algorithm used for subject name hashing changed in
 OpenSSL 1.0.0, and all certificate stores have to be rehashed when
 moving from OpenSSL 0.9.8 to 1.0.0.
+.Ss Memory Method
+The
+.Fn X509_LOOKUP_mem
+method supports loading PEM-encoded certificates and revocation lists
+that are already stored in memory, using the function
+.Xr X509_LOOKUP_add_mem 3 .
+This is particularly useful in processes using
+.Xr chroot 2 .
 .Sh RETURN VALUES
-.Fn X509_LOOKUP_hash_dir
+.Fn X509_LOOKUP_hash_dir ,
+.Fn X509_LOOKUP_file ,
 and
-.Fn X509_LOOKUP_file
+.Fn X509_LOOKUP_mem
 always return a pointer to a static
 .Vt X509_LOOKUP_METHOD
-structure.
+object.
 .Pp
 .Fn X509_load_cert_file ,
 .Fn X509_load_crl_file ,
@@ -227,6 +257,7 @@ or 0 on error.
 .Xr d2i_X509_bio 3 ,
 .Xr PEM_read_PrivateKey 3 ,
 .Xr SSL_CTX_load_verify_locations 3 ,
+.Xr X509_LOOKUP_new 3 ,
 .Xr X509_OBJECT_get0_X509 3 ,
 .Xr X509_STORE_load_locations 3 ,
 .Xr X509_STORE_new 3
@@ -244,3 +275,7 @@ These functions have been available since
 .Fn X509_load_cert_crl_file
 first appeared in OpenSSL 0.9.5 and has been available since
 .Ox 2.7 .
+.Pp
+.Fn X509_LOOKUP_mem
+first appeared in
+.Ox 5.7 .
diff --git a/src/lib/libcrypto/man/X509_LOOKUP_new.3 b/src/lib/libcrypto/man/X509_LOOKUP_new.3
new file mode 100644
index 0000000000..02fe4c9f4e
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_LOOKUP_new.3
@@ -0,0 +1,566 @@
+.\" $OpenBSD: X509_LOOKUP_new.3,v 1.1 2021/07/31 14:54:33 schwarze Exp $
+.\"
+.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: July 31 2021 $
+.Dt X509_LOOKUP_NEW 3
+.Os
+.Sh NAME
+.Nm X509_LOOKUP_new ,
+.Nm X509_LOOKUP_free ,
+.Nm X509_LOOKUP_ctrl ,
+.Nm X509_LOOKUP_add_dir ,
+.Nm X509_LOOKUP_load_file ,
+.Nm X509_LOOKUP_add_mem ,
+.Nm X509_LOOKUP_by_subject ,
+.Nm X509_LOOKUP_init ,
+.Nm X509_LOOKUP_shutdown ,
+.Nm X509_LOOKUP_by_issuer_serial ,
+.Nm X509_LOOKUP_by_fingerprint ,
+.Nm X509_LOOKUP_by_alias ,
+.Nm X509_get_default_cert_dir ,
+.Nm X509_get_default_cert_file
+.Nd certificate lookup object
+.Sh SYNOPSIS
+.In openssl/x509_vfy.h
+.Ft X509_LOOKUP *
+.Fn X509_LOOKUP_new "X509_LOOKUP_METHOD *method"
+.Ft void
+.Fn X509_LOOKUP_free "X509_LOOKUP *lookup"
+.Ft int
+.Fo X509_LOOKUP_ctrl
+.Fa "X509_LOOKUP *lookup"
+.Fa "int command"
+.Fa "const char *source"
+.Fa "long type"
+.Fa "char **ret"
+.Fc
+.Ft int
+.Fo X509_LOOKUP_add_dir
+.Fa "X509_LOOKUP *lookup"
+.Fa "const char *source"
+.Fa "long type"
+.Fc
+.Ft int
+.Fo X509_LOOKUP_load_file
+.Fa "X509_LOOKUP *lookup"
+.Fa "const char *source"
+.Fa "long type"
+.Fc
+.Ft int
+.Fo X509_LOOKUP_add_mem
+.Fa "X509_LOOKUP *lookup"
+.Fa "const struct iovec *source"
+.Fa "long type"
+.Fc
+.Ft int
+.Fo X509_LOOKUP_by_subject
+.Fa "X509_LOOKUP *lookup"
+.Fa "int type"
+.Fa "X509_NAME *name"
+.Fa "X509_OBJECT *ret"
+.Fc
+.Ft int
+.Fn X509_LOOKUP_init "X509_LOOKUP *lookup"
+.Ft int
+.Fn X509_LOOKUP_shutdown "X509_LOOKUP *lookup"
+.Ft int
+.Fo X509_LOOKUP_by_issuer_serial
+.Fa "X509_LOOKUP *lookup"
+.Fa "int type"
+.Fa "X509_NAME *name"
+.Fa "ASN1_INTEGER *serial"
+.Fa "X509_OBJECT *ret"
+.Fc
+.Ft int
+.Fo X509_LOOKUP_by_fingerprint
+.Fa "X509_LOOKUP *lookup"
+.Fa "int type"
+.Fa "const unsigned char *bytes"
+.Fa "int length"
+.Fa "X509_OBJECT *ret"
+.Fc
+.Ft int
+.Fo X509_LOOKUP_by_alias
+.Fa "X509_LOOKUP *lookup"
+.Fa "int type"
+.Fa "const char *string"
+.Fa "int length"
+.Fa "X509_OBJECT *ret"
+.Fc
+.In openssl/x509.h
+.Ft const char *
+.Fn X509_get_default_cert_dir void
+.Ft const char *
+.Fn X509_get_default_cert_file void
+.Sh DESCRIPTION
+.Fn X509_LOOKUP_new
+allocates a new, empty
+.Vt X509_LOOKUP
+object and associates it with the
+.Fa method
+which is a static objects returned from either
+.Xr X509_LOOKUP_hash_dir 3
+or
+.Xr X509_LOOKUP_file 3
+or
+.Xr X509_LOOKUP_mem 3 .
+.Pp
+.Fn X509_LOOKUP_free
+releases the memory used by
+.Fa lookup .
+If
+.Fa lookup
+is a
+.Dv NULL
+pointer, no action occurs.
+.Pp
+The operation of
+.Fn X509_LOOKUP_ctrl
+depends on the
+.Vt X509_LOOKUP_METHOD
+used by
+.Fa lookup :
+.Bl -tag -width 4n
+.It Xr X509_LOOKUP_hash_dir 3
+The
+.Fa command
+is required to be
+.Dv X509_L_ADD_DIR
+and the
+.Fa source
+argument is interpreted
+as a colon-separated, NUL-terminated list of directory names.
+These directories are added to an internal list of directories to search
+for certificate files of the given
+.Fa type .
+.Pp
+If
+.Fa type
+is
+.Dv X509_FILETYPE_DEFAULT ,
+the
+.Fa source
+argument is ignored and
+.Pa /etc/ssl/certs
+and a type of
+.Dv X509_FILETYPE_PEM
+are used instead.
+.Pp
+.Fn X509_LOOKUP_add_dir
+is a macro that calls
+.Fn X509_LOOKUP_ctrl
+with a
+.Fa command
+of
+.Dv X509_L_ADD_DIR
+and
+.Fa ret
+set to
+.Dv NULL .
+.It Xr X509_LOOKUP_file 3
+The
+.Fa command
+is required to be
+.Dv X509_L_FILE_LOAD
+and the
+.Fa source
+argument is interpreted as a NUL-terminated file name.
+If the
+.Fa type
+is
+.Dv X509_FILETYPE_PEM ,
+the file is read with
+.Xr BIO_new_file 3
+and
+.Xr PEM_X509_INFO_read_bio 3
+and the certificates and revocation lists found are added to the
+.Vt X509_STORE
+object associated with
+.Fa lookup
+using
+.Xr X509_STORE_add_cert 3
+and
+.Xr X509_STORE_add_crl 3 .
+If
+.Fa type
+is
+.Dv X509_FILETYPE_DEFAULT ,
+the
+.Fa source
+argument is ignored and
+.Pa /etc/ssl/certs.pem
+and a type of
+.Dv X509_FILETYPE_PEM
+are used instead.
+If
+.Fa type
+is
+.Dv X509_FILETYPE_ASN1 ,
+the file is read with
+.Xr d2i_X509_bio 3
+and the single certificate is added to the
+.Vt X509_STORE
+object associated with
+.Fa lookup
+using
+.Xr X509_STORE_add_cert 3 .
+.Pp
+.Fn X509_LOOKUP_load_file
+is a macro calling
+.Fn X509_LOOKUP_ctrl
+with a
+.Fa command
+of
+.Dv X509_L_FILE_LOAD
+and
+.Fa ret
+set to
+.Dv NULL .
+.It Xr X509_LOOKUP_mem 3
+The
+.Fa command
+and
+.Fa type
+are required to be
+.Dv X509_L_MEM
+and
+.Dv X509_FILETYPE_PEM ,
+respectively.
+The
+.Fa source
+argument is interpreted as a pointer to an
+.Vt iovec
+structure defined in
+.In sys/uio.h .
+The memory area described by that structure is read with
+.Xr BIO_new_mem_buf 3
+and
+.Xr PEM_X509_INFO_read_bio 3
+and the certificates and revocation lists found are added to the
+.Vt X509_STORE
+object associated with
+.Fa lookup
+using
+.Xr X509_STORE_add_cert 3
+and
+.Xr X509_STORE_add_crl 3 .
+.Pp
+.Fn X509_LOOKUP_add_mem
+is a macro calling
+.Fn X509_LOOKUP_ctrl
+with a command of
+.Dv X509_L_MEM
+and
+.Fa ret
+set to
+.Dv NULL .
+.El
+.Pp
+.Fn X509_LOOKUP_ctrl
+always ignores the
+.Fa ret
+argument when the built-in
+.Vt X509_LOOKUP_METHOD
+objects are used.
+.Pp
+When using built-in
+.Vt X509_LOOKUP_METHOD
+objects,
+.Fn X509_LOOKUP_by_subject
+is only useful if
+.Fa lookup
+uses
+.Xr X509_LOOKUP_hash_dir 3 .
+It passes the
+.Fa name
+to
+.Xr X509_NAME_hash 3
+and converts the resulting hash to an eight-digit lower-case
+hexadecimal number.
+If the
+.Fa type
+is
+.Dv X509_LU_X509 ,
+it searches the configured directories for files having that name,
+with a file name extension that is a small, non-negative decimal integer
+starting at
+.Qq ".0" .
+These files are read with
+.Xr X509_load_cert_file 3 .
+In each directory, the search is ended once a file with the expected name
+and extension does not exists.
+.Pp
+If the
+.Fa type
+is
+.Dv X509_LU_CRL ,
+the file name extensions are expected to have a prefix of
+.Qq "r" ,
+i.e. they start with
+.Qq ".r0" ,
+and the files are read with
+.Xr X509_load_crl_file 3 .
+.Pp
+Unless an application program manually constructs its own
+.Vt X509_LOOKUP_METHOD
+object containing its own callback functions,
+.Fn X509_LOOKUP_init ,
+.Fn X509_LOOKUP_shutdown ,
+.Fn X509_LOOKUP_by_issuer_serial ,
+.Fn X509_LOOKUP_by_fingerprint ,
+and
+.Fn X509_LOOKUP_by_alias
+have no effect.
+.Fn X509_LOOKUP_init
+is supposed to be called after
+.Fn X509_LOOKUP_new
+and before using the
+.Fa lookup
+object,
+.Fn X509_LOOKUP_shutdown
+after using it and before
+.Fn X509_LOOKUP_free .
+.Sh RETURN VALUES
+.Fn X509_LOOKUP_new
+returns the new object or
+.Dv NULL
+if memory allocation fails.
+.Pp
+.Fn X509_LOOKUP_ctrl
+returns 1 for success or 0 for failure.
+If
+.Fa lookup
+uses a user-defined
+.Vt X509_LOOKUP_METHOD
+object, it might also return \-1 for internal errors.
+.Pp
+.Fn X509_LOOKUP_by_subject
+returns
+.Dv X509_LU_X509
+for success or
+.Dv X509_LU_FAIL
+for failure.
+In particular, it fails if
+.Fa lookup
+uses
+.Xr X509_LOOKUP_file 3
+or
+.Xr X509_LOOKUP_mem 3 ,
+if
+.Fa name
+is
+.Dv NULL ,
+if
+.Fa type
+is neither
+.Dv X509_LU_X509
+nor
+.Dv X509_LU_CRL ,
+or if memory allocation fails.
+.Pp
+.Fn X509_LOOKUP_init
+and
+.Fn X509_LOOKUP_shutdown
+are supposed to return 1 for success and 0 for failure.
+When using the built-in
+.Vt X509_LOOKUP_METHOD
+objects, they always return 1.
+.Pp
+.Fn X509_LOOKUP_by_issuer_serial ,
+.Fn X509_LOOKUP_by_fingerprint ,
+and
+.Fn X509_LOOKUP_by_alias
+always return
+.Dv X509_LU_FAIL
+when using the built-in
+.Vt X509_LOOKUP_METHOD
+objects.
+.Pp
+.Fn X509_get_default_cert_dir
+returns a pointer to the constant string
+.Qq /etc/ssl/certs ,
+and
+.Fn X509_get_default_cert_file
+to the constant string
+.Qq /etc/ssl/certs.pem .
+.Sh FILES
+.Bl -tag -width /etc/ssl/certs.pem -compact
+.It Pa /etc/ssl/certs/
+default directory for storing trusted certificates
+.It Pa /etc/ssl/certs.pem
+default file for storing trusted certificates
+.El
+.Sh ERRORS
+The following diagnostics can be retrieved with
+.Xr ERR_get_error 3 ,
+.Xr ERR_GET_REASON 3 ,
+and
+.Xr ERR_reason_error_string 3 :
+.Bl -tag -width Ds
+.It Dv ERR_R_ASN1_LIB Qq "ASN1 lib"
+.Xr d2i_X509_bio 3
+failed in
+.Fn X509_LOOKUP_ctrl .
+.It Dv X509_R_BAD_X509_FILETYPE Qq "bad x509 filetype"
+.Fn X509_LOOKUP_ctrl
+was called with an invalid
+.Fa type .
+.It Dv ERR_R_BUF_LIB Qq "BUF lib"
+Memory allocation failed in
+.Fn X509_LOOKUP_by_subject .
+.It Dv X509_R_INVALID_DIRECTORY Qq "invalid directory"
+The
+.Fa source
+argument of
+.Fn X509_LOOKUP_ctrl
+with
+.Dv X509_L_ADD_DIR
+or
+.Fn X509_LOOKUP_add_dir
+was
+.Dv NULL
+or an empty string.
+.It Dv X509_R_LOADING_CERT_DIR Qq "loading cert dir"
+.Fn X509_LOOKUP_ctrl
+with
+.Dv X509_L_ADD_DIR
+or
+.Fn X509_LOOKUP_add_dir
+was called with
+.Dv X509_FILETYPE_DEFAULT
+and adding the default directories failed.
+This error is added after and in addition to a more specific diagnostic.
+.It Dv X509_R_LOADING_DEFAULTS Qq "loading defaults"
+.Fn X509_LOOKUP_ctrl
+with
+.Dv X509_L_FILE_LOAD
+or
+.Fn X509_LOOKUP_load_file
+was called with
+.Dv X509_FILETYPE_DEFAULT
+and adding the certificates and revocation lists failed.
+This error is added after and in addition to a more specific diagnostic.
+.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
+Memory allocation failed in
+.Fn X509_LOOKUP_ctrl
+or
+.Fn X509_LOOKUP_by_subject .
+.It Dv ERR_R_PEM_LIB Qq "PEM lib"
+.Xr PEM_X509_INFO_read_bio 3 ,
+.Xr PEM_read_bio_X509_AUX 3 ,
+or
+.Xr PEM_read_bio_X509_CRL 3
+failed in
+.Fn X509_LOOKUP_ctrl .
+.It Dv ERR_R_SYS_LIB Qq "system lib"
+.Xr BIO_new 3 ,
+.Xr BIO_new_file 3 ,
+or
+.Xr BIO_read_filename 3
+failed in
+.Fn X509_LOOKUP_ctrl .
+.It Dv X509_R_WRONG_LOOKUP_TYPE Qq "wrong lookup type"
+.Fn X509_LOOKUP_by_subject
+was called with an invalid
+.Fa type .
+.El
+.Pp
+Passing an invalid
+.Fa command
+to
+.Fn X509_LOOKUP_ctrl
+or calling
+.Fn X509_LOOKUP_by_subject
+with a
+.Dv NULL
+.Fa name
+causes failure but provides no diagnostics.
+.Sh SEE ALSO
+.Xr d2i_X509_bio 3 ,
+.Xr PEM_read_bio_X509_AUX 3 ,
+.Xr PEM_X509_INFO_read_bio 3 ,
+.Xr X509_LOOKUP_hash_dir 3 ,
+.Xr X509_NAME_hash 3 ,
+.Xr X509_NAME_new 3 ,
+.Xr X509_new 3 ,
+.Xr X509_OBJECT_get_type 3 ,
+.Xr X509_STORE_add_cert 3
+.Sh HISTORY
+.Fn X509_get_default_cert_dir
+and
+.Fn X509_get_default_cert_file
+first appeared in SSLeay 0.4.1 and have been available since
+.Ox 2.4 .
+.Pp
+.Fn X509_LOOKUP_add_mem
+first appeared in
+.Ox 5.7 .
+.Pp
+The other functions first appeared in SSLeay 0.8.0
+and have been available since
+.Ox 2.4 .
+.Sh BUGS
+If the
+.Fa type
+is
+.Dv X509_FILETYPE_DEFAULT
+or
+.Dv X509_FILETYPE_PEM ,
+.Fn X509_LOOKUP_ctrl
+with
+.Dv X509_L_FILE_LOAD
+and
+.Fn X509_LOOKUP_load_file
+silently ignore failure of
+.Xr X509_STORE_add_cert 3
+and
+.Xr X509_STORE_add_crl 3
+and indicate success anyway.
+.Pp
+Handling of a
+.Dv NULL
+.Fa source
+is inconsistent for
+.Fn X509_LOOKUP_ctrl
+with
+.Dv X509_L_FILE_LOAD
+and for
+.Fn X509_LOOKUP_load_file .
+With
+.Dv X509_FILETYPE_PEM ,
+it causes failure, but with
+.Dv X509_FILETYPE_ASN1 ,
+no action occurs and success is indicated.
+.Pp
+When called on a
+.Fa lookup
+object using
+.Xr X509_LOOKUP_mem 3 ,
+.Fn X509_LOOKUP_ctrl
+raises
+.Dv ERR_R_PEM_LIB
+when called with an invalid
+.Fa command
+or
+.Fa type ,
+when
+.Xr BIO_new_mem_buf 3
+fails, when
+.Fa source
+contains zero objects, or when
+.Xr X509_STORE_add_cert 3
+fails on the first object encountered, which is all inconsistent
+with the behaviour of the other lookup methods.
diff --git a/src/lib/libcrypto/man/X509_NAME_hash.3 b/src/lib/libcrypto/man/X509_NAME_hash.3
index 917fa65463..8766109525 100644
--- a/src/lib/libcrypto/man/X509_NAME_hash.3
+++ b/src/lib/libcrypto/man/X509_NAME_hash.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_NAME_hash.3,v 1.2 2021/07/23 20:25:36 schwarze Exp $
+.\" $OpenBSD: X509_NAME_hash.3,v 1.3 2021/07/31 14:54:33 schwarze Exp $
 .\"
 .\" Copyright (c) 2017, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 23 2021 $
+.Dd $Mdocdate: July 31 2021 $
 .Dt X509_NAME_HASH 3
 .Os
 .Sh NAME
@@ -71,6 +71,7 @@ These functions return the hash value or 0 if an error occurs.
 .Sh SEE ALSO
 .Xr i2d_X509_NAME 3 ,
 .Xr X509_get_subject_name 3 ,
+.Xr X509_LOOKUP_new 3 ,
 .Xr X509_NAME_digest 3 ,
 .Xr X509_NAME_new 3
 .Sh HISTORY
diff --git a/src/lib/libcrypto/man/X509_OBJECT_get0_X509.3 b/src/lib/libcrypto/man/X509_OBJECT_get0_X509.3
index 07dd3e5568..fc51696ac8 100644
--- a/src/lib/libcrypto/man/X509_OBJECT_get0_X509.3
+++ b/src/lib/libcrypto/man/X509_OBJECT_get0_X509.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_OBJECT_get0_X509.3,v 1.9 2019/06/06 01:06:59 schwarze Exp $
+.\" $OpenBSD: X509_OBJECT_get0_X509.3,v 1.10 2021/07/31 14:54:34 schwarze Exp $
 .\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: July 31 2021 $
 .Dt X509_OBJECT_GET0_X509 3
 .Os
 .Sh NAME
@@ -225,17 +225,14 @@ is
 or no match is found.
 .Sh SEE ALSO
 .Xr X509_CRL_new 3 ,
+.Xr X509_LOOKUP_new 3 ,
 .Xr X509_NAME_new 3 ,
 .Xr X509_STORE_get0_objects 3 ,
 .Xr X509_STORE_load_locations 3 ,
 .Xr X509_STORE_new 3
 .\" The type X509_OBJECT is also used
-.\" by the following undocumented public functions:
+.\" by the following undocumented public function:
 .\" X509_STORE_get_by_subject
-.\" X509_LOOKUP_by_subject
-.\" X509_LOOKUP_by_issuer_serial
-.\" X509_LOOKUP_by_fingerprint
-.\" X509_LOOKUP_by_alias
 .Sh HISTORY
 .Fn X509_OBJECT_up_ref_count
 and
diff --git a/src/lib/libcrypto/man/X509_STORE_set1_param.3 b/src/lib/libcrypto/man/X509_STORE_set1_param.3
index 36d4d4f115..b44293966b 100644
--- a/src/lib/libcrypto/man/X509_STORE_set1_param.3
+++ b/src/lib/libcrypto/man/X509_STORE_set1_param.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_set1_param.3,v 1.16 2019/06/06 01:06:59 schwarze Exp $
+.\" $OpenBSD: X509_STORE_set1_param.3,v 1.17 2021/07/31 14:54:34 schwarze Exp $
 .\" content checked up to:
 .\" OpenSSL man3/X509_STORE_add_cert b0edda11 Mar 20 13:00:17 2018 +0000
 .\" OpenSSL man3/X509_STORE_get0_param e90fc053 Jul 15 09:39:45 2017 -0400
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: July 31 2021 $
 .Dt X509_STORE_SET1_PARAM 3
 .Os
 .Sh NAME
@@ -192,6 +192,7 @@ on failure.
 .Sh SEE ALSO
 .Xr RSA_get_ex_new_index 3 ,
 .Xr SSL_set1_param 3 ,
+.Xr X509_LOOKUP_new 3 ,
 .Xr X509_OBJECT_get0_X509 3 ,
 .Xr X509_STORE_CTX_set0_param 3 ,
 .Xr X509_STORE_load_locations 3 ,
diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3
index 8a1da448c4..efd4db5359 100644
--- a/src/lib/libcrypto/man/X509_new.3
+++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_new.3,v 1.28 2021/07/27 13:27:46 schwarze Exp $
+.\" $OpenBSD: X509_new.3,v 1.29 2021/07/31 14:54:34 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 27 2021 $
+.Dd $Mdocdate: July 31 2021 $
 .Dt X509_NEW 3
 .Os
 .Sh NAME
@@ -192,6 +192,8 @@ if an error occurs.
 .Xr X509_get_subject_name 3 ,
 .Xr X509_get_version 3 ,
 .Xr X509_INFO_new 3 ,
+.Xr X509_LOOKUP_hash_dir 3 ,
+.Xr X509_LOOKUP_new 3 ,
 .Xr X509_NAME_new 3 ,
 .Xr X509_policy_check 3 ,
 .Xr X509_policy_tree_level_count 3 ,