diff options
| author | schwarze <> | 2022-07-13 21:17:03 +0000 |
|---|---|---|
| committer | schwarze <> | 2022-07-13 21:17:03 +0000 |
| commit | b68d0bc6a9857dd9ce4ba6cd65d3c2e75b595544 (patch) | |
| tree | 12202fbb197e5bd41a32fcb3b44017a631c77b26 /src | |
| parent | 5ce0e2f73b6896dab560f31b71a232221d72e27a (diff) | |
| download | openbsd-b68d0bc6a9857dd9ce4ba6cd65d3c2e75b595544.tar.gz openbsd-b68d0bc6a9857dd9ce4ba6cd65d3c2e75b595544.tar.bz2 openbsd-b68d0bc6a9857dd9ce4ba6cd65d3c2e75b595544.zip | |
In x509_vfy.h rev. 1.54, tb@ provided X509_VERIFY_PARAM_get_time(3)
and X509_VERIFY_PARAM_set_auth_level(3). Document them.
For the latter, i included a few sentences from the OpenSSL 1.1.1
branch, which is still under a free license.
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 | 47 |
1 files changed, 44 insertions, 3 deletions
diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 index fdcfd4834e..7a39050c4f 100644 --- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 +++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 | |||
| @@ -1,11 +1,11 @@ | |||
| 1 | .\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.25 2022/03/31 17:27:17 naddy Exp $ | 1 | .\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.26 2022/07/13 21:17:03 schwarze Exp $ |
| 2 | .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500 | 2 | .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500 |
| 3 | .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100 | 3 | .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100 |
| 4 | .\" | 4 | .\" |
| 5 | .\" This file is a derived work. | 5 | .\" This file is a derived work. |
| 6 | .\" The changes are covered by the following Copyright and license: | 6 | .\" The changes are covered by the following Copyright and license: |
| 7 | .\" | 7 | .\" |
| 8 | .\" Copyright (c) 2018, 2021 Ingo Schwarze <schwarze@openbsd.org> | 8 | .\" Copyright (c) 2018, 2021, 2022 Ingo Schwarze <schwarze@openbsd.org> |
| 9 | .\" | 9 | .\" |
| 10 | .\" Permission to use, copy, modify, and distribute this software for any | 10 | .\" Permission to use, copy, modify, and distribute this software for any |
| 11 | .\" purpose with or without fee is hereby granted, provided that the above | 11 | .\" purpose with or without fee is hereby granted, provided that the above |
| @@ -68,7 +68,7 @@ | |||
| 68 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | 68 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| 69 | .\" OF THE POSSIBILITY OF SUCH DAMAGE. | 69 | .\" OF THE POSSIBILITY OF SUCH DAMAGE. |
| 70 | .\" | 70 | .\" |
| 71 | .Dd $Mdocdate: March 31 2022 $ | 71 | .Dd $Mdocdate: July 13 2022 $ |
| 72 | .Dt X509_VERIFY_PARAM_SET_FLAGS 3 | 72 | .Dt X509_VERIFY_PARAM_SET_FLAGS 3 |
| 73 | .Os | 73 | .Os |
| 74 | .Sh NAME | 74 | .Sh NAME |
| @@ -80,10 +80,12 @@ | |||
| 80 | .Nm X509_VERIFY_PARAM_set_purpose , | 80 | .Nm X509_VERIFY_PARAM_set_purpose , |
| 81 | .Nm X509_VERIFY_PARAM_set_trust , | 81 | .Nm X509_VERIFY_PARAM_set_trust , |
| 82 | .Nm X509_VERIFY_PARAM_set_time , | 82 | .Nm X509_VERIFY_PARAM_set_time , |
| 83 | .Nm X509_VERIFY_PARAM_get_time , | ||
| 83 | .Nm X509_VERIFY_PARAM_add0_policy , | 84 | .Nm X509_VERIFY_PARAM_add0_policy , |
| 84 | .Nm X509_VERIFY_PARAM_set1_policies , | 85 | .Nm X509_VERIFY_PARAM_set1_policies , |
| 85 | .Nm X509_VERIFY_PARAM_set_depth , | 86 | .Nm X509_VERIFY_PARAM_set_depth , |
| 86 | .Nm X509_VERIFY_PARAM_get_depth , | 87 | .Nm X509_VERIFY_PARAM_get_depth , |
| 88 | .Nm X509_VERIFY_PARAM_set_auth_level , | ||
| 87 | .Nm X509_VERIFY_PARAM_set1_host , | 89 | .Nm X509_VERIFY_PARAM_set1_host , |
| 88 | .Nm X509_VERIFY_PARAM_add1_host , | 90 | .Nm X509_VERIFY_PARAM_add1_host , |
| 89 | .Nm X509_VERIFY_PARAM_set_hostflags , | 91 | .Nm X509_VERIFY_PARAM_set_hostflags , |
| @@ -132,6 +134,10 @@ | |||
| 132 | .Fa "X509_VERIFY_PARAM *param" | 134 | .Fa "X509_VERIFY_PARAM *param" |
| 133 | .Fa "time_t t" | 135 | .Fa "time_t t" |
| 134 | .Fc | 136 | .Fc |
| 137 | .Ft time_t | ||
| 138 | .Fo X509_VERIFY_PARAM_get_time | ||
| 139 | .Fa const X509_VERIFY_PARAM *param" | ||
| 140 | .Fc | ||
| 135 | .Ft int | 141 | .Ft int |
| 136 | .Fo X509_VERIFY_PARAM_add0_policy | 142 | .Fo X509_VERIFY_PARAM_add0_policy |
| 137 | .Fa "X509_VERIFY_PARAM *param" | 143 | .Fa "X509_VERIFY_PARAM *param" |
| @@ -151,6 +157,11 @@ | |||
| 151 | .Fo X509_VERIFY_PARAM_get_depth | 157 | .Fo X509_VERIFY_PARAM_get_depth |
| 152 | .Fa "const X509_VERIFY_PARAM *param" | 158 | .Fa "const X509_VERIFY_PARAM *param" |
| 153 | .Fc | 159 | .Fc |
| 160 | .Ft void | ||
| 161 | .Fo X509_VERIFY_PARAM_set_auth_level | ||
| 162 | .Fa "X509_VERIFY_PARAM *param" | ||
| 163 | .Fa "int auth_level" | ||
| 164 | .Fc | ||
| 154 | .Ft int | 165 | .Ft int |
| 155 | .Fo X509_VERIFY_PARAM_set1_host | 166 | .Fo X509_VERIFY_PARAM_set1_host |
| 156 | .Fa "X509_VERIFY_PARAM *param" | 167 | .Fa "X509_VERIFY_PARAM *param" |
| @@ -322,6 +333,23 @@ sets the maximum verification depth to | |||
| 322 | That is the maximum number of untrusted CA certificates that can appear | 333 | That is the maximum number of untrusted CA certificates that can appear |
| 323 | in a chain. | 334 | in a chain. |
| 324 | .Pp | 335 | .Pp |
| 336 | .Fn X509_VERIFY_PARAM_set_auth_level | ||
| 337 | sets the security level as defined in | ||
| 338 | .Xr SSL_CTX_set_security_level 3 | ||
| 339 | for certificate chain validation. | ||
| 340 | For a certificate chain to validate, the public keys of all the | ||
| 341 | certificates must meet the specified security level. | ||
| 342 | The signature algorithm security level is not enforced for the | ||
| 343 | chain's trust anchor certificate, which is either directly trusted | ||
| 344 | or validated by means other than its signature. | ||
| 345 | .Pp | ||
| 346 | From the point of view of the X.509 library, | ||
| 347 | the default security level is 0. | ||
| 348 | However, the SSL library | ||
| 349 | uses a different default security level of 1 and calls | ||
| 350 | .Fn X509_VERIFY_PARAM_set_auth_level | ||
| 351 | with its own level before validating a certificate chain. | ||
| 352 | .Pp | ||
| 325 | .Fn X509_VERIFY_PARAM_set1_host | 353 | .Fn X509_VERIFY_PARAM_set1_host |
| 326 | sets the expected DNS hostname to | 354 | sets the expected DNS hostname to |
| 327 | .Fa name | 355 | .Fa name |
| @@ -468,6 +496,12 @@ using the poisoned object will fail. | |||
| 468 | .Fn X509_VERIFY_PARAM_get_flags | 496 | .Fn X509_VERIFY_PARAM_get_flags |
| 469 | returns the current verification flags. | 497 | returns the current verification flags. |
| 470 | .Pp | 498 | .Pp |
| 499 | .Fn X509_VERIFY_PARAM_get_time | ||
| 500 | always returns the configured verification time. | ||
| 501 | It does so even if the returned time will not be used because the flag | ||
| 502 | .Dv X509_V_FLAG_USE_CHECK_TIME | ||
| 503 | is unset. | ||
| 504 | .Pp | ||
| 471 | .Fn X509_VERIFY_PARAM_get_depth | 505 | .Fn X509_VERIFY_PARAM_get_depth |
| 472 | returns the current verification depth. | 506 | returns the current verification depth. |
| 473 | .Pp | 507 | .Pp |
| @@ -687,6 +721,13 @@ and | |||
| 687 | .Fn X509_VERIFY_PARAM_set1_ip_asc | 721 | .Fn X509_VERIFY_PARAM_set1_ip_asc |
| 688 | first appeared in OpenSSL 1.0.2 and have been available since | 722 | first appeared in OpenSSL 1.0.2 and have been available since |
| 689 | .Ox 6.3 . | 723 | .Ox 6.3 . |
| 724 | .Pp | ||
| 725 | .Fn X509_VERIFY_PARAM_set_auth_level | ||
| 726 | first appeared in OpenSSL 1.1.0 and | ||
| 727 | .Fn X509_VERIFY_PARAM_get_time | ||
| 728 | in OpenSSL 1.1.0d. | ||
| 729 | Both functions have been available since | ||
| 730 | .Ox 7.2 . | ||
| 690 | .Sh BUGS | 731 | .Sh BUGS |
| 691 | Delta CRL checking is currently primitive. | 732 | Delta CRL checking is currently primitive. |
| 692 | Only a single delta can be used and (partly due to limitations of | 733 | Only a single delta can be used and (partly due to limitations of |