1 files changed, 22 insertions, 6 deletions
diff --git a/src/lib/libssl/man/SSL_CTX_use_certificate.3 b/src/lib/libssl/man/SSL_CTX_use_certificate.3
index dd6caa6d88..dec16b3255 100644
--- a/src/lib/libssl/man/SSL_CTX_use_certificate.3
+++ b/src/lib/libssl/man/SSL_CTX_use_certificate.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_use_certificate.3,v 1.3 2017/04/10 01:46:37 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_use_certificate.3,v 1.4 2017/07/25 17:28:37 benno Exp $
 .\"     OpenSSL e248596b Apr 8 22:49:57 2005 +0000
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 10 2017 $
+.Dd $Mdocdate: July 25 2017 $
 .Dt SSL_CTX_USE_CERTIFICATE 3
 .Os
 .Sh NAME
@@ -301,22 +301,38 @@ to
 adds the first private RSA key found to
 .Fa ssl .
 .Pp
+The
 .Fn SSL_CTX_check_private_key
-checks the consistency of a private key with the corresponding certificate
+function is seriously misnamed.
-loaded into
+It compares the
+.Em public
+key components and parameters of an OpenSSL private key with the
+corresponding certificate loaded into
 .Fa ctx .
 If more than one key/certificate pair (RSA/DSA) is installed,
-the last item installed will be checked.
+the last item installed will be compared.
 If, e.g., the last item was a RSA certificate or key,
 the RSA key/certificate pair will be checked.
 .Fn SSL_check_private_key
-performs the same check for
+performs the same
+.Em public
+key comparison for
 .Fa ssl .
 If no key/certificate was explicitly added for this
 .Fa ssl ,
 the last item added into
 .Fa ctx
 will be checked.
+.Pp
+Despite the name, neither
+.Fn SSL_CTX_check_private_key
+nor
+.Fn SSL_check_private_key
+checks whether the private key component is indeed a private key,
+nor whether it matches the public key component.
+They merely compare the public materials (e.g. exponent and modulus of
+an RSA key) and/or key parameters (e.g. EC params of an EC key) of a
+key pair.
 .Sh NOTES
 The internal certificate store of OpenSSL can hold two private key/certificate
 pairs at a time:

diff --git a/src/lib/libssl/man/SSL_CTX_use_certificate.3 b/src/lib/libssl/man/SSL_CTX_use_certificate.3 index dd6caa6d88..dec16b3255 100644 --- a/src/lib/libssl/man/SSL_CTX_use_certificate.3 +++ b/src/lib/libssl/man/SSL_CTX_use_certificate.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.3 2017/04/10 01:46:37 schwarze Exp $	1	.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.4 2017/07/25 17:28:37 benno Exp $
2	.\" OpenSSL e248596b Apr 8 22:49:57 2005 +0000	2	.\" OpenSSL e248596b Apr 8 22:49:57 2005 +0000
3	.\"	3	.\"
4	.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.	4	.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
51	.\"	51	.\"
52	.Dd $Mdocdate: April 10 2017 $	52	.Dd $Mdocdate: July 25 2017 $
53	.Dt SSL_CTX_USE_CERTIFICATE 3	53	.Dt SSL_CTX_USE_CERTIFICATE 3
54	.Os	54	.Os
55	.Sh NAME	55	.Sh NAME
@@ -301,22 +301,38 @@ to
301	adds the first private RSA key found to	301	adds the first private RSA key found to
302	.Fa ssl .	302	.Fa ssl .
303	.Pp	303	.Pp
		304	The
304	.Fn SSL_CTX_check_private_key	305	.Fn SSL_CTX_check_private_key
305	checks the consistency of a private key with the corresponding certificate	306	function is seriously misnamed.
306	loaded into	307	It compares the
		308	.Em public
		309	key components and parameters of an OpenSSL private key with the
		310	corresponding certificate loaded into
307	.Fa ctx .	311	.Fa ctx .
308	If more than one key/certificate pair (RSA/DSA) is installed,	312	If more than one key/certificate pair (RSA/DSA) is installed,
309	the last item installed will be checked.	313	the last item installed will be compared.
310	If, e.g., the last item was a RSA certificate or key,	314	If, e.g., the last item was a RSA certificate or key,
311	the RSA key/certificate pair will be checked.	315	the RSA key/certificate pair will be checked.
312	.Fn SSL_check_private_key	316	.Fn SSL_check_private_key
313	performs the same check for	317	performs the same
		318	.Em public
		319	key comparison for
314	.Fa ssl .	320	.Fa ssl .
315	If no key/certificate was explicitly added for this	321	If no key/certificate was explicitly added for this
316	.Fa ssl ,	322	.Fa ssl ,
317	the last item added into	323	the last item added into
318	.Fa ctx	324	.Fa ctx
319	will be checked.	325	will be checked.
		326	.Pp
		327	Despite the name, neither
		328	.Fn SSL_CTX_check_private_key
		329	nor
		330	.Fn SSL_check_private_key
		331	checks whether the private key component is indeed a private key,
		332	nor whether it matches the public key component.
		333	They merely compare the public materials (e.g. exponent and modulus of
		334	an RSA key) and/or key parameters (e.g. EC params of an EC key) of a
		335	key pair.
320	.Sh NOTES	336	.Sh NOTES
321	The internal certificate store of OpenSSL can hold two private key/certificate	337	The internal certificate store of OpenSSL can hold two private key/certificate
322	pairs at a time:	338	pairs at a time: