1 files changed, 103 insertions, 25 deletions
diff --git a/src/lib/libssl/man/SSL_load_client_CA_file.3 b/src/lib/libssl/man/SSL_load_client_CA_file.3
index ba08dff77f..4eab59ff6e 100644
--- a/src/lib/libssl/man/SSL_load_client_CA_file.3
+++ b/src/lib/libssl/man/SSL_load_client_CA_file.3
@@ -1,7 +1,24 @@
-.\"     $OpenBSD: SSL_load_client_CA_file.3,v 1.2 2016/12/04 12:20:54 schwarze Exp $
+.\"     $OpenBSD: SSL_load_client_CA_file.3,v 1.3 2016/12/07 14:38:43 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Lutz Jaenicke <jaenicke@openssl.org>.
 .\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -48,42 +65,69 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 4 2016 $
+.Dd $Mdocdate: December 7 2016 $
 .Dt SSL_LOAD_CLIENT_CA_FILE 3
 .Os
 .Sh NAME
-.Nm SSL_load_client_CA_file
+.Nm SSL_load_client_CA_file ,
-.Nd load certificate names from file
+.Nm SSL_add_file_cert_subjects_to_stack ,
+.Nm SSL_add_dir_cert_subjects_to_stack
+.Nd load certificate names from files
 .Sh SYNOPSIS
 .In openssl/ssl.h
 .Ft STACK_OF(X509_NAME) *
 .Fn SSL_load_client_CA_file "const char *file"
+.Ft int
+.Fo SSL_add_file_cert_subjects_to_stack
+.Fa "STACK_OF(X509_NAME) *stack"
+.Fa "const char *file"
+.Fc
+.Ft int
+.Fo SSL_add_dir_cert_subjects_to_stack
+.Fa "STACK_OF(X509_NAME) *stack"
+.Fa "const char *dir"
+.Fc
 .Sh DESCRIPTION
 .Fn SSL_load_client_CA_file
-reads certificates from
+reads PEM formatted certificates from
 .Fa file
-and returns a
+and returns a new
-.Dv STACK_OF Ns
+.Vt STACK_OF(X509_NAME)
-.Pq Vt X509_NAME
 with the subject names found.
-.Pp
+While the name suggests the specific usage as a support function for
-.Fn SSL_load_client_CA_file
-reads a file of PEM formatted certificates and extracts the
-.Vt X509_NAME Ns s
-of the certificates found.
-While the name suggests the specific usage as support function for
 .Xr SSL_CTX_set_client_CA_list 3 ,
 it is not limited to CA certificates.
+.Pp
+.Fn SSL_add_file_cert_subjects_to_stack
+is similar except that the names are added to the existing
+.Fa stack .
+.Pp
+.Fn SSL_add_dir_cert_subjects_to_stack
+calls
+.Fn SSL_add_file_cert_subjects_to_stack
+on every file in the directory
+.Fa dir .
+.Pp
+If a name is already on the stack, all these functions skip it and
+do not add it again.
 .Sh RETURN VALUES
-The following return values can occur:
+.Fn SSL_load_client_CA_file
-.Bl -tag -width Ds
+returns a pointer to the new
-.It Dv NULL
+.Vt STACK_OF(X509_NAME)
-The operation failed, check out the error stack for the reason.
+or
-.It Pointer to Dv STACK_OF Ns Po Vt X509_NAME Pc
+.Dv NULL on failure.
-Pointer to the subject names of the successfully read certificates.
+.Pp
-.El
+.Fn SSL_add_file_cert_subjects_to_stack
+and
+.Fn SSL_add_dir_cert_subjects_to_stack
+return 1 for success or 0 for failure.
+.Pp
+All these functions treat empty files and directories as failures.
+.Pp
+In some cases of failure, the reason can be determined with
+.Xr ERR_get_error 3 .
 .Sh EXAMPLES
-Load names of CAs from file and use it as a client CA list:
+Load names of CAs from a file and use it as a client CA list:
 .Bd -literal
 SSL_CTX *ctx;
 STACK_OF(X509_NAME) *cert_names;
@@ -96,5 +140,39 @@ else
 \&...
 .Ed
 .Sh SEE ALSO
-.Xr ssl 3 ,
+.Xr PEM_read_bio_X509 3 ,
-.Xr SSL_CTX_set_client_CA_list 3
+.Xr SSL_CTX_set_client_CA_list 3 ,
+.Xr X509_get_subject_name 3
+.Sh HISTORY
+.Fn SSL_add_file_cert_subjects_to_stack
+and
+.Fn SSL_add_dir_cert_subjects_to_stack
+first appeared in OpenSSL 0.9.2b.
+.Sh AUTHORS
+.Fn SSL_add_file_cert_subjects_to_stack
+and
+.Fn SSL_add_dir_cert_subjects_to_stack
+were written by
+.An Ben Laurie Aq Mt ben@openssl.org
+in 1999.
+.Sh BUGS
+In some cases of failure, for example for empty files and directories,
+these functions fail to report an error, in the sense that
+.Xr ERR_get_error 3
+does not work.
+.Pp
+Even in case of failure, for example when parsing one of the
+files or certificates fails,
+.Fn SSL_add_file_cert_subjects_to_stack
+and
+.Fn SSL_add_dir_cert_subjects_to_stack
+may still have added some certificates to the stack.
+.Pp
+The behaviour of
+.Fn SSL_add_dir_cert_subjects_to_stack
+is non-deterministic.
+If parsing one file fails, parsing of the whole directory is aborted.
+Files in the directory are not parsed in any specific order.
+For example, adding an empty file to
+.Fa dir
+may or may not cause some of the other files to be ignored.

diff --git a/src/lib/libssl/man/SSL_load_client_CA_file.3 b/src/lib/libssl/man/SSL_load_client_CA_file.3 index ba08dff77f..4eab59ff6e 100644 --- a/src/lib/libssl/man/SSL_load_client_CA_file.3 +++ b/src/lib/libssl/man/SSL_load_client_CA_file.3
@@ -1,7 +1,24 @@
1	.\" $OpenBSD: SSL_load_client_CA_file.3,v 1.2 2016/12/04 12:20:54 schwarze Exp $	1	.\" $OpenBSD: SSL_load_client_CA_file.3,v 1.3 2016/12/07 14:38:43 schwarze Exp $
2	.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100	2	.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
3	.\"	3	.\"
4	.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.	4	.\" This file is a derived work.
		5	.\" The changes are covered by the following Copyright and license:
		6	.\"
		7	.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
		8	.\"
		9	.\" Permission to use, copy, modify, and distribute this software for any
		10	.\" purpose with or without fee is hereby granted, provided that the above
		11	.\" copyright notice and this permission notice appear in all copies.
		12	.\"
		13	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		14	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		15	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		16	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		17	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		18	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		19	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		20	.\"
		21	.\" The original file was written by Lutz Jaenicke <jaenicke@openssl.org>.
5	.\" Copyright (c) 2000 The OpenSSL Project. All rights reserved.	22	.\" Copyright (c) 2000 The OpenSSL Project. All rights reserved.
6	.\"	23	.\"
7	.\" Redistribution and use in source and binary forms, with or without	24	.\" Redistribution and use in source and binary forms, with or without
@@ -48,42 +65,69 @@
48	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	65	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	66	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
50	.\"	67	.\"
51	.Dd $Mdocdate: December 4 2016 $	68	.Dd $Mdocdate: December 7 2016 $
52	.Dt SSL_LOAD_CLIENT_CA_FILE 3	69	.Dt SSL_LOAD_CLIENT_CA_FILE 3
53	.Os	70	.Os
54	.Sh NAME	71	.Sh NAME
55	.Nm SSL_load_client_CA_file	72	.Nm SSL_load_client_CA_file ,
56	.Nd load certificate names from file	73	.Nm SSL_add_file_cert_subjects_to_stack ,
		74	.Nm SSL_add_dir_cert_subjects_to_stack
		75	.Nd load certificate names from files
57	.Sh SYNOPSIS	76	.Sh SYNOPSIS
58	.In openssl/ssl.h	77	.In openssl/ssl.h
59	.Ft STACK_OF(X509_NAME) *	78	.Ft STACK_OF(X509_NAME) *
60	.Fn SSL_load_client_CA_file "const char *file"	79	.Fn SSL_load_client_CA_file "const char *file"
		80	.Ft int
		81	.Fo SSL_add_file_cert_subjects_to_stack
		82	.Fa "STACK_OF(X509_NAME) *stack"
		83	.Fa "const char *file"
		84	.Fc
		85	.Ft int
		86	.Fo SSL_add_dir_cert_subjects_to_stack
		87	.Fa "STACK_OF(X509_NAME) *stack"
		88	.Fa "const char *dir"
		89	.Fc
61	.Sh DESCRIPTION	90	.Sh DESCRIPTION
62	.Fn SSL_load_client_CA_file	91	.Fn SSL_load_client_CA_file
63	reads certificates from	92	reads PEM formatted certificates from
64	.Fa file	93	.Fa file
65	and returns a	94	and returns a new
66	.Dv STACK_OF Ns	95	.Vt STACK_OF(X509_NAME)
67	.Pq Vt X509_NAME
68	with the subject names found.	96	with the subject names found.
69	.Pp	97	While the name suggests the specific usage as a support function for
70	.Fn SSL_load_client_CA_file
71	reads a file of PEM formatted certificates and extracts the
72	.Vt X509_NAME Ns s
73	of the certificates found.
74	While the name suggests the specific usage as support function for
75	.Xr SSL_CTX_set_client_CA_list 3 ,	98	.Xr SSL_CTX_set_client_CA_list 3 ,
76	it is not limited to CA certificates.	99	it is not limited to CA certificates.
		100	.Pp
		101	.Fn SSL_add_file_cert_subjects_to_stack
		102	is similar except that the names are added to the existing
		103	.Fa stack .
		104	.Pp
		105	.Fn SSL_add_dir_cert_subjects_to_stack
		106	calls
		107	.Fn SSL_add_file_cert_subjects_to_stack
		108	on every file in the directory
		109	.Fa dir .
		110	.Pp
		111	If a name is already on the stack, all these functions skip it and
		112	do not add it again.
77	.Sh RETURN VALUES	113	.Sh RETURN VALUES
78	The following return values can occur:	114	.Fn SSL_load_client_CA_file
79	.Bl -tag -width Ds	115	returns a pointer to the new
80	.It Dv NULL	116	.Vt STACK_OF(X509_NAME)
81	The operation failed, check out the error stack for the reason.	117	or
82	.It Pointer to Dv STACK_OF Ns Po Vt X509_NAME Pc	118	.Dv NULL on failure.
83	Pointer to the subject names of the successfully read certificates.	119	.Pp
84	.El	120	.Fn SSL_add_file_cert_subjects_to_stack
		121	and
		122	.Fn SSL_add_dir_cert_subjects_to_stack
		123	return 1 for success or 0 for failure.
		124	.Pp
		125	All these functions treat empty files and directories as failures.
		126	.Pp
		127	In some cases of failure, the reason can be determined with
		128	.Xr ERR_get_error 3 .
85	.Sh EXAMPLES	129	.Sh EXAMPLES
86	Load names of CAs from file and use it as a client CA list:	130	Load names of CAs from a file and use it as a client CA list:
87	.Bd -literal	131	.Bd -literal
88	SSL_CTX *ctx;	132	SSL_CTX *ctx;
89	STACK_OF(X509_NAME) *cert_names;	133	STACK_OF(X509_NAME) *cert_names;
@@ -96,5 +140,39 @@ else
96	\&...	140	\&...
97	.Ed	141	.Ed
98	.Sh SEE ALSO	142	.Sh SEE ALSO
99	.Xr ssl 3 ,	143	.Xr PEM_read_bio_X509 3 ,
100	.Xr SSL_CTX_set_client_CA_list 3	144	.Xr SSL_CTX_set_client_CA_list 3 ,
		145	.Xr X509_get_subject_name 3
		146	.Sh HISTORY
		147	.Fn SSL_add_file_cert_subjects_to_stack
		148	and
		149	.Fn SSL_add_dir_cert_subjects_to_stack
		150	first appeared in OpenSSL 0.9.2b.
		151	.Sh AUTHORS
		152	.Fn SSL_add_file_cert_subjects_to_stack
		153	and
		154	.Fn SSL_add_dir_cert_subjects_to_stack
		155	were written by
		156	.An Ben Laurie Aq Mt ben@openssl.org
		157	in 1999.
		158	.Sh BUGS
		159	In some cases of failure, for example for empty files and directories,
		160	these functions fail to report an error, in the sense that
		161	.Xr ERR_get_error 3
		162	does not work.
		163	.Pp
		164	Even in case of failure, for example when parsing one of the
		165	files or certificates fails,
		166	.Fn SSL_add_file_cert_subjects_to_stack
		167	and
		168	.Fn SSL_add_dir_cert_subjects_to_stack
		169	may still have added some certificates to the stack.
		170	.Pp
		171	The behaviour of
		172	.Fn SSL_add_dir_cert_subjects_to_stack
		173	is non-deterministic.
		174	If parsing one file fails, parsing of the whole directory is aborted.
		175	Files in the directory are not parsed in any specific order.
		176	For example, adding an empty file to
		177	.Fa dir
		178	may or may not cause some of the other files to be ignored.