1 files changed, 75 insertions, 3 deletions
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
index 1c7797bbfc..a7c8954416 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.3 2022/11/16 14:55:40 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.4 2023/03/16 15:21:44 job Exp $
 .\"
 .\" Copyright (c) 2021, 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 16 2022 $
+.Dd $Mdocdate: March 16 2023 $
 .Dt X509_STORE_CTX_SET_VERIFY 3
 .Os
 .Sh NAME
@@ -23,7 +23,10 @@
 .Nm X509_STORE_CTX_get_verify ,
 .Nm X509_STORE_set_verify ,
 .Nm X509_STORE_set_verify_func ,
-.Nm X509_STORE_get_verify
+.Nm X509_STORE_get_verify ,
+.Nm X509_STORE_set_check_issued ,
+.Nm X509_STORE_get_check_issued ,
+.Nm X509_STORE_CTX_get_check_issued
 .Nd user-defined certificate chain verification function
 .Sh SYNOPSIS
 .In openssl/x509_vfy.h
@@ -54,6 +57,25 @@
 .Fo X509_STORE_get_verify
 .Fa "X509_STORE_CTX *ctx"
 .Fc
+.Ft typedef int
+.Fo "(*X509_STORE_CTX_check_issued_fn)
+.Fa "X509_STORE_CTX *ctx"
+.Fa "X509 *subject"
+.Fa "X509 *issuer"
+.Fc
+.Ft void
+.Fo X509_STORE_set_check_issued
+.Fa "X509_STORE *store"
+.Fa "X509_STORE_CTX_check_issued_fn check_issued"
+.Fc
+.Ft X509_STORE_CTX_check_issued_fn
+.Fo X509_STORE_get_check_issued
+.Fa "X509_STORE *store"
+.Fc
+.Ft X509_STORE_CTX_check_issued_fn
+.Fo X509_STORE_CTX_get_check_issued
+.Fa "X509_STORE_CTX *ctx"
+.Fc
 .Sh DESCRIPTION
 .Fn X509_STORE_CTX_set_verify
 configures
@@ -97,6 +119,27 @@ is later passed as an argument to
 is an alias for
 .Fn X509_STORE_set_verify
 implemented as a macro.
+.Pp
+.Fn X509_STORE_set_check_issued
+saves the function pointer
+.Fa check_issued
+in the given
+.Fa store
+object.
+That pointer will be copied to an
+.Vt X509_STORE_CTX
+object when
+.Fa store
+is later passed as an argument to
+.Fn X509_STORE_CTX_init 3 .
+.Pp
+The
+.Fa check_issued
+function provided by the user should check whether a given certificate
+.Fa subject
+was issued using the CA certificate
+.Fa issuer ,
+and must return 0 on failure and 1 on success.
 .Sh RETURN VALUES
 .Fn X509_STORE_CTX_verify_fn
 is supposed to return 1 to indicate that the chain is valid
@@ -120,6 +163,27 @@ or
 .Dv NULL
 if that function was not called on the
 .Fa store .
+.Pp
+.Fn X509_STORE_get_check_issued
+returns the function pointer previously set with
+.Fn X509_STORE_set_check_issued ,
+or
+.Dv NULL
+if that function was not called on the
+.Fa store .
+.Pp
+.Fn X509_STORE_CTX_get_check_issued
+returns the
+.Fn check_issued
+function set on the
+.Vt X509_STORE_CTX .
+This is either the
+.Fn check_issued
+function inherited from the
+.Fa store
+used in
+.Xr X509_STORE_CTX_init 3
+or the library's default implementation.
 .Sh SEE ALSO
 .Xr X509_STORE_CTX_init 3 ,
 .Xr X509_STORE_CTX_set_error 3 ,
@@ -130,6 +194,7 @@ if that function was not called on the
 .Xr X509_STORE_set_verify_cb 3 ,
 .Xr X509_verify_cert 3 ,
 .Xr X509_VERIFY_PARAM_set_flags 3
+.Xr X509_check_issued 3
 .Sh HISTORY
 .Fn X509_STORE_set_verify_func
 first appeared in SSLeay 0.8.0 and has been available since
@@ -147,3 +212,10 @@ and
 .Fn X509_STORE_get_verify
 first appeared in OpenSSL 1.1.0 and have been available since
 .Ox 7.2 .
+.Pp
+.Fn X509_STORE_set_check_issued ,
+.Fn X509_STORE_get_check_issued ,
+and
+.Fn X509_STORE_CTX_get_check_issued
+first appeared in OpenSSL 1.1.0 and have been available since
+.Ox 7.3 .

diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 index 1c7797bbfc..a7c8954416 100644 --- a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 +++ b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.3 2022/11/16 14:55:40 schwarze Exp $	1	.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.4 2023/03/16 15:21:44 job Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2021, 2022 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2021, 2022 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	4	.\"
@@ -14,7 +14,7 @@
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"	16	.\"
17	.Dd $Mdocdate: November 16 2022 $	17	.Dd $Mdocdate: March 16 2023 $
18	.Dt X509_STORE_CTX_SET_VERIFY 3	18	.Dt X509_STORE_CTX_SET_VERIFY 3
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
@@ -23,7 +23,10 @@
23	.Nm X509_STORE_CTX_get_verify ,	23	.Nm X509_STORE_CTX_get_verify ,
24	.Nm X509_STORE_set_verify ,	24	.Nm X509_STORE_set_verify ,
25	.Nm X509_STORE_set_verify_func ,	25	.Nm X509_STORE_set_verify_func ,
26	.Nm X509_STORE_get_verify	26	.Nm X509_STORE_get_verify ,
		27	.Nm X509_STORE_set_check_issued ,
		28	.Nm X509_STORE_get_check_issued ,
		29	.Nm X509_STORE_CTX_get_check_issued
27	.Nd user-defined certificate chain verification function	30	.Nd user-defined certificate chain verification function
28	.Sh SYNOPSIS	31	.Sh SYNOPSIS
29	.In openssl/x509_vfy.h	32	.In openssl/x509_vfy.h
@@ -54,6 +57,25 @@
54	.Fo X509_STORE_get_verify	57	.Fo X509_STORE_get_verify
55	.Fa "X509_STORE_CTX *ctx"	58	.Fa "X509_STORE_CTX *ctx"
56	.Fc	59	.Fc
		60	.Ft typedef int
		61	.Fo "(*X509_STORE_CTX_check_issued_fn)
		62	.Fa "X509_STORE_CTX *ctx"
		63	.Fa "X509 *subject"
		64	.Fa "X509 *issuer"
		65	.Fc
		66	.Ft void
		67	.Fo X509_STORE_set_check_issued
		68	.Fa "X509_STORE *store"
		69	.Fa "X509_STORE_CTX_check_issued_fn check_issued"
		70	.Fc
		71	.Ft X509_STORE_CTX_check_issued_fn
		72	.Fo X509_STORE_get_check_issued
		73	.Fa "X509_STORE *store"
		74	.Fc
		75	.Ft X509_STORE_CTX_check_issued_fn
		76	.Fo X509_STORE_CTX_get_check_issued
		77	.Fa "X509_STORE_CTX *ctx"
		78	.Fc
57	.Sh DESCRIPTION	79	.Sh DESCRIPTION
58	.Fn X509_STORE_CTX_set_verify	80	.Fn X509_STORE_CTX_set_verify
59	configures	81	configures
@@ -97,6 +119,27 @@ is later passed as an argument to
97	is an alias for	119	is an alias for
98	.Fn X509_STORE_set_verify	120	.Fn X509_STORE_set_verify
99	implemented as a macro.	121	implemented as a macro.
		122	.Pp
		123	.Fn X509_STORE_set_check_issued
		124	saves the function pointer
		125	.Fa check_issued
		126	in the given
		127	.Fa store
		128	object.
		129	That pointer will be copied to an
		130	.Vt X509_STORE_CTX
		131	object when
		132	.Fa store
		133	is later passed as an argument to
		134	.Fn X509_STORE_CTX_init 3 .
		135	.Pp
		136	The
		137	.Fa check_issued
		138	function provided by the user should check whether a given certificate
		139	.Fa subject
		140	was issued using the CA certificate
		141	.Fa issuer ,
		142	and must return 0 on failure and 1 on success.
100	.Sh RETURN VALUES	143	.Sh RETURN VALUES
101	.Fn X509_STORE_CTX_verify_fn	144	.Fn X509_STORE_CTX_verify_fn
102	is supposed to return 1 to indicate that the chain is valid	145	is supposed to return 1 to indicate that the chain is valid
@@ -120,6 +163,27 @@ or
120	.Dv NULL	163	.Dv NULL
121	if that function was not called on the	164	if that function was not called on the
122	.Fa store .	165	.Fa store .
		166	.Pp
		167	.Fn X509_STORE_get_check_issued
		168	returns the function pointer previously set with
		169	.Fn X509_STORE_set_check_issued ,
		170	or
		171	.Dv NULL
		172	if that function was not called on the
		173	.Fa store .
		174	.Pp
		175	.Fn X509_STORE_CTX_get_check_issued
		176	returns the
		177	.Fn check_issued
		178	function set on the
		179	.Vt X509_STORE_CTX .
		180	This is either the
		181	.Fn check_issued
		182	function inherited from the
		183	.Fa store
		184	used in
		185	.Xr X509_STORE_CTX_init 3
		186	or the library's default implementation.
123	.Sh SEE ALSO	187	.Sh SEE ALSO
124	.Xr X509_STORE_CTX_init 3 ,	188	.Xr X509_STORE_CTX_init 3 ,
125	.Xr X509_STORE_CTX_set_error 3 ,	189	.Xr X509_STORE_CTX_set_error 3 ,
@@ -130,6 +194,7 @@ if that function was not called on the
130	.Xr X509_STORE_set_verify_cb 3 ,	194	.Xr X509_STORE_set_verify_cb 3 ,
131	.Xr X509_verify_cert 3 ,	195	.Xr X509_verify_cert 3 ,
132	.Xr X509_VERIFY_PARAM_set_flags 3	196	.Xr X509_VERIFY_PARAM_set_flags 3
		197	.Xr X509_check_issued 3
133	.Sh HISTORY	198	.Sh HISTORY
134	.Fn X509_STORE_set_verify_func	199	.Fn X509_STORE_set_verify_func
135	first appeared in SSLeay 0.8.0 and has been available since	200	first appeared in SSLeay 0.8.0 and has been available since
@@ -147,3 +212,10 @@ and
147	.Fn X509_STORE_get_verify	212	.Fn X509_STORE_get_verify
148	first appeared in OpenSSL 1.1.0 and have been available since	213	first appeared in OpenSSL 1.1.0 and have been available since
149	.Ox 7.2 .	214	.Ox 7.2 .
		215	.Pp
		216	.Fn X509_STORE_set_check_issued ,
		217	.Fn X509_STORE_get_check_issued ,
		218	and
		219	.Fn X509_STORE_CTX_get_check_issued
		220	first appeared in OpenSSL 1.1.0 and have been available since
		221	.Ox 7.3 .