1 files changed, 0 insertions, 460 deletions
diff --git a/src/lib/libcrypto/man/X509_LOOKUP_new.3 b/src/lib/libcrypto/man/X509_LOOKUP_new.3
deleted file mode 100644
index 559dbbb594..0000000000
--- a/src/lib/libcrypto/man/X509_LOOKUP_new.3
+++ /dev/null
@@ -1,460 +0,0 @@
-.\" $OpenBSD: X509_LOOKUP_new.3,v 1.12 2024/09/06 07:48:20 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 6 2024 $
-.Dt X509_LOOKUP_NEW 3
-.Os
-.Sh NAME
-.Nm X509_LOOKUP_free ,
-.Nm X509_LOOKUP_ctrl ,
-.Nm X509_LOOKUP_add_dir ,
-.Nm X509_LOOKUP_load_file ,
-.Nm X509_LOOKUP_add_mem ,
-.Nm X509_get_default_cert_dir ,
-.Nm X509_get_default_cert_file ,
-.Nm X509_get_default_cert_dir_env ,
-.Nm X509_get_default_cert_file_env
-.\" X509_get_default_private_dir is intentionally undocumented
-.\" because it appears to be unused by any real-world software
-.\" and because it doesn't do much in the first place.
-.Nd certificate lookup object
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft void
-.Fn X509_LOOKUP_free "X509_LOOKUP *lookup"
-.Ft int
-.Fo X509_LOOKUP_ctrl
-.Fa "X509_LOOKUP *lookup"
-.Fa "int command"
-.Fa "const char *source"
-.Fa "long type"
-.Fa "char **ret"
-.Fc
-.Ft int
-.Fo X509_LOOKUP_add_dir
-.Fa "X509_LOOKUP *lookup"
-.Fa "const char *source"
-.Fa "long type"
-.Fc
-.Ft int
-.Fo X509_LOOKUP_load_file
-.Fa "X509_LOOKUP *lookup"
-.Fa "const char *source"
-.Fa "long type"
-.Fc
-.Ft int
-.Fo X509_LOOKUP_add_mem
-.Fa "X509_LOOKUP *lookup"
-.Fa "const struct iovec *source"
-.Fa "long type"
-.Fc
-.In openssl/x509.h
-.Ft const char *
-.Fn X509_get_default_cert_dir void
-.Ft const char *
-.Fn X509_get_default_cert_file void
-.Ft const char *
-.Fn X509_get_default_cert_dir_env void
-.Ft const char *
-.Fn X509_get_default_cert_file_env void
-.Sh DESCRIPTION
-.Fn X509_LOOKUP_free
-is a deprecated function that
-releases the memory used by
-.Fa lookup .
-It is provided for compatibility only.
-If
-.Fa lookup
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-The operation of
-.Fn X509_LOOKUP_ctrl
-depends on the
-.Vt X509_LOOKUP_METHOD
-used by
-.Fa lookup :
-.Bl -tag -width 4n
-.It Xr X509_LOOKUP_hash_dir 3
-The
-.Fa command
-is required to be
-.Dv X509_L_ADD_DIR
-and the
-.Fa source
-argument is interpreted
-as a colon-separated, NUL-terminated list of directory names.
-These directories are added to an internal list of directories to search
-for certificate files of the given
-.Fa type .
-.Pp
-If
-.Fa type
-is
-.Dv X509_FILETYPE_DEFAULT ,
-the
-.Fa source
-argument is ignored and
-.Pa /etc/ssl/certs
-and a type of
-.Dv X509_FILETYPE_PEM
-are used instead.
-.Pp
-.Fn X509_LOOKUP_add_dir
-is a macro that calls
-.Fn X509_LOOKUP_ctrl
-with a
-.Fa command
-of
-.Dv X509_L_ADD_DIR
-and
-.Fa ret
-set to
-.Dv NULL .
-.Pp
-This lookup method is peculiar in so far as calling
-.Fn X509_LOOKUP_ctrl
-on a lookup object using it does not yet add any certificates to the associated
-.Vt X509_STORE
-object.
-.It Xr X509_LOOKUP_file 3
-The
-.Fa command
-is required to be
-.Dv X509_L_FILE_LOAD
-and the
-.Fa source
-argument is interpreted as a NUL-terminated file name.
-If the
-.Fa type
-is
-.Dv X509_FILETYPE_PEM ,
-the file is read with
-.Xr BIO_new_file 3
-and
-.Xr PEM_X509_INFO_read_bio 3
-and the certificates and revocation lists found are added to the
-.Vt X509_STORE
-object associated with
-.Fa lookup
-using
-.Xr X509_STORE_add_cert 3
-and
-.Xr X509_STORE_add_crl 3 .
-If
-.Fa type
-is
-.Dv X509_FILETYPE_DEFAULT ,
-the
-.Fa source
-argument is ignored and
-.Pa /etc/ssl/certs.pem
-and a type of
-.Dv X509_FILETYPE_PEM
-are used instead.
-If
-.Fa type
-is
-.Dv X509_FILETYPE_ASN1 ,
-the file is read with
-.Xr d2i_X509_bio 3
-and the single certificate is added to the
-.Vt X509_STORE
-object associated with
-.Fa lookup
-using
-.Xr X509_STORE_add_cert 3 .
-.Pp
-.Fn X509_LOOKUP_load_file
-is a macro calling
-.Fn X509_LOOKUP_ctrl
-with a
-.Fa command
-of
-.Dv X509_L_FILE_LOAD
-and
-.Fa ret
-set to
-.Dv NULL .
-.It Xr X509_LOOKUP_mem 3
-The
-.Fa command
-and
-.Fa type
-are required to be
-.Dv X509_L_MEM
-and
-.Dv X509_FILETYPE_PEM ,
-respectively.
-The
-.Fa source
-argument is interpreted as a pointer to an
-.Vt iovec
-structure defined in
-.In sys/uio.h .
-The memory area described by that structure is read with
-.Xr BIO_new_mem_buf 3
-and
-.Xr PEM_X509_INFO_read_bio 3
-and the certificates and revocation lists found are added to the
-.Vt X509_STORE
-object associated with
-.Fa lookup
-using
-.Xr X509_STORE_add_cert 3
-and
-.Xr X509_STORE_add_crl 3 .
-.Pp
-.Fn X509_LOOKUP_add_mem
-is a macro calling
-.Fn X509_LOOKUP_ctrl
-with a command of
-.Dv X509_L_MEM
-and
-.Fa ret
-set to
-.Dv NULL .
-.El
-.Pp
-With LibreSSL,
-.Fn X509_LOOKUP_ctrl
-always ignores the
-.Fa ret
-argument.
-.Pp
-If the
-.Fa type
-is
-.Dv X509_LU_X509 ,
-it searches the configured directories for files having that name,
-with a file name extension that is a small, non-negative decimal integer
-starting at
-.Qq ".0" .
-These files are read with
-.Xr X509_load_cert_file 3 .
-In each directory, the search is ended once a file with the expected name
-and extension does not exists.
-.Pp
-If the
-.Fa type
-is
-.Dv X509_LU_CRL ,
-the file name extensions are expected to have a prefix of
-.Qq "r" ,
-i.e. they start with
-.Qq ".r0" ,
-and the files are read with
-.Xr X509_load_crl_file 3 .
-.Pp
-In case of success, the first match is returned in the
-.Pf * Fa object
-provided by the caller, overwriting any previous content.
-.Sh RETURN VALUES
-.Fn X509_LOOKUP_ctrl
-returns 1 for success or 0 for failure.
-With library implementations other than LibreSSL,
-it might also return \-1 for internal errors.
-.Pp
-.Fn X509_get_default_cert_dir
-returns a pointer to the constant string
-.Qq /etc/ssl/certs ,
-.Fn X509_get_default_cert_file
-to
-.Qq /etc/ssl/certs.pem ,
-.Fn X509_get_default_cert_dir_env
-to
-.Qq SSL_CERT_DIR ,
-and
-.Fn X509_get_default_cert_file_env
-to
-.Qq SSL_CERT_FILE .
-.Sh ENVIRONMENT
-For reasons of security and simplicity,
-LibreSSL ignores the environment variables
-.Ev SSL_CERT_DIR
-and
-.Ev SSL_CERT_FILE ,
-but other library implementations may use their contents instead
-of the standard locations for trusted certificates, and a few
-third-party application programs also inspect these variables
-directly and may pass their values to
-.Fn X509_LOOKUP_add_dir
-and
-.Fn X509_LOOKUP_load_file .
-.Sh FILES
-.Bl -tag -width /etc/ssl/certs.pem -compact
-.It Pa /etc/ssl/certs/
-default directory for storing trusted certificates
-.It Pa /etc/ssl/certs.pem
-default file for storing trusted certificates
-.El
-.Sh ERRORS
-The following diagnostics can be retrieved with
-.Xr ERR_get_error 3 ,
-.Xr ERR_GET_REASON 3 ,
-and
-.Xr ERR_reason_error_string 3 :
-.Bl -tag -width Ds
-.It Dv ERR_R_ASN1_LIB Qq "ASN1 lib"
-.Xr d2i_X509_bio 3
-failed in
-.Fn X509_LOOKUP_ctrl .
-.It Dv X509_R_BAD_X509_FILETYPE Qq "bad x509 filetype"
-.Fn X509_LOOKUP_ctrl
-was called with an invalid
-.Fa type .
-.It Dv ERR_R_BUF_LIB Qq "BUF lib"
-Memory allocation failed.
-.It Dv X509_R_INVALID_DIRECTORY Qq "invalid directory"
-The
-.Fa source
-argument of
-.Fn X509_LOOKUP_ctrl
-with
-.Dv X509_L_ADD_DIR
-or
-.Fn X509_LOOKUP_add_dir
-was
-.Dv NULL
-or an empty string.
-.It Dv X509_R_LOADING_CERT_DIR Qq "loading cert dir"
-.Fn X509_LOOKUP_ctrl
-with
-.Dv X509_L_ADD_DIR
-or
-.Fn X509_LOOKUP_add_dir
-was called with
-.Dv X509_FILETYPE_DEFAULT
-and adding the default directories failed.
-This error is added after and in addition to a more specific diagnostic.
-.It Dv X509_R_LOADING_DEFAULTS Qq "loading defaults"
-.Fn X509_LOOKUP_ctrl
-with
-.Dv X509_L_FILE_LOAD
-or
-.Fn X509_LOOKUP_load_file
-was called with
-.Dv X509_FILETYPE_DEFAULT
-and adding the certificates and revocation lists failed.
-This error is added after and in addition to a more specific diagnostic.
-.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
-Memory allocation failed.
-.It Dv ERR_R_PEM_LIB Qq "PEM lib"
-.Xr PEM_X509_INFO_read_bio 3 ,
-.Xr PEM_read_bio_X509_AUX 3 ,
-or
-.Xr PEM_read_bio_X509_CRL 3
-failed in
-.Fn X509_LOOKUP_ctrl .
-.It Dv ERR_R_SYS_LIB Qq "system lib"
-.Xr BIO_new 3 ,
-.Xr BIO_new_file 3 ,
-or
-.Xr BIO_read_filename 3
-failed in
-.Fn X509_LOOKUP_ctrl .
-.It Dv X509_R_WRONG_LOOKUP_TYPE Qq "wrong lookup type"
-.Xr X509_STORE_CTX_get_by_subject 3
-was called with an invalid
-.Fa type .
-.El
-.Pp
-Passing an invalid
-.Fa command
-to
-.Fn X509_LOOKUP_ctrl
-causes failure but provides no diagnostics.
-.Sh SEE ALSO
-.Xr d2i_X509_bio 3 ,
-.Xr PEM_read_bio_X509_AUX 3 ,
-.Xr PEM_X509_INFO_read_bio 3 ,
-.Xr X509_load_cert_file 3 ,
-.Xr X509_LOOKUP_hash_dir 3 ,
-.Xr X509_NAME_hash 3 ,
-.Xr X509_NAME_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_OBJECT_get_type 3 ,
-.Xr X509_STORE_add_cert 3 ,
-.Xr X509_STORE_get_by_subject 3
-.Sh HISTORY
-.Fn X509_get_default_cert_dir ,
-.Fn X509_get_default_cert_file ,
-.Fn X509_get_default_cert_dir_env ,
-and
-.Fn X509_get_default_cert_file_env
-first appeared in SSLeay 0.4.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_LOOKUP_add_mem
-first appeared in
-.Ox 5.7 .
-.Pp
-The other functions first appeared in SSLeay 0.8.0
-and have been available since
-.Ox 2.4 .
-.Sh BUGS
-If the
-.Fa type
-is
-.Dv X509_FILETYPE_DEFAULT
-or
-.Dv X509_FILETYPE_PEM ,
-.Fn X509_LOOKUP_ctrl
-with
-.Dv X509_L_FILE_LOAD
-and
-.Fn X509_LOOKUP_load_file
-silently ignore failure of
-.Xr X509_STORE_add_cert 3
-and
-.Xr X509_STORE_add_crl 3
-and indicate success anyway.
-.Pp
-Handling of a
-.Dv NULL
-.Fa source
-is inconsistent for
-.Fn X509_LOOKUP_ctrl
-with
-.Dv X509_L_FILE_LOAD
-and for
-.Fn X509_LOOKUP_load_file .
-With
-.Dv X509_FILETYPE_PEM ,
-it causes failure, but with
-.Dv X509_FILETYPE_ASN1 ,
-no action occurs and success is indicated.
-.Pp
-When called on a
-.Fa lookup
-object using
-.Xr X509_LOOKUP_mem 3 ,
-.Fn X509_LOOKUP_ctrl
-raises
-.Dv ERR_R_PEM_LIB
-when called with an invalid
-.Fa command
-or
-.Fa type ,
-when
-.Xr BIO_new_mem_buf 3
-fails, when
-.Fa source
-contains zero objects, or when
-.Xr X509_STORE_add_cert 3
-fails on the first object encountered, which is all inconsistent
-with the behaviour of the other lookup methods.

diff --git a/src/lib/libcrypto/man/X509_LOOKUP_new.3 b/src/lib/libcrypto/man/X509_LOOKUP_new.3 deleted file mode 100644 index 559dbbb594..0000000000 --- a/src/lib/libcrypto/man/X509_LOOKUP_new.3 +++ /dev/null
@@ -1,460 +0,0 @@
1	.\" $OpenBSD: X509_LOOKUP_new.3,v 1.12 2024/09/06 07:48:20 tb Exp $
2	.\"
3	.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
4	.\"
5	.\" Permission to use, copy, modify, and distribute this software for any
6	.\" purpose with or without fee is hereby granted, provided that the above
7	.\" copyright notice and this permission notice appear in all copies.
8	.\"
9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"
17	.Dd $Mdocdate: September 6 2024 $
18	.Dt X509_LOOKUP_NEW 3
19	.Os
20	.Sh NAME
21	.Nm X509_LOOKUP_free ,
22	.Nm X509_LOOKUP_ctrl ,
23	.Nm X509_LOOKUP_add_dir ,
24	.Nm X509_LOOKUP_load_file ,
25	.Nm X509_LOOKUP_add_mem ,
26	.Nm X509_get_default_cert_dir ,
27	.Nm X509_get_default_cert_file ,
28	.Nm X509_get_default_cert_dir_env ,
29	.Nm X509_get_default_cert_file_env
30	.\" X509_get_default_private_dir is intentionally undocumented
31	.\" because it appears to be unused by any real-world software
32	.\" and because it doesn't do much in the first place.
33	.Nd certificate lookup object
34	.Sh SYNOPSIS
35	.In openssl/x509_vfy.h
36	.Ft void
37	.Fn X509_LOOKUP_free "X509_LOOKUP *lookup"
38	.Ft int
39	.Fo X509_LOOKUP_ctrl
40	.Fa "X509_LOOKUP *lookup"
41	.Fa "int command"
42	.Fa "const char *source"
43	.Fa "long type"
44	.Fa "char **ret"
45	.Fc
46	.Ft int
47	.Fo X509_LOOKUP_add_dir
48	.Fa "X509_LOOKUP *lookup"
49	.Fa "const char *source"
50	.Fa "long type"
51	.Fc
52	.Ft int
53	.Fo X509_LOOKUP_load_file
54	.Fa "X509_LOOKUP *lookup"
55	.Fa "const char *source"
56	.Fa "long type"
57	.Fc
58	.Ft int
59	.Fo X509_LOOKUP_add_mem
60	.Fa "X509_LOOKUP *lookup"
61	.Fa "const struct iovec *source"
62	.Fa "long type"
63	.Fc
64	.In openssl/x509.h
65	.Ft const char *
66	.Fn X509_get_default_cert_dir void
67	.Ft const char *
68	.Fn X509_get_default_cert_file void
69	.Ft const char *
70	.Fn X509_get_default_cert_dir_env void
71	.Ft const char *
72	.Fn X509_get_default_cert_file_env void
73	.Sh DESCRIPTION
74	.Fn X509_LOOKUP_free
75	is a deprecated function that
76	releases the memory used by
77	.Fa lookup .
78	It is provided for compatibility only.
79	If
80	.Fa lookup
81	is a
82	.Dv NULL
83	pointer, no action occurs.
84	.Pp
85	The operation of
86	.Fn X509_LOOKUP_ctrl
87	depends on the
88	.Vt X509_LOOKUP_METHOD
89	used by
90	.Fa lookup :
91	.Bl -tag -width 4n
92	.It Xr X509_LOOKUP_hash_dir 3
93	The
94	.Fa command
95	is required to be
96	.Dv X509_L_ADD_DIR
97	and the
98	.Fa source
99	argument is interpreted
100	as a colon-separated, NUL-terminated list of directory names.
101	These directories are added to an internal list of directories to search
102	for certificate files of the given
103	.Fa type .
104	.Pp
105	If
106	.Fa type
107	is
108	.Dv X509_FILETYPE_DEFAULT ,
109	the
110	.Fa source
111	argument is ignored and
112	.Pa /etc/ssl/certs
113	and a type of
114	.Dv X509_FILETYPE_PEM
115	are used instead.
116	.Pp
117	.Fn X509_LOOKUP_add_dir
118	is a macro that calls
119	.Fn X509_LOOKUP_ctrl
120	with a
121	.Fa command
122	of
123	.Dv X509_L_ADD_DIR
124	and
125	.Fa ret
126	set to
127	.Dv NULL .
128	.Pp
129	This lookup method is peculiar in so far as calling
130	.Fn X509_LOOKUP_ctrl
131	on a lookup object using it does not yet add any certificates to the associated
132	.Vt X509_STORE
133	object.
134	.It Xr X509_LOOKUP_file 3
135	The
136	.Fa command
137	is required to be
138	.Dv X509_L_FILE_LOAD
139	and the
140	.Fa source
141	argument is interpreted as a NUL-terminated file name.
142	If the
143	.Fa type
144	is
145	.Dv X509_FILETYPE_PEM ,
146	the file is read with
147	.Xr BIO_new_file 3
148	and
149	.Xr PEM_X509_INFO_read_bio 3
150	and the certificates and revocation lists found are added to the
151	.Vt X509_STORE
152	object associated with
153	.Fa lookup
154	using
155	.Xr X509_STORE_add_cert 3
156	and
157	.Xr X509_STORE_add_crl 3 .
158	If
159	.Fa type
160	is
161	.Dv X509_FILETYPE_DEFAULT ,
162	the
163	.Fa source
164	argument is ignored and
165	.Pa /etc/ssl/certs.pem
166	and a type of
167	.Dv X509_FILETYPE_PEM
168	are used instead.
169	If
170	.Fa type
171	is
172	.Dv X509_FILETYPE_ASN1 ,
173	the file is read with
174	.Xr d2i_X509_bio 3
175	and the single certificate is added to the
176	.Vt X509_STORE
177	object associated with
178	.Fa lookup
179	using
180	.Xr X509_STORE_add_cert 3 .
181	.Pp
182	.Fn X509_LOOKUP_load_file
183	is a macro calling
184	.Fn X509_LOOKUP_ctrl
185	with a
186	.Fa command
187	of
188	.Dv X509_L_FILE_LOAD
189	and
190	.Fa ret
191	set to
192	.Dv NULL .
193	.It Xr X509_LOOKUP_mem 3
194	The
195	.Fa command
196	and
197	.Fa type
198	are required to be
199	.Dv X509_L_MEM
200	and
201	.Dv X509_FILETYPE_PEM ,
202	respectively.
203	The
204	.Fa source
205	argument is interpreted as a pointer to an
206	.Vt iovec
207	structure defined in
208	.In sys/uio.h .
209	The memory area described by that structure is read with
210	.Xr BIO_new_mem_buf 3
211	and
212	.Xr PEM_X509_INFO_read_bio 3
213	and the certificates and revocation lists found are added to the
214	.Vt X509_STORE
215	object associated with
216	.Fa lookup
217	using
218	.Xr X509_STORE_add_cert 3
219	and
220	.Xr X509_STORE_add_crl 3 .
221	.Pp
222	.Fn X509_LOOKUP_add_mem
223	is a macro calling
224	.Fn X509_LOOKUP_ctrl
225	with a command of
226	.Dv X509_L_MEM
227	and
228	.Fa ret
229	set to
230	.Dv NULL .
231	.El
232	.Pp
233	With LibreSSL,
234	.Fn X509_LOOKUP_ctrl
235	always ignores the
236	.Fa ret
237	argument.
238	.Pp
239	If the
240	.Fa type
241	is
242	.Dv X509_LU_X509 ,
243	it searches the configured directories for files having that name,
244	with a file name extension that is a small, non-negative decimal integer
245	starting at
246	.Qq ".0" .
247	These files are read with
248	.Xr X509_load_cert_file 3 .
249	In each directory, the search is ended once a file with the expected name
250	and extension does not exists.
251	.Pp
252	If the
253	.Fa type
254	is
255	.Dv X509_LU_CRL ,
256	the file name extensions are expected to have a prefix of
257	.Qq "r" ,
258	i.e. they start with
259	.Qq ".r0" ,
260	and the files are read with
261	.Xr X509_load_crl_file 3 .
262	.Pp
263	In case of success, the first match is returned in the
264	.Pf * Fa object
265	provided by the caller, overwriting any previous content.
266	.Sh RETURN VALUES
267	.Fn X509_LOOKUP_ctrl
268	returns 1 for success or 0 for failure.
269	With library implementations other than LibreSSL,
270	it might also return \-1 for internal errors.
271	.Pp
272	.Fn X509_get_default_cert_dir
273	returns a pointer to the constant string
274	.Qq /etc/ssl/certs ,
275	.Fn X509_get_default_cert_file
276	to
277	.Qq /etc/ssl/certs.pem ,
278	.Fn X509_get_default_cert_dir_env
279	to
280	.Qq SSL_CERT_DIR ,
281	and
282	.Fn X509_get_default_cert_file_env
283	to
284	.Qq SSL_CERT_FILE .
285	.Sh ENVIRONMENT
286	For reasons of security and simplicity,
287	LibreSSL ignores the environment variables
288	.Ev SSL_CERT_DIR
289	and
290	.Ev SSL_CERT_FILE ,
291	but other library implementations may use their contents instead
292	of the standard locations for trusted certificates, and a few
293	third-party application programs also inspect these variables
294	directly and may pass their values to
295	.Fn X509_LOOKUP_add_dir
296	and
297	.Fn X509_LOOKUP_load_file .
298	.Sh FILES
299	.Bl -tag -width /etc/ssl/certs.pem -compact
300	.It Pa /etc/ssl/certs/
301	default directory for storing trusted certificates
302	.It Pa /etc/ssl/certs.pem
303	default file for storing trusted certificates
304	.El
305	.Sh ERRORS
306	The following diagnostics can be retrieved with
307	.Xr ERR_get_error 3 ,
308	.Xr ERR_GET_REASON 3 ,
309	and
310	.Xr ERR_reason_error_string 3 :
311	.Bl -tag -width Ds
312	.It Dv ERR_R_ASN1_LIB Qq "ASN1 lib"
313	.Xr d2i_X509_bio 3
314	failed in
315	.Fn X509_LOOKUP_ctrl .
316	.It Dv X509_R_BAD_X509_FILETYPE Qq "bad x509 filetype"
317	.Fn X509_LOOKUP_ctrl
318	was called with an invalid
319	.Fa type .
320	.It Dv ERR_R_BUF_LIB Qq "BUF lib"
321	Memory allocation failed.
322	.It Dv X509_R_INVALID_DIRECTORY Qq "invalid directory"
323	The
324	.Fa source
325	argument of
326	.Fn X509_LOOKUP_ctrl
327	with
328	.Dv X509_L_ADD_DIR
329	or
330	.Fn X509_LOOKUP_add_dir
331	was
332	.Dv NULL
333	or an empty string.
334	.It Dv X509_R_LOADING_CERT_DIR Qq "loading cert dir"
335	.Fn X509_LOOKUP_ctrl
336	with
337	.Dv X509_L_ADD_DIR
338	or
339	.Fn X509_LOOKUP_add_dir
340	was called with
341	.Dv X509_FILETYPE_DEFAULT
342	and adding the default directories failed.
343	This error is added after and in addition to a more specific diagnostic.
344	.It Dv X509_R_LOADING_DEFAULTS Qq "loading defaults"
345	.Fn X509_LOOKUP_ctrl
346	with
347	.Dv X509_L_FILE_LOAD
348	or
349	.Fn X509_LOOKUP_load_file
350	was called with
351	.Dv X509_FILETYPE_DEFAULT
352	and adding the certificates and revocation lists failed.
353	This error is added after and in addition to a more specific diagnostic.
354	.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
355	Memory allocation failed.
356	.It Dv ERR_R_PEM_LIB Qq "PEM lib"
357	.Xr PEM_X509_INFO_read_bio 3 ,
358	.Xr PEM_read_bio_X509_AUX 3 ,
359	or
360	.Xr PEM_read_bio_X509_CRL 3
361	failed in
362	.Fn X509_LOOKUP_ctrl .
363	.It Dv ERR_R_SYS_LIB Qq "system lib"
364	.Xr BIO_new 3 ,
365	.Xr BIO_new_file 3 ,
366	or
367	.Xr BIO_read_filename 3
368	failed in
369	.Fn X509_LOOKUP_ctrl .
370	.It Dv X509_R_WRONG_LOOKUP_TYPE Qq "wrong lookup type"
371	.Xr X509_STORE_CTX_get_by_subject 3
372	was called with an invalid
373	.Fa type .
374	.El
375	.Pp
376	Passing an invalid
377	.Fa command
378	to
379	.Fn X509_LOOKUP_ctrl
380	causes failure but provides no diagnostics.
381	.Sh SEE ALSO
382	.Xr d2i_X509_bio 3 ,
383	.Xr PEM_read_bio_X509_AUX 3 ,
384	.Xr PEM_X509_INFO_read_bio 3 ,
385	.Xr X509_load_cert_file 3 ,
386	.Xr X509_LOOKUP_hash_dir 3 ,
387	.Xr X509_NAME_hash 3 ,
388	.Xr X509_NAME_new 3 ,
389	.Xr X509_new 3 ,
390	.Xr X509_OBJECT_get_type 3 ,
391	.Xr X509_STORE_add_cert 3 ,
392	.Xr X509_STORE_get_by_subject 3
393	.Sh HISTORY
394	.Fn X509_get_default_cert_dir ,
395	.Fn X509_get_default_cert_file ,
396	.Fn X509_get_default_cert_dir_env ,
397	and
398	.Fn X509_get_default_cert_file_env
399	first appeared in SSLeay 0.4.1 and have been available since
400	.Ox 2.4 .
401	.Pp
402	.Fn X509_LOOKUP_add_mem
403	first appeared in
404	.Ox 5.7 .
405	.Pp
406	The other functions first appeared in SSLeay 0.8.0
407	and have been available since
408	.Ox 2.4 .
409	.Sh BUGS
410	If the
411	.Fa type
412	is
413	.Dv X509_FILETYPE_DEFAULT
414	or
415	.Dv X509_FILETYPE_PEM ,
416	.Fn X509_LOOKUP_ctrl
417	with
418	.Dv X509_L_FILE_LOAD
419	and
420	.Fn X509_LOOKUP_load_file
421	silently ignore failure of
422	.Xr X509_STORE_add_cert 3
423	and
424	.Xr X509_STORE_add_crl 3
425	and indicate success anyway.
426	.Pp
427	Handling of a
428	.Dv NULL
429	.Fa source
430	is inconsistent for
431	.Fn X509_LOOKUP_ctrl
432	with
433	.Dv X509_L_FILE_LOAD
434	and for
435	.Fn X509_LOOKUP_load_file .
436	With
437	.Dv X509_FILETYPE_PEM ,
438	it causes failure, but with
439	.Dv X509_FILETYPE_ASN1 ,
440	no action occurs and success is indicated.
441	.Pp
442	When called on a
443	.Fa lookup
444	object using
445	.Xr X509_LOOKUP_mem 3 ,
446	.Fn X509_LOOKUP_ctrl
447	raises
448	.Dv ERR_R_PEM_LIB
449	when called with an invalid
450	.Fa command
451	or
452	.Fa type ,
453	when
454	.Xr BIO_new_mem_buf 3
455	fails, when
456	.Fa source
457	contains zero objects, or when
458	.Xr X509_STORE_add_cert 3
459	fails on the first object encountered, which is all inconsistent
460	with the behaviour of the other lookup methods.