1 files changed, 145 insertions, 3 deletions
diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
index 05a36a4f79..ffde66cde5 100644
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
+++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_new.3,v 1.1 2021/10/18 14:46:37 schwarze Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_new.3,v 1.2 2021/10/18 18:20:39 schwarze Exp $
 .\"
 .\" Copyright (c) 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -19,19 +19,31 @@
 .Os
 .Sh NAME
 .Nm X509_VERIFY_PARAM_new ,
+.Nm X509_VERIFY_PARAM_inherit ,
+.Nm X509_VERIFY_PARAM_set1 ,
 .Nm X509_VERIFY_PARAM_free ,
 .Nm X509_VERIFY_PARAM_add0_table ,
 .Nm X509_VERIFY_PARAM_lookup ,
 .Nm X509_VERIFY_PARAM_get_count ,
 .Nm X509_VERIFY_PARAM_get0 ,
 .Nm X509_VERIFY_PARAM_table_cleanup
-.Nd X509 verification parameter object
+.Nd X509 verification parameter objects
 .Sh SYNOPSIS
 .In openssl/x509_vfy.h
 .Ft X509_VERIFY_PARAM *
 .Fo X509_VERIFY_PARAM_new
 .Fa void
 .Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_inherit
+.Fa "X509_VERIFY_PARAM *destination"
+.Fa "const X509_VERIFY_PARAM *source"
+.Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_set1
+.Fa "X509_VERIFY_PARAM *destination"
+.Fa "const X509_VERIFY_PARAM *source"
+.Fc
 .Ft void
 .Fo X509_VERIFY_PARAM_free
 .Fa "X509_VERIFY_PARAM *param"
@@ -62,6 +74,131 @@ allocates and initializes an empty
 .Vt X509_VERIFY_PARAM
 object.
 .Pp
+.Fn X509_VERIFY_PARAM_inherit
+copies some data from the
+.Fa source
+object to the
+.Fa destination
+object.
+.Pp
+The verification flags set with
+.Xr X509_VERIFY_PARAM_set_flags 3
+in the
+.Fa source
+object are always OR'ed into the verification flags of the
+.Fa destination
+object.
+.Pp
+Fields having their default value in the
+.Fa source
+object are not copied.
+.Pp
+By default, fields in the
+.Fa destination
+object already having a non-default value are not overwritten.
+However, if at least one of the
+.Fa source
+or
+.Fa destination
+objects was created during a call to
+.Xr X509_STORE_CTX_init 3
+that did not have a
+.Fa store
+argument, and if that object was not previously used as the
+.Fa destination
+in an earlier call to
+.Fn X509_VERIFY_PARAM_inherit ,
+this restriction is waived and even non-default fields in the
+.Fa destination
+object get overwritten.
+If fields overwritten in this way contain pointers to allocated memory,
+that memory is freed.
+.Pp
+As far as permitted by the above rules, the following fields are copied:
+.Bl -bullet -width 1n
+.It
+the verification purpose identifier set with
+.Xr X509_VERIFY_PARAM_set_purpose 3
+.It
+the trust setting set with
+.Xr X509_VERIFY_PARAM_set_trust 3
+.It
+the verification time set with
+.Xr X509_VERIFY_PARAM_set_time 3 ;
+in this case, the only condition is that
+.Dv X509_V_FLAG_USE_CHECK_TIME
+is not set in the
+.Fa destination
+object, whereas the time value in the
+.Fa destination
+object is not inspected before overwriting it
+.It
+the acceptable policy set set with
+.Xr X509_VERIFY_PARAM_set1_policies 3
+.It
+the maximum verification depth set with
+.Xr X509_VERIFY_PARAM_set_depth 3
+.It
+the list of expected DNS hostnames built with
+.Xr X509_VERIFY_PARAM_set1_host 3
+and
+.Xr X509_VERIFY_PARAM_add1_host 3 ;
+if this list is copied, any flags that were set with
+.Xr X509_VERIFY_PARAM_set_hostflags 3
+are copied together with the list, without inspecting any such flags
+that may already be present in the
+.Fa destination
+object before overwriting them
+.It
+the expected RFC 822 email address set with
+.Xr X509_VERIFY_PARAM_set1_email 3
+.It
+the expected IP address set with
+.Xr X509_VERIFY_PARAM_set1_ip 3
+or
+.Xr X509_VERIFY_PARAM_set1_ip_asc 3
+.El
+.Pp
+Some data that may be contained in the
+.Fa source
+object is never copied, for example the subject name of the peer
+certificate that can be retrieved with
+.Xr X509_VERIFY_PARAM_get0_peername 3 .
+.Pp
+If
+.Fa source
+is a
+.Dv NULL
+pointer, the function has no effect but returns successfully.
+.Pp
+.Fn X509_VERIFY_PARAM_set1
+is identical to
+.Fn X509_VERIFY_PARAM_inherit
+except that fields in the
+.Fa destination
+object are overwritten even if they do not match their default values.
+Still, fields having their default value in the
+.Fa source
+object are not copied.
+.Pp
+If
+.Fn X509_VERIFY_PARAM_inherit
+or
+.Fn X509_VERIFY_PARAM_set1
+fail, partial copying may have occurred, so all data in the
+.Fa destination
+object should be regarded as invalid.
+.Pp
+.Fn X509_VERIFY_PARAM_inherit
+is used internally by
+.Xr X509_STORE_CTX_init 3
+and by
+.Xr X509_STORE_CTX_set_default 3 ,
+and
+.Fn X509_VERIFY_PARAM_set1
+is used internally by
+.Xr X509_STORE_set1_param 3 .
+.Pp
 .Fn X509_VERIFY_PARAM_free
 clears all data contained in
 .Fa param
@@ -118,8 +255,11 @@ returns a pointer to the new object, or
 .Dv NULL
 on allocation failure.
 .Pp
+.Fn X509_VERIFY_PARAM_inherit ,
+.Fn X509_VERIFY_PARAM_set1 ,
+and
 .Fn X509_VERIFY_PARAM_add0_table
-returns 1 for success or 0 for failure.
+return 1 for success or 0 for failure.
 .Pp
 .Fn X509_VERIFY_PARAM_lookup
 and
@@ -143,6 +283,8 @@ returns a number of objects.
 .Xr X509_VERIFY_PARAM_set_flags 3
 .Sh HISTORY
 .Fn X509_VERIFY_PARAM_new ,
+.Fn X509_VERIFY_PARAM_inherit ,
+.Fn X509_VERIFY_PARAM_set1 ,
 .Fn X509_VERIFY_PARAM_free ,
 .Fn X509_VERIFY_PARAM_add0_table ,
 .Fn X509_VERIFY_PARAM_lookup ,

diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3 index 05a36a4f79..ffde66cde5 100644 --- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3 +++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_VERIFY_PARAM_new.3,v 1.1 2021/10/18 14:46:37 schwarze Exp $	1	.\" $OpenBSD: X509_VERIFY_PARAM_new.3,v 1.2 2021/10/18 18:20:39 schwarze Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	4	.\"
@@ -19,19 +19,31 @@
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
21	.Nm X509_VERIFY_PARAM_new ,	21	.Nm X509_VERIFY_PARAM_new ,
		22	.Nm X509_VERIFY_PARAM_inherit ,
		23	.Nm X509_VERIFY_PARAM_set1 ,
22	.Nm X509_VERIFY_PARAM_free ,	24	.Nm X509_VERIFY_PARAM_free ,
23	.Nm X509_VERIFY_PARAM_add0_table ,	25	.Nm X509_VERIFY_PARAM_add0_table ,
24	.Nm X509_VERIFY_PARAM_lookup ,	26	.Nm X509_VERIFY_PARAM_lookup ,
25	.Nm X509_VERIFY_PARAM_get_count ,	27	.Nm X509_VERIFY_PARAM_get_count ,
26	.Nm X509_VERIFY_PARAM_get0 ,	28	.Nm X509_VERIFY_PARAM_get0 ,
27	.Nm X509_VERIFY_PARAM_table_cleanup	29	.Nm X509_VERIFY_PARAM_table_cleanup
28	.Nd X509 verification parameter object	30	.Nd X509 verification parameter objects
29	.Sh SYNOPSIS	31	.Sh SYNOPSIS
30	.In openssl/x509_vfy.h	32	.In openssl/x509_vfy.h
31	.Ft X509_VERIFY_PARAM *	33	.Ft X509_VERIFY_PARAM *
32	.Fo X509_VERIFY_PARAM_new	34	.Fo X509_VERIFY_PARAM_new
33	.Fa void	35	.Fa void
34	.Fc	36	.Fc
		37	.Ft int
		38	.Fo X509_VERIFY_PARAM_inherit
		39	.Fa "X509_VERIFY_PARAM *destination"
		40	.Fa "const X509_VERIFY_PARAM *source"
		41	.Fc
		42	.Ft int
		43	.Fo X509_VERIFY_PARAM_set1
		44	.Fa "X509_VERIFY_PARAM *destination"
		45	.Fa "const X509_VERIFY_PARAM *source"
		46	.Fc
35	.Ft void	47	.Ft void
36	.Fo X509_VERIFY_PARAM_free	48	.Fo X509_VERIFY_PARAM_free
37	.Fa "X509_VERIFY_PARAM *param"	49	.Fa "X509_VERIFY_PARAM *param"
@@ -62,6 +74,131 @@ allocates and initializes an empty
62	.Vt X509_VERIFY_PARAM	74	.Vt X509_VERIFY_PARAM
63	object.	75	object.
64	.Pp	76	.Pp
		77	.Fn X509_VERIFY_PARAM_inherit
		78	copies some data from the
		79	.Fa source
		80	object to the
		81	.Fa destination
		82	object.
		83	.Pp
		84	The verification flags set with
		85	.Xr X509_VERIFY_PARAM_set_flags 3
		86	in the
		87	.Fa source
		88	object are always OR'ed into the verification flags of the
		89	.Fa destination
		90	object.
		91	.Pp
		92	Fields having their default value in the
		93	.Fa source
		94	object are not copied.
		95	.Pp
		96	By default, fields in the
		97	.Fa destination
		98	object already having a non-default value are not overwritten.
		99	However, if at least one of the
		100	.Fa source
		101	or
		102	.Fa destination
		103	objects was created during a call to
		104	.Xr X509_STORE_CTX_init 3
		105	that did not have a
		106	.Fa store
		107	argument, and if that object was not previously used as the
		108	.Fa destination
		109	in an earlier call to
		110	.Fn X509_VERIFY_PARAM_inherit ,
		111	this restriction is waived and even non-default fields in the
		112	.Fa destination
		113	object get overwritten.
		114	If fields overwritten in this way contain pointers to allocated memory,
		115	that memory is freed.
		116	.Pp
		117	As far as permitted by the above rules, the following fields are copied:
		118	.Bl -bullet -width 1n
		119	.It
		120	the verification purpose identifier set with
		121	.Xr X509_VERIFY_PARAM_set_purpose 3
		122	.It
		123	the trust setting set with
		124	.Xr X509_VERIFY_PARAM_set_trust 3
		125	.It
		126	the verification time set with
		127	.Xr X509_VERIFY_PARAM_set_time 3 ;
		128	in this case, the only condition is that
		129	.Dv X509_V_FLAG_USE_CHECK_TIME
		130	is not set in the
		131	.Fa destination
		132	object, whereas the time value in the
		133	.Fa destination
		134	object is not inspected before overwriting it
		135	.It
		136	the acceptable policy set set with
		137	.Xr X509_VERIFY_PARAM_set1_policies 3
		138	.It
		139	the maximum verification depth set with
		140	.Xr X509_VERIFY_PARAM_set_depth 3
		141	.It
		142	the list of expected DNS hostnames built with
		143	.Xr X509_VERIFY_PARAM_set1_host 3
		144	and
		145	.Xr X509_VERIFY_PARAM_add1_host 3 ;
		146	if this list is copied, any flags that were set with
		147	.Xr X509_VERIFY_PARAM_set_hostflags 3
		148	are copied together with the list, without inspecting any such flags
		149	that may already be present in the
		150	.Fa destination
		151	object before overwriting them
		152	.It
		153	the expected RFC 822 email address set with
		154	.Xr X509_VERIFY_PARAM_set1_email 3
		155	.It
		156	the expected IP address set with
		157	.Xr X509_VERIFY_PARAM_set1_ip 3
		158	or
		159	.Xr X509_VERIFY_PARAM_set1_ip_asc 3
		160	.El
		161	.Pp
		162	Some data that may be contained in the
		163	.Fa source
		164	object is never copied, for example the subject name of the peer
		165	certificate that can be retrieved with
		166	.Xr X509_VERIFY_PARAM_get0_peername 3 .
		167	.Pp
		168	If
		169	.Fa source
		170	is a
		171	.Dv NULL
		172	pointer, the function has no effect but returns successfully.
		173	.Pp
		174	.Fn X509_VERIFY_PARAM_set1
		175	is identical to
		176	.Fn X509_VERIFY_PARAM_inherit
		177	except that fields in the
		178	.Fa destination
		179	object are overwritten even if they do not match their default values.
		180	Still, fields having their default value in the
		181	.Fa source
		182	object are not copied.
		183	.Pp
		184	If
		185	.Fn X509_VERIFY_PARAM_inherit
		186	or
		187	.Fn X509_VERIFY_PARAM_set1
		188	fail, partial copying may have occurred, so all data in the
		189	.Fa destination
		190	object should be regarded as invalid.
		191	.Pp
		192	.Fn X509_VERIFY_PARAM_inherit
		193	is used internally by
		194	.Xr X509_STORE_CTX_init 3
		195	and by
		196	.Xr X509_STORE_CTX_set_default 3 ,
		197	and
		198	.Fn X509_VERIFY_PARAM_set1
		199	is used internally by
		200	.Xr X509_STORE_set1_param 3 .
		201	.Pp
65	.Fn X509_VERIFY_PARAM_free	202	.Fn X509_VERIFY_PARAM_free
66	clears all data contained in	203	clears all data contained in
67	.Fa param	204	.Fa param
@@ -118,8 +255,11 @@ returns a pointer to the new object, or
118	.Dv NULL	255	.Dv NULL
119	on allocation failure.	256	on allocation failure.
120	.Pp	257	.Pp
		258	.Fn X509_VERIFY_PARAM_inherit ,
		259	.Fn X509_VERIFY_PARAM_set1 ,
		260	and
121	.Fn X509_VERIFY_PARAM_add0_table	261	.Fn X509_VERIFY_PARAM_add0_table
122	returns 1 for success or 0 for failure.	262	return 1 for success or 0 for failure.
123	.Pp	263	.Pp
124	.Fn X509_VERIFY_PARAM_lookup	264	.Fn X509_VERIFY_PARAM_lookup
125	and	265	and
@@ -143,6 +283,8 @@ returns a number of objects.
143	.Xr X509_VERIFY_PARAM_set_flags 3	283	.Xr X509_VERIFY_PARAM_set_flags 3
144	.Sh HISTORY	284	.Sh HISTORY
145	.Fn X509_VERIFY_PARAM_new ,	285	.Fn X509_VERIFY_PARAM_new ,
		286	.Fn X509_VERIFY_PARAM_inherit ,
		287	.Fn X509_VERIFY_PARAM_set1 ,
146	.Fn X509_VERIFY_PARAM_free ,	288	.Fn X509_VERIFY_PARAM_free ,
147	.Fn X509_VERIFY_PARAM_add0_table ,	289	.Fn X509_VERIFY_PARAM_add0_table ,
148	.Fn X509_VERIFY_PARAM_lookup ,	290	.Fn X509_VERIFY_PARAM_lookup ,