1 files changed, 346 insertions, 0 deletions
diff --git a/src/lib/libcrypto/man/d2i_X509.3 b/src/lib/libcrypto/man/d2i_X509.3
new file mode 100644
index 0000000000..09c65afa58
--- /dev/null
+++ b/src/lib/libcrypto/man/d2i_X509.3
@@ -0,0 +1,346 @@
+.Dd $Mdocdate: November 4 2016 $
+.Dt D2I_X509 3
+.Os
+.Sh NAME
+.Nm d2i_X509 ,
+.Nm i2d_X509 ,
+.Nm d2i_X509_bio ,
+.Nm d2i_X509_fp ,
+.Nm i2d_X509_bio ,
+.Nm i2d_X509_fp
+.Nd X509 encode and decode functions
+.Sh SYNOPSIS
+.In openssl/x509.h
+.Ft X509 *
+.Fo d2i_X509
+.Fa "X509 **px"
+.Fa "const unsigned char **in"
+.Fa "int len"
+.Fc
+.Ft int
+.Fo i2d_X509
+.Fa "X509 *x"
+.Fa "unsigned char **out"
+.Fc
+.Ft X509 *
+.Fo d2i_X509_bio
+.Fa "BIO *bp"
+.Fa "X509 **x"
+.Fc
+.Ft X509 *
+.Fo d2i_X509_fp
+.Fa "FILE *fp"
+.Fa "X509 **x"
+.Fc
+.Ft int
+.Fo i2d_X509_bio
+.Fa "BIO *bp"
+.Fa "X509 *x"
+.Fc
+.Ft int
+.Fo i2d_X509_fp
+.Fa "FILE *fp"
+.Fa "X509 *x"
+.Fc
+.Sh DESCRIPTION
+The X509 encode and decode routines encode and parse an
+.Vt X509
+structure, which represents an X509 certificate.
+.Pp
+.Fn d2i_X509
+attempts to decode
+.Fa len
+bytes at
+.Pf * Fa in .
+If successful, a pointer to the
+.Vt X509
+structure is returned.
+If an error occurred,
+.Dv NULL
+is returned.
+If
+.Fa px
+is not
+.Dv NULL ,
+the returned structure is written to
+.Pf * Fa px .
+If
+.Pf * Fa px
+is not
+.Dv NULL ,
+then it is assumed that
+.Pf * Fa px
+contains a valid
+.Vt X509
+structure and an attempt is made to reuse it.
+If the call is successful,
+.Pf * Fa in
+is incremented to the byte following the parsed data.
+.Pp
+.Fn i2d_X509
+encodes the structure pointed to by
+.Fa x
+into DER format.
+If
+.Fa out
+is not
+.Dv NULL ,
+it writes the DER encoded data to the buffer at
+.Pf * Fa out
+and increments it to point after the data just written.
+If the return value is negative an error occurred, otherwise it returns
+the length of the encoded data.
+.Pp
+For OpenSSL 0.9.7 and later if
+.Pf * Fa out
+is
+.Dv NULL ,
+memory will be allocated for a buffer and the encoded data written to it.
+In this case
+.Pf * Fa out
+is not incremented and it points to the start of the data just written.
+.Pp
+.Fn d2i_X509_bio
+is similar to
+.Fn d2i_X509
+except it attempts to parse data from
+.Vt BIO
+.Fa bp .
+.Pp
+.Fn d2i_X509_fp
+is similar to
+.Fn d2i_X509
+except it attempts to parse data from the
+.Vt FILE
+pointer
+.Fa fp .
+.Pp
+.Fn i2d_X509_bio
+is similar to
+.Fn i2d_X509
+except it writes the encoding of the structure
+.Fa x
+to
+.Vt BIO
+.Fa bp
+and it returns 1 for success or 0 for failure.
+.Pp
+.Fn i2d_X509_fp
+is similar to
+.Fn i2d_X509
+except it writes the encoding of the structure
+.Fa x
+to
+.Vt BIO
+.Fa bp
+and it returns 1 for success or 0 for failure.
+.Pp
+The letters
+.Sy i
+and
+.Sy d
+in for example
+.Fn i2d_X509
+stand for "internal" (that is an internal C structure) and "DER",
+so that
+.Fn i2d_X509
+converts from internal to DER.
+.Pp
+The functions can also understand BER forms.
+.Pp
+The actual
+.Vt X509
+structure passed to
+.Fn i2d_X509
+must be a valid populated
+.Vt X509
+structure.
+It cannot simply be fed with an empty structure such as that returned by
+.Xr X509_new 3 .
+.Pp
+The encoded data is in binary form and may contain embedded zeroes.
+Therefore any
+.Vt FILE
+pointers or
+.Vt BIO Ns s
+should be opened in binary mode.
+Functions such as
+.Xr strlen 3
+will
+.Sy not
+return the correct length of the encoded structure.
+.Pp
+The ways that
+.Pf * Fa in
+and
+.Pf * Fa out
+are incremented after the operation can trap the unwary.
+See the
+.Sx CAVEATS
+section for some common errors.
+.Pp
+The reason for the auto increment behaviour is to reflect a typical
+usage of ASN1 functions: after one structure is encoded or decoded,
+another will processed after it.
+.Sh RETURN VALUES
+.Fn d2i_X509 ,
+.Fn d2i_X509_bio ,
+and
+.Fn d2i_X509_fp
+return a valid
+.Vt X509
+structure or
+.Dv NULL
+if an error occurs.
+.Pp
+.Fn i2d_X509
+returns the number of bytes successfully encoded or a negative value if
+an error occurs.
+.Pp
+.Fn i2d_X509_bio
+and
+.Fn i2d_X509_fp
+return 1 for success or 0 if an error occurs.
+.Pp
+For all functions, the error code can be obtained by
+.Xr ERR_get_error 3 .
+.Sh EXAMPLES
+Allocate and encode the DER encoding of an X509 structure:
+.Bd -literal -offset indent
+int len;
+unsigned char *buf, *p;
+len = i2d_X509(x, NULL);
+buf = malloc(len);
+if (buf == NULL)
+        /* error */
+p = buf;
+i2d_X509(x, &p);
+.Ed
+.Pp
+If you are using OpenSSL 0.9.7 or later then this can be simplified to:
+.Bd -literal -offset indent
+int len;
+unsigned char *buf;
+buf = NULL;
+len = i2d_X509(x, &buf);
+if (len < 0)
+        /* error */
+.Ed
+.Pp
+Attempt to decode a buffer:
+.Bd -literal -offset indent
+X509 *x;
+unsigned char *buf, *p;
+int len;
+/* Something to setup buf and len */
+p = buf;
+x = d2i_X509(NULL, &p, len);
+if (x == NULL)
+    /* Some error */
+.Ed
+.Pp
+Alternative technique:
+.Bd -literal -offset indent
+X509 *x;
+unsigned char *buf, *p;
+int len;
+/* Something to setup buf and len */
+p = buf;
+x = NULL;
+if(!d2i_X509(&x, &p, len))
+    /* Some error */
+.Ed
+.Sh SEE ALSO
+.Xr ERR_get_error 3
+.Sh HISTORY
+.Fn d2i_X509 ,
+.Fn i2d_X509 ,
+.Fn d2i_X509_bio ,
+.Fn d2i_X509_fp ,
+.Fn i2d_X509_bio ,
+and
+.Fn i2d_X509_fp
+are available in all versions of SSLeay and OpenSSL.
+.Sh CAVEATS
+The use of a temporary variable is mandatory.
+A common mistake is to attempt to use a buffer directly as follows:
+.Bd -literal -offset indent
+int len;
+unsigned char *buf;
+len = i2d_X509(x, NULL);
+buf = malloc(len);
+if (buf == NULL)
+        /* error */
+i2d_X509(x, &buf);
+/* Other stuff ... */
+free(buf);
+.Ed
+.Pp
+This code will result in
+.Fa buf
+apparently containing garbage because it was incremented after the
+call to point after the data just written.
+Also
+.Fa buf
+will no longer contain the pointer allocated by
+.Xr malloc 3
+and the subsequent call to
+.Xr free 3
+may well crash.
+.Pp
+The auto allocation feature (setting
+.Fa buf
+to
+.Dv NULL
+only works on OpenSSL 0.9.7 and later.
+Attempts to use it on earlier versions will typically cause a
+segmentation violation.
+.Pp
+Another trap to avoid is misuse of the
+.Fa px
+argument to
+.Sy d2i_X509() :
+.Bd -literal -offset indent
+X509 *x;
+if (!d2i_X509(&x, &p, len))
+        /* Some error */
+.Ed
+.Pp
+This will probably crash somewhere in
+.Fn d2i_X509 .
+The reason for this is that the variable
+.Fa x
+is uninitialized and an attempt will be made to interpret its (invalid)
+value as an
+.Vt X509
+structure, typically causing a segmentation violation.
+If
+.Fa x
+is set to
+.Dv NULL
+first then this will not happen.
+.Sh BUGS
+In some versions of OpenSSL the "reuse" behaviour of
+.Fn d2i_X509
+when
+.Pf * Fa px
+is valid is broken and some parts of the reused structure may persist
+if they are not present in the new one.
+As a result the use of this "reuse" behaviour is strongly discouraged.
+.Pp
+In many versions of OpenSSL,
+.Fn i2d_X509
+will not return an error if mandatory fields are not initialized
+due to a programming error.
+Then the encoded structure may contain invalid data or omit the
+fields entirely and will not be parsed by
+.Fn d2i_X509 .
+This may be fixed in future so code should not assume that
+.Fn i2d_X509
+will always succeed.

diff --git a/src/lib/libcrypto/man/d2i_X509.3 b/src/lib/libcrypto/man/d2i_X509.3 new file mode 100644 index 0000000000..09c65afa58 --- /dev/null +++ b/src/lib/libcrypto/man/d2i_X509.3
@@ -0,0 +1,346 @@
	1	.Dd $Mdocdate: November 4 2016 $
	2	.Dt D2I_X509 3
	3	.Os
	4	.Sh NAME
	5	.Nm d2i_X509 ,
	6	.Nm i2d_X509 ,
	7	.Nm d2i_X509_bio ,
	8	.Nm d2i_X509_fp ,
	9	.Nm i2d_X509_bio ,
	10	.Nm i2d_X509_fp
	11	.Nd X509 encode and decode functions
	12	.Sh SYNOPSIS
	13	.In openssl/x509.h
	14	.Ft X509 *
	15	.Fo d2i_X509
	16	.Fa "X509 **px"
	17	.Fa "const unsigned char **in"
	18	.Fa "int len"
	19	.Fc
	20	.Ft int
	21	.Fo i2d_X509
	22	.Fa "X509 *x"
	23	.Fa "unsigned char **out"
	24	.Fc
	25	.Ft X509 *
	26	.Fo d2i_X509_bio
	27	.Fa "BIO *bp"
	28	.Fa "X509 **x"
	29	.Fc
	30	.Ft X509 *
	31	.Fo d2i_X509_fp
	32	.Fa "FILE *fp"
	33	.Fa "X509 **x"
	34	.Fc
	35	.Ft int
	36	.Fo i2d_X509_bio
	37	.Fa "BIO *bp"
	38	.Fa "X509 *x"
	39	.Fc
	40	.Ft int
	41	.Fo i2d_X509_fp
	42	.Fa "FILE *fp"
	43	.Fa "X509 *x"
	44	.Fc
	45	.Sh DESCRIPTION
	46	The X509 encode and decode routines encode and parse an
	47	.Vt X509
	48	structure, which represents an X509 certificate.
	49	.Pp
	50	.Fn d2i_X509
	51	attempts to decode
	52	.Fa len
	53	bytes at
	54	.Pf * Fa in .
	55	If successful, a pointer to the
	56	.Vt X509
	57	structure is returned.
	58	If an error occurred,
	59	.Dv NULL
	60	is returned.
	61	If
	62	.Fa px
	63	is not
	64	.Dv NULL ,
	65	the returned structure is written to
	66	.Pf * Fa px .
	67	If
	68	.Pf * Fa px
	69	is not
	70	.Dv NULL ,
	71	then it is assumed that
	72	.Pf * Fa px
	73	contains a valid
	74	.Vt X509
	75	structure and an attempt is made to reuse it.
	76	If the call is successful,
	77	.Pf * Fa in
	78	is incremented to the byte following the parsed data.
	79	.Pp
	80	.Fn i2d_X509
	81	encodes the structure pointed to by
	82	.Fa x
	83	into DER format.
	84	If
	85	.Fa out
	86	is not
	87	.Dv NULL ,
	88	it writes the DER encoded data to the buffer at
	89	.Pf * Fa out
	90	and increments it to point after the data just written.
	91	If the return value is negative an error occurred, otherwise it returns
	92	the length of the encoded data.
	93	.Pp
	94	For OpenSSL 0.9.7 and later if
	95	.Pf * Fa out
	96	is
	97	.Dv NULL ,
	98	memory will be allocated for a buffer and the encoded data written to it.
	99	In this case
	100	.Pf * Fa out
	101	is not incremented and it points to the start of the data just written.
	102	.Pp
	103	.Fn d2i_X509_bio
	104	is similar to
	105	.Fn d2i_X509
	106	except it attempts to parse data from
	107	.Vt BIO
	108	.Fa bp .
	109	.Pp
	110	.Fn d2i_X509_fp
	111	is similar to
	112	.Fn d2i_X509
	113	except it attempts to parse data from the
	114	.Vt FILE
	115	pointer
	116	.Fa fp .
	117	.Pp
	118	.Fn i2d_X509_bio
	119	is similar to
	120	.Fn i2d_X509
	121	except it writes the encoding of the structure
	122	.Fa x
	123	to
	124	.Vt BIO
	125	.Fa bp
	126	and it returns 1 for success or 0 for failure.
	127	.Pp
	128	.Fn i2d_X509_fp
	129	is similar to
	130	.Fn i2d_X509
	131	except it writes the encoding of the structure
	132	.Fa x
	133	to
	134	.Vt BIO
	135	.Fa bp
	136	and it returns 1 for success or 0 for failure.
	137	.Pp
	138	The letters
	139	.Sy i
	140	and
	141	.Sy d
	142	in for example
	143	.Fn i2d_X509
	144	stand for "internal" (that is an internal C structure) and "DER",
	145	so that
	146	.Fn i2d_X509
	147	converts from internal to DER.
	148	.Pp
	149	The functions can also understand BER forms.
	150	.Pp
	151	The actual
	152	.Vt X509
	153	structure passed to
	154	.Fn i2d_X509
	155	must be a valid populated
	156	.Vt X509
	157	structure.
	158	It cannot simply be fed with an empty structure such as that returned by
	159	.Xr X509_new 3 .
	160	.Pp
	161	The encoded data is in binary form and may contain embedded zeroes.
	162	Therefore any
	163	.Vt FILE
	164	pointers or
	165	.Vt BIO Ns s
	166	should be opened in binary mode.
	167	Functions such as
	168	.Xr strlen 3
	169	will
	170	.Sy not
	171	return the correct length of the encoded structure.
	172	.Pp
	173	The ways that
	174	.Pf * Fa in
	175	and
	176	.Pf * Fa out
	177	are incremented after the operation can trap the unwary.
	178	See the
	179	.Sx CAVEATS
	180	section for some common errors.
	181	.Pp
	182	The reason for the auto increment behaviour is to reflect a typical
	183	usage of ASN1 functions: after one structure is encoded or decoded,
	184	another will processed after it.
	185	.Sh RETURN VALUES
	186	.Fn d2i_X509 ,
	187	.Fn d2i_X509_bio ,
	188	and
	189	.Fn d2i_X509_fp
	190	return a valid
	191	.Vt X509
	192	structure or
	193	.Dv NULL
	194	if an error occurs.
	195	.Pp
	196	.Fn i2d_X509
	197	returns the number of bytes successfully encoded or a negative value if
	198	an error occurs.
	199	.Pp
	200	.Fn i2d_X509_bio
	201	and
	202	.Fn i2d_X509_fp
	203	return 1 for success or 0 if an error occurs.
	204	.Pp
	205	For all functions, the error code can be obtained by
	206	.Xr ERR_get_error 3 .
	207	.Sh EXAMPLES
	208	Allocate and encode the DER encoding of an X509 structure:
	209	.Bd -literal -offset indent
	210	int len;
	211	unsigned char buf, p;
	212
	213	len = i2d_X509(x, NULL);
	214	buf = malloc(len);
	215	if (buf == NULL)
	216	/* error */
	217	p = buf;
	218	i2d_X509(x, &p);
	219	.Ed
	220	.Pp
	221	If you are using OpenSSL 0.9.7 or later then this can be simplified to:
	222	.Bd -literal -offset indent
	223	int len;
	224	unsigned char *buf;
	225
	226	buf = NULL;
	227	len = i2d_X509(x, &buf);
	228	if (len < 0)
	229	/* error */
	230	.Ed
	231	.Pp
	232	Attempt to decode a buffer:
	233	.Bd -literal -offset indent
	234	X509 *x;
	235	unsigned char buf, p;
	236	int len;
	237
	238	/* Something to setup buf and len */
	239	p = buf;
	240	x = d2i_X509(NULL, &p, len);
	241	if (x == NULL)
	242	/* Some error */
	243	.Ed
	244	.Pp
	245	Alternative technique:
	246	.Bd -literal -offset indent
	247	X509 *x;
	248	unsigned char buf, p;
	249	int len;
	250
	251	/* Something to setup buf and len */
	252	p = buf;
	253	x = NULL;
	254	if(!d2i_X509(&x, &p, len))
	255	/* Some error */
	256	.Ed
	257	.Sh SEE ALSO
	258	.Xr ERR_get_error 3
	259	.Sh HISTORY
	260	.Fn d2i_X509 ,
	261	.Fn i2d_X509 ,
	262	.Fn d2i_X509_bio ,
	263	.Fn d2i_X509_fp ,
	264	.Fn i2d_X509_bio ,
	265	and
	266	.Fn i2d_X509_fp
	267	are available in all versions of SSLeay and OpenSSL.
	268	.Sh CAVEATS
	269	The use of a temporary variable is mandatory.
	270	A common mistake is to attempt to use a buffer directly as follows:
	271	.Bd -literal -offset indent
	272	int len;
	273	unsigned char *buf;
	274
	275	len = i2d_X509(x, NULL);
	276	buf = malloc(len);
	277	if (buf == NULL)
	278	/* error */
	279	i2d_X509(x, &buf);
	280	/* Other stuff ... */
	281	free(buf);
	282	.Ed
	283	.Pp
	284	This code will result in
	285	.Fa buf
	286	apparently containing garbage because it was incremented after the
	287	call to point after the data just written.
	288	Also
	289	.Fa buf
	290	will no longer contain the pointer allocated by
	291	.Xr malloc 3
	292	and the subsequent call to
	293	.Xr free 3
	294	may well crash.
	295	.Pp
	296	The auto allocation feature (setting
	297	.Fa buf
	298	to
	299	.Dv NULL
	300	only works on OpenSSL 0.9.7 and later.
	301	Attempts to use it on earlier versions will typically cause a
	302	segmentation violation.
	303	.Pp
	304	Another trap to avoid is misuse of the
	305	.Fa px
	306	argument to
	307	.Sy d2i_X509() :
	308	.Bd -literal -offset indent
	309	X509 *x;
	310
	311	if (!d2i_X509(&x, &p, len))
	312	/* Some error */
	313	.Ed
	314	.Pp
	315	This will probably crash somewhere in
	316	.Fn d2i_X509 .
	317	The reason for this is that the variable
	318	.Fa x
	319	is uninitialized and an attempt will be made to interpret its (invalid)
	320	value as an
	321	.Vt X509
	322	structure, typically causing a segmentation violation.
	323	If
	324	.Fa x
	325	is set to
	326	.Dv NULL
	327	first then this will not happen.
	328	.Sh BUGS
	329	In some versions of OpenSSL the "reuse" behaviour of
	330	.Fn d2i_X509
	331	when
	332	.Pf * Fa px
	333	is valid is broken and some parts of the reused structure may persist
	334	if they are not present in the new one.
	335	As a result the use of this "reuse" behaviour is strongly discouraged.
	336	.Pp
	337	In many versions of OpenSSL,
	338	.Fn i2d_X509
	339	will not return an error if mandatory fields are not initialized
	340	due to a programming error.
	341	Then the encoded structure may contain invalid data or omit the
	342	fields entirely and will not be parsed by
	343	.Fn d2i_X509 .
	344	This may be fixed in future so code should not assume that
	345	.Fn i2d_X509
	346	will always succeed.