4 files changed, 435 insertions, 1 deletions

diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index 8491e94fa0..63b97d44ae 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.63 2016/12/05 12:50:07 schwarze Exp $
+# $OpenBSD: Makefile,v 1.64 2016/12/05 15:56:46 schwarze Exp $
 
 .include <bsd.own.mk>
 
@@ -186,6 +186,9 @@ MAN=	\
         X509_STORE_CTX_set_verify_cb.3 \
         X509_STORE_set_verify_cb_func.3 \
         X509_VERIFY_PARAM_set_flags.3 \
+        X509_check_ca.3 \
+        X509_check_host.3 \
+        X509_check_issued.3 \
         X509_new.3 \
         X509_verify_cert.3 \
         bn.3 \
diff --git a/src/lib/libcrypto/man/X509_check_ca.3 b/src/lib/libcrypto/man/X509_check_ca.3
new file mode 100644
index 0000000000..67aac693e6
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_check_ca.3
@@ -0,0 +1,93 @@
+.\"     $OpenBSD: X509_check_ca.3,v 1.1 2016/12/05 15:56:46 schwarze Exp $
+.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\"
+.\" This file was written by Victor B. Wagner <vitus@cryptocom.ru>.
+.\" Copyright (c) 2015, 2016 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: December 5 2016 $
+.Dt X509_CHECK_CA 3
+.Os
+.Sh NAME
+.Nm X509_check_ca
+.Nd check whether a certificate is a CA certificate
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft int
+.Fo X509_check_ca
+.Fa "X509 *cert"
+.Fc
+.Sh DESCRIPTION
+This function checks whether the given certificate is a CA certificate,
+that is, whether it can be used to sign other certificates.
+.Sh RETURN VALUE
+This functions returns non-zero if
+.Fa cert
+is a CA certificate or 0 otherwise.
+.Pp
+The following return values identify specific kinds of CA certificates:
+.Bl -tag -width 2n
+.It 1
+an X.509 v3 CA certificate with
+.Sy basicConstraints
+extension CA:TRUE
+.It 3
+a self-signed X.509 v1 certificate
+.It 4
+a certificate with
+.Sy keyUsage
+extension with bit
+.Sy keyCertSign
+set, but without
+.Sy basicConstraints
+.It 5
+a certificate with an outdated Netscape Certificate Type extension telling
+that it is a CA certificate
+.El
+.Sh SEE ALSO
+.Xr X509_check_issued 3 ,
+.Xr X509_check_purpose 3 ,
+.Xr X509_verify_cert 3
diff --git a/src/lib/libcrypto/man/X509_check_host.3 b/src/lib/libcrypto/man/X509_check_host.3
new file mode 100644
index 0000000000..1e6a44ffe1
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_check_host.3
@@ -0,0 +1,234 @@
+.\"     $OpenBSD: X509_check_host.3,v 1.1 2016/12/05 15:56:46 schwarze Exp $
+.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\"
+.\" This file was written by Florian Weimer <fweimer@redhat.com> and
+.\" Viktor Dukhovni <openssl-users@dukhovni.org>.
+.\" Copyright (c) 2012, 2014, 2015, 2016 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: December 5 2016 $
+.Dt X509_CHECK_HOST 3
+.Os
+.Sh NAME
+.Nm X509_check_host ,
+.Nm X509_check_email ,
+.Nm X509_check_ip ,
+.Nm X509_check_ip_asc
+.Nd X.509 certificate matching
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft int
+.Fo X509_check_host
+.Fa "X509 *x"
+.Fa "const char *name"
+.Fa "size_t namelen"
+.Fa "unsigned int flags"
+.Fa "char **peername"
+.Fc
+.Ft int
+.Fo X509_check_email
+.Fa "X509 *x"
+.Fa "const char *address"
+.Fa "size_t addresslen"
+.Fa "unsigned int flags"
+.Fc
+.Ft int
+.Fo X509_check_ip
+.Fa "X509 *x"
+.Fa "const unsigned char *address"
+.Fa "size_t addresslen"
+.Fa "unsigned int flags"
+.Fc
+.Ft int
+.Fo X509_check_ip_asc
+.Fa "X509 *x"
+.Fa "const char *address"
+.Fa "unsigned int flags"
+.Fc
+.Sh DESCRIPTION
+The certificate matching functions are used to check whether a
+certificate matches a given host name, email address, or IP address.
+The validity of the certificate and its trust level has to be checked by
+other means.
+.Pp
+.Fn X509_check_host
+checks if the certificate Subject Alternative Name (SAN) or Subject
+CommonName (CN) matches the specified host name, which must be encoded
+in the preferred name syntax described in section 3.5 of RFC 1034.
+By default, wildcards are supported and they match only in the
+left-most label; but they may match part of that label with an
+explicit prefix or suffix.
+For example, by default, the host
+.Fa name
+.Qq www.example.com
+would match a certificate with a SAN or CN value of
+.Qq *.example.com ,
+.Qq w*.example.com
+or
+.Qq *w.example.com .
+.Pp
+Per section 6.4.2 of RFC 6125,
+.Fa name
+values representing international domain names must be given in A-label
+form.
+The
+.Fa namelen
+argument must be the number of characters in the name string or zero, in
+which case the length is calculated with
+.Fn strlen name .
+When
+.Fa name
+starts with a dot (e.g.\&
+.Qq .example.com ) ,
+it will be matched by a certificate valid for any sub-domain of
+.Fa name ; see also
+.Fa X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+below.
+.Pp
+When the certificate is matched and
+.Fa peername
+is not
+.Dv NULL ,
+a pointer to a copy of the matching SAN or CN from the peer
+certificate is stored at the address passed in
+.Fa peername .
+The application is responsible for freeing the peername via
+.Xr free 3
+when it is no longer needed.
+.Pp
+.Fn X509_check_email
+checks if the certificate matches the specified email
+.Fa address .
+Only the mailbox syntax of RFC 822 is supported, comments are not
+allowed, and no attempt is made to normalize quoted characters.
+The
+.Fa addresslen
+argument must be the number of characters in the address string or zero
+in which case the length is calculated with
+.Fn strlen address .
+.Pp
+.Fn X509_check_ip
+checks if the certificate matches a specified IPv4 or IPv6 address.
+The
+.Fa address
+array is in binary format, in network byte order.
+The length is either 4 (IPv4) or 16 (IPv6).
+Only explicitly marked addresses in the certificates are considered;
+IP addresses stored in DNS names and Common Names are ignored.
+.Pp
+.Fn X509_check_ip_asc
+is similar, except that the NUL-terminated string
+.Fa address
+is first converted to the internal representation.
+.Pp
+The
+.Fa flags
+argument is usually 0, but it can be the bitwise OR of the following
+flags.
+.Pp
+The
+.Dv X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
+flag causes the function to consider the subject DN even if the
+certificate contains at least one subject alternative name of the right
+type (DNS name or email address as appropriate); the default is to
+ignore the subject DN when at least one corresponding subject
+alternative names is present.
+.Pp
+The remaining flags are only meaningful for
+.Fn X509_check_host .
+.Pp
+The
+.Dv X509_CHECK_FLAG_NO_WILDCARDS
+flag disables wildcard expansion.
+.Pp
+The
+.Dv X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+flag suppresses support for
+.Qq *
+as a wildcard pattern in labels that have a
+prefix or suffix, such as
+.Qq www*
+or
+.Qq *www .
+.Pp
+The
+.Dv X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
+flag allows a
+.Qq *
+that constitutes the complete label of a DNS name (e.g.\&
+.Qq *.example.com )
+to match more than one label in
+.Fa name .
+.Pp
+The
+.Dv X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+flag restricts
+.Fa name
+values which start with
+.Qq \&. ,
+that would otherwise match any sub-domain in the peer certificate,
+to only match direct child sub-domains.
+Thus, for instance, with this flag set a
+.Fa name
+of
+.Qq .example.com
+would match a peer certificate with a DNS name of
+.Qq www.example.com ,
+but would not match a peer certificate with a DNS name of
+.Qq www.sub.example.com .
+.Sh RETURN VALUES
+The functions return 1 for a successful match, 0 for a failed match and
+-1 for an internal error: typically a memory allocation failure or an
+ASN.1 decoding error.
+.Pp
+All functions can also return -2 if the input is malformed.
+For example,
+.Fn X509_check_host
+returns -2 if the provided
+.Fa name
+contains embedded NUL bytes.
+.Sh HISTORY
+These functions were added in OpenSSL 1.0.2.
diff --git a/src/lib/libcrypto/man/X509_check_issued.3 b/src/lib/libcrypto/man/X509_check_issued.3
new file mode 100644
index 0000000000..997dfe12f1
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_check_issued.3
@@ -0,0 +1,104 @@
+.\"     $OpenBSD: X509_check_issued.3,v 1.1 2016/12/05 15:56:46 schwarze Exp $
+.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\"
+.\" This file was written by Victor B. Wagner <vitus@cryptocom.ru>.
+.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: December 5 2016 $
+.Dt X509_CHECK_ISSUED 3
+.Os
+.Sh NAME
+.Nm X509_check_issued
+.Nd check whether a certificate was issued using a given CA certificate
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft int
+.Fo X509_check_issued
+.Fa "X509 *issuer"
+.Fa "X509 *subject"
+.Fc
+.Sh DESCRIPTION
+This function checks whether the certificate
+.Fa subject
+was issued using the CA certificate
+.Fa issuer .
+It does the following checks:
+.Bl -bullet
+.It
+match the issuer field of
+.Fa subject
+against the subject field of
+.Fa issuer
+.It
+if
+.Sy authorityKeyIdentifier
+is present in the
+.Fa subject
+certificate,
+compare it to the
+.Sy subjectKeyIdentifier
+of
+.Fa issuer
+.It
+check the
+.Sy keyUsage
+field of
+.Fa issuer .
+.El
+.Sh RETURN VALUE
+This function returns
+.Dv X509_V_OK
+if the certificate
+.Fa subject
+is issued by
+.Fa issuer ,
+or some
+.Dv X509_V_ERR*
+constant to indicate an error.
+.Sh SEE ALSO
+.Xr X509_check_ca 3 ,
+.Xr X509_verify_cert 3