1 files changed, 43 insertions, 9 deletions
diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
index a90fe6ea84..6db1e0ea29 100644
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
+++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.18 2021/10/18 14:46:37 schwarze Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.19 2021/11/12 18:56:00 schwarze Exp $
 .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 18 2021 $
+.Dd $Mdocdate: November 12 2021 $
 .Dt X509_VERIFY_PARAM_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -231,16 +231,42 @@ section for a complete description of values the
 .Fa flags
 parameter can take.
 .Pp
+If the
+.Fa flags
+argument includes any of the flags contained in
+.Dv X509_V_FLAG_POLICY_MASK ,
+that is, any of
+.Dv X509_V_FLAG_POLICY_CHECK ,
+.Dv X509_V_FLAG_EXPLICIT_POLICY ,
+.Dv X509_V_FLAG_INHIBIT_ANY ,
+and
+.Dv X509_V_FLAG_INHIBIT_MAP ,
+then
+.Dv X509_V_FLAG_POLICY_CHECK
+is set in addition to the flags contained in the
+.Fa flags
+argument.
+.Pp
 .Fn X509_VERIFY_PARAM_get_flags
 returns the flags in
 .Fa param .
 .Pp
 .Fn X509_VERIFY_PARAM_clear_flags
-clears the flags
+clears the specified
 .Fa flags
 in
 .Fa param .
 .Pp
+Calling this function can result in unsusual internal states of the
+.Fa param
+object, for example having a verification time configured but having
+.Dv X509_V_FLAG_USE_CHECK_TIME
+unset, or having
+.Dv X509_V_FLAG_EXPLICIT_POLICY
+set but
+.Dv X509_V_FLAG_POLICY_CHECK
+unset, which may have surprising effects.
+.Pp
 .Fn X509_VERIFY_PARAM_set_purpose
 sets the verification
 .Fa purpose
@@ -262,11 +288,17 @@ to
 .Fa trust .
 .Pp
 .Fn X509_VERIFY_PARAM_set_time
-sets the verification time in
+sets the flag
+.Dv X509_V_FLAG_USE_CHECK_TIME
+in
 .Fa param
-to
+in addition to the flags already set and sets the verification time to
 .Fa t .
-Normally the current time is used.
+If this function is not called, the current time is used instead,
+or the UNIX Epoch (January 1, 1970) if
+.Dv X509_V_FLAG_USE_CHECK_TIME
+is manually set using
+.Fn X509_VERIFY_PARAM_set_flags .
 .Pp
 .Fn X509_VERIFY_PARAM_add0_policy
 enables policy checking (it is disabled by default) and adds
@@ -492,12 +524,14 @@ set the
 and
 .Dq inhibit policy mapping
 flags, respectively, as defined in RFC 3280.
-Policy checking is automatically enabled if any of these flags are set.
+These three flags are ignored unless
+.Dv X509_V_FLAG_POLICY_CHECK
+is also set.
 .Pp
 If
 .Dv X509_V_FLAG_NOTIFY_POLICY
-is set and the policy checking is successful a special status code is
+is set and policy checking is successful, a special status code is
-set to the verification callback.
+sent to the verification callback.
 This permits it to examine the valid policy tree and perform additional
 checks or simply log it for debugging purposes.
 .Pp

diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 index a90fe6ea84..6db1e0ea29 100644 --- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 +++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.18 2021/10/18 14:46:37 schwarze Exp $	1	.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.19 2021/11/12 18:56:00 schwarze Exp $
2	.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500	2	.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
3	.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100	3	.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
4	.\"	4	.\"
@@ -68,7 +68,7 @@
68	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	68	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
69	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	69	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
70	.\"	70	.\"
71	.Dd $Mdocdate: October 18 2021 $	71	.Dd $Mdocdate: November 12 2021 $
72	.Dt X509_VERIFY_PARAM_SET_FLAGS 3	72	.Dt X509_VERIFY_PARAM_SET_FLAGS 3
73	.Os	73	.Os
74	.Sh NAME	74	.Sh NAME
@@ -231,16 +231,42 @@ section for a complete description of values the
231	.Fa flags	231	.Fa flags
232	parameter can take.	232	parameter can take.
233	.Pp	233	.Pp
		234	If the
		235	.Fa flags
		236	argument includes any of the flags contained in
		237	.Dv X509_V_FLAG_POLICY_MASK ,
		238	that is, any of
		239	.Dv X509_V_FLAG_POLICY_CHECK ,
		240	.Dv X509_V_FLAG_EXPLICIT_POLICY ,
		241	.Dv X509_V_FLAG_INHIBIT_ANY ,
		242	and
		243	.Dv X509_V_FLAG_INHIBIT_MAP ,
		244	then
		245	.Dv X509_V_FLAG_POLICY_CHECK
		246	is set in addition to the flags contained in the
		247	.Fa flags
		248	argument.
		249	.Pp
234	.Fn X509_VERIFY_PARAM_get_flags	250	.Fn X509_VERIFY_PARAM_get_flags
235	returns the flags in	251	returns the flags in
236	.Fa param .	252	.Fa param .
237	.Pp	253	.Pp
238	.Fn X509_VERIFY_PARAM_clear_flags	254	.Fn X509_VERIFY_PARAM_clear_flags
239	clears the flags	255	clears the specified
240	.Fa flags	256	.Fa flags
241	in	257	in
242	.Fa param .	258	.Fa param .
243	.Pp	259	.Pp
		260	Calling this function can result in unsusual internal states of the
		261	.Fa param
		262	object, for example having a verification time configured but having
		263	.Dv X509_V_FLAG_USE_CHECK_TIME
		264	unset, or having
		265	.Dv X509_V_FLAG_EXPLICIT_POLICY
		266	set but
		267	.Dv X509_V_FLAG_POLICY_CHECK
		268	unset, which may have surprising effects.
		269	.Pp
244	.Fn X509_VERIFY_PARAM_set_purpose	270	.Fn X509_VERIFY_PARAM_set_purpose
245	sets the verification	271	sets the verification
246	.Fa purpose	272	.Fa purpose
@@ -262,11 +288,17 @@ to
262	.Fa trust .	288	.Fa trust .
263	.Pp	289	.Pp
264	.Fn X509_VERIFY_PARAM_set_time	290	.Fn X509_VERIFY_PARAM_set_time
265	sets the verification time in	291	sets the flag
		292	.Dv X509_V_FLAG_USE_CHECK_TIME
		293	in
266	.Fa param	294	.Fa param
267	to	295	in addition to the flags already set and sets the verification time to
268	.Fa t .	296	.Fa t .
269	Normally the current time is used.	297	If this function is not called, the current time is used instead,
		298	or the UNIX Epoch (January 1, 1970) if
		299	.Dv X509_V_FLAG_USE_CHECK_TIME
		300	is manually set using
		301	.Fn X509_VERIFY_PARAM_set_flags .
270	.Pp	302	.Pp
271	.Fn X509_VERIFY_PARAM_add0_policy	303	.Fn X509_VERIFY_PARAM_add0_policy
272	enables policy checking (it is disabled by default) and adds	304	enables policy checking (it is disabled by default) and adds
@@ -492,12 +524,14 @@ set the
492	and	524	and
493	.Dq inhibit policy mapping	525	.Dq inhibit policy mapping
494	flags, respectively, as defined in RFC 3280.	526	flags, respectively, as defined in RFC 3280.
495	Policy checking is automatically enabled if any of these flags are set.	527	These three flags are ignored unless
		528	.Dv X509_V_FLAG_POLICY_CHECK
		529	is also set.
496	.Pp	530	.Pp
497	If	531	If
498	.Dv X509_V_FLAG_NOTIFY_POLICY	532	.Dv X509_V_FLAG_NOTIFY_POLICY
499	is set and the policy checking is successful a special status code is	533	is set and policy checking is successful, a special status code is
500	set to the verification callback.	534	sent to the verification callback.
501	This permits it to examine the valid policy tree and perform additional	535	This permits it to examine the valid policy tree and perform additional
502	checks or simply log it for debugging purposes.	536	checks or simply log it for debugging purposes.
503	.Pp	537	.Pp