4 files changed, 159 insertions, 8 deletions
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_new.3 b/src/lib/libcrypto/man/X509_STORE_CTX_new.3
index f285045194..d1aca9527b 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_new.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_new.3,v 1.24 2021/08/02 16:21:11 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_new.3,v 1.25 2021/10/18 18:20:39 schwarze Exp $
 .\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 2 2021 $
+.Dd $Mdocdate: October 18 2021 $
 .Dt X509_STORE_CTX_NEW 3
 .Os
 .Sh NAME
@@ -182,6 +182,10 @@ not freeing them before
 .Fn X509_STORE_CTX_free
 is called on
 .Fa ctx .
+If a
+.Fa store
+is provided, the verification parameters contained in it are copied using
+.Xr X509_VERIFY_PARAM_inherit 3 .
 .Pp
 .Fn X509_STORE_CTX_cleanup
 internally cleans up
@@ -323,6 +327,7 @@ if no set of additional certificates was provided.
 .Xr X509_STORE_new 3 ,
 .Xr X509_STORE_set1_param 3 ,
 .Xr X509_verify_cert 3 ,
+.Xr X509_VERIFY_PARAM_inherit 3 ,
 .Xr X509_VERIFY_PARAM_set_flags 3
 .Sh HISTORY
 .Fn X509_STORE_CTX_init ,
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3
index bf78fc78ef..4307a3ae98 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.4 2021/10/18 14:46:37 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.5 2021/10/18 18:20:39 schwarze Exp $
 .\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -286,7 +286,9 @@ looks up and sets the default verification method to
 This uses the function
 .Xr X509_VERIFY_PARAM_lookup 3
 to find an appropriate set of parameters from
-.Fa name .
+.Fa name
+and copies them using
+.Xr X509_VERIFY_PARAM_inherit 3 .
 .Sh RETURN VALUES
 .Fn X509_STORE_CTX_set_trust
 returns 1 if the
diff --git a/src/lib/libcrypto/man/X509_STORE_set1_param.3 b/src/lib/libcrypto/man/X509_STORE_set1_param.3
index 13caccb3c0..354d873854 100644
--- a/src/lib/libcrypto/man/X509_STORE_set1_param.3
+++ b/src/lib/libcrypto/man/X509_STORE_set1_param.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_set1_param.3,v 1.18 2021/10/18 14:46:37 schwarze Exp $
+.\" $OpenBSD: X509_STORE_set1_param.3,v 1.19 2021/10/18 18:20:39 schwarze Exp $
 .\" content checked up to:
 .\" OpenSSL man3/X509_STORE_add_cert b0edda11 Mar 20 13:00:17 2018 +0000
 .\" OpenSSL man3/X509_STORE_get0_param e90fc053 Jul 15 09:39:45 2017 -0400
@@ -102,6 +102,8 @@
 .Fn X509_STORE_set1_param
 copies the verification parameters from
 .Fa pm
+using
+.Xr X509_VERIFY_PARAM_set1 3
 into the verification parameter object contained in the
 .Fa store .
 .Pp
diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
index 05a36a4f79..ffde66cde5 100644
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
+++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_new.3,v 1.1 2021/10/18 14:46:37 schwarze Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_new.3,v 1.2 2021/10/18 18:20:39 schwarze Exp $
 .\"
 .\" Copyright (c) 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -19,19 +19,31 @@
 .Os
 .Sh NAME
 .Nm X509_VERIFY_PARAM_new ,
+.Nm X509_VERIFY_PARAM_inherit ,
+.Nm X509_VERIFY_PARAM_set1 ,
 .Nm X509_VERIFY_PARAM_free ,
 .Nm X509_VERIFY_PARAM_add0_table ,
 .Nm X509_VERIFY_PARAM_lookup ,
 .Nm X509_VERIFY_PARAM_get_count ,
 .Nm X509_VERIFY_PARAM_get0 ,
 .Nm X509_VERIFY_PARAM_table_cleanup
-.Nd X509 verification parameter object
+.Nd X509 verification parameter objects
 .Sh SYNOPSIS
 .In openssl/x509_vfy.h
 .Ft X509_VERIFY_PARAM *
 .Fo X509_VERIFY_PARAM_new
 .Fa void
 .Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_inherit
+.Fa "X509_VERIFY_PARAM *destination"
+.Fa "const X509_VERIFY_PARAM *source"
+.Fc
+.Ft int
+.Fo X509_VERIFY_PARAM_set1
+.Fa "X509_VERIFY_PARAM *destination"
+.Fa "const X509_VERIFY_PARAM *source"
+.Fc
 .Ft void
 .Fo X509_VERIFY_PARAM_free
 .Fa "X509_VERIFY_PARAM *param"
@@ -62,6 +74,131 @@ allocates and initializes an empty
 .Vt X509_VERIFY_PARAM
 object.
 .Pp
+.Fn X509_VERIFY_PARAM_inherit
+copies some data from the
+.Fa source
+object to the
+.Fa destination
+object.
+.Pp
+The verification flags set with
+.Xr X509_VERIFY_PARAM_set_flags 3
+in the
+.Fa source
+object are always OR'ed into the verification flags of the
+.Fa destination
+object.
+.Pp
+Fields having their default value in the
+.Fa source
+object are not copied.
+.Pp
+By default, fields in the
+.Fa destination
+object already having a non-default value are not overwritten.
+However, if at least one of the
+.Fa source
+or
+.Fa destination
+objects was created during a call to
+.Xr X509_STORE_CTX_init 3
+that did not have a
+.Fa store
+argument, and if that object was not previously used as the
+.Fa destination
+in an earlier call to
+.Fn X509_VERIFY_PARAM_inherit ,
+this restriction is waived and even non-default fields in the
+.Fa destination
+object get overwritten.
+If fields overwritten in this way contain pointers to allocated memory,
+that memory is freed.
+.Pp
+As far as permitted by the above rules, the following fields are copied:
+.Bl -bullet -width 1n
+.It
+the verification purpose identifier set with
+.Xr X509_VERIFY_PARAM_set_purpose 3
+.It
+the trust setting set with
+.Xr X509_VERIFY_PARAM_set_trust 3
+.It
+the verification time set with
+.Xr X509_VERIFY_PARAM_set_time 3 ;
+in this case, the only condition is that
+.Dv X509_V_FLAG_USE_CHECK_TIME
+is not set in the
+.Fa destination
+object, whereas the time value in the
+.Fa destination
+object is not inspected before overwriting it
+.It
+the acceptable policy set set with
+.Xr X509_VERIFY_PARAM_set1_policies 3
+.It
+the maximum verification depth set with
+.Xr X509_VERIFY_PARAM_set_depth 3
+.It
+the list of expected DNS hostnames built with
+.Xr X509_VERIFY_PARAM_set1_host 3
+and
+.Xr X509_VERIFY_PARAM_add1_host 3 ;
+if this list is copied, any flags that were set with
+.Xr X509_VERIFY_PARAM_set_hostflags 3
+are copied together with the list, without inspecting any such flags
+that may already be present in the
+.Fa destination
+object before overwriting them
+.It
+the expected RFC 822 email address set with
+.Xr X509_VERIFY_PARAM_set1_email 3
+.It
+the expected IP address set with
+.Xr X509_VERIFY_PARAM_set1_ip 3
+or
+.Xr X509_VERIFY_PARAM_set1_ip_asc 3
+.El
+.Pp
+Some data that may be contained in the
+.Fa source
+object is never copied, for example the subject name of the peer
+certificate that can be retrieved with
+.Xr X509_VERIFY_PARAM_get0_peername 3 .
+.Pp
+If
+.Fa source
+is a
+.Dv NULL
+pointer, the function has no effect but returns successfully.
+.Pp
+.Fn X509_VERIFY_PARAM_set1
+is identical to
+.Fn X509_VERIFY_PARAM_inherit
+except that fields in the
+.Fa destination
+object are overwritten even if they do not match their default values.
+Still, fields having their default value in the
+.Fa source
+object are not copied.
+.Pp
+If
+.Fn X509_VERIFY_PARAM_inherit
+or
+.Fn X509_VERIFY_PARAM_set1
+fail, partial copying may have occurred, so all data in the
+.Fa destination
+object should be regarded as invalid.
+.Pp
+.Fn X509_VERIFY_PARAM_inherit
+is used internally by
+.Xr X509_STORE_CTX_init 3
+and by
+.Xr X509_STORE_CTX_set_default 3 ,
+and
+.Fn X509_VERIFY_PARAM_set1
+is used internally by
+.Xr X509_STORE_set1_param 3 .
+.Pp
 .Fn X509_VERIFY_PARAM_free
 clears all data contained in
 .Fa param
@@ -118,8 +255,11 @@ returns a pointer to the new object, or
 .Dv NULL
 on allocation failure.
 .Pp
+.Fn X509_VERIFY_PARAM_inherit ,
+.Fn X509_VERIFY_PARAM_set1 ,
+and
 .Fn X509_VERIFY_PARAM_add0_table
-returns 1 for success or 0 for failure.
+return 1 for success or 0 for failure.
 .Pp
 .Fn X509_VERIFY_PARAM_lookup
 and
@@ -143,6 +283,8 @@ returns a number of objects.
 .Xr X509_VERIFY_PARAM_set_flags 3
 .Sh HISTORY
 .Fn X509_VERIFY_PARAM_new ,
+.Fn X509_VERIFY_PARAM_inherit ,
+.Fn X509_VERIFY_PARAM_set1 ,
 .Fn X509_VERIFY_PARAM_free ,
 .Fn X509_VERIFY_PARAM_add0_table ,
 .Fn X509_VERIFY_PARAM_lookup ,

diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_new.3 b/src/lib/libcrypto/man/X509_STORE_CTX_new.3 index f285045194..d1aca9527b 100644 --- a/src/lib/libcrypto/man/X509_STORE_CTX_new.3 +++ b/src/lib/libcrypto/man/X509_STORE_CTX_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_STORE_CTX_new.3,v 1.24 2021/08/02 16:21:11 schwarze Exp $	1	.\" $OpenBSD: X509_STORE_CTX_new.3,v 1.25 2021/10/18 18:20:39 schwarze Exp $
2	.\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100	2	.\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100
3	.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100	3	.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
4	.\"	4	.\"
@@ -67,7 +67,7 @@
67	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	67	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
68	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	68	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
69	.\"	69	.\"
70	.Dd $Mdocdate: August 2 2021 $	70	.Dd $Mdocdate: October 18 2021 $
71	.Dt X509_STORE_CTX_NEW 3	71	.Dt X509_STORE_CTX_NEW 3
72	.Os	72	.Os
73	.Sh NAME	73	.Sh NAME
@@ -182,6 +182,10 @@ not freeing them before
182	.Fn X509_STORE_CTX_free	182	.Fn X509_STORE_CTX_free
183	is called on	183	is called on
184	.Fa ctx .	184	.Fa ctx .
		185	If a
		186	.Fa store
		187	is provided, the verification parameters contained in it are copied using
		188	.Xr X509_VERIFY_PARAM_inherit 3 .
185	.Pp	189	.Pp
186	.Fn X509_STORE_CTX_cleanup	190	.Fn X509_STORE_CTX_cleanup
187	internally cleans up	191	internally cleans up
@@ -323,6 +327,7 @@ if no set of additional certificates was provided.
323	.Xr X509_STORE_new 3 ,	327	.Xr X509_STORE_new 3 ,
324	.Xr X509_STORE_set1_param 3 ,	328	.Xr X509_STORE_set1_param 3 ,
325	.Xr X509_verify_cert 3 ,	329	.Xr X509_verify_cert 3 ,
		330	.Xr X509_VERIFY_PARAM_inherit 3 ,
326	.Xr X509_VERIFY_PARAM_set_flags 3	331	.Xr X509_VERIFY_PARAM_set_flags 3
327	.Sh HISTORY	332	.Sh HISTORY
328	.Fn X509_STORE_CTX_init ,	333	.Fn X509_STORE_CTX_init ,


diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 index bf78fc78ef..4307a3ae98 100644 --- a/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 +++ b/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.4 2021/10/18 14:46:37 schwarze Exp $	1	.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.5 2021/10/18 18:20:39 schwarze Exp $
2	.\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100	2	.\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100
3	.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100	3	.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
4	.\"	4	.\"
@@ -286,7 +286,9 @@ looks up and sets the default verification method to
286	This uses the function	286	This uses the function
287	.Xr X509_VERIFY_PARAM_lookup 3	287	.Xr X509_VERIFY_PARAM_lookup 3
288	to find an appropriate set of parameters from	288	to find an appropriate set of parameters from
289	.Fa name .	289	.Fa name
		290	and copies them using
		291	.Xr X509_VERIFY_PARAM_inherit 3 .
290	.Sh RETURN VALUES	292	.Sh RETURN VALUES
291	.Fn X509_STORE_CTX_set_trust	293	.Fn X509_STORE_CTX_set_trust
292	returns 1 if the	294	returns 1 if the


diff --git a/src/lib/libcrypto/man/X509_STORE_set1_param.3 b/src/lib/libcrypto/man/X509_STORE_set1_param.3 index 13caccb3c0..354d873854 100644 --- a/src/lib/libcrypto/man/X509_STORE_set1_param.3 +++ b/src/lib/libcrypto/man/X509_STORE_set1_param.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_STORE_set1_param.3,v 1.18 2021/10/18 14:46:37 schwarze Exp $	1	.\" $OpenBSD: X509_STORE_set1_param.3,v 1.19 2021/10/18 18:20:39 schwarze Exp $
2	.\" content checked up to:	2	.\" content checked up to:
3	.\" OpenSSL man3/X509_STORE_add_cert b0edda11 Mar 20 13:00:17 2018 +0000	3	.\" OpenSSL man3/X509_STORE_add_cert b0edda11 Mar 20 13:00:17 2018 +0000
4	.\" OpenSSL man3/X509_STORE_get0_param e90fc053 Jul 15 09:39:45 2017 -0400	4	.\" OpenSSL man3/X509_STORE_get0_param e90fc053 Jul 15 09:39:45 2017 -0400
@@ -102,6 +102,8 @@
102	.Fn X509_STORE_set1_param	102	.Fn X509_STORE_set1_param
103	copies the verification parameters from	103	copies the verification parameters from
104	.Fa pm	104	.Fa pm
		105	using
		106	.Xr X509_VERIFY_PARAM_set1 3
105	into the verification parameter object contained in the	107	into the verification parameter object contained in the
106	.Fa store .	108	.Fa store .
107	.Pp	109	.Pp


diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3 index 05a36a4f79..ffde66cde5 100644 --- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3 +++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_VERIFY_PARAM_new.3,v 1.1 2021/10/18 14:46:37 schwarze Exp $	1	.\" $OpenBSD: X509_VERIFY_PARAM_new.3,v 1.2 2021/10/18 18:20:39 schwarze Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>	3	.\" Copyright (c) 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
4	.\"	4	.\"
@@ -19,19 +19,31 @@
19	.Os	19	.Os
20	.Sh NAME	20	.Sh NAME
21	.Nm X509_VERIFY_PARAM_new ,	21	.Nm X509_VERIFY_PARAM_new ,
		22	.Nm X509_VERIFY_PARAM_inherit ,
		23	.Nm X509_VERIFY_PARAM_set1 ,
22	.Nm X509_VERIFY_PARAM_free ,	24	.Nm X509_VERIFY_PARAM_free ,
23	.Nm X509_VERIFY_PARAM_add0_table ,	25	.Nm X509_VERIFY_PARAM_add0_table ,
24	.Nm X509_VERIFY_PARAM_lookup ,	26	.Nm X509_VERIFY_PARAM_lookup ,
25	.Nm X509_VERIFY_PARAM_get_count ,	27	.Nm X509_VERIFY_PARAM_get_count ,
26	.Nm X509_VERIFY_PARAM_get0 ,	28	.Nm X509_VERIFY_PARAM_get0 ,
27	.Nm X509_VERIFY_PARAM_table_cleanup	29	.Nm X509_VERIFY_PARAM_table_cleanup
28	.Nd X509 verification parameter object	30	.Nd X509 verification parameter objects
29	.Sh SYNOPSIS	31	.Sh SYNOPSIS
30	.In openssl/x509_vfy.h	32	.In openssl/x509_vfy.h
31	.Ft X509_VERIFY_PARAM *	33	.Ft X509_VERIFY_PARAM *
32	.Fo X509_VERIFY_PARAM_new	34	.Fo X509_VERIFY_PARAM_new
33	.Fa void	35	.Fa void
34	.Fc	36	.Fc
		37	.Ft int
		38	.Fo X509_VERIFY_PARAM_inherit
		39	.Fa "X509_VERIFY_PARAM *destination"
		40	.Fa "const X509_VERIFY_PARAM *source"
		41	.Fc
		42	.Ft int
		43	.Fo X509_VERIFY_PARAM_set1
		44	.Fa "X509_VERIFY_PARAM *destination"
		45	.Fa "const X509_VERIFY_PARAM *source"
		46	.Fc
35	.Ft void	47	.Ft void
36	.Fo X509_VERIFY_PARAM_free	48	.Fo X509_VERIFY_PARAM_free
37	.Fa "X509_VERIFY_PARAM *param"	49	.Fa "X509_VERIFY_PARAM *param"
@@ -62,6 +74,131 @@ allocates and initializes an empty
62	.Vt X509_VERIFY_PARAM	74	.Vt X509_VERIFY_PARAM
63	object.	75	object.
64	.Pp	76	.Pp
		77	.Fn X509_VERIFY_PARAM_inherit
		78	copies some data from the
		79	.Fa source
		80	object to the
		81	.Fa destination
		82	object.
		83	.Pp
		84	The verification flags set with
		85	.Xr X509_VERIFY_PARAM_set_flags 3
		86	in the
		87	.Fa source
		88	object are always OR'ed into the verification flags of the
		89	.Fa destination
		90	object.
		91	.Pp
		92	Fields having their default value in the
		93	.Fa source
		94	object are not copied.
		95	.Pp
		96	By default, fields in the
		97	.Fa destination
		98	object already having a non-default value are not overwritten.
		99	However, if at least one of the
		100	.Fa source
		101	or
		102	.Fa destination
		103	objects was created during a call to
		104	.Xr X509_STORE_CTX_init 3
		105	that did not have a
		106	.Fa store
		107	argument, and if that object was not previously used as the
		108	.Fa destination
		109	in an earlier call to
		110	.Fn X509_VERIFY_PARAM_inherit ,
		111	this restriction is waived and even non-default fields in the
		112	.Fa destination
		113	object get overwritten.
		114	If fields overwritten in this way contain pointers to allocated memory,
		115	that memory is freed.
		116	.Pp
		117	As far as permitted by the above rules, the following fields are copied:
		118	.Bl -bullet -width 1n
		119	.It
		120	the verification purpose identifier set with
		121	.Xr X509_VERIFY_PARAM_set_purpose 3
		122	.It
		123	the trust setting set with
		124	.Xr X509_VERIFY_PARAM_set_trust 3
		125	.It
		126	the verification time set with
		127	.Xr X509_VERIFY_PARAM_set_time 3 ;
		128	in this case, the only condition is that
		129	.Dv X509_V_FLAG_USE_CHECK_TIME
		130	is not set in the
		131	.Fa destination
		132	object, whereas the time value in the
		133	.Fa destination
		134	object is not inspected before overwriting it
		135	.It
		136	the acceptable policy set set with
		137	.Xr X509_VERIFY_PARAM_set1_policies 3
		138	.It
		139	the maximum verification depth set with
		140	.Xr X509_VERIFY_PARAM_set_depth 3
		141	.It
		142	the list of expected DNS hostnames built with
		143	.Xr X509_VERIFY_PARAM_set1_host 3
		144	and
		145	.Xr X509_VERIFY_PARAM_add1_host 3 ;
		146	if this list is copied, any flags that were set with
		147	.Xr X509_VERIFY_PARAM_set_hostflags 3
		148	are copied together with the list, without inspecting any such flags
		149	that may already be present in the
		150	.Fa destination
		151	object before overwriting them
		152	.It
		153	the expected RFC 822 email address set with
		154	.Xr X509_VERIFY_PARAM_set1_email 3
		155	.It
		156	the expected IP address set with
		157	.Xr X509_VERIFY_PARAM_set1_ip 3
		158	or
		159	.Xr X509_VERIFY_PARAM_set1_ip_asc 3
		160	.El
		161	.Pp
		162	Some data that may be contained in the
		163	.Fa source
		164	object is never copied, for example the subject name of the peer
		165	certificate that can be retrieved with
		166	.Xr X509_VERIFY_PARAM_get0_peername 3 .
		167	.Pp
		168	If
		169	.Fa source
		170	is a
		171	.Dv NULL
		172	pointer, the function has no effect but returns successfully.
		173	.Pp
		174	.Fn X509_VERIFY_PARAM_set1
		175	is identical to
		176	.Fn X509_VERIFY_PARAM_inherit
		177	except that fields in the
		178	.Fa destination
		179	object are overwritten even if they do not match their default values.
		180	Still, fields having their default value in the
		181	.Fa source
		182	object are not copied.
		183	.Pp
		184	If
		185	.Fn X509_VERIFY_PARAM_inherit
		186	or
		187	.Fn X509_VERIFY_PARAM_set1
		188	fail, partial copying may have occurred, so all data in the
		189	.Fa destination
		190	object should be regarded as invalid.
		191	.Pp
		192	.Fn X509_VERIFY_PARAM_inherit
		193	is used internally by
		194	.Xr X509_STORE_CTX_init 3
		195	and by
		196	.Xr X509_STORE_CTX_set_default 3 ,
		197	and
		198	.Fn X509_VERIFY_PARAM_set1
		199	is used internally by
		200	.Xr X509_STORE_set1_param 3 .
		201	.Pp
65	.Fn X509_VERIFY_PARAM_free	202	.Fn X509_VERIFY_PARAM_free
66	clears all data contained in	203	clears all data contained in
67	.Fa param	204	.Fa param
@@ -118,8 +255,11 @@ returns a pointer to the new object, or
118	.Dv NULL	255	.Dv NULL
119	on allocation failure.	256	on allocation failure.
120	.Pp	257	.Pp
		258	.Fn X509_VERIFY_PARAM_inherit ,
		259	.Fn X509_VERIFY_PARAM_set1 ,
		260	and
121	.Fn X509_VERIFY_PARAM_add0_table	261	.Fn X509_VERIFY_PARAM_add0_table
122	returns 1 for success or 0 for failure.	262	return 1 for success or 0 for failure.
123	.Pp	263	.Pp
124	.Fn X509_VERIFY_PARAM_lookup	264	.Fn X509_VERIFY_PARAM_lookup
125	and	265	and
@@ -143,6 +283,8 @@ returns a number of objects.
143	.Xr X509_VERIFY_PARAM_set_flags 3	283	.Xr X509_VERIFY_PARAM_set_flags 3
144	.Sh HISTORY	284	.Sh HISTORY
145	.Fn X509_VERIFY_PARAM_new ,	285	.Fn X509_VERIFY_PARAM_new ,
		286	.Fn X509_VERIFY_PARAM_inherit ,
		287	.Fn X509_VERIFY_PARAM_set1 ,
146	.Fn X509_VERIFY_PARAM_free ,	288	.Fn X509_VERIFY_PARAM_free ,
147	.Fn X509_VERIFY_PARAM_add0_table ,	289	.Fn X509_VERIFY_PARAM_add0_table ,
148	.Fn X509_VERIFY_PARAM_lookup ,	290	.Fn X509_VERIFY_PARAM_lookup ,