1 files changed, 0 insertions, 415 deletions
diff --git a/src/lib/libssl/doc/SSL_CTX_set_verify.3 b/src/lib/libssl/doc/SSL_CTX_set_verify.3
deleted file mode 100644
index 9292f2086b..0000000000
--- a/src/lib/libssl/doc/SSL_CTX_set_verify.3
+++ /dev/null
@@ -1,415 +0,0 @@
-.\"
-.\"     $OpenBSD: SSL_CTX_set_verify.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
-.\"
-.Dd $Mdocdate: December 2 2014 $
-.Dt SSL_CTX_SET_VERIFY 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_verify ,
-.Nm SSL_set_verify ,
-.Nm SSL_CTX_set_verify_depth ,
-.Nm SSL_set_verify_depth
-.Nd set peer certificate verification parameters
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_verify
-.Fa "SSL_CTX *ctx"
-.Fa "int mode"
-.Fa "int (*verify_callback)(int, X509_STORE_CTX *)"
-.Fc
-.Ft void
-.Fo SSL_set_verify
-.Fa "SSL *s"
-.Fa "int mode"
-.Fa "int (*verify_callback)(int, X509_STORE_CTX *)"
-.Fc
-.Ft void
-.Fn SSL_CTX_set_verify_depth "SSL_CTX *ctx" "int depth"
-.Ft void
-.Fn SSL_set_verify_depth "SSL *s" "int depth"
-.Ft int
-.Fn verify_callback "int preverify_ok" "X509_STORE_CTX *x509_ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_verify
-sets the verification flags for
-.Fa ctx
-to be
-.Fa mode
-and
-specifies the
-.Fa verify_callback
-function to be used.
-If no callback function shall be specified, the
-.Dv NULL
-pointer can be used for
-.Fa verify_callback .
-.Pp
-.Fn SSL_set_verify
-sets the verification flags for
-.Fa ssl
-to be
-.Fa mode
-and specifies the
-.Fa verify_callback
-function to be used.
-If no callback function shall be specified, the
-.Dv NULL
-pointer can be used for
-.Fa verify_callback .
-In this case last
-.Fa verify_callback
-set specifically for this
-.Fa ssl
-remains.
-If no special callback was set before, the default callback for the underlying
-.Fa ctx
-is used, that was valid at the time
-.Fa ssl
-was created with
-.Xr SSL_new 3 .
-.Pp
-.Fn SSL_CTX_set_verify_depth
-sets the maximum
-.Fa depth
-for the certificate chain verification that shall be allowed for
-.Fa ctx .
-(See the
-.Sx BUGS
-section.)
-.Pp
-.Fn SSL_set_verify_depth
-sets the maximum
-.Fa depth
-for the certificate chain verification that shall be allowed for
-.Fa ssl .
-(See the
-.Sx BUGS
-section.)
-.Sh NOTES
-The verification of certificates can be controlled by a set of bitwise ORed
-.Fa mode
-flags:
-.Bl -tag -width Ds
-.It Dv SSL_VERIFY_NONE
-.Em Server mode:
-the server will not send a client certificate request to the client,
-so the client will not send a certificate.
-.Pp
-.Em Client mode:
-if not using an anonymous cipher (by default disabled),
-the server will send a certificate which will be checked.
-The result of the certificate verification process can be checked after the
-TLS/SSL handshake using the
-.Xr SSL_get_verify_result 3
-function.
-The handshake will be continued regardless of the verification result.
-.It Dv SSL_VERIFY_PEER
-.Em Server mode:
-the server sends a client certificate request to the client.
-The certificate returned (if any) is checked.
-If the verification process fails,
-the TLS/SSL handshake is immediately terminated with an alert message
-containing the reason for the verification failure.
-The behaviour can be controlled by the additional
-.Dv SSL_VERIFY_FAIL_IF_NO_PEER_CERT
-and
-.Dv SSL_VERIFY_CLIENT_ONCE
-flags.
-.Pp
-.Em Client mode:
-the server certificate is verified.
-If the verification process fails,
-the TLS/SSL handshake is immediately terminated with an alert message
-containing the reason for the verification failure.
-If no server certificate is sent, because an anonymous cipher is used,
-.Dv SSL_VERIFY_PEER
-is ignored.
-.It Dv SSL_VERIFY_FAIL_IF_NO_PEER_CERT
-.Em Server mode:
-if the client did not return a certificate, the TLS/SSL
-handshake is immediately terminated with a
-.Dq handshake failure
-alert.
-This flag must be used together with
-.Dv SSL_VERIFY_PEER.
-.Pp
-.Em Client mode:
-ignored
-.It Dv SSL_VERIFY_CLIENT_ONCE
-.Em Server mode:
-only request a client certificate on the initial TLS/SSL handshake.
-Do not ask for a client certificate again in case of a renegotiation.
-This flag must be used together with
-.Dv SSL_VERIFY_PEER .
-.Pp
-.Em Client mode:
-ignored
-.El
-.Pp
-Exactly one of the
-.Fa mode
-flags
-.Dv SSL_VERIFY_NONE
-and
-.Dv SSL_VERIFY_PEER
-must be set at any time.
-.Pp
-The actual verification procedure is performed either using the built-in
-verification procedure or using another application provided verification
-function set with
-.Xr SSL_CTX_set_cert_verify_callback 3 .
-The following descriptions apply in the case of the built-in procedure.
-An application provided procedure also has access to the verify depth
-information and the
-.Fa verify_callback Ns ()
-function, but the way this information is used may be different.
-.Pp
-.Fn SSL_CTX_set_verify_depth
-and
-.Fn SSL_set_verify_depth
-set the limit up to which depth certificates in a chain are used during the
-verification procedure.
-If the certificate chain is longer than allowed,
-the certificates above the limit are ignored.
-Error messages are generated as if these certificates would not be present,
-most likely a
-.Dv X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
-will be issued.
-The depth count is
-.Dq level 0: peer certificate ,
-.Dq level 1: CA certificate ,
-.Dq level 2: higher level CA certificate ,
-and so on.
-Setting the maximum depth to 2 allows the levels 0, 1, and 2.
-The default depth limit is 100,
-allowing for the peer certificate and an additional 100 CA certificates.
-.Pp
-The
-.Fa verify_callback
-function is used to control the behaviour when the
-.Dv SSL_VERIFY_PEER
-flag is set.
-It must be supplied by the application and receives two arguments:
-.Fa preverify_ok
-indicates whether the verification of the certificate in question was passed
-(preverify_ok=1) or not (preverify_ok=0).
-.Fa x509_ctx
-is a pointer to the complete context used
-for the certificate chain verification.
-.Pp
-The certificate chain is checked starting with the deepest nesting level
-(the root CA certificate) and worked upward to the peer's certificate.
-At each level signatures and issuer attributes are checked.
-Whenever a verification error is found, the error number is stored in
-.Fa x509_ctx
-and
-.Fa verify_callback
-is called with
-.Fa preverify_ok
-equal to 0.
-By applying
-.Fn X509_CTX_store_*
-functions
-.Fa verify_callback
-can locate the certificate in question and perform additional steps (see
-.Sx EXAMPLES ) .
-If no error is found for a certificate,
-.Fa verify_callback
-is called with
-.Fa preverify_ok
-equal to 1 before advancing to the next level.
-.Pp
-The return value of
-.Fa verify_callback
-controls the strategy of the further verification process.
-If
-.Fa verify_callback
-returns 0, the verification process is immediately stopped with
-.Dq verification failed
-state.
-If
-.Dv SSL_VERIFY_PEER
-is set, a verification failure alert is sent to the peer and the TLS/SSL
-handshake is terminated.
-If
-.Fa verify_callback
-returns 1, the verification process is continued.
-If
-.Fa verify_callback
-always returns 1,
-the TLS/SSL handshake will not be terminated with respect to verification
-failures and the connection will be established.
-The calling process can however retrieve the error code of the last
-verification error using
-.Xr SSL_get_verify_result 3
-or by maintaining its own error storage managed by
-.Fa verify_callback .
-.Pp
-If no
-.Fa verify_callback
-is specified, the default callback will be used.
-Its return value is identical to
-.Fa preverify_ok ,
-so that any verification
-failure will lead to a termination of the TLS/SSL handshake with an
-alert message, if
-.Dv SSL_VERIFY_PEER
-is set.
-.Sh RETURN VALUES
-The
-.Fn SSL*_set_verify*
-functions do not provide diagnostic information.
-.Sh EXAMPLES
-The following code sequence realizes an example
-.Fa verify_callback
-function that will always continue the TLS/SSL handshake regardless of
-verification failure, if wished.
-The callback realizes a verification depth limit with more informational output.
-.Pp
-All verification errors are printed;
-information about the certificate chain is printed on request.
-The example is realized for a server that does allow but not require client
-certificates.
-.Pp
-The example makes use of the ex_data technique to store application data
-into/retrieve application data from the
-.Vt SSL
-structure (see
-.Xr SSL_get_ex_new_index 3 ,
-.Xr SSL_get_ex_data_X509_STORE_CTX_idx 3 ) .
-.Bd -literal
-\&...
-typedef struct {
-        int     verbose_mode;
-        int     verify_depth;
-        int     always_continue;
-} mydata_t;
-int mydata_index;
-\&...
-static int
-verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
-{
-        char buf[256];
-        X509 *err_cert;
-        int err, depth;
-        SSL *ssl;
-        mydata_t *mydata;
-        err_cert = X509_STORE_CTX_get_current_cert(ctx);
-        err = X509_STORE_CTX_get_error(ctx);
-        depth = X509_STORE_CTX_get_error_depth(ctx);
-        /*
-         * Retrieve the pointer to the SSL of the connection currently
-         * treated * and the application specific data stored into the
-         * SSL object.
-         */
-        ssl = X509_STORE_CTX_get_ex_data(ctx,
-            SSL_get_ex_data_X509_STORE_CTX_idx());
-        mydata = SSL_get_ex_data(ssl, mydata_index);
-        X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
-        /*
-         * Catch a too long certificate chain. The depth limit set using
-         * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so
-         * that whenever the "depth>verify_depth" condition is met, we
-         * have violated the limit and want to log this error condition.
-         * We must do it here, because the CHAIN_TOO_LONG error would not
-         * be found explicitly; only errors introduced by cutting off the
-         * additional certificates would be logged.
-         */
-        if (depth > mydata->verify_depth) {
-                preverify_ok = 0;
-                err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
-                X509_STORE_CTX_set_error(ctx, err);
-        }
-        if (!preverify_ok) {
-                printf("verify error:num=%d:%s:depth=%d:%s\en", err,
-                    X509_verify_cert_error_string(err), depth, buf);
-        } else if (mydata->verbose_mode) {
-                printf("depth=%d:%s\en", depth, buf);
-        }
-        /*
-         * At this point, err contains the last verification error.
-         * We can use it for something special
-         */
-        if (!preverify_ok && (err ==
-            X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
-                X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),
-                    buf, 256);
-                printf("issuer= %s\en", buf);
-        }
-        if (mydata->always_continue)
-                return 1;
-        else
-                return preverify_ok;
-}
-\&...
-mydata_t mydata;
-\&...
-mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL);
-\&...
-SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
-    verify_callback);
-/*
- * Let the verify_callback catch the verify_depth error so that we get
- * an appropriate error in the logfile.
- */
-SSL_CTX_set_verify_depth(verify_depth + 1);
-/*
- * Set up the SSL specific data into "mydata" and store it into the SSL
- * structure.
- */
-mydata.verify_depth = verify_depth; ...
-SSL_set_ex_data(ssl, mydata_index, &mydata);
-\&...
-SSL_accept(ssl); /* check of success left out for clarity */
-if (peer = SSL_get_peer_certificate(ssl)) {
-        if (SSL_get_verify_result(ssl) == X509_V_OK) {
-                /* The client sent a certificate which verified OK */
-        }
-}
-.Ed
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_get_verify_mode 3 ,
-.Xr SSL_CTX_load_verify_locations 3 ,
-.Xr SSL_CTX_set_cert_verify_callback 3 ,
-.Xr SSL_get_ex_data_X509_STORE_CTX_idx 3 ,
-.Xr SSL_get_ex_new_index 3 ,
-.Xr SSL_get_peer_certificate 3 ,
-.Xr SSL_get_verify_result 3 ,
-.Xr SSL_new 3
-.Sh BUGS
-In client mode, it is not checked whether the
-.Dv SSL_VERIFY_PEER
-flag is set, but whether
-.Dv SSL_VERIFY_NONE
-is not set.
-This can lead to unexpected behaviour, if the
-.Dv SSL_VERIFY_PEER
-and
-.Dv SSL_VERIFY_NONE
-are not used as required (exactly one must be set at any time).
-.Pp
-The certificate verification depth set with
-.Fn SSL[_CTX]_verify_depth
-stops the verification at a certain depth.
-The error message produced will be that of an incomplete certificate chain and
-not
-.Dv X509_V_ERR_CERT_CHAIN_TOO_LONG
-as may be expected.

diff --git a/src/lib/libssl/doc/SSL_CTX_set_verify.3 b/src/lib/libssl/doc/SSL_CTX_set_verify.3 deleted file mode 100644 index 9292f2086b..0000000000 --- a/src/lib/libssl/doc/SSL_CTX_set_verify.3 +++ /dev/null
@@ -1,415 +0,0 @@
1	.\"
2	.\" $OpenBSD: SSL_CTX_set_verify.3,v 1.2 2014/12/02 14:11:01 jmc Exp $
3	.\"
4	.Dd $Mdocdate: December 2 2014 $
5	.Dt SSL_CTX_SET_VERIFY 3
6	.Os
7	.Sh NAME
8	.Nm SSL_CTX_set_verify ,
9	.Nm SSL_set_verify ,
10	.Nm SSL_CTX_set_verify_depth ,
11	.Nm SSL_set_verify_depth
12	.Nd set peer certificate verification parameters
13	.Sh SYNOPSIS
14	.In openssl/ssl.h
15	.Ft void
16	.Fo SSL_CTX_set_verify
17	.Fa "SSL_CTX *ctx"
18	.Fa "int mode"
19	.Fa "int (verify_callback)(int, X509_STORE_CTX )"
20	.Fc
21	.Ft void
22	.Fo SSL_set_verify
23	.Fa "SSL *s"
24	.Fa "int mode"
25	.Fa "int (verify_callback)(int, X509_STORE_CTX )"
26	.Fc
27	.Ft void
28	.Fn SSL_CTX_set_verify_depth "SSL_CTX *ctx" "int depth"
29	.Ft void
30	.Fn SSL_set_verify_depth "SSL *s" "int depth"
31	.Ft int
32	.Fn verify_callback "int preverify_ok" "X509_STORE_CTX *x509_ctx"
33	.Sh DESCRIPTION
34	.Fn SSL_CTX_set_verify
35	sets the verification flags for
36	.Fa ctx
37	to be
38	.Fa mode
39	and
40	specifies the
41	.Fa verify_callback
42	function to be used.
43	If no callback function shall be specified, the
44	.Dv NULL
45	pointer can be used for
46	.Fa verify_callback .
47	.Pp
48	.Fn SSL_set_verify
49	sets the verification flags for
50	.Fa ssl
51	to be
52	.Fa mode
53	and specifies the
54	.Fa verify_callback
55	function to be used.
56	If no callback function shall be specified, the
57	.Dv NULL
58	pointer can be used for
59	.Fa verify_callback .
60	In this case last
61	.Fa verify_callback
62	set specifically for this
63	.Fa ssl
64	remains.
65	If no special callback was set before, the default callback for the underlying
66	.Fa ctx
67	is used, that was valid at the time
68	.Fa ssl
69	was created with
70	.Xr SSL_new 3 .
71	.Pp
72	.Fn SSL_CTX_set_verify_depth
73	sets the maximum
74	.Fa depth
75	for the certificate chain verification that shall be allowed for
76	.Fa ctx .
77	(See the
78	.Sx BUGS
79	section.)
80	.Pp
81	.Fn SSL_set_verify_depth
82	sets the maximum
83	.Fa depth
84	for the certificate chain verification that shall be allowed for
85	.Fa ssl .
86	(See the
87	.Sx BUGS
88	section.)
89	.Sh NOTES
90	The verification of certificates can be controlled by a set of bitwise ORed
91	.Fa mode
92	flags:
93	.Bl -tag -width Ds
94	.It Dv SSL_VERIFY_NONE
95	.Em Server mode:
96	the server will not send a client certificate request to the client,
97	so the client will not send a certificate.
98	.Pp
99	.Em Client mode:
100	if not using an anonymous cipher (by default disabled),
101	the server will send a certificate which will be checked.
102	The result of the certificate verification process can be checked after the
103	TLS/SSL handshake using the
104	.Xr SSL_get_verify_result 3
105	function.
106	The handshake will be continued regardless of the verification result.
107	.It Dv SSL_VERIFY_PEER
108	.Em Server mode:
109	the server sends a client certificate request to the client.
110	The certificate returned (if any) is checked.
111	If the verification process fails,
112	the TLS/SSL handshake is immediately terminated with an alert message
113	containing the reason for the verification failure.
114	The behaviour can be controlled by the additional
115	.Dv SSL_VERIFY_FAIL_IF_NO_PEER_CERT
116	and
117	.Dv SSL_VERIFY_CLIENT_ONCE
118	flags.
119	.Pp
120	.Em Client mode:
121	the server certificate is verified.
122	If the verification process fails,
123	the TLS/SSL handshake is immediately terminated with an alert message
124	containing the reason for the verification failure.
125	If no server certificate is sent, because an anonymous cipher is used,
126	.Dv SSL_VERIFY_PEER
127	is ignored.
128	.It Dv SSL_VERIFY_FAIL_IF_NO_PEER_CERT
129	.Em Server mode:
130	if the client did not return a certificate, the TLS/SSL
131	handshake is immediately terminated with a
132	.Dq handshake failure
133	alert.
134	This flag must be used together with
135	.Dv SSL_VERIFY_PEER.
136	.Pp
137	.Em Client mode:
138	ignored
139	.It Dv SSL_VERIFY_CLIENT_ONCE
140	.Em Server mode:
141	only request a client certificate on the initial TLS/SSL handshake.
142	Do not ask for a client certificate again in case of a renegotiation.
143	This flag must be used together with
144	.Dv SSL_VERIFY_PEER .
145	.Pp
146	.Em Client mode:
147	ignored
148	.El
149	.Pp
150	Exactly one of the
151	.Fa mode
152	flags
153	.Dv SSL_VERIFY_NONE
154	and
155	.Dv SSL_VERIFY_PEER
156	must be set at any time.
157	.Pp
158	The actual verification procedure is performed either using the built-in
159	verification procedure or using another application provided verification
160	function set with
161	.Xr SSL_CTX_set_cert_verify_callback 3 .
162	The following descriptions apply in the case of the built-in procedure.
163	An application provided procedure also has access to the verify depth
164	information and the
165	.Fa verify_callback Ns ()
166	function, but the way this information is used may be different.
167	.Pp
168	.Fn SSL_CTX_set_verify_depth
169	and
170	.Fn SSL_set_verify_depth
171	set the limit up to which depth certificates in a chain are used during the
172	verification procedure.
173	If the certificate chain is longer than allowed,
174	the certificates above the limit are ignored.
175	Error messages are generated as if these certificates would not be present,
176	most likely a
177	.Dv X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
178	will be issued.
179	The depth count is
180	.Dq level 0: peer certificate ,
181	.Dq level 1: CA certificate ,
182	.Dq level 2: higher level CA certificate ,
183	and so on.
184	Setting the maximum depth to 2 allows the levels 0, 1, and 2.
185	The default depth limit is 100,
186	allowing for the peer certificate and an additional 100 CA certificates.
187	.Pp
188	The
189	.Fa verify_callback
190	function is used to control the behaviour when the
191	.Dv SSL_VERIFY_PEER
192	flag is set.
193	It must be supplied by the application and receives two arguments:
194	.Fa preverify_ok
195	indicates whether the verification of the certificate in question was passed
196	(preverify_ok=1) or not (preverify_ok=0).
197	.Fa x509_ctx
198	is a pointer to the complete context used
199	for the certificate chain verification.
200	.Pp
201	The certificate chain is checked starting with the deepest nesting level
202	(the root CA certificate) and worked upward to the peer's certificate.
203	At each level signatures and issuer attributes are checked.
204	Whenever a verification error is found, the error number is stored in
205	.Fa x509_ctx
206	and
207	.Fa verify_callback
208	is called with
209	.Fa preverify_ok
210	equal to 0.
211	By applying
212	.Fn X509_CTX_store_*
213	functions
214	.Fa verify_callback
215	can locate the certificate in question and perform additional steps (see
216	.Sx EXAMPLES ) .
217	If no error is found for a certificate,
218	.Fa verify_callback
219	is called with
220	.Fa preverify_ok
221	equal to 1 before advancing to the next level.
222	.Pp
223	The return value of
224	.Fa verify_callback
225	controls the strategy of the further verification process.
226	If
227	.Fa verify_callback
228	returns 0, the verification process is immediately stopped with
229	.Dq verification failed
230	state.
231	If
232	.Dv SSL_VERIFY_PEER
233	is set, a verification failure alert is sent to the peer and the TLS/SSL
234	handshake is terminated.
235	If
236	.Fa verify_callback
237	returns 1, the verification process is continued.
238	If
239	.Fa verify_callback
240	always returns 1,
241	the TLS/SSL handshake will not be terminated with respect to verification
242	failures and the connection will be established.
243	The calling process can however retrieve the error code of the last
244	verification error using
245	.Xr SSL_get_verify_result 3
246	or by maintaining its own error storage managed by
247	.Fa verify_callback .
248	.Pp
249	If no
250	.Fa verify_callback
251	is specified, the default callback will be used.
252	Its return value is identical to
253	.Fa preverify_ok ,
254	so that any verification
255	failure will lead to a termination of the TLS/SSL handshake with an
256	alert message, if
257	.Dv SSL_VERIFY_PEER
258	is set.
259	.Sh RETURN VALUES
260	The
261	.Fn SSL_set_verify
262	functions do not provide diagnostic information.
263	.Sh EXAMPLES
264	The following code sequence realizes an example
265	.Fa verify_callback
266	function that will always continue the TLS/SSL handshake regardless of
267	verification failure, if wished.
268	The callback realizes a verification depth limit with more informational output.
269	.Pp
270	All verification errors are printed;
271	information about the certificate chain is printed on request.
272	The example is realized for a server that does allow but not require client
273	certificates.
274	.Pp
275	The example makes use of the ex_data technique to store application data
276	into/retrieve application data from the
277	.Vt SSL
278	structure (see
279	.Xr SSL_get_ex_new_index 3 ,
280	.Xr SSL_get_ex_data_X509_STORE_CTX_idx 3 ) .
281	.Bd -literal
282	\&...
283
284	typedef struct {
285	int verbose_mode;
286	int verify_depth;
287	int always_continue;
288	} mydata_t;
289	int mydata_index;
290	\&...
291	static int
292	verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
293	{
294	char buf[256];
295	X509 *err_cert;
296	int err, depth;
297	SSL *ssl;
298	mydata_t *mydata;
299
300	err_cert = X509_STORE_CTX_get_current_cert(ctx);
301	err = X509_STORE_CTX_get_error(ctx);
302	depth = X509_STORE_CTX_get_error_depth(ctx);
303
304	/*
305	* Retrieve the pointer to the SSL of the connection currently
306	* treated * and the application specific data stored into the
307	* SSL object.
308	*/
309	ssl = X509_STORE_CTX_get_ex_data(ctx,
310	SSL_get_ex_data_X509_STORE_CTX_idx());
311	mydata = SSL_get_ex_data(ssl, mydata_index);
312
313	X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
314
315	/*
316	* Catch a too long certificate chain. The depth limit set using
317	* SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so
318	* that whenever the "depth>verify_depth" condition is met, we
319	* have violated the limit and want to log this error condition.
320	* We must do it here, because the CHAIN_TOO_LONG error would not
321	* be found explicitly; only errors introduced by cutting off the
322	* additional certificates would be logged.
323	*/
324	if (depth > mydata->verify_depth) {
325	preverify_ok = 0;
326	err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
327	X509_STORE_CTX_set_error(ctx, err);
328	}
329	if (!preverify_ok) {
330	printf("verify error:num=%d:%s:depth=%d:%s\en", err,
331	X509_verify_cert_error_string(err), depth, buf);
332	} else if (mydata->verbose_mode) {
333	printf("depth=%d:%s\en", depth, buf);
334	}
335
336	/*
337	* At this point, err contains the last verification error.
338	* We can use it for something special
339	*/
340	if (!preverify_ok && (err ==
341	X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
342	X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),
343	buf, 256);
344	printf("issuer= %s\en", buf);
345	}
346
347	if (mydata->always_continue)
348	return 1;
349	else
350	return preverify_ok;
351	}
352	\&...
353
354	mydata_t mydata;
355
356	\&...
357
358	mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL);
359
360	\&...
361
362	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER\|SSL_VERIFY_CLIENT_ONCE,
363	verify_callback);
364
365	/*
366	* Let the verify_callback catch the verify_depth error so that we get
367	* an appropriate error in the logfile.
368	*/
369	SSL_CTX_set_verify_depth(verify_depth + 1);
370
371	/*
372	* Set up the SSL specific data into "mydata" and store it into the SSL
373	* structure.
374	*/
375	mydata.verify_depth = verify_depth; ...
376	SSL_set_ex_data(ssl, mydata_index, &mydata);
377
378	\&...
379
380	SSL_accept(ssl); /* check of success left out for clarity */
381	if (peer = SSL_get_peer_certificate(ssl)) {
382	if (SSL_get_verify_result(ssl) == X509_V_OK) {
383	/* The client sent a certificate which verified OK */
384	}
385	}
386	.Ed
387	.Sh SEE ALSO
388	.Xr ssl 3 ,
389	.Xr SSL_CTX_get_verify_mode 3 ,
390	.Xr SSL_CTX_load_verify_locations 3 ,
391	.Xr SSL_CTX_set_cert_verify_callback 3 ,
392	.Xr SSL_get_ex_data_X509_STORE_CTX_idx 3 ,
393	.Xr SSL_get_ex_new_index 3 ,
394	.Xr SSL_get_peer_certificate 3 ,
395	.Xr SSL_get_verify_result 3 ,
396	.Xr SSL_new 3
397	.Sh BUGS
398	In client mode, it is not checked whether the
399	.Dv SSL_VERIFY_PEER
400	flag is set, but whether
401	.Dv SSL_VERIFY_NONE
402	is not set.
403	This can lead to unexpected behaviour, if the
404	.Dv SSL_VERIFY_PEER
405	and
406	.Dv SSL_VERIFY_NONE
407	are not used as required (exactly one must be set at any time).
408	.Pp
409	The certificate verification depth set with
410	.Fn SSL[_CTX]_verify_depth
411	stops the verification at a certain depth.
412	The error message produced will be that of an incomplete certificate chain and
413	not
414	.Dv X509_V_ERR_CERT_CHAIN_TOO_LONG
415	as may be expected.