4 files changed, 303 insertions, 5 deletions
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index fd8655d5b6..300a37686a 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.184 2021/07/22 17:11:14 schwarze Exp $
+# $OpenBSD: Makefile,v 1.185 2021/07/23 14:27:32 schwarze Exp $
 .include <bsd.own.mk>
@@ -292,6 +292,7 @@ MAN=	\
        X509_NAME_print_ex.3 \
        X509_OBJECT_get0_X509.3 \
        X509_PUBKEY_new.3 \
+        X509_PURPOSE_set.3 \
        X509_REQ_new.3 \
        X509_REVOKED_new.3 \
        X509_SIG_new.3 \
diff --git a/src/lib/libcrypto/man/X509_PURPOSE_set.3 b/src/lib/libcrypto/man/X509_PURPOSE_set.3
new file mode 100644
index 0000000000..1f723e9b9f
--- /dev/null
+++ b/src/lib/libcrypto/man/X509_PURPOSE_set.3
@@ -0,0 +1,295 @@
+.\" $OpenBSD: X509_PURPOSE_set.3,v 1.1 2021/07/23 14:27:32 schwarze Exp $
+.\"
+.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: July 23 2021 $
+.Dt X509_PURPOSE_SET 3
+.Os
+.Sh NAME
+.Nm X509_PURPOSE_set ,
+.Nm X509_PURPOSE_get_by_id ,
+.Nm X509_PURPOSE_add ,
+.Nm X509_PURPOSE_get_count ,
+.Nm X509_PURPOSE_cleanup ,
+.Nm X509_PURPOSE_get0 ,
+.Nm X509_PURPOSE_get_by_sname ,
+.Nm X509_PURPOSE_get_id ,
+.Nm X509_PURPOSE_get0_name ,
+.Nm X509_PURPOSE_get0_sname ,
+.Nm X509_PURPOSE_get_trust
+.Nd purpose objects, indices, and identifiers
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft int
+.Fo X509_PURPOSE_set
+.Fa "int *id_out"
+.Fa "int id_in"
+.Fc
+.Ft int
+.Fn X509_PURPOSE_get_by_id "int identifier"
+.Ft int
+.Fo X509_PURPOSE_add
+.Fa "int identifier"
+.Fa "int trust"
+.Fa "int flags"
+.Fa "int (*check_purpose)(const X509_PURPOSE *, const X509 *, int)"
+.Fa "const char *name"
+.Fa "const char *sname"
+.Fa "void *usr_data"
+.Fc
+.Ft int
+.Fn X509_PURPOSE_get_count void
+.Ft void
+.Fn X509_PURPOSE_cleanup void
+.Ft X509_PURPOSE *
+.Fn X509_PURPOSE_get0 "int index"
+.Ft int
+.Fn X509_PURPOSE_get_by_sname "const char *sname"
+.Ft int
+.Fn X509_PURPOSE_get_id "const X509_PURPOSE *object"
+.Ft char *
+.Fn X509_PURPOSE_get0_name "const X509_PURPOSE *object"
+.Ft char *
+.Fn X509_PURPOSE_get0_sname "const X509_PURPOSE *object"
+.Ft int
+.Fn X509_PURPOSE_get_trust "const X509_PURPOSE *object"
+.Sh DESCRIPTION
+The purposes that an X.509 certificate is intended to be used for
+can be identified in three equivalent ways:
+.Bl -enum
+.It
+By purpose identifiers, which are positive integer constants.
+Standard purpose identifiers lie in the range from
+.Dv X509_PURPOSE_MIN
+to
+.Dv X509_PURPOSE_MAX ,
+inclusive, and are listed in the
+.Xr X509_check_purpose 3
+manual page.
+User defined purpose identifiers are larger than
+.Dv X509_PURPOSE_MAX .
+.It
+By purpose indices, which are non-negative integer constants
+but differ from the purpose identifiers for the same purpose.
+Standard purpose indices are smaller than
+.Dv X509_PURPOSE_MAX .
+User defined purpose indices are larger than or equal to
+.Dv X509_PURPOSE_MAX .
+.It
+By purpose objects of the type
+.Vt X509_PURPOSE .
+Standard purpose objects are available in static storage.
+User defined purpose objects can be created with
+.Fn X509_PURPOSE_add .
+.El
+.Pp
+Application programmers cannot choose the way to identify purposes
+that they like best; depending on the circumstances, all three ways
+are needed.
+Be warned that the naming of most functions is misleading.
+.Pp
+Most API functions documented outside the present manual page
+use purpose identifiers rather than purpose indices.
+.Ss Using purpose identifiers
+.Fn X509_PURPOSE_set
+validates the purpose identifier
+.Fa id_in .
+If it is valid, it is copied to
+.Pf * Fa id_out .
+Otherwise,
+.Pf * Fa id_out
+remains unchanged.
+.Pp
+.Fn X509_PURPOSE_get_by_id
+converts the purpose
+.Fa identifier
+to the corresponding purpose index.
+To find the corresponding purpose object, pass the result to
+.Fn X509_PURPOSE_get0 .
+.Pp
+.Fn X509_PURPOSE_add
+defines a purpose with the given
+.Fa identifier
+or modifies its properties if it already exists.
+The purpose
+.Fa identifier ,
+the
+.Fa trust
+identifier, the
+.Fa flags ,
+the
+.Fa check_purpose
+function, the
+.Fa name ,
+the short name
+.Fa sname ,
+and the
+.Fa usr_data
+pointer are copied into the
+.Vt X509_PURPOSE
+object.
+When modifying an existing purpose object, previous values of fields are
+overwritten and previous
+.Fa name
+and
+.Fa sname
+strings are freed if they were dynamically allocated.
+When creating a new purpose object,
+it is added to the global array of user-defined purpose objects.
+.Pp
+.Dv X509_PURPOSE_DYNAMIC
+and
+.Dv X509_PURPOSE_DYNAMIC_NAME
+are always ignored in the
+.Fa flags
+argument.
+.Dv X509_PURPOSE_DYNAMIC
+is automatically set if the object was created by the user.
+It is never set for standard objects, not even if they were
+modified by the user.
+.Dv X509_PURPOSE_DYNAMIC_NAME
+is automatically set if the object was created or modified by the user.
+It is only unset for unmodified standard objects.
+The library does not appear to define any other flags, so the
+.Fa flags
+argument is probably useless unless users define their own flags
+and use them in the
+.Fa check_purpose
+function.
+.Pp
+The third and final argument of the
+.Fa check_purpose
+function is the
+.Fa ca
+argument documented in
+.Xr X509_check_purpose 3 .
+.Pp
+.Fn X509_PURPOSE_get_count
+returns the total number of purposes currently defined,
+including both standard and user-defined purposes.
+If no user-defined purposes exist, the returned value is
+.Dv X509_PURPOSE_MAX .
+.Pp
+.Fn X509_PURPOSE_cleanup
+deletes all user-defined purpose objects
+and invalidates their purpose identifiers and purpose indices.
+If any of the standard purpose objects were modified by the user,
+those changes are
+.Em not
+reverted.
+.Ss Using purpose indices
+.Fn X509_PURPOSE_get0
+converts the purpose
+.Fa index
+to a pointer to the corresponding purpose object.
+To find the corresponding purpose identifier, pass the result to
+.Fn X509_PURPOSE_get_id .
+.Pp
+.Fn X509_PURPOSE_get_by_sname
+returns the lowest index of a purpose with the given short name.
+.Ss Using purpose objects
+.Fn X509_PURPOSE_get_id
+converts a pointer to a purpose
+.Fa object
+to the corresponding purpose identifier.
+To find the corresponding purpose index, pass the result to
+.Fn X509_PURPOSE_get_by_id .
+.Pp
+.Fn X509_PURPOSE_get0_name ,
+.Fn X509_PURPOSE_get0_sname ,
+and
+.Fn X509_PURPOSE_get_trust
+retrieve the name, short name, and trust identifier from the
+.Fa object ,
+respectively.
+.Sh RETURN VALUES
+.Fn X509_PURPOSE_set
+returns 1 if
+.Fa id_in
+is valid or 0 otherwise.
+.Pp
+.Fn X509_PURPOSE_get_by_id
+and
+.Fn X509_PURPOSE_get_by_sname
+return the corresponding purpose index
+or \-1 if no matching purpose is found.
+.Pp
+.Fn X509_PURPOSE_add
+returns 1 for success or 0 for failure.
+.Pp
+.Fn X509_PURPOSE_get_count
+returns the total number of purposes currently defined.
+.Pp
+.Fn X509_PURPOSE_get0
+returns a standard or user-defined purpose object or
+.Dv NULL
+if the
+.Fa index
+is invalid.
+.Pp
+.Fn X509_PURPOSE_get_id
+always returns a valid purpose identifier.
+.Pp
+.Fn X509_PURPOSE_get0_name
+and
+.Fn X509_PURPOSE_get0_sname
+return pointers to storage owned by the
+.Fa object .
+.Pp
+.Fn X509_PURPOSE_get_trust
+returns the trust identifier associated with the
+.Fa object .
+.Sh ERRORS
+The following diagnostics can be retrieved with
+.Xr ERR_get_error 3 ,
+.Xr ERR_GET_REASON 3 ,
+and
+.Xr ERR_reason_error_string 3 :
+.Bl -tag -width Ds
+.It Dv X509V3_R_INVALID_PURPOSE Qq "invalid purpose"
+.Fn X509_PURPOSE_set
+was called with an invalid
+.Fa id_in
+argument.
+.It Dv X509V3_R_INVALID_NULL_ARGUMENT Qq "invalid null argument"
+.Fn X509_PURPOSE_add
+was called with a
+.Fa name
+or
+.Fa sname
+argument of
+.Dv NULL .
+.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
+.Fn X509_PURPOSE_add
+failed to allocate memory.
+.El
+.Pp
+The other functions provide no diagnostics.
+.Sh SEE ALSO
+.Xr X509_check_purpose 3 ,
+.Xr X509_new 3 ,
+.Xr X509_STORE_set_purpose 3 ,
+.Xr X509_VERIFY_PARAM_set_purpose 3
+.Sh HISTORY
+.Fn X509_PURPOSE_set
+first appeared in OpenSSL 0.9.7 and has been available since
+.Ox 3.2 .
+.Pp
+The other functions first appeared in OpenSSL 0.9.5
+and have been available since
+.Ox 2.7 .
+.Sh CAVEATS
+The difference between purpose identifiers and purpose indices provides
+an ideal breeding ground for off-by-one bugs.
diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3
index 8e98a62239..935b7eed86 100644
--- a/src/lib/libcrypto/man/X509_check_purpose.3
+++ b/src/lib/libcrypto/man/X509_check_purpose.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_purpose.3,v 1.2 2021/06/12 17:04:41 jmc Exp $
+.\" $OpenBSD: X509_check_purpose.3,v 1.3 2021/07/23 14:27:32 schwarze Exp $
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2021 $
+.Dd $Mdocdate: July 23 2021 $
 .Dt X509_CHECK_PURPOSE 3
 .Os
 .Sh NAME
@@ -370,6 +370,7 @@ can be used as a CA for the
 .Xr BASIC_CONSTRAINTS_new 3 ,
 .Xr EXTENDED_KEY_USAGE_new 3 ,
 .Xr X509_new 3 ,
+.Xr X509_PURPOSE_set 3 ,
 .Xr X509V3_get_d2i 3 ,
 .Xr x509v3.cnf 5
 .Sh STANDARDS
diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3
index 8a38cf5b72..ef99015ddb 100644
--- a/src/lib/libcrypto/man/X509_new.3
+++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_new.3,v 1.24 2021/07/12 15:56:54 schwarze Exp $
+.\" $OpenBSD: X509_new.3,v 1.25 2021/07/23 14:27:32 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 12 2021 $
+.Dd $Mdocdate: July 23 2021 $
 .Dt X509_NEW 3
 .Os
 .Sh NAME
@@ -194,6 +194,7 @@ if an error occurs.
 .Xr X509_NAME_new 3 ,
 .Xr X509_print_ex 3 ,
 .Xr X509_PUBKEY_new 3 ,
+.Xr X509_PURPOSE_set 3 ,
 .Xr X509_REQ_new 3 ,
 .Xr X509_SIG_new 3 ,
 .Xr X509_sign 3 ,

diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile index fd8655d5b6..300a37686a 100644 --- a/src/lib/libcrypto/man/Makefile +++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.184 2021/07/22 17:11:14 schwarze Exp $	1	# $OpenBSD: Makefile,v 1.185 2021/07/23 14:27:32 schwarze Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4		4
@@ -292,6 +292,7 @@ MAN= \
292	X509_NAME_print_ex.3 \	292	X509_NAME_print_ex.3 \
293	X509_OBJECT_get0_X509.3 \	293	X509_OBJECT_get0_X509.3 \
294	X509_PUBKEY_new.3 \	294	X509_PUBKEY_new.3 \
		295	X509_PURPOSE_set.3 \
295	X509_REQ_new.3 \	296	X509_REQ_new.3 \
296	X509_REVOKED_new.3 \	297	X509_REVOKED_new.3 \
297	X509_SIG_new.3 \	298	X509_SIG_new.3 \


diff --git a/src/lib/libcrypto/man/X509_PURPOSE_set.3 b/src/lib/libcrypto/man/X509_PURPOSE_set.3 new file mode 100644 index 0000000000..1f723e9b9f --- /dev/null +++ b/src/lib/libcrypto/man/X509_PURPOSE_set.3
@@ -0,0 +1,295 @@
		1	.\" $OpenBSD: X509_PURPOSE_set.3,v 1.1 2021/07/23 14:27:32 schwarze Exp $
		2	.\"
		3	.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
		4	.\"
		5	.\" Permission to use, copy, modify, and distribute this software for any
		6	.\" purpose with or without fee is hereby granted, provided that the above
		7	.\" copyright notice and this permission notice appear in all copies.
		8	.\"
		9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		16	.\"
		17	.Dd $Mdocdate: July 23 2021 $
		18	.Dt X509_PURPOSE_SET 3
		19	.Os
		20	.Sh NAME
		21	.Nm X509_PURPOSE_set ,
		22	.Nm X509_PURPOSE_get_by_id ,
		23	.Nm X509_PURPOSE_add ,
		24	.Nm X509_PURPOSE_get_count ,
		25	.Nm X509_PURPOSE_cleanup ,
		26	.Nm X509_PURPOSE_get0 ,
		27	.Nm X509_PURPOSE_get_by_sname ,
		28	.Nm X509_PURPOSE_get_id ,
		29	.Nm X509_PURPOSE_get0_name ,
		30	.Nm X509_PURPOSE_get0_sname ,
		31	.Nm X509_PURPOSE_get_trust
		32	.Nd purpose objects, indices, and identifiers
		33	.Sh SYNOPSIS
		34	.In openssl/x509v3.h
		35	.Ft int
		36	.Fo X509_PURPOSE_set
		37	.Fa "int *id_out"
		38	.Fa "int id_in"
		39	.Fc
		40	.Ft int
		41	.Fn X509_PURPOSE_get_by_id "int identifier"
		42	.Ft int
		43	.Fo X509_PURPOSE_add
		44	.Fa "int identifier"
		45	.Fa "int trust"
		46	.Fa "int flags"
		47	.Fa "int (check_purpose)(const X509_PURPOSE , const X509 *, int)"
		48	.Fa "const char *name"
		49	.Fa "const char *sname"
		50	.Fa "void *usr_data"
		51	.Fc
		52	.Ft int
		53	.Fn X509_PURPOSE_get_count void
		54	.Ft void
		55	.Fn X509_PURPOSE_cleanup void
		56	.Ft X509_PURPOSE *
		57	.Fn X509_PURPOSE_get0 "int index"
		58	.Ft int
		59	.Fn X509_PURPOSE_get_by_sname "const char *sname"
		60	.Ft int
		61	.Fn X509_PURPOSE_get_id "const X509_PURPOSE *object"
		62	.Ft char *
		63	.Fn X509_PURPOSE_get0_name "const X509_PURPOSE *object"
		64	.Ft char *
		65	.Fn X509_PURPOSE_get0_sname "const X509_PURPOSE *object"
		66	.Ft int
		67	.Fn X509_PURPOSE_get_trust "const X509_PURPOSE *object"
		68	.Sh DESCRIPTION
		69	The purposes that an X.509 certificate is intended to be used for
		70	can be identified in three equivalent ways:
		71	.Bl -enum
		72	.It
		73	By purpose identifiers, which are positive integer constants.
		74	Standard purpose identifiers lie in the range from
		75	.Dv X509_PURPOSE_MIN
		76	to
		77	.Dv X509_PURPOSE_MAX ,
		78	inclusive, and are listed in the
		79	.Xr X509_check_purpose 3
		80	manual page.
		81	User defined purpose identifiers are larger than
		82	.Dv X509_PURPOSE_MAX .
		83	.It
		84	By purpose indices, which are non-negative integer constants
		85	but differ from the purpose identifiers for the same purpose.
		86	Standard purpose indices are smaller than
		87	.Dv X509_PURPOSE_MAX .
		88	User defined purpose indices are larger than or equal to
		89	.Dv X509_PURPOSE_MAX .
		90	.It
		91	By purpose objects of the type
		92	.Vt X509_PURPOSE .
		93	Standard purpose objects are available in static storage.
		94	User defined purpose objects can be created with
		95	.Fn X509_PURPOSE_add .
		96	.El
		97	.Pp
		98	Application programmers cannot choose the way to identify purposes
		99	that they like best; depending on the circumstances, all three ways
		100	are needed.
		101	Be warned that the naming of most functions is misleading.
		102	.Pp
		103	Most API functions documented outside the present manual page
		104	use purpose identifiers rather than purpose indices.
		105	.Ss Using purpose identifiers
		106	.Fn X509_PURPOSE_set
		107	validates the purpose identifier
		108	.Fa id_in .
		109	If it is valid, it is copied to
		110	.Pf * Fa id_out .
		111	Otherwise,
		112	.Pf * Fa id_out
		113	remains unchanged.
		114	.Pp
		115	.Fn X509_PURPOSE_get_by_id
		116	converts the purpose
		117	.Fa identifier
		118	to the corresponding purpose index.
		119	To find the corresponding purpose object, pass the result to
		120	.Fn X509_PURPOSE_get0 .
		121	.Pp
		122	.Fn X509_PURPOSE_add
		123	defines a purpose with the given
		124	.Fa identifier
		125	or modifies its properties if it already exists.
		126	The purpose
		127	.Fa identifier ,
		128	the
		129	.Fa trust
		130	identifier, the
		131	.Fa flags ,
		132	the
		133	.Fa check_purpose
		134	function, the
		135	.Fa name ,
		136	the short name
		137	.Fa sname ,
		138	and the
		139	.Fa usr_data
		140	pointer are copied into the
		141	.Vt X509_PURPOSE
		142	object.
		143	When modifying an existing purpose object, previous values of fields are
		144	overwritten and previous
		145	.Fa name
		146	and
		147	.Fa sname
		148	strings are freed if they were dynamically allocated.
		149	When creating a new purpose object,
		150	it is added to the global array of user-defined purpose objects.
		151	.Pp
		152	.Dv X509_PURPOSE_DYNAMIC
		153	and
		154	.Dv X509_PURPOSE_DYNAMIC_NAME
		155	are always ignored in the
		156	.Fa flags
		157	argument.
		158	.Dv X509_PURPOSE_DYNAMIC
		159	is automatically set if the object was created by the user.
		160	It is never set for standard objects, not even if they were
		161	modified by the user.
		162	.Dv X509_PURPOSE_DYNAMIC_NAME
		163	is automatically set if the object was created or modified by the user.
		164	It is only unset for unmodified standard objects.
		165	The library does not appear to define any other flags, so the
		166	.Fa flags
		167	argument is probably useless unless users define their own flags
		168	and use them in the
		169	.Fa check_purpose
		170	function.
		171	.Pp
		172	The third and final argument of the
		173	.Fa check_purpose
		174	function is the
		175	.Fa ca
		176	argument documented in
		177	.Xr X509_check_purpose 3 .
		178	.Pp
		179	.Fn X509_PURPOSE_get_count
		180	returns the total number of purposes currently defined,
		181	including both standard and user-defined purposes.
		182	If no user-defined purposes exist, the returned value is
		183	.Dv X509_PURPOSE_MAX .
		184	.Pp
		185	.Fn X509_PURPOSE_cleanup
		186	deletes all user-defined purpose objects
		187	and invalidates their purpose identifiers and purpose indices.
		188	If any of the standard purpose objects were modified by the user,
		189	those changes are
		190	.Em not
		191	reverted.
		192	.Ss Using purpose indices
		193	.Fn X509_PURPOSE_get0
		194	converts the purpose
		195	.Fa index
		196	to a pointer to the corresponding purpose object.
		197	To find the corresponding purpose identifier, pass the result to
		198	.Fn X509_PURPOSE_get_id .
		199	.Pp
		200	.Fn X509_PURPOSE_get_by_sname
		201	returns the lowest index of a purpose with the given short name.
		202	.Ss Using purpose objects
		203	.Fn X509_PURPOSE_get_id
		204	converts a pointer to a purpose
		205	.Fa object
		206	to the corresponding purpose identifier.
		207	To find the corresponding purpose index, pass the result to
		208	.Fn X509_PURPOSE_get_by_id .
		209	.Pp
		210	.Fn X509_PURPOSE_get0_name ,
		211	.Fn X509_PURPOSE_get0_sname ,
		212	and
		213	.Fn X509_PURPOSE_get_trust
		214	retrieve the name, short name, and trust identifier from the
		215	.Fa object ,
		216	respectively.
		217	.Sh RETURN VALUES
		218	.Fn X509_PURPOSE_set
		219	returns 1 if
		220	.Fa id_in
		221	is valid or 0 otherwise.
		222	.Pp
		223	.Fn X509_PURPOSE_get_by_id
		224	and
		225	.Fn X509_PURPOSE_get_by_sname
		226	return the corresponding purpose index
		227	or \-1 if no matching purpose is found.
		228	.Pp
		229	.Fn X509_PURPOSE_add
		230	returns 1 for success or 0 for failure.
		231	.Pp
		232	.Fn X509_PURPOSE_get_count
		233	returns the total number of purposes currently defined.
		234	.Pp
		235	.Fn X509_PURPOSE_get0
		236	returns a standard or user-defined purpose object or
		237	.Dv NULL
		238	if the
		239	.Fa index
		240	is invalid.
		241	.Pp
		242	.Fn X509_PURPOSE_get_id
		243	always returns a valid purpose identifier.
		244	.Pp
		245	.Fn X509_PURPOSE_get0_name
		246	and
		247	.Fn X509_PURPOSE_get0_sname
		248	return pointers to storage owned by the
		249	.Fa object .
		250	.Pp
		251	.Fn X509_PURPOSE_get_trust
		252	returns the trust identifier associated with the
		253	.Fa object .
		254	.Sh ERRORS
		255	The following diagnostics can be retrieved with
		256	.Xr ERR_get_error 3 ,
		257	.Xr ERR_GET_REASON 3 ,
		258	and
		259	.Xr ERR_reason_error_string 3 :
		260	.Bl -tag -width Ds
		261	.It Dv X509V3_R_INVALID_PURPOSE Qq "invalid purpose"
		262	.Fn X509_PURPOSE_set
		263	was called with an invalid
		264	.Fa id_in
		265	argument.
		266	.It Dv X509V3_R_INVALID_NULL_ARGUMENT Qq "invalid null argument"
		267	.Fn X509_PURPOSE_add
		268	was called with a
		269	.Fa name
		270	or
		271	.Fa sname
		272	argument of
		273	.Dv NULL .
		274	.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
		275	.Fn X509_PURPOSE_add
		276	failed to allocate memory.
		277	.El
		278	.Pp
		279	The other functions provide no diagnostics.
		280	.Sh SEE ALSO
		281	.Xr X509_check_purpose 3 ,
		282	.Xr X509_new 3 ,
		283	.Xr X509_STORE_set_purpose 3 ,
		284	.Xr X509_VERIFY_PARAM_set_purpose 3
		285	.Sh HISTORY
		286	.Fn X509_PURPOSE_set
		287	first appeared in OpenSSL 0.9.7 and has been available since
		288	.Ox 3.2 .
		289	.Pp
		290	The other functions first appeared in OpenSSL 0.9.5
		291	and have been available since
		292	.Ox 2.7 .
		293	.Sh CAVEATS
		294	The difference between purpose identifiers and purpose indices provides
		295	an ideal breeding ground for off-by-one bugs.


diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3 index 8e98a62239..935b7eed86 100644 --- a/src/lib/libcrypto/man/X509_check_purpose.3 +++ b/src/lib/libcrypto/man/X509_check_purpose.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_check_purpose.3,v 1.2 2021/06/12 17:04:41 jmc Exp $	1	.\" $OpenBSD: X509_check_purpose.3,v 1.3 2021/07/23 14:27:32 schwarze Exp $
2	.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>	2	.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
3	.\"	3	.\"
4	.\" Permission to use, copy, modify, and distribute this software for any	4	.\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
13	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF	13	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	14	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15	.\"	15	.\"
16	.Dd $Mdocdate: June 12 2021 $	16	.Dd $Mdocdate: July 23 2021 $
17	.Dt X509_CHECK_PURPOSE 3	17	.Dt X509_CHECK_PURPOSE 3
18	.Os	18	.Os
19	.Sh NAME	19	.Sh NAME
@@ -370,6 +370,7 @@ can be used as a CA for the
370	.Xr BASIC_CONSTRAINTS_new 3 ,	370	.Xr BASIC_CONSTRAINTS_new 3 ,
371	.Xr EXTENDED_KEY_USAGE_new 3 ,	371	.Xr EXTENDED_KEY_USAGE_new 3 ,
372	.Xr X509_new 3 ,	372	.Xr X509_new 3 ,
		373	.Xr X509_PURPOSE_set 3 ,
373	.Xr X509V3_get_d2i 3 ,	374	.Xr X509V3_get_d2i 3 ,
374	.Xr x509v3.cnf 5	375	.Xr x509v3.cnf 5
375	.Sh STANDARDS	376	.Sh STANDARDS


diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3 index 8a38cf5b72..ef99015ddb 100644 --- a/src/lib/libcrypto/man/X509_new.3 +++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_new.3,v 1.24 2021/07/12 15:56:54 schwarze Exp $	1	.\" $OpenBSD: X509_new.3,v 1.25 2021/07/23 14:27:32 schwarze Exp $
2	.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400	2	.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
3	.\"	3	.\"
4	.\" This file is a derived work.	4	.\" This file is a derived work.
@@ -66,7 +66,7 @@
66	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	66	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
67	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	67	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
68	.\"	68	.\"
69	.Dd $Mdocdate: July 12 2021 $	69	.Dd $Mdocdate: July 23 2021 $
70	.Dt X509_NEW 3	70	.Dt X509_NEW 3
71	.Os	71	.Os
72	.Sh NAME	72	.Sh NAME
@@ -194,6 +194,7 @@ if an error occurs.
194	.Xr X509_NAME_new 3 ,	194	.Xr X509_NAME_new 3 ,
195	.Xr X509_print_ex 3 ,	195	.Xr X509_print_ex 3 ,
196	.Xr X509_PUBKEY_new 3 ,	196	.Xr X509_PUBKEY_new 3 ,
		197	.Xr X509_PURPOSE_set 3 ,
197	.Xr X509_REQ_new 3 ,	198	.Xr X509_REQ_new 3 ,
198	.Xr X509_SIG_new 3 ,	199	.Xr X509_SIG_new 3 ,
199	.Xr X509_sign 3 ,	200	.Xr X509_sign 3 ,