5 files changed, 264 insertions, 17 deletions
diff --git a/src/lib/libssl/man/Makefile b/src/lib/libssl/man/Makefile
index 375e5fba2b..4c3157bd95 100644
--- a/src/lib/libssl/man/Makefile
+++ b/src/lib/libssl/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.65 2018/03/17 18:52:42 schwarze Exp $
+# $OpenBSD: Makefile,v 1.66 2019/04/05 18:29:43 schwarze Exp $
 .include <bsd.own.mk>
@@ -8,6 +8,7 @@ MAN =	BIO_f_ssl.3 \
        PEM_read_SSL_SESSION.3 \
        SSL_CIPHER_get_name.3 \
        SSL_COMP_add_compression_method.3 \
+        SSL_CTX_add1_chain_cert.3 \
        SSL_CTX_add_extra_chain_cert.3 \
        SSL_CTX_add_session.3 \
        SSL_CTX_ctrl.3 \
diff --git a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
new file mode 100644
index 0000000000..1f60bad142
--- /dev/null
+++ b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
@@ -0,0 +1,222 @@
+.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.1 2019/04/05 18:29:43 schwarze Exp $
+.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>
+.\" and Rob Stradling <rob.stradling@comodo.com>.
+.\" Copyright (c) 2013 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: April 5 2019 $
+.Dt SSL_CTX_ADD1_CHAIN_CERT 3
+.Os
+.Sh NAME
+.Nm SSL_CTX_set0_chain ,
+.Nm SSL_CTX_set1_chain ,
+.Nm SSL_CTX_add0_chain_cert ,
+.Nm SSL_CTX_add1_chain_cert ,
+.Nm SSL_CTX_get0_chain_certs ,
+.Nm SSL_CTX_clear_chain_certs ,
+.Nm SSL_set0_chain ,
+.Nm SSL_set1_chain ,
+.Nm SSL_add0_chain_cert ,
+.Nm SSL_add1_chain_cert ,
+.Nm SSL_get0_chain_certs ,
+.Nm SSL_clear_chain_certs
+.Nd extra chain certificate processing
+.Sh SYNOPSIS
+.In openssl/ssl.h
+.Ft int
+.Fo SSL_CTX_set0_chain
+.Fa "SSL_CTX *ctx"
+.Fa "STACK_OF(X509) *chain"
+.Fc
+.Ft int
+.Fo SSL_CTX_set1_chain
+.Fa "SSL_CTX *ctx"
+.Fa "STACK_OF(X509) *chain"
+.Fc
+.Ft int
+.Fo SSL_CTX_add0_chain_cert
+.Fa "SSL_CTX *ctx"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo SSL_CTX_add1_chain_cert
+.Fa "SSL_CTX *ctx"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo SSL_CTX_get0_chain_certs
+.Fa "SSL_CTX *ctx"
+.Fa "STACK_OF(X509) **chain"
+.Fc
+.Ft int
+.Fo SSL_CTX_clear_chain_certs
+.Fa "SSL_CTX *ctx"
+.Fc
+.Ft int
+.Fo SSL_set0_chain
+.Fa "SSL *ssl"
+.Fa "STACK_OF(X509) *chain"
+.Fc
+.Ft int
+.Fo SSL_set1_chain
+.Fa "SSL *ssl"
+.Fa "STACK_OF(X509) *chain"
+.Fc
+.Ft int
+.Fo SSL_add0_chain_cert
+.Fa "SSL *ssl"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo SSL_add1_chain_cert
+.Fa "SSL *ssl"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo SSL_get0_chain_certs
+.Fa "SSL *ssl"
+.Fa "STACK_OF(X509) **chain"
+.Fc
+.Ft int
+.Fo SSL_clear_chain_certs
+.Fa "SSL *ssl"
+.Fc
+.Sh DESCRIPTION
+.Fn SSL_CTX_set0_chain
+and
+.Fn SSL_CTX_set1_chain
+set the certificate chain associated with the current certificate of
+.Fa ctx
+to
+.Fa chain .
+The
+.Fa chain
+is not supposed to include the current certificate itself.
+.Pp
+.Fn SSL_CTX_add0_chain_cert
+and
+.Fn SSL_CTX_add1_chain_cert
+append the single certificate
+.Fa cert
+to the chain associated with the current certificate of
+.Fa ctx .
+.Pp
+.Fn SSL_CTX_get0_chain_certs
+retrieves the chain associated with the current certificate of
+.Fa ctx .
+.Pp
+.Fn SSL_CTX_clear_chain_certs
+clears the existing chain associated with the current certificate of
+.Fa ctx ,
+if any.
+This is equivalent to calling
+.Fn SSL_CTX_set0_chain
+with
+.Fa chain
+set to
+.Dv NULL .
+.Pp
+Each of these functions operates on the
+.Em current
+end entity (i.e. server or client) certificate.
+This is the last certificate loaded or selected on the corresponding
+.Fa ctx
+structure, for example using
+.Xr SSL_CTX_use_certificate 3 .
+.Pp
+.Fn SSL_set0_chain ,
+.Fn SSL_set1_chain ,
+.Fn SSL_add0_chain_cert ,
+.Fn SSL_add1_chain_cert ,
+.Fn SSL_get0_chain_certs ,
+and
+.Fn SSL_clear_chain_certs
+are similar except that they operate on the
+.Fa ssl
+connection.
+.Pp
+The functions containing a
+.Sy 1
+in their name increment the reference count of the supplied certificate
+or chain, so it must be freed at some point after the operation.
+Those containing a
+.Sy 0
+do not increment reference counts and the supplied certificate or chain
+must not be freed after the operation.
+.Pp
+The chains associated with an
+.Vt SSL_CTX
+structure are copied to the new
+.Vt SSL
+structure when
+.Xr SSL_new 3
+is called.
+Existing
+.Vt SSL
+structures are not affected by any chains subsequently changed
+in the parent
+.Vt SSL_CTX .
+.Pp
+One chain can be set for each key type supported by a server.
+So, for example, an RSA and a DSA certificate can (and often will) have
+different chains.
+.Pp
+If any certificates are added using these functions, no certificates
+added using
+.Xr SSL_CTX_add_extra_chain_cert 3
+will be used.
+.Sh RETURN VALUES
+These functions return 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr ssl 3 ,
+.Xr SSL_CTX_add_extra_chain_cert 3 ,
+.Xr SSL_CTX_use_certificate 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 1.0.2
+and have been available since
+.Ox 6.5 .
diff --git a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
index 1feee4265c..a6d869b335 100644
--- a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
+++ b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
@@ -1,5 +1,5 @@
-.\"     $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.5 2018/03/23 05:50:30 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.6 2019/04/05 18:29:43 schwarze Exp $
-.\"     OpenSSL f0d6ee6be Feb 15 07:41:42 2002 +0000
+.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
 .\" Dr. Stephen Henson <steve@openssl.org>.
@@ -50,18 +50,21 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: April 5 2019 $
 .Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_add_extra_chain_cert ,
+.Nm SSL_CTX_get_extra_chain_certs ,
 .Nm SSL_CTX_clear_extra_chain_certs
-.Nd add or clear extra chain certificates
+.Nd add, retrieve, and clear extra chain certificates
 .Sh SYNOPSIS
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_add_extra_chain_cert "SSL_CTX *ctx" "X509 *x509"
 .Ft long
+.Fn SSL_CTX_get_extra_chain_certs "SSL_CTX *ctx" "STACK_OF(X509) **certs"
+.Ft long
 .Fn SSL_CTX_clear_extra_chain_certs "SSL_CTX *ctx"
 .Sh DESCRIPTION
 .Fn SSL_CTX_add_extra_chain_cert
@@ -71,6 +74,11 @@ to the extra chain certificates associated with
 .Fa ctx .
 Several certificates can be added one after another.
 .Pp
+.Fn SSL_CTX_get_extra_chain_certs
+retrieves an internal pointer to the stack of extra chain certificates
+associated with
+.Fa ctx .
+.Pp
 .Fn SSL_CTX_clear_extra_chain_certs
 clears all extra chain certificates associated with
 .Fa ctx .
@@ -91,14 +99,16 @@ will be freed by the library when the
 is destroyed.
 An application should not free the
 .Fa x509
-object.
+object, nor the
+.Pf * Fa certs
+object retrieved by
+.Fn SSL_CTX_get_extra_chain_certs .
 .Sh RETURN VALUES
-.Fn SSL_CTX_add_extra_chain_cert
+These functions return 1 on success or 0 for failure.
-and
-.Fn SSL_CTX_clear_extra_chain_certs
-return 1 on success or 0 for failure.
 Check out the error stack to find out the reason for failure.
 .Sh SEE ALSO
+.Xr ssl 3 ,
+.Xr SSL_CTX_add1_chain_cert 3 ,
 .Xr SSL_CTX_ctrl 3 ,
 .Xr SSL_CTX_load_verify_locations 3 ,
 .Xr SSL_CTX_set_client_cert_cb 3 ,
@@ -108,15 +118,26 @@ Check out the error stack to find out the reason for failure.
 first appeared in SSLeay 0.9.1 and has been available since
 .Ox 2.6 .
 .Pp
+.Fn SSL_CTX_get_extra_chain_certs
+and
 .Fn SSL_CTX_clear_extra_chain_certs
-first appeared in OpenSSL 1.0.1 and has been available since
+first appeared in OpenSSL 1.0.1 and have been available since
 .Ox 5.3 .
 .Sh CAVEATS
+Certificates added with
+.Fn SSL_CTX_add_extra_chain_cert
+are ignored when certificates are also available that have been
+added using the functions documented in
+.Xr SSL_CTX_set1_chain 3 .
+.Pp
 Only one set of extra chain certificates can be specified per
 .Vt SSL_CTX
-structure.
+structure using
+.Fn SSL_CTX_add_extra_chain_cert .
 Different chains for different certificates (for example if both
 RSA and DSA certificates are specified by the same server) or
 different SSL structures with the same parent
 .Vt SSL_CTX
-cannot be specified using this function.
+require using the functions documented in
+.Xr SSL_CTX_set1_chain 3
+instead.
diff --git a/src/lib/libssl/man/SSL_CTX_use_certificate.3 b/src/lib/libssl/man/SSL_CTX_use_certificate.3
index b1b7df5a9a..900a42da7d 100644
--- a/src/lib/libssl/man/SSL_CTX_use_certificate.3
+++ b/src/lib/libssl/man/SSL_CTX_use_certificate.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_use_certificate.3,v 1.9 2018/04/25 13:51:34 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_use_certificate.3,v 1.10 2019/04/05 18:29:43 schwarze Exp $
 .\"     OpenSSL e248596b Apr 8 22:49:57 2005 +0000
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2018 $
+.Dd $Mdocdate: April 5 2019 $
 .Dt SSL_CTX_USE_CERTIFICATE 3
 .Os
 .Sh NAME
@@ -384,6 +384,7 @@ Otherwise check out the error stack to find out the reason.
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_clear 3 ,
+.Xr SSL_CTX_add1_chain_cert 3 ,
 .Xr SSL_CTX_add_extra_chain_cert 3 ,
 .Xr SSL_CTX_load_verify_locations 3 ,
 .Xr SSL_CTX_set_cipher_list 3 ,
diff --git a/src/lib/libssl/man/ssl.3 b/src/lib/libssl/man/ssl.3
index 23f2f21b54..4877342ba1 100644
--- a/src/lib/libssl/man/ssl.3
+++ b/src/lib/libssl/man/ssl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssl.3,v 1.14 2018/03/17 18:19:49 schwarze Exp $
+.\" $OpenBSD: ssl.3,v 1.15 2019/04/05 18:29:43 schwarze Exp $
 .\" full merge up to: OpenSSL e330f55d Nov 11 00:51:04 2016 +0100
 .\" selective merge up to: OpenSSL cbade361 Dec 12 13:14:45 2017 +0100
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 17 2018 $
+.Dd $Mdocdate: April 5 2019 $
 .Dt SSL 3
 .Os
 .Sh NAME
@@ -200,6 +200,8 @@ Constructors and destructors:
 .Xr SSL_CTX_free 3
 .Pp
 Configuration functions:
+.Xr SSL_CTX_add1_chain_cert 3 ,
+.Xr SSL_CTX_add_extra_chain_cert 3 ,
 .Xr SSL_CTX_ctrl 3 ,
 .Xr SSL_CTX_flush_sessions 3 ,
 .Xr SSL_CTX_get_verify_mode 3 ,

diff --git a/src/lib/libssl/man/Makefile b/src/lib/libssl/man/Makefile index 375e5fba2b..4c3157bd95 100644 --- a/src/lib/libssl/man/Makefile +++ b/src/lib/libssl/man/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.65 2018/03/17 18:52:42 schwarze Exp $	1	# $OpenBSD: Makefile,v 1.66 2019/04/05 18:29:43 schwarze Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4		4
@@ -8,6 +8,7 @@ MAN = BIO_f_ssl.3 \
8	PEM_read_SSL_SESSION.3 \	8	PEM_read_SSL_SESSION.3 \
9	SSL_CIPHER_get_name.3 \	9	SSL_CIPHER_get_name.3 \
10	SSL_COMP_add_compression_method.3 \	10	SSL_COMP_add_compression_method.3 \
		11	SSL_CTX_add1_chain_cert.3 \
11	SSL_CTX_add_extra_chain_cert.3 \	12	SSL_CTX_add_extra_chain_cert.3 \
12	SSL_CTX_add_session.3 \	13	SSL_CTX_add_session.3 \
13	SSL_CTX_ctrl.3 \	14	SSL_CTX_ctrl.3 \


diff --git a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 new file mode 100644 index 0000000000..1f60bad142 --- /dev/null +++ b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
@@ -0,0 +1,222 @@
		1	.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.1 2019/04/05 18:29:43 schwarze Exp $
		2	.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
		3	.\"
		4	.\" This file was written by Dr. Stephen Henson <steve@openssl.org>
		5	.\" and Rob Stradling <rob.stradling@comodo.com>.
		6	.\" Copyright (c) 2013 The OpenSSL Project. All rights reserved.
		7	.\"
		8	.\" Redistribution and use in source and binary forms, with or without
		9	.\" modification, are permitted provided that the following conditions
		10	.\" are met:
		11	.\"
		12	.\" 1. Redistributions of source code must retain the above copyright
		13	.\" notice, this list of conditions and the following disclaimer.
		14	.\"
		15	.\" 2. Redistributions in binary form must reproduce the above copyright
		16	.\" notice, this list of conditions and the following disclaimer in
		17	.\" the documentation and/or other materials provided with the
		18	.\" distribution.
		19	.\"
		20	.\" 3. All advertising materials mentioning features or use of this
		21	.\" software must display the following acknowledgment:
		22	.\" "This product includes software developed by the OpenSSL Project
		23	.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
		24	.\"
		25	.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
		26	.\" endorse or promote products derived from this software without
		27	.\" prior written permission. For written permission, please contact
		28	.\" openssl-core@openssl.org.
		29	.\"
		30	.\" 5. Products derived from this software may not be called "OpenSSL"
		31	.\" nor may "OpenSSL" appear in their names without prior written
		32	.\" permission of the OpenSSL Project.
		33	.\"
		34	.\" 6. Redistributions of any form whatsoever must retain the following
		35	.\" acknowledgment:
		36	.\" "This product includes software developed by the OpenSSL Project
		37	.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
		38	.\"
		39	.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
		40	.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
		41	.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
		42	.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
		43	.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
		44	.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		45	.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
		46	.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
		47	.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
		48	.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
		49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
		50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
		51	.\"
		52	.Dd $Mdocdate: April 5 2019 $
		53	.Dt SSL_CTX_ADD1_CHAIN_CERT 3
		54	.Os
		55	.Sh NAME
		56	.Nm SSL_CTX_set0_chain ,
		57	.Nm SSL_CTX_set1_chain ,
		58	.Nm SSL_CTX_add0_chain_cert ,
		59	.Nm SSL_CTX_add1_chain_cert ,
		60	.Nm SSL_CTX_get0_chain_certs ,
		61	.Nm SSL_CTX_clear_chain_certs ,
		62	.Nm SSL_set0_chain ,
		63	.Nm SSL_set1_chain ,
		64	.Nm SSL_add0_chain_cert ,
		65	.Nm SSL_add1_chain_cert ,
		66	.Nm SSL_get0_chain_certs ,
		67	.Nm SSL_clear_chain_certs
		68	.Nd extra chain certificate processing
		69	.Sh SYNOPSIS
		70	.In openssl/ssl.h
		71	.Ft int
		72	.Fo SSL_CTX_set0_chain
		73	.Fa "SSL_CTX *ctx"
		74	.Fa "STACK_OF(X509) *chain"
		75	.Fc
		76	.Ft int
		77	.Fo SSL_CTX_set1_chain
		78	.Fa "SSL_CTX *ctx"
		79	.Fa "STACK_OF(X509) *chain"
		80	.Fc
		81	.Ft int
		82	.Fo SSL_CTX_add0_chain_cert
		83	.Fa "SSL_CTX *ctx"
		84	.Fa "X509 *cert"
		85	.Fc
		86	.Ft int
		87	.Fo SSL_CTX_add1_chain_cert
		88	.Fa "SSL_CTX *ctx"
		89	.Fa "X509 *cert"
		90	.Fc
		91	.Ft int
		92	.Fo SSL_CTX_get0_chain_certs
		93	.Fa "SSL_CTX *ctx"
		94	.Fa "STACK_OF(X509) **chain"
		95	.Fc
		96	.Ft int
		97	.Fo SSL_CTX_clear_chain_certs
		98	.Fa "SSL_CTX *ctx"
		99	.Fc
		100	.Ft int
		101	.Fo SSL_set0_chain
		102	.Fa "SSL *ssl"
		103	.Fa "STACK_OF(X509) *chain"
		104	.Fc
		105	.Ft int
		106	.Fo SSL_set1_chain
		107	.Fa "SSL *ssl"
		108	.Fa "STACK_OF(X509) *chain"
		109	.Fc
		110	.Ft int
		111	.Fo SSL_add0_chain_cert
		112	.Fa "SSL *ssl"
		113	.Fa "X509 *cert"
		114	.Fc
		115	.Ft int
		116	.Fo SSL_add1_chain_cert
		117	.Fa "SSL *ssl"
		118	.Fa "X509 *cert"
		119	.Fc
		120	.Ft int
		121	.Fo SSL_get0_chain_certs
		122	.Fa "SSL *ssl"
		123	.Fa "STACK_OF(X509) **chain"
		124	.Fc
		125	.Ft int
		126	.Fo SSL_clear_chain_certs
		127	.Fa "SSL *ssl"
		128	.Fc
		129	.Sh DESCRIPTION
		130	.Fn SSL_CTX_set0_chain
		131	and
		132	.Fn SSL_CTX_set1_chain
		133	set the certificate chain associated with the current certificate of
		134	.Fa ctx
		135	to
		136	.Fa chain .
		137	The
		138	.Fa chain
		139	is not supposed to include the current certificate itself.
		140	.Pp
		141	.Fn SSL_CTX_add0_chain_cert
		142	and
		143	.Fn SSL_CTX_add1_chain_cert
		144	append the single certificate
		145	.Fa cert
		146	to the chain associated with the current certificate of
		147	.Fa ctx .
		148	.Pp
		149	.Fn SSL_CTX_get0_chain_certs
		150	retrieves the chain associated with the current certificate of
		151	.Fa ctx .
		152	.Pp
		153	.Fn SSL_CTX_clear_chain_certs
		154	clears the existing chain associated with the current certificate of
		155	.Fa ctx ,
		156	if any.
		157	This is equivalent to calling
		158	.Fn SSL_CTX_set0_chain
		159	with
		160	.Fa chain
		161	set to
		162	.Dv NULL .
		163	.Pp
		164	Each of these functions operates on the
		165	.Em current
		166	end entity (i.e. server or client) certificate.
		167	This is the last certificate loaded or selected on the corresponding
		168	.Fa ctx
		169	structure, for example using
		170	.Xr SSL_CTX_use_certificate 3 .
		171	.Pp
		172	.Fn SSL_set0_chain ,
		173	.Fn SSL_set1_chain ,
		174	.Fn SSL_add0_chain_cert ,
		175	.Fn SSL_add1_chain_cert ,
		176	.Fn SSL_get0_chain_certs ,
		177	and
		178	.Fn SSL_clear_chain_certs
		179	are similar except that they operate on the
		180	.Fa ssl
		181	connection.
		182	.Pp
		183	The functions containing a
		184	.Sy 1
		185	in their name increment the reference count of the supplied certificate
		186	or chain, so it must be freed at some point after the operation.
		187	Those containing a
		188	.Sy 0
		189	do not increment reference counts and the supplied certificate or chain
		190	must not be freed after the operation.
		191	.Pp
		192	The chains associated with an
		193	.Vt SSL_CTX
		194	structure are copied to the new
		195	.Vt SSL
		196	structure when
		197	.Xr SSL_new 3
		198	is called.
		199	Existing
		200	.Vt SSL
		201	structures are not affected by any chains subsequently changed
		202	in the parent
		203	.Vt SSL_CTX .
		204	.Pp
		205	One chain can be set for each key type supported by a server.
		206	So, for example, an RSA and a DSA certificate can (and often will) have
		207	different chains.
		208	.Pp
		209	If any certificates are added using these functions, no certificates
		210	added using
		211	.Xr SSL_CTX_add_extra_chain_cert 3
		212	will be used.
		213	.Sh RETURN VALUES
		214	These functions return 1 for success or 0 for failure.
		215	.Sh SEE ALSO
		216	.Xr ssl 3 ,
		217	.Xr SSL_CTX_add_extra_chain_cert 3 ,
		218	.Xr SSL_CTX_use_certificate 3
		219	.Sh HISTORY
		220	These functions first appeared in OpenSSL 1.0.2
		221	and have been available since
		222	.Ox 6.5 .


diff --git a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 index 1feee4265c..a6d869b335 100644 --- a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 +++ b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
@@ -1,5 +1,5 @@
1	.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.5 2018/03/23 05:50:30 schwarze Exp $	1	.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.6 2019/04/05 18:29:43 schwarze Exp $
2	.\" OpenSSL f0d6ee6be Feb 15 07:41:42 2002 +0000	2	.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
3	.\"	3	.\"
4	.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and	4	.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
5	.\" Dr. Stephen Henson <steve@openssl.org>.	5	.\" Dr. Stephen Henson <steve@openssl.org>.
@@ -50,18 +50,21 @@
50	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	50	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	51	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
52	.\"	52	.\"
53	.Dd $Mdocdate: March 23 2018 $	53	.Dd $Mdocdate: April 5 2019 $
54	.Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3	54	.Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
55	.Os	55	.Os
56	.Sh NAME	56	.Sh NAME
57	.Nm SSL_CTX_add_extra_chain_cert ,	57	.Nm SSL_CTX_add_extra_chain_cert ,
		58	.Nm SSL_CTX_get_extra_chain_certs ,
58	.Nm SSL_CTX_clear_extra_chain_certs	59	.Nm SSL_CTX_clear_extra_chain_certs
59	.Nd add or clear extra chain certificates	60	.Nd add, retrieve, and clear extra chain certificates
60	.Sh SYNOPSIS	61	.Sh SYNOPSIS
61	.In openssl/ssl.h	62	.In openssl/ssl.h
62	.Ft long	63	.Ft long
63	.Fn SSL_CTX_add_extra_chain_cert "SSL_CTX ctx" "X509 x509"	64	.Fn SSL_CTX_add_extra_chain_cert "SSL_CTX ctx" "X509 x509"
64	.Ft long	65	.Ft long
		66	.Fn SSL_CTX_get_extra_chain_certs "SSL_CTX ctx" "STACK_OF(X509) *certs"
		67	.Ft long
65	.Fn SSL_CTX_clear_extra_chain_certs "SSL_CTX *ctx"	68	.Fn SSL_CTX_clear_extra_chain_certs "SSL_CTX *ctx"
66	.Sh DESCRIPTION	69	.Sh DESCRIPTION
67	.Fn SSL_CTX_add_extra_chain_cert	70	.Fn SSL_CTX_add_extra_chain_cert
@@ -71,6 +74,11 @@ to the extra chain certificates associated with
71	.Fa ctx .	74	.Fa ctx .
72	Several certificates can be added one after another.	75	Several certificates can be added one after another.
73	.Pp	76	.Pp
		77	.Fn SSL_CTX_get_extra_chain_certs
		78	retrieves an internal pointer to the stack of extra chain certificates
		79	associated with
		80	.Fa ctx .
		81	.Pp
74	.Fn SSL_CTX_clear_extra_chain_certs	82	.Fn SSL_CTX_clear_extra_chain_certs
75	clears all extra chain certificates associated with	83	clears all extra chain certificates associated with
76	.Fa ctx .	84	.Fa ctx .
@@ -91,14 +99,16 @@ will be freed by the library when the
91	is destroyed.	99	is destroyed.
92	An application should not free the	100	An application should not free the
93	.Fa x509	101	.Fa x509
94	object.	102	object, nor the
		103	.Pf * Fa certs
		104	object retrieved by
		105	.Fn SSL_CTX_get_extra_chain_certs .
95	.Sh RETURN VALUES	106	.Sh RETURN VALUES
96	.Fn SSL_CTX_add_extra_chain_cert	107	These functions return 1 on success or 0 for failure.
97	and
98	.Fn SSL_CTX_clear_extra_chain_certs
99	return 1 on success or 0 for failure.
100	Check out the error stack to find out the reason for failure.	108	Check out the error stack to find out the reason for failure.
101	.Sh SEE ALSO	109	.Sh SEE ALSO
		110	.Xr ssl 3 ,
		111	.Xr SSL_CTX_add1_chain_cert 3 ,
102	.Xr SSL_CTX_ctrl 3 ,	112	.Xr SSL_CTX_ctrl 3 ,
103	.Xr SSL_CTX_load_verify_locations 3 ,	113	.Xr SSL_CTX_load_verify_locations 3 ,
104	.Xr SSL_CTX_set_client_cert_cb 3 ,	114	.Xr SSL_CTX_set_client_cert_cb 3 ,
@@ -108,15 +118,26 @@ Check out the error stack to find out the reason for failure.
108	first appeared in SSLeay 0.9.1 and has been available since	118	first appeared in SSLeay 0.9.1 and has been available since
109	.Ox 2.6 .	119	.Ox 2.6 .
110	.Pp	120	.Pp
		121	.Fn SSL_CTX_get_extra_chain_certs
		122	and
111	.Fn SSL_CTX_clear_extra_chain_certs	123	.Fn SSL_CTX_clear_extra_chain_certs
112	first appeared in OpenSSL 1.0.1 and has been available since	124	first appeared in OpenSSL 1.0.1 and have been available since
113	.Ox 5.3 .	125	.Ox 5.3 .
114	.Sh CAVEATS	126	.Sh CAVEATS
		127	Certificates added with
		128	.Fn SSL_CTX_add_extra_chain_cert
		129	are ignored when certificates are also available that have been
		130	added using the functions documented in
		131	.Xr SSL_CTX_set1_chain 3 .
		132	.Pp
115	Only one set of extra chain certificates can be specified per	133	Only one set of extra chain certificates can be specified per
116	.Vt SSL_CTX	134	.Vt SSL_CTX
117	structure.	135	structure using
		136	.Fn SSL_CTX_add_extra_chain_cert .
118	Different chains for different certificates (for example if both	137	Different chains for different certificates (for example if both
119	RSA and DSA certificates are specified by the same server) or	138	RSA and DSA certificates are specified by the same server) or
120	different SSL structures with the same parent	139	different SSL structures with the same parent
121	.Vt SSL_CTX	140	.Vt SSL_CTX
122	cannot be specified using this function.	141	require using the functions documented in
		142	.Xr SSL_CTX_set1_chain 3
		143	instead.


diff --git a/src/lib/libssl/man/SSL_CTX_use_certificate.3 b/src/lib/libssl/man/SSL_CTX_use_certificate.3 index b1b7df5a9a..900a42da7d 100644 --- a/src/lib/libssl/man/SSL_CTX_use_certificate.3 +++ b/src/lib/libssl/man/SSL_CTX_use_certificate.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.9 2018/04/25 13:51:34 schwarze Exp $	1	.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.10 2019/04/05 18:29:43 schwarze Exp $
2	.\" OpenSSL e248596b Apr 8 22:49:57 2005 +0000	2	.\" OpenSSL e248596b Apr 8 22:49:57 2005 +0000
3	.\"	3	.\"
4	.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.	4	.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
51	.\"	51	.\"
52	.Dd $Mdocdate: April 25 2018 $	52	.Dd $Mdocdate: April 5 2019 $
53	.Dt SSL_CTX_USE_CERTIFICATE 3	53	.Dt SSL_CTX_USE_CERTIFICATE 3
54	.Os	54	.Os
55	.Sh NAME	55	.Sh NAME
@@ -384,6 +384,7 @@ Otherwise check out the error stack to find out the reason.
384	.Sh SEE ALSO	384	.Sh SEE ALSO
385	.Xr ssl 3 ,	385	.Xr ssl 3 ,
386	.Xr SSL_clear 3 ,	386	.Xr SSL_clear 3 ,
		387	.Xr SSL_CTX_add1_chain_cert 3 ,
387	.Xr SSL_CTX_add_extra_chain_cert 3 ,	388	.Xr SSL_CTX_add_extra_chain_cert 3 ,
388	.Xr SSL_CTX_load_verify_locations 3 ,	389	.Xr SSL_CTX_load_verify_locations 3 ,
389	.Xr SSL_CTX_set_cipher_list 3 ,	390	.Xr SSL_CTX_set_cipher_list 3 ,


diff --git a/src/lib/libssl/man/ssl.3 b/src/lib/libssl/man/ssl.3 index 23f2f21b54..4877342ba1 100644 --- a/src/lib/libssl/man/ssl.3 +++ b/src/lib/libssl/man/ssl.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: ssl.3,v 1.14 2018/03/17 18:19:49 schwarze Exp $	1	.\" $OpenBSD: ssl.3,v 1.15 2019/04/05 18:29:43 schwarze Exp $
2	.\" full merge up to: OpenSSL e330f55d Nov 11 00:51:04 2016 +0100	2	.\" full merge up to: OpenSSL e330f55d Nov 11 00:51:04 2016 +0100
3	.\" selective merge up to: OpenSSL cbade361 Dec 12 13:14:45 2017 +0100	3	.\" selective merge up to: OpenSSL cbade361 Dec 12 13:14:45 2017 +0100
4	.\"	4	.\"
@@ -51,7 +51,7 @@
51	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	51	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
52	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	52	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
53	.\"	53	.\"
54	.Dd $Mdocdate: March 17 2018 $	54	.Dd $Mdocdate: April 5 2019 $
55	.Dt SSL 3	55	.Dt SSL 3
56	.Os	56	.Os
57	.Sh NAME	57	.Sh NAME
@@ -200,6 +200,8 @@ Constructors and destructors:
200	.Xr SSL_CTX_free 3	200	.Xr SSL_CTX_free 3
201	.Pp	201	.Pp
202	Configuration functions:	202	Configuration functions:
		203	.Xr SSL_CTX_add1_chain_cert 3 ,
		204	.Xr SSL_CTX_add_extra_chain_cert 3 ,
203	.Xr SSL_CTX_ctrl 3 ,	205	.Xr SSL_CTX_ctrl 3 ,
204	.Xr SSL_CTX_flush_sessions 3 ,	206	.Xr SSL_CTX_flush_sessions 3 ,
205	.Xr SSL_CTX_get_verify_mode 3 ,	207	.Xr SSL_CTX_get_verify_mode 3 ,