From b7b9a845555207bab9b4d4c27b54e4e4757cc9d1 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 10 May 2022 19:44:29 +0000
Subject: Add a BUGS section to describe the problem of potential lies and indicating a workaround. input/ok jsing
---
 src/lib/libcrypto/man/X509_check_ca.3 | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libcrypto/man/X509_check_ca.3 b/src/lib/libcrypto/man/X509_check_ca.3
index b78e349084..114bac69e7 100644
--- a/src/lib/libcrypto/man/X509_check_ca.3
+++ b/src/lib/libcrypto/man/X509_check_ca.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_ca.3,v 1.6 2022/02/18 01:41:17 jsg Exp $
+.\" $OpenBSD: X509_check_ca.3,v 1.7 2022/05/10 19:44:29 tb Exp $
 .\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Victor B. Wagner .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 18 2022 $
+.Dd $Mdocdate: May 10 2022 $
 .Dt X509_CHECK_CA 3
 .Os
 .Sh NAME
@@ -93,6 +93,7 @@ that it is a CA certificate
 .Xr BASIC_CONSTRAINTS_new 3 ,
 .Xr EXTENDED_KEY_USAGE_new 3 ,
 .Xr X509_check_issued 3 ,
+.Xr X509_check_purpose 3 ,
 .Xr X509_EXTENSION_new 3 ,
 .Xr X509_new 3 ,
 .Xr X509_verify_cert 3
@@ -100,3 +101,17 @@ that it is a CA certificate
 .Fn X509_check_ca
 first appeared in OpenSSL 0.9.7f and has been available since
 .Ox 3.8 .
+.Sh BUGS
+If
+.Fn X509_check_ca
+fails to cache X509v3 extension values, the return value may
+be incorrect.
+An application should
+call
+.Xr X509_check_purpose 3
+with a
+.Fa purpose
+argument of \-1,
+ensuring that the X509v3 extensions are cached,
+before calling
+.Fn X509_check_ca .
--
cgit v1.2.3-55-g6feb