From d81e0a2e2b99c3aa745b51cb8193793f267d2a22 Mon Sep 17 00:00:00 2001
From: schwarze <>
Date: Fri, 5 Apr 2019 18:29:43 +0000
Subject: Import SSL_CTX_add1_chain_cert(3) from OpenSSL branch 1.1.1, which is still under a free license, omitting functions we don't have and tweaked by me; the functions were provided by jsing@ in ssl.h rev. 1.166. While here, also document SSL_CTX_get_extra_chain_certs(3) because it is closely related to companion functions are already documented and the API is kind of incomplete without it.
---
 src/lib/libssl/man/Makefile | 3 +-
 src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 | 222 ++++++++++++++++++++++
 src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 | 45 +++--
 src/lib/libssl/man/SSL_CTX_use_certificate.3 | 5 +-
 src/lib/libssl/man/ssl.3 | 6 +-
 5 files changed, 264 insertions(+), 17 deletions(-)
 create mode 100644 src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
(limited to 'src')
diff --git a/src/lib/libssl/man/Makefile b/src/lib/libssl/man/Makefile
index 375e5fba2b..4c3157bd95 100644
--- a/src/lib/libssl/man/Makefile
+++ b/src/lib/libssl/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.65 2018/03/17 18:52:42 schwarze Exp $
+# $OpenBSD: Makefile,v 1.66 2019/04/05 18:29:43 schwarze Exp $
 .include
@@ -8,6 +8,7 @@ MAN = BIO_f_ssl.3 \
 PEM_read_SSL_SESSION.3 \
 SSL_CIPHER_get_name.3 \
 SSL_COMP_add_compression_method.3 \
+ SSL_CTX_add1_chain_cert.3 \
 SSL_CTX_add_extra_chain_cert.3 \
 SSL_CTX_add_session.3 \
 SSL_CTX_ctrl.3 \
diff --git a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
new file mode 100644
index 0000000000..1f60bad142
--- /dev/null
+++ b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
@@ -0,0 +1,222 @@
+.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.1 2019/04/05 18:29:43 schwarze Exp $
+.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson
+.\" and Rob Stradling .
+.\" Copyright (c) 2013 The OpenSSL Project. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\" software must display the following acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\" endorse or promote products derived from this software without
+.\" prior written permission. For written permission, please contact
+.\" openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\" nor may "OpenSSL" appear in their names without prior written
+.\" permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\" acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: April 5 2019 $
+.Dt SSL_CTX_ADD1_CHAIN_CERT 3
+.Os
+.Sh NAME
+.Nm SSL_CTX_set0_chain ,
+.Nm SSL_CTX_set1_chain ,
+.Nm SSL_CTX_add0_chain_cert ,
+.Nm SSL_CTX_add1_chain_cert ,
+.Nm SSL_CTX_get0_chain_certs ,
+.Nm SSL_CTX_clear_chain_certs ,
+.Nm SSL_set0_chain ,
+.Nm SSL_set1_chain ,
+.Nm SSL_add0_chain_cert ,
+.Nm SSL_add1_chain_cert ,
+.Nm SSL_get0_chain_certs ,
+.Nm SSL_clear_chain_certs
+.Nd extra chain certificate processing
+.Sh SYNOPSIS
+.In openssl/ssl.h
+.Ft int
+.Fo SSL_CTX_set0_chain
+.Fa "SSL_CTX *ctx"
+.Fa "STACK_OF(X509) *chain"
+.Fc
+.Ft int
+.Fo SSL_CTX_set1_chain
+.Fa "SSL_CTX *ctx"
+.Fa "STACK_OF(X509) *chain"
+.Fc
+.Ft int
+.Fo SSL_CTX_add0_chain_cert
+.Fa "SSL_CTX *ctx"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo SSL_CTX_add1_chain_cert
+.Fa "SSL_CTX *ctx"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo SSL_CTX_get0_chain_certs
+.Fa "SSL_CTX *ctx"
+.Fa "STACK_OF(X509) **chain"
+.Fc
+.Ft int
+.Fo SSL_CTX_clear_chain_certs
+.Fa "SSL_CTX *ctx"
+.Fc
+.Ft int
+.Fo SSL_set0_chain
+.Fa "SSL *ssl"
+.Fa "STACK_OF(X509) *chain"
+.Fc
+.Ft int
+.Fo SSL_set1_chain
+.Fa "SSL *ssl"
+.Fa "STACK_OF(X509) *chain"
+.Fc
+.Ft int
+.Fo SSL_add0_chain_cert
+.Fa "SSL *ssl"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo SSL_add1_chain_cert
+.Fa "SSL *ssl"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo SSL_get0_chain_certs
+.Fa "SSL *ssl"
+.Fa "STACK_OF(X509) **chain"
+.Fc
+.Ft int
+.Fo SSL_clear_chain_certs
+.Fa "SSL *ssl"
+.Fc
+.Sh DESCRIPTION
+.Fn SSL_CTX_set0_chain
+and
+.Fn SSL_CTX_set1_chain
+set the certificate chain associated with the current certificate of
+.Fa ctx
+to
+.Fa chain .
+The
+.Fa chain
+is not supposed to include the current certificate itself.
+.Pp
+.Fn SSL_CTX_add0_chain_cert
+and
+.Fn SSL_CTX_add1_chain_cert
+append the single certificate
+.Fa cert
+to the chain associated with the current certificate of
+.Fa ctx .
+.Pp
+.Fn SSL_CTX_get0_chain_certs
+retrieves the chain associated with the current certificate of
+.Fa ctx .
+.Pp
+.Fn SSL_CTX_clear_chain_certs
+clears the existing chain associated with the current certificate of
+.Fa ctx ,
+if any.
+This is equivalent to calling
+.Fn SSL_CTX_set0_chain
+with
+.Fa chain
+set to
+.Dv NULL .
+.Pp
+Each of these functions operates on the
+.Em current
+end entity (i.e. server or client) certificate.
+This is the last certificate loaded or selected on the corresponding
+.Fa ctx
+structure, for example using
+.Xr SSL_CTX_use_certificate 3 .
+.Pp
+.Fn SSL_set0_chain ,
+.Fn SSL_set1_chain ,
+.Fn SSL_add0_chain_cert ,
+.Fn SSL_add1_chain_cert ,
+.Fn SSL_get0_chain_certs ,
+and
+.Fn SSL_clear_chain_certs
+are similar except that they operate on the
+.Fa ssl
+connection.
+.Pp
+The functions containing a
+.Sy 1
+in their name increment the reference count of the supplied certificate
+or chain, so it must be freed at some point after the operation.
+Those containing a
+.Sy 0
+do not increment reference counts and the supplied certificate or chain
+must not be freed after the operation.
+.Pp
+The chains associated with an
+.Vt SSL_CTX
+structure are copied to the new
+.Vt SSL
+structure when
+.Xr SSL_new 3
+is called.
+Existing
+.Vt SSL
+structures are not affected by any chains subsequently changed
+in the parent
+.Vt SSL_CTX .
+.Pp
+One chain can be set for each key type supported by a server.
+So, for example, an RSA and a DSA certificate can (and often will) have
+different chains.
+.Pp
+If any certificates are added using these functions, no certificates
+added using
+.Xr SSL_CTX_add_extra_chain_cert 3
+will be used.
+.Sh RETURN VALUES
+These functions return 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr ssl 3 ,
+.Xr SSL_CTX_add_extra_chain_cert 3 ,
+.Xr SSL_CTX_use_certificate 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 1.0.2
+and have been available since
+.Ox 6.5 .
diff --git a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
index 1feee4265c..a6d869b335 100644
--- a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
+++ b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
@@ -1,5 +1,5 @@
-.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.5 2018/03/23 05:50:30 schwarze Exp $
-.\" OpenSSL f0d6ee6be Feb 15 07:41:42 2002 +0000
+.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.6 2019/04/05 18:29:43 schwarze Exp $
+.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke and
 .\" Dr. Stephen Henson .
@@ -50,18 +50,21 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: April 5 2019 $
 .Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_add_extra_chain_cert ,
+.Nm SSL_CTX_get_extra_chain_certs ,
 .Nm SSL_CTX_clear_extra_chain_certs
-.Nd add or clear extra chain certificates
+.Nd add, retrieve, and clear extra chain certificates
 .Sh SYNOPSIS
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_add_extra_chain_cert "SSL_CTX *ctx" "X509 *x509"
 .Ft long
+.Fn SSL_CTX_get_extra_chain_certs "SSL_CTX *ctx" "STACK_OF(X509) **certs"
+.Ft long
 .Fn SSL_CTX_clear_extra_chain_certs "SSL_CTX *ctx"
 .Sh DESCRIPTION
 .Fn SSL_CTX_add_extra_chain_cert
@@ -71,6 +74,11 @@ to the extra chain certificates associated with
 .Fa ctx .
 Several certificates can be added one after another.
 .Pp
+.Fn SSL_CTX_get_extra_chain_certs
+retrieves an internal pointer to the stack of extra chain certificates
+associated with
+.Fa ctx .
+.Pp
 .Fn SSL_CTX_clear_extra_chain_certs
 clears all extra chain certificates associated with
 .Fa ctx .
@@ -91,14 +99,16 @@ will be freed by the library when the
 is destroyed.
 An application should not free the
 .Fa x509
-object.
+object, nor the
+.Pf * Fa certs
+object retrieved by
+.Fn SSL_CTX_get_extra_chain_certs .
 .Sh RETURN VALUES
-.Fn SSL_CTX_add_extra_chain_cert
-and
-.Fn SSL_CTX_clear_extra_chain_certs
-return 1 on success or 0 for failure.
+These functions return 1 on success or 0 for failure.
 Check out the error stack to find out the reason for failure.
 .Sh SEE ALSO
+.Xr ssl 3 ,
+.Xr SSL_CTX_add1_chain_cert 3 ,
 .Xr SSL_CTX_ctrl 3 ,
 .Xr SSL_CTX_load_verify_locations 3 ,
 .Xr SSL_CTX_set_client_cert_cb 3 ,
@@ -108,15 +118,26 @@ Check out the error stack to find out the reason for failure.
 first appeared in SSLeay 0.9.1 and has been available since
 .Ox 2.6 .
 .Pp
+.Fn SSL_CTX_get_extra_chain_certs
+and
 .Fn SSL_CTX_clear_extra_chain_certs
-first appeared in OpenSSL 1.0.1 and has been available since
+first appeared in OpenSSL 1.0.1 and have been available since
 .Ox 5.3 .
 .Sh CAVEATS
+Certificates added with
+.Fn SSL_CTX_add_extra_chain_cert
+are ignored when certificates are also available that have been
+added using the functions documented in
+.Xr SSL_CTX_set1_chain 3 .
+.Pp
 Only one set of extra chain certificates can be specified per
 .Vt SSL_CTX
-structure.
+structure using
+.Fn SSL_CTX_add_extra_chain_cert .
 Different chains for different certificates (for example if both RSA
 and DSA certificates are specified by the same server) or different SSL
 structures with the same parent
 .Vt SSL_CTX
-cannot be specified using this function.
+require using the functions documented in
+.Xr SSL_CTX_set1_chain 3
+instead.
diff --git a/src/lib/libssl/man/SSL_CTX_use_certificate.3 b/src/lib/libssl/man/SSL_CTX_use_certificate.3
index b1b7df5a9a..900a42da7d 100644
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.9 2018/04/25 13:51:34 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.10 2019/04/05 18:29:43 schwarze Exp $
 .\" OpenSSL e248596b Apr 8 22:49:57 2005 +0000
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2018 $
+.Dd $Mdocdate: April 5 2019 $
 .Dt SSL_CTX_USE_CERTIFICATE 3
 .Os
 .Sh NAME
@@ -384,6 +384,7 @@ Otherwise check out the error stack to find out the reason.
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_clear 3 ,
+.Xr SSL_CTX_add1_chain_cert 3 ,
 .Xr SSL_CTX_add_extra_chain_cert 3 ,
 .Xr SSL_CTX_load_verify_locations 3 ,
 .Xr SSL_CTX_set_cipher_list 3 ,
diff --git a/src/lib/libssl/man/ssl.3 b/src/lib/libssl/man/ssl.3
index 23f2f21b54..4877342ba1 100644
--- a/src/lib/libssl/man/ssl.3
+++ b/src/lib/libssl/man/ssl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssl.3,v 1.14 2018/03/17 18:19:49 schwarze Exp $
+.\" $OpenBSD: ssl.3,v 1.15 2019/04/05 18:29:43 schwarze Exp $
 .\" full merge up to: OpenSSL e330f55d Nov 11 00:51:04 2016 +0100
 .\" selective merge up to: OpenSSL cbade361 Dec 12 13:14:45 2017 +0100
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 17 2018 $
+.Dd $Mdocdate: April 5 2019 $
 .Dt SSL 3
 .Os
 .Sh NAME
@@ -200,6 +200,8 @@ Constructors and destructors:
 .Xr SSL_CTX_free 3
 .Pp
 Configuration functions:
+.Xr SSL_CTX_add1_chain_cert 3 ,
+.Xr SSL_CTX_add_extra_chain_cert 3 ,
 .Xr SSL_CTX_ctrl 3 ,
 .Xr SSL_CTX_flush_sessions 3 ,
 .Xr SSL_CTX_get_verify_mode 3 ,
--
cgit v1.2.3-55-g6feb