Diffstat (limited to 'lib/libssl/man')
-rw-r--r--lib/libssl/man/Makefile3
-rw-r--r--lib/libssl/man/SSL_CTX_add1_chain_cert.3222
-rw-r--r--lib/libssl/man/SSL_CTX_add_extra_chain_cert.345
-rw-r--r--lib/libssl/man/SSL_CTX_use_certificate.35
-rw-r--r--lib/libssl/man/ssl.36
5 files changed, 264 insertions, 17 deletions
diff --git a/lib/libssl/man/Makefile b/lib/libssl/man/Makefile
index 375e5fba2bf..4c3157bd950 100644
--- a/lib/libssl/man/Makefile
+++ b/lib/libssl/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.65 2018/03/17 18:52:42 schwarze Exp $
+# $OpenBSD: Makefile,v 1.66 2019/04/05 18:29:43 schwarze Exp $
.include <bsd.own.mk>
@@ -8,6 +8,7 @@ MAN = BIO_f_ssl.3 \
PEM_read_SSL_SESSION.3 \
SSL_CIPHER_get_name.3 \
SSL_COMP_add_compression_method.3 \
+ SSL_CTX_add1_chain_cert.3 \
SSL_CTX_add_extra_chain_cert.3 \
SSL_CTX_add_session.3 \
SSL_CTX_ctrl.3 \
diff --git a/lib/libssl/man/SSL_CTX_add1_chain_cert.3 b/lib/libssl/man/SSL_CTX_add1_chain_cert.3
new file mode 100644
index 00000000000..1f60bad142c
--- /dev/null
+++ b/lib/libssl/man/SSL_CTX_add1_chain_cert.3
@@ -0,0 +1,222 @@
+.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.1 2019/04/05 18:29:43 schwarze Exp $
+.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>
+.\" and Rob Stradling <rob.stradling@comodo.com>.
+.\" Copyright (c) 2013 The OpenSSL Project. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\" software must display the following acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\" endorse or promote products derived from this software without
+.\" prior written permission. For written permission, please contact
+.\" openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\" nor may "OpenSSL" appear in their names without prior written
+.\" permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\" acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: April 5 2019 $
+.Dt SSL_CTX_ADD1_CHAIN_CERT 3
+.Os
+.Sh NAME
+.Nm SSL_CTX_set0_chain ,
+.Nm SSL_CTX_set1_chain ,
+.Nm SSL_CTX_add0_chain_cert ,
+.Nm SSL_CTX_add1_chain_cert ,
+.Nm SSL_CTX_get0_chain_certs ,
+.Nm SSL_CTX_clear_chain_certs ,
+.Nm SSL_set0_chain ,
+.Nm SSL_set1_chain ,
+.Nm SSL_add0_chain_cert ,
+.Nm SSL_add1_chain_cert ,
+.Nm SSL_get0_chain_certs ,
+.Nm SSL_clear_chain_certs
+.Nd extra chain certificate processing
+.Sh SYNOPSIS
+.In openssl/ssl.h
+.Ft int
+.Fo SSL_CTX_set0_chain
+.Fa "SSL_CTX *ctx"
+.Fa "STACK_OF(X509) *chain"
+.Fc
+.Ft int
+.Fo SSL_CTX_set1_chain
+.Fa "SSL_CTX *ctx"
+.Fa "STACK_OF(X509) *chain"
+.Fc
+.Ft int
+.Fo SSL_CTX_add0_chain_cert
+.Fa "SSL_CTX *ctx"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo SSL_CTX_add1_chain_cert
+.Fa "SSL_CTX *ctx"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo SSL_CTX_get0_chain_certs
+.Fa "SSL_CTX *ctx"
+.Fa "STACK_OF(X509) **chain"
+.Fc
+.Ft int
+.Fo SSL_CTX_clear_chain_certs
+.Fa "SSL_CTX *ctx"
+.Fc
+.Ft int
+.Fo SSL_set0_chain
+.Fa "SSL *ssl"
+.Fa "STACK_OF(X509) *chain"
+.Fc
+.Ft int
+.Fo SSL_set1_chain
+.Fa "SSL *ssl"
+.Fa "STACK_OF(X509) *chain"
+.Fc
+.Ft int
+.Fo SSL_add0_chain_cert
+.Fa "SSL *ssl"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo SSL_add1_chain_cert
+.Fa "SSL *ssl"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo SSL_get0_chain_certs
+.Fa "SSL *ssl"
+.Fa "STACK_OF(X509) **chain"
+.Fc
+.Ft int
+.Fo SSL_clear_chain_certs
+.Fa "SSL *ssl"
+.Fc
+.Sh DESCRIPTION
+.Fn SSL_CTX_set0_chain
+and
+.Fn SSL_CTX_set1_chain
+set the certificate chain associated with the current certificate of
+.Fa ctx
+to
+.Fa chain .
+The
+.Fa chain
+is not supposed to include the current certificate itself.
+.Pp
+.Fn SSL_CTX_add0_chain_cert
+and
+.Fn SSL_CTX_add1_chain_cert
+append the single certificate
+.Fa cert
+to the chain associated with the current certificate of
+.Fa ctx .
+.Pp
+.Fn SSL_CTX_get0_chain_certs
+retrieves the chain associated with the current certificate of
+.Fa ctx .
+.Pp
+.Fn SSL_CTX_clear_chain_certs
+clears the existing chain associated with the current certificate of
+.Fa ctx ,
+if any.
+This is equivalent to calling
+.Fn SSL_CTX_set0_chain
+with
+.Fa chain
+set to
+.Dv NULL .
+.Pp
+Each of these functions operates on the
+.Em current
+end entity (i.e. server or client) certificate.
+This is the last certificate loaded or selected on the corresponding
+.Fa ctx
+structure, for example using
+.Xr SSL_CTX_use_certificate 3 .
+.Pp
+.Fn SSL_set0_chain ,
+.Fn SSL_set1_chain ,
+.Fn SSL_add0_chain_cert ,
+.Fn SSL_add1_chain_cert ,
+.Fn SSL_get0_chain_certs ,
+and
+.Fn SSL_clear_chain_certs
+are similar except that they operate on the
+.Fa ssl
+connection.
+.Pp
+The functions containing a
+.Sy 1
+in their name increment the reference count of the supplied certificate
+or chain, so it must be freed at some point after the operation.
+Those containing a
+.Sy 0
+do not increment reference counts and the supplied certificate or chain
+must not be freed after the operation.
+.Pp
+The chains associated with an
+.Vt SSL_CTX
+structure are copied to the new
+.Vt SSL
+structure when
+.Xr SSL_new 3
+is called.
+Existing
+.Vt SSL
+structures are not affected by any chains subsequently changed
+in the parent
+.Vt SSL_CTX .
+.Pp
+One chain can be set for each key type supported by a server.
+So, for example, an RSA and a DSA certificate can (and often will) have
+different chains.
+.Pp
+If any certificates are added using these functions, no certificates
+added using
+.Xr SSL_CTX_add_extra_chain_cert 3
+will be used.
+.Sh RETURN VALUES
+These functions return 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr ssl 3 ,
+.Xr SSL_CTX_add_extra_chain_cert 3 ,
+.Xr SSL_CTX_use_certificate 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 1.0.2
+and have been available since
+.Ox 6.5 .
diff --git a/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
index 1feee4265cf..a6d869b335e 100644
--- a/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
+++ b/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
@@ -1,5 +1,5 @@
-.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.5 2018/03/23 05:50:30 schwarze Exp $
-.\" OpenSSL f0d6ee6be Feb 15 07:41:42 2002 +0000
+.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.6 2019/04/05 18:29:43 schwarze Exp $
+.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
.\"
.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
.\" Dr. Stephen Henson <steve@openssl.org>.
@@ -50,18 +50,21 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: April 5 2019 $
.Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
.Os
.Sh NAME
.Nm SSL_CTX_add_extra_chain_cert ,
+.Nm SSL_CTX_get_extra_chain_certs ,
.Nm SSL_CTX_clear_extra_chain_certs
-.Nd add or clear extra chain certificates
+.Nd add, retrieve, and clear extra chain certificates
.Sh SYNOPSIS
.In openssl/ssl.h
.Ft long
.Fn SSL_CTX_add_extra_chain_cert "SSL_CTX *ctx" "X509 *x509"
.Ft long
+.Fn SSL_CTX_get_extra_chain_certs "SSL_CTX *ctx" "STACK_OF(X509) **certs"
+.Ft long
.Fn SSL_CTX_clear_extra_chain_certs "SSL_CTX *ctx"
.Sh DESCRIPTION
.Fn SSL_CTX_add_extra_chain_cert
@@ -71,6 +74,11 @@ to the extra chain certificates associated with
.Fa ctx .
Several certificates can be added one after another.
.Pp
+.Fn SSL_CTX_get_extra_chain_certs
+retrieves an internal pointer to the stack of extra chain certificates
+associated with
+.Fa ctx .
+.Pp
.Fn SSL_CTX_clear_extra_chain_certs
clears all extra chain certificates associated with
.Fa ctx .
@@ -91,14 +99,16 @@ will be freed by the library when the
is destroyed.
An application should not free the
.Fa x509
-object.
+object, nor the
+.Pf * Fa certs
+object retrieved by
+.Fn SSL_CTX_get_extra_chain_certs .
.Sh RETURN VALUES
-.Fn SSL_CTX_add_extra_chain_cert
-and
-.Fn SSL_CTX_clear_extra_chain_certs
-return 1 on success or 0 for failure.
+These functions return 1 on success or 0 for failure.
Check out the error stack to find out the reason for failure.
.Sh SEE ALSO
+.Xr ssl 3 ,
+.Xr SSL_CTX_add1_chain_cert 3 ,
.Xr SSL_CTX_ctrl 3 ,
.Xr SSL_CTX_load_verify_locations 3 ,
.Xr SSL_CTX_set_client_cert_cb 3 ,
@@ -108,15 +118,26 @@ Check out the error stack to find out the reason for failure.
first appeared in SSLeay 0.9.1 and has been available since
.Ox 2.6 .
.Pp
+.Fn SSL_CTX_get_extra_chain_certs
+and
.Fn SSL_CTX_clear_extra_chain_certs
-first appeared in OpenSSL 1.0.1 and has been available since
+first appeared in OpenSSL 1.0.1 and have been available since
.Ox 5.3 .
.Sh CAVEATS
+Certificates added with
+.Fn SSL_CTX_add_extra_chain_cert
+are ignored when certificates are also available that have been
+added using the functions documented in
+.Xr SSL_CTX_set1_chain 3 .
+.Pp
Only one set of extra chain certificates can be specified per
.Vt SSL_CTX
-structure.
+structure using
+.Fn SSL_CTX_add_extra_chain_cert .
Different chains for different certificates (for example if both
RSA and DSA certificates are specified by the same server) or
different SSL structures with the same parent
.Vt SSL_CTX
-cannot be specified using this function.
+require using the functions documented in
+.Xr SSL_CTX_set1_chain 3
+instead.
diff --git a/lib/libssl/man/SSL_CTX_use_certificate.3 b/lib/libssl/man/SSL_CTX_use_certificate.3
index b1b7df5a9af..900a42da7d1 100644
--- a/lib/libssl/man/SSL_CTX_use_certificate.3
+++ b/lib/libssl/man/SSL_CTX_use_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.9 2018/04/25 13:51:34 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.10 2019/04/05 18:29:43 schwarze Exp $
.\" OpenSSL e248596b Apr 8 22:49:57 2005 +0000
.\"
.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: April 25 2018 $
+.Dd $Mdocdate: April 5 2019 $
.Dt SSL_CTX_USE_CERTIFICATE 3
.Os
.Sh NAME
@@ -384,6 +384,7 @@ Otherwise check out the error stack to find out the reason.
.Sh SEE ALSO
.Xr ssl 3 ,
.Xr SSL_clear 3 ,
+.Xr SSL_CTX_add1_chain_cert 3 ,
.Xr SSL_CTX_add_extra_chain_cert 3 ,
.Xr SSL_CTX_load_verify_locations 3 ,
.Xr SSL_CTX_set_cipher_list 3 ,
diff --git a/lib/libssl/man/ssl.3 b/lib/libssl/man/ssl.3
index 23f2f21b545..4877342ba1f 100644
--- a/lib/libssl/man/ssl.3
+++ b/lib/libssl/man/ssl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssl.3,v 1.14 2018/03/17 18:19:49 schwarze Exp $
+.\" $OpenBSD: ssl.3,v 1.15 2019/04/05 18:29:43 schwarze Exp $
.\" full merge up to: OpenSSL e330f55d Nov 11 00:51:04 2016 +0100
.\" selective merge up to: OpenSSL cbade361 Dec 12 13:14:45 2017 +0100
.\"
@@ -51,7 +51,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: March 17 2018 $
+.Dd $Mdocdate: April 5 2019 $
.Dt SSL 3
.Os
.Sh NAME
@@ -200,6 +200,8 @@ Constructors and destructors:
.Xr SSL_CTX_free 3
.Pp
Configuration functions:
+.Xr SSL_CTX_add1_chain_cert 3 ,
+.Xr SSL_CTX_add_extra_chain_cert 3 ,
.Xr SSL_CTX_ctrl 3 ,
.Xr SSL_CTX_flush_sessions 3 ,
.Xr SSL_CTX_get_verify_mode 3 ,