sync code with last fixes and improvements from OpenBSD

lib/libcrypto/man/X509_STORE_CTX_set_verify.3

@@ -1,6 +1,7 @@
-.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.6 2023/03/18 08:20:20 jsg Exp $
+.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.7 2023/08/10 16:15:42 schwarze Exp $
 .\"
 .\" Copyright (c) 2021, 2022 Ingo Schwarze <schwarze@openbsd.org>
+.\" Copyright (c) 2023 Job Snijders <job@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 18 2023 $
+.Dd $Mdocdate: August 10 2023 $
 .Dt X509_STORE_CTX_SET_VERIFY 3
 .Os
 .Sh NAME
@@ -24,6 +25,7 @@
 .Nm X509_STORE_set_verify ,
 .Nm X509_STORE_set_verify_func ,
 .Nm X509_STORE_get_verify ,
+.Nm X509_STORE_CTX_check_issued_fn ,
 .Nm X509_STORE_set_check_issued ,
 .Nm X509_STORE_get_check_issued ,
 .Nm X509_STORE_CTX_get_check_issued

lib/libcrypto/man/X509_STORE_get_by_subject.3

@@ -1,6 +1,6 @@
-.\" $OpenBSD: X509_STORE_get_by_subject.3,v 1.3 2021/11/12 14:05:28 schwarze Exp $
+.\" $OpenBSD: X509_STORE_get_by_subject.3,v 1.4 2023/08/10 14:15:16 schwarze Exp $
 .\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+.\" Copyright (c) 2021, 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,16 +14,18 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 12 2021 $
+.Dd $Mdocdate: August 10 2023 $
 .Dt X509_STORE_GET_BY_SUBJECT 3
 .Os
 .Sh NAME
 .Nm X509_STORE_CTX_get_by_subject ,
 .Nm X509_STORE_CTX_get_obj_by_subject ,
+.Nm X509_STORE_CTX_get1_certs ,
+.Nm X509_STORE_CTX_get1_crls ,
+.Nm X509_STORE_CTX_get1_issuer ,
 .Nm X509_STORE_get_by_subject ,
 .Nm X509_STORE_get1_certs ,
-.Nm X509_STORE_get1_crls ,
-.Nm X509_STORE_CTX_get1_issuer
+.Nm X509_STORE_get1_crls
 .Nd retrieve objects from a certificate store
 .Sh SYNOPSIS
 .In openssl/x509_vfy.h
@@ -40,6 +42,22 @@
 .Fa "X509_LOOKUP_TYPE type"
 .Fa "X509_NAME *name"
 .Fc
+.Ft STACK_OF(X509) *
+.Fo X509_STORE_CTX_get1_certs
+.Fa "X509_STORE_CTX *ctx"
+.Fa "X509_NAME *name"
+.Fc
+.Ft STACK_OF(X509_CRL) *
+.Fo X509_STORE_CTX_get1_crls
+.Fa "X509_STORE_CTX *ctx"
+.Fa "X509_NAME *name"
+.Fc
+.Ft int
+.Fo X509_STORE_CTX_get1_issuer
+.Fa "X509 **issuer"
+.Fa "X509_STORE_CTX *ctx"
+.Fa "X509 *certificate"
+.Fc
 .Ft int
 .Fo X509_STORE_get_by_subject
 .Fa "X509_STORE_CTX *ctx"
@@ -57,12 +75,6 @@
 .Fa "X509_STORE_CTX *ctx"
 .Fa "X509_NAME *name"
 .Fc
-.Ft int
-.Fo X509_STORE_CTX_get1_issuer
-.Fa "X509 **issuer"
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509 *certificate"
-.Fc
 .Sh DESCRIPTION
 .Fn X509_STORE_CTX_get_by_subject
 retrieves the first object having a matching
@@ -101,11 +113,7 @@ is empty is the responsibility of the caller.
 .Fn X509_STORE_CTX_get_obj_by_subject
 is similar except that a new object is allocated and returned.
 .Pp
-.Fn X509_STORE_get_by_subject
-is a deprecated alias for
-.Fn X509_STORE_CTX_get_by_subject .
-.Pp
-.Fn X509_STORE_get1_certs
+.Fn X509_STORE_CTX_get1_certs
 retrieves all certificates matching the subject
 .Vt name
 from the
@@ -113,15 +121,15 @@ from the
 associated with
 .Fa ctx .
 If there are none yet,
-.Fn X509_STORE_get_by_subject
+.Fn X509_STORE_CTX_get_by_subject
 is called to try and add some.
 In case of success, the reference counts of all certificates
 added to the returned array are incremented by 1.
 .Pp
-.Fn X509_STORE_get1_crls
+.Fn X509_STORE_CTX_get1_crls
 is similar except that it operates on certificate revocation lists
 rather than on certificates and that it always calls
-.Fn X509_STORE_get_by_subject ,
+.Fn X509_STORE_CTX_get_by_subject ,
 even if the
 .Vt X509_STORE
 already contains a matching revocation list.
@@ -138,7 +146,7 @@ associated with
 Internally, the issuer name is retrieved with
 .Xr X509_get_issuer_name 3
 and the candidate issuer CA certificate with
-.Fn X509_STORE_get_by_subject
+.Fn X509_STORE_X509_get_by_subject
 using that issuer name.
 .Xr X509_check_issued 3
 or a user-supplied replacement function is used to check whether the
@@ -151,6 +159,13 @@ If verification parameters associated with
 encourage checking of validity times, CAs with a valid time are
 preferred, but if no matching CA has a valid time, one with an
 invalid time is accepted anyway.
+.Pp
+The following are deprecated aliases:
+.Bl -column X509_STORE_get_by_subject F X509_STORE_CTX_get_by_subject
+.It Fn X509_STORE_get_by_subject Ta for Ta Fn X509_STORE_CTX_get_by_subject
+.It Fn X509_STORE_get1_certs     Ta for Ta Fn X509_STORE_CTX_get1_certs
+.It Fn X509_STORE_get1_crls      Ta for Ta Fn X509_STORE_CTX_get1_crls
+.El
 .Sh RETURN VALUES
 .Fn X509_STORE_CTX_get_by_subject
 and
@@ -167,20 +182,24 @@ returns the new object or
 .Dv NULL
 on failure, in particular if no match is found or memory allocation fails.
 .Pp
+.Fn X509_STORE_CTX_get1_certs
+and
 .Fn X509_STORE_get1_certs
-returns a newly allocated and populated array of certificates or
+return a newly allocated and populated array of certificates or
 .Dv NULL
 on failure.
-It fails if no match is found, if
-.Fn X509_STORE_get_by_subject
+They fail if no match is found, if
+.Fn X509_STORE_CTX_get_by_subject
 fails, or if memory allocation fails.
 .Pp
+.Fn X509_STORE_CTX_get1_crls
+and
 .Fn X509_STORE_get1_crls
-returns a newly allocated and populated array of CRLs or
+return a newly allocated and populated array of CRLs or
 .Dv NULL
 on failure.
-It fails if
-.Fn X509_STORE_get_by_subject
+They fail if
+.Fn X509_STORE_CTX_get_by_subject
 finds no new match, even if the associated
 .Vt X509_STORE
 already contains matching CRLs, or if memory allocation fails.
@@ -222,3 +241,9 @@ and
 .Fn X509_STORE_CTX_get_obj_by_subject
 first appeared in OpenSSL 1.1.0 and have been available since
 .Ox 7.1 .
+.Pp
+.Fn X509_STORE_CTX_get1_certs
+and
+.Fn X509_STORE_CTX_get1_crls
+first appeared in OpenSSL 1.1.0 and have been available since
+.Ox 7.4 .

lib/libcrypto/man/a2d_ASN1_OBJECT.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: a2d_ASN1_OBJECT.3,v 1.2 2022/01/01 02:06:07 jsg Exp $
+.\" $OpenBSD: a2d_ASN1_OBJECT.3,v 1.3 2023/08/09 17:34:39 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 1 2022 $
+.Dd $Mdocdate: August 9 2023 $
 .Dt A2D_ASN1_OBJECT 3
 .Os
 .Sh NAME
 .Nm a2d_ASN1_OBJECT
 .Nd DER content octets of an ASN.1 object identifier
 .Sh SYNOPSIS
+.In openssl/asn1.h
 .Ft int
 .Fo a2d_ASN1_OBJECT
 .Fa "unsigned char *der_out"
@@ -55,7 +56,7 @@ If
 .Fa der_out
 is a
 .Dv NULL
-pointer, writing the content objects is skipped
+pointer, writing the content octets is skipped
 and only the return value is calculated.
 .Sh RETURN VALUES
 .Fn a2d_ASN1_OBJECT

lib/libcrypto/man/d2i_ASN1_OBJECT.3

@@ -1,6 +1,6 @@
-.\" $OpenBSD: d2i_ASN1_OBJECT.3,v 1.13 2022/09/12 14:33:47 tb Exp $
+.\" $OpenBSD: d2i_ASN1_OBJECT.3,v 1.14 2023/08/09 17:27:26 schwarze Exp $
 .\"
-.\" Copyright (c) 2017, 2022 Ingo Schwarze <schwarze@openbsd.org>
+.\" Copyright (c) 2017, 2022, 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,12 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 12 2022 $
+.Dd $Mdocdate: August 9 2023 $
 .Dt D2I_ASN1_OBJECT 3
 .Os
 .Sh NAME
 .Nm d2i_ASN1_OBJECT ,
-.Nm i2d_ASN1_OBJECT
+.Nm i2d_ASN1_OBJECT ,
+.Nm OBJ_get0_data ,
+.Nm OBJ_length
 .Nd decode and encode ASN.1 object identifiers
 .Sh SYNOPSIS
 .In openssl/asn1.h
@@ -34,6 +36,11 @@
 .Fa "const ASN1_OBJECT *val_in"
 .Fa "unsigned char **der_out"
 .Fc
+.In openssl/objects.h
+.Ft const unsigned char *
+.Fn OBJ_get0_data "const ASN1_OBJECT *val_in"
+.Ft size_t
+.Fn OBJ_length "const ASN1_OBJECT *val_in"
 .Sh DESCRIPTION
 These functions decode and encode ASN.1 object identifiers.
 For details about the semantics, examples, caveats, and bugs, see
@@ -60,6 +67,16 @@ and the data contained in them are always marked as dynamically
 allocated, so when they are no longer needed,
 .Xr ASN1_OBJECT_free 3
 can be called on them.
+.Pp
+.Fn i2d_ASN1_OBJECT
+encodes the object identifier pointed to by
+.Fa val_in
+into DER format.
+.Fn OBJ_get0_data
+and
+.Fn OBJ_length
+only deal with the content octets of that DER encoding,
+without taking the identifier and length octets into account.
 .Sh RETURN VALUES
 .Fn d2i_ASN1_OBJECT
 returns a pointer to the new
@@ -71,12 +88,38 @@ With other implementations, it might return a pointer to the reused
 .Vt ASN1_OBJECT .
 .Pp
 .Fn i2d_ASN1_OBJECT
-returns the number of bytes successfully encoded
+returns the number of octets successfully encoded
 or a value <= 0 if an error occurs.
+.Pp
+.Fn OBJ_get0_data
+returns an internal pointer to the first content octet of the DER
+encoding of
+.Fa val_in .
+The other content octets follow the returned pointer contiguously.
+.Fn OBJ_length
+returns the number of content octets contained in the DER encoding of
+.Fa val_in .
+This number is always smaller than the total length of the encoding
+returned by
+.Xr ASN1_object_size 3 .
+.Pp
+If
+.Fa val_in
+is a
+.Dv NULL
+pointer or points to an empty object, for example one freshly created with
+.Xr ASN1_OBJECT_new 3 ,
+.Fn OBJ_get0_data
+returns
+.Dv NULL
+and
+.Fn OBJ_length
+returns zero.
 .Sh SEE ALSO
 .Xr a2d_ASN1_OBJECT 3 ,
 .Xr ASN1_item_d2i 3 ,
 .Xr ASN1_OBJECT_new 3 ,
+.Xr ASN1_put_object 3 ,
 .Xr OBJ_nid2obj 3
 .Sh STANDARDS
 ITU-T Recommendation X.690, also known as ISO/IEC 8825-1:
@@ -90,6 +133,12 @@ and
 .Fn i2d_ASN1_OBJECT
 first appeared in SSLeay 0.5.1 and have been available since
 .Ox 2.4 .
+.Pp
+.Fn OBJ_get0_data
+and
+.Fn OBJ_length
+first appeared in OpenSSL 1.1.0 and have been available since
+.Ox 7.1 .
 .Sh CAVEATS
 .Fn d2i_ASN1_OBJECT
 never sets the long and short names of the object, not even if the
@@ -102,3 +151,14 @@ on the returned object, and then
 and
 .Xr OBJ_nid2ln 3
 on the result.
+.Pp
+Calling
+.Fn OBJ_get0_data
+and then accessing memory in front of the returned pointer
+results in undefined behaviour.
+In particular, it is not possible to find the identifier or
+length octets in that way; use
+.Xr ASN1_put_object 3
+or
+.Fn i2d_ASN1_OBJECT
+instead.