sync with OpenBSD -current

lib/libcrypto/man/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.286 2024/03/06 02:34:14 tb Exp $
+# $OpenBSD: Makefile,v 1.287 2024/05/12 11:50:36 tb Exp $
 
 .include <bsd.own.mk>
 
@@ -304,6 +304,7 @@ MAN=	\
 	UI_get_string_type.3 \
 	UI_new.3 \
 	X25519.3 \
+	X509V3_EXT_get_nid.3 \
 	X509V3_EXT_print.3 \
 	X509V3_extensions_print.3 \
 	X509V3_get_d2i.3 \

lib/libcrypto/man/X509V3_EXT_get_nid.3

@@ -0,0 +1,92 @@
+.\" $OpenBSD: X509V3_EXT_get_nid.3,v 1.3 2024/05/12 15:26:46 tb Exp $
+.\"
+.\" Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: May 12 2024 $
+.Dt X509V3_EXT_GET_NID 3
+.Os
+.Sh NAME
+.Nm X509V3_EXT_get_nid ,
+.Nm X509V3_EXT_get
+.Nd retrieve X.509v3 certificate extension methods
+.Sh SYNOPSIS
+.In openssl/x509v3.h
+.Ft const X509V3_EXT_METHOD *
+.Fo X509V3_EXT_get_nid
+.Fa "int nid"
+.Fc
+.Ft const X509V3_EXT_METHOD *
+.Fo X509V3_EXT_get
+.Fa "X509_EXTENSION *ext"
+.Fc
+.Sh DESCRIPTION
+An X.509v3 certificate extension contains an Object Identifier (OID),
+a boolean criticality indicator, and an opaque extension value
+.Po
+an
+.Vt ASN1_OCTET_STRING
+.Pc
+whose meaning is determined by the OID.
+The library's
+.Vt X509V3_EXT_METHOD
+type,
+which is not yet documented in detail,
+contains a numeric identifier to represent the OID and various
+handlers for encoding, decoding, printing, and configuring the
+extension's value.
+Criticality is handled separately, for example as an argument to
+.Xr X509V3_add1_i2d 3 .
+.Sh RETURN VALUES
+.Fn X509V3_EXT_get_nid
+returns the
+.Vt X509V3_EXT_METHOD
+corresponding to the numeric identifier
+.Fa nid ,
+or
+.Dv NULL
+if there is none.
+.Pp
+.Fn X509V3_EXT_get
+returns the
+.Vt X509V3_EXT_METHOD
+associated with the extension type of
+.Fa ext ,
+or
+.Dv NULL
+if there is none.
+.Sh SEE ALSO
+.Xr i2s_ASN1_ENUMERATED_TABLE 3 ,
+.Xr OBJ_create 3 ,
+.Xr X509_EXTENSION_get_object 3 ,
+.Xr X509V3_get_d2i 3
+.Sh STANDARDS
+RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
+Certificate Revocation List (CRL) Profile
+.Bl -dash -compact
+.It
+section 4.2: Certificate Extensions
+.El
+.Sh HISTORY
+These functions first appeared in OpenSSL 0.9.2b and
+have been available since
+.Ox 2.6 .
+.Sh CAVEATS
+LibreSSL only supports built-in extension methods.
+Other implementations have incomplete support for custom extension methods,
+whose API is not threadsafe, does not affect the behavior of
+.Xr X509_verify_cert 3 ,
+and has various other surprising quirks.
+If custom extensions were added, both functions will prefer them
+over built-in methods.

lib/libcrypto/man/X509V3_get_d2i.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_get_d2i.3,v 1.21 2023/09/25 07:47:52 tb Exp $
+.\" $OpenBSD: X509V3_get_d2i.3,v 1.22 2024/05/12 17:44:11 tb Exp $
 .\" full merge up to: OpenSSL ff7fbfd5 Nov 2 11:52:01 2015 +0000
 .\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 25 2023 $
+.Dd $Mdocdate: May 12 2024 $
 .Dt X509V3_GET_D2I 3
 .Os
 .Sh NAME
@@ -275,6 +275,8 @@ An error is returned if the extension does already exist.
 .Pp
 .Dv X509V3_ADD_APPEND
 appends a new extension, ignoring whether the extension already exists.
+This is a misfeature and should not be used because certificates must
+not include the same extension more than once.
 .Pp
 .Dv X509V3_ADD_REPLACE
 replaces an extension if it exists otherwise appends a new extension.
@@ -290,7 +292,8 @@ returned if the extension does already exist.
 .Pp
 .Dv X509V3_ADD_DELETE
 deletes extension
-.Fa nid .
+.Fa nid
+if it exists and errors otherwise.
 No new extension is added.
 .Pp
 If

lib/libcrypto/man/X509_EXTENSION_set_object.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.17 2023/04/30 19:40:23 tb Exp $
+.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.18 2024/05/12 11:49:47 tb Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: May 12 2024 $
 .Dt X509_EXTENSION_SET_OBJECT 3
 .Os
 .Sh NAME
@@ -297,6 +297,7 @@ pointer.
 .Xr X509_check_issued 3 ,
 .Xr X509_get_extension_flags 3 ,
 .Xr X509_REQ_add_extensions 3 ,
+.Xr X509V3_EXT_get_nid 3 ,
 .Xr X509V3_EXT_print 3 ,
 .Xr X509V3_extensions_print 3 ,
 .Xr X509V3_get_d2i 3 ,

lib/libcrypto/man/X509_STORE_get_by_subject.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_get_by_subject.3,v 1.5 2023/11/16 20:27:43 schwarze Exp $
+.\" $OpenBSD: X509_STORE_get_by_subject.3,v 1.6 2024/05/12 05:08:59 tb Exp $
 .\"
 .\" Copyright (c) 2021, 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: May 12 2024 $
 .Dt X509_STORE_GET_BY_SUBJECT 3
 .Os
 .Sh NAME
@@ -95,8 +95,7 @@ to retrieve a revocation list.
 .Pp
 If the store does not yet contain a matching object or if the type is
 .Dv X509_LU_CRL ,
-.Xr X509_LOOKUP_by_subject 3
-is called on
+a lookup by subject is performed on
 .Vt X509_LOOKUP
 objects associated with the store until a match is found,
 which may add zero or more objects to the store.
@@ -172,8 +171,7 @@ and
 .Fn X509_STORE_get_by_subject
 return 1 if a match is found or 0 on failure.
 In addition to simply not finding a match,
-they may also fail due to memory allocation failure in
-.Xr X509_LOOKUP_by_subject 3 .
+they may also fail due to memory allocation failure.
 With library implementations other than LibreSSL,
 they might also return negative values for internal errors.
 .Pp
@@ -215,7 +213,6 @@ it might also return negative values for internal errors.
 .Xr X509_check_issued 3 ,
 .Xr X509_CRL_new 3 ,
 .Xr X509_get_issuer_name 3 ,
-.Xr X509_LOOKUP_by_subject 3 ,
 .Xr X509_NAME_new 3 ,
 .Xr X509_new 3 ,
 .Xr X509_OBJECT_retrieve_by_subject 3 ,