From: schwarze Date: Fri, 12 Nov 2021 14:05:28 +0000 (+0000) Subject: As pointed out by tb@, LibreSSL no longer supports user-defined X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=a8044ef3b35675783ab836e24b5a7e575155b77a;p=openbsd As pointed out by tb@, LibreSSL no longer supports user-defined X509_LOOKUP_METHODs because these objects are now opaque. Simplify the documentation accordingly, shortening it by about 35 input lines in total, but continue providing the information which RETURN VALUES functions might return with other implementations of the library. OK tb@ --- diff --git a/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 b/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 index b1f6a175718..f6321351e13 100644 --- a/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 +++ b/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_LOOKUP_hash_dir.3,v 1.11 2021/11/09 16:23:04 schwarze Exp $ +.\" $OpenBSD: X509_LOOKUP_hash_dir.3,v 1.12 2021/11/12 14:05:28 schwarze Exp $ .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100 .\" @@ -67,14 +67,14 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 9 2021 $ +.Dd $Mdocdate: November 12 2021 $ .Dt X509_LOOKUP_HASH_DIR 3 .Os .Sh NAME .Nm X509_LOOKUP_hash_dir , .Nm X509_LOOKUP_file , .Nm X509_LOOKUP_mem -.Nd default certificate lookup methods +.Nd certificate lookup methods .Sh SYNOPSIS .In openssl/x509_vfy.h .Ft X509_LOOKUP_METHOD * diff --git a/lib/libcrypto/man/X509_LOOKUP_new.3 b/lib/libcrypto/man/X509_LOOKUP_new.3 index e4cd68a40af..f368cbb606f 100644 --- a/lib/libcrypto/man/X509_LOOKUP_new.3 +++ b/lib/libcrypto/man/X509_LOOKUP_new.3 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_LOOKUP_new.3,v 1.8 2021/11/12 11:41:50 schwarze Exp $ +.\" $OpenBSD: X509_LOOKUP_new.3,v 1.9 2021/11/12 14:05:28 schwarze Exp $ .\" .\" Copyright (c) 2021 Ingo Schwarze .\" @@ -286,16 +286,13 @@ set to .Dv NULL . .El .Pp +With LibreSSL, .Fn X509_LOOKUP_ctrl always ignores the .Fa ret -argument when the built-in -.Vt X509_LOOKUP_METHOD -objects are used. +argument. .Pp -When using built-in -.Vt X509_LOOKUP_METHOD -objects, +With LibreSSL, .Fn X509_LOOKUP_by_subject is only useful if .Fa lookup @@ -336,9 +333,7 @@ In case of success, the first match is returned in the .Pf * Fa object provided by the caller, overwriting any previous content. .Pp -Unless an application program manually constructs its own -.Vt X509_LOOKUP_METHOD -object containing its own callback functions, +With LibreSSL, .Fn X509_LOOKUP_init , .Fn X509_LOOKUP_shutdown , .Fn X509_LOOKUP_by_issuer_serial , @@ -346,15 +341,6 @@ object containing its own callback functions, and .Fn X509_LOOKUP_by_alias have no effect. -.Fn X509_LOOKUP_init -is supposed to be called after -.Fn X509_LOOKUP_new -and before using the -.Fa lookup -object, -.Fn X509_LOOKUP_shutdown -after using it and before -.Fn X509_LOOKUP_free . .Sh RETURN VALUES .Fn X509_LOOKUP_new returns the new object or @@ -363,11 +349,8 @@ if memory allocation fails. .Pp .Fn X509_LOOKUP_ctrl returns 1 for success or 0 for failure. -If -.Fa lookup -uses a user-defined -.Vt X509_LOOKUP_METHOD -object, it might also return \-1 for internal errors. +With library implementations other than LibreSSL, +it might also return \-1 for internal errors. .Pp .Fn X509_LOOKUP_by_subject returns 1 for success or 0 for failure. 
@@ -388,27 +371,21 @@ is neither nor .Dv X509_LU_CRL , if no match is found, or if memory allocation fails. -If -.Fa lookup -uses a user-defined -.Vt X509_LOOKUP_METHOD -object, it might also return negative values for internal errors. +With library implementations other than LibreSSL, +it might also return negative values for internal errors. .Pp .Fn X509_LOOKUP_init and .Fn X509_LOOKUP_shutdown are supposed to return 1 for success and 0 for failure. -When using the built-in -.Vt X509_LOOKUP_METHOD -objects, they always return 1. +With LibreSSL, they always return 1. .Pp +With LibreSSL, .Fn X509_LOOKUP_by_issuer_serial , .Fn X509_LOOKUP_by_fingerprint , and .Fn X509_LOOKUP_by_alias -always return 0 when using the built-in -.Vt X509_LOOKUP_METHOD -objects. +always return 0. .Pp .Fn X509_get_default_cert_dir returns a pointer to the constant string diff --git a/lib/libcrypto/man/X509_STORE_get_by_subject.3 b/lib/libcrypto/man/X509_STORE_get_by_subject.3 index 797ddc12926..6c8b8f8b5ea 100644 --- a/lib/libcrypto/man/X509_STORE_get_by_subject.3 +++ b/lib/libcrypto/man/X509_STORE_get_by_subject.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_STORE_get_by_subject.3,v 1.2 2021/11/12 11:41:50 schwarze Exp $ +.\" $OpenBSD: X509_STORE_get_by_subject.3,v 1.3 2021/11/12 14:05:28 schwarze Exp $ .\" .\" Copyright (c) 2021 Ingo Schwarze .\" @@ -159,12 +159,7 @@ return 1 if a match is found or 0 on failure. In addition to simply not finding a match, they may also fail due to memory allocation failure in .Xr X509_LOOKUP_by_subject 3 . -If -.Fa ctx -contains any -.Vt X509_LOOKUP -object using a user-defined -.Vt X509_LOOKUP_METHOD , +With library implementations other than LibreSSL, they might also return negative values for internal errors. .Pp .Fn X509_STORE_CTX_get_obj_by_subject 
@@ -194,12 +189,7 @@ already contains matching CRLs, or if memory allocation fails. returns 1 if a matching .Fa issuer CA certificate is found or 0 otherwise. -If -.Fa ctx -contains any -.Vt X509_LOOKUP -object using a user-defined -.Vt X509_LOOKUP_METHOD , +With library implementations other than LibreSSL, it might also return negative values for internal errors. .Sh SEE ALSO .Xr STACK_OF 3 , diff --git a/lib/libcrypto/man/X509_STORE_load_locations.3 b/lib/libcrypto/man/X509_STORE_load_locations.3 index 66d89507378..f38eeb6671b 100644 --- a/lib/libcrypto/man/X509_STORE_load_locations.3 +++ b/lib/libcrypto/man/X509_STORE_load_locations.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_STORE_load_locations.3,v 1.9 2021/11/09 16:23:04 schwarze Exp $ +.\" $OpenBSD: X509_STORE_load_locations.3,v 1.10 2021/11/12 14:05:28 schwarze Exp $ .\" full merge up to: .\" OpenSSL X509_STORE_add_cert b0edda11 Mar 20 13:00:17 2018 +0000 .\" @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: November 9 2021 $ +.Dd $Mdocdate: November 12 2021 $ .Dt X509_STORE_LOAD_LOCATIONS 3 .Os .Sh NAME @@ -148,9 +148,7 @@ In particular, parse errors or lack of memory can cause failure. returns the existing or new lookup object or .Dv NULL on failure. -When using the built-in -.Vt X509_LOOKUP_METHOD -objects, the only reason for failure is lack of memory. +With LibreSSL, the only reason for failure is lack of memory. .Sh FILES .Bl -tag -width Ds .It Pa /etc/ssl/cert.pem
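Review bot: In the X509_LOOKUP_new.3 hunk at `@@ -346,15 +341,6 @@`, deleting the sentence that X509_LOOKUP_init "is supposed to be called after .Fn X509_LOOKUP_new and before using the lookup object" and X509_LOOKUP_shutdown "after using it and before .Fn X509_LOOKUP_free" drops calling-order guidance that portable programs still need, even though both calls have no effect in LibreSSL; since the RETURN VALUES section deliberately keeps describing how other implementations behave, consider keeping a condensed form of that sentence (for example prefixed with "For portability,") rather than removing it outright.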
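Review bot: The new wording in the X509_LOOKUP_new.3 hunk at `@@ -363,11 +349,8 @@`, "With library implementations other than LibreSSL, it might also return \-1 for internal errors.", and the parallel sentences in the `@@ -388,27 +371,21 @@` hunk and in both X509_STORE_get_by_subject.3 hunks, would benefit from one added sentence telling callers to test for success with a comparison against 1 rather than treating only 0 as failure: code written as `if (X509_LOOKUP_ctrl(...) != 0)` would accept a negative internal-error return as success on those implementations, and the point is easy to miss now that the user-defined-method wording that motivated it is gone.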