authorJung-uk Kim <jkim@FreeBSD.org>2018-09-13 23:14:57 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2018-09-13 23:14:57 +0000
commit54967a4e950cb7b16a26428f9e3872aa8fe83d16 (patch)
tree8ebcd0ceb80e3719deabb8cbd455ab2685cf0c96 /secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
parent9b21da0ecb8941dc7c6bd721ccfe05cecd7d6432 (diff)
Diffstat (limited to 'secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3')
-rw-r--r--secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3193
1 files changed, 114 insertions, 79 deletions
diff --git a/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 b/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
index 9a6570b2ba90..ad66efab3d10 100644
--- a/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
+++ b/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
@@ -128,21 +128,36 @@
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "X509_STORE_CTX_set_verify_cb 3"
-.TH X509_STORE_CTX_set_verify_cb 3 "2018-08-14" "1.0.2p" "OpenSSL"
+.IX Title "X509_STORE_CTX_SET_VERIFY_CB 3"
+.TH X509_STORE_CTX_SET_VERIFY_CB 3 "2018-09-11" "1.1.1" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-X509_STORE_CTX_set_verify_cb \- set verification callback
+X509_STORE_CTX_get_cleanup, X509_STORE_CTX_get_lookup_crls, X509_STORE_CTX_get_lookup_certs, X509_STORE_CTX_get_check_policy, X509_STORE_CTX_get_cert_crl, X509_STORE_CTX_get_check_crl, X509_STORE_CTX_get_get_crl, X509_STORE_CTX_get_check_revocation, X509_STORE_CTX_get_check_issued, X509_STORE_CTX_get_get_issuer, X509_STORE_CTX_get_verify_cb, X509_STORE_CTX_set_verify_cb, X509_STORE_CTX_verify_cb \&\- get and set verification callback
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
\&
+\& typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
+\&
+\& X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx);
+\&
\& void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
-\& int (*verify_cb)(int ok, X509_STORE_CTX *ctx));
+\& X509_STORE_CTX_verify_cb verify_cb);
+\&
+\& X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx);
+\& X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);
+\& X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx);
+\& X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx);
+\& X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx);
+\& X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx);
+\& X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx);
+\& X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx);
+\& X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx);
+\& X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
@@ -157,7 +172,7 @@ However a verification callback is \fBnot\fR essential and the default operation
is often sufficient.
.PP
The \fBok\fR parameter to the callback indicates the value the callback should
-return to retain the default behaviour. If it is zero then and error condition
+return to retain the default behaviour. If it is zero then an error condition
is indicated. If it is 1 then no error occurred. If the flag
\&\fBX509_V_FLAG_NOTIFY_POLICY\fR is set then \fBok\fR is set to 2 to indicate the
policy checking is complete.
@@ -167,6 +182,18 @@ is performing the verification operation. A callback can examine this
structure and receive additional information about the error, for example
by calling \fIX509_STORE_CTX_get_current_cert()\fR. Additional application data can
be passed to the callback via the \fBex_data\fR mechanism.
+.PP
+\&\fIX509_STORE_CTX_get_verify_cb()\fR returns the value of the current callback
+for the specific \fBctx\fR.
+.PP
+\&\fIX509_STORE_CTX_get_get_issuer()\fR,
+\&\fIX509_STORE_CTX_get_check_issued()\fR, \fIX509_STORE_CTX_get_check_revocation()\fR,
+\&\fIX509_STORE_CTX_get_get_crl()\fR, \fIX509_STORE_CTX_get_check_crl()\fR,
+\&\fIX509_STORE_CTX_get_cert_crl()\fR, \fIX509_STORE_CTX_get_check_policy()\fR,
+\&\fIX509_STORE_CTX_get_lookup_certs()\fR, \fIX509_STORE_CTX_get_lookup_crls()\fR
+and \fIX509_STORE_CTX_get_cleanup()\fR return the function pointers cached
+from the corresponding \fBX509_STORE\fR, please see
+\&\fIX509_STORE_set_verify\fR\|(3) for more information.
.SH "WARNING"
.IX Header "WARNING"
In general a verification callback should \fB\s-1NOT\s0\fR unconditionally return 1 in
@@ -188,42 +215,40 @@ associated \fBX509_STORE\fR.
.IX Header "EXAMPLES"
Default callback operation:
.PP
-.Vb 4
-\& int verify_callback(int ok, X509_STORE_CTX *ctx)
-\& {
-\& return ok;
-\& }
+.Vb 3
+\& int verify_callback(int ok, X509_STORE_CTX *ctx) {
+\& return ok;
+\& }
.Ve
.PP
Simple example, suppose a certificate in the chain is expired and we wish
to continue after this error:
.PP
-.Vb 8
-\& int verify_callback(int ok, X509_STORE_CTX *ctx)
-\& {
-\& /* Tolerate certificate expiration */
-\& if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
-\& return 1;
-\& /* Otherwise don\*(Aqt override */
-\& return ok;
-\& }
+.Vb 7
+\& int verify_callback(int ok, X509_STORE_CTX *ctx) {
+\& /* Tolerate certificate expiration */
+\& if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
+\& return 1;
+\& /* Otherwise don\*(Aqt override */
+\& return ok;
+\& }
.Ve
.PP
More complex example, we don't wish to continue after \fBany\fR certificate has
expired just one specific case:
.PP
-.Vb 11
+.Vb 4
\& int verify_callback(int ok, X509_STORE_CTX *ctx)
-\& {
-\& int err = X509_STORE_CTX_get_error(ctx);
-\& X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
-\& if (err == X509_V_ERR_CERT_HAS_EXPIRED)
-\& {
-\& if (check_is_acceptable_expired_cert(err_cert)
-\& return 1;
-\& }
-\& return ok;
-\& }
+\& {
+\& int err = X509_STORE_CTX_get_error(ctx);
+\& X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
+\&
+\& if (err == X509_V_ERR_CERT_HAS_EXPIRED) {
+\& if (check_is_acceptable_expired_cert(err_cert)
+\& return 1;
+\& }
+\& return ok;
+\& }
.Ve
.PP
Full featured logging callback. In this case the \fBbio_err\fR is assumed to be
@@ -232,56 +257,54 @@ a global logging \fB\s-1BIO\s0\fR, an alternative would to store a \s-1BIO\s0 in
.PP
.Vb 4
\& int verify_callback(int ok, X509_STORE_CTX *ctx)
-\& {
-\& X509 *err_cert;
-\& int err,depth;
+\& {
+\& X509 *err_cert;
+\& int err, depth;
\&
-\& err_cert = X509_STORE_CTX_get_current_cert(ctx);
-\& err = X509_STORE_CTX_get_error(ctx);
-\& depth = X509_STORE_CTX_get_error_depth(ctx);
+\& err_cert = X509_STORE_CTX_get_current_cert(ctx);
+\& err = X509_STORE_CTX_get_error(ctx);
+\& depth = X509_STORE_CTX_get_error_depth(ctx);
\&
-\& BIO_printf(bio_err,"depth=%d ",depth);
-\& if (err_cert)
-\& {
-\& X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
-\& 0, XN_FLAG_ONELINE);
-\& BIO_puts(bio_err, "\en");
-\& }
-\& else
-\& BIO_puts(bio_err, "<no cert>\en");
-\& if (!ok)
-\& BIO_printf(bio_err,"verify error:num=%d:%s\en",err,
-\& X509_verify_cert_error_string(err));
-\& switch (err)
-\& {
-\& case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-\& BIO_puts(bio_err,"issuer= ");
-\& X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
-\& 0, XN_FLAG_ONELINE);
-\& BIO_puts(bio_err, "\en");
-\& break;
-\& case X509_V_ERR_CERT_NOT_YET_VALID:
-\& case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
-\& BIO_printf(bio_err,"notBefore=");
-\& ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert));
-\& BIO_printf(bio_err,"\en");
-\& break;
-\& case X509_V_ERR_CERT_HAS_EXPIRED:
-\& case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
-\& BIO_printf(bio_err,"notAfter=");
-\& ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert));
-\& BIO_printf(bio_err,"\en");
-\& break;
-\& case X509_V_ERR_NO_EXPLICIT_POLICY:
-\& policies_print(bio_err, ctx);
-\& break;
-\& }
-\& if (err == X509_V_OK && ok == 2)
-\& /* print out policies */
+\& BIO_printf(bio_err, "depth=%d ", depth);
+\& if (err_cert) {
+\& X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
+\& 0, XN_FLAG_ONELINE);
+\& BIO_puts(bio_err, "\en");
+\& }
+\& else
+\& BIO_puts(bio_err, "<no cert>\en");
+\& if (!ok)
+\& BIO_printf(bio_err, "verify error:num=%d:%s\en", err,
+\& X509_verify_cert_error_string(err));
+\& switch (err) {
+\& case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+\& BIO_puts(bio_err, "issuer= ");
+\& X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
+\& 0, XN_FLAG_ONELINE);
+\& BIO_puts(bio_err, "\en");
+\& break;
+\& case X509_V_ERR_CERT_NOT_YET_VALID:
+\& case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+\& BIO_printf(bio_err, "notBefore=");
+\& ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert));
+\& BIO_printf(bio_err, "\en");
+\& break;
+\& case X509_V_ERR_CERT_HAS_EXPIRED:
+\& case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+\& BIO_printf(bio_err, "notAfter=");
+\& ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
+\& BIO_printf(bio_err, "\en");
+\& break;
+\& case X509_V_ERR_NO_EXPLICIT_POLICY:
+\& policies_print(bio_err, ctx);
+\& break;
+\& }
+\& if (err == X509_V_OK && ok == 2)
+\& /* print out policies */
\&
-\& BIO_printf(bio_err,"verify return:%d\en",ok);
-\& return(ok);
-\& }
+\& BIO_printf(bio_err, "verify return:%d\en", ok);
+\& return(ok);
+\& }
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
@@ -290,5 +313,17 @@ a global logging \fB\s-1BIO\s0\fR, an alternative would to store a \s-1BIO\s0 in
\&\fIX509_STORE_CTX_get_ex_new_index\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
-\&\fIX509_STORE_CTX_set_verify_cb()\fR is available in all versions of SSLeay and
-OpenSSL.
+\&\fIX509_STORE_CTX_get_get_issuer()\fR,
+\&\fIX509_STORE_CTX_get_check_issued()\fR, \fIX509_STORE_CTX_get_check_revocation()\fR,
+\&\fIX509_STORE_CTX_get_get_crl()\fR, \fIX509_STORE_CTX_get_check_crl()\fR,
+\&\fIX509_STORE_CTX_get_cert_crl()\fR, \fIX509_STORE_CTX_get_check_policy()\fR,
+\&\fIX509_STORE_CTX_get_lookup_certs()\fR, \fIX509_STORE_CTX_get_lookup_crls()\fR
+and \fIX509_STORE_CTX_get_cleanup()\fR were added in OpenSSL 1.1.0.
+.SH "COPYRIGHT"
+.IX Header "COPYRIGHT"
+Copyright 2009\-2016 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file \s-1LICENSE\s0 in the source distribution or at
+<https://www.openssl.org/source/license.html>.