authorsimon <simon@FreeBSD.org>2006-07-29 19:41:41 +0000
committersimon <simon@FreeBSD.org>2006-07-29 19:41:41 +0000
commit018ef6efe1e20b420eaa3afdaa37b0abeba93a1a (patch)
treee9b6155f49a3b6073b95b808e1e0a1ec5489a21f /secure/lib/libssl/man/SSL_CTX_set_verify.3
parent152e76d1d1dcc649357b52f30943345b06aa162c (diff)
downloadFreeBSD-src-018ef6efe1e20b420eaa3afdaa37b0abeba93a1a.zip
FreeBSD-src-018ef6efe1e20b420eaa3afdaa37b0abeba93a1a.tar.gz
Upgrade to OpenSSL 0.9.8b.
Diffstat (limited to 'secure/lib/libssl/man/SSL_CTX_set_verify.3')
-rw-r--r--secure/lib/libssl/man/SSL_CTX_set_verify.392
1 files changed, 48 insertions, 44 deletions
diff --git a/secure/lib/libssl/man/SSL_CTX_set_verify.3 b/secure/lib/libssl/man/SSL_CTX_set_verify.3
index 491c054..7f7a607 100644
--- a/secure/lib/libssl/man/SSL_CTX_set_verify.3
+++ b/secure/lib/libssl/man/SSL_CTX_set_verify.3
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:47:43 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
@@ -15,12 +14,6 @@
.if t .sp .5v
.if n .sp
..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
.de Vb \" Begin verbatim text
.ft CW
.nf
@@ -28,15 +21,14 @@
..
.de Ve \" End verbatim text
.ft R
-
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available. \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
.tr \(*W-|\(bv\*(Tr
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
@@ -56,10 +48,10 @@
. ds R" ''
'br\}
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD. Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
.if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
. rr F
.\}
.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
.hy 0
.if n .na
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
-.bd B 3
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
@@ -135,11 +126,10 @@
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
.\"
.IX Title "SSL_CTX_set_verify 3"
-.TH SSL_CTX_set_verify 3 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH SSL_CTX_set_verify 3 "2006-07-29" "0.9.8b" "OpenSSL"
.SH "NAME"
SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth \- set peer certificate verification parameters
.SH "SYNOPSIS"
@@ -147,6 +137,7 @@ SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_dep
.Vb 1
\& #include <openssl/ssl.h>
.Ve
+.PP
.Vb 6
\& void SSL_CTX_set_verify(SSL_CTX *ctx, int mode,
\& int (*verify_callback)(int, X509_STORE_CTX *));
@@ -155,6 +146,7 @@ SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_dep
\& void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
\& void SSL_set_verify_depth(SSL *s, int depth);
.Ve
+.PP
.Vb 1
\& int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);
.Ve
@@ -170,7 +162,7 @@ shall be specified, the \s-1NULL\s0 pointer can be used for \fBverify_callback\f
this case last \fBverify_callback\fR set specifically for this \fBssl\fR remains. If
no special \fBcallback\fR was set before, the default callback for the underlying
\&\fBctx\fR is used, that was valid at the the time \fBssl\fR was created with
-SSL_new(3).
+\&\fISSL_new\fR\|(3).
.PP
\&\fISSL_CTX_set_verify_depth()\fR sets the maximum \fBdepth\fR for the certificate chain
verification that shall be allowed for \fBctx\fR. (See the \s-1BUGS\s0 section.)
@@ -181,7 +173,7 @@ verification that shall be allowed for \fBssl\fR. (See the \s-1BUGS\s0 section.)
.IX Header "NOTES"
The verification of certificates can be controlled by a set of logically
or'ed \fBmode\fR flags:
-.Ip "\s-1SSL_VERIFY_NONE\s0" 4
+.IP "\s-1SSL_VERIFY_NONE\s0" 4
.IX Item "SSL_VERIFY_NONE"
\&\fBServer mode:\fR the server will not send a client certificate request to the
client, so the client will not send a certificate.
@@ -189,9 +181,9 @@ client, so the client will not send a certificate.
\&\fBClient mode:\fR if not using an anonymous cipher (by default disabled), the
server will send a certificate which will be checked. The result of the
certificate verification process can be checked after the \s-1TLS/SSL\s0 handshake
-using the SSL_get_verify_result(3) function.
+using the \fISSL_get_verify_result\fR\|(3) function.
The handshake will be continued regardless of the verification result.
-.Ip "\s-1SSL_VERIFY_PEER\s0" 4
+.IP "\s-1SSL_VERIFY_PEER\s0" 4
.IX Item "SSL_VERIFY_PEER"
\&\fBServer mode:\fR the server sends a client certificate request to the client.
The certificate returned (if any) is checked. If the verification process
@@ -206,14 +198,14 @@ fails, the \s-1TLS/SSL\s0 handshake is
immediately terminated with an alert message containing the reason for
the verification failure. If no server certificate is sent, because an
anonymous cipher is used, \s-1SSL_VERIFY_PEER\s0 is ignored.
-.Ip "\s-1SSL_VERIFY_FAIL_IF_NO_PEER_CERT\s0" 4
+.IP "\s-1SSL_VERIFY_FAIL_IF_NO_PEER_CERT\s0" 4
.IX Item "SSL_VERIFY_FAIL_IF_NO_PEER_CERT"
\&\fBServer mode:\fR if the client did not return a certificate, the \s-1TLS/SSL\s0
handshake is immediately terminated with a \*(L"handshake failure\*(R" alert.
This flag must be used together with \s-1SSL_VERIFY_PEER\s0.
.Sp
\&\fBClient mode:\fR ignored
-.Ip "\s-1SSL_VERIFY_CLIENT_ONCE\s0" 4
+.IP "\s-1SSL_VERIFY_CLIENT_ONCE\s0" 4
.IX Item "SSL_VERIFY_CLIENT_ONCE"
\&\fBServer mode:\fR only request a client certificate on the initial \s-1TLS/SSL\s0
handshake. Do not ask for a client certificate again in case of a
@@ -227,7 +219,7 @@ set at any time.
The actual verification procedure is performed either using the built-in
verification procedure or using another application provided verification
function set with
-SSL_CTX_set_cert_verify_callback(3).
+\&\fISSL_CTX_set_cert_verify_callback\fR\|(3).
The following descriptions apply in the case of the built-in procedure. An
application provided procedure also has access to the verify depth information
and the \fIverify_callback()\fR function, but the way this information is used
@@ -267,10 +259,10 @@ process is immediately stopped with \*(L"verification failed\*(R" state. If
\&\s-1SSL_VERIFY_PEER\s0 is set, a verification failure alert is sent to the peer and
the \s-1TLS/SSL\s0 handshake is terminated. If \fBverify_callback\fR returns 1,
the verification process is continued. If \fBverify_callback\fR always returns
-1, the \s-1TLS/SSL\s0 handshake will never be terminated because of this application
-experiencing a verification failure. The calling process can however
-retrieve the error code of the last verification error using
-SSL_get_verify_result(3) or by maintaining its
+1, the \s-1TLS/SSL\s0 handshake will not be terminated with respect to verification
+failures and the connection will be established. The calling process can
+however retrieve the error code of the last verification error using
+\&\fISSL_get_verify_result\fR\|(3) or by maintaining its
own error storage managed by \fBverify_callback\fR.
.PP
If no \fBverify_callback\fR is specified, the default callback will be used.
@@ -305,8 +297,8 @@ certificates.
.PP
The example makes use of the ex_data technique to store application data
into/retrieve application data from the \s-1SSL\s0 structure
-(see SSL_get_ex_new_index(3),
-SSL_get_ex_data_X509_STORE_CTX_idx(3)).
+(see \fISSL_get_ex_new_index\fR\|(3),
+\&\fISSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3)).
.PP
.Vb 15
\& ...
@@ -325,11 +317,13 @@ SSL_get_ex_data_X509_STORE_CTX_idx(3)).
\& SSL *ssl;
\& mydata_t *mydata;
.Ve
+.PP
.Vb 3
\& err_cert = X509_STORE_CTX_get_current_cert(ctx);
\& err = X509_STORE_CTX_get_error(ctx);
\& depth = X509_STORE_CTX_get_error_depth(ctx);
.Ve
+.PP
.Vb 6
\& /*
\& * Retrieve the pointer to the SSL of the connection currently treated
@@ -338,9 +332,11 @@ SSL_get_ex_data_X509_STORE_CTX_idx(3)).
\& ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
\& mydata = SSL_get_ex_data(ssl, mydata_index);
.Ve
+.PP
.Vb 1
\& X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
.Ve
+.PP
.Vb 22
\& /*
\& * Catch a too long certificate chain. The depth limit set using
@@ -365,6 +361,7 @@ SSL_get_ex_data_X509_STORE_CTX_idx(3)).
\& printf("depth=%d:%s\en", depth, buf);
\& }
.Ve
+.PP
.Vb 9
\& /*
\& * At this point, err contains the last verification error. We can use
@@ -376,6 +373,7 @@ SSL_get_ex_data_X509_STORE_CTX_idx(3)).
\& printf("issuer= %s\en", buf);
\& }
.Ve
+.PP
.Vb 6
\& if (mydata->always_continue)
\& return 1;
@@ -384,18 +382,22 @@ SSL_get_ex_data_X509_STORE_CTX_idx(3)).
\& }
\& ...
.Ve
+.PP
.Vb 1
\& mydata_t mydata;
.Ve
+.PP
.Vb 2
\& ...
\& mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL);
.Ve
+.PP
.Vb 3
\& ...
\& SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
\& verify_callback);
.Ve
+.PP
.Vb 5
\& /*
\& * Let the verify_callback catch the verify_depth error so that we get
@@ -403,6 +405,7 @@ SSL_get_ex_data_X509_STORE_CTX_idx(3)).
\& */
\& SSL_CTX_set_verify_depth(verify_depth + 1);
.Ve
+.PP
.Vb 6
\& /*
\& * Set up the SSL specific data into "mydata" and store it into th SSL
@@ -411,6 +414,7 @@ SSL_get_ex_data_X509_STORE_CTX_idx(3)).
\& mydata.verify_depth = verify_depth; ...
\& SSL_set_ex_data(ssl, mydata_index, &mydata);
.Ve
+.PP
.Vb 9
\& ...
\& SSL_accept(ssl); /* check of success left out for clarity */
@@ -424,11 +428,11 @@ SSL_get_ex_data_X509_STORE_CTX_idx(3)).
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-ssl(3), SSL_new(3),
-SSL_CTX_get_verify_mode(3),
-SSL_get_verify_result(3),
-SSL_CTX_load_verify_locations(3),
-SSL_get_peer_certificate(3),
-SSL_CTX_set_cert_verify_callback(3),
-SSL_get_ex_data_X509_STORE_CTX_idx(3),
-SSL_get_ex_new_index(3)
+\&\fIssl\fR\|(3), \fISSL_new\fR\|(3),
+\&\fISSL_CTX_get_verify_mode\fR\|(3),
+\&\fISSL_get_verify_result\fR\|(3),
+\&\fISSL_CTX_load_verify_locations\fR\|(3),
+\&\fISSL_get_peer_certificate\fR\|(3),
+\&\fISSL_CTX_set_cert_verify_callback\fR\|(3),
+\&\fISSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3),
+\&\fISSL_get_ex_new_index\fR\|(3)