summaryrefslogtreecommitdiffstats
path: root/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
diff options
context:
space:
mode:
Diffstat (limited to 'secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3')
-rw-r--r--secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3289
1 files changed, 289 insertions, 0 deletions
diff --git a/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 b/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
new file mode 100644
index 0000000..41c674c
--- /dev/null
+++ b/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
@@ -0,0 +1,289 @@
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.22)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings. \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+. ds -- \(*W-
+. ds PI pi
+. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
+. ds L" ""
+. ds R" ""
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds -- \|\(em\|
+. ds PI \(*p
+. ds L" ``
+. ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. nr % 0
+. rr F
+.\}
+.el \{\
+. de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear. Run. Save yourself. No user-serviceable parts.
+. \" fudge factors for nroff and troff
+.if n \{\
+. ds #H 0
+. ds #V .8m
+. ds #F .3m
+. ds #[ \f1
+. ds #] \fP
+.\}
+.if t \{\
+. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+. ds #V .6m
+. ds #F 0
+. ds #[ \&
+. ds #] \&
+.\}
+. \" simple accents for nroff and troff
+.if n \{\
+. ds ' \&
+. ds ` \&
+. ds ^ \&
+. ds , \&
+. ds ~ ~
+. ds /
+.\}
+.if t \{\
+. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+. \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+. \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+. \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+. ds : e
+. ds 8 ss
+. ds o a
+. ds d- d\h'-1'\(ga
+. ds D- D\h'-1'\(hy
+. ds th \o'bp'
+. ds Th \o'LP'
+. ds ae ae
+. ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "X509_STORE_CTX_set_verify_cb 3"
+.TH X509_STORE_CTX_set_verify_cb 3 "2012-05-10" "1.0.1c" "OpenSSL"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+X509_STORE_CTX_set_verify_cb \- set verification callback
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509_vfy.h>
+\&
+\& void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
+\& int (*verify_cb)(int ok, X509_STORE_CTX *ctx));
+.Ve
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+\&\fIX509_STORE_CTX_set_verify_cb()\fR sets the verification callback of \fBctx\fR to
+\&\fBverify_cb\fR overwriting any existing callback.
+.PP
+The verification callback can be used to customise the operation of certificate
+verification, either by overriding error conditions or logging errors for
+debugging purposes.
+.PP
+However a verification callback is \fBnot\fR essential and the default operation
+is often sufficient.
+.PP
+The \fBok\fR parameter to the callback indicates the value the callback should
+return to retain the default behaviour. If it is zero then and error condition
+is indicated. If it is 1 then no error occurred. If the flag
+\&\fBX509_V_FLAG_NOTIFY_POLICY\fR is set then \fBok\fR is set to 2 to indicate the
+policy checking is complete.
+.PP
+The \fBctx\fR parameter to the callback is the \fBX509_STORE_CTX\fR structure that
+is performing the verification operation. A callback can examine this
+structure and receive additional information about the error, for example
+by calling \fIX509_STORE_CTX_get_current_cert()\fR. Additional application data can
+be passed to the callback via the \fBex_data\fR mechanism.
+.SH "WARNING"
+.IX Header "WARNING"
+In general a verification callback should \fB\s-1NOT\s0\fR unconditionally return 1 in
+all circumstances because this will allow verification to succeed no matter
+what the error. This effectively removes all security from the application
+because \fBany\fR certificate (including untrusted generated ones) will be
+accepted.
+.SH "NOTES"
+.IX Header "NOTES"
+The verification callback can be set and inherited from the parent structure
+performing the operation. In some cases (such as S/MIME verification) the
+\&\fBX509_STORE_CTX\fR structure is created and destroyed internally and the
+only way to set a custom verification callback is by inheriting it from the
+associated \fBX509_STORE\fR.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fIX509_STORE_CTX_set_verify_cb()\fR does not return a value.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Default callback operation:
+.PP
+.Vb 4
+\& int verify_callback(int ok, X509_STORE_CTX *ctx)
+\& {
+\& return ok;
+\& }
+.Ve
+.PP
+Simple example, suppose a certificate in the chain is expired and we wish
+to continue after this error:
+.PP
+.Vb 8
+\& int verify_callback(int ok, X509_STORE_CTX *ctx)
+\& {
+\& /* Tolerate certificate expiration */
+\& if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
+\& return 1;
+\& /* Otherwise don\*(Aqt override */
+\& return ok;
+\& }
+.Ve
+.PP
+More complex example, we don't wish to continue after \fBany\fR certificate has
+expired just one specific case:
+.PP
+.Vb 11
+\& int verify_callback(int ok, X509_STORE_CTX *ctx)
+\& {
+\& int err = X509_STORE_CTX_get_error(ctx);
+\& X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
+\& if (err == X509_V_ERR_CERT_HAS_EXPIRED)
+\& {
+\& if (check_is_acceptable_expired_cert(err_cert)
+\& return 1;
+\& }
+\& return ok;
+\& }
+.Ve
+.PP
+Full featured logging callback. In this case the \fBbio_err\fR is assumed to be
+a global logging \fB\s-1BIO\s0\fR, an alternative would to store a \s-1BIO\s0 in \fBctx\fR using
+\&\fBex_data\fR.
+.PP
+.Vb 4
+\& int verify_callback(int ok, X509_STORE_CTX *ctx)
+\& {
+\& X509 *err_cert;
+\& int err,depth;
+\&
+\& err_cert = X509_STORE_CTX_get_current_cert(ctx);
+\& err = X509_STORE_CTX_get_error(ctx);
+\& depth = X509_STORE_CTX_get_error_depth(ctx);
+\&
+\& BIO_printf(bio_err,"depth=%d ",depth);
+\& if (err_cert)
+\& {
+\& X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
+\& 0, XN_FLAG_ONELINE);
+\& BIO_puts(bio_err, "\en");
+\& }
+\& else
+\& BIO_puts(bio_err, "<no cert>\en");
+\& if (!ok)
+\& BIO_printf(bio_err,"verify error:num=%d:%s\en",err,
+\& X509_verify_cert_error_string(err));
+\& switch (err)
+\& {
+\& case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+\& BIO_puts(bio_err,"issuer= ");
+\& X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
+\& 0, XN_FLAG_ONELINE);
+\& BIO_puts(bio_err, "\en");
+\& break;
+\& case X509_V_ERR_CERT_NOT_YET_VALID:
+\& case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+\& BIO_printf(bio_err,"notBefore=");
+\& ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert));
+\& BIO_printf(bio_err,"\en");
+\& break;
+\& case X509_V_ERR_CERT_HAS_EXPIRED:
+\& case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+\& BIO_printf(bio_err,"notAfter=");
+\& ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert));
+\& BIO_printf(bio_err,"\en");
+\& break;
+\& case X509_V_ERR_NO_EXPLICIT_POLICY:
+\& policies_print(bio_err, ctx);
+\& break;
+\& }
+\& if (err == X509_V_OK && ok == 2)
+\& /* print out policies */
+\&
+\& BIO_printf(bio_err,"verify return:%d\en",ok);
+\& return(ok);
+\& }
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIX509_STORE_CTX_get_error\fR\|(3)
+\&\fIX509_STORE_set_verify_cb_func\fR\|(3)
+\&\fIX509_STORE_CTX_get_ex_new_index\fR\|(3)
+.SH "HISTORY"
+.IX Header "HISTORY"
+\&\fIX509_STORE_CTX_set_verify_cb()\fR is available in all versions of SSLeay and
+OpenSSL.
OpenPOWER on IntegriCloud