-rw-r--r--lib/libcrypto/man/Makefile3
-rw-r--r--lib/libcrypto/man/X509_STORE_CTX_get_error.37
-rw-r--r--lib/libcrypto/man/X509_STORE_CTX_new.37
-rw-r--r--lib/libcrypto/man/X509_STORE_CTX_set_flags.37
-rw-r--r--lib/libcrypto/man/X509_STORE_CTX_set_verify.3167
-rw-r--r--lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.311
-rw-r--r--lib/libcrypto/man/X509_STORE_new.37
-rw-r--r--lib/libcrypto/man/X509_STORE_set_verify_cb_func.340
-rw-r--r--lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.36
9 files changed, 209 insertions, 46 deletions
diff --git a/lib/libcrypto/man/Makefile b/lib/libcrypto/man/Makefile
index 46ca3ba3d4e..830c556849f 100644
--- a/lib/libcrypto/man/Makefile
+++ b/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.215 2021/11/15 16:18:36 schwarze Exp $
+# $OpenBSD: Makefile,v 1.216 2021/11/17 16:08:32 schwarze Exp $
.include <bsd.own.mk>
@@ -322,6 +322,7 @@ MAN= \
X509_STORE_CTX_get_ex_new_index.3 \
X509_STORE_CTX_new.3 \
X509_STORE_CTX_set_flags.3 \
+ X509_STORE_CTX_set_verify.3 \
X509_STORE_CTX_set_verify_cb.3 \
X509_STORE_get_by_subject.3 \
X509_STORE_load_locations.3 \
diff --git a/lib/libcrypto/man/X509_STORE_CTX_get_error.3 b/lib/libcrypto/man/X509_STORE_CTX_get_error.3
index 36ea311dce8..7bfc01228f4 100644
--- a/lib/libcrypto/man/X509_STORE_CTX_get_error.3
+++ b/lib/libcrypto/man/X509_STORE_CTX_get_error.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.19 2021/11/16 12:06:57 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.20 2021/11/17 16:08:32 schwarze Exp $
.\" full merge up to:
.\" OpenSSL man3/X509_STORE_CTX_get_error 24a535ea Sep 22 13:14:20 2020 +0100
.\" OpenSSL man3/X509_STORE_CTX_new 24a535ea Sep 22 13:14:20 2020 +0100
@@ -68,7 +68,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: November 16 2021 $
+.Dd $Mdocdate: November 17 2021 $
.Dt X509_STORE_CTX_GET_ERROR 3
.Os
.Sh NAME
@@ -532,6 +532,9 @@ This will never be returned unless explicitly set by an application.
.Xr X509_policy_check 3 ,
.Xr X509_policy_tree_level_count 3 ,
.Xr X509_STORE_CTX_new 3 ,
+.Xr X509_STORE_CTX_set_verify 3 ,
+.Xr X509_STORE_CTX_set_verify_cb 3 ,
+.Xr X509_STORE_set_verify_cb 3 ,
.Xr X509_up_ref 3 ,
.Xr X509_verify_cert 3
.Sh HISTORY
diff --git a/lib/libcrypto/man/X509_STORE_CTX_new.3 b/lib/libcrypto/man/X509_STORE_CTX_new.3
index d1aca9527b9..a10742ff050 100644
--- a/lib/libcrypto/man/X509_STORE_CTX_new.3
+++ b/lib/libcrypto/man/X509_STORE_CTX_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_new.3,v 1.25 2021/10/18 18:20:39 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_new.3,v 1.26 2021/11/17 16:08:32 schwarze Exp $
.\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100
.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
.\"
@@ -67,7 +67,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: October 18 2021 $
+.Dd $Mdocdate: November 17 2021 $
.Dt X509_STORE_CTX_NEW 3
.Os
.Sh NAME
@@ -323,9 +323,12 @@ if no set of additional certificates was provided.
.Xr X509_STORE_CTX_get_error 3 ,
.Xr X509_STORE_CTX_get_ex_new_index 3 ,
.Xr X509_STORE_CTX_set_flags 3 ,
+.Xr X509_STORE_CTX_set_verify 3 ,
+.Xr X509_STORE_CTX_set_verify_cb 3 ,
.Xr X509_STORE_get_by_subject 3 ,
.Xr X509_STORE_new 3 ,
.Xr X509_STORE_set1_param 3 ,
+.Xr X509_STORE_set_verify_cb 3 ,
.Xr X509_verify_cert 3 ,
.Xr X509_VERIFY_PARAM_inherit 3 ,
.Xr X509_VERIFY_PARAM_set_flags 3
diff --git a/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 b/lib/libcrypto/man/X509_STORE_CTX_set_flags.3
index 4307a3ae98d..2ac76951faa 100644
--- a/lib/libcrypto/man/X509_STORE_CTX_set_flags.3
+++ b/lib/libcrypto/man/X509_STORE_CTX_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.5 2021/10/18 18:20:39 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.6 2021/11/17 16:08:32 schwarze Exp $
.\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100
.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
.\"
@@ -67,7 +67,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: October 18 2021 $
+.Dd $Mdocdate: November 17 2021 $
.Dt X509_STORE_CTX_SET_FLAGS 3
.Os
.Sh NAME
@@ -392,8 +392,11 @@ The other functions provide no diagnostics.
.Sh SEE ALSO
.Xr X509_STORE_CTX_get_error 3 ,
.Xr X509_STORE_CTX_new 3 ,
+.Xr X509_STORE_CTX_set_verify 3 ,
+.Xr X509_STORE_CTX_set_verify_cb 3 ,
.Xr X509_STORE_new 3 ,
.Xr X509_STORE_set1_param 3 ,
+.Xr X509_STORE_set_verify_cb 3 ,
.Xr X509_verify_cert 3 ,
.Xr X509_VERIFY_PARAM_new 3 ,
.Xr X509_VERIFY_PARAM_set_flags 3
diff --git a/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 b/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
new file mode 100644
index 00000000000..a68ade6b3f8
--- /dev/null
+++ b/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
@@ -0,0 +1,167 @@
+.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.1 2021/11/17 16:08:32 schwarze Exp $
+.\"
+.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: November 17 2021 $
+.Dt X509_STORE_CTX_SET_VERIFY 3
+.Os
+.\" ds LIBRESSL_NEW_API
+.Sh NAME
+.if dLIBRESSL_NEW_API \{\
+.Nm X509_STORE_CTX_verify_fn ,
+.\}
+.Nm X509_STORE_CTX_set_verify ,
+.ie dLIBRESSL_NEW_API \{\
+.Nm X509_STORE_CTX_get_verify ,
+.Nm X509_STORE_set_verify ,
+.Nm X509_STORE_set_verify_func
+.\}
+.el \{\
+.Nm X509_STORE_CTX_get_verify
+.\}
+.Nd user-defined certificate chain verification function
+.Sh SYNOPSIS
+.In openssl/x509_vfy.h
+.if dLIBRESSL_NEW_API \{\
+.Ft typedef int
+.Fo "(*X509_STORE_CTX_verify_fn)"
+.Fa "X509_STORE_CTX *ctx"
+.Fc
+.\}
+.Ft void
+.Fo X509_STORE_CTX_set_verify
+.Fa "X509_STORE_CTX *ctx"
+.ie dLIBRESSL_NEW_API \{\
+.Fa "X509_STORE_CTX_verify_fn verify"
+.\}
+.el \{\
+.Fa "int (*verify)(X509_STORE_CTX *)"
+.\}
+.Fc
+.ie dLIBRESSL_NEW_API \{\
+.Ft X509_STORE_CTX_verify_fn
+.Fo X509_STORE_CTX_get_verify
+.\}
+.el \{\
+.Ft int
+.Fo "(*X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx))"
+.\}
+.Fa "X509_STORE_CTX *ctx"
+.Fc
+.if dLIBRESSL_NEW_API \{\
+.Ft void
+.Fo X509_STORE_set_verify
+.Fa "X509_STORE *store"
+.Fa "X509_STORE_CTX_verify_fn verify"
+.Fc
+.Ft void
+.Fo X509_STORE_set_verify_func
+.Fa "X509_STORE *store"
+.Fa "X509_STORE_CTX_verify_fn verify"
+.Fc
+.\}
+.Sh DESCRIPTION
+.Fn X509_STORE_CTX_set_verify
+configures
+.Fa ctx
+to use the
+.Fa verify
+argument as the X.509 certificate chain verification function instead
+of the default verification function built into the library when
+.Xr X509_verify_cert 3
+is called.
+.Pp
+The
+.Fa verify
+function provided by the user is only called if the
+.Dv X509_V_FLAG_LEGACY_VERIFY
+or
+.Dv X509_V_FLAG_NO_ALT_CHAINS
+flag was set on
+.Fa ctx
+using
+.Xr X509_STORE_CTX_set_flags 3
+or
+.Xr X509_VERIFY_PARAM_set_flags 3 .
+Otherwise, it is ignored and a different algorithm is used that does
+not support replacing the verification function.
+.if dLIBRESSL_NEW_API \{\
+.Pp
+.Fn X509_STORE_set_verify
+saves the function pointer
+.Fa verify
+in the given
+.Fa store
+object.
+That pointer will be copied to an
+.Vt X509_STORE_CTX
+object when
+.Fa store
+is later passed as an argument to
+.Xr X509_STORE_CTX_init 3 .
+.Pp
+.Fn X509_STORE_set_verify_func
+is an alias for
+.Fn X509_STORE_set_verify
+implemented as a macro.
+.\}
+.Sh RETURN VALUES
+.if dLIBRESSL_NEW_API \{\
+.Fn X509_STORE_CTX_verify_fn
+is supposed to return 1 to indicate that the chain is valid
+or 0 if it is not or if an error occurred.
+.Pp
+.\}
+.Fn X509_STORE_CTX_get_verify
+returns a function pointer to the function previously set with
+.Fn X509_STORE_CTX_set_verify
+or
+.Xr X509_STORE_CTX_init 3 ,
+or
+.Dv NULL
+if
+.Fa ctx
+is uninitialized.
+.Sh SEE ALSO
+.Xr X509_STORE_CTX_init 3 ,
+.Xr X509_STORE_CTX_set_error 3 ,
+.Xr X509_STORE_CTX_set_flags 3 ,
+.Xr X509_STORE_CTX_set_verify_cb 3 ,
+.Xr X509_STORE_new 3 ,
+.Xr X509_STORE_set_flags 3 ,
+.Xr X509_STORE_set_verify_cb 3 ,
+.Xr X509_verify_cert 3 ,
+.Xr X509_VERIFY_PARAM_set_flags 3
+.Sh HISTORY
+.if dLIBRESSL_NEW_API \{\
+.Fn X509_STORE_set_verify_func
+first appeared in SSLeay 0.8.0 and has been available since
+.Ox 2.4 .
+.Pp
+.\}
+.Fn X509_STORE_CTX_set_verify
+and
+.Fn X509_STORE_CTX_get_verify
+first appeared in OpenSSL 1.1.0 and have been available since
+.Ox 7.1 .
+.if dLIBRESSL_NEW_API \{\
+.Pp
+.Fn X509_STORE_CTX_verify_fn
+and
+.Fn X509_STORE_set_verify
+first appeared in OpenSSL 1.1.0 and have been available since
+.reminder Check the version number!
+.Ox 7.1 .
+.\}
diff --git a/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 b/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
index bf0c6af40d8..2c16230a32b 100644
--- a/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
+++ b/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_set_verify_cb.3,v 1.6 2021/11/16 14:07:57 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_set_verify_cb.3,v 1.7 2021/11/17 16:08:32 schwarze Exp $
.\" full merge up to: OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
.\"
@@ -66,7 +66,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: November 16 2021 $
+.Dd $Mdocdate: November 17 2021 $
.Dt X509_STORE_CTX_SET_VERIFY_CB 3
.Os
.Sh NAME
@@ -253,7 +253,12 @@ verify_callback(int ok, X509_STORE_CTX *ctx)
.Sh SEE ALSO
.Xr X509_STORE_CTX_get_error 3 ,
.Xr X509_STORE_CTX_get_ex_new_index 3 ,
-.Xr X509_STORE_set_verify_cb_func 3
+.Xr X509_STORE_CTX_new 3 ,
+.Xr X509_STORE_CTX_set_error 3 ,
+.Xr X509_STORE_CTX_set_flags 3 ,
+.Xr X509_STORE_set_verify_cb 3 ,
+.Xr X509_verify_cert 3 ,
+.Xr X509_VERIFY_PARAM_set_flags 3
.Sh HISTORY
.Fn X509_STORE_CTX_set_verify_cb
first appeared in OpenSSL 0.9.6c and has been available since
diff --git a/lib/libcrypto/man/X509_STORE_new.3 b/lib/libcrypto/man/X509_STORE_new.3
index c84be75cbb7..a17da03a411 100644
--- a/lib/libcrypto/man/X509_STORE_new.3
+++ b/lib/libcrypto/man/X509_STORE_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_new.3,v 1.6 2021/11/09 16:23:04 schwarze Exp $
+.\" $OpenBSD: X509_STORE_new.3,v 1.7 2021/11/17 16:08:32 schwarze Exp $
.\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
.\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
.\"
@@ -67,7 +67,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: November 9 2021 $
+.Dd $Mdocdate: November 17 2021 $
.Dt X509_STORE_NEW 3
.Os
.Sh NAME
@@ -131,7 +131,8 @@ returns 1 for success and 0 for failure.
.Xr X509_STORE_get_ex_new_index 3 ,
.Xr X509_STORE_load_locations 3 ,
.Xr X509_STORE_set1_param 3 ,
-.Xr X509_STORE_set_verify_cb 3
+.Xr X509_STORE_set_verify_cb 3 ,
+.Xr X509_verify_cert 3
.Sh HISTORY
.Fn X509_STORE_new
and
diff --git a/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 b/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
index 59b1feff776..f6d534bbb0d 100644
--- a/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
+++ b/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_set_verify_cb_func.3,v 1.10 2021/07/29 10:13:45 schwarze Exp $
+.\" $OpenBSD: X509_STORE_set_verify_cb_func.3,v 1.11 2021/11/17 16:08:32 schwarze Exp $
.\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
.\" selective merge up to: OpenSSL 315c47e0 Dec 1 14:22:16 2020 +0100
.\"
@@ -49,13 +49,12 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: July 29 2021 $
+.Dd $Mdocdate: November 17 2021 $
.Dt X509_STORE_SET_VERIFY_CB_FUNC 3
.Os
.Sh NAME
.Nm X509_STORE_set_verify_cb ,
-.Nm X509_STORE_set_verify_cb_func ,
-.Nm X509_STORE_set_verify_func
+.Nm X509_STORE_set_verify_cb_func
.Nd set verification callback
.Sh SYNOPSIS
.In openssl/x509_vfy.h
@@ -69,11 +68,6 @@
.Fa "X509_STORE *st"
.Fa "int (*verify_cb)(int ok, X509_STORE_CTX *ctx)"
.Fc
-.Ft void
-.Fo X509_STORE_set_verify_func
-.Fa "X509_STORE *st"
-.Fa "int (*verify_func)(X509_STORE_CTX *ctx)"
-.Fc
.Sh DESCRIPTION
.Fn X509_STORE_set_verify_cb
sets the verification callback of
@@ -93,32 +87,16 @@ structure when it is initialized.
This can be used to set the verification callback when the
.Vt X509_STORE_CTX
is otherwise inaccessible (for example during S/MIME verification).
-.Pp
-.Fn X509_STORE_set_verify_func
-sets the final chain verification function for
-.Fa st
-to
-.Fa verify_func .
-Its purpose is to go through the chain of certificates and check
-that all signatures are valid and that the current time is within
-the limits of each certificate's first and last validity time.
-The final chain verification function
-must return 0 on failure and 1 on success.
-If
-.Fn X509_STORE_set_verify_func
-is not called or called with
-.Fa verify_func
-set to a
-.Dv NULL
-pointer, the built-in default function is used.
.Sh SEE ALSO
+.Xr X509_STORE_CTX_new 3 ,
+.Xr X509_STORE_CTX_set_verify 3 ,
.Xr X509_STORE_CTX_set_verify_cb 3 ,
-.Xr X509_STORE_new 3
+.Xr X509_STORE_new 3 ,
+.Xr X509_STORE_set_flags 3 ,
+.Xr X509_verify_cert 3
.Sh HISTORY
.Fn X509_STORE_set_verify_cb_func
-and
-.Fn X509_STORE_set_verify_func
-first appeared in SSLeay 0.8.0 and have been available since
+first appeared in SSLeay 0.8.0 and has been available since
.Ox 2.4 .
.Pp
.Fn X509_STORE_set_verify_cb
diff --git a/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
index 6e2c0259c5c..3226dabcd33 100644
--- a/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
+++ b/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.20 2021/11/13 19:21:17 schwarze Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.21 2021/11/17 16:08:32 schwarze Exp $
.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
.\"
@@ -68,7 +68,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: November 13 2021 $
+.Dd $Mdocdate: November 17 2021 $
.Dt X509_VERIFY_PARAM_SET_FLAGS 3
.Os
.Sh NAME
@@ -653,6 +653,8 @@ X509_VERIFY_PARAM_free(param);
.Xr SSL_set1_host 3 ,
.Xr SSL_set1_param 3 ,
.Xr X509_check_host 3 ,
+.Xr X509_STORE_CTX_new 3 ,
+.Xr X509_STORE_new 3 ,
.Xr X509_verify_cert 3 ,
.Xr X509_VERIFY_PARAM_new 3
.Sh HISTORY