CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2024/01/12 12:28:02
Modified files:
lib/libcrypto/man: X509_STORE_CTX_set_flags.3
Log message:
Remove X509_STORE_CTX_purpose_inherit(3) documentation
This abomination of an API will be removed. Remove the hairy details of
its internals and make the documentation of X509_STORE_CTX_set_trust(3)
and X509_STORE_CTX_set_purpose(3) independent of it.
Neither of these two remaining APIs can be recommended. Once set, trust
and purpose are sticky. Setting the trust to a different (valid) value
will indicate success but leave the value unchanged. I suppose it means
the new trust value was successfully ignored. Also, setting the trust to
X509_TRUST_DEFAULT can succeed or fail depending on which OpenSSL
derivative you use. Setting the purpose will also set the trust (unless
it is already set). Setting some purposes may or may not fail depending
on the OpenSSL lib.
The only way you have a chance of knowing what will be set is by calling
only one of these functions directly after X509_STORE_CTX_init(). This
isn't really safe either because in some versions the user can override
the values stored in a global table by writing directly to it.
The actual contributions here are rather minimal. State more explicitly
that 0 is invalid (but results in success being returned), document the
error values to be accurate across implementations and call out some of
the nonsense in a CAVEATS section.
Many thanks to schwarze for the very helpful review with lots of input.
ok schwarze
