6 files changed, 10 insertions, 205 deletions
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index fc3204e3a2..42b4c2fbe1 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.249 2023/04/30 14:49:47 tb Exp $
+# $OpenBSD: Makefile,v 1.250 2023/04/30 19:40:23 tb Exp $
 .include <bsd.own.mk>
@@ -265,7 +265,6 @@ MAN=	\
        PKCS8_pkey_set0.3 \
        PKEY_USAGE_PERIOD_new.3 \
        POLICYINFO_new.3 \
-        PROXY_POLICY_new.3 \
        RAND_add.3 \
        RAND_bytes.3 \
        RAND_load_file.3 \
@@ -407,7 +406,6 @@ MAN=	\
        d2i_PKCS8_PRIV_KEY_INFO.3 \
        d2i_PKEY_USAGE_PERIOD.3 \
        d2i_POLICYINFO.3 \
-        d2i_PROXY_POLICY.3 \
        d2i_PrivateKey.3 \
        d2i_RSAPublicKey.3 \
        d2i_TS_REQ.3 \
diff --git a/src/lib/libcrypto/man/PROXY_POLICY_new.3 b/src/lib/libcrypto/man/PROXY_POLICY_new.3
deleted file mode 100644
index c23a620177..0000000000
--- a/src/lib/libcrypto/man/PROXY_POLICY_new.3
+++ /dev/null
@@ -1,97 +0,0 @@
-.\"     $OpenBSD: PROXY_POLICY_new.3,v 1.6 2021/10/27 11:24:47 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 27 2021 $
-.Dt PROXY_POLICY_NEW 3
-.Os
-.Sh NAME
-.Nm PROXY_POLICY_new ,
-.Nm PROXY_POLICY_free ,
-.Nm PROXY_CERT_INFO_EXTENSION_new ,
-.Nm PROXY_CERT_INFO_EXTENSION_free
-.Nd X.509 proxy certificate extension
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft PROXY_POLICY *
-.Fn PROXY_POLICY_new void
-.Ft void
-.Fn PROXY_POLICY_free "PROXY_POLICY *pp"
-.Ft PROXY_CERT_INFO_EXTENSION *
-.Fn PROXY_CERT_INFO_EXTENSION_new void
-.Ft void
-.Fn PROXY_CERT_INFO_EXTENSION_free "PROXY_CERT_INFO_EXTENSION *pcie"
-.Sh DESCRIPTION
-If a given non-CA certificate grants any privileges, using that
-certificate to issue a proxy certificate and handing that proxy
-certificate over to another person, organization, or service allows
-the bearer of the proxy certificate to exercise some or all of the
-privileges on behalf of the subject of the original certificate.
-.Pp
-.Fn PROXY_POLICY_new
-allocates and initializes an empty
-.Vt PROXY_POLICY
-object, representing an ASN.1
-.Vt ProxyPolicy
-structure defined in RFC 3820 section 3.8.
-It defines which privileges are to be delegated.
-.Fn PROXY_POLICY_free
-frees
-.Fa pp .
-.Pp
-.Fn PROXY_CERT_INFO_EXTENSION_new
-allocates and initializes an empty
-.Vt PROXY_CERT_INFO_EXTENSION
-object, representing an ASN.1
-.Vt ProxyCertInfo
-structure defined in RFC 3820 section 3.8.
-It can contain a
-.Vt PROXY_POLICY
-object, and it can additionally restrict the maximum depth of the
-path of proxy certificates that can be signed by this proxy
-certificate.
-.Fn PROXY_CERT_INFO_EXTENSION_free
-frees
-.Fa pcie .
-.Pp
-If a non-CA certificate contains a
-.Vt PROXY_CERT_INFO_EXTENSION ,
-it is a proxy certificate; otherwise, it is an end entity certificate.
-.Sh RETURN VALUES
-.Fn PROXY_POLICY_new
-and
-.Fn PROXY_CERT_INFO_EXTENSION_new
-return the new
-.Vt PROXY_POLICY
-or
-.Vt PROXY_CERT_INFO_EXTENSION
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr BASIC_CONSTRAINTS_new 3 ,
-.Xr d2i_PROXY_POLICY 3 ,
-.Xr EXTENDED_KEY_USAGE_new 3 ,
-.Xr POLICYINFO_new 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_get_extension_flags 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy
-Certificate Profile
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7g
-and have been available since
-.Ox 3.8 .
diff --git a/src/lib/libcrypto/man/X509_EXTENSION_set_object.3 b/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
index 3ade50e4d6..dcfe075ebd 100644
--- a/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
+++ b/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.16 2023/04/25 18:48:32 tb Exp $
+.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.17 2023/04/30 19:40:23 tb Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2023 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt X509_EXTENSION_SET_OBJECT 3
 .Os
 .Sh NAME
@@ -291,7 +291,6 @@ pointer.
 .Xr OCSP_SERVICELOC_new 3 ,
 .Xr PKEY_USAGE_PERIOD_new 3 ,
 .Xr POLICYINFO_new 3 ,
-.Xr PROXY_POLICY_new 3 ,
 .Xr TS_REQ_new 3 ,
 .Xr X509_check_ca 3 ,
 .Xr X509_check_host 3 ,
diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
index 65e20f1ad8..a0ae839f9a 100644
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
+++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.28 2023/04/30 14:49:47 tb Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.29 2023/04/30 19:40:23 tb Exp $
 .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -540,7 +540,9 @@ flag disables workarounds for some broken certificates and makes the
 verification strictly apply X509 rules.
 .Pp
 .Dv X509_V_FLAG_ALLOW_PROXY_CERTS
-enables proxy certificate verification.
+deprecated flag that used to
+enable proxy certificate verification.
+In LibreSSL, this flag has no effect.
 .Pp
 .Dv X509_V_FLAG_POLICY_CHECK
 enables certificate policy checking; by default no policy checking is
diff --git a/src/lib/libcrypto/man/X509_get_extension_flags.3 b/src/lib/libcrypto/man/X509_get_extension_flags.3
index 1f63c6a910..1d7f29c687 100644
--- a/src/lib/libcrypto/man/X509_get_extension_flags.3
+++ b/src/lib/libcrypto/man/X509_get_extension_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get_extension_flags.3,v 1.3 2021/11/11 13:58:59 schwarze Exp $
+.\" $OpenBSD: X509_get_extension_flags.3,v 1.4 2023/04/30 19:40:23 tb Exp $
 .\" full merge up to: OpenSSL 361136f4 Sep 1 18:56:58 2015 +0100
 .\" selective merge up to: OpenSSL 2b2e3106f Feb 16 15:04:45 2021 +0000
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 11 2021 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt X509_GET_EXTENSION_FLAGS 3
 .Os
 .Sh NAME
@@ -87,6 +87,7 @@ The certificate contains a basic constraints extension.
 The certificate contains basic constraints and asserts the CA flag.
 .It Dv EXFLAG_PROXY
 The certificate is a valid proxy certificate.
+In LibreSSL this flag is never set.
 .It Dv EXFLAG_SI
 The certificate is self issued (that is subject and issuer names match).
 .It Dv EXFLAG_SS
@@ -217,7 +218,6 @@ return sets of flags corresponding to the certificate extension values.
 .Xr BASIC_CONSTRAINTS_new 3 ,
 .Xr EXTENDED_KEY_USAGE_new 3 ,
 .Xr POLICYINFO_new 3 ,
-.Xr PROXY_CERT_INFO_EXTENSION_new 3 ,
 .Xr X509_check_ca 3 ,
 .Xr X509_check_purpose 3 ,
 .Xr X509_EXTENSION_new 3 ,
diff --git a/src/lib/libcrypto/man/d2i_PROXY_POLICY.3 b/src/lib/libcrypto/man/d2i_PROXY_POLICY.3
deleted file mode 100644
index 794c6edcec..0000000000
--- a/src/lib/libcrypto/man/d2i_PROXY_POLICY.3
+++ /dev/null
@@ -1,97 +0,0 @@
-.\"     $OpenBSD: d2i_PROXY_POLICY.3,v 1.2 2018/03/22 22:07:12 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 22 2018 $
-.Dt D2I_PROXY_POLICY 3
-.Os
-.Sh NAME
-.Nm d2i_PROXY_POLICY ,
-.Nm i2d_PROXY_POLICY ,
-.Nm d2i_PROXY_CERT_INFO_EXTENSION ,
-.Nm i2d_PROXY_CERT_INFO_EXTENSION
-.Nd decode and encode X.509 proxy certificate extensions
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft PROXY_POLICY *
-.Fo d2i_PROXY_POLICY
-.Fa "PROXY_POLICY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PROXY_POLICY
-.Fa "PROXY_POLICY *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PROXY_CERT_INFO_EXTENSION *
-.Fo d2i_PROXY_CERT_INFO_EXTENSION
-.Fa "PROXY_CERT_INFO_EXTENSION **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PROXY_CERT_INFO_EXTENSION
-.Fa "PROXY_CERT_INFO_EXTENSION *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions encode and decode X.509 extensions that decide
-whether a certificate is a proxy certificate, and which policies
-apply to it.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_PROXY_POLICY
-and
-.Fn i2d_PROXY_POLICY
-decode and encode an ASN.1
-.Vt ProxyPolicy
-structure defined in RFC 3820 section 3.8.
-.Pp
-.Fn d2i_PROXY_CERT_INFO_EXTENSION
-and
-.Fn i2d_PROXY_CERT_INFO_EXTENSION
-decode and encode an ASN.1
-.Vt ProxyCertInfo
-structure defined in RFC 3820 section 3.8.
-.Sh RETURN VALUES
-.Fn d2i_PROXY_POLICY
-and
-.Fn d2i_PROXY_CERT_INFO_EXTENSION
-return a
-.Vt PROXY_POLICY
-or
-.Vt PROXY_CERT_INFO_EXTENSION
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_PROXY_POLICY
-and
-.Fn i2d_PROXY_CERT_INFO_EXTENSION
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr PROXY_POLICY_new 3 ,
-.Xr X509_EXTENSION_new 3
-.Sh STANDARDS
-RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy
-Certificate Profile
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7g
-and have been available since
-.Ox 3.8 .

diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile index fc3204e3a2..42b4c2fbe1 100644 --- a/src/lib/libcrypto/man/Makefile +++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.249 2023/04/30 14:49:47 tb Exp $	1	# $OpenBSD: Makefile,v 1.250 2023/04/30 19:40:23 tb Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4		4
@@ -265,7 +265,6 @@ MAN= \
265	PKCS8_pkey_set0.3 \	265	PKCS8_pkey_set0.3 \
266	PKEY_USAGE_PERIOD_new.3 \	266	PKEY_USAGE_PERIOD_new.3 \
267	POLICYINFO_new.3 \	267	POLICYINFO_new.3 \
268	PROXY_POLICY_new.3 \
269	RAND_add.3 \	268	RAND_add.3 \
270	RAND_bytes.3 \	269	RAND_bytes.3 \
271	RAND_load_file.3 \	270	RAND_load_file.3 \
@@ -407,7 +406,6 @@ MAN= \
407	d2i_PKCS8_PRIV_KEY_INFO.3 \	406	d2i_PKCS8_PRIV_KEY_INFO.3 \
408	d2i_PKEY_USAGE_PERIOD.3 \	407	d2i_PKEY_USAGE_PERIOD.3 \
409	d2i_POLICYINFO.3 \	408	d2i_POLICYINFO.3 \
410	d2i_PROXY_POLICY.3 \
411	d2i_PrivateKey.3 \	409	d2i_PrivateKey.3 \
412	d2i_RSAPublicKey.3 \	410	d2i_RSAPublicKey.3 \
413	d2i_TS_REQ.3 \	411	d2i_TS_REQ.3 \


diff --git a/src/lib/libcrypto/man/PROXY_POLICY_new.3 b/src/lib/libcrypto/man/PROXY_POLICY_new.3 deleted file mode 100644 index c23a620177..0000000000 --- a/src/lib/libcrypto/man/PROXY_POLICY_new.3 +++ /dev/null
@@ -1,97 +0,0 @@
1	.\" $OpenBSD: PROXY_POLICY_new.3,v 1.6 2021/10/27 11:24:47 schwarze Exp $
2	.\"
3	.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
4	.\"
5	.\" Permission to use, copy, modify, and distribute this software for any
6	.\" purpose with or without fee is hereby granted, provided that the above
7	.\" copyright notice and this permission notice appear in all copies.
8	.\"
9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"
17	.Dd $Mdocdate: October 27 2021 $
18	.Dt PROXY_POLICY_NEW 3
19	.Os
20	.Sh NAME
21	.Nm PROXY_POLICY_new ,
22	.Nm PROXY_POLICY_free ,
23	.Nm PROXY_CERT_INFO_EXTENSION_new ,
24	.Nm PROXY_CERT_INFO_EXTENSION_free
25	.Nd X.509 proxy certificate extension
26	.Sh SYNOPSIS
27	.In openssl/x509v3.h
28	.Ft PROXY_POLICY *
29	.Fn PROXY_POLICY_new void
30	.Ft void
31	.Fn PROXY_POLICY_free "PROXY_POLICY *pp"
32	.Ft PROXY_CERT_INFO_EXTENSION *
33	.Fn PROXY_CERT_INFO_EXTENSION_new void
34	.Ft void
35	.Fn PROXY_CERT_INFO_EXTENSION_free "PROXY_CERT_INFO_EXTENSION *pcie"
36	.Sh DESCRIPTION
37	If a given non-CA certificate grants any privileges, using that
38	certificate to issue a proxy certificate and handing that proxy
39	certificate over to another person, organization, or service allows
40	the bearer of the proxy certificate to exercise some or all of the
41	privileges on behalf of the subject of the original certificate.
42	.Pp
43	.Fn PROXY_POLICY_new
44	allocates and initializes an empty
45	.Vt PROXY_POLICY
46	object, representing an ASN.1
47	.Vt ProxyPolicy
48	structure defined in RFC 3820 section 3.8.
49	It defines which privileges are to be delegated.
50	.Fn PROXY_POLICY_free
51	frees
52	.Fa pp .
53	.Pp
54	.Fn PROXY_CERT_INFO_EXTENSION_new
55	allocates and initializes an empty
56	.Vt PROXY_CERT_INFO_EXTENSION
57	object, representing an ASN.1
58	.Vt ProxyCertInfo
59	structure defined in RFC 3820 section 3.8.
60	It can contain a
61	.Vt PROXY_POLICY
62	object, and it can additionally restrict the maximum depth of the
63	path of proxy certificates that can be signed by this proxy
64	certificate.
65	.Fn PROXY_CERT_INFO_EXTENSION_free
66	frees
67	.Fa pcie .
68	.Pp
69	If a non-CA certificate contains a
70	.Vt PROXY_CERT_INFO_EXTENSION ,
71	it is a proxy certificate; otherwise, it is an end entity certificate.
72	.Sh RETURN VALUES
73	.Fn PROXY_POLICY_new
74	and
75	.Fn PROXY_CERT_INFO_EXTENSION_new
76	return the new
77	.Vt PROXY_POLICY
78	or
79	.Vt PROXY_CERT_INFO_EXTENSION
80	object, respectively, or
81	.Dv NULL
82	if an error occurs.
83	.Sh SEE ALSO
84	.Xr BASIC_CONSTRAINTS_new 3 ,
85	.Xr d2i_PROXY_POLICY 3 ,
86	.Xr EXTENDED_KEY_USAGE_new 3 ,
87	.Xr POLICYINFO_new 3 ,
88	.Xr X509_EXTENSION_new 3 ,
89	.Xr X509_get_extension_flags 3 ,
90	.Xr X509_new 3
91	.Sh STANDARDS
92	RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy
93	Certificate Profile
94	.Sh HISTORY
95	These functions first appeared in OpenSSL 0.9.7g
96	and have been available since
97	.Ox 3.8 .


diff --git a/src/lib/libcrypto/man/X509_EXTENSION_set_object.3 b/src/lib/libcrypto/man/X509_EXTENSION_set_object.3 index 3ade50e4d6..dcfe075ebd 100644 --- a/src/lib/libcrypto/man/X509_EXTENSION_set_object.3 +++ b/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.16 2023/04/25 18:48:32 tb Exp $	1	.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.17 2023/04/30 19:40:23 tb Exp $
2	.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400	2	.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
3	.\"	3	.\"
4	.\" This file is a derived work.	4	.\" This file is a derived work.
@@ -65,7 +65,7 @@
65	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	65	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
66	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	66	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
67	.\"	67	.\"
68	.Dd $Mdocdate: April 25 2023 $	68	.Dd $Mdocdate: April 30 2023 $
69	.Dt X509_EXTENSION_SET_OBJECT 3	69	.Dt X509_EXTENSION_SET_OBJECT 3
70	.Os	70	.Os
71	.Sh NAME	71	.Sh NAME
@@ -291,7 +291,6 @@ pointer.
291	.Xr OCSP_SERVICELOC_new 3 ,	291	.Xr OCSP_SERVICELOC_new 3 ,
292	.Xr PKEY_USAGE_PERIOD_new 3 ,	292	.Xr PKEY_USAGE_PERIOD_new 3 ,
293	.Xr POLICYINFO_new 3 ,	293	.Xr POLICYINFO_new 3 ,
294	.Xr PROXY_POLICY_new 3 ,
295	.Xr TS_REQ_new 3 ,	294	.Xr TS_REQ_new 3 ,
296	.Xr X509_check_ca 3 ,	295	.Xr X509_check_ca 3 ,
297	.Xr X509_check_host 3 ,	296	.Xr X509_check_host 3 ,


diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 index 65e20f1ad8..a0ae839f9a 100644 --- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 +++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.28 2023/04/30 14:49:47 tb Exp $	1	.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.29 2023/04/30 19:40:23 tb Exp $
2	.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500	2	.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
3	.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100	3	.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
4	.\"	4	.\"
@@ -540,7 +540,9 @@ flag disables workarounds for some broken certificates and makes the
540	verification strictly apply X509 rules.	540	verification strictly apply X509 rules.
541	.Pp	541	.Pp
542	.Dv X509_V_FLAG_ALLOW_PROXY_CERTS	542	.Dv X509_V_FLAG_ALLOW_PROXY_CERTS
543	enables proxy certificate verification.	543	deprecated flag that used to
		544	enable proxy certificate verification.
		545	In LibreSSL, this flag has no effect.
544	.Pp	546	.Pp
545	.Dv X509_V_FLAG_POLICY_CHECK	547	.Dv X509_V_FLAG_POLICY_CHECK
546	enables certificate policy checking; by default no policy checking is	548	enables certificate policy checking; by default no policy checking is


diff --git a/src/lib/libcrypto/man/X509_get_extension_flags.3 b/src/lib/libcrypto/man/X509_get_extension_flags.3 index 1f63c6a910..1d7f29c687 100644 --- a/src/lib/libcrypto/man/X509_get_extension_flags.3 +++ b/src/lib/libcrypto/man/X509_get_extension_flags.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_get_extension_flags.3,v 1.3 2021/11/11 13:58:59 schwarze Exp $	1	.\" $OpenBSD: X509_get_extension_flags.3,v 1.4 2023/04/30 19:40:23 tb Exp $
2	.\" full merge up to: OpenSSL 361136f4 Sep 1 18:56:58 2015 +0100	2	.\" full merge up to: OpenSSL 361136f4 Sep 1 18:56:58 2015 +0100
3	.\" selective merge up to: OpenSSL 2b2e3106f Feb 16 15:04:45 2021 +0000	3	.\" selective merge up to: OpenSSL 2b2e3106f Feb 16 15:04:45 2021 +0000
4	.\"	4	.\"
@@ -49,7 +49,7 @@
49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
51	.\"	51	.\"
52	.Dd $Mdocdate: November 11 2021 $	52	.Dd $Mdocdate: April 30 2023 $
53	.Dt X509_GET_EXTENSION_FLAGS 3	53	.Dt X509_GET_EXTENSION_FLAGS 3
54	.Os	54	.Os
55	.Sh NAME	55	.Sh NAME
@@ -87,6 +87,7 @@ The certificate contains a basic constraints extension.
87	The certificate contains basic constraints and asserts the CA flag.	87	The certificate contains basic constraints and asserts the CA flag.
88	.It Dv EXFLAG_PROXY	88	.It Dv EXFLAG_PROXY
89	The certificate is a valid proxy certificate.	89	The certificate is a valid proxy certificate.
		90	In LibreSSL this flag is never set.
90	.It Dv EXFLAG_SI	91	.It Dv EXFLAG_SI
91	The certificate is self issued (that is subject and issuer names match).	92	The certificate is self issued (that is subject and issuer names match).
92	.It Dv EXFLAG_SS	93	.It Dv EXFLAG_SS
@@ -217,7 +218,6 @@ return sets of flags corresponding to the certificate extension values.
217	.Xr BASIC_CONSTRAINTS_new 3 ,	218	.Xr BASIC_CONSTRAINTS_new 3 ,
218	.Xr EXTENDED_KEY_USAGE_new 3 ,	219	.Xr EXTENDED_KEY_USAGE_new 3 ,
219	.Xr POLICYINFO_new 3 ,	220	.Xr POLICYINFO_new 3 ,
220	.Xr PROXY_CERT_INFO_EXTENSION_new 3 ,
221	.Xr X509_check_ca 3 ,	221	.Xr X509_check_ca 3 ,
222	.Xr X509_check_purpose 3 ,	222	.Xr X509_check_purpose 3 ,
223	.Xr X509_EXTENSION_new 3 ,	223	.Xr X509_EXTENSION_new 3 ,


diff --git a/src/lib/libcrypto/man/d2i_PROXY_POLICY.3 b/src/lib/libcrypto/man/d2i_PROXY_POLICY.3 deleted file mode 100644 index 794c6edcec..0000000000 --- a/src/lib/libcrypto/man/d2i_PROXY_POLICY.3 +++ /dev/null
@@ -1,97 +0,0 @@
1	.\" $OpenBSD: d2i_PROXY_POLICY.3,v 1.2 2018/03/22 22:07:12 schwarze Exp $
2	.\"
3	.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
4	.\"
5	.\" Permission to use, copy, modify, and distribute this software for any
6	.\" purpose with or without fee is hereby granted, provided that the above
7	.\" copyright notice and this permission notice appear in all copies.
8	.\"
9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"
17	.Dd $Mdocdate: March 22 2018 $
18	.Dt D2I_PROXY_POLICY 3
19	.Os
20	.Sh NAME
21	.Nm d2i_PROXY_POLICY ,
22	.Nm i2d_PROXY_POLICY ,
23	.Nm d2i_PROXY_CERT_INFO_EXTENSION ,
24	.Nm i2d_PROXY_CERT_INFO_EXTENSION
25	.Nd decode and encode X.509 proxy certificate extensions
26	.Sh SYNOPSIS
27	.In openssl/x509v3.h
28	.Ft PROXY_POLICY *
29	.Fo d2i_PROXY_POLICY
30	.Fa "PROXY_POLICY **val_out"
31	.Fa "const unsigned char **der_in"
32	.Fa "long length"
33	.Fc
34	.Ft int
35	.Fo i2d_PROXY_POLICY
36	.Fa "PROXY_POLICY *val_in"
37	.Fa "unsigned char **der_out"
38	.Fc
39	.Ft PROXY_CERT_INFO_EXTENSION *
40	.Fo d2i_PROXY_CERT_INFO_EXTENSION
41	.Fa "PROXY_CERT_INFO_EXTENSION **val_out"
42	.Fa "const unsigned char **der_in"
43	.Fa "long length"
44	.Fc
45	.Ft int
46	.Fo i2d_PROXY_CERT_INFO_EXTENSION
47	.Fa "PROXY_CERT_INFO_EXTENSION *val_in"
48	.Fa "unsigned char **der_out"
49	.Fc
50	.Sh DESCRIPTION
51	These functions encode and decode X.509 extensions that decide
52	whether a certificate is a proxy certificate, and which policies
53	apply to it.
54	For details about the semantics, examples, caveats, and bugs, see
55	.Xr ASN1_item_d2i 3 .
56	.Pp
57	.Fn d2i_PROXY_POLICY
58	and
59	.Fn i2d_PROXY_POLICY
60	decode and encode an ASN.1
61	.Vt ProxyPolicy
62	structure defined in RFC 3820 section 3.8.
63	.Pp
64	.Fn d2i_PROXY_CERT_INFO_EXTENSION
65	and
66	.Fn i2d_PROXY_CERT_INFO_EXTENSION
67	decode and encode an ASN.1
68	.Vt ProxyCertInfo
69	structure defined in RFC 3820 section 3.8.
70	.Sh RETURN VALUES
71	.Fn d2i_PROXY_POLICY
72	and
73	.Fn d2i_PROXY_CERT_INFO_EXTENSION
74	return a
75	.Vt PROXY_POLICY
76	or
77	.Vt PROXY_CERT_INFO_EXTENSION
78	object, respectively, or
79	.Dv NULL
80	if an error occurs.
81	.Pp
82	.Fn i2d_PROXY_POLICY
83	and
84	.Fn i2d_PROXY_CERT_INFO_EXTENSION
85	return the number of bytes successfully encoded or a negative value
86	if an error occurs.
87	.Sh SEE ALSO
88	.Xr ASN1_item_d2i 3 ,
89	.Xr PROXY_POLICY_new 3 ,
90	.Xr X509_EXTENSION_new 3
91	.Sh STANDARDS
92	RFC 3820: Internet X.509 Public Key Infrastructure (PKI) Proxy
93	Certificate Profile
94	.Sh HISTORY
95	These functions first appeared in OpenSSL 0.9.7g
96	and have been available since
97	.Ox 3.8 .