1 files changed, 0 insertions, 756 deletions

diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
deleted file mode 100644
index ea3c867b8b..0000000000
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
+++ /dev/null
@@ -1,756 +0,0 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.17 2021/07/23 16:43:56 schwarze Exp $
-.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
-.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" and Viktor Dukhovni <viktor@dukhovni.org>.
-.\" Copyright (c) 2009, 2013, 2014, 2015, 2016, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 23 2021 $
-.Dt X509_VERIFY_PARAM_SET_FLAGS 3
-.Os
-.Sh NAME
-.Nm X509_VERIFY_PARAM_new ,
-.Nm X509_VERIFY_PARAM_free ,
-.Nm X509_VERIFY_PARAM_get0_name ,
-.Nm X509_VERIFY_PARAM_set1_name ,
-.Nm X509_VERIFY_PARAM_set_flags ,
-.Nm X509_VERIFY_PARAM_clear_flags ,
-.Nm X509_VERIFY_PARAM_get_flags ,
-.Nm X509_VERIFY_PARAM_set_purpose ,
-.Nm X509_VERIFY_PARAM_set_trust ,
-.Nm X509_VERIFY_PARAM_set_time ,
-.Nm X509_VERIFY_PARAM_add0_policy ,
-.Nm X509_VERIFY_PARAM_set1_policies ,
-.Nm X509_VERIFY_PARAM_set_depth ,
-.Nm X509_VERIFY_PARAM_get_depth ,
-.Nm X509_VERIFY_PARAM_set1_host ,
-.Nm X509_VERIFY_PARAM_add1_host ,
-.Nm X509_VERIFY_PARAM_set_hostflags ,
-.Nm X509_VERIFY_PARAM_get0_peername ,
-.Nm X509_VERIFY_PARAM_set1_email ,
-.Nm X509_VERIFY_PARAM_set1_ip ,
-.Nm X509_VERIFY_PARAM_set1_ip_asc ,
-.Nm X509_VERIFY_PARAM_add0_table ,
-.Nm X509_VERIFY_PARAM_lookup ,
-.Nm X509_VERIFY_PARAM_get_count ,
-.Nm X509_VERIFY_PARAM_get0 ,
-.Nm X509_VERIFY_PARAM_table_cleanup
-.Nd X509 verification parameters
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft X509_VERIFY_PARAM *
-.Fo X509_VERIFY_PARAM_new
-.Fa void
-.Fc
-.Ft void
-.Fo X509_VERIFY_PARAM_free
-.Fa "X509_VERIFY_PARAM *param"
-.Fc
-.Ft const char *
-.Fo X509_VERIFY_PARAM_get0_name
-.Fa "const X509_VERIFY_PARAM *param"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_name
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const char *name"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set_flags
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "unsigned long flags"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_clear_flags
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "unsigned long flags"
-.Fc
-.Ft unsigned long
-.Fo X509_VERIFY_PARAM_get_flags
-.Fa "X509_VERIFY_PARAM *param"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set_purpose
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "int purpose"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set_trust
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "int trust"
-.Fc
-.Ft void
-.Fo X509_VERIFY_PARAM_set_time
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "time_t t"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_add0_policy
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "ASN1_OBJECT *policy"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_policies
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "STACK_OF(ASN1_OBJECT) *policies"
-.Fc
-.Ft void
-.Fo X509_VERIFY_PARAM_set_depth
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "int depth"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_get_depth
-.Fa "const X509_VERIFY_PARAM *param"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_host
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const char *name"
-.Fa "size_t namelen"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_add1_host
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const char *name"
-.Fa "size_t namelen"
-.Fc
-.Ft void
-.Fo X509_VERIFY_PARAM_set_hostflags
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "unsigned int flags"
-.Fc
-.Ft char *
-.Fo X509_VERIFY_PARAM_get0_peername
-.Fa "X509_VERIFY_PARAM *param"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_email
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const char *email"
-.Fa "size_t emaillen"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_ip
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const unsigned char *ip"
-.Fa "size_t iplen"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_ip_asc
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const char *ipasc"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_add0_table
-.Fa "X509_VERIFY_PARAM *param"
-.Fc
-.Ft const X509_VERIFY_PARAM *
-.Fo X509_VERIFY_PARAM_lookup
-.Fa "const char *name"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_get_count
-.Fa void
-.Fc
-.Ft const X509_VERIFY_PARAM *
-.Fo X509_VERIFY_PARAM_get0
-.Fa "int id"
-.Fc
-.Ft void
-.Fo X509_VERIFY_PARAM_table_cleanup
-.Fa void
-.Fc
-.Sh DESCRIPTION
-These functions manipulate an
-.Vt X509_VERIFY_PARAM
-object associated with a certificate verification operation.
-.Pp
-.Fn X509_VERIFY_PARAM_new
-allocates and initializes an empty
-.Vt X509_VERIFY_PARAM
-object.
-.Pp
-.Fn X509_VERIFY_PARAM_free
-clears all data contained in
-.Fa param
-and releases all memory used by it.
-If
-.Fa param
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn X509_VERIFY_PARAM_get0_name
-returns the name of the given
-.Fa param
-object, usually describing its purpose, for example
-.Qq default ,
-.Qq pkcs7 ,
-.Qq smime_sign ,
-.Qq ssl_client ,
-or
-.Qq ssl_server .
-For user-defined objects, the returned pointer may be
-.Dv NULL
-even if the object is otherwise valid.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_name
-sets the name of
-.Fa param
-to a copy of
-.Fa name ,
-or to
-.Dv NULL
-if
-.Fa name
-is
-.Dv NULL .
-.Pp
-.Fn X509_VERIFY_PARAM_set_flags
-sets the flags in
-.Fa param
-by OR'ing it with
-.Fa flags .
-See the
-.Sx VERIFICATION FLAGS
-section for a complete description of values the
-.Fa flags
-parameter can take.
-.Pp
-.Fn X509_VERIFY_PARAM_get_flags
-returns the flags in
-.Fa param .
-.Pp
-.Fn X509_VERIFY_PARAM_clear_flags
-clears the flags
-.Fa flags
-in
-.Fa param .
-.Pp
-.Fn X509_VERIFY_PARAM_set_purpose
-sets the verification
-.Fa purpose
-identifier in
-.Fa param .
-This determines the acceptable purpose of the certificate chain, for example
-.Dv X509_PURPOSE_SSL_CLIENT
-or
-.Dv X509_PURPOSE_SSL_SERVER .
-Standard purposes are listed in
-.Xr X509_check_purpose 3 ,
-and additional purposes can be defined with
-.Xr X509_PURPOSE_add 3 .
-.Pp
-.Fn X509_VERIFY_PARAM_set_trust
-sets the trust setting in
-.Fa param
-to
-.Fa trust .
-.Pp
-.Fn X509_VERIFY_PARAM_set_time
-sets the verification time in
-.Fa param
-to
-.Fa t .
-Normally the current time is used.
-.Pp
-.Fn X509_VERIFY_PARAM_add0_policy
-enables policy checking (it is disabled by default) and adds
-.Fa policy
-to the acceptable policy set.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_policies
-enables policy checking (it is disabled by default) and sets the
-acceptable policy set to
-.Fa policies .
-Any existing policy set is cleared.
-The
-.Fa policies
-parameter can be
-.Dv NULL
-to clear an existing policy set.
-.Pp
-.Fn X509_VERIFY_PARAM_set_depth
-sets the maximum verification depth to
-.Fa depth .
-That is the maximum number of untrusted CA certificates that can appear
-in a chain.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_host
-sets the expected DNS hostname to
-.Fa name
-clearing any previously specified hostname or names.
-If
-.Fa name
-is
-.Dv NULL
-or empty, the list of hostnames is cleared, and name checks are not
-performed on the peer certificate.
-.Fa namelen
-should be set to the length of
-.Fa name .
-For historical compatibility, if
-.Fa name
-is NUL-terminated,
-.Fa namelen
-may be specified as zero.
-When a hostname is specified, certificate verification automatically
-invokes
-.Xr X509_check_host 3
-with flags equal to the
-.Fa flags
-argument given to
-.Fn X509_VERIFY_PARAM_set_hostflags
-(default zero).
-.Fn X509_VERIFY_PARAM_set1_host
-will fail if
-.Fa name
-contains any embedded 0 bytes.
-.Pp
-.Fn X509_VERIFY_PARAM_add1_host
-adds
-.Fa name
-as an additional reference identifier that can match the peer's
-certificate.
-Any previous names set via
-.Fn X509_VERIFY_PARAM_set1_host
-and
-.Fn X509_VERIFY_PARAM_add1_host
-are retained.
-No change is made if
-.Fa name
-is
-.Dv NULL
-or empty.
-.Fa namelen
-should be set to the length of
-.Fa name .
-For historical compatibility, if
-.Fa name
-is NUL-terminated,
-.Fa namelen
-may be specified as zero.
-.Fn X509_VERIFY_PARAM_add1_host
-will fail if
-.Fa name
-contains any embedded 0 bytes.
-When multiple names are configured, the peer is considered verified when
-any name matches.
-.Pp
-.Fn X509_VERIFY_PARAM_get0_peername
-returns the DNS hostname or subject CommonName from the peer certificate
-that matched one of the reference identifiers.
-When wildcard matching is not disabled, or when a reference identifier
-specifies a parent domain (starts with ".") rather than a hostname, the
-peer name may be a wildcard name or a sub-domain of the reference
-identifier respectively.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_email
-sets the expected RFC 822 email address to
-.Fa email .
-.Fa emaillen
-should be set to the length of
-.Fa email .
-For historical compatibility, if
-.Fa email
-is NUL-terminated,
-.Fa emaillen
-may be specified as zero,
-.Fn X509_VERIFY_PARAM_set1_email
-will fail if
-.Fa email
-is NULL, an empty string, or contains embedded 0 bytes.
-When an email address is specified, certificate verification
-automatically invokes
-.Xr X509_check_email 3 .
-.Pp
-.Fn X509_VERIFY_PARAM_set1_ip
-sets the expected IP address to
-.Fa ip .
-The
-.Fa ip
-argument is in binary format, in network byte-order, and
-.Fa iplen
-must be set to 4 for IPv4 and 16 for IPv6.
-.Fn X509_VERIFY_PARAM_set1_ip
-will fail if
-.Fa ip
-is NULL or if
-.Fa iplen
-is not 4 or 16.
-When an IP address is specified,
-certificate verification automatically invokes
-.Xr X509_check_ip 3 .
-.Pp
-.Fn X509_VERIFY_PARAM_set1_ip_asc
-sets the expected IP address to
-.Fa ipasc .
-The
-.Fa ipasc
-argument is a NUL-terminal ASCII string:
-dotted decimal quad for IPv4 and colon-separated hexadecimal for IPv6.
-The condensed "::" notation is supported for IPv6 addresses.
-.Fn X509_VERIFY_PARAM_set1_ip_asc
-will fail if
-.Fa ipasc
-is unparsable.
-.Pp
-.Fn X509_VERIFY_PARAM_add0_table
-adds
-.Fa param
-to a static list of
-.Vt X509_VERIFY_PARAM
-objects maintained by the library.
-This function is extremely dangerous because contrary to the name
-of the function, if the list already contains an object that happens
-to have the same name, that old object is not only silently removed
-from the list, but also silently freed, which may silently invalidate
-various pointers existing elsewhere in the program.
-.Pp
-.Fn X509_VERIFY_PARAM_lookup
-searches this list for an object of the given
-.Fa name .
-If no match is found, the predefined objects built-in to the library
-are also inspected.
-.Pp
-.Fn X509_VERIFY_PARAM_get_count
-returns the sum of the number of objects on this list and the number
-of predefined objects built-in to the library.
-Note that this is not necessarily the total number of
-.Vt X509_VERIFY_PARAM
-objects existing in the program because there may be additional such
-objects that were never added to the list.
-.Pp
-.Fn X509_VERIFY_PARAM_get0
-accesses predefined and user-defined objects using
-.Fa id
-as an index, useful for looping over objects without knowing their names.
-An argument less than the number of predefined objects selects
-one of the predefined objects; a higher argument selects an object
-from the list.
-.Pp
-.Fn X509_VERIFY_PARAM_table_cleanup
-deletes all objects from this list.
-It is extremely dangerous because it also invalidates all data that
-was contained in all objects that were on the list and because it
-frees all these objects, which may invalidate various pointers
-existing elsewhere in the program.
-.Sh RETURN VALUES
-.Fn X509_VERIFY_PARAM_new
-returns a pointer to the new object, or
-.Dv NULL
-on allocation failure.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_name ,
-.Fn X509_VERIFY_PARAM_set_flags ,
-.Fn X509_VERIFY_PARAM_clear_flags ,
-.Fn X509_VERIFY_PARAM_set_purpose ,
-.Fn X509_VERIFY_PARAM_set_trust ,
-.Fn X509_VERIFY_PARAM_add0_policy ,
-.Fn X509_VERIFY_PARAM_set1_policies ,
-and
-.Fn X509_VERIFY_PARAM_add0_table
-return 1 for success or 0 for failure.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_host ,
-.Fn X509_VERIFY_PARAM_add1_host ,
-.Fn X509_VERIFY_PARAM_set1_email ,
-.Fn X509_VERIFY_PARAM_set1_ip ,
-and
-.Fn X509_VERIFY_PARAM_set1_ip_asc ,
-return 1 for success or 0 for failure.
-A failure from these routines will poison
-the
-.Vt X509_VERIFY_PARAM
-object so that future calls to
-.Xr X509_verify_cert 3
-using the poisoned object will fail.
-.Pp
-.Fn X509_VERIFY_PARAM_get_flags
-returns the current verification flags.
-.Pp
-.Fn X509_VERIFY_PARAM_get_depth
-returns the current verification depth.
-.Pp
-.Fn X509_VERIFY_PARAM_get0_name
-and
-.Fn X509_VERIFY_PARAM_get0_peername
-return pointers to strings that are only valid
-during the lifetime of the given
-.Fa param
-object and that must not be freed by the application program.
-.Pp
-.Fn X509_VERIFY_PARAM_lookup
-and
-.Fn X509_VERIFY_PARAM_get0
-return a pointer to an existing built-in or user-defined object, or
-.Dv NULL
-if no object with the given
-.Fa name
-is found, or if
-.Fa id
-is at least
-.Fn X509_VERIFY_PARAM_get_count .
-.Pp
-.Fn X509_VERIFY_PARAM_get_count
-returns a number of objects.
-.Sh VERIFICATION FLAGS
-The verification flags consists of zero or more of the following
-flags OR'ed together.
-.Pp
-.Dv X509_V_FLAG_CRL_CHECK
-enables CRL checking for the certificate chain leaf certificate.
-An error occurs if a suitable CRL cannot be found.
-.Pp
-.Dv X509_V_FLAG_CRL_CHECK_ALL
-enables CRL checking for the entire certificate chain.
-.Pp
-.Dv X509_V_FLAG_IGNORE_CRITICAL
-disables critical extension checking.
-By default any unhandled critical extensions in certificates or (if
-checked) CRLs results in a fatal error.
-If this flag is set unhandled critical extensions are ignored.
-.Sy WARNING :
-setting this option for anything other than debugging purposes can be a
-security risk.
-Finer control over which extensions are supported can be performed in
-the verification callback.
-.Pp
-The
-.Dv X509_V_FLAG_X509_STRICT
-flag disables workarounds for some broken certificates and makes the
-verification strictly apply X509 rules.
-.Pp
-.Dv X509_V_FLAG_ALLOW_PROXY_CERTS
-enables proxy certificate verification.
-.Pp
-.Dv X509_V_FLAG_POLICY_CHECK
-enables certificate policy checking; by default no policy checking is
-performed.
-Additional information is sent to the verification callback relating to
-policy checking.
-.Pp
-.Dv X509_V_FLAG_EXPLICIT_POLICY ,
-.Dv X509_V_FLAG_INHIBIT_ANY ,
-and
-.Dv X509_V_FLAG_INHIBIT_MAP
-set the
-.Dq require explicit policy ,
-.Dq inhibit any policy ,
-and
-.Dq inhibit policy mapping
-flags, respectively, as defined in RFC 3280.
-Policy checking is automatically enabled if any of these flags are set.
-.Pp
-If
-.Dv X509_V_FLAG_NOTIFY_POLICY
-is set and the policy checking is successful a special status code is
-set to the verification callback.
-This permits it to examine the valid policy tree and perform additional
-checks or simply log it for debugging purposes.
-.Pp
-By default some additional features such as indirect CRLs and CRLs
-signed by different keys are disabled.
-If
-.Dv X509_V_FLAG_EXTENDED_CRL_SUPPORT
-is set they are enabled.
-.Pp
-If
-.Dv X509_V_FLAG_USE_DELTAS
-is set, delta CRLs (if present) are used to determine certificate
-status.
-If not set, deltas are ignored.
-.Pp
-.Dv X509_V_FLAG_CHECK_SS_SIGNATURE
-enables checking of the root CA self signed certificate signature.
-By default this check is disabled because it doesn't add any additional
-security but in some cases applications might want to check the
-signature anyway.
-A side effect of not checking the root CA signature is that disabled or
-unsupported message digests on the root CA are not treated as fatal
-errors.
-.Pp
-The
-.Dv X509_V_FLAG_CB_ISSUER_CHECK
-flag enables debugging of certificate issuer checks.
-It is
-.Sy not
-needed unless you are logging certificate verification.
-If this flag is set then additional status codes will be sent to the
-verification callback and it
-.Sy must
-be prepared to handle such cases without assuming they are hard errors.
-.Pp
-When
-.Dv X509_V_FLAG_TRUSTED_FIRST
-is set, construction of the certificate chain in
-.Xr X509_verify_cert 3
-will search the trust store for issuer certificates before searching the
-provided untrusted certificates.
-Local issuer certificates are often more likely to satisfy local
-security requirements and lead to a locally trusted root.
-This is especially important when some certificates in the trust store
-have explicit trust settings; see the trust settings options of the
-.Cm x509
-command in
-.Xr openssl 1 .
-.Pp
-The
-.Dv X509_V_FLAG_NO_ALT_CHAINS
-flag suppresses checking for alternative chains.
-By default, unless
-.Dv X509_V_FLAG_TRUSTED_FIRST
-is set, when building a certificate chain, if the first certificate
-chain found is not trusted, then OpenSSL will attempt to replace
-untrusted certificates supplied by the peer with certificates from the
-trust store to see if an alternative chain can be found that is trusted.
-.Pp
-The
-.Dv X509_V_FLAG_PARTIAL_CHAIN
-flag causes intermediate certificates in the trust store to be treated
-as trust-anchors, in the same way as the self-signed root CA
-certificates.
-This makes it possible to trust certificates issued by an intermediate
-CA without having to trust its ancestor root CA.
-.Pp
-The
-.Dv X509_V_FLAG_NO_CHECK_TIME
-flag suppresses checking the validity period of certificates and CRLs
-against the current time.
-If
-.Fn X509_VERIFY_PARAM_set_time
-is used to specify a verification time, the check is not suppressed.
-.Sh EXAMPLES
-Enable CRL checking when performing certificate verification during
-SSL connections associated with an
-.Vt SSL_CTX
-structure
-.Fa ctx :
-.Bd -literal -offset indent
-X509_VERIFY_PARAM *param;
-
-param = X509_VERIFY_PARAM_new();
-X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
-SSL_CTX_set1_param(ctx, param);
-X509_VERIFY_PARAM_free(param);
-.Ed
-.Sh SEE ALSO
-.Xr SSL_set1_host 3 ,
-.Xr SSL_set1_param 3 ,
-.Xr X509_check_host 3 ,
-.Xr X509_STORE_CTX_set0_param 3 ,
-.Xr X509_STORE_set1_param 3 ,
-.Xr X509_verify_cert 3
-.Sh HISTORY
-.Fn X509_VERIFY_PARAM_new ,
-.Fn X509_VERIFY_PARAM_free ,
-.Fn X509_VERIFY_PARAM_set1_name ,
-.Fn X509_VERIFY_PARAM_set_flags ,
-.Fn X509_VERIFY_PARAM_set_purpose ,
-.Fn X509_VERIFY_PARAM_set_trust ,
-.Fn X509_VERIFY_PARAM_set_time ,
-.Fn X509_VERIFY_PARAM_add0_policy ,
-.Fn X509_VERIFY_PARAM_set1_policies ,
-.Fn X509_VERIFY_PARAM_set_depth ,
-.Fn X509_VERIFY_PARAM_get_depth ,
-.Fn X509_VERIFY_PARAM_add0_table ,
-.Fn X509_VERIFY_PARAM_lookup ,
-and
-.Fn X509_VERIFY_PARAM_table_cleanup
-first appeared in OpenSSL 0.9.8.
-.Fn X509_VERIFY_PARAM_clear_flags
-and
-.Fn X509_VERIFY_PARAM_get_flags
-first appeared in OpenSSL 0.9.8a.
-All these functions have been available since
-.Ox 4.5 .
-.Pp
-.Fn X509_VERIFY_PARAM_get0_name
-.Fn X509_VERIFY_PARAM_set1_host ,
-.Fn X509_VERIFY_PARAM_add1_host ,
-.Fn X509_VERIFY_PARAM_set_hostflags ,
-.Fn X509_VERIFY_PARAM_get0_peername ,
-.Fn X509_VERIFY_PARAM_set1_email ,
-.Fn X509_VERIFY_PARAM_set1_ip ,
-.Fn X509_VERIFY_PARAM_set1_ip_asc ,
-.Fn X509_VERIFY_PARAM_get_count ,
-and
-.Fn X509_VERIFY_PARAM_get0
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 6.3 .
-.Sh BUGS
-Delta CRL checking is currently primitive.
-Only a single delta can be used and (partly due to limitations of
-.Vt X509_STORE )
-constructed CRLs are not maintained.
-.Pp
-If CRLs checking is enabled, CRLs are expected to be available in
-the corresponding
-.Vt X509_STORE
-structure.
-No attempt is made to download CRLs from the CRL distribution points
-extension.