1 files changed, 0 insertions, 736 deletions

diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
deleted file mode 100644
index a0ae839f9a..0000000000
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
+++ /dev/null
@@ -1,736 +0,0 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.29 2023/04/30 19:40:23 tb Exp $
-.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
-.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2021, 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" and Viktor Dukhovni <viktor@dukhovni.org>.
-.\" Copyright (c) 2009, 2013, 2014, 2015, 2016, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 30 2023 $
-.Dt X509_VERIFY_PARAM_SET_FLAGS 3
-.Os
-.Sh NAME
-.Nm X509_VERIFY_PARAM_get0_name ,
-.Nm X509_VERIFY_PARAM_set1_name ,
-.Nm X509_VERIFY_PARAM_set_flags ,
-.Nm X509_VERIFY_PARAM_clear_flags ,
-.Nm X509_VERIFY_PARAM_get_flags ,
-.Nm X509_VERIFY_PARAM_set_purpose ,
-.Nm X509_VERIFY_PARAM_set_trust ,
-.Nm X509_VERIFY_PARAM_set_time ,
-.Nm X509_VERIFY_PARAM_get_time ,
-.Nm X509_VERIFY_PARAM_add0_policy ,
-.Nm X509_VERIFY_PARAM_set1_policies ,
-.Nm X509_VERIFY_PARAM_set_depth ,
-.Nm X509_VERIFY_PARAM_get_depth ,
-.Nm X509_VERIFY_PARAM_set_auth_level ,
-.Nm X509_VERIFY_PARAM_set1_host ,
-.Nm X509_VERIFY_PARAM_add1_host ,
-.Nm X509_VERIFY_PARAM_set_hostflags ,
-.Nm X509_VERIFY_PARAM_get0_peername ,
-.Nm X509_VERIFY_PARAM_set1_email ,
-.Nm X509_VERIFY_PARAM_set1_ip ,
-.Nm X509_VERIFY_PARAM_set1_ip_asc
-.Nd X509 verification parameters
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft const char *
-.Fo X509_VERIFY_PARAM_get0_name
-.Fa "const X509_VERIFY_PARAM *param"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_name
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const char *name"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set_flags
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "unsigned long flags"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_clear_flags
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "unsigned long flags"
-.Fc
-.Ft unsigned long
-.Fo X509_VERIFY_PARAM_get_flags
-.Fa "X509_VERIFY_PARAM *param"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set_purpose
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "int purpose"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set_trust
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "int trust"
-.Fc
-.Ft void
-.Fo X509_VERIFY_PARAM_set_time
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "time_t t"
-.Fc
-.Ft time_t
-.Fo X509_VERIFY_PARAM_get_time
-.Fa const X509_VERIFY_PARAM *param"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_add0_policy
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "ASN1_OBJECT *policy"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_policies
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "STACK_OF(ASN1_OBJECT) *policies"
-.Fc
-.Ft void
-.Fo X509_VERIFY_PARAM_set_depth
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "int depth"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_get_depth
-.Fa "const X509_VERIFY_PARAM *param"
-.Fc
-.Ft void
-.Fo X509_VERIFY_PARAM_set_auth_level
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "int auth_level"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_host
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const char *name"
-.Fa "size_t namelen"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_add1_host
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const char *name"
-.Fa "size_t namelen"
-.Fc
-.Ft void
-.Fo X509_VERIFY_PARAM_set_hostflags
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "unsigned int flags"
-.Fc
-.Ft char *
-.Fo X509_VERIFY_PARAM_get0_peername
-.Fa "X509_VERIFY_PARAM *param"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_email
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const char *email"
-.Fa "size_t emaillen"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_ip
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const unsigned char *ip"
-.Fa "size_t iplen"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_ip_asc
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const char *ipasc"
-.Fc
-.Sh DESCRIPTION
-These functions manipulate an
-.Vt X509_VERIFY_PARAM
-object associated with a certificate verification operation.
-.Pp
-.Fn X509_VERIFY_PARAM_get0_name
-returns the name of the given
-.Fa param
-object, usually describing its purpose, for example
-.Qq default ,
-.Qq pkcs7 ,
-.Qq smime_sign ,
-.Qq ssl_client ,
-or
-.Qq ssl_server .
-For user-defined objects, the returned pointer may be
-.Dv NULL
-even if the object is otherwise valid.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_name
-sets the name of
-.Fa param
-to a copy of
-.Fa name ,
-or to
-.Dv NULL
-if
-.Fa name
-is
-.Dv NULL .
-.Pp
-.Fn X509_VERIFY_PARAM_set_flags
-sets the flags in
-.Fa param
-by OR'ing it with
-.Fa flags .
-See the
-.Sx VERIFICATION FLAGS
-section for a complete description of values the
-.Fa flags
-parameter can take.
-.Pp
-If the
-.Fa flags
-argument includes any of the flags contained in
-.Dv X509_V_FLAG_POLICY_MASK ,
-that is, any of
-.Dv X509_V_FLAG_POLICY_CHECK ,
-.Dv X509_V_FLAG_EXPLICIT_POLICY ,
-.Dv X509_V_FLAG_INHIBIT_ANY ,
-and
-.Dv X509_V_FLAG_INHIBIT_MAP ,
-then
-.Dv X509_V_FLAG_POLICY_CHECK
-is set in addition to the flags contained in the
-.Fa flags
-argument.
-.Pp
-.Fn X509_VERIFY_PARAM_get_flags
-returns the flags in
-.Fa param .
-.Pp
-.Fn X509_VERIFY_PARAM_clear_flags
-clears the specified
-.Fa flags
-in
-.Fa param .
-.Pp
-Calling this function can result in unusual internal states of the
-.Fa param
-object, for example having a verification time configured but having
-.Dv X509_V_FLAG_USE_CHECK_TIME
-unset, or having
-.Dv X509_V_FLAG_EXPLICIT_POLICY
-set but
-.Dv X509_V_FLAG_POLICY_CHECK
-unset, which may have surprising effects.
-.Pp
-.Fn X509_VERIFY_PARAM_set_purpose
-sets the verification
-.Fa purpose
-identifier in
-.Fa param .
-This determines the acceptable purpose of the certificate chain, for example
-.Dv X509_PURPOSE_SSL_CLIENT
-or
-.Dv X509_PURPOSE_SSL_SERVER .
-Standard purposes are listed in
-.Xr X509_check_purpose 3 ,
-and additional purposes can be defined with
-.Xr X509_PURPOSE_add 3 .
-.Pp
-.Fn X509_VERIFY_PARAM_set_trust
-sets the trust setting in
-.Fa param
-to
-.Fa trust .
-.Pp
-.Fn X509_VERIFY_PARAM_set_time
-sets the flag
-.Dv X509_V_FLAG_USE_CHECK_TIME
-in
-.Fa param
-in addition to the flags already set and sets the verification time to
-.Fa t .
-If this function is not called, the current time is used instead,
-or the UNIX Epoch (January 1, 1970) if
-.Dv X509_V_FLAG_USE_CHECK_TIME
-is manually set using
-.Fn X509_VERIFY_PARAM_set_flags .
-.Pp
-.Fn X509_VERIFY_PARAM_add0_policy
-enables policy checking (it is disabled by default) and adds
-.Fa policy
-to the acceptable policy set.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_policies
-enables policy checking (it is disabled by default) and sets the
-acceptable policy set to
-.Fa policies .
-Any existing policy set is cleared.
-The
-.Fa policies
-parameter can be
-.Dv NULL
-to clear an existing policy set.
-.Pp
-.Fn X509_VERIFY_PARAM_set_depth
-sets the maximum verification depth to
-.Fa depth .
-That is the maximum number of untrusted CA certificates that can appear
-in a chain.
-.Pp
-.Fn X509_VERIFY_PARAM_set_auth_level
-sets the security level as defined in
-.Xr SSL_CTX_set_security_level 3
-for certificate chain validation.
-For a certificate chain to validate, the public keys of all the
-certificates must meet the specified security level.
-The signature algorithm security level is not enforced for the
-chain's trust anchor certificate, which is either directly trusted
-or validated by means other than its signature.
-.Pp
-From the point of view of the X.509 library,
-the default security level is 0.
-However, the SSL library
-uses a different default security level of 1 and calls
-.Fn X509_VERIFY_PARAM_set_auth_level
-with its own level before validating a certificate chain.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_host
-sets the expected DNS hostname to
-.Fa name
-clearing any previously specified hostname or names.
-If
-.Fa name
-is
-.Dv NULL
-or empty, the list of hostnames is cleared, and name checks are not
-performed on the peer certificate.
-.Fa namelen
-should be set to the length of
-.Fa name .
-For historical compatibility, if
-.Fa name
-is NUL-terminated,
-.Fa namelen
-may be specified as zero.
-When a hostname is specified, certificate verification automatically
-invokes
-.Xr X509_check_host 3
-with flags equal to the
-.Fa flags
-argument given to
-.Fn X509_VERIFY_PARAM_set_hostflags
-(default zero).
-.Fn X509_VERIFY_PARAM_set1_host
-will fail if
-.Fa name
-contains any embedded 0 bytes.
-.Pp
-.Fn X509_VERIFY_PARAM_add1_host
-adds
-.Fa name
-as an additional reference identifier that can match the peer's
-certificate.
-Any previous names set via
-.Fn X509_VERIFY_PARAM_set1_host
-and
-.Fn X509_VERIFY_PARAM_add1_host
-are retained.
-No change is made if
-.Fa name
-is
-.Dv NULL
-or empty.
-.Fa namelen
-should be set to the length of
-.Fa name .
-For historical compatibility, if
-.Fa name
-is NUL-terminated,
-.Fa namelen
-may be specified as zero.
-.Fn X509_VERIFY_PARAM_add1_host
-will fail if
-.Fa name
-contains any embedded 0 bytes.
-When multiple names are configured, the peer is considered verified when
-any name matches.
-.Pp
-.Fn X509_VERIFY_PARAM_get0_peername
-returns the DNS hostname or subject CommonName from the peer certificate
-that matched one of the reference identifiers.
-When wildcard matching is not disabled, or when a reference identifier
-specifies a parent domain (starts with ".") rather than a hostname, the
-peer name may be a wildcard name or a sub-domain of the reference
-identifier respectively.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_email
-sets the expected RFC 822 email address to
-.Fa email .
-.Fa emaillen
-should be set to the length of
-.Fa email .
-For historical compatibility, if
-.Fa email
-is NUL-terminated,
-.Fa emaillen
-may be specified as zero,
-.Fn X509_VERIFY_PARAM_set1_email
-will fail if
-.Fa email
-is NULL, an empty string, or contains embedded 0 bytes.
-When an email address is specified, certificate verification
-automatically invokes
-.Xr X509_check_email 3 .
-.Pp
-.Fn X509_VERIFY_PARAM_set1_ip
-sets the expected IP address to
-.Fa ip .
-The
-.Fa ip
-argument is in binary format, in network byte-order, and
-.Fa iplen
-must be set to 4 for IPv4 and 16 for IPv6.
-.Fn X509_VERIFY_PARAM_set1_ip
-will fail if
-.Fa ip
-is NULL or if
-.Fa iplen
-is not 4 or 16.
-When an IP address is specified,
-certificate verification automatically invokes
-.Xr X509_check_ip 3 .
-.Pp
-.Fn X509_VERIFY_PARAM_set1_ip_asc
-sets the expected IP address to
-.Fa ipasc .
-The
-.Fa ipasc
-argument is a NUL-terminal ASCII string:
-dotted decimal quad for IPv4 and colon-separated hexadecimal for IPv6.
-The condensed "::" notation is supported for IPv6 addresses.
-.Fn X509_VERIFY_PARAM_set1_ip_asc
-will fail if
-.Fa ipasc
-is unparsable.
-.Sh RETURN VALUES
-.Fn X509_VERIFY_PARAM_set1_name ,
-.Fn X509_VERIFY_PARAM_set_flags ,
-.Fn X509_VERIFY_PARAM_clear_flags ,
-.Fn X509_VERIFY_PARAM_set_purpose ,
-.Fn X509_VERIFY_PARAM_set_trust ,
-.Fn X509_VERIFY_PARAM_add0_policy ,
-and
-.Fn X509_VERIFY_PARAM_set1_policies
-return 1 for success or 0 for failure.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_host ,
-.Fn X509_VERIFY_PARAM_add1_host ,
-.Fn X509_VERIFY_PARAM_set1_email ,
-.Fn X509_VERIFY_PARAM_set1_ip ,
-and
-.Fn X509_VERIFY_PARAM_set1_ip_asc
-return 1 for success or 0 for failure.
-A failure from these routines will poison
-the
-.Vt X509_VERIFY_PARAM
-object so that future calls to
-.Xr X509_verify_cert 3
-using the poisoned object will fail.
-.Pp
-.Fn X509_VERIFY_PARAM_get_flags
-returns the current verification flags.
-.Pp
-.Fn X509_VERIFY_PARAM_get_time
-always returns the configured verification time.
-It does so even if the returned time will not be used because the flag
-.Dv X509_V_FLAG_USE_CHECK_TIME
-is unset.
-.Pp
-.Fn X509_VERIFY_PARAM_get_depth
-returns the current verification depth.
-.Pp
-.Fn X509_VERIFY_PARAM_get0_name
-and
-.Fn X509_VERIFY_PARAM_get0_peername
-return pointers to strings that are only valid
-during the lifetime of the given
-.Fa param
-object and that must not be freed by the application program.
-.Sh VERIFICATION FLAGS
-The verification flags consists of zero or more of the following
-flags OR'ed together.
-.Pp
-.Dv X509_V_FLAG_CRL_CHECK
-enables CRL checking for the certificate chain leaf certificate.
-An error occurs if a suitable CRL cannot be found.
-.Pp
-.Dv X509_V_FLAG_CRL_CHECK_ALL
-enables CRL checking for the entire certificate chain.
-.Pp
-.Dv X509_V_FLAG_IGNORE_CRITICAL
-disables critical extension checking.
-By default any unhandled critical extensions in certificates or (if
-checked) CRLs results in a fatal error.
-If this flag is set, unhandled critical extensions are ignored.
-.Sy WARNING :
-setting this option for anything other than debugging purposes can be a
-security risk.
-Finer control over which extensions are supported can be performed in
-the verification callback.
-.Pp
-The
-.Dv X509_V_FLAG_X509_STRICT
-flag disables workarounds for some broken certificates and makes the
-verification strictly apply X509 rules.
-.Pp
-.Dv X509_V_FLAG_ALLOW_PROXY_CERTS
-deprecated flag that used to
-enable proxy certificate verification.
-In LibreSSL, this flag has no effect.
-.Pp
-.Dv X509_V_FLAG_POLICY_CHECK
-enables certificate policy checking; by default no policy checking is
-performed.
-Additional information is sent to the verification callback relating to
-policy checking.
-.Pp
-.Dv X509_V_FLAG_EXPLICIT_POLICY ,
-.Dv X509_V_FLAG_INHIBIT_ANY ,
-and
-.Dv X509_V_FLAG_INHIBIT_MAP
-set the
-.Dq require explicit policy ,
-.Dq inhibit any policy ,
-and
-.Dq inhibit policy mapping
-flags, respectively, as defined in RFC 3280.
-These three flags are ignored unless
-.Dv X509_V_FLAG_POLICY_CHECK
-is also set.
-.Pp
-If
-.Dv X509_V_FLAG_NOTIFY_POLICY
-is set and policy checking is successful, a special status code is
-sent to the verification callback.
-.Pp
-By default some additional features such as indirect CRLs and CRLs
-signed by different keys are disabled.
-If
-.Dv X509_V_FLAG_EXTENDED_CRL_SUPPORT
-is set, they are enabled.
-.Pp
-If
-.Dv X509_V_FLAG_USE_DELTAS
-is set, delta CRLs (if present) are used to determine certificate
-status.
-If not set, deltas are ignored.
-.Pp
-.Dv X509_V_FLAG_CHECK_SS_SIGNATURE
-enables checking of the root CA self signed certificate signature.
-By default this check is disabled because it doesn't add any additional
-security but in some cases applications might want to check the
-signature anyway.
-A side effect of not checking the root CA signature is that disabled or
-unsupported message digests on the root CA are not treated as fatal
-errors.
-.Pp
-The deprecated
-.Dv X509_V_FLAG_CB_ISSUER_CHECK
-flag used to enable debugging of certificate issuer checks.
-It is provided for binary backwards compatibility and has no effect.
-.Pp
-When
-.Dv X509_V_FLAG_TRUSTED_FIRST
-is set, construction of the certificate chain in
-.Xr X509_verify_cert 3
-will search the trust store for issuer certificates before searching the
-provided untrusted certificates.
-Local issuer certificates are often more likely to satisfy local
-security requirements and lead to a locally trusted root.
-This is especially important when some certificates in the trust store
-have explicit trust settings; see the trust settings options of the
-.Cm x509
-command in
-.Xr openssl 1 .
-.Pp
-The
-.Dv X509_V_FLAG_NO_ALT_CHAINS
-flag suppresses checking for alternative chains.
-By default, unless
-.Dv X509_V_FLAG_TRUSTED_FIRST
-is set, when building a certificate chain, if the first certificate
-chain found is not trusted, then OpenSSL will attempt to replace
-untrusted certificates supplied by the peer with certificates from the
-trust store to see if an alternative chain can be found that is trusted.
-.Pp
-The
-.Dv X509_V_FLAG_PARTIAL_CHAIN
-flag causes intermediate certificates in the trust store to be treated
-as trust-anchors, in the same way as the self-signed root CA
-certificates.
-This makes it possible to trust certificates issued by an intermediate
-CA without having to trust its ancestor root CA.
-.Pp
-If
-.Dv X509_V_FLAG_USE_CHECK_TIME
-is set, the validity period of certificates and CRLs is checked.
-In this case,
-.Dv X509_V_FLAG_NO_CHECK_TIME
-is ignored.
-If the validation time was set with
-.Fn X509_VERIFY_PARAM_set_time ,
-that time is used.
-If
-.Fn X509_VERIFY_PARAM_set_time
-was not called, the UNIX Epoch (January 1, 1970) is used.
-.Pp
-If neither
-.Dv X509_V_FLAG_USE_CHECK_TIME
-nor
-.Dv X509_V_FLAG_NO_CHECK_TIME
-is set, the validity period of certificates and CRLs is checked
-using the current time.
-This is the default behaviour.
-In this case, if a validation time was set with
-.Fn X509_VERIFY_PARAM_set_time
-but
-.Dv X509_V_FLAG_USE_CHECK_TIME
-was later cleared with
-.Fn X509_VERIFY_PARAM_clear_flags ,
-the configured validation time is ignored
-and the current time is used anyway.
-.Pp
-If
-.Dv X509_V_FLAG_USE_CHECK_TIME
-is not set but
-.Dv X509_V_FLAG_NO_CHECK_TIME
-is set, the validity period of certificates and CRLs is not checked
-at all, and like in the previous case, any configured validation
-time is ignored.
-.Sh EXAMPLES
-Enable CRL checking when performing certificate verification during
-SSL connections associated with an
-.Vt SSL_CTX
-structure
-.Fa ctx :
-.Bd -literal -offset indent
-X509_VERIFY_PARAM *param;
-
-param = X509_VERIFY_PARAM_new();
-X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
-SSL_CTX_set1_param(ctx, param);
-X509_VERIFY_PARAM_free(param);
-.Ed
-.Sh SEE ALSO
-.Xr SSL_set1_host 3 ,
-.Xr SSL_set1_param 3 ,
-.Xr X509_check_host 3 ,
-.Xr X509_STORE_CTX_new 3 ,
-.Xr X509_STORE_new 3 ,
-.Xr X509_verify_cert 3 ,
-.Xr X509_VERIFY_PARAM_new 3
-.Sh HISTORY
-.Fn X509_VERIFY_PARAM_set1_name ,
-.Fn X509_VERIFY_PARAM_set_flags ,
-.Fn X509_VERIFY_PARAM_set_purpose ,
-.Fn X509_VERIFY_PARAM_set_trust ,
-.Fn X509_VERIFY_PARAM_set_time ,
-.Fn X509_VERIFY_PARAM_add0_policy ,
-.Fn X509_VERIFY_PARAM_set1_policies ,
-.Fn X509_VERIFY_PARAM_set_depth ,
-and
-.Fn X509_VERIFY_PARAM_get_depth
-first appeared in OpenSSL 0.9.8.
-.Fn X509_VERIFY_PARAM_clear_flags
-and
-.Fn X509_VERIFY_PARAM_get_flags
-first appeared in OpenSSL 0.9.8a.
-All these functions have been available since
-.Ox 4.5 .
-.Pp
-.Fn X509_VERIFY_PARAM_get0_name ,
-.Fn X509_VERIFY_PARAM_set1_host ,
-.Fn X509_VERIFY_PARAM_add1_host ,
-.Fn X509_VERIFY_PARAM_set_hostflags ,
-.Fn X509_VERIFY_PARAM_get0_peername ,
-.Fn X509_VERIFY_PARAM_set1_email ,
-.Fn X509_VERIFY_PARAM_set1_ip ,
-and
-.Fn X509_VERIFY_PARAM_set1_ip_asc
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 6.3 .
-.Pp
-.Fn X509_VERIFY_PARAM_set_auth_level
-first appeared in OpenSSL 1.1.0 and
-.Fn X509_VERIFY_PARAM_get_time
-in OpenSSL 1.1.0d.
-Both functions have been available since
-.Ox 7.2 .
-.Sh BUGS
-Delta CRL checking is currently primitive.
-Only a single delta can be used and (partly due to limitations of
-.Vt X509_STORE )
-constructed CRLs are not maintained.
-.Pp
-If CRLs checking is enabled, CRLs are expected to be available in
-the corresponding
-.Vt X509_STORE
-structure.
-No attempt is made to download CRLs from the CRL distribution points
-extension.