428 files changed, 0 insertions, 96142 deletions

diff --git a/src/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3 b/src/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3
deleted file mode 100644
index 15156ffca3..0000000000
--- a/src/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3
+++ /dev/null
@@ -1,151 +0,0 @@
-.\"     $OpenBSD: ACCESS_DESCRIPTION_new.3,v 1.6 2022/03/31 17:27:16 naddy Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 31 2022 $
-.Dt ACCESS_DESCRIPTION_NEW 3
-.Os
-.Sh NAME
-.Nm ACCESS_DESCRIPTION_new ,
-.Nm ACCESS_DESCRIPTION_free ,
-.Nm AUTHORITY_INFO_ACCESS_new ,
-.Nm AUTHORITY_INFO_ACCESS_free
-.Nd X.509 information access extensions
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft ACCESS_DESCRIPTION *
-.Fn ACCESS_DESCRIPTION_new void
-.Ft void
-.Fn ACCESS_DESCRIPTION_free "ACCESS_DESCRIPTION *ad"
-.Ft AUTHORITY_INFO_ACCESS
-.Fn AUTHORITY_INFO_ACCESS_new void
-.Ft void
-.Fn AUTHORITY_INFO_ACCESS_free "AUTHORITY_INFO_ACCESS *aia"
-.Sh DESCRIPTION
-Using the information access extensions, certificates and certificate
-revocation lists can point to auxiliary information and services
-available online, for example online validation services or CA
-policy data.
-.Pp
-.Fn ACCESS_DESCRIPTION_new
-allocates and initializes an empty
-.Vt ACCESS_DESCRIPTION
-object, representing an ASN.1
-.Vt AccessDescription
-structure defined in RFC 5280 section 4.2.2.1.
-It can hold a pointer to a
-.Vt GENERAL_NAME
-object documented in
-.Xr GENERAL_NAME_new 3
-and an access method identifier.
-.Fn ACCESS_DESCRIPTION_free
-frees
-.Fa ad .
-.Pp
-The access method identifier is somewhat misnamed; it identifies
-the type and format of the information provided.
-How to access that information is often obvious from the
-.Vt GENERAL_NAME
-which may for example include a uniform resource identifier.
-.Pp
-Four standard access method identifiers are defined in RFC 5280:
-.Bl -bullet
-.It
-.Qq id-ad-caIssuers
-can occur in the authority information access extension of certificates
-and certificate revocation lists and provides access to certificates
-issued to the CA that issued the certificate, or provides access
-to certificates used for signing the CRL, in order to help constructing
-a certification path.
-.It
-.Qq id-ad-ocsp
-can occur in the authority information access extension of certificates
-and provides access to revocation information via the Online
-Certificate Status Protocol (OCSP) defined in RFC 6960.
-.It
-.Qq id-ad-caRepository
-can occur in the subject information access extension of CA
-certificates and provides access to an online repository of
-certificates issued by the CA.
-.It
-.Qq id-ad-timeStamping
-can occur in the subject information access extension of end entity
-certificates and indicates that the subject offers timestamping
-services using the Time Stamp Protocol defined in RFC 3161.
-.El
-.Pp
-.Fn AUTHORITY_INFO_ACCESS_new
-allocates and initializes an empty
-.Vt AUTHORITY_INFO_ACCESS
-object, which is a
-.Vt STACK_OF(ACCESS_DESCRIPTION)
-and represents an ASN.1
-.Vt AuthorityInfoAccessSyntax
-structure defined in RFC 5280 section 4.2.2.1.
-It can be used for the authority information access extension of
-certificates and certificate revocation lists and for the subject
-information access extension of certificates.
-.Fn AUTHORITY_INFO_ACCESS_free
-frees
-.Fa aia .
-.Sh RETURN VALUES
-.Fn ACCESS_DESCRIPTION_new
-and
-.Fn AUTHORITY_INFO_ACCESS_new
-return the new
-.Vt ACCESS_DESCRIPTION
-or
-.Vt AUTHORITY_INFO_ACCESS
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr d2i_ACCESS_DESCRIPTION 3 ,
-.Xr DIST_POINT_new 3 ,
-.Xr GENERAL_NAME_new 3 ,
-.Xr OCSP_REQUEST_new 3 ,
-.Xr TS_REQ_new 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-These extensions are only defined in the following RFC and not
-specified in the underlying X.509 standard.
-.Pp
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile:
-.Bl -dash -compact
-.It
-section 4.2.2.1: Certificate Extensions: Authority Information Access
-.It
-section 4.2.2.2: Certificate Extensions: Subject Information Access
-.It
-section 5.2.7: CRL Extensions: Authority Information Access
-.El
-.Pp
-Regarding OCSP and TSP, see:
-.Pp
-RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate
-Status Protocol
-.Pp
-RFC 3161: Internet X.509 Public Key Infrastructure Time-Stamp Protocol
-.Sh HISTORY
-.Fn ACCESS_DESCRIPTION_new ,
-.Fn ACCESS_DESCRIPTION_free ,
-.Fn AUTHORITY_INFO_ACCESS_new ,
-and
-.Fn AUTHORITY_INFO_ACCESS_free
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/AES_encrypt.3 b/src/lib/libcrypto/man/AES_encrypt.3
deleted file mode 100644
index f022848a61..0000000000
--- a/src/lib/libcrypto/man/AES_encrypt.3
+++ /dev/null
@@ -1,173 +0,0 @@
-.\" $OpenBSD: AES_encrypt.3,v 1.1 2019/08/28 10:37:42 schwarze Exp $
-.\"
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: August 28 2019 $
-.Dt AES_ENCRYPT 3
-.Os
-.Sh NAME
-.Nm AES_set_encrypt_key ,
-.Nm AES_set_decrypt_key ,
-.Nm AES_encrypt ,
-.Nm AES_decrypt ,
-.Nm AES_cbc_encrypt
-.Nd low-level interface to the AES symmetric cipher
-.Sh SYNOPSIS
-.In openssl/aes.h
-.Ft int
-.Fo AES_set_encrypt_key
-.Fa "const unsigned char *userKey"
-.Fa "const int bits"
-.Fa "AES_KEY *key"
-.Fc
-.Ft int
-.Fo AES_set_decrypt_key
-.Fa "const unsigned char *userKey"
-.Fa "const int bits"
-.Fa "AES_KEY *key"
-.Fc
-.Ft void
-.Fo AES_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "const AES_KEY *key"
-.Fc
-.Ft void
-.Fo AES_decrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "const AES_KEY *key"
-.Fc
-.Ft void
-.Fo AES_cbc_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "size_t length"
-.Fa "const AES_KEY *key"
-.Fa "unsigned char *ivec"
-.Fa "const int enc"
-.Fc
-.Sh DESCRIPTION
-These function provide a low-level interface to the AES symmetric
-cipher algorithm, also called Rijndael.
-For reasons of flexibility, it is recommended that application
-programs use the high-level interface described in
-.Xr EVP_EncryptInit 3
-and
-.Xr EVP_aes_128_cbc 3
-instead whenever possible.
-.Pp
-.Vt AES_KEY
-is a structure that can hold up to 60
-.Vt int
-values and a number of rounds.
-.Pp
-.Fn AES_set_encrypt_key
-expands the
-.Fa userKey ,
-which is
-.Fa bits
-long, into the
-.Fa key
-structure to prepare for encryption.
-The number of bits and bytes read from
-.Fa userKey ,
-the number of
-.Vt int
-values stored into
-.Fa key ,
-and the number of rounds are as follows:
-.Pp
-.Bl -column bits bytes ints rounds -offset indent -compact
-.It bits Ta bytes Ta ints Ta rounds
-.It 128  Ta 16    Ta 44   Ta 10
-.It 192  Ta 24    Ta 52   Ta 12
-.It 256  Ta 32    Ta 60   Ta 14
-.El
-.Pp
-.Fn AES_set_decrypt_key
-does the same, but in preparation for decryption.
-.Pp
-.Fn AES_encrypt
-reads a single 16 byte block from
-.Pf * Fa in ,
-encrypts it with the
-.Fa key ,
-and writes the 16 resulting bytes to
-.Pf * Fa out .
-The 16 byte buffers starting at
-.Fa in
-and
-.Fa out
-can overlap, and
-.Fa in
-and
-.Fa out
-can even point to the same memory location.
-.Pp
-.Fn AES_decrypt
-decrypts a single block and is otherwise identical to
-.Fn AES_encrypt .
-.Pp
-If
-.Fa enc
-is non-zero,
-.Fn AES_cbc_encrypt
-encrypts
-.Fa len
-bytes at
-.Fa in
-to
-.Fa out
-using the 128 bit
-.Fa key
-and the 128 bit
-initialization vector
-.Fa ivec
-in CBC mode.
-If
-.Fa enc
-is 0,
-.Fn AES_cbc_encrypt
-performs the corresponding decryption.
-.Sh RETURN VALUES
-.Fn AES_set_encrypt_key
-and
-.Fn AES_set_decrypt_key
-return 0 for success, -1 if
-.Fa userKey
-or
-.Fa key
-is
-.Dv NULL ,
-or -2 if the number of
-.Fa bits
-is unsupported.
-.Sh SEE ALSO
-.Xr crypto 3 ,
-.Xr EVP_aes_128_cbc 3 ,
-.Xr EVP_EncryptInit 3
-.Sh STANDARDS
-ISO/IEC 18033-3:2010
-Information technology \(em Security techniques \(em
-Encryption algorithms \(em Part 3: Block ciphers
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7
-and have been available since
-.Ox 3.2 .
-.Sh AUTHORS
-.An Vincent Rijmen
-.An Antoon Bosselaers
-.An Paulo Barreto
diff --git a/src/lib/libcrypto/man/ASIdentifiers_new.3 b/src/lib/libcrypto/man/ASIdentifiers_new.3
deleted file mode 100644
index d8473b81a0..0000000000
--- a/src/lib/libcrypto/man/ASIdentifiers_new.3
+++ /dev/null
@@ -1,138 +0,0 @@
-.\" $OpenBSD: ASIdentifiers_new.3,v 1.11 2023/09/30 18:16:44 tb Exp $
-.\"
-.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 30 2023 $
-.Dt ASIDENTIFIERS_NEW 3
-.Os
-.Sh NAME
-.Nm ASIdentifiers_new ,
-.Nm ASIdentifiers_free ,
-.Nm d2i_ASIdentifiers ,
-.Nm i2d_ASIdentifiers
-.Nd RFC 3779 autonomous system identifier delegation extensions
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft ASIdentifiers *
-.Fo ASIdentifiers_new
-.Fa "void"
-.Fc
-.Ft void
-.Fo ASIdentifiers_free
-.Fa "ASIdentifiers *asid"
-.Fc
-.Ft ASIdentifiers *
-.Fo d2i_ASIdentifiers
-.Fa "ASIdentifiers **asid"
-.Fa "const unsigned char **in"
-.Fa "long len"
-.Fc
-.Ft int
-.Fo i2d_ASIdentifiers
-.Fa "ASIdentifiers *asid"
-.Fa "unsigned char **out"
-.Fc
-.Sh DESCRIPTION
-RFC 3779 defines two X.509v3 certificate extensions that allow the
-delegation of
-IP addresses and autonomous system (AS) identifiers
-from the issuer to the subject of the certificate.
-An
-.Vt ASIdentifiers
-object contains collections of individual AS numbers and
-ranges of AS numbers to be delegated.
-.Pp
-.Fn ASIdentifiers_new
-allocates and initializes a new, empty
-.Vt ASIdentifiers
-object that can be populated with
-.Xr X509v3_asid_add_id_or_range 3 .
-See
-.Xr ASRange_new 3
-for implementation details.
-.Pp
-.Fn ASIdentifiers_free
-frees
-.Fa asid
-including any data contained in it.
-If
-.Fa asid
-is
-.Dv NULL ,
-no action occurs.
-.Pp
-.Fn d2i_ASIdentifiers
-and
-.Fn i2d_ASIdentifiers
-decode and encode ASN.1
-.Vt ASIdentifiers
-objects as defined in RFC 3779, section 3.2.3.1.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-In order for the encoding produced by
-.Fn i2d_ASIdentifiers
-to conform to RFC 3779,
-.Fa asid
-must be in
-.Dq canonical form ,
-see
-.Xr X509v3_asid_canonize 3 .
-.Sh RETURN VALUES
-.Fn ASIdentifiers_new
-returns a new
-.Vt ASIdentifiers
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn d2i_ASIdentifiers
-returns an
-.Vt ASIdentifiers
-object or
-.Dv NULL
-if a decoding or memory allocation error occurs.
-.Pp
-.Fn i2d_ASIdentifiers
-returns the number of bytes successfully encoded
-or a value <= 0 if an error occurs.
-.Sh SEE ALSO
-.Xr ASRange_new 3 ,
-.Xr crypto 3 ,
-.Xr IPAddressRange_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509v3_addr_add_inherit 3 ,
-.Xr X509v3_addr_get_range 3 ,
-.Xr X509v3_addr_inherits 3 ,
-.Xr X509v3_addr_subset 3 ,
-.Xr X509v3_addr_validate_path 3 ,
-.Xr X509v3_asid_add_id_or_range 3
-.Sh STANDARDS
-RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
-.Bl -dash -compact
-.It
-section 3: Autonomous System Identifier Delegation Extension
-.El
-.Pp
-RFC 7020: The Internet Numbers Registry System
-.Pp
-RFC 7249: Internet Numbers Registries
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8e
-and have been available since
-.Ox 7.1 .
-.Sh BUGS
-There are no corresponding functions for the RFC 3779
-IP address delegation extension represented by
-.Vt IPAddrBlocks .
diff --git a/src/lib/libcrypto/man/ASN1_BIT_STRING_set.3 b/src/lib/libcrypto/man/ASN1_BIT_STRING_set.3
deleted file mode 100644
index a916ca3ab2..0000000000
--- a/src/lib/libcrypto/man/ASN1_BIT_STRING_set.3
+++ /dev/null
@@ -1,139 +0,0 @@
-.\" $OpenBSD: ASN1_BIT_STRING_set.3,v 1.5 2024/12/24 09:48:56 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 24 2024 $
-.Dt ASN1_BIT_STRING_SET 3
-.Os
-.Sh NAME
-.Nm ASN1_BIT_STRING_set ,
-.Nm ASN1_BIT_STRING_set_bit ,
-.Nm ASN1_BIT_STRING_get_bit
-.Nd ASN.1 BIT STRING accessors
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft int
-.Fo ASN1_BIT_STRING_set
-.Fa "ASN1_BIT_STRING *bitstr"
-.Fa "unsigned char *data"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo ASN1_BIT_STRING_set_bit
-.Fa "ASN1_BIT_STRING *bitstr"
-.Fa "int bitnumber"
-.Fa "int set"
-.Fc
-.Ft int
-.Fo ASN1_BIT_STRING_get_bit
-.Fa "ASN1_BIT_STRING *bitstr"
-.Fa "int bitnumber"
-.Fc
-.Sh DESCRIPTION
-.Fn ASN1_BIT_STRING_set
-sets the length attribute of
-.Fa bitstr
-to
-.Fa len
-and copies that number of bytes from
-.Fa data
-into
-.Fa bitstr ,
-overwriting any previous data, by merely calling
-.Xr ASN1_STRING_set 3 .
-This function does no validation whatsoever.
-In particular, it neither checks that
-.Fa bitstr
-is actually of the type
-.Dv V_ASN1_BIT_STRING
-nor, even if it is, that the
-.Fa data
-and
-.Fa len
-arguments make sense for this particular bit string.
-.Pp
-If the
-.Fa set
-argument is non-zero,
-.Fn ASN1_BIT_STRING_set_bit
-sets the bit with the given
-.Fa bitnumber
-in the
-.Fa bitstr ;
-otherwise, it clears that bit.
-A
-.Fa bitnumber
-of 0 addresses the most significant bit in the first data byte of
-.Fa bitstr ,
-7 the least significant bit in the same byte,
-8 the most significant bit in the second data byte, and so on.
-.Pp
-If setting a bit is requested beyond the last existing data byte,
-additional bytes are added to the
-.Fa bitstr
-as needed.
-After clearing a bit, any trailing NUL bytes are removed from the
-.Fa bitstr .
-.Pp
-.Fn ASN1_BIT_STRING_get_bit
-checks that the bit with the given
-.Fa bitnumber
-is set in
-.Fa bitstr .
-.Sh RETURN VALUES
-.Fn ASN1_BIT_STRING_set
-returns 1 on success or 0 if memory allocation fails or if
-.Fa data
-is
-.Dv NULL
-and
-.Fa len
-is \-1 in the same call.
-.Pp
-.Fn ASN1_BIT_STRING_set_bit
-returns 1 on success or 0 if
-.Fa bitstr
-is
-.Dv NULL
-or if memory allocation fails.
-.Pp
-.Fn ASN1_BIT_STRING_get_bit
-returns 1 if the bit with the given
-.Fa bitnumber
-is set in the
-.Fa bitstr
-or 0 if
-.Fa bitstr
-is
-.Dv NULL ,
-if
-.Fa bitnumber
-points beyond the last data byte in
-.Fa bitstr ,
-or if the requested bit is not set.
-.Sh SEE ALSO
-.Xr ASN1_BIT_STRING_new 3 ,
-.Xr ASN1_STRING_set 3 ,
-.Xr d2i_ASN1_BIT_STRING 3 ,
-.Xr v2i_ASN1_BIT_STRING 3
-.Sh HISTORY
-.Fn ASN1_BIT_STRING_set
-first appeared in SSLeay 0.6.5.
-.Fn ASN1_BIT_STRING_set_bit
-and
-.Fn ASN1_BIT_STRING_get_bit
-first appeared in SSLeay 0.9.0.
-These functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/ASN1_INTEGER_get.3 b/src/lib/libcrypto/man/ASN1_INTEGER_get.3
deleted file mode 100644
index 84f566eda9..0000000000
--- a/src/lib/libcrypto/man/ASN1_INTEGER_get.3
+++ /dev/null
@@ -1,428 +0,0 @@
-.\" $OpenBSD: ASN1_INTEGER_get.3,v 1.7 2023/05/22 19:38:04 tb Exp $
-.\" selective merge up to:
-.\" OpenSSL man3/ASN1_INTEGER_get_int64 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2021, 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 22 2023 $
-.Dt ASN1_INTEGER_GET 3
-.Os
-.Sh NAME
-.Nm ASN1_INTEGER_get_uint64 ,
-.Nm ASN1_INTEGER_get_int64 ,
-.Nm ASN1_INTEGER_get ,
-.Nm ASN1_INTEGER_set_uint64 ,
-.Nm ASN1_INTEGER_set_int64 ,
-.Nm ASN1_INTEGER_set ,
-.Nm ASN1_INTEGER_cmp ,
-.Nm ASN1_INTEGER_dup ,
-.Nm BN_to_ASN1_INTEGER ,
-.Nm ASN1_INTEGER_to_BN ,
-.Nm ASN1_ENUMERATED_get_int64 ,
-.Nm ASN1_ENUMERATED_get ,
-.Nm ASN1_ENUMERATED_set_int64 ,
-.Nm ASN1_ENUMERATED_set ,
-.Nm BN_to_ASN1_ENUMERATED ,
-.Nm ASN1_ENUMERATED_to_BN
-.Nd ASN.1 INTEGER and ENUMERATED utilities
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft int
-.Fo ASN1_INTEGER_get_uint64
-.Fa "uint64_t *out_val"
-.Fa "const ASN1_INTEGER *a"
-.Fc
-.Ft int
-.Fo ASN1_INTEGER_get_int64
-.Fa "int64_t *out_val"
-.Fa "const ASN1_INTEGER *a"
-.Fc
-.Ft long
-.Fo ASN1_INTEGER_get
-.Fa "const ASN1_INTEGER *a"
-.Fc
-.Ft int
-.Fo ASN1_INTEGER_set_uint64
-.Fa "ASN1_INTEGER *a"
-.Fa "uint64_t v"
-.Fc
-.Ft int
-.Fo ASN1_INTEGER_set_int64
-.Fa "ASN1_INTEGER *a"
-.Fa "int64_t v"
-.Fc
-.Ft int
-.Fo ASN1_INTEGER_set
-.Fa "ASN1_INTEGER *a"
-.Fa "long v"
-.Fc
-.Ft int
-.Fo ASN1_INTEGER_cmp
-.Fa "const ASN1_INTEGER *a1"
-.Fa "const ASN1_INTEGER *a2"
-.Fc
-.Ft ASN1_INTEGER *
-.Fo ASN1_INTEGER_dup
-.Fa "const ASN1_INTEGER *a"
-.Fc
-.Ft ASN1_INTEGER *
-.Fo BN_to_ASN1_INTEGER
-.Fa "const BIGNUM *bn"
-.Fa "ASN1_INTEGER *ai"
-.Fc
-.Ft BIGNUM *
-.Fo ASN1_INTEGER_to_BN
-.Fa "const ASN1_INTEGER *ai"
-.Fa "BIGNUM *bn"
-.Fc
-.Ft int
-.Fo ASN1_ENUMERATED_get_int64
-.Fa "int64_t *out_val"
-.Fa "const ASN1_ENUMERATED *a"
-.Fc
-.Ft long
-.Fo ASN1_ENUMERATED_get
-.Fa "const ASN1_ENUMERATED *a"
-.Fc
-.Ft int
-.Fo ASN1_ENUMERATED_set_int64
-.Fa "ASN1_ENUMERATED *a"
-.Fa "int64_t v"
-.Fc
-.Ft int
-.Fo ASN1_ENUMERATED_set
-.Fa "ASN1_ENUMERATED *a"
-.Fa "long v"
-.Fc
-.Ft ASN1_ENUMERATED *
-.Fo BN_to_ASN1_ENUMERATED
-.Fa "const BIGNUM *bn"
-.Fa "ASN1_ENUMERATED *ai"
-.Fc
-.Ft BIGNUM *
-.Fo ASN1_ENUMERATED_to_BN
-.Fa "const ASN1_ENUMERATED *ai"
-.Fa "BIGNUM *bn"
-.Fc
-.Sh DESCRIPTION
-These functions convert to and from
-.Vt ASN1_INTEGER
-and
-.Vt ASN1_ENUMERATED
-objects.
-.Pp
-.Fn ASN1_INTEGER_get_uint64
-and
-.Fn ASN1_INTEGER_get_int64
-store the value of
-.Fa a
-in
-.Pf * Fa out_val
-if successful.
-.Pp
-The deprecated function
-.Fn ASN1_INTEGER_get
-converts
-.Fa a
-to the
-.Vt long
-type.
-.Pp
-.Fn ASN1_INTEGER_set_uint64 ,
-.Fn ASN1_INTEGER_set_int64 ,
-and
-.Fn ASN1_INTEGER_set
-set the type of
-.Fa a
-to
-.Dv V_ASN1_INTEGER
-or
-.Dv V_ASN1_NEG_INTEGER
-depending on the sign of
-.Fa v
-and set the value of
-.Fa a
-to
-.Fa v .
-.Pp
-.Fn ASN1_INTEGER_cmp
-compares the signed integer numbers represented by
-.Fa a1
-and
-.Fa a2 .
-.Pp
-.Fn ASN1_INTEGER_dup
-does exactly the same as
-.Xr ASN1_STRING_dup 3
-without providing any type safety,
-except that it fails if the
-.Xr ASN1_STRING_length 3
-of
-.Fa a
-is 0.
-.Pp
-.Fn BN_to_ASN1_INTEGER
-converts
-.Fa bn
-to an
-.Vt ASN1_INTEGER .
-If
-.Fa ai
-is
-.Dv NULL ,
-a new
-.Vt ASN1_INTEGER
-object is returned.
-Otherwise, the existing object
-.Fa ai
-is used instead.
-.Pp
-.Fn ASN1_INTEGER_to_BN
-converts
-.Fa ai
-into a
-.Vt BIGNUM .
-If
-.Fa bn
-is
-.Dv NULL ,
-a new
-.Vt BIGNUM
-object is returned.
-Otherwise, the existing object
-.Fa bn
-is used instead.
-.Pp
-.Fn ASN1_ENUMERATED_get_int64 ,
-.Fn ASN1_ENUMERATED_get ,
-.Fn ASN1_ENUMERATED_set_int64 ,
-.Fn ASN1_ENUMERATED_set ,
-.Fn BN_to_ASN1_ENUMERATED ,
-and
-.Fn ASN1_ENUMERATED_to_BN
-behave like their
-.Vt ASN1_INTEGER
-counterparts except that they operate on an
-.Vt ASN1_ENUMERATED
-object.
-.Sh RETURN VALUES
-.Fn ASN1_INTEGER_get_uint64
-returns 1 in case of success or 0 if
-.Fa a
-is not of the type
-.Dv V_ASN1_INTEGER
-or greater than
-.Dv UINT64_MAX .
-.Pp
-.Fn ASN1_INTEGER_get_int64
-returns 1 in case of success or 0 if
-.Fa a
-is not of the type
-.Dv V_ASN1_INTEGER
-or
-.Dv V_ASN1_NEG_INTEGER ,
-less than
-.Dv INT64_MIN ,
-or greater than
-.Dv INT64_MAX .
-.Pp
-.Fn ASN1_INTEGER_get
-and
-.Fn ASN1_ENUMERATED_get
-return the converted value, 0 if
-.Fa a
-is
-.Dv NULL ,
-or \-1 on error, which is ambiguous because \-1 is a legitimate
-value for an
-.Vt ASN1_INTEGER .
-.Pp
-.Fn ASN1_INTEGER_set_uint64 ,
-.Fn ASN1_INTEGER_set_int64 ,
-.Fn ASN1_INTEGER_set ,
-.Fn ASN1_ENUMERATED_set_int64 ,
-and
-.Fn ASN1_ENUMERATED_set
-return 1 for success or 0 for failure.
-They only fail if a memory allocation error occurs.
-.Pp
-.Fn ASN1_INTEGER_cmp
-returns a value greater than, equal to, or less than 0
-if the signed integer number represented by
-.Fa a1
-is greater than, equal to, or less than
-the signed integer number represented by
-.Fa a2 ,
-respectively.
-.Pp
-.Fn ASN1_INTEGER_dup
-returns a pointer to a newly allocated
-.Vt ASN1_STRING
-structure or
-.Dv NULL
-if
-.Fa a
-is a
-.Dv NULL
-pointer, if the length of
-.Fa a
-is 0, or if memory allocation fails.
-.Pp
-.Fn BN_to_ASN1_INTEGER
-and
-.Fn BN_to_ASN1_ENUMERATED
-return an
-.Vt ASN1_INTEGER
-or
-.Vt ASN1_ENUMERATED
-object, respectively, or
-.Dv NULL
-if an error occurs.
-They only fail due to memory allocation errors.
-.Pp
-.Fn ASN1_INTEGER_to_BN
-and
-.Fn ASN1_ENUMERATED_to_BN
-return a
-.Vt BIGNUM
-object of
-.Dv NULL
-if an error occurs.
-They can fail if the passed type is incorrect (due to a programming error)
-or due to memory allocation failures.
-.Sh SEE ALSO
-.Xr ASN1_INTEGER_new 3 ,
-.Xr ASN1_STRING_length 3
-.Sh HISTORY
-.Fn ASN1_INTEGER_set
-first appeared in SSLeay 0.5.1.
-.Fn ASN1_INTEGER_get ,
-.Fn BN_to_ASN1_INTEGER ,
-and
-.Fn ASN1_INTEGER_to_BN
-first appeared in SSLeay 0.6.0.
-.Fn ASN1_INTEGER_cmp
-and
-.Fn ASN1_INTEGER_dup
-first appeared in SSLeay 0.6.5.
-These functions have been available since
-.Ox 2.3 .
-.Pp
-.Fn ASN1_ENUMERATED_get ,
-.Fn ASN1_ENUMERATED_set ,
-.Fn BN_to_ASN1_ENUMERATED ,
-and
-.Fn ASN1_ENUMERATED_to_BN
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
-.Pp
-.Fn ASN1_INTEGER_get_uint64 ,
-.Fn ASN1_INTEGER_get_int64 ,
-.Fn ASN1_INTEGER_set_uint64 ,
-.Fn ASN1_INTEGER_set_int64 ,
-.Fn ASN1_ENUMERATED_get_int64 ,
-and
-.Fn ASN1_ENUMERATED_set_int64
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.2 .
-.Sh CAVEATS
-In general an
-.Vt ASN1_INTEGER
-or
-.Vt ASN1_ENUMERATED
-type can contain an integer of almost arbitrary size
-and so cannot always be represented by a C
-.Vt long
-type.
-The ambiguous return values of
-.Fn ASN1_INTEGER_get
-and
-.Fn ASN1_ENUMERATED_get
-imply that these functions should be avoided if possible.
-.Sh BUGS
-.Fn ASN1_INTEGER_cmp ,
-.Fn ASN1_INTEGER_dup ,
-and
-.Fn ASN1_INTEGER_to_BN
-do not check whether their arguments are really of the type
-.Dv V_ASN1_INTEGER
-or
-.Dv V_ASN1_NEG_INTEGER .
-They may report success even if their arguments are of a wrong type.
-Consequently, even in case of success, the return value of
-.Fn ASN1_INTEGER_dup
-is not guaranteed to be of the type
-.Dv V_ASN1_INTEGER
-or
-.Dv V_ASN1_NEG_INTEGER
-either.
-.Pp
-Similarly,
-.Fn ASN1_ENUMERATED_to_BN
-does not check whether its argument is really of the type
-.Dv V_ASN1_ENUMERATED
-or
-.Dv V_ASN1_NEG_ENUMERATED
-and may report success even if the argument is of a wrong type.
diff --git a/src/lib/libcrypto/man/ASN1_NULL_new.3 b/src/lib/libcrypto/man/ASN1_NULL_new.3
deleted file mode 100644
index b4d2428ed1..0000000000
--- a/src/lib/libcrypto/man/ASN1_NULL_new.3
+++ /dev/null
@@ -1,66 +0,0 @@
-.\" $OpenBSD: ASN1_NULL_new.3,v 1.3 2021/12/09 18:42:35 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 9 2021 $
-.Dt ASN1_NULL_NEW 3
-.Os
-.Sh NAME
-.Nm ASN1_NULL_new ,
-.Nm ASN1_NULL_free
-.Nd ASN.1 NULL value
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_NULL *
-.Fn ASN1_NULL_new void
-.Ft void
-.Fn ASN1_NULL_free "ASN1_NULL *val_in"
-.Sh DESCRIPTION
-.Fn ASN1_NULL_new
-returns a specific invalid pointer that represents the ASN.1 NULL value,
-which is the only possible value of the ASN.1 NULL type.
-That pointer is different from a
-.Dv NULL
-pointer.
-Dereferencing it almost certainly results in a segmentation fault.
-This function does not allocate memory and cannot fail.
-.Pp
-.Fn ASN1_NULL_free
-has no effect whatsoever.
-In particular, it ignores the
-.Fa val_in
-argument and does not free any memory.
-In normal use, application programs only pass the invalid pointer
-obtained from
-.Fn ASN1_NULL_new
-to this function.
-But even if a valid pointer is passed, that pointer does not become invalid.
-.Pp
-The ASN.1 NULL type is also represented by the
-.Dv V_ASN1_NULL
-type identifier constant.
-.Sh SEE ALSO
-.Xr ASN1_item_new 3 ,
-.Xr d2i_ASN1_NULL 3
-.Sh STANDARDS
-ITU-T Recommendation X.208, also known as ISO/IEC 8824-1:
-Specification of Abstract Syntax Notation One (ASN.1),
-section 19: Notation for the null type
-.Sh HISTORY
-.Fn ASN1_NULL_new
-and
-.Fn ASN1_NULL_free
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/ASN1_OBJECT_new.3 b/src/lib/libcrypto/man/ASN1_OBJECT_new.3
deleted file mode 100644
index 3e2eac02ee..0000000000
--- a/src/lib/libcrypto/man/ASN1_OBJECT_new.3
+++ /dev/null
@@ -1,228 +0,0 @@
-.\" $OpenBSD: ASN1_OBJECT_new.3,v 1.16 2023/09/05 15:01:39 schwarze Exp $
-.\" full merge up to: OpenSSL 99d63d4 Mar 19 12:28:58 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2017, 2021, 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson.
-.\" Copyright (c) 2002, 2006 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 5 2023 $
-.Dt ASN1_OBJECT_NEW 3
-.Os
-.Sh NAME
-.Nm ASN1_OBJECT_new ,
-.Nm ASN1_OBJECT_create ,
-.Nm ASN1_OBJECT_free
-.Nd ASN.1 object identifiers
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_OBJECT *
-.Fo ASN1_OBJECT_new
-.Fa void
-.Fc
-.Ft ASN1_OBJECT *
-.Fo ASN1_OBJECT_create
-.Fa "int nid"
-.Fa "unsigned char *content"
-.Fa "int len"
-.Fa "const char *short_name"
-.Fa "const char *long_name"
-.Fc
-.Ft void
-.Fo ASN1_OBJECT_free
-.Fa "ASN1_OBJECT *a"
-.Fc
-.Sh DESCRIPTION
-.Fn ASN1_OBJECT_new
-allocates and initializes an empty
-.Vt ASN1_OBJECT
-object, representing an ASN.1 OBJECT IDENTIFIER.
-It can hold a short name, a long name, a numeric identifier (NID),
-and a sequence of integers identifying a node in the International
-Object Identifier tree as specified in ITU-T recommendation X.660.
-The new object is marked as dynamically allocated.
-.Pp
-The ASN.1 object identifier type is also represented by the
-.Dv V_ASN1_OBJECT
-type identifier constant.
-.Pp
-.Fn ASN1_OBJECT_create
-allocates a new
-.Vt ASN1_OBJECT
-with the given
-.Fa nid ,
-copies the
-.Fa len
-DER
-.Fa content
-octets, the
-.Fa short_name ,
-and the
-.Fa long_name
-into it, and marks the new object and all data contained in it
-as dynamically allocated.
-.Pp
-Application programs normally use utility functions like
-.Xr OBJ_nid2obj 3
-rather than using
-.Fn ASN1_OBJECT_new
-or
-.Fn ASN1_OBJECT_create
-directly.
-.Pp
-.Fn ASN1_OBJECT_free
-has the following effects:
-.Pp
-All data contained in
-.Fa a
-that is marked as dynamically allocated is freed,
-and the respective fields of
-.Fa a
-become empty.
-Contained data not marked as dynamically allocated remains intact.
-.Pp
-If the object
-.Fa a
-itself is marked as dynamically allocated, it is freed.
-Otherwise, the pointer
-.Fa a
-remains valid.
-.Pp
-If
-.Fa a
-is a
-.Dv NULL
-pointer or if neither the object itself nor any of its content
-is marked as dynamically allocated, no action occurs.
-.Sh RETURN VALUES
-.Fn ASN1_OBJECT_new
-and
-.Fn ASN1_OBJECT_create
-return a pointer to the new object or
-.Dv NULL
-if memory allocation fails,
-.Sh ERRORS
-After failure of
-.Fn ASN1_OBJECT_new
-or
-.Fn ASN1_OBJECT_create ,
-the following diagnostic can be retrieved with
-.Xr ERR_get_error 3 ,
-.Xr ERR_GET_REASON 3 ,
-and
-.Xr ERR_reason_error_string 3 :
-.Bl -tag -width Ds
-.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
-Memory allocation failed.
-.El
-.Pp
-After some cases of failure of
-.Fn ASN1_OBJECT_create ,
-the following diagnostic can be retrieved in addition to the above:
-.Bl -tag -width Ds
-.It Dv ERR_R_ASN1_LIB Qq "ASN1 lib"
-Memory allocation failed.
-.El
-.Sh SEE ALSO
-.Xr a2d_ASN1_OBJECT 3 ,
-.Xr ASN1_TYPE_get 3 ,
-.Xr d2i_ASN1_OBJECT 3 ,
-.Xr OBJ_create 3 ,
-.Xr OBJ_nid2obj 3
-.Sh STANDARDS
-ITU-T Recommendation X.208, also known as ISO/IEC 8824-1:
-Specification of Abstract Syntax Notation One (ASN.1),
-section 28: Notation for the object identifier type
-.Pp
-ITU-T Recommendation X.690, also known as ISO/IEC 8825-1:
-Information technology - ASN.1 encoding rules:
-Specification of Basic Encoding Rules (BER), Canonical Encoding
-Rules (CER) and Distinguished Encoding Rules (DER),
-section 8.19: Encoding of an object identifier value
-.Sh HISTORY
-.Fn ASN1_OBJECT_new
-and
-.Fn ASN1_OBJECT_free
-first appeared in SSLeay 0.5.1 and
-.Fn ASN1_OBJECT_create
-in SSLeay 0.8.0.
-These functions have been available since
-.Ox 2.4 .
-.Sh BUGS
-The function
-.Fn ASN1_OBJECT_new
-is not useful for any practical purpose because the library does not
-provide any function capable of adding data to an existing object.
-Consequently, if the application program creates an object with
-.Fn ASN1_OBJECT_new ,
-that object will always remain empty.
-.Pp
-Similarly, if an
-.Fa nid
-of
-.Dv NID_undef
-is passed to
-.Fn ASN1_OBJECT_create ,
-or if
-.Dv NULL
-is passed for any of its pointer arguments, the returned object
-will permanently remain incomplete.
diff --git a/src/lib/libcrypto/man/ASN1_PRINTABLE_type.3 b/src/lib/libcrypto/man/ASN1_PRINTABLE_type.3
deleted file mode 100644
index 391dd32e66..0000000000
--- a/src/lib/libcrypto/man/ASN1_PRINTABLE_type.3
+++ /dev/null
@@ -1,92 +0,0 @@
-.\" $OpenBSD: ASN1_PRINTABLE_type.3,v 1.1 2021/11/15 13:39:40 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 15 2021 $
-.Dt ASN1_PRINTABLE_TYPE 3
-.Os
-.Sh NAME
-.Nm ASN1_PRINTABLE_type
-.Nd classify a single-byte character string
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft int
-.Fo ASN1_PRINTABLE_type
-.Fa "const unsigned char *string"
-.Fa "int len"
-.Fc
-.Sh DESCRIPTION
-.Fn ASN1_PRINTABLE_type
-assumes that the given
-.Fa string
-consists of single-byte characters and classifies it
-according to which kinds characters occur.
-If
-.Fa len
-is greater than 0, at most
-.Fa len
-characters are inspected.
-Otherwise, the
-.Fa string
-needs to be NUL-terminated.
-.Sh RETURN VALUES
-If the given
-.Fa string
-contains a character outside the
-.Xr ascii 7
-range,
-.Fn ASN1_PRINTABLE_type
-returns
-.Dv V_ASN1_T61STRING .
-.Pp
-Otherwise, if it contains a character that is neither a letter
-nor a digit nor the space character
-.Po
-.Ql "\ " ,
-ASCII 0x20
-.Pc
-nor the apostrophe quote
-.Po
-.Ql \(aq ,
-ASCII 0x27
-.Pc
-nor contained in the set
-.Qq ()+,\-./:=?\& ,
-it returns
-.Dv V_ASN1_IA5STRING .
-.Pp
-Otherwise, including if
-.Fa string
-is a
-.Dv NULL
-pointer or points to an empty string, it returns
-.Dv V_ASN1_PRINTABLESTRING .
-.Sh SEE ALSO
-.Xr ASN1_mbstring_copy 3 ,
-.Xr ASN1_STRING_new 3 ,
-.Xr ASN1_STRING_to_UTF8 3 ,
-.Xr isascii 3 ,
-.Xr ascii 7
-.Sh HISTORY
-.Fn ASN1_PRINTABLE_type
-first appeared in SSLeay 0.4.5d, has been part of the public API
-since SSLeay 0.5.1, and has been available since
-.Ox 2.4 .
-.Sh CAVEATS
-The ASN.1 notion of what constitutes a
-.Vt PrintableString
-is more restrictive than what the C library function
-.Xr isprint 3
-considers printable.
diff --git a/src/lib/libcrypto/man/ASN1_STRING_TABLE_get.3 b/src/lib/libcrypto/man/ASN1_STRING_TABLE_get.3
deleted file mode 100644
index 2bf8831c12..0000000000
--- a/src/lib/libcrypto/man/ASN1_STRING_TABLE_get.3
+++ /dev/null
@@ -1,94 +0,0 @@
-.\" $OpenBSD: ASN1_STRING_TABLE_get.3,v 1.4 2023/12/21 21:23:37 tb Exp $
-.\" checked up to:
-.\" OpenSSL ASN1_STRING_TABLE_add.pod 7b608d08 Jul 27 01:18:50 2017 +0800
-.\"
-.\" Copyright (c) 2017, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 21 2023 $
-.Dt ASN1_STRING_TABLE_GET 3
-.Os
-.Sh NAME
-.\" .Nm ASN1_STRING_TABLE_add0 and
-.\" .Nm ASN1_STRING_TABLE_cleanup are intentionally undocumented
-.\" because they will be removed in the next major bump
-.\" .Dv STABLE_FLAGS_MALLOC is intentionally undocumented because it is unused
-.Nm ASN1_STRING_TABLE_get
-.Nd retrieve an entry from the global ASN.1 string table
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_STRING_TABLE *
-.Fo ASN1_STRING_TABLE_get
-.Fa "int nid"
-.Fc
-.Sh DESCRIPTION
-The ASN.1 string table is a unique global object.
-Each entry is of the type
-.Vt ASN1_STRING_TABLE
-and contains information about one NID object.
-The entries are predefined according to RFC 5280 appendix A.1.
-.Pp
-The upper bounds for the number of characters in various kinds of
-.Vt ASN1_STRING
-objects are:
-.Pp
-.Bl -column -compact NID_organizationalUnitNa maxsi ub_organization_unit_na
-.It object type                   Ta maxsize Ta symbolic constant
-.It Dv NID_commonName             Ta 64      Ta Dv ub_common_name
-.It Dv NID_countryName            Ta 2       Ta \(em
-.It Dv NID_givenName              Ta 32768   Ta Dv ub_name
-.It Dv NID_initials               Ta 32768   Ta Dv ub_name
-.It Dv NID_localityName           Ta 128     Ta Dv ub_locality_name
-.It Dv NID_name                   Ta 32768   Ta Dv ub_name
-.It Dv NID_organizationName       Ta 64      Ta Dv ub_organization_name
-.It Dv NID_organizationalUnitName Ta 64      Ta Dv ub_organization_unit_name
-.It Dv NID_pkcs9_emailAddress     Ta 128     Ta Dv ub_email_address
-.It Dv NID_serialNumber           Ta 64      Ta Dv ub_serial_number
-.It Dv NID_stateOrProvinceName    Ta 128     Ta Dv ub_state_name
-.It Dv NID_surname                Ta 32768   Ta Dv ub_name
-.El
-.Pp
-The function
-.Fn ASN1_STRING_TABLE_get
-retrieves the entry for
-.Fa nid .
-If the
-.Dv STABLE_NO_MASK
-flag is set,
-.Xr ASN1_STRING_set_by_NID 3
-skips applying the global mask that can be set with
-.Xr ASN1_STRING_set_default_mask 3 .
-.Sh RETURN VALUES
-.Fn ASN1_STRING_TABLE_get
-returns a valid
-.Vt ASN1_STRING_TABLE
-structure or
-.Dv NULL
-if nothing is found.
-.Sh SEE ALSO
-.Xr ASN1_OBJECT_new 3 ,
-.Xr ASN1_STRING_set_by_NID 3 ,
-.Xr OBJ_create 3 ,
-.Xr OBJ_nid2obj 3
-.Sh HISTORY
-.Fn ASN1_STRING_TABLE_get
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Sh BUGS
-Most aspects of the semantics considerably differ from OpenSSL.
-.Pp
-.Dv ub_email_address ,
-which should really be called
-.Dv ub_emailaddress_length ,
-was changed in RFC 5280 from 128 to 255 to match PKCS#9 (RFC 2985).
diff --git a/src/lib/libcrypto/man/ASN1_STRING_length.3 b/src/lib/libcrypto/man/ASN1_STRING_length.3
deleted file mode 100644
index 0c397607a9..0000000000
--- a/src/lib/libcrypto/man/ASN1_STRING_length.3
+++ /dev/null
@@ -1,461 +0,0 @@
-.\" $OpenBSD: ASN1_STRING_length.3,v 1.30 2024/12/27 15:30:17 schwarze Exp $
-.\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson.
-.\" Copyright (c) 2002, 2006, 2013, 2015, 2016, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 27 2024 $
-.Dt ASN1_STRING_LENGTH 3
-.Os
-.Sh NAME
-.Nm ASN1_STRING_cmp ,
-.Nm ASN1_OCTET_STRING_cmp ,
-.Nm ASN1_STRING_data ,
-.Nm ASN1_STRING_dup ,
-.Nm ASN1_OCTET_STRING_dup ,
-.Nm ASN1_STRING_get0_data ,
-.Nm ASN1_STRING_length ,
-.Nm ASN1_STRING_length_set ,
-.Nm ASN1_STRING_set0 ,
-.Nm ASN1_STRING_set ,
-.Nm ASN1_OCTET_STRING_set ,
-.Nm ASN1_STRING_copy ,
-.Nm ASN1_STRING_to_UTF8 ,
-.Nm ASN1_STRING_type
-.\" deprecated aliases, intentionally undocumented:
-.\" M_ASN1_STRING_data, M_ASN1_STRING_length
-.Nd ASN1_STRING utility functions
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft int
-.Fo ASN1_STRING_cmp
-.Fa "const ASN1_STRING *a"
-.Fa "const ASN1_STRING *b"
-.Fc
-.Ft int
-.Fo ASN1_OCTET_STRING_cmp
-.Fa "const ASN1_OCTET_STRING *a"
-.Fa "const ASN1_OCTET_STRING *b"
-.Fc
-.Ft unsigned char *
-.Fo ASN1_STRING_data
-.Fa "ASN1_STRING *x"
-.Fc
-.Ft ASN1_STRING *
-.Fo ASN1_STRING_dup
-.Fa "const ASN1_STRING *a"
-.Fc
-.Ft ASN1_OCTET_STRING *
-.Fo ASN1_OCTET_STRING_dup
-.Fa "const ASN1_OCTET_STRING *a"
-.Fc
-.Ft const unsigned char *
-.Fo ASN1_STRING_get0_data
-.Fa "const ASN1_STRING *x"
-.Fc
-.Ft int
-.Fo ASN1_STRING_length
-.Fa "const ASN1_STRING *x"
-.Fc
-.Ft void
-.Fo ASN1_STRING_length_set
-.Fa "ASN1_STRING *x"
-.Fa "int len"
-.Fc
-.Ft void
-.Fo ASN1_STRING_set0
-.Fa "ASN1_STRING *str"
-.Fa "void *data"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo ASN1_STRING_set
-.Fa "ASN1_STRING *str"
-.Fa "const void *data"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo ASN1_OCTET_STRING_set
-.Fa "ASN1_OCTET_STRING *str"
-.Fa "const unsigned char *data"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo ASN1_STRING_copy
-.Fa "ASN1_STRING *dst"
-.Fa "const ASN1_STRING *src"
-.Fc
-.Ft int
-.Fo ASN1_STRING_to_UTF8
-.Fa "unsigned char **out"
-.Fa "const ASN1_STRING *in"
-.Fc
-.Ft int
-.Fo ASN1_STRING_type
-.Fa "const ASN1_STRING *x"
-.Fc
-.Sh DESCRIPTION
-These functions manipulate
-.Vt ASN1_STRING
-structures.
-.Pp
-.Fn ASN1_STRING_cmp
-compares the type, the length, and the content of
-.Fa a
-and
-.Fa b .
-.Pp
-.Fn ASN1_OCTET_STRING_cmp
-does exactly the same as
-.Fn ASN1_STRING_cmp
-without providing any type safety.
-.Pp
-.Fn ASN1_STRING_data
-is similar to
-.Fn ASN1_STRING_get0_data
-except that the returned value is not constant.
-This function is deprecated.
-Applications should use
-.Fn ASN1_STRING_get0_data
-instead.
-.Pp
-.Fn ASN1_STRING_dup
-allocates a new
-.Vt ASN1_STRING
-object and copies the type, length, data, and flags from
-.Fa a
-into it.
-.Pp
-.Fn ASN1_OCTET_STRING_dup
-does exactly the same as
-.Fn ASN1_STRING_dup
-without providing any type safety.
-.Pp
-.Fn ASN1_STRING_get0_data
-returns an internal pointer to the data of
-.Fa x .
-It should not be freed or modified in any way.
-.Pp
-.Fn ASN1_STRING_length
-returns the length attribute of
-.Fa x ,
-measured in bytes.
-.Pp
-.Fn ASN1_STRING_length_set
-sets the length attribute of
-.Fa x
-to
-.Fa len .
-It may put
-.Fa x
-into an inconsistent internal state.
-.Pp
-.Fn ASN1_STRING_set0
-frees any data stored in
-.Fa str ,
-sets the length attribute to
-.Fa len
-bytes, and sets the data attribute to
-.Fa data ,
-transferring ownership, without doing any validation.
-.Pp
-.Fn ASN1_STRING_set
-sets the length attribute of
-.Fa str
-to
-.Fa len
-and copies that number of bytes from
-.Fa data
-into
-.Fa str ,
-overwriting any previous data.
-If
-.Fa len
-is \-1, then
-.Fn strlen data
-is used instead of
-.Fa len .
-If
-.Fa data
-is
-.Dv NULL ,
-the content of
-.Fa str
-remains uninitialized; that is not considered an error unless
-.Fa len
-is negative.
-.Pp
-.Fn ASN1_OCTET_STRING_set
-does exactly the same as
-.Fn ASN1_STRING_set
-without providing any type safety.
-.Pp
-.Fn ASN1_STRING_copy
-copies the length and data of
-.Fa src
-into
-.Fa dst
-using
-.Fn ASN1_STRING_set
-and changes the type and flags of
-.Fa dst
-to match the type and flags of
-.Fa src .
-.Pp
-.Fn ASN1_STRING_to_UTF8
-converts the string
-.Fa in
-to UTF-8 format.
-The converted data is copied into a newly allocated buffer
-.Pf * Fa out .
-The buffer
-.Pf * Fa out
-should be freed using
-.Xr free 3 .
-.Pp
-.Fn ASN1_STRING_type
-returns the type of
-.Fa x .
-If the bit
-.Dv V_ASN1_NEG
-is set in the return value,
-.Fa x
-is an ASN.1 INTEGER or ENUMERATED object with a negative value.
-.Pp
-Almost all ASN.1 types are represented as
-.Vt ASN1_STRING
-structures.
-Other types such as
-.Vt ASN1_OCTET_STRING
-are simply typedefed to
-.Vt ASN1_STRING
-and the functions call the
-.Vt ASN1_STRING
-equivalents.
-.Vt ASN1_STRING
-is also used for some CHOICE types which consist entirely of primitive
-string types such as
-.Vt DirectoryString
-and
-.Vt Time .
-.Pp
-These functions should
-.Em not
-be used to examine or modify
-.Vt ASN1_INTEGER
-or
-.Vt ASN1_ENUMERATED
-types: the relevant INTEGER or ENUMERATED utility functions should
-be used instead.
-.Pp
-In general it cannot be assumed that the data returned by
-.Fn ASN1_STRING_get0_data
-and
-.Fn ASN1_STRING_data
-is NUL terminated, and it may contain embedded NUL characters.
-The format of the data depends on the string type:
-for example for an
-.Vt IA5String
-the data contains ASCII characters, for a
-.Vt BMPString
-two bytes per character in big endian format, and for a
-.Vt UTF8String
-UTF-8 characters.
-.Pp
-Similar care should be taken to ensure the data is in the correct format
-when calling
-.Fn ASN1_STRING_set
-or
-.Fn ASN1_STRING_set0 .
-.Sh RETURN VALUES
-.Fn ASN1_STRING_cmp
-and
-.Fn ASN1_OCTET_STRING_cmp
-return 0 if the type, the length, and the content of
-.Fa a
-and
-.Fa b
-agree, or a non-zero value otherwise.
-In contrast to
-.Xr strcmp 3 ,
-the sign of the return value does not indicate lexicographical ordering.
-.Pp
-.Fn ASN1_STRING_data
-and
-.Fn ASN1_STRING_get0_data
-return an internal pointer to the data of
-.Fa x .
-.Pp
-.Fn ASN1_STRING_dup
-and
-.Fn ASN1_OCTET_STRING_dup
-return a pointer to a newly allocated
-.Vt ASN1_STRING
-structure or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn ASN1_STRING_length
-returns a number of bytes.
-.Pp
-.Fn ASN1_STRING_set ,
-.Fn ASN1_OCTET_STRING_set ,
-and
-.Fn ASN1_STRING_copy
-return 1 on success or 0 on failure.
-They fail if memory allocation fails.
-.Fn ASN1_STRING_set
-and
-.Fn ASN1_OCTET_STRING_set
-also fail if
-.Fa data
-is
-.Dv NULL
-and
-.Fa len
-is \-1 in the same call.
-.Fn ASN1_STRING_copy
-also fails if
-.Fa src
-is
-.Dv NULL .
-.Pp
-.Fn ASN1_STRING_to_UTF8
-returns the number of bytes in the output buffer
-.Pf * Fa out ,
-or a negative number if an error occurred.
-.Pp
-.Fn ASN1_STRING_type
-returns an integer constant, for example
-.Dv V_ASN1_OCTET_STRING
-or
-.Dv V_ASN1_NEG_INTEGER .
-.Pp
-In some cases of failure of
-.Fn ASN1_STRING_dup ,
-.Fn ASN1_STRING_set ,
-and
-.Fn ASN1_STRING_to_UTF8 ,
-the reason can be determined with
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr a2i_ASN1_STRING 3 ,
-.Xr a2i_ipadd 3 ,
-.Xr ASN1_BIT_STRING_set 3 ,
-.Xr ASN1_mbstring_copy 3 ,
-.Xr ASN1_PRINTABLE_type 3 ,
-.Xr ASN1_STRING_new 3 ,
-.Xr ASN1_UNIVERSALSTRING_to_string 3 ,
-.Xr s2i_ASN1_INTEGER 3
-.Sh HISTORY
-.Fn ASN1_STRING_cmp ,
-.Fn ASN1_STRING_dup ,
-.Fn ASN1_STRING_set ,
-and
-.Fn ASN1_OCTET_STRING_set
-first appeared in SSLeay 0.6.5.
-.Fn ASN1_OCTET_STRING_cmp ,
-.Fn ASN1_STRING_data ,
-.Fn ASN1_OCTET_STRING_dup ,
-and
-.Fn ASN1_STRING_type
-first appeared in SSLeay 0.8.0.
-.Fn ASN1_STRING_length
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn ASN1_STRING_length_set
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Pp
-.Fn ASN1_STRING_to_UTF8
-first appeared in OpenSSL 0.9.6 and has been available since
-.Ox 2.9 .
-.Pp
-.Fn ASN1_STRING_set0
-first appeared in OpenSSL 0.9.8h and has been available since
-.Ox 4.5 .
-.Pp
-.Fn ASN1_STRING_copy
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
-.Pp
-.Fn ASN1_STRING_get0_data
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
-.Sh BUGS
-.Fn ASN1_OCTET_STRING_cmp ,
-.Fn ASN1_OCTET_STRING_dup ,
-and
-.Fn ASN1_OCTET_STRING_set
-do not check whether their arguments are really of the type
-.Dv V_ASN1_OCTET_STRING .
-They may report success even if their arguments are of a wrong type.
-Consequently, even in case of success, the return value of
-.Fn ASN1_OCTET_STRING_dup
-is not guaranteed to be of the type
-.Dv V_ASN1_OCTET_STRING
-either.
diff --git a/src/lib/libcrypto/man/ASN1_STRING_new.3 b/src/lib/libcrypto/man/ASN1_STRING_new.3
deleted file mode 100644
index 212bacd413..0000000000
--- a/src/lib/libcrypto/man/ASN1_STRING_new.3
+++ /dev/null
@@ -1,303 +0,0 @@
-.\"     $OpenBSD: ASN1_STRING_new.3,v 1.27 2024/12/27 15:30:17 schwarze Exp $
-.\"     OpenSSL 99d63d46 Tue Mar 24 07:52:24 2015 -0400
-.\"
-.\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 27 2024 $
-.Dt ASN1_STRING_NEW 3
-.Os
-.Sh NAME
-.Nm ASN1_STRING_new ,
-.Nm ASN1_STRING_type_new ,
-.Nm ASN1_STRING_free ,
-.Nm ASN1_OCTET_STRING_new ,
-.Nm ASN1_OCTET_STRING_free ,
-.Nm ASN1_BIT_STRING_new ,
-.Nm ASN1_BIT_STRING_free ,
-.Nm ASN1_INTEGER_new ,
-.Nm ASN1_INTEGER_free ,
-.Nm ASN1_ENUMERATED_new ,
-.Nm ASN1_ENUMERATED_free ,
-.Nm ASN1_UTF8STRING_new ,
-.Nm ASN1_UTF8STRING_free ,
-.Nm ASN1_IA5STRING_new ,
-.Nm ASN1_IA5STRING_free ,
-.Nm ASN1_UNIVERSALSTRING_new ,
-.Nm ASN1_UNIVERSALSTRING_free ,
-.Nm ASN1_BMPSTRING_new ,
-.Nm ASN1_BMPSTRING_free ,
-.Nm ASN1_GENERALSTRING_new ,
-.Nm ASN1_GENERALSTRING_free ,
-.Nm ASN1_T61STRING_new ,
-.Nm ASN1_T61STRING_free ,
-.Nm ASN1_VISIBLESTRING_new ,
-.Nm ASN1_VISIBLESTRING_free ,
-.Nm ASN1_PRINTABLESTRING_new ,
-.Nm ASN1_PRINTABLESTRING_free ,
-.Nm ASN1_PRINTABLE_new ,
-.Nm ASN1_PRINTABLE_free ,
-.Nm DIRECTORYSTRING_new ,
-.Nm DIRECTORYSTRING_free ,
-.Nm DISPLAYTEXT_new ,
-.Nm DISPLAYTEXT_free ,
-.Nm ASN1_GENERALIZEDTIME_new ,
-.Nm ASN1_GENERALIZEDTIME_free ,
-.Nm ASN1_UTCTIME_new ,
-.Nm ASN1_UTCTIME_free ,
-.Nm ASN1_TIME_new ,
-.Nm ASN1_TIME_free
-.\" deprecated aliases, intentionally undocumented: M_ASN1_IA5STRING_new,
-.\" M_ASN1_ENUMERATED_free, M_ASN1_INTEGER_free, M_ASN1_OCTET_STRING_free
-.Nd allocate and free ASN1_STRING objects
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_STRING *
-.Fn ASN1_STRING_new void
-.Ft ASN1_STRING *
-.Fn ASN1_STRING_type_new "int type"
-.Ft void
-.Fn ASN1_STRING_free "ASN1_STRING *a"
-.Ft ASN1_OCTET_STRING *
-.Fn ASN1_OCTET_STRING_new void
-.Ft void
-.Fn ASN1_OCTET_STRING_free "ASN1_OCTET_STRING *a"
-.Ft ASN1_BIT_STRING *
-.Fn ASN1_BIT_STRING_new void
-.Ft void
-.Fn ASN1_BIT_STRING_free "ASN1_BIT_STRING *a"
-.Ft ASN1_INTEGER *
-.Fn ASN1_INTEGER_new void
-.Ft void
-.Fn ASN1_INTEGER_free "ASN1_INTEGER *a"
-.Ft ASN1_ENUMERATED *
-.Fn ASN1_ENUMERATED_new void
-.Ft void
-.Fn ASN1_ENUMERATED_free "ASN1_ENUMERATED *a"
-.Ft ASN1_UTF8STRING *
-.Fn ASN1_UTF8STRING_new void
-.Ft void
-.Fn ASN1_UTF8STRING_free "ASN1_UTF8STRING *a"
-.Ft ASN1_IA5STRING *
-.Fn ASN1_IA5STRING_new void
-.Ft void
-.Fn ASN1_IA5STRING_free "ASN1_IA5STRING *a"
-.Ft ASN1_UNIVERSALSTRING *
-.Fn ASN1_UNIVERSALSTRING_new void
-.Ft void
-.Fn ASN1_UNIVERSALSTRING_free "ASN1_UNIVERSALSTRING *a"
-.Ft ASN1_BMPSTRING *
-.Fn ASN1_BMPSTRING_new void
-.Ft void
-.Fn ASN1_BMPSTRING_free "ASN1_BMPSTRING *a"
-.Ft ASN1_GENERALSTRING *
-.Fn ASN1_GENERALSTRING_new void
-.Ft void
-.Fn ASN1_GENERALSTRING_free "ASN1_GENERALSTRING *a"
-.Ft ASN1_T61STRING *
-.Fn ASN1_T61STRING_new void
-.Ft void
-.Fn ASN1_T61STRING_free "ASN1_T61STRING *a"
-.Ft ASN1_VISIBLESTRING *
-.Fn ASN1_VISIBLESTRING_new void
-.Ft void
-.Fn ASN1_VISIBLESTRING_free "ASN1_VISIBLESTRING *a"
-.Ft ASN1_PRINTABLESTRING *
-.Fn ASN1_PRINTABLESTRING_new void
-.Ft void
-.Fn ASN1_PRINTABLESTRING_free "ASN1_PRINTABLESTRING *a"
-.Ft ASN1_STRING *
-.Fn ASN1_PRINTABLE_new void
-.Ft void
-.Fn ASN1_PRINTABLE_free "ASN1_STRING *a"
-.Ft ASN1_STRING *
-.Fn DIRECTORYSTRING_new void
-.Ft void
-.Fn DIRECTORYSTRING_free "ASN1_STRING *a"
-.Ft ASN1_STRING *
-.Fn DISPLAYTEXT_new void
-.Ft void
-.Fn DISPLAYTEXT_free "ASN1_STRING *a"
-.Ft ASN1_GENERALIZEDTIME *
-.Fn ASN1_GENERALIZEDTIME_new void
-.Ft void
-.Fn ASN1_GENERALIZEDTIME_free "ASN1_GENERALIZEDTIME *a"
-.Ft ASN1_UTCTIME *
-.Fn ASN1_UTCTIME_new void
-.Ft void
-.Fn ASN1_UTCTIME_free "ASN1_UTCTIME *a"
-.Ft ASN1_TIME *
-.Fn ASN1_TIME_new void
-.Ft void
-.Fn ASN1_TIME_free "ASN1_TIME *a"
-.Sh DESCRIPTION
-The
-.Vt ASN1_STRING
-object can represent a variety of ASN.1 built-in types.
-It can store a type and a value.
-.Pp
-All the
-.Fn *_new
-functions
-allocate and initialize an empty
-.Vt ASN1_STRING
-object.
-The following table shows the type assigned to the new object,
-and which ASN.1 type it represents.
-.Bl -column "ASN1_GENERALIZEDTIME_new()" "V_ASN1_GENERALIZEDTIME"
-.It Em constructor function     Ta Em OpenSSL type          Ta Em ASN.1 type
-.It Ta
-.It Fn ASN1_STRING_new          Ta Dv V_ASN1_OCTET_STRING
-.It Fn ASN1_STRING_type_new     Ta Fa type No argument
-.It Ta
-.It Fn ASN1_OCTET_STRING_new    Ta Dv V_ASN1_OCTET_STRING    Ta OCTET STRING
-.It Fn ASN1_BIT_STRING_new      Ta Dv V_ASN1_BIT_STRING      Ta BIT STRING
-.It Fn ASN1_INTEGER_new         Ta Dv V_ASN1_INTEGER         Ta INTEGER
-.It Fn ASN1_ENUMERATED_new      Ta Dv V_ASN1_ENUMERATED      Ta ENUMERATED
-.It Ta
-.It Fn ASN1_UTF8STRING_new      Ta Dv V_ASN1_UTF8STRING      Ta UTF8String
-.It Fn ASN1_IA5STRING_new       Ta Dv V_ASN1_IA5STRING       Ta IA5String
-.It Ta
-.It Fn ASN1_UNIVERSALSTRING_new Ta Dv V_ASN1_UNIVERSALSTRING Ta UniversalString
-.It Fn ASN1_BMPSTRING_new       Ta Dv V_ASN1_BMPSTRING       Ta BMPString
-.It Fn ASN1_GENERALSTRING_new   Ta Dv V_ASN1_GENERALSTRING   Ta GeneralString
-.It Fn ASN1_T61STRING_new       Ta Dv V_ASN1_T61STRING       Ta T61String
-.It Fn ASN1_VISIBLESTRING_new   Ta Dv V_ASN1_VISIBLESTRING   Ta VisibleString
-.It Fn ASN1_PRINTABLESTRING_new Ta Dv V_ASN1_PRINTABLESTRING Ta PrintableString
-.It Ta
-.It Fn ASN1_PRINTABLE_new       Ta Dv V_ASN1_UNDEF
-.It Fn DIRECTORYSTRING_new      Ta Dv V_ASN1_UNDEF
-.It Fn DISPLAYTEXT_new          Ta Dv V_ASN1_UNDEF
-.It Ta
-.It Fn ASN1_GENERALIZEDTIME_new Ta Dv V_ASN1_GENERALIZEDTIME Ta GeneralizedTime
-.It Fn ASN1_UTCTIME_new         Ta Dv V_ASN1_UTCTIME         Ta UTCTime
-.It Fn ASN1_TIME_new            Ta Dv V_ASN1_UNDEF           Ta TIME
-.El
-.Pp
-All the
-.Fn *_free
-functions free
-.Fa a
-including any data contained in it.
-If
-.Fa a
-is a
-.Dv NULL
-pointer, no action occurs.
-.Sh RETURN VALUES
-All the
-.Fn *_new
-functions return the new
-.Vt ASN1_STRING
-object if successful; otherwise
-.Dv NULL
-is returned and an error code can be retrieved with
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr a2i_ipadd 3 ,
-.Xr ASN1_BIT_STRING_set 3 ,
-.Xr ASN1_INTEGER_get 3 ,
-.Xr ASN1_item_pack 3 ,
-.Xr ASN1_mbstring_copy 3 ,
-.Xr ASN1_PRINTABLE_type 3 ,
-.Xr ASN1_STRING_length 3 ,
-.Xr ASN1_STRING_print_ex 3 ,
-.Xr ASN1_TIME_set 3 ,
-.Xr ASN1_TYPE_get 3 ,
-.Xr ASN1_UNIVERSALSTRING_to_string 3 ,
-.Xr d2i_ASN1_OBJECT 3 ,
-.Xr d2i_ASN1_OCTET_STRING 3 ,
-.Xr i2a_ASN1_STRING 3 ,
-.Xr s2i_ASN1_INTEGER 3 ,
-.Xr X509_cmp_time 3 ,
-.Xr X509_EXTENSION_get_object 3 ,
-.Xr X509_get_ext_by_OBJ 3 ,
-.Xr X509_NAME_ENTRY_get_object 3
-.Sh HISTORY
-.Fn ASN1_OCTET_STRING_new ,
-.Fn ASN1_OCTET_STRING_free ,
-.Fn ASN1_BIT_STRING_new ,
-.Fn ASN1_BIT_STRING_free ,
-.Fn ASN1_INTEGER_new ,
-.Fn ASN1_INTEGER_free ,
-.Fn ASN1_IA5STRING_new ,
-.Fn ASN1_IA5STRING_free ,
-.Fn ASN1_T61STRING_new ,
-.Fn ASN1_T61STRING_free ,
-.Fn ASN1_PRINTABLESTRING_new ,
-.Fn ASN1_PRINTABLESTRING_free ,
-.Fn ASN1_PRINTABLE_new ,
-.Fn ASN1_PRINTABLE_free ,
-.Fn ASN1_UTCTIME_new ,
-and
-.Fn ASN1_UTCTIME_free
-first appeared in SSLeay 0.5.1.
-.Fn ASN1_STRING_new ,
-.Fn ASN1_STRING_type_new ,
-and
-.Fn ASN1_STRING_free
-first appeared in SSLeay 0.6.5.
-.Fn ASN1_UNIVERSALSTRING_new ,
-.Fn ASN1_UNIVERSALSTRING_free ,
-.Fn ASN1_GENERALSTRING_new ,
-and
-.Fn ASN1_GENERALSTRING_free
-first appeared in SSLeay 0.8.0.
-.Fn ASN1_BMPSTRING_new ,
-.Fn ASN1_BMPSTRING_free ,
-.Fn ASN1_GENERALIZEDTIME_new ,
-and
-.Fn ASN1_GENERALIZEDTIME_free
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn ASN1_ENUMERATED_new ,
-.Fn ASN1_ENUMERATED_free ,
-.Fn ASN1_TIME_new ,
-and
-.Fn ASN1_TIME_free
-first appeared in OpenSSL 0.9.2b.
-.Fn ASN1_UTF8STRING_new ,
-.Fn ASN1_UTF8STRING_free ,
-.Fn ASN1_VISIBLESTRING_new ,
-.Fn ASN1_VISIBLESTRING_free ,
-.Fn DIRECTORYSTRING_new ,
-.Fn DIRECTORYSTRING_free ,
-.Fn DISPLAYTEXT_new ,
-and
-.Fn DISPLAYTEXT_free
-first appeared in OpenSSL 0.9.3.
-These functions have been available since
-.Ox 2.6 .
-.Sh BUGS
-.Vt ASN1_OCTET_STRING ,
-.Vt ASN1_BIT_STRING ,
-.Vt ASN1_INTEGER ,
-.Vt ASN1_ENUMERATED ,
-.Vt ASN1_UTF8STRING ,
-.Vt ASN1_IA5STRING ,
-.Vt ASN1_UNIVERSALSTRING ,
-.Vt ASN1_BMPSTRING ,
-.Vt ASN1_GENERALSTRING ,
-.Vt ASN1_T61STRING ,
-.Vt ASN1_VISIBLESTRING ,
-.Vt ASN1_PRINTABLESTRING ,
-.Vt ASN1_GENERALIZEDTIME ,
-.Vt ASN1_UTCTIME ,
-and
-.Vt ASN1_TIME
-are merely typedef aliases of
-.Vt ASN1_STRING
-and provide no type safety whatsoever.
diff --git a/src/lib/libcrypto/man/ASN1_STRING_print_ex.3 b/src/lib/libcrypto/man/ASN1_STRING_print_ex.3
deleted file mode 100644
index eb43b2fe5c..0000000000
--- a/src/lib/libcrypto/man/ASN1_STRING_print_ex.3
+++ /dev/null
@@ -1,241 +0,0 @@
-.\" $OpenBSD: ASN1_STRING_print_ex.3,v 1.18 2021/12/14 19:36:18 schwarze Exp $
-.\" full merge up to: OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
-.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file was written by Dr. Stephen Henson.
-.\" Copyright (c) 2002, 2004, 2007, 2013, 2016, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 14 2021 $
-.Dt ASN1_STRING_PRINT_EX 3
-.Os
-.Sh NAME
-.Nm ASN1_STRING_print_ex ,
-.Nm ASN1_STRING_print_ex_fp ,
-.Nm ASN1_STRING_print ,
-.Nm ASN1_tag2str
-.\" M_ASN1_OCTET_STRING_print is a deprecated alias, intentionally undocumented
-.Nd ASN1_STRING output routines
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft int
-.Fo ASN1_STRING_print_ex
-.Fa "BIO *out"
-.Fa "const ASN1_STRING *str"
-.Fa "unsigned long flags"
-.Fc
-.Ft int
-.Fo ASN1_STRING_print_ex_fp
-.Fa "FILE *fp"
-.Fa "const ASN1_STRING *str"
-.Fa "unsigned long flags"
-.Fc
-.Ft int
-.Fo ASN1_STRING_print
-.Fa "BIO *out"
-.Fa "const ASN1_STRING *str"
-.Fc
-.Ft const char *
-.Fo ASN1_tag2str
-.Fa "int tag"
-.Fc
-.Sh DESCRIPTION
-These functions output an
-.Vt ASN1_STRING
-structure.
-.Vt ASN1_STRING
-is used to
-represent all the ASN.1 string types.
-.Pp
-.Fn ASN1_STRING_print_ex
-outputs
-.Fa str
-to
-.Fa out ,
-the format being determined by the options
-.Fa flags .
-.Fn ASN1_STRING_print_ex_fp
-is identical except it outputs to
-.Fa fp
-instead.
-.Pp
-.Fn ASN1_STRING_print
-prints
-.Fa str
-to
-.Fa out
-but using a different format to
-.Fn ASN1_STRING_print_ex .
-It replaces unprintable characters (other than CR, LF) with
-.Sq \&. .
-.Pp
-.Fn ASN1_tag2str
-returns a human-readable name of the specified ASN.1
-.Fa tag .
-.Pp
-.Fn ASN1_STRING_print
-is a deprecated function which should be avoided; use
-.Fn ASN1_STRING_print_ex
-instead.
-.Pp
-Although there are a large number of options,
-.Dv ASN1_STRFLGS_RFC2253
-is often suitable, or on UTF-8 terminals
-.Dv ASN1_STRFLGS_RFC2253
-and
-.Pf ~ Dv ASN1_STRFLGS_ESC_MSB .
-.Pp
-The complete set of supported options for
-.Fa flags
-is listed below.
-.Pp
-Various characters can be escaped.
-If
-.Dv ASN1_STRFLGS_ESC_2253
-is set, the characters determined by RFC 2253 are escaped.
-If
-.Dv ASN1_STRFLGS_ESC_CTRL
-is set, control characters are escaped.
-If
-.Dv ASN1_STRFLGS_ESC_MSB
-is set, characters with the MSB set are escaped: this option should
-.Em not
-be used if the terminal correctly interprets UTF-8 sequences.
-.Pp
-Escaping takes several forms.
-If the character being escaped is a 16-bit character then the form "\eUXXXX"
-is used using exactly four characters for the hex representation.
-If it is 32 bits then "\eWXXXXXXXX" is used using eight characters
-of its hex representation.
-These forms will only be used if UTF-8 conversion is not set (see below).
-.Pp
-Printable characters are normally escaped using the backslash
-.Pq Sq \e
-character.
-If
-.Dv ASN1_STRFLGS_ESC_QUOTE
-is set, then the whole string is instead surrounded by double quote
-characters: this is arguably more readable than the backslash notation.
-Other characters use the "\eXX" using exactly two characters of the hex
-representation.
-.Pp
-If
-.Dv ASN1_STRFLGS_UTF8_CONVERT
-is set, then characters are converted to UTF-8 format first.
-If the terminal supports the display of UTF-8 sequences then this
-option will correctly display multi-byte characters.
-.Pp
-If
-.Dv ASN1_STRFLGS_IGNORE_TYPE
-is set, then the string type is not interpreted at all:
-everything is assumed to be one byte per character.
-This is primarily for debugging purposes and can result
-in confusing output in multi-character strings.
-.Pp
-If
-.Dv ASN1_STRFLGS_SHOW_TYPE
-is set, then the string type itself is printed before its value
-(for example "BMPSTRING"), using
-.Fn ASN1_tag2str .
-.Pp
-Instead of being interpreted the contents of a string can be "dumped":
-this just outputs the value of the string using the form #XXXX
-using hex format for each octet.
-.Pp
-If
-.Dv ASN1_STRFLGS_DUMP_ALL
-is set, then any type is dumped.
-.Pp
-Normally non-character string types (such as OCTET STRING)
-are assumed to be one byte per character; if
-.Dv ASN1_STRFLGS_DUMP_UNKNOWN
-is set, then they will be dumped instead.
-.Pp
-When a type is dumped normally just the content octets are printed; if
-.Dv ASN1_STRFLGS_DUMP_DER
-is set, then the complete encoding is dumped
-instead (including tag and length octets).
-.Pp
-.Dv ASN1_STRFLGS_RFC2253
-includes all the flags required by RFC 2253.
-It is equivalent to
-.Dv ASN1_STRFLGS_ESC_2253 |
-.Dv ASN1_STRFLGS_ESC_CTRL |
-.Dv ASN1_STRFLGS_ESC_MSB |
-.Dv ASN1_STRFLGS_UTF8_CONVERT |
-.Dv ASN1_STRFLGS_DUMP_UNKNOWN |
-.Dv ASN1_STRFLGS_DUMP_DER .
-.Sh RETURN VALUES
-.Fn ASN1_STRING_print_ex
-and
-.Fn ASN1_STRING_print_ex_fp
-return the number of characters written or \-1 if an error occurred.
-.Pp
-.Fn ASN1_STRING_print
-returns 1 on success or 0 on error.
-.Pp
-.Fn ASN1_tag2str
-returns a static string.
-.Sh SEE ALSO
-.Xr ASN1_parse_dump 3 ,
-.Xr ASN1_STRING_new 3 ,
-.Xr X509_NAME_print_ex 3 ,
-.Xr X509_signature_dump 3
-.Sh HISTORY
-.Fn ASN1_STRING_print
-first appeared in SSLeay 0.6.5 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn ASN1_tag2str
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Pp
-.Fn ASN1_STRING_print_ex
-and
-.Fn ASN1_STRING_print_ex_fp
-first appeared in OpenSSL 0.9.6 and have been available since
-.Ox 2.9 .
diff --git a/src/lib/libcrypto/man/ASN1_TIME_set.3 b/src/lib/libcrypto/man/ASN1_TIME_set.3
deleted file mode 100644
index 233cb13f2c..0000000000
--- a/src/lib/libcrypto/man/ASN1_TIME_set.3
+++ /dev/null
@@ -1,752 +0,0 @@
-.\" $OpenBSD: ASN1_TIME_set.3,v 1.23 2024/03/05 18:30:40 tb Exp $
-.\" full merge up to: OpenSSL 3d0f1cb9 Jul 11 03:01:24 2017 +0800
-.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\" Copyright (c) 2022 Bob Beck <beck@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" and Todd Short <tshort@akamai.com>.
-.\" Copyright (c) 2015, 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 5 2024 $
-.Dt ASN1_TIME_SET 3
-.Os
-.Sh NAME
-.Nm ASN1_TIME_set ,
-.Nm ASN1_UTCTIME_set ,
-.Nm ASN1_GENERALIZEDTIME_set ,
-.Nm ASN1_TIME_adj ,
-.Nm ASN1_UTCTIME_adj ,
-.Nm ASN1_GENERALIZEDTIME_adj ,
-.Nm ASN1_TIME_set_string ,
-.Nm ASN1_TIME_set_string_X509 ,
-.Nm ASN1_UTCTIME_set_string ,
-.Nm ASN1_GENERALIZEDTIME_set_string ,
-.Nm ASN1_TIME_normalize ,
-.Nm ASN1_TIME_check ,
-.Nm ASN1_UTCTIME_check ,
-.Nm ASN1_GENERALIZEDTIME_check ,
-.Nm ASN1_TIME_print ,
-.Nm ASN1_UTCTIME_print ,
-.Nm ASN1_GENERALIZEDTIME_print ,
-.Nm ASN1_TIME_to_tm ,
-.Nm ASN1_TIME_diff ,
-.Nm ASN1_TIME_cmp_time_t ,
-.Nm ASN1_UTCTIME_cmp_time_t ,
-.Nm ASN1_TIME_compare ,
-.Nm ASN1_TIME_to_generalizedtime ,
-.Nm OPENSSL_gmtime ,
-.Nm OPENSSL_timegm ,
-.Nm OPENSSL_posix_to_tm ,
-.Nm OPENSSL_tm_to_posix
-.Nd ASN.1 Time functions
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_TIME *
-.Fo ASN1_TIME_set
-.Fa "ASN1_TIME *s"
-.Fa "time_t t"
-.Fc
-.Ft ASN1_UTCTIME *
-.Fo ASN1_UTCTIME_set
-.Fa "ASN1_UTCTIME *s"
-.Fa "time_t t"
-.Fc
-.Ft ASN1_GENERALIZEDTIME *
-.Fo ASN1_GENERALIZEDTIME_set
-.Fa "ASN1_GENERALIZEDTIME *s"
-.Fa "time_t t"
-.Fc
-.Ft ASN1_TIME *
-.Fo ASN1_TIME_adj
-.Fa "ASN1_TIME *s"
-.Fa "time_t t"
-.Fa "int offset_day"
-.Fa "long offset_sec"
-.Fc
-.Ft ASN1_UTCTIME *
-.Fo ASN1_UTCTIME_adj
-.Fa "ASN1_UTCTIME *s"
-.Fa "time_t t"
-.Fa "int offset_day"
-.Fa "long offset_sec"
-.Fc
-.Ft ASN1_GENERALIZEDTIME *
-.Fo ASN1_GENERALIZEDTIME_adj
-.Fa "ASN1_GENERALIZEDTIME *s"
-.Fa "time_t t"
-.Fa "int offset_day"
-.Fa "long offset_sec"
-.Fc
-.Ft int
-.Fo ASN1_TIME_set_string
-.Fa "ASN1_TIME *s"
-.Fa "const char *str"
-.Fc
-.Ft int
-.Fo ASN1_TIME_set_string_X509
-.Fa "ASN1_TIME *s"
-.Fa "const char *str"
-.Fc
-.Ft int
-.Fo ASN1_UTCTIME_set_string
-.Fa "ASN1_UTCTIME *s"
-.Fa "const char *str"
-.Fc
-.Ft int
-.Fo ASN1_GENERALIZEDTIME_set_string
-.Fa "ASN1_GENERALIZEDTIME *s"
-.Fa "const char *str"
-.Fc
-.Ft int
-.Fo ASN1_TIME_normalize
-.Fa "ASN1_TIME *s"
-.Fc
-.Ft int
-.Fo ASN1_TIME_check
-.Fa "const ASN1_TIME *t"
-.Fc
-.Ft int
-.Fo ASN1_UTCTIME_check
-.Fa "const ASN1_UTCTIME *t"
-.Fc
-.Ft int
-.Fo ASN1_GENERALIZEDTIME_check
-.Fa "const ASN1_GENERALIZEDTIME *t"
-.Fc
-.Ft int
-.Fo ASN1_TIME_print
-.Fa "BIO *b"
-.Fa "const ASN1_TIME *s"
-.Fc
-.Ft int
-.Fo ASN1_UTCTIME_print
-.Fa "BIO *b"
-.Fa "const ASN1_UTCTIME *s"
-.Fc
-.Ft int
-.Fo ASN1_GENERALIZEDTIME_print
-.Fa "BIO *b"
-.Fa "const ASN1_GENERALIZEDTIME *s"
-.Fc
-.Ft int
-.Fo ASN1_TIME_to_tm
-.Fa "const ASN1_TIME *s"
-.Fa "struct tm *tm"
-.Fc
-.Ft int
-.Fo ASN1_TIME_diff
-.Fa "int *pday"
-.Fa "int *psec"
-.Fa "const ASN1_TIME *from"
-.Fa "const ASN1_TIME *to"
-.Fc
-.Ft int
-.Fo ASN1_TIME_cmp_time_t
-.Fa "const ASN1_TIME *s"
-.Fa "time_t t"
-.Fc
-.Ft int
-.Fo ASN1_UTCTIME_cmp_time_t
-.Fa "const ASN1_UTCTIME *s"
-.Fa "time_t t"
-.Fc
-.Ft int
-.Fo ASN1_TIME_compare
-.Fa "const ASN1_TIME *s"
-.Fa "const ASN1_TIME *t"
-.Fc
-.Ft ASN1_GENERALIZEDTIME *
-.Fo ASN1_TIME_to_generalizedtime
-.Fa "const ASN1_TIME *t"
-.Fa "ASN1_GENERALIZEDTIME **out"
-.Fc
-.In openssl/crypto.h
-.Ft struct tm *
-.Fo OPENSSL_gmtime
-.Fa "const time_t *time"
-.Fa "struct tm *out_tm"
-.Fc
-.In openssl/posix_time.h
-.Ft int
-.Fo OPENSSL_timegm
-.Fa "const struct tm *tm"
-.Fa "time_t *out_time"
-.Fc
-.Ft int
-.Fo OPENSSL_posix_to_tm
-.Fa "int64_t time"
-.Fa "struct tm *out_tm"
-.Fc
-.Ft int
-.Fo OPENSSL_tm_to_posix
-.Fa "struct tm *t_tm"
-.Fa "int64_t *out"
-.Fc
-.Sh DESCRIPTION
-An
-.Vt ASN1_TIME
-object is a shallow wrapper around a string containing an ASN.1
-.Vt Time
-value in the restricted format valid in X.509 certificates.
-An
-.Vt ASN1_TIME
-object is either an
-.Vt ASN1_UTCTIME
-object containing a string of the format
-.Ar YYMMDDHHMMSS Ns Cm Z
-which is valid for the years 1950 to 2049, or an
-.Vt ASN1_GENERALIZEDTIME
-object containing a string of the format
-.Ar YYYYMMDDHHMMSS Ns Cm Z
-which is valid for the years 0000 to 1949 and 2050 to 9999.
-In both cases, the mandatory suffix
-.Sq Cm Z
-represents the GMT time zone.
-LibreSSL by design does not support the full syntax of ASN.1 times.
-In particular, it neither supports fractional seconds
-nor any other time zone.
-.Pp
-The functions
-.Fn ASN1_TIME_set ,
-.Fn ASN1_UTCTIME_set ,
-and
-.Fn ASN1_GENERALIZEDTIME_set
-set the time object
-.Fa s
-to the time represented by the
-.Vt time_t
-value
-.Fa t .
-If
-.Fa s
-is
-.Dv NULL ,
-a new time object is allocated and returned.
-.Pp
-The functions
-.Fn ASN1_TIME_adj ,
-.Fn ASN1_UTCTIME_adj ,
-and
-.Fn ASN1_GENERALIZEDTIME_adj
-set the time object
-.Fa s
-to the time represented by the time
-.Fa offset_day
-and
-.Fa offset_sec
-after the
-.Vt time_t
-value
-.Fa t .
-The values of
-.Fa offset_day
-or
-.Fa offset_sec
-can be negative to set a time before
-.Fa t .
-The
-.Fa offset_sec
-value can also exceed the number of seconds in a day.
-If
-.Fa s
-is
-.Dv NULL ,
-a new time object is allocated and returned.
-.Pp
-.Fn ASN1_TIME_adj
-may change the type from
-.Vt ASN1_GENERALIZEDTIME
-to
-.Vt ASN1_UTCTIME
-or vice versa depending on the resulting year.
-The functions
-.Fn ASN1_UTCTIME_adj
-and
-.Fn ASN1_GENERALIZEDTIME_adj
-do not modify the type of the return object.
-.Pp
-The functions
-.Fn ASN1_TIME_set_string ,
-.Fn ASN1_TIME_set_string_X509 ,
-.Fn ASN1_UTCTIME_set_string ,
-and
-.Fn ASN1_GENERALIZEDTIME_set_string
-set the time object
-.Fa s
-to the time string
-.Fa str ,
-which must be in appropriate ASN.1 time format:
-YYMMDDHHMMSSZ for
-.Vt ASN1_UTCTIME ,
-YYYYMMDDHHMMSSZ for
-.Vt ASN1_GENERALIZEDTIME ,
-or either of the two for
-.Vt ASN1_TIME .
-The string
-.Fa str
-is copied into
-.Fa s .
-If
-.Fa s
-is
-.Dv NULL ,
-these functions only perform a format check on
-.Fa str .
-.Pp
-In LibreSSL,
-.Fn ASN1_TIME_set_string
-and
-.Fn ASN1_TIME_set_string_X509
-behave identically and always set the time object
-to a valid value to use in an X.509 certificate.
-.Fn ASN1_GENERALIZEDTIME_set_string
-may encode a time string that is not valid in an X.509 certificate.
-.Pp
-The function
-.Fn ASN1_TIME_normalize
-converts an
-.Vt ASN1_GENERALIZEDTIME
-into a time value that can be used in a certificate
-by changing it to an
-.Vt ASN1_UTCTIME
-if possible.
-It has no effect on an
-.Vt ASN1_UTCTIME .
-.Pp
-The functions
-.Fn ASN1_TIME_check ,
-.Fn ASN1_UTCTIME_check ,
-and
-.Fn ASN1_GENERALIZEDTIME_check
-check the syntax of the time string contained in the object
-.Fa s .
-.Pp
-The functions
-.Fn ASN1_TIME_print ,
-.Fn ASN1_UTCTIME_print ,
-and
-.Fn ASN1_GENERALIZEDTIME_print
-print out the time
-.Fa s
-to
-.Vt BIO
-.Fa b
-in human readable format.
-It will be of the format MMM DD HH:MM:SS YYYY [GMT], for example "Feb 3
-00:55:52 2015 GMT".
-It does not include a newline.
-If the time string has an invalid format,
-it prints out "Bad time value" and returns an error.
-.Pp
-The function
-.Fn ASN1_TIME_to_tm
-converts the time
-.Fa s
-to the standard
-.Vt tm
-structure.
-If
-.Fa s
-is
-.Dv NULL ,
-then the current time is converted.
-The output time is always in the GMT time zone.
-The
-.Fa tm_sec , tm_min , tm_hour , tm_mday , tm_mon ,
-and
-.Fa tm_year
-fields of the
-.Vt tm
-structure are set to the proper values,
-whereas all other fields are set to 0.
-If
-.Fa tm
-is
-.Dv NULL ,
-this function performs a format check on
-.Fa s
-only.
-.Pp
-The function
-.Fn ASN1_TIME_diff
-sets
-.Pf * Fa pday
-and
-.Pf * Fa psec
-to the time difference between
-.Fa from
-and
-.Fa to .
-If
-.Fa to
-represents a time later than
-.Fa from ,
-then one or both (depending on the time difference) of
-.Pf * Fa pday
-and
-.Pf * Fa psec
-will be positive.
-If
-.Fa to
-represents a time earlier than
-.Fa from ,
-then one or both of
-.Pf * Fa pday
-and
-.Pf * Fa psec
-will be negative.
-If
-.Fa to
-and
-.Fa from
-represent the same time, then
-.Pf * Fa pday
-and
-.Pf * Fa psec
-will both be zero.
-If both
-.Pf * Fa pday
-and
-.Pf * Fa psec
-are nonzero, they will always have the same sign.
-The value of
-.Pf * Fa psec
-will always be less than the number of seconds in a day.
-If
-.Fa from
-or
-.Fa to
-is
-.Dv NULL ,
-the current time is used.
-.Pp
-The functions
-.Fn ASN1_TIME_cmp_time_t ,
-.Fn ASN1_UTCTIME_cmp_time_t ,
-and
-.Fn ASN1_TIME_compare
-compare the two times represented by
-.Fa s
-and
-.Fa t .
-.Pp
-The function
-.Fn ASN1_TIME_to_generalizedtime
-converts the
-.Vt ASN1_TIME
-.Fa t
-to an
-.Vt ASN1_GENERALIZEDTIME ,
-regardless of year.
-If either
-.Fa out
-or
-.Pf * Fa out
-is
-.Dv NULL ,
-then a new object is allocated and must be freed after use.
-.Pp
-The
-.Vt ASN1_TIME ,
-.Vt ASN1_UTCTIME ,
-and
-.Vt ASN1_GENERALIZEDTIME
-objects are represented as
-.Vt ASN1_STRING
-objects internally and can be freed using
-.Xr ASN1_STRING_free 3 .
-.Pp
-It is recommended that
-.Vt ASN1_TIME
-functions be used instead of
-.Vt ASN1_UTCTIME
-or
-.Vt ASN1_GENERALIZEDTIME
-functions because the
-.Vt ASN1_UTCTIME
-and
-.Vt ASN1_GENERALIZEDTIME
-functions act only on that specific time format, while the
-.Vt ASN1_TIME
-functions operate on either format.
-.Pp
-.Fn OPENSSL_gmtime
-converts a time_t value in
-.Fa time
-to a struct tm in
-.Fa out_tm
-and also returns the struct passed in on success.
-.Pp
-.Fn OPENSSL_timegm
-converts a time structure in UTC time in
-.Fa tm
-to a time_t value in
-.Fa out_time .
-.Pp
-.Fn OPENSSL_posix_to_tm
-converts an
-.Vt int64_t
-POSIX time value in
-.Fa time ,
-which must be in the range of year 0 to 9999,
-to a broken out time value in
-.Fa tm .
-.Pp
-.Fn OPENSSL_tm_to_posix
-converts a time value between the years 0 and 9999 in
-.Fa tm
-to a POSIX time value in
-.Fa out .
-.Sh RETURN VALUES
-.Fn ASN1_TIME_set ,
-.Fn ASN1_UTCTIME_set ,
-.Fn ASN1_GENERALIZEDTIME_set ,
-.Fn ASN1_TIME_adj ,
-.Fn ASN1_UTCTIME_adj ,
-.Fn ASN1_GENERALIZEDTIME_adj ,
-and
-.Fn ASN1_TIME_to_generalizedtime
-return a pointer to a time object or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn ASN1_TIME_set_string ,
-.Fn ASN1_TIME_set_string_X509 ,
-.Fn ASN1_UTCTIME_set_string ,
-and
-.Fn ASN1_GENERALIZEDTIME_set_string
-return 1 if the time value is successfully set or 0 otherwise.
-.Pp
-.Fn ASN1_TIME_normalize
-returns 1 on success or 0 on error.
-.Pp
-.Fn ASN1_TIME_check ,
-.Fn ASN1_UTCTIME_check ,
-and
-.Fn ASN1_GENERALIZEDTIME_check
-return 1 if the time string contained in the object is syntactically
-correct or 0 otherwise.
-.Pp
-.Fn ASN1_TIME_print ,
-.Fn ASN1_UTCTIME_print ,
-and
-.Fn ASN1_GENERALIZEDTIME_print
-return 1 if the time is successfully printed or 0 if an error
-occurred (I/O error or invalid time format).
-.Pp
-.Fn ASN1_TIME_to_tm
-returns 1 if the time is successfully parsed
-or 0 if an error occurred, usually due to an invalid time format.
-.Pp
-.Fn ASN1_TIME_diff
-returns 1 for success or 0 for failure.
-It can for example fail if a time string passed in has invalid syntax.
-.Pp
-.Fn ASN1_TIME_cmp_time_t ,
-.Fn ASN1_UTCTIME_cmp_time_t ,
-and
-.Fn ASN1_TIME_compare
-return \-1 if
-.Fa s
-is earlier than
-.Fa t ,
-0 if both are equal, 1 if
-.Fa s
-is later than
-.Fa t ,
-or \-2 on error.
-.Pp
-.Fn OPENSSL_timegm
-returns 1 for success or 0 for failure.
-It can fail if the time is not representable in a time_t,
-or falls outside the range allowed in RFC 5280 times.
-.Pp
-.Fn OPENSSL_gmtime
-returns
-.Fa out_tm
-on success or NULL for failure.
-It can fail if the time is not representable in a struct tm,
-or falls outside the range allowed in RFC 5280 times.
-.Pp
-.Fn OPENSSL_posix_to_tm
-and
-.Fn OPENSSL_tm_to_posix
-return 1 for success or 0 on failure.
-It is a failure if the year is less than 0 or more than 9999.
-.Sh EXAMPLES
-Set a time object to one hour after the current time and print it
-out:
-.Bd -literal -offset indent
-#include <time.h>
-#include <openssl/asn1.h>
-
-ASN1_TIME *asn1_time;
-time_t t;
-BIO *b;
-
-t = time(NULL);
-asn1_time = ASN1_TIME_adj(NULL, t, 0, 60 * 60);
-b = BIO_new_fp(stdout, BIO_NOCLOSE);
-if (asn1_time != NULL) {
-        ASN1_TIME_print(b, asn1_time);
-        BIO_printf(b, "\en");
-} else {
-        BIO_printf(b, "Time out of range or un-representable\en");
-}
-ASN1_STRING_free(asn1_time);
-BIO_free(b);
-.Ed
-.Sh SEE ALSO
-.Xr ASN1_TIME_new 3 ,
-.Xr X509_cmp_time 3
-.Sh STANDARDS
-The usage of the ASN.1
-.Vt Time ,
-.Vt UTCTime ,
-and
-.Vt GeneralizedTime
-data types in X.509 certificates is specified in
-RFC 5280, Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile,
-section 4.1.2.5 (TBS Certificate Validity).
-.Sh HISTORY
-.Fn ASN1_UTCTIME_check
-and
-.Fn ASN1_UTCTIME_print
-first appeared in SSLeay 0.5.1.
-.Fn ASN1_UTCTIME_set
-first appeared in SSLeay 0.6.0.
-.Fn ASN1_UTCTIME_set_string
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn ASN1_TIME_set ,
-.Fn ASN1_GENERALIZEDTIME_set ,
-.Fn ASN1_GENERALIZEDTIME_set_string ,
-.Fn ASN1_GENERALIZEDTIME_check ,
-.Fn ASN1_TIME_print ,
-and
-.Fn ASN1_GENERALIZEDTIME_print
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
-.Pp
-.Fn ASN1_UTCTIME_cmp_time_t
-first appeared in OpenSSL 0.9.6 and has been available since
-.Ox 2.9 .
-.Pp
-.Fn ASN1_TIME_check
-and
-.Fn ASN1_TIME_to_generalizedtime
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn ASN1_TIME_adj ,
-.Fn ASN1_UTCTIME_adj ,
-.Fn ASN1_GENERALIZEDTIME_adj ,
-and
-.Fn ASN1_TIME_set_string
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
-.Pp
-.Fn ASN1_TIME_diff
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 7.1 .
-.Pp
-.Fn ASN1_TIME_set_string_X509 ,
-.Fn ASN1_TIME_normalize ,
-.Fn ASN1_TIME_to_tm ,
-.Fn ASN1_TIME_cmp_time_t ,
-and
-.Fn ASN1_TIME_compare
-first appeared in OpenSSL 1.1.1 and have been available since
-.Ox 7.2 .
-.Pp
-.Fn OPENSSL_gmtime
-first appeared in OpenSSL 0.9.7.
-.Fn OPENSSL_timegm ,
-.Fn OPENSSL_posix_to_tm ,
-and
-.Fn OPENSSL_tm_to_posix
-first appeared in BoringSSL;
-all these functions have been available since
-.Ox 7.5 .
-.Sh CAVEATS
-Some applications add offset times directly to a
-.Vt time_t
-value and pass the results to
-.Fn ASN1_TIME_set
-(or equivalent).
-This can cause problems as the
-.Vt time_t
-value can overflow on some systems resulting in unexpected results.
-New applications should use
-.Fn ASN1_TIME_adj
-instead and pass the offset value in the
-.Fa offset_sec
-and
-.Fa offset_day
-parameters instead of directly manipulating a
-.Vt time_t
-value.
diff --git a/src/lib/libcrypto/man/ASN1_TYPE_get.3 b/src/lib/libcrypto/man/ASN1_TYPE_get.3
deleted file mode 100644
index 16af168d91..0000000000
--- a/src/lib/libcrypto/man/ASN1_TYPE_get.3
+++ /dev/null
@@ -1,443 +0,0 @@
-.\" $OpenBSD: ASN1_TYPE_get.3,v 1.19 2023/10/09 16:06:01 tb Exp $
-.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2017, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2015, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 9 2023 $
-.Dt ASN1_TYPE_GET 3
-.Os
-.Sh NAME
-.Nm ASN1_TYPE_new ,
-.Nm ASN1_TYPE_free ,
-.Nm ASN1_TYPE_get ,
-.Nm ASN1_TYPE_set ,
-.Nm ASN1_TYPE_set1 ,
-.Nm ASN1_TYPE_set_octetstring ,
-.Nm ASN1_TYPE_get_octetstring ,
-.Nm ASN1_TYPE_set_int_octetstring ,
-.Nm ASN1_TYPE_get_int_octetstring ,
-.Nm ASN1_TYPE_cmp
-.Nd ASN.1 objects of arbitrary type
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_TYPE *
-.Fn ASN1_TYPE_new void
-.Ft void
-.Fn ASN1_TYPE_free "ASN1_TYPE *a"
-.Ft int
-.Fo ASN1_TYPE_get
-.Fa "const ASN1_TYPE *a"
-.Fc
-.Ft void
-.Fo ASN1_TYPE_set
-.Fa "ASN1_TYPE *a"
-.Fa "int type"
-.Fa "void *value"
-.Fc
-.Ft int
-.Fo ASN1_TYPE_set1
-.Fa "ASN1_TYPE *a"
-.Fa "int type"
-.Fa "const void *value"
-.Fc
-.Ft int
-.Fo ASN1_TYPE_set_octetstring
-.Fa "ASN1_TYPE *a"
-.Fa "const unsigned char *data"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo ASN1_TYPE_get_octetstring
-.Fa "const ASN1_TYPE *a"
-.Fa "unsigned char *buffer"
-.Fa "int buflen"
-.Fc
-.Ft int
-.Fo ASN1_TYPE_set_int_octetstring
-.Fa "ASN1_TYPE *a"
-.Fa "long num"
-.Fa "const unsigned char *data"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo ASN1_TYPE_get_int_octetstring
-.Fa "const ASN1_TYPE *a",
-.Fa "long *num"
-.Fa "unsigned char *buffer",
-.Fa "int buflen"
-.Fc
-.Ft int
-.Fo ASN1_TYPE_cmp
-.Fa "const ASN1_TYPE *a"
-.Fa "const ASN1_TYPE *b"
-.Fc
-.Sh DESCRIPTION
-The
-.Vt ASN1_TYPE
-data type and the
-.Dv V_ASN1_ANY
-type identifier constant represent the ASN.1 ANY type.
-An
-.Vt ASN1_TYPE
-object can store an ASN.1 value of arbitrary type,
-including constructed types such as a SEQUENCE.
-It also remembers internally which type it currently holds.
-.Pp
-.Fn ASN1_TYPE_new
-allocates and initializes an empty
-.Vt ASN1_TYPE
-object of type
-.Dv V_ASN1_UNDEF .
-.Pp
-.Fn ASN1_TYPE_free
-frees
-.Fa a
-including the value stored in it, if any.
-If
-.Fa a
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn ASN1_TYPE_get
-returns the type currently held by
-.Fa a ,
-represented by one of the
-.Dv V_ASN1_*
-constants defined in
-.In openssl/asn1.h .
-.Pp
-.Fn ASN1_TYPE_set
-frees the value contained in
-.Fa a ,
-if any, and sets the
-.Fa value
-and
-.Fa type
-now held in
-.Fa a .
-This function uses the pointer
-.Fa value
-internally so it must
-.Sy not
-be freed up after the call.
-.Pp
-.Fn ASN1_TYPE_set1
-sets the type held by
-.Fa a
-to
-.Fa type
-and its value to a copy of
-.Fa value .
-If copying succeeds, the previous value that was contained in
-.Fa a
-is freed.
-If copying fails,
-.Fa a
-remains unchanged.
-.Pp
-The type and meaning of the
-.Fa value
-argument of
-.Fn ASN1_TYPE_set
-and
-.Fn ASN1_TYPE_set1
-is determined by the
-.Fa type
-argument.
-If
-.Fa type
-is
-.Dv V_ASN1_NULL ,
-.Fa value
-is ignored.
-If
-.Fa type
-is
-.Dv V_ASN1_BOOLEAN ,
-then the boolean is set to TRUE if
-.Fa value
-is not
-.Dv NULL .
-If
-.Fa type
-is
-.Dv V_ASN1_OBJECT ,
-then
-.Fa value
-is an
-.Vt ASN1_OBJECT
-structure.
-Otherwise
-.Fa type
-is an
-.Vt ASN1_STRING
-structure.
-If
-.Fa type
-corresponds to a primitive type or a string type, then the contents
-of the
-.Vt ASN1_STRING
-contains the content octets of the type.
-If
-.Fa type
-corresponds to a constructed type or a tagged type
-.Pq Dv V_ASN1_SEQUENCE , V_ASN1_SET , No or Dv V_ASN1_OTHER ,
-then the
-.Vt ASN1_STRING
-contains the entire ASN.1 encoding verbatim, including tag and
-length octets.
-.Pp
-.Fn ASN1_TYPE_set_octetstring
-allocates a new
-.Vt ASN1_OCTET_STRING
-object, copies
-.Fa len
-bytes of
-.Fa data
-into it using
-.Xr ASN1_STRING_set 3 ,
-and replaces the value of
-.Fa a
-with it by calling
-.Fn ASN1_TYPE_set
-with a type of
-.Dv V_ASN1_OCTET_STRING .
-.Pp
-.Fn ASN1_TYPE_get_octetstring
-copies the contents of the
-.Vt ASN1_OCTET_STRING
-object contained in
-.Fa a ,
-but not more than
-.Fa buflen
-bytes, into the
-.Fa buffer
-provided by the caller.
-.Pp
-.Fn ASN1_TYPE_set_int_octetstring
-frees the value contained in
-.Fa a ,
-if any, sets its type to
-.Dv V_ASN1_SEQUENCE ,
-and sets its value to a two-element ASN.1 sequence consisting of
-an ASN.1 INTEGER object with the value
-.Fa num
-and an ASN.1 OCTET STRING object
-containing a copy of the
-.Fa len
-bytes pointed to by
-.Fa data .
-.Pp
-.Fn ASN1_TYPE_get_int_octetstring
-copies the integer value from the first element of the ASN.1 sequence
-.Fa a
-to
-.Pf * Fa num
-unless
-.Fa num
-is a
-.Dv NULL
-pointer and copies the octet string value from the second element,
-but not more than
-.Fa buflen
-bytes, into the
-.Fa buffer
-provided by the caller unless
-.Fa buffer
-is a
-.Dv NULL
-pointer.
-.Pp
-.Fn ASN1_TYPE_cmp
-checks that
-.Fa a
-and
-.Fa b
-hold the same type, the same value, and are encoded in the same way.
-.Pp
-If the types agree and the values have the same meaning but are
-encoded differently, they are considered different.
-For example, a boolean value is represented
-using a single content octet.
-Under BER, any non-zero octet represents the TRUE value, but
-.Fn ASN1_TYPE_cmp
-will only report a match if the content octet is the same.
-.Pp
-If either or both of the arguments passed to
-.Fn ASN1_TYPE_cmp
-is
-.Dv NULL ,
-the result is a mismatch.
-Technically, if both arguments are
-.Dv NULL ,
-the two types could be absent OPTIONAL fields and so should match,
-however passing
-.Dv NULL
-values could also indicate a programming error (for example an
-unparsable type which returns
-.Dv NULL )
-for types which do
-.Sy not
-match.
-So applications should handle the case of two absent values separately.
-.Sh RETURN VALUES
-.Fn ASN1_TYPE_new
-returns the new
-.Vt ASN1_TYPE
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn ASN1_TYPE_get
-returns the type currently held by
-.Fa a
-or 0 if an error occurs.
-The latter can happen if
-.Fa a
-does not contain a value even though its type is not
-.Dv V_ASN1_NULL .
-For example, it will always happen for empty objects
-newly constructed with
-.Fn ASN1_TYPE_new .
-.Pp
-.Fn ASN1_TYPE_set1 ,
-.Fn ASN1_TYPE_set_octetstring ,
-and
-.Fn ASN1_TYPE_set_int_octetstring
-return 1 on success or 0 on failure.
-.Pp
-.Fn ASN1_TYPE_get_octetstring
-returns the number of data bytes contained in the
-.Vt ASN1_OCTET_STRING
-object contained in
-.Fa a
-or \-1 if
-.Fa a
-is not of the type
-.Dv V_ASN1_OCTET_STRING
-or does not contain any object.
-If the return value is greater than the
-.Fa buflen
-argument, the content was truncated when copied to the
-.Fa buffer .
-.Pp
-.Fn ASN1_TYPE_get_int_octetstring
-returns the number of data bytes contained in the
-.Vt ASN1_OCTET_STRING
-object that is the second element of the ASN.1 sequence
-.Fa a
-or \-1 if
-.Fa a
-is not of the type
-.Dv V_ASN1_SEQUENCE
-or if decoding fails.
-If the return value is greater than the
-.Fa buflen
-argument, the content was truncated when copied to the
-.Fa buffer .
-.Pp
-.Fn ASN1_TYPE_cmp
-returns 0 for a match or non-zero for a mismatch.
-.Sh SEE ALSO
-.Xr ASN1_generate_nconf 3 ,
-.Xr ASN1_get_object 3 ,
-.Xr ASN1_item_free 3 ,
-.Xr ASN1_OBJECT_new 3 ,
-.Xr ASN1_parse_dump 3 ,
-.Xr ASN1_put_object 3 ,
-.Xr ASN1_STRING_dup 3 ,
-.Xr ASN1_STRING_new 3 ,
-.Xr crypto 3 ,
-.Xr d2i_ASN1_NULL 3 ,
-.Xr d2i_ASN1_SEQUENCE_ANY 3 ,
-.Xr d2i_ASN1_TYPE 3 ,
-.Xr OBJ_dup 3
-.Sh HISTORY
-.Fn ASN1_TYPE_new
-and
-.Fn ASN1_TYPE_free
-first appeared in SSLeay 0.5.1,
-.Fn ASN1_TYPE_get
-and
-.Fn ASN1_TYPE_set
-in SSLeay 0.8.0, and
-.Fn ASN1_TYPE_set_octetstring ,
-.Fn ASN1_TYPE_get_octetstring ,
-.Fn ASN1_TYPE_set_int_octetstring ,
-and
-.Fn ASN1_TYPE_get_int_octetstring
-in SSLeay 0.9.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn ASN1_TYPE_set1
-first appeared in OpenSSL 0.9.8h and has been available since
-.Ox 4.5 .
-.Pp
-.Fn ASN1_TYPE_cmp
-first appeared in OpenSSL 0.9.8zd, 1.0.0p, and 1.0.1k
-and has been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/ASN1_UNIVERSALSTRING_to_string.3 b/src/lib/libcrypto/man/ASN1_UNIVERSALSTRING_to_string.3
deleted file mode 100644
index 2af675295b..0000000000
--- a/src/lib/libcrypto/man/ASN1_UNIVERSALSTRING_to_string.3
+++ /dev/null
@@ -1,64 +0,0 @@
-.\" $OpenBSD: ASN1_UNIVERSALSTRING_to_string.3,v 1.1 2021/11/15 13:39:40 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 15 2021 $
-.Dt ASN1_UNIVERSALSTRING_TO_STRING 3
-.Os
-.Sh NAME
-.Nm ASN1_UNIVERSALSTRING_to_string
-.Nd recode UTF-32 to ISO Latin-1
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft int
-.Fo ASN1_UNIVERSALSTRING_to_string
-.Fa "ASN1_UNIVERSALSTRING *string"
-.Fc
-.Sh DESCRIPTION
-.Fn ASN1_UNIVERSALSTRING_to_string
-assumes that the given
-.Fa string
-is encoded in UTF-32, recodes it in place to ISO Latin-1,
-and changes the type according to
-.Xr ASN1_PRINTABLE_type 3 .
-.Pp
-.Fn ASN1_UNIVERSALSTRING_to_string
-fails and leaves the
-.Fa string
-unchanged if its
-.Xr ASN1_STRING_type 3
-is not
-.Dv V_ASN1_UNIVERSALSTRING ,
-if its
-.Xr ASN1_STRING_length 3
-is not a multiple of four bytes,
-or if any of its characters cannot be represented in ISO Latin-1.
-.Pp
-In case of success, the
-.Xr ASN1_STRING_length 3
-of the
-.Fa string
-is reduced by a factor of four.
-.Sh RETURN VALUES
-.Fn ASN1_UNIVERSALSTRING_to_string
-returns 1 on success or 0 on failure.
-.Sh SEE ALSO
-.Xr ASN1_mbstring_copy 3 ,
-.Xr ASN1_STRING_new 3 ,
-.Xr ASN1_STRING_to_UTF8 3
-.Sh HISTORY
-.Fn ASN1_UNIVERSALSTRING_to_string
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/ASN1_generate_nconf.3 b/src/lib/libcrypto/man/ASN1_generate_nconf.3
deleted file mode 100644
index b15d4295a9..0000000000
--- a/src/lib/libcrypto/man/ASN1_generate_nconf.3
+++ /dev/null
@@ -1,394 +0,0 @@
-.\"     $OpenBSD: ASN1_generate_nconf.3,v 1.13 2019/06/10 14:58:48 schwarze Exp $
-.\"     OpenSSL 05ea606a Fri May 20 20:52:46 2016 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson.
-.\" Copyright (c) 2002, 2003, 2006-2009, 2013-2015 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 10 2019 $
-.Dt ASN1_GENERATE_NCONF 3
-.Os
-.Sh NAME
-.Nm ASN1_generate_nconf ,
-.Nm ASN1_generate_v3
-.Nd ASN.1 generation functions
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_TYPE *
-.Fo ASN1_generate_nconf
-.Fa "const char *str"
-.Fa "CONF *nconf"
-.Fc
-.Ft ASN1_TYPE *
-.Fo ASN1_generate_v3
-.Fa "const char *str"
-.Fa "X509V3_CTX *cnf"
-.Fc
-.Sh DESCRIPTION
-These functions generate the ASN.1 encoding of a string in an
-.Vt ASN1_TYPE
-structure.
-.Pp
-.Fa str
-contains the string to encode
-.Fa nconf
-or
-.Fa cnf
-contains the optional configuration information
-where additional strings will be read from.
-.Fa nconf
-will typically come from a config file whereas
-.Fa cnf
-is obtained from an
-.Vt X509V3_CTX
-structure which will typically be used
-by X509 v3 certificate extension functions.
-.Fa cnf
-or
-.Fa nconf
-can be set to
-.Dv NULL
-if no additional configuration will be used.
-.Sh GENERATION STRING FORMAT
-The actual data encoded is determined by the string
-.Fa str
-and the configuration information.
-The general format of the string is:
-.Pp
-.D1 Oo Ar modifier , Oc Ns Ar type Ns Op : Ns Ar value
-.Pp
-That is zero or more comma separated modifiers followed by a type
-followed by an optional colon and a value.
-The formats of
-.Ar type ,
-.Ar value
-and
-.Ar modifier
-are explained below.
-.Ss Supported types
-The supported types are listed below.
-Unless otherwise specified, only the
-.Cm ASCII
-format is permissible.
-.Bl -tag -width Ds
-.It Cm BOOLEAN , BOOL
-This encodes a boolean type.
-The
-.Ar value
-string is mandatory and should be
-.Cm TRUE
-or
-.Cm FALSE .
-Additionally
-.Cm true ,
-.Cm Y ,
-.Cm y ,
-.Cm YES ,
-.Cm yes ,
-.Cm false ,
-.Cm N ,
-.Cm n ,
-.Cm NO
-and
-.Cm no
-are acceptable.
-.It Cm NULL
-Encode the NULL type.
-The
-.Ar value
-string must not be present.
-.It Cm INTEGER , INT
-Encodes an ASN.1 INTEGER type.
-The
-.Ar value
-string represents the value of the integer.
-It can be prefaced by a minus sign
-and is normally interpreted as a decimal value unless the prefix
-.Cm 0x
-is included.
-.It Cm ENUMERATED , ENUM
-Encodes the ASN.1 ENUMERATED type.
-It is otherwise identical to
-.Cm INTEGER .
-.It Cm OBJECT , OID
-Encodes an ASN.1 OBJECT IDENTIFIER.
-The
-.Ar value
-string can be a short name, a long name, or numerical format.
-.It Cm UTCTIME , UTC
-Encodes an ASN.1 UTCTime structure.
-The value should be in the format
-.Ar YYMMDDHHMMSSZ .
-.It Cm GENERALIZEDTIME , GENTIME
-Encodes an ASN.1 GeneralizedTime structure.
-The value should be in the format
-.Ar YYYYMMDDHHMMSSZ .
-.It Cm OCTETSTRING , OCT
-Encodes an ASN.1 OCTET STRING.
-.Ar value
-represents the contents of this structure.
-The format strings
-.Cm ASCII
-and
-.Cm HEX
-can be used to specify the format of
-.Ar value .
-.It Cm BITSTRING , BITSTR
-Encodes an ASN.1 BIT STRING.
-.Ar value
-represents the contents of this structure.
-The format strings
-.Cm ASCII ,
-.Cm HEX ,
-and
-.Cm BITLIST
-can be used to specify the format of
-.Ar value .
-.Pp
-If the format is anything other than
-.Cm BITLIST ,
-the number of unused bits is set to zero.
-.It Xo
-.Cm BMPSTRING , BMP ,
-.Cm GeneralString ,
-.Cm IA5STRING , IA5 ,
-.Cm NUMERICSTRING , NUMERIC ,
-.Cm PRINTABLESTRING , PRINTABLE ,
-.Cm T61STRING , T61 ,
-.Cm TELETEXSTRING ,
-.Cm UNIVERSALSTRING , UNIV ,
-.Cm UTF8String , UTF8 ,
-.Cm VISIBLESTRING , VISIBLE
-.Xc
-These encode the corresponding string types.
-.Ar value
-represents the contents of this structure.
-The format can be
-.Cm ASCII
-or
-.Cm UTF8 .
-.It Cm SEQUENCE , SEQ , SET
-Formats the result as an ASN.1 SEQUENCE or SET type.
-.Ar value
-should be a section name which will contain the contents.
-The field names in the section are ignored
-and the values are in the generated string format.
-If
-.Ar value
-is absent, then an empty SEQUENCE will be encoded.
-.El
-.Ss Modifiers
-Modifiers affect the following structure.
-They can be used to add EXPLICIT or IMPLICIT tagging, add wrappers,
-or to change the string format of the final type and value.
-The supported formats are:
-.Bl -tag -width Ds
-.It Cm EXPLICIT , EXP
-Add an explicit tag to the following structure.
-This string should be followed by a colon
-and the tag value to use as a decimal value.
-.Pp
-By following the number with
-.Cm U ,
-.Cm A ,
-.Cm P
-or
-.Cm C ,
-UNIVERSAL, APPLICATION, PRIVATE or CONTEXT SPECIFIC tagging can be used.
-The default is CONTEXT SPECIFIC.
-.It Cm IMPLICIT , IMP
-This is the same as
-.Cm EXPLICIT
-except IMPLICIT tagging is used instead.
-.It Cm OCTWRAP , SEQWRAP , SETWRAP , BITWRAP
-The following structure is surrounded by
-an OCTET STRING, a SEQUENCE, a SET, or a BIT STRING, respectively.
-For a BIT STRING the number of unused bits is set to zero.
-.It Cm FORMAT
-This specifies the format of the ultimate value.
-It should be followed by a colon and one of the strings
-.Cm ASCII ,
-.Cm UTF8 ,
-.Cm HEX ,
-or
-.Cm BITLIST .
-.Pp
-If no format specifier is included, then
-.Cm ASCII
-is used.
-If
-.Cm UTF8
-is specified, then the
-.Ar value
-string must be a valid UTF-8 string.
-For
-.Cm HEX ,
-the output must be a set of hex digits.
-.Cm BITLIST
-(which is only valid for a BIT STRING) is a comma separated list
-of the indices of the set bits, all other bits are zero.
-.El
-.Sh RETURN VALUES
-.Fn ASN1_generate_nconf
-and
-.Fn ASN1_generate_v3
-return the encoded data as an
-.Vt ASN1_TYPE
-structure or
-.Dv NULL
-if an error occurred.
-.Pp
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh EXAMPLES
-A simple
-.Vt IA5String :
-.Pp
-.Dl IA5STRING:Hello World
-.Pp
-An
-.Vt IA5String
-explicitly tagged:
-.Pp
-.Dl EXPLICIT:0,IA5STRING:Hello World
-.Pp
-An
-.Vt IA5String
-explicitly tagged using APPLICATION tagging:
-.Pp
-.Dl EXPLICIT:0A,IA5STRING:Hello World
-.Pp
-A BITSTRING with bits 1 and 5 set and all others zero:
-.Pp
-.Dl FORMAT:BITLIST,BITSTRING:1,5
-.Pp
-A more complex example using a config file to produce a
-SEQUENCE consisting of a BOOL an OID and a
-.Vt UTF8String :
-.Bd -literal -offset indent
-asn1 = SEQUENCE:seq_section
-
-[seq_section]
-
-field1 = BOOLEAN:TRUE
-field2 = OID:commonName
-field3 = UTF8:Third field
-.Ed
-.Pp
-This example produces an
-.Vt RSAPrivateKey
-structure.
-This is the key contained in the file
-.Pa client.pem
-in all OpenSSL distributions.
-Note that the field names such as
-.Qq coeff
-are ignored and are present just for clarity.
-.Bd -literal -offset 2n
-asn1=SEQUENCE:private_key
-[private_key]
-version=INTEGER:0
-
-n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\e
-D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
-
-e=INTEGER:0x010001
-
-d=INTEGER:0x6F05EAD2F27FFAEC84BEC360C4B928FD5F3A9865D0FCAAD291E2A52F4A\e
-F810DC6373278C006A0ABBA27DC8C63BF97F7E666E27C5284D7D3B1FFFE16B7A87B51D
-
-p=INTEGER:0xF3929B9435608F8A22C208D86795271D54EBDFB09DDEF539AB083DA912\e
-D4BD57
-
-q=INTEGER:0xC50016F89DFF2561347ED1186A46E150E28BF2D0F539A1594BBD7FE467\e
-46EC4F
-
-exp1=INTEGER:0x9E7D4326C924AFC1DEA40B45650134966D6F9DFA3A7F9D698CD4ABEA\e
-9C0A39B9
-
-exp2=INTEGER:0xBA84003BB95355AFB7C50DF140C60513D0BA51D637272E355E397779\e
-E7B2458F
-
-coeff=INTEGER:0x30B9E4F2AFA5AC679F920FC83F1F2DF1BAF1779CF989447FABC2F5\e
-628657053A
-.Ed
-.Pp
-This example is the corresponding public key in an ASN.1
-.Vt SubjectPublicKeyInfo
-structure:
-.Bd -literal -offset 2n
-# Start with a SEQUENCE
-asn1=SEQUENCE:pubkeyinfo
-
-# pubkeyinfo contains an algorithm identifier and the public key
-# wrapped in a BIT STRING
-[pubkeyinfo]
-algorithm=SEQUENCE:rsa_alg
-pubkey=BITWRAP,SEQUENCE:rsapubkey
-
-# algorithm ID for RSA is just an OID and a NULL
-[rsa_alg]
-algorithm=OID:rsaEncryption
-parameter=NULL
-
-# Actual public key: modulus and exponent
-[rsapubkey]
-n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\e
-D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
-
-e=INTEGER:0x010001
-.Ed
-.Sh SEE ALSO
-.Xr ASN1_TYPE_get 3 ,
-.Xr d2i_ASN1_TYPE 3 ,
-.Xr x509v3.cnf 5
-.Sh HISTORY
-.Fn ASN1_generate_nconf
-and
-.Fn ASN1_generate_v3
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/ASN1_get_object.3 b/src/lib/libcrypto/man/ASN1_get_object.3
deleted file mode 100644
index 781b12ad5a..0000000000
--- a/src/lib/libcrypto/man/ASN1_get_object.3
+++ /dev/null
@@ -1,200 +0,0 @@
-.\" $OpenBSD: ASN1_get_object.3,v 1.2 2021/07/11 19:03:45 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 11 2021 $
-.Dt ASN1_GET_OBJECT 3
-.Os
-.Sh NAME
-.Nm ASN1_get_object
-.Nd parse identifier and length octets
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft int
-.Fo ASN1_get_object
-.Fa "const unsigned char **ber_in"
-.Fa "long *plength"
-.Fa "int *ptag"
-.Fa "int *pclass"
-.Fa "long omax"
-.Fc
-.Sh DESCRIPTION
-.Fn ASN1_get_object
-parses the identifier and length octets of a BER-encoded value.
-On function entry,
-.Pf * Fa ber_in
-is expected to point to the first identifier octet.
-If the identifier and length octets turn out to be valid,
-the function advances
-.Pf * Fa ber_in
-to the first content octet before returning.
-.Pp
-If the identifier octets are valid,
-.Fn ASN1_get_object
-stores the tag number in
-.Pf * Fa ptag
-and the class of the tag in
-.Pf * Fa pclass .
-The class is either
-.Dv V_ASN1_UNIVERSAL
-or
-.Dv V_ASN1_APPLICATION
-or
-.Dv V_ASN1_CONTEXT_SPECIFIC
-or
-.Dv V_ASN1_PRIVATE .
-.Pp
-If the length octets are valid, too,
-.Fn ASN1_get_object
-stores the number encoded in the length octets in
-.Pf * Fa plength .
-If the length octet indicates the indefinite form,
-.Pf * Fa plength
-is set to 0.
-.Pp
-.Fn ASN1_get_object
-inspects at most
-.Fa omax
-bytes.
-If parsing of the length octets remains incomplete after inspecting
-that number of bytes, parsing fails with
-.Dv ASN1_R_HEADER_TOO_LONG .
-.Sh RETURN VALUES
-Bits set in the return value of
-.Fn ASN1_get_object
-have the following meanings:
-.Bl -tag -width Ds
-.It 0x80
-An error occurred.
-One of the
-.Sx ERRORS
-described below has been set.
-.It 0x20 = Dv V_ASN1_CONSTRUCTED
-The encoding is constructed rather than primitive,
-and the identifier and length octets are valid.
-.It 0x01
-The length octet indicates the indefinite form.
-This bit can only occur if
-.Dv V_ASN1_CONSTRUCTED
-is also set.
-.El
-.Pp
-Consequently, the following combinations can occur:
-.Bl -tag -width Ds
-.It 0x00
-A valid primitive encoding.
-.It 0x20
-A valid constructed encoding, definite form.
-.It 0x21
-A valid constructed encoding, indefinite form.
-.It 0x80
-Either a primitive encoding with a valid tag and definite length,
-but the content octets won't fit into
-.Fa omax ,
-or parsing failed.
-Use
-.Xr ERR_GET_REASON 3
-to distinguish the two cases.
-.It 0xa0
-A constructed encoding with a valid tag and definite length,
-but the content octets won't fit into
-.Fa omax .
-.El
-.Pp
-The bit combinations 0x01, 0x81, and 0xa1 cannot occur as return values.
-.Sh ERRORS
-If the bit 0x80 is set in the return value,
-diagnostics can be retrieved with
-.Xr ERR_get_error 3 ,
-.Xr ERR_GET_REASON 3 ,
-and
-.Xr ERR_reason_error_string 3 :
-.Bl -tag -width Ds
-.It Dv ASN1_R_HEADER_TOO_LONG Qq "header too long"
-Inspecting
-.Fa omax
-bytes was insufficient to finish parsing,
-the tag number encoded in the identifier octets exceeds
-.Dv INT_MAX ,
-the number encoded in the length octets exceeds
-.Dv LONG_MAX ,
-or using the indefinite form for the length octets is attempted
-even though the encoding is primitive.
-.Pp
-In this case, the return value is exactly 0x80; no other bits are set.
-.Pp
-If the problem occurred while parsing the identifier octets,
-.Pf * Fa ptag
-and
-.Pf * Fa pclass
-remain unchanged.
-If the problem occurred while parsing the length octets,
-.Pf * Fa ptag
-and
-.Pf * Fa pclass
-are set according to the identifier octets.
-In both cases,
-.Pf * Fa ber_in
-and
-.Pf * Fa plength
-remain unchanged.
-.Pp
-The wording of the error message is confusing.
-On the one hand, the header might be just fine,
-and the root cause of the problem could be that the chosen
-.Fa omax
-argument was too small.
-On the other hand, outright BER syntax errors are also reported as
-.Dv ASN1_R_HEADER_TOO_LONG .
-.It Dv ASN1_R_TOO_LONG Qq "too long"
-The identifier and length octets are valid,
-but the content octets won't fit into
-.Fa omax .
-The following have been set as appropriate and can safely be inspected:
-.Pf * pclass ,
-.Pf * ptag ,
-.Pf * plength ,
-and the bits
-.Dv V_ASN1_CONSTRUCTED
-and 0x01 in the return value.
-The parse pointer
-.Pf * ber_in
-has been advanced to the first content octet.
-.Pp
-Again, the error message may occasionally sound confusing.
-The length of the content may be reasonable, and the root cause of
-the problem could be that the chosen
-.Fa omax
-argument was too small.
-.El
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr ASN1_item_new 3 ,
-.Xr ASN1_parse_dump 3
-.Sh STANDARDS
-ITU-T Recommendation X.690, also known as ISO/IEC 8825-1:
-Information technology - ASN.1 encoding rules:
-Specification of Basic Encoding Rules (BER), Canonical Encoding
-Rules (CER) and Distinguished Encoding Rules (DER):
-.Bl -dash -offset 2n -width 1n -compact
-.It
-Section 8.1.2: Identifier octets
-.It
-Section 8.1.3: Length octets
-.El
-.Sh HISTORY
-.Fn ASN1_get_object
-first appeared in SSLeay 0.5.1 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/ASN1_item_d2i.3 b/src/lib/libcrypto/man/ASN1_item_d2i.3
deleted file mode 100644
index bc99f4a6da..0000000000
--- a/src/lib/libcrypto/man/ASN1_item_d2i.3
+++ /dev/null
@@ -1,492 +0,0 @@
-.\" $OpenBSD: ASN1_item_d2i.3,v 1.18 2023/05/01 07:37:45 tb Exp $
-.\" selective merge up to:
-.\" OpenSSL doc/man3/d2i_X509.pod 256989ce Jun 19 15:00:32 2020 +0200
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2003, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 1 2023 $
-.Dt ASN1_ITEM_D2I 3
-.Os
-.Sh NAME
-.Nm ASN1_item_d2i ,
-.Nm ASN1_item_d2i_bio ,
-.Nm ASN1_item_d2i_fp ,
-.Nm d2i_ASN1_TYPE ,
-.Nm ASN1_item_i2d ,
-.Nm ASN1_item_i2d_bio ,
-.Nm ASN1_item_i2d_fp ,
-.Nm i2d_ASN1_TYPE ,
-.Nm ASN1_item_dup ,
-.Nm ASN1_item_print
-.Nd decode and encode ASN.1 objects
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_VALUE *
-.Fo ASN1_item_d2i
-.Fa "ASN1_VALUE **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fa "const ASN1_ITEM *it"
-.Fc
-.Ft void *
-.Fo ASN1_item_d2i_bio
-.Fa "const ASN1_ITEM *it"
-.Fa "BIO *in_bio"
-.Fa "void *val_out"
-.Fc
-.Ft void *
-.Fo ASN1_item_d2i_fp
-.Fa "const ASN1_ITEM *it"
-.Fa "FILE *in_fp"
-.Fa "void *val_out"
-.Fc
-.Ft ASN1_TYPE *
-.Fo d2i_ASN1_TYPE
-.Fa "ASN1_TYPE **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo ASN1_item_i2d
-.Fa "ASN1_VALUE *val_in"
-.Fa "unsigned char **der_out"
-.Fa "const ASN1_ITEM *it"
-.Fc
-.Ft int
-.Fo ASN1_item_i2d_bio
-.Fa "const ASN1_ITEM *it"
-.Fa "BIO *out_bio"
-.Fa "void *val_in"
-.Fc
-.Ft int
-.Fo ASN1_item_i2d_fp
-.Fa "const ASN1_ITEM *it"
-.Fa "FILE *out_fp"
-.Fa "void *val_in"
-.Fc
-.Ft int
-.Fo i2d_ASN1_TYPE
-.Fa "ASN1_TYPE *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft void *
-.Fo ASN1_item_dup
-.Fa "const ASN1_ITEM *it"
-.Fa "void *val_in"
-.Fc
-.Ft int
-.Fo ASN1_item_print
-.Fa "BIO *out_bio"
-.Fa "ASN1_VALUE *val_in"
-.Fa "int indent"
-.Fa "const ASN1_ITEM *it"
-.Fa "const ASN1_PCTX *pctx"
-.Fc
-.Sh DESCRIPTION
-These functions convert ASN.1 values from their BER encoding to
-internal C structures
-.Pq Dq d2i
-and vice versa
-.Pq Dq i2d .
-Unlike the C structures which contain pointers to sub-objects, BER
-is a serialized encoding, suitable for transfer over the network
-and for storage in a file.
-.Pp
-.Fn ASN1_item_d2i
-interprets
-.Pf * Fa der_in
-as a DER- or BER-encoded byte array and decodes one value of type
-.Fa it
-represented by up to
-.Fa length
-bytes.
-If successful,
-.Pf * Fa der_in
-is advanced to the byte following the parsed data.
-.Pp
-If decoding succeeds and
-.Fa val_out
-or
-.Pf * Fa val_out
-is
-.Dv NULL ,
-a new object is allocated.
-.Pp
-If decoding succeeds and
-.Pf * Fa val_out
-is not
-.Dv NULL ,
-it is assumed to point to a valid populated object and an attempt
-is made to reuse it.
-It must not be an empty structure such as one returned by
-.Xr ASN1_item_new 3
-or by one of the various type-specific
-.Fn *_new
-functions.
-This
-.Dq reuse
-capability is present for backward compatibility, but its use is
-strongly discouraged; see the
-.Sx BUGS
-section below.
-.Pp
-.Fn ASN1_item_d2i_bio
-and
-.Fn ASN1_item_d2i_fp
-are similar to
-.Fn ASN1_item_d2i
-except that they read from a
-.Vt BIO
-or
-.Vt FILE ,
-respectively.
-.Pp
-.Fn d2i_ASN1_TYPE
-is similar to
-.Fn ASN1_item_d2i
-except that it does not require a desired type to be specified by
-the user, but instead returns an
-.Vt ASN1_TYPE
-wrapper object containing both the type and the value found in the input.
-.Pp
-.Fn ASN1_item_i2d
-encodes the object pointed to by
-.Fa val_in
-into DER format.
-.Pp
-If
-.Pf * Fa der_out
-is not
-.Dv NULL ,
-it writes the DER-encoded data to the buffer at
-.Pf * Fa der_out
-and increments it to point after the data just written.
-In this case, it is the responsibility of the user to make sure
-that the buffer pointed to by
-.Pf * Fa der_out
-is long enough, such that no buffer overflow can occur.
-.Pp
-If
-.Pf * Fa der_out
-is
-.Dv NULL ,
-memory is allocated for a buffer, and
-.Pf * Fa der_out
-is not incremented, but points to the start of the data just written.
-.Pp
-If
-.Fa der_out
-is
-.Dv NULL ,
-the encoded bytes are not written anywhere but discarded.
-For
-.Fa val_in
-objects of variable encoding size, this is sometimes used to first
-find the number of bytes that will be written.
-Then, a sufficient amount of memory is allocated before calling
-.Fn ASN1_item_i2d
-again.
-This explicit double-call technique is often not needed because the
-auto-allocation technique described in the previous paragraph can
-be used.
-.Pp
-.Fn ASN1_item_i2d_bio
-and
-.Fn ASN1_item_i2d_fp
-are similar to
-.Fn ASN1_item_i2d
-except that they write to a
-.Vt BIO
-or
-.Vt FILE ,
-respectively.
-.Pp
-.Fn i2d_ASN1_TYPE
-is similar to
-.Fn ASN1_item_i2d
-except that the type and the value are not provided separately,
-but in the form of a single
-.Vt ASN1_TYPE
-object.
-.Pp
-.Fn ASN1_item_dup
-creates a deep copy of
-.Fa val_in
-by calling
-.Fn ASN1_item_i2d
-and
-.Fn ASN1_item_d2i .
-.Sh RETURN VALUES
-If successful,
-.Fn ASN1_item_d2i ,
-.Fn ASN1_item_d2i_bio ,
-.Fn ASN1_item_d2i_fp ,
-and
-.Fn d2i_ASN1_TYPE
-return a pointer to the decoded ASN.1 value.
-In addition, if
-.Fa val_out
-is not
-.Dv NULL ,
-the pointer is also written to
-.Pf * Fa val_out .
-If an error occurs,
-.Dv NULL
-is returned.
-.Pp
-.Fn ASN1_item_i2d
-and
-.Fn i2d_ASN1_TYPE
-return the number of bytes written
-or a negative value if an error occurs.
-.Pp
-.Fn ASN1_item_i2d_bio
-and
-.Fn ASN1_item_i2d_fp
-return 1 for success or 0 for failure.
-.Pp
-.Fn ASN1_item_dup
-returns the new
-.Vt ASN1_VALUE
-object or
-.Dv NULL
-if an error occurs.
-.Sh EXAMPLES
-Many type-specific wrapper functions exist.
-Using those wrappers is recommended in application code
-because it restores part of the type safety that the low-level
-interfaces using
-.Vt ASN1_VALUE
-lack.
-.Pp
-For example, to allocate a buffer and write the DER encoding of an
-.Vt X509
-object into it:
-.Bd -literal -offset indent
-X509            *x;
-unsigned char   *buf;
-int              len;
-
-buf = NULL;
-len = i2d_X509(x, &buf);
-if (len < 0)
-        /* error */
-.Ed
-.Pp
-Attempt to decode a buffer:
-.Bd -literal -offset indent
-X509                    *x;
-unsigned char           *buf;
-const unsigned char     *p;
-int                      len;
-
-/* Set up buf and len to point to the input buffer. */
-p = buf;
-x = d2i_X509(NULL, &p, len);
-if (x == NULL)
-        /* error */
-.Ed
-.Pp
-Equivalent technique:
-.Bd -literal -offset indent
-X509                    *x;
-unsigned char           *buf;
-const unsigned char     *p;
-int                      len;
-
-/* Set up buf and len to point to the input buffer. */
-p = buf;
-x = NULL;
-
-if (d2i_X509(&x, &p, len) == NULL)
-        /* error */
-.Ed
-.Sh SEE ALSO
-.Xr ASN1_get_object 3 ,
-.Xr ASN1_item_digest 3 ,
-.Xr ASN1_item_new 3 ,
-.Xr ASN1_item_pack 3 ,
-.Xr ASN1_item_sign 3 ,
-.Xr ASN1_item_verify 3 ,
-.Xr ASN1_TYPE_new 3
-.Sh HISTORY
-.Fn d2i_ASN1_TYPE
-and
-.Fn i2d_ASN1_TYPE
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn ASN1_item_d2i ,
-.Fn ASN1_item_d2i_bio ,
-.Fn ASN1_item_d2i_fp ,
-.Fn ASN1_item_i2d ,
-.Fn ASN1_item_i2d_bio ,
-.Fn ASN1_item_i2d_fp ,
-and
-.Fn ASN1_item_dup
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn ASN1_item_print
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
-.Sh CAVEATS
-If the type described by
-.Fa it
-fails to match the true type of
-.Fa val_in
-or
-.Pf * Fa val_out ,
-buffer overflows and segmentation faults are likely to occur.
-For more details about why the type
-.Vt ASN1_VALUE
-constitutes dangerous user interface design, see
-.Xr ASN1_item_new 3 .
-.Pp
-The encoded data is in binary form and may contain embedded NUL bytes.
-Functions such as
-.Xr strlen 3
-will not return the correct length of the encoded data.
-.Pp
-While the way that
-.Pf * Fa der_in
-and
-.Pf * Fa der_out
-are incremented after the operation supports the typical usage
-patterns of reading or writing one object after another, this
-behaviour can trap the unwary.
-.Pp
-Using a temporary pointer into the buffer is mandatory.
-A common mistake is to attempt to use a buffer directly as follows:
-.Bd -literal -offset indent
-X509            *x;
-unsigned char   *buf;
-int              len;
-
-len = i2d_X509(x, NULL);
-buf = malloc(len);
-i2d_X509(x, &buf);
-/* do something with buf[] */
-free(buf);
-.Ed
-.Pp
-This code will result in
-.Va buf
-apparently containing garbage because it was incremented during
-.Fn i2d_X509
-to point after the data just written.
-Also
-.Va buf
-will no longer contain the pointer allocated by
-.Xr malloc 3
-and the subsequent call to
-.Xr free 3
-is likely to crash.
-.Pp
-Another trap to avoid is misuse of the
-.Fa val_out
-argument:
-.Bd -literal -offset indent
-X509            *x;
-
-if (d2i_X509(&x, &p, len) == NULL)
-        /* error */
-.Ed
-.Pp
-This will probably crash somewhere in
-.Fn d2i_X509
-because
-.Va x
-is uninitialized and an attempt will be made to interpret its invalid
-content as an
-.Vt X509
-object, typically causing a segmentation violation.
-If
-.Va x
-is set to
-.Dv NULL
-first, then this will not happen.
-.Sh BUGS
-If the
-.Dq reuse
-capability is used, a valid object is passed in via
-.Pf * Fa val_out ,
-and an error occurs, then the object is not freed and may be left
-in an invalid or inconsistent state.
-.Pp
-In some versions of OpenSSL, the
-.Dq reuse
-behaviour is broken such that some parts of the reused object may
-persist if they are not present in the new one.
-.Pp
-In many versions of OpenSSL,
-.Fn ASN1_item_i2d
-will not return an error if mandatory fields are not initialized
-due to a programming error.
-In that case, the encoded structure may contain invalid data and
-some fields may be missing entirely, such that trying to parse it
-with
-.Fn ASN1_item_d2i
-may fail.
diff --git a/src/lib/libcrypto/man/ASN1_item_digest.3 b/src/lib/libcrypto/man/ASN1_item_digest.3
deleted file mode 100644
index 56a97555e9..0000000000
--- a/src/lib/libcrypto/man/ASN1_item_digest.3
+++ /dev/null
@@ -1,71 +0,0 @@
-.\" $OpenBSD: ASN1_item_digest.3,v 1.2 2022/09/11 04:39:46 jsg Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 11 2022 $
-.Dt ASN1_ITEM_DIGEST 3
-.Os
-.Sh NAME
-.Nm ASN1_item_digest
-.Nd DER-encode and hash an ASN.1 value
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo ASN1_item_digest
-.Fa "const ASN1_ITEM *it"
-.Fa "const EVP_MD *type"
-.Fa "void *val_in"
-.Fa "unsigned char *md"
-.Fa "unsigned int *s"
-.Fc
-.Sh DESCRIPTION
-.Fn ASN1_item_digest
-assumes that
-.Fa val_in
-is an
-.Vt ASN1_VALUE
-of the type specified by
-.Fa it ,
-encodes it into DER format by calling
-.Xr ASN1_item_i2d 3 ,
-hashes the resulting byte array using the digest
-.Fa type
-by calling
-.Xr EVP_Digest 3 ,
-places the digest value into
-.Pf * Fa md ,
-and, unless
-.Fa s
-is
-.Dv NULL ,
-places the length in bytes of the digest into
-.Pf * Fa s .
-Providing a buffer
-.Pf * Fa md
-large enough to contain the digest is the responsibility of the caller;
-providing a buffer of
-.Dv EVP_MAX_MD_SIZE
-bytes is recommended.
-.Sh RETURN VALUES
-.Fn ASN1_item_digest
-returns 1 for success or 0 if encoding or hashing fails.
-.Sh SEE ALSO
-.Xr ASN1_item_i2d 3 ,
-.Xr ASN1_item_sign 3 ,
-.Xr EVP_Digest 3
-.Sh HISTORY
-.Fn ASN1_item_digest
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.1 .
diff --git a/src/lib/libcrypto/man/ASN1_item_new.3 b/src/lib/libcrypto/man/ASN1_item_new.3
deleted file mode 100644
index 7015ed6319..0000000000
--- a/src/lib/libcrypto/man/ASN1_item_new.3
+++ /dev/null
@@ -1,126 +0,0 @@
-.\" $OpenBSD: ASN1_item_new.3,v 1.11 2022/01/12 17:54:51 tb Exp $
-.\"
-.\" Copyright (c) 2016, 2018 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: January 12 2022 $
-.Dt ASN1_ITEM_NEW 3
-.Os
-.Sh NAME
-.Nm ASN1_item_new ,
-.Nm ASN1_item_free
-.Nd generic ASN.1 value constructor and destructor
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_VALUE *
-.Fo ASN1_item_new
-.Fa "const ASN1_ITEM *it"
-.Fc
-.Ft void
-.Fo ASN1_item_free
-.Fa "ASN1_VALUE *val_in"
-.Fa "const ASN1_ITEM *it"
-.Fc
-.Sh DESCRIPTION
-.Fn ASN1_item_new
-allocates and initializes an empty ASN.1 value
-of the type described by the global static object
-.Fa it .
-.Pp
-If the item type described by
-.Fa it
-is reference counted,
-.Fn ASN1_item_free
-decrements the reference count of
-.Fa val_in .
-Otherwise, or if the reference count reaches 0,
-.Fn ASN1_item_free
-frees
-.Fa val_in ,
-assuming that it is of the type described by
-.Fa it .
-If the true type of
-.Fa val_in
-fails to match the specified
-.Fa it ,
-buffer overflows and segmentation faults are likely to occur.
-It is not possible to recover the type of an
-.Vt ASN1_VALUE
-object by inspecting it; the type always needs to be remembered
-separately.
-.Pp
-.Vt ASN1_VALUE
-is an incomplete type, and pointers to it always require casting
-to the correct complete type before they can be dereferenced.
-For all practical purposes, a pointer to
-.Vt ASN1_VALUE
-is equivalent to a
-.Vt void
-pointer.
-.Pp
-Depending on
-.Fa it ,
-there are more than 150 different types that
-.Fn ASN1_item_new
-may return.
-Most of them are pointers to structures or pointers to arrays of
-structures, but there are a few exceptions, for example:
-If
-.Fa it
-is
-.Dv ASN1_NULL_it ,
-.Fn ASN1_item_new
-returns a specific invalid pointer representing the unique
-.Vt ASN1_NULL
-object.
-If
-.Fa it
-is
-.Dv LONG_it ,
-.Fn ASN1_item_new
-does not return a pointer at all, but a
-.Vt long
-value cast to
-.Vt ASN1_VALUE * .
-.Sh RETURN VALUES
-The
-.Fn ASN1_item_new
-function returns the new
-.Vt ASN1_VALUE
-object if successful; otherwise
-.Dv NULL
-is returned and an error code can be retrieved with
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr ASN1_get_object 3 ,
-.Xr ASN1_item_d2i 3 ,
-.Xr ASN1_item_digest 3 ,
-.Xr ASN1_item_pack 3 ,
-.Xr ASN1_item_sign 3 ,
-.Xr ASN1_item_verify 3 ,
-.Xr ASN1_NULL_new 3 ,
-.Xr ASN1_TYPE_new 3 ,
-.Xr d2i_ASN1_NULL 3 ,
-.Xr OBJ_nid2obj 3
-.Sh HISTORY
-.Fn ASN1_item_new
-and
-.Fn ASN1_item_free
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Sh BUGS
-The
-.Vt ASN1_VALUE
-type compromises type safety and invites programming mistakes that
-will typically have severe consequences.
diff --git a/src/lib/libcrypto/man/ASN1_item_pack.3 b/src/lib/libcrypto/man/ASN1_item_pack.3
deleted file mode 100644
index 4c87530622..0000000000
--- a/src/lib/libcrypto/man/ASN1_item_pack.3
+++ /dev/null
@@ -1,84 +0,0 @@
-.\" $OpenBSD: ASN1_item_pack.3,v 1.1 2021/11/15 11:51:09 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 15 2021 $
-.Dt ASN1_ITEM_PACK 3
-.Os
-.Sh NAME
-.Nm ASN1_item_pack ,
-.Nm ASN1_item_unpack
-.Nd pack an ASN.1 object into an ASN1_STRING
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_STRING *
-.Fo ASN1_item_pack
-.Fa "void *val_in"
-.Fa "const ASN1_ITEM *it"
-.Fa "ASN1_STRING **string_out"
-.Fc
-.Ft void *
-.Fo ASN1_item_unpack
-.Fa "const ASN1_STRING *string_in"
-.Fa "const ASN1_ITEM *it"
-.Fc
-.Sh DESCRIPTION
-.Fn ASN1_item_pack
-encodes the object pointed to by
-.Fa val_in
-into DER format using
-.Xr ASN1_item_i2d 3
-and stores the encoded form in
-.Pf ** Fa string_out .
-If
-.Fa string_out
-or
-.Pf * Fa string_out
-is a
-.Dv NULL
-pointer, a new
-.Vt ASN1_STRING
-object is allocated and returned.
-.Pp
-.Fn ASN1_item_unpack
-interprets the data in
-.Fa string_in
-as a DER- or BER-encoded byte array and decodes one value of the type
-.Fa it
-into a newly allocated object using
-.Xr ASN1_item_d2i 3 .
-.Sh RETURN VALUES
-.Fn ASN1_item_pack
-returns the modified or new object or
-.Dv NULL
-if memory allocation or encoding fails.
-.Pp
-.Fn ASN1_item_unpack
-returns the new object or
-.Dv NULL
-if memory allocation or decoding fails.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr ASN1_item_new 3 ,
-.Xr ASN1_STRING_new 3
-.Sh HISTORY
-.Fn ASN1_item_pack
-and
-.Fn ASN1_item_unpack
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Sh BUGS
-See the BUGS section in
-.Xr ASN1_item_i2d 3 .
diff --git a/src/lib/libcrypto/man/ASN1_item_sign.3 b/src/lib/libcrypto/man/ASN1_item_sign.3
deleted file mode 100644
index 8c09fe77ff..0000000000
--- a/src/lib/libcrypto/man/ASN1_item_sign.3
+++ /dev/null
@@ -1,120 +0,0 @@
-.\" $OpenBSD: ASN1_item_sign.3,v 1.3 2024/12/06 12:51:13 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt ASN1_ITEM_SIGN 3
-.Os
-.Sh NAME
-.Nm ASN1_item_sign ,
-.Nm ASN1_item_sign_ctx
-.Nd DER-encode and sign an ASN.1 value
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo ASN1_item_sign
-.Fa "const ASN1_ITEM *it"
-.Fa "X509_ALGOR *algor1"
-.Fa "X509_ALGOR *algor2"
-.Fa "ASN1_BIT_STRING *sig_out"
-.Fa "void *val_in"
-.Fa "EVP_PKEY *pkey"
-.Fa "const EVP_MD *type"
-.Fc
-.Ft int
-.Fo ASN1_item_sign_ctx
-.Fa "const ASN1_ITEM *it"
-.Fa "X509_ALGOR *algor1"
-.Fa "X509_ALGOR *algor2"
-.Fa "ASN1_BIT_STRING *sig_out"
-.Fa "void *val_in"
-.Fa "EVP_MD_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn ASN1_item_sign
-assumes that
-.Fa val_in
-is an
-.Vt ASN1_VALUE
-of the type specified by
-.Fa it ,
-encodes it into DER format by calling
-.Xr ASN1_item_i2d 3 ,
-and signs the resulting byte array in a way similar to
-.Xr EVP_DigestSign 3 ,
-using a signing context created with
-.Xr EVP_DigestSignInit 3
-for the given digest
-.Fa type
-and private key
-.Fa pkey .
-The created signature is placed into the
-.Fa sig_out
-object provided by the caller,
-freeing and replacing any data already contained in that object.
-.Pp
-.Fn ASN1_item_sign_ctx
-is similar except that the provided
-.Ft ctx
-is used rather than creating a new one.
-No matter whether
-.Fn ASN1_item_sign_ctx
-succeeds or fails,
-.Xr EVP_MD_CTX_cleanup 3
-is called on
-.Fa ctx
-before returning.
-.Pp
-For both functions, unless
-.Fa algor1
-is
-.Dv NULL ,
-its algorithm OID and parameter type are set according to the digest
-.Fa type
-used, and its parameter value is cleared.
-In RSA-PSS mode, the parameter value is also copied into
-.Fa algor1 .
-Unless
-.Fa algor2
-is
-.Dv NULL ,
-the same data is copied into it.
-.Sh RETURN VALUES
-These functions return the length of the signature in bytes
-or 0 if memory allocation, encoding, or signing fails.
-.Pp
-.Fn ASN1_item_sign_ctx
-also fails and returns 0 if
-.Fa ctx
-is not fully initialized.
-.Sh SEE ALSO
-.Xr ASN1_BIT_STRING_new 3 ,
-.Xr ASN1_item_digest 3 ,
-.Xr ASN1_item_i2d 3 ,
-.Xr ASN1_item_verify 3 ,
-.Xr EVP_Digest 3 ,
-.Xr EVP_DigestSign 3 ,
-.Xr EVP_MD_CTX_new 3 ,
-.Xr EVP_PKEY_new 3 ,
-.Xr OBJ_find_sigid_by_algs 3 ,
-.Xr X509_ALGOR_new 3
-.Sh HISTORY
-.Fn ASN1_item_sign
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.1 .
-.Pp
-.Fn ASN1_item_sign_ctx
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
diff --git a/src/lib/libcrypto/man/ASN1_item_verify.3 b/src/lib/libcrypto/man/ASN1_item_verify.3
deleted file mode 100644
index d2810879e3..0000000000
--- a/src/lib/libcrypto/man/ASN1_item_verify.3
+++ /dev/null
@@ -1,77 +0,0 @@
-.\" $OpenBSD: ASN1_item_verify.3,v 1.3 2021/12/18 17:47:44 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 18 2021 $
-.Dt ASN1_ITEM_VERIFY 3
-.Os
-.Sh NAME
-.Nm ASN1_item_verify
-.Nd signature verification for ASN.1 values
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo ASN1_item_verify
-.Fa "const ASN1_ITEM *it"
-.Fa "X509_ALGOR *algor1"
-.Fa "ASN1_BIT_STRING *sig_in"
-.Fa "void *val_in"
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Sh DESCRIPTION
-.Fn ASN1_item_verify
-assumes that
-.Fa val_in
-is an
-.Ft ASN1_VALUE
-of the type specified by
-.Fa it ,
-encodes it into DER format by calling
-.Xr ASN1_item_i2d 3 ,
-and verifies in a way similar to
-.Xr EVP_DigestVerify 3
-that
-.Fa sig_in
-contains a valid signature of the resulting byte array,
-a signature that was created with the signature algorithm
-.Fa algor1
-and the private key corresponding to the public key
-.Fa pkey .
-.Sh RETURN VALUES
-.Fn ASN1_item_verify
-returns 1 if signature verification succeeds, 0 if signature verification
-fails, or \-1 if
-.Fa pkey
-is
-.Dv NULL ,
-if
-.Fa sig_in
-contains invalid flags, or if
-.Fa algor1
-requests an invalid or unsupported digest algorithm
-or does not work with the given
-.Fa pkey .
-.Sh SEE ALSO
-.Xr ASN1_BIT_STRING_new 3 ,
-.Xr ASN1_item_i2d 3 ,
-.Xr ASN1_item_sign 3 ,
-.Xr EVP_DigestVerify 3 ,
-.Xr EVP_PKEY_new 3 ,
-.Xr OBJ_find_sigid_algs 3 ,
-.Xr X509_ALGOR_new 3
-.Sh HISTORY
-.Fn ASN1_item_verify
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.1 .
diff --git a/src/lib/libcrypto/man/ASN1_mbstring_copy.3 b/src/lib/libcrypto/man/ASN1_mbstring_copy.3
deleted file mode 100644
index e0b48aaa62..0000000000
--- a/src/lib/libcrypto/man/ASN1_mbstring_copy.3
+++ /dev/null
@@ -1,369 +0,0 @@
-.\" $OpenBSD: ASN1_mbstring_copy.3,v 1.6 2022/02/21 00:22:03 jsg Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: February 21 2022 $
-.Dt ASN1_MBSTRING_COPY 3
-.Os
-.Sh NAME
-.Nm ASN1_mbstring_copy ,
-.Nm ASN1_mbstring_ncopy ,
-.Nm ASN1_STRING_set_by_NID ,
-.Nm ASN1_STRING_set_default_mask ,
-.Nm ASN1_STRING_set_default_mask_asc ,
-.Nm ASN1_STRING_get_default_mask ,
-.Nm ASN1_tag2bit
-.Nd copy a multibyte string into an ASN.1 string object
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft int
-.Fo ASN1_mbstring_copy
-.Fa "ASN1_STRING **out"
-.Fa "const unsigned char *in"
-.Fa "int inbytes"
-.Fa "int inform"
-.Fa "unsigned long mask"
-.Fc
-.Ft int
-.Fo ASN1_mbstring_ncopy
-.Fa "ASN1_STRING **out"
-.Fa "const unsigned char *in"
-.Fa "int inbytes"
-.Fa "int inform"
-.Fa "unsigned long mask"
-.Fa "long minchars"
-.Fa "long maxchars"
-.Fc
-.Ft ASN1_STRING *
-.Fo ASN1_STRING_set_by_NID
-.Fa "ASN1_STRING **out"
-.Fa "const unsigned char *in"
-.Fa "int inbytes"
-.Fa "int inform"
-.Fa "int nid"
-.Fc
-.Ft void
-.Fo ASN1_STRING_set_default_mask
-.Fa "unsigned long mask"
-.Fc
-.Ft int
-.Fo ASN1_STRING_set_default_mask_asc
-.Fa "const char *maskname"
-.Fc
-.Ft unsigned long
-.Fn ASN1_STRING_get_default_mask void
-.Ft unsigned long
-.Fn ASN1_tag2bit "int tag"
-.Sh DESCRIPTION
-.Fn ASN1_mbstring_copy
-interprets
-.Fa inbytes
-bytes starting at
-.Fa in
-as a multibyte string and copies it to
-.Pf * Fa out ,
-optionally changing the encoding.
-If the
-.Fa inbytes
-argument is negative, the
-.Xr strlen 3
-of
-.Fa in
-is used instead.
-.Pp
-The
-.Fa inform
-argument specifies the character encoding of
-.Fa in :
-.Bl -column MBSTRING_UNIV encoding
-.It Ar inform Ta encoding
-.It Dv MBSTRING_ASC Ta ISO-Latin-1
-.It Dv MBSTRING_BMP Ta UTF-16
-.It Dv MBSTRING_UNIV Ta UTF-32
-.It Dv MBSTRING_UTF8 Ta UTF-8
-.El
-.Pp
-The bit
-.Fa mask
-specifies a set of ASN.1 string types
-that the user is willing to accept:
-.Bl -column B_ASN1_UNIVERSALSTRING ASN1_UNIVERSALSTRING default
-.It bit in Fa mask            Ta acceptable output type  Ta default
-.It Dv B_ASN1_PRINTABLESTRING Ta Vt ASN1_PRINTABLESTRING Ta yes
-.It Dv B_ASN1_IA5STRING       Ta Vt ASN1_IA5STRING       Ta no
-.It Dv B_ASN1_T61STRING       Ta Vt ASN1_T61STRING       Ta yes
-.It Dv B_ASN1_BMPSTRING       Ta Vt ASN1_BMPSTRING       Ta yes
-.It Dv B_ASN1_UNIVERSALSTRING Ta Vt ASN1_UNIVERSALSTRING Ta no
-.It any other bit             Ta Vt ASN1_UTF8STRING      Ta yes
-.El
-.Pp
-The first type from the above table that is included in the
-.Fa mask
-argument and that can represent
-.Fa in
-is used as the output type.
-The
-.Dq default
-column indicates whether the type is considered acceptable if the
-.Fa mask
-argument has the special value 0.
-.Pp
-The following bit mask constants
-each include several of the bits listed above:
-.Bl -column B_ASN1_DIRECTORYSTRING_ MMM MMM MMM MMM MMM MMMM
-.It mask constant             Ta PRI Ta IA5 Ta T61 Ta BMP Ta UNI Ta UTF8
-.It Dv B_ASN1_DIRECTORYSTRING Ta yes Ta no  Ta yes Ta yes Ta yes Ta yes
-.It Dv DIRSTRING_TYPE         Ta yes Ta no  Ta yes Ta yes Ta no  Ta yes
-.It Dv PKCS9STRING_TYPE       Ta yes Ta yes Ta yes Ta yes Ta no  Ta yes
-.El
-.Pp
-If
-.Fa out
-is
-.Dv NULL ,
-.Fa inform ,
-.Fa inbytes ,
-and
-.Fa in
-are validated and the output type is determined and returned,
-but nothing is copied.
-.Pp
-Otherwise, if
-.Pf * Fa out
-is
-.Dv NULL ,
-a new output object of the output type is allocated
-and a pointer to it is stored in
-.Pf * Fa out .
-.Pp
-Otherwise,
-.Pf ** Fa out
-is used as the output object.
-Any data already stored in it is freed
-and its type is changed to the output type.
-.Pp
-Finally,
-.Fa in
-is copied to the output object, changing the character encoding if
-.Fa inform
-does not match the encoding used by the output type.
-.Pp
-.Fn ASN1_mbstring_ncopy
-is similar except that the number of characters in
-.Fa in
-is restricted to the range from
-.Fa minchars
-to
-.Fa maxchars ,
-inclusive.
-If
-.Fa maxchars
-is 0, no upper limit is enforced on the number of characters.
-.Pp
-.Fn ASN1_STRING_set_by_NID
-is similar with the following differences:
-.Bl -bullet -width 1n
-.It
-If
-.Fa out
-is
-.Dv NULL ,
-a new output object is allocated and returned
-instead of skipping the copying.
-.It
-If
-.Fa nid
-has a global string table entry that can be retrieved with
-.Xr ASN1_STRING_TABLE_get 3 ,
-.Fa mask ,
-.Fa minchars ,
-and
-.Fa maxchars
-are taken from that string table entry.
-For some values of
-.Fa nid ,
-an additional global mask is AND'ed into the mask before using it.
-The default value of the global mask is
-.Dv B_ASN1_UTF8STRING .
-.It
-If
-.Fa nid
-has no global string table entry,
-.Dv B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING |
-.Dv B_ASN1_BMPSTRING | B_ASN1_UTF8STRING
-is used instead of the mask taken from the table,
-and the global mask is also AND'ed into it.
-.It
-Even though success and failure happen in the same situations,
-the return value is different.
-.Xr ASN1_STRING_type 3
-can be used to determine the type of the return value.
-.El
-.Pp
-.Fn ASN1_STRING_set_default_mask
-sets the global mask used by
-.Fn ASN1_STRING_set_by_NID
-to the
-.Fa mask
-argument.
-.Pp
-.Fn ASN1_STRING_set_default_mask_asc
-sets the global mask as follows:
-.Bl -column utf8only
-.It Ar maskname    Ta Ar mask
-.It Qo default  Qc Ta anything
-.It Qo nombstr  Qc Ta anything except Dv B_ASN1_BMPSTRING | B_ASN1_UTF8STRING
-.It Qo pkix     Qc Ta anything except Dv B_ASN1_T61STRING
-.It Qo utf8only Qc Ta Dv B_ASN1_UTF8STRING
-.El
-.Pp
-If the
-.Fa maskname
-argument starts with the substring
-.Qq MASK:\& ,
-the rest of it is interpreted as an
-.Vt unsigned long
-value using
-.Xr strtoul 3 .
-.Pp
-.Fn ASN1_tag2bit
-translates ASN.1 data types to type bits as follows:
-.Bl -column V_ASN1_OBJECT_DESCRIPTOR B_ASN1_UNIVERSALSTRING
-.It Fa tag                      Ta return value
-.It Dv V_ASN1_BIT_STRING        Ta Dv B_ASN1_BIT_STRING
-.It Dv V_ASN1_BMPSTRING         Ta Dv B_ASN1_BMPSTRING
-.It Dv V_ASN1_BOOLEAN           Ta 0
-.It Dv V_ASN1_ENUMERATED        Ta Dv B_ASN1_UNKNOWN
-.It Dv V_ASN1_EOC               Ta 0
-.It Dv V_ASN1_EXTERNAL          Ta Dv B_ASN1_UNKNOWN
-.It Dv V_ASN1_GENERALIZEDTIME   Ta Dv B_ASN1_GENERALIZEDTIME
-.It Dv V_ASN1_GENERALSTRING     Ta Dv B_ASN1_GENERALSTRING
-.It Dv V_ASN1_GRAPHICSTRING     Ta Dv B_ASN1_GRAPHICSTRING
-.It Dv V_ASN1_IA5STRING         Ta Dv B_ASN1_IA5STRING
-.It Dv V_ASN1_INTEGER           Ta 0
-.It Dv V_ASN1_ISO64STRING       Ta Dv B_ASN1_ISO64STRING
-.It Dv V_ASN1_NULL              Ta 0
-.It Dv V_ASN1_NUMERICSTRING     Ta Dv B_ASN1_NUMERICSTRING
-.It Dv V_ASN1_OBJECT            Ta 0
-.It Dv V_ASN1_OBJECT_DESCRIPTOR Ta Dv B_ASN1_UNKNOWN
-.It Dv V_ASN1_OCTET_STRING      Ta Dv B_ASN1_OCTET_STRING
-.It Dv V_ASN1_PRINTABLESTRING   Ta Dv B_ASN1_PRINTABLESTRING
-.It Dv V_ASN1_REAL              Ta Dv B_ASN1_UNKNOWN
-.It Dv V_ASN1_SEQUENCE          Ta Dv B_ASN1_SEQUENCE
-.It Dv V_ASN1_SET               Ta 0
-.It Dv V_ASN1_T61STRING         Ta Dv B_ASN1_T61STRING
-.It Dv V_ASN1_TELETEXSTRING     Ta Dv B_ASN1_TELETEXSTRING
-.It Dv V_ASN1_UNDEF             Ta 0
-.It Dv V_ASN1_UNIVERSALSTRING   Ta Dv B_ASN1_UNIVERSALSTRING
-.It Dv V_ASN1_UTCTIME           Ta Dv B_ASN1_UTCTIME
-.It Dv V_ASN1_UTF8STRING        Ta Dv B_ASN1_UTF8STRING
-.It Dv V_ASN1_VIDEOTEXSTRING    Ta Dv B_ASN1_VIDEOTEXSTRING
-.It Dv V_ASN1_VISIBLESTRING     Ta Dv B_ASN1_VISIBLESTRING
-.It 11, 13, 14, 15, 29          Ta Dv B_ASN1_UNKNOWN
-.It Dv other Po < 0, > 30 Pc    Ta Dv 0
-.El
-.Pp
-In typical usage, the calling code calculates the bitwise AND
-of the return value and a mask describing data types
-that the calling code is willing to use.
-If the result of the AND operation is non-zero, the data type is
-adequate; otherwise, the calling code may need to raise an error.
-.Sh RETURN VALUES
-.Fn ASN1_mbstring_copy
-and
-.Fn ASN1_mbstring_ncopy
-return the
-.Dv V_ASN1_*
-constant representing the output type or \-1 if
-.Fa inform
-is invalid, if
-.Fa inbytes
-or
-.Fa in
-is invalid for the
-.Fa inform
-encoding, if
-.Fa in
-contains an UTF-16 surrogate,
-which is unsupported even for input using the UTF-16 encoding,
-or if memory allocation fails.
-.Pp
-.Fn ASN1_mbstring_ncopy
-also returns \-1 if
-.Fa in
-contains fewer than
-.Fa minchars
-or more than
-.Fa maxchars
-characters.
-.Pp
-.Fn ASN1_STRING_set_by_NID
-returns the new or changed ASN.1 string object or
-.Dv NULL
-on failure.
-.Pp
-.Fn ASN1_STRING_set_default_mask_asc
-returns 1 if successful or 0 if
-.Qq MASK:\&
-is not followed by a number, if the number is followed by a non-numeric
-character, or if the
-.Fa maskname
-is invalid.
-.Pp
-.Fn ASN1_STRING_get_default_mask
-returns the global mask.
-.Pp
-.Fn ASN1_tag2bit
-returns a
-.Dv B_ASN1_*
-constant or 0.
-.Sh SEE ALSO
-.Xr ASN1_PRINTABLE_type 3 ,
-.Xr ASN1_STRING_new 3 ,
-.Xr ASN1_STRING_set 3 ,
-.Xr ASN1_STRING_TABLE_get 3 ,
-.Xr ASN1_UNIVERSALSTRING_to_string 3
-.Sh HISTORY
-.Fn ASN1_mbstring_copy ,
-.Fn ASN1_mbstring_ncopy ,
-.Fn ASN1_STRING_set_by_NID ,
-.Fn ASN1_STRING_set_default_mask ,
-.Fn ASN1_STRING_set_default_mask_asc ,
-and
-.Fn ASN1_STRING_get_default_mask
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-.Fn ASN1_tag2bit
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
-.Sh BUGS
-If integer overflow occurs in
-.Fn ASN1_STRING_set_default_mask_asc
-while parsing a number following
-.Qq MASK:\& ,
-the function succeeds, essentially behaving in the same way as for
-.Qq default .
-.Pp
-Passing
-.Qq default
-to
-.Fn ASN1_STRING_set_default_mask_asc
-does
-.Em not
-restore the default mask.
-Instead, passing
-.Qq utf8only
-does that.
diff --git a/src/lib/libcrypto/man/ASN1_parse_dump.3 b/src/lib/libcrypto/man/ASN1_parse_dump.3
deleted file mode 100644
index 50761f38aa..0000000000
--- a/src/lib/libcrypto/man/ASN1_parse_dump.3
+++ /dev/null
@@ -1,216 +0,0 @@
-.\" $OpenBSD: ASN1_parse_dump.3,v 1.3 2021/12/09 18:52:09 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 9 2021 $
-.Dt ASN1_PARSE_DUMP 3
-.Os
-.Sh NAME
-.Nm ASN1_parse_dump ,
-.Nm ASN1_parse
-.Nd parse BER and print information about it
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft int
-.Fo ASN1_parse_dump
-.Fa "BIO *bio"
-.Fa "const unsigned char *ber_in"
-.Fa "long length"
-.Fa "int indent"
-.Fa "int dump"
-.Fc
-.Ft int
-.Fo ASN1_parse
-.Fa "BIO *bio"
-.Fa "const unsigned char *ber_in"
-.Fa "long length"
-.Fa "int indent"
-.Fc
-.Sh DESCRIPTION
-.Fn ASN1_parse_dump
-parses BER-encoded values and prints information about them to
-.Fa bio .
-On function entry,
-.Pf * Fa ber_in
-is expected to point to the first identifier octet of an encoded value.
-At most
-.Fa length
-bytes are inspected.
-.Pp
-For each value successfully parsed, the following information is printed:
-.Bl -enum
-.It
-The index of its first identifier octet relative to
-.Fa ber_in
-as a decimal number followed by a colon.
-For the first value parsed and printed, this is
-.Qq 0:\& .
-.It
-The nesting depth as a decimal integer.
-For the first value parsed and printed, this is
-.Qq d=0 .
-.It
-The header length in bytes, including the identifier octets and the
-length octets, as a decimal integer.
-For example, for a boolean value, this is
-.Qq hl=2
-because the encoding of a boolean value contains
-one identifier octet (0x01) and one length octet (also 0x01,
-because one content octet follows after the header).
-.It
-If the value is encoded using the definite form for the length octets,
-the number encoded in the length octets as a decimal integer.
-This is the number of content octets that follow.
-For example, for a boolean value, this is
-.Qq l=1 .
-If the value is encoded using a length octet indicating the indefinite form,
-.Qq l=inf
-is printed instead.
-.It
-If the value is primitive,
-.Qq prim:\&
-is printed;
-if it is constructed,
-.Qq cons:\& .
-.It
-The next field depends on the class of the tag:
-.Bl -tag -width Ds
-.It Dv V_ASN1_PRIVATE
-.Qq priv
-followed by the decimal tag number in square brackets
-.It Dv V_ASN1_CONTEXT_SPECIFIC
-.Qq cont
-followed by the decimal tag number in square brackets
-.It Dv V_ASN1_APPLICATION
-.Qq appl
-followed by the decimal tag number in square brackets
-.It V_ASN1_UNIVERSAL
-If the tag number is 30 or less, the return value from
-.Xr ASN1_tag2str 3
-is printed; otherwise,
-.Qq <ASN1
-followed by the decimal tag number and a closing angle bracket.
-.El
-.El
-.Pp
-For constructed values, the contained values are recursively printed.
-.Pp
-Primitive values are processed as follows:
-.Bl -tag -width Ds
-.It Dv V_ASN1_BOOLEAN
-Its integer value is printed as a decimal number.
-.It Dv V_ASN1_INTEGER
-Decoded with
-.Xr d2i_ASN1_INTEGER 3 ,
-printed as a hexadecimal number with an even number of digits.
-.It Dv V_ASN1_ENUMERATED
-Decoded with
-.Xr d2i_ASN1_ENUMERATED 3 ,
-printed as a hexadecimal number with an even number of digits.
-.It Dv V_ASN1_OBJECT
-Decoded with
-.Xr d2i_ASN1_OBJECT 3 ,
-printed with
-.Xr i2a_ASN1_OBJECT 3 .
-.It Dv V_ASN1_OCTET_STRING
-Decoded with
-.Xr d2i_ASN1_OCTET_STRING 3 .
-If the data consists only of printable ASCII characters, line feeds,
-carriage returns and horizontal tabs, it is printed as an ASCII string.
-.Pp
-Otherwise, the
-.Fa dump
-argument decides the format.
-If it is zero, a raw hex dump is emitted, consisting of two hexadecimal
-digits for every data byte.
-If
-.Fa dump
-is non-zero,
-.Xr BIO_dump_indent 3
-is used.
-Unless
-.Fa dump
-is \-1, the data is truncated after
-.Fa dump
-bytes.
-.It Dv V_ASN1_PRINTABLESTRING
-Printed as an ASCII string.
-The same applies to
-.Dv V_ASN1_IA5STRING ,
-.Dv V_ASN1_T61STRING ,
-.Dv V_ASN1_NUMERICSTRING ,
-.Dv V_ASN1_VISIBLESTRING ,
-.Dv V_ASN1_UTF8STRING ,
-.Dv V_ASN1_UTCTIME ,
-and
-.Dv V_ASN1_GENERALIZEDTIME .
-.It Other tags
-If the
-.Fa dump
-argument is 0, their data is silently ignored.
-If
-.Fa dump
-is non-zero,
-.Xr BIO_dump_indent 3
-is used.
-Unless
-.Fa dump
-is \-1, the data is truncated after
-.Fa dump
-bytes.
-.El
-.Pp
-.Fn ASN1_parse
-is identical to
-.Fn ASN1_parse_dump
-with 0 passed as the
-.Fa dump
-argument.
-.Sh RETURN VALUES
-These functions return 1 for success or 0 for failure.
-.Pp
-In particular, they print an error message to
-.Fa bio ,
-abort parsing and printing, and return 0
-when parsing or decoding fails, when a recursive call fails,
-when encountering a value extending beyond
-.Fa length ,
-or when encountering a nesting level in excess of 128.
-They also abort parsing and printing and return 0
-when any printing operation fails.
-.Sh SEE ALSO
-.Xr ASN1_get_object 3 ,
-.Xr ASN1_item_d2i 3 ,
-.Xr ASN1_item_new 3 ,
-.Xr ASN1_STRING_print 3 ,
-.Xr ASN1_TYPE_new 3
-.Sh STANDARDS
-ITU-T Recommendation X.690, also known as ISO/IEC 8825-1:
-Information technology - ASN.1 encoding rules:
-Specification of Basic Encoding Rules (BER), Canonical Encoding
-Rules (CER) and Distinguished Encoding Rules (DER),
-section 8.1: General rules for encoding
-.Sh HISTORY
-.Fn ASN1_parse
-first appeared in SSLeay 0.5.1 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn ASN1_parse_dump
-first appeared in OpenSSL 0.9.6 and has been available since
-.Ox 2.9 .
-.Sh BUGS
-The content of values tagged as
-.Dv V_ASN1_BMPSTRING
-is silently ignored and none of it is printed.
diff --git a/src/lib/libcrypto/man/ASN1_put_object.3 b/src/lib/libcrypto/man/ASN1_put_object.3
deleted file mode 100644
index 97a352724c..0000000000
--- a/src/lib/libcrypto/man/ASN1_put_object.3
+++ /dev/null
@@ -1,226 +0,0 @@
-.\" $OpenBSD: ASN1_put_object.3,v 1.5 2022/01/12 17:54:51 tb Exp $
-.\"
-.\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: January 12 2022 $
-.Dt ASN1_PUT_OBJECT 3
-.Os
-.Sh NAME
-.Nm ASN1_put_object ,
-.Nm ASN1_put_eoc ,
-.Nm ASN1_object_size
-.Nd start and end the BER encoding of an arbitrary ASN.1 data element
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft void
-.Fo ASN1_put_object
-.Fa "unsigned char **ber_out"
-.Fa "int constructed"
-.Fa "int content_length"
-.Fa "int tag"
-.Fa "int class"
-.Fc
-.Ft int
-.Fo ASN1_put_eoc
-.Fa "unsigned char **ber_out"
-.Fc
-.Ft int
-.Fo ASN1_object_size
-.Fa "int constructed"
-.Fa "int content_length"
-.Fa "int tag"
-.Fc
-.Sh DESCRIPTION
-.Fn ASN1_put_object
-begins writing the BER encoding of an arbitrary ASN.1 data element
-to the buffer
-.Pf * ber_out
-by writing the identifier and the length bytes.
-Making sure that there is sufficient space in the buffer
-is the responsibility of the caller.
-This function does not write any content bytes
-nor any end-of-content bytes.
-.Pp
-The tag
-.Fa class
-can be
-.Dv V_ASN1_UNIVERSAL ,
-.Dv V_ASN1_APPLICATION ,
-.Dv V_ASN1_CONTEXT_SPECIFIC ,
-or
-.Dv V_ASN1_PRIVATE
-and is written to the two most significant bits of the first byte written.
-.Pp
-The
-.Fa constructed
-argument can have the following values:
-.Bl -tag -width 1n -offset 2n -compact
-.It 0
-Start a primitive value by setting the third most significant bit
-of the first byte written to 0.
-Always use the definite form.
-.It 1
-Start a constructed value by setting the third most significant bit
-of the first byte written to 1, and use the definite form.
-.It 2
-Start a constructed value and use the indefinite form,
-.El
-.Pp
-If the
-.Fa tag
-is less than
-.Dv V_ASN1_PRIMITIVE_TAG Pq = 0x1f ,
-it is written to the five least significant bits
-of the only identifier byte written.
-Otherwise, these five bits are all set to 1, and the
-.Fa tag
-is encoded in one or more following identifier bytes as needed.
-.Pp
-After completing the identifier byte(s),
-when using the definite form, the given
-.Fa content_length
-is encoded in one or more bytes as needed,
-using the long form if and only if the
-.Fa content_length
-is greater than 127.
-When using the indefinite form,
-the special byte 0x80 is written instead and the
-.Fa content_length
-argument is ignored.
-.Pp
-At the end,
-.Pf * Fa ber_out
-is set to the byte following the last byte written.
-The calling code can then start writing content bytes.
-.Pp
-If the indefinite form was selected,
-the calling code is also responsible for calling
-.Fn ASN1_put_eoc
-which writes an end-of-content marker to
-.Pf * Fa ber_out ,
-consisting of two NUL bytes, and advances
-.Pf * Fa ber_out
-by two bytes.
-.Pp
-.Fn ASN1_object_size
-calculates the total length in bytes of the BER encoding
-of an ASN.1 data element with the given
-.Fa tag
-and the number of content bytes given by
-.Fa content_length .
-The
-.Fa constructed
-argument has the same meaning as for
-.Fn ASN1_put_object .
-The return value includes the identifier, length, and content bytes.
-If
-.Fa constructed
-is 2, it also includes the end-of-content bytes.
-For the definite form, only the short form is supported if the
-.Fa content_length
-is less than 128.
-.Sh RETURN VALUES
-.Fn ASN1_put_eoc
-returns the number of bytes written, which is always 2.
-.Pp
-.Fn ASN1_object_size
-returns the total number of bytes in the encoding of the data element.
-.Sh SEE ALSO
-.Xr ASN1_item_i2d 3 ,
-.Xr ASN1_TYPE_get 3 ,
-.Xr i2d_ASN1_NULL 3 ,
-.Xr i2d_ASN1_OBJECT 3 ,
-.Xr i2d_ASN1_OCTET_STRING 3 ,
-.Xr i2d_ASN1_SEQUENCE_ANY 3
-.Sh STANDARDS
-ITU-T Recommendation X.690, also known as ISO/IEC 8825-1:
-Information technology - ASN.1 encoding rules:
-Specification of Basic Encoding Rules (BER), Canonical Encoding
-Rules (CER) and Distinguished Encoding Rules (DER),
-section 8.1: General rules for encoding
-.Sh HISTORY
-.Fn ASN1_put_object
-and
-.Fn ASN1_object_size
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn ASN1_put_eoc
-first appeared in OpenSSL 0.9.8 and has been available since
-.Ox 4.5 .
-.Sh CAVEATS
-None of these functions do any sanity checking.
-When called in inconsistent ways, invalid content may result in
-.Pf * Fa ber_out ,
-for example
-.Bl -dash -compact
-.It
-a
-.Fa tag
-number less than
-.Dv V_ASN1_PRIMITIVE_TAG
-with a
-.Fa class
-other than
-.Dv V_ASN1_UNIVERSAL
-.It
-a
-.Fa tag
-number equal to
-.Dv V_ASN1_EOC Pq 0x00
-or
-.Dv V_ASN1_PRIMITIVE_TAG Pq 0x1f
-.It
-a
-.Vt BOOLEAN ,
-.Vt INTEGER ,
-.Vt NULL
-etc. with the
-.Fa constructed
-bit set
-.It
-a
-.Vt SEQUENCE
-or
-.Vt SET
-etc. without the
-.Fa constructed
-bit set
-.It
-a
-.Fa content_length
-that makes no sense for the given
-.Fa tag
-.It
-a
-.Fa content_length
-that disagrees with the following data
-.It
-a
-.Vt BOOLEAN ,
-.Vt INTEGER ,
-.Vt NULL
-etc. in indefinite form
-.It
-an end-of-content marker even though no indefinite form was started
-.It
-\&...
-.El
-.Pp
-If the calling code wants to find out how many bytes were written,
-it needs to save a copy of the pointer
-.Pf * Fa ber_out
-before calling
-.Fn ASN1_put_object .
diff --git a/src/lib/libcrypto/man/ASRange_new.3 b/src/lib/libcrypto/man/ASRange_new.3
deleted file mode 100644
index dc58c98e58..0000000000
--- a/src/lib/libcrypto/man/ASRange_new.3
+++ /dev/null
@@ -1,410 +0,0 @@
-.\" $OpenBSD: ASRange_new.3,v 1.8 2023/10/11 12:06:11 tb Exp $
-.\"
-.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 11 2023 $
-.Dt ASRANGE_NEW 3
-.Os
-.Sh NAME
-.Nm ASRange_new ,
-.Nm ASRange_free ,
-.Nm d2i_ASRange ,
-.Nm i2d_ASRange ,
-.Nm ASIdOrRange_new ,
-.Nm ASIdOrRange_free ,
-.Nm d2i_ASIdOrRange ,
-.Nm i2d_ASIdOrRange ,
-.Nm ASIdentifierChoice_new ,
-.Nm ASIdentifierChoice_free ,
-.Nm d2i_ASIdentifierChoice ,
-.Nm i2d_ASIdentifierChoice
-.Nd RFC 3779 autonomous system identifiers and ranges
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft "ASRange *"
-.Fn ASRange_new void
-.Ft void
-.Fn ASRange_free "ASRange *asrange"
-.Ft ASRange *
-.Fo d2i_ASRange
-.Fa "ASRange **asrange"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASRange
-.Fa "ASRange *asrange"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft "ASIdOrRange *"
-.Fn ASIdOrRange_new void
-.Ft void
-.Fn ASIdOrRange_free "ASIdOrRange *aor"
-.Ft ASIdOrRange *
-.Fo d2i_ASIdOrRange
-.Fa "ASIdOrRange **aor"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASIdOrRange
-.Fa "ASIdOrRange *aor"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft "ASIdentifierChoice *"
-.Fn ASIdentifierChoice_new void
-.Ft void
-.Fn ASIdentifierChoice_free "ASIdentifierChoice *aic"
-.Ft ASIdentifierChoice *
-.Fo d2i_ASIdentifierChoice
-.Fa "ASIdentifierChoice **aic"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASIdentifierChoice
-.Fa "ASIdentifierChoice *aic"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-.Vt ASRange ,
-.Vt ASIdOrRange ,
-and
-.Vt ASIdentifierChoice
-are building blocks of the
-.Vt ASIdentifiers
-type representing the RFC 3779
-autonomous system identifier delegation extension.
-.Pp
-All
-.Vt ASN1_INTEGER Ns s
-in this manual must be representable as unsigned 32-bit integers.
-The API performs no corresponding checks.
-An
-.Vt ASN1_INTEGER
-can be set using
-.Xr ASN1_INTEGER_set_uint64 3 .
-.Pp
-The
-.Vt ASRange
-type defined in RFC 3779 section 3.2.3.8 is implemented as
-.Bd -literal -offset indent
-typedef struct ASRange_st {
-        ASN1_INTEGER *min;
-        ASN1_INTEGER *max;
-} ASRange;
-.Ed
-.Pp
-It represents the closed range [min,max] of AS identifiers between
-.Fa min
-and
-.Fa max ,
-where
-.Fa min
-should be strictly smaller than
-.Fa max .
-.Pp
-.Fn ASRange_new
-allocates a new
-.Vt ASRange
-object with allocated, empty
-.Fa min
-and
-.Fa max ,
-thus representing the invalid range [0,0].
-.Pp
-.Fn ASRange_free
-frees
-.Fa asrange
-including any data contained in it.
-If
-.Fa asrange
-is
-.Dv NULL ,
-no action occurs.
-.Pp
-The
-.Vt ASIdOrRange
-type defined in RFC 3779 section 3.2.3.5 is implemented as
-.Bd -literal -offset indent
-typedef struct ASIdOrRange_st {
-        int type;
-        union {
-                ASN1_INTEGER *id;
-                ASRange *range;
-        } u;
-} ASIdOrRange;
-.Ed
-.Pp
-representing an individual AS identifier or a range.
-When populating an
-.Vt ASIdOrRange
-object by hand, its
-.Fa type
-should be set to
-.Dv ASIdOrRange_id
-or
-.Dv ASIdOrRange_range
-to indicate which member of the union
-.Fa u
-is valid.
-.Pp
-.Fn ASIdOrRange_new
-returns a new
-.Vt ASIdOrRange
-object with invalid type and
-.Dv NULL
-members of the union
-.Fa u .
-.Pp
-.Fn ASIdOrRange_free
-frees
-.Fa aor
-including any data contained in it,
-provided
-.Fa type
-is set correctly.
-If
-.Fa asrange
-is
-.Dv NULL ,
-no action occurs.
-.Pp
-In order to express a list of AS identifiers and ranges,
-RFC 3779 section 3.2.3.4
-uses an ASN.1 SEQUENCE,
-which is implemented via a
-.Xr STACK_OF 3
-construction over
-.Vt ASIdOrRange :
-.Bd -literal -offset indent
-typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
-.Ed
-.Pp
-Since an
-.Vt ASIdOrRanges
-object should be sorted in a specific way (see
-.Xr X509v3_asid_canonize 3 Ns ),
-a comparison function is needed for a correct instantiation
-with
-.Xr sk_new 3 .
-The
-.Fn ASIdOrRange_cmp
-function is not directly exposed and not easily accessible
-from outside the library,
-and it is non-trivial to implement.
-It is therefore discouraged to use
-.Vt ASIdOrRanges
-objects that are not part of an
-.Vt ASIdentifiers
-object.
-.Pp
-The
-.Dq inherit
-marker from RFC 3779 section 3.2.3.3 is implemented as
-.Vt ASN1_NULL .
-It has no dedicated type or API and can be instantiated with
-.Xr ASN1_NULL_new 3 .
-.Pp
-The
-.Vt ASIdentifierChoice
-type defined in RFC 3779 section 3.2.3.2 is implemented as
-.Bd -literal -offset indent
-typedef struct ASIdentifierChoice_st {
-        int type;
-        union {
-                ASN1_NULL *inherit;
-                ASIdOrRanges *asIdsOrRanges;
-        } u;
-} ASIdentifierChoice;
-.Ed
-.Pp
-where the
-.Fa type
-member should be set to
-.Dv ASIdentifierChoice_inherit
-or
-.Dv ASIdentifierChoice_asIdsOrRanges
-to indicate whether a given
-.Vt ASIdentifierChoice
-object represents an inherited list or an explicit list.
-.Pp
-.Fn ASIdentifierChoice_new
-returns a new
-.Vt ASIdentifierChoice
-object with invalid type and
-.Dv NULL
-members of the union
-.Fa u .
-.Pp
-.Fn ASIdentifierChoice_free
-frees
-.Fa aic
-including any data contained in it,
-provided
-.Fa type
-is set correctly.
-.Pp
-The
-.Vt ASIdentifiers
-type defined in RFC 3779 section 3.2.3.1 is implemented as
-.Bd -literal -offset indent
-typedef struct ASIdentifiers_st {
-        ASIdentifierChoice *asnum;
-        ASIdentifierChoice *rdi;
-} ASIdentifiers;
-.Ed
-.Pp
-It should be instantiated with
-.Xr ASIdentifiers_new 3
-and populated with
-.Xr X509v3_asid_add_id_or_range 3 .
-.Pp
-.Fn d2i_ASRange ,
-.Fn i2d_ASRange ,
-.Fn d2i_ASIdOrRange ,
-.Fn i2d_ASIdOrRange ,
-.Fn d2i_ASIdentifierChoice ,
-and
-.Fn i2d_ASIdentifierChoice
-decode and encode ASN.1
-.Vt ASRange ,
-.Vt ASIdOrRange ,
-and
-.Vt ASIdentifierChoice
-objects.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-In order for the encoding produced by
-.Fn i2d_ASRange
-to be correct,
-.Fa min
-must be strictly less than
-.Fa max .
-Similarly for
-.Fn i2d_ASIdOrRange
-and an
-.Fa ASIdOrRange
-object of
-.Fa type
-.Dv ASIdOrRange_range .
-.Sh RETURN VALUES
-.Fn ASRange_new
-returns a new
-.Vt ASRange
-object with allocated, empty members, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn ASIdOrRange_new
-returns a new, empty
-.Vt ASIdOrRange
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn ASIdentifierChoice_new
-returns a new, empty
-.Vt ASIdentifierChoice
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-The decoding functions
-.Fn d2i_ASRange ,
-.Fn d2i_ASIdOrRange ,
-and
-.Fn d2i_ASIdentifierChoice
-return an
-.Vt ASRange ,
-an
-.Vt ASIdOrRange ,
-or an
-.Vt ASIdentifierChoice ,
-object, respectively,
-or
-.Dv NULL
-if an error occurs.
-.Pp
-The encoding functions
-.Fn i2d_ASRange ,
-.Fn i2d_ASIdOrRange ,
-and
-.Fn i2d_ASIdentifierChoice
-return the number of bytes successfully encoded
-or a value <= 0 if an error occurs.
-.Sh SEE ALSO
-.Xr ASIdentifiers_new 3 ,
-.Xr ASN1_INTEGER_set_uint64 3 ,
-.Xr crypto 3 ,
-.Xr IPAddressRange_new 3 ,
-.Xr s2i_ASN1_INTEGER 3 ,
-.Xr STACK_OF 3 ,
-.Xr X509_new 3 ,
-.Xr X509v3_asid_add_id_or_range 3
-.Sh STANDARDS
-RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
-.Bl -dash -compact
-.It
-section 3.2.3: Syntax
-.It
-section 3.2.3.1: Type ASIdentifiers
-.It
-section 3.2.3.2: Elements asnum, rdi, and Type ASIdentifierChoice
-.It
-section 3.2.3.3: Element inherit
-.It
-section 3.2.3.4: Element asIdsOrRanges
-.It
-section 3.2.3.5: Type ASIdOrRange
-.It
-section 3.2.3.6: Element id
-.It
-section 3.2.3.7: Element range
-.It
-section 3.2.3.8: Type ASRange
-.It
-section 3.2.3.9: Elements min and max
-.El
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8e
-and have been available since
-.Ox 7.1 .
-.Sh BUGS
-An
-.Fn ASIdOrRanges_new
-function that installs the correct comparison function
-on the stack of
-.Vt ASIdOrRange
-should have been part of the API to make it usable.
-.Pp
-.Fn ASIdentifierChoice_new
-is of very limited use because
-.Fn ASIdOrRanges_new
-is missing.
-.Pp
-There is no way of ensuring that an
-.Vt ASIdOrRanges
-object is in canonical form unless it is part of an
-.Vt ASIdentifiers
-object.
-It is therefore difficult to guarantee that the output of
-.Fn i2d_ASIdentifierChoice
-is conformant.
-.Pp
-RFC 3779 3.2.3.4 has
-.Dq Fa asIdsOrRanges
-while its type in this implementation is
-.Vt ASIdOrRanges .
diff --git a/src/lib/libcrypto/man/AUTHORITY_KEYID_new.3 b/src/lib/libcrypto/man/AUTHORITY_KEYID_new.3
deleted file mode 100644
index bff451ff36..0000000000
--- a/src/lib/libcrypto/man/AUTHORITY_KEYID_new.3
+++ /dev/null
@@ -1,73 +0,0 @@
-.\"     $OpenBSD: AUTHORITY_KEYID_new.3,v 1.4 2019/06/06 01:06:58 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 6 2019 $
-.Dt AUTHORITY_KEYID_NEW 3
-.Os
-.Sh NAME
-.Nm AUTHORITY_KEYID_new ,
-.Nm AUTHORITY_KEYID_free
-.Nd X.509 authority key identifier extension
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft AUTHORITY_KEYID *
-.Fn AUTHORITY_KEYID_new void
-.Ft void
-.Fn AUTHORITY_KEYID_free "AUTHORITY_KEYID *id"
-.Sh DESCRIPTION
-Using the authority key identifier extension, an X.509 certificate
-or certificate revocation list can specify which key pair was used
-for signing it.
-.Pp
-.Fn AUTHORITY_KEYID_new
-allocates and initializes an empty
-.Vt AUTHORITY_KEYID
-object, representing an ASN.1
-.Vt AuthorityKeyIdentifier
-structure defined in RFC 5280 section 4.2.1.1.
-It can hold an issuer name, a serial number, and a key identifier.
-.Pp
-.Fn AUTHORITY_KEYID_free
-frees
-.Fa id .
-.Sh RETURN VALUES
-.Fn AUTHORITY_KEYID_new
-returns the new
-.Vt AUTHORITY_KEYID
-object or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr d2i_AUTHORITY_KEYID 3 ,
-.Xr GENERAL_NAMES_new 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile:
-.Bl -dash -compact
-.It
-section 4.2.1.1: Certificate Extensions: Authority Key Identifier
-.It
-section 5.2.1: CRL Extensions: Authority Key Identifier
-.El
-.Sh HISTORY
-.Fn AUTHORITY_KEYID_new
-and
-.Fn AUTHORITY_KEYID_free
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3 b/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
deleted file mode 100644
index e60b0d223c..0000000000
--- a/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
+++ /dev/null
@@ -1,89 +0,0 @@
-.\" $OpenBSD: BASIC_CONSTRAINTS_new.3,v 1.6 2021/10/27 11:24:47 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 27 2021 $
-.Dt BASIC_CONSTRAINTS_NEW 3
-.Os
-.Sh NAME
-.Nm BASIC_CONSTRAINTS_new ,
-.Nm BASIC_CONSTRAINTS_free
-.Nd X.509 extension to mark CA certificates
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft BASIC_CONSTRAINTS *
-.Fn BASIC_CONSTRAINTS_new void
-.Ft void
-.Fn BASIC_CONSTRAINTS_free "BASIC_CONSTRAINTS *bc"
-.Sh DESCRIPTION
-.Fn BASIC_CONSTRAINTS_new
-allocates and initializes an empty
-.Vt BASIC_CONSTRAINTS
-object, representing an ASN.1
-.Vt BasicConstraints
-structure defined in RFC 5280 section 4.2.1.9.
-.Pp
-This object contains two fields.
-The field
-.Fa "int ca"
-is non-zero if the certificate is a CA certificate.
-The field
-.Fa "ASN1_INTEGER *pathlen"
-specifies the maximum number of non-self-issued intermediate
-certificates that may follow this certificate in a valid
-certification path.
-.Pp
-If an X.509 version 3 certificate does not contain this extension
-or if the
-.Fa ca
-field of the
-.Vt BASIC_CONSTRAINTS
-object is 0, or if the certificate contains a key usage extension
-having the
-.Dv KU_KEY_CERT_SIGN
-bit unset, then it is not a CA certificate but an end entity
-certificate.
-.Pp
-.Fn BASIC_CONSTRAINTS_free
-frees
-.Fa bc .
-.Sh RETURN VALUES
-.Fn BASIC_CONSTRAINTS_new
-returns the new
-.Vt BASIC_CONSTRAINTS
-object or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr d2i_BASIC_CONSTRAINTS 3 ,
-.Xr X509_check_purpose 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_get_extension_flags 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile:
-.Bl -dash -compact
-.It
-section 4.2.1.9: Basic Constraints
-.It
-section 6.1: Basic Path Validation
-.El
-.Sh HISTORY
-.Fn BASIC_CONSTRAINTS_new
-and
-.Fn BASIC_CONSTRAINTS_free
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/BF_set_key.3 b/src/lib/libcrypto/man/BF_set_key.3
deleted file mode 100644
index 5f4c7a689b..0000000000
--- a/src/lib/libcrypto/man/BF_set_key.3
+++ /dev/null
@@ -1,269 +0,0 @@
-.\"     $OpenBSD: BF_set_key.3,v 1.12 2023/08/05 18:27:55 jmc Exp $
-.\"     OpenSSL 99d63d46 Jul 19 09:27:53 2016 -0400
-.\"
-.\" This file was written by Richard Levitte <levitte@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2005, 2014, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 5 2023 $
-.Dt BF_SET_KEY 3
-.Os
-.Sh NAME
-.Nm BF_set_key ,
-.Nm BF_encrypt ,
-.Nm BF_decrypt ,
-.Nm BF_ecb_encrypt ,
-.Nm BF_cbc_encrypt ,
-.Nm BF_cfb64_encrypt ,
-.Nm BF_ofb64_encrypt
-.Nd Blowfish encryption
-.Sh SYNOPSIS
-.In openssl/blowfish.h
-.Ft void
-.Fo BF_set_key
-.Fa "BF_KEY *key"
-.Fa "int len"
-.Fa "const unsigned char *data"
-.Fc
-.Ft void
-.Fo BF_encrypt
-.Fa "BF_LONG *data"
-.Fa "const BF_KEY *key"
-.Fc
-.Ft void
-.Fo BF_decrypt
-.Fa "BF_LONG *data"
-.Fa "const BF_KEY *key"
-.Fc
-.Ft void
-.Fo BF_ecb_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "BF_KEY *key"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo BF_cbc_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "long length"
-.Fa "BF_KEY *schedule"
-.Fa "unsigned char *ivec"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo BF_cfb64_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "long length"
-.Fa "BF_KEY *schedule"
-.Fa "unsigned char *ivec"
-.Fa "int *num"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo BF_ofb64_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "long length"
-.Fa "BF_KEY *schedule"
-.Fa "unsigned char *ivec"
-.Fa "int *num"
-.Fc
-.Sh DESCRIPTION
-This library implements the Blowfish cipher,
-which was invented and defined by
-.An Counterpane .
-Note that applications should use higher level functions such as
-.Xr EVP_EncryptInit 3
-instead of calling the Blowfish functions directly.
-.Pp
-Blowfish is a block cipher that operates on 64-bit (8 byte) blocks of data.
-It uses a variable size key, but typically, 128-bit (16 byte) keys
-are considered good for strong encryption.
-Blowfish can be used in the same modes as DES
-and is currently one of the faster block ciphers.
-It is quite a bit faster than DES, and much faster than IDEA or RC2.
-.Pp
-Blowfish consists of a key setup phase
-and the actual encryption or decryption phase.
-.Pp
-.Fn BF_set_key
-sets up the
-.Vt BF_KEY
-.Fa key
-using the
-.Fa len
-bytes long key at
-.Fa data .
-.Pp
-.Fn BF_ecb_encrypt
-is the basic Blowfish encryption and decryption function.
-It encrypts or decrypts the first 64 bits of
-.Fa in
-using the key
-.Fa key ,
-putting the result in
-.Fa out .
-.Fa enc
-decides if encryption
-.Pq Dv BF_ENCRYPT
-or decryption
-.Pq Dv BF_DECRYPT
-shall be performed.
-The vector pointed at by
-.Fa in
-and
-.Fa out
-must be 64 bits in length, no less.
-If they are larger, everything after the first 64 bits is ignored.
-.Pp
-The mode functions
-.Fn BF_cbc_encrypt ,
-.Fn BF_cfb64_encrypt ,
-and
-.Fn BF_ofb64_encrypt
-all operate on variable length data.
-They all take an initialization vector
-.Fa ivec
-which needs to be passed along into the next call of the same function
-for the same message.
-.Fa ivec
-may be initialized with anything, but the recipient needs to know what
-it was initialized with, or it won't be able to decrypt.
-Some programs and protocols simplify this, like SSH, where
-.Fa ivec
-is simply initialized to zero.
-.Fn BF_cbc_encrypt
-operates on data that is a multiple of 8 bytes long, while
-.Fn BF_cfb64_encrypt
-and
-.Fn BF_ofb64_encrypt
-are used to encrypt a variable number of bytes (the amount
-does not have to be an exact multiple of 8).
-The purpose of the latter two is to simulate stream ciphers and,
-therefore, they need the parameter
-.Fa num ,
-which is a pointer to an integer where the current offset in
-.Fa ivec
-is stored between calls.
-This integer must be initialized to zero when
-.Fa ivec
-is initialized.
-.Pp
-.Fn BF_cbc_encrypt
-is the Cipher Block Chaining function for Blowfish.
-It encrypts or decrypts the 64-bit chunks of
-.Fa in
-using the key
-.Fa schedule ,
-putting the result in
-.Fa out .
-.Fa enc
-decides if encryption
-.Pq Dv BF_ENCRYPT
-or decryption
-.Pq Dv BF_DECRYPT
-shall be performed.
-.Fa ivec
-must point at an 8-byte long initialization vector.
-.Pp
-.Fn BF_cfb64_encrypt
-is the CFB mode for Blowfish with 64-bit feedback.
-It encrypts or decrypts the bytes in
-.Fa in
-using the key
-.Fa schedule ,
-putting the result in
-.Fa out .
-.Fa enc
-decides if encryption
-.Pq Dv BF_ENCRYPT
-or decryption
-.Pq Dv BF_DECRYPT
-shall be performed.
-.Fa ivec
-must point at an
-8-byte long initialization vector.
-.Fa num
-must point at an integer which must be initially zero.
-.Pp
-.Fn BF_ofb64_encrypt
-is the OFB mode for Blowfish with 64-bit feedback.
-It uses the same parameters as
-.Fn BF_cfb64_encrypt ,
-which must be initialized the same way.
-.Pp
-.Fn BF_encrypt
-and
-.Fn BF_decrypt
-are the lowest level functions for Blowfish encryption.
-They encrypt/decrypt the first 64 bits of the vector pointed by
-.Fa data ,
-using the key
-.Fa key .
-These functions should not be used unless implementing `modes' of Blowfish.
-The alternative is to use
-.Fn BF_ecb_encrypt .
-Be aware that these functions take each 32-bit chunk in host-byte order,
-which is little-endian on little-endian platforms
-and big-endian on big-endian ones.
-.Sh SEE ALSO
-.Xr EVP_EncryptInit 3
-.Sh HISTORY
-.Fn BF_set_key ,
-.Fn BF_encrypt ,
-.Fn BF_ecb_encrypt ,
-.Fn BF_cbc_encrypt ,
-.Fn BF_cfb64_encrypt ,
-and
-.Fn BF_ofb64_encrypt
-first appeared in SSLeay 0.6.6.
-.Fn BF_decrypt
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/BIO_accept.3 b/src/lib/libcrypto/man/BIO_accept.3
deleted file mode 100644
index e2547ac0dd..0000000000
--- a/src/lib/libcrypto/man/BIO_accept.3
+++ /dev/null
@@ -1,387 +0,0 @@
-.\" $OpenBSD: BIO_accept.3,v 1.2 2023/04/30 13:38:48 schwarze Exp $
-.\"
-.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: April 30 2023 $
-.Dt BIO_ACCEPT 3
-.Os
-.Sh NAME
-.\" mentioned in OpenSSL documentation and still used internally in LibreSSL
-.Nm BIO_get_host_ip ,
-.Nm BIO_get_port ,
-.Nm BIO_get_accept_socket ,
-.Nm BIO_accept ,
-.Nm BIO_sock_error ,
-.Nm BIO_sock_non_fatal_error ,
-.Nm BIO_sock_should_retry ,
-.\" used internally in LibreSSL and OpenSSL and not deprecated in OpenSSL
-.Nm BIO_socket_nbio ,
-.\" mentioned in OpenSSL documentation and not deprecated in OpenSSL
-.Nm BIO_set_tcp_ndelay
-.\" deprecated in OpenSSL and unused anywhere, hence intentionally undocumented
-.\" .Nm BIO_gethostbyname
-.\" .Nm BIO_GHBN_CTRL_CACHE_SIZE
-.\" .Nm BIO_GHBN_CTRL_FLUSH
-.\" .Nm BIO_GHBN_CTRL_GET_ENTRY
-.\" .Nm BIO_GHBN_CTRL_HITS
-.\" .Nm BIO_GHBN_CTRL_MISSES
-.\" .Nm BIO_socket_ioctl
-.\" does almost nothing and used very rarely, hence intentionally undocumented
-.\" .Nm BIO_sock_init
-.\" .Nm BIO_sock_cleanup
-.Nd wrappers for socket operations
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft int
-.Fo BIO_get_host_ip
-.Fa "const char *hostname"
-.Fa "unsigned char *in_addr_buffer"
-.Fc
-.Ft int
-.Fo BIO_get_port
-.Fa "const char *servname"
-.Fa "unsigned short *port"
-.Fc
-.Ft int
-.Fo BIO_get_accept_socket
-.Fa "char *host_port"
-.Fa "int bind_mode"
-.Fc
-.Ft int
-.Fo BIO_accept
-.Fa "int socket"
-.Fa "char **addr"
-.Fc
-.Ft int
-.Fn BIO_sock_error "int socket"
-.Ft int
-.Fn BIO_sock_non_fatal_error "int errnum"
-.Ft int
-.Fn BIO_sock_should_retry "int retval"
-.Ft int
-.Fn BIO_socket_nbio "int socket" "int mode"
-.Ft int
-.Fn BIO_set_tcp_ndelay "int socket" "int on"
-.Sh DESCRIPTION
-.Fn BIO_get_host_ip
-looks up one IPv4 address for the given
-.Fa hostname
-using
-.Xr getaddrinfo 3
-and writes the first returned IPv4 address into
-.Pf * Fa in_addr_buffer .
-The caller is responsible for providing a buffer that is at least
-.Fn sizeof in_addr_t
-bytes long.
-After a successful call, the caller needs to cast
-.Fa in_addr_buffer
-to
-.Pq Vt in_addr_t * .
-.Pp
-.Fn BIO_get_port
-looks up
-.Fa servname
-in the
-.Xr services 5
-database using
-.Xr getaddrinfo 3
-and stores the associated port number at the location specified by the
-.Fa port
-argument.
-.Pp
-.Fn BIO_get_accept_socket
-creates an IPv4 TCP socket and
-.Xr listen 2 Ns s
-for incoming connections.
-The string
-.Fa host_port
-is parsed.
-If it contains a colon, the substring before the colon is interpreted
-as a local hostname of the interface to
-.Xr bind 2
-to.
-If the hostname is empty, consists of a single asterisk
-.Pq Qq *:... ,
-or if there is no colon,
-.Dv INADDR_ANY
-is used instead of a local hostname.
-The rest of the string
-.Fa host_port ,
-or the whole string if it contains no colon,
-is treated as a service name.
-The hostname and the service name are converted to a local IP address
-and port number using
-.Xr getaddrinfo 3 .
-If
-.Fa bind_mode
-is the constant
-.Dv BIO_BIND_REUSEADDR ,
-allowing local address reuse is attempted using
-.Xr setsockopt 2
-with an argument of
-.Dv SO_REUSEADDR
-before calling
-.Xr bind 2 .
-.Pp
-.Fn BIO_accept
-calls
-.Xr accept 2
-to receive one connection on the
-.Fa socket .
-When it receives a connection, it
-.Xr free 3 Ns s
-.Pf * Fa addr ,
-and if it is an IPv4 connection, it allocates a new string,
-writes the peer IP address in dotted decimal form, a colon,
-and the decimal port number into the string, and stores a pointer
-to the string in
-.Pf * Fa addr .
-For other address families or if
-.Xr getnameinfo 3
-or memory allocation fails,
-.Pf * Fa addr
-is set to
-.Dv NULL
-but
-.Fn BIO_accept
-succeeds anyway.
-.Pp
-.Fn BIO_sock_error
-retrieves, clears, and returns the error status code of the
-.Fa socket
-by calling
-.Xr getsockopt 2
-with arguments
-.Dv SOL_SOCKET
-and
-.Dv SO_ERROR .
-.Pp
-.Fn BIO_sock_non_fatal_error
-determines whether the error status code
-.Fa errnum
-represents a recoverable error.
-.Pp
-.Fn BIO_sock_should_retry
-determines whether a recoverable error occurred by inspecting both
-.Xr errno 2
-and
-.Fa retval ,
-which is supposed to usually be
-the return value of a previously called function like
-.Fn BIO_accept ,
-.Xr BIO_read 3 ,
-or
-.Xr BIO_write 3 .
-.Pp
-If
-.Fa mode
-is non-zero,
-.Fn BIO_socket_nbio
-switches the
-.Fa socket
-to non-blocking mode using
-.Xr fcntl 2 .
-If
-.Fa mode
-is 0, it switches to blocking mode.
-.Pp
-.Fn BIO_set_tcp_ndelay
-sets the
-.Dv TCP_NODELAY
-option on the
-.Fa socket
-if
-.Fa on
-is 1 or clears it if
-.Fa on
-is 0; see
-.Xr tcp 4
-for details.
-.Sh RETURN VALUES
-.Fn BIO_get_host_ip ,
-.Fn BIO_get_port ,
-and
-.Fn BIO_socket_nbio
-return 1 on success or 0 on failure.
-.Pp
-.Fn BIO_get_accept_socket
-returns the file descriptor of the newly created listening socket or \-1 if
-.Fa host_port
-is
-.Dv NULL ,
-no service is specified, or
-.Xr getaddrinfo 3 ,
-.Xr socket 2 ,
-.Xr bind 2 ,
-.Xr listen 2 ,
-or memory allocation fails.
-.Pp
-.Fn BIO_accept
-returns the file descriptor of the received connection,
-\-1 on fatal errors, that is, when
-.Fa addr
-is
-.Dv NULL
-or
-.Xr accept 2
-fails fatally, or \-2 when
-.Xr accept 2
-fails in a non-fatal way and might succeed when retried later.
-.Pp
-.Fn BIO_sock_error
-returns an error status code like
-.Dv EAGAIN ,
-.Dv ECONNABORTED ,
-.Dv ECONNREFUSED ,
-.Dv ECONNRESET ,
-.Dv ELOOP ,
-.Dv EMSGSIZE ,
-.Dv ENOBUFS ,
-.Dv ENOTCONN ,
-.Dv EPIPE ,
-.Dv ETIMEDOUT ,
-or others, 0 if the
-.Fa socket
-is not in an error state, or 1 if
-.Xr getsockopt 2
-fails.
-.Pp
-.Fn BIO_sock_non_fatal_error
-returns 1 if
-.Fa errnum
-is
-.Dv EAGAIN ,
-.Dv EALREADY ,
-.Dv EINPROGRESS ,
-.Dv EINTR ,
-or
-.Dv ENOTCONN
-and 0 otherwise, even if
-.Fa errnum
-is 0.
-.Pp
-.Fn BIO_sock_should_retry
-returns 1 if
-.Fn BIO_sock_non_fatal_error errno
-is 1 and
-.Fa retval
-is either 0 or \-1, or 0 otherwise.
-.Pp
-.Fn BIO_set_tcp_ndelay
-returns 0 on success or \-1 on failure.
-.Sh ERRORS
-If
-.Fn BIO_get_host_ip ,
-.Fn BIO_get_port ,
-or
-.Fn BIO_get_accept_socket
-fail or
-.Fn BIO_accept
-fails fatally, the following diagnostics can be retrieved with
-.Xr ERR_get_error 3 ,
-.Xr ERR_GET_REASON 3 ,
-and
-.Xr ERR_reason_error_string 3 :
-.Bl -tag -width Ds
-.It Dv BIO_R_ACCEPT_ERROR Qq "accept error"
-.Xr accept 2
-failed fatally in
-.Fn BIO_accept .
-.It Dv BIO_R_BAD_HOSTNAME_LOOKUP Qq "bad hostname lookup"
-.Xr getaddrinfo 3
-failed or
-.Fa hostname
-was
-.Dv NULL
-in
-.Fn BIO_get_host_ip ,
-or
-.Xr getaddrinfo 3
-failed in
-.Fn BIO_get_accept_socket .
-.It Dv BIO_R_INVALID_ARGUMENT Qq "invalid argument"
-.Xr getaddrinfo 3
-failed in
-.Fn BIO_get_port .
-.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
-Memory allocation failed in
-.Fn BIO_get_accept_socket ,
-or
-.Fn BIO_accept
-.Em succeeded
-but was unable to allocate memory for
-.Pf * Fa addr .
-For
-.Fn BIO_accept ,
-the returned file descriptor is valid,
-and communication with the peer can be attempted using it.
-.It Dv BIO_R_NO_PORT_SPECIFIED Qq "no port specified"
-The
-.Fa servname
-argument was
-.Dv NULL
-in
-.Fn BIO_get_port ,
-or
-.Fa host_port
-was
-.Dv NULL
-or ended after the first colon in
-.Fn BIO_get_accept_socket .
-.It Dv BIO_R_NULL_PARAMETER Qq "null parameter"
-The
-.Fa addr
-argument was
-.Dv NULL
-in
-.Fn BIO_accept .
-.It Dv BIO_R_UNABLE_TO_BIND_SOCKET Qq "unable to bind socket"
-.Xr bind 2
-failed in
-.Fn BIO_get_accept_socket .
-.It Dv BIO_R_UNABLE_TO_CREATE_SOCKET Qq "unable to create socket"
-.Xr socket 2
-failed in
-.Fn BIO_get_accept_socket .
-.It Dv BIO_R_UNABLE_TO_LISTEN_SOCKET Qq "unable to listen socket"
-.Xr listen 2
-failed in
-.Fn BIO_get_accept_socket .
-.El
-.Sh SEE ALSO
-.Xr bind 2 ,
-.Xr connect 2 ,
-.Xr errno 2 ,
-.Xr fcntl 2 ,
-.Xr getsockopt 2 ,
-.Xr listen 2 ,
-.Xr sigaction 2 ,
-.Xr socket 2 ,
-.Xr BIO_new 3 ,
-.Xr BIO_read 3 ,
-.Xr getaddrinfo 3 ,
-.Xr ip 4 ,
-.Xr tcp 4
-.Sh HISTORY
-.Fn BIO_sock_should_retry
-first appeared in SSLeay 0.6.5 and the other functions except
-.Fn BIO_socket_nbio
-in SSLeay 0.8.0.
-They have all been available since
-.Ox 2.4 .
-.Pp
-.Fn BIO_socket_nbio
-first appeared in SSLeay 0.9.1 and has been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/BIO_ctrl.3 b/src/lib/libcrypto/man/BIO_ctrl.3
deleted file mode 100644
index 2c537956e1..0000000000
--- a/src/lib/libcrypto/man/BIO_ctrl.3
+++ /dev/null
@@ -1,637 +0,0 @@
-.\" $OpenBSD: BIO_ctrl.3,v 1.25 2023/11/16 20:19:23 schwarze Exp $
-.\" full merge up to: OpenSSL 24a535eaf Tue Sep 22 13:14:20 2020 +0100
-.\" selective merge up to: OpenSSL 0c5bc96f Tue Mar 15 13:57:22 2022 +0000
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 16 2023 $
-.Dt BIO_CTRL 3
-.Os
-.Sh NAME
-.Nm BIO_ctrl ,
-.Nm BIO_callback_ctrl ,
-.Nm BIO_ptr_ctrl ,
-.Nm BIO_int_ctrl ,
-.Nm BIO_reset ,
-.Nm BIO_seek ,
-.Nm BIO_tell ,
-.Nm BIO_flush ,
-.Nm BIO_eof ,
-.Nm BIO_set_close ,
-.Nm BIO_get_close ,
-.Nm BIO_pending ,
-.Nm BIO_wpending ,
-.Nm BIO_ctrl_pending ,
-.Nm BIO_ctrl_wpending ,
-.Nm BIO_get_info_callback ,
-.Nm BIO_set_info_callback ,
-.Nm BIO_info_cb ,
-.Nm bio_info_cb
-.Nd BIO control operations
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft long
-.Fo BIO_ctrl
-.Fa "BIO *b"
-.Fa "int cmd"
-.Fa "long larg"
-.Fa "void *parg"
-.Fc
-.Ft long
-.Fo BIO_callback_ctrl
-.Fa "BIO *b"
-.Fa "int cmd"
-.Fa "BIO_info_cb *cb"
-.Fc
-.Ft char *
-.Fo BIO_ptr_ctrl
-.Fa "BIO *b"
-.Fa "int cmd"
-.Fa "long larg"
-.Fc
-.Ft long
-.Fo BIO_int_ctrl
-.Fa "BIO *b"
-.Fa "int cmd"
-.Fa "long larg"
-.Fa "int iarg"
-.Fc
-.Ft int
-.Fo BIO_reset
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_seek
-.Fa "BIO *b"
-.Fa "int ofs"
-.Fc
-.Ft int
-.Fo BIO_tell
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_flush
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_eof
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_set_close
-.Fa "BIO *b"
-.Fa "long flag"
-.Fc
-.Ft int
-.Fo BIO_get_close
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_pending
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_wpending
-.Fa "BIO *b"
-.Fc
-.Ft size_t
-.Fo BIO_ctrl_pending
-.Fa "BIO *b"
-.Fc
-.Ft size_t
-.Fo BIO_ctrl_wpending
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_get_info_callback
-.Fa "BIO *b"
-.Fa "BIO_info_cb **cbp"
-.Fc
-.Ft int
-.Fo BIO_set_info_callback
-.Fa "BIO *b"
-.Fa "BIO_info_cb *cb"
-.Fc
-.Ft typedef int
-.Fo BIO_info_cb
-.Fa "BIO *b"
-.Fa "int state"
-.Fa "int res"
-.Fc
-.Ft typedef int
-.Fo bio_info_cb
-.Fa "BIO *b"
-.Fa "int state"
-.Fa "int res"
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_ctrl ,
-.Fn BIO_callback_ctrl ,
-.Fn BIO_ptr_ctrl ,
-and
-.Fn BIO_int_ctrl
-are BIO "control" operations taking arguments of various types.
-These functions are not normally called directly -
-various macros are used instead.
-The standard macros are described below.
-Macros specific to a particular type of BIO
-are described in the specific BIO's manual page
-as well as any special features of the standard calls.
-.Pp
-Depending on the
-.Fa cmd
-and on the type of
-.Fa b ,
-.Fn BIO_ctrl
-may have a read-only effect on
-.Fa b
-or change data in
-.Fa b
-or in its sub-structures.
-It may also have a side effect of changing the memory pointed to by
-.Fa parg .
-.Pp
-.Fn BIO_callback_ctrl
-does not call
-.Fn BIO_ctrl
-but instead requires that the BIO type of
-.Fa b
-provides a dedicated
-.Fa callback_ctrl
-function pointer, which is built into the library for some standard BIO
-types and can be provided with
-.Xr BIO_meth_set_callback_ctrl 3
-for application-defined BIO types.
-The only
-.Fa cmd
-supported by
-.Fn BIO_callback_ctrl
-is
-.Dv BIO_CTRL_SET_CALLBACK .
-.Pp
-.Fn BIO_ptr_ctrl
-calls
-.Fn BIO_ctrl
-with
-.Fa parg
-pointing to the location of a temporary pointer variable initialized to
-.Dv NULL .
-.Pp
-.Fn BIO_int_ctrl
-calls
-.Fn BIO_ctrl
-with
-.Fa parg
-pointing to the location of a temporary
-.Vt int
-variable initialized to
-.Fa iarg .
-If
-.Fn BIO_ctrl
-changes the value stored at
-.Pf * Fa parg ,
-the new value is ignored.
-.Pp
-.Fn BIO_reset
-typically resets a BIO to some initial state.
-In the case of file related BIOs, for example,
-it rewinds the file pointer to the start of the file.
-.Pp
-.Fn BIO_seek
-resets a file related BIO's (that is file descriptor and
-FILE BIOs) file position pointer to
-.Fa ofs
-bytes from start of file.
-.Pp
-.Fn BIO_tell
-returns the current file position of a file related BIO.
-.Pp
-.Fn BIO_flush
-normally writes out any internally buffered data.
-In some cases it is used to signal EOF and that no more data will be written.
-.Pp
-.Fn BIO_eof
-returns 1 if the BIO has read EOF.
-The precise meaning of "EOF" varies according to the BIO type.
-.Pp
-.Fn BIO_set_close
-sets the BIO
-.Fa b
-close flag to
-.Fa flag .
-.Fa flag
-can take the value
-.Dv BIO_CLOSE
-or
-.Dv BIO_NOCLOSE .
-Typically
-.Dv BIO_CLOSE
-is used in a source/sink BIO to indicate that the underlying I/O stream
-should be closed when the BIO is freed.
-.Pp
-.Fn BIO_get_close
-returns the BIO's close flag.
-.Pp
-.Fn BIO_pending ,
-.Fn BIO_ctrl_pending ,
-.Fn BIO_wpending ,
-and
-.Fn BIO_ctrl_wpending
-return the number of pending characters in the BIO's read and write buffers.
-Not all BIOs support these calls.
-.Fn BIO_ctrl_pending
-and
-.Fn BIO_ctrl_wpending
-return a
-.Vt size_t
-type and are functions.
-.Pp
-.Fn BIO_set_info_callback
-installs the function pointer
-.Fa cb
-as an info callback in
-.Fa b
-by calling
-.Fn BIO_callback_ctrl
-with a command of
-.Dv BIO_CTRL_SET_CALLBACK .
-Among the BIO types built into the library, only
-.Xr BIO_s_connect 3
-and
-.Xr BIO_f_ssl 3
-support this functionality.
-Some filter BIO types forward this control call
-to the next BIO in the chain instead of processing it themselves.
-.Pp
-.Fn BIO_get_info_callback
-places the function pointer to the info callback into
-.Pf * Fa cbp
-if any was installed using
-.Fn BIO_set_info_callback
-or
-.Fn BIO_callback_ctrl .
-If the type of
-.Fa b
-supports setting an info callback but none was installed, it stores a
-.Dv NULL
-pointer in
-.Pf * Fa cbp .
-.Pp
-The function type name
-.Vt bio_info_cb
-is a deprecated synonym for
-.Vt BIO_info_cb
-provided for backward compatibility with some existing application software.
-.Pp
-The following
-.Fa cmd
-constants correspond to macros:
-.Bl -column BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT BIO_set_ssl_renegotiate_timeout(3)
-.It Fa cmd No constant                   Ta corresponding macro
-.It Dv BIO_C_DESTROY_BIO_PAIR            Ta Xr BIO_destroy_bio_pair 3
-.It Dv BIO_C_DO_STATE_MACHINE            Ta Xr BIO_do_handshake 3
-.It Dv BIO_C_FILE_SEEK                   Ta Fn BIO_seek
-.It Dv BIO_C_FILE_TELL                   Ta Fn BIO_tell
-.It Dv BIO_C_GET_ACCEPT                  Ta Xr BIO_get_accept_port 3
-.It Dv BIO_C_GET_BIND_MODE               Ta Xr BIO_get_bind_mode 3
-.It Dv BIO_C_GET_BUF_MEM_PTR             Ta Xr BIO_get_mem_ptr 3
-.It Dv BIO_C_GET_BUFF_NUM_LINES          Ta Xr BIO_get_buffer_num_lines 3
-.It Dv BIO_C_GET_CIPHER_CTX              Ta Xr BIO_get_cipher_ctx 3
-.It Dv BIO_C_GET_CIPHER_STATUS           Ta Xr BIO_get_cipher_status 3
-.It Dv BIO_C_GET_FD                      Ta Xr BIO_get_fd 3
-.It Dv BIO_C_GET_FILE_PTR                Ta Xr BIO_get_fp 3
-.It Dv BIO_C_GET_MD                      Ta Xr BIO_get_md 3
-.It Dv BIO_C_GET_MD_CTX                  Ta Xr BIO_get_md_ctx 3
-.It Dv BIO_C_GET_READ_REQUEST            Ta Xr BIO_get_read_request 3
-.It Dv BIO_C_GET_SSL                     Ta Xr BIO_get_ssl 3
-.It Dv BIO_C_GET_SSL_NUM_RENEGOTIATES    Ta Xr BIO_get_num_renegotiates 3
-.It Dv BIO_C_GET_WRITE_BUF_SIZE          Ta Xr BIO_get_write_buf_size 3
-.It Dv BIO_C_GET_WRITE_GUARANTEE         Ta Xr BIO_get_write_guarantee 3
-.It Dv BIO_C_MAKE_BIO_PAIR               Ta Xr BIO_make_bio_pair 3
-.It Dv BIO_C_RESET_READ_REQUEST          Ta Xr BIO_ctrl_reset_read_request 3
-.It Dv BIO_C_SET_BIND_MODE               Ta Xr BIO_set_bind_mode 3
-.It Dv BIO_C_SET_BUF_MEM                 Ta Xr BIO_set_mem_buf 3
-.It Dv BIO_C_SET_BUF_MEM_EOF_RETURN      Ta Xr BIO_set_mem_eof_return 3
-.It Dv BIO_C_SET_BUFF_READ_DATA          Ta Xr BIO_set_buffer_read_data 3
-.It Dv BIO_C_SET_FD                      Ta Xr BIO_set_fd 3
-.It Dv BIO_C_SET_FILE_PTR                Ta Xr BIO_set_fp 3
-.It Dv BIO_C_SET_MD                      Ta Xr BIO_set_md 3
-.It Dv BIO_C_SET_MD_CTX                  Ta Xr BIO_set_md_ctx 3
-.It Dv BIO_C_SET_NBIO                    Ta Xr BIO_set_nbio 3
-.It Dv BIO_C_SET_SSL                     Ta Xr BIO_set_ssl 3
-.It Dv BIO_C_SET_SSL_RENEGOTIATE_BYTES   Ta Xr BIO_set_ssl_renegotiate_bytes 3
-.It Dv BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT Ta Xr BIO_set_ssl_renegotiate_timeout 3
-.It Dv BIO_C_SET_WRITE_BUF_SIZE          Ta Xr BIO_set_write_buf_size 3
-.It Dv BIO_C_SHUTDOWN_WR                 Ta Xr BIO_shutdown_wr 3
-.It Dv BIO_C_SSL_MODE                    Ta Xr BIO_set_ssl_mode 3
-.It Dv BIO_CTRL_DGRAM_CONNECT            Ta Xr BIO_ctrl_dgram_connect 3
-.It Dv BIO_CTRL_DGRAM_GET_PEER           Ta Xr BIO_dgram_get_peer 3
-.It Dv BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP Ta Xr BIO_dgram_recv_timedout 3
-.It Dv BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP Ta Xr BIO_dgram_send_timedout 3
-.It Dv BIO_CTRL_DGRAM_SET_CONNECTED      Ta Xr BIO_ctrl_set_connected 3
-.It Dv BIO_CTRL_DGRAM_SET_PEER           Ta Xr BIO_dgram_set_peer 3
-.It Dv BIO_CTRL_DUP                      Ta Xr BIO_dup_state 3
-.It Dv BIO_CTRL_EOF                      Ta Fn BIO_eof
-.It Dv BIO_CTRL_FLUSH                    Ta Fn BIO_flush
-.It Dv BIO_CTRL_GET_CALLBACK             Ta Fn BIO_get_info_callback
-.It Dv BIO_CTRL_GET_CLOSE                Ta Fn BIO_get_close
-.It Dv BIO_CTRL_INFO                     Ta Xr BIO_get_mem_data 3
-.It Dv BIO_CTRL_PENDING                  Ta Fn BIO_pending
-.It Dv BIO_CTRL_RESET                    Ta Fn BIO_reset
-.It Dv BIO_CTRL_SET_CALLBACK             Ta Fn BIO_set_info_callback
-.It Dv BIO_CTRL_SET_CLOSE                Ta Fn BIO_set_close
-.It Dv BIO_CTRL_WPENDING                 Ta Fn BIO_wpending
-.El
-.Pp
-A few
-.Fa cmd
-constants serve more than one macro each
-and are documented in the following manual pages:
-.Bl -column BIO_C_SET_BUFF_SIZE BIO_s_connect(3) -offset 3n
-.It Fa cmd No constant     Ta manual page
-.It Dv BIO_C_GET_CONNECT   Ta Xr BIO_s_connect 3
-.It Dv BIO_C_SET_ACCEPT    Ta Xr BIO_s_accept 3
-.It Dv BIO_C_SET_BUFF_SIZE Ta Xr BIO_f_buffer 3
-.It Dv BIO_C_SET_CONNECT   Ta Xr BIO_s_connect 3
-.It Dv BIO_C_SET_FILENAME  Ta Xr BIO_s_file 3
-.El
-.Pp
-Some
-.Fa cmd
-constants are not associated with any macros.
-They are documented in the following manual pages:
-.Bl -column BIO_CTRL_DGRAM_SET_RECV_TIMEOUT BIO_dgram_recv_timedout(3)\
- -offset 3n
-.It Fa cmd No constant                 Ta manual page
-.\" The following constants are intentionally undocumented because
-.\" BIO_f_asn1 has been removed from the public API.
-.\" .It Dv BIO_C_GET_EX_ARG                Ta Xr BIO_f_asn1 3
-.\" .It Dv BIO_C_SET_EX_ARG                Ta Xr BIO_f_asn1 3
-.It Dv BIO_CTRL_DGRAM_GET_FALLBACK_MTU Ta Xr BIO_dgram_set_peer 3
-.It Dv BIO_CTRL_DGRAM_GET_MTU          Ta Xr BIO_dgram_set_peer 3
-.It Dv BIO_CTRL_DGRAM_GET_RECV_TIMEOUT Ta Xr BIO_dgram_recv_timedout 3
-.It Dv BIO_CTRL_DGRAM_GET_SEND_TIMEOUT Ta Xr BIO_dgram_send_timedout 3
-.It Dv BIO_CTRL_DGRAM_SET_MTU          Ta Xr BIO_dgram_set_peer 3
-.It Dv BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT Ta Xr BIO_dgram_recv_timedout 3
-.It Dv BIO_CTRL_DGRAM_SET_RECV_TIMEOUT Ta Xr BIO_dgram_recv_timedout 3
-.It Dv BIO_CTRL_DGRAM_SET_SEND_TIMEOUT Ta Xr BIO_dgram_send_timedout 3
-.It Dv BIO_CTRL_DGRAM_MTU_EXCEEDED     Ta Xr BIO_s_datagram 3
-.It Dv BIO_CTRL_POP                    Ta Xr BIO_pop 3
-.It Dv BIO_CTRL_PUSH                   Ta Xr BIO_push 3
-.El
-.Sh RETURN VALUES
-The meaning of the return values of
-.Fn BIO_ctrl ,
-.Fn BIO_callback_ctrl ,
-and
-.Fn BIO_int_ctrl
-depends on both the type of
-.Fa b
-and on the
-.Fa cmd .
-If
-.Fa b
-is a
-.Dv NULL
-pointer, no action occurs and 0 is returned.
-The return value \-2 usually indicates a fatal error.
-In particular, it is returned if the
-.Fa cmd
-is unsupported by the type of
-.Fa b .
-.Pp
-.Fn BIO_callback_ctrl
-and
-.Fn BIO_set_info_callback
-return 1 on success, 0 if
-.Fa b
-is
-.Dv NULL
-or to indicate failure of a valid
-.Fa cmd ,
-or \-2 if the
-.Fa cmd
-is not supported by
-.Fa b .
-.Pp
-.Fn BIO_ptr_ctrl
-returns
-.Dv NULL
-if the
-.Fn BIO_ctrl
-call returns a negative value or does not change
-.Pf * Fa parg ,
-or the pointer it puts into
-.Pf * Fa parg
-otherwise.
-.Pp
-.Fn BIO_int_ctrl
-returns the return value of
-.Fn BIO_ctrl .
-.Pp
-.Fn BIO_reset
-normally returns 1 for success and 0 or -1 for failure.
-File BIOs are an exception, returning 0 for success and -1 for failure.
-.Pp
-.Fn BIO_seek
-and
-.Fn BIO_tell
-both return the current file position on success
-and -1 for failure, except file BIOs which for
-.Fn BIO_seek
-always return 0 for success and -1 for failure.
-.Pp
-.Fn BIO_flush
-returns 1 for success and 0 or -1 for failure.
-.Pp
-.Fn BIO_eof
-returns 1 if EOF has been reached or 0 otherwise.
-.Pp
-.Fn BIO_set_close
-always returns 1.
-.Pp
-.Fn BIO_get_close
-returns the close flag value
-.Dv BIO_CLOSE
-or
-.Dv BIO_NOCLOSE .
-.Pp
-.Fn BIO_pending ,
-.Fn BIO_ctrl_pending ,
-.Fn BIO_wpending ,
-and
-.Fn BIO_ctrl_wpending
-return the amount of pending data.
-.Pp
-.Fn BIO_get_info_callback
-returns 1 on success, including when the type of
-.Fa b
-supports an info callback but none is installed,
-0 if
-.Fa b
-is
-.Dv NULL
-or \-2 if the type of
-.Fa b
-does not support an info callback.
-.Pp
-If a callback was installed in
-.Fa b
-using
-.Xr BIO_set_callback_ex 3
-or
-.Xr BIO_set_callback 3 ,
-it can modify the return values of all these functions.
-.Sh NOTES
-Because it can write data,
-.Fn BIO_flush
-may return 0 or -1 indicating that the call should be retried later
-in a similar manner to
-.Xr BIO_write 3 .
-The
-.Xr BIO_should_retry 3
-call should be used and appropriate action taken if the call fails.
-.Pp
-The return values of
-.Fn BIO_pending
-and
-.Fn BIO_wpending
-may not reliably determine the amount of pending data in all cases.
-For example in the case of a file BIO some data may be available in the
-.Vt FILE
-structure's internal buffers but it is not possible
-to determine this in a portable way.
-For other types of BIO they may not be supported.
-.Pp
-If they do not internally handle a particular
-.Fn BIO_ctrl
-operation, filter BIOs usually pass the operation
-to the next BIO in the chain.
-This often means there is no need to locate the required BIO for
-a particular operation: it can be called on a chain and it will
-be automatically passed to the relevant BIO.
-However, this can cause unexpected results.
-For example no current filter BIOs implement
-.Fn BIO_seek ,
-but this may still succeed if the chain ends
-in a FILE or file descriptor BIO.
-.Pp
-Source/sink BIOs return a 0 if they do not recognize the
-.Fn BIO_ctrl
-operation.
-.Sh SEE ALSO
-.Xr BIO_meth_new 3 ,
-.Xr BIO_new 3
-.Sh HISTORY
-.Fn BIO_ctrl ,
-.Fn BIO_reset ,
-.Fn BIO_flush ,
-.Fn BIO_eof ,
-.Fn BIO_set_close ,
-.Fn BIO_get_close ,
-and
-.Fn BIO_pending
-first appeared in SSLeay 0.6.0.
-.Fn BIO_wpending
-first appeared in SSLeay 0.8.1.
-.Fn BIO_ptr_ctrl ,
-.Fn BIO_int_ctrl ,
-.Fn BIO_get_info_callback
-and
-.Fn BIO_set_info_callback
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn BIO_seek
-and
-.Fn BIO_tell
-first appeared in SSLeay 0.9.1.
-.Fn BIO_ctrl_pending
-and
-.Fn BIO_ctrl_wpending
-first appeared in OpenSSL 0.9.4.
-These functions have been available since
-.Ox 2.6 .
-.Pp
-.Fn BIO_callback_ctrl
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Pp
-.Fn bio_info_cb
-first appeared with a more complicated prototype in OpenSSL 0.9.6
-and has been available since
-.Ox 2.9 .
-.Pp
-.Fn BIO_info_cb
-first appeared in OpenSSL 1.1.0h and has been available since
-.Ox 6.3 .
-.Sh BUGS
-Some of the return values are ambiguous and care should be taken.
-In particular a return value of 0 can be returned if an operation
-is not supported, if an error occurred, if EOF has not been reached
-and in the case of
-.Fn BIO_seek
-on a file BIO for a successful operation.
diff --git a/src/lib/libcrypto/man/BIO_dump.3 b/src/lib/libcrypto/man/BIO_dump.3
deleted file mode 100644
index 8817f0c4ca..0000000000
--- a/src/lib/libcrypto/man/BIO_dump.3
+++ /dev/null
@@ -1,128 +0,0 @@
-.\" $OpenBSD: BIO_dump.3,v 1.4 2022/12/20 15:34:03 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 20 2022 $
-.Dt BIO_DUMP 3
-.Os
-.Sh NAME
-.Nm BIO_dump ,
-.Nm BIO_dump_indent ,
-.Nm BIO_dump_fp ,
-.Nm BIO_dump_indent_fp
-.\" intentionally undocumented because nothing uses these two functions:
-.\" .Nm BIO_dump_cb
-.\" .Nm BIO_dump_indent_cb
-.Nd hexadecimal printout of arbitrary byte arrays
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft int
-.Fo BIO_dump
-.Fa "BIO *b"
-.Fa "const char *s"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo BIO_dump_indent
-.Fa "BIO *b"
-.Fa "const char *s"
-.Fa "int len"
-.Fa "int indent"
-.Fc
-.Ft int
-.Fo BIO_dump_fp
-.Fa "FILE *fp"
-.Fa "const char *s"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo BIO_dump_indent_fp
-.Fa "FILE *fp"
-.Fa "const char *s"
-.Fa "int len"
-.Fa "int indent"
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_dump
-prints
-.Fa len
-bytes starting at
-.Fa s
-to
-.Fa bio
-in hexadecimal format.
-.Pp
-The first column of output contains the index, in the byte array starting at
-.Fa s ,
-of the first byte shown on the respective output line, expressed as a
-four-digit hexadecimal number starting at 0000, followed by a dash.
-After the dash, sixteen bytes of data are printed as two-digit
-hexadecimal numbers, respecting the order in which they appear in
-the array
-.Fa s .
-Another dash is printed after the eighth column.
-.Pp
-To the right of the hexadecimal representation of the bytes,
-the same bytes are printed again, this time as ASCII characters.
-Non-printable ASCII characters are replaced with dots.
-.Pp
-Trailing space characters and NUL bytes are omitted from the main table.
-If there are any, an additional line is printed, consisting of the
-.Fa len
-argument as a four-digit hexadecimal number, a dash, and the fixed string
-.Qq <SPACES/NULS> .
-.Pp
-.Fn BIO_dump_indent
-is similar except that
-.Fa indent
-space characters are prepended to each output line.
-If
-.Fa indent
-is 7 or more, the number of data columns is reduced such that the
-total width of the output does not exceed 79 characters per line.
-.Pp
-.Fn BIO_dump_fp
-and
-.Fn BIO_dump_indent_fp
-are similar except that
-.Xr fwrite 3
-is used instead of
-.Xr BIO_write 3 .
-.Sh RETURN VALUES
-On success these functions return the total number of bytes written by
-.Xr BIO_write 3
-or
-.Xr fwrite 3 .
-If a failure occurs at any point when writing, these
-functions will stop after having potentially written out partial results,
-and return -1.
-.Sh SEE ALSO
-.Xr hexdump 1 ,
-.Xr BIO_new 3 ,
-.Xr BIO_write 3
-.Sh HISTORY
-.Fn BIO_dump
-first appeared in SSLeay 0.6.5 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn BIO_dump_indent
-first appeared in OpenSSL 0.9.6 and has been available since
-.Ox 2.9 .
-.Pp
-.Fn BIO_dump_fp
-and
-.Fn BIO_dump_indent_fp
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/BIO_dup_chain.3 b/src/lib/libcrypto/man/BIO_dup_chain.3
deleted file mode 100644
index 5c5e8c6533..0000000000
--- a/src/lib/libcrypto/man/BIO_dup_chain.3
+++ /dev/null
@@ -1,141 +0,0 @@
-.\" $OpenBSD: BIO_dup_chain.3,v 1.2 2023/04/09 06:27:52 jsg Exp $
-.\"
-.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: April 9 2023 $
-.Dt BIO_DUP_CHAIN 3
-.Os
-.Sh NAME
-.Nm BIO_dup_chain ,
-.Nm BIO_dup_state
-.Nd copy a BIO chain
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft BIO *
-.Fn BIO_dup_chain "BIO *b"
-.Ft long
-.Fn BIO_dup_state "BIO *b" "BIO *new_bio"
-.Sh DESCRIPTION
-.Fn BIO_dup_chain
-copies the chain starting at
-.Fa b
-by iteratively copying
-.Fa b
-and all the BIOs following it
-and joining the copies in the same order as in the original chain.
-The copying operation is neither a deep copy nor a shallow copy.
-.Pp
-Some parts of the state of each BIO are copied,
-in particular with respect to the values returned by
-.Xr BIO_get_init 3 ,
-.Xr BIO_test_flags 3 ,
-and
-.Xr BIO_get_shutdown 3 .
-.\" XXX new_bio->num = bio->num;
-Other parts of the state of the BIOs are not copied
-but instead initialized to 0,
-in particular with respect to the values returned by
-.Xr BIO_number_read 3 ,
-.Xr BIO_number_written 3 ,
-and
-.Xr BIO_get_retry_reason 3 .
-The custom data pointer that can be used by custom BIO types
-and that can be retrieved with
-.Xr BIO_get_data 3
-is set to
-.Dv NULL
-in the copied BIO objects rather than copied.
-The reference count of each BIO in the copied chain is set to 1.
-.Pp
-For each BIO in the chain, copying the data that was set with
-.Xr BIO_set_ex_data 3
-is attempted, which may involve calling application-defined
-callback functions.
-.Pp
-The following pointers are copied
-rather than creating deep copies of the objects pointed to:
-.Bl -bullet
-.It
-The
-.Fa type
-pointer used for creating each BIO with
-.Xr BIO_new 3 ,
-implying that functions like
-.Xr BIO_method_name 3
-return pointers to the same strings for the BIOs in the copied chain,
-and that these strings are not copied.
-.It
-All function pointers, in particular those installed with
-.Xr BIO_set_callback_ex 3
-and
-.Xr BIO_get_callback_ex 3 .
-.It
-The pointer installed with
-.Xr BIO_set_callback_arg 3 ,
-which implies that for BIOs using
-.Xr BIO_debug_callback 3 ,
-those in the copied chain use the same BIOs for debugging output
-as the corresponding ones in the original chain,
-and none of the debugging output BIOs are copied.
-.El
-.Pp
-.Fn BIO_dup_state
-is a macro that calls
-.Xr BIO_ctrl 3
-with a
-.Fa cmd
-argument of
-.Dv BIO_CTRL_DUP .
-It is automatically called for each BIO during
-.Fn BIO_dup_chain
-after the copied BIO is initialized and data copied into it,
-but before the data set with
-.Xr BIO_set_ex_data 3
-is copied into the new BIO and before it is linked into the new chain.
-.Pp
-This control operation may modify the operation of
-.Fn BIO_dup_chain
-for particular types of BIOs contained in the chain,
-for example initializing or copying additional data.
-For BIO types provided by the library, such additional effects
-are documented in the respective manual pages, in particular in
-.Xr BIO_f_buffer 3 ,
-.Xr BIO_f_cipher 3 ,
-.Xr BIO_f_md 3 ,
-.Xr BIO_f_ssl 3 ,
-.Xr BIO_s_bio 3 ,
-and
-.Xr BIO_s_connect 3 .
-.Sh RETURN VALUES
-.Fn BIO_dup_chain
-returns a pointer to the newly allocated copy of the BIO
-.Fa b
-on success or
-.Dv NULL
-on failure .
-.Pp
-.Fn BIO_dup_state
-returns 1 on success or a value less than or equal to zero on failure.
-.Sh SEE ALSO
-.Xr BIO_get_data 3 ,
-.Xr BIO_new 3 ,
-.Xr BIO_next 3 ,
-.Xr BIO_push 3
-.Sh HISTORY
-.Fn BIO_dup_chain
-and
-.Fn BIO_dup_state
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/BIO_f_base64.3 b/src/lib/libcrypto/man/BIO_f_base64.3
deleted file mode 100644
index e4589de035..0000000000
--- a/src/lib/libcrypto/man/BIO_f_base64.3
+++ /dev/null
@@ -1,148 +0,0 @@
-.\"     $OpenBSD: BIO_f_base64.3,v 1.15 2023/09/11 04:00:40 jsg Exp $
-.\"     OpenSSL fc1d88f0 Wed Jul 2 22:42:40 2014 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2003, 2005, 2014 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 11 2023 $
-.Dt BIO_F_BASE64 3
-.Os
-.Sh NAME
-.Nm BIO_f_base64
-.\" .Nm EVP_ENCODE_LENGTH and
-.\" .Nm EVP_DECODE_LENGTH are intentionally undocumented
-.\" because they are internal implementation details of BIO_f_base64(3)
-.\" and practically unused outside evp/bio_b64.c.
-.Nd base64 BIO filter
-.Sh SYNOPSIS
-.In openssl/bio.h
-.In openssl/evp.h
-.Ft const BIO_METHOD *
-.Fo BIO_f_base64
-.Fa void
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_f_base64
-returns the base64 BIO method.
-This is a filter BIO that base64 encodes any data written through it
-and decodes any data read through it.
-.Pp
-Base64 BIOs do not support
-.Xr BIO_gets 3
-or
-.Xr BIO_puts 3 .
-.Pp
-.Xr BIO_flush 3
-on a base64 BIO that is being written through
-is used to signal that no more data is to be encoded:
-this is used to flush the final block through the BIO.
-.Pp
-To encode the data all on one line and to expect the data to be all
-on one line, initialize the base64 BIO as follows:
-.Bd -literal -offset indent
-BIO *b64 = BIO_new(BIO_f_base64());
-BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
-.Ed
-.Sh RETURN VALUES
-.Fn BIO_f_base64
-returns the base64 BIO method.
-.Pp
-When called on a base64 BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_BASE64
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq base64 encoding .
-.Sh EXAMPLES
-Base64 encode the string "hello, world\en"
-and write the result to standard output:
-.Bd -literal -offset indent
-BIO *bio, *b64;
-char message[] = "hello, world\en";
-
-b64 = BIO_new(BIO_f_base64());
-bio = BIO_new_fp(stdout, BIO_NOCLOSE);
-BIO_push(b64, bio);
-BIO_write(b64, message, strlen(message));
-BIO_flush(b64);
-
-BIO_free_all(b64);
-.Ed
-.Pp
-Read Base64-encoded data from standard input
-and write the decoded data to standard output:
-.Bd -literal -offset indent
-BIO *bio, *b64, *bio_out;
-char inbuf[512];
-int inlen;
-
-b64 = BIO_new(BIO_f_base64());
-bio = BIO_new_fp(stdin, BIO_NOCLOSE);
-bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
-BIO_push(b64, bio);
-while((inlen = BIO_read(b64, inbuf, 512)) > 0)
-        BIO_write(bio_out, inbuf, inlen);
-
-BIO_flush(bio_out);
-BIO_free_all(b64);
-.Ed
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr EVP_EncodeInit 3
-.Sh HISTORY
-.Fn BIO_f_base64
-first appeared in SSLeay 0.6.5 and has been available since
-.Ox 2.4 .
-.Sh BUGS
-The ambiguity of EOF in base64-encoded data can cause additional
-data following the base64-encoded block to be misinterpreted.
-.Pp
-There should be some way of specifying a test that the BIO can perform
-to reliably determine EOF (for example a MIME boundary).
diff --git a/src/lib/libcrypto/man/BIO_f_buffer.3 b/src/lib/libcrypto/man/BIO_f_buffer.3
deleted file mode 100644
index a3012c5c5d..0000000000
--- a/src/lib/libcrypto/man/BIO_f_buffer.3
+++ /dev/null
@@ -1,262 +0,0 @@
-.\" $OpenBSD: BIO_f_buffer.3,v 1.17 2023/04/29 12:22:08 schwarze Exp $
-.\" full merge up to OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2010, 2015, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 29 2023 $
-.Dt BIO_F_BUFFER 3
-.Os
-.Sh NAME
-.Nm BIO_f_buffer ,
-.Nm BIO_get_buffer_num_lines ,
-.Nm BIO_set_read_buffer_size ,
-.Nm BIO_set_write_buffer_size ,
-.Nm BIO_set_buffer_size ,
-.Nm BIO_set_buffer_read_data
-.\" .Nm BIO_buffer_get_num_lines and
-.\" .Nm BIO_CTRL_GET are intentionally undocumented.
-.\" Contrary to what bio.h says, they do not *not* get some "IO type",
-.\" whatever that is supposed to be, but are NOOPs, and nothing uses them.
-.Nd buffering BIO
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft const BIO_METHOD *
-.Fo BIO_f_buffer
-.Fa void
-.Fc
-.Ft long
-.Fo BIO_get_buffer_num_lines
-.Fa "BIO *b"
-.Fc
-.Ft long
-.Fo BIO_set_read_buffer_size
-.Fa "BIO *b"
-.Fa "long size"
-.Fc
-.Ft long
-.Fo BIO_set_write_buffer_size
-.Fa "BIO *b"
-.Fa "long size"
-.Fc
-.Ft long
-.Fo BIO_set_buffer_size
-.Fa "BIO *b"
-.Fa "long size"
-.Fc
-.Ft long
-.Fo BIO_set_buffer_read_data
-.Fa "BIO *b"
-.Fa "void *buf"
-.Fa "long num"
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_f_buffer
-returns the buffering BIO method.
-.Pp
-Data written to a buffering BIO is buffered and periodically written
-to the next BIO in the chain.
-Data read from a buffering BIO comes from an internal buffer
-which is filled from the next BIO in the chain.
-Both
-.Xr BIO_gets 3
-and
-.Xr BIO_puts 3
-are supported.
-.Pp
-Calling
-.Xr BIO_reset 3
-on a buffering BIO clears any buffered data.
-.Pp
-.Fn BIO_get_buffer_num_lines
-returns the number of lines currently buffered.
-.Pp
-.Fn BIO_set_read_buffer_size ,
-.Fn BIO_set_write_buffer_size ,
-and
-.Fn BIO_set_buffer_size
-set the read, write or both read and write buffer sizes to
-.Fa size .
-The initial buffer size is
-.Dv DEFAULT_BUFFER_SIZE ,
-currently 4096.
-Any attempt to reduce the buffer size below
-.Dv DEFAULT_BUFFER_SIZE
-is ignored.
-Any buffered data is cleared when the buffer is resized.
-.Pp
-.Fn BIO_set_buffer_read_data
-clears the read buffer and fills it with
-.Fa num
-bytes of
-.Fa buf .
-If
-.Fa num
-is larger than the current buffer size, the buffer is expanded.
-.Pp
-Buffering BIOs implement
-.Xr BIO_gets 3
-by using
-.Xr BIO_read 3
-operations on the next BIO in the chain.
-By prepending a buffering BIO to a chain
-it is therefore possible to provide the functionality of
-.Xr BIO_gets 3
-if the following BIOs do not support it (for example SSL BIOs).
-.Pp
-Data is only written to the next BIO in the chain
-when the write buffer fills or when
-.Xr BIO_flush 3
-is called.
-It is therefore important to call
-.Xr BIO_flush 3
-whenever any pending data should be written
-such as when removing a buffering BIO using
-.Xr BIO_pop 3 .
-.Xr BIO_flush 3
-may need to be retried if the ultimate source/sink BIO is non-blocking.
-.Pp
-When a chain containing a buffering BIO is copied with
-.Xr BIO_dup_chain 3 ,
-.Fn BIO_set_read_buffer_size
-and
-.Fn BIO_set_write_buffer_size
-are called internally to automatically copy both buffer sizes from the
-original BIO object to the new one.
-.Pp
-.Xr BIO_ctrl 3
-.Fa cmd
-arguments correspond to macros as follows:
-.Bl -column BIO_C_GET_BUFF_NUM_LINES BIO_get_buffer_num_lines() -offset 3n
-.It Fa cmd No constant          Ta corresponding macro
-.It Dv BIO_C_GET_BUFF_NUM_LINES Ta Fn BIO_get_buffer_num_lines
-.It Dv BIO_C_SET_BUFF_READ_DATA Ta Fn BIO_set_buffer_read_data
-.It Dv BIO_C_SET_BUFF_SIZE      Ta Fn BIO_set_buffer_size
-.It Dv BIO_CTRL_FLUSH           Ta Xr BIO_flush 3
-.It Dv BIO_CTRL_PENDING         Ta Xr BIO_pending 3
-.It Dv BIO_CTRL_RESET           Ta Xr BIO_reset 3
-.It Dv BIO_CTRL_WPENDING        Ta Xr BIO_wpending 3
-.El
-.Pp
-The
-.Fa cmd
-constant
-.Dv BIO_C_SET_BUFF_SIZE
-is special.
-It is also used for
-.Xr BIO_int_ctrl 3
-with the following
-.Fa iarg
-arguments:
-.Bl -column BIO_C_SET_BUFF_SIZE iarg BIO_set_write_buffer_size() -offset 3n
-.It Fa cmd No constant     Ta Fa iarg Ta corresponding macro
-.It Dv BIO_C_SET_BUFF_SIZE Ta 0       Ta Fn BIO_set_read_buffer_size
-.It                        Ta 1       Ta Fn BIO_set_write_buffer_size
-.El
-.Sh RETURN VALUES
-.Fn BIO_f_buffer
-returns the buffering BIO method.
-.Pp
-When called on a buffering BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_BUFFER
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq buffer .
-.Pp
-.Fn BIO_get_buffer_num_lines
-returns the number of lines buffered (may be 0).
-.Pp
-.Fn BIO_set_read_buffer_size ,
-.Fn BIO_set_write_buffer_size ,
-and
-.Fn BIO_set_buffer_size
-return 1 if the buffer was successfully resized or 0 for failure.
-.Pp
-.Fn BIO_set_buffer_read_data
-returns 1 if the data was set correctly or 0 if there was an error.
-.Sh SEE ALSO
-.Xr BIO_ctrl 3 ,
-.Xr BIO_flush 3 ,
-.Xr BIO_new 3 ,
-.Xr BIO_pop 3 ,
-.Xr BIO_reset 3
-.Sh HISTORY
-.Fn BIO_f_buffer
-first appeared in SSLeay 0.6.0.
-.Fn BIO_get_buffer_num_lines
-and
-.Fn BIO_set_buffer_size
-first appeared in SSLeay 0.6.5.
-.Fn BIO_set_read_buffer_size
-and
-.Fn BIO_set_write_buffer_size
-first appeared in SSLeay 0.8.0.
-.Fn BIO_set_buffer_read_data
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/BIO_f_cipher.3 b/src/lib/libcrypto/man/BIO_f_cipher.3
deleted file mode 100644
index c5d00c6981..0000000000
--- a/src/lib/libcrypto/man/BIO_f_cipher.3
+++ /dev/null
@@ -1,209 +0,0 @@
-.\" $OpenBSD: BIO_f_cipher.3,v 1.16 2023/04/29 12:01:53 schwarze Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2003, 2015, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 29 2023 $
-.Dt BIO_F_CIPHER 3
-.Os
-.Sh NAME
-.Nm BIO_f_cipher ,
-.Nm BIO_set_cipher ,
-.Nm BIO_get_cipher_status ,
-.Nm BIO_get_cipher_ctx
-.\" .Nm BIO_CTRL_SET is intentionally undocumented because it has no effect.
-.Nd cipher BIO filter
-.Sh SYNOPSIS
-.In openssl/bio.h
-.In openssl/evp.h
-.Ft const BIO_METHOD *
-.Fo BIO_f_cipher
-.Fa void
-.Fc
-.Ft int
-.Fo BIO_set_cipher
-.Fa "BIO *b"
-.Fa "const EVP_CIPHER *cipher"
-.Fa "unsigned char *key"
-.Fa "unsigned char *iv"
-.Fa "int enc"
-.Fc
-.Ft long
-.Fo BIO_get_cipher_status
-.Fa "BIO *b"
-.Fc
-.Ft long
-.Fo BIO_get_cipher_ctx
-.Fa "BIO *b"
-.Fa "EVP_CIPHER_CTX **pctx"
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_f_cipher
-returns the cipher BIO method.
-This is a filter BIO that encrypts any data written through it,
-and decrypts any data read from it.
-It is a BIO wrapper for the cipher routines
-.Xr EVP_CipherInit 3 ,
-.Xr EVP_CipherUpdate 3 ,
-and
-.Xr EVP_CipherFinal 3 .
-.Pp
-Cipher BIOs do not support
-.Xr BIO_gets 3
-or
-.Xr BIO_puts 3 .
-.Pp
-.Xr BIO_flush 3
-on an encryption BIO that is being written through
-is used to signal that no more data is to be encrypted:
-this is used to flush and possibly pad the final block through the BIO.
-.Pp
-.Fn BIO_set_cipher
-sets the cipher of BIO
-.Fa b
-to
-.Fa cipher
-using key
-.Fa key
-and IV
-.Fa iv .
-.Fa enc
-should be set to 1 for encryption and zero for decryption.
-.Pp
-When reading from an encryption BIO, the final block is automatically
-decrypted and checked when EOF is detected.
-.Fn BIO_get_cipher_status
-is a
-.Xr BIO_ctrl 3
-macro which can be called to determine
-whether the decryption operation was successful.
-.Pp
-.Fn BIO_get_cipher_ctx
-is a
-.Xr BIO_ctrl 3
-macro which retrieves the internal BIO cipher context.
-The retrieved context can be used in conjunction
-with the standard cipher routines to set it up.
-This is useful when
-.Fn BIO_set_cipher
-is not flexible enough for the applications needs.
-.Pp
-When a chain containing a cipher BIO is copied with
-.Xr BIO_dup_chain 3 ,
-the cipher context is automatically copied from the existing BIO object
-to the new one and the init flag that can be retrieved with
-.Xr BIO_get_init 3
-is set to 1.
-.Pp
-When encrypting,
-.Xr BIO_flush 3
-must be called to flush the final block through the BIO.
-If it is not, then the final block will fail a subsequent decrypt.
-.Pp
-When decrypting, an error on the final block is signalled
-by a zero return value from the read operation.
-A successful decrypt followed by EOF
-will also return zero for the final read.
-.Fn BIO_get_cipher_status
-should be called to determine if the decrypt was successful.
-.Pp
-As always, if
-.Xr BIO_gets 3
-or
-.Xr BIO_puts 3
-support is needed, then it can be achieved
-by preceding the cipher BIO with a buffering BIO.
-.Pp
-.Xr BIO_ctrl 3
-.Fa cmd
-arguments correspond to macros as follows:
-.Bl -column BIO_C_GET_CIPHER_STATUS BIO_get_cipher_status() -offset 3n
-.It Fa cmd No constant          Ta corresponding macro
-.It Dv BIO_C_GET_CIPHER_CTX     Ta Fn BIO_get_cipher_ctx
-.It Dv BIO_C_GET_CIPHER_STATUS  Ta Fn BIO_get_cipher_status
-.It Dv BIO_CTRL_FLUSH           Ta Xr BIO_flush 3
-.It Dv BIO_CTRL_PENDING         Ta Xr BIO_pending 3
-.It Dv BIO_CTRL_RESET           Ta Xr BIO_reset 3
-.It Dv BIO_CTRL_WPENDING        Ta Xr BIO_wpending 3
-.El
-.Sh RETURN VALUES
-.Fn BIO_f_cipher
-returns the cipher BIO method.
-.Pp
-When called on a cipher BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_CIPHER
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq cipher .
-.Pp
-.Fn BIO_set_cipher
-returns 1 on success and 0 on error.
-.Pp
-.Fn BIO_get_cipher_status
-returns 1 for a successful decrypt and 0 for failure.
-.Pp
-.Fn BIO_get_cipher_ctx
-currently always returns 1.
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr EVP_EncryptInit 3
-.Sh HISTORY
-.Fn BIO_f_cipher ,
-.Fn BIO_set_cipher ,
-and
-.Fn BIO_get_cipher_status
-first appeared in SSLeay 0.6.5 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn BIO_get_cipher_ctx
-first appeared in SSLeay 0.9.1 and has been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/BIO_f_md.3 b/src/lib/libcrypto/man/BIO_f_md.3
deleted file mode 100644
index 279aabc980..0000000000
--- a/src/lib/libcrypto/man/BIO_f_md.3
+++ /dev/null
@@ -1,366 +0,0 @@
-.\" $OpenBSD: BIO_f_md.3,v 1.15 2023/04/28 16:20:01 schwarze Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2022, 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2006, 2009, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 28 2023 $
-.Dt BIO_F_MD 3
-.Os
-.Sh NAME
-.Nm BIO_f_md ,
-.Nm BIO_set_md ,
-.Nm BIO_get_md ,
-.Nm BIO_get_md_ctx ,
-.Nm BIO_set_md_ctx
-.Nd message digest BIO filter
-.Sh SYNOPSIS
-.In openssl/bio.h
-.In openssl/evp.h
-.Ft const BIO_METHOD *
-.Fo BIO_f_md
-.Fa void
-.Fc
-.Ft long
-.Fo BIO_set_md
-.Fa "BIO *b"
-.Fa "EVP_MD *md"
-.Fc
-.Ft long
-.Fo BIO_get_md
-.Fa "BIO *b"
-.Fa "EVP_MD **mdp"
-.Fc
-.Ft long
-.Fo BIO_get_md_ctx
-.Fa "BIO *b"
-.Fa "EVP_MD_CTX **mdcp"
-.Fc
-.Ft long
-.Fo BIO_set_md_ctx
-.Fa "BIO *b"
-.Fa "EVP_MD_CTX *mdc"
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_f_md
-returns the message digest BIO method.
-This is a filter BIO that digests any data passed through it.
-It is a BIO wrapper for the digest routines
-.Xr EVP_DigestInit 3 ,
-.Xr EVP_DigestUpdate 3 ,
-and
-.Xr EVP_DigestFinal 3 .
-.Pp
-.Fn BIO_set_md
-sets the message digest of
-.Fa b
-to
-.Fa md
-and initializes it using
-.Xr EVP_DigestInit_ex 3 .
-Calling this function is required before any data is passed through
-.Fa b .
-.Pp
-.Fn BIO_get_md
-places a pointer to the digest method of
-.Fa b
-into
-.Pf * Fa mdp .
-.Pp
-Any data written or read through a digest BIO using
-.Xr BIO_read 3
-and
-.Xr BIO_write 3
-is digested.
-.Pp
-.Xr BIO_gets 3 ,
-if its
-.Sy size
-parameter is large enough,
-finishes the digest calculation and returns the digest value.
-.Xr BIO_puts 3
-is
-not supported.
-If an application needs to call
-.Xr BIO_gets 3
-or
-.Xr BIO_puts 3
-through a chain containing digest BIOs,
-this can be done by prepending a buffering BIO.
-.Pp
-After the digest has been retrieved from a digest BIO, call
-.Xr BIO_reset 3
-to reinitialize it and any BIOs following it in its chain
-before passing any more data through it.
-If no subsequent BIOs require reinitialization,
-.Fn BIO_set_md
-can be used instead of
-.Xr BIO_reset 3 .
-.Pp
-.Fn BIO_get_md_ctx
-places a pointer to the digest context of
-.Fa b
-into
-.Pf * Fa mdcp
-and marks the BIO as initialized without actually initializing it.
-Unless
-.Fn BIO_set_md
-was already called on
-.Fa b ,
-the caller becomes responsible for initializing the digest context with
-.Xr EVP_DigestInit_ex 3 .
-.Pp
-The context returned by
-.Fn BIO_get_md_ctx
-can be used in calls to
-.Xr EVP_DigestFinal 3
-and also in the signature routines
-.Xr EVP_SignFinal 3
-and
-.Xr EVP_VerifyFinal 3 .
-.Pp
-The context returned by
-.Fn BIO_get_md_ctx
-is an internal context structure.
-Changes made to this context will affect the digest BIO itself, and
-the context pointer will become invalid when the digest BIO is freed.
-.Pp
-.Fn BIO_set_md_ctx
-replaces the digest context of
-.Fa b
-with
-.Fa mdc .
-Calling this function is usually not necessary
-because creating a digest BIO with
-.Xr BIO_new 3
-automatically creates a digest context and stores it internally.
-Before calling
-.Fn BIO_set_md_ctx ,
-the caller has to retrieve the old context using
-.Fn BIO_get_md_ctx ,
-and the caller also becomes responsible for calling
-.Xr EVP_MD_CTX_free 3
-on the old context.
-Unless
-.Fa mdc
-is already initialized, the caller needs to initialize it after calling
-.Fn BIO_set_md_ctx
-using either
-.Fn BIO_set_md
-or
-.Xr EVP_DigestInit 3 .
-.Pp
-When a chain containing a message digest BIO is copied with
-.Xr BIO_dup_chain 3 ,
-.Xr EVP_MD_CTX_copy_ex 3
-is called internally to automatically copy the message digest context
-from the existing BIO object to the new one,
-and the init flag that can be retrieved with
-.Xr BIO_get_init 3
-is set to 1.
-.Pp
-.Xr BIO_ctrl 3
-.Fa cmd
-arguments correspond to macros as follows:
-.Bl -column BIO_C_GET_MD_CTX "corresponding macro" -offset 3n
-.It Fa cmd No constant  Ta corresponding macro
-.It Dv BIO_C_GET_MD     Ta Fn BIO_get_md
-.It Dv BIO_C_GET_MD_CTX Ta Fn BIO_get_md_ctx
-.It Dv BIO_C_SET_MD     Ta Fn BIO_set_md
-.It Dv BIO_C_SET_MD_CTX Ta Fn BIO_set_md_ctx
-.It Dv BIO_CTRL_RESET   Ta Xr BIO_reset 3
-.El
-.Sh RETURN VALUES
-.Fn BIO_f_md
-returns the digest BIO method.
-.Pp
-When called on a message digest BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_MD
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq message digest .
-.Pp
-.Fn BIO_set_md
-returns 1 on success or 0 if
-.Xr EVP_DigestInit_ex 3
-fails.
-.Pp
-.Fn BIO_get_md
-and
-.Fn BIO_set_md_ctx
-return 1 on success or 0 if
-.Fa b
-is not initialized.
-.Pp
-.Fn BIO_get_md_ctx
-returns 1 on success or 0 on failure,
-but the current implementation cannot actually fail.
-.Sh EXAMPLES
-The following example creates a BIO chain containing a SHA-1 and MD5
-digest BIO and passes the string "Hello World" through it.
-Error checking has been omitted for clarity.
-.Bd -literal -offset 2n
-BIO *bio, *mdtmp;
-const char message[] = "Hello World";
-bio = BIO_new(BIO_s_null());
-mdtmp = BIO_new(BIO_f_md());
-BIO_set_md(mdtmp, EVP_sha1());
-/*
- * For BIO_push() we want to append the sink BIO
- * and keep a note of the start of the chain.
- */
-bio = BIO_push(mdtmp, bio);
-mdtmp = BIO_new(BIO_f_md());
-BIO_set_md(mdtmp, EVP_md5());
-bio = BIO_push(mdtmp, bio);
-/* Note: mdtmp can now be discarded */
-BIO_write(bio, message, strlen(message));
-.Ed
-.Pp
-The next example digests data by reading through a chain instead:
-.Bd -literal -offset 2n
-BIO *bio, *mdtmp;
-char buf[1024];
-int rdlen;
-
-bio = BIO_new_file(file, "rb");
-mdtmp = BIO_new(BIO_f_md());
-BIO_set_md(mdtmp, EVP_sha1());
-bio = BIO_push(mdtmp, bio);
-mdtmp = BIO_new(BIO_f_md());
-BIO_set_md(mdtmp, EVP_md5());
-bio = BIO_push(mdtmp, bio);
-do {
-        rdlen = BIO_read(bio, buf, sizeof(buf));
-        /* Might want to do something with the data here */
-} while (rdlen > 0);
-.Ed
-.Pp
-This next example retrieves the message digests from a BIO chain
-and outputs them.
-This could be used with the examples above.
-.Bd -literal -offset 2n
-BIO *mdtmp;
-unsigned char mdbuf[EVP_MAX_MD_SIZE];
-int mdlen;
-int i;
-
-mdtmp = bio;    /* Assume bio has previously been set up */
-do {
-        EVP_MD *md;
-        mdtmp = BIO_find_type(mdtmp, BIO_TYPE_MD);
-        if (!mdtmp)
-                break;
-        BIO_get_md(mdtmp, &md);
-        printf("%s digest", OBJ_nid2sn(EVP_MD_type(md)));
-        mdlen = BIO_gets(mdtmp, mdbuf, EVP_MAX_MD_SIZE);
-        for(i = 0; i < mdlen; i++)
-                printf(":%02X", mdbuf[i]);
-        printf("\en");
-        mdtmp = BIO_next(mdtmp);
-} while(mdtmp);
-BIO_free_all(bio);
-.Ed
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr EVP_DigestInit 3
-.Sh HISTORY
-.Fn BIO_f_md ,
-.Fn BIO_set_md ,
-and
-.Fn BIO_get_md
-first appeared in SSLeay 0.6.0.
-.Fn BIO_get_md_ctx
-first appeared in SSLeay 0.8.1.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn BIO_set_md_ctx
-first appeared in OpenSSL 0.9.7e and has been available since
-.Ox 3.8 .
-.Pp
-Before OpenSSL 1.0.0, the call to
-.Fn BIO_get_md_ctx
-would only work if the
-.Vt BIO
-had been initialized, for example by calling
-.Fn BIO_set_md .
-.Sh BUGS
-The lack of support for
-.Xr BIO_puts 3
-and the non-standard behaviour of
-.Xr BIO_gets 3
-could be regarded as anomalous.
-It could be argued that
-.Xr BIO_gets 3
-and
-.Xr BIO_puts 3
-should be passed to the next BIO in the chain and digest the data
-passed through and that digests should be retrieved using a separate
-.Xr BIO_ctrl 3
-call.
diff --git a/src/lib/libcrypto/man/BIO_f_null.3 b/src/lib/libcrypto/man/BIO_f_null.3
deleted file mode 100644
index 687d991b52..0000000000
--- a/src/lib/libcrypto/man/BIO_f_null.3
+++ /dev/null
@@ -1,99 +0,0 @@
-.\" $OpenBSD: BIO_f_null.3,v 1.12 2023/04/11 16:58:43 schwarze Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 11 2023 $
-.Dt BIO_F_NULL 3
-.Os
-.Sh NAME
-.Nm BIO_f_null
-.\" .Nm BIO_f_nbio_test is intentionally undocumented
-.\" because it exposes absurd functionality that is unused
-.\" except in openssl(1) s_client/s_server -nbio_test.
-.Nd null filter
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft const BIO_METHOD *
-.Fo BIO_f_null
-.Fa void
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_f_null
-returns the null filter BIO method.
-This is a filter BIO that does nothing.
-As may be apparent, a null filter BIO is not particularly useful.
-.Pp
-All requests to a null filter BIO are passed through to the next BIO
-in the chain: this means that a BIO chain containing a null filter BIO
-behaves just as though the BIO was not there.
-.Pp
-A chain containing a null filter BIO cannot be copied with
-.Xr BIO_dup_chain 3 ,
-and any attempt to do so fails and returns
-.Dv NULL .
-.Sh RETURN VALUES
-.Fn BIO_f_null
-returns the null filter BIO method.
-.Pp
-When called on a null filter BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_NULL_FILTER
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq NULL filter ,
-not to be confused with a NUL string nor with a
-.Dv NULL pointer .
-.Sh SEE ALSO
-.Xr BIO_new 3
-.Sh HISTORY
-.Fn BIO_f_null
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/BIO_find_type.3 b/src/lib/libcrypto/man/BIO_find_type.3
deleted file mode 100644
index 4a9eee7832..0000000000
--- a/src/lib/libcrypto/man/BIO_find_type.3
+++ /dev/null
@@ -1,271 +0,0 @@
-.\" $OpenBSD: BIO_find_type.3,v 1.12 2023/07/26 20:01:04 tb Exp $
-.\" full merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2021, 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2013, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 26 2023 $
-.Dt BIO_FIND_TYPE 3
-.Os
-.Sh NAME
-.Nm BIO_find_type ,
-.Nm BIO_next ,
-.Nm BIO_method_type ,
-.Nm BIO_method_name
-.Nd BIO chain traversal
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft BIO *
-.Fo BIO_find_type
-.Fa "BIO *bio"
-.Fa "int type"
-.Fc
-.Ft BIO *
-.Fo BIO_next
-.Fa "BIO *bio"
-.Fc
-.Ft int
-.Fo BIO_method_type
-.Fa "const BIO *bio"
-.Fc
-.Ft const char *
-.Fo BIO_method_name
-.Fa "const BIO *bio"
-.Fc
-.Fd #define BIO_TYPE_NONE               0
-.Fd #define BIO_TYPE_START              128
-.Sh DESCRIPTION
-.Fn BIO_find_type
-searches for a BIO matching the given
-.Fa type
-in the chain starting at
-.Fa bio .
-If the least significant byte of the
-.Fa type
-argument is non-zero, only exact matches of the
-.Fa type
-are accepted.
-Otherwise, a match only requires that any of the bits set in the
-.Fa type
-argument is also set in the candidate BIO.
-.Pp
-Types with a least significant byte in the range from 0 to
-.Dv BIO_TYPE_START ,
-inclusive, are reserved for BIO types built into the library.
-Types with a least significant byte greater than
-.Dv BIO_TYPE_START
-are available for user-defined BIO types; see
-.Xr BIO_get_new_index 3
-for details.
-.Pp
-.Fn BIO_next
-returns the next BIO in the chain after
-.Fa bio .
-This function can be used to traverse all BIOs in a chain
-or in conjunction with
-.Fn BIO_find_type
-to find all BIOs of a certain type.
-.Pp
-.Fn BIO_method_type
-returns the type of the given
-.Fa bio .
-.Pp
-.Fn BIO_method_name
-returns an ASCII string representing the type of the
-.Fa bio .
-.Pp
-The following are the built-in source/sink BIO types
-that operate on file descriptors.
-They all have both of the bits
-.Dv BIO_TYPE_SOURCE_SINK
-and
-.Dv BIO_TYPE_DESCRIPTOR
-but not the bit
-.Dv BIO_TYPE_FILTER
-set in their type constant.
-.Bl -column BIO_TYPE_NULL_FILTER "datagram socket" BIO_s_datagram(3)
-.It Fa type No constant   Ta Em name No string Ta Vt BIO_METHOD
-.It Dv BIO_TYPE_ACCEPT      Ta socket accept   Ta Xr BIO_s_accept 3
-.It Dv BIO_TYPE_CONNECT     Ta socket connect  Ta Xr BIO_s_connect 3
-.It Dv BIO_TYPE_DGRAM       Ta datagram socket Ta Xr BIO_s_datagram 3
-.It Dv BIO_TYPE_FD          Ta file descriptor Ta Xr BIO_s_fd 3
-.It Dv BIO_TYPE_SOCKET      Ta socket          Ta Xr BIO_s_socket 3
-.El
-.Pp
-The following are the built-in source/sink BIO types
-that do not directly operate on file descriptors.
-They all have the bit
-.Dv BIO_TYPE_SOURCE_SINK
-but not the bits
-.Dv BIO_TYPE_DESCRIPTOR
-and
-.Dv BIO_TYPE_FILTER
-set in their type constant.
-.Bl -column BIO_TYPE_NULL_FILTER "datagram socket" BIO_s_datagram(3)
-.It Fa type No constant   Ta Em name No string Ta Vt BIO_METHOD
-.It Dv BIO_TYPE_BIO         Ta BIO pair        Ta Xr BIO_s_bio 3
-.It Dv BIO_TYPE_FILE        Ta FILE pointer    Ta Xr BIO_s_file 3
-.It Dv BIO_TYPE_MEM         Ta memory buffer   Ta Xr BIO_s_mem 3
-.It Dv BIO_TYPE_NULL        Ta NULL            Ta Xr BIO_s_null 3
-.El
-.Pp
-The following are the built-in filter BIO types.
-They all have the bit
-.Dv BIO_TYPE_FILTER
-but not the bits
-.Dv BIO_TYPE_SOURCE_SINK
-and
-.Dv BIO_TYPE_DESCRIPTOR
-set in their type constant.
-.Bl -column BIO_TYPE_NULL_FILTER "datagram socket" BIO_s_datagram(3)
-.It Fa type No constant   Ta Em name No string Ta Vt BIO_METHOD
-.\" BIO_TYPE_ASN1 is intentionally undocumented because BIO_f_asn1 was
-.\" removed from the public API.
-.\" .It Dv BIO_TYPE_ASN1        Ta asn1            Ta Xr BIO_f_asn1 3
-.It Dv BIO_TYPE_BASE64      Ta base64 encoding Ta Xr BIO_f_base64 3
-.It Dv BIO_TYPE_BUFFER      Ta buffer          Ta Xr BIO_f_buffer 3
-.It Dv BIO_TYPE_CIPHER      Ta cipher          Ta Xr BIO_f_cipher 3
-.It Dv BIO_TYPE_MD          Ta message digest  Ta Xr BIO_f_md 3
-.It Dv BIO_TYPE_NULL_FILTER Ta NULL filter     Ta Xr BIO_f_null 3
-.It Dv BIO_TYPE_SSL         Ta ssl             Ta Xr BIO_f_ssl 3
-.El
-.Pp
-The constants
-.Dv BIO_TYPE_BER ,
-.Dv BIO_TYPE_PROXY_CLIENT ,
-and
-.Dv BIO_TYPE_PROXY_SERVER
-do not correspond to any BIO types implemented by the library and are
-not intended to be used for application-defined types, either.
-The constants
-.Dv BIO_TYPE_COMP ,
-.Dv BIO_TYPE_LINEBUFFER ,
-and
-.Dv BIO_TYPE_NBIO_TEST
-corresponds to a deprecated BIO types that are intentionally undocumented.
-.Pp
-If a variable in an application program is intended
-to store a BIO type but temporarily does not refer to any BIO
-or refers to a BIO of an unknown type, setting the variable to
-.Dv BIO_TYPE_NONE
-is recommended.
-.Sh RETURN VALUES
-.Fn BIO_find_type
-returns the next matching BIO or
-.Dv NULL
-if
-.Fa bio
-is a
-.Dv NULL
-pointer or if no matching BIO is found.
-.Pp
-.Fn BIO_next
-returns the next BIO or
-.Dv NULL
-if
-.Fa bio
-is a
-.Dv NULL
-pointer or points to the last BIO in a chain.
-.Pp
-.Fn BIO_method_type
-returns one of the
-.Dv BIO_TYPE_*
-constants.
-.Pp
-.Fn BIO_method_name
-returns an internal pointer to a string.
-.Sh EXAMPLES
-Traverse a chain looking for digest BIOs:
-.Bd -literal -offset 2n
-BIO *btmp;
-
-btmp = in_bio;  /* in_bio is the chain to search through */
-while (btmp != NULL) {
-        btmp = BIO_find_type(btmp, BIO_TYPE_MD);
-        if (btmp == NULL)
-                break;  /* Not found */
-
-        /* btmp is a digest BIO, do something with it ... */
-        ...
-
-        btmp = BIO_next(btmp);
-}
-.Ed
-.Sh SEE ALSO
-.Xr BIO_meth_new 3 ,
-.Xr BIO_new 3
-.Sh HISTORY
-.Fn BIO_method_type
-and
-.Fn BIO_method_name
-first appeared in SSLeay 0.6.0.
-.Fn BIO_find_type
-first appeared in SSLeay 0.6.6.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn BIO_next
-first appeared in OpenSSL 0.9.6 and has been available since
-.Ox 2.9 .
diff --git a/src/lib/libcrypto/man/BIO_get_data.3 b/src/lib/libcrypto/man/BIO_get_data.3
deleted file mode 100644
index 63750ac37b..0000000000
--- a/src/lib/libcrypto/man/BIO_get_data.3
+++ /dev/null
@@ -1,406 +0,0 @@
-.\" $OpenBSD: BIO_get_data.3,v 1.8 2023/11/16 20:27:43 schwarze Exp $
-.\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 16 2023 $
-.Dt BIO_GET_DATA 3
-.Os
-.Sh NAME
-.Nm BIO_set_data ,
-.Nm BIO_get_data ,
-.Nm BIO_set_flags ,
-.Nm BIO_clear_flags ,
-.Nm BIO_test_flags ,
-.Nm BIO_get_flags ,
-.Nm BIO_set_retry_read ,
-.Nm BIO_set_retry_write ,
-.Nm BIO_set_retry_special ,
-.Nm BIO_clear_retry_flags ,
-.Nm BIO_get_retry_flags ,
-.Nm BIO_copy_next_retry ,
-.Nm BIO_set_init ,
-.Nm BIO_get_init ,
-.Nm BIO_set_shutdown ,
-.Nm BIO_get_shutdown
-.Nd manage BIO state information
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft void
-.Fo BIO_set_data
-.Fa "BIO *a"
-.Fa "void *ptr"
-.Fc
-.Ft void *
-.Fo BIO_get_data
-.Fa "BIO *a"
-.Fc
-.Ft void
-.Fo BIO_set_flags
-.Fa "BIO *a"
-.Fa "int flags"
-.Fc
-.Ft void
-.Fo BIO_clear_flags
-.Fa "BIO *a"
-.Fa "int flags"
-.Fc
-.Ft int
-.Fo BIO_test_flags
-.Fa "const BIO *a"
-.Fa "int flags"
-.Fc
-.Ft int
-.Fo BIO_get_flags
-.Fa "const BIO *a"
-.Fc
-.Ft void
-.Fo BIO_set_retry_read
-.Fa "BIO *a"
-.Fc
-.Ft void
-.Fo BIO_set_retry_write
-.Fa "BIO *a"
-.Fc
-.Ft void
-.Fo BIO_set_retry_special
-.Fa "BIO *a"
-.Fc
-.Ft void
-.Fo BIO_clear_retry_flags
-.Fa "BIO *a"
-.Fc
-.Ft int
-.Fo BIO_get_retry_flags
-.Fa "BIO *a"
-.Fc
-.Ft void
-.Fo BIO_copy_next_retry
-.Fa "BIO *a"
-.Fc
-.Ft void
-.Fo BIO_set_init
-.Fa "BIO *a"
-.Fa "int init"
-.Fc
-.Ft int
-.Fo BIO_get_init
-.Fa "BIO *a"
-.Fc
-.Ft void
-.Fo BIO_set_shutdown
-.Fa "BIO *a"
-.Fa "int shutdown"
-.Fc
-.Ft int
-.Fo BIO_get_shutdown
-.Fa "BIO *a"
-.Fc
-.Sh DESCRIPTION
-These functions are mainly useful when implementing a custom BIO.
-.Pp
-The
-.Fn BIO_set_data
-function associates the custom data pointed to by
-.Fa ptr
-with the
-.Fa "BIO a" .
-This data can subsequently be retrieved via a call to
-.Fn BIO_get_data .
-This can be used by custom BIOs for storing implementation specific
-information.
-.Pp
-.Fn BIO_set_flags
-sets all the bits contained in the
-.Fa flags
-argument in the flags stored in
-.Fa a .
-The value of a flag neither changes when it is already set in
-.Fa a
-nor when it is unset in the
-.Fa flags
-argument.
-.Pp
-.Fn BIO_clear_flags
-clears all the bits contained in the
-.Fa flags
-argument from the flags stored in
-.Fa a .
-The value of a flag neither changes when it is already unset in
-.Fa a
-nor when it is unset in the
-.Fa flags
-argument.
-.Pp
-.Fn BIO_test_flags
-checks whether any of the bits contained in the
-.Fa flags
-argument are set in the flags stored in
-.Fa a .
-Application programs usually call macros like those documented in
-.Xr BIO_should_retry 3
-rather than calling
-.Fn BIO_test_flags
-directly.
-Flag bits correspond to accessor macros as follows:
-.Pp
-.Bl -tag -width BIO_FLAGS_SHOULD_RETRY -compact
-.It Dv BIO_FLAGS_READ
-.Xr BIO_should_read 3
-.It Dv BIO_FLAGS_WRITE
-.Xr BIO_should_write 3
-.It Dv BIO_FLAGS_IO_SPECIAL
-.Xr BIO_should_io_special 3
-.It Dv BIO_FLAGS_RWS
-.Xr BIO_retry_type 3
-.It Dv BIO_FLAGS_SHOULD_RETRY
-.Xr BIO_should_retry 3
-.It Dv BIO_FLAGS_BASE64_NO_NL
-see
-.Xr BIO_f_base64 3
-.It Dv BIO_FLAGS_MEM_RDONLY
-see
-.Xr BIO_s_mem 3
-.El
-.Pp
-In particular,
-.Dv BIO_FLAGS_RWS
-is the bitwise OR of
-.Dv BIO_FLAGS_READ ,
-.Dv BIO_FLAGS_WRITE ,
-and
-.Dv BIO_FLAGS_IO_SPECIAL .
-.Pp
-.Fn BIO_set_retry_read ,
-.Fn BIO_set_retry_write ,
-and
-.Fn BIO_set_retry_special
-set the
-.Dv BIO_FLAGS_READ ,
-.Dv BIO_FLAGS_WRITE ,
-and
-.Dv BIO_FLAGS_IO_SPECIAL
-flag bit in
-.Fa a ,
-respectively.
-They all set the
-.Dv BIO_FLAGS_SHOULD_RETRY
-flag bit, too.
-.Pp
-.Fn BIO_clear_retry_flags
-clears the flag bits
-.Dv BIO_FLAGS_READ ,
-.Dv BIO_FLAGS_WRITE ,
-.Dv BIO_FLAGS_IO_SPECIAL ,
-and
-.Dv BIO_FLAGS_SHOULD_RETRY
-in
-.Fa a .
-.Pp
-.Fn BIO_copy_next_retry
-copies retry-related state data from the BIO that follows
-.Fa a
-in its chain to
-.Fa a ,
-that is, the data accessible with
-.Fn BIO_get_retry_flags
-and
-.Xr BIO_get_retry_reason 3 .
-Flags which are already set in
-.Fa a
-are not cleared.
-Before calling
-.Fn BIO_copy_next_retry ,
-making sure that
-.Fa a
-is not the last BIO in its chain is the responsibility of the caller,
-for example by checking that
-.Xr BIO_next 3
-does not return
-.Dv NULL .
-.Pp
-The
-.Fn BIO_set_init
-function sets the
-.Fa init
-flag in
-.Fa a
-to the specified value.
-A non-zero value indicates that initialisation is complete,
-whilst zero indicates that it is not.
-Often initialisation will complete
-during initial construction of the BIO.
-For some BIOs however, initialisation may not be complete until
-additional steps have been taken, for example through calling custom
-ctrls.
-.Pp
-The
-.Fn BIO_set_shutdown
-and
-.Fn BIO_get_shutdown
-functions are low-level interfaces to forcefully set and get the
-.Fa shutdown
-flag of
-.Fa a ,
-circumventing type-dependent sanity checks,
-exclusively intended for implementing a new BIO type.
-The
-.Fa shutdown
-argument must be either
-.Dv BIO_CLOSE
-or
-.Dv BIO_NOCLOSE .
-When merely using a
-.Vt BIO
-object, call
-.Xr BIO_set_close 3
-and
-.Xr BIO_get_close 3
-instead.
-.Pp
-.Fn BIO_get_flags ,
-.Fn BIO_set_retry_read ,
-.Fn BIO_set_retry_write ,
-.Fn BIO_set_retry_special ,
-.Fn BIO_clear_retry_flags ,
-and
-.Fn BIO_get_retry_flags
-are implemented as macros.
-.Sh RETURN VALUES
-.Fn BIO_get_data
-returns a pointer to the implementation specific custom data associated
-with
-.Fa a ,
-or
-.Dv NULL
-if none is set.
-.Pp
-.Fn BIO_test_flags
-returns the bitwise AND of the
-.Fa flags
-argument and the flags stored in
-.Fa a .
-Consequently, it returns a non-zero value
-if and only if at least one of the requested
-.Fa flags
-is set.
-.Pp
-.Fn BIO_get_flags
-returns all the flags currently stored in
-.Fa a .
-.Pp
-.Fn BIO_get_retry_flags
-returns the bitwise AND of
-.Pq Dv BIO_FLAGS_RWS | BIO_FLAGS_SHOULD_RETRY
-and the flags stored in
-.Fa a .
-.Pp
-.Fn BIO_get_init
-returns the value of the init flag of
-.Fa a .
-.Pp
-.Fn BIO_get_shutdown
-returns the value previously set with
-.Fn BIO_set_shutdown
-or with
-.Xr BIO_set_close 3 .
-.Sh SEE ALSO
-.Xr BIO_meth_new 3 ,
-.Xr BIO_new 3 ,
-.Xr BIO_set_close 3 ,
-.Xr BIO_should_retry 3
-.Sh HISTORY
-.Fn BIO_set_flags ,
-.Fn BIO_clear_flags ,
-.Fn BIO_set_retry_read ,
-.Fn BIO_set_retry_write ,
-.Fn BIO_set_retry_special ,
-.Fn BIO_clear_retry_flags ,
-and
-.Fn BIO_get_retry_flags
-first appeared in SSLeay 0.8.0,
-.Fn BIO_copy_next_retry
-in SSLeay 0.8.1, and
-.Fn BIO_get_flags
-in SSLeay 0.9.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn BIO_test_flags
-first appeared in OpenSSL 0.9.8e and has been available since
-.Ox 4.5 .
-.Pp
-.Fn BIO_set_data ,
-.Fn BIO_get_data ,
-.Fn BIO_set_init ,
-.Fn BIO_set_shutdown ,
-and
-.Fn BIO_get_shutdown
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.3 .
-.Pp
-.Fn BIO_get_init
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/BIO_get_ex_new_index.3 b/src/lib/libcrypto/man/BIO_get_ex_new_index.3
deleted file mode 100644
index 54d00775e7..0000000000
--- a/src/lib/libcrypto/man/BIO_get_ex_new_index.3
+++ /dev/null
@@ -1,198 +0,0 @@
-.\" $OpenBSD: BIO_get_ex_new_index.3,v 1.17 2023/11/19 10:26:36 tb Exp $
-.\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file was written by Rich Salz <rsalz@akamai.com>.
-.\" Copyright (c) 2015, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 19 2023 $
-.Dt BIO_GET_EX_NEW_INDEX 3
-.Os
-.Sh NAME
-.Nm BIO_get_ex_new_index ,
-.Nm BIO_set_ex_data ,
-.Nm BIO_get_ex_data ,
-.Nm BIO_set_app_data ,
-.Nm BIO_get_app_data ,
-.Nm UI_get_ex_new_index ,
-.Nm UI_set_ex_data ,
-.Nm UI_get_ex_data ,
-.Nm X509_get_ex_new_index ,
-.Nm X509_set_ex_data ,
-.Nm X509_get_ex_data ,
-.Nm EC_KEY_get_ex_new_index ,
-.Nm EC_KEY_get_ex_data ,
-.Nm EC_KEY_set_ex_data
-.Nd application-specific data
-.Sh SYNOPSIS
-.In openssl/bio.h
-.In openssl/ui.h
-.In openssl/x509.h
-.In openssl/ec.h
-.Ft int
-.Fo TYPE_get_ex_new_index
-.Fa "long argl"
-.Fa "void *argp"
-.Fa "CRYPTO_EX_new *new_func"
-.Fa "CRYPTO_EX_dup *dup_func"
-.Fa "CRYPTO_EX_free *free_func"
-.Fc
-.Ft int
-.Fo TYPE_set_ex_data
-.Fa "TYPE *d"
-.Fa "int idx"
-.Fa "void *arg"
-.Fc
-.Ft void *
-.Fo TYPE_get_ex_data
-.Fa "TYPE *d"
-.Fa "int idx"
-.Fc
-.Ft int
-.Fo TYPE_set_app_data
-.Fa "TYPE *d"
-.Fa "void *arg"
-.Fc
-.Ft void *
-.Fo TYPE_get_app_data
-.Fa "TYPE *d"
-.Fc
-.Sh DESCRIPTION
-In the description here,
-.Vt TYPE
-is used a placeholder for any of the OpenSSL datatypes listed in
-.Xr CRYPTO_get_ex_new_index 3 .
-.Pp
-These functions handle application-specific data in OpenSSL data
-structures.
-Their usage is identical to that of
-.Xr RSA_get_ex_new_index 3 ,
-.Xr RSA_set_ex_data 3 ,
-and
-.Xr RSA_get_ex_data 3 .
-.Pp
-.Fn TYPE_get_ex_new_index
-is a macro that calls
-.Xr CRYPTO_get_ex_new_index 3
-with the correct index value.
-.Pp
-.Fn TYPE_set_ex_data
-is a function that calls
-.Xr CRYPTO_set_ex_data 3
-with an offset into the opaque ex_data part of the
-.Vt TYPE
-object.
-.Pp
-.Fn TYPE_get_ex_data
-is a function that calls
-.Xr CRYPTO_get_ex_data 3
-with an offset into the opaque ex_data part of the
-.Vt TYPE
-object.
-.Pp
-.Fn TYPE_set_app_data
-and
-.Fn TYPE_get_app_data
-are deprecated wrapper macros that call
-.Fn TYPE_set_ex_data
-and
-.Fn TYPE_get_ex_data
-with
-.Fa idx
-set to 0.
-.Sh RETURN VALUES
-.Fn TYPE_get_new_ex_index
-returns a new index on success or \-1 on error.
-.Pp
-.Fn TYPE_set_ex_data
-and
-.Fn TYPE_set_app_data
-return 1 on success or 0 on error.
-.Pp
-.Fn TYPE_get_ex_data
-and
-.Fn TYPE_get_app_data
-return the application data or
-.Dv NULL
-if an error occurred.
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr CRYPTO_get_ex_new_index 3 ,
-.Xr RSA_get_ex_new_index 3 ,
-.Xr X509_new 3
-.Sh HISTORY
-.Fn BIO_set_app_data
-and
-.Fn BIO_get_app_data
-first appeared in SSLeay 0.8.1.
-.Fn BIO_get_ex_new_index ,
-.Fn BIO_set_ex_data ,
-and
-.Fn BIO_get_ex_data
-first appeared in SSLeay 0.9.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_get_ex_new_index ,
-.Fn X509_set_ex_data ,
-and
-.Fn X509_get_ex_data
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-.Fn UI_get_ex_new_index ,
-.Fn UI_set_ex_data ,
-and
-.Fn UI_get_ex_data
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn EC_KEY_get_ex_new_index ,
-.Fn EC_KEY_set_ex_data ,
-and
-.Fn EC_KEY_get_ex_data
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.5 .
diff --git a/src/lib/libcrypto/man/BIO_meth_new.3 b/src/lib/libcrypto/man/BIO_meth_new.3
deleted file mode 100644
index 2159560596..0000000000
--- a/src/lib/libcrypto/man/BIO_meth_new.3
+++ /dev/null
@@ -1,367 +0,0 @@
-.\" $OpenBSD: BIO_meth_new.3,v 1.5 2018/07/09 09:52:18 tb Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Matt Caswell <matt@openssl.org>
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 9 2018 $
-.Dt BIO_METH_NEW 3
-.Os
-.Sh NAME
-.Nm BIO_get_new_index ,
-.Nm BIO_meth_new ,
-.Nm BIO_meth_free ,
-.Nm BIO_meth_get_write ,
-.Nm BIO_meth_set_write ,
-.Nm BIO_meth_get_read ,
-.Nm BIO_meth_set_read ,
-.Nm BIO_meth_get_puts ,
-.Nm BIO_meth_set_puts ,
-.Nm BIO_meth_get_gets ,
-.Nm BIO_meth_set_gets ,
-.Nm BIO_meth_get_ctrl ,
-.Nm BIO_meth_set_ctrl ,
-.Nm BIO_meth_get_create ,
-.Nm BIO_meth_set_create ,
-.Nm BIO_meth_get_destroy ,
-.Nm BIO_meth_set_destroy ,
-.Nm BIO_meth_get_callback_ctrl ,
-.Nm BIO_meth_set_callback_ctrl
-.Nd manipulate BIO_METHOD structures
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft int
-.Fn BIO_get_new_index void
-.Ft BIO_METHOD *
-.Fo BIO_meth_new
-.Fa "int type"
-.Fa "const char *name"
-.Fc
-.Ft void
-.Fo BIO_meth_free
-.Fa "BIO_METHOD *biom"
-.Fc
-.Ft int
-.Fn "(*BIO_meth_get_write(const BIO_METHOD *biom))" "BIO *" "const char *" int
-.Ft int
-.Fo BIO_meth_set_write
-.Fa "BIO_METHOD *biom"
-.Fa "int (*write)(BIO *, const char *, int)"
-.Fc
-.Ft int
-.Fn "(*BIO_meth_get_read(const BIO_METHOD *biom))" "BIO *" "char *" int
-.Ft int
-.Fo BIO_meth_set_read
-.Fa "BIO_METHOD *biom"
-.Fa "int (*read)(BIO *, char *, int)"
-.Fc
-.Ft int
-.Fn "(*BIO_meth_get_puts(const BIO_METHOD *biom))" "BIO *" "const char *"
-.Ft int
-.Fo BIO_meth_set_puts
-.Fa "BIO_METHOD *biom"
-.Fa "int (*puts)(BIO *, const char *)"
-.Fc
-.Ft int
-.Fn "(*BIO_meth_get_gets(const BIO_METHOD *biom))" "BIO *" "char *" int
-.Ft int
-.Fo BIO_meth_set_gets
-.Fa "BIO_METHOD *biom"
-.Fa "int (*gets)(BIO *, char *, int)"
-.Fc
-.Ft long
-.Fn "(*BIO_meth_get_ctrl(const BIO_METHOD *biom))" "BIO *" int long "void *"
-.Ft int
-.Fo BIO_meth_set_ctrl
-.Fa "BIO_METHOD *biom"
-.Fa "long (*ctrl)(BIO *, int, long, void *)"
-.Fc
-.Ft int
-.Fn "(*BIO_meth_get_create(const BIO_METHOD *biom))" "BIO *"
-.Ft int
-.Fo BIO_meth_set_create
-.Fa "BIO_METHOD *biom"
-.Fa "int (*create)(BIO *)"
-.Fc
-.Ft int
-.Fn "(*BIO_meth_get_destroy(const BIO_METHOD *biom))" "BIO *"
-.Ft int
-.Fo BIO_meth_set_destroy
-.Fa "BIO_METHOD *biom"
-.Fa "int (*destroy)(BIO *)"
-.Fc
-.Ft long
-.Fo "(*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom))"
-.Fa "BIO *"
-.Fa int
-.Fa "BIO_info_cb *"
-.Fc
-.Ft int
-.Fo BIO_meth_set_callback_ctrl
-.Fa "BIO_METHOD *biom"
-.Fa "long (*callback_ctrl)(BIO *, int, BIO_info_cb *)"
-.Fc
-.Sh DESCRIPTION
-The
-.Vt BIO_METHOD
-structure stores function pointers implementing a
-.Vt BIO
-type.
-See
-.Xr BIO_new 3
-for more information about
-.Vt BIO
-objects.
-.Pp
-.Fn BIO_meth_new
-creates a new
-.Vt BIO_METHOD
-structure.
-It requires a unique integer
-.Fa type ;
-use
-.Fn BIO_get_new_index
-to get the value for
-.Fa type .
-Currently, the user can only create up to 127 different BIO types, and
-.Fa type
-is limited to the range 129\(en255.
-The
-.Fa name
-pointer is stored in the structure and will not be freed by
-.Fn BIO_meth_free .
-.Pp
-The standard BIO types are listed in
-.In openssl/bio.h .
-Some examples include
-.Dv BIO_TYPE_BUFFER
-and
-.Dv BIO_TYPE_CIPHER .
-The
-.Fa type
-of filter BIOs should have the
-.Dv BIO_TYPE_FILTER
-bit set.
-Source/sink BIOs should have the
-.Dv BIO_TYPE_SOURCE_SINK
-bit set.
-File descriptor based BIOs (e.g. socket, fd, connect, accept etc.\&)
-should additionally have the
-.Dv BIO_TYPE_DESCRIPTOR
-bit set.
-See
-.Xr BIO_find_type 3
-for more information.
-.Pp
-.Fn BIO_meth_free
-is an alias for
-.Xr free 3 .
-.Pp
-.Fn BIO_meth_get_write ,
-.Fn BIO_meth_set_write ,
-.Fn BIO_meth_get_read ,
-and
-.Fn BIO_meth_set_read
-get and set the functions
-.Fa write
-and
-.Fa read
-used for writing and reading arbitrary length data to and from the
-.Vt BIO .
-These functions are called from
-.Xr BIO_write 3
-and
-.Xr BIO_read 3 ,
-respectively.
-The parameters and return values of
-.Fa write
-and
-.Fa read
-have the same meaning as for
-.Xr BIO_write 3
-and
-.Xr BIO_read 3 .
-.Pp
-.Fn BIO_meth_get_puts
-and
-.Fn BIO_meth_set_puts
-get and set the function
-.Fa puts
-used for writing a NUL-terminated string to the
-.Vt BIO .
-This function is called from
-.Xr BIO_puts 3 .
-The parameters and the return value of
-.Fa puts
-have the same meaning as for
-.Xr BIO_puts 3 .
-.Pp
-.Fn BIO_meth_get_gets
-and
-.Fn BIO_meth_set_gets
-get and set the function
-.Fa gets
-used for reading a line of data from the
-.Vt BIO .
-This function is called from
-.Xr BIO_gets 3 .
-The parameters and the return value of
-.Fa gets
-have the same meaning as for
-.Xr BIO_gets 3 .
-.Pp
-.Fn BIO_meth_get_ctrl
-and
-.Fn BIO_meth_set_ctrl
-get and set the function
-.Fa ctrl
-used for processing control messages in the
-.Vt BIO .
-This function is called from
-.Xr BIO_ctrl 3 .
-The parameters and return value of
-.Fa ctrl
-have the same meaning as for
-.Xr BIO_ctrl 3 .
-.Pp
-.Fn BIO_meth_get_create
-and
-.Fn BIO_meth_set_create
-get and set a function
-.Fa create
-used while initializing a new instance of the
-.Vt BIO .
-This function is called from
-.Xr BIO_new 3 .
-The
-.Xr BIO_new 3
-function allocates the memory for the new
-.Vt BIO ,
-and a pointer to this newly allocated structure is passed
-as the parameter to
-.Fa create .
-.Pp
-.Fn BIO_meth_get_destroy
-and
-.Fn BIO_meth_set_destroy
-get and set a function
-.Fa destroy
-used while destroying an instance of a
-.Vt BIO .
-This function is called from
-.Xr BIO_free 3 .
-A pointer to the
-.Vt BIO
-to be destroyed is passed as the parameter.
-The
-.Fa destroy
-function is intended to perform clean-up specific to the
-.Vt BIO
-.Fa type .
-The memory for the
-.Vt BIO
-itself must not be freed by this function.
-.Pp
-.Fn BIO_meth_get_callback_ctrl
-and
-.Fn BIO_meth_set_callback_ctrl
-get and set the function
-.Fa callback_ctrl
-used for processing callback control messages in the
-.Vt BIO .
-This function is called from
-.Xr BIO_callback_ctrl 3 .
-The parameters and return value of
-.Fa callback_ctrl
-have the same meaning as for
-.Xr BIO_callback_ctrl 3 .
-.Sh RETURN VALUES
-.Fn BIO_get_new_index
-returns the new BIO type value or \-1 if an error occurs.
-.Pp
-.Fn BIO_meth_new
-returns the new
-.Vt BIO_METHOD
-structure or
-.Dv NULL
-if an error occurs.
-.Pp
-The
-.Fn BIO_meth_set_*
-functions return 1 on success or 0 on error.
-Currently, they cannot fail.
-.Pp
-The
-.Fn BIO_meth_get_*
-functions return function pointers.
-.Sh SEE ALSO
-.Xr BIO_ctrl 3 ,
-.Xr BIO_find_type 3 ,
-.Xr BIO_new 3 ,
-.Xr BIO_read 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.1.0
-and have been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/BIO_new.3 b/src/lib/libcrypto/man/BIO_new.3
deleted file mode 100644
index f97a314826..0000000000
--- a/src/lib/libcrypto/man/BIO_new.3
+++ /dev/null
@@ -1,279 +0,0 @@
-.\" $OpenBSD: BIO_new.3,v 1.28 2023/07/26 20:01:04 tb Exp $
-.\" full merge up to:
-.\" OpenSSL man3/BIO_new.pod fb46be03 Feb 26 11:51:31 2016 +0000
-.\" OpenSSL man7/bio.pod 631c37be Dec 12 16:56:50 2017 +0100
-.\" partial merge up to:
-.\" OpenSSL man3/BIO_new.pod e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2015, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 26 2023 $
-.Dt BIO_NEW 3
-.Os
-.Sh NAME
-.Nm BIO_new ,
-.Nm BIO_up_ref ,
-.Nm BIO_set ,
-.Nm BIO_free ,
-.Nm BIO_vfree ,
-.Nm BIO_free_all
-.Nd construct and destruct I/O abstraction objects
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft BIO *
-.Fo BIO_new
-.Fa "const BIO_METHOD *type"
-.Fc
-.Ft int
-.Fo BIO_up_ref
-.Fa "BIO *a"
-.Fc
-.Ft int
-.Fo BIO_set
-.Fa "BIO *a"
-.Fa "const BIO_METHOD *type"
-.Fc
-.Ft int
-.Fo BIO_free
-.Fa "BIO *a"
-.Fc
-.Ft void
-.Fo BIO_vfree
-.Fa "BIO *a"
-.Fc
-.Ft void
-.Fo BIO_free_all
-.Fa "BIO *a"
-.Fc
-.Sh DESCRIPTION
-A
-.Vt BIO
-is an I/O abstraction object, hiding many of the underlying I/O
-details from an application.
-If an application uses BIOs for its I/O, it can transparently handle
-SSL connections, unencrypted network connections, and file I/O.
-.Pp
-The
-.Fn BIO_new
-function constructs a new
-.Vt BIO
-using the method
-.Fa type
-and sets its reference count to 1.
-There are two groups of BIO types, source/sink BIOs and filter BIOs.
-.Pp
-Source/sink BIOs provide input or consume output.
-Examples include socket BIOs and file BIOs.
-.Pp
-Filter BIOs take data from one BIO and pass it through to another,
-or to the application, forming a chain of BIOs.
-The data may be left unmodified (for example by a message digest BIO)
-or translated (for example by an encryption BIO).
-The effect of a filter BIO may change according to the I/O operation
-it is performing: for example an encryption BIO encrypts data
-if it is written to and decrypts data if it is read from.
-.Pp
-Some BIOs (such as memory BIOs) can be used immediately after calling
-.Fn BIO_new .
-Others (such as file BIOs) need some additional initialization, and
-utility functions exists to construct and initialize such BIOs.
-.Pp
-Normally the
-.Fa type
-argument is supplied by a function which returns a pointer to a
-.Vt BIO_METHOD .
-There is a naming convention for such functions:
-the methods for source/sink BIOs are called
-.Fn BIO_s_*
-and those for filter BIOs
-.Fn BIO_f_* .
-.Pp
-.Fn BIO_up_ref
-increments the reference count of
-.Fa a
-by 1.
-.Pp
-.Fn BIO_set
-is a deprecated function to initialize an unused
-.Vt BIO
-structure located in static memory or on the stack,
-to set its method to
-.Fa type ,
-and to set its reference count to 1.
-It must not be called on
-.Vt BIO
-objects created with
-.Fn BIO_new ,
-nor on objects that were already used.
-.Pp
-.Fn BIO_free
-and
-.Fn BIO_vfree
-decrement the reference count of
-.Fa a
-by 1, and if the reference count reaches 0, they destruct the single
-.Vt BIO
-.Fa a ,
-which may also have some effect on the
-underlying I/O structure, for example it may close the file being
-referred to under certain circumstances.
-If
-.Fa a
-is a
-.Dv NULL
-pointer, no action occurs.
-If
-.Fn BIO_free
-is called on a BIO chain, it destructs at most one BIO,
-resulting in a memory leak.
-.Pp
-.Fn BIO_free_all
-calls
-.Fn BIO_free
-on
-.Fa a
-and on all following
-.Vt BIO
-objects in the chain.
-As soon as the reference count of a
-.Vt BIO
-is still non-zero after calling
-.Fn BIO_free
-on it, the function
-.Fn BIO_free_all
-returns right away and refrains from freeing the remaining
-.Vt BIO
-objects in the chain.
-It does not halt if an error occurs
-destructing an individual BIO in the chain.
-If
-.Fa a
-is a
-.Dv NULL
-pointer, no action occurs.
-Calling
-.Fn BIO_free_all
-on a single BIO has the same effect as
-.Fn BIO_vfree .
-.Pp
-Common I/O functions are documented in
-.Xr BIO_read 3 .
-Forming chains is explained in
-.Xr BIO_push 3 ;
-inspecting them is explained in
-.Xr BIO_find_type 3 .
-For more details about the different kinds of BIOs, see the individual
-.Vt BIO_METHOD
-manual pages.
-.Sh RETURN VALUES
-.Fn BIO_new
-returns a newly constructed
-.Vt BIO
-object or
-.Dv NULL
-on failure.
-.Pp
-.Fn BIO_up_ref ,
-.Fn BIO_set ,
-and
-.Fn BIO_free
-return 1 for success or 0 for failure.
-.Sh EXAMPLES
-Create a memory BIO:
-.Pp
-.Dl BIO *mem = BIO_new(BIO_s_mem());
-.Sh SEE ALSO
-.Xr BIO_accept 3 ,
-.Xr BIO_ctrl 3 ,
-.Xr BIO_dump 3 ,
-.Xr BIO_dup_chain 3 ,
-.Xr BIO_f_base64 3 ,
-.Xr BIO_f_buffer 3 ,
-.Xr BIO_f_cipher 3 ,
-.Xr BIO_f_md 3 ,
-.Xr BIO_f_null 3 ,
-.Xr BIO_f_ssl 3 ,
-.Xr BIO_find_type 3 ,
-.Xr BIO_get_ex_new_index 3 ,
-.Xr BIO_meth_new 3 ,
-.Xr BIO_new_CMS 3 ,
-.Xr BIO_printf 3 ,
-.Xr BIO_push 3 ,
-.Xr BIO_read 3 ,
-.Xr BIO_s_accept 3 ,
-.Xr BIO_s_bio 3 ,
-.Xr BIO_s_connect 3 ,
-.Xr BIO_s_datagram 3 ,
-.Xr BIO_s_fd 3 ,
-.Xr BIO_s_file 3 ,
-.Xr BIO_s_mem 3 ,
-.Xr BIO_s_null 3 ,
-.Xr BIO_s_socket 3 ,
-.Xr BIO_set_callback 3 ,
-.Xr BIO_set_data 3 ,
-.Xr BIO_should_retry 3 ,
-.Xr BUF_MEM_new 3 ,
-.Xr crypto 3
-.Sh HISTORY
-.Fn BIO_new ,
-.Fn BIO_set ,
-and
-.Fn BIO_free
-first appeared in SSLeay 0.6.0.
-.Fn BIO_free_all
-first appeared in SSLeay 0.6.6.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn BIO_vfree
-first appeared in OpenSSL 0.9.6 and has been available since
-.Ox 2.9 .
-.Pp
-.Fn BIO_up_ref
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/BIO_new_CMS.3 b/src/lib/libcrypto/man/BIO_new_CMS.3
deleted file mode 100644
index ab93e1c00c..0000000000
--- a/src/lib/libcrypto/man/BIO_new_CMS.3
+++ /dev/null
@@ -1,141 +0,0 @@
-.\" $OpenBSD: BIO_new_CMS.3,v 1.9 2023/05/01 07:28:11 tb Exp $
-.\" full merge up to: OpenSSL df75c2bfc Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 1 2023 $
-.Dt BIO_NEW_CMS 3
-.Os
-.Sh NAME
-.Nm BIO_new_CMS
-.Nd CMS streaming filter BIO
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft BIO *
-.Fo BIO_new_CMS
-.Fa "BIO *out"
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_new_CMS
-returns a streaming filter
-.Vt BIO
-chain based on
-.Fa cms .
-The output of the filter is written to
-.Fa out .
-Any data written to the chain is automatically translated
-to a BER format CMS structure of the appropriate type.
-.Pp
-The chain returned by this function behaves like a standard filter
-.Vt BIO .
-It supports non blocking I/O.
-Content is processed and streamed on the fly and not all held in memory
-at once: so it is possible to encode very large structures.
-After all content has been written through the chain,
-.Xr BIO_flush 3
-must be called to finalise the structure.
-.Pp
-The
-.Dv CMS_STREAM
-flag must be included in the corresponding
-.Fa flags
-parameter of the
-.Fa cms
-creation function.
-.Pp
-If an application wishes to write additional data to
-.Fa out ,
-BIOs should be removed from the chain using
-.Xr BIO_pop 3
-and freed with
-.Xr BIO_free 3
-until
-.Fa out
-is reached.
-If no additional data needs to be written,
-.Xr BIO_free_all 3
-can be called to free up the whole chain.
-.Pp
-Any content written through the filter is used verbatim:
-no canonical translation is performed.
-.Pp
-It is possible to chain multiple BIOs to, for example,
-create a triple wrapped signed, enveloped, signed structure.
-In this case it is the application's responsibility
-to set the inner content type of any outer
-.Vt CMS_ContentInfo
-structures.
-.Pp
-Large numbers of small writes through the chain should be avoided as this
-will produce an output consisting of lots of OCTET STRING structures.
-Prepending a
-.Xr BIO_f_buffer 3
-buffering BIO will prevent this.
-.Sh RETURN VALUES
-.Fn BIO_new_CMS
-returns a
-.Vt BIO
-chain when successful or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_encrypt 3 ,
-.Xr CMS_sign 3
-.Sh HISTORY
-.Fn BIO_new_CMS
-first appeared in OpenSSL 1.0.0
-and has been available since
-.Ox 6.7 .
-.Sh BUGS
-There is currently no corresponding inverse BIO
-which can decode a CMS structure on the fly.
diff --git a/src/lib/libcrypto/man/BIO_printf.3 b/src/lib/libcrypto/man/BIO_printf.3
deleted file mode 100644
index 32dec0a828..0000000000
--- a/src/lib/libcrypto/man/BIO_printf.3
+++ /dev/null
@@ -1,46 +0,0 @@
-.\"     $OpenBSD: BIO_printf.3,v 1.4 2024/03/02 09:18:28 tb Exp $
-.\"     OpenSSL 2ca2e917 Mon Mar 20 16:25:22 2017 -0400
-.\"
-.\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 2 2024 $
-.Dt BIO_PRINTF 3
-.Os
-.Sh NAME
-.Nm BIO_printf
-.Nd formatted output to a BIO
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft int
-.Fo BIO_printf
-.Fa "BIO *bio"
-.Fa "const char *format"
-.Fa ...
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_printf
-is a wrapper around
-.Xr vfprintf 3 ,
-sending the output to the specified
-.Fa bio .
-.Sh RETURN VALUES
-These functions return the number of bytes written,
-or -1 if an error occurs.
-.Sh SEE ALSO
-.Xr BIO_new 3
-.Sh HISTORY
-.Fn BIO_printf
-first appeared in SSLeay 0.6.5 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/BIO_push.3 b/src/lib/libcrypto/man/BIO_push.3
deleted file mode 100644
index 46c736e2c2..0000000000
--- a/src/lib/libcrypto/man/BIO_push.3
+++ /dev/null
@@ -1,335 +0,0 @@
-.\" $OpenBSD: BIO_push.3,v 1.14 2022/12/16 16:02:17 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL doc/man3/BIO_push.pod 791bfd91 Nov 19 20:38:27 2021 +0100
-.\" OpenSSL doc/man7/bio.pod 1cb7eff4 Sep 10 13:56:40 2019 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2014 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 16 2022 $
-.Dt BIO_PUSH 3
-.Os
-.Sh NAME
-.Nm BIO_push ,
-.Nm BIO_pop ,
-.Nm BIO_set_next
-.Nd manipulate BIO chains
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft BIO *
-.Fo BIO_push
-.Fa "BIO *b"
-.Fa "BIO *new_tail"
-.Fc
-.Ft BIO *
-.Fo BIO_pop
-.Fa "BIO *b"
-.Fc
-.Ft void
-.Fo BIO_set_next
-.Fa "BIO *b"
-.Fa "BIO *new_tail"
-.Fc
-.Sh DESCRIPTION
-BIOs can be joined together to form chains.
-A chain normally consists of one or more filter BIOs
-and one source/sink BIO at the end.
-Data read from or written to the first BIO traverses the chain
-to the end.
-.Pp
-Every BIO is a member of exactly one chain.
-It is either at the beginning of its chain
-or there is exactly one preceding BIO.
-It is either at the end of its chain
-or there is exactly one following BIO.
-If there is neither a preceding nor a following BIO,
-it can be regarded as a chain with one member.
-Every chain has exactly one beginning and exactly one end.
-.Pp
-.Fn BIO_push
-appends the chain starting at
-.Fa new_tail
-to the end of the chain that contains
-.Fa b .
-Unless
-.Fa b
-is
-.Dv NULL ,
-it then calls
-.Xr BIO_ctrl 3
-on
-.Fa b
-with an argument of
-.Dv BIO_CTRL_PUSH .
-If
-.Fa b
-or
-.Fa new_tail
-is
-.Dv NULL ,
-nothing is appended.
-.Pp
-In LibreSSL, if
-.Fa new_tail
-is not at the beginning of its chain,
-the head of that chain up to but not including
-.Fa new_tail
-is cut off and becomes a separate chain.
-For portability, it is best to make sure that
-.Fa new_tail
-is at the beginning of its chain before calling
-.Fn BIO_push .
-.Pp
-.Fn BIO_pop
-removes the BIO
-.Fa b
-from its chain.
-Despite the word
-.Dq pop
-in the function name,
-.Fa b
-can be at the beginning, in the middle, or at the end of its chain.
-Before removal,
-.Xr BIO_ctrl 3
-is called on
-.Fa b
-with an argument of
-.Dv BIO_CTRL_POP .
-The removed BIO
-.Fa b
-becomes the only member of its own chain and can thus be freed
-or attached to a different chain.
-If
-.Fa b
-is
-.Dv NULL ,
-no action occurs.
-.Pp
-.Fn BIO_set_next
-appends the chain starting with
-.Fa new_tail
-to the chain ending with
-.Fa b .
-.Pp
-In LibreSSL, if
-.Fa new_tail
-is not at the beginning of its chain,
-the head of that chain up to but not including
-.Fa new_tail
-is cut off and becomes a separate chain,
-and if
-.Fa b
-is not at the end of its chain,
-the tail of that chain starting after
-.Fa b
-is cut off and becomes a separate chain.
-.Pp
-For portability, it is best to make sure that
-.Fa b
-is at the end of its chain and that
-.Fa new_tail
-is at the beginning of its chain before calling
-.Fn BIO_set_next
-and to avoid calling
-.Fn BIO_pop
-on
-.Fa new_tail
-afterwards.
-.Pp
-In LibreSSL, the only built-in BIO type for which
-.Xr BIO_ctrl 3
-calls with an argument of
-.Dv BIO_CTRL_PUSH
-or
-.Dv BIO_CTRL_POP
-have any effect is
-.Xr BIO_f_ssl 3 .
-.Sh RETURN VALUES
-.Fn BIO_push
-returns
-.Fa b
-if it is not
-.Dv NULL
-or
-.Fa new_tail
-if it is.
-.Pp
-.Fn BIO_pop
-returns the BIO that followed
-.Fa b
-in its chain, or
-.Dv NULL
-if
-.Fa b
-is
-.Dv NULL
-or was at the end of its chain.
-.Sh EXAMPLES
-For these examples suppose
-.Sy md1
-and
-.Sy md2
-are digest BIOs,
-.Sy b64
-is a Base64 BIO and
-.Sy f
-is a file BIO (see
-.Xr BIO_f_md 3 ,
-.Xr BIO_f_base64 3 ,
-and
-.Xr BIO_s_file 3 ,
-respectively).
-.Pp
-If the call
-.Pp
-.Dl BIO_push(b64, f);
-.Pp
-is made then the new chain will be
-.Sy b64-f .
-After making the calls
-.Bd -literal -offset indent
-BIO_push(md2, b64);
-BIO_push(md1, md2);
-.Ed
-.Pp
-the new chain is
-.Sy md1-md2-b64-f .
-Data written to
-.Sy md1
-will be digested
-by
-.Sy md1
-and
-.Sy md2 ,
-Base64-encoded and written to
-.Sy f .
-.Pp
-It should be noted that reading causes data to pass
-in the reverse direction.
-That is, data is read from
-.Sy f ,
-Base64-decoded and digested by
-.Sy md1
-and
-.Sy md2 .
-If this call is made:
-.Pp
-.Dl BIO_pop(md2);
-.Pp
-The call will return
-.Sy b64
-and the new chain will be
-.Sy md1-b64-f ;
-data can be written to
-.Sy md1
-as before.
-.Sh SEE ALSO
-.Xr BIO_find_type 3 ,
-.Xr BIO_new 3 ,
-.Xr BIO_read 3
-.Sh HISTORY
-.Fn BIO_push
-first appeared in SSLeay 0.6.0.
-.Fn BIO_pop
-first appeared in SSLeay 0.6.4.
-Both functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn BIO_set_next
-first appeared in OpenSSL 1.1.0
-and has been available since
-.Ox 7.1 .
-.Sh CAVEATS
-Creating a cyclic chain results in undefined behavior.
-For example, infinite recursion or infinite loops may ensue.
-.Pp
-If it is unknown whether
-.Fa b
-and
-.Fa new_tail
-are already members of the same chain and whether joining them would
-create a cycle, the calling code can use the following safe idiom:
-.Bd -literal -offset indent
-BIO *btest;
-
-for (btest = new_tail; btest != NULL; btest = BIO_next(btest))
-        if (btest == b)
-                /* Bail out because this would create a cycle. */
-BIO_push(b, new_tail);  /* This is now safe. */
-.Ed
-.Pp
-The same idiom can be used with
-.Fn BIO_set_next
-instead of
-.Fn BIO_push .
-.Pp
-Often, the safe idiom is not needed because it is already known that
-.Fa b
-and
-.Fa new_tail
-are not members of the same chain, for example when
-.Fa b
-or
-.Fa new_tail
-was created right before.
diff --git a/src/lib/libcrypto/man/BIO_read.3 b/src/lib/libcrypto/man/BIO_read.3
deleted file mode 100644
index 5fea9f728a..0000000000
--- a/src/lib/libcrypto/man/BIO_read.3
+++ /dev/null
@@ -1,281 +0,0 @@
-.\" $OpenBSD: BIO_read.3,v 1.11 2022/12/18 17:40:55 schwarze Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2021, 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 18 2022 $
-.Dt BIO_READ 3
-.Os
-.Sh NAME
-.Nm BIO_read ,
-.Nm BIO_number_read ,
-.Nm BIO_gets ,
-.Nm BIO_write ,
-.Nm BIO_puts ,
-.Nm BIO_indent ,
-.Nm BIO_number_written
-.Nd BIO I/O functions
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft int
-.Fo BIO_read
-.Fa "BIO *b"
-.Fa "void *buf"
-.Fa "int len"
-.Fc
-.Ft unsigned long
-.Fo BIO_number_read
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_gets
-.Fa "BIO *b"
-.Fa "char *buf"
-.Fa "int size"
-.Fc
-.Ft int
-.Fo BIO_write
-.Fa "BIO *b"
-.Fa "const void *buf"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo BIO_puts
-.Fa "BIO *b"
-.Fa "const char *string"
-.Fc
-.Ft int
-.Fo BIO_indent
-.Fa "BIO *b"
-.Fa "int indent"
-.Fa "int max"
-.Fc
-.Ft unsigned long
-.Fo BIO_number_written
-.Fa "BIO *b"
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_read
-attempts to read
-.Fa len
-bytes from
-.Fa b
-and places the data in
-.Fa buf .
-.Pp
-.Fn BIO_number_read
-returns the grand total of bytes read from
-.Fa b
-using
-.Fn BIO_read
-so far.
-Bytes read with
-.Fn BIO_gets
-do
-.Sy not
-count.
-.Xr BIO_new 3
-and
-.Xr BIO_set 3
-initialize the counter to 0.
-When reading very large amounts of data,
-the counter will eventually wrap around from
-.Dv ULONG_MAX
-to 0.
-.Pp
-.Fn BIO_gets
-performs the BIOs "gets" operation and places the data in
-.Fa buf .
-Usually this operation will attempt to read a line of data
-from the BIO of maximum length
-.Fa size No \- 1 .
-There are exceptions to this however, for example
-.Fn BIO_gets
-on a digest BIO will calculate and return the digest
-and other BIOs may not support
-.Fn BIO_gets
-at all.
-The returned string is always NUL-terminated.
-.Pp
-.Fn BIO_write
-attempts to write
-.Fa len
-bytes from
-.Fa buf
-to
-.Fa b .
-.Pp
-.Fn BIO_puts
-attempts to write the NUL-terminated
-.Fa string
-to
-.Fa b .
-.Pp
-.Fn BIO_indent
-attempts to write
-.Fa indent
-space characters to
-.Fa b ,
-but not more than
-.Fa max
-characters.
-.Pp
-.Fn BIO_number_written
-returns the grand total of bytes written to
-.Fa b
-using
-.Fn BIO_write ,
-.Fn BIO_puts ,
-and
-.Fn BIO_indent
-so far.
-.Xr BIO_new 3
-and
-.Xr BIO_set 3
-initialize the counter to 0.
-When writing very large amounts of data,
-the counter will eventually wrap around from
-.Dv ULONG_MAX
-to 0.
-.Pp
-One technique sometimes used with blocking sockets
-is to use a system call (such as
-.Xr select 2 ,
-.Xr poll 2
-or equivalent) to determine when data is available and then call
-.Xr read 2
-to read the data.
-The equivalent with BIOs (that is call
-.Xr select 2
-on the underlying I/O structure and then call
-.Fn BIO_read
-to read the data) should
-.Em not
-be used because a single call to
-.Fn BIO_read
-can cause several reads (and writes in the case of SSL BIOs)
-on the underlying I/O structure and may block as a result.
-Instead
-.Xr select 2
-(or equivalent) should be combined with non-blocking I/O
-so successive reads will request a retry instead of blocking.
-.Pp
-See
-.Xr BIO_should_retry 3
-for details of how to determine the cause of a retry and other I/O issues.
-.Pp
-If the
-.Fn BIO_gets
-function is not supported by a BIO then it is possible to
-work around this by adding a buffering BIO
-.Xr BIO_f_buffer 3
-to the chain.
-.Sh RETURN VALUES
-.Fn BIO_indent
-returns 1 if successful, even if nothing was written,
-or 0 if writing fails.
-.Pp
-.Fn BIO_number_read
-and
-.Fn BIO_number_written
-return a number of bytes or 0 if
-.Fa b
-is a
-.Dv NULL
-pointer.
-.Pp
-The other functions return either the amount of data successfully
-read or written (if the return value is positive) or that no data
-was successfully read or written if the result is 0 or \-1.
-If the return value is \-2, then the operation is not implemented
-in the specific BIO type.
-The trailing NUL is not included in the length returned by
-.Fn BIO_gets .
-.Pp
-A 0 or \-1 return is not necessarily an indication of an error.
-In particular when the source/sink is non-blocking or of a certain type
-it may merely be an indication that no data is currently available and that
-the application should retry the operation later.
-.Sh SEE ALSO
-.Xr BIO_meth_new 3 ,
-.Xr BIO_new 3 ,
-.Xr BIO_should_retry 3
-.Sh HISTORY
-.Fn BIO_read ,
-.Fn BIO_gets ,
-.Fn BIO_write ,
-and
-.Fn BIO_puts
-first appeared in SSLeay 0.6.0.
-.Fn BIO_number_read
-and
-.Fn BIO_number_written
-first appeared in SSLeay 0.6.5.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn BIO_indent
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.4 .
diff --git a/src/lib/libcrypto/man/BIO_s_accept.3 b/src/lib/libcrypto/man/BIO_s_accept.3
deleted file mode 100644
index 8e88fe1c52..0000000000
--- a/src/lib/libcrypto/man/BIO_s_accept.3
+++ /dev/null
@@ -1,414 +0,0 @@
-.\" $OpenBSD: BIO_s_accept.3,v 1.16 2023/04/29 13:06:10 schwarze Exp $
-.\" full merge up to: OpenSSL c03726ca Thu Aug 27 12:28:08 2015 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2014, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 29 2023 $
-.Dt BIO_S_ACCEPT 3
-.Os
-.Sh NAME
-.Nm BIO_s_accept ,
-.Nm BIO_set_accept_port ,
-.Nm BIO_get_accept_port ,
-.Nm BIO_new_accept ,
-.Nm BIO_set_nbio_accept ,
-.Nm BIO_set_accept_bios ,
-.Nm BIO_set_bind_mode ,
-.Nm BIO_get_bind_mode ,
-.Nm BIO_do_accept
-.Nd accept BIO
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft const BIO_METHOD *
-.Fo BIO_s_accept
-.Fa void
-.Fc
-.Ft long
-.Fo BIO_set_accept_port
-.Fa "BIO *b"
-.Fa "char *name"
-.Fc
-.Ft char *
-.Fo BIO_get_accept_port
-.Fa "BIO *b"
-.Fc
-.Ft BIO *
-.Fo BIO_new_accept
-.Fa "const char *host_port"
-.Fc
-.Ft long
-.Fo BIO_set_nbio_accept
-.Fa "BIO *b"
-.Fa "int n"
-.Fc
-.Ft long
-.Fo BIO_set_accept_bios
-.Fa "BIO *b"
-.Fa "char *bio"
-.Fc
-.Ft long
-.Fo BIO_set_bind_mode
-.Fa "BIO *b"
-.Fa "long mode"
-.Fc
-.Ft long
-.Fo BIO_get_bind_mode
-.Fa "BIO *b"
-.Fa "long dummy"
-.Fc
-.Fd #define BIO_BIND_NORMAL                             0
-.Fd #define BIO_BIND_REUSEADDR_IF_UNUSED        1
-.Fd #define BIO_BIND_REUSEADDR                  2
-.Ft long
-.Fo BIO_do_accept
-.Fa "BIO *b"
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_s_accept
-returns the accept BIO method.
-This is a wrapper round the platform's TCP/IP socket
-.Xr accept 2
-routines.
-.Pp
-Using accept BIOs, TCP/IP connections can be accepted
-and data transferred using only BIO routines.
-In this way any platform specific operations
-are hidden by the BIO abstraction.
-.Pp
-Read and write operations on an accept BIO
-will perform I/O on the underlying connection.
-If no connection is established and the port (see below) is set up
-properly then the BIO waits for an incoming connection.
-.Pp
-Accept BIOs support
-.Xr BIO_puts 3
-but not
-.Xr BIO_gets 3 .
-.Pp
-If the close flag is set on an accept BIO, then any active
-connection on that chain is shut down and the socket closed when
-the BIO is freed.
-.Pp
-Calling
-.Xr BIO_reset 3
-on an accept BIO will close any active connection and reset the BIO
-into a state where it awaits another incoming connection.
-.Pp
-.Xr BIO_get_fd 3
-and
-.Xr BIO_set_fd 3
-can be called to retrieve or set the accept socket.
-See
-.Xr BIO_s_fd 3 .
-.Pp
-.Fn BIO_set_accept_port
-uses the string
-.Fa name
-to set the accept port.
-The port is represented as a string of the form
-.Ar host : Ns Ar port ,
-where
-.Ar host
-is the interface to use and
-.Ar port
-is the port.
-The host can be
-.Qq * ,
-which is interpreted as meaning any interface;
-.Ar port
-has the same syntax as the port specified in
-.Xr BIO_set_conn_port 3
-for connect BIOs.
-It can be a numerical port string or a string to look up using
-.Xr getservbyname 3
-and a string table.
-.Pp
-.Fn BIO_new_accept
-combines
-.Xr BIO_new 3
-and
-.Fn BIO_set_accept_port
-into a single call.
-It creates a new accept BIO with port
-.Fa host_port .
-.Pp
-.Fn BIO_set_nbio_accept
-sets the accept socket to blocking mode (the default) if
-.Fa n
-is 0 or non-blocking mode if
-.Fa n
-is 1.
-.Pp
-.Fn BIO_set_accept_bios
-can be used to set a chain of BIOs which will be duplicated
-and prepended to the chain when an incoming connection is received.
-This is useful if, for example, a buffering or SSL BIO
-is required for each connection.
-The chain of BIOs must not be freed after this call -
-they will be automatically freed when the accept BIO is freed.
-.Pp
-.Fn BIO_set_bind_mode
-and
-.Fn BIO_get_bind_mode
-set and retrieve the current bind mode.
-If
-.Dv BIO_BIND_NORMAL Pq the default
-is set, then another socket cannot be bound to the same port.
-If
-.Dv BIO_BIND_REUSEADDR
-is set, then other sockets can bind to the same port.
-If
-.Dv BIO_BIND_REUSEADDR_IF_UNUSED
-is set, then an attempt is first made to use
-.Dv BIO_BIN_NORMAL ;
-if this fails and the port is not in use,
-then a second attempt is made using
-.Dv BIO_BIND_REUSEADDR .
-.Pp
-.Fn BIO_do_accept
-serves two purposes.
-When it is first called, after the accept BIO has been set up,
-it will attempt to create the accept socket and bind an address to it.
-Second and subsequent calls to
-.Fn BIO_do_accept
-will await an incoming connection, or request a retry in non-blocking mode.
-.Sh NOTES
-When an accept BIO is at the end of a chain, it will await an
-incoming connection before processing I/O calls.
-When an accept BIO is not at the end of a chain,
-it passes I/O calls to the next BIO in the chain.
-.Pp
-When a connection is established, a new socket BIO is created
-for the connection and appended to the chain.
-That is the chain is now accept->socket.
-This effectively means that attempting I/O on an initial accept
-socket will await an incoming connection then perform I/O on it.
-.Pp
-If any additional BIOs have been set using
-.Fn BIO_set_accept_bios ,
-then they are placed between the socket and the accept BIO;
-that is, the chain will be accept->otherbios->socket.
-.Pp
-If a server wishes to process multiple connections (as is normally
-the case), then the accept BIO must be made available for further
-incoming connections.
-This can be done by waiting for a connection and then calling:
-.Pp
-.Dl connection = BIO_pop(accept);
-.Pp
-After this call,
-.Sy connection
-will contain a BIO for the recently established connection and
-.Sy accept
-will now be a single BIO again which can be used
-to await further incoming connections.
-If no further connections will be accepted, the
-.Sy accept
-can be freed using
-.Xr BIO_free 3 .
-.Pp
-If only a single connection will be processed,
-it is possible to perform I/O using the accept BIO itself.
-This is often undesirable however because the accept BIO
-will still accept additional incoming connections.
-This can be resolved by using
-.Xr BIO_pop 3
-(see above) and freeing up the accept BIO after the initial connection.
-.Pp
-If the underlying accept socket is non-blocking and
-.Fn BIO_do_accept
-is called to await an incoming connection, it is possible for
-.Xr BIO_should_io_special 3
-with the reason
-.Dv BIO_RR_ACCEPT .
-If this happens, then it is an indication that an accept attempt
-would block: the application should take appropriate action
-to wait until the underlying socket has accepted a connection
-and retry the call.
-.Pp
-.Xr BIO_ctrl 3
-.Fa cmd
-and
-.Fa larg
-arguments correspond to macros as follows:
-.Bl -column BIO_C_DO_STATE_MACHINE larg BIO_get_accept_port(3) -offset 3n
-.It Fa cmd No constant        Ta Fa larg Ta corresponding macro
-.It Dv BIO_C_DO_STATE_MACHINE Ta 0       Ta Fn BIO_do_accept
-.It Dv BIO_C_GET_ACCEPT       Ta 0       Ta Fn BIO_get_accept_port
-.It Dv BIO_C_GET_BIND_MODE    Ta 0       Ta Fn BIO_get_bind_mode
-.It Dv BIO_C_GET_FD           Ta 0       Ta Xr BIO_get_fd 3
-.It Dv BIO_C_SET_ACCEPT       Ta 0       Ta Fn BIO_set_accept_port
-.It                           Ta 1       Ta Fn BIO_set_nbio_accept
-.It                           Ta 2       Ta Fn BIO_set_accept_bios
-.It Dv BIO_C_SET_FD           Ta Fa fd   Ta Xr BIO_set_fd 3
-.It Dv BIO_C_SET_NBIO         Ta Fa n    Ta Xr BIO_set_nbio 3
-.It Dv BIO_C_SET_BIND_MODE    Ta Fa mode Ta Fn BIO_set_bind_mode
-.It Dv BIO_CTRL_GET_CLOSE     Ta 0       Ta Xr BIO_get_close 3
-.It Dv BIO_CTRL_RESET         Ta 0       Ta Xr BIO_reset 3
-.It Dv BIO_CTRL_SET_CLOSE     Ta Fa flag Ta Xr BIO_set_close 3
-.El
-.Sh RETURN VALUES
-When called on an accept BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_ACCEPT
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq socket accept .
-.Pp
-.Fn BIO_do_accept ,
-.Fn BIO_set_accept_port ,
-.Fn BIO_set_nbio_accept ,
-.Fn BIO_set_accept_bios ,
-and
-.Fn BIO_set_bind_mode
-return 1 for success or 0 or -1 for failure.
-.Pp
-.Fn BIO_get_accept_port
-returns the port as a string or
-.Dv NULL
-on error.
-.Pp
-.Fn BIO_get_bind_mode
-returns the set of BIO_BIND flags or -1 on failure.
-.Pp
-.Fn BIO_new_accept
-returns a
-.Vt BIO
-or
-.Dv NULL
-on error.
-.Sh EXAMPLES
-This example accepts two connections on port 4444,
-sends messages down each and finally closes both down.
-.Bd -literal -offset 2n
-BIO *abio, *cbio, *cbio2;
-ERR_load_crypto_strings();
-abio = BIO_new_accept("4444");
-
-/* First call to BIO_accept() sets up accept BIO */
-if (BIO_do_accept(abio) <= 0) {
-        fprintf(stderr, "Error setting up accept\en");
-        ERR_print_errors_fp(stderr);
-        exit(0);
-}
-
-/* Wait for incoming connection */
-if (BIO_do_accept(abio) <= 0) {
-        fprintf(stderr, "Error accepting connection\en");
-        ERR_print_errors_fp(stderr);
-        exit(0);
-}
-fprintf(stderr, "Connection 1 established\en");
-
-/* Retrieve BIO for connection */
-cbio = BIO_pop(abio);
-
-BIO_puts(cbio, "Connection 1: Sending out Data on initial connection\en");
-fprintf(stderr, "Sent out data on connection 1\en");
-
-/* Wait for another connection */
-if (BIO_do_accept(abio) <= 0) {
-        fprintf(stderr, "Error accepting connection\en");
-        ERR_print_errors_fp(stderr);
-        exit(0);
-}
-fprintf(stderr, "Connection 2 established\en");
-
-/* Close accept BIO to refuse further connections */
-cbio2 = BIO_pop(abio);
-BIO_free(abio);
-
-BIO_puts(cbio2, "Connection 2: Sending out Data on second\en");
-fprintf(stderr, "Sent out data on connection 2\en");
-BIO_puts(cbio, "Connection 1: Second connection established\en");
-
-/* Close the two established connections */
-BIO_free(cbio);
-BIO_free(cbio2);
-.Ed
-.Sh SEE ALSO
-.Xr BIO_new 3
-.Sh HISTORY
-.Fn BIO_s_accept ,
-.Fn BIO_set_accept_port ,
-.Fn BIO_new_accept ,
-.Fn BIO_set_accept_bios ,
-and
-.Fn BIO_do_accept
-first appeared in SSLeay 0.8.0.
-.Fn BIO_set_nbio_accept
-and
-.Fn BIO_get_accept_port
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn BIO_set_bind_mode
-and
-.Fn BIO_get_bind_mode
-first appeared in SSLeay 0.9.1 and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/BIO_s_bio.3 b/src/lib/libcrypto/man/BIO_s_bio.3
deleted file mode 100644
index efda019df3..0000000000
--- a/src/lib/libcrypto/man/BIO_s_bio.3
+++ /dev/null
@@ -1,416 +0,0 @@
-.\" $OpenBSD: BIO_s_bio.3,v 1.20 2024/05/19 07:12:50 jsg Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by
-.\" Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>,
-.\" Dr. Stephen Henson <steve@openssl.org>,
-.\" Bodo Moeller <bodo@openssl.org>,
-.\" and Richard Levitte <levitte@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2015, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 19 2024 $
-.Dt BIO_S_BIO 3
-.Os
-.Sh NAME
-.Nm BIO_s_bio ,
-.Nm BIO_make_bio_pair ,
-.Nm BIO_destroy_bio_pair ,
-.Nm BIO_shutdown_wr ,
-.Nm BIO_set_write_buf_size ,
-.Nm BIO_get_write_buf_size ,
-.Nm BIO_new_bio_pair ,
-.Nm BIO_get_write_guarantee ,
-.Nm BIO_ctrl_get_write_guarantee ,
-.Nm BIO_get_read_request ,
-.Nm BIO_ctrl_get_read_request ,
-.Nm BIO_ctrl_reset_read_request
-.Nd BIO pair BIO
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft const BIO_METHOD *
-.Fo BIO_s_bio
-.Fa void
-.Fc
-.Ft int
-.Fo BIO_make_bio_pair
-.Fa "BIO *b1"
-.Fa "BIO *b2"
-.Fc
-.Ft int
-.Fo BIO_destroy_bio_pair
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_shutdown_wr
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_set_write_buf_size
-.Fa "BIO *b"
-.Fa "long size"
-.Fc
-.Ft size_t
-.Fo BIO_get_write_buf_size
-.Fa "BIO *b"
-.Fa "long size"
-.Fc
-.Ft int
-.Fo BIO_new_bio_pair
-.Fa "BIO **bio1"
-.Fa "size_t writebuf1"
-.Fa "BIO **bio2"
-.Fa "size_t writebuf2"
-.Fc
-.Ft int
-.Fo BIO_get_write_guarantee
-.Fa "BIO *b"
-.Fc
-.Ft size_t
-.Fo BIO_ctrl_get_write_guarantee
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_get_read_request
-.Fa "BIO *b"
-.Fc
-.Ft size_t
-.Fo BIO_ctrl_get_read_request
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_ctrl_reset_read_request
-.Fa "BIO *b"
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_s_bio
-returns the method for a BIO pair.
-A BIO pair is a pair of source/sink BIOs where data written to either
-half of the pair is buffered and can be read from the other half.
-Both halves must usually be handled by the same application thread
-since no locking is done on the internal data structures.
-.Pp
-Since BIO chains typically end in a source/sink BIO,
-it is possible to make this one half of a BIO pair and
-have all the data processed by the chain under application control.
-.Pp
-One typical use of BIO pairs is
-to place TLS/SSL I/O under application control.
-This can be used when the application wishes to use a non-standard
-transport for TLS/SSL or the normal socket routines are inappropriate.
-.Pp
-Calls to
-.Xr BIO_read 3
-will read data from the buffer or request a retry if no data is available.
-.Pp
-Calls to
-.Xr BIO_write 3
-will place data in the buffer or request a retry if the buffer is full.
-.Pp
-The standard calls
-.Xr BIO_ctrl_pending 3
-and
-.Xr BIO_ctrl_wpending 3
-can be used to determine the amount of pending data
-in the read or write buffer.
-.Pp
-.Xr BIO_reset 3
-clears any data in the write buffer.
-.Pp
-.Fn BIO_make_bio_pair
-joins two separate BIOs into a connected pair.
-.Pp
-.Fn BIO_destroy_pair
-destroys the association between two connected BIOs.
-Freeing up any half of the pair will automatically destroy the association.
-.Pp
-.Fn BIO_shutdown_wr
-is used to close down a BIO
-.Fa b .
-After this call no further writes on BIO
-.Fa b
-are allowed; they will return an error.
-Reads on the other half of the pair will return any pending data
-or EOF when all pending data has been read.
-.Pp
-.Fn BIO_set_write_buf_size
-sets the write buffer size of BIO
-.Fa b
-to
-.Fa size .
-If the size is not initialized, a default value is used.
-This is currently 17K, sufficient for a maximum size TLS record.
-When a chain containing a BIO pair is copied with
-.Xr BIO_dup_chain 3 ,
-the write buffer size is automatically copied
-from the original BIO object to the new one.
-.Pp
-.Fn BIO_get_write_buf_size
-returns the size of the write buffer.
-.Pp
-.Fn BIO_new_bio_pair
-combines the calls to
-.Xr BIO_new 3 ,
-.Fn BIO_make_bio_pair
-and
-.Fn BIO_set_write_buf_size
-to create a connected pair of BIOs
-.Fa bio1
-and
-.Fa bio2
-with write buffer sizes
-.Fa writebuf1
-and
-.Fa writebuf2 .
-If either size is zero, then the default size is used.
-.Fn BIO_new_bio_pair
-does not check whether
-.Fa bio1
-or
-.Fa bio2
-point to some other BIO; the values are overwritten and
-.Xr BIO_free 3
-is not called.
-.Pp
-.Fn BIO_get_write_guarantee
-and
-.Fn BIO_ctrl_get_write_guarantee
-return the maximum length of data
-that can be currently written to the BIO.
-Writes larger than this value will return a value from
-.Xr BIO_write 3
-less than the amount requested or if the buffer is full request a retry.
-.Fn BIO_ctrl_get_write_guarantee
-is a function whereas
-.Fn BIO_get_write_guarantee
-is a macro.
-.Pp
-.Fn BIO_get_read_request
-and
-.Fn BIO_ctrl_get_read_request
-return the amount of data requested, or the buffer size if it is less,
-if the last read attempt at the other half of the BIO pair failed
-due to an empty buffer.
-This can be used to determine how much data should be
-written to the BIO so the next read will succeed:
-this is most useful in TLS/SSL applications where the amount of
-data read is usually meaningful rather than just a buffer size.
-After a successful read this call will return zero.
-It also will return zero once new data has been written
-satisfying the read request or part of it.
-Note that
-.Fn BIO_get_read_request
-never returns an amount larger than that returned by
-.Fn BIO_get_write_guarantee .
-.Pp
-.Fn BIO_ctrl_reset_read_request
-can also be used to reset the value returned by
-.Fn BIO_get_read_request
-to zero.
-.Pp
-Both halves of a BIO pair should be freed.
-Even if one half is implicitly freed due to a
-.Xr BIO_free_all 3
-or
-.Xr SSL_free 3
-call, the other half still needs to be freed.
-.Pp
-When used in bidirectional applications (such as TLS/SSL),
-care should be taken to flush any data in the write buffer.
-This can be done by calling
-.Xr BIO_pending 3
-on the other half of the pair and, if any data is pending,
-reading it and sending it to the underlying transport.
-This must be done before any normal processing (such as calling
-.Xr select 2 )
-due to a request and
-.Xr BIO_should_read 3
-being true.
-.Pp
-To see why this is important,
-consider a case where a request is sent using
-.Xr BIO_write 3
-and a response read with
-.Xr BIO_read 3 ,
-this can occur during a TLS/SSL handshake for example.
-.Xr BIO_write 3
-will succeed and place data in the write buffer.
-.Xr BIO_read 3
-will initially fail and
-.Xr BIO_should_read 3
-will be true.
-If the application then waits for data to become available
-on the underlying transport before flushing the write buffer,
-it will never succeed because the request was never sent.
-.Pp
-.Xr BIO_eof 3
-is true if no data is in the peer BIO and the peer BIO has been shutdown.
-.Pp
-.Xr BIO_ctrl 3
-.Fa cmd
-arguments correspond to macros as follows:
-.Bl -column BIO_C_GET_WRITE_GUARANTEE BIO_ctrl_reset_read_request() -offset 3n
-.It Fa cmd No constant           Ta corresponding macro
-.It Dv BIO_C_DESTROY_BIO_PAIR    Ta Fn BIO_destroy_bio_pair
-.It Dv BIO_C_GET_READ_REQUEST    Ta Fn BIO_get_read_request
-.It Dv BIO_C_GET_WRITE_BUF_SIZE  Ta Fn BIO_get_write_buf_size
-.It Dv BIO_C_GET_WRITE_GUARANTEE Ta Fn BIO_get_write_guarantee
-.It Dv BIO_C_MAKE_BIO_PAIR       Ta Fn BIO_make_bio_pair
-.It Dv BIO_C_RESET_READ_REQUEST  Ta Fn BIO_ctrl_reset_read_request
-.It Dv BIO_C_SET_WRITE_BUF_SIZE  Ta Fn BIO_set_write_buf_size
-.It Dv BIO_C_SHUTDOWN_WR         Ta Fn BIO_shutdown_wr
-.It Dv BIO_CTRL_EOF              Ta Xr BIO_eof 3
-.It Dv BIO_CTRL_GET_CLOSE        Ta Xr BIO_get_close 3
-.It Dv BIO_CTRL_PENDING          Ta Xr BIO_pending 3
-.It Dv BIO_CTRL_RESET            Ta Xr BIO_reset 3
-.It Dv BIO_CTRL_SET_CLOSE        Ta Xr BIO_set_close 3
-.It Dv BIO_CTRL_WPENDING         Ta Xr BIO_wpending 3
-.El
-.Sh RETURN VALUES
-.Fn BIO_new_bio_pair
-returns 1 on success, with the new BIOs available in
-.Fa bio1
-and
-.Fa bio2 ,
-or 0 on failure, with NULL pointers stored into the locations for
-.Fa bio1
-and
-.Fa bio2 .
-Check the error stack for more information.
-.Pp
-When called on a BIO pair BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_BIO
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq BIO pair .
-.\" XXX More return values need to be added here.
-.Sh EXAMPLES
-The BIO pair can be used to have full control
-over the network access of an application.
-The application can call
-.Xr select 2
-on the socket as required without having to go through the SSL interface.
-.Bd -literal -offset 2n
-BIO *internal_bio, *network_bio;
-\&...
-BIO_new_bio_pair(&internal_bio, 0, &network_bio, 0);
-SSL_set_bio(ssl, internal_bio, internal_bio);
-SSL_operations();  /* e.g. SSL_read() and SSL_write() */
-\&...
-
-application |   TLS-engine
-   |        |
-   +----------> SSL_operations()
-            |     /\e    ||
-            |     ||    \e/
-            |   BIO-pair (internal_bio)
-            |   BIO-pair (network_bio)
-            |     ||     /\e
-            |     \e/     ||
-   +-----------< BIO_operations()
-   |        |
- socket     |
-
-\&...
-SSL_free(ssl);          /* implicitly frees internal_bio */
-BIO_free(network_bio);
-\&...
-.Ed
-.Pp
-As the BIO pair will only buffer the data and never directly access
-the connection, it behaves non-blocking and will return as soon as
-the write buffer is full or the read buffer is drained.
-Then the application has to flush the write buffer
-and/or fill the read buffer.
-.Pp
-Use
-.Xr BIO_ctrl_pending 3
-to find out whether data is buffered in the BIO
-and must be transferred to the network.
-Use
-.Fn BIO_ctrl_get_read_request
-to find out how many bytes must be written into the buffer before the
-SSL operations can successfully be continued.
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr BIO_read 3 ,
-.Xr BIO_should_retry 3 ,
-.Xr ssl 3 ,
-.Xr SSL_set_bio 3
-.Sh HISTORY
-.Fn BIO_s_bio ,
-.Fn BIO_make_bio_pair ,
-.Fn BIO_destroy_bio_pair ,
-.Fn BIO_set_write_buf_size ,
-.Fn BIO_get_write_buf_size ,
-.Fn BIO_new_bio_pair ,
-.Fn BIO_get_write_guarantee ,
-.Fn BIO_ctrl_get_write_guarantee ,
-.Fn BIO_get_read_request ,
-and
-.Fn BIO_ctrl_reset_read_request
-first appeared in OpenSSL 0.9.4 and have been available since
-.Ox 2.6 .
-.Pp
-.Fn BIO_ctrl_reset_read_request
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Pp
-.Fn BIO_shutdown_wr
-first appeared in OpenSSL 0.9.6 and has been available since
-.Ox 2.9 .
-.Sh CAVEATS
-As the data is buffered, SSL operations may return with an
-.Dv ERROR_SSL_WANT_READ
-condition, but there is still data in the write buffer.
-An application must not rely on the error value of the SSL operation
-but must assure that the write buffer is always flushed first.
-Otherwise a deadlock may occur as the peer might be waiting
-for the data before being able to continue.
diff --git a/src/lib/libcrypto/man/BIO_s_connect.3 b/src/lib/libcrypto/man/BIO_s_connect.3
deleted file mode 100644
index bce68a26b9..0000000000
--- a/src/lib/libcrypto/man/BIO_s_connect.3
+++ /dev/null
@@ -1,503 +0,0 @@
-.\" $OpenBSD: BIO_s_connect.3,v 1.19 2023/04/30 13:53:54 schwarze Exp $
-.\" full merge up to: OpenSSL 0e474b8b Nov 1 15:45:49 2015 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 30 2023 $
-.Dt BIO_S_CONNECT 3
-.Os
-.Sh NAME
-.Nm BIO_s_connect ,
-.Nm BIO_new_connect ,
-.Nm BIO_set_conn_hostname ,
-.Nm BIO_set_conn_port ,
-.Nm BIO_set_conn_ip ,
-.Nm BIO_set_conn_int_port ,
-.Nm BIO_get_conn_hostname ,
-.Nm BIO_get_conn_port ,
-.Nm BIO_get_conn_ip ,
-.Nm BIO_get_conn_int_port ,
-.Nm BIO_set_nbio ,
-.Nm BIO_do_connect
-.Nd connect BIO
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft const BIO_METHOD *
-.Fo BIO_s_connect
-.Fa void
-.Fc
-.Ft BIO *
-.Fo BIO_new_connect
-.Fa "const char *name"
-.Fc
-.Ft long
-.Fo BIO_set_conn_hostname
-.Fa "BIO *b"
-.Fa "char *name"
-.Fc
-.Ft long
-.Fo BIO_set_conn_port
-.Fa "BIO *b"
-.Fa "char *port"
-.Fc
-.Ft long
-.Fo BIO_set_conn_ip
-.Fa "BIO *b"
-.Fa "char *ip"
-.Fc
-.Ft long
-.Fo BIO_set_conn_int_port
-.Fa "BIO *b"
-.Fa "char *port"
-.Fc
-.Ft char *
-.Fo BIO_get_conn_hostname
-.Fa "BIO *b"
-.Fc
-.Ft char *
-.Fo BIO_get_conn_port
-.Fa "BIO *b"
-.Fc
-.Ft char *
-.Fo BIO_get_conn_ip
-.Fa "BIO *b"
-.Fc
-.Ft long
-.Fo BIO_get_conn_int_port
-.Fa "BIO *b"
-.Fc
-.Ft long
-.Fo BIO_set_nbio
-.Fa "BIO *b"
-.Fa "long n"
-.Fc
-.Ft long
-.Fo BIO_do_connect
-.Fa "BIO *b"
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_s_connect
-returns the connect BIO method.
-This is a wrapper around the platform's TCP/IP socket connection routines.
-.Pp
-Using connect BIOs, TCP/IP connections can be made and data
-transferred using only BIO routines.
-In this way any platform specific operations
-are hidden by the BIO abstraction.
-.Pp
-Read and write operations on a connect BIO will perform I/O
-on the underlying connection.
-If no connection is established and the port and hostname (see below)
-is set up properly, then a connection is established first.
-.Pp
-Connect BIOs support
-.Xr BIO_puts 3
-but not
-.Xr BIO_gets 3 .
-.Pp
-If the close flag is set on a connect BIO, then any active connection
-is shutdown and the socket closed when the BIO is freed.
-.Pp
-Calling
-.Xr BIO_reset 3
-on a connect BIO will close any active connection and reset the BIO
-into a state where it can connect to the same host again.
-.Pp
-.Xr BIO_get_fd 3
-places the underlying socket in
-.Fa c
-if it is not
-.Dv NULL
-and also returns the socket.
-If
-.Fa c
-is not
-.Dv NULL ,
-it should be of type
-.Vt "int *" .
-.Pp
-.Xr BIO_set_info_callback 3
-and
-.Xr BIO_callback_ctrl 3
-with a
-.Fa cmd
-of
-.Dv BIO_CTRL_SET_CALLBACK
-save the pointer to the
-.Fa cb
-function internally in
-.Fa b
-and
-.Xr BIO_get_info_callback 3
-retrieves this function pointer.
-If such an info callback is installed, it is invoked whenever
-a state change or error occurs in the connect BIO state machine.
-The arguments of the callback include the new
-.Fa state
-in case of a state change or the old
-.Fa state
-in case of an error and the value
-.Fa res
-that the state machine would return to whatever operation invoked it
-if no info callback had been installed.
-If an info callback is installed, the state machine
-returns the return value of the info callback instead.
-Consequently, the info callback is supposed to usually return
-.Fa res .
-The precise effect of the return value depends on which operation
-the state machine was invoked from.
-Usually, \-1 is used to indicate failure and return values less than
-or equal to zero abort the operation in question, whereas positive
-values indicate success and allow the operation to proceed.
-.Pp
-The
-.Fa state
-constants passed to the callback are named according to
-which operation needs to be performed next.
-They are listed here in the order the states are passed through:
-.Pp
-.Bl -tag -width BIO_CONN_S_BLOCKED_CONNECT -offset 3n -compact
-.It Dv BIO_CONN_S_BEFORE
-The BIO is idle and no connection has been initiated yet.
-.It Dv BIO_CONN_S_GET_IP
-The hostname to connect to needs to be converted to an IP address.
-.It Dv BIO_CONN_S_GET_PORT
-The service name to connect to needs to be converted to a TCP port number.
-.It Dv BIO_CONN_S_CREATE_SOCKET
-The TCP socket needs to be created with the
-.Xr socket 2
-system call.
-.It Dv BIO_CONN_S_NBIO
-Socket options may need to be set using
-.Xr fcntl 2
-and
-.Xr setsockopt 2 .
-.It Dv BIO_CONN_S_CONNECT
-The connection needs to be initiated with the
-.Xr connect 2
-system call.
-.It Dv BIO_CONN_S_BLOCKED_CONNECT
-The
-.Xr connect 2
-system call would have blocked and needs to be tried again.
-.It Dv BIO_CONN_S_OK
-The connection has been established and can now be used to transfer data.
-.El
-.Pp
-.Fn BIO_set_conn_hostname
-uses the string
-.Fa name
-to set the hostname.
-The hostname can be an IP address.
-The hostname can also include the port in the form
-.Ar hostname : Ns Ar port .
-It is also acceptable to use the forms
-.Ar hostname Ns / Ns Pa any/other/path
-or
-.Ar hostname : Ns Ar port Ns / Ns Pa any/other/path .
-.Pp
-.Fn BIO_set_conn_port
-sets the port to
-.Fa port .
-.Fa port
-is looked up as a service using
-.Xr getaddrinfo 3 .
-.Pp
-.Fn BIO_set_conn_ip
-sets the IP address to
-.Fa ip
-using binary form i.e. four bytes specifying the IP address
-in big-endian form.
-.Pp
-.Fn BIO_set_conn_int_port
-sets the port using
-.Fa port .
-.Fa port
-should
-be of type
-.Vt "int *" .
-.Pp
-.Fn BIO_get_conn_hostname
-returns the hostname of the connect BIO or
-.Dv NULL
-if the BIO is initialized but no hostname is set.
-This return value is an internal pointer which should not be modified.
-.Pp
-.Fn BIO_get_conn_port
-returns the port as a string.
-This return value is an internal pointer which should not be modified.
-.Pp
-.Fn BIO_get_conn_ip
-returns the IP address in binary form.
-.Pp
-.Fn BIO_get_conn_int_port
-returns the port as an
-.Vt int .
-.Pp
-.Fn BIO_set_nbio
-sets the non-blocking I/O flag to
-.Fa n .
-If
-.Fa n
-is zero then blocking I/O is set.
-If
-.Fa n
-is 1 then non-blocking I/O is set.
-Blocking I/O is the default.
-The call to
-.Fn BIO_set_nbio
-should be made before the connection is established
-because non-blocking I/O is set during the connect process.
-.Pp
-.Fn BIO_new_connect
-combines
-.Xr BIO_new 3
-and
-.Fn BIO_set_conn_hostname
-into a single call.
-It creates a new connect BIO with
-.Fa name .
-.Pp
-.Fn BIO_do_connect
-attempts to connect the supplied BIO.
-It returns 1 if the connection was established successfully.
-A zero or negative value is returned if the connection
-could not be established.
-The call
-.Xr BIO_should_retry 3
-should be used for non-blocking connect BIOs
-to determine if the call should be retried.
-.Pp
-If blocking I/O is set then a non-positive return value from any
-I/O call is caused by an error condition, although a zero return
-will normally mean that the connection was closed.
-.Pp
-If the port name is supplied as part of the host name then this will
-override any value set with
-.Fn BIO_set_conn_port .
-This may be undesirable if the application does not wish to allow
-connection to arbitrary ports.
-This can be avoided by checking for the presence of the
-.Sq \&:
-character in the passed hostname and either indicating an error
-or truncating the string at that point.
-.Pp
-The values returned by
-.Fn BIO_get_conn_hostname ,
-.Fn BIO_get_conn_port ,
-.Fn BIO_get_conn_ip ,
-and
-.Fn BIO_get_conn_int_port
-are updated when a connection attempt is made.
-Before any connection attempt the values returned
-are those set by the application itself.
-.Pp
-Applications do not have to call
-.Fn BIO_do_connect
-but may wish to do so to separate the connection process
-from other I/O processing.
-.Pp
-If non-blocking I/O is set,
-then retries will be requested as appropriate.
-.Pp
-In addition to
-.Xr BIO_should_read 3
-and
-.Xr BIO_should_write 3
-it is also possible for
-.Xr BIO_should_io_special 3
-to be true during the initial connection process with the reason
-.Dv BIO_RR_CONNECT .
-If this is returned, it is an indication
-that a connection attempt would block.
-The application should then take appropriate action to wait
-until the underlying socket has connected and retry the call.
-.Pp
-When a chain containing a connect BIO is copied with
-.Xr BIO_dup_chain 3 ,
-.Fn BIO_set_conn_hostname ,
-.Fn BIO_set_conn_port ,
-.Fn BIO_set_nbio ,
-and
-.Xr BIO_set_info_callback 3
-are called internally to automatically copy the hostname, port,
-non-blocking I/O flag, and info callback from the original BIO object
-to the new one.
-.Pp
-.Xr BIO_ctrl 3
-.Fa cmd
-and
-.Fa larg
-arguments correspond to macros as follows:
-.Bl -column BIO_C_DO_STATE_MACHINE larg BIO_get_conn_hostname(3) -offset 3n
-.It Fa cmd No constant        Ta Fa larg Ta corresponding macro
-.It Dv BIO_C_DO_STATE_MACHINE Ta 0       Ta Fn BIO_do_connect
-.It Dv BIO_C_GET_CONNECT      Ta 0       Ta Fn BIO_get_conn_hostname
-.It                           Ta 1       Ta Fn BIO_get_conn_port
-.It                           Ta 2       Ta Fn BIO_get_conn_ip
-.It                           Ta 3       Ta Fn BIO_get_conn_int_port
-.It Dv BIO_C_GET_FD           Ta 0       Ta Xr BIO_get_fd 3
-.It Dv BIO_C_SET_CONNECT      Ta 0       Ta Fn BIO_set_conn_hostname
-.It                           Ta 1       Ta Fn BIO_set_conn_port
-.It                           Ta 2       Ta Fn BIO_set_conn_ip
-.It                           Ta 3       Ta Fn BIO_set_conn_int_port
-.It Dv BIO_C_SET_NBIO         Ta Fa n    Ta Fn BIO_set_nbio
-.It Dv BIO_CTRL_GET_CLOSE     Ta 0       Ta Xr BIO_get_close 3
-.It Dv BIO_CTRL_RESET         Ta 0       Ta Xr BIO_reset 3
-.It Dv BIO_CTRL_SET_CLOSE     Ta Fa flag Ta Xr BIO_set_close 3
-.El
-.Sh RETURN VALUES
-.Fn BIO_s_connect
-returns the connect BIO method.
-.Pp
-When called on a connect BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_CONNECT
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq socket connect .
-.Pp
-.Xr BIO_get_fd 3
-returns the socket or -1 if the BIO has not been initialized.
-.Pp
-.Fn BIO_set_conn_hostname ,
-.Fn BIO_set_conn_port ,
-.Fn BIO_set_conn_ip ,
-and
-.Fn BIO_set_conn_int_port
-always return 1.
-.Pp
-.Fn BIO_get_conn_hostname
-returns the connected hostname or
-.Dv NULL
-if none is set.
-.Pp
-.Fn BIO_get_conn_port
-returns a string representing the connected port or
-.Dv NULL
-if not set.
-.Pp
-.Fn BIO_get_conn_ip
-returns a pointer to the connected IP address in binary form
-or all zeros if not set.
-.Pp
-.Fn BIO_get_conn_int_port
-returns the connected port or 0 if none was set.
-.Pp
-.Fn BIO_set_nbio
-always returns 1.
-.Pp
-.Fn BIO_do_connect
-returns 1 if the connection was successfully
-established and 0 or -1 if the connection failed.
-.Sh EXAMPLES
-This example connects to a webserver on the local host and attempts
-to retrieve a page and copy the result to standard output.
-.Bd -literal -offset 2n
-BIO *cbio, *out;
-int len;
-char tmpbuf[1024];
-
-ERR_load_crypto_strings();
-cbio = BIO_new_connect("localhost:http");
-out = BIO_new_fp(stdout, BIO_NOCLOSE);
-if (BIO_do_connect(cbio) <= 0) {
-        fprintf(stderr, "Error connecting to server\en");
-        ERR_print_errors_fp(stderr);
-        /* whatever ... */
-}
-BIO_puts(cbio, "GET / HTTP/1.0\en\en");
-for(;;) {
-        len = BIO_read(cbio, tmpbuf, 1024);
-        if (len <= 0)
-                break;
-        BIO_write(out, tmpbuf, len);
-}
-BIO_free(cbio);
-BIO_free(out);
-.Ed
-.Sh SEE ALSO
-.Xr BIO_new 3
-.Sh HISTORY
-.Fn BIO_s_connect ,
-.Fn BIO_new_connect ,
-.Fn BIO_set_nbio ,
-and
-.Fn BIO_do_connect
-first appeared in SSLeay 0.8.0.
-.Fn BIO_set_conn_hostname ,
-.Fn BIO_set_conn_port ,
-.Fn BIO_set_conn_ip ,
-.Fn BIO_set_conn_int_port ,
-.Fn BIO_get_conn_hostname ,
-.Fn BIO_get_conn_port ,
-.Fn BIO_get_conn_ip ,
-and
-.Fn BIO_get_conn_int_port
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/BIO_s_datagram.3 b/src/lib/libcrypto/man/BIO_s_datagram.3
deleted file mode 100644
index 104823e7a7..0000000000
--- a/src/lib/libcrypto/man/BIO_s_datagram.3
+++ /dev/null
@@ -1,573 +0,0 @@
-.\" $OpenBSD: BIO_s_datagram.3,v 1.3 2023/04/28 16:49:00 schwarze Exp $
-.\"
-.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: April 28 2023 $
-.Dt BIO_S_DATAGRAM 3
-.Os
-.Sh NAME
-.Nm BIO_s_datagram ,
-.Nm BIO_new_dgram ,
-.Nm BIO_dgram_set_peer ,
-.Nm BIO_ctrl_dgram_connect ,
-.Nm BIO_dgram_get_peer ,
-.Nm BIO_ctrl_set_connected ,
-.Nm BIO_dgram_recv_timedout ,
-.Nm BIO_dgram_send_timedout ,
-.Nm BIO_dgram_non_fatal_error
-.\" .Nm BIO_CTRL_DGRAM_QUERY_MTU and
-.\" .Nm BIO_CTRL_DGRAM_MTU_DISCOVER are intentionally undocumented.
-.\" They are almost unused, and OpenBSD does not appear to support them.
-.Nd datagram socket BIO
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft const BIO_METHOD *
-.Fn BIO_s_datagram void
-.Ft BIO *
-.Fo BIO_new_dgram
-.Fa "int fd"
-.Fa "int close_flag"
-.Fc
-.Ft int
-.Fo BIO_dgram_set_peer
-.Fa "BIO *b"
-.Fa "struct sockaddr *sa"
-.Fc
-.Ft int
-.Fo BIO_ctrl_dgram_connect
-.Fa "BIO *b"
-.Fa "struct sockaddr *sa"
-.Fc
-.Ft int
-.Fo BIO_dgram_get_peer
-.Fa "BIO *b"
-.Fa "struct sockaddr *sa"
-.Fc
-.Ft int
-.Fo BIO_ctrl_set_connected
-.Fa "BIO *b"
-.Fa "long argl"
-.Fa "struct sockaddr *sa"
-.Fc
-.Ft int
-.Fn BIO_dgram_recv_timedout "BIO *b"
-.Ft int
-.Fn BIO_dgram_send_timedout "BIO *b"
-.Ft int
-.Fn BIO_dgram_non_fatal_error "int errnum"
-.Sh DESCRIPTION
-.Fn BIO_s_datagram
-returns the datagram socket BIO method.
-The usual application is to transmit data using the IPv4 or IPv6
-.Xr udp 4
-protocol.
-.Pp
-When called on a datagram socket BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_DGRAM
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq datagram socket .
-.Ss Constructors and destructors
-.Xr BIO_new 3
-allocates a new datagram socket BIO object and initializes all its data
-to zero, including the datagram socket file descriptor, the peer address,
-the init flag that can be retrieved with
-.Xr BIO_get_init 3 ,
-the connected flag, the MTU, and all timeout and error information.
-The reference count and the close flag are set to 1.
-.Pp
-.Fn BIO_new_dgram
-allocates and initializes a new datagram socket BIO object with
-.Xr BIO_new 3 ,
-sets the datagram socket file descriptor and the close flag
-according to its arguments, and sets the init flag to 1.
-.Pp
-If the reference count reaches 0 in
-.Xr BIO_free 3
-and the close and init flags are set,
-.Xr shutdown 2
-and
-.Xr close 2
-are called on the datagram socket file descriptor before freeing the
-storage used by the BIO object.
-.Pp
-When a chain containing a datagram socket BIO is copied with
-.Xr BIO_dup_chain 3 ,
-the datagram socket file descriptor, the init flag, the close flag,
-the flags accessible with
-.Xr BIO_test_flags 3 ,
-and any data that was set with
-.Xr BIO_set_ex_data 3
-are automatically copied from the original BIO object to the new one,
-but the peer address, the connected flag, the MTU and all timeout and
-error information are not copied but instead initialized to zero.
-.Ss Initialization and configuration
-If the close flag is set in
-.Fa b ,
-.Xr BIO_set_fd 3
-clears all flags that are set in
-.Fa b
-and if the init flag was set, it calls
-.Xr shutdown 2
-and
-.Xr close 2
-on the previously assigned file descriptor.
-In any case,
-.Xr BIO_set_fd 3
-then sets the new file descriptor and the new close flag according to
-its arguments and sets the init flag to 1.
-.Pp
-If the init flag is set in
-.Fa b ,
-.Xr BIO_get_fd 3
-returns its datagram socket file descriptor, and unless the
-.Fa c
-argument is a
-.Dv NULL
-pointer, it also stores the file descriptor in
-.Pf * Fa c .
-If the init flag is not set,
-.Xr BIO_get_fd 3
-fails and returns \-1.
-.Pp
-.Xr BIO_set_close 3
-sets the close flag in
-.Fa b
-to the
-.Fa flag
-argument.
-.Xr BIO_get_close 3
-returns the value of the close flag from
-.Fa b .
-.Pp
-For datagram socket BIO objects,
-the shutdown flag is the same flag as the close flag.
-Consequently,
-.Xr BIO_set_shutdown 3
-has the same effect as
-.Xr BIO_set_close 3
-and
-.Xr BIO_get_shutdown 3
-has the same effect as
-.Xr BIO_get_close 3 .
-.Pp
-.Fn BIO_dgram_set_peer
-copies
-.Fa sa
-as the peer address into
-.Fa b .
-.Pp
-.Fn BIO_ctrl_dgram_connect
-does exactly the same as
-.Fn BIO_dgram_set_peer .
-Its name is even more misleading than the name of
-.Fn BIO_ctrl_set_connected .
-In addition to what is said there,
-.Fn BIO_ctrl_dgram_connect
-does not even set the connected flag in
-.Fa b .
-.Pp
-.Fn BIO_dgram_get_peer
-copies the peer address from
-.Fa b
-to
-.Pf * Fa sa .
-Before calling this function, the caller has to make sure
-that the peer address is indeed set in
-.Fa b
-and that sufficient memory is available starting at
-.Fa sa
-to copy a complete
-.Vt struct sockaddr ,
-.Vt struct sockaddr_in ,
-or
-.Vt struct sockaddr_in6
-to that place, depending on which address family
-.Fa b
-is currently used for.
-.Pp
-Unless
-.Fa sa
-is
-.Dv NULL ,
-.Fn BIO_ctrl_set_connected
-sets the connected flag in
-.Fa b
-and copies
-.Fa sa
-as the peer address into
-.Fa b .
-If
-.Fa sa
-is
-.Dv NULL ,
-.Fn BIO_ctrl_set_connected
-clears the connected flag and the peer address in
-.Fa b .
-Considering that communication using a datagram protocol is connectionless,
-the name of this function is misleading.
-It is neither establishing or terminating a connection nor changing
-anything with respect to the state of the datagram socket, but merely
-modifying some purely informational data in the wrapping BIO object.
-The additional
-.Fa argl
-argument is passed through to the callbacks documented in
-.Xr BIO_set_callback 3
-if any such callbacks are installed, but it is otherwise ignored.
-.Pp
-.Xr BIO_ctrl 3
-with a
-.Fa cmd
-of
-.Dv BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT
-interprets the
-.Fa parg
-argument as a pointer to a
-.Vt struct timeval
-and sets the read timeout to the specified absolute UTC time.
-.Pp
-.Xr BIO_ctrl 3
-with a
-.Fa cmd
-of
-.Dv BIO_CTRL_DGRAM_SET_RECV_TIMEOUT ,
-.Dv BIO_CTRL_DGRAM_GET_RECV_TIMEOUT ,
-.Dv BIO_CTRL_DGRAM_SET_SEND_TIMEOUT ,
-or
-.Dv BIO_CTRL_DGRAM_GET_SEND_TIMEOUT
-interprets the
-.Fa parg
-argument as a pointer to a
-.Vt struct timeval
-and calls
-.Xr setsockopt 2
-or
-.Xr getsockopt 2
-on the datagram socket file descriptor of
-.Fa b
-with an argument of
-.Dv SO_RCVTIMEO
-or
-.Dv SO_SNDTIMEO ,
-respectively.
-.Dv BIO_CTRL_DGRAM_SET_RECV_TIMEOUT
-and
-.Dv BIO_CTRL_DGRAM_SET_SEND_TIMEOUT
-return 1 on success,
-.Dv BIO_CTRL_DGRAM_GET_RECV_TIMEOUT
-and
-.Dv BIO_CTRL_DGRAM_GET_SEND_TIMEOUT
-the number of bytes written to
-.Pf * Fa parg .
-All four return \-1 on failure.
-Remember that
-.Xr BIO_read 3
-may actually use a shorter timeout when
-.Dv BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT
-is in effect.
-.Pp
-.Xr BIO_ctrl 3
-with a
-.Fa cmd
-of
-.Dv BIO_CTRL_DGRAM_GET_FALLBACK_MTU
-returns 1232 if the peer address is an IPv6 address that is not IPv4 mapped
-or 548 otherwise.
-Making sure that a peer address is set before issuing this command
-is the responsibility of the caller.
-.Pp
-.Xr BIO_ctrl 3
-with a
-.Fa cmd
-of
-.Dv BIO_CTRL_DGRAM_SET_MTU
-sets the MTU attribute of
-.Fa b
-to the value of the
-.Fa larg
-argument and also returns that argument.
-.Xr BIO_ctrl 3
-with a
-.Fa cmd
-of
-.Dv BIO_CTRL_DGRAM_GET_MTU
-returns the MTU attribute of
-.Fa b
-or 0 if it was not set.
-.Pp
-.Xr BIO_ctrl 3
-with a
-.Fa cmd
-of
-.Dv BIO_CTRL_DGRAM_MTU_EXCEEDED
-returns 1 if the most recent non-fatal failure of
-.Xr BIO_read 3
-or
-.Xr BIO_write 3
-was caused by
-.Er EMSGSIZE
-or 0 otherwise.
-This command also clears the
-.Xr errno 2
-value that was saved internally for this particular purpose, so that
-issuing the same command again will return 0 until the next
-.Er EMSGSIZE
-failure occurs.
-.Pp
-.Fn BIO_dgram_recv_timedout
-and
-.Fn BIO_dgram_send_timedout
-check whether the most recent non-fatal failure of
-.Xr BIO_read 3
-or
-.Xr BIO_write 3
-was caused by
-.Er EAGAIN .
-Despite having different names, both functions do exactly the same,
-and both inspect the most recent non-fatal I/O failure, no matter
-whether it occurred during a receive or send operation.
-Both functions also clear the
-.Xr errno 2
-value that was saved internally for this particular purpose,
-so that calling these functions again will return 0 until the next
-.Er EAGAIN
-failure occurs.
-.Pp
-Datagram socket BIOs do not support
-.Xr BIO_eof 3 ,
-.Xr BIO_get_mem_data 3 ,
-.Xr BIO_pending 3 ,
-.Xr BIO_reset 3 ,
-.Xr BIO_seek 3 ,
-.Xr BIO_tell 3 ,
-and
-.Xr BIO_wpending 3 ,
-and attempting any such operation results in failure
-and returns a value of 0.
-.Pp
-Control commands correspond to accessor functions as follows:
-.Pp
-.Bl -tag -width BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP -compact
-.It Dv BIO_C_GET_FD
-.Xr BIO_get_fd 3
-.It Dv BIO_C_SET_FD
-.Xr BIO_set_fd 3
-.It Dv BIO_CTRL_DGRAM_CONNECT
-.Fn BIO_ctrl_dgram_connect Pq deprecated
-.It Dv BIO_CTRL_DGRAM_GET_PEER
-.Fn BIO_dgram_get_peer
-.It BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP
-.Fn BIO_dgram_recv_timedout
-.It BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP
-.Fn BIO_dgram_send_timedout
-.It Dv BIO_CTRL_DGRAM_SET_CONNECTED
-.Fn BIO_ctrl_set_connected
-.It Dv BIO_CTRL_DGRAM_SET_PEER
-.Fn BIO_dgram_set_peer
-.It Dv BIO_CTRL_GET_CLOSE
-.Xr BIO_get_close 3
-.It Dv BIO_CTRL_SET_CLOSE
-.Xr BIO_set_close 3
-.El
-.Ss Input and output operations
-.Xr BIO_read 3
-attempts to read up to
-.Fa len
-bytes into
-.Fa buf
-from the datagram socket file descriptor using
-.Xr recvfrom 2 .
-If a read timeout is set,
-.Xr setsockopt 2
-is used with an argument of
-.Dv SO_RCVTIMEO
-to temporarily shorten the timeout on the datagram socket during the
-.Xr recvfrom 2
-call such that it returns before the read timeout expires.
-.Pp
-If
-.Xr recvfrom 2
-succeeds and the connected flag is not yet set,
-.Xr BIO_read 3
-also copies the peer address received from
-.Xr recvfrom 2
-into
-.Fa b .
-.Pp
-If
-.Xr recvfrom 2
-is attempted,
-.Xr BIO_read 3
-clears the flags
-.Dv BIO_FLAGS_WRITE
-and
-.Dv BIO_FLAGS_IO_SPECIAL
-in
-.Fa b
-and clears or sets the flags
-.Dv BIO_FLAGS_READ
-and
-.Dv BIO_FLAGS_SHOULD_RETRY
-as appropriate.
-.Pp
-If the connected flag is set in
-.Fa b ,
-.Xr BIO_write 3
-attempts to
-.Xr write 2
-.Fa len
-bytes from
-.Fa buf
-to the datagram socket file descriptor.
-If the connected flag is not set, it attempts to transmit
-.Fa len
-bytes from
-.Fa buf
-to the peer using
-.Xr sendto 2 .
-.Pp
-If
-.Xr write 2
-or
-.Xr sendto 2
-is attempted,
-.Xr BIO_write 3
-clears the flags
-.Dv BIO_FLAGS_READ
-and
-.Dv BIO_FLAGS_IO_SPECIAL
-in
-.Fa b
-and clears or sets the flags
-.Dv BIO_FLAGS_WRITE
-and
-.Dv BIO_FLAGS_SHOULD_RETRY
-as appropriate.
-.Pp
-The effect of
-.Xr BIO_puts 3
-is similar to the effect of
-.Xr BIO_write 3
-with a
-.Fa len
-argument of
-.Fn strlen string .
-.Pp
-Datagram socket BIOs do not support
-.Xr BIO_gets 3 .
-Calling this function fails and returns \-2.
-.Pp
-.Xr BIO_flush 3
-has no effect on a datagram socket BIO.
-It always succeeds and returns 1.
-.Sh RETURN VALUES
-.Fn BIO_s_datagram
-returns the datagram socket BIO method.
-.Pp
-.Fn BIO_new_dgram
-returns a newly allocated datagram socket BIO object or
-.Dv NULL
-on failure.
-.Pp
-.Fn BIO_dgram_set_peer ,
-.Fn BIO_ctrl_dgram_connect ,
-and
-.Fn BIO_ctrl_set_connected
-return 1 on success or a value less than or equal to zero on failure.
-They can only fail if
-.Fa b
-is not a datagram socket BIO object.
-.Pp
-.Fn BIO_dgram_get_peer
-returns the number of bytes copied to
-.Fa sa
-or a value less than or equal to zero on failure.
-It can only fail if
-.Fa b
-is not a datagram socket BIO object.
-.Pp
-.Fn BIO_dgram_recv_timedout
-and
-.Fn BIO_dgram_send_timedout
-return 1 if the most recent non-fatal I/O error was caused by
-.Er EAGAIN
-or 0 otherwise.
-.Pp
-.Fn BIO_dgram_non_fatal_error
-returns 1 if
-.Fa errnum
-is
-.Er EAGAIN ,
-.Er EALREADY ,
-.Er EINPROGRESS ,
-or
-.Er EINTR
-or 0 otherwise, even if
-.Fa errnum
-is 0.
-.Sh SEE ALSO
-.Xr close 2 ,
-.Xr getsockopt 2 ,
-.Xr recvfrom 2 ,
-.Xr sendto 2 ,
-.Xr shutdown 2 ,
-.Xr BIO_ctrl 3 ,
-.Xr BIO_get_init 3 ,
-.Xr BIO_new 3 ,
-.Xr BIO_read 3 ,
-.Xr BIO_s_connect 3 ,
-.Xr BIO_set_fd 3 ,
-.Xr BIO_should_retry 3 ,
-.Xr udp 4
-.Sh HISTORY
-.Fn BIO_s_datagram ,
-.Fn BIO_new_dgram ,
-.Fn BIO_dgram_set_peer ,
-.Fn BIO_ctrl_dgram_connect ,
-.Fn BIO_ctrl_set_connected ,
-.Fn BIO_dgram_recv_timedout ,
-.Fn BIO_dgram_send_timedout ,
-and
-.Fn BIO_dgram_non_fatal_error
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
-.Fn BIO_dgram_get_peer
-first appeared in OpenSSL 0.9.8m and has been available since
-.Ox 4.9 .
-.Sh BUGS
-If
-.Xr getsockopt 2
-or
-.Xr setsockopt 2
-fails during
-.Xr BIO_read 3 ,
-the library prints an error message to standard error output
-but otherwise ignores the problem, thus possibly using unintended
-timeout values.
-.Pp
-.Xr BIO_read 3
-and
-.Xr BIO_write 3
-may clear the global variable
-.Xr errno 2
-before attempting the
-.Xr recvfrom 2
-or
-.Xr sendto 2
-system call but may not clear it if they fail before reaching this point.
diff --git a/src/lib/libcrypto/man/BIO_s_fd.3 b/src/lib/libcrypto/man/BIO_s_fd.3
deleted file mode 100644
index 852a06756a..0000000000
--- a/src/lib/libcrypto/man/BIO_s_fd.3
+++ /dev/null
@@ -1,290 +0,0 @@
-.\" $OpenBSD: BIO_s_fd.3,v 1.13 2023/11/16 20:19:23 schwarze Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 16 2023 $
-.Dt BIO_S_FD 3
-.Os
-.Sh NAME
-.Nm BIO_s_fd ,
-.Nm BIO_set_fd ,
-.Nm BIO_get_fd ,
-.Nm BIO_new_fd ,
-.Nm BIO_fd_non_fatal_error ,
-.Nm BIO_fd_should_retry
-.Nd file descriptor BIO
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft const BIO_METHOD *
-.Fo BIO_s_fd
-.Fa "void"
-.Fc
-.Ft long
-.Fo BIO_set_fd
-.Fa "BIO *b"
-.Fa "int fd"
-.Fa "long close_flag"
-.Fc
-.Ft long
-.Fo BIO_get_fd
-.Fa "BIO *b"
-.Fa "int *c"
-.Fc
-.Ft BIO *
-.Fo BIO_new_fd
-.Fa "int fd"
-.Fa "int close_flag"
-.Fc
-.Ft int
-.Fn BIO_fd_non_fatal_error "int errnum"
-.Ft int
-.Fn BIO_fd_should_retry "int retval"
-.Sh DESCRIPTION
-.Fn BIO_s_fd
-returns the file descriptor BIO method.
-This is a wrapper around the platform's file descriptor routines such as
-.Xr read 2
-and
-.Xr write 2 .
-.Pp
-.Xr BIO_read 3
-and
-.Xr BIO_write 3
-read or write the underlying descriptor.
-.Xr BIO_puts 3
-is supported but
-.Xr BIO_gets 3
-is not.
-.Pp
-If the close flag is set,
-.Xr close 2
-is called on the underlying file descriptor when the
-.Vt BIO
-is freed.
-.Pp
-.Xr BIO_reset 3
-attempts to set the file pointer to the start of the file using
-.Fn lseek fd 0 0 .
-.Pp
-.Xr BIO_seek 3
-sets the file pointer to position
-.Fa ofs
-from start of file using
-.Fn lseek fd ofs 0 .
-.Pp
-.Xr BIO_tell 3
-returns the current file position by calling
-.Fn lseek fd 0 1 .
-.Pp
-.Fn BIO_set_fd
-sets the file descriptor of
-.Vt BIO
-.Fa b
-to
-.Fa fd
-and the close flag to
-.Fa close_flag .
-.Pp
-.Fn BIO_get_fd
-places the file descriptor in
-.Fa c
-if it is not
-.Dv NULL
-and also returns the file descriptor.
-.Pp
-.Fn BIO_new_fd
-returns a file descriptor BIO using
-.Fa fd
-and
-.Fa close_flag .
-.Pp
-.Fn BIO_fd_non_fatal_error
-determines whether the error status code
-.Fa errnum
-represents a recoverable error.
-.Fn BIO_fd_should_retry
-determines whether a recoverable error occurred by inspecting both
-.Xr errno 2
-and
-.Fa retval ,
-which is supposed to usually be
-the return value of a previously called function like
-.Xr BIO_read 3
-or
-.Xr BIO_write 3 .
-These two functions are mostly used internally; in application code,
-it is usually easier and more robust to use
-.Xr BIO_should_retry 3 ,
-which works for any BIO type.
-.Pp
-The behaviour of
-.Xr BIO_read 3
-and
-.Xr BIO_write 3
-depends on the behavior of the platform's
-.Xr read 2
-and
-.Xr write 2
-calls on the descriptor.
-If the underlying file descriptor is in a non-blocking mode,
-then the BIO will behave in the manner described in the
-.Xr BIO_read 3
-and
-.Xr BIO_should_retry 3
-manual pages.
-.Pp
-File descriptor BIOs should not be used for socket I/O.
-Use socket BIOs instead.
-.Pp
-.Xr BIO_ctrl 3
-.Fa cmd
-arguments correspond to macros as follows:
-.Bl -column BIO_CTRL_GET_CLOSE BIO_get_close(3) -offset 3n
-.It Fa cmd No constant    Ta corresponding macro
-.It Dv BIO_C_FILE_SEEK    Ta Xr BIO_seek 3
-.It Dv BIO_C_FILE_TELL    Ta Xr BIO_tell 3
-.It Dv BIO_C_GET_FD       Ta Fn BIO_get_fd
-.It Dv BIO_C_SET_FD       Ta Fn BIO_set_fd
-.It Dv BIO_CTRL_GET_CLOSE Ta Xr BIO_get_close 3
-.It Dv BIO_CTRL_RESET     Ta Xr BIO_reset 3
-.It Dv BIO_CTRL_SET_CLOSE Ta Xr BIO_set_close 3
-.El
-.Sh RETURN VALUES
-.Fn BIO_s_fd
-returns the file descriptor BIO method.
-.Pp
-When called on a file descriptor BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_FD
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq file descriptor .
-.Pp
-.Fn BIO_set_fd
-always returns 1.
-.Pp
-.Fn BIO_get_fd
-returns the file descriptor or -1 if the
-.Vt BIO
-has not been initialized.
-.Pp
-.Fn BIO_new_fd
-returns the newly allocated
-.Vt BIO
-or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn BIO_fd_non_fatal_error
-returns 1 if
-.Fa errnum
-is
-.Dv EAGAIN ,
-.Dv EALREADY ,
-.Dv EINPROGRESS ,
-.Dv EINTR ,
-or
-.Dv ENOTCONN
-and 0 otherwise, even if
-.Fa errnum
-is 0.
-.Pp
-.Fn BIO_fd_should_retry
-returns 1 if
-.Fn BIO_fd_non_fatal_error errno
-is 1 and
-.Fa retval
-is either 0 or \-1, or 0 otherwise.
-.Sh EXAMPLES
-This is a file descriptor BIO version of "Hello World":
-.Bd -literal -offset indent
-BIO *out;
-out = BIO_new_fd(fileno(stdout), BIO_NOCLOSE);
-BIO_printf(out, "Hello World\en");
-BIO_free(out);
-.Ed
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr BIO_read 3 ,
-.Xr BIO_s_socket 3 ,
-.Xr BIO_seek 3 ,
-.Xr BIO_should_retry 3
-.Sh HISTORY
-.Fn BIO_s_fd ,
-.Fn BIO_set_fd ,
-and
-.Fn BIO_get_fd
-first appeared in SSLeay 0.6.0,
-.Fn BIO_fd_should_retry
-in SSLeay 0.6.5, and
-.Fn BIO_new_fd
-and
-.Fn BIO_fd_non_fatal_error
-in SSLeay 0.8.0.
-All these functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/BIO_s_file.3 b/src/lib/libcrypto/man/BIO_s_file.3
deleted file mode 100644
index 14950cad13..0000000000
--- a/src/lib/libcrypto/man/BIO_s_file.3
+++ /dev/null
@@ -1,377 +0,0 @@
-.\" $OpenBSD: BIO_s_file.3,v 1.17 2023/11/16 20:19:23 schwarze Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\" selective merge up to: OpenSSL 1212818e Sep 11 13:22:14 2018 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2010 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 16 2023 $
-.Dt BIO_S_FILE 3
-.Os
-.Sh NAME
-.Nm BIO_s_file ,
-.Nm BIO_new_file ,
-.Nm BIO_new_fp ,
-.Nm BIO_set_fp ,
-.Nm BIO_get_fp ,
-.Nm BIO_read_filename ,
-.Nm BIO_write_filename ,
-.Nm BIO_append_filename ,
-.Nm BIO_rw_filename
-.\" Nm BIO_CTRL_SET_FILENAME is unused and intentionally undocumented.
-.Nd FILE BIO
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft const BIO_METHOD *
-.Fo BIO_s_file
-.Fa void
-.Fc
-.Ft BIO *
-.Fo BIO_new_file
-.Fa "const char *filename"
-.Fa "const char *mode"
-.Fc
-.Ft BIO *
-.Fo BIO_new_fp
-.Fa "FILE *stream"
-.Fa "int flags"
-.Fc
-.Ft long
-.Fo BIO_set_fp
-.Fa "BIO *b"
-.Fa "FILE *fp"
-.Fa "int flags"
-.Fc
-.Ft long
-.Fo BIO_get_fp
-.Fa "BIO *b"
-.Fa "FILE **fpp"
-.Fc
-.Ft long
-.Fo BIO_read_filename
-.Fa "BIO *b"
-.Fa "char *name"
-.Fc
-.Ft long
-.Fo BIO_write_filename
-.Fa "BIO *b"
-.Fa "char *name"
-.Fc
-.Ft long
-.Fo BIO_append_filename
-.Fa "BIO *b"
-.Fa "char *name"
-.Fc
-.Ft long
-.Fo BIO_rw_filename
-.Fa "BIO *b"
-.Fa "char *name"
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_s_file
-returns the BIO file method.
-As its name implies, it is a wrapper around the stdio
-.Vt FILE
-structure and it is a source/sink BIO.
-.Pp
-Calls to
-.Xr BIO_read 3
-and
-.Xr BIO_write 3
-read and write data to the underlying stream.
-.Xr BIO_gets 3
-and
-.Xr BIO_puts 3
-are supported on file BIOs.
-.Pp
-.Xr BIO_flush 3
-on a file BIO calls the
-.Xr fflush 3
-function on the wrapped stream.
-.Pp
-.Xr BIO_reset 3
-attempts to change the file pointer to the start of file using
-.Fn fseek stream 0 0 .
-.Pp
-.Xr BIO_seek 3
-sets the file pointer to position
-.Fa ofs
-from the start of the file using
-.Fn fseek stream ofs 0 .
-.Pp
-.Xr BIO_eof 3
-calls
-.Xr feof 3 .
-.Pp
-Setting the
-.Dv BIO_CLOSE
-flag calls
-.Xr fclose 3
-on the stream when the BIO is freed.
-.Pp
-.Fn BIO_new_file
-creates a new file BIO with mode
-.Fa mode .
-The meaning of
-.Fa mode
-is the same as for the stdio function
-.Xr fopen 3 .
-The
-.Dv BIO_CLOSE
-flag is set on the returned BIO.
-.Pp
-.Fn BIO_new_fp
-creates a file BIO wrapping
-.Fa stream .
-Flags can be:
-.Dv BIO_CLOSE , BIO_NOCLOSE Pq the close flag ,
-.Dv BIO_FP_TEXT
-(sets the underlying stream to text mode, default is binary:
-this only has any effect under Win32).
-.Pp
-.Fn BIO_set_fp
-sets the file pointer of a file BIO to
-.Fa fp .
-.Fa flags
-has the same meaning as in
-.Fn BIO_new_fp .
-.Pp
-.Fn BIO_get_fp
-retrieves the file pointer of a file BIO.
-.Pp
-.Xr BIO_seek 3
-sets the position pointer to
-.Fa offset
-bytes from the start of file.
-.Pp
-.Xr BIO_tell 3
-returns the value of the position pointer.
-.Pp
-.Fn BIO_read_filename ,
-.Fn BIO_write_filename ,
-.Fn BIO_append_filename ,
-and
-.Fn BIO_rw_filename
-set the file BIO
-.Fa b
-to use file
-.Fa name
-for reading, writing, append or read write respectively.
-.Pp
-When wrapping stdout, stdin, or stderr, the underlying stream
-should not normally be closed, so the
-.Dv BIO_NOCLOSE
-flag should be set.
-.Pp
-Because the file BIO calls the underlying stdio functions, any quirks
-in stdio behaviour will be mirrored by the corresponding BIO.
-.Pp
-On Windows,
-.Fn BIO_new_files
-reserves for the filename argument to be UTF-8 encoded.
-In other words, if you have to make it work in a multi-lingual
-environment, encode file names in UTF-8.
-.Pp
-The following
-.Xr BIO_ctrl 3
-.Fa cmd
-constants correspond to macros:
-.Bl -column BIO_C_GET_FILE_PTR "corresponding macro" -offset 3n
-.It Fa cmd No constant    Ta corresponding macro
-.It Dv BIO_C_FILE_SEEK    Ta Xr BIO_seek 3
-.It Dv BIO_C_FILE_TELL    Ta Xr BIO_tell 3
-.It Dv BIO_C_GET_FILE_PTR Ta Fn BIO_get_fp
-.It Dv BIO_C_SET_FILE_PTR Ta Fn BIO_set_fp
-.It Dv BIO_C_SET_FILENAME Ta various, see below
-.It Dv BIO_CTRL_EOF       Ta Xr BIO_eof 3
-.It Dv BIO_CTRL_FLUSH     Ta Xr BIO_flush 3
-.It Dv BIO_CTRL_GET_CLOSE Ta Xr BIO_get_close 3
-.It Dv BIO_CTRL_RESET     Ta Xr BIO_reset 3
-.It Dv BIO_CTRL_SET_CLOSE Ta Xr BIO_set_close 3
-.El
-.Pp
-The meaning of
-.Dv BIO_C_SET_FILENAME
-depends on the flags passed in the
-.Xr BIO_ctrl 3
-.Fa larg
-argument:
-.Bl -column "BIO_CLOSE | BIO_FP_READ | BIO_FP_WRITE" "BIO_append_filename()"\
- -offset 3n
-.It Fa larg No argument                        Ta corresponding macro
-.It Dv BIO_CLOSE | BIO_FP_READ                 Ta Fn BIO_read_filename
-.It Dv BIO_CLOSE | BIO_FP_WRITE                Ta Fn BIO_write_filename
-.It Dv BIO_CLOSE | BIO_FP_APPEND               Ta Fn BIO_append_filename
-.It Dv BIO_CLOSE | BIO_FP_READ  | BIO_FP_WRITE Ta Fn BIO_rw_filename
-.El
-.Sh RETURN VALUES
-.Fn BIO_s_file
-returns the file BIO method.
-.Pp
-.Fn BIO_new_file
-and
-.Fn BIO_new_fp
-return a file BIO or
-.Dv NULL
-if an error occurred.
-.Pp
-When called on a file BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_FILE
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq FILE pointer .
-.Pp
-.Fn BIO_set_fp
-and
-.Fn BIO_get_fp
-return 1 for success or 0 for failure (although the current
-implementation never returns 0).
-.Pp
-.Xr BIO_seek 3
-returns the same value as the underlying
-.Xr fseek 3
-function: 0 for success or -1 for failure.
-.Pp
-.Xr BIO_tell 3
-returns the current file position.
-.Pp
-.Fn BIO_read_filename ,
-.Fn BIO_write_filename ,
-.Fn BIO_append_filename ,
-and
-.Fn BIO_rw_filename
-return 1 for success or 0 for failure.
-.Sh EXAMPLES
-File BIO "hello world":
-.Bd -literal -offset indent
-BIO *bio_out;
-bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
-BIO_printf(bio_out, "Hello World\en");
-.Ed
-.Pp
-Alternative technique:
-.Bd -literal -offset indent
-BIO *bio_out;
-bio_out = BIO_new(BIO_s_file());
-if(bio_out == NULL) /* Error ... */
-if(!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE)) /* Error ... */
-BIO_printf(bio_out, "Hello World\en");
-.Ed
-.Pp
-Write to a file:
-.Bd -literal -offset indent
-BIO *out;
-out = BIO_new_file("filename.txt", "w");
-if(!out) /* Error occurred */
-BIO_printf(out, "Hello World\en");
-BIO_free(out);
-.Ed
-.Pp
-Alternative technique:
-.Bd -literal -offset indent
-BIO *out;
-out = BIO_new(BIO_s_file());
-if(out == NULL) /* Error ... */
-if(!BIO_write_filename(out, "filename.txt")) /* Error ... */
-BIO_printf(out, "Hello World\en");
-BIO_free(out);
-.Ed
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr BIO_read 3 ,
-.Xr BIO_seek 3
-.Sh HISTORY
-.Fn BIO_s_file ,
-.Fn BIO_set_fp ,
-.Fn BIO_get_fp ,
-.Fn BIO_read_filename ,
-.Fn BIO_write_filename ,
-and
-.Fn BIO_append_filename
-first appeared in SSLeay 0.6.0.
-.Fn BIO_new_file
-and
-.Fn BIO_new_fp
-first appeared in SSLeay 0.8.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn BIO_rw_filename
-first appeared in SSLeay 0.9.1 and has been available since
-.Ox 2.6 .
-.Sh BUGS
-.Xr BIO_reset 3
-and
-.Xr BIO_seek 3
-are implemented using
-.Xr fseek 3
-on the underlying stream.
-The return value for
-.Xr fseek 3
-is 0 for success or -1 if an error occurred.
-This differs from other types of BIO which will typically return
-1 for success and a non-positive value if an error occurred.
diff --git a/src/lib/libcrypto/man/BIO_s_mem.3 b/src/lib/libcrypto/man/BIO_s_mem.3
deleted file mode 100644
index d7bbf6af43..0000000000
--- a/src/lib/libcrypto/man/BIO_s_mem.3
+++ /dev/null
@@ -1,306 +0,0 @@
-.\" $OpenBSD: BIO_s_mem.3,v 1.19 2023/11/16 20:19:23 schwarze Exp $
-.\" full merge up to: OpenSSL 8711efb4 Mon Apr 20 11:33:12 2009 +0000
-.\" selective merge up to: OpenSSL 36359cec Mar 7 14:37:23 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 16 2023 $
-.Dt BIO_S_MEM 3
-.Os
-.Sh NAME
-.Nm BIO_s_mem ,
-.Nm BIO_set_mem_eof_return ,
-.Nm BIO_get_mem_data ,
-.Nm BIO_set_mem_buf ,
-.Nm BIO_get_mem_ptr ,
-.Nm BIO_new_mem_buf
-.Nd memory BIO
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft const BIO_METHOD *
-.Fo BIO_s_mem
-.Fa "void"
-.Fc
-.Ft long
-.Fo BIO_set_mem_eof_return
-.Fa "BIO *b"
-.Fa "int v"
-.Fc
-.Ft long
-.Fo BIO_get_mem_data
-.Fa "BIO *b"
-.Fa "char **pp"
-.Fc
-.Ft long
-.Fo BIO_set_mem_buf
-.Fa "BIO *b"
-.Fa "BUF_MEM *bm"
-.Fa "int c"
-.Fc
-.Ft long
-.Fo BIO_get_mem_ptr
-.Fa "BIO *b"
-.Fa "BUF_MEM **pp"
-.Fc
-.Ft BIO *
-.Fo BIO_new_mem_buf
-.Fa "const void *buf"
-.Fa "int len"
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_s_mem
-returns the memory BIO method function.
-.Pp
-A memory BIO is a source/sink BIO which uses memory for its I/O.
-Data written to a memory BIO is stored in a
-.Vt BUF_MEM
-structure which is extended as appropriate to accommodate the stored data.
-.Pp
-Any data written to a memory BIO can be recalled by reading from it.
-Unless the memory BIO is read only,
-any data read from it is deleted from the BIO.
-To find out whether a memory BIO is read only,
-.Xr BIO_test_flags 3
-can be called with an argument of
-.Dv BIO_FLAGS_MEM_RDONLY .
-.Pp
-Memory BIOs support
-.Xr BIO_gets 3
-and
-.Xr BIO_puts 3 .
-.Pp
-If the
-.Dv BIO_CLOSE
-flag is set when a memory BIO is freed, the underlying
-.Dv BUF_MEM
-structure is also freed.
-.Pp
-Calling
-.Xr BIO_reset 3
-on a read/write memory BIO clears any data in it.
-On a read only BIO it restores the BIO to its original state
-and the read only data can be read again.
-.Pp
-.Xr BIO_eof 3
-is true if no data is in the BIO.
-.Pp
-.Xr BIO_ctrl_pending 3
-returns the number of bytes currently stored.
-.Pp
-.Fn BIO_set_mem_eof_return
-sets the behaviour of memory BIO
-.Fa b
-when it is empty.
-If
-.Fa v
-is zero, then an empty memory BIO will return EOF:
-it will return zero and
-.Fn BIO_should_retry
-will be false.
-If
-.Fa v
-is non-zero then it will return
-.Fa v
-when it is empty and it will set the read retry flag:
-.Fn BIO_read_retry
-is true.
-To avoid ambiguity with a normal positive return value
-.Fa v
-should be set to a negative value, typically -1.
-.Pp
-.Fn BIO_get_mem_data
-sets
-.Pf * Fa pp
-to a pointer to the start of the memory BIO's data
-and returns the total amount of data available.
-.Pp
-.Fn BIO_set_mem_buf
-sets the internal BUF_MEM structure to
-.Fa bm
-and sets the close flag to
-.Fa c .
-That is,
-.Fa c
-should be either
-.Dv BIO_CLOSE
-or
-.Dv BIO_NOCLOSE .
-.Pp
-.Fn BIO_get_mem_ptr
-places the underlying
-.Vt BUF_MEM
-structure in
-.Pf * Fa pp .
-.Pp
-.Fn BIO_new_mem_buf
-creates a memory BIO using
-.Fa len
-bytes of data at
-.Fa buf .
-If
-.Fa len
-is -1, then
-.Fa buf
-is assumed to be NUL terminated and its length is determined by
-.Xr strlen 3 .
-The BIO is set to a read only state and as a result cannot be written to.
-This is useful when some data needs to be made available
-from a static area of memory in the form of a BIO.
-The supplied data is read directly from the supplied buffer:
-it is
-.Em not
-copied first, so the supplied area of memory must be unchanged
-until the BIO is freed.
-.Pp
-Writes to memory BIOs will always succeed if memory is available:
-their size can grow indefinitely.
-.Pp
-.Xr BIO_ctrl 3
-.Fa cmd
-arguments correspond to macros as follows:
-.Bl -column BIO_C_SET_BUF_MEM_EOF_RETURN BIO_set_mem_eof_return() -offset 3n
-.It Fa cmd No constant              Ta corresponding macro
-.It Dv BIO_C_GET_BUF_MEM_PTR        Ta Fn BIO_get_mem_ptr
-.It Dv BIO_C_SET_BUF_MEM            Ta Fn BIO_set_mem_buf
-.It Dv BIO_C_SET_BUF_MEM_EOF_RETURN Ta Fn BIO_set_mem_eof_return
-.It Dv BIO_CTRL_EOF                 Ta Xr BIO_eof 3
-.It Dv BIO_CTRL_GET_CLOSE           Ta Xr BIO_get_close 3
-.It Dv BIO_CTRL_INFO                Ta Fn BIO_get_mem_data
-.It Dv BIO_CTRL_PENDING             Ta Xr BIO_pending 3
-.It Dv BIO_CTRL_RESET               Ta Xr BIO_reset 3
-.It Dv BIO_CTRL_SET_CLOSE           Ta Xr BIO_set_close 3
-.It Dv BIO_CTRL_WPENDING            Ta Xr BIO_wpending 3
-.El
-.Sh RETURN VALUES
-.Fn BIO_s_mem
-returns a pointer to a static object.
-.Pp
-When called on a memory BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_MEM
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq memory buffer .
-.Pp
-.Fn BIO_set_mem_eof_return ,
-.Fn BIO_get_mem_data ,
-.Fn BIO_set_mem_buf ,
-and
-.Fn BIO_get_mem_ptr
-return 1 on success or a value less than or equal to 0 if an error occurred.
-.Pp
-.Fn BIO_new_mem_buf
-returns a newly allocated
-.Vt BIO
-object on success or
-.Dv NULL
-on error.
-.Sh EXAMPLES
-Create a memory BIO and write some data to it:
-.Bd -literal -offset indent
-BIO *mem = BIO_new(BIO_s_mem());
-BIO_puts(mem, "Hello World\en");
-.Ed
-.Pp
-Create a read only memory BIO:
-.Bd -literal -offset indent
-char data[] = "Hello World";
-BIO *mem;
-mem = BIO_new_mem_buf(data, -1);
-.Ed
-.Pp
-Extract the
-.Vt BUF_MEM
-structure from a memory BIO and then free up the BIO:
-.Bd -literal -offset indent
-BUF_MEM *bptr;
-BIO_get_mem_ptr(mem, &bptr);
-/* Make sure BIO_free() leaves BUF_MEM alone. */
-BIO_set_close(mem, BIO_NOCLOSE);
-BIO_free(mem);
-.Ed
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr BUF_MEM_new 3
-.Sh HISTORY
-.Fn BIO_s_mem
-first appeared in SSLeay 0.6.0.
-.Fn BIO_set_mem_buf
-and
-.Fn BIO_get_mem_ptr
-first appeared in SSLeay 0.6.5.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn BIO_set_mem_eof_return
-and
-.Fn BIO_get_mem_data
-first appeared in SSLeay 0.9.1 and have been available since
-.Ox 2.6 .
-.Pp
-.Fn BIO_new_mem_buf
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Sh CAVEATS
-Do not manually switch a writable memory BIO to read-only mode: calling
-.Xr BIO_set_flags 3
-with an argument of
-.Dv BIO_FLAGS_MEM_RDONLY
-will ultimately result in a memory leak when the BIO object is
-finally handed to
-.Xr BIO_free 3 .
-It might also cause security issues because it prevents
-.Xr BIO_reset 3
-from clearing the data.
-.Sh BUGS
-There should be an option to set the maximum size of a memory BIO.
-.Pp
-There should be a way to "rewind" a read/write BIO without destroying
-its contents.
diff --git a/src/lib/libcrypto/man/BIO_s_null.3 b/src/lib/libcrypto/man/BIO_s_null.3
deleted file mode 100644
index 6e7cad6d37..0000000000
--- a/src/lib/libcrypto/man/BIO_s_null.3
+++ /dev/null
@@ -1,101 +0,0 @@
-.\" $OpenBSD: BIO_s_null.3,v 1.10 2023/04/11 16:58:43 schwarze Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 11 2023 $
-.Dt BIO_S_NULL 3
-.Os
-.Sh NAME
-.Nm BIO_s_null
-.\" .Nm BIO_s_log is intentionally undocumented because it is unused
-.Nd null data sink
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft const BIO_METHOD *
-.Fo BIO_s_null
-.Fa void
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_s_null
-returns the null sink BIO method.
-Data written to the null sink is discarded, reads return EOF.
-.Pp
-A null sink BIO behaves in a similar manner to the
-.Xr null 4
-device.
-.Pp
-A null BIO can be placed on the end of a chain to discard any data
-passed through it.
-.Pp
-A null sink is useful if, for example, an application wishes
-to digest some data by writing through a digest bio
-but not send the digested data anywhere.
-Since a BIO chain must normally include a source/sink BIO,
-this can be achieved by adding a null sink BIO to the end of the chain.
-.Sh RETURN VALUES
-.Fn BIO_s_null
-returns the null sink BIO method.
-.Pp
-When called on a null sink BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_NULL
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq NULL ,
-not to be confused with a NUL string nor with a
-.Dv NULL
-pointer.
-.Sh SEE ALSO
-.Xr BIO_new 3
-.Sh HISTORY
-.Fn BIO_s_null
-first appeared in SSLeay 0.6.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/BIO_s_socket.3 b/src/lib/libcrypto/man/BIO_s_socket.3
deleted file mode 100644
index 402622b3bd..0000000000
--- a/src/lib/libcrypto/man/BIO_s_socket.3
+++ /dev/null
@@ -1,125 +0,0 @@
-.\"     $OpenBSD: BIO_s_socket.3,v 1.10 2023/04/11 16:58:43 schwarze Exp $
-.\"     OpenSSL bbdc9c98 Oct 19 22:02:21 2000 +0000
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 11 2023 $
-.Dt BIO_S_SOCKET 3
-.Os
-.Sh NAME
-.Nm BIO_s_socket ,
-.Nm BIO_new_socket
-.Nd socket BIO
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft const BIO_METHOD *
-.Fo BIO_s_socket
-.Fa void
-.Fc
-.Ft BIO *
-.Fo BIO_new_socket
-.Fa "int sock"
-.Fa "int close_flag"
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_s_socket
-returns the socket BIO method.
-This is a wrapper around the platform's socket routines.
-.Pp
-.Xr BIO_read 3
-and
-.Xr BIO_write 3
-read or write the underlying socket.
-.Xr BIO_puts 3
-is supported but
-.Xr BIO_gets 3
-is not.
-.Pp
-If the close flag is set, then the socket is shut down and closed
-when the BIO is freed.
-.Pp
-.Fn BIO_new_socket
-returns a socket BIO using
-.Fa sock
-and
-.Fa close_flag .
-.Pp
-Socket BIOs also support any relevant functionality of file descriptor BIOs.
-.Pp
-The reason for having separate file descriptor and socket BIOs
-is that on some platforms, sockets are not file descriptors
-and use distinct I/O routines.
-Windows is one such platform.
-Any code mixing the two will not work on all platforms.
-.Sh RETURN VALUES
-.Fn BIO_s_socket
-returns the socket BIO method.
-.Pp
-.Fn BIO_new_socket
-returns the newly allocated BIO or
-.Dv NULL
-if an error occurred.
-.Pp
-When called on a socket BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_SOCKET
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq socket .
-.Sh SEE ALSO
-.Xr BIO_get_fd 3 ,
-.Xr BIO_new 3
-.Sh HISTORY
-.Fn BIO_s_socket
-first appeared in SSLeay 0.6.0.
-.Fn BIO_new_socket
-first appeared in SSLeay 0.8.0.
-Both functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/BIO_set_callback.3 b/src/lib/libcrypto/man/BIO_set_callback.3
deleted file mode 100644
index 56a0102be6..0000000000
--- a/src/lib/libcrypto/man/BIO_set_callback.3
+++ /dev/null
@@ -1,396 +0,0 @@
-.\" $OpenBSD: BIO_set_callback.3,v 1.12 2023/04/30 13:57:29 schwarze Exp $
-.\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2016, 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 30 2023 $
-.Dt BIO_SET_CALLBACK 3
-.Os
-.Sh NAME
-.Nm BIO_callback_fn_ex ,
-.Nm BIO_set_callback_ex ,
-.Nm BIO_get_callback_ex ,
-.Nm BIO_callback_fn ,
-.Nm BIO_set_callback ,
-.Nm BIO_get_callback ,
-.Nm BIO_set_callback_arg ,
-.Nm BIO_get_callback_arg ,
-.Nm BIO_debug_callback
-.\" The following three macros are intentionally undocumented because
-.\" they are unused and would only cause obfuscation if they were used.
-.\" .Nm BIO_CB_return
-.\" .Nm BIO_cb_pre
-.\" .Nm BIO_cb_post
-.Nd BIO callback functions
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft typedef long
-.Fo (*BIO_callback_fn_ex)
-.Fa "BIO *b"
-.Fa "int oper"
-.Fa "const char *argp"
-.Fa "size_t len"
-.Fa "int argi"
-.Fa "long argl"
-.Fa "int ret"
-.Fa "size_t *processed"
-.Fc
-.Ft void
-.Fo BIO_set_callback_ex
-.Fa "BIO *b"
-.Fa "BIO_callback_fn_ex cb_ex"
-.Fc
-.Ft BIO_callback_fn_ex
-.Fo BIO_get_callback_ex
-.Fa "const BIO *b"
-.Fc
-.Ft typedef long
-.Fo (*BIO_callback_fn)
-.Fa "BIO *b"
-.Fa "int oper"
-.Fa "const char *argp"
-.Fa "int argi"
-.Fa "long argl"
-.Fa "long ret"
-.Fc
-.Ft void
-.Fo BIO_set_callback
-.Fa "BIO *b"
-.Fa "BIO_callback_fn cb"
-.Fc
-.Ft BIO_callback_fn
-.Fo BIO_get_callback
-.Fa "BIO *b"
-.Fc
-.Ft void
-.Fo BIO_set_callback_arg
-.Fa "BIO *b"
-.Fa "char *pointer"
-.Fc
-.Ft char *
-.Fo BIO_get_callback_arg
-.Fa "const BIO *b"
-.Fc
-.Ft long
-.Fo BIO_debug_callback
-.Fa "BIO *bio"
-.Fa "int oper"
-.Fa "const char *argp"
-.Fa "int argi"
-.Fa "long argl"
-.Fa "long ret"
-.Fc
-.Sh DESCRIPTION
-.Fn BIO_set_callback_ex
-and
-.Fn BIO_get_callback_ex
-set and retrieve the BIO callback.
-The callback is called during most high-level BIO operations.
-It can be used for debugging purposes to trace operations on a BIO
-or to modify its operation.
-.Pp
-.Fn BIO_set_callback
-and
-.Fn BIO_get_callback
-are deprecated functions that set and retrieve the old-style BIO callback,
-which is only used if no new-style callback is set with
-.Fn BIO_set_callback_ex .
-.Pp
-.Fn BIO_set_callback_arg
-stores the
-.Fa pointer
-internally in
-.Fa b
-and
-.Fn BIO_get_callback_arg
-retrieves it from
-.Fa b .
-The name of these two functions is badly misleading: the
-.Fa pointer
-is never passed as an argument to any callback function.
-But of course, callback functions can call
-.Fn BIO_get_callback_arg
-and access the pointer, just like any other code can.
-.Pp
-.Fn BIO_debug_callback
-is a standard debugging callback which prints
-out information related to each BIO operation.
-If
-.Fn BIO_set_callback_arg
-was called with a
-.Pf non- Dv NULL
-argument, information is sent to the BIO pointed to by the
-.Fa pointer ;
-otherwise, standard error output is used.
-.Pp
-The arguments of the callback functions are as follows:
-.Bl -tag -width Ds
-.It Fa b
-The BIO the callback is attached to.
-.It Fa oper
-The operation being performed, which is one of
-.Dv BIO_CB_CTRL ,
-.Dv BIO_CB_FREE ,
-.Dv BIO_CB_GETS ,
-.Dv BIO_CB_PUTS ,
-.Dv BIO_CB_READ ,
-or
-.Dv BIO_CB_WRITE .
-For some operations, the callback is called twice,
-once before and once after the actual operation.
-The latter case has
-.Fa oper
-OR'ed with
-.Dv BIO_CB_RETURN .
-.It Fa argp , argi , argl
-The meaning of these three arguments depends on the value of
-.Fa oper ,
-that is on the operation being performed.
-.It Fa len
-The length of the data requested to be read or written.
-This is only useful if
-.Fa oper
-is
-.Dv BIO_CB_READ ,
-.Dv BIO_CB_WRITE ,
-or
-.Dv BIO_CB_GETS .
-.It Fa ret
-When
-.Fa oper
-does not include
-.Dv BIO_CB_RETURN ,
-i.e. when the callback is invoked before an operation,
-the value passed into the callback via
-.Fa ret
-is always 1.
-In this case, if the callback returns a negative value, the library
-aborts the requested operation and instead returns the negative
-return value from the callback to the application.
-If the callback returns a non-negative value, that return value is
-ignored by the library, and the operation is performed normally.
-.Pp
-When
-.Fa oper
-includes
-.Dv BIO_CB_RETURN ,
-i.e. when the callback is invoked after an operation,
-the value passed into the callback via
-.Fa ret
-is the return value that the operation would return to the application
-if no callback were present.
-When a callback is present, the operation only passes this value
-to the callback and instead of it returns the return value of the
-callback to the application.
-.It Fa processed
-The location pointed to is updated with the number of bytes
-actually read or written.
-Only used for
-.Dv BIO_CB_READ ,
-.Dv BIO_CB_WRITE ,
-.Dv BIO_CB_GETS ,
-and
-.Dv BIO_CB_PUTS .
-.El
-.Pp
-The callback should normally simply return
-.Fa ret
-when it has finished processing, unless it specifically wishes to
-abort the operation or to modify the value returned to the application.
-.Pp
-The callbacks are called as follows:
-.Bl -tag -width 1n
-.It \&In Fn BIO_free "BIO *b" :
-.Bd -literal
-before the free operation:
-cb_ex(b, BIO_CB_FREE, NULL, 0, 0, 0, 1, NULL)
-or cb(b, BIO_CB_FREE, NULL,    0, 0, 1)
-.Ed
-.It \&In Fn BIO_read "BIO *b" "void *out" "int outl" :
-.Bd -literal
-before the read operation:
-cb_ex(b, BIO_CB_READ, out, outl, 0, 0, 1, NULL)
-or cb(b, BIO_CB_READ, out, outl,    0, 1)
-
-after the read operation:
-cb_ex(b, BIO_CB_READ|BIO_CB_RETURN, out, outl, 0, 0, ret, &bytes)
-or cb(b, BIO_CB_READ|BIO_CB_RETURN, out, outl,    0, ret)
-.Ed
-.It \&In Fn BIO_write "BIO *b" "const void *in" "int inl" :
-.Bd -literal
-before the write operation:
-cb_ex(b, BIO_CB_WRITE, in, inl, 0, 0, 1, NULL)
-or cb(b, BIO_CB_WRITE, in, inl,    0, 1)
-
-after the write operation:
-cb_ex(b, BIO_CB_WRITE|BIO_CB_RETURN, in, inl, 0, 0, ret, &bytes)
-or cb(b, BIO_CB_WRITE|BIO_CB_RETURN, in, inl,    0, ret)
-.Ed
-.It \&In Fn BIO_gets "BIO *b" "char *out" "int outl" :
-.Bd -literal
-before the read operation:
-cb_ex(b, BIO_CB_GETS, out, outl, 0, 0, 1, NULL)
-or cb(b, BIO_CB_GETS, out, outl,    0, 1)
-
-after the read operation:
-cb_ex(b, BIO_CB_GETS|BIO_CB_RETURN, out, outl, 0, 0, ret, &bytes)
-or cb(b, BIO_CB_GETS|BIO_CB_RETURN, out, outl,    0, ret)
-.Ed
-.It \&In Fn BIO_puts "BIO *b" "const char *in" :
-.Bd -literal
-before the write operation:
-cb_ex(b, BIO_CB_PUTS, in, 0, 0, 0, 1, NULL)
-or cb(b, BIO_CB_PUTS, in,    0, 0, 1)
-
-after the write operation:
-cb_ex(b, BIO_CB_PUTS|BIO_CB_RETURN, in, 0, 0, 0, ret, &bytes)
-or cb(b, BIO_CB_PUTS|BIO_CB_RETURN, in,    0, 0, ret)
-.Ed
-.It \&In Fn BIO_ctrl "BIO *b" "int cmd" "long larg" "void *parg" :
-.Bd -literal
-before the control operation:
-cb_ex(b, BIO_CB_CTRL, parg, 0, cmd, larg, 1, NULL)
-or cb(b, BIO_CB_CTRL, parg,    cmd, larg, 1)
-
-after the control operation:
-cb_ex(b, BIO_CB_CTRL|BIO_CB_RETURN, parg, 0, cmd, larg, ret, NULL)
-or cb(b, BIO_CB_CTRL|BIO_CB_RETURN, parg,    cmd, larg, ret)
-.Ed
-.It \&In Fn BIO_callback_ctrl "BIO *b" "int cmd" "BIO_info_cb *fp" :
-.Bd -literal
-before the control operation:
-cb_ex(b, BIO_CB_CTRL, fp, 0, cmd, 0, 1, NULL)
-or cb(b, BIO_CB_CTRL, fp,    cmd, 0, 1)
-
-after the control operation:
-cb_ex(b, BIO_CB_CTRL|BIO_CB_RETURN, fp, 0, cmd, 0, ret, NULL)
-or cb(b, BIO_CB_CTRL|BIO_CB_RETURN, fp,    cmd, 0, ret)
-.Ed
-.El
-.Sh RETURN VALUES
-.Fn BIO_get_callback_ex
-returns a pointer to the function
-.Fa cb_ex
-previously installed with
-.Fn BIO_set_callback_cb ,
-or
-.Dv NULL
-if no such callback was installed.
-.Pp
-.Fn BIO_get_callback
-returns a pointer to the function
-.Fa cb
-previously installed with
-.Fn BIO_set_callback ,
-or
-.Dv NULL
-if no such callback was installed.
-.Pp
-.Fn BIO_get_callback_arg
-returns the
-.Fa pointer
-previously set with
-.Fn BIO_set_callback_arg ,
-or
-.Dv NULL
-if no such pointer was set.
-.Pp
-.Fn BIO_debug_callback
-returns
-.Fa ret
-if the bit
-.Dv BIO_CB_RETURN
-is set in
-.Fa cmd ,
-or 1 otherwise.
-.Sh EXAMPLES
-The
-.Fn BIO_debug_callback
-function is a good example.
-Its source is in the file
-.Pa crypto/bio/bio_cb.c .
-.Sh SEE ALSO
-.Xr BIO_new 3
-.Sh HISTORY
-.Fn BIO_set_callback ,
-.Fn BIO_get_callback ,
-.Fn BIO_set_callback_arg ,
-and
-.Fn BIO_debug_callback
-first appeared in SSLeay 0.6.0.
-.Fn BIO_get_callback_arg
-first appeared in SSLeay 0.8.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn BIO_callback_fn
-first appeared in OpenSSL 1.1.0.
-.Fn BIO_callback_fn_ex ,
-.Fn BIO_set_callback_ex ,
-and
-.Fn BIO_get_callback_ex
-first appeared in OpenSSL 1.1.1.
-These functions have been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/BIO_should_retry.3 b/src/lib/libcrypto/man/BIO_should_retry.3
deleted file mode 100644
index 9b93743516..0000000000
--- a/src/lib/libcrypto/man/BIO_should_retry.3
+++ /dev/null
@@ -1,301 +0,0 @@
-.\" $OpenBSD: BIO_should_retry.3,v 1.11 2023/04/30 14:03:47 schwarze Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\" selective merge up to: OpenSSL 57fd5170 May 13 11:24:11 2018 +0200
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2010, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 30 2023 $
-.Dt BIO_SHOULD_RETRY 3
-.Os
-.Sh NAME
-.Nm BIO_should_read ,
-.Nm BIO_should_write ,
-.Nm BIO_should_io_special ,
-.Nm BIO_retry_type ,
-.Nm BIO_should_retry ,
-.Nm BIO_get_retry_BIO ,
-.Nm BIO_get_retry_reason ,
-.Nm BIO_set_retry_reason
-.Nd BIO retry functions
-.Sh SYNOPSIS
-.In openssl/bio.h
-.Ft int
-.Fo BIO_should_read
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_should_write
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_should_io_special
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_retry_type
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo BIO_should_retry
-.Fa "BIO *b"
-.Fc
-.Fd #define BIO_FLAGS_READ                      0x01
-.Fd #define BIO_FLAGS_WRITE                     0x02
-.Fd #define BIO_FLAGS_IO_SPECIAL                0x04
-.Fd #define BIO_FLAGS_RWS \e
-.Fd \&  (BIO_FLAGS_READ|BIO_FLAGS_WRITE|BIO_FLAGS_IO_SPECIAL)
-.Fd #define BIO_FLAGS_SHOULD_RETRY      0x08
-.Ft BIO *
-.Fo BIO_get_retry_BIO
-.Fa "BIO *bio"
-.Fa "int *reason"
-.Fc
-.Ft int
-.Fo BIO_get_retry_reason
-.Fa "BIO *bio"
-.Fc
-.Ft void
-.Fo BIO_set_retry_reason
-.Fa "BIO *bio"
-.Fa "int reason"
-.Fc
-.Sh DESCRIPTION
-These functions determine why a BIO is not able to read or write data.
-They will typically be called after a failed
-.Xr BIO_read 3
-or
-.Xr BIO_write 3
-call.
-.Pp
-.Fn BIO_should_retry
-returns 1 if the call that produced this condition should be retried
-at a later time, or 0 if an error occurred.
-.Pp
-.Fn BIO_should_read
-returns 1 if the cause of the retry condition is that a BIO needs
-to read data, or 0 otherwise.
-.Pp
-.Fn BIO_should_write
-returns 1 if the cause of the retry condition is that a BIO needs
-to write data, or 0 otherwise.
-.Pp
-.Fn BIO_should_io_special
-returns 1 if some special condition (i.e. a reason other than reading
-or writing) is the cause of the retry condition, or 0 otherwise.
-.Pp
-.Fn BIO_retry_type
-returns the bitwise OR of one or more of the flags
-.Dv BIO_FLAGS_READ ,
-.Dv BIO_FLAGS_WRITE ,
-and
-.Dv BIO_FLAGS_IO_SPECIAL
-representing the cause of the current retry condition,
-or 0 if there is no retry condition.
-Current BIO types only set one of the flags at a time.
-.Pp
-.Fn BIO_get_retry_BIO
-determines the precise reason for the special condition.
-It walks the BIO chain starting at
-.Fa bio
-and returns the BIO that caused this condition.
-If there is no special condition,
-.Fa bio
-itself is returned.
-If
-.Fa reason
-is not a
-.Dv NULL
-pointer,
-.Pf * Fa reason
-is set to one of the following reason codes:
-.Bl -tag -width 1n -offset 3n
-.It 0
-There is no special condition.
-.It Dv BIO_RR_ACCEPT
-.Xr accept 2
-would have blocked.
-This can occur for BIOs created from
-.Xr BIO_s_accept 3
-or
-.Xr BIO_f_ssl 3 .
-.It Dv BIO_RR_CONNECT
-.Xr connect 2
-would have blocked.
-This can occur for BIOs created from
-.Xr BIO_s_connect 3
-or
-.Xr BIO_f_ssl 3 .
-.It Dv BIO_RR_SSL_X509_LOOKUP
-An application callback set by
-.Xr SSL_CTX_set_client_cert_cb 3
-has asked to be called again.
-This can occur for BIOs created from
-.Xr BIO_f_ssl 3 .
-.El
-.Pp
-.Fn BIO_get_retry_reason
-returns one of the above reason codes for a special condition that occurred in
-.Fa bio .
-It does not walk the chain and returns 0 if no special condition occurred in
-.Fa bio
-itself.
-.Pp
-.Fn BIO_set_retry_reason
-sets the retry reason for a special condition for the given
-.Fa bio .
-It is intended to be called by functions implementing a BIO type
-rather than by functions merely using BIOs.
-.Pp
-.Fn BIO_should_retry ,
-.Fn BIO_should_read ,
-.Fn BIO_should_write ,
-.Fn BIO_should_io_special ,
-and
-.Fn BIO_retry_type
-are implemented as macros.
-.Pp
-If
-.Fn BIO_should_retry
-returns false, then the precise "error condition" depends on
-the BIO type that caused it and the return code of the BIO operation.
-For example if a call to
-.Xr BIO_read 3
-on a socket BIO returns 0 and
-.Fn BIO_should_retry
-is false, then the cause will be that the connection closed.
-A similar condition on a file BIO will mean that it has reached EOF.
-Some BIO types may place additional information on the error queue.
-For more details see the individual BIO type manual pages.
-.Pp
-If the underlying I/O structure is in a blocking mode,
-almost all current BIO types will not request a retry,
-because the underlying I/O calls will not.
-If the application knows that the BIO type will never
-signal a retry then it need not call
-.Fn BIO_should_retry
-after a failed BIO I/O call.
-This is typically done with file BIOs.
-.Pp
-SSL BIOs are the only current exception to this rule:
-they can request a retry even if the underlying I/O structure
-is blocking, if a handshake occurs during a call to
-.Xr BIO_read 3 .
-An application can retry the failed call immediately
-or avoid this situation by setting
-.Dv SSL_MODE_AUTO_RETRY
-on the underlying SSL structure.
-.Pp
-While an application may retry a failed non-blocking call immediately,
-this is likely to be very inefficient because the call will fail
-repeatedly until data can be processed or is available.
-An application will normally wait until the necessary condition
-is satisfied.
-How this is done depends on the underlying I/O structure.
-.Pp
-For example if the cause is ultimately a socket and
-.Fn BIO_should_read
-is true then a call to
-.Xr select 2
-may be made to wait until data is available
-and then retry the BIO operation.
-By combining the retry conditions of several non-blocking BIOs in a single
-.Xr select 2
-call it is possible to service several BIOs in a single thread,
-though the performance may be poor if SSL BIOs are present because
-long delays can occur during the initial handshake process.
-.Pp
-It is possible for a BIO to block indefinitely if the underlying I/O
-structure cannot process or return any data.
-This depends on the behaviour of the platforms I/O functions.
-This is often not desirable: one solution is to use non-blocking I/O
-and use a timeout on the
-.Xr select 2
-(or equivalent) call.
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr BIO_read 3
-.Sh HISTORY
-.Fn BIO_should_read ,
-.Fn BIO_should_write ,
-.Fn BIO_retry_type ,
-and
-.Fn BIO_should_retry
-first appeared in SSLeay 0.6.0.
-.Fn BIO_should_io_special ,
-.Fn BIO_get_retry_BIO ,
-and
-.Fn BIO_get_retry_reason
-first appeared in SSLeay 0.8.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn BIO_set_retry_reason
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.1 .
-.Sh BUGS
-The OpenSSL ASN.1 functions cannot gracefully deal with non-blocking I/O:
-they cannot retry after a partial read or write.
-This is usually worked around by only passing the relevant data to ASN.1
-functions when the entire structure can be read or written.
diff --git a/src/lib/libcrypto/man/BN_CTX_new.3 b/src/lib/libcrypto/man/BN_CTX_new.3
deleted file mode 100644
index 336b918896..0000000000
--- a/src/lib/libcrypto/man/BN_CTX_new.3
+++ /dev/null
@@ -1,123 +0,0 @@
-.\"     $OpenBSD: BN_CTX_new.3,v 1.10 2023/04/25 17:21:51 tb Exp $
-.\"     OpenSSL aafbe1cc Jun 12 23:42:08 2013 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 25 2023 $
-.Dt BN_CTX_NEW 3
-.Os
-.Sh NAME
-.Nm BN_CTX_new ,
-.Nm BN_CTX_free
-.Nd allocate and free BN_CTX structures
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft BN_CTX *
-.Fo BN_CTX_new
-.Fa void
-.Fc
-.Ft void
-.Fo BN_CTX_free
-.Fa "BN_CTX *c"
-.Fc
-.Sh DESCRIPTION
-A
-.Vt BN_CTX
-is a structure that holds
-.Vt BIGNUM
-temporary variables used by library functions.
-Since dynamic memory allocation to create
-.Vt BIGNUM Ns s
-is rather expensive when used in conjunction with repeated subroutine
-calls, the
-.Vt BN_CTX
-structure is used.
-.Pp
-.Fn BN_CTX_new
-allocates and initializes a
-.Vt BN_CTX
-structure.
-.Pp
-.Fn BN_CTX_free
-frees the components of the
-.Vt BN_CTX
-and, if it was created by
-.Fn BN_CTX_new ,
-also the structure itself.
-If
-.Xr BN_CTX_start 3
-has been used on the
-.Vt BN_CTX ,
-.Xr BN_CTX_end 3
-must be called before the
-.Vt BN_CTX
-may be freed by
-.Fn BN_CTX_free .
-If
-.Fa c
-is a
-.Dv NULL
-pointer, no action occurs.
-.Sh RETURN VALUES
-.Fn BN_CTX_new
-returns a pointer to the
-.Vt BN_CTX .
-If the allocation fails, it returns
-.Dv NULL
-and sets an error code that can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr BN_add 3 ,
-.Xr BN_CTX_start 3 ,
-.Xr BN_new 3
-.Sh HISTORY
-.Fn BN_CTX_new
-and
-.Fn BN_CTX_free
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/BN_CTX_start.3 b/src/lib/libcrypto/man/BN_CTX_start.3
deleted file mode 100644
index a2b62eff5c..0000000000
--- a/src/lib/libcrypto/man/BN_CTX_start.3
+++ /dev/null
@@ -1,137 +0,0 @@
-.\" $OpenBSD: BN_CTX_start.3,v 1.8 2019/08/20 10:59:09 schwarze Exp $
-.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 20 2019 $
-.Dt BN_CTX_START 3
-.Os
-.Sh NAME
-.Nm BN_CTX_start ,
-.Nm BN_CTX_get ,
-.Nm BN_CTX_end
-.Nd use temporary BIGNUM variables
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft void
-.Fo BN_CTX_start
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft BIGNUM *
-.Fo BN_CTX_get
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft void
-.Fo BN_CTX_end
-.Fa "BN_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-These functions are used to obtain temporary
-.Vt BIGNUM
-variables from a
-.Vt BN_CTX
-(which can be created using
-.Xr BN_CTX_new 3 )
-in order to save the overhead of repeatedly creating and freeing
-.Vt BIGNUM Ns s
-in functions that are called from inside a loop.
-.Pp
-A function must call
-.Fn BN_CTX_start
-first.
-Then,
-.Fn BN_CTX_get
-may be called repeatedly to obtain temporary
-.Vt BIGNUM Ns s .
-All
-.Fn BN_CTX_get
-calls must be made before calling any other functions that use the
-.Fa ctx
-as an argument.
-.Pp
-Finally,
-.Fn BN_CTX_end
-must be called before returning from the function.
-When
-.Fn BN_CTX_end
-is called, the
-.Vt BIGNUM
-pointers obtained from
-.Fn BN_CTX_get
-become invalid.
-If
-.Fa ctx
-is
-.Dv NULL ,
-no action occurs.
-.Sh RETURN VALUES
-.Fn BN_CTX_get
-returns a pointer to the
-.Vt BIGNUM ,
-or
-.Dv NULL
-on error.
-Once
-.Fn BN_CTX_get
-has failed, the subsequent calls will return
-.Dv NULL
-as well, so it is sufficient to check the return value of the last
-.Fn BN_CTX_get
-call.
-In case of an error, an error code is set which can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr BN_CTX_new 3 ,
-.Xr BN_new 3
-.Sh HISTORY
-.Fn BN_CTX_start ,
-.Fn BN_CTX_get ,
-and
-.Fn BN_CTX_end
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/BN_add.3 b/src/lib/libcrypto/man/BN_add.3
deleted file mode 100644
index e7de441b7a..0000000000
--- a/src/lib/libcrypto/man/BN_add.3
+++ /dev/null
@@ -1,646 +0,0 @@
-.\" $OpenBSD: BN_add.3,v 1.20 2023/04/27 09:47:03 tb Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ulf Moeller <ulf@openssl.org>
-.\" and Bodo Moeller <bodo@openssl.org>.
-.\" Copyright (c) 2000, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 27 2023 $
-.Dt BN_ADD 3
-.Os
-.Sh NAME
-.Nm BN_add ,
-.Nm BN_uadd ,
-.Nm BN_sub ,
-.Nm BN_usub ,
-.Nm BN_mul ,
-.Nm BN_sqr ,
-.Nm BN_div ,
-.Nm BN_mod ,
-.Nm BN_nnmod ,
-.Nm BN_mod_add ,
-.Nm BN_mod_add_quick ,
-.Nm BN_mod_sub ,
-.Nm BN_mod_sub_quick ,
-.Nm BN_mod_mul ,
-.Nm BN_mod_sqr ,
-.Nm BN_mod_lshift ,
-.Nm BN_mod_lshift_quick ,
-.Nm BN_mod_lshift1 ,
-.Nm BN_mod_lshift1_quick ,
-.Nm BN_exp ,
-.Nm BN_mod_exp ,
-.\" The following are public, but intentionally undocumented for now:
-.\" .Nm BN_mod_exp_mont ,  r \(== a ^ p (mod m)
-.\" .Nm BN_mod_exp_mont_consttime ,
-.\" .Nm BN_mod_exp_mont_word ,
-.\" .Nm BN_mod_exp_simple ,
-.\" .Nm BN_mod_exp2_mont   r \(== (a1 ^ p1) * (a2 ^ p2) (mod m)
-.\" Maybe they should be deleted from <openssl/bn.h>.
-.Nm BN_gcd
-.Nd arithmetic operations on BIGNUMs
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft int
-.Fo BN_add
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fc
-.Ft int
-.Fo BN_uadd
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fc
-.Ft int
-.Fo BN_sub
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fc
-.Ft int
-.Fo BN_usub
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fc
-.Ft int
-.Fo BN_mul
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo BN_sqr
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo BN_div
-.Fa "BIGNUM *dv"
-.Fa "BIGNUM *rem"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *d"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo BN_mod
-.Fa "BIGNUM *rem"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *m"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo BN_nnmod
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *m"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo BN_mod_add
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "const BIGNUM *m"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo BN_mod_add_quick
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "const BIGNUM *m"
-.Fc
-.Ft int
-.Fo BN_mod_sub
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "const BIGNUM *m"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo BN_mod_sub_quick
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "const BIGNUM *m"
-.Fc
-.Ft int
-.Fo BN_mod_mul
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "const BIGNUM *m"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo BN_mod_sqr
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *m"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo BN_mod_lshift
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "int n"
-.Fa "const BIGNUM *m"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo BN_mod_lshift_quick
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "int n"
-.Fa "const BIGNUM *m"
-.Fc
-.Ft int
-.Fo BN_mod_lshift1
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *m"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo BN_mod_lshift1_quick
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *m"
-.Fc
-.Ft int
-.Fo BN_exp
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *p"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo BN_mod_exp
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *p"
-.Fa "const BIGNUM *m"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo BN_gcd
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn BN_add
-adds
-.Fa a
-and
-.Fa b
-and places the result in
-.Fa r
-.Pq Li r=a+b .
-.Fa r
-may be the same
-.Vt BIGNUM
-as
-.Fa a
-or
-.Fa b .
-.Pp
-.Fn BN_uadd
-adds the absolute values of
-.Fa a
-and
-.Fa b
-and places the result in
-.Fa r
-.Pq Li r=|a|+|b|\& .
-.Fa r
-may be the same
-.Vt BIGNUM
-as
-.Fa a
-or
-.Fa b .
-.Pp
-.Fn BN_sub
-subtracts
-.Fa b
-from
-.Fa a
-and places the result in
-.Fa r
-.Pq Li r=a-b .
-.Fa r
-may be the same
-.Vt BIGNUM
-as
-.Fa a
-or
-.Fa b .
-.Pp
-.Fn BN_usub
-subtracts the absolute value of
-.Fa b
-from the absolute value of
-.Fa a
-and places the result in
-.Fa r
-.Pq Li r=|a|-|b|\& .
-It requires the absolute value of
-.Fa a
-to be greater than the absolute value of
-.Fa b ;
-otherwise it will fail.
-.Fa r
-may be the same
-.Vt BIGNUM
-as
-.Fa a
-or
-.Fa b .
-.Pp
-.Fn BN_mul
-multiplies
-.Fa a
-and
-.Fa b
-and places the result in
-.Fa r
-.Pq Li r=a*b .
-.Fa r
-may be the same
-.Vt BIGNUM
-as
-.Fa a
-or
-.Fa b .
-For multiplication by powers of 2, use
-.Xr BN_lshift 3 .
-.Pp
-.Fn BN_sqr
-takes the square of
-.Fa a
-and places the result in
-.Fa r
-.Pq Li r=a^2 .
-.Fa r
-and
-.Fa a
-may be the same
-.Vt BIGNUM .
-This function is faster than
-.Fn BN_mul r a a .
-.Pp
-.Fn BN_div
-divides
-.Fa a
-by
-.Fa d
-and places the result in
-.Fa dv
-and the remainder in
-.Fa rem
-.Pq Li dv=a/d , rem=a%d .
-If the flag
-.Dv BN_FLG_CONSTTIME
-is set on
-.Fa a
-or
-.Fa d ,
-it operates in constant time.
-Either of
-.Fa dv
-and
-.Fa rem
-may be
-.Dv NULL ,
-in which case the respective value is not returned.
-The result is rounded towards zero; thus if
-.Fa a
-is negative, the remainder will be zero or negative.
-For division by powers of 2, use
-.Fn BN_rshift 3 .
-.Pp
-.Fn BN_mod
-corresponds to
-.Fn BN_div
-with
-.Fa dv
-set to
-.Dv NULL .
-It is implemented as a macro.
-.Pp
-.Fn BN_nnmod
-reduces
-.Fa a
-modulo
-.Fa m
-and places the non-negative remainder in
-.Fa r .
-.Pp
-.Fn BN_mod_add
-adds
-.Fa a
-to
-.Fa b
-modulo
-.Fa m
-and places the non-negative result in
-.Fa r .
-.Pp
-.Fn BN_mod_add_quick
-is a variant of
-.Fn BN_mod_add
-that requires
-.Fa a
-and
-.Fa b
-to both be non-negative and smaller than
-.Fa m .
-If any of these constraints are violated,
-it silently produces wrong results.
-.Pp
-.Fn BN_mod_sub
-subtracts
-.Fa b
-from
-.Fa a
-modulo
-.Fa m
-and places the non-negative result in
-.Fa r .
-.Pp
-.Fn BN_mod_sub_quick
-is a variant of
-.Fn BN_mod_sub
-that requires
-.Fa a
-and
-.Fa b
-to both be non-negative and smaller than
-.Fa m .
-If any of these constraints are violated,
-it silently produces wrong results.
-.Pp
-.Fn BN_mod_mul
-multiplies
-.Fa a
-by
-.Fa b
-and finds the non-negative remainder respective to modulus
-.Fa m
-.Pq Li r=(a*b)%m .
-.Fa r
-may be the same
-.Vt BIGNUM
-as
-.Fa a
-or
-.Fa b .
-For a more efficient algorithm for repeated computations using the same
-modulus, see
-.Xr BN_mod_mul_montgomery 3 .
-.Pp
-.Fn BN_mod_sqr
-takes the square of
-.Fa a
-modulo
-.Fa m
-and places the result in
-.Fa r .
-.Pp
-.Fn BN_mod_lshift
-shifts
-.Fa a
-left by
-.Fa n
-bits, reduces the result modulo
-.Fa m ,
-and places the non-negative remainder in
-.Fa r
-.Pq Li r=a*2^n mod m .
-.Pp
-.Fn BN_mod_lshift1
-shifts
-.Fa a
-left by one bit, reduces the result modulo
-.Fa m ,
-and places the non-negative remainder in
-.Fa r
-.Pq Li r=a*2 mod m .
-.Pp
-.Fn BN_mod_lshift_quick
-and
-.Fn BN_mod_lshift1_quick
-are variants of
-.Fn BN_mod_lshift
-and
-.Fn BN_mod_lshift1 ,
-respectively, that require
-.Fa a
-to be non-negative and less than
-.Fa m .
-If either of these constraints is violated, they sometimes fail
-and sometimes silently produce wrong results.
-.Pp
-.Fn BN_exp
-raises
-.Fa a
-to the
-.Fa p Ns -th
-power and places the result in
-.Fa r
-.Pq Li r=a^p .
-This function is faster than repeated applications of
-.Fn BN_mul .
-.Pp
-.Fn BN_mod_exp
-computes
-.Fa a
-to the
-.Fa p Ns -th
-power modulo
-.Fa m
-.Pq Li r=(a^p)%m .
-If the flag
-.Dv BN_FLG_CONSTTIME
-is set on
-.Fa p ,
-it operates in constant time.
-This function uses less time and space than
-.Fn BN_exp .
-.Pp
-.Fn BN_gcd
-computes the greatest common divisor of
-.Fa a
-and
-.Fa b
-and places the result in
-.Fa r .
-.Fa r
-may be the same
-.Vt BIGNUM
-as
-.Fa a
-or
-.Fa b .
-.Pp
-For all functions,
-.Fa ctx
-is a previously allocated
-.Vt BN_CTX
-used for temporary variables; see
-.Xr BN_CTX_new 3 .
-.Pp
-Unless noted otherwise, the result
-.Vt BIGNUM
-must be different from the arguments.
-.Sh RETURN VALUES
-For all functions, 1 is returned for success, 0 on error.
-The return value should always be checked, for example:
-.Pp
-.Dl if (!BN_add(r,a,b)) goto err;
-.Pp
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr BN_add_word 3 ,
-.Xr BN_CTX_new 3 ,
-.Xr BN_new 3 ,
-.Xr BN_set_bit 3 ,
-.Xr BN_set_flags 3 ,
-.Xr BN_set_negative 3
-.Sh HISTORY
-.Fn BN_add ,
-.Fn BN_sub ,
-.Fn BN_mul ,
-.Fn BN_sqr ,
-.Fn BN_div ,
-.Fn BN_mod ,
-.Fn BN_mod_mul ,
-.Fn BN_mod_exp ,
-and
-.Fn BN_gcd
-first appeared in SSLeay 0.5.1.
-.Fn BN_exp
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn BN_uadd ,
-.Fn BN_usub ,
-and the
-.Fa ctx
-argument to
-.Fn BN_mul
-first appeared in SSLeay 0.9.1 and have been available since
-.Ox 2.6 .
-.Pp
-.Fn BN_nnmod ,
-.Fn BN_mod_add ,
-.Fn BN_mod_add_quick ,
-.Fn BN_mod_sub ,
-.Fn BN_mod_sub_quick ,
-.Fn BN_mod_sqr ,
-.Fn BN_mod_lshift ,
-.Fn BN_mod_lshift_quick ,
-.Fn BN_mod_lshift1 ,
-and
-.Fn BN_mod_lshift1_quick
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Sh BUGS
-Even if the
-.Dv BN_FLG_CONSTTIME
-flag is set on
-.Fa a
-or
-.Fa b ,
-.Fn BN_gcd
-neither fails nor operates in constant time, potentially allowing
-timing side-channel attacks.
-.Pp
-Even if the
-.Dv BN_FLG_CONSTTIME
-flag is set on
-.Fa p ,
-if the modulus
-.Fa m
-is even,
-.Fn BN_mod_exp
-does not operate in constant time, potentially allowing
-timing side-channel attacks.
-.Pp
-If
-.Dv BN_FLG_CONSTTIME
-is set on
-.Fa p ,
-.Fn BN_exp
-fails instead of operating in constant time.
diff --git a/src/lib/libcrypto/man/BN_add_word.3 b/src/lib/libcrypto/man/BN_add_word.3
deleted file mode 100644
index 161029c302..0000000000
--- a/src/lib/libcrypto/man/BN_add_word.3
+++ /dev/null
@@ -1,182 +0,0 @@
-.\" $OpenBSD: BN_add_word.3,v 1.10 2022/11/22 19:02:07 schwarze Exp $
-.\" full merge up to: OpenSSL 9e183d22 Mar 11 08:56:44 2017 -0500
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 22 2022 $
-.Dt BN_ADD_WORD 3
-.Os
-.Sh NAME
-.Nm BN_add_word ,
-.Nm BN_sub_word ,
-.Nm BN_mul_word ,
-.Nm BN_div_word ,
-.Nm BN_mod_word
-.Nd arithmetic functions on BIGNUMs with integers
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft int
-.Fo BN_add_word
-.Fa "BIGNUM *a"
-.Fa "BN_ULONG w"
-.Fc
-.Ft int
-.Fo BN_sub_word
-.Fa "BIGNUM *a"
-.Fa "BN_ULONG w"
-.Fc
-.Ft int
-.Fo BN_mul_word
-.Fa "BIGNUM *a"
-.Fa "BN_ULONG w"
-.Fc
-.Ft BN_ULONG
-.Fo BN_div_word
-.Fa "BIGNUM *a"
-.Fa "BN_ULONG w"
-.Fc
-.Ft BN_ULONG
-.Fo BN_mod_word
-.Fa "const BIGNUM *a"
-.Fa "BN_ULONG w"
-.Fc
-.Sh DESCRIPTION
-These functions perform arithmetic operations on BIGNUMs with unsigned
-integers.
-They are much more efficient than the normal BIGNUM arithmetic
-operations.
-.Pp
-.Vt BN_ULONG
-is a macro that expands to
-.Vt unsigned long Pq = Vt uint64_t
-on
-.Dv _LP64
-platforms and
-.Vt unsigned int Pq = Vt uint32_t
-elsewhere.
-.Pp
-.Fn BN_add_word
-adds
-.Fa w
-to
-.Fa a
-.Pq Li a+=w .
-.Pp
-.Fn BN_sub_word
-subtracts
-.Fa w
-from
-.Fa a
-.Pq Li a-=w .
-.Pp
-.Fn BN_mul_word
-multiplies
-.Fa a
-and
-.Fa w
-.Pq Li a*=w .
-.Pp
-.Fn BN_div_word
-divides
-.Fa a
-by
-.Fa w
-.Pq Li a/=w
-and returns the remainder.
-.Pp
-.Fn BN_mod_word
-returns the remainder of
-.Fa a
-divided by
-.Fa w
-.Pq Li a%w .
-.Pp
-For
-.Fn BN_div_word
-and
-.Fn BN_mod_word ,
-.Fa w
-must not be 0.
-.Sh RETURN VALUES
-.Fn BN_add_word ,
-.Fn BN_sub_word ,
-and
-.Fn BN_mul_word
-return 1 for success or 0 on error.
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Pp
-.Fn BN_mod_word
-and
-.Fn BN_div_word
-return
-.Fa a Ns % Ns Fa w
-on success and
-.Po Vt BN_ULONG Pc Ns -1
-if an error occurred.
-.Sh SEE ALSO
-.Xr BN_add 3 ,
-.Xr BN_new 3
-.Sh HISTORY
-.Fn BN_add_word ,
-.Fn BN_div_word ,
-and
-.Fn BN_mod_word
-first appeared in SSLeay 0.5.1.
-.Fn BN_sub_word
-and
-.Fn BN_mul_word
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-Before 0.9.8a, the return value for
-.Fn BN_div_word
-and
-.Fn BN_mod_word
-in case of an error was 0.
diff --git a/src/lib/libcrypto/man/BN_bn2bin.3 b/src/lib/libcrypto/man/BN_bn2bin.3
deleted file mode 100644
index 0fe9a90738..0000000000
--- a/src/lib/libcrypto/man/BN_bn2bin.3
+++ /dev/null
@@ -1,388 +0,0 @@
-.\" $OpenBSD: BN_bn2bin.3,v 1.16 2023/07/09 06:45:03 tb Exp $
-.\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>
-.\" and Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 9 2023 $
-.Dt BN_BN2BIN 3
-.Os
-.Sh NAME
-.Nm BN_bn2bin ,
-.Nm BN_bn2binpad ,
-.Nm BN_bin2bn ,
-.Nm BN_bn2lebinpad ,
-.Nm BN_lebin2bn ,
-.Nm BN_bn2hex ,
-.Nm BN_bn2dec ,
-.Nm BN_hex2bn ,
-.Nm BN_dec2bn ,
-.Nm BN_asc2bn ,
-.Nm BN_print ,
-.Nm BN_print_fp ,
-.Nm BN_bn2mpi ,
-.Nm BN_mpi2bn
-.Nd format conversions
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft int
-.Fo BN_bn2bin
-.Fa "const BIGNUM *a"
-.Fa "unsigned char *to"
-.Fc
-.Ft int
-.Fo BN_bn2binpad
-.Fa "const BIGNUM *a"
-.Fa "unsigned char *to"
-.Fa "int tolen"
-.Fc
-.Ft BIGNUM *
-.Fo BN_bin2bn
-.Fa "const unsigned char *s"
-.Fa "int len"
-.Fa "BIGNUM *ret"
-.Fc
-.Ft int
-.Fo BN_bn2lebinpad
-.Fa "const BIGNUM *a"
-.Fa "unsigned char *to"
-.Fa "int tolen"
-.Fc
-.Ft BIGNUM *
-.Fo BN_lebin2bn
-.Fa "const unsigned char *s"
-.Fa "int len"
-.Fa "BIGNUM *ret"
-.Fc
-.Ft char *
-.Fo BN_bn2hex
-.Fa "const BIGNUM *a"
-.Fc
-.Ft char *
-.Fo BN_bn2dec
-.Fa "const BIGNUM *a"
-.Fc
-.Ft int
-.Fo BN_hex2bn
-.Fa "BIGNUM **ap"
-.Fa "const char *str"
-.Fc
-.Ft int
-.Fo BN_dec2bn
-.Fa "BIGNUM **ap"
-.Fa "const char *str"
-.Fc
-.Ft int
-.Fo BN_asc2bn
-.Fa "BIGNUM **ap"
-.Fa "const char *str"
-.Fc
-.Ft int
-.Fo BN_print
-.Fa "BIO *fp"
-.Fa "const BIGNUM *a"
-.Fc
-.Ft int
-.Fo BN_print_fp
-.Fa "FILE *fp"
-.Fa "const BIGNUM *a"
-.Fc
-.Ft int
-.Fo BN_bn2mpi
-.Fa "const BIGNUM *a"
-.Fa "unsigned char *to"
-.Fc
-.Ft BIGNUM *
-.Fo BN_mpi2bn
-.Fa "unsigned char *s"
-.Fa "int len"
-.Fa "BIGNUM *ret"
-.Fc
-.Sh DESCRIPTION
-.Fn BN_bn2bin
-converts the absolute value of
-.Fa a
-into big-endian form and stores it at
-.Fa to .
-.Fa to
-must point to
-.Fn BN_num_bytes a
-bytes of memory.
-.Pp
-.Fn BN_bn2binpad
-also converts the absolute value of
-.Fa a
-into big-endian form and stores it at
-.Fa to .
-.Fa tolen
-indicates the length of the output buffer
-.Pf * Fa to .
-The result is padded with zeros if necessary.
-If
-.Fa tolen
-is less than
-.Fn BN_num_bytes a ,
-an error is returned.
-.Pp
-.Fn BN_bin2bn
-converts the positive integer in big-endian form of length
-.Fa len
-at
-.Fa s
-into a
-.Vt BIGNUM
-and places it in
-.Fa ret .
-If
-.Fa ret
-is
-.Dv NULL ,
-a new
-.Vt BIGNUM
-is created.
-.Pp
-.Fn BN_bn2lebinpad
-and
-.Fn BN_lebin2bn
-are identical to
-.Fn BN_bn2binpad
-and
-.Fn BN_bin2bn
-except the buffer
-.Pf * Fa to
-is in little-endian format.
-.Pp
-.Fn BN_bn2hex
-and
-.Fn BN_bn2dec
-return printable strings containing the hexadecimal and decimal encoding of
-.Fa a
-respectively.
-For negative numbers, the string is prefaced with a leading minus sign.
-The string must be freed later using
-.Xr free 3 .
-.Pp
-.Fn BN_hex2bn
-interprets
-.Fa str
-as a hexadecimal number.
-The string may start with a minus sign
-.Pq Sq - .
-Conversion stops at the first byte that is not a hexadecimal digit.
-The number is converted to a
-.Vt BIGNUM
-and stored in
-.Pf ** Fa ap .
-If
-.Pf * Fa ap
-is
-.Dv NULL ,
-a new
-.Vt BIGNUM
-is created.
-If
-.Fa ap
-is
-.Dv NULL ,
-it only computes the number's length in hexadecimal digits,
-also counting the leading minus sign if there is one.
-A "negative zero" is converted to zero.
-.Fn BN_dec2bn
-is the same using the decimal system.
-.Fn BN_asc2bn
-infers the number base from an optional prefix.
-If
-.Fa str
-starts with
-.Qq 0x
-or
-.Qq 0X ,
-it calls
-.Fn BN_hex2bn ,
-otherwise
-.Fn BN_dec2bn .
-If the number is negative, the minus sign can be given before or
-after the prefix.
-.Pp
-.Fn BN_print
-and
-.Fn BN_print_fp
-write the hexadecimal encoding of
-.Fa a ,
-with a leading minus sign for negative numbers, to the
-.Vt BIO
-or
-.Vt FILE
-.Fa fp .
-.Pp
-.Fn BN_bn2mpi
-and
-.Fn BN_mpi2bn
-convert
-.Vt BIGNUM Ns s
-from and to a format that consists of the number's length in bytes
-represented as a 4-byte big-endian number, and the number itself in
-big-endian format, where the most significant bit signals a negative
-number (the representation of numbers with the MSB set is prefixed with
-a NUL byte).
-.Pp
-.Fn BN_bn2mpi
-stores the representation of
-.Fa a
-at
-.Fa to ,
-where
-.Pf * Fa to
-must be large enough to hold the result.
-The size can be determined by calling
-.Fn BN_bn2mpi a  NULL .
-.Pp
-.Fn BN_mpi2bn
-converts the
-.Fa len
-bytes long representation at
-.Fa s
-to a
-.Vt BIGNUM
-and stores it at
-.Fa ret ,
-or in a newly allocated
-.Vt BIGNUM
-if
-.Fa ret
-is
-.Dv NULL .
-.Sh RETURN VALUES
-.Fn BN_bn2bin
-returns the length of the big-endian number placed at
-.Fa to .
-.Pp
-.Fn BN_bn2binpad
-and
-.Fn BN_bn2lebinpad
-return the number of bytes written
-or \-1 if the supplied buffer is too small.
-.Pp
-.Fn BN_bin2bn
-and
-.Fn BN_lebin2bn
-return the
-.Vt BIGNUM ,
-or
-.Dv NULL
-on error.
-.Pp
-.Fn BN_bn2hex
-and
-.Fn BN_bn2dec
-return a NUL-terminated string, or
-.Dv NULL
-on error.
-.Fn BN_hex2bn
-and
-.Fn BN_dec2bn
-return the number's length in hexadecimal or decimal digits,
-also counting the leading minus sign if there is one,
-or 0 on error, in which case no new
-.Vt BIGNUM
-is created.
-.Fn BN_asc2bn
-returns 1 on success or 0 on error, in which case no new
-.Vt BIGNUM
-is created.
-.Pp
-.Fn BN_print_fp
-and
-.Fn BN_print
-return 1 on success, 0 on write errors.
-.Pp
-.Fn BN_bn2mpi
-returns the length of the representation.
-.Fn BN_mpi2bn
-returns the
-.Vt BIGNUM ,
-or
-.Dv NULL
-on error.
-.Pp
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr ASN1_INTEGER_to_BN 3 ,
-.Xr BN_new 3 ,
-.Xr BN_num_bytes 3 ,
-.Xr BN_zero 3
-.Sh HISTORY
-.Fn BN_bn2bin ,
-.Fn BN_bin2bn ,
-and
-.Fn BN_print
-first appeared in SSLeay 0.5.1.
-.Fn BN_print_fp
-first appeared in SSLeay 0.6.0.
-.Fn BN_bn2hex ,
-.Fn BN_bn2dec ,
-.Fn BN_hex2bn ,
-.Fn BN_dec2bn ,
-.Fn BN_bn2mpi ,
-and
-.Fn BN_mpi2bn
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn BN_asc2bin
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
-.Pp
-.Fn BN_bn2binpad ,
-.Fn BN_bn2lebinpad ,
-and
-.Fn BN_lebin2bn
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.0 .
diff --git a/src/lib/libcrypto/man/BN_cmp.3 b/src/lib/libcrypto/man/BN_cmp.3
deleted file mode 100644
index ba973313f0..0000000000
--- a/src/lib/libcrypto/man/BN_cmp.3
+++ /dev/null
@@ -1,169 +0,0 @@
-.\" $OpenBSD: BN_cmp.3,v 1.10 2022/11/22 19:02:07 schwarze Exp $
-.\" full merge up to: OpenSSL 5b31b9df Aug 4 10:45:52 2021 +0300
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 22 2022 $
-.Dt BN_CMP 3
-.Os
-.Sh NAME
-.Nm BN_cmp ,
-.Nm BN_ucmp ,
-.Nm BN_is_zero ,
-.Nm BN_is_one ,
-.Nm BN_is_word ,
-.Nm BN_abs_is_word ,
-.Nm BN_is_odd
-.Nd BIGNUM comparison and test functions
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft int
-.Fo BN_cmp
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fc
-.Ft int
-.Fo BN_ucmp
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fc
-.Ft int
-.Fo BN_is_zero
-.Fa "const BIGNUM *a"
-.Fc
-.Ft int
-.Fo BN_is_one
-.Fa "const BIGNUM *a"
-.Fc
-.Ft int
-.Fo BN_is_word
-.Fa "const BIGNUM *a"
-.Fa "const BN_ULONG w"
-.Fc
-.Ft int
-.Fo BN_abs_is_word
-.Fa "const BIGNUM *a"
-.Fa "const BN_ULONG w"
-.Fc
-.Ft int
-.Fo BN_is_odd
-.Fa "const BIGNUM *a"
-.Fc
-.Sh DESCRIPTION
-.Fn BN_cmp
-compares the numbers
-.Fa a
-and
-.Fa b .
-.Fn BN_ucmp
-compares their absolute values.
-.Pp
-.Fn BN_is_zero ,
-.Fn BN_is_one
-and
-.Fn BN_is_word
-test if
-.Fa a
-equals 0, 1, or
-.Fa w
-respectively.
-.Fn BN_abs_is_word
-tests if the absolute value of
-.Fa a
-equals
-.Fa w .
-.Fn BN_is_odd
-tests if a is odd.
-.Pp
-.Vt BN_ULONG
-is a macro that expands to
-.Vt unsigned long Pq = Vt uint64_t
-on
-.Dv _LP64
-platforms and
-.Vt unsigned int Pq = Vt uint32_t
-elsewhere.
-.Sh RETURN VALUES
-.Fn BN_cmp
-returns -1 if
-.Fa a Ns < Ns Fa b ,
-0 if
-.Fa a Ns == Ns Fa b ,
-and 1 if
-.Fa a Ns > Ns Fa b .
-.Fn BN_ucmp
-is the same using the absolute values of
-.Fa a
-and
-.Fa b .
-.Pp
-.Fn BN_is_zero ,
-.Fn BN_is_one ,
-.Fn BN_is_word ,
-.Fn BN_abs_is_word ,
-and
-.Fn BN_is_odd
-return 1 if the condition is true, 0 otherwise.
-.Sh SEE ALSO
-.Xr BN_new 3
-.Sh HISTORY
-.Fn BN_cmp ,
-.Fn BN_ucmp ,
-.Fn BN_is_zero ,
-.Fn BN_is_one ,
-and
-.Fn BN_is_word
-first appeared in SSLeay 0.5.1.
-.Fn BN_is_odd
-first appeared in SSLeay 0.8.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn BN_abs_is_word
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/BN_copy.3 b/src/lib/libcrypto/man/BN_copy.3
deleted file mode 100644
index 383255e382..0000000000
--- a/src/lib/libcrypto/man/BN_copy.3
+++ /dev/null
@@ -1,165 +0,0 @@
-.\"     $OpenBSD: BN_copy.3,v 1.10 2021/12/06 19:45:27 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>
-.\" and Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2000, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2021 $
-.Dt BN_COPY 3
-.Os
-.Sh NAME
-.Nm BN_copy ,
-.Nm BN_dup ,
-.Nm BN_with_flags
-.Nd copy BIGNUMs
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft BIGNUM *
-.Fo BN_copy
-.Fa "BIGNUM *to"
-.Fa "const BIGNUM *from"
-.Fc
-.Ft BIGNUM *
-.Fo BN_dup
-.Fa "const BIGNUM *from"
-.Fc
-.Ft void
-.Fo BN_with_flags
-.Fa "BIGNUM *dest"
-.Fa "const BIGNUM *b"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn BN_copy
-copies
-.Fa from
-to
-.Fa to .
-.Pp
-.Fn BN_dup
-creates a new
-.Vt BIGNUM
-containing the value
-.Fa from .
-.Pp
-.Fn BN_with_flags
-creates a
-.Em temporary
-shallow copy of
-.Fa b
-in
-.Fa dest .
-It places significant restrictions on the copied data.
-Applications that do not adhere to these restrictions
-may encounter unexpected side effects or crashes.
-For that reason, use of this function is discouraged.
-.Pp
-Any flags provided in
-.Fa flags
-will be set in
-.Fa dest
-in addition to any flags already set in
-.Fa b .
-For example, this can be used to create a temporary copy of a
-.Vt BIGNUM
-with the
-.Dv BN_FLG_CONSTTIME
-flag set for constant time operations.
-.Pp
-The temporary copy in
-.Fa dest
-will share some internal state with
-.Fa b .
-For this reason, the following restrictions apply to the use of
-.Fa dest :
-.Bl -bullet
-.It
-.Fa dest
-should be a newly allocated
-.Vt BIGNUM
-obtained via a call to
-.Xr BN_new 3 .
-It should not have been used for other purposes or initialised in any way.
-.It
-.Fa dest
-must only be used in "read-only" operations, i.e. typically those
-functions where the relevant parameter is declared "const".
-.It
-.Fa dest
-must be used and freed before any further subsequent use of
-.Fa b .
-.El
-.Sh RETURN VALUES
-.Fn BN_copy
-returns
-.Fa to
-on success or
-.Dv NULL
-on error.
-.Fn BN_dup
-returns the new
-.Vt BIGNUM
-or
-.Dv NULL
-on error.
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr BN_new 3 ,
-.Xr BN_set_flags 3
-.Sh HISTORY
-.Fn BN_copy
-and
-.Fn BN_dup
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn BN_with_flags
-first appeared in OpenSSL 0.9.7h and 0.9.8a
-and has been available since
-.Ox 4.0 .
diff --git a/src/lib/libcrypto/man/BN_generate_prime.3 b/src/lib/libcrypto/man/BN_generate_prime.3
deleted file mode 100644
index d9144155c6..0000000000
--- a/src/lib/libcrypto/man/BN_generate_prime.3
+++ /dev/null
@@ -1,375 +0,0 @@
-.\" $OpenBSD: BN_generate_prime.3,v 1.25 2023/12/29 19:12:46 tb Exp $
-.\" full merge up to: OpenSSL f987a4dd Jun 27 10:12:08 2019 +0200
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ulf Moeller <ulf@openssl.org>
-.\" Bodo Moeller <bodo@openssl.org>, and Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2000, 2003, 2013, 2014, 2018 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 29 2023 $
-.Dt BN_GENERATE_PRIME 3
-.Os
-.Sh NAME
-.Nm BN_is_prime_ex ,
-.Nm BN_is_prime_fasttest_ex ,
-.Nm BN_generate_prime_ex ,
-.Nm BN_GENCB_call ,
-.Nm BN_GENCB_new ,
-.Nm BN_GENCB_free ,
-.Nm BN_GENCB_set ,
-.Nm BN_GENCB_get_arg ,
-.Nm BN_GENCB_set_old
-.\" Nm BN_prime_checks_for_size is intentionally undocumented
-.\" because it should not be used outside of libcrypto.
-.Nd generate primes and test for primality
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft int
-.Fo BN_is_prime_ex
-.Fa "const BIGNUM *a"
-.Fa "int nchecks"
-.Fa "BN_CTX *ctx"
-.Fa "BN_GENCB *cb"
-.Fc
-.Ft int
-.Fo BN_is_prime_fasttest_ex
-.Fa "const BIGNUM *a"
-.Fa "int nchecks"
-.Fa "BN_CTX *ctx"
-.Fa "int do_trial_division"
-.Fa "BN_GENCB *cb"
-.Fc
-.Ft int
-.Fo BN_generate_prime_ex
-.Fa "BIGNUM *ret"
-.Fa "int bits"
-.Fa "int safe"
-.Fa "const BIGNUM *modulus"
-.Fa "const BIGNUM *remainder"
-.Fa "BN_GENCB *cb"
-.Fc
-.Ft int
-.Fo BN_GENCB_call
-.Fa "BN_GENCB *cb"
-.Fa "int state_code"
-.Fa "int serial_number"
-.Fc
-.Ft BN_GENCB *
-.Fn BN_GENCB_new void
-.Ft void
-.Fo BN_GENCB_free
-.Fa "BN_GENCB *cb"
-.Fc
-.Ft void
-.Fo BN_GENCB_set
-.Fa "BN_GENCB *cb"
-.Fa "int (*cb_fp)(int, int, BN_GENCB *)"
-.Fa "void *cb_arg"
-.Fc
-.Ft void *
-.Fo BN_GENCB_get_arg
-.Fa "BN_GENCB *cb"
-.Fc
-.Pp
-Deprecated:
-.Pp
-.Ft void
-.Fo BN_GENCB_set_old
-.Fa "BN_GENCB *cb"
-.Fa "void (*cb_fp)(int, int, void *)"
-.Fa "void *cb_arg"
-.Fc
-.Sh DESCRIPTION
-.Fn BN_is_prime_ex
-and
-.Fn BN_is_prime_fasttest_ex
-test whether the number
-.Fa a
-is prime.
-In LibreSSL, both functions behave identically
-and use the Baillie-Pomerance-Selfridge-Wagstaff algorithm
-combined with
-.Fa checks
-Miller-Rabin rounds.
-The
-.Fa do_trial_division
-argument is ignored.
-.Pp
-It is unknown whether any composite number exists that the
-Baillie-PSW algorithm misclassifies as a prime.
-Some suspect that there may be infinitely many such numbers,
-but not a single one is currently known.
-It is known that no such number exists below 2\(ha64.
-.Pp
-In order to reduce the likelihood of a composite number
-passing the primality tests
-.Fn BN_is_prime_fasttest_ex
-and
-.Fn BN_is_prime_ex ,
-a number of rounds of the probabilistic Miller-Rabin test is performed.
-If
-.Fa checks
-is positive, it is used as the number of rounds;
-if it is zero or the special value
-.Dv BN_prime_checks ,
-a suitable number of rounds is calculated from the bit length of
-.Fa a .
-.Pp
-If
-.Dv NULL
-is passed for the
-.Fa ctx
-argument, these function allocate a
-.Vt BN_CTX
-object internally when they need one and free it before returning.
-Alternatively, to save the overhead of allocating and freeing
-that object for each call, the caller can pre-allocate a
-.Vt BN_CTX
-object and pass it in the
-.Fa ctx
-argument.
-.Pp
-.Fn BN_generate_prime_ex
-generates a pseudo-random prime number of at least bit length
-.Fa bits
-and places it in
-.Fa ret .
-Primality of
-.Fa ret
-is tested internally using
-.Fn BN_is_prime_ex .
-Consequently, for
-.Fa bits
-larger than 64, it is theoretically possible
-that this function might place a composite number into
-.Fa ret ;
-the probability of such an event is unknown but very small.
-.Pp
-The prime may have to fulfill additional requirements for use in
-Diffie-Hellman key exchange:
-.Bl -bullet
-.It
-If
-.Fa modulus
-is not
-.Dv NULL ,
-a prime is generated that fulfills the condition
-.Fa ret No % Fa modulus No = Fa remainder .
-If the
-.Fa remainder
-argument is
-.Dv NULL ,
-1 is used as the desired remainder.
-.It
-If the
-.Fa safe
-argument is non-zero, a safe prime is generated, that is,
-.Po Fa ret No \- 1 Pc Ns /2
-is also prime.
-.El
-.Pp
-If
-.Fa cb
-is not
-.Dv NULL ,
-it is used as follows:
-.Bl -bullet
-.It
-.Fn BN_GENCB_call cb 0 serial_number
-is called after generating a potential prime number.
-.It
-The
-.Fa state_code
-of 1 is reserved for callbacks during primality testing,
-but LibreSSL performs no such callbacks.
-.It
-When
-.Fa safe
-is non-zero and a safe prime has been found,
-.Fn BN_GENCB_call cb 2 serial_number
-is called.
-.It
-The callers of
-.Fn BN_generate_prime_ex
-may call
-.Fn BN_GENCB_call
-with other values as described in their respective manual pages; see
-.Sx SEE ALSO .
-.El
-.Pp
-In all cases, the
-.Fa serial_number
-is the number of candidates that have already been discarded
-for not being prime; that is,
-.Fa serial_number
-is 0 for the first candidate
-and then incremented whenever a new candidate is generated.
-.Pp
-.Fn BN_GENCB_call
-calls the callback function held in
-.Fa cb
-and passes the
-.Fa state_code
-and the
-.Fa serial_number
-as arguments.
-If
-.Fa cb
-is
-.Dv NULL
-or does not contain a callback function, no action occurs.
-.Pp
-.Fn BN_GENCB_new
-allocates a new
-.Vt BN_GENCB
-object.
-.Pp
-.Fn BN_GENCB_free
-frees
-.Fa cb .
-If
-.Fa cb
-is
-.Dv NULL ,
-no action occurs.
-.Pp
-.Fn BN_GENCB_set
-initialises
-.Fa cb
-to use the callback function pointer
-.Fa cb_fp
-and the additional callback argument
-.Fa cb_arg .
-.Pp
-The deprecated function
-.Fn BN_GENCB_set_old
-initialises
-.Fa cb
-to use the old-style callback function pointer
-.Fa cb_fp
-and the additional callback argument
-.Fa cb_arg .
-.Sh RETURN VALUES
-.Fn BN_is_prime_ex
-and
-.Fn BN_is_prime_fasttest_ex
-return 0 if the number is composite, 1 if it is prime with a very small
-error probability, or \-1 on error.
-.Pp
-.Fn BN_generate_prime_ex
-returns 1 on success or 0 on error.
-.Pp
-.Fn BN_GENCB_call
-returns 1 on success, including when
-.Fa cb
-is
-.Dv NULL
-or does not contain a callback function,
-or 0 on error.
-.Pp
-.Fn BN_GENCB_new
-returns a pointer to the newly allocated
-.Vt BN_GENCB
-object or
-.Dv NULL
-if memory allocation fails.
-.Pp
-The callback functions pointed to by the
-.Fa cb_fp
-arguments are supposed to return 1 on success or 0 on error.
-.Pp
-.Fn BN_GENCB_get_arg
-returns the
-.Fa cb_arg
-pointer that was previously stored in
-.Fa cb
-using
-.Fn BN_GENCB_set
-or
-.Fn BN_GENCB_set_old .
-.Pp
-In some cases, error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr BN_new 3 ,
-.Xr DH_generate_parameters 3 ,
-.Xr DSA_generate_parameters_ex 3 ,
-.Xr RSA_generate_key 3
-.Sh HISTORY
-.Fn BN_generate_prime_ex ,
-.Fn BN_is_prime_ex ,
-.Fn BN_is_prime_fasttest_ex ,
-.Fn BN_GENCB_call ,
-.Fn BN_GENCB_set_old ,
-and
-.Fn BN_GENCB_set
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
-.Fn BN_GENCB_new ,
-.Fn BN_GENCB_free ,
-and
-.Fn BN_GENCB_get_arg
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/BN_get_rfc3526_prime_8192.3 b/src/lib/libcrypto/man/BN_get_rfc3526_prime_8192.3
deleted file mode 100644
index abaf80ef20..0000000000
--- a/src/lib/libcrypto/man/BN_get_rfc3526_prime_8192.3
+++ /dev/null
@@ -1,153 +0,0 @@
-.\" $OpenBSD: BN_get_rfc3526_prime_8192.3,v 1.1 2023/07/20 16:26:40 tb Exp $
-.\" checked up to: OpenSSL DH_get_1024_160 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 20 2023 $
-.Dt BN_GET_RFC3526_PRIME_8192 3
-.Os
-.Sh NAME
-.Nm BN_get_rfc2409_prime_768 ,
-.Nm BN_get_rfc2409_prime_1024 ,
-.Nm BN_get_rfc3526_prime_1536 ,
-.Nm BN_get_rfc3526_prime_2048 ,
-.Nm BN_get_rfc3526_prime_3072 ,
-.Nm BN_get_rfc3526_prime_4096 ,
-.Nm BN_get_rfc3526_prime_6144 ,
-.Nm BN_get_rfc3526_prime_8192
-.Nd standard moduli for Diffie-Hellman key exchange
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft BIGNUM *
-.Fn BN_get_rfc2409_prime_768 "BIGNUM *bn"
-.Ft BIGNUM *
-.Fn BN_get_rfc2409_prime_1024 "BIGNUM *bn"
-.Ft BIGNUM *
-.Fn BN_get_rfc3526_prime_1536 "BIGNUM *bn"
-.Ft BIGNUM *
-.Fn BN_get_rfc3526_prime_2048 "BIGNUM *bn"
-.Ft BIGNUM *
-.Fn BN_get_rfc3526_prime_3072 "BIGNUM *bn"
-.Ft BIGNUM *
-.Fn BN_get_rfc3526_prime_4096 "BIGNUM *bn"
-.Ft BIGNUM *
-.Fn BN_get_rfc3526_prime_6144 "BIGNUM *bn"
-.Ft BIGNUM *
-.Fn BN_get_rfc3526_prime_8192 "BIGNUM *bn"
-.Sh DESCRIPTION
-Each of these functions returns one specific constant Sophie Germain
-prime number
-.Fa p .
-.Pp
-If
-.Fa bn
-is
-.Dv NULL ,
-a new
-.Vt BIGNUM
-object is created and returned.
-Otherwise, the number is stored in
-.Pf * Fa bn
-and
-.Fa bn
-is returned.
-.Pp
-All these numbers are of the form
-.Pp
-.EQ
-p = 2 sup s - 2 sup left ( s - 64 right ) - 1 + 2 sup 64 *
-left { left [ 2 sup left ( s - 130 right ) pi right ] + offset right }
-delim $$
-.EN
-.Pp
-where
-.Ar s
-is the size of the binary representation of the number in bits
-and appears at the end of the function names.
-As long as the offset is sufficiently small, the above form assures
-that the top and bottom 64 bits of each number are all 1.
-.Pp
-The offsets are defined in the standards as follows:
-.Bl -column "8192 = 2 * 2^12" "4743158" -offset indent
-.It size Ar s Ta Ar offset
-.It Ta
-.It \ 768 = 3 * 2^8  Ta  149686
-.It 1024 = 2 * 2^9  Ta  129093
-.It 1536 = 3 * 2^9  Ta  741804
-.It 2048 = 2 * 2^10 Ta  124476
-.It 3072 = 3 * 2^10 Ta 1690314
-.It 4096 = 2 * 2^11 Ta  240904
-.It 6144 = 3 * 2^11 Ta  929484
-.It 8192 = 2 * 2^12 Ta 4743158
-.El
-.Pp
-For each of these prime numbers, the finite group of natural numbers
-smaller than
-.Fa p ,
-where the group operation is defined as multiplication modulo
-.Fa p ,
-is used for Diffie-Hellman key exchange.
-The first two of these groups are called the First Oakley Group and
-the Second Oakley Group.
-Obviously, all these groups are cyclic groups of order
-.Fa p ,
-respectively, and the numbers returned by these functions are not
-secrets.
-.Sh RETURN VALUES
-If memory allocation fails, these functions return
-.Dv NULL .
-That can happen even if
-.Fa bn
-is not
-.Dv NULL .
-.Sh SEE ALSO
-.Xr BN_mod_exp 3 ,
-.Xr BN_new 3 ,
-.Xr BN_set_flags 3 ,
-.Xr DH_new 3
-.Sh STANDARDS
-RFC 2409, "The Internet Key Exchange (IKE)", defines the Oakley Groups.
-.Pp
-RFC 2412, "The OAKLEY Key Determination Protocol", contains additional
-information about these numbers.
-.Pp
-RFC 3526, "More Modular Exponential (MODP) Diffie-Hellman groups
-for Internet Key Exchange (IKE)", defines the other six numbers.
-.Sh HISTORY
-.Fn BN_get_rfc2409_prime_768 ,
-.Fn BN_get_rfc2409_prime_1024 ,
-.Fn BN_get_rfc3526_prime_1536 ,
-.Fn BN_get_rfc3526_prime_2048 ,
-.Fn BN_get_rfc3526_prime_3072 ,
-.Fn BN_get_rfc3526_prime_4096 ,
-.Fn BN_get_rfc3526_prime_6144 ,
-and
-.Fn BN_get_rfc3526_prime_8192
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.3 .
-The same functions without
-.Sy BN_
-prefix first appeared in OpenSSL 0.9.8a and
-.Ox 4.5 ;
-they were removed in
-.Ox 7.4 .
-.Sh CAVEATS
-As all the memory needed for storing the numbers is dynamically
-allocated, the
-.Dv BN_FLG_STATIC_DATA
-flag is not set on the returned
-.Vt BIGNUM
-objects.
-So be careful to not change the returned numbers.
diff --git a/src/lib/libcrypto/man/BN_kronecker.3 b/src/lib/libcrypto/man/BN_kronecker.3
deleted file mode 100644
index 90b7f43230..0000000000
--- a/src/lib/libcrypto/man/BN_kronecker.3
+++ /dev/null
@@ -1,57 +0,0 @@
-.\" $OpenBSD: BN_kronecker.3,v 1.2 2022/11/15 17:55:00 schwarze Exp $
-.\"
-.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 15 2022 $
-.Dt BN_KRONECKER 3
-.Os
-.Sh NAME
-.Nm BN_kronecker
-.Nd Kronecker symbol
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft int
-.Fo BN_kronecker
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn BN_kronecker
-computes the Kronecker symbol
-.Pq a | b ,
-which generalizes the Legendre and Jacobi symbols
-for arbitrary integer numbers
-.Fa b .
-.Sh RETURN VALUES
-.Fn BN_kronecker
-returns \-1, 0, or 1 in case of success or \-2 on error.
-.Sh SEE ALSO
-.Xr BN_CTX_new 3 ,
-.Xr BN_gcd 3 ,
-.Xr BN_mod_sqrt 3 ,
-.Xr BN_new 3
-.Rs
-.%A Henri Cohen
-.%B A Course in Computational Algebraic Number Theory
-.%I Springer
-.%C Berlin
-.%D 1993
-.%O Algorithm 1.4.10
-.Re
-.Sh HISTORY
-.Fn BN_kronecker
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/BN_mod_inverse.3 b/src/lib/libcrypto/man/BN_mod_inverse.3
deleted file mode 100644
index d0a4b458f4..0000000000
--- a/src/lib/libcrypto/man/BN_mod_inverse.3
+++ /dev/null
@@ -1,126 +0,0 @@
-.\"     $OpenBSD: BN_mod_inverse.3,v 1.13 2023/10/21 13:53:43 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 21 2023 $
-.Dt BN_MOD_INVERSE 3
-.Os
-.Sh NAME
-.Nm BN_mod_inverse
-.Nd compute inverse modulo m
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft BIGNUM *
-.Fo BN_mod_inverse
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *m"
-.Fa "BN_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn BN_mod_inverse
-computes the inverse of
-.Fa a
-modulo
-.Fa m
-and places the result in
-.Fa r ,
-so that
-.Fa r
-satisfies
-.Li a * r == 1 (mod m) .
-If
-.Fa r
-is
-.Dv NULL ,
-a new
-.Vt BIGNUM
-is allocated.
-.Pp
-If the flag
-.Dv BN_FLG_CONSTTIME
-is set on
-.Fa a
-or
-.Fa m ,
-it operates in constant time.
-.Pp
-.Fa ctx
-is a previously allocated
-.Vt BN_CTX
-used for temporary variables.
-.Fa r
-may be the same
-.Vt BIGNUM
-as
-.Fa a
-or
-.Fa m .
-.Sh RETURN VALUES
-.Fn BN_mod_inverse
-returns the
-.Vt BIGNUM
-containing the inverse, or
-.Dv NULL
-on error.
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr BN_add 3 ,
-.Xr BN_new 3 ,
-.Xr BN_set_flags 3
-.Sh HISTORY
-.Fn BN_mod_inverse
-first appeared in SSLeay 0.5.1 and has been available since
-.Ox 2.4 .
-.Pp
-The
-.Fa r
-argument was added in SSLeay 0.9.1 and
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/BN_mod_mul_montgomery.3 b/src/lib/libcrypto/man/BN_mod_mul_montgomery.3
deleted file mode 100644
index ed004c2549..0000000000
--- a/src/lib/libcrypto/man/BN_mod_mul_montgomery.3
+++ /dev/null
@@ -1,271 +0,0 @@
-.\" $OpenBSD: BN_mod_mul_montgomery.3,v 1.16 2025/03/09 15:24:25 tb Exp $
-.\" full merge up to: OpenSSL 6859cf74 Sep 25 13:33:28 2002 +0000
-.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 9 2025 $
-.Dt BN_MOD_MUL_MONTGOMERY 3
-.Os
-.Sh NAME
-.Nm BN_MONT_CTX_new ,
-.Nm BN_MONT_CTX_free ,
-.Nm BN_MONT_CTX_set ,
-.Nm BN_MONT_CTX_set_locked ,
-.Nm BN_MONT_CTX_copy ,
-.Nm BN_mod_mul_montgomery ,
-.Nm BN_from_montgomery ,
-.Nm BN_to_montgomery
-.Nd Montgomery multiplication
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft BN_MONT_CTX *
-.Fo BN_MONT_CTX_new
-.Fa void
-.Fc
-.Ft void
-.Fo BN_MONT_CTX_free
-.Fa "BN_MONT_CTX *mont"
-.Fc
-.Ft int
-.Fo BN_MONT_CTX_set
-.Fa "BN_MONT_CTX *mont"
-.Fa "const BIGNUM *m"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft BN_MONT_CTX *
-.Fo BN_MONT_CTX_set_locked
-.Fa "BN_MONT_CTX **pmont"
-.Fa "int lock"
-.Fa "const BIGNUM *m"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft BN_MONT_CTX *
-.Fo BN_MONT_CTX_copy
-.Fa "BN_MONT_CTX *to"
-.Fa "const BN_MONT_CTX *from"
-.Fc
-.Ft int
-.Fo BN_mod_mul_montgomery
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "BN_MONT_CTX *mont"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo BN_from_montgomery
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "BN_MONT_CTX *mont"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo BN_to_montgomery
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "BN_MONT_CTX *mont"
-.Fa "BN_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-These functions implement Montgomery multiplication.
-They are used automatically when
-.Xr BN_mod_exp 3
-is called with suitable input, but they may be useful when several
-operations are to be performed using the same modulus.
-.Pp
-.Fn BN_MONT_CTX_new
-allocates and initializes a
-.Vt BN_MONT_CTX
-structure.
-.Pp
-.Fn BN_MONT_CTX_set
-sets up the
-.Fa mont
-structure from the modulus
-.Fa m
-by precomputing its inverse and a value R.
-.Pp
-.Fn BN_MONT_CTX_set_locked
-is a wrapper around
-.Fn BN_MONT_CTX_new
-and
-.Fn BN_MONT_CTX_set
-that is useful if more than one thread intends to use the same
-.Vt BN_MONT_CTX
-and none of these threads is exclusively responsible for creating
-and initializing the context.
-.Fn BN_MONT_CTX_set_locked
-first acquires the specified
-.Fa lock
-using
-.Xr CRYPTO_lock 3 .
-If
-.Pf * Fa pmont
-already differs from
-.Dv NULL ,
-no action occurs.
-Otherwise, a new
-.Vt BN_MONT_CTX
-is allocated with
-.Fn BN_MONT_CTX_new ,
-set up with
-.Fn BN_MONT_CTX_set ,
-and a pointer to it is stored in
-.Pf * Fa pmont .
-Finally, the
-.Fa lock
-is released.
-.Pp
-.Fn BN_MONT_CTX_copy
-copies the
-.Vt BN_MONT_CTX
-.Fa from
-to
-.Fa to .
-.Pp
-.Fn BN_MONT_CTX_free
-frees the components of the
-.Vt BN_MONT_CTX ,
-and, if it was created by
-.Fn BN_MONT_CTX_new ,
-also the structure itself.
-If
-.Fa mont
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn BN_mod_mul_montgomery
-computes
-.Pp
-.D1 Mont Ns Po Fa a , Fa b Pc := Fa a No * Fa b No * R^-1
-.Pp
-and places the result in
-.Fa r .
-.Pp
-.Fn BN_from_montgomery
-performs the Montgomery reduction
-.Pp
-.D1 Fa r No = Fa a No * R^-1
-.Pp
-.Fn BN_to_montgomery
-computes
-.Pp
-.D1 Mont Ns Po Fa a , No R^2 Pc = Fa a No * R
-.Pp
-Note that
-.Fa a
-must be non-negative and smaller than the modulus.
-.Pp
-For all functions,
-.Fa ctx
-is a previously allocated
-.Vt BN_CTX
-used for temporary variables.
-.Pp
-.Sy Warning :
-The inputs must be reduced modulo
-.Fa m ,
-otherwise the result will be outside the expected range.
-.Sh RETURN VALUES
-.Fn BN_MONT_CTX_new
-returns the newly allocated
-.Vt BN_MONT_CTX
-or
-.Dv NULL
-on error.
-.Pp
-.Fn BN_MONT_CTX_set_locked
-returns a pointer to the existing or newly created context or
-.Dv NULL
-on error.
-.Pp
-For the other functions, 1 is returned for success or 0 on error.
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr BN_add 3 ,
-.Xr BN_CTX_new 3 ,
-.Xr BN_new 3 ,
-.Xr CRYPTO_lock 3
-.Sh HISTORY
-.Fn BN_MONT_CTX_new ,
-.Fn BN_MONT_CTX_free ,
-.Fn BN_MONT_CTX_set ,
-.Fn BN_mod_mul_montgomery ,
-.Fn BN_from_montgomery ,
-and
-.Fn BN_to_montgomery
-first appeared in SSLeay 0.6.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn BN_MONT_CTX_copy
-first appeared in SSLeay 0.9.1 and has been available since
-.Ox 2.6 .
-.Pp
-.Fn BN_MONT_CTX_set_locked
-first appeared in OpenSSL 0.9.8 and has been available since
-.Ox 4.0 .
diff --git a/src/lib/libcrypto/man/BN_mod_sqrt.3 b/src/lib/libcrypto/man/BN_mod_sqrt.3
deleted file mode 100644
index 7247d907a0..0000000000
--- a/src/lib/libcrypto/man/BN_mod_sqrt.3
+++ /dev/null
@@ -1,111 +0,0 @@
-.\" $OpenBSD: BN_mod_sqrt.3,v 1.2 2022/12/06 22:22:42 tb Exp $
-.\"
-.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 6 2022 $
-.Dt BN_MOD_SQRT 3
-.Os
-.Sh NAME
-.Nm BN_mod_sqrt
-.Nd square root in a prime field
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft BIGNUM *
-.Fo BN_mod_sqrt
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *p"
-.Fa "BN_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn BN_mod_sqrt
-solves
-.Bd -unfilled -offset indent
-.EQ
-r sup 2 == a ( roman mod p )
-.EN
-.Ed
-.Pp
-for
-.Fa r
-in the prime field of characteristic
-.Fa p
-using the Tonelli-Shanks algorithm if needed
-and places one of the two solutions into
-.Fa r .
-The other solution is
-.Fa p
-\-
-.Fa r .
-.Pp
-The argument
-.Fa p
-is expected to be a prime number.
-.Sh RETURN VALUES
-In case of success,
-.Fn BN_mod_sqrt
-returns
-.Fa r ,
-or a newly allocated
-.Vt BIGNUM
-object if the
-.Fa r
-argument is
-.Dv NULL .
-.Pp
-In case of failure,
-.Dv NULL
-is returned.
-This for example happens if
-.Fa a
-is not a quadratic residue or if memory allocation fails.
-.Sh SEE ALSO
-.Xr BN_CTX_new 3 ,
-.Xr BN_kronecker 3 ,
-.Xr BN_mod_sqr 3 ,
-.Xr BN_new 3
-.Rs
-.%A Henri Cohen
-.%B A Course in Computational Algebraic Number Theory
-.%I Springer
-.%C Berlin
-.%D 1993
-.%O Algorithm 1.5.1
-.Re
-.Sh HISTORY
-.Fn BN_mod_sqrt
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
-.Sh CAVEATS
-If
-.Fa p
-is not prime,
-.Fn BN_mod_sqrt
-may succeed or fail.
-If it succeeds, the square of the returned value is congruent to
-.Fa a
-modulo
-.Fa p .
-If it fails, the reason reported by
-.Xr ERR_get_error 3
-is often misleading.
-In particular, even if
-.Fa a
-is a perfect square,
-.Fn BN_mod_sqrt
-often reports
-.Dq not a square
-instead of
-.Dq p is not prime .
diff --git a/src/lib/libcrypto/man/BN_new.3 b/src/lib/libcrypto/man/BN_new.3
deleted file mode 100644
index 088048c622..0000000000
--- a/src/lib/libcrypto/man/BN_new.3
+++ /dev/null
@@ -1,165 +0,0 @@
-.\" $OpenBSD: BN_new.3,v 1.31 2023/07/26 20:08:59 tb Exp $
-.\" full merge up to: OpenSSL man3/BN_new 2457c19d Mar 6 08:43:36 2004 +0000
-.\" selective merge up to: man3/BN_new 681acb31 Sep 29 13:10:34 2017 +0200
-.\" full merge up to: OpenSSL man7/bn 05ea606a May 20 20:52:46 2016 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2004 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 26 2023 $
-.Dt BN_NEW 3
-.Os
-.Sh NAME
-.Nm BN_new ,
-.Nm BN_clear ,
-.Nm BN_free ,
-.Nm BN_clear_free
-.Nd allocate and free BIGNUMs
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft BIGNUM *
-.Fo BN_new
-.Fa void
-.Fc
-.Ft void
-.Fo BN_clear
-.Fa "BIGNUM *a"
-.Fc
-.Ft void
-.Fo BN_free
-.Fa "BIGNUM *a"
-.Fc
-.Ft void
-.Fo BN_clear_free
-.Fa "BIGNUM *a"
-.Fc
-.Sh DESCRIPTION
-The BN library performs arithmetic operations on integers of arbitrary
-size.
-It was written for use in public key cryptography, such as RSA and
-Diffie-Hellman.
-.Pp
-It uses dynamic memory allocation for storing its data structures.
-That means that there is no limit on the size of the numbers manipulated
-by these functions, but return values must always be checked in case a
-memory allocation error has occurred.
-.Pp
-The basic object in this library is a
-.Vt BIGNUM .
-It is used to hold a single large integer.
-This type should be considered opaque and fields should not be modified
-or accessed directly.
-.Pp
-.Fn BN_new
-allocates and initializes a
-.Vt BIGNUM
-structure, in particular setting the value to zero and the flags to
-.Dv BN_FLG_MALLOCED .
-The security-relevant flag
-.Dv BN_FLG_CONSTTIME
-is not set by default.
-.Pp
-.Fn BN_clear
-is used to destroy sensitive data such as keys when they are no longer
-needed.
-It erases the memory used by
-.Fa a
-and sets it to the value 0.
-.Pp
-.Fn BN_free
-frees the components of the
-.Vt BIGNUM
-and, if it was created by
-.Fn BN_new ,
-also the structure itself.
-.Fn BN_clear_free
-additionally overwrites the data before the memory is returned to the
-system.
-If
-.Fa a
-is a
-.Dv NULL
-pointer, no action occurs.
-.Sh RETURN VALUES
-.Fn BN_new
-returns a pointer to the
-.Vt BIGNUM .
-If the allocation fails, it returns
-.Dv NULL
-and sets an error code that can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr BN_add 3 ,
-.Xr BN_add_word 3 ,
-.Xr BN_bn2bin 3 ,
-.Xr BN_cmp 3 ,
-.Xr BN_copy 3 ,
-.Xr BN_CTX_new 3 ,
-.Xr BN_CTX_start 3 ,
-.Xr BN_generate_prime 3 ,
-.Xr BN_get_rfc3526_prime_8192 3 ,
-.Xr BN_kronecker 3 ,
-.Xr BN_mod_inverse 3 ,
-.Xr BN_mod_mul_montgomery 3 ,
-.Xr BN_mod_sqrt 3 ,
-.Xr BN_num_bytes 3 ,
-.Xr BN_rand 3 ,
-.Xr BN_security_bits 3 ,
-.Xr BN_set_bit 3 ,
-.Xr BN_set_flags 3 ,
-.Xr BN_set_negative 3 ,
-.Xr BN_swap 3 ,
-.Xr BN_zero 3 ,
-.Xr crypto 3
-.Sh HISTORY
-.Fn BN_new ,
-.Fn BN_clear ,
-.Fn BN_free ,
-and
-.Fn BN_clear_free
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/BN_num_bytes.3 b/src/lib/libcrypto/man/BN_num_bytes.3
deleted file mode 100644
index 785f43e2f0..0000000000
--- a/src/lib/libcrypto/man/BN_num_bytes.3
+++ /dev/null
@@ -1,175 +0,0 @@
-.\" $OpenBSD: BN_num_bytes.3,v 1.9 2022/11/22 18:55:04 schwarze Exp $
-.\" full merge up to: OpenSSL 9e183d22 Mar 11 08:56:44 2017 -0500
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ulf Moeller <ulf@openssl.org>
-.\" and Richard Levitte <levitte@openssl.org>.
-.\" Copyright (c) 2000, 2004 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 22 2022 $
-.Dt BN_NUM_BYTES 3
-.Os
-.Sh NAME
-.Nm BN_num_bits_word ,
-.Nm BN_num_bits ,
-.Nm BN_num_bytes
-.Nd get BIGNUM size
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft int
-.Fo BN_num_bits_word
-.Fa "BN_ULONG w"
-.Fc
-.Ft int
-.Fo BN_num_bits
-.Fa "const BIGNUM *a"
-.Fc
-.Ft int
-.Fo BN_num_bytes
-.Fa "const BIGNUM *a"
-.Fc
-.Sh DESCRIPTION
-.Fn BN_num_bits_word
-returns the number of significant bits in
-.Fa w ,
-that is, the minimum number of digits needed to write
-.Fa w
-as a binary number.
-Except for an argument of 0, this is
-.Pp
-.D1 floor(log2( Ns Fa w ) ) No + 1 .
-.Pp
-.Vt BN_ULONG
-is a macro that expands to
-.Vt unsigned long Pq = Vt uint64_t
-on
-.Dv _LP64
-platforms and
-.Vt unsigned int Pq = Vt uint32_t
-elsewhere.
-.Pp
-.Fn BN_num_bits
-returns the number of significant bits in the value of the
-.Fa "BIGNUM *a" ,
-following the same principle as
-.Fn BN_num_bits_word .
-.Pp
-.Fn BN_num_bytes
-is a macro that returns the number of significant bytes in
-.Fa a ,
-i.e. the minimum number of bytes needed to store the value of
-.Fa a ,
-that is,
-.Fn BN_num_bits a
-divided by eight and rounded up to the next integer number.
-.Sh RETURN VALUES
-.Fn BN_num_bits_word
-returns the number of significant bits in
-.Fa w
-or 0 if
-.Fa w
-is 0.
-The maximum return value that can occur is
-.Dv BN_BITS2 ,
-which is 64 on
-.Dv _LP64
-platforms and 32 elsewhere.
-.Pp
-.Fn BN_num_bits
-returns the number of significant bits and
-.Fn BN_num_bytes
-the number of significant bytes in
-.Fa a ,
-or 0 if the value of
-.Fa a
-is 0.
-.Sh SEE ALSO
-.Xr BN_new 3 ,
-.Xr BN_security_bits 3 ,
-.Xr DH_size 3 ,
-.Xr DSA_size 3 ,
-.Xr RSA_size 3
-.Sh HISTORY
-.Fn BN_num_bytes
-and
-.Fn BN_num_bits
-first appeared in SSLeay 0.5.1.
-.Fn BN_num_bits_word
-first appeared in SSLeay 0.5.2.
-These functions have been available since
-.Ox 2.4 .
-.Sh CAVEATS
-Some have tried using
-.Fn BN_num_bits
-on individual numbers in RSA keys, DH keys and DSA keys, and found that
-they don't always come up with the number of bits they expected
-(something like 512, 1024, 2048, ...).
-This is because generating a number with some specific number of bits
-doesn't always set the highest bits, thereby making the number of
-.Em significant
-bits a little smaller.
-If you want to know the "key size" of such a key, use functions like
-.Xr RSA_size 3 ,
-.Xr DH_size 3 ,
-and
-.Xr DSA_size 3 .
diff --git a/src/lib/libcrypto/man/BN_rand.3 b/src/lib/libcrypto/man/BN_rand.3
deleted file mode 100644
index 3d4401a429..0000000000
--- a/src/lib/libcrypto/man/BN_rand.3
+++ /dev/null
@@ -1,146 +0,0 @@
-.\"     $OpenBSD: BN_rand.3,v 1.18 2021/11/30 18:34:35 tb Exp $
-.\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
-.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2002, 2013, 2015 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 30 2021 $
-.Dt BN_RAND 3
-.Os
-.Sh NAME
-.Nm BN_rand ,
-.Nm BN_rand_range ,
-.Nm BN_pseudo_rand ,
-.Nm BN_pseudo_rand_range
-.Nd generate pseudo-random number
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft int
-.Fo BN_rand
-.Fa "BIGNUM *rnd"
-.Fa "int bits"
-.Fa "int top"
-.Fa "int bottom"
-.Fc
-.Ft int
-.Fo BN_rand_range
-.Fa "BIGNUM *rnd"
-.Fa "const BIGNUM *range"
-.Fc
-.Sh DESCRIPTION
-.Fn BN_rand
-generates a cryptographically strong pseudo-random number of
-.Fa bits
-in length and stores it in
-.Fa rnd .
-If
-.Fa top
-is
-.Dv BN_RAND_TOP_ANY ,
-the most significant bit of the random number can be zero.
-If
-.Fa top
-is
-.Dv BN_RAND_TOP_ONE ,
-the most significant bit is set to 1, and if
-.Fa top
-is
-.Dv BN_RAND_TOP_TWO ,
-the two most significant bits of the number will be set to 1, so
-that the product of two such random numbers will always have
-.Pf 2* Fa bits
-length.
-If
-.Fa bottom
-is
-.Dv BN_RAND_BOTTOM_ODD ,
-the number will be odd;
-if it is
-.Dv BN_RAND_BOTTOM_ANY ,
-it can be odd or even.
-The value of
-.Fa bits
-must be zero or greater.
-If
-.Fa bits
-is +1 then
-.Fa top
-cannot be
-.Dv BN_RAND_TOP_TWO .
-.Pp
-.Fn BN_rand_range
-generates a cryptographically strong pseudo-random number
-.Fa rnd
-in the range 0 <=
-.Fa rnd No < Fa range .
-.Pp
-.Fn BN_pseudo_rand
-is a deprecated alias for
-.Fn BN_rand ,
-and
-.Fn BN_pseudo_rand_range
-for
-.Fn BN_rand_range .
-.Sh RETURN VALUES
-The functions return 1 on success, 0 on error.
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr BN_new 3
-.Sh HISTORY
-.Fn BN_rand
-first appeared in SSLeay 0.5.1 and has been available since
-.Ox 2.4 .
-.Pp
-The
-.Fa top
-== -1 case and the function
-.Fn BN_rand_range
-first appeared in OpenSSL 0.9.6a and have been available since
-.Ox 3.0 .
diff --git a/src/lib/libcrypto/man/BN_set_bit.3 b/src/lib/libcrypto/man/BN_set_bit.3
deleted file mode 100644
index 2c53066777..0000000000
--- a/src/lib/libcrypto/man/BN_set_bit.3
+++ /dev/null
@@ -1,216 +0,0 @@
-.\"     $OpenBSD: BN_set_bit.3,v 1.8 2021/11/30 18:34:35 tb Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 30 2021 $
-.Dt BN_SET_BIT 3
-.Os
-.Sh NAME
-.Nm BN_set_bit ,
-.Nm BN_clear_bit ,
-.Nm BN_is_bit_set ,
-.Nm BN_mask_bits ,
-.Nm BN_lshift ,
-.Nm BN_lshift1 ,
-.Nm BN_rshift ,
-.Nm BN_rshift1
-.Nd bit operations on BIGNUMs
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft int
-.Fo BN_set_bit
-.Fa "BIGNUM *a"
-.Fa "int n"
-.Fc
-.Ft int
-.Fo BN_clear_bit
-.Fa "BIGNUM *a"
-.Fa "int n"
-.Fc
-.Ft int
-.Fo BN_is_bit_set
-.Fa "const BIGNUM *a"
-.Fa "int n"
-.Fc
-.Ft int
-.Fo BN_mask_bits
-.Fa "BIGNUM *a"
-.Fa "int n"
-.Fc
-.Ft int
-.Fo BN_lshift
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "int n"
-.Fc
-.Ft int
-.Fo BN_lshift1
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fc
-.Ft int
-.Fo BN_rshift
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "int n"
-.Fc
-.Ft int
-.Fo BN_rshift1
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fc
-.Sh DESCRIPTION
-.Fn BN_set_bit
-sets bit
-.Fa n
-in
-.Fa a
-to 1
-.Pq Li a|=(1<<n) .
-The number is expanded if necessary.
-.Pp
-.Fn BN_clear_bit
-sets bit
-.Fa n
-in
-.Fa a
-to 0
-.Pq Li a&=~(1<<n) .
-An error occurs if
-.Fa a
-is shorter than
-.Fa n
-bits.
-.Pp
-.Fn BN_is_bit_set
-tests if bit
-.Fa n
-in
-.Fa a
-is set.
-.Pp
-.Fn BN_mask_bits
-truncates
-.Fa a
-to an
-.Fa n
-bit number
-.Pq Li a&=~((~0)>>n) .
-An error occurs if
-.Fa a
-already is shorter than
-.Fa n
-bits.
-.Pp
-.Fn BN_lshift
-shifts
-.Fa a
-left by
-.Fa n
-bits and places the result in
-.Fa r
-.Pq Li r=a*2^n .
-Note that
-.Fa n
-must be non-negative.
-.Fn BN_lshift1
-shifts
-.Fa a
-left by one and places the result in
-.Fa r
-.Pq Li r=2*a .
-.Pp
-.Fn BN_rshift
-shifts
-.Fa a
-right by
-.Fa n
-bits and places the result in
-.Fa r
-.Pq Li r=a/2^n .
-Note that
-.Fa n
-must be non-negative.
-.Fn BN_rshift1
-shifts
-.Fa a
-right by one and places the result in
-.Fa r
-.Pq Li r=a/2 .
-.Pp
-For the shift functions,
-.Fa r
-and
-.Fa a
-may be the same variable.
-.Sh RETURN VALUES
-.Fn BN_is_bit_set
-returns 1 if the bit is set, 0 otherwise.
-.Pp
-All other functions return 1 for success, 0 on error.
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr BN_add 3 ,
-.Xr BN_new 3 ,
-.Xr BN_num_bytes 3 ,
-.Xr BN_set_negative 3 ,
-.Xr BN_zero 3
-.Sh HISTORY
-.Fn BN_set_bit ,
-.Fn BN_clear_bit ,
-.Fn BN_is_bit_set ,
-.Fn BN_mask_bits ,
-.Fn BN_lshift ,
-.Fn BN_lshift1 ,
-.Fn BN_rshift ,
-and
-.Fn BN_rshift1
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/BN_set_flags.3 b/src/lib/libcrypto/man/BN_set_flags.3
deleted file mode 100644
index 1285ae2b28..0000000000
--- a/src/lib/libcrypto/man/BN_set_flags.3
+++ /dev/null
@@ -1,160 +0,0 @@
-.\"     $OpenBSD: BN_set_flags.3,v 1.6 2023/04/27 07:22:22 tb Exp $
-.\"
-.\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: April 27 2023 $
-.Dt BN_SET_FLAGS 3
-.Os
-.Sh NAME
-.Nm BN_set_flags ,
-.Nm BN_get_flags
-.Nd enable and inspect flags on BIGNUM objects
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft void
-.Fo BN_set_flags
-.Fa "BIGNUM *b"
-.Fa "int flags"
-.Fc
-.Ft int
-.Fo BN_get_flags
-.Fa "const BIGNUM *b"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn BN_set_flags
-enables the given
-.Fa flags
-on
-.Fa b .
-The
-.Fa flags
-argument can contain zero or more of the following constants OR'ed
-together:
-.Bl -tag -width Ds
-.It Dv BN_FLG_CONSTTIME
-If this flag is set on the divident
-.Fa a
-or the divisor
-.Fa d
-in
-.Xr BN_div 3 ,
-on the exponent
-.Fa p
-in
-.Xr BN_mod_exp 3 ,
-or on the divisor
-.Fa a
-or the modulus
-.Fa n
-in
-.Xr BN_mod_inverse 3 ,
-these functions select algorithms with an execution time independent
-of the respective numbers, to avoid exposing sensitive information
-to timing side-channel attacks.
-.Pp
-This flag is off by default for
-.Vt BIGNUM
-objects created with
-.Xr BN_new 3 .
-.It Dv BN_FLG_MALLOCED
-If this flag is set,
-.Xr BN_free 3
-and
-.Xr BN_clear_free 3
-will not only clear and free the components of
-.Fa b ,
-but also
-.Fa b
-itself.
-This flag is set internally by
-.Xr BN_new 3 .
-Setting it manually on an existing
-.Vt BIGNUM
-object is usually a bad idea and can cause calls to
-.Xr free 3
-with bogus arguments.
-.It Dv BN_FLG_STATIC_DATA
-If this flag is set,
-.Xr BN_clear_free 3
-will neither clear nor free the memory used for storing the number.
-Consequently, setting it manually on an existing
-.Vt BIGNUM
-object is usually a terrible idea that can cause both disclosure
-of secret data and memory leaks.
-This flag is automatically set on the constant
-.Vt BIGNUM
-object returned by
-.Xr BN_value_one 3 .
-.El
-.Pp
-.Fn BN_get_flags
-interprets
-.Fa flags
-as a bitmask and returns those of the given flags that are set in
-.Fa b ,
-OR'ed together, or 0 if none of the given
-.Fa flags
-is set.
-The
-.Fa flags
-argument has the same syntax as for
-.Fn BN_set_flags .
-.Sh RETURN VALUES
-.Fn BN_get_flags
-returns zero or more of the above constants, OR'ed together.
-.Sh SEE ALSO
-.Xr BN_mod_exp 3 ,
-.Xr BN_mod_inverse 3 ,
-.Xr BN_new 3 ,
-.Xr BN_with_flags 3
-.Sh HISTORY
-.Fn BN_set_flags
-and
-.Fn BN_get_flags
-first appeared in SSLeay 0.9.1 and have been available since
-.Ox 2.6 .
-.Sh CAVEATS
-No public interface exists to clear a flag once it is set.
-So think twice before using
-.Fn BN_set_flags .
-.Sh BUGS
-Even if the
-.Dv BN_FLG_CONSTTIME
-flag is set on
-.Fa a
-or
-.Fa b ,
-.Fn BN_gcd
-neither fails nor operates in constant time, potentially allowing
-timing side-channel attacks.
-.Pp
-Even if the
-.Dv BN_FLG_CONSTTIME
-flag is set on
-.Fa p ,
-if the modulus
-.Fa m
-is even,
-.Xr BN_mod_exp 3
-does not operate in constant time, potentially allowing
-timing side-channel attacks.
-.Pp
-If
-.Dv BN_FLG_CONSTTIME
-is set on
-.Fa p ,
-.Fn BN_exp
-fails instead of operating in constant time.
diff --git a/src/lib/libcrypto/man/BN_set_negative.3 b/src/lib/libcrypto/man/BN_set_negative.3
deleted file mode 100644
index 6cdff5c974..0000000000
--- a/src/lib/libcrypto/man/BN_set_negative.3
+++ /dev/null
@@ -1,63 +0,0 @@
-.\"     $OpenBSD: BN_set_negative.3,v 1.6 2021/12/06 19:45:27 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 6 2021 $
-.Dt BN_SET_NEGATIVE 3
-.Os
-.Sh NAME
-.Nm BN_set_negative ,
-.Nm BN_is_negative
-.Nd change and inspect the sign of a BIGNUM
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft void
-.Fo BN_set_negative
-.Fa "BIGNUM *b"
-.Fa "int n"
-.Fc
-.Ft int
-.Fo BN_is_negative
-.Fa "const BIGNUM *b"
-.Fc
-.Sh DESCRIPTION
-.Fn BN_set_negative
-sets
-.Fa b
-to negative if both
-.Fa b
-and
-.Fa n
-are non-zero, otherwise it sets it to positive.
-.Pp
-.Fn BN_is_negative
-tests the sign of
-.Fa b .
-.Sh RETURN VALUES
-.Fn BN_is_negative
-returns 1 if
-.Fa b
-is negative or 0 otherwise.
-.Sh SEE ALSO
-.Xr BN_add 3 ,
-.Xr BN_new 3 ,
-.Xr BN_set_bit 3 ,
-.Xr BN_zero 3
-.Sh HISTORY
-.Fn BN_set_negative
-and
-.Fn BN_is_negative
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/BN_swap.3 b/src/lib/libcrypto/man/BN_swap.3
deleted file mode 100644
index 218ca1cf02..0000000000
--- a/src/lib/libcrypto/man/BN_swap.3
+++ /dev/null
@@ -1,148 +0,0 @@
-.\" $OpenBSD: BN_swap.3,v 1.6 2021/12/19 22:06:35 schwarze Exp $
-.\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Bodo Moeller <bodo@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 19 2021 $
-.Dt BN_SWAP 3
-.Os
-.Sh NAME
-.Nm BN_swap ,
-.Nm BN_consttime_swap
-.Nd exchange BIGNUMs
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft void
-.Fo BN_swap
-.Fa "BIGNUM *a"
-.Fa "BIGNUM *b"
-.Fc
-.Ft void
-.Fo BN_consttime_swap
-.Fa "BN_ULONG condition"
-.Fa "BIGNUM *a"
-.Fa "BIGNUM *b"
-.Fa "int nwords"
-.Fc
-.Sh DESCRIPTION
-.Fn BN_swap
-and
-.Fn BN_consttime_swap
-exchange the values of
-.Fa a
-and
-.Fa b .
-.Pp
-.Fn BN_swap
-implements this by exchanging the pointers to the data buffers of
-.Fa a
-and
-.Fa b
-and also exchanging the values of the
-.Dv BN_FLG_STATIC_DATA
-bits.
-Consequently, the operation is fast and execution time does not depend
-on any properties of the two numbers.
-However, execution time obviously differs between swapping (by calling
-this function) and not swapping (by not calling this function).
-.Pp
-.Fn BN_consttime_swap
-only performs the exchange if the
-.Fa condition
-is non-zero; otherwise, it has no effect.
-It implements the exchange by exchanging the contents of the data
-buffers rather than the pointers to the data buffers.
-This is slower, but implemented in such a way that the execution time
-is not only independent of the properties of the two numbers, but also
-independent of the
-.Fa condition
-argument, i.e. the same for swapping or not swapping.
-Execution time does however grow in an approximately linear manner with the
-.Fa nwords
-argument.
-.Pp
-.Fn BN_consttime_swap
-calls
-.Xr abort 3
-if at least one of
-.Fa a
-or
-.Fa b
-has fewer than
-.Fa nwords
-data words allocated or more than
-.Fa nwords
-data words are currently in use in at least one of them.
-.Sh SEE ALSO
-.Xr BN_new 3 ,
-.Xr BN_set_flags 3
-.Sh HISTORY
-.Fn BN_swap
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
-.Pp
-.Fn BN_consttime_swap
-first appeared in OpenSSL 1.0.1g and has been available since
-.Ox 5.6 .
diff --git a/src/lib/libcrypto/man/BN_zero.3 b/src/lib/libcrypto/man/BN_zero.3
deleted file mode 100644
index 0b677b246f..0000000000
--- a/src/lib/libcrypto/man/BN_zero.3
+++ /dev/null
@@ -1,174 +0,0 @@
-.\" $OpenBSD: BN_zero.3,v 1.13 2023/04/30 19:23:54 tb Exp $
-.\" full merge up to: OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
-.\" selective merge up to: OpenSSL b713c4ff Jan 22 14:41:09 2018 -0500
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2021, 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2018 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 30 2023 $
-.Dt BN_ZERO 3
-.Os
-.Sh NAME
-.Nm BN_zero ,
-.Nm BN_one ,
-.Nm BN_value_one ,
-.Nm BN_set_word ,
-.Nm BN_get_word
-.Nd BIGNUM assignment operations
-.Sh SYNOPSIS
-.In openssl/bn.h
-.Ft int
-.Fo BN_zero
-.Fa "BIGNUM *a"
-.Fc
-.Ft int
-.Fo BN_one
-.Fa "BIGNUM *a"
-.Fc
-.Ft const BIGNUM *
-.Fo BN_value_one
-.Fa void
-.Fc
-.Ft int
-.Fo BN_set_word
-.Fa "BIGNUM *a"
-.Fa "BN_ULONG w"
-.Fc
-.Ft BN_ULONG
-.Fo BN_get_word
-.Fa "const BIGNUM *a"
-.Fc
-.Sh DESCRIPTION
-.Vt BN_ULONG
-is a macro that expands to an unsigned integral type optimized
-for the most efficient implementation on the local platform.
-It is
-.Vt unsigned long Pq = Vt uint64_t
-on
-.Dv _LP64
-platforms and
-.Vt unsigned int Pq = Vt uint32_t
-elsewhere.
-.Pp
-.Fn BN_zero ,
-.Fn BN_one ,
-and
-.Fn BN_set_word
-set
-.Fa a
-to the values 0, 1 and
-.Fa w
-respectively.
-.Pp
-.Fn BN_value_one
-returns a
-.Vt BIGNUM
-constant of value 1.
-This constant is useful for comparisons and assignments.
-.Sh RETURN VALUES
-.Fn BN_get_word
-returns the value
-.Fa a ,
-or a number with all bits set if
-.Fa a
-cannot be represented as a
-.Vt BN_ULONG .
-.Pp
-.Fn BN_zero ,
-.Fn BN_one ,
-and
-.Fn BN_set_word
-return 1 on success, 0 otherwise.
-.Fn BN_value_one
-returns the constant.
-.Sh SEE ALSO
-.Xr BN_bn2bin 3 ,
-.Xr BN_new 3 ,
-.Xr BN_set_bit 3 ,
-.Xr BN_set_negative 3
-.Sh HISTORY
-.Fn BN_zero ,
-.Fn BN_one ,
-.Fn BN_value_one ,
-and
-.Fn BN_set_word
-first appeared in SSLeay 0.5.1.
-.Fn BN_get_word
-first appeared in SSLeay 0.6.0.
-These functions have been available since
-.Ox 2.4 .
-.Sh BUGS
-Someone might change the constant.
-.Pp
-If the value of a
-.Vt BIGNUM
-is equal to a
-.Vt BN_ULONG
-with all bits set, the return value of
-.Fn BN_get_word
-collides with return value used to indicate errors.
-.Pp
-.Vt BN_ULONG
-should probably be a typedef rather than a macro.
diff --git a/src/lib/libcrypto/man/BUF_MEM_new.3 b/src/lib/libcrypto/man/BUF_MEM_new.3
deleted file mode 100644
index 8c72091abe..0000000000
--- a/src/lib/libcrypto/man/BUF_MEM_new.3
+++ /dev/null
@@ -1,153 +0,0 @@
-.\"     $OpenBSD: BUF_MEM_new.3,v 1.19 2024/07/24 08:57:58 tb Exp $
-.\"     OpenSSL doc/crypto/buffer.pod 18edda0f Sep 20 03:28:54 2000 +0000
-.\"     not merged: 74924dcb, 58e3457a, 21b0fa91, 7644a9ae
-.\"     OpenSSL doc/crypto/BUF_MEM_new.pod 53934822 Jun 9 16:39:19 2016 -0400
-.\"     not merged: c952780c, 91da5e77
-.\"     OpenSSL doc/man3/BUF_MEM_new.pod 498180de Dec 12 15:35:09 2016 +0300
-.\"
-.\" This file was written by Ralf S. Engelschall <rse@openssl.org>.
-.\" Copyright (c) 1999, 2000, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 24 2024 $
-.Dt BUF_MEM_NEW 3
-.Os
-.Sh NAME
-.Nm BUF_MEM_new ,
-.Nm BUF_MEM_free ,
-.Nm BUF_MEM_grow ,
-.Nm BUF_MEM_grow_clean
-.Nd simple character arrays structure
-.Sh SYNOPSIS
-.In openssl/buffer.h
-.Ft BUF_MEM *
-.Fo BUF_MEM_new
-.Fa void
-.Fc
-.Ft void
-.Fo BUF_MEM_free
-.Fa "BUF_MEM *a"
-.Fc
-.Ft int
-.Fo BUF_MEM_grow
-.Fa "BUF_MEM *str"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo BUF_MEM_grow_clean
-.Fa "BUF_MEM *str"
-.Fa "size_t len"
-.Fc
-.Sh DESCRIPTION
-The buffer library handles simple character arrays.
-Buffers are used for various purposes in the library, most notably
-memory BIOs.
-.Pp
-The library uses the
-.Vt BUF_MEM
-structure defined in buffer.h:
-.Bd -literal
-typedef struct buf_mem_st {
-        size_t length;  /* current number of bytes */
-        char *data;
-        size_t max;     /* size of buffer */
-} BUF_MEM;
-.Ed
-.Pp
-.Fa length
-is the current size of the buffer in bytes;
-.Fa max
-is the amount of memory allocated to the buffer.
-There are three functions which handle these and one miscellaneous function.
-.Pp
-.Fn BUF_MEM_new
-allocates a new buffer of zero size.
-.Pp
-.Fn BUF_MEM_free
-frees up an already existing buffer.
-The data is zeroed before freeing up in case the buffer contains
-sensitive data.
-If
-.Fa a
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn BUF_MEM_grow
-changes the size of an already existing buffer to
-.Fa len .
-Any data already in the buffer is preserved if it increases in size.
-.Pp
-.Fn BUF_MEM_grow_clean
-is similar to
-.Fn BUF_MEM_grow ,
-but it sets any freed or additionally allocated memory to zero.
-.Sh RETURN VALUES
-.Fn BUF_MEM_new
-returns the buffer or
-.Dv NULL
-on error.
-.Pp
-.Fn BUF_MEM_grow
-and
-.Fn BUF_MEM_grow_clean
-return zero on error or the new size (i.e.\&
-.Fa len ) .
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr BIO_s_mem 3
-.Sh HISTORY
-.Fn BUF_MEM_new ,
-.Fn BUF_MEM_free ,
-and
-.Fn BUF_MEM_grow
-first appeared in SSLeay 0.6.0.
-All these functions  have been available since
-.Ox 2.4 .
-.Pp
-.Fn BUF_MEM_grow_clean
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/CMAC_Init.3 b/src/lib/libcrypto/man/CMAC_Init.3
deleted file mode 100644
index fd32ca085a..0000000000
--- a/src/lib/libcrypto/man/CMAC_Init.3
+++ /dev/null
@@ -1,273 +0,0 @@
-.\" $OpenBSD: CMAC_Init.3,v 1.9 2024/11/12 00:42:28 schwarze Exp $
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 12 2024 $
-.Dt CMAC_INIT 3
-.Os
-.Sh NAME
-.Nm CMAC_CTX_new ,
-.Nm CMAC_Init ,
-.Nm CMAC_Update ,
-.Nm CMAC_Final ,
-.Nm CMAC_CTX_copy ,
-.Nm CMAC_CTX_get0_cipher_ctx ,
-.Nm CMAC_CTX_cleanup ,
-.Nm CMAC_CTX_free
-.Nd Cipher-based message authentication code
-.Sh SYNOPSIS
-.In openssl/cmac.h
-.Ft CMAC_CTX *
-.Fn CMAC_CTX_new void
-.Ft int
-.Fo CMAC_Init
-.Fa "CMAC_CTX *ctx"
-.Fa "const void *key"
-.Fa "size_t key_len"
-.Fa "const EVP_CIPHER *cipher"
-.Fa "ENGINE *engine"
-.Fc
-.Ft int
-.Fo CMAC_Update
-.Fa "CMAC_CTX *ctx"
-.Fa "const void *in_data"
-.Fa "size_t in_len"
-.Fc
-.Ft int
-.Fo CMAC_Final
-.Fa "CMAC_CTX *ctx"
-.Fa "unsigned char *out_mac"
-.Fa "size_t *out_len"
-.Fc
-.Ft int
-.Fo CMAC_CTX_copy
-.Fa "CMAC_CTX *out_ctx"
-.Fa "CMAC_CTX *in_ctx"
-.Fc
-.Ft EVP_CIPHER_CTX *
-.Fn CMAC_CTX_get0_cipher_ctx "CMAC_CTX *ctx"
-.Ft void
-.Fn CMAC_CTX_cleanup "CMAC_CTX *ctx"
-.Ft void
-.Fn CMAC_CTX_free "CMAC_CTX *ctx"
-.Sh DESCRIPTION
-CMAC is a message authentication code algorithm that can employ an
-arbitrary block cipher using a symmetric key.
-.Pp
-The present manual page describes low-level functions implementing CMAC.
-Instead of using these functions directly,
-application programs normally call
-.Xr EVP_PKEY_new_CMAC_key 3
-and then pass the resulting
-.Vt EVP_PKEY
-object to
-.Xr EVP_DigestSignInit 3 .
-.Pp
-The CMAC API is object-oriented.
-Calculating a message authentication code requires a
-.Vt CMAC_CTX
-object.
-Usually, the functions
-.Fn CMAC_CTX_new ,
-.Fn CMAC_Init ,
-.Fn CMAC_Update ,
-.Fn CMAC_Final ,
-and
-.Fn CMAC_CTX_free
-need to be called in this order.
-.Pp
-.Fn CMAC_CTX_new
-allocates a new
-.Vt CMAC_CTX
-object, initializes the embedded
-.Vt EVP_CIPHER_CTX
-object, and marks the object itself as uninitialized.
-.Pp
-.Fn CMAC_Init
-selects the given block
-.Fa cipher
-for use by
-.Fa ctx .
-Functions to obtain suitable
-.Vt EVP_CIPHER
-objects are listed in the CIPHER LISTING section of the
-.Xr EVP_EncryptInit 3
-manual page.
-Unless
-.Fa key
-is
-.Dv NULL ,
-.Fn CMAC_Init
-also initializes
-.Fa ctx
-for use with the given symmetric
-.Fa key
-that is
-.Fa key_len
-bytes long.
-In particular, it calculates and internally stores the two subkeys
-and initializes
-.Fa ctx
-for subsequently feeding in data with
-.Fn CMAC_Update .
-The
-.Fa engine
-argument is ignored; passing
-.Dv NULL
-is recommended.
-.Pp
-If
-.Fa ctx
-is already initialized,
-.Fn CMAC_Init
-can be called again with
-.Fa key
-and
-.Fa cipher
-both set to
-.Dv NULL
-and
-.Fa key_len
-set to 0.
-In that case, any data already processed is discarded and
-.Fa ctx
-is re-initialized to start reading data anew.
-.Pp
-.Fn CMAC_Update
-processes
-.Fa in_len
-bytes of input data pointed to by
-.Fa in_data .
-Depending on the number of input bytes already cached in
-.Fa ctx ,
-on
-.Fa in_len ,
-and on the block size, this may encrypt zero or more blocks.
-Unless
-.Fa in_len
-is zero, this function leaves at least one byte and at most one
-block of input cached but unprocessed inside the
-.Fa ctx
-object.
-.Fn CMAC_Update
-can be called multiple times
-to concatenate several chunks of input data of varying sizes.
-.Pp
-.Fn CMAC_Final
-stores the length of the message authentication code in bytes,
-which equals the cipher block size, into
-.Pf * Fa out_len .
-Unless
-.Fa out_mac
-is
-.Dv NULL ,
-it encrypts the last block, padding it if required, and copies the
-resulting message authentication code to
-.Fa out_mac .
-The caller is responsible for providing a buffer of sufficient size.
-.Pp
-.Fn CMAC_CTX_copy
-performs a deep copy of the already initialized
-.Fa in_ctx
-into
-.Fa out_ctx .
-.Pp
-.Fn CMAC_CTX_cleanup
-zeros out both subkeys and all temporary data in
-.Fa ctx
-and in the embedded
-.Vt EVP_CIPHER_CTX
-object, frees all allocated memory associated with it,
-except for
-.Fa ctx
-itself, and marks it as uninitialized,
-such that it can be reused for subsequent
-.Fn CMAC_Init .
-.Pp
-.Fn CMAC_CTX_free
-calls
-.Fn CMAC_CTX_cleanup ,
-then frees
-.Fa ctx
-itself.
-If
-.Fa ctx
-is
-.Dv NULL ,
-no action occurs.
-.Sh RETURN VALUES
-.Fn CMAC_CTX_new
-returns the new context object or
-.Dv NULL
-in case of failure.
-It succeeds unless memory is exhausted.
-.Pp
-.Fn CMAC_Init ,
-.Fn CMAC_Update ,
-.Fn CMAC_Final ,
-and
-.Fn CMAC_CTX_copy
-return 1 on success or 0 on failure.
-.Fn CMAC_Init
-fails if initializing the embedded
-.Vt EVP_CIPHER_CTX
-object fails.
-The others fail if
-.Fa in_ctx
-is uninitialized.
-.Fn CMAC_Update
-and
-.Fn CMAC_Final
-also fail if encrypting a block fails, and
-.Fn CMAC_CTX_copy
-if copying the embedded
-.Vt EVP_CIPHER_CTX
-object fails, which can for example happen when memory is exhausted.
-.Pp
-.Fn CMAC_CTX_get0_cipher_ctx
-returns an internal pointer to the
-.Vt EVP_CIPHER_CTX
-object that is embedded in
-.Fa ctx .
-.Sh ERRORS
-The CMAC code itself does not use the
-.In openssl/err.h
-framework, so in general, the reasons for failure cannot be found out with
-.Xr ERR_get_error 3 .
-However, since the
-.Xr EVP_EncryptInit 3
-functions are used internally, entries may still get pushed onto
-the error stack in some cases of failure.
-.Sh SEE ALSO
-.Xr EVP_aes_128_cbc 3 ,
-.Xr EVP_DigestSignInit 3 ,
-.Xr EVP_EncryptInit 3 ,
-.Xr EVP_PKEY_new_CMAC_key 3 ,
-.Xr HMAC 3
-.Sh STANDARDS
-.Rs
-.%A Morris Dworkin
-.%T "Recommendation for Block Cipher Modes of Operation:\
- The CMAC Mode for Authentication"
-.%I National Institute of Standards and Technology
-.%R NIST Special Publication 800-38B
-.%U https://doi.org/10.6028/NIST.SP.800-38B
-.%C Gaithersburg, Maryland
-.%D May 2005, updated October 6, 2016
-.Re
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.1
-and have been available since
-.Ox 5.3 .
diff --git a/src/lib/libcrypto/man/CMS_ContentInfo_new.3 b/src/lib/libcrypto/man/CMS_ContentInfo_new.3
deleted file mode 100644
index d5117fa4ae..0000000000
--- a/src/lib/libcrypto/man/CMS_ContentInfo_new.3
+++ /dev/null
@@ -1,135 +0,0 @@
-.\" $OpenBSD: CMS_ContentInfo_new.3,v 1.4 2024/01/22 14:00:13 tb Exp $
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: January 22 2024 $
-.Dt CMS_CONTENTINFO_NEW 3
-.Os
-.Sh NAME
-.Nm CMS_ContentInfo_new ,
-.Nm CMS_ContentInfo_free ,
-.Nm CMS_ContentInfo_print_ctx ,
-.Nm CMS_ReceiptRequest_new ,
-.Nm CMS_ReceiptRequest_free
-.Nd Cryptographic Message Syntax data structures
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_ContentInfo *
-.Fn CMS_ContentInfo_new void
-.Ft void
-.Fn CMS_ContentInfo_free "CMS_ContentInfo *cms"
-.Ft int
-.Fo CMS_ContentInfo_print_ctx
-.Fa "BIO *out"
-.Fa "CMS_ContentInfo *cms"
-.Fa "int indent"
-.Fa "const ASN1_PCTX *pctx"
-.Fc
-.Ft CMS_ReceiptRequest *
-.Fn CMS_ReceiptRequest_new void
-.Ft void
-.Fn CMS_ReceiptRequest_free "CMS_ReceiptRequest *rr"
-.Sh DESCRIPTION
-.Fn CMS_ContentInfo_new
-allocates and initializes an empty
-.Vt CMS_ContentInfo
-object, representing an ASN.1
-.Vt ContentInfo
-structure defined in RFC 5652 section 3.
-It can hold a pointer to an ASN.1 OBJECT IDENTIFIER
-and a pointer to either a
-.Vt SignedData ,
-.Vt EnvelopedData ,
-.Vt DigestedData ,
-.Vt EncryptedData ,
-.Vt AuthenticatedData ,
-or
-.Vt CompressedData
-object or to an arbitrary ASN.1 object.
-.Fn CMS_ContentInfo_free
-frees
-.Fa cms .
-.Pp
-.Fn CMS_ContentInfo_print_ctx
-prints a human readable representation of
-.Fa cms
-to
-.Fa out .
-.Pp
-.Fn CMS_ReceiptRequest_new
-allocates and initializes an empty
-.Vt CMS_ReceiptRequest
-object, representing an ASN.1
-.Vt ReceiptRequest
-structure defined in RFC 2634 section 2.7.
-It can contain a content identifier, a list of recipients requested
-to return a signed receipt, and a list of users to send the receipt to.
-.Fn CMS_ReceiptRequest_free
-frees
-.Fa rr .
-.Sh RETURN VALUES
-.Fn CMS_ContentInfo_new
-and
-.Fn CMS_ReceiptRequest_new
-return the new
-.Vt CMS_ContentInfo
-or
-.Vt CMS_ReceiptRequest
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr BIO_new_CMS 3 ,
-.Xr CMS_add0_cert 3 ,
-.Xr CMS_add1_recipient_cert 3 ,
-.Xr CMS_add1_signer 3 ,
-.Xr CMS_compress 3 ,
-.Xr CMS_decrypt 3 ,
-.Xr CMS_encrypt 3 ,
-.Xr CMS_final 3 ,
-.Xr CMS_get0_RecipientInfos 3 ,
-.Xr CMS_get0_SignerInfos 3 ,
-.Xr CMS_get0_type 3 ,
-.Xr CMS_get1_ReceiptRequest 3 ,
-.Xr CMS_sign 3 ,
-.Xr CMS_sign_receipt 3 ,
-.Xr CMS_signed_add1_attr 3 ,
-.Xr CMS_uncompress 3 ,
-.Xr CMS_verify 3 ,
-.Xr CMS_verify_receipt 3 ,
-.Xr crypto 3 ,
-.Xr d2i_CMS_ContentInfo 3 ,
-.Xr i2d_CMS_bio_stream 3 ,
-.Xr PEM_read_bio_PrivateKey 3 ,
-.Xr PEM_write_bio_CMS_stream 3 ,
-.Xr SMIME_read_CMS 3 ,
-.Xr SMIME_write_CMS 3
-.Sh STANDARDS
-RFC 5652: Cryptographic Message Syntax, section 3: General Syntax
-.Pp
-RFC 3274: Compressed Data Content Type for Cryptographic Message Syntax (CMS)
-.Pp
-RFC 2634: Enhanced Security Services for S/MIME,
-section 2.7: Receipt Request Syntax
-.Sh HISTORY
-.Fn CMS_ContentInfo_new ,
-.Fn CMS_ContentInfo_free ,
-.Fn CMS_ReceiptRequest_new ,
-and
-.Fn CMS_ReceiptRequest_free
-first appeared in OpenSSL 0.9.8h and
-.Fn CMS_ContentInfo_print_ctx
-in OpenSSL 1.0.0.
-This functions have been available since
-.Ox 6.7 .
diff --git a/src/lib/libcrypto/man/CMS_add0_cert.3 b/src/lib/libcrypto/man/CMS_add0_cert.3
deleted file mode 100644
index be9357cc9a..0000000000
--- a/src/lib/libcrypto/man/CMS_add0_cert.3
+++ /dev/null
@@ -1,222 +0,0 @@
-.\" $OpenBSD: CMS_add0_cert.3,v 1.10 2024/11/30 21:21:40 tb Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 30 2024 $
-.Dt CMS_ADD0_CERT 3
-.Os
-.Sh NAME
-.Nm CMS_add0_cert ,
-.Nm CMS_add1_cert ,
-.Nm CMS_get1_certs ,
-.Nm CMS_add0_crl ,
-.Nm CMS_add1_crl ,
-.Nm CMS_get1_crls
-.Nd CMS certificate and CRL utility functions
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo CMS_add0_cert
-.Fa "CMS_ContentInfo *cms"
-.Fa "X509 *certificate"
-.Fc
-.Ft int
-.Fo CMS_add1_cert
-.Fa "CMS_ContentInfo *cms"
-.Fa "X509 *certificate"
-.Fc
-.Ft STACK_OF(X509) *
-.Fo CMS_get1_certs
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Ft int
-.Fo CMS_add0_crl
-.Fa "CMS_ContentInfo *cms"
-.Fa "X509_CRL *crl"
-.Fc
-.Ft int
-.Fo CMS_add1_crl
-.Fa "CMS_ContentInfo *cms"
-.Fa "X509_CRL *crl"
-.Fc
-.Ft STACK_OF(X509_CRL) *
-.Fo CMS_get1_crls
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_add0_cert
-adds the
-.Fa certificate
-to the
-.Fa certificates
-field of
-.Fa cms
-if it is of the type
-.Vt SignedData
-or to the
-.Fa originatorInfo.certs
-field if it is of the type
-.Vt EnvelopedData .
-.Fn CMS_add1_cert
-does the same and also increments the reference count of the
-.Fa certificate
-with
-.Xr X509_up_ref 3
-in case of success.
-.Pp
-.Fn CMS_get1_certs
-returns all certificates in
-.Fa cms .
-.Pp
-.Fn CMS_add0_crl
-adds the
-.Fa crl
-to the
-.Fa crls
-field of
-.Fa cms
-if it is of the type
-.Vt SignedData
-or to the
-.Fa originatorInfo.crls
-field if it is of the type
-.Vt EnvelopedData .
-.Fn CMS_add1_crl
-does the same and also increments the reference count of the
-.Fa crl
-with
-.Xr X509_CRL_up_ref 3
-in case of success.
-.Pp
-.Fn CMS_get1_crls
-returns any CRLs in
-.Fa cms .
-.Pp
-An error occurs if
-.Fa cms
-is of any type other than
-.Vt SignedData
-or
-.Vt EnvelopedData .
-.Pp
-The same
-.Fa certificate
-or
-.Fa crl
-must not be added to the same
-.Fa cms
-structure more than once.
-.Sh RETURN VALUES
-.Fn CMS_add0_cert ,
-.Fn CMS_add1_cert ,
-.Fn CMS_add0_crl ,
-and
-.Fn CMS_add1_crl
-return 1 for success or 0 for failure.
-.Pp
-.Fn CMS_get1_certs
-and
-.Fn CMS_get1_crls
-return the STACK of certificates or CRLs or
-.Dv NULL
-if there are none or an error occurs.
-Possible errors are that the
-.Fa cms
-type is invalid or memory allocation failure.
-Not all errors result in an error on the error stack.
-The returned stack must be freed using the appropriate
-macro wrapper of
-.Xr sk_pop_free 3 ,
-namely
-.Dv sk_X509_pop_free()
-or
-.Dv sk_X509_CRL_pop_free() .
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_encrypt 3 ,
-.Xr CMS_final 3 ,
-.Xr CMS_sign 3 ,
-.Xr ERR_get_error 3
-.Sh STANDARDS
-RFC 5652: Cryptographic Message Syntax
-.Bl -dash -compact -offset indent
-.It
-section 5.1: SignedData Type
-.It
-section 6.1: EnvelopedData Type
-.El
-.Sh HISTORY
-.Fn CMS_add0_cert ,
-.Fn CMS_add1_cert ,
-.Fn CMS_get1_certs ,
-.Fn CMS_add0_crl ,
-and
-.Fn CMS_get1_crls
-first appeared in OpenSSL 0.9.8h and
-.Fn CMS_add1_crl
-in OpenSSL 1.0.0.
-These functions have been available since
-.Ox 6.7 .
diff --git a/src/lib/libcrypto/man/CMS_add1_recipient_cert.3 b/src/lib/libcrypto/man/CMS_add1_recipient_cert.3
deleted file mode 100644
index 465119397d..0000000000
--- a/src/lib/libcrypto/man/CMS_add1_recipient_cert.3
+++ /dev/null
@@ -1,200 +0,0 @@
-.\" $OpenBSD: CMS_add1_recipient_cert.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 2 2019 $
-.Dt CMS_ADD1_RECIPIENT_CERT 3
-.Os
-.Sh NAME
-.Nm CMS_add1_recipient_cert ,
-.Nm CMS_add0_recipient_key
-.Nd add recipients to a CMS EnvelopedData structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_RecipientInfo *
-.Fo CMS_add1_recipient_cert
-.Fa "CMS_ContentInfo *cms"
-.Fa "X509 *certificate"
-.Fa "unsigned int flags"
-.Fc
-.Ft CMS_RecipientInfo *
-.Fo CMS_add0_recipient_key
-.Fa "CMS_ContentInfo *cms"
-.Fa "int nid"
-.Fa "unsigned char *key"
-.Fa "size_t keylen"
-.Fa "unsigned char *id"
-.Fa "size_t idlen"
-.Fa "ASN1_GENERALIZEDTIME *date"
-.Fa "ASN1_OBJECT *otherTypeId"
-.Fa "ASN1_TYPE *otherType"
-.Fc
-.Sh DESCRIPTION
-These functions add a new
-.Vt RecipientInfo
-structure to the
-.Fa recipientInfos
-field of the
-.Vt EnvelopedData
-structure
-.Fa cms ,
-which should have been obtained from an initial call to
-.Xr CMS_encrypt 3
-with the flag
-.Dv CMS_PARTIAL
-set.
-.Pp
-.Fn CMS_add1_recipient_cert
-adds the recipient
-.Fa certificate
-as a
-.Vt KeyTransRecipientInfo
-structure.
-.Pp
-.Fn CMS_add0_recipient_key
-adds the symmetric
-.Fa key
-of length
-.Fa keylen
-using the wrapping algorithm
-.Fa nid ,
-the identifier
-.Fa id
-of length
-.Fa idlen ,
-and the optional values
-.Fa date ,
-.Fa otherTypeId
-and
-.Fa otherType
-as a
-.Vt KEKRecipientInfo
-structure.
-.Pp
-The main purpose of these functions is to provide finer control over a CMS
-.Vt EnvelopedData
-structure where the simpler
-.Xr CMS_encrypt 3
-function defaults are not appropriate,
-for example if one or more
-.Vt KEKRecipientInfo
-structures need to be added.
-New attributes can also be added using the returned
-.Vt CMS_RecipientInfo
-structure and the CMS attribute utility functions.
-.Pp
-By default, recipient certificates are identified using issuer
-name and serial number.
-If the flag
-.Dv CMS_USE_KEYID
-is set, the subject key identifier value is used instead.
-An error occurs if all recipient certificates do not have a subject key
-identifier extension.
-.Pp
-Currently only AES based key wrapping algorithms are supported for
-.Fa nid ,
-specifically
-.Dv NID_id_aes128_wrap ,
-.Dv NID_id_aes192_wrap ,
-and
-.Dv NID_id_aes256_wrap .
-If
-.Fa nid
-is set to
-.Dv NID_undef ,
-then an AES wrap algorithm will be used consistent with
-.Fa keylen .
-.Sh RETURN VALUES
-.Fn CMS_add1_recipient_cert
-and
-.Fn CMS_add0_recipient_key
-return an internal pointer to the
-.Vt CMS_RecipientInfo
-structure just added or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_encrypt 3 ,
-.Xr CMS_final 3 ,
-.Xr ERR_get_error 3
-.Sh STANDARDS
-RFC 5652: Cryptographic Message Syntax
-.Bl -dash -compact -offset indent
-.It
-section 6.1: EnvelopedData Type
-.It
-section 6.2.1: KeyTransRecipientInfo Type
-.It
-section 6.2.3: KEKRecipientInfo Type
-.El
-.Sh HISTORY
-.Fn CMS_add1_recipient_cert
-and
-.Fn CMS_add0_recipient_key
-first appeared in OpenSSL 0.9.8h
-and have been available since
-.Ox 6.7 .
diff --git a/src/lib/libcrypto/man/CMS_add1_signer.3 b/src/lib/libcrypto/man/CMS_add1_signer.3
deleted file mode 100644
index 316d63c5ad..0000000000
--- a/src/lib/libcrypto/man/CMS_add1_signer.3
+++ /dev/null
@@ -1,249 +0,0 @@
-.\" $OpenBSD: CMS_add1_signer.3,v 1.10 2024/04/18 16:50:22 tb Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 18 2024 $
-.Dt CMS_ADD1_SIGNER 3
-.Os
-.Sh NAME
-.Nm CMS_add1_signer ,
-.Nm CMS_SignerInfo_sign
-.Nd add a signer to a CMS SignedData structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_SignerInfo *
-.Fo CMS_add1_signer
-.Fa "CMS_ContentInfo *cms"
-.Fa "X509 *signcert"
-.Fa "EVP_PKEY *pkey"
-.Fa "const EVP_MD *md"
-.Fa "unsigned int flags"
-.Fc
-.Ft int
-.Fo CMS_SignerInfo_sign
-.Fa "CMS_SignerInfo *si"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_add1_signer
-adds a signer with certificate
-.Fa signcert
-and private key
-.Fa pkey
-using message digest
-.Fa md
-to the
-.Fa signerInfos
-field of the
-.Vt SignedData
-structure
-.Fa cms ,
-which should have been obtained from an initial call to
-.Xr CMS_sign 3
-with the flag
-.Dv CMS_PARTIAL
-set, or which can be a valid
-.Vt SignedData
-structure in the case of re-signing.
-.Pp
-If
-.Fa md
-is
-.Dv NULL ,
-the default digest for the public key algorithm of
-.Fa pkey
-is used.
-.Pp
-Unless the
-.Dv CMS_REUSE_DIGEST
-flag is set, the
-.Fa cms
-structure remains incomplete and must be finalized either by streaming
-(if applicable) or by a call to
-.Xr CMS_final 3 .
-.Pp
-The main purpose of
-.Fn CMS_add1_signer
-is to provide finer control over a CMS
-.Vt SignedData
-structure where the simpler
-.Xr CMS_sign 3
-function defaults are not appropriate, for example if multiple signers
-or non default digest algorithms are needed.
-New attributes can also be added using the returned
-.Vt CMS_SignerInfo
-structure and the CMS attribute utility functions or the CMS signed
-receipt request functions.
-.Pp
-Any of the following flags (OR'ed together) can be passed in the
-.Fa flags
-parameter:
-.Bl -tag -width Ds
-.It Dv CMS_REUSE_DIGEST
-Attempt to copy the content digest value from one of the existing
-.Vt CMS_SignerInfo
-structures in
-.Fa cms
-while adding another signer.
-An error occurs if a matching digest value cannot be found to copy.
-The
-.Fa cms
-structure will be valid and finalized when this flag is set.
-.It Dv CMS_PARTIAL
-If this flag is set in addition to
-.Dv CMS_REUSE_DIGEST ,
-the returned
-.Vt CMS_SignerInfo
-structure will not be finalized so additional attributes can be added.
-In this case an explicit call to
-.Fn CMS_SignerInfo_sign
-is needed to finalize it.
-.It Dv CMS_NOCERTS
-Do not add the signer's certificate to the
-.Fa certificates
-field of
-.Fa cms .
-The signer's certificate must still be supplied in the
-.Fa signcert
-parameter though.
-This flag can reduce the size of the signature if the signer's certificate can
-be obtained by other means, for example from a previously signed message.
-.It Dv CMS_NOATTR
-Leave the
-.Fa signedAttrs
-field of the returned
-.Vt CMS_SignedData
-structure empty.
-By default, several CMS
-.Vt SignedAttributes
-are added, including the signing time, the CMS content type,
-and the supported list of ciphers in an
-.Vt SMIMECapabilities
-attribute.
-.It Dv CMS_NOSMIMECAP
-Omit just the
-.Vt SMIMECapabilities
-attribute.
-.It Dv CMS_USE_KEYID
-Use the subject key identifier value to identify signing certificates.
-An error occurs if the signing certificate does not have a subject key
-identifier extension.
-By default, issuer name and serial number are used instead.
-.El
-.Pp
-If present, the
-.Vt SMIMECapabilities
-attribute indicates support for the
-following algorithms in preference order: 256-bit AES,
-192-bit AES, 128-bit AES, triple DES, 128-bit RC2, 64-bit
-RC2, DES and 40-bit RC2.
-If any of these algorithms is not available then it will not be
-included.
-.Pp
-The
-.Fn CMS_SignerInfo_sign
-function explicitly signs
-.Fa si .
-Its main use is when the
-.Dv CMS_REUSE_DIGEST
-and
-.Dv CMS_PARTIAL
-flags were both set in the call to
-.Fn CMS_add1_signer
-that created
-.Fa si .
-.Sh RETURN VALUES
-.Fn CMS_add1_signer
-returns an internal pointer to the new
-.Vt CMS_SignerInfo
-structure just added or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_final 3 ,
-.Xr CMS_sign 3 ,
-.Xr ERR_get_error 3
-.Sh STANDARDS
-RFC 5652: Cryptographic Message Syntax, section 5.1: SignedData Type
-.Pp
-RFC 8419: Use of Edwards-Curve Digital Signature Algorithm (EdDSA) Signatures
-in the Cryptographic Message Syntax (CMS)
-.Pp
-RFC 8551: Secure/Multipurpose Internet Mail Extensions (S/MIME)
-Version\ 4.0 Message Specification
-.Bl -dash -compact -offset indent
-.It
-section 2.5: Attributes and the SignerInfo Type
-.It
-section 2.5.2: SMIMECapabilities Attribute
-.El
-.Sh HISTORY
-.Fn CMS_add1_signer
-and
-.Fn CMS_SignerInfo_sign
-first appeared in OpenSSL 0.9.8h
-and have been available since
-.Ox 6.7 .
diff --git a/src/lib/libcrypto/man/CMS_compress.3 b/src/lib/libcrypto/man/CMS_compress.3
deleted file mode 100644
index 242e4e96cb..0000000000
--- a/src/lib/libcrypto/man/CMS_compress.3
+++ /dev/null
@@ -1,170 +0,0 @@
-.\" $OpenBSD: CMS_compress.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 2 2019 $
-.Dt CMS_COMPRESS 3
-.Os
-.Sh NAME
-.Nm CMS_compress
-.Nd create a CMS CompressedData structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_ContentInfo *
-.Fo CMS_compress
-.Fa "BIO *in"
-.Fa "int comp_nid"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_compress
-creates and returns a CMS
-.Vt CompressedData
-structure.
-.Pp
-.Fa comp_nid
-is the compression algorithm to use or
-.Dv NID_undef
-to use the default algorithm.
-Currently, the default algorithm
-.Dv NID_zlib_compression
-is the only supported algorithm.
-If zlib support is not compiled in,
-.Fn CMS_compress
-always returns an error.
-.Pp
-.Fa in
-provides the content to be compressed.
-.Pp
-Any of the following flags (OR'ed together) can be passed in the
-.Fa flags
-parameter:
-.Bl -tag -width Ds
-.It Dv CMS_TEXT
-Prepend MIME headers for type text/plain to the data.
-.It Dv CMS_BINARY
-Do not translate the supplied content into MIME canonical format,
-even though that is required by the S/MIME specifications.
-This option should be used if the supplied data is in binary format.
-Otherwise, the translation will corrupt it.
-If
-.Dv CMS_BINARY
-is set,
-.Dv CMS_TEXT
-is ignored.
-.It Dv CMS_STREAM
-Return a partial
-.Vt CMS_ContentInfo
-structure suitable for streaming I/O: no data is read from
-.Fa in .
-Several functions including
-.Xr SMIME_write_CMS 3 ,
-.Xr i2d_CMS_bio_stream 3 ,
-or
-.Xr PEM_write_bio_CMS_stream 3
-can be used to finalize the structure.
-Alternatively, finalization can be performed by obtaining the streaming
-ASN1
-.Vt BIO
-directly using
-.Xr BIO_new_CMS 3 .
-Outputting the contents of the
-.Vt CMS_ContentInfo
-structure via a function that does not
-properly finalize it will give unpredictable results.
-.It Dv CMS_DETACHED
-Do not include the compressed data in the
-.Vt CMS_ContentInfo
-structure.
-This is rarely used in practice and is not supported by
-.Xr SMIME_write_CMS 3 .
-.El
-.Pp
-Additional compression parameters such as the zlib compression level
-cannot currently be set.
-.Sh RETURN VALUES
-.Fn CMS_compress
-returns either a
-.Vt CMS_ContentInfo
-structure or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_uncompress 3
-.Sh STANDARDS
-RFC 3274: Compressed Data Content Type for Cryptographic Message Syntax (CMS)
-.Sh HISTORY
-.Fn CMS_compress
-first appeared in OpenSSL 0.9.8h
-and has been available since
-.Ox 6.7 .
-.Pp
-The
-.Dv CMS_STREAM
-flag first appeared in OpenSSL 1.0.0.
diff --git a/src/lib/libcrypto/man/CMS_decrypt.3 b/src/lib/libcrypto/man/CMS_decrypt.3
deleted file mode 100644
index 243ab2f30e..0000000000
--- a/src/lib/libcrypto/man/CMS_decrypt.3
+++ /dev/null
@@ -1,226 +0,0 @@
-.\" $OpenBSD: CMS_decrypt.3,v 1.8 2019/11/02 15:39:46 schwarze Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008, 2014 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 2 2019 $
-.Dt CMS_DECRYPT 3
-.Os
-.Sh NAME
-.Nm CMS_decrypt ,
-.Nm CMS_decrypt_set1_pkey ,
-.Nm CMS_decrypt_set1_key
-.Nd decrypt content from a CMS EnvelopedData structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo CMS_decrypt
-.Fa "CMS_ContentInfo *cms"
-.Fa "EVP_PKEY *private_key"
-.Fa "X509 *certificate"
-.Fa "BIO *dcont"
-.Fa "BIO *out"
-.Fa "unsigned int flags"
-.Fc
-.Ft int
-.Fo CMS_decrypt_set1_pkey
-.Fa "CMS_ContentInfo *cms"
-.Fa "EVP_PKEY *private_key"
-.Fa "X509 *certificate"
-.Fc
-.Ft int
-.Fo CMS_decrypt_set1_key
-.Fa "CMS_ContentInfo *cms"
-.Fa "unsigned char *symmetric_key"
-.Fa "size_t keylen"
-.Fa "const unsigned char *id"
-.Fa "size_t idlen"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_decrypt
-extracts and decrypts the content from the CMS
-.Vt EnvelopedData
-structure
-.Fa cms
-using the
-.Fa private_key
-and the
-.Fa certificate
-of the recipient.
-It writes the decrypted content to
-.Fa out .
-.Pp
-In the rare case where the compressed content is detached, pass it in via
-.Fa dcont .
-For normal use, set
-.Fa dcont
-to
-.Dv NULL .
-.Pp
-Although the recipient's
-.Fa certificate
-is not needed to decrypt the data, it is needed to locate the
-appropriate (of possibly several) recipients in the CMS structure.
-.Pp
-If the
-.Fa certificate
-is set to
-.Dv NULL ,
-all possible recipients are tried.
-This case however is problematic.
-To thwart the MMA attack (Bleichenbacher's attack on PKCS #1 v1.5 RSA
-padding), all recipients are tried whether they succeed or not.
-If no recipient succeeds, a random symmetric key is used to decrypt
-the content: this will typically output garbage and may (but is not
-guaranteed to) ultimately return a padding error only.
-If
-.Fn CMS_decrypt
-just returned an error when all recipient encrypted keys failed to
-decrypt, an attacker could use this in a timing attack.
-If the special flag
-.Dv CMS_DEBUG_DECRYPT
-is set, the above behaviour is modified and an error
-.Em is
-returned if no recipient encrypted key can be decrypted
-.Em without
-generating a random content encryption key.
-Applications should use this flag with extreme caution
-especially in automated gateways as it can leave them open to attack.
-.Pp
-It is possible to determine the correct recipient key by other means
-(for example by looking them up in a database) and setting them in the
-.Fa cms
-structure in advance using the CMS utility functions such as
-.Fn CMS_decrypt_set1_pkey .
-In this case both
-.Fa certificate
-and
-.Fa private_key
-should be set to
-.Dv NULL
-when calling
-.Fn CMS_decrypt
-later on.
-.Pp
-To process
-.Vt KEKRecipientInfo
-types,
-.Fn CMS_decrypt_set1_key
-or
-.Xr CMS_RecipientInfo_set0_key 3
-and
-.Xr CMS_RecipientInfo_decrypt 3
-should be called before
-.Fn CMS_decrypt
-and
-.Fa certificate
-and
-.Fa private_key
-set to
-.Dv NULL
-when calling
-.Fn CMS_decrypt
-later on.
-.Pp
-If the
-.Dv CMS_TEXT
-bit is set in
-.Fa flags ,
-MIME headers for type text/plain are deleted from the content.
-If the content is not of type text/plain, an error occurs.
-.Sh RETURN VALUES
-.Fn CMS_decrypt ,
-.Fn CMS_decrypt_set1_pkey ,
-and
-.Fn CMS_decrypt_set1_key
-return 1 for success or 0 for failure.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_encrypt 3 ,
-.Xr CMS_get0_RecipientInfos 3
-.Sh STANDARDS
-RFC 5652: Cryptographic Message Syntax (CMS)
-.Bl -dash -compact -offset indent
-.It
-section 6.1: EnvelopedData Type
-.It
-section 6.2.3: KEKRecipientInfo Type
-.El
-.Sh HISTORY
-.Fn CMS_decrypt ,
-.Fn CMS_decrypt_set1_pkey ,
-and
-.Fn CMS_decrypt_set1_key
-first appeared in OpenSSL 0.9.8h
-and have been available since
-.Ox 6.7 .
-.Sh BUGS
-The lack of single pass processing and the need to hold all data in
-memory as mentioned in
-.Xr CMS_verify 3
-also applies to
-.Fn CMS_decrypt .
diff --git a/src/lib/libcrypto/man/CMS_encrypt.3 b/src/lib/libcrypto/man/CMS_encrypt.3
deleted file mode 100644
index 03d8b4edbb..0000000000
--- a/src/lib/libcrypto/man/CMS_encrypt.3
+++ /dev/null
@@ -1,191 +0,0 @@
-.\" $OpenBSD: CMS_encrypt.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
-.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 2 2019 $
-.Dt CMS_ENCRYPT 3
-.Os
-.Sh NAME
-.Nm CMS_encrypt
-.Nd create a CMS EnvelopedData structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_ContentInfo *
-.Fo CMS_encrypt
-.Fa "STACK_OF(X509) *certificates"
-.Fa "BIO *in"
-.Fa "const EVP_CIPHER *cipher"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_encrypt
-creates a CMS
-.Vt EnvelopedData
-structure, encrypting the content provided by
-.Fa in .
-.Pp
-The recipient
-.Fa certificates
-are added as
-.Vt KeyTransRecipientInfo
-structures by calling the function
-.Xr CMS_add1_recipient_cert 3
-internally.
-Only certificates carrying RSA, Diffie-Hellman or EC keys are supported
-by this function.
-The
-.Fa certificates
-argument can be set to
-.Dv NULL
-if the
-.Dv CMS_PARTIAL
-flag is set and recipients are added later using
-.Xr CMS_add1_recipient_cert 3
-or
-.Xr CMS_add0_recipient_key 3 .
-.Pp
-.Fa cipher
-is the symmetric cipher to use.
-It must support ASN.1 encoding of its parameters.
-.Xr EVP_des_ede3_cbc 3
-(triple DES) is the algorithm of choice for S/MIME use because most
-clients support it.
-.Pp
-Many browsers implement a "sign and encrypt" option which is simply an
-S/MIME
-.Vt EnvelopedData
-containing an S/MIME signed message.
-This can be readily produced by storing the S/MIME signed message in a
-memory BIO and passing it to
-.Fn CMS_encrypt .
-.Pp
-The following flags can be passed in the
-.Fa flags
-parameter:
-.Bl -tag -width Ds
-.It Dv CMS_TEXT
-MIME headers for type text/plain are prepended to the data.
-.It Dv CMS_BINARY
-Do not translate the supplied content into MIME canonical format
-even though that is required by the S/MIME specifications.
-This option should be used if the supplied data is in binary format.
-Otherwise, the translation will corrupt it.
-If
-.Dv CMS_BINARY
-is set, then
-.Dv CMS_TEXT
-is ignored.
-.It Dv CMS_USE_KEYID
-Use the subject key identifier value to identify recipient certificates.
-An error occurs if all recipient certificates do not have a subject key
-identifier extension.
-By default, issuer name and serial number are used instead.
-.It Dv CMS_STREAM
-Return a partial
-.Vt CMS_ContentInfo
-structure suitable for streaming I/O: no data is read from the BIO
-.Fa in .
-Several functions including
-.Xr SMIME_write_CMS 3 ,
-.Xr i2d_CMS_bio_stream 3 ,
-or
-.Xr PEM_write_bio_CMS_stream 3
-can be used  to finalize the structure.
-Alternatively, finalization can be performed by obtaining the streaming
-ASN1
-.Vt BIO
-directly using
-.Xr BIO_new_CMS 3 .
-Outputting the content of the returned
-.Vt CMS_ContentInfo
-structure via a function that does not properly finalize it
-will give unpredictable results.
-.It Dv CMS_PARTIAL
-Return a partial
-.Vt CMS_ContentInfo
-structure to which additional recipients and attributes can
-be added before finalization.
-.It Dv CMS_DETACHED
-Omit the data being encrypted from the
-.Vt CMS_ContentInfo
-structure.
-This is rarely used in practice and is not supported by
-.Xr SMIME_write_CMS 3 .
-.El
-.Sh RETURN VALUES
-.Fn CMS_encrypt
-returns either a
-.Vt CMS_ContentInfo
-structure or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_add0_cert 3 ,
-.Xr CMS_add1_recipient_cert 3 ,
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_decrypt 3
-.Sh STANDARDS
-RFC 5652: Cryptographic Message Syntax (CMS)
-.Bl -dash -compact -offset indent
-.It
-section 6.1: EnvelopedData Type
-.It
-section 6.2.1: KeyTransRecipientInfo Type
-.El
-.Sh HISTORY
-.Fn CMS_encrypt
-first appeared in OpenSSL 0.9.8h
-and has been available since
-.Ox 6.7 .
-.Pp
-The
-.Dv CMS_STREAM
-flag first appeared in OpenSSL 1.0.0.
diff --git a/src/lib/libcrypto/man/CMS_final.3 b/src/lib/libcrypto/man/CMS_final.3
deleted file mode 100644
index 4ca8945923..0000000000
--- a/src/lib/libcrypto/man/CMS_final.3
+++ /dev/null
@@ -1,101 +0,0 @@
-.\" $OpenBSD: CMS_final.3,v 1.6 2019/11/02 15:39:46 schwarze Exp $
-.\" full merge up to: OpenSSL 25ccb589 Jul 1 02:02:06 2019 +0800
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 2 2019 $
-.Dt CMS_FINAL 3
-.Os
-.Sh NAME
-.Nm CMS_final
-.Nd finalise a CMS_ContentInfo structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo CMS_final
-.Fa "CMS_ContentInfo *cms"
-.Fa "BIO *data"
-.Fa "BIO *dcont"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_final
-finalises the structure
-.Fa cms .
-Its purpose is to perform any operations necessary on
-.Fa cms
-(digest computation for example) and set the appropriate fields.
-The parameter
-.Fa data
-contains the content to be processed.
-The
-.Fa dcont
-parameter contains a
-.Vt BIO
-to write content to after processing: this is
-only used with detached data and will usually be set to
-.Dv NULL .
-.Pp
-This function will normally be called when the
-.Dv CMS_PARTIAL
-flag is used.
-It should only be used when streaming is not performed because the
-streaming I/O functions perform finalisation operations internally.
-.Sh RETURN VALUES
-.Fn CMS_final
-returns 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_encrypt 3 ,
-.Xr CMS_sign 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn CMS_final
-first appeared in OpenSSL 0.9.8h
-and has been available since
-.Ox 6.7 .
diff --git a/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3 b/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3
deleted file mode 100644
index 094d6ec487..0000000000
--- a/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3
+++ /dev/null
@@ -1,328 +0,0 @@
-.\" $OpenBSD: CMS_get0_RecipientInfos.3,v 1.8 2022/03/31 17:27:16 naddy Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 31 2022 $
-.Dt CMS_GET0_RECIPIENTINFOS 3
-.Os
-.Sh NAME
-.Nm CMS_get0_RecipientInfos ,
-.Nm CMS_RecipientInfo_type ,
-.Nm CMS_RecipientInfo_ktri_get0_signer_id ,
-.Nm CMS_RecipientInfo_ktri_cert_cmp ,
-.Nm CMS_RecipientInfo_set0_pkey ,
-.Nm CMS_RecipientInfo_kekri_get0_id ,
-.Nm CMS_RecipientInfo_kekri_id_cmp ,
-.Nm CMS_RecipientInfo_set0_key ,
-.Nm CMS_RecipientInfo_decrypt ,
-.Nm CMS_RecipientInfo_encrypt
-.Nd CMS EnvelopedData RecipientInfo routines
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft STACK_OF(CMS_RecipientInfo) *
-.Fo CMS_get0_RecipientInfos
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_type
-.Fa "CMS_RecipientInfo *ri"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_ktri_get0_signer_id
-.Fa "CMS_RecipientInfo *ri"
-.Fa "ASN1_OCTET_STRING **keyid"
-.Fa "X509_NAME **issuer"
-.Fa "ASN1_INTEGER **sno"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_ktri_cert_cmp
-.Fa "CMS_RecipientInfo *ri"
-.Fa "X509 *certificate"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_set0_pkey
-.Fa "CMS_RecipientInfo *ri"
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_kekri_get0_id
-.Fa "CMS_RecipientInfo *ri"
-.Fa "X509_ALGOR **palg"
-.Fa "ASN1_OCTET_STRING **pid"
-.Fa "ASN1_GENERALIZEDTIME **pdate"
-.Fa "ASN1_OBJECT **potherid"
-.Fa "ASN1_TYPE **pothertype"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_kekri_id_cmp
-.Fa "CMS_RecipientInfo *ri"
-.Fa "const unsigned char *id"
-.Fa "size_t idlen"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_set0_key
-.Fa "CMS_RecipientInfo *ri"
-.Fa "unsigned char *key"
-.Fa "size_t keylen"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_decrypt
-.Fa "CMS_ContentInfo *cms"
-.Fa "CMS_RecipientInfo *ri"
-.Fc
-.Ft int
-.Fo CMS_RecipientInfo_encrypt
-.Fa "CMS_ContentInfo *cms"
-.Fa "CMS_RecipientInfo *ri"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_get0_RecipientInfos
-returns all the
-.Vt RecipientInfo
-structures associated with the
-.Vt EnvelopedData
-structure
-.Fa cms .
-.Pp
-.Fn CMS_RecipientInfo_type
-returns the type of
-.Fa ri :
-.Bl -column CMS_RECIPINFO_TRANS for -compact
-.It Dv CMS_RECIPINFO_TRANS Ta for Ta Vt KeyTransRecipientInfo ,
-.It Dv CMS_RECIPINFO_AGREE Ta for Ta Vt KeyAgreeRecipientInfo ,
-.It Dv CMS_RECIPINFO_KEK   Ta for Ta Vt KEKRecipientInfo ,
-.It Dv CMS_RECIPINFO_PASS  Ta for Ta Vt PasswordRecipientinfo , No or
-.It Dv CMS_RECIPINFO_OTHER Ta for Ta Vt OtherRecipientInfo .
-.El
-.Pp
-.Fn CMS_RecipientInfo_ktri_get0_signer_id
-retrieves the certificate
-.Vt RecipientIdentifier
-associated with the
-.Vt KeyTransRecipientInfo
-structure
-.Fa ri .
-Either the
-.Vt SubjectKeyIdentifier
-will be set in
-.Fa keyid
-or both issuer name and serial number in
-.Fa issuer
-and
-.Fa sno .
-.Pp
-.Fn CMS_RecipientInfo_ktri_cert_cmp
-compares the
-.Fa certificate
-against the
-.Vt KeyTransRecipientInfo
-structure
-.Fa ri .
-.Pp
-.Fn CMS_RecipientInfo_set0_pkey
-associates the private key
-.Fa pkey
-with the
-.Vt KeyTransRecipientInfo
-structure
-.Fa ri .
-.Pp
-.Fn CMS_RecipientInfo_kekri_get0_id
-retrieves the key information from the
-.Vt KEKRecipientInfo
-structure
-.Fa ri .
-Fields are copied out as follows:
-.Bl -column keyEncryptionAlgorithm to -compact
-.It Fa keyEncryptionAlgorithm Ta to Ta Pf * Fa palg ,
-.It Fa keyIdentifier          Ta to Ta Pf * Fa pid ,
-.It Fa date                   Ta to Ta Pf * Fa pdate Pq optional ,
-.It Fa other.keyAttrId        Ta to Ta Pf * Fa potherid Pq optional ,
-.It Fa other.keyAttr          Ta to Ta Pf * Fa pothertype Pq optional .
-.El
-Where a field is optional and absent,
-.Dv NULL
-is written to the corresponding parameter.
-Parameters the application is not interested in can be set to
-.Dv NULL .
-.Pp
-.Fn CMS_RecipientInfo_kekri_id_cmp
-compares the identifier in the
-.Fa id
-and
-.Fa idlen
-parameters against the
-.Fa keyIdentifier
-field of the
-.Vt KEKRecipientInfo
-structure
-.Fa ri .
-.Pp
-.Fn CMS_RecipientInfo_set0_key
-associates the symmetric
-.Fa key
-of length
-.Fa keylen
-with the
-.Vt KEKRecipientInfo
-structure
-.Fa ri .
-.Pp
-.Fn CMS_RecipientInfo_decrypt
-attempts to decrypt the
-.Vt RecipientInfo
-structure
-.Fa ri
-in
-.Fa cms .
-A key must have been associated with
-.Fa ri
-first.
-.Pp
-.Fn CMS_RecipientInfo_encrypt
-attempts to encrypt the
-.Vt RecipientInfo
-structure
-.Fa ri
-in
-.Fa cms .
-A key must have been associated with
-.Fa ri
-first and the content encryption key must be available,
-for example by a previous call to
-.Fn CMS_RecipientInfo_decrypt .
-.Pp
-The main purpose of these functions is to enable an application to
-lookup recipient keys using any appropriate technique when the simpler
-method of
-.Xr CMS_decrypt 3
-is not appropriate.
-.Pp
-In typical usage, an application retrieves all
-.Vt CMS_RecipientInfo
-structures using
-.Fn CMS_get0_RecipientInfos
-and checks the type of each using
-.Fn CMS_RecipientInfo_type .
-Depending on the type, the
-.Vt CMS_RecipientInfo
-structure can be ignored or its key identifier data retrieved using
-an appropriate function.
-If the corresponding secret or private key can be obtained by any
-appropriate means, it can then be associated with the structure and
-.Fn CMS_RecipientInfo_decrypt
-called.
-If successful,
-.Xr CMS_decrypt 3
-can be called with a
-.Dv NULL
-key to decrypt the enveloped content.
-.Pp
-The function
-.Fn CMS_RecipientInfo_encrypt
-can be used to add a new recipient to an existing enveloped data
-structure.
-Typically an application will first decrypt an appropriate
-.Vt CMS_RecipientInfo
-structure to make the content encrypt key available.
-It will then add a new recipient using a function such as
-.Xr CMS_add1_recipient_cert 3
-and finally encrypt the content encryption key using
-.Fn CMS_RecipientInfo_encrypt .
-.Sh RETURN VALUES
-.Fn CMS_get0_RecipientInfos
-returns an internal pointer to all the
-.Vt CMS_RecipientInfo
-structures, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn CMS_RecipientInfo_type
-returns an integer constant.
-.Pp
-.Fn CMS_RecipientInfo_ktri_get0_signer_id ,
-.Fn CMS_RecipientInfo_set0_pkey ,
-.Fn CMS_RecipientInfo_kekri_get0_id ,
-.Fn CMS_RecipientInfo_set0_key ,
-.Fn CMS_RecipientInfo_decrypt ,
-and
-.Fn CMS_RecipientInfo_encrypt
-return 1 for success or 0 if an error occurs.
-.Pp
-.Fn CMS_RecipientInfo_ktri_cert_cmp
-and
-.Fn CMS_RecipientInfo_kekri_id_cmp
-return 0 when
-.Fa ri
-matches or non-zero otherwise.
-.Pp
-Any error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_decrypt 3
-.Sh STANDARDS
-RFC 5652 Cryptographic Message Syntax (CMS):
-.Bl -dash -compact -offset indent
-.It
-section 6.1: EnvelopedData Type
-.It
-section 6.2: RecipientInfo Type
-.It
-section 6.2.1: KeyTransRecipientInfo Type
-.It
-section 6.2.3: KEKRecipientInfo Type
-.El
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8h,
-except that
-.Fn CMS_RecipientInfo_encrypt
-first appeared in OpenSSL 1.0.2.
-They have been available since
-.Ox 6.7 .
diff --git a/src/lib/libcrypto/man/CMS_get0_SignerInfos.3 b/src/lib/libcrypto/man/CMS_get0_SignerInfos.3
deleted file mode 100644
index 017fdd40f2..0000000000
--- a/src/lib/libcrypto/man/CMS_get0_SignerInfos.3
+++ /dev/null
@@ -1,214 +0,0 @@
-.\" $OpenBSD: CMS_get0_SignerInfos.3,v 1.9 2024/01/22 14:00:13 tb Exp $
-.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 22 2024 $
-.Dt CMS_GET0_SIGNERINFOS 3
-.Os
-.Sh NAME
-.Nm CMS_get0_SignerInfos ,
-.Nm CMS_SignerInfo_get_version ,
-.Nm CMS_SignerInfo_get0_signer_id ,
-.Nm CMS_SignerInfo_get0_signature ,
-.Nm CMS_SignerInfo_cert_cmp ,
-.Nm CMS_SignerInfo_set1_signer_cert
-.Nd CMS SignedData signer functions
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft STACK_OF(CMS_SignerInfo) *
-.Fo CMS_get0_SignerInfos
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Ft int
-.Fo CMS_SignerInfo_get_version
-.Fa "CMS_SignerInfo *si"
-.Fa "long *version"
-.Fc
-.Ft int
-.Fo CMS_SignerInfo_get0_signer_id
-.Fa "CMS_SignerInfo *si"
-.Fa "ASN1_OCTET_STRING **keyid"
-.Fa "X509_NAME **issuer"
-.Fa "ASN1_INTEGER **sno"
-.Fc
-.Ft ASN1_OCTET_STRING *
-.Fo CMS_SignerInfo_get0_signature
-.Fa "CMS_SignerInfo *si"
-.Fc
-.Ft int
-.Fo CMS_SignerInfo_cert_cmp
-.Fa "CMS_SignerInfo *si"
-.Fa "X509 *certificate"
-.Fc
-.Ft void
-.Fo CMS_SignerInfo_set1_signer_cert
-.Fa "CMS_SignerInfo *si"
-.Fa "X509 *signer"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_get0_SignerInfos
-returns all the
-.Vt SignerInfo
-structures associated with the
-.Vt SignedData
-structure
-.Fa cms .
-.Pp
-.Fn CMS_SignerInfo_get_version
-sets
-.Pf * Fa version
-to the syntax version number of the
-.Vt SignerInfo
-structure
-.Fa si .
-.Pp
-.Fn CMS_SignerInfo_get0_signer_id
-retrieves the certificate
-.Vt SignerIdentifier
-associated with the
-.Vt SignerInfo
-structure
-.Fa si .
-Either the
-.Vt SubjectKeyIdentifier
-will be set in
-.Fa keyid
-or both issuer name and serial number in
-.Fa issuer
-and
-.Fa sno .
-.Pp
-.Fn CMS_SignerInfo_get0_signature
-retrieves the
-.Fa signature
-field of
-.Fa si .
-The application program is allowed to modify the data pointed to.
-.Pp
-.Fn CMS_SignerInfo_cert_cmp
-compares the
-.Fa certificate
-against the signer identifier of
-.Fa si .
-.Pp
-.Fn CMS_SignerInfo_set1_signer_cert
-sets the signer certificate of
-.Fa si
-to
-.Fa signer .
-.Pp
-The main purpose of these functions is to enable an application to
-look up signer certificates using any appropriate technique when the
-simpler method of
-.Xr CMS_verify 3
-is not appropriate.
-.Pp
-In typical usage, an application retrieves all
-.Vt CMS_SignerInfo
-structures using
-.Fn CMS_get0_SignerInfos
-and retrieves the identifier information using CMS.
-It will then obtain the signer certificate by some unspecified means
-(or return and error if it cannot be found) and set it using
-.Fn CMS_SignerInfo_set1_signer_cert .
-Once all signer certificates have been set,
-.Xr CMS_verify 3
-can be used.
-.Sh RETURN VALUES
-.Fn CMS_get0_SignerInfos
-returns an internal pointer to all the
-.Vt CMS_SignerInfo
-structures, or
-.Dv NULL
-if there are no signers or if
-.Fa cms
-is not of the type
-.Vt SignedData .
-.Pp
-.Fn CMS_SignerInfo_get_version
-always succeeds and returns 1.
-.Pp
-.Fn CMS_SignerInfo_get0_signer_id
-returns 1 for success or 0 for failure.
-.Pp
-.Fn CMS_SignerInfo_get0_signature
-returns an internal pointer to the signature.
-.Pp
-.Fn CMS_SignerInfo_cert_cmp
-returns 0 for a match or non-zero otherwise.
-.Pp
-Any error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_signed_add1_attr 3 ,
-.Xr CMS_verify 3
-.Sh STANDARDS
-RFC 5652: Cryptographic Message Syntax (CMS)
-.Bl -dash -compact -offset indent
-.It
-section 5.1: SignedData Type
-.It
-section 5.3: SignerInfo Type
-.El
-.Sh HISTORY
-.Fn CMS_get0_SignerInfos ,
-.Fn CMS_SignerInfo_get0_signer_id ,
-.Fn CMS_SignerInfo_cert_cmp ,
-and
-.Fn CMS_SignerInfo_set1_signer_cert
-first appeared in OpenSSL 0.9.8h and
-.Fn CMS_SignerInfo_get0_signature
-in OpenSSL 1.0.2.
-These functions have been available since
-.Ox 6.7 .
-.Pp
-.Fn CMS_SignerInfo_get_version
-first appeared in
-.Ox 7.4 .
diff --git a/src/lib/libcrypto/man/CMS_get0_type.3 b/src/lib/libcrypto/man/CMS_get0_type.3
deleted file mode 100644
index 55adacd86d..0000000000
--- a/src/lib/libcrypto/man/CMS_get0_type.3
+++ /dev/null
@@ -1,226 +0,0 @@
-.\" $OpenBSD: CMS_get0_type.3,v 1.9 2023/07/27 05:31:28 tb Exp $
-.\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 27 2023 $
-.Dt CMS_GET0_TYPE 3
-.Os
-.Sh NAME
-.Nm CMS_get0_type ,
-.Nm CMS_get_version ,
-.Nm CMS_set1_eContentType ,
-.Nm CMS_get0_eContentType ,
-.Nm CMS_get0_content
-.Nd get and set CMS content types and content
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft const ASN1_OBJECT *
-.Fo CMS_get0_type
-.Fa "const CMS_ContentInfo *cms"
-.Fc
-.Ft int
-.Fo CMS_get_version
-.Fa "const CMS_ContentInfo *cms"
-.Fa "long *version"
-.Fc
-.Ft int
-.Fo CMS_set1_eContentType
-.Fa "CMS_ContentInfo *cms"
-.Fa "const ASN1_OBJECT *oid"
-.Fc
-.Ft const ASN1_OBJECT *
-.Fo CMS_get0_eContentType
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Ft ASN1_OCTET_STRING **
-.Fo CMS_get0_content
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_get0_type
-returns the content type of the
-.Vt ContentInfo
-structure
-.Fa cms .
-The
-.Vt ASN1_OBJECT
-value returned can be converted to an integer NID value using
-.Xr OBJ_obj2nid 3 .
-The following content types are identified by the following NIDs:
-.Pp
-.Bl -column AuthenticatedData NID_id_smime_ct_compressedData -compact
-.It Vt SignedData        Ta Dv NID_pkcs7_signed
-.It Vt EnvelopedData     Ta Dv NID_pkcs7_enveloped
-.It Vt DigestedData      Ta Dv NID_pkcs7_digest
-.It Vt EncryptedData     Ta Dv NID_pkcs7_encrypted
-.It Vt AuthenticatedData Ta Dv NID_id_smime_ct_authData
-.It Vt CompressedData    Ta Dv NID_id_smime_ct_compressedData
-.It arbitrary data       Ta Dv NID_pkcs7_data
-.El
-.Pp
-The
-.Vt SignedData ,
-.Vt DigestedData ,
-.Vt AuthenticatedData ,
-and
-.Vt CompressedData
-types contain a field
-.Fa encapContentInfo
-to allow embedding content, and
-.Vt EnvelopedData
-and
-.Vt EncryptedData
-contain a field
-.Fa encryptedContentInfo
-for that purpose.
-The type of the embedded content to be stored in that field can be
-set with the function
-.Fn CMS_set1_eContentType ,
-to be called on
-.Fa cms
-structures returned from functions such as
-.Xr CMS_sign 3
-or
-.Xr CMS_encrypt 3
-with the
-.Dv CMS_PARTIAL
-flag set and
-.Em before
-the structure is finalised; otherwise the results are undefined.
-.Fn CMS_set1_eContentType
-copies the supplied
-.Fa oid ,
-so it should be freed up after use.
-.Pp
-.Fn CMS_get_version
-sets
-.Pf * Fa version
-to the syntax version number of the
-.Vt ContentInfo
-structure
-.Fa cms .
-The version is a number between 0 and 5 and is defined for all the
-above content types except for arbitrary data.
-For arbitrary data and unsupported content types
-.Fn CMS_get_version
-fails and the content of
-.Pf * Fa version
-is unspecified.
-.Pp
-.Fn CMS_get0_eContentType
-returns the type of the embedded content.
-.Pp
-.Fn CMS_get0_content
-returns a pointer to the storage location where the pointer to the
-embedded content is stored.
-That means that for example after
-.Pp
-.Dl ASN1_OCTET_STRING **pconf = CMS_get0_content(cms);
-.Pp
-.Pf * Va pconf
-could be
-.Dv NULL
-if there is no embedded content.
-Applications can access, modify or create the embedded content in a
-.Vt CMS_ContentInfo
-structure using this function.
-Applications usually will not need to modify the embedded content as it
-is normally set by higher level functions.
-.Sh RETURN VALUES
-.Fn CMS_get0_type
-and
-.Fn CMS_get0_eContentType
-return internal pointers to
-.Vt OBJECT IDENTIFIER
-structures.
-.Pp
-.Fn CMS_get_version
-returns 1 on success and 0 on failure.
-.Pp
-.Fn CMS_get0_content
-returns an internal pointer to the storage location where the pointer
-to the embedded content is stored.
-.Pp
-.Fn CMS_set1_eContentType
-returns 1 for success or 0 if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr d2i_CMS_ContentInfo 3 ,
-.Xr SMIME_read_CMS 3
-.Sh STANDARDS
-RFC 5652: Cryptographic Message Syntax
-.Pp
-RFC 3274: Compressed Data Content Type for Cryptographic Message Syntax (CMS)
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8h
-and have been available since
-.Ox 6.7 .
-.Pp
-.Fn CMS_get_version
-first appeared in
-.Ox 7.4 .
diff --git a/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 b/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
deleted file mode 100644
index 9feedd13a2..0000000000
--- a/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
+++ /dev/null
@@ -1,198 +0,0 @@
-.\" $OpenBSD: CMS_get1_ReceiptRequest.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
-.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 2 2019 $
-.Dt CMS_GET1_RECEIPTREQUEST 3
-.Os
-.Sh NAME
-.Nm CMS_ReceiptRequest_create0 ,
-.Nm CMS_add1_ReceiptRequest ,
-.Nm CMS_get1_ReceiptRequest ,
-.Nm CMS_ReceiptRequest_get0_values
-.Nd CMS signed receipt request functions
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_ReceiptRequest *
-.Fo CMS_ReceiptRequest_create0
-.Fa "unsigned char *id"
-.Fa "int idlen"
-.Fa "int allorfirst"
-.Fa "STACK_OF(GENERAL_NAMES) *receiptList"
-.Fa "STACK_OF(GENERAL_NAMES) *receiptsTo"
-.Fc
-.Ft int
-.Fo CMS_add1_ReceiptRequest
-.Fa "CMS_SignerInfo *si"
-.Fa "CMS_ReceiptRequest *rr"
-.Fc
-.Ft int
-.Fo CMS_get1_ReceiptRequest
-.Fa "CMS_SignerInfo *si"
-.Fa "CMS_ReceiptRequest **prr"
-.Fc
-.Ft void
-.Fo CMS_ReceiptRequest_get0_values
-.Fa "CMS_ReceiptRequest *rr"
-.Fa "ASN1_STRING **pcid"
-.Fa "int *pallorfirst"
-.Fa "STACK_OF(GENERAL_NAMES) **plist"
-.Fa "STACK_OF(GENERAL_NAMES) **prto"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_ReceiptRequest_create0
-creates a new
-.Vt ReceiptRequest
-structure.
-The
-.Fa signedContentIdentifier
-field is set using
-.Fa id
-and
-.Fa idlen ,
-or it is set to 32 bytes of pseudo random data if
-.Fa id
-is
-.Dv NULL .
-If
-.Fa receiptList
-is
-.Dv NULL ,
-the
-.Fa allOrFirstTier
-option in the
-.Fa receiptsFrom
-field is set to the value of the
-.Fa allorfirst
-argument.
-If
-.Fa receiptList
-is not
-.Dv NULL ,
-the
-.Fa receiptList
-option in the
-.Fa receiptsFrom
-field is used.
-The
-.Fa receiptsTo
-argument specifies the value of the
-.Fa receiptsTo
-field.
-.Pp
-.Fn CMS_add1_ReceiptRequest
-adds a BER-encoded copy of
-.Fa rr
-to
-.Fa si .
-.Pp
-.Fn CMS_get1_ReceiptRequest
-looks for a signed receipt request in
-.Fa si .
-If any is found, it is decoded and written to
-.Fa prr .
-.Pp
-.Fn CMS_ReceiptRequest_get0_values
-retrieves the values of a receipt request.
-The
-.Fa signedContentIdentifier
-is copied to
-.Fa pcid .
-If the
-.Fa allOrFirstTier
-option is used in the
-.Fa receiptsFrom
-field, its value is copied to
-.Fa pallorfirst ;
-otherwise the
-.Fa receiptList
-field is copied to
-.Fa plist .
-The
-.Fa receiptsTo
-field is copied to
-.Fa prto .
-.Pp
-The contents of a signed receipt should only be considered meaningful if
-the corresponding
-.Vt CMS_ContentInfo
-structure can be successfully verified using
-.Xr CMS_verify 3 .
-.Sh RETURN VALUES
-.Fn CMS_ReceiptRequest_create0
-returns the new signed receipt request structure or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn CMS_add1_ReceiptRequest
-returns 1 for success or 0 if an error occurred.
-.Pp
-.Fn CMS_get1_ReceiptRequest
-returns 1 is a signed receipt request is found and decoded.
-It returns 0 if a signed receipt request is not present or -1 if it is
-present but malformed.
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_sign 3 ,
-.Xr CMS_sign_receipt 3 ,
-.Xr CMS_verify 3 ,
-.Xr CMS_verify_receipt 3 ,
-.Xr ERR_get_error 3
-.Sh STANDARDS
-RFC 2634: Enhanced Security Services for S/MIME,
-section 2.7: Receipt Request Syntax
-.Sh HISTORY
-.Fn CMS_ReceiptRequest_create0 ,
-.Fn CMS_add1_ReceiptRequest ,
-.Fn CMS_get1_ReceiptRequest ,
-and
-.Fn CMS_ReceiptRequest_get0_values
-first appeared in OpenSSL 0.9.8h
-and have been available since
-.Ox 6.7 .
diff --git a/src/lib/libcrypto/man/CMS_sign.3 b/src/lib/libcrypto/man/CMS_sign.3
deleted file mode 100644
index 5261c190a6..0000000000
--- a/src/lib/libcrypto/man/CMS_sign.3
+++ /dev/null
@@ -1,246 +0,0 @@
-.\" $OpenBSD: CMS_sign.3,v 1.11 2024/04/18 16:50:22 tb Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 18 2024 $
-.Dt CMS_SIGN 3
-.Os
-.Sh NAME
-.Nm CMS_sign
-.Nd create a CMS SignedData structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_ContentInfo *
-.Fo CMS_sign
-.Fa "X509 *signcert"
-.Fa "EVP_PKEY *pkey"
-.Fa "STACK_OF(X509) *certs"
-.Fa "BIO *data"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_sign
-creates and returns a CMS
-.Vt SignedData
-structure.
-.Fa signcert
-is the certificate to sign with,
-.Fa pkey
-is the corresponding private key.
-.Fa certs
-is an optional additional set of certificates to include in the CMS
-structure (for example any intermediate CAs in the chain).
-Any or all of these parameters can be
-.Dv NULL .
-.Pp
-The data to be signed is read from
-.Fa data .
-.Pp
-Any of the following flags (OR'ed together) can be passed in the
-.Fa flags
-argument:
-.Bl -tag -width Ds
-.It Dv CMS_TEXT
-Prepend MIME headers for the type text/plain to the data.
-Many S/MIME clients expect the signed content to include valid MIME
-headers.
-.It Dv CMS_NOCERTS
-Do not include the signer's certificate in the
-.Vt CMS_ContentInfo
-structure.
-The signer's certificate must still be supplied in the
-.Fa signcert
-parameter though.
-This can reduce the size of the signature if the signer's certificate can
-be obtained by other means, for example from a previously signed message.
-.It Dv CMS_DETACHED
-Omit the data being signed from the
-.Vt CMS_ContentInfo
-structure.
-This is used for
-.Vt CMS_ContentInfo
-detached signatures which are used in S/MIME plaintext signed messages
-for example.
-.It Dv CMS_BINARY
-Do not translate the supplied content into MIME canonical format
-even though that is required by the S/MIME specifications.
-This option should be used if the supplied data is in binary format.
-Otherwise the translation will corrupt it.
-.It Dv CMS_NOATTR
-Do not add any
-.Vt SignedAttributes .
-By default, the
-.Fa signerInfos
-field includes several CMS
-.Vt SignedAttributes
-including the signing time, the CMS content type,
-and the supported list of ciphers in an
-.Vt SMIMECapabilities
-attribute.
-.It Dv CMS_NOSMIMECAP
-Omit just the
-.Vt SMIMECapabilities .
-If present, the SMIMECapabilities attribute indicates support for the
-following algorithms in preference order: 256-bit AES,
-192-bit AES, 128-bit AES, triple DES, 128-bit RC2, 64-bit
-RC2, DES and 40-bit RC2.
-If any of these algorithms is not available, then it will not be
-included.
-.It Dv CMS_USE_KEYID
-Use the subject key identifier value to identify signing certificates.
-An error occurs if the signing certificate does not have a subject key
-identifier extension.
-By default, issuer name and serial number are used instead.
-.It Dv CMS_STREAM
-Only initialize the returned
-.Vt CMS_ContentInfo
-structure to prepare it for performing the signing operation.
-The signing is however
-.Em not
-performed and the data to be signed is not read from the
-.Fa data
-parameter.
-Signing is deferred until after the data has been written.
-In this way, data can be signed in a single pass.
-The returned
-.Vt CMS_ContentInfo
-structure is
-.Em not
-complete and outputting its contents via a function that does not
-properly finalize the
-.Vt CMS_ContentInfo
-structure will give unpredictable results.
-Several functions including
-.Xr SMIME_write_CMS 3 ,
-.Xr i2d_CMS_bio_stream 3 ,
-or
-.Xr PEM_write_bio_CMS_stream 3
-finalize the structure.
-Alternatively, finalization can be performed by obtaining the streaming
-ASN1
-.Vt BIO
-directly using
-.Xr BIO_new_CMS 3 .
-.It Dv CMS_PARTIAL
-Output a partial
-.Vt CMS_ContentInfo
-structure to which additional signers and capabilities can be
-added before finalization.
-.El
-.Pp
-If a signer is specified, it will use the default digest for the signing
-algorithm.
-This is SHA1 for both RSA and DSA keys.
-.Pp
-If
-.Fa signcert
-and
-.Fa pkey
-are
-.Dv NULL ,
-then a certificates only CMS structure is output.
-.Pp
-The function
-.Fn CMS_sign
-is a basic CMS signing function whose output will be suitable for many
-purposes.
-For finer control of the output format the
-.Fa certs ,
-.Fa signcert
-and
-.Fa pkey
-parameters can all be
-.Dv NULL
-and the
-.Dv CMS_PARTIAL
-flag set.
-Then one or more signers can be added using the function
-.Xr CMS_add1_signer 3 ,
-non default digests can be used and custom attributes added.
-.Xr CMS_final 3
-must then be called to finalize the structure if streaming is not
-enabled.
-.Sh RETURN VALUES
-.Fn CMS_sign
-returns either a valid
-.Vt CMS_ContentInfo
-structure or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_add0_cert 3 ,
-.Xr CMS_add1_signer 3 ,
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_final 3 ,
-.Xr CMS_sign_receipt 3 ,
-.Xr CMS_verify 3
-.Sh STANDARDS
-RFC 5652: Cryptographic Message Syntax (CMS)
-.Bl -dash -compact -offset indent
-.It
-section 5.1: SignedData Type
-.It
-section 5.3: SignerInfo Type
-.El
-.Pp
-RFC 8419: Use of Edwards-Curve Digital Signature Algorithm (EdDSA) Signatures
-in the Cryptographic Message Syntax (CMS)
-.Pp
-RFC 8551: Secure/Multipurpose Internet Mail Extensions (S/MIME)
-Version\ 4.0 Message Specification,
-section 2.5.2: SMIMECapabilities Attribute
-.Sh HISTORY
-.Fn CMS_sign
-first appeared in OpenSSL 0.9.8h
-and has been available since
-.Ox 6.7 .
-.Sh BUGS
-Some attributes such as counter signatures are not supported.
diff --git a/src/lib/libcrypto/man/CMS_sign_receipt.3 b/src/lib/libcrypto/man/CMS_sign_receipt.3
deleted file mode 100644
index 6394957846..0000000000
--- a/src/lib/libcrypto/man/CMS_sign_receipt.3
+++ /dev/null
@@ -1,119 +0,0 @@
-.\" $OpenBSD: CMS_sign_receipt.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 2 2019 $
-.Dt CMS_SIGN_RECEIPT 3
-.Os
-.Sh NAME
-.Nm CMS_sign_receipt
-.Nd create a CMS signed receipt
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_ContentInfo *
-.Fo CMS_sign_receipt
-.Fa "CMS_SignerInfo *si"
-.Fa "X509 *signcert"
-.Fa "EVP_PKEY *pkey"
-.Fa "STACK_OF(X509) *certs"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_sign_receipt
-creates a new CMS
-.Vt SignedData
-structure containing a signed
-.Vt Receipt
-as its embedded content.
-.Fa si
-is the
-.Vt SignerInfo
-structure containing the signed receipt request.
-.Fa signcert
-is the certificate to sign with,
-.Fa pkey
-is the corresponding private key.
-.Fa certs
-is an optional additional set of certificates to include in the CMS
-structure (for example any intermediate CAs in the chain).
-.Pp
-This functions behaves in a similar way to
-.Xr CMS_sign 3
-except that the
-.Fa flags
-values
-.Dv CMS_DETACHED ,
-.Dv CMS_BINARY ,
-.Dv CMS_NOATTR ,
-.Dv CMS_TEXT ,
-and
-.Dv CMS_STREAM
-are not supported since they do not make sense in the context of
-signed receipts.
-.Sh RETURN VALUES
-.Fn CMS_sign_receipt
-returns either a valid
-.Vt CMS_ContentInfo
-structure or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_get1_ReceiptRequest 3 ,
-.Xr CMS_sign 3 ,
-.Xr CMS_verify_receipt 3
-.Sh STANDARDS
-RFC 2634: Enhanced Security Services for S/MIME, section 2.8: Receipt Syntax
-.Sh HISTORY
-.Fn CMS_sign_receipt
-first appeared in OpenSSL 0.9.8h
-and has been available since
-.Ox 6.7 .
diff --git a/src/lib/libcrypto/man/CMS_signed_add1_attr.3 b/src/lib/libcrypto/man/CMS_signed_add1_attr.3
deleted file mode 100644
index 1a50c0b9d1..0000000000
--- a/src/lib/libcrypto/man/CMS_signed_add1_attr.3
+++ /dev/null
@@ -1,360 +0,0 @@
-.\" $OpenBSD: CMS_signed_add1_attr.3,v 1.5 2024/09/02 07:54:21 tb Exp $
-.\"
-.\" Copyright (c) 2024 Job Snijders <job@openbsd.org>
-.\" Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 2 2024 $
-.Dt CMS_SIGNED_ADD1_ATTR 3
-.Os
-.Sh NAME
-.Nm CMS_signed_add1_attr ,
-.Nm CMS_signed_add1_attr_by_NID ,
-.Nm CMS_signed_add1_attr_by_OBJ ,
-.Nm CMS_signed_add1_attr_by_txt ,
-.Nm CMS_signed_delete_attr ,
-.Nm CMS_signed_get0_data_by_OBJ ,
-.Nm CMS_signed_get_attr ,
-.Nm CMS_signed_get_attr_by_NID ,
-.Nm CMS_signed_get_attr_by_OBJ ,
-.Nm CMS_signed_get_attr_count ,
-.Nm CMS_unsigned_add1_attr ,
-.Nm CMS_unsigned_add1_attr_by_NID ,
-.Nm CMS_unsigned_add1_attr_by_OBJ ,
-.Nm CMS_unsigned_add1_attr_by_txt ,
-.Nm CMS_unsigned_delete_attr ,
-.Nm CMS_unsigned_get0_data_by_OBJ ,
-.Nm CMS_unsigned_get_attr ,
-.Nm CMS_unsigned_get_attr_by_NID ,
-.Nm CMS_unsigned_get_attr_by_OBJ ,
-.Nm CMS_unsigned_get_attr_count
-.Nd change signed and unsigned attributes of a CMS SignerInfo object
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo CMS_signed_add1_attr
-.Fa "CMS_SignerInfo *si"
-.Fa "X509_ATTRIBUTE *attr"
-.Fc
-.Ft int
-.Fo CMS_signed_add1_attr_by_NID
-.Fa "CMS_SignerInfo *si"
-.Fa "int nid"
-.Fa "int type"
-.Fa "const void *bytes"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo CMS_signed_add1_attr_by_OBJ
-.Fa "CMS_SignerInfo *si"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "int type"
-.Fa "const void *bytes"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo CMS_signed_add1_attr_by_txt
-.Fa "CMS_SignerInfo *si"
-.Fa "const char *attrname"
-.Fa "int type"
-.Fa "const void *bytes"
-.Fa "int len"
-.Fc
-.Ft "X509_ATTRIBUTE *"
-.Fo CMS_signed_delete_attr
-.Fa "CMS_SignerInfo *si"
-.Fa "int loc"
-.Fc
-.Ft "void *"
-.Fo CMS_signed_get0_data_by_OBJ
-.Fa "CMS_SignerInfo *si"
-.Fa "const ASN1_OBJECT *oid"
-.Fa "int start_after"
-.Fa "int type"
-.Fc
-.Ft "X509_ATTRIBUTE *"
-.Fo CMS_signed_get_attr
-.Fa "const CMS_SignerInfo *si"
-.Fa "int loc"
-.Fc
-.Ft int
-.Fo CMS_signed_get_attr_by_NID
-.Fa "const CMS_SignerInfo *si"
-.Fa "int nid"
-.Fa "int start_after"
-.Fc
-.Ft int
-.Fo CMS_signed_get_attr_by_OBJ
-.Fa "const CMS_SignerInfo *si"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "int start_after"
-.Fc
-.Ft int
-.Fo CMS_signed_get_attr_count
-.Fa "const CMS_SignerInfo *si"
-.Fc
-.Ft int
-.Fo CMS_unsigned_add1_attr
-.Fa "CMS_SignerInfo *si"
-.Fa "X509_ATTRIBUTE *attr"
-.Fc
-.Ft int
-.Fo CMS_unsigned_add1_attr_by_NID
-.Fa "CMS_SignerInfo *si"
-.Fa "int nid"
-.Fa "int type"
-.Fa "const void *bytes"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo CMS_unsigned_add1_attr_by_OBJ
-.Fa "CMS_SignerInfo *si"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "int type"
-.Fa "const void *bytes"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo CMS_unsigned_add1_attr_by_txt
-.Fa "CMS_SignerInfo *si"
-.Fa "const char *attrname"
-.Fa "int type"
-.Fa "const void *bytes"
-.Fa "int len"
-.Fc
-.Ft "X509_ATTRIBUTE *"
-.Fo CMS_unsigned_delete_attr
-.Fa "CMS_SignerInfo *si"
-.Fa "int loc"
-.Fc
-.Ft "void *"
-.Fo CMS_unsigned_get0_data_by_OBJ
-.Fa "CMS_SignerInfo *si"
-.Fa "ASN1_OBJECT *oid"
-.Fa "int start_after"
-.Fa "int type"
-.Fc
-.Ft "X509_ATTRIBUTE *"
-.Fo CMS_unsigned_get_attr
-.Fa "const CMS_SignerInfo *si"
-.Fa "int loc"
-.Fc
-.Ft int
-.Fo CMS_unsigned_get_attr_by_NID
-.Fa "const CMS_SignerInfo *si"
-.Fa "int nid"
-.Fa "int start_after"
-.Fc
-.Ft int
-.Fo CMS_unsigned_get_attr_by_OBJ
-.Fa "const CMS_SignerInfo *si"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "int start_after"
-.Fc
-.Ft int
-.Fo CMS_unsigned_get_attr_count
-.Fa "const CMS_SignerInfo *si"
-.Fc
-.Sh DESCRIPTION
-A
-.Em CMS_SignerInfo
-object has two optional sets of X.501 attributes:
-a set of signed attributes in the
-.Fa signedAttrs
-array and a set of unsigned attributes in the
-.Fa unsignedAttrs
-array.
-The
-.Fn CMS_signed_*
-and
-.Fn CMS_unsigned_*
-functions are similar, except
-.Fn CMS_signed_*
-modifies the
-.Vt CMS_SignerInfo
-object's set of signed attributes and
-.Fn CMS_unsigned_*
-modifies the
-.Vt CMS_SignerInfo
-object's set of unsigned attributes.
-For brevity only the
-.Fn CMS_signed_*
-functions are described below.
-.Pp
-.Fn CMS_signed_add1_attr
-appends a deep copy of
-.Fa attr
-to the
-.Fa signedAttrs
-array of
-.Fa si ,
-allocating a new array if necessary.
-.Pp
-.Fn CMS_signed_add1_attr_by_NID ,
-.Fn CMS_signed_add1_attr_by_OBJ ,
-and
-.Fn CMS_signed_add1_attr_by_txt
-create a new X.501 Attribute object using
-.Xr X509_ATTRIBUTE_create_by_NID 3 ,
-.Xr X509_ATTRIBUTE_create_by_OBJ 3 ,
-or
-.Xr X509_ATTRIBUTE_create_by_txt 3 ,
-respectively,
-and append it to the
-.Fa signedAttrs
-array of
-.Fa si .
-.Pp
-.Fn CMS_signed_delete_attr
-deletes the element with the zero-based
-.Fa loc
-in
-.Fa signedAttrs
-of
-.Fa si .
-.Pp
-.Fn CMS_signed_get0_data_by_OBJ ,
-.Fn CMS_signed_get_attr_by_NID ,
-and
-.Fn CMS_signed_get_attr_by_OBJ
-search the array starting after the index
-.Fa start_after .
-They fail if no matching object is found.
-.Fn CMS_signed_get0_data_by_OBJ
-also fails if the data is not of the requested
-.Fa type .
-.Pp
-Additionally, the
-.Fa start_after
-argument of
-.Fn CMS_signed_get0_data_by_OBJ
-is interpreted in a special way.
-If
-.Fa start_after
-is \-2 or smaller, the function also fails if the
-.Fa signedAttrs
-array of
-.Fa si ,
-contains more than one matching object.
-If
-.Fa start_after
-is \-3 or smaller, it also fails unless the matching object contains exactly
-one value.
-.Pp
-.Fn CMS_signed_get_attr
-returns the array element at the zero-based
-.Fa loc .
-It fails if the
-.Fa loc
-argument is negative or greater than or equal to the number of objects in the
-array.
-.Pp
-.Fn CMS_signed_get_attr_count
-returns the number of objects currently stored in the
-.Fa signedAttrs
-array of
-.Fa si .
-.Sh RETURN VALUES
-.Fn CMS_signed_add1_attr ,
-.Fn CMS_signed_add1_attr_by_NID ,
-.Fn CMS_signed_add1_attr_by_OBJ ,
-.Fn CMS_signed_add1_attr_by_txt ,
-.Fn CMS_unsigned_add1_attr ,
-.Fn CMS_unsigned_add1_attr_by_NID ,
-.Fn CMS_unsigned_add1_attr_by_OBJ ,
-and
-.Fn CMS_unsigned_add1_attr_by_txt
-return 1 for success or 0 if an error occurs.
-.Pp
-.Fn CMS_signed_delete_attr
-returns the deleted element or
-.Dv NULL
-if the
-.Fa signedAttrs
-array is
-.Dv NULL ,
-or if the requested
-.Fa loc
-argument is negative, or greater than or equal to the number of objects in it.
-.Pp
-.Fn CMS_unsigned_delete_attr
-returns the deleted element or
-.Dv NULL
-if the
-.Fa unsignedAttrs
-array is
-.Dv NULL ,
-or if the requested
-.Fa loc
-argument is negative, or greater than or equal to the number of objects in it.
-.Pp
-.Fn CMS_signed_get0_data_by_OBJ
-and
-.Fn CMS_unsigned_get0_data_by_OBJ
-return an internal pointer to the data contained in the value of the first
-object that has an index greater than
-.Fa start_after
-and a type matching
-.Fa type ,
-or NULL on failure.
-.Pp
-.Fn CMS_signed_get_attr
-and
-.Fn CMS_unsigned_get_attr
-return an internal pointer or NULL on failure.
-.Pp
-.Fn CMS_signed_get_attr_by_NID ,
-.Fn CMS_signed_get_attr_by_OBJ ,
-.Fn CMS_unsigned_get_attr_by_NID ,
-and
-.Fn CMS_unsigned_get_attr_by_OBJ
-return the index of the first object in the array that has an index greater than
-.Fa start_after
-and a type matching
-.Fa nid
-or
-.Fa oid ,
-respectively, or \-1 on failure.
-In addition,
-.Fn CMS_signed_get_attr_by_OBJ
-and
-.Fn CMS_unsigned_get_attr_by_OBJ
-return \-2 if
-.Xr OBJ_nid2obj 3
-fails on the requested
-.Fa nid .
-.Pp
-.Fn CMS_signed_get_attr_count
-and
-.Fn CMS_unsigned_get_attr_count
-return the number of array elements or \-1 on failure.
-.Sh SEE ALSO
-.Xr CMS_add1_signer 3 ,
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_get0_SignerInfos 3 ,
-.Xr OBJ_nid2obj 3 ,
-.Xr X509_ATTRIBUTE_create_by_OBJ 3 ,
-.Xr X509_ATTRIBUTE_new 3
-.Sh STANDARDS
-RFC 5652: Cryptographic Message Syntax (CMS)
-.Bl -dash -compact -offset indent
-.It
-section 5.3: SignerInfo Type
-.It
-section 11: Useful Attributes
-.El
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.9 and have been available since
-.Ox 6.6 .
diff --git a/src/lib/libcrypto/man/CMS_uncompress.3 b/src/lib/libcrypto/man/CMS_uncompress.3
deleted file mode 100644
index ed2172521e..0000000000
--- a/src/lib/libcrypto/man/CMS_uncompress.3
+++ /dev/null
@@ -1,115 +0,0 @@
-.\" $OpenBSD: CMS_uncompress.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 2 2019 $
-.Dt CMS_UNCOMPRESS 3
-.Os
-.Sh NAME
-.Nm CMS_uncompress
-.Nd uncompress a CMS CompressedData structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo CMS_uncompress
-.Fa "CMS_ContentInfo *cms"
-.Fa "BIO *dcont"
-.Fa "BIO *out"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_uncompress
-extracts and uncompresses the content of a CMS
-.Vt CompressedData
-structure
-.Fa cms
-and writes it to
-.Fa out .
-.Pp
-In the rare case where the compressed content is detached,
-pass it in via
-.Fa dcont .
-For normal use, set
-.Fa dcont
-to
-.Dv NULL .
-.Pp
-The only currently supported compression algorithm is zlib: if the
-structure indicates the use of any other algorithm, an error is returned.
-If zlib support is not compiled in,
-.Fn CMS_uncompress
-always returns an error.
-.Pp
-If the
-.Dv CMS_TEXT
-bit is set in
-.Fa flags ,
-MIME headers for type text/plain are deleted from the content.
-If the content is not of type text/plain, an error is returned.
-.Sh RETURN VALUES
-.Fn CMS_uncompress
-returns 1 for success or 0 for failure.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_compress 3 ,
-.Xr CMS_ContentInfo_new 3
-.Sh STANDARDS
-RFC 3274: Compressed Data Content Type for Cryptographic Message Syntax (CMS)
-.Sh HISTORY
-.Fn CMS_uncompress
-first appeared in OpenSSL 0.9.8h
-and has been available since
-.Ox 6.7 .
-.Sh BUGS
-The lack of single pass processing and the need to hold all data in
-memory as mentioned in
-.Xr CMS_verify 3
-also applies to
-.Fn CMS_uncompress .
diff --git a/src/lib/libcrypto/man/CMS_verify.3 b/src/lib/libcrypto/man/CMS_verify.3
deleted file mode 100644
index 63f1b8bb18..0000000000
--- a/src/lib/libcrypto/man/CMS_verify.3
+++ /dev/null
@@ -1,230 +0,0 @@
-.\" $OpenBSD: CMS_verify.3,v 1.10 2024/03/29 06:43:12 tb Exp $
-.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 29 2024 $
-.Dt CMS_VERIFY 3
-.Os
-.Sh NAME
-.Nm CMS_verify ,
-.Nm CMS_get0_signers
-.Nd verify a CMS SignedData structure
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo CMS_verify
-.Fa "CMS_ContentInfo *cms"
-.Fa "STACK_OF(X509) *certs"
-.Fa "X509_STORE *store"
-.Fa "BIO *indata"
-.Fa "BIO *out"
-.Fa "unsigned int flags"
-.Fc
-.Ft STACK_OF(X509) *
-.Fo CMS_get0_signers
-.Fa "CMS_ContentInfo *cms"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_verify
-verifies the CMS
-.Vt SignedData
-structure
-.Fa cms .
-.Fa certs
-is a set of certificates in which to search for the signing
-certificate(s).
-.Fa store
-is a trusted certificate store used for chain verification.
-.Fa indata
-is the detached content if the content is not present in
-.Fa cms .
-The content is written to
-.Fa out
-if it is not
-.Dv NULL .
-.Pp
-.Fn CMS_get0_signers
-retrieves the signing certificate(s) from
-.Fa cms .
-It may only be called after a successful
-.Fn CMS_verify
-operation.
-The signers must be freed with
-.Fn sk_X509_free .
-.Pp
-Normally the verify process proceeds as follows.
-.Pp
-Initially some sanity checks are performed on
-.Fa cms .
-There must be at least one signature on the data.
-If the content is detached,
-.Fa indata
-cannot be
-.Dv NULL .
-.Pp
-An attempt is made to locate all the signing certificate(s), first
-looking in the
-.Fa certs
-parameter (if it is not
-.Dv NULL )
-and then looking in any certificates contained in the
-.Fa cms
-structure itself.
-If any signing certificate cannot be located, the operation fails.
-.Pp
-Each signing certificate is chain verified using the
-.Sy smimesign
-purpose and the supplied trusted certificate
-.Fa store .
-Any internal certificates in the message are used as untrusted CAs.
-If CRL checking is enabled in
-.Fa store ,
-any internal CRLs are used in addition to attempting to look them up in
-.Fa store .
-If any chain verify fails, an error code is returned.
-.Pp
-Finally the signed content is read (and written to
-.Fa out
-if it is not
-.Dv NULL )
-and the signature is checked.
-.Pp
-If all signatures verify correctly, then the function is successful.
-.Pp
-Any of the following
-.Fa flags
-(OR'ed together) can be passed to change the default verify behaviour:
-.Bl -tag -width Ds
-.It Dv CMS_NOINTERN
-Do not use the certificates in the message itself when
-locating the signing certificate(s).
-This means that all the signing certificates must be in the
-.Fa certs
-parameter.
-.It Dv CMS_NOCRL
-If CRL checking is enabled in
-.Fa store ,
-then any CRLs in the message itself are ignored.
-.It Dv CMS_TEXT
-MIME headers for type text/plain are deleted from the content.
-If the content is not of type text/plain, an error is returned.
-.It Dv CMS_NO_SIGNER_CERT_VERIFY
-Do not verify signing certificates.
-.It Dv CMS_NO_ATTR_VERIFY
-Do not check the signed attributes signature.
-.It Dv CMS_NO_CONTENT_VERIFY
-Do not check the content digest.
-.El
-.Pp
-One application of
-.Dv CMS_NOINTERN
-is to only accept messages signed by a small number of certificates.
-The acceptable certificates would be passed in the
-.Fa certs
-parameter.
-In this case, if the signer is not one of the certificates supplied in
-.Fa certs ,
-then the verify will fail because the signer cannot be found.
-.Pp
-In some cases the standard techniques for looking up and validating
-certificates are not appropriate: for example an application may wish to
-lookup certificates in a database or perform customised verification.
-This can be achieved by setting and verifying the signers certificates
-manually using the signed data utility functions.
-.Pp
-Care should be taken when modifying the default verify behaviour, for
-example setting
-.Dv CMS_NO_CONTENT_VERIFY
-will totally disable all content verification and any modified content
-will be considered valid.
-This combination is however useful if one merely wishes to write the
-content to
-.Fa out
-and its validity is not considered important.
-.Pp
-Chain verification should arguably be performed using the signing time
-rather than the current time.
-However since the signing time is supplied by the signer it cannot be
-trusted without additional evidence (such as a trusted timestamp).
-.Sh RETURN VALUES
-.Fn CMS_verify
-returns 1 for a successful verification or 0 if an error occurred.
-.Pp
-.Fn CMS_get0_signers
-returns all signers or
-.Dv NULL
-if an error occurred.
-The signers must be freed with
-.Fn sk_X509_free .
-.Pp
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_get0_SignerInfos 3 ,
-.Xr CMS_sign 3 ,
-.Xr CMS_verify_receipt 3
-.Sh STANDARDS
-RFC 5652: Cryptographic Message Syntax (CMS),
-section 5.1: SignedData Type
-.Pp
-RFC 8419: Use of Edwards-Curve Digital Signature Algorithm (EdDSA) Signatures
-in the Cryptographic Message Syntax (CMS)
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8h
-and have been available since
-.Ox 6.7 .
-.Sh BUGS
-The trusted certificate store is not searched for the signing certificate.
-This is primarily due to the inadequacies of the current
-.Vt X509_STORE
-functionality.
-.Pp
-The lack of single pass processing means that the signed content must
-all be held in memory if it is not detached.
diff --git a/src/lib/libcrypto/man/CMS_verify_receipt.3 b/src/lib/libcrypto/man/CMS_verify_receipt.3
deleted file mode 100644
index ac50087a4c..0000000000
--- a/src/lib/libcrypto/man/CMS_verify_receipt.3
+++ /dev/null
@@ -1,110 +0,0 @@
-.\" $OpenBSD: CMS_verify_receipt.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 2 2019 $
-.Dt CMS_VERIFY_RECEIPT 3
-.Os
-.Sh NAME
-.Nm CMS_verify_receipt
-.Nd verify a CMS signed receipt
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo CMS_verify_receipt
-.Fa "CMS_ContentInfo *rcms"
-.Fa "CMS_ContentInfo *ocms"
-.Fa "STACK_OF(X509) *certs"
-.Fa "X509_STORE *store"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn CMS_verify_receipt
-verifies a CMS signed receipt.
-.Fa rcms
-is the signed receipt to verify.
-.Fa ocms
-is the original
-.Vt SignedData
-structure containing the receipt request.
-.Fa certs
-is a set of certificates in which to search for the signing certificate.
-.Fa store
-is a trusted certificate store (used for chain verification).
-.Pp
-This functions behaves in a similar way to
-.Xr CMS_verify 3
-except that the
-.Fa flags
-values
-.Dv CMS_DETACHED ,
-.Dv CMS_BINARY ,
-.Dv CMS_TEXT ,
-and
-.Dv CMS_STREAM
-are not supported since they do not make sense in the context of signed
-receipts.
-.Sh RETURN VALUES
-.Fn CMS_verify_receipt
-returns 1 for a successful verification or 0 if an error occurred.
-.Pp
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_get1_ReceiptRequest 3 ,
-.Xr CMS_sign_receipt 3 ,
-.Xr CMS_verify 3
-.Sh STANDARDS
-RFC 2634: Enhanced Security Services for S/MIME, section 2.8: Receipt Syntax
-.Sh HISTORY
-.Fn CMS_verify_receipt
-first appeared in OpenSSL 0.9.8h
-and has been available since
-.Ox 6.7 .
diff --git a/src/lib/libcrypto/man/CONF_modules_free.3 b/src/lib/libcrypto/man/CONF_modules_free.3
deleted file mode 100644
index c5fb840942..0000000000
--- a/src/lib/libcrypto/man/CONF_modules_free.3
+++ /dev/null
@@ -1,100 +0,0 @@
-.\"     $OpenBSD: CONF_modules_free.3,v 1.6 2023/07/21 10:46:54 tb Exp $
-.\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2004, 2006 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 21 2023 $
-.Dt CONF_MODULES_FREE 3
-.Os
-.Sh NAME
-.Nm CONF_modules_free ,
-.Nm CONF_modules_finish ,
-.Nm CONF_modules_unload
-.Nd OpenSSL configuration cleanup functions
-.Sh SYNOPSIS
-.In openssl/conf.h
-.Ft void
-.Fo CONF_modules_free
-.Fa void
-.Fc
-.Ft void
-.Fo CONF_modules_finish
-.Fa void
-.Fc
-.Ft void
-.Fo CONF_modules_unload
-.Fa "int all"
-.Fc
-.Sh DESCRIPTION
-.Fn CONF_modules_free
-closes down and frees up all memory allocated by all configuration
-modules.
-Normally applications will only call this function
-at application exit to tidy up any configuration performed.
-.Pp
-.Fn CONF_modules_finish
-calls the configuration
-.Sy finish
-handler of each configuration module to free up any configuration
-that module may have performed.
-.Pp
-.Fn CONF_modules_unload
-finishes and unloads configuration modules.
-If
-.Fa all
-is set to 1, the builtin modules will be unloaded as well.
-.Sh SEE ALSO
-.Xr CONF_modules_load_file 3 ,
-.Xr OPENSSL_config 3
-.Sh HISTORY
-.Fn CONF_modules_free ,
-.Fn CONF_modules_finish ,
-and
-.Fn CONF_modules_unload
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/CONF_modules_load_file.3 b/src/lib/libcrypto/man/CONF_modules_load_file.3
deleted file mode 100644
index d1bcd49a38..0000000000
--- a/src/lib/libcrypto/man/CONF_modules_load_file.3
+++ /dev/null
@@ -1,282 +0,0 @@
-.\" $OpenBSD: CONF_modules_load_file.3,v 1.14 2023/11/19 20:58:07 tb Exp $
-.\" full merge up to: e9b77246 Jan 20 19:58:49 2017 +0100
-.\" selective merge up to: d090fc00 Feb 26 13:11:10 2019 +0800
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 19 2023 $
-.Dt CONF_MODULES_LOAD_FILE 3
-.Os
-.Sh NAME
-.Nm CONF_modules_load_file ,
-.Nm CONF_modules_load ,
-.Nm X509_get_default_cert_area
-.Nd OpenSSL configuration functions
-.Sh SYNOPSIS
-.In openssl/conf.h
-.Ft int
-.Fo CONF_modules_load_file
-.Fa "const char *filename"
-.Fa "const char *appname"
-.Fa "unsigned long flags"
-.Fc
-.Ft int
-.Fo CONF_modules_load
-.Fa "const CONF *cnf"
-.Fa "const char *appname"
-.Fa "unsigned long flags"
-.Fc
-.In openssl/x509.h
-.Ft const char *
-.Fn X509_get_default_cert_area void
-.Sh DESCRIPTION
-The function
-.Fn CONF_modules_load_file
-configures OpenSSL using the file
-.Fa filename
-in
-.Xr openssl.cnf 5
-format and the application name
-.Fa appname .
-If
-.Fa filename
-is
-.Dv NULL ,
-the standard OpenSSL configuration file
-.Pa /etc/ssl/openssl.cnf
-is used.
-If
-.Fa appname
-is
-.Dv NULL ,
-the standard OpenSSL application name
-.Qq openssl_conf
-is used.
-The behaviour can be customized using
-.Fa flags .
-.Pp
-See the
-.Sx EXAMPLES
-section for additional functions that may need to be called.
-Calling configuration functions in the right order for the intended
-effect can be tricky because many configuration functions internally
-call each other.
-.Pp
-.Fn CONF_modules_load
-is identical to
-.Fn CONF_modules_load_file
-except it reads configuration information from
-.Fa cnf .
-.Pp
-The following
-.Fa flags
-are currently recognized:
-.Bl -tag -width Ds
-.It Dv CONF_MFLAGS_IGNORE_ERRORS
-Ignore errors returned by individual configuration modules.
-By default, the first module error is considered fatal and no further
-modules are loaded.
-.It Dv CONF_MFLAGS_SILENT
-Do not add any error information.
-By default, all module errors add error information to the error queue.
-.It Dv CONF_MFLAGS_NO_DSO
-Disable loading of configuration modules from DSOs.
-This flag is provided for compatibility and has no effect.
-.It Dv CONF_MFLAGS_IGNORE_MISSING_FILE
-Let
-.Fn CONF_modules_load_file
-ignore missing configuration files.
-By default, a missing configuration file returns an error.
-.It CONF_MFLAGS_DEFAULT_SECTION
-If
-.Fa appname
-is not
-.Dv NULL
-but does not exist, fall back to the default section
-.Qq openssl_conf .
-.El
-.Pp
-By using
-.Fn CONF_modules_load_file
-with appropriate flags, an application can customise application
-configuration to best suit its needs.
-In some cases the use of a configuration file is optional and its
-absence is not an error: in this case
-.Dv CONF_MFLAGS_IGNORE_MISSING_FILE
-would be set.
-.Pp
-Errors during configuration may also be handled differently by
-different applications.
-For example in some cases an error may simply print out a warning
-message and the application may continue.
-In other cases an application might consider a configuration file
-error fatal and exit immediately.
-.Pp
-Applications can use the
-.Fn CONF_modules_load
-function if they wish to load a configuration file themselves and
-have finer control over how errors are treated.
-.Sh RETURN VALUES
-.Fn CONF_modules_load_file
-and
-.Fn CONF_modules_load
-return 1 for success and zero or a negative value for failure.
-If module errors are not ignored, the return code will reflect the return
-value of the failing module (this will always be zero or negative).
-.Pp
-.Fn X509_get_default_cert_area
-returns a pointer to the constant string
-.Qq "/etc/ssl" .
-.Sh FILES
-.Bl -tag -width /etc/ssl/openssl.cnf -compact
-.It Pa /etc/ssl
-standard configuration directory
-.It Pa /etc/ssl/openssl.cnf
-standard configuration file
-.El
-.Sh EXAMPLES
-Load a configuration file and print out any errors and exit (missing
-file considered fatal):
-.Bd -literal
-if (CONF_modules_load_file(NULL, NULL, 0) <= 0) {
-        fprintf(stderr, "FATAL: error loading configuration file\en");
-        ERR_print_errors_fp(stderr);
-        exit(1);
-}
-.Ed
-.Pp
-Load default configuration file using the section indicated
-by "myapp", tolerate missing files, but exit on other errors:
-.Bd -literal
-if (CONF_modules_load_file(NULL, "myapp",
-    CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
-        fprintf(stderr, "FATAL: error loading configuration file\en");
-        ERR_print_errors_fp(stderr);
-        exit(1);
-}
-.Ed
-.Pp
-Load custom configuration file and section instead of the standard one,
-only print warnings on error, missing configuration file ignored:
-.Bd -literal
-OPENSSL_no_config();
-OPENSSL_load_builtin_modules();
-if (CONF_modules_load_file("/something/app.cnf", "myapp",
-    CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
-        fprintf(stderr, "WARNING: error loading configuration file\en");
-        ERR_print_errors_fp(stderr);
-}
-.Ed
-.Pp
-In the previous example, the call to
-.Xr OPENSSL_no_config 3
-is required first to suppress automatic loading
-of the standard configuration file, and the call to
-.Xr OPENSSL_load_builtin_modules 3
-is needed so that the configuration of builtin modules
-is loaded in addition to the configuration of
-.Qq myapp .
-.Pp
-Load and parse configuration file manually, custom error handling:
-.Bd -literal
-FILE    *fp;
-CONF    *cnf = NULL;
-long     eline;
-
-fp = fopen("/somepath/app.cnf", "r");
-if (fp == NULL) {
-        fprintf(stderr, "Error opening configuration file\en");
-        /* Other missing configuration file behaviour */
-} else {
-        cnf = NCONF_new(NULL);
-        if (NCONF_load_fp(cnf, fp, &eline) == 0) {
-                fprintf(stderr, "Error on line %ld of configuration file\en",
-                    eline);
-                ERR_print_errors_fp(stderr);
-                /* Other malformed configuration file behaviour */
-        } else if (CONF_modules_load(cnf, "appname", 0) <= 0) {
-                fprintf(stderr, "Error configuring application\en");
-                ERR_print_errors_fp(stderr);
-                /* Other configuration error behaviour */
-        }
-        fclose(fp);
-        NCONF_free(cnf);
-}
-.Ed
-.Sh SEE ALSO
-.Xr CONF_modules_free 3 ,
-.Xr ERR 3 ,
-.Xr OPENSSL_config 3 ,
-.Xr OPENSSL_load_builtin_modules 3
-.Sh HISTORY
-.Fn X509_get_default_cert_area
-first appeared in SSLeay 0.4.1 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn CONF_modules_load_file
-and
-.Fn CONF_modules_load
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/CRYPTO_lock.3 b/src/lib/libcrypto/man/CRYPTO_lock.3
deleted file mode 100644
index afc5eb54c5..0000000000
--- a/src/lib/libcrypto/man/CRYPTO_lock.3
+++ /dev/null
@@ -1,121 +0,0 @@
-.\"     $OpenBSD: CRYPTO_lock.3,v 1.3 2024/03/14 22:09:40 tb Exp $
-.\"     OpenSSL doc/crypto/threads.pod fb552ac6 Sep 30 23:43:01 2009 +0000
-.\"
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 14 2024 $
-.Dt CRYPTO_LOCK 3
-.Os
-.Sh NAME
-.Nm CRYPTO_lock ,
-.Nm CRYPTO_w_lock ,
-.Nm CRYPTO_w_unlock ,
-.Nm CRYPTO_r_lock ,
-.Nm CRYPTO_r_unlock ,
-.Nm CRYPTO_add
-.Nd thread support
-.Sh SYNOPSIS
-.In openssl/crypto.h
-.Ft void
-.Fo CRYPTO_lock
-.Fa "int mode"
-.Fa "int type"
-.Fa "const char *file"
-.Fa "int line"
-.Fc
-.Ft int
-.Fo CRYPTO_add
-.Fa "int *p"
-.Fa "int amount"
-.Fa "int type"
-.Fc
-.Bd -literal
-#define CRYPTO_w_lock(type) \e
-        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE, type, __FILE__, __LINE__)
-#define CRYPTO_w_unlock(type) \e
-        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE, type, __FILE__, __LINE__)
-#define CRYPTO_r_lock(type) \e
-        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ, type, __FILE__, __LINE__)
-#define CRYPTO_r_unlock(type) \e
-        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ, type, __FILE__, __LINE__)
-.Ed
-.Sh DESCRIPTION
-These functions are obsolete.
-.Pp
-.Fn CRYPTO_lock
-locks or unlocks a mutex lock.
-.Pp
-.Fa mode
-is a bitfield describing what should be done with the lock.
-For each call, either
-.Dv CRYPTO_LOCK
-or
-.Dv CRYPTO_UNLOCK
-must be included.
-In the LibreSSL implementation,
-.Dv CRYPTO_READ
-and
-.Dv CRYPTO_WRITE
-are ignored.
-.Pp
-.Fa type
-is a number in the range 0 <=
-.Fa type No < Dv CRYPTO_NUM_LOCKS
-identifying a particular lock.
-Currently, the value of
-.Dv CRYPTO_NUM_LOCKS
-is 41.
-.Pp
-The
-.Ar file
-and
-.Ar line
-arguments are ignored.
-.Pp
-In the LibreSSL implementation,
-.Fn CRYPTO_lock
-is a wrapper around
-.Xr pthread_mutex_lock 3
-and
-.Xr pthread_mutex_unlock 3 .
-.Pp
-.Fn CRYPTO_add
-locks the lock number
-.Fa type ,
-adds
-.Fa amount
-to
-.Pf * Fa p ,
-and unlocks the lock number
-.Fa type
-again.
-.Sh RETURN VALUES
-.Fn CRYPTO_add
-returns the new value of
-.Pf * Fa p .
-.Sh SEE ALSO
-.Xr crypto 3
-.Sh HISTORY
-.Fn CRYPTO_lock ,
-.Fn CRYPTO_w_lock ,
-.Fn CRYPTO_w_unlock ,
-.Fn CRYPTO_r_lock ,
-and
-.Fn CRYPTO_r_unlock
-first appeared in SSLeay 0.6.0.
-.Fn CRYPTO_add
-first appeared in SSLeay 0.6.2.
-These functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/CRYPTO_memcmp.3 b/src/lib/libcrypto/man/CRYPTO_memcmp.3
deleted file mode 100644
index cbc0030c55..0000000000
--- a/src/lib/libcrypto/man/CRYPTO_memcmp.3
+++ /dev/null
@@ -1,95 +0,0 @@
-.\" $OpenBSD: CRYPTO_memcmp.3,v 1.1 2019/08/25 06:20:22 schwarze Exp $
-.\" full merge up to: OpenSSL 1075139c Jun 24 09:18:48 2019 +1000
-.\"
-.\" This file was written by Pauli <paul.dale@oracle.com>.
-.\" Copyright (c) 2019 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 25 2019 $
-.Dt CRYPTO_MEMCMP 3
-.Os
-.Sh NAME
-.Nm CRYPTO_memcmp
-.Nd constant time memory comparison
-.Sh SYNOPSIS
-.In openssl/crypto.h
-.Ft int
-.Fo CRYPTO_memcmp
-.Fa "const void *a"
-.Fa "const void *b"
-.Fa "size_t len"
-.Fc
-.Sh DESCRIPTION
-.Fn CRYPTO_memcmp
-compares the
-.Fa len
-bytes pointed to by
-.Fa a
-and
-.Fa b
-for equality.
-It takes an amount of time dependent on
-.Fa len ,
-but independent of the contents of the memory regions pointed to by
-.Fa a
-and
-.Fa b .
-.Sh RETURN VALUES
-.Fn CRYPTO_memcmp
-returns 0 if the content of the memory regions is equal
-or non-zero otherwise.
-.Sh HISTORY
-.Fn CRYPTO_memcmp
-first appeared in OpenSSL 1.0.1d and has been available since
-.Ox 5.6 .
-.Sh BUGS
-Unlike
-.Xr memcmp 3
-and
-.Xr timingsafe_memcmp 3 ,
-this function cannot be used to order the two memory regions.
-In the current implementation, the return value is always greater
-than or equal to 0.
diff --git a/src/lib/libcrypto/man/CRYPTO_set_ex_data.3 b/src/lib/libcrypto/man/CRYPTO_set_ex_data.3
deleted file mode 100644
index c22fb22352..0000000000
--- a/src/lib/libcrypto/man/CRYPTO_set_ex_data.3
+++ /dev/null
@@ -1,564 +0,0 @@
-.\" $OpenBSD: CRYPTO_set_ex_data.3,v 1.15 2023/09/18 14:49:43 schwarze Exp $
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 18 2023 $
-.Dt CRYPTO_SET_EX_DATA 3
-.Os
-.Sh NAME
-.Nm CRYPTO_get_ex_new_index ,
-.Nm CRYPTO_EX_new ,
-.Nm CRYPTO_EX_free ,
-.Nm CRYPTO_EX_dup ,
-.Nm CRYPTO_new_ex_data ,
-.Nm CRYPTO_set_ex_data ,
-.Nm CRYPTO_get_ex_data ,
-.Nm CRYPTO_free_ex_data
-.Nd low-level functions for application specific data
-.Sh SYNOPSIS
-.In openssl/crypto.h
-.Ft int
-.Fo CRYPTO_get_ex_new_index
-.Fa "int class_index"
-.Fa "long argl"
-.Fa "void *argp"
-.Fa "CRYPTO_EX_new *new_func"
-.Fa "CRYPTO_EX_dup *dup_func"
-.Fa "CRYPTO_EX_free *free_func"
-.Fc
-.Ft typedef int
-.Fo CRYPTO_EX_new
-.Fa "void *parent"
-.Fa "void *data"
-.Fa "CRYPTO_EX_DATA *ad"
-.Fa "int idx"
-.Fa "long argl"
-.Fa "void *argp"
-.Fc
-.Ft typedef void
-.Fo CRYPTO_EX_free
-.Fa "void *parent"
-.Fa "void *data"
-.Fa "CRYPTO_EX_DATA *ad"
-.Fa "int idx"
-.Fa "long argl"
-.Fa "void *argp"
-.Fc
-.Ft typedef int
-.Fo CRYPTO_EX_dup
-.Fa "CRYPTO_EX_DATA *to"
-.Fa "const CRYPTO_EX_DATA *from"
-.Fa "void *datap"
-.Fa "int idx"
-.Fa "long argl"
-.Fa "void *argp"
-.Fc
-.Ft int
-.Fo CRYPTO_new_ex_data
-.Fa "int class_index"
-.Fa "void *parent"
-.Fa "CRYPTO_EX_DATA *ad"
-.Fc
-.Ft int
-.Fo CRYPTO_set_ex_data
-.Fa "CRYPTO_EX_DATA *ad"
-.Fa "int idx"
-.Fa "void *data"
-.Fc
-.Ft void *
-.Fo CRYPTO_get_ex_data
-.Fa "CRYPTO_EX_DATA *ad"
-.Fa "int idx"
-.Fc
-.Ft void
-.Fo CRYPTO_free_ex_data
-.Fa "int class_index"
-.Fa "void *parent"
-.Fa "CRYPTO_EX_DATA *ad"
-.Fc
-.Sh DESCRIPTION
-The library implements the functions documented in the
-.Xr RSA_get_ex_new_index 3
-manual page and similar functions for other parent object types
-using the functions documented in the present manual page.
-Application programs almost never need
-to call the functions documented here directly.
-.Pp
-.Fn CRYPTO_get_ex_new_index
-behaves in the same way as
-.Xr RSA_get_ex_new_index 3
-except that the parent object type that the new
-.Fa idx
-is reserved for is not part of the function name
-but instead specified by the additional
-.Fa class_index
-argument receiving one of the
-.Dv CRYPTO_EX_INDEX_*
-constants defined in
-.In openssl/crypto.h .
-The recommendation given in
-.Xr RSA_get_ex_new_index 3
-to set the
-.Fa argl
-argument to 0 and the last four arguments all to
-.Dv NULL
-applies.
-The library passes the
-.Fa argl
-and
-.Fa argp
-arguments through to the callback functions for the respective
-.Fa idx ,
-but ignores them otherwise.
-.Pp
-If a function pointer is passed for the
-.Fa new_func
-argument, that function is called for the returned
-.Fa idx
-whenever a new parent object is allocated with
-.Xr RSA_new 3
-or a similar function.
-.Pp
-If a function pointer is passed for the
-.Fa free_func
-argument, that function is called for the returned
-.Fa idx
-when a parent object is freed with
-.Xr RSA_free 3
-or a similar function.
-.Pp
-The arguments of
-.Fa new_func
-and
-.Fa free_func
-are as follows:
-.Pp
-.Bl -tag -width Ds -compact
-.It Fa parent
-the parent object that contains the
-.Fa data
-.It Fa data
-the
-.Fa data
-previously set by
-.Fn CRYPTO_set_ex_data
-at
-.Fa idx
-in
-.Fa parent
-.It Fa ad
-the
-.Vt CRYPTO_EX_DATA
-subobject of the
-.Fa parent
-object
-.It Fa idx
-return value of
-.Fn CRYPTO_get_ex_new_index
-that set this callback
-.It Fa argl
-the
-.Fa argl
-passed to
-.Fn CRYPTO_get_ex_new_index
-for this
-.Fa idx
-.It Fa argp
-the
-.Fa argp
-passed to
-.Fn CRYPTO_get_ex_new_index
-for this
-.Fa idx
-.El
-.Pp
-If a function pointer is passed for the
-.Fa dup_func ,
-that function is supposed to be called for the returned
-.Fa idx
-whenever a parent object of the respective type is copied.
-Actually, the only functions doing that are
-.Xr BIO_dup_chain 3 ,
-.Xr EC_KEY_copy 3 ,
-and
-.Xr SSL_dup 3 ,
-and the TLS 1.3 network stack does it internally when duplicating a
-.Vt SSL_SESSION
-object after receiving a new session ticket message.
-Most other object types supporting ex_data do not support
-copying in the first place, whereas
-.Xr DSA_dup_DH 3
-and
-.Xr X509_dup 3
-simply ignore
-.Fa dup_func .
-.Pp
-The arguments of
-.Fa dup_func
-are as follows:
-.Pp
-.Bl -tag -width Ds -compact
-.It Fa to
-the
-.Vt CRYPTO_EX_DATA
-subobject of the new parent object
-.It Fa from
-the
-.Vt CRYPTO_EX_DATA
-subobject of the original parent object
-.It Fa datap
-a pointer to a copy of the pointer to the original ex_data
-.It Fa idx
-return value of
-.Fn CRYPTO_get_ex_new_index
-that set this callback
-.It Fa argl
-the
-.Fa argl
-passed to
-.Fn CRYPTO_get_ex_new_index
-for this
-.Fa idx
-.It Fa argp
-the
-.Fa argp
-passed to
-.Fn CRYPTO_get_ex_new_index
-for this
-.Fa idx
-.El
-.Pp
-Inside
-.Fa dup_func ,
-the
-.Fa data
-pointer contained in the original parent object being copied
-can be accessed by casting and dereferencing
-.Fa datap ,
-for example:
-.Pp
-.Dl char *orig_data = *(char **)datap;
-.Pp
-If the original data is copied, for example in a manner similar to
-.Bd -literal -offset indent
-char *new_data;
-if ((new_data = strdup(orig_data)) == NULL)
-        return 0;
-.Ed
-.Pp
-then the pointer to the newly allocated memory needs to be passed
-back to the caller in the
-.Fa datap
-argument, for example:
-.Bd -literal -offset indent
-*(char **)datap = new_data;
-return 1;
-.Ed
-.Pp
-Calling
-.Fn CRYPTO_set_ex_data to idx new_data
-from inside
-.Fa dup_func
-has no effect because the code calling
-.Fa dup_func
-unconditionally calls
-.Fn CRYPTO_set_ex_data to idx *datap
-after
-.Fa dup_func
-returns successfully.
-Consequently, if
-.Fa dup_func
-does not change
-.Pf * Fa datap ,
-the new parent object ends up containing a pointer to the same memory
-as the original parent object and any memory allocated in
-.Fa dup_func
-is leaked.
-.Pp
-When multiple callback functions are called,
-they are called in increasing order of their
-.Fa idx
-value.
-.Pp
-.Fn CRYPTO_new_ex_data
-is an internal function that initializes the
-.Fa ad
-subobject of the
-.Fa parent
-object, with the type of the parent object specified by the
-.Fa class_index
-argument.
-Initialization includes calling the respective
-.Fa new_func
-callbacks for all reserved
-.Fa idx
-values that have such callbacks configured.
-Despite its name,
-.Fn CRYPTO_new_ex_data
-does not create a new object but requires that
-.Fa ad
-points to an already allocated but still uninitialized object.
-.Pp
-.Fn CRYPTO_set_ex_data
-and
-.Fn CRYPTO_get_ex_data
-behave in the same way as
-.Xr RSA_set_ex_data 3
-and
-.Xr RSA_get_ex_data 3 ,
-respectively, except that they do not accept a pointer
-to the parent object but instead require a pointer to the
-.Vt CRYPTO_EX_DATA
-subobject of that parent object.
-.Pp
-.Fn CRYPTO_free_ex_data
-is an internal function that frees any memory used inside the
-.Fa ad
-subobject of the
-.Fa parent
-object, with the type of the parent object specified by the
-.Fa class_index
-argument.
-This includes calling the respective
-.Fa free_func
-callbacks for all reserved
-.Fa idx
-values that have such callbacks configured.
-Despite its name,
-.Fn CRYPTO_free_ex_data
-does not free
-.Fa ad
-itself.
-.Sh RETURN VALUES
-.Fn CRYPTO_get_ex_new_index
-returns a new index equal to or greater than 1
-or \-1 if memory allocation fails.
-.Pp
-.Fn CRYPTO_EX_new
-and
-.Fn CRYPTO_EX_dup
-functions are supposed to return 1 on success or 0 on failure.
-.Pp
-.Fn CRYPTO_new_ex_data
-and
-.Fn CRYPTO_set_ex_data
-return 1 on success or 0 if memory allocation fails.
-.Pp
-.Fn CRYPTO_get_ex_data
-returns the application specific data or
-.Dv NULL
-if the parent object that contains
-.Fa ad
-does not contain application specific data at the given
-.Fa idx .
-.Sh ERRORS
-After failure of
-.Fn CRYPTO_get_ex_new_index ,
-.Fn CRYPTO_new_ex_data ,
-or
-.Fn CRYPTO_set_ex_data ,
-the following diagnostic can be retrieved with
-.Xr ERR_get_error 3 ,
-.Xr ERR_GET_REASON 3 ,
-and
-.Xr ERR_reason_error_string 3 :
-.Bl -tag -width Ds
-.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
-Memory allocation failed.
-.El
-.Pp
-In a few unusual failure cases,
-.Xr ERR_get_error 3
-may report different errors caused by
-.Xr OPENSSL_init_crypto 3
-or even none at all.
-.Pp
-Even though it cannot indicate failure,
-.Fn CRYPTO_free_ex_data
-may occasionally also set an error code that can be retrieved with
-.Xr ERR_get_error 3 .
-.Pp
-.Fn CRYPTO_get_ex_data
-does not distinguish success from failure.
-Consequently, after
-.Fn CRYPTO_get_ex_data
-returns
-.Dv NULL ,
-.Xr ERR_get_error 3
-returns 0 unless there is still an earlier error in the queue.
-.Sh SEE ALSO
-.Xr BIO_get_ex_new_index 3 ,
-.Xr DH_get_ex_new_index 3 ,
-.Xr DSA_get_ex_new_index 3 ,
-.Xr RSA_get_ex_new_index 3 ,
-.Xr SSL_CTX_get_ex_new_index 3 ,
-.Xr SSL_get_ex_new_index 3 ,
-.Xr SSL_SESSION_get_ex_new_index 3 ,
-.Xr X509_STORE_CTX_get_ex_new_index 3 ,
-.Xr X509_STORE_get_ex_new_index 3
-.Sh HISTORY
-.Fn CRYPTO_get_ex_new_index ,
-.Fn CRYPTO_new_ex_data ,
-.Fn CRYPTO_set_ex_data ,
-.Fn CRYPTO_get_ex_data ,
-and
-.Fn CRYPTO_free_ex_data
-first appeared in SSLeay 0.9.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn CRYPTO_EX_new ,
-.Fn CRYPTO_EX_free ,
-and
-.Fn CRYPTO_EX_dup
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Sh CAVEATS
-If an program installs callback functions, the last call to
-.Fn CRYPTO_get_ex_new_index
-installing a function of a certain type for a certain
-.Fa class_index
-needs to be complete before the first object of that
-.Fa class_index
-can be created, freed, or copied, respectively.
-Otherwise, incomplete initialization or cleanup will result.
-.Pp
-At the time
-.Fa new_func
-is called, the
-.Fa parent
-object is only partially initialized,
-so trying to access any data in it is strongly discouraged.
-The
-.Fa data
-argument is typically
-.Dv NULL
-in
-.Fa new_func .
-.Pp
-At the time
-.Fa free_func
-is called, the
-.Fa parent
-object is already mostly deconstructed
-and part of its content may have been cleared and freed.
-Consequently, trying to access any data in
-.Fa parent
-is strongly discouraged.
-According to the OpenSSL API documentation, the library code calling
-.Fa free_func
-would even be permitted to pass a
-.Dv NULL
-pointer for the
-.Fa parent
-argument.
-.Pp
-.Fn CRYPTO_set_ex_data
-and
-.Fn CRYPTO_get_ex_data
-cannot reasonably be used outside the callback functions
-because no API function provides access to any pointers of the type
-.Vt CRYPTO_EX_DATA * .
-.Pp
-Inside
-.Fa new_func ,
-calling
-.Fn CRYPTO_get_ex_data
-makes no sense because it always returns
-.Dv NULL ,
-and calling
-.Fn CRYPTO_set_ex_data
-makes no sense because
-.Fa new_func
-does not have access to any meaningful
-.Fa data
-it could store, and the absence of application specific data at any given
-.Fa idx
-is already sufficiently indicated by the default return value
-.Dv NULL
-of
-.Fn CRYPTO_get_ex_data ,
-.Xr RSA_get_ex_data 3 ,
-and similar functions.
-.Pp
-Inside
-.Fa free_func ,
-calling
-.Fn CRYPTO_get_ex_data
-makes no sense because the return value is already available in
-.Fa data ,
-and calling
-.Fn CRYPTO_set_ex_data
-makes no sense because the parent object, including any ex_data
-contained in it, is already being deconstructed and will no longer
-exist by the time application code regains control.
-.Pp
-Inside
-.Fa dup_func ,
-calling
-.Fn CRYPTO_get_ex_data
-makes no sense because the return value for
-.Fa from
-is already available as
-.Pf * Fa datap ,
-and the return value for
-.Fa to
-is
-.Dv NULL .
-Calling
-.Fn CRYPTO_set_ex_data
-makes no sense because changing
-.Fa from
-would cause an undesirable side effect in this context
-and trying to change
-.Fa to
-is ineffective as explained above.
-.Pp
-Consequently, application code can never use
-.Fn CRYPTO_set_ex_data
-or
-.Fn CRYPTO_get_ex_data
-in a meaningful way.
-.Pp
-The fact that the functions documented in the present manual page
-are part of the public API might create the impression
-that application programs could add ex_data support
-to additional object types not offering it by default.
-However, for built-in object types not offering ex_support, this
-is not possible because such objects do not contain the required
-.Vt CRYPTO_EX_DATA
-subobject.
-.Pp
-It is theoretically possible to add ex_data support to an
-application-defined object type by adding a
-.Vt CRYPTO_EX_DATA
-field to the struct declaration, a call to
-.Fn CRYPTO_new_ex_data
-to the object constructor, and a call to
-.Fn CRYPTO_free_ex_data
-to the object destructor.
-The OpenSSL documentation mentions that the constant
-.Dv CRYPTO_EX_INDEX_APP
-is reserved for this very purpose.
-However, doing this would hardly be useful.
-It is much more straightforward to just add
-all the required data fields to the struct declaration itself.
-.Sh BUGS
-If
-.Fa new_func
-or
-.Fa dup_func
-fails, the failure is silently ignored by the library, potentially
-resulting in an incompletely initialized object.
-The application program cannot detect this kind of failure.
diff --git a/src/lib/libcrypto/man/CRYPTO_set_mem_functions.3 b/src/lib/libcrypto/man/CRYPTO_set_mem_functions.3
deleted file mode 100644
index d020d10ff6..0000000000
--- a/src/lib/libcrypto/man/CRYPTO_set_mem_functions.3
+++ /dev/null
@@ -1,96 +0,0 @@
-.\"     $OpenBSD: CRYPTO_set_mem_functions.3,v 1.2 2025/03/08 17:17:09 tb Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 8 2025 $
-.Dt CRYPTO_SET_MEM_FUNCTIONS 3
-.Os
-.Sh NAME
-.Nm CRYPTO_set_mem_functions ,
-.Nm CRYPTO_mem_ctrl ,
-.Nm CRYPTO_mem_leaks ,
-.Nm CRYPTO_mem_leaks_fp ,
-.Nm CRYPTO_mem_leaks_cb
-.Nd legacy OpenSSL memory allocation control
-.Sh SYNOPSIS
-.In openssl/crypto.h
-.Ft int
-.Fo CRYPTO_set_mem_functions
-.Fa "void *(*m)(size_t, const char *, int)"
-.Fa "void *(*r)(void *, size_t, const char *, int)"
-.Fa "void (*f)(void *, const char *, int)"
-.Fc
-.Ft int
-.Fo CRYPTO_mem_ctrl
-.Fa "int mode"
-.Fc
-.Ft int
-.Fo CRYPTO_mem_leaks
-.Fa "BIO *b"
-.Fc
-.Ft int
-.Fo CRYPTO_mem_leaks_fp
-.Fa "FILE *fp"
-.Fc
-.Ft typedef int *
-.Fo CRYPTO_MEM_LEAK_CB
-.Fa "unsigned long"
-.Fa "const char *"
-.Fa int
-.Fa int
-.Fa "void *"
-.Fc
-.Ft int
-.Fo CRYPTO_mem_leaks_cb
-.Fa "CRYPTO_MEM_LEAK_CB *cb"
-.Fc
-.Sh DESCRIPTION
-Do not use any of the interfaces documented here.
-They are provided purely for compatibility with legacy application code.
-.Pp
-.Fn CRYPTO_set_mem_functions ,
-.Fn CRYPTO_mem_ctrl ,
-.Fn CRYPTO_mem_leaks ,
-.Fn CRYPTO_mem_leaks_fp ,
-and
-.Fn CRYPTO_mem_leaks_cb
-have no effect.
-.Sh RETURN VALUES
-.Fn CRYPTO_set_mem_functions
-always returns 0.
-.Pp
-.Fn CRYPTO_mem_ctrl
-always returns
-.Dv CRYPTO_MEM_CHECK_OFF .
-.Pp
-.Fn CRYPTO_mem_leaks ,
-.Fn CRYPTO_mem_leaks_fp ,
-and
-.Fn CRYPTO_mem_leaks_cb
-always return -1.
-.Sh SEE ALSO
-.Xr crypto 3
-.Sh HISTORY
-.Fn CRYPTO_mem_ctrl ,
-.Fn CRYPTO_mem_leaks ,
-and
-.Fn CRYPTO_mem_leaks_fp
-first appeared in SSLeay 0.6.4.
-.Fn CRYPTO_set_mem_functions
-first appeared in SSLeay 0.6.5.
-.Fn CRYPTO_mem_leaks_cb
-first appeared in SSLeay 0.6.6.
-All these functions have all been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/ChaCha.3 b/src/lib/libcrypto/man/ChaCha.3
deleted file mode 100644
index 9aae6d70cf..0000000000
--- a/src/lib/libcrypto/man/ChaCha.3
+++ /dev/null
@@ -1,253 +0,0 @@
-.\" $OpenBSD: ChaCha.3,v 1.3 2022/02/18 10:24:32 jsg Exp $
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: February 18 2022 $
-.Dt CHACHA 3
-.Os
-.Sh NAME
-.Nm ChaCha_set_key ,
-.Nm ChaCha_set_iv ,
-.Nm ChaCha ,
-.Nm CRYPTO_chacha_20 ,
-.Nm CRYPTO_hchacha_20 ,
-.Nm CRYPTO_xchacha_20
-.Nd ChaCha20 stream cipher
-.Sh SYNOPSIS
-.In openssl/chacha.h
-.Ft void
-.Fo ChaCha_set_key
-.Fa "ChaCha_ctx *ctx"
-.Fa "const unsigned char *key"
-.Fa "unsigned int keybits"
-.Fc
-.Ft void
-.Fo ChaCha_set_iv
-.Fa "ChaCha_ctx *ctx"
-.Fa "const unsigned char *iv"
-.Fa "const unsigned char *counter"
-.Fc
-.Ft void
-.Fo ChaCha
-.Fa "ChaCha_ctx *ctx"
-.Fa "unsigned char *out"
-.Fa "const unsigned char *in"
-.Fa "size_t len"
-.Fc
-.Ft void
-.Fo CRYPTO_chacha_20
-.Fa "unsigned char *out"
-.Fa "const unsigned char *in"
-.Fa "size_t len"
-.Fa "const unsigned char key[32]"
-.Fa "const unsigned char iv[8]"
-.Fa "uint64_t counter"
-.Fc
-.Ft void
-.Fo CRYPTO_hchacha_20
-.Fa "unsigned char out[32]"
-.Fa "const unsigned char key[32]"
-.Fa "const unsigned char iv[16]"
-.Fc
-.Ft void
-.Fo CRYPTO_xchacha_20
-.Fa "unsigned char *out"
-.Fa "const unsigned char *in"
-.Fa "size_t len"
-.Fa "const unsigned char key[32]"
-.Fa "const unsigned char iv[24]"
-.Fc
-.Sh DESCRIPTION
-These functions provide a low-level implementation
-of the ChaCha stream cipher with 256 and 128-bit keys.
-The number of rounds is hardcoded to 20;
-variants with 8 or 12 rounds are not supported.
-.Pp
-Instead of using these functions directly,
-application programs normally use the more portable
-.Xr EVP_chacha20 3
-high-level interface.
-.Pp
-The ChaCha state is contained in the
-.Vt ChaCha_ctx
-structure and consists of sixteen 32-bit unsigned integers.
-.Pp
-For the recommended value of 256
-.Fa keybits ,
-.Fn ChaCha_set_key
-copies 32 bytes (256 bits) from
-.Fa key
-to the middle eight integers of the ChaCha state,
-using little endian order for each integer.
-For the alternative value of 128
-.Fa keybits ,
-only 16 bytes (128 bits) are copied from
-.Fa key
-to the ChaCha state, but they are copied twice,
-once to the second quarter and once to the third quarter.
-The first quarter of the ChaCha state is set to four constant integers;
-these constants differ depending on whether
-.Fa keybits
-is 128 or 256.
-The last quarter of the ChaCha state remains unchanged.
-.Pp
-.Fn ChaCha_set_iv
-copies eight bytes (64 bits) from
-.Fa counter
-and eight bytes (64 bits) from
-.Fa iv
-to the last quarter of the ChaCha state, the counter to the first
-two integers and the initialization vector to the last two integers,
-again in little endian order.
-If
-.Fa counter
-is
-.Dv NULL ,
-the two respective integers are set to 0 instead.
-The first three quarters of the ChaCha state remain unchanged.
-.Pp
-.Fn ChaCha
-encrypts
-.Fa len
-bytes of data from
-.Fa in
-to
-.Fa out
-using the
-.Fa ctx
-that was previously set up with
-.Fn ChaCha_set_key
-and
-.Fn ChaCha_set_iv .
-Providing an
-.Fa out
-buffer of at least
-.Fa len
-bytes is the responsibility of the caller.
-This function can be called multiple times in a row with varying
-.Fa len
-arguments.
-The
-.Fa len
-does not need to be a multiple of 64.
-.Pp
-.Fn CRYPTO_chacha_20
-encrypts
-.Fa len
-bytes of data from
-.Fa in
-to
-.Fa out
-in a one-shot operation, using the given
-.Fa key
-and
-.Fa iv
-as described for
-.Fn ChaCha_set_key
-and
-.Fn ChaCha_set_iv
-and copying the less significant half of
-.Fa counter
-to the first counter integer in the initial ChaCha state
-and the more significant half to the second integer.
-Providing an
-.Fa out
-buffer of at least
-.Fa len
-bytes is again the responsibility of the caller.
-The maximum supported value for
-.Fa len
-is 2^32 \- 1.
-.Pp
-XChaCha is a variant of ChaCha designed to support longer nonces,
-just like XSalsa20 is a variant of Salsa20 supporting longer nonces.
-.Pp
-.Fn CRYPTO_xchacha_20
-encrypts
-.Fa len
-bytes of data from
-.Fa in
-to
-.Fa out
-in a one-shot operation with the XChaCha algorithm, using the given
-.Fa key
-and
-.Fa iv .
-It is equivalent to
-.Fn CRYPTO_chacha_20
-with the last third of
-.Fa iv ,
-a
-.Fa counter
-of 0, and a key generated with
-.Fn CRYPTO_hchacha_20
-from the first two thirds of
-.Fa iv .
-.Sh SEE ALSO
-.Xr crypto 3 ,
-.Xr EVP_chacha20 3
-.Rs
-.%A Daniel J. Bernstein
-.%T ChaCha, a variant of Salsa20
-.%U https://cr.yp.to/chacha/chacha-20080128.pdf
-.%C Chicago
-.%D January 28, 2008
-.Re
-.Rs
-.%A Daniel J. Bernstein
-.%T Extending the Salsa20 nonce
-.%U https://cr.yp.to/snuffle/xsalsa-20110204.pdf
-.%C Chicago
-.%D August 22, 2017
-.Re
-.Sh STANDARDS
-RFC 8439: ChaCha20 and Poly1305 for IETF Protocols
-.Pp
-Note that the standard specifies
-a 32-bit counter and a 96-bit initialization vector whereas
-this implementation follows Bernstein's original specification
-and uses a 64-bit counter and a 64-bit initialization vector.
-.Pp
-These functions are specific to LibreSSL and not provided by OpenSSL.
-BoringSSL does provide
-.Fn CRYPTO_chacha_20 ,
-but with an incompatible interface, taking a 96-bit
-.Fa iv
-and a 32-bit
-.Fa counter .
-.Sh HISTORY
-.Fn ChaCha_set_key ,
-.Fn ChaCha_set_iv ,
-.Fn ChaCha ,
-and
-.Fn CRYPTO_chacha_20
-first appeared in
-.Ox 5.6 .
-.\" Committed on May 1, 2014.
-.\" BoringSSL added CRYPTO_chacha_20 on June 20, 2014.
-.Pp
-.Fn CRYPTO_hchacha_20
-and
-.Fn CRYPTO_xchacha_20
-first appeared in
-.Ox 6.5 .
-.Sh AUTHORS
-.An -nosplit
-This implementation was written by
-.An Daniel J. Bernstein Aq Mt djb@cr.yp.to .
-The API layer was added by
-.An Joel Sing Aq Mt jsing@openbsd.org
-for ChaCha, and for XChaCha by
-.An David Gwynne Aq Mt dlg@openbsd.org .
diff --git a/src/lib/libcrypto/man/DES_set_key.3 b/src/lib/libcrypto/man/DES_set_key.3
deleted file mode 100644
index fd09d77730..0000000000
--- a/src/lib/libcrypto/man/DES_set_key.3
+++ /dev/null
@@ -1,787 +0,0 @@
-.\" $OpenBSD: DES_set_key.3,v 1.17 2024/05/24 19:18:07 tb Exp $
-.\" full merge up to:
-.\" OpenSSL man3/DES_random_key 521738e9 Oct 5 14:58:30 2018 -0400
-.\"
-.\" --------------------------------------------------------------------------
-.\" Major patches to this file were contributed by
-.\" Ulf Moeller <ulf@openssl.org>, Ben Laurie <ben@openssl.org>,
-.\" and Richard Levitte <levitte@openssl.org>.
-.\" --------------------------------------------------------------------------
-.\" Copyright (c) 2000, 2001, 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" --------------------------------------------------------------------------
-.\" Parts of this file are derived from SSLeay documentation,
-.\" which is covered by the following Copyright and license:
-.\" --------------------------------------------------------------------------
-.\"
-.\" Copyright (C) 1995-1998 Tim Hudson (tjh@cryptsoft.com)
-.\" All rights reserved.
-.\"
-.\" This package is an SSL implementation written
-.\" by Eric Young (eay@cryptsoft.com).
-.\" The implementation was written so as to conform with Netscapes SSL.
-.\"
-.\" This library is free for commercial and non-commercial use as long as
-.\" the following conditions are aheared to.  The following conditions
-.\" apply to all code found in this distribution, be it the RC4, RSA,
-.\" lhash, DES, etc., code; not just the SSL code.  The SSL documentation
-.\" included with this distribution is covered by the same copyright terms
-.\" except that the holder is Tim Hudson (tjh@cryptsoft.com).
-.\"
-.\" Copyright remains Eric Young's, and as such any Copyright notices in
-.\" the code are not to be removed.
-.\" If this package is used in a product, Eric Young should be given
-.\" attribution as the author of the parts of the library used.
-.\" This can be in the form of a textual message at program startup or
-.\" in documentation (online or textual) provided with the package.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\"    must display the following acknowledgement:
-.\"    "This product includes cryptographic software written by
-.\"     Eric Young (eay@cryptsoft.com)"
-.\"    The word 'cryptographic' can be left out if the rouines from the
-.\"    library being used are not cryptographic related :-).
-.\" 4. If you include any Windows specific code (or a derivative thereof)
-.\"    from the apps directory (application code) you must include an
-.\"    acknowledgement: "This product includes software written by
-.\"    Tim Hudson (tjh@cryptsoft.com)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" The licence and distribution terms for any publically available version or
-.\" derivative of this code cannot be changed.  i.e. this code cannot simply be
-.\" copied and put under another distribution licence
-.\" [including the GNU Public Licence.]
-.\"
-.Dd $Mdocdate: May 24 2024 $
-.Dt DES_SET_KEY 3
-.Os
-.Sh NAME
-.Nm DES_random_key ,
-.Nm DES_set_key ,
-.Nm DES_key_sched ,
-.Nm DES_set_key_checked ,
-.Nm DES_set_key_unchecked ,
-.Nm DES_set_odd_parity ,
-.Nm DES_is_weak_key ,
-.Nm DES_ecb_encrypt ,
-.Nm DES_ecb2_encrypt ,
-.Nm DES_ecb3_encrypt ,
-.Nm DES_ncbc_encrypt ,
-.Nm DES_cfb_encrypt ,
-.Nm DES_ofb_encrypt ,
-.Nm DES_pcbc_encrypt ,
-.Nm DES_cfb64_encrypt ,
-.Nm DES_ofb64_encrypt ,
-.Nm DES_xcbc_encrypt ,
-.Nm DES_ede2_cbc_encrypt ,
-.Nm DES_ede2_cfb64_encrypt ,
-.Nm DES_ede2_ofb64_encrypt ,
-.Nm DES_ede3_cbc_encrypt ,
-.Nm DES_ede3_cbcm_encrypt ,
-.Nm DES_ede3_cfb64_encrypt ,
-.Nm DES_ede3_ofb64_encrypt ,
-.Nm DES_cbc_cksum ,
-.Nm DES_quad_cksum ,
-.Nm DES_string_to_key ,
-.Nm DES_string_to_2keys ,
-.Nm DES_fcrypt ,
-.Nm DES_crypt
-.Nd DES encryption
-.Sh SYNOPSIS
-.In openssl/des.h
-.Ft void
-.Fo DES_random_key
-.Fa "DES_cblock *ret"
-.Fc
-.Ft int
-.Fo DES_set_key
-.Fa "const_DES_cblock *key"
-.Fa "DES_key_schedule *schedule"
-.Fc
-.Ft int
-.Fo DES_key_sched
-.Fa "const_DES_cblock *key"
-.Fa "DES_key_schedule *schedule"
-.Fc
-.Ft int
-.Fo DES_set_key_checked
-.Fa "const_DES_cblock *key"
-.Fa "DES_key_schedule *schedule"
-.Fc
-.Ft void
-.Fo DES_set_key_unchecked
-.Fa "const_DES_cblock *key"
-.Fa "DES_key_schedule *schedule"
-.Fc
-.Ft void
-.Fo DES_set_odd_parity
-.Fa "DES_cblock *key"
-.Fc
-.Ft int
-.Fo DES_is_weak_key
-.Fa "const_DES_cblock *key"
-.Fc
-.Ft void
-.Fo DES_ecb_encrypt
-.Fa "const_DES_cblock *input"
-.Fa "DES_cblock *output"
-.Fa "DES_key_schedule *ks"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo DES_ecb2_encrypt
-.Fa "const_DES_cblock *input"
-.Fa "DES_cblock *output"
-.Fa "DES_key_schedule *ks1"
-.Fa "DES_key_schedule *ks2"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo DES_ecb3_encrypt
-.Fa "const_DES_cblock *input"
-.Fa "DES_cblock *output"
-.Fa "DES_key_schedule *ks1"
-.Fa "DES_key_schedule *ks2"
-.Fa "DES_key_schedule *ks3"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo DES_ncbc_encrypt
-.Fa "const unsigned char *input"
-.Fa "unsigned char *output"
-.Fa "long length"
-.Fa "DES_key_schedule *schedule"
-.Fa "DES_cblock *ivec"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo DES_cfb_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "int numbits"
-.Fa "long length"
-.Fa "DES_key_schedule *schedule"
-.Fa "DES_cblock *ivec"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo DES_ofb_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "int numbits"
-.Fa "long length"
-.Fa "DES_key_schedule *schedule"
-.Fa "DES_cblock *ivec"
-.Fc
-.Ft void
-.Fo DES_pcbc_encrypt
-.Fa "const unsigned char *input"
-.Fa "unsigned char *output"
-.Fa "long length"
-.Fa "DES_key_schedule *schedule"
-.Fa "DES_cblock *ivec"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo DES_cfb64_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "long length"
-.Fa "DES_key_schedule *schedule"
-.Fa "DES_cblock *ivec"
-.Fa "int *num"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo DES_ofb64_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "long length"
-.Fa "DES_key_schedule *schedule"
-.Fa "DES_cblock *ivec"
-.Fa "int *num"
-.Fc
-.Ft void
-.Fo DES_xcbc_encrypt
-.Fa "const unsigned char *input"
-.Fa "unsigned char *output"
-.Fa "long length"
-.Fa "DES_key_schedule *schedule"
-.Fa "DES_cblock *ivec"
-.Fa "const_DES_cblock *inw"
-.Fa "const_DES_cblock *outw"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo DES_ede2_cbc_encrypt
-.Fa "const unsigned char *input"
-.Fa "unsigned char *output"
-.Fa "long length"
-.Fa "DES_key_schedule *ks1"
-.Fa "DES_key_schedule *ks2"
-.Fa "DES_cblock *ivec"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo DES_ede2_cfb64_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "long length"
-.Fa "DES_key_schedule *ks1"
-.Fa "DES_key_schedule *ks2"
-.Fa "DES_cblock *ivec"
-.Fa "int *num"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo DES_ede2_ofb64_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "long length"
-.Fa "DES_key_schedule *ks1"
-.Fa "DES_key_schedule *ks2"
-.Fa "DES_cblock *ivec"
-.Fa "int *num"
-.Fc
-.Ft void
-.Fo DES_ede3_cbc_encrypt
-.Fa "const unsigned char *input"
-.Fa "unsigned char *output"
-.Fa "long length"
-.Fa "DES_key_schedule *ks1"
-.Fa "DES_key_schedule *ks2"
-.Fa "DES_key_schedule *ks3"
-.Fa "DES_cblock *ivec"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo DES_ede3_cbcm_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "long length"
-.Fa "DES_key_schedule *ks1"
-.Fa "DES_key_schedule *ks2"
-.Fa "DES_key_schedule *ks3"
-.Fa "DES_cblock *ivec1"
-.Fa "DES_cblock *ivec2"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo DES_ede3_cfb64_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "long length"
-.Fa "DES_key_schedule *ks1"
-.Fa "DES_key_schedule *ks2"
-.Fa "DES_key_schedule *ks3"
-.Fa "DES_cblock *ivec"
-.Fa "int *num"
-.Fa "int enc"
-.Fc
-.Ft void
-.Fo DES_ede3_ofb64_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "long length"
-.Fa "DES_key_schedule *ks1"
-.Fa "DES_key_schedule *ks2"
-.Fa "DES_key_schedule *ks3"
-.Fa "DES_cblock *ivec"
-.Fa "int *num"
-.Fc
-.Ft DES_LONG
-.Fo DES_cbc_cksum
-.Fa "const unsigned char *input"
-.Fa "DES_cblock *output"
-.Fa "long length"
-.Fa "DES_key_schedule *schedule"
-.Fa "const_DES_cblock *ivec"
-.Fc
-.Ft DES_LONG
-.Fo DES_quad_cksum
-.Fa "const unsigned char *input"
-.Fa "DES_cblock output[]"
-.Fa "long length"
-.Fa "int out_count"
-.Fa "DES_cblock *seed"
-.Fc
-.Ft void
-.Fo DES_string_to_key
-.Fa "const char *str"
-.Fa "DES_cblock *key"
-.Fc
-.Ft void
-.Fo DES_string_to_2keys
-.Fa "const char *str"
-.Fa "DES_cblock *key1"
-.Fa "DES_cblock *key2"
-.Fc
-.Ft char *
-.Fo DES_fcrypt
-.Fa "const char *buf"
-.Fa "const char *salt"
-.Fa "char *ret"
-.Fc
-.Ft char *
-.Fo DES_crypt
-.Fa "const char *buf"
-.Fa "const char *salt"
-.Fc
-.Sh DESCRIPTION
-This library contains a fast implementation of the DES encryption
-algorithm.
-.Pp
-There are two phases to the use of DES encryption.
-The first is the generation of a
-.Vt DES_key_schedule
-from a key, and the second is the actual encryption.
-A DES key is of type
-.Vt DES_cblock .
-This type consists of 8 bytes with odd parity.
-The least significant bit in each byte is the parity bit.
-The key schedule is an expanded form of the key; it is used to speed the
-encryption process.
-.Pp
-.Fn DES_random_key
-generates a random key in odd parity.
-.Pp
-Before a DES key can be used, it must be converted into the architecture
-dependent
-.Vt DES_key_schedule
-via the
-.Fn DES_set_key_checked
-or
-.Fn DES_set_key_unchecked
-function.
-.Pp
-.Fn DES_set_key_checked
-will check that the key passed is of odd parity and is not a weak or
-semi-weak key.
-If the parity is wrong, then -1 is returned.
-If the key is a weak key, then -2 is returned.
-If an error is returned, the key schedule is not generated.
-.Pp
-.Fn DES_set_key
-works like
-.Fn DES_set_key_checked
-if the
-.Em DES_check_key
-flag is non-zero, otherwise like
-.Fn DES_set_key_unchecked .
-These functions are available for compatibility; it is recommended to
-use a function that does not depend on a global variable.
-.Pp
-.Fn DES_set_odd_parity
-sets the parity of the passed
-.Fa key
-to odd.
-.Pp
-The following routines mostly operate on an input and output stream of
-.Vt DES_cblock Ns s .
-.Pp
-.Fn DES_ecb_encrypt
-is the basic DES encryption routine that encrypts or decrypts a single
-8-byte
-.Vt DES_cblock
-in electronic code book (ECB) mode.
-It always transforms the input data, pointed to by
-.Fa input ,
-into the output data, pointed to by the
-.Fa output
-argument.
-If the
-.Fa enc
-argument is non-zero
-.Pq Dv DES_ENCRYPT ,
-the
-.Fa input
-(cleartext) is encrypted into the
-.Fa output
-(ciphertext) using the key_schedule specified by the
-.Fa schedule
-argument, previously set via
-.Fn DES_set_key .
-If
-.Fa enc
-is zero
-.Pq Dv DES_DECRYPT ,
-the
-.Fa input
-(now ciphertext) is decrypted into the
-.Fa output
-(now cleartext).
-Input and output may overlap.
-.Fn DES_ecb_encrypt
-does not return a value.
-.Pp
-.Fn DES_ecb3_encrypt
-encrypts/decrypts the
-.Fa input
-block by using three-key Triple-DES encryption in ECB mode.
-This involves encrypting the input with
-.Fa ks1 ,
-decrypting with the key schedule
-.Fa ks2 ,
-and then encrypting with
-.Fa ks3 .
-This routine greatly reduces the chances of brute force breaking of DES
-and has the advantage of if
-.Fa ks1 ,
-.Fa ks2 ,
-and
-.Fa ks3
-are the same, it is equivalent to just encryption using ECB mode and
-.Fa ks1
-as the key.
-.Pp
-The macro
-.Fn DES_ecb2_encrypt
-is provided to perform two-key Triple-DES encryption by using
-.Fa ks1
-for the final encryption.
-.Pp
-.Fn DES_ncbc_encrypt
-encrypts/decrypts using the cipher-block-chaining (CBC) mode of DES.
-If the
-.Fa enc
-argument is non-zero, the routine cipher-block-chain encrypts the
-cleartext data pointed to by the
-.Fa input
-argument into the ciphertext pointed to by the
-.Fa output
-argument, using the key schedule provided by the
-.Fa schedule
-argument, and initialization vector provided by the
-.Fa ivec
-argument.
-If the
-.Fa length
-argument is not an integral multiple of eight bytes, the last block is
-copied to a temporary area and zero filled.
-The output is always an integral multiple of eight bytes.
-.Pp
-.Fn DES_xcbc_encrypt
-is RSA's DESX mode of DES.
-It uses
-.Fa inw
-and
-.Fa outw
-to "whiten" the encryption.
-.Fa inw
-and
-.Fa outw
-are secret (unlike the iv) and are as such, part of the key.
-So the key is sort of 24 bytes.
-This is much better than CBC DES.
-.Pp
-.Fn DES_ede3_cbc_encrypt
-implements outer triple CBC DES encryption with three keys.
-This means that each DES operation inside the CBC mode is
-.Qq Li C=E(ks3,D(ks2,E(ks1,M))) .
-This mode is used by SSL.
-.Pp
-The
-.Fn DES_ede2_cbc_encrypt
-macro implements two-key Triple-DES by reusing
-.Fa ks1
-for the final encryption.
-.Qq Li C=E(ks1,D(ks2,E(ks1,M))) .
-This form of Triple-DES is used by the RSAREF library.
-.Pp
-.Fn DES_pcbc_encrypt
-encrypts/decrypts using the propagating cipher block chaining mode used
-by Kerberos v4.
-Its parameters are the same as
-.Fn DES_ncbc_encrypt .
-.Pp
-.Fn DES_cfb_encrypt
-encrypts/decrypts using cipher feedback mode.
-This method takes an array of characters as input and outputs an array
-of characters.
-It does not require any padding to 8 character groups.
-Note: the
-.Fa ivec
-variable is changed and the new changed value needs to be passed to the
-next call to this function.
-Since this function runs a complete DES ECB encryption per
-.Fa numbits ,
-this function is only suggested for use when sending a small number of
-characters.
-.Pp
-.Fn DES_cfb64_encrypt
-implements CFB mode of DES with 64-bit feedback.
-Why is this useful you ask?
-Because this routine will allow you to encrypt an arbitrary number of
-bytes, without 8 byte padding.
-Each call to this routine will encrypt the input bytes to output and
-then update ivec and num.
-num contains "how far" we are though ivec.
-If this does not make much sense, read more about CFB mode of DES.
-.Pp
-The
-.Fn DES_ede3_cfb64_encrypt
-function and the
-.Fn DES_ede2_cfb64_encrypt
-macro are the same as
-.Fn DES_cfb64_encrypt
-except that Triple-DES is used.
-.Pp
-.Fn DES_ofb_encrypt
-encrypts using output feedback mode.
-This method takes an array of characters as input and outputs an array
-of characters.
-It does not require any padding to 8 character groups.
-Note: the
-.Fa ivec
-variable is changed and the new changed value needs to be passed to the
-next call to this function.
-Since this function runs a complete DES ECB encryption per
-.Fa numbits ,
-this function is only suggested for use when sending a small number
-of characters.
-.Pp
-.Fn DES_ofb64_encrypt
-is the same as
-.Fn DES_cfb64_encrypt
-using Output Feed Back mode.
-.Pp
-The
-.Fn DES_ede3_ofb64_encrypt
-function and the
-.Fn DES_ede2_ofb64_encrypt
-macro are the same as
-.Fn DES_ofb64_encrypt ,
-using Triple-DES.
-.Pp
-The following functions are included in the DES library for
-compatibility with the MIT Kerberos library.
-.Pp
-.Fn DES_cbc_cksum
-produces an 8-byte checksum based on the input stream (via CBC
-encryption).
-The last 4 bytes of the checksum are returned and the complete 8 bytes
-are placed in
-.Fa output .
-This function is used by Kerberos v4.
-Other applications should use
-.Xr EVP_DigestInit 3
-etc. instead.
-.Pp
-.Fn DES_quad_cksum
-is a Kerberos v4 function.
-It returns a 4-byte checksum from the input bytes.
-The algorithm can be iterated over the input, depending on
-.Fa out_count ,
-1, 2, 3 or 4 times.
-If
-.Fa output
-is
-.Pf non- Dv NULL ,
-the 8 bytes generated by each pass are written into
-.Fa output .
-.Pp
-The following are DES-based transformations:
-.Pp
-.Fn DES_fcrypt
-is a fast version of the Unix
-.Xr crypt 3
-function.
-The
-.Fa salt
-must be two ASCII characters.
-This version is different from the normal crypt in that the third
-parameter is the buffer that the return value is written into.
-It needs to be at least 14 bytes long.
-The fourteenth byte is set to NUL.
-This version takes only a small amount of space relative to other
-fast crypt implementations.
-It is thread safe, unlike the normal crypt.
-.Pp
-.Fn DES_crypt
-is a faster replacement for the normal system
-.Xr crypt 3 .
-This function calls
-.Fn DES_fcrypt
-with a static array passed as the third parameter.
-This emulates the normal non-thread safe semantics of
-.Xr crypt 3 .
-.Sh RETURN VALUES
-.Fn DES_set_key ,
-.Fn DES_key_sched ,
-and
-.Fn DES_set_key_checked
-return 0 on success or a negative value on error.
-.Pp
-.Fn DES_is_weak_key
-returns 1 if the passed key is a weak key or 0 if it is ok.
-.Pp
-.Fn DES_cbc_cksum
-and
-.Fn DES_quad_cksum
-return a 4-byte integer representing the last 4 bytes of the checksum
-of the input.
-.Pp
-.Fn DES_fcrypt
-returns a pointer to the caller-provided buffer
-.Fa ret ,
-and
-.Fn DES_crypt
-returns a pointer to a static buffer.
-Both are allowed to return
-.Dv NULL
-to indicate failure, but currently, they cannot fail.
-.Sh SEE ALSO
-.Xr crypt 3 ,
-.Xr EVP_des_cbc 3 ,
-.Xr EVP_EncryptInit 3
-.Sh STANDARDS
-ANSI X3.106
-.Pp
-The DES library was initially written to be source code compatible
-with the MIT Kerberos library.
-.Sh HISTORY
-.Fn DES_random_key ,
-.Fn DES_set_key ,
-.Fn DES_key_sched ,
-.Fn DES_set_odd_parity ,
-.Fn DES_is_weak_key ,
-.Fn DES_ecb_encrypt ,
-.Fn DES_cfb_encrypt ,
-.Fn DES_ofb_encrypt ,
-.Fn DES_pcbc_encrypt ,
-.Fn DES_cfb64_encrypt ,
-.Fn DES_ofb64_encrypt ,
-.Fn DES_ede3_cbc_encrypt ,
-.Fn DES_cbc_cksum ,
-.Fn DES_quad_cksum ,
-.Fn DES_string_to_key ,
-.Fn DES_string_to_2keys ,
-and
-.Fn DES_crypt
-appeared in SSLeay 0.4 or earlier.
-.Fn DES_ncbc_encrypt
-first appeared in SSLeay 0.4.2.
-.Fn DES_ede2_cbc_encrypt
-first appeared in SSLeay 0.4.4.
-.Fn DES_ecb2_encrypt ,
-.Fn DES_ecb3_encrypt ,
-.Fn DES_ede2_cfb64_encrypt ,
-.Fn DES_ede2_ofb64_encrypt ,
-.Fn DES_ede3_cfb64_encrypt ,
-and
-.Fn DES_ede3_ofb64_encrypt
-first appeared in SSLeay 0.5.1.
-.Fn DES_xcbc_encrypt
-first appeared in SSLeay 0.6.2.
-.Fn DES_fcrypt
-first appeared in SSLeay 0.6.5.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn DES_set_key_checked
-and
-.Fn DES_set_key_unchecked
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-In OpenSSL 0.9.7 and
-.Ox 3.2 ,
-all
-.Sy des_
-functions were renamed to
-.Sy DES_
-to avoid clashes with older versions of libdes.
-.Sh AUTHORS
-.An Eric Young Aq Mt eay@cryptsoft.com
-.Sh CAVEATS
-Single-key DES is insecure due to its short key size.
-ECB mode is not suitable for most applications.
-.Sh BUGS
-DES_cbc_encrypt does not modify
-.Fa ivec ;
-use
-.Fn DES_ncbc_encrypt
-instead.
-.Pp
-.Fn DES_cfb_encrypt
-and
-.Fn DES_ofb_encrypt
-operates on input of 8 bits.
-What this means is that if you set numbits to 12, and length to 2, the
-first 12 bits will come from the 1st input byte and the low half of the
-second input byte.
-The second 12 bits will have the low 8 bits taken from the 3rd input
-byte and the top 4 bits taken from the 4th input byte.
-The same holds for output.
-This function has been implemented this way because most people will be
-using a multiple of 8 and because once you get into pulling input
-bytes apart things get ugly!
-.Pp
-.Fn DES_string_to_key
-is available for backward compatibility with the MIT library.
-New applications should use a cryptographic hash function.
-The same applies for
-.Fn DES_string_to_2key .
diff --git a/src/lib/libcrypto/man/DH_generate_key.3 b/src/lib/libcrypto/man/DH_generate_key.3
deleted file mode 100644
index 076b49f7a1..0000000000
--- a/src/lib/libcrypto/man/DH_generate_key.3
+++ /dev/null
@@ -1,122 +0,0 @@
-.\"     $OpenBSD: DH_generate_key.3,v 1.12 2019/08/19 13:08:26 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 19 2019 $
-.Dt DH_GENERATE_KEY 3
-.Os
-.Sh NAME
-.Nm DH_generate_key ,
-.Nm DH_compute_key
-.Nd perform Diffie-Hellman key exchange
-.Sh SYNOPSIS
-.In openssl/dh.h
-.Ft int
-.Fo DH_generate_key
-.Fa "DH *dh"
-.Fc
-.Ft int
-.Fo DH_compute_key
-.Fa "unsigned char *key"
-.Fa "BIGNUM *pub_key"
-.Fa "DH *dh"
-.Fc
-.Sh DESCRIPTION
-.Fn DH_generate_key
-performs the first step of a Diffie-Hellman key exchange by generating
-private and public DH values.
-By calling
-.Fn DH_compute_key ,
-these are combined with the other party's public value to compute the
-shared key.
-.Pp
-.Fn DH_generate_key
-expects
-.Fa dh
-to contain the shared parameters
-.Sy dh->p
-and
-.Sy dh->g .
-It generates a random private DH value unless
-.Sy dh->priv_key
-is already set, and computes the corresponding public value
-.Sy dh->pub_key ,
-which can then be published.
-.Pp
-.Fn DH_compute_key
-computes the shared secret from the private DH value in
-.Fa dh
-and the other party's public value in
-.Fa pub_key
-and stores it in
-.Fa key .
-.Fa key
-must point to
-.Fn DH_size dh
-bytes of memory.
-.Sh RETURN VALUES
-.Fn DH_generate_key
-returns 1 on success, or 0 otherwise.
-.Pp
-.Fn DH_compute_key
-returns the size of the shared secret on success, or -1 on error.
-.Pp
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr DH_get0_key 3 ,
-.Xr DH_new 3 ,
-.Xr DH_size 3 ,
-.Xr ECDH_compute_key 3
-.Sh HISTORY
-.Fn DH_generate_key
-and
-.Fn DH_compute_key
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/DH_generate_parameters.3 b/src/lib/libcrypto/man/DH_generate_parameters.3
deleted file mode 100644
index ac29521ec4..0000000000
--- a/src/lib/libcrypto/man/DH_generate_parameters.3
+++ /dev/null
@@ -1,241 +0,0 @@
-.\" $OpenBSD: DH_generate_parameters.3,v 1.14 2022/07/13 13:47:59 schwarze Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\" selective merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ulf Moeller <ulf@openssl.org>
-.\" and Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2000, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 13 2022 $
-.Dt DH_GENERATE_PARAMETERS 3
-.Os
-.Sh NAME
-.Nm DH_generate_parameters_ex ,
-.Nm DH_check ,
-.Nm DH_check_pub_key ,
-.Nm DH_generate_parameters
-.Nd generate and check Diffie-Hellman parameters
-.Sh SYNOPSIS
-.In openssl/dh.h
-.Ft int
-.Fo DH_generate_parameters_ex
-.Fa "DH *dh"
-.Fa "int prime_len"
-.Fa "int generator"
-.Fa "BN_GENCB *cb"
-.Fc
-.Ft int
-.Fo DH_check
-.Fa "DH *dh"
-.Fa "int *codes"
-.Fc
-.Ft int
-.Fo DH_check_pub_key
-.Fa "const DH *dh"
-.Fa "const BIGNUM *pub_key"
-.Fa "int *codes"
-.Fc
-.Pp
-Deprecated:
-.Pp
-.Ft DH *
-.Fo DH_generate_parameters
-.Fa "int prime_len"
-.Fa "int generator"
-.Fa "void (*callback)(int, int, void *)"
-.Fa "void *cb_arg"
-.Fc
-.Sh DESCRIPTION
-.Fn DH_generate_parameters_ex
-generates Diffie-Hellman parameters that can be shared among a group of
-users, and stores them in the provided
-.Vt DH
-structure.
-.Pp
-.Fa prime_len
-is the length in bits of the safe prime to be generated.
-.Fa generator
-is a small number > 1, typically 2 or 5.
-.Pp
-A callback function may be used to provide feedback about the progress
-of the key generation.
-If
-.Fa cb
-is not
-.Dv NULL ,
-it will be called as described in
-.Xr BN_generate_prime 3
-while a random prime number is generated, and when a prime has been
-found,
-.Fn BN_GENCB_call cb 3 0
-is called; see
-.Xr BN_GENCB_call 3 .
-.Pp
-.Fn DH_check
-validates Diffie-Hellman parameters.
-If no problems are found,
-.Pf * Ar codes
-is set to zero.
-Otherwise, one or more of the following bits are set:
-.Bl -tag -width Ds
-.It Dv DH_CHECK_P_NOT_PRIME
-The parameter
-.Fa dh->p
-is not prime.
-.It Dv DH_CHECK_P_NOT_SAFE_PRIME
-The parameter
-.Fa dh->p
-is not a safe prime.
-.It Dv DH_UNABLE_TO_CHECK_GENERATOR
-The generator
-.Fa dh->g
-cannot be checked for suitability: it is neither 2 nor 5.
-.It Dv DH_NOT_SUITABLE_GENERATOR
-The generator
-.Fa dh->g
-is not suitable.
-.El
-.Pp
-.Fn DH_check_pub_key
-checks whether
-.Fa pub_key
-is a valid public key when using the domain parameters contained in
-.Fa dh .
-If no problems are found,
-.Pf * Ar codes
-is set to zero.
-Otherwise, one or more of the following bits are set:
-.Bl -tag -width Ds
-.It Dv DH_CHECK_PUBKEY_TOO_SMALL
-.Fa pub_key
-is less than or equal to 1.
-.It Dv DH_CHECK_PUBKEY_TOO_LARGE
-.Fa pub_key
-is greater than or equal to
-.Fa dh->p No \- 1 .
-.It DH_CHECK_PUBKEY_INVALID
-.Fa dh->q
-is set but
-.Fa pub_key
-to the power of
-.Fa dh->q
-is not 1 modulo
-.Fa dh->p .
-.El
-.Sh RETURN VALUES
-.Fn DH_generate_parameters_ex ,
-.Fn DH_check ,
-and
-.Fn DH_check_pub_key
-return 1 if the check could be performed or 0 otherwise.
-.Pp
-.Fn DH_generate_parameters
-(deprecated) returns a pointer to the
-.Vt DH
-structure, or
-.Dv NULL
-if the parameter generation fails.
-.Pp
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr DH_get0_pqg 3 ,
-.Xr DH_new 3
-.Sh HISTORY
-.Fn DH_check
-and
-.Fn DH_generate_parameters
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-The
-.Fa cb_arg
-argument to
-.Fn DH_generate_parameters
-was added in SSLeay 0.9.0.
-.Pp
-.Fn DH_check_pub_key
-first appeared in OpenSSL 0.9.8a and has been available since
-.Ox 4.0 .
-.Pp
-.Fn DH_generate_parameters_ex
-first appeared in OpenSSL 0.9.8 and has been available since
-.Ox 4.5 .
-.Sh CAVEATS
-.Fn DH_generate_parameters_ex
-and
-.Fn DH_generate_parameters
-may run for several hours before finding a suitable prime.
-.Pp
-The parameters generated by
-.Fn DH_generate_parameters_ex
-and
-.Fn DH_generate_parameters
-are not to be used in signature schemes.
-.Sh BUGS
-If
-.Fa generator
-is not 2 or 5,
-.Fa dh->g Ns = Ns Fa generator
-is not a usable generator.
diff --git a/src/lib/libcrypto/man/DH_get0_pqg.3 b/src/lib/libcrypto/man/DH_get0_pqg.3
deleted file mode 100644
index eb012980f9..0000000000
--- a/src/lib/libcrypto/man/DH_get0_pqg.3
+++ /dev/null
@@ -1,342 +0,0 @@
-.\" $OpenBSD: DH_get0_pqg.3,v 1.8 2024/07/21 08:36:43 tb Exp $
-.\" selective merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2016, 2018 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 21 2024 $
-.Dt DH_GET0_PQG 3
-.Os
-.Sh NAME
-.Nm DH_get0_pqg ,
-.Nm DH_get0_p ,
-.Nm DH_get0_q ,
-.Nm DH_get0_g ,
-.Nm DH_set0_pqg ,
-.Nm DH_get0_key ,
-.Nm DH_get0_pub_key ,
-.Nm DH_get0_priv_key ,
-.Nm DH_set0_key ,
-.Nm DH_clear_flags ,
-.Nm DH_test_flags ,
-.Nm DH_set_flags ,
-.Nm DH_get0_engine ,
-.Nm DH_set_length
-.Nd get data from and set data in a DH object
-.Sh SYNOPSIS
-.In openssl/dh.h
-.Ft void
-.Fo DH_get0_pqg
-.Fa "const DH *dh"
-.Fa "const BIGNUM **p"
-.Fa "const BIGNUM **q"
-.Fa "const BIGNUM **g"
-.Fc
-.Ft "const BIGNUM *"
-.Fo DH_get0_p
-.Fa "const DH *dh"
-.Fc
-.Ft "const BIGNUM *"
-.Fo DH_get0_q
-.Fa "const DH *dh"
-.Fc
-.Ft "const BIGNUM *"
-.Fo DH_get0_g
-.Fa "const DH *dh"
-.Fc
-.Ft int
-.Fo DH_set0_pqg
-.Fa "DH *dh"
-.Fa "BIGNUM *p"
-.Fa "BIGNUM *q"
-.Fa "BIGNUM *g"
-.Fc
-.Ft void
-.Fo DH_get0_key
-.Fa "const DH *dh"
-.Fa "const BIGNUM **pub_key"
-.Fa "const BIGNUM **priv_key"
-.Fc
-.Ft "const BIGNUM *"
-.Fo DH_get0_pub_key
-.Fa "const DH *dh"
-.Fc
-.Ft "const BIGNUM *"
-.Fo DH_get0_priv_key
-.Fa "const DH *dh"
-.Fc
-.Ft int
-.Fo DH_set0_key
-.Fa "DH *dh"
-.Fa "BIGNUM *pub_key"
-.Fa "BIGNUM *priv_key"
-.Fc
-.Ft void
-.Fo DH_clear_flags
-.Fa "DH *dh"
-.Fa "int flags"
-.Fc
-.Ft int
-.Fo DH_test_flags
-.Fa "const DH *dh"
-.Fa "int flags"
-.Fc
-.Ft void
-.Fo DH_set_flags
-.Fa "DH *dh"
-.Fa "int flags"
-.Fc
-.Ft ENGINE *
-.Fo DH_get0_engine
-.Fa "DH *d"
-.Fc
-.Ft int
-.Fo DH_set_length
-.Fa "DH *dh"
-.Fa "long length"
-.Fc
-.Sh DESCRIPTION
-A
-.Vt DH
-object contains the parameters
-.Fa p ,
-.Fa g ,
-and optionally
-.Fa q .
-It also contains a public key
-.Fa pub_key
-and an optional private key
-.Fa priv_key .
-.Pp
-The
-.Fa p ,
-.Fa q ,
-and
-.Fa g
-parameters can be obtained by calling
-.Fn DH_get0_pqg .
-If the parameters have not yet been set, then
-.Pf * Fa p ,
-.Pf * Fa q ,
-and
-.Pf * Fa g
-are set to
-.Dv NULL .
-Otherwise, they are set to pointers to the internal representations
-of the values that should not be freed by the application.
-Any of the out parameters
-.Fa p ,
-.Fa q ,
-and
-.Fa g
-can be
-.Dv NULL ,
-in which case no value is returned for that parameter.
-.Pp
-The
-.Fa p ,
-.Fa q ,
-and
-.Fa g
-values can be set by calling
-.Fn DH_set0_pqg .
-Calling this function transfers the memory management of the values to
-.Fa dh ,
-and therefore they should not be freed by the caller.
-The
-.Fa q
-argument may be
-.Dv NULL .
-.Pp
-The
-.Fn DH_get0_key
-function stores pointers to the internal representations
-of the public key in
-.Pf * Fa pub_key
-and to the private key in
-.Pf * Fa priv_key .
-Either may be
-.Dv NULL
-if it has not yet been set.
-If the private key has been set, then the public key must be.
-Any of the out parameters
-.Fa pub_key
-and
-.Fa priv_key
-can be
-.Dv NULL ,
-in which case no value is returned for that parameter.
-.Pp
-The public and private key values can be set using
-.Fn DH_set0_key .
-Either parameter may be
-.Dv NULL ,
-which means the corresponding
-.Vt DH
-field is left untouched.
-This function transfers the memory management of the key values to
-.Fa dh ,
-and therefore they should not be freed by the caller.
-.Pp
-Values retrieved with
-.Fn DH_get0_pqg
-and
-.Fn DH_get0_key
-are owned by the
-.Vt DH
-object and may therefore not be passed to
-.Fn DH_set0_pqg
-or
-.Fn DH_set0_key .
-If needed, duplicate the received values using
-.Xr BN_dup 3
-and pass the duplicates.
-.Pp
-Any of the values
-.Fa p ,
-.Fa q ,
-.Fa g ,
-.Fa pub_key ,
-and
-.Fa priv_key
-can also be retrieved separately by the corresponding functions
-.Fn DH_get0_p ,
-.Fn DH_get0_q ,
-.Fn DH_get0_g ,
-.Fn DH_get0_pub_key ,
-and
-.Fn DH_get0_priv_key ,
-respectively.
-The pointers are owned by the
-.Vt DH
-object.
-.Pp
-.Fn DH_clear_flags
-clears the specified
-.Fa flags
-in
-.Fa dh .
-.Fn DH_test_flags
-tests the
-.Fa flags
-in
-.Fa dh .
-.Fn DH_set_flags
-sets the
-.Fa flags
-in
-.Fa dh ;
-any flags already set remain set.
-For all three functions, multiple flags can be passed in one call,
-OR'ed together bitwise.
-.Pp
-.Fn DH_set_length
-sets the optional length attribute of
-.Fa dh ,
-indicating the length of the secret exponent (private key) in bits.
-If the length attribute is non-zero, it is used, otherwise it is ignored.
-.Sh RETURN VALUES
-+.Fn DH_get0_p ,
-+.Fn DH_get0_q ,
-+.Fn DH_get0_g ,
-+.Fn DH_get0_pub_key ,
-+and
-+.Fn DH_get0_priv_key ,
-+return a pointer owned by the
-+.Vt DH
-+object if the corresponding value has been set,
-+otherwise they return
-+.Dv NULL .
-.Fn DH_set0_pqg ,
-.Fn DH_set0_key ,
-and
-.Fn DH_set_length
-return 1 on success or 0 on failure.
-.Pp
-.Fn DH_test_flags
-return those of the given
-.Fa flags
-currently set in
-.Fa dh
-or 0 if none of the given
-.Fa flags
-are set.
-.Pp
-.Fn DH_get0_engine
-always returns
-.Dv NULL .
-.Sh SEE ALSO
-.Xr DH_generate_key 3 ,
-.Xr DH_generate_parameters 3 ,
-.Xr DH_new 3 ,
-.Xr DH_security_bits 3 ,
-.Xr DH_size 3 ,
-.Xr DHparams_print 3
-.Sh HISTORY
-.Fn DH_get0_pqg ,
-.Fn DH_set0_pqg ,
-.Fn DH_get0_key ,
-.Fn DH_set0_key ,
-.Fn DH_clear_flags ,
-.Fn DH_test_flags ,
-.Fn DH_set_flags ,
-.Fn DH_get0_engine ,
-and
-.Fn DH_set_length
-first appeared in OpenSSL 1.1.0
-and have been available since
-.Ox 6.3 .
-.Pp
-.Fn DH_get0_p ,
-.Fn DH_get0_q ,
-.Fn DH_get0_g ,
-.Fn DH_get0_pub_key ,
-and
-.Fn DH_get0_priv_key
-first appeared in OpenSSL 1.1.1
-and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/DH_get_ex_new_index.3 b/src/lib/libcrypto/man/DH_get_ex_new_index.3
deleted file mode 100644
index 81a0aff8ec..0000000000
--- a/src/lib/libcrypto/man/DH_get_ex_new_index.3
+++ /dev/null
@@ -1,99 +0,0 @@
-.\"     $OpenBSD: DH_get_ex_new_index.3,v 1.5 2018/03/23 23:18:17 schwarze Exp $
-.\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 23 2018 $
-.Dt DH_GET_EX_NEW_INDEX 3
-.Os
-.Sh NAME
-.Nm DH_get_ex_new_index ,
-.Nm DH_set_ex_data ,
-.Nm DH_get_ex_data
-.Nd add application specific data to DH structures
-.Sh SYNOPSIS
-.In openssl/dh.h
-.Ft int
-.Fo DH_get_ex_new_index
-.Fa "long argl"
-.Fa "void *argp"
-.Fa "CRYPTO_EX_new *new_func"
-.Fa "CRYPTO_EX_dup *dup_func"
-.Fa "CRYPTO_EX_free *free_func"
-.Fc
-.Ft int
-.Fo DH_set_ex_data
-.Fa "DH *d"
-.Fa "int idx"
-.Fa "void *arg"
-.Fc
-.Ft char *
-.Fo DH_get_ex_data
-.Fa "DH *d"
-.Fa "int idx"
-.Fc
-.Sh DESCRIPTION
-These functions handle application specific data in
-.Vt DH
-structures.
-Their usage is identical to that of
-.Xr RSA_get_ex_new_index 3 ,
-.Xr RSA_set_ex_data 3 ,
-and
-.Xr RSA_get_ex_data 3 .
-.Sh SEE ALSO
-.Xr DH_new 3 ,
-.Xr RSA_get_ex_new_index 3
-.Sh HISTORY
-.Fn DH_get_ex_new_index ,
-.Fn DH_set_ex_data ,
-and
-.Fn DH_get_ex_data
-first appeared in OpenSSL 0.9.5
-and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/DH_new.3 b/src/lib/libcrypto/man/DH_new.3
deleted file mode 100644
index 4993456897..0000000000
--- a/src/lib/libcrypto/man/DH_new.3
+++ /dev/null
@@ -1,133 +0,0 @@
-.\"     $OpenBSD: DH_new.3,v 1.12 2022/07/13 21:51:35 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 13 2022 $
-.Dt DH_NEW 3
-.Os
-.Sh NAME
-.Nm DH_new ,
-.Nm DH_up_ref ,
-.Nm DH_free
-.Nd allocate and free DH objects
-.Sh SYNOPSIS
-.In openssl/dh.h
-.Ft DH*
-.Fn DH_new void
-.Ft int
-.Fo DH_up_ref
-.Fa "DH *dh"
-.Fc
-.Ft void
-.Fo DH_free
-.Fa "DH *dh"
-.Fc
-.Sh DESCRIPTION
-The DH functions implement the Diffie-Hellman key agreement protocol.
-.Pp
-.Fn DH_new
-allocates and initializes a
-.Vt DH
-structure, setting the reference count to 1.
-It is equivalent to
-.Xr DH_new_method 3
-with a
-.Dv NULL
-argument.
-.Pp
-.Fn DH_up_ref
-increments the reference count by 1.
-.Pp
-.Fn DH_free
-decrements the reference count by 1.
-If it reaches 0, it frees the
-.Vt DH
-structure and its components.
-The values are erased before the memory is returned to the system.
-If
-.Fa dh
-is a
-.Dv NULL
-pointer, no action occurs.
-.Sh RETURN VALUES
-If the allocation fails,
-.Fn DH_new
-returns
-.Dv NULL
-and sets an error code that can be obtained by
-.Xr ERR_get_error 3 .
-Otherwise it returns a pointer to the newly allocated structure.
-.Pp
-.Fn DH_up_ref
-returns 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr BN_new 3 ,
-.Xr crypto 3 ,
-.Xr d2i_DHparams 3 ,
-.Xr DH_generate_key 3 ,
-.Xr DH_generate_parameters 3 ,
-.Xr DH_get0_pqg 3 ,
-.Xr DH_get_ex_new_index 3 ,
-.Xr DH_security_bits 3 ,
-.Xr DH_set_method 3 ,
-.Xr DH_size 3 ,
-.Xr DHparams_print 3 ,
-.Xr DSA_dup_DH 3 ,
-.Xr EVP_PKEY_CTX_set_dh_paramgen_prime_len 3 ,
-.Xr EVP_PKEY_set1_DH 3
-.Sh HISTORY
-.Fn DH_new
-and
-.Fn DH_free
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn DH_up_ref
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/DH_set_method.3 b/src/lib/libcrypto/man/DH_set_method.3
deleted file mode 100644
index 70cf367c9d..0000000000
--- a/src/lib/libcrypto/man/DH_set_method.3
+++ /dev/null
@@ -1,195 +0,0 @@
-.\"     $OpenBSD: DH_set_method.3,v 1.9 2023/11/19 10:34:26 tb Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2007 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 19 2023 $
-.Dt DH_SET_METHOD 3
-.Os
-.Sh NAME
-.Nm DH_set_default_method ,
-.Nm DH_get_default_method ,
-.Nm DH_set_method ,
-.Nm DH_new_method ,
-.Nm DH_OpenSSL
-.Nd select DH method
-.Sh SYNOPSIS
-.In openssl/dh.h
-.Ft void
-.Fo DH_set_default_method
-.Fa "const DH_METHOD *meth"
-.Fc
-.Ft const DH_METHOD *
-.Fo DH_get_default_method
-.Fa void
-.Fc
-.Ft int
-.Fo DH_set_method
-.Fa "DH *dh"
-.Fa "const DH_METHOD *meth"
-.Fc
-.Ft DH *
-.Fo DH_new_method
-.Fa "ENGINE *engine"
-.Fc
-.Ft const DH_METHOD *
-.Fo DH_OpenSSL
-.Fa void
-.Fc
-.Sh DESCRIPTION
-A
-.Vt DH_METHOD
-object contains pointers to the functions
-used for Diffie-Hellman operations.
-By default, the internal implementation returned by
-.Fn DH_OpenSSL
-is used.
-By selecting another method, alternative implementations
-such as hardware accelerators may be used.
-.Pp
-.Fn DH_set_default_method
-selects
-.Fa meth
-as the default method for all
-.Vt DH
-structures created later.
-.Pp
-.Fn DH_get_default_method
-returns a pointer to the current default method.
-.Pp
-.Fn DH_set_method
-selects
-.Fa meth
-to perform all operations using the key
-.Fa dh .
-This replaces the
-.Vt DH_METHOD
-used by the
-.Fa dh
-key.
-It is possible to have
-.Vt DH
-keys that only work with certain
-.Vt DH_METHOD
-implementations,
-and in such cases attempting to change the
-.Vt DH_METHOD
-for the key can have unexpected results.
-.Pp
-.Fn DH_new_method
-allocates and initializes a
-.Vt DH
-structure.
-The
-.Fa engine
-argument is ignored and
-the default method controlled by
-.Fn DH_set_default_method
-is used.
-.Pp
-The
-.Vt DH_METHOD
-structure is defined as follows:
-.Bd -literal
-typedef struct dh_meth_st
-{
-     /* name of the implementation */
-        const char *name;
-
-     /* generate private and public DH values for key agreement */
-        int (*generate_key)(DH *dh);
-
-     /* compute shared secret */
-        int (*compute_key)(unsigned char *key, BIGNUM *pub_key, DH *dh);
-
-     /* compute r = a ^ p mod m (May be NULL for some implementations) */
-        int (*bn_mod_exp)(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
-                                const BIGNUM *m, BN_CTX *ctx,
-                                BN_MONT_CTX *m_ctx);
-
-     /* called at DH_new */
-        int (*init)(DH *dh);
-
-     /* called at DH_free */
-        int (*finish)(DH *dh);
-
-        int flags;
-
-        char *app_data; /* ?? */
-
-} DH_METHOD;
-.Ed
-.Sh RETURN VALUES
-.Fn DH_OpenSSL
-and
-.Fn DH_get_default_method
-return pointers to the respective
-.Vt DH_METHOD .
-.Pp
-.Fn DH_set_method
-returns 1 on success or 0 on failure.
-Currently, it cannot fail.
-.Pp
-.Fn DH_new_method
-returns
-.Dv NULL
-and sets an error code that can be obtained by
-.Xr ERR_get_error 3
-if the allocation fails.
-Otherwise it returns a pointer to the newly allocated structure.
-.Sh SEE ALSO
-.Xr DH_new 3
-.Sh HISTORY
-.Fn DH_set_default_method ,
-.Fn DH_get_default_method ,
-.Fn DH_set_method ,
-.Fn DH_new_method
-and
-.Fn DH_OpenSSL
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/DH_size.3 b/src/lib/libcrypto/man/DH_size.3
deleted file mode 100644
index 4e6dbc0cba..0000000000
--- a/src/lib/libcrypto/man/DH_size.3
+++ /dev/null
@@ -1,97 +0,0 @@
-.\" $OpenBSD: DH_size.3,v 1.10 2022/07/13 21:51:35 schwarze Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>
-.\" and Kurt Roeckx <kurt@roeckx.be>.
-.\" Copyright (c) 2000, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 13 2022 $
-.Dt DH_SIZE 3
-.Os
-.Sh NAME
-.Nm DH_size ,
-.Nm DH_bits
-.Nd get Diffie-Hellman prime size
-.Sh SYNOPSIS
-.In openssl/dh.h
-.Ft int
-.Fo DH_size
-.Fa "const DH *dh"
-.Fc
-.Ft int
-.Fo DH_bits
-.Fa "const DH *dh"
-.Fc
-.Sh DESCRIPTION
-.Fn DH_size
-returns the Diffie-Hellman prime size in bytes.
-It can be used to determine how much memory must be allocated for the
-shared secret computed by
-.Xr DH_compute_key 3 .
-.Pp
-.Fn DH_bits
-returns the number of significant bits in the key.
-.Pp
-.Fa dh
-and
-.Fa dh->p
-must not be
-.Dv NULL .
-.Sh SEE ALSO
-.Xr BN_num_bytes 3 ,
-.Xr DH_generate_key 3 ,
-.Xr DH_get0_key 3 ,
-.Xr DH_new 3 ,
-.Xr DH_security_bits 3
-.Sh HISTORY
-.Fn DH_size
-first appeared in SSLeay 0.5.1 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn DH_bits
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/DIST_POINT_new.3 b/src/lib/libcrypto/man/DIST_POINT_new.3
deleted file mode 100644
index 6a5cc40468..0000000000
--- a/src/lib/libcrypto/man/DIST_POINT_new.3
+++ /dev/null
@@ -1,154 +0,0 @@
-.\"     $OpenBSD: DIST_POINT_new.3,v 1.5 2019/06/06 01:06:58 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 6 2019 $
-.Dt DIST_POINT_NEW 3
-.Os
-.Sh NAME
-.Nm DIST_POINT_new ,
-.Nm DIST_POINT_free ,
-.Nm CRL_DIST_POINTS_new ,
-.Nm CRL_DIST_POINTS_free ,
-.Nm DIST_POINT_NAME_new ,
-.Nm DIST_POINT_NAME_free ,
-.Nm ISSUING_DIST_POINT_new ,
-.Nm ISSUING_DIST_POINT_free
-.Nd X.509 CRL distribution point extensions
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft DIST_POINT *
-.Fn DIST_POINT_new void
-.Ft void
-.Fn DIST_POINT_free "DIST_POINT *dp"
-.Ft CRL_DIST_POINTS *
-.Fn CRL_DIST_POINTS_new void
-.Ft void
-.Fn CRL_DIST_POINTS_free "CRL_DIST_POINTS *dps"
-.Ft DIST_POINT_NAME *
-.Fn DIST_POINT_NAME_new void
-.Ft void
-.Fn DIST_POINT_NAME_free "DIST_POINT_NAME *name"
-.Ft ISSUING_DIST_POINT *
-.Fn ISSUING_DIST_POINT_new void
-.Ft void
-.Fn ISSUING_DIST_POINT_free "ISSUING_DIST_POINT *dp"
-.Sh DESCRIPTION
-Using the CRL distribution point extension, a certificate can specify
-where to obtain certificate revocation lists that might later revoke it.
-.Pp
-.Fn DIST_POINT_new
-allocates and initializes an empty
-.Vt DIST_POINT
-object, representing an ASN.1
-.Vt DistributionPoint
-structure defined in RFC 5280 section 4.2.1.13.
-It can hold issuer names, distribution point names, and reason flags.
-.Fn DIST_POINT_free
-frees
-.Fa dp .
-.Pp
-.Fn CRL_DIST_POINTS_new
-allocates and initializes an empty
-.Vt CRL_DIST_POINTS
-object, which is a
-.Vt STACK_OF(DIST_POINT)
-and represents the ASN.1
-.Vt CRLDistributionPoints
-structure defined in RFC 5280 section 4.2.1.13.
-It can be used as an extension in
-.Vt X509
-and in
-.Vt X509_CRL
-objects.
-.Fn CRL_DIST_POINTS_free
-frees
-.Fa dps .
-.Pp
-.Fn DIST_POINT_NAME_new
-allocates and initializes an empty
-.Vt DIST_POINT_NAME
-object, representing an ASN.1
-.Vt DistributionPointName
-structure defined in RFC 5280 section 4.2.1.13.
-It is used by the
-.Vt DIST_POINT
-and
-.Vt ISSUING_DIST_POINT
-objects and can hold multiple names, each representing a different
-way to obtain the same CRL.
-.Fn DIST_POINT_NAME_free
-frees
-.Fa name .
-.Pp
-.Fn ISSUING_DIST_POINT_new
-allocates and initializes an empty
-.Vt ISSUING_DIST_POINT
-object, representing an ASN.1
-.Vt IssuingDistributionPoint
-structure defined in RFC 5280 section 5.2.5.
-Using this extension, a CRL can specify which distribution point
-it was issued from and which kinds of certificates and revocation
-reasons it covers.
-.Fn ISSUING_DIST_POINT_free
-frees
-.Fa dp .
-.Sh RETURN VALUES
-.Fn DIST_POINT_new ,
-.Fn CRL_DIST_POINTS_new ,
-.Fn DIST_POINT_NAME_new ,
-and
-.Fn ISSUING_DIST_POINT_new
-return the new
-.Vt DIST_POINT ,
-.Vt CRL_DIST_POINTS ,
-.Vt DIST_POINT_NAME ,
-or
-.Vt ISSUING_DIST_POINT
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr d2i_DIST_POINT 3 ,
-.Xr GENERAL_NAMES_new 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_NAME_new 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile:
-.Bl -dash -compact
-.It
-section 4.2.1.13: CRL Distribution Points
-.It
-section 5.2.5: Issuing Distribution Point
-.El
-.Sh HISTORY
-.Fn DIST_POINT_new ,
-.Fn DIST_POINT_free ,
-.Fn CRL_DIST_POINTS_new ,
-.Fn CRL_DIST_POINTS_free ,
-.Fn DIST_POINT_NAME_new ,
-and
-.Fn DIST_POINT_NAME_free
-first appeared in OpenSSL 0.9.3 and have been available since
-.Ox 2.6 .
-.Pp
-.Fn ISSUING_DIST_POINT_new
-and
-.Fn ISSUING_DIST_POINT_free
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/DSA_SIG_new.3 b/src/lib/libcrypto/man/DSA_SIG_new.3
deleted file mode 100644
index 160b453939..0000000000
--- a/src/lib/libcrypto/man/DSA_SIG_new.3
+++ /dev/null
@@ -1,141 +0,0 @@
-.\" $OpenBSD: DSA_SIG_new.3,v 1.8 2019/06/10 14:58:48 schwarze Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>,
-.\" Dr. Stephen Henson <steve@openssl.org>, and
-.\" TJ Saunders <tj@castaglia.org>.
-.\" Copyright (c) 2000, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 10 2019 $
-.Dt DSA_SIG_NEW 3
-.Os
-.Sh NAME
-.Nm DSA_SIG_new ,
-.Nm DSA_SIG_free ,
-.Nm DSA_SIG_get0 ,
-.Nm DSA_SIG_set0
-.Nd manipulate DSA signature objects
-.Sh SYNOPSIS
-.In openssl/dsa.h
-.Ft DSA_SIG *
-.Fn DSA_SIG_new void
-.Ft void
-.Fo DSA_SIG_free
-.Fa "DSA_SIG *sig"
-.Fc
-.Ft void
-.Fo DSA_SIG_get0
-.Fa "const DSA_SIG *sig"
-.Fa "const BIGNUM **r"
-.Fa "const BIGNUM **s"
-.Fc
-.Ft int
-.Fo DSA_SIG_set0
-.Fa "DSA_SIG *sig"
-.Fa "BIGNUM *r"
-.Fa "BIGNUM *s"
-.Fc
-.Sh DESCRIPTION
-.Fn DSA_SIG_new
-allocates an empty
-.Vt DSA_SIG
-structure.
-.Pp
-.Fn DSA_SIG_free
-frees the
-.Vt DSA_SIG
-structure and its components.
-The values are erased before the memory is returned to the system.
-If
-.Fa sig
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn DSA_SIG_get0
-retrieves internal pointers to the
-.Fa r
-and
-.Fa s
-values contained in
-.Fa sig .
-.Pp
-The
-.Fa r
-and
-.Fa s
-values can be set by calling
-.Fn DSA_SIG_set0 .
-Calling this function transfers the memory management of the values to
-.Fa sig ,
-and therefore they should not be freed by the caller.
-.Sh RETURN VALUES
-If the allocation fails,
-.Fn DSA_SIG_new
-returns
-.Dv NULL
-and sets an error code that can be obtained by
-.Xr ERR_get_error 3 .
-Otherwise it returns a pointer to the newly allocated structure.
-.Pp
-.Fn DSA_SIG_set0
-returns 1 on success or 0 on failure.
-.Sh SEE ALSO
-.Xr DSA_do_sign 3 ,
-.Xr DSA_new 3
-.Sh HISTORY
-.Fn DSA_SIG_new
-and
-.Fn DSA_SIG_free
-first appeared in OpenSSL 0.9.3 and have been available since
-.Ox 2.6 .
-.Pp
-.Fn DSA_SIG_get0
-and
-.Fn DSA_SIG_set0
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/DSA_do_sign.3 b/src/lib/libcrypto/man/DSA_do_sign.3
deleted file mode 100644
index 4602bed872..0000000000
--- a/src/lib/libcrypto/man/DSA_do_sign.3
+++ /dev/null
@@ -1,119 +0,0 @@
-.\"     $OpenBSD: DSA_do_sign.3,v 1.10 2019/06/10 14:58:48 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 10 2019 $
-.Dt DSA_DO_SIGN 3
-.Os
-.Sh NAME
-.Nm DSA_do_sign ,
-.Nm DSA_do_verify
-.Nd raw DSA signature operations
-.Sh SYNOPSIS
-.In openssl/dsa.h
-.Ft DSA_SIG *
-.Fo DSA_do_sign
-.Fa "const unsigned char *dgst"
-.Fa "int dlen"
-.Fa "DSA *dsa"
-.Fc
-.Ft int
-.Fo DSA_do_verify
-.Fa "const unsigned char *dgst"
-.Fa "int dgst_len"
-.Fa "DSA_SIG *sig"
-.Fa "DSA *dsa"
-.Fc
-.Sh DESCRIPTION
-.Fn DSA_do_sign
-computes a digital signature on the
-.Fa dlen
-byte message digest
-.Fa dgst
-using the private key
-.Fa dsa
-and returns it in a newly allocated
-.Vt DSA_SIG
-structure.
-.Pp
-.Xr DSA_sign_setup 3
-may be used to precompute part of the signing operation in case
-signature generation is time-critical.
-.Pp
-.Fn DSA_do_verify
-verifies that the signature
-.Fa sig
-matches a given message digest
-.Fa dgst
-of size
-.Fa dgst_len .
-.Fa dsa
-is the signer's public key.
-.Sh RETURN VALUES
-.Fn DSA_do_sign
-returns the signature or
-.Dv NULL
-on error.
-.Fn DSA_do_verify
-returns 1 for a valid signature, 0 for an incorrect signature,
-and -1 on error.
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr DSA_get0_key 3 ,
-.Xr DSA_meth_set_sign 3 ,
-.Xr DSA_new 3 ,
-.Xr DSA_SIG_new 3 ,
-.Xr DSA_sign 3
-.Sh HISTORY
-.Fn DSA_do_sign
-and
-.Fn DSA_do_verify
-first appeared in OpenSSL 0.9.3 and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/DSA_dup_DH.3 b/src/lib/libcrypto/man/DSA_dup_DH.3
deleted file mode 100644
index d6163fd3c3..0000000000
--- a/src/lib/libcrypto/man/DSA_dup_DH.3
+++ /dev/null
@@ -1,88 +0,0 @@
-.\"     $OpenBSD: DSA_dup_DH.3,v 1.9 2023/08/12 08:26:38 tb Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2002 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 12 2023 $
-.Dt DSA_DUP_DH 3
-.Os
-.Sh NAME
-.Nm DSA_dup_DH
-.Nd create a DH structure out of DSA structure
-.Sh SYNOPSIS
-.In openssl/dsa.h
-.Ft DH *
-.Fo DSA_dup_DH
-.Fa "const DSA *r"
-.Fc
-.Sh DESCRIPTION
-.Fn DSA_dup_DH
-duplicates
-.Vt DSA
-parameters/keys as
-.Vt DH
-parameters/keys.
-.Sh RETURN VALUES
-.Fn DSA_dup_DH
-returns the new
-.Vt DH
-structure or
-.Dv NULL
-on error.
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr DH_new 3 ,
-.Xr DSA_get0_pqg 3 ,
-.Xr DSA_new 3
-.Sh HISTORY
-.Fn DSA_dup_DH
-first appeared in OpenSSL 0.9.4 and has been available since
-.Ox 2.6 .
-.Sh CAVEATS
-Be careful to avoid small subgroup attacks when using this.
diff --git a/src/lib/libcrypto/man/DSA_generate_key.3 b/src/lib/libcrypto/man/DSA_generate_key.3
deleted file mode 100644
index 37d8ec1c0f..0000000000
--- a/src/lib/libcrypto/man/DSA_generate_key.3
+++ /dev/null
@@ -1,84 +0,0 @@
-.\"     $OpenBSD: DSA_generate_key.3,v 1.11 2023/12/29 19:12:47 tb Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 29 2023 $
-.Dt DSA_GENERATE_KEY 3
-.Os
-.Sh NAME
-.Nm DSA_generate_key
-.Nd generate DSA key pair
-.Sh SYNOPSIS
-.In openssl/dsa.h
-.Ft int
-.Fo DSA_generate_key
-.Fa "DSA *a"
-.Fc
-.Sh DESCRIPTION
-.Fn DSA_generate_key
-expects
-.Fa a
-to contain DSA parameters.
-It generates a new key pair and stores it in
-.Fa a->pub_key
-and
-.Fa a->priv_key .
-.Sh RETURN VALUES
-.Fn DSA_generate_key
-returns 1 on success or 0 otherwise.
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr DSA_generate_parameters_ex 3 ,
-.Xr DSA_get0_key 3 ,
-.Xr DSA_new 3
-.Sh HISTORY
-.Fn DSA_generate_key
-first appeared in SSLeay 0.6.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/DSA_generate_parameters_ex.3 b/src/lib/libcrypto/man/DSA_generate_parameters_ex.3
deleted file mode 100644
index a318bf8298..0000000000
--- a/src/lib/libcrypto/man/DSA_generate_parameters_ex.3
+++ /dev/null
@@ -1,174 +0,0 @@
-.\"     $OpenBSD: DSA_generate_parameters_ex.3,v 1.1 2023/12/29 19:15:15 tb Exp $
-.\"     OpenSSL 9b86974e Aug 7 22:14:47 2015 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>,
-.\" Bodo Moeller <bodo@openssl.org>, and Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2000, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 29 2023 $
-.Dt DSA_GENERATE_PARAMETERS_EX 3
-.Os
-.Sh NAME
-.\" .Nm DSA_generate_parameters is intentionally undocumented
-.\" because it will be removed in the next major bump
-.Nm DSA_generate_parameters_ex
-.Nd generate DSA parameters
-.Sh SYNOPSIS
-.In openssl/dsa.h
-.Ft int
-.Fo DSA_generate_parameters_ex
-.Fa "DSA *dsa"
-.Fa "int bits"
-.Fa "const unsigned char *seed"
-.Fa "int seed_len"
-.Fa "int *counter_ret"
-.Fa "unsigned long *h_ret"
-.Fa "BN_GENCB *cb"
-.Fc
-.Sh DESCRIPTION
-.Fn DSA_generate_parameters_ex
-generates primes p and q and a generator g for use in the DSA and stores
-the result in
-.Fa dsa .
-.Pp
-.Fa bits
-is the length of the prime to be generated; the DSS allows a maximum of
-1024 bits.
-.Pp
-If
-.Fa seed
-is
-.Dv NULL
-or
-.Fa seed_len
-< 20, the primes will be generated at random.
-Otherwise, the seed is used to generate them.
-If the given seed does not yield a prime q, a new random seed is chosen
-and placed at
-.Fa seed .
-.Pp
-.Fn DSA_generate_parameters_ex
-places the iteration count in
-.Pf * Fa counter_ret
-and a counter used for finding a generator in
-.Pf * Fa h_ret ,
-unless these are
-.Dv NULL .
-.Pp
-A callback function may be used to provide feedback about the progress
-of the key generation.
-If
-.Fa cb
-is not
-.Dv NULL ,
-it will be called as shown below.
-For information on the
-.Vt BN_GENCB
-structure, refer to
-.Xr BN_GENCB_call 3 .
-.Bl -bullet
-.It
-When a candidate for q is generated,
-.Fn BN_GENCB_call cb 0 m++
-is called
-.Pf ( Fa m
-is 0 for the first candidate).
-.It
-When a candidate for q has passed a test by trial division,
-.Fn BN_GENCB_call cb 1 -1
-is called.
-While a candidate for q is tested by Miller-Rabin primality tests,
-.Fn BN_GENCB_call cb 1 i
-is called in the outer loop (once for each witness that confirms that
-the candidate may be prime);
-.Fa i
-is the loop counter (starting at 0).
-.It
-When a prime q has been found,
-.Fn BN_GENCB_call cb 2 0
-and
-.Fn BN_GENCB_call cb 3 0
-are called.
-.It
-Before a candidate for p (other than the first) is generated and tested,
-.Fn BN_GENCB_call cb 0 counter
-is called.
-.It
-When a candidate for p has passed the test by trial division,
-.Fn BN_GENCB_call cb 1 -1
-is called.
-While it is tested by the Miller-Rabin primality test,
-.Fn BN_GENCB_call cb 1 i
-is called in the outer loop (once for each witness that confirms that
-the candidate may be prime).
-.Fa i
-is the loop counter (starting at 0).
-.It
-When p has been found,
-.Fn BN_GENCB_call cb 2 1
-is called.
-.It
-When the generator has been found,
-.Fn BN_GENCB_call cb 3 1
-is called.
-.El
-.Sh RETURN VALUES
-.Fn DSA_generate_parameters_ex
-returns a 1 on success, or 0 otherwise.
-.Pp
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr BN_generate_prime 3 ,
-.Xr DSA_get0_pqg 3 ,
-.Xr DSA_new 3
-.Sh HISTORY
-.Fn DSA_generate_parameters_ex
-first appeared in OpenSSL 0.9.8 and has been available since
-.Ox 4.5 .
-.Sh BUGS
-Seed lengths > 20 are not supported.
diff --git a/src/lib/libcrypto/man/DSA_get0_pqg.3 b/src/lib/libcrypto/man/DSA_get0_pqg.3
deleted file mode 100644
index b82affba66..0000000000
--- a/src/lib/libcrypto/man/DSA_get0_pqg.3
+++ /dev/null
@@ -1,320 +0,0 @@
-.\" $OpenBSD: DSA_get0_pqg.3,v 1.11 2024/07/21 08:36:43 tb Exp $
-.\" full merge up to: OpenSSL e90fc053 Jul 15 09:39:45 2017 -0400
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 21 2024 $
-.Dt DSA_GET0_PQG 3
-.Os
-.Sh NAME
-.Nm DSA_get0_pqg ,
-.Nm DSA_get0_p ,
-.Nm DSA_get0_q ,
-.Nm DSA_get0_g ,
-.Nm DSA_set0_pqg ,
-.Nm DSA_get0_key ,
-.Nm DSA_get0_pub_key ,
-.Nm DSA_get0_priv_key ,
-.Nm DSA_set0_key ,
-.Nm DSA_clear_flags ,
-.Nm DSA_test_flags ,
-.Nm DSA_set_flags ,
-.Nm DSA_get0_engine
-.Nd get data from and set data in a DSA object
-.Sh SYNOPSIS
-.In openssl/dsa.h
-.Ft void
-.Fo DSA_get0_pqg
-.Fa "const DSA *d"
-.Fa "const BIGNUM **p"
-.Fa "const BIGNUM **q"
-.Fa "const BIGNUM **g"
-.Fc
-.Ft "const BIGNUM *"
-.Fo DSA_get0_p
-.Fa "const DSA *d"
-.Fc
-.Ft "const BIGNUM *"
-.Fo DSA_get0_q
-.Fa "const DSA *d"
-.Fc
-.Ft "const BIGNUM *"
-.Fo DSA_get0_g
-.Fa "const DSA *d"
-.Fc
-.Ft int
-.Fo DSA_set0_pqg
-.Fa "DSA *d"
-.Fa "BIGNUM *p"
-.Fa "BIGNUM *q"
-.Fa "BIGNUM *g"
-.Fc
-.Ft void
-.Fo DSA_get0_key
-.Fa "const DSA *d"
-.Fa "const BIGNUM **pub_key"
-.Fa "const BIGNUM **priv_key"
-.Fc
-.Ft "const BIGNUM *"
-.Fo DSA_get0_pub_key
-.Fa "const DSA *d"
-.Fc
-.Ft "const BIGNUM *"
-.Fo DSA_get0_priv_key
-.Fa "const DSA *d"
-.Fc
-.Ft int
-.Fo DSA_set0_key
-.Fa "DSA *d"
-.Fa "BIGNUM *pub_key"
-.Fa "BIGNUM *priv_key"
-.Fc
-.Ft void
-.Fo DSA_clear_flags
-.Fa "DSA *d"
-.Fa "int flags"
-.Fc
-.Ft int
-.Fo DSA_test_flags
-.Fa "const DSA *d"
-.Fa "int flags"
-.Fc
-.Ft void
-.Fo DSA_set_flags
-.Fa "DSA *d"
-.Fa "int flags"
-.Fc
-.Ft ENGINE *
-.Fo DSA_get0_engine
-.Fa "DSA *d"
-.Fc
-.Sh DESCRIPTION
-A
-.Vt DSA
-object contains the parameters
-.Fa p ,
-.Fa q ,
-and
-.Fa g .
-It also contains a public key
-.Fa pub_key
-and an optional private key
-.Fa priv_key .
-.Pp
-The
-.Fa p ,
-.Fa q ,
-and
-.Fa g
-parameters can be obtained by calling
-.Fn DSA_get0_pqg .
-If the parameters have not yet been set, then
-.Pf * Fa p ,
-.Pf * Fa q ,
-and
-.Pf * Fa g
-are set to
-.Dv NULL .
-Otherwise, they are set to pointers to the internal representations
-of the values that should not be freed by the application.
-.Pp
-The
-.Fa p ,
-.Fa q ,
-and
-.Fa g
-values can be set by calling
-.Fn DSA_set0_pqg .
-Calling this function transfers the memory management of the values to
-.Fa d ,
-and therefore they should not be freed by the caller.
-.Pp
-The
-.Fn DSA_get0_key
-function stores pointers to the internal representations
-of the public key in
-.Pf * Fa pub_key
-and to the private key in
-.Pf * Fa priv_key .
-Either may be
-.Dv NULL
-if it has not yet been set.
-If the private key has been set, then the public key must be.
-.Pp
-The public and private key values can be set using
-.Fn DSA_set0_key .
-The public key must be
-.Pf non- Dv NULL
-the first time this function is called on a given
-.Vt DSA
-object.
-The private key may be
-.Dv NULL .
-On subsequent calls, either may be
-.Dv NULL ,
-which means the corresponding
-.Vt DSA
-field is left untouched.
-.Fn DSA_set0_key
-transfers the memory management of the key values to
-.Fa d ,
-and therefore they should not be freed by the caller.
-.Pp
-Values retrieved with
-.Fn DSA_get0_pqg
-and
-.Fn DSA_get0_key
-are owned by the
-.Vt DSA
-object and may therefore not be passed to
-.Fn DSA_set0_pqg
-or
-.Fn DSA_set0_key .
-If needed, duplicate the received values using
-.Xr BN_dup 3
-and pass the duplicates.
-.Pp
-Any of the values
-.Fa p ,
-.Fa q ,
-.Fa g ,
-.Fa pub_key ,
-and
-.Fa priv_key
-can also be retrieved separately by the corresponding functions
-.Fn DSA_get0_p ,
-.Fn DSA_get0_q ,
-.Fn DSA_get0_g ,
-.Fn DSA_get0_pub_key ,
-and
-.Fn DSA_get0_priv_key ,
-respectively.
-The pointers are owned by the
-.Vt DSA
-object.
-.Pp
-.Fn DSA_clear_flags
-clears the specified
-.Fa flags
-in
-.Fa d .
-.Fn DSA_test_flags
-tests the
-.Fa flags
-in
-.Fa d .
-.Fn DSA_set_flags
-sets the
-.Fa flags
-in
-.Fa d ;
-any flags already set remain set.
-For all three functions, multiple flags can be passed in one call,
-OR'ed together bitwise.
-.Sh RETURN VALUES
-.Fn DSA_get0_p ,
-.Fn DSA_get0_q ,
-.Fn DSA_get0_g ,
-.Fn DSA_get0_pub_key ,
-and
-.Fn DSA_get0_priv_key
-return a pointer owned by the
-.Vt DSA
-object if the corresponding value has been set,
-otherwise they return
-.Dv NULL .
-.Fn DSA_set0_pqg
-and
-.Fn DSA_set0_key
-return 1 on success or 0 on failure.
-.Pp
-.Fn DSA_test_flags
-returns those of the given
-.Fa flags
-currently set in
-.Fa d
-or 0 if none of the given
-.Fa flags
-are set.
-.Pp
-.Fn DSA_get0_engine
-always returns
-.Dv NULL .
-.Sh SEE ALSO
-.Xr DSA_do_sign 3 ,
-.Xr DSA_dup_DH 3 ,
-.Xr DSA_generate_key 3 ,
-.Xr DSA_generate_parameters_ex 3 ,
-.Xr DSA_new 3 ,
-.Xr DSA_print 3 ,
-.Xr DSA_security_bits 3 ,
-.Xr DSA_sign 3 ,
-.Xr DSA_size 3
-.Sh HISTORY
-.Fn DSA_get0_pqg ,
-.Fn DSA_set0_pqg ,
-.Fn DSA_get0_key ,
-.Fn DSA_set0_key ,
-.Fn DSA_clear_flags ,
-.Fn DSA_test_flags ,
-.Fn DSA_set_flags ,
-and
-.Fn DSA_get0_engine
-first appeared in OpenSSL 1.1.0
-and have been available since
-.Ox 6.3 .
-.Pp
-.Fn DSA_get0_p ,
-.Fn DSA_get0_q ,
-.Fn DSA_get0_g ,
-.Fn DSA_get0_pub_key ,
-and
-.Fn DSA_get0_priv_key
-first appeared in OpenSSL 1.1.1
-and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/DSA_get_ex_new_index.3 b/src/lib/libcrypto/man/DSA_get_ex_new_index.3
deleted file mode 100644
index 8fe055f337..0000000000
--- a/src/lib/libcrypto/man/DSA_get_ex_new_index.3
+++ /dev/null
@@ -1,98 +0,0 @@
-.\"     $OpenBSD: DSA_get_ex_new_index.3,v 1.5 2018/03/22 16:06:33 schwarze Exp $
-.\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2009 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 22 2018 $
-.Dt DSA_GET_EX_NEW_INDEX 3
-.Os
-.Sh NAME
-.Nm DSA_get_ex_new_index ,
-.Nm DSA_set_ex_data ,
-.Nm DSA_get_ex_data
-.Nd add application specific data to DSA structures
-.Sh SYNOPSIS
-.In openssl/dsa.h
-.Ft int
-.Fo DSA_get_ex_new_index
-.Fa "long argl"
-.Fa "void *argp"
-.Fa "CRYPTO_EX_new *new_func"
-.Fa "CRYPTO_EX_dup *dup_func"
-.Fa "CRYPTO_EX_free *free_func"
-.Fc
-.Ft int
-.Fo DSA_set_ex_data
-.Fa "DSA *d"
-.Fa "int idx"
-.Fa "void *arg"
-.Fc
-.Ft char *
-.Fo DSA_get_ex_data
-.Fa "DSA *d"
-.Fa "int idx"
-.Fc
-.Sh DESCRIPTION
-These functions handle application specific data in
-.Vt DSA
-structures.
-Their usage is identical to that of
-.Xr RSA_get_ex_new_index 3 ,
-.Xr RSA_set_ex_data 3 ,
-and
-.Xr RSA_get_ex_data 3 .
-.Sh SEE ALSO
-.Xr DSA_new 3 ,
-.Xr RSA_get_ex_new_index 3
-.Sh HISTORY
-.Fn DSA_get_ex_new_index ,
-.Fn DSA_set_ex_data ,
-and
-.Fn DSA_get_ex_data
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/DSA_meth_new.3 b/src/lib/libcrypto/man/DSA_meth_new.3
deleted file mode 100644
index d89cd397b0..0000000000
--- a/src/lib/libcrypto/man/DSA_meth_new.3
+++ /dev/null
@@ -1,230 +0,0 @@
-.\" $OpenBSD: DSA_meth_new.3,v 1.3 2022/07/10 13:41:59 schwarze Exp $
-.\" selective merge up to: OpenSSL c4d3c19b Apr 3 13:57:12 2018 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 10 2022 $
-.Dt DSA_METH_NEW 3
-.Os
-.Sh NAME
-.Nm DSA_meth_new ,
-.Nm DSA_meth_free ,
-.Nm DSA_meth_dup ,
-.Nm DSA_meth_get0_name ,
-.Nm DSA_meth_set1_name ,
-.Nm DSA_meth_set_sign ,
-.Nm DSA_meth_set_finish
-.Nd build up DSA methods
-.Sh SYNOPSIS
-.In openssl/dsa.h
-.Ft DSA_METHOD *
-.Fo DSA_meth_new
-.Fa "const char *name"
-.Fa "int flags"
-.Fc
-.Ft void
-.Fo DSA_meth_free
-.Fa "DSA_METHOD *meth"
-.Fc
-.Ft DSA_METHOD *
-.Fo DSA_meth_dup
-.Fa "const DSA_METHOD *meth"
-.Fc
-.Ft const char *
-.Fo DSA_meth_get0_name
-.Fa "const DSA_METHOD *meth"
-.Fc
-.Ft int
-.Fo DSA_meth_set1_name
-.Fa "DSA_METHOD *meth"
-.Fa "const char *name"
-.Fc
-.Ft int
-.Fo DSA_meth_set_sign
-.Fa "DSA_METHOD *meth"
-.Fa "DSA_SIG *(*sign)(const unsigned char *, int, DSA *)"
-.Fc
-.Ft int
-.Fo DSA_meth_set_finish
-.Fa "DSA_METHOD *meth"
-.Fa "int (*finish)(DSA *)"
-.Fc
-.Sh DESCRIPTION
-The
-.Vt DSA_METHOD
-structure holds function pointers for custom DSA implementations.
-.Pp
-.Fn DSA_meth_new
-creates a new
-.Vt DSA_METHOD
-structure.
-A copy of the NUL-terminated
-.Fa name
-is stored in the new
-.Vt DSA_METHOD
-object.
-Any new
-.Vt DSA
-object constructed from this
-.Vt DSA_METHOD
-will have the given
-.Fa flags
-set by default.
-.Pp
-.Fn DSA_meth_dup
-creates a deep copy of
-.Fa meth .
-This might be useful for creating a new
-.Vt DSA_METHOD
-based on an existing one, but with some differences.
-.Pp
-.Fn DSA_meth_free
-destroys
-.Fa meth
-and frees any memory associated with it.
-.Pp
-.Fn DSA_meth_get0_name
-returns an internal pointer to the name of
-.Fa meth .
-.Fn DSA_meth_set1_name
-stores a copy of the NUL-terminated
-.Fa name
-in
-.Fa meth
-after freeing the previously stored name.
-Method names are ignored by the default DSA implementation but can be
-used by alternative implementations and by the application program.
-.Pp
-.Fn DSA_meth_set_sign
-sets the function used for creating a DSA signature.
-This function will be called from
-.Xr DSA_do_sign 3
-and indirectly from
-.Xr DSA_sign 3 .
-The parameters of
-.Fa sign
-have the same meaning as for
-.Xr DSA_do_sign 3 .
-.Pp
-.Fn DSA_meth_set_finish
-sets an optional function for destroying a
-.Vt DSA
-object.
-Unless
-.Fa finish
-is
-.Dv NULL ,
-it will be called from
-.Xr DSA_free 3 .
-It takes the same argument
-and is intended to do DSA implementation specific cleanup.
-The memory used by the
-.Vt DSA
-object itself should not be freed by the
-.Fa finish
-function.
-.Sh RETURN VALUES
-.Fn DSA_meth_new
-and
-.Fn DSA_meth_dup
-return the newly allocated
-.Vt DSA_METHOD
-object or
-.Dv NULL
-on failure.
-.Pp
-.Fn DSA_meth_get0_name
-returns an internal pointer which must not be freed by the caller.
-.Pp
-.Fn DSA_meth_set1_name
-and all
-.Fn DSA_meth_set_*
-functions return 1 on success or 0 on failure.
-In the current implementation, only
-.Fn DSA_meth_set1_name
-can actually fail.
-.Sh SEE ALSO
-.Xr DSA_do_sign 3 ,
-.Xr DSA_new 3 ,
-.Xr DSA_set_method 3 ,
-.Xr DSA_SIG_new 3 ,
-.Xr DSA_sign 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.1.0.
-.Pp
-.Fn DSA_meth_new ,
-.Fn DSA_meth_free ,
-.Fn DSA_meth_dup ,
-.Fn DSA_meth_set_sign ,
-and
-.Fn DSA_meth_set_finish
-have been available since
-.Ox 6.3 .
-.Pp
-.Fn DSA_meth_get0_name
-and
-.Fn DSA_meth_set1_name
-have been available since
-.Ox 7.2 .
diff --git a/src/lib/libcrypto/man/DSA_new.3 b/src/lib/libcrypto/man/DSA_new.3
deleted file mode 100644
index 5a958b58c4..0000000000
--- a/src/lib/libcrypto/man/DSA_new.3
+++ /dev/null
@@ -1,141 +0,0 @@
-.\"     $OpenBSD: DSA_new.3,v 1.14 2023/12/29 19:12:47 tb Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2002 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 29 2023 $
-.Dt DSA_NEW 3
-.Os
-.Sh NAME
-.Nm DSA_new ,
-.Nm DSA_up_ref ,
-.Nm DSA_free
-.Nd allocate and free DSA objects
-.Sh SYNOPSIS
-.In openssl/dsa.h
-.Ft DSA*
-.Fn DSA_new void
-.Ft int
-.Fo DSA_up_ref
-.Fa "DSA *dsa"
-.Fc
-.Ft void
-.Fo DSA_free
-.Fa "DSA *dsa"
-.Fc
-.Sh DESCRIPTION
-The DSA functions implement the Digital Signature Algorithm.
-.Pp
-.Fn DSA_new
-allocates and initializes a
-.Vt DSA
-structure, setting the reference count to 1.
-It is equivalent to calling
-.Xr DSA_new_method 3
-with a
-.Dv NULL
-argument.
-.Pp
-.Fn DSA_up_ref
-increments the reference count by 1.
-.Pp
-.Fn DSA_free
-decrements the reference count by 1.
-If it reaches 0, it frees the
-.Vt DSA
-structure and its components.
-The values are erased before the memory is returned to the system.
-If
-.Fa dsa
-is a
-.Dv NULL
-pointer, no action occurs.
-.Sh RETURN VALUES
-If the allocation fails,
-.Fn DSA_new
-returns
-.Dv NULL
-and sets an error code that can be obtained by
-.Xr ERR_get_error 3 .
-Otherwise it returns a pointer to the newly allocated structure.
-.Pp
-.Fn DSA_up_ref
-returns 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr BN_new 3 ,
-.Xr crypto 3 ,
-.Xr d2i_DSAPublicKey 3 ,
-.Xr DH_new 3 ,
-.Xr DSA_do_sign 3 ,
-.Xr DSA_dup_DH 3 ,
-.Xr DSA_generate_key 3 ,
-.Xr DSA_generate_parameters_ex 3 ,
-.Xr DSA_get0_pqg 3 ,
-.Xr DSA_get_ex_new_index 3 ,
-.Xr DSA_meth_new 3 ,
-.Xr DSA_print 3 ,
-.Xr DSA_security_bits 3 ,
-.Xr DSA_set_method 3 ,
-.Xr DSA_SIG_new 3 ,
-.Xr DSA_sign 3 ,
-.Xr DSA_size 3 ,
-.Xr EVP_PKEY_set1_DSA 3 ,
-.Xr RSA_new 3
-.Sh STANDARDS
-US Federal Information Processing Standard FIPS 186 (Digital Signature
-Standard, DSS), ANSI X9.30
-.Sh HISTORY
-.Fn DSA_new
-and
-.Fn DSA_free
-first appeared in SSLeay 0.6.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn DSA_up_ref
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/DSA_set_method.3 b/src/lib/libcrypto/man/DSA_set_method.3
deleted file mode 100644
index c60a3e29c3..0000000000
--- a/src/lib/libcrypto/man/DSA_set_method.3
+++ /dev/null
@@ -1,178 +0,0 @@
-.\"     $OpenBSD: DSA_set_method.3,v 1.12 2024/05/11 06:53:19 tb Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2007 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 11 2024 $
-.Dt DSA_SET_METHOD 3
-.Os
-.Sh NAME
-.Nm DSA_set_default_method ,
-.Nm DSA_get_default_method ,
-.Nm DSA_set_method ,
-.Nm DSA_new_method ,
-.Nm DSA_OpenSSL
-.Nd select DSA method
-.Sh SYNOPSIS
-.In openssl/dsa.h
-.Ft void
-.Fo DSA_set_default_method
-.Fa "const DSA_METHOD *meth"
-.Fc
-.Ft const DSA_METHOD *
-.Fn DSA_get_default_method void
-.Ft int
-.Fo DSA_set_method
-.Fa "DSA *dsa"
-.Fa "const DSA_METHOD *meth"
-.Fc
-.Ft DSA *
-.Fo DSA_new_method
-.Fa "ENGINE *engine"
-.Fc
-.Ft DSA_METHOD *
-.Fn DSA_OpenSSL void
-.Sh DESCRIPTION
-A
-.Vt DSA_METHOD
-object contains pointers to the functions used for DSA operations.
-By default, the internal implementation returned by
-.Fn DSA_OpenSSL
-is used.
-By selecting another method, alternative implementations
-such as hardware accelerators may be used.
-.Pp
-.Fn DSA_set_default_method
-selects
-.Fa meth
-as the default method for all
-.Vt DSA
-structures created later.
-.Pp
-.Fn DSA_get_default_method
-returns a pointer to the current default method.
-.Pp
-.Fn DSA_set_method
-selects
-.Fa meth
-to perform all operations using the key
-.Fa dsa .
-This replaces the
-.Vt DSA_METHOD
-used by the DSA key.
-It is possible to have DSA keys that only work with certain
-.Vt DSA_METHOD
-implementations,
-and in such cases attempting to change the
-.Vt DSA_METHOD
-for the key can have unexpected results.
-.Pp
-.Fn DSA_new_method
-allocates and initializes a
-.Vt DSA
-structure.
-The
-.Fa engine
-argument is ignored and
-the default method controlled by
-.Fn DSA_set_default_method
-is used.
-.Pp
-The
-.Vt DSA_METHOD
-structure is defined as follows:
-.Bd -literal
-struct {
-        /* name of the implementation */
-        const char *name;
-        /* sign */
-        DSA_SIG *(*dsa_do_sign)(const unsigned char *dgst, int dlen,
-            DSA *dsa);
-        /* pre-compute k^-1 and r */
-        int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-            BIGNUM **rp);
-        /* verify */
-        int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len,
-            DSA_SIG *sig, DSA *dsa);
-        /* called at DSA_new */
-        int (*init)(DSA *DSA);
-        /* called at DSA_free */
-        int (*finish)(DSA *DSA);
-        int flags;
-} DSA_METHOD;
-.Ed
-.Sh RETURN VALUES
-.Fn DSA_OpenSSL
-and
-.Fn DSA_get_default_method
-return pointers to the respective
-.Vt DSA_METHOD .
-.Pp
-.Fn DSA_set_method
-returns 1 on success or 0 on failure.
-Currently, it cannot fail.
-.Pp
-.Fn DSA_new_method
-returns
-.Dv NULL
-and sets an error code that can be obtained by
-.Xr ERR_get_error 3
-if the allocation fails.
-Otherwise it returns a pointer to the newly allocated structure.
-.Sh SEE ALSO
-.Xr DSA_meth_new 3 ,
-.Xr DSA_new 3
-.Sh HISTORY
-.Fn DSA_set_default_method ,
-.Fn DSA_get_default_method ,
-.Fn DSA_set_method ,
-.Fn DSA_new_method ,
-and
-.Fn DSA_OpenSSL
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/DSA_sign.3 b/src/lib/libcrypto/man/DSA_sign.3
deleted file mode 100644
index 59f9042ba6..0000000000
--- a/src/lib/libcrypto/man/DSA_sign.3
+++ /dev/null
@@ -1,173 +0,0 @@
-.\"     $OpenBSD: DSA_sign.3,v 1.10 2019/06/10 14:58:48 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 10 2019 $
-.Dt DSA_SIGN 3
-.Os
-.Sh NAME
-.Nm DSA_sign ,
-.Nm DSA_sign_setup ,
-.Nm DSA_verify
-.Nd DSA signatures
-.Sh SYNOPSIS
-.In openssl/dsa.h
-.Ft int
-.Fo DSA_sign
-.Fa "int type"
-.Fa "const unsigned char *dgst"
-.Fa "int len"
-.Fa "unsigned char *sigret"
-.Fa "unsigned int *siglen"
-.Fa "DSA *dsa"
-.Fc
-.Ft int
-.Fo DSA_sign_setup
-.Fa "DSA *dsa"
-.Fa "BN_CTX *ctx"
-.Fa "BIGNUM **kinvp"
-.Fa "BIGNUM **rp"
-.Fc
-.Ft int
-.Fo DSA_verify
-.Fa "int type"
-.Fa "const unsigned char *dgst"
-.Fa "int len"
-.Fa "unsigned char *sigbuf"
-.Fa "int siglen"
-.Fa "DSA *dsa"
-.Fc
-.Sh DESCRIPTION
-.Fn DSA_sign
-computes a digital signature on the
-.Fa len
-byte message digest
-.Fa dgst
-using the private key
-.Fa dsa
-and places its ASN.1 DER encoding at
-.Fa sigret .
-The length of the signature is placed in
-.Pf * Fa siglen .
-.Fa sigret
-must point to
-.Fn DSA_size dsa
-bytes of memory.
-.Pp
-.Fn DSA_sign_setup
-may be used to precompute part of the signing operation in case
-signature generation is time-critical.
-It expects
-.Fa dsa
-to contain DSA parameters.
-It places the precomputed values in newly allocated
-.Vt BIGNUM Ns s
-at
-.Pf * Fa kinvp
-and
-.Pf * Fa rp ,
-after freeing the old ones unless
-.Fa kinvp
-and
-.Fa rp
-are
-.Dv NULL .
-These values may be passed to
-.Fn DSA_sign
-in
-.Fa dsa->kinv
-and
-.Sy dsa->r .
-.Fa ctx
-is a pre-allocated
-.Vt BN_CTX
-or
-.Dv NULL .
-.Pp
-.Fn DSA_verify
-verifies that the signature
-.Fa sigbuf
-of size
-.Fa siglen
-matches a given message digest
-.Fa dgst
-of size
-.Fa len .
-.Fa dsa
-is the signer's public key.
-.Pp
-The
-.Fa type
-parameter is ignored.
-.Sh RETURN VALUES
-.Fn DSA_sign
-and
-.Fn DSA_sign_setup
-return 1 on success or 0 on error.
-.Fn DSA_verify
-returns 1 for a valid signature, 0 for an incorrect signature,
-and -1 on error.
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr DSA_do_sign 3 ,
-.Xr DSA_get0_key 3 ,
-.Xr DSA_new 3
-.Sh STANDARDS
-US Federal Information Processing Standard FIPS 186 (Digital Signature
-Standard, DSS), ANSI X9.30
-.Sh HISTORY
-.Fn DSA_sign
-and
-.Fn DSA_verify
-first appeared in SSLeay 0.6.0.
-.Fn DSA_sign_setup
-first appeared in SSLeay 0.8.0.
-All these functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/DSA_size.3 b/src/lib/libcrypto/man/DSA_size.3
deleted file mode 100644
index 4786acc7e9..0000000000
--- a/src/lib/libcrypto/man/DSA_size.3
+++ /dev/null
@@ -1,122 +0,0 @@
-.\" $OpenBSD: DSA_size.3,v 1.8 2022/07/13 21:44:23 schwarze Exp $
-.\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ulf Moeller <ulf@openssl.org>
-.\" and Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 13 2022 $
-.Dt DSA_SIZE 3
-.Os
-.Sh NAME
-.Nm DSA_size ,
-.Nm DSA_bits
-.Nd get DSA signature or key size
-.Sh SYNOPSIS
-.In openssl/dsa.h
-.Ft int
-.Fo DSA_size
-.Fa "const DSA *dsa"
-.Fc
-.Ft int
-.Fo DSA_bits
-.Fa "const DSA *dsa"
-.Fc
-.Sh DESCRIPTION
-.Fn DSA_size
-returns the maximum size of an ASN.1 encoded DSA signature for the key
-.Fa dsa
-in bytes.
-It can be used to determine how much memory must be allocated for a DSA
-signature.
-.Pp
-.Fa dsa->q
-must not be
-.Dv NULL .
-.Pp
-.Fn DSA_bits
-returns the number of significant bits in the public domain parameter
-.Fa p
-contained in
-.Fa dsa .
-This is also the number of bits in the public key.
-.Sh RETURN VALUES
-.Fn DSA_size
-returns the size of the signature in bytes.
-.Pp
-.Fn DSA_bits
-returns the size of the public key in bits.
-.Sh SEE ALSO
-.Xr DSA_get0_pqg 3 ,
-.Xr DSA_new 3 ,
-.Xr DSA_security_bits 3 ,
-.Xr DSA_sign 3
-.Sh HISTORY
-.Fn DSA_size
-first appeared in SSLeay 0.6.0 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn DSA_bits
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/ECDH_compute_key.3 b/src/lib/libcrypto/man/ECDH_compute_key.3
deleted file mode 100644
index c49988e141..0000000000
--- a/src/lib/libcrypto/man/ECDH_compute_key.3
+++ /dev/null
@@ -1,88 +0,0 @@
-.\" $OpenBSD: ECDH_compute_key.3,v 1.3 2023/08/29 10:07:42 tb Exp $
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: August 29 2023 $
-.Dt ECDH_COMPUTE_KEY 3
-.Os
-.Sh NAME
-.Nm ECDH_compute_key ,
-.Nm ECDH_size
-.Nd Elliptic Curve Diffie-Hellman key exchange
-.Sh SYNOPSIS
-.In openssl/ec.h
-.Ft int
-.Fo ECDH_compute_key
-.Fa "void *out"
-.Fa "size_t outlen"
-.Fa "const EC_POINT *public_key"
-.Fa "EC_KEY *ecdh"
-.Fa "void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen)"
-.Fc
-.Ft int
-.Fo ECDH_size
-.Fa "const EC_KEY *ecdh"
-.Fc
-.Sh DESCRIPTION
-.Fn ECDH_compute_key
-performs Elliptic Curve Diffie-Hellman key agreement.
-It combines the private key contained in
-.Fa ecdh
-with the other party's
-.Fa public_key ,
-takes the
-.Fa x
-component of the affine coordinates,
-and optionally applies the key derivation function
-.Fa KDF .
-It stores the resulting symmetric key in the buffer
-.Fa out ,
-which is
-.Fa outlen
-bytes long.
-If
-.Fa KDF
-is
-.Dv NULL ,
-.Fa outlen
-must be at least
-.Fn ECDH_size ecdh .
-.Pp
-.Fn ECDH_size
-returns the number of bytes needed to store an affine coordinate of a
-point on the elliptic curve used by
-.Fa ecdh ,
-which is one eighth of the degree of the finite field underlying
-that elliptic curve, rounded up to the next integer number.
-.Sh RETURN VALUES
-.Fn ECDH_compute_key
-returns the length of the computed key in bytes or -1 if an error occurs.
-.Pp
-.Fn ECDH_size
-returns the number of bytes needed to store an affine coordinate.
-.Sh SEE ALSO
-.Xr DH_generate_key 3 ,
-.Xr DH_size 3 ,
-.Xr EC_GROUP_new 3 ,
-.Xr EC_KEY_new 3 ,
-.Xr EC_POINT_new 3 ,
-.Xr X25519 3
-.Sh HISTORY
-.Fn ECDH_compute_key
-first appeared in OpenSSL 0.9.8 and has been available since
-.Ox 4.5 .
-.Pp
-.Fn ECDH_size
-first appeared in
-.Ox 6.1 .
diff --git a/src/lib/libcrypto/man/ECDSA_SIG_new.3 b/src/lib/libcrypto/man/ECDSA_SIG_new.3
deleted file mode 100644
index 2b72e6f1b9..0000000000
--- a/src/lib/libcrypto/man/ECDSA_SIG_new.3
+++ /dev/null
@@ -1,452 +0,0 @@
-.\" $OpenBSD: ECDSA_SIG_new.3,v 1.21 2024/11/15 20:14:58 tb Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\" selective merge up to: OpenSSL da4ea0cf Aug 5 16:13:24 2019 +0100
-.\"
-.\" This file was written by Nils Larsch <nils@openssl.org>.
-.\" Copyright (c) 2004, 2005, 2013, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 15 2024 $
-.Dt ECDSA_SIG_NEW 3
-.Os
-.Sh NAME
-.Nm ECDSA_SIG_new ,
-.Nm ECDSA_SIG_free ,
-.Nm ECDSA_SIG_get0 ,
-.Nm ECDSA_SIG_get0_r ,
-.Nm ECDSA_SIG_get0_s ,
-.Nm ECDSA_SIG_set0 ,
-.Nm i2d_ECDSA_SIG ,
-.Nm d2i_ECDSA_SIG ,
-.Nm ECDSA_size ,
-.Nm ECDSA_sign ,
-.Nm ECDSA_verify ,
-.Nm ECDSA_do_sign ,
-.Nm ECDSA_do_verify
-.Nd Elliptic Curve Digital Signature Algorithm
-.Sh SYNOPSIS
-.In openssl/ec.h
-.Ft ECDSA_SIG*
-.Fo ECDSA_SIG_new
-.Fa void
-.Fc
-.Ft void
-.Fo ECDSA_SIG_free
-.Fa "ECDSA_SIG *sig"
-.Fc
-.Ft void
-.Fo ECDSA_SIG_get0
-.Fa "const ECDSA_SIG *sig"
-.Fa "const BIGNUM **r"
-.Fa "const BIGNUM **s"
-.Fc
-.Ft "const BIGNUM *"
-.Fo ECDSA_SIG_get0_r
-.Fa "const ECDSA_SIG *sig"
-.Fc
-.Ft "const BIGNUM *"
-.Fo ECDSA_SIG_get0_s
-.Fa "const ECDSA_SIG *sig"
-.Fc
-.Ft int
-.Fo ECDSA_SIG_set0
-.Fa "ECDSA_SIG *sig"
-.Fa "BIGNUM *r"
-.Fa "BIGNUM *s"
-.Fc
-.Ft int
-.Fo i2d_ECDSA_SIG
-.Fa "const ECDSA_SIG *sig_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ECDSA_SIG*
-.Fo d2i_ECDSA_SIG
-.Fa "ECDSA_SIG **sig_out"
-.Fa "const unsigned char **der_in"
-.Fa "long len"
-.Fc
-.Ft int
-.Fo ECDSA_size
-.Fa "const EC_KEY *eckey"
-.Fc
-.Ft int
-.Fo ECDSA_sign
-.Fa "int type"
-.Fa "const unsigned char *dgst"
-.Fa "int dgstlen"
-.Fa "unsigned char *sig"
-.Fa "unsigned int *siglen"
-.Fa "EC_KEY *eckey"
-.Fc
-.Ft int
-.Fo ECDSA_verify
-.Fa "int type"
-.Fa "const unsigned char *dgst"
-.Fa "int dgstlen"
-.Fa "const unsigned char *sig"
-.Fa "int siglen"
-.Fa "EC_KEY *eckey"
-.Fc
-.Ft ECDSA_SIG*
-.Fo ECDSA_do_sign
-.Fa "const unsigned char *dgst"
-.Fa "int dgst_len"
-.Fa "EC_KEY *eckey"
-.Fc
-.Ft int
-.Fo ECDSA_do_verify
-.Fa "const unsigned char *dgst"
-.Fa "int dgst_len"
-.Fa "const ECDSA_SIG *sig"
-.Fa "EC_KEY* eckey"
-.Fc
-.Sh DESCRIPTION
-These functions provide a low level interface to ECDSA.
-Most applications should use the higher level EVP interface such as
-.Xr EVP_DigestSignInit 3
-or
-.Xr EVP_DigestVerifyInit 3
-instead.
-Creation of the required
-.Vt EC_KEY
-objects is described in
-.Xr EC_KEY_new 3 .
-.Pp
-The
-.Vt ECDSA_SIG
-structure consists of two
-.Vt BIGNUM Ns s
-for the
-.Fa r
-and
-.Fa s
-value of an ECDSA signature (see X9.62 or FIPS 186-2).
-.Bd -literal -offset indent
-struct {
-        BIGNUM *r;
-        BIGNUM *s;
-} ECDSA_SIG;
-.Ed
-.Pp
-.Fn ECDSA_SIG_new
-allocates a new
-.Vt ECDSA_SIG
-structure (note: this function also allocates the
-.Vt BIGNUM Ns s )
-and initializes it.
-.Pp
-.Fn ECDSA_SIG_free
-frees the
-.Vt ECDSA_SIG
-structure
-.Fa sig .
-.Pp
-.Fn ECDSA_SIG_get0
-retrieves internal pointers the
-.Fa r
-and
-.Fa s
-values contained in
-.Fa sig .
-The values
-.Fa r
-and
-.Fa s
-can also be retrieved separately by the corresponding function
-.Fn ECDSA_SIG_get0_r
-and
-.Fn ECDSA_SIG_get0_s ,
-respectively.
-.Pp
-.Fn ECDSA_SIG_set0
-sets the
-.Fa r
-and
-.Fa s
-values in
-.Fa sig .
-Calling this function transfers the memory management of the values to
-.Fa sig .
-Therefore, the values that have been passed in
-should not be freed by the caller.
-.Pp
-.Fn i2d_ECDSA_SIG
-creates the DER encoding of the ECDSA signature
-.Fa sig_in
-and writes the encoded signature to
-.Pf * Fa der_out .
-.Fn d2i_ECDSA_SIG
-decodes the DER-encoded signature stored in the buffer
-.Pf * Fa der_in
-which is
-.Fa len
-bytes long into
-.Pf * Fa sig_out .
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn ECDSA_size
-returns the maximum length of a DER-encoded ECDSA signature created with
-the private EC key
-.Fa eckey .
-.Pp
-.Fn ECDSA_sign
-computes a digital signature of the
-.Fa dgstlen
-bytes hash value
-.Fa dgst
-using the private EC key
-.Fa eckey .
-The DER-encoded signature is stored in
-.Fa sig
-and its length is returned in
-.Fa siglen .
-Note:
-.Fa sig
-must point to
-.Fn ECDSA_size
-bytes of memory.
-The parameter
-.Fa type
-is ignored.
-.Pp
-.Fn ECDSA_verify
-verifies that the signature in
-.Fa sig
-of size
-.Fa siglen
-is a valid ECDSA signature of the hash value
-.Fa dgst
-of size
-.Fa dgstlen
-using the public key
-.Fa eckey .
-The parameter
-.Fa type
-is ignored.
-.Pp
-.Fn ECDSA_do_sign
-computes a digital signature of the
-.Fa dgst_len
-bytes hash value
-.Fa dgst
-using the private key
-.Fa eckey .
-The signature is returned in a newly allocated
-.Vt ECDSA_SIG
-structure (or
-.Dv NULL
-on error).
-.Pp
-.Fn ECDSA_do_verify
-verifies that the signature
-.Fa sig
-is a valid ECDSA signature of the hash value
-.Fa dgst
-of size
-.Fa dgst_len
-using the public key
-.Fa eckey .
-.Sh RETURN VALUES
-.Fn ECDSA_SIG_new
-returns the new
-.Vt ECDSA_SIG
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_ECDSA_SIG
-returns the number of bytes successfully encoded
-or a negative value if an error occurs.
-.Pp
-.Fn d2i_ECDSA_SIG
-returns a pointer to the decoded
-.Vt ECDSA_SIG
-structure or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn ECDSA_size
-returns the maximum length signature or 0 on error.
-.Pp
-.Fn ECDSA_SIG_get0_r
-and
-.Fn ECDSA_SIG_get0_s
-return a pointer owned by the
-.Vt ECDSA_SIG
-object if it has been set or
-.Dv NULL
-otherwise.
-.Pp
-.Fn ECDSA_SIG_set0
-and
-.Fn ECDSA_sign
-return 1 if successful or 0 on error.
-.Pp
-.Fn ECDSA_do_sign
-returns a pointer to an allocated
-.Vt ECDSA_SIG
-structure or
-.Dv NULL
-on error.
-.Pp
-.Fn ECDSA_verify
-and
-.Fn ECDSA_do_verify
-return 1 for a valid signature, 0 for an invalid signature and -1 on
-error.
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh EXAMPLES
-Creating an ECDSA signature of given SHA-384 hash value using the named
-curve secp384r1.
-.Pp
-First step: create an
-.Vt EC_KEY
-object.
-This part is
-.Em not
-ECDSA specific.
-.Bd -literal -offset indent
-int ret;
-ECDSA_SIG *sig;
-EC_KEY *eckey;
-
-eckey = EC_KEY_new_by_curve_name(NID_secp384r1);
-if (eckey == NULL) {
-        /* error */
-}
-if (!EC_KEY_generate_key(eckey)) {
-        /* error */
-}
-.Ed
-.Pp
-Second step: compute the ECDSA signature of a SHA-384 hash value using
-.Fn ECDSA_do_sign
-.Bd -literal -offset indent
-sig = ECDSA_do_sign(digest, SHA384_DIGEST_LENGTH, eckey);
-if (sig == NULL) {
-        /* error */
-}
-.Ed
-.Pp
-or using
-.Fn ECDSA_sign
-.Bd -literal -offset indent
-unsigned char *buffer, *pp;
-int buf_len;
-
-buf_len = ECDSA_size(eckey);
-buffer  = malloc(buf_len);
-pp = buffer;
-if (!ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) {
-        /* error */
-}
-.Ed
-.Pp
-Third step: verify the created ECDSA signature using
-.Fn ECDSA_do_verify
-.Pp
-.Dl ret = ECDSA_do_verify(digest, SHA384_DIGEST_LENGTH, sig, eckey);
-.Pp
-or using
-.Fn ECDSA_verify
-.Pp
-.Dl ret = ECDSA_verify(0, digest, SHA384_DIGEST_LENGTH, buffer, buf_len, eckey);
-.Pp
-and finally evaluate the return value:
-.Bd -literal -offset indent
-if (ret == -1) {
-        /* error */
-} else if (ret == 0) {
-        /* incorrect signature */
-} else {
-        /* ret == 1 */
-        /* signature ok */
-}
-.Ed
-.Sh SEE ALSO
-.Xr crypto 3 ,
-.Xr d2i_ECPKParameters 3 ,
-.Xr DSA_new 3 ,
-.Xr EC_GROUP_new 3 ,
-.Xr EC_KEY_METHOD_new 3 ,
-.Xr EC_KEY_new 3 ,
-.Xr EC_KEY_set_ex_data 3 ,
-.Xr EVP_DigestSignInit 3 ,
-.Xr EVP_DigestVerifyInit 3 ,
-.Xr RSA_new 3
-.Sh STANDARDS
-ANSI X9.62, US Federal Information Processing Standard FIPS 186-5
-(Digital Signature Standard, DSS)
-.Sh HISTORY
-.Fn ECDSA_SIG_new ,
-.Fn ECDSA_SIG_free ,
-.Fn i2d_ECDSA_SIG ,
-.Fn d2i_ECDSA_SIG ,
-.Fn ECDSA_size ,
-.Fn ECDSA_sign ,
-.Fn ECDSA_verify ,
-.Fn ECDSA_do_sign ,
-and
-.Fn ECDSA_do_verify
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
-.Fn ECDSA_SIG_get0
-and
-.Fn ECDSA_SIG_set0
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.3 .
-.Fn ECDSA_SIG_get0_r
-and
-.Fn ECDSA_SIG_get0_s
-first appeared in OpenSSL 1.1.1 and have been available since
-.Ox 7.1 .
-.Sh AUTHORS
-.An Nils Larsch
-for the OpenSSL project.
diff --git a/src/lib/libcrypto/man/EC_GROUP_copy.3 b/src/lib/libcrypto/man/EC_GROUP_copy.3
deleted file mode 100644
index 2e5e798236..0000000000
--- a/src/lib/libcrypto/man/EC_GROUP_copy.3
+++ /dev/null
@@ -1,492 +0,0 @@
-.\" $OpenBSD: EC_GROUP_copy.3,v 1.16 2025/03/08 16:40:59 tb Exp $
-.\" full merge up to: OpenSSL d900a015 Oct 8 14:40:42 2015 +0200
-.\" selective merge up to: OpenSSL 24c23e1f Aug 22 10:51:25 2019 +0530
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>,
-.\" Dr. Stephen Henson <steve@openssl.org>,
-.\" and Jayaram X Matta <jayaramx.matta@intel.com>.
-.\" Copyright (c) 2013, 2015, 2019 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 8 2025 $
-.Dt EC_GROUP_COPY 3
-.Os
-.Sh NAME
-.Nm EC_GROUP_copy ,
-.Nm EC_GROUP_dup ,
-.Nm EC_GROUP_set_generator ,
-.Nm EC_GROUP_get0_generator ,
-.Nm EC_GROUP_get_order ,
-.Nm EC_GROUP_order_bits ,
-.Nm EC_GROUP_get_cofactor ,
-.Nm EC_GROUP_set_curve_name ,
-.Nm EC_GROUP_get_curve_name ,
-.Nm EC_GROUP_set_asn1_flag ,
-.Nm EC_GROUP_get_asn1_flag ,
-.Nm EC_GROUP_set_point_conversion_form ,
-.Nm EC_GROUP_get_point_conversion_form ,
-.Nm EC_GROUP_get0_seed ,
-.Nm EC_GROUP_get_seed_len ,
-.Nm EC_GROUP_set_seed ,
-.Nm EC_GROUP_get_degree ,
-.Nm EC_GROUP_check ,
-.Nm EC_GROUP_check_discriminant ,
-.Nm EC_GROUP_cmp ,
-.Nm EC_GROUP_get_basis_type
-.Nd manipulate EC_GROUP objects
-.Sh SYNOPSIS
-.In openssl/ec.h
-.In openssl/bn.h
-.Ft int
-.Fo EC_GROUP_copy
-.Fa "EC_GROUP *dst"
-.Fa "const EC_GROUP *src"
-.Fc
-.Ft EC_GROUP *
-.Fo EC_GROUP_dup
-.Fa "const EC_GROUP *src"
-.Fc
-.Ft int
-.Fo EC_GROUP_set_generator
-.Fa "EC_GROUP *group"
-.Fa "const EC_POINT *generator"
-.Fa "const BIGNUM *order"
-.Fa "const BIGNUM *cofactor"
-.Fc
-.Ft const EC_POINT *
-.Fo EC_GROUP_get0_generator
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_order
-.Fa "const EC_GROUP *group"
-.Fa "BIGNUM *order"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_order_bits
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_cofactor
-.Fa "const EC_GROUP *group"
-.Fa "BIGNUM *cofactor"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft void
-.Fo EC_GROUP_set_curve_name
-.Fa "EC_GROUP *group"
-.Fa "int nid"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_curve_name
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft void
-.Fo EC_GROUP_set_asn1_flag
-.Fa "EC_GROUP *group"
-.Fa "int flag"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_asn1_flag
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft void
-.Fo EC_GROUP_set_point_conversion_form
-.Fa "EC_GROUP *group"
-.Fa "point_conversion_form_t form"
-.Fc
-.Ft point_conversion_form_t
-.Fo EC_GROUP_get_point_conversion_form
-.Fa "const EC_GROUP *"
-.Fc
-.Ft unsigned char *
-.Fo EC_GROUP_get0_seed
-.Fa "const EC_GROUP *x"
-.Fc
-.Ft size_t
-.Fo EC_GROUP_get_seed_len
-.Fa "const EC_GROUP *"
-.Fc
-.Ft size_t
-.Fo EC_GROUP_set_seed
-.Fa "EC_GROUP *"
-.Fa "const unsigned char *"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_degree
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft int
-.Fo EC_GROUP_check
-.Fa "const EC_GROUP *group"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_check_discriminant
-.Fa "const EC_GROUP *group"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_cmp
-.Fa "const EC_GROUP *a"
-.Fa "const EC_GROUP *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_basis_type
-.Fa "const EC_GROUP *"
-.Fc
-.Sh DESCRIPTION
-These functions operate on
-.Vt EC_GROUP
-objects created by the functions described in
-.Xr EC_GROUP_new 3 .
-.Pp
-.Fn EC_GROUP_copy
-copies the curve
-.Fa src
-into
-.Fa dst .
-Both
-.Fa src
-and
-.Fa dst
-must use the same
-.Vt EC_METHOD .
-.Pp
-.Fn EC_GROUP_dup
-creates a new
-.Vt EC_GROUP
-object and copies the content from
-.Fa src
-to the newly created
-.Vt EC_GROUP
-object.
-.Pp
-.Fn EC_GROUP_set_generator
-sets curve parameters that must be agreed by all participants using
-the curve.
-These parameters include the
-.Fa generator ,
-the
-.Fa order
-and the
-.Fa cofactor .
-The
-.Fa generator
-is a well defined point on the curve chosen for cryptographic
-operations.
-Integers used for point multiplications will be between 0 and
-.Fa order No - 1 .
-The
-.Fa order
-multiplied by the
-.Fa cofactor
-gives the number of points on the curve.
-.Pp
-.Fn EC_GROUP_get0_generator
-returns the generator for the identified
-.Fa group .
-.Pp
-.Fn EC_GROUP_get_order
-retrieves the order of the
-.Fa group
-and copies its value into
-.Fa order .
-It fails if the order of the
-.Fa group
-is not set or set to zero.
-.Pp
-.Fn EC_GROUP_get_cofactor
-retrieves the cofactor of the
-.Fa group
-and copies its value into
-.Fa cofactor .
-It fails if the cofactor of the
-.Fa group
-is not set or set to zero.
-.Pp
-The functions
-.Fn EC_GROUP_set_curve_name
-and
-.Fn EC_GROUP_get_curve_name
-set and get the NID for the curve, respectively (see
-.Xr EC_GROUP_new 3 ) .
-If a curve does not have a NID associated with it, then
-.Fn EC_GROUP_get_curve_name
-will return
-.Dv NID_undef .
-.Pp
-The asn1_flag value is used to determine whether the curve encoding
-uses explicit parameters or a named curve using an ASN.1 OID:
-many applications only support the latter form.
-If asn1_flag is the default value
-.Dv OPENSSL_EC_NAMED_CURVE ,
-then the named curve form is used and the parameters must have a
-corresponding named curve NID set.
-If asn1_flags is
-.Dv OPENSSL_EC_EXPLICIT_CURVE ,
-the parameters are explicitly encoded.
-The functions
-.Fn EC_GROUP_get_asn1_flag
-and
-.Fn EC_GROUP_set_asn1_flag
-get and set the status of the asn1_flag for the curve.
-.Pp
-The point_conversion_form for a curve controls how
-.Vt EC_POINT
-data is encoded as ASN.1 as defined in X9.62 (ECDSA).
-.Vt point_conversion_form_t
-is an enum defined as follows:
-.Bd -literal
-typedef enum {
-        /** the point is encoded as z||x, where the octet z specifies
-         *   which solution of the quadratic equation y is  */
-        POINT_CONVERSION_COMPRESSED = 2,
-        /** the point is encoded as z||x||y, where z is the octet 0x04  */
-        POINT_CONVERSION_UNCOMPRESSED = 4,
-        /** the point is encoded as z||x||y, where the octet z specifies
-         *  which solution of the quadratic equation y is  */
-        POINT_CONVERSION_HYBRID = 6
-} point_conversion_form_t;
-.Ed
-.Pp
-For
-.Dv POINT_CONVERSION_UNCOMPRESSED
-the point is encoded as an octet signifying the UNCOMPRESSED form
-has been used followed by the octets for x, followed by the octets
-for y.
-.Pp
-For any given x coordinate for a point on a curve it is possible to
-derive two possible y values.
-For
-.Dv POINT_CONVERSION_COMPRESSED
-the point is encoded as an octet signifying that the COMPRESSED
-form has been used AND which of the two possible solutions for y
-has been used, followed by the octets for x.
-.Pp
-For
-.Dv POINT_CONVERSION_HYBRID
-the point is encoded as an octet signifying the HYBRID form has
-been used AND which of the two possible solutions for y has been
-used, followed by the octets for x, followed by the octets for y.
-.Pp
-The functions
-.Fn EC_GROUP_set_point_conversion_form
-and
-.Fn EC_GROUP_get_point_conversion_form
-set and get the point_conversion_form for the curve, respectively.
-.Pp
-ANSI X9.62 (ECDSA standard) defines a method of generating the curve
-parameter b from a random number.
-This provides advantages in that a parameter obtained in this way is
-highly unlikely to be susceptible to special purpose attacks, or have
-any trapdoors in it.
-If the seed is present for a curve then the b parameter was generated in
-a verifiable fashion using that seed.
-The OpenSSL EC library does not use this seed value but does enable you
-to inspect it using
-.Fn EC_GROUP_get0_seed .
-This returns a pointer to a memory block containing the seed that was
-used.
-The length of the memory block can be obtained using
-.Fn EC_GROUP_get_seed_len .
-A number of the builtin curves within the library provide seed values
-that can be obtained.
-It is also possible to set a custom seed using
-.Fn EC_GROUP_set_seed
-and passing a pointer to a memory block, along with the length of
-the seed.
-Again, the EC library will not use this seed value, although it will be
-preserved in any ASN.1 based communications.
-.Pp
-.Fn EC_GROUP_get_degree
-gets the degree of the field.
-For Fp fields this will be the number of bits in p.
-For F2^m fields this will be the value m.
-.Pp
-The function
-.Fn EC_GROUP_check_discriminant
-calculates the discriminant for the curve and verifies that it is
-valid.
-For a curve defined over Fp the discriminant is given by the formula
-4*a^3 + 27*b^2 whilst for F2^m curves the discriminant is simply b.
-In either case for the curve to be valid the discriminant must be
-non-zero.
-.Pp
-The function
-.Fn EC_GROUP_check
-performs a number of checks on a curve to verify that it is valid.
-Checks performed include verifying that the discriminant is non-zero;
-that a generator has been defined; that the generator is on the curve
-and has the correct order.
-.Pp
-.Fn EC_GROUP_cmp
-compares
-.Fa a
-and
-.Fa b
-to determine whether they represent the same curve or not.
-.Pp
-.Fn EC_GROUP_get_basis_type
-always returns 0 and is only provided for compatibility.
-.Sh RETURN VALUES
-The following functions return 1 on success or 0 on error:
-.Fn EC_GROUP_copy ,
-.Fn EC_GROUP_set_generator ,
-.Fn EC_GROUP_check ,
-and
-.Fn EC_GROUP_check_discriminant .
-.Pp
-.Fn EC_GROUP_dup
-returns a pointer to the duplicated curve or
-.Dv NULL
-on error.
-.Pp
-.Fn EC_GROUP_get0_generator
-returns the generator for the given curve or
-.Dv NULL
-on error.
-.Pp
-.Fn EC_GROUP_get_order
-returns 0 if the order is not set or set to zero for the
-.Fa group
-or if copying into
-.Fa order
-fails, or 1 otherwise.
-.Pp
-.Fn EC_GROUP_order_bits
-returns the number of bits in the group order.
-.Pp
-.Fn EC_GROUP_get_cofactor
-returns 0 if the cofactor is not set or set to zero for the
-.Fa group
-or if copying into
-.Fa cofactor
-fails, or 1 otherwise.
-.Pp
-.Fn EC_GROUP_get_curve_name
-returns the curve name (NID) for the
-.Fa group
-or
-.Dv NID_undef
-if no curve name is associated.
-.Pp
-.Fn EC_GROUP_get_asn1_flag
-returns the ASN.1 flag for the specified
-.Fa group .
-.Pp
-.Fn EC_GROUP_get_point_conversion_form
-returns the point_conversion_form for the
-.Fa group .
-.Pp
-.Fn EC_GROUP_get_degree
-returns the degree for the
-.Fa group
-or 0 if the operation is not supported
-by the underlying group implementation.
-.Pp
-.Fn EC_GROUP_get0_seed
-returns a pointer to the seed that was used to generate the parameter
-b, or
-.Dv NULL
-if the seed is not specified.
-.Fn EC_GROUP_get_seed_len
-returns the length of the seed or 0 if the seed is not specified.
-.Pp
-.Fn EC_GROUP_set_seed
-returns the length of the seed that has been set.
-If the supplied seed is
-.Dv NULL
-or the supplied seed length is 0, the return value will be 1.
-On error 0 is returned.
-.Pp
-.Fn EC_GROUP_cmp
-returns 0 if the curves are equal, 1 if they are not equal,
-or -1 on error.
-.Pp
-.Fn EC_GROUP_get_basis_type
-always returns 0.
-.Sh SEE ALSO
-.Xr d2i_ECPKParameters 3 ,
-.Xr EC_GROUP_new 3 ,
-.Xr EC_KEY_new 3 ,
-.Xr EC_POINT_add 3 ,
-.Xr EC_POINT_new 3
-.Sh HISTORY
-.Fn EC_GROUP_copy ,
-.Fn EC_GROUP_set_generator ,
-.Fn EC_GROUP_get0_generator ,
-.Fn EC_GROUP_get_order ,
-and
-.Fn EC_GROUP_get_cofactor
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn EC_GROUP_dup ,
-.Fn EC_GROUP_set_curve_name ,
-.Fn EC_GROUP_get_curve_name ,
-.Fn EC_GROUP_set_asn1_flag ,
-.Fn EC_GROUP_get_asn1_flag ,
-.Fn EC_GROUP_set_point_conversion_form ,
-.Fn EC_GROUP_get_point_conversion_form ,
-.Fn EC_GROUP_get0_seed ,
-.Fn EC_GROUP_get_seed_len ,
-.Fn EC_GROUP_set_seed ,
-.Fn EC_GROUP_get_degree ,
-.Fn EC_GROUP_check ,
-.Fn EC_GROUP_check_discriminant ,
-.Fn EC_GROUP_cmp ,
-and
-.Fn EC_GROUP_get_basis_type
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
-.Fn EC_GROUP_order_bits
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.0 .
diff --git a/src/lib/libcrypto/man/EC_GROUP_new.3 b/src/lib/libcrypto/man/EC_GROUP_new.3
deleted file mode 100644
index 83e3e4c870..0000000000
--- a/src/lib/libcrypto/man/EC_GROUP_new.3
+++ /dev/null
@@ -1,353 +0,0 @@
-.\"     $OpenBSD: EC_GROUP_new.3,v 1.18 2025/03/08 16:38:13 tb Exp $
-.\"     OpenSSL 6328d367 Sat Jul 4 21:58:30 2020 +0200
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 8 2025 $
-.Dt EC_GROUP_NEW 3
-.Os
-.Sh NAME
-.Nm EC_GROUP_new ,
-.Nm EC_GROUP_free ,
-.Nm EC_GROUP_clear_free ,
-.Nm EC_GROUP_new_curve_GFp ,
-.Nm EC_GROUP_new_by_curve_name ,
-.Nm EC_GROUP_set_curve ,
-.Nm EC_GROUP_get_curve ,
-.Nm EC_GROUP_set_curve_GFp ,
-.Nm EC_GROUP_get_curve_GFp ,
-.Nm EC_get_builtin_curves ,
-.Nm EC_curve_nid2nist ,
-.Nm EC_curve_nist2nid
-.Nd create and destroy EC_GROUP objects
-.Sh SYNOPSIS
-.In openssl/ec.h
-.In openssl/bn.h
-.Ft EC_GROUP *
-.Fo EC_GROUP_new
-.Fa "const EC_METHOD *meth"
-.Fc
-.Ft void
-.Fo EC_GROUP_free
-.Fa "EC_GROUP *group"
-.Fc
-.Ft void
-.Fo EC_GROUP_clear_free
-.Fa "EC_GROUP *group"
-.Fc
-.Ft EC_GROUP *
-.Fo EC_GROUP_new_curve_GFp
-.Fa "const BIGNUM *p"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft EC_GROUP *
-.Fo EC_GROUP_new_by_curve_name
-.Fa "int nid"
-.Fc
-.Ft int
-.Fo EC_GROUP_set_curve
-.Fa "EC_GROUP *group"
-.Fa "const BIGNUM *p"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_curve
-.Fa "const EC_GROUP *group"
-.Fa "BIGNUM *p"
-.Fa "BIGNUM *a"
-.Fa "BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_set_curve_GFp
-.Fa "EC_GROUP *group"
-.Fa "const BIGNUM *p"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_curve_GFp
-.Fa "const EC_GROUP *group"
-.Fa "BIGNUM *p"
-.Fa "BIGNUM *a"
-.Fa "BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft size_t
-.Fo EC_get_builtin_curves
-.Fa "EC_builtin_curve *r"
-.Fa "size_t nitems"
-.Fc
-.Ft "const char *"
-.Fo EC_curve_nid2nist
-.Fa "int nid"
-.Fc
-.Ft int
-.Fo EC_curve_nist2nid
-.Fa "const char *name"
-.Fc
-.Sh DESCRIPTION
-The EC library provides functions for performing operations on
-elliptic curves in Weierstrass form.
-Such curves are defined over the prime field of order
-.Fa p
-and satisfy the Weierstrass equation with coefficients
-.Fa a
-and
-.Fa b
-.Pp
-.Dl y^2 = x^3 + ax + b
-.Pp
-An
-.Vt EC_GROUP
-structure is used to represent the definition of an elliptic curve.
-A new curve can be constructed by calling
-.Fn EC_GROUP_new ,
-using the implementation provided by
-.Fa meth .
-It is then necessary to call
-.Fn EC_GROUP_set_curve
-to set the curve parameters.
-.Pp
-.Fn EC_GROUP_set_curve
-sets the curve parameters
-.Fa p ,
-.Fa a ,
-and
-.Fa b ,
-where
-.Fa a
-and
-.Fa b
-represent the coefficients of the curve equation.
-.Pp
-.Fn EC_GROUP_set_curve_GFp
-is a deprecated synonym for
-.Fn EC_GROUP_set_curve .
-.Pp
-.Fn EC_GROUP_get_curve
-obtains the previously set curve parameters.
-.Pp
-.Fn EC_GROUP_get_curve_GFp
-is a deprecated synonym for
-.Fn EC_GROUP_get_curve .
-.Pp
-The function
-.Fn EC_GROUP_new_curve_GFp
-is a shortcut for calling
-.Fn EC_GROUP_new
-and
-.Fn EC_GROUP_set_curve .
-An appropriate default implementation method will be used.
-.Pp
-Whilst the library can be used to create any curve using the functions
-described above, there are also a number of predefined curves that are
-available.
-In order to obtain a list of all of the predefined curves, call the
-function
-.Fn EC_get_builtin_curves .
-The parameter
-.Fa r
-should be an array of
-.Vt EC_builtin_cure
-structures of size
-.Fa nitems .
-The function will populate the
-.Fa r
-array with information about the builtin curves.
-If
-.Fa nitems
-is less than the total number of curves available, then the first
-.Fa nitems
-curves will be returned.
-Otherwise the total number of curves will be provided.
-The return value is the total number of curves available (whether that
-number has been populated in
-.Fa r
-or not).
-Passing a
-.Dv NULL
-.Fa r ,
-or setting
-.Fa nitems
-to 0, will do nothing other than return the total number of curves
-available.
-The
-.Vt EC_builtin_curve
-structure is defined as follows:
-.Bd -literal
-typedef struct {
-        int nid;
-        const char *comment;
-} EC_builtin_curve;
-.Ed
-.Pp
-Each
-.Vt EC_builtin_curve
-item has a unique integer ID
-.Pq Fa nid
-and a human readable comment string describing the curve.
-.Pp
-In order to construct a builtin curve, use the function
-.Fn EC_GROUP_new_by_curve_name
-and provide the
-.Fa nid
-of the curve to be constructed.
-.Pp
-.Fn EC_GROUP_free
-frees the memory associated with the
-.Vt EC_GROUP .
-If
-.Fa group
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn EC_GROUP_clear_free
-destroys any sensitive data held within the
-.Vt EC_GROUP
-and then frees its memory.
-If
-.Fa group
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-Some builtin curves can be identified by their NIST name
-in addition to a numerical identifier (NID).
-.Fn EC_curve_nid2nist
-and
-.Fn EC_curve_nist2nid
-translate between the two.
-The five built-in prime curves are:
-.Pp
-.Bl -column "NIST name" NID_X9_62_prime256v1 "deprecated in SP800-186" -compact
-.It No NIST Fa name Ta Em ASN.1 NID       Ta Em notes
-.It Qq P-192   Ta Dv NID_X9_62_prime192v1 Ta No deprecated in SP800-186
-.It Qq P-224   Ta Dv NID_secp224r1        Ta
-.It Qq P-256   Ta Dv NID_X9_62_prime256v1 Ta
-.It Qq P-384   Ta Dv NID_secp384r1        Ta
-.It Qq P-521   Ta Dv NID_secp521r1        Ta
-.El
-.Pp
-.Fn EC_curve_nid2nist
-and
-.Fn EC_curve_nist2nid
-also accept the ten binary curves defined in FIPS\& 186-4
-and deprecated in SP800-186,
-although they no longer correspond to builtin curves in LibreSSL.
-.Sh RETURN VALUES
-All
-.Fn EC_GROUP_new*
-functions return a pointer to the newly constructed group or
-.Dv NULL
-on error.
-.Pp
-.Fn EC_get_builtin_curves
-returns the number of builtin curves that are available.
-.Pp
-.Fn EC_curve_nid2nist
-returns a string constant containing the NIST name if
-.Fa nid
-identifies a NIST curve or
-.Dv NULL
-otherwise.
-.Pp
-.Fn EC_curve_nist2nid
-returns the NID corresponding to the NIST curve
-.Fa name ,
-or
-.Dv NID_undef .
-.Pp
-.Fn EC_GROUP_set_curve ,
-.Fn EC_GROUP_get_curve ,
-.Fn EC_GROUP_set_curve_GFp ,
-and
-.Fn EC_GROUP_get_curve_GFp
-return 1 on success or 0 on error.
-.Sh SEE ALSO
-.Xr crypto 3 ,
-.Xr d2i_ECPKParameters 3 ,
-.Xr EC_GROUP_copy 3 ,
-.Xr EC_KEY_new 3 ,
-.Xr EC_POINT_add 3 ,
-.Xr EC_POINT_new 3 ,
-.Xr ECDH_compute_key 3 ,
-.Xr ECDSA_SIG_new 3
-.Sh HISTORY
-.Fn EC_GROUP_new ,
-.Fn EC_GROUP_free ,
-.Fn EC_GROUP_clear_free ,
-.Fn EC_GROUP_new_curve_GFp ,
-.Fn EC_GROUP_set_curve_GFp ,
-and
-.Fn EC_GROUP_get_curve_GFp
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn EC_GROUP_new_by_curve_name
-and
-.Fn EC_get_builtin_curves
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Fn EC_curve_nid2nist ,
-and
-.Fn EC_curve_nist2nid
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 5.8 .
-.Pp
-.Fn EC_GROUP_set_curve
-and
-.Fn EC_GROUP_get_curve
-first appeared in OpenSSL 1.1.1 and have been available since
-.Ox 7.0 .
diff --git a/src/lib/libcrypto/man/EC_KEY_METHOD_new.3 b/src/lib/libcrypto/man/EC_KEY_METHOD_new.3
deleted file mode 100644
index 79c16ef014..0000000000
--- a/src/lib/libcrypto/man/EC_KEY_METHOD_new.3
+++ /dev/null
@@ -1,320 +0,0 @@
-.\" $OpenBSD: EC_KEY_METHOD_new.3,v 1.4 2024/07/21 08:36:43 tb Exp $
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 21 2024 $
-.Dt EC_KEY_METHOD_NEW 3
-.Os
-.Sh NAME
-.Nm EC_KEY_METHOD_new ,
-.Nm EC_KEY_METHOD_free ,
-.Nm EC_KEY_METHOD_set_init ,
-.Nm EC_KEY_METHOD_get_init ,
-.Nm EC_KEY_METHOD_set_sign ,
-.Nm EC_KEY_METHOD_get_sign ,
-.Nm EC_KEY_METHOD_set_verify ,
-.Nm EC_KEY_METHOD_get_verify ,
-.Nm EC_KEY_METHOD_set_keygen ,
-.Nm EC_KEY_METHOD_get_keygen ,
-.Nm EC_KEY_METHOD_set_compute_key ,
-.Nm EC_KEY_METHOD_get_compute_key ,
-.Nm EC_KEY_OpenSSL ,
-.Nm EC_KEY_set_default_method ,
-.Nm EC_KEY_get_default_method ,
-.Nm EC_KEY_new_method ,
-.Nm EC_KEY_set_method ,
-.Nm EC_KEY_get_method
-.Nd custom EC_KEY implementations
-.Sh SYNOPSIS
-.In openssl/ec.h
-.Ft EC_KEY_METHOD *
-.Fo EC_KEY_METHOD_new
-.Fa "const EC_KEY_METHOD *meth"
-.Fc
-.Ft void
-.Fo EC_KEY_METHOD_free
-.Fa "EC_KEY_METHOD *meth"
-.Fc
-.Ft void
-.Fo EC_KEY_METHOD_set_init
-.Fa "EC_KEY_METHOD *meth"
-.Fa "int (*init)(EC_KEY *key)"
-.Fa "void (*finish)(EC_KEY *key)"
-.Fa "int (*copy)(EC_KEY *dest, const EC_KEY *src)"
-.Fa "int (*set_group)(EC_KEY *key, const EC_GROUP *grp)"
-.Fa "int (*set_private)(EC_KEY *key, const BIGNUM *priv_key)"
-.Fa "int (*set_public)(EC_KEY *key, const EC_POINT *pub_key)"
-.Fc
-.Ft void
-.Fo EC_KEY_METHOD_get_init
-.Fa "const EC_KEY_METHOD *meth"
-.Fa "int (**pinit)(EC_KEY *key)"
-.Fa "void (**pfinish)(EC_KEY *key)"
-.Fa "int (**pcopy)(EC_KEY *dest, const EC_KEY *src)"
-.Fa "int (**pset_group)(EC_KEY *key, const EC_GROUP *grp)"
-.Fa "int (**pset_private)(EC_KEY *key, const BIGNUM *priv_key)"
-.Fa "int (**pset_public)(EC_KEY *key, const EC_POINT *pub_key)"
-.Fc
-.Ft void
-.Fo EC_KEY_METHOD_set_sign
-.Fa "EC_KEY_METHOD *meth"
-.Fa "int (*sign)(int type, const unsigned char *dgst, int dgstlen,\
- unsigned char *sig, unsigned int *siglen,\
- const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)"
-.Fa "int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx,\
- BIGNUM **kinv, BIGNUM **rp)"
-.Fa "ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgstlen,\
- const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey)"
-.Fc
-.Ft void
-.Fo EC_KEY_METHOD_get_sign
-.Fa "const EC_KEY_METHOD *meth"
-.Fa "int (**psign)(int type, const unsigned char *dgst, int dgstlen,\
- unsigned char *sig, unsigned int *siglen,\
- const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)"
-.Fa "int (**psign_setup)(EC_KEY *eckey, BN_CTX *ctx,\
- BIGNUM **kinv, BIGNUM **rp)"
-.Fa "ECDSA_SIG *(**psign_sig)(const unsigned char *dgst, int dgstlen,\
- const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey)"
-.Fc
-.Ft void
-.Fo EC_KEY_METHOD_set_verify
-.Fa "EC_KEY_METHOD *meth"
-.Fa "int (*verify)(int type, const unsigned char *dgst, int dgst_len,\
- const unsigned char *sigbuf, int sig_len, EC_KEY *eckey)"
-.Fa "int (*verify_sig)(const unsigned char *dgst, int dgst_len,\
- const ECDSA_SIG *sig, EC_KEY *eckey)"
-.Fc
-.Ft void
-.Fo EC_KEY_METHOD_get_verify
-.Fa "const EC_KEY_METHOD *meth"
-.Fa "int (**pverify)(int type, const unsigned char *dgst, int dgst_len,\
- const unsigned char *sigbuf, int sig_len, EC_KEY *eckey)"
-.Fa "int (**pverify_sig)(const unsigned char *dgst, int dgst_len,\
- const ECDSA_SIG *sig, EC_KEY *eckey)"
-.Fc
-.Ft void
-.Fo EC_KEY_METHOD_set_keygen
-.Fa "EC_KEY_METHOD *meth"
-.Fa "int (*keygen)(EC_KEY *key)"
-.Fc
-.Ft void
-.Fo EC_KEY_METHOD_get_keygen
-.Fa "const EC_KEY_METHOD *meth"
-.Fa "int (**pkeygen)(EC_KEY *key)"
-.Fc
-.Ft void
-.Fo EC_KEY_METHOD_set_compute_key
-.Fa "EC_KEY_METHOD *meth"
-.Fa "int (*ckey)(void *out, size_t outlen,\
- const EC_POINT *pub_key, EC_KEY *ecdh,\
- void *(*KDF) (const void *in, size_t inlen, void *out, size_t *outlen))"
-.Fc
-.Ft void
-.Fo EC_KEY_METHOD_get_compute_key
-.Fa "const EC_KEY_METHOD *meth"
-.Fa "int (**pck)(void *out, size_t outlen,\
- const EC_POINT *pub_key, EC_KEY *ecdh,\
- void *(*KDF) (const void *in, size_t inlen, void *out, size_t *outlen))"
-.Fc
-.Ft const EC_KEY_METHOD *
-.Fn EC_KEY_OpenSSL void
-.Ft void
-.Fo EC_KEY_set_default_method
-.Fa "const EC_KEY_METHOD *meth"
-.Fc
-.Ft const EC_KEY_METHOD *
-.Fn EC_KEY_get_default_method void
-.Ft EC_KEY *
-.Fo EC_KEY_new_method
-.Fa "ENGINE *engine"
-.Fc
-.Ft int
-.Fo EC_KEY_set_method
-.Fa "EC_KEY *key"
-.Fa "const EC_KEY_METHOD *meth"
-.Fc
-.Ft const EC_KEY_METHOD *
-.Fo EC_KEY_get_method
-.Fa "const EC_KEY *key"
-.Fc
-.Sh DESCRIPTION
-An
-.Vt EC_KEY_METHOD
-object holds function pointers used for
-.Vt EC_KEY
-operations.
-.Pp
-.Fn EC_KEY_METHOD_new
-creates a shallow copy of
-.Fa meth ,
-or an empty
-.Vt EC_KEY_METHOD
-object if
-.Fa meth
-is
-.Dv NULL .
-.Pp
-.Fn EC_KEY_METHOD_free
-frees
-.Fa meth .
-If
-.Fa meth
-is
-.Dv NULL
-or the return value of
-.Fn EC_KEY_OpenSSL ,
-no action occurs.
-.Pp
-.Fn EC_KEY_METHOD_set_init
-and
-.Fn EC_KEY_METHOD_get_init
-set and retrieve optional callback functions called at the following places:
-.Pp
-.Bl -tag -width set_private -compact
-.It Fa init
-at the end of
-.Fn EC_KEY_new_method
-and
-.Fn EC_KEY_set_method
-.It Fa finish
-at the beginning of
-.Xr EC_KEY_free 3 ,
-.Xr EC_KEY_copy 3 ,
-and
-.Fn EC_KEY_set_method
-.It Fa copy
-at the end of
-.Xr EC_KEY_copy 3
-.It Fa set_group
-at the end of
-.Xr EC_KEY_set_group 3
-and
-.Xr EC_KEY_new_by_curve_name 3
-.It Fa set_private
-at the beginning of
-.Xr EC_KEY_set_private_key 3
-.It Fa set_public
-at the beginning of
-.Xr EC_KEY_set_public_key 3
-.El
-.Pp
-If any of these callbacks returns 0, the calling function fails.
-By default, all these callbacks are
-.Dv NULL .
-Arguments of
-.Fn EC_KEY_METHOD_get_init
-can be set to
-.Dv NULL
-to selectively retrieve callback function pointers.
-.Pp
-.Fn EC_KEY_METHOD_set_sign
-and
-.Fn EC_KEY_METHOD_get_sign
-set and retrieve the functions implementing
-.Xr ECDSA_sign 3
-and
-.Xr ECDSA_do_sign 3 .
-.Pp
-.Fn EC_KEY_METHOD_set_verify
-and
-.Fn EC_KEY_METHOD_get_verify
-set and retrieve the functions implementing
-.Xr ECDSA_verify 3
-and
-.Xr ECDSA_do_verify 3 .
-.Pp
-.Fn EC_KEY_METHOD_set_keygen
-and
-.Fn EC_KEY_METHOD_get_keygen
-set and retrieve the function implementing
-.Xr EC_KEY_generate_key 3 .
-.Pp
-.Fn EC_KEY_METHOD_set_compute_key
-and
-.Fn EC_KEY_METHOD_get_compute_key
-set and retrieve the function implementing
-.Xr ECDH_compute_key 3 .
-.Pp
-.Fn EC_KEY_set_default_method
-chooses the
-.Fa meth
-to be used for the creation of new
-.Vt EC_KEY
-objects by future invocations of
-.Fn EC_KEY_new_method ,
-or reverts to the default implementation if
-.Fa meth
-is
-.Dv NULL .
-.Pp
-.Fn EC_KEY_new_method
-creates and initializes a new
-.Vt EC_KEY
-object using the
-.Vt EC_KEY_METHOD
-set with
-.Fn EC_KEY_set_default_method .
-The
-.Fa ENGINE *engine
-argument is always ignored and passing
-.Dv NULL
-is recommended.
-.Pp
-.Fn EC_KEY_set_method
-dissociates the
-.Fa key
-from the
-.Vt ENGINE
-it is using, if any, and causes it to use
-.Fa meth
-in the future.
-.Sh RETURN VALUES
-.Fn EC_KEY_METHOD_new
-returns the newly allocated
-.Vt EC_KEY_METHOD
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn EC_KEY_OpenSSL
-returns a static object representing the default EC_KEY implementation.
-.Pp
-.Fn EC_KEY_get_default_method
-returns the
-.Vt EC_KEY_METHOD
-that
-.Fn EC_KEY_new_method
-will use for the creation of new
-.Vt EC_KEY
-objects in the future.
-.Pp
-.Fn EC_KEY_new_method
-returns the newly allocated
-.Vt EC_KEY
-object or NULL if an error occurs.
-.Pp
-.Fn EC_KEY_set_method
-returns 1 for success or 0 for failure.
-.Pp
-.Fn EC_KEY_get_method
-returns the EC_KEY implementation used by the given
-.Fa key .
-.Sh SEE ALSO
-.Xr EC_KEY_new 3 ,
-.Xr ECDSA_sign 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.1.0
-and have been available since
-.Ox 6.5 .
diff --git a/src/lib/libcrypto/man/EC_KEY_new.3 b/src/lib/libcrypto/man/EC_KEY_new.3
deleted file mode 100644
index c24cb080ef..0000000000
--- a/src/lib/libcrypto/man/EC_KEY_new.3
+++ /dev/null
@@ -1,532 +0,0 @@
-.\" $OpenBSD: EC_KEY_new.3,v 1.21 2025/03/08 16:38:13 tb Exp $
-.\" full merge up to: OpenSSL 3aef36ff Jan 5 13:06:03 2016 -0500
-.\" partial merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2013, 2014 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 8 2025 $
-.Dt EC_KEY_NEW 3
-.Os
-.Sh NAME
-.Nm EC_KEY_new ,
-.Nm EC_KEY_get_flags ,
-.Nm EC_KEY_set_flags ,
-.Nm EC_KEY_clear_flags ,
-.Nm EC_KEY_new_by_curve_name ,
-.Nm EC_KEY_free ,
-.Nm EC_KEY_copy ,
-.Nm EC_KEY_dup ,
-.Nm EC_KEY_up_ref ,
-.Nm EC_KEY_get0_group ,
-.Nm EC_KEY_set_group ,
-.Nm EC_KEY_get0_private_key ,
-.Nm EC_KEY_set_private_key ,
-.Nm EC_KEY_get0_public_key ,
-.Nm EC_KEY_set_public_key ,
-.Nm EC_KEY_get_enc_flags ,
-.Nm EC_KEY_set_enc_flags ,
-.Nm EC_KEY_get_conv_form ,
-.Nm EC_KEY_set_conv_form ,
-.Nm EC_KEY_set_asn1_flag ,
-.Nm EC_KEY_precompute_mult ,
-.Nm EC_KEY_generate_key ,
-.Nm EC_KEY_check_key ,
-.Nm EC_KEY_set_public_key_affine_coordinates ,
-.Nm EC_KEY_print ,
-.Nm EC_KEY_print_fp
-.Nd create, destroy and manipulate EC_KEY objects
-.Sh SYNOPSIS
-.In openssl/ec.h
-.In openssl/bn.h
-.Ft EC_KEY *
-.Fn EC_KEY_new void
-.Ft int
-.Fo EC_KEY_get_flags
-.Fa "const EC_KEY *key"
-.Fc
-.Ft void
-.Fo EC_KEY_set_flags
-.Fa "EC_KEY *key"
-.Fa "int flags"
-.Fc
-.Ft void
-.Fo EC_KEY_clear_flags
-.Fa "EC_KEY *key"
-.Fa "int flags"
-.Fc
-.Ft EC_KEY *
-.Fo EC_KEY_new_by_curve_name
-.Fa "int nid"
-.Fc
-.Ft void
-.Fo EC_KEY_free
-.Fa "EC_KEY *key"
-.Fc
-.Ft EC_KEY *
-.Fo EC_KEY_copy
-.Fa "EC_KEY *dst"
-.Fa "const EC_KEY *src"
-.Fc
-.Ft EC_KEY *
-.Fo EC_KEY_dup
-.Fa "const EC_KEY *src"
-.Fc
-.Ft int
-.Fo EC_KEY_up_ref
-.Fa "EC_KEY *key"
-.Fc
-.Ft const EC_GROUP *
-.Fo EC_KEY_get0_group
-.Fa "const EC_KEY *key"
-.Fc
-.Ft int
-.Fo EC_KEY_set_group
-.Fa "EC_KEY *key"
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft const BIGNUM *
-.Fo EC_KEY_get0_private_key
-.Fa "const EC_KEY *key"
-.Fc
-.Ft int
-.Fo EC_KEY_set_private_key
-.Fa "EC_KEY *key"
-.Fa "const BIGNUM *prv"
-.Fc
-.Ft const EC_POINT *
-.Fo EC_KEY_get0_public_key
-.Fa "const EC_KEY *key"
-.Fc
-.Ft int
-.Fo EC_KEY_set_public_key
-.Fa "EC_KEY *key"
-.Fa "const EC_POINT *pub"
-.Fc
-.Ft unsigned int
-.Fo EC_KEY_get_enc_flags
-.Fa "const EC_KEY *key"
-.Fc
-.Ft void
-.Fo EC_KEY_set_enc_flags
-.Fa "EC_KEY *key"
-.Fa "unsigned int flags"
-.Fc
-.Ft point_conversion_form_t
-.Fo EC_KEY_get_conv_form
-.Fa "const EC_KEY *key"
-.Fc
-.Ft void
-.Fo EC_KEY_set_conv_form
-.Fa "EC_KEY *key"
-.Fa "point_conversion_form_t cform"
-.Fc
-.Ft void
-.Fo EC_KEY_set_asn1_flag
-.Fa "EC_KEY *key"
-.Fa "int asn1_flag"
-.Fc
-.Ft int
-.Fo EC_KEY_precompute_mult
-.Fa "EC_KEY *key"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_KEY_generate_key
-.Fa "EC_KEY *key"
-.Fc
-.Ft int
-.Fo EC_KEY_check_key
-.Fa "const EC_KEY *key"
-.Fc
-.Ft int
-.Fo EC_KEY_set_public_key_affine_coordinates
-.Fa "EC_KEY *key"
-.Fa "BIGNUM *x"
-.Fa "BIGNUM *y"
-.Fc
-.Ft int
-.Fo EC_KEY_print
-.Fa "BIO *bp"
-.Fa "const EC_KEY *key"
-.Fa "int off"
-.Fc
-.Ft int
-.Fo EC_KEY_print_fp
-.Fa "FILE *fp"
-.Fa "const EC_KEY *key"
-.Fa "int off"
-.Fc
-.Sh DESCRIPTION
-An
-.Vt EC_KEY
-represents a public key and (optionally) an associated private key.
-The public key is a point on a curve represented by an
-.Vt EC_POINT ,
-see
-.Xr EC_POINT_new 3 .
-The private key is simply a
-.Vt BIGNUM ,
-see
-.Xr BN_new 3 .
-.Pp
-A new
-.Vt EC_KEY
-(with no associated curve) can be constructed by calling
-.Fn EC_KEY_new .
-The reference count for the newly created
-.Vt EC_KEY
-is initially set to 1.
-A curve can be associated with the
-.Vt EC_KEY
-by calling
-.Fn EC_KEY_set_group .
-.Pp
-Alternatively a new
-.Vt EC_KEY
-can be constructed by calling
-.Fn EC_KEY_new_by_curve_name
-and supplying the
-.Fa nid
-of the associated curve.
-Refer to
-.Xr EC_GROUP_new 3
-for a description of curve names.
-This function simply wraps calls to
-.Fn EC_KEY_new
-and
-.Fn EC_GROUP_new_by_curve_name .
-.Pp
-Calling
-.Fn EC_KEY_free
-decrements the reference count for the
-.Vt EC_KEY
-object and, if it has dropped to zero, then frees the memory associated
-with it.
-If
-.Fa key
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn EC_KEY_copy
-copies the contents of the
-.Vt EC_KEY
-in
-.Fa src
-into
-.Fa dst .
-.Pp
-.Fn EC_KEY_dup
-creates a new
-.Vt EC_KEY
-object and copies
-.Fa src
-into it.
-.Pp
-.Fn EC_KEY_up_ref
-increments the reference count associated with the
-.Vt EC_KEY
-object.
-.Pp
-.Fn EC_KEY_generate_key
-generates a new public and private key for the supplied
-.Fa key
-object.
-.Fa key
-must have an
-.Vt EC_GROUP
-object associated with it before calling this function.
-The private key is a random integer (0 < priv_key < order, where order
-is the order of the
-.Vt EC_GROUP
-object).
-The public key is an
-.Vt EC_POINT
-on the curve calculated by multiplying the generator for the curve
-by the private key.
-.Pp
-.Fn EC_KEY_check_key
-performs various sanity checks on the
-.Vt EC_KEY
-object to confirm that it is valid.
-.Pp
-.Fn EC_KEY_set_public_key_affine_coordinates
-sets the public key for
-.Fa key
-based on its affine coordinates, i.e. it constructs an
-.Vt EC_POINT
-object based on the supplied
-.Fa x
-and
-.Fa y
-values and sets the public key to be this
-.Vt EC_POINT .
-It also performs certain sanity checks on the key to confirm that
-it is valid.
-.Pp
-The functions
-.Fn EC_KEY_get0_group ,
-.Fn EC_KEY_set_group ,
-.Fn EC_KEY_get0_private_key ,
-.Fn EC_KEY_set_private_key ,
-.Fn EC_KEY_get0_public_key ,
-and
-.Fn EC_KEY_set_public_key
-get and set the
-.Vt EC_GROUP
-object, the private key and the
-.Vt EC_POINT
-public key for the
-.Fa key ,
-respectively.
-The setters copy the group and key objects without sanity checks
-and it is the caller's responsibility to ensure that
-the resulting key is valid, for example using
-.Fn EC_KEY_check_key .
-.Pp
-The functions
-.Fn EC_KEY_get_enc_flags
-and
-.Fn EC_KEY_set_enc_flags
-get and set the value of the encoding flags for the
-.Fa key .
-There are two encoding flags currently defined:
-.Dv EC_PKEY_NO_PARAMETERS
-and
-.Dv EC_PKEY_NO_PUBKEY .
-These flags define the behaviour of how the
-.Fa key
-is converted into ASN.1 in a call to
-.Fn i2d_ECPrivateKey .
-If
-.Dv EC_PKEY_NO_PARAMETERS
-is set then the public parameters for the curve
-are not encoded along with the private key.
-If
-.Dv EC_PKEY_NO_PUBKEY
-is set then the public key is not encoded along with the private
-key.
-.Pp
-The format of the external representation of the public key written by
-.Xr i2d_ECPrivateKey 3 ,
-such as whether it is stored in a compressed form or not,
-is described by the point_conversion_form.
-See
-.Xr EC_GROUP_copy 3
-for a description of point_conversion_form.
-.Pp
-When reading a private key encoded without an associated public key,
-for example if
-.Dv EC_PKEY_NO_PUBKEY
-was used,
-.Xr d2i_ECPrivateKey 3
-generates the missing public key automatically.
-Private keys encoded without parameters, for example if
-.Dv EC_PKEY_NO_PARAMETERS
-was used, cannot be loaded using
-.Xr d2i_ECPrivateKey 3 .
-.Pp
-The functions
-.Fn EC_KEY_get_conv_form
-and
-.Fn EC_KEY_set_conv_form
-get and set the point_conversion_form for the
-.Fa key .
-For a description of point_conversion_form refer to
-.Xr EC_GROUP_copy 3 .
-.Pp
-.Fn EC_KEY_set_flags
-sets the flags in the
-.Fa flags
-parameter on the
-.Vt EC_KEY
-object.
-Any flags that are already set are left set.
-The currently defined standard flags are
-.Dv EC_FLAG_NON_FIPS_ALLOW
-and
-.Dv EC_FLAG_FIPS_CHECKED .
-In addition there is the ECDH-specific flag
-.Dv EC_FLAG_COFACTOR_ECDH .
-.Fn EC_KEY_get_flags
-returns the current flags that are set for this
-.Vt EC_KEY .
-.Fn EC_KEY_clear_flags
-clears the flags indicated by the
-.Fa flags
-parameter.
-All other flags are left in their existing state.
-.Pp
-.Fn EC_KEY_set_asn1_flag
-sets the asn1_flag on the underlying
-.Vt EC_GROUP
-object (if set).
-Refer to
-.Xr EC_GROUP_copy 3
-for further information on the asn1_flag.
-.Pp
-.Fn EC_KEY_precompute_mult
-stores multiples of the underlying
-.Vt EC_GROUP
-generator for faster point multiplication.
-See also
-.Xr EC_POINT_add 3 .
-.Pp
-.Fn EC_KEY_print
-and
-.Fn EC_KEY_print_fp
-print out the content of
-.Fa key
-to the
-.Vt BIO
-.Fa bp
-or to the
-.Vt FILE
-pointer
-.Fa fp ,
-respectively.
-Each line is indented by
-.Fa indent
-spaces.
-.Sh RETURN VALUES
-.Fn EC_KEY_new ,
-.Fn EC_KEY_new_by_curve_name ,
-and
-.Fn EC_KEY_dup
-return a pointer to the newly created
-.Vt EC_KEY object
-or
-.Dv NULL
-on error.
-.Pp
-.Fn EC_KEY_get_flags
-returns the flags associated with the
-.Vt EC_KEY object .
-.Pp
-.Fn EC_KEY_copy
-returns a pointer to the destination key or
-.Dv NULL
-on error.
-In the latter case, part of the content may already have been copied.
-.Pp
-.Fn EC_KEY_up_ref ,
-.Fn EC_KEY_set_group ,
-.Fn EC_KEY_set_private_key ,
-.Fn EC_KEY_set_public_key ,
-.Fn EC_KEY_precompute_mult ,
-.Fn EC_KEY_generate_key ,
-.Fn EC_KEY_check_key ,
-.Fn EC_KEY_set_public_key_affine_coordinates ,
-.Fn EC_KEY_print ,
-and
-.Fn EC_KEY_print_fp
-return 1 on success or 0 on error.
-.Pp
-.Fn EC_KEY_get0_group
-returns the
-.Vt EC_GROUP
-associated with the
-.Vt EC_KEY .
-.Pp
-.Fn EC_KEY_get0_private_key
-and
-.Fn EC_KEY_get0_public_key
-return the private or public keys, respectively, associated with the
-.Vt EC_KEY .
-.Pp
-.Fn EC_KEY_get_enc_flags
-returns the value of the current encoding flags for the
-.Vt EC_KEY .
-.Pp
-.Fn EC_KEY_get_conv_form
-returns the point_conversion_form for the
-.Vt EC_KEY .
-.Sh SEE ALSO
-.Xr d2i_ECPKParameters 3 ,
-.Xr EC_GROUP_copy 3 ,
-.Xr EC_GROUP_new 3 ,
-.Xr EC_KEY_METHOD_new 3 ,
-.Xr EC_POINT_add 3 ,
-.Xr EC_POINT_new 3 ,
-.Xr ECDH_compute_key 3 ,
-.Xr ECDSA_SIG_new 3 ,
-.Xr EVP_PKEY_set1_EC_KEY 3
-.Sh HISTORY
-.Fn EC_KEY_new ,
-.Fn EC_KEY_new_by_curve_name ,
-.Fn EC_KEY_free ,
-.Fn EC_KEY_copy ,
-.Fn EC_KEY_dup ,
-.Fn EC_KEY_up_ref ,
-.Fn EC_KEY_get0_group ,
-.Fn EC_KEY_set_group ,
-.Fn EC_KEY_get0_private_key ,
-.Fn EC_KEY_set_private_key ,
-.Fn EC_KEY_get0_public_key ,
-.Fn EC_KEY_set_public_key ,
-.Fn EC_KEY_get_enc_flags ,
-.Fn EC_KEY_set_enc_flags ,
-.Fn EC_KEY_get_conv_form ,
-.Fn EC_KEY_set_conv_form ,
-.Fn EC_KEY_set_asn1_flag ,
-.Fn EC_KEY_precompute_mult ,
-.Fn EC_KEY_generate_key ,
-.Fn EC_KEY_check_key ,
-.Fn EC_KEY_print ,
-and
-.Fn EC_KEY_print_fp
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
-.Fn EC_KEY_get_flags ,
-.Fn EC_KEY_set_flags ,
-.Fn EC_KEY_clear_flags ,
-and
-.Fn EC_KEY_set_public_key_affine_coordinates
-first appeared in OpenSSL 1.0.1 and have been available since
-.Ox 5.3 .
diff --git a/src/lib/libcrypto/man/EC_POINT_add.3 b/src/lib/libcrypto/man/EC_POINT_add.3
deleted file mode 100644
index cc35499c0e..0000000000
--- a/src/lib/libcrypto/man/EC_POINT_add.3
+++ /dev/null
@@ -1,216 +0,0 @@
-.\"     $OpenBSD: EC_POINT_add.3,v 1.15 2025/03/08 16:48:22 tb Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 8 2025 $
-.Dt EC_POINT_ADD 3
-.Os
-.Sh NAME
-.Nm EC_POINT_add ,
-.Nm EC_POINT_dbl ,
-.Nm EC_POINT_invert ,
-.Nm EC_POINT_is_at_infinity ,
-.Nm EC_POINT_is_on_curve ,
-.Nm EC_POINT_cmp ,
-.Nm EC_POINT_make_affine ,
-.Nm EC_POINT_mul
-.Nd perform mathematical operations and tests on EC_POINT objects
-.Sh SYNOPSIS
-.In openssl/ec.h
-.In openssl/bn.h
-.Ft int
-.Fo EC_POINT_add
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *r"
-.Fa "const EC_POINT *a"
-.Fa "const EC_POINT *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_dbl
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *r"
-.Fa "const EC_POINT *a"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_invert
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *a"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_is_at_infinity
-.Fa "const EC_GROUP *group"
-.Fa "const EC_POINT *p"
-.Fc
-.Ft int
-.Fo EC_POINT_is_on_curve
-.Fa "const EC_GROUP *group"
-.Fa "const EC_POINT *point"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_cmp
-.Fa "const EC_GROUP *group"
-.Fa "const EC_POINT *a"
-.Fa "const EC_POINT *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_make_affine
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *point"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_mul
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *r"
-.Fa "const BIGNUM *n"
-.Fa "const EC_POINT *q"
-.Fa "const BIGNUM *m"
-.Fa "BN_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-These functions operate on
-.Vt EC_POINT
-objects created by
-.Xr EC_POINT_new 3 .
-.Pp
-.Fn EC_POINT_add
-adds the two points
-.Fa a
-and
-.Fa b
-and places the result in
-.Fa r .
-Similarly
-.Fn EC_POINT_dbl
-doubles the point
-.Fa a
-and places the result in
-.Fa r .
-In both cases it is valid for
-.Fa r
-to be one of
-.Fa a
-or
-.Fa b .
-.Pp
-.Fn EC_POINT_invert
-calculates the inverse of the supplied point
-.Fa a .
-The result is placed back in
-.Fa a .
-.Pp
-The function
-.Fn EC_POINT_is_at_infinity
-tests whether the supplied point is at infinity or not.
-.Pp
-.Fn EC_POINT_is_on_curve
-tests whether the supplied point is on the curve or not.
-.Pp
-.Fn EC_POINT_cmp
-compares the two supplied points and tests whether or not they are
-equal.
-.Pp
-.Fn EC_POINT_mul
-calculates the value
-.Pp
-.D1 generator * n + q * m
-.Pp
-and stores the result in
-.Fa r .
-The value
-.Fa n
-may be
-.Dv NULL ,
-in which case the result is just
-.Pp
-.Dl q * m.
-.Pp
-See
-.Xr EC_GROUP_copy 3
-for information about the generator.
-.Sh RETURN VALUES
-The following functions return 1 on success or 0 on error:
-.Fn EC_POINT_add ,
-.Fn EC_POINT_dbl ,
-.Fn EC_POINT_invert ,
-.Fn EC_POINT_make_affine ,
-and
-.Fn EC_POINT_mul
-.Pp
-.Fn EC_POINT_is_at_infinity
-returns 1 if the point is at infinity or 0 otherwise.
-.Pp
-.Fn EC_POINT_is_on_curve
-returns 1 if the point is on the curve, 0 if not, or -1 on error.
-.Pp
-.Fn EC_POINT_cmp
-returns 1 if the points are not equal, 0 if they are, or -1 on error.
-.Sh SEE ALSO
-.Xr d2i_ECPKParameters 3 ,
-.Xr EC_GROUP_copy 3 ,
-.Xr EC_GROUP_new 3 ,
-.Xr EC_KEY_new 3 ,
-.Xr EC_POINT_new 3
-.Sh HISTORY
-.Fn EC_POINT_add ,
-.Fn EC_POINT_dbl ,
-.Fn EC_POINT_invert ,
-.Fn EC_POINT_is_at_infinity ,
-.Fn EC_POINT_is_on_curve ,
-.Fn EC_POINT_cmp ,
-.Fn EC_POINT_make_affine ,
-and
-.Fn EC_POINT_mul
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/EC_POINT_new.3 b/src/lib/libcrypto/man/EC_POINT_new.3
deleted file mode 100644
index db6280fce7..0000000000
--- a/src/lib/libcrypto/man/EC_POINT_new.3
+++ /dev/null
@@ -1,455 +0,0 @@
-.\" $OpenBSD: EC_POINT_new.3,v 1.17 2025/03/08 17:04:07 tb Exp $
-.\" full merge up to: OpenSSL 50db8163 Jul 30 16:56:41 2018 +0100
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2013, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 8 2025 $
-.Dt EC_POINT_NEW 3
-.Os
-.Sh NAME
-.Nm EC_POINT_new ,
-.Nm EC_POINT_free ,
-.Nm EC_POINT_clear_free ,
-.Nm EC_POINT_copy ,
-.Nm EC_POINT_dup ,
-.Nm EC_POINT_set_to_infinity ,
-.Nm EC_POINT_set_affine_coordinates ,
-.Nm EC_POINT_set_affine_coordinates_GFp ,
-.Nm EC_POINT_get_affine_coordinates ,
-.Nm EC_POINT_get_affine_coordinates_GFp ,
-.Nm EC_POINT_set_compressed_coordinates ,
-.Nm EC_POINT_set_compressed_coordinates_GFp ,
-.Nm EC_POINT_point2oct ,
-.Nm EC_POINT_oct2point ,
-.Nm EC_POINT_point2bn ,
-.Nm EC_POINT_bn2point ,
-.Nm EC_POINT_point2hex ,
-.Nm EC_POINT_hex2point
-.Nd create, destroy, and manipulate EC_POINT objects
-.Sh SYNOPSIS
-.In openssl/ec.h
-.In openssl/bn.h
-.Ft EC_POINT *
-.Fo EC_POINT_new
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft void
-.Fo EC_POINT_free
-.Fa "EC_POINT *point"
-.Fc
-.Ft void
-.Fo EC_POINT_clear_free
-.Fa "EC_POINT *point"
-.Fc
-.Ft int
-.Fo EC_POINT_copy
-.Fa "EC_POINT *dst"
-.Fa "const EC_POINT *src"
-.Fc
-.Ft EC_POINT *
-.Fo EC_POINT_dup
-.Fa "const EC_POINT *src"
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft int
-.Fo EC_POINT_set_to_infinity
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *point"
-.Fc
-.Ft int
-.Fo EC_POINT_set_affine_coordinates
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *p"
-.Fa "const BIGNUM *x"
-.Fa "const BIGNUM *y"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_set_affine_coordinates_GFp
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *p"
-.Fa "const BIGNUM *x"
-.Fa "const BIGNUM *y"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_get_affine_coordinates
-.Fa "const EC_GROUP *group"
-.Fa "const EC_POINT *p"
-.Fa "BIGNUM *x"
-.Fa "BIGNUM *y"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_get_affine_coordinates_GFp
-.Fa "const EC_GROUP *group"
-.Fa "const EC_POINT *p"
-.Fa "BIGNUM *x"
-.Fa "BIGNUM *y"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_set_compressed_coordinates
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *p"
-.Fa "const BIGNUM *x"
-.Fa "int y_bit"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_set_compressed_coordinates_GFp
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *p"
-.Fa "const BIGNUM *x"
-.Fa "int y_bit"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft size_t
-.Fo EC_POINT_point2oct
-.Fa "const EC_GROUP *group"
-.Fa "const EC_POINT *p"
-.Fa "point_conversion_form_t form"
-.Fa "unsigned char *buf"
-.Fa "size_t len"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_oct2point
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *p"
-.Fa "const unsigned char *buf"
-.Fa "size_t len"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft BIGNUM *
-.Fo EC_POINT_point2bn
-.Fa "const EC_GROUP *"
-.Fa "const EC_POINT *"
-.Fa "point_conversion_form_t form"
-.Fa "BIGNUM *"
-.Fa "BN_CTX *"
-.Fc
-.Ft EC_POINT *
-.Fo EC_POINT_bn2point
-.Fa "const EC_GROUP *"
-.Fa "const BIGNUM *"
-.Fa "EC_POINT *"
-.Fa "BN_CTX *"
-.Fc
-.Ft char *
-.Fo EC_POINT_point2hex
-.Fa "const EC_GROUP *"
-.Fa "const EC_POINT *"
-.Fa "point_conversion_form_t form"
-.Fa "BN_CTX *"
-.Fc
-.Ft EC_POINT *
-.Fo EC_POINT_hex2point
-.Fa "const EC_GROUP *"
-.Fa "const char *"
-.Fa "EC_POINT *"
-.Fa "BN_CTX *"
-.Fc
-.Sh DESCRIPTION
-An
-.Vt EC_POINT
-represents a point on a curve.
-A curve is represented by an
-.Vt EC_GROUP
-object created by the functions described in
-.Xr EC_GROUP_new 3 .
-.Pp
-A new point is constructed by calling the function
-.Fn EC_POINT_new
-and providing the
-.Fa group
-object that the point relates to.
-.Pp
-.Fn EC_POINT_free
-frees the memory associated with the
-.Vt EC_POINT .
-If
-.Fa point
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn EC_POINT_clear_free
-destroys any sensitive data held within the
-.Vt EC_POINT
-and then frees its memory.
-If
-.Fa point
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn EC_POINT_copy
-copies the point
-.Fa src
-into
-.Fa dst .
-Both
-.Fa src
-and
-.Fa dst
-must use the same
-.Vt EC_METHOD .
-.Pp
-.Fn EC_POINT_dup
-creates a new
-.Vt EC_POINT
-object and copies the content from
-.Fa src
-to the newly created
-.Vt EC_POINT
-object.
-.Pp
-A valid point on a curve is the special point at infinity.
-A point is set to be at infinity by calling
-.Fn EC_POINT_set_to_infinity .
-.Pp
-The affine coordinates for a point describe a point in terms of its
-.Fa x
-and
-.Fa y
-position.
-The function
-.Fn EC_POINT_set_affine_coordinates
-sets the
-.Fa x
-and
-.Fa y
-coordinates for the point
-.Fa p
-defined over the curve given in
-.Fa group .
-The function
-.Fn EC_POINT_get_affine_coordinates
-sets
-.Fa x
-and
-.Fa y ,
-either of which may be
-.Dv NULL ,
-to the corresponding coordinates of
-.Fa p .
-.Pp
-The functions
-.Fn EC_POINT_set_affine_coordinates_GFp
-is a deprecated synonym for
-.Fn EC_POINT_set_affine_coordinates
-and the function
-.Fn EC_POINT_get_affine_coordinates_GFp
-is a deprecated synonym for
-.Fn EC_POINT_get_affine_coordinates .
-.Pp
-Points can also be described in terms of their compressed coordinates.
-For a point
-.Pq Fa x , y ,
-for any given value for
-.Fa x
-such that the point is on the curve, there will only ever be two
-possible values for
-.Fa y .
-Therefore, a point can be set using the
-.Fn EC_POINT_set_compressed_coordinates
-function where
-.Fa x
-is the x coordinate and
-.Fa y_bit
-is a value 0 or 1 to identify which of the two possible values for y
-should be used.
-.Pp
-The functions
-.Fn EC_POINT_set_compressed_coordinates_GFp
-is a deprecated synonym for
-.Fn EC_POINT_set_compressed_coordinates .
-.Pp
-In addition
-.Vt EC_POINT Ns s
-can be converted to and from various external representations.
-Supported representations are octet strings,
-.Vt BIGNUM Ns s ,
-and hexadecimal.
-The format of the external representation is described by the
-point_conversion_form.
-See
-.Xr EC_GROUP_copy 3
-for a description of point_conversion_form.
-Octet strings are stored in a buffer along with an associated buffer
-length.
-A point held in a
-.Vt BIGNUM
-is calculated by converting the point to an octet string and then
-converting that octet string into a
-.Vt BIGNUM
-integer.
-Points in hexadecimal format are stored in a NUL terminated character
-string where each character is one of the printable values 0-9 or A-F
-(or a-f).
-.Pp
-The functions
-.Fn EC_POINT_point2oct ,
-.Fn EC_POINT_oct2point ,
-.Fn EC_POINT_point2bn ,
-.Fn EC_POINT_bn2point ,
-.Fn EC_POINT_point2hex ,
-and
-.Fn EC_POINT_hex2point
-convert from and to
-.Vt EC_POINT Ns s
-for the formats octet string,
-.Vt BIGNUM ,
-and hexadecimal, respectively.
-.Pp
-The function
-.Fn EC_POINT_point2oct
-must be supplied with a
-.Fa buf
-long enough to store the octet string.
-The return value provides the number of octets stored.
-Calling the function with a
-.Dv NULL
-.Fa buf
-will not perform the conversion but will still return the required
-buffer length.
-.Pp
-The function
-.Fn EC_POINT_point2hex
-will allocate sufficient memory to store the hexadecimal string.
-It is the caller's responsibility to free this memory with a subsequent
-call to
-.Xr free 3 .
-.Sh RETURN VALUES
-.Fn EC_POINT_new
-and
-.Fn EC_POINT_dup
-return the newly allocated
-.Vt EC_POINT
-or
-.Dv NULL
-on error.
-.Pp
-The following functions return 1 on success or 0 on error:
-.Fn EC_POINT_copy ,
-.Fn EC_POINT_set_to_infinity ,
-.Fn EC_POINT_set_affine_coordinates ,
-.Fn EC_POINT_set_affine_coordinates_GFp ,
-.Fn EC_POINT_get_affine_coordinates ,
-.Fn EC_POINT_get_affine_coordinates_GFp ,
-.Fn EC_POINT_set_compressed_coordinates ,
-.Fn EC_POINT_set_compressed_coordinates_GFp ,
-and
-.Fn EC_POINT_oct2point .
-.Pp
-.Fn EC_POINT_point2oct
-returns the length of the required buffer, or 0 on error.
-.Pp
-.Fn EC_POINT_point2bn
-returns the pointer to the
-.Vt BIGNUM
-supplied or
-.Dv NULL
-on error.
-.Pp
-.Fn EC_POINT_bn2point
-returns the pointer to the
-.Vt EC_POINT
-supplied or
-.Dv NULL
-on error.
-.Pp
-.Fn EC_POINT_point2hex
-returns a pointer to the hex string or
-.Dv NULL
-on error.
-.Pp
-.Fn EC_POINT_hex2point
-returns the pointer to the
-.Vt EC_POINT
-supplied or
-.Dv NULL
-on error.
-.Sh SEE ALSO
-.Xr d2i_ECPKParameters 3 ,
-.Xr EC_GROUP_copy 3 ,
-.Xr EC_GROUP_new 3 ,
-.Xr EC_KEY_new 3 ,
-.Xr EC_POINT_add 3 ,
-.Xr ECDH_compute_key 3
-.Sh HISTORY
-.Fn EC_POINT_new ,
-.Fn EC_POINT_free ,
-.Fn EC_POINT_clear_free ,
-.Fn EC_POINT_copy ,
-.Fn EC_POINT_set_to_infinity ,
-.Fn EC_POINT_set_affine_coordinates_GFp ,
-.Fn EC_POINT_get_affine_coordinates_GFp ,
-.Fn EC_POINT_set_compressed_coordinates_GFp ,
-.Fn EC_POINT_point2oct ,
-and
-.Fn EC_POINT_oct2point
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn EC_POINT_dup ,
-.Fn EC_POINT_point2bn ,
-.Fn EC_POINT_bn2point ,
-.Fn EC_POINT_point2hex ,
-and
-.Fn EC_POINT_hex2point
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
-.Fn EC_POINT_set_affine_coordinates ,
-.Fn EC_POINT_get_affine_coordinates ,
-and
-.Fn EC_POINT_set_compressed_coordinates
-first appeared in OpenSSL 1.1.1 and have been available since
-.Ox 7.0 .
diff --git a/src/lib/libcrypto/man/ENGINE_new.3 b/src/lib/libcrypto/man/ENGINE_new.3
deleted file mode 100644
index 55ed963563..0000000000
--- a/src/lib/libcrypto/man/ENGINE_new.3
+++ /dev/null
@@ -1,174 +0,0 @@
-.\" $OpenBSD: ENGINE_new.3,v 1.10 2023/11/19 21:13:47 tb Exp $
-.\"
-.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
-.\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 19 2023 $
-.Dt ENGINE_NEW 3
-.Os
-.Sh NAME
-.Nm ENGINE_new ,
-.Nm ENGINE_free ,
-.Nm ENGINE_init ,
-.Nm ENGINE_finish ,
-.Nm ENGINE_ctrl_cmd ,
-.Nm ENGINE_ctrl_cmd_string ,
-.Nm ENGINE_by_id ,
-.Nm ENGINE_get_id ,
-.Nm ENGINE_get_name ,
-.Nm ENGINE_set_default ,
-.Nm ENGINE_get_default_RSA ,
-.Nm ENGINE_set_default_RSA ,
-.Nm ENGINE_load_private_key ,
-.Nm ENGINE_load_public_key ,
-.Nm ENGINE_load_builtin_engines ,
-.Nm ENGINE_load_dynamic ,
-.Nm ENGINE_load_openssl ,
-.Nm ENGINE_register_all_complete ,
-.Nm ENGINE_cleanup
-.Nd ENGINE stub functions
-.Sh SYNOPSIS
-.In openssl/engine.h
-.Ft ENGINE *
-.Fn ENGINE_new void
-.Ft int
-.Fo ENGINE_free
-.Fa "ENGINE *engine"
-.Fc
-.Ft int
-.Fn ENGINE_init "ENGINE *engine"
-.Ft int
-.Fn ENGINE_finish "ENGINE *engine"
-.Ft int
-.Fo ENGINE_ctrl_cmd
-.Fa "ENGINE *engine"
-.Fa "const char *cmd_name"
-.Fa "long i"
-.Fa "void *p"
-.Fa "void (*f)(void)"
-.Fa "int cmd_optional"
-.Fc
-.Ft int
-.Fo ENGINE_ctrl_cmd_string
-.Fa "ENGINE *engine"
-.Fa "const char *cmd_name"
-.Fa "const char *arg"
-.Fa "int cmd_optional"
-.Fc
-.Ft ENGINE *
-.Fn ENGINE_by_id "const char *id"
-.Ft const char *
-.Fn ENGINE_get_id "const ENGINE *engine"
-.Ft const char *
-.Fn ENGINE_get_name "const ENGINE *engine"
-.Ft int
-.Fn ENGINE_set_default "ENGINE *engine" "unsigned int flags"
-.Ft ENGINE *
-.Fn ENGINE_get_default_RSA "ENGINE *engine"
-.Ft int
-.Fn ENGINE_set_default_RSA "ENGINE *engine"
-.Ft EVP_PKEY *
-.Fo ENGINE_load_private_key
-.Fa "ENGINE *engine"
-.Fa "const char *key_id"
-.Fa "UI_METHOD *ui_method"
-.Fa "void *callback_data"
-.Fc
-.Ft EVP_PKEY *
-.Fo ENGINE_load_public_key
-.Fa "ENGINE *engine"
-.Fa "const char *key_id"
-.Fa "UI_METHOD *ui_method"
-.Fa "void *callback_data"
-.Fc
-.Ft void
-.Fn ENGINE_load_builtin_engines "void"
-.Ft void
-.Fn ENGINE_load_dynamic "void"
-.Ft void
-.Fn ENGINE_load_openssl "void"
-.Ft int
-.Fn ENGINE_register_all_complete "void"
-.Ft void
-.Fn ENGINE_cleanup "void"
-.Sh DESCRIPTION
-.Vt ENGINE
-objects used to provide alternative implementations of
-cryptographic algorithms, for example using specialized hardware.
-LibreSSL no longer supports this feature.
-.Pp
-All functions in this manual ignore all their arguments and
-do nothing except return failure if possible.
-They are provided only to avoid patching software that expects
-.Vt ENGINE
-support to be available.
-.Sh RETURN VALUES
-.Fn ENGINE_new ,
-.Fn ENGINE_by_id ,
-.Fn ENGINE_get_default_RSA ,
-.Fn ENGINE_load_private_key ,
-and
-.Fn ENGINE_load_public_key
-always return
-.Dv NULL .
-.Pp
-.Fn ENGINE_free ,
-.Fn ENGINE_init ,
-.Fn ENGINE_finish ,
-.Fn ENGINE_ctrl_cmd ,
-.Fn ENGINE_ctrl_cmd_string ,
-.Fn ENGINE_set_default ,
-.Fn ENGINE_set_default_RSA ,
-and
-.Fn ENGINE_register_all_complete
-always return 0.
-.Pp
-.Fn ENGINE_get_id
-and
-.Fn ENGINE_get_name
-always return the constant empty string.
-.Sh SEE ALSO
-.Xr crypto 3
-.Sh HISTORY
-.Fn ENGINE_new ,
-.Fn ENGINE_free ,
-.Fn ENGINE_init ,
-.Fn ENGINE_finish ,
-.Fn ENGINE_by_id ,
-.Fn ENGINE_get_id ,
-.Fn ENGINE_get_name ,
-.Fn ENGINE_set_default ,
-.Fn ENGINE_get_default_RSA ,
-.Fn ENGINE_set_default_RSA ,
-.Fn ENGINE_load_private_key ,
-and
-.Fn ENGINE_load_public_key
-first appeared in OpenSSL 0.9.7
-and have been available since
-.Ox 2.9 .
-.Pp
-.Fn ENGINE_ctrl_cmd ,
-.Fn ENGINE_ctrl_cmd_string ,
-.Fn ENGINE_load_builtin_engines ,
-.Fn ENGINE_load_openssl ,
-.Fn ENGINE_register_all_complete ,
-and
-.Fn ENGINE_cleanup
-first appeared in OpenSSL 0.9.7
-and have been available since
-.Ox 3.4 .
-.Pp
-All these functions were turned into stubs in
-.Ox 7.4 .
diff --git a/src/lib/libcrypto/man/ERR.3 b/src/lib/libcrypto/man/ERR.3
deleted file mode 100644
index 8f17e7a329..0000000000
--- a/src/lib/libcrypto/man/ERR.3
+++ /dev/null
@@ -1,152 +0,0 @@
-.\"     $OpenBSD: ERR.3,v 1.11 2023/07/26 20:15:51 tb Exp $
-.\"     OpenSSL 186bb907 Apr 13 11:05:13 2015 -0700
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org> and
-.\" Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 26 2023 $
-.Dt ERR 3
-.Os
-.Sh NAME
-.Nm ERR
-.Nd OpenSSL error codes
-.Sh SYNOPSIS
-.In openssl/err.h
-.Sh DESCRIPTION
-When a call to the OpenSSL library fails, this is usually signaled by
-the return value, and an error code is stored in an error queue
-associated with the current thread.
-The
-.Nm
-library provides functions to obtain these error codes and textual error
-messages.
-The
-.Xr ERR_get_error 3
-manpage describes how to access error codes.
-.Pp
-Error codes contain information about where the error occurred, and what
-went wrong.
-.Xr ERR_GET_LIB 3
-describes how to extract this information.
-A method to obtain human-readable error messages is described in
-.Xr ERR_error_string 3 .
-.Pp
-.Xr ERR_clear_error 3
-can be used to clear the error queue.
-.Pp
-Note that
-.Xr ERR_remove_state 3
-should be used to avoid memory leaks when threads are terminated.
-.Sh ADDING NEW ERROR CODES TO OPENSSL
-See
-.Xr ERR_put_error 3
-if you want to record error codes in the OpenSSL error system from
-within your application.
-.Pp
-The remainder of this section is of interest only if you want to add new
-error codes to OpenSSL or add error codes from external libraries.
-.Pp
-When you are using new function or reason codes, run
-.Sy make errors .
-The necessary
-.Sy #define Ns s
-will then automatically be added to the sub-library's header file.
-.Ss Adding new libraries
-When adding a new sub-library to OpenSSL, assign it a library number
-.Dv ERR_LIB_XXX ,
-define a macro
-.Fn XXXerr
-(both in
-.In openssl/err.h ) ,
-add its name to
-.Va ERR_str_libraries[]
-(in
-.Pa /usr/src/lib/libcrypto/err/err.c ) ,
-and add
-.Fn ERR_load_XXX_strings
-to the
-.Fn ERR_load_crypto_strings
-function (in
-.Sy /usr/src/lib/libcrypto/err/err_all.c ) .
-Finally, add
-.Pa xxx_err.c
-to the
-.Pa Makefile .
-.Sh USING ERROR CODES IN EXTERNAL LIBRARIES
-It is also possible to use OpenSSL's error code scheme in external
-libraries.
-.Sh INTERNALS
-The error queues are stored in a hash table with one
-.Vt ERR_STATE
-entry for each PID.
-.Fn ERR_get_state
-returns the current thread's
-.Vt ERR_STATE .
-An
-.Vt ERR_STATE
-can hold up to
-.Dv ERR_NUM_ERRORS
-error codes.
-When more error codes are added, the old ones are overwritten, on the
-assumption that the most recent errors are most important.
-.Pp
-Error strings are also stored in a hash table.
-.Sh SEE ALSO
-.Xr crypto 3 ,
-.Xr ERR_asprintf_error_data 3 ,
-.Xr ERR_clear_error 3 ,
-.Xr ERR_error_string 3 ,
-.Xr ERR_get_error 3 ,
-.Xr ERR_GET_LIB 3 ,
-.Xr ERR_load_crypto_strings 3 ,
-.Xr ERR_load_strings 3 ,
-.Xr ERR_print_errors 3 ,
-.Xr ERR_put_error 3 ,
-.Xr ERR_remove_state 3 ,
-.Xr ERR_set_mark 3 ,
-.Xr SSL_get_error 3
diff --git a/src/lib/libcrypto/man/ERR_GET_LIB.3 b/src/lib/libcrypto/man/ERR_GET_LIB.3
deleted file mode 100644
index bc14f0e2ac..0000000000
--- a/src/lib/libcrypto/man/ERR_GET_LIB.3
+++ /dev/null
@@ -1,126 +0,0 @@
-.\"     $OpenBSD: ERR_GET_LIB.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL doc/man3/ERR_GET_LIB.pod 3dfda1a6 Dec 12 11:14:40 2016 -0500
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt ERR_GET_LIB 3
-.Os
-.Sh NAME
-.Nm ERR_GET_LIB ,
-.Nm ERR_GET_FUNC ,
-.Nm ERR_GET_REASON ,
-.Nm ERR_FATAL_ERROR
-.Nd get library, function and reason codes for OpenSSL errors
-.Sh SYNOPSIS
-.In openssl/err.h
-.Ft int
-.Fo ERR_GET_LIB
-.Fa "unsigned long e"
-.Fc
-.Ft int
-.Fo ERR_GET_FUNC
-.Fa "unsigned long e"
-.Fc
-.Ft int
-.Fo ERR_GET_REASON
-.Fa "unsigned long e"
-.Fc
-.Ft int
-.Fo ERR_FATAL_ERROR
-.Fa "unsigned long e"
-.Fc
-.Sh DESCRIPTION
-The error code returned by
-.Xr ERR_get_error 3
-consists of a library number, function code, and reason code.
-.Fn ERR_GET_LIB ,
-.Fn ERR_GET_FUNC ,
-and
-.Fn ERR_GET_REASON
-can be used to extract these.
-.Pp
-The library number and function code describe where the error occurred,
-whereas the reason code is the information about what went wrong.
-.Pp
-Each sub-library of OpenSSL has a unique library number; function and
-reason codes are unique within each sub-library.
-Note that different libraries may use the same value to signal different
-functions and reasons.
-.Pp
-.Dv ERR_R_*
-reason codes such as
-.Dv ERR_R_MALLOC_FAILURE
-are globally unique.
-However, when checking for sub-library specific reason codes, be sure to
-also compare the library number.
-.Pp
-.Fn ERR_FATAL_ERROR
-indicates whether a given error code is a fatal error.
-.Pp
-These functions are implemented as macros.
-.Sh RETURN VALUES
-.Fn ERR_GET_LIB ,
-.Fn ERR_GET_FUNC ,
-and
-.Fn ERR_GET_REASON
-return the library number, function code, and reason code, respectively.
-.Pp
-.Fn ERR_FATAL_ERROR
-returns non-zero if the error is fatal or 0 otherwise.
-.Sh SEE ALSO
-.Xr ERR 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn ERR_GET_LIB ,
-.Fn ERR_GET_FUNC ,
-.Fn ERR_GET_REASON ,
-and
-.Fn ERR_FATAL_ERROR
-first appeared in SSLeay 0.4.4 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/ERR_asprintf_error_data.3 b/src/lib/libcrypto/man/ERR_asprintf_error_data.3
deleted file mode 100644
index 4291dea23e..0000000000
--- a/src/lib/libcrypto/man/ERR_asprintf_error_data.3
+++ /dev/null
@@ -1,55 +0,0 @@
-.\" $OpenBSD: ERR_asprintf_error_data.3,v 1.3 2024/08/29 20:23:21 tb Exp $
-.\"
-.\" Copyright (c) 2017 Bob Beck <beck@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd $Mdocdate: August 29 2024 $
-.Dt ERR_ASPRINTF_ERROR_DATA 3
-.Os
-.Sh NAME
-.Nm ERR_asprintf_error_data
-.Nd record a LibreSSL error using a formatted string
-.Sh SYNOPSIS
-.In openssl/err.h
-.Ft void
-.Fo ERR_asprintf_error_data
-.Fa "char * format"
-.Fa ...
-.Fc
-.Sh DESCRIPTION
-.Nm
-builds a string using
-.Xr asprintf 3
-called with the provided
-.Ar format
-and arguments.
-The resulting string is then associated with the error code that was most
-recently added.
-If
-.Xr asprintf 3
-fails, the string "malloc failed" is associated instead.
-.Pp
-.Nm
-is intended to be used instead of the OpenSSL functions
-.Fn ERR_add_error_data
-and
-.Fn ERR_add_error_vdata .
-.Sh SEE ALSO
-.Xr ERR 3 ,
-.Xr ERR_put_error 3 ,
-.Xr printf 3
-.Sh HISTORY
-.Nm
-appeared in
-.Ox 5.6
-and is available in all versions of LibreSSL.
diff --git a/src/lib/libcrypto/man/ERR_clear_error.3 b/src/lib/libcrypto/man/ERR_clear_error.3
deleted file mode 100644
index 54f563e166..0000000000
--- a/src/lib/libcrypto/man/ERR_clear_error.3
+++ /dev/null
@@ -1,70 +0,0 @@
-.\"     $OpenBSD: ERR_clear_error.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt ERR_CLEAR_ERROR 3
-.Os
-.Sh NAME
-.Nm ERR_clear_error
-.Nd clear the OpenSSL error queue
-.Sh SYNOPSIS
-.In openssl/err.h
-.Ft void
-.Fn ERR_clear_error void
-.Sh DESCRIPTION
-.Fn ERR_clear_error
-empties the current thread's error queue.
-.Sh SEE ALSO
-.Xr ERR 3 ,
-.Xr ERR_get_error 3
-.Sh HISTORY
-.Fn ERR_clear_error
-first appeared in SSLeay 0.4.4 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/ERR_error_string.3 b/src/lib/libcrypto/man/ERR_error_string.3
deleted file mode 100644
index 60f9132859..0000000000
--- a/src/lib/libcrypto/man/ERR_error_string.3
+++ /dev/null
@@ -1,176 +0,0 @@
-.\"     $OpenBSD: ERR_error_string.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2004 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt ERR_ERROR_STRING 3
-.Os
-.Sh NAME
-.Nm ERR_error_string ,
-.Nm ERR_error_string_n ,
-.Nm ERR_lib_error_string ,
-.Nm ERR_func_error_string ,
-.Nm ERR_reason_error_string
-.Nd obtain human-readable OpenSSL error messages
-.Sh SYNOPSIS
-.In openssl/err.h
-.Ft char *
-.Fo ERR_error_string
-.Fa "unsigned long e"
-.Fa "char *buf"
-.Fc
-.Ft void
-.Fo ERR_error_string_n
-.Fa "unsigned long e"
-.Fa "char *buf"
-.Fa "size_t len"
-.Fc
-.Ft const char *
-.Fo ERR_lib_error_string
-.Fa "unsigned long e"
-.Fc
-.Ft const char *
-.Fo ERR_func_error_string
-.Fa "unsigned long e"
-.Fc
-.Ft const char *
-.Fo ERR_reason_error_string
-.Fa "unsigned long e"
-.Fc
-.Sh DESCRIPTION
-.Fn ERR_error_string
-generates a human-readable string representing the error code
-.Fa e
-and places it in
-.Fa buf .
-.Fa buf
-must be at least 256 bytes long.
-If
-.Fa buf
-is
-.Dv NULL ,
-the error string is placed in a static buffer.
-Note that this function is not thread-safe and does no checks on
-the size of the buffer; use
-.Fn ERR_error_string_n
-instead.
-.Pp
-.Fn ERR_error_string_n
-is a variant of
-.Fn ERR_error_string
-that writes at most
-.Fa len
-characters (including the terminating NUL) and truncates the string
-if necessary.
-For
-.Fn ERR_error_string_n ,
-.Fa buf
-may not be
-.Dv NULL .
-.Pp
-The string will have the following format:
-.Pp
-.Dl error:[error code]:[library name]:[function name]:[reason string]
-.Pp
-The error code is an 8-digit hexadecimal number.
-The library name, the function name, and the reason string are ASCII
-text.
-.Pp
-.Fn ERR_lib_error_string ,
-.Fn ERR_func_error_string ,
-and
-.Fn ERR_reason_error_string
-return the library name, the function name, and the reason string,
-respectively.
-.Pp
-The OpenSSL error strings should be loaded by calling
-.Xr ERR_load_crypto_strings 3
-or, for SSL applications,
-.Xr SSL_load_error_strings 3
-first.
-If there is no text string registered for the given error code, the
-error string will contain the numeric code.
-.Pp
-.Xr ERR_print_errors 3
-can be used to print all error codes currently in the queue.
-.Sh RETURN VALUES
-.Fn ERR_error_string
-returns a pointer to a static buffer containing the string if
-.Fa buf
-is
-.Dv NULL ,
-or
-.Fa buf
-otherwise.
-.Pp
-.Fn ERR_lib_error_string ,
-.Fn ERR_func_error_string ,
-and
-.Fn ERR_reason_error_string
-return the strings, or
-.Dv NULL
-if none is registered for the error code.
-.Sh SEE ALSO
-.Xr ERR 3 ,
-.Xr ERR_get_error 3 ,
-.Xr ERR_load_crypto_strings 3 ,
-.Xr ERR_print_errors 3 ,
-.Xr SSL_load_error_strings 3
-.Sh HISTORY
-.Fn ERR_error_string ,
-.Fn ERR_lib_error_string ,
-.Fn ERR_func_error_string ,
-and
-.Fn ERR_reason_error_string
-first appeared in SSLeay 0.4.4 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn ERR_error_string_n
-first appeared in OpenSSL 0.9.6 and has been available since
-.Ox 2.9 .
diff --git a/src/lib/libcrypto/man/ERR_get_error.3 b/src/lib/libcrypto/man/ERR_get_error.3
deleted file mode 100644
index f3bcc09cbc..0000000000
--- a/src/lib/libcrypto/man/ERR_get_error.3
+++ /dev/null
@@ -1,191 +0,0 @@
-.\"     $OpenBSD: ERR_get_error.3,v 1.8 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2014 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt ERR_GET_ERROR 3
-.Os
-.Sh NAME
-.Nm ERR_get_error ,
-.Nm ERR_peek_error ,
-.Nm ERR_peek_last_error ,
-.Nm ERR_get_error_line ,
-.Nm ERR_peek_error_line ,
-.Nm ERR_peek_last_error_line ,
-.Nm ERR_get_error_line_data ,
-.Nm ERR_peek_error_line_data ,
-.Nm ERR_peek_last_error_line_data
-.Nd obtain OpenSSL error code and data
-.Sh SYNOPSIS
-.In openssl/err.h
-.Ft unsigned long
-.Fn ERR_get_error void
-.Ft unsigned long
-.Fn ERR_peek_error void
-.Ft unsigned long
-.Fn ERR_peek_last_error void
-.Ft unsigned long
-.Fo ERR_get_error_line
-.Fa "const char **file"
-.Fa "int *line"
-.Fc
-.Ft unsigned long
-.Fo ERR_peek_error_line
-.Fa "const char **file"
-.Fa "int *line"
-.Fc
-.Ft unsigned long
-.Fo ERR_peek_last_error_line
-.Fa "const char **file"
-.Fa "int *line"
-.Fc
-.Ft unsigned long
-.Fo ERR_get_error_line_data
-.Fa "const char **file"
-.Fa "int *line"
-.Fa "const char **data"
-.Fa "int *flags"
-.Fc
-.Ft unsigned long
-.Fo ERR_peek_error_line_data
-.Fa "const char **file"
-.Fa "int *line"
-.Fa "const char **data"
-.Fa "int *flags"
-.Fc
-.Ft unsigned long
-.Fo ERR_peek_last_error_line_data
-.Fa "const char **file"
-.Fa "int *line"
-.Fa "const char **data"
-.Fa "int *flags"
-.Fc
-.Sh DESCRIPTION
-.Fn ERR_get_error
-returns the earliest error code from the thread's error queue and
-removes the entry.
-This function can be called repeatedly until there are no more error
-codes to return.
-.Pp
-.Fn ERR_peek_error
-returns the earliest error code from the thread's error queue without
-modifying it.
-.Pp
-.Fn ERR_peek_last_error
-returns the latest error code from the thread's error queue without
-modifying it.
-.Pp
-See
-.Xr ERR_GET_LIB 3
-for obtaining information about the location and reason for the error, and
-.Xr ERR_error_string 3
-for human-readable error messages.
-.Pp
-.Fn ERR_get_error_line ,
-.Fn ERR_peek_error_line ,
-and
-.Fn ERR_peek_last_error_line
-are the same as the above, but they additionally store the file name and
-line number where the error occurred in
-.Pf * Fa file
-and
-.Pf * Fa line ,
-unless these are
-.Dv NULL .
-.Pp
-.Fn ERR_get_error_line_data ,
-.Fn ERR_peek_error_line_data ,
-and
-.Fn ERR_peek_last_error_line_data
-store additional data and flags associated with the error code in
-.Pf * Fa data
-and
-.Pf * Fa flags ,
-unless these are
-.Dv NULL .
-.Pf * Fa data
-contains a string if
-.Pf * Fa flags Ns & Ns Dv ERR_TXT_STRING
-is true.
-.Pp
-An application
-.Sy MUST NOT
-free the
-.Pf * Fa data
-pointer (or any other pointers returned by these functions) with
-.Xr free 3
-as freeing is handled automatically by the error library.
-.Sh RETURN VALUES
-The error code, or 0 if there is no error in the queue.
-.Sh SEE ALSO
-.Xr ERR 3 ,
-.Xr ERR_error_string 3 ,
-.Xr ERR_GET_LIB 3
-.Sh HISTORY
-.Fn ERR_get_error
-and
-.Fn ERR_peek_error
-first appeared in SSLeay 0.4.4.
-.Fn ERR_get_error_line
-and
-.Fn ERR_peek_error_line
-first appeared in SSLeay 0.6.0.
-.Fn ERR_get_error_line_data
-and
-.Fn ERR_peek_error_line_data
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn ERR_peek_last_error ,
-.Fn ERR_peek_last_error_line ,
-and
-.Fn ERR_peek_last_error_line_data
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/ERR_load_crypto_strings.3 b/src/lib/libcrypto/man/ERR_load_crypto_strings.3
deleted file mode 100644
index 2bca8af60f..0000000000
--- a/src/lib/libcrypto/man/ERR_load_crypto_strings.3
+++ /dev/null
@@ -1,150 +0,0 @@
-.\" $OpenBSD: ERR_load_crypto_strings.3,v 1.12 2024/03/05 19:21:31 tb Exp $
-.\" full merge up to: OpenSSL f672aee4 Feb 9 11:52:40 2016 -0500
-.\" selective merge up to: OpenSSL b3696a55 Sep 2 09:35:50 2017 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 5 2024 $
-.Dt ERR_LOAD_CRYPTO_STRINGS 3
-.Os
-.Sh NAME
-.Nm ERR_load_crypto_strings ,
-.Nm ERR_free_strings ,
-.Nm SSL_load_error_strings
-.Nd load and free OpenSSL error strings
-.\" The following functions are intentionally undocumented
-.\" because they are merely subroutines of ERR_load_crypto_strings(3)
-.\" and should not have been made a part of the API:
-.\" ERR_load_ASN1_strings()
-.\" ERR_load_BIO_strings()
-.\" ERR_load_BN_strings()
-.\" ERR_load_BUF_strings()
-.\" ERR_load_CMS_strings()
-.\" ERR_load_CONF_strings()
-.\" ERR_load_CRYPTO_strings()
-.\" ERR_load_DH_strings()
-.\" ERR_load_DSA_strings()
-.\" ERR_load_EC_strings()
-.\" ERR_load_ERR_strings()
-.\" ERR_load_EVP_strings()
-.\" ERR_load_OBJ_strings()
-.\" ERR_load_OCSP_strings()
-.\" ERR_load_PEM_strings()
-.\" ERR_load_PKCS12_strings()
-.\" ERR_load_PKCS7_strings()
-.\" ERR_load_RAND_strings()
-.\" ERR_load_RSA_strings()
-.\" ERR_load_TS_strings()
-.\" ERR_load_UI_strings()
-.\" ERR_load_X509_strings()
-.\" ERR_load_X509V3_strings()
-.Sh SYNOPSIS
-.In openssl/err.h
-.Ft void
-.Fn ERR_load_crypto_strings void
-.Ft void
-.Fn ERR_free_strings void
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_load_error_strings void
-.Sh DESCRIPTION
-These functions are deprecated.
-It is never useful for any application program to call any of them explicitly.
-The library automatically calls them internally whenever needed.
-.Pp
-.Fn ERR_load_crypto_strings
-registers the error strings for all
-.Xr crypto 3
-functions.
-.Fn SSL_load_error_strings
-does the same, but also registers the
-.Xr ssl 3
-error strings.
-.Pp
-If the error strings were already loaded before, no action occurs.
-.Pp
-.Fn ERR_free_strings
-frees all previously loaded error strings.
-.Sh SEE ALSO
-.Xr ERR 3 ,
-.Xr ERR_error_string 3 ,
-.Xr OPENSSL_config 3
-.Sh HISTORY
-.Fn ERR_load_crypto_strings
-and
-.Fn SSL_load_error_strings
-first appeared in SSLeay 0.4.4.
-.Fn ERR_free_strings
-first appeared in SSLeay 0.5.1.
-These functions been available since
-.Ox 2.4 .
-.Sh BUGS
-Even though the error strings are already compiled into the object
-code of the library as static strings, these functions store them
-again using dynamically allocated memory on the heap.
-That may fail if insufficient memory is available,
-but these functions do not report such errors.
-Instead, they fail silently, possibly having registered none or only
-a part of the strings requested.
diff --git a/src/lib/libcrypto/man/ERR_load_strings.3 b/src/lib/libcrypto/man/ERR_load_strings.3
deleted file mode 100644
index 1020743954..0000000000
--- a/src/lib/libcrypto/man/ERR_load_strings.3
+++ /dev/null
@@ -1,116 +0,0 @@
-.\"     $OpenBSD: ERR_load_strings.3,v 1.8 2024/07/26 03:40:43 tb Exp $
-.\"     OpenSSL 05ea606a May 20 20:52:46 2016 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 26 2024 $
-.Dt ERR_LOAD_STRINGS 3
-.Os
-.Sh NAME
-.Nm ERR_load_strings ,
-.Nm ERR_PACK ,
-.Nm ERR_get_next_error_library
-.Nd load arbitrary OpenSSL error strings
-.Sh SYNOPSIS
-.In openssl/err.h
-.Ft void
-.Fo ERR_load_strings
-.Fa "int lib"
-.Fa "ERR_STRING_DATA str[]"
-.Fc
-.Ft unsigned long
-.Fo ERR_PACK
-.Fa "int lib"
-.Fa "int func"
-.Fa "int reason"
-.Fc
-.Ft int
-.Fn ERR_get_next_error_library void
-.Sh DESCRIPTION
-.Fn ERR_load_strings
-registers error strings for library number
-.Fa lib .
-.Pp
-.Fa str
-is an array of error string data:
-.Bd -literal -offset indent
-typedef struct ERR_string_data_st {
-        unsigned long error;
-        char *string;
-} ERR_STRING_DATA;
-.Ed
-.Pp
-The error code is generated from the library number and a function and
-reason code:
-.Pp
-.Dl error = ERR_PACK(lib, func, reason)
-.Pp
-.Fn ERR_PACK
-is a macro.
-.Pp
-The last entry in the array is
-.Brq 0 , Dv NULL .
-.Pp
-.Fn ERR_get_next_error_library
-can be used to assign library numbers to user libraries at runtime.
-.Sh RETURN VALUES
-.Fn ERR_PACK
-returns the error code.
-.Fn ERR_get_next_error_library
-returns a new library number.
-.Sh SEE ALSO
-.Xr ERR 3
-.Sh HISTORY
-.Fn ERR_load_strings
-and
-.Fn ERR_PACK
-first appeared in SSLeay 0.4.4.
-.Fn ERR_get_next_error_library
-first appeared in SSLeay 0.9.0.
-These functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/ERR_print_errors.3 b/src/lib/libcrypto/man/ERR_print_errors.3
deleted file mode 100644
index a5c7c03287..0000000000
--- a/src/lib/libcrypto/man/ERR_print_errors.3
+++ /dev/null
@@ -1,122 +0,0 @@
-.\"     $OpenBSD: ERR_print_errors.3,v 1.8 2020/03/28 22:40:58 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>,
-.\" with additions by Rich Salz <rsalz@openssl.org>.
-.\" Copyright (c) 2000, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 28 2020 $
-.Dt ERR_PRINT_ERRORS 3
-.Os
-.Sh NAME
-.Nm ERR_print_errors ,
-.Nm ERR_print_errors_fp ,
-.Nm ERR_print_errors_cb
-.Nd print OpenSSL error messages
-.Sh SYNOPSIS
-.In openssl/err.h
-.Ft void
-.Fo ERR_print_errors
-.Fa "BIO *bp"
-.Fc
-.Ft void
-.Fo ERR_print_errors_fp
-.Fa "FILE *fp"
-.Fc
-.Ft void
-.Fo ERR_print_errors_cb
-.Fa "int (*cb)(const char *str, size_t len, void *u)"
-.Fa "void *u"
-.Fc
-.Sh DESCRIPTION
-.Fn ERR_print_errors
-is a convenience function that prints the error strings for all errors
-that OpenSSL has recorded to
-.Fa bp ,
-thus emptying the error queue.
-.Pp
-.Fn ERR_print_errors_fp
-is the same, except that the output goes to a
-.Vt FILE .
-.Pp
-.Fn ERR_print_errors_cb
-is the same, except that the callback function,
-.Fa cb ,
-is called for each error line with the string, length, and userdata
-.Fa u
-as the callback parameters.
-.Pp
-The error strings have the following format:
-.Bd -literal
-[pid]:error:[error code]:[library name]:[function name]:[reason string]:
-[file name]:[line]:[optional text message]
-.Ed
-.Pp
-The error code is an 8-digit hexadecimal number.
-The library name, the function name, and the reason string are ASCII
-text, as is the optional text message if one was set for the
-respective error code.
-.Pp
-If there is no text string registered for the given error code, the
-error string will contain the numeric code.
-.Sh SEE ALSO
-.Xr ERR 3 ,
-.Xr ERR_error_string 3 ,
-.Xr ERR_get_error 3 ,
-.Xr ERR_load_crypto_strings 3 ,
-.Xr SSL_load_error_strings 3
-.Sh HISTORY
-.Fn ERR_print_errors
-first appeared in SSLeay 0.4.5.
-.Fn ERR_print_errors_fp
-first appeared in SSLeay 0.6.0.
-Both functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn ERR_print_errors_cb
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/ERR_put_error.3 b/src/lib/libcrypto/man/ERR_put_error.3
deleted file mode 100644
index 37e1b4d1ab..0000000000
--- a/src/lib/libcrypto/man/ERR_put_error.3
+++ /dev/null
@@ -1,125 +0,0 @@
-.\"     $OpenBSD: ERR_put_error.3,v 1.11 2024/08/29 20:23:21 tb Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 29 2024 $
-.Dt ERR_PUT_ERROR 3
-.Os
-.Sh NAME
-.Nm ERR_put_error
-.Nd record an OpenSSL error
-.Sh SYNOPSIS
-.In openssl/err.h
-.Ft void
-.Fo ERR_put_error
-.Fa "int lib"
-.Fa "int func"
-.Fa "int reason"
-.Fa "const char *file"
-.Fa "int line"
-.Fc
-.Sh DESCRIPTION
-.Fn ERR_put_error
-adds an error code to the thread's error queue.
-It signals that the error of reason code
-.Fa reason
-occurred in function
-.Fa func
-of library
-.Fa lib ,
-in line number
-.Fa line
-of
-.Fa file .
-This function is usually called by a macro.
-.Pp
-.Xr ERR_load_strings 3
-can be used to register error strings so that the application can
-generate human-readable error messages for the error code.
-.Pp
-Each sub-library has a specific macro
-.Fn XXXerr f r
-that is used to report errors.
-Its first argument is a function code
-.Dv XXX_F_* ;
-the second argument is a reason code
-.Dv XXX_R_* .
-Function codes are derived from the function names
-whereas reason codes consist of textual error descriptions.
-For example, the function
-.Fn ssl23_read
-reports a "handshake failure" as follows:
-.Pp
-.Dl SSLerr(SSL_F_SSL23_READ, SSL_R_SSL_HANDSHAKE_FAILURE);
-.Pp
-Function and reason codes should consist of upper case characters,
-numbers and underscores only.
-The error file generation script translates function codes into function
-names by looking in the header files for an appropriate function name.
-If none is found, it just uses the capitalized form such as "SSL23_READ"
-in the above example.
-.Pp
-The trailing section of a reason code (after the "_R_") is translated
-into lower case and underscores changed to spaces.
-.Pp
-Although a library will normally report errors using its own specific
-.Fn XXXerr
-macro, another library's macro can be used.
-This is normally only done when a library wants to include ASN.1 code
-which must use the
-.Fn ASN1err
-macro.
-.Sh SEE ALSO
-.Xr ERR 3 ,
-.Xr ERR_asprintf_error_data 3 ,
-.Xr ERR_load_strings 3
-.Sh HISTORY
-.Fn ERR_put_error
-first appeared in SSLeay 0.4.4 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/ERR_remove_state.3 b/src/lib/libcrypto/man/ERR_remove_state.3
deleted file mode 100644
index bc28f15dea..0000000000
--- a/src/lib/libcrypto/man/ERR_remove_state.3
+++ /dev/null
@@ -1,108 +0,0 @@
-.\"     $OpenBSD: ERR_remove_state.3,v 1.7 2020/03/28 22:40:58 schwarze Exp $
-.\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org> and
-.\" Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2000, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 28 2020 $
-.Dt ERR_REMOVE_STATE 3
-.Os
-.Sh NAME
-.Nm ERR_remove_thread_state ,
-.Nm ERR_remove_state
-.Nd free a thread's OpenSSL error queue
-.Sh SYNOPSIS
-.In openssl/err.h
-.Ft void
-.Fo ERR_remove_thread_state
-.Fa "const CRYPTO_THREADID *tid"
-.Fc
-.Pp
-Deprecated:
-.Pp
-.Ft void
-.Fo ERR_remove_state
-.Fa "unsigned long pid"
-.Fc
-.Sh DESCRIPTION
-.Fn ERR_remove_thread_state
-frees the error queue associated with thread
-.Fa tid .
-If
-.Fa tid
-is
-.Dv NULL ,
-the current thread will have its error queue removed.
-.Pp
-Since error queue data structures are allocated automatically for new
-threads, they must be freed when threads are terminated in order to
-avoid memory leaks.
-.Pp
-.Fn ERR_remove_state
-is deprecated and has been replaced by
-.Fn ERR_remove_thread_state .
-Since threads in OpenSSL are no longer identified by unsigned long
-values, any argument to this function is ignored.
-Calling
-.Fn ERR_remove_state
-is equivalent to
-.Fn ERR_remove_thread_state NULL .
-.Sh SEE ALSO
-.Xr ERR 3
-.Sh HISTORY
-.Fn ERR_remove_state
-first appeared in SSLeay 0.6.1 and has been available since
-.Ox 2.4 .
-.Pp
-It was deprecated in OpenSSL 1.0.0 and
-.Ox 4.9
-when
-.Fn ERR_remove_thread_state
-was introduced and thread IDs were introduced to identify threads
-instead of
-.Vt unsigned long .
diff --git a/src/lib/libcrypto/man/ERR_set_mark.3 b/src/lib/libcrypto/man/ERR_set_mark.3
deleted file mode 100644
index 2f3486d8c0..0000000000
--- a/src/lib/libcrypto/man/ERR_set_mark.3
+++ /dev/null
@@ -1,86 +0,0 @@
-.\"     $OpenBSD: ERR_set_mark.3,v 1.4 2018/03/23 00:09:11 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Richard Levitte <levitte@openssl.org>.
-.\" Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 23 2018 $
-.Dt ERR_SET_MARK 3
-.Os
-.Sh NAME
-.Nm ERR_set_mark ,
-.Nm ERR_pop_to_mark
-.Nd set marks and pop OpenSSL errors until mark
-.Sh SYNOPSIS
-.In openssl/err.h
-.Ft int
-.Fn ERR_set_mark void
-.Ft int
-.Fn ERR_pop_to_mark void
-.Sh DESCRIPTION
-.Fn ERR_set_mark
-sets a mark on the current topmost error record if there is one.
-.Pp
-.Fn ERR_pop_to_mark
-will pop the top of the error stack until a mark is found.
-The mark is then removed.
-If there is no mark, the whole stack is removed.
-.Sh RETURN VALUES
-.Fn ERR_set_mark
-returns 0 if the error stack is empty, otherwise 1.
-.Pp
-.Fn ERR_pop_to_mark
-returns 0 if there was no mark in the error stack, which implies that
-the stack became empty, otherwise 1.
-.Sh SEE ALSO
-.Xr ERR 3
-.Sh HISTORY
-.Fn ERR_set_mark
-and
-.Fn ERR_pop_to_mark
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/ESS_SIGNING_CERT_new.3 b/src/lib/libcrypto/man/ESS_SIGNING_CERT_new.3
deleted file mode 100644
index 4baabbcd99..0000000000
--- a/src/lib/libcrypto/man/ESS_SIGNING_CERT_new.3
+++ /dev/null
@@ -1,117 +0,0 @@
-.\"     $OpenBSD: ESS_SIGNING_CERT_new.3,v 1.5 2019/06/06 01:06:58 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 6 2019 $
-.Dt ESS_SIGNING_CERT_NEW 3
-.Os
-.Sh NAME
-.Nm ESS_SIGNING_CERT_new ,
-.Nm ESS_SIGNING_CERT_free ,
-.Nm ESS_CERT_ID_new ,
-.Nm ESS_CERT_ID_free ,
-.Nm ESS_ISSUER_SERIAL_new ,
-.Nm ESS_ISSUER_SERIAL_free
-.Nd signing certificates for S/MIME
-.Sh SYNOPSIS
-.In openssl/ts.h
-.Ft ESS_SIGNING_CERT *
-.Fn ESS_SIGNING_CERT_new void
-.Ft void
-.Fn ESS_SIGNING_CERT_free "ESS_SIGNING_CERT *signing_cert"
-.Ft ESS_CERT_ID *
-.Fn ESS_CERT_ID_new void
-.Ft void
-.Fn ESS_CERT_ID_free "ESS_CERT_ID *cert_id"
-.Ft ESS_ISSUER_SERIAL *
-.Fn ESS_ISSUER_SERIAL_new void
-.Ft void
-.Fn ESS_ISSUER_SERIAL_free "ESS_ISSUER_SERIAL *issuer_serial"
-.Sh DESCRIPTION
-The signing certificate may be included in the signedAttributes
-field of a
-.Vt SignerInfo
-structure to mitigate simple substitution and re-issue attacks.
-.Pp
-.Fn ESS_SIGNING_CERT_new
-allocates and initializes an empty
-.Vt ESS_SIGNING_CERT
-object, representing an ASN.1
-.Vt SigningCertificate
-structure defined in RFC 2634 section 5.4.
-It can hold the certificate used for signing the data,
-additional authorization certificates that can be used during
-validation, and policies applying to the certificate.
-.Fn ESS_SIGNING_CERT_free
-frees
-.Fa signing_cert .
-.Pp
-.Fn ESS_CERT_ID_new
-allocates and initializes an empty
-.Vt ESS_CERT_ID
-object, representing an ASN.1
-.Vt ESSCertID
-structure defined in RFC 2634 section 5.4.1.
-Such objects can be used inside
-.Vt ESS_SIGNING_CERT
-objects, and each one can hold a SHA1 hash of one certificate.
-.Fn ESS_CERT_ID_free
-frees
-.Fa cert_id .
-.Pp
-.Fn ESS_ISSUER_SERIAL_new
-allocates and initializes an empty
-.Vt ESS_ISSUER_SERIAL
-object, representing an ASN.1
-.Vt IssuerSerial
-structure defined in RFC 2634 section 5.4.1.
-It can hold an issuer name and a serial number and can be included in an
-.Vt ESS_CERT_ID
-object, which is useful for additional authorization certificates,
-but redundant for the signing certificate itself.
-.Fn ESS_ISSUER_SERIAL_free
-frees
-.Fa issuer_serial .
-.Sh RETURN VALUES
-.Fn ESS_SIGNING_CERT_new ,
-.Fn ESS_CERT_ID_new ,
-and
-.Fn ESS_ISSUER_SERIAL_new
-return the new
-.Vt ESS_SIGNING_CERT ,
-.Vt ESS_CERT_ID ,
-or
-.Vt ESS_ISSUER_SERIAL
-object, respectively, or
-.Dv NULL
-if an error occurred.
-.Sh SEE ALSO
-.Xr d2i_ESS_SIGNING_CERT 3
-.Sh STANDARDS
-RFC 2634: Enhanced Security Services for S/MIME,
-section 5: Signing Certificate Attribute
-.Pp
-Note that RFC 2634 has been updated by RFC 5035:
-Enhanced Security Services (ESS) Update:
-Adding CertID Algorithm Agility.
-But the current implementation only supports the
-Signing Certificate Attribute Definition Version 1
-according to RFC 2634, not the
-Signing Certificate Attribute Definition Version 2
-according to RFC 5035.
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.0
-and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
deleted file mode 100644
index 8b3b8adb0f..0000000000
--- a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
+++ /dev/null
@@ -1,411 +0,0 @@
-.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.16 2024/07/21 08:36:43 tb Exp $
-.\"
-.\" Copyright (c) 2014, Google Inc.
-.\" Parts of the text were written by Adam Langley and David Benjamin.
-.\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 21 2024 $
-.Dt EVP_AEAD_CTX_INIT 3
-.Os
-.Sh NAME
-.Nm EVP_AEAD_CTX_new ,
-.Nm EVP_AEAD_CTX_free ,
-.Nm EVP_AEAD_CTX_init ,
-.Nm EVP_AEAD_CTX_cleanup ,
-.Nm EVP_AEAD_CTX_open ,
-.Nm EVP_AEAD_CTX_seal ,
-.Nm EVP_AEAD_key_length ,
-.Nm EVP_AEAD_max_overhead ,
-.Nm EVP_AEAD_max_tag_len ,
-.Nm EVP_AEAD_nonce_length ,
-.Nm EVP_aead_aes_128_gcm ,
-.Nm EVP_aead_aes_256_gcm ,
-.Nm EVP_aead_chacha20_poly1305 ,
-.Nm EVP_aead_xchacha20_poly1305
-.Nd authenticated encryption with additional data
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft EVP_AEAD_CTX *
-.Fn EVP_AEAD_CTX_new void
-.Ft void
-.Fo EVP_AEAD_CTX_free
-.Fa "EVP_AEAD_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_AEAD_CTX_init
-.Fa "EVP_AEAD_CTX *ctx"
-.Fa "const EVP_AEAD *aead"
-.Fa "const unsigned char *key"
-.Fa "size_t key_len"
-.Fa "size_t tag_len"
-.Fa "ENGINE *engine"
-.Fc
-.Ft void
-.Fo EVP_AEAD_CTX_cleanup
-.Fa "EVP_AEAD_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_AEAD_CTX_open
-.Fa "const EVP_AEAD_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "size_t *out_len"
-.Fa "size_t max_out_len"
-.Fa "const unsigned char *nonce"
-.Fa "size_t nonce_len"
-.Fa "const unsigned char *in"
-.Fa "size_t in_len"
-.Fa "const unsigned char *ad"
-.Fa "size_t ad_len"
-.Fc
-.Ft int
-.Fo EVP_AEAD_CTX_seal
-.Fa "const EVP_AEAD_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "size_t *out_len"
-.Fa "size_t max_out_len"
-.Fa "const unsigned char *nonce"
-.Fa "size_t nonce_len"
-.Fa "const unsigned char *in"
-.Fa "size_t in_len"
-.Fa "const unsigned char *ad"
-.Fa "size_t ad_len"
-.Fc
-.Ft size_t
-.Fo EVP_AEAD_key_length
-.Fa "const EVP_AEAD *aead"
-.Fc
-.Ft size_t
-.Fo EVP_AEAD_max_overhead
-.Fa "const EVP_AEAD *aead"
-.Fc
-.Ft size_t
-.Fo EVP_AEAD_max_tag_len
-.Fa "const EVP_AEAD *aead"
-.Fc
-.Ft size_t
-.Fo EVP_AEAD_nonce_length
-.Fa "const EVP_AEAD *aead"
-.Fc
-.Ft const EVP_AEAD *
-.Fo EVP_aead_aes_128_gcm
-.Fa void
-.Fc
-.Ft const EVP_AEAD *
-.Fo EVP_aead_aes_256_gcm
-.Fa void
-.Fc
-.Ft const EVP_AEAD *
-.Fo EVP_aead_chacha20_poly1305
-.Fa void
-.Fc
-.Ft const EVP_AEAD *
-.Fo EVP_aead_xchacha20_poly1305
-.Fa void
-.Fc
-.Sh DESCRIPTION
-AEAD (Authenticated Encryption with Additional Data) couples
-confidentiality and integrity in a single primitive.
-AEAD algorithms take a key and can then seal and open individual
-messages.
-Each message has a unique, per-message nonce and, optionally, additional
-data which is authenticated but not included in the output.
-.Pp
-.Fn EVP_AEAD_CTX_new
-allocates a new context for use with
-.Fn EVP_AEAD_CTX_init .
-It can be cleaned up for reuse with
-.Fn EVP_AEAD_CTX_cleanup
-and must be freed with
-.Fn EVP_AEAD_CTX_free .
-.Pp
-.Fn EVP_AEAD_CTX_free
-cleans up
-.Fa ctx
-and frees the space allocated to it.
-.Pp
-.Fn EVP_AEAD_CTX_init
-initializes the context
-.Fa ctx
-for the given AEAD algorithm
-.Fa aead .
-The
-.Fa engine
-argument must be
-.Dv NULL
-for the default implementation;
-other values are not supported.
-Authentication tags may be truncated by passing a tag length.
-A
-.Fa tag_len
-argument of
-.Dv EVP_AEAD_DEFAULT_TAG_LENGTH ,
-which has the value 0, causes the default tag length to be used.
-.Pp
-.Fn EVP_AEAD_CTX_cleanup
-frees any data allocated for the context
-.Fa ctx .
-After
-.Fn EVP_AEAD_CTX_cleanup ,
-.Fa ctx
-is in the same state as after
-.Fn EVP_AEAD_CTX_new .
-.Pp
-.Fn EVP_AEAD_CTX_open
-authenticates the input
-.Fa in
-and optional additional data
-.Fa ad ,
-decrypting the input and writing it as output
-.Fa out .
-This function may be called (with the same
-.Vt EVP_AEAD_CTX )
-concurrently with itself or with
-.Fn EVP_AEAD_CTX_seal .
-At most the number of input bytes are written as output.
-In order to ensure success,
-.Fa max_out_len
-should be at least the same as the input length
-.Fa in_len .
-On successful return
-.Fa out_len
-is set to the actual number of bytes written.
-The length of the
-.Fa nonce
-specified with
-.Fa nonce_len
-must be equal to the result of EVP_AEAD_nonce_length for this AEAD.
-.Fn EVP_AEAD_CTX_open
-never results in partial output.
-If
-.Fa max_out_len
-is insufficient, zero will be returned and
-.Fa out_len
-will be set to zero.
-If the input and output are aliased then
-.Fa out
-must be <=
-.Fa in .
-.Pp
-.Fn EVP_AEAD_CTX_seal
-encrypts and authenticates the input and authenticates any additional
-data provided in
-.Fa ad ,
-the encrypted input and authentication tag being written as output
-.Fa out .
-This function may be called (with the same
-.Vt EVP_AEAD_CTX )
-concurrently with itself or with
-.Fn EVP_AEAD_CTX_open .
-At most
-.Fa max_out_len
-bytes are written as output and, in order to ensure success, this value
-should be the
-.Fa in_len
-plus the result of
-.Fn EVP_AEAD_max_overhead .
-On successful return,
-.Fa out_len
-is set to the actual number of bytes written.
-The length of the
-.Fa nonce
-specified with
-.Fa nonce_len
-must be equal to the result of
-.Fn EVP_AEAD_nonce_length
-for this AEAD.
-.Fn EVP_AEAD_CTX_seal
-never results in a partial output.
-If
-.Fa max_out_len
-is insufficient, zero will be returned and
-.Fa out_len
-will be set to zero.
-If the input and output are aliased then
-.Fa out
-must be <=
-.Fa in .
-.Pp
-.Fn EVP_AEAD_key_length ,
-.Fn EVP_AEAD_max_overhead ,
-.Fn EVP_AEAD_max_tag_len ,
-and
-.Fn EVP_AEAD_nonce_length
-provide information about the AEAD algorithm
-.Fa aead .
-.Pp
-.Fn EVP_AEAD_max_tag_len
-returns the maximum tag length that can be used with the given
-.Fa aead .
-This is the largest value that can be passed as the
-.Fa tag_len
-argument to
-.Fn EVP_AEAD_CTX_init .
-No built-in
-.Vt EVP_AEAD
-object has a maximum tag length larger than the constant
-.Dv EVP_AEAD_MAX_TAG_LENGTH .
-.Pp
-All cipher algorithms have a fixed key length unless otherwise stated.
-The following ciphers are available:
-.Bl -tag -width Ds -offset indent
-.It Fn EVP_aead_aes_128_gcm
-AES-128 in Galois Counter Mode, using a
-.Fa key_len
-of 16 bytes and a
-.Fa nonce_len
-of 12 bytes.
-.It Fn EVP_aead_aes_256_gcm
-AES-256 in Galois Counter Mode, using a
-.Fa key_len
-of 32 bytes and a
-.Fa nonce_len
-of 12 bytes.
-.It Fn EVP_aead_chacha20_poly1305
-ChaCha20 with a Poly1305 authenticator, using a
-.Fa key_len
-of 32 bytes and a
-.Fa nonce_len
-of 12 bytes.
-The constant
-.Dv EVP_CHACHAPOLY_TLS_TAG_LEN
-specifies the length of the authentication tag in bytes and has a value of 16.
-.It Fn EVP_aead_xchacha20_poly1305
-XChaCha20 with a Poly1305 authenticator, using a
-.Fa key_len
-of 32 bytes and a
-.Fa nonce_len
-of 24 bytes.
-.El
-.Pp
-Unless compatibility with other implementations
-like OpenSSL or BoringSSL is required, using the
-.Sy EVP_AEAD
-interface to AEAD ciphers is recommended
-in preference to the functions documented in the
-.Xr EVP_EncryptInit 3 ,
-.Xr EVP_aes_256_gcm 3 ,
-and
-.Xr EVP_chacha20_poly1305 3
-manual pages.
-The code then becomes transparent to the AEAD cipher used
-and much more flexible.
-It is also safer to use as it prevents common mistakes with the EVP APIs.
-.Sh RETURN VALUES
-.Fn EVP_AEAD_CTX_new
-returns the new
-.Vt EVP_AEAD_CTX
-object on success;
-otherwise
-.Dv NULL
-is returned and
-.Va errno
-is set to
-.Er ENOMEM .
-.Pp
-.Fn EVP_AEAD_CTX_init ,
-.Fn EVP_AEAD_CTX_open ,
-and
-.Fn EVP_AEAD_CTX_seal
-return 1 for success or zero for failure.
-.Pp
-.Fn EVP_AEAD_key_length
-returns the length of the key used for this AEAD.
-.Pp
-.Fn EVP_AEAD_max_overhead
-returns the maximum number of additional bytes added by the act of
-sealing data with the AEAD.
-.Pp
-.Fn EVP_AEAD_max_tag_len
-returns the maximum tag length when using this AEAD.
-.Pp
-.Fn EVP_AEAD_nonce_length
-returns the length of the per-message nonce.
-.Sh EXAMPLES
-Encrypt a string using ChaCha20-Poly1305:
-.Bd -literal -offset indent
-const EVP_AEAD *aead = EVP_aead_chacha20_poly1305();
-static const unsigned char nonce[32] = {0};
-size_t buf_len, nonce_len;
-EVP_AEAD_CTX *ctx;
-
-ctx = EVP_AEAD_CTX_new();
-EVP_AEAD_CTX_init(ctx, aead, key32, EVP_AEAD_key_length(aead),
-    EVP_AEAD_DEFAULT_TAG_LENGTH, NULL);
-nonce_len = EVP_AEAD_nonce_length(aead);
-
-EVP_AEAD_CTX_seal(ctx, out, &out_len, BUFSIZE, nonce,
-    nonce_len, in, in_len, NULL, 0);
-
-EVP_AEAD_CTX_free(ctx);
-.Ed
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_EncryptInit 3
-.Sh STANDARDS
-.Rs
-.%A A. Langley
-.%A W. Chang
-.%A N. Mavrogiannopoulos
-.%A J. Strombergson
-.%A S. Josefsson
-.%D June 2016
-.%R RFC 7905
-.%T ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
-.Re
-.Pp
-.Rs
-.%A S. Arciszewski
-.%D October 2018
-.%R draft-arciszewski-xchacha-02
-.%T XChaCha: eXtended-nonce ChaCha and AEAD_XChaCha20_Poly1305
-.Re
-.Sh HISTORY
-AEAD is based on the implementation by
-.An Adam Langley
-.\" OpenSSL commit 9a8646510b Sep 9 12:13:24 2013 -0400
-for Chromium/BoringSSL and first appeared in
-.Ox 5.6 .
-.Pp
-.Fn EVP_AEAD_CTX_new
-and
-.Fn EVP_AEAD_CTX_free
-first appeared in
-.Ox 7.1 .
-.Sh CAVEATS
-The original publications and code by
-.An Adam Langley
-used a modified AEAD construction that is incompatible with the common
-style used by AEAD in TLS and incompatible with RFC 7905:
-.Pp
-.Rs
-.%A A. Langley
-.%A W. Chang
-.%D November 2013
-.%R draft-agl-tls-chacha20poly1305-04
-.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
-.Re
-.Pp
-.Rs
-.%A Y. Nir
-.%A A. Langley
-.%D June 2018
-.%R RFC 8439
-.%T ChaCha20 and Poly1305 for IETF Protocols
-.Re
-.Pp
-In particular, the original version used a
-.Fa nonce_len
-of 8 bytes.
diff --git a/src/lib/libcrypto/man/EVP_BytesToKey.3 b/src/lib/libcrypto/man/EVP_BytesToKey.3
deleted file mode 100644
index 1f78b4de06..0000000000
--- a/src/lib/libcrypto/man/EVP_BytesToKey.3
+++ /dev/null
@@ -1,145 +0,0 @@
-.\" $OpenBSD: EVP_BytesToKey.3,v 1.9 2024/12/05 15:12:37 schwarze Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2001, 2011, 2013, 2014, 2015 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 5 2024 $
-.Dt EVP_BYTESTOKEY 3
-.Os
-.Sh NAME
-.Nm EVP_BytesToKey
-.Nd password based encryption routine
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_BytesToKey
-.Fa "const EVP_CIPHER *type"
-.Fa "const EVP_MD *md"
-.Fa "const unsigned char *salt"
-.Fa "const unsigned char *data"
-.Fa "int datal"
-.Fa "int count"
-.Fa "unsigned char *key"
-.Fa "unsigned char *iv"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_BytesToKey
-derives a key and IV from various parameters.
-.Fa type
-is the cipher to derive the key and IV for.
-.Fa md
-is the message digest to use.
-The
-.Fa salt
-parameter is used as a salt in the derivation:
-it should point to a buffer containing
-.Dv PKCS5_SALT_LEN No = 8
-bytes or
-.Dv NULL
-if no salt is used.
-.Fa data
-is a buffer containing
-.Fa datal
-bytes which is used to derive the keying data.
-.Fa count
-is the iteration count to use.
-The derived key and IV will be written to
-.Fa key
-and
-.Fa iv ,
-respectively.
-.Pp
-A typical application of this function is to derive keying material for
-an encryption algorithm from a password in the
-.Fa data
-parameter.
-.Pp
-Increasing the
-.Fa count
-parameter slows down the algorithm, which makes it harder for an attacker
-to perform a brute force attack using a large number of candidate
-passwords.
-.Pp
-If the total key and IV length is less than the digest length and MD5
-is used, then the derivation algorithm is compatible with PKCS#5 v1.5.
-Otherwise, a non-standard extension is used to derive the extra data.
-.Pp
-Newer applications should use more standard algorithms such as PBKDF2 as
-defined in PKCS#5v2.1 for key derivation.
-.Sh KEY DERIVATION ALGORITHM
-The key and IV is derived by concatenating D_1, D_2, etc. until enough
-data is available for the key and IV.
-D_i is defined recursively as:
-.Pp
-.Dl D_i = HASH^count(D_(i-1) || data || salt)
-.Pp
-where || denotes concatenation, D_0 is empty, HASH is the digest
-algorithm in use, HASH^1(data) is simply HASH(data), HASH^2(data) is
-HASH(HASH(data)) and so on.
-.Pp
-The initial bytes are used for the key and the subsequent bytes for the
-IV.
-.Sh RETURN VALUES
-If
-.Fa data
-is
-.Dv NULL ,
-.Fn EVP_BytesToKey
-returns the number of bytes needed to store the derived key.
-Otherwise,
-.Fn EVP_BytesToKey
-returns the size of the derived key in bytes or 0 on error.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_EncryptInit 3 ,
-.Xr PKCS5_PBKDF2_HMAC 3
-.Sh HISTORY
-.Fn EVP_BytesToKey
-first appeared in SSLeay 0.5.1 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_CTX_ctrl.3 b/src/lib/libcrypto/man/EVP_CIPHER_CTX_ctrl.3
deleted file mode 100644
index d7ab36e711..0000000000
--- a/src/lib/libcrypto/man/EVP_CIPHER_CTX_ctrl.3
+++ /dev/null
@@ -1,261 +0,0 @@
-.\" $OpenBSD: EVP_CIPHER_CTX_ctrl.3,v 1.4 2025/03/25 11:54:34 tb Exp $
-.\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\" Copyright (c) 2018 Damien Miller <djm@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 25 2025 $
-.Dt EVP_CIPHER_CTX_CTRL 3
-.Os
-.Sh NAME
-.Nm EVP_CIPHER_CTX_ctrl ,
-.Nm EVP_CIPHER_CTX_set_padding ,
-.Nm EVP_CIPHER_CTX_set_key_length ,
-.Nm EVP_CIPHER_CTX_key_length ,
-.Nm EVP_CIPHER_key_length ,
-.Nm EVP_CIPHER_CTX_iv_length ,
-.Nm EVP_CIPHER_iv_length ,
-.Nm EVP_CIPHER_CTX_set_iv ,
-.Nm EVP_CIPHER_CTX_get_iv
-.Nd configure EVP cipher contexts
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_CIPHER_CTX_ctrl
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "int type"
-.Fa "int arg"
-.Fa "void *ptr"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_set_padding
-.Fa "EVP_CIPHER_CTX *x"
-.Fa "int padding"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_set_key_length
-.Fa "EVP_CIPHER_CTX *x"
-.Fa "int keylen"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_key_length
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_key_length
-.Fa "const EVP_CIPHER *e"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_iv_length
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_iv_length
-.Fa "const EVP_CIPHER *e"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_set_iv
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "const unsigned char *iv"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_get_iv
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *iv"
-.Fa "size_t len"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_CIPHER_CTX_ctrl
-allows various cipher specific parameters to be determined and set.
-Currently only the RC2 effective key length can be set; see
-.Xr EVP_rc2_cbc 3
-for details.
-.Pp
-.Fn EVP_CIPHER_CTX_set_padding
-enables or disables padding.
-This function should be called after the context is set up for
-encryption or decryption with
-.Xr EVP_EncryptInit_ex 3 ,
-.Xr EVP_DecryptInit_ex 3 ,
-or
-.Xr EVP_CipherInit_ex 3 .
-By default encryption operations are padded using standard block padding
-and the padding is checked and removed when decrypting.
-If the
-.Fa padding
-parameter is zero, then no padding is performed, the total amount of data
-encrypted or decrypted must then be a multiple of the block size or an
-error will occur.
-.Pp
-.Fn EVP_CIPHER_CTX_set_key_length
-sets the key length of the cipher ctx.
-If the cipher is a fixed length cipher, then attempting to set the key
-length to any value other than the fixed value is an error.
-.Pp
-.Fn EVP_CIPHER_CTX_key_length
-and
-.Fn EVP_CIPHER_key_length
-return the key length of a cipher when passed an
-.Vt EVP_CIPHER_CTX
-or
-.Vt EVP_CIPHER
-structure.
-The constant
-.Dv EVP_MAX_KEY_LENGTH
-is the maximum key length for all ciphers.
-Note: although
-.Fn EVP_CIPHER_key_length
-is fixed for a given cipher, the value of
-.Fn EVP_CIPHER_CTX_key_length
-may be different for variable key length ciphers.
-.Pp
-.Fn EVP_CIPHER_CTX_iv_length
-and
-.Fn EVP_CIPHER_iv_length
-return the IV length of a cipher when passed an
-.Vt EVP_CIPHER_CTX
-or
-.Vt EVP_CIPHER .
-They will return zero if the cipher does not use an IV.
-.Fn EVP_CIPHER_CTX_iv_length
-can fail and return \-1.
-The constant
-.Dv EVP_MAX_IV_LENGTH
-is the maximum IV length for all ciphers.
-.Pp
-.Fn EVP_CIPHER_CTX_set_iv
-and
-.Fn EVP_CIPHER_CTX_get_iv
-set and retrieve the IV for an
-.Vt EVP_CIPHER_CTX ,
-respectively.
-In both cases, the specified IV length must exactly equal the expected
-IV length for the context as returned by
-.Fn EVP_CIPHER_CTX_iv_length .
-.Sh RETURN VALUES
-.Fn EVP_CIPHER_CTX_ctrl
-returns 1 for success or 0 for failure.
-Some implementations may return negative values for some errors.
-.Pp
-.Fn EVP_CIPHER_CTX_set_padding
-always returns 1.
-.Pp
-.Fn EVP_CIPHER_CTX_set_key_length ,
-.Fn EVP_CIPHER_CTX_set_iv ,
-and
-.Fn EVP_CIPHER_CTX_get_iv
-return 1 for success or 0 for failure.
-.Pp
-.Fn EVP_CIPHER_CTX_key_length
-and
-.Fn EVP_CIPHER_key_length
-return the key length.
-.Pp
-.Fn EVP_CIPHER_CTX_iv_length
-and
-.Fn EVP_CIPHER_iv_length
-return the IV length or zero if the cipher does not use an IV.
-.Fn EVP_CIPHER_CTX_iv_length
-can fail and return \-1.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_CIPHER_nid 3 ,
-.Xr EVP_EncryptInit 3
-.Sh HISTORY
-.Fn EVP_CIPHER_CTX_key_length ,
-.Fn EVP_CIPHER_key_length ,
-.Fn EVP_CIPHER_CTX_iv_length ,
-and
-.Fn EVP_CIPHER_iv_length
-first appeared in SSLeay 0.6.5 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_CIPHER_CTX_ctrl
-and
-.Fn EVP_CIPHER_CTX_set_key_length
-first appeared in OpenSSL 0.9.6 and have been available since
-.Ox 2.9 .
-.Pp
-.Fn EVP_CIPHER_CTX_set_padding
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
-.Pp
-.Fn EVP_CIPHER_CTX_set_iv
-and
-.Fn EVP_CIPHER_CTX_get_iv
-first appeared in LibreSSL 2.8.1 and have been available since
-.Ox 6.4 .
-.Sh BUGS
-.Dv EVP_MAX_KEY_LENGTH
-and
-.Dv EVP_MAX_IV_LENGTH
-only refer to the internal ciphers with default key lengths.
-If custom ciphers exceed these values, the results are unpredictable.
-This is because it has become standard practice to define a generic key
-as a fixed unsigned char array containing
-.Dv EVP_MAX_KEY_LENGTH
-bytes.
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_CTX_get_cipher_data.3 b/src/lib/libcrypto/man/EVP_CIPHER_CTX_get_cipher_data.3
deleted file mode 100644
index 4f75c8b008..0000000000
--- a/src/lib/libcrypto/man/EVP_CIPHER_CTX_get_cipher_data.3
+++ /dev/null
@@ -1,146 +0,0 @@
-.\" $OpenBSD: EVP_CIPHER_CTX_get_cipher_data.3,v 1.3 2023/08/26 15:12:04 schwarze Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 26 2023 $
-.Dt EVP_CIPHER_CTX_GET_CIPHER_DATA 3
-.Os
-.Sh NAME
-.Nm EVP_CIPHER_CTX_get_cipher_data ,
-.Nm EVP_CIPHER_CTX_set_cipher_data ,
-.Nm EVP_CIPHER_CTX_buf_noconst
-.Nd inspect and modify EVP_CIPHER_CTX objects
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft void *
-.Fo EVP_CIPHER_CTX_get_cipher_data
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft void *
-.Fo EVP_CIPHER_CTX_set_cipher_data
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "void *cipher_data"
-.Fc
-.Ft unsigned char *
-.Fo EVP_CIPHER_CTX_buf_noconst
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_CIPHER_CTX_get_cipher_data
-returns a pointer to the cipher data of
-.Fa ctx .
-The format and content of this data is specific to the algorithm
-and to the particular implementation of the cipher.
-For example, this data can be used by engines
-to store engine specific information.
-The data is automatically allocated and freed by OpenSSL, so
-applications and engines should not normally free this directly (but see
-below).
-.Pp
-.Fn EVP_CIPHER_CTX_set_cipher_data
-allows an application or engine to replace the existing cipher data
-with new data, transferring ownership of
-.Fa cipher_data
-to the
-.Fa ctx
-object.
-A pointer to any existing cipher data is returned from this function.
-If the old data is no longer required,
-it should be freed through a call to
-.Xr free 3 .
-.Pp
-.Fn EVP_CIPHER_CTX_buf_noconst
-provides engines and custom cipher implementations
-with access to the internal buffer that
-.Xr EVP_EncryptUpdate 3
-copies input data into before encrypting it.
-This function can for example be used
-inside callback functions installed with
-.Xr EVP_CIPHER_meth_set_do_cipher 3 .
-.Sh RETURN VALUES
-.Fn EVP_CIPHER_CTX_get_cipher_data
-returns an internal pointer owned by
-.Fa ctx .
-.Pp
-.Fn EVP_CIPHER_CTX_set_cipher_data
-returns a pointer to the old cipher data of
-.Fa ctx
-and transfers ownership to the caller.
-.Pp
-.Fn EVP_CIPHER_CTX_buf_noconst
-returns a pointer to an internal buffer owned by
-.Fa ctx .
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_CIPHER_meth_new 3 ,
-.Xr EVP_EncryptInit 3
-.Sh HISTORY
-.Fn EVP_CIPHER_CTX_get_cipher_data ,
-.Fn EVP_CIPHER_CTX_set_cipher_data ,
-and
-.Fn EVP_CIPHER_CTX_buf_noconst
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3 b/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3
deleted file mode 100644
index 79a8e540af..0000000000
--- a/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3
+++ /dev/null
@@ -1,209 +0,0 @@
-.\" $OpenBSD: EVP_CIPHER_CTX_init.3,v 1.4 2024/12/06 15:01:01 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2019, 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" and Richard Levitte <levitte@openssl.org>.
-.\" Copyright (c) 2000-2001, 2015 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_CIPHER_CTX_INIT 3
-.Os
-.Sh NAME
-.Nm EVP_CIPHER_CTX_init ,
-.Nm EVP_CIPHER_CTX_cleanup ,
-.Nm EVP_Cipher
-.Nd obsolete EVP cipher functions
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_CIPHER_CTX_init
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_cleanup
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_Cipher
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "const unsigned char *in"
-.Fa "unsigned int in_len"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_CIPHER_CTX_init
-is a deprecated function that could be used to clear a cipher context
-on the stack before
-.Vt EVP_CIPHER_CTX
-was made opaque.
-Calling it on a cipher context just returned from
-.Xr EVP_CIPHER_CTX_new 3
-has no effect.
-Calling it on a cipher context that was already used may leak memory
-with older versions of the library.
-Instead, use
-.Xr EVP_CIPHER_CTX_reset 3
-or
-.Xr EVP_CIPHER_CTX_free 3 .
-.Pp
-.Fn EVP_CIPHER_CTX_cleanup
-is a deprecated alias for
-.Xr EVP_CIPHER_CTX_reset 3 .
-It clears all information from
-.Fa ctx
-and frees all allocated memory associated with it, except the
-.Fa ctx
-object itself.
-.Pp
-.Fn EVP_Cipher
-exposes implementation details of the functions
-.Xr EVP_CipherUpdate 3
-and
-.Xr EVP_CipherFinal 3
-that should never have become part of the public API.
-.Pp
-If the flag
-.Dv EVP_CIPH_FLAG_CUSTOM_CIPHER
-is set for the cipher used by
-.Fa ctx ,
-behaviour depends on
-.Fa in .
-If that argument is
-.Dv NULL
-and
-.Fa in_len
-is 0, behaviour is similar to
-.Xr EVP_CipherFinal 3 ;
-if
-.Fa in_len
-is not 0, behaviour is undefined.
-If
-.Fa in
-is not
-.Dv NULL ,
-behaviour is similar to
-.Xr EVP_CipherUpdate 3 .
-In both cases, the exceptions to the similarity are that arguments
-and return values differ.
-.Pp
-If the flag
-.Dv EVP_CIPH_FLAG_CUSTOM_CIPHER
-is not set for the cipher used by
-.Fa ctx ,
-it encrypts or decrypts aligned blocks of data
-whose lengths match the cipher block size.
-It requires that the previous encryption or decryption operation
-using the same
-.Fa ctx ,
-if there was any, ended exactly on a block boundary and that
-.Fa in_len
-is an integer multiple of the cipher block size.
-If either of these conditions is violated,
-.Fn EVP_Cipher
-silently produces incorrect results.
-For that reason, using the function
-.Xr EVP_CipherUpdate 3
-instead is strongly recommended.
-The latter can safely handle partial blocks, and even if
-.Fa in_len
-actually is a multiple of the cipher block size for all calls,
-the overhead incurred by using
-.Xr EVP_CipherUpdate 3
-is minimal.
-.Sh RETURN VALUES
-.Fn EVP_CIPHER_CTX_init
-always returns 1.
-.Pp
-.Fn EVP_CIPHER_CTX_cleanup
-returns 1 for success or 0 for failure.
-.Pp
-With
-.Dv EVP_CIPH_FLAG_CUSTOM_CIPHER ,
-.Fn EVP_Cipher
-returns the number of bytes written to
-.Fa out
-for success or \-1 for failure.
-Without
-.Dv EVP_CIPH_FLAG_CUSTOM_CIPHER ,
-it returns 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_EncryptInit 3
-.Sh HISTORY
-.Fn EVP_Cipher
-first appeared in SSLeay 0.6.5.
-.Fn EVP_CIPHER_CTX_cleanup
-first appeared in SSLeay 0.8.0.
-.Fn EVP_CIPHER_CTX_init
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Sh CAVEATS
-Checking the return value of
-.Fn EVP_Cipher
-requires unusual caution: zero signals success if
-.Dv EVP_CIPH_FLAG_CUSTOM_CIPHER
-is set or failure otherwise.
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_CTX_set_flags.3 b/src/lib/libcrypto/man/EVP_CIPHER_CTX_set_flags.3
deleted file mode 100644
index 67ef8679bc..0000000000
--- a/src/lib/libcrypto/man/EVP_CIPHER_CTX_set_flags.3
+++ /dev/null
@@ -1,233 +0,0 @@
-.\" $OpenBSD: EVP_CIPHER_CTX_set_flags.3,v 1.2 2023/09/06 16:26:49 schwarze Exp $
-.\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" and Patrick Steuer <patrick.steuer@de.ibm.com>.
-.\" Copyright (c) 2000, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 6 2023 $
-.Dt EVP_CIPHER_CTX_SET_FLAGS 3
-.Os
-.Sh NAME
-.Nm EVP_CIPHER_CTX_set_flags ,
-.Nm EVP_CIPHER_CTX_clear_flags ,
-.Nm EVP_CIPHER_CTX_test_flags ,
-.Nm EVP_CIPHER_CTX_rand_key ,
-.Nm EVP_CIPHER_param_to_asn1 ,
-.Nm EVP_CIPHER_asn1_to_param ,
-.\" .Nm EVP_CIPHER_set_asn1_iv and
-.\" .Nm EVP_CIPHER_get_asn1_iv are intentionally undocumented
-.\" because they are unused according to codesearch.debian.net
-.\" and should probably not be public: they seem hardly useful
-.\" even for implementing custom EVP_CIPHER algorithms.
-.Nm EVP_CIPHER_CTX_get_app_data ,
-.Nm EVP_CIPHER_CTX_set_app_data
-.Nd unusual EVP cipher context configuration
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft void
-.Fo EVP_CIPHER_CTX_set_flags
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "int flags"
-.Fc
-.Ft void
-.Fo EVP_CIPHER_CTX_clear_flags
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "int flags"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_test_flags
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "int flags"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_rand_key
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *key"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_param_to_asn1
-.Fa "EVP_CIPHER_CTX *c"
-.Fa "ASN1_TYPE *type"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_asn1_to_param
-.Fa "EVP_CIPHER_CTX *c"
-.Fa "ASN1_TYPE *type"
-.Fc
-.Ft void *
-.Fo EVP_CIPHER_CTX_get_app_data
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft void
-.Fo EVP_CIPHER_CTX_set_app_data
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fa "void *data"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_CIPHER_CTX_set_flags
-enables the given
-.Fa flags
-in
-.Fa ctx .
-.Fn EVP_CIPHER_CTX_clear_flags
-disables the given
-.Fa flags
-in
-.Fa ctx .
-.Fn EVP_CIPHER_CTX_test_flags
-checks whether any of the given
-.Fa flags
-are currently set in
-.Fa ctx ,
-returning the subset of the
-.Fa flags
-that are set, or 0 if none of them are set.
-Currently, the only supported cipher context flag is
-.Dv EVP_CIPHER_CTX_FLAG_WRAP_ALLOW ;
-see
-.Xr EVP_aes_128_wrap 3
-for details.
-.Pp
-.Fn EVP_CIPHER_CTX_rand_key
-generates a random key of the appropriate length based on the cipher
-context.
-The
-.Vt EVP_CIPHER
-can provide its own random key generation routine to support keys
-of a specific form.
-The
-.Fa key
-argument must point to a buffer at least as big as the value returned by
-.Xr EVP_CIPHER_CTX_key_length 3 .
-.Pp
-.Fn EVP_CIPHER_param_to_asn1
-sets the ASN.1
-.Vt AlgorithmIdentifier
-parameter based on the passed cipher.
-This will typically include any parameters and an IV.
-The cipher IV (if any) must be set when this call is made.
-This call should be made before the cipher is actually "used" (before any
-.Xr EVP_EncryptUpdate 3
-or
-.Xr EVP_DecryptUpdate 3
-calls, for example).
-This function may fail if the cipher does not have any ASN.1 support.
-.Pp
-.Fn EVP_CIPHER_asn1_to_param
-sets the cipher parameters based on an ASN.1
-.Vt AlgorithmIdentifier
-parameter.
-The precise effect depends on the cipher.
-In the case of RC2, for example, it will set the IV and effective
-key length.
-This function should be called after the base cipher type is set but
-before the key is set.
-For example
-.Xr EVP_CipherInit 3
-will be called with the IV and key set to
-.Dv NULL ,
-.Fn EVP_CIPHER_asn1_to_param
-will be called and finally
-.Xr EVP_CipherInit 3
-again with all parameters except the key set to
-.Dv NULL .
-It is possible for this function to fail if the cipher does not
-have any ASN.1 support or the parameters cannot be set (for example
-the RC2 effective key length is not supported).
-.Sh RETURN VALUES
-.Fn EVP_CIPHER_CTX_rand_key
-return 1 for success or 0 for failure.
-.Pp
-.Fn EVP_CIPHER_param_to_asn1
-and
-.Fn EVP_CIPHER_asn1_to_param
-return greater than zero for success and zero or a negative number
-for failure.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_CIPHER_CTX_ctrl 3 ,
-.Xr EVP_CIPHER_CTX_get_cipher_data 3 ,
-.Xr EVP_CIPHER_nid 3 ,
-.Xr EVP_EncryptInit 3
-.Sh HISTORY
-.Fn EVP_CIPHER_CTX_set_app_data
-and
-.Fn EVP_CIPHER_CTX_get_app_data
-first appeared in SSLeay 0.8.0.
-.Fn EVP_CIPHER_param_to_asn1
-and
-.Fn EVP_CIPHER_asn1_to_param
-first appeared in SSLeay 0.9.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_CIPHER_CTX_rand_key
-first appeared in OpenSSL 0.9.8 and has been available since
-.Ox 4.5 .
-.Sh BUGS
-The ASN.1 code is incomplete (and sometimes inaccurate).
-It has only been tested for certain common S/MIME ciphers
-(RC2, DES, triple DES) in CBC mode.
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_do_all.3 b/src/lib/libcrypto/man/EVP_CIPHER_do_all.3
deleted file mode 100644
index e912044978..0000000000
--- a/src/lib/libcrypto/man/EVP_CIPHER_do_all.3
+++ /dev/null
@@ -1,211 +0,0 @@
-.\" $OpenBSD: EVP_CIPHER_do_all.3,v 1.3 2024/03/14 23:54:55 tb Exp $
-.\"
-.\" Copyright (c) 2023,2024 Theo Buehler <tb@openbsd.org>
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 14 2024 $
-.Dt EVP_CIPHER_DO_ALL 3
-.Os
-.Sh NAME
-.Nm EVP_CIPHER_do_all ,
-.Nm EVP_CIPHER_do_all_sorted ,
-.Nm EVP_MD_do_all ,
-.Nm EVP_MD_do_all_sorted ,
-.Nm OBJ_NAME_do_all ,
-.Nm OBJ_NAME_do_all_sorted
-.Nd iterate over lookup tables for ciphers and digests
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft void
-.Fo EVP_CIPHER_do_all
-.Fa "void (*fn)(const EVP_CIPHER *cipher, const char *from,\
- const char *to, void *arg)"
-.Fa "void *arg"
-.Fc
-.Ft void
-.Fo EVP_CIPHER_do_all_sorted
-.Fa "void (*fn)(const EVP_CIPHER *cipher, const char *from,\
- const char *to, void *arg)"
-.Fa "void *arg"
-.Fc
-.Ft void
-.Fo EVP_MD_do_all
-.Fa "void (*fn)(const EVP_MD *md, const char *from,\
- const char *to, void *arg)"
-.Fa "void *arg"
-.Fc
-.Ft void
-.Fo EVP_MD_do_all_sorted
-.Fa "void (*fn)(const EVP_MD *md, const char *from,\
- const char *to, void *arg)"
-.Fa "void *arg"
-.Fc
-.Bd -literal
-typedef struct {
-        int         type;
-        int         alias;
-        const char *name;
-        const char *data;
-} OBJ_NAME;
-.Ed
-.Pp
-.Ft void
-.Fo OBJ_NAME_do_all
-.Fa "int type"
-.Fa "void (*fn)(const OBJ_NAME *obj_name, void *arg)"
-.Fa "void *arg"
-.Fc
-.Ft void
-.Fo OBJ_NAME_do_all_sorted
-.Fa "int type"
-.Fa "void (*fn)(const OBJ_NAME *obj_name, void *arg)"
-.Fa "void *arg"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_CIPHER_do_all
-calls
-.Fa fn
-on every entry of the global table of cipher names and aliases.
-For a cipher name entry,
-.Fa fn
-is called with a non-NULL
-.Fa cipher ,
-its non-NULL cipher name
-.Fa from ,
-a NULL
-.Fa to ,
-and the
-.Fa arg
-pointer.
-For an alias entry,
-.Fa fn
-is called with a NULL
-.Fa cipher ,
-its alias
-.Fa from ,
-the cipher name that alias points
-.Fa to ,
-and the
-.Fa arg
-pointer.
-.Pp
-.Fn EVP_CIPHER_do_all_sorted
-is similar, except that it processes the cipher names and aliases
-in lexicographic order of their
-.Fa from
-names as determined by
-.Xr strcmp 3 .
-.Pp
-.Fn EVP_MD_do_all
-calls
-.Fa fn
-on every entry of the global table of digest names and aliases.
-For a digest name entry,
-.Fa fn
-is called with a non-NULL
-.Fa md ,
-its non-NULL digest name
-.Fa from ,
-a NULL
-.Fa to ,
-and the
-.Fa arg
-pointer.
-For an alias entry,
-.Fa fn
-is called with a NULL
-.Fa md ,
-its alias
-.Fa from ,
-the digest name that alias points
-.Fa to ,
-and the
-.Fa arg
-pointer.
-.Pp
-.Fn EVP_MD_do_all_sorted
-is similar, except that it processes the digest names and aliases
-in lexicographic order of their
-.Fa from
-names as determined by
-.Xr strcmp 3 .
-.Pp
-.Vt OBJ_NAME
-is an abstraction of the types underlying the lookup tables
-for ciphers and their aliases, and digests and their aliases, respectively.
-For a cipher,
-.Fa type
-is
-.Dv OBJ_NAME_TYPE_CIPHER_METH ,
-.Fa alias
-is 0,
-.Fa name
-is its lookup name and
-.Fa data
-is the
-.Vt EVP_CIPHER
-object it represents, cast to
-.Vt const char * .
-For a cipher alias,
-.Fa type
-is
-.Dv OBJ_NAME_TYPE_CIPHER_METH ,
-.Fa alias
-is
-.Dv OBJ_NAME_ALIAS ,
-.Fa name
-is its lookup name and
-.Fa data
-is the name it aliases.
-Digests representing an
-.Vt EVP_MD
-object and their aliases are represented similarly, except that their type is
-.Dv OBJ_NAME_TYPE_MD_METH .
-.Pp
-.Fn OBJ_NAME_do_all
-calls
-.Fa fn
-on every
-.Fa obj_name
-in the table that has the given
-.Fa type
-(either
-.Dv OBJ_NAME_TYPE_CIPHER_METH
-or
-.Dv OBJ_NAME_TYPE_MD_METH ) ,
-also passing the
-.Fa arg
-pointer.
-.Fn OBJ_NAME_do_all_sorted
-is similar except that it processes the
-.Fa obj_name
-in lexicographic order of their names as determined by
-.Xr strcmp 3 .
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_get_cipherbyname 3 ,
-.Xr EVP_get_digestbyname 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
-.Sh CAVEATS
-.Fn EVP_CIPHER_do_all_sorted ,
-.Fn EVP_MD_do_all_sorted ,
-and
-.Fn OBJ_NAME_do_all_sorted
-cannot report errors.
-In some implementations they need to allocate internally and
-if memory allocation fails they do nothing at all,
-without telling the caller about the problem.
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_meth_new.3 b/src/lib/libcrypto/man/EVP_CIPHER_meth_new.3
deleted file mode 100644
index 187dab6d8a..0000000000
--- a/src/lib/libcrypto/man/EVP_CIPHER_meth_new.3
+++ /dev/null
@@ -1,388 +0,0 @@
-.\" $OpenBSD: EVP_CIPHER_meth_new.3,v 1.6 2024/03/04 09:49:07 tb Exp $
-.\" selective merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Richard Levitte <levitte@openssl.org>
-.\" Copyright (c) 2015 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 4 2024 $
-.Dt EVP_CIPHER_METH_NEW 3
-.Os
-.Sh NAME
-.Nm EVP_CIPHER_meth_new ,
-.Nm EVP_CIPHER_meth_dup ,
-.Nm EVP_CIPHER_meth_free ,
-.Nm EVP_CIPHER_meth_set_iv_length ,
-.Nm EVP_CIPHER_meth_set_flags ,
-.Nm EVP_CIPHER_meth_set_impl_ctx_size ,
-.Nm EVP_CIPHER_meth_set_init ,
-.Nm EVP_CIPHER_meth_set_do_cipher ,
-.Nm EVP_CIPHER_meth_set_cleanup ,
-.Nm EVP_CIPHER_meth_set_set_asn1_params ,
-.Nm EVP_CIPHER_meth_set_get_asn1_params ,
-.Nm EVP_CIPHER_meth_set_ctrl
-.Nd Routines to build up EVP_CIPHER methods
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft EVP_CIPHER *
-.Fo EVP_CIPHER_meth_new
-.Fa "int cipher_type"
-.Fa "int block_size"
-.Fa "int key_len"
-.Fc
-.Ft EVP_CIPHER *
-.Fo EVP_CIPHER_meth_dup
-.Fa "const EVP_CIPHER *cipher"
-.Fc
-.Ft void
-.Fo EVP_CIPHER_meth_free
-.Fa "EVP_CIPHER *cipher"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_meth_set_iv_length
-.Fa "EVP_CIPHER *cipher"
-.Fa "int iv_len"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_meth_set_flags
-.Fa "EVP_CIPHER *cipher"
-.Fa "unsigned long flags"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_meth_set_impl_ctx_size
-.Fa "EVP_CIPHER *cipher"
-.Fa "int ctx_size"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_meth_set_init
-.Fa "EVP_CIPHER *cipher"
-.Fa "int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key,\
- const unsigned char *iv, int enc)"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_meth_set_do_cipher
-.Fa "EVP_CIPHER *cipher"
-.Fa "int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out,\
- const unsigned char *in, size_t inl)"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_meth_set_cleanup
-.Fa "EVP_CIPHER *cipher"
-.Fa "int (*cleanup)(EVP_CIPHER_CTX *)"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_meth_set_set_asn1_params
-.Fa "EVP_CIPHER *cipher"
-.Fa "int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *)"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_meth_set_get_asn1_params
-.Fa "EVP_CIPHER *cipher"
-.Fa "int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *)"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_meth_set_ctrl
-.Fa "EVP_CIPHER *cipher"
-.Fa "int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr)"
-.Fc
-.Sh DESCRIPTION
-The
-.Vt EVP_CIPHER
-type is a structure holding function pointers for
-a symmetric cipher implementation.
-.Pp
-.Fn EVP_CIPHER_meth_new
-allocates a new
-.Vt EVP_CIPHER
-structure.
-The cipher's NID (see
-.Xr EVP_CIPHER_nid 3 )
-is set to
-.Fa cipher_type ,
-the block size and key length are set to
-.Fa block_size
-and
-.Fa key_len ,
-respectively.
-.Pp
-.Fn EVP_CIPHER_meth_dup
-creates a copy of
-.Fa cipher .
-.Pp
-.Fn EVP_CIPHER_meth_free
-frees an
-.Vt EVP_CIPHER
-structure.
-.Pp
-.Fn EVP_CIPHER_meth_set_iv_length
-sets the length of the initialization vector.
-This is only needed when the implemented cipher mode requires it.
-.Pp
-.Fn EVP_CIPHER_meth_set_flags
-overwrites the flags to describe optional behaviours in
-.Fa cipher
-with
-.Fa flags .
-At most one of the following cipher modes can be set:
-.Dv EVP_CIPH_STREAM_CIPHER ,
-.Dv EVP_CIPH_ECB_MODE ,
-.Dv EVP_CIPH_CBC_MODE ,
-.Dv EVP_CIPH_CFB_MODE ,
-.Dv EVP_CIPH_OFB_MODE ,
-.Dv EVP_CIPH_CTR_MODE ,
-.Dv EVP_CIPH_GCM_MODE ,
-.Dv EVP_CIPH_CCM_MODE ,
-.Dv EVP_CIPH_XTS_MODE ,
-and
-.Dv EVP_CIPH_WRAP_MODE .
-.Pp
-Zero or more of the following flags can be OR'ed into the
-.Fa flags
-argument:
-.Bl -tag -width Ds
-.It Dv EVP_CIPH_VARIABLE_LENGTH
-This cipher has a variable key length, and the function
-.Xr EVP_CIPHER_CTX_set_key_length 3
-can be used with it.
-.It Dv EVP_CIPH_CUSTOM_IV
-Instruct
-.Xr EVP_CipherInit_ex 3
-and similar initialization functions to leave storing and initialising
-the IV entirely to the implementation.
-If this flag is set,
-the implementation is typically expected to do that in its
-.Fa init
-function.
-.It Dv EVP_CIPH_ALWAYS_CALL_INIT
-Instruct
-.Xr EVP_CipherInit_ex 3
-and similar initialization functions to call the implementation's
-.Fa init
-function even if the
-.Fa key
-argument is
-.Dv NULL .
-.It Dv EVP_CIPH_CTRL_INIT
-Instruct
-.Xr EVP_CipherInit_ex 3
-and similar initialization functions to call the implementation's
-.Fa ctrl
-function with a command
-.Fa type
-of
-.Dv EVP_CTRL_INIT
-early during the setup.
-.It Dv EVP_CIPH_NO_PADDING
-Instruct
-.Xr EVP_CipherFinal_ex 3
-and similar finalization functions to not use standard block padding
-but instead report an error if the total amount of data
-to be encrypted or decrypted is not a multiple of the block size.
-.It Dv EVP_CIPH_RAND_KEY
-Instruct
-.Xr EVP_CIPHER_CTX_rand_key 3
-to not generate a random key using
-.Xr arc4random_buf 3
-but instead leave that to the implementation by calling the
-.Fa ctrl
-function with a command
-.Fa type
-of
-.Dv EVP_CTRL_RAND_KEY
-and the pointer to the key memory storage in
-.Fa ptr .
-.It Dv EVP_CIPH_CUSTOM_COPY
-Instruct
-.Xr EVP_CIPHER_CTX_copy 3
-to call the implementation's
-.Fa ctrl
-function with a command
-.Fa type
-of
-.Dv EVP_CTRL_COPY
-and the destination
-.Fa "EVP_CIPHER_CTX *out"
-in the
-.Fa ptr
-argument immediately before returning successfully.
-The intended use is for further things to deal with after the
-implementation specific data block has been copied.
-The implementation-specific data block is reached with
-.Xr EVP_CIPHER_CTX_get_cipher_data 3 .
-.It Dv EVP_CIPH_FLAG_DEFAULT_ASN1
-Instruct
-.Xr EVP_CIPHER_param_to_asn1 3
-to use
-.Xr ASN1_TYPE_set_octetstring 3
-if no
-.Fa set_asn1_parameters
-function is installed, and instruct
-.Xr EVP_CIPHER_asn1_to_param 3
-to use
-.Xr ASN1_TYPE_get_octetstring 3
-if no
-.Fa get_asn1_parameters
-function is installed.
-.It Dv EVP_CIPH_FLAG_LENGTH_BITS
-Signals that the length of the input buffer for encryption / decryption
-is to be understood as the number of bits instead of bytes for this
-implementation.
-This is only useful for CFB1 ciphers.
-.It Dv EVP_CIPH_FLAG_CUSTOM_CIPHER
-Instruct
-.Xr EVP_CipherUpdate 3 ,
-.Xr EVP_CipherFinal_ex 3 ,
-and similar encryption, decryption, and finalization functions
-that the implementation's
-.Fa do_cipher
-function takes care of everything,
-including padding, buffering and finalization.
-.It Dv EVP_CIPH_FLAG_AEAD_CIPHER
-This indicates that this is an AEAD cipher implementation.
-.El
-.Pp
-.Fn EVP_CIPHER_meth_set_impl_ctx_size
-sets the size of the EVP_CIPHER's implementation context so that it can
-be automatically allocated.
-.Pp
-.Fn EVP_CIPHER_meth_set_init
-sets the
-.Fa init
-function for
-.Fa cipher .
-The cipher init function is called by
-.Xr EVP_CipherInit 3 ,
-.Xr EVP_CipherInit_ex 3 ,
-.Xr EVP_EncryptInit 3 ,
-.Xr EVP_EncryptInit_ex 3 ,
-.Xr EVP_DecryptInit 3 ,
-and
-.Xr EVP_DecryptInit_ex 3 .
-.Pp
-.Fn EVP_CIPHER_meth_set_do_cipher
-sets the cipher function for
-.Fa cipher .
-The cipher function is called by
-.Xr EVP_CipherUpdate 3 ,
-.Xr EVP_EncryptUpdate 3 ,
-.Xr EVP_DecryptUpdate 3 ,
-.Xr EVP_CipherFinal 3 ,
-.Xr EVP_EncryptFinal 3 ,
-.Xr EVP_EncryptFinal_ex 3 ,
-.Xr EVP_DecryptFinal 3
-and
-.Xr EVP_DecryptFinal_ex 3 .
-.Pp
-.Fn EVP_CIPHER_meth_set_cleanup
-sets the function for
-.Fa cipher
-to do extra cleanup before the method's private data structure is
-cleaned out and freed.
-Note that the cleanup function is passed a
-.Sy EVP_CIPHER_CTX * ,
-the private data structure is then available with
-.Xr EVP_CIPHER_CTX_get_cipher_data 3 .
-This cleanup function is called by
-.Xr EVP_CIPHER_CTX_reset 3
-and
-.Xr EVP_CIPHER_CTX_free 3 .
-.Pp
-.Fn EVP_CIPHER_meth_set_set_asn1_params
-sets the function for
-.Fa cipher
-to set the AlgorithmIdentifier "parameter" based on the passed cipher.
-This function is called by
-.Xr EVP_CIPHER_param_to_asn1 3 .
-.Fn EVP_CIPHER_meth_set_get_asn1_params
-sets the function for
-.Fa cipher
-that sets the cipher parameters based on an ASN.1 AlgorithmIdentifier
-"parameter".
-Both these functions are needed when there is a need for custom data
-(more or other than the cipher IV). They are called by
-.Xr EVP_CIPHER_param_to_asn1 3
-and
-.Xr EVP_CIPHER_asn1_to_param 3
-respectively if defined.
-.Pp
-.Fn EVP_CIPHER_meth_set_ctrl
-sets the control function for
-.Fa cipher .
-.Sh RETURN VALUES
-.Fn EVP_CIPHER_meth_new
-and
-.Fn EVP_CIPHER_meth_dup
-return a pointer to a newly created
-.Vt EVP_CIPHER ,
-or NULL on failure.
-.Pp
-All
-.Fn EVP_CIPHER_meth_set_*
-functions return 1.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_EncryptInit 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.3 .
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_nid.3 b/src/lib/libcrypto/man/EVP_CIPHER_nid.3
deleted file mode 100644
index 1feff4f34e..0000000000
--- a/src/lib/libcrypto/man/EVP_CIPHER_nid.3
+++ /dev/null
@@ -1,306 +0,0 @@
-.\" $OpenBSD: EVP_CIPHER_nid.3,v 1.3 2023/09/05 14:54:21 schwarze Exp $
-.\" full merge up to: OpenSSL man3/EVP_EncryptInit.pod
-.\"   0874d7f2 Oct 11 13:13:47 2022 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 5 2023 $
-.Dt EVP_CIPHER_NID 3
-.Os
-.Sh NAME
-.Nm EVP_CIPHER_nid ,
-.Nm EVP_CIPHER_CTX_nid ,
-.Nm EVP_CIPHER_name ,
-.Nm EVP_CIPHER_type ,
-.Nm EVP_CIPHER_CTX_type ,
-.Nm EVP_CIPHER_block_size ,
-.Nm EVP_CIPHER_CTX_block_size ,
-.Nm EVP_CIPHER_flags ,
-.Nm EVP_CIPHER_CTX_flags ,
-.Nm EVP_CIPHER_mode ,
-.Nm EVP_CIPHER_CTX_mode
-.Nd inspect EVP_CIPHER objects
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_CIPHER_nid
-.Fa "const EVP_CIPHER *cipher"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_nid
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft const char *
-.Fo EVP_CIPHER_name
-.Fa "const EVP_CIPHER *cipher"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_type
-.Fa "const EVP_CIPHER *ctx"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_type
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_block_size
-.Fa "const EVP_CIPHER *cipher"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_block_size
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft unsigned long
-.Fo EVP_CIPHER_flags
-.Fa "const EVP_CIPHER *cipher"
-.Fc
-.Ft unsigned long
-.Fo EVP_CIPHER_CTX_flags
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft unsigned long
-.Fo EVP_CIPHER_mode
-.Fa "const EVP_CIPHER *cipher"
-.Fc
-.Ft unsigned long
-.Fo EVP_CIPHER_CTX_mode
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_CIPHER_nid
-returns the numerical identifier (NID) of the
-.Fa cipher .
-The NID is an internal value which may or may not have a corresponding
-ASN.1 OBJECT IDENTIFIER; see
-.Xr OBJ_nid2obj 3
-for details.
-.Pp
-.Fn EVP_CIPHER_CTX_nid
-returns the NID of the cipher that
-.Fa ctx
-is configured to use.
-.Pp
-.Fn EVP_CIPHER_name
-converts the NID of the
-.Fa cipher
-to its short name with
-.Xr OBJ_nid2sn 3 .
-.Pp
-.Fn EVP_CIPHER_type
-returns the NID associated with the ASN.1 OBJECT IDENTIFIER of the
-.Fa cipher ,
-ignoring the cipher parameters.
-For example,
-.Xr EVP_aes_256_cfb1 3 ,
-.Xr EVP_aes_256_cfb8 3 ,
-and
-.Xr EVP_aes_256_cfb128 3
-all return the same NID,
-.Dv NID_aes_256_cfb128 .
-.Pp
-.Fn EVP_CIPHER_CTX_type
-returns the NID associated with the ASN.1 OBJECT IDENTIFIER of the cipher that
-.Fa ctx
-is configured to use.
-.Pp
-.Fn EVP_CIPHER_block_size
-returns the block size of the
-.Fa cipher
-in bytes.
-.Fn EVP_CIPHER_CTX_block_size
-returns the block size of the cipher that
-.Fa ctx
-is configured to use.
-Block sizes are guaranteed to be less than or equal to the constant
-.Dv EVP_MAX_BLOCK_LENGTH .
-Currently,
-.Xr EVP_CipherInit_ex 3
-and the other functions documented in the same manual page
-only support block sizes of 1, 8, and 16 bytes.
-.Pp
-.Fn EVP_CIPHER_flags
-returns the cipher flags used by the
-.Fa cipher .
-The meaning of the flags is described in the
-.Xr EVP_CIPHER_meth_set_flags 3
-manual page.
-.Pp
-.Fn EVP_CIPHER_CTX_flags
-returns the cipher flags of the cipher that
-.Fa ctx
-is configured to use.
-Be careful to not confuse these with the unrelated cipher context flags
-that can be inspected with
-.Xr EVP_CIPHER_CTX_test_flags 3 .
-.Pp
-.Fn EVP_CIPHER_mode
-returns the
-.Fa cipher
-mode, which is the logical AND of the constant
-.Dv EVP_CIPH_MODE
-and the return value of
-.Fn EVP_CIPHER_flags .
-.Pp
-.Fn EVP_CIPHER_CTX_mode
-returns the cipher mode of the cipher that
-.Fa ctx
-is configured to use.
-.Pp
-.Fn EVP_CIPHER_name ,
-.Fn EVP_CIPHER_CTX_type ,
-.Fn EVP_CIPHER_mode ,
-and
-.Fn EVP_CIPHER_CTX_mode
-are implemented as macros.
-.Sh RETURN VALUES
-.Fn EVP_CIPHER_nid
-and
-.Fn EVP_CIPHER_CTX_nid
-return an NID.
-.Pp
-.Fn EVP_CIPHER_name
-returns a pointer to a string that is owned by an internal library object or
-.Dv NULL
-if the NID is neither built into the library nor added to the global
-object table by one of the functions documented in the manual page
-.Xr OBJ_create 3 ,
-of if the object does not contain a short name.
-.Pp
-.Fn EVP_CIPHER_type
-and
-.Fn EVP_CIPHER_CTX_type
-return the NID of the cipher's OBJECT IDENTIFIER or
-.Dv NID_undef
-if it is not associated with an OBJECT IDENTIFIER.
-.Pp
-.Fn EVP_CIPHER_block_size
-and
-.Fn EVP_CIPHER_CTX_block_size
-return the block size in bytes.
-.Pp
-.Fn EVP_CIPHER_flags
-and
-.Fn EVP_CIPHER_CTX_flags
-return one or more
-.Dv EVP_CIPH_*
-flag bits OR'ed together.
-.Pp
-.Fn EVP_CIPHER_mode
-and
-.Fn EVP_CIPHER_CTX_mode
-return one of the constants
-.Dv EVP_CIPH_ECB_MODE ,
-.Dv EVP_CIPH_CBC_MODE ,
-.Dv EVP_CIPH_CFB_MODE ,
-.Dv EVP_CIPH_OFB_MODE ,
-.Dv EVP_CIPH_CTR_MODE ,
-.Dv EVP_CIPH_GCM_MODE ,
-.Dv EVP_CIPH_CCM_MODE ,
-.Dv EVP_CIPH_XTS_MODE ,
-or
-.Dv EVP_CIPH_WRAP_MODE
-to indicate a block cipher or
-.Dv EVP_CIPH_STREAM_CIPHER
-to indicate a stream cipher.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_CIPHER_CTX_ctrl 3 ,
-.Xr EVP_EncryptInit 3 ,
-.Xr OBJ_nid2obj 3
-.Sh HISTORY
-.Fn EVP_CIPHER_type ,
-.Fn EVP_CIPHER_CTX_type ,
-.Fn EVP_CIPHER_block_size ,
-and
-.Fn EVP_CIPHER_CTX_block_size
-first appeared in SSLeay 0.6.5.
-.Fn EVP_CIPHER_nid
-and
-.Fn EVP_CIPHER_CTX_nid
-first appeared in SSLeay 0.8.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_CIPHER_flags ,
-.Fn EVP_CIPHER_CTX_flags ,
-.Fn EVP_CIPHER_mode ,
-and
-.Fn EVP_CIPHER_CTX_mode
-first appeared in OpenSSL 0.9.6 and have been available since
-.Ox 2.9 .
-.Pp
-.Fn EVP_CIPHER_name
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
-.Sh CAVEATS
-The behaviour of the functions taking an
-.Vt EVP_CIPHER_CTX
-argument is undefined if they are called on a
-.Fa ctx
-that has no cipher configured yet, for example one freshly returned from
-.Xr EVP_CIPHER_CTX_new 3 .
-In that case, the program may for example be terminated by a
-.Dv NULL
-pointer access.
diff --git a/src/lib/libcrypto/man/EVP_DigestInit.3 b/src/lib/libcrypto/man/EVP_DigestInit.3
deleted file mode 100644
index 668c189bc1..0000000000
--- a/src/lib/libcrypto/man/EVP_DigestInit.3
+++ /dev/null
@@ -1,606 +0,0 @@
-.\" $OpenBSD: EVP_DigestInit.3,v 1.37 2024/12/06 15:01:01 schwarze Exp $
-.\" full merge up to: OpenSSL 7f572e95 Dec 2 13:57:04 2015 +0000
-.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2019, 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>,
-.\" Richard Levitte <levitte@openssl.org>,
-.\" Paul Yang <yang.yang@baishancloud.com>, and
-.\" Antoine Salon <asalon@vmware.com>.
-.\" Copyright (c) 2000-2004, 2009, 2012-2016, 2018, 2019 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_DIGESTINIT 3
-.Os
-.Sh NAME
-.Nm EVP_MD_CTX_new ,
-.Nm EVP_MD_CTX_reset ,
-.Nm EVP_MD_CTX_free ,
-.Nm EVP_MD_CTX_init ,
-.Nm EVP_MD_CTX_create ,
-.Nm EVP_MD_CTX_cleanup ,
-.Nm EVP_MD_CTX_destroy ,
-.Nm EVP_DigestInit_ex ,
-.Nm EVP_DigestUpdate ,
-.Nm EVP_DigestFinal_ex ,
-.Nm EVP_Digest ,
-.Nm EVP_MD_CTX_copy_ex ,
-.Nm EVP_DigestInit ,
-.Nm EVP_DigestFinal ,
-.Nm EVP_MD_CTX_copy ,
-.Nm EVP_MD_CTX_md ,
-.Nm EVP_md_null ,
-.Nm EVP_sha224 ,
-.Nm EVP_sha256 ,
-.Nm EVP_sha384 ,
-.Nm EVP_sha512 ,
-.Nm EVP_sha512_224 ,
-.Nm EVP_sha512_256 ,
-.Nm EVP_ripemd160 ,
-.Nm EVP_get_digestbyname ,
-.Nm EVP_get_digestbynid ,
-.Nm EVP_get_digestbyobj
-.Nd EVP digest routines
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft EVP_MD_CTX *
-.Fn EVP_MD_CTX_new void
-.Ft int
-.Fo EVP_MD_CTX_reset
-.Fa "EVP_MD_CTX *ctx"
-.Fc
-.Ft void
-.Fo EVP_MD_CTX_free
-.Fa "EVP_MD_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_MD_CTX_init
-.Fa "EVP_MD_CTX *ctx"
-.Fc
-.Ft EVP_MD_CTX *
-.Fn EVP_MD_CTX_create void
-.Ft int
-.Fo EVP_MD_CTX_cleanup
-.Fa "EVP_MD_CTX *ctx"
-.Fc
-.Ft void
-.Fo EVP_MD_CTX_destroy
-.Fa "EVP_MD_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_DigestInit_ex
-.Fa "EVP_MD_CTX *ctx"
-.Fa "const EVP_MD *type"
-.Fa "ENGINE *engine"
-.Fc
-.Ft int
-.Fo EVP_DigestUpdate
-.Fa "EVP_MD_CTX *ctx"
-.Fa "const void *d"
-.Fa "size_t cnt"
-.Fc
-.Ft int
-.Fo EVP_DigestFinal_ex
-.Fa "EVP_MD_CTX *ctx"
-.Fa "unsigned char *md"
-.Fa "unsigned int *s"
-.Fc
-.Ft int
-.Fo EVP_Digest
-.Fa "const void *d"
-.Fa "size_t cnt"
-.Fa "unsigned char *md"
-.Fa "unsigned int *s"
-.Fa "const EVP_MD *type"
-.Fa "ENGINE *engine"
-.Fc
-.Ft int
-.Fo EVP_MD_CTX_copy_ex
-.Fa "EVP_MD_CTX *out"
-.Fa "const EVP_MD_CTX *in"
-.Fc
-.Ft int
-.Fo EVP_DigestInit
-.Fa "EVP_MD_CTX *ctx"
-.Fa "const EVP_MD *type"
-.Fc
-.Ft int
-.Fo EVP_DigestFinal
-.Fa "EVP_MD_CTX *ctx"
-.Fa "unsigned char *md"
-.Fa "unsigned int *s"
-.Fc
-.Ft int
-.Fo EVP_MD_CTX_copy
-.Fa "EVP_MD_CTX *out"
-.Fa "EVP_MD_CTX *in"
-.Fc
-.Ft const EVP_MD *
-.Fo EVP_MD_CTX_md
-.Fa "const EVP_MD_CTX *ctx"
-.Fc
-.Ft const EVP_MD *
-.Fn EVP_md_null void
-.Ft const EVP_MD *
-.Fn EVP_sha224 void
-.Ft const EVP_MD *
-.Fn EVP_sha256 void
-.Ft const EVP_MD *
-.Fn EVP_sha384 void
-.Ft const EVP_MD *
-.Fn EVP_sha512 void
-.Ft const EVP_MD *
-.Fn EVP_sha512_224 void
-.Ft const EVP_MD *
-.Fn EVP_sha512_256 void
-.Ft const EVP_MD *
-.Fn EVP_ripemd160 void
-.Ft const EVP_MD *
-.Fo EVP_get_digestbyname
-.Fa "const char *name"
-.Fc
-.Ft const EVP_MD *
-.Fo EVP_get_digestbynid
-.Fa "int type"
-.Fc
-.Ft const EVP_MD *
-.Fo EVP_get_digestbyobj
-.Fa "const ASN1_OBJECT *o"
-.Fc
-.Sh DESCRIPTION
-The EVP digest routines are a high-level interface to message digests
-and should be used instead of the cipher-specific functions.
-.Pp
-.Fn EVP_MD_CTX_new
-allocates a new, empty digest context.
-.Pp
-.Fn EVP_MD_CTX_reset
-cleans up
-.Fa ctx
-and resets it to the state it had after
-.Fn EVP_MD_CTX_new ,
-such that it can be reused.
-.Pp
-.Fn EVP_MD_CTX_free
-cleans up
-.Fa ctx
-and frees the space allocated to it.
-.Pp
-.Fn EVP_MD_CTX_init
-is a deprecated function to clear a digest context on the stack
-before use.
-Do not use it on a digest context returned from
-.Fn EVP_MD_CTX_new
-or one that was already used.
-.Pp
-.Fn EVP_MD_CTX_create ,
-.Fn EVP_MD_CTX_cleanup ,
-and
-.Fn EVP_MD_CTX_destroy
-are deprecated aliases for
-.Fn EVP_MD_CTX_new ,
-.Fn EVP_MD_CTX_reset ,
-and
-.Fn EVP_MD_CTX_free ,
-respectively.
-.Pp
-.Fn EVP_DigestInit_ex
-sets up the digest context
-.Fa ctx
-to use a digest
-.Fa type .
-The
-.Fa type
-will typically be supplied by a function such as
-.Fn EVP_sha512 .
-The
-.Fa ENGINE *engine
-argument is always ignored and passing
-.Dv NULL
-is recommended.
-.Pp
-.Fn EVP_DigestUpdate
-hashes
-.Fa cnt
-bytes of data at
-.Fa d
-into the digest context
-.Fa ctx .
-This function can be called several times on the same
-.Fa ctx
-to hash additional data.
-.Pp
-.Fn EVP_DigestFinal_ex
-retrieves the digest value from
-.Fa ctx
-and places it in
-.Fa md .
-If the
-.Fa s
-parameter is not
-.Dv NULL ,
-then the number of bytes of data written (i.e. the length of the
-digest) will be written to the integer at
-.Fa s ;
-at most
-.Dv EVP_MAX_MD_SIZE
-bytes will be written.
-After calling
-.Fn EVP_DigestFinal_ex ,
-no additional calls to
-.Fn EVP_DigestUpdate
-can be made, but
-.Fn EVP_DigestInit_ex
-can be called to initialize a new digest operation.
-.Pp
-.Fn EVP_Digest
-is a simple wrapper function to hash
-.Fa cnt
-bytes of data at
-.Fa d
-using the digest
-.Fa type
-in a one-shot operation and place the digest value into
-.Fa md ,
-and, unless
-.Fa s
-is
-.Dv NULL ,
-the length of the digest in bytes into
-.Pf * Fa s .
-This wrapper uses a temporary digest context and passes its arguments to
-.Fn EVP_DigestInit_ex ,
-.Fn EVP_DigestUpdate ,
-and
-.Fn EVP_DigestFinal_ex
-internally.
-The
-.Fa ENGINE *engine
-argument is always ignored and passing
-.Dv NULL
-is recommended.
-.Pp
-.Fn EVP_MD_CTX_copy_ex
-can be used to copy the message digest state from
-.Fa in
-to
-.Fa out .
-This is useful if large amounts of data are to be hashed which only
-differ in the last few bytes.
-.Pp
-.Fn EVP_DigestInit
-is a deprecated function behaving like
-.Fn EVP_DigestInit_ex
-except that it requires
-.Fn EVP_MD_CTX_reset
-before it can be used on a context that was already used.
-.Pp
-.Fn EVP_DigestFinal
-is a deprecated function behaving like
-.Fn EVP_DigestFinal_ex
-except that the digest context
-.Fa ctx
-is automatically cleaned up after use by calling
-.Fn EVP_MD_CTX_reset
-internally.
-.Pp
-.Fn EVP_MD_CTX_copy
-is a deprecated function behaving like
-.Fn EVP_MD_CTX_copy_ex
-except that it requires
-.Fn EVP_MD_CTX_reset
-before a context that was already used can be passed as
-.Fa out .
-.Pp
-.Fn EVP_sha224 ,
-.Fn EVP_sha256 ,
-.Fn EVP_sha384 ,
-.Fn EVP_sha512 ,
-and
-.Fn EVP_ripemd160
-return
-.Vt EVP_MD
-structures for the SHA224, SHA256, SHA384, SHA512 and
-RIPEMD160 digest algorithms respectively.
-.Pp
-.Fn EVP_sha512_224
-and
-.Fn EVP_sha512_256
-return an
-.Vt EVP_MD
-structure that provides the truncated SHA512 variants SHA512/224 and SHA512/256,
-respectively.
-.Pp
-.Fn EVP_md_null
-is a "null" message digest that does nothing:
-i.e. the hash it returns is of zero length.
-.Pp
-.Fn EVP_get_digestbyname ,
-.Fn EVP_get_digestbynid ,
-and
-.Fn EVP_get_digestbyobj
-return an
-.Vt EVP_MD
-structure when passed a digest name, a digest NID, or an ASN1_OBJECT
-structure respectively.
-.Pp
-.Fn EVP_get_digestbynid
-and
-.Fn EVP_get_digestbyobj
-are implemented as macros.
-.Pp
-The EVP interface to message digests should almost always be used
-in preference to the low-level interfaces.
-This is because the code then becomes transparent to the digest used and
-much more flexible.
-.Pp
-The
-.Fa ENGINE *engine
-argument is always ignored and passing
-.Dv NULL
-is recommended.
-.Pp
-The functions
-.Fn EVP_DigestInit ,
-.Fn EVP_DigestFinal ,
-and
-.Fn EVP_MD_CTX_copy
-are obsolete but are retained to maintain compatibility with existing
-code.
-New applications should use
-.Fn EVP_DigestInit_ex ,
-.Fn EVP_DigestFinal_ex ,
-and
-.Fn EVP_MD_CTX_copy_ex
-because they can efficiently reuse a digest context instead of
-initializing and cleaning it up on each call.
-.Pp
-If digest contexts are not cleaned up after use, memory leaks will occur.
-.Sh RETURN VALUES
-.Fn EVP_MD_CTX_new
-and
-.Fn EVP_MD_CTX_create
-return the new
-.Vt EVP_MD_CTX
-object or
-.Dv NULL
-for failure.
-.Pp
-.Fn EVP_MD_CTX_reset ,
-.Fn EVP_MD_CTX_init ,
-and
-.Fn EVP_MD_CTX_cleanup
-always return 1.
-.Pp
-.Fn EVP_DigestInit_ex ,
-.Fn EVP_DigestUpdate ,
-.Fn EVP_DigestFinal_ex ,
-.Fn EVP_Digest ,
-.Fn EVP_MD_CTX_copy_ex ,
-.Fn EVP_DigestInit ,
-.Fn EVP_DigestFinal ,
-and
-.Fn EVP_MD_CTX_copy
-return 1 for success or 0 for failure.
-.Pp
-.Fn EVP_MD_CTX_md
-returns the
-.Vt EVP_MD
-object used by
-.Fa ctx ,
-or
-.Dv NULL
-if
-.Fa ctx
-is
-.Dv NULL
-or does not have any message digest algorithm assigned yet.
-.Pp
-.Fn EVP_md_null ,
-.Fn EVP_sha224 ,
-.Fn EVP_sha256 ,
-.Fn EVP_sha384 ,
-.Fn EVP_sha512 ,
-.Fn EVP_sha512_224 ,
-.Fn EVP_sha512_256 ,
-and
-.Fn EVP_ripemd160
-return pointers to constant static objects owned by the library.
-.Pp
-.Fn EVP_get_digestbyname ,
-.Fn EVP_get_digestbynid ,
-and
-.Fn EVP_get_digestbyobj
-return either an
-.Vt EVP_MD
-structure or
-.Dv NULL
-if an error occurs.
-.Sh EXAMPLES
-This example digests the data "Test Message\en" and "Hello World\en",
-using the digest name passed on the command line.
-.Bd -literal -offset indent
-#include <stdio.h>
-#include <string.h>
-#include <openssl/evp.h>
-
-int
-main(int argc, char *argv[])
-{
-        EVP_MD_CTX *mdctx;
-        const EVP_MD *md;
-        const char mess1[] = "Test Message\en";
-        const char mess2[] = "Hello World\en";
-        unsigned char md_value[EVP_MAX_MD_SIZE];
-        unsigned int md_len, i;
-
-        if (argc <= 1) {
-                printf("Usage: mdtest digestname\en");
-                exit(1);
-        }
-
-        md = EVP_get_digestbyname(argv[1]);
-        if (md == NULL) {
-                printf("Unknown message digest %s\en", argv[1]);
-                exit(1);
-        }
-
-        mdctx = EVP_MD_CTX_new();
-        EVP_DigestInit_ex(mdctx, md, NULL);
-        EVP_DigestUpdate(mdctx, mess1, strlen(mess1));
-        EVP_DigestUpdate(mdctx, mess2, strlen(mess2));
-        EVP_DigestFinal_ex(mdctx, md_value, &md_len);
-        EVP_MD_CTX_free(mdctx);
-
-        printf("Digest is: ");
-        for(i = 0; i < md_len; i++)
-                printf("%02x", md_value[i]);
-        printf("\en");
-
-        return 0;
-}
-.Ed
-.Sh SEE ALSO
-.Xr BIO_f_md 3 ,
-.Xr CMAC_Init 3 ,
-.Xr evp 3 ,
-.Xr EVP_BytesToKey 3 ,
-.Xr EVP_DigestSignInit 3 ,
-.Xr EVP_DigestVerifyInit 3 ,
-.Xr EVP_MD_CTX_ctrl 3 ,
-.Xr EVP_MD_nid 3 ,
-.Xr EVP_PKEY_CTX_set_signature_md 3 ,
-.Xr EVP_sha1 3 ,
-.Xr EVP_sha3_224 3 ,
-.Xr EVP_SignInit 3 ,
-.Xr EVP_sm3 3 ,
-.Xr EVP_VerifyInit 3 ,
-.Xr HMAC 3 ,
-.Xr OCSP_basic_sign 3 ,
-.Xr OCSP_request_sign 3 ,
-.Xr PKCS5_PBKDF2_HMAC 3 ,
-.Xr PKCS7_sign_add_signer 3 ,
-.Xr X509_ALGOR_set0 3 ,
-.Xr X509_digest 3 ,
-.Xr X509_sign 3
-.Sh HISTORY
-.Fn EVP_DigestInit ,
-.Fn EVP_DigestUpdate ,
-and
-.Fn EVP_DigestFinal
-first appeared in SSLeay 0.5.1.
-.Fn EVP_md_null
-and
-.Fn EVP_get_digestbyname
-first appeared in SSLeay 0.8.0.
-.Fn EVP_get_digestbynid
-and
-.Fn EVP_get_digestbyobj
-first appeared in SSLeay 0.8.1.
-.Fn EVP_ripemd160
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_MD_CTX_copy
-first appeared in OpenSSL 0.9.2b and has been available since
-.Ox 2.6 .
-.Pp
-.Fn EVP_MD_CTX_md
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Pp
-.Fn EVP_MD_CTX_init ,
-.Fn EVP_MD_CTX_create ,
-.Fn EVP_MD_CTX_cleanup ,
-.Fn EVP_MD_CTX_destroy ,
-.Fn EVP_DigestInit_ex ,
-.Fn EVP_DigestFinal_ex ,
-.Fn EVP_Digest ,
-and
-.Fn EVP_MD_CTX_copy_ex
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn EVP_sha224 ,
-.Fn EVP_sha256 ,
-.Fn EVP_sha384 ,
-and
-.Fn EVP_sha512
-first appeared in OpenSSL 0.9.7h and 0.9.8a
-and have been available since
-.Ox 4.0 .
-.Pp
-.Fn EVP_MD_CTX_new ,
-.Fn EVP_MD_CTX_reset ,
-and
-.Fn EVP_MD_CTX_free
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.3 .
-.Pp
-.Fn EVP_sha512_224
-and
-.Fn EVP_sha512_256
-first appeared in OpenSSL 1.1.1 and have been available since
-.Ox 7.4 .
diff --git a/src/lib/libcrypto/man/EVP_DigestSignInit.3 b/src/lib/libcrypto/man/EVP_DigestSignInit.3
deleted file mode 100644
index caf519e28c..0000000000
--- a/src/lib/libcrypto/man/EVP_DigestSignInit.3
+++ /dev/null
@@ -1,243 +0,0 @@
-.\" $OpenBSD: EVP_DigestSignInit.3,v 1.15 2024/12/06 14:27:49 schwarze Exp $
-.\" full merge up to: OpenSSL 28428130 Apr 17 15:18:40 2018 +0200
-.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2006, 2009, 2015, 2016, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_DIGESTSIGNINIT 3
-.Os
-.Sh NAME
-.Nm EVP_DigestSignInit ,
-.Nm EVP_DigestSignUpdate ,
-.Nm EVP_DigestSignFinal ,
-.Nm EVP_DigestSign
-.Nd EVP signing functions
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_DigestSignInit
-.Fa "EVP_MD_CTX *ctx"
-.Fa "EVP_PKEY_CTX **pctx"
-.Fa "const EVP_MD *type"
-.Fa "ENGINE *engine"
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft int
-.Fo EVP_DigestSignUpdate
-.Fa "EVP_MD_CTX *ctx"
-.Fa "const void *d"
-.Fa "size_t cnt"
-.Fc
-.Ft int
-.Fo EVP_DigestSignFinal
-.Fa "EVP_MD_CTX *ctx"
-.Fa "unsigned char *sig"
-.Fa "size_t *siglen"
-.Fc
-.Ft int
-.Fo EVP_DigestSign
-.Fa "EVP_MD_CTX *ctx"
-.Fa "unsigned char *sigret"
-.Fa "size_t *siglen"
-.Fa "const unsigned char *tbs"
-.Fa "size_t tbslen"
-.Fc
-.Sh DESCRIPTION
-The EVP signature routines are a high-level interface to digital
-signatures.
-.Pp
-.Fn EVP_DigestSignInit
-sets up the signing context
-.Fa ctx
-to use the digest
-.Fa type
-and the private key
-.Fa pkey .
-Before calling this function, obtain
-.Fa ctx
-from
-.Xr EVP_MD_CTX_new 3
-or call
-.Xr EVP_MD_CTX_reset 3
-on it.
-The
-.Fa engine
-argument is always ignored and passing
-.Dv NULL
-is recommended.
-.Pp
-If
-.Fa pctx
-is not
-.Dv NULL ,
-any pointer passed in as
-.Pf * Fa pctx
-is ignored and overwritten by an internal pointer to the
-.Vt EVP_PKEY_CTX
-used by the signing operation:
-this can be used to set alternative signing options.
-The returned
-.Vt EVP_PKEY_CTX
-must not be freed by the application.
-It is freed automatically when the
-.Vt EVP_MD_CTX
-is freed.
-.Pp
-.Fn EVP_DigestSignUpdate
-hashes
-.Fa cnt
-bytes of data at
-.Fa d
-into the signature context
-.Fa ctx .
-This function can be called several times on the same
-.Fa ctx
-to include additional data.
-This function is currently implemented using a macro.
-.Pp
-.Fn EVP_DigestSignFinal
-signs the data in
-.Fa ctx
-and places the signature in
-.Fa sig .
-If
-.Fa sig
-is
-.Dv NULL ,
-then the maximum size of the output buffer is written to
-.Pf * Fa siglen .
-If
-.Fa sig
-is not
-.Dv NULL ,
-then before the call
-.Fa siglen
-should contain the length of the
-.Fa sig
-buffer.
-If the call is successful, the signature is written to
-.Fa sig
-and the amount of data written to
-.Fa siglen .
-.Pp
-.Fn EVP_DigestSign
-signs
-.Fa tbslen
-bytes of data at
-.Fa tbs
-and places the signature in
-.Fa sigret
-and its length in
-.Fa siglen
-in a similar way to
-.Fn EVP_DigestSignFinal .
-.Fn EVP_DigestSign
-is a one shot operation which signs a single block of data
-with one function call.
-For algorithms that support streaming it is equivalent to calling
-.Fn EVP_DigestSignUpdate
-and
-.Fn EVP_DigestSignFinal .
-.\" For algorithms which do not support streaming
-.\" (e.g. PureEdDSA)
-.\" it is the only way to sign data.
-.Pp
-The EVP interface to digital signatures should almost always be
-used in preference to the low-level interfaces.
-This is because the code then becomes transparent to the algorithm used
-and much more flexible.
-.Pp
-The call to
-.Fn EVP_DigestSignFinal
-internally finalizes a copy of the digest context.
-This means that
-.Fn EVP_DigestSignUpdate
-and
-.Fn EVP_DigestSignFinal
-can be called later to digest and sign additional data.
-.Pp
-Since only a copy of the digest context is ever finalized, the context
-must be cleaned up after use by calling
-.Xr EVP_MD_CTX_free 3 ,
-or a memory leak will occur.
-.Pp
-The use of
-.Xr EVP_PKEY_size 3
-with these functions is discouraged because some signature operations
-may have a signature length which depends on the parameters set.
-As a result,
-.Xr EVP_PKEY_size 3
-would have to return a value which indicates the maximum possible
-signature for any set of parameters.
-.Sh RETURN VALUES
-.Fn EVP_DigestSignInit ,
-.Fn EVP_DigestSignUpdate ,
-.Fn EVP_DigestSignFinal ,
-and
-.Fn EVP_DigestSign
-return 1 for success and 0 for failure.
-.Pp
-The error codes can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_DigestInit 3 ,
-.Xr EVP_DigestVerifyInit 3
-.Sh HISTORY
-.Fn EVP_DigestSignInit ,
-.Fn EVP_DigestSignUpdate ,
-and
-.Fn EVP_DigestSignFinal
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
-.Pp
-.Fn EVP_DigestSign
-first appeared in OpenSSL 1.1.1 and has been available since
-.Ox 7.0 .
diff --git a/src/lib/libcrypto/man/EVP_DigestVerifyInit.3 b/src/lib/libcrypto/man/EVP_DigestVerifyInit.3
deleted file mode 100644
index fa62f5a0a5..0000000000
--- a/src/lib/libcrypto/man/EVP_DigestVerifyInit.3
+++ /dev/null
@@ -1,223 +0,0 @@
-.\" $OpenBSD: EVP_DigestVerifyInit.3,v 1.17 2024/12/06 14:27:49 schwarze Exp $
-.\" full merge up to OpenSSL f097e875 Aug 23 11:37:22 2018 +0100
-.\" selective merge up to 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2006, 2009, 2014, 2015, 2016, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_DIGESTVERIFYINIT 3
-.Os
-.Sh NAME
-.Nm EVP_DigestVerifyInit ,
-.Nm EVP_DigestVerifyUpdate ,
-.Nm EVP_DigestVerifyFinal ,
-.Nm EVP_DigestVerify
-.Nd EVP signature verification functions
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_DigestVerifyInit
-.Fa "EVP_MD_CTX *ctx"
-.Fa "EVP_PKEY_CTX **pctx"
-.Fa "const EVP_MD *type"
-.Fa "ENGINE *engine"
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft int
-.Fo EVP_DigestVerifyUpdate
-.Fa "EVP_MD_CTX *ctx"
-.Fa "const void *d"
-.Fa "size_t cnt"
-.Fc
-.Ft int
-.Fo EVP_DigestVerifyFinal
-.Fa "EVP_MD_CTX *ctx"
-.Fa "const unsigned char *sig"
-.Fa "size_t siglen"
-.Fc
-.Ft int
-.Fo EVP_DigestVerify
-.Fa "EVP_MD_CTX *ctx"
-.Fa "const unsigned char *sig"
-.Fa "size_t siglen"
-.Fa "const unsigned char *tbs"
-.Fa "size_t *tbslen"
-.Fc
-.Sh DESCRIPTION
-The EVP signature routines are a high-level interface to digital
-signatures.
-.Pp
-.Fn EVP_DigestVerifyInit
-sets up the verification context
-.Fa ctx
-to use the digest
-.Fa type
-and the public key
-.Fa pkey .
-Before calling this function, obtain
-.Fa ctx
-from
-.Xr EVP_MD_CTX_new 3
-or call
-.Xr EVP_MD_CTX_reset 3
-on it.
-The
-.Fa engine
-argument is always ignored and passing
-.Dv NULL
-is recommended.
-.Pp
-If
-.Fa pctx
-is not
-.Dv NULL ,
-any pointer passed in as
-.Pf * Fa pctx
-is ignored and overwritten by an internal pointer to the
-.Vt EVP_PKEY_CTX
-used by the verification operation:
-this can be used to set alternative signing options.
-The returned
-.Vt EVP_PKEY_CTX
-must not be freed by the application.
-It is freed automatically when the
-.Vt EVP_MD_CTX
-is freed.
-.Pp
-.Fn EVP_DigestVerifyUpdate
-hashes
-.Fa cnt
-bytes of data at
-.Fa d
-into the verification context
-.Fa ctx .
-This function can be called several times on the same
-.Fa ctx
-to include additional data.
-This function is currently implemented using a macro.
-.Pp
-.Fn EVP_DigestVerifyFinal
-verifies the data in
-.Fa ctx
-against the signature in
-.Fa sig
-of length
-.Fa siglen .
-.Pp
-.Fn EVP_DigestVerify
-verifies
-.Fa tbslen
-bytes at
-.Fa tbs
-against the signature in
-.Fa sig
-of length
-.Fa siglen .
-.Fn EVP_DigestVerify
-is a one shot operation which verifies a single block of data
-in one function call.
-For algorithms that support streaming it is equivalent to calling
-.Fn EVP_DigestVerifyUpdate
-and
-.Fn EVP_DigestVerifyFinal .
-.\" For algorithms which do not support streaming
-.\" (e.g. PureEdDSA)
-.\" it is the only way to verify data.
-.Pp
-The EVP interface to digital signatures should almost always be
-used in preference to the low-level interfaces.
-This is because the code then becomes transparent to the algorithm used
-and much more flexible.
-.Pp
-The call to
-.Fn EVP_DigestVerifyFinal
-internally finalizes a copy of the digest context.
-This means that
-.Xr EVP_VerifyUpdate 3
-and
-.Xr EVP_VerifyFinal 3
-can be called later to digest and verify additional data.
-.Pp
-Since only a copy of the digest context is ever finalized, the context
-must be cleaned up after use by calling
-.Xr EVP_MD_CTX_free 3
-or a memory leak will occur.
-.Sh RETURN VALUES
-.Fn EVP_DigestVerifyInit
-and
-.Fn EVP_DigestVerifyUpdate
-return 1 for success and 0 for failure.
-.Pp
-.Fn EVP_DigestVerifyFinal
-and
-.Fn EVP_DigestVerify
-return 1 for success; any other value indicates failure.
-A return value of 0 indicates that the signature did not verify
-successfully (that is, the signature did not match the original
-data or the signature had an invalid form), while other values
-indicate a more serious error (and sometimes also indicate an invalid
-signature form).
-.Pp
-The error codes can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_DigestInit 3 ,
-.Xr EVP_DigestSignInit 3
-.Sh HISTORY
-.Fn EVP_DigestVerifyInit ,
-.Fn EVP_DigestVerifyUpdate ,
-and
-.Fn EVP_DigestVerifyFinal
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
-.Pp
-.Fn EVP_DigestVerify
-first appeared in OpenSSL 1.1.1 and has been available since
-.Ox 7.0 .
diff --git a/src/lib/libcrypto/man/EVP_EncodeInit.3 b/src/lib/libcrypto/man/EVP_EncodeInit.3
deleted file mode 100644
index da79af84cf..0000000000
--- a/src/lib/libcrypto/man/EVP_EncodeInit.3
+++ /dev/null
@@ -1,334 +0,0 @@
-.\" $OpenBSD: EVP_EncodeInit.3,v 1.7 2019/06/06 01:06:58 schwarze Exp $
-.\" full merge up to: OpenSSL f430ba31 Jun 19 19:39:01 2016 +0200
-.\" selective merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 6 2019 $
-.Dt EVP_ENCODEINIT 3
-.Os
-.Sh NAME
-.Nm EVP_ENCODE_CTX_new ,
-.Nm EVP_ENCODE_CTX_free ,
-.Nm EVP_EncodeInit ,
-.Nm EVP_EncodeUpdate ,
-.Nm EVP_EncodeFinal ,
-.Nm EVP_EncodeBlock ,
-.Nm EVP_DecodeInit ,
-.Nm EVP_DecodeUpdate ,
-.Nm EVP_DecodeFinal ,
-.Nm EVP_DecodeBlock
-.Nd EVP base64 encode/decode routines
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft EVP_ENCODE_CTX *
-.Fn EVP_ENCODE_CTX_new void
-.Ft void
-.Fo EVP_ENCODE_CTX_free
-.Fa "EVP_ENCODE_CTX *ctx"
-.Fc
-.Ft void
-.Fo EVP_EncodeInit
-.Fa "EVP_ENCODE_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_EncodeUpdate
-.Fa "EVP_ENCODE_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *outl"
-.Fa "const unsigned char *in"
-.Fa "int inl"
-.Fc
-.Ft void
-.Fo EVP_EncodeFinal
-.Fa "EVP_ENCODE_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *outl"
-.Fc
-.Ft int
-.Fo EVP_EncodeBlock
-.Fa "unsigned char *t"
-.Fa "const unsigned char *f"
-.Fa "int n"
-.Fc
-.Ft void
-.Fo EVP_DecodeInit
-.Fa "EVP_ENCODE_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_DecodeUpdate
-.Fa "EVP_ENCODE_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *outl"
-.Fa "const unsigned char *in"
-.Fa "int inl"
-.Fc
-.Ft int
-.Fo EVP_DecodeFinal
-.Fa "EVP_ENCODE_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *outl"
-.Fc
-.Ft int
-.Fo EVP_DecodeBlock
-.Fa "unsigned char *t"
-.Fa "const unsigned char *f"
-.Fa "int n"
-.Fc
-.Sh DESCRIPTION
-The EVP encode routines provide a high level interface to base64
-encoding and decoding.
-Base64 encoding converts binary data into a printable form that uses
-the characters A-Z, a-z, 0-9, "+" and "/" to represent the data.
-For every 3 bytes of binary data provided, 4 bytes of base64-encoded
-data will be produced, plus some occasional newlines.
-If the input data length is not a multiple of 3, then the output data
-will be padded at the end using the "=" character.
-.Pp
-.Fn EVP_ENCODE_CTX_new
-allocates, initializes and returns a context to be used for the encode
-and decode functions.
-.Pp
-.Fn EVP_ENCODE_CTX_free
-frees
-.Fa ctx .
-.Pp
-Encoding of binary data is performed in blocks of 48 input bytes (or
-less for the final block).
-For each 48-byte input block encoded, 64 bytes of base64 data is output,
-plus an additional newline character, i.e. 65 bytes in total.
-The final block, which may be less than 48 bytes, will output 4 bytes
-for every 3 bytes of input.
-If the data length is not divisible by 3, then a full 4 bytes is still
-output for the final 1 or 2 bytes of input.
-Similarly a newline character will also be output.
-.Pp
-.Fn EVP_EncodeInit
-initialises
-.Fa ctx
-for the start of a new encoding operation.
-.Pp
-.Fn EVP_EncodeUpdate
-encodes
-.Fa inl
-bytes of data found in the buffer pointed to by
-.Fa in .
-The output is stored in the buffer
-.Fa out
-and the number of bytes output is stored in
-.Pf * Fa outl .
-It is the caller's responsibility to ensure that the buffer at
-.Fa out
-is sufficiently large to accommodate the output data.
-Only full blocks of data (48 bytes) will be immediately processed and
-output by this function.
-Any remainder is held in the
-.Fa ctx
-object and will be processed by a subsequent call to
-.Fn EVP_EncodeUpdate
-or
-.Fn EVP_EncodeFinal .
-To calculate the required size of the output buffer, add together the
-value of
-.Fa inl
-with the amount of unprocessed data held in
-.Fa ctx
-and divide the result by 48 (ignore any remainder).
-This gives the number of blocks of data that will be processed.
-Ensure the output buffer contains 65 bytes of storage for each block,
-plus an additional byte for a NUL terminator.
-.Fn EVP_EncodeUpdate
-may be called repeatedly to process large amounts of input data.
-In the event of an error ,
-.Fn EVP_EncodeUpdate
-will set
-.Pf * Fa outl
-to 0 and return 0.
-On success 1 will be returned.
-.Pp
-.Fn EVP_EncodeFinal
-must be called at the end of an encoding operation.
-It will process any partial block of data remaining in the
-.Fa ctx
-object.
-The output data will be stored in
-.Fa out
-and the length of the data written will be stored in
-.Pf * Fa outl .
-It is the caller's responsibility to ensure that
-.Fa out
-is sufficiently large to accommodate the output data, which will
-never be more than 65 bytes plus an additional NUL terminator, i.e.
-66 bytes in total.
-.Pp
-.Fn EVP_EncodeBlock
-encodes a full block of input data in
-.Fa f
-and of length
-.Fa n
-and stores it in
-.Fa t .
-For every 3 bytes of input provided, 4 bytes of output data will be
-produced.
-If
-.Sy n
-is not divisible by 3, then the block is encoded as a final block
-of data and the output is padded such that it is always divisible
-by 4.
-Additionally a NUL terminator character will be added.
-For example, if 16 bytes of input data are provided, then 24 bytes
-of encoded data is created plus 1 byte for a NUL terminator,
-i.e. 25 bytes in total.
-The length of the data generated
-.Em without
-the NUL terminator is returned from the function.
-.Pp
-.Fn EVP_DecodeInit
-initialises
-.Fa ctx
-for the start of a new decoding operation.
-.Pp
-.Fn EVP_DecodeUpdate
-decodes
-.Fa inl
-characters of data found in the buffer pointed to by
-.Fa in .
-The output is stored in the buffer
-.Fa out
-and the number of bytes output is stored in
-.Pf * Fa outl .
-It is the caller's responsibility to ensure that the buffer at
-.Fa out
-is sufficiently large to accommodate the output data.
-This function will attempt to decode as much data as possible in 4-byte
-chunks.
-Any whitespace, newline or carriage return characters are ignored.
-Any partial chunk of unprocessed data (1, 2 or 3 bytes) that remains at
-the end will be held in the
-.Fa ctx
-object and processed by a subsequent call to
-.Fn EVP_DecodeUpdate .
-If any illegal base64 characters are encountered or if the base64
-padding character "=" is encountered in the middle of the data,
-then the function returns -1 to indicate an error.
-A return value of 0 or 1 indicates successful processing of the data.
-A return value of 0 additionally indicates that the last input data
-characters processed included the base64 padding character "=" and
-therefore no more non-padding character data is expected to be
-processed.
-For every 4 valid base64 bytes processed \(em ignoring whitespace,
-carriage returns and line feeds \(em 3 bytes of binary output data
-will be produced, or less at the end of the data where the padding
-character "=" has been used.
-.Pp
-.Fn EVP_DecodeFinal
-must be called at the end of a decoding operation.
-If there is any unprocessed data still in
-.Fa ctx ,
-then the input data must not have been a multiple of 4 and therefore an
-error has occurred.
-The function will return -1 in this case.
-Otherwise the function returns 1 on success.
-.Pp
-.Fn EVP_DecodeBlock
-will decode the block of
-.Fa n
-characters of base64 data contained in
-.Fa f
-and store the result in
-.Fa t .
-Any leading whitespace will be trimmed as will any trailing whitespace,
-newlines, carriage returns or EOF characters.
-After such trimming the length of the data in
-.Fa f
-must be divisible by 4.
-For every 4 input bytes, exactly 3 output bytes will be produced.
-The output will be padded with 0 bits if necessary to ensure that the
-output is always 3 bytes for every 4 input bytes.
-This function will return the length of the data decoded or -1 on error.
-.Sh RETURN VALUES
-.Fn EVP_ENCODE_CTX_new
-returns a pointer to the newly allocated
-.Vt EVP_ENCODE_CTX
-object or
-.Dv NULL
-on error.
-.Pp
-.Fn EVP_EncodeUpdate
-returns 0 on error or 1 on success.
-.Pp
-.Fn EVP_EncodeBlock
-returns the number of bytes encoded excluding the NUL terminator.
-.Pp
-.Fn EVP_DecodeUpdate
-returns -1 on error and 0 or 1 on success.
-If 0 is returned, then no more non-padding base64 characters are
-expected.
-.Pp
-.Fn EVP_DecodeFinal
-returns -1 on error or 1 on success.
-.Pp
-.Fn EVP_DecodeBlock
-returns the length of the data decoded or -1 on error.
-.Sh SEE ALSO
-.Xr BIO_f_base64 3 ,
-.Xr evp 3
-.Sh HISTORY
-The
-.Fn EVP_Encode*
-and
-.Fn EVP_Decode*
-functions first appeared in SSLeay 0.5.1
-and have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_ENCODE_CTX_new
-and
-.Fn EVP_ENCODE_CTX_free
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.5 .
diff --git a/src/lib/libcrypto/man/EVP_EncryptInit.3 b/src/lib/libcrypto/man/EVP_EncryptInit.3
deleted file mode 100644
index 7765be2ca6..0000000000
--- a/src/lib/libcrypto/man/EVP_EncryptInit.3
+++ /dev/null
@@ -1,813 +0,0 @@
-.\" $OpenBSD: EVP_EncryptInit.3,v 1.56 2024/12/20 01:54:03 schwarze Exp $
-.\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
-.\"   EVP_bf_cbc.pod EVP_cast5_cbc.pod EVP_idea_cbc.pod EVP_rc2_cbc.pod
-.\"   7c6d372a Nov 20 13:20:01 2018 +0000
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2019, 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" and Richard Levitte <levitte@openssl.org>.
-.\" Copyright (c) 2000-2002, 2005, 2012-2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 20 2024 $
-.Dt EVP_ENCRYPTINIT 3
-.Os
-.Sh NAME
-.Nm EVP_CIPHER_CTX_new ,
-.Nm EVP_CIPHER_CTX_reset ,
-.Nm EVP_CIPHER_CTX_free ,
-.Nm EVP_CIPHER_CTX_copy ,
-.Nm EVP_EncryptInit_ex ,
-.Nm EVP_EncryptUpdate ,
-.Nm EVP_EncryptFinal_ex ,
-.Nm EVP_DecryptInit_ex ,
-.Nm EVP_DecryptUpdate ,
-.Nm EVP_DecryptFinal_ex ,
-.Nm EVP_CipherInit_ex ,
-.Nm EVP_CipherUpdate ,
-.Nm EVP_CipherFinal_ex ,
-.Nm EVP_EncryptInit ,
-.Nm EVP_EncryptFinal ,
-.Nm EVP_DecryptInit ,
-.Nm EVP_DecryptFinal ,
-.Nm EVP_CipherInit ,
-.Nm EVP_CipherFinal ,
-.Nm EVP_CIPHER_CTX_encrypting ,
-.Nm EVP_get_cipherbyname ,
-.Nm EVP_get_cipherbynid ,
-.Nm EVP_get_cipherbyobj ,
-.Nm EVP_CIPHER_CTX_cipher ,
-.Nm EVP_enc_null ,
-.Nm EVP_idea_cbc ,
-.Nm EVP_idea_ecb ,
-.Nm EVP_idea_cfb64 ,
-.Nm EVP_idea_cfb ,
-.Nm EVP_idea_ofb ,
-.Nm EVP_bf_cbc ,
-.Nm EVP_bf_ecb ,
-.Nm EVP_bf_cfb64 ,
-.Nm EVP_bf_cfb ,
-.Nm EVP_bf_ofb ,
-.Nm EVP_cast5_cbc ,
-.Nm EVP_cast5_ecb ,
-.Nm EVP_cast5_cfb64 ,
-.Nm EVP_cast5_cfb ,
-.Nm EVP_cast5_ofb
-.Nd EVP cipher routines
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft EVP_CIPHER_CTX *
-.Fn EVP_CIPHER_CTX_new void
-.Ft int
-.Fo EVP_CIPHER_CTX_reset
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft void
-.Fo EVP_CIPHER_CTX_free
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_copy
-.Fa "EVP_CIPHER_CTX *out"
-.Fa "const EVP_CIPHER_CTX *in"
-.Fc
-.Ft int
-.Fo EVP_EncryptInit_ex
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "const EVP_CIPHER *type"
-.Fa "ENGINE *engine"
-.Fa "const unsigned char *key"
-.Fa "const unsigned char *iv"
-.Fc
-.Ft int
-.Fo EVP_EncryptUpdate
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *out_len"
-.Fa "const unsigned char *in"
-.Fa "int in_len"
-.Fc
-.Ft int
-.Fo EVP_EncryptFinal_ex
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *out_len"
-.Fc
-.Ft int
-.Fo EVP_DecryptInit_ex
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "const EVP_CIPHER *type"
-.Fa "ENGINE *engine"
-.Fa "const unsigned char *key"
-.Fa "const unsigned char *iv"
-.Fc
-.Ft int
-.Fo EVP_DecryptUpdate
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *out_len"
-.Fa "const unsigned char *in"
-.Fa "int in_len"
-.Fc
-.Ft int
-.Fo EVP_DecryptFinal_ex
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *out_len"
-.Fc
-.Ft int
-.Fo EVP_CipherInit_ex
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "const EVP_CIPHER *type"
-.Fa "ENGINE *engine"
-.Fa "const unsigned char *key"
-.Fa "const unsigned char *iv"
-.Fa "int enc"
-.Fc
-.Ft int
-.Fo EVP_CipherUpdate
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *out_len"
-.Fa "const unsigned char *in"
-.Fa "int in_len"
-.Fc
-.Ft int
-.Fo EVP_CipherFinal_ex
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *out_len"
-.Fc
-.Ft int
-.Fo EVP_EncryptInit
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "const EVP_CIPHER *type"
-.Fa "const unsigned char *key"
-.Fa "const unsigned char *iv"
-.Fc
-.Ft int
-.Fo EVP_EncryptFinal
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *out_len"
-.Fc
-.Ft int
-.Fo EVP_DecryptInit
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "const EVP_CIPHER *type"
-.Fa "const unsigned char *key"
-.Fa "const unsigned char *iv"
-.Fc
-.Ft int
-.Fo EVP_DecryptFinal
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *out_len"
-.Fc
-.Ft int
-.Fo EVP_CipherInit
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "const EVP_CIPHER *type"
-.Fa "const unsigned char *key"
-.Fa "const unsigned char *iv"
-.Fa "int enc"
-.Fc
-.Ft int
-.Fo EVP_CipherFinal
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *out_len"
-.Fc
-.Ft int
-.Fo EVP_CIPHER_CTX_encrypting
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Ft const EVP_CIPHER *
-.Fo EVP_get_cipherbyname
-.Fa "const char *name"
-.Fc
-.Ft const EVP_CIPHER *
-.Fo EVP_get_cipherbynid
-.Fa "int nid"
-.Fc
-.Ft const EVP_CIPHER *
-.Fo EVP_get_cipherbyobj
-.Fa "const ASN1_OBJECT *a"
-.Fc
-.Ft const EVP_CIPHER *
-.Fo EVP_CIPHER_CTX_cipher
-.Fa "const EVP_CIPHER_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-The EVP cipher routines are a high level interface to certain symmetric
-ciphers.
-.Pp
-.Fn EVP_CIPHER_CTX_new
-creates a new, empty cipher context.
-.Pp
-.Fn EVP_CIPHER_CTX_reset
-clears all information from
-.Fa ctx
-and frees all allocated memory associated with it, except the
-.Fa ctx
-object itself, such that it can be reused for another series of calls to
-.Fn EVP_CipherInit ,
-.Fn EVP_CipherUpdate ,
-and
-.Fn EVP_CipherFinal .
-.Pp
-.Fn EVP_CIPHER_CTX_free
-clears all information from
-.Fa ctx
-and frees all allocated memory associated with it, including
-.Fa ctx
-itself.
-This function should be called after all operations using a cipher
-are complete, so sensitive information does not remain in memory.
-If
-.Fa ctx
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn EVP_CIPHER_CTX_copy
-calls
-.Fn EVP_CIPHER_CTX_reset
-on
-.Fa out
-and copies all the data from
-.Fa in
-to
-.Fa out ,
-except that the
-.Vt EVP_CIPHER
-object used by
-.Fa in
-and any application specific data set with
-.Xr EVP_CIPHER_CTX_set_app_data 3
-are not copied and
-.Fa out
-will point to the same two objects.
-The algorithm- and implementation-specific cipher data described in
-.Xr EVP_CIPHER_CTX_get_cipher_data 3
-is copied with
-.Xr malloc 3
-and
-.Xr memcpy 3 ,
-i.e. assuming that it does not contain pointers to any sub-objects.
-If the bit
-.Dv EVP_CIPH_CUSTOM_COPY
-has been set with
-.Xr EVP_CIPHER_meth_set_flags 3 ,
-.Xr EVP_CIPHER_CTX_ctrl 3
-is called at the end with arguments
-.Fa in ,
-.Dv EVP_CTRL_COPY ,
-.No 0 ,
-and
-.Fa out
-such that the cipher implementation can perform further algorithm-
-and implementation-specific initializations after the algorithm-
-and implementation-specific cipher data has been copied.
-Among the cipher algorithms built into the library,
-.Dv EVP_CIPH_CUSTOM_COPY
-and
-.Dv EVP_CTRL_COPY
-are used by some of the ciphers documented in the
-.Xr EVP_aes_256_gcm 3
-manual page.
-.Pp
-.Fn EVP_EncryptInit
-and
-.Fn EVP_EncryptInit_ex
-set up the cipher context
-.Fa ctx
-for encryption with cipher
-.Fa type .
-.Fa type
-is normally supplied by a function such as
-.Xr EVP_aes_256_cbc 3 .
-.Fa key
-is the symmetric key to use and
-.Fa iv
-is the IV to use (if necessary).
-The actual number of bytes used for the
-key and IV depends on the cipher.
-The
-.Fa ENGINE *engine
-argument is always ignored and passing
-.Dv NULL
-is recommended.
-It is possible to set all parameters to
-.Dv NULL
-except
-.Fa type
-in an initial call and supply the remaining parameters in subsequent
-calls, all of which have
-.Fa type
-set to
-.Dv NULL .
-This is done when the default cipher parameters are not appropriate.
-.Pp
-.Fn EVP_EncryptUpdate
-encrypts
-.Fa in_len
-bytes from the buffer
-.Fa in
-and writes the encrypted version to
-.Fa out .
-This function can be called multiple times to encrypt successive blocks
-of data.
-The amount of data written depends on the block alignment of the
-encrypted data: as a result the amount of data written may be anything
-from zero bytes to
-.Pq Fa in_len No + cipher_block_size - 1
-so
-.Fa out
-should contain sufficient room.
-The actual number of bytes written is placed in
-.Pf * Fa out_len .
-.Pp
-If padding is enabled (the default) then
-.Fn EVP_EncryptFinal
-and
-.Fn EVP_EncryptFinal_ex ,
-which behave identically,
-encrypt the "final" data, that is any data that remains in a partial
-block.
-It uses NOTES (aka PKCS padding).
-The encrypted final data is written to
-.Fa out
-which should have sufficient space for one cipher block.
-The number of bytes written is placed in
-.Pf * Fa out_len .
-After this function is called, the encryption operation is finished and
-no further calls to
-.Fn EVP_EncryptUpdate
-should be made.
-.Pp
-If padding is disabled then
-.Fn EVP_EncryptFinal
-and
-.Fn EVP_EncryptFinal_ex
-do not encrypt any more data and return an error if any data
-remains in a partial block: that is if the total data length is not a
-multiple of the block size.
-.Pp
-.Fn EVP_DecryptInit ,
-.Fn EVP_DecryptInit_ex ,
-.Fn EVP_DecryptUpdate ,
-.Fn EVP_DecryptFinal ,
-and
-.Fn EVP_DecryptFinal_ex
-are the corresponding decryption operations.
-.Fn EVP_DecryptFinal
-and
-.Fn EVP_DecryptFinal_ex
-return an error code if padding is enabled and the final block is
-not correctly formatted.
-The parameters and restrictions are identical to the encryption
-operations except that if padding is enabled the decrypted data buffer
-.Fa out
-passed to
-.Fn EVP_DecryptUpdate
-should have sufficient room for
-.Pq Fa in_len No + cipher_block_size
-bytes unless the cipher block size is 1 in which case
-.Fa in_len
-bytes is sufficient.
-.Pp
-.Fn EVP_CipherInit ,
-.Fn EVP_CipherInit_ex ,
-.Fn EVP_CipherUpdate ,
-.Fn EVP_CipherFinal ,
-and
-.Fn EVP_CipherFinal_ex
-are functions that can be used for decryption or encryption.
-The operation performed depends on the value of the
-.Fa enc
-parameter.
-It should be set to 1 for encryption, 0 for decryption and -1 to leave
-the value unchanged (the actual value of
-.Fa enc
-being supplied in a previous call).
-.Pp
-.Fn EVP_get_cipherbyname ,
-.Fn EVP_get_cipherbynid ,
-and
-.Fn EVP_get_cipherbyobj
-return an
-.Vt EVP_CIPHER
-structure when passed a cipher name, a NID or an
-.Vt ASN1_OBJECT
-structure.
-.Pp
-.Fn EVP_CIPHER_CTX_cipher
-returns the
-.Vt EVP_CIPHER
-structure when passed an
-.Vt EVP_CIPHER_CTX
-structure.
-.Pp
-Where possible the EVP interface to symmetric ciphers should be
-used in preference to the low level interfaces.
-This is because the code then becomes transparent to the cipher used and
-much more flexible.
-.Pp
-PKCS padding works by adding n padding bytes of value n to make the
-total length of the encrypted data a multiple of the block size.
-Padding is always added so if the data is already a multiple of the
-block size n will equal the block size.
-For example if the block size is 8 and 11 bytes are to be encrypted then
-5 padding bytes of value 5 will be added.
-.Pp
-When decrypting, the final block is checked to see if it has the correct
-form.
-.Pp
-Although the decryption operation can produce an error if padding is
-enabled, it is not a strong test that the input data or key is correct.
-A random block has better than 1 in 256 chance of being of the correct
-format and problems with the input data earlier on will not produce a
-final decrypt error.
-.Pp
-If padding is disabled then the decryption operation will always succeed
-if the total amount of data decrypted is a multiple of the block size.
-.Pp
-.Fn EVP_get_cipherbynid
-and
-.Fn EVP_get_cipherbyobj
-are implemented as macros.
-.Sh RETURN VALUES
-.Fn EVP_CIPHER_CTX_new
-returns a pointer to a newly created
-.Vt EVP_CIPHER_CTX
-for success or
-.Dv NULL
-for failure.
-.Pp
-.Fn EVP_CIPHER_CTX_reset ,
-.Fn EVP_CIPHER_CTX_copy ,
-.Fn EVP_EncryptInit_ex ,
-.Fn EVP_EncryptUpdate ,
-.Fn EVP_EncryptFinal_ex ,
-.Fn EVP_DecryptInit_ex ,
-.Fn EVP_DecryptUpdate ,
-.Fn EVP_DecryptFinal_ex ,
-.Fn EVP_CipherInit_ex ,
-.Fn EVP_CipherUpdate ,
-.Fn EVP_CipherFinal_ex ,
-.Fn EVP_EncryptInit ,
-.Fn EVP_EncryptFinal ,
-.Fn EVP_DecryptInit ,
-.Fn EVP_DecryptFinal ,
-.Fn EVP_CipherInit ,
-and
-.Fn EVP_CipherFinal
-return 1 for success or 0 for failure.
-.Pp
-.Fn EVP_CIPHER_CTX_encrypting
-returns 1 if
-.Fa ctx
-is initialized for encryption or 0 otherwise, in which case
-it may be uninitialized or initialized for decryption.
-.Pp
-.Fn EVP_get_cipherbyname ,
-.Fn EVP_get_cipherbynid ,
-and
-.Fn EVP_get_cipherbyobj
-return an
-.Vt EVP_CIPHER
-structure or
-.Dv NULL
-on error.
-.Pp
-.Fn EVP_CIPHER_CTX_cipher
-returns an
-.Vt EVP_CIPHER
-structure.
-.Sh CIPHER LISTING
-.Bl -tag -width Ds
-.It Fn EVP_enc_null
-Null cipher: does nothing.
-.It Xo
-.Fn EVP_idea_cbc ,
-.Fn EVP_idea_ecb ,
-.Fn EVP_idea_cfb64 ,
-.Fn EVP_idea_ofb
-.Xc
-IDEA encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
-IDEA is a block cipher operating on 64 bit blocks using a 128 bit
-.Fa key .
-.Fn EVP_idea_cfb
-is an alias for
-.Fn EVP_idea_cfb64 ,
-implemented as a macro.
-.It Xo
-.Fn EVP_bf_cbc ,
-.Fn EVP_bf_ecb ,
-.Fn EVP_bf_cfb64 ,
-.Fn EVP_bf_ofb
-.Xc
-Blowfish encryption algorithm in CBC, ECB, CFB and OFB modes
-respectively.
-Blowfish is a block cipher operating on 64 bit blocks using a variable
-.Fa key
-length.
-The default key length is 128 bits.
-.Fn EVP_bf_cfb
-is an alias for
-.Fn EVP_bf_cfb64 ,
-implemented as a macro.
-.It Xo
-.Fn EVP_cast5_cbc ,
-.Fn EVP_cast5_ecb ,
-.Fn EVP_cast5_cfb64 ,
-.Fn EVP_cast5_ofb
-.Xc
-CAST-128 encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
-CAST-128 is a block cipher operating on 64 bit blocks using a variable
-.Fa key
-length.
-The default and maximum key length is 128 bits.
-.Fn EVP_cast5_cfb
-is an alias for
-.Fn EVP_cast5_cfb64 ,
-implemented as a macro.
-.El
-.Pp
-Some algorithms are documented in separate manual pages:
-.Pp
-.Bl -column "EVP_camellia_128_cbc(3)" "block size" -compact
-.It manual page               Ta block size Ta Fa key No size Pq in bits
-.It Xr EVP_aes_128_cbc 3      Ta 128        Ta 128, 192, 256
-.It Xr EVP_aes_128_ccm 3      Ta 128        Ta 128, 192, 256
-.It Xr EVP_aes_128_gcm 3      Ta 128        Ta 128, 192, 256
-.It Xr EVP_camellia_128_cbc 3 Ta 128        Ta 128, 192, 256
-.It Xr EVP_chacha20 3         Ta stream     Ta 256
-.It Xr EVP_des_cbc 3          Ta 64         Ta 64
-.It Xr EVP_rc2_cbc 3          Ta 64         Ta variable, default 128
-.It Xr EVP_rc4 3              Ta stream     Ta variable, default 128
-.It Xr EVP_sm4_cbc 3          Ta 128        Ta 128
-.El
-.Sh EXAMPLES
-Encrypt a string using blowfish:
-.Bd -literal -offset 3n
-int
-do_crypt(char *out_filename)
-{
-        unsigned char out_buf[1024];
-        int out_len, tmp_len;
-        /*
-         * Bogus key and IV: we'd normally set these from
-         * another source.
-         */
-        unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
-        unsigned char iv[] = {1,2,3,4,5,6,7,8};
-        const char in_text[] = "Some Crypto Text";
-        EVP_CIPHER_CTX *ctx;
-        FILE *out_fileptr;
-
-        ctx = EVP_CIPHER_CTX_new();
-        EVP_EncryptInit_ex(ctx, EVP_bf_cbc(), NULL, key, iv);
-
-        if (!EVP_EncryptUpdate(ctx, out_buf, &out_len, in_text,
-            strlen(in_text))) {
-                /* Error */
-                EVP_CIPHER_CTX_free(ctx);
-                return 0;
-        }
-        /*
-         * Buffer passed to EVP_EncryptFinal() must be after data just
-         * encrypted to avoid overwriting it.
-         */
-        if (!EVP_EncryptFinal_ex(ctx, out_buf + out_len, &tmp_len)) {
-                /* Error */
-                EVP_CIPHER_CTX_free(ctx);
-                return 0;
-        }
-        out_len += tmp_len;
-        EVP_CIPHER_CTX_free(ctx);
-        /*
-         * Need binary mode for fopen because encrypted data is
-         * binary data. Also cannot use strlen() on it because
-         * it won't be NUL terminated and may contain embedded
-         * NULs.
-         */
-        out_fileptr = fopen(out_filename, "wb");
-        if (out_fileptr == NULL) {
-                /* Error */
-                return 0;
-        }
-        fwrite(out_buf, 1, out_len, out_fileptr);
-        fclose(out_fileptr);
-        return 1;
-}
-.Ed
-.Pp
-The ciphertext from the above example can be decrypted using the
-.Xr openssl 1
-utility with the command line:
-.Bd -literal -offset indent
-openssl bf -in cipher.bin -K 000102030405060708090A0B0C0D0E0F \e
-           -iv 0102030405060708 -d
-.Ed
-.Pp
-General encryption, decryption function example using FILE I/O and AES128
-with a 128-bit key:
-.Bd -literal
-int
-do_crypt(FILE *in_fileptr, FILE *out_fileptr, int do_encrypt)
-{
-        /* Allow enough space in output buffer for additional block */
-        unsigned char in_buf[1024], out_buf[1024 + EVP_MAX_BLOCK_LENGTH];
-        int in_len, out_len;
-        EVP_CIPHER_CTX *ctx;
-
-        /*
-         * Bogus key and IV: we'd normally set these from
-         * another source.
-         */
-        unsigned char key[] = "0123456789abcdeF";
-        unsigned char iv[] = "1234567887654321";
-
-        ctx = EVP_CIPHER_CTX_new();
-        EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, NULL, NULL,
-            do_encrypt);
-        EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, do_encrypt);
-
-        for (;;) {
-                in_len = fread(in_buf, 1, 1024, in_fileptr);
-                if (in_len <= 0)
-                        break;
-                if (!EVP_CipherUpdate(ctx, out_buf, &out_len, in_buf,
-                    in_len)) {
-                        /* Error */
-                        EVP_CIPHER_CTX_free(ctx);
-                        return 0;
-                }
-                fwrite(out_buf, 1, out_len, out_fileptr);
-        }
-        if (!EVP_CipherFinal_ex(ctx, out_buf, &out_len)) {
-                /* Error */
-                EVP_CIPHER_CTX_free(ctx);
-                return 0;
-        }
-        fwrite(out_buf, 1, out_len, out_fileptr);
-
-        EVP_CIPHER_CTX_free(ctx);
-        return 1;
-}
-.Ed
-.Sh SEE ALSO
-.Xr BIO_f_cipher 3 ,
-.Xr evp 3 ,
-.Xr EVP_AEAD_CTX_init 3 ,
-.Xr EVP_aes_128_cbc 3 ,
-.Xr EVP_aes_128_ccm 3 ,
-.Xr EVP_aes_128_gcm 3 ,
-.Xr EVP_camellia_128_cbc 3 ,
-.Xr EVP_chacha20 3 ,
-.Xr EVP_CIPHER_CTX_ctrl 3 ,
-.Xr EVP_CIPHER_CTX_get_cipher_data 3 ,
-.Xr EVP_CIPHER_CTX_init 3 ,
-.Xr EVP_CIPHER_CTX_set_flags 3 ,
-.Xr EVP_CIPHER_nid 3 ,
-.Xr EVP_des_cbc 3 ,
-.Xr EVP_OpenInit 3 ,
-.Xr EVP_rc2_cbc 3 ,
-.Xr EVP_rc4 3 ,
-.Xr EVP_SealInit 3 ,
-.Xr EVP_sm4_cbc 3
-.Sh HISTORY
-.Fn EVP_EncryptInit ,
-.Fn EVP_EncryptUpdate ,
-.Fn EVP_EncryptFinal ,
-.Fn EVP_DecryptInit ,
-.Fn EVP_DecryptUpdate ,
-.Fn EVP_DecryptFinal ,
-.Fn EVP_CipherInit ,
-.Fn EVP_CipherUpdate ,
-.Fn EVP_CipherFinal ,
-.Fn EVP_get_cipherbyname ,
-.Fn EVP_idea_cbc ,
-.Fn EVP_idea_ecb ,
-.Fn EVP_idea_cfb ,
-and
-.Fn EVP_idea_ofb
-first appeared in SSLeay 0.5.1.
-.Fn EVP_bf_cbc ,
-.Fn EVP_bf_ecb ,
-.Fn EVP_bf_cfb ,
-and
-.Fn EVP_bf_ofb
-first appeared in SSLeay 0.6.6.
-.Fn EVP_get_cipherbyobj ,
-.Fn EVP_CIPHER_CTX_cipher ,
-and
-.Fn EVP_enc_null
-first appeared in SSLeay 0.8.0.
-.Fn EVP_get_cipherbynid
-first appeared in SSLeay 0.8.1.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_EncryptInit_ex ,
-.Fn EVP_EncryptFinal_ex ,
-.Fn EVP_DecryptInit_ex ,
-.Fn EVP_DecryptFinal_ex ,
-.Fn EVP_CipherInit_ex ,
-and
-.Fn EVP_CipherFinal_ex
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn EVP_bf_cfb64 ,
-.Fn EVP_cast5_cfb64 ,
-and
-.Fn EVP_idea_cfb64
-first appeared in OpenSSL 0.9.7e and have been available since
-.Ox 3.8 .
-.Pp
-.Fn EVP_CIPHER_CTX_new
-and
-.Fn EVP_CIPHER_CTX_free
-first appeared in OpenSSL 0.9.8b and have been available since
-.Ox 4.5 .
-.Pp
-.Fn EVP_CIPHER_CTX_copy
-first appeared in OpenSSL 1.0.0
-and has been available since
-.Ox 4.9 .
-.Pp
-.Fn EVP_CIPHER_CTX_reset
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
-.Pp
-.Fn EVP_CIPHER_CTX_encrypting
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.4 .
-.Sh BUGS
-.Fn EVP_CIPHER_CTX_copy
-may already have cleared the data in
-.Fa out
-and copied some new data into it even if it fails and returns 0.
diff --git a/src/lib/libcrypto/man/EVP_MD_CTX_ctrl.3 b/src/lib/libcrypto/man/EVP_MD_CTX_ctrl.3
deleted file mode 100644
index c8c148faf0..0000000000
--- a/src/lib/libcrypto/man/EVP_MD_CTX_ctrl.3
+++ /dev/null
@@ -1,279 +0,0 @@
-.\" $OpenBSD: EVP_MD_CTX_ctrl.3,v 1.3 2024/03/05 17:21:40 tb Exp $
-.\" full merge up to: OpenSSL man3/EVP_DigestInit.pod
-.\" 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Richard Levitte <levitte@openssl.org>,
-.\" Todd Short <tshort@akamai.com>, Paul Yang <yang.yang@baishancloud.com>,
-.\" and Antoine Salon <asalon@vmware.com>.
-.\" Copyright (c) 2015, 2016, 2018, 2019 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 5 2024 $
-.Dt EVP_MD_CTX_CTRL 3
-.Os
-.Sh NAME
-.Nm EVP_MD_CTX_ctrl ,
-.Nm EVP_MD_CTX_set_flags ,
-.Nm EVP_MD_CTX_clear_flags ,
-.Nm EVP_MD_CTX_test_flags ,
-.Nm EVP_MD_CTX_pkey_ctx ,
-.Nm EVP_MD_CTX_set_pkey_ctx ,
-.Nm EVP_MD_CTX_md_data
-.Nd configure EVP message digest contexts
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_MD_CTX_ctrl
-.Fa "EVP_MD_CTX *ctx"
-.Fa "int command"
-.Fa "int p1"
-.Fa "void* p2"
-.Fc
-.Ft void
-.Fo EVP_MD_CTX_set_flags
-.Fa "EVP_MD_CTX *ctx"
-.Fa "int flags"
-.Fc
-.Ft void
-.Fo EVP_MD_CTX_clear_flags
-.Fa "EVP_MD_CTX *ctx"
-.Fa "int flags"
-.Fc
-.Ft int
-.Fo EVP_MD_CTX_test_flags
-.Fa "const EVP_MD_CTX *ctx"
-.Fa "int flags"
-.Fc
-.Ft EVP_PKEY_CTX *
-.Fo EVP_MD_CTX_pkey_ctx
-.Fa "const EVP_MD_CTX *ctx"
-.Fc
-.Ft void
-.Fo EVP_MD_CTX_set_pkey_ctx
-.Fa "EVP_MD_CTX *ctx"
-.Fa "EVP_PKEY_CTX *pctx"
-.Fc
-.Ft void *
-.Fo EVP_MD_CTX_md_data
-.Fa "const EVP_MD_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_MD_CTX_ctrl
-performs the digest-specific control
-.Fa command
-with the command-specific arguments
-.Fa p1
-and
-.Fa p2
-on
-.Fa ctx ,
-which needs to already be set up with
-.Xr EVP_DigestInit_ex 3
-before calling this function.
-Other restrictions may apply depending on the control
-.Fa command
-and digest implementation.
-.Pp
-If the
-.Fa command
-is
-.Dv EVP_MD_CTRL_MICALG ,
-.Fa p1
-is ignored and
-.Fa p2
-is an output argument of the type
-.Fa "char **p2" .
-A string specifying the digest Message Integrity Check algorithm
-is allocated and a pointer to this string is returned in
-.Pf * Fa p2 .
-It is the responsibility of the caller to
-.Xr free 3
-.Pf * Fa p2
-when it is no longer needed.
-This
-.Fa command
-is used by
-.Xr SMIME_write_ASN1 3
-when creating S/MIME multipart/signed messages as specified in RFC 3851.
-.Pp
-.Fn EVP_MD_CTX_set_flags
-sets and
-.Fn EVP_MD_CTX_clear_flags
-clears all the flag bits in
-.Fa ctx
-that are set in the
-.Fa flags
-argument.
-.Fn EVP_MD_CTX_test_flags
-tests which of the flag bits that are set in the
-.Fa flags
-argument are also set in
-.Fa ctx .
-Possible flag bits are:
-.Bl -tag -width Ds -offset 2n
-.It Dv EVP_MD_CTX_FLAG_NO_INIT
-Instruct
-.Xr EVP_DigestInit_ex 3
-and functions calling it not to initialise the internal data
-that is specific to the digest method and its implementation.
-.It Dv EVP_MD_CTX_FLAG_ONESHOT
-Instruct the digest to optimize for one update only, if possible.
-For digest algorithms built into the library, this flag usually
-has no effect.
-.El
-.Pp
-.Fn EVP_MD_CTX_pkey_ctx
-returns the
-.Vt EVP_PKEY_CTX
-assigned to
-.Fa ctx .
-The returned pointer should not be freed by the caller.
-.Pp
-.Fn EVP_MD_CTX_set_pkey_ctx
-assigns
-.Fa pctx
-to
-.Fa ctx .
-This is normally used to provide a customized
-.Vt EVP_PKEY_CTX
-to
-.Xr EVP_DigestSignInit 3
-or
-.Xr EVP_DigestVerifyInit 3 .
-The caller retains ownership of the
-.Fa pctx
-passed to this function and is responsible for freeing it
-when it is no longer needed.
-.Pp
-If the
-.Fa ctx
-already contains a
-.Vt EVP_PKEY_CTX
-when this function is called, that old
-.Vt EVP_PKEY_CTX
-is freed if it was created internally, but if it was also installed with
-.Fn EVP_MD_CTX_set_pkey_ctx ,
-the pointer to the old
-.Vt EVP_PKEY_CTX
-is merely replaced by the new pointer and ownership of the old
-.Vt EVP_PKEY_CTX
-remains with the previous caller.
-.Pp
-Passing a
-.Dv NULL
-pointer for the
-.Fa pctx
-argument is also allowed.
-In that case, any
-.Vt EVP_PKEY_CTX
-already assigned to
-.Fa ctx
-is dissociated from it as described above, but no new
-.Vt EVP_PKEY_CTX
-is assigned.
-.Pp
-.Fn EVP_MD_CTX_md_data
-returns the digest method private data of
-.Fa ctx .
-The space is allocated with a size determined at compile time.
-The size is not exposed by an API.
-.Sh RETURN VALUES
-.Fn EVP_MD_CTX_ctrl
-returns 1 for success or 0 for failure.
-.Pp
-.Fn EVP_MD_CTX_test_flags
-returns the bitwise OR of the
-.Fa flags
-argument and the flags set in
-.Fa ctx .
-.Pp
-.Fn EVP_MD_CTX_pkey_ctx
-and
-.Fn EVP_MD_CTX_md_data
-return pointers to storage owned by
-.Fa ctx .
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_DigestInit 3 ,
-.Xr EVP_MD_nid 3
-.Sh HISTORY
-.Fn EVP_MD_CTX_set_flags ,
-.Fn EVP_MD_CTX_clear_flags ,
-and
-.Fn EVP_MD_CTX_test_flags ,
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn EVP_MD_CTX_ctrl
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 5.7 .
-.Pp
-.Fn EVP_MD_CTX_pkey_ctx
-and
-.Fn EVP_MD_CTX_md_data
-first appeared in OpenSSL 1.1.0 and
-.Fn EVP_MD_CTX_set_pkey_ctx
-in OpenSSL 1.1.1.
-These functions have been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/EVP_MD_nid.3 b/src/lib/libcrypto/man/EVP_MD_nid.3
deleted file mode 100644
index 15806091de..0000000000
--- a/src/lib/libcrypto/man/EVP_MD_nid.3
+++ /dev/null
@@ -1,315 +0,0 @@
-.\" $OpenBSD: EVP_MD_nid.3,v 1.4 2024/03/05 17:21:40 tb Exp $
-.\" full merge up to: OpenSSL man3/EVP_DigestInit.pod
-.\" 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" and Antoine Salon <asalon@vmware.com>.
-.\" Copyright (c) 2000, 2012, 2019 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 5 2024 $
-.Dt EVP_MD_NID 3
-.Os
-.Sh NAME
-.Nm EVP_MD_nid ,
-.Nm EVP_MD_type ,
-.Nm EVP_MD_CTX_type ,
-.Nm EVP_MD_name ,
-.Nm EVP_MD_size ,
-.Nm EVP_MD_CTX_size ,
-.Nm EVP_MD_block_size ,
-.Nm EVP_MD_CTX_block_size ,
-.Nm EVP_MD_flags ,
-.Nm EVP_MD_pkey_type
-.Nd inspect EVP_MD objects
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_MD_nid
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo EVP_MD_type
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo EVP_MD_CTX_type
-.Fa "const EVP_MD_CTX *ctx"
-.Fc
-.Ft const char *
-.Fo EVP_MD_name
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo EVP_MD_size
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo EVP_MD_CTX_size
-.Fa "const EVP_MD_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_MD_block_size
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo EVP_MD_CTX_block_size
-.Fa "const EVP_MD_CTX *ctx"
-.Fc
-.Ft unsigned long
-.Fo EVP_MD_flags
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo EVP_MD_pkey_type
-.Fa "const EVP_MD *md"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_MD_nid
-and
-.Fn EVP_MD_type
-are identical and return the numerical identifier (NID) of
-.Fa md .
-The NID is an internal value which may or may not have
-a corresponding ASN.1 OBJECT IDENTIFIER; see
-.Xr OBJ_nid2obj 3
-for details.
-For example ,
-.Fn EVP_MD_type EVP_sha512()
-returns
-.Dv NID_sha512 .
-.Fn EVP_MD_CTX_type
-returns the NID of the message digest algorithm that
-.Fa ctx
-is configured to use.
-These functions are normally used when setting ASN.1 OIDs.
-.Pp
-.Fn EVP_MD_name
-converts the NID of
-.Fa md
-to its short name with
-.Xr OBJ_nid2sn 3 .
-.Pp
-.Fn EVP_MD_size
-returns the size in bytes of the message digests (hashes) produced by
-.Fa md .
-.Fn EVP_MD_CTX_size
-return the size of the hashes produced by the message digest algorithm that
-.Fa ctx
-is configured to use.
-.Pp
-.Fn EVP_MD_block_size
-returns the block size in bytes of
-.Fa md .
-.Fn EVP_MD_CTX_block_size
-returns the block size of the message digest algorithm that
-.Fa ctx
-is configured to use.
-.Pp
-.Fn EVP_MD_flags
-returns the message digest flags used by
-.Fa md .
-Be careful to not confuse these flags with the unrelated
-message digest context flags that can be inspected with
-.Xr EVP_MD_CTX_test_flags 3 .
-The available flags are:
-.Bl -tag -width Ds
-.It Dv EVP_MD_FLAG_DIGALGID_NULL
-The parameters in a
-.Vt DigestAlgorithmIdentifier
-are encoded using an explicit ASN.1
-.Dv NULL
-rather than omitting them.
-This is the default, which means that it takes effect for
-.Vt EVP_MD
-objects that do not have
-.Dv EVP_MD_FLAG_DIGALGID_ABSENT
-set.
-.It Dv EVP_MD_FLAG_DIGALGID_ABSENT
-The parameters in a
-.Vt DigestAlgorithmIdentifier
-are omitted from the ASN.1 encoding.
-This is used by the
-.Vt EVP_MD
-objects documented in the manual page
-.Xr EVP_sha3_224 3
-and by the objects returned from
-.Xr EVP_sha512 3 ,
-.Xr EVP_sha512_256 3 ,
-.Xr EVP_sha512_224 3 ,
-.Xr EVP_sha384 3 ,
-.Xr EVP_sha256 3 ,
-.Xr EVP_sha224 3 ,
-.Xr EVP_sha1 3 ,
-and
-.Xr EVP_sm3 3 .
-.It Dv EVP_MD_FLAG_DIGALGID_CUSTOM
-This flag is reserved for user-defined
-.Vt EVP_MD
-objects supporting custom
-.Vt DigestAlgorithmIdentifier
-handling via
-.Xr EVP_MD_CTX_ctrl 3 ,
-but actually, it is ignored by both LibreSSL and OpenSSL
-and such user-defined behaviour is not supported by the libraries.
-.It Dv EVP_MD_FLAG_FIPS
-Mark the digest method as suitable for FIPS mode.
-This flag is ignored by both LibreSSL and OpenSSL.
-.It Dv EVP_MD_FLAG_ONESHOT
-Intended to indicate that the digest method can only handle one block
-of input, but actually, this flag is ignored by both LibreSSL and OpenSSL.
-.El
-.Pp
-.Fn EVP_MD_pkey_type
-returns the NID of the public key signing algorithm associated with this
-digest.
-For example,
-.Xr EVP_sha512 3
-is associated with RSA, so this returns
-.Dv NID_sha512WithRSAEncryption .
-Since digests and signature algorithms are no longer linked, this
-function is only retained for compatibility reasons.
-.Pp
-.Fn EVP_MD_nid ,
-.Fn EVP_MD_CTX_type ,
-.Fn EVP_MD_name ,
-.Fn EVP_MD_CTX_size ,
-and
-.Fn EVP_MD_CTX_block_size
-are implemented as macros.
-.Sh RETURN VALUES
-.Fn EVP_MD_nid ,
-.Fn EVP_MD_type ,
-.Fn EVP_MD_CTX_type ,
-and
-.Fn EVP_MD_pkey_type
-return the NID of the corresponding OBJECT IDENTIFIER or
-.Dv NID_undef
-if none exists.
-.Pp
-.Fn EVP_MD_name
-returns a pointer to a string
-that is owned by an internal library object or
-.Dv NULL
-if the NID is neither built into the library nor added to the global
-object table by one of the functions documented in the manual page
-.Xr OBJ_create 3 ,
-or if the object does not contain a short name.
-.Pp
-.Fn EVP_MD_size ,
-.Fn EVP_MD_CTX_size ,
-.Fn EVP_MD_block_size ,
-and
-.Fn EVP_MD_CTX_block_size
-return the digest or block size in bytes.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_DigestInit 3 ,
-.Xr EVP_MD_CTX_ctrl 3 ,
-.Xr OBJ_nid2obj 3
-.Sh STANDARDS
-RFC 5754: Using SHA2 Algorithms with Cryptographic Message Syntax
-.Bl -dash -compact -offset indent
-.It
-section 2: Message Digest Algorithms
-.El
-.Sh HISTORY
-.Fn EVP_MD_size
-first appeared in SSLeay 0.6.6,
-.Fn EVP_MD_CTX_size
-and
-.Fn EVP_MD_CTX_type
-in SSLeay 0.8.0,
-.Fn EVP_MD_type
-and
-.Fn EVP_MD_pkey_type
-in SSLeay 0.8.1, and
-.Fn EVP_MD_block_size
-and
-.Fn EVP_MD_CTX_block_size
-in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_MD_nid
-and
-.Fn EVP_MD_name
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn EVP_MD_flags
-first appeared in OpenSSL 1.0.0
-and has been available since
-.Ox 4.9 .
-.Sh CAVEATS
-The behaviour of the functions taking an
-.Vt EVP_MD_CTX
-argument is undefined if they are called on a
-.Fa ctx
-that has no message digest configured yet,
-for example one freshly returned from
-.Xr EVP_MD_CTX_new 3 .
-In that case, the program may for example be terminated by a
-.Dv NULL
-pointer access.
diff --git a/src/lib/libcrypto/man/EVP_OpenInit.3 b/src/lib/libcrypto/man/EVP_OpenInit.3
deleted file mode 100644
index fbd0e75571..0000000000
--- a/src/lib/libcrypto/man/EVP_OpenInit.3
+++ /dev/null
@@ -1,157 +0,0 @@
-.\"     $OpenBSD: EVP_OpenInit.3,v 1.9 2023/11/16 20:27:43 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 16 2023 $
-.Dt EVP_OPENINIT 3
-.Os
-.Sh NAME
-.Nm EVP_OpenInit ,
-.Nm EVP_OpenUpdate ,
-.Nm EVP_OpenFinal
-.Nd EVP envelope decryption
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_OpenInit
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "EVP_CIPHER *type"
-.Fa "unsigned char *ek"
-.Fa "int ekl"
-.Fa "unsigned char *iv"
-.Fa "EVP_PKEY *priv"
-.Fc
-.Ft int
-.Fo EVP_OpenUpdate
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *outl"
-.Fa "unsigned char *in"
-.Fa "int inl"
-.Fc
-.Ft int
-.Fo EVP_OpenFinal
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *outl"
-.Fc
-.Sh DESCRIPTION
-The EVP envelope routines are a high level interface to envelope
-decryption.
-They decrypt a public key encrypted symmetric key and then decrypt data
-using it.
-.Pp
-.Fn EVP_OpenInit
-initializes a cipher context
-.Fa ctx
-for decryption with cipher
-.Fa type .
-It decrypts the encrypted symmetric key of length
-.Fa ekl
-bytes passed in the
-.Fa ek
-parameter using the private key
-.Fa priv .
-The IV is supplied in the
-.Fa iv
-parameter.
-.Pp
-.Fn EVP_OpenUpdate
-and
-.Fn EVP_OpenFinal
-have exactly the same properties as the
-.Xr EVP_DecryptUpdate 3
-and
-.Xr EVP_DecryptFinal 3
-routines.
-.Pp
-It is possible to call
-.Fn EVP_OpenInit
-twice in the same way as
-.Xr EVP_DecryptInit 3 .
-The first call should have
-.Fa priv
-set to
-.Dv NULL
-and (after setting any cipher parameters) it should be
-called again with
-.Fa type
-set to
-.Dv NULL .
-.Pp
-If the cipher passed in the
-.Fa type
-parameter is a variable length cipher then the key length will be set to
-the value of the recovered key length.
-If the cipher is a fixed length cipher then the recovered key length
-must match the fixed cipher length.
-.Pp
-.Fn EVP_OpenUpdate
-is implemented as a macro.
-.Sh RETURN VALUES
-.Fn EVP_OpenInit
-returns 0 on error or a non-zero integer (actually the recovered secret
-key size) if successful.
-.Pp
-.Fn EVP_OpenUpdate
-returns 1 for success or 0 for failure.
-.Pp
-.Fn EVP_OpenFinal
-returns 0 if the decrypt failed or 1 for success.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_EncryptInit 3 ,
-.Xr EVP_SealInit 3
-.Sh HISTORY
-.Fn EVP_OpenInit ,
-.Fn EVP_OpenUpdate ,
-and
-.Fn EVP_OpenFinal
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/EVP_PKCS82PKEY.3 b/src/lib/libcrypto/man/EVP_PKCS82PKEY.3
deleted file mode 100644
index 30a43b8dca..0000000000
--- a/src/lib/libcrypto/man/EVP_PKCS82PKEY.3
+++ /dev/null
@@ -1,60 +0,0 @@
-.\" $OpenBSD: EVP_PKCS82PKEY.3,v 1.3 2024/03/05 19:21:31 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 5 2024 $
-.Dt EVP_PKCS82PKEY 3
-.Os
-.Sh NAME
-.Nm EVP_PKCS82PKEY ,
-.Nm EVP_PKEY2PKCS8
-.Nd convert between EVP_PKEY and PKCS#8 PrivateKeyInfo
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft EVP_PKEY *
-.Fn EVP_PKCS82PKEY "const PKCS8_PRIV_KEY_INFO *keyinfo"
-.Ft PKCS8_PRIV_KEY_INFO *
-.Fn EVP_PKEY2PKCS8 "EVP_PKEY *pkey"
-.Sh DESCRIPTION
-.Fn EVP_PKCS82PKEY
-extracts the private key from a PKCS#8
-.Vt PrivateKeyInfo
-structure.
-.Pp
-.Fn EVP_PKEY2PKCS8
-creates a PKCS#8
-.Vt PrivateKeyInfo
-structure representing the private key contained in
-.Fa pkey .
-.Pp
-Supported algorithms include DH, DSA, EC, and RSA.
-.Sh RETURN VALUES
-These functions return a newly allocated object or
-.Dv NULL
-if the algorithm indicated in
-.Fa keyinfo
-or
-.Fa pkey
-is unsupported or if memory allocation, decoding, or encoding fails.
-.Sh SEE ALSO
-.Xr EVP_PKEY_base_id 3 ,
-.Xr EVP_PKEY_new 3 ,
-.Xr PKCS8_pkey_set0 3 ,
-.Xr PKCS8_PRIV_KEY_INFO_new 3 ,
-.Xr X509_ALGOR_get0 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.3
-and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
deleted file mode 100644
index 137e576c46..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
+++ /dev/null
@@ -1,582 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.28 2024/12/10 14:54:20 schwarze Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\" Parts were split out into RSA_pkey_ctx_ctrl(3).
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2019, 2023, 2024 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" and Antoine Salon <asalon@vmware.com>.
-.\" Copyright (c) 2006, 2009, 2013, 2014, 2015, 2018 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 10 2024 $
-.Dt EVP_PKEY_CTX_CTRL 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_CTX_ctrl ,
-.Nm EVP_PKEY_CTX_ctrl_str ,
-.Nm EVP_PKEY_CTX_set_signature_md ,
-.Nm EVP_PKEY_CTX_get_signature_md ,
-.Nm EVP_PKEY_CTX_set_dsa_paramgen_bits ,
-.Nm EVP_PKEY_CTX_set_dh_paramgen_prime_len ,
-.Nm EVP_PKEY_CTX_set_dh_paramgen_generator ,
-.Nm EVP_PKEY_CTX_set_ec_paramgen_curve_nid ,
-.Nm EVP_PKEY_CTX_set_ec_param_enc ,
-.Nm EVP_PKEY_CTX_set_ecdh_cofactor_mode ,
-.Nm EVP_PKEY_CTX_get_ecdh_cofactor_mode ,
-.Nm EVP_PKEY_CTX_set_ecdh_kdf_type ,
-.Nm EVP_PKEY_CTX_get_ecdh_kdf_type ,
-.Nm EVP_PKEY_CTX_set_ecdh_kdf_md ,
-.Nm EVP_PKEY_CTX_get_ecdh_kdf_md ,
-.Nm EVP_PKEY_CTX_set_ecdh_kdf_outlen ,
-.Nm EVP_PKEY_CTX_get_ecdh_kdf_outlen ,
-.Nm EVP_PKEY_CTX_set0_ecdh_kdf_ukm ,
-.Nm EVP_PKEY_CTX_get0_ecdh_kdf_ukm ,
-.Nm EVP_PKEY_CTX_set1_id ,
-.Nm EVP_PKEY_CTX_get1_id ,
-.Nm EVP_PKEY_CTX_get1_id_len
-.Nd algorithm specific control operations
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_PKEY_CTX_ctrl
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int keytype"
-.Fa "int optype"
-.Fa "int cmd"
-.Fa "int p1"
-.Fa "void *p2"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_ctrl_str
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "const char *type"
-.Fa "const char *value"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_signature_md
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_get_signature_md
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "const EVP_MD **pmd"
-.Fc
-.In openssl/dsa.h
-.Ft int
-.Fo EVP_PKEY_CTX_set_dsa_paramgen_bits
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int nbits"
-.Fc
-.In openssl/dh.h
-.Ft int
-.Fo EVP_PKEY_CTX_set_dh_paramgen_prime_len
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_dh_paramgen_generator
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int gen"
-.Fc
-.In openssl/ec.h
-.Ft int
-.Fo EVP_PKEY_CTX_set_ec_paramgen_curve_nid
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int nid"
-.Fc
-.Fa int
-.Fo EVP_PKEY_CTX_set_ec_param_enc
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int param_enc"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_ecdh_cofactor_mode
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int cofactor_mode"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_get_ecdh_cofactor_mode
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_ecdh_kdf_type
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int kdf"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_get_ecdh_kdf_type
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_ecdh_kdf_md
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_get_ecdh_kdf_md
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "const EVP_MD **pmd"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_ecdh_kdf_outlen
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_get_ecdh_kdf_outlen
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int *plen"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set0_ecdh_kdf_ukm
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "unsigned char *ukm"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_get0_ecdh_kdf_ukm
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "unsigned char **pukm"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set1_id
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "void *id"
-.Fa "size_t id_len"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_get1_id
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "void *id"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_get1_id_len
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "size_t *pid_len"
-.Fc
-.Sh DESCRIPTION
-The function
-.Fn EVP_PKEY_CTX_ctrl
-sends a control operation to the context
-.Fa ctx .
-The key type used must match
-.Fa keytype
-if it is not -1.
-The parameter
-.Fa optype
-is a mask indicating which operations the control can be applied to.
-The control command is indicated in
-.Fa cmd
-and any additional arguments in
-.Fa p1
-and
-.Fa p2 .
-.Pp
-Applications will not normally call
-.Fn EVP_PKEY_CTX_ctrl
-directly but will instead call one of the algorithm specific macros
-described below and in
-.Xr RSA_pkey_ctx_ctrl 3 .
-.Pp
-The function
-.Fn EVP_PKEY_CTX_ctrl_str
-allows an application to send an algorithm specific control operation to
-a context
-.Fa ctx
-in string form.
-This is intended to be used for options specified on the command line or
-in text files.
-The commands supported are documented in the
-.Xr openssl 1
-utility command line pages for the option
-.Fl pkeyopt
-which is supported by the
-.Cm pkeyutl ,
-.Cm genpkey ,
-and
-.Cm req
-commands.
-.Pp
-All the remaining "functions" are implemented as macros.
-.Pp
-The
-.Fn EVP_PKEY_CTX_set_signature_md
-and
-.Fn EVP_PKEY_CTX_get_signature_md
-macros set and get the message digest type used in a signature.
-They can be used with the RSA, DSA, and ECDSA algorithms.
-If the key is of the type
-.Dv EVP_PKEY_RSA_PSS
-and has usage restrictions, an error occurs if an attempt is made
-to set the digest to anything other than the restricted value.
-.Pp
-These two macros expand to
-.Fn EVP_PKEY_CTX_ctrl
-with an
-.Fa optype
-of
-.Dv EVP_PKEY_OP_TYPE_SIG
-and the following command arguments:
-.Pp
-.Bl -column -compact EVP_PKEY_CTRL_GET_MD EVP_PKEY_CTX_get_signature_md()
-.It Fa cmd No constant      Ta corresponding macro
-.It Dv EVP_PKEY_CTRL_MD     Ta Fn EVP_PKEY_CTX_set_signature_md
-.It Dv EVP_PKEY_CTRL_GET_MD Ta Fn EVP_PKEY_CTX_get_signature_md
-.El
-.Ss DSA parameters
-The macro
-.Fn EVP_PKEY_CTX_set_dsa_paramgen_bits
-sets the number of bits used for DSA parameter generation to
-.Fa nbits .
-If not specified, 1024 is used.
-.Ss DH parameters
-The macro
-.Fn EVP_PKEY_CTX_set_dh_paramgen_prime_len
-sets the length of the DH prime parameter
-.Fa len
-for DH parameter generation.
-It only accepts lengths greater than or equal to 256.
-If this macro is not called, then 1024 is used.
-.Pp
-The
-.Fn EVP_PKEY_CTX_set_dh_paramgen_generator
-macro sets DH generator to
-.Fa gen
-for DH parameter generation.
-If not specified, 2 is used.
-.Ss EC parameters
-The
-.Fn EVP_PKEY_CTX_set_ec_paramgen_curve_nid
-macro sets the EC curve for EC parameter generation to
-.Fa nid .
-For EC parameter generation, this macro must be called or an error occurs
-because there is no default curve.
-.Pp
-The
-.Fn EVP_PKEY_CTX_set_ec_param_enc
-macro sets the EC parameter encoding to
-.Fa param_enc
-when generating EC parameters or an EC key.
-The encoding can be set to 0 for explicit parameters or to
-.Dv OPENSSL_EC_NAMED_CURVE
-to use named curve form.
-.Ss ECDH parameters
-The
-.Fn EVP_PKEY_CTX_set_ecdh_cofactor_mode
-macro sets the cofactor mode to
-.Fa cofactor_mode
-for ECDH key derivation.
-Possible values are 1 to enable cofactor key derivation, 0 to disable
-it, or -1 to clear the stored cofactor mode and fall back to the
-private key cofactor mode.
-.Pp
-The
-.Fn EVP_PKEY_CTX_get_ecdh_cofactor_mode
-macro returns the cofactor mode for
-.Fa ctx
-used for ECDH key derivation.
-Possible return values are 1 when cofactor key derivation is enabled
-or 0 otherwise.
-.Ss ECDH key derivation function parameters
-The
-.Fn EVP_PKEY_CTX_set_ecdh_kdf_type
-macro sets the key derivation function type to
-.Fa kdf
-for ECDH key derivation.
-Possible values are
-.Dv EVP_PKEY_ECDH_KDF_NONE
-or
-.Dv EVP_PKEY_ECDH_KDF_X9_63
-which uses the key derivation specified in X9.63.
-When using key derivation, the
-.Fa kdf_md
-and
-.Fa kdf_outlen
-parameters must also be specified.
-.Pp
-The
-.Fn EVP_PKEY_CTX_get_ecdh_kdf_type
-macro returns the key derivation function type for
-.Fa ctx
-used for ECDH key derivation.
-Possible return values are
-.Dv EVP_PKEY_ECDH_KDF_NONE
-or
-.Dv EVP_PKEY_ECDH_KDF_X9_63 .
-.Pp
-The
-.Fn EVP_PKEY_CTX_set_ecdh_kdf_md
-macro sets the key derivation function message digest to
-.Fa md
-for ECDH key derivation.
-Note that X9.63 specifies that this digest should be SHA1,
-but OpenSSL tolerates other digests.
-.Pp
-The
-.Fn EVP_PKEY_CTX_get_ecdh_kdf_md
-macro gets the key derivation function message digest for
-.Fa ctx
-used for ECDH key derivation.
-.Pp
-The
-.Fn EVP_PKEY_CTX_set_ecdh_kdf_outlen
-macro sets the key derivation function output length to
-.Fa len
-for ECDH key derivation.
-.Pp
-The
-.Fn EVP_PKEY_CTX_get_ecdh_kdf_outlen
-macro gets the key derivation function output length for
-.Fa ctx
-used for ECDH key derivation.
-.Pp
-The
-.Fn EVP_PKEY_CTX_set0_ecdh_kdf_ukm
-macro sets the user key material to
-.Fa ukm
-for ECDH key derivation.
-This parameter is optional and corresponds to the shared info
-in X9.63 terms.
-The library takes ownership of the user key material, so the caller
-should not free the original memory pointed to by
-.Fa ukm .
-.Pp
-The
-.Fn EVP_PKEY_CTX_get0_ecdh_kdf_ukm
-macro gets the user key material for
-.Fa ctx .
-The return value is the user key material length.
-The resulting pointer is owned by the library and should not be
-freed by the caller.
-.Ss CMAC parameters
-Application programs normally implement CMAC as described in
-.Xr EVP_PKEY_new_CMAC_key 3
-and do not need the control commands documented here.
-.Pp
-Alternatively, the call to
-.Xr EVP_PKEY_new_CMAC_key 3
-can be replaced as follows,
-leaving the rest of the example code given there unchanged:
-.Pp
-.Bl -enum -width 2n -compact
-.It
-Create an empty
-.Vt EVP_PKEY_CTX
-object by passing the
-.Dv EVP_PKEY_CMAC
-constant to
-.Xr EVP_PKEY_CTX_new_id 3 .
-.It
-Initialize it with
-.Xr EVP_PKEY_keygen_init 3 .
-.It
-Select the block cipher by calling
-.Fn EVP_PKEY_CTX_ctrl
-with an
-.Fa optype
-of
-.Dv EVP_PKEY_OP_KEYGEN ,
-a
-.Fa cmd
-of
-.Dv EVP_PKEY_CTRL_CIPHER ,
-and
-.Fa p2
-pointing to an
-.Vt EVP_CIPHER
-object, which can be obtained from the functions in the CIPHER LISTING in
-.Xr EVP_EncryptInit 3 .
-The
-.Fa p1
-argument is ignored; passing 0 is recommended.
-.It
-Call
-.Fn EVP_PKEY_CTX_ctrl
-again with an
-.Fa optype
-of
-.Dv EVP_PKEY_OP_KEYGEN ,
-a
-.Fa cmd
-of
-.Dv EVP_PKEY_CTRL_SET_MAC_KEY ,
-.Fa p2
-pointing to the symmetric key, and
-.Fa p1
-specifying the length of the symmetric key in bytes.
-.It
-Extract the desired
-.Vt EVP_PKEY
-object using
-.Xr EVP_PKEY_keygen 3 ,
-making sure the
-.Fa ppkey
-argument points to a storage location containing a
-.Dv NULL
-pointer.
-.It
-Proceed with
-.Xr EVP_MD_CTX_new 3 ,
-.Xr EVP_DigestSignInit 3 ,
-and
-.Xr EVP_DigestSign 3
-as usual.
-.El
-.Ss HMAC parameters
-Application programs normally implement HMAC as described in
-.Xr EVP_PKEY_new_raw_private_key 3 .
-While it is possible to instead use
-.Dv EVP_PKEY_CTRL_SET_MAC_KEY
-directly, similar to the above description for CMAC,
-that is strongly discouraged.
-It's essentially what the deprecated function
-.Xr EVP_PKEY_new_mac_key 3
-does internally, and compared to the direct approach with
-.Xr EVP_PKEY_new_raw_private_key 3 ,
-it requires a lot of cumbersome and unnecessary work.
-.Ss Other parameters
-The
-.Fn EVP_PKEY_CTX_set1_id ,
-.Fn EVP_PKEY_CTX_get1_id ,
-and
-.Fn EVP_PKEY_CTX_get1_id_len
-macros manipulate a special identifier field used for some specific
-signature algorithms such as SM2.
-The
-.Fn EVP_PKEY_set1_id
-macro sets the ID to a copy of
-.Fa id
-with the length
-.Fa id_len .
-The caller can safely free the original memory pointed to by
-.Fa id .
-The
-.Fn EVP_PKEY_CTX_get1_id_len
-macro returns the length of the ID set via a previous call to
-.Fn EVP_PKEY_set1_id .
-That length is typically used to allocate memory for a subsequent call to
-.Fn EVP_PKEY_CTX_get1_id ,
-which copies the previously set ID into
-.Pf * Fa id .
-The caller is responsible for allocating sufficient memory for
-.Fa id
-before calling
-.Fn EVP_PKEY_CTX_get1_id .
-.Sh RETURN VALUES
-.Fn EVP_PKEY_CTX_ctrl
-and its macros return a positive value for success and 0 or a negative
-value for failure.
-In particular, a return value of -2 indicates the operation is not
-supported by the public key algorithm.
-.Sh SEE ALSO
-.Xr DH_new 3 ,
-.Xr EVP_DigestInit 3 ,
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_decrypt 3 ,
-.Xr EVP_PKEY_derive 3 ,
-.Xr EVP_PKEY_encrypt 3 ,
-.Xr EVP_PKEY_get_default_digest_nid 3 ,
-.Xr EVP_PKEY_keygen 3 ,
-.Xr EVP_PKEY_sign 3 ,
-.Xr EVP_PKEY_verify 3 ,
-.Xr EVP_PKEY_verify_recover 3 ,
-.Xr RSA_pkey_ctx_ctrl 3
-.Sh HISTORY
-The functions
-.Fn EVP_PKEY_CTX_ctrl ,
-.Fn EVP_PKEY_CTX_ctrl_str ,
-.Fn EVP_PKEY_CTX_set_signature_md ,
-.Fn EVP_PKEY_CTX_set_dsa_paramgen_bits ,
-.Fn EVP_PKEY_CTX_set_dh_paramgen_prime_len ,
-.Fn EVP_PKEY_CTX_set_dh_paramgen_generator ,
-and
-.Fn EVP_PKEY_CTX_set_ec_paramgen_curve_nid
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
-.Pp
-The functions
-.Fn EVP_PKEY_CTX_get_signature_md ,
-.Fn EVP_PKEY_CTX_set_ec_param_enc ,
-.Fn EVP_PKEY_CTX_set_ecdh_cofactor_mode ,
-.Fn EVP_PKEY_CTX_get_ecdh_cofactor_mode ,
-.Fn EVP_PKEY_CTX_set_ecdh_kdf_type ,
-.Fn EVP_PKEY_CTX_get_ecdh_kdf_type ,
-.Fn EVP_PKEY_CTX_set_ecdh_kdf_md ,
-.Fn EVP_PKEY_CTX_get_ecdh_kdf_md ,
-.Fn EVP_PKEY_CTX_set_ecdh_kdf_outlen ,
-.Fn EVP_PKEY_CTX_get_ecdh_kdf_outlen ,
-.Fn EVP_PKEY_CTX_set0_ecdh_kdf_ukm ,
-and
-.Fn EVP_PKEY_CTX_get0_ecdh_kdf_ukm
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 6.6 .
-.Pp
-The functions
-.Fn EVP_PKEY_CTX_set1_id ,
-.Fn EVP_PKEY_CTX_get1_id ,
-and
-.Fn EVP_PKEY_CTX_get1_id_len
-first appeared in OpenSSL 1.1.1 and have been available since
-.Ox 6.6 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_get_operation.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_get_operation.3
deleted file mode 100644
index 2482c746d4..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_get_operation.3
+++ /dev/null
@@ -1,137 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_CTX_get_operation.3,v 1.3 2023/09/12 16:15:23 schwarze Exp $
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 12 2023 $
-.Dt EVP_PKEY_CTX_GET_OPERATION 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_CTX_get_operation ,
-.Nm EVP_PKEY_CTX_get0_pkey
-.Nd inspect EVP_PKEY_CTX objects
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_PKEY_CTX_get_operation
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft EVP_PKEY *
-.Fo EVP_PKEY_CTX_get0_pkey
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_PKEY_CTX_get_operation
-finds out which initialization function has been called on
-.Fa ctx ,
-if any:
-.Bl -column EVP_PKEY_OP_VERIFYRECO EVP_PKEY_verify_recover_init
-.It return value             Ta initialized with            Ta e.g. for
-.It Dv EVP_PKEY_OP_DECRYPT   Ta Xr EVP_PKEY_decrypt_init  3 Ta RSA, SM2
-.It Dv EVP_PKEY_OP_DERIVE    Ta Xr EVP_PKEY_derive_init   3 Ta HKDF
-.It Dv EVP_PKEY_OP_ENCRYPT   Ta Xr EVP_PKEY_encrypt_init  3 Ta RSA, SM2
-.It Dv EVP_PKEY_OP_KEYGEN    Ta Xr EVP_PKEY_keygen_init   3 Ta almost all
-.It Dv EVP_PKEY_OP_PARAMGEN  Ta Xr EVP_PKEY_paramgen_init 3 Ta DH, DSA, EC
-.It Dv EVP_PKEY_OP_SIGN      Ta Xr EVP_PKEY_sign_init     3 Ta DSA,EC,RSA,SM2
-.It Dv EVP_PKEY_OP_SIGN      Ta Xr EVP_DigestSignInit     3 Ta ED25519
-.It Dv EVP_PKEY_OP_SIGNCTX   Ta Xr EVP_DigestSignInit     3 Ta CMAC, HMAC
-.It Dv EVP_PKEY_OP_UNDEFINED Ta not initialized             Ta NONE
-.It Dv EVP_PKEY_OP_VERIFY    Ta Xr EVP_PKEY_verify_init   3 Ta DSA,EC,RSA,SM2
-.It Dv EVP_PKEY_OP_VERIFY    Ta Xr EVP_DigestVerifyInit   3 Ta ED25519
-.It Dv EVP_PKEY_OP_VERIFYCTX Ta Xr EVP_DigestVerifyInit   3 Ta no built-in
-.It Dv EVP_PKEY_OP_VERIFYRECOVER Ta Xr EVP_PKEY_verify_recover_init 3 Ta RSA
-.El
-.Pp
-The rightmost column of the above table shows examples of algorithms
-the return values can occur for.
-For example, if
-.Xr EVP_PKEY_base_id 3
-returns
-.Dv EVP_PKEY_HKDF ,
-then calling
-.Fn EVP_PKEY_CTX_get_operation
-on a
-.Vt EVP_PKEY_CTX
-using that key may return
-.Dv EVP_PKEY_OP_DERIVE .
-.Pp
-If the return value is
-.Dv EVP_PKEY_OP_SIGNCTX
-or
-.Dv EVP_PKEY_OP_VERIFYCTX ,
-the
-.Fa ctx
-supports
-.Xr EVP_DigestSignUpdate 3
-or
-.Xr EVP_DigestVerifyUpdate 3 ,
-respectively.
-If the return value is
-.Dv EVP_PKEY_OP_SIGN
-or
-.Dv EVP_PKEY_OP_VERIFY ,
-if does not, and only one-shot signing or verification is supported.
-.Pp
-The return value
-.Dv EVP_PKEY_OP_UNDEFINED
-can for example occur if the
-.Fa ctx
-was freshly returned from
-.Xr EVP_PKEY_CTX_new 3
-or
-.Xr EVP_PKEY_CTX_new_id 3
-and not yet initialized.
-.Pp
-The following masks are defined as the logical OR of two or more of the above
-.Dv EVP_PKEY_OP_*
-bits:
-.Pp
-.Bl -tag -width EVP_PKEY_OP_TYPE_NOGEN -compact
-.It Dv EVP_PKEY_OP_TYPE_CRYPT
-DECRYPT | ENCRYPT
-.It Dv EVP_PKEY_OP_TYPE_GEN
-KEYGEN | PARAMGEN
-.It Dv EVP_PKEY_OP_TYPE_NOGEN
-CRYPT | DERIVE | SIG
-.It Dv EVP_PKEY_OP_TYPE_SIG
-SIGN | SIGNCTX | VERIFY | VERIFYCTX | VERIFYRECOVER
-.El
-.Sh RETURN VALUES
-.Fn EVP_PKEY_CTX_get_operation
-returns one of the single-bit
-.Dv EVP_PKEY_OP_*
-constants or
-.Dv EVP_PKEY_OP_UNDEFINED
-if
-.Fa ctx
-is not initialized.
-.Pp
-.Fn EVP_PKEY_CTX_get0_pkey
-returns an internal pointer to the
-.Vt EVP_PKEY
-object used by
-.Fa ctx ,
-without incrementing its reference count.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_PKEY_base_id 3 ,
-.Xr EVP_PKEY_CTX_ctrl 3 ,
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_new 3
-.Sh HISTORY
-.Fn EVP_PKEY_CTX_get_operation
-and
-.Fn EVP_PKEY_CTX_get0_pkey
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_new.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_new.3
deleted file mode 100644
index e74bce9dfb..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_new.3
+++ /dev/null
@@ -1,183 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_CTX_new.3,v 1.16 2024/12/06 14:27:49 schwarze Exp $
-.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2019, 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2006, 2009, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_PKEY_CTX_NEW 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_CTX_new ,
-.Nm EVP_PKEY_CTX_new_id ,
-.Nm EVP_PKEY_CTX_dup ,
-.Nm EVP_PKEY_CTX_free
-.Nd public key algorithm context functions
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft EVP_PKEY_CTX *
-.Fo EVP_PKEY_CTX_new
-.Fa "EVP_PKEY *pkey"
-.Fa "ENGINE *engine"
-.Fc
-.Ft EVP_PKEY_CTX *
-.Fo EVP_PKEY_CTX_new_id
-.Fa "int id"
-.Fa "ENGINE *engine"
-.Fc
-.Ft EVP_PKEY_CTX *
-.Fo EVP_PKEY_CTX_dup
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft void
-.Fo EVP_PKEY_CTX_free
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-The
-.Fn EVP_PKEY_CTX_new
-function allocates a public key algorithm context using the algorithm
-specified in
-.Fa pkey .
-The
-.Fa ENGINE *engine
-argument is always ignored and passing
-.Dv NULL
-is recommended.
-.Pp
-The
-.Fn EVP_PKEY_CTX_new_id
-function allocates a public key algorithm context using the algorithm
-specified by
-.Fa id .
-The
-.Fa ENGINE *engine
-argument is always ignored and passing
-.Dv NULL
-is recommended.
-It is normally used when no
-.Vt EVP_PKEY
-structure is associated with the operations, for example during
-parameter generation of key generation for some algorithms.
-The
-.Fa id
-argument can be any of the constants that
-.Xr EVP_PKEY_base_id 3
-and
-.Xr EVP_PKEY_id 3
-may return.
-.Pp
-.Fn EVP_PKEY_CTX_dup
-duplicates the context
-.Fa ctx .
-.Pp
-.Fn EVP_PKEY_CTX_free
-frees up the context
-.Fa ctx .
-If
-.Fa ctx
-is a
-.Dv NULL
-pointer, no action occurs.
-.Sh RETURN VALUES
-.Fn EVP_PKEY_CTX_new ,
-.Fn EVP_PKEY_CTX_new_id ,
-and
-.Fn EVP_PKEY_CTX_dup
-return either the newly allocated
-.Vt EVP_PKEY_CTX
-structure or
-.Dv NULL
-if an error occurred.
-.Sh SEE ALSO
-.Xr EVP_DigestSignInit 3 ,
-.Xr EVP_DigestVerifyInit 3 ,
-.Xr EVP_PKEY_base_id 3 ,
-.Xr EVP_PKEY_CTX_ctrl 3 ,
-.Xr EVP_PKEY_CTX_get_operation 3 ,
-.Xr EVP_PKEY_CTX_hkdf_mode 3 ,
-.Xr EVP_PKEY_decrypt 3 ,
-.Xr EVP_PKEY_derive 3 ,
-.Xr EVP_PKEY_encrypt 3 ,
-.Xr EVP_PKEY_keygen 3 ,
-.Xr EVP_PKEY_new 3 ,
-.Xr EVP_PKEY_sign 3 ,
-.Xr EVP_PKEY_verify 3 ,
-.Xr EVP_PKEY_verify_recover 3 ,
-.Xr RSA_pkey_ctx_ctrl 3 ,
-.Xr X25519 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.0
-and have been available since
-.Ox 4.9 .
-.Sh CAVEATS
-The
-.Vt EVP_PKEY_CTX
-structure is an opaque public key algorithm context used by the OpenSSL
-high level public key API.
-Contexts
-.Sy MUST NOT
-be shared between threads.
-It is not permissible to use the same context simultaneously in two
-threads.
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_set_hkdf_md.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_set_hkdf_md.3
deleted file mode 100644
index 973ae95974..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_set_hkdf_md.3
+++ /dev/null
@@ -1,258 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_CTX_set_hkdf_md.3,v 1.4 2024/07/10 07:57:37 tb Exp $
-.\" full merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
-.\"
-.\" This file was written by Alessandro Ghedini <alessandro@ghedini.me>,
-.\" Matt Caswell <matt@openssl.org>, and Viktor Dukhovni <viktor@dukhovni.org>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 10 2024 $
-.Dt EVP_PKEY_CTX_SET_HKDF_MD 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_CTX_set_hkdf_md ,
-.Nm EVP_PKEY_CTX_set1_hkdf_salt ,
-.Nm EVP_PKEY_CTX_set1_hkdf_key ,
-.Nm EVP_PKEY_CTX_add1_hkdf_info ,
-.Nm EVP_PKEY_CTX_hkdf_mode
-.Nd HMAC-based Extract-and-Expand key derivation algorithm
-.Sh SYNOPSIS
-.In openssl/evp.h
-.In openssl/kdf.h
-.Ft int
-.Fo EVP_PKEY_CTX_hkdf_mode
-.Fa "EVP_PKEY_CTX *pctx"
-.Fa "int mode"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_hkdf_md
-.Fa "EVP_PKEY_CTX *pctx"
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set1_hkdf_salt
-.Fa "EVP_PKEY_CTX *pctx"
-.Fa "unsigned char *salt"
-.Fa "int saltlen"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set1_hkdf_key
-.Fa "EVP_PKEY_CTX *pctx"
-.Fa "unsigned char *key"
-.Fa "int keylen"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_add1_hkdf_info
-.Fa "EVP_PKEY_CTX *pctx"
-.Fa "unsigned char *info"
-.Fa "int infolen"
-.Fc
-.Sh DESCRIPTION
-The
-.Dv EVP_PKEY_HKDF
-algorithm implements the HKDF key derivation function.
-HKDF follows the "extract-then-expand" paradigm, where the KDF logically
-consists of two modules.
-The first stage takes the input keying material and "extracts" from it a
-fixed-length pseudorandom key K.
-The second stage "expands" the key K
-into several additional pseudorandom keys (the output of the KDF).
-.Pp
-.Fn EVP_PKEY_CTX_hkdf_mode
-sets the mode for the HKDF operation.
-There are three modes that are currently defined:
-.Bl -tag -width Ds
-.It Dv EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND
-This is the default mode.
-Calling
-.Xr EVP_PKEY_derive 3
-on an
-.Vt EVP_PKEY_CTX
-set up for HKDF will perform an extract followed by
-an expand operation in one go.
-The derived key returned will be the result after the expand operation.
-The intermediate fixed-length pseudorandom key K is not returned.
-.Pp
-In this mode the digest, key, salt and info values must be set before a
-key is derived or an error occurs.
-.It Dv EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY
-In this mode calling
-.Xr EVP_PKEY_derive 3
-will just perform the extract operation.
-The value returned will be the intermediate fixed-length pseudorandom
-key K.
-.Pp
-The digest, key and salt values must be set before a key is derived or
-an error occurs.
-.It Dv EVP_PKEY_HKDEF_MODE_EXPAND_ONLY
-In this mode calling
-.Xr EVP_PKEY_derive 3
-will just perform the expand operation.
-The input key should be set to the intermediate fixed-length
-pseudorandom key K returned from a previous extract operation.
-.Pp
-The digest, key and info values must be set before a key is derived or
-an error occurs.
-.El
-.Pp
-.Fn EVP_PKEY_CTX_set_hkdf_md
-sets the message digest associated with the HKDF.
-.Pp
-.Fn EVP_PKEY_CTX_set1_hkdf_salt
-sets the salt to
-.Fa saltlen
-bytes of the buffer
-.Fa salt .
-Any existing value is replaced.
-.Pp
-.Fn EVP_PKEY_CTX_set1_hkdf_key
-sets the key to
-.Fa keylen
-bytes of the buffer
-.Fa key .
-Any existing value is replaced.
-.Pp
-.Fn EVP_PKEY_CTX_add1_hkdf_info
-sets the info value to
-.Fa infolen
-bytes of the buffer
-.Fa info .
-If a value is already set, it is appended to the existing value.
-.Sh STRING CTRLS
-HKDF also supports string based control operations via
-.Xr EVP_PKEY_CTX_ctrl_str 3 .
-The
-.Fa type
-parameter "md" uses the supplied
-.Fa value
-as the name of the digest algorithm to use.
-The
-.Fa type
-parameter "mode" accepts "EXTRACT_AND_EXPAND", "EXTRACT_ONLY"
-and "EXPAND_ONLY" as
-.Fa value
-to determine the mode to use.
-The
-.Fa type
-parameters "salt", "key" and "info" use the supplied
-.Fa value
-parameter as a
-seed, key, or info.
-The names "hexsalt", "hexkey" and "hexinfo" are similar except they take
-a hex string which is converted to binary.
-.Sh NOTES
-All these functions are implemented as macros.
-.Pp
-A context for HKDF can be obtained by calling:
-.Bd -literal
- EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
-.Ed
-.Pp
-The total length of the info buffer cannot exceed 1024 bytes in length:
-this should be more than enough for any normal use of HKDF.
-.Pp
-The output length of an HKDF expand operation is specified via the
-length parameter to the
-.Xr EVP_PKEY_derive 3
-function.
-Since the HKDF output length is variable, passing a
-.Dv NULL
-buffer as a means to obtain the requisite length is not meaningful with
-HKDF in any mode that performs an expand operation.
-Instead, the caller must allocate a buffer of the desired length, and
-pass that buffer to
-.Xr EVP_PKEY_derive 3
-along with (a pointer initialized to) the desired length.
-Passing a
-.Dv NULL
-buffer to obtain the length is allowed when using
-.Dv EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY .
-.Sh RETURN VALUES
-All these functions return 1 for success and 0 or a negative value for
-failure.
-In particular a return value of -2 indicates the operation is not
-supported by the public key algorithm.
-.Sh EXAMPLES
-This example derives 10 bytes using SHA-256 with the secret key
-"secret", salt value "salt" and info value "label":
-.Bd -literal
-EVP_PKEY_CTX *pctx;
-unsigned char out[10];
-size_t outlen = sizeof(out);
-
-if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL)) == NULL)
-        /* Error */
-
-if (EVP_PKEY_derive_init(pctx) <= 0)
-        /* Error */
-if (EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()) <= 0)
-        /* Error */
-if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, "salt", 4) <= 0)
-        /* Error */
-if (EVP_PKEY_CTX_set1_hkdf_key(pctx, "secret", 6) <= 0)
-        /* Error */
-if (EVP_PKEY_CTX_add1_hkdf_info(pctx, "label", 5) <= 0)
-        /* Error */
-if (EVP_PKEY_derive(pctx, out, &outlen) <= 0)
-        /* Error */
-.Ed
-.Sh SEE ALSO
-.Xr EVP_PKEY_CTX_ctrl_str 3 ,
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_derive 3
-.Sh STANDARDS
-RFC 5869: HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
-.Sh HISTORY
-.Fn EVP_PKEY_CTX_set_hkdf_md ,
-.Fn EVP_PKEY_CTX_set1_hkdf_salt ,
-.Fn EVP_PKEY_CTX_set1_hkdf_key ,
-and
-.Fn EVP_PKEY_CTX_add1_hkdf_info
-first appeared in OpenSSL 1.1.0 and
-.Fn EVP_PKEY_CTX_hkdf_mode
-in OpenSSL 1.1.1.
-These functions have been available since
-.Ox 7.2 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3
deleted file mode 100644
index 1b95bbaa98..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3
+++ /dev/null
@@ -1,171 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_CTX_set_tls1_prf_md.3,v 1.2 2024/07/10 10:22:03 tb Exp $
-.\" full merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
-.\"
-.\" This file was written by Dr Stephen Henson <steve@openssl.org>,
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 10 2024 $
-.Dt EVP_PKEY_CTX_SET_TLS1_PRF_MD 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_CTX_set_tls1_prf_md ,
-.Nm EVP_PKEY_CTX_set1_tls1_prf_secret ,
-.Nm EVP_PKEY_CTX_add1_tls1_prf_seed
-.Nd TLS PRF key derivation algorithm
-.Sh SYNOPSIS
-.In openssl/evp.h
-.In openssl/kdf.h
-.Ft int
-.Fo EVP_PKEY_CTX_set_tls1_prf_md
-.Fa "EVP_PKEY_CTX *pctx"
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set1_tls1_prf_secret
-.Fa "EVP_PKEY_CTX *pctx"
-.Fa "unsigned char *sec"
-.Fa "int seclen"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_add1_tls1_prf_seed
-.Fa "EVP_PKEY_CTX *pctx"
-.Fa "unsigned char *seed"
-.Fa "int seedlen"
-.Fc
-.Sh DESCRIPTION
-The
-.Dv EVP_PKEY_TLS1_PRF
-algorithm implements the PRF key derivation function for TLS.
-It has no associated private key and only implements key derivation using
-.Xr EVP_PKEY_derive 3 .
-.Pp
-.Fn EVP_PKEY_set_tls1_prf_md
-sets the message digest associated with the TLS PRF.
-.Xr EVP_md5_sha1 3
-is treated as a special case which uses the PRF algorithm using both
-MD5 and SHA1 as used in TLS 1.0 and 1.1.
-.Pp
-.Fn EVP_PKEY_CTX_set_tls1_prf_secret
-sets the secret value of the TLS PRF to
-.Fa seclen
-bytes of the buffer
-.Fa sec .
-Any existing secret value is replaced and any seed is reset.
-.Pp
-.Fn EVP_PKEY_CTX_add1_tls1_prf_seed
-sets the seed to
-.Fa seedlen
-bytes of
-.Fa seed .
-If a seed is already set it is appended to the existing value.
-.Sh STRING CTRLS
-The TLS PRF also supports string based control operations using
-.Xr EVP_PKEY_CTX_ctrl_str 3 .
-The
-.Fa type
-parameter "md" uses the supplied
-.Fa value
-as the name of the digest algorithm to use.
-The
-.Fa type
-parameters "secret" and "seed" use the supplied
-.Fa value
-parameter as a secret or seed value.
-The names "hexsecret" and "hexseed" are similar except they take a hex
-string which is converted to binary.
-.Sh NOTES
-All these functions are implemented as macros.
-.Pp
-A context for the TLS PRF can be obtained by calling:
-.Bd -literal
- EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
-.Ed
-.Pp
-The digest, secret value and seed must be set before a key is derived or
-an error occurs.
-.Pp
-The total length of all seeds cannot exceed 1024 bytes in length: this
-should be more than enough for any normal use of the TLS PRF.
-.Pp
-The output length of the PRF is specified by the length parameter in the
-.Xr EVP_PKEY_derive 3
-function.
-Since the output length is variable, setting the buffer to
-.Dv NULL
-is not meaningful for the TLS PRF.
-.Sh RETURN VALUES
-All these functions return 1 for success and 0 or a negative value for
-failure.
-In particular a return value of -2 indicates the operation is not
-supported by the public key algorithm.
-.Sh EXAMPLES
-This example derives 10 bytes using SHA-256 with the secret key "secret"
-and seed value "seed":
-.Bd -literal
- EVP_PKEY_CTX *pctx;
- unsigned char out[10];
- size_t outlen = sizeof(out);
-
- pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
- if (EVP_PKEY_derive_init(pctx) <= 0)
-     /* Error */
- if (EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_sha256()) <= 0)
-     /* Error */
- if (EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, "secret", 6) <= 0)
-     /* Error */
- if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, "seed", 4) <= 0)
-     /* Error */
- if (EVP_PKEY_derive(pctx, out, &outlen) <= 0)
-     /* Error */
-.Ed
-.Sh SEE ALSO
-.Xr EVP_PKEY_CTX_ctrl_str 3 ,
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_derive 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.6 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3 b/src/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3
deleted file mode 100644
index f7810789b6..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3
+++ /dev/null
@@ -1,242 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_asn1_get_count.3,v 1.10 2024/12/06 12:51:13 schwarze Exp $
-.\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2020, 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Richard Levitte <levitte@openssl.org>.
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_PKEY_ASN1_GET_COUNT 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_asn1_get_count ,
-.Nm EVP_PKEY_asn1_get0 ,
-.Nm EVP_PKEY_get0_asn1 ,
-.Nm EVP_PKEY_asn1_find ,
-.Nm EVP_PKEY_asn1_find_str ,
-.Nm EVP_PKEY_asn1_get0_info
-.Nd enumerate public key ASN.1 methods
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fn EVP_PKEY_asn1_get_count void
-.Ft const EVP_PKEY_ASN1_METHOD *
-.Fo EVP_PKEY_asn1_get0
-.Fa "int idx"
-.Fc
-.Ft const EVP_PKEY_ASN1_METHOD *
-.Fo EVP_PKEY_get0_asn1
-.Fa "const EVP_PKEY *pkey"
-.Fc
-.Ft const EVP_PKEY_ASN1_METHOD *
-.Fo EVP_PKEY_asn1_find
-.Fa "ENGINE **engine"
-.Fa "int type"
-.Fc
-.Ft const EVP_PKEY_ASN1_METHOD *
-.Fo EVP_PKEY_asn1_find_str
-.Fa "ENGINE **engine"
-.Fa "const char *str"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo EVP_PKEY_asn1_get0_info
-.Fa "int *ppkey_id"
-.Fa "int *pkey_base_id"
-.Fa "int *ppkey_flags"
-.Fa "const char **pinfo"
-.Fa "const char **ppem_str"
-.Fa "const EVP_PKEY_ASN1_METHOD *ameth"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_PKEY_asn1_get_count
-returns the number of public key ASN.1 methods available.
-.Pp
-.Fn EVP_PKEY_asn1_get0
-returns the public key ASN.1 method
-.Fa idx .
-The value of
-.Fa idx
-must be in the range from zero to
-.Fn EVP_PKEY_asn1_get_count
-\- 1.
-.Pp
-.Fn EVP_PKEY_asn1_find
-looks up the method with NID
-.Fa type ,
-which can be any of the values that
-.Xr EVP_PKEY_base_id 3
-and
-.Xr EVP_PKEY_id 3
-may return.
-If
-.Fa engine
-is not
-.Dv NULL ,
-.Pf * Fa engine
-is set to
-.Dv NULL .
-.Pp
-.Fn EVP_PKEY_asn1_find_str
-looks up the method with the PEM type string given by the first
-.Fa len
-bytes of
-.Fa str .
-If
-.Fa len
-is \-1, the
-.Xr strlen 3
-of
-.Fa str
-is used instead.
-The PEM type strings supported by default are listed in the
-.Xr EVP_PKEY_base_id 3
-manual page.
-Just like
-.Fn EVP_PKEY_asn1_find ,
-if
-.Fa engine
-is not
-.Dv NULL ,
-.Pf * Fa engine
-is set to
-.Dv NULL .
-.Pp
-.Fn EVP_PKEY_asn1_get0_info
-retrieves the public key ID as returned by
-.Xr EVP_PKEY_id 3 ,
-the base public key ID as returned by
-.Xr EVP_PKEY_base_id 3
-.Pq both NIDs ,
-any flags, and internal pointers owned by
-.Fa ameth
-pointing to its method description string and its PEM type string.
-.Pp
-The following flags bits can occur, OR'ed together in
-.Pf * Fa ppkey_flags :
-.Bl -tag -width Ds
-.It Dv ASN1_PKEY_ALIAS
-This
-.Fa ameth
-object serves as an alias for another
-.Vt EVP_PKEY_ASN1_METHOD
-object and will never be returned from
-.Fn EVP_PKEY_asn1_find
-or
-.Fn EVP_PKEY_asn1_find_str .
-.It Dv ASN1_PKEY_DYNAMIC
-This flag is unused.
-It could formerly be used to mark an
-.Fa ameth
-object as dynamically allocated.
-.It Dv ASN1_PKEY_SIGPARAM_NULL
-If the signing
-.Fa ctx
-uses an
-.Vt EVP_PKEY
-private key associated with this
-.Fa ameth ,
-instruct
-.Xr ASN1_item_sign_ctx 3
-to use a parameter type of
-.Dv V_ASN1_NULL
-instead of the default
-.Dv V_ASN1_UNDEF
-when encoding the ASN.1
-.Vt AlgorithmIdentifier
-objects with
-.Xr X509_ALGOR_set0 3 .
-In particular, this is used for
-.Dv EVP_PKEY_RSA .
-.El
-.Sh RETURN VALUES
-.Fn EVP_PKEY_asn1_get_count
-returns the number of available public key methods.
-.Pp
-.Fn EVP_PKEY_asn1_get0
-returns a public key method or
-.Dv NULL
-if
-.Fa idx
-is out of range.
-.Pp
-.Fn EVP_PKEY_get0_asn1
-returns the public key method used by
-.Fa pkey .
-.Pp
-.Fn EVP_PKEY_asn1_find
-and
-.Fn EVP_PKEY_asn1_find_str
-return a matching public key method or
-.Dv NULL
-if no match is found.
-.Pp
-.Fn EVP_PKEY_asn1_get0_info
-returns 1 on success or 0 on failure.
-.Sh SEE ALSO
-.Xr EVP_PKEY_base_id 3 ,
-.Xr EVP_PKEY_new 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.0
-and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_cmp.3 b/src/lib/libcrypto/man/EVP_PKEY_cmp.3
deleted file mode 100644
index c12843854d..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_cmp.3
+++ /dev/null
@@ -1,179 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_cmp.3,v 1.15 2024/12/06 12:51:13 schwarze Exp $
-.\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
-.\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2006, 2013, 2014, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_PKEY_CMP 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_missing_parameters ,
-.Nm EVP_PKEY_copy_parameters ,
-.Nm EVP_PKEY_cmp_parameters ,
-.Nm EVP_PKEY_cmp
-.\" .Nm EVP_PKEY_save_parameters is intentionally undocumented
-.\" because nothing uses it according to codesearch.debian.net
-.\" and it only affects X509_PUBKEY_set(3) for DSA,
-.\" resulting in incomplete output without the public key parameters.
-.Nd public key parameter and comparison functions
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_PKEY_missing_parameters
-.Fa "const EVP_PKEY *pkey"
-.Fc
-.Ft int
-.Fo EVP_PKEY_copy_parameters
-.Fa "EVP_PKEY *destination"
-.Fa "const EVP_PKEY *source"
-.Fc
-.Ft int
-.Fo EVP_PKEY_cmp_parameters
-.Fa "const EVP_PKEY *a"
-.Fa "const EVP_PKEY *b"
-.Fc
-.Ft int
-.Fo EVP_PKEY_cmp
-.Fa "const EVP_PKEY *a"
-.Fa "const EVP_PKEY *b"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_PKEY_missing_parameters
-checks whether any public key parameters are missing from
-.Fa pkey .
-.Pp
-.Fn EVP_PKEY_copy_parameters
-copies all public key parameters from the
-.Fa source
-to the
-.Fa destination .
-If the algorithm does not use parameters, no action occurs.
-.Pp
-.Fn EVP_PKEY_cmp_parameters
-compares the public key parameters of
-.Fa a
-and
-.Fa b .
-This is only supported for algorithms that use parameters.
-.Pp
-.Fn EVP_PKEY_cmp
-compares the public key components of
-.Fa a
-and
-.Fa b .
-If the algorithm uses public key parameters,
-it also compares the parameters.
-.Pp
-The main purpose of the functions
-.Fn EVP_PKEY_missing_parameters
-and
-.Fn EVP_PKEY_copy_parameters
-is to handle public keys in certificates where the parameters are
-sometimes omitted from a public key if they are inherited from the CA
-that signed it.
-.Pp
-Since OpenSSL private keys contain public key components too, the
-function
-.Fn EVP_PKEY_cmp
-can also be used to determine if a private key matches a public key.
-.Sh RETURN VALUES
-.Fn EVP_PKEY_missing_parameters
-returns 1 if the public key parameters of
-.Fa pkey
-are missing or incomplete or 0 if they are present and complete
-or if the algorithm doesn't use parameters.
-.Pp
-.Fn EVP_PKEY_copy_parameters
-returns 1 for success or 0 for failure.
-In particular, it fails if the key types mismatch or if the public
-key parameters in the
-.Fa source
-are missing or incomplete.
-.Pp
-.Fn EVP_PKEY_cmp_parameters
-and
-.Fn EVP_PKEY_cmp
-return 1 if the keys match, 0 if they don't match, -1 if the key types
-are different and -2 if the operation is not supported.
-.Sh SEE ALSO
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_keygen 3 ,
-.Xr EVP_PKEY_new 3 ,
-.Xr X509_get_pubkey_parameters 3
-.Sh HISTORY
-.Fn EVP_PKEY_missing_parameters
-and
-.Fn EVP_PKEY_copy_parameters
-first appeared in SSLeay 0.8.0.
-.Fn EVP_PKEY_cmp_parameters
-first appeared in SSLeay 0.9.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_PKEY_cmp
-first appeared in OpenSSL 0.9.8 and has been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_decrypt.3 b/src/lib/libcrypto/man/EVP_PKEY_decrypt.3
deleted file mode 100644
index c063847b10..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_decrypt.3
+++ /dev/null
@@ -1,175 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_decrypt.3,v 1.10 2024/12/06 14:27:49 schwarze Exp $
-.\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2006, 2009, 2013, 2018 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_PKEY_DECRYPT 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_decrypt_init ,
-.Nm EVP_PKEY_decrypt
-.Nd decrypt using a public key algorithm
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_PKEY_decrypt_init
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_PKEY_decrypt
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "size_t *outlen"
-.Fa "const unsigned char *in"
-.Fa "size_t inlen"
-.Fc
-.Sh DESCRIPTION
-The
-.Fn EVP_PKEY_decrypt_init
-function initializes a public key algorithm context using key
-.Fa ctx->pkey
-for a decryption operation.
-.Pp
-The
-.Fn EVP_PKEY_decrypt
-function performs a public key decryption operation using
-.Fa ctx .
-The data to be decrypted is specified using the
-.Fa in
-and
-.Fa inlen
-parameters.
-If
-.Fa out
-is
-.Dv NULL
-then the maximum size of the output buffer is written to the
-.Fa outlen
-parameter.
-If
-.Fa out
-is not
-.Dv NULL
-then before the call the
-.Fa outlen
-parameter should contain the length of the
-.Fa out
-buffer.
-If the call is successful, the decrypted data is written to
-.Fa out
-and the amount of data written to
-.Fa outlen .
-.Pp
-After the call to
-.Fn EVP_PKEY_decrypt_init ,
-algorithm specific control operations can be performed to set any
-appropriate parameters for the operation.
-.Pp
-The function
-.Fn EVP_PKEY_decrypt
-can be called more than once on the same context if several operations
-are performed using the same parameters.
-.Sh RETURN VALUES
-.Fn EVP_PKEY_decrypt_init
-and
-.Fn EVP_PKEY_decrypt
-return 1 for success and 0 or a negative value for failure.
-In particular, a return value of -2 indicates the operation is not
-supported by the public key algorithm.
-.Sh EXAMPLES
-Decrypt data using OAEP (for RSA keys):
-.Bd -literal -offset indent
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-
-EVP_PKEY_CTX *ctx;
-unsigned char *out, *in;
-size_t outlen, inlen;
-EVP_PKEY *key;
-
-/*
- * Assumes that key, in, and inlen are already set up
- * and that key is an RSA private key.
- */
-ctx = EVP_PKEY_CTX_new(key, NULL);
-if (!ctx)
-        /* Error occurred */
-if (EVP_PKEY_decrypt_init(ctx) <= 0)
-        /* Error */
-if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING) <= 0)
-        /* Error */
-
-/* Determine buffer length */
-if (EVP_PKEY_decrypt(ctx, NULL, &outlen, in, inlen) <= 0)
-        /* Error */
-
-out = malloc(outlen);
-
-if (!out)
-        /* malloc failure */
-
-if (EVP_PKEY_decrypt(ctx, out, &outlen, in, inlen) <= 0)
-        /* Error */
-
-/* Decrypted data is outlen bytes written to buffer out */
-.Ed
-.Sh SEE ALSO
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_derive 3 ,
-.Xr EVP_PKEY_encrypt 3 ,
-.Xr EVP_PKEY_sign 3 ,
-.Xr EVP_PKEY_verify 3 ,
-.Xr EVP_PKEY_verify_recover 3
-.Sh HISTORY
-.Fn EVP_PKEY_decrypt_init
-and
-.Fn EVP_PKEY_decrypt
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_derive.3 b/src/lib/libcrypto/man/EVP_PKEY_derive.3
deleted file mode 100644
index 47f467fea1..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_derive.3
+++ /dev/null
@@ -1,254 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_derive.3,v 1.12 2024/12/06 14:27:49 schwarze Exp $
-.\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2006, 2009, 2013, 2018 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_PKEY_DERIVE 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_derive_init ,
-.Nm EVP_PKEY_derive_set_peer ,
-.Nm EVP_PKEY_CTX_get0_peerkey ,
-.Nm EVP_PKEY_derive
-.Nd derive public key algorithm shared secret
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_PKEY_derive_init
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_PKEY_derive_set_peer
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "EVP_PKEY *peerkey"
-.Fc
-.Ft EVP_PKEY *
-.Fo EVP_PKEY_CTX_get0_peerkey
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_PKEY_derive
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "unsigned char *key"
-.Fa "size_t *keylen"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_PKEY_derive_init
-initializes the public key algorithm context
-.Fa ctx
-for shared secret derivation using the
-.Vt EVP_PKEY
-object already stored in
-.Fa ctx .
-The library provides built-in support for keys with an
-.Xr EVP_PKEY_base_id 3
-of
-.Dv EVP_PKEY_DH ,
-.Dv EVP_PKEY_EC ,
-.Dv EVP_PKEY_HKDF ,
-and
-.Dv EVP_PKEY_X25519 .
-.Pp
-After the call to
-.Fn EVP_PKEY_derive_init ,
-algorithm specific control operations can optionally be performed
-to set any appropriate parameters for the operation.
-.Pp
-.Fn EVP_PKEY_derive_set_peer
-configures the
-.Fa ctx ,
-which already needs to be initialized with
-.Fn EVP_PKEY_derive_init ,
-.Xr EVP_PKEY_encrypt_init 3 ,
-or
-.Xr EVP_PKEY_decrypt_init 3 ,
-to use the
-.Fa peerkey ,
-which is normally a public key.
-In case of success, the reference count of the
-.Fa peerkey
-is incremented by one.
-Consequently, the caller needs to call
-.Xr EVP_PKEY_free 3
-on the
-.Fa peerkey
-when the caller no longer needs it, even if it is still in use by
-.Fa ctx .
-.Pp
-.Fn EVP_PKEY_derive
-derives a shared secret using
-.Fa ctx .
-If
-.Fa key
-is
-.Dv NULL ,
-then the maximum size of the output buffer is written to the
-.Fa keylen
-parameter.
-If
-.Fa key
-is not
-.Dv NULL
-then before the call the
-.Fa keylen
-parameter should contain the length of the
-.Fa key
-buffer.
-If the call is successful, the shared secret is written to
-.Fa key
-and the amount of data written to
-.Fa keylen .
-.Pp
-The function
-.Fn EVP_PKEY_derive
-can be called more than once on the same context if several operations
-are performed using the same parameters.
-.Sh RETURN VALUES
-.Fn EVP_PKEY_derive_init ,
-.Fn EVP_PKEY_derive_set_peer ,
-and
-.Fn EVP_PKEY_derive
-return 1 for success and 0 or a negative value for failure.
-In particular, a return value of \-2 indicates the operation is not
-supported by the public key algorithm.
-.Pp
-For
-.Fn EVP_PKEY_derive_set_peer ,
-a return value of \-1 can for example occur if
-.Fa ctx
-is not properly initialized, does not contain an
-.Vt EVP_PKEY
-that can be retrieved with
-.Xr EVP_PKEY_CTX_get0_pkey 3 ,
-the
-.Xr EVP_PKEY_id 3
-of both keys mismatch, or
-.Xr EVP_PKEY_cmp_parameters 3
-reports mismatching key parameters.
-.Pp
-.Fn EVP_PKEY_derive
-fails with a return value of \-1 for example if
-.Fa ctx
-has not been successfully initialized with
-.Fn EVP_PKEY_derive_init .
-.Pp
-.Fn EVP_PKEY_CTX_get0_peerkey
-returns an internal pointer to the
-.Fa peerkey
-used by
-.Fa ctx
-without incrementing its reference count.
-.Sh EXAMPLES
-Derive shared secret (for example DH or EC keys):
-.Bd -literal -offset indent
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-
-EVP_PKEY_CTX *ctx;
-unsigned char *skey;
-size_t skeylen;
-EVP_PKEY *pkey, *peerkey;
-
-/* Assumes that pkey and peerkey have already been set up. */
-ctx = EVP_PKEY_CTX_new(pkey, NULL);
-if (!ctx)
-        /* Error occurred */
-if (EVP_PKEY_derive_init(ctx) <= 0)
-        /* Error */
-if (EVP_PKEY_derive_set_peer(ctx, peerkey) <= 0)
-        /* Error */
-
-/* Determine buffer length */
-if (EVP_PKEY_derive(ctx, NULL, &skeylen) <= 0)
-        /* Error */
-
-skey = malloc(skeylen);
-
-if (!skey)
-        /* malloc failure */
-
-if (EVP_PKEY_derive(ctx, skey, &skeylen) <= 0)
-        /* Error */
-
-/* Shared secret is skey bytes written to buffer skey */
-.Ed
-.Sh SEE ALSO
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_decrypt 3 ,
-.Xr EVP_PKEY_encrypt 3 ,
-.Xr EVP_PKEY_sign 3 ,
-.Xr EVP_PKEY_verify 3 ,
-.Xr EVP_PKEY_verify_recover 3 ,
-.Xr X25519 3
-.Sh HISTORY
-.Fn EVP_PKEY_derive_init ,
-.Fn EVP_PKEY_derive_set_peer ,
-.Fn EVP_PKEY_CTX_get0_peerkey ,
-and
-.Fn EVP_PKEY_derive
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_encrypt.3 b/src/lib/libcrypto/man/EVP_PKEY_encrypt.3
deleted file mode 100644
index c2e70cb31f..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_encrypt.3
+++ /dev/null
@@ -1,183 +0,0 @@
-.\"     $OpenBSD: EVP_PKEY_encrypt.3,v 1.10 2024/12/06 14:27:49 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2006, 2009, 2013, 2014, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_PKEY_ENCRYPT 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_encrypt_init ,
-.Nm EVP_PKEY_encrypt
-.Nd encrypt using a public key algorithm
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_PKEY_encrypt_init
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_PKEY_encrypt
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "size_t *outlen"
-.Fa "const unsigned char *in"
-.Fa "size_t inlen"
-.Fc
-.Sh DESCRIPTION
-The
-.Fn EVP_PKEY_encrypt_init
-function initializes a public key algorithm context using key
-.Fa ctx->pkey
-for an encryption operation.
-.Pp
-The
-.Fn EVP_PKEY_encrypt
-function performs a public key encryption operation using
-.Fa ctx .
-The data to be encrypted is specified using the
-.Fa in
-and
-.Fa inlen
-parameters.
-If
-.Fa out
-is
-.Dv NULL ,
-then the maximum size of the output buffer is written to the
-.Fa outlen
-parameter.
-If
-.Fa out
-is not
-.Dv NULL ,
-then before the call the
-.Fa outlen
-parameter should contain the length of the
-.Fa out
-buffer.
-If the call is successful, the encrypted data is written to
-.Fa out
-and the amount of data written to
-.Fa outlen .
-.Pp
-After the call to
-.Fn EVP_PKEY_encrypt_init ,
-algorithm specific control operations can be performed to set any
-appropriate parameters for the operation.
-.Pp
-The function
-.Fn EVP_PKEY_encrypt
-can be called more than once on the same context if several operations
-are performed using the same parameters.
-.Sh RETURN VALUES
-.Fn EVP_PKEY_encrypt_init
-and
-.Fn EVP_PKEY_encrypt
-return 1 for success and 0 or a negative value for failure.
-In particular, a return value of -2 indicates the operation is not
-supported by the public key algorithm.
-.Sh EXAMPLES
-Encrypt data using OAEP (for RSA keys).
-See also
-.Xr PEM_read_PUBKEY 3
-and
-.Xr d2i_X509 3
-for means to load a public key.
-You may also simply set
-.Dq eng
-to
-.Dv NULL
-to start with the default OpenSSL RSA implementation:
-.Bd -literal -offset indent
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-
-EVP_PKEY_CTX *ctx;
-unsigned char *out, *in;
-size_t outlen, inlen;
-EVP_PKEY *key;
-/* NB: assumes that key, in, inlen are already set up
- * and that key is an RSA public key
- */
-ctx = EVP_PKEY_CTX_new(key, NULL);
-if (!ctx)
-        /* Error occurred */
-if (EVP_PKEY_encrypt_init(ctx) <= 0)
-        /* Error */
-if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING) <= 0)
-        /* Error */
-
-/* Determine buffer length */
-if (EVP_PKEY_encrypt(ctx, NULL, &outlen, in, inlen) <= 0)
-        /* Error */
-
-out = malloc(outlen);
-
-if (!out)
-        /* malloc failure */
-
-if (EVP_PKEY_encrypt(ctx, out, &outlen, in, inlen) <= 0)
-        /* Error */
-
-/* Encrypted data is outlen bytes written to buffer out */
-.Ed
-.Sh SEE ALSO
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_decrypt 3 ,
-.Xr EVP_PKEY_derive 3 ,
-.Xr EVP_PKEY_sign 3 ,
-.Xr EVP_PKEY_verify 3 ,
-.Xr EVP_PKEY_verify_recover 3
-.Sh HISTORY
-.Fn EVP_PKEY_encrypt_init
-and
-.Fn EVP_PKEY_encrypt
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3 b/src/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3
deleted file mode 100644
index e9ff7c4609..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3
+++ /dev/null
@@ -1,128 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_get_default_digest_nid.3,v 1.10 2024/12/06 12:51:13 schwarze Exp $
-.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2006, 2009, 2013, 2018 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_PKEY_GET_DEFAULT_DIGEST_NID 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_get_default_digest_nid
-.Nd get default signature digest
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_PKEY_get_default_digest_nid
-.Fa "EVP_PKEY *pkey"
-.Fa "int *pnid"
-.Fc
-.Sh DESCRIPTION
-The
-.Fn EVP_PKEY_get_default_digest_nid
-function sets
-.Pf * Fa pnid
-to the default message digest NID for the public key signature
-operations associated with
-.Fa pkey .
-.Pp
-Some signature algorithms, for example
-.Dv EVP_PKEY_ED25519 ,
-do not use a digest during signing.
-In this case,
-.Pf * Fa pnid
-is set to
-.Dv NID_undef .
-.Pp
-Support for the following public key algorithms is built into the library:
-.Pp
-.Bl -column -compact EVP_PKEY_base_id(3) NID_sha256 mandatory
-.It Xr EVP_PKEY_base_id 3 Ta Pf * Fa pnid               Ta return value
-.It Dv EVP_PKEY_DSA       Ta Dv NID_sha1                Ta mandatory
-.It Dv EVP_PKEY_EC        Ta Dv NID_sha1                Ta mandatory
-.It Dv EVP_PKEY_ED25519   Ta Dv NID_undef               Ta mandatory
-.It Dv EVP_PKEY_HMAC      Ta Dv NID_sha1                Ta advisory
-.It Dv EVP_PKEY_RSA       Ta Dv NID_sha256              Ta advisory
-.El
-.Sh RETURN VALUES
-The
-.Fn EVP_PKEY_get_default_digest_nid
-function returns 1 if the message digest is advisory (that is other
-digests can be used) and 2 if it is mandatory (other digests cannot be
-used).
-It returns 0 or a negative value for failure.
-In particular, a return value of -2 indicates the operation is not
-supported by the public key algorithm.
-.Sh SEE ALSO
-.Xr EVP_PKEY_CTX_ctrl 3 ,
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_new 3 ,
-.Xr EVP_PKEY_sign 3 ,
-.Xr EVP_PKEY_verify 3 ,
-.Xr EVP_PKEY_verify_recover 3
-.Sh HISTORY
-.Fn EVP_PKEY_get_default_digest_nid
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_keygen.3 b/src/lib/libcrypto/man/EVP_PKEY_keygen.3
deleted file mode 100644
index e75859b486..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_keygen.3
+++ /dev/null
@@ -1,369 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_keygen.3,v 1.15 2024/12/06 14:27:49 schwarze Exp $
-.\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023, 2024 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2006, 2009, 2013, 2015, 2016, 2018 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_PKEY_KEYGEN 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_keygen_init ,
-.Nm EVP_PKEY_keygen ,
-.Nm EVP_PKEY_paramgen_init ,
-.Nm EVP_PKEY_paramgen ,
-.Nm EVP_PKEY_gen_cb ,
-.Nm EVP_PKEY_CTX_set_cb ,
-.Nm EVP_PKEY_CTX_get_cb ,
-.Nm EVP_PKEY_CTX_set0_keygen_info ,
-.Nm EVP_PKEY_CTX_get_keygen_info ,
-.Nm EVP_PKEY_CTX_set_app_data ,
-.Nm EVP_PKEY_CTX_get_app_data ,
-.Nm EVP_PKEY_CTX_set_data ,
-.Nm EVP_PKEY_CTX_get_data
-.Nd key and parameter generation functions
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_PKEY_keygen_init
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_PKEY_keygen
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "EVP_PKEY **ppkey"
-.Fc
-.Ft int
-.Fo EVP_PKEY_paramgen_init
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_PKEY_paramgen
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "EVP_PKEY **ppkey"
-.Fc
-.Ft typedef int
-.Fo EVP_PKEY_gen_cb
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft void
-.Fo EVP_PKEY_CTX_set_cb
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "EVP_PKEY_gen_cb *cb"
-.Fc
-.Ft EVP_PKEY_gen_cb *
-.Fo EVP_PKEY_CTX_get_cb
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft void
-.Fo EVP_PKEY_CTX_set0_keygen_info
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int *dat"
-.Fa "int datlen"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_get_keygen_info
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int idx"
-.Fc
-.Ft void
-.Fo EVP_PKEY_CTX_set_app_data
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "void *app_data"
-.Fc
-.Ft void *
-.Fo EVP_PKEY_CTX_get_app_data
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft void
-.Fo EVP_PKEY_CTX_set_data
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "void *data"
-.Fc
-.Ft void *
-.Fo EVP_PKEY_CTX_get_data
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-The
-.Fn EVP_PKEY_keygen_init
-function initializes a public key algorithm context using key
-.Fa ctx->pkey
-for a key generation operation.
-.Pp
-The
-.Fn EVP_PKEY_keygen
-function performs a key generation operation.
-The generated key is written to
-.Fa ppkey .
-.Pp
-The functions
-.Fn EVP_PKEY_paramgen_init
-and
-.Fn EVP_PKEY_paramgen
-are similar except parameters are generated.
-.Pp
-The functions
-.Fn EVP_PKEY_CTX_set_cb
-and
-.Fn EVP_PKEY_CTX_get_cb
-set and retrieve the key or parameter generation callback, respectively.
-.Pp
-The function
-.Fn EVP_PKEY_CTX_set0_keygen_info
-sets the parameters associated with the generation operation to the array
-.Fa dat
-containing
-.Ft datlen
-integer parameters.
-The caller retains ownership of the
-.Fa dat
-array; it will never be freed by the library.
-.Pp
-The function
-.Fn EVP_PKEY_CTX_get_keygen_info
-returns parameters associated with the generation operation.
-If
-.Fa idx
-is -1, the total number of parameters available is returned.
-Any non-negative value returns the value of that parameter.
-.Fn EVP_PKEY_CTX_get_keygen_info
-with a non-negative value for
-.Fa idx
-should only be called within the generation callback.
-.Pp
-If the callback returns 0, then the key generation operation is aborted
-and an error occurs.
-This might occur during a time consuming operation where a user clicks
-on a "cancel" button.
-.Pp
-The functions
-.Fn EVP_PKEY_CTX_set_app_data
-and
-.Fn EVP_PKEY_CTX_get_app_data
-set and retrieve an opaque pointer.
-This can be used to set some application defined value which can be
-retrieved in the callback: for example a handle which is used to update
-a "progress dialog".
-.Pp
-The deprecated functions
-.Fn EVP_PKEY_CTX_set_data
-and
-.Fn EVP_PKEY_CTX_get_data
-set and retrieve a
-.Em different
-opaque pointer that is ignored by the library.
-.Pp
-After the call to
-.Fn EVP_PKEY_keygen_init
-or
-.Fn EVP_PKEY_paramgen_init ,
-algorithm specific control operations can be performed to set any
-appropriate parameters for the operation.
-.Pp
-The functions
-.Fn EVP_PKEY_keygen
-and
-.Fn EVP_PKEY_paramgen
-can be called more than once on the same context if several operations
-are performed using the same parameters.
-.Pp
-The meaning of the parameters passed to the callback will depend on the
-algorithm and the specific implementation of the algorithm.
-Some might not give any useful information at all during key or
-parameter generation.
-Others might not even call the callback.
-.Pp
-The operation performed by key or parameter generation depends on the
-algorithm used.
-In some cases (e.g. EC with a supplied named curve) the "generation"
-option merely sets the appropriate fields in an
-.Vt EVP_PKEY
-structure.
-.Pp
-In OpenSSL, an
-.Vt EVP_PKEY
-structure containing a private key also contains the public key
-components and parameters (if any).
-An OpenSSL private key is equivalent to what some libraries call a "key
-pair".
-A private key can be used in functions which require the use of a public
-key or parameters.
-.Sh RETURN VALUES
-.Fn EVP_PKEY_keygen_init ,
-.Fn EVP_PKEY_paramgen_init ,
-.Fn EVP_PKEY_keygen ,
-and
-.Fn EVP_PKEY_paramgen
-return 1 for success and 0 or a negative value for failure.
-In particular, a return value of -2 indicates the operation is not
-supported by the public key algorithm.
-.Pp
-Callback functions of the type
-.Fn EVP_PKEY_gen_cb
-are supposed to return 1 on success or 0 on error.
-.Pp
-.Fn EVP_PKEY_CTX_get_cb
-returns a function pointer to the currently installed callback function or
-.Dv NULL
-if no callback function is installed.
-.Pp
-.Fn EVP_PKEY_CTX_get_keygen_info
-returns the number of available parameters if
-.Fa idx
-is \-1, one of these parameters if
-.Fa idx
-is greater than or equal to zero but less than the number
-of available parameters, or 0 otherwise.
-.Pp
-.Fn EVP_PKEY_CTX_get_app_data
-and
-.Fn EVP_PKEY_CTX_get_data
-return the pointer that was last passed to the corresponding set function, or
-.Dv NULL
-if the corresponding set function was never called on
-.Fa ctx .
-.Sh EXAMPLES
-Generate a 2048-bit RSA key:
-.Bd -literal -offset indent
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-
-EVP_PKEY_CTX *ctx;
-EVP_PKEY *pkey = NULL;
-
-ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
-if (!ctx)
-        /* Error occurred */
-if (EVP_PKEY_keygen_init(ctx) <= 0)
-        /* Error */
-if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0)
-        /* Error */
-
-/* Generate key */
-if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
-        /* Error */
-.Ed
-.Pp
-Generate a key from a set of parameters:
-.Bd -literal -offset indent
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-
-EVP_PKEY_CTX *ctx;
-EVP_PKEY *pkey = NULL, *param;
-
-/* Assumes that param is already set up. */
-ctx = EVP_PKEY_CTX_new(param, NULL);
-if (!ctx)
-        /* Error occurred */
-if (EVP_PKEY_keygen_init(ctx) <= 0)
-        /* Error */
-
-/* Generate key */
-if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
-        /* Error */
-.Ed
-.Pp
-Example of generation callback for OpenSSL public key implementations:
-.Bd -literal -offset indent
-/* Application data is a BIO to output status to */
-
-EVP_PKEY_CTX_set_app_data(ctx, status_bio);
-
-static int
-genpkey_cb(EVP_PKEY_CTX *ctx)
-{
-        char c = '*';
-        BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
-        int p;
-
-        p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
-        if (p == 0)
-                c = '.';
-        if (p == 1)
-                c = '+';
-        if (p == 2)
-                c = '*';
-        if (p == 3)
-                c = '\en';
-        BIO_write(b, &c, 1);
-        (void)BIO_flush(b);
-        return 1;
-}
-.Ed
-.Sh SEE ALSO
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_decrypt 3 ,
-.Xr EVP_PKEY_derive 3 ,
-.Xr EVP_PKEY_encrypt 3 ,
-.Xr EVP_PKEY_sign 3 ,
-.Xr EVP_PKEY_verify 3 ,
-.Xr EVP_PKEY_verify_recover 3 ,
-.Xr X25519 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.0
-and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_new.3 b/src/lib/libcrypto/man/EVP_PKEY_new.3
deleted file mode 100644
index 3b1ef029c3..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_new.3
+++ /dev/null
@@ -1,347 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_new.3,v 1.26 2024/12/10 15:10:26 schwarze Exp $
-.\" full merge up to: OpenSSL 4dcfdfce May 27 11:50:05 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2022, 2024 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" and Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2002, 2018, 2020 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 10 2024 $
-.Dt EVP_PKEY_NEW 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_new ,
-.Nm EVP_PKEY_up_ref ,
-.Nm EVP_PKEY_free ,
-.Nm EVP_PKEY_new_raw_private_key ,
-.Nm EVP_PKEY_new_raw_public_key ,
-.Nm EVP_PKEY_new_mac_key ,
-.Nm EVP_PKEY_get_raw_private_key ,
-.Nm EVP_PKEY_get_raw_public_key
-.Nd public and private key allocation and raw key handling functions
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft EVP_PKEY *
-.Fn EVP_PKEY_new void
-.Ft int
-.Fo EVP_PKEY_up_ref
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft void
-.Fo EVP_PKEY_free
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft EVP_PKEY *
-.Fo EVP_PKEY_new_raw_private_key
-.Fa "int type"
-.Fa "ENGINE *engine"
-.Fa "const unsigned char *rawpriv"
-.Fa "size_t rawlen"
-.Fc
-.Ft EVP_PKEY *
-.Fo EVP_PKEY_new_raw_public_key
-.Fa "int type"
-.Fa "ENGINE *engine"
-.Fa "const unsigned char *rawpub"
-.Fa "size_t rawlen"
-.Fc
-.Ft EVP_PKEY *
-.Fo EVP_PKEY_new_mac_key
-.Fa "int type"
-.Fa "ENGINE *engine"
-.Fa "const unsigned char *rawpriv"
-.Fa "int rawlen"
-.Fc
-.Ft int
-.Fo EVP_PKEY_get_raw_private_key
-.Fa "const EVP_PKEY *pkey"
-.Fa "unsigned char *rawpriv"
-.Fa "size_t *rawlen"
-.Fc
-.Ft int
-.Fo EVP_PKEY_get_raw_public_key
-.Fa "const EVP_PKEY *pkey"
-.Fa "unsigned char *rawpub"
-.Fa "size_t *rawlen"
-.Fc
-.Sh DESCRIPTION
-The
-.Vt EVP_PKEY
-structure is used by various OpenSSL functions which require a general
-private or public key without reference to any particular algorithm.
-.Pp
-The
-.Fn EVP_PKEY_new
-function allocates an empty
-.Vt EVP_PKEY
-structure.
-The reference count is set to 1.
-To add a private or public key to it, use the functions described in
-.Xr EVP_PKEY_set1_RSA 3 .
-.Pp
-.Fn EVP_PKEY_up_ref
-increments the reference count of
-.Fa pkey
-by 1.
-.Pp
-.Fn EVP_PKEY_free
-decrements the reference count of
-.Fa pkey
-by 1, and if the reference count reaches zero, frees it up.
-If
-.Fa pkey
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn EVP_PKEY_new_raw_private_key
-allocates a new
-.Vt EVP_PKEY .
-The NID of a public key algorithm that supports raw private keys, i.e.\&
-.Dv EVP_PKEY_HMAC ,
-.Dv EVP_PKEY_X25519 ,
-or
-.Dv EVP_PKEY_ED25519 ,
-is provided in the
-.Fa type
-argument and
-.Fa rawlen
-bytes of raw private key data of that type in
-.Fa rawpriv .
-The public key data is automatically derived from the given private
-key data, if appropriate for the algorithm type.
-The
-.Fa ENGINE *engine
-argument is always ignored and passing
-.Dv NULL
-is recommended.
-.Pp
-.Fn EVP_PKEY_new_raw_public_key
-works in the same way as
-.Fn EVP_PKEY_new_raw_private_key
-except that
-.Fa rawpub
-points to the raw public key data.
-The
-.Vt EVP_PKEY
-structure is initialised without any private key information.
-Algorithm types that support raw public keys are
-.Dv EVP_PKEY_X25519
-and
-.Dv EVP_PKEY_ED25519 .
-.Pp
-.Fn EVP_PKEY_new_mac_key
-is a deprecated function that achieves the same effect as
-.Fn EVP_PKEY_new_raw_private_key
-in a more complicated way and only works with a
-.Fa type
-of
-.Dv EVP_PKEY_HMAC .
-.Pp
-.Fn EVP_PKEY_get_raw_private_key
-writes up to
-.Pf * Fa rawlen
-bytes of raw private key data to the buffer starting at
-.Fa rawpriv
-and stores the number of bytes written in
-.Pf * Fa rawlen .
-The calling application is responsible for ensuring that the buffer
-is large enough to receive the private key data.
-If the
-.Fa rawpriv
-argument is
-.Dv NULL ,
-the number of bytes required to hold the key is stored in
-.Pf * Fa rawlen .
-This function only works for algorithms that support raw private keys.
-Currently these are
-.Dv EVP_PKEY_HMAC ,
-.Dv EVP_PKEY_X25519 ,
-and
-.Dv EVP_PKEY_ED25519 .
-.Pp
-.Fn EVP_PKEY_get_raw_public_key
-is similar to
-.Fn EVP_PKEY_get_raw_private_key
-except that it writes raw public key data.
-This function only works for algorithms that support raw public keys.
-Currently these are
-.Dv EVP_PKEY_X25519
-and
-.Dv EVP_PKEY_ED25519 .
-.Sh RETURN VALUES
-.Fn EVP_PKEY_new ,
-.Fn EVP_PKEY_new_raw_private_key ,
-.Fn EVP_PKEY_new_raw_public_key ,
-and
-.Fn EVP_PKEY_new_mac_key
-return either the newly allocated
-.Vt EVP_PKEY
-structure or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn EVP_PKEY_up_ref ,
-.Fn EVP_PKEY_get_raw_private_key ,
-and
-.Fn EVP_PKEY_get_raw_public_key
-return 1 for success or 0 for failure.
-.Sh EXAMPLES
-The following code digests a message with HMAC-SHA256:
-.Bd -literal -offset indent
-/* Bogus key: would normally be set from another source */
-const unsigned char *key = "key";
-const size_t key_len = strlen(key);
-
-const char *msg = "The quick brown fox jumps over the lazy dog";
-const size_t msg_len = strlen(msg);
-
-unsigned char *out_mac;
-size_t out_len, i;
-
-EVP_PKEY *pkey;
-EVP_MD_CTX *md_ctx;
-
-pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
-    key, key_len);
-if (pkey == NULL)
-        err(1, "EVP_PKEY_new_raw_private_key");
-
-md_ctx = EVP_MD_CTX_new();
-if (md_ctx == NULL)
-        err(1, "EVP_MD_CTX_new");
-
-if (EVP_DigestSignInit(md_ctx, NULL, EVP_sha256(), NULL, pkey) == 0)
-        err(1, "EVP_DigestSignInit");
-if (EVP_DigestSign(md_ctx, NULL, &out_len, msg, msg_len) == 0)
-        err(1, "EVP_DigestSign(NULL)");
-if ((out_mac = calloc(1, out_len)) == NULL)
-        err(1, "calloc");
-if (EVP_DigestSign(md_ctx, out_mac, &out_len, msg, msg_len) == 0)
-        err(1, "EVP_DigestSign(MAC)");
-
-EVP_MD_CTX_free(md_ctx);
-EVP_PKEY_free(pkey);
-
-printf(" MAC = ");
-for (i = 0; i < out_len; i++)
-        printf("%02x", out_mac[i]);
-printf("\en");
-free(out_mac);
-.Ed
-.Pp
-Even though the type name
-.Vt EVP_PKEY
-was originally intended to stand for
-.Dq private key
-and the
-.Xr EVP_DigestSignInit 3
-API was designed for digital signatures in the context of public key
-cryptography, both are also used here because a MAC also requires a key,
-even though that is a symmetric key.
-.Pp
-The same code can be used for signing with Ed25519 by making the key
-.Dv ED25519_PRIVATE_KEY_LENGTH No = 32
-bytes long, replacing
-.Dv EVP_PKEY_HMAC
-with
-.Dv EVP_PKEY_ED25519 ,
-and replacing the call to
-.Xr EVP_sha256 3
-with
-.Dv NULL .
-.Sh SEE ALSO
-.Xr CMAC_Init 3 ,
-.Xr d2i_PrivateKey 3 ,
-.Xr evp 3 ,
-.Xr EVP_PKCS82PKEY 3 ,
-.Xr EVP_PKEY_cmp 3 ,
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_get_default_digest_nid 3 ,
-.Xr EVP_PKEY_new_CMAC_key 3 ,
-.Xr EVP_PKEY_print_private 3 ,
-.Xr EVP_PKEY_set1_RSA 3 ,
-.Xr EVP_PKEY_size 3 ,
-.Xr X509_get_pubkey_parameters 3
-.Sh HISTORY
-.Fn EVP_PKEY_new
-and
-.Fn EVP_PKEY_free
-first appeared in SSLeay 0.6.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_PKEY_new_mac_key
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
-.Pp
-.Fn EVP_PKEY_up_ref
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
-.Pp
-.Fn EVP_PKEY_new_raw_private_key ,
-.Fn EVP_PKEY_new_raw_public_key ,
-.Fn EVP_PKEY_get_raw_private_key ,
-and
-.Fn EVP_PKEY_get_raw_public_key
-first appeared in OpenSSL 1.1.1 and have been available since
-.Ox 7.3 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_new_CMAC_key.3 b/src/lib/libcrypto/man/EVP_PKEY_new_CMAC_key.3
deleted file mode 100644
index d09af3a012..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_new_CMAC_key.3
+++ /dev/null
@@ -1,159 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_new_CMAC_key.3,v 1.1 2024/11/12 20:00:36 schwarze Exp $
-.\"
-.\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 12 2024 $
-.Dt EVP_PKEY_NEW_CMAC_KEY 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_new_CMAC_key
-.Nd CMAC in the EVP framework
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft EVP_PKEY *
-.Fo EVP_PKEY_new_CMAC_key
-.Fa "ENGINE *engine"
-.Fa "const unsigned char *key"
-.Fa "size_t key_len"
-.Fa "const EVP_CIPHER *cipher"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_PKEY_new_CMAC_key
-allocates a new
-.Vt EVP_PKEY
-object, sets its type to
-.Dv EVP_PKEY_CMAC ,
-and configures it as a wrapper around the low-level functions documented in
-.Xr CMAC_Init 3
-using the block
-.Fa cipher
-with the symmetric
-.Fa key
-that is
-.Fa key_len
-bytes long.
-.Pp
-Functions to obtain suitable
-.Vt EVP_CIPHER
-objects are listed in the CIPHER LISTING section of the
-.Xr EVP_EncryptInit 3
-manual page.
-Always use an object that implements the CBC mode of operation.
-As in
-.Xr CMAC_Init 3 ,
-only ciphers with a block size of either 64 or 128 bits
-are supported by this implementation.
-.Pp
-The
-.Fa engine
-argument is ignored; passing
-.Dv NULL
-is recommended.
-.Sh RETURN VALUES
-.Fn EVP_PKEY_new_CMAC_key
-returns the newly allocated
-.Vt EVP_PKEY
-structure or
-.Dv NULL
-if an error occurred.
-.Sh EXAMPLES
-The following code digests a message with AES-CMAC
-using the key length of 128 bits specified in RFC 4493.
-.Bd -literal -offset indent
-/* Bogus key: would normally be set from another source. */
-const unsigned char key[] = "symmetric secret";
-const size_t key_len = strlen(key);  /* 16 = 128/8 */
-
-const char *msg = "Hello World!";
-const size_t msg_len = strlen(msg);
-
-unsigned char out_mac[16];
-size_t out_len = sizeof(out_mac);
-size_t i;
-
-EVP_PKEY *pkey;
-EVP_MD_CTX *md_ctx;
-
-pkey = EVP_PKEY_new_CMAC_key(NULL, key, key_len, EVP_aes_128_cbc());
-if (pkey == NULL)
-        err(1, "EVP_PKEY_new_CMAC_key");
-md_ctx = EVP_MD_CTX_new();
-if (md_ctx == NULL)
-        err(1, "EVP_MD_CTX_new");
-
-if (EVP_DigestSignInit(md_ctx, NULL, NULL, NULL, pkey) == 0)
-        err(1, "EVP_DigestSignInit");
-if (EVP_DigestSign(md_ctx, out_mac, &out_len, msg, msg_len) == 0)
-        err(1, "EVP_DigestSign");
-EVP_MD_CTX_free(md_ctx);
-EVP_PKEY_free(pkey);
-
-printf(" MAC = ");
-for (i = 0; i < out_len; i++)
-        printf("%02x:", out_mac[i]);
-printf("\en");
-.Ed
-.Pp
-Consider the following details:
-.Bl -bullet -width 1n
-.It
-Even though the type name
-.Vt EVP_PKEY
-was originally intended to stand for
-.Dq private key
-and the
-.Xr EVP_DigestSignInit 3
-API was designed for digital signatures in the context
-of public key cryptography, both are also used here because a MAC
-also requires a key, even though that is a symmetric key.
-.It
-In contrast to digital signing which requires both a digest algorithm
-and a private key, the CMAC algorithm only requires a block cipher
-and a shared key, both of which are stored in the somewhat abused
-.Vt EVP_PKEY
-object.
-Consequently, the
-.Vt "EVP_MD *type"
-argument of
-.Xr EVP_DigestSignInit 3
-has to be set to
-.Dv NULL .
-.It
-The size of the resulting message digest equals the block size
-of the used cipher.
-.It
-The function
-.Xr EVP_DigestSignInit 3
-does not transfer ownership of the
-.Fa pkey
-object to
-.Ft md_ctx
-but merely increments the reference count.
-Consequently, the caller is responsible for freeing the
-.Vt EVP_PKEY
-object when it is no longer needed.
-.El
-.Sh SEE ALSO
-.Xr CMAC_Init 3 ,
-.Xr evp 3 ,
-.Xr EVP_DigestSignInit 3 ,
-.Xr EVP_EncryptInit 3 ,
-.Xr EVP_PKEY_new 3
-.Sh STANDARDS
-RFC 4493: The AES-CMAC Algorithm
-.Sh HISTORY
-.Fn EVP_PKEY_new_CMAC_key
-first appeared in OpenSSL 1.1.1 and has been available since
-.Ox 6.9 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_print_private.3 b/src/lib/libcrypto/man/EVP_PKEY_print_private.3
deleted file mode 100644
index a4b51a4bbb..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_print_private.3
+++ /dev/null
@@ -1,129 +0,0 @@
-.\"     $OpenBSD: EVP_PKEY_print_private.3,v 1.8 2024/12/06 12:51:13 schwarze Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2006, 2009 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_PKEY_PRINT_PRIVATE 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_print_public ,
-.Nm EVP_PKEY_print_private ,
-.Nm EVP_PKEY_print_params
-.Nd public key algorithm printing routines
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_PKEY_print_public
-.Fa "BIO *out"
-.Fa "const EVP_PKEY *pkey"
-.Fa "int indent"
-.Fa "ASN1_PCTX *pctx"
-.Fc
-.Ft int
-.Fo EVP_PKEY_print_private
-.Fa "BIO *out"
-.Fa "const EVP_PKEY *pkey"
-.Fa "int indent"
-.Fa "ASN1_PCTX *pctx"
-.Fc
-.Ft int
-.Fo EVP_PKEY_print_params
-.Fa "BIO *out"
-.Fa "const EVP_PKEY *pkey"
-.Fa "int indent"
-.Fa "ASN1_PCTX *pctx"
-.Fc
-.Sh DESCRIPTION
-The functions
-.Fn EVP_PKEY_print_public ,
-.Fn EVP_PKEY_print_private ,
-and
-.Fn EVP_PKEY_print_params
-print out the public, private or parameter components of key
-.Fa pkey ,
-respectively.
-The key is sent to
-.Vt BIO
-.Fa out
-in human readable form.
-The parameter
-.Fa indent
-indicates how far the printout should be indented.
-.Pp
-The
-.Fa pctx
-parameter allows the print output to be finely tuned by using ASN.1
-printing options.
-If
-.Fa pctx
-is set to
-.Dv NULL ,
-then default values will be used.
-Currently, no public key algorithms include any options in the
-.Fa pctx
-parameter.
-.Pp
-If the key does not include all the components indicated by the function,
-then only those contained in the key will be printed.
-For example, passing a public key to
-.Fn EVP_PKEY_print_private
-will only print the public components.
-.Sh RETURN VALUES
-These functions all return 1 for success and 0 or a negative value for
-failure.
-In particular, a return value of -2 indicates the operation is not
-supported by the public key algorithm.
-.Sh SEE ALSO
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_keygen 3 ,
-.Xr EVP_PKEY_new 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.0
-and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 b/src/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
deleted file mode 100644
index 39404f5286..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
+++ /dev/null
@@ -1,498 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_set1_RSA.3,v 1.24 2024/12/09 11:25:25 schwarze Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2019, 2020, 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2015, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 9 2024 $
-.Dt EVP_PKEY_SET1_RSA 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_set1_RSA ,
-.Nm EVP_PKEY_set1_DSA ,
-.Nm EVP_PKEY_set1_DH ,
-.Nm EVP_PKEY_set1_EC_KEY ,
-.Nm EVP_PKEY_get1_RSA ,
-.Nm EVP_PKEY_get1_DSA ,
-.Nm EVP_PKEY_get1_DH ,
-.Nm EVP_PKEY_get1_EC_KEY ,
-.Nm EVP_PKEY_get0_RSA ,
-.Nm EVP_PKEY_get0_DSA ,
-.Nm EVP_PKEY_get0_DH ,
-.Nm EVP_PKEY_get0_EC_KEY ,
-.Nm EVP_PKEY_get0_hmac ,
-.Nm EVP_PKEY_get0 ,
-.Nm EVP_PKEY_assign_RSA ,
-.Nm EVP_PKEY_assign_DSA ,
-.Nm EVP_PKEY_assign_DH ,
-.Nm EVP_PKEY_assign_EC_KEY ,
-.Nm EVP_PKEY_assign ,
-.Nm EVP_PKEY_base_id ,
-.Nm EVP_PKEY_id ,
-.Nm EVP_PKEY_type ,
-.Nm EVP_PKEY_set_type ,
-.Nm EVP_PKEY_set_type_str
-.\" The function X509_certificate_type(3) is intentionally undocumented
-.\" and scheduled for deletion from the library.  BoringSSL already
-.\" deleted it and OpenSSL deprecates it in version 3.0.
-.\" The following constants are also intentionally undocumented
-.\" because they are only used by that function:
-.\" EVP_PK_DH EVP_PK_DSA EVP_PK_EC EVP_PK_RSA
-.\" EVP_PKS_DSA EVP_PKS_EC EVP_PKS_RSA
-.\" EVP_PKT_ENC EVP_PKT_EXCH EVP_PKT_EXP EVP_PKT_SIGN
-.Nd EVP_PKEY assignment functions
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_PKEY_set1_RSA
-.Fa "EVP_PKEY *pkey"
-.Fa "RSA *key"
-.Fc
-.Ft int
-.Fo EVP_PKEY_set1_DSA
-.Fa "EVP_PKEY *pkey"
-.Fa "DSA *key"
-.Fc
-.Ft int
-.Fo EVP_PKEY_set1_DH
-.Fa "EVP_PKEY *pkey"
-.Fa "DH *key"
-.Fc
-.Ft int
-.Fo EVP_PKEY_set1_EC_KEY
-.Fa "EVP_PKEY *pkey"
-.Fa "EC_KEY *key"
-.Fc
-.Ft RSA *
-.Fo EVP_PKEY_get1_RSA
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft DSA *
-.Fo EVP_PKEY_get1_DSA
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft DH *
-.Fo EVP_PKEY_get1_DH
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft EC_KEY *
-.Fo EVP_PKEY_get1_EC_KEY
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft RSA *
-.Fo EVP_PKEY_get0_RSA
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft DSA *
-.Fo EVP_PKEY_get0_DSA
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft DH *
-.Fo EVP_PKEY_get0_DH
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft EC_KEY *
-.Fo EVP_PKEY_get0_EC_KEY
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft const unsigned char *
-.Fo EVP_PKEY_get0_hmac
-.Fa "const EVP_PKEY *pkey"
-.Fa "size_t *len"
-.Fc
-.Ft void *
-.Fo EVP_PKEY_get0
-.Fa "const EVP_PKEY *pkey"
-.Fc
-.Ft int
-.Fo EVP_PKEY_assign_RSA
-.Fa "EVP_PKEY *pkey"
-.Fa "RSA *key"
-.Fc
-.Ft int
-.Fo EVP_PKEY_assign_DSA
-.Fa "EVP_PKEY *pkey"
-.Fa "DSA *key"
-.Fc
-.Ft int
-.Fo EVP_PKEY_assign_DH
-.Fa "EVP_PKEY *pkey"
-.Fa "DH *key"
-.Fc
-.Ft int
-.Fo EVP_PKEY_assign_EC_KEY
-.Fa "EVP_PKEY *pkey"
-.Fa "EC_KEY *key"
-.Fc
-.Ft int
-.Fo EVP_PKEY_assign
-.Fa "EVP_PKEY *pkey"
-.Fa "int type"
-.Fa "void *key"
-.Fc
-.Ft int
-.Fo EVP_PKEY_base_id
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft int
-.Fo EVP_PKEY_id
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft int
-.Fo EVP_PKEY_type
-.Fa "int type"
-.Fc
-.Ft int
-.Fo EVP_PKEY_set_type
-.Fa "EVP_PKEY *pkey"
-.Fa "int type"
-.Fc
-.Ft int
-.Fo EVP_PKEY_set_type_str
-.Fa "EVP_PKEY *pkey"
-.Fa "const char *str"
-.Fa "int len"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_PKEY_set1_RSA ,
-.Fn EVP_PKEY_set1_DSA ,
-.Fn EVP_PKEY_set1_DH ,
-and
-.Fn EVP_PKEY_set1_EC_KEY
-set the key referenced by
-.Fa pkey
-to
-.Fa key
-and increment the reference count of
-.Fa key
-by 1 in case of success.
-.Pp
-.Fn EVP_PKEY_get1_RSA ,
-.Fn EVP_PKEY_get1_DSA ,
-.Fn EVP_PKEY_get1_DH ,
-and
-.Fn EVP_PKEY_get1_EC_KEY
-return the key referenced in
-.Fa pkey ,
-incrementing its reference count by 1, or
-.Dv NULL
-if the key is not of the correct type.
-.Pp
-.Fn EVP_PKEY_get0_RSA ,
-.Fn EVP_PKEY_get0_DSA ,
-.Fn EVP_PKEY_get0_DH ,
-.Fn EVP_PKEY_get0_EC_KEY ,
-and
-.Fn EVP_PKEY_get0
-are identical except that they do not increment the reference count.
-Consequently, the returned key must not be freed by the caller.
-.Pp
-.Fn EVP_PKEY_get0_hmac
-returns an internal pointer to the key referenced in
-.Fa pkey
-and sets
-.Pf * Fa len
-to its length in bytes.
-The returned pointer must not be freed by the caller.
-If
-.Fa pkey
-is not of the correct type,
-.Dv NULL
-is returned and the content of
-.Pf * Fa len
-becomes unspecified.
-.Pp
-.Fn EVP_PKEY_assign_RSA ,
-.Fn EVP_PKEY_assign_DSA ,
-.Fn EVP_PKEY_assign_DH ,
-.Fn EVP_PKEY_assign_EC_KEY ,
-and
-.Fn EVP_PKEY_assign
-also set the referenced key to
-.Fa key ;
-however these use the supplied
-.Fa key
-internally without incrementing its reference count, such that
-.Fa key
-will be freed when the parent
-.Fa pkey
-is freed.
-If the
-.Fa key
-is of the wrong type, these functions report success even though
-.Fa pkey
-ends up in a corrupted state.
-Even the functions explicitly containing the type in their name are
-.Em not
-type safe because they are implemented as macros.
-The following types are supported:
-.Dv EVP_PKEY_RSA ,
-.Dv EVP_PKEY_DSA ,
-.Dv EVP_PKEY_DH ,
-and
-.Dv EVP_PKEY_EC .
-.Pp
-.Fn EVP_PKEY_base_id
-returns the type of
-.Fa pkey
-according to the following table:
-.Pp
-.Bl -column -compact -offset 2n EVP_PKEY_RSA_PSS NID_X9_62_id_ecPublicKey
-.It Sy return value      Ta                               Ta Sy PEM type string
-.It Dv EVP_PKEY_CMAC     Ta = Dv NID_cmac                 Ta CMAC
-.It Dv EVP_PKEY_DH       Ta = Dv NID_dhKeyAgreement       Ta DH
-.It Dv EVP_PKEY_DSA      Ta = Dv NID_dsa                  Ta DSA
-.It Dv EVP_PKEY_EC       Ta = Dv NID_X9_62_id_ecPublicKey Ta EC
-.It Dv EVP_PKEY_HMAC     Ta = Dv NID_hmac                 Ta HMAC
-.It Dv EVP_PKEY_RSA      Ta = Dv NID_rsaEncryption        Ta RSA
-.It Dv EVP_PKEY_RSA_PSS  Ta = Dv NID_rsassaPss            Ta RSA-PSS
-.El
-.Pp
-.Fn EVP_PKEY_id
-returns the actual OID associated with
-.Fa pkey .
-Historically keys using the same algorithm could use different OIDs.
-The following deprecated aliases are still supported:
-.Pp
-.Bl -column -compact -offset 2n EVP_PKEY_DSA4 NID_dsaWithSHA1_2
-.It Sy return value         Ta                                  Ta Sy alias for
-.It Dv EVP_PKEY_DSA1        Ta = Dv NID_dsa_2                     Ta DSA
-.It Dv EVP_PKEY_DSA2        Ta = Dv NID_dsaWithSHA                Ta DSA
-.It Dv EVP_PKEY_DSA3        Ta = Dv NID_dsaWithSHA1               Ta DSA
-.It Dv EVP_PKEY_DSA4        Ta = Dv NID_dsaWithSHA1_2             Ta DSA
-.It Dv EVP_PKEY_RSA2        Ta = Dv NID_rsa                       Ta RSA
-.El
-.Pp
-Most applications wishing to know a key type will simply call
-.Fn EVP_PKEY_base_id
-and will not care about the actual type,
-which will be identical in almost all cases.
-.Pp
-.Fn EVP_PKEY_type
-returns the underlying type of the NID
-.Fa type .
-For example,
-.Fn EVP_PKEY_type EVP_PKEY_RSA2
-will return
-.Dv EVP_PKEY_RSA .
-.Pp
-.Fn EVP_PKEY_set_type
-frees the key referenced in
-.Fa pkey ,
-if any, and sets the key type of
-.Fa pkey
-to
-.Fa type
-without referencing a new key from
-.Fa pkey
-yet.
-For
-.Fa type ,
-any of the possible return values of
-.Fn EVP_PKEY_base_id
-and
-.Fn EVP_PKEY_id
-can be passed.
-.Pp
-.Fn EVP_PKEY_set_type_str
-frees the key referenced in
-.Fa pkey ,
-if any, and sets the key type of
-.Fa pkey
-according to the PEM type string given by the first
-.Fa len
-bytes of
-.Fa str .
-If
-.Fa len
-is \-1, the
-.Xr strlen 3
-of
-.Fa str
-is used instead.
-The PEM type strings supported by default are listed in the table above.
-This function does not reference a new key from
-.Fa pkey .
-.Pp
-If
-.Fa pkey
-is a
-.Dv NULL
-pointer,
-.Fn EVP_PKEY_set_type
-and
-.Fn EVP_PKEY_set_type_str
-check that a matching key type exists but do not change any object.
-.Pp
-In accordance with the OpenSSL naming convention, the key obtained from
-or assigned to
-.Fa pkey
-using the
-.Sy 1
-functions must be freed as well as
-.Fa pkey .
-.Sh RETURN VALUES
-.Fn EVP_PKEY_set1_RSA ,
-.Fn EVP_PKEY_set1_DSA ,
-.Fn EVP_PKEY_set1_DH ,
-.Fn EVP_PKEY_set1_EC_KEY ,
-.Fn EVP_PKEY_assign_RSA ,
-.Fn EVP_PKEY_assign_DSA ,
-.Fn EVP_PKEY_assign_DH ,
-.Fn EVP_PKEY_assign_EC_KEY ,
-.Fn EVP_PKEY_assign ,
-.Fn EVP_PKEY_set_type ,
-and
-.Fn EVP_PKEY_set_type_str
-return 1 for success or 0 for failure.
-.Pp
-.Fn EVP_PKEY_get1_RSA ,
-.Fn EVP_PKEY_get1_DSA ,
-.Fn EVP_PKEY_get1_DH ,
-.Fn EVP_PKEY_get1_EC_KEY ,
-.Fn EVP_PKEY_get0_RSA ,
-.Fn EVP_PKEY_get0_DSA ,
-.Fn EVP_PKEY_get0_DH ,
-.Fn EVP_PKEY_get0_EC_KEY ,
-.Fn EVP_PKEY_get0_hmac ,
-and
-.Fn EVP_PKEY_get0
-return the referenced key or
-.Dv NULL
-if an error occurred.
-For
-.Fn EVP_PKEY_get0 ,
-the return value points to an
-.Vt RSA ,
-.Vt DSA ,
-.Vt DH ,
-.Vt EC_KEY ,
-or
-.Vt ASN1_OCTET_STRING
-object depending on the type of
-.Fa pkey .
-.Pp
-.Fn EVP_PKEY_base_id ,
-.Fn EVP_PKEY_id ,
-and
-.Fn EVP_PKEY_type
-return a key type or
-.Dv NID_undef
-(equivalently
-.Dv EVP_PKEY_NONE )
-on error.
-.Sh SEE ALSO
-.Xr DH_new 3 ,
-.Xr DSA_new 3 ,
-.Xr EC_KEY_new 3 ,
-.Xr EVP_PKEY_get0_asn1 3 ,
-.Xr EVP_PKEY_new 3 ,
-.Xr RSA_new 3
-.Sh HISTORY
-.Fn EVP_PKEY_assign_RSA ,
-.Fn EVP_PKEY_assign_DSA ,
-.Fn EVP_PKEY_assign_DH ,
-.Fn EVP_PKEY_assign ,
-and
-.Fn EVP_PKEY_type
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_PKEY_set1_RSA ,
-.Fn EVP_PKEY_set1_DSA ,
-.Fn EVP_PKEY_set1_DH ,
-.Fn EVP_PKEY_get1_RSA ,
-.Fn EVP_PKEY_get1_DSA ,
-and
-.Fn EVP_PKEY_get1_DH
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-.Fn EVP_PKEY_set1_EC_KEY ,
-.Fn EVP_PKEY_get1_EC_KEY ,
-and
-.Fn EVP_PKEY_assign_EC_KEY
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
-.Fn EVP_PKEY_get0 ,
-.Fn EVP_PKEY_base_id ,
-.Fn EVP_PKEY_id ,
-.Fn EVP_PKEY_set_type ,
-and
-.Fn EVP_PKEY_set_type_str
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
-.Pp
-.Fn EVP_PKEY_get0_RSA ,
-.Fn EVP_PKEY_get0_DSA ,
-.Fn EVP_PKEY_get0_DH ,
-and
-.Fn EVP_PKEY_get0_EC_KEY
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.3 .
-.Pp
-.Fn EVP_PKEY_get0_hmac
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.5 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_sign.3 b/src/lib/libcrypto/man/EVP_PKEY_sign.3
deleted file mode 100644
index d73b0abb7b..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_sign.3
+++ /dev/null
@@ -1,190 +0,0 @@
-.\"     $OpenBSD: EVP_PKEY_sign.3,v 1.9 2024/12/06 14:27:49 schwarze Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2006, 2009, 2013, 2014 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_PKEY_SIGN 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_sign_init ,
-.Nm EVP_PKEY_sign
-.Nd sign using a public key algorithm
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_PKEY_sign_init
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_PKEY_sign
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "unsigned char *sig"
-.Fa "size_t *siglen"
-.Fa "const unsigned char *tbs"
-.Fa "size_t tbslen"
-.Fc
-.Sh DESCRIPTION
-The
-.Fn EVP_PKEY_sign_init
-function initializes a public key algorithm context using the key
-.Fa ctx->pkey
-for a signing operation.
-.Pp
-The
-.Fn EVP_PKEY_sign
-function performs a public key signing operation using
-.Fa ctx .
-The data to be signed is specified using the
-.Fa tbs
-and
-.Fa tbslen
-parameters.
-If
-.Fa sig
-is
-.Dv NULL ,
-then the maximum size of the output buffer is written to the
-.Fa siglen
-parameter.
-If
-.Fa sig
-is not
-.Dv NULL ,
-then before the call the
-.Fa siglen
-parameter should contain the length of the
-.Fa sig
-buffer.
-If the call is successful, the signature is written to
-.Fa sig
-and the amount of data written to
-.Fa siglen .
-.Pp
-.Fn EVP_PKEY_sign
-does not hash the data to be signed, and therefore is normally used
-to sign digests.
-For signing arbitrary messages, see the
-.Xr EVP_DigestSignInit 3
-and
-.Xr EVP_SignInit 3
-signing interfaces instead.
-.Pp
-After the call to
-.Fn EVP_PKEY_sign_init ,
-algorithm specific control operations can be performed to set any
-appropriate parameters for the operation; see
-.Xr EVP_PKEY_CTX_ctrl 3 .
-.Pp
-The function
-.Fn EVP_PKEY_sign
-can be called more than once on the same context if several operations
-are performed using the same parameters.
-.Sh RETURN VALUES
-.Fn EVP_PKEY_sign_init
-and
-.Fn EVP_PKEY_sign
-return 1 for success and 0 or a negative value for failure.
-In particular, a return value of -2 indicates the operation is not
-supported by the public key algorithm.
-.Sh EXAMPLES
-Sign data using RSA with PKCS#1 padding and SHA256 digest:
-.Bd -literal -offset indent
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-
-EVP_PKEY_CTX *ctx;
-/* md is a SHA-256 digest in this example. */
-unsigned char *md, *sig;
-size_t mdlen = 32, siglen;
-EVP_PKEY *signing_key;
-
-/*
- * NB: assumes signing_key and md are set up before the next
- * step. signing_key must be an RSA private key and md must
- * point to the SHA-256 digest to be signed.
- */
-ctx = EVP_PKEY_CTX_new(signing_key, NULL /* no engine */);
-if (!ctx)
-        /* Error occurred */
-if (EVP_PKEY_sign_init(ctx) <= 0)
-        /* Error */
-if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
-        /* Error */
-if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
-        /* Error */
-
-/* Determine buffer length */
-if (EVP_PKEY_sign(ctx, NULL, &siglen, md, mdlen) <= 0)
-        /* Error */
-
-sig = malloc(siglen);
-
-if (!sig)
-        /* malloc failure */
-
-if (EVP_PKEY_sign(ctx, sig, &siglen, md, mdlen) <= 0)
-        /* Error */
-
-/* Signature is siglen bytes written to buffer sig */
-.Ed
-.Sh SEE ALSO
-.Xr EVP_PKEY_CTX_ctrl 3 ,
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_decrypt 3 ,
-.Xr EVP_PKEY_derive 3 ,
-.Xr EVP_PKEY_encrypt 3 ,
-.Xr EVP_PKEY_verify 3 ,
-.Xr EVP_PKEY_verify_recover 3
-.Sh HISTORY
-.Fn EVP_PKEY_sign_init
-and
-.Fn EVP_PKEY_sign
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_size.3 b/src/lib/libcrypto/man/EVP_PKEY_size.3
deleted file mode 100644
index cd25eec9c2..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_size.3
+++ /dev/null
@@ -1,224 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_size.3,v 1.4 2024/12/06 12:51:13 schwarze Exp $
-.\" full merge up to: OpenSSL eed9d03b Jan 8 11:04:15 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2022, 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Richard Levitte <levitte@openssl.org>.
-.\" Copyright (c) 2020 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_PKEY_SIZE 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_size ,
-.Nm EVP_PKEY_bits ,
-.Nm EVP_PKEY_security_bits
-.Nd EVP_PKEY information functions
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_PKEY_size
-.Fa "const EVP_PKEY *pkey"
-.Fc
-.Ft int
-.Fo EVP_PKEY_bits
-.Fa "const EVP_PKEY *pkey"
-.Fc
-.Ft int
-.Fo EVP_PKEY_security_bits
-.Fa "const EVP_PKEY *pkey"
-.Fc
-.Sh DESCRIPTION
-.Fn EVP_PKEY_size
-returns the maximum size in bytes needed for the output buffer
-for almost any operation that can be done with
-.Fa pkey .
-The primary use is with
-.Xr EVP_SignFinal 3
-and
-.Xr EVP_SealInit 3 .
-The returned size is also large enough for the output buffer of
-.Xr EVP_PKEY_sign 3 ,
-.Xr EVP_PKEY_encrypt 3 ,
-.Xr EVP_PKEY_decrypt 3 ,
-and
-.Xr EVP_PKEY_derive 3 .
-.Pp
-Unless the documentation for the operation says otherwise,
-the size returned by
-.Fn EVP_PKEY_size
-is only an upper limit and the final content of the target
-buffer may be smaller.
-It is therefore crucial to take note of the size given back by the
-function that performs the operation.
-For example,
-.Xr EVP_PKEY_sign 3
-returns that length in the
-.Pf * Fa siglen
-argument.
-.Pp
-Using
-.Fn EVP_PKEY_size
-is discouraged with
-.Xr EVP_DigestSignFinal 3 .
-.Pp
-Most functions using an output buffer support passing
-.Dv NULL
-for the buffer and a pointer to an integer
-to get the exact size that this function call delivers
-in the context that it is called in.
-This allows those functions to be called twice, once to find out the
-exact buffer size, then allocate the buffer in between, and call that
-function again to actually output the data.
-For those functions, it isn't strictly necessary to call
-.Fn EVP_PKEY_size
-to find out the buffer size, but it may still be useful in cases
-where it's desirable to know the upper limit in advance.
-.Pp
-.Fn EVP_PKEY_size
-is supported for the following algorithms:
-.Bl -column ED25519 "EVP_MAX_BLOCK_LENGTH = 32"
-.It        Ta same result as from:
-.It CMAC   Ta Dv EVP_MAX_BLOCK_LENGTH No = 32
-.It DH     Ta Xr DH_size 3
-.It DSA    Ta Xr DSA_size 3
-.It EC     Ta Xr ECDSA_size 3
-.It ED25519 Ta 64, but see below
-.It HMAC   Ta Dv EVP_MAX_MD_SIZE No = 64
-.It RSA    Ta Xr RSA_size 3
-.It X25519 Ta Dv X25519_KEYLEN No = 32
-.El
-.Pp
-For
-.Dv EVP_PKEY_ED25519 ,
-the situation is special: while the key size is
-.Dv ED25519_KEYLEN No = 32 bytes ,
-.Fn EVP_PKEY_size
-returns 64 because the signature is longer than the keys.
-.Pp
-.Fn EVP_PKEY_bits
-returns the cryptographic length of the cryptosystem to which the key in
-.Fa pkey
-belongs, in bits.
-The definition of cryptographic length is specific to the key cryptosystem.
-The following algorithms are supported:
-.Bl -column ED25519 "the public domain parameter p" DSA_bits(3)
-.It        Ta cryptographic length = Ta same result as from:
-.It        Ta significant bits in ... Ta
-.It DH     Ta the public domain parameter Fa p Ta Xr DH_bits 3
-.It DSA    Ta the public domain parameter Fa p Ta Xr DSA_bits 3
-.It EC     Ta the order of the group Ta Xr EC_GROUP_order_bits 3
-.It ED25519 Ta 253 Ta \(em
-.It RSA    Ta the public modulus Ta Xr RSA_bits 3
-.It X25519 Ta 253 Ta \(em
-.El
-.Pp
-.Fn EVP_PKEY_security_bits
-returns the security strength measured in bits of the given
-.Fa pkey
-as defined in NIST SP800-57.
-The following algorithms are supported:
-.Bl -column ED25519 DSA_security_bits(3)
-.It        Ta same result as from:
-.It DH     Ta Xr DH_security_bits 3
-.It DSA    Ta Xr DSA_security_bits 3
-.It EC     Ta Xr EC_GROUP_order_bits 3 divided by 2
-.It ED25519 Ta 128
-.It RSA    Ta Xr RSA_security_bits 3
-.It X25519 Ta 128
-.El
-.Pp
-For EC keys, if the result is greater than 80, it is rounded down
-to 256, 192, 128, 112, or 80.
-.Sh RETURN VALUES
-.Fn EVP_PKEY_size
-and
-.Fn EVP_PKEY_bits
-return a positive number or 0 if this size isn't available.
-.Pp
-.Fn EVP_PKEY_security_bits
-returns a number in the range from 0 to 256 inclusive
-or \-2 if this function is unsupported for the algorithm used by
-.Fa pkey .
-It returns 0 if
-.Fa pkey
-is
-.Dv NULL .
-.Sh SEE ALSO
-.Xr EVP_PKEY_decrypt 3 ,
-.Xr EVP_PKEY_derive 3 ,
-.Xr EVP_PKEY_encrypt 3 ,
-.Xr EVP_PKEY_new 3 ,
-.Xr EVP_PKEY_sign 3 ,
-.Xr EVP_SealInit 3 ,
-.Xr EVP_SignFinal 3
-.Sh HISTORY
-.Fn EVP_PKEY_size
-first appeared in SSLeay 0.6.0 and
-.Fn EVP_PKEY_bits
-in SSLeay 0.9.0.
-Both functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_PKEY_security_bits
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.2 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_verify.3 b/src/lib/libcrypto/man/EVP_PKEY_verify.3
deleted file mode 100644
index d096a3a7be..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_verify.3
+++ /dev/null
@@ -1,167 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_verify.3,v 1.8 2024/12/06 14:27:49 schwarze Exp $
-.\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2006, 2009, 2010, 2013, 2018 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_PKEY_VERIFY 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_verify_init ,
-.Nm EVP_PKEY_verify
-.Nd signature verification using a public key algorithm
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_PKEY_verify_init
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_PKEY_verify
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "const unsigned char *sig"
-.Fa "size_t siglen"
-.Fa "const unsigned char *tbs"
-.Fa "size_t tbslen"
-.Fc
-.Sh DESCRIPTION
-The
-.Fn EVP_PKEY_verify_init
-function initializes a public key algorithm context using key
-.Fa ctx->pkey
-for a signature verification operation.
-.Pp
-The
-.Fn EVP_PKEY_verify
-function performs a public key verification operation using
-.Fa ctx .
-The signature is specified using the
-.Fa sig
-and
-.Fa siglen
-parameters.
-The verified data (i.e. the data believed originally signed) is
-specified using the
-.Fa tbs
-and
-.Fa tbslen
-parameters.
-.Pp
-After the call to
-.Fn EVP_PKEY_verify_init ,
-algorithm specific control operations can be performed to set any
-appropriate parameters for the operation.
-.Pp
-The function
-.Fn EVP_PKEY_verify
-can be called more than once on the same context if several operations
-are performed using the same parameters.
-.Sh RETURN VALUES
-.Fn EVP_PKEY_verify_init
-and
-.Fn EVP_PKEY_verify
-return 1 if the verification was successful and 0 if it failed.
-Unlike other functions the return value 0 from
-.Fn EVP_PKEY_verify
-only indicates that the signature did not verify successfully.
-That is,
-.Fa tbs
-did not match the original data or the signature was of invalid form.
-It is not an indication of a more serious error.
-.Pp
-A negative value indicates an error other that signature verification
-failure.
-In particular, a return value of -2 indicates the operation is not
-supported by the public key algorithm.
-.Sh EXAMPLES
-Verify signature using PKCS#1 and SHA256 digest:
-.Bd -literal -offset 3n
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-
-EVP_PKEY_CTX *ctx;
-unsigned char *md, *sig;
-size_t mdlen, siglen;
-EVP_PKEY *verify_key;
-
-/*
- * Assumes that verify_key, sig, siglen, md, and mdlen are already set up
- * and that verify_key is an RSA public key.
- */
-ctx = EVP_PKEY_CTX_new(verify_key, NULL);
-if (!ctx)
-        /* Error occurred */
-if (EVP_PKEY_verify_init(ctx) <= 0)
-        /* Error */
-if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
-        /* Error */
-if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
-        /* Error */
-
-/* Perform operation */
-ret = EVP_PKEY_verify(ctx, sig, siglen, md, mdlen);
-
-/*
- * ret == 1 indicates success, 0 verify failure,
- * and < 0 some other error.
- */
-.Ed
-.Sh SEE ALSO
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_decrypt 3 ,
-.Xr EVP_PKEY_derive 3 ,
-.Xr EVP_PKEY_encrypt 3 ,
-.Xr EVP_PKEY_sign 3 ,
-.Xr EVP_PKEY_verify_recover 3
-.Sh HISTORY
-.Fn EVP_PKEY_verify_init
-and
-.Fn EVP_PKEY_verify
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3 b/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3
deleted file mode 100644
index 30c034cdb5..0000000000
--- a/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3
+++ /dev/null
@@ -1,188 +0,0 @@
-.\" $OpenBSD: EVP_PKEY_verify_recover.3,v 1.10 2024/12/06 14:27:49 schwarze Exp $
-.\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2006, 2009, 2010, 2013, 2018 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_PKEY_VERIFY_RECOVER 3
-.Os
-.Sh NAME
-.Nm EVP_PKEY_verify_recover_init ,
-.Nm EVP_PKEY_verify_recover
-.Nd recover signature using a public key algorithm
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_PKEY_verify_recover_init
-.Fa "EVP_PKEY_CTX *ctx"
-.Fc
-.Ft int
-.Fo EVP_PKEY_verify_recover
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "unsigned char *rout"
-.Fa "size_t *routlen"
-.Fa "const unsigned char *sig"
-.Fa "size_t siglen"
-.Fc
-.Sh DESCRIPTION
-The
-.Fn EVP_PKEY_verify_recover_init
-function initializes a public key algorithm context using key
-.Fa ctx->pkey
-for a verify recover operation.
-.Pp
-The
-.Fn EVP_PKEY_verify_recover
-function recovers signed data using
-.Fa ctx .
-The signature is specified using the
-.Fa sig
-and
-.Fa siglen
-parameters.
-If
-.Fa rout
-is
-.Dv NULL ,
-then the maximum size of the output buffer is written to the
-.Fa routlen
-parameter.
-If
-.Fa rout
-is not
-.Dv NULL ,
-then before the call the
-.Fa routlen
-parameter should contain the length of the
-.Fa rout
-buffer.
-If the call is successful, recovered data is written to
-.Fa rout
-and the amount of data written to
-.Fa routlen .
-.Pp
-Normally an application is only interested in whether a signature
-verification operation is successful.
-In those cases, the
-.Xr EVP_PKEY_verify 3
-function should be used.
-.Pp
-Sometimes however it is useful to obtain the data originally signed
-using a signing operation.
-Only certain public key algorithms can recover a signature in this way
-(for example RSA in PKCS padding mode).
-.Pp
-After the call to
-.Fn EVP_PKEY_verify_recover_init ,
-algorithm specific control operations can be performed to set any
-appropriate parameters for the operation.
-.Pp
-The function
-.Fn EVP_PKEY_verify_recover
-can be called more than once on the same context if several operations
-are performed using the same parameters.
-.Sh RETURN VALUES
-.Fn EVP_PKEY_verify_recover_init
-and
-.Fn EVP_PKEY_verify_recover
-return 1 for success and 0 or a negative value for failure.
-In particular, a return value of -2 indicates the operation is not
-supported by the public key algorithm.
-.Sh EXAMPLES
-Recover digest originally signed using PKCS#1 and SHA256 digest:
-.Bd -literal -offset indent
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-
-EVP_PKEY_CTX *ctx;
-unsigned char *rout, *sig;
-size_t routlen, siglen;
-EVP_PKEY *verify_key;
-
-/*
- * Assumes that verify_key, sig, and siglen are already set up
- * and that verify_key is an RSA public key.
- */
-ctx = EVP_PKEY_CTX_new(verify_key, NULL);
-if (!ctx)
-        /* Error occurred */
-if (EVP_PKEY_verify_recover_init(ctx) <= 0)
-        /* Error */
-if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
-        /* Error */
-if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
-        /* Error */
-
-/* Determine buffer length */
-if (EVP_PKEY_verify_recover(ctx, NULL, &routlen, sig, siglen) <= 0)
-        /* Error */
-
-rout = malloc(routlen);
-
-if (!rout)
-        /* malloc failure */
-
-if (EVP_PKEY_verify_recover(ctx, rout, &routlen, sig, siglen) <= 0)
-        /* Error */
-
-/* Recovered data is routlen bytes written to buffer rout */
-.Ed
-.Sh SEE ALSO
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_decrypt 3 ,
-.Xr EVP_PKEY_derive 3 ,
-.Xr EVP_PKEY_encrypt 3 ,
-.Xr EVP_PKEY_sign 3 ,
-.Xr EVP_PKEY_verify 3
-.Sh HISTORY
-.Fn EVP_PKEY_verify_recover_init
-and
-.Fn EVP_PKEY_verify_recover
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/EVP_SealInit.3 b/src/lib/libcrypto/man/EVP_SealInit.3
deleted file mode 100644
index da53535274..0000000000
--- a/src/lib/libcrypto/man/EVP_SealInit.3
+++ /dev/null
@@ -1,191 +0,0 @@
-.\"     $OpenBSD: EVP_SealInit.3,v 1.9 2023/11/16 20:27:43 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2003, 2005, 2015 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 16 2023 $
-.Dt EVP_SEALINIT 3
-.Os
-.Sh NAME
-.Nm EVP_SealInit ,
-.Nm EVP_SealUpdate ,
-.Nm EVP_SealFinal
-.Nd EVP envelope encryption
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_SealInit
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "const EVP_CIPHER *type"
-.Fa "unsigned char **ek"
-.Fa "int *ekl"
-.Fa "unsigned char *iv"
-.Fa "EVP_PKEY **pubk"
-.Fa "int npubk"
-.Fc
-.Ft int
-.Fo EVP_SealUpdate
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *outl"
-.Fa "unsigned char *in"
-.Fa "int inl"
-.Fc
-.Ft int
-.Fo EVP_SealFinal
-.Fa "EVP_CIPHER_CTX *ctx"
-.Fa "unsigned char *out"
-.Fa "int *outl"
-.Fc
-.Sh DESCRIPTION
-The EVP envelope routines are a high level interface to envelope
-encryption.
-They generate a random key and IV (if required) then "envelope" it by
-using public key encryption.
-Data can then be encrypted using this key.
-.Pp
-.Fn EVP_SealInit
-initializes a cipher context
-.Fa ctx
-for encryption with cipher
-.Fa type
-using a random secret key and IV.
-.Fa type
-is normally supplied by a function such as
-.Xr EVP_aes_256_cbc 3 ;
-see
-.Xr EVP_EncryptInit 3
-for details.
-The secret key is encrypted using one or more public keys.
-This allows the same encrypted data to be decrypted using any of
-the corresponding private keys.
-.Fa ek
-is an array of buffers where the public key encrypted secret key will be
-written.
-Each buffer must contain enough room for the corresponding encrypted
-key: that is
-.Fa ek[i]
-must have room for
-.Fn EVP_PKEY_size pubk[i]
-bytes.
-The actual size of each encrypted secret key is written to the array
-.Fa ekl .
-.Fa pubk
-is an array of
-.Fa npubk
-public keys.
-.Pp
-The
-.Fa iv
-parameter is a buffer where the generated IV is written to.
-It must contain enough room for the corresponding cipher's IV, as
-determined by (for example)
-.Fn EVP_CIPHER_iv_length type .
-.Pp
-If the cipher does not require an IV then the
-.Fa iv
-parameter is ignored and can be
-.Dv NULL .
-.Pp
-.Fn EVP_SealUpdate
-and
-.Fn EVP_SealFinal
-have exactly the same properties as the
-.Xr EVP_EncryptUpdate 3
-and
-.Xr EVP_EncryptFinal 3
-routines.
-.Pp
-The public key must be RSA because it is the only OpenSSL public key
-algorithm that supports key transport.
-.Pp
-Envelope encryption is the usual method of using public key encryption
-on large amounts of data.
-This is because public key encryption is slow but symmetric encryption
-is fast.
-So symmetric encryption is used for bulk encryption and the small random
-symmetric key used is transferred using public key encryption.
-.Pp
-It is possible to call
-.Fn EVP_SealInit
-twice in the same way as
-.Xr EVP_EncryptInit 3 .
-The first call should have
-.Fa npubk
-set to 0 and (after setting any cipher parameters) it should be called
-again with
-.Fa type
-set to NULL.
-.Pp
-.Fn EVP_SealUpdate
-is implemented as a macro.
-.Sh RETURN VALUES
-.Fn EVP_SealInit
-returns 0 on error or
-.Fa npubk
-if successful.
-.Pp
-.Fn EVP_SealUpdate
-and
-.Fn EVP_SealFinal
-return 1 for success and 0 for failure.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_EncryptInit 3 ,
-.Xr EVP_OpenInit 3
-.Sh HISTORY
-.Fn EVP_SealInit ,
-.Fn EVP_SealUpdate ,
-and
-.Fn EVP_SealFinal
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_SealFinal
-did not return a value before OpenSSL 0.9.7.
diff --git a/src/lib/libcrypto/man/EVP_SignInit.3 b/src/lib/libcrypto/man/EVP_SignInit.3
deleted file mode 100644
index 8158b21dbf..0000000000
--- a/src/lib/libcrypto/man/EVP_SignInit.3
+++ /dev/null
@@ -1,211 +0,0 @@
-.\" $OpenBSD: EVP_SignInit.3,v 1.21 2024/12/06 12:51:13 schwarze Exp $
-.\" full merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000-2002, 2005, 2006, 2014-2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP_SIGNINIT 3
-.Os
-.Sh NAME
-.Nm EVP_SignInit_ex ,
-.Nm EVP_SignUpdate ,
-.Nm EVP_SignFinal ,
-.Nm EVP_SignInit
-.Nd EVP signing functions
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_SignInit_ex
-.Fa "EVP_MD_CTX *ctx"
-.Fa "const EVP_MD *type"
-.Fa "ENGINE *engine"
-.Fc
-.Ft int
-.Fo EVP_SignUpdate
-.Fa "EVP_MD_CTX *ctx"
-.Fa "const void *d"
-.Fa "unsigned int cnt"
-.Fc
-.Ft int
-.Fo EVP_SignFinal
-.Fa "EVP_MD_CTX *ctx"
-.Fa "unsigned char *sig"
-.Fa "unsigned int *s"
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft void
-.Fo EVP_SignInit
-.Fa "EVP_MD_CTX *ctx"
-.Fa "const EVP_MD *type"
-.Fc
-.Sh DESCRIPTION
-The EVP signature routines are a high-level interface to digital
-signatures.
-.Pp
-.Fn EVP_SignInit_ex
-sets up the signing context
-.Fa ctx
-to use the digest
-.Fa type .
-Before calling this function, obtain
-.Fa ctx
-from
-.Xr EVP_MD_CTX_new 3
-or call
-.Xr EVP_MD_CTX_reset 3
-on it.
-The
-.Fa engine
-argument is always ignored and passing
-.Dv NULL
-is recommended.
-.Pp
-.Fn EVP_SignUpdate
-hashes
-.Fa cnt
-bytes of data at
-.Fa d
-into the signature context
-.Fa ctx .
-This function can be called several times on the same
-.Fa ctx
-to include additional data.
-.Pp
-.Fn EVP_SignFinal
-signs the data in
-.Fa ctx
-using the private key
-.Fa pkey
-and places the signature in
-.Fa sig .
-.Fa sig
-must be at least
-.Xr EVP_PKEY_size 3
-bytes in size.
-.Fa s
-is an OUT parameter, and not used as an IN parameter.
-The number of bytes of data written (i.e.\&
-the length of the signature) will be written to the integer at
-.Fa s .
-At most
-.Xr EVP_PKEY_size 3
-bytes will be written.
-.Pp
-.Fn EVP_SignInit
-initializes a signing context
-.Fa ctx
-to use the default implementation of digest
-.Fa type .
-.Pp
-The EVP interface to digital signatures should almost always be
-used in preference to the low-level interfaces.
-This is because the code then becomes transparent to the algorithm used
-and much more flexible.
-.Pp
-The call to
-.Fn EVP_SignFinal
-internally finalizes a copy of the digest context.
-This means that calls to
-.Fn EVP_SignUpdate
-and
-.Fn EVP_SignFinal
-can be called later to digest and sign additional data.
-.Pp
-Since only a copy of the digest context is ever finalized, the context
-must be cleaned up after use by calling
-.Xr EVP_MD_CTX_free 3
-or a memory leak will occur.
-.Pp
-.Fn EVP_SignInit_ex ,
-.Fn EVP_SignUpdate ,
-and
-.Fn EVP_SignInit
-are implemented as macros.
-.Sh RETURN VALUES
-.Fn EVP_SignInit_ex ,
-.Fn EVP_SignUpdate ,
-and
-.Fn EVP_SignFinal
-return 1 for success and 0 for failure.
-.Pp
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_DigestInit 3 ,
-.Xr EVP_PKEY_size 3 ,
-.Xr EVP_VerifyInit 3
-.Sh HISTORY
-.Fn EVP_SignInit ,
-.Fn EVP_SignUpdate ,
-and
-.Fn EVP_SignFinal
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_SignInit_ex
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
-.Sh BUGS
-Older versions of this documentation wrongly stated that calls to
-.Fn EVP_SignUpdate
-could not be made after calling
-.Fn EVP_SignFinal .
-.Pp
-Since the private key is passed in the call to
-.Fn EVP_SignFinal ,
-any error relating to the private key (for example an unsuitable key and
-digest combination) will not be indicated until after potentially large
-amounts of data have been passed through
-.Fn EVP_SignUpdate .
-.Pp
-It is not possible to change the signing parameters using these
-function.
-.Pp
-The previous two bugs are fixed in the newer EVP_DigestSign* function.
diff --git a/src/lib/libcrypto/man/EVP_VerifyInit.3 b/src/lib/libcrypto/man/EVP_VerifyInit.3
deleted file mode 100644
index 0baadfb9fb..0000000000
--- a/src/lib/libcrypto/man/EVP_VerifyInit.3
+++ /dev/null
@@ -1,205 +0,0 @@
-.\" $OpenBSD: EVP_VerifyInit.3,v 1.13 2024/11/08 22:23:35 schwarze Exp $
-.\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2006, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 8 2024 $
-.Dt EVP_VERIFYINIT 3
-.Os
-.Sh NAME
-.Nm EVP_VerifyInit_ex ,
-.Nm EVP_VerifyUpdate ,
-.Nm EVP_VerifyFinal ,
-.Nm EVP_VerifyInit
-.Nd EVP signature verification functions
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_VerifyInit_ex
-.Fa "EVP_MD_CTX *ctx"
-.Fa "const EVP_MD *type"
-.Fa "ENGINE *engine"
-.Fc
-.Ft int
-.Fo EVP_VerifyUpdate
-.Fa "EVP_MD_CTX *ctx"
-.Fa "const void *d"
-.Fa "unsigned int cnt"
-.Fc
-.Ft int
-.Fo EVP_VerifyFinal
-.Fa "EVP_MD_CTX *ctx"
-.Fa "unsigned char *sigbuf"
-.Fa "unsigned int siglen"
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft int
-.Fo EVP_VerifyInit
-.Fa "EVP_MD_CTX *ctx"
-.Fa "const EVP_MD *type"
-.Fc
-.Sh DESCRIPTION
-The EVP signature verification routines are a high-level interface to
-digital signatures.
-.Pp
-.Fn EVP_VerifyInit_ex
-sets up the verification context
-.Fa ctx
-to use the digest
-.Fa type .
-Before calling this function, obtain
-.Fa ctx
-from
-.Xr EVP_MD_CTX_new 3
-or call
-.Xr EVP_MD_CTX_reset 3
-on it.
-The
-.Fa engine
-argument is always ignored and passing
-.Dv NULL
-is recommended.
-.Pp
-.Fn EVP_VerifyUpdate
-hashes
-.Fa cnt
-bytes of data at
-.Fa d
-into the verification context
-.Fa ctx .
-This function can be called several times on the same
-.Fa ctx
-to include additional data.
-.Pp
-.Fn EVP_VerifyFinal
-verifies the data in
-.Fa ctx
-using the public key
-.Fa pkey
-and against the
-.Fa siglen
-bytes at
-.Fa sigbuf .
-.Pp
-.Fn EVP_VerifyInit
-initializes a verification context
-.Fa ctx
-to use the default implementation of digest
-.Fa type .
-.Pp
-The EVP interface to digital signatures should almost always be
-used in preference to the low-level interfaces.
-This is because the code then becomes transparent to the algorithm used
-and much more flexible.
-.Pp
-The call to
-.Fn EVP_VerifyFinal
-internally finalizes a copy of the digest context.
-This means that calls to
-.Fn EVP_VerifyUpdate
-and
-.Fn EVP_VerifyFinal
-can be called later to digest and verify additional data.
-.Pp
-Since only a copy of the digest context is ever finalized, the context
-must be cleaned up after use by calling
-.Xr EVP_MD_CTX_free 3 ,
-or a memory leak will occur.
-.Pp
-.Fn EVP_VerifyInit_ex ,
-.Fn EVP_VerifyUpdate ,
-and
-.Fn EVP_VerifyInit
-are implemented as macros.
-.Sh RETURN VALUES
-.Fn EVP_VerifyInit_ex
-and
-.Fn EVP_VerifyUpdate
-return 1 for success and 0 for failure.
-.Pp
-.Fn EVP_VerifyFinal
-returns 1 for a correct signature, 0 for failure, and -1 if some other
-error occurred.
-.Pp
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_DigestInit 3 ,
-.Xr EVP_SignInit 3
-.Sh HISTORY
-.Fn EVP_VerifyInit ,
-.Fn EVP_VerifyUpdate ,
-and
-.Fn EVP_VerifyFinal
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_VerifyInit_ex
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
-.Sh BUGS
-Older versions of this documentation wrongly stated that calls to
-.Fn EVP_VerifyUpdate
-could not be made after calling
-.Fn EVP_VerifyFinal .
-.Pp
-Since the public key is passed in the call to
-.Xr EVP_SignFinal 3 ,
-any error relating to the private key (for example an unsuitable key and
-digest combination) will not be indicated until after potentially large
-amounts of data have been passed through
-.Xr EVP_SignUpdate 3 .
-.Pp
-It is not possible to change the signing parameters using these
-functions.
-.Pp
-The previous two bugs are fixed in the newer functions of the
-.Xr EVP_DigestVerifyInit 3
-family.
diff --git a/src/lib/libcrypto/man/EVP_aes_128_cbc.3 b/src/lib/libcrypto/man/EVP_aes_128_cbc.3
deleted file mode 100644
index 46e3ef0bdc..0000000000
--- a/src/lib/libcrypto/man/EVP_aes_128_cbc.3
+++ /dev/null
@@ -1,304 +0,0 @@
-.\" $OpenBSD: EVP_aes_128_cbc.3,v 1.8 2024/12/20 01:54:03 schwarze Exp $
-.\" selective merge up to: OpenSSL 7c6d372a Nov 20 13:20:01 2018 +0000
-.\"
-.\" This file was written by Ronald Tse <ronald.tse@ribose.com>
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 20 2024 $
-.Dt EVP_AES_128_CBC 3
-.Os
-.Sh NAME
-.Nm EVP_aes_128_cbc ,
-.Nm EVP_aes_192_cbc ,
-.Nm EVP_aes_256_cbc ,
-.Nm EVP_aes_128_cfb1 ,
-.Nm EVP_aes_192_cfb1 ,
-.Nm EVP_aes_256_cfb1 ,
-.Nm EVP_aes_128_cfb8 ,
-.Nm EVP_aes_192_cfb8 ,
-.Nm EVP_aes_256_cfb8 ,
-.Nm EVP_aes_128_cfb128 ,
-.Nm EVP_aes_192_cfb128 ,
-.Nm EVP_aes_256_cfb128 ,
-.Nm EVP_aes_128_cfb ,
-.Nm EVP_aes_192_cfb ,
-.Nm EVP_aes_256_cfb ,
-.Nm EVP_aes_128_ctr ,
-.Nm EVP_aes_192_ctr ,
-.Nm EVP_aes_256_ctr ,
-.Nm EVP_aes_128_ecb ,
-.Nm EVP_aes_192_ecb ,
-.Nm EVP_aes_256_ecb ,
-.Nm EVP_aes_128_ofb ,
-.Nm EVP_aes_192_ofb ,
-.Nm EVP_aes_256_ofb ,
-.Nm EVP_aes_128_cbc_hmac_sha1 ,
-.Nm EVP_aes_256_cbc_hmac_sha1 ,
-.Nm EVP_aes_128_wrap ,
-.Nm EVP_aes_192_wrap ,
-.Nm EVP_aes_256_wrap ,
-.Nm EVP_aes_128_xts ,
-.Nm EVP_aes_256_xts
-.Nd EVP AES cipher
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_128_cbc void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_192_cbc void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_256_cbc void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_128_cfb1 void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_192_cfb1 void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_256_cfb1 void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_128_cfb8 void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_192_cfb8 void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_256_cfb8 void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_128_cfb128 void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_192_cfb128 void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_256_cfb128 void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_128_cfb void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_192_cfb void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_256_cfb void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_128_ctr void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_192_ctr void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_256_ctr void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_128_ecb void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_192_ecb void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_256_ecb void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_128_ofb void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_192_ofb void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_256_ofb void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_128_cbc_hmac_sha1 void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_256_cbc_hmac_sha1 void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_128_wrap void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_192_wrap void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_256_wrap void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_128_xts void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_256_xts void
-.Sh DESCRIPTION
-These functions provide the AES encryption algorithm in the
-.Xr evp 3
-framework.
-AES is a family of block ciphers operating on 128 bit blocks
-using key lengths of 128, 192, and 256 bits.
-.Pp
-.Fn EVP_aes_128_cbc ,
-.Fn EVP_aes_192_cbc ,
-.Fn EVP_aes_256_cbc ,
-.Fn EVP_aes_128_cfb1 ,
-.Fn EVP_aes_192_cfb1 ,
-.Fn EVP_aes_256_cfb1 ,
-.Fn EVP_aes_128_cfb8 ,
-.Fn EVP_aes_192_cfb8 ,
-.Fn EVP_aes_256_cfb8 ,
-.Fn EVP_aes_128_cfb128 ,
-.Fn EVP_aes_192_cfb128 ,
-.Fn EVP_aes_256_cfb128 ,
-.Fn EVP_aes_128_ctr ,
-.Fn EVP_aes_192_ctr ,
-.Fn EVP_aes_256_ctr ,
-.Fn EVP_aes_128_ecb ,
-.Fn EVP_aes_192_ecb ,
-.Fn EVP_aes_256_ecb ,
-.Fn EVP_aes_128_ofb ,
-.Fn EVP_aes_192_ofb ,
-and
-.Fn EVP_aes_256_ofb
-provide AES for 128, 192, and 256-bit keys in the following modes:
-CBC, CFB with 1-bit shift, CFB with 8-bit shift, CFB with 128-bit shift,
-CTR, ECB, and OFB.
-.Pp
-.Fn EVP_aes_128_cfb ,
-.Fn EVP_aes_192_cfb ,
-and
-.Fn EVP_aes_256_cfb
-are aliases for
-.Fn EVP_aes_128_cfb128 ,
-.Fn EVP_aes_192_cfb128 ,
-and
-.Fn EVP_aes_256_cfb128 ,
-implemented as macros.
-.Pp
-.Fn EVP_aes_128_cbc_hmac_sha1
-and
-.Fn EVP_aes_256_cbc_hmac_sha1
-provide authenticated encryption with AES in CBC mode using SHA-1 as HMAC,
-with keys of 128 and 256-bit length respectively.
-The authentication tag is 160 bits long.
-This is not intended for usage outside of TLS and requires
-calling of some undocumented control functions.
-These ciphers do not conform to the EVP AEAD interface.
-.Pp
-.Fn EVP_aes_128_wrap ,
-.Fn EVP_aes_192_wrap ,
-and
-.Fn EVP_aes_256_wrap
-provide AES key wrap with 128, 192 and 256-bit keys
-according to RFC 3394 section 2.2.1 ("wrap").
-When the returned
-.Vt EVP_CIPHER
-object is later passed to
-.Xr EVP_CipherInit_ex 3 ,
-.Xr EVP_EncryptInit_ex 3 ,
-or
-.Xr EVP_DecryptInit_ex 3
-together with an
-.Vt EVP_CIPHER_CTX
-object, the flag
-.Dv EVP_CIPHER_CTX_FLAG_WRAP_ALLOW
-must have been set in the
-.Vt EVP_CIPHER_CTX
-using
-.Xr EVP_CIPHER_CTX_set_flags 3 .
-Otherwise, or when passing the returned
-.Vt EVP_CIPHER
-object to
-.Xr EVP_CipherInit 3 ,
-.Xr EVP_EncryptInit 3 ,
-or
-.Xr EVP_DecryptInit 3 ,
-initialization fails with a
-.Dq wrap not allowed
-error.
-.Pp
-.Fn EVP_aes_128_xts
-and
-.Fn EVP_aes_256_xts
-provide XEX-based tweaked-codebook mode with ciphertext stealing (XTS-AES)
-as specified in IEEE Std. 1619-2007 and described in NIST SP 800-38E.
-It was designed for encrypting data on a storage device,
-provides confidentiality but not authentication of data,
-and requires a key of double length for protection of a certain key size.
-In particular, XTS-AES-128 takes input of a 256-bit key to achieve
-AES 128-bit security, and XTS-AES-256 takes input of a 512-bit key
-to achieve AES 256-bit security.
-.Sh RETURN VALUES
-These functions return an
-.Vt EVP_CIPHER
-structure that provides the implementation of the symmetric cipher.
-.Sh SEE ALSO
-.Xr AES_encrypt 3 ,
-.Xr evp 3 ,
-.Xr EVP_aes_128_ccm 3 ,
-.Xr EVP_aes_128_gcm 3 ,
-.Xr EVP_EncryptInit 3
-.Sh HISTORY
-.Fn EVP_aes_128_cbc ,
-.Fn EVP_aes_192_cbc ,
-.Fn EVP_aes_256_cbc ,
-.Fn EVP_aes_128_cfb ,
-.Fn EVP_aes_192_cfb ,
-.Fn EVP_aes_256_cfb ,
-.Fn EVP_aes_128_ebc ,
-.Fn EVP_aes_192_ebc ,
-.Fn EVP_aes_256_ebc ,
-.Fn EVP_aes_128_ofb ,
-.Fn EVP_aes_192_ofb ,
-and
-.Fn EVP_aes_256_ofb
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn EVP_aes_128_cfb1 ,
-.Fn EVP_aes_192_cfb1 ,
-.Fn EVP_aes_256_cfb1 ,
-.Fn EVP_aes_128_cfb8 ,
-.Fn EVP_aes_192_cfb8 ,
-.Fn EVP_aes_256_cfb8 ,
-.Fn EVP_aes_128_cfb128 ,
-.Fn EVP_aes_192_cfb128 ,
-and
-.Fn EVP_aes_256_cfb128
-first appeared in OpenSSL 0.9.7e and have been available since
-.Ox 3.8 .
-.Pp
-.Fn EVP_aes_128_ctr ,
-.Fn EVP_aes_192_ctr ,
-.Fn EVP_aes_256_ctr ,
-.Fn EVP_aes_128_cbc_hmac_sha1 ,
-.Fn EVP_aes_256_cbc_hmac_sha1 ,
-.Fn EVP_aes_128_xts ,
-and
-.Fn EVP_aes_256_xts
-first appeared in OpenSSL 1.0.1 and have been available since
-.Ox 5.3 .
-.Pp
-.Fn EVP_aes_128_wrap ,
-.Fn EVP_aes_192_wrap ,
-and
-.Fn EVP_aes_256_wrap
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 6.5 .
diff --git a/src/lib/libcrypto/man/EVP_aes_128_ccm.3 b/src/lib/libcrypto/man/EVP_aes_128_ccm.3
deleted file mode 100644
index e9023a5b67..0000000000
--- a/src/lib/libcrypto/man/EVP_aes_128_ccm.3
+++ /dev/null
@@ -1,573 +0,0 @@
-.\" $OpenBSD: EVP_aes_128_ccm.3,v 1.5 2024/12/29 12:27:28 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
-.\" OpenSSL EVP_aes.pod a1ec85c1 Apr 21 10:49:12 2020 +0100
-.\"
-.\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" This file is a derived work containing a few sentences
-.\" written by Dr. Stephen Henson <steve@openssl.org>
-.\" covered by the following license:
-.\"
-.\" Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 29 2024 $
-.Dt EVP_AES_128_CCM 3
-.Os
-.Sh NAME
-.Nm EVP_aes_128_ccm ,
-.Nm EVP_aes_192_ccm ,
-.Nm EVP_aes_256_ccm
-.Nd EVP AES cipher in Counter with CBC-MAC mode
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_128_ccm void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_192_ccm void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_256_ccm void
-.\" The following #define'd constants are intentionally undocumented:
-.\" Completely unused by anything:
-.\" EVP_CTRL_CCM_SET_MSGLEN, EVP_CCM_TLS_FIXED_IV_LEN, EVP_CCM_TLS_IV_LEN
-.\" Very rarely used and unused in LibreSSL:
-.\" EVP_CCM_TLS_EXPLICIT_IV_LEN, EVP_CCM_TLS_TAG_LEN, EVP_CCM8_TLS_TAG_LEN
-.Sh DESCRIPTION
-.Fn EVP_aes_128_ccm ,
-.Fn EVP_aes_192_ccm ,
-and
-.Fn EVP_aes_256_ccm
-provide the Advanced Encryption Standard algorithm for 128, 192 and 256-bit
-keys in Counter with CBC-MAC (CCM) mode in the
-.Xr evp 3
-framework.
-This mode supports Authenticated Encryption with Additional Data (AEAD)
-and can be used in a number of communication protocols.
-Longer keys make precomputation attacks harder at a cost in performance.
-.Pp
-For CCM mode ciphers, the behaviour of the EVP interface is subtly
-altered and several additional
-.Xr EVP_CIPHER_CTX_ctrl 3
-operations are required to function correctly.
-Some of the
-.Dv EVP_CTRL_CCM_*
-control commands are older aliases for corresponding
-.Dv EVP_CTRL_AEAD_*
-constants as indicated below.
-.Pp
-The less cumbersome and less error-prone
-.Xr EVP_AEAD_CTX_new 3
-API does not provide CCM modes.
-Some communication protocols support alternatives to CCM, which may
-sometimes allow choosing the better API by avoiding CCM.
-.Ss Configuration controls
-The following two control commands can be issued as soon as
-.Xr EVP_EncryptInit 3
-has been called with a CCM
-.Fa type
-and
-.Dv NULL
-pointers for
-.Fa key
-and
-.Fa iv .
-Both commands are optional and override each other.
-If issued when a nonce is already set, they silently cause data corruption.
-The
-.Fa ptr
-argument is ignored by both; passing
-.Dv NULL
-is recommended.
-.Bl -tag -width Ds
-.It Dv EVP_CTRL_CCM_SET_L
-Set the size
-.Ms L
-of the length field to
-.Fa arg
-bytes and the size of the nonce to
-.No 15 \- Fa arg
-bytes.
-By default, 8 bytes are used for the length field and 7 for the nonce.
-Selecting a smaller size
-.Ms L
-for the length field reduces des maximum size of messages that can be sent,
-but in return allows transmitting more messages with the same key.
-It is an error to pass less than 2 or more than the default value of 8 for
-.Fa arg .
-.It Dv EVP_CTRL_AEAD_SET_IVLEN Pq == Dv EVP_CTRL_CCM_SET_IVLEN
-Set the size of the nonce to
-.Fa arg
-bytes and the size
-.Ms L
-of the length field to
-.No 15 \- Fa arg
-bytes.
-By default, 7 bytes are used for the nonce and 8 for the length field.
-Selecting a larger size of the nonce allows transmitting more messages with
-the same key at the expense of reducing the maximum size for each message.
-It is an error to pass more than 13 or less than the default value of 7 for
-.Fa arg .
-.El
-.Pp
-After optionally issuing one of the above control commands,
-.Xr EVP_EncryptInit 3
-can be called a second time, this time passing
-.Dv NULL
-for the
-.Fa type
-argument, with the other two arguments pointing to the desired AES key
-and to the desired nonce.
-.Ss Encryption controls
-.Bl -tag -width Ds
-.It Dv EVP_CTRL_AEAD_SET_TAG Pq == Dv EVP_CTRL_CCM_SET_TAG
-If the
-.Fa ptr
-argument is
-.Dv NULL ,
-set the tag length
-.Ms M
-to
-.Fa arg
-bytes.
-The default value is 12.
-Selecting a larger value makes tampering harder for an attacker,
-at a small expense of making the messages slightly longer.
-Selecting a smaller value is not recommended.
-It is an error to pass an odd number for
-.Fa arg ,
-or a number that is less than 4 or greater than 16, or to pass
-.Dv NULL
-to
-.Fa ptr
-when
-.Fa ctx
-is not configured for encrypting.
-Issuing this control command when an encryption key is already configured
-silently causes data corruption.
-.It Dv EVP_CTRL_AEAD_GET_TAG Pq == Dv EVP_CTRL_CCM_GET_TAG
-Store the
-.Fa arg
-bytes of the tag in the memory provided by the caller starting at
-.Fa ptr .
-It is an error to issue this control command when
-.Fa ctx
-is not configured for encrypting, when no data was encrypted yet, with an
-.Fa arg
-that does not match the configured tag length
-.Ms M ,
-or when the tag has already been retrieved earlier.
-.El
-.Pp
-Before passing any plaintext data to
-.Xr EVP_EncryptUpdate 3 ,
-call
-.Xr EVP_EncryptUpdate 3
-with both
-.Fa in
-and
-.Fa out
-set to
-.Dv NULL ,
-passing the total plaintext length in bytes as
-.Fa in_len .
-This constructs the first block to be digested with CBC-MAC
-and copies the text length to
-.Pf * Fa out_len .
-It does not check whether
-.Fa in_len
-exceeds the limit of
-.Pf 256\(ha Ms L ;
-the most significant bytes of excessive values are silently discarded.
-.Pp
-It is an error if the
-.Fa in_len
-argument of the
-.Xr EVP_EncryptUpdate 3
-call passing the plaintext data does not match the total length
-specified earlier.
-Splitting the text into more than one chunks to be passed in multiple calls of
-.Xr EVP_EncryptUpdate 3
-is not supported for CCM.
-.Pp
-To specify any additional authenticated data (AAD), call
-.Xr EVP_EncryptUpdate 3
-with the
-.Fa out
-argument set to
-.Dv NULL .
-.Ss Decryption controls
-.Bl -tag -width Ds
-.It Dv EVP_CTRL_AEAD_SET_TAG Pq == Dv EVP_CTRL_CCM_SET_TAG
-If the
-.Fa ptr
-argument is not
-.Dv NULL ,
-copy
-.Fa arg
-bytes starting at
-.Fa ptr
-to the expected CCM tag value.
-It is an error to pass an odd number for
-.Fa arg ,
-or a number that is less than 4 or greater than 16.
-Passing a number that does not correspond to the tag length
-.Ms M
-that was used for encryption does not raise an error right away,
-but results in undefined behaviour
-and typically causes subsequent authentication failure.
-It is also an error to pass a
-.Pf non- Dv NULL
-.Fa ptr
-when
-.Fa ctx
-is configured for encryption.
-.El
-.Pp
-Before passing any ciphertext data to
-.Xr EVP_DecryptUpdate 3 ,
-call
-.Xr EVP_DecryptUpdate 3
-with both
-.Fa in
-and
-.Fa out
-set to
-.Dv NULL ,
-passing the total ciphertext length in bytes as
-.Fa in_len .
-This constructs the first block to be digested with CBC-MAC
-and copies the text length to
-.Pf * Fa out_len .
-It does not check whether
-.Fa in_len
-exceeds the limit of
-.Pf 256\(ha Ms L ;
-the most significant bytes of excessive values are silently discarded.
-.Pp
-It is an error if the
-.Fa in_len
-argument of the
-.Xr EVP_DecryptUpdate 3
-call passing the ciphertext data does not match the total length
-specified earlier.
-Splitting the text into more than one chunks to be passed in multiple calls of
-.Xr EVP_DecryptUpdate 3
-is not supported for CCM.
-.Pp
-To specify any additional authenticated data (AAD), call
-.Xr EVP_DecryptUpdate 3
-with the
-.Fa out
-argument set to
-.Dv NULL .
-.Pp
-If the return value of
-.Xr EVP_DecryptUpdate 3
-does not indicate success, the authentication operation may have failed.
-In that case, regard any output data as corrupted.
-.Pp
-Do not call
-.Xr EVP_DecryptFinal 3
-when using CCM.
-Such a call would not do anything useful, and it would fail
-because the tag that was set with
-.Dv EVP_CTRL_CCM_SET_TAG
-was already consumed by
-.Xr EVP_DecryptUpdate 3 .
-.Sh RETURN VALUES
-These functions return a static constant
-.Vt EVP_CIPHER
-structure that provides the implementation of the respective AEAD cipher mode.
-.Sh EXAMPLES
-The following code encrypts and digests some secret text
-and some additional, public data with AES-CCM.
-Specifically, it implements the Test Vector #1
-given in section 8 of RFC 3610.
-.Bd -literal -offset indent
-/* input data */
-const unsigned char key[] = {
-    0xC0, 0xC1, 0xC2, 0xC3,  0xC4, 0xC5, 0xC6, 0xC7,
-    0xC8, 0xC9, 0xCA, 0xCB,  0xCC, 0xCD, 0xCE, 0xCF
-};
-const unsigned char nonce[] = {
-    0x00, 0x00, 0x00, 0x03,  0x02, 0x01, 0x00, 0xA0,
-    0xA1, 0xA2, 0xA3, 0xA4,  0xA5
-};
-const int nonce_len = sizeof(nonce);
-const int size_len = 15 - nonce_len;
-
-const unsigned char aad[] = {
-    0x00, 0x01, 0x02, 0x03,  0x04, 0x05, 0x06, 0x07
-};
-const int aad_len = sizeof(aad);
-
-const unsigned char plaintext[] = {
-    0x08, 0x09, 0x0A, 0x0B,  0x0C, 0x0D, 0x0E, 0x0F,
-    0x10, 0x11, 0x12, 0x13,  0x14, 0x15, 0x16, 0x17,
-    0x18, 0x19, 0x1A, 0x1B,  0x1C, 0x1D, 0x1E
-};
-const int text_len = sizeof(plaintext);
-
-/* expected output data */
-const unsigned char ciphertext[] = {
-    0x58, 0x8C, 0x97, 0x9A,  0x61, 0xC6, 0x63, 0xD2,
-    0xF0, 0x66, 0xD0, 0xC2,  0xC0, 0xF9, 0x89, 0x80,
-    0x6D, 0x5F, 0x6B, 0x61,  0xDA, 0xC3, 0x84
-};
-
-const unsigned char wanted_tag[] = {
-    0x17, 0xE8, 0xD1, 0x2C,  0xFD, 0xF9, 0x26, 0xE0
-};
-const int tag_len = sizeof(wanted_tag);
-
-const int out_len = aad_len + text_len + tag_len;
-unsigned char out_buf[out_len];
-unsigned char *out_p = out_buf;
-unsigned char *out_end = out_buf + out_len;
-
-/* auxiliary variables */
-EVP_CIPHER_CTX *ctx;
-int irv, i;
-
-/* configuration */
-ctx = EVP_CIPHER_CTX_new();
-if (ctx == NULL)
-        err(1, "EVP_CIPHER_CTX_new");
-
-if (EVP_EncryptInit(ctx, EVP_aes_128_ccm(), NULL, NULL) != 1)
-        err(1, "EVP_EncryptInit(NULL)");
-
-if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L,
-    size_len, NULL) <= 0)
-        err(1, "EVP_CTRL_CCM_SET_L(%d)", size_len);
-
-if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG,
-    tag_len, NULL) <= 0)
-        err(1, "EVP_CTRL_CCM_SET_TAG(%d)", tag_len);
-
-/* process input data */
-if (EVP_EncryptInit(ctx, NULL, key, nonce) != 1)
-        err(1, "EVP_EncryptInit(key, nonce)");
-
-if (EVP_EncryptUpdate(ctx, NULL, &irv, NULL, text_len) != 1)
-        err(1, "EVP_EncryptUpdate(len = %d)", text_len);
-if (irv != text_len)
-        errx(1, "text length: want %d, got %d", text_len, irv);
-
-irv = -1;
-if (EVP_EncryptUpdate(ctx, NULL, &irv, aad, aad_len) != 1)
-        err(1, "EVP_EncryptUpdate(AAD)");
-memcpy(out_p, aad, aad_len);
-out_p += aad_len;
-
-irv = -1;
-if (EVP_EncryptUpdate(ctx, out_p, &irv, plaintext, text_len) != 1)
-        err(1, "EVP_EncryptUpdate(plaintext)");
-if (irv != text_len)
-        errx(1, "text_len: want %d, got %d", text_len, irv);
-out_p += irv;
-
-/*
- * EVP_EncryptFinal(3) doesn't really do anything for CCM.
- * Call it anyway to stay closer to normal EVP_Encrypt*(3) idioms,
- * to match what the OpenSSL Wiki suggests since 2013, and to ease
- * later migration of the code to a different AEAD algorithm.
- */
-irv = -1;
-if (EVP_EncryptFinal(ctx, out_p, &irv) != 1)
-        err(1, "EVP_EncryptFinal");
-if (irv != 0)
-        errx(1, "final_len: want 0, got %d", irv);
-
-/* check output data */
-if (memcmp(out_buf + aad_len, ciphertext, text_len) != 0)
-        errx(1, "ciphertext mismatch");
-
-if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG,
-    tag_len, out_p) <= 0)
-        err(1, "EVP_CTRL_CCM_GET_TAG");
-if (memcmp(out_p, wanted_tag, tag_len) != 0)
-        errx(1, "tag mismatch");
-out_p += tag_len;
-if (out_p != out_end)
-        errx(1, "end of output: want %p, got %p", out_end, out_p);
-
-printf("Total packet length = %d.", out_len);
-printf(" [Authenticated and Encrypted Output]");
-for (i = 0; i < out_len; i++) {
-        if (i % 16 == 0)
-                printf("\en         ");
-        if (i % 4 == 0)
-                putchar(' ');
-        printf(" %02X", out_buf[i]);
-}
-putchar('\en');
-
-EVP_CIPHER_CTX_free(ctx);
-.Ed
-.Pp
-The reverse operation for the same test vector,
-i.e. decrypting and comparing the digest,
-is implemented by the following code.
-.Pp
-The variable declarations and definitions up to the call of
-.Xr EVP_CIPHER_CTX_new 3
-are the same as above.
-The chief differences are:
-.Bl -dash -width 1n -compact
-.It
-The tag is not part of the output,
-so the total output length is shorter.
-.It
-No
-.Xr memcmp 3
-of the tag takes place.
-Instead, the control command
-.Dv EVP_CTRL_CCM_SET_TAG
-requires the tag that is going to be verified as an additional argument.
-.It
-While
-.Xr EVP_EncryptFinal 3
-is an optional no-op,
-.Xr EVP_DecryptFinal 3
-is not called and would fail.
-.El
-.Bd -literal -offset indent
-const int out_len = aad_len + text_len;
-
-/* configuration */
-ctx = EVP_CIPHER_CTX_new();
-if (ctx == NULL)
-        err(1, "EVP_CIPHER_CTX_new");
-
-if (EVP_DecryptInit(ctx, EVP_aes_128_ccm(), NULL, NULL) != 1)
-        err(1, "EVP_DecryptInit(NULL)");
-
-if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, size_len, NULL) <= 0)
-        err(1, "EVP_CTRL_CCM_SET_L(%d)", size_len);
-
-if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG,
-    tag_len, (void *)wanted_tag) <= 0)
-        err(1, "EVP_CTRL_CCM_SET_TAG(%d)", tag_len);
-
-/* process input data */
-if (EVP_DecryptInit(ctx, NULL, key, nonce) != 1)
-        err(1, "EVP_DecryptInit(key, nonce)");
-
-if (EVP_DecryptUpdate(ctx, NULL, &irv, NULL, text_len) != 1)
-        err(1, "EVP_DecryptUpdate(len = %d)", text_len);
-if (irv != text_len)
-        errx(1, "text length: want %d, got %d", text_len, irv);
-
-irv = -1;
-if (EVP_DecryptUpdate(ctx, NULL, &irv, aad, aad_len) != 1)
-        err(1, "EVP_DecryptUpdate(AAD)");
-memcpy(out_p, aad, aad_len);
-out_p += aad_len;
-
-irv = -1;
-if (EVP_DecryptUpdate(ctx, out_p, &irv, ciphertext, text_len) != 1)
-        err(1, "EVP_DecryptUpdate(ciphertext)");
-if (irv != text_len)
-        errx(1, "text_len: want %d, got %d", text_len, irv);
-out_p += irv;
-
-/* Do not call EVP_DecryptFinal(3); it would fail and do nothing. */
-
-/* check output data */
-if (memcmp(out_buf + aad_len, plaintext, text_len) != 0)
-        errx(1, "plaintext mismatch");
-if (out_p != out_end)
-        errx(1, "end of output: want %p, got %p", out_end, out_p);
-
-printf("Total packet length = %d.", out_len);
-printf(" [Decrypted and Authenticated Input]");
-for (i = 0; i < out_len; i++) {
-        if (i % 16 == 0)
-                printf("\n         ");
-        if (i % 4 == 0)
-                putchar(' ');
-        printf(" %02X", out_buf[i]);
-}
-putchar('\n');
-
-EVP_CIPHER_CTX_free(ctx);
-.Ed
-.Sh SEE ALSO
-.Xr AES_encrypt 3 ,
-.Xr evp 3 ,
-.Xr EVP_aes_128_cbc 3 ,
-.Xr EVP_aes_128_gcm 3 ,
-.Xr EVP_EncryptInit 3
-.Sh STANDARDS
-.Rs
-.%A Doug Whiting
-.%A Russ Housley
-.%A Niels Ferguson
-.%T Counter with CBC-MAC (CCM)
-.%R RFC 3610
-.%D September 2003
-.Re
-.Sh HISTORY
-.Fn EVP_aes_128_ccm ,
-.Fn EVP_aes_192_ccm ,
-and
-.Fn EVP_aes_256_ccm
-first appeared in OpenSSL 1.0.1 and have been available since
-.Ox 5.3 .
diff --git a/src/lib/libcrypto/man/EVP_aes_128_gcm.3 b/src/lib/libcrypto/man/EVP_aes_128_gcm.3
deleted file mode 100644
index 53c41ea162..0000000000
--- a/src/lib/libcrypto/man/EVP_aes_128_gcm.3
+++ /dev/null
@@ -1,254 +0,0 @@
-.\" $OpenBSD: EVP_aes_128_gcm.3,v 1.2 2024/12/29 12:27:28 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
-.\" OpenSSL EVP_aes.pod a1ec85c1 Apr 21 10:49:12 2020 +0100
-.\"
-.\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" This file is a derived work containing a few sentences
-.\" written by Dr. Stephen Henson <steve@openssl.org>
-.\" covered by the following license:
-.\"
-.\" Copyright (c) 2012 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 29 2024 $
-.Dt EVP_AES_128_GCM 3
-.Os
-.Sh NAME
-.Nm EVP_aes_128_gcm ,
-.Nm EVP_aes_192_gcm ,
-.Nm EVP_aes_256_gcm
-.Nd EVP AES cipher in Galois Counter Mode
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_128_gcm void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_192_gcm void
-.Ft const EVP_CIPHER *
-.Fn EVP_aes_256_gcm void
-.Sh DESCRIPTION
-.Fn EVP_aes_128_gcm ,
-.Fn EVP_aes_192_gcm ,
-and
-.Fn EVP_aes_256_gcm
-provide the Advanced Encryption Standard algorithm for 128, 192 and 256-bit
-keys in and Galois Counter Mode in the
-.Xr evp 3
-framework.
-.Pp
-For GCM mode ciphers, the behaviour of the EVP interface is subtly
-altered and several additional
-.Xr EVP_CIPHER_CTX_ctrl 3
-operations are required to function correctly.
-Some of the
-.Dv EVP_CTRL_GCM_*
-control commands are older aliases for corresponding
-.Dv EVP_CTRL_AEAD_*
-constants as indicated below.
-.Pp
-To avoid using the cumbersome and error-prone API documented
-in the present manual page, consider using the functions documented in
-.Xr EVP_AEAD_CTX_init 3
-instead.
-.Ss Configuration controls
-.\" The following constants are intentionally undocumented
-.\" because they are very rarely used in application programs:
-.\" EVP_GCM_TLS_FIXED_IV_LEN (unused in the library)
-.\" EVP_GCM_TLS_EXPLICIT_IV_LEN and EVP_GCM_TLS_TAG_LEN (used internally
-.\" only in aes_gcm_tls_cipher(), which is unused)
-.Bl -tag -width Ds
-.It Dv EVP_CTRL_AEAD_SET_IVLEN Pq == Dv EVP_CTRL_GCM_SET_IVLEN
-Set the length of the initialization vector to
-.Fa arg
-bytes; the
-.Fa ptr
-argument is ignored and passing
-.Dv NULL
-is recommended.
-This call can only be made before specifying an initialization vector.
-If not called, the default IV length of 12 bytes is used.
-.Pp
-Using this control command is discouraged because section 5.2.1.1 of the
-specification explicitly recommends that implementations of GCM restrict
-support to the default IV length of 12 bytes for interoperability,
-efficiency, and simplicity of design.
-.It Dv EVP_CTRL_AEAD_SET_IV_FIXED Pq == Dv EVP_CTRL_GCM_SET_IV_FIXED
-Usually, \-1 is passed for
-.Fa arg .
-In that case, the complete initialization vector is copied from
-.Fa ptr .
-.Pp
-Otherwise, set the fixed field at the beginning of the initialization
-vector to the
-.Fa arg
-bytes pointed to by
-.Fa ptr .
-When encrypting, also generate the remaining bytes
-of the initialization vector at random.
-It is an error to specify an
-.Fa arg
-that is less than 4 or so large that less than 8 bytes remain.
-.El
-.Ss Encryption controls
-.Bl -tag -width Ds
-.It Dv EVP_CTRL_GCM_IV_GEN
-Generate the precounter block from the initialization vector,
-copy the last
-.Fa arg
-bytes of the initialization vector to the location pointed to by
-.Fa ptr ,
-or all of it if
-.Fa arg
-is less than 1 or greater than the length of the initialization vector,
-and increment the initialization vector by 1.
-Incrementing ignores the IV length and the fixed field length
-that may have been configured earlier and always operates on the
-last eight bytes of the initialization vector.
-It is an error to issue this command
-when no key or no initialization vector is set.
-.It Dv EVP_CTRL_AEAD_GET_TAG Pq == Dv EVP_CTRL_GCM_GET_TAG
-Write
-.Fa arg
-bytes of the tag value to the location pointed to by
-.Fa ptr .
-This control command only makes sense after all data has been processed,
-e.g. after calling
-.Xr EVP_EncryptFinal 3 .
-It is an error to issue this command while decrypting,
-before any data has been processed, or to specify an
-.Fa arg
-that is less than 1 or greater than 16.
-.El
-.Pp
-To specify any additional authenticated data (AAD), call
-.Xr EVP_EncryptUpdate 3
-with the
-.Fa out
-argument set to
-.Dv NULL .
-.Ss Decryption controls
-.Bl -tag -width Ds
-.It Dv EVP_CTRL_GCM_SET_IV_INV
-Copy
-.Fa arg
-bytes from
-.Fa ptr
-to the last bytes of the initialization vector
-and generate the precounter block from the initialization vector.
-The library does not check whether the arguments are consistent
-with the configured initialization vector and fixed field lengths.
-When default lengths are in use, pass 8 for
-.Fa arg .
-In that case, this control command sets the invocation field.
-It is an error to issue this command
-when no key or no initialization vector is set, or when encrypting.
-.It Dv EVP_CTRL_AEAD_SET_TAG Pq == Dv EVP_CTRL_GCM_SET_TAG
-Set the expected tag to the
-.Fa arg
-bytes located at
-.Fa ptr .
-This control command is mandatory before any data is processed,
-e.g. before calling
-.Xr EVP_DecryptUpdate 3 .
-It is an error to issue this command while encrypting or to specify an
-.Fa arg
-that is less than 1 or greater than 16.
-.El
-.Pp
-To specify any additional authenticated data (AAD), call
-.Xr EVP_DecryptUpdate 3
-with the
-.Fa out
-argument set to
-.Dv NULL .
-.Pp
-If the return value of
-.Xr EVP_DecryptFinal 3 ,
-.Xr EVP_DecryptFinal_ex 3 ,
-.Xr EVP_CipherFinal 3 ,
-or
-.Xr EVP_CipherFinal_ex 3
-does not indicate success when decrypting,
-the authentication operation failed.
-In that case, regard any output data as corrupted.
-.Sh SEE ALSO
-.Xr AES_encrypt 3 ,
-.Xr evp 3 ,
-.Xr EVP_AEAD_CTX_init 3 ,
-.Xr EVP_aes_128_cbc 3 ,
-.Xr EVP_CIPHER_CTX_ctrl 3 ,
-.Xr EVP_EncryptInit 3
-.Sh STANDARDS
-.Rs
-.%A Morris Dworkin
-.%I National Institute of Standards and Technology
-.%R Recommendation for Block Cipher Modes of Operation:\
- Galois/Counter Mode (GCM) and GMAC
-.%N NIST Special Publication 800-38D
-.%C Gaithersburg, Maryland
-.%D November 2007
-.Re
-.Sh HISTORY
-.Fn EVP_aes_128_gcm ,
-.Fn EVP_aes_192_gcm ,
-and
-.Fn EVP_aes_256_gcm
-first appeared in OpenSSL 1.0.1 and have been available since
-.Ox 5.3 .
diff --git a/src/lib/libcrypto/man/EVP_camellia_128_cbc.3 b/src/lib/libcrypto/man/EVP_camellia_128_cbc.3
deleted file mode 100644
index 6f15a85f7f..0000000000
--- a/src/lib/libcrypto/man/EVP_camellia_128_cbc.3
+++ /dev/null
@@ -1,151 +0,0 @@
-.\" $OpenBSD: EVP_camellia_128_cbc.3,v 1.3 2024/11/09 22:03:49 schwarze Exp $
-.\" selective merge up to: OpenSSL 7c6d372a Nov 20 13:20:01 2018 +0000
-.\"
-.\" This file was written by Ronald Tse <ronald.tse@ribose.com>
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 9 2024 $
-.Dt EVP_CAMELLIA_128_CBC 3
-.Os
-.Sh NAME
-.Nm EVP_camellia_128_cbc ,
-.Nm EVP_camellia_192_cbc ,
-.Nm EVP_camellia_256_cbc ,
-.Nm EVP_camellia_128_cfb ,
-.Nm EVP_camellia_192_cfb ,
-.Nm EVP_camellia_256_cfb ,
-.Nm EVP_camellia_128_cfb1 ,
-.Nm EVP_camellia_192_cfb1 ,
-.Nm EVP_camellia_256_cfb1 ,
-.Nm EVP_camellia_128_cfb8 ,
-.Nm EVP_camellia_192_cfb8 ,
-.Nm EVP_camellia_256_cfb8 ,
-.Nm EVP_camellia_128_cfb128 ,
-.Nm EVP_camellia_192_cfb128 ,
-.Nm EVP_camellia_256_cfb128 ,
-.Nm EVP_camellia_128_ecb ,
-.Nm EVP_camellia_192_ecb ,
-.Nm EVP_camellia_256_ecb ,
-.Nm EVP_camellia_128_ofb ,
-.Nm EVP_camellia_192_ofb ,
-.Nm EVP_camellia_256_ofb
-.Nd EVP Camellia cipher
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_128_cbc void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_192_cbc void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_256_cbc void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_128_cfb void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_192_cfb void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_256_cfb void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_128_cfb1 void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_192_cfb1 void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_256_cfb1 void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_128_cfb8 void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_192_cfb8 void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_256_cfb8 void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_128_cfb128 void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_192_cfb128 void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_256_cfb128 void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_128_ecb void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_192_ecb void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_256_ecb void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_128_ofb void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_192_ofb void
-.Ft const EVP_CIPHER *
-.Fn EVP_camellia_256_ofb void
-.Sh DESCRIPTION
-These functions provide the Camellia encryption algorithm in the
-.Xr evp 3
-framework.
-Camellia is a block cipher operating on 128 bit blocks.
-These functions use 128, 192, and 256-bit keys
-in the following modes, respectively:
-CBC, CFB with 1-bit shift, CFB with 8-bit shift, CFB with 128-bit shift,
-ECB, and OFB.
-.Pp
-.Fn EVP_camellia_128_cfb ,
-.Fn EVP_camellia_192_cfb ,
-and
-.Fn EVP_camellia_256_cfb
-are aliases for
-.Fn EVP_camellia_128_cfb128 ,
-.Fn EVP_camellia_192_cfb128 ,
-and
-.Fn EVP_camellia_256_cfb128 ,
-implemented as macros.
-.Sh RETURN VALUES
-These functions return an
-.Vt EVP_CIPHER
-structure that provides the implementation of the symmetric cipher.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_EncryptInit 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8c
-and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/EVP_chacha20.3 b/src/lib/libcrypto/man/EVP_chacha20.3
deleted file mode 100644
index 8fc79dbf2b..0000000000
--- a/src/lib/libcrypto/man/EVP_chacha20.3
+++ /dev/null
@@ -1,292 +0,0 @@
-.\" $OpenBSD: EVP_chacha20.3,v 1.8 2024/12/09 11:55:52 schwarze Exp $
-.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ronald Tse <ronald.tse@ribose.com>.
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 9 2024 $
-.Dt EVP_CHACHA20 3
-.Os
-.Sh NAME
-.Nm EVP_chacha20 ,
-.Nm EVP_chacha20_poly1305
-.Nd ChaCha20 stream cipher for EVP
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft const EVP_CIPHER *
-.Fn EVP_chacha20 void
-.Ft const EVP_CIPHER *
-.Fn EVP_chacha20_poly1305 void
-.Sh DESCRIPTION
-.Fn EVP_chacha20
-provides the ChaCha20 stream cipher in the EVP framework.
-.Xr EVP_EncryptInit_ex 3 ,
-.Xr EVP_DecryptInit_ex 3 ,
-and
-.Xr EVP_CipherInit_ex 3
-take a
-.Fa key
-argument of 32 bytes = 256 bits and an
-.Fa iv
-argument of 16 bytes = 128 bits, internally using
-.Xr ChaCha_set_key 3
-and
-.Xr ChaCha_set_iv 3 .
-The lower 8 bytes = 64 bits of
-.Fa iv
-are used as counter and the remaining 8 bytes are used as
-the initialization vector of
-.Xr ChaCha_set_iv 3 .
-.Xr EVP_EncryptUpdate 3 ,
-.Xr EVP_EncryptFinal_ex 3 ,
-.Xr EVP_DecryptUpdate 3 ,
-and
-.Xr EVP_DecryptFinal_ex 3
-internally use
-.Xr ChaCha 3
-to perform encryption and decryption.
-.Xr EVP_CIPHER_CTX_ctrl 3
-always fails for
-.Fa ctx
-objects created from
-.Fn EVP_chacha20 .
-.Pp
-.Fn EVP_chacha20_poly1305
-provides authenticated encryption with ChaCha20-Poly1305.
-Unless compatibility with other implementations
-like OpenSSL or BoringSSL is required, using
-.Xr EVP_AEAD_CTX_init 3
-with
-.Xr EVP_aead_chacha20_poly1305 3
-is recommended instead because the code then becomes transparent
-to the AEAD cipher used, more flexible, and less error prone.
-.Pp
-With
-.Fn EVP_chacha20_poly1305 ,
-.Xr EVP_EncryptInit_ex 3 ,
-.Xr EVP_DecryptInit_ex 3 ,
-and
-.Xr EVP_CipherInit_ex 3
-take a
-.Fa key
-argument of 32 bytes = 256 bits and an
-.Fa iv
-argument of 12 bytes = 96 bits.
-This supports additional authenticated data (AAD) and produces a 128-bit
-authentication tag.
-The constant
-.Dv EVP_CHACHAPOLY_TLS_TAG_LEN
-specifies the length of the authentication tag in bytes and has a value of 16.
-.Pp
-The following
-.Fa type
-arguments are supported for
-.Xr EVP_CIPHER_CTX_ctrl 3 :
-.Bl -tag -width Ds
-.It Dv EVP_CTRL_AEAD_GET_TAG
-Copy the number of bytes indicated by the
-.Fa arg
-argument from the tag to the location indicated by the
-.Fa ptr
-argument;
-to be called after
-.Xr EVP_EncryptFinal_ex 3 .
-This control operation fails if the
-.Fa ctx
-is not configured for encryption or if
-.Fa arg
-is less than 1 or greater than 16.
-.It Dv EVP_CTRL_AEAD_SET_TAG
-Copy the number of bytes indicated by the
-.Fa arg
-argument from the location indicated by the
-.Fa ptr
-argument and designate them as the expected tag length and tag,
-causing subsequent
-.Xr EVP_DecryptFinal_ex 3
-to fail if the tag calculated during decryption does not match.
-It is strongly recommended to specify
-.Fa arg
-as exactly 16.
-Otherwise, only the initial part of the tag may be compared
-and mismatches near the end of the tag may get silently ignored.
-This control operation fails if the
-.Fa ctx
-is configured for encryption or if
-.Fa arg
-is less than 1 or greater than 16.
-If the
-.Fa ptr
-argument is a
-.Dv NULL
-pointer, this control operation succeeds without having any effect.
-.It Dv EVP_CTRL_AEAD_SET_IV_FIXED
-Set the initialization vector by reading the 12 bytes pointed to by the
-.Fa ptr
-argument, independently of
-.Xr EVP_EncryptInit_ex 3 ,
-.Xr EVP_DecryptInit_ex 3 ,
-and
-.Xr EVP_CipherInit_ex 3 .
-This control operation fails if the
-.Fa arg
-argument is not exactly 12.
-.It Dv EVP_CTRL_AEAD_SET_IVLEN
-Instruct subsequent
-.Xr EVP_EncryptInit_ex 3 ,
-.Xr EVP_DecryptInit_ex 3 ,
-or
-.Xr EVP_CipherInit_ex 3
-to expect an
-.Fa iv
-argument shorter than the default of 12 bytes; the
-.Fa arg
-argument specifies the number of bytes to be used.
-The initialization functions will only read
-the specified smaller number of bytes from
-.Fa iv
-and internally zero-pad them on the left.
-Using this is not recommended because it is likely more fragile
-and less often tested than the equivalent method of simply providing
-a full-sized
-.Fa iv .
-This control operation fails if
-.Fa arg
-is less than 1 or greater than 16.
-.It Dv EVP_CTRL_INIT
-Set the length of the initialization vector to the default value
-of 12 bytes and clear the Poly1305 internal state.
-The application program usually does not need to invoke this control
-operation manually because it is automatically called internally by
-.Xr EVP_EncryptInit_ex 3 ,
-.Xr EVP_DecryptInit_ex 3 ,
-and
-.Xr EVP_CipherInit_ex 3 .
-.El
-.Sh RETURN VALUES
-.Fn EVP_chacha20
-and
-.Fn EVP_chacha20_poly1305
-return pointers to static
-.Vt EVP_CIPHER
-objects that contain the implementations of the symmetric cipher.
-.Pp
-If
-.Fa ctx
-was created from
-.Fn EVP_chacha20
-or
-.Fn EVP_chacha20_poly1305 ,
-.Xr EVP_CIPHER_CTX_ctrl 3
-returns 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr ChaCha 3 ,
-.Xr evp 3 ,
-.Xr EVP_aead_chacha20_poly1305 3 ,
-.Xr EVP_CIPHER_meth_new 3 ,
-.Xr EVP_EncryptInit 3
-.Sh STANDARDS
-.Rs
-.%A A. Langley
-.%A W. Chang
-.%A N. Mavrogiannopoulos
-.%A J. Strombergson
-.%A S. Josefsson
-.%D June 2016
-.%R RFC 7905
-.%T ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
-.Re
-.Sh HISTORY
-.Fn EVP_chacha20
-first appeared in
-.Ox 5.6 .
-.Pp
-.Fn EVP_chacha20_poly1305
-first appeared in OpenSSL 1.1.0
-.\" OpenSSL commit bd989745 Dec 9 21:30:56 2015 +0100 Andy Polyakov
-and has been available since
-.Ox 7.2 .
-.Sh CAVEATS
-The original publications and code by
-.An Adam Langley
-used a modified AEAD construction that is incompatible with the common
-style used by AEAD in TLS and incompatible with RFC 7905:
-.Pp
-.Rs
-.%A A. Langley
-.%A W. Chang
-.%D November 2013
-.%R draft-agl-tls-chacha20poly1305-04
-.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
-.Re
-.Pp
-.Rs
-.%A Y. Nir
-.%A A. Langley
-.%D May 2018
-.%R RFC 8439
-.%T ChaCha20 and Poly1305 for IETF Protocols
-.Re
-.Pp
-In particular, the original version used a nonce of 8 instead of 12 bytes.
diff --git a/src/lib/libcrypto/man/EVP_des_cbc.3 b/src/lib/libcrypto/man/EVP_des_cbc.3
deleted file mode 100644
index 7c8a08c7db..0000000000
--- a/src/lib/libcrypto/man/EVP_des_cbc.3
+++ /dev/null
@@ -1,230 +0,0 @@
-.\" $OpenBSD: EVP_des_cbc.3,v 1.2 2024/11/09 22:03:49 schwarze Exp $
-.\" full merge up to:
-.\"   OpenSSL EVP_desx_cbc.pod 8fa4d95e Oct 21 11:59:09 2017 +0900
-.\" selective merge up to:
-.\"   OpenSSL EVP_des.pod 7c6d372a Nov 20 13:20:01 2018 +0000
-.\"
-.\" This file was written by Ronald Tse <ronald.tse@ribose.com>
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 9 2024 $
-.Dt EVP_DES_CBC 3
-.Os
-.Sh NAME
-.Nm EVP_des_cbc ,
-.Nm EVP_des_cfb ,
-.Nm EVP_des_cfb1 ,
-.Nm EVP_des_cfb8 ,
-.Nm EVP_des_cfb64 ,
-.Nm EVP_des_ecb ,
-.Nm EVP_des_ofb ,
-.Nm EVP_des_ede ,
-.Nm EVP_des_ede_cbc ,
-.Nm EVP_des_ede_cfb ,
-.Nm EVP_des_ede_cfb64 ,
-.Nm EVP_des_ede_ecb ,
-.Nm EVP_des_ede_ofb ,
-.Nm EVP_des_ede3 ,
-.Nm EVP_des_ede3_cbc ,
-.Nm EVP_des_ede3_cfb ,
-.Nm EVP_des_ede3_cfb1 ,
-.Nm EVP_des_ede3_cfb8 ,
-.Nm EVP_des_ede3_cfb64 ,
-.Nm EVP_des_ede3_ecb ,
-.Nm EVP_des_ede3_ofb ,
-.Nm EVP_desx_cbc
-.Nd EVP DES cipher
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft const EVP_CIPHER *
-.Fn EVP_des_cbc void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_cfb void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_cfb1 void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_cfb8 void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_cfb64 void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ecb void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ofb void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ede void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ede_cbc void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ede_cfb void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ede_cfb64 void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ede_ecb void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ede_ofb void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ede3 void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ede3_cbc void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ede3_cfb void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ede3_cfb1 void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ede3_cfb8 void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ede3_cfb64 void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ede3_ecb void
-.Ft const EVP_CIPHER *
-.Fn EVP_des_ede3_ofb void
-.Ft const EVP_CIPHER *
-.Fn EVP_desx_cbc void
-.Sh DESCRIPTION
-These functions provide the DES encryption algorithm in the
-.Xr evp 3
-framework.
-DES is a block cipher operating on 64 bit blocks.
-The key length to be used for
-.Xr EVP_EncryptInit 3
-is 64 bits.
-However, only 56 of these bits are used in the encryption algorithm.
-The least significant bit in each of the eight bytes is only used
-for checking parity.
-Using this algorithm is discouraged because the short key length
-makes it vulnerable to brute force attacks.
-.Pp
-.Fn EVP_des_cbc ,
-.Fn EVP_des_cfb1 ,
-.Fn EVP_des_cfb8 ,
-.Fn EVP_des_cfb64 ,
-.Fn EVP_des_ecb ,
-and
-.Fn EVP_des_ofb
-provide DES in CBC, CFB with 1-bit shift, CFB with 8-bit shift,
-CFB with 64-bit shift, ECB, and OFB modes.
-.Fn EVP_des_cfb
-is an alias for
-.Fn EVP_des_cfb64 ,
-implemented as a macro.
-.Pp
-.Fn EVP_des_ede_cbc ,
-.Fn EVP_des_ede_cfb64 ,
-.Fn EVP_des_ede_ecb ,
-and
-.Fn EVP_des_ede_ofb
-provide two key triple DES in CBC, CFB with 64-bit shift, ECB, and OFB modes.
-.Fn EVP_des_ede_cfb
-is an alias for
-.Fn EVP_des_ede_cfb64 ,
-implemented as a macro.
-.Fn EVP_des_ede
-is an alias for
-.Fn EVP_des_ede_ecb .
-.Pp
-.Fn EVP_des_ede3_cbc ,
-.Fn EVP_des_ede3_cfb1 ,
-.Fn EVP_des_ede3_cfb8 ,
-.Fn EVP_des_ede3_cfb64 ,
-.Fn EVP_des_ede3_ecb ,
-.Fn EVP_des_ede3_ofb
-provide three key triple DES in CBC, CFB with 1-bit shift, CFB with 8-bit
-shift, CFB with 64-bit shift, ECB, and OFB modes.
-.Fn EVP_des_ede3_cfb
-is an alias for
-.Fn EVP_des_ede3_cfb64 ,
-implemented as a macro.
-.Fn EVP_des_ede3
-is an alias for
-.Fn EVP_des_ede3_ecb .
-.Pp
-.Fn EVP_desx_cbc
-provides the DES-X encryption algorithm in CBC mode.
-It uses a key length of 128 bits and acts on blocks of 128 bits.
-.Sh RETURN VALUES
-These functions return an
-.Vt EVP_CIPHER
-structure that provides the implementation of the symmetric cipher.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_EncryptInit 3
-.Sh HISTORY
-.Fn EVP_des_cbc ,
-.Fn EVP_des_cfb ,
-.Fn EVP_des_ecb ,
-.Fn EVP_des_ofb ,
-.Fn EVP_des_ede ,
-.Fn EVP_des_ede_cbc ,
-.Fn EVP_des_ede_cfb ,
-.Fn EVP_des_ede_ofb ,
-.Fn EVP_des_ede3 ,
-.Fn EVP_des_ede3_cbc ,
-.Fn EVP_des_ede3_cfb ,
-and
-.Fn EVP_des_ede3_ofb
-first appeared in SSLeay 0.5.1.
-.Fn EVP_desx_cbc
-first appeared in SSLeay 0.6.2.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_des_ede_ecb
-and
-.Fn EVP_des_ede3_ecb
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn EVP_des_cfb1 ,
-.Fn EVP_des_cfb8 ,
-.Fn EVP_des_cfb64 ,
-.Fn EVP_des_ede_cfb64 ,
-.Fn EVP_des_ede3_cfb1 ,
-.Fn EVP_des_ede3_cfb8 ,
-and
-.Fn EVP_des_ede3_cfb64
-first appeared in OpenSSL 0.9.7e and have been available since
-.Ox 3.8 .
diff --git a/src/lib/libcrypto/man/EVP_rc2_cbc.3 b/src/lib/libcrypto/man/EVP_rc2_cbc.3
deleted file mode 100644
index 38c8184260..0000000000
--- a/src/lib/libcrypto/man/EVP_rc2_cbc.3
+++ /dev/null
@@ -1,201 +0,0 @@
-.\" $OpenBSD: EVP_rc2_cbc.3,v 1.1 2024/12/08 17:41:23 schwarze Exp $
-.\"
-.\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 8 2024 $
-.Dt EVP_RC2_CBC 3
-.Os
-.Sh NAME
-.Nm EVP_rc2_cbc ,
-.Nm EVP_rc2_ecb ,
-.Nm EVP_rc2_cfb64 ,
-.Nm EVP_rc2_cfb ,
-.Nm EVP_rc2_ofb ,
-.Nm EVP_rc2_40_cbc ,
-.Nm EVP_rc2_64_cbc
-.Nd Rivest Cipher 2 in the EVP framework
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft const EVP_CIPHER *
-.Fn EVP_rc2_cbc void
-.Ft const EVP_CIPHER *
-.Fn EVP_rc2_ecb void
-.Ft const EVP_CIPHER *
-.Fn EVP_rc2_cfb64 void
-.Ft const EVP_CIPHER *
-.Fn EVP_rc2_cfb void
-.Ft const EVP_CIPHER *
-.Fn EVP_rc2_ofb void
-.Ft const EVP_CIPHER *
-.Fn EVP_rc2_40_cbc void
-.Ft const EVP_CIPHER *
-.Fn EVP_rc2_64_cbc void
-.In openssl/rc2.h
-.Fd #define RC2_BLOCK 8
-.Fd #define RC2_KEY_LENGTH 16
-.Sh DESCRIPTION
-RC2 is a block cipher operating on blocks of
-.Dv RC2_BLOCK No = 8
-bytes, equivalent to 64 bits, using a variable
-.Fa key
-length with an additional parameter called
-.Dq effective key bits
-or
-.Dq effective key length .
-.Pp
-.Fn EVP_rc2_cbc ,
-.Fn EVP_rc2_ecb ,
-.Fn EVP_rc2_cfb64 ,
-and
-.Fn EVP_rc2_ofb
-provide the RC2 encryption algorithm in CBC, ECB, CFB and OFB mode,
-respectively.
-.Fn EVP_rc2_cfb
-is an alias for
-.Fn EVP_rc2_cfb64 ,
-implemented as a macro.
-.Pp
-By default, these functions set both the key length
-and the effective key length to
-.Dv RC2_KEY_LENGTH No = 16
-bytes, which is not a very useful value because it is quite short.
-.Pp
-Configuring normally requires a multi-step process:
-.Bl -enum -width 2n
-.It
-Create a new, empty
-.Vt EVP_CIPHER_CTX
-object with
-.Xr EVP_CIPHER_CTX_new 3 .
-.It
-Select the operation mode by calling
-.Xr EVP_EncryptInit 3
-with the desired
-.Fa type
-argument, passing
-.Dv NULL
-pointers for the
-.Fa key
-and
-.Fa iv
-arguments.
-.It
-Select the
-.Fa key
-length by passing the desired number of bytes to
-.Xr EVP_CIPHER_CTX_set_key_length 3 .
-Doing so overrides the default key length of
-.Dv RC2_KEY_LENGTH No = 16 .
-Valid values for
-.Fa keylen
-are positive and less than or equal to 128.
-.It
-Select the effective key length by calling
-.Xr EVP_CIPHER_CTX_ctrl 3
-with a
-.Fa type
-argument of
-.Dv EVP_CTRL_SET_RC2_KEY_BITS ,
-passing the desired number of bits in
-.Fa arg .
-Doing so overrides the default effective key length of 128 bits.
-Valid values for
-.Fa arg
-are positive and less than or equal to 1024.
-The
-.Fa ptr
-argument is ignored; passing
-.Dv NULL
-is recommended.
-.It
-Call
-.Xr EVP_EncryptInit 3
-a second time, this time passing
-.Dv NULL
-for the type argument.
-The
-.Fa key
-argument points to an array containing the number of bytes that was passed to
-.Xr EVP_CIPHER_CTX_set_key_length 3 ,
-and the
-.Fa iv
-argument points to an array of eight bytes.
-.It
-Finally,
-.Xr EVP_EncryptUpdate 3
-and
-.Xr EVP_EncryptFinal 3
-can be used in the normal way.
-.El
-.Pp
-Once a
-.Fa ctx
-object is fully configured, calling
-.Xr EVP_CIPHER_CTX_ctrl 3
-with a
-.Fa type
-argument of
-.Dv EVP_CTRL_GET_RC2_KEY_BITS
-interprets
-.Fa ptr
-as a pointer to
-.Vt int
-and stores the effective key length in bits at that location.
-In this case,
-.Fa arg
-is ignored and passing 0 is recommended.
-.Pp
-In the CFB and OFB modes, the minimum required total length in bytes
-of the output buffer is equal to the total number of input bytes to
-be encoded.
-In the CBC and ECB modes, the minimum required total length
-of the output buffer has to be rounded up to the next multiple
-of the block size of eight bytes.
-.Pp
-.Fn EVP_rc2_40_cbc
-and
-.Fn EVP_rc2_64_cbc
-are obsolete functions that provide the RC2 algorithm in CBC mode
-with a key length and an effective key length of 40 and 64 bits,
-respectively.
-.Sh RETURN VALUES
-With the
-.Vt EVP_CIPHER
-objects documented in the present manual page,
-.Fn EVP_CIPHER_CTX_ctrl
-returns 1 for success or 0 if an error occurs.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_CIPHER_CTX_set_key_length 3 ,
-.Xr EVP_EncryptInit 3 ,
-.Xr RC2_encrypt 3
-.Sh HISTORY
-.Fn EVP_rc2_cbc ,
-.Fn EVP_rc2_ecb ,
-.Fn EVP_rc2_cfb ,
-and
-.Fn EVP_rc2_ofb
-first appeared in SSLeay 0.5.2 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_rc2_40_cbc
-and
-.Fn EVP_rc2_64_cbc
-first appeared in SSLeay 0.9.1 and have been available since
-.Ox 2.6 .
-.Pp
-.Fn EVP_rc2_cfb64
-first appeared in OpenSSL 0.9.7e and has been available since
-.Ox 3.8 .
diff --git a/src/lib/libcrypto/man/EVP_rc4.3 b/src/lib/libcrypto/man/EVP_rc4.3
deleted file mode 100644
index fda041113c..0000000000
--- a/src/lib/libcrypto/man/EVP_rc4.3
+++ /dev/null
@@ -1,109 +0,0 @@
-.\" $OpenBSD: EVP_rc4.3,v 1.1 2019/03/21 13:37:25 schwarze Exp $
-.\" full merge up to: OpenSSL 8fa4d95e Oct 21 11:59:09 2017 +0900
-.\"
-.\" This file was written by Ronald Tse <ronald.tse@ribose.com>
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 21 2019 $
-.Dt EVP_RC4 3
-.Os
-.Sh NAME
-.Nm EVP_rc4 ,
-.Nm EVP_rc4_40 ,
-.Nm EVP_rc4_hmac_md5
-.Nd EVP RC4 stream cipher
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft const EVP_CIPHER *
-.Fn EVP_rc4 void
-.Ft const EVP_CIPHER *
-.Fn EVP_rc4_40 void
-.Ft const EVP_CIPHER *
-.Fn EVP_rc4_hmac_md5 void
-.Sh DESCRIPTION
-These functions provide the RC4 stream cipher in the
-.Xr evp 3
-framework.
-It is a variable key length cipher.
-.Pp
-.Fn EVP_rc4
-uses a default key length of 128 bits.
-.Pp
-.Fn EVP_rc4_40
-uses a key length of 40 bits instead.
-This function is deprecated.
-Use
-.Fn EVP_rc4
-and
-.Xr EVP_CIPHER_CTX_set_key_length 3
-instead.
-.Pp
-.Fn EVP_rc4_hmac_md5
-provides authenticated encryption with the RC4 stream cipher
-with MD5 as HMAC.
-This function is not intended for usage outside of TLS
-and requires calling of some undocumented control functions.
-It does not conform to the EVP AEAD interface.
-.Sh RETURN VALUES
-These functions return an
-.Vt EVP_CIPHER
-structure that provides the implementation of the symmetric cipher.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_EncryptInit 3
-.Sh HISTORY
-.Fn EVP_rc4
-first appeared in SSLeay 0.5.1
-and
-.Fn EVP_rc4_40
-in OpenSSL 0.9.1.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_rc4_hmac_md5
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
diff --git a/src/lib/libcrypto/man/EVP_sha1.3 b/src/lib/libcrypto/man/EVP_sha1.3
deleted file mode 100644
index b28c9f54c3..0000000000
--- a/src/lib/libcrypto/man/EVP_sha1.3
+++ /dev/null
@@ -1,120 +0,0 @@
-.\" $OpenBSD: EVP_sha1.3,v 1.2 2024/03/05 17:21:40 tb Exp $
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 5 2024 $
-.Dt EVP_SHA1 3
-.Os
-.Sh NAME
-.Nm EVP_sha1 ,
-.Nm EVP_md5 ,
-.Nm EVP_md5_sha1 ,
-.Nm EVP_md4
-.Nd legacy message digest algorithms
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft const EVP_MD *
-.Fn EVP_sha1 void
-.Ft const EVP_MD *
-.Fn EVP_md5 void
-.Ft const EVP_MD *
-.Fn EVP_md5_sha1 void
-.Ft const EVP_MD *
-.Fn EVP_md4 void
-.Sh DESCRIPTION
-The following message digest algorithms are cryptographically broken.
-None of them should be used in new code unless there is no way around it.
-.Pp
-.Fn EVP_sha1
-implements the SHA-1 algorithm and produces 160 bits of output
-from a given input.
-Examples of protocols and software still requiring it
-include OCSP, DNS, and the
-.Sy git
-version control system.
-.Pp
-.Fn EVP_md5
-implements the MD5 algorithm and produces 128 bits of output
-from a given input.
-It is still occasionally used when no security is required
-but a fast hash algorithm is beneficial.
-.Pp
-.Fn EVP_md5_sha1
-produces concatenated MD5 and SHA-1 message digests.
-Do not use this except where it is required for the historic SSLv3 protocol.
-.Pp
-.Fn EVP_md4
-implements the MD4 algorithm and produces 128 bits of output
-from a given input.
-It has been marked as
-.Dq historic
-by the Internet Engineering Task Force since 2011.
-.Sh RETURN VALUES
-These functions return pointers to static
-.Vt EVP_MD
-objects implementing the hash functions.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_DigestInit 3
-.Sh STANDARDS
-.Rs
-.%A T. Polk
-.%A L. Chen
-.%A S. Turner
-.%A P. Hoffman
-.%T Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms
-.%R RFC 6194
-.%D March 2011
-.Re
-.Pp
-.Rs
-.%A S. Turner
-.%A L. Chen
-.%T Updated Security Considerations for the MD5 Message-Digest\
- and the HMAC-MD5 Algorithms
-.%R RFC 6151
-.%D March 2011
-.Re
-.Pp
-.Rs
-.%A S. Turner
-.%A L. Chen
-.%T MD4 to Historic Status
-.%R RFC 6150
-.%D March 2011
-.Re
-.Pp
-.Rs
-.%A P. Kocher
-.%A P. Karlton
-.%A A. Freier
-.%T The Secure Sockets Layer (SSL) Protocol Version 3.0
-.%R RFC 6101
-.%D August 2011
-.Re
-.Sh HISTORY
-.Fn EVP_sha1
-and
-.Fn EVP_md5
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_md4
-first appeared in OpenSSL 0.9.6 and has been available since
-.Ox 2.9 .
-.Pp
-.Fn EVP_md5_sha1
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/EVP_sha3_224.3 b/src/lib/libcrypto/man/EVP_sha3_224.3
deleted file mode 100644
index 3c21ae1a09..0000000000
--- a/src/lib/libcrypto/man/EVP_sha3_224.3
+++ /dev/null
@@ -1,91 +0,0 @@
-.\" $OpenBSD: EVP_sha3_224.3,v 1.3 2024/03/05 17:21:40 tb Exp $
-.\" selective merge up to: OpenSSL bbda8ce9 Oct 31 15:43:01 2017 +0800
-.\"
-.\" This file was written by Ronald Tse <ronald.tse@ribose.com>.
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 5 2024 $
-.Dt EVP_SHA3_224 3
-.Os
-.Sh NAME
-.Nm EVP_sha3_224 ,
-.Nm EVP_sha3_256 ,
-.Nm EVP_sha3_384 ,
-.Nm EVP_sha3_512
-.Nd Secure Hash Algorithm 3 for EVP
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft const EVP_MD *
-.Fn EVP_sha3_224 void
-.Ft const EVP_MD *
-.Fn EVP_sha3_256 void
-.Ft const EVP_MD *
-.Fn EVP_sha3_384 void
-.Ft const EVP_MD *
-.Fn EVP_sha3_512 void
-.Sh DESCRIPTION
-SHA-3 (Secure Hash Algorithm 3) is a family of cryptographic hash
-functions standardized in NIST FIPS 202, first published in 2015.
-It is based on the Keccak algorithm.
-.Pp
-.Fn EVP_sha3_224 ,
-.Fn EVP_sha3_256 ,
-.Fn EVP_sha3_384 ,
-and
-.Fn EVP_sha3_512
-implement the SHA3-224, SHA3-256, SHA3-384, and SHA3-512 algorithms
-and produce 224, 256, 384 and 512 bits of output from a given input,
-respectively.
-.Sh RETURN VALUES
-These functions return pointers to static
-.Vt EVP_MD
-objects implementing the hash functions.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_DigestInit 3
-.Sh STANDARDS
-NIST FIPS 202
diff --git a/src/lib/libcrypto/man/EVP_sm3.3 b/src/lib/libcrypto/man/EVP_sm3.3
deleted file mode 100644
index aa6789f249..0000000000
--- a/src/lib/libcrypto/man/EVP_sm3.3
+++ /dev/null
@@ -1,82 +0,0 @@
-.\" $OpenBSD: EVP_sm3.3,v 1.1 2019/08/25 17:08:20 schwarze Exp $
-.\" full merge up to: OpenSSL 21ebd2fc Aug 24 20:38:04 2018 +0800
-.\"
-.\" This file was written by Jack Lloyd <jack.lloyd@ribose.com>
-.\" and Ronald Tse <ronald.tse@ribose.com>.
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\" Copyright (c) 2017 Ribose Inc.  All Rights Reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 25 2019 $
-.Dt EVP_SM3 3
-.Os
-.Sh NAME
-.Nm EVP_sm3
-.Nd SM3 hash function for EVP
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft const EVP_MD *
-.Fn EVP_sm3 void
-.Sh DESCRIPTION
-SM3 is a cryptographic hash function with a 256-bit output.
-It is part of the Chinese
-.Dq Commercial Cryptography
-suite of algorithms which is required
-for certain commercial applications in China.
-.Sh RETURN VALUES
-.Fn EVP_sm3
-returns a pointer to a static
-.Vt EVP_MD
-object implementing the SM3 hash function.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_DigestInit 3
-.Sh STANDARDS
-GB/T 32905-2016 and GM/T 0004-2012
-.Sh HISTORY
-.Fn EVP_sm3
-first appeared in OpenSSL 1.1.1 and has been available since
-.Ox 6.5 .
diff --git a/src/lib/libcrypto/man/EVP_sm4_cbc.3 b/src/lib/libcrypto/man/EVP_sm4_cbc.3
deleted file mode 100644
index 0605a52faa..0000000000
--- a/src/lib/libcrypto/man/EVP_sm4_cbc.3
+++ /dev/null
@@ -1,82 +0,0 @@
-.\" $OpenBSD: EVP_sm4_cbc.3,v 1.2 2023/11/16 20:27:43 schwarze Exp $
-.\" full merge up to: OpenSSL 87103969 Oct 1 14:11:57 2018 -0700
-.\"
-.\" Copyright (c) 2017 Ribose Inc
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\" The original version of this file
-.\" was written by Ronald Tse <ronald.tse@ribose.com>.
-.\"
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 16 2023 $
-.Dt EVP_SM4_CBC 3
-.Os
-.Sh NAME
-.Nm EVP_sm4_cbc ,
-.Nm EVP_sm4_ecb ,
-.Nm EVP_sm4_cfb ,
-.Nm EVP_sm4_cfb128 ,
-.Nm EVP_sm4_ofb ,
-.Nm EVP_sm4_ctr
-.Nd EVP SM4 cipher
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft const EVP_CIPHER *
-.Fn EVP_sm4_cbc void
-.Ft const EVP_CIPHER *
-.Fn EVP_sm4_ecb void
-.Ft const EVP_CIPHER *
-.Fn EVP_sm4_cfb void
-.Ft const EVP_CIPHER *
-.Fn EVP_sm4_cfb128 void
-.Ft const EVP_CIPHER *
-.Fn EVP_sm4_ofb void
-.Ft const EVP_CIPHER *
-.Fn EVP_sm4_ctr void
-.Sh DESCRIPTION
-These functions provide the SM4 blockcipher in the
-.Xr evp 3
-framework.
-.Pp
-All modes use a key length of 128 bits and act on blocks of 128
-bits.
-.Pp
-.Fn EVP_sm4_cfb
-is an alias for
-.Fn EVP_sm4_cfb128 ,
-implemented as a macro.
-.Pp
-With an argument of
-.Qq sm4
-or
-.Qq SM4 ,
-.Xr EVP_get_cipherbyname 3
-returns
-.Fn EVP_sm4_cbc .
-.Sh RETURN VALUES
-These functions return an
-.Vt EVP_CIPHER
-structure that provides the implementation of the symmetric cipher.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_EncryptInit 3
-.Sh STANDARDS
-.Rs
-.%T Information security technology - SM4 block cipher algorithm
-.%I National Standards of People's Republic of China
-.%N GB/T 32907-2016
-.%D August 29, 2016
-.Re
-.Sh HISTORY
-These functions appeared in OpenSSL 1.1.1 and have been available since
-.Ox 6.5 .
diff --git a/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3 b/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3
deleted file mode 100644
index 3d1ed17ff3..0000000000
--- a/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3
+++ /dev/null
@@ -1,84 +0,0 @@
-.\" $OpenBSD: EXTENDED_KEY_USAGE_new.3,v 1.6 2021/10/27 11:24:47 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 27 2021 $
-.Dt EXTENDED_KEY_USAGE_NEW 3
-.Os
-.Sh NAME
-.Nm EXTENDED_KEY_USAGE_new ,
-.Nm EXTENDED_KEY_USAGE_free
-.Nd X.509 key usage restrictions
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft EXTENDED_KEY_USAGE
-.Fn EXTENDED_KEY_USAGE_new void
-.Ft void
-.Fn EXTENDED_KEY_USAGE_free "EXTENDED_KEY_USAGE *eku"
-.Sh DESCRIPTION
-By using the key usage extension, the extended key usage extension,
-or both of them,
-.Vt X509
-end entity certificates may indicate that the key contained in them
-is only intended to be used for the specified purposes.
-If both extensions are present, only uses compatible with both
-extensions are intended.
-.Pp
-.Fn EXTENDED_KEY_USAGE_new
-allocates and initializes an empty
-.Vt EXTENDED_KEY_USAGE
-object, which is a
-.Vt STACK_OF(ASN1_OBJECT)
-and represents an ASN.1
-.Vt ExtKeyUsageSyntax
-structure defined in RFC 5280 section 4.2.1.12.
-It can hold key purpose identifiers.
-.Pp
-.Fn EXTENDED_KEY_USAGE_free
-frees
-.Fa eku .
-.Pp
-The key usage extension uses the ASN.1 BIT STRING data type
-and doesn't require any dedicated object.
-.Sh RETURN VALUES
-.Fn EXTENDED_KEY_USAGE_new
-returns the new
-.Vt EXTENDED_KEY_USAGE
-object or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr BASIC_CONSTRAINTS_new 3 ,
-.Xr d2i_EXTENDED_KEY_USAGE 3 ,
-.Xr POLICYINFO_new 3 ,
-.Xr X509_check_purpose 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_get_extension_flags 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile:
-.Bl -dash -compact
-.It
-section 4.2.1.3: Key Usage
-.It
-section 4.2.1.12: Extended Key Usage
-.El
-.Sh HISTORY
-.Fn EXTENDED_KEY_USAGE_new
-and
-.Fn EXTENDED_KEY_USAGE_free
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/GENERAL_NAME_new.3 b/src/lib/libcrypto/man/GENERAL_NAME_new.3
deleted file mode 100644
index a6b7ee56da..0000000000
--- a/src/lib/libcrypto/man/GENERAL_NAME_new.3
+++ /dev/null
@@ -1,165 +0,0 @@
-.\"     $OpenBSD: GENERAL_NAME_new.3,v 1.6 2019/06/06 01:06:58 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 6 2019 $
-.Dt GENERAL_NAME_NEW 3
-.Os
-.Sh NAME
-.Nm GENERAL_NAME_new ,
-.Nm GENERAL_NAME_free ,
-.Nm GENERAL_NAMES_new ,
-.Nm GENERAL_NAMES_free ,
-.Nm EDIPARTYNAME_new ,
-.Nm EDIPARTYNAME_free ,
-.Nm OTHERNAME_new ,
-.Nm OTHERNAME_free
-.Nd names for use in X.509 extensions
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft GENERAL_NAME *
-.Fn GENERAL_NAME_new void
-.Ft void
-.Fn GENERAL_NAME_free "GENERAL_NAME *name"
-.Ft GENERAL_NAMES *
-.Fn GENERAL_NAMES_new void
-.Ft void
-.Fn GENERAL_NAMES_free "GENERAL_NAMES *names"
-.Ft EDIPARTYNAME *
-.Fn EDIPARTYNAME_new void
-.Ft void
-.Fn EDIPARTYNAME_free "EDIPARTYNAME *name"
-.Ft OTHERNAME *
-.Fn OTHERNAME_new void
-.Ft void
-.Fn OTHERNAME_free "OTHERNAME *name"
-.Sh DESCRIPTION
-Even though the X.501
-.Vt Name
-documented in
-.Xr X509_NAME_new 3
-is a complicated multi-layered structure, it is very rigid and not
-flexible enough to represent various entities that many people want
-to use as names in certificates.
-For that reason, X.509 extensions use the X.509
-.Vt GeneralName
-wrapper structure rather than using the X.501
-.Vt Name
-structure directly, at the expense of adding one or two additional
-layers of indirection.
-.Pp
-.Fn GENERAL_NAME_new
-allocates and initializes an empty
-.Vt GENERAL_NAME
-object, representing the ASN.1
-.Vt GeneralName
-structure defined in RFC 5280 section 4.2.1.6.
-It can for example hold an
-.Vt X509_name
-object, an IP address, a DNS host name, a uniform resource identifier,
-an email address, or an
-.Vt EDIPARTYNAME
-or
-.Vt OTHERNAME
-object described below.
-.Fn GENERAL_NAME_free
-frees
-.Fa name .
-.Pp
-.Fn GENERAL_NAMES_new
-allocates and initializes an empty
-.Vt GENERAL_NAMES
-object, which is a
-.Vt STACK_OF(GENERAL_NAME)
-and represents the ASN.1
-.Vt GeneralNames
-structure defined in RFC 5280 section 4.2.1.6.
-It is used by extension structures that can contain multiple names,
-for example key identifier, alternative name, and distribution point
-extensions.
-.Fn GENERAL_NAMES_free
-frees
-.Fa names .
-.Pp
-.Fn EDIPARTYNAME_new
-allocates and initializes an empty
-.Vt EDIPARTYNAME
-object, representing the ASN.1
-.Vt EDIPartyName
-structure defined in RFC 5280 section 4.2.1.6, where
-.Dq EDI
-stands for
-.Dq electronic data identifier .
-It can hold two strings, the name itself and the name of the authority
-that assigned that name.
-.Fn EDIPARTYNAME_free
-frees
-.Fa name .
-.Pp
-.Fn OTHERNAME_new
-allocates and initializes an empty
-.Vt OTHERNAME
-object, representing the ASN.1
-.Vt OtherName
-structure defined in RFC 5280 section 4.2.1.6.
-It can hold data of any
-.Vt ASN1_TYPE
-together with a type identifier.
-.Fn OTHERNAME_free
-frees
-.Fa name .
-.Sh RETURN VALUES
-.Fn GENERAL_NAME_new ,
-.Fn GENERAL_NAMES_new ,
-.Fn EDIPARTYNAME_new ,
-and
-.Fn OTHERNAME_new
-return a new
-.Vt GENERAL_NAME ,
-.Vt GENERAL_NAMES ,
-.Vt EDIPARTYNAME ,
-or
-.Vt OTHERNAME
-object or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr d2i_GENERAL_NAME 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_NAME_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile,
-section 4.2: Certificate Extensions
-.Sh HISTORY
-.Fn GENERAL_NAME_new ,
-.Fn GENERAL_NAME_free ,
-.Fn GENERAL_NAMES_new ,
-and
-.Fn GENERAL_NAMES_free
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
-.Pp
-.Fn OTHERNAME_new
-and
-.Fn OTHERNAME_free
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-.Fn EDIPARTYNAME_new
-and
-.Fn EDIPARTYNAME_free
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/HMAC.3 b/src/lib/libcrypto/man/HMAC.3
deleted file mode 100644
index a515014fca..0000000000
--- a/src/lib/libcrypto/man/HMAC.3
+++ /dev/null
@@ -1,324 +0,0 @@
-.\" $OpenBSD: HMAC.3,v 1.23 2024/08/29 20:21:53 tb Exp $
-.\" full merge up to: OpenSSL crypto/hmac a528d4f0 Oct 27 13:40:11 2015 -0400
-.\" selective merge up to: OpenSSL man3/HMAC b3696a55 Sep 2 09:35:50 2017 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>,
-.\" Richard Levitte <levitte@openssl.org>, and
-.\" Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2000-2002, 2006, 2008, 2009, 2013, 2015, 2016
-.\" The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 29 2024 $
-.Dt HMAC 3
-.Os
-.Sh NAME
-.Nm HMAC ,
-.Nm HMAC_CTX_new ,
-.Nm HMAC_CTX_reset ,
-.Nm HMAC_CTX_free ,
-.Nm HMAC_Init_ex ,
-.Nm HMAC_Update ,
-.Nm HMAC_Final ,
-.Nm HMAC_CTX_copy ,
-.Nm HMAC_CTX_set_flags ,
-.Nm HMAC_CTX_get_md ,
-.Nm HMAC_size
-.Nd HMAC message authentication code
-.Sh SYNOPSIS
-.In openssl/hmac.h
-.Ft unsigned char *
-.Fo HMAC
-.Fa "const EVP_MD *evp_md"
-.Fa "const void *key"
-.Fa "int key_len"
-.Fa "const unsigned char *d"
-.Fa "size_t n"
-.Fa "unsigned char *md"
-.Fa "unsigned int *md_len"
-.Fc
-.Ft HMAC_CTX *
-.Fn HMAC_CTX_new void
-.Ft int
-.Fo HMAC_CTX_reset
-.Fa "HMAC_CTX *ctx"
-.Fc
-.Ft void
-.Fo HMAC_CTX_free
-.Fa "HMAC_CTX *ctx"
-.Fc
-.Ft int
-.Fo HMAC_Init_ex
-.Fa "HMAC_CTX *ctx"
-.Fa "const void *key"
-.Fa "int key_len"
-.Fa "const EVP_MD *md"
-.Fa "ENGINE *engine"
-.Fc
-.Ft int
-.Fo HMAC_Update
-.Fa "HMAC_CTX *ctx"
-.Fa "const unsigned char *data"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo HMAC_Final
-.Fa "HMAC_CTX *ctx"
-.Fa "unsigned char *md"
-.Fa "unsigned int *len"
-.Fc
-.Ft int
-.Fo HMAC_CTX_copy
-.Fa "HMAC_CTX *dctx"
-.Fa "HMAC_CTX *sctx"
-.Fc
-.Ft void
-.Fo HMAC_CTX_set_flags
-.Fa "HMAC_CTX *ctx"
-.Fa "unsigned long flags"
-.Fc
-.Ft const EVP_MD *
-.Fo HMAC_CTX_get_md
-.Fa "const HMAC_CTX *ctx"
-.Fc
-.Ft size_t
-.Fo HMAC_size
-.Fa "const HMAC_CTX *e"
-.Fc
-.Sh DESCRIPTION
-HMAC is a MAC (message authentication code), i.e. a keyed hash
-function used for message authentication, which is based on a hash
-function.
-.Pp
-.Fn HMAC
-computes the message authentication code of the
-.Fa n
-bytes at
-.Fa d
-using the hash function
-.Fa evp_md
-and the key
-.Fa key
-which is
-.Fa key_len
-bytes long.
-.Pp
-It places the result in
-.Fa md ,
-which must have space for the output of the hash function, which is no
-more than
-.Dv EVP_MAX_MD_SIZE
-bytes.
-The size of the output is placed in
-.Fa md_len ,
-unless it is
-.Dv NULL .
-.Pp
-.Fa evp_md
-can be
-.Xr EVP_sha1 3 ,
-.Xr EVP_ripemd160 3 ,
-etc.
-.Pp
-.Fn HMAC_CTX_new
-allocates and initializes a new
-.Vt HMAC_CTX
-object.
-.Pp
-.Fn HMAC_CTX_reset
-zeroes and re-initializes
-.Fa ctx
-and associated resources, making it suitable for new computations
-as if it was deleted with
-.Fn HMAC_CTX_free
-and newly created with
-.Fn HMAC_CTX_new .
-.Pp
-.Fn HMAC_CTX_free
-erases the key and other data from
-.Fa ctx ,
-releases any associated resources, and finally frees
-.Fa ctx
-itself.
-.Pp
-The following functions may be used if the message is not completely
-stored in memory:
-.Pp
-.Fn HMAC_Init_ex
-sets up or reuses
-.Fa ctx
-to use the hash function
-.Fa evp_md
-and the key
-.Fa key .
-Either can be
-.Dv NULL ,
-in which case the existing one is reused.
-The
-.Fa ctx
-must have been created with
-.Fn HMAC_CTX_new
-before the first use in this function.
-If
-.Fn HMAC_Init_ex
-is called with a
-.Dv NULL
-.Fa key
-but
-.Fa evp_md
-is neither
-.Dv NULL
-nor the same as the previous digest used by
-.Fa ctx ,
-then an error is returned because reuse of an existing key with a
-different digest is not supported.
-The
-.Fa ENGINE *engine
-argument is always ignored and passing
-.Dv NULL
-is recommended.
-.Pp
-.Fn HMAC_Update
-can be called repeatedly with chunks of the message to be authenticated
-.Pq Fa len No bytes at Fa data .
-.Pp
-.Fn HMAC_Final
-places the message authentication code in
-.Fa md ,
-which must have space for the hash function output.
-.Pp
-.Fn HMAC_CTX_copy
-copies all of the internal state from
-.Fa sctx
-into
-.Fa dctx .
-.Pp
-.Fn HMAC_CTX_set_flags
-applies the specified flags to the internal
-.Vt EVP_MD_CTX
-objects.
-Possible flag values
-.Dv EVP_MD_CTX_FLAG_*
-are defined in
-.In openssl/evp.h .
-.Pp
-.Fn HMAC_size
-returns the length in bytes of the underlying hash function output.
-It is implemented as a macro.
-.Sh RETURN VALUES
-.Fn HMAC
-returns a pointer to the message authentication code or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn HMAC_CTX_new
-returns a pointer to the new
-.Vt HMAC_CTX
-object or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn HMAC_CTX_reset ,
-.Fn HMAC_Init_ex ,
-.Fn HMAC_Update ,
-.Fn HMAC_Final ,
-and
-.Fn HMAC_CTX_copy
-return 1 for success or 0 if an error occurred.
-.Pp
-.Fn HMAC_CTX_get_md
-returns the message digest that was previously set for
-.Fa ctx
-with
-.Fn HMAC_Init_ex ,
-or
-.Dv NULL
-if none was set.
-.Pp
-.Fn HMAC_size
-returns the length in bytes of the underlying hash function output
-or 0 on error.
-.Sh SEE ALSO
-.Xr CMAC_Init 3 ,
-.Xr EVP_DigestInit 3
-.Sh STANDARDS
-RFC 2104
-.Sh HISTORY
-.Fn HMAC ,
-.Fn HMAC_Update ,
-.Fn HMAC_Final ,
-and
-.Fn HMAC_size
-first appeared in SSLeay 0.9.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn HMAC_Init_ex
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn HMAC_CTX_set_flags
-first appeared in OpenSSL 0.9.7f and have been available since
-.Ox 3.8 .
-.Pp
-.Fn HMAC_CTX_copy
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
-.Pp
-.Fn HMAC_CTX_new ,
-.Fn HMAC_CTX_reset ,
-.Fn HMAC_CTX_free ,
-and
-.Fn HMAC_CTX_get_md
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.3 .
-.Sh CAVEATS
-Other implementations allow
-.Fa md
-in
-.Fn HMAC
-to be
-.Dv NULL
-and return a static array, which is not thread safe.
diff --git a/src/lib/libcrypto/man/IPAddressRange_new.3 b/src/lib/libcrypto/man/IPAddressRange_new.3
deleted file mode 100644
index a812107cdf..0000000000
--- a/src/lib/libcrypto/man/IPAddressRange_new.3
+++ /dev/null
@@ -1,525 +0,0 @@
-.\" $OpenBSD: IPAddressRange_new.3,v 1.9 2023/10/03 09:58:06 tb Exp $
-.\"
-.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 3 2023 $
-.Dt IPADDRESSRANGE_NEW 3
-.Os
-.Sh NAME
-.Nm IPAddressRange_new ,
-.Nm IPAddressRange_free ,
-.Nm d2i_IPAddressRange ,
-.Nm i2d_IPAddressRange ,
-.Nm IPAddressOrRange_new ,
-.Nm IPAddressOrRange_free ,
-.Nm d2i_IPAddressOrRange ,
-.Nm i2d_IPAddressOrRange ,
-.Nm IPAddressChoice_new ,
-.Nm IPAddressChoice_free ,
-.Nm d2i_IPAddressChoice ,
-.Nm i2d_IPAddressChoice ,
-.Nm IPAddressFamily_new ,
-.Nm IPAddressFamily_free ,
-.Nm d2i_IPAddressFamily ,
-.Nm i2d_IPAddressFamily
-.Nd RFC 3779 IP address prefixes and ranges
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft "IPAddressRange *"
-.Fn IPAddressRange_new void
-.Ft void
-.Fn IPAddressRange_free "IPAddressRange *range"
-.Ft IPAddressRange *
-.Fo d2i_IPAddressRange
-.Fa "IPAddressRange **range"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_IPAddressRange
-.Fa "IPAddressRange *range"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft "IPAddressOrRange *"
-.Fn IPAddressOrRange_new void
-.Ft void
-.Fn IPAddressOrRange_free "IPAddressOrRange *aor"
-.Ft IPAddressOrRange *
-.Fo d2i_IPAddressOrRange
-.Fa "IPAddressOrRange **aor"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_IPAddressOrRange
-.Fa "IPAddressOrRange *aor"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft "IPAddressChoice *"
-.Fn IPAddressChoice_new void
-.Ft void
-.Fn IPAddressChoice_free "IPAddressChoice *ac"
-.Ft IPAddressChoice *
-.Fo d2i_IPAddressChoice
-.Fa "IPAddressChoice **ac"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_IPAddressChoice
-.Fa "IPAddressChoice *ac"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft "IPAddressFamily *"
-.Fn IPAddressFamily_new void
-.Ft void
-.Fn IPAddressFamily_free "IPAddressFamily *af"
-.Ft IPAddressFamily *
-.Fo d2i_IPAddressFamily
-.Fa "IPAddressFamily **af"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_IPAddressFamily
-.Fa "IPAddressFamily *af"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-.Vt IPAddressRange ,
-.Vt IPAddressOrRange ,
-.Vt IPAddressChoice ,
-and
-.Vt IPAddressFamily
-are building blocks of the
-.Vt IPAddrBlocks
-type representing the RFC 3779 IP address delegation extension.
-.Pp
-Per RFC 3779, section 2.1.1,
-an IPv4 or an IPv6 address is encoded in network byte order in an
-ASN.1 BIT STRING of bit size 32 or 128 bits, respectively.
-The bit size of a prefix is its prefix length;
-all insignificant zero bits are omitted
-from the encoding.
-Per section 2.1.2,
-an address range is expressed as a pair of BIT STRINGs
-where all the least significant zero bits of the lower bound
-and all the least significant one bits of the upper bound are omitted.
-.Pp
-The library provides no API for directly converting an IP address or
-prefix (in any form) to and from an
-.Vt ASN1_BIT_STRING .
-It also provides no API for directly handling ranges.
-The
-.Vt ASN1_BIT_STRING
-internals are subtle and directly manipulating them in the
-context of the RFC 3779 API is discouraged.
-The bit size of an
-.Vt ASN1_BIT_STRING
-representing an IP address prefix or range is eight times its
-.Fa length
-member minus the lowest three bits of its
-.Fa flags ,
-provided the
-.Dv ASN1_STRING_FLAG_BITS_LEFT
-flag is set.
-.Pp
-The
-.Vt IPAddressRange
-type defined in RFC 3779 section 2.2.3.9 is implemented as
-.Bd -literal -offset indent
-typedef struct IPAddressRange_st {
-        ASN1_BIT_STRING *min;
-        ASN1_BIT_STRING *max;
-} IPAddressRange;
-.Ed
-.Pp
-It represents the closed range [min,max] of IP addresses between
-.Fa min
-and
-.Fa max ,
-where
-.Fa min
-should be strictly smaller than
-.Fa max
-and the range should not be expressible as a prefix.
-.Pp
-.Fn IPAddressRange_new
-allocates a new
-.Vt IPAddressRange
-object with allocated, empty
-.Fa min
-and
-.Fa max ,
-thus representing the entire address space invalidly as a non-prefix.
-.Pp
-.Fn IPAddressRange_free
-frees
-.Fa range
-including any data contained in it.
-If
-.Fa range
-is
-.Dv NULL ,
-no action occurs.
-.Pp
-There is no dedicated type representing the
-.Vt IPAddress
-type defined in RFC 3779 section 2.2.3.8.
-The API uses
-.Vt ASN1_BIT_STRING
-for this.
-.Pp
-The
-.Vt IPAddressOrRange
-type defined in RFC 3779 section 2.2.3.7 is implemented as
-.Bd -literal -offset indent
-typedef struct IPAddressOrRange_st {
-        int type;
-        union {
-                ASN1_BIT_STRING *addressPrefix;
-                IPAddressRange *addressRange;
-        } u;
-} IPAddressOrRange;
-.Ed
-.Pp
-representing an individual address prefix or an address range.
-The
-.Fa type
-member should be set to
-.Dv IPAddressOrRange_addressPrefix
-or
-.Dv IPAddressOrRange_addressRange
-to indicate which member of the union
-.Fa u
-is valid.
-.Pp
-.Fn IPAddressOrRange_new
-returns a new
-.Vt IPAddressOrRange
-object with invalid type and
-.Dv NULL
-members of the union
-.Fa u .
-.Pp
-.Fn IPAddressOrRange_free
-frees
-.Fa aor
-including any data contained in it,
-provided
-.Fa type
-is set correctly.
-If
-.Fa aor
-is
-.Dv NULL ,
-no action occurs.
-.Pp
-In order to express a list of address prefixes and address ranges,
-RFC 3779 section 2.2.3.6
-uses an ASN.1 SEQUENCE,
-which is implemented via a
-.Xr STACK_OF 3
-construction over
-.Vt IPAddressOrRange :
-.Bd -literal -offset indent
-typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
-.Ed
-.Pp
-Since an
-.Vt IPAddressOrRanges
-object should be sorted in a specific way (see
-.Xr X509v3_addr_canonize 3 ) ,
-a comparison function is needed for a correct instantiation
-with
-.Xr sk_new 3 .
-The
-.Fn v4IPAddressOrRange_cmp
-and
-.Fn v6IPAddressOrRange_cmp
-functions are not directly exposed and not easily accessible
-from outside the library,
-and they are non-trivial to implement.
-It is therefore discouraged to use
-.Vt IPAddressOrRanges
-objects that are not part of an
-.Vt IPAddrBlocks
-object.
-.Pp
-The
-.Dq inherit
-marker from RFC 3779 section 2.2.3.5 is implemented as
-.Vt ASN1_NULL .
-It has no dedicated type or API and can be instantiated with
-.Xr ASN1_NULL_new 3 .
-.Pp
-The
-.Vt IPAddressChoice
-type defined in RFC 3779 section 2.2.3.4 is implemented as
-.Bd -literal -offset indent
-typedef struct IPAddressChoice_st {
-        int type;
-        union {
-                ASN1_NULL *inherit;
-                IPAddressOrRanges *addressesOrRanges;
-        } u;
-} IPAddressChoice;
-.Ed
-.Pp
-where the
-.Fa type
-member should be set to
-.Dv IPAddressChoice_inherit
-or
-.Dv IPAddressChoice_addressesOrRanges
-to indicate whether a given
-.Vt IPAddressChoice
-object represents an inherited list or an explicit list.
-.Pp
-.Fn IPAddressChoice_new
-returns a new
-.Vt IPAddressChoice
-object with invalid type and
-.Dv NULL
-members of the union
-.Fa u .
-.Pp
-.Fn IPAddressChoice_free
-frees
-.Fa ac
-including any data contained in it,
-provided
-.Fa type
-is set correctly.
-.Pp
-The
-.Fa addressFamily
-element defined in RFC 3779 section 2.2.3.3 is implemented as an
-.Vt ASN1_OCTET_STRING
-and it contains two or three octets.
-The first two octets are always present and represent the
-address family identifier (AFI)
-in network byte order.
-The optional subsequent address family identifier (SAFI)
-occupies the third octet.
-For IPv4 and IPv6,
-.Dv IANA_AFI_IPV4
-and
-.Dv IANA_AFI_IPV6
-are predefined.
-Other AFIs are not supported by this implementation.
-.Pp
-The
-.Vt IPAddressFamily
-type defined in RFC 3779 section 2.2.3.2 is implemented as
-.Bd -literal -offset indent
-typedef struct IPAddressFamily_st {
-        ASN1_OCTET_STRING *addressFamily;
-        IPAddressChoice *ipAddressChoice;
-} IPAddressFamily;
-.Ed
-.Pp
-The
-.Fa addressFamily
-member indicates the address family the
-.Fa ipAddressChoice
-represents.
-.Pp
-.Fn IPAddressFamily_new
-returns a new
-.Vt IPAddressFamily
-object with empty
-.Fa addressFamily
-and invalid
-.Fa ipAddressChoice
-members.
-.Pp
-.Fn IPAddressFamily_free
-frees
-.Fa af
-including any data contained in it.
-If
-.Fa af
-is
-.Dv NULL ,
-no action occurs.
-.Pp
-The
-.Vt IPAddrBlocks
-type defined in RFC 3779 section 2.2.3.1
-uses an ASN.1 SEQUENCE,
-which is implemented via a
-.Xr STACK_OF 3
-construction over
-.Vt IPAddressFamily :
-.Bd -literal -offset indent
-typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
-.Ed
-.Pp
-It can be instantiated with
-.Fn sk_IPAddressFamily_new_null
-and the correct sorting function can be installed with
-.Xr X509v3_addr_canonize 3 .
-To populate it, use
-.Xr X509v3_addr_add_prefix 3
-and related functions.
-.Pp
-.Fn d2i_IPAddressRange ,
-.Fn i2d_IPAddressRange ,
-.Fn d2i_IPAddressOrRange ,
-.Fn i2d_IPAddressOrRange ,
-.Fn d2i_IPAddressChoice ,
-.Fn i2d_IPAddressChoice ,
-.Fn d2i_IPAddressFamily ,
-and
-.Fn i2d_IPAddressFamily
-decode and encode ASN.1
-.Vt IPAddressRange ,
-.Vt IPAddressOrRange ,
-.Vt IPAddressChoice ,
-and
-.Vt IPAddressFamily
-objects.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-There is no easy way of ensuring that the encodings generated by
-these functions are correct, unless they are applied to objects
-that are part of a canonical
-.Vt IPAddrBlocks
-structure, see
-.Xr X509v3_addr_is_canonical 3 .
-.Sh RETURN VALUES
-.Fn IPAddressRange_new
-returns a new
-.Vt IPAddressRange
-object with allocated, empty members, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn IPAddressOrRange_new
-returns a new, empty
-.Vt IPAddressOrRange
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn IPAddressChoice_new
-returns a new, empty
-.Vt IPAddressChoice
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn IPAddressFamily_new
-returns a new
-.Vt IPAddressFamily
-object with allocated, empty members, or
-.Dv NULL
-if an error occurs.
-.Pp
-The decoding functions
-.Fn d2i_IPAddressRange ,
-.Fn d2i_IPAddressOrRange ,
-.Fn d2i_IPAddressChoice ,
-and
-.Fn d2i_IPAddressFamily
-return an
-.Vt IPAddressRange ,
-an
-.Vt IPAddressOrRange ,
-an
-.Vt IPAddressChoice ,
-or an
-.Vt IPAddressFamily
-object, respectively,
-or
-.Dv NULL
-if an error occurs.
-.Pp
-The encoding functions
-.Fn i2d_IPAddressRange ,
-.Fn i2d_IPAddressOrRange ,
-.Fn i2d_IPAddressChoice ,
-and
-.Fn i2d_IPAddressFamily
-return the number of bytes successfully encoded
-or a value <= 0 if an error occurs.
-.Sh SEE ALSO
-.Xr ASIdentifiers_new 3 ,
-.Xr ASN1_BIT_STRING_new 3 ,
-.Xr ASN1_OCTET_STRING_new 3 ,
-.Xr ASN1_OCTET_STRING_set 3 ,
-.Xr crypto 3 ,
-.Xr X509_new 3 ,
-.Xr X509v3_addr_add_inherit 3 ,
-.Xr X509v3_addr_inherits 3 ,
-.Xr X509v3_addr_subset 3
-.Sh STANDARDS
-RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
-.Bl -dash -compact
-.It
-section 2.1.1: Encoding of an IP Address or Prefix
-.It
-section 2.1.2: Encoding of a Range of IP Addresses
-.It
-section 2.2.3: Syntax
-.It
-section 2.2.3.1: Type IPAddrBlocks
-.It
-section 2.2.3.2: Type IPAddressFamily
-.It
-section 2.2.3.3: Element addressFamily
-.It
-section 2.2.3.4: Element ipAddressChoice and Type IPAddressChoice
-.It
-section 2.2.3.5: Element inherit
-.It
-section 2.2.3.6: Element addressesOrRanges
-.It
-section 2.2.3.7: Type IPAddressOrRange
-.It
-section 2.2.3.8: Element addressPrefix and Type IPAddress
-.It
-section 2.2.3.9: Element addressRange and Type IPAddressRange
-.El
-.Pp
-ITU-T Recommendation X.690, also known as ISO/IEC 8825-1:
-Information technology - ASN.1 encoding rules:
-Specification of Basic Encoding Rules (BER), Canonical Encoding
-Rules (CER) and Distinguished Encoding Rules (DER),
-section 8.6: Encoding of a bitstring value
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8e
-and have been available since
-.Ox 7.1 .
-.Sh BUGS
-.\" The internals do not seem to consistently apply and check
-.\" .Dv ASN1_STRING_FLAG_BITS_LEFT
-.\" which may lead to incorrect encoding and misinterpretation
-As it stands, the API is barely usable
-due to missing convenience accessors, constructors and destructors
-and due to the complete absence of API that checks that the
-individual building blocks are correct.
-Extracting information from a given object can be done relatively
-safely.
-However, constructing objects is very error prone, be it
-by hand or using the bug-ridden
-.Xr X509v3_addr_add_inherit 3
-API.
-.Pp
-RFC 3779 has element
-.Dq addressesOrRanges .
-Its type in this API is
-.Vt IPAddressOrRanges .
diff --git a/src/lib/libcrypto/man/MD5.3 b/src/lib/libcrypto/man/MD5.3
deleted file mode 100644
index 01e715f406..0000000000
--- a/src/lib/libcrypto/man/MD5.3
+++ /dev/null
@@ -1,201 +0,0 @@
-.\"     $OpenBSD: MD5.3,v 1.9 2024/05/26 09:54:16 tb Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org> and
-.\" Richard Levitte <levitte@openssl.org>.
-.\" Copyright (c) 2000, 2006 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 26 2024 $
-.Dt MD5 3
-.Os
-.Sh NAME
-.Nm MD4 ,
-.Nm MD5 ,
-.Nm MD4_Init ,
-.Nm MD4_Update ,
-.Nm MD4_Final ,
-.Nm MD5_Init ,
-.Nm MD5_Update ,
-.Nm MD5_Final
-.Nd MD4 and MD5 hash functions
-.Sh SYNOPSIS
-.In openssl/md4.h
-.Ft unsigned char *
-.Fo MD4
-.Fa "const unsigned char *d"
-.Fa "unsigned long n"
-.Fa "unsigned char *md"
-.Fc
-.Ft int
-.Fo MD4_Init
-.Fa "MD4_CTX *c"
-.Fc
-.Ft int
-.Fo MD4_Update
-.Fa "MD4_CTX *c"
-.Fa "const void *data"
-.Fa "unsigned long len"
-.Fc
-.Ft int
-.Fo MD4_Final
-.Fa "unsigned char *md"
-.Fa "MD4_CTX *c"
-.Fc
-.In openssl/md5.h
-.Ft unsigned char *
-.Fo MD5
-.Fa "const unsigned char *d"
-.Fa "unsigned long n"
-.Fa "unsigned char *md"
-.Fc
-.Ft int
-.Fo MD5_Init
-.Fa "MD5_CTX *c"
-.Fc
-.Ft int
-.Fo MD5_Update
-.Fa "MD5_CTX *c"
-.Fa "const void *data"
-.Fa "unsigned long len"
-.Fc
-.Ft int
-.Fo MD5_Final
-.Fa "unsigned char *md"
-.Fa "MD5_CTX *c"
-.Fc
-.Sh DESCRIPTION
-MD4 and MD5 are cryptographic hash functions with a 128-bit
-output.
-.Pp
-.Fn MD4
-and
-.Fn MD5
-compute the MD4 and MD5 message digest of the
-.Fa n
-bytes at
-.Fa d
-and place it in
-.Fa md ,
-which must have space for
-.Dv MD4_DIGEST_LENGTH No == Dv MD5_DIGEST_LENGTH No == 16
-bytes of output.
-.Pp
-The following functions may be used if the message is not completely
-stored in memory:
-.Pp
-.Fn MD5_Init
-initializes a
-.Vt MD5_CTX
-structure.
-.Pp
-.Fn MD5_Update
-can be called repeatedly with chunks of the message to be hashed
-.Pq Fa len No bytes at Fa data .
-.Pp
-.Fn MD5_Final
-places the message digest in
-.Fa md ,
-which must have space for
-.Dv MD5_DIGEST_LENGTH No == 16
-bytes of output, and erases the
-.Vt MD5_CTX .
-.Pp
-.Fn MD4_Init ,
-.Fn MD4_Update ,
-and
-.Fn MD4_Final
-are analogous using an
-.Vt MD4_CTX
-structure.
-.Pp
-Applications should use the higher level functions
-.Xr EVP_DigestInit 3
-etc. instead of calling these hash functions directly.
-.Sh RETURN VALUES
-.Fn MD4
-and
-.Fn MD5
-return pointers to the hash value.
-.Pp
-.Fn MD4_Init ,
-.Fn MD4_Update ,
-.Fn MD4_Final ,
-.Fn MD5_Init ,
-.Fn MD5_Update ,
-and
-.Fn MD5_Final
-return 1 for success or 0 otherwise.
-.Sh SEE ALSO
-.Xr EVP_DigestInit 3
-.Sh STANDARDS
-RFC 1320, RFC 1321
-.Sh HISTORY
-.Fn MD5 ,
-.Fn MD5_Init ,
-.Fn MD5_Update ,
-and
-.Fn MD5_Final
-appeared in SSLeay 0.4 or earlier and have been available since
-.Ox 2.4 .
-.Pp
-.Fn MD4 ,
-.Fn MD4_Init ,
-.Fn MD4_Update ,
-and
-.Fn MD4_Final
-first appeared in OpenSSL 0.9.6 and have been available since
-.Ox 2.9 .
-.Sh CAVEATS
-Other implementations allow
-.Fa md
-in
-.Fn MD4
-and
-.Fn MD5
-to be
-.Dv NULL
-and return a static array, which is not thread safe.
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
deleted file mode 100644
index 9f3d448432..0000000000
--- a/src/lib/libcrypto/man/Makefile
+++ /dev/null
@@ -1,436 +0,0 @@
-# $OpenBSD: Makefile,v 1.307 2025/03/08 17:12:55 tb Exp $
-
-.include <bsd.own.mk>
-
-MAN=    \
-        ACCESS_DESCRIPTION_new.3 \
-        AES_encrypt.3 \
-        ASIdentifiers_new.3 \
-        ASN1_BIT_STRING_set.3 \
-        ASN1_INTEGER_get.3 \
-        ASN1_NULL_new.3 \
-        ASN1_OBJECT_new.3 \
-        ASN1_PRINTABLE_type.3 \
-        ASN1_STRING_TABLE_get.3 \
-        ASN1_STRING_length.3 \
-        ASN1_STRING_new.3 \
-        ASN1_STRING_print_ex.3 \
-        ASN1_TIME_set.3 \
-        ASN1_TYPE_get.3 \
-        ASN1_UNIVERSALSTRING_to_string.3 \
-        ASN1_generate_nconf.3 \
-        ASN1_get_object.3 \
-        ASN1_item_d2i.3 \
-        ASN1_item_digest.3 \
-        ASN1_item_new.3 \
-        ASN1_item_pack.3 \
-        ASN1_item_sign.3 \
-        ASN1_item_verify.3 \
-        ASN1_mbstring_copy.3 \
-        ASN1_parse_dump.3 \
-        ASN1_put_object.3 \
-        ASRange_new.3 \
-        AUTHORITY_KEYID_new.3 \
-        BASIC_CONSTRAINTS_new.3 \
-        BF_set_key.3 \
-        BIO_accept.3 \
-        BIO_ctrl.3 \
-        BIO_dump.3 \
-        BIO_dup_chain.3 \
-        BIO_f_base64.3 \
-        BIO_f_buffer.3 \
-        BIO_f_cipher.3 \
-        BIO_f_md.3 \
-        BIO_f_null.3 \
-        BIO_find_type.3 \
-        BIO_get_data.3 \
-        BIO_get_ex_new_index.3 \
-        BIO_meth_new.3 \
-        BIO_new.3 \
-        BIO_new_CMS.3 \
-        BIO_printf.3 \
-        BIO_push.3 \
-        BIO_read.3 \
-        BIO_s_accept.3 \
-        BIO_s_bio.3 \
-        BIO_s_connect.3 \
-        BIO_s_datagram.3 \
-        BIO_s_fd.3 \
-        BIO_s_file.3 \
-        BIO_s_mem.3 \
-        BIO_s_null.3 \
-        BIO_s_socket.3 \
-        BIO_set_callback.3 \
-        BIO_should_retry.3 \
-        BN_CTX_new.3 \
-        BN_CTX_start.3 \
-        BN_add.3 \
-        BN_add_word.3 \
-        BN_bn2bin.3 \
-        BN_cmp.3 \
-        BN_copy.3 \
-        BN_generate_prime.3 \
-        BN_get_rfc3526_prime_8192.3 \
-        BN_kronecker.3 \
-        BN_mod_inverse.3 \
-        BN_mod_mul_montgomery.3 \
-        BN_mod_sqrt.3 \
-        BN_new.3 \
-        BN_num_bytes.3 \
-        BN_rand.3 \
-        BN_set_bit.3 \
-        BN_set_flags.3 \
-        BN_set_negative.3 \
-        BN_swap.3 \
-        BN_zero.3 \
-        BUF_MEM_new.3 \
-        CMAC_Init.3 \
-        CMS_ContentInfo_new.3 \
-        CMS_add0_cert.3 \
-        CMS_add1_recipient_cert.3 \
-        CMS_add1_signer.3 \
-        CMS_compress.3 \
-        CMS_decrypt.3 \
-        CMS_encrypt.3 \
-        CMS_final.3 \
-        CMS_get0_RecipientInfos.3 \
-        CMS_get0_SignerInfos.3 \
-        CMS_get0_type.3 \
-        CMS_get1_ReceiptRequest.3 \
-        CMS_sign.3 \
-        CMS_sign_receipt.3 \
-        CMS_signed_add1_attr.3 \
-        CMS_uncompress.3 \
-        CMS_verify.3 \
-        CMS_verify_receipt.3 \
-        CONF_modules_free.3 \
-        CONF_modules_load_file.3 \
-        CRYPTO_lock.3 \
-        CRYPTO_memcmp.3 \
-        CRYPTO_set_ex_data.3 \
-        CRYPTO_set_mem_functions.3 \
-        ChaCha.3 \
-        DES_set_key.3 \
-        DH_generate_key.3 \
-        DH_generate_parameters.3 \
-        DH_get0_pqg.3 \
-        DH_get_ex_new_index.3 \
-        DH_new.3 \
-        DH_set_method.3 \
-        DH_size.3 \
-        DIST_POINT_new.3 \
-        DSA_SIG_new.3 \
-        DSA_do_sign.3 \
-        DSA_dup_DH.3 \
-        DSA_generate_key.3 \
-        DSA_generate_parameters_ex.3 \
-        DSA_get0_pqg.3 \
-        DSA_get_ex_new_index.3 \
-        DSA_meth_new.3 \
-        DSA_new.3 \
-        DSA_set_method.3 \
-        DSA_sign.3 \
-        DSA_size.3 \
-        ECDH_compute_key.3 \
-        ECDSA_SIG_new.3 \
-        EC_GROUP_copy.3 \
-        EC_GROUP_new.3 \
-        EC_KEY_METHOD_new.3 \
-        EC_KEY_new.3 \
-        EC_POINT_add.3 \
-        EC_POINT_new.3 \
-        ENGINE_new.3 \
-        ERR.3 \
-        ERR_GET_LIB.3 \
-        ERR_asprintf_error_data.3 \
-        ERR_clear_error.3 \
-        ERR_error_string.3 \
-        ERR_get_error.3 \
-        ERR_load_crypto_strings.3 \
-        ERR_load_strings.3 \
-        ERR_print_errors.3 \
-        ERR_put_error.3 \
-        ERR_remove_state.3 \
-        ERR_set_mark.3 \
-        ESS_SIGNING_CERT_new.3 \
-        EVP_AEAD_CTX_init.3 \
-        EVP_BytesToKey.3 \
-        EVP_CIPHER_CTX_ctrl.3 \
-        EVP_CIPHER_CTX_get_cipher_data.3 \
-        EVP_CIPHER_CTX_init.3 \
-        EVP_CIPHER_CTX_set_flags.3 \
-        EVP_CIPHER_do_all.3 \
-        EVP_CIPHER_meth_new.3 \
-        EVP_CIPHER_nid.3 \
-        EVP_DigestInit.3 \
-        EVP_DigestSignInit.3 \
-        EVP_DigestVerifyInit.3 \
-        EVP_EncodeInit.3 \
-        EVP_EncryptInit.3 \
-        EVP_MD_CTX_ctrl.3 \
-        EVP_MD_nid.3 \
-        EVP_OpenInit.3 \
-        EVP_PKCS82PKEY.3 \
-        EVP_PKEY_CTX_ctrl.3 \
-        EVP_PKEY_CTX_get_operation.3 \
-        EVP_PKEY_CTX_new.3 \
-        EVP_PKEY_CTX_set_hkdf_md.3 \
-        EVP_PKEY_CTX_set_tls1_prf_md.3 \
-        EVP_PKEY_asn1_get_count.3 \
-        EVP_PKEY_cmp.3 \
-        EVP_PKEY_decrypt.3 \
-        EVP_PKEY_derive.3 \
-        EVP_PKEY_encrypt.3 \
-        EVP_PKEY_get_default_digest_nid.3 \
-        EVP_PKEY_keygen.3 \
-        EVP_PKEY_new.3 \
-        EVP_PKEY_new_CMAC_key.3 \
-        EVP_PKEY_print_private.3 \
-        EVP_PKEY_set1_RSA.3 \
-        EVP_PKEY_sign.3 \
-        EVP_PKEY_size.3 \
-        EVP_PKEY_verify.3 \
-        EVP_PKEY_verify_recover.3 \
-        EVP_SealInit.3 \
-        EVP_SignInit.3 \
-        EVP_VerifyInit.3 \
-        EVP_aes_128_cbc.3 \
-        EVP_aes_128_ccm.3 \
-        EVP_aes_128_gcm.3 \
-        EVP_camellia_128_cbc.3 \
-        EVP_chacha20.3 \
-        EVP_des_cbc.3 \
-        EVP_rc2_cbc.3 \
-        EVP_rc4.3 \
-        EVP_sha1.3 \
-        EVP_sha3_224.3 \
-        EVP_sm3.3 \
-        EVP_sm4_cbc.3 \
-        EXTENDED_KEY_USAGE_new.3 \
-        GENERAL_NAME_new.3 \
-        HMAC.3 \
-        IPAddressRange_new.3 \
-        MD5.3 \
-        NAME_CONSTRAINTS_new.3 \
-        OBJ_NAME_add.3 \
-        OBJ_create.3 \
-        OBJ_find_sigid_algs.3 \
-        OBJ_nid2obj.3 \
-        OCSP_CRLID_new.3 \
-        OCSP_REQUEST_new.3 \
-        OCSP_SERVICELOC_new.3 \
-        OCSP_cert_to_id.3 \
-        OCSP_request_add1_nonce.3 \
-        OCSP_resp_find_status.3 \
-        OCSP_response_status.3 \
-        OCSP_sendreq_new.3 \
-        OPENSSL_VERSION_NUMBER.3 \
-        OPENSSL_cleanse.3 \
-        OPENSSL_config.3 \
-        OPENSSL_init_crypto.3 \
-        OPENSSL_load_builtin_modules.3 \
-        OPENSSL_malloc.3 \
-        OPENSSL_sk_new.3 \
-        OpenSSL_add_all_algorithms.3 \
-        PEM_ASN1_read.3 \
-        PEM_X509_INFO_read.3 \
-        PEM_bytes_read_bio.3 \
-        PEM_read.3 \
-        PEM_read_bio_PrivateKey.3 \
-        PEM_write_bio_CMS_stream.3 \
-        PEM_write_bio_PKCS7_stream.3 \
-        PKCS12_SAFEBAG_new.3 \
-        PKCS12_create.3 \
-        PKCS12_new.3 \
-        PKCS12_newpass.3 \
-        PKCS12_parse.3 \
-        PKCS5_PBKDF2_HMAC.3 \
-        PKCS7_add_attribute.3 \
-        PKCS7_dataFinal.3 \
-        PKCS7_dataInit.3 \
-        PKCS7_decrypt.3 \
-        PKCS7_encrypt.3 \
-        PKCS7_final.3 \
-        PKCS7_get_signer_info.3 \
-        PKCS7_new.3 \
-        PKCS7_set_content.3 \
-        PKCS7_set_type.3 \
-        PKCS7_sign.3 \
-        PKCS7_sign_add_signer.3 \
-        PKCS7_verify.3 \
-        PKCS8_PRIV_KEY_INFO_new.3 \
-        PKCS8_pkey_set0.3 \
-        PKEY_USAGE_PERIOD_new.3 \
-        POLICYINFO_new.3 \
-        RAND_add.3 \
-        RAND_bytes.3 \
-        RAND_load_file.3 \
-        RAND_set_rand_method.3 \
-        RC2_encrypt.3 \
-        RC4.3 \
-        RIPEMD160.3 \
-        RSA_PSS_PARAMS_new.3 \
-        RSA_blinding_on.3 \
-        RSA_check_key.3 \
-        RSA_generate_key.3 \
-        RSA_get0_key.3 \
-        RSA_get_ex_new_index.3 \
-        RSA_meth_new.3 \
-        RSA_new.3 \
-        RSA_padding_add_PKCS1_type_1.3 \
-        RSA_pkey_ctx_ctrl.3 \
-        RSA_print.3 \
-        RSA_private_encrypt.3 \
-        RSA_public_encrypt.3 \
-        RSA_security_bits.3 \
-        RSA_set_method.3 \
-        RSA_sign.3 \
-        RSA_sign_ASN1_OCTET_STRING.3 \
-        RSA_size.3 \
-        SHA1.3 \
-        SMIME_crlf_copy.3 \
-        SMIME_read_ASN1.3 \
-        SMIME_read_CMS.3 \
-        SMIME_read_PKCS7.3 \
-        SMIME_text.3 \
-        SMIME_write_ASN1.3 \
-        SMIME_write_CMS.3 \
-        SMIME_write_PKCS7.3 \
-        STACK_OF.3 \
-        TS_REQ_new.3 \
-        UI_create_method.3 \
-        UI_get_string_type.3 \
-        UI_new.3 \
-        X25519.3 \
-        X509V3_EXT_get_nid.3 \
-        X509V3_EXT_print.3 \
-        X509V3_extensions_print.3 \
-        X509V3_get_d2i.3 \
-        X509V3_parse_list.3 \
-        X509_ALGOR_dup.3 \
-        X509_ATTRIBUTE_get0_object.3 \
-        X509_ATTRIBUTE_new.3 \
-        X509_ATTRIBUTE_set1_object.3 \
-        X509_CINF_new.3 \
-        X509_CRL_get0_by_serial.3 \
-        X509_CRL_new.3 \
-        X509_CRL_print.3 \
-        X509_EXTENSION_set_object.3 \
-        X509_INFO_new.3 \
-        X509_LOOKUP_hash_dir.3 \
-        X509_LOOKUP_new.3 \
-        X509_NAME_ENTRY_get_object.3 \
-        X509_NAME_add_entry_by_txt.3 \
-        X509_NAME_get_index_by_NID.3 \
-        X509_NAME_hash.3 \
-        X509_NAME_new.3 \
-        X509_NAME_print_ex.3 \
-        X509_OBJECT_get0_X509.3 \
-        X509_PKEY_new.3 \
-        X509_PUBKEY_new.3 \
-        X509_PURPOSE_set.3 \
-        X509_REQ_add1_attr.3 \
-        X509_REQ_add_extensions.3 \
-        X509_REQ_new.3 \
-        X509_REQ_print_ex.3 \
-        X509_REVOKED_new.3 \
-        X509_SIG_get0.3 \
-        X509_SIG_new.3 \
-        X509_STORE_CTX_get_error.3 \
-        X509_STORE_CTX_get_ex_new_index.3 \
-        X509_STORE_CTX_new.3 \
-        X509_STORE_CTX_set_flags.3 \
-        X509_STORE_CTX_set_verify.3 \
-        X509_STORE_CTX_set_verify_cb.3 \
-        X509_STORE_get_by_subject.3 \
-        X509_STORE_load_locations.3 \
-        X509_STORE_new.3 \
-        X509_STORE_set1_param.3 \
-        X509_STORE_set_verify_cb_func.3 \
-        X509_VERIFY_PARAM_new.3 \
-        X509_VERIFY_PARAM_set_flags.3 \
-        X509_add1_trust_object.3 \
-        X509_check_ca.3 \
-        X509_check_host.3 \
-        X509_check_issued.3 \
-        X509_check_private_key.3 \
-        X509_check_purpose.3 \
-        X509_cmp.3 \
-        X509_cmp_time.3 \
-        X509_digest.3 \
-        X509_find_by_subject.3 \
-        X509_get0_notBefore.3 \
-        X509_get0_signature.3 \
-        X509_get1_email.3 \
-        X509_get_extension_flags.3 \
-        X509_get_pubkey.3 \
-        X509_get_pubkey_parameters.3 \
-        X509_get_serialNumber.3 \
-        X509_get_subject_name.3 \
-        X509_get_version.3 \
-        X509_keyid_set1.3 \
-        X509_load_cert_file.3 \
-        X509_new.3 \
-        X509_ocspid_print.3 \
-        X509_print_ex.3 \
-        X509_sign.3 \
-        X509_signature_dump.3 \
-        X509_verify_cert.3 \
-        X509v3_addr_add_inherit.3 \
-        X509v3_addr_get_range.3 \
-        X509v3_addr_inherits.3 \
-        X509v3_addr_subset.3 \
-        X509v3_addr_validate_path.3 \
-        X509v3_asid_add_id_or_range.3 \
-        X509v3_get_ext_by_NID.3 \
-        a2d_ASN1_OBJECT.3 \
-        a2i_ipadd.3 \
-        crypto.3 \
-        d2i_ASN1_NULL.3 \
-        d2i_ASN1_OBJECT.3 \
-        d2i_ASN1_OCTET_STRING.3 \
-        d2i_ASN1_SEQUENCE_ANY.3 \
-        d2i_AUTHORITY_KEYID.3 \
-        d2i_BASIC_CONSTRAINTS.3 \
-        d2i_CMS_ContentInfo.3 \
-        d2i_DHparams.3 \
-        d2i_DIST_POINT.3 \
-        d2i_DSAPublicKey.3 \
-        d2i_ECPKParameters.3 \
-        d2i_ESS_SIGNING_CERT.3 \
-        d2i_GENERAL_NAME.3 \
-        d2i_OCSP_REQUEST.3 \
-        d2i_OCSP_RESPONSE.3 \
-        d2i_PKCS12.3 \
-        d2i_PKCS7.3 \
-        d2i_PKCS8PrivateKey_bio.3 \
-        d2i_PKCS8_PRIV_KEY_INFO.3 \
-        d2i_PKEY_USAGE_PERIOD.3 \
-        d2i_POLICYINFO.3 \
-        d2i_PrivateKey.3 \
-        d2i_RSAPublicKey.3 \
-        d2i_TS_REQ.3 \
-        d2i_X509.3 \
-        d2i_X509_ALGOR.3 \
-        d2i_X509_ATTRIBUTE.3 \
-        d2i_X509_CRL.3 \
-        d2i_X509_EXTENSION.3 \
-        d2i_X509_NAME.3 \
-        d2i_X509_REQ.3 \
-        d2i_X509_SIG.3 \
-        des_read_pw.3 \
-        evp.3 \
-        i2a_ASN1_STRING.3 \
-        i2d_CMS_bio_stream.3 \
-        i2d_PKCS7_bio_stream.3 \
-        lh_new.3 \
-        openssl.cnf.5 \
-        s2i_ASN1_INTEGER.3 \
-        v2i_ASN1_BIT_STRING.3 \
-        x509v3.cnf.5
-
-all clean cleandir depend includes obj tags:
-
-install: maninstall
-
-.include <bsd.man.mk>
diff --git a/src/lib/libcrypto/man/NAME_CONSTRAINTS_new.3 b/src/lib/libcrypto/man/NAME_CONSTRAINTS_new.3
deleted file mode 100644
index fec3aba7f7..0000000000
--- a/src/lib/libcrypto/man/NAME_CONSTRAINTS_new.3
+++ /dev/null
@@ -1,100 +0,0 @@
-.\" $OpenBSD: NAME_CONSTRAINTS_new.3,v 1.4 2020/09/17 08:50:05 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 17 2020 $
-.Dt NAME_CONSTRAINTS_NEW 3
-.Os
-.Sh NAME
-.Nm NAME_CONSTRAINTS_new ,
-.Nm NAME_CONSTRAINTS_free ,
-.Nm GENERAL_SUBTREE_new ,
-.Nm GENERAL_SUBTREE_free
-.\" .Nm NAME_CONSTRAINTS_check is intentionally undocumented.
-.\" beck@ said in the x509/x509_ncons.c rev. 1.4 commit message:
-.\" We probably need to deprecate it thoughtfully.
-.Nd X.509 CA name constraints extension
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft NAME_CONSTRAINTS *
-.Fn NAME_CONSTRAINTS_new void
-.Ft void
-.Fn NAME_CONSTRAINTS_free "NAME_CONSTRAINTS *names"
-.Ft GENERAL_SUBTREE *
-.Fn GENERAL_SUBTREE_new void
-.Ft void
-.Fn GENERAL_SUBTREE_free "GENERAL_SUBTREE *name"
-.Sh DESCRIPTION
-X.509 CA certificates can use the name constraints extension
-to restrict the subject names of subsequent certificates in a
-certification path.
-.Pp
-.Fn NAME_CONSTRAINTS_new
-allocates and initializes an empty
-.Vt NAME_CONSTRAINTS
-object, representing an ASN.1
-.Vt NameConstraints
-structure defined in RFC 5280 section 4.2.1.10.
-It consists of two
-.Vt STACK_OF(GENERAL_SUBTREE)
-objects, one specifying permitted names, the other excluded names.
-.Fn NAME_CONSTRAINTS_free
-frees
-.Fa names .
-.Pp
-.Fn GENERAL_SUBTREE_new
-allocates and initializes an empty
-.Vt GENERAL_SUBTREE
-object, representing an ASN.1
-.Vt GeneralSubtree
-structure defined in RFC 5280 section 4.2.1.10.
-It is a trivial wrapper around the
-.Vt GENERAL_NAME
-object documented in
-.Xr GENERAL_NAME_new 3 .
-The standard requires the other fields of
-.Vt GENERAL_SUBTREE
-to be ignored.
-.Fn GENERAL_SUBTREE_free
-frees
-.Fa name .
-.Sh RETURN VALUES
-.Fn NAME_CONSTRAINTS_new
-and
-.Fn GENERAL_SUBTREE_new
-return the new
-.Vt NAME_CONSTRAINTS
-or
-.Vt GENERAL_SUBTREE
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr BASIC_CONSTRAINTS_new 3 ,
-.Xr GENERAL_NAMES_new 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile,
-section 4.2.1.10: Name Constraints
-.Sh HISTORY
-.Fn NAME_CONSTRAINTS_new ,
-.Fn NAME_CONSTRAINTS_free ,
-.Fn GENERAL_SUBTREE_new ,
-and
-.Fn GENERAL_SUBTREE_free
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/OBJ_NAME_add.3 b/src/lib/libcrypto/man/OBJ_NAME_add.3
deleted file mode 100644
index 0b46010c49..0000000000
--- a/src/lib/libcrypto/man/OBJ_NAME_add.3
+++ /dev/null
@@ -1,307 +0,0 @@
-.\" $OpenBSD: OBJ_NAME_add.3,v 1.6 2024/01/31 08:02:53 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: January 31 2024 $
-.Dt OBJ_NAME_ADD 3
-.Os
-.Sh NAME
-.Nm OBJ_NAME_add ,
-.Nm OBJ_NAME_remove ,
-.Nm OBJ_NAME_get ,
-.Nm OBJ_NAME_new_index ,
-.Nm OBJ_NAME_init ,
-.Nm OBJ_NAME_cleanup
-.Nd global associative array
-.Sh SYNOPSIS
-.In openssl/objects.h
-.Ft int
-.Fo OBJ_NAME_add
-.Fa "const char *name"
-.Fa "int type"
-.Fa "const char *value"
-.Fc
-.Ft int
-.Fo OBJ_NAME_remove
-.Fa "const char *name"
-.Fa "int type"
-.Fc
-.Ft const char *
-.Fo OBJ_NAME_get
-.Fa "const char *name"
-.Fa "int type"
-.Fc
-.Ft int
-.Fo OBJ_NAME_new_index
-.Fa "unsigned long (*hash_func)(const char *name)"
-.Fa "int (*cmp_func)(const char *name1, const char *name2)"
-.Fa "void (*free_func)(const char *name, int type, const char *value)"
-.Fc
-.Ft int
-.Fn OBJ_NAME_init void
-.Ft void
-.Fn OBJ_NAME_cleanup "int type"
-.Bd -literal
-typedef struct {
-        int         type;
-        int         alias;
-        const char *name;
-        const char *data;
-} OBJ_NAME;
-.Ed
-.Sh DESCRIPTION
-These functions implement a single, static associative array
-with the following properties:
-.Bl -bullet
-.It
-The keys are ordered pairs consisting of a NUL-terminated string
-.Pq called the Fa name
-and an
-.Vt int
-number
-.Pq called the Fa type .
-Two types are predefined and used internally by the library:
-.Dv OBJ_NAME_TYPE_MD_METH
-and
-.Dv OBJ_NAME_TYPE_CIPHER_METH .
-Two additional types are predefined but not used internally:
-.Dv OBJ_NAME_TYPE_PKEY_METH
-and
-.Dv OBJ_NAME_TYPE_COMP_METH .
-All predefined types are greater than
-.Dv OBJ_NAME_TYPE_UNDEF
-and smaller than
-.Dv OBJ_NAME_TYPE_NUM .
-.It
-The values are pointers.
-Formally, they are of the type
-.Vt const char * ,
-but in practice, pointers of other types, for example
-.Vt EVP_CIPHER *
-or
-.Vt EVP_MD * ,
-are often stored as values
-and cast back to the correct type on retrieval.
-.It
-The array supports type-specific aliases for names.
-.El
-.Pp
-.Fn OBJ_NAME_add
-removes the key-value pair or alias with the key
-.Pq Fa name , type
-in the same way as
-.Fn OBJ_NAME_remove
-and inserts a key-value pair with the specified
-.Fa name ,
-.Fa type ,
-and
-.Fa value .
-If the bit
-.Dv OBJ_NAME_ALIAS
-is set in the
-.Fa type
-argument, that bit is cleared before using the
-.Fa type
-and the key
-.Pq Fa name , type
-becomes an alias for the key
-.Pq Fa value , type
-instead of setting a value.
-It is not checked whether the key
-.Pq Fa value , type
-already exists.
-Consequently, it is possible to define an alias
-before setting the associated value.
-.Pp
-.Fn OBJ_NAME_remove
-removes the key-value pair or alias with the key
-.Pq Fa name , type
-from the array, if it exists.
-Otherwise, it has no effect.
-If the bit
-.Dv OBJ_NAME_ALIAS
-is set in the
-.Fa type
-argument, it is ignored and cleared before using the
-.Fa type .
-If the
-.Fa type
-is an application-defined type added with
-.Fn OBJ_NAME_new_index
-and the
-.Fa free_func
-associated with the
-.Fa type
-is not a
-.Dv NULL
-pointer, it is called with the
-.Fa name ,
-.Fa type ,
-and
-.Fa value
-of the key-value pair being removed or with the
-.Fa name ,
-.Fa type ,
-and alias target name of the alias being removed.
-In typical usage, this function might free the
-.Fa name ,
-and it might free the
-.Fa value
-in a type-specific way.
-.Pp
-.Fn OBJ_NAME_get
-looks up the key
-.Pq Fa name , type ,
-recursively resolving up to ten aliases if needed.
-If the bit
-.Dv OBJ_NAME_ALIAS
-is set in the
-.Fa type
-argument, it is cleared before using the
-.Fa type ,
-processing of aliases is disabled, and if
-.Pq Fa name , type
-is an alias, the target name of the alias is returned instead of a value.
-.Pp
-.Fn OBJ_NAME_new_index
-assigns the smallest unassigned positive integer number
-to represent a new, application-defined
-.Fa type .
-The three function pointers will be used, respectively,
-to hash a name for this type, to compare two names for this type,
-and to free the contents of a key-value pair holding the given
-.Fa name ,
-.Fa type ,
-and
-.Fa value .
-If the
-.Fa hash_func
-argument is a
-.Dv NULL
-pointer,
-.Xr lh_strhash 3
-is used instead.
-If the
-.Fa cmp_func
-argument is a
-.Dv NULL
-pointer,
-.Xr strcmp 3
-is used instead.
-If the
-.Fa free_func
-argument is a
-.Dv NULL
-pointer, the
-.Fa name
-and
-.Fa value
-pointers contained in the key-value pair are not freed,
-only the structure representing the pair itself is.
-This default behaviour is also used for the built-in types.
-.Pp
-.Fn OBJ_NAME_init
-initializes the array.
-After initialization, the array is empty.
-Calling
-.Fn OBJ_NAME_init
-when the array is already initialized has no effect.
-Application programs do not need to call this function because
-.Fn OBJ_NAME_add
-and
-.Fn OBJ_NAME_get
-automatically call it whenever needed.
-.Pp
-.Fn OBJ_NAME_cleanup
-removes all key-value pairs and aliases of the given
-.Fa type
-from the array by calling
-.Fn OBJ_NAME_remove
-on every such pair and alias.
-If the
-.Fa type
-argument is negative, it removes all key-value pairs and aliases
-of any type and also reverses all effects of
-.Fn OBJ_NAME_new_index
-and
-.Fn OBJ_NAME_init ,
-in particular resetting the list of types to the predefined types
-and releasing all memory reserved by these functions.
-.Pp
-The
-.Vt OBJ_NAME
-structure represents one key-value pair or one alias with the key
-.Pq Fa name , type .
-If the
-.Fa alias
-field is 0, the
-.Fa data
-field contains the value; otherwise, it contains the alias target name.
-.Sh RETURN VALUES
-.Fn OBJ_NAME_add
-and
-.Fn OBJ_NAME_init
-return 1 on success or 0 if memory allocation fails.
-.Pp
-.Fn OBJ_NAME_remove
-returns 1 if one key-value pair or alias was removed or 0 otherwise.
-.Pp
-.Fn OBJ_NAME_get
-returns the
-.Fa value
-associated with the key
-.Pq Fa name , type
-or
-.Dv NULL
-if
-.Fa name
-is
-.Dv NULL ,
-if the array does not contain a value for this key,
-or if more than ten aliases are encountered before finding a value.
-.Pp
-.Fn OBJ_NAME_new_index
-returns a positive integer greater than or equal to
-.Dv OBJ_NAME_TYPE_NUM
-representing the new type or 0 if memory allocation fails.
-.Sh SEE ALSO
-.Xr EVP_cleanup 3 ,
-.Xr EVP_get_cipherbyname 3 ,
-.Xr EVP_get_digestbyname 3 ,
-.Xr lh_new 3 ,
-.Xr OBJ_create 3 ,
-.Xr OBJ_nid2obj 3
-.Sh BUGS
-Calling
-.Fn OBJ_NAME_get
-with the bit
-.Dv OBJ_NAME_ALIAS
-is not very useful because there is no way to tell
-whether the returned pointer points to a value or to a name,
-short of calling the function again without setting the bit
-and comparing the two returned pointers.
-.Pp
-The
-.Fa free_func
-has no way to tell whether its
-.Fa value
-argument is indeed of the given
-.Fa type
-or whether it is merely the target name of an alias.
-Consequently, to use values of a type
-that requires more cleanup than merely calling
-.Xr free 3
-on it, instances of the type need to begin with a magic number or string
-that cannot occur at the beginning of a name.
diff --git a/src/lib/libcrypto/man/OBJ_create.3 b/src/lib/libcrypto/man/OBJ_create.3
deleted file mode 100644
index fa5bde3dd3..0000000000
--- a/src/lib/libcrypto/man/OBJ_create.3
+++ /dev/null
@@ -1,249 +0,0 @@
-.\" $OpenBSD: OBJ_create.3,v 1.10 2024/01/31 08:02:53 tb Exp $
-.\" full merge up to:
-.\" OpenSSL OBJ_nid2obj.pod 9b86974e Aug 17 15:21:33 2015 -0400
-.\" selective merge up to:
-.\" OpenSSL OBJ_nid2obj.pod 0c5bc96f Mar 15 13:57:22 2022 +0000
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2017, 2021, 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2006 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 31 2024 $
-.Dt OBJ_CREATE 3
-.Os
-.Sh NAME
-.Nm OBJ_new_nid ,
-.Nm OBJ_add_object ,
-.Nm OBJ_create ,
-.\" OBJ_create_and_add_object is a deprecated, unused alias for OBJ_create(3).
-.Nm OBJ_create_objects ,
-.Nm OBJ_cleanup
-.Nd modify the table of ASN.1 object identifiers
-.Sh SYNOPSIS
-.In openssl/objects.h
-.Ft int
-.Fn OBJ_new_nid "int increment"
-.Ft int
-.Fn OBJ_add_object "const ASN1_OBJECT *object"
-.Ft int
-.Fo OBJ_create
-.Fa "const char *oid"
-.Fa "const char *sn"
-.Fa "const char *ln"
-.Fc
-.Ft int
-.Fn OBJ_create_objects "BIO *in_bio"
-.Ft void
-.Fn OBJ_cleanup void
-.Sh DESCRIPTION
-.Fn OBJ_new_nid
-returns the smallest currently unassigned ASN.1 numeric
-object identifier (NID) and reserves
-.Fa increment
-consecutive NIDs starting with it.
-Passing an argument of 1 is usually recommended.
-The return value can be assigned to a new object by passing it as the
-.Fa nid
-argument to
-.Xr ASN1_OBJECT_create 3
-and by passing the resulting object to
-.Fn OBJ_add_object .
-.Pp
-.Fn OBJ_add_object
-adds a copy of the
-.Fa object
-to the internal table of ASN.1 object identifiers for use by
-.Xr OBJ_nid2obj 3
-and related functions.
-.Pp
-.Fn OBJ_create
-provides a simpler way to add a new object to the internal table.
-.Fa oid
-is the numerical form of the object,
-.Fa sn
-the short name and
-.Fa ln
-the long name.
-A new NID is automatically assigned using
-.Fn OBJ_new_nid .
-.Pp
-.Fn OBJ_create_objects
-reads text lines of the form
-.Pp
-.D1 Fa oid sn ln
-.Pp
-from
-.Fa in_bio
-and calls
-.Fn OBJ_create oid sn ln
-for every line read.
-The three fields of the input lines
-are separated by one or more whitespace characters.
-.Pp
-For all three functions, the objects added to the internal table and
-all the data contained in them is marked as not dynamically allocated.
-Consequently, retrieving them with
-.Xr OBJ_nid2obj 3
-or a similar function and then calling
-.Xr ASN1_OBJECT_free 3
-on the returned pointer will have no effect.
-.Pp
-.Fn OBJ_cleanup
-resets the internal object table to its default state,
-removing and freeing all objects that were added with
-.Fn OBJ_add_object ,
-.Fn OBJ_create ,
-or
-.Fn OBJ_create_objects .
-.Sh RETURN VALUES
-.Fn OBJ_new_nid
-returns the new NID.
-.Pp
-.Fn OBJ_add_object
-returns the NID of the added
-.Fa object
-or
-.Dv NID_undef
-if no object was added because the
-.Fa object
-argument was
-.Dv NULL ,
-did not contain an NID, or memory allocation failed.
-.Pp
-.Fn OBJ_create
-returns the new NID or
-.Dv NID_undef
-if
-.Fa oid
-is not a valid representation of an object identifier
-or if memory allocation fails.
-.Pp
-.Fn OBJ_create_objects
-returns the number of objects added.
-.Pp
-In some cases of failure of
-.Fn OBJ_add_object ,
-.Fn OBJ_create ,
-and
-.Fn OBJ_create_objects ,
-the reason can be determined with
-.Xr ERR_get_error 3 .
-.Sh EXAMPLES
-Create a new NID and initialize an object from it:
-.Bd -literal -offset indent
-int new_nid;
-ASN1_OBJECT *obj;
-
-new_nid = OBJ_create("1.2.3.4", "NewOID", "New Object Identifier");
-obj = OBJ_nid2obj(new_nid);
-.Ed
-.Sh SEE ALSO
-.Xr ASN1_OBJECT_new 3 ,
-.Xr OBJ_nid2obj 3
-.Sh HISTORY
-.Fn OBJ_new_nid ,
-.Fn OBJ_add_object ,
-and
-.Fn OBJ_cleanup
-first appeared in SSLeay 0.8.0 and
-.Fn OBJ_create
-in SSLeay 0.9.0.
-These functions have been available since
-.Ox 2.4 .
-.Sh CAVEATS
-.Fn OBJ_add_object
-indicates success even after adding an incomplete object that was created with
-.Xr ASN1_OBJECT_create 3
-but lacks a short name, a long name, or an OID.
-.Pp
-Even
-.Fn OBJ_create
-tolerates
-.Dv NULL
-pointers being passed for the
-.Fa sn
-and/or
-.Fa ln
-arguments, in which case
-.Xr OBJ_nid2sn 3
-and
-.Xr OBJ_sn2nid 3
-or
-.Xr OBJ_nid2ln 3
-and
-.Xr OBJ_ln2nid 3
-will not work on the added object, respectively.
-.Sh BUGS
-.Fn OBJ_new_nid
-does not reserve any return value to indicate an error.
-Consequently, to avoid conflicting NID assignments and integer overflows,
-care must be taken to not pass negative, zero, or large arguments to
-.Fn OBJ_new_nid .
-.Pp
-.Fn OBJ_create_objects
-does not distinguish between end of file, I/O errors, temporary
-unavailability of data on a non-blocking BIO, invalid input syntax,
-and memory allocation failure.
-In all these cases, reading is aborted and the number of objects
-that were already added is returned.
diff --git a/src/lib/libcrypto/man/OBJ_find_sigid_algs.3 b/src/lib/libcrypto/man/OBJ_find_sigid_algs.3
deleted file mode 100644
index 1d7a2b649b..0000000000
--- a/src/lib/libcrypto/man/OBJ_find_sigid_algs.3
+++ /dev/null
@@ -1,89 +0,0 @@
-.\" $OpenBSD: OBJ_find_sigid_algs.3,v 1.2 2024/01/31 08:02:53 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: January 31 2024 $
-.Dt OBJ_FIND_SIGID_ALGS 3
-.Os
-.Sh NAME
-.Nm OBJ_find_sigid_algs ,
-.Nm OBJ_find_sigid_by_algs
-.Nd signature algorithm mappings
-.Sh SYNOPSIS
-.In openssl/objects.h
-.Ft int
-.Fo OBJ_find_sigid_algs
-.Fa "int signature"
-.Fa "int *pdigest"
-.Fa "int *pencryption"
-.Fc
-.Ft int
-.Fo OBJ_find_sigid_by_algs
-.Fa "int *psignature"
-.Fa "int digest"
-.Fa "int encryption"
-.Fc
-.Sh DESCRIPTION
-.Fn OBJ_find_sigid_algs
-looks up the
-.Fa signature
-algorithm.
-If it is found, the associated digest algorithm is stored in
-.Pf * Fa pdigest
-unless
-.Fa pdigest
-is a
-.Dv NULL
-pointer, and the associated encryption algorithm is stored in
-.Pf * Fa pencryption
-unless
-.Fa pencryption
-is a
-.Dv NULL
-pointer.
-.Pp
-.Fn OBJ_find_sigid_by_algs
-looks up the pair
-.Pq Fa digest , encryption .
-If it is found, the associated signature algorithm is stored in
-.Pf * Fa psignature
-unless
-.Fa psignature
-is a
-.Dv NULL
-pointer.
-.Sh RETURN VALUES
-.Fn OBJ_find_sigid_algs
-returns 1 if a definition of the
-.Fa signature
-algorithm is found or 0 if a definition of the
-.Fa signature
-algorithm is not built into the library.
-.Pp
-.Fn OBJ_find_sigid_by_algs
-returns 1 if a signature algorithm using the specified
-.Fa digest
-and
-.Fa encryption
-algorithms is defined or 0 if the definition of such an algorithm
-is not built into the library.
-.Sh SEE ALSO
-.Xr EVP_cleanup 3 ,
-.Xr OBJ_create 3 ,
-.Xr OBJ_nid2obj 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.0
-and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/OBJ_nid2obj.3 b/src/lib/libcrypto/man/OBJ_nid2obj.3
deleted file mode 100644
index ccab1ed30c..0000000000
--- a/src/lib/libcrypto/man/OBJ_nid2obj.3
+++ /dev/null
@@ -1,521 +0,0 @@
-.\" $OpenBSD: OBJ_nid2obj.3,v 1.22 2024/01/31 08:02:53 tb Exp $
-.\" full merge up to: OpenSSL c264592d May 14 11:28:00 2006 +0000
-.\" selective merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2017, 2021, 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2006, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 31 2024 $
-.Dt OBJ_NID2OBJ 3
-.Os
-.Sh NAME
-.Nm OBJ_nid2obj ,
-.Nm OBJ_nid2ln ,
-.Nm OBJ_nid2sn ,
-.Nm OBJ_obj2nid ,
-.Nm OBJ_ln2nid ,
-.Nm OBJ_sn2nid ,
-.Nm OBJ_txt2nid ,
-.Nm OBJ_txt2obj ,
-.Nm OBJ_obj2txt ,
-.Nm OBJ_cmp ,
-.Nm OBJ_dup ,
-.Nm i2t_ASN1_OBJECT ,
-.Nm i2a_ASN1_OBJECT
-.Nd inspect and create ASN.1 object identifiers
-.Sh SYNOPSIS
-.In openssl/objects.h
-.Ft ASN1_OBJECT *
-.Fo OBJ_nid2obj
-.Fa "int nid"
-.Fc
-.Ft const char *
-.Fo OBJ_nid2ln
-.Fa "int nid"
-.Fc
-.Ft const char *
-.Fo OBJ_nid2sn
-.Fa "int nid"
-.Fc
-.Ft int
-.Fo OBJ_obj2nid
-.Fa "const ASN1_OBJECT *object"
-.Fc
-.Ft int
-.Fo OBJ_ln2nid
-.Fa "const char *ln"
-.Fc
-.Ft int
-.Fo OBJ_sn2nid
-.Fa "const char *sn"
-.Fc
-.Ft int
-.Fo OBJ_txt2nid
-.Fa "const char *s"
-.Fc
-.Ft ASN1_OBJECT *
-.Fo OBJ_txt2obj
-.Fa "const char *s"
-.Fa "int no_name"
-.Fc
-.Ft int
-.Fo OBJ_obj2txt
-.Fa "char *buf"
-.Fa "int buf_len"
-.Fa "const ASN1_OBJECT *object"
-.Fa "int no_name"
-.Fc
-.Ft int
-.Fo OBJ_cmp
-.Fa "const ASN1_OBJECT *a"
-.Fa "const ASN1_OBJECT *b"
-.Fc
-.Ft ASN1_OBJECT *
-.Fo OBJ_dup
-.Fa "const ASN1_OBJECT *object"
-.Fc
-.In openssl/asn1.h
-.Ft int
-.Fo i2t_ASN1_OBJECT
-.Fa "char *buf"
-.Fa "int buf_len"
-.Fa "const ASN1_OBJECT *object"
-.Fc
-.Ft int
-.Fo i2a_ASN1_OBJECT
-.Fa "BIO *out_bio"
-.Fa "const ASN1_OBJECT *object"
-.Fc
-.Sh DESCRIPTION
-The ASN.1 object utility functions process
-.Vt ASN1_OBJECT
-structures, in the following called
-.Dq objects .
-An object represents an ASN.1
-.Vt OBJECT IDENTIFIER
-.Pq OID .
-The library maintains an internal global table of objects.
-Many of these objects are built into the library
-and contained in the global table by default.
-The application program can add additional objects to the global table
-by using functions documented in the
-.Xr OBJ_create 3
-manual page.
-Consequently, there are three classes of objects:
-built-in table objects, user-defined table objects, and non-table objects.
-.Pp
-In addition to the OID, each object can hold
-a long name, a short name, and a numerical identifier (NID).
-Even though the concept of NIDs is specific to the library
-and not standardized, using the NID is often the most convenient way
-for source code to refer to a specific OID.
-The NIDs of the built-in objects are available as defined constants.
-.Pp
-Built-in table objects have certain advantages
-over objects that are not in the global table:
-for example, their NIDs can be used in C language switch statements.
-They are also shared:
-there is only a single static constant structure for each built-on OID.
-.Pp
-Some functions operate on table objects only:
-.Pp
-.Fn OBJ_nid2obj
-retrieves the table object associated with the
-.Fa nid .
-.Fn OBJ_nid2ln
-and
-.Fn OBJ_nid2sn
-retrieve its long and short name, respectively.
-.Pp
-.Fn OBJ_obj2nid
-retrieves the NID associated with the given
-.Fa object ,
-which is either the NID stored in the
-.Fa object
-itself, if any, or otherwise the NID stored in a table object
-containing the same OID.
-.Pp
-.Fn OBJ_ln2nid
-and
-.Fn OBJ_sn2nid
-retrieve the NID from the table object with the long name
-.Fa ln
-or the short name
-.Fa sn ,
-respectively.
-.Pp
-.Fn OBJ_txt2nid
-retrieves the NID from the table object described by the text string
-.Fa s ,
-which can be a long name, a short name,
-or the numerical representation of an OID.
-.Pp
-The remaining functions can be used both on table objects
-and on objects that are not in the global table:
-.Pp
-.Fn OBJ_txt2obj
-retrieves or creates an object matching the text string
-.Fa s .
-If
-.Fa no_name
-is 1, only the numerical representation of an OID is accepted.
-If
-.Fa no_name
-is 0, long names and short names are accepted as well.
-.Pp
-.Fn OBJ_obj2txt
-writes a NUL terminated textual representation
-of the OID contained in the given
-.Fa object
-into
-.Fa buf .
-At most
-.Fa buf_len
-bytes are written, truncating the result if necessary.
-The total amount of space required is returned.
-If
-.Fa no_name
-is 0 and the table object containing the same OID
-contains a long name, the long name is written.
-Otherwise, if
-.Fa no_name
-is 0 and the table object containing the same OID
-contains a short name, the short name is written.
-Otherwise, the numerical representation of the OID is written.
-.Pp
-.Fn i2t_ASN1_OBJECT
-is the same as
-.Fn OBJ_obj2txt
-with
-.Fa no_name
-set to 0.
-.Pp
-.Fn i2a_ASN1_OBJECT
-writes a textual representation of the OID contained in the given
-.Fa object
-to
-.Fa out_bio
-using
-.Xr BIO_write 3 .
-It does not write a terminating NUL byte.
-If the
-.Fa object
-argument is
-.Dv NULL
-or contains no OID, it writes the 4-byte string
-.Qq NULL .
-If
-.Fn i2t_ASN1_OBJECT
-fails,
-.Fn i2a_ASN1_OBJECT
-writes the 9-byte string
-.Qq <INVALID> .
-Otherwise, it writes the string constructed with
-.Fn i2t_ASN1_OBJECT .
-.Pp
-.Fn OBJ_cmp
-tests whether
-.Fa a
-and
-.Fa b
-represent the same ASN.1
-.Vt OBJECT IDENTIFIER .
-Any names and NIDs contained in the two objects are ignored,
-even if they differ between both objects.
-.Pp
-.Fn OBJ_dup
-returns a deep copy of the given
-.Fa object
-if it is marked as dynamically allocated.
-The new object and all data contained in it are marked as dynamically
-allocated.
-If the given
-.Fa object
-is not marked as dynamically allocated,
-.Fn OBJ_dup
-just returns a pointer to the
-.Fa object
-itself.
-.Sh RETURN VALUES
-Application code should treat all returned values \(em
-objects, names, and NIDs \(em as constants.
-.Pp
-.Fn OBJ_nid2obj
-returns a pointer to a table object owned by the library or
-.Dv NULL
-if no matching table object is found.
-.Pp
-.Fn OBJ_nid2ln
-and
-.Fn OBJ_nid2sn
-return a pointer to a string owned by a table object or
-.Dv NULL
-if no matching table object is found.
-For
-.Dv NID_undef ,
-they return the constant static strings
-.Qq undefined
-and
-.Qq UNDEF ,
-respectively.
-.Pp
-.Fn OBJ_obj2nid
-returns an NID on success, or
-.Dv NID_undef
-if
-.Fa object
-is
-.Dv NULL ,
-does not contain an OID,
-if no table object matching the OID is found,
-or if the matching object does not contain an NID.
-.Pp
-.Fn OBJ_ln2nid
-and
-.Fn OBJ_sn2nid
-return an NID on success or
-.Dv NID_undef
-if no matching table object is found
-or if the matching object does not contain an NID.
-.Pp
-.Fn OBJ_txt2nid
-returns an NID on success or
-.Dv NID_undef
-if parsing of
-.Fa s
-or memory allocation fails, if no matching table object is found,
-or if the matching object does not contain an NID.
-.Pp
-.Fn OBJ_txt2obj
-returns a pointer to a table object owned by the library if lookup of
-.Fa s
-as a long or short name succeeds.
-Otherwise, it returns a newly created object,
-transferring ownership to the caller, or
-.Dv NULL
-if parsing of
-.Fa s
-or memory allocation fails.
-.Pp
-.Fn OBJ_obj2txt
-and
-.Fn i2t_ASN1_OBJECT
-return the amount of space required in bytes,
-including the terminating NUL byte,
-or zero if an error occurs before the required space can be calculated,
-in particular if
-.Fa buf_len
-is negative,
-.Fa object
-is
-.Dv NULL
-or does not contain an OID,
-or if memory allocation fails.
-.Pp
-.Fn OBJ_cmp
-returns 0 if both objects refer to the same OID
-or neither of them are associated with any OID,
-or a non-zero value if at least one of them refers to an OID
-but the other one does not refer to the same OID.
-.Pp
-.Fn OBJ_dup
-returns the pointer to the original
-.Fa object
-if it is not marked as dynamically allocated.
-Otherwise, it returns a newly created object,
-transferring ownership to the caller, or
-.Dv NULL
-if
-.Fa object
-is
-.Dv NULL
-or memory allocation fails.
-.Pp
-.Fn i2a_ASN1_OBJECT
-returns the number of bytes written, even if the given
-.Fa object
-is invalid or contains invalid data,
-but a negative value if memory allocation or a write operation fails.
-.Pp
-In some cases of failure of
-.Fn OBJ_nid2obj ,
-.Fn OBJ_nid2ln ,
-.Fn OBJ_nid2sn ,
-.Fn OBJ_txt2nid ,
-.Fn OBJ_txt2obj ,
-.Fn OBJ_obj2txt ,
-.Fn OBJ_dup ,
-.Fn i2t_ASN1_OBJECT ,
-and
-.Fn i2a_ASN1_OBJECT ,
-the reason can be determined with
-.Xr ERR_get_error 3 .
-.Sh EXAMPLES
-Retrieve the object for
-.Sy commonName :
-.Bd -literal -offset indent
-ASN1_OBJECT *object;
-object = OBJ_nid2obj(NID_commonName);
-.Ed
-.Pp
-Check whether an object contains the OID for
-.Sy commonName :
-.Bd -literal -offset indent
-if (OBJ_obj2nid(object) == NID_commonName)
-        /* Do something */
-.Ed
-.Pp
-Create a new object directly:
-.Bd -literal -offset indent
-object = OBJ_txt2obj("1.2.3.4", 1);
-.Ed
-.Sh SEE ALSO
-.Xr ASN1_OBJECT_new 3 ,
-.Xr BIO_new 3 ,
-.Xr d2i_ASN1_OBJECT 3 ,
-.Xr OBJ_create 3
-.Sh HISTORY
-.Fn OBJ_nid2obj ,
-.Fn OBJ_nid2ln ,
-.Fn OBJ_nid2sn ,
-.Fn OBJ_obj2nid ,
-.Fn OBJ_ln2nid ,
-.Fn OBJ_sn2nid ,
-.Fn OBJ_txt2nid ,
-.Fn OBJ_cmp ,
-and
-.Fn OBJ_dup
-first appeared in SSLeay 0.5.1.
-.Fn i2a_ASN1_OBJECT
-first appeared in SSLeay 0.6.0, and
-.Fn i2t_ASN1_OBJECT
-in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn OBJ_txt2obj
-first appeared in OpenSSL 0.9.2b.
-.Fn OBJ_obj2txt
-first appeared in OpenSSL 0.9.4.
-Both functions have been available since
-.Ox 2.6 .
-.Sh CAVEATS
-The API contract of
-.Fn OBJ_txt2obj
-when called with a
-.Fa no_name
-argument of 0 and of
-.Fn OBJ_dup
-is scary in so far as the caller cannot find out from the returned
-object whether it is owned by the library or whether ownership was
-transferred to the caller.
-Consequently, it is best practice to assume that ownership of the object
-may have been transferred and call
-.Xr ASN1_OBJECT_free 3
-on the returned object when the caller no longer needs it.
-In case the library retained ownership of the returned object,
-.Xr ASN1_OBJECT_free 3
-has no effect and is harmless.
-.Pp
-Objects returned from
-.Fn OBJ_txt2obj
-with a
-.Fa no_name
-argument of 1 always require
-.Xr ASN1_OBJECT_free 3
-to prevent memory leaks.
-.Pp
-Objects returned from
-.Fn OBJ_nid2obj
-never require
-.Xr ASN1_OBJECT_free 3 ,
-but calling it anyway has no effect and is harmless.
-.Sh BUGS
-Usually, an object is expected to contain an NID other than
-.Dv NID_undef
-if and only if it is a table object.
-However, this is not an invariant guaranteed by the API.
-In particular,
-.Xr ASN1_OBJECT_create 3
-allows the creation of non-table objects containing bogus NIDs.
-.Fn OBJ_obj2nid
-returns such bogus NIDs even though
-.Fn OBJ_nid2obj
-cannot use them for retrieval.
-On top of that, the global table contains one built-in object with an NID of
-.Dv NID_undef .
-.Pp
-.Fn OBJ_obj2txt
-is awkward and messy to use: it doesn't follow the convention of other
-OpenSSL functions where the buffer can be set to
-.Dv NULL
-to determine the amount of data that should be written.
-Instead
-.Fa buf
-must point to a valid buffer and
-.Fa buf_len
-should be set to a positive value.
-A buffer length of 80 should be more than enough to handle any OID
-encountered in practice.
diff --git a/src/lib/libcrypto/man/OCSP_CRLID_new.3 b/src/lib/libcrypto/man/OCSP_CRLID_new.3
deleted file mode 100644
index 6feb608654..0000000000
--- a/src/lib/libcrypto/man/OCSP_CRLID_new.3
+++ /dev/null
@@ -1,113 +0,0 @@
-.\"     $OpenBSD: OCSP_CRLID_new.3,v 1.8 2022/01/15 23:38:50 jsg Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: January 15 2022 $
-.Dt OCSP_CRLID_NEW 3
-.Os
-.Sh NAME
-.Nm OCSP_CRLID_new ,
-.Nm OCSP_CRLID_free ,
-.Nm OCSP_crlID_new
-.Nd OCSP CRL extension
-.Sh SYNOPSIS
-.In openssl/ocsp.h
-.Ft OCSP_CRLID *
-.Fn OCSP_CRLID_new void
-.Ft void
-.Fn OCSP_CRLID_free "OCSP_CRLID *crlid"
-.Ft X509_EXTENSION *
-.Fo OCSP_crlID_new
-.Fa "const char *url"
-.Fa "long *number"
-.Fa "char *time"
-.Fc
-.Sh DESCRIPTION
-If a client asks about the validity of a certificate and it turns
-out to be invalid, the responder may optionally communicate which
-certificate revocation list the certificate was found on.
-The required data is stored as an ASN.1
-.Vt CrlID
-structure in the singleExtensions field of the
-.Vt SingleResponse
-structure.
-The
-.Vt CrlID
-is represented by an
-.Vt OCSP_CRLID
-object, which will be stored inside the
-.Vt OCSP_SINGLERESP
-object documented in
-.Xr OCSP_SINGLERESP_new 3 .
-.Pp
-.Fn OCSP_CRLID_new
-allocates and initializes an empty
-.Vt OCSP_CRLID
-object.
-.Fn OCSP_CRLID_free
-frees
-.Fa crlid .
-.Pp
-.Fn OCSP_crlID_new
-accepts the
-.Fa url
-at which the CRL is available, the CRL
-.Fa number ,
-and/or the
-.Fa time
-at which the CRL was created.
-Each argument can be
-.Dv NULL ,
-in which case the respective field is omitted.
-The resulting
-.Vt CrlID
-structure is encoded in ASN.1 using
-.Xr X509V3_EXT_i2d 3
-with criticality 0.
-.Sh RETURN VALUES
-.Fn OCSP_CRLID_new
-returns a new
-.Vt OCSP_CRLID
-object or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn OCSP_crlID_new
-returns a new
-.Vt X509_EXTENSION
-object or
-.Dv NULL
-if an error occurred.
-.Sh SEE ALSO
-.Xr OCSP_REQUEST_new 3 ,
-.Xr OCSP_resp_find_status 3 ,
-.Xr OCSP_response_status 3 ,
-.Xr X509_EXTENSION_new 3
-.Sh STANDARDS
-RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate
-Status Protocol, section 4.4.2: CRL References
-.Sh HISTORY
-.Fn OCSP_CRLID_new ,
-.Fn OCSP_CRLID_free ,
-and
-.Fn OCSP_crlID_new
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Sh CAVEATS
-The function names
-.Fn OCSP_CRLID_new
-and
-.Fn OCSP_crlID_new
-only differ in case.
diff --git a/src/lib/libcrypto/man/OCSP_REQUEST_new.3 b/src/lib/libcrypto/man/OCSP_REQUEST_new.3
deleted file mode 100644
index a304f60160..0000000000
--- a/src/lib/libcrypto/man/OCSP_REQUEST_new.3
+++ /dev/null
@@ -1,329 +0,0 @@
-.\"     $OpenBSD: OCSP_REQUEST_new.3,v 1.12 2022/02/19 13:09:36 jsg Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2014, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: February 19 2022 $
-.Dt OCSP_REQUEST_NEW 3
-.Os
-.Sh NAME
-.Nm OCSP_REQUEST_new ,
-.Nm OCSP_REQUEST_free ,
-.Nm OCSP_SIGNATURE_new ,
-.Nm OCSP_SIGNATURE_free ,
-.Nm OCSP_REQINFO_new ,
-.Nm OCSP_REQINFO_free ,
-.Nm OCSP_ONEREQ_new ,
-.Nm OCSP_ONEREQ_free ,
-.Nm OCSP_request_add0_id ,
-.Nm OCSP_request_sign ,
-.Nm OCSP_request_add1_cert ,
-.Nm OCSP_request_onereq_count ,
-.Nm OCSP_request_onereq_get0
-.Nd OCSP request functions
-.Sh SYNOPSIS
-.In openssl/ocsp.h
-.Ft OCSP_REQUEST *
-.Fn OCSP_REQUEST_new void
-.Ft void
-.Fn OCSP_REQUEST_free "OCSP_REQUEST *req"
-.Ft OCSP_SIGNATURE *
-.Fn OCSP_SIGNATURE_new void
-.Ft void
-.Fn OCSP_SIGNATURE_free "OCSP_SIGNATURE *signature"
-.Ft OCSP_REQINFO *
-.Fn OCSP_REQINFO_new void
-.Ft void
-.Fn OCSP_REQINFO_free "OCSP_REQINFO *reqinfo"
-.Ft OCSP_ONEREQ *
-.Fn OCSP_ONEREQ_new void
-.Ft void
-.Fn OCSP_ONEREQ_free "OCSP_ONEREQ *onereq"
-.Ft OCSP_ONEREQ *
-.Fo OCSP_request_add0_id
-.Fa "OCSP_REQUEST *req"
-.Fa "OCSP_CERTID *cid"
-.Fc
-.Ft int
-.Fo OCSP_request_sign
-.Fa "OCSP_REQUEST *req"
-.Fa "X509 *signer"
-.Fa "EVP_PKEY *key"
-.Fa "const EVP_MD *dgst"
-.Fa "STACK_OF(X509) *certs"
-.Fa "unsigned long flags"
-.Fc
-.Ft int
-.Fo OCSP_request_add1_cert
-.Fa "OCSP_REQUEST *req"
-.Fa "X509 *cert"
-.Fc
-.Ft int
-.Fo OCSP_request_onereq_count
-.Fa "OCSP_REQUEST *req"
-.Fc
-.Ft OCSP_ONEREQ *
-.Fo OCSP_request_onereq_get0
-.Fa "OCSP_REQUEST *req"
-.Fa "int i"
-.Fc
-.Sh DESCRIPTION
-.Fn OCSP_REQUEST_new
-allocates and initializes an empty
-.Vt OCSP_REQUEST
-object, representing an ASN.1
-.Vt OCSPRequest
-structure defined in RFC 6960.
-.Fn OCSP_REQUEST_free
-frees
-.Fa req .
-.Pp
-.Fn OCSP_SIGNATURE_new
-allocates and initializes an empty
-.Vt OCSP_SIGNATURE
-object, representing an ASN.1
-.Vt Signature
-structure defined in RFC 6960.
-Such an object is used inside
-.Vt OCSP_REQUEST .
-.Fn OCSP_SIGNATURE_free
-frees
-.Fa signature .
-.Pp
-.Fn OCSP_REQINFO_new
-allocates and initializes an empty
-.Vt OCSP_REQINFO
-object, representing an ASN.1
-.Vt TBSRequest
-structure defined in RFC 6960.
-Such an object is used inside
-.Vt OCSP_REQUEST .
-It asks about the validity of one or more certificates.
-.Fn OCSP_REQINFO_free
-frees
-.Fa reqinfo .
-.Pp
-.Fn OCSP_ONEREQ_new
-allocates and initializes an empty
-.Vt OCSP_ONEREQ
-object, representing an ASN.1
-.Vt Request
-structure defined in RFC 6960.
-Such objects are used inside
-.Vt OCSP_REQINFO .
-Each one asks about the validity of one certificate.
-.Fn OCSP_ONEREQ_free
-frees
-.Fa onereq .
-.Pp
-.Fn OCSP_request_add0_id
-adds certificate ID
-.Fa cid
-to
-.Fa req .
-It returns the
-.Vt OCSP_ONEREQ
-object added so an application can add additional extensions to the
-request.
-The
-.Fa cid
-parameter must not be freed up after the operation.
-.Pp
-.Fn OCSP_request_sign
-signs OCSP request
-.Fa req
-using certificate
-.Fa signer ,
-private key
-.Fa key ,
-digest
-.Fa dgst ,
-and additional certificates
-.Fa certs .
-If the
-.Fa flags
-option
-.Dv OCSP_NOCERTS
-is set, then no certificates will be included in the request.
-.Pp
-.Fn OCSP_request_add1_cert
-adds certificate
-.Fa cert
-to request
-.Fa req .
-The application is responsible for freeing up
-.Fa cert
-after use.
-.Pp
-.Fn OCSP_request_onereq_count
-returns the total number of
-.Vt OCSP_ONEREQ
-objects in
-.Fa req .
-.Pp
-.Fn OCSP_request_onereq_get0
-returns an internal pointer to the
-.Vt OCSP_ONEREQ
-contained in
-.Fa req
-of index
-.Fa i .
-The index value
-.Fa i
-runs from 0 to
-.Fn OCSP_request_onereq_count req No - 1 .
-.Pp
-.Fn OCSP_request_onereq_count
-and
-.Fn OCSP_request_onereq_get0
-are mainly used by OCSP responders.
-.Sh RETURN VALUES
-.Fn OCSP_REQUEST_new ,
-.Fn OCSP_SIGNATURE_new ,
-.Fn OCSP_REQINFO_new ,
-and
-.Fn OCSP_ONEREQ_new
-return an empty
-.Vt OCSP_REQUEST ,
-.Vt OCSP_SIGNATURE ,
-.Vt OCSP_REQINFO ,
-or
-.Vt OCSP_ONEREQ
-object, respectively, or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn OCSP_request_add0_id
-returns the
-.Vt OCSP_ONEREQ
-object containing
-.Fa cid
-or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn OCSP_request_sign
-and
-.Fn OCSP_request_add1_cert
-return 1 for success or 0 for failure.
-.Pp
-.Fn OCSP_request_onereq_count
-returns the total number of
-.Vt OCSP_ONEREQ
-objects in
-.Fa req .
-.Pp
-.Fn OCSP_request_onereq_get0
-returns a pointer to an
-.Vt OCSP_ONEREQ
-object or
-.Dv NULL
-if the index value is out of range.
-.Sh EXAMPLES
-Create an
-.Vt OCSP_REQUEST
-object for certificate
-.Fa cert
-with issuer
-.Fa issuer :
-.Bd -literal -offset indent
-OCSP_REQUEST *req;
-OCSP_ID *cid;
-
-req = OCSP_REQUEST_new();
-if (req == NULL)
-        /* error */
-cid = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
-if (cid == NULL)
-        /* error */
-
-if (OCSP_REQUEST_add0_id(req, cid) == NULL)
-        /* error */
-
- /* Do something with req, e.g. query responder */
-
-OCSP_REQUEST_free(req);
-.Ed
-.Sh SEE ALSO
-.Xr ACCESS_DESCRIPTION_new 3 ,
-.Xr crypto 3 ,
-.Xr d2i_OCSP_REQUEST 3 ,
-.Xr d2i_OCSP_RESPONSE 3 ,
-.Xr EVP_DigestInit 3 ,
-.Xr OCSP_cert_to_id 3 ,
-.Xr OCSP_CRLID_new 3 ,
-.Xr OCSP_request_add1_nonce 3 ,
-.Xr OCSP_resp_find_status 3 ,
-.Xr OCSP_response_status 3 ,
-.Xr OCSP_sendreq_new 3 ,
-.Xr OCSP_SERVICELOC_new 3 ,
-.Xr X509_ocspid_print 3
-.Sh STANDARDS
-RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate
-Status Protocol, section 4.1: Request Syntax
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7
-and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3 b/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3
deleted file mode 100644
index 62eb8c320f..0000000000
--- a/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3
+++ /dev/null
@@ -1,109 +0,0 @@
-.\" $OpenBSD: OCSP_SERVICELOC_new.3,v 1.8 2019/08/23 12:23:39 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: August 23 2019 $
-.Dt OCSP_SERVICELOC_NEW 3
-.Os
-.Sh NAME
-.Nm OCSP_SERVICELOC_new ,
-.Nm OCSP_SERVICELOC_free ,
-.Nm OCSP_url_svcloc_new
-.Nd OCSP service locator extension
-.Sh SYNOPSIS
-.In openssl/ocsp.h
-.Ft OCSP_SERVICELOC *
-.Fn OCSP_SERVICELOC_new void
-.Ft void
-.Fn OCSP_SERVICELOC_free "OCSP_SERVICELOC *sloc"
-.Ft X509_EXTENSION *
-.Fo OCSP_url_svcloc_new
-.Fa "X509_NAME *issuer"
-.Fa "const char **urls"
-.Fc
-.Sh DESCRIPTION
-Due to restrictions of network routing, a client may be unable to
-directly contact the authoritative OCSP server for a certificate
-that needs to be checked.
-In that case, the request can be sent via a proxy server.
-An ASN.1
-.Vt ServiceLocator
-structure is included in the singleRequestExtensions field of the
-.Vt Request
-structure to indicate where to forward the request.
-The
-.Vt ServiceLocator
-is represented by a
-.Vt OCSP_SERVICELOC
-object, which will be stored inside the
-.Vt OCSP_ONEREQ
-object documented in
-.Xr OCSP_ONEREQ_new 3 .
-.Pp
-.Fn OCSP_SERVICELOC_new
-allocates and initializes an empty
-.Vt OCSP_SERVICELOC
-object.
-.Fn OCSP_SERVICELOC_free
-frees
-.Fa sloc .
-.Pp
-.Fn OCSP_url_svcloc_new
-requires an
-.Fa issuer
-name and optionally accepts an array of
-.Fa urls .
-If
-.Fa urls
-or its first element is
-.Dv NULL ,
-the locator field is omitted from the
-.Vt ServiceLocator
-structure and only the issuer is included.
-The resulting
-.Vt ServiceLocator
-structure is encoded in ASN.1 using
-.Xr X509V3_EXT_i2d 3
-with criticality 0.
-.Sh RETURN VALUES
-.Fn OCSP_SERVICELOC_new
-returns a new
-.Vt OCSP_SERVICELOC
-object or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn OCSP_url_svcloc_new
-returns a new
-.Vt X509_EXTENSION
-object or
-.Dv NULL
-if an error occurred.
-.Sh SEE ALSO
-.Xr OCSP_REQUEST_new 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_get1_ocsp 3 ,
-.Xr X509_get_issuer_name 3 ,
-.Xr X509_NAME_new 3
-.Sh STANDARDS
-RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate
-Status Protocol, section 4.4.6: Service Locator
-.Sh HISTORY
-.Fn OCSP_SERVICELOC_new ,
-.Fn OCSP_SERVICELOC_free ,
-and
-.Fn OCSP_url_svcloc_new
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/OCSP_cert_to_id.3 b/src/lib/libcrypto/man/OCSP_cert_to_id.3
deleted file mode 100644
index e014a1d262..0000000000
--- a/src/lib/libcrypto/man/OCSP_cert_to_id.3
+++ /dev/null
@@ -1,239 +0,0 @@
-.\"     $OpenBSD: OCSP_cert_to_id.3,v 1.13 2024/08/24 19:31:09 tb Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2014, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 24 2024 $
-.Dt OCSP_CERT_TO_ID 3
-.Os
-.Sh NAME
-.Nm OCSP_CERTID_new ,
-.Nm OCSP_CERTID_free ,
-.Nm OCSP_cert_to_id ,
-.Nm OCSP_cert_id_new ,
-.Nm OCSP_id_issuer_cmp ,
-.Nm OCSP_id_cmp ,
-.Nm OCSP_id_get0_info
-.Nd OCSP certificate ID utility functions
-.Sh SYNOPSIS
-.In openssl/ocsp.h
-.Ft OCSP_CERTID *
-.Fn OCSP_CERTID_new void
-.Ft void
-.Fn OCSP_CERTID_free "OCSP_CERTID *id"
-.Ft OCSP_CERTID *
-.Fo OCSP_cert_to_id
-.Fa "const EVP_MD *dgst"
-.Fa "const X509 *subject"
-.Fa "const X509 *issuer"
-.Fc
-.Ft OCSP_CERTID *
-.Fo OCSP_cert_id_new
-.Fa "const EVP_MD *dgst"
-.Fa "const X509_NAME *issuerName"
-.Fa "const ASN1_BIT_STRING *issuerKey"
-.Fa "const ASN1_INTEGER *serialNumber"
-.Fc
-.Ft int
-.Fo OCSP_id_issuer_cmp
-.Fa "OCSP_CERTID *a"
-.Fa "OCSP_CERTID *b"
-.Fc
-.Ft int
-.Fo OCSP_id_cmp
-.Fa "OCSP_CERTID *a"
-.Fa "OCSP_CERTID *b"
-.Fc
-.Ft int
-.Fo OCSP_id_get0_info
-.Fa "ASN1_OCTET_STRING **piNameHash"
-.Fa "ASN1_OBJECT **pmd"
-.Fa "ASN1_OCTET_STRING **pikeyHash"
-.Fa "ASN1_INTEGER **pserial"
-.Fa "OCSP_CERTID *cid"
-.Fc
-.Sh DESCRIPTION
-.Fn OCSP_CERTID_new
-allocates and initializes an empty
-.Vt OCSP_CERTID
-object, representing an ASN.1
-.Vt CertID
-structure defined in RFC 6960.
-It can store hashes of an issuer's distinguished name and public
-key together with a serial number of a certificate.
-It is used by the
-.Vt OCSP_ONEREQ
-object described in
-.Xr OCSP_ONEREQ_new 3
-and by the
-.Vt OCSP_SINGLERESP
-object described in
-.Xr OCSP_SINGLERESP_new 3 .
-.Fn OCSP_CERTID_free
-frees
-.Fa id .
-.Pp
-.Fn OCSP_cert_to_id
-creates and returns a new
-.Vt OCSP_CERTID
-object using message digest
-.Fa dgst
-for certificate
-.Fa subject
-with issuer
-.Fa issuer .
-If
-.Fa dgst
-is
-.Dv NULL
-then SHA1 is used.
-.Pp
-.Fn OCSP_cert_id_new
-creates and returns a new
-.Vt OCSP_CERTID
-using
-.Fa dgst
-and issuer name
-.Fa issuerName ,
-issuer key hash
-.Fa issuerKey
-and serial number
-.Fa serialNumber .
-.Pp
-.Fn OCSP_id_issuer_cmp
-compares the hash algorithms,
-the hashed issuer distinguished names and
-the hashed public keys of
-.Vt OCSP_CERTID
-.Fa a
-and
-.Fa b .
-.Pp
-.Fn OCSP_id_cmp
-compares
-.Vt OCSP_CERTID
-.Fa a
-and
-.Fa b
-using
-.Fn OCSP_id_issuer_cmp
-followed by a comparison of the certificate serial numbers with
-.Xr ASN1_INTEGER_cmp 3 .
-.Pp
-.Fn OCSP_id_get0_info
-returns the issuer name hash, hash OID, issuer key hash and serial
-number contained in
-.Fa cid .
-If any of the values are not required, the corresponding parameter can be
-set to
-.Dv NULL .
-The values returned by
-.Fn OCSP_id_get0_info
-are internal pointers and must not be freed up by an application:
-they will be freed when the corresponding
-.Vt OCSP_CERTID
-object is freed.
-.Pp
-OCSP clients will typically only use
-.Fn OCSP_cert_to_id
-or
-.Fn OCSP_cert_id_new :
-the other functions are used by responder applications.
-.Sh RETURN VALUES
-.Fn OCSP_CERTID_new ,
-.Fn OCSP_cert_to_id ,
-and
-.Fn OCSP_cert_id_new
-return either a pointer to a valid
-.Vt OCSP_CERTID
-object or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn OCSP_id_cmp
-and
-.Fn OCSP_id_issuer_cmp
-return 0 for a match or non-zero otherwise.
-.Pp
-.Fn OCSP_id_get0_info
-returns 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr ASN1_INTEGER_cmp 3 ,
-.Xr EVP_DigestInit 3 ,
-.Xr OCSP_request_add1_nonce 3 ,
-.Xr OCSP_REQUEST_new 3 ,
-.Xr OCSP_resp_find_status 3 ,
-.Xr OCSP_response_status 3 ,
-.Xr OCSP_sendreq_new 3 ,
-.Xr X509_get_issuer_name 3 ,
-.Xr X509_NAME_new 3 ,
-.Xr X509_ocspid_print 3
-.Sh STANDARDS
-RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate
-Status Protocol, section 4: Details of the Protocol
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7
-and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/OCSP_request_add1_nonce.3 b/src/lib/libcrypto/man/OCSP_request_add1_nonce.3
deleted file mode 100644
index 036c937c61..0000000000
--- a/src/lib/libcrypto/man/OCSP_request_add1_nonce.3
+++ /dev/null
@@ -1,163 +0,0 @@
-.\"     $OpenBSD: OCSP_request_add1_nonce.3,v 1.4 2018/03/22 21:08:22 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2014, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 22 2018 $
-.Dt OCSP_REQUEST_ADD1_NONCE 3
-.Os
-.Sh NAME
-.Nm OCSP_request_add1_nonce ,
-.Nm OCSP_basic_add1_nonce ,
-.Nm OCSP_check_nonce ,
-.Nm OCSP_copy_nonce
-.Nd OCSP nonce functions
-.Sh SYNOPSIS
-.In openssl/ocsp.h
-.Ft int
-.Fo OCSP_request_add1_nonce
-.Fa "OCSP_REQUEST *req"
-.Fa "unsigned char *val"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo OCSP_basic_add1_nonce
-.Fa "OCSP_BASICRESP *resp"
-.Fa "unsigned char *val"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo OCSP_check_nonce
-.Fa "OCSP_REQUEST *req"
-.Fa "OCSP_BASICRESP *resp"
-.Fc
-.Ft int
-.Fo OCSP_copy_nonce
-.Fa "OCSP_BASICRESP *resp"
-.Fa "OCSP_REQUEST *req"
-.Fc
-.Sh DESCRIPTION
-An OCSP nonce is typically added to an OCSP request to thwart replay
-attacks by checking the same nonce value appears in the response.
-.Pp
-.Fn OCSP_request_add1_nonce
-adds a nonce of value
-.Fa val
-and length
-.Fa len
-to OCSP request
-.Fa req .
-If
-.Fa val
-is
-.Dv NULL ,
-a random nonce is used.
-If
-.Fa len
-is zero or negative, a default length will be used (currently 16 bytes).
-For most purposes the nonce value in a request is set to a random value
-so the
-.Fa val
-parameter in
-.Fn OCSP_request_add1_nonce
-is usually NULL.
-.Pp
-.Fn OCSP_basic_add1_nonce
-is identical to
-.Fn OCSP_request_add1_nonce
-except it adds a nonce to OCSP basic response
-.Fa resp .
-.Pp
-.Fn OCSP_check_nonce
-compares the nonce value in
-.Fa req
-and
-.Fa resp .
-.Pp
-.Fn OCSP_copy_nonce
-copies any nonce value present in
-.Fa req
-to
-.Fa resp .
-.Pp
-Some responders may include a nonce in all responses even if one is not
-supplied.
-.Pp
-Some responders cache OCSP responses and do not sign each response for
-performance reasons.
-As a result they do not support nonces.
-.Sh RETURN VALUES
-.Fn OCSP_request_add1_nonce
-and
-.Fn OCSP_basic_add1_nonce
-return 1 for success or 0 for failure.
-.Pp
-.Fn OCSP_copy_nonce
-returns 1 if a nonce was successfully copied, 2 if no nonce was
-present in
-.Fa req ,
-or 0 if an error occurred.
-.Pp
-.Fn OCSP_check_nonce
-returns positive values for success: 1 if nonces are present and
-equal, 2 if both nonces are absent, or 3 if a nonce is present in
-the response only.
-A zero return value indicates that both nonces are present but
-mismatch: this should be treated as an error condition.
-A return value of -1 indicates that a nonce is present in the request
-only: this will happen if the responder doesn't support nonces.
-.Sh SEE ALSO
-.Xr OCSP_cert_to_id 3 ,
-.Xr OCSP_REQUEST_new 3 ,
-.Xr OCSP_resp_find_status 3 ,
-.Xr OCSP_response_status 3 ,
-.Xr OCSP_sendreq_new 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7
-and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/OCSP_resp_find_status.3 b/src/lib/libcrypto/man/OCSP_resp_find_status.3
deleted file mode 100644
index 06d0354bd6..0000000000
--- a/src/lib/libcrypto/man/OCSP_resp_find_status.3
+++ /dev/null
@@ -1,494 +0,0 @@
-.\" $OpenBSD: OCSP_resp_find_status.3,v 1.11 2022/03/31 17:27:17 naddy Exp $
-.\" full merge up to: OpenSSL c952780c Jun 21 07:03:34 2016 -0400
-.\" selective merge up to: OpenSSL 1212818e Sep 11 13:22:14 2018 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016, 2018, 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" and David von Oheimb <David.von.Oheimb@siemens.com>.
-.\" Copyright (c) 2014, 2018 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 31 2022 $
-.Dt OCSP_RESP_FIND_STATUS 3
-.Os
-.Sh NAME
-.Nm OCSP_SINGLERESP_new ,
-.Nm OCSP_SINGLERESP_free ,
-.Nm OCSP_CERTSTATUS_new ,
-.Nm OCSP_CERTSTATUS_free ,
-.Nm OCSP_REVOKEDINFO_new ,
-.Nm OCSP_REVOKEDINFO_free ,
-.Nm OCSP_resp_find_status ,
-.Nm OCSP_cert_status_str ,
-.Nm OCSP_resp_count ,
-.Nm OCSP_resp_get0 ,
-.Nm OCSP_resp_find ,
-.Nm OCSP_SINGLERESP_get0_id ,
-.Nm OCSP_single_get0_status ,
-.Nm OCSP_check_validity ,
-.Nm OCSP_basic_verify
-.Nd OCSP response utility functions
-.Sh SYNOPSIS
-.In openssl/ocsp.h
-.Ft OCSP_SINGLERESP *
-.Fn OCSP_SINGLERESP_new void
-.Ft void
-.Fn OCSP_SINGLERESP_free "OCSP_SINGLERESP *single"
-.Ft OCSP_CERTSTATUS *
-.Fn OCSP_CERTSTATUS_new void
-.Ft void
-.Fn OCSP_CERTSTATUS_free "OCSP_CERTSTATUS *certstatus"
-.Ft OCSP_REVOKEDINFO *
-.Fn OCSP_REVOKEDINFO_new void
-.Ft void
-.Fn OCSP_REVOKEDINFO_free "OCSP_REVOKEDINFO *revokedinfo"
-.Ft int
-.Fo OCSP_resp_find_status
-.Fa "OCSP_BASICRESP *bs"
-.Fa "OCSP_CERTID *id"
-.Fa "int *status"
-.Fa "int *reason"
-.Fa "ASN1_GENERALIZEDTIME **revtime"
-.Fa "ASN1_GENERALIZEDTIME **thisupd"
-.Fa "ASN1_GENERALIZEDTIME **nextupd"
-.Fc
-.Ft const char *
-.Fo OCSP_cert_status_str
-.Fa "long status"
-.Fc
-.Ft int
-.Fo OCSP_resp_count
-.Fa "OCSP_BASICRESP *bs"
-.Fc
-.Ft OCSP_SINGLERESP *
-.Fo OCSP_resp_get0
-.Fa "OCSP_BASICRESP *bs"
-.Fa "int idx"
-.Fc
-.Ft int
-.Fo OCSP_resp_find
-.Fa "OCSP_BASICRESP *bs"
-.Fa "OCSP_CERTID *id"
-.Fa "int last"
-.Fc
-.Ft const OCSP_CERTID *
-.Fo OCSP_SINGLERESP_get0_id
-.Fa "const OCSP_SINGLERESP *single"
-.Fc
-.Ft int
-.Fo OCSP_single_get0_status
-.Fa "OCSP_SINGLERESP *single"
-.Fa "int *reason"
-.Fa "ASN1_GENERALIZEDTIME **revtime"
-.Fa "ASN1_GENERALIZEDTIME **thisupd"
-.Fa "ASN1_GENERALIZEDTIME **nextupd"
-.Fc
-.Ft int
-.Fo OCSP_check_validity
-.Fa "ASN1_GENERALIZEDTIME *thisupd"
-.Fa "ASN1_GENERALIZEDTIME *nextupd"
-.Fa "long sec"
-.Fa "long maxsec"
-.Fc
-.Ft int
-.Fo OCSP_basic_verify
-.Fa "OCSP_BASICRESP *bs"
-.Fa "STACK_OF(X509) *certs"
-.Fa "X509_STORE *st"
-.Fa "unsigned long flags"
-.Fc
-.Sh DESCRIPTION
-.Fn OCSP_SINGLERESP_new
-allocates and initializes an empty
-.Vt OCSP_SINGLERESP
-object, representing an ASN.1
-.Vt SingleResponse
-structure defined in RFC 6960.
-Each such object can store the server's answer regarding the validity
-of one individual certificate.
-Such objects are used inside the
-.Vt OCSP_RESPDATA
-of
-.Vt OCSP_BASICRESP
-objects, which are described in
-.Xr OCSP_BASICRESP_new 3 .
-.Fn OCSP_SINGLERESP_free
-frees
-.Fa single .
-.Pp
-.Fn OCSP_CERTSTATUS_new
-allocates and initializes an empty
-.Vt OCSP_CERTSTATUS
-object, representing an ASN.1
-.Vt CertStatus
-structure defined in RFC 6960.
-Such an object is used inside
-.Vt OCSP_SINGLERESP .
-.Fn OCSP_CERTSTATUS_free
-frees
-.Fa certstatus .
-.Pp
-.Fn OCSP_REVOKEDINFO_new
-allocates and initializes an empty
-.Vt OCSP_REVOKEDINFO
-object, representing an ASN.1
-.Vt RevokedInfo
-structure defined in RFC 6960.
-Such an object is used inside
-.Vt OCSP_CERTSTATUS .
-.Fn OCSP_REVOKEDINFO_free
-frees
-.Fa revokedinfo .
-.Pp
-.Fn OCSP_resp_find_status
-searches
-.Fa bs
-for an OCSP response for
-.Fa id .
-If it is successful, the fields of the response are returned in
-.Pf * Fa status ,
-.Pf * Fa reason ,
-.Pf * Fa revtime ,
-.Pf * Fa thisupd
-and
-.Pf * Fa nextupd .
-The
-.Pf * Fa status
-value will be one of
-.Dv V_OCSP_CERTSTATUS_GOOD ,
-.Dv V_OCSP_CERTSTATUS_REVOKED ,
-or
-.Dv V_OCSP_CERTSTATUS_UNKNOWN .
-The
-.Pf * Fa reason
-and
-.Pf * Fa revtime
-fields are only set if the status is
-.Dv V_OCSP_CERTSTATUS_REVOKED .
-If set, the
-.Pf * Fa reason
-field will be set to the revocation reason which will be one of
-.Dv OCSP_REVOKED_STATUS_NOSTATUS ,
-.Dv OCSP_REVOKED_STATUS_UNSPECIFIED ,
-.Dv OCSP_REVOKED_STATUS_KEYCOMPROMISE ,
-.Dv OCSP_REVOKED_STATUS_CACOMPROMISE ,
-.Dv OCSP_REVOKED_STATUS_AFFILIATIONCHANGED ,
-.Dv OCSP_REVOKED_STATUS_SUPERSEDED ,
-.Dv OCSP_REVOKED_STATUS_CESSATIONOFOPERATION ,
-.Dv OCSP_REVOKED_STATUS_CERTIFICATEHOLD
-or
-.Dv OCSP_REVOKED_STATUS_REMOVEFROMCRL .
-.Pp
-.Fn OCSP_cert_status_str
-converts one of the
-.Fa status
-codes retrieved by
-.Fn OCSP_resp_find_status
-to a string consisting of one word.
-.Pp
-.Fn OCSP_resp_count
-returns the number of
-.Vt OCSP_SINGLERESP
-structures in
-.Fa bs .
-.Pp
-.Fn OCSP_resp_get0
-returns the
-.Vt OCSP_SINGLERESP
-structure in
-.Fa bs
-corresponding to index
-.Fa idx ,
-where
-.Fa idx
-runs from 0 to
-.Fn OCSP_resp_count bs No - 1 .
-.Pp
-.Fn OCSP_resp_find
-searches
-.Fa bs
-for
-.Fa id
-and returns the index of the first matching entry after
-.Fa last
-or starting from the beginning if
-.Fa last
-is -1.
-.Pp
-.Fn OCSP_single_get0_status
-extracts the fields of
-.Fa single
-in
-.Pf * Fa reason ,
-.Pf * Fa revtime ,
-.Pf * Fa thisupd ,
-and
-.Pf * Fa nextupd .
-.Pp
-.Fn OCSP_check_validity
-checks the validity of
-.Fa thisupd
-and
-.Fa nextupd
-values which will be typically obtained from
-.Fn OCSP_resp_find_status
-or
-.Fn OCSP_single_get0_status .
-If
-.Fa sec
-is non-zero, it indicates how many seconds leeway should be allowed in
-the check.
-If
-.Fa maxsec
-is positive, it indicates the maximum age of
-.Fa thisupd
-in seconds.
-.Pp
-Applications will typically call
-.Fn OCSP_resp_find_status
-using the certificate ID of interest and then check its validity using
-.Fn OCSP_check_validity .
-They can then take appropriate action based on the status of the
-certificate.
-.Pp
-An OCSP response for a certificate contains
-.Sy thisUpdate
-and
-.Sy nextUpdate
-fields.
-Normally the current time should be between these two values.
-To account for clock skew, the
-.Fa maxsec
-field can be set to non-zero in
-.Fn OCSP_check_validity .
-Some responders do not set the
-.Sy nextUpdate
-field.
-This would otherwise mean an ancient response would be considered
-valid: the
-.Fa maxsec
-parameter to
-.Fn OCSP_check_validity
-can be used to limit the permitted age of responses.
-.Pp
-The values written to
-.Pf * Fa revtime ,
-.Pf * Fa thisupd ,
-and
-.Pf * Fa nextupd
-by
-.Fn OCSP_resp_find_status
-and
-.Fn OCSP_single_get0_status
-are internal pointers which must not be freed up by the calling
-application.
-Any or all of these parameters can be set to
-.Dv NULL
-if their value is not required.
-.Pp
-.Fn OCSP_basic_verify
-checks that the basic response message
-.Fa bs
-is correctly signed and that the signer certificate can be validated.
-It takes
-.Fa st
-as the trusted store and
-.Fa certs
-as a set of untrusted intermediate certificates.
-The function first tries to find the signer certificate of the response in
-.Fa certs .
-It also searches the certificates the responder may have included in
-.Fa bs
-unless the
-.Fa flags
-contain
-.Dv OCSP_NOINTERN .
-It fails if the signer certificate cannot be found.
-Next, the function checks the signature of
-.Fa bs
-and fails on error unless the
-.Fa flags
-contain
-.Dv OCSP_NOSIGS .
-Then the function already returns
-success if the
-.Fa flags
-contain
-.Dv OCSP_NOVERIFY
-or if the signer certificate was found in
-.Fa certs
-and the
-.Fa flags
-contain
-.Dv OCSP_TRUSTOTHER .
-Otherwise the function continues by validating the signer certificate.
-To this end, all certificates in
-.Fa certs
-and in
-.Fa bs
-are considered as untrusted certificates for the construction of
-the validation path for the signer certificate unless the
-.Dv OCSP_NOCHAIN
-flag is set.
-After successful path
-validation, the function returns success if the
-.Dv OCSP_NOCHECKS
-flag is set.
-Otherwise it verifies that the signer certificate meets the OCSP issuer
-criteria including potential delegation.
-If this does not succeed and the
-.Fa flags
-do not contain
-.Dv OCSP_NOEXPLICIT ,
-the function checks for explicit trust for OCSP signing
-in the root CA certificate.
-.Sh RETURN VALUES
-.Fn OCSP_SINGLERESP_new ,
-.Fn OCSP_CERTSTATUS_new ,
-and
-.Fn OCSP_REVOKEDINFO_new
-return a pointer to an empty
-.Vt OCSP_SINGLERESP ,
-.Vt OCSP_CERTSTATUS ,
-or
-.Vt OCSP_REVOKEDINFO
-object, respectively, or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn OCSP_resp_find_status
-returns 1 if
-.Fa id
-is found in
-.Fa bs
-or 0 otherwise.
-.Pp
-.Fn OCSP_cert_status_str
-returns a pointer to a static string.
-.Pp
-.Fn OCSP_resp_count
-returns the total number of
-.Vt OCSP_SINGLERESP
-fields in
-.Fa bs .
-.Pp
-.Fn OCSP_resp_get0
-returns a pointer to an
-.Vt OCSP_SINGLERESP
-structure or
-.Dv NULL
-if
-.Fa idx
-is out of range.
-.Pp
-.Fn OCSP_resp_find
-returns the index of
-.Fa id
-in
-.Fa bs
-(which may be 0) or -1 if
-.Fa id
-was not found.
-.Pp
-.Fn OCSP_SINGLERESP_get0_id
-returns an internal pointer to the certificate ID object used by
-.Fa single ;
-the returned pointer should not be freed by the caller.
-.Pp
-.Fn OCSP_single_get0_status
-returns the status of
-.Fa single
-or -1 if an error occurred.
-.Pp
-.Fn OCSP_basic_verify
-returns 1 on success, 0 on error, or -1 on fatal error such as malloc failure.
-.Sh SEE ALSO
-.Xr OCSP_cert_to_id 3 ,
-.Xr OCSP_CRLID_new 3 ,
-.Xr OCSP_request_add1_nonce 3 ,
-.Xr OCSP_REQUEST_new 3 ,
-.Xr OCSP_response_status 3 ,
-.Xr OCSP_sendreq_new 3
-.Sh STANDARDS
-RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate
-Status Protocol, section 4.2: Response Syntax
-.Sh HISTORY
-.Fn OCSP_SINGLERESP_new ,
-.Fn OCSP_SINGLERESP_free ,
-.Fn OCSP_CERTSTATUS_new ,
-.Fn OCSP_CERTSTATUS_free ,
-.Fn OCSP_REVOKEDINFO_new ,
-.Fn OCSP_REVOKEDINFO_free ,
-.Fn OCSP_resp_find_status ,
-.Fn OCSP_cert_status_str ,
-.Fn OCSP_resp_count ,
-.Fn OCSP_resp_get0 ,
-.Fn OCSP_resp_find ,
-.Fn OCSP_single_get0_status ,
-and
-.Fn OCSP_check_validity
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn OCSP_SINGLERESP_get0_id
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/OCSP_response_status.3 b/src/lib/libcrypto/man/OCSP_response_status.3
deleted file mode 100644
index 4e85384fb0..0000000000
--- a/src/lib/libcrypto/man/OCSP_response_status.3
+++ /dev/null
@@ -1,308 +0,0 @@
-.\" $OpenBSD: OCSP_response_status.3,v 1.8 2019/08/27 09:40:29 schwarze Exp $
-.\" full merge up to: OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
-.\" selective merge up to: OpenSSL 6738bf14 Feb 13 12:51:29 2018 +0000
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016, 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2014, 2016, 2018 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 27 2019 $
-.Dt OCSP_RESPONSE_STATUS 3
-.Os
-.Sh NAME
-.Nm OCSP_RESPONSE_new ,
-.Nm OCSP_RESPONSE_free ,
-.Nm OCSP_RESPBYTES_new ,
-.Nm OCSP_RESPBYTES_free ,
-.Nm OCSP_BASICRESP_new ,
-.Nm OCSP_BASICRESP_free ,
-.Nm OCSP_RESPDATA_new ,
-.Nm OCSP_RESPDATA_free ,
-.Nm OCSP_RESPID_new ,
-.Nm OCSP_RESPID_free ,
-.Nm OCSP_response_create ,
-.Nm OCSP_response_status ,
-.Nm OCSP_response_status_str ,
-.Nm OCSP_response_get1_basic ,
-.Nm OCSP_basic_sign
-.Nd OCSP response functions
-.Sh SYNOPSIS
-.In openssl/ocsp.h
-.Ft OCSP_RESPONSE *
-.Fn OCSP_RESPONSE_new void
-.Ft void
-.Fn OCSP_RESPONSE_free "OCSP_RESPONSE *resp"
-.Ft OCSP_RESPBYTES *
-.Fn OCSP_RESPBYTES_new void
-.Ft void
-.Fn OCSP_RESPBYTES_free "OCSP_RESPBYTES *respbytes"
-.Ft OCSP_BASICRESP *
-.Fn OCSP_BASICRESP_new void
-.Ft void
-.Fn OCSP_BASICRESP_free "OCSP_BASICRESP *bs"
-.Ft OCSP_RESPDATA *
-.Fn OCSP_RESPDATA_new void
-.Ft void
-.Fn OCSP_RESPDATA_free "OCSP_RESPDATA *respdata"
-.Ft OCSP_RESPID *
-.Fn OCSP_RESPID_new void
-.Ft void
-.Fn OCSP_RESPID_free "OCSP_RESPID *respid"
-.Ft OCSP_RESPONSE *
-.Fo OCSP_response_create
-.Fa "int status"
-.Fa "OCSP_BASICRESP *bs"
-.Fc
-.Ft int
-.Fo OCSP_response_status
-.Fa "OCSP_RESPONSE *resp"
-.Fc
-.Ft const char *
-.Fo OCSP_response_status_str
-.Fa "long code"
-.Fc
-.Ft OCSP_BASICRESP *
-.Fo OCSP_response_get1_basic
-.Fa "OCSP_RESPONSE *resp"
-.Fc
-.Ft int
-.Fo OCSP_basic_sign
-.Fa "OCSP_BASICRESP *bs"
-.Fa "X509 *signer"
-.Fa "EVP_PKEY *key"
-.Fa "const EVP_MD *dgst"
-.Fa "STACK_OF(X509) *certs"
-.Fa "unsigned long flags"
-.Fc
-.Sh DESCRIPTION
-.Fn OCSP_RESPONSE_new
-allocates and initializes an empty
-.Vt OCSP_RESPONSE
-object, representing an ASN.1
-.Vt OCSPResponse
-structure defined in RFC 6960.
-.Fn OCSP_RESPONSE_free
-frees
-.Fa resp .
-.Pp
-.Fn OCSP_RESPBYTES_new
-allocates and initializes an empty
-.Vt OCSP_RESPBYTES
-object, representing an ASN.1
-.Vt ResponseBytes
-structure defined in RFC 6960.
-Such an object is used inside
-.Vt OCSP_RESPONSE .
-.Fn OCSP_RESPBYTES_free
-frees
-.Fa respbytes .
-.Pp
-.Fn OCSP_BASICRESP_new
-allocates and initializes an empty
-.Vt OCSP_BASICRESP
-object, representing an ASN.1
-.Vt BasicOCSPResponse
-structure defined in RFC 6960.
-.Vt OCSP_RESPBYTES
-contains the DER-encoded form of an
-.Vt OCSP_BASICRESP
-object.
-.Fn OCSP_BASICRESP_free
-frees
-.Fa bs .
-.Pp
-.Fn OCSP_RESPDATA_new
-allocates and initializes an empty
-.Vt OCSP_RESPDATA
-object, representing an ASN.1
-.Vt ResponseData
-structure defined in RFC 6960.
-Such an object is used inside
-.Vt OCSP_BASICRESP .
-.Fn OCSP_RESPDATA_free
-frees
-.Fa respdata .
-.Pp
-.Fn OCSP_RESPID_new
-allocates and initializes an empty
-.Vt OCSP_RESPID
-object, representing an ASN.1
-.Vt ResponderID
-structure defined in RFC 6960.
-Such an object is used inside
-.Vt OCSP_RESPDATA .
-.Fn OCSP_RESPID_free
-frees
-.Fa respid .
-.Pp
-.Fn OCSP_response_create
-creates an
-.Vt OCSP_RESPONSE
-object for
-.Fa status
-and optionally including the basic response
-.Fa bs .
-.Pp
-.Fn OCSP_response_status
-returns the OCSP response status of
-.Fa resp .
-It returns one of the values
-.Dv OCSP_RESPONSE_STATUS_SUCCESSFUL ,
-.Dv OCSP_RESPONSE_STATUS_MALFORMEDREQUEST ,
-.Dv OCSP_RESPONSE_STATUS_INTERNALERROR ,
-.Dv OCSP_RESPONSE_STATUS_TRYLATER ,
-.Dv OCSP_RESPONSE_STATUS_SIGREQUIRED ,
-or
-.Dv OCSP_RESPONSE_STATUS_UNAUTHORIZED .
-.Pp
-.Fn OCSP_response_status_str
-converts one of the
-.Fa status
-codes returned by
-.Fn OCSP_response_status
-to a string consisting of one word.
-.Pp
-.Fn OCSP_response_get1_basic
-decodes and returns the
-.Vt OCSP_BASICRESP
-object contained in
-.Fa resp .
-It is only called if the status of a response is
-.Dv OCSP_RESPONSE_STATUS_SUCCESSFUL .
-.Pp
-.Fn OCSP_basic_sign
-signs the OCSP response
-.Fa bs
-using the certificate
-.Fa signer ,
-the private key
-.Fa key ,
-the digest
-.Fa dgst ,
-and the additional certificates
-.Fa certs .
-If the
-.Fa flags
-option
-.Dv OCSP_NOCERTS
-is set, then no certificates will be included in the request.
-If the
-.Fa flags
-option
-.Dv OCSP_RESPID_KEY
-is set, then the responder is identified by key ID
-rather than by name.
-.Sh RETURN VALUES
-.Fn OCSP_RESPONSE_new
-and
-.Fn OCSP_response_create
-return a pointer to an
-.Vt OCSP_RESPONSE
-object or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn OCSP_BASICRESP_new
-and
-.Fn OCSP_response_get1_basic
-return a pointer to an
-.Vt OCSP_BASICRESP
-object or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn OCSP_RESPBYTES_new ,
-.Fn OCSP_RESPDATA_new ,
-and
-.Fn OCSP_RESPID_new
-return a pointer to an empty
-.Vt OCSP_RESPBYTES ,
-.Vt OCSP_RESPDATA ,
-or
-.Vt OCSP_RESPID
-object, respectively, or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn OCSP_response_status
-returns a status value.
-.Pp
-.Fn OCSP_response_status_str
-returns a pointer to a static string.
-.Pp
-.Fn OCSP_basic_sign
-return 1 on success or 0 on failure.
-.Sh SEE ALSO
-.Xr EVP_DigestInit 3 ,
-.Xr OCSP_cert_to_id 3 ,
-.Xr OCSP_request_add1_nonce 3 ,
-.Xr OCSP_REQUEST_new 3 ,
-.Xr OCSP_resp_find_status 3 ,
-.Xr OCSP_sendreq_new 3
-.Sh STANDARDS
-RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate
-Status Protocol, section 4.2: Response Syntax
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7
-and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/OCSP_sendreq_new.3 b/src/lib/libcrypto/man/OCSP_sendreq_new.3
deleted file mode 100644
index 300f719525..0000000000
--- a/src/lib/libcrypto/man/OCSP_sendreq_new.3
+++ /dev/null
@@ -1,323 +0,0 @@
-.\" $OpenBSD: OCSP_sendreq_new.3,v 1.10 2022/03/31 17:27:17 naddy Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2014, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 31 2022 $
-.Dt OCSP_SENDREQ_NEW 3
-.Os
-.Sh NAME
-.Nm OCSP_sendreq_new ,
-.Nm OCSP_sendreq_nbio ,
-.Nm OCSP_REQ_CTX_free ,
-.Nm OCSP_REQ_CTX_add1_header ,
-.Nm OCSP_REQ_CTX_set1_req ,
-.Nm OCSP_parse_url ,
-.Nm OCSP_sendreq_bio
-.Nd OCSP responder query functions
-.Sh SYNOPSIS
-.In openssl/ocsp.h
-.Ft OCSP_REQ_CTX *
-.Fo OCSP_sendreq_new
-.Fa "BIO *io"
-.Fa "const char *path"
-.Fa "OCSP_REQUEST *req"
-.Fa "int maxline"
-.Fc
-.Ft int
-.Fo OCSP_sendreq_nbio
-.Fa "OCSP_RESPONSE **presp"
-.Fa "OCSP_REQ_CTX *rctx"
-.Fc
-.Ft void
-.Fo OCSP_REQ_CTX_free
-.Fa "OCSP_REQ_CTX *rctx"
-.Fc
-.Ft int
-.Fo OCSP_REQ_CTX_add1_header
-.Fa "OCSP_REQ_CTX *rctx"
-.Fa "const char *name"
-.Fa "const char *value"
-.Fc
-.Ft int
-.Fo OCSP_REQ_CTX_set1_req
-.Fa "OCSP_REQ_CTX *rctx"
-.Fa "OCSP_REQUEST *req"
-.Fc
-.Ft int
-.Fo OCSP_parse_url
-.Fa "const char *url"
-.Fa "char **phost"
-.Fa "char **pport"
-.Fa "char **ppath"
-.Fa "int *pssl"
-.Fc
-.Ft OCSP_RESPONSE *
-.Fo OCSP_sendreq_bio
-.Fa "BIO *io"
-.Fa "const char *path"
-.Fa "OCSP_REQUEST *req"
-.Fc
-.Sh DESCRIPTION
-The function
-.Fn OCSP_sendreq_new
-returns an
-.Vt OCSP_REQ_CTX
-structure using the responder
-.Fa io ,
-the URI path
-.Fa path ,
-the OCSP request
-.Fa req
-and with a response header maximum line length of
-.Fa maxline .
-If
-.Fa maxline
-is zero, a default value of 4k is used.
-The OCSP request
-.Fa req
-may be set to
-.Dv NULL
-and provided later if required.
-.Pp
-The arguments to
-.Fn OCSP_sendreq_new
-correspond to the components of the URI.
-For example, if the responder URI is
-.Pa http://ocsp.com/ocspreq ,
-the BIO
-.Fa io
-should be connected to host
-.Pa ocsp.com
-on port 80 and
-.Fa path
-should be set to
-.Qq /ocspreq .
-.Pp
-.Fn OCSP_sendreq_nbio
-performs non-blocking I/O on the OCSP request context
-.Fa rctx .
-When the operation is complete, it returns the response in
-.Pf * Fa presp .
-If
-.Fn OCSP_sendreq_nbio
-indicates an operation should be retried, the corresponding BIO can
-be examined to determine which operation (read or write) should be
-retried and appropriate action can be taken, for example a
-.Xr select 2
-call on the underlying socket.
-.Pp
-.Fn OCSP_REQ_CTX_free
-frees up the OCSP context
-.Fa rctx .
-.Pp
-.Fn OCSP_REQ_CTX_add1_header
-adds header
-.Fa name
-with value
-.Fa value
-to the context
-.Fa rctx .
-The added headers are of the form
-.Qq Fa name : value
-or just
-.Qq Fa name
-if
-.Fa value
-is
-.Dv NULL .
-.Fn OCSP_REQ_CTX_add1_header
-can be called more than once to add multiple headers.
-It must be called before any calls to
-.Fn OCSP_sendreq_nbio .
-The
-.Fa req
-parameter in the initial to
-.Fn OCSP_sendreq_new
-call must be set to
-.Dv NULL
-if additional headers are set.
-.Pp
-.Fn OCSP_REQ_CTX_set1_req
-sets the OCSP request in
-.Fa rctx
-to
-.Fa req .
-This function should be called after any calls to
-.Fn OCSP_REQ_CTX_add1_header .
-.Pp
-.Fn OCSP_parse_url
-is a utility function to parse a
-.Fa url
-of the form
-.Sm off
-.Sy http Op Sy s
-.Pf :// Ar host
-.Op : Ar port
-.Op / Ar path
-.Sm on
-and store pointers to newly allocated copies of the strings
-.Ar host ,
-.Ar port ,
-and
-.Ar path
-in
-.Pf * phost ,
-.Pf * pport ,
-and
-.Pf * ppath ,
-respectively.
-By default,
-.Pf * ppath
-is set to
-.Qq /
-and
-.Pf * pport
-to
-.Qq 443
-for
-.Sy https
-or
-.Qq 80
-for
-.Sy http .
-For
-.Sy https ,
-.Pf * Fa pssl
-is set to 1; otherwise, to 0.
-.Pp
-.Fn OCSP_sendreq_bio
-performs an OCSP request using the responder
-.Fa io ,
-the URI path
-.Fa path ,
-the OCSP request
-.Fa req .
-It does not support retries and so cannot handle non-blocking I/O
-efficiently.
-It is retained for compatibility and its use in new applications
-is not recommended.
-.Sh RETURN VALUES
-.Fn OCSP_sendreq_new
-returns a valid
-.Vt OCSP_REQ_CTX
-structure or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn OCSP_sendreq_nbio
-returns 1 if the operation was completed successfully,
--1 if the operation should be retried,
-or 0 if an error occurred.
-.Pp
-.Fn OCSP_REQ_CTX_add1_header ,
-.Fn OCSP_REQ_CTX_set1_req ,
-and
-.Fn OCSP_parse_url
-return 1 for success or 0 for failure.
-.Pp
-.Fn OCSP_sendreq_bio
-returns the
-.Vt OCSP_RESPONSE
-structure sent by the responder or
-.Dv NULL
-if an error occurred.
-.Sh EXAMPLES
-Add a Host header for
-.Pa ocsp.com :
-.Pp
-.Dl OCSP_REQ_CTX_add1_header(ctx, "Host", "ocsp.com");
-.Sh SEE ALSO
-.Xr OCSP_cert_to_id 3 ,
-.Xr OCSP_request_add1_nonce 3 ,
-.Xr OCSP_REQUEST_new 3 ,
-.Xr OCSP_resp_find_status 3 ,
-.Xr OCSP_response_status 3 ,
-.Xr X509_get1_ocsp 3
-.Sh HISTORY
-.Fn OCSP_parse_url
-and
-.Fn OCSP_sendreq_bio
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn OCSP_sendreq_new ,
-.Fn OCSP_sendreq_nbio ,
-and
-.Fn OCSP_REQ_CTX_free
-first appeared in OpenSSL 0.9.8h and have been available since
-.Ox 4.5 .
-.Pp
-.Fn OCSP_REQ_CTX_add1_header
-and
-.Fn OCSP_REQ_CTX_set1_req
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
-.Sh CAVEATS
-These functions only perform a minimal HTTP query to a responder.
-If an application wishes to support more advanced features, it
-should use an alternative, more complete, HTTP library.
-.Pp
-Currently only HTTP POST queries to responders are supported.
diff --git a/src/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 b/src/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
deleted file mode 100644
index 76427a864b..0000000000
--- a/src/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
+++ /dev/null
@@ -1,281 +0,0 @@
-.\" $OpenBSD: OPENSSL_VERSION_NUMBER.3,v 1.13 2023/11/16 20:17:04 schwarze Exp $
-.\" full merge up to: OpenSSL 1f13ad31 Dec 25 17:50:39 2017 +0800
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2017, 2018 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ulf Moeller <ulf@openssl.org>,
-.\" Richard Levitte <levitte@openssl.org>, and
-.\" Bodo Moeller <bodo@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2015, 2016, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 16 2023 $
-.Dt OPENSSL_VERSION_NUMBER 3
-.Os
-.Sh NAME
-.Nm OPENSSL_VERSION_NUMBER ,
-.Nm LIBRESSL_VERSION_NUMBER ,
-.Nm LIBRESSL_VERSION_TEXT ,
-.Nm OPENSSL_VERSION_TEXT ,
-.Nm OpenSSL_version_num ,
-.Nm OpenSSL_version ,
-.Nm SSLeay ,
-.Nm SSLeay_version
-.Nd get OpenSSL version number
-.Sh SYNOPSIS
-.In openssl/opensslv.h
-.Fd #define OPENSSL_VERSION_NUMBER 0x020000000L
-.Fd #define LIBRESSL_VERSION_NUMBER 0x02nnnn00fL
-.Fd #define LIBRESSL_VERSION_TEXT \(dqLibreSSL 2.n.n\(dq
-.Fd #define OPENSSL_VERSION_TEXT LIBRESSL_VERSION_TEXT
-.In openssl/crypto.h
-.Ft unsigned long
-.Fn OpenSSL_version_num void
-.Ft const char *
-.Fo OpenSSL_version
-.Fa "int t"
-.Fc
-.Ft long
-.Fn SSLeay void
-.Ft const char *
-.Fo SSLeay_version
-.Fa "int t"
-.Fc
-.Sh DESCRIPTION
-.Dv OPENSSL_VERSION_NUMBER
-and
-.Dv LIBRESSL_VERSION_NUMBER
-are numeric release version identifiers.
-The first two digits contain the major release number,
-the third and fourth digits the minor release number,
-and the fifth and sixth digits the fix release number.
-For OpenSSL, the seventh and eight digits contain the patch release number
-and the final digit is 0 for development, 1 to e for betas 1 to 14, or f
-for release.
-For LibreSSL,
-.Dv OPENSSL_VERSION_NUMBER
-is always 0x020000000,
-and
-.Dv LIBRESSL_VERSION_NUMBER
-always ends with 00f.
-.Pp
-For example:
-.Bd -literal -offset indent
-OPENSSL_VERSION_NUMBER:
-0x000906000 == 0.9.6 dev
-0x000906023 == 0.9.6b beta 3
-0x00090605f == 0.9.6e release
-0x020000000 == 2.0.0 for any version of LibreSSL
-
-LIBRESSL_VERSION_NUMBER:
-0x02070000f == LibreSSL 2.7.0
-.Ed
-.Pp
-OpenSSL versions prior to 0.9.3 had identifiers < 0x0930.
-For versions between 0.9.3 and 0.9.5,
-the seventh digit was 1 for release and 0 otherwise,
-and the eighth and ninth digits were the patch release number.
-.Pp
-For example:
-.Bd -literal
-0x000904100 == 0.9.4 release
-0x000905000 == 0.9.5 dev
-.Ed
-.Pp
-OpenSSL version 0.9.5a had an interim interpretation that is like the current
-one, except the patch level got the highest bit set, to keep continuity.
-The number was therefore 0x0090581f.
-.Pp
-.Fn OpenSSL_version_num
-returns
-.Dv OPENSSL_VERSION_NUMBER .
-.Pp
-.Fn OpenSSL_version
-returns different strings depending on
-.Fa t :
-.Bl -tag -width Ds
-.It Dv OPENSSL_VERSION
-The text variant of the version number,
-.Dv OPENSSL_VERSION_TEXT .
-For OpenSSL, it includes the release date, for example
-.Qq OpenSSL 0.9.5a 1 Apr 2000 .
-For LibreSSL,
-.Dv LIBRESSL_VERSION_TEXT
-is returned.
-.It Dv OPENSSL_CFLAGS
-The compiler flags set for the compilation process in the form
-.Qq compiler: ...
-if available or
-.Qq compiler: information not available
-otherwise.
-LibreSSL never provides compiler information.
-.It Dv OPENSSL_BUILT_ON
-The date of the build process in the form
-.Qq built on: ...
-if available or
-.Qq built on: date not available
-otherwise.
-LibreSSL never provides information on the build date.
-.It Dv OPENSSL_PLATFORM
-The Configure target of the library build in the form
-.Qq platform: ...
-if available or
-.Qq platform: information not available
-otherwise.
-LibreSSL never provides platform information.
-.It Dv OPENSSL_DIR
-The
-.Dv OPENSSLDIR
-setting of the library build in the form
-.Qq OPENSSLDIR: Qq ...
-if available or
-.Qq OPENSSLDIR: N/A
-otherwise.
-For LibreSSL, the default is
-.Qq OPENSSLDIR: Qq /etc/ssl .
-.It Dv OPENSSL_ENGINES_DIR
-The
-.Dv ENGINESDIR
-setting of the library build in the form
-.Qq ENGINESDIR: Qq ...
-if available or
-.Qq ENGINESDIR: N/A
-otherwise.
-LibreSSL never provides or uses an
-.Dv ENGINESDIR .
-.El
-.Pp
-For an unknown
-.Fa t ,
-the text
-.Qq not available
-is returned.
-.Pp
-For backward compatibility,
-.Dv SSLEAY_VERSION_NUMBER
-is an alias for
-.Dv OPENSSL_VERSION_NUMBER
-and
-.Fn SSLeay
-for
-.Fn OpenSSL_version_num .
-The legacy function
-.Fn SSLeay_version
-is similar to
-.Fn OpenSSL_version
-except that it takes arguments
-.Dv SSLEAY_VERSION ,
-.Dv SSLEAY_CFLAGS ,
-.Dv SSLEAY_BUILT_ON ,
-.Dv SSLEAY_PLATFORM ,
-and
-.Dv SSLEAY_DIR
-which expand to
-.Em other
-numerical values than the corresponding
-.Dv OPENSSL_*
-macros.
-.Sh RETURN VALUES
-.Fn OpenSSL_version_num
-and
-.Fn SSLeay
-return a constant version number.
-.Pp
-.Fn OpenSSL_version
-and
-.Fn SSLeay_version
-return pointers to static strings.
-.Sh SEE ALSO
-.Xr crypto 3 ,
-.Xr OPENSSL_config 3
-.Sh HISTORY
-.Fn SSLeay ,
-.Fn SSLeay_version ,
-and
-.Dv SSLEAY_VERSION_NUMBER
-first appeared in SSLeay 0.6.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Dv OPENSSL_VERSION_NUMBER
-first appeared in the first OpenSSL release, OpenSSL 0.9.1c,
-and has been available since
-.Ox 2.6 .
-.Pp
-.Dv SSLEAY_DIR
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Dv LIBRESSL_VERSION_NUMBER
-first appeared in LibreSSL 2.0.0 and
-.Ox 5.6
-and got its final format in LibreSSL 2.3.2 and
-.Ox 5.9 .
-.Dv LIBRESSL_VERSION_TEXT
-first appeared in LibreSSL 2.2.2 and
-.Ox 5.8 .
-.Pp
-.Fn OpenSSL_version_num
-and
-.Fn OpenSSL_version
-first appeared in OpenSSL 1.1.0
-and have been available since LibreSSL 2.7.1 and
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/OPENSSL_cleanse.3 b/src/lib/libcrypto/man/OPENSSL_cleanse.3
deleted file mode 100644
index 95fe6b86fd..0000000000
--- a/src/lib/libcrypto/man/OPENSSL_cleanse.3
+++ /dev/null
@@ -1,42 +0,0 @@
-.\"     $OpenBSD: OPENSSL_cleanse.3,v 1.4 2019/06/10 09:49:48 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 10 2019 $
-.Dt OPENSSL_CLEANSE 3
-.Os
-.Sh NAME
-.Nm OPENSSL_cleanse
-.Nd OpenSSL memory cleaning operation
-.Sh SYNOPSIS
-.In openssl/crypto.h
-.Ft void
-.Fo OPENSSL_cleanse
-.Fa "void *ptr"
-.Fa "size_t len"
-.Fc
-.Sh DESCRIPTION
-Do not use the interface documented here.
-It is provided purely for compatibility with legacy application code.
-.Pp
-.Fn OPENSSL_cleanse
-has the same semantics as, and is a wrapper around,
-.Xr explicit_bzero 3 .
-.Sh SEE ALSO
-.Xr crypto 3
-.Sh HISTORY
-.Fn OPENSSL_cleanse
-first appeared in OpenSSL 0.9.6h and has been available since
-.Ox 3.4 .
diff --git a/src/lib/libcrypto/man/OPENSSL_config.3 b/src/lib/libcrypto/man/OPENSSL_config.3
deleted file mode 100644
index f5f31571a1..0000000000
--- a/src/lib/libcrypto/man/OPENSSL_config.3
+++ /dev/null
@@ -1,152 +0,0 @@
-.\" $OpenBSD: OPENSSL_config.3,v 1.16 2023/11/19 21:01:27 tb Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 19 2023 $
-.Dt OPENSSL_CONFIG 3
-.Os
-.Sh NAME
-.Nm OPENSSL_config ,
-.Nm OPENSSL_no_config
-.Nd simple crypto and ssl library configuration
-.Sh SYNOPSIS
-.In openssl/conf.h
-.Ft void
-.Fo OPENSSL_config
-.Fa "const char *appname"
-.Fc
-.Ft void
-.Fn OPENSSL_no_config void
-.Sh DESCRIPTION
-.Fn OPENSSL_config
-initializes the crypto library and calls
-.Xr CONF_modules_load_file 3
-with the standard configuration file and the given
-.Fa appname .
-If
-.Fa appname
-is
-.Dv NULL ,
-then the default name
-.Sy openssl_conf
-is used.
-Any errors are ignored.
-Further calls to
-.Fn OPENSSL_config
-have no effect.
-.Pp
-.Fn OPENSSL_no_config
-suppresses the loading of the standard configuration file, so that any
-future calls to
-.Fn OPENSSL_config
-or to
-.Xr OPENSSL_init_crypto 3
-will ensure the library is initialized but no configuration
-file will be loaded.
-.Pp
-Calling these functions is optional.
-All required initialization of the crypto libraries happens
-automatically when needed.
-.Pp
-To use a non-standard configuration file, refer to
-.Xr CONF_modules_load_file 3 .
-.Pp
-Internally,
-.Fn OPENSSL_config
-calls
-.Xr OPENSSL_init_crypto 3
-and
-.Xr OPENSSL_load_builtin_modules 3 .
-.Pp
-If an application is compiled with the preprocessor symbol
-.Dv OPENSSL_LOAD_CONF
-#define'd,
-.Xr OpenSSL_add_all_algorithms 3
-automatically calls
-.Fn OPENSSL_config .
-.Pp
-Applications should free up configuration at application closedown by
-calling
-.Xr CONF_modules_free 3 .
-.Sh FILES
-.Bl -tag -width /etc/ssl/openssl.cnf -compact
-.It Pa /etc/ssl/openssl.cnf
-standard configuration file
-.El
-.Sh SEE ALSO
-.Xr CONF_modules_free 3 ,
-.Xr CONF_modules_load_file 3 ,
-.Xr crypto 3 ,
-.Xr OPENSSL_load_builtin_modules 3 ,
-.Xr OPENSSL_VERSION_NUMBER 3 ,
-.Xr openssl.cnf 5 ,
-.Xr x509v3.cnf 5
-.Sh HISTORY
-.Fn OPENSSL_config
-and
-.Fn OPENSSL_no_config
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/OPENSSL_init_crypto.3 b/src/lib/libcrypto/man/OPENSSL_init_crypto.3
deleted file mode 100644
index 6f38c7bda2..0000000000
--- a/src/lib/libcrypto/man/OPENSSL_init_crypto.3
+++ /dev/null
@@ -1,115 +0,0 @@
-.\" $OpenBSD: OPENSSL_init_crypto.3,v 1.5 2020/05/24 12:21:31 schwarze Exp $
-.\" Copyright (c) 2018, 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: May 24 2020 $
-.Dt OPENSSL_INIT_CRYPTO 3
-.Os
-.Sh NAME
-.Nm OPENSSL_init_crypto ,
-.Nm OPENSSL_init
-.Nd initialise the crypto library
-.Sh SYNOPSIS
-.In openssl/crypto.h
-.Ft int
-.Fo OPENSSL_init_crypto
-.Fa "uint64_t options"
-.Fa "const void *dummy"
-.Fc
-.Ft void
-.Fn OPENSSL_init void
-.Sh DESCRIPTION
-These functions are deprecated.
-It is never useful for an application program
-to call either of them explicitly.
-.Pp
-The library automatically calls
-.Fn OPENSSL_init_crypto
-internally with an
-.Fa options
-argument of 0 whenever needed.
-It is safest to assume that any function may do so.
-.Pp
-To enable or disable the standard configuration file, instead use
-.Xr OPENSSL_config 3
-or
-.Xr OPENSSL_no_config 3 ,
-respectively.
-To load a non-standard configuration file, refer to
-.Xr CONF_modules_load_file 3 .
-.Pp
-If
-.Fn OPENSSL_init_crypto
-is called before any other crypto or ssl functions, the crypto
-library is initialised by allocating various internal resources,
-in particular calling
-.Xr ERR_load_crypto_strings 3 ,
-.Xr OpenSSL_add_all_ciphers 3 ,
-and
-.Xr OpenSSL_add_all_digests 3 .
-.Pp
-The following
-.Fa options
-are supported:
-.Bl -tag -width Ds
-.It Dv OPENSSL_INIT_LOAD_CONFIG
-At the end of the initialization, call
-.Xr OPENSSL_config 3
-with a
-.Dv NULL
-argument, loading the default configuration file.
-.It Dv OPENSSL_INIT_NO_LOAD_CONFIG
-Ignore any later calls to
-.Xr OPENSSL_config 3 .
-.El
-.Pp
-The other
-.Fa options
-flags defined by OpenSSL are all ignored by LibreSSL.
-The
-.Fa dummy
-argument has no effect.
-.Pp
-If this function is called more than once, none of the calls except
-the first one have any effect.
-.Pp
-.Fn OPENSSL_init
-has no effect at all.
-.Sh RETURN VALUES
-.Fn OPENSSL_init_crypto
-is intended to return 1 on success or 0 on error.
-.Sh SEE ALSO
-.Xr CONF_modules_load_file 3 ,
-.Xr OPENSSL_config 3 ,
-.Xr OPENSSL_load_builtin_modules 3 ,
-.Xr openssl.cnf 5
-.Sh HISTORY
-.Fn OPENSSL_init
-first appeared in OpenSSL 1.0.0e and has been available since
-.Ox 5.3 .
-It stopped having any effect in OpenSSL 1.1.1 and in
-.Ox 5.6 .
-.Pp
-.Fn OPENSSL_init_crypto
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
-.Sh BUGS
-.Fn OPENSSL_init_crypto
-silently ignores almost all kinds of errors.
-In particular, if memory allocation fails, initialisation is likely
-to remain incomplete, the library may be in an inconsistent internal
-state, but the return value will usually indicate success anyway.
-There is no way for the application program to find out whether
-library initialisation is actually complete, nor to get back to a
-consistent state if it isn't.
diff --git a/src/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 b/src/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
deleted file mode 100644
index 2b20efaf0e..0000000000
--- a/src/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
+++ /dev/null
@@ -1,101 +0,0 @@
-.\"     $OpenBSD: OPENSSL_load_builtin_modules.3,v 1.8 2023/12/05 02:41:13 jsg Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2004, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 5 2023 $
-.Dt OPENSSL_LOAD_BUILTIN_MODULES 3
-.Os
-.Sh NAME
-.Nm OPENSSL_load_builtin_modules ,
-.Nm ASN1_add_oid_module
-.Nd add standard configuration modules
-.Sh SYNOPSIS
-.In openssl/conf.h
-.Ft void
-.Fn OPENSSL_load_builtin_modules void
-.Ft void
-.Fn ASN1_add_oid_module void
-.Sh DESCRIPTION
-The function
-.Fn OPENSSL_load_builtin_modules
-adds all the standard OpenSSL configuration modules to the internal
-list.
-They can then be used by the OpenSSL configuration code.
-.Pp
-.Fn ASN1_add_oid_module
-adds just the ASN.1 OBJECT module.
-.Pp
-If the simple configuration function
-.Xr OPENSSL_config 3
-is called then
-.Fn OPENSSL_load_builtin_modules
-is called automatically.
-.Pp
-Applications which use configuration functions like
-.Xr CONF_modules_load_file 3
-directly need to call
-.Fn OPENSSL_load_builtin_modules
-themselves
-.Em before
-any other configuration code.
-.Pp
-Applications should call
-.Xr OPENSSL_config 3
-or
-.Fn OPENSSL_load_builtin_modules
-to load all configuration modules instead of adding modules selectively:
-otherwise functionality may be missing from the application when
-new modules are added.
-.Sh SEE ALSO
-.Xr CONF_modules_load_file 3 ,
-.Xr OPENSSL_config 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7
-and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/OPENSSL_malloc.3 b/src/lib/libcrypto/man/OPENSSL_malloc.3
deleted file mode 100644
index a43dc56923..0000000000
--- a/src/lib/libcrypto/man/OPENSSL_malloc.3
+++ /dev/null
@@ -1,101 +0,0 @@
-.\"     $OpenBSD: OPENSSL_malloc.3,v 1.13 2024/04/04 09:30:43 tb Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: April 4 2024 $
-.Dt OPENSSL_MALLOC 3
-.Os
-.Sh NAME
-.Nm OPENSSL_malloc ,
-.Nm OPENSSL_free ,
-.Nm OPENSSL_strdup ,
-.Nm CRYPTO_malloc ,
-.Nm CRYPTO_free ,
-.Nm CRYPTO_strdup
-.Nd legacy OpenSSL memory allocation wrappers
-.Sh SYNOPSIS
-.In openssl/crypto.h
-.Ft void *
-.Fo OPENSSL_malloc
-.Fa "size_t num"
-.Fc
-.Ft void
-.Fo OPENSSL_free
-.Fa "void *addr"
-.Fc
-.Ft char *
-.Fo OPENSSL_strdup
-.Fa "const char *str"
-.Fc
-.Ft void *
-.Fo CRYPTO_malloc
-.Fa "size_t num"
-.Fa "const char *file"
-.Fa "int line"
-.Fc
-.Ft void
-.Fo CRYPTO_free
-.Fa "void *str"
-.Fa "const char *"
-.Fa int
-.Fc
-.Ft char *
-.Fo CRYPTO_strdup
-.Fa "const char *p"
-.Fa "const char *file"
-.Fa "int line"
-.Fc
-.Sh DESCRIPTION
-Do not use any of the interfaces documented here in new code.
-They are provided purely for compatibility with legacy application code.
-.Pp
-These functions are wrappers around the corresponding
-standard
-.Xr malloc 3 ,
-.Xr free 3 ,
-and
-.Xr strdup 3
-functions.
-.Pp
-The
-.Fn OPENSSL_*
-functions are implemented as macros.
-.Sh RETURN VALUES
-These functions return the same type and value as the corresponding
-standard functions.
-.Sh SEE ALSO
-.Xr crypto 3
-.Sh HISTORY
-.Fn CRYPTO_malloc
-and
-.Fn CRYPTO_free
-first appeared in SSLeay 0.6.4 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn OPENSSL_malloc
-and
-.Fn OPENSSL_free
-first appeared in OpenSSL 0.9.6 and have been available since
-.Ox 2.9 .
-.Pp
-.Fn CRYPTO_strdup
-and
-.Fn OPENSSL_strdup
-first appeared in OpenSSL 0.9.8j and have been available since
-.Ox 4.5 .
-.Sh CAVEATS
-If interoperability with other implementations is required,
-memory returned by the library as bare pointers must be freed with
-.Fn OPENSSL_free .
diff --git a/src/lib/libcrypto/man/OPENSSL_sk_new.3 b/src/lib/libcrypto/man/OPENSSL_sk_new.3
deleted file mode 100644
index 8f06bb4212..0000000000
--- a/src/lib/libcrypto/man/OPENSSL_sk_new.3
+++ /dev/null
@@ -1,553 +0,0 @@
-.\" $OpenBSD: OPENSSL_sk_new.3,v 1.13 2024/03/04 09:47:34 tb Exp $
-.\"
-.\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 4 2024 $
-.Dt OPENSSL_SK_NEW 3
-.Os
-.Sh NAME
-.Nm sk_new_null ,
-.Nm sk_new ,
-.Nm sk_set_cmp_func ,
-.Nm sk_dup ,
-.Nm sk_free ,
-.Nm sk_pop_free ,
-.Nm sk_num ,
-.Nm sk_value ,
-.Nm sk_find ,
-.Nm sk_sort ,
-.Nm sk_is_sorted ,
-.Nm sk_push ,
-.Nm sk_unshift ,
-.Nm sk_insert ,
-.Nm sk_set ,
-.Nm sk_pop ,
-.Nm sk_shift ,
-.Nm sk_delete ,
-.Nm sk_delete_ptr ,
-.Nm sk_zero
-.Nd variable-sized arrays of void pointers, called OpenSSL stacks
-.Sh SYNOPSIS
-.In openssl/stack.h
-.Ft _STACK *
-.Fn sk_new_null void
-.Ft _STACK *
-.Fo sk_new
-.Fa "int (*compfunc)(const void *, const void *)"
-.Fc
-.Ft old_function_pointer
-.Fo sk_set_cmp_func
-.Fa "_STACK *stack"
-.Fa "int (*compfunc)(const void *, const void *)"
-.Fc
-.Ft _STACK *
-.Fo sk_dup
-.Fa "_STACK *stack"
-.Fc
-.Ft void
-.Fo sk_free
-.Fa "_STACK *stack"
-.Fc
-.Ft void
-.Fo sk_pop_free
-.Fa "_STACK *stack"
-.Fa "void (*freefunc)(void *)"
-.Fc
-.Ft int
-.Fo sk_num
-.Fa "const _STACK *stack"
-.Fc
-.Ft void *
-.Fo sk_value
-.Fa "const _STACK *stack"
-.Fa "int index"
-.Fc
-.Ft int
-.Fo sk_find
-.Fa "_STACK *stack"
-.Fa "void *wanted"
-.Fc
-.Ft void
-.Fo sk_sort
-.Fa "_STACK *stack"
-.Fc
-.Ft int
-.Fo sk_is_sorted
-.Fa "const _STACK *stack"
-.Fc
-.Ft int
-.Fo sk_push
-.Fa "_STACK *stack"
-.Fa "void *new_item"
-.Fc
-.Ft int
-.Fo sk_unshift
-.Fa "_STACK *stack"
-.Fa "void *new_item"
-.Fc
-.Ft int
-.Fo sk_insert
-.Fa "_STACK *stack"
-.Fa "void *new_item"
-.Fa "int index"
-.Fc
-.Ft void *
-.Fo sk_set
-.Fa "_STACK *stack"
-.Fa "int index"
-.Fa "void *new_item"
-.Fc
-.Ft void *
-.Fo sk_pop
-.Fa "_STACK *stack"
-.Fc
-.Ft void *
-.Fo sk_shift
-.Fa "_STACK *stack"
-.Fc
-.Ft void *
-.Fo sk_delete
-.Fa "_STACK *stack"
-.Fa "int index"
-.Fc
-.Ft void *
-.Fo sk_delete_ptr
-.Fa "_STACK *stack"
-.Fa "void *wanted"
-.Fc
-.Ft void
-.Fo sk_zero
-.Fa "_STACK *stack"
-.Fc
-.Sh DESCRIPTION
-OpenSSL introduced an idiosyncratic concept of variable sized arrays
-of pointers and somewhat misleadingly called such an array a
-.Dq stack .
-Intrinsically, and as documented in this manual page, OpenSSL stacks
-are not type safe but only handle
-.Vt void *
-function arguments and return values.
-.Pp
-OpenSSL also provides a fragile, unusually complicated system of
-macro-generated wrappers that offers superficial type safety at the
-expense of extensive obfuscation, implemented using large amounts
-of autogenerated code involving exceedingly ugly, nested
-.Xr cpp 1
-macros; see the
-.Xr STACK_OF 3
-manual page for details.
-.Pp
-The fundamental data type is the
-.Vt _STACK
-structure.
-It stores a variable number of void pointers
-and remembers the number of pointers currently stored.
-It can optionally hold a pointer to a comparison function.
-As long as no comparison function is installed, the order of pointers
-is meaningful; as soon as a comparison function is installed, it
-becomes ill-defined.
-.Pp
-.Fn sk_new_null
-allocates and initializes a new, empty stack.
-.Fn sk_new
-is identical except that it also installs
-.Fa compfunc
-as the comparison function for the new stack object.
-.Fn sk_set_cmp_func
-installs
-.Fa compfunc
-for the existing
-.Fa stack .
-The
-.Fa compfunc
-is allowed to be
-.Dv NULL ,
-but the
-.Fa stack
-is not.
-.Pp
-.Fn sk_dup
-creates a shallow copy of the given
-.Fa stack ,
-which must not be a
-.Dv NULL
-pointer.
-It neither copies the objects pointed to from the stack nor
-increases their reference counts, but merely copies the pointers.
-Extreme care must be taken in order to avoid freeing the memory twice,
-for example by calling
-.Fn sk_free
-on one copy and only calling
-.Fn sk_pop_free
-on the other.
-.Pp
-.Fn sk_free
-frees the given
-.Fa stack .
-It does not free any of the pointers stored on the stack.
-Unless these pointers are merely copies of pointers owned by
-other objects, they must be freed before calling
-.Fn sk_free ,
-in order to avoid leaking memory.
-If
-.Fa stack
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn sk_pop_free
-is severely misnamed.
-It does not at all do what one would expect from a function called
-.Dq pop .
-Instead, it does the same as
-.Fn sk_free ,
-except that it also calls the function
-.Fa freefunc
-on each of the pointers contained in the
-.Fa stack .
-If the calls to
-.Fa freefunc
-are intended to free the memory in use by the objects on the stack,
-ensure that no other pointers to the same objects remain elsewhere.
-.Pp
-.Fn sk_find
-searches the
-.Fa stack
-for the
-.Fa wanted
-pointer.
-If the
-.Fa stack
-contains more than one copy of the
-.Fa wanted
-pointer, only the first match is found.
-If a comparison function is installed for the stack, the stack is
-first sorted with
-.Fn sk_sort ,
-and instead of comparing pointers, two pointers are considered to match
-if the comparison function returns 0.
-.Pp
-.Fn sk_sort
-sorts the
-.Fa stack
-using
-.Xr qsort 3
-and the installed comparison function.
-If
-.Fa stack
-is a
-.Dv NULL
-pointer or already considered sorted, no action occurs.
-This function can only be called if a comparison function is installed.
-.Pp
-.Fn sk_is_sorted
-reports whether the
-.Fa stack
-is considered sorted.
-Calling
-.Fn sk_new_null
-or
-.Fn sk_new ,
-successfully calling
-.Fn sk_push ,
-.Fn sk_unshift ,
-.Fn sk_insert ,
-or
-.Fn sk_set ,
-or changing the comparison function sets the state to unsorted.
-If a comparison function is installed, calling
-.Fn sk_sort ,
-or
-.Fn sk_find
-sets the state to sorted.
-.Pp
-.Fn sk_push
-pushes
-.Fa new_item
-onto the end of the
-.Fa stack ,
-increasing the number of pointers by 1.
-If
-.Fa stack
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn sk_unshift
-inserts
-.Fa new_item
-at the beginning of the
-.Fa stack ,
-such that it gets the index 0.
-The number of pointers increases by 1.
-If
-.Fa stack
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn sk_insert
-inserts the
-.Fa new_item
-into the
-.Fa stack
-such that it gets the given
-.Fa index .
-If
-.Fa index
-is less than 0 or greater than or equal to
-.Fn sk_num stack ,
-the effect is the same as for
-.Fn sk_push .
-If
-.Fa stack
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn sk_set
-replaces the pointer with the given
-.Fa index
-on the
-.Fa stack
-with the
-.Fa new_item .
-The old pointer is not freed,
-which may leak memory if no copy of it exists elsewhere.
-If
-.Fa stack
-is a
-.Dv NULL
-pointer or if
-.Fa index
-is less than 0 or greater than or equal to
-.Fn sk_num stack ,
-no action occurs.
-.Pp
-.Fn sk_pop
-and
-.Fn sk_shift
-remove the pointer with the highest or lowest index from the
-.Fa stack ,
-respectively, reducing the number of pointers by 1.
-If
-.Fa stack
-is a
-.Dv NULL
-pointer or if it is empty, no action occurs.
-.Pp
-.Fn sk_delete
-removes the pointer with the given
-.Fa index
-from the
-.Fa stack ,
-reducing the number of pointers by 1.
-If
-.Fa stack
-is a
-.Dv NULL
-pointer or the
-.Fa index
-is less than 0 or greater than or equal to
-.Fn sk_num stack ,
-no action occurs.
-.Pp
-.Fn sk_delete_ptr
-removes the
-.Fa wanted
-pointer from the
-.Fa stack ,
-reducing the number of pointers by 1 if it is found.
-It never uses a comparison function
-but only compares pointers themselves.
-The
-.Fa stack
-pointer must not be
-.Dv NULL .
-.Pp
-.Fn sk_zero
-removes all pointers from the
-.Fa stack .
-It does not free any of the pointers.
-Unless these pointers are merely copies of pointers owned by other
-objects, they must be freed before calling
-.Fn sk_zero ,
-in order to avoid leaking memory.
-If
-.Fa stack
-is a
-.Dv NULL
-pointer, no action occurs.
-.Sh RETURN VALUES
-.Fn sk_new_null ,
-.Fn sk_new ,
-and
-.Fn sk_dup
-return a pointer to the newly allocated stack object or
-.Dv NULL
-if insufficient memory is available.
-.Pp
-.Fn sk_set_cmp_func
-returns a pointer to the comparison function
-that was previously installed for the
-.Fa stack
-or
-.Dv NULL
-if none was installed.
-.Pp
-.Fn sk_num
-returns the number of pointers currently stored on the
-.Fa stack ,
-or \-1 if
-.Fa stack
-is a
-.Dv NULL
-pointer.
-.Pp
-.Fn sk_value
-returns the pointer with the given
-.Fa index
-from the
-.Fa stack ,
-or
-.Dv NULL
-if
-.Fa stack
-is a
-.Dv NULL
-pointer or if the
-.Fa index
-is less than 0 or greater than or equal to
-.Fn sk_num stack .
-.Pp
-.Fn sk_find
-returns the lowest index considered to match or \-1 if
-.Fa stack
-is a
-.Dv NULL
-pointer or if no match is found.
-.Pp
-.Fn sk_is_sorted
-returns 1 if the
-.Fa stack
-is considered sorted or if it is a
-.Dv NULL
-pointer, or 0 otherwise.
-.Pp
-.Fn sk_push ,
-.Fn sk_unshift ,
-and
-.Fn sk_insert
-return the new number of pointers on the
-.Fa stack
-or 0 if
-.Fa stack
-is a
-.Dv NULL
-pointer or if memory allocation fails.
-.Pp
-.Fn sk_set
-returns
-.Fa new_item
-or
-.Dv NULL
-if
-.Fa stack
-is a
-.Dv NULL
-pointer or if the
-.Fa index
-is less than 0 or greater than or equal to
-.Fn sk_num stack .
-.Pp
-.Fn sk_pop
-and
-.Fn sk_shift
-return the deleted pointer or
-.Dv NULL
-if
-.Fa stack
-is a
-.Dv NULL
-pointer or if it is empty.
-.Pp
-.Fn sk_delete
-returns the deleted pointer or
-.Dv NULL
-if
-.Fa stack
-is a
-.Dv NULL
-pointer or if the
-.Fa index
-is less than 0 or greater than or equal to
-.Fn sk_num stack .
-.Pp
-.Fn sk_delete_ptr
-returns
-.Fa wanted
-or
-.Dv NULL
-if it is not found.
-.Sh SEE ALSO
-.Xr STACK_OF 3
-.Sh HISTORY
-.Fn sk_new_null ,
-.Fn sk_new ,
-.Fn sk_free ,
-.Fn sk_pop_free ,
-.Fn sk_num ,
-.Fn sk_value ,
-.Fn sk_find ,
-.Fn sk_push ,
-.Fn sk_unshift ,
-.Fn sk_insert ,
-.Fn sk_pop ,
-.Fn sk_shift ,
-.Fn sk_delete ,
-and
-.Fn sk_delete_ptr
-first appeared in SSLeay 0.5.1.
-.Fn sk_set_cmp_func ,
-.Fn sk_dup ,
-and
-.Fn sk_zero
-first appeared in SSLeay 0.8.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn sk_set
-first appeared in OpenSSL 0.9.3.
-.Fn sk_sort
-first appeared in OpenSSL 0.9.4.
-Both functions have been available since
-.Ox 2.6 .
-.Pp
-.Fn sk_is_sorted
-first appeared in OpenSSL 0.9.7e and has been available since
-.Ox 3.8 .
-.Sh BUGS
-Even if a comparison function is installed, empty stacks and
-stacks containing a single pointer are sometimes considered
-sorted and sometimes considered unsorted.
-.Pp
-If a comparison function is installed, the concept of
-.Dq first match
-in
-.Fn sk_find
-is ill-defined because
-.Xr qsort 3
-is not a stable sorting function.
-It is probably best to only assume that they return an arbitrary match.
diff --git a/src/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 b/src/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
deleted file mode 100644
index 88ecef9768..0000000000
--- a/src/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
+++ /dev/null
@@ -1,152 +0,0 @@
-.\" $OpenBSD: OpenSSL_add_all_algorithms.3,v 1.16 2024/03/04 19:04:47 tb Exp $
-.\" full merge up to: OpenSSL b3696a55 Sep 2 09:35:50 2017 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2003, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 4 2024 $
-.Dt OPENSSL_ADD_ALL_ALGORITHMS 3
-.Os
-.Sh NAME
-.Nm OpenSSL_add_all_algorithms ,
-.Nm OpenSSL_add_all_ciphers ,
-.Nm OpenSSL_add_all_digests ,
-.Nm EVP_cleanup ,
-.Nm SSLeay_add_all_algorithms
-.\" .Nm OPENSSL_add_all_algorithms_conf ,
-.\" .Nm OPENSSL_add_all_algorithms_noconf ,
-.\" .Nm SSLeay_add_all_ciphers , and
-.\" .Nm SSLeay_add_all_digests are intentionally undocumented
-.\" because they are unused aliases.
-.Nd add algorithms to internal table
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft void
-.Fn OpenSSL_add_all_algorithms void
-.Ft void
-.Fn OpenSSL_add_all_ciphers void
-.Ft void
-.Fn OpenSSL_add_all_digests void
-.Ft void
-.Fn EVP_cleanup void
-.Ft void
-.Fn SSLeay_add_all_algorithms void
-.Sh DESCRIPTION
-These functions are deprecated.
-It is never useful for any application program
-to call any of them explicitly.
-The library automatically calls them internally whenever needed.
-.Pp
-OpenSSL keeps an internal table of digest algorithms and ciphers.
-It uses this table to look up ciphers via functions such as
-.Xr EVP_get_cipherbyname 3 .
-.Pp
-.Fn OpenSSL_add_all_algorithms
-adds all algorithms to the table (digests and ciphers).
-If an application is compiled with the preprocessor symbol
-.Dv OPENSSL_LOAD_CONF
-#define'd, it also calls
-.Xr OPENSSL_config 3
-with a
-.Dv NULL
-argument, loading the default configuration file.
-.Pp
-.Fn OpenSSL_add_all_digests
-adds all digest algorithms to the table.
-.Pp
-.Fn OpenSSL_add_all_ciphers
-adds all encryption algorithms to the table including password based
-encryption algorithms.
-.Pp
-If any of the above functions is called more than once,
-only the first call has an effect.
-.Pp
-.Fn EVP_cleanup
-removes all ciphers and digests from the table and also calls
-.Xr OBJ_NAME_cleanup 3
-with an argument of \-1 ,
-thus resetting the global associative array of names
-and all signature algorithm definitions to their default states,
-removing all application-defined types, key-value pairs, and aliases,
-including any that are unrelated to the EVP library.
-.Pp
-.Fn SSLeay_add_all_algorithms
-is a deprecated alias for
-.Fn OpenSSL_add_all_algorithms .
-.Pp
-.Fn OpenSSL_add_all_algorithms
-and
-.Fn SSLeay_add_all_algorithms
-are implemented as macros.
-.Sh SEE ALSO
-.Xr evp 3 ,
-.Xr EVP_DigestInit 3 ,
-.Xr EVP_EncryptInit 3 ,
-.Xr OBJ_cleanup 3 ,
-.Xr OBJ_NAME_add 3 ,
-.Xr OPENSSL_config 3
-.Sh HISTORY
-.Fn EVP_cleanup ,
-.Fn SSLeay_add_all_algorithms ,
-and precursor functions
-.Fn SSLeay_add_all_ciphers
-and
-.Fn SSLeay_add_all_digests
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn OpenSSL_add_all_algorithms ,
-.Fn OpenSSL_add_all_ciphers ,
-and
-.Fn OpenSSL_add_all_digests
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Sh BUGS
-Although the functions do not return error codes, it is possible for them
-to fail.
-This will only happen as a result of a memory allocation failure so this
-is not too much of a problem in practice.
diff --git a/src/lib/libcrypto/man/PEM_ASN1_read.3 b/src/lib/libcrypto/man/PEM_ASN1_read.3
deleted file mode 100644
index 53ebe5ada4..0000000000
--- a/src/lib/libcrypto/man/PEM_ASN1_read.3
+++ /dev/null
@@ -1,172 +0,0 @@
-.\" $OpenBSD: PEM_ASN1_read.3,v 1.2 2020/07/23 17:34:53 schwarze Exp $
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 23 2020 $
-.Dt PEM_ASN1_READ 3
-.Os
-.Sh NAME
-.Nm d2i_of_void ,
-.Nm PEM_ASN1_read ,
-.Nm PEM_ASN1_read_bio
-.Nd PEM and DER decode an arbitrary ASN.1 value
-.Sh SYNOPSIS
-.In openssl/pem.h
-.Ft typedef void *
-.Fo d2i_of_void
-.Fa "void **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft void *
-.Fo PEM_ASN1_read
-.Fa "d2i_of_void *d2i"
-.Fa "const char *name"
-.Fa "FILE *in_fp"
-.Fa "void **val_out"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft void *
-.Fo PEM_ASN1_read_bio
-.Fa "d2i_of_void *d2i"
-.Fa "const char *name"
-.Fa "BIO *in_bp"
-.Fa "void **val_out"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Sh DESCRIPTION
-These functions read one object from
-.Fa in_fp
-or
-.Fa in_bp
-and perform both PEM and DER decoding.
-They are needed when more specific decoding functions
-like those documented in
-.Xr PEM_read_bio_PrivateKey 3
-and
-.Xr PEM_read_SSL_SESSION 3
-are inadequate for the type
-.Fa name .
-.Pp
-For PEM decoding,
-.Xr PEM_bytes_read_bio 3
-is called internally.
-Consequently, the first object of type
-.Fa name
-is returned and preceding objects of other types are discarded.
-If necessary, data is decrypted, using
-.Fa cb
-and/or
-.Fa u
-if they are not
-.Dv NULL ,
-as described in the
-.Xr pem_password_cb 3
-manual page.
-.Pp
-For subsequent DER decoding, pass a
-.Fa d2i
-callback function that is adequate for the type
-.Fa name ,
-typically returning a pointer of a type more specific than
-.Ft void * .
-For example,
-.Xr d2i_ASN1_TYPE 3
-can always be used and its manual page describes the required
-behaviour of the callback function to be passed.
-Normally, passing a more specific function is more useful;
-candidate functions can be found with
-.Ql man -k Nm~^d2i_ .
-.Pp
-For the
-.Fa name
-argument, the
-.Dv PEM_STRING_*
-string constants defined in
-.In openssl/pem.h
-can be used.
-.Pp
-The
-.Fa val_out
-argument is useless and its many dangers are described in detail in the
-.Xr d2i_ASN1_TYPE 3
-manual page.
-To reduce the risk of bugs, always passing
-.Dv NULL
-is recommended.
-.Sh RETURN VALUES
-These functions return a pointer to the decoded object or
-.Dv NULL
-if an error occurs.
-They fail if
-.Xr PEM_bytes_read_bio 3
-fails, for example because of invalid syntax in the input, an unknown
-encryption, or an invalid passphrase entered by the user.
-They also fail if
-.Fa d2i
-returns
-.Dv NULL ,
-for example due to DER decoding errors.
-.Pp
-.Fn PEM_ASN1_read
-may also fail if memory is exhausted.
-.Sh EXAMPLES
-Typical usage of
-.Fn PEM_ASN1_read
-is demonstrated by the implementation of the more specific function
-to PEM and DER decode an X.509 certificate:
-.Bd -literal -offset 2n
-X509 *
-PEM_read_X509(FILE *fp, X509 **val_out, pem_password_cb *cb, void *u)
-{
-        return PEM_ASN1_read((d2i_of_void *)d2i_X509, PEM_STRING_X509,
-            fp, (void **)val_out, cb, u);
-}
-.Ed
-.Sh ERRORS
-Diagnostics that can be retrieved with
-.Xr ERR_get_error 3 ,
-.Xr ERR_GET_REASON 3 ,
-and
-.Xr ERR_reason_error_string 3
-include:
-.Bl -tag -width Ds
-.It Dv ERR_R_BUF_LIB Qq "BUF lib"
-.Fn PEM_ASN1_read
-failed to set up a temporary BIO,
-for example because memory was exhausted.
-.It Dv ERR_R_ASN1_LIB Qq "ASN1 lib"
-.Fa d2i
-returned
-.Dv NULL ,
-for example due to a DER syntax error.
-.El
-.Pp
-Additional types of errors can result from
-.Xr PEM_bytes_read_bio 3 .
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr d2i_ASN1_TYPE 3 ,
-.Xr PEM_bytes_read_bio 3 ,
-.Xr PEM_read 3 ,
-.Xr PEM_read_bio_PrivateKey 3 ,
-.Xr PEM_read_SSL_SESSION 3 ,
-.Xr PEM_X509_INFO_read 3
-.Sh HISTORY
-These functions first appeared in SSLeay 0.5.1
-and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/PEM_X509_INFO_read.3 b/src/lib/libcrypto/man/PEM_X509_INFO_read.3
deleted file mode 100644
index b3216a89b6..0000000000
--- a/src/lib/libcrypto/man/PEM_X509_INFO_read.3
+++ /dev/null
@@ -1,189 +0,0 @@
-.\" $OpenBSD: PEM_X509_INFO_read.3,v 1.4 2021/10/19 10:39:33 schwarze Exp $
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 19 2021 $
-.Dt PEM_X509_INFO_READ 3
-.Os
-.Sh NAME
-.Nm PEM_X509_INFO_read ,
-.Nm PEM_X509_INFO_read_bio
-.Nd PEM and DER decode X.509 certificates, private keys, and revocation lists
-.Sh SYNOPSIS
-.In openssl/pem.h
-.Ft STACK_OF(X509_INFO) *
-.Fo PEM_X509_INFO_read
-.Fa "FILE *in_fp"
-.Fa "STACK_OF(X509_INFO) *sk"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft STACK_OF(X509_INFO) *
-.Fo PEM_X509_INFO_read_bio
-.Fa "BIO *in_bp"
-.Fa "STACK_OF(X509_INFO) *sk"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Sh DESCRIPTION
-These functions read zero or more objects
-related to X.509 certificates from
-.Fa in_fp
-or
-.Fa in_bp ,
-perform both PEM and DER decoding,
-and wrap the resulting objects in newly allocated
-.Vt X509_INFO
-containers.
-.Pp
-Setting
-.Fa sk
-to
-.Dv NULL
-is recommended, in which case
-a new stack is allocated, populated, and returned.
-If an existing
-.Fa sk
-is passed in, the created
-.Vt X509_INFO
-objects are pushed onto that stack.
-.Pp
-For PEM decoding,
-.Xr PEM_read_bio 3
-is used internally, implying that any non-PEM data
-before, between, and after the objects is silently discarded.
-.Pp
-For subsequent DER decoding,
-the decoding function and the field of the
-.Vt X509_INFO
-structure to store the new object in
-are selected according to the PEM type name:
-.Bl -column "TRUSTED CERTIFICATE" "d2i_PrivateKey()" "revocation list"
-.It PEM type name       Ta decoder             Ta Vt X509_INFO No field
-.It CERTIFICATE         Ta Xr d2i_X509 3       Ta certificate
-.It X509 CERTIFICATE    Ta Xr d2i_X509 3       Ta certificate
-.It TRUSTED CERTIFICATE Ta Xr d2i_X509_AUX 3   Ta certificate
-.It X509 CRL            Ta Xr d2i_X509_CRL 3   Ta revocation list
-.It RSA PRIVATE KEY     Ta Xr d2i_PrivateKey 3 Ta private key
-.It DSA PRIVATE KEY     Ta Xr d2i_PrivateKey 3 Ta private key
-.It EC PRIVATE KEY      Ta Xr d2i_PrivateKey 3 Ta private key
-.El
-.Pp
-Whenever the selected field is already occupied, another new
-.Vt X509_INFO
-container is allocated and pushed onto the stack.
-Depending on the sequence of objects in the input, this can result
-in several partially populated
-.Vt X509_INFO
-containers being pushed onto the stack.
-.Pp
-PEM objects of types not listed in the above table are silently skipped.
-.Pp
-Encrypted certificates and revocation lists are decrypted by calling
-.Xr PEM_do_header 3
-internally, passing through the optional arguments
-.Fa cb
-and
-.Fa u .
-Encrypted private keys are not decrypted.
-Instead, the encrypted form is stored as read.
-All the same,
-.Xr PEM_get_EVP_CIPHER_INFO 3
-is called internally to check that PEM headers, if there are any,
-are valid and specify an encryption the library is prepared to handle.
-.Pp
-If any error occurs, objects that had already been read
-during the same call are deleted again and
-.Fa sk
-is left unchanged.
-.Sh RETURN VALUES
-These functions return a pointer to the stack
-the objects read were pushed onto or
-.Dv NULL
-if an error occurs.
-They fail if
-.Xr PEM_read_bio 3 ,
-.Xr PEM_get_EVP_CIPHER_INFO 3 ,
-.Xr PEM_do_header 3 ,
-or DER decoding fails or if memory is exhausted.
-.Sh ERRORS
-Diagnostics that can be retrieved with
-.Xr ERR_get_error 3 ,
-.Xr ERR_GET_REASON 3 ,
-and
-.Xr ERR_reason_error_string 3
-include:
-.Bl -tag -width Ds
-.It Dv ERR_R_ASN1_LIB Qq "ASN1 lib"
-DER decoding of a PEM object failed.
-.It Dv ERR_R_BUF_LIB Qq BUF lib
-.Fn PEM_X509_INFO_read
-failed to set up a temporary BIO, for example because memory was exhausted.
-.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
-.Fn PEM_X509_INFO_read_bio
-failed to allocate a new
-.Vt X509_INFO ,
-.Vt STACK_OF(X509_INFO) ,
-or
-.Vt X509_PKEY
-object.
-.El
-.Pp
-Additional types of errors can result from
-.Xr PEM_read_bio 3 ,
-.Xr PEM_get_EVP_CIPHER_INFO 3 ,
-and
-.Xr PEM_do_header 3 .
-.Pp
-After these functions failed due to memory exhaustion,
-.Xr ERR_get_error 3
-may sometimes return 0 anyway.
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr d2i_PrivateKey 3 ,
-.Xr d2i_X509 3 ,
-.Xr d2i_X509_CRL 3 ,
-.Xr EVP_PKEY_new 3 ,
-.Xr PEM_read 3 ,
-.Xr PEM_read_bio_PrivateKey 3 ,
-.Xr STACK_OF 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_INFO_new 3 ,
-.Xr X509_LOOKUP_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_PKEY_new 3
-.Sh HISTORY
-.Fn PEM_X509_INFO_read
-first appeared in SSLeay 0.5.1 and
-.Fn PEM_X509_INFO_read_bio
-in SSLeay 0.6.0.
-Both functions have been available since
-.Ox 2.4 .
-.Sh CAVEATS
-It is not an error
-if the input does not contain any objects of the desired types.
-In that case, nothing is added to
-.Fa sk ,
-or if
-.Fa sk
-is
-.Dv NULL ,
-a newly allocated, empty stack is returned.
-The only way to detect this situation is by comparing
-the number of objects on the stack before and after the call.
-.Sh BUGS
-When reaching the end of the input, these functions call
-.Xr ERR_clear_error 3 ,
-which may hide errors that occurred before calling these functions.
diff --git a/src/lib/libcrypto/man/PEM_bytes_read_bio.3 b/src/lib/libcrypto/man/PEM_bytes_read_bio.3
deleted file mode 100644
index 20ad6b8a4d..0000000000
--- a/src/lib/libcrypto/man/PEM_bytes_read_bio.3
+++ /dev/null
@@ -1,184 +0,0 @@
-.\" $OpenBSD: PEM_bytes_read_bio.3,v 1.6 2020/07/23 17:34:53 schwarze Exp $
-.\" selective merge up to:
-.\" OpenSSL PEM_bytes_read_bio.pod 7671342e Feb 29 15:47:12 2016 -0600
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Benjamin Kaduk <bkaduk at akamai dot com>.
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 23 2020 $
-.Dt PEM_BYTES_READ_BIO 3
-.Os
-.Sh NAME
-.Nm PEM_bytes_read_bio
-.Nd read a PEM-encoded data structure from a BIO
-.Sh SYNOPSIS
-.In openssl/pem.h
-.Ft int
-.Fo PEM_bytes_read_bio
-.Fa "unsigned char **pdata"
-.Fa "long *plen"
-.Fa "char **pnm"
-.Fa "const char *name"
-.Fa "BIO *in_bp"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Sh DESCRIPTION
-.Fn PEM_bytes_read_bio
-reads and PEM decodes the first object of type
-.Fa name
-.Pq e.g. RSA PRIVATE KEY, CERTIFICATE, etc.\&
-from
-.Fa in_bp .
-If multiple PEM-encoded data structures are present in the same stream,
-it skips non-matching data types and continues reading.
-Before reading each PEM object, lines not starting with
-.Qq "-----BEGIN "
-are also skipped; see
-.Xr PEM_read_bio 3
-for details of PEM parsing.
-.Pp
-The PEM header may indicate that the following data is encrypted; if so,
-the data is decrypted, optionally using
-.Fa cb
-and
-.Fa u ,
-as described in
-.Xr pem_password_cb 3 .
-.Pp
-Some data types have compatibility aliases, such as a file containing
-X509 CERTIFICATE matching a request for the deprecated type CERTIFICATE.
-The actual type indicated by the file is returned in
-.Em *pnm
-if
-.Fa pnm
-is
-.Pf non- Dv NULL .
-The caller must free the storage pointed to by
-.Em *pnm .
-.Pp
-The returned data is the DER-encoded form of the requested type, in
-.Em *pdata
-with length
-.Em *plen .
-The caller must free the storage pointed to by
-.Em *pdata .
-.Sh RETURN VALUES
-.Fn PEM_bytes_read_bio
-returns 1 for success or 0 for failure.
-.Sh ERRORS
-Diagnostics that can be retrieved with
-.Xr ERR_get_error 3 ,
-.Xr ERR_GET_REASON 3 ,
-and
-.Xr ERR_reason_error_string 3
-include:
-.Bl -tag -width Ds
-.It Dv PEM_R_NO_START_LINE Qq no start line
-No more PEM objects were found in the input.
-This can happen when the input contains no PEM objects at all,
-or only objects that do not match the type
-.Fa name .
-.It Dv PEM_R_NOT_PROC_TYPE Qq not proc type
-The first PEM header does not start with
-.Qq "Proc-Type: " .
-.It Dv PEM_R_NOT_ENCRYPTED Qq not encrypted
-The Proc-Type header differs from
-.Qq 4,ENCRYPTED .
-.It Dv PEM_R_SHORT_HEADER Qq short header
-The Proc-Type header is the last header line.
-.It Dv PEM_R_NOT_DEK_INFO Qq not dek info
-The second PEM header does not start with
-.Qq "DEK-Info: " .
-.It Dv PEM_R_UNSUPPORTED_ENCRYPTION Qq unsupported encryption
-The cipher name given in the DEK-Info header is unknown to
-.Xr EVP_get_cipherbyname 3 .
-.It Dv PEM_R_BAD_IV_CHARS Qq "bad iv chars"
-The word following the cipher name in the DEK-Info header
-contains bytes that are not hexadecimal digits.
-This also happens when the initialization vector is missing or too short.
-.It Dv PEM_R_BAD_PASSWORD_READ Qq bad password read
-.Fa cb
-reported failure.
-This may for example happen when the user mistypes the password.
-.It Dv PEM_R_BAD_DECRYPT Qq bad decrypt
-.Xr EVP_DecryptInit_ex 3 ,
-.Xr EVP_DecryptUpdate 3 ,
-or
-.Xr EVP_DecryptFinal_ex 3
-failed.
-.El
-.Pp
-Additional types of errors can result from
-.Xr PEM_read_bio 3 .
-.Sh SEE ALSO
-.Xr PEM_ASN1_read 3 ,
-.Xr PEM_read 3 ,
-.Xr PEM_read_bio_PrivateKey 3 ,
-.Xr PEM_X509_INFO_read 3
-.Sh STANDARDS
-RFC 1421: Privacy Enhancement for Internet Electronic Mail (PEM), Part I
-.Sh HISTORY
-.Fn PEM_bytes_read_bio
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/PEM_read.3 b/src/lib/libcrypto/man/PEM_read.3
deleted file mode 100644
index 1493d54fc4..0000000000
--- a/src/lib/libcrypto/man/PEM_read.3
+++ /dev/null
@@ -1,416 +0,0 @@
-.\" $OpenBSD: PEM_read.3,v 1.15 2023/09/18 15:26:46 schwarze Exp $
-.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Viktor Dukhovni
-.\" and by Rich Salz <rsalz@openssl.org>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 18 2023 $
-.Dt PEM_READ 3
-.Os
-.Sh NAME
-.Nm PEM_write ,
-.Nm PEM_write_bio ,
-.Nm PEM_read ,
-.Nm PEM_read_bio ,
-.Nm PEM_get_EVP_CIPHER_INFO ,
-.Nm PEM_do_header ,
-.Nm PEM_def_callback ,
-.Nm pem_password_cb
-.Nd PEM encoding routines
-.Sh SYNOPSIS
-.In openssl/pem.h
-.Ft int
-.Fo PEM_write
-.Fa "FILE *fp"
-.Fa "const char *name"
-.Fa "const char *header"
-.Fa "const unsigned char *data"
-.Fa "long len"
-.Fc
-.Ft int
-.Fo PEM_write_bio
-.Fa "BIO *bp"
-.Fa "const char *name"
-.Fa "const char *header"
-.Fa "const unsigned char *data"
-.Fa "long len"
-.Fc
-.Ft int
-.Fo PEM_read
-.Fa "FILE *fp"
-.Fa "char **name"
-.Fa "char **header"
-.Fa "unsigned char **data"
-.Fa "long *len"
-.Fc
-.Ft int
-.Fo PEM_read_bio
-.Fa "BIO *bp"
-.Fa "char **name"
-.Fa "char **header"
-.Fa "unsigned char **data"
-.Fa "long *len"
-.Fc
-.Ft int
-.Fo PEM_get_EVP_CIPHER_INFO
-.Fa "char *header"
-.Fa "EVP_CIPHER_INFO *cinfo"
-.Fc
-.Ft int
-.Fo PEM_do_header
-.Fa "EVP_CIPHER_INFO *cinfo"
-.Fa "unsigned char *data"
-.Fa "long *len"
-.Fa "pem_password_cb *cb"
-.Fa "void *userdata"
-.Fc
-.Ft int
-.Fo PEM_def_callback
-.Fa "char *password"
-.Fa "int size"
-.Fa "int verify"
-.Fa "void *userdata"
-.Fc
-.Ft typedef int
-.Fo pem_password_cb
-.Fa "char *password"
-.Fa "int size"
-.Fa "int verify"
-.Fa "void *userdata"
-.Fc
-.Sh DESCRIPTION
-These functions read and write PEM-encoded objects, using the PEM type
-.Fa name ,
-any additional
-.Fa header
-information, and the raw
-.Fa data
-of length
-.Fa len .
-.Pp
-PEM is the binary content encoding first defined in IETF RFC 1421.
-The content is a series of base64-encoded lines, surrounded by
-begin/end markers each on their own line.
-For example:
-.Bd -literal -offset indent
------BEGIN PRIVATE KEY-----
-MIICdg....
-\&... bhTQ==
------END PRIVATE KEY-----
-.Ed
-.Pp
-Optional header line(s) may appear after the begin line, and their
-existence depends on the type of object being written or read.
-.Pp
-.Fn PEM_write
-writes to the file
-.Fa fp ,
-while
-.Fn PEM_write_bio
-writes to the BIO
-.Fa bp .
-The
-.Fa name
-is the name to use in the marker, the
-.Fa header
-is the header value or
-.Dv NULL ,
-and
-.Fa data
-and
-.Fa len
-specify the data and its length.
-.Pp
-The final
-.Fa data
-buffer is typically an ASN.1 object which can be decoded with the
-.Fn d2i_*
-function appropriate to the type
-.Fa name ;
-see
-.Xr d2i_X509 3
-for examples.
-.Pp
-.Fn PEM_read
-reads from the file
-.Fa fp ,
-while
-.Fn PEM_read_bio
-reads from the BIO
-.Fa bp .
-Both skip any non-PEM data that precedes the start of the next PEM
-object.
-When an object is successfully retrieved, the type name from the
-"----BEGIN <type>-----" is returned via the
-.Fa name
-argument, any encapsulation headers are returned in
-.Fa header ,
-and the base64-decoded content and its length are returned via
-.Fa data
-and
-.Fa len ,
-respectively.
-The
-.Fa name ,
-.Fa header ,
-and
-.Fa data
-pointers should be freed by the caller when no longer needed.
-.Pp
-The remaining functions are deprecated because the underlying PEM
-encryption format is obsolete and should be avoided.
-It uses an encryption format with an OpenSSL-specific key-derivation
-function, which employs MD5 with an iteration count of 1.
-Instead, private keys should be stored in PKCS#8 form, with a strong
-PKCS#5 v2.0 PBE; see
-.Xr PEM_write_PrivateKey 3
-and
-.Xr d2i_PKCS8PrivateKey_bio 3 .
-.Pp
-.Fn PEM_get_EVP_CIPHER_INFO
-can be used to determine the
-.Fa data
-returned by
-.Fn PEM_read
-or
-.Fn PEM_read_bio
-is encrypted and to retrieve the associated cipher and IV.
-The caller passes a pointer to a structure of type
-.Vt EVP_CIPHER_INFO
-via the
-.Fa cinfo
-argument and the
-.Fa header
-returned via
-.Fn PEM_read
-or
-.Fn PEM_read_bio .
-If the call is successful, 1 is returned and the cipher and IV are
-stored at the address pointed to by
-.Fa cinfo .
-When the header is malformed or not supported or when the cipher is
-unknown or some internal error happens, 0 is returned.
-.Pp
-.Fn PEM_do_header
-can then be used to decrypt the data if the header indicates encryption.
-The
-.Fa cinfo
-argument is a pointer to the structure initialized by a preceding call
-to
-.Fn PEM_get_EVP_CIPHER_INFO .
-If that structure indicates the absence of encryption,
-.Fn PEM_do_header
-returns successfully without taking any action.
-The
-.Fa data
-and
-.Fa len
-arguments are used both to pass in the encrypted data that was
-returned in the same arguments from the preceding call to
-.Fn PEM_read
-or
-.Fn PEM_read_bio
-and to pass out the decrypted data.
-.Pp
-The callback function
-.Fa cb
-is used to obtain the encryption
-.Fa password ;
-if
-.Fa cb
-is
-.Dv NULL ,
-.Fn PEM_def_callback
-is used instead.
-The
-.Fa password
-buffer needs to be at least
-.Fa size
-bytes long.
-Unless
-.Fa userdata
-is
-.Dv NULL ,
-.Fn PEM_def_callback
-ignores the
-.Fa verify
-argument and copies the NUL-terminated byte string
-.Fa userdata
-to
-.Fa password
-without a terminating NUL byte, silently truncating the copy to at most
-.Fa size
-bytes.
-If
-.Fa userdata
-is
-.Dv NULL ,
-.Fn PEM_def_callback
-instead prompts the user for the password with echoing turned off
-by calling
-.Xr EVP_read_pw_string_min 3
-internally.
-In this case, the
-.Fa size
-is silently reduced to at most
-.Dv BUFSIZ
-and at most
-.Fa size No \- 1
-bytes are accepted from the user and copied into the byte string buffer
-.Fa password .
-A callback function
-.Fa cb
-supplied by the application may use
-.Fa userdata
-for a different purpose than
-.Fn PEM_def_callback
-does, e.g., as auxiliary data to use while acquiring the password.
-For example, a GUI application might pass a window handle.
-If the
-.Fa verify
-flag is non-zero, the user is prompted twice for the password to
-make typos less likely and it is checked that both inputs agree.
-This flag is not set by
-.Fn PEM_do_header
-nor by other read functions, but it is typically set by write functions.
-.Pp
-If the data is a priori known to not be encrypted, then neither
-.Fn PEM_get_EVP_CIPHER_INFO
-nor
-.Fn PEM_do_header
-need to be called.
-.Sh RETURN VALUES
-.Fn PEM_read
-and
-.Fn PEM_read_bio
-return 1 on success or 0 on failure.
-The latter includes the case when no more PEM objects remain in the
-input file.
-To distinguish end of file from more serious errors, the caller
-must peek at the error stack and check for
-.Dv PEM_R_NO_START_LINE ,
-which indicates that no more PEM objects were found.
-See
-.Xr ERR_peek_last_error 3
-and
-.Xr ERR_GET_REASON 3 .
-.Pp
-.Fn PEM_get_EVP_CIPHER_INFO
-and
-.Fn PEM_do_header
-return 1 on success or 0 on failure.
-The
-.Fa data
-is likely meaningless if these functions fail.
-.Pp
-.Fn PEM_def_callback
-returns the number of bytes stored into
-.Fa buf
-or a negative value on failure, and
-.Fa cb
-is expected to behave in the same way.
-If
-.Fa userdata
-is
-.Dv NULL ,
-.Fn PEM_def_callback
-fails if
-.Fa num
-is less than 5
-or if an error occurs trying to prompt the user for the password.
-Otherwise, it fails when
-.Fa num
-is negative.
-The details of the circumstances that cause
-.Fa cb
-to fail may differ.
-.Sh SEE ALSO
-.Xr crypto 3 ,
-.Xr d2i_PKCS8PrivateKey_bio 3 ,
-.Xr PEM_ASN1_read 3 ,
-.Xr PEM_bytes_read_bio 3 ,
-.Xr PEM_read_bio_PrivateKey 3 ,
-.Xr PEM_read_SSL_SESSION 3 ,
-.Xr PEM_write_bio_CMS_stream 3 ,
-.Xr PEM_write_bio_PKCS7_stream 3 ,
-.Xr PEM_X509_INFO_read 3
-.Sh HISTORY
-.Fn PEM_write ,
-.Fn PEM_read ,
-and
-.Fn PEM_do_header
-appeared in SSLeay 0.4 or earlier.
-.Fn PEM_get_EVP_CIPHER_INFO
-first appeared in SSLeay 0.5.1.
-.Fn PEM_write_bio
-and
-.Fn PEM_read_bio
-first appeared in SSLeay 0.6.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn PEM_def_callback
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3 b/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
deleted file mode 100644
index 9f45261725..0000000000
--- a/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
+++ /dev/null
@@ -1,1335 +0,0 @@
-.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.23 2024/09/02 08:04:32 tb Exp $
-.\" full merge up to:
-.\" OpenSSL man3/PEM_read_bio_PrivateKey.pod 18bad535 Apr 9 15:13:55 2019 +0100
-.\" OpenSSL man3/PEM_read_CMS.pod 83cf7abf May 29 13:07:08 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2001-2004, 2009, 2013-2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 2 2024 $
-.Dt PEM_READ_BIO_PRIVATEKEY 3
-.Os
-.Sh NAME
-.Nm PEM_read_bio_PrivateKey ,
-.Nm PEM_read_PrivateKey ,
-.Nm PEM_write_bio_PrivateKey ,
-.Nm PEM_write_PrivateKey ,
-.Nm PEM_write_bio_PKCS8PrivateKey ,
-.Nm PEM_write_PKCS8PrivateKey ,
-.Nm PEM_write_bio_PKCS8PrivateKey_nid ,
-.Nm PEM_write_PKCS8PrivateKey_nid ,
-.Nm PEM_read_bio_PKCS8 ,
-.Nm PEM_read_PKCS8 ,
-.Nm PEM_write_bio_PKCS8 ,
-.Nm PEM_write_PKCS8 ,
-.Nm PEM_read_bio_PKCS8_PRIV_KEY_INFO ,
-.Nm PEM_read_PKCS8_PRIV_KEY_INFO ,
-.Nm PEM_write_bio_PKCS8_PRIV_KEY_INFO ,
-.Nm PEM_write_PKCS8_PRIV_KEY_INFO ,
-.Nm PEM_read_bio_PUBKEY ,
-.Nm PEM_read_PUBKEY ,
-.Nm PEM_write_bio_PUBKEY ,
-.Nm PEM_write_PUBKEY ,
-.Nm PEM_read_bio_RSAPrivateKey ,
-.Nm PEM_read_RSAPrivateKey ,
-.Nm PEM_write_bio_RSAPrivateKey ,
-.Nm PEM_write_RSAPrivateKey ,
-.Nm PEM_read_bio_RSAPublicKey ,
-.Nm PEM_read_RSAPublicKey ,
-.Nm PEM_write_bio_RSAPublicKey ,
-.Nm PEM_write_RSAPublicKey ,
-.Nm PEM_read_bio_RSA_PUBKEY ,
-.Nm PEM_read_RSA_PUBKEY ,
-.Nm PEM_write_bio_RSA_PUBKEY ,
-.Nm PEM_write_RSA_PUBKEY ,
-.Nm PEM_read_bio_DSAPrivateKey ,
-.Nm PEM_read_DSAPrivateKey ,
-.Nm PEM_write_bio_DSAPrivateKey ,
-.Nm PEM_write_DSAPrivateKey ,
-.Nm PEM_read_bio_DSA_PUBKEY ,
-.Nm PEM_read_DSA_PUBKEY ,
-.Nm PEM_write_bio_DSA_PUBKEY ,
-.Nm PEM_write_DSA_PUBKEY ,
-.Nm PEM_read_bio_DSAparams ,
-.Nm PEM_read_DSAparams ,
-.Nm PEM_write_bio_DSAparams ,
-.Nm PEM_write_DSAparams ,
-.Nm PEM_read_bio_DHparams ,
-.Nm PEM_read_DHparams ,
-.Nm PEM_write_bio_DHparams ,
-.Nm PEM_write_DHparams ,
-.Nm PEM_read_bio_ECPKParameters ,
-.Nm PEM_read_ECPKParameters ,
-.Nm PEM_write_bio_ECPKParameters ,
-.Nm PEM_write_ECPKParameters ,
-.Nm PEM_read_bio_ECPrivateKey ,
-.Nm PEM_read_ECPrivateKey ,
-.Nm PEM_write_bio_ECPrivateKey ,
-.Nm PEM_write_ECPrivateKey ,
-.Nm PEM_read_bio_EC_PUBKEY ,
-.Nm PEM_read_EC_PUBKEY ,
-.Nm PEM_write_bio_EC_PUBKEY ,
-.Nm PEM_write_EC_PUBKEY ,
-.Nm PEM_read_bio_X509 ,
-.Nm PEM_read_X509 ,
-.Nm PEM_write_bio_X509 ,
-.Nm PEM_write_X509 ,
-.Nm PEM_read_bio_X509_AUX ,
-.Nm PEM_read_X509_AUX ,
-.Nm PEM_write_bio_X509_AUX ,
-.Nm PEM_write_X509_AUX ,
-.Nm PEM_read_bio_X509_REQ ,
-.Nm PEM_read_X509_REQ ,
-.Nm PEM_write_bio_X509_REQ ,
-.Nm PEM_write_X509_REQ ,
-.Nm PEM_write_bio_X509_REQ_NEW ,
-.Nm PEM_write_X509_REQ_NEW ,
-.Nm PEM_read_bio_X509_CRL ,
-.Nm PEM_read_X509_CRL ,
-.Nm PEM_write_bio_X509_CRL ,
-.Nm PEM_write_X509_CRL ,
-.Nm PEM_read_bio_PKCS7 ,
-.Nm PEM_read_PKCS7 ,
-.Nm PEM_write_bio_PKCS7 ,
-.Nm PEM_write_PKCS7 ,
-.Nm PEM_read_CMS ,
-.Nm PEM_read_bio_CMS ,
-.Nm PEM_write_CMS ,
-.Nm PEM_write_bio_CMS
-.Nd PEM routines
-.Sh SYNOPSIS
-.In openssl/pem.h
-.Ft EVP_PKEY *
-.Fo PEM_read_bio_PrivateKey
-.Fa "BIO *bp"
-.Fa "EVP_PKEY **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft EVP_PKEY *
-.Fo PEM_read_PrivateKey
-.Fa "FILE *fp"
-.Fa "EVP_PKEY **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_PrivateKey
-.Fa "BIO *bp"
-.Fa "EVP_PKEY *x"
-.Fa "const EVP_CIPHER *enc"
-.Fa "unsigned char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_PrivateKey
-.Fa "FILE *fp"
-.Fa "EVP_PKEY *x"
-.Fa "const EVP_CIPHER *enc"
-.Fa "unsigned char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_PKCS8PrivateKey
-.Fa "BIO *bp"
-.Fa "EVP_PKEY *x"
-.Fa "const EVP_CIPHER *enc"
-.Fa "char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_PKCS8PrivateKey
-.Fa "FILE *fp"
-.Fa "EVP_PKEY *x"
-.Fa "const EVP_CIPHER *enc"
-.Fa "char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_PKCS8PrivateKey_nid
-.Fa "BIO *bp"
-.Fa "EVP_PKEY *x"
-.Fa "int nid"
-.Fa "char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_PKCS8PrivateKey_nid
-.Fa "FILE *fp"
-.Fa "EVP_PKEY *x"
-.Fa "int nid"
-.Fa "char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft X509_SIG *
-.Fo PEM_read_bio_PKCS8
-.Fa "BIO *bp"
-.Fa "X509_SIG **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft X509_SIG *
-.Fo PEM_read_PKCS8
-.Fa "FILE *fp"
-.Fa "X509_SIG **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_PKCS8
-.Fa "BIO *bp"
-.Fa "X509_SIG *x"
-.Fc
-.Ft int
-.Fo PEM_write_PKCS8
-.Fa "FILE *fp"
-.Fa "X509_SIG *x"
-.Fc
-.Ft PKCS8_PRIV_KEY_INFO *
-.Fo PEM_read_bio_PKCS8_PRIV_KEY_INFO
-.Fa "BIO *bp"
-.Fa "PKCS8_PRIV_KEY_INFO **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft PKCS8_PRIV_KEY_INFO *
-.Fo PEM_read_PKCS8_PRIV_KEY_INFO
-.Fa "FILE *fp"
-.Fa "PKCS8_PRIV_KEY_INFO **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_PKCS8_PRIV_KEY_INFO
-.Fa "BIO *bp"
-.Fa "PKCS8_PRIV_KEY_INFO *x"
-.Fc
-.Ft int
-.Fo PEM_write_PKCS8_PRIV_KEY_INFO
-.Fa "FILE *fp"
-.Fa "PKCS8_PRIV_KEY_INFO *x"
-.Fc
-.Ft EVP_PKEY *
-.Fo PEM_read_bio_PUBKEY
-.Fa "BIO *bp"
-.Fa "EVP_PKEY **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft EVP_PKEY *
-.Fo PEM_read_PUBKEY
-.Fa "FILE *fp"
-.Fa "EVP_PKEY **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_PUBKEY
-.Fa "BIO *bp"
-.Fa "EVP_PKEY *x"
-.Fc
-.Ft int
-.Fo PEM_write_PUBKEY
-.Fa "FILE *fp"
-.Fa "EVP_PKEY *x"
-.Fc
-.Ft RSA *
-.Fo PEM_read_bio_RSAPrivateKey
-.Fa "BIO *bp"
-.Fa "RSA **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft RSA *
-.Fo PEM_read_RSAPrivateKey
-.Fa "FILE *fp"
-.Fa "RSA **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_RSAPrivateKey
-.Fa "BIO *bp"
-.Fa "RSA *x"
-.Fa "const EVP_CIPHER *enc"
-.Fa "unsigned char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_RSAPrivateKey
-.Fa "FILE *fp"
-.Fa "RSA *x"
-.Fa "const EVP_CIPHER *enc"
-.Fa "unsigned char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft RSA *
-.Fo PEM_read_bio_RSAPublicKey
-.Fa "BIO *bp"
-.Fa "RSA **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft RSA *
-.Fo PEM_read_RSAPublicKey
-.Fa "FILE *fp"
-.Fa "RSA **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_RSAPublicKey
-.Fa "BIO *bp"
-.Fa "RSA *x"
-.Fc
-.Ft int
-.Fo PEM_write_RSAPublicKey
-.Fa "FILE *fp"
-.Fa "RSA *x"
-.Fc
-.Ft RSA *
-.Fo PEM_read_bio_RSA_PUBKEY
-.Fa "BIO *bp"
-.Fa "RSA **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft RSA *
-.Fo PEM_read_RSA_PUBKEY
-.Fa "FILE *fp"
-.Fa "RSA **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_RSA_PUBKEY
-.Fa "BIO *bp"
-.Fa "RSA *x"
-.Fc
-.Ft int
-.Fo PEM_write_RSA_PUBKEY
-.Fa "FILE *fp"
-.Fa "RSA *x"
-.Fc
-.Ft DSA *
-.Fo PEM_read_bio_DSAPrivateKey
-.Fa "BIO *bp"
-.Fa "DSA **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft DSA *
-.Fo PEM_read_DSAPrivateKey
-.Fa "FILE *fp"
-.Fa "DSA **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_DSAPrivateKey
-.Fa "BIO *bp"
-.Fa "DSA *x"
-.Fa "const EVP_CIPHER *enc"
-.Fa "unsigned char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_DSAPrivateKey
-.Fa "FILE *fp"
-.Fa "DSA *x"
-.Fa "const EVP_CIPHER *enc"
-.Fa "unsigned char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft DSA *
-.Fo PEM_read_bio_DSA_PUBKEY
-.Fa "BIO *bp"
-.Fa "DSA **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft DSA *
-.Fo PEM_read_DSA_PUBKEY
-.Fa "FILE *fp"
-.Fa "DSA **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_DSA_PUBKEY
-.Fa "BIO *bp"
-.Fa "DSA *x"
-.Fc
-.Ft int
-.Fo PEM_write_DSA_PUBKEY
-.Fa "FILE *fp"
-.Fa "DSA *x"
-.Fc
-.Ft DSA *
-.Fo PEM_read_bio_DSAparams
-.Fa "BIO *bp"
-.Fa "DSA **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft DSA *
-.Fo PEM_read_DSAparams
-.Fa "FILE *fp"
-.Fa "DSA **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_DSAparams
-.Fa "BIO *bp"
-.Fa "DSA *x"
-.Fc
-.Ft int
-.Fo PEM_write_DSAparams
-.Fa "FILE *fp"
-.Fa "DSA *x"
-.Fc
-.Ft DH *
-.Fo PEM_read_bio_DHparams
-.Fa "BIO *bp"
-.Fa "DH **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft DH *
-.Fo PEM_read_DHparams
-.Fa "FILE *fp"
-.Fa "DH **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_DHparams
-.Fa "BIO *bp"
-.Fa "DH *x"
-.Fc
-.Ft int
-.Fo PEM_write_DHparams
-.Fa "FILE *fp"
-.Fa "DH *x"
-.Fc
-.Ft EC_GROUP *
-.Fo PEM_read_bio_ECPKParameters
-.Fa "BIO *bp"
-.Fa "EC_GROUP **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft EC_GROUP *
-.Fo PEM_read_ECPKParameters
-.Fa "FILE *fp"
-.Fa "EC_GROUP **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_ECPKParameters
-.Fa "BIO *bp"
-.Fa "const EC_GROUP *x"
-.Fc
-.Ft int
-.Fo PEM_write_ECPKParameters
-.Fa "FILE *fp"
-.Fa "const EC_GROUP *x"
-.Fc
-.Ft EC_KEY *
-.Fo PEM_read_bio_ECPrivateKey
-.Fa "BIO *bp"
-.Fa "EC_KEY **key"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft EC_KEY *
-.Fo PEM_read_ECPrivateKey
-.Fa "FILE *fp"
-.Fa "EC_KEY **eckey"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_ECPrivateKey
-.Fa "BIO *bp"
-.Fa "EC_KEY *x"
-.Fa "const EVP_CIPHER *enc"
-.Fa "unsigned char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_ECPrivateKey
-.Fa "FILE *fp"
-.Fa "EC_KEY *x"
-.Fa "const EVP_CIPHER *enc"
-.Fa "unsigned char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft EC_KEY *
-.Fo PEM_read_bio_EC_PUBKEY
-.Fa "BIO *bp"
-.Fa "EC_KEY **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft EC_KEY *
-.Fo PEM_read_EC_PUBKEY
-.Fa "FILE *fp"
-.Fa "EC_KEY **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_EC_PUBKEY
-.Fa "BIO *bp"
-.Fa "EC_KEY *x"
-.Fc
-.Ft int
-.Fo PEM_write_EC_PUBKEY
-.Fa "FILE *fp"
-.Fa "EC_KEY *x"
-.Fc
-.Ft X509 *
-.Fo PEM_read_bio_X509
-.Fa "BIO *bp"
-.Fa "X509 **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft X509 *
-.Fo PEM_read_X509
-.Fa "FILE *fp"
-.Fa "X509 **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_X509
-.Fa "BIO *bp"
-.Fa "X509 *x"
-.Fc
-.Ft int
-.Fo PEM_write_X509
-.Fa "FILE *fp"
-.Fa "X509 *x"
-.Fc
-.Ft X509 *
-.Fo PEM_read_bio_X509_AUX
-.Fa "BIO *bp"
-.Fa "X509 **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft X509 *
-.Fo PEM_read_X509_AUX
-.Fa "FILE *fp"
-.Fa "X509 **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_X509_AUX
-.Fa "BIO *bp"
-.Fa "X509 *x"
-.Fc
-.Ft int
-.Fo PEM_write_X509_AUX
-.Fa "FILE *fp"
-.Fa "X509 *x"
-.Fc
-.Ft X509_REQ *
-.Fo PEM_read_bio_X509_REQ
-.Fa "BIO *bp"
-.Fa "X509_REQ **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft X509_REQ *
-.Fo PEM_read_X509_REQ
-.Fa "FILE *fp"
-.Fa "X509_REQ **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_X509_REQ
-.Fa "BIO *bp"
-.Fa "X509_REQ *x"
-.Fc
-.Ft int
-.Fo PEM_write_X509_REQ
-.Fa "FILE *fp"
-.Fa "X509_REQ *x"
-.Fc
-.Ft int
-.Fo PEM_write_bio_X509_REQ_NEW
-.Fa "BIO *bp"
-.Fa "X509_REQ *x"
-.Fc
-.Ft int
-.Fo PEM_write_X509_REQ_NEW
-.Fa "FILE *fp"
-.Fa "X509_REQ *x"
-.Fc
-.Ft X509_CRL *
-.Fo PEM_read_bio_X509_CRL
-.Fa "BIO *bp"
-.Fa "X509_CRL **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft X509_CRL *
-.Fo PEM_read_X509_CRL
-.Fa "FILE *fp"
-.Fa "X509_CRL **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_X509_CRL
-.Fa "BIO *bp"
-.Fa "X509_CRL *x"
-.Fc
-.Ft int
-.Fo PEM_write_X509_CRL
-.Fa "FILE *fp"
-.Fa "X509_CRL *x"
-.Fc
-.Ft PKCS7 *
-.Fo PEM_read_bio_PKCS7
-.Fa "BIO *bp"
-.Fa "PKCS7 **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft PKCS7 *
-.Fo PEM_read_PKCS7
-.Fa "FILE *fp"
-.Fa "PKCS7 **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_bio_PKCS7
-.Fa "BIO *bp"
-.Fa "PKCS7 *x"
-.Fc
-.Ft int
-.Fo PEM_write_PKCS7
-.Fa "FILE *fp"
-.Fa "PKCS7 *x"
-.Fc
-.In openssl/cms.h
-.Ft CMS_ContentInfo *
-.Fo PEM_read_CMS
-.Fa "FILE *fp"
-.Fa "CMS_ContentInfo **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft CMS_ContentInfo *
-.Fo PEM_read_bio_CMS
-.Fa "BIO *bp"
-.Fa "CMS_ContentInfo **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_CMS
-.Fa "FILE *fp"
-.Fa "const CMS_ContentInfo *x"
-.Fc
-.Ft int
-.Fo PEM_write_bio_CMS
-.Fa "BIO *bp"
-.Fa "const CMS_ContentInfo *x"
-.Fc
-.Sh DESCRIPTION
-The PEM functions read or write structures in PEM format.
-In this sense PEM format is simply base64-encoded data surrounded by
-header lines; see
-.Xr PEM_read 3
-for more details.
-.Pp
-For more details about the meaning of arguments see the
-.Sx PEM function arguments
-section.
-.Pp
-Each operation has four functions associated with it.
-For brevity the term
-.Dq Ar TYPE No functions
-will be used to collectively refer to the
-.Fn PEM_read_bio_TYPE ,
-.Fn PEM_read_TYPE ,
-.Fn PEM_write_bio_TYPE ,
-and
-.Fn PEM_write_TYPE
-functions.
-If no set of specific functions exists for a given type,
-.Xr PEM_ASN1_read 3
-can be used instead.
-.Pp
-The
-.Sy PrivateKey
-functions read or write a private key in PEM format using an
-.Vt EVP_PKEY
-structure.
-The write routines use "traditional" private key format and can handle
-both RSA and DSA private keys.
-The read functions can additionally transparently handle PKCS#8 format
-encrypted and unencrypted keys too.
-.Pp
-.Fn PEM_write_bio_PKCS8PrivateKey
-and
-.Fn PEM_write_PKCS8PrivateKey
-write a private key in an
-.Vt EVP_PKEY
-structure in PKCS#8
-.Vt EncryptedPrivateKeyInfo
-format using PKCS#5 v2.0 password based encryption algorithms.
-The
-.Fa enc
-argument specifies the encryption algorithm to use: unlike all other PEM
-routines, the encryption is applied at the PKCS#8 level and not in the
-PEM headers.
-If
-.Fa enc
-is
-.Dv NULL ,
-then no encryption is used and a PKCS#8
-.Vt PrivateKeyInfo
-structure is used instead.
-.Pp
-.Fn PEM_write_bio_PKCS8PrivateKey_nid
-and
-.Fn PEM_write_PKCS8PrivateKey_nid
-also write out a private key as a PKCS#8
-.Vt EncryptedPrivateKeyInfo .
-However they use PKCS#5 v1.5 or PKCS#12 encryption algorithms instead.
-The algorithm to use is specified in the
-.Fa nid
-parameter and should be the NID of the corresponding OBJECT IDENTIFIER.
-.Pp
-The
-.Sy PKCS8
-functions process an encrypted private key using an
-.Vt X509_SIG
-structure and the
-.Xr d2i_X509_SIG 3
-function.
-.Pp
-The
-.Sy PKCS8_PRIV_KEY_INFO
-functions process a private key using a
-.Vt PKCS8_PRIV_KEY_INFO
-structure.
-.Pp
-The
-.Sy PUBKEY
-functions process a public key using an
-.Vt EVP_PKEY
-structure.
-The public key is encoded as an ASN.1
-.Vt SubjectPublicKeyInfo
-structure.
-.Pp
-The
-.Sy RSAPrivateKey
-functions process an RSA private key using an
-.Vt RSA
-structure.
-They handle the same formats as the
-.Sy PrivateKey
-functions, but an error occurs if the private key is not RSA.
-.Pp
-The
-.Sy RSAPublicKey
-functions process an RSA public key using an
-.Vt RSA
-structure.
-The public key is encoded using a PKCS#1
-.Vt RSAPublicKey
-structure.
-.Pp
-The
-.Sy RSA_PUBKEY
-functions also process an RSA public key using an
-.Vt RSA
-structure.
-However the public key is encoded using an ASN.1
-.Vt SubjectPublicKeyInfo
-structure and an error occurs if the public key is not RSA.
-.Pp
-The
-.Sy DSAPrivateKey
-functions process a DSA private key using a
-.Vt DSA
-structure.
-They handle the same formats as the
-.Sy PrivateKey
-functions but an error occurs if the private key is not DSA.
-.Pp
-The
-.Sy DSA_PUBKEY
-functions process a DSA public key using a
-.Vt DSA
-structure.
-The public key is encoded using an ASN.1
-.Vt SubjectPublicKeyInfo
-structure and an error occurs if the public key is not DSA.
-.Pp
-The
-.Sy DSAparams
-functions process DSA parameters using a
-.Vt DSA
-structure.
-The parameters are encoded using a Dss-Parms structure as defined in RFC 2459.
-.Pp
-The
-.Sy DHparams
-functions process DH parameters using a
-.Vt DH
-structure.
-The parameters are encoded using a PKCS#3 DHparameter structure.
-.Pp
-The
-.Sy ECPKParameters
-functions process EC parameters using an
-.Vt EC_GROUP
-structure and the
-.Xr d2i_ECPKParameters 3
-function.
-.Pp
-The
-.Sy ECPrivateKey
-functions process an EC private key using an
-.Vt EC_KEY
-structure.
-.Pp
-The
-.Sy EC_PUBKEY
-functions process an EC public key using an
-.Vt EC_KEY
-structure.
-.Pp
-The
-.Sy X509
-functions process an X509 certificate using an
-.Vt X509
-structure.
-They will also process a trusted X509 certificate but any trust settings
-are discarded.
-.Pp
-The
-.Sy X509_AUX
-functions process a trusted X509 certificate using an
-.Vt X509
-structure.
-.Pp
-The
-.Sy X509_REQ
-and
-.Sy X509_REQ_NEW
-functions process a PKCS#10 certificate request using an
-.Vt X509_REQ
-structure.
-The
-.Sy X509_REQ
-write functions use CERTIFICATE REQUEST in the header whereas the
-.Sy X509_REQ_NEW
-functions use NEW CERTIFICATE REQUEST (as required by some CAs).
-The
-.Sy X509_REQ
-read functions will handle either form so there are no
-.Sy X509_REQ_NEW
-read functions.
-.Pp
-The
-.Sy X509_CRL
-functions process an X509 CRL using an
-.Vt X509_CRL
-structure.
-.Pp
-The
-.Sy PKCS7
-functions process a PKCS#7
-.Vt ContentInfo
-using a
-.Vt PKCS7
-structure.
-.Pp
-The
-.Sy CMS
-functions process a
-.Vt CMS_ContentInfo
-structure.
-.Pp
-The old
-.Sy PrivateKey
-write routines are retained for compatibility.
-New applications should write private keys using the
-.Fn PEM_write_bio_PKCS8PrivateKey
-or
-.Fn PEM_write_PKCS8PrivateKey
-routines because they are more secure (they use an iteration count of
-2048 whereas the traditional routines use a count of 1) unless
-compatibility with older versions of OpenSSL is important.
-.Pp
-The
-.Sy PrivateKey
-read routines can be used in all applications because they handle all
-formats transparently.
-.Ss PEM function arguments
-The PEM functions have many common arguments.
-.Pp
-The
-.Fa bp
-parameter specifies the
-.Vt BIO
-to read from or write to.
-.Pp
-The
-.Fa fp
-parameter specifies the
-.Vt FILE
-pointer to read from or write to.
-.Pp
-The PEM read functions all take a pointer to pointer argument
-.Fa x
-and return a pointer of the same type.
-If
-.Fa x
-is
-.Dv NULL ,
-then the parameter is ignored.
-If
-.Fa x
-is not
-.Dv NULL
-but
-.Pf * Fa x
-is
-.Dv NULL ,
-then the structure returned will be written to
-.Pf * Fa x .
-If neither
-.Fa x
-nor
-.Pf * Fa x
-are
-.Dv NULL ,
-then an attempt is made to reuse the structure at
-.Pf * Fa x ,
-but see the
-.Sx BUGS
-and
-.Sx EXAMPLES
-sections.
-Irrespective of the value of
-.Fa x ,
-a pointer to the structure is always returned, or
-.Dv NULL
-if an error occurred.
-.Pp
-The PEM functions which write private keys take an
-.Fa enc
-parameter, which specifies the encryption algorithm to use.
-Encryption is done at the PEM level.
-If this parameter is set to
-.Dv NULL ,
-then the private key is written in unencrypted form.
-.Pp
-The optional arguments
-.Fa u
-and
-.Fa cb
-are a passphrase used for encrypting a PEM structure
-or a callback to obtain the passphrase; see
-.Xr pem_password_cb 3
-for details.
-.Pp
-For the PEM write routines, if the
-.Fa kstr
-parameter is not
-.Dv NULL ,
-then
-.Fa klen
-bytes at
-.Fa kstr
-are used as the passphrase and
-.Fa cb
-is ignored.
-.Ss PEM encryption format
-These old
-.Sy PrivateKey
-routines use a non-standard technique for encryption.
-.Pp
-The private key (or other data) takes the following form:
-.Bd -literal -offset indent
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC89
-
-\&...base64 encoded data...
------END RSA PRIVATE KEY-----
-.Ed
-.Pp
-The line beginning with
-.Dq DEK-Info
-contains two comma separated pieces of information:
-the encryption algorithm name as used by
-.Xr EVP_get_cipherbyname 3
-and an 8-byte salt encoded as a set of hexadecimal digits.
-.Pp
-After this is the base64-encoded encrypted data.
-.Pp
-The encryption key is determined using
-.Xr EVP_BytesToKey 3 ,
-using the salt and an iteration count of 1.
-The IV used is the value of the salt and *not* the IV returned by
-.Xr EVP_BytesToKey 3 .
-.Sh RETURN VALUES
-The read routines return either a pointer to the structure read or
-.Dv NULL
-if an error occurred.
-.Pp
-The write routines return 1 for success or 0 for failure.
-.Sh EXAMPLES
-Although the PEM routines take several arguments, in almost all
-applications most of them are set to 0 or
-.Dv NULL .
-.Pp
-Read a certificate in PEM format from a
-.Vt BIO :
-.Bd -literal -offset indent
-X509 *x;
-x = PEM_read_bio_X509(bp, NULL, 0, NULL);
-if (x == NULL) {
-        /* Error */
-}
-.Ed
-.Pp
-Alternative method:
-.Bd -literal -offset indent
-X509 *x = NULL;
-if (!PEM_read_bio_X509(bp, &x, 0, NULL)) {
-        /* Error */
-}
-.Ed
-.Pp
-Write a certificate to a
-.Vt BIO :
-.Bd -literal -offset indent
-if (!PEM_write_bio_X509(bp, x)) {
-        /* Error */
-}
-.Ed
-.Pp
-Write an unencrypted private key to a
-.Vt FILE :
-.Bd -literal -offset indent
-if (!PEM_write_PrivateKey(fp, key, NULL, NULL, 0, 0, NULL)) {
-        /* Error */
-}
-.Ed
-.Pp
-Write a private key (using traditional format) to a
-.Vt BIO
-using triple DES encryption; the pass phrase is prompted for:
-.Bd -literal -offset indent
-if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(),
-    NULL, 0, 0, NULL)) {
-        /* Error */
-}
-.Ed
-.Pp
-Write a private key (using PKCS#8 format) to a
-.Vt BIO
-using triple DES encryption, using the pass phrase "hello":
-.Bd -literal -offset indent
-if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(),
-    NULL, 0, 0, "hello")) {
-        /* Error */
-}
-.Ed
-.Pp
-Read a private key from a
-.Vt BIO
-using the pass phrase "hello":
-.Bd -literal -offset indent
-key = PEM_read_bio_PrivateKey(bp, NULL, 0, "hello");
-if (key == NULL) {
-        /* Error */
-}
-.Ed
-.Pp
-Read a private key from a
-.Vt BIO
-using a pass phrase callback:
-.Bd -literal -offset indent
-key = PEM_read_bio_PrivateKey(bp, NULL, pass_cb, "My Private Key");
-if (key == NULL) {
-        /* Error */
-}
-.Ed
-.Pp
-Skeleton pass phrase callback:
-.Bd -literal -offset indent
-int
-pass_cb(char *buf, int size, int rwflag, void *u)
-{
-        char    *tmp;
-        size_t   len;
-
-        /* We'd probably do something else if 'rwflag' is 1 */
-        printf("Enter pass phrase for \e"%s\e"\en", u);
-
-        /*
-         * Instead of the following line, get the passphrase
-         * from the user in some way.
-         */
-        tmp = "hello";
-        if (tmp == NULL) /* An error occurred. */
-                return -1;
-
-        len = strlen(tmp);
-        if (len == 0) /* Treat an empty passphrase as an error, too. */
-                return -1;
-
-        /* if too long, truncate */
-        if (len > size)
-                len = size;
-        memcpy(buf, tmp, len);
-        return len;
-}
-.Ed
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr DSA_new 3 ,
-.Xr PEM_ASN1_read 3 ,
-.Xr PEM_bytes_read_bio 3 ,
-.Xr PEM_read 3 ,
-.Xr PEM_read_SSL_SESSION 3 ,
-.Xr PEM_write_bio_CMS_stream 3 ,
-.Xr PEM_write_bio_PKCS7_stream 3 ,
-.Xr PEM_X509_INFO_read 3 ,
-.Xr RSA_new 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_REQ_new 3 ,
-.Xr X509_SIG_new 3
-.Sh HISTORY
-.Fn PEM_read_X509
-and
-.Fn PEM_write_X509
-appeared in SSLeay 0.4 or earlier.
-.Fn PEM_read_X509_REQ ,
-.Fn PEM_write_X509_REQ ,
-.Fn PEM_read_X509_CRL ,
-and
-.Fn PEM_write_X509_CRL
-first appeared in SSLeay 0.4.4.
-.Fn PEM_read_RSAPrivateKey ,
-.Fn PEM_write_RSAPrivateKey ,
-.Fn PEM_read_DHparams ,
-.Fn PEM_write_DHparams ,
-.Fn PEM_read_PKCS7 ,
-and
-.Fn PEM_write_PKCS7
-first appeared in SSLeay 0.5.1.
-.Fn PEM_read_bio_PrivateKey ,
-.Fn PEM_read_PrivateKey ,
-.Fn PEM_read_bio_RSAPrivateKey ,
-.Fn PEM_write_bio_RSAPrivateKey ,
-.Fn PEM_read_bio_DSAPrivateKey ,
-.Fn PEM_read_DSAPrivateKey ,
-.Fn PEM_write_bio_DSAPrivateKey ,
-.Fn PEM_write_DSAPrivateKey ,
-.Fn PEM_read_bio_DHparams ,
-.Fn PEM_write_bio_DHparams ,
-.Fn PEM_read_bio_X509 ,
-.Fn PEM_write_bio_X509 ,
-.Fn PEM_read_bio_X509_REQ ,
-.Fn PEM_write_bio_X509_REQ ,
-.Fn PEM_read_bio_X509_CRL ,
-.Fn PEM_write_bio_X509_CRL ,
-.Fn PEM_read_bio_PKCS7 ,
-and
-.Fn PEM_write_bio_PKCS7
-first appeared in SSLeay 0.6.0.
-.Fn PEM_write_bio_PrivateKey ,
-.Fn PEM_write_PrivateKey ,
-.Fn PEM_read_bio_DSAparams ,
-.Fn PEM_read_DSAparams ,
-.Fn PEM_write_bio_DSAparams ,
-and
-.Fn PEM_write_DSAparams
-first appeared in SSLeay 0.8.0.
-.Fn PEM_read_bio_RSAPublicKey ,
-.Fn PEM_read_RSAPublicKey ,
-.Fn PEM_write_bio_RSAPublicKey ,
-and
-.Fn PEM_write_RSAPublicKey
-first appeared in SSLeay 0.8.1.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn PEM_write_bio_PKCS8PrivateKey ,
-.Fn PEM_write_PKCS8PrivateKey ,
-.Fn PEM_read_bio_PKCS8 ,
-.Fn PEM_read_PKCS8 ,
-.Fn PEM_write_bio_PKCS8 ,
-.Fn PEM_write_PKCS8 ,
-.Fn PEM_read_bio_PKCS8_PRIV_KEY_INFO ,
-.Fn PEM_read_PKCS8_PRIV_KEY_INFO ,
-.Fn PEM_write_bio_PKCS8_PRIV_KEY_INFO ,
-.Fn PEM_write_PKCS8_PRIV_KEY_INFO ,
-.Pp
-.Fn PEM_write_bio_PKCS8PrivateKey_nid ,
-.Fn PEM_write_PKCS8PrivateKey_nid ,
-.Fn PEM_read_bio_PUBKEY ,
-.Fn PEM_read_PUBKEY ,
-.Fn PEM_write_bio_PUBKEY ,
-.Fn PEM_write_PUBKEY ,
-.Fn PEM_read_bio_RSA_PUBKEY ,
-.Fn PEM_read_RSA_PUBKEY ,
-.Fn PEM_write_bio_RSA_PUBKEY ,
-.Fn PEM_write_RSA_PUBKEY ,
-.Fn PEM_read_bio_DSA_PUBKEY ,
-.Fn PEM_read_DSA_PUBKEY ,
-.Fn PEM_write_bio_DSA_PUBKEY ,
-.Fn PEM_write_DSA_PUBKEY ,
-.Fn PEM_write_bio_X509_REQ_NEW ,
-.Fn PEM_write_X509_REQ_NEW ,
-.Fn PEM_read_bio_X509_AUX ,
-.Fn PEM_read_X509_AUX ,
-.Fn PEM_write_bio_X509_AUX ,
-and
-.Fn PEM_write_X509_AUX
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-.Fn PEM_read_bio_ECPKParameters ,
-.Fn PEM_read_ECPKParameters ,
-.Fn PEM_write_bio_ECPKParameters ,
-.Fn PEM_write_ECPKParameters ,
-.Fn PEM_read_bio_ECPrivateKey ,
-.Fn PEM_read_ECPrivateKey ,
-.Fn PEM_write_bio_ECPrivateKey ,
-.Fn PEM_write_ECPrivateKey ,
-.Fn PEM_read_bio_EC_PUBKEY ,
-.Fn PEM_read_EC_PUBKEY ,
-.Fn PEM_write_bio_EC_PUBKEY ,
-and
-.Fn PEM_write_EC_PUBKEY
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
-.Fn PEM_read_CMS ,
-.Fn PEM_read_bio_CMS ,
-.Fn PEM_write_CMS ,
-and
-.Fn PEM_write_bio_CMS
-first appeared in OpenSSL 0.9.8h and have been available since
-.Ox 6.7 .
-.Sh CAVEATS
-A frequent cause of problems is attempting to use the PEM routines like
-this:
-.Bd -literal -offset indent
-X509 *x;
-PEM_read_bio_X509(bp, &x, 0, NULL);
-.Ed
-.Pp
-This is a bug because an attempt will be made to reuse the data at
-.Fa x ,
-which is an uninitialised pointer.
-.Pp
-These functions make no assumption regarding the pass phrase received
-from the password callback.
-It will simply be treated as a byte sequence.
-.Sh BUGS
-The PEM read routines in some versions of OpenSSL will not correctly
-reuse an existing structure.
-Therefore
-.Pp
-.Dl PEM_read_bio_X509(bp, &x, 0, NULL);
-.Pp
-where
-.Fa x
-already contains a valid certificate may not work, whereas
-.Bd -literal -offset indent
-X509_free(x);
-x = PEM_read_bio_X509(bp, NULL, 0, NULL);
-.Ed
-.Pp
-is guaranteed to work.
diff --git a/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 b/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
deleted file mode 100644
index 88adbba74f..0000000000
--- a/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
+++ /dev/null
@@ -1,95 +0,0 @@
-.\" $OpenBSD: PEM_write_bio_CMS_stream.3,v 1.6 2023/05/01 07:28:11 tb Exp $
-.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 1 2023 $
-.Dt PEM_WRITE_BIO_CMS_STREAM 3
-.Os
-.Sh NAME
-.Nm PEM_write_bio_CMS_stream
-.Nd output CMS_ContentInfo structure in PEM format
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo PEM_write_bio_CMS_stream
-.Fa "BIO *out"
-.Fa "CMS_ContentInfo *cms"
-.Fa "BIO *data"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn PEM_write_bio_CMS_stream
-outputs a
-.Vt CMS_ContentInfo
-structure in PEM format.
-.Pp
-It is otherwise identical to the function
-.Xr SMIME_write_CMS 3 .
-.Pp
-This function is effectively a version of
-.Xr PEM_write_bio_CMS 3
-supporting streaming.
-.Sh RETURN VALUES
-.Fn PEM_write_bio_CMS_stream
-returns 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_decrypt 3 ,
-.Xr CMS_encrypt 3 ,
-.Xr CMS_sign 3 ,
-.Xr CMS_verify 3 ,
-.Xr ERR_get_error 3 ,
-.Xr i2d_CMS_bio_stream 3 ,
-.Xr PEM_write 3 ,
-.Xr SMIME_write_CMS 3
-.Sh HISTORY
-.Fn PEM_write_bio_CMS_stream
-first appeared in OpenSSL 1.0.0
-and has been available since
-.Ox 6.7 .
diff --git a/src/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 b/src/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
deleted file mode 100644
index 9050b8562f..0000000000
--- a/src/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
+++ /dev/null
@@ -1,90 +0,0 @@
-.\" $OpenBSD: PEM_write_bio_PKCS7_stream.3,v 1.12 2023/05/01 07:28:11 tb Exp $
-.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2007, 2009, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 1 2023 $
-.Dt PEM_WRITE_BIO_PKCS7_STREAM 3
-.Os
-.Sh NAME
-.Nm PEM_write_bio_PKCS7_stream
-.Nd output PKCS7 structure in PEM format
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft int
-.Fo PEM_write_bio_PKCS7_stream
-.Fa "BIO *out"
-.Fa "PKCS7 *p7"
-.Fa "BIO *data"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn PEM_write_bio_PKCS7_stream
-outputs a PKCS7 structure in PEM format.
-.Pp
-It is otherwise identical to the function
-.Xr SMIME_write_PKCS7 3 .
-.Pp
-This function is effectively a version of
-.Xr PEM_write_bio_PKCS7 3
-supporting streaming.
-.Sh RETURN VALUES
-Upon successful completion, 1 is returned;
-otherwise 0 is returned and an error code can be retrieved with
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr i2d_PKCS7_bio_stream 3 ,
-.Xr PEM_write_PKCS7 3 ,
-.Xr PKCS7_final 3 ,
-.Xr PKCS7_new 3 ,
-.Xr SMIME_write_PKCS7 3
-.Sh HISTORY
-.Fn PEM_write_bio_PKCS7_stream
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/PKCS12_SAFEBAG_new.3 b/src/lib/libcrypto/man/PKCS12_SAFEBAG_new.3
deleted file mode 100644
index e7d20ea7f6..0000000000
--- a/src/lib/libcrypto/man/PKCS12_SAFEBAG_new.3
+++ /dev/null
@@ -1,104 +0,0 @@
-.\"     $OpenBSD: PKCS12_SAFEBAG_new.3,v 1.4 2019/06/06 01:06:58 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 6 2019 $
-.Dt PKCS12_SAFEBAG_NEW 3
-.Os
-.Sh NAME
-.Nm PKCS12_SAFEBAG_new ,
-.Nm PKCS12_SAFEBAG_free ,
-.Nm PKCS12_BAGS_new ,
-.Nm PKCS12_BAGS_free
-.Nd PKCS#12 container for one piece of information
-.Sh SYNOPSIS
-.In openssl/pkcs12.h
-.Ft PKCS12_SAFEBAG *
-.Fn PKCS12_SAFEBAG_new void
-.Ft void
-.Fn PKCS12_SAFEBAG_free "PKCS12_SAFEBAG *safebag"
-.Ft PKCS12_BAGS *
-.Fn PKCS12_BAGS_new void
-.Ft void
-.Fn PKCS12_BAGS_free "PKCS12_BAGS *bag"
-.Sh DESCRIPTION
-.Fn PKCS12_SAFEBAG_new
-allocates and initializes an empty
-.Vt PKCS12_SAFEBAG
-object, representing an ASN.1
-.Vt SafeBag
-structure defined in RFC 7292 section 4.2.
-It can hold a pointer to a
-.Vt PKCS12_BAGS
-object together with a type identifier and optional attributes.
-.Fn PKCS12_SAFEBAG_free
-frees
-.Fa safebag .
-.Pp
-.Fn PKCS12_BAGS_new
-allocates and initializes an empty
-.Vt PKCS12_BAGS
-object, representing the bagValue field of an ASN.1
-.Vt SafeBag
-structure.
-It is used in
-.Vt PKCS12_SAFEBAG
-and can hold a DER-encoded X.509 certificate,
-a base64-encoded SDSI certificate,
-a DER-encoded X.509 CRL,
-or other user-defined information.
-.Pp
-If an instance of
-.Vt PKCS12_SAFEBAG
-contains
-.Vt PKCS8_PRIV_KEY_INFO ,
-.Vt X509_SIG ,
-or nested
-.Vt PKCS12_SAFEBAG
-objects, the respective pointers are stored directly in the
-.Vt PKCS12_SAFEBAG
-object rather than in the contained
-.Vt PKCS12_BAGS
-object as required by RFC 7292.
-.Sh RETURN VALUES
-.Fn PKCS12_SAFEBAG_new
-and
-.Fn PKCS12_BAGS_new
-return the new
-.Vt PKCS12_SAFEBAG
-or
-.Vt PKCS12_BAGS
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr PKCS12_create 3 ,
-.Xr PKCS12_new 3 ,
-.Xr PKCS8_PRIV_KEY_INFO_new 3 ,
-.Xr X509_ATTRIBUTE_new 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_SIG_new 3
-.Sh STANDARDS
-RFC 7292: PKCS #12: Personal Information Exchange Syntax,
-section 4.2: The SafeBag Type
-.Sh HISTORY
-.Fn PKCS12_SAFEBAG_new ,
-.Fn PKCS12_SAFEBAG_free ,
-.Fn PKCS12_BAGS_new ,
-and
-.Fn PKCS12_BAGS_free
-first appeared in OpenSSL 0.9.3 and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/PKCS12_create.3 b/src/lib/libcrypto/man/PKCS12_create.3
deleted file mode 100644
index 904166da73..0000000000
--- a/src/lib/libcrypto/man/PKCS12_create.3
+++ /dev/null
@@ -1,188 +0,0 @@
-.\" $OpenBSD: PKCS12_create.3,v 1.13 2024/08/22 12:26:01 tb Exp $
-.\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
-.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 22 2024 $
-.Dt PKCS12_CREATE 3
-.Os
-.Sh NAME
-.Nm PKCS12_create
-.Nd create a PKCS#12 structure
-.Sh SYNOPSIS
-.In openssl/pkcs12.h
-.Ft PKCS12 *
-.Fo PKCS12_create
-.Fa "const char *pass"
-.Fa "const char *name"
-.Fa "EVP_PKEY *pkey"
-.Fa "X509 *cert"
-.Fa "STACK_OF(X509) *ca"
-.Fa "int nid_key"
-.Fa "int nid_cert"
-.Fa "int iter"
-.Fa "int mac_iter"
-.Fa "int keytype"
-.Fc
-.Sh DESCRIPTION
-.Fn PKCS12_create
-creates a PKCS#12 structure.
-.Pp
-.Fa pass
-is the passphrase to use.
-.Fa name
-is the
-.Sy friendlyName
-to use for the supplied certificate and key.
-.Fa pkey
-is the private key to include in the structure and
-.Fa cert
-its corresponding certificates.
-.Fa ca
-is an optional set of certificates to also include in the structure.
-.Fa pkey ,
-.Fa cert ,
-or both can be
-.Dv NULL
-to indicate that no key or certificate is required.
-.Pp
-.Fa nid_key
-and
-.Fa nid_cert
-are the encryption algorithms that should be used for the key and
-certificate, respectively.
-If either
-.Fa nid_key
-or
-.Fa nid_cert
-is set to -1, no encryption will be used.
-.Pp
-.Fa iter
-is the encryption algorithm iteration count to use and
-.Fa mac_iter
-is the MAC iteration count to use.
-If
-.Fa mac_iter
-is set to -1, the MAC will be omitted entirely.
-.Pp
-.Fa keytype
-is the type of key.
-.Pp
-The parameters
-.Fa nid_key ,
-.Fa nid_cert ,
-.Fa iter ,
-.Fa mac_iter ,
-and
-.Fa keytype
-can all be set to zero and sensible defaults will be used.
-.Pp
-These defaults are: 40-bit RC2 encryption for certificates, triple DES
-encryption for private keys, a key iteration count of
-PKCS12_DEFAULT_ITER (currently 2048) and a MAC iteration count of 1.
-.Pp
-The default MAC iteration count is 1 in order to retain compatibility
-with old software which did not interpret MAC iteration counts.
-If such compatibility is not required then
-.Fa mac_iter
-should be set to PKCS12_DEFAULT_ITER.
-.Pp
-.Fa keytype
-adds a flag to the store private key.
-This is a non-standard extension that is only currently interpreted by
-MSIE.
-If set to zero, the flag is omitted; if set to
-.Dv KEY_SIG ,
-the key can be used for signing only; and if set to
-.Dv KEY_EX ,
-it can be used for signing and encryption.
-This option was useful for old export grade software which could use
-signing only keys of arbitrary size but had restrictions on the
-permissible sizes of keys which could be used for encryption.
-.Pp
-If a certificate contains an
-.Sy alias
-or
-.Sy keyid
-then this will be used for the corresponding
-.Sy friendlyName
-or
-.Sy localKeyID
-in the PKCS12 structure.
-.Sh RETURN VALUES
-.Fn PKCS12_create
-returns a valid
-.Vt PKCS12
-structure or
-.Dv NULL
-if an error occurred.
-.Sh SEE ALSO
-.Xr crypto 3 ,
-.Xr d2i_PKCS12 3 ,
-.Xr PKCS12_new 3 ,
-.Xr PKCS12_newpass 3 ,
-.Xr PKCS12_parse 3 ,
-.Xr PKCS12_SAFEBAG_new 3 ,
-.Xr X509_keyid_set1 3
-.Sh HISTORY
-.Fn PKCS12_create
-first appeared in OpenSSL 0.9.3 and has been available since
-.Ox 2.6 .
-.Pp
-Before OpenSSL 0.9.8, neither
-.Fa pkey
-nor
-.Fa cert
-were allowed to be
-.Dv NULL ,
-and a value of -1 was not allowed for
-.Fa nid_key ,
-.Fa nid_cert ,
-and
-.Fa mac_iter .
diff --git a/src/lib/libcrypto/man/PKCS12_new.3 b/src/lib/libcrypto/man/PKCS12_new.3
deleted file mode 100644
index c7ccdb4911..0000000000
--- a/src/lib/libcrypto/man/PKCS12_new.3
+++ /dev/null
@@ -1,99 +0,0 @@
-.\"     $OpenBSD: PKCS12_new.3,v 1.4 2019/06/06 01:06:58 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 6 2019 $
-.Dt PKCS12_NEW 3
-.Os
-.Sh NAME
-.Nm PKCS12_new ,
-.Nm PKCS12_free ,
-.Nm PKCS12_MAC_DATA_new ,
-.Nm PKCS12_MAC_DATA_free
-.Nd PKCS#12 personal information exchange (PFX)
-.Sh SYNOPSIS
-.In openssl/pkcs12.h
-.Ft PKCS12 *
-.Fn PKCS12_new void
-.Ft void
-.Fn PKCS12_free "PKCS12 *pfx"
-.Ft PKCS12_MAC_DATA *
-.Fn PKCS12_MAC_DATA_new void
-.Ft void
-.Fn PKCS12_MAC_DATA_free "PKCS12_MAC_DATA *mac_data"
-.Sh DESCRIPTION
-.Fn PKCS12_new
-allocates and initializes an empty
-.Vt PKCS12
-object, representing an ASN.1
-.Vt PFX
-.Pq personal information exchange
-structure defined in RFC 7292 section 4.
-It can hold a pointer to a
-.Vt PKCS7
-object described in
-.Xr PKCS7_new 3
-and optionally an instance of
-.Vt PKCS12_MAC_DATA
-described below.
-.Fn PKCS12_free
-frees
-.Fa pfx .
-.Pp
-.Fn PKCS12_MAC_DATA_new
-allocates and initializes an empty
-.Vt PKCS12_MAC_DATA
-object, representing an ASN.1
-.Vt MacData
-structure defined in RFC 7292 section 4.
-It is used inside
-.Vt PKCS12
-and can hold a pointer to an
-.Vt X509_SIG
-object described in
-.Xr X509_SIG_new 3
-together with a salt value and an iteration count.
-.Fn PKCS12_MAC_DATA_free
-frees
-.Fa mac_data .
-.Sh RETURN VALUES
-.Fn PKCS12_new
-and
-.Fn PKCS12_MAC_DATA_new
-return the new
-.Vt PKCS12
-or
-.Vt PKCS12_MAC_DATA
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr d2i_PKCS12 3 ,
-.Xr PKCS12_create 3 ,
-.Xr PKCS12_newpass 3 ,
-.Xr PKCS12_parse 3 ,
-.Xr PKCS12_SAFEBAG_new 3 ,
-.Xr PKCS7_new 3 ,
-.Xr X509_SIG_new 3
-.Sh STANDARDS
-RFC 7292: PKCS #12: Personal Information Exchange Syntax
-.Sh HISTORY
-.Fn PKCS12_new ,
-.Fn PKCS12_free ,
-.Fn PKCS12_MAC_DATA_new ,
-and
-.Fn PKCS12_MAC_DATA_free
-first appeared in OpenSSL 0.9.3 and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/PKCS12_newpass.3 b/src/lib/libcrypto/man/PKCS12_newpass.3
deleted file mode 100644
index b5642c96ea..0000000000
--- a/src/lib/libcrypto/man/PKCS12_newpass.3
+++ /dev/null
@@ -1,155 +0,0 @@
-.\"     $OpenBSD: PKCS12_newpass.3,v 1.4 2019/06/14 13:59:32 schwarze Exp $
-.\"     OpenSSL c95a8b4e May 5 14:26:26 2016 +0100
-.\"
-.\" This file was written by Jeffrey Walton <noloader@gmail.com>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 14 2019 $
-.Dt PKCS12_NEWPASS 3
-.Os
-.Sh NAME
-.Nm PKCS12_newpass
-.Nd change the password of a PKCS#12 structure
-.Sh SYNOPSIS
-.In openssl/pkcs12.h
-.Ft int
-.Fo PKCS12_newpass
-.Fa "PKCS12 *p12"
-.Fa "const char *oldpass"
-.Fa "const char *newpass"
-.Fc
-.Sh DESCRIPTION
-.Fn PKCS12_newpass
-changes the password of a PKCS#12 structure.
-.Pp
-.Fa p12
-is a pointer to a PKCS#12 structure.
-.Fa oldpass
-is the existing password and
-.Fa newpass
-is the new password.
-.Pp
-If the PKCS#12 structure does not have a password, use the empty
-string
-.Qq \&
-for
-.Fa oldpass .
-Passing
-.Dv NULL
-for
-.Fa oldpass
-results in a
-.Fn PKCS12_newpass
-failure.
-.Pp
-If the wrong password is used for
-.Fa oldpass ,
-the function will fail with a MAC verification error.
-In rare cases, the PKCS#12 structure does not contain a MAC:
-in this case it will usually fail with a decryption padding error.
-.Sh RETURN VALUES
-Upon successful completion, 1 is returned;
-otherwise 0 is returned and an error code can be retrieved with
-.Xr ERR_get_error 3 .
-.Sh EXAMPLES
-This example loads a PKCS#12 file, changes its password,
-and writes out the result to a new file.
-.Bd -literal
-#include <stdio.h>
-#include <stdlib.h>
-#include <openssl/pem.h>
-#include <openssl/err.h>
-#include <openssl/pkcs12.h>
-
-int main(int argc, char **argv)
-{
-        FILE *fp;
-        PKCS12 *p12;
-        if (argc != 5) {
-                fprintf(stderr,
-                    "Usage: pkread p12file password newpass opfile\en");
-                return 1;
-        }
-        if ((fp = fopen(argv[1], "rb")) == NULL) {
-                fprintf(stderr, "Error opening file %s\en", argv[1]);
-                return 1;
-        }
-        p12 = d2i_PKCS12_fp(fp, NULL);
-        fclose(fp);
-        if (p12 == NULL) {
-                fprintf(stderr, "Error reading PKCS#12 file\en");
-                ERR_print_errors_fp(stderr);
-                return 1;
-        }
-        if (PKCS12_newpass(p12, argv[2], argv[3]) == 0) {
-                fprintf(stderr, "Error changing password\en");
-                ERR_print_errors_fp(stderr);
-                PKCS12_free(p12);
-                return 1;
-        }
-        if ((fp = fopen(argv[4], "wb")) == NULL) {
-                fprintf(stderr, "Error opening file %s\en", argv[4]);
-                PKCS12_free(p12);
-                return 1;
-        }
-        i2d_PKCS12_fp(fp, p12);
-        PKCS12_free(p12);
-        fclose(fp);
-        return 0;
-}
-.Ed
-.Sh SEE ALSO
-.Xr PKCS12_create 3 ,
-.Xr PKCS12_new 3
-.Sh HISTORY
-.Fn PKCS12_newpass
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Sh BUGS
-The password format is a NUL terminated ASCII string which is
-converted to Unicode form internally.
-As a result, some passwords cannot be supplied to this function.
diff --git a/src/lib/libcrypto/man/PKCS12_parse.3 b/src/lib/libcrypto/man/PKCS12_parse.3
deleted file mode 100644
index 4e92d303c7..0000000000
--- a/src/lib/libcrypto/man/PKCS12_parse.3
+++ /dev/null
@@ -1,145 +0,0 @@
-.\"     $OpenBSD: PKCS12_parse.3,v 1.7 2021/07/09 12:07:27 schwarze Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2009 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 9 2021 $
-.Dt PKCS12_PARSE 3
-.Os
-.Sh NAME
-.Nm PKCS12_parse
-.Nd parse a PKCS#12 structure
-.Sh SYNOPSIS
-.In openssl/pkcs12.h
-.Ft int
-.Fo PKCS12_parse
-.Fa "PKCS12 *p12"
-.Fa "const char *pass"
-.Fa "EVP_PKEY **pkey"
-.Fa "X509 **cert"
-.Fa "STACK_OF(X509) **ca"
-.Fc
-.Sh DESCRIPTION
-.Fn PKCS12_parse
-parses a PKCS12 structure.
-.Pp
-.Fa p12
-is the
-.Vt PKCS12
-structure to parse.
-.Fa pass
-is the passphrase to use.
-If successful, the private key will be written to
-.Pf * Fa pkey ,
-the corresponding certificate to
-.Pf * Fa cert ,
-and any additional certificates to
-.Pf * Fa ca .
-.Pp
-The parameters
-.Fa pkey
-and
-.Fa cert
-cannot be
-.Dv NULL .
-.Fa ca
-can be
-.Dv NULL ,
-in which case additional certificates will be discarded.
-.Pf * Fa ca
-can also be a valid STACK, in which case additional certificates are
-appended to
-.Pf * Fa ca .
-If
-.Pf * Fa ca
-is
-.Dv NULL ,
-a new STACK will be allocated.
-.Pp
-The
-.Sy friendlyName
-and
-.Sy localKeyID
-attributes (if present) of each certificate will be stored in the
-.Fa alias
-and
-.Fa keyid
-attributes of the
-.Vt X509
-structure.
-.Sh RETURN VALUES
-.Fn PKCS12_parse
-returns 1 for success and 0 if an error occurred.
-.Pp
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr d2i_PKCS12 3 ,
-.Xr PKCS12_create 3 ,
-.Xr PKCS12_new 3 ,
-.Xr X509_keyid_set1 3
-.Sh HISTORY
-.Fn PKCS12_parse
-first appeared in OpenSSL 0.9.3 and has been available since
-.Ox 2.6 .
-.Sh BUGS
-Only a single private key and corresponding certificate is returned by
-this function.
-More complex PKCS#12 files with multiple private keys will only return
-the first match.
-.Pp
-Only
-.Sy friendlyName
-and
-.Sy localKeyID
-attributes are currently stored in certificates.
-Other attributes are discarded.
-.Pp
-Attributes currently cannot be stored in the private key
-.Vt EVP_PKEY
-structure.
diff --git a/src/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3 b/src/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3
deleted file mode 100644
index 3a448b92a7..0000000000
--- a/src/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3
+++ /dev/null
@@ -1,163 +0,0 @@
-.\"     $OpenBSD: PKCS5_PBKDF2_HMAC.3,v 1.9 2019/06/07 20:46:25 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Jeffrey Walton <noloader@gmail.com>.
-.\" Copyright (c) 2014, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 7 2019 $
-.Dt PKCS5_PBKDF2_HMAC 3
-.Os
-.Sh NAME
-.Nm PKCS5_PBKDF2_HMAC ,
-.Nm PKCS5_PBKDF2_HMAC_SHA1
-.Nd password based derivation routines with salt and iteration count
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo PKCS5_PBKDF2_HMAC
-.Fa "const char *pass"
-.Fa "int passlen"
-.Fa "const unsigned char *salt"
-.Fa "int saltlen"
-.Fa "int iter"
-.Fa "const EVP_MD *digest"
-.Fa "int keylen"
-.Fa "unsigned char *out"
-.Fc
-.Ft int
-.Fo PKCS5_PBKDF2_HMAC_SHA1
-.Fa "const char *pass"
-.Fa "int passlen"
-.Fa "const unsigned char *salt"
-.Fa "int saltlen"
-.Fa "int iter"
-.Fa "int keylen"
-.Fa "unsigned char *out"
-.Fc
-.Sh DESCRIPTION
-.Fn PKCS5_PBKDF2_HMAC
-derives a key from a password using a salt and iteration count as
-specified in RFC 2898.
-.Pp
-.Fa pass
-is the password used in the derivation of length
-.Fa passlen .
-.Fa pass
-is an optional parameter and can be
-.Dv NULL .
-If
-.Fa passlen
-is -1, then the function will calculate the length of
-.Fa pass
-using
-.Xr strlen 3 .
-.Pp
-.Fa salt
-is the salt used in the derivation of length
-.Fa saltlen .
-If the
-.Fa salt
-is
-.Dv NULL ,
-then
-.Fa saltlen
-must be 0.
-The function will not attempt to calculate the length of the
-.Fa salt
-because it is not assumed to be NUL terminated.
-.Pp
-.Fa iter
-is the iteration count and its value should be greater than or equal to 1.
-RFC 2898 suggests an iteration count of at least 1000.
-Any
-.Fa iter
-less than 1 is treated as a single iteration.
-.Pp
-.Fa digest
-is the message digest function used in the derivation.
-Values include any of the EVP_* message digests.
-.Fn PKCS5_PBKDF2_HMAC_SHA1
-calls
-.Fn PKCS5_PBKDF2_HMAC
-with
-.Xr EVP_sha1 3 .
-.Pp
-The derived key will be written to
-.Fa out .
-The size of the
-.Fa out
-buffer is specified via
-.Fa keylen .
-.Pp
-A typical application of this function is to derive keying material for
-an encryption algorithm from a password in the
-.Fa pass ,
-a salt in
-.Fa salt ,
-and an iteration count.
-.Pp
-Increasing the
-.Fa iter
-parameter slows down the algorithm which makes it harder for an attacker
-to perform a brute force attack using a large number of candidate
-passwords.
-.Sh RETURN VALUES
-.Fn PKCS5_PBKDF2_HMAC
-and
-.Fn PBKCS5_PBKDF2_HMAC_SHA1
-return 1 on success or 0 on error.
-.Sh SEE ALSO
-.Xr EVP_BytesToKey 3 ,
-.Xr EVP_DigestInit 3
-.Sh HISTORY
-.Fn PKCS5_PBKDF2_HMAC_SHA1
-first appeared in OpenSSL 0.9.4 and has been available since
-.Ox 2.6 .
-.Pp
-.Fn PKCS5_PBKDF2_HMAC
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/PKCS7_add_attribute.3 b/src/lib/libcrypto/man/PKCS7_add_attribute.3
deleted file mode 100644
index 4a1c350f98..0000000000
--- a/src/lib/libcrypto/man/PKCS7_add_attribute.3
+++ /dev/null
@@ -1,365 +0,0 @@
-.\" $OpenBSD: PKCS7_add_attribute.3,v 1.3 2020/06/10 11:39:12 schwarze Exp $
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 10 2020 $
-.Dt PKCS7_ADD_ATTRIBUTE 3
-.Os
-.Sh NAME
-.Nm PKCS7_add_attribute ,
-.Nm PKCS7_set_attributes ,
-.Nm PKCS7_get_attribute ,
-.Nm PKCS7_add_signed_attribute ,
-.Nm PKCS7_set_signed_attributes ,
-.Nm PKCS7_get_signed_attribute ,
-.Nm PKCS7_add_attrib_content_type ,
-.Nm PKCS7_add1_attrib_digest ,
-.Nm PKCS7_add0_attrib_signing_time ,
-.Nm PKCS7_add_attrib_smimecap
-.Nd attributes of SignerInfo objects
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft int
-.Fo PKCS7_add_attribute
-.Fa "PKCS7_SIGNER_INFO *si"
-.Fa "int nid"
-.Fa "int attrtype"
-.Fa "void *value"
-.Fc
-.Ft int
-.Fo PKCS7_set_attributes
-.Fa "PKCS7_SIGNER_INFO *si"
-.Fa "STACK_OF(X509_ATTRIBUTE) *sk"
-.Fc
-.Ft ASN1_TYPE *
-.Fo PKCS7_get_attribute
-.Fa "PKCS7_SIGNER_INFO *si"
-.Fa "int nid"
-.Fc
-.Ft int
-.Fo PKCS7_add_signed_attribute
-.Fa "PKCS7_SIGNER_INFO *si"
-.Fa "int nid"
-.Fa "int attrtype"
-.Fa "void *value"
-.Fc
-.Ft int
-.Fo PKCS7_set_signed_attributes
-.Fa "PKCS7_SIGNER_INFO *si"
-.Fa "STACK_OF(X509_ATTRIBUTE) *sk"
-.Fc
-.Ft ASN1_TYPE *
-.Fo PKCS7_get_signed_attribute
-.Fa "PKCS7_SIGNER_INFO *si"
-.Fa "int nid"
-.Fc
-.Ft int
-.Fo PKCS7_add_attrib_content_type
-.Fa "PKCS7_SIGNER_INFO *si"
-.Fa "ASN1_OBJECT *coid"
-.Fc
-.Ft int
-.Fo PKCS7_add1_attrib_digest
-.Fa "PKCS7_SIGNER_INFO *si"
-.Fa "const unsigned char *md"
-.Fa "int mdlen"
-.Fc
-.Ft int
-.Fo PKCS7_add0_attrib_signing_time
-.Fa "PKCS7_SIGNER_INFO *si"
-.Fa "ASN1_TIME *t"
-.Fc
-.Ft int
-.Fo PKCS7_add_attrib_smimecap
-.Fa "PKCS7_SIGNER_INFO *si"
-.Fa "STACK_OF(X509_ALGOR) *cap"
-.Fc
-.Sh DESCRIPTION
-.Fn PKCS7_add_attribute
-appends a new attribute of type
-.Fa nid
-to the
-.Fa unauthenticatedAttributes
-list of
-.Fa si ,
-and it adds a new ASN.1 ANY object of type
-.Fa attrtype
-with the given
-.Fa value
-to the new attribute.
-Ownership of the
-.Fa value
-is transferred into the new attribute object, so the calling code
-must not
-.Xr free 3
-the
-.Fa value .
-If the list already contains an unauthenticated attribute of type
-.Fa nid
-before the call, the new attribute replaces the old one
-instead of being appended to the end of the list.
-.Pp
-.Fn PKCS7_set_attributes
-frees the
-.Fa unauthenticatedAttributes
-list of
-.Fa si
-and all the attributes contained in it and replaces it with a deep copy of
-.Fa sk .
-.Pp
-.Fn PKCS7_get_attribute
-retrieves the first ASN.1 ANY member of the attribute of type
-.Fa nid
-from the
-.Fa unauthenticatedAttributes
-list of
-.Fa si .
-.Pp
-The behaviour of
-.Fn PKCS7_add_signed_attribute ,
-.Fn PKCS7_set_signed_attributes ,
-and
-.Fn PKCS7_get_signed_attribute
-is identical except that they operate on the list of
-.Fa authenticatedAttributes .
-.Pp
-The normal way to use
-.Fn PKCS7_add_signed_attribute
-is to first create a
-.Vt SignedInfo
-object with
-.Xr PKCS7_sign 3
-using the
-.Dv PKCS7_PARTIAL
-or
-.Dv PKCS7_STREAM
-flag, retrieve the
-.Vt PKCS7_SIGNER_INFO
-object with
-.Xr PKCS7_get_signer_info 3
-or add an additional one with
-.Xr PKCS7_sign_add_signer 3 ,
-call
-.Fn PKCS7_add_signed_attribute
-for each desired additional attribute, then do the signing with
-.Xr PKCS7_final 3
-or with another finalizing function.
-.Pp
-The four remaining functions are wrappers around
-.Fn PKCS7_add_signed_attribute .
-.Pp
-.Fn PKCS7_add_attrib_content_type
-sets the
-.Dv NID_pkcs9_contentType
-attribute to
-.Fa coid ,
-which specifies the content type of the
-.Vt ContentInfo
-value to be signed.
-This attribute is mandatory and automatically added by
-.Xr PKCS7_sign 3
-and
-.Xr PKCS7_sign_add_signer 3
-unless the
-.Dv PKCS7_NOATTR
-flag is present.
-Objects suitable as
-.Fa coid
-arguments can for example be obtained with
-.Xr OBJ_nid2obj 3 .
-If
-.Fa coid
-is
-.Dv NULL ,
-the content type defaults to
-.Dv NID_pkcs7_data .
-.Pp
-.Fn PKCS7_add1_attrib_digest
-sets or replaces the
-.Dv NID_pkcs9_messageDigest
-attribute, which is the message digest of the contents octets
-of the DER-encoding of the content field of the
-.Vt ContentInfo
-value being signed, to a copy of
-.Fa md ,
-which is assumed to be
-.Fa mdlen
-bytes long.
-If
-.Fa mdlen
-is -1, then
-.Fn strlen md
-is used instead of
-.Fa mdlen .
-This attribute is mandatory and automatically added by
-.Xr PKCS7_dataFinal 3
-and
-.Xr PKCS7_final 3 .
-.Pp
-.Fn PKCS7_add0_attrib_signing_time
-sets or replaces the optional
-.Dv NID_pkcs9_signingTime
-attribute to
-.Fa t ,
-specifying the time at which the signer performed the signing process.
-Ownership of
-.Fa t
-is transferred into the new attribute object, so the calling code
-must not
-.Xr free 3
-.Fa t .
-If
-.Fa t
-is
-.Dv NULL ,
-a new
-.Vt ASN1_TIME
-structure is allocated.
-This attribute is automatically added by
-.Xr PKCS7_dataFinal 3
-and
-.Xr PKCS7_final 3 .
-.Pp
-.Fn PKCS7_add_attrib_smimecap
-sets or replaces the optional
-.Dv NID_SMIMECapabilities
-attribute, indicating algorithms the sender is prepared to handle.
-The
-.Fa cap
-pointer is not stored in the new attribute object and can be passed to
-.Fn sk_X509_ALGOR_pop_free
-after the call.
-This attribute is automatically added by
-.Xr PKCS7_sign 3
-and
-.Xr PKCS7_sign_add_signer 3
-unless the
-.Dv PKCS7_NOATTR
-or
-.Dv PKCS7_NOSMIMECAP
-flag is present.
-.Sh RETURN VALUES
-.Fn PKCS7_add_attribute ,
-.Fn PKCS7_set_attributes ,
-.Fn PKCS7_add_signed_attribute ,
-.Fn PKCS7_set_signed_attributes ,
-.Fn PKCS7_add_attrib_content_type ,
-.Fn PKCS7_add1_attrib_digest ,
-.Fn PKCS7_add0_attrib_signing_time ,
-and
-.Fn PKCS7_add_attrib_smimecap
-return 1 on success or 0 on failure.
-The most common reason for failure is lack of memory.
-.Fn PKCS7_add_attribute
-and
-.Fn PKCS7_add_signed_attribute
-also fail if
-.Fa nid
-is invalid, and
-.Fn PKCS7_add_attrib_content_type
-if
-.Fa si
-already contains an authenticated attribute of type
-.Dv NID_pkcs9_contentType .
-.Pp
-.Fn PKCS7_get_attribute
-and
-.Fn PKCS7_get_signed_attribute
-return an internal pointer to an ASN.1 ANY object or
-.Dv NULL
-on failure.
-They fail if
-.Fa nid
-is invalid, if the respective list in
-.Fa si
-contains no attribute of the requested type, or if an invalid element
-is found in the list before finding the attribute of the requested type.
-.Sh SEE ALSO
-.Xr ASN1_TIME_new 3 ,
-.Xr ASN1_TYPE_new 3 ,
-.Xr OBJ_nid2obj 3 ,
-.Xr PKCS7_final 3 ,
-.Xr PKCS7_get_signer_info 3 ,
-.Xr PKCS7_new 3 ,
-.Xr PKCS7_sign 3 ,
-.Xr PKCS7_sign_add_signer 3 ,
-.Xr STACK_OF 3 ,
-.Xr X509_ALGOR_new 3 ,
-.Xr X509_ATTRIBUTE_new 3
-.Sh STANDARDS
-RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5,
-section 9.2: SignerInfo type
-.Pp
-RFC 2985: PKCS #9: Selected Object Classes and Attribute Types Version 2.0,
-section 5.3: Attribute types for use in PKCS #7 data
-and section 5.6: Attributes defined in S/MIME
-.Pp
-RFC 8551: Secure/Multipurpose Internet Mail Extensions (S/MIME)
-Version 4.0 Message Specification,
-section 2.5.2: SMIMECapabilities Attribute
-.Sh HISTORY
-.Fn PKCS7_add_attribute ,
-.Fn PKCS7_set_attributes ,
-.Fn PKCS7_get_attribute ,
-.Fn PKCS7_add_signed_attribute ,
-.Fn PKCS7_set_signed_attributes ,
-and
-.Fn PKCS7_get_signed_attribute
-first appeared in OpenSSL 0.9.1 and have been available since
-.Ox 2.6 .
-.Pp
-.Fn PKCS7_add_attrib_smimecap
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Pp
-.Fn PKCS7_add_attrib_content_type ,
-.Fn PKCS7_add1_attrib_digest ,
-and
-.Fn PKCS7_add0_attrib_signing_time
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
-.Sh CAVEATS
-.Fn PKCS7_set_signed_attributes
-does not validate that
-.Fa sk
-contains the PKCS #9 content type and message digest attributes
-required by RFC 2315.
-It succeeds even when
-.Fa sk
-is empty, leaving
-.Fa si
-in a state that violates the standard.
-.Pp
-.Fn PKCS7_add0_attrib_signing_time
-does not validate
-.Fa t
-in any way.
-In particular, it may set the signing time to the future
-or to the remote past.
-.Sh BUGS
-A function to remove individual attributes from these lists
-does not appear to exist.
-A program desiring to do that might have to manually iterate the fields
-.Fa auth_attr
-and
-.Fa unauth_attr
-of
-.Fa si ,
-which are both of type
-.Vt STACK_OF(X509_ATTRIBUTE) ,
-using the facilities described in
-.Xr STACK_OF 3
-and
-.Xr OPENSSL_sk_new 3 .
diff --git a/src/lib/libcrypto/man/PKCS7_dataFinal.3 b/src/lib/libcrypto/man/PKCS7_dataFinal.3
deleted file mode 100644
index 1a01b2ff61..0000000000
--- a/src/lib/libcrypto/man/PKCS7_dataFinal.3
+++ /dev/null
@@ -1,158 +0,0 @@
-.\" $OpenBSD: PKCS7_dataFinal.3,v 1.3 2022/12/26 07:18:52 jmc Exp $
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 26 2022 $
-.Dt PKCS7_DATAFINAL 3
-.Os
-.Sh NAME
-.Nm PKCS7_dataFinal
-.Nd move data from a BIO chain to a ContentInfo object
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft int
-.Fo PKCS7_dataFinal
-.Fa "PKCS7 *p7"
-.Fa "BIO *chain"
-.Fc
-.Sh DESCRIPTION
-.Fn PKCS7_dataFinal
-transfers the data from the memory BIO at the end of the given
-.Fa chain
-into the appropriate content field of
-.Fa p7
-itself or of its appropriate substructure.
-It is typically used as the final step of populating
-.Fa p7 ,
-after creating the
-.Fa chain
-with
-.Xr PKCS7_dataInit 3
-and after writing the data into it.
-.Pp
-After calling
-.Fn PKCS7_dataFinal ,
-the program can call
-.Xr BIO_free_all 3
-on the
-.Fa chain
-because such chains are not designed for reuse.
-.Pp
-Depending on the
-.Fa contentType
-of
-.Fa p7 ,
-.Fn PKCS7_dataFinal
-sets the following fields:
-.Bl -tag -width Ds
-.It for Vt SignedData No or Vt DigestedData :
-in substructures of the
-.Fa content
-field of
-.Fa p7 :
-the
-.Fa content
-field in the
-.Vt ContentInfo
-structure (unless
-.Fa p7
-is configured to store a detached signature) and the
-.Fa encryptedDigest
-fields in all the
-.Vt SignerInfo
-structures
-.It for Vt EnvelopedData No or Vt SignedAndEnvelopedData :
-the
-.Fa encryptedContent
-field in the
-.Vt EncryptedContentInfo
-structure contained in the
-.Fa content
-field of
-.Fa p7
-.It for arbitrary data :
-the
-.Fa content
-field of
-.Fa p7
-itself
-.El
-.Sh RETURN VALUES
-.Fn PKCS7_dataFinal
-returns 1 on success or 0 on failure.
-.Pp
-Possible reasons for failure include:
-.Pp
-.Bl -dash -compact -offset 2n -width 1n
-.It
-.Fa p7
-is
-.Dv NULL .
-.It
-The
-.Fa content
-field of
-.Fa p7
-is empty.
-.It
-The
-.Fa contentType
-of
-.Fa p7
-is unsupported.
-.It
-The
-.Fa chain
-does not contain the expected memory BIO.
-.It
-Signing or digesting is requested and
-.Fa p7
-is not configured to store a detached signature,
-but does not contain the required field to store the content either.
-.It
-At least one signer lacks a usable digest algorithm.
-.It
-Signing or digesting fails.
-.It
-Memory allocation fails.
-.El
-.Pp
-Signers lacking private keys do not cause failure
-but are silently skipped.
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr PKCS7_dataInit 3 ,
-.Xr PKCS7_final 3 ,
-.Xr PKCS7_new 3 ,
-.Xr PKCS7_sign 3
-.Sh HISTORY
-.Fn PKCS7_dataFinal
-first appeared in SSLeay 0.9.1 and has been available since
-.Ox 2.6 .
-.Sh CAVEATS
-This function does not support
-.Vt EncryptedData .
-.Pp
-Even though this function is typically used after
-.Xr PKCS7_dataInit 3
-and even though
-.Xr PKCS7_dataInit 3
-also supports reading from
-.Vt ContentInfo
-structures that are already fully populated, do not use
-.Fn PKCS7_dataFinal
-on fully populated structures.
-It is only intended for putting data into new structures
-and it is neither needed nor suitable for reading.
diff --git a/src/lib/libcrypto/man/PKCS7_dataInit.3 b/src/lib/libcrypto/man/PKCS7_dataInit.3
deleted file mode 100644
index cb54d3f95c..0000000000
--- a/src/lib/libcrypto/man/PKCS7_dataInit.3
+++ /dev/null
@@ -1,226 +0,0 @@
-.\" $OpenBSD: PKCS7_dataInit.3,v 1.2 2020/06/03 13:41:27 schwarze Exp $
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 3 2020 $
-.Dt PKCS7_DATAINIT 3
-.Os
-.Sh NAME
-.Nm PKCS7_dataInit
-.Nd construct a BIO chain for adding or retrieving content
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft BIO *
-.Fo PKCS7_dataInit
-.Fa "PKCS7 *p7"
-.Fa "BIO *indata"
-.Fc
-.Sh DESCRIPTION
-.Fn PKCS7_dataInit
-constructs a BIO chain in preparation for putting data into
-or retrieving data out of
-.Fa p7 .
-Depending on the
-.Fa contentType
-of
-.Fa p7 ,
-the created chain starts with:
-.Bl -tag -width Ds
-.It for Vt SignedData :
-one or more
-.Xr BIO_f_md 3
-message digest filters
-.It for Vt EnvelopedData :
-one
-.Xr BIO_f_cipher 3
-encryption filter
-.It for Vt SignedAndEnvelopedData :
-one or more
-.Xr BIO_f_md 3
-message digest filters followed by one
-.Xr BIO_f_cipher 3
-encryption filter
-.It for Vt DigestedData :
-one
-.Xr BIO_f_md 3
-message digest filter
-.It for arbitrary data :
-no filter BIO
-.El
-.Pp
-One additional BIO is appended to the end of the chain,
-depending on the first condition that holds in the following list:
-.Bl -tag -width Ds
-.It Fa indata
-if the
-.Fa indata
-argument is not
-.Dv NULL .
-This only makes sense while verifying a detached signature, in which case
-.Fa indata
-is expected to supply the content associated with the detached signature.
-.It Xr BIO_s_null 3
-if the
-.Fa contentType
-of
-.Fa p7
-is
-.Vt SignedData
-and it is configured to contain a detached signature.
-This only makes sense while creating the detached signature.
-.It Xr BIO_new_mem_buf 3
-when reading from a
-.Vt SignedData
-or
-.Vt DigestedData
-object.
-.Fn PKCS7_dataInit
-attaches the end of the chain to the nested content of
-.Fa p7 .
-.It Xr BIO_s_mem 3
-otherwise.
-This is the most common case while writing data to
-.Fa p7 .
-.Xr PKCS7_dataFinal 3
-can later be used to transfer the data from the memory BIO into
-.Fa p7 .
-.El
-.Ss Adding content
-Before calling
-.Fn PKCS7_dataInit
-in order to add content,
-.Xr PKCS7_new 3 ,
-.Xr PKCS7_set_type 3 ,
-and
-.Xr PKCS7_content_new 3
-are typically required to create
-.Fa p7 ,
-to choose its desired type, and to allocate the nested
-.Vt ContentInfo
-structure.
-Alternatively, for
-.Vt SignedData ,
-.Xr PKCS7_sign 3
-can be used with the
-.Dv PKCS7_PARTIAL
-or
-.Dv PKCS7_STREAM
-.Fa flags
-or for
-.Vt EnvelopedData ,
-.Xr PKCS7_encrypt 3
-with the
-.Dv PKCS7_STREAM
-flag.
-.Pp
-After calling
-.Fn PKCS7_dataInit ,
-the desired data can be written into the returned
-.Vt BIO ,
-.Xr BIO_flush 3
-can be called on it,
-.Xr PKCS7_dataFinal 3
-can be used to transfer the processed data
-from the returned memory BIO to the
-.Fa p7
-structure, and the chain can finally be destroyed with
-.Xr BIO_free_all 3 .
-.Pp
-While
-.Fn PKCS7_dataInit
-does support the
-.Vt EnvelopedData
-and
-.Vt SignedAndEnvelopedData
-types, using it for these types is awkward and error prone
-except when using
-.Xr PKCS7_encrypt 3
-for the setup because
-.Xr PKCS7_content_new 3
-does not support these two types.
-So in addition to creating
-.Fa p7
-itself and setting its type, the nested
-.Fa ContentInfo
-structure also needs to be constructed with
-.Xr PKCS7_new 3
-and
-.Xr PKCS7_set_type 3
-and manually inserted into the correct field
-of the respective sub-structure of
-.Fa p7 .
-.Ss Retrieving content
-.Fn PKCS7_dataInit
-can also be called on a fully populated object of type
-.Vt SignedData
-or
-.Vt DigestedData .
-After that,
-.Xr BIO_read 3
-can be used to retrieve data from it.
-In this use case, do not call
-.Xr PKCS7_dataFinal 3 ;
-simply proceed directly to
-.Xr BIO_free_all 3
-after reading the data.
-.Sh RETURN VALUES
-.Fn PKCS7_dataInit
-returns a BIO chain on success or
-.Dv NULL
-on failure.
-It fails if
-.Fa p7
-is
-.Dv NULL ,
-if the
-.Fa content
-field of
-.Fa p7
-is empty, if the
-.Fa contentType
-of
-.Fa p7
-is unsupported, if a cipher is required but none is configured, or
-if any required operation fails, for example due to lack of memory
-or for various other reasons.
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr BIO_read 3 ,
-.Xr PKCS7_content_new 3 ,
-.Xr PKCS7_dataFinal 3 ,
-.Xr PKCS7_encrypt 3 ,
-.Xr PKCS7_final 3 ,
-.Xr PKCS7_new 3 ,
-.Xr PKCS7_set_type 3 ,
-.Xr PKCS7_sign 3
-.Sh HISTORY
-.Fn PKCS7_dataInit
-first appeared in SSLeay 0.8.1 and has been available since
-.Ox 2.4 .
-.Sh CAVEATS
-This function does not support
-.Vt EncryptedData .
-.Sh BUGS
-If
-.Fa p7
-is a fully populated structure containing
-.Vt EnvelopedData ,
-.Vt SignedAndEnvelopedData ,
-or arbitrary data,
-.Fn PKCS7_dataInit
-returns a BIO chain that ultimately reads from an empty memory BIO,
-so reading from it will instantly return an end-of-file indication
-rather than reading the actual data contained in
-.Fa p7 .
diff --git a/src/lib/libcrypto/man/PKCS7_decrypt.3 b/src/lib/libcrypto/man/PKCS7_decrypt.3
deleted file mode 100644
index 8d00499b57..0000000000
--- a/src/lib/libcrypto/man/PKCS7_decrypt.3
+++ /dev/null
@@ -1,118 +0,0 @@
-.\"     $OpenBSD: PKCS7_decrypt.3,v 1.10 2019/06/10 14:58:48 schwarze Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2006 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 10 2019 $
-.Dt PKCS7_DECRYPT 3
-.Os
-.Sh NAME
-.Nm PKCS7_decrypt
-.Nd decrypt content from a PKCS#7 envelopedData structure
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft int
-.Fo PKCS7_decrypt
-.Fa "PKCS7 *p7"
-.Fa "EVP_PKEY *pkey"
-.Fa "X509 *cert"
-.Fa "BIO *data"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn PKCS7_decrypt
-extracts and decrypts the content from a PKCS#7 envelopedData structure.
-.Fa pkey
-is the private key of the recipient,
-.Fa cert
-is the recipient's certificate,
-.Fa data
-is a
-.Vt BIO
-to write the content to and
-.Fa flags
-is an optional set of flags.
-.Pp
-Although the recipient's certificate is not needed to decrypt the data,
-it is needed to locate the appropriate recipients
-in the PKCS#7 structure.
-.Pp
-If the
-.Dv PKCS7_TEXT
-.Fa flag
-is set, MIME headers for type
-.Sy text/plain
-are deleted from the content.
-If the content is not of type
-.Sy text/plain ,
-an error is returned.
-.Sh RETURN VALUES
-.Fn PKCS7_decrypt
-returns 1 for success or 0 for failure.
-.Pp
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr PKCS7_encrypt 3 ,
-.Xr PKCS7_new 3 ,
-.Xr PKCS7_verify 3
-.Sh HISTORY
-.Fn PKCS7_decrypt
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Sh BUGS
-.Fn PKCS7_decrypt
-must be passed the correct recipient key and certificate.
-It would be better if it could look up the correct key and certificate
-from a database.
-.Pp
-The lack of single pass processing and need to hold all data in memory
-as mentioned in
-.Xr PKCS7_sign 3
-also applies to
-.Fn PKCS7_decrypt .
diff --git a/src/lib/libcrypto/man/PKCS7_encrypt.3 b/src/lib/libcrypto/man/PKCS7_encrypt.3
deleted file mode 100644
index 700498a1de..0000000000
--- a/src/lib/libcrypto/man/PKCS7_encrypt.3
+++ /dev/null
@@ -1,169 +0,0 @@
-.\" $OpenBSD: PKCS7_encrypt.3,v 1.11 2020/06/03 13:41:27 schwarze Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2006, 2007, 2008, 2009 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 3 2020 $
-.Dt PKCS7_ENCRYPT 3
-.Os
-.Sh NAME
-.Nm PKCS7_encrypt
-.Nd create a PKCS#7 envelopedData structure
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft PKCS7 *
-.Fo PKCS7_encrypt
-.Fa "STACK_OF(X509) *certs"
-.Fa "BIO *in"
-.Fa "const EVP_CIPHER *cipher"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn PKCS7_encrypt
-creates and returns a PKCS#7 envelopedData structure.
-.Fa certs
-is a list of recipient certificates.
-.Fa in
-is the content to be encrypted.
-.Fa cipher
-is the symmetric cipher to use.
-.Fa flags
-is an optional set of flags.
-.Pp
-Only RSA keys are supported in PKCS#7 and envelopedData so the recipient
-certificates supplied to this function must all contain RSA public keys,
-though they do not have to be signed using the RSA algorithm.
-.Pp
-The algorithm passed in the
-.Fa cipher
-parameter must support ASN.1 encoding of its parameters.
-.Pp
-Many browsers implement a "sign and encrypt" option which is simply an
-S/MIME envelopedData containing an S/MIME signed message.
-This can be readily produced by storing the S/MIME signed message in a
-memory
-.Vt BIO
-and passing it to
-.Fn PKCS7_encrypt .
-.Pp
-The following flags can be passed in the
-.Fa flags
-parameter.
-.Pp
-If the
-.Dv PKCS7_TEXT
-flag is set, MIME headers for type
-.Sy text/plain
-are prepended to the data.
-.Pp
-Normally the supplied content is translated into MIME canonical format
-(as required by the S/MIME specifications).
-If
-.Dv PKCS7_BINARY
-is set, no translation occurs.
-This option should be used if the supplied data is in binary format;
-otherwise, the translation will corrupt it.
-If
-.Dv PKCS7_BINARY
-is set, then
-.Dv PKCS7_TEXT
-is ignored.
-.Pp
-If the
-.Dv PKCS7_STREAM
-flag is set, a partial
-.Vt PKCS7
-structure is output suitable for streaming I/O: no data is read from
-.Fa in .
-.Pp
-If the flag
-.Dv PKCS7_STREAM
-is set, the returned
-.Vt PKCS7
-structure is
-.Sy not
-complete and outputting its contents via a function that does not
-properly finalize the
-.Vt PKCS7
-structure will give unpredictable results.
-.Pp
-Several functions including
-.Xr PKCS7_final 3 ,
-.Xr SMIME_write_PKCS7 3 ,
-.Xr PEM_write_bio_PKCS7_stream 3 ,
-and
-.Xr i2d_PKCS7_bio_stream 3
-finalize the structure.
-Alternatively finalization can be performed by obtaining the streaming
-ASN.1
-.Vt BIO
-directly using
-.Fn BIO_new_PKCS7 .
-.Sh RETURN VALUES
-.Fn PKCS7_encrypt
-returns either a
-.Vt PKCS7
-structure or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr PKCS7_decrypt 3 ,
-.Xr PKCS7_final 3 ,
-.Xr PKCS7_new 3 ,
-.Xr PKCS7_sign 3
-.Sh HISTORY
-.Fn PKCS7_encrypt
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Pp
-The
-.Dv PKCS7_STREAM
-flag was first supported in OpenSSL 1.0.0.
diff --git a/src/lib/libcrypto/man/PKCS7_final.3 b/src/lib/libcrypto/man/PKCS7_final.3
deleted file mode 100644
index 775b84d984..0000000000
--- a/src/lib/libcrypto/man/PKCS7_final.3
+++ /dev/null
@@ -1,202 +0,0 @@
-.\" $OpenBSD: PKCS7_final.3,v 1.3 2022/12/26 07:18:52 jmc Exp $
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 26 2022 $
-.Dt PKCS7_FINAL 3
-.Os
-.Sh NAME
-.Nm PKCS7_final
-.Nd read data from a BIO into a ContentInfo object
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft int
-.Fo PKCS7_final
-.Fa "PKCS7 *p7"
-.Fa "BIO *data"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn PKCS7_final
-reads
-.Fa data
-and puts it into the appropriate content field of
-.Fa p7
-itself or of its appropriate substructure, which can be of type
-.Vt SignedData ,
-.Vt EnvelopedData ,
-.Vt SignedAndEnvelopedData ,
-.Vt DigestedData ,
-or arbitrary data.
-The
-.Xr PKCS7_dataFinal 3
-manual explains which field exactly the data is put into.
-.Pp
-The following
-.Fa flags
-are recognized:
-.Bl -tag -width PKCS7_BINARY
-.It Dv PKCS7_BINARY
-Copy the data verbatim without changing any bytes.
-By default, line endings are replaced with two-byte
-.Qq \er\en
-sequences (ASCII CR+LF).
-If this flag is set,
-.Dv PKCS7_TEXT
-is ignored.
-.It Dv PKCS7_TEXT
-Prepend
-.Qq Content-Type: text/plain
-followed by a blank line to the data.
-This flag is ignored if
-.Dv PKCS7_BINARY
-is also set.
-.El
-.Pp
-If any other bits are set in
-.Fa flags ,
-for example
-.Dv PKCS7_STREAM
-or
-.Dv PKCS7_PARTIAL ,
-they are ignored, allowing to pass the same
-.Fa flags
-argument that was already passed to
-.Xr PKCS7_sign 3
-or
-.Xr PKCS7_encrypt 3 .
-.Pp
-.Fn PKCS7_final
-is most commonly used to finalize a
-.Fa p7
-object returned from a call to
-.Xr PKCS7_sign 3
-that used
-.Fa flags
-including
-.Dv PKCS7_PARTIAL
-or
-.Dv PKCS7_STREAM .
-With these flags,
-.Xr PKCS7_sign 3
-ignores its
-.Fa data
-argument.
-The partial
-.Fa p7
-object returned can then be customized, for example setting up
-multiple signers or non-default digest algorithms with
-.Xr PKCS7_sign_add_signer 3 ,
-before calling
-.Fn PKCS7_final .
-.Pp
-Similarly,
-.Fn PKCS7_final
-can be used to finalize a
-.Fa p7
-object returned from a call to
-.Xr PKCS7_encrypt 3
-that used
-.Fa flags
-including
-.Dv PKCS7_STREAM .
-.Pp
-Since
-.Fn PKCS7_final
-starts by calling
-.Xr PKCS7_dataInit 3
-internally, using it to finalize a
-.Fa p7
-object containing
-.Vt SignedAndEnvelopedData ,
-.Vt DigestedData ,
-or arbitrary data requires the setup described in the
-.Xr PKCS7_dataInit 3
-manual.
-For
-.Vt SignedData
-and
-.Vt EnvelopedData ,
-such manual setup is also feasible, but it is more easily performed with
-.Xr PKCS7_sign 3
-or
-.Xr PKCS7_encrypt 3 ,
-respectively.
-.Pp
-.Fn PKCS7_final
-is only one among several functions that can be used to finalize
-.Fa p7 ;
-alternatives include
-.Xr SMIME_write_PKCS7 3 ,
-.Xr PEM_write_bio_PKCS7_stream 3 ,
-and
-.Xr i2d_PKCS7_bio_stream 3 .
-.Sh RETURN VALUES
-.Fn PKCS7_final
-returns 1 on success or 0 on failure.
-.Pp
-Possible reasons for failure include:
-.Pp
-.Bl -dash -compact -offset 2n -width 1n
-.It
-.Fa p7
-is
-.Dv NULL .
-.It
-The
-.Fa content
-field of
-.Fa p7
-is empty.
-.It
-The
-.Fa contentType
-of
-.Fa p7
-is unsupported.
-.It
-Signing or digesting is requested and
-.Fa p7
-is not configured to store a detached signature, but does not contain
-the required field to store the content either.
-.It
-At least one signer lacks a usable digest algorithm.
-.It
-A cipher is required but none is configured.
-.It
-Any required operation fails, for example signing or digesting.
-.It
-Memory allocation fails.
-.El
-.Pp
-Signers lacking private keys do not cause failure but are silently skipped.
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr i2d_PKCS7_bio_stream 3 ,
-.Xr PEM_write_bio_PKCS7_stream 3 ,
-.Xr PKCS7_add_attribute 3 ,
-.Xr PKCS7_dataFinal 3 ,
-.Xr PKCS7_dataInit 3 ,
-.Xr PKCS7_encrypt 3 ,
-.Xr PKCS7_new 3 ,
-.Xr PKCS7_sign 3 ,
-.Xr SMIME_write_PKCS7 3
-.Sh HISTORY
-.Fn PKCS7_final
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
-.Sh CAVEATS
-This function does not support
-.Vt EncryptedData .
diff --git a/src/lib/libcrypto/man/PKCS7_get_signer_info.3 b/src/lib/libcrypto/man/PKCS7_get_signer_info.3
deleted file mode 100644
index 280f373ead..0000000000
--- a/src/lib/libcrypto/man/PKCS7_get_signer_info.3
+++ /dev/null
@@ -1,62 +0,0 @@
-.\" $OpenBSD: PKCS7_get_signer_info.3,v 1.1 2020/06/10 11:43:08 schwarze Exp $
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 10 2020 $
-.Dt PKCS7_GET_SIGNER_INFO 3
-.Os
-.Sh NAME
-.Nm PKCS7_get_signer_info
-.Nd retrieve signerInfos from a SignedData object
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft STACK_OF(PKCS7_SIGNER_INFO) *
-.Fn PKCS7_get_signer_info "PKCS7 *p7"
-.Sh DESCRIPTION
-This function retrieves the set of
-.Vt SignerInfo
-structures from the
-.Fa signerInfos
-field of
-.Fa p7 .
-.Pp
-These can subsequently be manipulated with the functions documented in
-.Xr PKCS7_add_attribute 3 .
-.Sh RETURN VALUES
-.Fn PKCS7_get_signer_info
-returns an internal pointer to a
-.Vt STACK_OF(PKCS7_SIGNER_INFO)
-object or
-.Dv NULL
-on failure.
-It fails if
-.Fa p7
-is
-.Dv NULL ,
-if it has no content,
-or if it is of a type other than
-.Vt SignedData
-or
-.Vt SignedAndEnvelopedData .
-.Sh SEE ALSO
-.Xr PKCS7_add_attribute 3 ,
-.Xr PKCS7_final 3 ,
-.Xr PKCS7_new 3 ,
-.Xr PKCS7_sign 3 ,
-.Xr PKCS7_sign_add_signer 3
-.Sh HISTORY
-.Fn PKCS7_get_signer_info
-first appeared in SSLeay 0.8.1 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/PKCS7_new.3 b/src/lib/libcrypto/man/PKCS7_new.3
deleted file mode 100644
index 151261a312..0000000000
--- a/src/lib/libcrypto/man/PKCS7_new.3
+++ /dev/null
@@ -1,269 +0,0 @@
-.\" $OpenBSD: PKCS7_new.3,v 1.12 2020/06/10 11:43:08 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 10 2020 $
-.Dt PKCS7_NEW 3
-.Os
-.Sh NAME
-.Nm PKCS7_new ,
-.Nm PKCS7_free ,
-.Nm PKCS7_SIGNED_new ,
-.Nm PKCS7_SIGNED_free ,
-.Nm PKCS7_ENVELOPE_new ,
-.Nm PKCS7_ENVELOPE_free ,
-.Nm PKCS7_SIGN_ENVELOPE_new ,
-.Nm PKCS7_SIGN_ENVELOPE_free ,
-.Nm PKCS7_DIGEST_new ,
-.Nm PKCS7_DIGEST_free ,
-.Nm PKCS7_ENCRYPT_new ,
-.Nm PKCS7_ENCRYPT_free ,
-.Nm PKCS7_ENC_CONTENT_new ,
-.Nm PKCS7_ENC_CONTENT_free ,
-.Nm PKCS7_SIGNER_INFO_new ,
-.Nm PKCS7_SIGNER_INFO_free ,
-.Nm PKCS7_RECIP_INFO_new ,
-.Nm PKCS7_RECIP_INFO_free ,
-.Nm PKCS7_ISSUER_AND_SERIAL_new ,
-.Nm PKCS7_ISSUER_AND_SERIAL_free
-.Nd PKCS#7 data structures
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft PKCS7 *
-.Fn PKCS7_new void
-.Ft void
-.Fn PKCS7_free "PKCS7 *p7"
-.Ft PKCS7_SIGNED *
-.Fn PKCS7_SIGNED_new void
-.Ft void
-.Fn PKCS7_SIGNED_free "PKCS7_SIGNED *signed"
-.Ft PKCS7_ENVELOPE *
-.Fn PKCS7_ENVELOPE_new void
-.Ft void
-.Fn PKCS7_ENVELOPE_free "PKCS7_ENVELOPE *envelope"
-.Ft PKCS7_SIGN_ENVELOPE *
-.Fn PKCS7_SIGN_ENVELOPE_new void
-.Ft void
-.Fn PKCS7_SIGN_ENVELOPE_free "PKCS7_SIGN_ENVELOPE *signed_envelope"
-.Ft PKCS7_DIGEST *
-.Fn PKCS7_DIGEST_new void
-.Ft void
-.Fn PKCS7_DIGEST_free "PKCS7_DIGEST *digested"
-.Ft PKCS7_ENCRYPT *
-.Fn PKCS7_ENCRYPT_new void
-.Ft void
-.Fn PKCS7_ENCRYPT_free "PKCS7_ENCRYPT *encrypted"
-.Ft PKCS7_ENC_CONTENT *
-.Fn PKCS7_ENC_CONTENT_new void
-.Ft void
-.Fn PKCS7_ENC_CONTENT_free "PKCS7_ENC_CONTENT *content"
-.Ft PKCS7_SIGNER_INFO *
-.Fn PKCS7_SIGNER_INFO_new void
-.Ft void
-.Fn PKCS7_SIGNER_INFO_free "PKCS7_SIGNER_INFO *signer"
-.Ft PKCS7_RECIP_INFO *
-.Fn PKCS7_RECIP_INFO_new void
-.Ft void
-.Fn PKCS7_RECIP_INFO_free "PKCS7_RECIP_INFO *recip"
-.Ft PKCS7_ISSUER_AND_SERIAL *
-.Fn PKCS7_ISSUER_AND_SERIAL_new void
-.Ft void
-.Fn PKCS7_ISSUER_AND_SERIAL_free "PKCS7_ISSUER_AND_SERIAL *cert"
-.Sh DESCRIPTION
-PKCS#7 is an ASN.1-based format for transmitting data that has
-cryptography applied to it, in particular signed and encrypted data.
-.Pp
-.Fn PKCS7_new
-allocates and initializes an empty
-.Vt PKCS7
-object, representing an ASN.1
-.Vt ContentInfo
-structure defined in RFC 2315 section 7.
-It is the top-level data structure able to hold any kind of content
-that can be transmitted using PKCS#7.
-It can be used recursively in
-.Vt PKCS7_SIGNED
-and
-.Vt PKCS7_DIGEST
-objects.
-.Fn PKCS7_free
-frees
-.Fa p7 .
-.Pp
-.Fn PKCS7_SIGNED_new
-allocates and initializes an empty
-.Vt PKCS7_SIGNED
-object, representing an ASN.1
-.Vt SignedData
-structure defined in RFC 2315 section 9.
-It can be used inside
-.Vt PKCS7
-objects and holds any kind of content together with signatures by
-zero or more signers and information about the signing algorithm
-and certificates used.
-.Fn PKCS7_SIGNED_free
-frees
-.Fa signed .
-.Pp
-.Fn PKCS7_ENVELOPE_new
-allocates and initializes an empty
-.Vt PKCS7_ENVELOPE
-object, representing an ASN.1
-.Vt EnvelopedData
-structure defined in RFC 2315 section 10.
-It can be used inside
-.Vt PKCS7
-objects and holds any kind of encrypted content together with
-content-encryption keys for one or more recipients.
-.Fn PKCS7_ENVELOPE_free
-frees
-.Fa envelope .
-.Pp
-.Fn PKCS7_SIGN_ENVELOPE_new
-allocates and initializes an empty
-.Vt PKCS7_SIGN_ENVELOPE
-object, representing an ASN.1
-.Vt SignedAndEnvelopedData
-structure defined in RFC 2315 section 11.
-It can be used inside
-.Vt PKCS7
-objects and holds any kind of encrypted content together with
-signatures by one or more signers, information about the signing
-algorithm and certificates used, and content-encryption keys for
-one or more recipients.
-.Fn PKCS7_SIGN_ENVELOPE_free
-frees
-.Fa signed_envelope .
-.Pp
-.Fn PKCS7_DIGEST_new
-allocates and initializes an empty
-.Vt PKCS7_DIGEST
-object, representing an ASN.1
-.Vt DigestedData
-structure defined in RFC 2315 section 12.
-It can be used inside
-.Vt PKCS7
-objects and holds any kind of content together with a message digest
-for checking its integrity and information about the algorithm used.
-.Fn PKCS7_DIGEST_free
-frees
-.Fa digested .
-.Pp
-.Fn PKCS7_ENCRYPT_new
-allocates and initializes an empty
-.Vt PKCS7_ENCRYPT
-object, representing an ASN.1
-.Vt EncryptedData
-structure defined in RFC 2315 section 13.
-It can be used inside
-.Vt PKCS7
-objects and holds any kind of encrypted content.
-Keys are not included and need to be communicated separately.
-.Fn PKCS7_ENCRYPT_free
-frees
-.Fa encrypted .
-.Pp
-.Fn PKCS7_ENC_CONTENT_new
-allocates and initializes an empty
-.Vt PKCS7_ENC_CONTENT
-object, representing an ASN.1
-.Vt EncryptedContentInfo
-structure defined in RFC 2315 section 10.1.
-It can be used inside
-.Vt PKCS7_ENVELOPE ,
-.Vt PKCS7_SIGN_ENVELOPE ,
-and
-.Vt PKCS7_ENCRYPT
-objects and holds encrypted content together with information about
-the encryption algorithm used.
-.Fn PKCS7_ENC_CONTENT_free
-frees
-.Fa content .
-.Pp
-.Fn PKCS7_SIGNER_INFO_new
-allocates and initializes an empty
-.Vt PKCS7_SIGNER_INFO
-object, representing an ASN.1
-.Vt SignerInfo
-structure defined in RFC 2315 section 9.2.
-It can be used inside
-.Vt PKCS7_SIGNED
-and
-.Vt PKCS7_SIGN_ENVELOPE
-objects and holds a signature together with information about the
-signer and the algorithms used.
-.Fn PKCS7_SIGNER_INFO_free
-frees
-.Fa signer .
-.Pp
-.Fn PKCS7_RECIP_INFO_new
-allocates and initializes an empty
-.Vt PKCS7_RECIP_INFO
-object, representing an ASN.1
-.Vt RecipientInfo
-structure defined in RFC 2315 section 10.2.
-It can be used inside
-.Vt PKCS7_ENVELOPE
-and
-.Vt PKCS7_SIGN_ENVELOPE
-objects and holds a content-encryption key together with information
-about the intended recipient and the key encryption algorithm used.
-.Fn PKCS7_RECIP_INFO_free
-frees
-.Fa recip .
-.Pp
-.Fn PKCS7_ISSUER_AND_SERIAL_new
-allocates and initializes an empty
-.Vt PKCS7_ISSUER_AND_SERIAL
-object, representing an ASN.1
-.Vt IssuerAndSerialNumber
-structure defined in RFC 2315 section 6.7.
-It can be used inside
-.Vt PKCS7_SIGNER_INFO
-and
-.Vt PKCS7_RECIP_INFO
-objects and identifies a certificate by holding the distinguished
-name of the certificate issuer and an issuer-specific certificate
-serial number.
-.Fn PKCS7_ISSUER_AND_SERIAL_free
-frees
-.Fa cert .
-.Sh SEE ALSO
-.Xr crypto 3 ,
-.Xr d2i_PKCS7 3 ,
-.Xr i2d_PKCS7_bio_stream 3 ,
-.Xr PEM_read_PKCS7 3 ,
-.Xr PEM_write_bio_PKCS7_stream 3 ,
-.Xr PKCS7_add_attribute 3 ,
-.Xr PKCS7_dataFinal 3 ,
-.Xr PKCS7_dataInit 3 ,
-.Xr PKCS7_decrypt 3 ,
-.Xr PKCS7_encrypt 3 ,
-.Xr PKCS7_final 3 ,
-.Xr PKCS7_get_signer_info 3 ,
-.Xr PKCS7_ISSUER_AND_SERIAL_digest 3 ,
-.Xr PKCS7_set_content 3 ,
-.Xr PKCS7_set_type 3 ,
-.Xr PKCS7_sign 3 ,
-.Xr PKCS7_sign_add_signer 3 ,
-.Xr PKCS7_verify 3 ,
-.Xr SMIME_read_PKCS7 3 ,
-.Xr SMIME_write_PKCS7 3
-.Sh STANDARDS
-RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5
-.Sh HISTORY
-These functions first appeared in SSLeay 0.5.1
-and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/PKCS7_set_content.3 b/src/lib/libcrypto/man/PKCS7_set_content.3
deleted file mode 100644
index fa057341d5..0000000000
--- a/src/lib/libcrypto/man/PKCS7_set_content.3
+++ /dev/null
@@ -1,120 +0,0 @@
-.\" $OpenBSD: PKCS7_set_content.3,v 1.2 2020/05/24 12:37:30 schwarze Exp $
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: May 24 2020 $
-.Dt PKCS7_SET_CONTENT 3
-.Os
-.Sh NAME
-.Nm PKCS7_set_content ,
-.Nm PKCS7_content_new
-.Nd set the nested contentInfo in a PKCS#7 structure
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft int
-.Fo PKCS7_set_content
-.Fa "PKCS7 *outer"
-.Fa "PKCS7 *inner"
-.Fc
-.Ft int
-.Fo PKCS7_content_new
-.Fa "PKCS7 *outer"
-.Fa "int inner_type"
-.Fc
-.Sh DESCRIPTION
-If the
-.Fa contentType
-of the
-.Fa outer
-PKCS7 structure is
-.Vt SignedData
-or
-.Vt DigestedData ,
-.Fn PKCS7_set_content
-sets the
-.Fa contentInfo
-field of the
-.Fa content
-field of
-.Fa outer
-to
-.Fa inner ,
-without copying
-.Fa inner .
-If there was previous
-.Fa contentInfo ,
-it is freed rather than overwritten.
-The rest of the internal state of
-.Fa outer
-and of its
-.Fa content
-remains unchanged.
-.Pp
-.Fn PKCS7_content_new
-is similar except that it first allocates and initializes a new, empty
-.Fa inner
-object of the given
-.Fa inner_type
-using
-.Xr PKCS7_new 3
-and
-.Xr PKCS7_set_type 3 .
-The
-.Fa inner_type
-can be any of the NIDs listed in the
-.Xr PKCS7_set_type 3
-manual.
-.Sh RETURN VALUES
-These functions return 1 on success or 0 on failure.
-They fail if the
-.Fa contentType
-of
-.Fa outer
-is unsupported.
-.Fn PKCS7_content_new
-can also fail when memory is exhausted.
-In case of failure,
-.Fa outer
-remains unchanged.
-.Sh SEE ALSO
-.Xr PKCS7_dataInit 3 ,
-.Xr PKCS7_new 3 ,
-.Xr PKCS7_set_type 3 ,
-.Xr PKCS7_sign 3
-.Sh STANDARDS
-RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5
-.Bl -bullet -compact -offset 1n -width 1n
-.It
-Section 7. General syntax
-.It
-Section 9. Signed-data content type
-.It
-Section 12.\& Digested-data content type
-.El
-.Sh HISTORY
-These functions first appeared in SSLeay 0.8.1
-and have been available since
-.Ox 2.4 .
-.Sh CAVEATS
-Despite the function names, these functions do not set the
-.Fa content
-field of
-.Fa outer ,
-but only the
-.Fa contentInfo
-field inside it.
-The rest of the
-.Fa content
-remains unchanged.
diff --git a/src/lib/libcrypto/man/PKCS7_set_type.3 b/src/lib/libcrypto/man/PKCS7_set_type.3
deleted file mode 100644
index f414b128a2..0000000000
--- a/src/lib/libcrypto/man/PKCS7_set_type.3
+++ /dev/null
@@ -1,119 +0,0 @@
-.\" $OpenBSD: PKCS7_set_type.3,v 1.2 2020/05/20 11:40:26 schwarze Exp $
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: May 20 2020 $
-.Dt PKCS7_SET_TYPE 3
-.Os
-.Sh NAME
-.Nm PKCS7_set_type ,
-.Nm PKCS7_set0_type_other
-.Nd initialize type of PKCS#7 ContentInfo
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft int
-.Fo PKCS7_set_type
-.Fa "PKCS7 *p7"
-.Fa "int type"
-.Fc
-.Ft int
-.Fo PKCS7_set0_type_other
-.Fa "PKCS7 *p7"
-.Fa "int type"
-.Fa "ASN1_TYPE *content"
-.Fc
-.Sh DESCRIPTION
-These functions set the
-.Fa type
-of an unused
-.Vt ContentInfo
-structure
-.Fa p7 .
-.Pp
-The function
-.Fn PKCS7_set_type
-also allocates and initializes an empty child object in
-.Fa p7 .
-The
-.Fa type
-argument can be any of these NIDs,
-creating a child object of the indicated data type:
-.Pp
-.Bl -column NID_pkcs7_signedAndEnveloped PKCS7_SIGN_ENVELOPE n.a. -compact
-.It Fa type No argument             Ta data type of child     Ta version
-.It Dv NID_pkcs7_data               Ta Vt ASN1_OCTET_STRING   Ta n.a.
-.It Dv NID_pkcs7_digest             Ta Vt PKCS7_DIGEST        Ta 0
-.It Dv NID_pkcs7_encrypted          Ta Vt PKCS7_ENCRYPT       Ta 0
-.It Dv NID_pkcs7_enveloped          Ta Vt PKCS7_ENVELOPE      Ta 0
-.It Dv NID_pkcs7_signed             Ta Vt PKCS7_SIGNED        Ta 1
-.It Dv NID_pkcs7_signedAndEnveloped Ta Vt PKCS7_SIGN_ENVELOPE Ta 1
-.El
-.Pp
-If the provided
-.Fa type
-is invalid,
-.Fa p7
-remains unchanged and
-.Fn PKCS7_set_type
-fails.
-.Pp
-If memory allocation fails,
-.Fn PKCS7_set_type
-fails and
-.Fa p7
-may remain in an inconsistent state.
-.Pp
-The function
-.Fn PKCS7_set0_type_other
-accepts an arbitrary NID as the
-.Fa type
-and also sets the
-.Fa content ,
-neither checking it in any way nor copying it.
-.Pp
-For both functions, the rest of the internal state of
-.Fa p7
-remains unchanged.
-.Sh RETURN VALUES
-The function
-.Fn PKCS7_set_type
-returns 1 on success or 0 on failure.
-.Pp
-The function
-.Fn PKCS7_set0_type_other
-does no error handling at all and always returns 1.
-.Sh SEE ALSO
-.Xr ASN1_OCTET_STRING_new 3 ,
-.Xr ASN1_TYPE_new 3 ,
-.Xr PKCS7_encrypt 3 ,
-.Xr PKCS7_new 3 ,
-.Xr PKCS7_set_content 3 ,
-.Xr PKCS7_sign 3
-.Sh HISTORY
-The function
-.Fn PKCS7_set_type
-first appeared in SSLeay 0.8.1 and
-.Fn PKCS7_set0_type_other
-in OpenSSL 0.9.8.
-Both have been available since
-.Ox 2.4 .
-.Sh CAVEATS
-If
-.Fa p7
-has already been in use before being passed to one of these functions,
-it will report success even though it leaks memory.
-Later on, if other functions try to use
-.Fa p7
-in its former role, they are likely to misbehave.
diff --git a/src/lib/libcrypto/man/PKCS7_sign.3 b/src/lib/libcrypto/man/PKCS7_sign.3
deleted file mode 100644
index 37257e60fd..0000000000
--- a/src/lib/libcrypto/man/PKCS7_sign.3
+++ /dev/null
@@ -1,251 +0,0 @@
-.\" $OpenBSD: PKCS7_sign.3,v 1.13 2020/06/10 11:43:08 schwarze Exp $
-.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2003, 2006-2009, 2015 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 10 2020 $
-.Dt PKCS7_SIGN 3
-.Os
-.Sh NAME
-.Nm PKCS7_sign
-.Nd create a PKCS#7 signedData structure
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft PKCS7 *
-.Fo PKCS7_sign
-.Fa "X509 *signcert"
-.Fa "EVP_PKEY *pkey"
-.Fa "STACK_OF(X509) *certs"
-.Fa "BIO *data"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn PKCS7_sign
-creates and returns a PKCS#7 signedData structure.
-.Fa signcert
-is the certificate to sign with,
-.Fa pkey
-is the corresponding private key.
-.Fa certs
-is an optional additional set of certificates to include in the PKCS#7
-structure (for example any intermediate CAs in the chain).
-.Pp
-The data to be signed is read from
-.Vt BIO
-.Fa data .
-.Pp
-.Fa flags
-is an optional set of flags.
-.Pp
-Any of the following flags (OR'ed together) can be passed in the
-.Fa flags
-parameter.
-.Pp
-Many S/MIME clients expect the signed content to include valid MIME
-headers.
-If the
-.Dv PKCS7_TEXT
-flag is set, MIME headers for type
-.Sy text/plain
-are prepended to the data.
-.Pp
-If
-.Dv PKCS7_NOCERTS
-is set, the signer's certificate will not be included in the PKCS7
-structure, though the signer's certificate must still be supplied in the
-.Fa signcert
-parameter.
-This can reduce the size of the signature if the signer's certificate can
-be obtained by other means: for example a previously signed message.
-.Pp
-The data being signed is included in the
-.Vt PKCS7
-structure, unless
-.Dv PKCS7_DETACHED
-is set, in which case it is omitted.
-This is used for PKCS7 detached signatures which are used in S/MIME
-plaintext signed messages for example.
-.Pp
-Normally the supplied content is translated into MIME canonical format
-(as required by the S/MIME specifications).
-If
-.Dv PKCS7_BINARY
-is set, no translation occurs.
-This option should be used if the supplied data is in binary format;
-otherwise, the translation will corrupt it.
-.Pp
-The signedData structure includes several PKCS#7 authenticatedAttributes
-including the signing time, the PKCS#7 content type and the supported
-list of ciphers in an SMIMECapabilities attribute.
-If
-.Dv PKCS7_NOATTR
-is set, then no authenticatedAttributes will be used.
-If
-.Dv PKCS7_NOSMIMECAP
-is set, then just the SMIMECapabilities are omitted.
-.Pp
-If present, the SMIMECapabilities attribute indicates support for the
-following algorithms: triple DES, 128-bit RC2, 64-bit RC2, DES
-and 40-bit RC2.
-If any of these algorithms is disabled then it will not be included.
-.Pp
-If the flags
-.Dv PKCS7_STREAM
-is set, then the returned
-.Vt PKCS7
-structure is just initialized ready to perform the signing operation.
-The signing is however
-.Sy not
-performed and the data to be signed is not read from the
-.Fa data
-parameter.
-Signing is deferred until after the data has been written.
-In this way data can be signed in a single pass.
-.Pp
-If the
-.Dv PKCS7_PARTIAL
-flag is set, a partial
-.Vt PKCS7
-structure is output to which additional signers and capabilities can be
-added before finalization.
-.Pp
-If the flag
-.Dv PKCS7_STREAM
-is set, the returned
-.Vt PKCS7
-structure is
-.Sy not
-complete and outputting its contents via a function that does not
-properly finalize the
-.Vt PKCS7
-structure will give unpredictable results.
-.Pp
-Several functions including
-.Xr PKCS7_final 3 ,
-.Xr SMIME_write_PKCS7 3 ,
-.Xr PEM_write_bio_PKCS7_stream 3 ,
-and
-.Xr i2d_PKCS7_bio_stream 3
-finalize the structure.
-Alternatively finalization can be performed by obtaining the streaming
-ASN.1
-.Vt BIO
-directly using
-.Fn BIO_new_PKCS7 .
-.Pp
-If a signer is specified, it will use the default digest for the
-signing algorithm.
-This is
-.Sy SHA1
-for both RSA and DSA keys.
-.Pp
-In OpenSSL 1.0.0, the
-.Fa certs ,
-.Fa signcert ,
-and
-.Fa pkey
-parameters can all be
-.Dv NULL
-if the
-.Dv PKCS7_PARTIAL
-flag is set.
-One or more signers can be added using the function
-.Xr PKCS7_sign_add_signer 3
-and attributes can be added using the functions described in
-.Xr PKCS7_add_attribute 3 .
-.Xr PKCS7_final 3
-must also be called to finalize the structure if streaming is not
-enabled.
-Alternative signing digests can also be specified using this method.
-.Pp
-In OpenSSL 1.0.0, if
-.Fa signcert
-and
-.Fa pkey
-are
-.Dv NULL ,
-then a certificate-only PKCS#7 structure is output.
-.Pp
-In versions of OpenSSL before 1.0.0 the
-.Fa signcert
-and
-.Fa pkey
-parameters must
-.Sy NOT
-be
-.Dv NULL .
-.Sh RETURN VALUES
-.Fn PKCS7_sign
-returns either a valid
-.Vt PKCS7
-structure or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr PKCS7_add_attribute 3 ,
-.Xr PKCS7_encrypt 3 ,
-.Xr PKCS7_final 3 ,
-.Xr PKCS7_get_signer_info 3 ,
-.Xr PKCS7_new 3 ,
-.Xr PKCS7_sign_add_signer 3 ,
-.Xr PKCS7_verify 3
-.Sh HISTORY
-.Fn PKCS7_sign
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-The
-.Dv PKCS7_PARTIAL
-and
-.Dv PKCS7_STREAM
-flags were added in OpenSSL 1.0.0.
-.Sh BUGS
-Some advanced attributes such as counter signatures are not supported.
diff --git a/src/lib/libcrypto/man/PKCS7_sign_add_signer.3 b/src/lib/libcrypto/man/PKCS7_sign_add_signer.3
deleted file mode 100644
index 195d6388c9..0000000000
--- a/src/lib/libcrypto/man/PKCS7_sign_add_signer.3
+++ /dev/null
@@ -1,187 +0,0 @@
-.\" $OpenBSD: PKCS7_sign_add_signer.3,v 1.13 2020/06/10 11:43:08 schwarze Exp $
-.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2007, 2008, 2009, 2015 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 10 2020 $
-.Dt PKCS7_SIGN_ADD_SIGNER 3
-.Os
-.Sh NAME
-.Nm PKCS7_sign_add_signer
-.Nd add a signer to a SignedData structure
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft PKCS7_SIGNER_INFO *
-.Fo PKCS7_sign_add_signer
-.Fa "PKCS7 *p7"
-.Fa "X509 *signcert"
-.Fa "EVP_PKEY *pkey"
-.Fa "const EVP_MD *md"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn PKCS7_sign_add_signer
-adds a signer with certificate
-.Fa signcert
-and private key
-.Fa pkey
-using message digest
-.Fa md
-to a
-.Vt PKCS7
-signed data structure
-.Fa p7 .
-.Pp
-The
-.Vt PKCS7
-structure should be obtained from an initial call to
-.Xr PKCS7_sign 3
-with the flag
-.Dv PKCS7_PARTIAL
-set or, in the case or re-signing, a valid
-.Vt PKCS7
-signed data structure.
-.Pp
-If the
-.Fa md
-parameter is
-.Dv NULL ,
-then the default digest for the public key algorithm will be used.
-.Pp
-Unless the
-.Dv PKCS7_REUSE_DIGEST
-flag is set, the returned
-.Dv PKCS7
-structure is not complete and must be
-finalized either by streaming (if applicable) or by a call to
-.Xr PKCS7_final 3 .
-.Pp
-The main purpose of this function is to provide finer control over a
-PKCS#7 signed data structure where the simpler
-.Xr PKCS7_sign 3
-function defaults are not appropriate, for example if multiple
-signers or non default digest algorithms are needed.
-.Pp
-Any of the following flags (OR'ed together) can be passed in the
-.Fa flags
-parameter.
-.Pp
-If
-.Dv PKCS7_REUSE_DIGEST
-is set, then an attempt is made to copy the content digest value from the
-.Vt PKCS7
-structure: to add a signer to an existing structure.
-An error occurs if a matching digest value cannot be found to copy.
-The returned
-.Vt PKCS7
-structure will be valid and finalized when this flag is set.
-.Pp
-If
-.Dv PKCS7_PARTIAL
-is set in addition to
-.Dv PKCS7_REUSE_DIGEST ,
-then the
-.Dv PKCS7_SIGNER_INO
-structure will not be finalized, so additional attributes can be added.
-In this case an explicit call to
-.Fn PKCS7_SIGNER_INFO_sign
-is needed to finalize it.
-.Pp
-If
-.Dv PKCS7_NOCERTS
-is set, the signer's certificate will not be included in the
-.Vt PKCS7
-structure, though the signer's certificate must still be supplied in the
-.Fa signcert
-parameter.
-This can reduce the size of the signature if the signers certificate can
-be obtained by other means: for example a previously signed message.
-.Pp
-The signedData structure includes several PKCS#7 authenticatedAttributes
-including the signing time, the PKCS#7 content type and the supported
-list of ciphers in an SMIMECapabilities attribute.
-If
-.Dv PKCS7_NOATTR
-is set, then no authenticatedAttributes will be used.
-If
-.Dv PKCS7_NOSMIMECAP
-is set, then just the SMIMECapabilities are omitted.
-.Pp
-If present, the SMIMECapabilities attribute indicates support for the
-following algorithms: triple DES, 128-bit RC2, 64-bit RC2, DES
-and 40-bit RC2.
-If any of these algorithms is disabled, then it will not be included.
-.Pp
-.Fn PKCS7_sign_add_signer
-returns an internal pointer to the
-.Vt PKCS7_SIGNER_INFO
-structure just added, which can be used to set additional attributes
-with the functions described in
-.Xr PKCS7_add_attribute 3
-before it is finalized.
-.Sh RETURN VALUES
-.Fn PKCS7_sign_add_signer
-returns an internal pointer to the
-.Vt PKCS7_SIGNER_INFO
-structure just added or
-.Dv NULL
-if an error occurs.
-In some cases of failure, the reason can be determined with
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr EVP_DigestInit 3 ,
-.Xr PKCS7_add_attribute 3 ,
-.Xr PKCS7_final 3 ,
-.Xr PKCS7_get_signer_info 3 ,
-.Xr PKCS7_new 3 ,
-.Xr PKCS7_sign 3
-.Sh HISTORY
-.Fn PKCS7_sign_add_signer
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/PKCS7_verify.3 b/src/lib/libcrypto/man/PKCS7_verify.3
deleted file mode 100644
index d091c03dfd..0000000000
--- a/src/lib/libcrypto/man/PKCS7_verify.3
+++ /dev/null
@@ -1,252 +0,0 @@
-.\"     $OpenBSD: PKCS7_verify.3,v 1.11 2022/03/31 17:27:17 naddy Exp $
-.\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2006, 2013, 2014, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 31 2022 $
-.Dt PKCS7_VERIFY 3
-.Os
-.Sh NAME
-.Nm PKCS7_verify ,
-.Nm PKCS7_get0_signers
-.Nd verify a PKCS#7 signedData structure
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft int
-.Fo PKCS7_verify
-.Fa "PKCS7 *p7"
-.Fa "STACK_OF(X509) *certs"
-.Fa "X509_STORE *store"
-.Fa "BIO *indata"
-.Fa "BIO *out"
-.Fa "int flags"
-.Fc
-.Ft STACK_OF(X509) *
-.Fo PKCS7_get0_signers
-.Fa "PKCS7 *p7"
-.Fa "STACK_OF(X509) *certs"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn PKCS7_verify
-verifies a PKCS#7 signedData structure.
-.Fa p7
-is the
-.Vt PKCS7
-structure to verify.
-.Fa certs
-is a set of certificates in which to search for the signer's
-certificate.
-.Fa store
-is a trusted certificate store (used for chain verification).
-.Fa indata
-is the signed data if the content is not present in
-.Fa p7 ,
-that is if it is detached.
-The content is written to
-.Fa out
-if it is not
-.Dv NULL .
-.Pp
-.Fa flags
-is an optional set of flags, which can be used to modify the verify
-operation.
-.Pp
-.Fn PKCS7_get0_signers
-retrieves the signer's certificates from
-.Fa p7 .
-The signers must be freed with
-.Fn sk_X509_free .
-It does
-.Sy not
-check their validity or whether any signatures are valid.
-The
-.Fa certs
-and
-.Fa flags
-parameters have the same meanings as in
-.Fn PKCS7_verify .
-.Pp
-Normally the verify process proceeds as follows.
-.Pp
-Initially some sanity checks are performed on
-.Fa p7 .
-The type of
-.Fa p7
-must be signedData.
-There must be at least one signature on the data and if the content
-is detached,
-.Fa indata
-cannot be
-.Dv NULL .
-.Pp
-An attempt is made to locate all the signer's certificates, first
-looking in the
-.Fa certs
-parameter (if it is not
-.Dv NULL )
-and then looking in any certificates contained in the
-.Fa p7
-structure itself.
-If any signer's certificates cannot be located, the operation fails.
-.Pp
-Each signer's certificate is chain verified using the
-.Sy smimesign
-purpose and the supplied trusted certificate store.
-Any internal certificates in the message are used as untrusted CAs.
-If any chain verify fails, an error code is returned.
-.Pp
-Finally, the signed content is read (and written to
-.Fa out
-if it is not
-.Dv NULL )
-and the signature's checked.
-.Pp
-If all signature's verify correctly then the function is successful.
-.Pp
-Any of the following flags (OR'ed together) can be passed in the
-.Fa flags
-parameter to change the default verify behaviour.
-Only the flag
-.Dv PKCS7_NOINTERN
-is meaningful to
-.Fn PKCS7_get0_signers .
-.Pp
-If
-.Dv PKCS7_NOINTERN
-is set, the certificates in the message itself are not searched when
-locating the signer's certificate.
-This means that all the signer's certificates must be in the
-.Fa certs
-parameter.
-.Pp
-If the
-.Dv PKCS7_TEXT
-flag is set, MIME headers for type
-.Sy text/plain
-are deleted from the content.
-If the content is not of type
-.Sy text/plain ,
-then an error is returned.
-.Pp
-If
-.Dv PKCS7_NOVERIFY
-is set, the signer's certificates are not chain verified.
-.Pp
-If
-.Dv PKCS7_NOCHAIN
-is set, then the certificates contained in the message are not used as
-untrusted CAs.
-This means that the whole verify chain (apart from the signer's
-certificate) must be contained in the trusted store.
-.Pp
-If
-.Dv PKCS7_NOSIGS
-is set, then the signatures on the data are not checked.
-.Pp
-One application of
-.Dv PKCS7_NOINTERN
-is to only accept messages signed by a small number of certificates.
-The acceptable certificates would be passed in the
-.Fa certs
-parameter.
-In this case, if the signer is not one of the certificates supplied in
-.Fa certs ,
-then the verify will fail because the signer cannot be found.
-.Pp
-Care should be taken when modifying the default verify behaviour, for
-example setting
-.Dv PKCS7_NOVERIFY | PKCS7_NOSIGS
-will totally disable all verification and any signed message will be
-considered valid.
-This combination is however useful if one merely wishes to write the
-content to
-.Fa out
-and its validity is not considered important.
-.Pp
-Chain verification should arguably be performed using the signing time
-rather than the current time.
-However since the signing time is supplied by the signer, it cannot be
-trusted without additional evidence (such as a trusted timestamp).
-.Sh RETURN VALUES
-.Fn PKCS7_verify
-returns 1 for a successful verification and 0 or a negative value if
-an error occurs.
-.Pp
-.Fn PKCS7_get0_signers
-returns all signers or
-.Dv NULL
-if an error occurred.
-The signers must be freed with
-.Fn sk_X509_free .
-.Pp
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr PKCS7_decrypt 3 ,
-.Xr PKCS7_new 3 ,
-.Xr PKCS7_sign 3 ,
-.Xr X509_STORE_new 3
-.Sh HISTORY
-.Fn PKCS7_verify
-and
-.Fn PKCS7_get0_signers
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Sh BUGS
-The trusted certificate store is not searched for the signer's
-certificate.
-This is primarily due to the inadequacies of the current
-.Vt X509_STORE
-functionality.
-.Pp
-The lack of single pass processing and the need to hold all data
-in memory as mentioned in
-.Xr PKCS7_sign 3
-also applies to
-.Fn PKCS7_verify .
diff --git a/src/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3 b/src/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3
deleted file mode 100644
index 822968f58d..0000000000
--- a/src/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3
+++ /dev/null
@@ -1,65 +0,0 @@
-.\"     $OpenBSD: PKCS8_PRIV_KEY_INFO_new.3,v 1.7 2024/12/06 12:51:13 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt PKCS8_PRIV_KEY_INFO_NEW 3
-.Os
-.Sh NAME
-.Nm PKCS8_PRIV_KEY_INFO_new ,
-.Nm PKCS8_PRIV_KEY_INFO_free
-.Nd PKCS#8 private key information
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft PKCS8_PRIV_KEY_INFO *
-.Fn PKCS8_PRIV_KEY_INFO_new void
-.Ft void
-.Fn PKCS8_PRIV_KEY_INFO_free "PKCS8_PRIV_KEY_INFO *key"
-.Sh DESCRIPTION
-.Fn PKCS8_PRIV_KEY_INFO_new
-allocates and initializes an empty
-.Vt PKCS8_PRIV_KEY_INFO
-object, representing an ASN.1
-.Vt PrivateKeyInfo
-structure defined in RFC 5208 section 5.
-It can hold a private key together with information about the
-algorithm to be used with it and optional attributes.
-.Pp
-.Fn PKCS8_PRIV_KEY_INFO_free
-frees
-.Fa key .
-.Sh RETURN VALUES
-.Fn PKCS8_PRIV_KEY_INFO_new
-returns the new
-.Vt PKCS8_PRIV_KEY_INFO
-object or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr d2i_PKCS8_PRIV_KEY_INFO 3 ,
-.Xr d2i_PKCS8PrivateKey_bio 3 ,
-.Xr EVP_PKCS82PKEY 3 ,
-.Xr PEM_read_PKCS8_PRIV_KEY_INFO 3 ,
-.Xr PKCS12_parse 3 ,
-.Xr PKCS8_pkey_set0 3 ,
-.Xr X509_ATTRIBUTE_new 3
-.Sh STANDARDS
-RFC 5208: PKCS#8: Private-Key Information Syntax Specification
-.Sh HISTORY
-.Fn PKCS8_PRIV_KEY_INFO_new
-and
-.Fn PKCS8_PRIV_KEY_INFO_free
-first appeared in OpenSSL 0.9.3 and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/PKCS8_pkey_set0.3 b/src/lib/libcrypto/man/PKCS8_pkey_set0.3
deleted file mode 100644
index f3d5a294c3..0000000000
--- a/src/lib/libcrypto/man/PKCS8_pkey_set0.3
+++ /dev/null
@@ -1,159 +0,0 @@
-.\" $OpenBSD: PKCS8_pkey_set0.3,v 1.3 2024/09/02 07:45:09 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 2 2024 $
-.Dt PKCS8_PKEY_SET0 3
-.Os
-.Sh NAME
-.Nm PKCS8_pkey_set0 ,
-.Nm PKCS8_pkey_get0 ,
-.Nm PKCS8_pkey_add1_attr_by_NID ,
-.Nm PKCS8_pkey_get0_attrs
-.Nd change and inspect PKCS#8 PrivateKeyInfo objects
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo PKCS8_pkey_set0
-.Fa "PKCS8_PRIV_KEY_INFO *keyinfo"
-.Fa "ASN1_OBJECT *aobj"
-.Fa "int version"
-.Fa "int ptype"
-.Fa "void *pval"
-.Fa "unsigned char *data"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo PKCS8_pkey_get0
-.Fa "const ASN1_OBJECT **paobj"
-.Fa "const unsigned char **pdata"
-.Fa "int *plen"
-.Fa "const X509_ALGOR **palgor"
-.Fa "const PKCS8_PRIV_KEY_INFO *keyinfo"
-.Fc
-.Ft int
-.Fo PKCS8_pkey_add1_attr_by_NID
-.Fa "PKCS8_PRIV_KEY_INFO *keyinfo"
-.Fa "int nid"
-.Fa "int type"
-.Fa "const unsigned char *data"
-.Fa "int len"
-.Fc
-.Ft const STACK_OF(X509_ATTRIBUTE) *
-.Fo PKCS8_pkey_get0_attrs
-.Fa "const PKCS8_PRIV_KEY_INFO *keyinfo"
-.Fc
-.Sh DESCRIPTION
-.Fn PKCS8_pkey_set0
-initializes the
-.Fa keyinfo
-object.
-The algorithm is set to
-.Fa aobj
-with the associated parameter type
-.Fa ptype
-and parameter value
-.Fa pval
-using
-.Xr X509_ALGOR_set0 3 ,
-replacing any previous information about the algorithm.
-Unless
-.Fa data
-is
-.Dv NULL ,
-the encoded private key is set to the
-.Fa len
-bytes starting at
-.Fa data
-using
-.Xr ASN1_STRING_set0 3 ,
-not performing any validation.
-If
-.Fa data
-is
-.Dv NULL ,
-the key data remains unchanged.
-If the
-.Fa version
-argument is greater than or equal to 0, it replaces any existing version;
-otherwise, the version remains unchanged.
-If
-.Fa keyinfo
-contains any attributes, they remain unchanged.
-.Pp
-.Fn PKCS8_pkey_get0
-retrieves some information from the
-.Fa keyinfo
-object.
-Internal pointers to the algorithm OID, the
-.Vt AlgorithmIdentifier ,
-and the encoded private key are stored in
-.Pf * Fa paobj ,
-.Pf * Fa palgor ,
-and
-.Pf * Fa pdata ,
-respectively.
-.Dv NULL
-pointers can be passed for any of these three arguments if the respective
-information is not needed.
-Unless
-.Fa pdata
-is
-.Dv NULL ,
-.Pf * Fa plen
-is set to the number of bytes in
-.Pf * Fa pdata .
-.Pp
-.Fn PKCS8_pkey_add1_attr_by_NID
-creates a new X.501 Attribute object using
-.Xr X509_ATTRIBUTE_create_by_NID 3
-and appends it to the attributes of
-.Fa keyinfo .
-.Sh RETURN VALUES
-.Fn PKCS8_pkey_set0
-and
-.Fn PKCS8_pkey_add1_attr_by_NID
-return 1 for success or 0 for failure.
-.Pp
-.Fn PKCS8_pkey_get0
-always returns 1.
-.Pp
-.Fn PKCS8_pkey_get0_attrs
-returns an internal pointer to the array of attributes associated with
-.Fa keyinfo
-or
-.Dv NULL
-if no attributes are set.
-.Sh SEE ALSO
-.Xr ASN1_STRING_set0 3 ,
-.Xr EVP_PKCS82PKEY 3 ,
-.Xr OBJ_nid2obj 3 ,
-.Xr PKCS8_PRIV_KEY_INFO_new 3 ,
-.Xr STACK_OF 3 ,
-.Xr X509_ALGOR_new 3 ,
-.Xr X509_ATTRIBUTE_create_by_NID 3 ,
-.Xr X509_ATTRIBUTE_new 3
-.Sh HISTORY
-.Fn PKCS8_pkey_set0
-and
-.Fn PKCS8_pkey_get0
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
-.Pp
-.Fn PKCS8_pkey_add1_attr_by_NID
-and
-.Fn PKCS8_pkey_get0_attrs
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.4 .
diff --git a/src/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3 b/src/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3
deleted file mode 100644
index 40735c6f86..0000000000
--- a/src/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3
+++ /dev/null
@@ -1,74 +0,0 @@
-.\"     $OpenBSD: PKEY_USAGE_PERIOD_new.3,v 1.5 2019/06/06 01:06:59 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 6 2019 $
-.Dt PKEY_USAGE_PERIOD_NEW 3
-.Os
-.Sh NAME
-.Nm PKEY_USAGE_PERIOD_new ,
-.Nm PKEY_USAGE_PERIOD_free
-.Nd X.509 certificate private key usage period extension
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft PKEY_USAGE_PERIOD *
-.Fn PKEY_USAGE_PERIOD_new void
-.Ft void
-.Fn PKEY_USAGE_PERIOD_free "PKEY_USAGE_PERIOD *period"
-.Sh DESCRIPTION
-.Fn PKEY_USAGE_PERIOD_new
-allocates and initializes an empty
-.Vt PKEY_USAGE_PERIOD
-object, representing an ASN.1
-.Vt PrivateKeyUsagePeriod
-structure defined in RFC 3280 section 4.2.1.4.
-It could be used in
-.Vt X509
-certificates to specify a validity period for the private key
-that differed from the validity period of the certificate.
-.Pp
-.Fn PKEY_USAGE_PERIOD_free
-frees
-.Fa period .
-.Sh RETURN VALUES
-.Fn PKEY_USAGE_PERIOD_new
-returns the new
-.Vt PKEY_USAGE_PERIOD
-object or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr d2i_PKEY_USAGE_PERIOD 3 ,
-.Xr EXTENDED_KEY_USAGE_new 3 ,
-.Xr X509_CINF_new 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-RFC 3280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile,
-section 4.2.1.4: Private Key Usage Period
-.Pp
-RFC 3280 was obsoleted by RFC 5280, which says: "Section 4.2.1.4
-in RFC 3280, which specified the
-.Vt PrivateKeyUsagePeriod
-certificate extension but deprecated its use, was removed.
-Use of this ISO standard extension is neither deprecated
-nor recommended for use in the Internet PKI."
-.Sh HISTORY
-.Fn PKEY_USAGE_PERIOD_new
-and
-.Fn PKEY_USAGE_PERIOD_free
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/POLICYINFO_new.3 b/src/lib/libcrypto/man/POLICYINFO_new.3
deleted file mode 100644
index 52c004414e..0000000000
--- a/src/lib/libcrypto/man/POLICYINFO_new.3
+++ /dev/null
@@ -1,218 +0,0 @@
-.\"     $OpenBSD: POLICYINFO_new.3,v 1.11 2023/05/14 08:03:57 tb Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: May 14 2023 $
-.Dt POLICYINFO_NEW 3
-.Os
-.Sh NAME
-.Nm POLICYINFO_new ,
-.Nm POLICYINFO_free ,
-.Nm CERTIFICATEPOLICIES_new ,
-.Nm CERTIFICATEPOLICIES_free ,
-.Nm POLICYQUALINFO_new ,
-.Nm POLICYQUALINFO_free ,
-.Nm USERNOTICE_new ,
-.Nm USERNOTICE_free ,
-.Nm NOTICEREF_new ,
-.Nm NOTICEREF_free ,
-.Nm POLICY_MAPPING_new ,
-.Nm POLICY_MAPPING_free ,
-.Nm POLICY_CONSTRAINTS_new ,
-.Nm POLICY_CONSTRAINTS_free
-.Nd X.509 certificate policies
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft POLICYINFO *
-.Fn POLICYINFO_new void
-.Ft void
-.Fn POLICYINFO_free "POLICYINFO *pi"
-.Ft CERTIFICATEPOLICIES *
-.Fn CERTIFICATEPOLICIES_new void
-.Ft void
-.Fn CERTIFICATEPOLICIES_free "CERTIFICATEPOLICIES *pis"
-.Ft POLICYQUALINFO *
-.Fn POLICYQUALINFO_new void
-.Ft void
-.Fn POLICYQUALINFO_free "POLICYQUALINFO *pqi"
-.Ft USERNOTICE *
-.Fn USERNOTICE_new void
-.Ft void
-.Fn USERNOTICE_free "USERNOTICE *usernotice"
-.Ft NOTICEREF *
-.Fn NOTICEREF_new void
-.Ft void
-.Fn NOTICEREF_free "NOTICEREF *noticeref"
-.Ft POLICY_MAPPING *
-.Fn POLICY_MAPPING_new void
-.Ft void
-.Fn POLICY_MAPPING_free "POLICY_MAPPING *pm"
-.Ft POLICY_CONSTRAINTS *
-.Fn POLICY_CONSTRAINTS_new void
-.Ft void
-.Fn POLICY_CONSTRAINTS_free "POLICY_CONSTRAINTS *pc"
-.Sh DESCRIPTION
-X.509 CA and end entity certificates can optionally indicate
-restrictions on their intended use.
-.Pp
-.Fn POLICYINFO_new
-allocates and initializes an empty
-.Vt POLICYINFO
-object, representing an ASN.1
-.Vt PolicyInformation
-structure defined in RFC 5280 section 4.2.1.4.
-It can hold a policy identifier and optional advisory qualifiers.
-.Fn POLICYINFO_free
-frees
-.Fa pi .
-.Pp
-.Fn CERTIFICATEPOLICIES_new
-allocates and initializes an empty
-.Vt CERTIFICATEPOLICIES
-object, which is a
-.Vt STACK_OF(POLICYINFO)
-and represents an ASN.1
-.Vt CertificatePolicies
-structure defined in RFC 5280 section 4.2.1.4.
-It can be used by
-.Vt X509
-objects, both by CA certificates and end entity certificates.
-.Fn CERTIFICATEPOLICIES_free
-frees
-.Fa pis .
-.Pp
-.Fn POLICYQUALINFO_new
-allocates and initializes an empty
-.Vt POLICYQUALINFO
-object, representing an ASN.1
-.Vt PolicyQualifierInfo
-structure defined in RFC 5280 section 4.2.1.4.
-It can be used in
-.Vt POLICYINFO
-and it can hold either a uniform resource identifier of a certification
-practice statement published by the CA, or a pointer to a
-.Vt USERNOTICE
-object, or arbitrary other information.
-.Fn POLICYQUALINFO_free
-frees
-.Fa pqi .
-.Pp
-.Fn USERNOTICE_new
-allocates and initializes an empty
-.Vt USERNOTICE
-object, representing an ASN.1
-.Vt UserNotice
-structure defined in RFC 5280 section 4.2.1.4.
-It can be used in
-.Vt POLICYQUALINFO
-and it can hold either an
-.Vt ASN1_STRING
-intended for display to the user or a pointer to a
-.Vt NOTICEREF
-object.
-.Fn NOTICEREF_free
-frees
-.Fa usernotice .
-.Pp
-.Fn NOTICEREF_new
-allocates and initializes an empty
-.Vt NOTICEREF
-object, representing an ASN.1
-.Vt NoticeReference
-structure defined in RFC 5280 section 4.2.1.4.
-It can be used in
-.Vt USERNOTICE
-and can hold an organization name and a stack of notice numbers.
-.Fn NOTICEREF_free
-frees
-.Fa noticeref .
-.Pp
-.Fn POLICY_MAPPING_new
-allocates and initializes an empty
-.Vt POLICY_MAPPING
-object, representing an ASN.1
-.Vt PolicyMappings
-structure defined in RFC 5280 section 4.2.1.5.
-It can be used in
-.Vt X509
-CA certificates and can hold a list of pairs of policy identifiers,
-declaring one of the policies in each pair as equivalent to the
-other.
-.Fn POLICY_MAPPING_free
-frees
-.Fa pm .
-.Pp
-.Fn POLICY_CONSTRAINTS_new
-allocates and initializes an empty
-.Vt POLICY_CONSTRAINTS
-object, representing an ASN.1
-.Vt PolicyConstraints
-structure defined in RFC 5280 section 4.2.1.11.
-It can be used in
-.Vt X509
-CA certificates to restrict policy mapping and/or to require explicit
-certificate policies in subsequent intermediate certificates in the
-certification path.
-.Fn POLICY_CONSTRAINTS_free
-frees
-.Fa pc .
-.Sh RETURN VALUES
-The constructor functions return a new object of the respective
-type or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr BASIC_CONSTRAINTS_new 3 ,
-.Xr d2i_POLICYINFO 3 ,
-.Xr NAME_CONSTRAINTS_new 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_get_extension_flags 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile:
-.Bl -dash -compact
-.It
-section 4.2.1.4: Certificate Policies
-.It
-section 4.2.1.5: Policy Mappings
-.It
-section 4.2.1.11: Policy Constraints
-.El
-.Sh HISTORY
-.Fn POLICYINFO_new ,
-.Fn POLICYINFO_free ,
-.Fn CERTIFICATEPOLICIES_new ,
-.Fn CERTIFICATEPOLICIES_free ,
-.Fn POLICYQUALINFO_new ,
-.Fn POLICYQUALINFO_free ,
-.Fn USERNOTICE_new ,
-.Fn USERNOTICE_free ,
-.Fn NOTICEREF_new ,
-and
-.Fn NOTICEREF_free
-first appeared in OpenSSL 0.9.3 and have been available since
-.Ox 2.6 .
-.Pp
-.Fn POLICY_MAPPING_new ,
-.Fn POLICY_MAPPING_free ,
-.Fn POLICY_CONSTRAINTS_new ,
-and
-.Fn POLICY_CONSTRAINTS_free
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Sh BUGS
-This is a lot of nested data structures, but most of them are
-designed to have almost no effect.
diff --git a/src/lib/libcrypto/man/RAND_add.3 b/src/lib/libcrypto/man/RAND_add.3
deleted file mode 100644
index 5404f696a3..0000000000
--- a/src/lib/libcrypto/man/RAND_add.3
+++ /dev/null
@@ -1,73 +0,0 @@
-.\" $OpenBSD: RAND_add.3,v 1.10 2018/03/27 17:35:50 schwarze Exp $
-.\" content checked up to: OpenSSL c16de9d8 Aug 31 23:16:22 2017 +0200
-.\"
-.\" Copyright (c) 2014 Miod Vallat <miod@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt RAND_ADD 3
-.Os
-.Sh NAME
-.Nm RAND_add ,
-.Nm RAND_cleanup ,
-.Nm RAND_poll ,
-.Nm RAND_seed ,
-.Nm RAND_status
-.Nd manipulate the PRNG state
-.Sh SYNOPSIS
-.In openssl/rand.h
-.Ft void
-.Fo RAND_add
-.Fa "const void *buf"
-.Fa "int num"
-.Fa "double entropy"
-.Fc
-.Ft void
-.Fn RAND_cleanup void
-.Ft int
-.Fn RAND_poll void
-.Ft void
-.Fo RAND_seed
-.Fa "const void *buf"
-.Fa "int num"
-.Fc
-.Ft int
-.Fn RAND_status void
-.Sh DESCRIPTION
-These functions used to allow for the state of the random number
-generator to be controlled by external sources.
-.Pp
-They are kept for ABI compatibility but are no longer functional, and
-should not be used in new programs.
-.Sh RETURN VALUES
-.Fn RAND_poll
-and
-.Fn RAND_status
-always return 1.
-.Sh HISTORY
-.Fn RAND_cleanup
-and
-.Fn RAND_seed
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn RAND_add
-and
-.Fn RAND_status
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-.Fn RAND_poll
-first appeared in OpenSSL 0.9.6 and has been available since
-.Ox 2.9 .
diff --git a/src/lib/libcrypto/man/RAND_bytes.3 b/src/lib/libcrypto/man/RAND_bytes.3
deleted file mode 100644
index 19427a82df..0000000000
--- a/src/lib/libcrypto/man/RAND_bytes.3
+++ /dev/null
@@ -1,108 +0,0 @@
-.\"     $OpenBSD: RAND_bytes.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt RAND_BYTES 3
-.Os
-.Sh NAME
-.Nm RAND_bytes ,
-.Nm RAND_pseudo_bytes
-.Nd generate random data
-.Sh SYNOPSIS
-.In openssl/rand.h
-.Ft int
-.Fo RAND_bytes
-.Fa "unsigned char *buf"
-.Fa "int num"
-.Fc
-.Ft int
-.Fo RAND_pseudo_bytes
-.Fa "unsigned char *buf"
-.Fa "int num"
-.Fc
-.Sh DESCRIPTION
-These functions are deprecated and only retained for compatibility
-with legacy application programs.
-Use
-.Xr arc4random_buf 3
-instead.
-.Pp
-.Fn RAND_bytes
-puts
-.Fa num
-cryptographically strong pseudo-random bytes into
-.Fa buf .
-.Pp
-.Fn RAND_pseudo_bytes
-puts
-.Fa num
-pseudo-random bytes into
-.Fa buf .
-Pseudo-random byte sequences generated by
-.Fn RAND_pseudo_bytes
-will be unique if they are of sufficient length, but are not necessarily
-unpredictable.
-They can be used for non-cryptographic purposes and for certain purposes
-in cryptographic protocols, but usually not for key generation etc.
-.Sh RETURN VALUES
-.Fn RAND_bytes
-returns 1.
-.Fn RAND_pseudo_bytes
-returns 1.
-.Sh HISTORY
-.Fn RAND_bytes
-first appeared in SSLeay 0.5.1 and has been available since
-.Ox 2.4 .
-It has a return value since OpenSSL 0.9.5 and
-.Ox 2.7 .
-.Pp
-.Fn RAND_pseudo_bytes
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/RAND_load_file.3 b/src/lib/libcrypto/man/RAND_load_file.3
deleted file mode 100644
index 9227e2721b..0000000000
--- a/src/lib/libcrypto/man/RAND_load_file.3
+++ /dev/null
@@ -1,119 +0,0 @@
-.\"     $OpenBSD: RAND_load_file.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2001 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt RAND_LOAD_FILE 3
-.Os
-.Sh NAME
-.Nm RAND_file_name ,
-.Nm RAND_load_file ,
-.Nm RAND_write_file
-.Nd PRNG seed file
-.Sh SYNOPSIS
-.In openssl/rand.h
-.Ft const char *
-.Fo RAND_file_name
-.Fa "char *buf"
-.Fa "size_t num"
-.Fc
-.Ft int
-.Fo RAND_load_file
-.Fa "const char *filename"
-.Fa "long max_bytes"
-.Fc
-.Ft int
-.Fo RAND_write_file
-.Fa "const char *filename"
-.Fc
-.Sh DESCRIPTION
-.Fn RAND_file_name
-returns a default path for the random seed file.
-.Fa buf
-points to a buffer of size
-.Fa num
-in which to store the filename.
-If
-.Fa num
-is too small for the path name, an error occurs.
-.Pp
-.Fn RAND_load_file
-used to allow for the state of the random number generator to be
-controlled by external sources.
-It is kept for ABI compatibility but is no longer functional, and should
-not be used in new programs.
-.Pp
-.Fn RAND_write_file
-writes a number of random bytes (currently 1024) to file
-.Fa filename .
-.Sh RETURN VALUES
-.Fn RAND_load_file
-returns
-.Fa max_bytes ,
-or a bogus positive value if
-.Fa max_bytes
-is -1.
-.Pp
-.Fn RAND_write_file
-returns the number of bytes written, or a number less than or equal
-to 1 if an error occurs.
-.Pp
-.Fn RAND_file_name
-returns a pointer to
-.Fa buf
-on success or
-.Dv NULL
-on error.
-.Sh HISTORY
-.Fn RAND_load_file ,
-.Fn RAND_write_file ,
-and
-.Fn RAND_file_name
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/RAND_set_rand_method.3 b/src/lib/libcrypto/man/RAND_set_rand_method.3
deleted file mode 100644
index d94d794daf..0000000000
--- a/src/lib/libcrypto/man/RAND_set_rand_method.3
+++ /dev/null
@@ -1,55 +0,0 @@
-.\"     $OpenBSD: RAND_set_rand_method.3,v 1.4 2018/03/21 09:03:49 schwarze Exp $
-.\"
-.\" Copyright (c) 2014 Miod Vallat <miod@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 21 2018 $
-.Dt RAND_SET_RAND_METHOD 3
-.Os
-.Sh NAME
-.Nm RAND_set_rand_method ,
-.Nm RAND_get_rand_method ,
-.Nm RAND_SSLeay
-.Nd select RAND method
-.Sh SYNOPSIS
-.In openssl/rand.h
-.Ft int
-.Fo RAND_set_rand_method
-.Fa "const RAND_METHOD *meth"
-.Fc
-.Ft const RAND_METHOD *
-.Fn RAND_get_rand_method void
-.Ft RAND_METHOD *
-.Fn RAND_SSLeay void
-.Sh DESCRIPTION
-These functions used to allow for the random number generator functions
-to be replaced by arbitrary code.
-.Pp
-They are kept for ABI compatibility but are no longer functional, and
-should not be used in new programs.
-.Sh RETURN VALUES
-.Fn RAND_set_rand_method
-always returns 1.
-.Fn RAND_get_rand_method
-and
-.Fn RAND_SSLeay
-always return
-.Dv NULL .
-.Sh HISTORY
-.Fn RAND_set_rand_method ,
-.Fn RAND_get_rand_method ,
-and
-.Fn RAND_SSLeay
-first appeared in SSLeay 0.9.1 and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/RC2_encrypt.3 b/src/lib/libcrypto/man/RC2_encrypt.3
deleted file mode 100644
index a90e0f574b..0000000000
--- a/src/lib/libcrypto/man/RC2_encrypt.3
+++ /dev/null
@@ -1,195 +0,0 @@
-.\" $OpenBSD: RC2_encrypt.3,v 1.2 2024/12/18 04:15:48 jsg Exp $
-.\"
-.\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 18 2024 $
-.Dt RC2_ENCRYPT 3
-.Os
-.Sh NAME
-.Nm RC2_set_key ,
-.Nm RC2_encrypt ,
-.Nm RC2_decrypt ,
-.Nm RC2_cbc_encrypt ,
-.Nm RC2_ecb_encrypt ,
-.Nm RC2_cfb64_encrypt ,
-.Nm RC2_ofb64_encrypt
-.Nd low-level functions for Rivest Cipher 2
-.Sh SYNOPSIS
-.In openssl/rc2.h
-.Ft void
-.Fo RC2_set_key
-.Fa "RC2_KEY *expanded_key"
-.Fa "int len"
-.Fa "const unsigned char *user_key"
-.Fa "int effective_bits"
-.Fc
-.Ft void
-.Fo RC2_encrypt
-.Fa "unsigned long *data"
-.Fa "RC2_KEY *expanded_key"
-.Fc
-.Ft void
-.Fo RC2_decrypt
-.Fa "unsigned long *data"
-.Fa "RC2_KEY *expanded_key"
-.Fc
-.Ft void
-.Fo RC2_cbc_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "long length"
-.Fa "RC2_KEY *expanded_key"
-.Fa "unsigned char *iv"
-.Fa "int encrypt"
-.Fc
-.Ft void
-.Fo RC2_ecb_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "RC2_KEY *expanded_key"
-.Fa "int encrypt"
-.Fc
-.Ft void
-.Fo RC2_cfb64_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "long length"
-.Fa "RC2_KEY *expanded_key"
-.Fa "unsigned char *iv"
-.Fa "int *num"
-.Fa "int encrypt"
-.Fc
-.Ft void
-.Fo RC2_ofb64_encrypt
-.Fa "const unsigned char *in"
-.Fa "unsigned char *out"
-.Fa "long length"
-.Fa "RC2_KEY *expanded_key"
-.Fa "unsigned char *iv"
-.Fa "int *num"
-.Fc
-.Sh DESCRIPTION
-RC2 is a block cipher operating on blocks of
-.Dv RC2_BLOCK No = 8
-bytes, equivalent to 64 bits, using a variable key length
-with an additional parameter called
-.Dq effective key bits
-or
-.Dq effective key length .
-The maximum effective key length is 1024 bits.
-.Pp
-If using RC2 cannot be avoided, it is recommended that application
-programs use the
-.Xr EVP_rc2_cbc 3
-family of functions instead of the functions documented in the present
-manual page, to ease later migration to less outdated encryption algorithms.
-.Pp
-.Fn RC2_set_key
-expands the first
-.Fa len
-bytes of
-.Fa user_key
-into the
-.Vt RC2_KEY
-structure
-.Pf * Fa expanded_key .
-The storage for the expanded key has to be provided by the calling code.
-If the
-.Fa len
-argument exceeds 128, only the first 128 bytes are used.
-.Pp
-Optionally, if the
-.Fa effective_bits
-argument is positive and less than 1024, the effective key length of
-.Pf * Fa expanded_key
-is reduced to
-.Fa effective_bits .
-Reducing the effective key length is not cryptographically useful.
-This option was originally designed to conform to US export regulations
-valid at the time, which were designed to allow the US government
-to spy on foreign encrypted communications.
-Unless interoperability requires otherwise, setting
-.Fa effective_bits
-to 1024 is recommended.
-.Pp
-.Fn RC2_encrypt
-and
-.Fn RC2_decrypt
-interpret
-.Fa data
-as an array of two 32 bit integers and encrypt or decrypt
-that single block in place, respectively, using the
-.Fa expanded_key .
-.Pp
-The remaining functions encode or decode
-.Fa length
-bytes starting at
-.Fa in
-to
-.Fa length
-bytes starting at
-.Fa out
-in various modes of operation using the
-.Fa expanded_key .
-Both arrays need to be long enough to hold
-.Fa length
-bytes rounded up to the next multiple of 8.
-The
-.Fa iv
-argument points to an array of 8 bytes used as the initialization vector.
-If the
-.Fa encrypt
-argument is
-.Dv RC2_ENCRYPT
-or another non-zero value, encryption is performed;
-if it is
-.Dv RC2_DECRYPT No = 0 ,
-decryption is performed.
-.Pp
-.Fn RC2_cbc_encrypt
-operates in cipher block chaining mode.
-.Pp
-.Fn RC2_ecb_encrypt
-encodes or decodes eight bytes at
-.Fa in
-to
-eight bytes at
-.Fa out
-in electronic codebook mode.
-.Pp
-.Fn RC2_cfb64_encrypt
-and
-.Fn RC2_ofb64_encrypt
-operate in cipher feedback mode and output feedback mode, respectively,
-with 64 bit blocks.
-The number of bytes used from the last 8 byte block is kept track of in
-.Pf * Fa num .
-.Sh SEE ALSO
-.Xr crypto 3 ,
-.Xr EVP_EncryptInit 3 ,
-.Xr EVP_rc2_cbc 3
-.Sh HISTORY
-.Fn RC2_set_key ,
-.Fn RC2_encrypt ,
-.Fn RC2_cbc_encrypt ,
-.Fn RC2_ecb_encrypt ,
-.Fn RC2_cfb64_encrypt ,
-and
-.Fn RC2_ofb64_encrypt
-first appeared in SSLeay 0.5.2.
-.Fn RC2_decrypt
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/RC4.3 b/src/lib/libcrypto/man/RC4.3
deleted file mode 100644
index 8b20a434b7..0000000000
--- a/src/lib/libcrypto/man/RC4.3
+++ /dev/null
@@ -1,126 +0,0 @@
-.\"     $OpenBSD: RC4.3,v 1.8 2020/03/29 17:05:02 schwarze Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 29 2020 $
-.Dt RC4 3
-.Os
-.Sh NAME
-.Nm RC4_set_key ,
-.Nm RC4
-.Nd RC4 encryption
-.Sh SYNOPSIS
-.In openssl/rc4.h
-.Ft void
-.Fo RC4_set_key
-.Fa "RC4_KEY *key"
-.Fa "int len"
-.Fa "const unsigned char *data"
-.Fc
-.Ft void
-.Fo RC4
-.Fa "RC4_KEY *key"
-.Fa "unsigned long len"
-.Fa "const unsigned char *indata"
-.Fa "unsigned char *outdata"
-.Fc
-.Sh DESCRIPTION
-This library implements the alleged RC4 cipher, which is described for
-example in
-.Qq Applied Cryptography .
-It is believed to be compatible with RC4[TM], a proprietary cipher of
-RSA Security Inc.
-.Pp
-RC4 is a stream cipher with variable key length.
-Typically, 128-bit (16-byte) keys are used for strong encryption, but
-shorter insecure key sizes have been widely used due to export
-restrictions.
-.Pp
-RC4 consists of a key setup phase and the actual encryption or
-decryption phase.
-.Pp
-.Fn RC4_set_key
-sets up the
-.Vt RC4_KEY
-.Fa key
-using the
-.Fa len
-bytes long key at
-.Fa data .
-.Pp
-.Fn RC4
-encrypts or decrypts the
-.Fa len
-bytes of data at
-.Fa indata
-using
-.Fa key
-and places the result at
-.Fa outdata .
-Repeated
-.Fn RC4
-calls with the same
-.Fa key
-yield a continuous key stream.
-.Pp
-Since RC4 is a stream cipher (the input is XOR'ed with a pseudo-random
-key stream to produce the output), decryption uses the same function
-calls as encryption.
-.Sh SEE ALSO
-.Xr blowfish 3 ,
-.Xr EVP_EncryptInit 3 ,
-.Xr EVP_rc4 3
-.Sh HISTORY
-.Fn RC4_set_key
-and
-.Fn RC4
-appeared in SSLeay 0.4 or earlier and have been available since
-.Ox 2.4 .
-.Sh BUGS
-This cipher is broken and should no longer be used.
diff --git a/src/lib/libcrypto/man/RIPEMD160.3 b/src/lib/libcrypto/man/RIPEMD160.3
deleted file mode 100644
index 43c6694036..0000000000
--- a/src/lib/libcrypto/man/RIPEMD160.3
+++ /dev/null
@@ -1,154 +0,0 @@
-.\" $OpenBSD: RIPEMD160.3,v 1.8 2024/05/26 09:54:16 tb Exp $
-.\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2006, 2014 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 26 2024 $
-.Dt RIPEMD160 3
-.Os
-.Sh NAME
-.Nm RIPEMD160 ,
-.Nm RIPEMD160_Init ,
-.Nm RIPEMD160_Update ,
-.Nm RIPEMD160_Final
-.Nd RIPEMD-160 hash function
-.Sh SYNOPSIS
-.In openssl/ripemd.h
-.Ft unsigned char *
-.Fo RIPEMD160
-.Fa "const unsigned char *d"
-.Fa "unsigned long n"
-.Fa "unsigned char *md"
-.Fc
-.Ft int
-.Fo RIPEMD160_Init
-.Fa "RIPEMD160_CTX *c"
-.Fc
-.Ft int
-.Fo RIPEMD160_Update
-.Fa "RIPEMD160_CTX *c"
-.Fa "const void *data"
-.Fa "unsigned long len"
-.Fc
-.Ft int
-.Fo RIPEMD160_Final
-.Fa "unsigned char *md"
-.Fa "RIPEMD160_CTX *c"
-.Fc
-.Sh DESCRIPTION
-RIPEMD-160 is a cryptographic hash function with a 160-bit output.
-.Pp
-.Fn RIPEMD160
-computes the RIPEMD-160 message digest of the
-.Fa n
-bytes at
-.Fa d
-and places it in
-.Fa md ,
-which must have space for
-.Dv RIPEMD160_DIGEST_LENGTH
-== 20 bytes of output.
-.Pp
-The following functions may be used if the message is not completely
-stored in memory:
-.Pp
-.Fn RIPEMD160_Init
-initializes a
-.Vt RIPEMD160_CTX
-structure.
-.Pp
-.Fn RIPEMD160_Update
-can be called repeatedly with chunks of the message to be hashed
-.Pq Fa len No bytes at Fa data .
-.Pp
-.Fn RIPEMD160_Final
-places the message digest in
-.Fa md ,
-which must have space for
-.Dv RIPEMD160_DIGEST_LENGTH
-== 20 bytes of output,
-and erases the
-.Vt RIPEMD160_CTX .
-.Pp
-Applications should use the higher level functions
-.Xr EVP_DigestInit 3
-etc. instead of calling the hash functions directly.
-.Sh RETURN VALUES
-.Fn RIPEMD160
-returns a pointer to the hash value.
-.Pp
-.Fn RIPEMD160_Init ,
-.Fn RIPEMD160_Update ,
-and
-.Fn RIPEMD160_Final
-return 1 for success or 0 otherwise.
-.Sh SEE ALSO
-.Xr EVP_DigestInit 3 ,
-.Xr HMAC 3
-.Sh STANDARDS
-.Bd -unfilled
-ISO/IEC 10118-3:2004/Cor 1:2011
-Hash-functions \(em Part 3: Dedicated hash-functions
-Clause 7: RIPEMD-160
-.Ed
-.Sh HISTORY
-.Fn RIPEMD160 ,
-.Fn RIPEMD160_Init ,
-.Fn RIPEMD160_Update ,
-and
-.Fn RIPEMD160_Final
-first appeared in SSLeay 0.9.0 and have been available since
-.Ox 2.4 .
-.Sh CAVEATS
-Other implementations allow
-.Fa md
-in
-.Fn RIPEMD160
-to be
-.Dv NULL
-and return a static array, which is not thread safe.
diff --git a/src/lib/libcrypto/man/RSA_PSS_PARAMS_new.3 b/src/lib/libcrypto/man/RSA_PSS_PARAMS_new.3
deleted file mode 100644
index f69f33dbe5..0000000000
--- a/src/lib/libcrypto/man/RSA_PSS_PARAMS_new.3
+++ /dev/null
@@ -1,60 +0,0 @@
-.\"     $OpenBSD: RSA_PSS_PARAMS_new.3,v 1.4 2019/06/06 01:06:59 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 6 2019 $
-.Dt RSA_PSS_PARAMS_NEW 3
-.Os
-.Sh NAME
-.Nm RSA_PSS_PARAMS_new ,
-.Nm RSA_PSS_PARAMS_free
-.Nd probabilistic signature scheme with RSA hashing
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft RSA_PSS_PARAMS *
-.Fn RSA_PSS_PARAMS_new void
-.Ft void
-.Fn RSA_PSS_PARAMS_free "RSA_PSS_PARAMS *params"
-.Sh DESCRIPTION
-.Fn RSA_PSS_PARAMS_new
-allocates and initializes an empty
-.Vt RSA_PSS_PARAMS
-object, representing an ASN.1
-.Vt RSASSA-PSS-params
-structure defined in RFC 8017 appendix A.2.3.
-It references the hash function and the mask generation function
-and stores the length of the salt and the trailer field number.
-.Fn RSA_PSS_PARAMS_free
-frees
-.Fa params .
-.Sh RETURN VALUES
-.Fn RSA_PSS_PARAMS_new
-returns the new
-.Vt RSA_PSS_PARAMS
-object or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr RSA_new 3 ,
-.Xr RSA_padding_add_PKCS1_type_1 3 ,
-.Xr X509_sign 3
-.Sh STANDARDS
-RFC 8017: PKCS#1: RSA Cryptography Specifications Version 2.2
-.Sh HISTORY
-.Fn RSA_PSS_PARAMS_new
-and
-.Fn RSA_PSS_PARAMS_free
-first appeared in OpenSSL 1.0.1 and have been available since
-.Ox 5.3 .
diff --git a/src/lib/libcrypto/man/RSA_blinding_on.3 b/src/lib/libcrypto/man/RSA_blinding_on.3
deleted file mode 100644
index bd2a301377..0000000000
--- a/src/lib/libcrypto/man/RSA_blinding_on.3
+++ /dev/null
@@ -1,97 +0,0 @@
-.\"     $OpenBSD: RSA_blinding_on.3,v 1.7 2023/07/26 20:08:59 tb Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 26 2023 $
-.Dt RSA_BLINDING_ON 3
-.Os
-.Sh NAME
-.Nm RSA_blinding_on ,
-.Nm RSA_blinding_off
-.Nd protect the RSA operation from timing attacks
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft int
-.Fo RSA_blinding_on
-.Fa "RSA *rsa"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft void
-.Fo RSA_blinding_off
-.Fa "RSA *rsa"
-.Fc
-.Sh DESCRIPTION
-RSA is vulnerable to timing attacks.
-In a setup where attackers can measure the time of RSA decryption or
-signature operations, blinding must be used to protect the RSA operation
-from that attack.
-.Pp
-.Fn RSA_blinding_on
-turns blinding on for key
-.Fa rsa
-and generates a random blinding factor.
-.Fa ctx
-is
-.Dv NULL
-or a pre-allocated and initialized
-.Vt BN_CTX .
-.Pp
-.Fn RSA_blinding_off
-turns blinding off and frees the memory used for the blinding factor.
-.Sh RETURN VALUES
-.Fn RSA_blinding_on
-returns 1 on success, and 0 if an error occurred.
-.Sh SEE ALSO
-.Xr RSA_new 3
-.Sh HISTORY
-.Fn RSA_blinding_on
-and
-.Fn RSA_blinding_off
-first appeared in SSLeay 0.9.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/RSA_check_key.3 b/src/lib/libcrypto/man/RSA_check_key.3
deleted file mode 100644
index 36b613b3a5..0000000000
--- a/src/lib/libcrypto/man/RSA_check_key.3
+++ /dev/null
@@ -1,130 +0,0 @@
-.\"     $OpenBSD: RSA_check_key.3,v 1.10 2023/11/19 21:06:15 tb Exp $
-.\"     OpenSSL 6859cf74 Sep 25 13:33:28 2002 +0000
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org> and
-.\" Geoff Thorpe <geoff@openssl.org>.
-.\" Copyright (c) 2000, 2002 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 19 2023 $
-.Dt RSA_CHECK_KEY 3
-.Os
-.Sh NAME
-.Nm RSA_check_key
-.Nd validate private RSA keys
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft int
-.Fo RSA_check_key
-.Fa "RSA *rsa"
-.Fc
-.Sh DESCRIPTION
-This function validates RSA keys.
-It checks that
-.Fa rsa->p
-and
-.Fa rsa->q
-are in fact prime, and that
-.Fa rsa->n
-satisfies n = p*q.
-.Pp
-It also checks that
-.Fa rsa->d
-and
-.Fa rsa->e
-satisfy d*e = 1 mod ((p-1)*(q-1)),
-and that
-.Fa rsa->dmp1 ,
-.Fa rsa->dmq1 ,
-and
-.Fa resa->iqmp
-are set correctly or are
-.Dv NULL .
-.Pp
-This function does not work on RSA public keys that have only the
-modulus and public exponent elements populated.
-It performs integrity checks on all the RSA key material, so the
-.Vt RSA
-key structure must contain all the private key data too.
-Therefore, it cannot be used with any arbitrary
-.Vt RSA
-key object, even if it is otherwise fit for regular RSA operation.
-.Sh RETURN VALUES
-.Fn RSA_check_key
-returns 1 if
-.Fa rsa
-is a valid RSA key, and 0 otherwise.
--1 is returned if an error occurs while checking the key.
-.Pp
-If the key is invalid or an error occurred, the reason code can be
-obtained using
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr BN_is_prime_ex 3 ,
-.Xr RSA_get0_key 3 ,
-.Xr RSA_new 3
-.Sh HISTORY
-.Fn RSA_check_key
-first appeared in OpenSSL 0.9.4 and has been available since
-.Ox 2.6 .
-.Sh BUGS
-A method of verifying the RSA key using opaque RSA API functions might
-need to be considered.
-Right now
-.Fn RSA_check_key
-simply uses the
-.Vt RSA
-structure elements directly, bypassing the
-.Vt RSA_METHOD
-table altogether (and completely violating encapsulation and
-object-orientation in the process).
-The best fix will probably be to introduce a
-.Fn check_key
-handler
-to the
-.Vt RSA_METHOD
-function table so that alternative implementations can also provide
-their own verifiers.
diff --git a/src/lib/libcrypto/man/RSA_generate_key.3 b/src/lib/libcrypto/man/RSA_generate_key.3
deleted file mode 100644
index 83703b1eaa..0000000000
--- a/src/lib/libcrypto/man/RSA_generate_key.3
+++ /dev/null
@@ -1,164 +0,0 @@
-.\"     $OpenBSD: RSA_generate_key.3,v 1.13 2019/06/10 14:58:48 schwarze Exp $
-.\"     OpenSSL RSA_generate_key.pod bb6c5e7f Feb 5 10:29:22 2017 -0500
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 10 2019 $
-.Dt RSA_GENERATE_KEY 3
-.Os
-.Sh NAME
-.Nm RSA_generate_key_ex ,
-.Nm RSA_generate_key
-.Nd generate RSA key pair
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft int
-.Fo RSA_generate_key_ex
-.Fa "RSA *rsa"
-.Fa "int bits"
-.Fa "BIGNUM *e"
-.Fa "BN_GENCB *cb"
-.Fc
-.Pp
-Deprecated:
-.Pp
-.Ft RSA *
-.Fo RSA_generate_key
-.Fa "int num"
-.Fa "unsigned long e"
-.Fa "void (*callback)(int, int, void *)"
-.Fa "void *cb_arg"
-.Fc
-.Sh DESCRIPTION
-.Fn RSA_generate_key_ex
-generates a key pair and stores it in
-.Fa rsa .
-.Pp
-The modulus size will be of length
-.Fa bits ,
-and the public exponent will be
-.Fa e .
-Key sizes with
-.Fa num
-< 1024 should be considered insecure.
-The exponent is an odd number, typically 3, 17 or 65537.
-.Pp
-A callback function may be used to provide feedback about the progress
-of the key generation.
-If
-.Fa cb
-is not
-.Dv NULL ,
-it will be called as follows using the
-.Xr BN_GENCB_call 3
-function:
-.Bl -bullet
-.It
-While a random prime number is generated, it is called as described in
-.Xr BN_generate_prime 3 .
-.It
-When the
-.Fa n Ns -th
-randomly generated prime is rejected as not suitable for
-the key,
-.Fn BN_GENCB_call cb 2 n
-is called.
-.It
-When a random p has been found with p-1 relatively prime to
-.Fa e ,
-it is called as
-.Fn BN_GENCB_call cb 3 0 .
-.El
-.Pp
-The process is then repeated for prime q with
-.Fn BN_GENCB_call cb 3 1 .
-.Pp
-.Fn RSA_generate_key
-is deprecated.
-New applications should use
-.Fn RSA_generate_key_ex
-instead.
-.Fn RSA_generate_key
-works in the same way as
-.Fn RSA_generate_key_ex
-except it uses "old style" call backs.
-See
-.Xr BN_generate_prime 3
-for further details.
-.Sh RETURN VALUES
-.Fn RSA_generate_key_ex
-returns 1 on success or 0 on error.
-.Fn RSA_generate_key
-returns the key on success or
-.Dv NULL
-on error.
-.Pp
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr BN_generate_prime 3 ,
-.Xr RSA_get0_key 3 ,
-.Xr RSA_meth_set_keygen 3 ,
-.Xr RSA_new 3
-.Sh HISTORY
-.Fn RSA_generate_key
-appeared in SSLeay 0.4 or earlier and had its
-.Fa cb_arg
-argument added in SSLeay 0.9.0.
-It has been available since
-.Ox 2.4 .
-.Pp
-.Fn RSA_generate_key_ex
-first appeared in OpenSSL 0.9.8 and has been available since
-.Ox 4.5 .
-.Sh BUGS
-.Fn BN_GENCB_call cb 2 x
-is used with two different meanings.
-.Pp
-.Fn RSA_generate_key
-goes into an infinite loop for illegal input values.
diff --git a/src/lib/libcrypto/man/RSA_get0_key.3 b/src/lib/libcrypto/man/RSA_get0_key.3
deleted file mode 100644
index f09fb00d2b..0000000000
--- a/src/lib/libcrypto/man/RSA_get0_key.3
+++ /dev/null
@@ -1,460 +0,0 @@
-.\" $OpenBSD: RSA_get0_key.3,v 1.8 2025/01/05 15:40:42 tb Exp $
-.\" selective merge up to: OpenSSL 665d899f Aug 2 02:19:43 2017 +0800
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Richard Levitte <levitte@openssl.org>
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 5 2025 $
-.Dt RSA_GET0_KEY 3
-.Os
-.Sh NAME
-.Nm RSA_get0_key ,
-.Nm RSA_get0_n ,
-.Nm RSA_get0_e ,
-.Nm RSA_get0_d ,
-.Nm RSA_set0_key ,
-.Nm RSA_get0_factors ,
-.Nm RSA_get0_p ,
-.Nm RSA_get0_q ,
-.Nm RSA_set0_factors ,
-.Nm RSA_get0_crt_params ,
-.Nm RSA_get0_dmp1 ,
-.Nm RSA_get0_dmq1 ,
-.Nm RSA_get0_iqmp ,
-.Nm RSA_set0_crt_params ,
-.Nm RSA_clear_flags ,
-.Nm RSA_test_flags ,
-.Nm RSA_set_flags
-.Nd get and set data in an RSA object
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft void
-.Fo RSA_get0_key
-.Fa "const RSA *r"
-.Fa "const BIGNUM **n"
-.Fa "const BIGNUM **e"
-.Fa "const BIGNUM **d"
-.Fc
-.Ft "const BIGNUM *"
-.Fo RSA_get0_n
-.Fa "const RSA *r"
-.Fc
-.Ft "const BIGNUM *"
-.Fo RSA_get0_e
-.Fa "const RSA *r"
-.Fc
-.Ft "const BIGNUM *"
-.Fo RSA_get0_d
-.Fa "const RSA *r"
-.Fc
-.Ft int
-.Fo RSA_set0_key
-.Fa "RSA *r"
-.Fa "BIGNUM *n"
-.Fa "BIGNUM *e"
-.Fa "BIGNUM *d"
-.Fc
-.Ft void
-.Fo RSA_get0_factors
-.Fa "const RSA *r"
-.Fa "const BIGNUM **p"
-.Fa "const BIGNUM **q"
-.Fc
-.Ft "const BIGNUM *"
-.Fo RSA_get0_p
-.Fa "const RSA *r"
-.Fc
-.Ft "const BIGNUM *"
-.Fo RSA_get0_q
-.Fa "const RSA *r"
-.Fc
-.Ft int
-.Fo RSA_set0_factors
-.Fa "RSA *r"
-.Fa "BIGNUM *p"
-.Fa "BIGNUM *q"
-.Fc
-.Ft void
-.Fo RSA_get0_crt_params
-.Fa "const RSA *r"
-.Fa "const BIGNUM **dmp1"
-.Fa "const BIGNUM **dmq1"
-.Fa "const BIGNUM **iqmp"
-.Fc
-.Ft "const BIGNUM *"
-.Fo RSA_get0_dmp1
-.Fa "const RSA *r"
-.Fc
-.Ft "const BIGNUM *"
-.Fo RSA_get0_dmq1
-.Fa "const RSA *r"
-.Fc
-.Ft "const BIGNUM *"
-.Fo RSA_get0_iqmp
-.Fa "const RSA *r"
-.Fc
-.Ft int
-.Fo RSA_set0_crt_params
-.Fa "RSA *r"
-.Fa "BIGNUM *dmp1"
-.Fa "BIGNUM *dmq1"
-.Fa "BIGNUM *iqmp"
-.Fc
-.Ft void
-.Fo RSA_clear_flags
-.Fa "RSA *r"
-.Fa "int flags"
-.Fc
-.Ft int
-.Fo RSA_test_flags
-.Fa "const RSA *r"
-.Fa "int flags"
-.Fc
-.Ft void
-.Fo RSA_set_flags
-.Fa "RSA *r"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-An
-.Vt RSA
-object contains the components for the public and private key.
-.Fa n
-is the modulus common to both public and private key,
-.Fa e
-is the public exponent and
-.Fa d
-is the private exponent.
-.Fa p ,
-.Fa q ,
-.Fa dmp1 ,
-.Fa dmq1 ,
-and
-.Fa iqmp
-are the factors for the second representation of a private key
-(see PKCS#1 section 3 Key Types), where
-.Fa p
-and
-.Fa q
-are the first and second factor of
-.Fa n .
-.Fa dmp1 ,
-.Fa dmq1 ,
-and
-.Fa iqmp
-are the exponents and coefficient
-for Chinese Remainder Theorem (CRT) calculations.
-.Pp
-The
-.Fa n ,
-.Fa e ,
-and
-.Fa d
-parameters can be obtained by calling
-.Fn RSA_get0_key .
-If they have not been set yet, then
-.Pf * Fa n ,
-.Pf * Fa e ,
-and
-.Pf * Fa d
-are set to
-.Dv NULL .
-Otherwise, they are set to pointers to the internal representations
-of the values that should not be freed by the caller.
-.Pp
-The
-.Fa n ,
-.Fa e ,
-and
-.Fa d
-parameter values can be set by calling
-.Fn RSA_set0_key .
-The values
-.Fa n
-and
-.Fa e
-must be
-.Pf non- Dv NULL
-the first time this function is called on a given
-.Vt RSA
-object.
-The value
-.Fa d
-may be
-.Dv NULL .
-On subsequent calls, any of these values may be
-.Dv NULL ,
-which means that the corresponding field is left untouched.
-Calling this function transfers the memory management of the values to
-the RSA object.
-Therefore, the values that have been passed in
-should not be freed by the caller.
-.Pp
-In a similar fashion, the
-.Fa p
-and
-.Fa q
-parameters can be obtained and set with
-.Fn RSA_get0_factors
-and
-.Fn RSA_set0_factors ,
-and the
-.Fa dmp1 ,
-.Fa dmq1 ,
-and
-.Fa iqmp
-parameters can be obtained and set with
-.Fn RSA_get0_crt_params
-and
-.Fn RSA_set0_crt_params .
-.Pp
-For
-.Fn RSA_get0_key ,
-.Fn RSA_get0_factors ,
-and
-.Fn RSA_get0_crt_params ,
-.Dv NULL
-value
-.Vt BIGNUM **
-output arguments are permitted.
-The functions
-ignore
-.Dv NULL
-arguments but return values for other,
-.Pf non- Dv NULL ,
-arguments.
-.Pp
-Values retrieved with
-.Fn RSA_get0_key ,
-.Fn RSA_get0_factors ,
-and
-.Fn RSA_get0_crt_params
-are owned by the
-.Vt RSA
-object used in the call and may therefore
-.Em not
-be passed to
-.Fn RSA_set0_key ,
-.Fn RSA_set0_factors ,
-or
-.Fn RSA_set0_crt_params .
-If needed, duplicate the received value using
-.Xr BN_dup 3
-and pass the duplicate.
-.Pp
-Any of the values
-.Fa n ,
-.Fa e ,
-.Fa d ,
-.Fa p ,
-.Fa q ,
-.Fa dmp1 ,
-.Fa dmq1 ,
-and
-.Fa iqmp
-can also be retrieved separately by the corresponding functions
-.Fn RSA_get0_n ,
-.Fn RSA_get0_e ,
-.Fn RSA_get0_d ,
-.Fn RSA_get0_p ,
-.Fn RSA_get0_q ,
-.Fn RSA_get0_dmp1 ,
-.Fn RSA_get0_dmq1 ,
-and
-.Fn RSA_get0_iqmp ,
-respectively.
-The pointers are owned by the
-.Vt RSA
-object.
-.Pp
-.Fn RSA_clear_flags
-clears the specified
-.Fa flags
-in
-.Fa r .
-.Fn RSA_test_flags
-tests the
-.Fa flags
-in
-.Fa r .
-.Fn RSA_set_flags
-sets the
-.Fa flags
-in
-.Fa r ;
-any flags already set remain set.
-For all three functions, multiple flags can be passed in one call,
-OR'ed together bitwise.
-.Pp
-The following flags are supported:
-.Bl -tag -width Ds
-.It Dv RSA_FLAG_CACHE_PRIVATE No and Dv RSA_FLAG_CACHE_PUBLIC
-Precompute information needed for Montgomery multiplication
-from the private and public key, respectively, and cache it in
-.Fa r
-for repeated use.
-These two flags are set by default for the default RSA implementation,
-.Xr RSA_PKCS1_SSLeay 3 .
-.It Dv RSA_FLAG_EXT_PKEY
-The function set with
-.Xr RSA_meth_set_mod_exp 3
-is used for private key operations even if
-.Fa p ,
-.Fa q ,
-.Fa dmp1 ,
-.Fa dmq1 ,
-and
-.Fa iqmp
-are all
-.Dv NULL .
-This flag may be useful with RSA implementations that do not use the
-private key components stored in the standard fields, for example
-because they store the private key in external hardware.
-If this flag is unset, the function set with
-.Xr RSA_meth_set_bn_mod_exp 3
-is used with
-.Fa n
-and
-.Fa d
-instead.
-.It Dv RSA_FLAG_NO_BLINDING
-Turn off blinding during private key encryption and decryption.
-This flag is set by
-.Xr RSA_blinding_off 3 .
-.It Dv RSA_FLAG_SIGN_VER
-This flag has no effect.
-It is provided only for backward compatibility with legacy applications.
-.El
-.Pp
-The flags
-.Dv RSA_FLAG_BLINDING ,
-.Dv RSA_FLAG_CHECKED ,
-.Dv RSA_FLAG_FIPS_METHOD ,
-.Dv RSA_FLAG_NON_FIPS_ALLOW ,
-and
-.Dv RSA_FLAG_THREAD_SAFE
-are defined for compatibility with existing code but have no effect.
-.Sh RETURN VALUES
-.Fn RSA_get0_n ,
-.Fn RSA_get0_e ,
-.Fn RSA_get0_d ,
-.Fn RSA_get0_p ,
-.Fn RSA_get0_q ,
-.Fn RSA_get0_dmp1 ,
-.Fn RSA_get0_dmq1 ,
-and
-.Fn RSA_get0_iqmp
-return a pointer owned by the
-.Vt RSA
-object if the corresponding value has been set,
-otherwise they return
-.Dv NULL .
-.Pp
-.Fn RSA_set0_key ,
-.Fn RSA_set0_factors ,
-and
-.Fn RSA_set0_crt_params
-return 1 on success or 0 on failure.
-.Pp
-.Fn RSA_test_flags
-returns those of the given
-.Fa flags
-currently set in
-.Fa r
-or 0 if none of the given
-.Fa flags
-are set.
-.Sh SEE ALSO
-.Xr RSA_check_key 3 ,
-.Xr RSA_generate_key 3 ,
-.Xr RSA_new 3 ,
-.Xr RSA_print 3 ,
-.Xr RSA_size 3
-.Sh HISTORY
-.Fn RSA_get0_key ,
-.Fn RSA_set0_key ,
-.Fn RSA_get0_factors ,
-.Fn RSA_set0_factors ,
-.Fn RSA_get0_crt_params ,
-.Fn RSA_set0_crt_params ,
-.Fn RSA_clear_flags ,
-.Fn RSA_test_flags ,
-and
-.Fn RSA_set_flags
-first appeared in OpenSSL 1.1.0
-and have been available since
-.Ox 6.3 .
-.Pp
-.Fn RSA_get0_n ,
-.Fn RSA_get0_e ,
-.Fn RSA_get0_d ,
-.Fn RSA_get0_p ,
-.Fn RSA_get0_q ,
-.Fn RSA_get0_dmp1 ,
-.Fn RSA_get0_dmq1 ,
-and
-.Fn RSA_get0_iqmp
-first appeared in OpenSSL 1.1.1
-and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/RSA_get_ex_new_index.3 b/src/lib/libcrypto/man/RSA_get_ex_new_index.3
deleted file mode 100644
index 5f1fb4335f..0000000000
--- a/src/lib/libcrypto/man/RSA_get_ex_new_index.3
+++ /dev/null
@@ -1,382 +0,0 @@
-.\" $OpenBSD: RSA_get_ex_new_index.3,v 1.13 2023/11/19 21:08:04 tb Exp $
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 19 2023 $
-.Dt RSA_GET_EX_NEW_INDEX 3
-.Os
-.Sh NAME
-.Nm RSA_get_ex_new_index ,
-.Nm RSA_set_ex_data ,
-.Nm RSA_get_ex_data
-.Nd add application specific data to RSA objects
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft int
-.Fo RSA_get_ex_new_index
-.Fa "long argl"
-.Fa "void *argp"
-.Fa "CRYPTO_EX_new *new_func"
-.Fa "CRYPTO_EX_dup *dup_func"
-.Fa "CRYPTO_EX_free *free_func"
-.Fc
-.Ft int
-.Fo RSA_set_ex_data
-.Fa "RSA *rsa"
-.Fa "int idx"
-.Fa "void *data"
-.Fc
-.Ft void *
-.Fo RSA_get_ex_data
-.Fa "RSA *rsa"
-.Fa "int idx"
-.Fc
-.Sh DESCRIPTION
-The following parent objects can have application specific data called
-.Dq ex_data
-attached to them:
-.Vt BIO , DH , DSA , EC_KEY , RSA ,
-.Vt SSL , SSL_CTX , SSL_SESSION , UI , X509 , X509_STORE ,
-and
-.Vt X509_STORE_CTX .
-.\" CRYPTO_EX_INDEX_APP and CRYPTO_EX_INDEX_UI_METHOD are unused.
-The present manual page documents the related API functions taking the
-.Vt RSA
-object type as an example.
-The functions for the other object types work in exactly the same way:
-just replace the string
-.Qq RSA
-with the name of the respective object type
-throughout the rest of this manual page.
-.Pp
-By default, each individual
-.Vt RSA
-object can store one
-.Vt void *
-pointing to application specific data.
-That specific pointer is identified by an
-.Fa idx
-argument of 0.
-.Pp
-.Fn RSA_get_ex_new_index
-reserves the next consecutive
-.Fa idx
-argument, enabling storage of one additional
-.Vt void *
-per
-.Vt RSA
-object.
-It is typically called at program startup.
-It can be called more than once if some
-.Vt RSA
-objects need to store more than two application specific pointers.
-Reserving an additional index for one parent object type, for example for
-.Vt RSA ,
-does not change the numbers of indices that can be used
-with any other parent object type.
-.Pp
-It is strongly recommended to always pass three
-.Dv NULL
-pointers for the arguments
-.Fa new_func ,
-.Fa dup_func ,
-and
-.Fa free_func .
-When following this recommendation, the arguments
-.Fa argl
-and
-.Fa argp
-are ignored; conventionally, passing 0 and
-.Dv NULL
-is recommended.
-Because using them is discouraged, the three function callback types
-are only documented in the low-level
-.Xr CRYPTO_EX_new 3
-manual page.
-.Pp
-.Fn RSA_set_ex_data
-stores the
-.Fa data
-pointer as application specific data at the given
-.Fa idx
-in the given
-.Fa rsa
-object.
-The meaning of the data pointed to is up to the application.
-The caller retains ownership of the
-.Fa data
-and is responsible for freeing it when neither the caller nor the
-.Fa rsa
-object need it any longer.
-Any other pointer that was previously stored at the same
-.Fa idx
-in the same
-.Fa rsa
-object is silently overwritten.
-Passing a
-.Dv NULL
-pointer for the
-.Fa data
-argument is valid and indicates that no application specific data
-currently needs to be stored at the given
-.Fa idx .
-.Pp
-.Fn RSA_get_ex_data
-retrieves the last pointer that was stored using
-.Fn RSA_set_ex_data
-at the given
-.Fa idx
-in the given
-.Fa rsa
-object.
-.Sh RETURN VALUES
-.Fn RSA_get_ex_new_index
-returns a new index equal to or greater than 1
-or \-1 if memory allocation fails.
-.Pp
-.Fn RSA_set_ex_data
-returns 1 on success or 0 if memory allocation fails.
-.Pp
-.Fn RSA_get_ex_data
-returns the application specific data or
-.Dv NULL
-if
-.Fa rsa
-does not contain application specific data at the given
-.Fa idx .
-.Sh ERRORS
-After failure of
-.Fn RSA_get_ex_new_index
-or
-.Fn RSA_set_ex_data ,
-the following diagnostic can be retrieved with
-.Xr ERR_get_error 3 ,
-.Xr ERR_GET_REASON 3 ,
-and
-.Xr ERR_reason_error_string 3 :
-.Bl -tag -width Ds
-.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
-Memory allocation failed.
-.El
-.Pp
-In a few unusual failure cases,
-.Xr ERR_get_error 3
-may report different errors caused by
-.Xr OPENSSL_init_crypto 3
-or even none at all.
-.Pp
-.Fn RSA_get_ex_data
-does not distinguish success from failure.
-Consequently, after
-.Fn RSA_get_ex_data
-returns
-.Dv NULL ,
-.Xr ERR_get_error 3
-returns 0 unless there is still an earlier error in the queue.
-.Sh SEE ALSO
-.Xr BIO_set_ex_data 3 ,
-.Xr CRYPTO_set_ex_data 3 ,
-.Xr DH_set_ex_data 3 ,
-.Xr DSA_set_ex_data 3 ,
-.Xr RSA_new 3 ,
-.Xr SSL_CTX_set_ex_data 3 ,
-.Xr SSL_SESSION_set_ex_data 3 ,
-.Xr SSL_set_ex_data 3 ,
-.Xr X509_STORE_CTX_set_ex_data 3 ,
-.Xr X509_STORE_set_ex_data 3
-.Sh HISTORY
-These functions first appeared in SSLeay 0.9.0
-and have been available since
-.Ox 2.4 .
-.Sh CAVEATS
-A relatively small minority of application programs
-attempt to change the API contract such that
-.Fn RSA_set_ex_data
-transfers ownership of the
-.Fa data
-to the
-.Fa rsa
-object.
-They do this by providing a
-.Fa free_func
-that calls
-.Xr free 3
-or higher-level
-.Fn *_free
-functions on the
-.Fa data
-and sometimes also attempt additional cleanup work as a side effect.
-.Pp
-This practice is discouraged for several reasons:
-.Bl -enum
-.It
-Due to a massive design mistake in the low-level API function
-.Xr CRYPTO_free_ex_data 3 ,
-this practice creates a possibility that
-.Xr RSA_free 3
-may fail due to memory allocation failure, consequently leaking the
-memory containing the application specific data and silently skipping
-any additional cleanup work the
-.Fa free_func
-was supposed to do, leaving the application in an undetectably
-inconsistent state.
-Arguably, leaking additional memory while trying to free some
-is most unfortunate especially when the program
-is already starved for memory.
-.It
-This practice introduces a risk of use-after-free and double-free
-bugs in case the
-.Fa rsa
-object gets destructed while a caller of
-.Fn RSA_set_ex_data
-or
-.Fn RSA_get_ex_data
-still holds a
-.Fa data
-pointer.
-No such risk exists when no
-.Fa free_func
-is installed.
-.It
-Attempting additional cleanup work in
-.Fa free_func
-is an even worse idea because
-.Fa free_func
-is unable to report any issues it might detect while doing that work.
-Instead, if any additional cleanup work is needed, it is recommended
-that the calling code takes care of that before calling
-.Xr RSA_free 3 .
-.El
-.Pp
-Even fewer application programs install a
-.Fa new_func
-that allocates memory and stores a pointer to it in the
-.Fa rsa
-object by calling
-.Xr CRYPTO_set_ex_data 3 .
-That is useless because
-.Fa new_func
-does not have access to any useful information it could store in such memory
-and because the default return value of
-.Dv NULL
-from
-.Fn RSA_get_ex_data
-is sufficient to indicate
-that no application specific data has been stored yet.
-In addition, allocating memory in
-.Fa new_func
-is also inadvisable because it introduces an additional responsibility
-for callers of
-.Fn RSA_set_ex_data
-to always call
-.Fn RSA_get_ex_data
-first, even when it is the first time the application wants to set
-application specific data in a particular
-.Fa rsa
-object, and to either modify whatever
-.Fn RSA_get_ex_data
-returns or to free it before calling
-.Fn RSA_set_ex_data .
-If that is forgotten, a memory leak results.
-.Pp
-Consequently, allocating any required memory
-is better left to the application code that calls
-.Fn RSA_set_ex_data .
-.Pp
-Installing a
-.Fa dup_func
-is often seen in combination with installing a
-.Fa free_func ,
-for obvious reasons.
-It is rarely useful because for most parent object types
-that support ex_data, including for
-.Vt RSA ,
-the library does not provide a copying API function in the first place, and
-even where copying functions exist, they tend to be fragile and error-prone.
-When a new object is needed, it is usually advisable to construct it from
-scratch whenever possible, rather than attempting a copy operation.
-.Pp
-On top of that, if
-.Fa dup_func
-fails, for example because of a memory allocation failure, the
-failure is neither reported nor detectable in any way, leaving the
-new parent object with incomplete data and potentially in an
-inconsistent state.
-.Sh BUGS
-If
-.Fn RSA_set_ex_data
-fails, recovery is very difficult.
-In particular, calling
-.Xr RSA_free 3
-on the parent
-.Fa rsa
-object right afterwards is likely to also hit a memory allocation
-failure, leaking all memory internally allocated by all earlier calls of
-.Fn RSA_set_ex_data
-on
-.Fa rsa
-rather than freeing that memory.
-In order to recover, the application program
-would have to free a sufficient amount of
-.Em other
-memory before calling
-.Xr RSA_free 3 ,
-which will rarely be feasible.
-Consequently, after a failure of
-.Fn RSA_set_ex_data ,
-terminating the program is likely the only reasonable option.
-.Pp
-If
-.Fn RSA_set_ex_data
-is called with an
-.Fa idx
-argument greater than the last one previously returned from
-.Fn RSA_get_ex_new_index ,
-it may still succeed, and though that is not guaranteed by the API,
-retrieving the
-.Fa data
-from such a bogus
-.Fa idx
-may even be possible with
-.Fn RSA_get_ex_data ,
-hiding the bug in the application program that caused passing the bogus
-.Fa idx
-to
-.Fn RSA_set_ex_data
-in the first place.
-.Pp
-If the bogus
-.Fa idx
-argument is large,
-.Fn RSA_set_ex_data
-may uselessly allocate a large amount of memory.
-Calling
-.Xr RSA_free 3
-on the parent
-.Fa rsa
-object is the only way to recover that memory.
-.Pp
-If the bogus
-.Fa idx
-argument is very large,
-.Fn RSA_set_ex_data
-is likely to cause a significant delay before eventually failing
-due to memory exhaustion.
-It is likely to return without releasing the memory already
-allocated, causing any subsequent attempt to allocate memory
-for other purposes to fail, too.
-In this situation, what was said above about failure of
-.Fn RSA_set_ex_data
-applies, so terminating the program is likely the only reasonable option.
diff --git a/src/lib/libcrypto/man/RSA_meth_new.3 b/src/lib/libcrypto/man/RSA_meth_new.3
deleted file mode 100644
index a3a5c549e5..0000000000
--- a/src/lib/libcrypto/man/RSA_meth_new.3
+++ /dev/null
@@ -1,606 +0,0 @@
-.\" $OpenBSD: RSA_meth_new.3,v 1.6 2025/01/05 15:40:42 tb Exp $
-.\" full merge up to: OpenSSL a970b14f Jul 31 18:58:40 2017 -0400
-.\" selective merge up to: OpenSSL 24907560 Sep 17 07:47:42 2018 +1000
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Richard Levitte <levitte@openssl.org>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 5 2025 $
-.Dt RSA_METH_NEW 3
-.Os
-.Sh NAME
-.Nm RSA_meth_new ,
-.Nm RSA_meth_dup ,
-.Nm RSA_meth_free ,
-.Nm RSA_meth_get0_name ,
-.Nm RSA_meth_set1_name ,
-.Nm RSA_meth_get_flags ,
-.Nm RSA_meth_set_flags ,
-.Nm RSA_meth_get0_app_data ,
-.Nm RSA_meth_set0_app_data ,
-.Nm RSA_meth_get_init ,
-.Nm RSA_meth_set_init ,
-.Nm RSA_meth_get_finish ,
-.Nm RSA_meth_set_finish ,
-.Nm RSA_meth_get_pub_enc ,
-.Nm RSA_meth_set_pub_enc ,
-.Nm RSA_meth_get_pub_dec ,
-.Nm RSA_meth_set_pub_dec ,
-.Nm RSA_meth_get_priv_enc ,
-.Nm RSA_meth_set_priv_enc ,
-.Nm RSA_meth_get_priv_dec ,
-.Nm RSA_meth_set_priv_dec ,
-.Nm RSA_meth_get_sign ,
-.Nm RSA_meth_set_sign ,
-.Nm RSA_meth_get_verify ,
-.Nm RSA_meth_set_verify ,
-.Nm RSA_meth_get_mod_exp ,
-.Nm RSA_meth_set_mod_exp ,
-.Nm RSA_meth_get_bn_mod_exp ,
-.Nm RSA_meth_set_bn_mod_exp ,
-.Nm RSA_meth_get_keygen ,
-.Nm RSA_meth_set_keygen
-.Nd build up RSA methods
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft RSA_METHOD *
-.Fo RSA_meth_new
-.Fa "const char *name"
-.Fa "int flags"
-.Fc
-.Ft RSA_METHOD *
-.Fo RSA_meth_dup
-.Fa "const RSA_METHOD *meth"
-.Fc
-.Ft void
-.Fo RSA_meth_free
-.Fa "RSA_METHOD *meth"
-.Fc
-.Ft const char *
-.Fo RSA_meth_get0_name
-.Fa "const RSA_METHOD *meth"
-.Fc
-.Ft int
-.Fo RSA_meth_set1_name
-.Fa "RSA_METHOD *meth"
-.Fa "const char *name"
-.Fc
-.Ft int
-.Fo RSA_meth_get_flags
-.Fa "const RSA_METHOD *meth"
-.Fc
-.Ft int
-.Fo RSA_meth_set_flags
-.Fa "RSA_METHOD *meth"
-.Fa "int flags"
-.Fc
-.Ft void *
-.Fo RSA_meth_get0_app_data
-.Fa "const RSA_METHOD *meth"
-.Fc
-.Ft int
-.Fo RSA_meth_set0_app_data
-.Fa "RSA_METHOD *meth"
-.Fa "void *app_data"
-.Fc
-.Ft int
-.Fo "(*RSA_meth_get_init(const RSA_METHOD *meth))"
-.Fa "RSA *rsa"
-.Fc
-.Ft int
-.Fo "RSA_meth_set_init"
-.Fa "RSA_METHOD *meth"
-.Fa "int (*init)(RSA *rsa)"
-.Fc
-.Ft int
-.Fo "(*RSA_meth_get_finish(const RSA_METHOD *meth))"
-.Fa "RSA *rsa"
-.Fc
-.Ft int
-.Fo RSA_meth_set_finish
-.Fa "RSA_METHOD *meth"
-.Fa "int (*finish)(RSA *rsa)"
-.Fc
-.Ft int
-.Fo "(*RSA_meth_get_pub_enc(const RSA_METHOD *meth))"
-.Fa "int flen"
-.Fa "const unsigned char *from"
-.Fa "unsigned char *to"
-.Fa "RSA *rsa"
-.Fa "int padding"
-.Fc
-.Ft int
-.Fo RSA_meth_set_pub_enc
-.Fa "RSA_METHOD *meth"
-.Fa "int (*pub_enc)(int flen, const unsigned char *from,\
- unsigned char *to, RSA *rsa, int padding)"
-.Fc
-.Ft int
-.Fo "(*RSA_meth_get_pub_dec(const RSA_METHOD *meth))"
-.Fa "int flen"
-.Fa "const unsigned char *from"
-.Fa "unsigned char *to"
-.Fa "RSA *rsa"
-.Fa "int padding"
-.Fc
-.Ft int
-.Fo RSA_meth_set_pub_dec
-.Fa "RSA_METHOD *meth"
-.Fa "int (*pub_dec)(int flen, const unsigned char *from,\
- unsigned char *to, RSA *rsa, int padding)"
-.Fc
-.Ft int
-.Fo "(*RSA_meth_get_priv_enc(const RSA_METHOD *meth))"
-.Fa "int flen"
-.Fa "const unsigned char *from"
-.Fa "unsigned char *to"
-.Fa "RSA *rsa"
-.Fa "int padding"
-.Fc
-.Ft int
-.Fo RSA_meth_set_priv_enc
-.Fa "RSA_METHOD *meth"
-.Fa "int (*priv_enc)(int flen, const unsigned char *from,\
- unsigned char *to, RSA *rsa, int padding)"
-.Fc
-.Ft int
-.Fo "(*RSA_meth_get_priv_dec(const RSA_METHOD *meth))"
-.Fa "int flen"
-.Fa "const unsigned char *from"
-.Fa "unsigned char *to"
-.Fa "RSA *rsa"
-.Fa "int padding"
-.Fc
-.Ft int
-.Fo RSA_meth_set_priv_dec
-.Fa "RSA_METHOD *meth"
-.Fa "int (*priv_dec)(int flen, const unsigned char *from,\
- unsigned char *to, RSA *rsa, int padding)"
-.Fc
-.Ft int
-.Fo "(*RSA_meth_get_sign(const RSA_METHOD *meth))"
-.Fa "int type"
-.Fa "const unsigned char *m"
-.Fa "unsigned int m_length"
-.Fa "unsigned char *sigret"
-.Fa "unsigned int *siglen"
-.Fa "const RSA *rsa"
-.Fc
-.Ft int
-.Fo RSA_meth_set_sign
-.Fa "RSA_METHOD *rsa"
-.Fa "int (*sign)(int type, const unsigned char *m, unsigned int m_length,\
- unsigned char *sigret, unsigned int *siglen, const RSA *rsa)"
-.Fc
-.Ft int
-.Fo "(*RSA_meth_get_verify(const RSA_METHOD *meth))"
-.Fa "int dtype"
-.Fa "const unsigned char *m"
-.Fa "unsigned int m_length"
-.Fa "const unsigned char *sigbuf"
-.Fa "unsigned int siglen"
-.Fa "const RSA *rsa"
-.Fc
-.Ft int
-.Fo RSA_meth_set_verify
-.Fa "RSA_METHOD *rsa"
-.Fa "int (*verify)(int dtype, const unsigned char *m,\
- unsigned int m_length, const unsigned char *sigbuf,\
- unsigned int siglen, const RSA *rsa)"
-.Fc
-.Ft int
-.Fo "(*RSA_meth_get_mod_exp(const RSA_METHOD *meth))"
-.Fa "BIGNUM *r0"
-.Fa "const BIGNUM *i"
-.Fa "RSA *rsa"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo RSA_meth_set_mod_exp
-.Fa "RSA_METHOD *meth"
-.Fa "int (*mod_exp)(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx)"
-.Fc
-.Ft int
-.Fo "(*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))"
-.Fa "BIGNUM *r"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *p"
-.Fa "const BIGNUM *m"
-.Fa "BN_CTX *ctx"
-.Fa "BN_MONT_CTX *m_ctx"
-.Fc
-.Ft int
-.Fo RSA_meth_set_bn_mod_exp
-.Fa "RSA_METHOD *meth"
-.Fa "int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,\
- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)"
-.Fc
-.Ft int
-.Fo "(*RSA_meth_get_keygen(const RSA_METHOD *meth))"
-.Fa "RSA *rsa"
-.Fa "int bits"
-.Fa "BIGNUM *e"
-.Fa "BN_GENCB *cb"
-.Fc
-.Ft int
-.Fo RSA_meth_set_keygen
-.Fa "RSA_METHOD *meth"
-.Fa "int (*keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)"
-.Fc
-.Sh DESCRIPTION
-The
-.Vt RSA_METHOD
-structure holds function pointers for custom RSA implementations.
-.Pp
-.Fn RSA_meth_new
-creates a new
-.Vt RSA_METHOD
-structure.
-A copy of the NUL-terminated
-.Fa name
-is stored in the new
-.Vt RSA_METHOD
-object.
-Any new
-.Vt RSA
-object constructed from this
-.Vt RSA_METHOD
-will have the given
-.Fa flags
-set by default, as if they were set with
-.Xr RSA_set_flags 3 .
-.Pp
-.Fn RSA_meth_dup
-creates a deep copy of
-.Fa meth ,
-except that a pointer stored into it with
-.Fn RSA_meth_set0_app_data
-is copied as a pointer without creating a copy of its content.
-This might be useful for creating a new
-.Vt RSA_METHOD
-based on an existing one, but with some differences.
-.Pp
-.Fn RSA_meth_free
-destroys
-.Fa meth
-and frees any memory associated with it,
-except that memory pointed to by a pointer set with
-.Fn RSA_meth_set0_app_data
-is not freed.
-If
-.Fa meth
-is
-.Dv NULL ,
-no action occurs.
-.Pp
-.Fn RSA_meth_get0_name
-returns an internal pointer to the name of
-.Fa meth .
-.Fn RSA_meth_set1_name
-stores a copy of the NUL-terminated
-.Fa name
-in the
-.Vt RSA_METHOD
-object after freeing the previously stored name.
-Method names are ignored by the default RSA implementation
-but can be used by alternative implementations
-and by the application program.
-.Pp
-.Fn RSA_meth_get_flags
-retrieves the flags from
-.Fa meth .
-Flags are documented in
-.Xr RSA_test_flags 3 .
-.Fn RSA_meth_set_flags
-overwrites all flags in
-.Fa meth .
-Unlike
-.Xr RSA_set_flags 3 ,
-it does not preserve any flags that were set before the call.
-.Pp
-.Fn RSA_meth_get0_app_data
-and
-.Fn RSA_meth_set0_app_data
-get and set a pointer to implementation-specific data.
-The function
-.Fn RSA_meth_free
-does not
-.Xr free 3
-the memory pointed to by
-.Fa app_data .
-The default RSA implementation does not use
-.Fa app_data .
-.Pp
-.Fn RSA_meth_get_init
-and
-.Fn RSA_meth_set_init
-get and set an optional function used when creating a new
-.Vt RSA
-object.
-Unless
-.Fa init
-is
-.Dv NULL ,
-it will be called at the end of
-.Xr RSA_new 3 ,
-.Xr RSA_new_method 3 ,
-and
-.Xr RSA_set_method 3 ,
-passing a pointer to the newly allocated or reset
-.Vt RSA
-object as an argument.
-The default RSA implementation,
-.Xr RSA_PKCS1_SSLeay 3 ,
-contains an
-.Fa init
-function equivalent to calling
-.Xr RSA_set_flags 3
-with an argument of
-.Dv RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE .
-.Pp
-.Fn RSA_meth_get_finish
-and
-.Fn RSA_meth_set_finish
-get and set an optional function for destroying an
-.Vt RSA
-object.
-Unless
-.Fa finish
-is
-.Dv NULL ,
-it will be called from
-.Xr RSA_set_method 3
-and from
-.Xr RSA_free 3 .
-It takes the same argument as
-.Xr RSA_free 3
-and is intended to do RSA implementation specific cleanup.
-The memory used by the
-.Vt RSA
-object itself should not be freed by the
-.Fa finish
-function.
-The default RSA implementation contains a
-.Fa finish
-function freeing the memory used by the
-.Dv RSA_FLAG_CACHE_PUBLIC
-and
-.Dv RSA_FLAG_CACHE_PRIVATE
-caches.
-.Pp
-.Fn RSA_meth_get_pub_enc ,
-.Fn RSA_meth_set_pub_enc ,
-.Fn RSA_meth_get_pub_dec ,
-.Fn RSA_meth_set_pub_dec ,
-.Fn RSA_meth_get_priv_enc ,
-.Fn RSA_meth_set_priv_enc ,
-.Fn RSA_meth_get_priv_dec ,
-and
-.Fn RSA_meth_set_priv_dec
-get and set the mandatory functions
-used for public and private key encryption and decryption.
-These functions will be called from
-.Xr RSA_public_encrypt 3 ,
-.Xr RSA_public_decrypt 3 ,
-.Xr RSA_private_encrypt 3 ,
-and
-.Xr RSA_private_decrypt 3 ,
-respectively, and take the same parameters as those.
-.Pp
-.Fn RSA_meth_get_sign ,
-.Fn RSA_meth_set_sign ,
-.Fn RSA_meth_get_verify ,
-and
-.Fn RSA_meth_set_verify
-get and set the optional functions
-used for creating and verifying an RSA signature.
-.Pp
-.Fn RSA_meth_get_mod_exp
-and
-.Fn RSA_meth_set_mod_exp
-get and set the function
-used for Chinese Remainder Theorem (CRT) computations involving the
-.Fa p ,
-.Fa q ,
-.Fa dmp1 ,
-.Fa dmq1 ,
-and
-.Fa iqmp
-fields of an
-.Vt RSA
-object.
-It is used by the default RSA implementation during
-.Xr RSA_private_encrypt 3
-and
-.Xr RSA_private_decrypt 3
-when the required components of the private key are available
-or when the
-.Dv RSA_FLAG_EXT_PKEY
-flag is set.
-.Pp
-.Fn RSA_meth_get_bn_mod_exp
-and
-.Fn RSA_meth_set_bn_mod_exp
-get and set the function used for CRT computations,
-specifically the value r =
-.Fa a
-\(ha
-.Fa p
-mod
-.Fa m .
-It is used by the default RSA implementation during
-.Xr RSA_public_encrypt 3
-and
-.Xr RSA_public_decrypt 3
-and as a fallback during
-.Xr RSA_private_encrypt 3
-and
-.Xr RSA_private_decrypt 3 .
-.Pp
-.Fn RSA_meth_get_keygen
-and
-.Fn RSA_meth_set_keygen
-get and set the optional function used for generating a new RSA key pair.
-Unless
-.Fa keygen
-is
-.Dv NULL ,
-it will be called from
-.Xr RSA_generate_key_ex 3
-and takes the same parameters.
-Otherwise, a builtin default implementation is used.
-.Sh RETURN VALUES
-.Fn RSA_meth_new
-and
-.Fn RSA_meth_dup
-return the newly allocated
-.Vt RSA_METHOD
-object or
-.Dv NULL
-on failure.
-.Pp
-.Fn RSA_meth_get0_name
-returns an internal pointer which must not be freed by the caller.
-.Pp
-.Fn RSA_meth_get_flags
-returns zero or more
-.Dv RSA_FLAG_*
-constants OR'ed together, or 0 if no flags are set in
-.Fa meth .
-.Pp
-.Fn RSA_meth_get0_app_data
-returns the pointer that was earlier passed to
-.Fn RSA_meth_set0_app_data
-or
-.Dv NULL
-otherwise.
-.Pp
-All other
-.Fn RSA_meth_get_*
-functions return the appropriate function pointer that has been set
-with the corresponding
-.Fn RSA_meth_set_*
-function, or
-.Dv NULL
-if no such pointer has been set in
-.Fa meth .
-.Pp
-All
-.Fn RSA_meth_set*
-functions return 1 on success or 0 on failure.
-In the current implementation, only
-.Fn RSA_meth_set1_name
-can actually fail.
-.Sh SEE ALSO
-.Xr RSA_generate_key_ex 3 ,
-.Xr RSA_new 3 ,
-.Xr RSA_private_encrypt 3 ,
-.Xr RSA_public_encrypt 3 ,
-.Xr RSA_set_flags 3 ,
-.Xr RSA_set_method 3 ,
-.Xr RSA_sign 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.1.0.
-.Fn RSA_meth_new ,
-.Fn RSA_meth_dup ,
-.Fn RSA_meth_free ,
-.Fn RSA_meth_set_finish ,
-.Fn RSA_meth_set_priv_enc ,
-and
-.Fn RSA_meth_set_priv_dec
-have been available since
-.Ox 6.3 ,
-.Fn RSA_meth_set1_name
-and
-.Fn RSA_meth_get_finish
-since
-.Ox 6.4 ,
-and
-.Fn RSA_meth_get0_name ,
-.Fn RSA_meth_get_flags ,
-.Fn RSA_meth_set_flags ,
-.Fn RSA_meth_get0_app_data ,
-.Fn RSA_meth_set0_app_data ,
-.Fn RSA_meth_get_init ,
-.Fn RSA_meth_set_init ,
-.Fn RSA_meth_set_finish ,
-.Fn RSA_meth_get_pub_enc ,
-.Fn RSA_meth_set_pub_enc ,
-.Fn RSA_meth_get_pub_dec ,
-.Fn RSA_meth_set_pub_dec ,
-.Fn RSA_meth_get_priv_enc ,
-.Fn RSA_meth_get_priv_dec ,
-.Fn RSA_meth_get_sign ,
-.Fn RSA_meth_set_sign ,
-.Fn RSA_meth_get_verify ,
-.Fn RSA_meth_set_verify ,
-.Fn RSA_meth_get_mod_exp ,
-.Fn RSA_meth_set_mod_exp ,
-.Fn RSA_meth_get_bn_mod_exp ,
-.Fn RSA_meth_set_bn_mod_exp ,
-.Fn RSA_meth_get_keygen ,
-and
-.Fn RSA_meth_set_keygen
-since
-.Ox 6.6 .
diff --git a/src/lib/libcrypto/man/RSA_new.3 b/src/lib/libcrypto/man/RSA_new.3
deleted file mode 100644
index f5c7929e77..0000000000
--- a/src/lib/libcrypto/man/RSA_new.3
+++ /dev/null
@@ -1,248 +0,0 @@
-.\" $OpenBSD: RSA_new.3,v 1.18 2023/11/19 21:03:22 tb Exp $
-.\" full merge up to:
-.\" OpenSSL doc/man3/RSA_new.pod e9b77246 Jan 20 19:58:49 2017 +0100
-.\" OpenSSL doc/crypto/rsa.pod 35d2e327 Jun 3 16:19:49 2016 -0400 (final)
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 19 2023 $
-.Dt RSA_NEW 3
-.Os
-.Sh NAME
-.Nm RSA_new ,
-.Nm RSAPrivateKey_dup ,
-.Nm RSAPublicKey_dup ,
-.Nm RSA_up_ref ,
-.Nm RSA_free
-.Nd allocate and free RSA objects
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft RSA *
-.Fn RSA_new void
-.Ft RSA *
-.Fo RSAPrivateKey_dup
-.Fa "RSA *rsa"
-.Fc
-.Ft RSA *
-.Fo RSAPublicKey_dup
-.Fa "RSA *rsa"
-.Fc
-.Ft int
-.Fo RSA_up_ref
-.Fa "RSA *rsa"
-.Fc
-.Ft void
-.Fo RSA_free
-.Fa "RSA *rsa"
-.Fc
-.Sh DESCRIPTION
-The RSA functions implement RSA public key encryption and signatures
-as defined in PKCS #1 v2.0 (RFC 2437).
-.Pp
-.Fn RSA_new
-allocates and initializes an
-.Vt RSA
-structure, setting the reference count to 1.
-It is equivalent to calling
-.Xr RSA_new_method 3
-with a
-.Dv NULL
-argument.
-.Pp
-.Fn RSAPrivateKey_dup
-calls
-.Fn RSA_new
-and copies the public and private key components from
-.Fa rsa
-into the new structure.
-.Fn RSAPublicKey_dup
-does the same except that it copies the public key components only.
-.Pp
-.Fn RSA_up_ref
-increments the reference count by 1.
-.Pp
-.Fn RSA_free
-decrements the reference count by 1.
-If it reaches 0, it calls the optional
-.Fa finish
-function set up with
-.Xr RSA_meth_set_finish 3
-and frees the
-.Vt RSA
-structure and its components.
-The key is erased before the memory is returned to the system.
-If
-.Fa rsa
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-The
-.Vt RSA
-structure consists of several
-.Vt BIGNUM
-components.
-It can contain public as well as private RSA keys:
-.Bd -literal
-typedef struct {
-        BIGNUM *n;              // public modulus
-        BIGNUM *e;              // public exponent
-        BIGNUM *d;              // private exponent
-        BIGNUM *p;              // secret prime factor
-        BIGNUM *q;              // secret prime factor
-        BIGNUM *dmp1;           // d mod (p-1)
-        BIGNUM *dmq1;           // d mod (q-1)
-        BIGNUM *iqmp;           // q^-1 mod p
-        // ...
-} RSA;
-.Ed
-.Pp
-In public keys, the private exponent
-.Fa d
-and the related secret values
-.Fa p , q , dmp1 , dmp2 ,
-and
-.Fa iqmp
-are
-.Dv NULL .
-.Pp
-.Fa p ,
-.Fa q ,
-.Fa dmp1 ,
-.Fa dmq1 ,
-and
-.Fa iqmp
-may be
-.Dv NULL
-in private keys, but the RSA operations are much faster when these
-values are available.
-.Pp
-Note that RSA keys may use non-standard
-.Vt RSA_METHOD
-implementations.
-In some cases, these
-.Vt BIGNUM
-values will not be used by the implementation or may be used for
-alternative data storage.
-For this reason, applications should generally avoid using
-.Vt RSA
-structure elements directly and instead use API functions to query
-or modify keys.
-.Sh RETURN VALUES
-.Fn RSA_new ,
-.Fn RSAPrivateKey_dup ,
-and
-.Fn RSAPublicKey_dup
-return a pointer to the newly allocated structure, or
-.Dv NULL
-if an error occurs.
-An error code can be obtained by
-.Xr ERR_get_error 3 .
-.Pp
-.Fn RSA_up_ref
-returns 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr BN_new 3 ,
-.Xr crypto 3 ,
-.Xr d2i_RSAPublicKey 3 ,
-.Xr DH_new 3 ,
-.Xr DSA_new 3 ,
-.Xr EVP_PKEY_set1_RSA 3 ,
-.Xr RSA_blinding_on 3 ,
-.Xr RSA_check_key 3 ,
-.Xr RSA_generate_key 3 ,
-.Xr RSA_get0_key 3 ,
-.Xr RSA_get_ex_new_index 3 ,
-.Xr RSA_meth_new 3 ,
-.Xr RSA_padding_add_PKCS1_type_1 3 ,
-.Xr RSA_pkey_ctx_ctrl 3 ,
-.Xr RSA_print 3 ,
-.Xr RSA_private_encrypt 3 ,
-.Xr RSA_PSS_PARAMS_new 3 ,
-.Xr RSA_public_encrypt 3 ,
-.Xr RSA_security_bits 3 ,
-.Xr RSA_set_method 3 ,
-.Xr RSA_sign 3 ,
-.Xr RSA_sign_ASN1_OCTET_STRING 3 ,
-.Xr RSA_size 3
-.Sh STANDARDS
-SSL, PKCS #1 v2.0
-.Pp
-RSA was covered by a US patent which expired in September 2000.
-.Sh HISTORY
-.Fn RSA_new
-and
-.Fn RSA_free
-appeared in SSLeay 0.4 or earlier.
-.Fn RSAPrivateKey_dup
-first appeared in SSLeay 0.5.1 and
-.Fn RSAPublicKey_dup
-in SSLeay 0.5.2.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn RSA_up_ref
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 b/src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
deleted file mode 100644
index e7c3a2a624..0000000000
--- a/src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
+++ /dev/null
@@ -1,236 +0,0 @@
-.\"     $OpenBSD: RSA_padding_add_PKCS1_type_1.3,v 1.8 2018/03/21 16:09:51 schwarze Exp $
-.\"     OpenSSL 1e3f62a3 Jul 17 16:47:13 2017 +0200
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 21 2018 $
-.Dt RSA_PADDING_ADD_PKCS1_TYPE_1 3
-.Os
-.Sh NAME
-.Nm RSA_padding_add_PKCS1_type_1 ,
-.Nm RSA_padding_check_PKCS1_type_1 ,
-.Nm RSA_padding_add_PKCS1_type_2 ,
-.Nm RSA_padding_check_PKCS1_type_2 ,
-.Nm RSA_padding_add_PKCS1_OAEP ,
-.Nm RSA_padding_check_PKCS1_OAEP ,
-.Nm RSA_padding_add_none ,
-.Nm RSA_padding_check_none
-.Nd asymmetric encryption padding
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft int
-.Fo RSA_padding_add_PKCS1_type_1
-.Fa "unsigned char *to"
-.Fa "int tlen"
-.Fa "unsigned char *f"
-.Fa "int fl"
-.Fc
-.Ft int
-.Fo RSA_padding_check_PKCS1_type_1
-.Fa "unsigned char *to"
-.Fa "int tlen"
-.Fa "unsigned char *f"
-.Fa "int fl"
-.Fa "int rsa_len"
-.Fc
-.Ft int
-.Fo RSA_padding_add_PKCS1_type_2
-.Fa "unsigned char *to"
-.Fa "int tlen"
-.Fa "unsigned char *f"
-.Fa "int fl"
-.Fc
-.Ft int
-.Fo RSA_padding_check_PKCS1_type_2
-.Fa "unsigned char *to"
-.Fa "int tlen"
-.Fa "unsigned char *f"
-.Fa "int fl"
-.Fa "int rsa_len"
-.Fc
-.Ft int
-.Fo RSA_padding_add_PKCS1_OAEP
-.Fa "unsigned char *to"
-.Fa "int tlen"
-.Fa "unsigned char *f"
-.Fa "int fl"
-.Fa "unsigned char *p"
-.Fa "int pl"
-.Fc
-.Ft int
-.Fo RSA_padding_check_PKCS1_OAEP
-.Fa "unsigned char *to"
-.Fa "int tlen"
-.Fa "unsigned char *f"
-.Fa "int fl"
-.Fa "int rsa_len"
-.Fa "unsigned char *p"
-.Fa "int pl"
-.Fc
-.Ft int
-.Fo RSA_padding_add_none
-.Fa "unsigned char *to"
-.Fa "int tlen"
-.Fa "unsigned char *f"
-.Fa "int fl"
-.Fc
-.Ft int
-.Fo RSA_padding_check_none
-.Fa "unsigned char *to"
-.Fa "int tlen"
-.Fa "unsigned char *f"
-.Fa "int fl"
-.Fa "int rsa_len"
-.Fc
-.Sh DESCRIPTION
-These functions are called from the RSA encrypt, decrypt, sign, and
-verify functions.
-Normally they should not be called from application programs.
-.Pp
-However, they can also be called directly to implement padding for other
-asymmetric ciphers.
-.Fn RSA_padding_add_PKCS1_OAEP
-and
-.Fn RSA_padding_check_PKCS1_OAEP
-may be used in an application combined with
-.Dv RSA_NO_PADDING
-in order to implement OAEP with an encoding parameter.
-.Pp
-.Fn RSA_padding_add_*
-encodes
-.Fa fl
-bytes from
-.Fa f
-so as to fit into
-.Fa tlen
-bytes and stores the result at
-.Fa to .
-An error occurs if
-.Fa fl
-does not meet the size requirements of the encoding method.
-.Pp
-The following encoding methods are implemented:
-.Pp
-.Bl -tag -width PKCS1_type_2 -compact
-.It PKCS1_type_1
-PKCS #1 v2.0 EMSA-PKCS1-v1_5 (PKCS #1 v1.5 block type 1);
-used for signatures
-.It PKCS1_type_2
-PKCS #1 v2.0 EME-PKCS1-v1_5 (PKCS #1 v1.5 block type 2)
-.It PKCS1_OAEP
-PKCS #1 v2.0 EME-OAEP
-.It none
-simply copy the data
-.El
-.Pp
-.Fn RSA_padding_check_*
-verifies that the
-.Fa fl
-bytes at
-.Fa f
-contain a valid encoding for a
-.Fa rsa_len
-byte RSA key in the respective encoding method and stores the recovered
-data of at most
-.Fa tlen
-bytes (for
-.Dv RSA_NO_PADDING :
-of size
-.Fa tlen )
-at
-.Fa to .
-.Pp
-For
-.Fn RSA_padding_*_OAEP ,
-.Fa p
-points to the encoding parameter of length
-.Fa pl .
-.Fa p
-may be
-.Dv NULL
-if
-.Fa pl
-is 0.
-.Sh RETURN VALUES
-The
-.Fn RSA_padding_add_*
-functions return 1 on success or 0 on error.
-The
-.Fn RSA_padding_check_*
-functions return the length of the recovered data or -1 on error.
-Error codes can be obtained by calling
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr RSA_new 3 ,
-.Xr RSA_private_decrypt 3 ,
-.Xr RSA_public_encrypt 3 ,
-.Xr RSA_sign 3 ,
-.Xr RSA_verify 3
-.Sh HISTORY
-.Fn RSA_padding_add_PKCS1_type_1 ,
-.Fn RSA_padding_check_PKCS1_type_1 ,
-.Fn RSA_padding_add_PKCS1_type_2 ,
-.Fn RSA_padding_check_PKCS1_type_2 ,
-.Fn RSA_padding_add_none ,
-and
-.Fn RSA_padding_check_none
-first appeared in SSLeay 0.9.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn RSA_padding_add_PKCS1_OAEP
-and
-.Fn RSA_padding_check_PKCS1_OAEP
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
-.Sh BUGS
-The
-.Fn RSA_padding_check_PKCS1_type_2
-padding check leaks timing information which can potentially be
-used to mount a Bleichenbacher padding oracle attack.
-This is an inherent weakness in the PKCS #1 v1.5 padding design.
-Prefer PKCS1_OAEP padding.
diff --git a/src/lib/libcrypto/man/RSA_pkey_ctx_ctrl.3 b/src/lib/libcrypto/man/RSA_pkey_ctx_ctrl.3
deleted file mode 100644
index 3d4e79cc47..0000000000
--- a/src/lib/libcrypto/man/RSA_pkey_ctx_ctrl.3
+++ /dev/null
@@ -1,402 +0,0 @@
-.\" $OpenBSD: RSA_pkey_ctx_ctrl.3,v 1.8 2024/12/06 14:27:49 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL man3/EVP_PKEY_CTX_ctrl.pod 99d63d46 Oct 26 13:56:48 2016 -0400
-.\" OpenSSL man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod
-.\"   87103969 Oct 1 14:11:57 2018 -0700
-.\" selective merge up to:
-.\" OpenSSL man3/EVP_PKEY_CTX_ctrl.pod df75c2b f Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" and Antoine Salon <asalon@vmware.com>.
-.\" Copyright (c) 2006, 2009, 2013, 2014, 2015, 2017, 2018 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt RSA_PKEY_CTX_CTRL 3
-.Os
-.Sh NAME
-.Nm RSA_pkey_ctx_ctrl ,
-.Nm EVP_PKEY_CTX_set_rsa_padding ,
-.Nm EVP_PKEY_CTX_get_rsa_padding ,
-.Nm EVP_PKEY_CTX_set_rsa_keygen_bits ,
-.Nm EVP_PKEY_CTX_set_rsa_keygen_pubexp ,
-.Nm EVP_PKEY_CTX_set_rsa_mgf1_md ,
-.Nm EVP_PKEY_CTX_get_rsa_mgf1_md ,
-.Nm EVP_PKEY_CTX_set_rsa_oaep_md ,
-.Nm EVP_PKEY_CTX_get_rsa_oaep_md ,
-.Nm EVP_PKEY_CTX_set0_rsa_oaep_label ,
-.Nm EVP_PKEY_CTX_get0_rsa_oaep_label ,
-.Nm EVP_PKEY_CTX_set_rsa_pss_saltlen ,
-.Nm EVP_PKEY_CTX_get_rsa_pss_saltlen ,
-.Nm EVP_PKEY_CTX_set_rsa_pss_keygen_md ,
-.Nm EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md ,
-.Nm EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen
-.Nd RSA private key control operations
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft int
-.Fo RSA_pkey_ctx_ctrl
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int optype"
-.Fa "int cmd"
-.Fa "int p1"
-.Fa "void *p2"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_rsa_padding
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int pad"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_get_rsa_padding
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int *ppad"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_rsa_keygen_bits
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int mbits"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_rsa_keygen_pubexp
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "BIGNUM *pubexp"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_rsa_mgf1_md
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_get_rsa_mgf1_md
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "const EVP_MD **pmd"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_rsa_oaep_md
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_get_rsa_oaep_md
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "const EVP_MD **pmd"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set0_rsa_oaep_label
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "unsigned char *label"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_get0_rsa_oaep_label
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "unsigned char **plabel"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_rsa_pss_saltlen
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_get_rsa_pss_saltlen
-.Fa "EVP_PKEY_CTX *ctx"
-.Fa "int *plen"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_rsa_pss_keygen_md
-.Fa "EVP_PKEY_CTX *pctx"
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md
-.Fa "EVP_PKEY_CTX *pctx"
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen
-.Fa "EVP_PKEY_CTX *pctx"
-.Fa "int saltlen"
-.Fc
-.Sh DESCRIPTION
-The function
-.Fn RSA_pkey_ctx_ctrl
-is a shallow wrapper around
-.Xr EVP_PKEY_CTX_ctrl 3
-which only succeeds if
-.Fa ctx
-matches either
-.Dv EVP_PKEY_RSA
-or
-.Dv EVP_PKEY_RSA_PSS .
-.Pp
-All the remaining "functions" are implemented as macros.
-.Pp
-The
-.Fn EVP_PKEY_CTX_set_rsa_padding
-macro sets the RSA padding mode for
-.Fa ctx .
-The
-.Fa pad
-parameter can take the value
-.Dv RSA_PKCS1_PADDING
-for PKCS#1 padding,
-.Dv RSA_NO_PADDING
-for no padding,
-.Dv RSA_PKCS1_OAEP_PADDING
-for OAEP padding (encrypt and decrypt only),
-.Dv RSA_X931_PADDING
-for X9.31 padding (signature operations only) and
-.Dv RSA_PKCS1_PSS_PADDING
-(sign and verify only).
-Only the last one can be used with keys of the type
-.Dv EVP_PKEY_RSA_PSS .
-.Pp
-Two RSA padding modes behave differently if
-.Xr EVP_PKEY_CTX_set_signature_md 3
-is used.
-If this macro is called for PKCS#1 padding, the plaintext buffer is an
-actual digest value and is encapsulated in a
-.Vt DigestInfo
-structure according to PKCS#1 when signing and this structure is
-expected (and stripped off) when verifying.
-If this control is not used with RSA and PKCS#1 padding then the
-supplied data is used directly and not encapsulated.
-In the case of X9.31 padding for RSA the algorithm identifier byte is
-added or checked and removed if this control is called.
-If it is not called then the first byte of the plaintext buffer is
-expected to be the algorithm identifier byte.
-.Pp
-The
-.Fn EVP_PKEY_CTX_get_rsa_padding
-macro retrieves the RSA padding mode for
-.Fa ctx .
-.Pp
-The
-.Fn EVP_PKEY_CTX_set_rsa_keygen_bits
-macro sets the RSA key length for RSA or RSA-PSS key generation to
-.Fa mbits .
-The smallest supported value is 512 bits.
-If not specified, 1024 bits is used.
-.Pp
-The
-.Fn EVP_PKEY_CTX_set_rsa_keygen_pubexp
-macro sets the public exponent value for RSA or RSA-PSS key generation to
-.Fa pubexp .
-Currently, it should be an odd integer.
-The
-.Fa pubexp
-pointer is used internally by this function, so it should not be modified
-or freed after the call.
-If this macro is not called, then 65537 is used.
-.Pp
-The
-.Fn EVP_PKEY_CTX_set_rsa_mgf1_md
-macro sets the MGF1 digest for RSA padding schemes to
-.Fa md .
-Unless explicitly specified, the signing digest is used.
-The padding mode must have been set to
-.Dv RSA_PKCS1_OAEP_PADDING
-or
-.Dv RSA_PKCS1_PSS_PADDING .
-If the key is of the type
-.Dv EVP_PKEY_RSA_PSS
-and has usage restrictions, an error occurs if an attempt is made
-to set the digest to anything other than the restricted value.
-.Pp
-The
-.Fn EVP_PKEY_CTX_get_rsa_mgf1_md
-macro retrieves the MGF1 digest for
-.Fa ctx .
-Unless explicitly specified, the signing digest is used.
-The padding mode must have been set to
-.Dv RSA_PKCS1_OAEP_PADDING
-or
-.Dv RSA_PKCS1_PSS_PADDING .
-.Ss Optimal asymmetric encryption padding
-The following macros require that the padding mode was set to
-.Dv RSA_PKCS1_OAEP_PADDING .
-.Pp
-The
-.Fn EVP_PKEY_CTX_set_rsa_oaep_md
-macro sets the message digest type used in RSA OAEP to
-.Fa md .
-.Pp
-The
-.Fn EVP_PKEY_CTX_get_rsa_oaep_md
-macro gets the message digest type used in RSA OAEP to
-.Pf * Fa pmd .
-.Pp
-The
-.Fn EVP_PKEY_CTX_set0_rsa_oaep_label
-macro sets the RSA OAEP label to
-.Fa label
-and its length to
-.Fa len .
-If
-.Fa label
-is
-.Dv NULL
-or
-.Fa len
-is 0, the label is cleared.
-The library takes ownership of the label so the caller should not
-free the original memory pointed to by
-.Fa label .
-.Pp
-The
-.Fn EVP_PKEY_CTX_get0_rsa_oaep_label
-macro gets the RSA OAEP label to
-.Pf * Fa plabel .
-The return value is the label length.
-The resulting pointer is owned by the library and should not be
-freed by the caller.
-.Ss Probabilistic signature scheme
-The following macros require that the padding mode was set to
-.Dv RSA_PKCS1_PSS_PADDING .
-.Pp
-The
-.Fn EVP_PKEY_CTX_set_rsa_pss_saltlen
-macro sets the RSA PSS salt length to
-.Fa len .
-Three special values are supported:
-.Dv RSA_PSS_SALTLEN_DIGEST
-sets the salt length to the digest length.
-.Dv RSA_PSS_SALTLEN_MAX
-sets the salt length to the maximum permissible value.
-When signing,
-.Dv RSA_PSS_SALTLEN_AUTO
-sets the salt length to the maximum permissible value.
-When verifying,
-.Dv RSA_PSS_SALTLEN_AUTO
-causes the salt length to be automatically determined based on the
-PSS block structure.
-If this macro is not called, a salt length value of
-.Dv RSA_PSS_SALTLEN_AUTO
-is used by default.
-.Pp
-If the key has usage restrictions and an attempt is made to set the
-salt length below the minimum value, an error occurs.
-Also, if the key has usage restrictions,
-.Dv RSA_PSS_SALTLEN_AUTO
-is not supported for verification.
-.Pp
-The
-.Fn EVP_PKEY_CTX_get_rsa_pss_saltlen
-macro retrieves the RSA PSS salt length for
-.Fa ctx .
-.Pp
-Optional parameter restrictions can be specified when generating a PSS
-key.
-If any restrictions are set using the macros described below,
-then all parameters are restricted.
-For example, setting a minimum salt length also restricts the digest and
-MGF1 algorithms.
-If any restrictions are in place, then they are reflected in the
-corresponding parameters of the public key when (for example) a
-certificate request is signed.
-.Pp
-.Fn EVP_PKEY_CTX_set_rsa_pss_keygen_md
-restricts the digest algorithm the generated key can use to
-.Fa md .
-.Pp
-.Fn EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md
-restricts the MGF1 algorithm the generated key can use to
-.Fa md .
-.Pp
-.Fn EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen
-restricts the minimum salt length to
-.Fa saltlen .
-.Sh RETURN VALUES
-These functions return a positive value for success or 0 or a negative
-value for failure.
-In particular, a return value of -2 indicates the operation is not
-supported by the public key algorithm.
-.Sh SEE ALSO
-.Xr EVP_DigestInit 3 ,
-.Xr EVP_PKEY_CTX_ctrl 3 ,
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_decrypt 3 ,
-.Xr EVP_PKEY_derive 3 ,
-.Xr EVP_PKEY_encrypt 3 ,
-.Xr EVP_PKEY_get_default_digest_nid 3 ,
-.Xr EVP_PKEY_keygen 3 ,
-.Xr EVP_PKEY_sign 3 ,
-.Xr EVP_PKEY_verify 3 ,
-.Xr EVP_PKEY_verify_recover 3
-.Sh HISTORY
-The functions
-.Fn EVP_PKEY_CTX_set_rsa_padding ,
-.Fn EVP_PKEY_CTX_set_rsa_keygen_bits ,
-.Fn EVP_PKEY_CTX_set_rsa_keygen_pubexp ,
-and
-.Fn EVP_PKEY_CTX_set_rsa_pss_saltlen
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
-.Pp
-The functions
-.Fn EVP_PKEY_CTX_get_rsa_padding ,
-.Fn EVP_PKEY_CTX_set_rsa_mgf1_md ,
-.Fn EVP_PKEY_CTX_get_rsa_mgf1_md ,
-and
-.Fn EVP_PKEY_CTX_get_rsa_pss_saltlen
-first appeared in OpenSSL 1.0.1 and have been available since
-.Ox 5.3 .
-.Pp
-The functions
-.Fn EVP_PKEY_CTX_set_rsa_oaep_md ,
-.Fn EVP_PKEY_CTX_get_rsa_oaep_md ,
-.Fn EVP_PKEY_CTX_set0_rsa_oaep_label ,
-and
-.Fn EVP_PKEY_CTX_get0_rsa_oaep_label
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 6.7 .
-.Pp
-The function
-.Fn RSA_pkey_ctx_ctrl
-first appeared in OpenSSL 1.1.1 and has been available since
-.Ox 6.7 .
diff --git a/src/lib/libcrypto/man/RSA_print.3 b/src/lib/libcrypto/man/RSA_print.3
deleted file mode 100644
index 767241ce1c..0000000000
--- a/src/lib/libcrypto/man/RSA_print.3
+++ /dev/null
@@ -1,144 +0,0 @@
-.\"     $OpenBSD: RSA_print.3,v 1.9 2019/06/06 01:06:59 schwarze Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2003 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 6 2019 $
-.Dt RSA_PRINT 3
-.Os
-.Sh NAME
-.Nm RSA_print ,
-.Nm RSA_print_fp ,
-.Nm DSAparams_print ,
-.Nm DSAparams_print_fp ,
-.Nm DSA_print ,
-.Nm DSA_print_fp ,
-.Nm DHparams_print ,
-.Nm DHparams_print_fp
-.Nd print cryptographic parameters
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft int
-.Fo RSA_print
-.Fa "BIO *bp"
-.Fa "RSA *x"
-.Fa "int offset"
-.Fc
-.Ft int
-.Fo RSA_print_fp
-.Fa "FILE *fp"
-.Fa "RSA *x"
-.Fa "int offset"
-.Fc
-.In openssl/dsa.h
-.Ft int
-.Fo DSAparams_print
-.Fa "BIO *bp"
-.Fa "DSA *x"
-.Fc
-.Ft int
-.Fo DSAparams_print_fp
-.Fa "FILE *fp"
-.Fa "DSA *x"
-.Fc
-.Ft int
-.Fo DSA_print
-.Fa "BIO *bp"
-.Fa "DSA *x"
-.Fa "int offset"
-.Fc
-.Ft int
-.Fo DSA_print_fp
-.Fa "FILE *fp"
-.Fa "DSA *x"
-.Fa "int offset"
-.Fc
-.In openssl/dh.h
-.Ft int
-.Fo DHparams_print
-.Fa "BIO *bp"
-.Fa "DH *x"
-.Fc
-.Ft int
-.Fo DHparams_print_fp
-.Fa "FILE *fp"
-.Fa "DH *x"
-.Fc
-.Sh DESCRIPTION
-A human-readable hexadecimal output of the components of the RSA key,
-DSA parameters or key or DH parameters is printed to
-.Fa bp
-or
-.Fa fp .
-.Pp
-The output lines are indented by
-.Fa offset
-spaces.
-.Sh RETURN VALUES
-These functions return 1 on success or 0 on error.
-.Sh SEE ALSO
-.Xr BN_bn2bin 3 ,
-.Xr DH_get0_pqg 3 ,
-.Xr DH_new 3 ,
-.Xr DSA_get0_pqg 3 ,
-.Xr RSA_get0_key 3 ,
-.Xr RSA_new 3
-.Sh HISTORY
-.Fn RSA_print
-and
-.Fn DHparams_print
-first appeared in SSLeay 0.5.1.
-.Fn RSA_print_fp ,
-.Fn DSA_print ,
-and
-.Fn DHparams_print_fp
-first appeared in SSLeay 0.6.0.
-.Fn DSA_print_fp
-first appeared in SSLeay 0.8.0.
-All these functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/RSA_private_encrypt.3 b/src/lib/libcrypto/man/RSA_private_encrypt.3
deleted file mode 100644
index 2bf6c57dba..0000000000
--- a/src/lib/libcrypto/man/RSA_private_encrypt.3
+++ /dev/null
@@ -1,150 +0,0 @@
-.\"     $OpenBSD: RSA_private_encrypt.3,v 1.10 2019/06/10 14:58:48 schwarze Exp $
-.\"     OpenSSL RSA_private_encrypt.pod b41f6b64 Mar 10 15:49:04 2017 +0000
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 10 2019 $
-.Dt RSA_PRIVATE_ENCRYPT 3
-.Os
-.Sh NAME
-.Nm RSA_private_encrypt ,
-.Nm RSA_public_decrypt
-.Nd low level signature operations
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft int
-.Fo RSA_private_encrypt
-.Fa "int flen"
-.Fa "const unsigned char *from"
-.Fa "unsigned char *to"
-.Fa "RSA *rsa"
-.Fa "int padding"
-.Fc
-.Ft int
-.Fo RSA_public_decrypt
-.Fa "int flen"
-.Fa "const unsigned char *from"
-.Fa "unsigned char *to"
-.Fa "RSA *rsa"
-.Fa "int padding"
-.Fc
-.Sh DESCRIPTION
-These functions handle RSA signatures at a low level.
-.Pp
-.Fn RSA_private_encrypt
-signs the
-.Fa flen
-bytes at
-.Fa from
-(usually a message digest with an algorithm identifier) using the
-private key
-.Fa rsa
-and stores the signature in
-.Fa to .
-.Fa to
-must point to
-.Fn RSA_size rsa
-bytes of memory.
-.Pp
-.Fa padding
-denotes one of the following modes:
-.Bl -tag -width Ds
-.It Dv RSA_PKCS1_PADDING
-PKCS #1 v1.5 padding.
-This function does not handle the
-.Sy algorithmIdentifier
-specified in PKCS #1.
-When generating or verifying PKCS #1 signatures,
-.Xr RSA_sign 3
-and
-.Xr RSA_verify 3
-should be used.
-.It Dv RSA_NO_PADDING
-Raw RSA signature.
-This mode should only be used to implement cryptographically sound
-padding modes in the application code.
-Signing user data directly with RSA is insecure.
-.El
-.Pp
-.Fn RSA_public_decrypt
-recovers the message digest from the
-.Fa flen
-bytes long signature at
-.Fa from
-using the signer's public key
-.Fa rsa .
-.Fa to
-must point to a memory section large enough to hold the message digest
-(which is smaller than
-.Fn RSA_size rsa
-- 11).
-.Fa padding
-is the padding mode that was used to sign the data.
-.Sh RETURN VALUES
-.Fn RSA_private_encrypt
-returns the size of the signature (i.e.\&
-.Fn RSA_size rsa ) .
-.Fn RSA_public_decrypt
-returns the size of the recovered message digest.
-.Pp
-On error, -1 is returned; the error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr RSA_meth_set_priv_enc 3 ,
-.Xr RSA_new 3 ,
-.Xr RSA_sign 3 ,
-.Xr RSA_verify 3
-.Sh HISTORY
-.Fn RSA_private_encrypt
-and
-.Fn RSA_public_decrypt
-appeared in SSLeay 0.4 or earlier and have been available since
-.Ox 2.4 .
-.Pp
-.Dv RSA_NO_PADDING
-is available since SSLeay 0.9.0.
diff --git a/src/lib/libcrypto/man/RSA_public_encrypt.3 b/src/lib/libcrypto/man/RSA_public_encrypt.3
deleted file mode 100644
index be3afdf402..0000000000
--- a/src/lib/libcrypto/man/RSA_public_encrypt.3
+++ /dev/null
@@ -1,247 +0,0 @@
-.\"     $OpenBSD: RSA_public_encrypt.3,v 1.13 2023/09/10 16:04:15 schwarze Exp $
-.\"     OpenSSL RSA_public_encrypt.pod 1e3f62a3 Jul 17 16:47:13 2017 +0200
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2004 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 10 2023 $
-.Dt RSA_PUBLIC_ENCRYPT 3
-.Os
-.Sh NAME
-.Nm RSA_public_encrypt ,
-.Nm RSA_private_decrypt ,
-.Nm EVP_PKEY_encrypt_old ,
-.Nm EVP_PKEY_decrypt_old
-.Nd RSA public key cryptography
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft int
-.Fo RSA_public_encrypt
-.Fa "int flen"
-.Fa "const unsigned char *from"
-.Fa "unsigned char *to"
-.Fa "RSA *rsa"
-.Fa "int padding"
-.Fc
-.Ft int
-.Fo RSA_private_decrypt
-.Fa "int flen"
-.Fa "const unsigned char *from"
-.Fa "unsigned char *to"
-.Fa "RSA *rsa"
-.Fa "int padding"
-.Fc
-.In openssl/evp.h
-.Ft int
-.Fo EVP_PKEY_encrypt_old
-.Fa "unsigned char *to"
-.Fa "const unsigned char *from"
-.Fa "int flen"
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft int
-.Fo EVP_PKEY_decrypt_old
-.Fa "unsigned char *to"
-.Fa "const unsigned char *from"
-.Fa "int flen"
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Sh DESCRIPTION
-.Fn RSA_public_encrypt
-encrypts the
-.Fa flen
-bytes at
-.Fa from
-(usually a session key) using the public key
-.Fa rsa
-and stores the ciphertext in
-.Fa to .
-.Fa to
-must point to
-.Fn RSA_size rsa
-bytes of memory.
-.Pp
-.Fa padding
-denotes one of the following modes:
-.Bl -tag -width Ds
-.It Dv RSA_PKCS1_PADDING
-PKCS #1 v1.5 padding.
-This currently is the most widely used mode.
-.It Dv RSA_PKCS1_OAEP_PADDING
-EME-OAEP as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty
-encoding parameter.
-This mode is recommended for all new applications.
-.It Dv RSA_NO_PADDING
-Raw RSA encryption.
-This mode should only be used to implement cryptographically sound
-padding modes in the application code.
-Encrypting user data directly with RSA is insecure.
-.El
-.Pp
-.Fa flen
-must be less than
-.Fn RSA_size rsa
-- 11 for the PKCS #1 v1.5 based padding modes, less than
-.Fn RSA_size rsa
-- 41 for
-.Dv RSA_PKCS1_OAEP_PADDING
-and exactly
-.Fn RSA_size rsa
-for
-.Dv RSA_NO_PADDING .
-.Pp
-.Fn RSA_private_decrypt
-decrypts the
-.Fa flen
-bytes at
-.Fa from
-using the private key
-.Fa rsa
-and stores the plaintext in
-.Fa to .
-.Fa to
-must point to a memory section large enough to hold the decrypted data
-(which is smaller than
-.Fn RSA_size rsa ) .
-.Fa padding
-is the padding mode that was used to encrypt the data.
-.Pp
-.Fn EVP_PKEY_encrypt_old
-is a deprecated wrapper around
-.Fn RSA_public_encrypt
-that uses the
-.Vt RSA
-public key stored in
-.Fa pkey
-and
-.Dv RSA_PKCS1_PADDING .
-.Pp
-.Fn EVP_PKEY_decrypt_old
-is a deprecated wrapper around
-.Fn RSA_private_decrypt
-that uses the
-.Vt RSA
-private key stored in
-.Fa pkey
-and
-.Dv RSA_PKCS1_PADDING .
-.Sh RETURN VALUES
-.Fn RSA_public_encrypt
-and
-.Fn EVP_PKEY_encrypt_old
-return the size of the encrypted data (i.e.\&
-.Fn RSA_size rsa ) .
-.Fn RSA_private_decrypt
-and
-.Fn EVP_PKEY_decrypt_old
-returns the size of the recovered plaintext.
-On error, \-1 is returned; the error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Pp
-In addition to the return values documented above,
-.Fn EVP_PKEY_encrypt_old
-may return 0 if the
-.Xr EVP_PKEY_id 3
-of
-.Fa pkey
-is not
-.Dv EVP_PKEY_RSA .
-.Sh SEE ALSO
-.Xr EVP_PKEY_decrypt 3 ,
-.Xr EVP_PKEY_encrypt 3 ,
-.Xr RSA_meth_set_priv_dec 3 ,
-.Xr RSA_new 3 ,
-.Xr RSA_size 3
-.Sh STANDARDS
-SSL, PKCS #1 v2.0
-.Sh HISTORY
-.Fn RSA_public_encrypt
-and
-.Fn RSA_private_decrypt
-appeared in SSLeay 0.4 or earlier and have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_PKEY_encrypt
-and
-.Fn EVP_PKEY_decrypt
-first appeared in SSLeay 0.9.0 and have been available since
-.Ox 2.4 .
-There were renamed to
-.Fn EVP_PKEY_encrypt_old
-and
-.Fn EVP_PKEY_decrypt_old
-in OpenSSL 1.0.0 and
-.Ox 4.9 .
-.Pp
-.Dv RSA_NO_PADDING
-is available since SSLeay 0.9.0.
-OAEP was added in OpenSSL 0.9.2b.
-.Sh BUGS
-Decryption failures in the
-.Dv RSA_PKCS1_PADDING
-mode leak information which can potentially be used to mount a
-Bleichenbacher padding oracle attack.
-This is an inherent weakness in the PKCS #1 v1.5 padding design.
-Prefer
-.Dv RSA_PKCS1_OAEP_PADDING .
diff --git a/src/lib/libcrypto/man/RSA_security_bits.3 b/src/lib/libcrypto/man/RSA_security_bits.3
deleted file mode 100644
index f7024a7956..0000000000
--- a/src/lib/libcrypto/man/RSA_security_bits.3
+++ /dev/null
@@ -1,137 +0,0 @@
-.\" $OpenBSD: RSA_security_bits.3,v 1.1 2022/07/13 17:32:16 schwarze Exp $
-.\"
-.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 13 2022 $
-.Dt RSA_SECURITY_BITS 3
-.Os
-.Sh NAME
-.Nm RSA_security_bits ,
-.Nm DSA_security_bits ,
-.Nm DH_security_bits ,
-.Nm BN_security_bits
-.Nd get security strength
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft int
-.Fn RSA_security_bits "const RSA *rsa"
-.In openssl/dsa.h
-.Ft int
-.Fn DSA_security_bits "const DSA *dsa"
-.In openssl/dh.h
-.Ft int
-.Fn DH_security_bits "const DH *dh"
-.In openssl/bn.h
-.Ft int
-.Fo BN_security_bits
-.Fa "int pubbits"
-.Fa "int privbits"
-.Fc
-.Sh DESCRIPTION
-These functions return the security strength of some specific types of
-cryptographic keys, measured in bits.
-It is approximately the binary logarithm of the number of operations
-an attacker has to perform in order to break the key.
-.Pp
-.Fn RSA_security_bits
-uses only the number of significant bits in the public modulus of
-.Fa rsa
-as returned by
-.Xr RSA_bits 3 .
-It returns
-.Bl -column 256 for 15360 last_column -offset indent
-.It 256 Ta for Ta 15360 Ta or more significant bits
-.It 192 Ta     Ta  7680 Ta
-.It 128 Ta     Ta  3072 Ta
-.It 112 Ta     Ta  2048 Ta
-.It  80 Ta     Ta  1024 Ta
-.El
-.Pp
-or 0 otherwise.
-.Pp
-.Fn DSA_security_bits
-uses the number of significant bits in the public domain parameter
-.Fa p
-contained in the
-.Fa dsa
-object, which is equal to the size of the public key, in the same way as
-.Fn RSA_security_bits .
-In addition, the public domain parameter
-.Fa q
-contained in the
-.Fa dsa
-object, which is equal to the size of the private key, is inspected.
-The return value is either the security strength according to the above table
-or half the size of the private key, whichever is smaller.
-If the return value would be smaller than 80, 0 is returned instead.
-.Pp
-.Fn DH_security_bits
-uses the number of significant bits in the shared secret contained in the
-.Fa dh
-object as returned by
-.Xr DH_bits 3
-in the same way as
-.Fn RSA_security_bits .
-If
-.Fa dh
-contains the domain parameter
-.Fa q ,
-its number of significant bits is used in the same way as for
-.Fn DSA_security_bits
-to limit the return value.
-Otherwise, if
-.Fa dh
-contains the length of the secret exponent in bits,
-that number is used.
-If neither is available, only the above table is used
-without calculating a minimum.
-.Pp
-.Fn BN_security_bits
-is a combined function.
-If \-1 is passed for the
-.Fa privbits
-argument, it behaves like
-.Fn RSA_security_bits .
-Otherwise, it behaves like
-.Fn DSA_security_bits .
-.Sh RETURN VALUES
-All these functions return numbers in the range from 0 to 256 inclusive.
-.Pp
-.Fn DSA_security_bits
-fails and returns \-1 unless both of the
-.Fa p
-and
-.Fa q
-domain parameters are present.
-.Sh SEE ALSO
-.Xr BN_num_bits 3 ,
-.Xr DH_bits 3 ,
-.Xr DH_get0_pqg 3 ,
-.Xr DSA_get0_pqg 3 ,
-.Xr RSA_bits 3 ,
-.Xr SSL_CTX_set_security_level 3
-.Rs
-.%A Elaine Barker
-.%T Recommendation for Key Management
-.%I U.S. National Institute of Standards and Technology
-.%R NIST Special Publication 800-57 Part 1 Revision 5
-.%U https://doi.org/10.6028/NIST.SP.800-57pt1r5
-.%C Gaithersburg, MD
-.%D May 2020
-.Re
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.1.0
-and have been available since
-.Ox 7.2 .
diff --git a/src/lib/libcrypto/man/RSA_set_method.3 b/src/lib/libcrypto/man/RSA_set_method.3
deleted file mode 100644
index ffe22c116f..0000000000
--- a/src/lib/libcrypto/man/RSA_set_method.3
+++ /dev/null
@@ -1,252 +0,0 @@
-.\"     $OpenBSD: RSA_set_method.3,v 1.18 2023/11/19 10:34:26 tb Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>
-.\" and Geoff Thorpe <geoff@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2007, 2014 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 19 2023 $
-.Dt RSA_SET_METHOD 3
-.Os
-.Sh NAME
-.Nm RSA_set_default_method ,
-.Nm RSA_get_default_method ,
-.Nm RSA_set_method ,
-.Nm RSA_get_method ,
-.Nm RSA_PKCS1_SSLeay ,
-.Nm RSA_flags ,
-.Nm RSA_new_method
-.Nd select RSA method
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft void
-.Fo RSA_set_default_method
-.Fa "const RSA_METHOD *meth"
-.Fc
-.Ft const RSA_METHOD *
-.Fn RSA_get_default_method void
-.Ft int
-.Fo RSA_set_method
-.Fa "RSA *rsa"
-.Fa "const RSA_METHOD *meth"
-.Fc
-.Ft const RSA_METHOD *
-.Fo RSA_get_method
-.Fa "const RSA *rsa"
-.Fc
-.Ft const RSA_METHOD *
-.Fn RSA_PKCS1_SSLeay void
-.Ft int
-.Fo RSA_flags
-.Fa "const RSA *rsa"
-.Fc
-.Ft RSA *
-.Fo RSA_new_method
-.Fa "ENGINE *engine"
-.Fc
-.Sh DESCRIPTION
-An
-.Vt RSA_METHOD
-object contains pointers to the functions used for RSA operations.
-By default, the internal implementation returned by
-.Fn RSA_PKCS1_SSLeay
-is used.
-By selecting another method, alternative implementations
-such as hardware accelerators may be used.
-.Pp
-.Fn RSA_set_default_method
-selects
-.Fa meth
-as the default method for all
-.Vt RSA
-structures created later.
-.Pp
-.Fn RSA_get_default_method
-returns a pointer to the current default method.
-.Pp
-.Fn RSA_set_method
-selects
-.Fa meth
-to perform all operations using the key
-.Fa rsa .
-This replaces the previous
-.Vt RSA_METHOD
-used by the RSA key, calling the
-.Fa finish
-function set up with
-.Xr RSA_meth_set_finish 3
-if any.
-If
-.Fa meth
-contains an
-.Fa init
-function set up with
-.Xr RSA_meth_set_init 3 ,
-that function is called just before returning from
-.Fn RSA_set_method .
-.Pp
-It is possible to have RSA keys that only work with certain
-.Vt RSA_METHOD
-implementations,
-and in such cases attempting to change the
-.Vt RSA_METHOD
-for the key can have unexpected results.
-.Pp
-.Fn RSA_get_method
-returns a pointer to the
-.Vt RSA_METHOD
-being used by
-.Fa rsa .
-.Pp
-The misleadingly named function
-.Fn RSA_flags
-returns the flags that are set for the current
-.Vt RSA_METHOD
-of
-.Fa rsa .
-The flags used by
-.Fa rsa
-itself can instead be tested with
-.Xr RSA_test_flags 3 .
-See the
-.Sx BUGS
-section for more details.
-.Pp
-.Fn RSA_new_method
-allocates and initializes an
-.Vt RSA
-structure.
-The
-.Fa engine
-argument is ignored and
-the default method controlled by
-.Fn RSA_set_default_method
-is used.
-.Pp
-The initial
-.Fa flags
-are copied from the
-.Vt RSA_METHOD
-object used and will not be affected by later changes to that object,
-but may be modified by the optional
-.Fa init
-function which may have been set up with
-.Xr RSA_meth_set_init 3
-and which is called just before returning from
-.Fn RSA_new_method .
-.Sh RETURN VALUES
-.Fn RSA_PKCS1_SSLeay ,
-.Fn RSA_get_default_method ,
-and
-.Fn RSA_get_method
-return pointers to the respective
-.Vt RSA_METHOD .
-.Pp
-.Fn RSA_set_method
-returns 1 on success or 0 on failure.
-Currently, it cannot fail.
-.Pp
-.Fn RSA_new_method
-returns
-.Dv NULL
-and sets an error code that can be obtained by
-.Xr ERR_get_error 3
-if the allocation fails.
-Otherwise it returns a pointer to the newly allocated structure.
-.Sh SEE ALSO
-.Xr RSA_meth_new 3 ,
-.Xr RSA_new 3
-.Sh HISTORY
-.Fn RSA_set_default_method ,
-.Fn RSA_PKCS1_SSLeay ,
-and
-.Fn RSA_new_method
-first appeared in SSLeay 0.8.0.
-.Fn RSA_flags
-first appeared in SSLeay 0.9.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn RSA_get_default_method ,
-.Fn RSA_set_method ,
-and
-.Fn RSA_get_method
-as well as the
-.Fa rsa_sign
-and
-.Fa rsa_verify
-components of
-.Vt RSA_METHOD
-first appeared in OpenSSL 0.9.4 and have been available since
-.Ox 2.6 .
-.Sh BUGS
-The behaviour of
-.Fn RSA_flags
-is a misfeature that is left as-is for now to avoid creating
-compatibility problems.
-RSA functionality, such as the encryption functions, are controlled by
-the
-.Fa flags
-value in the
-.Vt RSA
-key itself, not by the
-.Fa flags
-value in the
-.Vt RSA_METHOD
-attached to the RSA key (which is what this function returns).
-If the flags element of an
-.Vt RSA
-key is changed, the changes will be honoured by RSA functionality
-but will not be reflected in the return value of the
-.Fn RSA_flags
-function - in effect
-.Fn RSA_flags
-behaves more like an
-.Fn RSA_default_flags
-function, which does not
-currently exist.
diff --git a/src/lib/libcrypto/man/RSA_sign.3 b/src/lib/libcrypto/man/RSA_sign.3
deleted file mode 100644
index 65e9dc99b8..0000000000
--- a/src/lib/libcrypto/man/RSA_sign.3
+++ /dev/null
@@ -1,147 +0,0 @@
-.\"     $OpenBSD: RSA_sign.3,v 1.8 2019/06/10 14:58:48 schwarze Exp $
-.\"     OpenSSL aa90ca11 Aug 20 15:48:56 2016 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2005, 2014, 2015, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 10 2019 $
-.Dt RSA_SIGN 3
-.Os
-.Sh NAME
-.Nm RSA_sign ,
-.Nm RSA_verify
-.Nd RSA signatures
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft int
-.Fo RSA_sign
-.Fa "int type"
-.Fa "const unsigned char *m"
-.Fa "unsigned int m_len"
-.Fa "unsigned char *sigret"
-.Fa "unsigned int *siglen"
-.Fa "RSA *rsa"
-.Fc
-.Ft int
-.Fo RSA_verify
-.Fa "int type"
-.Fa "const unsigned char *m"
-.Fa "unsigned int m_len"
-.Fa "unsigned char *sigbuf"
-.Fa "unsigned int siglen"
-.Fa "RSA *rsa"
-.Fc
-.Sh DESCRIPTION
-.Fn RSA_sign
-signs the message digest
-.Fa m
-of size
-.Fa m_len
-using the private key
-.Fa rsa
-using RSASSA-PKCS1-v1_5 as specified in RFC 3447.
-It stores the signature in
-.Fa sigret
-and the signature size in
-.Fa siglen .
-.Fa sigret
-must point to
-.Fn RSA_size rsa
-bytes of memory.
-Note that PKCS #1 adds meta-data, placing limits on the size of the key
-that can be used.
-See
-.Xr RSA_private_encrypt 3
-for lower-level operations.
-.Pp
-.Fa type
-denotes the message digest algorithm that was used to generate
-.Fa m .
-If
-.Fa type
-is
-.Sy NID_md5_sha1 ,
-an SSL signature (MD5 and SHA1 message digests with PKCS #1 padding and
-no algorithm identifier) is created.
-.Pp
-.Fn RSA_verify
-verifies that the signature
-.Fa sigbuf
-of size
-.Fa siglen
-matches a given message digest
-.Fa m
-of size
-.Fa m_len .
-.Fa type
-denotes the message digest algorithm that was used to generate the
-signature.
-.Fa rsa
-is the signer's public key.
-.Sh RETURN VALUES
-.Fn RSA_sign
-returns 1 on success.
-.Fn RSA_verify
-returns 1 on successful verification.
-.Pp
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr RSA_meth_set_sign 3 ,
-.Xr RSA_new 3 ,
-.Xr RSA_private_encrypt 3 ,
-.Xr RSA_public_decrypt 3
-.Sh STANDARDS
-SSL, PKCS #1 v2.0
-.Sh HISTORY
-.Fn RSA_sign
-first appeared in SSLeay 0.4.4.
-.Fn RSA_verify
-first appeared in SSLeay 0.6.0.
-Both functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 b/src/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
deleted file mode 100644
index 34aef42c48..0000000000
--- a/src/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
+++ /dev/null
@@ -1,131 +0,0 @@
-.\"     $OpenBSD: RSA_sign_ASN1_OCTET_STRING.3,v 1.7 2019/06/10 14:58:48 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 10 2019 $
-.Dt RSA_SIGN_ASN1_OCTET_STRING 3
-.Os
-.Sh NAME
-.Nm RSA_sign_ASN1_OCTET_STRING ,
-.Nm RSA_verify_ASN1_OCTET_STRING
-.Nd RSA signatures
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft int
-.Fo RSA_sign_ASN1_OCTET_STRING
-.Fa "int dummy"
-.Fa "unsigned char *m"
-.Fa "unsigned int m_len"
-.Fa "unsigned char *sigret"
-.Fa "unsigned int *siglen"
-.Fa "RSA *rsa"
-.Fc
-.Ft int
-.Fo RSA_verify_ASN1_OCTET_STRING
-.Fa "int dummy"
-.Fa "unsigned char *m"
-.Fa "unsigned int m_len"
-.Fa "unsigned char *sigbuf"
-.Fa "unsigned int siglen"
-.Fa "RSA *rsa"
-.Fc
-.Sh DESCRIPTION
-.Fn RSA_sign_ASN1_OCTET_STRING
-signs the octet string
-.Fa m
-of size
-.Fa m_len
-using the private key
-.Fa rsa
-represented in DER using PKCS #1 padding.
-It stores the signature in
-.Fa sigret
-and the signature size in
-.Fa siglen .
-.Fa sigret
-must point to
-.Fn RSA_size rsa
-bytes of memory.
-.Pp
-.Fa dummy
-is ignored.
-.Pp
-.Fn RSA_verify_ASN1_OCTET_STRING
-verifies that the signature
-.Fa sigbuf
-of size
-.Fa siglen
-is the DER representation of a given octet string
-.Fa m
-of size
-.Fa m_len .
-.Fa dummy
-is ignored.
-.Fa rsa
-is the signer's public key.
-.Sh RETURN VALUES
-.Fn RSA_sign_ASN1_OCTET_STRING
-returns 1 on success or 0 otherwise.
-.Fn RSA_verify_ASN1_OCTET_STRING
-returns 1 on successful verification or 0 otherwise.
-.Pp
-The error codes can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr RSA_new 3 ,
-.Xr RSA_sign 3 ,
-.Xr RSA_verify 3
-.Sh HISTORY
-.Fn RSA_sign_ASN1_OCTET_STRING
-and
-.Fn RSA_verify_ASN1_OCTET_STRING
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Sh BUGS
-These functions serve no recognizable purpose.
diff --git a/src/lib/libcrypto/man/RSA_size.3 b/src/lib/libcrypto/man/RSA_size.3
deleted file mode 100644
index 8a552b4e67..0000000000
--- a/src/lib/libcrypto/man/RSA_size.3
+++ /dev/null
@@ -1,97 +0,0 @@
-.\" $OpenBSD: RSA_size.3,v 1.10 2022/07/13 21:51:35 schwarze Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org> and
-.\" Kurt Roeckx <kurt@roeckx.be>.
-.\" Copyright (c) 2000, 2002, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 13 2022 $
-.Dt RSA_SIZE 3
-.Os
-.Sh NAME
-.Nm RSA_size ,
-.Nm RSA_bits
-.Nd get the RSA modulus size
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft int
-.Fo RSA_size
-.Fa "const RSA *rsa"
-.Fc
-.Ft int
-.Fo RSA_bits
-.Fa "const RSA *rsa"
-.Fc
-.Sh DESCRIPTION
-.Fn RSA_size
-returns the RSA modulus size in bytes.
-It can be used to determine how much memory must be allocated for
-an RSA encrypted value.
-.Pp
-.Fn RSA_bits
-returns the number of significant bits.
-.Pp
-.Fa rsa
-and
-.Fa rsa->n
-must not be
-.Dv NULL .
-.Sh RETURN VALUES
-The size.
-.Sh SEE ALSO
-.Xr BN_num_bits 3 ,
-.Xr RSA_get0_key 3 ,
-.Xr RSA_new 3 ,
-.Xr RSA_security_bits 3
-.Sh HISTORY
-.Fn RSA_size
-first appeared in SSLeay 0.4.4 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn RSA_bits
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/SHA1.3 b/src/lib/libcrypto/man/SHA1.3
deleted file mode 100644
index 4ccb08157c..0000000000
--- a/src/lib/libcrypto/man/SHA1.3
+++ /dev/null
@@ -1,285 +0,0 @@
-.\"     $OpenBSD: SHA1.3,v 1.9 2024/06/01 12:35:23 tb Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org> and
-.\" Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2000, 2006, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 1 2024 $
-.Dt SHA1 3
-.Os
-.Sh NAME
-.Nm SHA1 ,
-.Nm SHA1_Init ,
-.Nm SHA1_Update ,
-.Nm SHA1_Final ,
-.Nm SHA224 ,
-.Nm SHA224_Init ,
-.Nm SHA224_Update ,
-.Nm SHA224_Final ,
-.Nm SHA256 ,
-.Nm SHA256_Init ,
-.Nm SHA256_Update ,
-.Nm SHA256_Final ,
-.Nm SHA384 ,
-.Nm SHA384_Init ,
-.Nm SHA384_Update ,
-.Nm SHA384_Final ,
-.Nm SHA512 ,
-.Nm SHA512_Init ,
-.Nm SHA512_Update ,
-.Nm SHA512_Final
-.Nd Secure Hash Algorithm
-.Sh SYNOPSIS
-.In openssl/sha.h
-.Ft unsigned char *
-.Fo SHA1
-.Fa "const unsigned char *d"
-.Fa "size_t n"
-.Fa "unsigned char *md"
-.Fc
-.Ft int
-.Fo SHA1_Init
-.Fa "SHA_CTX *c"
-.Fc
-.Ft int
-.Fo SHA1_Update
-.Fa "SHA_CTX *c"
-.Fa "const void *data"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo SHA1_Final
-.Fa "unsigned char *md"
-.Fa "SHA_CTX *c"
-.Fc
-.Ft unsigned char *
-.Fo SHA224
-.Fa "const unsigned char *d"
-.Fa "size_t n"
-.Fa "unsigned char *md"
-.Fc
-.Ft int
-.Fo SHA224_Init
-.Fa "SHA256_CTX *c"
-.Fc
-.Ft int
-.Fo SHA224_Update
-.Fa "SHA256_CTX *c"
-.Fa "const void *data"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo SHA224_Final
-.Fa "unsigned char *md"
-.Fa "SHA256_CTX *c"
-.Fc
-.Ft unsigned char *
-.Fo SHA256
-.Fa "const unsigned char *d"
-.Fa "size_t n"
-.Fa "unsigned char *md"
-.Fc
-.Ft int
-.Fo SHA256_Init
-.Fa "SHA256_CTX *c"
-.Fc
-.Ft int
-.Fo SHA256_Update
-.Fa "SHA256_CTX *c"
-.Fa "const void *data"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo SHA256_Final
-.Fa "unsigned char *md"
-.Fa "SHA256_CTX *c"
-.Fc
-.Ft unsigned char *
-.Fo SHA384
-.Fa "const unsigned char *d"
-.Fa "size_t n"
-.Fa "unsigned char *md"
-.Fc
-.Ft int
-.Fo SHA384_Init
-.Fa "SHA512_CTX *c"
-.Fc
-.Ft int
-.Fo SHA384_Update
-.Fa "SHA512_CTX *c"
-.Fa "const void *data"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo SHA384_Final
-.Fa "unsigned char *md"
-.Fa "SHA512_CTX *c"
-.Fc
-.Ft unsigned char *
-.Fo SHA512
-.Fa "const unsigned char *d"
-.Fa "size_t n"
-.Fa "unsigned char *md"
-.Fc
-.Ft int
-.Fo SHA512_Init
-.Fa "SHA512_CTX *c"
-.Fc
-.Ft int
-.Fo SHA512_Update
-.Fa "SHA512_CTX *c"
-.Fa "const void *data"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo SHA512_Final
-.Fa "unsigned char *md"
-.Fa "SHA512_CTX *c"
-.Fc
-.Sh DESCRIPTION
-SHA-1 (Secure Hash Algorithm) is a cryptographic hash function with a
-160-bit output.
-.Pp
-.Fn SHA1
-computes the SHA-1 message digest of the
-.Fa n
-bytes at
-.Fa d
-and places it in
-.Fa md ,
-which must have space for
-.Dv SHA_DIGEST_LENGTH
-== 20 bytes of output.
-.Pp
-The following functions may be used if the message is not completely
-stored in memory:
-.Pp
-.Fn SHA1_Init
-initializes a
-.Vt SHA_CTX
-structure.
-.Pp
-.Fn SHA1_Update
-can be called repeatedly with chunks of the message to be hashed
-.Pq Fa len No bytes at Fa data .
-.Pp
-.Fn SHA1_Final
-places the message digest in
-.Fa md ,
-which must have space for
-.Dv SHA_DIGEST_LENGTH
-== 20 bytes of output, and erases the
-.Vt SHA_CTX .
-.Pp
-The SHA224, SHA256, SHA384, and SHA512 families of functions operate
-in the same way as the SHA1 functions.
-Note that SHA224 and SHA256 use a
-.Vt SHA256_CTX
-object instead of
-.Vt SHA_CTX ,
-and SHA384 and SHA512 use
-.Vt SHA512_CTX .
-The buffer
-.Fa md
-must have space for the output from the SHA variant being used:
-.Dv SHA224_DIGEST_LENGTH ,
-.Dv SHA256_DIGEST_LENGTH ,
-.Dv SHA384_DIGEST_LENGTH ,
-or
-.Dv SHA512_DIGEST_LENGTH
-bytes.
-.Pp
-Applications should use the higher level functions
-.Xr EVP_DigestInit 3
-etc.  instead of calling the hash functions directly.
-.Sh RETURN VALUES
-.Fn SHA1 ,
-.Fn SHA224 ,
-.Fn SHA256 ,
-.Fn SHA384 ,
-and
-.Fn SHA512
-return a pointer to the hash value.
-The other functions return 1 for success or 0 otherwise.
-.Sh SEE ALSO
-.Xr EVP_DigestInit 3 ,
-.Xr HMAC 3 ,
-.Xr RIPEMD160 3
-.Sh STANDARDS
-.Rs
-.%T Secure Hash Standard (SHS)
-.%R NIST FIPS Publication
-.%N 180-4
-.%U https://doi.org/10.6028/NIST.FIPS.180-4
-.%D 2015
-.Re
-.Sh HISTORY
-.Fn SHA1 ,
-.Fn SHA1_Init ,
-.Fn SHA1_Update ,
-and
-.Fn SHA1_Final
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-The other functions first appeared in OpenSSL 0.9.8
-and have been available since
-.Ox 4.5 .
-.Sh CAVEATS
-Other implementations allow
-.Fa md
-in
-.Fn SHA1 ,
-.Fn SHA224 ,
-.Fn SHA256 ,
-.Fn SHA384 ,
-and
-.Fn SHA512
-to be
-.Dv NULL
-and return a static array, which is not thread safe.
diff --git a/src/lib/libcrypto/man/SMIME_crlf_copy.3 b/src/lib/libcrypto/man/SMIME_crlf_copy.3
deleted file mode 100644
index 3b46138473..0000000000
--- a/src/lib/libcrypto/man/SMIME_crlf_copy.3
+++ /dev/null
@@ -1,96 +0,0 @@
-.\" $OpenBSD: SMIME_crlf_copy.3,v 1.3 2023/05/01 07:28:11 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: May 1 2023 $
-.Dt SMIME_CRLF_COPY 3
-.Os
-.Sh NAME
-.Nm SMIME_crlf_copy
-.Nd buffered copy between BIOs
-.Sh SYNOPSIS
-.Ft int
-.Fo SMIME_crlf_copy
-.Fa "BIO *in_bio"
-.Fa "BIO *out_bio"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn SMIME_crlf_copy
-copies data from
-.Fa in_bio
-to
-.Fa out_bio .
-To avoid many small write operations on
-.Fa out_bio ,
-a buffering BIO created with
-.Xr BIO_f_buffer 3
-is temporarily prepended to it.
-.Pp
-If the bit
-.Dv SMIME_BINARY
-is set in the
-.Fa flags
-argument, all the data is copied verbatim using
-.Xr BIO_read 3
-and
-.Xr BIO_write 3 .
-.Pp
-Otherwise, the data is read as text.
-All trailing carriage return and newline characters are discarded
-from every input line and a single pair of carriage return and
-newline characters is appended to mark the end of every output line,
-except that the last output line will end without such a pair if
-the last input line does not have a newline character at the end.
-.Pp
-If the bit
-.Dv SMIME_TEXT
-is set in the
-.Fa flags
-argument and the bit
-.Dv SMIME_BINARY
-is not set, the line
-.Qq Content-Type: text/plain
-is prepended to the output
-with two pairs of carriage return and newline characters after it.
-.Pp
-In any case,
-.Xr BIO_flush 3
-is called on the output at the end of the function.
-.Sh RETURN VALUES
-.Fn SMIME_crlf_copy
-is intended to return 1 on success or 0 on failure.
-.Sh SEE ALSO
-.Xr BIO_f_buffer 3 ,
-.Xr BIO_flush 3 ,
-.Xr BIO_new 3 ,
-.Xr BIO_push 3 ,
-.Xr BIO_read 3 ,
-.Xr SMIME_text 3 ,
-.Xr SMIME_write_ASN1 3
-.Sh HISTORY
-.Fn SMIME_crlf_copy
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
-.Sh BUGS
-.Fn SMIME_crlf_copy
-silently ignores most errors and may return 1
-even if it lost part or all of the data in transit.
-.Pp
-Only blocking BIOs are supported.
-If any of the
-.Vt BIO
-arguments is non-blocking, part or all of the data is likely
-to be silently lost in transit.
diff --git a/src/lib/libcrypto/man/SMIME_read_ASN1.3 b/src/lib/libcrypto/man/SMIME_read_ASN1.3
deleted file mode 100644
index 320064567c..0000000000
--- a/src/lib/libcrypto/man/SMIME_read_ASN1.3
+++ /dev/null
@@ -1,124 +0,0 @@
-.\" $OpenBSD: SMIME_read_ASN1.3,v 1.2 2021/12/14 15:22:49 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL SMIME_read_PKCS7.pod 83cf7abf May 29 13:07:08 2018 +0100
-.\" OpenSSL SMIME_read_CMS.pod b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2006, 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 14 2021 $
-.Dt SMIME_READ_ASN1 3
-.Os
-.Sh NAME
-.Nm SMIME_read_ASN1
-.Nd generic S/MIME message parser
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_VALUE *
-.Fo SMIME_read_ASN1
-.Fa "BIO *in_bio"
-.Fa "BIO **out_bio"
-.Fa "const ASN1_ITEM *it"
-.Fc
-.Sh DESCRIPTION
-.Fn SMIME_read_ASN1
-reads a message in S/MIME format from
-.Fa in_bio .
-.Pp
-If the message uses cleartext signing, the content is saved in a memory
-.Vt BIO
-which is written to
-.Pf * Fa out_bio .
-Otherwise,
-.Pf * Fa out_bio
-is set to
-.Dv NULL .
-.Pp
-To support future functionality, if
-.Fa out_bio
-is not
-.Dv NULL ,
-.Pf * Fa out_bio
-should be initialized to
-.Dv NULL
-before calling
-.Fn SMIME_read_ASN1 .
-.Sh RETURN VALUES
-.Fn SMIME_read_ASN1
-returns a newly allocated object of type
-.Fa it
-or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr ASN1_item_d2i_bio 3 ,
-.Xr BIO_f_base64 3 ,
-.Xr BIO_new 3 ,
-.Xr SMIME_read_CMS 3 ,
-.Xr SMIME_read_PKCS7 3 ,
-.Xr SMIME_text 3
-.Sh HISTORY
-.Fn SMIME_read_ASN1
-first appeared in OpenSSL 0.9.8h and has been available since
-.Ox 4.5 .
-.Sh BUGS
-The MIME parser used by
-.Fn SMIME_read_ASN1
-is somewhat primitive.
-While it will handle most S/MIME messages, more complex compound
-formats may not work.
-.Pp
-The parser assumes that the
-structure is always base64 encoded, and it will not handle the case
-where it is in binary format or uses quoted printable format.
-.Pp
-The use of a memory
-to hold the signed content limits the size of the message which can
-be processed due to memory restraints: a streaming single pass
-option should be available.
diff --git a/src/lib/libcrypto/man/SMIME_read_CMS.3 b/src/lib/libcrypto/man/SMIME_read_CMS.3
deleted file mode 100644
index e1b1d07499..0000000000
--- a/src/lib/libcrypto/man/SMIME_read_CMS.3
+++ /dev/null
@@ -1,132 +0,0 @@
-.\" $OpenBSD: SMIME_read_CMS.3,v 1.7 2021/12/14 14:30:50 schwarze Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 14 2021 $
-.Dt SMIME_READ_CMS 3
-.Os
-.Sh NAME
-.Nm SMIME_read_CMS
-.Nd extract CMS ContentInfo from an S/MIME message
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_ContentInfo *
-.Fo SMIME_read_CMS
-.Fa "BIO *in"
-.Fa "BIO **bcont"
-.Fc
-.Sh DESCRIPTION
-.Fn SMIME_read_CMS
-parses a message in S/MIME format from
-.Fa in .
-.Pp
-If the message uses cleartext signing, the content is saved in a memory BIO
-which is written to
-.Pf * Fa bcont
-and which can then be passed to
-.Xr CMS_verify 3
-with the
-.Dv CMS_DETACHED
-flag set.
-Otherwise,
-.Pf * Fa bcont
-is set to
-.Dv NULL
-and the type of the returned structure can be determined using
-.Xr CMS_get0_type 3 .
-.Pp
-To support future functionality if
-.Fa bcont
-is not
-.Dv NULL ,
-.Pf * Fa bcont
-should be initialized to
-.Dv NULL ,
-for example:
-.Bd -literal -offset indent
-BIO *cont = NULL;
-CMS_ContentInfo *cms = SMIME_read_CMS(in, &cont);
-.Ed
-.Sh RETURN VALUES
-.Fn SMIME_read_CMS
-returns a valid
-.Vt CMS_ContentInfo
-structure or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_decrypt 3 ,
-.Xr CMS_get0_type 3 ,
-.Xr CMS_verify 3 ,
-.Xr d2i_CMS_ContentInfo 3 ,
-.Xr SMIME_read_ASN1 3 ,
-.Xr SMIME_write_CMS 3
-.Sh HISTORY
-.Fn SMIME_read_CMS
-first appeared in OpenSSL 0.9.8h
-and has been available since
-.Ox 6.7 .
-.Sh BUGS
-The MIME parser used by
-.Fn SMIME_read_CMS
-is somewhat primitive.
-While it will handle most S/MIME messages, more complex compound formats
-may not work.
-.Pp
-The parser assumes that the
-.Vt CMS_ContentInfo
-structure is always base64 encoded and will not handle the case
-where it is in binary format or uses quoted printable format.
-.Pp
-The use of a memory BIO to hold the signed content limits the size of
-the message which can be processed due to memory restraints: a streaming
-single pass option should be available.
diff --git a/src/lib/libcrypto/man/SMIME_read_PKCS7.3 b/src/lib/libcrypto/man/SMIME_read_PKCS7.3
deleted file mode 100644
index dbe2765b8b..0000000000
--- a/src/lib/libcrypto/man/SMIME_read_PKCS7.3
+++ /dev/null
@@ -1,150 +0,0 @@
-.\" $OpenBSD: SMIME_read_PKCS7.3,v 1.8 2021/12/14 14:30:50 schwarze Exp $
-.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2006 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 14 2021 $
-.Dt SMIME_READ_PKCS7 3
-.Os
-.Sh NAME
-.Nm SMIME_read_PKCS7
-.Nd extract a PKCS#7 object from an S/MIME message
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft PKCS7 *
-.Fo SMIME_read_PKCS7
-.Fa "BIO *in"
-.Fa "BIO **bcont"
-.Fc
-.Sh DESCRIPTION
-.Fn SMIME_read_PKCS7
-parses a message in S/MIME format.
-.Pp
-.Fa in
-is a
-.Vt BIO
-to read the message from.
-.Pp
-If cleartext signing is used, then the content is saved in a memory
-.Vt BIO
-which is written to
-.Pf * Fa bcont ,
-otherwise
-.Pf * Fa bcont
-is set to
-.Dv NULL .
-.Pp
-The parsed PKCS#7 structure is returned, or
-.Dv NULL
-if an error occurred.
-.Pp
-If
-.Pf * Fa bcont
-is not
-.Dv NULL ,
-then the message is clear text signed.
-.Pf * Fa bcont
-can then be passed to
-.Xr PKCS7_verify 3
-with the
-.Dv PKCS7_DETACHED
-flag set.
-.Pp
-Otherwise the type of the returned structure can be determined using the
-.Fn PKCS7_type_is_*
-macros defined in
-.In openssl/pkcs7.h .
-.Pp
-To support future functionality, if
-.Fa bcont
-is not
-.Dv NULL ,
-.Pf * Fa bcont
-should be initialized to
-.Dv NULL .
-For example:
-.Bd -literal -offset indent
-BIO *cont = NULL;
-PKCS7 *p7;
-
-p7 = SMIME_read_PKCS7(in, &cont);
-.Ed
-.Sh RETURN VALUES
-.Fn SMIME_read_PKCS7
-returns a valid
-.Vt PKCS7
-structure or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr PKCS7_new 3 ,
-.Xr SMIME_read_ASN1 3 ,
-.Xr SMIME_write_PKCS7 3
-.Sh HISTORY
-.Fn SMIME_read_PKCS7
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Sh BUGS
-The MIME parser used by
-.Fn SMIME_read_PKCS7
-is somewhat primitive.
-While it will handle most S/MIME messages, more complex compound
-formats may not work.
-.Pp
-The parser assumes that the
-.Vt PKCS7
-structure is always base64 encoded, and it will not handle the case
-where it is in binary format or uses quoted printable format.
-.Pp
-The use of a memory
-.Vt BIO
-to hold the signed content limits the size of the message which can
-be processed due to memory restraints: a streaming single pass
-option should be available.
diff --git a/src/lib/libcrypto/man/SMIME_text.3 b/src/lib/libcrypto/man/SMIME_text.3
deleted file mode 100644
index a4c9689925..0000000000
--- a/src/lib/libcrypto/man/SMIME_text.3
+++ /dev/null
@@ -1,57 +0,0 @@
-.\" $OpenBSD: SMIME_text.3,v 1.1 2021/12/14 15:22:49 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 14 2021 $
-.Dt SMIME_TEXT 3
-.Os
-.Sh NAME
-.Nm SMIME_text
-.Nd remove text/plain MIME headers
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft int
-.Fo SMIME_text
-.Fa "BIO *in_bio"
-.Fa "BIO *out_bio"
-.Fc
-.Sh DESCRIPTION
-.Fn SMIME_text
-reads MIME headers from
-.Fa in_bio ,
-checks that the content type is
-.Dq text/plain ,
-discards the MIME headers,
-and copies the text that follows the headers from
-.Fa in_bio
-to
-.Fa out_bio .
-.Sh RETURN VALUES
-.Fn SMIME_text
-returns 1 on success or 0 if memory allocation, reading the input,
-or parsing the MIME headers fails, if there is no
-.Dq content-type
-header, or if the content type is not
-.Dq text/plain .
-.Sh SEE ALSO
-.Xr SMIME_crlf_copy 3 ,
-.Xr SMIME_read_ASN1 3
-.Sh HISTORY
-.Fn SMIME_text
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
-.Sh CAVEATS
-.Fn SMIME_text
-does not support non-blocking BIOs.
diff --git a/src/lib/libcrypto/man/SMIME_write_ASN1.3 b/src/lib/libcrypto/man/SMIME_write_ASN1.3
deleted file mode 100644
index a02fa58570..0000000000
--- a/src/lib/libcrypto/man/SMIME_write_ASN1.3
+++ /dev/null
@@ -1,163 +0,0 @@
-.\" $OpenBSD: SMIME_write_ASN1.3,v 1.2 2023/05/01 07:28:11 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: May 1 2023 $
-.Dt SMIME_WRITE_ASN1 3
-.Os
-.Sh NAME
-.Nm SMIME_write_ASN1
-.Nd generate an S/MIME message
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft int
-.Fo SMIME_write_ASN1
-.Fa "BIO *out_bio"
-.Fa "ASN1_VALUE *val_in"
-.Fa "BIO *in_bio"
-.Fa "int flags"
-.Fa "int ctype_nid"
-.Fa "int econt_nid"
-.Fa "STACK_OF(X509_ALGOR) *micalg"
-.Fa "const ASN1_ITEM *it"
-.Fc
-.Sh DESCRIPTION
-.Fn SMIME_write_ASN1
-generates an S/MIME message on
-.Fa out_bio
-by writing MIME 1.0 headers
-followed by a BER- and base64-encoded serialization of
-.Fa val_in ,
-which can be of the type
-.Vt CMS_ContentInfo
-or
-.Vt PKCS7
-and has to match the
-.Fa it
-argument.
-.Pp
-The
-.Fa flags
-can be the logical OR of zero or more of the following bits:
-.Bl -tag -width Ds
-.It Dv PKCS7_REUSE_DIGEST
-Skip the calls to
-.Xr PKCS7_dataInit 3
-and
-.Xr PKCS7_dataFinal 3 .
-This flag has no effect unless
-.Dv SMIME_DETACHED
-is also set.
-It is normally used if
-.Fa out_bio
-is already set up to calculate and finalize the digest when written through.
-.It Dv SMIME_BINARY
-If specified, this flag is passed through to
-.Xr SMIME_crlf_copy 3 .
-.It Dv SMIME_CRLFEOL
-End MIME header lines with pairs of carriage return and newline characters.
-By default, no carriage return characters are written
-and header lines are ended with newline characters only.
-.It Dv SMIME_DETACHED
-Use cleartext signing.
-Generate a
-.Qq multipart/signed
-S/MIME message using the
-.Fa micalg
-argument and ignoring the
-.Fa ctype_nid
-and
-.Fa econt_nid
-arguments.
-The content is read from
-.Fa in_bio .
-If
-.Fa in_bio
-is a
-.Dv NULL
-pointer, this flag is ignored.
-.Pp
-If this flag is ignored or not specified,
-the smime-type is chosen according to
-.Fa ctype_nid
-instead:
-.Bl -tag -width Ds
-.It Dv NID_pkcs7_enveloped
-.Qq enveloped-data
-.It Dv NID_pkcs7_signed
-.Qq signed-receipt
-if
-.Fa econt_nid
-is
-.Dv NID_id_smime_ct_receipt
-.br
-.Qq signed-data
-if
-.Fa micalg
-is not empty
-.br
-.Qq certs-only
-if
-.Fa micalg
-is empty
-.It Dv NID_id_smime_ct_compressedData
-.Qq compressed-data
-.El
-.It Dv SMIME_OLDMIME
-In Content-Type headers, use
-.Qq application/x-pkcs7-mime
-or
-.Qq application/x-pkcs7-signature .
-By default,
-.Qq application/pkcs7-mime
-or
-.Qq application/pkcs7-signature
-are used instead.
-.It Dv SMIME_STREAM
-Perform streaming by reading the content from
-.Fa in_bio .
-This only works if
-.Dv SMIME_DETACHED
-is not specified.
-.It SMIME_TEXT
-Prepend the line
-.Qq Content-Type: text/plain
-to the content.
-This only makes sense if
-.Dv SMIME_DETACHED
-is also set.
-It is ignored if the flag
-.Dv SMIME_BINARY
-is also set.
-.El
-.Sh RETURN VALUES
-.Fn SMIME_write_ASN1
-is intended to return 1 on success or 0 on failure.
-.Sh SEE ALSO
-.Xr ASN1_item_i2d_bio 3 ,
-.Xr BIO_f_base64 3 ,
-.Xr BIO_new 3 ,
-.Xr SMIME_crlf_copy 3 ,
-.Xr SMIME_write_CMS 3 ,
-.Xr SMIME_write_PKCS7 3 ,
-.Xr X509_ALGOR_new 3
-.Sh HISTORY
-.Fn SMIME_write_ASN1
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
-.Sh BUGS
-.Fn SMIME_write_ASN1
-ignores most errors and is likely to return 1
-even after producing corrupt or incomplete output.
diff --git a/src/lib/libcrypto/man/SMIME_write_CMS.3 b/src/lib/libcrypto/man/SMIME_write_CMS.3
deleted file mode 100644
index c2c6b77e53..0000000000
--- a/src/lib/libcrypto/man/SMIME_write_CMS.3
+++ /dev/null
@@ -1,133 +0,0 @@
-.\" $OpenBSD: SMIME_write_CMS.3,v 1.6 2021/12/13 17:24:39 schwarze Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 13 2021 $
-.Dt SMIME_WRITE_CMS 3
-.Os
-.Sh NAME
-.Nm SMIME_write_CMS
-.Nd convert CMS structure to S/MIME format
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo SMIME_write_CMS
-.Fa "BIO *out"
-.Fa "CMS_ContentInfo *cms"
-.Fa "BIO *data"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn SMIME_write_CMS
-adds the appropriate MIME headers to the
-.Fa cms
-structure to produce an S/MIME message and writes it to
-.Fa out .
-If streaming is enabled, the content must be supplied in the
-.Fa data
-argument.
-.Pp
-The following
-.Fa flags
-can be passed:
-.Bl -tag -width Ds
-.It Dv CMS_DETACHED
-Use cleartext signing.
-This option only makes sense if
-.Fa cms
-is of the type
-.Vt SignedData
-and
-.Dv CMS_DETACHED
-was also set when it was created with
-.Xr CMS_sign 3 .
-.Pp
-If
-.Dv CMS_STREAM
-is not set, the data must be read twice:
-once to compute the signature in
-.Xr CMS_sign 3
-and once to output the S/MIME message.
-.It Dv CMS_TEXT
-Add MIME headers for type text/plain to the content.
-This only makes sense if
-.Dv CMS_DETACHED
-is also set.
-.It Dv CMS_STREAM
-Perform streaming.
-This flag should only be set if
-.Dv CMS_STREAM
-was also passed to the function that created
-.Fa cms .
-.Pp
-The content is output in BER format using indefinite length
-constructed encoding except in the case of
-.Vt SignedData
-with detached content where the content is absent and DER format is
-used.
-.El
-.Sh RETURN VALUES
-.Fn SMIME_write_CMS
-returns 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_encrypt 3 ,
-.Xr CMS_sign 3 ,
-.Xr d2i_CMS_ContentInfo 3 ,
-.Xr ERR_get_error 3 ,
-.Xr SMIME_write_ASN1 3
-.Sh HISTORY
-.Fn SMIME_write_CMS
-first appeared in OpenSSL 0.9.8h
-and has been available since
-.Ox 6.7 .
-.Sh BUGS
-.Fn SMIME_write_CMS
-always base64 encodes CMS structures.
-There should be an option to disable this.
diff --git a/src/lib/libcrypto/man/SMIME_write_PKCS7.3 b/src/lib/libcrypto/man/SMIME_write_PKCS7.3
deleted file mode 100644
index c1a9f051d0..0000000000
--- a/src/lib/libcrypto/man/SMIME_write_PKCS7.3
+++ /dev/null
@@ -1,184 +0,0 @@
-.\" $OpenBSD: SMIME_write_PKCS7.3,v 1.9 2021/12/14 15:46:48 schwarze Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2003, 2006, 2007, 2015 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 14 2021 $
-.Dt SMIME_WRITE_PKCS7 3
-.Os
-.Sh NAME
-.Nm SMIME_write_PKCS7
-.Nd convert PKCS#7 structure to S/MIME format
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft int
-.Fo SMIME_write_PKCS7
-.Fa "BIO *out"
-.Fa "PKCS7 *p7"
-.Fa "BIO *data"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn SMIME_write_PKCS7
-adds the appropriate MIME headers to a PKCS#7 structure to produce an
-S/MIME message.
-.Pp
-.Fa out
-is the
-.Vt BIO
-to write the data to.
-.Fa p7
-is the appropriate
-.Vt PKCS7
-structure.
-If streaming is enabled, then the content must be supplied in the
-.Fa data
-argument.
-.Fa flags
-is an optional set of flags.
-.Pp
-The following flags can be passed in the
-.Fa flags
-parameter.
-.Pp
-If
-.Dv PKCS7_DETACHED
-is set, then cleartext signing will be used.
-This option only makes sense for signedData where
-.Dv PKCS7_DETACHED
-is also set when
-.Xr PKCS7_sign 3
-is also called.
-.Pp
-If the
-.Dv PKCS7_TEXT
-flag is set, MIME headers for type
-.Sy text/plain
-are added to the content.
-This only makes sense if
-.Dv PKCS7_DETACHED
-is also set.
-.Pp
-If the
-.Dv PKCS7_STREAM
-flag is set, streaming is performed.
-This flag should only be set if
-.Dv PKCS7_STREAM
-was also set in the previous call to
-.Xr PKCS7_sign 3
-or
-.Xr PKCS7_encrypt 3 .
-.Pp
-The bit
-.Dv SMIME_OLDMIME
-is inverted before passing on the
-.Fa flags
-to
-.Xr SMIME_write_ASN1 3 .
-Consequently, if this bit is set in the
-.Fa flags
-argument,
-.Qq application/pkcs7-mime
-or
-.Qq application/pkcs7-signature
-is used in Content-Type headers.
-Otherwise,
-.Qq application/x-pkcs7-mime
-or
-.Qq application/x-pkcs7-signature
-is used.
-.Pp
-If cleartext signing is being used and
-.Dv PKCS7_STREAM
-is not set, then the data must be read twice: once to compute the
-signature in
-.Xr PKCS7_sign 3
-and once to output the S/MIME message.
-.Pp
-If streaming is performed, the content is output in BER format using
-indefinite length constructed encoding except in the case of signed
-data with detached content where the content is absent and DER
-format is used.
-.Sh RETURN VALUES
-Upon successful completion, 1 is returned;
-otherwise 0 is returned and an error code can be retrieved with
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr i2d_PKCS7_bio_stream 3 ,
-.Xr PEM_write_bio_PKCS7_stream 3 ,
-.Xr PEM_write_PKCS7 3 ,
-.Xr PKCS7_final 3 ,
-.Xr PKCS7_new 3 ,
-.Xr SMIME_read_PKCS7 3 ,
-.Xr SMIME_write_ASN1 3
-.Sh HISTORY
-.Fn SMIME_write_PKCS7
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Sh BUGS
-.Fn SMIME_write_PKCS7
-always base64 encodes PKCS#7 structures.
-There should be an option to disable this.
diff --git a/src/lib/libcrypto/man/STACK_OF.3 b/src/lib/libcrypto/man/STACK_OF.3
deleted file mode 100644
index 4c627eed9b..0000000000
--- a/src/lib/libcrypto/man/STACK_OF.3
+++ /dev/null
@@ -1,207 +0,0 @@
-.\" $OpenBSD: STACK_OF.3,v 1.5 2021/10/24 13:10:46 schwarze Exp $
-.\"
-.\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 24 2021 $
-.Dt STACK_OF 3
-.Os
-.Sh NAME
-.Nm STACK_OF
-.Nd variable-sized arrays of pointers, called OpenSSL stacks
-.Sh SYNOPSIS
-.In openssl/safestack.h
-.Fn STACK_OF type
-.Sh DESCRIPTION
-The
-.In openssl/safestack.h
-header provides a fragile, unusually complicated system of
-macro-generated wrappers around the functions described in the
-.Xr OPENSSL_sk_new 3
-manual page.
-It is intended to implement superficially type-safe variable-sized
-arrays of pointers, somewhat misleadingly called
-.Dq stacks
-by OpenSSL.
-Due to the excessive number of API functions, it is impossible to
-properly document this system.
-In particular, calling
-.Xr man 1
-for any of the functions operating on stacks cannot yield any result.
-.Pp
-Unfortunately, application programs can hardly avoid using the concept
-because several important OpenSSL APIs rely on it; see the
-.Sx SEE ALSO
-section for examples.
-Even though both pages are more complicated than any manual page
-ought to be, using the concept safely requires a complete understanding
-of all the details in both this manual page and in
-.Xr OPENSSL_sk_new 3 .
-.Pp
-The
-.Fn STACK_OF
-macro takes a
-.Fa type
-name as its argument, typically the name of a type
-that has been defined as an alias for a specific
-.Vt struct
-type using a
-.Sy typedef
-declaration.
-It expands to an incomplete
-.Vt struct
-type which is intended to represent a
-.Dq stack
-of objects of the given
-.Fa type .
-That type does not actually exist, so it is not possible to define,
-for example, an automatic variable
-.Ql STACK_OF(X509) my_certificates ;
-it is only possible to define pointers to stacks, for example
-.Ql STACK_OF(X509) *my_certificates .
-The only way such pointers can ever be used is by wrapper functions
-casting them to the type
-.Vt _STACK *
-described in
-.Xr OPENSSL_sk_new 3 .
-.Pp
-For a considerable number of types, OpenSSL provides one wrapper
-function for each function described in
-.Xr OPENSSL_sk_new 3 .
-The names of these wrapper functions are usually constructed by
-inserting the name of the type and an underscore after the
-.Sq sk_
-prefix of the function name.
-Usually, where the real functions take
-.Vt void *
-arguments, the wrappers take pointers to the
-.Fa type
-in questions, and where the real functions take
-.Vt _STACK *
-arguments, the wrappers take pointers to
-.Fn STACK_OF type .
-The same applies to return values.
-Various exceptions to all this exist, but the above applies to
-all the types listed below.
-.Pp
-Using the above may make sense for the following types because
-public API functions exist that take stacks of these types as
-arguments or return them:
-.Vt ASN1_INTEGER ,
-.Vt ASN1_OBJECT ,
-.Vt ASN1_UTF8STRING ,
-.Vt CMS_RecipientInfo ,
-.Vt CMS_SignerInfo ,
-.Vt CONF_VALUE ,
-.Vt GENERAL_NAMES ,
-.Vt GENERAL_SUBTREE ,
-.Vt OPENSSL_STRING Pq which is just Vt char * ,
-.Vt PKCS12_SAFEBAG ,
-.Vt PKCS7 ,
-.Vt PKCS7_RECIP_INFO ,
-.Vt PKCS7_SIGNER_INFO ,
-.Vt POLICYQUALINFO ,
-.Vt SRTP_PROTECTION_PROFILE ,
-.Vt SSL_CIPHER ,
-.Vt SSL_COMP ,
-.Vt X509 ,
-.Vt X509_ALGOR ,
-.Vt X509_ATTRIBUTE ,
-.Vt X509_CRL ,
-.Vt X509_EXTENSION ,
-.Vt X509_INFO ,
-.Vt X509_NAME ,
-.Vt X509_OBJECT ,
-.Vt X509_POLICY_NODE ,
-.Vt X509_REVOKED .
-.Pp
-Additionally, some public API functions use the following types
-which are declared with
-.Sy typedef :
-.Bl -column STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS
-.It Vt STACK_OF(ACCESS_DESCRIPTION) Ta Vt AUTHORITY_INFO_ACCESS
-.It Vt STACK_OF(ASN1_OBJECT)        Ta Vt EXTENDED_KEY_USAGE
-.It Vt STACK_OF(ASN1_TYPE)          Ta Vt ASN1_SEQUENCE_ANY
-.It Vt STACK_OF(DIST_POINT)         Ta Vt CRL_DIST_POINTS
-.It Vt STACK_OF(GENERAL_NAME)       Ta Vt GENERAL_NAMES
-.It Vt STACK_OF(IPAddressFamily)    Ta Vt IPAddrBlocks
-.It Vt STACK_OF(POLICY_MAPPING)     Ta Vt POLICY_MAPPINGS
-.It Vt STACK_OF(POLICYINFO)         Ta Vt CERTIFICATEPOLICIES
-.It Vt STACK_OF(X509_ALGOR)         Ta Vt X509_ALGORS
-.It Vt STACK_OF(X509_EXTENSION)     Ta Vt X509_EXTENSIONS
-.El
-.Pp
-Even though the OpenSSL headers declare wrapper functions for many
-more types and even though the OpenSSL documentation says that users
-can declare their own stack types, using
-.Fn STACK_OF
-with any type not listed here is strongly discouraged.
-For other types, there may be subtle, undocumented differences
-in syntax and semantics, and attempting to declare custom stack
-types is very error prone; using plain C arrays of pointers to
-the desired type is much simpler and less dangerous.
-.Sh EXAMPLES
-The following program creates a certificate object, puts two
-pointers to it on a stack, and uses
-.Xr X509_free 3
-to clean up properly:
-.Bd -literal
-#include <err.h>
-#include <stdio.h>
-#include <openssl/x509.h>
-
-int
-main(void)
-{
-        STACK_OF(X509)  *stack;
-        X509            *x;
-
-        if ((stack = sk_X509_new_null()) == NULL)
-                err(1, NULL);
-        if ((x = X509_new()) == NULL)
-                err(1, NULL);
-        if (sk_X509_push(stack, x) == 0)
-                err(1, NULL);
-        if (X509_up_ref(x) == 0)
-                errx(1, "X509_up_ref failed");
-        if (sk_X509_push(stack, x) == 0)
-                err(1, NULL);
-        printf("%d pointers: %p, %p\en", sk_X509_num(stack),
-            sk_X509_value(stack, 0), sk_X509_value(stack, 1));
-        sk_X509_pop_free(stack, X509_free);
-
-        return 0;
-}
-.Ed
-.Pp
-The output looks similar to:
-.Pp
-.Dl 2 pointers: 0x4693ff24c00, 0x4693ff24c00
-.Sh SEE ALSO
-.Xr crypto 3 ,
-.Xr OCSP_request_sign 3 ,
-.Xr OPENSSL_sk_new 3 ,
-.Xr PKCS12_parse 3 ,
-.Xr PKCS7_encrypt 3 ,
-.Xr SSL_CTX_set_client_CA_list 3 ,
-.Xr SSL_get_ciphers 3 ,
-.Xr SSL_get_peer_cert_chain 3 ,
-.Xr SSL_load_client_CA_file 3 ,
-.Xr X509_CRL_get_REVOKED 3 ,
-.Xr X509_STORE_CTX_get0_chain 3
-.Sh HISTORY
-The
-.Fn STACK_OF
-macro first appeared in OpenSSL 0.9.3 and has been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/TS_REQ_new.3 b/src/lib/libcrypto/man/TS_REQ_new.3
deleted file mode 100644
index 8dbd15ea7e..0000000000
--- a/src/lib/libcrypto/man/TS_REQ_new.3
+++ /dev/null
@@ -1,182 +0,0 @@
-.\"     $OpenBSD: TS_REQ_new.3,v 1.6 2019/06/06 01:06:59 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 6 2019 $
-.Dt TS_REQ_NEW 3
-.Os
-.Sh NAME
-.Nm TS_REQ_new ,
-.Nm TS_REQ_free ,
-.Nm TS_RESP_new ,
-.Nm TS_RESP_free ,
-.Nm TS_STATUS_INFO_new ,
-.Nm TS_STATUS_INFO_free ,
-.Nm TS_TST_INFO_new ,
-.Nm TS_TST_INFO_free ,
-.Nm TS_ACCURACY_new ,
-.Nm TS_ACCURACY_free ,
-.Nm TS_MSG_IMPRINT_new ,
-.Nm TS_MSG_IMPRINT_free
-.Nd X.509 time-stamp protocol
-.Sh SYNOPSIS
-.In openssl/ts.h
-.Ft TS_REQ *
-.Fn TS_REQ_new void
-.Ft void
-.Fn TS_REQ_free "TS_REQ *req"
-.Ft TS_RESP *
-.Fn TS_RESP_new void
-.Ft void
-.Fn TS_RESP_free "TS_RESP *resp"
-.Ft TS_STATUS_INFO *
-.Fn TS_STATUS_INFO_new void
-.Ft void
-.Fn TS_STATUS_INFO_free "TS_STATUS_INFO *status"
-.Ft TS_TST_INFO *
-.Fn TS_TST_INFO_new void
-.Ft void
-.Fn TS_TST_INFO_free "TS_TST_INFO *token"
-.Ft TS_ACCURACY *
-.Fn TS_ACCURACY_new void
-.Ft void
-.Fn TS_ACCURACY_free "TS_ACCURACY *accuracy"
-.Ft TS_MSG_IMPRINT *
-.Fn TS_MSG_IMPRINT_new void
-.Ft void
-.Fn TS_MSG_IMPRINT_free "TS_MSG_IMPRINT *imprint"
-.Sh DESCRIPTION
-A time-stamping authority is a trusted third party which allows its
-clients to prove that specific data existed at a particular point
-in time.
-Clients send time-stamping requests to the time-stamping server,
-which returns time-stamp tokens to the clients.
-.Pp
-.Fn TS_REQ_new
-allocates and initializes an empty
-.Vt TS_REQ
-object, representing an ASN.1
-.Vt TimeStampReq
-structure defined in RFC 3161 section 2.4.1.
-It can hold a hash of the datum to be time-stamped and some
-auxiliary, optional information.
-.Fn TS_REQ_free
-frees
-.Fa req .
-.Pp
-.Fn TS_RESP_new
-allocates and initializes an empty
-.Vt TS_RESP
-object, representing an ASN.1
-.Vt TimeStampResp
-structure defined in RFC 3161 section 2.4.2.
-It can hold status information and a time-stamp token.
-.Fn TS_RESP_free
-frees
-.Fa resp .
-.Pp
-.Fn TS_STATUS_INFO_new
-allocates and initializes an empty
-.Vt TS_STATUS_INFO
-object, representing an ASN.1
-.Vt PKIStatusInfo
-structure defined in RFC 3161 section 2.4.2.
-It is used inside
-.Vt TS_RESP
-and describes the outcome of one time-stamp request.
-.Fn TS_STATUS_INFO_free
-frees
-.Fa status .
-.Pp
-.Fn TS_TST_INFO_new
-allocates and initializes an empty
-.Vt TS_TST_INFO
-object, representing an ASN.1
-.Vt TSTInfo
-structure defined in RFC 3161 section 2.4.2.
-It is the time-stamp token included in a
-.Vt TS_RESP
-object in case of success, and it can hold the hash of the datum
-copied from a request, the time of generation, and some auxiliary
-information.
-.Fn TS_TST_INFO_free
-frees
-.Fa token .
-.Pp
-.Fn TS_ACCURACY_new
-allocates and initializes an empty
-.Vt TS_ACCURACY
-object, representing an ASN.1
-.Vt Accuracy
-structure defined in RFC 3161 section 2.4.2.
-It can be used inside a
-.Vt TS_TST_INFO
-object and indicates the maximum error of the time stated in the token.
-.Fn TS_ACCURACY_free
-frees
-.Fa accuracy .
-.Pp
-.Fn TS_MSG_IMPRINT_new
-allocates and initializes an empty
-.Vt TS_MSG_IMPRINT
-object, representing an ASN.1
-.Vt MessageImprint
-structure defined in RFC 3161 section 2.4.1.
-It is used inside
-.Vt TS_REQ
-and
-.Vt TS_RESP
-objects.
-It specifies a hash algorithm and stores the hash value of the datum.
-.Fn TS_MSG_IMPRINT_free
-frees
-.Fa imprint .
-.Sh RETURN VALUES
-.Fn TS_REQ_new ,
-.Fn TS_RESP_new ,
-.Fn TS_STATUS_INFO_new ,
-.Fn TS_TST_INFO_new ,
-.Fn TS_ACCURACY_new ,
-and
-.Fn TS_MSG_IMPRINT_new
-return the new
-.Vt TS_REQ ,
-.Vt TS_RESP ,
-.Vt TS_STATUS_INFO ,
-.Vt TS_TST_INFO ,
-.Vt TS_ACCURACY ,
-or
-.Vt TS_MSG_IMPRINT
-object, respectively, or
-.Dv NULL
-if an error occurred.
-.Sh SEE ALSO
-.Xr ACCESS_DESCRIPTION_new 3 ,
-.Xr ESS_SIGNING_CERT_new 3 ,
-.Xr X509_EXTENSION_new 3
-.Sh STANDARDS
-RFC 3161: Internet X.509 Public Key Infrastructure Time-Stamp Protocol
-.Pp
-Note that RFC 3161 has been updated
-by RFC 5816: ESSCertIDv2 Update for RFC 3161.
-That update allows using the Signing Certificate Attribute Definition
-Version 2 according to RFC 5035, but the current implementation
-only supports the Signing Certificate Attribute Definition Version
-1 according to RFC 2634, and hence only supports RFC 3161, but not
-RFC 5816 functionality.
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.0
-and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/UI_create_method.3 b/src/lib/libcrypto/man/UI_create_method.3
deleted file mode 100644
index ffd6b98157..0000000000
--- a/src/lib/libcrypto/man/UI_create_method.3
+++ /dev/null
@@ -1,284 +0,0 @@
-.\"     $OpenBSD: UI_create_method.3,v 1.6 2023/05/22 19:38:04 tb Exp $
-.\"     OpenSSL UI_create_method.pod 8e3d46e5 Mar 11 10:51:04 2017 +0100
-.\"
-.\" This file was written by Richard Levitte <levitte@openssl.org>.
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 22 2023 $
-.Dt UI_CREATE_METHOD 3
-.Os
-.Sh NAME
-.Nm UI_create_method ,
-.Nm UI_destroy_method ,
-.Nm UI_method_set_opener ,
-.Nm UI_method_set_writer ,
-.Nm UI_method_set_flusher ,
-.Nm UI_method_set_reader ,
-.Nm UI_method_set_closer ,
-.Nm UI_method_set_prompt_constructor ,
-.Nm UI_method_get_opener ,
-.Nm UI_method_get_writer ,
-.Nm UI_method_get_flusher ,
-.Nm UI_method_get_reader ,
-.Nm UI_method_get_closer ,
-.Nm UI_method_get_prompt_constructor
-.Nd user interface method creation and destruction
-.Sh SYNOPSIS
-.In openssl/ui.h
-.Ft UI_METHOD *
-.Fo UI_create_method
-.Fa "const char *name"
-.Fc
-.Ft void
-.Fo UI_destroy_method
-.Fa "UI_METHOD *ui_method"
-.Fc
-.Ft int
-.Fo UI_method_set_opener
-.Fa "UI_METHOD *method"
-.Fa "int (*opener)(UI *ui)"
-.Fc
-.Ft int
-.Fo UI_method_set_writer
-.Fa "UI_METHOD *method"
-.Fa "int (*writer)(UI *ui, UI_STRING *uis)"
-.Fc
-.Ft int
-.Fo UI_method_set_flusher
-.Fa "UI_METHOD *method"
-.Fa "int (*flusher)(UI *ui)"
-.Fc
-.Ft int
-.Fo UI_method_set_reader
-.Fa "UI_METHOD *method"
-.Fa "int (*reader)(UI *ui, UI_STRING *uis)"
-.Fc
-.Ft int
-.Fo UI_method_set_closer
-.Fa "UI_METHOD *method"
-.Fa "int (*closer)(UI *ui)"
-.Fc
-.Ft int
-.Fo UI_method_set_prompt_constructor
-.Fa "UI_METHOD *method"
-.Fa "char *(*prompt_constructor)(UI *ui, const char *object_desc,\
- const char *object_name)"
-.Fc
-.Ft int
-.Fo "(*UI_method_get_opener(const UI_METHOD *method))"
-.Fa "UI *"
-.Fc
-.Ft int
-.Fo "(*UI_method_get_writer(const UI_METHOD *method))"
-.Fa "UI *"
-.Fa "UI_STRING *"
-.Fc
-.Ft int
-.Fo "(*UI_method_get_flusher(const UI_METHOD *method))"
-.Fa "UI *"
-.Fc
-.Ft int
-.Fo "(*UI_method_get_reader(const UI_METHOD *method))"
-.Fa "UI *"
-.Fa "UI_STRING *"
-.Fc
-.Ft int
-.Fo "(*UI_method_get_closer(const UI_METHOD *method))"
-.Fa "UI *"
-.Fc
-.Ft char *
-.Fo "(*UI_method_get_prompt_constructor(UI_METHOD *method))"
-.Fa "UI *"
-.Fa "const char *"
-.Fa "const char *"
-.Fc
-.Sh DESCRIPTION
-A method contains a few functions that implement the low level of the
-User Interface.
-These functions are:
-.Bl -tag -width Ds
-.It an opener
-This function takes a reference to a UI and starts a session, for
-example by opening a channel to a tty, or by creating a dialog box.
-.It a writer
-This function takes a reference to a UI and a UI String, and writes the
-string where appropriate, maybe to the tty, maybe added as a field label
-in a dialog box.
-Note that this gets fed all strings associated with a UI, one after the
-other, so care must be taken which ones it actually uses.
-.It a flusher
-This function takes a reference to a UI, and flushes everything that has
-been output so far.
-For example, if the method builds up a dialog box, this can be used to
-actually display it and accepting input ended with a pressed button.
-.It a reader
-This function takes a reference to a UI and a UI string and reads off
-the given prompt, maybe from the tty, maybe from a field in a dialog
-box.
-Note that this gets fed all strings associated with a UI, one after the
-other, so care must be taken which ones it actually uses.
-.It a closer
-This function takes a reference to a UI, and closes the session, maybe
-by closing the channel to the tty, maybe by destroying a dialog box.
-.El
-.Pp
-All of these functions are expected to return 0 on error, 1 on success,
-or -1 on out-off-band events, for example if some prompting has been
-cancelled (by pressing Ctrl-C, for example).
-Only the flusher or the reader are expected to return -1.
-If returned by another of the functions, it's treated as if 0 was returned.
-.Pp
-Regarding the writer and the reader, don't assume the former should only
-write and don't assume the latter should only read.
-This depends on the needs of the method.
-.Pp
-For example, a typical tty reader wouldn't write the prompts in the
-write, but would rather do so in the reader, because of the sequential
-nature of prompting on a tty.
-This is how the
-.Xr UI_OpenSSL 3
-method does it.
-.Pp
-In contrast, a method that builds up a dialog box would add all prompt
-text in the writer, have all input read in the flusher and store the
-results in some temporary buffer, and finally have the reader just fetch
-those results.
-.Pp
-The central function that uses these method functions is
-.Xr UI_process 3 ,
-and it does it in five steps:
-.Bl -enum
-.It
-Open the session using the opener function if that one is defined.
-If an error occurs, jump to 5.
-.It
-For every UI String associated with the UI, call the writer function if
-that one is defined.
-If an error occurs, jump to 5.
-.It
-Flush everything using the flusher function if that one is defined.
-If an error occurs, jump to 5.
-.It
-For every UI String associated with the UI, call the reader function if
-that one is defined.
-If an error occurs, jump to 5.
-.It
-Close the session using the closer function if that one is defined.
-.El
-.Pp
-.Fn UI_create_method
-creates a new UI method with a given
-.Fa name .
-.Pp
-.Fn UI_destroy_method
-destroys the given
-.Fa ui_method .
-.Pp
-.Fn UI_method_set_opener ,
-.Fn UI_method_set_writer ,
-.Fn UI_method_set_flusher ,
-.Fn UI_method_set_reader
-and
-.Fn UI_method_set_closer
-set one of the five main methods to the given function pointer.
-.Pp
-.Fn UI_method_set_prompt_constructor
-sets the prompt constructor, see
-.Xr UI_construct_prompt 3 .
-.Sh RETURN VALUES
-.Fn UI_create_method
-returns a
-.Vt UI_METHOD
-pointer on success or
-.Dv NULL
-on error.
-.Pp
-.Fn UI_method_set_opener ,
-.Fn UI_method_set_writer ,
-.Fn UI_method_set_flusher ,
-.Fn UI_method_set_reader ,
-.Fn UI_method_set_closer ,
-and
-.Fn UI_method_set_prompt_constructor
-return 0 on success or -1 if the given method is
-.Dv NULL .
-.Pp
-.Fn UI_method_get_opener ,
-.Fn UI_method_get_writer ,
-.Fn UI_method_get_flusher ,
-.Fn UI_method_get_reader ,
-.Fn UI_method_get_closer ,
-and
-.Fn UI_method_get_prompt_constructor
-return the requested function pointer if it is set in the method,
-or otherwise
-.Dv NULL .
-.Sh SEE ALSO
-.Xr UI_get_string_type 3 ,
-.Xr UI_new 3
-.Sh HISTORY
-.Fn UI_create_method ,
-.Fn UI_destroy_method ,
-.Fn UI_method_set_opener ,
-.Fn UI_method_set_writer ,
-.Fn UI_method_set_flusher ,
-.Fn UI_method_set_reader ,
-.Fn UI_method_set_closer ,
-.Fn UI_method_get_opener ,
-.Fn UI_method_get_writer ,
-.Fn UI_method_get_flusher ,
-.Fn UI_method_get_reader ,
-and
-.Fn UI_method_get_closer
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn UI_method_set_prompt_constructor
-and
-.Fn UI_method_get_prompt_constructor
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/UI_get_string_type.3 b/src/lib/libcrypto/man/UI_get_string_type.3
deleted file mode 100644
index bc0449a90e..0000000000
--- a/src/lib/libcrypto/man/UI_get_string_type.3
+++ /dev/null
@@ -1,281 +0,0 @@
-.\"     $OpenBSD: UI_get_string_type.3,v 1.4 2018/03/22 21:08:22 schwarze Exp $
-.\"     OpenSSL UI_STRING.pod e9c9971b Jul 1 18:28:50 2017 +0200
-.\"
-.\" This file was written by Richard Levitte <levitte@openssl.org>
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 22 2018 $
-.Dt UI_GET_STRING_TYPE 3
-.Os
-.Sh NAME
-.Nm UI_get_string_type ,
-.Nm UI_get_input_flags ,
-.Nm UI_get0_output_string ,
-.Nm UI_get0_action_string ,
-.Nm UI_get0_result_string ,
-.Nm UI_get0_test_string ,
-.Nm UI_get_result_minsize ,
-.Nm UI_get_result_maxsize ,
-.Nm UI_set_result
-.Nd OpenSSL user interface string parsing
-.Sh SYNOPSIS
-.In openssl/ui.h
-.Bd -literal
-enum UI_string_types {
-        UIT_NONE = 0,
-        UIT_PROMPT,     /* Prompt for a string */
-        UIT_VERIFY,     /* Prompt for a string and verify */
-        UIT_BOOLEAN,    /* Prompt for a yes/no response */
-        UIT_INFO,       /* Send info to the user */
-        UIT_ERROR       /* Send an error message to the user */
-};
-.Ed
-.Pp
-.Ft enum UI_string_types
-.Fo UI_get_string_type
-.Fa "UI_STRING *uis"
-.Fc
-.Ft int
-.Fo UI_get_input_flags
-.Fa "UI_STRING *uis"
-.Fc
-.Ft const char *
-.Fo UI_get0_output_string
-.Fa "UI_STRING *uis"
-.Fc
-.Ft const char *
-.Fo UI_get0_action_string
-.Fa "UI_STRING *uis"
-.Fc
-.Ft const char *
-.Fo UI_get0_result_string
-.Fa "UI_STRING *uis"
-.Fc
-.Ft const char *
-.Fo UI_get0_test_string
-.Fa "UI_STRING *uis"
-.Fc
-.Ft int
-.Fo UI_get_result_minsize
-.Fa "UI_STRING *uis"
-.Fc
-.Ft int
-.Fo UI_get_result_maxsize
-.Fa "UI_STRING *uis"
-.Fc
-.Ft int
-.Fo UI_set_result
-.Fa "UI *ui"
-.Fa "UI_STRING *uis"
-.Fa "const char *result"
-.Fc
-.Sh DESCRIPTION
-A
-.Vt UI_STRING
-gets created internally and added to a
-.Vt UI
-object whenever one of the functions
-.Xr UI_add_input_string 3 ,
-.Xr UI_dup_input_string 3 ,
-.Xr UI_add_verify_string 3 ,
-.Xr UI_dup_verify_string 3 ,
-.Xr UI_add_input_boolean 3 ,
-.Xr UI_dup_input_boolean 3 ,
-.Xr UI_add_info_string 3 ,
-.Xr UI_dup_info_string 3 ,
-.Xr UI_add_error_string 3
-or
-.Xr UI_dup_error_string 3
-is called.
-For a
-.Vt UI_METHOD
-user, there's no need to know more.
-For a
-.Vt UI_METHOD
-creator, it is of interest to fetch text from these
-.Vt UI_STRING
-objects as well as adding results to some of them.
-.Pp
-.Fn UI_get_string_type
-is used to retrieve the type of the given
-.Vt UI_STRING .
-.Pp
-.Fn UI_get_input_flags
-is used to retrieve the flags associated with the given
-.Vt UI_STRING .
-.Pp
-.Fn UI_get0_output_string
-is used to retrieve the actual string to output (prompt, info, error, ...).
-.Pp
-.Fn UI_get0_action_string
-is used to retrieve the action description associated with a
-.Dv UIT_BOOLEAN
-type
-.Vt UI_STRING .
-See
-.Xr UI_add_input_boolean 3 .
-.Pp
-.Fn UI_get0_result_string
-is used to retrieve the result of a prompt.
-This is only useful for
-.Dv UIT_PROMPT
-and
-.Dv UIT_VERIFY
-type strings.
-.Pp
-.Fn UI_get0_test_string
-is used to retrieve the string to compare the prompt result with.
-This is only useful for
-.Dv UIT_VERIFY
-type strings.
-.Pp
-.Fn UI_get_result_minsize
-and
-.Fn UI_get_result_maxsize
-are used to retrieve the minimum and maximum required size of the
-result.
-This is only useful for
-.Dv UIT_PROMPT
-and
-.Dv UIT_VERIFY
-type strings.
-.Pp
-.Fn UI_set_result
-is used to set the result value of a prompt.
-For
-.Sy UIT_PROMPT
-and
-.Sy UIT_VERIFY
-type UI strings, this sets the result retrievable with
-.Fn UI_get0_result_string
-by copying the contents of
-.Fa result
-if its length fits the minimum and maximum size requirements.
-For
-.Dv UIT_BOOLEAN
-type UI strings, this sets the first character of the result retrievable
-with
-.Fn UI_get0_result_string
-to the first of the
-.Fa ok_chars
-given with
-.Xr UI_add_input_boolean 3
-or
-.Xr UI_dup_input_boolean 3
-if the
-.Fa result
-matched any of them, or the first of the
-.Fa cancel_chars
-if the
-.Fa result
-matched any of them, otherwise it's set to the NUL char.
-See
-.Xr UI_add_input_boolean 3
-for more information on
-.Fa ok_chars
-and
-.Fa cancel_chars .
-.Sh RETURN VALUES
-.Fn UI_get_string_type
-returns the UI string type.
-.Pp
-.Fn UI_get_input_flags
-returns the UI string flags.
-.Pp
-.Fn UI_get0_output_string
-returns the UI string output string.
-.Pp
-.Fn UI_get0_action_string
-returns the UI string action description string for
-.Dv UIT_BOOLEAN
-type UI strings, or
-.Dv NULL
-for any other type.
-.Pp
-.Fn UI_get0_result_string
-returns the UI string result buffer for
-.Dv UIT_PROMPT
-and
-.Dv UIT_VERIFY
-type UI strings, or
-.Dv NULL
-for any other type.
-.Pp
-.Fn UI_get0_test_string
-returns the UI string action description string for
-.Dv UIT_VERIFY
-type UI strings, or
-.Dv NULL
-for any other type.
-.Pp
-.Fn UI_get_result_minsize
-returns the minimum allowed result size for the UI string for
-.Dv UIT_PROMPT
-and
-.Dv UIT_VERIFY
-type strings, or -1 for any other type.
-.Pp
-.Fn UI_get_result_maxsize
-returns the minimum allowed result size for the UI string for
-.Dv UIT_PROMPT
-and
-.Dv UIT_VERIFY
-type strings, or -1 for any other type.
-.Pp
-.Fn UI_set_result
-returns 0 on success or when the UI string is of any type other than
-.Dv UIT_PROMPT ,
-.Dv UIT_VERIFY ,
-or
-.Dv UIT_BOOLEAN ,
-or -1 on error.
-.Sh SEE ALSO
-.Xr UI_new 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7
-and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/UI_new.3 b/src/lib/libcrypto/man/UI_new.3
deleted file mode 100644
index e55477f31e..0000000000
--- a/src/lib/libcrypto/man/UI_new.3
+++ /dev/null
@@ -1,529 +0,0 @@
-.\" $OpenBSD: UI_new.3,v 1.13 2025/03/09 15:25:14 tb Exp $
-.\" full merge up to: OpenSSL 78b19e90 Jan 11 00:12:01 2017 +0100
-.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file was written by Richard Levitte <levitte@openssl.org>.
-.\" Copyright (c) 2001, 2016, 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 9 2025 $
-.Dt UI_NEW 3
-.Os
-.Sh NAME
-.Nm UI_new ,
-.Nm UI_new_method ,
-.Nm UI_free ,
-.Nm UI_add_input_string ,
-.Nm UI_dup_input_string ,
-.Nm UI_add_verify_string ,
-.Nm UI_dup_verify_string ,
-.Nm UI_add_input_boolean ,
-.Nm UI_dup_input_boolean ,
-.Nm UI_add_info_string ,
-.Nm UI_dup_info_string ,
-.Nm UI_add_error_string ,
-.Nm UI_dup_error_string ,
-.Nm UI_construct_prompt ,
-.Nm UI_add_user_data ,
-.Nm UI_get0_user_data ,
-.Nm UI_get0_result ,
-.Nm UI_process ,
-.Nm UI_ctrl ,
-.Nm UI_set_default_method ,
-.Nm UI_get_default_method ,
-.Nm UI_get_method ,
-.Nm UI_set_method ,
-.Nm UI_OpenSSL ,
-.Nm UI_null
-.Nd New User Interface
-.Sh SYNOPSIS
-.In openssl/ui.h
-.Ft UI *
-.Fn UI_new void
-.Ft UI *
-.Fo UI_new_method
-.Fa "const UI_METHOD *method"
-.Fc
-.Ft void
-.Fo UI_free
-.Fa "UI *ui"
-.Fc
-.Ft int
-.Fo UI_add_input_string
-.Fa "UI *ui"
-.Fa "const char *prompt"
-.Fa "int flags"
-.Fa "char *result_buf"
-.Fa "int minsize"
-.Fa "int maxsize"
-.Fc
-.Ft int
-.Fo UI_dup_input_string
-.Fa "UI *ui"
-.Fa "const char *prompt"
-.Fa "int flags"
-.Fa "char *result_buf"
-.Fa "int minsize"
-.Fa "int maxsize"
-.Fc
-.Ft int
-.Fo UI_add_verify_string
-.Fa "UI *ui"
-.Fa "const char *prompt"
-.Fa "int flags"
-.Fa "char *result_buf"
-.Fa "int minsize"
-.Fa "int maxsize"
-.Fa "const char *test_buf"
-.Fc
-.Ft int
-.Fo UI_dup_verify_string
-.Fa "UI *ui"
-.Fa "const char *prompt"
-.Fa "int flags"
-.Fa "char *result_buf"
-.Fa "int minsize"
-.Fa "int maxsize"
-.Fa "const char *test_buf"
-.Fc
-.Ft int
-.Fo UI_add_input_boolean
-.Fa "UI *ui"
-.Fa "const char *prompt"
-.Fa "const char *action_desc"
-.Fa "const char *ok_chars"
-.Fa "const char *cancel_chars"
-.Fa "int flags"
-.Fa "char *result_buf"
-.Fc
-.Ft int
-.Fo UI_dup_input_boolean
-.Fa "UI *ui"
-.Fa "const char *prompt"
-.Fa "const char *action_desc"
-.Fa "const char *ok_chars"
-.Fa "const char *cancel_chars"
-.Fa "int flags"
-.Fa "char *result_buf"
-.Fc
-.Ft int
-.Fo UI_add_info_string
-.Fa "UI *ui"
-.Fa "const char *text"
-.Fc
-.Ft int
-.Fo UI_dup_info_string
-.Fa "UI *ui"
-.Fa "const char *text"
-.Fc
-.Ft int
-.Fo UI_add_error_string
-.Fa "UI *ui"
-.Fa "const char *text"
-.Fc
-.Ft int
-.Fo UI_dup_error_string
-.Fa "UI *ui"
-.Fa "const char *text"
-.Fc
-.Fd /* These are the possible flags.  They can be OR'ed together. */
-.Fd #define UI_INPUT_FLAG_ECHO          0x01
-.Fd #define UI_INPUT_FLAG_DEFAULT_PWD   0x02
-.Ft char *
-.Fo UI_construct_prompt
-.Fa "UI *ui_method"
-.Fa "const char *object_desc"
-.Fa "const char *object_name"
-.Fc
-.Ft void *
-.Fo UI_add_user_data
-.Fa "UI *ui"
-.Fa "void *user_data"
-.Fc
-.Ft void *
-.Fo UI_get0_user_data
-.Fa "UI *ui"
-.Fc
-.Ft const char *
-.Fo UI_get0_result
-.Fa "UI *ui"
-.Fa "int i"
-.Fc
-.Ft int
-.Fo UI_process
-.Fa "UI *ui"
-.Fc
-.Ft int
-.Fo UI_ctrl
-.Fa "UI *ui"
-.Fa "int cmd"
-.Fa "long i"
-.Fa "void *p"
-.Fa "void (*f)()"
-.Fc
-.Fd #define UI_CTRL_PRINT_ERRORS                1
-.Fd #define UI_CTRL_IS_REDOABLE         2
-.Ft void
-.Fo UI_set_default_method
-.Fa "const UI_METHOD *meth"
-.Fc
-.Ft const UI_METHOD *
-.Fo UI_get_default_method
-.Fa void
-.Fc
-.Ft const UI_METHOD *
-.Fo UI_get_method
-.Fa "UI *ui"
-.Fc
-.Ft const UI_METHOD *
-.Fo UI_set_method
-.Fa "UI *ui"
-.Fa "const UI_METHOD *meth"
-.Fc
-.Ft const UI_METHOD *
-.Fo UI_OpenSSL
-.Fa void
-.Fc
-.Ft const UI_METHOD *
-.Fo UI_null
-.Fa void
-.Fc
-.Sh DESCRIPTION
-UI stands for User Interface, and is a general purpose set of routines
-to prompt the user for text-based information.
-Through user-written methods (see
-.Xr UI_create_method 3 ) ,
-prompting can be done in any way imaginable, be it plain text prompting,
-through dialog boxes or from a cell phone.
-.Pp
-All the functions work through a context of the type
-.Vt UI .
-This context contains all the information needed to prompt correctly
-as well as a reference to a
-.Vt UI_METHOD ,
-which is an ordered vector of functions that carry out the actual
-prompting.
-.Pp
-The first thing to do is to create a
-.Vt UI
-with
-.Fn UI_new
-or
-.Fn UI_new_method ,
-then add information to it with the
-.Fn UI_add_*
-or
-.Fn UI_dup_*
-functions.
-Also, user-defined random data can be passed down to the underlying
-method through calls to
-.Fn UI_add_user_data .
-The default UI method doesn't care about these data, but other methods
-might.
-Finally, use
-.Fn UI_process
-to actually perform the prompting and
-.Fn UI_get0_result
-to find the result to the prompt.
-.Pp
-A
-.Vt UI
-can contain more than one prompt, which are performed in the given
-sequence.
-Each prompt gets an index number which is returned by the
-.Fn UI_add_*
-and
-.Fn UI_dup_*
-functions, and has to be used to get the corresponding result with
-.Fn UI_get0_result .
-.Pp
-The functions are as follows:
-.Pp
-.Fn UI_new
-creates a new
-.Vt UI
-using the default UI method.
-When done with this UI, it should be freed using
-.Fn UI_free .
-.Pp
-.Fn UI_new_method
-creates a new
-.Vt UI
-using the given UI method.
-When done with this UI, it should be freed using
-.Fn UI_free .
-.Pp
-.Fn UI_OpenSSL
-returns the built-in UI method (note: not necessarily the default one,
-since the default can be changed.
-See further on).
-This method is the most machine/OS dependent part of OpenSSL and
-normally generates the most problems when porting.
-.Pp
-.Fn UI_null
-returns a UI method that does nothing.
-Its use is to avoid getting internal defaults for passed
-.Vt UI_METHOD
-pointers.
-.Pp
-.Fn UI_free
-removes
-.Fa ui
-from memory, along with all other pieces of memory that are connected
-to it, like duplicated input strings, results and others.
-If
-.Fa ui
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn UI_add_input_string
-and
-.Fn UI_add_verify_string
-add a prompt to
-.Fa ui ,
-as well as flags and a result buffer and the desired minimum and
-maximum sizes of the result, not counting the final NUL character.
-The given information is used to prompt for information, for example
-a password, and to verify a password (i.e. having the user enter
-it twice and check that the same string was entered twice).
-.Fn UI_add_verify_string
-takes an extra argument that should be a pointer to the result buffer
-of the input string that it's supposed to verify, or verification will
-fail.
-.Pp
-.Fn UI_add_input_boolean
-adds a prompt to
-.Fa ui
-that's supposed to be answered in a boolean way, with a single
-character for yes and a different character for no.
-A set of characters that can be used to cancel the prompt is given as
-well.
-The prompt itself is really divided in two, one part being the
-descriptive text (given through the
-.Fa prompt
-argument) and one describing the possible answers (given through the
-.Fa action_desc
-argument).
-.Pp
-.Fn UI_add_info_string
-and
-.Fn UI_add_error_string
-add strings that are shown at the same time as the prompt for extra
-information or to show an error string.
-The difference between the two is only conceptual.
-With the builtin method, there's no technical difference between them.
-Other methods may make a difference between them, however.
-.Pp
-The flags currently supported are
-.Dv UI_INPUT_FLAG_ECHO ,
-which is relevant for
-.Fn UI_add_input_string
-and will have the users response be echoed (when prompting for a
-password, this flag should obviously not be used), and
-.Dv UI_INPUT_FLAG_DEFAULT_PWD ,
-which means that a default password of some sort will be used
-(completely depending on the application and the UI method).
-.Pp
-.Fn UI_dup_input_string ,
-.Fn UI_dup_verify_string ,
-.Fn UI_dup_input_boolean ,
-.Fn UI_dup_info_string ,
-and
-.Fn UI_dup_error_string
-are basically the same as their
-.Fn UI_add_*
-counterparts, except that they make their own copies of all strings.
-.Pp
-.Fn UI_construct_prompt
-is a helper function that can be used to create a prompt from two pieces
-of information: a description and a name.
-The default constructor (if there is none provided by the method used)
-creates a string "Enter
-.Em description
-for
-.Em name Ns :".
-With the description "pass phrase" and the file name "foo.key", that
-becomes "Enter pass phrase for foo.key:". Other methods may create
-whatever string and may include encodings that will be processed by the
-other method functions.
-.Pp
-.Fn UI_add_user_data
-adds a user data pointer for the method to use at any time.
-The builtin UI method doesn't care about this info.
-Note that several calls to this function doesn't add data -
-the previous blob is replaced with the one given as argument.
-.Pp
-.Fn UI_get0_user_data
-retrieves the data that has last been given to the
-.Fa ui
-with
-.Fn UI_add_user_data .
-.Pp
-.Fn UI_get0_result
-returns a pointer to the result buffer associated with the information
-indexed by
-.Fa i .
-.Pp
-.Fn UI_process
-goes through the information given so far, does all the printing and
-prompting and returns the final status, which is -2 on out-of-band
-events (Interrupt, Cancel, ...), -1 on error, or 0 on success.
-.Pp
-.Fn UI_ctrl
-adds extra control for the application author.
-For now, it understands two commands:
-.Dv UI_CTRL_PRINT_ERRORS ,
-which makes
-.Fn UI_process
-print the OpenSSL error stack as part of processing the
-.Fa ui ,
-and
-.Dv UI_CTRL_IS_REDOABLE ,
-which returns a flag saying if the used
-.Fa ui
-can be used again or not.
-.Pp
-.Fn UI_set_default_method
-changes the default UI method to the one given.
-This function is not thread-safe and should not be called at the
-same time as other OpenSSL functions.
-.Pp
-.Fn UI_get_default_method
-returns a pointer to the current default UI method.
-.Pp
-.Fn UI_get_method
-returns the UI method associated with a given
-.Fa ui .
-.Pp
-.Fn UI_set_method
-changes the UI method associated with a given
-.Fa ui .
-.Sh RETURN VALUES
-.Fn UI_new
-and
-.Fn UI_new_method
-return a valid
-.Vt UI
-structure or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn UI_add_input_string ,
-.Fn UI_dup_input_string ,
-.Fn UI_add_verify_string ,
-.Fn UI_dup_verify_string ,
-.Fn UI_add_input_boolean ,
-.Fn UI_dup_input_boolean ,
-.Fn UI_add_info_string ,
-.Fn UI_dup_info_string ,
-.Fn UI_add_error_string ,
-and
-.Fn UI_dup_error_string
-return a positive number on success or a number
-less than or equal to zero otherwise.
-.Pp
-.Fn UI_construct_prompt
-and
-.Fn UI_get0_result
-return a string or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn UI_add_user_data
-and
-.Fn UI_get0_user_data
-return a pointer to the user data that was contained in
-.Fa ui
-before the call.
-In particular,
-.Dv NULL
-is a valid return value.
-.Pp
-.Fn UI_process
-returns 0 on success or a negative value on error.
-.Pp
-.Fn UI_ctrl
-returns a mask on success or \-1 on error.
-.Pp
-.Fn UI_get_default_method ,
-.Fn UI_OpenSSL
-and
-.Fn UI_null
-always return a pointer to a valid
-.Vt UI_METHOD
-structure.
-.Pp
-.Fn UI_get_method
-and
-.Fn UI_set_method
-return a pointer to the
-.Vt UI_METHOD
-structure that is installed in
-.Fa ui
-after the call.
-The OpenSSL documentation says that they can fail and return
-.Dv NULL ,
-but currently, this can only happen when and after
-.Fn UI_set_method
-is called with an explicit
-.Dv NULL
-argument.
-.Sh SEE ALSO
-.Xr crypto 3 ,
-.Xr UI_create_method 3 ,
-.Xr UI_get_string_type 3
-.Sh HISTORY
-These functions first appeared in  OpenSSL 0.9.7
-and have been available since
-.Ox 3.2 .
-.Pp
-.Fn UI_null
-first appeared in OpenSSL 1.1.1 and has been available since
-.Ox 7.3 .
-.Sh AUTHORS
-.An Richard Levitte Aq Mt richard@levitte.org
-for the OpenSSL project.
diff --git a/src/lib/libcrypto/man/X25519.3 b/src/lib/libcrypto/man/X25519.3
deleted file mode 100644
index a327f8c7b2..0000000000
--- a/src/lib/libcrypto/man/X25519.3
+++ /dev/null
@@ -1,211 +0,0 @@
-.\" $OpenBSD: X25519.3,v 1.7 2022/12/15 17:20:48 schwarze Exp $
-.\" contains some text from: BoringSSL curve25519.h, curve25519.c
-.\" content also checked up to: OpenSSL f929439f Mar 15 12:19:16 2018 +0000
-.\"
-.\" Copyright (c) 2015 Google Inc.
-.\" Copyright (c) 2018, 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and/or distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" According to the BoringSSL git history, those parts of the text in
-.\" the present manual page that are Copyrighted by Google were probably
-.\" written by Adam Langley <agl@google.com> in 2015.
-.\" I fail to see any such text in the public domain files written
-.\" by Daniel J. Bernstein and others that are included in SUPERCOP
-.\" and that Adam Langley's BoringSSL implementation is based on.
-.\"
-.Dd $Mdocdate: December 15 2022 $
-.Dt X25519 3
-.Os
-.Sh NAME
-.Nm X25519 ,
-.Nm X25519_keypair ,
-.Nm ED25519_keypair ,
-.Nm ED25519_sign ,
-.Nm ED25519_verify
-.Nd Elliptic Curve Diffie-Hellman and signature primitives based on Curve25519
-.Sh SYNOPSIS
-.In openssl/curve25519.h
-.Ft int
-.Fo X25519
-.Fa "uint8_t out_shared_key[X25519_KEY_LENGTH]"
-.Fa "const uint8_t private_key[X25519_KEY_LENGTH]"
-.Fa "const uint8_t peer_public_value[X25519_KEY_LENGTH]"
-.Fc
-.Ft void
-.Fo X25519_keypair
-.Fa "uint8_t out_public_value[X25519_KEY_LENGTH]"
-.Fa "uint8_t out_private_key[X25519_KEY_LENGTH]"
-.Fc
-.Ft void
-.Fo ED25519_keypair
-.Fa "uint8_t out_public_key[ED25519_PUBLIC_KEY_LENGTH]"
-.Fa "uint8_t out_private_key[ED25519_PRIVATE_KEY_LENGTH]"
-.Fc
-.Ft int
-.Fo ED25519_sign
-.Fa "uint8_t *out_sig"
-.Fa "const uint8_t *message"
-.Fa "size_t message_len"
-.Fa "const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]"
-.Fa "const uint8_t private_key_seed[ED25519_PRIVATE_KEY_LENGTH]"
-.Fc
-.Ft int
-.Fo ED25519_verify
-.Fa "const uint8_t *message"
-.Fa "size_t message_len"
-.Fa "const uint8_t signature[ED25519_SIGNATURE_LENGTH]"
-.Fa "const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]"
-.Fc
-.Sh DESCRIPTION
-Curve25519 is an elliptic curve over a prime field
-specified in RFC 7748 section 4.1.
-The prime field is defined by the prime number 2^255 - 19.
-.Pp
-X25519
-is the Diffie-Hellman primitive built from Curve25519 as described
-in RFC 7748 section 5.
-Section 6.1 describes the intended use in an Elliptic Curve Diffie-Hellman
-(ECDH) protocol.
-.Pp
-.Fn X25519
-writes a shared key to
-.Fa out_shared_key
-that is calculated from the given
-.Fa private_key
-and the
-.Fa peer_public_value
-by scalar multiplication.
-Do not use the shared key directly, rather use a key derivation
-function and also include the two public values as inputs.
-.Pp
-.Fn X25519_keypair
-sets
-.Fa out_public_value
-and
-.Fa out_private_key
-to a freshly generated public/private key pair.
-First, the
-.Fa out_private_key
-is generated with
-.Xr arc4random_buf 3 .
-Then, the opposite of the masking described in RFC 7748 section 5
-is applied to it to make sure that the generated private key is never
-correctly masked.
-The purpose is to cause incorrect implementations on the peer side
-to consistently fail.
-Correct implementations will decode the key correctly even when it is
-not correctly masked.
-Finally, the
-.Fa out_public_value
-is calculated from the
-.Fa out_private_key
-by multiplying it with the Montgomery base point
-.Vt uint8_t u[32] No = Brq 9 .
-.Pp
-The size of a public and private key is
-.Dv X25519_KEY_LENGTH No = 32
-bytes each.
-.Pp
-Ed25519 is a signature scheme using a twisted Edwards curve
-that is birationally equivalent to Curve25519.
-.Pp
-.Fn ED25519_keypair
-sets
-.Fa out_public_key
-and
-.Fa out_private_key
-to a freshly generated public/private key pair.
-First, the
-.Fa out_private_key
-is generated with
-.Xr arc4random_buf 3 .
-Then, the
-.Fa out_public_key
-is calculated from the private key.
-.Pp
-.Fn ED25519_sign
-signs the
-.Fa message
-of
-.Fa message_len
-bytes using the
-.Fa public_key
-and the
-.Fa private_key
-and writes the signature to
-.Fa out_sig .
-.Pp
-.Fn ED25519_verify
-checks that signing the
-.Fa message
-of
-.Fa message_len
-bytes using the
-.Fa public_key
-would indeed result in the given
-.Fa signature .
-.Pp
-The sizes of a public and private keys are
-.Dv ED25519_PUBLIC_KEY_LENGTH
-and
-.Dv ED25519_PRIVATE_KEY_LENGTH ,
-which are both 32 bytes, and the size of a signature is
-.Dv ED25519_SIGNATURE_LENGTH No = 64
-bytes.
-.Sh RETURN VALUES
-.Fn X25519
-and
-.Fn ED25519_sign
-return 1 on success or 0 on error.
-.Fn X25519
-can fail if the input is a point of small order.
-.Fn ED25519_sign
-always succeeds in LibreSSL, but the API reserves the return value 0
-for memory allocation failure.
-.Pp
-.Fn ED25519_verify
-returns 1 if the
-.Fa signature
-is valid or 0 otherwise.
-.Sh SEE ALSO
-.Xr ECDH_compute_key 3 ,
-.Xr EVP_DigestSign 3 ,
-.Xr EVP_DigestVerify 3 ,
-.Xr EVP_PKEY_derive 3 ,
-.Xr EVP_PKEY_keygen 3
-.Rs
-.%A Daniel J. Bernstein
-.%R A state-of-the-art Diffie-Hellman function:\
-    How do I use Curve25519 in my own software?
-.%U https://cr.yp.to/ecdh.html
-.Re
-.Rs
-.%A Daniel J. Bernstein
-.%A Niels Duif
-.%A Tanja Lange
-.%A Peter Schwabe
-.%A Bo-Yin Yang
-.%T High-Speed High-Security Signatures
-.%B Cryptographic Hardware and Embedded Systems \(em CHES 2011
-.%I Springer
-.%J Lecture Notes in Computer Science
-.%V vol 6917
-.%U https://doi.org/10.1007/978-3-642-23951-9_9
-.%C Nara, Japan
-.%D September 29, 2011
-.Re
-.Sh STANDARDS
-RFC 7748: Elliptic Curves for Security
-.Pp
-RFC 8032: Edwards-Curve Digital Signature Algorithm (EdDSA)
diff --git a/src/lib/libcrypto/man/X509V3_EXT_get_nid.3 b/src/lib/libcrypto/man/X509V3_EXT_get_nid.3
deleted file mode 100644
index ad153c36d0..0000000000
--- a/src/lib/libcrypto/man/X509V3_EXT_get_nid.3
+++ /dev/null
@@ -1,94 +0,0 @@
-.\" $OpenBSD: X509V3_EXT_get_nid.3,v 1.8 2024/12/24 09:48:56 schwarze Exp $
-.\"
-.\" Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 24 2024 $
-.Dt X509V3_EXT_GET_NID 3
-.Os
-.Sh NAME
-.Nm X509V3_EXT_get_nid ,
-.Nm X509V3_EXT_get
-.Nd retrieve X.509v3 certificate extension methods
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft const X509V3_EXT_METHOD *
-.Fo X509V3_EXT_get_nid
-.Fa "int nid"
-.Fc
-.Ft const X509V3_EXT_METHOD *
-.Fo X509V3_EXT_get
-.Fa "X509_EXTENSION *ext"
-.Fc
-.Sh DESCRIPTION
-An X.509v3 certificate extension contains an Object Identifier (OID),
-a boolean criticality indicator, and an opaque extension value
-.Po
-an
-.Vt ASN1_OCTET_STRING
-.Pc
-whose meaning is determined by the OID.
-The library's
-.Vt X509V3_EXT_METHOD
-type,
-which is not yet documented in detail,
-contains a numeric identifier (NID) to represent the OID and various
-handlers for encoding, decoding, printing, and configuring the
-extension's value.
-Criticality is handled separately, for example as an argument to
-.Xr X509V3_add1_i2d 3 .
-.Sh RETURN VALUES
-.Fn X509V3_EXT_get_nid
-returns the
-.Vt X509V3_EXT_METHOD
-corresponding to the numeric identifier
-.Fa nid ,
-or
-.Dv NULL
-if there is none.
-.Pp
-.Fn X509V3_EXT_get
-returns the
-.Vt X509V3_EXT_METHOD
-associated with the extension type of
-.Fa ext ,
-or
-.Dv NULL
-if there is none.
-.Sh SEE ALSO
-.Xr i2s_ASN1_ENUMERATED_TABLE 3 ,
-.Xr OBJ_create 3 ,
-.Xr v2i_ASN1_BIT_STRING 3 ,
-.Xr X509_EXTENSION_get_object 3 ,
-.Xr X509V3_get_d2i 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Bl -dash -compact
-.It
-section 4.2: Certificate Extensions
-.El
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.2b and
-have been available since
-.Ox 2.6 .
-.Sh CAVEATS
-In LibreSSL, these functions only support built-in
-.Fa nid
-values corresponding to static built-in objects.
-Other implementations have incomplete support for custom extension methods,
-whose API is not threadsafe, does not affect the behavior of
-.Xr X509_verify_cert 3 ,
-and has various other surprising quirks.
-Both functions prefer built-in methods over custom methods with the same OID.
diff --git a/src/lib/libcrypto/man/X509V3_EXT_print.3 b/src/lib/libcrypto/man/X509V3_EXT_print.3
deleted file mode 100644
index edb97d3a36..0000000000
--- a/src/lib/libcrypto/man/X509V3_EXT_print.3
+++ /dev/null
@@ -1,195 +0,0 @@
-.\" $OpenBSD: X509V3_EXT_print.3,v 1.3 2024/12/28 10:19:45 schwarze Exp $
-.\"
-.\" Copyright (c) 2021, 2024 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 28 2024 $
-.Dt X509V3_EXT_PRINT 3
-.Os
-.Sh NAME
-.Nm X509V3_EXT_print ,
-.Nm X509V3_EXT_print_fp
-.Nd pretty-print an X.509 extension
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft int
-.Fo X509V3_EXT_print
-.Fa "BIO *bio"
-.Fa "X509_EXTENSION *ext"
-.Fa "unsigned long flags"
-.Fa "int indent"
-.Fc
-.Ft int
-.Fo X509V3_EXT_print_fp
-.Fa "FILE *file"
-.Fa "X509_EXTENSION *ext"
-.Fa "int flags"
-.Fa "int indent"
-.Fc
-.Sh DESCRIPTION
-.Fn X509V3_EXT_print
-and
-.Fn X509V3_EXT_print_fp
-decode
-.Fa ext
-and print the data contained in it to the
-.Fa bio
-or
-.Fa file ,
-respectively, in a human-readable format with a left margin of
-.Fa indent
-space characters.
-The details of both the decoding and the printing depend on the type of
-.Fa ext .
-.Pp
-For most extension types, the decoding is done in the same way
-as it would be done by the appropriate public API function, for example:
-.Pp
-.Bl -tag -width NID_authority_key_identifier -compact
-.It Sy extension type
-.Sy decoding function
-.It Dv NID_authority_key_identifier
-.Xr d2i_AUTHORITY_KEYID 3
-.It Dv NID_certificate_policies
-.Xr d2i_CERTIFICATEPOLICIES 3
-.It Dv NID_crl_number
-.Xr d2i_ASN1_INTEGER 3
-.It Dv NID_crl_reason
-.Xr d2i_ASN1_ENUMERATED 3
-.It Dv NID_hold_instruction_code
-.Xr d2i_ASN1_OBJECT 3
-.It Dv NID_id_pkix_OCSP_CrlID
-.Xr d2i_OCSP_CRLID 3
-.It Dv NID_id_pkix_OCSP_noCheck
-.Xr d2i_ASN1_NULL 3
-.It Dv NID_id_pkix_OCSP_Nonce
-non-public function built into the library
-.It Dv NID_invalidity_date
-.Xr d2i_ASN1_GENERALIZEDTIME 3
-.It Dv NID_key_usage
-.Xr d2i_ASN1_BIT_STRING 3
-.It Dv NID_subject_alt_name
-.Xr d2i_GENERAL_NAMES 3
-.It Dv NID_subject_key_identifier
-.Xr d2i_ASN1_OCTET_STRING 3
-.El
-.Pp
-For some types, the printing is performed
-by a dedicated non-public function built into the library.
-For some other types, the printing function is a public API function,
-for example:
-.Pp
-.Bl -tag -width NID_id_pkix_OCSP_archiveCutoff -compact
-.It Sy extension type
-.Sy printing function
-.It Dv NID_crl_number
-.Xr i2s_ASN1_INTEGER 3
-.It Dv NID_crl_reason
-.Xr i2s_ASN1_ENUMERATED_TABLE 3
-.It Dv NID_delta_crl
-.Xr i2s_ASN1_INTEGER 3
-.It Dv NID_hold_instruction_code
-.Xr i2a_ASN1_OBJECT 3
-.It Dv NID_id_pkix_OCSP_archiveCutoff
-.Xr ASN1_GENERALIZEDTIME_print 3
-.It Dv NID_id_pkix_OCSP_Nonce
-.Xr i2a_ASN1_STRING 3
-.It Dv NID_inhibit_any_policy
-.Xr i2s_ASN1_INTEGER 3
-.It Dv NID_invalidity_date
-.Xr ASN1_GENERALIZEDTIME_print 3
-.It Dv NID_key_usage
-.Xr i2v_ASN1_BIT_STRING 3
-.It Dv NID_subject_key_identifier
-.Xr i2s_ASN1_OCTET_STRING 3
-.El
-.Pp
-Some of the public printing functions are not documented yet.
-.Pp
-If
-.Fa ext
-is of an unknown extension type or if decoding fails
-while using the decoding function for the relevant type,
-the action taken depends on the
-.Fa flags
-argument:
-.Bl -bullet
-.It
-If the bit
-.Dv X509V3_EXT_PARSE_UNKNOWN
-is set,
-.Xr ASN1_parse_dump 3
-is called on the BER-encoded data of the extension, passing \-1 for the
-.Fa dump
-argument.
-Thus, some information about the encoding of the extension gets printed
-and some about its decoded content, falling back to
-.Xr BIO_dump_indent 3
-for the decoded content unless a dedicated printing method is known
-for the respective data type(s).
-Note that even if an extension type is unknown, the data type used
-by the unknown extension, or, if that data type is constructed, of
-the values contained in it, may still be known, which may allow
-printing the content of even an unknown extension in a structured
-or partially structured form.
-.It
-If the bit
-.Dv X509V3_EXT_DUMP_UNKNOWN
-is set,
-.Xr BIO_dump_indent 3
-is called on the BER-encoded data of the extension without decoding
-it first, which is usually less readable than the above but poses
-a smaller risk of omitting or misrepresenting parts of the information.
-.It
-If the bit
-.Dv X509V3_EXT_ERROR_UNKNOWN
-is set, only the fixed string
-.Qq "<Not Supported>"
-is printed for an unknown type or only the fixed string
-.Qq "<Parse Error>"
-if the parsing functions fails,
-but printing is considered as successful anyway.
-.It
-If more than one of these three bits is set, or if a bit in
-.Dv X509V3_EXT_UNKNOWN_MASK
-is set that is not listed above, nothing is printed, but printing
-is considered as successful anyway.
-.It
-If none of the bits in
-.Dv X509V3_EXT_UNKNOWN_MASK
-are set, nothing is printed and printing is considered as failed.
-.El
-.Sh RETURN VALUES
-.Fn X509V3_EXT_print
-and
-.Fn X509V3_EXT_print_fp
-return 0 if failure was both detected and considered relevant.
-Otherwise, 1 is returned, and in general the user cannot tell whether
-failure simply went undetected, whether the function detected failure
-but regarded it as irrelevant, or whether printing did indeed
-succeed.
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_get0_extensions 3 ,
-.Xr X509_get_ext 3 ,
-.Xr X509V3_extensions_print 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.2 and have been available since
-.Ox 2.6 .
-.Sh BUGS
-These functions lack error handling throughout.
-When a write operation fails, they will usually ignore the fact that
-information was omitted from the output and report success to the
-caller anyway.
diff --git a/src/lib/libcrypto/man/X509V3_extensions_print.3 b/src/lib/libcrypto/man/X509V3_extensions_print.3
deleted file mode 100644
index 8c43fe9b01..0000000000
--- a/src/lib/libcrypto/man/X509V3_extensions_print.3
+++ /dev/null
@@ -1,100 +0,0 @@
-.\" $OpenBSD: X509V3_extensions_print.3,v 1.2 2021/11/26 13:48:21 jsg Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 26 2021 $
-.Dt X509V3_EXTENSIONS_PRINT 3
-.Os
-.Sh NAME
-.Nm X509V3_extensions_print
-.Nd pretty-print an array of X.509 extensions
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft int
-.Fo X509V3_extensions_print
-.Fa "BIO *bio"
-.Fa "char *title"
-.Fa "const STACK_OF(X509_EXTENSION) *sk"
-.Fa "unsigned long flags"
-.Fa "int indent"
-.Fc
-.Sh DESCRIPTION
-For each member of the variable sized array
-.Fa sk ,
-.Fn X509V3_extensions_print
-prints the following information to
-.Fa bio
-in the following order:
-.Bl -bullet
-.It
-The extension type as printed by
-.Xr i2a_ASN1_OBJECT 3 .
-.It
-If the extension is critical, the fixed string
-.Qq "critical" .
-.It
-A human-readable representation of the data contained in the extension
-as printed by
-.Xr X509V3_EXT_print 3 ,
-passing through the
-.Fa flags .
-If that function indicates failure,
-the BER-encoded data of the extension is dumped with
-.Xr ASN1_STRING_print 3
-without decoding it first.
-In both cases, an
-.Fa indent
-incremented by 4 space characters is used.
-.El
-.Pp
-If
-.Fa sk
-is a
-.Dv NULL
-pointer or empty,
-.Fn X509V3_extensions_print
-prints nothing and indicates success.
-.Pp
-Unless
-.Fa title
-is
-.Dv NULL ,
-it is printed on its own output line before the rest of the output, and
-.Fa indent
-is increased by 4 space characters.
-This additional global indentation is cumulative
-to the one applied to individual extensions mentioned above.
-.Sh RETURN VALUES
-.Fn X509V3_extensions_print
-is intended to return 1 on success or 0 if an error occurs.
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr STACK_OF 3 ,
-.Xr X509_EXTENSION_get_critical 3 ,
-.Xr X509_get0_extensions 3 ,
-.Xr X509_get_ext 3 ,
-.Xr X509V3_EXT_print 3
-.Sh HISTORY
-.Fn X509V3_extensions_print
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
-.Sh BUGS
-Many parsing and printing errors are silently ignored,
-and the function may return indicating success even though
-.Fa sk
-contains invalid data.
-Even if all the data is valid, success may be indicated  even when the
-information printed is incomplete for various reasons, for example
-due to memory allocation failures or I/O errors.
diff --git a/src/lib/libcrypto/man/X509V3_get_d2i.3 b/src/lib/libcrypto/man/X509V3_get_d2i.3
deleted file mode 100644
index bf442dc846..0000000000
--- a/src/lib/libcrypto/man/X509V3_get_d2i.3
+++ /dev/null
@@ -1,507 +0,0 @@
-.\" $OpenBSD: X509V3_get_d2i.3,v 1.25 2024/12/31 20:17:00 tb Exp $
-.\" full merge up to: OpenSSL ff7fbfd5 Nov 2 11:52:01 2015 +0000
-.\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023, 2024 Theo Buehler <tb@openbsd.org>
-.\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2014, 2015, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 31 2024 $
-.Dt X509V3_GET_D2I 3
-.Os
-.Sh NAME
-.Nm X509V3_get_d2i ,
-.Nm X509V3_add1_i2d ,
-.Nm X509V3_EXT_d2i ,
-.Nm X509V3_EXT_i2d ,
-.Nm X509_get_ext_d2i ,
-.Nm X509_add1_ext_i2d ,
-.Nm X509_CRL_get_ext_d2i ,
-.Nm X509_CRL_add1_ext_i2d ,
-.Nm X509_REVOKED_get_ext_d2i ,
-.Nm X509_REVOKED_add1_ext_i2d ,
-.Nm X509_get0_extensions ,
-.Nm X509_CRL_get0_extensions ,
-.Nm X509_REVOKED_get0_extensions ,
-.Nm X509_get0_uids
-.Nd X509 extension decode and encode functions
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft void *
-.Fo X509V3_get_d2i
-.Fa "const STACK_OF(X509_EXTENSION) *x"
-.Fa "int nid"
-.Fa "int *crit"
-.Fa "int *idx"
-.Fc
-.Ft int
-.Fo X509V3_add1_i2d
-.Fa "STACK_OF(X509_EXTENSION) **x"
-.Fa "int nid"
-.Fa "void *value"
-.Fa "int crit"
-.Fa "unsigned long flags"
-.Fc
-.Ft void *
-.Fo X509V3_EXT_d2i
-.Fa "X509_EXTENSION *ext"
-.Fc
-.Ft X509_EXTENSION *
-.Fo X509V3_EXT_i2d
-.Fa "int ext_nid"
-.Fa "int crit"
-.Fa "void *ext"
-.Fc
-.Ft void *
-.Fo X509_get_ext_d2i
-.Fa "const X509 *x"
-.Fa "int nid"
-.Fa "int *crit"
-.Fa "int *idx"
-.Fc
-.Ft int
-.Fo X509_add1_ext_i2d
-.Fa "X509 *x"
-.Fa "int nid"
-.Fa "void *value"
-.Fa "int crit"
-.Fa "unsigned long flags"
-.Fc
-.Ft void *
-.Fo X509_CRL_get_ext_d2i
-.Fa "const X509_CRL *crl"
-.Fa "int nid"
-.Fa "int *crit"
-.Fa "int *idx"
-.Fc
-.Ft int
-.Fo X509_CRL_add1_ext_i2d
-.Fa "X509_CRL *crl"
-.Fa "int nid"
-.Fa "void *value"
-.Fa "int crit"
-.Fa "unsigned long flags"
-.Fc
-.Ft void *
-.Fo X509_REVOKED_get_ext_d2i
-.Fa "const X509_REVOKED *r"
-.Fa "int nid"
-.Fa "int *crit"
-.Fa "int *idx"
-.Fc
-.Ft int
-.Fo X509_REVOKED_add1_ext_i2d
-.Fa "X509_REVOKED *r"
-.Fa "int nid"
-.Fa "void *value"
-.Fa "int crit"
-.Fa "unsigned long flags"
-.Fc
-.Ft const STACK_OF(X509_EXTENSION) *
-.Fo X509_get0_extensions
-.Fa "const X509 *x"
-.Fc
-.Ft const STACK_OF(X509_EXTENSION) *
-.Fo X509_CRL_get0_extensions
-.Fa "const X509_CRL *crl"
-.Fc
-.Ft const STACK_OF(X509_EXTENSION) *
-.Fo X509_REVOKED_get0_extensions
-.Fa "const X509_REVOKED *r"
-.Fc
-.Ft void
-.Fo X509_get0_uids
-.Fa "const X509 *x"
-.Fa "const ASN1_BIT_STRING **issuerUID"
-.Fa "const ASN1_BIT_STRING **subjectUID"
-.Fc
-.Sh DESCRIPTION
-.Fn X509V3_get_d2i
-looks for an extension with OID
-.Fa nid
-in the extensions
-.Fa x
-and, if found, decodes it.
-If
-.Fa idx
-is
-.Dv NULL ,
-then only one occurrence of an extension is permissible.
-Otherwise the first extension after index
-.Pf * Fa idx
-is returned and
-.Pf * Fa idx
-is updated to the location of the extension.
-If
-.Fa crit
-is not
-.Dv NULL ,
-then
-.Pf * Fa crit
-is set to a status value: -2 if the extension occurs multiple times
-(this is only returned if
-.Fa idx
-is
-.Dv NULL ) ,
--1 if the extension could not be found, 0 if the extension is found
-and is not critical, and 1 if it is critical.
-A pointer to an extension specific structure or
-.Dv NULL
-is returned.
-.Pp
-.Fn X509V3_add1_i2d
-adds extension
-.Fa value
-to STACK
-.Pf * Fa x
-(allocating a new STACK if necessary) using OID
-.Fa nid
-and criticality
-.Fa crit
-according to
-.Fa flags .
-.Pp
-.Fn X509V3_EXT_d2i
-attempts to decode the ASN.1 data contained in extension
-.Fa ext
-and returns a pointer to an extension specific structure or
-.Dv NULL
-if the extension could not be decoded (invalid syntax or not supported).
-.Pp
-.Fn X509V3_EXT_i2d
-encodes the extension specific structure
-.Fa ext
-with OID
-.Fa ext_nid
-and criticality
-.Fa crit .
-.Pp
-.Fn X509_get_ext_d2i
-and
-.Fn X509_add1_ext_i2d
-operate on the extensions of certificate
-.Fa x ,
-and are otherwise identical to
-.Fn X509V3_get_d2i
-and
-.Fn X509V3_add1_i2d .
-.Pp
-.Fn X509_CRL_get_ext_d2i
-and
-.Fn X509_CRL_add1_ext_i2d
-operate on the extensions of CRL
-.Fa crl ,
-and are otherwise identical to
-.Fn X509V3_get_d2i
-and
-.Fn X509V3_add1_i2d .
-.Pp
-.Fn X509_REVOKED_get_ext_d2i
-and
-.Fn X509_REVOKED_add1_ext_i2d
-operate on the extensions of the
-.Vt X509_REVOKED
-structure
-.Fa r
-(i.e. for CRL entry extensions), and are otherwise identical to
-.Fn X509V3_get_d2i
-and
-.Fn X509V3_add1_i2d .
-.Pp
-.Fn X509_get0_extensions ,
-.Fn X509_CRL_get0_extensions ,
-and
-.Fn X509_REVOKED_get0_extensions
-return a stack of all the extensions of a certificate, a CRL,
-or a CRL entry, respectively.
-.Pp
-In almost all cases an extension can occur at most once and multiple
-occurrences is an error.
-Therefore the
-.Fa idx
-parameter is usually
-.Dv NULL .
-.Pp
-The
-.Fa flags
-argument consists of two parts OR'ed together:
-the operation mode and the optional silent flag.
-The operation mode is the bitwise OR of the
-.Fa flags
-and the bitmask
-.Dv X509V3_ADD_OP_MASK .
-The following operation modes are recognized:
-.Pp
-.Dv X509V3_ADD_DEFAULT
-appends a new extension only if the extension does not already exist.
-An error is returned if the extension does already exist.
-.Pp
-.Dv X509V3_ADD_APPEND
-appends a new extension, ignoring whether the extension already exists.
-This is a misfeature and should not be used because certificates must
-not include the same extension more than once.
-.Pp
-.Dv X509V3_ADD_REPLACE
-replaces an extension if it exists otherwise appends a new extension.
-.Pp
-.Dv X509V3_ADD_REPLACE_EXISTING
-replaces an existing extension if it exists otherwise returns an error.
-.Pp
-.Dv X509V3_ADD_KEEP_EXISTING
-appends a new extension only if the extension does not already exist.
-An error
-.Sy is not
-returned if the extension does already exist.
-.Pp
-.Dv X509V3_ADD_DELETE
-deletes extension
-.Fa nid
-if it exists and errors otherwise.
-No new extension is added.
-.Pp
-Any other operation mode results in an error.
-.Pp
-If
-.Dv X509V3_ADD_SILENT
-is OR'd into the
-.Fa flags ,
-any error returned will not be added to the error queue.
-.Pp
-The function
-.Fn X509V3_get_d2i
-will return
-.Dv NULL
-if the extension is not found, occurs multiple times or cannot be
-decoded.
-It is possible to determine the precise reason by checking the value of
-.Pf * Fa crit .
-.Pp
-.Fn X509_get0_uids
-returns the issuer and subject unique identifiers of the certificate
-.Fa x
-in
-.Pf * Fa issuerUID
-and
-.Pf * Fa subjectUID .
-If a unique identifier field is not present in
-.Fa x ,
-.Dv NULL
-is returned.
-Either one of
-.Fa issuerUID
-and
-.Fa subjectUID
-can be
-.Dv NULL .
-.Sh SUPPORTED EXTENSIONS
-The following sections contain a list of all supported extensions
-including their name and NID.
-.Ss PKIX Certificate Extensions
-The following certificate extensions are defined in PKIX standards such
-as RFC 5280.
-.Bl -column 30n 30n
-.It Basic Constraints             Ta Dv NID_basic_constraints
-.It Key Usage                     Ta Dv NID_key_usage
-.It Extended Key Usage            Ta Dv NID_ext_key_usage
-.It Subject Key Identifier        Ta Dv NID_subject_key_identifier
-.It Authority Key Identifier      Ta Dv NID_authority_key_identifier
-.It Private Key Usage Period      Ta Dv NID_private_key_usage_period
-.It Subject Alternative Name      Ta Dv NID_subject_alt_name
-.It Issuer Alternative Name       Ta Dv NID_issuer_alt_name
-.It Authority Information Access  Ta Dv NID_info_access
-.It Subject Information Access    Ta Dv NID_sinfo_access
-.It Name Constraints              Ta Dv NID_name_constraints
-.It Certificate Policies          Ta Dv NID_certificate_policies
-.It Policy Mappings               Ta Dv NID_policy_mappings
-.It Policy Constraints            Ta Dv NID_policy_constraints
-.It Inhibit Any Policy            Ta Dv NID_inhibit_any_policy
-.It IP Address Delegation         Ta Dv NID_sbgp_ipAddrBlock
-.It Autonomous System Identifier Delegation\
-                                  Ta Dv NID_sbgp_autonomousSysNum
-.El
-.Ss Netscape Certificate Extensions
-The following are (largely obsolete) Netscape certificate extensions.
-.Bl -column 30n 30n
-.It Netscape Cert Type            Ta Dv NID_netscape_cert_type
-.It Netscape Base Url             Ta Dv NID_netscape_base_url
-.It Netscape Revocation Url       Ta Dv NID_netscape_revocation_url
-.It Netscape CA Revocation Url    Ta Dv NID_netscape_ca_revocation_url
-.It Netscape Renewal Url          Ta Dv NID_netscape_renewal_url
-.It Netscape CA Policy Url        Ta Dv NID_netscape_ca_policy_url
-.It Netscape SSL Server Name      Ta Dv NID_netscape_ssl_server_name
-.It Netscape Comment              Ta Dv NID_netscape_comment
-.El
-.Ss PKIX CRL Extensions
-The following are CRL extensions from PKIX standards such as RFC 5280.
-.Bl -column 30n 30n
-.It CRL Number                    Ta Dv NID_crl_number
-.It CRL Distribution Points       Ta Dv NID_crl_distribution_points
-.It Delta CRL Indicator           Ta Dv NID_delta_crl
-.It Freshest CRL                  Ta Dv NID_freshest_crl
-.It Invalidity Date               Ta Dv NID_invalidity_date
-.It Issuing Distribution Point    Ta Dv NID_issuing_distribution_point
-.El
-.Pp
-The following are CRL entry extensions from PKIX standards such as
-RFC 5280.
-.Bl -column 30n 30n
-.It CRL Reason Code               Ta Dv NID_crl_reason
-.It Certificate Issuer            Ta Dv NID_certificate_issuer
-.El
-.Ss OCSP Extensions
-.Bl -column 30n 30n
-.It OCSP Nonce                    Ta Dv NID_id_pkix_OCSP_Nonce
-.It OCSP CRL ID                   Ta Dv NID_id_pkix_OCSP_CrlID
-.It Acceptable OCSP Responses     Ta Dv NID_id_pkix_OCSP_acceptableResponses
-.It OCSP No Check                 Ta Dv NID_id_pkix_OCSP_noCheck
-.It OCSP Archive Cutoff           Ta Dv NID_id_pkix_OCSP_archiveCutoff
-.It OCSP Service Locator          Ta Dv NID_id_pkix_OCSP_serviceLocator
-.It Hold Instruction Code         Ta Dv NID_hold_instruction_code
-.El
-.Sh RETURN VALUES
-.Fn X509V3_get_d2i ,
-.Fn X509V3_EXT_d2i ,
-.Fn X509_get_ext_d2i ,
-.Fn X509_CRL_get_ext_d2i ,
-and
-.Fn X509_REVOKED_get_ext_d2i
-return a pointer to an extension specific structure or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn X509V3_add1_i2d ,
-.Fn X509_add1_ext_i2d ,
-.Fn X509_CRL_add1_ext_i2d ,
-and
-.Fn X509_REVOKED_add1_ext_i2d
-return 1 if the operation is successful, 0 if it fails due to a
-non-fatal error (extension not found, already exists, cannot be encoded),
-or -1 due to a fatal error such as a memory allocation failure.
-In some cases of failure, the reason can be determined with
-.Xr ERR_get_error 3 .
-.Pp
-The
-.Fn X509V3_EXT_i2d
-function returns a pointer to an
-.Vt X509_EXTENSION
-structure if successful; otherwise
-.Dv NULL
-is returned and an error code can be retrieved with
-.Xr ERR_get_error 3 .
-.Pp
-.Fn X509_get0_extensions ,
-.Fn X509_CRL_get0_extensions ,
-and
-.Fn X509_REVOKED_get0_extensions
-return a stack of extensions, or
-.Dv NULL
-if no extensions are present.
-.Sh SEE ALSO
-.Xr d2i_X509 3 ,
-.Xr d2i_X509_EXTENSION 3 ,
-.Xr X509_check_purpose 3 ,
-.Xr X509_CRL_get0_by_serial 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_get_pubkey 3 ,
-.Xr X509_get_subject_name 3 ,
-.Xr X509_get_version 3 ,
-.Xr X509_new 3 ,
-.Xr X509_REVOKED_new 3 ,
-.Xr X509V3_EXT_print 3 ,
-.Xr X509V3_extensions_print 3
-.Sh HISTORY
-.Fn X509V3_EXT_d2i
-first appeared in OpenSSL 0.9.2b.
-.Fn X509V3_EXT_i2d
-first appeared in OpenSSL 0.9.3.
-Both functions have been available since
-.Ox 2.6 .
-.Pp
-.Fn X509V3_get_d2i ,
-.Fn X509_get_ext_d2i ,
-.Fn X509_CRL_get_ext_d2i ,
-and
-.Fn X509_REVOKED_get_ext_d2i
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-.Fn X509V3_add1_i2d ,
-.Fn X509_add1_ext_i2d ,
-.Fn X509_CRL_add1_ext_i2d ,
-and
-.Fn X509_REVOKED_add1_ext_i2d
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn X509_get0_extensions ,
-.Fn X509_CRL_get0_extensions ,
-and
-.Fn X509_REVOKED_get0_extensions
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.3 .
-.Pp
-.Fn X509_get0_uids
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.3 .
diff --git a/src/lib/libcrypto/man/X509V3_parse_list.3 b/src/lib/libcrypto/man/X509V3_parse_list.3
deleted file mode 100644
index 447f1a5e94..0000000000
--- a/src/lib/libcrypto/man/X509V3_parse_list.3
+++ /dev/null
@@ -1,101 +0,0 @@
-.\" $OpenBSD: X509V3_parse_list.3,v 1.2 2024/12/24 09:48:56 schwarze Exp $
-.\"
-.\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 24 2024 $
-.Dt X509V3_PARSE_LIST 3
-.Os
-.Sh NAME
-.Nm X509V3_parse_list ,
-.Nm X509V3_conf_free
-.Nd create and destroy CONF_VALUE objects
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft STACK_OF(CONF_VALUE) *
-.Fn X509V3_parse_list "const char *string"
-.Ft void
-.Fn X509V3_conf_free "CONF_VALUE *conf"
-.Sh DESCRIPTION
-.Fn X509V3_parse_list
-parses the
-.Fa string
-and allocates an array of
-.Vt CONF_VALUE
-objects according to the following rules.
-.Bl -enum -width 2n
-.It
-The string is split into fields at comma
-.Pq Sq \&,
-characters.
-.It
-If a field contains a colon
-.Pq Sq \&:
-character, the part before the colon is regarded as a name
-and the part after the first colon as the associated value.
-Otherwise, the whole field is regarded as the name and
-.Dv NULL
-is used as the associated value.
-.It
-For each name and each value, leading and trailing whitespace as defined by
-.Xr isspace 3
-is ignored.
-.It
-Parsing ends when a NUL, carriage return, or newline character
-is encountered.
-.El
-.Pp
-A new, empty
-.Vt STACK_OF(CONF_VALUE)
-is allocated and for each parsed name, one
-.Vt CONF_VALUE
-structure containing the optional value is pushed onto it.
-.Pp
-.Fn X509V3_conf_free
-releases all memory used by
-.Fa conf .
-If
-.Fa conf
-is
-.Dv NULL ,
-no action occurs.
-.Pp
-The typical way to release the memory returned from
-.Fn X509V3_parse_list
-is by calling
-.Fn sk_CONF_VALUE_pop_free
-on it, passing a pointer to the function
-.Fn X509V3_conf_free
-as the second argument.
-.Sh RETURN VALUES
-.Fn X509V3_parse_list
-returns the new
-.Vt STACK_OF(CONF_VALUE)
-object or
-.Dv NULL
-if an error occurs, in particular if there isn't any name,
-if the name before a colon or after a comma is empty,
-if the value after a colon is empty,
-or if memory allocation fails.
-.Sh SEE ALSO
-.Xr isspace 3 ,
-.Xr sk_pop_free 3 ,
-.Xr STACK_OF 3 ,
-.Xr v2i_ASN1_BIT_STRING 3
-.Sh HISTORY
-.Fn X509V3_parse_list
-and
-.Fn X509V3_conf_free
-first appeared in OpenSSL 0.9.2 and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/X509_ALGOR_dup.3 b/src/lib/libcrypto/man/X509_ALGOR_dup.3
deleted file mode 100644
index ef7ca75863..0000000000
--- a/src/lib/libcrypto/man/X509_ALGOR_dup.3
+++ /dev/null
@@ -1,297 +0,0 @@
-.\"     $OpenBSD: X509_ALGOR_dup.3,v 1.23 2024/03/19 17:34:05 tb Exp $
-.\"     OpenSSL 4692340e Jun 7 15:49:08 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 19 2024 $
-.Dt X509_ALGOR_DUP 3
-.Os
-.Sh NAME
-.Nm X509_ALGOR_new ,
-.Nm X509_ALGOR_free ,
-.Nm X509_ALGOR_dup ,
-.Nm X509_ALGOR_set0 ,
-.Nm X509_ALGOR_get0 ,
-.Nm X509_ALGOR_cmp
-.Nd create, change, and inspect algorithm identifiers
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_ALGOR *
-.Fn X509_ALGOR_new void
-.Ft void
-.Fn X509_ALGOR_free "X509_ALGOR *alg"
-.Ft X509_ALGOR *
-.Fo X509_ALGOR_dup
-.Fa "X509_ALGOR *alg"
-.Fc
-.Ft int
-.Fo X509_ALGOR_set0
-.Fa "X509_ALGOR *alg"
-.Fa "ASN1_OBJECT *aobj"
-.Fa "int ptype"
-.Fa "void *pval"
-.Fc
-.Ft void
-.Fo X509_ALGOR_get0
-.Fa "const ASN1_OBJECT **paobj"
-.Fa "int *pptype"
-.Fa "const void **ppval"
-.Fa "const X509_ALGOR *alg"
-.Fc
-.Ft int
-.Fo X509_ALGOR_cmp
-.Fa "const X509_ALGOR *a"
-.Fa "const X509_ALGOR *b"
-.Fc
-.Sh DESCRIPTION
-An
-.Vt X509_ALGOR
-object represents an ASN.1
-.Vt AlgorithmIdentifier
-structure defined in RFC 5280 section 4.1.1.2.
-It specifies a cryptographic
-.Fa algorithm
-by an ASN.1 object identifier (OID) that can be obtained from
-.Xr OBJ_nid2obj 3 ,
-together with optional algorithm-specific
-.Fa parameters
-of the type
-.Vt ASN1_TYPE ,
-see
-.Xr ASN1_TYPE_set 3 .
-.Vt X509_ALGOR
-objects are used by many other objects, for example certificates,
-certificate revocation lists, and certificate requests.
-.Pp
-.Fn X509_ALGOR_new
-allocates a new
-.Vt X509_ALGOR
-object containing the object that
-.Xr OBJ_nid2obj 3
-returns for
-.Dv NID_undef
-as the
-.Fa algorithm
-and a
-.Dv NULL
-pointer as the
-.Fa parameters .
-.Pp
-.Fn X509_ALGOR_free
-frees
-.Fa alg
-and any data contained in it.
-If
-.Fa alg
-is
-.Dv NULL ,
-no action occurs.
-.Pp
-.Fn X509_ALGOR_dup
-creates a deep copy of
-.Fa alg .
-It is implemented by calling
-.Xr ASN1_item_dup 3
-with arguments of
-.Dv X509_ALGOR_it
-and
-.Fa alg ,
-which is equivalent to calling
-.Xr i2d_X509_ALGOR 3
-and
-.Xr d2i_X509_ALGOR 3 .
-.Pp
-.Fn X509_ALGOR_set0
-sets the algorithm OID of
-.Fa alg
-to
-.Fa aobj
-and the associated parameter type to
-.Fa ptype
-with value
-.Fa pval .
-If
-.Fa ptype
-is
-.Dv V_ASN1_UNDEF ,
-the parameter is omitted and
-.Fa pval
-is ignored.
-If
-.Fa ptype
-is zero,
-.Fa pval
-is ignored and the existing parameter is left unchanged, or if
-.Fa alg
-does not contain a parameter, a new, empty parameter of type
-.Dv V_ASN1_UNDEF
-is added.
-Otherwise
-.Fa ptype
-and
-.Fa pval
-have the same meaning as the
-.Fa type
-and
-.Fa value
-parameters to
-.Xr ASN1_TYPE_set 3 .
-Ownership of
-.Fa aobj
-and, unless it is ignored, of
-.Fa pval
-is transferred to
-.Fa alg
-on success.
-.Pp
-.Fn X509_ALGOR_get0
-returns
-.Fa alg Ns 's
-algorithm OID in
-.Pf * Fa paobj ,
-its parameter type in
-.Pf * Fa pptype ,
-and its parameter value in
-.Pf * Fa ppval .
-Any of
-.Fa paobj ,
-.Fa pptype ,
-and
-.Fa ppval
-can be
-.Dv NULL .
-If
-.Fa pptype is
-.Dv NULL
-or if
-.Pf * Fa pptype
-is
-.Dv V_ASN1_UNDEF
-then
-.Pf * Fa ppval Ns 's
-value is undefined.
-.Pp
-.Fn X509_ALGOR_cmp
-compares
-.Fa a
-and
-.Fa b .
-.Sh RETURN VALUES
-.Fn X509_ALGOR_new
-and
-.Fn X509_ALGOR_dup
-return a new
-.Vt X509_ALGOR
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn X509_ALGOR_set0
-returns 1 for success or 0 if
-.Fa alg
-is
-.Dv NULL
-or memory allocation fails.
-.Pp
-.Fn X509_ALGOR_cmp
-returns 0 if
-.Fa a
-and
-.Fa b
-have identical encodings or non-zero otherwise.
-.Sh SEE ALSO
-.Xr ASN1_TYPE_set 3 ,
-.Xr d2i_X509_ALGOR 3 ,
-.Xr EVP_DigestInit 3 ,
-.Xr OBJ_nid2obj 3 ,
-.Xr X509_get0_signature 3 ,
-.Xr X509_new 3 ,
-.Xr X509_PUBKEY_get0_param 3 ,
-.Xr X509_signature_dump 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Sh HISTORY
-.Fn X509_ALGOR_new
-and
-.Fn X509_ALGOR_free
-appeared in SSLeay 0.4 or earlier and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_ALGOR_dup
-first appeared in SSLeay 0.9.1 and has been available since
-.Ox 2.6 .
-.Pp
-.Fn X509_ALGOR_set0
-and
-.Fn X509_ALGOR_get0
-first appeared in OpenSSL 0.9.8h and have been available since
-.Ox 4.5 .
-.Pp
-.Fn X509_ALGOR_cmp
-first appeared in OpenSSL 0.9.8zd, 1.0.0p, and 1.0.1k
-and has been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/X509_ATTRIBUTE_get0_object.3 b/src/lib/libcrypto/man/X509_ATTRIBUTE_get0_object.3
deleted file mode 100644
index 4212e27d7e..0000000000
--- a/src/lib/libcrypto/man/X509_ATTRIBUTE_get0_object.3
+++ /dev/null
@@ -1,136 +0,0 @@
-.\" $OpenBSD: X509_ATTRIBUTE_get0_object.3,v 1.2 2021/10/21 16:26:34 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 21 2021 $
-.Dt X509_ATTRIBUTE_GET0_OBJECT 3
-.Os
-.Sh NAME
-.Nm X509_ATTRIBUTE_get0_object ,
-.Nm X509_ATTRIBUTE_count ,
-.Nm X509_ATTRIBUTE_get0_type ,
-.Nm X509_ATTRIBUTE_get0_data
-.\" In the following line, "X.501" and "Attribute" are not typos.
-.\" The "Attribute" type is defined in X.501, not in X.509.
-.\" The type is called "Attribute" with capital "A", not "attribute".
-.Nd X.501 Attribute read accessors
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft ASN1_OBJECT *
-.Fo X509_ATTRIBUTE_get0_object
-.Fa "X509_ATTRIBUTE *attr"
-.Fc
-.Ft int
-.Fo X509_ATTRIBUTE_count
-.Fa "const X509_ATTRIBUTE *attr"
-.Fc
-.Ft ASN1_TYPE *
-.Fo X509_ATTRIBUTE_get0_type
-.Fa "X509_ATTRIBUTE *attr"
-.Fa "int index"
-.Fc
-.Ft void *
-.Fo X509_ATTRIBUTE_get0_data
-.Fa "X509_ATTRIBUTE *attr"
-.Fa "int index"
-.Fa "int type"
-.Fa "void *data"
-.Fc
-.Sh DESCRIPTION
-These functions provide read access to the X.501 Attribute object
-.Fa attr .
-.Pp
-For
-.Fn X509_ATTRIBUTE_get0_data ,
-the
-.Fa type
-argument usually is one of the
-.Dv V_ASN1_*
-constants defined in
-.In openssl/asn1.h .
-For example, if a return value of the type
-.Vt ASN1_OCTET_STRING
-is expected, pass
-.Dv V_ASN1_OCTET_STRING
-as the
-.Fa type
-argument.
-The
-.Fa data
-argument is ignored; passing
-.Dv NULL
-is recommended.
-.Sh RETURN VALUES
-.Fn X509_ATTRIBUTE_get0_object
-returns an internal pointer to the type of
-.Fa attr
-or
-.Dv NULL
-if
-.Fa attr
-is
-.Dv NULL
-or if its type is not set.
-.Pp
-.Fn X509_ATTRIBUTE_count
-returns the number of values stored in
-.Fa attr
-or 0 if no value or values are set.
-.Pp
-.Fn X509_ATTRIBUTE_get0_type
-returns an internal pointer to the ASN.1 ANY object
-representing the value with the given zero-based
-.Fa index
-or
-.Dv NULL
-if
-.Fa attr
-is
-.Dv NULL ,
-if the
-.Fa index
-is larger than or equal to the number of values stored in
-.Fa attr ,
-or if no value or values are set.
-.Pp
-.Fn X509_ATTRIBUTE_get0_data
-returns an internal pointer to the data
-contained in the value with the given zero-based
-.Fa index
-or
-.Dv NULL
-if
-.Fa attr
-is
-.Dv NULL ,
-if the
-.Fa index
-is larger than or equal to the number of values stored in
-.Fa attr ,
-if no value or values are set,
-or if the ASN.1 ANY object representing the value with the given
-.Fa index
-is not of the requested
-.Fa type .
-.Sh SEE ALSO
-.Xr ASN1_OBJECT_new 3 ,
-.Xr ASN1_TYPE_new 3 ,
-.Xr OPENSSL_sk_new 3 ,
-.Xr X509_ATTRIBUTE_new 3 ,
-.Xr X509_ATTRIBUTE_set1_object 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.5
-and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3 b/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3
deleted file mode 100644
index cc2b27d4c0..0000000000
--- a/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3
+++ /dev/null
@@ -1,180 +0,0 @@
-.\" $OpenBSD: X509_ATTRIBUTE_new.3,v 1.18 2024/09/02 07:57:27 tb Exp $
-.\"
-.\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 2 2024 $
-.Dt X509_ATTRIBUTE_NEW 3
-.Os
-.Sh NAME
-.Nm X509_ATTRIBUTE_new ,
-.Nm X509_ATTRIBUTE_create ,
-.Nm X509_ATTRIBUTE_dup ,
-.Nm X509_ATTRIBUTE_free
-.\" In the following line, "X.501" and "Attribute" are not typos.
-.\" The "Attribute" type is defined in X.501, not in X.509.
-.\" The type is called "Attribute" with capital "A", not "attribute".
-.Nd generic X.501 Attribute
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_ATTRIBUTE *
-.Fn X509_ATTRIBUTE_new void
-.Ft X509_ATTRIBUTE *
-.Fn X509_ATTRIBUTE_create "int nid" "int type" "void *value"
-.Ft X509_ATTRIBUTE *
-.Fn X509_ATTRIBUTE_dup "X509_ATTRIBUTE *attr"
-.Ft void
-.Fn X509_ATTRIBUTE_free "X509_ATTRIBUTE *attr"
-.Sh DESCRIPTION
-In the X.501 standard, an
-.Vt Attribute
-is the fundamental ASN.1 data type used to represent any kind of
-property of any kind of directory entry.
-In OpenSSL, very few objects use it directly, most notably the
-.Vt X509_REQ_INFO
-object used for PKCS#10 certification requests described in
-.Xr X509_REQ_new 3 ,
-the
-.Vt PKCS8_PRIV_KEY_INFO
-object used for PKCS#8 private key information described in
-.Xr PKCS8_PRIV_KEY_INFO_new 3 ,
-and the
-.Vt PKCS12_SAFEBAG
-container object described in
-.Xr PKCS12_SAFEBAG_new 3 .
-.Pp
-.Fn X509_ATTRIBUTE_new
-allocates and initializes an empty
-.Vt X509_ATTRIBUTE
-object.
-.Pp
-.Fn X509_ATTRIBUTE_create
-allocates a new multi-valued
-.Vt X509_ATTRIBUTE
-object of the type
-.Fa nid
-and initializes its set of values
-to contain one new ASN.1 ANY object with the given
-.Fa value
-and
-.Fa type .
-The
-.Fa type
-usually is one of the
-.Dv V_ASN1_*
-constants defined in
-.In openssl/asn1.h ;
-it is stored without validating it.
-If the function succeeds, ownership of the
-.Fa value
-is transferred to the new
-.Vt X509_ATTRIBUTE
-object.
-.Pp
-Be careful to not confuse the type of the attribute
-and the type of the value.
-.Pp
-.Fn X509_ATTRIBUTE_dup
-creates a deep copy of
-.Fa attr .
-.Pp
-.Fn X509_ATTRIBUTE_free
-frees
-.Fa attr .
-.Sh RETURN VALUES
-.Fn X509_ATTRIBUTE_new ,
-.Fn X509_ATTRIBUTE_create ,
-and
-.Fn X509_ATTRIBUTE_dup
-return the new
-.Vt X509_ATTRIBUTE
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-In particular, these functions fail if memory allocation fails.
-.Fn X509_ATTRIBUTE_create
-also fails if
-.Xr OBJ_nid2obj 3
-fails on
-.Fa nid .
-.Sh SEE ALSO
-.Xr d2i_X509_ATTRIBUTE 3 ,
-.Xr OBJ_nid2obj 3 ,
-.Xr PKCS12_SAFEBAG_new 3 ,
-.Xr PKCS7_add_attribute 3 ,
-.Xr PKCS8_pkey_get0_attrs 3 ,
-.Xr PKCS8_PRIV_KEY_INFO_new 3 ,
-.Xr X509_ATTRIBUTE_get0_object 3 ,
-.Xr X509_ATTRIBUTE_set1_object 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_REQ_add1_attr 3 ,
-.Xr X509_REQ_new 3
-.Sh STANDARDS
-.Bl -ohang
-.It Xo
-For the general definition of the
-.Vt Attribute
-data type:
-.Xc
-ITU-T Recommendation X.501, also known as ISO/IEC 9594-2:
-Information Technology \(en Open Systems Interconnection \(en
-The Directory: Models, section 8.2: Overall structure
-.It For the specific definition in the context of certification requests:
-RFC 2986: PKCS #10: Certification Request Syntax Specification,
-section 4.1: CertificationRequestInfo
-.It For the specific use in the context of private key information:
-RFC 5208: Public-Key Cryptography Standards (PKCS) #8:
-Private-Key Information Syntax Specification
-.It For the specific definition in the context of PFX:
-RFC 7292: PKCS #12: Personal Information Exchange Syntax,
-section 4.2: The SafeBag Type
-.El
-.Sh HISTORY
-.Fn X509_ATTRIBUTE_new
-and
-.Fn X509_ATTRIBUTE_free
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_ATTRIBUTE_create
-and
-.Fn X509_ATTRIBUTE_dup
-first appeared in SSLeay 0.9.1 and have been available since
-.Ox 2.6 .
-.Sh BUGS
-A data type designed to hold arbitrary data is an oxymoron.
-.Pp
-While it may occasionally be useful for abstract syntax specification
-or for generic container objects, using it for the representation
-of specific data in a specific data structure feels like dubious
-design.
-.Pp
-Having two distinct data types to hold arbitrary data \(en
-in this case,
-.Vt X509_ATTRIBUTE
-on the X.501 language level and
-.Vt X509_EXTENSION
-as described in
-.Xr X509_EXTENSION_new 3
-on the X.509 language level \(en feels even more questionable,
-in particular considering that Attributes in certification requests
-can be used to ask for Extensions in certificates.
-.Pp
-At the very least, the direct use of the low-level generic
-.Vt X509_ATTRIBUTE
-type in specific data types like certification requests or private
-key information looks like a layering violation and appears to put
-type safety into jeopardy.
diff --git a/src/lib/libcrypto/man/X509_ATTRIBUTE_set1_object.3 b/src/lib/libcrypto/man/X509_ATTRIBUTE_set1_object.3
deleted file mode 100644
index 3555d4b169..0000000000
--- a/src/lib/libcrypto/man/X509_ATTRIBUTE_set1_object.3
+++ /dev/null
@@ -1,267 +0,0 @@
-.\" $OpenBSD: X509_ATTRIBUTE_set1_object.3,v 1.3 2021/11/26 13:48:21 jsg Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 26 2021 $
-.Dt X509_ATTRIBUTE_SET1_OBJECT 3
-.Os
-.Sh NAME
-.Nm X509_ATTRIBUTE_set1_object ,
-.Nm X509_ATTRIBUTE_set1_data ,
-.Nm X509_ATTRIBUTE_create_by_OBJ ,
-.Nm X509_ATTRIBUTE_create_by_NID ,
-.Nm X509_ATTRIBUTE_create_by_txt
-.\" In the following line, "X.501" and "Attribute" are not typos.
-.\" The "Attribute" type is defined in X.501, not in X.509.
-.\" The type is called "Attribute" with capital "A", not "attribute".
-.Nd modify an X.501 Attribute
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_ATTRIBUTE_set1_object
-.Fa "X509_ATTRIBUTE *attr"
-.Fa "const ASN1_OBJECT *obj"
-.Fc
-.Ft int
-.Fo X509_ATTRIBUTE_set1_data
-.Fa "X509_ATTRIBUTE *attr"
-.Fa "int type"
-.Fa "const void *data"
-.Fa "int len"
-.Fc
-.Ft X509_ATTRIBUTE *
-.Fo X509_ATTRIBUTE_create_by_OBJ
-.Fa "X509_ATTRIBUTE **pattr"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "int type"
-.Fa "const void *data"
-.Fa "int len"
-.Fc
-.Ft X509_ATTRIBUTE *
-.Fo X509_ATTRIBUTE_create_by_NID
-.Fa "X509_ATTRIBUTE **pattr"
-.Fa "int nid"
-.Fa "int type"
-.Fa "const void *data"
-.Fa "int len"
-.Fc
-.Ft X509_ATTRIBUTE *
-.Fo X509_ATTRIBUTE_create_by_txt
-.Fa "X509_ATTRIBUTE **pattr"
-.Fa "const char *name"
-.Fa "int type"
-.Fa "const unsigned char *data"
-.Fa "int len"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_ATTRIBUTE_set1_object
-sets the type of
-.Fa attr
-to
-.Fa obj .
-If
-.Fa obj
-is dynamically allocated, a deep copy is created.
-If the type of
-.Fa attr
-was already set, the old type is freed
-as far as it was dynamically allocated.
-After calling this function,
-.Fa attr
-may be in an inconsistent state
-because its values may not agree with the new attribute type.
-.Pp
-.Fn X509_ATTRIBUTE_set1_data
-sets
-.Fa attr
-to be multi-valued and initializes its set of values
-to contain a single new ASN.1 ANY object representing the
-.Fa data .
-.Pp
-The interpretation of the
-.Fa data
-depends on the values of the
-.Fa type
-and
-.Fa len
-arguments; there are four different cases.
-.Pp
-If the
-.Fa type
-argument has the bit
-.Dv MBSTRING_FLAG
-set,
-.Fa data
-is expected to point to a multibyte character string that is
-.Fa len
-bytes long and uses the encoding specified by the
-.Fa type
-argument, and it is expected that an attribute type was already assigned to
-.Fa attr ,
-for example by calling
-.Fn X509_ATTRIBUTE_set1_object
-before calling
-.Fn X509_ATTRIBUTE_set1_data .
-In this case, an appropriate ASN.1 multibyte string type is chosen and
-a new object of that type is allocated and populated to represent the
-.Fa data
-by calling
-.Xr ASN1_STRING_set_by_NID 3 .
-The type of that new ASN.1 string object is subsequently used instead of the
-.Fa type
-argument.
-.Pp
-If the
-.Fa type
-argument does not have the bit
-.Dv MBSTRING_FLAG
-set and the
-.Fa len argument
-is not \-1, the
-.Fa type
-argument is expected to be one of the types documented in
-.Xr ASN1_STRING_new 3
-and
-.Fa data
-is expected to point to a buffer of
-.Fa len
-bytes.
-In this case, a new object is allocated with
-.Xr ASN1_STRING_type_new 3
-and populated with
-.Xr ASN1_STRING_set 3 .
-.Pp
-If the
-.Fa type
-argument does not have the bit
-.Dv MBSTRING_FLAG
-set and the
-.Fa len argument
-is \-1,
-.Fa data
-is expected to point to an object of the given
-.Fa type
-rather than to a buffer.
-In this case, a deep copy of the existing object
-into the new ASN.1 ANY object is performed with
-.Xr ASN1_TYPE_set1 3 .
-.Pp
-If the
-.Fa type
-argument is 0, the
-.Fa data
-and
-.Fa len
-arguments are ignored and the set of values is left empty
-instead of adding a single ASN.1 ANY object to it.
-This violates section 8.2 of the X.501 standard, which requires
-every attribute to contain at least one value, but some attribute
-types used by the library use empty sets of values anyway.
-.Pp
-.Fn X509_ATTRIBUTE_create_by_OBJ
-sets the type of
-.Pf ** Fa attr
-to
-.Fa obj
-using
-.Fn X509_ATTRIBUTE_set1_object
-and copies the
-.Fa data
-into it using
-.Fn X509_ATTRIBUTE_set1_data .
-If
-.Fa attr
-or
-.Pf * Fa attr
-is
-.Dv NULL ,
-a new
-.Vt X509_ATTRIBUTE
-object is allocated, populated, and returned.
-.Pp
-.Fn X509_ATTRIBUTE_create_by_NID
-is a wrapper around
-.Fn X509_ATTRIBUTE_create_by_OBJ
-that obtains the required
-.Fa obj
-argument by calling
-.Xr OBJ_nid2obj 3
-on the
-.Fa nid
-argument.
-.Pp
-.Fn X509_ATTRIBUTE_create_by_txt
-is a similar wrapper that obtains
-.Fa obj
-by calling
-.Xr OBJ_txt2obj 3
-with the arguments
-.Fa name
-and 0, which means that long names, short names, and numerical OID
-strings are all acceptable.
-.Sh RETURN VALUES
-.Fn X509_ATTRIBUTE_set1_object
-returns 1 if successful or 0 if
-.Fa attr
-or
-.Fa obj
-is
-.Dv NULL
-or if memory allocation fails.
-.Pp
-.Fn X509_ATTRIBUTE_set1_data
-returns 1 if successful or 0 if
-.Fa attr
-is
-.Dv NULL
-or if
-.Xr ASN1_STRING_set_by_NID 3 ,
-.Xr ASN1_STRING_set 3 ,
-.Xr ASN1_TYPE_set1 3 ,
-or memory allocation fails.
-.Pp
-.Fn X509_ATTRIBUTE_create_by_OBJ ,
-.Fn X509_ATTRIBUTE_create_by_NID ,
-and
-.Fn X509_ATTRIBUTE_create_by_txt
-return a pointer to the changed or new object or
-.Dv NULL
-if obtaining
-.Fa obj ,
-allocating memory, or copying fails.
-.Sh SEE ALSO
-.Xr ASN1_OBJECT_new 3 ,
-.Xr ASN1_STRING_new 3 ,
-.Xr ASN1_STRING_set 3 ,
-.Xr ASN1_STRING_set_by_NID 3 ,
-.Xr ASN1_TYPE_new 3 ,
-.Xr OBJ_nid2obj 3 ,
-.Xr X509_ATTRIBUTE_get0_object 3 ,
-.Xr X509_ATTRIBUTE_new 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.5
-and have been available since
-.Ox 2.7 .
-.Sh BUGS
-If
-.Fa attr
-already contains one or more values,
-.Fn X509_ATTRIBUTE_set1_data ,
-.Fn X509_ATTRIBUTE_create_by_OBJ ,
-.Fn X509_ATTRIBUTE_create_by_NID ,
-and
-.Fn X509_ATTRIBUTE_create_by_txt
-silently overwrite the pointers to the old values
-and leak the memory used for them.
diff --git a/src/lib/libcrypto/man/X509_CINF_new.3 b/src/lib/libcrypto/man/X509_CINF_new.3
deleted file mode 100644
index 6c09c58545..0000000000
--- a/src/lib/libcrypto/man/X509_CINF_new.3
+++ /dev/null
@@ -1,117 +0,0 @@
-.\"     $OpenBSD: X509_CINF_new.3,v 1.11 2024/09/02 08:04:32 tb Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 2 2024 $
-.Dt X509_CINF_NEW 3
-.Os
-.Sh NAME
-.Nm X509_CINF_new ,
-.Nm X509_CINF_free ,
-.Nm X509_VAL_new ,
-.Nm X509_VAL_free ,
-.Nm X509_CERT_AUX_new ,
-.Nm X509_CERT_AUX_free
-.Nd X.509 certificate information objects
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_CINF *
-.Fn X509_CINF_new void
-.Ft void
-.Fn X509_CINF_free "X509_CINF *inf"
-.Ft X509_VAL *
-.Fn X509_VAL_new void
-.Ft void
-.Fn X509_VAL_free "X509_VAL *val"
-.Ft X509_CERT_AUX *
-.Fn X509_CERT_AUX_new void
-.Ft void
-.Fn X509_CERT_AUX_free "X509_CERT_AUX *aux"
-.Sh DESCRIPTION
-.Fn X509_CINF_new
-allocates and initializes an empty
-.Vt X509_CINF
-object, representing an ASN.1
-.Vt TBSCertificate
-structure defined in RFC 5280 section 4.1.
-It is used inside the
-.Vt X509
-object and holds the main information contained in the X.509
-certificate including subject, public key, issuer, serial number,
-validity period, and extensions.
-.Fn X509_CINF_free
-frees
-.Fa inf .
-.Pp
-.Fn X509_VAL_new
-allocates and initializes an empty
-.Vt X509_VAL
-object, representing an ASN.1
-.Vt Validity
-structure defined in RFC 5280 section 4.1.
-It is used inside the
-.Vt X509_CINF
-object and holds the validity period of the certificate.
-.Fn X509_VAL_free
-frees
-.Fa val .
-.Pp
-.Fn X509_CERT_AUX_new
-allocates and initializes an empty
-.Vt X509_CERT_AUX
-structure.
-It can be used inside an
-.Vt X509
-object to hold optional non-standard auxiliary data appended to a
-certificate, for example friendly alias names and trust data.
-.Fn X509_CERT_AUX_free
-frees
-.Fa aux .
-.Sh RETURN VALUES
-.Fn X509_CINF_new ,
-.Fn X509_VAL_new ,
-and
-.Fn X509_CERT_AUX_new
-return the new
-.Vt X509_CINF ,
-.Vt X509_VAL ,
-or
-.Vt X509_CERT_AUX
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr d2i_X509_CINF 3 ,
-.Xr X509_add1_trust_object 3 ,
-.Xr X509_CERT_AUX_print 3 ,
-.Xr X509_keyid_set1 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Sh HISTORY
-.Fn X509_CINF_new ,
-.Fn X509_CINF_free ,
-.Fn X509_VAL_new ,
-and
-.Fn X509_VAL_free
-appeared in SSLeay 0.4 or earlier and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_CERT_AUX_new
-and
-.Fn X509_CERT_AUX_free
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3 b/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3
deleted file mode 100644
index f5edee6085..0000000000
--- a/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3
+++ /dev/null
@@ -1,179 +0,0 @@
-.\" $OpenBSD: X509_CRL_get0_by_serial.3,v 1.13 2024/03/06 02:34:14 tb Exp $
-.\" full merge up to: OpenSSL cdd6c8c5 Mar 20 12:29:37 2017 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2015, 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 6 2024 $
-.Dt X509_CRL_GET0_BY_SERIAL 3
-.Os
-.Sh NAME
-.Nm X509_CRL_get0_by_serial ,
-.Nm X509_CRL_get0_by_cert ,
-.Nm X509_CRL_get_REVOKED ,
-.Nm X509_CRL_add0_revoked ,
-.Nm X509_CRL_sort
-.Nd add, sort, and retrieve CRL entries
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_CRL_get0_by_serial
-.Fa "X509_CRL *crl"
-.Fa "X509_REVOKED **ret"
-.Fa "ASN1_INTEGER *serial"
-.Fc
-.Ft int
-.Fo X509_CRL_get0_by_cert
-.Fa "X509_CRL *crl"
-.Fa "X509_REVOKED **ret"
-.Fa "X509 *x"
-.Fc
-.Ft STACK_OF(X509_REVOKED) *
-.Fo X509_CRL_get_REVOKED
-.Fa "X509_CRL *crl"
-.Fc
-.Ft int
-.Fo X509_CRL_add0_revoked
-.Fa "X509_CRL *crl"
-.Fa "X509_REVOKED *rev"
-.Fc
-.Ft int
-.Fo X509_CRL_sort
-.Fa "X509_CRL *crl"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_CRL_get0_by_serial
-attempts to find a revoked entry in
-.Fa crl
-for serial number
-.Fa serial .
-If it is successful, it sets
-.Pf * Fa ret
-to the internal pointer of the matching entry.
-Consequently,
-.Pf * Fa ret
-must not be freed up after the call.
-.Pp
-.Fn X509_CRL_get0_by_cert
-is similar to
-.Fn X509_CRL_get0_by_serial
-except that it looks for a revoked entry using the serial number
-of certificate
-.Fa x .
-.Pp
-.Fn X509_CRL_get_REVOKED
-returns an internal pointer to a stack of all revoked entries for
-.Fa crl .
-.Pp
-.Fn X509_CRL_add0_revoked
-appends revoked entry
-.Fa rev
-to CRL
-.Fa crl .
-The pointer
-.Fa rev
-is used internally so it must not be freed up after the call: it is
-freed when the parent CRL is freed.
-.Pp
-.Fn X509_CRL_sort
-sorts the revoked entries of
-.Fa crl
-into ascending serial number order.
-.Pp
-Applications can determine the number of revoked entries returned by
-.Fn X509_CRL_get_revoked
-using
-.Fn sk_X509_REVOKED_num
-and examine each one in turn using
-.Fn sk_X509_REVOKED_value ,
-both defined in
-.In openssl/safestack.h .
-.Sh RETURN VALUES
-.Fn X509_CRL_get0_by_serial
-and
-.Fn X509_CRL_get0_by_cert
-return 0 for failure or 1 for success, except if the revoked entry
-has the reason
-.Qq removeFromCRL ,
-in which case 2 is returned.
-.Pp
-The
-.Fn X509_CRL_add0_revoked
-function returns 1 if successful;
-otherwise 0 is returned and an error code can be retrieved with
-.Xr ERR_get_error 3 .
-.Pp
-.Fn X509_CRL_sort
-returns 1 for success or 0 for failure.
-The current implementation cannot fail.
-.Pp
-.Fn X509_CRL_get_REVOKED
-returns a STACK of revoked entries.
-.Sh SEE ALSO
-.Xr d2i_X509_CRL 3 ,
-.Xr X509_CRL_get_ext 3 ,
-.Xr X509_CRL_get_issuer 3 ,
-.Xr X509_CRL_get_version 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_REVOKED_new 3 ,
-.Xr X509V3_get_d2i 3
-.Sh HISTORY
-.Fn X509_CRL_get_REVOKED
-first appeared in OpenSSL 0.9.2b and has been available since
-.Ox 2.6 .
-.Pp
-.Fn X509_CRL_add0_revoked
-and
-.Fn X509_CRL_sort
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn X509_CRL_get0_by_serial
-and
-.Fn X509_CRL_get0_by_cert
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/X509_CRL_new.3 b/src/lib/libcrypto/man/X509_CRL_new.3
deleted file mode 100644
index f9355fcfd3..0000000000
--- a/src/lib/libcrypto/man/X509_CRL_new.3
+++ /dev/null
@@ -1,143 +0,0 @@
-.\" $OpenBSD: X509_CRL_new.3,v 1.14 2024/03/06 02:34:14 tb Exp $
-.\"
-.\" Copyright (c) 2016, 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 6 2024 $
-.Dt X509_CRL_NEW 3
-.Os
-.Sh NAME
-.Nm X509_CRL_new ,
-.Nm X509_CRL_dup ,
-.Nm X509_CRL_up_ref ,
-.Nm X509_CRL_free ,
-.Nm X509_CRL_INFO_new ,
-.Nm X509_CRL_INFO_free
-.Nd X.509 certificate revocation lists
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_CRL *
-.Fn X509_CRL_new void
-.Ft X509_CRL *
-.Fn X509_CRL_dup "X509_CRL *crl"
-.Ft int
-.Fn X509_CRL_up_ref "X509_CRL *crl"
-.Ft void
-.Fn X509_CRL_free "X509_CRL *crl"
-.Ft X509_CRL_INFO *
-.Fn X509_CRL_INFO_new void
-.Ft void
-.Fn X509_CRL_INFO_free "X509_CRL_INFO *crl_info"
-.Sh DESCRIPTION
-.Fn X509_CRL_new
-allocates and initializes an empty
-.Vt X509_CRL
-object, representing an ASN.1
-.Vt CertificateList
-structure defined in RFC 5280 section 5.1.
-It can hold a pointer to an
-.Vt X509_CRL_INFO
-object discussed below together with a cryptographic signature
-and information about the signature algorithm used.
-The reference count is set to 1.
-.Pp
-.Fn X509_CRL_dup
-creates a deep copy of
-.Fa crl .
-.Pp
-.Fn X509_CRL_up_ref
-increments the reference count of
-.Fa crl
-by 1.
-.Pp
-.Fn X509_CRL_free
-decrements the reference count of
-.Fa crl
-by 1.
-If the reference count reaches 0, it frees
-.Fa crl .
-.Pp
-.Fn X509_CRL_INFO_new
-allocates and initializes an empty
-.Vt X509_CRL_INFO
-object, representing an ASN.1
-.Vt TBSCertList
-structure defined in RFC 5280 section 5.1.
-It is used inside the
-.Vt X509_CRL
-object and can hold a list of revoked certificates, an issuer name,
-the time the list was issued, the time when the next update of the
-list is due, and optional extensions.
-.Fn X509_CRL_INFO_free
-frees
-.Fa crl_info .
-.Sh RETURN VALUES
-.Fn X509_CRL_new ,
-.Fn X509_CRL_dup ,
-and
-.Fn X509_CRL_INFO_new
-return the new
-.Vt X509_CRL
-or
-.Vt X509_CRL_INFO
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn X509_CRL_up_ref
-returns 1 on success or 0 on error.
-.Sh SEE ALSO
-.Xr ACCESS_DESCRIPTION_new 3 ,
-.Xr AUTHORITY_KEYID_new 3 ,
-.Xr d2i_X509_CRL 3 ,
-.Xr DIST_POINT_new 3 ,
-.Xr PEM_read_X509_CRL 3 ,
-.Xr X509_CRL_digest 3 ,
-.Xr X509_CRL_get0_by_serial 3 ,
-.Xr X509_CRL_get0_lastUpdate 3 ,
-.Xr X509_CRL_get0_signature 3 ,
-.Xr X509_CRL_get_ext 3 ,
-.Xr X509_CRL_get_ext_d2i 3 ,
-.Xr X509_CRL_get_issuer 3 ,
-.Xr X509_CRL_get_version 3 ,
-.Xr X509_CRL_match 3 ,
-.Xr X509_CRL_print 3 ,
-.Xr X509_CRL_sign 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_INFO_new 3 ,
-.Xr X509_load_crl_file 3 ,
-.Xr X509_new 3 ,
-.Xr X509_OBJECT_get0_X509_CRL 3 ,
-.Xr X509_REVOKED_new 3 ,
-.Xr X509_STORE_CTX_set0_crls 3 ,
-.Xr X509_STORE_get1_crls 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile, section 5: CRL and CRL
-Extensions Profile
-.Sh HISTORY
-.Fn X509_CRL_new ,
-.Fn X509_CRL_free ,
-.Fn X509_CRL_INFO_new ,
-and
-.Fn X509_CRL_INFO_free
-first appeared in SSLeay 0.4.4.
-.Fn X509_CRL_dup
-first appeared in SSLeay 0.5.1.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_CRL_up_ref
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/X509_CRL_print.3 b/src/lib/libcrypto/man/X509_CRL_print.3
deleted file mode 100644
index 2f4832f0e7..0000000000
--- a/src/lib/libcrypto/man/X509_CRL_print.3
+++ /dev/null
@@ -1,113 +0,0 @@
-.\" $OpenBSD: X509_CRL_print.3,v 1.1 2021/07/19 13:16:43 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 19 2021 $
-.Dt X509_CRL_PRINT 3
-.Os
-.Sh NAME
-.Nm X509_CRL_print ,
-.Nm X509_CRL_print_fp
-.Nd pretty-print a certificate revocation list
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_CRL_print
-.Fa "BIO *bio"
-.Fa "X509_CRL *crl"
-.Fc
-.Ft int
-.Fo X509_CRL_print_fp
-.Fa "FILE *fp"
-.Fa "X509_CRL *crl"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_CRL_print
-prints information contained in
-.Fa crl
-to
-.Fa bio
-in human-readable form, in the following order:
-.Bl -bullet
-.It
-The certificate revocation list version number as defined by
-the standard, followed in parentheses by the value contained
-in the version field in hexadecimal notation.
-See
-.Xr X509_CRL_get_version 3
-for details.
-.It
-The name of the signature algorithm is printed with
-.Xr X509_signature_print 3 .
-.It
-The issuer name as returned by
-.Xr X509_CRL_get_issuer 3 .
-.It
-The times of the last and next updates as returned by
-.Xr X509_CRL_get0_lastUpdate 3
-and
-.Xr X509_CRL_get0_nextUpdate 3
-are printed with
-.Xr ASN1_TIME_print 3 .
-.It
-All X.509 extensions directly contained
-in the certificate revocation list object
-.Fa crl
-are printed with
-.Xr X509V3_extensions_print 3 .
-.It
-Information about revoked certificates is retrieved with
-.Xr X509_CRL_get_REVOKED 3 ,
-and for each revoked certificate, the following is printed:
-.Bl -bullet
-.It
-The serial number of the certificate is printed with
-.Xr i2a_ASN1_INTEGER 3 .
-.It
-The revocation date is printed with
-.Xr ASN1_TIME_print 3 .
-.It
-All X.509 extensions contained in the revocation entry are printed with
-.Xr X509V3_extensions_print 3 .
-.El
-.It
-The signature of
-.Fa crl
-is printed with
-.Xr X509_signature_print 3 .
-.El
-.Pp
-.Fn X509_CRL_print_fp
-is similar to
-.Fn X509_CRL_print
-except that it prints to
-.Fa fp .
-.Sh RETURN VALUES
-These functions are intended to return 1 for success and 0 for error.
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_print_ex 3 ,
-.Xr X509_REVOKED_new 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.2 and have been available since
-.Ox 2.6 .
-.Sh BUGS
-Most I/O errors are silently ignored.
-Even if the information printed is incomplete, these functions may
-return 1 anyway.
-.Pp
-If the version number is invalid, no information from the CRL is printed
-and the functions fail.
diff --git a/src/lib/libcrypto/man/X509_EXTENSION_set_object.3 b/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
deleted file mode 100644
index 45cf0dbaa5..0000000000
--- a/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
+++ /dev/null
@@ -1,348 +0,0 @@
-.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.19 2024/12/28 11:04:09 schwarze Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016, 2021, 2024 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 28 2024 $
-.Dt X509_EXTENSION_SET_OBJECT 3
-.Os
-.Sh NAME
-.Nm X509_EXTENSION_new ,
-.Nm X509_EXTENSION_dup ,
-.Nm X509_EXTENSION_free ,
-.Nm X509_EXTENSION_create_by_NID ,
-.Nm X509_EXTENSION_create_by_OBJ ,
-.Nm X509_EXTENSION_set_object ,
-.Nm X509_EXTENSION_set_critical ,
-.Nm X509_EXTENSION_set_data ,
-.Nm X509_EXTENSION_get_object ,
-.Nm X509_EXTENSION_get_critical ,
-.Nm X509_EXTENSION_get_data ,
-.Nm X509_supported_extension
-.\" In the next line, the capital "E" is not a typo.
-.\" The ASN.1 structure is called "Extension", not "extension".
-.Nd create, change, and inspect X.509 Extension objects
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_EXTENSION *
-.Fn X509_EXTENSION_new void
-.Ft X509_EXTENSION *
-.Fn X509_EXTENSION_dup "X509_EXTENSION *ex"
-.Ft void
-.Fn X509_EXTENSION_free "X509_EXTENSION *ex"
-.Ft X509_EXTENSION *
-.Fo X509_EXTENSION_create_by_NID
-.Fa "X509_EXTENSION **ex"
-.Fa "int nid"
-.Fa "int crit"
-.Fa "ASN1_OCTET_STRING *data"
-.Fc
-.Ft X509_EXTENSION *
-.Fo X509_EXTENSION_create_by_OBJ
-.Fa "X509_EXTENSION **ex"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "int crit"
-.Fa "ASN1_OCTET_STRING *data"
-.Fc
-.Ft int
-.Fo X509_EXTENSION_set_object
-.Fa "X509_EXTENSION *ex"
-.Fa "const ASN1_OBJECT *obj"
-.Fc
-.Ft int
-.Fo X509_EXTENSION_set_critical
-.Fa "X509_EXTENSION *ex"
-.Fa "int crit"
-.Fc
-.Ft int
-.Fo X509_EXTENSION_set_data
-.Fa "X509_EXTENSION *ex"
-.Fa "ASN1_OCTET_STRING *data"
-.Fc
-.Ft ASN1_OBJECT *
-.Fo X509_EXTENSION_get_object
-.Fa "X509_EXTENSION *ex"
-.Fc
-.Ft int
-.Fo X509_EXTENSION_get_critical
-.Fa "const X509_EXTENSION *ex"
-.Fc
-.Ft ASN1_OCTET_STRING *
-.Fo X509_EXTENSION_get_data
-.Fa "X509_EXTENSION *ex"
-.Fc
-.Ft int
-.Fo X509_supported_extension
-.Fa "X509_EXTENSION *ex"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_EXTENSION_new
-allocates and initializes an empty
-.Vt X509_EXTENSION
-object, representing an ASN.1
-.Vt Extension
-structure defined in RFC 5280 section 4.1.
-It is a wrapper object around specific extension objects of different
-types and stores an extension type identifier and a criticality
-flag in addition to the DER-encoded form of the wrapped object.
-.Vt X509_EXTENSION
-objects can be used for X.509 v3 certificates inside
-.Vt X509_CINF
-objects and for X.509 v2 certificate revocation lists inside
-.Vt X509_CRL_INFO
-and
-.Vt X509_REVOKED
-objects.
-.Pp
-.Fn X509_EXTENSION_dup
-creates a deep copy of
-.Fa ex
-using
-.Xr ASN1_item_dup 3 .
-.Pp
-.Fn X509_EXTENSION_free
-frees
-.Fa ex
-and all objects it is using.
-.Pp
-.Fn X509_EXTENSION_create_by_NID
-creates an extension of type
-.Fa nid
-and criticality
-.Fa crit
-using data
-.Fa data .
-The created extension is returned and written to
-.Pf * Fa ex
-reusing or allocating a new extension if necessary, so
-.Pf * Fa ex
-should either be
-.Dv NULL
-or a valid
-.Vt X509_EXTENSION
-structure.
-It must not be an uninitialised pointer.
-.Pp
-.Fn X509_EXTENSION_create_by_OBJ
-is identical to
-.Fn X509_EXTENSION_create_by_NID
-except that it creates an extension using
-.Fa obj
-instead of a NID.
-.Pp
-.Fn X509_EXTENSION_set_object
-sets the extension type of
-.Fa ex
-to
-.Fa obj .
-The
-.Fa obj
-pointer is duplicated internally so
-.Fa obj
-should be freed up after use.
-.Pp
-.Fn X509_EXTENSION_set_critical
-sets the criticality of
-.Fa ex
-to
-.Fa crit .
-If
-.Fa crit
-is zero, the extension in non-critical, otherwise it is critical.
-.Pp
-.Fn X509_EXTENSION_set_data
-sets the data in extension
-.Fa ex
-to
-.Fa data .
-The
-.Fa data
-pointer is duplicated internally.
-.Pp
-.Fn X509_EXTENSION_get_object
-returns the extension type of
-.Fa ex
-as an
-.Vt ASN1_OBJECT
-pointer.
-The returned pointer is an internal value which must not be freed up.
-.Pp
-.Fn X509_EXTENSION_get_critical
-tests whether
-.Fa ex
-is critical.
-.Pp
-.Fn X509_EXTENSION_get_data
-returns the data of extension
-.Fa ex .
-The returned pointer is an internal value which must not be freed up.
-.Pp
-.Fn X509_supported_extension
-checks whether
-.Fa ex
-is of a type supported by the verifier.
-The list of supported extension types is hardcoded into the library.
-If an extension is critical but unsupported,
-the certificate will normally be rejected.
-.Pp
-These functions manipulate the contents of an extension directly.
-Most applications will want to parse or encode and add an extension:
-they should use the extension encode and decode functions instead
-such as
-.Xr X509_add1_ext_i2d 3
-and
-.Xr X509_get_ext_d2i 3 .
-.Pp
-The
-.Fa data
-associated with an extension is the extension encoding in an
-.Vt ASN1_OCTET_STRING
-structure.
-.Sh RETURN VALUES
-.Fn X509_EXTENSION_new ,
-.Fn X509_EXTENSION_dup ,
-.Fn X509_EXTENSION_create_by_NID ,
-and
-.Fn X509_EXTENSION_create_by_OBJ
-return an
-.Vt X509_EXTENSION
-pointer or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn X509_EXTENSION_set_object ,
-.Fn X509_EXTENSION_set_critical ,
-and
-.Fn X509_EXTENSION_set_data
-return 1 for success or 0 for failure.
-.Pp
-.Fn X509_EXTENSION_get_object
-returns an
-.Vt ASN1_OBJECT
-pointer.
-.Pp
-.Fn X509_EXTENSION_get_critical
-returns 0 for non-critical or 1 for critical.
-.Pp
-.Fn X509_EXTENSION_get_data
-returns an
-.Vt ASN1_OCTET_STRING
-pointer.
-.Pp
-.Fn X509_supported_extension
-returns 1 if the type of
-.Fa ex
-is supported by the verifier or 0 otherwise.
-.Sh SEE ALSO
-.Xr ACCESS_DESCRIPTION_new 3 ,
-.Xr AUTHORITY_KEYID_new 3 ,
-.Xr BASIC_CONSTRAINTS_new 3 ,
-.Xr d2i_X509_EXTENSION 3 ,
-.Xr DIST_POINT_new 3 ,
-.Xr ESS_SIGNING_CERT_new 3 ,
-.Xr EXTENDED_KEY_USAGE_new 3 ,
-.Xr GENERAL_NAME_new 3 ,
-.Xr NAME_CONSTRAINTS_new 3 ,
-.Xr OCSP_CRLID_new 3 ,
-.Xr OCSP_SERVICELOC_new 3 ,
-.Xr PKEY_USAGE_PERIOD_new 3 ,
-.Xr POLICYINFO_new 3 ,
-.Xr TS_REQ_new 3 ,
-.Xr X509_check_ca 3 ,
-.Xr X509_check_host 3 ,
-.Xr X509_check_issued 3 ,
-.Xr X509_get_extension_flags 3 ,
-.Xr X509_REQ_add_extensions 3 ,
-.Xr X509V3_EXT_get_nid 3 ,
-.Xr X509V3_EXT_print 3 ,
-.Xr X509V3_extensions_print 3 ,
-.Xr X509V3_get_d2i 3 ,
-.Xr X509v3_get_ext_by_NID 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Sh HISTORY
-.Fn X509_EXTENSION_new
-and
-.Fn X509_EXTENSION_free
-first appeared in SSLeay 0.6.2,
-.Fn X509_EXTENSION_dup
-in SSLeay 0.6.5, and
-.Fn X509_EXTENSION_create_by_NID ,
-.Fn X509_EXTENSION_create_by_OBJ ,
-.Fn X509_EXTENSION_set_object ,
-.Fn X509_EXTENSION_set_critical ,
-.Fn X509_EXTENSION_set_data ,
-.Fn X509_EXTENSION_get_object ,
-.Fn X509_EXTENSION_get_critical ,
-and
-.Fn X509_EXTENSION_get_data
-in SSLeay 0.8.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_supported_extension
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/X509_INFO_new.3 b/src/lib/libcrypto/man/X509_INFO_new.3
deleted file mode 100644
index 1e9bb832f3..0000000000
--- a/src/lib/libcrypto/man/X509_INFO_new.3
+++ /dev/null
@@ -1,72 +0,0 @@
-.\" $OpenBSD: X509_INFO_new.3,v 1.3 2021/10/19 10:39:33 schwarze Exp $
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 19 2021 $
-.Dt X509_INFO_NEW 3
-.Os
-.Sh NAME
-.Nm X509_INFO_new ,
-.Nm X509_INFO_free
-.Nd X.509 certificate wrapper object
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_INFO *
-.Fn X509_INFO_new void
-.Ft void
-.Fn X509_INFO_free "X509_INFO *info"
-.Sh DESCRIPTION
-.Vt X509_INFO
-is a reference-counted wrapper object storing a pointer to an X.509
-certificate together with pointers to the associated private key
-and to an associated certificate revocation list.
-It is for example used internally by
-.Xr X509_load_cert_crl_file 3 .
-.Pp
-.Fn X509_INFO_new
-allocates and initializes an empty
-.Vt X509_INFO
-object and sets its reference count to 1.
-.Pp
-.Fn X509_INFO_free
-decrements the reference count of
-.Fa info
-by 1.
-If the reference count reaches 0, it frees all referenced objects
-as well as the storage needed for
-.Fa info
-itself.
-If
-.Fa info
-is a
-.Dv NULL
-pointer, no action occurs.
-.Sh RETURN VALUES
-.Fn X509_INFO_new
-returns the newly allocated
-.Vt X509_INFO
-object or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr PEM_X509_INFO_read 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_PKEY_new 3
-.Sh HISTORY
-.Fn X509_INFO_new
-and
-.Fn X509_INFO_free
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 b/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3
deleted file mode 100644
index 5980f8f80d..0000000000
--- a/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3
+++ /dev/null
@@ -1,188 +0,0 @@
-.\" $OpenBSD: X509_LOOKUP_hash_dir.3,v 1.13 2024/09/02 07:20:21 tb Exp $
-.\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Victor B. Wagner <vitus@cryptocom.ru>
-.\" and Claus Assmann.
-.\" Copyright (c) 2015, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 2 2024 $
-.Dt X509_LOOKUP_HASH_DIR 3
-.Os
-.Sh NAME
-.Nm X509_LOOKUP_hash_dir ,
-.Nm X509_LOOKUP_file ,
-.Nm X509_LOOKUP_mem
-.Nd certificate lookup methods
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft const X509_LOOKUP_METHOD *
-.Fn X509_LOOKUP_hash_dir void
-.Ft const X509_LOOKUP_METHOD *
-.Fn X509_LOOKUP_file void
-.Ft const X509_LOOKUP_METHOD *
-.Fn X509_LOOKUP_mem void
-.Sh DESCRIPTION
-.Fn X509_LOOKUP_hash_dir ,
-.Fn X509_LOOKUP_file ,
-and
-.Fn X509_LOOKUP_mem
-return pointers to static certificate lookup method objects
-built into the library, for use with
-.Vt X509_STORE .
-.Pp
-Users of the library typically do not need
-to retrieve pointers to these method objects manually.
-They are automatically used by the
-.Xr X509_STORE_load_locations 3
-or
-.Xr SSL_CTX_load_verify_locations 3
-functions.
-.Ss File Method
-The
-.Fn X509_LOOKUP_file
-method loads all the certificates or CRLs present in a file into memory
-at the time the file is added as a lookup source.
-.Pp
-The file format is ASCII text which contains concatenated PEM
-certificates and CRLs.
-.Pp
-This method should be used by applications which work with a small set
-of CAs.
-.Ss Hashed Directory Method
-.Fa X509_LOOKUP_hash_dir
-is a more advanced method which loads certificates and CRLs on demand,
-and caches them in memory once they are loaded.
-As of OpenSSL 1.0.0, it also checks for newer CRLs upon each lookup, so
-that newer CRLs are used as soon as they appear in the directory.
-.Pp
-The directory should contain one certificate or CRL per file in PEM
-format, with a filename of the form
-.Ar hash . Ns Ar N
-for a certificate, or
-.Ar hash . Ns Sy r Ns Ar N
-for a CRL.
-The
-.Ar hash
-is the value returned by the
-.Xr X509_NAME_hash 3
-function applied to the subject name for certificates or issuer
-name for CRLs.
-The hash can also be obtained via the
-.Fl hash
-option of the
-.Xr openssl 1
-.Cm x509
-or
-.Cm crl
-commands.
-.Pp
-The
-.Ar N
-suffix is a sequence number that starts at zero and is incremented
-consecutively for each certificate or CRL with the same
-.Ar hash
-value.
-Gaps in the sequence numbers are not supported.
-It is assumed that there are no more objects with the same hash
-beyond the first missing number in the sequence.
-.Pp
-Sequence numbers make it possible for the directory to contain multiple
-certificates with the same subject name hash value.
-For example, it is possible to have in the store several certificates
-with the same subject or several CRLs with the same issuer (and, for
-example, a different validity period).
-.Pp
-When checking for new CRLs, once one CRL for a given hash value is
-loaded, hash_dir lookup method checks only for certificates with
-sequence number greater than that of the already cached CRL.
-.Pp
-Note that the hash algorithm used for subject name hashing changed in
-OpenSSL 1.0.0, and all certificate stores have to be rehashed when
-moving from OpenSSL 0.9.8 to 1.0.0.
-.Ss Memory Method
-The
-.Fn X509_LOOKUP_mem
-method supports loading PEM-encoded certificates and revocation lists
-that are already stored in memory, using the function
-.Xr X509_LOOKUP_add_mem 3 .
-This is particularly useful in processes using
-.Xr chroot 2 .
-.Sh RETURN VALUES
-These functions always return a pointer to a static object.
-.Sh SEE ALSO
-.Xr SSL_CTX_load_verify_locations 3 ,
-.Xr X509_LOOKUP_new 3 ,
-.Xr X509_STORE_load_locations 3 ,
-.Xr X509_STORE_new 3
-.Sh HISTORY
-.Fn X509_LOOKUP_hash_dir
-and
-.Fn X509_LOOKUP_file
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_LOOKUP_mem
-first appeared in
-.Ox 5.7 .
diff --git a/src/lib/libcrypto/man/X509_LOOKUP_new.3 b/src/lib/libcrypto/man/X509_LOOKUP_new.3
deleted file mode 100644
index 559dbbb594..0000000000
--- a/src/lib/libcrypto/man/X509_LOOKUP_new.3
+++ /dev/null
@@ -1,460 +0,0 @@
-.\" $OpenBSD: X509_LOOKUP_new.3,v 1.12 2024/09/06 07:48:20 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 6 2024 $
-.Dt X509_LOOKUP_NEW 3
-.Os
-.Sh NAME
-.Nm X509_LOOKUP_free ,
-.Nm X509_LOOKUP_ctrl ,
-.Nm X509_LOOKUP_add_dir ,
-.Nm X509_LOOKUP_load_file ,
-.Nm X509_LOOKUP_add_mem ,
-.Nm X509_get_default_cert_dir ,
-.Nm X509_get_default_cert_file ,
-.Nm X509_get_default_cert_dir_env ,
-.Nm X509_get_default_cert_file_env
-.\" X509_get_default_private_dir is intentionally undocumented
-.\" because it appears to be unused by any real-world software
-.\" and because it doesn't do much in the first place.
-.Nd certificate lookup object
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft void
-.Fn X509_LOOKUP_free "X509_LOOKUP *lookup"
-.Ft int
-.Fo X509_LOOKUP_ctrl
-.Fa "X509_LOOKUP *lookup"
-.Fa "int command"
-.Fa "const char *source"
-.Fa "long type"
-.Fa "char **ret"
-.Fc
-.Ft int
-.Fo X509_LOOKUP_add_dir
-.Fa "X509_LOOKUP *lookup"
-.Fa "const char *source"
-.Fa "long type"
-.Fc
-.Ft int
-.Fo X509_LOOKUP_load_file
-.Fa "X509_LOOKUP *lookup"
-.Fa "const char *source"
-.Fa "long type"
-.Fc
-.Ft int
-.Fo X509_LOOKUP_add_mem
-.Fa "X509_LOOKUP *lookup"
-.Fa "const struct iovec *source"
-.Fa "long type"
-.Fc
-.In openssl/x509.h
-.Ft const char *
-.Fn X509_get_default_cert_dir void
-.Ft const char *
-.Fn X509_get_default_cert_file void
-.Ft const char *
-.Fn X509_get_default_cert_dir_env void
-.Ft const char *
-.Fn X509_get_default_cert_file_env void
-.Sh DESCRIPTION
-.Fn X509_LOOKUP_free
-is a deprecated function that
-releases the memory used by
-.Fa lookup .
-It is provided for compatibility only.
-If
-.Fa lookup
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-The operation of
-.Fn X509_LOOKUP_ctrl
-depends on the
-.Vt X509_LOOKUP_METHOD
-used by
-.Fa lookup :
-.Bl -tag -width 4n
-.It Xr X509_LOOKUP_hash_dir 3
-The
-.Fa command
-is required to be
-.Dv X509_L_ADD_DIR
-and the
-.Fa source
-argument is interpreted
-as a colon-separated, NUL-terminated list of directory names.
-These directories are added to an internal list of directories to search
-for certificate files of the given
-.Fa type .
-.Pp
-If
-.Fa type
-is
-.Dv X509_FILETYPE_DEFAULT ,
-the
-.Fa source
-argument is ignored and
-.Pa /etc/ssl/certs
-and a type of
-.Dv X509_FILETYPE_PEM
-are used instead.
-.Pp
-.Fn X509_LOOKUP_add_dir
-is a macro that calls
-.Fn X509_LOOKUP_ctrl
-with a
-.Fa command
-of
-.Dv X509_L_ADD_DIR
-and
-.Fa ret
-set to
-.Dv NULL .
-.Pp
-This lookup method is peculiar in so far as calling
-.Fn X509_LOOKUP_ctrl
-on a lookup object using it does not yet add any certificates to the associated
-.Vt X509_STORE
-object.
-.It Xr X509_LOOKUP_file 3
-The
-.Fa command
-is required to be
-.Dv X509_L_FILE_LOAD
-and the
-.Fa source
-argument is interpreted as a NUL-terminated file name.
-If the
-.Fa type
-is
-.Dv X509_FILETYPE_PEM ,
-the file is read with
-.Xr BIO_new_file 3
-and
-.Xr PEM_X509_INFO_read_bio 3
-and the certificates and revocation lists found are added to the
-.Vt X509_STORE
-object associated with
-.Fa lookup
-using
-.Xr X509_STORE_add_cert 3
-and
-.Xr X509_STORE_add_crl 3 .
-If
-.Fa type
-is
-.Dv X509_FILETYPE_DEFAULT ,
-the
-.Fa source
-argument is ignored and
-.Pa /etc/ssl/certs.pem
-and a type of
-.Dv X509_FILETYPE_PEM
-are used instead.
-If
-.Fa type
-is
-.Dv X509_FILETYPE_ASN1 ,
-the file is read with
-.Xr d2i_X509_bio 3
-and the single certificate is added to the
-.Vt X509_STORE
-object associated with
-.Fa lookup
-using
-.Xr X509_STORE_add_cert 3 .
-.Pp
-.Fn X509_LOOKUP_load_file
-is a macro calling
-.Fn X509_LOOKUP_ctrl
-with a
-.Fa command
-of
-.Dv X509_L_FILE_LOAD
-and
-.Fa ret
-set to
-.Dv NULL .
-.It Xr X509_LOOKUP_mem 3
-The
-.Fa command
-and
-.Fa type
-are required to be
-.Dv X509_L_MEM
-and
-.Dv X509_FILETYPE_PEM ,
-respectively.
-The
-.Fa source
-argument is interpreted as a pointer to an
-.Vt iovec
-structure defined in
-.In sys/uio.h .
-The memory area described by that structure is read with
-.Xr BIO_new_mem_buf 3
-and
-.Xr PEM_X509_INFO_read_bio 3
-and the certificates and revocation lists found are added to the
-.Vt X509_STORE
-object associated with
-.Fa lookup
-using
-.Xr X509_STORE_add_cert 3
-and
-.Xr X509_STORE_add_crl 3 .
-.Pp
-.Fn X509_LOOKUP_add_mem
-is a macro calling
-.Fn X509_LOOKUP_ctrl
-with a command of
-.Dv X509_L_MEM
-and
-.Fa ret
-set to
-.Dv NULL .
-.El
-.Pp
-With LibreSSL,
-.Fn X509_LOOKUP_ctrl
-always ignores the
-.Fa ret
-argument.
-.Pp
-If the
-.Fa type
-is
-.Dv X509_LU_X509 ,
-it searches the configured directories for files having that name,
-with a file name extension that is a small, non-negative decimal integer
-starting at
-.Qq ".0" .
-These files are read with
-.Xr X509_load_cert_file 3 .
-In each directory, the search is ended once a file with the expected name
-and extension does not exists.
-.Pp
-If the
-.Fa type
-is
-.Dv X509_LU_CRL ,
-the file name extensions are expected to have a prefix of
-.Qq "r" ,
-i.e. they start with
-.Qq ".r0" ,
-and the files are read with
-.Xr X509_load_crl_file 3 .
-.Pp
-In case of success, the first match is returned in the
-.Pf * Fa object
-provided by the caller, overwriting any previous content.
-.Sh RETURN VALUES
-.Fn X509_LOOKUP_ctrl
-returns 1 for success or 0 for failure.
-With library implementations other than LibreSSL,
-it might also return \-1 for internal errors.
-.Pp
-.Fn X509_get_default_cert_dir
-returns a pointer to the constant string
-.Qq /etc/ssl/certs ,
-.Fn X509_get_default_cert_file
-to
-.Qq /etc/ssl/certs.pem ,
-.Fn X509_get_default_cert_dir_env
-to
-.Qq SSL_CERT_DIR ,
-and
-.Fn X509_get_default_cert_file_env
-to
-.Qq SSL_CERT_FILE .
-.Sh ENVIRONMENT
-For reasons of security and simplicity,
-LibreSSL ignores the environment variables
-.Ev SSL_CERT_DIR
-and
-.Ev SSL_CERT_FILE ,
-but other library implementations may use their contents instead
-of the standard locations for trusted certificates, and a few
-third-party application programs also inspect these variables
-directly and may pass their values to
-.Fn X509_LOOKUP_add_dir
-and
-.Fn X509_LOOKUP_load_file .
-.Sh FILES
-.Bl -tag -width /etc/ssl/certs.pem -compact
-.It Pa /etc/ssl/certs/
-default directory for storing trusted certificates
-.It Pa /etc/ssl/certs.pem
-default file for storing trusted certificates
-.El
-.Sh ERRORS
-The following diagnostics can be retrieved with
-.Xr ERR_get_error 3 ,
-.Xr ERR_GET_REASON 3 ,
-and
-.Xr ERR_reason_error_string 3 :
-.Bl -tag -width Ds
-.It Dv ERR_R_ASN1_LIB Qq "ASN1 lib"
-.Xr d2i_X509_bio 3
-failed in
-.Fn X509_LOOKUP_ctrl .
-.It Dv X509_R_BAD_X509_FILETYPE Qq "bad x509 filetype"
-.Fn X509_LOOKUP_ctrl
-was called with an invalid
-.Fa type .
-.It Dv ERR_R_BUF_LIB Qq "BUF lib"
-Memory allocation failed.
-.It Dv X509_R_INVALID_DIRECTORY Qq "invalid directory"
-The
-.Fa source
-argument of
-.Fn X509_LOOKUP_ctrl
-with
-.Dv X509_L_ADD_DIR
-or
-.Fn X509_LOOKUP_add_dir
-was
-.Dv NULL
-or an empty string.
-.It Dv X509_R_LOADING_CERT_DIR Qq "loading cert dir"
-.Fn X509_LOOKUP_ctrl
-with
-.Dv X509_L_ADD_DIR
-or
-.Fn X509_LOOKUP_add_dir
-was called with
-.Dv X509_FILETYPE_DEFAULT
-and adding the default directories failed.
-This error is added after and in addition to a more specific diagnostic.
-.It Dv X509_R_LOADING_DEFAULTS Qq "loading defaults"
-.Fn X509_LOOKUP_ctrl
-with
-.Dv X509_L_FILE_LOAD
-or
-.Fn X509_LOOKUP_load_file
-was called with
-.Dv X509_FILETYPE_DEFAULT
-and adding the certificates and revocation lists failed.
-This error is added after and in addition to a more specific diagnostic.
-.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
-Memory allocation failed.
-.It Dv ERR_R_PEM_LIB Qq "PEM lib"
-.Xr PEM_X509_INFO_read_bio 3 ,
-.Xr PEM_read_bio_X509_AUX 3 ,
-or
-.Xr PEM_read_bio_X509_CRL 3
-failed in
-.Fn X509_LOOKUP_ctrl .
-.It Dv ERR_R_SYS_LIB Qq "system lib"
-.Xr BIO_new 3 ,
-.Xr BIO_new_file 3 ,
-or
-.Xr BIO_read_filename 3
-failed in
-.Fn X509_LOOKUP_ctrl .
-.It Dv X509_R_WRONG_LOOKUP_TYPE Qq "wrong lookup type"
-.Xr X509_STORE_CTX_get_by_subject 3
-was called with an invalid
-.Fa type .
-.El
-.Pp
-Passing an invalid
-.Fa command
-to
-.Fn X509_LOOKUP_ctrl
-causes failure but provides no diagnostics.
-.Sh SEE ALSO
-.Xr d2i_X509_bio 3 ,
-.Xr PEM_read_bio_X509_AUX 3 ,
-.Xr PEM_X509_INFO_read_bio 3 ,
-.Xr X509_load_cert_file 3 ,
-.Xr X509_LOOKUP_hash_dir 3 ,
-.Xr X509_NAME_hash 3 ,
-.Xr X509_NAME_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_OBJECT_get_type 3 ,
-.Xr X509_STORE_add_cert 3 ,
-.Xr X509_STORE_get_by_subject 3
-.Sh HISTORY
-.Fn X509_get_default_cert_dir ,
-.Fn X509_get_default_cert_file ,
-.Fn X509_get_default_cert_dir_env ,
-and
-.Fn X509_get_default_cert_file_env
-first appeared in SSLeay 0.4.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_LOOKUP_add_mem
-first appeared in
-.Ox 5.7 .
-.Pp
-The other functions first appeared in SSLeay 0.8.0
-and have been available since
-.Ox 2.4 .
-.Sh BUGS
-If the
-.Fa type
-is
-.Dv X509_FILETYPE_DEFAULT
-or
-.Dv X509_FILETYPE_PEM ,
-.Fn X509_LOOKUP_ctrl
-with
-.Dv X509_L_FILE_LOAD
-and
-.Fn X509_LOOKUP_load_file
-silently ignore failure of
-.Xr X509_STORE_add_cert 3
-and
-.Xr X509_STORE_add_crl 3
-and indicate success anyway.
-.Pp
-Handling of a
-.Dv NULL
-.Fa source
-is inconsistent for
-.Fn X509_LOOKUP_ctrl
-with
-.Dv X509_L_FILE_LOAD
-and for
-.Fn X509_LOOKUP_load_file .
-With
-.Dv X509_FILETYPE_PEM ,
-it causes failure, but with
-.Dv X509_FILETYPE_ASN1 ,
-no action occurs and success is indicated.
-.Pp
-When called on a
-.Fa lookup
-object using
-.Xr X509_LOOKUP_mem 3 ,
-.Fn X509_LOOKUP_ctrl
-raises
-.Dv ERR_R_PEM_LIB
-when called with an invalid
-.Fa command
-or
-.Fa type ,
-when
-.Xr BIO_new_mem_buf 3
-fails, when
-.Fa source
-contains zero objects, or when
-.Xr X509_STORE_add_cert 3
-fails on the first object encountered, which is all inconsistent
-with the behaviour of the other lookup methods.
diff --git a/src/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 b/src/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
deleted file mode 100644
index 2eadec7b4d..0000000000
--- a/src/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
+++ /dev/null
@@ -1,391 +0,0 @@
-.\" $OpenBSD: X509_NAME_ENTRY_get_object.3,v 1.16 2021/12/10 16:58:20 schwarze Exp $
-.\" full merge up to: OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
-.\" selective merge up to: OpenSSL ca34e08d Dec 12 07:38:07 2018 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016, 2018, 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2005, 2006, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 10 2021 $
-.Dt X509_NAME_ENTRY_GET_OBJECT 3
-.Os
-.Sh NAME
-.Nm X509_NAME_ENTRY_new ,
-.Nm X509_NAME_ENTRY_free ,
-.Nm X509_NAME_ENTRY_get_object ,
-.Nm X509_NAME_ENTRY_get_data ,
-.Nm X509_NAME_ENTRY_set ,
-.Nm X509_NAME_ENTRY_set_object ,
-.Nm X509_NAME_ENTRY_set_data ,
-.Nm X509_NAME_ENTRY_create_by_txt ,
-.Nm X509_NAME_ENTRY_create_by_NID ,
-.Nm X509_NAME_ENTRY_create_by_OBJ
-.\" In the following line, "X.501" is not a typo.
-.\" This object defined in X.501, not in X.509.
-.Nd X.501 relative distinguished name
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_NAME_ENTRY *
-.Fn X509_NAME_ENTRY_new void
-.Ft void
-.Fo X509_NAME_ENTRY_free
-.Fa "X509_NAME_ENTRY* ne"
-.Fc
-.Ft ASN1_OBJECT *
-.Fo X509_NAME_ENTRY_get_object
-.Fa "const X509_NAME_ENTRY *ne"
-.Fc
-.Ft ASN1_STRING *
-.Fo X509_NAME_ENTRY_get_data
-.Fa "const X509_NAME_ENTRY *ne"
-.Fc
-.Ft int
-.Fo X509_NAME_ENTRY_set
-.Fa "const X509_NAME_ENTRY *ne"
-.Fc
-.Ft int
-.Fo X509_NAME_ENTRY_set_object
-.Fa "X509_NAME_ENTRY *ne"
-.Fa "const ASN1_OBJECT *obj"
-.Fc
-.Ft int
-.Fo X509_NAME_ENTRY_set_data
-.Fa "X509_NAME_ENTRY *ne"
-.Fa "int type"
-.Fa "const unsigned char *bytes"
-.Fa "int len"
-.Fc
-.Ft X509_NAME_ENTRY *
-.Fo X509_NAME_ENTRY_create_by_txt
-.Fa "X509_NAME_ENTRY **ne"
-.Fa "const char *field"
-.Fa "int type"
-.Fa "const unsigned char *bytes"
-.Fa "int len"
-.Fc
-.Ft X509_NAME_ENTRY *
-.Fo X509_NAME_ENTRY_create_by_NID
-.Fa "X509_NAME_ENTRY **ne"
-.Fa "int nid"
-.Fa "int type"
-.Fa "const unsigned char *bytes"
-.Fa "int len"
-.Fc
-.Ft X509_NAME_ENTRY *
-.Fo X509_NAME_ENTRY_create_by_OBJ
-.Fa "X509_NAME_ENTRY **ne"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "int type"
-.Fa "const unsigned char *bytes"
-.Fa "int len"
-.Fc
-.Sh DESCRIPTION
-An X.501
-.Vt RelativeDistinguishedName
-is an ordered set of field type and value pairs.
-It is the building block for constructing X.501
-.Vt Name
-objects.
-The
-.Vt X509_NAME_ENTRY
-object stores one such pair, containing one field type and one value.
-.Pp
-.Vt X509_NAME_ENTRY
-objects are intended for use by the
-.Vt X509_NAME
-objects documented in
-.Xr X509_NAME_new 3 .
-Since part of the information about how several
-.Vt X509_NAME_ENTRY
-objects combine to form an X.501
-.Vt Name
-is stored in the individual
-.Vt X509_NAME_ENTRY
-objects rather than in the
-.Vt X509_NAME
-object, any given
-.Vt X509_NAME_ENTRY
-object can only be used by one
-.Vt X509_NAME
-object at a time.
-.Pp
-.Fn X509_NAME_ENTRY_new
-allocates and initializes an empty
-.Vt X509_NAME_ENTRY
-object, representing an ASN.1
-.Vt RelativeDistinguishedName
-structure defined in RFC 5280 section 4.1.2.4, but containing not more
-than one type-value-pair.
-.Pp
-.Fn X509_NAME_ENTRY_free
-frees
-.Fa ne
-and the type and value contained in it.
-.Pp
-.Fn X509_NAME_ENTRY_get_object
-retrieves the field type of
-.Fa ne
-in an
-.Vt ASN1_OBJECT
-structure.
-.Fn X509_NAME_ENTRY_get_data
-retrieves the field value of
-.Fa ne
-in an
-.Vt ASN1_STRING
-structure.
-These two functions can be used to examine an
-.Vt X509_NAME_ENTRY
-object as returned by
-.Xr X509_NAME_get_entry 3 .
-.Pp
-.Fn X509_NAME_ENTRY_set
-retrieves the index of the X.501
-.Vt RelativeDistinguishedName Pq RDN
-that
-.Fa ne
-is part of in the X.501
-.Vt Name
-object using it.
-The first RDN has index 0.
-If an RDN consists of more than one
-.Vt X509_NAME_ENTRY
-object, they all share the same index.
-In practice, RDNs containing more than one type-value-pair are rarely
-used, so if an
-.Va X509_NAME *name
-object uses
-.Fa ne ,
-then
-.Fn X509_NAME_ENTRY_set ne
-usually agrees with
-.Fn sk_X509_NAME_ENTRY_find name->entries ne ,
-but when multi-pair RDNs are used, it may be smaller.
-.Pp
-.Fn X509_NAME_ENTRY_set_object
-sets the field type of
-.Fa ne
-to
-.Fa obj .
-.Pp
-.Fn X509_NAME_ENTRY_set_data
-sets the field value of
-.Fa ne
-to the given string
-.Fa type
-and the value determined by
-.Fa bytes
-and
-.Fa len .
-If the
-.Fa type
-argument is positive and includes the
-.Fa MBSTRING_FLAG
-bit,
-.Xr ASN1_STRING_set_by_NID 3
-is used for setting the value, passing the
-.Fa type
-as the
-.Fa inform
-argument and using the
-.Fa nid
-corresponding to
-.Fa ne .
-Otherwise, if the
-.Fa type
-argument is
-.Dv V_ASN1_APP_CHOOSE ,
-the type of
-.Fa ne
-is set to the return value of
-.Xr ASN1_PRINTABLE_type 3 .
-.Pp
-.Fn X509_NAME_ENTRY_create_by_txt ,
-.Fn X509_NAME_ENTRY_create_by_NID ,
-and
-.Fn X509_NAME_ENTRY_create_by_OBJ
-create and return an
-.Vt X509_NAME_ENTRY
-structure.
-.Pp
-Except for
-.Fn X509_NAME_ENTRY_get_object
-and
-.Fn X509_NAME_ENTRY_get_data ,
-these functions are rarely used because
-.Vt X509_NAME_ENTRY
-structures are almost always part of
-.Vt X509_NAME
-structures and the functions described in
-.Xr X509_NAME_add_entry_by_txt 3
-are typically used to create and add new entries in a single operation.
-.Pp
-The arguments of these functions support similar options to the
-similarly named ones described in
-.Xr X509_NAME_add_entry_by_txt 3 .
-So for example
-.Fa type
-can be set to
-.Dv MBSTRING_ASC ,
-but in the case of
-.Fn X509_NAME_ENTRY_set_data
-the field type must be set first so the relevant field information
-can be looked up internally.
-.Sh RETURN VALUES
-The
-.Fn X509_NAME_ENTRY_new
-function returns a valid
-.Vt X509_NAME_ENTRY
-structure if successful; otherwise
-.Dv NULL
-is returned and an error code can be retrieved with
-.Xr ERR_get_error 3 .
-.Pp
-.Fn X509_NAME_ENTRY_get_object
-returns a valid
-.Vt ASN1_OBJECT
-structure if it is set or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn X509_NAME_ENTRY_get_data
-returns a valid
-.Vt ASN1_STRING
-structure if it is set or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn X509_NAME_ENTRY_set
-returns the zero-based index of the RDN
-.Fa ne
-is used in, or 0 if
-.Fa ne
-is not yet used by any
-.Vt X509_NAME
-object.
-.Pp
-The
-.Fn X509_NAME_ENTRY_set_object
-function returns 1 if successful;
-otherwise 0 is returned and an error code can be retrieved with
-.Xr ERR_get_error 3 .
-.Pp
-.Fn X509_NAME_ENTRY_set_data
-returns 1 on success or 0 on error.
-In some cases of failure, the reason can be determined with
-.Xr ERR_get_error 3 .
-.Pp
-.Fn X509_NAME_ENTRY_create_by_txt ,
-.Fn X509_NAME_ENTRY_create_by_NID ,
-and
-.Fn X509_NAME_ENTRY_create_by_OBJ
-return a valid
-.Vt X509_NAME_ENTRY
-structure on success or
-.Dv NULL
-if an error occurred.
-In some cases of failure, the reason can be determined with
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr OBJ_nid2obj 3 ,
-.Xr X509_NAME_add_entry 3 ,
-.Xr X509_NAME_get_entry 3 ,
-.Xr X509_NAME_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Pp
-ITU-T Recommendation X.501, also known as ISO/IEC 9594-2: Information
-Technology  Open Systems Interconnection  The Directory: Models,
-section 9.3: Relative distinguished name
-.Sh HISTORY
-.Fn X509_NAME_ENTRY_new
-and
-.Fn X509_NAME_ENTRY_free
-first appeared in SSLeay 0.5.1.
-.Fn X509_NAME_ENTRY_get_object ,
-.Fn X509_NAME_ENTRY_get_data ,
-.Fn X509_NAME_ENTRY_set_object ,
-.Fn X509_NAME_ENTRY_set_data ,
-.Fn X509_NAME_ENTRY_create_by_NID ,
-and
-.Fn X509_NAME_ENTRY_create_by_OBJ
-first appeared in SSLeay 0.8.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_NAME_ENTRY_create_by_txt
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Pp
-.Fn X509_NAME_ENTRY_set
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
-.Sh CAVEATS
-Despite its name,
-.Fn X509_NAME_ENTRY_set
-does not set anything.
-Something like
-.Dq X509_NAME_ENTRY_get_set
-would have been a better name.
diff --git a/src/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 b/src/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
deleted file mode 100644
index 3c1237d20e..0000000000
--- a/src/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
+++ /dev/null
@@ -1,283 +0,0 @@
-.\"     $OpenBSD: X509_NAME_add_entry_by_txt.3,v 1.16 2022/03/31 17:27:17 naddy Exp $
-.\"     OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2005, 2006, 2013, 2014 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 31 2022 $
-.Dt X509_NAME_ADD_ENTRY_BY_TXT 3
-.Os
-.Sh NAME
-.Nm X509_NAME_add_entry_by_txt ,
-.Nm X509_NAME_add_entry_by_OBJ ,
-.Nm X509_NAME_add_entry_by_NID ,
-.Nm X509_NAME_add_entry ,
-.Nm X509_NAME_delete_entry
-.Nd X509_NAME modification functions
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_NAME_add_entry_by_txt
-.Fa "X509_NAME *name"
-.Fa "const char *field"
-.Fa "int type"
-.Fa "const unsigned char *bytes"
-.Fa "int len"
-.Fa "int loc"
-.Fa "int set"
-.Fc
-.Ft int
-.Fo X509_NAME_add_entry_by_OBJ
-.Fa "X509_NAME *name"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "int type"
-.Fa "const unsigned char *bytes"
-.Fa "int len"
-.Fa "int loc"
-.Fa "int set"
-.Fc
-.Ft int
-.Fo X509_NAME_add_entry_by_NID
-.Fa "X509_NAME *name"
-.Fa "int nid"
-.Fa "int type"
-.Fa "const unsigned char *bytes"
-.Fa "int len"
-.Fa "int loc"
-.Fa "int set"
-.Fc
-.Ft int
-.Fo X509_NAME_add_entry
-.Fa "X509_NAME *name"
-.Fa "const X509_NAME_ENTRY *ne"
-.Fa "int loc"
-.Fa "int set"
-.Fc
-.Ft X509_NAME_ENTRY *
-.Fo X509_NAME_delete_entry
-.Fa "X509_NAME *name"
-.Fa "int loc"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_NAME_add_entry_by_txt ,
-.Fn X509_NAME_add_entry_by_OBJ ,
-and
-.Fn X509_NAME_add_entry_by_NID
-add a field whose name is defined by a string
-.Fa field ,
-an object
-.Fa obj
-or a NID
-.Fa nid ,
-respectively.
-The field value to be added is in
-.Fa bytes
-of length
-.Fa len .
-If
-.Fa len
-is -1 then the field length is calculated internally using
-.Fn strlen bytes .
-.Pp
-The type of field is determined by
-.Fa type
-which can either be a definition of the type of
-.Fa bytes
-(such as
-.Dv MBSTRING_ASC )
-or a standard ASN.1 type (such as
-.Dv V_ASN1_IA5STRING ) .
-The new entry is added to a position determined by
-.Fa loc
-and
-.Fa set .
-.Pp
-.Fn X509_NAME_add_entry
-adds a copy of an
-.Vt X509_NAME_ENTRY
-structure
-.Fa ne
-to
-.Fa name .
-The new entry is added to a position determined by
-.Fa loc
-and
-.Fa set .
-Since a copy of
-.Fa ne
-is added,
-.Fa ne
-must be freed up after the call.
-.Pp
-.Fn X509_NAME_delete_entry
-deletes an entry from
-.Fa name
-at position
-.Fa loc .
-The deleted entry is returned and must be freed up.
-.Pp
-The use of string types such as
-.Dv MBSTRING_ASC
-or
-.Dv MBSTRING_UTF8
-is strongly recommended for the
-.Fa type
-parameter.
-This allows the internal code to correctly determine the type of the
-field and to apply length checks according to the relevant standards.
-.Pp
-If instead an ASN.1 type is used, no checks are performed and the supplied
-data in
-.Fa bytes
-is used directly.
-.Pp
-In
-.Fn X509_NAME_add_entry_by_txt
-the
-.Fa field
-string represents the field name using
-.Fn OBJ_txt2obj field 0 .
-.Pp
-The
-.Fa loc
-and
-.Fa set
-parameters determine where a new entry should be added.
-For almost all applications,
-.Fa loc
-can be set to -1 and
-.Fa set
-to 0.
-This adds a new entry to the end of
-.Fa name
-as a single valued
-.Vt RelativeDistinguishedName
-(RDN).
-.Pp
-.Fa loc
-actually determines the index where the new entry is inserted:
-if it is -1 it is appended.
-.Pp
-.Fa set
-determines how the new type is added.
-If it is zero, a new RDN is created.
-.Pp
-If
-.Fa set
-is -1 or 1, it is added to the previous or next RDN structure
-respectively.
-This will then be a multivalued RDN: since multivalue RDNs are very
-seldom used,
-.Fa set
-is almost always set to zero.
-.Sh RETURN VALUES
-.Fn X509_NAME_add_entry_by_txt ,
-.Fn X509_NAME_add_entry_by_OBJ ,
-.Fn X509_NAME_add_entry_by_NID ,
-and
-.Fn X509_NAME_add_entry
-return 1 for success or 0 if an error occurred.
-.Pp
-.Fn X509_NAME_delete_entry
-returns either the deleted
-.Vt X509_NAME_ENTRY
-structure or
-.Dv NULL
-if an error occurred.
-.Pp
-In some cases of failure, the reason can be determined with
-.Xr ERR_get_error 3 .
-.Sh EXAMPLES
-Create an
-.Vt X509_NAME
-structure:
-.Bd -literal -offset indent
-C=UK, O=Disorganized Organization, CN=Joe Bloggs
-
-X509_NAME *nm;
-nm = X509_NAME_new();
-if (nm == NULL)
-        /* Some error */
-if (!X509_NAME_add_entry_by_txt(nm, "C", MBSTRING_ASC,
-                "UK", -1, -1, 0))
-        /* Error */
-if (!X509_NAME_add_entry_by_txt(nm, "O", MBSTRING_ASC,
-                "Disorganized Organization", -1, -1, 0))
-        /* Error */
-if (!X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC,
-                "Joe Bloggs", -1, -1, 0))
-        /* Error */
-.Ed
-.Sh SEE ALSO
-.Xr d2i_X509_NAME 3 ,
-.Xr X509_NAME_ENTRY_get_object 3 ,
-.Xr X509_NAME_get_index_by_NID 3 ,
-.Xr X509_NAME_new 3
-.Sh HISTORY
-.Fn X509_NAME_add_entry
-and
-.Fn X509_NAME_delete_entry
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_NAME_add_entry_by_txt ,
-.Fn X509_NAME_add_entry_by_OBJ ,
-and
-.Fn X509_NAME_add_entry_by_NID
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Sh BUGS
-.Fa type
-can still be set to
-.Dv V_ASN1_APP_CHOOSE
-to use
-.Xr ASN1_PRINTABLE_type 3
-to determine field types.
-Since this form does not understand multicharacter types, performs
-no length checks, and can result in invalid field types, its use
-is strongly discouraged.
diff --git a/src/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 b/src/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
deleted file mode 100644
index a2ceb10eb5..0000000000
--- a/src/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
+++ /dev/null
@@ -1,265 +0,0 @@
-.\"     $OpenBSD: X509_NAME_get_index_by_NID.3,v 1.16 2023/05/29 11:54:50 beck Exp $
-.\"     OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2006, 2014, 2015, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 29 2023 $
-.Dt X509_NAME_GET_INDEX_BY_NID 3
-.Os
-.Sh NAME
-.Nm X509_NAME_get_index_by_NID ,
-.Nm X509_NAME_get_index_by_OBJ ,
-.Nm X509_NAME_entry_count ,
-.Nm X509_NAME_get_entry ,
-.Nm X509_NAME_get_text_by_NID ,
-.Nm X509_NAME_get_text_by_OBJ
-.Nd X509_NAME lookup and enumeration functions
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_NAME_get_index_by_NID
-.Fa "const X509_NAME *name"
-.Fa "int nid"
-.Fa "int lastpos"
-.Fc
-.Ft int
-.Fo X509_NAME_get_index_by_OBJ
-.Fa "const X509_NAME *name"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "int lastpos"
-.Fc
-.Ft int
-.Fo X509_NAME_entry_count
-.Fa "const X509_NAME *name"
-.Fc
-.Ft X509_NAME_ENTRY *
-.Fo X509_NAME_get_entry
-.Fa "const X509_NAME *name"
-.Fa "int loc"
-.Fc
-.Ft int
-.Fo X509_NAME_get_text_by_NID
-.Fa "X509_NAME *name"
-.Fa "int nid"
-.Fa "char *buf"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo X509_NAME_get_text_by_OBJ
-.Fa "X509_NAME *name"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "char *buf"
-.Fa "int len"
-.Fc
-.Sh DESCRIPTION
-These functions allow an
-.Vt X509_NAME
-structure to be examined.
-The
-.Vt X509_NAME
-structure is the same as the ASN.1
-.Vt Name
-type defined in RFC 2459 (and elsewhere) and used, for example,
-in certificate subject and issuer names.
-.Pp
-.Fn X509_NAME_get_index_by_NID
-and
-.Fn X509_NAME_get_index_by_OBJ
-retrieve the next index matching
-.Fa nid
-or
-.Fa obj
-after
-.Fa lastpos .
-.Fa lastpos
-should initially be set to -1.
-.Pp
-.Fn X509_NAME_get_entry
-retrieves the
-.Vt X509_NAME_ENTRY
-from
-.Fa name
-corresponding to index
-.Fa loc .
-Acceptable values for
-.Fa loc
-run from 0 to
-.Fn X509_NAME_entry_count name
-- 1.
-.Pp
-.Fn X509_NAME_get_text_by_NID
-and
-.Fn X509_NAME_get_text_by_OBJ
-retrieve the bytes encoded as UTF-8 from the first entry in
-.Fa name
-which matches
-.Fa nid
-or
-.Fa obj .
-If
-.Fa buf
-is
-.Dv NULL ,
-nothing is written, but the return value is calculated as usual.
-If
-.Fa buf
-is not
-.Dv NULL ,
-no more than
-.Fa len
-bytes will be written and the text written to
-.Fa buf
-will be NUL terminated.
-.Pp
-If
-.Fa len
-is not large enough to hold the NUL byte terminated UTF-8 encoding of
-the text, or if the UTF-8 encoding of the text would contains a NUL
-byte, no data will be written and the call will return failure.
-.Pp
-All relevant
-.Dv NID_*
-and
-.Dv OBJ_*
-codes can be found in the
-.In openssl/objects.h
-header file.
-.Pp
-Applications which could pass invalid NIDs to
-.Fn X509_NAME_get_index_by_NID
-should check for the return value of -2.
-Alternatively the NID validity can be determined first by checking that
-.Fn OBJ_nid2obj nid
-is not
-.Dv NULL .
-.Sh RETURN VALUES
-.Fn X509_NAME_get_index_by_NID
-returns the index of the next matching entry, -1 if not found, or -2 if the
-.Fa nid
-does not correspond to a valid OID.
-.Pp
-.Fn X509_NAME_get_index_by_OBJ
-returns the index of the next matching entry or -1 if not found.
-.Pp
-.Fn X509_NAME_entry_count
-returns the total number of entries in
-.Fa name .
-.Pp
-.Fn X509_NAME_get_entry
-returns an internal pointer which must not be freed by the caller or
-.Dv NULL
-if the index is invalid.
-.Pp
-.Fn X509_NAME_get_text_by_NID
-and
-.Fn X509_NAME_get_text_by_OBJ
-return the length of the output UTF-8 string written, not counting the
-terminating NUL, or -1 in the case of an error or no match being found.
-.Pp
-In some cases of failure of
-.Fn X509_NAME_get_index_by_NID
-and
-.Fn X509_NAME_get_text_by_NID ,
-the reason can be determined with
-.Xr ERR_get_error 3 .
-.Sh EXAMPLES
-Process all entries:
-.Bd -literal
-int i;
-X509_NAME_ENTRY *e;
-
-for (i = 0; i < X509_NAME_entry_count(nm); i++) {
-        e = X509_NAME_get_entry(nm, i);
-        /* Do something with e */
-}
-.Ed
-.Pp
-Process all commonName entries:
-.Bd -literal
-int lastpos = -1;
-X509_NAME_ENTRY *e;
-
-for (;;) {
-        lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos);
-        if (lastpos == -1)
-                break;
-        e = X509_NAME_get_entry(nm, lastpos);
-        /* Do something with e */
-}
-.Ed
-.Sh SEE ALSO
-.Xr d2i_X509_NAME 3 ,
-.Xr X509_NAME_ENTRY_get_object 3 ,
-.Xr X509_NAME_new 3
-.Sh HISTORY
-These functions first appeared in SSLeay 0.8.0
-and have been available since
-.Ox 2.4 .
-.Sh CAVEATS
-.Fn X509_NAME_get_text_by_NID
-and
-.Fn X509_NAME_get_text_by_OBJ
-are legacy functions which have various limitations which make them of
-minimal use in practice.
-They can only find the first matching entry and will copy the contents
-of the field verbatim: this can be highly confusing if the target is a
-multicharacter string type like a
-.Vt BMPString
-or a
-.Vt UTF8String .
-.Pp
-For a more general solution,
-.Fn X509_NAME_get_index_by_NID
-or
-.Fn X509_NAME_get_index_by_OBJ
-should be used, followed by
-.Fn X509_NAME_get_entry
-on any matching indices and then the various
-.Vt X509_NAME_ENTRY
-utility functions on the result.
diff --git a/src/lib/libcrypto/man/X509_NAME_hash.3 b/src/lib/libcrypto/man/X509_NAME_hash.3
deleted file mode 100644
index 8766109525..0000000000
--- a/src/lib/libcrypto/man/X509_NAME_hash.3
+++ /dev/null
@@ -1,97 +0,0 @@
-.\" $OpenBSD: X509_NAME_hash.3,v 1.3 2021/07/31 14:54:33 schwarze Exp $
-.\"
-.\" Copyright (c) 2017, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 31 2021 $
-.Dt X509_NAME_HASH 3
-.Os
-.Sh NAME
-.Nm X509_NAME_hash ,
-.Nm X509_issuer_name_hash ,
-.Nm X509_subject_name_hash ,
-.\" X509_issuer_and_serial_hash() is intentionally undocumented
-.\" because it uses MD5 only and is unused in real-world code.
-.Nm X509_NAME_hash_old ,
-.Nm X509_issuer_name_hash_old ,
-.Nm X509_subject_name_hash_old
-.\" In the following line, "X.501" and "Name" are not typos.
-.\" The "Name" type is defined in X.501, not in X.509.
-.\" The type is called "Name" with capital "N", not "name".
-.Nd calculate SHA-1 or MD5 hashes of X.501 Name objects
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft unsigned long
-.Fn X509_NAME_hash "X509_NAME *name"
-.Ft unsigned long
-.Fn X509_issuer_name_hash "X509 *x"
-.Ft unsigned long
-.Fn X509_subject_name_hash "X509 *x"
-.Ft unsigned long
-.Fn X509_NAME_hash_old "X509_NAME *name"
-.Ft unsigned long
-.Fn X509_issuer_name_hash_old "X509 *x"
-.Ft unsigned long
-.Fn X509_subject_name_hash_old "X509 *x"
-.Sh DESCRIPTION
-.Fn X509_NAME_hash
-calculates an
-.Xr SHA1 3
-hash of the DER-encoded form of
-.Fa name .
-It is for example used by
-.Xr X509_LOOKUP_hash_dir 3
-to locate certificate files in the file system.
-.Pp
-.Fn X509_issuer_name_hash
-and
-.Fn X509_subject_name_hash
-are wrappers to calculate this hash of the issuer or subject name of
-.Fa x ,
-respectively.
-.Pp
-.Fn X509_NAME_hash_old ,
-.Fn X509_issuer_name_hash_old ,
-and
-.Fn X509_subject_name_hash_old
-are variants that use MD5 instead of SHA-1.
-.Sh RETURN VALUES
-These functions return the hash value or 0 if an error occurs.
-.Sh SEE ALSO
-.Xr i2d_X509_NAME 3 ,
-.Xr X509_get_subject_name 3 ,
-.Xr X509_LOOKUP_new 3 ,
-.Xr X509_NAME_digest 3 ,
-.Xr X509_NAME_new 3
-.Sh HISTORY
-.Fn X509_subject_name_hash
-first appeared in SSLeay 0.4.0,
-.Fn X509_issuer_name_hash
-in SSLeay 0.5.1, and
-.Fn X509_NAME_hash
-in SSLeay 0.8.0.
-They were switched to hashing the DER representation of the name
-rather than an ASCII rendering in SSLeay 0.9.0 and have all been
-available since
-.Ox 2.4 .
-.Pp
-They were switched to using SHA1 instead of MD5 in OpenSSL 1.0.0 and in
-.Ox 4.9 .
-.Pp
-.Fn X509_NAME_hash_old ,
-.Fn X509_issuer_name_hash_old ,
-and
-.Fn X509_subject_name_hash_old
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/X509_NAME_new.3 b/src/lib/libcrypto/man/X509_NAME_new.3
deleted file mode 100644
index 3a4786a9ae..0000000000
--- a/src/lib/libcrypto/man/X509_NAME_new.3
+++ /dev/null
@@ -1,103 +0,0 @@
-.\" $OpenBSD: X509_NAME_new.3,v 1.9 2021/07/20 17:31:32 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 20 2021 $
-.Dt X509_NAME_NEW 3
-.Os
-.Sh NAME
-.Nm X509_NAME_new ,
-.Nm X509_NAME_free
-.\" In the following line, "X.501" and "Name" are not typos.
-.\" The "Name" type is defined in X.501, not in X.509.
-.\" The type in called "Name" with capital "N", not "name".
-.Nd X.501 Name object
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_NAME *
-.Fn X509_NAME_new void
-.Ft void
-.Fn X509_NAME_free "X509_NAME *name"
-.Sh DESCRIPTION
-An X.501
-.Vt Name
-is an ordered sequence of relative distinguished names.
-A relative distinguished name is a set of key-value pairs; see
-.Xr X509_NAME_ENTRY_new 3
-for details.
-.Pp
-Various X.509 structures contain X.501
-.Vt Name
-substructures.
-They are for example used for the issuers of certificates and
-certificate revocation lists and for the subjects of certificates
-and certificate requests.
-.Pp
-.Fn X509_NAME_new
-allocates and initializes an empty
-.Vt X509_NAME
-object, representing an ASN.1
-.Vt Name
-structure defined in RFC 5280 section 4.1.2.4.
-Data can be added to such objects with the functions described in
-.Xr X509_NAME_add_entry_by_txt 3 ,
-and they can be inspected with the functions described in
-.Xr X509_NAME_get_index_by_NID 3 .
-.Pp
-.Fn X509_NAME_free
-frees
-.Fa name
-and all the
-.Vt X509_NAME_ENTRY
-objects contained in it.
-If
-.Fa name
-is a
-.Dv NULL
-pointer, no action occurs.
-.Sh RETURN VALUES
-.Fn X509_NAME_new
-returns a new
-.Vt X509_NAME
-object or
-.Dv NULL
-if an error occurred.
-.Sh SEE ALSO
-.Xr d2i_X509_NAME 3 ,
-.Xr GENERAL_NAME_new 3 ,
-.Xr NAME_CONSTRAINTS_new 3 ,
-.Xr SSL_load_client_CA_file 3 ,
-.Xr X509_get_subject_name 3 ,
-.Xr X509_NAME_add_entry_by_txt 3 ,
-.Xr X509_NAME_cmp 3 ,
-.Xr X509_NAME_digest 3 ,
-.Xr X509_NAME_ENTRY_new 3 ,
-.Xr X509_NAME_get_index_by_NID 3 ,
-.Xr X509_NAME_hash 3 ,
-.Xr X509_NAME_print_ex 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Pp
-ITU-T Recommendation X.501, also known as ISO/IEC 9594-2:
-Information Technology \(en Open Systems Interconnection \(en
-The Directory: Models, section 9: Names
-.Sh HISTORY
-.Fn X509_NAME_new
-and
-.Fn X509_NAME_free
-appeared in SSLeay 0.4 or earlier and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/X509_NAME_print_ex.3 b/src/lib/libcrypto/man/X509_NAME_print_ex.3
deleted file mode 100644
index fc06a717cc..0000000000
--- a/src/lib/libcrypto/man/X509_NAME_print_ex.3
+++ /dev/null
@@ -1,260 +0,0 @@
-.\" $OpenBSD: X509_NAME_print_ex.3,v 1.17 2025/03/09 16:45:31 tb Exp $
-.\" full merge up to: OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
-.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2004, 2007, 2016, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 9 2025 $
-.Dt X509_NAME_PRINT_EX 3
-.Os
-.Sh NAME
-.Nm X509_NAME_print_ex ,
-.Nm X509_NAME_print_ex_fp ,
-.Nm X509_NAME_oneline
-.Nd X509_NAME printing routines
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_NAME_print_ex
-.Fa "BIO *out"
-.Fa "const X509_NAME *nm"
-.Fa "int indent"
-.Fa "unsigned long flags"
-.Fc
-.Ft int
-.Fo X509_NAME_print_ex_fp
-.Fa "FILE *fp"
-.Fa "const X509_NAME *nm"
-.Fa "int indent"
-.Fa "unsigned long flags"
-.Fc
-.Ft char *
-.Fo X509_NAME_oneline
-.Fa "const X509_NAME *a"
-.Fa "char *buf"
-.Fa "int size"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_NAME_print_ex
-prints a human readable version of
-.Fa nm
-to
-.Vt BIO
-.Fa out .
-Each line (for multiline formats) is indented by
-.Fa indent
-spaces.
-The output format can be extensively customised by use of the
-.Fa flags
-parameter.
-.Pp
-.Fn X509_NAME_print_ex_fp
-is identical to
-.Fn X509_NAME_print_ex
-except the output is written to the
-.Vt FILE
-pointer
-.Fa fp .
-.Pp
-.Fn X509_NAME_oneline
-prints an ASCII version of
-.Fa a
-to
-.Fa buf .
-If
-.Fa buf
-is
-.Dv NULL ,
-then a buffer is dynamically allocated and returned, and
-.Fa size
-is ignored.
-Otherwise, at most
-.Fa size
-bytes will be written, including the ending NUL, and
-.Fa buf
-is returned.
-.Pp
-.Fn X509_NAME_oneline
-is a legacy function which produces a non-standard output form.
-It doesn't handle multi-character fields and has various quirks
-and inconsistencies.
-Its use is strongly discouraged in new applications.
-.Pp
-Although there are a large number of possible flags, for most purposes
-.Dv XN_FLAG_ONELINE ,
-.Dv XN_FLAG_MULTILINE ,
-or
-.Dv XN_FLAG_RFC2253
-will suffice.
-As noted on the
-.Xr ASN1_STRING_print_ex 3
-manual page, for UTF-8 terminals the
-.Dv ASN1_STRFLGS_ESC_MSB
-should be unset: so for example
-.Dv XN_FLAG_ONELINE No & Pf ~ Dv ASN1_STRFLGS_ESC_MSB
-would be used.
-.Pp
-The complete set of the flags supported by
-.Dv X509_NAME_print_ex
-is listed below.
-.Pp
-Several options can be OR'ed together.
-.Pp
-The options
-.Dv XN_FLAG_SEP_COMMA_PLUS ,
-.Dv XN_FLAG_SEP_CPLUS_SPC ,
-.Dv XN_FLAG_SEP_SPLUS_SPC ,
-and
-.Dv XN_FLAG_SEP_MULTILINE
-determine the field separators to use.
-Two distinct separators are used between distinct
-.Vt RelativeDistinguishedName
-components and separate values in the same RDN for a multi-valued RDN.
-Multi-valued RDNs are currently very rare so the second separator
-will hardly ever be used.
-.Pp
-.Dv XN_FLAG_SEP_COMMA_PLUS
-uses comma and plus as separators.
-.Dv XN_FLAG_SEP_CPLUS_SPC
-uses comma and plus with spaces:
-this is more readable that plain comma and plus.
-.Dv XN_FLAG_SEP_SPLUS_SPC
-uses spaced semicolon and plus.
-.Dv XN_FLAG_SEP_MULTILINE
-uses spaced newline and plus respectively.
-.Dv XN_FLAG_SEP_MASK
-contains the bits used to represent these four options.
-.Pp
-If
-.Dv XN_FLAG_DN_REV
-is set, the whole DN is printed in reversed order.
-.Pp
-The fields
-.Dv XN_FLAG_FN_SN ,
-.Dv XN_FLAG_FN_LN ,
-.Dv XN_FLAG_FN_OID ,
-and
-.Dv XN_FLAG_FN_NONE
-determine how a field name is displayed.
-It will use the short name (e.g. CN), the long name (e.g. commonName),
-always use OID numerical form (normally OIDs are only used if the
-field name is not recognised) and no field name, respectively.
-.Dv XN_FLAG_FN_MASK
-contains the bits used to represent these four options.
-.Pp
-If
-.Dv XN_FLAG_SPC_EQ
-is set, then spaces will be placed around the
-.Ql =
-character separating field names and values.
-.Pp
-If
-.Dv XN_FLAG_DUMP_UNKNOWN_FIELDS
-is set, then the encoding of unknown fields is printed instead of the
-values.
-.Pp
-If
-.Dv XN_FLAG_FN_ALIGN
-is set, then field names are padded to 20 characters:
-this is only of use for multiline format.
-.Pp
-Additionally, all the options supported by
-.Xr ASN1_STRING_print_ex 3
-can be used to control how each field value is displayed.
-.Pp
-In addition a number of options can be set for commonly used formats.
-.Pp
-.Dv XN_FLAG_RFC2253
-sets options which produce an output compatible with RFC 2253.
-It is equivalent to
-.Dv ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV |
-.Dv XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS .
-.Pp
-.Dv XN_FLAG_ONELINE
-is a more readable one line format which is the same as:
-.Dv ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC |
-.Dv XN_FLAG_SPC_EQ | XN_FLAG_FN_SN .
-.Pp
-.Dv XN_FLAG_MULTILINE
-is a multiline format which is the same as:
-.Dv ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE |
-.Dv XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN .
-.Pp
-.Dv XN_FLAG_COMPAT
-uses the traditional non-standard SSLeay format.
-.Sh RETURN VALUES
-.Fn X509_NAME_print_ex
-and
-.Fn X509_NAME_print_ex_fp
-return 1 on success or 0 on error if
-.Dv XN_FLAG_COMPAT
-is set in
-.Fa flags .
-Otherwise, they return the number of printed bytes including the
-indentation or \-1 on error.
-.Pp
-.Fn X509_NAME_oneline
-returns a valid string on success or
-.Dv NULL
-on error.
-.Sh SEE ALSO
-.Xr ASN1_STRING_print_ex 3 ,
-.Xr d2i_X509_NAME 3 ,
-.Xr X509_NAME_get_index_by_NID 3 ,
-.Xr X509_NAME_new 3
-.Sh HISTORY
-.Fn X509_NAME_oneline
-first appeared in SSLeay 0.5.1 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_NAME_print_ex
-and
-.Fn X509_NAME_print_ex_fp
-first appeared in OpenSSL 0.9.6 and have been available since
-.Ox 2.9 .
diff --git a/src/lib/libcrypto/man/X509_OBJECT_get0_X509.3 b/src/lib/libcrypto/man/X509_OBJECT_get0_X509.3
deleted file mode 100644
index 56b3926a8b..0000000000
--- a/src/lib/libcrypto/man/X509_OBJECT_get0_X509.3
+++ /dev/null
@@ -1,252 +0,0 @@
-.\" $OpenBSD: X509_OBJECT_get0_X509.3,v 1.16 2025/03/08 17:02:59 tb Exp $
-.\"
-.\" Copyright (c) 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 8 2025 $
-.Dt X509_OBJECT_GET0_X509 3
-.Os
-.Sh NAME
-.Nm X509_OBJECT_get_type ,
-.Nm X509_OBJECT_new ,
-.Nm X509_OBJECT_free ,
-.Nm X509_OBJECT_get0_X509 ,
-.Nm X509_OBJECT_get0_X509_CRL ,
-.Nm X509_OBJECT_idx_by_subject ,
-.Nm X509_OBJECT_retrieve_by_subject ,
-.Nm X509_OBJECT_retrieve_match
-.Nd certificate, CRL, private key, and string wrapper for certificate stores
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft X509_LOOKUP_TYPE
-.Fo X509_OBJECT_get_type
-.Fa "const X509_OBJECT *obj"
-.Fc
-.Ft X509_OBJECT *
-.Fo X509_OBJECT_new
-.Fa void
-.Fc
-.Ft void
-.Fo X509_OBJECT_free
-.Fa "X509_OBJECT *obj"
-.Fc
-.Ft X509 *
-.Fo X509_OBJECT_get0_X509
-.Fa "const X509_OBJECT *obj"
-.Fc
-.Ft X509_CRL *
-.Fo X509_OBJECT_get0_X509_CRL
-.Fa "X509_OBJECT *obj"
-.Fc
-.Ft int
-.Fo X509_OBJECT_idx_by_subject
-.Fa "STACK_OF(X509_OBJECT) *stack"
-.Fa "X509_LOOKUP_TYPE type"
-.Fa "X509_NAME *name"
-.Fc
-.Ft X509_OBJECT *
-.Fo X509_OBJECT_retrieve_by_subject
-.Fa "STACK_OF(X509_OBJECT) *stack"
-.Fa "X509_LOOKUP_TYPE type"
-.Fa "X509_NAME *name"
-.Fc
-.Ft X509_OBJECT *
-.Fo X509_OBJECT_retrieve_match
-.Fa "STACK_OF(X509_OBJECT) *stack"
-.Fa "X509_OBJECT *obj"
-.Fc
-.Sh DESCRIPTION
-The
-.Vt X509_OBJECT
-structure is a shallow wrapper around one
-.Vt X509
-certificate object or one
-.Vt X509_CRL
-certificate revocation list object.
-The type of object stored at any given time can be inspected with
-.Fn X509_OBJECT_get_type .
-.Pp
-Each
-.Vt X509_STORE
-object uses one stack of
-.Vt X509_OBJECT
-structures as its main storage area.
-.Pp
-.Fn X509_OBJECT_new
-allocates a new
-.Vt X509_OBJECT
-structure.
-It sets the object type to
-.Dv X509_LU_NONE
-and the pointer to the certificate or CRL to
-.Dv NULL .
-.Pp
-If
-.Fa obj
-contains an
-.Vt X509
-certificate,
-.Fn X509_OBJECT_free
-calls
-.Xr X509_free 3
-on that inner object.
-If
-.Fa obj
-contains an
-.Vt X509_CRL
-certificate revocation list, it calls
-.Xr X509_CRL_free 3
-on that inner list.
-.Fn X509_OBJECT_free
-then frees the storage used for the
-.Fa obj
-itself.
-.Pp
-If
-.Fa type
-is
-.Dv X509_LU_X509 ,
-.Fn X509_OBJECT_idx_by_subject
-and
-.Fn X509_OBJECT_retrieve_by_subject
-search the given
-.Fa stack
-for a certificate with the subject
-.Fa name .
-If
-.Fa type
-is
-.Dv X509_LU_CRL ,
-they search for a certificate revocation list with the issuer
-.Fa name
-instead.
-.Pp
-If
-.Fa obj
-contains a certificate,
-.Fn X509_OBJECT_retrieve_match
-searches the given
-.Fa stack
-for a certificate with a matching subject name;
-if it contains a certificate revocation list, it searches for a
-certificate revocation list with a matching issuer name instead;
-otherwise, it searches for an
-.Vt X509_OBJECT
-with a matching type.
-.Sh RETURN VALUES
-.Fn X509_OBJECT_get_type
-returns
-.Dv X509_LU_X509
-if
-.Fa obj
-contains a certificate,
-.Dv X509_LU_CRL
-if it contains a certificate revocation list, or
-.Dv X509_LU_NONE
-if it contains neither.
-.Pp
-.Fn X509_OBJECT_new
-returns the new object or
-.Dv NULL
-if memory allocation fails.
-.Pp
-.Fn X509_OBJECT_get0_X509
-returns an internal pointer to the certificate contained in
-.Fa obj
-or
-.Dv NULL
-if
-.Fa obj
-is
-.Dv NULL
-or contains no certificate.
-.Pp
-.Fn X509_OBJECT_get0_X509_CRL
-returns an internal pointer to the certificate revocation list contained in
-.Fa obj
-or
-.Dv NULL
-if
-.Fa obj
-is
-.Dv NULL
-or contains no certificate revocation list.
-.Pp
-.Fn X509_OBJECT_idx_by_subject
-returns the zero-based index of the first matching certificate
-or revocation list in the
-.Fa stack
-or \-1 if
-.Fa type
-is neither
-.Dv X509_LU_X509
-nor
-.Dv X509_LU_CRL
-or if no match is found.
-.Pp
-.Fn X509_OBJECT_retrieve_by_subject
-returns the first matching certificate or revocation list in the
-.Fa stack
-or
-.Dv NULL
-if
-.Fa type
-is neither
-.Dv X509_LU_X509
-nor
-.Dv X509_LU_CRL
-or if no match is found.
-.Pp
-.Fn X509_OBJECT_retrieve_match
-returns the first matching
-.Vt X509_OBJECT
-or
-.Dv NULL
-if
-.Fa stack
-or
-.Fa obj
-is
-.Dv NULL
-or no match is found.
-.Sh SEE ALSO
-.Xr STACK_OF 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_LOOKUP_new 3 ,
-.Xr X509_NAME_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_STORE_get0_objects 3 ,
-.Xr X509_STORE_get_by_subject 3 ,
-.Xr X509_STORE_load_locations 3 ,
-.Xr X509_STORE_new 3
-.Sh HISTORY
-.Fn X509_OBJECT_idx_by_subject ,
-.Fn X509_OBJECT_retrieve_by_subject ,
-and
-.Fn X509_OBJECT_retrieve_match
-first appeared in OpenSSL 0.9.6 and have been available since
-.Ox 2.9 .
-.Pp
-.Fn X509_OBJECT_get_type ,
-.Fn X509_OBJECT_get0_X509 ,
-and
-.Fn X509_OBJECT_get0_X509_CRL
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.3 .
-.Pp
-.Fn X509_OBJECT_new
-and
-.Fn X509_OBJECT_free
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/X509_PKEY_new.3 b/src/lib/libcrypto/man/X509_PKEY_new.3
deleted file mode 100644
index 253b0f6db5..0000000000
--- a/src/lib/libcrypto/man/X509_PKEY_new.3
+++ /dev/null
@@ -1,92 +0,0 @@
-.\" $OpenBSD: X509_PKEY_new.3,v 1.1 2021/10/19 10:39:33 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 19 2021 $
-.Dt X509_PKEY_NEW 3
-.Os
-.Sh NAME
-.Nm X509_PKEY_new ,
-.Nm X509_PKEY_free
-.Nd X.509 private key wrapper object
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_PKEY *
-.Fn X509_PKEY_new void
-.Ft void
-.Fn X509_PKEY_free "X509_PKEY *wrapper"
-.Sh DESCRIPTION
-.Vt X509_PKEY
-is a reference-counted wrapper object that can store
-.Bl -bullet -width 1n
-.It
-a pointer to an encrypted and ASN.1-encoded private key
-.It
-a pointer to an
-.Vt EVP_PKEY
-object representing the same key in decrypted form
-.It
-a pointer to an
-.Vt X509_ALGOR
-object identifying the algorithm used by the key
-.El
-.Pp
-The object may contain only the encrypted key or only the decrypted
-key or both.
-.Pp
-.Vt X509_PKEY
-is used as a sub-object of the
-.Vt X509_INFO
-object created by
-.Xr PEM_X509_INFO_read_bio 3
-if the PEM file contains any RSA, DSA, or EC PRIVATE KEY object.
-.Pp
-.Fn X509_PKEY_new
-allocates and initializes an empty
-.Vt X509_PKEY
-object and sets its reference count to 1.
-.Pp
-.Fn X509_PKEY_free
-decrements the reference count of the
-.Fa wrapper
-object by 1.
-If the reference count reaches 0,
-it frees all internal objects allocated by the
-.Fa wrapper
-as well as the storage needed for the
-.Fa wrapper
-object itself.
-If
-.Fa wrapper
-is a
-.Dv NULL
-pointer, no action occurs.
-.Sh RETURN VALUES
-.Fn X509_PKEY_new
-returns a pointer to the new
-.Vt X509_PKEY
-object or
-.Dv NULL
-if memory allocation fails.
-.Sh SEE ALSO
-.Xr EVP_PKEY_new 3 ,
-.Xr PEM_X509_INFO_read 3 ,
-.Xr X509_INFO_new 3
-.Sh HISTORY
-.Fn X509_PKEY_new
-and
-.Fn X509_PKEY_free
-first appeared in SSLeay 0.6.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/X509_PUBKEY_new.3 b/src/lib/libcrypto/man/X509_PUBKEY_new.3
deleted file mode 100644
index df1c50bda2..0000000000
--- a/src/lib/libcrypto/man/X509_PUBKEY_new.3
+++ /dev/null
@@ -1,401 +0,0 @@
-.\" $OpenBSD: X509_PUBKEY_new.3,v 1.18 2024/12/06 12:51:13 schwarze Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2020, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt X509_PUBKEY_NEW 3
-.Os
-.Sh NAME
-.Nm X509_PUBKEY_new ,
-.Nm X509_PUBKEY_free ,
-.Nm X509_PUBKEY_set ,
-.Nm X509_PUBKEY_get0 ,
-.Nm X509_PUBKEY_get ,
-.Nm d2i_X509_PUBKEY ,
-.Nm i2d_X509_PUBKEY ,
-.Nm d2i_PUBKEY ,
-.Nm i2d_PUBKEY ,
-.Nm d2i_PUBKEY_bio ,
-.Nm d2i_PUBKEY_fp ,
-.Nm i2d_PUBKEY_fp ,
-.Nm i2d_PUBKEY_bio ,
-.Nm X509_PUBKEY_set0_param ,
-.Nm X509_PUBKEY_get0_param
-.Nd X.509 SubjectPublicKeyInfo structure
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_PUBKEY *
-.Fn X509_PUBKEY_new void
-.Ft void
-.Fo X509_PUBKEY_free
-.Fa "X509_PUBKEY *a"
-.Fc
-.Ft int
-.Fo X509_PUBKEY_set
-.Fa "X509_PUBKEY **x"
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft EVP_PKEY *
-.Fo X509_PUBKEY_get0
-.Fa "X509_PUBKEY *key"
-.Fc
-.Ft EVP_PKEY *
-.Fo X509_PUBKEY_get
-.Fa "X509_PUBKEY *key"
-.Fc
-.Ft X509_PUBKEY *
-.Fo d2i_X509_PUBKEY
-.Fa "X509_PUBKEY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_PUBKEY
-.Fa "X509_PUBKEY *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft EVP_PKEY *
-.Fo d2i_PUBKEY
-.Fa "EVP_PKEY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PUBKEY
-.Fa "EVP_PKEY *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft EVP_PKEY *
-.Fo d2i_PUBKEY_bio
-.Fa "BIO *bp"
-.Fa "EVP_PKEY **val_out"
-.Fc
-.Ft EVP_PKEY *
-.Fo d2i_PUBKEY_fp
-.Fa "FILE *fp"
-.Fa "EVP_PKEY **val_out"
-.Fc
-.Ft int
-.Fo i2d_PUBKEY_fp
-.Fa "FILE *fp"
-.Fa "EVP_PKEY *val_in"
-.Fc
-.Ft int
-.Fo i2d_PUBKEY_bio
-.Fa "BIO *bp"
-.Fa "EVP_PKEY *val_in"
-.Fc
-.Ft int
-.Fo X509_PUBKEY_set0_param
-.Fa "X509_PUBKEY *pub"
-.Fa "ASN1_OBJECT *aobj"
-.Fa "int ptype"
-.Fa "void *pval"
-.Fa "unsigned char *penc"
-.Fa "int penclen"
-.Fc
-.Ft int
-.Fo X509_PUBKEY_get0_param
-.Fa "ASN1_OBJECT **ppkalg"
-.Fa "const unsigned char **pk"
-.Fa "int *ppklen"
-.Fa "X509_ALGOR **pa"
-.Fa "X509_PUBKEY *pub"
-.Fc
-.Sh DESCRIPTION
-The
-.Vt X509_PUBKEY
-structure represents the ASN.1
-.Vt SubjectPublicKeyInfo
-structure defined in RFC 5280 section 4.1 and used in certificates
-and certificate requests.
-.Pp
-.Fn X509_PUBKEY_new
-allocates and initializes an
-.Vt X509_PUBKEY
-structure.
-.Pp
-.Fn X509_PUBKEY_free
-frees up the
-.Vt X509_PUBKEY
-structure
-.Fa a .
-If
-.Fa a
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn X509_PUBKEY_set
-sets the public key in
-.Pf * Fa x
-to the public key contained in the
-.Vt EVP_PKEY
-structure
-.Fa pkey .
-If
-.Pf * Fa x
-is not
-.Dv NULL ,
-any existing public key structure will be freed.
-.Pp
-.Fn X509_PUBKEY_get0
-returns the public key contained in
-.Fa key .
-The returned value is an internal pointer which must not be freed after use.
-.Pp
-.Fn X509_PUBKEY_get
-is similar to
-.Fn X509_PUBKEY_get0
-except that the reference
-count on the returned key is incremented so it must be freed using
-.Xr EVP_PKEY_free 3
-after use.
-.Pp
-.Fn d2i_X509_PUBKEY ,
-.Fn i2d_X509_PUBKEY ,
-.Fn d2i_PUBKEY ,
-and
-.Fn i2d_PUBKEY
-decode and encode an ASN.1
-.Vt SubjectPublicKeyInfo
-structure using either the
-.Vt X509_PUBKEY
-or the
-.Vt EVP_PKEY
-object type, respectively.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Fn d2i_PUBKEY_bio ,
-.Fn d2i_PUBKEY_fp ,
-.Fn i2d_PUBKEY_bio
-and
-.Fn i2d_PUBKEY_fp
-are similar to
-.Fn d2i_PUBKEY
-and
-.Fn i2d_PUBKEY
-except they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn X509_PUBKEY_set0_param
-sets the public key parameters of
-.Fa pub .
-The OID associated with the algorithm is set to
-.Fa aobj .
-The type of the algorithm parameters is set to
-.Fa ptype
-using the structure
-.Fa pval .
-The encoding of the public key itself is set to the
-.Fa penclen
-bytes contained in buffer
-.Fa penc .
-On success ownership of all the supplied parameters is passed to
-.Fa pub
-so they must not be freed after the call.
-.Pp
-.Fn X509_PUBKEY_get0_param
-retrieves the public key parameters from
-.Fa pub ,
-.Pf * Fa ppkalg
-is set to the associated OID and the encoding consists of
-.Pf * Fa ppklen
-bytes at
-.Pf * Fa pk ,
-and
-.Pf * Fa pa
-is set to the associated
-.Vt AlgorithmIdentifier
-for the public key.
-If the value of any of these parameters is not required,
-it can be set to
-.Dv NULL .
-All of the retrieved pointers are internal and must not be freed after
-the call.
-.Sh RETURN VALUES
-If the allocation fails,
-.Fn X509_PUBKEY_new
-returns
-.Dv NULL
-and sets an error code that can be obtained by
-.Xr ERR_get_error 3 .
-Otherwise it returns a pointer to the newly allocated structure.
-.Pp
-.Fn X509_PUBKEY_get0
-returns an internal pointer or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn X509_PUBKEY_get
-returns a pointer to an object that had its reference count incremented or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn d2i_X509_PUBKEY ,
-.Fn d2i_PUBKEY ,
-.Fn d2i_PUBKEY_bio ,
-and
-.Fn d2i_PUBKEY_fp
-return a pointer to a valid object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_X509_PUBKEY
-and
-.Fn i2d_PUBKEY
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Pp
-.Fn X509_PUBKEY_set ,
-.Fn X509_PUBKEY_set0_param ,
-.Fn X509_PUBKEY_get0_param ,
-.Fn i2d_PUBKEY_fp ,
-and
-.Fn i2d_PUBKEY_bio
-return 1 for success and 0 if an error occurred.
-.Sh ERRORS
-After failure of
-.Fn X509_PUBKEY_get0
-or
-.Fn X509_PUBKEY_get ,
-one of the following diagnostics can be retrieved with
-.Xr ERR_get_error 3 ,
-.Xr ERR_GET_REASON 3 ,
-and
-.Xr ERR_reason_error_string 3 :
-.Bl -tag -width Ds
-.It Dv X509_R_UNSUPPORTED_ALGORITHM Qq "unsupported algorithm"
-The public key uses an algorithm unsupported by
-.Xr EVP_PKEY_set_type 3 .
-.It X509_R_METHOD_NOT_SUPPORTED Qq "method not supported"
-While the algorithm is known to
-.Xr EVP_PKEY_set_type 3 ,
-using it for decoding is not supported.
-.It X509_R_PUBLIC_KEY_DECODE_ERROR Qq "public key decode error"
-Decoding the public key failed.
-.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
-Memory was exhausted when trying to allocate the new
-.Vt EVP_PKEY
-object.
-.El
-.Pp
-If
-.Fa key
-is
-.Dv NULL
-or does not contain a public key,
-these functions fail but no error is pushed onto the stack.
-.Sh SEE ALSO
-.Xr d2i_X509 3 ,
-.Xr X509_ALGOR_new 3 ,
-.Xr X509_get_pubkey 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Sh HISTORY
-.Fn X509_PUBKEY_new
-and
-.Fn X509_PUBKEY_free
-appeared in SSLeay 0.4 or earlier.
-.Fn d2i_X509_PUBKEY
-and
-.Fn i2d_X509_PUBKEY
-first appeared in SSLeay 0.5.1.
-.Fn X509_PUBKEY_set
-and
-.Fn X509_PUBKEY_get
-first appeared in SSLeay 0.8.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn d2i_PUBKEY
-and
-.Fn i2d_PUBKEY
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-.Fn d2i_PUBKEY_bio ,
-.Fn d2i_PUBKEY_fp ,
-.Fn i2d_PUBKEY_fp ,
-and
-.Fn i2d_PUBKEY_bio
-first appeared in OpenSSL 0.9.6 and have been available since
-.Ox 2.9 .
-.Pp
-.Fn X509_PUBKEY_set0_param
-and
-.Fn X509_PUBKEY_get0_param
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
-.Pp
-.Fn X509_PUBKEY_get0
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/X509_PURPOSE_set.3 b/src/lib/libcrypto/man/X509_PURPOSE_set.3
deleted file mode 100644
index 1f723e9b9f..0000000000
--- a/src/lib/libcrypto/man/X509_PURPOSE_set.3
+++ /dev/null
@@ -1,295 +0,0 @@
-.\" $OpenBSD: X509_PURPOSE_set.3,v 1.1 2021/07/23 14:27:32 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 23 2021 $
-.Dt X509_PURPOSE_SET 3
-.Os
-.Sh NAME
-.Nm X509_PURPOSE_set ,
-.Nm X509_PURPOSE_get_by_id ,
-.Nm X509_PURPOSE_add ,
-.Nm X509_PURPOSE_get_count ,
-.Nm X509_PURPOSE_cleanup ,
-.Nm X509_PURPOSE_get0 ,
-.Nm X509_PURPOSE_get_by_sname ,
-.Nm X509_PURPOSE_get_id ,
-.Nm X509_PURPOSE_get0_name ,
-.Nm X509_PURPOSE_get0_sname ,
-.Nm X509_PURPOSE_get_trust
-.Nd purpose objects, indices, and identifiers
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft int
-.Fo X509_PURPOSE_set
-.Fa "int *id_out"
-.Fa "int id_in"
-.Fc
-.Ft int
-.Fn X509_PURPOSE_get_by_id "int identifier"
-.Ft int
-.Fo X509_PURPOSE_add
-.Fa "int identifier"
-.Fa "int trust"
-.Fa "int flags"
-.Fa "int (*check_purpose)(const X509_PURPOSE *, const X509 *, int)"
-.Fa "const char *name"
-.Fa "const char *sname"
-.Fa "void *usr_data"
-.Fc
-.Ft int
-.Fn X509_PURPOSE_get_count void
-.Ft void
-.Fn X509_PURPOSE_cleanup void
-.Ft X509_PURPOSE *
-.Fn X509_PURPOSE_get0 "int index"
-.Ft int
-.Fn X509_PURPOSE_get_by_sname "const char *sname"
-.Ft int
-.Fn X509_PURPOSE_get_id "const X509_PURPOSE *object"
-.Ft char *
-.Fn X509_PURPOSE_get0_name "const X509_PURPOSE *object"
-.Ft char *
-.Fn X509_PURPOSE_get0_sname "const X509_PURPOSE *object"
-.Ft int
-.Fn X509_PURPOSE_get_trust "const X509_PURPOSE *object"
-.Sh DESCRIPTION
-The purposes that an X.509 certificate is intended to be used for
-can be identified in three equivalent ways:
-.Bl -enum
-.It
-By purpose identifiers, which are positive integer constants.
-Standard purpose identifiers lie in the range from
-.Dv X509_PURPOSE_MIN
-to
-.Dv X509_PURPOSE_MAX ,
-inclusive, and are listed in the
-.Xr X509_check_purpose 3
-manual page.
-User defined purpose identifiers are larger than
-.Dv X509_PURPOSE_MAX .
-.It
-By purpose indices, which are non-negative integer constants
-but differ from the purpose identifiers for the same purpose.
-Standard purpose indices are smaller than
-.Dv X509_PURPOSE_MAX .
-User defined purpose indices are larger than or equal to
-.Dv X509_PURPOSE_MAX .
-.It
-By purpose objects of the type
-.Vt X509_PURPOSE .
-Standard purpose objects are available in static storage.
-User defined purpose objects can be created with
-.Fn X509_PURPOSE_add .
-.El
-.Pp
-Application programmers cannot choose the way to identify purposes
-that they like best; depending on the circumstances, all three ways
-are needed.
-Be warned that the naming of most functions is misleading.
-.Pp
-Most API functions documented outside the present manual page
-use purpose identifiers rather than purpose indices.
-.Ss Using purpose identifiers
-.Fn X509_PURPOSE_set
-validates the purpose identifier
-.Fa id_in .
-If it is valid, it is copied to
-.Pf * Fa id_out .
-Otherwise,
-.Pf * Fa id_out
-remains unchanged.
-.Pp
-.Fn X509_PURPOSE_get_by_id
-converts the purpose
-.Fa identifier
-to the corresponding purpose index.
-To find the corresponding purpose object, pass the result to
-.Fn X509_PURPOSE_get0 .
-.Pp
-.Fn X509_PURPOSE_add
-defines a purpose with the given
-.Fa identifier
-or modifies its properties if it already exists.
-The purpose
-.Fa identifier ,
-the
-.Fa trust
-identifier, the
-.Fa flags ,
-the
-.Fa check_purpose
-function, the
-.Fa name ,
-the short name
-.Fa sname ,
-and the
-.Fa usr_data
-pointer are copied into the
-.Vt X509_PURPOSE
-object.
-When modifying an existing purpose object, previous values of fields are
-overwritten and previous
-.Fa name
-and
-.Fa sname
-strings are freed if they were dynamically allocated.
-When creating a new purpose object,
-it is added to the global array of user-defined purpose objects.
-.Pp
-.Dv X509_PURPOSE_DYNAMIC
-and
-.Dv X509_PURPOSE_DYNAMIC_NAME
-are always ignored in the
-.Fa flags
-argument.
-.Dv X509_PURPOSE_DYNAMIC
-is automatically set if the object was created by the user.
-It is never set for standard objects, not even if they were
-modified by the user.
-.Dv X509_PURPOSE_DYNAMIC_NAME
-is automatically set if the object was created or modified by the user.
-It is only unset for unmodified standard objects.
-The library does not appear to define any other flags, so the
-.Fa flags
-argument is probably useless unless users define their own flags
-and use them in the
-.Fa check_purpose
-function.
-.Pp
-The third and final argument of the
-.Fa check_purpose
-function is the
-.Fa ca
-argument documented in
-.Xr X509_check_purpose 3 .
-.Pp
-.Fn X509_PURPOSE_get_count
-returns the total number of purposes currently defined,
-including both standard and user-defined purposes.
-If no user-defined purposes exist, the returned value is
-.Dv X509_PURPOSE_MAX .
-.Pp
-.Fn X509_PURPOSE_cleanup
-deletes all user-defined purpose objects
-and invalidates their purpose identifiers and purpose indices.
-If any of the standard purpose objects were modified by the user,
-those changes are
-.Em not
-reverted.
-.Ss Using purpose indices
-.Fn X509_PURPOSE_get0
-converts the purpose
-.Fa index
-to a pointer to the corresponding purpose object.
-To find the corresponding purpose identifier, pass the result to
-.Fn X509_PURPOSE_get_id .
-.Pp
-.Fn X509_PURPOSE_get_by_sname
-returns the lowest index of a purpose with the given short name.
-.Ss Using purpose objects
-.Fn X509_PURPOSE_get_id
-converts a pointer to a purpose
-.Fa object
-to the corresponding purpose identifier.
-To find the corresponding purpose index, pass the result to
-.Fn X509_PURPOSE_get_by_id .
-.Pp
-.Fn X509_PURPOSE_get0_name ,
-.Fn X509_PURPOSE_get0_sname ,
-and
-.Fn X509_PURPOSE_get_trust
-retrieve the name, short name, and trust identifier from the
-.Fa object ,
-respectively.
-.Sh RETURN VALUES
-.Fn X509_PURPOSE_set
-returns 1 if
-.Fa id_in
-is valid or 0 otherwise.
-.Pp
-.Fn X509_PURPOSE_get_by_id
-and
-.Fn X509_PURPOSE_get_by_sname
-return the corresponding purpose index
-or \-1 if no matching purpose is found.
-.Pp
-.Fn X509_PURPOSE_add
-returns 1 for success or 0 for failure.
-.Pp
-.Fn X509_PURPOSE_get_count
-returns the total number of purposes currently defined.
-.Pp
-.Fn X509_PURPOSE_get0
-returns a standard or user-defined purpose object or
-.Dv NULL
-if the
-.Fa index
-is invalid.
-.Pp
-.Fn X509_PURPOSE_get_id
-always returns a valid purpose identifier.
-.Pp
-.Fn X509_PURPOSE_get0_name
-and
-.Fn X509_PURPOSE_get0_sname
-return pointers to storage owned by the
-.Fa object .
-.Pp
-.Fn X509_PURPOSE_get_trust
-returns the trust identifier associated with the
-.Fa object .
-.Sh ERRORS
-The following diagnostics can be retrieved with
-.Xr ERR_get_error 3 ,
-.Xr ERR_GET_REASON 3 ,
-and
-.Xr ERR_reason_error_string 3 :
-.Bl -tag -width Ds
-.It Dv X509V3_R_INVALID_PURPOSE Qq "invalid purpose"
-.Fn X509_PURPOSE_set
-was called with an invalid
-.Fa id_in
-argument.
-.It Dv X509V3_R_INVALID_NULL_ARGUMENT Qq "invalid null argument"
-.Fn X509_PURPOSE_add
-was called with a
-.Fa name
-or
-.Fa sname
-argument of
-.Dv NULL .
-.It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
-.Fn X509_PURPOSE_add
-failed to allocate memory.
-.El
-.Pp
-The other functions provide no diagnostics.
-.Sh SEE ALSO
-.Xr X509_check_purpose 3 ,
-.Xr X509_new 3 ,
-.Xr X509_STORE_set_purpose 3 ,
-.Xr X509_VERIFY_PARAM_set_purpose 3
-.Sh HISTORY
-.Fn X509_PURPOSE_set
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
-.Pp
-The other functions first appeared in OpenSSL 0.9.5
-and have been available since
-.Ox 2.7 .
-.Sh CAVEATS
-The difference between purpose identifiers and purpose indices provides
-an ideal breeding ground for off-by-one bugs.
diff --git a/src/lib/libcrypto/man/X509_REQ_add1_attr.3 b/src/lib/libcrypto/man/X509_REQ_add1_attr.3
deleted file mode 100644
index f9b602dbef..0000000000
--- a/src/lib/libcrypto/man/X509_REQ_add1_attr.3
+++ /dev/null
@@ -1,172 +0,0 @@
-.\" $OpenBSD: X509_REQ_add1_attr.3,v 1.4 2024/09/02 07:56:28 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 2 2024 $
-.Dt X509_REQ_ADD1_ATTR 3
-.Os
-.Sh NAME
-.Nm X509_REQ_add1_attr ,
-.Nm X509_REQ_add1_attr_by_OBJ ,
-.Nm X509_REQ_add1_attr_by_NID ,
-.Nm X509_REQ_add1_attr_by_txt ,
-.Nm X509_REQ_delete_attr ,
-.Nm X509_REQ_get_attr ,
-.Nm X509_REQ_get_attr_count ,
-.Nm X509_REQ_get_attr_by_OBJ ,
-.Nm X509_REQ_get_attr_by_NID
-.Nd X.501 Attributes of PKCS#10 certification requests
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_REQ_add1_attr
-.Fa "X509_REQ *req"
-.Fa "X509_ATTRIBUTE *attr"
-.Fc
-.Ft int
-.Fo X509_REQ_add1_attr_by_OBJ
-.Fa "X509_REQ *req"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "int type"
-.Fa "const unsigned char *data"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo X509_REQ_add1_attr_by_NID
-.Fa "X509_REQ *req"
-.Fa "int nid"
-.Fa "int type"
-.Fa "const unsigned char *data"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo X509_REQ_add1_attr_by_txt
-.Fa "X509_REQ *req"
-.Fa "const char *name"
-.Fa "int type"
-.Fa "const unsigned char *data"
-.Fa "int len"
-.Fc
-.Ft X509_ATTRIBUTE *
-.Fo X509_REQ_delete_attr
-.Fa "X509_REQ *req"
-.Fa "int index"
-.Fc
-.Ft X509_ATTRIBUTE *
-.Fo X509_REQ_get_attr
-.Fa "const X509_REQ *req"
-.Fa "int index"
-.Fc
-.Ft int
-.Fo X509_REQ_get_attr_count
-.Fa "const X509_REQ *req"
-.Fc
-.Ft int
-.Fo X509_REQ_get_attr_by_OBJ
-.Fa "const X509_REQ *req"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "int start_after"
-.Fc
-.Ft int
-.Fo X509_REQ_get_attr_by_NID
-.Fa "const X509_REQ *req"
-.Fa "int nid"
-.Fa "int start_after"
-.Fc
-.Sh DESCRIPTION
-These functions support associating an array of X.501 Attributes
-with a PKCS#10 certification request.
-.Pp
-.Fn X509_REQ_add1_attr
-appends a deep copy of the
-.Fa attr ,
-allocating a new array if necessary.
-.Pp
-.Fn X509_REQ_add1_attr_by_OBJ ,
-.Fn X509_REQ_add1_attr_by_NID ,
-and
-.Fn X509_REQ_add1_attr_by_txt
-create a new X.501 Attribute object using
-.Xr X509_ATTRIBUTE_create_by_OBJ 3 ,
-.Xr X509_ATTRIBUTE_create_by_NID 3 ,
-or
-.Xr X509_ATTRIBUTE_create_by_txt 3 ,
-respectively,
-allocating a new array if necessary.
-.Pp
-.Fn X509_REQ_delete_attr
-deletes the attribute with the zero-based
-.Fa index .
-.Pp
-.Fn X509_REQ_get_attr
-returns the attribute with the zero-based
-.Fa index .
-.Pp
-.Fn X509_REQ_get_attr_count
-returns the number of attributes currently associated with
-.Fa req .
-.Pp
-.Fn X509_REQ_get_attr_by_OBJ
-and
-.Fn X509_REQ_get_attr_by_NID
-search for an attribute of the type
-.Fa obj
-or
-.Fa nid .
-.Sh RETURN VALUES
-.Fn X509_REQ_add1_attr ,
-.Fn X509_REQ_add1_attr_by_OBJ ,
-.Fn X509_REQ_add1_attr_by_NID ,
-and
-.Fn X509_REQ_add1_attr_by_txt
-return 1 for success or 0 for failure.
-.Pp
-.Fn X509_REQ_delete_attr
-and
-.Fn X509_REQ_get_attr
-return the deleted or requested attribute or
-.Dv NULL
-if the requested index is negative or greater than or equal to
-the current number of attributes associated with
-.Fa req .
-.Pp
-.Fn X509_REQ_get_attr_count
-returns the current number of attributes.
-.Pp
-.Fn X509_REQ_get_attr_by_OBJ
-and
-.Fn X509_REQ_get_attr_by_NID
-return the index of the first attribute that has an index greater than
-.Fa start_after
-and a type matching
-.Fa obj
-or
-.Fa nid ,
-respectively, or \-1 on failure.
-In addition,
-.Fn X509_REQ_get_attr_by_NID
-returns \-2 if
-.Xr OBJ_nid2obj 3
-fails on the requested
-.Fa nid .
-.Sh SEE ALSO
-.Xr OBJ_nid2obj 3 ,
-.Xr X509_ATTRIBUTE_create_by_OBJ 3 ,
-.Xr X509_ATTRIBUTE_new 3 ,
-.Xr X509_REQ_new 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.5
-and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/X509_REQ_add_extensions.3 b/src/lib/libcrypto/man/X509_REQ_add_extensions.3
deleted file mode 100644
index ff33edf474..0000000000
--- a/src/lib/libcrypto/man/X509_REQ_add_extensions.3
+++ /dev/null
@@ -1,113 +0,0 @@
-.\" $OpenBSD: X509_REQ_add_extensions.3,v 1.2 2024/08/18 11:04:55 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: August 18 2024 $
-.Dt X509_REQ_ADD_EXTENSIONS 3
-.Os
-.Sh NAME
-.Nm X509_REQ_add_extensions ,
-.Nm X509_REQ_add_extensions_nid ,
-.Nm X509_REQ_get_extensions ,
-.Nm X509_REQ_extension_nid
-.Nd extensions in certification requests
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_REQ_add_extensions
-.Fa "X509_REQ *req"
-.Fa "STACK_OF(X509_EXTENSION) *extensions"
-.Fc
-.Ft int
-.Fo X509_REQ_add_extensions_nid
-.Fa "X509_REQ *req"
-.Fa "STACK_OF(X509_EXTENSION) *extensions"
-.Fa "int nid"
-.Fc
-.Ft STACK_OF(X509_EXTENSION) *
-.Fn X509_REQ_get_extensions "X509_REQ *req"
-.Ft int
-.Fn X509_REQ_extension_nid "int nid"
-.Sh DESCRIPTION
-.Fn X509_REQ_add_extensions
-encodes the array of
-.Fa extensions
-using
-.Xr i2d_X509_EXTENSIONS 3
-and adds a new X.501 Attribute object of the type
-.Dv NID_ext_req
-to
-.Fa req
-using the equivalent of
-.Xr X509_ATTRIBUTE_create_by_NID 3
-with a
-.Fa type
-of
-.Dv V_ASN1_SEQUENCE .
-.Pp
-.Fn X509_REQ_add_extensions_nid
-is identical except that the specified
-.Fa nid
-is used as the X.501 Attribute type instead of
-.Dv NID_ext_req .
-.Pp
-.Fn X509_REQ_get_extensions
-retrieves the first value of the first X.501 Attribute of appropriate type.
-By default, the attribute types
-.Dv NID_ext_req
-and
-.Dv NID_ms_ext_req
-are considered appropriate.
-.Pp
-.Fn X509_REQ_extension_nid
-checks whether
-.Fn X509_REQ_get_extensions
-regards the
-.Fa nid
-argument as a type appropriate for storing extensions.
-.Sh RETURN VALUES
-.Fn X509_REQ_add_extensions
-and
-.Fn X509_REQ_add_extensions_nid
-returns 1 for success or 0 for failure.
-.Pp
-.Fn X509_REQ_get_extensions
-returns a newly allocated array of ASN.1
-.Vt Extension
-objects or
-.Dv NULL
-if
-.Fa req
-is
-.Dv NULL ,
-does not contain
-.Vt CertificationRequestInfo ,
-contains no attribute of an appropriate type,
-or if decoding or memory allocation fails.
-.Pp
-.Fn X509_REQ_extension_nid
-returns 1 if
-.Fa nid
-is considered appropriate or 0 otherwise.
-.Sh SEE ALSO
-.Xr d2i_X509_EXTENSION 3 ,
-.Xr STACK_OF 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_REQ_new 3 ,
-.Xr X509V3_extensions_print 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.5
-and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/X509_REQ_new.3 b/src/lib/libcrypto/man/X509_REQ_new.3
deleted file mode 100644
index 0a5828d5d4..0000000000
--- a/src/lib/libcrypto/man/X509_REQ_new.3
+++ /dev/null
@@ -1,145 +0,0 @@
-.\" $OpenBSD: X509_REQ_new.3,v 1.11 2021/10/29 09:42:07 schwarze Exp $
-.\"
-.\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 29 2021 $
-.Dt X509_REQ_NEW 3
-.Os
-.Sh NAME
-.Nm X509_REQ_new ,
-.Nm X509_REQ_dup ,
-.Nm X509_to_X509_REQ ,
-.Nm X509_REQ_free ,
-.Nm X509_REQ_INFO_new ,
-.Nm X509_REQ_INFO_free
-.Nd PKCS#10 certification requests
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_REQ *
-.Fn X509_REQ_new void
-.Ft X509_REQ *
-.Fn X509_REQ_dup "X509_REQ *req"
-.Ft X509_REQ *
-.Fn X509_to_X509_REQ "X509 *x" "EVP_PKEY *pkey" "const EVP_MD *md"
-.Ft void
-.Fn X509_REQ_free "X509_REQ *req"
-.Ft X509_REQ_INFO *
-.Fn X509_REQ_INFO_new void
-.Ft void
-.Fn X509_REQ_INFO_free "X509_REQ_INFO *req_info"
-.Sh DESCRIPTION
-.Fn X509_REQ_new
-allocates and initializes an empty
-.Vt X509_REQ
-object, representing an ASN.1
-.Vt CertificationRequest
-structure defined in RFC 2986 section 4.2.
-It can hold a pointer to an
-.Vt X509_REQ_INFO
-object discussed below together with a cryptographic signature and
-information about the signature algorithm used.
-.Pp
-.Fn X509_REQ_dup
-creates a deep copy of
-.Fa req
-using
-.Xr ASN1_item_dup 3 ,
-setting the reference count of the copy to 1.
-.Pp
-.Fn X509_to_X509_REQ
-allocates a new certification request object, copies
-the subject name and the public key into it from the certificate
-.Fa x ,
-and sets the version to zero.
-Unless
-.Fa pkey
-is
-.Dv NULL ,
-it also signs the request with
-.Xr X509_REQ_sign 3
-using
-.Fa pkey
-and
-.Fa md .
-.Pp
-.Fn X509_REQ_free
-frees
-.Fa req .
-If
-.Fa req
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn X509_REQ_INFO_new
-allocates and initializes an empty
-.Vt X509_REQ_INFO
-object, representing an ASN.1
-.Vt CertificationRequestInfo
-structure defined in RFC 2986 section 4.1.
-It is used inside the
-.Vt X509_REQ
-object and can hold the subject and the public key of the requested
-certificate and additional attributes.
-.Fn X509_REQ_INFO_free
-frees
-.Fa req_info .
-If
-.Fa req_info
-is a
-.Dv NULL
-pointer, no action occurs.
-.Sh RETURN VALUES
-.Fn X509_REQ_new ,
-.Fn X509_REQ_dup ,
-.Fn X509_to_X509_REQ ,
-and
-.Fn X509_REQ_INFO_new
-return the new
-.Vt X509_REQ
-or
-.Vt X509_REQ_INFO
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr d2i_X509_REQ 3 ,
-.Xr PEM_read_X509_REQ 3 ,
-.Xr X509_new 3 ,
-.Xr X509_REQ_add1_attr 3 ,
-.Xr X509_REQ_add_extensions 3 ,
-.Xr X509_REQ_check_private_key 3 ,
-.Xr X509_REQ_digest 3 ,
-.Xr X509_REQ_get0_signature 3 ,
-.Xr X509_REQ_get_pubkey 3 ,
-.Xr X509_REQ_get_subject_name 3 ,
-.Xr X509_REQ_get_version 3 ,
-.Xr X509_REQ_print_ex 3 ,
-.Xr X509_REQ_sign 3
-.Sh STANDARDS
-RFC 2986: PKCS #10: Certification Request Syntax Specification
-.Sh HISTORY
-.Fn X509_REQ_new ,
-.Fn X509_REQ_free ,
-.Fn X509_REQ_INFO_new ,
-and
-.Fn X509_REQ_INFO_free
-first appeared in SSLeay 0.4.4,
-.Fn X509_REQ_dup
-in SSLeay 0.5.1, and
-.Fn X509_to_X509_REQ
-in SSLeay 0.6.0.
-These functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/X509_REQ_print_ex.3 b/src/lib/libcrypto/man/X509_REQ_print_ex.3
deleted file mode 100644
index eee06abb21..0000000000
--- a/src/lib/libcrypto/man/X509_REQ_print_ex.3
+++ /dev/null
@@ -1,173 +0,0 @@
-.\" $OpenBSD: X509_REQ_print_ex.3,v 1.3 2025/03/09 14:02:46 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 9 2025 $
-.Dt X509_REQ_PRINT_EX 3
-.Os
-.Sh NAME
-.Nm X509_REQ_print_ex ,
-.Nm X509_REQ_print ,
-.Nm X509_REQ_print_fp
-.Nd pretty-print a PKCS#10 certification request
-.Sh SYNOPSIS
-.Ft int
-.Fo X509_REQ_print_ex
-.Fa "BIO *bio"
-.Fa "X509_REQ *req"
-.Fa "unsigned long nameflags"
-.Fa "unsigned long skipflags"
-.Fc
-.Ft int
-.Fo X509_REQ_print
-.Fa "BIO *bio"
-.Fa "X509_REQ *req"
-.Fc
-.Ft int
-.Fo X509_REQ_print_fp
-.Fa "FILE *fp"
-.Fa "X509_REQ *req"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_REQ_print_ex
-prints information contained in
-.Fa req
-to
-.Fa bio
-in human-readable form.
-Printing is aborted as soon as any operation fails, with the exception
-that failures while attempting to decode or print the public key
-are not considered as errors.
-.Pp
-By default, the following blocks of information
-are printed in the following order.
-Each block can be skipped by setting the corresponding bit in
-.Fa skipflags ,
-provided in parentheses after each block description.
-.Bl -bullet
-.It
-A pair of lines reading
-.Qq Certificate Request:\&
-and
-.Qq Data:\&
-containing no information.
-.Pq Dv X509_FLAG_NO_HEADER
-.It
-The value contained in the version field
-in decimal and hexadecimal notation.
-.Pq Dv X509_FLAG_NO_VERSION
-.It
-The subject name is printed with
-.Xr X509_NAME_print_ex 3 .
-.Pq Dv X509_FLAG_NO_SUBJECT
-.It
-The public key algorithm is printed with
-.Xr i2a_ASN1_OBJECT 3 ,
-and the public key returned from
-.Xr X509_REQ_get_pubkey 3
-with
-.Xr EVP_PKEY_print_public 3 .
-.Pq Dv X509_FLAG_NO_PUBKEY
-.It
-For each X.501 attribute that is not a requested extension according to
-.Xr X509_REQ_extension_nid 3 ,
-the object identifier is printed with
-.Xr i2a_ASN1_OBJECT 3 ,
-and all values of the types
-.Dv V_ASN1_PRINTABLESTRING ,
-.Dv V_ASN1_T61STRING ,
-and
-.Dv V_ASN1_IA5STRING
-are printed with
-.Xr BIO_write 3 .
-.Pq Dv X509_FLAG_NO_ATTRIBUTES
-.It
-The requested extensions are retrieved with
-.Xr X509_REQ_get_extensions 3
-and their types and values are printed with
-.Xr i2a_ASN1_OBJECT 3
-and
-.Xr X509V3_EXT_print 3 ,
-or, if the latter fails, with
-.Xr ASN1_STRING_print 3 .
-.Pq Dv X509_FLAG_NO_EXTENSIONS
-.It
-The signature is printed with
-.Xr X509_signature_print 3 .
-.Pq Dv X509_FLAG_NO_SIGDUMP
-.El
-.Pp
-The
-.Fa nameflags
-argument modifies the format for printing X.501
-.Vt Name
-objects contained in
-.Fa req .
-It is passed through to
-.Xr X509_NAME_print_ex 3 .
-If
-.Fa nameflags
-is
-.Dv X509_FLAG_COMPAT ,
-the
-.Fa indent
-argument of
-.Xr X509_NAME_print_ex 3
-is set to 16 spaces and the traditional SSLeay format is used.
-Otherwise, if the only bit set in
-.Dv XN_FLAG_SEP_MASK
-is
-.Dv XN_FLAG_SEP_MULTILINE ,
-.Fa indent
-is set to 12 spaces.
-Otherwise, indent is set to zero.
-.Pp
-.Fn X509_REQ_print
-is a wrapper function setting the
-.Fa nameflags
-to
-.Dv XN_FLAG_COMPAT
-and the
-.Fa skipflags
-to
-.Dv X509_FLAG_COMPAT .
-.Pp
-.Fn X509_REQ_print_fp
-is similar to
-.Fn X509_REQ_print
-except that it prints to
-.Fa fp .
-.Sh RETURN VALUES
-These functions return 1 if all requested information was successfully
-printed, even if failures occurred while attempting to decode or
-print the public key, or 0 if any operation fails.
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr X509_print_ex 3 ,
-.Xr X509_REQ_new 3
-.Sh HISTORY
-.Fn X509_REQ_print
-first appeared in SSLeay 0.4.4 and
-.Fn X509_REQ_print_fp
-in SSLeay 0.6.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_REQ_print_ex
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
-.Sh BUGS
-Some printing failures are silently ignored while printing extensions,
-which may result in incomplete data being printed.
diff --git a/src/lib/libcrypto/man/X509_REVOKED_new.3 b/src/lib/libcrypto/man/X509_REVOKED_new.3
deleted file mode 100644
index c1a50d1c9a..0000000000
--- a/src/lib/libcrypto/man/X509_REVOKED_new.3
+++ /dev/null
@@ -1,213 +0,0 @@
-.\" $OpenBSD: X509_REVOKED_new.3,v 1.12 2021/07/19 13:16:43 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL man3/X509_CRL_get0_by_serial cdd6c8c5 Mar 20 12:29:37 2017 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 19 2021 $
-.Dt X509_REVOKED_NEW 3
-.Os
-.Sh NAME
-.Nm X509_REVOKED_new ,
-.Nm X509_REVOKED_dup ,
-.Nm X509_REVOKED_free ,
-.Nm X509_REVOKED_get0_serialNumber ,
-.Nm X509_REVOKED_get0_revocationDate ,
-.Nm X509_REVOKED_set_serialNumber ,
-.Nm X509_REVOKED_set_revocationDate
-.Nd create, change, and inspect an X.509 CRL revoked entry
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_REVOKED *
-.Fn X509_REVOKED_new void
-.Ft X509_REVOKED *
-.Fo X509_REVOKED_dup
-.Fa "X509_REVOKED *r"
-.Fc
-.Ft void
-.Fn X509_REVOKED_free "X509_REVOKED *r"
-.Ft const ASN1_INTEGER *
-.Fo X509_REVOKED_get0_serialNumber
-.Fa "const X509_REVOKED *r"
-.Fc
-.Ft const ASN1_TIME *
-.Fo X509_REVOKED_get0_revocationDate
-.Fa "const X509_REVOKED *r"
-.Fc
-.Ft int
-.Fo X509_REVOKED_set_serialNumber
-.Fa "X509_REVOKED *r"
-.Fa "ASN1_INTEGER *serial"
-.Fc
-.Ft int
-.Fo X509_REVOKED_set_revocationDate
-.Fa "X509_REVOKED *r"
-.Fa "ASN1_TIME *tm"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_REVOKED_new
-allocates and initializes an empty
-.Vt X509_REVOKED
-object, representing one of the elements of
-the revokedCertificates field of the ASN.1
-.Vt TBSCertList
-structure defined in RFC 5280 section 5.1.
-It is used by
-.Vt X509_CRL
-objects and can hold information about one revoked certificate
-including issuer names, serial number, revocation date, and revocation
-reason.
-.Pp
-.Fn X509_REVOKED_dup
-creates a deep copy of
-.Fa r .
-.Pp
-.Fn X509_REVOKED_free
-frees
-.Fa r .
-.Pp
-.Fn X509_REVOKED_set_serialNumber
-sets the serial number of
-.Fa r
-to
-.Fa serial .
-The supplied
-.Fa serial
-pointer is not used internally so it should be freed up after use.
-.Pp
-.Fn X509_REVOKED_set_revocationDate
-sets the revocation date of
-.Fa r
-to
-.Fa tm .
-The supplied
-.Fa tm
-pointer is not used internally so it should be freed up after use.
-.Sh RETURN VALUES
-The
-.Fn X509_REVOKED_new
-function returns the new
-.Vt X509_REVOKED
-object if successful; otherwise
-.Dv NULL
-is returned and an error code can be retrieved with
-.Xr ERR_get_error 3 .
-.Pp
-.Fn X509_REVOKED_dup
-return the new
-.Vt X509_REVOKED
-object or
-.Dv NULL
-if an error occurs.
-In some cases of failure, the reason can be determined with
-.Xr ERR_get_error 3 .
-.Pp
-.Fn X509_REVOKED_get0_serialNumber
-returns an internal pointer to the serial number of
-.Fa r .
-.Pp
-.Fn X509_REVOKED_get0_revocationDate
-returns an internal pointer to the revocation date of
-.Fa r .
-.Pp
-.Fn X509_REVOKED_set_serialNumber
-and
-.Fn X509_REVOKED_set_revocationDate
-return 1 for success or 0 for failure.
-In some cases of failure, the reason can be determined with
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr d2i_X509_CRL 3 ,
-.Xr PEM_read_X509_CRL 3 ,
-.Xr X509_CRL_get0_by_serial 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_CRL_print 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_REVOKED_get_ext 3 ,
-.Xr X509_REVOKED_get_ext_d2i 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile, section 5.1: CRL Fields
-.Sh HISTORY
-.Fn X509_REVOKED_new
-and
-.Fn X509_REVOKED_free
-first appeared in SSLeay 0.4.4 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_REVOKED_set_serialNumber
-and
-.Fn X509_REVOKED_set_revocationDate
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn X509_REVOKED_dup
-first appeared in OpenSSL 1.0.2.
-.Fn X509_REVOKED_get0_serialNumber
-and
-.Fn X509_REVOKED_get0_revocationDate
-first appeared in OpenSSL 1.1.0.
-These functions have been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/X509_SIG_get0.3 b/src/lib/libcrypto/man/X509_SIG_get0.3
deleted file mode 100644
index 456261ca3f..0000000000
--- a/src/lib/libcrypto/man/X509_SIG_get0.3
+++ /dev/null
@@ -1,90 +0,0 @@
-.\" $OpenBSD: X509_SIG_get0.3,v 1.1 2021/10/23 15:39:06 tb Exp $
-.\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 23 2021 $
-.Dt X509_SIG_GET0 3
-.Os
-.Sh NAME
-.Nm X509_SIG_get0 ,
-.Nm X509_SIG_getm
-.Nd DigestInfo functions
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft void
-.Fo X509_SIG_get0
-.Fa "const X509_SIG *sig"
-.Fa "const X509_ALGOR **palg"
-.Fa "const ASN1_OCTET_STRING **pdigest"
-.Fc
-.Ft void
-.Fo X509_SIG_getm
-.Fa "X509_SIG *sig"
-.Fa "X509_ALGOR **palg"
-.Fa "ASN1_OCTET_STRING **pdigest"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_SIG_get0
-returns pointers to the algorithm identifier and digest value in
-.Fa sig .
-.Fn X509_SIG_getm
-is identical to
-.Fn X509_SIG_get0 ,
-except the pointers returned are not constant and can be modified,
-for example to initialise them.
-.Sh SEE ALSO
-.Xr d2i_X509 3 ,
-.Xr X509_SIG_new 3
-.Sh HISTORY
-.Fn X509_SIG_get0
-and
-.Fn X509_SIG_getm
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/X509_SIG_new.3 b/src/lib/libcrypto/man/X509_SIG_new.3
deleted file mode 100644
index 8e6b29dea5..0000000000
--- a/src/lib/libcrypto/man/X509_SIG_new.3
+++ /dev/null
@@ -1,68 +0,0 @@
-.\"     $OpenBSD: X509_SIG_new.3,v 1.5 2021/10/27 11:24:47 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 27 2021 $
-.Dt X509_SIG_NEW 3
-.Os
-.Sh NAME
-.Nm X509_SIG_new ,
-.Nm X509_SIG_free
-.Nd PKCS#7 digest information
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_SIG *
-.Fn X509_SIG_new void
-.Ft void
-.Fn X509_SIG_free "X509_SIG *sig"
-.Sh DESCRIPTION
-.Fn X509_SIG_new
-allocates and initializes an empty
-.Vt X509_SIG
-object, representing an ASN.1
-.Vt DigestInfo
-structure defined in RFC 2315 section 9.4
-and equivalently in RFC 8017 section 9.2.
-It can hold a message digest together with information about
-the algorithm used.
-.Pp
-.Fn X509_SIG_free
-frees
-.Fa sig .
-.Sh RETURN VALUES
-.Fn X509_SIG_new
-returns the new
-.Vt X509_SIG
-object or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr d2i_X509_SIG 3 ,
-.Xr PEM_read_PKCS8 3 ,
-.Xr RSA_sign 3 ,
-.Xr X509_new 3 ,
-.Xr X509_SIG_get0 3
-.Sh STANDARDS
-RFC 2315: PKCS #7: Cryptographic Message Syntax,
-section 9: Signed-data content type
-.Pp
-RFC 8017: PKCS #1: RSA Cryptography Specifications,
-section 9: Encoding Methods for Signatures
-.Sh HISTORY
-.Fn X509_SIG_new
-and
-.Fn X509_SIG_free
-appeared in SSLeay 0.4 or earlier and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3 b/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
deleted file mode 100644
index 1f221563cb..0000000000
--- a/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
+++ /dev/null
@@ -1,591 +0,0 @@
-.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.28 2023/06/06 16:20:13 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL man3/X509_STORE_CTX_get_error 24a535ea Sep 22 13:14:20 2020 +0100
-.\" OpenSSL man3/X509_STORE_CTX_new 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" and Rich Salz <rsalz@openssl.org>.
-.\" Copyright (c) 2009, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 6 2023 $
-.Dt X509_STORE_CTX_GET_ERROR 3
-.Os
-.Sh NAME
-.Nm X509_STORE_CTX_get_error ,
-.Nm X509_STORE_CTX_set_error ,
-.Nm X509_STORE_CTX_get_error_depth ,
-.Nm X509_STORE_CTX_set_error_depth ,
-.Nm X509_STORE_CTX_get_current_cert ,
-.Nm X509_STORE_CTX_set_current_cert ,
-.Nm X509_STORE_CTX_get0_current_issuer ,
-.Nm X509_STORE_CTX_get0_current_crl ,
-.Nm X509_STORE_CTX_get0_parent_ctx ,
-.Nm X509_STORE_CTX_get_num_untrusted ,
-.Nm X509_STORE_CTX_get0_chain ,
-.Nm X509_STORE_CTX_get_chain ,
-.Nm X509_STORE_CTX_get1_chain ,
-.Nm X509_STORE_CTX_set0_verified_chain ,
-.Nm X509_verify_cert_error_string
-.Nd get or set certificate verification status information
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft int
-.Fo X509_STORE_CTX_get_error
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_set_error
-.Fa "X509_STORE_CTX *ctx"
-.Fa "int s"
-.Fc
-.Ft int
-.Fo X509_STORE_CTX_get_error_depth
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_set_error_depth
-.Fa "X509_STORE_CTX *ctx"
-.Fa "int depth"
-.Fc
-.Ft X509 *
-.Fo X509_STORE_CTX_get_current_cert
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_set_current_cert
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509 *cert"
-.Fc
-.Ft X509 *
-.Fo X509_STORE_CTX_get0_current_issuer
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft X509_CRL *
-.Fo X509_STORE_CTX_get0_current_crl
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft X509_STORE_CTX *
-.Fo X509_STORE_CTX_get0_parent_ctx
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft int
-.Fo X509_STORE_CTX_get_num_untrusted
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft STACK_OF(X509) *
-.Fo X509_STORE_CTX_get0_chain
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft STACK_OF(X509) *
-.Fo X509_STORE_CTX_get_chain
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft STACK_OF(X509) *
-.Fo X509_STORE_CTX_get1_chain
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_set0_verified_chain
-.Fa "X509_STORE_CTX *ctx"
-.Fa "STACK_OF(X509) *chain"
-.Fc
-.In openssl/x509.h
-.Ft const char *
-.Fo X509_verify_cert_error_string
-.Fa "long n"
-.Fc
-.Sh DESCRIPTION
-Most of these functions are typically called after
-.Xr X509_verify_cert 3
-to inspect status information related to certificate verification.
-Some may also be called in a verification callback to determine the
-nature of an error.
-.Pp
-.Fn X509_STORE_CTX_get_error
-returns the error code of
-.Fa ctx .
-See the
-.Sy ERROR CODES
-section for a full description of all error codes.
-.Pp
-.Fn X509_STORE_CTX_set_error
-sets the error code of
-.Fa ctx
-to
-.Fa s .
-For example it might be used in a verification callback to set an error
-based on additional checks.
-.Pp
-.Fn X509_STORE_CTX_get_error_depth
-returns the depth of the error.
-This is a non-negative integer representing where in the certificate
-chain the error occurred.
-If it is zero, it occurred in the end entity certificate, one if it is
-the certificate which signed the end entity certificate, and so on.
-.Pp
-.Fn X509_STORE_CTX_set_error_depth
-sets the error depth.
-This can be used in combination with
-.Fn X509_STORE_CTX_set_error
-to set the depth at which an error condition was detected.
-.Pp
-.Fn X509_STORE_CTX_get_current_cert
-returns the certificate in
-.Fa ctx
-which caused the error or
-.Dv NULL
-if no certificate is relevant.
-.Pp
-.Fn X509_STORE_CTX_set_current_cert
-sets the certificate which caused the error in
-.Fa ctx
-to the given
-.Fa cert .
-This value is not intended to remain valid for very long,
-and remains owned by the caller.
-It may be examined by a verification callback invoked to handle
-each error encountered during chain verification and is no longer
-required after such a callback.
-If a callback wishes the save the certificate for use after it returns,
-it needs to increment its reference count via
-.Xr X509_up_ref 3 .
-Once such a saved certificate is no longer needed, it can be freed with
-.Xr X509_free 3 .
-.Pp
-.Fn X509_STORE_CTX_get0_current_issuer
-returns the certificate that caused issuer validation to fail or
-.Dv NULL
-if no CA certificate is relevant.
-.Pp
-.Fn X509_STORE_CTX_get0_current_crl
-returns the certificate revocation list that caused CRL checking to fail or
-.Dv NULL
-if no CRL is relevant.
-.Pp
-When, during certification path validation, the need arises to check
-the validity of the certification path of a CRL issuer certificate,
-the library creates a new, temporary
-.Vt X509_STORE_CTX
-object.
-If
-.Fn X509_STORE_CTX_get0_parent_ctx
-is called on that temporary object, a pointer to the original
-certification path validation context is returned.
-This may be useful in callback functions called from
-.Xr X509_verify_cert 3
-or from its subroutines to find out whether the callback is called
-from the path validation of the target certificate or from the path
-validation of a related CRL issuer certificate, and if the latter,
-what the target certificate is.
-.Pp
-.Fn X509_STORE_CTX_get0_chain
-returns an internal pointer to a complete validate chain
-if a previous call to
-.Xr X509_verify_cert 3
-was successful.
-If the call to
-.Xr X509_verify_cert 3
-was not successful, the returned chain may be incomplete or invalid.
-.Fn X509_STORE_CTX_get_chain
-is a deprecated alias of
-.Fn X509_STORE_CTX_get0_chain .
-.Fn X509_STORE_CTX_get1_chain
-returns a deep copy of the same chain which persists even after the
-.Fa ctx
-structure is freed.
-When it is no longer needed, it should be freed using
-.Fn sk_X509_pop_free chain X509_free .
-.Pp
-.Fn X509_STORE_CTX_set0_verified_chain
-frees the validate chain generated by if a previous call to
-.Xr X509_verify_cert 3 ,
-if any, and replaces it with the given
-.Fa chain .
-Ownership of the
-.Fa chain
-is transferred to the
-.Fa ctx ,
-so it should not be freed by the caller.
-.Pp
-.Fn X509_verify_cert_error_string
-returns a human readable error string for verification error
-.Fa n .
-.Pp
-The above functions should be used instead of directly referencing the
-fields in the
-.Sy X509_VERIFY_CTX
-structure.
-.Pp
-In versions of OpenSSL before 1.0, the current certificate returned by
-.Fn X509_STORE_CTX_get_current_cert
-was never
-.Dv NULL .
-Applications should check the return value before printing out any
-debugging information relating to the current certificate.
-.Pp
-If an unrecognised error code is passed to
-.Fn X509_verify_cert_error_string ,
-"Unknown certificate verification error"
-is returned.
-This should never happen unless an invalid code is passed.
-.Sh RETURN VALUES
-.Fn X509_STORE_CTX_get_error
-returns
-.Dv X509_V_OK
-or an error code.
-.Pp
-.Fn X509_STORE_CTX_get_error_depth
-returns a non-negative error depth.
-.Pp
-.Fn X509_STORE_CTX_get_current_cert ,
-.Fn X509_STORE_CTX_get0_current_issuer ,
-and
-.Fn X509_STORE_CTX_get0_current_crl
-return the object which caused the error or
-.Dv NULL
-if no object of the requested kind is relevant to the error.
-.Pp
-.Fn X509_STORE_CTX_get0_parent_ctx
-returns the parent context or
-.Dv NULL
-if
-.Fa ctx
-is not a temporary child context
-used for path validation of a CRL issuer certificate.
-.Pp
-.Fn X509_STORE_CTX_get_num_untrusted
-returns the number of untrusted certificates
-that were used in building the chain during a call to
-.Xr X509_verify_cert 3 .
-.Pp
-.Fn X509_STORE_CTX_get0_chain ,
-.Fn X509_STORE_CTX_get_chain ,
-and
-.Fn X509_STORE_CTX_get1_chain
-return a pointer to a stack of certificates or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn X509_verify_cert_error_string
-returns a human readable error string for verification error
-.Fa n .
-.Sh ERROR CODES
-A list of error codes and messages is shown below.
-Some of the error codes are defined but currently never returned:
-these are described as "unused".
-.Bl -tag -width Ds
-.It Dv X509_V_OK : No ok
-The operation was successful.
-.It Dv X509_V_ERR_UNSPECIFIED : \
- No Unspecified certificate verification error
-An error was encountered during certificate verification and
-the internal routines failed to set a more specific error.
-.It Dv X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT : \
- No unable to get issuer certificate
-The issuer certificate of a locally looked up certificate could not be found.
-This normally means the list of trusted certificates is not complete.
-.It Dv X509_V_ERR_UNABLE_TO_GET_CRL : No unable to get certificate CRL
-The CRL of a certificate could not be found.
-.It Dv X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE : \
- No unable to decrypt certificate's signature
-The certificate signature could not be decrypted.
-This means that the actual signature value could not be determined
-rather than it not matching the expected value.
-This is only meaningful for RSA keys.
-.It Dv X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE : \
- No unable to decrypt CRL's signature
-The CRL signature could not be decrypted: this means that the actual
-signature value could not be determined rather than it not matching the
-expected value.
-Unused.
-.It Dv X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY : \
- No unable to decode issuer public key
-The public key in the certificate
-.Vt SubjectPublicKeyInfo
-could not be read.
-.It Dv X509_V_ERR_CERT_SIGNATURE_FAILURE : No certificate signature failure
-The signature of the certificate is invalid.
-.It Dv X509_V_ERR_CRL_SIGNATURE_FAILURE : No CRL signature failure
-The signature of the CRL is invalid.
-.It Dv X509_V_ERR_CERT_NOT_YET_VALID : No certificate is not yet valid
-The certificate is not yet valid: the notBefore date is after the
-current time.
-.It Dv X509_V_ERR_CERT_HAS_EXPIRED : No certificate has expired
-The certificate has expired: that is the notAfter date is before the
-current time.
-.It Dv X509_V_ERR_CRL_NOT_YET_VALID : No CRL is not yet valid
-The CRL is not yet valid.
-.It Dv X509_V_ERR_CRL_HAS_EXPIRED : No CRL has expired
-The CRL has expired.
-.It Dv X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD : \
- No format error in certificate's notBefore field
-The certificate notBefore field contains an invalid time.
-.It Dv X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD : \
- No format error in certificate's notAfter field
-The certificate notAfter field contains an invalid time.
-.It Dv X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD : \
- No format error in CRL's lastUpdate field
-The CRL thisUpdate field (sic!) contains an invalid time.
-Both the name of the error constant and the text of the error message
-give a wrong name for the field that contains the problem.
-.It Dv X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD : \
- No format error in CRL's nextUpdate field
-The CRL nextUpdate field contains an invalid time.
-.It Dv X509_V_ERR_OUT_OF_MEM : No out of memory
-An error occurred trying to allocate memory.
-This should never happen.
-.It Dv X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT : No self signed certificate
-The passed certificate is self signed and the same certificate cannot be
-found in the list of trusted certificates.
-.It Dv X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN : \
- No self signed certificate in certificate chain
-The certificate chain could be built up using the untrusted certificates
-but the root could not be found locally.
-.It Dv X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY : \
- No unable to get local issuer certificate
-The issuer certificate could not be found: this occurs if the issuer
-certificate of an untrusted certificate cannot be found.
-.It Dv X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE : \
- No unable to verify the first certificate
-No signatures could be verified because the chain contains only one
-certificate and it is not self signed.
-.It Dv X509_V_ERR_CERT_CHAIN_TOO_LONG : No certificate chain too long
-The certificate chain length is greater than the supplied maximum depth.
-.It Dv X509_V_ERR_CERT_REVOKED : No certificate revoked
-The certificate has been revoked.
-.It Dv X509_V_ERR_INVALID_CA : No invalid CA certificate
-A CA certificate is invalid.
-Either it is not a CA or its extensions are not consistent with the
-supplied purpose.
-.It Dv X509_V_ERR_PATH_LENGTH_EXCEEDED : No path length constraint exceeded
-The basicConstraints path-length parameter has been exceeded.
-.It Dv X509_V_ERR_INVALID_PURPOSE : No unsupported certificate purpose
-The supplied certificate cannot be used for the specified purpose.
-.It Dv X509_V_ERR_CERT_UNTRUSTED : No certificate not trusted
-The root CA is not marked as trusted for the specified purpose.
-.It Dv X509_V_ERR_CERT_REJECTED : No certificate rejected
-The root CA is marked to reject the specified purpose.
-.It Dv X509_V_ERR_SUBJECT_ISSUER_MISMATCH : No subject issuer mismatch
-The current candidate issuer certificate was rejected because its
-subject name did not match the issuer name of the current certificate.
-This is only set if issuer check debugging is enabled; it is used for
-status notification and is
-.Sy not
-in itself an error.
-.It Dv X509_V_ERR_AKID_SKID_MISMATCH : \
- No authority and subject key identifier mismatch
-The current candidate issuer certificate was rejected because its
-subject key identifier was present and did not match the authority key
-identifier current certificate.
-This is only set if issuer check debugging is enabled; it is used for
-status notification and is
-.Sy not
-in itself an error.
-.It Dv X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH : \
- No authority and issuer serial number mismatch
-The current candidate issuer certificate was rejected because its issuer
-name and serial number was present and did not match the authority key
-identifier of the current certificate.
-This is only set if issuer check debugging is enabled; it is used for
-status notification and is
-.Sy not
-in itself an error.
-.It Dv X509_V_ERR_KEYUSAGE_NO_CERTSIGN : \
- No key usage does not include certificate signing
-The current candidate issuer certificate was rejected because its
-keyUsage extension does not permit certificate signing.
-This is only set if issuer check debugging is enabled it is used for
-status notification and is
-.Sy not
-in itself an error.
-.It Dv X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER : \
- No unable to get CRL issuer certificate
-The CRL's issuer could not be found:
-there is no alternative CRL issuer set on
-.Ar ctx
-and the last certificate in the chain is not self signed.
-.It Dv X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION : \
- No unhandled critical extension
-The certificate contains a critical extension that is unsupported
-by the library.
-.It Dv X509_V_ERR_KEYUSAGE_NO_CRL_SIGN : \
- No key usage does not include CRL signing
-The CRL issuer has a key usage extension with unset cRLSign bit.
-.It Dv X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION : \
- No unhandled critical CRL extension
-The CRL contains a critical extension that is unsupported
-by the library.
-.\" XXX - The following are unreachable (X509_V_ERR_INVALID_NON_CA) or unused.
-.\" .It Dv X509_V_ERR_INVALID_NON_CA : \
-.\"  No invalid non-CA certificate (has CA markings)
-.\" .It Dv X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED : \
-.\"  No proxy path length constraint exceeded
-.\" .It Dv X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE : \
-.\"  No key usage does not include digital signature
-.\" .It Dv X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED : \
-.\"  No proxy certificates not allowed, please set the appropriate flag
-.It Dv X509_V_ERR_INVALID_EXTENSION : \
- No invalid or inconsistent certificate extension
-A certificate extension had an invalid value (for example an incorrect
-encoding) or some value inconsistent with other extensions.
-.It Dv X509_V_ERR_INVALID_POLICY_EXTENSION : \
- No invalid or inconsistent certificate policy extension
-A certificate policies extension had an invalid value (for example an
-incorrect encoding) or some value inconsistent with other extensions.
-This error only occurs if policy processing is enabled.
-.It Dv X509_V_ERR_NO_EXPLICIT_POLICY : No no explicit policy
-The verification flags were set to require an explicit policy but none
-was present.
-.It Dv X509_V_ERR_DIFFERENT_CRL_SCOPE : No different CRL scope
-The only CRLs that could be found did not match the scope of the
-certificate.
-.It Dv X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE : \
- No unsupported extension feature
-Some feature of a certificate extension is not supported.
-Unused.
-.It Dv X509_V_ERR_UNNESTED_RESOURCE : \
- No RFC 3779 resource not subset of parent's resources
-When walking up a certificate chain, all resources specified in
-RFC 3779 extensions must be contained in the resources delegated in
-the issuer's RFC 3779 extensions.
-The error indicates that this is not the case or that the trust anchor
-has inheritance.
-.It Dv X509_V_ERR_PERMITTED_VIOLATION : No permitted subtree violation
-A name constraint violation occurred in the permitted subtrees.
-.It Dv X509_V_ERR_EXCLUDED_VIOLATION : No excluded subtree violation
-A name constraint violation occurred in the excluded subtrees.
-.It Dv X509_V_ERR_SUBTREE_MINMAX : \
- No name constraints minimum and maximum not supported
-A certificate name constraints extension included a minimum or maximum
-field: this is not supported.
-.It Dv X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE : \
- No unsupported name constraint type
-An unsupported name constraint type was encountered.
-OpenSSL currently only supports directory name, DNS name, email and URI
-types.
-.It Dv X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX : \
- No unsupported or invalid name constraint syntax
-The format of the name constraint is not recognised: for example an
-email address format of a form not mentioned in RFC 3280.
-This could be caused by a garbage extension or some new feature not
-currently supported.
-.\" X509_V_ERR_UNSUPPORTED_NAME_SYNTAX : No unsupported or invalid name syntax
-.It Dv X509_V_ERR_CRL_PATH_VALIDATION_ERROR : No CRL path validation error
-An error occurred when attempting to verify the CRL path.
-This error can only happen if extended CRL checking is enabled.
-.It Dv X509_V_ERR_APPLICATION_VERIFICATION : \
- No application verification failure
-An application specific error.
-This will never be returned unless explicitly set by an application.
-.\" .It Dv X509_V_ERR_HOSTNAME_MISMATCH : No Hostname mismatch
-.\" .It Dv X509_V_ERR_EMAIL_MISMATCH : No Email address mismatch
-.\" .It Dv X509_V_ERR_IP_ADDRESS_MISMATCH : No IP address mismatch
-.\" .It Dv X509_V_ERR_INVALID_CALL : \
-.\"  No Invalid certificate verification context
-.\" .It Dv X509_V_ERR_STORE_LOOKUP : No Issuer certificate lookup error
-.\" .It Dv X509_V_ERR_EE_KEY_TOO_SMALL : No EE certificate key too weak
-.\" .It Dv X509_V_ERR_CA_KEY_TOO_SMALL : No CA certificate key too weak
-.\" .It Dv X509_V_ERR_CA_MD_TOO_WEAK : \
-.\"  No CA signature digest algorithm too weak
-.El
-.Sh SEE ALSO
-.Xr X509_STORE_CTX_new 3 ,
-.Xr X509_STORE_CTX_set_verify 3 ,
-.Xr X509_STORE_CTX_set_verify_cb 3 ,
-.Xr X509_STORE_set_verify_cb 3 ,
-.Xr X509_up_ref 3 ,
-.Xr X509_verify_cert 3
-.Sh HISTORY
-.Fn X509_STORE_CTX_get_error ,
-.Fn X509_STORE_CTX_set_error ,
-.Fn X509_STORE_CTX_get_error_depth ,
-.Fn X509_STORE_CTX_get_current_cert ,
-.Fn X509_STORE_CTX_get_chain ,
-and
-.Fn X509_verify_cert_error_string
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_STORE_CTX_get1_chain
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Pp
-.Fn X509_STORE_CTX_get0_current_issuer ,
-.Fn X509_STORE_CTX_get0_current_crl ,
-and
-.Fn X509_STORE_CTX_get0_parent_ctx
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
-.Pp
-.Fn X509_STORE_CTX_get0_chain
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
-.Pp
-.Fn X509_STORE_CTX_set_error_depth ,
-.Fn X509_STORE_CTX_set_current_cert ,
-.Fn X509_STORE_CTX_get_num_untrusted ,
-and
-.Fn X509_STORE_CTX_set0_verified_chain
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 b/src/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
deleted file mode 100644
index bfec65a123..0000000000
--- a/src/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
+++ /dev/null
@@ -1,153 +0,0 @@
-.\"     $OpenBSD: X509_STORE_CTX_get_ex_new_index.3,v 1.6 2021/07/29 08:32:13 schwarze Exp $
-.\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2009, 2014 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 29 2021 $
-.Dt X509_STORE_CTX_GET_EX_NEW_INDEX 3
-.Os
-.Sh NAME
-.Nm X509_STORE_CTX_get_ex_new_index ,
-.Nm X509_STORE_CTX_set_ex_data ,
-.Nm X509_STORE_CTX_get_ex_data ,
-.Nm X509_STORE_CTX_set_app_data ,
-.Nm X509_STORE_CTX_get_app_data
-.Nd add application specific data to X509_STORE_CTX structures
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft int
-.Fo X509_STORE_CTX_get_ex_new_index
-.Fa "long argl"
-.Fa "void *argp"
-.Fa "CRYPTO_EX_new *new_func"
-.Fa "CRYPTO_EX_dup *dup_func"
-.Fa "CRYPTO_EX_free *free_func"
-.Fc
-.Ft int
-.Fo X509_STORE_CTX_set_ex_data
-.Fa "X509_STORE_CTX *d"
-.Fa "int idx"
-.Fa "void *arg"
-.Fc
-.Ft void *
-.Fo X509_STORE_CTX_get_ex_data
-.Fa "X509_STORE_CTX *d"
-.Fa "int idx"
-.Fc
-.Ft int
-.Fo X509_STORE_CTX_set_app_data
-.Fa "X509_STORE_CTX *d"
-.Fa "void *arg"
-.Fc
-.Ft void *
-.Fo X509_STORE_CTX_get_app_data
-.Fa "X509_STORE_CTX *d"
-.Fc
-.Sh DESCRIPTION
-These functions handle application specific data in
-.Vt X509_STORE_CTX
-structures.
-Their usage is identical to that of
-.Xr RSA_get_ex_new_index 3 ,
-.Xr RSA_set_ex_data 3 ,
-and
-.Xr RSA_get_ex_data 3 .
-.Pp
-This mechanism is used internally by the
-.Xr ssl 3
-library to store the
-.Vt SSL
-structure associated with a verification operation in an
-.Vt X509_STORE_CTX
-structure.
-.Pp
-.Fn X509_STORE_CTX_set_app_data
-and
-.Fn X509_STORE_CTX_get_app_data
-are macros calling
-.Fn X509_STORE_CTX_set_ex_data
-and
-.Fn X509_STORE_CTX_get_ex_data ,
-respectively, with an
-.Fa idx
-of 0.
-.Sh RETURN VALUES
-.Fn X509_STORE_CTX_get_ex_new_index
-returns a new index or \-1 on failure.
-.Pp
-.Fn X509_STORE_CTX_set_ex_data
-and
-.Fn X509_STORE_CTX_set_app_data
-return 1 on success or 0 on failure.
-.Pp
-.Fn X509_STORE_CTX_get_ex_data
-and
-.Fn X509_STORE_CTX_get_app_data
-return the application data or
-.Dv NULL
-on failure.
-.Dv NULL
-may also be valid application data, but currently these functions
-can only fail if given an invalid
-.Fa idx
-argument.
-.Sh SEE ALSO
-.Xr RSA_get_ex_new_index 3 ,
-.Xr X509_STORE_CTX_new 3
-.Sh HISTORY
-.Fn X509_STORE_CTX_set_app_data
-and
-.Fn X509_STORE_CTX_get_app_data
-first appeared in SSLeay 0.8.0 and
-.Fn X509_STORE_CTX_get_ex_new_index ,
-.Fn X509_STORE_CTX_set_ex_data ,
-and
-.Fn X509_STORE_CTX_get_ex_data
-in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_new.3 b/src/lib/libcrypto/man/X509_STORE_CTX_new.3
deleted file mode 100644
index 96af7a8afb..0000000000
--- a/src/lib/libcrypto/man/X509_STORE_CTX_new.3
+++ /dev/null
@@ -1,365 +0,0 @@
-.\" $OpenBSD: X509_STORE_CTX_new.3,v 1.27 2022/11/16 14:55:40 schwarze Exp $
-.\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100
-.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" and Rich Salz <rsalz@openssl.org>.
-.\" Copyright (c) 2009, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 16 2022 $
-.Dt X509_STORE_CTX_NEW 3
-.Os
-.Sh NAME
-.Nm X509_STORE_CTX_new ,
-.Nm X509_STORE_CTX_init ,
-.Nm X509_STORE_CTX_cleanup ,
-.Nm X509_STORE_CTX_free ,
-.Nm X509_STORE_CTX_get0_store ,
-.Nm X509_STORE_CTX_set0_trusted_stack ,
-.Nm X509_STORE_CTX_trusted_stack ,
-.Nm X509_STORE_CTX_set_cert ,
-.Nm X509_STORE_CTX_get0_cert ,
-.\" X509_STORE_CTX_get0_chain moved to X509_STORE_CTX_get_error(3)
-.Nm X509_STORE_CTX_set_chain ,
-.Nm X509_STORE_CTX_set0_untrusted ,
-.Nm X509_STORE_CTX_get0_untrusted ,
-.Nm X509_STORE_CTX_set0_crls
-.\" X509_STORE_CTX_verify_fn moved to X509_STORE_CTX_set_verify(3)
-.\" X509_STORE_CTX_set_verify moved to X509_STORE_CTX_set_verify(3)
-.Nd X509_STORE_CTX initialisation
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft X509_STORE_CTX *
-.Fn X509_STORE_CTX_new void
-.Ft int
-.Fo X509_STORE_CTX_init
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509_STORE *store"
-.Fa "X509 *x"
-.Fa "STACK_OF(X509) *untrusted"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_cleanup
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_free
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft X509_STORE *
-.Fo X509_STORE_CTX_get0_store
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_set0_trusted_stack
-.Fa "X509_STORE_CTX *ctx"
-.Fa "STACK_OF(X509) *trusted"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_trusted_stack
-.Fa "X509_STORE_CTX *ctx"
-.Fa "STACK_OF(X509) *trusted"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_set_cert
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509 *x"
-.Fc
-.Ft X509 *
-.Fo X509_STORE_CTX_get0_cert
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_set_chain
-.Fa "X509_STORE_CTX *ctx"
-.Fa "STACK_OF(X509) *untrusted"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_set0_untrusted
-.Fa "X509_STORE_CTX *ctx"
-.Fa "STACK_OF(X509) *untrusted"
-.Fc
-.Ft STACK_OF(X509) *
-.Fo X509_STORE_CTX_get0_untrusted
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_set0_crls
-.Fa "X509_STORE_CTX *ctx"
-.Fa "STACK_OF(X509_CRL) *crls"
-.Fc
-.Sh DESCRIPTION
-These functions set up an
-.Vt X509_STORE_CTX
-object for subsequent use by
-.Xr X509_verify_cert 3 .
-.Pp
-.Fn X509_STORE_CTX_new
-allocates an empty
-.Vt X509_STORE_CTX
-object not yet containing the subobjects required for normal operation.
-.Pp
-.Fn X509_STORE_CTX_init
-needs to be called on each new
-.Fa ctx
-before any of the other functions become useful.
-It prepares
-.Fa ctx
-for one single verification operation using
-.Xr X509_verify_cert 3 .
-The trusted certificate
-.Fa store
-to be used, the end entity certificate
-.Fa x
-to be verified, and a set of additional
-.Fa untrusted
-certificates, to be used for building the chain,
-can be supplied, or any or all of them can be set to
-.Dv NULL .
-The three pointers passed in are stored internally, the three objects
-pointed to are not copied, their reference count is not incremented,
-and the caller remains responsible for managing their storage and for
-not freeing them before
-.Fn X509_STORE_CTX_free
-is called on
-.Fa ctx .
-If a
-.Fa store
-is provided, the verification parameters contained in it are copied using
-.Xr X509_VERIFY_PARAM_inherit 3 .
-.Pp
-.Fn X509_STORE_CTX_cleanup
-internally cleans up
-.Fa ctx ,
-returning it to an empty state similar to the one after
-.Fn X509_STORE_CTX_new .
-It can then be reused with a new call to
-.Fn X509_STORE_CTX_init .
-.Pp
-.Fn X509_STORE_CTX_free
-calls
-.Fn X509_STORE_CTX_cleanup
-and frees the storage pointed to by
-.Fa ctx .
-If
-.Fa ctx
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn X509_STORE_CTX_get0_store
-returns the internal pointer to the trusted certificate
-.Fa store
-that was set with
-.Fn X509_STORE_CTX_init .
-.Pp
-.Fn X509_STORE_CTX_set0_trusted_stack
-sets the set of
-.Fa trusted
-certificates used by
-.Fa ctx .
-This is an alternative way of specifying trusted certificates instead of
-using the
-.Fa store .
-.Fn X509_STORE_CTX_trusted_stack
-is a deprecated alias for
-.Fn X509_STORE_CTX_set0_trusted_stack .
-.Pp
-.Fn X509_STORE_CTX_set_cert
-sets the certificate to be verified in
-.Fa ctx
-to
-.Fa x ,
-overriding the certificate that was set with
-.Fn X509_STORE_CTX_init .
-Again, the certificate is not copied
-and its reference count is not incremented.
-.Pp
-.Fn X509_STORE_CTX_get0_cert
-retrieves the internal pointer to the certificate being verified by
-.Fa ctx ,
-i.e. the last one set using either
-.Fn X509_STORE_CTX_init
-or
-.Fn X509_STORE_CTX_set_cert .
-.Pp
-.Fn X509_STORE_CTX_set_chain
-and
-.Fn X509_STORE_CTX_set0_untrusted
-are identical and set the additional,
-.Fa untrusted
-certificates used by
-.Fa ctx ,
-overriding the set of additional, untrusted certificates that was set with
-.Fn X509_STORE_CTX_init .
-Again, the set and the certificates contained in it are not copied
-and their reference counts are not incremented.
-.Pp
-.Fn X509_STORE_CTX_get0_untrusted
-retrieves the internal pointer
-to the set of additional, untrusted certificates associated with
-.Fa ctx ,
-i.e. the last one set using either
-.Fn X509_STORE_CTX_init ,
-.Fn X509_STORE_CTX_set_chain ,
-or
-.Fn X509_STORE_CTX_set0_untrusted .
-.Pp
-.Fn X509_STORE_CTX_set0_crls
-sets a set of
-.Fa crls
-to use during certificate verification.
-These CRLs will only be used if CRL verification is enabled in the
-associated
-.Vt X509_VERIFY_PARAM
-structure.
-This might be used where additional "useful" CRLs are supplied as part
-of a protocol, for example in a PKCS#7 structure.
-.Pp
-Legacy applications might implicitly use an
-.Vt X509_STORE_CTX
-like this:
-.Bd -literal -offset indent
-X509_STORE_CTX ctx;
-X509_STORE_CTX_init(&ctx, store, cert, chain);
-.Ed
-.Pp
-This is
-.Sy not
-recommended in new applications.
-They should instead do:
-.Bd -literal -offset indent
-X509_STORE_CTX *ctx;
-ctx = X509_STORE_CTX_new();
-if (ctx == NULL)
-        /* Bad error */
-X509_STORE_CTX_init(ctx, store, cert, chain);
-.Ed
-.Sh RETURN VALUES
-.Fn X509_STORE_CTX_new
-returns a newly allocated context or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn X509_STORE_CTX_init
-returns 1 for success or 0 if an error occurred.
-.Pp
-.Fn X509_STORE_CTX_get0_store
-returns the internal pointer to the trusted certificate store or
-.Dv NULL
-if none was set.
-.Pp
-.Fn X509_STORE_CTX_get0_cert
-returns the internal pointer to the certificate to be verified or
-.Dv NULL
-if no such certificate was set.
-.Pp
-.Fn X509_STORE_CTX_get0_untrusted
-returns the internal pointer
-to the set of additional, untrusted certificates or
-.Dv NULL
-if no set of additional certificates was provided.
-.Sh SEE ALSO
-.Xr X509_CRL_new 3 ,
-.Xr X509_STORE_CTX_get_error 3 ,
-.Xr X509_STORE_CTX_get_ex_new_index 3 ,
-.Xr X509_STORE_CTX_set_flags 3 ,
-.Xr X509_STORE_CTX_set_verify 3 ,
-.Xr X509_STORE_CTX_set_verify_cb 3 ,
-.Xr X509_STORE_get_by_subject 3 ,
-.Xr X509_STORE_new 3 ,
-.Xr X509_STORE_set1_param 3 ,
-.Xr X509_STORE_set_verify_cb 3 ,
-.Xr X509_verify_cert 3 ,
-.Xr X509_VERIFY_PARAM_inherit 3 ,
-.Xr X509_VERIFY_PARAM_set_flags 3
-.Sh HISTORY
-.Fn X509_STORE_CTX_init ,
-.Fn X509_STORE_CTX_cleanup ,
-.Fn X509_STORE_CTX_set_cert ,
-and
-.Fn X509_STORE_CTX_set_chain
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_STORE_CTX_new
-and
-.Fn X509_STORE_CTX_free
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-.Fn X509_STORE_CTX_trusted_stack
-first appeared in OpenSSL 0.9.6 and has been available since
-.Ox 2.9 .
-.Pp
-.Fn X509_STORE_CTX_get0_store
-first appeared in OpenSSL 1.0.2.
-.Fn X509_STORE_CTX_set0_trusted_stack ,
-.Fn X509_STORE_CTX_get0_cert ,
-.Fn X509_STORE_CTX_set0_untrusted ,
-and
-.Fn X509_STORE_CTX_get0_untrusted
-first appeared in OpenSSL 1.1.0.
-These functions have been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3
deleted file mode 100644
index 04bb202bac..0000000000
--- a/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3
+++ /dev/null
@@ -1,326 +0,0 @@
-.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.8 2024/08/29 20:21:10 tb Exp $
-.\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100
-.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2009 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 29 2024 $
-.Dt X509_STORE_CTX_SET_FLAGS 3
-.Os
-.Sh NAME
-.Nm X509_STORE_CTX_set_flags ,
-.Nm X509_STORE_CTX_set_time ,
-.Nm X509_STORE_CTX_set_depth ,
-.Nm X509_STORE_CTX_set_trust ,
-.Nm X509_STORE_CTX_set_purpose ,
-.\" .Nm X509_STORE_CTX_purpose_inherit is intentionally undocumented
-.\" because it will be removed in the next major bump.
-.Nm X509_STORE_CTX_get0_param ,
-.Nm X509_STORE_CTX_set0_param ,
-.Nm X509_STORE_CTX_set_default
-.Nd X509_STORE_CTX parameter initialisation
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft void
-.Fo X509_STORE_CTX_set_flags
-.Fa "X509_STORE_CTX *ctx"
-.Fa "unsigned long flags"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_set_time
-.Fa "X509_STORE_CTX *ctx"
-.Fa "unsigned long dummy"
-.Fa "time_t time"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_set_depth
-.Fa "X509_STORE_CTX *ctx"
-.Fa "int depth"
-.Fc
-.Ft int
-.Fo X509_STORE_CTX_set_trust
-.Fa "X509_STORE_CTX *ctx"
-.Fa "int trust"
-.Fc
-.Ft int
-.Fo X509_STORE_CTX_set_purpose
-.Fa "X509_STORE_CTX *ctx"
-.Fa "int purpose"
-.Fc
-.Ft X509_VERIFY_PARAM *
-.Fo X509_STORE_CTX_get0_param
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_set0_param
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509_VERIFY_PARAM *param"
-.Fc
-.Ft int
-.Fo X509_STORE_CTX_set_default
-.Fa "X509_STORE_CTX *ctx"
-.Fa "const char *name"
-.Fc
-.Sh DESCRIPTION
-These functions operate on the
-.Vt X509_VERIFY_PARAM
-object used by
-.Fa ctx .
-Usually,
-.Xr X509_STORE_CTX_init 3
-is called on
-.Fa ctx
-before these functions, and
-.Xr X509_verify_cert 3
-afterwards.
-.Pp
-.Fn X509_STORE_CTX_set_flags
-sets the internal verification parameter flags to
-.Fa flags .
-See
-.Xr X509_VERIFY_PARAM_set_flags 3
-for a description of the verification flags.
-.Pp
-.Fn X509_STORE_CTX_set_time
-sets the verification
-.Fa time
-using
-.Xr X509_VERIFY_PARAM_set_time 3 .
-The
-.Fa dummy
-argument is ignored.
-.Pp
-.Fn X509_STORE_CTX_set_depth
-sets the maximum verification
-.Fa depth
-using
-.Xr X509_VERIFY_PARAM_set_depth 3 .
-That is the maximum number of untrusted CA certificates
-that can appear in a chain.
-.Pp
-.Fn X509_STORE_CTX_set_trust
-sets the
-.Fa trust
-identifier that can also be set using
-.Xr X509_VERIFY_PARAM_set_trust 3 .
-If the
-.Fa trust
-argument is 0 or invalid
-or the trust identifier is already set to a non-zero value in the
-.Vt X509_VERIFY_PARAM
-object, no action occurs.
-.Pp
-.Fn X509_STORE_CTX_set_purpose
-sets the
-.Fa purpose
-identifier that can also be set using
-.Xr X509_VERIFY_PARAM_set_purpose 3 .
-If the
-.Fa purpose
-argument is 0 or any failure occurs, nothing is changed.
-.Pp
-In the following, the trust identifier contained in the
-.Vt X509_PURPOSE
-object associated with
-.Fa purpose
-is called the
-.Dq associated trust .
-.Pp
-The function fails if the
-.Fa purpose
-argument or the associated trust is invalid but not 0; otherwise,
-.Fn X509_STORE_CTX_set_purpose
-also does the equivalent of calling
-.Fn X509_STORE_CTX_set_trust
-with the associated trust.
-.Pp
-If the purpose identifier is already set to a non-zero value in the
-.Vt X509_VERIFY_PARAM
-object, it is not changed, even if the
-.Fa purpose
-argument is valid, too.
-.Pp
-.Fn X509_STORE_CTX_get0_param
-retrieves an internal pointer to the verification parameters associated
-with
-.Fa ctx .
-.Pp
-.Fn X509_STORE_CTX_set0_param
-sets the internal verification parameter pointer to
-.Fa param .
-After this call
-.Fa param
-should not be used.
-.Pp
-.Fn X509_STORE_CTX_set_default
-looks up and sets the default verification method to
-.Fa name .
-This uses the function
-.Xr X509_VERIFY_PARAM_lookup 3
-to find an appropriate set of parameters from
-.Fa name
-and copies them using
-.Xr X509_VERIFY_PARAM_inherit 3 .
-.Sh RETURN VALUES
-.Fn X509_STORE_CTX_set_trust
-returns 1 if the
-.Fa trust
-argument is 0 or valid or 0 if it is invalid but not 0.
-A return value of 1 does
-.Em not
-imply that the trust identifier stored in the
-.Vt X509_VERIFY_PARAM
-object was changed.
-.Pp
-.Fn X509_STORE_CTX_set_purpose
-returns 1 if both the
-.Fa purpose
-argument and the associated trust are 0 or valid.
-It returns 0 if either the
-.Fa purpose
-argument or the associated trust is invalid but not 0.
-A return value of 1 does not imply that any data was changed.
-.Pp
-.Fn X509_STORE_CTX_get0_param
-returns a pointer to an
-.Vt X509_VERIFY_PARAM
-structure or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn X509_STORE_CTX_set_default
-returns 1 for success or 0 if an error occurred.
-.Sh ERRORS
-The following diagnostics can be retrieved with
-.Xr ERR_get_error 3 ,
-.Xr ERR_GET_REASON 3 ,
-and
-.Xr ERR_reason_error_string 3 :
-.Bl -tag -width Ds
-.It Dv X509_R_UNKNOWN_TRUST_ID Qq "unknown trust id"
-.Fn X509_STORE_CTX_set_trust
-was called with a
-.Fa trust
-argument that is invalid but not 0.
-Other implementations may also return this when
-.Fn X509_STORE_CTX_set_purpose
-is called with a
-.Fa purpose
-argument with invalid associated trust.
-.It Dv X509_R_UNKNOWN_PURPOSE_ID Qq "unknown purpose id"
-The
-.Fa purpose
-argument is invalid but not 0.
-.El
-.Pp
-The other functions provide no diagnostics.
-.Sh SEE ALSO
-.Xr X509_STORE_CTX_get_error 3 ,
-.Xr X509_STORE_CTX_new 3 ,
-.Xr X509_STORE_CTX_set_verify 3 ,
-.Xr X509_STORE_CTX_set_verify_cb 3 ,
-.Xr X509_STORE_new 3 ,
-.Xr X509_STORE_set1_param 3 ,
-.Xr X509_STORE_set_verify_cb 3 ,
-.Xr X509_verify_cert 3 ,
-.Xr X509_VERIFY_PARAM_new 3 ,
-.Xr X509_VERIFY_PARAM_set_flags 3
-.Sh HISTORY
-.Fn X509_STORE_CTX_set_depth
-first appeared in OpenSSL 0.9.3 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_STORE_CTX_set_trust
-and
-.Fn X509_STORE_CTX_set_purpose
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-.Fn X509_STORE_CTX_set_flags
-and
-.Fn X509_STORE_CTX_set_time
-first appeared in OpenSSL 0.9.6 and have been available since
-.Ox 2.9 .
-.Pp
-.Fn X509_STORE_CTX_get0_param ,
-.Fn X509_STORE_CTX_set0_param ,
-and
-.Fn X509_STORE_CTX_set_default
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Sh CAVEATS
-The precise effect of a successful call to
-.Fn X509_STORE_CTX_set_trust
-and
-.Fn X509_STORE_CTX_set_purpose
-is unclear unless only one of these functions is used immediately after
-.Xr X509_STORE_CTX_init 3 .
-It is therefore recommended to use
-.Fn X509_STORE_CTX_get0_param ,
-.Xr X509_VERIFY_PARAM_set_trust 3 ,
-and
-.Xr X509_VERIFY_PARAM_set_purpose 3
-instead.
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
deleted file mode 100644
index 8c27deea5d..0000000000
--- a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
+++ /dev/null
@@ -1,256 +0,0 @@
-.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.8 2024/06/07 05:51:39 tb Exp $
-.\"
-.\" Copyright (c) 2021, 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\" Copyright (c) 2023 Job Snijders <job@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 7 2024 $
-.Dt X509_STORE_CTX_SET_VERIFY 3
-.Os
-.Sh NAME
-.Nm X509_STORE_CTX_verify_fn ,
-.Nm X509_STORE_CTX_set_verify ,
-.Nm X509_STORE_CTX_get_verify ,
-.Nm X509_STORE_set_verify ,
-.Nm X509_STORE_set_verify_func ,
-.Nm X509_STORE_get_verify ,
-.Nm X509_STORE_CTX_check_issued_fn ,
-.Nm X509_STORE_set_check_issued ,
-.Nm X509_STORE_get_check_issued ,
-.Nm X509_STORE_CTX_get_check_issued
-.Nd user-defined certificate chain verification function
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft typedef int
-.Fo (*X509_STORE_CTX_verify_fn)
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_set_verify
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509_STORE_CTX_verify_fn verify"
-.Fc
-.Ft X509_STORE_CTX_verify_fn
-.Fo X509_STORE_CTX_get_verify
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft void
-.Fo X509_STORE_set_verify
-.Fa "X509_STORE *store"
-.Fa "X509_STORE_CTX_verify_fn verify"
-.Fc
-.Ft void
-.Fo X509_STORE_set_verify_func
-.Fa "X509_STORE *store"
-.Fa "X509_STORE_CTX_verify_fn verify"
-.Fc
-.Ft X509_STORE_CTX_verify_fn
-.Fo X509_STORE_get_verify
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft typedef int
-.Fo (*X509_STORE_CTX_check_issued_fn)
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509 *subject"
-.Fa "X509 *issuer"
-.Fc
-.Ft void
-.Fo X509_STORE_set_check_issued
-.Fa "X509_STORE *store"
-.Fa "X509_STORE_CTX_check_issued_fn check_issued"
-.Fc
-.Ft X509_STORE_CTX_check_issued_fn
-.Fo X509_STORE_get_check_issued
-.Fa "X509_STORE *store"
-.Fc
-.Ft X509_STORE_CTX_check_issued_fn
-.Fo X509_STORE_CTX_get_check_issued
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_STORE_CTX_set_verify
-configures
-.Fa ctx
-to use the
-.Fa verify
-argument as the X.509 certificate chain verification function instead
-of the default verification function built into the library when
-.Xr X509_verify_cert 3
-is called.
-.Pp
-The
-.Fa verify
-function provided by the user is only called if the
-.Dv X509_V_FLAG_LEGACY_VERIFY
-or
-.Dv X509_V_FLAG_NO_ALT_CHAINS
-flag was set on
-.Fa ctx
-using
-.Xr X509_STORE_CTX_set_flags 3
-or
-.Xr X509_VERIFY_PARAM_set_flags 3 .
-Otherwise, it is ignored and a different algorithm is used that does
-not support replacing the verification function.
-.Pp
-.Fn X509_STORE_set_verify
-saves the function pointer
-.Fa verify
-in the given
-.Fa store
-object.
-That pointer will be copied to an
-.Vt X509_STORE_CTX
-object when
-.Fa store
-is later passed as an argument to
-.Xr X509_STORE_CTX_init 3 .
-.Pp
-.Fn X509_STORE_set_verify_func
-is an alias for
-.Fn X509_STORE_set_verify
-implemented as a macro.
-.Pp
-.Fn X509_STORE_set_check_issued
-saves the function pointer
-.Fa check_issued
-in the given
-.Fa store
-object.
-That pointer will be copied to an
-.Vt X509_STORE_CTX
-object when
-.Fa store
-is later passed as an argument to
-.Fn X509_STORE_CTX_init 3 .
-.Pp
-The
-.Fa check_issued
-function provided by the user should check whether a given certificate
-.Fa subject
-was issued using the CA certificate
-.Fa issuer ,
-and must return 0 on failure and 1 on success.
-The default implementation ignores the
-.Fa ctx
-argument and returns success if and only if
-.Xr X509_check_issued 3
-returns
-.Dv X509_V_OK .
-It is important to pay close attention to the order of the
-.Fa issuer
-and
-.Fa subject
-arguments.
-In
-.Xr X509_check_issued 3
-the
-.Fa issuer
-precedes the
-.Fa subject
-while in
-.Fn check_issued
-the
-.Fa subject
-comes first.
-.Sh RETURN VALUES
-.Fn X509_STORE_CTX_verify_fn
-is supposed to return 1 to indicate that the chain is valid
-or 0 if it is not or if an error occurred.
-.Pp
-.Fn X509_STORE_CTX_get_verify
-returns a function pointer previously set with
-.Fn X509_STORE_CTX_set_verify
-or
-.Xr X509_STORE_CTX_init 3 ,
-or
-.Dv NULL
-if
-.Fa ctx
-is uninitialized.
-.Pp
-.Fn X509_STORE_get_verify
-returns the function pointer previously set with
-.Fn X509_STORE_set_verify ,
-or
-.Dv NULL
-if that function was not called on the
-.Fa store .
-.Pp
-.Fn X509_STORE_get_check_issued
-returns the function pointer previously set with
-.Fn X509_STORE_set_check_issued ,
-or
-.Dv NULL
-if that function was not called on the
-.Fa store .
-.Pp
-.Fn X509_STORE_CTX_get_check_issued
-returns the
-.Fn check_issued
-function pointer set on the
-.Vt X509_STORE_CTX .
-This is either the
-.Fn check_issued
-function inherited from the
-.Fa store
-used in
-.Xr X509_STORE_CTX_init 3
-or the library's default implementation.
-.Sh SEE ALSO
-.Xr X509_check_issued 3 ,
-.Xr X509_STORE_CTX_init 3 ,
-.Xr X509_STORE_CTX_set_error 3 ,
-.Xr X509_STORE_CTX_set_flags 3 ,
-.Xr X509_STORE_CTX_set_verify_cb 3 ,
-.Xr X509_STORE_new 3 ,
-.Xr X509_STORE_set_flags 3 ,
-.Xr X509_STORE_set_verify_cb 3 ,
-.Xr X509_verify_cert 3 ,
-.Xr X509_VERIFY_PARAM_set_flags 3
-.Sh HISTORY
-.Fn X509_STORE_set_verify_func
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_STORE_CTX_set_verify
-and
-.Fn X509_STORE_CTX_get_verify
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.1 .
-.Pp
-.Fn X509_STORE_CTX_verify_fn ,
-.Fn X509_STORE_set_verify ,
-and
-.Fn X509_STORE_get_verify
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.2 .
-.Pp
-.Fn X509_STORE_set_check_issued ,
-.Fn X509_STORE_get_check_issued ,
-and
-.Fn X509_STORE_CTX_get_check_issued
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.3 .
-.Sh BUGS
-The reversal of order of
-.Fa subject
-and
-.Fa issuer
-between
-.Fn check_issued
-and
-.Xr X509_check_issued 3
-is very confusing.
-It has led to bugs and will cause many more.
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
deleted file mode 100644
index 0fe086b721..0000000000
--- a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
+++ /dev/null
@@ -1,309 +0,0 @@
-.\" $OpenBSD: X509_STORE_CTX_set_verify_cb.3,v 1.12 2023/05/30 07:37:34 op Exp $
-.\" full merge up to: OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
-.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2009 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 30 2023 $
-.Dt X509_STORE_CTX_SET_VERIFY_CB 3
-.Os
-.Sh NAME
-.Nm X509_STORE_CTX_verify_cb ,
-.Nm X509_STORE_CTX_set_verify_cb ,
-.Nm X509_STORE_CTX_get_verify_cb
-.Nd set and retrieve verification callback
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft typedef int
-.Fo (*X509_STORE_CTX_verify_cb)
-.Fa "int ok"
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Ft void
-.Fo X509_STORE_CTX_set_verify_cb
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509_STORE_CTX_verify_cb verify_cb"
-.Fc
-.Ft X509_STORE_CTX_verify_cb
-.Fo X509_STORE_CTX_get_verify_cb
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_STORE_CTX_set_verify_cb
-sets the verification callback of
-.Fa ctx
-to
-.Fa verify_cb
-overwriting any existing callback.
-.Pp
-The verification callback can be used to modify the operation of
-certificate verification, either by overriding error conditions or
-logging errors for debugging purposes.
-The use of a verification callback is not essential, and should not
-be used in security sensitive programs.
-.Pp
-Do not use this function.
-It is extremely fragile and unpredictable.
-This callback exposes implementation details of certificate verification,
-which change as the library evolves.
-Attempting to use it for security checks can introduce vulnerabilities if
-making incorrect assumptions about when the callback is called.
-Additionally, overriding
-.Fa ok
-may leave
-.Fa ctx
-in an inconsistent state and break invariants.
-.Pp
-Instead, customize certificate verification by configuring options on the
-.Vt X509_STORE_CTX
-before verification, or applying additional checks after
-.Xr X509_verify_cert 3
-completes successfully.
-.Pp
-The
-.Fa ok
-parameter to the callback indicates the value the callback should return
-to retain the default behaviour.
-If it is zero then an error condition is indicated.
-If it is 1 then no error occurred.
-As the default behaviour is internal to the verifier, and possibly unknown
-to the caller, changing this parameter is inherently dangerous and should not
-normally be done except for debugging purposes, and should not be expected to
-be consistent if the verifier changes.
-If the flag
-.Dv X509_V_FLAG_NOTIFY_POLICY
-is set, then
-.Fa ok
-is set to 2 to indicate the policy checking is complete.
-.Pp
-The
-.Fa ctx
-parameter to the callback is the
-.Vt X509_STORE_CTX
-structure that is performing the verification operation.
-A callback can examine this structure and receive additional information
-about the error, for example by calling
-.Xr X509_STORE_CTX_get_current_cert 3 .
-Additional application data can be passed to the callback via the
-.Sy ex_data
-mechanism.
-.Pp
-The verification callback can be set and inherited from the parent
-structure performing the operation.
-In some cases (such as S/MIME verification) the
-.Vt X509_STORE_CTX
-structure is created and destroyed internally and the only way to set a
-custom verification callback is by inheriting it from the associated
-.Vt X509_STORE .
-.Sh RETURN VALUES
-.Fn X509_STORE_CTX_get_verify_cb
-returns a pointer to the current callback function
-used by the specified
-.Fa ctx .
-If no callback was set using
-.Fn X509_STORE_CTX_set_verify_cb ,
-that is a pointer to a built-in static function
-which does nothing except returning the
-.Fa ok
-argument passed to it.
-.Sh EXAMPLES
-Default callback operation:
-.Bd -literal
-int
-verify_callback(int ok, X509_STORE_CTX *ctx)
-{
-        return ok;
-}
-.Ed
-.Pp
-This is likely the only safe callback to use.
-.Pp
-Simple and terrible example that should not be used.
-Suppose a certificate in the chain is expired and we
-wish to continue after this error:
-.Bd -literal
-int
-verify_callback(int ok, X509_STORE_CTX *ctx)
-{
-        /* Tolerate certificate expiration */
-        if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
-                return 1;
-        /* Otherwise don't override */
-        return ok;
-}
-.Ed
-.Pp
-While this example is presented for historical purposes,
-this is not the correct way to accomplish this.
-The verification flag
-.Dv X509_V_FLAG_NO_CHECK_TIME
-should be set on the
-.Vt STORE_CTX
-using
-.Xr X509_VERIFY_PARAM_set_flags 3
-instead.
-.Pp
-Full featured debugging logging callback - note that the output and
-order that things happen from this can change over time and should not
-be parsed or expected to be consistent.
-In this case the
-.Fa bio_err
-is assumed to be a global logging
-.Vt BIO ,
-an alternative would to store a
-.Vt BIO
-in
-.Fa ctx
-using
-.Sy ex_data .
-.Bd -literal
-int
-verify_callback(int ok, X509_STORE_CTX *ctx)
-{
-        X509 *err_cert;
-        int err,depth;
-
-        err_cert = X509_STORE_CTX_get_current_cert(ctx);
-        err =   X509_STORE_CTX_get_error(ctx);
-        depth = X509_STORE_CTX_get_error_depth(ctx);
-
-        BIO_printf(bio_err,"depth=%d ",depth);
-        if (err_cert) {
-                X509_NAME_print_ex(bio_err,
-                    X509_get_subject_name(err_cert), 0,
-                    XN_FLAG_ONELINE);
-                BIO_puts(bio_err, "\en");
-        } else
-                BIO_puts(bio_err, "<no cert>\en");
-        if (!ok)
-                BIO_printf(bio_err, "verify error:num=%d:%s\en",
-                    err, X509_verify_cert_error_string(err));
-        switch (err) {
-        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-                BIO_puts(bio_err, "issuer= ");
-                X509_NAME_print_ex(bio_err,
-                    X509_get_issuer_name(err_cert), 0,
-                    XN_FLAG_ONELINE);
-                BIO_puts(bio_err, "\en");
-                break;
-        case X509_V_ERR_CERT_NOT_YET_VALID:
-        case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
-                BIO_printf(bio_err, "notBefore=");
-                ASN1_TIME_print(bio_err,
-                    X509_get_notBefore(err_cert));
-                BIO_printf(bio_err, "\en");
-                break;
-        case X509_V_ERR_CERT_HAS_EXPIRED:
-        case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
-                BIO_printf(bio_err, "notAfter=");
-                ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
-                BIO_printf(bio_err, "\en");
-                break;
-        case X509_V_ERR_NO_EXPLICIT_POLICY:
-                policies_print(bio_err, ctx);
-                break;
-        }
-        if (err == X509_V_OK && ok == 2)
-                /* print out policies */
-
-        BIO_printf(bio_err,"verify return:%d\en",ok);
-        return(ok);
-}
-.Ed
-.Sh SEE ALSO
-.Xr X509_STORE_CTX_get_error 3 ,
-.Xr X509_STORE_CTX_get_ex_new_index 3 ,
-.Xr X509_STORE_CTX_new 3 ,
-.Xr X509_STORE_CTX_set_error 3 ,
-.Xr X509_STORE_CTX_set_flags 3 ,
-.Xr X509_STORE_CTX_set_verify 3 ,
-.Xr X509_STORE_set_verify_cb 3 ,
-.Xr X509_verify_cert 3 ,
-.Xr X509_VERIFY_PARAM_set_flags 3
-.Sh HISTORY
-.Fn X509_STORE_CTX_set_verify_cb
-first appeared in OpenSSL 0.9.6c and has been available since
-.Ox 3.2 .
-.Pp
-.Fn X509_STORE_CTX_get_verify_cb
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.1 .
-.Pp
-.Fn X509_STORE_CTX_verify_cb
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.2 .
-.Sh CAVEATS
-In general a verification callback should
-.Sy NOT
-return a changed value of
-.Fa ok
-because this can allow the verification to appear to succeed
-in an unpredictable way.
-This can effectively remove all security from the application because
-untrusted or invalid certificates may be accepted.
-Doing this can possibly make
-.Xr X509_verify_cert 3
-return what appears to be a validated chain of certificates that has not
-been validated or even had the signatures checked.
diff --git a/src/lib/libcrypto/man/X509_STORE_get_by_subject.3 b/src/lib/libcrypto/man/X509_STORE_get_by_subject.3
deleted file mode 100644
index 0f6fbd8410..0000000000
--- a/src/lib/libcrypto/man/X509_STORE_get_by_subject.3
+++ /dev/null
@@ -1,246 +0,0 @@
-.\" $OpenBSD: X509_STORE_get_by_subject.3,v 1.6 2024/05/12 05:08:59 tb Exp $
-.\"
-.\" Copyright (c) 2021, 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: May 12 2024 $
-.Dt X509_STORE_GET_BY_SUBJECT 3
-.Os
-.Sh NAME
-.Nm X509_STORE_CTX_get_by_subject ,
-.Nm X509_STORE_CTX_get_obj_by_subject ,
-.Nm X509_STORE_CTX_get1_certs ,
-.Nm X509_STORE_CTX_get1_crls ,
-.Nm X509_STORE_CTX_get1_issuer ,
-.Nm X509_STORE_get_by_subject ,
-.Nm X509_STORE_get1_certs ,
-.Nm X509_STORE_get1_crls
-.Nd retrieve objects from a certificate store
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft int
-.Fo X509_STORE_CTX_get_by_subject
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509_LOOKUP_TYPE type"
-.Fa "X509_NAME *name"
-.Fa "X509_OBJECT *object"
-.Fc
-.Ft X509_OBJECT *
-.Fo X509_STORE_CTX_get_obj_by_subject
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509_LOOKUP_TYPE type"
-.Fa "X509_NAME *name"
-.Fc
-.Ft STACK_OF(X509) *
-.Fo X509_STORE_CTX_get1_certs
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509_NAME *name"
-.Fc
-.Ft STACK_OF(X509_CRL) *
-.Fo X509_STORE_CTX_get1_crls
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509_NAME *name"
-.Fc
-.Ft int
-.Fo X509_STORE_CTX_get1_issuer
-.Fa "X509 **issuer"
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509 *certificate"
-.Fc
-.Ft int
-.Fo X509_STORE_get_by_subject
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509_LOOKUP_TYPE type"
-.Fa "X509_NAME *name"
-.Fa "X509_OBJECT *object"
-.Fc
-.Ft STACK_OF(X509) *
-.Fo X509_STORE_get1_certs
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509_NAME *name"
-.Fc
-.Ft STACK_OF(X509_CRL) *
-.Fo X509_STORE_get1_crls
-.Fa "X509_STORE_CTX *ctx"
-.Fa "X509_NAME *name"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_STORE_CTX_get_by_subject
-retrieves the first object having a matching
-.Fa type
-and
-.Fa name
-from the
-.Vt X509_STORE
-associated with the
-.Fa ctx .
-The
-.Fa type
-can be
-.Dv X509_LU_X509
-to retrieve a certificate or
-.Dv X509_LU_CRL
-to retrieve a revocation list.
-.Pp
-If the store does not yet contain a matching object or if the type is
-.Dv X509_LU_CRL ,
-a lookup by subject is performed on
-.Vt X509_LOOKUP
-objects associated with the store until a match is found,
-which may add zero or more objects to the store.
-.Pp
-In case of success, the content of the
-.Fa object
-provided by the caller is overwritten with a pointer to the first
-match, and the reference count of that certificate or revocation
-list is incremented by 1.
-Avoiding a memory leak by making sure the provided
-.Fa object
-is empty is the responsibility of the caller.
-.Pp
-.Fn X509_STORE_CTX_get_obj_by_subject
-is similar except that a new object is allocated and returned.
-.Pp
-.Fn X509_STORE_CTX_get1_certs
-retrieves all certificates matching the subject
-.Vt name
-from the
-.Vt X509_STORE
-associated with
-.Fa ctx .
-If there are none yet,
-.Fn X509_STORE_CTX_get_by_subject
-is called to try and add some.
-In case of success, the reference counts of all certificates
-added to the returned array are incremented by 1.
-.Pp
-.Fn X509_STORE_CTX_get1_crls
-is similar except that it operates on certificate revocation lists
-rather than on certificates and that it always calls
-.Fn X509_STORE_CTX_get_by_subject ,
-even if the
-.Vt X509_STORE
-already contains a matching revocation list.
-.Pp
-.Fn X509_STORE_CTX_get1_issuer
-retrieves the
-.Fa issuer
-CA certificate for the given
-.Fa certificate
-from the
-.Vt X509_STORE
-associated with
-.Fa ctx .
-Internally, the issuer name is retrieved with
-.Xr X509_get_issuer_name 3
-and the candidate issuer CA certificate with
-.Fn X509_STORE_X509_get_by_subject
-using that issuer name.
-.Xr X509_check_issued 3
-or a user-supplied replacement function is used to check whether the
-.Fa certificate
-was indeed issued using the
-.Fa issuer
-CA certificate before returning it.
-If verification parameters associated with
-.Fa ctx
-encourage checking of validity times, CAs with a valid time are
-preferred, but if no matching CA has a valid time, one with an
-invalid time is accepted anyway.
-.Pp
-The following are deprecated aliases implemented as macros:
-.Bl -column X509_STORE_get_by_subject F X509_STORE_CTX_get_by_subject
-.It Fn X509_STORE_get_by_subject Ta for Ta Fn X509_STORE_CTX_get_by_subject
-.It Fn X509_STORE_get1_certs     Ta for Ta Fn X509_STORE_CTX_get1_certs
-.It Fn X509_STORE_get1_crls      Ta for Ta Fn X509_STORE_CTX_get1_crls
-.El
-.Sh RETURN VALUES
-.Fn X509_STORE_CTX_get_by_subject
-and
-.Fn X509_STORE_get_by_subject
-return 1 if a match is found or 0 on failure.
-In addition to simply not finding a match,
-they may also fail due to memory allocation failure.
-With library implementations other than LibreSSL,
-they might also return negative values for internal errors.
-.Pp
-.Fn X509_STORE_CTX_get_obj_by_subject
-returns the new object or
-.Dv NULL
-on failure, in particular if no match is found or memory allocation fails.
-.Pp
-.Fn X509_STORE_CTX_get1_certs
-and
-.Fn X509_STORE_get1_certs
-return a newly allocated and populated array of certificates or
-.Dv NULL
-on failure.
-They fail if no match is found, if
-.Fn X509_STORE_CTX_get_by_subject
-fails, or if memory allocation fails.
-.Pp
-.Fn X509_STORE_CTX_get1_crls
-and
-.Fn X509_STORE_get1_crls
-return a newly allocated and populated array of CRLs or
-.Dv NULL
-on failure.
-They fail if
-.Fn X509_STORE_CTX_get_by_subject
-finds no new match, even if the associated
-.Vt X509_STORE
-already contains matching CRLs, or if memory allocation fails.
-.Pp
-.Fn X509_STORE_CTX_get1_issuer
-returns 1 if a matching
-.Fa issuer
-CA certificate is found or 0 otherwise.
-With library implementations other than LibreSSL,
-it might also return negative values for internal errors.
-.Sh SEE ALSO
-.Xr STACK_OF 3 ,
-.Xr X509_check_issued 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_get_issuer_name 3 ,
-.Xr X509_NAME_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_OBJECT_retrieve_by_subject 3 ,
-.Xr X509_STORE_CTX_new 3 ,
-.Xr X509_VERIFY_PARAM_set_flags 3
-.Sh HISTORY
-.Fn X509_STORE_get_by_subject
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_STORE_CTX_get1_issuer
-first appeared in OpenSSL 0.9.6 and has been available since
-.Ox 2.9 .
-.Pp
-.Fn X509_STORE_get1_certs
-and
-.Fn X509_STORE_get1_crls
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
-.Pp
-.Fn X509_STORE_CTX_get_by_subject
-and
-.Fn X509_STORE_CTX_get_obj_by_subject
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.1 .
-.Pp
-.Fn X509_STORE_CTX_get1_certs
-and
-.Fn X509_STORE_CTX_get1_crls
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.4 .
diff --git a/src/lib/libcrypto/man/X509_STORE_load_locations.3 b/src/lib/libcrypto/man/X509_STORE_load_locations.3
deleted file mode 100644
index a8177b0fd4..0000000000
--- a/src/lib/libcrypto/man/X509_STORE_load_locations.3
+++ /dev/null
@@ -1,188 +0,0 @@
-.\" $OpenBSD: X509_STORE_load_locations.3,v 1.12 2024/09/02 07:20:21 tb Exp $
-.\" full merge up to:
-.\" OpenSSL X509_STORE_add_cert b0edda11 Mar 20 13:00:17 2018 +0000
-.\"
-.\" Copyright (c) 2017, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 2 2024 $
-.Dt X509_STORE_LOAD_LOCATIONS 3
-.Os
-.Sh NAME
-.Nm X509_STORE_load_locations ,
-.Nm X509_STORE_set_default_paths ,
-.Nm X509_STORE_load_mem ,
-.Nm X509_STORE_add_lookup
-.Nd configure files and directories used by a certificate store
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft int
-.Fo X509_STORE_load_locations
-.Fa "X509_STORE *store"
-.Fa "const char *file"
-.Fa "const char *dirs"
-.Fc
-.Ft int
-.Fo X509_STORE_set_default_paths
-.Fa "X509_STORE *store"
-.Fc
-.Ft int
-.Fo X509_STORE_load_mem
-.Fa "X509_STORE *store"
-.Fa "void *buffer"
-.Fa "int length"
-.Fc
-.Ft X509_LOOKUP *
-.Fo X509_STORE_add_lookup
-.Fa "X509_STORE *store"
-.Fa "const X509_LOOKUP_METHOD *method"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_STORE_load_locations
-instructs the
-.Fa store
-to use the PEM
-.Fa file
-and all the PEM files in the directories
-contained in the colon-separated list
-.Fa dirs
-for looking up certificates, in addition to files and directories
-that are already configured.
-The certificates in the directories must be in hashed form, as documented in
-.Xr X509_LOOKUP_hash_dir 3 .
-Directories already in use are not added again.
-If
-.Dv NULL
-is passed for
-.Fa file
-or
-.Fa dirs ,
-no new file or no new directories are added, respectively.
-.Pp
-.Fn X509_STORE_load_locations
-is identical to
-.Xr SSL_CTX_load_verify_locations 3
-except that it operates directly on an
-.Vt X509_STORE
-object, rather than on the store used by an SSL context.
-See that manual page for more information.
-.Pp
-.Fn X509_STORE_set_default_paths
-is similar except that it instructs the
-.Fa store
-to use the default PEM file and directory
-(as documented in
-.Sx FILES )
-in addition to what is already configured.
-It ignores errors that occur while trying to load the file or to
-add the directory, but it may still fail for other reasons, for
-example when out of memory while trying to allocate the required
-.Vt X509_LOOKUP
-objects.
-.Pp
-.Fn X509_STORE_set_default_paths
-is identical to
-.Xr SSL_CTX_set_default_verify_paths 3
-except that it operates directly on an
-.Vt X509_STORE
-object, rather than on the store used by an SSL context.
-See that manual page for more information.
-.Pp
-The above functions are wrappers around
-.Xr X509_LOOKUP_load_file 3
-and
-.Xr X509_LOOKUP_add_dir 3 .
-.Pp
-.Fn X509_STORE_load_mem
-instructs the
-.Fa store
-to use the certificates contained in the memory
-.Fa buffer
-of the given
-.Fa length
-for certificate lookup.
-It is a wrapper around
-.Xr X509_LOOKUP_add_mem 3 .
-.Pp
-.Fn X509_STORE_add_lookup
-checks whether the
-.Fa store
-already contains an
-.Vt X509_LOOKUP
-object using the given
-.Fa method ;
-if it does, the existing object is returned and no other action occurs.
-Otherwise, a new
-.Vt X509_LOOKUP
-object is allocated, added, and returned.
-This function is used internally by all the functions listed above.
-.Sh RETURN VALUES
-.Fn X509_STORE_load_locations
-returns 1 if all files and directories specified were successfully
-added.
-It returns 0 for failure.
-That can happen if adding the file failed, if adding any of the
-directories failed, or if both arguments were
-.Dv NULL .
-.Pp
-.Fn X509_STORE_set_default_paths
-returns 0 for some error conditions and 1 otherwise, not just for
-success, but also for various cases of failure.
-.Pp
-.Fn X509_STORE_load_mem
-returns 1 for success or 0 for failure.
-In particular, parse errors or lack of memory can cause failure.
-.Pp
-.Fn X509_STORE_add_lookup
-returns the existing or new lookup object or
-.Dv NULL
-on failure.
-This is an internal pointer that must not be freed.
-With LibreSSL, the only reason for failure is lack of memory.
-.Sh FILES
-.Bl -tag -width Ds
-.It Pa /etc/ssl/cert.pem
-default PEM file for
-.Fn X509_STORE_set_default_paths
-.It Pa /etc/ssl/certs/
-default directory for
-.Fn X509_STORE_set_default_paths
-.El
-.Sh SEE ALSO
-.Xr SSL_CTX_load_verify_locations 3 ,
-.Xr X509_load_cert_file 3 ,
-.Xr X509_LOOKUP_hash_dir 3 ,
-.Xr X509_LOOKUP_new 3 ,
-.Xr X509_STORE_new 3 ,
-.Xr X509_STORE_set1_param 3 ,
-.Xr X509_STORE_set_verify_cb 3
-.Sh HISTORY
-.Fn X509_STORE_load_locations ,
-.Fn X509_STORE_set_default_paths ,
-and
-.Fn X509_STORE_add_lookup
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_STORE_load_mem
-first appeared in
-.Ox 5.7 .
-.Sh BUGS
-By the time that adding a directory is found to have failed,
-the file and some other directories may already have been successfully loaded,
-so these functions may change the state of the store even when they fail.
-.Pp
-.Fn X509_STORE_set_default_paths
-clears the error queue, deleting even error information that was
-already present when it was called.
diff --git a/src/lib/libcrypto/man/X509_STORE_new.3 b/src/lib/libcrypto/man/X509_STORE_new.3
deleted file mode 100644
index a17da03a41..0000000000
--- a/src/lib/libcrypto/man/X509_STORE_new.3
+++ /dev/null
@@ -1,145 +0,0 @@
-.\" $OpenBSD: X509_STORE_new.3,v 1.7 2021/11/17 16:08:32 schwarze Exp $
-.\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
-.\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by
-.\" Alessandro Ghedini <alessandro@ghedini.me>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 17 2021 $
-.Dt X509_STORE_NEW 3
-.Os
-.Sh NAME
-.Nm X509_STORE_new ,
-.Nm X509_STORE_up_ref ,
-.Nm X509_STORE_free
-.Nd allocate and free X.509 certificate stores
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft X509_STORE *
-.Fn X509_STORE_new void
-.Ft int
-.Fo X509_STORE_up_ref
-.Fa "X509_STORE *store"
-.Fc
-.Ft void
-.Fo X509_STORE_free
-.Fa "X509_STORE *store"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_STORE_new
-allocates and initializes an empty X.509 certificate store
-and sets its reference count to 1.
-.Pp
-.Fn X509_STORE_up_ref
-increments the reference count of
-.Fa store
-by 1.
-.Pp
-.Fn X509_STORE_free
-decrements the reference count of
-.Fa store
-by 1.
-If the reference count reaches 0,
-all resources used by the store, including all certificates
-contained in it, are released and
-.Fa store
-itself is freed.
-If
-.Fa store
-is a
-.Dv NULL
-pointer, no action occurs.
-.Sh RETURN VALUES
-.Fn X509_STORE_new
-returns a newly created
-.Vt X509_STORE
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn X509_STORE_up_ref
-returns 1 for success and 0 for failure.
-.Sh SEE ALSO
-.Xr PKCS7_verify 3 ,
-.Xr SSL_CTX_set_cert_store 3 ,
-.Xr X509_load_cert_file 3 ,
-.Xr X509_LOOKUP_hash_dir 3 ,
-.Xr X509_OBJECT_get0_X509 3 ,
-.Xr X509_STORE_CTX_new 3 ,
-.Xr X509_STORE_get_ex_new_index 3 ,
-.Xr X509_STORE_load_locations 3 ,
-.Xr X509_STORE_set1_param 3 ,
-.Xr X509_STORE_set_verify_cb 3 ,
-.Xr X509_verify_cert 3
-.Sh HISTORY
-.Fn X509_STORE_new
-and
-.Fn X509_STORE_free
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_STORE_up_ref
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/X509_STORE_set1_param.3 b/src/lib/libcrypto/man/X509_STORE_set1_param.3
deleted file mode 100644
index 527fe652e5..0000000000
--- a/src/lib/libcrypto/man/X509_STORE_set1_param.3
+++ /dev/null
@@ -1,268 +0,0 @@
-.\" $OpenBSD: X509_STORE_set1_param.3,v 1.22 2024/03/14 22:19:12 tb Exp $
-.\" content checked up to:
-.\" OpenSSL man3/X509_STORE_add_cert b0edda11 Mar 20 13:00:17 2018 +0000
-.\" OpenSSL man3/X509_STORE_get0_param e90fc053 Jul 15 09:39:45 2017 -0400
-.\"
-.\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 14 2024 $
-.Dt X509_STORE_SET1_PARAM 3
-.Os
-.Sh NAME
-.Nm X509_STORE_set1_param ,
-.Nm X509_STORE_set_flags ,
-.Nm X509_STORE_set_purpose ,
-.Nm X509_STORE_set_trust ,
-.Nm X509_STORE_set_depth ,
-.Nm X509_STORE_add_cert ,
-.Nm X509_STORE_add_crl ,
-.Nm X509_STORE_get0_param ,
-.Nm X509_STORE_get1_objects ,
-.Nm X509_STORE_get0_objects ,
-.Nm X509_STORE_get_ex_new_index ,
-.Nm X509_STORE_set_ex_data ,
-.Nm X509_STORE_get_ex_data
-.Nd get and set X509_STORE data
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft int
-.Fo X509_STORE_set1_param
-.Fa "X509_STORE *store"
-.Fa "X509_VERIFY_PARAM *pm"
-.Fc
-.Ft int
-.Fo X509_STORE_set_flags
-.Fa "X509_STORE *store"
-.Fa "unsigned long flags"
-.Fc
-.Ft int
-.Fo X509_STORE_set_purpose
-.Fa "X509_STORE *store"
-.Fa "int purpose"
-.Fc
-.Ft int
-.Fo X509_STORE_set_trust
-.Fa "X509_STORE *store"
-.Fa "int trust"
-.Fc
-.Ft int
-.Fo X509_STORE_set_depth
-.Fa "X509_STORE *store"
-.Fa "int depth"
-.Fc
-.Ft int
-.Fo X509_STORE_add_cert
-.Fa "X509_STORE *store"
-.Fa "X509 *x"
-.Fc
-.Ft int
-.Fo X509_STORE_add_crl
-.Fa "X509_STORE *store"
-.Fa "X509_CRL *crl"
-.Fc
-.Ft X509_VERIFY_PARAM *
-.Fo X509_STORE_get0_param
-.Fa "X509_STORE *store"
-.Fc
-.Ft STACK_OF(X509_OBJECT) *
-.Fo X509_STORE_get1_objects
-.Fa "X509_STORE *store"
-.Fc
-.Ft STACK_OF(X509_OBJECT) *
-.Fo X509_STORE_get0_objects
-.Fa "X509_STORE *store"
-.Fc
-.Ft int
-.Fo X509_STORE_get_ex_new_index
-.Fa "long argl"
-.Fa "void *argp"
-.Fa "CRYPTO_EX_new *new_func"
-.Fa "CRYPTO_EX_dup *dup_func"
-.Fa "CRYPTO_EX_free *free_func"
-.Fc
-.Ft int
-.Fo X509_STORE_set_ex_data
-.Fa "X509_STORE *store"
-.Fa "int idx"
-.Fa "void *arg"
-.Fc
-.Ft void *
-.Fo X509_STORE_get_ex_data
-.Fa "X509_STORE *store"
-.Fa "int idx"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_STORE_set1_param
-copies the verification parameters from
-.Fa pm
-using
-.Xr X509_VERIFY_PARAM_set1 3
-into the verification parameter object contained in the
-.Fa store .
-.Pp
-.Fn X509_VERIFY_PARAM_set_flags ,
-.Fn X509_STORE_set_purpose ,
-.Fn X509_STORE_set_trust ,
-and
-.Fn X509_STORE_set_depth
-call
-.Fn X509_VERIFY_PARAM_set_flags ,
-.Fn X509_VERIFY_PARAM_set_purpose ,
-.Fn X509_VERIFY_PARAM_set_trust ,
-and
-.Fn X509_VERIFY_PARAM_set_depth
-on the verification parameter object contained in the
-.Fa store .
-.Pp
-.Fn X509_STORE_add_cert
-and
-.Fn X509_STORE_add_crl
-add the certificate
-.Fa x
-or the certificate revocation list
-.Fa crl
-to the
-.Fa store ,
-increasing its reference count by 1 in case of success.
-Untrusted objects should not be added in this way.
-.Pp
-.Fn X509_STORE_get_ex_new_index ,
-.Fn X509_STORE_set_ex_data ,
-and
-.Fn X509_STORE_get_ex_data
-handle application specific data in
-.Vt X509_STORE
-objects.
-Their usage is identical to that of
-.Xr RSA_get_ex_new_index 3 ,
-.Xr RSA_set_ex_data 3 ,
-and
-.Xr RSA_get_ex_data 3 .
-.Fn X509_STORE_get_ex_new_index
-is implemented as a macro.
-.Sh RETURN VALUES
-.Fn X509_STORE_set1_param ,
-.Fn X509_STORE_set_purpose ,
-.Fn X509_STORE_set_trust ,
-and
-.Fn X509_STORE_set_ex_data
-return 1 for success or 0 for failure.
-.Pp
-.Fn X509_STORE_set_flags
-and
-.Fn X509_STORE_set_depth
-always return 1, indicating success.
-.Pp
-.Fn X509_STORE_add_cert
-and
-.Fn X509_STORE_add_crl
-return 1 for success or 0 for failure.
-For example, they fail if
-.Fa x
-or
-.Fa crl
-is a
-.Dv NULL
-pointer, if a certificate with the same subject name as
-.Fa x
-or a revocation list with the same issuer name as
-.Fa crl
-are already contained in the
-.Fa store ,
-or if memory allocation fails.
-.Pp
-.Fn X509_STORE_get0_param
-returns an internal pointer to the verification parameter object
-contained in the
-.Fa store .
-The returned pointer must not be freed by the calling application.
-.Pp
-.Fn X509_STORE_get1_objects
-returns a newly allocated stack containing
-the certificates, revocation lists, and private keys in
-.Fa store ,
-as well as cached objects added by
-.Xr X509_LOOKUP_hash_dir 3 .
-The caller must release the result with
-.Xr sk_pop_free 3
-and
-.Xr X509_OBJECT_free 3
-when done.
-.Pp
-.Fn X509_STORE_get0_objects
-is a deprecated function returning an internal pointer to
-the stack of certificates, revocation lists, and private keys contained in
-.Fa store .
-The returned pointer must not be modified or freed by the calling application.
-This function is not thread-safe.
-If
-.Fa store
-is shared across multiple threads, callers cannot safely inspect the result of
-this function, because another thread may have concurrently added to it.
-In particular,
-.Xr X509_LOOKUP_hash_dir 3
-treats this list as a cache and may add to it in the course of certificate
-verification.
-.Pp
-.Fn X509_STORE_get_ex_new_index
-returns a new index or \-1 on failure.
-.Pp
-.Fn X509_STORE_get_ex_data
-returns the application data or
-.Dv NULL
-on failure.
-.Sh SEE ALSO
-.Xr RSA_get_ex_new_index 3 ,
-.Xr SSL_set1_param 3 ,
-.Xr X509_LOOKUP_new 3 ,
-.Xr X509_OBJECT_get0_X509 3 ,
-.Xr X509_STORE_CTX_set0_param 3 ,
-.Xr X509_STORE_load_locations 3 ,
-.Xr X509_STORE_new 3 ,
-.Xr X509_VERIFY_PARAM_new 3 ,
-.Xr X509_VERIFY_PARAM_set_flags 3
-.Sh HISTORY
-.Fn X509_STORE_add_cert
-first appeared in SSLeay 0.8.0.
-.Fn X509_STORE_add_crl
-first appeared in SSLeay 0.9.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_STORE_set_flags ,
-.Fn X509_STORE_set_purpose ,
-and
-.Fn X509_STORE_set_trust
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn X509_STORE_set1_param
-and
-.Fn X509_STORE_set_depth
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
-.Fn X509_STORE_get0_param ,
-.Fn X509_STORE_get0_objects ,
-.Fn X509_STORE_get_ex_new_index ,
-.Fn X509_STORE_set_ex_data ,
-and
-.Fn X509_STORE_get_ex_data
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.3 .
-.Pp
-.Fn X509_STORE_get1_objects
-first appeared in BoringSSL and has been available since
-.Ox 7.5 .
diff --git a/src/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 b/src/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
deleted file mode 100644
index bdd5ea5044..0000000000
--- a/src/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
+++ /dev/null
@@ -1,121 +0,0 @@
-.\" $OpenBSD: X509_STORE_set_verify_cb_func.3,v 1.12 2022/11/16 14:51:08 schwarze Exp $
-.\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
-.\" selective merge up to: OpenSSL 315c47e0 Dec 1 14:22:16 2020 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2009 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 16 2022 $
-.Dt X509_STORE_SET_VERIFY_CB_FUNC 3
-.Os
-.Sh NAME
-.Nm X509_STORE_set_verify_cb ,
-.Nm X509_STORE_set_verify_cb_func ,
-.Nm X509_STORE_get_verify_cb
-.Nd set verification callback
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft void
-.Fo X509_STORE_set_verify_cb
-.Fa "X509_STORE *st"
-.Fa "X509_STORE_CTX_verify_cb verify_cb"
-.Fc
-.Ft void
-.Fo X509_STORE_set_verify_cb_func
-.Fa "X509_STORE *st"
-.Fa "X509_STORE_CTX_verify_cb verify_cb"
-.Fc
-.Ft X509_STORE_CTX_verify_cb
-.Fo X509_STORE_get_verify_cb
-.Fa "X509_STORE *st"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_STORE_set_verify_cb
-sets the verification callback of
-.Sy ctx
-to
-.Sy verify_cb ,
-overwriting any existing callback.
-.Pp
-.Fn X509_STORE_set_verify_cb_func
-also sets the verification callback but it is implemented as a macro.
-.Pp
-The verification callback from an
-.Vt X509_STORE
-is inherited by the corresponding
-.Vt X509_STORE_CTX
-structure when it is initialized.
-This can be used to set the verification callback when the
-.Vt X509_STORE_CTX
-is otherwise inaccessible (for example during S/MIME verification).
-.Sh RETURN VALUES
-.Fn X509_STORE_get_verify_cb
-returns the function pointer set with
-.Fn X509_STORE_set_verify_cb ,
-or
-.Dv NULL
-if that function was not called on
-.Fa st .
-.Sh SEE ALSO
-.Xr X509_STORE_CTX_new 3 ,
-.Xr X509_STORE_CTX_set_verify 3 ,
-.Xr X509_STORE_CTX_set_verify_cb 3 ,
-.Xr X509_STORE_new 3 ,
-.Xr X509_STORE_set_flags 3 ,
-.Xr X509_verify_cert 3
-.Sh HISTORY
-.Fn X509_STORE_set_verify_cb_func
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_STORE_set_verify_cb
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
-.Pp
-.Fn X509_STORE_get_verify_cb
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.2 .
diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
deleted file mode 100644
index a22d2b1b4b..0000000000
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
+++ /dev/null
@@ -1,306 +0,0 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_new.3,v 1.5 2023/05/24 09:57:50 tb Exp $
-.\"
-.\" Copyright (c) 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: May 24 2023 $
-.Dt X509_VERIFY_PARAM_NEW 3
-.Os
-.Sh NAME
-.Nm X509_VERIFY_PARAM_new ,
-.Nm X509_VERIFY_PARAM_inherit ,
-.Nm X509_VERIFY_PARAM_set1 ,
-.Nm X509_VERIFY_PARAM_free ,
-.Nm X509_VERIFY_PARAM_add0_table ,
-.Nm X509_VERIFY_PARAM_lookup ,
-.Nm X509_VERIFY_PARAM_get_count ,
-.Nm X509_VERIFY_PARAM_get0 ,
-.Nm X509_VERIFY_PARAM_table_cleanup
-.\" The following constants defined in the public header <openssl/x509_vfy.h>
-.\" are intentionally undocumented because X509_VERIFY_PARAM is an opaque
-.\" struct and LibreSSL provides neither X509_VERIFY_PARAM_set_inh_flags(3)
-.\" nor X509_VERIFY_PARAM_get_inh_flags(3):
-.\" X509_VP_FLAG_DEFAULT
-.\" X509_VP_FLAG_OVERWRITE
-.\" X509_VP_FLAG_RESET_FLAGS
-.\" X509_VP_FLAG_LOCKED
-.\" X509_VP_FLAG_ONCE
-.Nd X509 verification parameter objects
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft X509_VERIFY_PARAM *
-.Fo X509_VERIFY_PARAM_new
-.Fa void
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_inherit
-.Fa "X509_VERIFY_PARAM *destination"
-.Fa "const X509_VERIFY_PARAM *source"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1
-.Fa "X509_VERIFY_PARAM *destination"
-.Fa "const X509_VERIFY_PARAM *source"
-.Fc
-.Ft void
-.Fo X509_VERIFY_PARAM_free
-.Fa "X509_VERIFY_PARAM *param"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_add0_table
-.Fa "X509_VERIFY_PARAM *param"
-.Fc
-.Ft const X509_VERIFY_PARAM *
-.Fo X509_VERIFY_PARAM_lookup
-.Fa "const char *name"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_get_count
-.Fa void
-.Fc
-.Ft const X509_VERIFY_PARAM *
-.Fo X509_VERIFY_PARAM_get0
-.Fa "int id"
-.Fc
-.Ft void
-.Fo X509_VERIFY_PARAM_table_cleanup
-.Fa void
-.Fc
-.Sh DESCRIPTION
-.Fn X509_VERIFY_PARAM_new
-allocates and initializes an empty
-.Vt X509_VERIFY_PARAM
-object.
-.Pp
-.Fn X509_VERIFY_PARAM_inherit
-copies some data from the
-.Fa source
-object to the
-.Fa destination
-object.
-.Pp
-The verification flags set with
-.Xr X509_VERIFY_PARAM_set_flags 3
-in the
-.Fa source
-object are always OR'ed into the verification flags of the
-.Fa destination
-object.
-.Pp
-Fields having their default value in the
-.Fa source
-object are not copied.
-.Pp
-By default, fields in the
-.Fa destination
-object already having a non-default value are not overwritten.
-However, if at least one of the
-.Fa source
-or
-.Fa destination
-objects was created during a call to
-.Xr X509_STORE_CTX_init 3
-that did not have a
-.Fa store
-argument, and if that object was not previously used as the
-.Fa destination
-in an earlier call to
-.Fn X509_VERIFY_PARAM_inherit ,
-this restriction is waived and even non-default fields in the
-.Fa destination
-object get overwritten.
-If fields overwritten in this way contain pointers to allocated memory,
-that memory is freed.
-.Pp
-As far as permitted by the above rules, the following fields are copied:
-.Bl -bullet -width 1n
-.It
-the verification purpose identifier set with
-.Xr X509_VERIFY_PARAM_set_purpose 3
-.It
-the trust setting set with
-.Xr X509_VERIFY_PARAM_set_trust 3
-.It
-the verification time set with
-.Xr X509_VERIFY_PARAM_set_time 3 ;
-in this case, the only condition is that
-.Dv X509_V_FLAG_USE_CHECK_TIME
-is not set in the
-.Fa destination
-object, whereas the time value in the
-.Fa destination
-object is not inspected before overwriting it
-.It
-the acceptable policy set with
-.Xr X509_VERIFY_PARAM_set1_policies 3
-.It
-the maximum verification depth set with
-.Xr X509_VERIFY_PARAM_set_depth 3
-.It
-flags that were set with
-.Xr X509_VERIFY_PARAM_set_hostflags 3
-.It
-the list of expected DNS hostnames built with
-.Xr X509_VERIFY_PARAM_set1_host 3
-and
-.Xr X509_VERIFY_PARAM_add1_host 3
-.It
-the expected RFC 822 email address set with
-.Xr X509_VERIFY_PARAM_set1_email 3
-.It
-the expected IP address set with
-.Xr X509_VERIFY_PARAM_set1_ip 3
-or
-.Xr X509_VERIFY_PARAM_set1_ip_asc 3
-.El
-.Pp
-Some data that may be contained in the
-.Fa source
-object is never copied, for example the subject name of the peer
-certificate that can be retrieved with
-.Xr X509_VERIFY_PARAM_get0_peername 3 .
-.Pp
-If
-.Fa source
-is a
-.Dv NULL
-pointer, the function has no effect but returns successfully.
-.Pp
-.Fn X509_VERIFY_PARAM_set1
-is identical to
-.Fn X509_VERIFY_PARAM_inherit
-except that fields in the
-.Fa destination
-object are overwritten even if they do not match their default values.
-Still, fields having their default value in the
-.Fa source
-object are not copied.
-.Pp
-If
-.Fn X509_VERIFY_PARAM_inherit
-or
-.Fn X509_VERIFY_PARAM_set1
-fail, partial copying may have occurred, so all data in the
-.Fa destination
-object should be regarded as invalid.
-.Pp
-.Fn X509_VERIFY_PARAM_inherit
-is used internally by
-.Xr X509_STORE_CTX_init 3
-and by
-.Xr X509_STORE_CTX_set_default 3 ,
-and
-.Fn X509_VERIFY_PARAM_set1
-is used internally by
-.Xr X509_STORE_set1_param 3 .
-.Pp
-.Fn X509_VERIFY_PARAM_free
-clears all data contained in
-.Fa param
-and releases all memory used by it.
-If
-.Fa param
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn X509_VERIFY_PARAM_add0_table
-adds
-.Fa param
-to a static list of
-.Vt X509_VERIFY_PARAM
-objects maintained by the library.
-This function is extremely dangerous because contrary to the name
-of the function, if the list already contains an object that happens
-to have the same name, that old object is not only silently removed
-from the list, but also silently freed, which may silently invalidate
-various pointers existing elsewhere in the program.
-.Pp
-.Fn X509_VERIFY_PARAM_lookup
-searches this list for an object of the given
-.Fa name .
-If no match is found, the predefined objects built-in to the library
-are also inspected.
-.Pp
-.Fn X509_VERIFY_PARAM_get_count
-returns the sum of the number of objects on this list and the number
-of predefined objects built-in to the library.
-Note that this is not necessarily the total number of
-.Vt X509_VERIFY_PARAM
-objects existing in the program because there may be additional such
-objects that were never added to the list.
-.Pp
-.Fn X509_VERIFY_PARAM_get0
-accesses predefined and user-defined objects using
-.Fa id
-as an index, useful for looping over objects without knowing their names.
-An argument less than the number of predefined objects selects
-one of the predefined objects; a higher argument selects an object
-from the list.
-.Pp
-.Fn X509_VERIFY_PARAM_table_cleanup
-deletes all objects from this list.
-It is extremely dangerous because it also invalidates all data that
-was contained in all objects that were on the list and because it
-frees all these objects, which may invalidate various pointers
-existing elsewhere in the program.
-.Sh RETURN VALUES
-.Fn X509_VERIFY_PARAM_new
-returns a pointer to the new object, or
-.Dv NULL
-on allocation failure.
-.Pp
-.Fn X509_VERIFY_PARAM_inherit ,
-.Fn X509_VERIFY_PARAM_set1 ,
-and
-.Fn X509_VERIFY_PARAM_add0_table
-return 1 for success or 0 for failure.
-.Pp
-.Fn X509_VERIFY_PARAM_lookup
-and
-.Fn X509_VERIFY_PARAM_get0
-return a pointer to an existing built-in or user-defined object, or
-.Dv NULL
-if no object with the given
-.Fa name
-is found, or if
-.Fa id
-is at least
-.Fn X509_VERIFY_PARAM_get_count .
-.Pp
-.Fn X509_VERIFY_PARAM_get_count
-returns a number of objects.
-.Sh SEE ALSO
-.Xr SSL_set1_param 3 ,
-.Xr X509_STORE_CTX_set0_param 3 ,
-.Xr X509_STORE_set1_param 3 ,
-.Xr X509_verify_cert 3 ,
-.Xr X509_VERIFY_PARAM_set_flags 3
-.Sh HISTORY
-.Fn X509_VERIFY_PARAM_new ,
-.Fn X509_VERIFY_PARAM_inherit ,
-.Fn X509_VERIFY_PARAM_set1 ,
-.Fn X509_VERIFY_PARAM_free ,
-.Fn X509_VERIFY_PARAM_add0_table ,
-.Fn X509_VERIFY_PARAM_lookup ,
-and
-.Fn X509_VERIFY_PARAM_table_cleanup
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
-.Fn X509_VERIFY_PARAM_get_count
-and
-.Fn X509_VERIFY_PARAM_get0
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
deleted file mode 100644
index a0ae839f9a..0000000000
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
+++ /dev/null
@@ -1,736 +0,0 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.29 2023/04/30 19:40:23 tb Exp $
-.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
-.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2021, 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" and Viktor Dukhovni <viktor@dukhovni.org>.
-.\" Copyright (c) 2009, 2013, 2014, 2015, 2016, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 30 2023 $
-.Dt X509_VERIFY_PARAM_SET_FLAGS 3
-.Os
-.Sh NAME
-.Nm X509_VERIFY_PARAM_get0_name ,
-.Nm X509_VERIFY_PARAM_set1_name ,
-.Nm X509_VERIFY_PARAM_set_flags ,
-.Nm X509_VERIFY_PARAM_clear_flags ,
-.Nm X509_VERIFY_PARAM_get_flags ,
-.Nm X509_VERIFY_PARAM_set_purpose ,
-.Nm X509_VERIFY_PARAM_set_trust ,
-.Nm X509_VERIFY_PARAM_set_time ,
-.Nm X509_VERIFY_PARAM_get_time ,
-.Nm X509_VERIFY_PARAM_add0_policy ,
-.Nm X509_VERIFY_PARAM_set1_policies ,
-.Nm X509_VERIFY_PARAM_set_depth ,
-.Nm X509_VERIFY_PARAM_get_depth ,
-.Nm X509_VERIFY_PARAM_set_auth_level ,
-.Nm X509_VERIFY_PARAM_set1_host ,
-.Nm X509_VERIFY_PARAM_add1_host ,
-.Nm X509_VERIFY_PARAM_set_hostflags ,
-.Nm X509_VERIFY_PARAM_get0_peername ,
-.Nm X509_VERIFY_PARAM_set1_email ,
-.Nm X509_VERIFY_PARAM_set1_ip ,
-.Nm X509_VERIFY_PARAM_set1_ip_asc
-.Nd X509 verification parameters
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft const char *
-.Fo X509_VERIFY_PARAM_get0_name
-.Fa "const X509_VERIFY_PARAM *param"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_name
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const char *name"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set_flags
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "unsigned long flags"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_clear_flags
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "unsigned long flags"
-.Fc
-.Ft unsigned long
-.Fo X509_VERIFY_PARAM_get_flags
-.Fa "X509_VERIFY_PARAM *param"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set_purpose
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "int purpose"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set_trust
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "int trust"
-.Fc
-.Ft void
-.Fo X509_VERIFY_PARAM_set_time
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "time_t t"
-.Fc
-.Ft time_t
-.Fo X509_VERIFY_PARAM_get_time
-.Fa const X509_VERIFY_PARAM *param"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_add0_policy
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "ASN1_OBJECT *policy"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_policies
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "STACK_OF(ASN1_OBJECT) *policies"
-.Fc
-.Ft void
-.Fo X509_VERIFY_PARAM_set_depth
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "int depth"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_get_depth
-.Fa "const X509_VERIFY_PARAM *param"
-.Fc
-.Ft void
-.Fo X509_VERIFY_PARAM_set_auth_level
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "int auth_level"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_host
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const char *name"
-.Fa "size_t namelen"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_add1_host
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const char *name"
-.Fa "size_t namelen"
-.Fc
-.Ft void
-.Fo X509_VERIFY_PARAM_set_hostflags
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "unsigned int flags"
-.Fc
-.Ft char *
-.Fo X509_VERIFY_PARAM_get0_peername
-.Fa "X509_VERIFY_PARAM *param"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_email
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const char *email"
-.Fa "size_t emaillen"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_ip
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const unsigned char *ip"
-.Fa "size_t iplen"
-.Fc
-.Ft int
-.Fo X509_VERIFY_PARAM_set1_ip_asc
-.Fa "X509_VERIFY_PARAM *param"
-.Fa "const char *ipasc"
-.Fc
-.Sh DESCRIPTION
-These functions manipulate an
-.Vt X509_VERIFY_PARAM
-object associated with a certificate verification operation.
-.Pp
-.Fn X509_VERIFY_PARAM_get0_name
-returns the name of the given
-.Fa param
-object, usually describing its purpose, for example
-.Qq default ,
-.Qq pkcs7 ,
-.Qq smime_sign ,
-.Qq ssl_client ,
-or
-.Qq ssl_server .
-For user-defined objects, the returned pointer may be
-.Dv NULL
-even if the object is otherwise valid.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_name
-sets the name of
-.Fa param
-to a copy of
-.Fa name ,
-or to
-.Dv NULL
-if
-.Fa name
-is
-.Dv NULL .
-.Pp
-.Fn X509_VERIFY_PARAM_set_flags
-sets the flags in
-.Fa param
-by OR'ing it with
-.Fa flags .
-See the
-.Sx VERIFICATION FLAGS
-section for a complete description of values the
-.Fa flags
-parameter can take.
-.Pp
-If the
-.Fa flags
-argument includes any of the flags contained in
-.Dv X509_V_FLAG_POLICY_MASK ,
-that is, any of
-.Dv X509_V_FLAG_POLICY_CHECK ,
-.Dv X509_V_FLAG_EXPLICIT_POLICY ,
-.Dv X509_V_FLAG_INHIBIT_ANY ,
-and
-.Dv X509_V_FLAG_INHIBIT_MAP ,
-then
-.Dv X509_V_FLAG_POLICY_CHECK
-is set in addition to the flags contained in the
-.Fa flags
-argument.
-.Pp
-.Fn X509_VERIFY_PARAM_get_flags
-returns the flags in
-.Fa param .
-.Pp
-.Fn X509_VERIFY_PARAM_clear_flags
-clears the specified
-.Fa flags
-in
-.Fa param .
-.Pp
-Calling this function can result in unusual internal states of the
-.Fa param
-object, for example having a verification time configured but having
-.Dv X509_V_FLAG_USE_CHECK_TIME
-unset, or having
-.Dv X509_V_FLAG_EXPLICIT_POLICY
-set but
-.Dv X509_V_FLAG_POLICY_CHECK
-unset, which may have surprising effects.
-.Pp
-.Fn X509_VERIFY_PARAM_set_purpose
-sets the verification
-.Fa purpose
-identifier in
-.Fa param .
-This determines the acceptable purpose of the certificate chain, for example
-.Dv X509_PURPOSE_SSL_CLIENT
-or
-.Dv X509_PURPOSE_SSL_SERVER .
-Standard purposes are listed in
-.Xr X509_check_purpose 3 ,
-and additional purposes can be defined with
-.Xr X509_PURPOSE_add 3 .
-.Pp
-.Fn X509_VERIFY_PARAM_set_trust
-sets the trust setting in
-.Fa param
-to
-.Fa trust .
-.Pp
-.Fn X509_VERIFY_PARAM_set_time
-sets the flag
-.Dv X509_V_FLAG_USE_CHECK_TIME
-in
-.Fa param
-in addition to the flags already set and sets the verification time to
-.Fa t .
-If this function is not called, the current time is used instead,
-or the UNIX Epoch (January 1, 1970) if
-.Dv X509_V_FLAG_USE_CHECK_TIME
-is manually set using
-.Fn X509_VERIFY_PARAM_set_flags .
-.Pp
-.Fn X509_VERIFY_PARAM_add0_policy
-enables policy checking (it is disabled by default) and adds
-.Fa policy
-to the acceptable policy set.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_policies
-enables policy checking (it is disabled by default) and sets the
-acceptable policy set to
-.Fa policies .
-Any existing policy set is cleared.
-The
-.Fa policies
-parameter can be
-.Dv NULL
-to clear an existing policy set.
-.Pp
-.Fn X509_VERIFY_PARAM_set_depth
-sets the maximum verification depth to
-.Fa depth .
-That is the maximum number of untrusted CA certificates that can appear
-in a chain.
-.Pp
-.Fn X509_VERIFY_PARAM_set_auth_level
-sets the security level as defined in
-.Xr SSL_CTX_set_security_level 3
-for certificate chain validation.
-For a certificate chain to validate, the public keys of all the
-certificates must meet the specified security level.
-The signature algorithm security level is not enforced for the
-chain's trust anchor certificate, which is either directly trusted
-or validated by means other than its signature.
-.Pp
-From the point of view of the X.509 library,
-the default security level is 0.
-However, the SSL library
-uses a different default security level of 1 and calls
-.Fn X509_VERIFY_PARAM_set_auth_level
-with its own level before validating a certificate chain.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_host
-sets the expected DNS hostname to
-.Fa name
-clearing any previously specified hostname or names.
-If
-.Fa name
-is
-.Dv NULL
-or empty, the list of hostnames is cleared, and name checks are not
-performed on the peer certificate.
-.Fa namelen
-should be set to the length of
-.Fa name .
-For historical compatibility, if
-.Fa name
-is NUL-terminated,
-.Fa namelen
-may be specified as zero.
-When a hostname is specified, certificate verification automatically
-invokes
-.Xr X509_check_host 3
-with flags equal to the
-.Fa flags
-argument given to
-.Fn X509_VERIFY_PARAM_set_hostflags
-(default zero).
-.Fn X509_VERIFY_PARAM_set1_host
-will fail if
-.Fa name
-contains any embedded 0 bytes.
-.Pp
-.Fn X509_VERIFY_PARAM_add1_host
-adds
-.Fa name
-as an additional reference identifier that can match the peer's
-certificate.
-Any previous names set via
-.Fn X509_VERIFY_PARAM_set1_host
-and
-.Fn X509_VERIFY_PARAM_add1_host
-are retained.
-No change is made if
-.Fa name
-is
-.Dv NULL
-or empty.
-.Fa namelen
-should be set to the length of
-.Fa name .
-For historical compatibility, if
-.Fa name
-is NUL-terminated,
-.Fa namelen
-may be specified as zero.
-.Fn X509_VERIFY_PARAM_add1_host
-will fail if
-.Fa name
-contains any embedded 0 bytes.
-When multiple names are configured, the peer is considered verified when
-any name matches.
-.Pp
-.Fn X509_VERIFY_PARAM_get0_peername
-returns the DNS hostname or subject CommonName from the peer certificate
-that matched one of the reference identifiers.
-When wildcard matching is not disabled, or when a reference identifier
-specifies a parent domain (starts with ".") rather than a hostname, the
-peer name may be a wildcard name or a sub-domain of the reference
-identifier respectively.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_email
-sets the expected RFC 822 email address to
-.Fa email .
-.Fa emaillen
-should be set to the length of
-.Fa email .
-For historical compatibility, if
-.Fa email
-is NUL-terminated,
-.Fa emaillen
-may be specified as zero,
-.Fn X509_VERIFY_PARAM_set1_email
-will fail if
-.Fa email
-is NULL, an empty string, or contains embedded 0 bytes.
-When an email address is specified, certificate verification
-automatically invokes
-.Xr X509_check_email 3 .
-.Pp
-.Fn X509_VERIFY_PARAM_set1_ip
-sets the expected IP address to
-.Fa ip .
-The
-.Fa ip
-argument is in binary format, in network byte-order, and
-.Fa iplen
-must be set to 4 for IPv4 and 16 for IPv6.
-.Fn X509_VERIFY_PARAM_set1_ip
-will fail if
-.Fa ip
-is NULL or if
-.Fa iplen
-is not 4 or 16.
-When an IP address is specified,
-certificate verification automatically invokes
-.Xr X509_check_ip 3 .
-.Pp
-.Fn X509_VERIFY_PARAM_set1_ip_asc
-sets the expected IP address to
-.Fa ipasc .
-The
-.Fa ipasc
-argument is a NUL-terminal ASCII string:
-dotted decimal quad for IPv4 and colon-separated hexadecimal for IPv6.
-The condensed "::" notation is supported for IPv6 addresses.
-.Fn X509_VERIFY_PARAM_set1_ip_asc
-will fail if
-.Fa ipasc
-is unparsable.
-.Sh RETURN VALUES
-.Fn X509_VERIFY_PARAM_set1_name ,
-.Fn X509_VERIFY_PARAM_set_flags ,
-.Fn X509_VERIFY_PARAM_clear_flags ,
-.Fn X509_VERIFY_PARAM_set_purpose ,
-.Fn X509_VERIFY_PARAM_set_trust ,
-.Fn X509_VERIFY_PARAM_add0_policy ,
-and
-.Fn X509_VERIFY_PARAM_set1_policies
-return 1 for success or 0 for failure.
-.Pp
-.Fn X509_VERIFY_PARAM_set1_host ,
-.Fn X509_VERIFY_PARAM_add1_host ,
-.Fn X509_VERIFY_PARAM_set1_email ,
-.Fn X509_VERIFY_PARAM_set1_ip ,
-and
-.Fn X509_VERIFY_PARAM_set1_ip_asc
-return 1 for success or 0 for failure.
-A failure from these routines will poison
-the
-.Vt X509_VERIFY_PARAM
-object so that future calls to
-.Xr X509_verify_cert 3
-using the poisoned object will fail.
-.Pp
-.Fn X509_VERIFY_PARAM_get_flags
-returns the current verification flags.
-.Pp
-.Fn X509_VERIFY_PARAM_get_time
-always returns the configured verification time.
-It does so even if the returned time will not be used because the flag
-.Dv X509_V_FLAG_USE_CHECK_TIME
-is unset.
-.Pp
-.Fn X509_VERIFY_PARAM_get_depth
-returns the current verification depth.
-.Pp
-.Fn X509_VERIFY_PARAM_get0_name
-and
-.Fn X509_VERIFY_PARAM_get0_peername
-return pointers to strings that are only valid
-during the lifetime of the given
-.Fa param
-object and that must not be freed by the application program.
-.Sh VERIFICATION FLAGS
-The verification flags consists of zero or more of the following
-flags OR'ed together.
-.Pp
-.Dv X509_V_FLAG_CRL_CHECK
-enables CRL checking for the certificate chain leaf certificate.
-An error occurs if a suitable CRL cannot be found.
-.Pp
-.Dv X509_V_FLAG_CRL_CHECK_ALL
-enables CRL checking for the entire certificate chain.
-.Pp
-.Dv X509_V_FLAG_IGNORE_CRITICAL
-disables critical extension checking.
-By default any unhandled critical extensions in certificates or (if
-checked) CRLs results in a fatal error.
-If this flag is set, unhandled critical extensions are ignored.
-.Sy WARNING :
-setting this option for anything other than debugging purposes can be a
-security risk.
-Finer control over which extensions are supported can be performed in
-the verification callback.
-.Pp
-The
-.Dv X509_V_FLAG_X509_STRICT
-flag disables workarounds for some broken certificates and makes the
-verification strictly apply X509 rules.
-.Pp
-.Dv X509_V_FLAG_ALLOW_PROXY_CERTS
-deprecated flag that used to
-enable proxy certificate verification.
-In LibreSSL, this flag has no effect.
-.Pp
-.Dv X509_V_FLAG_POLICY_CHECK
-enables certificate policy checking; by default no policy checking is
-performed.
-Additional information is sent to the verification callback relating to
-policy checking.
-.Pp
-.Dv X509_V_FLAG_EXPLICIT_POLICY ,
-.Dv X509_V_FLAG_INHIBIT_ANY ,
-and
-.Dv X509_V_FLAG_INHIBIT_MAP
-set the
-.Dq require explicit policy ,
-.Dq inhibit any policy ,
-and
-.Dq inhibit policy mapping
-flags, respectively, as defined in RFC 3280.
-These three flags are ignored unless
-.Dv X509_V_FLAG_POLICY_CHECK
-is also set.
-.Pp
-If
-.Dv X509_V_FLAG_NOTIFY_POLICY
-is set and policy checking is successful, a special status code is
-sent to the verification callback.
-.Pp
-By default some additional features such as indirect CRLs and CRLs
-signed by different keys are disabled.
-If
-.Dv X509_V_FLAG_EXTENDED_CRL_SUPPORT
-is set, they are enabled.
-.Pp
-If
-.Dv X509_V_FLAG_USE_DELTAS
-is set, delta CRLs (if present) are used to determine certificate
-status.
-If not set, deltas are ignored.
-.Pp
-.Dv X509_V_FLAG_CHECK_SS_SIGNATURE
-enables checking of the root CA self signed certificate signature.
-By default this check is disabled because it doesn't add any additional
-security but in some cases applications might want to check the
-signature anyway.
-A side effect of not checking the root CA signature is that disabled or
-unsupported message digests on the root CA are not treated as fatal
-errors.
-.Pp
-The deprecated
-.Dv X509_V_FLAG_CB_ISSUER_CHECK
-flag used to enable debugging of certificate issuer checks.
-It is provided for binary backwards compatibility and has no effect.
-.Pp
-When
-.Dv X509_V_FLAG_TRUSTED_FIRST
-is set, construction of the certificate chain in
-.Xr X509_verify_cert 3
-will search the trust store for issuer certificates before searching the
-provided untrusted certificates.
-Local issuer certificates are often more likely to satisfy local
-security requirements and lead to a locally trusted root.
-This is especially important when some certificates in the trust store
-have explicit trust settings; see the trust settings options of the
-.Cm x509
-command in
-.Xr openssl 1 .
-.Pp
-The
-.Dv X509_V_FLAG_NO_ALT_CHAINS
-flag suppresses checking for alternative chains.
-By default, unless
-.Dv X509_V_FLAG_TRUSTED_FIRST
-is set, when building a certificate chain, if the first certificate
-chain found is not trusted, then OpenSSL will attempt to replace
-untrusted certificates supplied by the peer with certificates from the
-trust store to see if an alternative chain can be found that is trusted.
-.Pp
-The
-.Dv X509_V_FLAG_PARTIAL_CHAIN
-flag causes intermediate certificates in the trust store to be treated
-as trust-anchors, in the same way as the self-signed root CA
-certificates.
-This makes it possible to trust certificates issued by an intermediate
-CA without having to trust its ancestor root CA.
-.Pp
-If
-.Dv X509_V_FLAG_USE_CHECK_TIME
-is set, the validity period of certificates and CRLs is checked.
-In this case,
-.Dv X509_V_FLAG_NO_CHECK_TIME
-is ignored.
-If the validation time was set with
-.Fn X509_VERIFY_PARAM_set_time ,
-that time is used.
-If
-.Fn X509_VERIFY_PARAM_set_time
-was not called, the UNIX Epoch (January 1, 1970) is used.
-.Pp
-If neither
-.Dv X509_V_FLAG_USE_CHECK_TIME
-nor
-.Dv X509_V_FLAG_NO_CHECK_TIME
-is set, the validity period of certificates and CRLs is checked
-using the current time.
-This is the default behaviour.
-In this case, if a validation time was set with
-.Fn X509_VERIFY_PARAM_set_time
-but
-.Dv X509_V_FLAG_USE_CHECK_TIME
-was later cleared with
-.Fn X509_VERIFY_PARAM_clear_flags ,
-the configured validation time is ignored
-and the current time is used anyway.
-.Pp
-If
-.Dv X509_V_FLAG_USE_CHECK_TIME
-is not set but
-.Dv X509_V_FLAG_NO_CHECK_TIME
-is set, the validity period of certificates and CRLs is not checked
-at all, and like in the previous case, any configured validation
-time is ignored.
-.Sh EXAMPLES
-Enable CRL checking when performing certificate verification during
-SSL connections associated with an
-.Vt SSL_CTX
-structure
-.Fa ctx :
-.Bd -literal -offset indent
-X509_VERIFY_PARAM *param;
-
-param = X509_VERIFY_PARAM_new();
-X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
-SSL_CTX_set1_param(ctx, param);
-X509_VERIFY_PARAM_free(param);
-.Ed
-.Sh SEE ALSO
-.Xr SSL_set1_host 3 ,
-.Xr SSL_set1_param 3 ,
-.Xr X509_check_host 3 ,
-.Xr X509_STORE_CTX_new 3 ,
-.Xr X509_STORE_new 3 ,
-.Xr X509_verify_cert 3 ,
-.Xr X509_VERIFY_PARAM_new 3
-.Sh HISTORY
-.Fn X509_VERIFY_PARAM_set1_name ,
-.Fn X509_VERIFY_PARAM_set_flags ,
-.Fn X509_VERIFY_PARAM_set_purpose ,
-.Fn X509_VERIFY_PARAM_set_trust ,
-.Fn X509_VERIFY_PARAM_set_time ,
-.Fn X509_VERIFY_PARAM_add0_policy ,
-.Fn X509_VERIFY_PARAM_set1_policies ,
-.Fn X509_VERIFY_PARAM_set_depth ,
-and
-.Fn X509_VERIFY_PARAM_get_depth
-first appeared in OpenSSL 0.9.8.
-.Fn X509_VERIFY_PARAM_clear_flags
-and
-.Fn X509_VERIFY_PARAM_get_flags
-first appeared in OpenSSL 0.9.8a.
-All these functions have been available since
-.Ox 4.5 .
-.Pp
-.Fn X509_VERIFY_PARAM_get0_name ,
-.Fn X509_VERIFY_PARAM_set1_host ,
-.Fn X509_VERIFY_PARAM_add1_host ,
-.Fn X509_VERIFY_PARAM_set_hostflags ,
-.Fn X509_VERIFY_PARAM_get0_peername ,
-.Fn X509_VERIFY_PARAM_set1_email ,
-.Fn X509_VERIFY_PARAM_set1_ip ,
-and
-.Fn X509_VERIFY_PARAM_set1_ip_asc
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 6.3 .
-.Pp
-.Fn X509_VERIFY_PARAM_set_auth_level
-first appeared in OpenSSL 1.1.0 and
-.Fn X509_VERIFY_PARAM_get_time
-in OpenSSL 1.1.0d.
-Both functions have been available since
-.Ox 7.2 .
-.Sh BUGS
-Delta CRL checking is currently primitive.
-Only a single delta can be used and (partly due to limitations of
-.Vt X509_STORE )
-constructed CRLs are not maintained.
-.Pp
-If CRLs checking is enabled, CRLs are expected to be available in
-the corresponding
-.Vt X509_STORE
-structure.
-No attempt is made to download CRLs from the CRL distribution points
-extension.
diff --git a/src/lib/libcrypto/man/X509_add1_trust_object.3 b/src/lib/libcrypto/man/X509_add1_trust_object.3
deleted file mode 100644
index 067bf64464..0000000000
--- a/src/lib/libcrypto/man/X509_add1_trust_object.3
+++ /dev/null
@@ -1,99 +0,0 @@
-.\" $OpenBSD: X509_add1_trust_object.3,v 1.4 2024/09/02 08:04:32 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 2 2024 $
-.Dt X509_ADD1_TRUST_OBJECT 3
-.Os
-.Sh NAME
-.Nm X509_add1_trust_object ,
-.Nm X509_trust_clear ,
-.Nm X509_add1_reject_object ,
-.Nm X509_reject_clear
-.Nd mark an X.509 certificate as intended for a specific purpose
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_add1_trust_object
-.Fa "X509 *x"
-.Fa "const ASN1_OBJECT *purpose"
-.Fc
-.Ft void
-.Fo X509_trust_clear
-.Fa "X509 *x"
-.Fc
-.Ft int
-.Fo X509_add1_reject_object
-.Fa "X509 *x"
-.Fa "const ASN1_OBJECT *purpose"
-.Fc
-.Ft void
-.Fo X509_reject_clear
-.Fa "X509 *x"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_add1_trust_object
-appends a deep copy of the
-.Fa purpose
-object to the set of intended purposes that
-.Fa x
-contains as non-standard auxiliary data.
-The function
-.Xr OBJ_nid2obj 3
-can be used to create appropriate purpose objects from the
-.Dv NID_*
-constants mentioned in
-.Xr X509_check_purpose 3 ,
-even though the
-.Dv X509_PURPOSE_*
-constants listed in that manual page are not intended for use with
-.Fn X509_add1_trust_object .
-.Pp
-.Fn X509_trust_clear
-frees and removes all purpose objects from the set of intended
-purposes in the non-standard auxiliary data of
-.Fa x .
-.Pp
-.Fn X509_add1_reject_object
-and
-.Fn X509_reject_clear
-are similar except that they operate on a set of unintended purposes.
-.Pp
-As an alternative to using the functions documented in the present
-manual page, X.509 certificate extensions can be used.
-At the price of higher complexity, those allow storing the purpose
-inside the certificate itself in a standard-conforming way rather than
-merely in non-standard auxiliary data associated with the certificate.
-See
-.Xr EXTENDED_KEY_USAGE_new 3
-for details.
-.Sh RETURN VALUES
-.Fn X509_add1_trust_object
-and
-.Fn X509_add1_reject_object
-return the new number of purposes in the respective set
-or 0 if an error occurs, in particular if memory
-allocation fails or if
-.Fa x
-does not contain a sub-object that can hold non-standard auxiliary data.
-.Sh SEE ALSO
-.Xr ASN1_OBJECT_new 3 ,
-.Xr EXTENDED_KEY_USAGE_new 3 ,
-.Xr OBJ_nid2obj 3 ,
-.Xr X509_CERT_AUX_new 3 ,
-.Xr X509_new 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.4 and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/X509_check_ca.3 b/src/lib/libcrypto/man/X509_check_ca.3
deleted file mode 100644
index 114bac69e7..0000000000
--- a/src/lib/libcrypto/man/X509_check_ca.3
+++ /dev/null
@@ -1,117 +0,0 @@
-.\"     $OpenBSD: X509_check_ca.3,v 1.7 2022/05/10 19:44:29 tb Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Victor B. Wagner <vitus@cryptocom.ru>.
-.\" Copyright (c) 2015, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 10 2022 $
-.Dt X509_CHECK_CA 3
-.Os
-.Sh NAME
-.Nm X509_check_ca
-.Nd check whether a certificate is a CA certificate
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft int
-.Fo X509_check_ca
-.Fa "X509 *cert"
-.Fc
-.Sh DESCRIPTION
-The
-.Fn X509_check_ca
-function checks whether the given certificate is a CA certificate,
-that is, whether it can be used to sign other certificates.
-.Sh RETURN VALUES
-If
-.Fa cert
-is a CA certificate, a non-zero value is returned; 0 otherwise.
-.Pp
-The following return values identify specific kinds of CA certificates:
-.Bl -tag -width 2n
-.It 1
-an X.509 v3 CA certificate with
-.Sy basicConstraints
-extension CA:TRUE
-.It 3
-a self-signed X.509 v1 certificate
-.It 4
-a certificate with
-.Sy keyUsage
-extension with bit
-.Sy keyCertSign
-set, but without
-.Sy basicConstraints
-.It 5
-a certificate with an outdated Netscape Certificate Type extension telling
-that it is a CA certificate
-.El
-.Sh SEE ALSO
-.Xr BASIC_CONSTRAINTS_new 3 ,
-.Xr EXTENDED_KEY_USAGE_new 3 ,
-.Xr X509_check_issued 3 ,
-.Xr X509_check_purpose 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_verify_cert 3
-.Sh HISTORY
-.Fn X509_check_ca
-first appeared in OpenSSL 0.9.7f and has been available since
-.Ox 3.8 .
-.Sh BUGS
-If
-.Fn X509_check_ca
-fails to cache X509v3 extension values, the return value may
-be incorrect.
-An application should
-call
-.Xr X509_check_purpose 3
-with a
-.Fa purpose
-argument of \-1,
-ensuring that the X509v3 extensions are cached,
-before calling
-.Fn X509_check_ca .
diff --git a/src/lib/libcrypto/man/X509_check_host.3 b/src/lib/libcrypto/man/X509_check_host.3
deleted file mode 100644
index dbc56c0d21..0000000000
--- a/src/lib/libcrypto/man/X509_check_host.3
+++ /dev/null
@@ -1,246 +0,0 @@
-.\" $OpenBSD: X509_check_host.3,v 1.6 2020/09/17 08:04:22 schwarze Exp $
-.\" full merge up to: OpenSSL a09e4d24 Jun 12 01:56:31 2014 -0400
-.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
-.\"
-.\" This file was written by Florian Weimer <fweimer@redhat.com> and
-.\" Viktor Dukhovni <openssl-users@dukhovni.org>.
-.\" Copyright (c) 2012, 2014, 2015, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 17 2020 $
-.Dt X509_CHECK_HOST 3
-.Os
-.Sh NAME
-.Nm X509_check_host ,
-.Nm X509_check_email ,
-.Nm X509_check_ip ,
-.Nm X509_check_ip_asc
-.Nd X.509 certificate matching
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft int
-.Fo X509_check_host
-.Fa "X509 *x"
-.Fa "const char *name"
-.Fa "size_t namelen"
-.Fa "unsigned int flags"
-.Fa "char **peername"
-.Fc
-.Ft int
-.Fo X509_check_email
-.Fa "X509 *x"
-.Fa "const char *address"
-.Fa "size_t addresslen"
-.Fa "unsigned int flags"
-.Fc
-.Ft int
-.Fo X509_check_ip
-.Fa "X509 *x"
-.Fa "const unsigned char *address"
-.Fa "size_t addresslen"
-.Fa "unsigned int flags"
-.Fc
-.Ft int
-.Fo X509_check_ip_asc
-.Fa "X509 *x"
-.Fa "const char *address"
-.Fa "unsigned int flags"
-.Fc
-.Sh DESCRIPTION
-The certificate matching functions are used to check whether a
-certificate matches a given hostname, email address, or IP address.
-The validity of the certificate and its trust level has to be checked by
-other means.
-.Pp
-.Fn X509_check_host
-checks if the certificate Subject Alternative Name (SAN) or Subject
-CommonName (CN) matches the specified hostname, which must be encoded
-in the preferred name syntax described in section 3.5 of RFC 1034.
-By default, wildcards are supported and they match only in the
-left-most label; they may match part of that label with an
-explicit prefix or suffix.
-For example, by default, the host
-.Fa name
-.Qq www.example.com
-would match a certificate with a SAN or CN value of
-.Qq *.example.com ,
-.Qq w*.example.com
-or
-.Qq *w.example.com .
-.Pp
-Per section 6.4.2 of RFC 6125,
-.Fa name
-values representing international domain names must be given in A-label
-form.
-The
-.Fa namelen
-argument must be the number of characters in the name string or zero, in
-which case the length is calculated with
-.Fn strlen name .
-When
-.Fa name
-starts with a dot (e.g.\&
-.Qq .example.com ) ,
-it will be matched by a certificate valid for any sub-domain of
-.Fa name ;
-see also
-.Fa X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
-below.
-.Pp
-When the certificate is matched and
-.Fa peername
-is not
-.Dv NULL ,
-a pointer to a copy of the matching SAN or CN from the peer
-certificate is stored at the address passed in
-.Fa peername .
-The application is responsible for freeing the peername via
-.Xr free 3
-when it is no longer needed.
-.Pp
-.Fn X509_check_email
-checks if the certificate matches the specified email
-.Fa address .
-Only the mailbox syntax of RFC 822 is supported.
-Comments are not allowed,
-and no attempt is made to normalize quoted characters.
-The
-.Fa addresslen
-argument must be the number of characters in the address string or zero,
-in which case the length is calculated with
-.Fn strlen address .
-.Pp
-.Fn X509_check_ip
-checks if the certificate matches a specified IPv4 or IPv6 address.
-The
-.Fa address
-array is in binary format, in network byte order.
-The length is either 4 (IPv4) or 16 (IPv6).
-Only explicitly marked addresses in the certificates are considered;
-IP addresses stored in DNS names and Common Names are ignored.
-.Pp
-.Fn X509_check_ip_asc
-is similar, except that the NUL-terminated string
-.Fa address
-is first converted to the internal representation.
-.Pp
-The
-.Fa flags
-argument is usually 0, but it can be the bitwise OR of the following
-flags.
-.Pp
-The
-.Dv X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
-flag causes the function to consider the subject DN even if the
-certificate contains at least one subject alternative name of the right
-type (DNS name or email address as appropriate); the default is to
-ignore the subject DN when at least one corresponding subject
-alternative names is present.
-.Pp
-The remaining flags are only meaningful for
-.Fn X509_check_host .
-.Pp
-The
-.Dv X509_CHECK_FLAG_NO_WILDCARDS
-flag disables wildcard expansion.
-.Pp
-The
-.Dv X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
-flag suppresses support for
-.Qq *
-as a wildcard pattern in labels that have a
-prefix or suffix, such as
-.Qq www*
-or
-.Qq *www .
-.Pp
-The
-.Dv X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS
-flag allows a
-.Qq *
-that constitutes the complete label of a DNS name (e.g.\&
-.Qq *.example.com )
-to match more than one label in
-.Fa name .
-.Pp
-The
-.Dv X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
-flag restricts
-.Fa name
-values which start with
-.Qq \&. ,
-that would otherwise match any sub-domain in the peer certificate,
-to only match direct child sub-domains.
-Thus, for instance, with this flag set a
-.Fa name
-of
-.Qq .example.com
-would match a peer certificate with a DNS name of
-.Qq www.example.com ,
-but would not match a peer certificate with a DNS name of
-.Qq www.sub.example.com .
-.Sh RETURN VALUES
-The functions return 1 for a successful match, 0 for a failed match and
--1 for an internal error: typically a memory allocation failure or an
-ASN.1 decoding error.
-.Pp
-All functions can also return -2 if the input is malformed.
-For example,
-.Fn X509_check_host
-returns -2 if the provided
-.Fa name
-contains embedded NUL bytes.
-.Sh SEE ALSO
-.Xr SSL_set1_host 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_get1_email 3 ,
-.Xr X509_new 3 ,
-.Xr X509_VERIFY_PARAM_set1_host 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.2
-and have been available since
-.Ox 6.1 .
diff --git a/src/lib/libcrypto/man/X509_check_issued.3 b/src/lib/libcrypto/man/X509_check_issued.3
deleted file mode 100644
index f8c2a5297a..0000000000
--- a/src/lib/libcrypto/man/X509_check_issued.3
+++ /dev/null
@@ -1,109 +0,0 @@
-.\"     $OpenBSD: X509_check_issued.3,v 1.4 2019/06/06 01:06:59 schwarze Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Victor B. Wagner <vitus@cryptocom.ru>.
-.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 6 2019 $
-.Dt X509_CHECK_ISSUED 3
-.Os
-.Sh NAME
-.Nm X509_check_issued
-.Nd check whether a certificate was issued using a given CA certificate
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft int
-.Fo X509_check_issued
-.Fa "X509 *issuer"
-.Fa "X509 *subject"
-.Fc
-.Sh DESCRIPTION
-This function checks whether the certificate
-.Fa subject
-was issued using the CA certificate
-.Fa issuer .
-It does the following checks:
-.Bl -bullet
-.It
-match the issuer field of
-.Fa subject
-against the subject field of
-.Fa issuer
-.It
-if
-.Sy authorityKeyIdentifier
-is present in the
-.Fa subject
-certificate,
-compare it to the
-.Sy subjectKeyIdentifier
-of
-.Fa issuer
-.It
-check the
-.Sy keyUsage
-field of
-.Fa issuer .
-.El
-.Sh RETURN VALUES
-This function returns
-.Dv X509_V_OK
-if the certificate
-.Fa subject
-is issued by
-.Fa issuer ,
-or some
-.Dv X509_V_ERR*
-constant to indicate an error.
-.Sh SEE ALSO
-.Xr X509_check_ca 3 ,
-.Xr X509_new 3 ,
-.Xr X509_verify_cert 3
-.Sh HISTORY
-.Fn X509_check_issued
-first appeared in OpenSSL 0.9.6 and has been available since
-.Ox 2.9 .
diff --git a/src/lib/libcrypto/man/X509_check_private_key.3 b/src/lib/libcrypto/man/X509_check_private_key.3
deleted file mode 100644
index 31df2126cc..0000000000
--- a/src/lib/libcrypto/man/X509_check_private_key.3
+++ /dev/null
@@ -1,73 +0,0 @@
-.\"     $OpenBSD: X509_check_private_key.3,v 1.6 2019/06/06 01:06:59 schwarze Exp $
-.\"     OpenSSL X509_check_private_key.pod 09ddb878 Jun 5 03:56:07 2017 +0800
-.\"
-.\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 6 2019 $
-.Dt X509_CHECK_PRIVATE_KEY 3
-.Os
-.Sh NAME
-.Nm X509_check_private_key ,
-.Nm X509_REQ_check_private_key
-.Nd compare public key components
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_check_private_key
-.Fa "const X509 *x"
-.Fa "const EVP_PKEY *k"
-.Fc
-.Ft int
-.Fo X509_REQ_check_private_key
-.Fa "X509_REQ *x"
-.Fa "EVP_PKEY *k"
-.Fc
-.Sh DESCRIPTION
-These functions are seriously misnamed.
-.Fn X509_check_private_key
-compares the
-.Em public
-key components (e.g. exponent and modulus of an RSA key)
-and parameters (e.g. EC params of an EC key) of
-.Fa k
-with the corresponding properties of
-.Fa x .
-Despite the name, it neither checks whether
-.Fa k
-contains private key components at all, nor, if any are present,
-whether they are consistent with the public key components.
-.Pp
-.Fn X509_REQ_check_private_key
-is equivalent to
-.Fn X509_check_private_key
-except that it compares to the public key
-contained in a certificate request.
-.Sh RETURN VALUES
-These functions return 1 if the public key components and parameters
-match, or 0 if they do not or if an error occurs.
-On error or mismatch, a reason code can be obtained using
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr SSL_check_private_key 3 ,
-.Xr X509_new 3 ,
-.Xr X509_REQ_new 3
-.Sh HISTORY
-.Fn X509_check_private_key
-first appeared in SSLeay 0.6.5 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_REQ_check_private_key
-first appeared in OpenSSL 0.9.8 and has been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3
deleted file mode 100644
index 8fea6679fc..0000000000
--- a/src/lib/libcrypto/man/X509_check_purpose.3
+++ /dev/null
@@ -1,431 +0,0 @@
-.\" $OpenBSD: X509_check_purpose.3,v 1.12 2024/09/02 08:04:32 tb Exp $
-.\"
-.\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 2 2024 $
-.Dt X509_CHECK_PURPOSE 3
-.Os
-.Sh NAME
-.Nm X509_check_purpose
-.Nd check intended usage of a public key
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft int
-.Fo X509_check_purpose
-.Fa "X509 *certificate"
-.Fa "int purpose"
-.Fa "int ca"
-.Fc
-.Sh DESCRIPTION
-If the
-.Fa purpose
-argument is \-1,
-.Fn X509_check_purpose
-ignores the
-.Fa ca
-argument and checks that all the extensions of the
-.Fa certificate
-can be parsed and pass minimal sanity checks, ensuring that
-no extension occurs more than once.
-It also makes sure that all extensions are cached in the
-.Vt X509
-object.
-.Pp
-If the
-.Fa purpose
-argument is not \-1 and the
-.Fa ca
-flag is 0,
-.Fn X509_check_purpose
-also checks whether the public key contained in the
-.Fa certificate
-is intended to be used for the given
-.Fa purpose ,
-which can be one of the following integer constants.
-The check succeeds if none of the conditions given in the list below
-are violated.
-It always fails if parsing fails for any extension contained in the
-.Fa certificate .
-.Bl -tag -width 1n
-.It Dv X509_PURPOSE_SSL_CLIENT
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq TLS WWW client authentication
-purpose
-.Pq Dv NID_client_auth .
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, the
-.Dv digitalSignature
-bit is set.
-.It
-If the
-.Fa certificate
-contains a Netscape Cert Type extension, the
-.Dq SSL client certificate
-bit is set
-.Pq Dv NS_SSL_CLIENT .
-.El
-.It Dv X509_PURPOSE_SSL_SERVER
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq TLS WWW server authentication
-purpose
-.Pq Dv NID_server_auth
-or the private
-.Dq Netscape Server Gated Crypto
-.Pq Dv NID_ns_sgc
-or
-.Dq Microsoft Server Gated Crypto
-.Pq Dv NID_ms_sgc
-purpose.
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, at least one of the
-.Dv digitalSignature
-and
-.Dv keyEncipherment
-bits is set.
-.It
-If the
-.Fa certificate
-contains a Netscape Cert Type extension, the
-.Dq SSL server certificate
-bit is set
-.Pq Dv NS_SSL_SERVER
-.El
-.It Dv X509_PURPOSE_NS_SSL_SERVER
-.\" check_purpose_ns_ssl_server, "Netscape SSL server"
-This does the same checks as
-.Dv X509_PURPOSE_SSL_SERVER
-and additionally requires that a Key Usage extension, if present,
-has the
-.Dv keyEncipherment
-bit set.
-.It Dv X509_PURPOSE_SMIME_SIGN
-.\" check_purpose_smime_sign, "S/MIME signing"
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq Email protection
-purpose
-.Pq Dv NID_email_protect .
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, at least one of the
-.Dv digitalSignature
-and
-.Dv nonRepudiation
-bits is set.
-.It
-If the
-.Fa certificate
-contains a Netscape Cert Type extension, it has the
-.Dq S/MIME certificate
-bit set.
-If the
-.Dq SSL client certificate
-bit is set but the
-.Dq S/MIME certificate
-bit is not, no decision is made.
-.El
-.It Dv X509_PURPOSE_SMIME_ENCRYPT
-.\" check_purpose_smime_encrypt, "S/MIME encryption"
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq Email protection
-purpose
-.Pq Dv NID_email_protect .
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, the
-.Dv keyEncipherment
-bit is set.
-.It
-If the
-.Fa certificate
-contains a Netscape Cert Type extension, it has the
-.Dq S/MIME certificate
-bit set.
-If the
-.Dq SSL client certificate
-bit is set but the
-.Dq S/MIME certificate
-bit is not, no decision is made.
-.El
-.It Dv X509_PURPOSE_CRL_SIGN
-.\" check_purpose_crl_sign, "CRL signing"
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, the
-.Dv cRLSign
-bit is set.
-.El
-.It Dv X509_PURPOSE_ANY
-Nothing is required except that, if any extensions are present,
-parsing them needs to succeed.
-.It Dv X509_PURPOSE_OCSP_HELPER
-.\" ocsp_helper, "OCSP helper"
-Nothing is required except that, if any extensions are present,
-parsing them needs to succeed.
-The application program is expected
-to do the actual checking by other means.
-.It Dv X509_PURPOSE_TIMESTAMP_SIGN
-.\" check_purpose_timestamp_sign, "Time Stamp signing"
-.Bl -dash -width 1n -compact
-.It
-The
-.Fa certificate
-contains an Extended Key Usage extension containing the RFC 5280
-.Dq Time Stamping
-purpose and no other purpose.
-This extension is marked as critical.
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, at least one of the
-.Dv digitalSignature
-and
-.Dv nonRepudiation
-bits is set, and no other bits are set.
-.El
-.El
-.Pp
-If the
-.Fa purpose
-argument is not \-1 and the
-.Fa ca
-flag is non-zero,
-.Fn X509_check_purpose
-instead checks, in addition to the minimal sanity checks, whether the
-.Fa certificate
-can be used as a certificate authority certificate
-in the context of the given
-.Fa purpose .
-To succeed, the check always requires that none of the following
-conditions are violated:
-.Pp
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains any extensions, parsing them succeeds.
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, the
-.Dv keyCertSign
-bit is set.
-.It
-If the
-.Fa certificate
-contains a Basic Constraints extension, the
-.Fa cA
-field is set.
-.It
-If the
-.Fa certificate
-is a version 1 certificate, the subject name matches the issuer name
-and the certificate is self signed.
-.El
-.Pp
-The check succeeds if none of the additional conditions given in
-the list below are violated.
-.Bl -tag -width 1n
-.It Dv X509_PURPOSE_SSL_CLIENT
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq TLS WWW client authentication
-purpose
-.Pq Dv NID_client_auth .
-.It
-If the
-.Fa certificate
-is not a version 1 certificate and does not contain a Basic Constraints
-extension, it contains a Key Usage extension with the
-.Dv keyCertSign
-bit set or a Netscape Cert Type extension with the
-.Dq SSL CA certificate
-bit set.
-.El
-.It Dv X509_PURPOSE_SSL_SERVER No or Dv X509_PURPOSE_NS_SSL_SERVER
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq TLS WWW server authentication
-purpose
-.Pq Dv NID_server_auth
-or the private
-.Dq Netscape Server Gated Crypto
-.Pq Dv NID_ns_sgc
-or
-.Dq Microsoft Server Gated Crypto
-.Pq Dv NID_ms_sgc
-purpose.
-.It
-If the
-.Fa certificate
-is not a version 1 certificate and does not contain a Basic Constraints
-extension, it contains a Key Usage extension with the
-.Dv keyCertSign
-bit set or a Netscape Cert Type extension with the
-.Dq SSL CA certificate
-bit set.
-.El
-.It Dv X509_PURPOSE_SMIME_SIGN No or Dv X509_PURPOSE_SMIME_ENCRYPT
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq Email protection
-purpose
-.Pq Dv NID_email_protect .
-.It
-If the
-.Fa certificate
-is not a version 1 certificate and does not contain a Basic Constraints
-extension, it contains a Key Usage extension with the
-.Dv keyCertSign
-bit set or a Netscape Cert Type extension with the
-.Dq S/MIME CA certificate
-bit set.
-.El
-.It Xo
-.Dv X509_PURPOSE_CRL_SIGN ,
-.Dv X509_PURPOSE_OCSP_HELPER ,
-or
-.Dv X509_PURPOSE_TIMESTAMP_SIGN
-.Xc
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-is not a version 1 certificate and does not contain a Basic Constraints
-extension, it contains a Key Usage extension with the
-.Dv keyCertSign
-bit set or a Netscape Cert Type extension with at least one of the
-.Dq SSL CA certificate ,
-.Dq S/MIME CA certificate ,
-or
-.Dq Object-signing CA certificate
-bits set.
-.El
-.It Dv X509_PURPOSE_ANY
-Nothing is required except that, if any extensions are present,
-parsing them needs to succeed.
-The check even succeeds if the three other common conditions
-cited above this list are violated.
-.El
-.Pp
-If the function
-.Xr X509_PURPOSE_add 3
-was called before
-.Fn X509_check_purpose ,
-it may have installed different, user-supplied checking functions
-for some of the standard purposes listed above, or it may have
-installed additional, user-supplied checking functions for user-defined
-.Fa purpose
-identifiers not listed above.
-.Sh RETURN VALUES
-If the parsing of certificate extensions fails, sanity checks fail or the
-.Fa purpose
-is invalid,
-.Fn X509_check_purpose
-returns \-1 to indicate the error.
-.Pp
-If the
-.Fa purpose
-argument is \-1 and parsing and minimal sanity checks succeed,
-.Fn X509_check_purpose
-returns 1 to indicate success.
-.Pp
-Otherwise, it returns the following values:
-.Pp
-If
-.Fa ca
-is 0:
-.Bl -column -1 Failure -compact
-.It 0 Ta Failure Ta The
-.Fa certificate
-cannot be used for the
-.Fa purpose .
-.It 1 Ta Success Ta The
-.Fa certificate
-can be used for the
-.Fa purpose .
-.It 2 Ta Unknown Ta \&No decision can be made.
-.El
-.Pp
-If
-.Fa ca
-is non-zero:
-.Bl -column -1 Failure -compact
-.It 0 Ta Failure Ta The
-.Fa certificate
-cannot be used as a CA for the
-.Fa purpose .
-.It 1 Ta Success Ta The
-.Fa certificate
-can be used as a CA for the
-.Fa purpose .
-.It 3 Ta Success Ta The Fa certificate No is a version 1 CA .
-.It 4 Ta Success Ta The Key Usage allows Dv keyCertSign .
-.It 5 Ta Success Ta A Netscape Cert Type allows usage as a CA.
-.El
-.Sh SEE ALSO
-.Xr BASIC_CONSTRAINTS_new 3 ,
-.Xr EXTENDED_KEY_USAGE_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_PURPOSE_set 3 ,
-.Xr X509V3_get_d2i 3 ,
-.Xr x509v3.cnf 5
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Bl -dash -offset indent -compact
-.It
-section 4.2.1.3: Key Usage
-.It
-section 4.2.1.9: Basic Constraints
-.It
-section 4.2.1.12: Extended Key Usage
-.El
-.Sh HISTORY
-.Fn X509_check_purpose
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/X509_cmp.3 b/src/lib/libcrypto/man/X509_cmp.3
deleted file mode 100644
index b1cdec1773..0000000000
--- a/src/lib/libcrypto/man/X509_cmp.3
+++ /dev/null
@@ -1,235 +0,0 @@
-.\" $OpenBSD: X509_cmp.3,v 1.4 2024/06/07 14:00:09 job Exp $
-.\" full merge up to: OpenSSL ea5d4b89 Jun 6 11:42:02 2019 +0800
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Paul Yang <yang.yang@baishancloud.com>.
-.\" Copyright (c) 2019 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 7 2024 $
-.Dt X509_CMP 3
-.Os
-.Sh NAME
-.Nm X509_cmp ,
-.Nm X509_NAME_cmp ,
-.\" The alias X509_name_cmp(3) is intentionally undocumented
-.\" because it is almost unused in real-world code.
-.Nm X509_issuer_and_serial_cmp ,
-.Nm X509_issuer_name_cmp ,
-.Nm X509_subject_name_cmp ,
-.Nm X509_CRL_cmp ,
-.Nm X509_CRL_match
-.Nd compare X.509 certificates and related values
-.\" The function name_cmp() is intentionally undocumented.
-.\" It was a mistake to make it public in the first place,
-.\" and it is no longer part of the public API in OpenSSL 1.1.
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_cmp
-.Fa "const X509 *a"
-.Fa "const X509 *b"
-.Fc
-.Ft int
-.Fo X509_NAME_cmp
-.Fa "const X509_NAME *a"
-.Fa "const X509_NAME *b"
-.Fc
-.Ft int
-.Fo X509_issuer_and_serial_cmp
-.Fa "const X509 *a"
-.Fa "const X509 *b"
-.Fc
-.Ft int
-.Fo X509_issuer_name_cmp
-.Fa "const X509 *a"
-.Fa "const X509 *b"
-.Fc
-.Ft int
-.Fo X509_subject_name_cmp
-.Fa "const X509 *a"
-.Fa "const X509 *b"
-.Fc
-.Ft int
-.Fo X509_CRL_cmp
-.Fa "const X509_CRL *a"
-.Fa "const X509_CRL *b"
-.Fc
-.Ft int
-.Fo X509_CRL_match
-.Fa "const X509_CRL *a"
-.Fa "const X509_CRL *b"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_cmp
-compares two X.509 certificates using
-.Xr memcmp 3
-on the hashes of their canonical (DER) representations as generated with
-.Xr X509_digest 3 .
-The digest function is implementation-specific: LibreSSL uses SHA-512, other
-implementations use SHA-1.
-.Pp
-.Fn X509_NAME_cmp
-compares two X.501
-.Vt Name
-objects using their canonical (DER) representations generated with
-.Xr i2d_X509_NAME 3 .
-.Pp
-.Fn X509_issuer_and_serial_cmp
-compares the
-.Fa issuer
-and
-.Fa serialNumber
-fields of two
-.Vt TBSCertificate
-structures, using
-.Fn X509_NAME_cmp
-for the
-.Fa issuer
-fields.
-.Pp
-.Fn X509_issuer_name_cmp
-compares the
-.Fa issuer
-fields of two
-.Vt TBSCertificate
-structures using
-.Fn X509_NAME_cmp .
-.Pp
-.Fn X509_subject_name_cmp
-compares the
-.Fa subject
-fields of two
-.Vt TBSCertificate
-structures using
-.Fn X509_NAME_cmp .
-.Pp
-.Fn X509_CRL_cmp
-is misnamed; it only compares the
-.Fa issuer
-fields of two
-.Vt TBSCertList
-structures using
-.Fn X509_NAME_cmp .
-.Pp
-.Fn X509_CRL_match
-compares two certificate revocation lists using
-.Xr memcmp 3
-on the hashes of their canonical (DER) representations as generated with
-.Xr X509_CRL_digest 3 .
-The digest function is implementation-specific: LibreSSL uses SHA-512, other
-implementations use SHA-1.
-.Sh RETURN VALUES
-All these functions return 0 to indicate a match or a non-zero value
-to indicate a mismatch.
-.Pp
-.Fn X509_NAME_cmp ,
-.Fn X509_issuer_and_serial_cmp ,
-.Fn X509_issuer_name_cmp ,
-.Fn X509_subject_name_cmp
-and
-.Fn X509_CRL_cmp
-may return -2 to indicate an error.
-.Sh SEE ALSO
-.Xr i2d_X509_NAME 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_digest 3 ,
-.Xr X509_NAME_new 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate
-and Certificate Revocation List (CRL) Profile
-.Bl -dash -compact -offset indent
-.It
-section 4.1: Basic Certificate Fields
-.It
-section 5.1: CRL Fields
-.El
-.Sh HISTORY
-.Fn X509_issuer_and_serial_cmp ,
-.Fn X509_issuer_name_cmp ,
-and
-.Fn X509_subject_name_cmp
-first appeared in SSLeay 0.5.1 and
-.Fn X509_NAME_cmp
-and
-.Fn X509_CRL_cmp
-in SSLeay 0.8.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_cmp
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Pp
-.Fn X509_CRL_match
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
-.Sh BUGS
-For
-.Fn X509_NAME_cmp ,
-.Fn X509_issuer_and_serial_cmp ,
-.Fn X509_issuer_name_cmp ,
-.Fn X509_subject_name_cmp
-and
-.Fn X509_CRL_cmp ,
-the return value -2 sometimes indicates a mismatch and sometimes an error.
diff --git a/src/lib/libcrypto/man/X509_cmp_time.3 b/src/lib/libcrypto/man/X509_cmp_time.3
deleted file mode 100644
index bb430dfbb7..0000000000
--- a/src/lib/libcrypto/man/X509_cmp_time.3
+++ /dev/null
@@ -1,200 +0,0 @@
-.\" $OpenBSD: X509_cmp_time.3,v 1.12 2024/03/05 18:30:40 tb Exp $
-.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2017, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Emilia Kasper <emilia@openssl.org>
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 5 2024 $
-.Dt X509_CMP_TIME 3
-.Os
-.Sh NAME
-.Nm X509_cmp_time ,
-.Nm X509_cmp_current_time ,
-.Nm X509_time_adj_ex ,
-.Nm X509_time_adj ,
-.Nm X509_gmtime_adj
-.Nd ASN.1 Time utilities
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_cmp_time
-.Fa "const ASN1_TIME *asn1_time"
-.Fa "time_t *cmp_time"
-.Fc
-.Ft int
-.Fo X509_cmp_current_time
-.Fa "const ASN1_TIME *asn1_time"
-.Fc
-.Ft ASN1_TIME *
-.Fo X509_time_adj_ex
-.Fa "ASN1_TIME *out_time"
-.Fa "int offset_day"
-.Fa "long offset_sec"
-.Fa "time_t *in_time"
-.Fc
-.Ft ASN1_TIME *
-.Fo X509_time_adj
-.Fa "ASN1_TIME *out_time"
-.Fa "long offset_sec"
-.Fa "time_t *in_time"
-.Fc
-.Ft ASN1_TIME *
-.Fo X509_gmtime_adj
-.Fa "ASN1_TIME *out_time"
-.Fa "long offset_sec"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_cmp_time
-parses
-.Fa asn1_time
-and compares it to
-.Fa cmp_time ,
-or to the current time if
-.Fa cmp_time
-is
-.Dv NULL .
-.Fn X509_cmp_current_time
-compares it to the current time.
-.Pp
-.Fn X509_time_adj_ex
-sets
-.Fa out_time
-to a time
-.Fa offset_day
-and
-.Fa offset_sec
-later than
-.Fa in_time .
-The values of
-.Fa offset_day
-and
-.Fa offset_sec
-can be negative to set a time before
-.Fa in_time .
-The
-.Fa offset_sec
-value can also exceed the number of seconds in a day.
-If
-.Fa in_time
-is
-.Dv NULL ,
-the current time is used instead.
-If
-.Fa out_time
-is
-.Dv NULL ,
-a new
-.Vt ASN1_TIME
-structure is allocated and returned.
-.Pp
-.Fn X509_time_adj
-does the same with a 0 day offset.
-.Pp
-.Fn X509_gmtime_adj
-does the same using the current time instead of
-.Fa in_time ,
-that is, it sets
-.Fa out_time
-to a time
-.Fa offset_sec
-seconds later than the current time.
-.Sh RETURN VALUES
-.Fn X509_cmp_time
-and
-.Fn X509_cmp_current_time
-return -1 if
-.Fa asn1_time
-is earlier than or equal to
-.Fa cmp_time ,
-1 if it is later, or 0 on error.
-.Pp
-.Fn X509_time_adj_ex ,
-.Fn X509_time_adj ,
-and
-.Fn X509_gmtime_adj
-return a pointer to the updated or newly allocated
-.Vt ASN1_TIME
-structure or
-.Dv NULL
-on error.
-.Sh SEE ALSO
-.Xr ASN1_TIME_new 3 ,
-.Xr ASN1_TIME_set 3 ,
-.Xr time 3
-.Sh HISTORY
-.Fn X509_cmp_current_time
-and
-.Fn X509_gmtime_adj
-first appeared in SSLeay 0.6.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_cmp_time
-and
-.Fn X509_time_adj
-first appeared in OpenSSL 0.9.6 and have been available since
-.Ox 2.9 .
-.Pp
-.Fn X509_time_adj_ex
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/X509_digest.3 b/src/lib/libcrypto/man/X509_digest.3
deleted file mode 100644
index 7627e07731..0000000000
--- a/src/lib/libcrypto/man/X509_digest.3
+++ /dev/null
@@ -1,155 +0,0 @@
-.\" $OpenBSD: X509_digest.3,v 1.8 2019/08/20 13:27:19 schwarze Exp $
-.\" full merge up to: OpenSSL 1212818e Sep 11 13:22:14 2018 +0100
-.\"
-.\" This file was written by Rich Salz <rsalz@openssl.org>
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 20 2019 $
-.Dt X509_DIGEST 3
-.Os
-.Sh NAME
-.Nm X509_digest ,
-.Nm X509_CRL_digest ,
-.Nm X509_pubkey_digest ,
-.Nm X509_NAME_digest ,
-.Nm X509_REQ_digest ,
-.Nm PKCS7_ISSUER_AND_SERIAL_digest
-.Nd get digests of various objects
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_digest
-.Fa "const X509 *data"
-.Fa "const EVP_MD *type"
-.Fa "unsigned char *md"
-.Fa "unsigned int *len"
-.Fc
-.Ft int
-.Fo X509_CRL_digest
-.Fa "const X509_CRL *data"
-.Fa "const EVP_MD *type"
-.Fa "unsigned char *md"
-.Fa "unsigned int *len"
-.Fc
-.Ft int
-.Fo X509_pubkey_digest
-.Fa "const X509 *data"
-.Fa "const EVP_MD *type"
-.Fa "unsigned char *md"
-.Fa "unsigned int *len"
-.Fc
-.Ft int
-.Fo X509_REQ_digest
-.Fa "const X509_REQ *data"
-.Fa "const EVP_MD *type"
-.Fa "unsigned char *md"
-.Fa "unsigned int *len"
-.Fc
-.Ft int
-.Fo X509_NAME_digest
-.Fa "const X509_NAME *data"
-.Fa "const EVP_MD *type"
-.Fa "unsigned char *md"
-.Fa "unsigned int *len"
-.Fc
-.In openssl/pkcs7.h
-.Ft int
-.Fo PKCS7_ISSUER_AND_SERIAL_digest
-.Fa "PKCS7_ISSUER_AND_SERIAL *data"
-.Fa "const EVP_MD *type"
-.Fa "unsigned char *md"
-.Fa "unsigned int *len"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_pubkey_digest
-returns a digest of the DER representation of the public key contained in
-.Fa data .
-All other functions described here return a digest of the DER
-representation of their entire
-.Fa data
-object.
-.Pp
-The
-.Fa type
-parameter specifies the digest to be used, such as
-.Xr EVP_sha1 3 .
-.Fa md
-is a pointer to the buffer where the digest will be copied and is
-assumed to be large enough; a size of at least
-.Dv EVP_MAX_MD_SIZE
-bytes is suggested.
-The
-.Fa len
-parameter, if not
-.Dv NULL ,
-points to a place where the digest size will be stored.
-.Sh RETURN VALUES
-These functions return 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr EVP_get_digestbyname 3 ,
-.Xr X509_cmp 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_NAME_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_REQ_new 3
-.Sh HISTORY
-.Fn X509_digest ,
-.Fn X509_NAME_digest ,
-and
-.Fn PKCS7_ISSUER_AND_SERIAL_digest
-first appeared in SSLeay 0.6.5 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_CRL_digest
-and
-.Fn X509_REQ_digest
-first appeared in OpenSSL 0.9.6 and have been available since
-.Ox 2.9 .
-.Pp
-.Fn X509_pubkey_digest
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/X509_find_by_subject.3 b/src/lib/libcrypto/man/X509_find_by_subject.3
deleted file mode 100644
index 98a76a1fca..0000000000
--- a/src/lib/libcrypto/man/X509_find_by_subject.3
+++ /dev/null
@@ -1,69 +0,0 @@
-.\" $OpenBSD: X509_find_by_subject.3,v 1.1 2021/07/04 12:56:27 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 4 2021 $
-.Dt X509_FIND_BY_SUBJECT 3
-.Os
-.Sh NAME
-.Nm X509_find_by_subject ,
-.Nm X509_find_by_issuer_and_serial
-.Nd search an array of X.509 certificates
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509 *
-.Fo X509_find_by_subject
-.Fa "STACK_OF(X509) *sk"
-.Fa "X509_NAME *subject"
-.Fc
-.Ft X509 *
-.Fo X509_find_by_issuer_and_serial
-.Fa "STACK_OF(X509) *sk"
-.Fa "X509_NAME *issuer"
-.Fa "ASN1_INTEGER *serial"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_find_by_subject
-searches the variable-sized array
-.Fa sk
-for a certificate with a matching
-.Fa subject
-name.
-.Pp
-.Fn X509_find_by_issuer_and_serial
-searches the array for a certificate where both the
-.Fa issuer
-name and the
-.Fa serial
-number match the arguments.
-.Sh RETURN VALUES
-These functions return a pointer to the first matching certificate or
-.Dv NULL
-if
-.Fa sk
-is
-.Dv NULL
-or does not contain a matching certificate.
-.Sh SEE ALSO
-.Xr ASN1_INTEGER_new 3 ,
-.Xr STACK_OF 3 ,
-.Xr X509_cmp 3 ,
-.Xr X509_get_serialNumber 3 ,
-.Xr X509_get_subject_name 3 ,
-.Xr X509_NAME_new 3 ,
-.Xr X509_new 3
-.Sh HISTORY
-These functions first appeared in SSLeay 0.8.1 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/X509_get0_notBefore.3 b/src/lib/libcrypto/man/X509_get0_notBefore.3
deleted file mode 100644
index 5e5c08b79a..0000000000
--- a/src/lib/libcrypto/man/X509_get0_notBefore.3
+++ /dev/null
@@ -1,264 +0,0 @@
-.\" $OpenBSD: X509_get0_notBefore.3,v 1.7 2024/03/05 18:30:40 tb Exp $
-.\" content checked up to: OpenSSL 27b138e9 May 19 00:16:38 2017 +0000
-.\"
-.\" Copyright (c) 2018, 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 5 2024 $
-.Dt X509_GET0_NOTBEFORE 3
-.Os
-.Sh NAME
-.Nm X509_get0_notBefore ,
-.Nm X509_get0_notAfter ,
-.Nm X509_getm_notBefore ,
-.Nm X509_getm_notAfter ,
-.Nm X509_get_notBefore ,
-.Nm X509_get_notAfter ,
-.Nm X509_CRL_get0_lastUpdate ,
-.Nm X509_CRL_get0_nextUpdate ,
-.Nm X509_CRL_get_lastUpdate ,
-.Nm X509_CRL_get_nextUpdate ,
-.Nm X509_set1_notBefore ,
-.Nm X509_set1_notAfter ,
-.Nm X509_set_notBefore ,
-.Nm X509_set_notAfter ,
-.Nm X509_CRL_set1_lastUpdate ,
-.Nm X509_CRL_set1_nextUpdate ,
-.Nm X509_CRL_set_lastUpdate ,
-.Nm X509_CRL_set_nextUpdate
-.Nd get and set certificate and CRL validity dates
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft const ASN1_TIME *
-.Fo X509_get0_notBefore
-.Fa "const X509 *x"
-.Fc
-.Ft const ASN1_TIME *
-.Fo X509_get0_notAfter
-.Fa "const X509 *x"
-.Fc
-.Ft ASN1_TIME *
-.Fo X509_getm_notBefore
-.Fa "const X509 *x"
-.Fc
-.Ft ASN1_TIME *
-.Fo X509_getm_notAfter
-.Fa "const X509 *x"
-.Fc
-.Ft ASN1_TIME *
-.Fo X509_get_notBefore
-.Fa "const X509 *x"
-.Fc
-.Ft ASN1_TIME *
-.Fo X509_get_notAfter
-.Fa "const X509 *x"
-.Fc
-.Ft const ASN1_TIME *
-.Fo X509_CRL_get0_lastUpdate
-.Fa "const X509_CRL *crl"
-.Fc
-.Ft const ASN1_TIME *
-.Fo X509_CRL_get0_nextUpdate
-.Fa "const X509_CRL *crl"
-.Fc
-.Ft ASN1_TIME *
-.Fo X509_CRL_get_lastUpdate
-.Fa "X509_CRL *crl"
-.Fc
-.Ft ASN1_TIME *
-.Fo X509_CRL_get_nextUpdate
-.Fa "X509_CRL *crl"
-.Fc
-.Ft int
-.Fo X509_set1_notBefore
-.Fa "X509 *x"
-.Fa "const ASN1_TIME *tm"
-.Fc
-.Ft int
-.Fo X509_set1_notAfter
-.Fa "X509 *x"
-.Fa "const ASN1_TIME *tm"
-.Fc
-.Ft int
-.Fo X509_set_notBefore
-.Fa "X509 *x"
-.Fa "const ASN1_TIME *tm"
-.Fc
-.Ft int
-.Fo X509_set_notAfter
-.Fa "X509 *x"
-.Fa "const ASN1_TIME *tm"
-.Fc
-.Ft int
-.Fo X509_CRL_set1_lastUpdate
-.Fa "X509_CRL *crl"
-.Fa "const ASN1_TIME *tm"
-.Fc
-.Ft int
-.Fo X509_CRL_set1_nextUpdate
-.Fa "X509_CRL *crl"
-.Fa "const ASN1_TIME *tm"
-.Fc
-.Ft int
-.Fo X509_CRL_set_lastUpdate
-.Fa "X509_CRL *crl"
-.Fa "const ASN1_TIME *tm"
-.Fc
-.Ft int
-.Fo X509_CRL_set_nextUpdate
-.Fa "X509_CRL *crl"
-.Fa "const ASN1_TIME *tm"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_getm_notBefore
-and
-.Fn X509_getm_notAfter
-return pointers to the
-.Fa notBefore
-and
-.Fa notAfter
-fields of the validity period of the certificate
-.Fa x ,
-respectively.
-.Fn X509_get_notBefore
-and
-.Fn X509_get_notAfter
-are deprecated aliases implemented as macros.
-.Pp
-.Fn X509_get0_notBefore
-and
-.Fn X509_get0_notAfter
-are identical except for the const qualifier on the return type.
-.Pp
-.Fn X509_CRL_get0_lastUpdate
-is misnamed in a confusing way: it returns a pointer to the
-.Fa thisUpdate
-field of the
-.Fa crl ,
-indicating the time when this
-.Fa crl
-was issued.
-.Pp
-.Fn X509_CRL_get0_nextUpdate
-returns a pointer to the
-.Fa nextUpdate
-field of the
-.Fa crl ,
-indicating the time when issuing the subsequent CRL will be due.
-.Pp
-.Fn X509_CRL_get_lastUpdate
-and
-.Fn X509_CRL_get_nextUpdate
-are deprecated and identical except for the const qualifier
-on the argument and on the return type.
-.Pp
-.Fn X509_set1_notBefore ,
-.Fn X509_set1_notAfter ,
-.Fn X509_CRL_set1_lastUpdate ,
-and
-.Fn X509_CRL_set1_nextUpdate
-set the
-.Fa notBefore ,
-.Fa notAfter ,
-.Fa thisUpdate Pq sic!\& ,
-or
-.Fa nextUpdate
-field of
-.Fa x
-or
-.Fa crl ,
-respectively, to a deep copy of
-.Fa tm
-and free the
-.Vt ASN1_TIME
-value that they replace.
-.Pp
-.Fn X509_set_notBefore ,
-.Fn X509_set_notAfter ,
-.Fn X509_CRL_set_lastUpdate ,
-and
-.Fn X509_CRL_set_nextUpdate
-are deprecated aliases.
-.Sh RETURN VALUES
-The
-.Sy get
-functions return internal pointers
-which must not be freed by the application, or
-.Dv NULL
-if the requested field is not available.
-They may crash with a
-.Dv NULL
-pointer access if
-.Fa x
-or
-.Fa crl
-is
-.Dv NULL .
-.Pp
-The
-.Sy set
-functions return 1 on success or 0 on failure.
-They fail if
-.Fa x
-is
-.Dv NULL
-or does not contain a
-.Fa validity
-substructure, if
-.Fa crl
-is
-.Dv NULL ,
-or if
-.Xr ASN1_STRING_dup 3
-fails.
-.Pp
-Except for some cases of
-.Xr ASN1_STRING_dup 3
-failure, these functions do not support
-determining reasons for failure with
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr ASN1_TIME_set 3 ,
-.Xr X509_cmp_time 3 ,
-.Xr X509_CRL_get0_by_serial 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_get_subject_name 3 ,
-.Xr X509_new 3 ,
-.Xr X509_sign 3 ,
-.Xr X509_VAL_new 3 ,
-.Xr X509_verify_cert 3
-.Sh HISTORY
-.Fn X509_get_notBefore ,
-.Fn X509_get_notAfter ,
-.Fn X509_set_notBefore ,
-and
-.Fn X509_set_notAfter
-first appeared in SSLeay 0.6.5 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_CRL_get_lastUpdate
-and
-.Fn X509_CRL_get_nextUpdate
-first appeared in OpenSSL 0.9.2 and have been available since
-.Ox 2.6 .
-.Pp
-.Fn X509_CRL_set_lastUpdate
-and
-.Fn X509_CRL_set_nextUpdate
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-The remaining functions first appeared in OpenSSL 1.1.0
-and have been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/X509_get0_signature.3 b/src/lib/libcrypto/man/X509_get0_signature.3
deleted file mode 100644
index dc3be2c70a..0000000000
--- a/src/lib/libcrypto/man/X509_get0_signature.3
+++ /dev/null
@@ -1,280 +0,0 @@
-.\" $OpenBSD: X509_get0_signature.3,v 1.9 2024/08/28 07:18:55 tb Exp $
-.\" selective merge up to:
-.\" OpenSSL man3/X509_get0_signature 2f7a2520 Apr 25 17:28:08 2017 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 28 2024 $
-.Dt X509_GET0_SIGNATURE 3
-.Os
-.Sh NAME
-.Nm X509_get0_signature ,
-.Nm X509_REQ_get0_signature ,
-.Nm X509_CRL_get0_signature ,
-.Nm X509_get0_tbs_sigalg ,
-.Nm X509_CRL_get0_tbs_sigalg ,
-.Nm X509_get_signature_type ,
-.Nm X509_get_signature_nid ,
-.Nm X509_REQ_get_signature_nid ,
-.Nm X509_CRL_get_signature_nid ,
-.Nm X509_get_signature_info
-.Nd signature information
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft void
-.Fo X509_get0_signature
-.Fa "const ASN1_BIT_STRING **psig"
-.Fa "const X509_ALGOR **palg"
-.Fa "const X509 *x"
-.Fc
-.Ft void
-.Fo X509_REQ_get0_signature
-.Fa "const X509_REQ *req"
-.Fa "const ASN1_BIT_STRING **psig"
-.Fa "const X509_ALGOR **palg"
-.Fc
-.Ft void
-.Fo X509_CRL_get0_signature
-.Fa "const X509_CRL *crl"
-.Fa "const ASN1_BIT_STRING **psig"
-.Fa "const X509_ALGOR **palg"
-.Fc
-.Ft const X509_ALGOR *
-.Fo X509_get0_tbs_sigalg
-.Fa "const X509 *x"
-.Fc
-.Ft const X509_ALGOR *
-.Fo X509_CRL_get0_tbs_sigalg
-.Fa "const X509_CRL *crl"
-.Fc
-.Ft int
-.Fo X509_get_signature_type
-.Fa "const X509 *x"
-.Fc
-.Ft int
-.Fo X509_get_signature_nid
-.Fa "const X509 *x"
-.Fc
-.Ft int
-.Fo X509_REQ_get_signature_nid
-.Fa "const X509_REQ *req"
-.Fc
-.Ft int
-.Fo X509_CRL_get_signature_nid
-.Fa "const X509_CRL *crl"
-.Fc
-.Ft int
-.Fo X509_get_signature_info
-.Fa "X509 *x"
-.Fa "int *md_nid"
-.Fa "int *pkey_nid"
-.Fa "int *security_bits"
-.Fa "uint32_t *flags"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_get0_signature ,
-.Fn X509_REQ_get0_signature ,
-and
-.Fn X509_CRL_get0_signature
-set
-.Pf * Fa psig
-to the signature and
-.Pf * Fa palg
-to the signature algorithm of
-.Fa x ,
-.Fa req ,
-or
-.Fa crl ,
-respectively.
-.Fn X509_get0_tbs_sigalg
-and
-.Fn X509_CRL_get0_tbs_sigalg
-return the signature algorithm in the signed portion of
-.Fa x
-or
-.Fa crl ,
-respectively.
-The values returned are internal pointers
-that must not be freed by the caller.
-.Pp
-.Fn X509_get_signature_type
-returns the base NID corresponding to the signature algorithm of
-.Fa x
-just like
-.Xr EVP_PKEY_base_id 3
-does.
-.Pp
-.Fn X509_get_signature_nid ,
-.Fn X509_REQ_get_signature_nid ,
-and
-.Fn X509_CRL_get_signature_nid
-return the NID corresponding to the signature algorithm of
-.Fa x ,
-.Fa req ,
-or
-.Fa crl ,
-respectively, just like
-.Xr EVP_PKEY_id 3
-does.
-.Pp
-.Fn X509_get_signature_info
-retrieves information about the signature of certificate
-.Fa x .
-The NID of the digest algorithm is written to
-.Pf * Fa md_nid ,
-the public key algorithm to
-.Pf * Fa pkey_nid ,
-the effective security bits to
-.Pf * Fa security_bits ,
-and flag details to
-.Pf * Fa flags .
-Any of the output parameters can be set to
-.Dv NULL
-if the information is not required.
-If
-.Fa flags
-is not a
-.Dv NULL
-pointer,
-.Pf * Fa flags
-is set to the bitwise OR of:
-.Bl -tag -width 1n -offset 3n
-.It Dv X509_SIG_INFO_VALID
-No error occurred.
-This flag is set if
-.Fn X509_get_signature_info
-returns 1.
-.It Dv X509_SIG_INFO_TLS
-The signature algorithm is appropriate for use in TLS.
-For a supported EdDSA algorithm (in LibreSSL this is Ed25519)
-this flag is always set.
-For an RSASSA-PSS PSS algorithm this flag is set if
-the parameters are DER encoded,
-the digest algorithm is one of SHA256, SHA384, or SHA512,
-the same digest algorithm is used in the mask generation function,
-and the salt length is equal to the digest algorithm's output length.
-For all other signature algorithms this flag is set if the digest
-algorithm is one of SHA1, SHA256, SHA384, or SHA512.
-.El
-.Pp
-.Fn X509_get_signature_info
-returns 1 on success and 0 on failure.
-Failure conditions include unsupported signature algorithms,
-certificate parsing errors and memory allocation failure.
-.Pp
-These functions provide lower level access to the signature
-for cases where an application wishes to analyse or generate a
-signature in a form where
-.Xr X509_sign 3
-is not appropriate, for example in a non-standard or unsupported format.
-.Sh SEE ALSO
-.Xr EVP_PKEY_base_id 3 ,
-.Xr OBJ_obj2nid 3 ,
-.Xr X509_ALGOR_new 3 ,
-.Xr X509_CRL_get0_by_serial 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_get_pubkey 3 ,
-.Xr X509_get_subject_name 3 ,
-.Xr X509_get_version 3 ,
-.Xr X509_new 3 ,
-.Xr X509_REQ_new 3 ,
-.Xr X509_sign 3 ,
-.Xr X509_signature_dump 3 ,
-.Xr X509_verify_cert 3
-.Sh HISTORY
-.Fn X509_get_signature_type
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_get0_signature
-and
-.Fn X509_get_signature_nid
-first appeared in OpenSSL 1.0.2.
-.Fn X509_REQ_get0_signature ,
-.Fn X509_CRL_get0_signature ,
-.Fn X509_get0_tbs_sigalg ,
-.Fn X509_REQ_get_signature_nid ,
-and
-.Fn X509_CRL_get_signature_nid
-first appeared in OpenSSL 1.1.0.
-All these functions have been available since
-.Ox 6.3 .
-.Pp
-.Fn X509_CRL_get0_tbs_sigalg
-first appeared in LibreSSL 3.7.1 and has been available since
-.Ox 7.3 .
-.Pp
-.Fn X509_get_signature_info
-first appeared in OpenSSL 1.1.1 and has been available since
-.Ox 7.6 .
-.Sh CAVEATS
-The security bits returned by
-.Fn X509_get_signature_info
-refer to the information available from the certificate signature
-(such as the signing digest).
-In some cases the actual security of the signature is smaller
-because the signing key is less secure.
-For example in a certificate signed using SHA512
-and a 1024-bit RSA key.
diff --git a/src/lib/libcrypto/man/X509_get1_email.3 b/src/lib/libcrypto/man/X509_get1_email.3
deleted file mode 100644
index c38a604899..0000000000
--- a/src/lib/libcrypto/man/X509_get1_email.3
+++ /dev/null
@@ -1,123 +0,0 @@
-.\" $OpenBSD: X509_get1_email.3,v 1.1 2019/08/23 12:23:39 schwarze Exp $
-.\"
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: August 23 2019 $
-.Dt X509_GET1_EMAIL 3
-.Os
-.Sh NAME
-.Nm X509_get1_email ,
-.Nm X509_get1_ocsp ,
-.Nm X509_email_free
-.Nd utilities for stacks of strings
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Vt typedef char *OPENSSL_STRING ;
-.Ft STACK_OF(OPENSSL_STRING) *
-.Fo X509_get1_email
-.Fa "X509 *certificate"
-.Fc
-.Ft STACK_OF(OPENSSL_STRING) *
-.Fo X509_get1_ocsp
-.Fa "X509 *certificate"
-.Fc
-.Ft void
-.Fo X509_email_free
-.Fa "STACK_OF(OPENSSL_STRING) *stack"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_get1_email
-retrieves all email addresses from the
-.Fa subject
-field and from any
-Subject Alternative Name extension of the
-.Fa certificate .
-.Pp
-.Fn X509_get1_ocsp
-retrieves all uniform resource identifiers
-from all
-.Vt AccessDescription
-objects having an
-.Fa accessMethod
-of OCSP which are contained in the Authority Information Access extension
-of the
-.Fa certificate .
-.Pp
-.Fn X509_email_free
-frees all strings stored in the
-.Fa stack
-as well as the stack itself.
-If
-.Fa stack
-is a
-.Dv NULL
-pointer, no action occurs.
-.Sh RETURN VALUES
-.Fn X509_REQ_get1_email
-and
-.Fn X509_get1_ocsp
-return newly allocated stacks of
-.Vt char *
-containing copies of the addresses in question, or
-.Dv NULL
-if there are no addresses or if an error occurs.
-.Sh SEE ALSO
-.Xr OCSP_sendreq_new 3 ,
-.Xr OCSP_SERVICELOC_new 3 ,
-.Xr OPENSSL_sk_new 3 ,
-.Xr STACK_OF 3 ,
-.Xr X509_check_email 3 ,
-.Xr X509_get_ext_d2i 3 ,
-.Xr X509_get_subject_name 3 ,
-.Xr X509_new 3 ,
-.Xr x509v3.cnf 5
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Bl -dash -offset indent -compact
-.It
-section 4.1: Basic Certificate Fields
-.It
-section 4.1.2.6: Subject
-.It
-section 4.2.1.6: Subject Alternative Name
-.It
-section 4.2.2.1: Authority Information Access
-.El
-.Pp
-RFC 2985: PKCS #9: Selected Object Classes and Attribute Types
-.Bl -dash -offset indent -compact
-.It
-section 5.2.1: Electronic-mail address
-.It
-appendix B.3.5: emailAddress
-.El
-.Sh HISTORY
-.Fn X509_get1_email
-and
-.Fn X509_email_free
-first appeared in OpenSSL 0.9.6 and have been available since
-.Ox 2.9 .
-.Pp
-.Fn X509_get1_ocsp
-first appeared in OpenSSL 0.9.8h and has been available since
-.Ox 4.5 .
-.Sh BUGS
-.Fn X509_email_free
-is utterly misnamed.
-It does not operate on any
-.Vt X509
-object, nor is it in any way restricted to email addresses;
-instead, it simply frees a stack of strings.
diff --git a/src/lib/libcrypto/man/X509_get_extension_flags.3 b/src/lib/libcrypto/man/X509_get_extension_flags.3
deleted file mode 100644
index 1d7f29c687..0000000000
--- a/src/lib/libcrypto/man/X509_get_extension_flags.3
+++ /dev/null
@@ -1,234 +0,0 @@
-.\" $OpenBSD: X509_get_extension_flags.3,v 1.4 2023/04/30 19:40:23 tb Exp $
-.\" full merge up to: OpenSSL 361136f4 Sep 1 18:56:58 2015 +0100
-.\" selective merge up to: OpenSSL 2b2e3106f Feb 16 15:04:45 2021 +0000
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 30 2023 $
-.Dt X509_GET_EXTENSION_FLAGS 3
-.Os
-.Sh NAME
-.Nm X509_get_extension_flags ,
-.Nm X509_get_key_usage ,
-.Nm X509_get_extended_key_usage
-.Nd retrieve certificate extension data
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft uint32_t
-.Fo X509_get_extension_flags
-.Fa "X509 *x"
-.Fc
-.Ft uint32_t
-.Fo X509_get_key_usage
-.Fa "X509 *x"
-.Fc
-.Ft uint32_t
-.Fo X509_get_extended_key_usage
-.Fa "X509 *x"
-.Fc
-.Sh DESCRIPTION
-These functions retrieve information related to commonly used
-certificate extensions.
-.Pp
-.Fn X509_get_extension_flags
-retrieves general information about a certificate.
-It returns one or more of the following flags OR'ed together.
-.Bl -tag -width Ds
-.It Dv EXFLAG_V1
-The certificate is an obsolete version 1 certificate.
-.It Dv EXFLAG_BCONS
-The certificate contains a basic constraints extension.
-.It Dv EXFLAG_CA
-The certificate contains basic constraints and asserts the CA flag.
-.It Dv EXFLAG_PROXY
-The certificate is a valid proxy certificate.
-In LibreSSL this flag is never set.
-.It Dv EXFLAG_SI
-The certificate is self issued (that is subject and issuer names match).
-.It Dv EXFLAG_SS
-The subject and issuer names match and extension values imply it is self
-signed.
-.It Dv EXFLAG_FRESHEST
-The freshest CRL extension is present in the certificate.
-.It Dv EXFLAG_CRITICAL
-The certificate contains an unhandled critical extension.
-.It Dv EXFLAG_INVALID
-Some certificate extension values are invalid or inconsistent.
-The certificate should be rejected.
-This bit may also be raised after an out-of-memory error while
-processing the X509 object, so it may not be related to the processed
-ASN1 object itself.
-.\" EXFLAG_NO_FINGERPRINT is not available in LibreSSL. Do we need
-.\" https://github.com/openssl/openssl/issues/13698 and the fix it fixes?
-.\".It Dv EXFLAG_NO_FINGERPRINT
-.\" Failed to compute the internal SHA1 hash value of the certificate.
-.\" This may be due to malloc failure or because no SHA1 implementation was
-.\" found.
-.It Dv EXFLAG_INVALID_POLICY
-The
-.Dv NID_certificate_policies
-certificate extension is invalid or inconsistent.
-The certificate should be rejected.
-This bit may also be raised after an out-of-memory error while
-processing the X509 object, so it may not be related to the processed
-ASN1 object itself.
-.It Dv EXFLAG_KUSAGE
-The certificate contains a key usage extension.
-The value can be retrieved using
-.Fn X509_get_key_usage .
-.It Dv EXFLAG_XKUSAGE
-The certificate contains an extended key usage extension.
-The value can be retrieved using
-.Fn X509_get_extended_key_usage .
-.El
-.Pp
-.Fn X509_get_key_usage
-returns the value of the key usage extension.
-If key usage is present, it returns zero or more of these flags:
-.Dv KU_DIGITAL_SIGNATURE ,
-.Dv KU_NON_REPUDIATION ,
-.Dv KU_KEY_ENCIPHERMENT ,
-.Dv KU_DATA_ENCIPHERMENT ,
-.Dv KU_KEY_AGREEMENT ,
-.Dv KU_KEY_CERT_SIGN ,
-.Dv KU_CRL_SIGN ,
-.Dv KU_ENCIPHER_ONLY ,
-or
-.Dv KU_DECIPHER_ONLY ,
-corresponding to individual key usage bits.
-If key usage is absent,
-.Dv UINT32_MAX
-is returned.
-.Pp
-The following aliases for these flags are defined in
-.In openssl/x509.h :
-.Dv X509v3_KU_DIGITAL_SIGNATURE ,
-.Dv X509v3_KU_NON_REPUDIATION ,
-.Dv X509v3_KU_KEY_ENCIPHERMENT ,
-.Dv X509v3_KU_DATA_ENCIPHERMENT ,
-.Dv X509v3_KU_KEY_AGREEMENT ,
-.Dv X509v3_KU_KEY_CERT_SIGN ,
-.Dv X509v3_KU_CRL_SIGN ,
-.Dv X509v3_KU_ENCIPHER_ONLY ,
-and
-.Dv X509v3_KU_DECIPHER_ONLY .
-.\" X509v3_KU_UNDEF is intentionally undocumented because nothing uses it.
-.Pp
-.Fn X509_get_extended_key_usage
-returns the value of the extended key usage extension.
-If extended key usage is present, it returns zero or more of these
-flags:
-.Dv XKU_SSL_SERVER ,
-.Dv XKU_SSL_CLIENT ,
-.Dv XKU_SMIME ,
-.Dv XKU_CODE_SIGN
-.Dv XKU_OCSP_SIGN ,
-.Dv XKU_TIMESTAMP ,
-.Dv XKU_DVCS ,
-or
-.Dv XKU_ANYEKU .
-These correspond to the OIDs
-.Qq id-kp-serverAuth ,
-.Qq id-kp-clientAuth ,
-.Qq id-kp-emailProtection ,
-.Qq id-kp-codeSigning ,
-.Qq id-kp-OCSPSigning ,
-.Qq id-kp-timeStamping ,
-.Qq id-kp-dvcs ,
-and
-.Qq anyExtendedKeyUsage ,
-respectively.
-Additionally,
-.Dv XKU_SGC
-is set if either Netscape or Microsoft SGC OIDs are present.
-.Pp
-The value of the flags correspond to extension values which are cached
-in the
-.Vt X509
-structure.
-If the flags returned do not provide sufficient information,
-an application should examine extension values directly,
-for example using
-.Xr X509_get_ext_d2i 3 .
-.Pp
-If the key usage or extended key usage extension is absent then
-typically usage is unrestricted.
-For this reason
-.Fn X509_get_key_usage
-and
-.Fn X509_get_extended_key_usage
-return
-.Dv UINT32_MAX
-when the corresponding extension is absent.
-Applications can additionally check the return value of
-.Fn X509_get_extension_flags
-and take appropriate action if an extension is absent.
-.Sh RETURN VALUES
-.Fn X509_get_extension_flags ,
-.Fn X509_get_key_usage
-and
-.Fn X509_get_extended_key_usage
-return sets of flags corresponding to the certificate extension values.
-.Sh SEE ALSO
-.Xr BASIC_CONSTRAINTS_new 3 ,
-.Xr EXTENDED_KEY_USAGE_new 3 ,
-.Xr POLICYINFO_new 3 ,
-.Xr X509_check_ca 3 ,
-.Xr X509_check_purpose 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_get_ext_d2i 3 ,
-.Xr X509_get_subject_name 3 ,
-.Xr X509_get_version 3 ,
-.Xr X509_new 3
-.Sh HISTORY
-.Nm X509_get_extension_flags ,
-.Nm X509_get_key_usage ,
-and
-.Nm X509_get_extended_key_usage
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/X509_get_pubkey.3 b/src/lib/libcrypto/man/X509_get_pubkey.3
deleted file mode 100644
index 0829397982..0000000000
--- a/src/lib/libcrypto/man/X509_get_pubkey.3
+++ /dev/null
@@ -1,296 +0,0 @@
-.\" $OpenBSD: X509_get_pubkey.3,v 1.13 2022/03/31 17:27:17 naddy Exp $
-.\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2020, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 31 2022 $
-.Dt X509_GET_PUBKEY 3
-.Os
-.Sh NAME
-.Nm X509_get_pubkey ,
-.Nm X509_get0_pubkey ,
-.Nm X509_set_pubkey ,
-.Nm X509_get_X509_PUBKEY ,
-.Nm X509_get0_pubkey_bitstr ,
-.Nm X509_REQ_get_pubkey ,
-.Nm X509_REQ_get0_pubkey ,
-.Nm X509_REQ_set_pubkey ,
-.Nm X509_extract_key ,
-.Nm X509_REQ_extract_key
-.Nd get or set certificate or certificate request public key
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft EVP_PKEY *
-.Fo X509_get_pubkey
-.Fa "X509 *x"
-.Fc
-.Ft EVP_PKEY *
-.Fo X509_get0_pubkey
-.Fa "const X509 *x"
-.Fc
-.Ft int
-.Fo X509_set_pubkey
-.Fa "X509 *x"
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft X509_PUBKEY *
-.Fo X509_get_X509_PUBKEY
-.Fa "const X509 *x"
-.Fc
-.Ft ASN1_BIT_STRING *
-.Fo X509_get0_pubkey_bitstr
-.Fa "const X509 *x"
-.Fc
-.Ft EVP_PKEY *
-.Fo X509_REQ_get_pubkey
-.Fa "X509_REQ *req"
-.Fc
-.Ft EVP_PKEY *
-.Fo X509_REQ_get0_pubkey
-.Fa "X509_REQ *req"
-.Fc
-.Ft int
-.Fo X509_REQ_set_pubkey
-.Fa "X509_REQ *x"
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft EVP_PKEY *
-.Fo X509_extract_key
-.Fa "X509 *x"
-.Fc
-.Ft EVP_PKEY *
-.Fo X509_REQ_extract_key
-.Fa "X509_REQ *req"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_get_pubkey
-attempts to decode the public key for certificate
-.Fa x .
-If successful, it returns the public key as an
-.Vt EVP_PKEY
-pointer with its reference count incremented: this means the returned
-key must be freed up after use.
-.Fn X509_get0_pubkey
-is similar except that it does not increment the reference count
-of the returned
-.Vt EVP_PKEY ,
-so it must not be freed up after use.
-.Pp
-.Fn X509_get_X509_PUBKEY
-returns an internal pointer to the
-.Vt SubjectPublicKeyInfo
-structure contained in
-.Fa x .
-The returned value must not be freed up after use.
-.Pp
-.Fn X509_get0_pubkey_bitstr
-returns an internal pointer to just the public key contained in this
-.Vt SubjectPublicKeyInfo
-structure, without the information about the algorithm used.
-.Pp
-.Fn X509_set_pubkey
-attempts to set the public key for certificate
-.Fa x
-to
-.Fa pkey .
-The key
-.Fa pkey
-should be freed up after use.
-.Pp
-.Fn X509_REQ_get_pubkey ,
-.Fn X509_REQ_get0_pubkey ,
-and
-.Fn X509_REQ_set_pubkey
-are similar but operate on certificate request
-.Fa req .
-.Pp
-The first time a public key is decoded, the
-.Vt EVP_PKEY
-structure is cached in the certificate or certificate request itself.
-Subsequent calls return the cached structure with its reference count
-incremented to improve performance.
-.Pp
-.Fn X509_extract_key
-and
-.Fn X509_REQ_extract_key
-are deprecated aliases for
-.Fn X509_get_pubkey
-and
-.Fn X509_REQ_get_pubkey ,
-respectively, implemented as macros.
-.Sh RETURN VALUES
-.Fn X509_get_pubkey ,
-.Fn X509_get0_pubkey ,
-.Fn X509_get_X509_PUBKEY ,
-.Fn X509_get0_pubkey_bitstr ,
-.Fn X509_REQ_get_pubkey ,
-.Fn X509_REQ_get0_pubkey ,
-.Fn X509_extract_key ,
-and
-.Fn X509_REQ_extract_key
-return a public key or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn X509_set_pubkey
-and
-.Fn X509_REQ_set_pubkey
-return 1 for success or 0 for failure.
-.Pp
-In some cases of failure of
-.Fn X509_get0_pubkey ,
-.Fn X509_set_pubkey ,
-.Fn X509_REQ_get_pubkey ,
-.Fn X509_REQ_get0_pubkey ,
-and
-.Fn X509_REQ_set_pubkey ,
-the reason can be determined with
-.Xr ERR_get_error 3 .
-.Sh ERRORS
-.Fn X509_get_pubkey ,
-.Fn X509_get0_pubkey ,
-.Fn X509_REQ_get_pubkey ,
-.Fn X509_extract_key ,
-and
-.Fn X509_REQ_extract_key
-provide diagnostics as documented for
-.Xr X509_PUBKEY_get 3 .
-If
-.Fa x
-or
-.Fa req
-is
-.Dv NULL
-or contains no certificate information,
-they fail without pushing an error onto the stack.
-.Pp
-.Fn X509_get_X509_PUBKEY
-provides no diagnostics and crashes by accessing a
-.Dv NULL
-pointer if
-.Fa x
-is
-.Dv NULL
-or contains no certificate information,
-.Pp
-.Fn X509_get0_pubkey_bitstr
-provides no diagnostics
-and fails without pushing an error onto the stack if
-.Fa x
-is
-.Dv NULL ,
-but it crashes by accessing a
-.Dv NULL
-pointer if
-.Fa x
-contains no certificate information.
-.Sh SEE ALSO
-.Xr d2i_X509 3 ,
-.Xr X509_CRL_get0_by_serial 3 ,
-.Xr X509_NAME_add_entry_by_txt 3 ,
-.Xr X509_NAME_ENTRY_get_object 3 ,
-.Xr X509_NAME_get_index_by_NID 3 ,
-.Xr X509_NAME_print_ex 3 ,
-.Xr X509_new 3 ,
-.Xr X509_PUBKEY_new 3 ,
-.Xr X509_REQ_new 3 ,
-.Xr X509_sign 3 ,
-.Xr X509_verify_cert 3 ,
-.Xr X509V3_get_d2i 3
-.Sh STANDARDS
-RFC 5280, Internet X.509 Public Key Infrastructure Certificate
-and Certificate Revocation List (CRL) Profile,
-section 4.1 Basic Certificate Fields
-.Pp
-RFC 2986: PKCS #10: Certification Request Syntax Specification,
-section 4.1 CertificationRequestInfo
-.Sh HISTORY
-.Fn X509_extract_key
-and
-.Fn X509_REQ_extract_key
-first appeared in SSLeay 0.5.1 but returned a pointer to an
-.Vt RSA
-object before SSLeay 0.6.0.
-.Fn X509_get_pubkey ,
-.Fn X509_set_pubkey ,
-.Fn X509_REQ_get_pubkey ,
-and
-.Fn X509_REQ_set_pubkey
-first appeared in SSLeay 0.6.5.
-.Fn X509_get_X509_PUBKEY
-first appeared in SSLeay 0.8.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_get0_pubkey_bitstr
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.4 .
-.Pp
-.Fn X509_get0_pubkey
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
-.Fn X509_REQ_get0_pubkey
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/X509_get_pubkey_parameters.3 b/src/lib/libcrypto/man/X509_get_pubkey_parameters.3
deleted file mode 100644
index 181361477e..0000000000
--- a/src/lib/libcrypto/man/X509_get_pubkey_parameters.3
+++ /dev/null
@@ -1,99 +0,0 @@
-.\" $OpenBSD: X509_get_pubkey_parameters.3,v 1.2 2021/11/26 13:35:10 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 26 2021 $
-.Dt X509_GET_PUBKEY_PARAMETERS 3
-.Os
-.Sh NAME
-.Nm X509_get_pubkey_parameters
-.Nd copy public key parameters from a chain
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_get_pubkey_parameters
-.Fa "EVP_PKEY *pkey"
-.Fa "STACK_OF(X509) *chain"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_get_pubkey_parameters
-copies public key parameters from the first appropriate certificate in the
-.Fa chain .
-.Pp
-If
-.Fa pkey
-is not
-.Dv NULL
-and already contains complete public key parameters or uses an
-algorithm that does not use any parameters, no action occurs and
-the function indicates success without inspecting the existing
-parameters, without inspecting the
-.Fa chain ,
-and without comparing any parameters.
-.Pp
-Otherwise, all public key parameters are copied
-from the first certificate in the
-.Fa chain
-that contains complete public key parameters
-to each certificate preceding it in the
-.Fa chain .
-Unless
-.Fa pkey
-is a
-.Dv NULL
-pointer, the same parameters are also copied to
-.Fa pkey .
-.Sh RETURN VALUES
-.Fn X509_get_pubkey_parameters
-returns 1 for success or 0 for failure.
-.Sh ERRORS
-The following diagnostics can be retrieved with
-.Xr ERR_get_error 3 ,
-.Xr ERR_GET_REASON 3 ,
-and
-.Xr ERR_reason_error_string 3 :
-.Bl -tag -width Ds
-.It Dv X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY Qq unable to get certs public key
-Retrieving the public key from a certificate in the
-.Fa chain
-failed before a certificate containing complete public key parameters
-could be found.
-.It Xo
-.Dv X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN
-.Qq unable to find parameters in chain
-.Xc
-None of the certificates in the chain
-contain complete public key parameters.
-.El
-.Sh SEE ALSO
-.Xr EVP_PKEY_copy_parameters 3 ,
-.Xr EVP_PKEY_new 3 ,
-.Xr X509_get_pubkey 3 ,
-.Xr X509_new 3
-.Sh HISTORY
-.Fn X509_get_pubkey_parameters
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
-.Sh CAVEATS
-If
-.Fn X509_get_pubkey_parameters
-fails and returns 0, a part of the parameters may or may not have
-been copied before the failure was detected, whereas other parts of
-.Fa pkey
-and
-.Fa chain
-may remain unchanged.
-So in case of failure, the state of the arguments may change
-and possibly become inconsistent.
diff --git a/src/lib/libcrypto/man/X509_get_serialNumber.3 b/src/lib/libcrypto/man/X509_get_serialNumber.3
deleted file mode 100644
index 7d757c7a71..0000000000
--- a/src/lib/libcrypto/man/X509_get_serialNumber.3
+++ /dev/null
@@ -1,129 +0,0 @@
-.\" $OpenBSD: X509_get_serialNumber.3,v 1.5 2020/06/19 12:01:20 schwarze Exp $
-.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 19 2020 $
-.Dt X509_GET_SERIALNUMBER 3
-.Os
-.Sh NAME
-.Nm X509_get_serialNumber ,
-.Nm X509_get0_serialNumber ,
-.Nm X509_set_serialNumber
-.Nd get or set certificate serial number
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft ASN1_INTEGER *
-.Fo X509_get_serialNumber
-.Fa "X509 *x"
-.Fc
-.Ft const ASN1_INTEGER *
-.Fo X509_get0_serialNumber
-.Fa "const X509 *x"
-.Fc
-.Ft int
-.Fo X509_set_serialNumber
-.Fa "X509 *x"
-.Fa "ASN1_INTEGER *serial"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_get_serialNumber
-returns the serial number of certificate
-.Fa x
-as an
-.Vt ASN1_INTEGER
-structure which can be examined or initialised.
-The value returned is an internal pointer which must not be freed
-up after the call.
-.Pp
-.Fn X509_get0_serialNumber
-does the same except that it accepts a constant argument
-and returns a constant result.
-.Pp
-.Fn X509_set_serialNumber
-sets the serial number of certificate
-.Fa x
-to
-.Fa serial .
-A copy of the serial number is used internally so
-.Fa serial
-should be freed up after use.
-.Sh RETURN VALUES
-.Fn X509_get_serialNumber
-and
-.Fn X509_get0_serialNumber
-return a pointer to an
-.Vt ASN1_INTEGER
-structure.
-.Pp
-.Fn X509_set_serialNumber
-returns 1 for success or 0 for failure.
-In some cases of failure, the reason can be determined with
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr d2i_X509 3 ,
-.Xr X509_CRL_get0_by_serial 3 ,
-.Xr X509_get_pubkey 3 ,
-.Xr X509_NAME_add_entry_by_txt 3 ,
-.Xr X509_NAME_ENTRY_get_object 3 ,
-.Xr X509_NAME_get_index_by_NID 3 ,
-.Xr X509_NAME_print_ex 3 ,
-.Xr X509_new 3 ,
-.Xr X509_sign 3 ,
-.Xr X509_verify_cert 3 ,
-.Xr X509V3_get_d2i 3
-.Sh HISTORY
-.Fn X509_get_serialNumber
-and
-.Fn X509_set_serialNumber
-first appeared in SSLeay 0.6.5 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_get0_serialNumber
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.4 .
diff --git a/src/lib/libcrypto/man/X509_get_subject_name.3 b/src/lib/libcrypto/man/X509_get_subject_name.3
deleted file mode 100644
index fb9611f645..0000000000
--- a/src/lib/libcrypto/man/X509_get_subject_name.3
+++ /dev/null
@@ -1,189 +0,0 @@
-.\"     $OpenBSD: X509_get_subject_name.3,v 1.10 2020/10/21 17:17:44 tb Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 21 2020 $
-.Dt X509_GET_SUBJECT_NAME 3
-.Os
-.Sh NAME
-.Nm X509_get_subject_name ,
-.Nm X509_set_subject_name ,
-.Nm X509_get_issuer_name ,
-.Nm X509_set_issuer_name ,
-.Nm X509_REQ_get_subject_name ,
-.Nm X509_REQ_set_subject_name ,
-.Nm X509_CRL_get_issuer ,
-.Nm X509_CRL_set_issuer_name
-.Nd get and set issuer or subject names
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_NAME *
-.Fo X509_get_subject_name
-.Fa "const X509 *x"
-.Fc
-.Ft int
-.Fo X509_set_subject_name
-.Fa "X509 *x"
-.Fa "X509_NAME *name"
-.Fc
-.Ft X509_NAME *
-.Fo X509_get_issuer_name
-.Fa "const X509 *x"
-.Fc
-.Ft int
-.Fo X509_set_issuer_name
-.Fa "X509 *x"
-.Fa "X509_NAME *name"
-.Fc
-.Ft X509_NAME *
-.Fo X509_REQ_get_subject_name
-.Fa "const X509_REQ *req"
-.Fc
-.Ft int
-.Fo X509_REQ_set_subject_name
-.Fa "X509_REQ *req"
-.Fa "X509_NAME *name"
-.Fc
-.Ft X509_NAME *
-.Fo X509_CRL_get_issuer
-.Fa "const X509_CRL *crl"
-.Fc
-.Ft int
-.Fo X509_CRL_set_issuer_name
-.Fa "X509_CRL *x"
-.Fa "X509_NAME *name"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_get_subject_name
-returns the subject name of certificate
-.Fa x .
-The returned value is an internal pointer which must not be freed.
-.Pp
-.Fn X509_set_subject_name
-sets the issuer name of certificate
-.Fa x
-to
-.Fa name .
-The
-.Fa name
-parameter is copied internally and should be freed up when it is no
-longer needed.
-.Pp
-.Fn X509_get_issuer_name
-and
-.Fn X509_set_issuer_name
-are identical to
-.Fn X509_get_subject_name
-and
-.Fn X509_set_subject_name
-except that they get and set the issuer name of
-.Fa x .
-.Pp
-Similarly
-.Fn X509_REQ_get_subject_name ,
-.Fn X509_REQ_set_subject_name ,
-.Fn X509_CRL_get_issuer ,
-and
-.Fn X509_CRL_set_issuer_name
-get or set the subject or issuer names of certificate requests
-of CRLs, respectively.
-.Sh RETURN VALUES
-.Fn X509_get_subject_name ,
-.Fn X509_get_issuer_name ,
-.Fn X509_REQ_get_subject_name ,
-and
-.Fn X509_CRL_get_issuer
-return a pointer to an
-.Vt X509_NAME
-object.
-.Pp
-.Fn X509_set_subject_name ,
-.Fn X509_set_issuer_name ,
-.Fn X509_REQ_set_subject_name ,
-and
-.Fn X509_CRL_set_issuer_name
-return 1 for success or 0 for failure.
-In some cases of failure, the reason can be determined with
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr d2i_X509_NAME 3 ,
-.Xr X509_CRL_get0_by_serial 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_get_pubkey 3 ,
-.Xr X509_NAME_add_entry_by_txt 3 ,
-.Xr X509_NAME_ENTRY_get_object 3 ,
-.Xr X509_NAME_get_index_by_NID 3 ,
-.Xr X509_NAME_new 3 ,
-.Xr X509_NAME_print_ex 3 ,
-.Xr X509_new 3 ,
-.Xr X509_REQ_new 3 ,
-.Xr X509_sign 3 ,
-.Xr X509_verify_cert 3 ,
-.Xr X509V3_get_d2i 3
-.Sh HISTORY
-.Fn X509_get_subject_name
-and
-.Fn X509_get_issuer_name
-appeared in SSLeay 0.4 or earlier.
-.Fn X509_set_subject_name ,
-.Fn X509_set_issuer_name ,
-.Fn X509_REQ_get_subject_name ,
-and
-.Fn X509_REQ_set_subject_name
-first appeared in SSLeay 0.6.5.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_CRL_get_issuer
-first appeared in OpenSSL 0.9.2b and has been available since
-.Ox 2.6 .
-.Pp
-.Fn X509_CRL_set_issuer_name
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/X509_get_version.3 b/src/lib/libcrypto/man/X509_get_version.3
deleted file mode 100644
index ee46ff7c8c..0000000000
--- a/src/lib/libcrypto/man/X509_get_version.3
+++ /dev/null
@@ -1,162 +0,0 @@
-.\"     $OpenBSD: X509_get_version.3,v 1.8 2020/10/21 17:17:44 tb Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2015, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 21 2020 $
-.Dt X509_GET_VERSION 3
-.Os
-.Sh NAME
-.Nm X509_get_version ,
-.Nm X509_set_version ,
-.Nm X509_REQ_get_version ,
-.Nm X509_REQ_set_version ,
-.Nm X509_CRL_get_version ,
-.Nm X509_CRL_set_version
-.Nd get or set certificate, certificate request, or CRL version
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft long
-.Fo X509_get_version
-.Fa "const X509 *x"
-.Fc
-.Ft int
-.Fo X509_set_version
-.Fa "X509 *x"
-.Fa "long version"
-.Fc
-.Ft long
-.Fo X509_REQ_get_version
-.Fa "const X509_REQ *req"
-.Fc
-.Ft int
-.Fo X509_REQ_set_version
-.Fa "X509_REQ *x"
-.Fa "long version"
-.Fc
-.Ft long
-.Fo X509_CRL_get_version
-.Fa "const X509_CRL *crl"
-.Fc
-.Ft int
-.Fo X509_CRL_set_version
-.Fa "X509_CRL *x"
-.Fa "long version"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_get_version
-returns the numerical value of the version field of certificate
-.Fa x .
-Note: this is defined by standards (X.509 et al.) to be one less
-than the certificate version.
-So a version 3 certificate will return 2 and a version 1 certificate
-will return 0.
-.Pp
-.Fn X509_set_version
-sets the numerical value of the version field of certificate
-.Fa x
-to
-.Fa version .
-.Pp
-Similarly
-.Fn X509_REQ_get_version ,
-.Fn X509_REQ_set_version ,
-.Fn X509_CRL_get_version ,
-and
-.Fn X509_CRL_set_version
-get and set the version number of certificate requests and CRLs.
-.Pp
-The version field of certificates, certificate requests, and CRLs
-has a DEFAULT value of v1(0) meaning the field should be omitted
-for version 1.
-This is handled transparently by these functions.
-.Sh RETURN VALUES
-.Fn X509_get_version ,
-.Fn X509_REQ_get_version ,
-and
-.Fn X509_CRL_get_version
-return the numerical value of the version field.
-.Pp
-.Fn X509_set_version ,
-.Fn X509_REQ_set_version ,
-and
-.Fn X509_CRL_set_version
-return 1 for success or 0 for failure.
-In some cases of failure, the reason can be determined with
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr d2i_X509 3 ,
-.Xr X509_CRL_get0_by_serial 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_get_pubkey 3 ,
-.Xr X509_get_subject_name 3 ,
-.Xr X509_NAME_add_entry_by_txt 3 ,
-.Xr X509_NAME_ENTRY_get_object 3 ,
-.Xr X509_NAME_get_index_by_NID 3 ,
-.Xr X509_NAME_print_ex 3 ,
-.Xr X509_new 3 ,
-.Xr X509_REQ_new 3 ,
-.Xr X509_sign 3 ,
-.Xr X509_verify_cert 3 ,
-.Xr X509V3_get_d2i 3
-.Sh HISTORY
-.Fn X509_get_version ,
-.Fn X509_set_version ,
-.Fn X509_REQ_get_version ,
-and
-.Fn X509_REQ_set_version
-first appeared in SSLeay 0.6.5 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_CRL_get_version
-first appeared in OpenSSL 0.9.2b and has been available since
-.Ox 2.6 .
-.Pp
-.Fn X509_CRL_set_version
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/X509_keyid_set1.3 b/src/lib/libcrypto/man/X509_keyid_set1.3
deleted file mode 100644
index c529fc742b..0000000000
--- a/src/lib/libcrypto/man/X509_keyid_set1.3
+++ /dev/null
@@ -1,171 +0,0 @@
-.\" $OpenBSD: X509_keyid_set1.3,v 1.2 2021/07/09 14:41:14 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 9 2021 $
-.Dt X509_KEYID_SET1 3
-.Os
-.Sh NAME
-.Nm X509_keyid_set1 ,
-.Nm X509_keyid_get0 ,
-.Nm X509_alias_set1 ,
-.Nm X509_alias_get0
-.Nd auxiliary certificate data for PKCS#12
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_keyid_set1
-.Fa "X509 *x"
-.Fa "const unsigned char *data"
-.Fa "int len"
-.Fc
-.Ft unsigned char *
-.Fo X509_keyid_get0
-.Fa "X509 *x"
-.Fa "int *plen"
-.Fc
-.Ft int
-.Fo X509_alias_set1
-.Fa "X509 *x"
-.Fa "const unsigned char *data"
-.Fa "int len"
-.Fc
-.Ft unsigned char *
-.Fo X509_alias_get0
-.Fa "X509 *x"
-.Fa "int *plen"
-.Fc
-.Sh DESCRIPTION
-These functions store non-standard auxiliary data in
-.Fa x
-and retrieve it.
-.Pp
-The
-.Fa len
-bytes of
-.Fa data
-stored using
-.Fn X509_keyid_set1
-will be written to the
-.Sy localKeyID
-attribute of the PKCS#12 structure if
-.Xr PKCS12_create 3
-is later called on
-.Fa x ,
-and the
-.Fa data
-stored using
-.Fn X509_alias_set1
-will be written to the
-.Sy friendlyName
-attribute.
-If
-.Fa data
-points to a NUL-terminated string, \-1 can be passed as the
-.Fa len
-argument to let
-.Fa len
-be calculated internally using
-.Xr strlen 3 .
-If a
-.Dv NULL
-pointer is passed as the
-.Fa data
-argument, the respective auxiliary data stored in
-.Fa x ,
-if any, is removed from
-.Fa x
-and freed.
-.Pp
-Conversely,
-.Xr PKCS12_parse 3
-retrieves these attributes from a PKCS#12 structure such that they can
-subsequently be accessed with
-.Fn X509_keyid_get0
-and
-.Fn X509_alias_get0 .
-Unless
-.Dv NULL
-is passed for the
-.Fa plen
-argument, these functions store the size of the returned buffer in bytes in
-.Pf * Fa plen .
-After the call, the returned buffer is not necessarily NUL-terminated,
-but it may contain internal NUL bytes.
-.Pp
-API design is very incomplete; given the complexity of PKCS#12,
-that's probably an asset rather than a defect.
-The PKCS#12 standard defines many attributes that cannot be stored in
-.Vt X509
-objects.
-.Pp
-To associate certificates with alternative names and key identifiers,
-X.509 certificate extensions are more commonly used than PKCS#12
-attributes, for example using
-.Xr X509_EXTENSION_create_by_NID 3
-with
-.Dv NID_subject_alt_name
-or
-.Dv NID_subject_key_identifier .
-.Sh RETURN VALUES
-.Fn X509_keyid_set1
-and
-.Fn X509_alias_set1
-return 1 if
-.Fa data
-is
-.Dv NULL
-or if the input
-.Fa data
-was successfully copied into
-.Fa x ,
-or 0 if
-.Fa data
-is not
-.Dv NULL
-but could not be copied because
-.Fa x
-is
-.Dv NULL
-or memory allocation failed.
-.Pp
-.Fn X509_keyid_get0
-and
-.Fn X509_alias_get0
-return an internal pointer to an array of bytes or
-.Dv NULL
-if
-.Fa x
-does not contain auxiliary data of the requested kind.
-.Sh SEE ALSO
-.Xr ASN1_STRING_set 3 ,
-.Xr X509_CERT_AUX_new 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509V3_get_d2i 3
-.Sh HISTORY
-.Fn X509_alias_set1
-and
-.Fn X509_alias_get0
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-.Fn X509_keyid_set1
-first appeared in OpenSSL 0.9.6 and has been available since
-.Ox 2.9 .
-.Pp
-.Fn X509_keyid_get0
-first appeared in OpenSSL 0.9.8 and has been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/X509_load_cert_file.3 b/src/lib/libcrypto/man/X509_load_cert_file.3
deleted file mode 100644
index 95a83dd00e..0000000000
--- a/src/lib/libcrypto/man/X509_load_cert_file.3
+++ /dev/null
@@ -1,133 +0,0 @@
-.\" $OpenBSD: X509_load_cert_file.3,v 1.1 2021/11/09 16:23:04 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 9 2021 $
-.Dt X509_LOAD_CERT_FILE 3
-.Os
-.Sh NAME
-.Nm X509_load_cert_file ,
-.Nm X509_load_crl_file ,
-.Nm X509_load_cert_crl_file
-.Nd read, decode, and cache certificates and CRLs
-.Sh SYNOPSIS
-.In openssl/x509_vfy.h
-.Ft int
-.Fo X509_load_cert_file
-.Fa "X509_LOOKUP *ctx"
-.Fa "const char *file"
-.Fa "int type"
-.Fc
-.Ft int
-.Fo X509_load_crl_file
-.Fa "X509_LOOKUP *ctx"
-.Fa "const char *file"
-.Fa "int type"
-.Fc
-.Ft int
-.Fo X509_load_cert_crl_file
-.Fa "X509_LOOKUP *ctx"
-.Fa "const char *file"
-.Fa "int type"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_load_cert_file
-with a
-.Fa type
-of
-.Dv X509_FILETYPE_PEM
-reads one or more certificates in PEM format from the given
-.Fa file
-using
-.Xr PEM_read_bio_X509_AUX 3 ;
-with a type of
-.Dv X509_FILETYPE_ASN1 ,
-if reads one certificate in DER format using
-.Xr d2i_X509_bio 3 .
-The certificates read are added to the
-.Vt X509_STORE
-memory cache object associated with the given
-.Fa ctx
-using
-.Xr X509_STORE_add_cert 3 .
-.Pp
-.Fn X509_load_crl_file
-with a
-.Fa type
-of
-.Dv X509_FILETYPE_PEM
-reads one or more certificate revocation lists in PEM format from the given
-.Fa file
-using
-.Xr PEM_read_bio_X509_CRL 3 ;
-with a type of
-.Dv X509_FILETYPE_ASN1 ,
-if reads one certificate revocation lists in DER format using
-.Xr d2i_X509_CRL_bio 3 .
-The certificate revocation lists read are added to the
-.Vt X509_STORE
-memory cache object associated with the given
-.Fa ctx
-using
-.Xr X509_STORE_add_crl 3 .
-.Pp
-.Fn X509_load_cert_crl_file
-with a
-.Fa type
-of
-.Dv X509_FILETYPE_PEM
-read one or more certificates and/or certificate revocation lists
-in PEM format from the given
-.Fa file
-using
-.Xr PEM_X509_INFO_read_bio 3
-and adds them to the
-.Vt X509_STORE
-memory cache object associated with the given
-.Fa ctx
-using
-.Xr X509_STORE_add_cert 3
-and
-.Xr X509_STORE_add_crl 3 ,
-respectively.
-.Pp
-.Fn X509_load_cert_crl_file
-with a
-.Fa type
-of
-.Dv X509_FILETYPE_ASN1
-is equivalent to
-.Fn X509_load_cert_file
-and cannot be used to read a certificate revocation list.
-.Sh RETURN VALUES
-These functions return the number of objects loaded or 0 on error.
-.Sh SEE ALSO
-.Xr d2i_X509_bio 3 ,
-.Xr PEM_read_PrivateKey 3 ,
-.Xr X509_LOOKUP_new 3 ,
-.Xr X509_OBJECT_get0_X509 3 ,
-.Xr X509_STORE_load_locations 3 ,
-.Xr X509_STORE_new 3
-.Sh HISTORY
-.Fn X509_load_cert_file
-first appeared in SSLeay 0.8.0 and
-.Fn X509_load_crl_file
-in SSLeay 0.9.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_load_cert_crl_file
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3
deleted file mode 100644
index 7b62363d4d..0000000000
--- a/src/lib/libcrypto/man/X509_new.3
+++ /dev/null
@@ -1,279 +0,0 @@
-.\" $OpenBSD: X509_new.3,v 1.45 2024/09/02 08:04:32 tb Exp $
-.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016, 2018, 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2006, 2015, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 2 2024 $
-.Dt X509_NEW 3
-.Os
-.Sh NAME
-.Nm X509_new ,
-.Nm X509_dup ,
-.Nm X509_REQ_to_X509 ,
-.Nm X509_free ,
-.Nm X509_up_ref ,
-.Nm X509_chain_up_ref
-.Nd X.509 certificate object
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509 *
-.Fn X509_new void
-.Ft X509 *
-.Fo X509_dup
-.Fa "X509 *a"
-.Fc
-.Ft X509 *
-.Fo X509_REQ_to_X509
-.Fa "X509_REQ *req"
-.Fa "int days"
-.Fa "EVP_PKEY *pkey"
-.Fc
-.Ft void
-.Fo X509_free
-.Fa "X509 *a"
-.Fc
-.Ft int
-.Fo X509_up_ref
-.Fa "X509 *a"
-.Fc
-.Ft STACK_OF(X509) *
-.Fo X509_chain_up_ref
-.Fa "STACK_OF(X509) *chain"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_new
-allocates and initializes an empty
-.Vt X509
-object with reference count 1.
-It represents an ASN.1
-.Vt Certificate
-structure defined in RFC 5280 section 4.1.
-It can hold a public key together with information about the person,
-organization, device, or function the associated private key belongs to.
-.Pp
-.Fn X509_dup
-creates a deep copy of
-.Fa a
-using
-.Xr ASN1_item_dup 3 ,
-setting the reference count of the copy to 1.
-.Pp
-.Fn X509_REQ_to_X509
-allocates a new certificate object, copies the public key from
-.Fa req
-into it, copies the subject name of
-.Fa req
-to both the subject and issuer names of the new certificate, sets the
-.Fa notBefore
-field to the current time and the
-.Fa notAfter
-field to the given number of
-.Fa days
-in the future, and signs the new certificate with
-.Xr X509_sign 3
-using
-.Fa pkey
-and the MD5 algorithm.
-If
-.Fa req
-contains at least one attribute,
-the version of the new certificate is set to 2.
-.Pp
-.Fn X509_free
-decrements the reference count of the
-.Vt X509
-structure
-.Fa a
-and frees it up if the reference count reaches 0.
-If
-.Fa a
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn X509_up_ref
-increments the reference count of
-.Fa a
-by 1.
-This function is useful if a certificate structure is being used
-by several different operations each of which will free it up after
-use: this avoids the need to duplicate the entire certificate
-structure.
-.Pp
-.Fn X509_chain_up_ref
-performs a shallow copy of the given
-.Fa chain
-using
-.Fn sk_X509_dup
-and increments the reference count of each contained certificate
-by 1.
-Its purpose is similar to
-.Fn X509_up_ref :
-The returned chain persists after the original is freed.
-.Sh RETURN VALUES
-.Fn X509_new ,
-.Fn X509_dup ,
-and
-.Fn X509_REQ_to_X509
-return a pointer to the newly allocated object or
-.Dv NULL
-if an error occurs; an error code can be obtained by
-.Xr ERR_get_error 3 .
-.Pp
-.Fn X509_up_ref
-returns 1 for success or 0 for failure.
-.Pp
-.Fn X509_chain_up_ref
-returns the copy of the
-.Fa chain
-or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASIdentifiers_new 3 ,
-.Xr ASRange_new 3 ,
-.Xr AUTHORITY_KEYID_new 3 ,
-.Xr BASIC_CONSTRAINTS_new 3 ,
-.Xr crypto 3 ,
-.Xr d2i_X509 3 ,
-.Xr IPAddressRange_new 3 ,
-.Xr PKCS8_PRIV_KEY_INFO_new 3 ,
-.Xr X509_ALGOR_new 3 ,
-.Xr X509_ATTRIBUTE_new 3 ,
-.Xr X509_check_ca 3 ,
-.Xr X509_check_host 3 ,
-.Xr X509_check_issued 3 ,
-.Xr X509_check_private_key 3 ,
-.Xr X509_check_purpose 3 ,
-.Xr X509_CINF_new 3 ,
-.Xr X509_cmp 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_digest 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_find_by_subject 3 ,
-.Xr X509_get0_notBefore 3 ,
-.Xr X509_get0_signature 3 ,
-.Xr X509_get1_email 3 ,
-.Xr X509_get_ex_new_index 3 ,
-.Xr X509_get_extension_flags 3 ,
-.Xr X509_get_pubkey 3 ,
-.Xr X509_get_pubkey_parameters 3 ,
-.Xr X509_get_serialNumber 3 ,
-.Xr X509_get_subject_name 3 ,
-.Xr X509_get_version 3 ,
-.Xr X509_INFO_new 3 ,
-.Xr X509_load_cert_file 3 ,
-.Xr X509_LOOKUP_hash_dir 3 ,
-.Xr X509_LOOKUP_new 3 ,
-.Xr X509_NAME_new 3 ,
-.Xr X509_OBJECT_new 3 ,
-.Xr X509_PKEY_new 3 ,
-.Xr X509_print_ex 3 ,
-.Xr X509_PUBKEY_new 3 ,
-.Xr X509_PURPOSE_set 3 ,
-.Xr X509_REQ_new 3 ,
-.Xr X509_SIG_new 3 ,
-.Xr X509_sign 3 ,
-.Xr X509_STORE_CTX_new 3 ,
-.Xr X509_STORE_get_by_subject 3 ,
-.Xr X509_STORE_new 3 ,
-.Xr X509v3_addr_add_inherit 3 ,
-.Xr X509v3_addr_get_range 3 ,
-.Xr X509v3_addr_inherits 3 ,
-.Xr X509v3_addr_subset 3 ,
-.Xr X509v3_addr_validate_path 3 ,
-.Xr X509v3_asid_add_id_or_range 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Sh HISTORY
-.Fn X509_new
-and
-.Fn X509_free
-appeared in SSLeay 0.4 or earlier,
-.Fn X509_dup
-in SSLeay 0.4.4, and
-.Fn X509_REQ_to_X509
-in SSLeay 0.6.0 .
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_up_ref
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.1 .
-.Pp
-.Fn X509_chain_up_ref
-first appeared in OpenSSL 1.0.2 and has been available since
-.Ox 6.3 .
-.Sh BUGS
-The X.509 public key infrastructure and its data types contain too
-many design bugs to list them.
-For lots of examples, see the classic
-.Lk https://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt\
- "X.509 Style Guide"
-that
-.An Peter Gutmann
-published in 2000.
diff --git a/src/lib/libcrypto/man/X509_ocspid_print.3 b/src/lib/libcrypto/man/X509_ocspid_print.3
deleted file mode 100644
index b9b6c92fbb..0000000000
--- a/src/lib/libcrypto/man/X509_ocspid_print.3
+++ /dev/null
@@ -1,58 +0,0 @@
-.\" $OpenBSD: X509_ocspid_print.3,v 1.1 2021/08/06 21:45:55 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: August 6 2021 $
-.Dt X509_OCSPID_PRINT 3
-.Os
-.Sh NAME
-.Nm X509_ocspid_print
-.Nd pretty-print hashes of subject name and public key
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_ocspid_print
-.Fa "BIO *bio"
-.Fa "X509 *issuer"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_ocspid_print
-produces human-readable output to
-.Fa bio
-containing hexadecimal representations of SHA-1 hashes of the
-DER-encoded forms of the subject name and the public key of the
-.Fa issuer
-certificate, as these hashes appear in OCSP requests.
-.Sh RETURN VALUES
-.Fn X509_ocspid_print
-returns 1 for success or 0 for failure.
-.Sh EXAMPLES
-This function is used by the
-.Fl ocspid
-flag of the
-.Xr openssl 1
-.Cm x509
-command.
-.Sh SEE ALSO
-.Xr EVP_sha1 3 ,
-.Xr i2d_X509_NAME 3 ,
-.Xr OCSP_cert_to_id 3 ,
-.Xr OCSP_REQUEST_new 3 ,
-.Xr X509_get_pubkey 3 ,
-.Xr X509_get_subject_name 3
-.Sh HISTORY
-.Fn X509_ocspid_print
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/X509_print_ex.3 b/src/lib/libcrypto/man/X509_print_ex.3
deleted file mode 100644
index c769e77c32..0000000000
--- a/src/lib/libcrypto/man/X509_print_ex.3
+++ /dev/null
@@ -1,279 +0,0 @@
-.\" $OpenBSD: X509_print_ex.3,v 1.5 2025/03/09 14:02:46 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 9 2025 $
-.Dt X509_PRINT_EX 3
-.Os
-.Sh NAME
-.Nm X509_print_ex ,
-.Nm X509_CERT_AUX_print ,
-.Nm X509_print_ex_fp ,
-.Nm X509_print ,
-.Nm X509_print_fp
-.Nd pretty-print an X.509 certificate
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_print_ex
-.Fa "BIO *bio"
-.Fa "X509 *x"
-.Fa "unsigned long nameflags"
-.Fa "unsigned long skipflags"
-.Fc
-.Ft int
-.Fo X509_CERT_AUX_print
-.Fa "BIO *bio"
-.Fa "X509_CERT_AUX *aux"
-.Fa "int indent"
-.Fc
-.Ft int
-.Fo X509_print_ex_fp
-.Fa "FILE *fp"
-.Fa "X509 *x"
-.Fa "unsigned long nameflags"
-.Fa "unsigned long skipflags"
-.Fc
-.Ft int
-.Fo X509_print
-.Fa "BIO *bio"
-.Fa "X509 *x"
-.Fc
-.Ft int
-.Fo X509_print_fp
-.Fa "FILE *fp"
-.Fa "X509 *x"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_print_ex
-prints information contained in
-.Fa x
-to
-.Fa bio
-in human-readable form.
-Printing is aborted as soon as any operation fails, with the exception
-that failures while attempting to decode or print the public key,
-the X.509 version 3 extensions, or non-standard auxiliary data are
-not considered as errors.
-.Pp
-By default, the following blocks of information are printed
-in the following order.
-Each block can be skipped by setting the corresponding bit in
-.Fa skipflags ,
-provided in parentheses after each block description.
-.Bl -bullet
-.It
-A pair of lines reading
-.Qq Certificate:\&
-and
-.Qq Data:\&
-containing no information.
-.Pq Dv X509_FLAG_NO_HEADER
-.It
-The certificate version number as defined by the standard,
-followed in parentheses by the value contained in the version field
-in hexadecimal notation.
-See
-.Xr X509_get_version 3
-for details.
-.Pq Dv X509_FLAG_NO_VERSION
-.It
-The serial number of the certificate as returned by
-.Xr X509_get_serialNumber 3 .
-If it is not \-1 and converting it to
-.Vt long
-succeeds, it is printed in both decimal and hexadecimal format.
-If it is \-1, too wide to fit in
-.Vt long ,
-or conversion fails, it is printed byte-by-byte in hexadecimal notation.
-.Pq Dv X509_FLAG_NO_SERIAL
-.It
-The name of the signature algorithm is printed with
-.Xr X509_signature_print 3 .
-.Pq Dv X509_FLAG_NO_SIGNAME
-.It
-The issuer name returned by
-.Xr X509_get_issuer_name 3
-is printed with
-.Xr X509_NAME_print_ex 3 .
-.Pq Dv X509_FLAG_NO_ISSUER
-.It
-The validity period from
-.Xr X509_get_notBefore 3
-to
-.Xr X509_get_notAfter 3
-is printed using
-.Xr ASN1_TIME_print 3 .
-.Pq Dv X509_FLAG_NO_VALIDITY
-.It
-The subject name returned from
-.Xr X509_get_subject_name 3
-is printed with
-.Xr X509_NAME_print_ex 3 .
-.Pq Dv X509_FLAG_NO_SUBJECT
-.It
-The public key algorithm is printed with
-.Xr i2a_ASN1_OBJECT 3 ,
-and the public key returned from
-.Xr X509_get_pubkey 3
-with
-.Xr EVP_PKEY_print_public 3 .
-.Pq Dv X509_FLAG_NO_PUBKEY
-.It
-All X.509 extensions contained in the certificate are printed with
-.Xr X509V3_extensions_print 3 .
-.Pq Dv X509_FLAG_NO_EXTENSIONS
-.It
-The signature is printed with
-.Xr X509_signature_print 3 .
-.Pq Dv X509_FLAG_NO_SIGDUMP
-.It
-Non-standard auxiliary data associated with the certificate is printed
-using the function
-.Fn X509_CERT_AUX_print
-documented below.
-.Pq Dv X509_FLAG_NO_AUX
-.El
-.Pp
-The
-.Fa nameflags
-argument modifies the format for printing X.501
-.Vt Name
-objects contained in
-.Fa x .
-It is passed through to
-.Xr X509_NAME_print_ex 3 .
-If
-.Fa nameflags
-is
-.Dv X509_FLAG_COMPAT ,
-the
-.Fa indent
-argument of
-.Xr X509_NAME_print_ex 3
-is set to 16 spaces and the traditional SSLeay format is used.
-Otherwise, if the only bit set in
-.Dv XN_FLAG_SEP_MASK
-is
-.Dv XN_FLAG_SEP_MULTILINE ,
-.Fa indent
-is set to 12 spaces.
-Otherwise,
-.Fa indent
-is set to zero.
-.Pp
-.Fn X509_CERT_AUX_print
-prints information contained in
-.Fa aux
-to
-.Fa bio
-in human-readable form with a left margin of
-.Fa indent
-spaces.
-If
-.Fa aux
-is
-.Dv NULL ,
-it prints nothing.
-.Pp
-Information is printed in the following order:
-.Bl -bullet
-.It
-Purposes the certificate is intended to be used for as set with
-.Xr X509_add1_trust_object 3 ,
-each printed with
-.Xr OBJ_obj2txt 3 .
-.It
-Purposes the certificate is explicitly
-.Em not
-intended to be used for as set with
-.Xr X509_add1_reject_object 3 ,
-again each printed with
-.Xr OBJ_obj2txt 3 .
-.It
-If
-.Fa aux
-contains data set with
-.Xr X509_alias_set1 3 ,
-the raw bytes are printed in unencoded form.
-.It
-If
-.Fa aux
-contains data set with
-.Xr X509_keyid_set1 3 ,
-the bytes are printed in hexadecimal notation with colons in between.
-.El
-.Pp
-.Fn X509_print_ex_fp
-is similar to
-.Fn X509_print_ex
-except that it prints to
-.Fa fp .
-.Pp
-.Fn X509_print
-and
-.Fn X509_print_fp
-are wrapper functions setting the
-.Fa nameflags
-to
-.Dv XN_FLAG_COMPAT
-and the
-.Fa skipflags
-to
-.Dv X509_FLAG_COMPAT .
-.Sh RETURN VALUES
-.Fn X509_print_ex ,
-.Fn X509_print_ex_fp ,
-.Fn X509_print ,
-and
-.Fn X509_print_fp
-return 1 if all requested information was successfully printed,
-even if failures occurred while attempting to decode or print the
-public key or X.509 version 3 extensions, or 0 if any other operation
-failed.
-.Pp
-.Fn X509_CERT_AUX_print
-always returns 1 and silently ignores write errors.
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr X509_CERT_AUX_new 3 ,
-.Xr X509_CRL_print 3 ,
-.Xr X509_new 3 ,
-.Xr X509_REQ_print_ex 3
-.Sh HISTORY
-.Fn X509_print
-first appeared in SSLeay 0.5.1 and was changed to print to a
-.Vt BIO
-in SSLeay 0.6.0.
-.Fn X509_print_fp
-first appeared in SSLeay 0.6.0.
-Both functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_CERT_AUX_print
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
-.Pp
-.Fn X509_print_ex
-and
-.Fn X509_print_ex_fp
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Sh BUGS
-If arbitrary data was stored into
-.Fa x
-using
-.Xr X509_alias_set1 3 ,
-these functions may print binary data and even NUL bytes.
diff --git a/src/lib/libcrypto/man/X509_sign.3 b/src/lib/libcrypto/man/X509_sign.3
deleted file mode 100644
index 059d92bac5..0000000000
--- a/src/lib/libcrypto/man/X509_sign.3
+++ /dev/null
@@ -1,209 +0,0 @@
-.\" $OpenBSD: X509_sign.3,v 1.11 2024/03/06 02:34:14 tb Exp $
-.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2015, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 6 2024 $
-.Dt X509_SIGN 3
-.Os
-.Sh NAME
-.Nm X509_sign ,
-.Nm X509_sign_ctx ,
-.Nm X509_verify ,
-.Nm X509_REQ_sign ,
-.Nm X509_REQ_sign_ctx ,
-.Nm X509_REQ_verify ,
-.Nm X509_CRL_sign ,
-.Nm X509_CRL_sign_ctx ,
-.Nm X509_CRL_verify
-.Nd sign or verify certificate, certificate request, or CRL signature
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_sign
-.Fa "X509 *x"
-.Fa "EVP_PKEY *pkey"
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo X509_sign_ctx
-.Fa "X509 *x"
-.Fa "EVP_MD_CTX *ctx"
-.Fc
-.Ft int
-.Fo X509_verify
-.Fa "X509 *a"
-.Fa "EVP_PKEY *r"
-.Fc
-.Ft int
-.Fo X509_REQ_sign
-.Fa "X509_REQ *x"
-.Fa "EVP_PKEY *pkey"
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo X509_REQ_sign_ctx
-.Fa "X509_REQ *x"
-.Fa "EVP_MD_CTX *ctx"
-.Fc
-.Ft int
-.Fo X509_REQ_verify
-.Fa "X509_REQ *a"
-.Fa "EVP_PKEY *r"
-.Fc
-.Ft int
-.Fo X509_CRL_sign
-.Fa "X509_CRL *x"
-.Fa "EVP_PKEY *pkey"
-.Fa "const EVP_MD *md"
-.Fc
-.Ft int
-.Fo X509_CRL_sign_ctx
-.Fa "X509_CRL *x"
-.Fa "EVP_MD_CTX *ctx"
-.Fc
-.Ft int
-.Fo X509_CRL_verify
-.Fa "X509_CRL *a"
-.Fa "EVP_PKEY *r"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_sign
-signs the certificate
-.Fa x
-using the private key
-.Fa pkey
-and the message digest
-.Fa md
-and sets the signature in
-.Fa x .
-.Fn X509_sign_ctx
-also signs the certificate
-.Fa x
-but uses the parameters contained in digest context
-.Fa ctx .
-.Pp
-.Fn X509_verify
-verifies the signature of certificate
-.Fa x
-using the public key
-.Fa pkey .
-Only the signature is checked: no other checks (such as certificate
-chain validity) are performed.
-.Pp
-.Fn X509_REQ_sign ,
-.Fn X509_REQ_sign_ctx ,
-.Fn X509_REQ_verify ,
-.Fn X509_CRL_sign ,
-.Fn X509_CRL_sign_ctx ,
-and
-.Fn X509_CRL_verify
-sign and verify certificate requests and CRLs, respectively.
-.Pp
-.Fn X509_sign_ctx
-is used where the default parameters for the corresponding public key
-and digest are not suitable.
-It can be used to sign keys using RSA-PSS for example.
-.Sh RETURN VALUES
-.Fn X509_sign ,
-.Fn X509_sign_ctx ,
-.Fn X509_REQ_sign ,
-.Fn X509_REQ_sign_ctx ,
-.Fn X509_CRL_sign ,
-and
-.Fn X509_CRL_sign_ctx
-return the size of the signature in bytes for success or 0 for failure.
-.Pp
-.Fn X509_verify ,
-.Fn X509_REQ_verify ,
-and
-.Fn X509_CRL_verify
-return 1 if the signature is valid or 0 if the signature check fails.
-If the signature could not be checked at all because it was invalid or
-some other error occurred, then -1 is returned.
-.Pp
-In some cases of failure, the reason can be determined with
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr d2i_X509 3 ,
-.Xr EVP_DigestInit 3 ,
-.Xr X509_CRL_get0_by_serial 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_get_pubkey 3 ,
-.Xr X509_get_subject_name 3 ,
-.Xr X509_get_version 3 ,
-.Xr X509_NAME_add_entry_by_txt 3 ,
-.Xr X509_NAME_ENTRY_get_object 3 ,
-.Xr X509_NAME_get_index_by_NID 3 ,
-.Xr X509_NAME_print_ex 3 ,
-.Xr X509_new 3 ,
-.Xr X509_REQ_new 3 ,
-.Xr X509_verify_cert 3 ,
-.Xr X509V3_get_d2i 3
-.Sh HISTORY
-.Fn X509_verify
-appeared in SSLeay 0.4 or earlier.
-.Fn X509_sign
-and
-.Fn X509_REQ_sign
-first appeared in SSLeay 0.4.4.
-.Fn X509_REQ_verify
-and
-.Fn X509_CRL_verify
-first appeared in SSLeay 0.4.5b.
-.Fn X509_CRL_sign
-first appeared in SSLeay 0.5.1.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_sign_ctx ,
-.Fn X509_REQ_sign_ctx ,
-and
-.Fn X509_CRL_sign_ctx
-first appeared in OpenSSL 1.0.1 and have been available since
-.Ox 5.3 .
diff --git a/src/lib/libcrypto/man/X509_signature_dump.3 b/src/lib/libcrypto/man/X509_signature_dump.3
deleted file mode 100644
index 3333a615bf..0000000000
--- a/src/lib/libcrypto/man/X509_signature_dump.3
+++ /dev/null
@@ -1,85 +0,0 @@
-.\" $OpenBSD: X509_signature_dump.3,v 1.3 2024/12/06 12:51:13 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt X509_SIGNATURE_DUMP 3
-.Os
-.Sh NAME
-.Nm X509_signature_dump ,
-.Nm X509_signature_print
-.Nd pretty-print ASN.1 strings
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_signature_dump
-.Fa "BIO *bio"
-.Fa "const ASN1_STRING *signature"
-.Fa "int indent"
-.Fc
-.Ft int
-.Fo X509_signature_print
-.Fa "BIO *bio"
-.Fa "const X509_ALGOR *algorithm"
-.Fa "const ASN1_STRING *signature"
-.Fc
-.Sh DESCRIPTION
-.Fn X509_signature_dump
-writes the data bytes contained in the
-.Fa signature
-to
-.Fa bio
-in hexadecimal format with colons between bytes,
-18 bytes per output line, each line indented with
-.Fa indent
-space characters.
-.Pp
-.Fn X509_signature_print
-writes the name of the signature
-.Fa algorithm ,
-or, if no name for it is known, its object identifier (OID) to
-.Fa bio
-using
-.Xr i2a_ASN1_OBJECT 3 .
-After that, if a method object for the algorithm can be retrieved with
-.Xr EVP_PKEY_asn1_find 3
-and if that object defines a printing method, that printing method is
-used to print the
-.Fa signature .
-Otherwise, unless the
-.Fa signature
-is
-.Dv NULL ,
-it is printed using
-.Fn X509_signature_dump .
-.Sh RETURN VALUES
-These functions return 1 on success or 0 on failure.
-They fail and return as soon as any write operation fails.
-.Sh SEE ALSO
-.Xr ASN1_STRING_new 3 ,
-.Xr ASN1_STRING_print_ex 3 ,
-.Xr BIO_new 3 ,
-.Xr EVP_PKEY_asn1_find 3 ,
-.Xr OBJ_find_sigid_algs 3 ,
-.Xr X509_ALGOR_new 3 ,
-.Xr X509_get0_signature 3
-.Sh HISTORY
-.Fn X509_signature_print
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
-.Pp
-.Fn X509_signature_dump
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
diff --git a/src/lib/libcrypto/man/X509_verify_cert.3 b/src/lib/libcrypto/man/X509_verify_cert.3
deleted file mode 100644
index 9c085d7780..0000000000
--- a/src/lib/libcrypto/man/X509_verify_cert.3
+++ /dev/null
@@ -1,93 +0,0 @@
-.\"     $OpenBSD: X509_verify_cert.3,v 1.8 2019/06/06 01:06:59 schwarze Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2009, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 6 2019 $
-.Dt X509_VERIFY_CERT 3
-.Os
-.Sh NAME
-.Nm X509_verify_cert
-.Nd discover and verify X509 certificate chain
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509_verify_cert
-.Fa "X509_STORE_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-The
-.Fn X509_verify_cert
-function attempts to discover and validate a certificate chain based on
-parameters in
-.Fa ctx .
-.Pp
-Applications rarely call this function directly, but it is used by
-OpenSSL internally for certificate validation, in both the S/MIME and
-SSL/TLS code.
-.Sh RETURN VALUES
-If a complete chain can be built and validated this function returns 1,
-otherwise it returns a value <= 0 indicating failure.
-.Pp
-Additional error information can be obtained by examining
-.Fa ctx ,
-using
-.Xr X509_STORE_CTX_get_error 3 .
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr X509_STORE_CTX_get_error 3 ,
-.Xr X509_STORE_CTX_new 3
-.Sh HISTORY
-.Fn X509_verify_cert
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
-.Sh BUGS
-This function uses the header
-.In openssl/x509.h
-as opposed to most chain verification functions which use
-.In openssl/x509_vfy.h .
diff --git a/src/lib/libcrypto/man/X509v3_addr_add_inherit.3 b/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
deleted file mode 100644
index 4b2d150c86..0000000000
--- a/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
+++ /dev/null
@@ -1,475 +0,0 @@
-.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.11 2023/10/01 22:46:21 tb Exp $
-.\"
-.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 1 2023 $
-.Dt X509V3_ADDR_ADD_INHERIT 3
-.Os
-.Sh NAME
-.Nm X509v3_addr_add_inherit ,
-.Nm X509v3_addr_add_prefix ,
-.Nm X509v3_addr_add_range ,
-.Nm X509v3_addr_canonize ,
-.Nm X509v3_addr_is_canonical
-.Nd RFC 3779 IP address delegation extensions
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft int
-.Fo X509v3_addr_add_inherit
-.Fa "IPAddrBlocks *addrblocks"
-.Fa "const unsigned afi"
-.Fa "const unsigned *safi"
-.Fc
-.Ft int
-.Fo X509v3_addr_add_prefix
-.Fa "IPAddrBlocks *addrblocks"
-.Fa "const unsigned afi"
-.Fa "const unsigned *safi"
-.Fa "unsigned char *prefix"
-.Fa "const int prefixlen"
-.Fc
-.Ft int
-.Fo X509v3_addr_add_range
-.Fa "IPAddrBlocks *addrblocks"
-.Fa "const unsigned afi"
-.Fa "const unsigned *safi"
-.Fa "unsigned char *min"
-.Fa "unsigned char *max"
-.Fc
-.Ft int
-.Fo X509v3_addr_canonize
-.Fa "IPAddrBlocks *addrblocks"
-.Fc
-.Ft int
-.Fo X509v3_addr_is_canonical
-.Fa "IPAddrBlocks *addrblocks"
-.Fc
-.Sh DESCRIPTION
-An
-.Vt IPAddrBlocks
-object represents the content of
-an IP address delegation extension
-as defined in RFC 3779, section 2.2.3.1.
-It holds lists of IP address prefixes and IP address ranges
-delegated from the issuer to the subject of the certificate.
-It can be instantiated as explained in the EXAMPLES section
-and its internals are documented in
-.Xr IPAddressRange_new 3 .
-.Pp
-Each list in a well-formed
-.Vt IPAddrBlocks
-object is uniquely identified by
-an address family identifier (AFI) and
-an optional subsequent address family identifier (SAFI).
-Lists can be absent or can contain an
-.Dq inherit
-marker to indicate that the resources are to be inherited
-from the corresponding list of the issuer certificate.
-.Pp
-Per specification, an AFI is an unsigned 16-bit integer and
-a SAFI is an unsigned 8-bit integer.
-For IPv4 and IPv6 there are the predefined constants
-.Dv IANA_AFI_IPV4
-and
-.Dv IANA_AFI_IPV6 ,
-which should be the only values used for
-.Fa afi
-in this API.
-In practice,
-.Fa safi
-is always NULL.
-.Fa afi
-is generally silently truncated to its lowest 16 bits and, if
-.Fa safi
-is non-NULL,
-only the lowest 8 bits of the value pointed at are used.
-.Pp
-.Fn X509v3_addr_add_inherit
-adds a list with an
-.Dq inherit
-marker to
-.Fa addrblocks .
-If a list corresponding to
-.Fa afi
-and
-.Fa safi
-already exists, no action occurs if it is marked
-.Dq inherit ,
-otherwise the call fails.
-.Pp
-.Fn X509v3_addr_add_prefix
-adds a newly allocated internal representation of the
-.Fa prefix
-of length
-.Fa prefixlen
-to the list corresponding to
-.Fa afi
-and the optional
-.Fa safi
-in
-.Fa addrblocks .
-If no such list exists, it is created first.
-If the list exists and is marked
-.Dq inherit ,
-the call fails.
-.Fa prefix
-is expected to be a byte array in network byte order.
-It should point at enough memory to accommodate
-.Fa prefixlen
-bits and it is recommended that all the bits not covered by the
-.Fa prefixlen
-be set to 0.
-It is the caller's responsibility to ensure that the
-.Fa prefix
-has no address in common with any of
-the prefixes or ranges already in the list.
-If
-.Fa afi
-is
-.Dv IANA_AFI_IPV4 ,
-.Fa prefixlen
-should be between 0 and 32 (inclusive) and if
-.Fa afi
-is
-.Dv IANA_AFI_IPV6 ,
-.Fa prefixlen
-should be between 0 and 128 (inclusive).
-.Pp
-.Fn X509v3_addr_add_range
-is similar to
-.Fn X509v3_addr_add_prefix
-for the closed interval of IP addresses between
-.Fa min
-and
-.Fa max
-in network presentation.
-If
-.Fa afi
-is
-.Dv IANA_AFI_IPV4 ,
-.Fa min
-and
-.Fa max
-should point at 4 bytes of memory
-and if
-.Fa afi
-is
-.Dv IANA_AFI_IPV6 ,
-.Fa min
-and
-.Fa max
-should point at 16 bytes of memory.
-In case the range of IP addresses between
-.Fa min
-and
-.Fa max
-is a prefix, a prefix will be added instead of a range.
-It is the caller's responsibility to ensure that
-.Fa min
-is less than or equal to
-.Fa max
-and that it does not contain any address already present
-in the list.
-Failure to do so will result in a subsequent failure of
-.Fn X509v3_addr_canonize .
-.Pp
-.Fn X509v3_addr_canonize
-attempts to bring the
-.Pf non- Dv NULL
-.Fa addrblocks
-into canonical form.
-An
-.Vt IPAddrBlocks
-object is said to be in canonical form if it conforms
-to the ordering specified in RFC 3779:
-section 2.2.3.3 requires that
-the list of lists be sorted first by increasing
-.Fa afi
-and then by increasing
-.Fa safi ,
-where NULL is the minimal SAFI;
-section 2.2.3.6 requires that each list be in minimal form and sorted.
-The minimality requirement is that all adjacent prefixes
-and ranges must be merged into a single range and that each
-range must be expressed as a prefix, if possible.
-In particular, any given address can be in at most one list entry.
-The order is by increasing minimal IP address in network byte order.
-.Pp
-.Fn X509v3_addr_is_canonical
-indicates whether
-.Fa addrblocks
-is in canonical form.
-.Sh RETURN VALUES
-All these functions return 1 on success and 0 on failure.
-Memory allocation failure is one possible reason for all of them.
-Sometimes an error code can be obtained by
-.Xr ERR_get_error 3 .
-.Pp
-.Fn X509v3_addr_add_inherit
-fails if the list corresponding to
-.Fa afi
-and the optional
-.Fa safi
-already exists and is not marked
-.Dq inherit .
-.Pp
-.Fn X509v3_addr_add_prefix
-and
-.Fn X509v3_addr_add_range
-fail if a list corresponding to
-.Fa afi
-and the optional
-.Fa safi
-already exists and is marked
-.Dq inherit ,
-or if
-.Fa prefixlen
-is outside the interval [0,32] for IPv4 addresses
-or [0,128] for IPv6 addresses.
-.Pp
-.Fn X509v3_addr_canonize
-fails if one of the lists in
-.Fa addrblocks
-is malformed,
-in particular if it contains corrupt, overlapping,
-or duplicate entries.
-Corruption includes ranges where
-.Fa max
-is strictly smaller than
-.Fa min .
-The error conditions are generally indistinguishable.
-.Pp
-.Fn X509v3_addr_is_canonical
-returns 1 if
-.Fa addrblocks
-is in canonical form.
-A return value of 0 can indicate non-canonical form or a corrupted list.
-.Sh EXAMPLES
-Construct the first extension from RFC 3779, Appendix B.
-.Bd -literal
-#include <sys/socket.h>
-#include <arpa/inet.h>
-
-#include <err.h>
-#include <stdio.h>
-#include <unistd.h>
-
-#include <openssl/asn1.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-const char *prefixes[] = {
-        "10.0.32/20", "10.0.64/24", "10.1/16",
-        "10.2.48/20", "10.2.64/24", "10.3/16",
-};
-#define N_PREFIXES (sizeof(prefixes) / sizeof(prefixes[0]))
-
-static void
-hexdump(const unsigned char *buf, size_t len)
-{
-        size_t i;
-
-        for (i = 1; i <= len; i++)
-                printf(" 0x%02x,%s", buf[i \- 1], i % 8 ? "" : "\en");
-        if (len % 8)
-                printf("\en");
-}
-
-int
-main(void)
-{
-        IPAddrBlocks *addrblocks;
-        X509_EXTENSION *ext;
-        unsigned char *der;
-        int der_len;
-        size_t i;
-
-        if (pledge("stdio", NULL) == \-1)
-                err(1, "pledge");
-
-        /*
-         * Somebody forgot to implement IPAddrBlocks_new().  IPAddrBlocks
-         * is the same as STACK_OF(IPAddressFamily).  As such, it should
-         * have IPAddressFamily_cmp() as its comparison function.  It is
-         * not possible to call sk_new(3) because IPAddressFamily_cmp()
-         * is not part of the public API.  The correct comparison function
-         * can be installed as a side-effect of X509v3_addr_canonize(3).
-         */
-        if ((addrblocks = sk_IPAddressFamily_new_null()) == NULL)
-                err(1, "sk_IPAddressFamily_new_null");
-        if (!X509v3_addr_canonize(addrblocks))
-                errx(1, "X509v3_addr_canonize");
-
-        /* Add the prefixes as IPv4 unicast. */
-        for (i = 0; i < N_PREFIXES; i++) {
-                unsigned char addr[16] = {0};
-                int len;
-                int unicast = 1; /* SAFI for unicast forwarding. */
-
-                len = inet_net_pton(AF_INET, prefixes[i], addr,
-                    sizeof(addr));
-                if (len == \-1)
-                        errx(1, "inet_net_pton(%s)", prefixes[i]);
-                if (!X509v3_addr_add_prefix(addrblocks, IANA_AFI_IPV4,
-                    &unicast, addr, len))
-                        errx(1, "X509v3_addr_add_prefix(%s)", prefixes[i]);
-        }
-        if (!X509v3_addr_add_inherit(addrblocks, IANA_AFI_IPV6, NULL))
-                errx(1, "X509v3_addr_add_inherit");
-
-        /*
-         * Ensure the extension is in canonical form.  Otherwise the two
-         * adjacent prefixes 10.2.48/20 and 10.2.64/24 are not merged into
-         * the range 10.2.48.0--10.2.64.255.  This results in invalid DER
-         * encoding from X509V3_EXT_i2d(3) and i2d_X509_EXTENSION(3).
-         */
-        if (!X509v3_addr_canonize(addrblocks))
-                errx(1, "X509v3_addr_canonize");
-
-        /* Create the extension with the correct OID; mark it critical. */
-        ext = X509V3_EXT_i2d(NID_sbgp_ipAddrBlock, 1, addrblocks);
-        if (ext == NULL)
-                errx(1, "X509V3_EXT_i2d");
-
-        der = NULL;
-        if ((der_len = i2d_X509_EXTENSION(ext, &der)) <= 0)
-                errx(1, "i2d_X509_EXTENSION");
-
-        hexdump(der, der_len);
-
-        /* One way of implementing IPAddrBlocks_free(). */
-        sk_IPAddressFamily_pop_free(addrblocks, IPAddressFamily_free);
-        X509_EXTENSION_free(ext);
-        free(der);
-
-        return 0;
-}
-.Ed
-.Pp
-Implement the missing public API
-.Fn d2i_IPAddrBlocks
-and
-.Fn i2d_IPAddrBlocks
-using
-.Xr ASN1_item_d2i 3 :
-.Bd -literal
-IPAddrBlocks *
-d2i_IPAddrBlocks(IPAddrBlocks **addrblocks, const unsigned char **in,
-    long len)
-{
-        const X509V3_EXT_METHOD *v3_addr;
-
-        if ((v3_addr = X509V3_EXT_get_nid(NID_sbgp_ipAddrBlock)) == NULL)
-                return NULL;
-        return (IPAddrBlocks *)ASN1_item_d2i((ASN1_VALUE **)addrblocks,
-            in, len, ASN1_ITEM_ptr(v3_addr\->it));
-}
-
-int
-i2d_IPAddrBlocks(IPAddrBlocks *addrblocks, unsigned char **out)
-{
-        const X509V3_EXT_METHOD *v3_addr;
-
-        if ((v3_addr = X509V3_EXT_get_nid(NID_sbgp_ipAddrBlock)) == NULL)
-                return \-1;
-        return ASN1_item_i2d((ASN1_VALUE *)addrblocks, out,
-            ASN1_ITEM_ptr(v3_addr\->it));
-}
-.Ed
-.Pp
-The use of the undocumented macro
-.Dv ASN1_ITEM_ptr()
-is necessary if compatibility with modern versions of other implementations
-is desired.
-.Sh SEE ALSO
-.Xr ASIdentifiers_new 3 ,
-.Xr crypto 3 ,
-.Xr inet_net_ntop 3 ,
-.Xr inet_ntop 3 ,
-.Xr IPAddressRange_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509v3_addr_get_range 3 ,
-.Xr X509v3_addr_validate_path 3 ,
-.Xr X509v3_asid_add_id_or_range 3
-.Sh STANDARDS
-RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
-.Bl -dash -compact
-.It
-section 2: IP Address delegation extension
-.El
-.Pp
-RFC 7020: The Internet Numbers Registry System
-.Pp
-RFC 7249: Internet Number Registries
-.Pp
-.Rs
-.%T Address Family Numbers
-.%U https://www.iana.org/assignments/address\-family\-numbers
-.Re
-.Pp
-.Rs
-.%T Subsequent Address Family Identifiers (SAFI) Parameters
-.%U https://www.iana.org/assignments/safi\-namespace
-.Re
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8e
-and have been available since
-.Ox 7.1 .
-.Sh BUGS
-.Fn IPAddrBlocks_new ,
-.Fn IPAddrBlocks_free ,
-.Fn d2i_IPAddrBlocks ,
-and
-.Fn i2d_IPAddrBlocks
-do not exist and
-.Fa IPAddrBlocks_it
-is not public.
-The above examples show how to implement the four missing functions
-with public API.
-.Pp
-.Fn X509v3_addr_add_range
-should check for inverted range bounds and overlaps
-on insertion and fail instead of creating a nonsensical
-.Fa addrblocks
-that fails to be canonized by
-.Fn X509v3_addr_canonize .
-.Pp
-If
-.Dv NULL
-is passed to
-.Xr X509v3_asid_canonize 3 ,
-it succeeds.
-.Fn X509v3_addr_is_canonical
-considers
-.Dv NULL
-to be a canonical
-.Vt IPAddrBlocks .
-In contrast,
-.Fn X509v3_addr_canonize
-crashes with a
-.Dv NULL
-dereference.
-.Pp
-The code only supports the IPv4 and IPv6 AFIs.
-This is not consistently enforced across implementations.
-.Pp
-.Fn X509v3_addr_add_range
-fails to clear the unused bits set to 1 in the last octet of
-the
-.Vt ASN1_BIT_STRING
-representation of
-.Fa max .
-This confuses some software.
diff --git a/src/lib/libcrypto/man/X509v3_addr_get_range.3 b/src/lib/libcrypto/man/X509v3_addr_get_range.3
deleted file mode 100644
index e0d83b1162..0000000000
--- a/src/lib/libcrypto/man/X509v3_addr_get_range.3
+++ /dev/null
@@ -1,132 +0,0 @@
-.\" $OpenBSD: X509v3_addr_get_range.3,v 1.2 2023/09/30 14:12:40 schwarze Exp $
-.\"
-.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 30 2023 $
-.Dt X509V3_ADDR_GET_RANGE 3
-.Os
-.Sh NAME
-.Nm X509v3_addr_get_afi ,
-.Nm X509v3_addr_get_range
-.Nd parse helpers for the IP address delegation extension
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft unsigned
-.Fn X509v3_addr_get_afi "const IPAddressFamily *af"
-.Ft int
-.Fo X509v3_addr_get_range
-.Fa "IPAddressOrRange *aor"
-.Fa "const unsigned afi"
-.Fa "unsigned char *min"
-.Fa "unsigned char *max"
-.Fa "const int length"
-.Fc
-.Sh DESCRIPTION
-.Fn X509v3_addr_get_afi
-returns the address family identifier (AFI) of
-.Fa af .
-.Pp
-.Fn X509v3_addr_get_range
-converts the minimum and maximum addresses in
-the address prefix or range
-.Fa aor
-from internal encoding to IP addresses in network byte order
-and places copies in the arrays
-.Fa min
-and
-.Fa max ,
-of size
-.Fa length .
-The
-.Fa length
-must be large enough to accommodate an address for
-.Fa afi ,
-which is at least 4 for
-.Dv IANA_AFI_IPV4
-and at least 16 for
-.Dv IANA_AFI_IPV6 .
-.Sh RETURN VALUES
-.Fn X509v3_addr_get_afi
-returns the AFI encoded in
-.Fa af
-or 0 if
-.Fa af
-does not contain a valid AFI, or if the AFI is not IPv4 or IPv6.
-.Pp
-.Fn X509v3_addr_get_range
-returns the number of bytes copied into
-.Fa min
-and
-.Fa max
-or 0 on error.
-An error occurs if
-.Fa aor
-is malformed, if
-.Fa afi
-is not
-.Dv IANA_AFI_IPV4
-or
-.Dv IANA_AFI_IPV6 ,
-if either
-.Fa min
-or
-.Fa max
-is
-.Dv NULL ,
-or if
-.Fa length
-is smaller than 4 or 16, respectively.
-.Sh SEE ALSO
-.Xr crypto 3 ,
-.Xr inet_ntop 3 ,
-.Xr IPAddressRange_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509v3_addr_add_inherit 3
-.Sh STANDARDS
-RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
-.Bl -dash -compact
-.It
-section 2: IP Address delegation extension
-.It
-section 2.2.3.3: Element addressFamily
-.It
-section 2.2.3.7: Type IPAddressOrRange
-.It
-section 2.2.3.8: Element addressPrefix and Type IPAddress
-.El
-.Pp
-.Rs
-.%T Address Family Numbers
-.%U https://www.iana.org/assignments/address-family-numbers
-.Re
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8e
-and have been available since
-.Ox 7.1 .
-.Sh BUGS
-There is no accessor for the SAFI of
-.Fa af .
-.Pp
-An error from
-.Fn X509v3_addr_get_afi
-is indistinguishable from the reserved AFI 0 being set on
-.Fa af .
-.Pp
-It is not entirely clear how a caller is supposed to obtain an
-.Vt IPAddressFamily
-object or an
-.Vt IPAddressOrRange
-object without reaching into various structs documented in
-.Xr IPAddressRange_new 3 .
diff --git a/src/lib/libcrypto/man/X509v3_addr_inherits.3 b/src/lib/libcrypto/man/X509v3_addr_inherits.3
deleted file mode 100644
index 8e3cecf7ae..0000000000
--- a/src/lib/libcrypto/man/X509v3_addr_inherits.3
+++ /dev/null
@@ -1,104 +0,0 @@
-.\" $OpenBSD: X509v3_addr_inherits.3,v 1.3 2023/09/30 14:21:57 schwarze Exp $
-.\"
-.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 30 2023 $
-.Dt X509V3_ADDR_INHERITS 3
-.Os
-.Sh NAME
-.Nm X509v3_addr_inherits ,
-.Nm X509v3_asid_inherits
-.Nd RFC 3779 inheritance
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft int
-.Fn X509v3_addr_inherits "IPAddrBlocks *addrblocks"
-.Ft int
-.Fn X509v3_asid_inherits "ASIdentifiers *asids"
-.Sh DESCRIPTION
-.Fn X509v3_addr_inherits
-determines if there is at least one address family in
-.Fa addrblocks
-that uses inheritance.
-.Pp
-.Fn X509v3_asid_inherits
-is intended to determine if at least one of
-the list of autonomous system numbers or
-the list of routing domain identifiers
-uses inheritance.
-.Sh RETURN VALUES
-.Fn X509v3_addr_inherits
-returns 1 if and only if
-.Fa addrblocks
-contains at least one
-.Fa IPAddressFamily
-object that is correctly marked
-.Dq inherit :
-its
-.Fa IPAddressChoice
-is of
-.Fa type
-.Dv IPAddressChoice_inherit
-and its
-.Fa inherit
-element is present.
-Otherwise it returns 0.
-.Pp
-.Fn X509v3_asid_inherits
-returns 1 if and only if
-at least one of the
-.Fa asnum
-or the
-.Fa rdi
-lists has
-.Fa type
-.Dv ASIdentifierChoice_inherit .
-Otherwise it returns 0.
-.Sh SEE ALSO
-.Xr ASIdentifiers_new 3 ,
-.Xr ASRange_new 3 ,
-.Xr crypto 3 ,
-.Xr IPAddressRange_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509v3_addr_add_inherit 3 ,
-.Xr X509v3_asid_add_inherit 3
-.Sh STANDARDS
-RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
-.Bl -dash -compact
-.It
-section 2: IP Address delegation extension
-.It
-section 2.2.3.5: Element inherit
-.It
-section 3: AS identifiers delegation extension
-.It
-section 3.2.3.3: Element inherit
-.El
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8e
-and have been available since
-.Ox 7.1 .
-.Sh BUGS
-.Fn X509v3_asid_inherits
-ignores whether the
-.Fa inherit
-element is present or absent in the list that is considered to use inheritance.
-.Pp
-There is no API that determines whether all lists contained in an
-.Vt ASIdentifiers
-or an
-.Vt IPAddrBlocks
-object inherit.
-See RFC 9287, 5.1.2 for an example where this is relevant.
diff --git a/src/lib/libcrypto/man/X509v3_addr_subset.3 b/src/lib/libcrypto/man/X509v3_addr_subset.3
deleted file mode 100644
index 93714a26fa..0000000000
--- a/src/lib/libcrypto/man/X509v3_addr_subset.3
+++ /dev/null
@@ -1,176 +0,0 @@
-.\" $OpenBSD: X509v3_addr_subset.3,v 1.2 2023/09/30 14:24:00 schwarze Exp $
-.\"
-.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 30 2023 $
-.Dt X509V3_ADDR_SUBSET 3
-.Os
-.Sh NAME
-.Nm X509v3_addr_subset ,
-.Nm X509v3_asid_subset
-.Nd RFC 3779 subset relationship
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft int
-.Fn X509v3_addr_subset "IPAddrBlocks *child" "IPAddrBlocks *parent"
-.Ft int
-.Fn X509v3_asid_subset "ASIdentifiers *child" "ASIdentifiers *parent"
-.Sh DESCRIPTION
-.Fn X509v3_addr_subset
-determines if all IP address resources present in
-.Fa child
-are contained in the corresponding resources in
-.Fa parent .
-.Pp
-The implementation assumes but does not ensure that both
-.Fa child
-and
-.Fa parent
-are in canonical form as described in
-.Xr X509v3_addr_is_canonical 3 .
-In particular, both
-.Fa child
-and
-.Fa parent
-are sorted appropriately and they contain at most one
-.Vt IPAddressFamily
-object per address family identifier (AFI) and optional
-subsequent address family identifier (SAFI).
-.Pp
-The checks are, in order:
-.Bl -enum
-.It
-If
-.Fa child
-is
-.Dv NULL
-or identical to
-.Fa parent
-then
-.Fa child
-is a subset of
-.Fa parent .
-In particular, a
-.Dv NULL
-.Fa parent
-is allowed for a
-.Dv NULL
-.Fa child .
-.It
-If
-.Fa parent
-is
-.Dv NULL
-then
-.Fa child
-is not a subset of
-.Fa parent .
-.It
-If
-.Xr X509v3_addr_inherits 3
-determines that
-.Fa child
-inherits or that
-.Fa parent
-inherits
-then
-.Fa child
-is not a subset of
-.Fa parent .
-.It
-Each address prefix or range in
-.Fa child
-must be a subset of an address prefix or range in the
-.Fa parent ,
-taking AFI and optional SAFI into account:
-.Bl -bullet -compact
-.It
-For each
-.Vt IPAddressFamily
-of
-.Fa child
-there must be an
-.Vt IPAddressFamily
-of
-.Fa parent
-with the same AFI and optional SAFI.
-.It
-Since the address prefixes and ranges in corresponding
-.Vt IPAddressFamily
-objects in
-.Fa child
-and
-.Fa parent
-are sorted in ascending order,
-and do not overlap,
-they can be traversed simultaneously in linear time.
-For each prefix or range in
-.Fa child
-there must be a prefix or range in
-.Fa parent
-whose minimal address is smaller
-and whose maximal address is larger.
-.El
-If any of these steps fails,
-.Fa child
-is not a subset of
-.Fa parent .
-.El
-.Pp
-.Fn X509v3_asid_subset
-determines if all AS identifier resources in
-.Fa child
-are contained in the corresponding resources in
-.Fa parent .
-.Pp
-The description for
-.Fn X509v3_addr_subset
-applies mutatis mutandis.
-In particular,
-.Fa child
-and
-.Fa parent
-must be in canonical form per
-.Xr X509v3_asid_is_canonical 3 ,
-but this is not enforced.
-.Sh RETURN VALUES
-.Fn X509v3_addr_subset
-and
-.Fn X509v3_asid_subset
-return 1 if and only if
-.Fa child
-is a subset of
-.Fa parent ,
-otherwise they return 0.
-If both
-.Fa child
-and
-.Fa parent
-are in canonical form,
-these functions cannot fail.
-.Sh SEE ALSO
-.Xr ASIdentifiers_new 3 ,
-.Xr ASRange_new 3 ,
-.Xr crypto 3 ,
-.Xr IPAddressRange_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509v3_addr_add_inherit 3 ,
-.Xr X509v3_asid_add_inherit 3
-.Sh STANDARDS
-RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers.
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8e
-and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/X509v3_addr_validate_path.3 b/src/lib/libcrypto/man/X509v3_addr_validate_path.3
deleted file mode 100644
index fe6065d599..0000000000
--- a/src/lib/libcrypto/man/X509v3_addr_validate_path.3
+++ /dev/null
@@ -1,203 +0,0 @@
-.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.5 2023/09/30 19:07:38 tb Exp $
-.\"
-.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 30 2023 $
-.Dt X509V3_ADDR_VALIDATE_PATH 3
-.Os
-.Sh NAME
-.Nm X509v3_addr_validate_path ,
-.Nm X509v3_addr_validate_resource_set ,
-.Nm X509v3_asid_validate_path ,
-.Nm X509v3_asid_validate_resource_set
-.Nd RFC 3779 path validation for IP address and AS number delegation
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft int
-.Fn X509v3_addr_validate_path "X509_STORE_CTX *ctx"
-.Ft int
-.Fo X509v3_addr_validate_resource_set
-.Fa "STACK_OF(X509) *chain"
-.Fa "IPAddrBlocks *addrblocks"
-.Fa "int allow_inherit"
-.Fc
-.Ft int
-.Fn X509v3_asid_validate_path "X509_STORE_CTX *ctx"
-.Ft int
-.Fo X509v3_asid_validate_resource_set
-.Fa "STACK_OF(X509) *chain"
-.Fa "ASIdentifiers *asid"
-.Fa "int allow_inherit"
-.Fc
-.Sh DESCRIPTION
-Both RFC 3779 extensions require additional checking in the certification
-path validation.
-.Bl -enum
-.It
-The initial set of allowed IP address and AS number resources is defined in
-the trust anchor, where inheritance is not allowed.
-.It
-An issuer may only delegate subsets of resources present in its
-RFC 3779 extensions or subsets of resources inherited from its issuer.
-.It
-If an RFC 3779 extension is present in a certificate,
-the same type of extension must also be present in its issuer.
-.It
-All RFC 3779 extensions
-appearing in the validation path must be in canonical form
-according to
-.Xr X509v3_addr_is_canonical 3
-and
-.Xr X509v3_asid_is_canonical 3 .
-.El
-.Pp
-.Fn X509v3_addr_validate_path
-and
-.Fn X509v3_asid_validate_path
-are called from
-.Xr X509_verify_cert 3
-as part of the verification chain building.
-On encountering an error or a violation of the above rules,
-.Fa error ,
-.Fa error_depth ,
-and
-.Fa current_cert
-are set on
-.Fa ctx
-and the verify callback is called with
-.Fa ok
-set to 0.
-.Dv X509_V_ERR_INVALID_EXTENSION
-indicates a non-canonical resource,
-.Dv X509_V_ERR_UNNESTED_RESOURCE
-indicates a violation of the other rules above.
-In rare circumstances, the error can be
-.Dv X509_V_ERR_UNSPECIFIED
-and for IP address resources
-.Dv X509_V_ERR_OUT_OF_MEM
-is also possible.
-.Pp
-.Fn X509v3_addr_validate_resource_set
-validates the resources in
-.Fa addrblocks
-against a specific certificate
-.Fa chain .
-After checking that
-.Fa addrblocks
-is canonical, its IP addresses are checked to be covered in
-the certificate at depth 0,
-then the chain is walked all the way to the trust anchor
-until an error or a violation of the above rules is encountered.
-.Fa addrblocks
-is allowed to use inheritance according to
-.Xr X509v3_addr_inherits 3
-if and only if
-.Fa allow_inherit
-is non-zero.
-.Pp
-.Fn X509v3_asid_validate_resource_set
-performs similar checks as
-.Fn X509v3_addr_validate_resource_set
-for
-.Fa asid .
-.Sh RETURN VALUES
-All these functions return 1 on successful validation and 0 otherwise.
-.Pp
-For
-.Fn X509v3_addr_validate_path
-and
-.Fn X509v3_asid_validate_path
-a non-empty
-.Fa chain
-and a
-.Fa verify_cb
-must be present on
-.Fa ctx ,
-otherwise they fail and set the
-.Fa error
-on
-.Fa ctx
-to
-.Dv X509_V_ERR_UNSPECIFIED .
-The
-.Fa verify_cb
-is called with the error codes described above
-on most errors encountered during validation.
-Some malformed extensions can lead to an error
-that cannot be intercepted by the callback.
-With the exception of an allocation error,
-no error codes are set on the error stack.
-.Pp
-.Fn X509v3_addr_validate_resource_set
-accepts a
-.Dv NULL
-.Fa addrblocks
-and
-.Fn X509v3_asid_validate_resource_set
-accepts a
-.Dv NULL
-.Fa asid
-as valid.
-They fail if
-.Fa chain
-is
-.Dv NULL
-or empty.
-If
-.Fa allow_inherit
-is 0,
-.Fa addrblocks
-or
-.Fa asid
-is checked for inheritance with
-.Xr X509v3_addr_inherits 3
-or
-.Xr X509v3_asid_inherits 3 .
-The remaining failure cases are the same as for
-.Fn X509v3_addr_validate_path
-and
-.Fn X509v3_asid_validate_path .
-They cannot and do not attempt to communicate
-the cause of the error to the caller.
-.Sh SEE ALSO
-.Xr ASIdentifiers_new 3 ,
-.Xr crypto 3 ,
-.Xr IPAddressRange_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_STORE_CTX_get_error 3 ,
-.Xr X509_verify_cert 3 ,
-.Xr X509v3_addr_add_inherit 3 ,
-.Xr X509v3_addr_inherits 3 ,
-.Xr X509v3_asid_add_id_or_range 3
-.Sh STANDARDS
-RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers:
-.Bl -dash -compact
-.It
-section 2.3: IP Address Delegation Extension Certification Path Validation
-.It
-section 3.3: Autonomous System Identifier Delegation Extension Certification
-Path Validation
-.El
-.Pp
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate
-and Certificate Revocation List (CRL) Profile
-.Bl -dash -compact
-.It
-section 6: Certification Path Validation
-.El
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8e
-and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
deleted file mode 100644
index 81221ca9bc..0000000000
--- a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
+++ /dev/null
@@ -1,327 +0,0 @@
-.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.9 2023/09/30 18:16:44 tb Exp $
-.\"
-.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 30 2023 $
-.Dt X509V3_ASID_ADD_ID_OR_RANGE 3
-.Os
-.Sh NAME
-.Nm X509v3_asid_add_id_or_range ,
-.Nm X509v3_asid_add_inherit ,
-.Nm X509v3_asid_canonize ,
-.Nm X509v3_asid_is_canonical
-.Nd RFC 3779 autonomous system identifier delegation extension
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft int
-.Fo X509v3_asid_add_id_or_range
-.Fa "ASIdentifiers *asid"
-.Fa "int type"
-.Fa "ASN1_INTEGER *min"
-.Fa "ASN1_INTEGER *max"
-.Fc
-.Ft int
-.Fo X509v3_asid_add_inherit
-.Fa "ASIdentifiers *asid"
-.Fa "int type"
-.Fc
-.Ft int
-.Fo X509v3_asid_canonize
-.Fa "ASIdentifiers *asid"
-.Fc
-.Ft int
-.Fo X509v3_asid_is_canonical
-.Fa "ASIdentifiers *asid"
-.Fc
-.Sh DESCRIPTION
-An
-.Vt ASIdentifiers
-object represents the content of the certificate extension
-defined in RFC 3779, section 3.2.3.1.
-It can be instantiated with
-.Xr ASIdentifiers_new 3
-and its internals are documented in
-.Xr ASRange_new 3 .
-.Pp
-An autonomous system is identified by an unsigned 32-bit integer,
-called an AS identifier or AS number.
-An
-.Vt ASIdentifiers
-object can hold two lists:
-a list of
-.Fa type
-.Dv V3_ASID_ASNUM
-containing individual AS identifiers and ranges of AS identifiers,
-and an obsolete list of
-.Fa type
-.Dv V3_ASID_RDI
-containing routing domain identifiers (RDIs).
-Either of these lists may be absent, or it may contain nothing
-but a special
-.Dq inherit
-marker that indicates that the list is inherited from the issuer
-of the certificate.
-.Pp
-.Fn X509v3_asid_add_id_or_range
-adds an individual identifier or a range of identifiers to the list of
-.Fa type
-(either
-.Dv V3_ASID_ASNUM
-or
-.Dv V3_ASID_RDI )
-in
-.Fa asid .
-If no such list exists, it is created first.
-If a list of
-.Fa type
-already exists and contains the
-.Dq inherit
-marker, the call fails.
-.Fa min
-must be a
-.Pf non- Dv NULL
-.Vt ASN1_INTEGER .
-If
-.Fa max
-is
-.Dv NULL ,
-.Fa min
-is added as an individual identifier.
-Ownership of
-.Fa min
-and
-.Fa max
-is transferred to
-.Fa asid
-on success.
-It is the responsibility of the caller to ensure that
-the resulting
-.Fa asid
-does not contain lists with overlapping ranges and that
-.Fa min
-is strictly less than
-.Fa max
-if both are
-.Pf non- Dv NULL .
-The caller should also ensure that the AS identifiers are
-32-bit integers.
-Failure to do so may result in an
-.Fa asid
-that cannot be brought into canonical form by
-.Fn X509v3_asid_canonize .
-.Pp
-.Fn X509v3_asid_add_inherit
-adds the list of
-.Fa type
-(either
-.Dv V3_ASID_ASNUM
-or
-.Dv V3_ASID_RDI )
-in
-.Fa asid
-if necessary and marks it
-.Dq inherit .
-This fails if
-.Fa asid
-already contains a list of
-.Fa type
-that is not marked
-.Dq inherit .
-.Pp
-.Fn X509v3_asid_canonize
-attempts to bring both lists in
-.Fa asid
-into canonical form.
-If
-.Fa asid
-is
-.Dv NULL
-the call succeeds and no action occurs.
-A list is in canonical form if it is either one of
-.Bl -dash -compact
-.It
-absent,
-.It
-marked
-.Dq inherit ,
-.It
-non-empty and all identifiers and ranges are listed in increasing order.
-Ranges must not overlap,
-.\" the following is not currently specified and leads to ambiguity:
-.\" contain at least two elements,
-and adjacent ranges must be fully merged.
-.El
-.Pp
-.Fn X509v3_asid_canonize
-merges adjacent ranges
-but refuses to merge overlapping ranges or to discard duplicates.
-For example, the adjacent ranges [a,b] and [b+1,c] are merged
-into the single range [a,c], but if both [a,b] and [b,c] appear in a list,
-this results in an error since they are considered overlapping.
-Likewise, the identifier a is absorbed into the adjacent
-range [a+1,b] to yield [a,b].
-.Fn X509v3_asid_canonize
-errors if the minimum of any range is larger than the maximum.
-In contrast, minimum and maximum of a range may be equal.
-.Pp
-.Fn X509v3_asid_is_canonical
-checks whether
-.Fa asid
-is in canonical form.
-Once
-.Fn X509v3_asid_canonize
-is called successfully on
-.Fa asid ,
-all subsequent calls to
-.Fn X509v3_asid_is_canonical
-succeed on an unmodified
-.Fa asid
-unless memory allocation fails.
-.Sh RETURN VALUES
-All these functions return 1 on success and 0 on failure.
-.Pp
-.Fn X509v3_asid_add_id_or_range
-and
-.Fn X509v3_asid_add_inherit
-fail if
-.Fa asid
-is
-.Dv NULL
-or if
-.Fa type
-is distinct from
-.Dv V3_ASID_ASNUM
-and
-.Dv V3_ASID_RDI ,
-or on memory allocation failure.
-In addition,
-.Fn X509v3_asid_add_id_or_range
-fails if
-.Fa asid
-contains a list of
-.Fa type
-that is marked
-.Dq inherit ,
-and
-.Fn X509v3_asid_add_inherit
-fails if
-.Fa asid
-contains a list of
-.Fa type
-that is not marked
-.Dq inherit .
-.Pp
-.Fn X509v3_asid_canonize
-fails if either list is empty and not marked
-.Dq inherit ,
-or if it is malformed, or if memory allocation fails.
-Malformed lists include lists containing duplicate, overlapping,
-or malformed elements, for example AS ranges where the minimum is
-larger than the maximum.
-Some of these failure modes result in an error being pushed onto the
-error stack.
-.Pp
-.Fn X509v3_asid_is_canonical
-returns 1 if
-.Fa asid
-is canonical and 0 if it is not canonical or on memory allocation
-failure.
-.Sh SEE ALSO
-.Xr ASIdentifiers_new 3 ,
-.Xr crypto 3 ,
-.Xr s2i_ASN1_INTEGER 3 ,
-.Xr X509_new 3 ,
-.Xr X509v3_addr_add_inherit 3 ,
-.Xr X509v3_addr_validate_path 3
-.Sh STANDARDS
-RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers,
-.Bl -dash -compact
-.It
-section 3: Autonomous System Delegation Extension
-.El
-.Pp
-.Rs
-.%T Autonomous System (AS) Numbers
-.%U https://www.iana.org/assignments/as-numbers
-.Re
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8e
-and have been available since
-.Ox 7.1 .
-.Sh BUGS
-.Fn X509v3_asid_add_id_or_range
-does not check for inverted range bounds and overlaps
-on insertion.
-It is very easy to create an
-.Fa asid
-that fails to be canonized by
-.Fn X509v3_asid_canonize
-and it is very hard to diagnose why.
-.Pp
-Both
-.Fn X509v3_asid_add_id_or_range
-and
-.Fn X509v3_asid_add_inherit
-can leave
-.Fa asid
-in a corrupted state if memory allocation fails during their execution.
-In addition,
-.Fn X509v3_asid_add_id_or_range
-may already have freed the
-.Fa min
-and
-.Fa max
-arguments on failure.
-.Pp
-RFC 3779 does not explicitly disallow ranges where the minimum
-is equal to the maximum.
-The isolated AS identifier
-.Fa min
-and the AS range
-.Bq Fa min , Ns Fa min
-where the minimum and the maximum are equal to
-.Fa min
-have the same semantics.
-.Fn X509v3_asid_is_canonical
-accepts both representations as valid and
-.Fn X509v3_asid_canonize
-does not prefer either representation over the other.
-The encodings of the two representations produced by
-.Xr i2d_ASIdentifiers 3
-are distinct.
-.Pp
-.Fn X509v3_asid_is_canonical
-does not fully check inheriting lists to be well formed.
-It only checks the
-.Fa type
-to be
-.Dv ASIdentifierChoice_inherit
-and ignores the presence or absence of the
-.Fa inherit
-element.
-.Fn X509v3_asid_canonize
-does not fix that up.
-This can lead to incorrect or unexpected DER encoding of
-.Dq canonical
-.Vt ASIdentifiers
-objects.
-In particular, it is possible to construct an
-.Vt ASIdentifiers
-object for which both
-.Fn X509v3_asid_is_canonical
-and
-.Xr X509v3_asid_inherits 3
-return 1, and after a round trip through DER the latter
-returns 0.
diff --git a/src/lib/libcrypto/man/X509v3_get_ext_by_NID.3 b/src/lib/libcrypto/man/X509v3_get_ext_by_NID.3
deleted file mode 100644
index 8c7c159f80..0000000000
--- a/src/lib/libcrypto/man/X509v3_get_ext_by_NID.3
+++ /dev/null
@@ -1,408 +0,0 @@
-.\" $OpenBSD: X509v3_get_ext_by_NID.3,v 1.15 2024/05/22 09:44:10 tb Exp $
-.\" full merge up to: OpenSSL fd38836b Jun 20 15:25:43 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 22 2024 $
-.Dt X509V3_GET_EXT_BY_NID 3
-.Os
-.Sh NAME
-.Nm X509v3_get_ext_count ,
-.Nm X509v3_get_ext ,
-.Nm X509v3_get_ext_by_NID ,
-.Nm X509v3_get_ext_by_OBJ ,
-.Nm X509v3_get_ext_by_critical ,
-.Nm X509v3_delete_ext ,
-.Nm X509v3_add_ext ,
-.Nm X509_get_ext_count ,
-.Nm X509_get_ext ,
-.Nm X509_get_ext_by_NID ,
-.Nm X509_get_ext_by_OBJ ,
-.Nm X509_get_ext_by_critical ,
-.Nm X509_delete_ext ,
-.Nm X509_add_ext ,
-.Nm X509_CRL_get_ext_count ,
-.Nm X509_CRL_get_ext ,
-.Nm X509_CRL_get_ext_by_NID ,
-.Nm X509_CRL_get_ext_by_OBJ ,
-.Nm X509_CRL_get_ext_by_critical ,
-.Nm X509_CRL_delete_ext ,
-.Nm X509_CRL_add_ext ,
-.Nm X509_REVOKED_get_ext_count ,
-.Nm X509_REVOKED_get_ext ,
-.Nm X509_REVOKED_get_ext_by_NID ,
-.Nm X509_REVOKED_get_ext_by_OBJ ,
-.Nm X509_REVOKED_get_ext_by_critical ,
-.Nm X509_REVOKED_delete_ext ,
-.Nm X509_REVOKED_add_ext
-.Nd extension stack utility functions
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft int
-.Fo X509v3_get_ext_count
-.Fa "const STACK_OF(X509_EXTENSION) *x"
-.Fc
-.Ft X509_EXTENSION *
-.Fo X509v3_get_ext
-.Fa "const STACK_OF(X509_EXTENSION) *x"
-.Fa "int loc"
-.Fc
-.Ft int
-.Fo X509v3_get_ext_by_NID
-.Fa "const STACK_OF(X509_EXTENSION) *x"
-.Fa "int nid"
-.Fa "int lastpos"
-.Fc
-.Ft int
-.Fo X509v3_get_ext_by_OBJ
-.Fa "const STACK_OF(X509_EXTENSION) *x"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "int lastpos"
-.Fc
-.Ft int
-.Fo X509v3_get_ext_by_critical
-.Fa "const STACK_OF(X509_EXTENSION) *x"
-.Fa "int crit"
-.Fa "int lastpos"
-.Fc
-.Ft X509_EXTENSION *
-.Fo X509v3_delete_ext
-.Fa "STACK_OF(X509_EXTENSION) *x"
-.Fa "int loc"
-.Fc
-.Ft STACK_OF(X509_EXTENSION) *
-.Fo X509v3_add_ext
-.Fa "STACK_OF(X509_EXTENSION) **x"
-.Fa "X509_EXTENSION *ex"
-.Fa "int loc"
-.Fc
-.Ft int
-.Fo X509_get_ext_count
-.Fa "const X509 *x"
-.Fc
-.Ft X509_EXTENSION *
-.Fo X509_get_ext
-.Fa "const X509 *x"
-.Fa "int loc"
-.Fc
-.Ft int
-.Fo X509_get_ext_by_NID
-.Fa "const X509 *x"
-.Fa "int nid"
-.Fa "int lastpos"
-.Fc
-.Ft int
-.Fo X509_get_ext_by_OBJ
-.Fa "const X509 *x"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "int lastpos"
-.Fc
-.Ft int
-.Fo X509_get_ext_by_critical
-.Fa "const X509 *x"
-.Fa "int crit"
-.Fa "int lastpos"
-.Fc
-.Ft X509_EXTENSION *
-.Fo X509_delete_ext
-.Fa "X509 *x"
-.Fa "int loc"
-.Fc
-.Ft int
-.Fo X509_add_ext
-.Fa "X509 *x"
-.Fa "X509_EXTENSION *ex"
-.Fa "int loc"
-.Fc
-.Ft int
-.Fo X509_CRL_get_ext_count
-.Fa "const X509_CRL *x"
-.Fc
-.Ft X509_EXTENSION *
-.Fo X509_CRL_get_ext
-.Fa "const X509_CRL *x"
-.Fa "int loc"
-.Fc
-.Ft int
-.Fo X509_CRL_get_ext_by_NID
-.Fa "const X509_CRL *x"
-.Fa "int nid"
-.Fa "int lastpos"
-.Fc
-.Ft int
-.Fo X509_CRL_get_ext_by_OBJ
-.Fa "const X509_CRL *x"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "int lastpos"
-.Fc
-.Ft int
-.Fo X509_CRL_get_ext_by_critical
-.Fa "const X509_CRL *x"
-.Fa "int crit"
-.Fa "int lastpos"
-.Fc
-.Ft X509_EXTENSION *
-.Fo X509_CRL_delete_ext
-.Fa "X509_CRL *x"
-.Fa "int loc"
-.Fc
-.Ft int
-.Fo X509_CRL_add_ext
-.Fa "X509_CRL *x"
-.Fa "X509_EXTENSION *ex"
-.Fa "int loc"
-.Fc
-.Ft int
-.Fo X509_REVOKED_get_ext_count
-.Fa "const X509_REVOKED *x"
-.Fc
-.Ft X509_EXTENSION *
-.Fo X509_REVOKED_get_ext
-.Fa "const X509_REVOKED *x"
-.Fa "int loc"
-.Fc
-.Ft int
-.Fo X509_REVOKED_get_ext_by_NID
-.Fa "const X509_REVOKED *x"
-.Fa "int nid"
-.Fa "int lastpos"
-.Fc
-.Ft int
-.Fo X509_REVOKED_get_ext_by_OBJ
-.Fa "const X509_REVOKED *x"
-.Fa "const ASN1_OBJECT *obj"
-.Fa "int lastpos"
-.Fc
-.Ft int
-.Fo X509_REVOKED_get_ext_by_critical
-.Fa "const X509_REVOKED *x"
-.Fa "int crit"
-.Fa "int lastpos"
-.Fc
-.Ft X509_EXTENSION *
-.Fo X509_REVOKED_delete_ext
-.Fa "X509_REVOKED *x"
-.Fa "int loc"
-.Fc
-.Ft int
-.Fo X509_REVOKED_add_ext
-.Fa "X509_REVOKED *x"
-.Fa "X509_EXTENSION *ex"
-.Fa "int loc"
-.Fc
-.Sh DESCRIPTION
-.Fn X509v3_get_ext_count
-retrieves the number of extensions in
-.Fa x .
-.Pp
-.Fn X509v3_get_ext
-retrieves extension
-.Fa loc
-from
-.Fa x .
-The index
-.Fa loc
-can take any value from 0 to
-.Fn X509_get_ext_count x No \- 1 .
-The returned extension is an internal pointer which must not be
-freed up by the application.
-.Pp
-.Fn X509v3_get_ext_by_NID
-and
-.Fn X509v3_get_ext_by_OBJ
-look for an extension with
-.Fa nid
-or
-.Fa obj
-from extension stack
-.Fa x .
-The search starts from the extension after
-.Fa lastpos
-or from the beginning if
-.Fa lastpos
-is \-1.
-If the extension is found, its index is returned; otherwise, a negative
-value is returned.
-.Pp
-.Fn X509v3_get_ext_by_critical
-is similar to
-.Fn X509v3_get_ext_by_NID
-except that it looks for an extension of criticality
-.Fa crit .
-A zero value for
-.Fa crit
-looks for a non-critical extension; a non-zero value looks for a
-critical extension.
-.Pp
-.Fn X509v3_delete_ext
-deletes the extension with index
-.Fa loc
-from
-.Fa x .
-The deleted extension is returned and must be freed by the caller.
-If
-.Fa loc
-is an invalid index value,
-.Dv NULL
-is returned.
-.Pp
-.Fn X509v3_add_ext
-adds the extension
-.Fa ex
-to the stack
-.Pf * Fa x
-at position
-.Fa loc .
-If
-.Fa loc
-is \-1, the new extension is added to the end.
-If
-.Pf * Fa x
-is
-.Dv NULL ,
-a new stack will be allocated.
-The passed extension
-.Fa ex
-is duplicated internally so it must be freed after use.
-.Pp
-.Fn X509_get_ext_count ,
-.Fn X509_get_ext ,
-.Fn X509_get_ext_by_NID ,
-.Fn X509_get_ext_by_OBJ ,
-.Fn X509_get_ext_by_critical ,
-.Fn X509_delete_ext ,
-and
-.Fn X509_add_ext
-operate on the extensions of certificate
-.Fa x .
-They are otherwise identical to the X509v3 functions.
-.Pp
-.Fn X509_CRL_get_ext_count ,
-.Fn X509_CRL_get_ext ,
-.Fn X509_CRL_get_ext_by_NID ,
-.Fn X509_CRL_get_ext_by_OBJ ,
-.Fn X509_CRL_get_ext_by_critical ,
-.Fn X509_CRL_delete_ext ,
-and
-.Fn X509_CRL_add_ext
-operate on the extensions of the CRL
-.Fa x .
-They are otherwise identical to the X509v3 functions.
-.Pp
-.Fn X509_REVOKED_get_ext_count ,
-.Fn X509_REVOKED_get_ext ,
-.Fn X509_REVOKED_get_ext_by_NID ,
-.Fn X509_REVOKED_get_ext_by_OBJ ,
-.Fn X509_REVOKED_get_ext_by_critical ,
-.Fn X509_REVOKED_delete_ext ,
-and
-.Fn X509_REVOKED_add_ext
-operate on the extensions of the CRL entry
-.Fa x .
-They are otherwise identical to the X509v3 functions.
-.Pp
-These functions are used to examine stacks of extensions directly.
-Many applications will want to parse or encode and add an extension:
-they should use the extension encode and decode functions instead
-such as
-.Xr X509_get_ext_d2i 3 .
-.Pp
-Extension indices start from zero, so a zero index return value is
-not an error.
-These search functions start from the extension
-.Em after
-the
-.Fa lastpos
-parameter, so it should initially be set to \-1.
-If it is set to 0, the initial extension will not be checked.
-.Sh RETURN VALUES
-.Fn X509v3_get_ext_count
-returns the extension count.
-.Pp
-.Fn X509v3_get_ext ,
-.Fn X509v3_delete_ext ,
-and
-.Fn X509_delete_ext
-return an
-.Vt X509_EXTENSION
-pointer or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn X509v3_get_ext_by_NID ,
-.Fn X509v3_get_ext_by_OBJ ,
-and
-.Fn X509v3_get_ext_by_critical
-return the extension index or \-1 if an error occurs.
-In addition,
-.Fn X509v3_get_ext_by_NID
-returns \-2 if
-.Xr OBJ_nid2obj 3
-fails on the requested
-.Fa nid .
-.Pp
-.Fn X509v3_add_ext
-returns a stack of extensions or
-.Dv NULL
-on error.
-.Pp
-.Fn X509_add_ext
-returns 1 on success or 0 on error.
-.Sh SEE ALSO
-.Xr OBJ_nid2obj 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_REVOKED_new 3 ,
-.Xr X509V3_EXT_print 3 ,
-.Xr X509V3_extensions_print 3 ,
-.Xr X509V3_get_d2i 3
-.Sh HISTORY
-These functions first appeared in SSLeay 0.8.0
-and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/a2d_ASN1_OBJECT.3 b/src/lib/libcrypto/man/a2d_ASN1_OBJECT.3
deleted file mode 100644
index 7d36a54be2..0000000000
--- a/src/lib/libcrypto/man/a2d_ASN1_OBJECT.3
+++ /dev/null
@@ -1,84 +0,0 @@
-.\" $OpenBSD: a2d_ASN1_OBJECT.3,v 1.3 2023/08/09 17:34:39 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: August 9 2023 $
-.Dt A2D_ASN1_OBJECT 3
-.Os
-.Sh NAME
-.Nm a2d_ASN1_OBJECT
-.Nd DER content octets of an ASN.1 object identifier
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft int
-.Fo a2d_ASN1_OBJECT
-.Fa "unsigned char *der_out"
-.Fa "int olen"
-.Fa "const char *val_in"
-.Fa "int ilen"
-.Fc
-.Sh DESCRIPTION
-.Fn a2d_ASN1_OBJECT
-accepts an ASCII string
-.Fa val_in
-of
-.Fa ilen
-bytes and interprets it as the numerical form of an ASN.1 object identifier.
-It writes the content octets of the DER encoding of the object identifier
-to the buffer
-.Fa der_out
-which is
-.Fa olen
-bytes long.
-The identifier and length octets of the DER encoding are not written.
-.Pp
-If
-.Fa ilen
-is \-1, the
-.Xr strlen 3
-of
-.Fa val_in
-is used instead.
-.Pp
-If
-.Fa der_out
-is a
-.Dv NULL
-pointer, writing the content octets is skipped
-and only the return value is calculated.
-.Sh RETURN VALUES
-.Fn a2d_ASN1_OBJECT
-returns the number of content octets that were or would be written or 0 if
-.Fa ilen
-is 0, if
-.Fa val_in
-is not a valid representation of an object identifier,
-if memory allocation fails, or if the number of content octets
-would be larger than
-.Fa olen .
-.Sh SEE ALSO
-.Xr ASN1_OBJECT_new 3 ,
-.Xr i2d_ASN1_OBJECT 3 ,
-.Xr OBJ_create 3
-.Sh STANDARDS
-ITU-T Recommendation X.690, also known as ISO/IEC 8825-1:
-Information technology - ASN.1 encoding rules:
-Specification of Basic Encoding Rules (BER), Canonical Encoding
-Rules (CER) and Distinguished Encoding Rules (DER),
-section 8.19: Encoding of an object identifier value
-.Sh HISTORY
-.Fn a2d_ASN1_OBJECT
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/a2i_ipadd.3 b/src/lib/libcrypto/man/a2i_ipadd.3
deleted file mode 100644
index 1372b2acfd..0000000000
--- a/src/lib/libcrypto/man/a2i_ipadd.3
+++ /dev/null
@@ -1,136 +0,0 @@
-.\" $OpenBSD: a2i_ipadd.3,v 1.1 2024/12/27 15:30:17 schwarze Exp $
-.\"
-.\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 27 2024 $
-.Dt A2I_IPADD 3
-.Os
-.Sh NAME
-.Nm a2i_ipadd ,
-.Nm a2i_IPADDRESS ,
-.Nm a2i_IPADDRESS_NC
-.Nd parse Internet Protocol addresses into ASN.1 OCTET STRINGs for X.509
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft int
-.Fo a2i_ipadd
-.Fa "unsigned char *ipout"
-.Fa "const char *ipasc"
-.Fc
-.Ft ASN1_OCTET_STRING *
-.Fo a2i_IPADDRESS
-.Fa "const char *ipasc"
-.Fc
-.Ft ASN1_OCTET_STRING *
-.Fo a2i_IPADDRESS_NC
-.Fa "const char *ipasc"
-.Fc
-.Sh DESCRIPTION
-.Fn a2i_ipadd
-and
-.Fn a2i_IPADDRESS
-parse the string
-.Fa ipasc
-containing an IPv4 or IPv6 address
-in one of the following formats:
-.Bd -literal -offset indent
-d.d.d.d
-x:x:x:x:x:x:x:x (exactly 8 words)
-(x:)*x::x(:x)* (less than 8 words)
-(x:)*x:: (less than 8 words)
-::x(:x)* (less than 8 words)
-::
-(x:)*d.d.d.d (up to 6 hexadecimal words, :: can be used)
-.Ed
-.Pp
-where each
-.Ar d
-represents a non-negative decimal number less than 256
-with one, two or three digits and each
-.Ar x
-represents a non-negative hexadecimal number
-with one, two, three, or four digits.
-Both the lower case letters a-f and the upper case letters A-F can be used.
-.Pp
-.Fn a2i_ipadd
-stores the bytes of the address in network byte order (big endian) starting at
-.Fa ipout .
-The caller is responsible for providing sufficient space;
-always providing a buffer of at least 16 bytes is recommended,
-even if an IPv4 address is expected, to avoid buffer overruns in case
-.Fa ipasc
-is malformed.
-.Pp
-.Fn a2i_IPADDRESS
-stores the address in a newly allocated ASN.1
-.Vt OCTET STRING .
-.Pp
-.Fn a2i_IPADDRESS_NC
-expects
-.Fa ipasc
-to contain two addresses of the same address family in the above form,
-separated by a slash
-.Pq Sq /
-character, and stores the concatenation of both addresses
-in a newly allocated ASN.1
-.Vt OCTET STRING ,
-which is typically used for address/mask pairs
-in name constraint extensions of CA certificates.
-.Sh RETURN VALUES
-.Fn a2i_ipadd
-returns the number of bytes written to
-.Fa ipout
-in case of success, i.e. 4 for an IPv4 or 16 for an IPv6 address,
-or 0 if parsing failed.
-.Pp
-.Fn a2i_IPADDRESS
-and
-.Fn a2i_IPADDRESS_NC
-return the new object or
-.Dv NULL
-if parsing or memory allocation failed.
-.Sh SEE ALSO
-.Xr a2i_ASN1_STRING 3 ,
-.Xr ASN1_OCTET_STRING_new 3 ,
-.Xr ASN1_OCTET_STRING_set 3 ,
-.Xr GENERAL_NAME_new 3 ,
-.Xr IPAddressRange_new 3 ,
-.Xr NAME_CONSTRAINTS_new 3 ,
-.Xr s2i_ASN1_OCTET_STRING 3 ,
-.Xr X509_EXTENSION_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Bl -dash -width 1n -compact
-.It
-section 4.2.1.6: Subject Alternative Name
-.It
-section 4.2.1.10: Name Constraints
-.El
-.Sh HISTORY
-.Fn a2i_IPADDRESS
-and
-.Fn a2i_IPADDRESS_NC
-first appeared in OpenSSL 0.9.8 and
-.Fn a2i_ipadd
-in OpenSSL 0.9.8e.
-They have been available since
-.Ox 4.5 .
-.Sh CAVEATS
-While some syntax errors are caught, only minimal validation takes place,
-and these functions often return objects that make no sense, in particular
-in the context of IPv6.
-For example, the trailing :d.d.d.d syntax can be appended
-to a hexadecimal part that results in twelve arbitrary bytes.
diff --git a/src/lib/libcrypto/man/bn_dump.3 b/src/lib/libcrypto/man/bn_dump.3
deleted file mode 100644
index b4272441e5..0000000000
--- a/src/lib/libcrypto/man/bn_dump.3
+++ /dev/null
@@ -1,415 +0,0 @@
-.\" $OpenBSD: bn_dump.3,v 1.9 2023/11/16 18:10:19 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL crypto/bn/README.pod aebb9aac Jul 19 09:27:53 2016 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2003, 2006, 2009 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 16 2023 $
-.Dt BN_DUMP 3
-.Os
-.Sh NAME
-.Nm bn_mul_words ,
-.Nm bn_mul_add_words ,
-.Nm bn_sqr_words ,
-.Nm bn_div_words ,
-.Nm bn_add_words ,
-.Nm bn_sub_words ,
-.Nm bn_mul_comba4 ,
-.Nm bn_mul_comba8 ,
-.Nm bn_sqr_comba4 ,
-.Nm bn_sqr_comba8 ,
-.Nm bn_mul_normal ,
-.Nm bn_expand ,
-.Nm bn_wexpand
-.Nd BIGNUM library internal functions
-.Sh SYNOPSIS
-.Fd #include "bn_local.h"
-.Ft BN_ULONG
-.Fo bn_mul_words
-.Fa "BN_ULONG *rp"
-.Fa "BN_ULONG *ap"
-.Fa "int num"
-.Fa "BN_ULONG w"
-.Fc
-.Ft BN_ULONG
-.Fo bn_mul_add_words
-.Fa "BN_ULONG *rp"
-.Fa "BN_ULONG *ap"
-.Fa "int num"
-.Fa "BN_ULONG w"
-.Fc
-.Ft void
-.Fo bn_sqr_words
-.Fa "BN_ULONG *rp"
-.Fa "BN_ULONG *ap"
-.Fa "int num"
-.Fc
-.Ft BN_ULONG
-.Fo bn_div_words
-.Fa "BN_ULONG h"
-.Fa "BN_ULONG l"
-.Fa "BN_ULONG d"
-.Fc
-.Ft BN_ULONG
-.Fo bn_add_words
-.Fa "BN_ULONG *rp"
-.Fa "BN_ULONG *ap"
-.Fa "BN_ULONG *bp"
-.Fa "int num"
-.Fc
-.Ft BN_ULONG
-.Fo bn_sub_words
-.Fa "BN_ULONG *rp"
-.Fa "BN_ULONG *ap"
-.Fa "BN_ULONG *bp"
-.Fa "int num"
-.Fc
-.Ft void
-.Fo bn_mul_comba4
-.Fa "BN_ULONG *r"
-.Fa "BN_ULONG *a"
-.Fa "BN_ULONG *b"
-.Fc
-.Ft void
-.Fo bn_mul_comba8
-.Fa "BN_ULONG *r"
-.Fa "BN_ULONG *a"
-.Fa "BN_ULONG *b"
-.Fc
-.Ft void
-.Fo bn_sqr_comba4
-.Fa "BN_ULONG *r"
-.Fa "BN_ULONG *a"
-.Fc
-.Ft void
-.Fo bn_sqr_comba8
-.Fa "BN_ULONG *r"
-.Fa "BN_ULONG *a"
-.Fc
-.Ft void
-.Fo bn_mul_normal
-.Fa "BN_ULONG *r"
-.Fa "BN_ULONG *a"
-.Fa "int na"
-.Fa "BN_ULONG *b"
-.Fa "int nb"
-.Fc
-.Ft BIGNUM *
-.Fo bn_expand
-.Fa "BIGNUM *a"
-.Fa "int bits"
-.Fc
-.Ft BIGNUM *
-.Fo bn_wexpand
-.Fa "BIGNUM *a"
-.Fa "int n"
-.Fc
-.Sh DESCRIPTION
-This page documents some internal functions used by the
-.Vt BIGNUM
-implementation.
-They are described here to facilitate debugging and extending the
-library.
-They are
-.Em not
-to be used by applications.
-.Ss The BIGNUM structure
-.Bd -literal
-typedef struct bignum_st BIGNUM;
-
-struct bignum_st {
-        BN_ULONG *d;    /* Pointer to an array of 'BN_BITS2' bit chunks. */
-        int top;        /* Index of last used d +1. */
-        /* The next are internal book keeping for bn_expand. */
-        int dmax;       /* Size of the d array. */
-        int neg;        /* one if the number is negative */
-        int flags;
-};
-.Ed
-.Pp
-The integer value is stored in
-.Fa d ,
-a
-.Xr malloc 3 Ap ed
-array of words
-.Pq Vt BN_ULONG ,
-least significant word first.
-.Vt BN_ULONG
-is a macro that expands to
-.Vt unsigned long Pq = Vt uint64_t
-on
-.Dv _LP64
-platforms and
-.Vt unsigned int Pq = Vt uint32_t
-elsewhere.
-.Pp
-.Fa dmax
-is the size of the
-.Fa d
-array that has been allocated.
-.Fa top
-is the number of words being used, so for a value of 4, bn.d[0]=4 and
-bn.top=1.
-.Fa neg
-is 1 if the number is negative.
-When a
-.Vt BIGNUM
-is 0, the
-.Fa d
-field can be
-.Dv NULL
-and
-.Fa top
-== 0.
-.Pp
-.Fa flags
-is a bit field of flags which are defined in
-.In openssl/bn.h .
-The flags begin with
-.Dv BN_FLG_ .
-The functions
-.Xr BN_set_flags 3
-and
-.Xr BN_get_flags 3
-enable or inspect
-.Fa flags .
-.Pp
-Various routines in this library require the use of temporary
-.Vt BIGNUM
-variables during their execution.
-Since dynamic memory allocation to create
-.Vt BIGNUM Ns s
-is rather expensive when used in conjunction with repeated subroutine
-calls, the
-.Vt BN_CTX
-structure is used.
-This structure contains BN_CTX_NUM
-.Vt BIGNUM Ns s ;
-see
-.Xr BN_CTX_start 3 .
-.Ss Low level arithmetic operations
-These functions are implemented in C and for several platforms in
-assembly language:
-.Pp
-.Fn bn_mul_words rp ap num w
-operates on the
-.Fa num
-word arrays
-.Fa rp
-and
-.Fa ap .
-It computes
-.Fa ap
-*
-.Fa w ,
-places the result in
-.Fa rp ,
-and returns the high word (carry).
-.Pp
-.Fn bn_mul_add_words rp ap num w
-operates on the
-.Fa num
-word arrays
-.Fa rp
-and
-.Fa ap .
-It computes
-.Fa ap
-*
-.Fa w
-+
-.Fa rp ,
-places the result in
-.Fa rp ,
-and returns the high word (carry).
-.Pp
-.Fn bn_sqr_words rp ap num
-operates on the
-.Fa num
-word array
-.Fa ap
-and the
-.Pf 2* Fa num
-word array
-.Fa ap .
-It computes
-.Fa ap
-*
-.Fa ap
-word-wise, and places the low and high bytes of the result in
-.Fa rp .
-.Pp
-.Fn bn_div_words h l d
-divides the two word number
-.Pq Fa h , Fa l
-by
-.Fa d
-and returns the result.
-.Pp
-.Fn bn_add_words rp ap bp num
-operates on the
-.Fa num
-word arrays
-.Fa ap ,
-.Fa bp
-and
-.Fa rp .
-It computes
-.Fa ap
-+
-.Fa bp ,
-places the result in
-.Fa rp ,
-and returns the high word (carry).
-.Pp
-.Fn bn_sub_words rp ap bp num
-operates on the
-.Fa num
-word arrays
-.Fa ap ,
-.Fa bp
-and
-.Fa rp .
-It computes
-.Fa ap
--
-.Fa bp ,
-places the result in
-.Fa rp ,
-and returns the carry (1 if
-.Fa bp
-\(ra
-.Fa ap ,
-0 otherwise).
-.Pp
-.Fn bn_mul_comba4 r a b
-operates on the 4 word arrays
-.Fa a
-and
-.Fa b
-and the 8-word array
-.Fa r .
-It computes
-.Fa a Ns * Ns Fa b
-and places the result in
-.Fa r .
-.Pp
-.Fn bn_mul_comba8 r a b
-operates on the 8-word arrays
-.Fa a
-and
-.Fa b
-and the 16-word array
-.Fa r .
-It computes
-.Fa a Ns * Ns Fa b
-and places the result in
-.Fa r .
-.Pp
-.Fn bn_sqr_comba4 r a b
-operates on the 4-word arrays
-.Fa a
-and
-.Fa b
-and the 8-word array
-.Fa r .
-.Pp
-.Fn bn_sqr_comba8 r a b
-operates on the 8-word arrays
-.Fa a
-and
-.Fa b
-and the 16 word array
-.Fa r .
-.Pp
-The following functions are implemented in C:
-.Pp
-.Fn bn_mul_normal r a na b nb
-operates on the
-.Fa na
-word array
-.Fa a ,
-the
-.Fa nb
-word array
-.Fa b
-and the
-.Fa na Ns + Ns Fa nb
-word array
-.Fa r .
-It computes
-.Fa a Ns * Ns Fa b
-and places the result in
-.Fa r .
-.Pp
-.Xr BN_mul 3
-calls
-.Fn bn_mul_comba4
-if both factors are 4 words long,
-.Fn bn_mul_comba8
-if both factors are 8 words long,
-or
-.Fn bn_mul_normal
-otherwise.
-.Ss Size changes
-.Fn bn_expand
-ensures that
-.Fa b
-has enough space for a
-.Fa bits
-bit number.
-.Fn bn_wexpand
-ensures that
-.Fa b
-has enough space for an
-.Fa n
-word number.
-They return 0 on error or 1 otherwise.
-.Sh SEE ALSO
-.Xr BN_new 3
diff --git a/src/lib/libcrypto/man/crypto.3 b/src/lib/libcrypto/man/crypto.3
deleted file mode 100644
index f1367e9e62..0000000000
--- a/src/lib/libcrypto/man/crypto.3
+++ /dev/null
@@ -1,419 +0,0 @@
-.\"     $OpenBSD: crypto.3,v 1.30 2024/12/07 19:22:15 schwarze Exp $
-.\"     OpenSSL a9c85cea Nov 11 09:33:55 2016 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ulf Moeller <ulf@openssl.org> and
-.\" Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2002 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 7 2024 $
-.Dt CRYPTO 3
-.Os
-.Sh NAME
-.Nm crypto
-.Nd OpenSSL cryptographic library
-.Sh DESCRIPTION
-The OpenSSL crypto library implements a wide range of cryptographic
-algorithms used in various Internet standards.
-The services provided by this library are used by the OpenSSL
-implementations of TLS and S/MIME, and they have also been used to
-implement SSH, OpenPGP, and other cryptographic standards.
-.Pp
-.Sy Symmetric ciphers
-including AES, Blowfish, CAST, ChaCha20, IDEA, DES, RC2, and RC4
-are provided by the generic interface
-.Xr EVP_EncryptInit 3 .
-Low-level stand-alone interfaces include
-.Xr AES_encrypt 3 ,
-.Xr BF_set_key 3 ,
-.Xr ChaCha 3 ,
-.Xr DES_set_key 3 ,
-.Xr RC2_encrypt 3 ,
-and
-.Xr RC4 3 .
-.Pp
-.Sy Public key cryptography and key agreement
-are provided by
-.Xr DH_new 3 ,
-.Xr ECDH_compute_key 3 ,
-.Xr X25519 3 ,
-.Xr DSA_new 3 ,
-.Xr ECDSA_SIG_new 3 ,
-.Xr RSA_new 3 ,
-and
-.Xr EVP_PKEY_new 3 .
-.Pp
-.Sy Certificates
-are handled by
-.Xr X509_new 3
-and
-.Xr X509v3_add_ext 3 .
-.Pp
-.Sy Authentication codes and hash functions
-offered include
-.Xr EVP_DigestInit 3 ,
-.Xr CMAC_Init 3 ,
-.Xr HMAC 3 ,
-.Xr MD4 3 ,
-.Xr MD5 3 ,
-.Xr RIPEMD160 3 ,
-.Xr SHA1 3 ,
-and
-.Xr SHA256 3 .
-.Pp
-.Sy Input, output, and data encoding
-facilities include
-.Xr ASN1_TYPE_get 3 ,
-.Xr BIO_new 3 ,
-.Xr CMS_ContentInfo_new 3 ,
-.Xr evp 3 ,
-.Xr EVP_EncodeInit 3 ,
-.Xr PEM_read 3 ,
-.Xr PKCS7_encrypt 3 ,
-.Xr PKCS7_sign 3 ,
-.Xr PKCS12_create 3 ,
-and
-.Xr SMIME_write_PKCS7 3 .
-.Pp
-.Sy Auxiliary features include:
-.Bl -dash -compact
-.It
-configuration file handling: see
-.Xr OPENSSL_config 3
-.It
-error reporting: see
-.Xr ERR 3
-.It
-.Xr OCSP_REQUEST_new 3
-.It
-.Xr UI_new 3
-.El
-.Pp
-.Sy Internal utilities
-include
-.Xr BIO_f_buffer 3 ,
-.Xr BN_new 3 ,
-.Xr EC_GROUP_new 3 ,
-.Xr lh_new 3 ,
-and
-.Xr STACK_OF 3 .
-.Sh NAMING CONVENTIONS
-Elements used in the names of API functions include the following:
-.Bl -tag -width Ds
-.It add0
-See
-.Dq set0
-below.
-.It add1
-See
-.Dq set1
-below.
-.It BIO
-basic input and/or output abstraction:
-The function manipulates objects of the idiosyncratic OpenSSL
-.Vt BIO
-object type.
-See
-.Xr BIO_new 3 .
-.It bio
-The function uses a
-.Vt BIO
-object for input or output.
-In many cases, simpler variants of the function are available
-that operate directly on
-.In stdio.h
-.Vt FILE
-objects or directly in RAM, usually using byte arrays.
-.It BIO_f_
-filter BIO:
-The function returns a pointer to a static built-in object that,
-when passed to
-.Xr BIO_new 3 ,
-results in the creation of a BIO object that can write data to
-and/or read data from another
-.Vt BIO
-object.
-.It BIO_s_
-source and/or sink BIO:
-The function returns a pointer to a static built-in object that,
-when passed to
-.Xr BIO_new 3 ,
-results in the creation of a BIO object
-that can write data to an external destination
-and/or read data from an external source,
-for example a file descriptor or object, a memory buffer, or the network.
-.It BN
-big number:
-The function operates on
-.Vt BIGNUM
-objects representing integer numbers of variable, almost unlimited size.
-See
-.Xr BN_new 3 .
-.It cb
-callback:
-The function takes or returns a function pointer
-that is called by API functions from inside the library.
-The function pointed to may be defined by the application program.
-In some cases, API functions with
-.Dq cb
-in their name may return function pointers to internal functions
-defined inside the library that are not API functions.
-The element
-.Dq cb
-is also used in the names of some function pointer datatypes
-declared with
-.Sy typedef .
-In a small number of cases, the all caps form
-.Dq CB
-is used with the same meaning.
-.It CTX
-context:
-The function operates on a wrapper object around another object.
-The purposes and properties of such
-.Dq CTX
-wrapper objects vary wildly depending on the objects in question.
-A few function names use the lower case form
-.Dq ctx
-in the same sense.
-.It d2i
-DER to internal:
-The function decodes input conforming to ASN.1 basic encoding rules (BER)
-and either stores the result in an existing object
-or in a newly allocated object.
-The latter is usually preferable because
-creating a new object is more robust and less error prone.
-In spite of the name, the input usually does not need to conform to ASN.1
-distinguished encoding rules (DER), which are more restrictive than BER.
-.It EVP
-digital EnVeloPe library:
-See
-.Xr evp 3 .
-.It ex
-This name element is used for two completely unrelated purposes.
-.Pp
-extended version:
-The function is similar to an older function without the
-.Dq ex
-in its name, but takes one or more additional arguments
-in order to make it more versatile.
-In several cases, the older version is now deprecated.
-.Pp
-extra data:
-Some object types support storing additional, application-specific data
-inside objects in addition to the data the object is designed to hold.
-The function sets, retrieves, or prepares for using such extra data.
-Related function names usually contain
-.Dq ex_data
-or
-.Dq ex_new_index .
-See
-.Xr CRYPTO_set_ex_data 3 .
-.It fp
-file pointer:
-The function takes a
-.Vt FILE *
-argument.
-Usually, the function is a variant of another function taking a
-.Vt BIO *
-argument instead.
-.It i2d
-internal to DER:
-The function encodes an object passed as an argument
-according to ASN.1 distinguished encoding rules (DER).
-There are a few rare exceptions of functions that have
-.Dq i2d
-in their name but produce output anyway
-that only conforms to ASN.1 basic encoding rules (BER) and not to DER.
-.It get0
-The function returns an internal pointer
-owned by the object passed as an argument.
-The returned pointer must not be freed by the calling code.
-It will be freed automatically
-when the object owning the pointer will be freed.
-.It get1
-The function returns a copy of a sub-object
-of an object passed as an argument.
-The caller is responsible for freeing the returned object
-when it is no longer needed.
-.Pp
-If the object type is reference counted, usually the reference count
-is incremented instead of copying the object.
-Consequently, modifying the returned object may still impact all
-objects containing references to it.
-The caller is responsible for freeing the returned object
-when it is no longer needed; for reference-counted objects still
-referenced elsewhere, this will merely decrement the reference count.
-.It get
-Functions containing
-.Dq get
-in their name without a following digit may behave in
-.Dq get0
-or, more rarely, in
-.Dq get1
-style.
-To find out which is the case, refer to the individual manual pages.
-.It lh
-linear hash:
-The function manipulates a dynamic hash table.
-See
-.Xr lh_new 3 .
-.It md
-message digest.
-Some function names use the all caps form
-.Dq MD
-in the same sense.
-.It meth
-The function manipulates an object holding a function table.
-Usually, such function tables allow the application program
-to implement additional cryptographic or I/O algorithms
-and to use them with the same high-level API functions as the
-algorithms provided by the library itself, or to replace the
-implementations of algorithms provided by the library with
-custom implementations provided by the application program.
-Some API functions use the name elements
-.Dq method
-or
-.Dq METHOD
-in the same sense.
-See also the
-.Dq cb
-entry in the present list.
-.It nid
-numerical identifier:
-A non-standard, LibreSSL-specific
-.Vt int
-number associated with an ASN.1 object identifier.
-In several cases, the all caps form
-.Dq NID
-is used in the same sense.
-See
-.Xr OBJ_nid2obj 3 .
-.It obj
-This name element and its all caps form
-.Dq OBJ
-usually refer to ASN.1 object identifiers represented by the
-.Vt ASN1_OBJECT
-data type.
-See
-.Xr ASN1_OBJECT_new 3 .
-.It PKEY
-In most cases, this name element and its lower case form
-.Dq pkey
-mean
-.Dq private key ,
-but for both forms, there are some cases where they mean
-.Dq public key
-instead.
-.It set0
-The function transfers ownership of a pointer passed as an argument
-to an object passed as another argument,
-by storing the pointer inside the object.
-The transferred pointer must not be freed by the calling code.
-It will be freed automatically
-when the object now owning the pointer will be freed.
-.It set1
-The function copies the content of one object passed as an argument
-into another object also passed as an argument.
-When the calling code no longer needs the copied object,
-it can free that object.
-.Pp
-In some cases, if the object to be copied is reference counted,
-the function does not actually copy the object but merely increments
-its reference count and stores the pointer to it in the other object.
-When the calling code no longer needs its original pointer to
-the now inner object, it can free the original pointer, thus
-decrementing the reference count of the inner object
-and transferring ownership of the inner object to the outer object.
-The inner object will then be freed automatically
-when the outer object is freed later on.
-.It set
-Functions containing
-.Dq set
-in their name without a following digit may behave in
-.Dq set0
-or, more rarely, in
-.Dq set1
-style.
-To find out which is the case, refer to the individual manual pages.
-.It sk
-stack:
-The function manipulates a variable-sized array of pointers
-in the idiosyncratic style described in
-.Xr OPENSSL_sk_new 3 .
-.It TS
-X.509 time-stamp protocol:
-See
-.Xr TS_REQ_new 3 .
-.It up_ref
-The function increments the reference count of the argument by one.
-Only a minority of object types support reference counting.
-For those that do, if the reference count is greater than one,
-the corresponding
-.Dq free
-function reverses the effect of one call to the
-.Dq up_ref
-function rather than freeing the object.
-.El
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr ssl 3
diff --git a/src/lib/libcrypto/man/d2i_ASN1_NULL.3 b/src/lib/libcrypto/man/d2i_ASN1_NULL.3
deleted file mode 100644
index 037c9c93e1..0000000000
--- a/src/lib/libcrypto/man/d2i_ASN1_NULL.3
+++ /dev/null
@@ -1,92 +0,0 @@
-.\"     $OpenBSD: d2i_ASN1_NULL.3,v 1.5 2023/09/26 09:36:22 tb Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 26 2023 $
-.Dt D2I_ASN1_NULL 3
-.Os
-.Sh NAME
-.Nm d2i_ASN1_NULL ,
-.Nm i2d_ASN1_NULL
-.Nd decode and encode an ASN.1 NULL type
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_NULL *
-.Fo d2i_ASN1_NULL
-.Fa "ASN1_NULL **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_NULL
-.Fa "ASN1_NULL *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode the ASN.1 value NULL of type NULL.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_ASN1_NULL
-verifies that the BER-encoded value at
-.Pf * Fa der_in
-is NULL and of type NULL.
-It fails if
-.Fa length
-is less than 2 or if the first two bytes of
-.Pf * Fa der_in
-differ from 0x05 and 0x00.
-In case of success,
-.Pf * Fa der_in
-is advanced by two bytes and
-.Pf * Fa val_out
-is set to a specific invalid pointer representing the unique
-.Vt ASN1_NULL
-object.
-.Pp
-.Fn i2d_ASN1_NULL
-ignores
-.Fa val_in
-and encodes the ASN.1 value NULL of type NULL using DER.
-Specifically, it writes the identifier octet for the type NULL,
-0x05, followed by the length octet 0x00, and no content or
-end-of-content octets.
-.Sh RETURN VALUES
-.Fn d2i_ASN1_NULL
-returns a specific invalid pointer representing the unique
-.Vt ASN1_NULL
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_ASN1_NULL
-returns 2 if successful or 0 if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr ASN1_item_new 3 ,
-.Xr ASN1_NULL_new 3 ,
-.Xr ASN1_TYPE_get 3
-.Sh STANDARDS
-ITU-T Recommendation X.690, also known as ISO/IEC 8825-1:
-Information technology - ASN.1 encoding rules:
-Specification of Basic Encoding Rules (BER), Canonical Encoding
-Rules (CER) and Distinguished Encoding Rules (DER),
-section 8.8: Encoding of a null value
-.Sh HISTORY
-.Fn d2i_ASN1_NULL
-and
-.Fn i2d_ASN1_NULL
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/d2i_ASN1_OBJECT.3 b/src/lib/libcrypto/man/d2i_ASN1_OBJECT.3
deleted file mode 100644
index bbb70ad8c6..0000000000
--- a/src/lib/libcrypto/man/d2i_ASN1_OBJECT.3
+++ /dev/null
@@ -1,164 +0,0 @@
-.\" $OpenBSD: d2i_ASN1_OBJECT.3,v 1.15 2025/03/14 21:32:15 tb Exp $
-.\"
-.\" Copyright (c) 2017, 2022, 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 14 2025 $
-.Dt D2I_ASN1_OBJECT 3
-.Os
-.Sh NAME
-.Nm d2i_ASN1_OBJECT ,
-.Nm i2d_ASN1_OBJECT ,
-.Nm OBJ_get0_data ,
-.Nm OBJ_length
-.Nd decode and encode ASN.1 object identifiers
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_OBJECT *
-.Fo d2i_ASN1_OBJECT
-.Fa "ASN1_OBJECT **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_OBJECT
-.Fa "const ASN1_OBJECT *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.In openssl/objects.h
-.Ft const unsigned char *
-.Fn OBJ_get0_data "const ASN1_OBJECT *val_in"
-.Ft size_t
-.Fn OBJ_length "const ASN1_OBJECT *val_in"
-.Sh DESCRIPTION
-These functions decode and encode ASN.1 object identifiers.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-The LibreSSL implementation of
-.Fn d2i_ASN1_OBJECT
-always calls
-.Xr ASN1_OBJECT_free 3
-if an existing object is passed in via
-.Fa val_out
-and it always creates a new object from scratch.
-Other implementations may attempt to reuse an existing object,
-which is fragile and prone to bugs.
-Consequently, always passing
-.Dv NULL
-for the
-.Fa val_out
-argument is recommended.
-.Pp
-The objects returned from
-.Fn d2i_ASN1_OBJECT
-and the data contained in them are always marked as dynamically
-allocated, so when they are no longer needed,
-.Xr ASN1_OBJECT_free 3
-can be called on them.
-.Pp
-.Fn i2d_ASN1_OBJECT
-encodes the object identifier pointed to by
-.Fa val_in
-into DER format.
-.Fn OBJ_get0_data
-and
-.Fn OBJ_length
-only deal with the content octets of that DER encoding,
-without taking the identifier and length octets into account.
-.Sh RETURN VALUES
-.Fn d2i_ASN1_OBJECT
-returns a pointer to the new
-.Vt ASN1_OBJECT
-object or
-.Dv NULL
-if an error occurs.
-With other implementations, it might return a pointer to the reused
-.Vt ASN1_OBJECT .
-.Pp
-.Fn i2d_ASN1_OBJECT
-returns the number of octets successfully encoded
-or a value <= 0 if an error occurs.
-.Pp
-.Fn OBJ_get0_data
-returns an internal pointer to the first content octet of the DER
-encoding of
-.Fa val_in .
-The other content octets follow the returned pointer contiguously.
-.Fn OBJ_length
-returns the number of content octets contained in the DER encoding of
-.Fa val_in .
-This number is always smaller than the total length of the encoding
-returned by
-.Xr ASN1_object_size 3 .
-.Pp
-If
-.Fa val_in
-is a
-.Dv NULL
-pointer or points to an empty object, for example one freshly created with
-.Xr ASN1_OBJECT_new 3 ,
-.Fn OBJ_get0_data
-returns
-.Dv NULL
-and
-.Fn OBJ_length
-returns zero.
-.Sh SEE ALSO
-.Xr a2d_ASN1_OBJECT 3 ,
-.Xr ASN1_item_d2i 3 ,
-.Xr ASN1_OBJECT_new 3 ,
-.Xr ASN1_put_object 3 ,
-.Xr OBJ_nid2obj 3
-.Sh STANDARDS
-ITU-T Recommendation X.690, also known as ISO/IEC 8825-1:
-Information technology - ASN.1 encoding rules:
-Specification of Basic Encoding Rules (BER), Canonical Encoding
-Rules (CER) and Distinguished Encoding Rules (DER),
-section 8.19: Encoding of an object identifier value
-.Sh HISTORY
-.Fn d2i_ASN1_OBJECT
-and
-.Fn i2d_ASN1_OBJECT
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn OBJ_get0_data
-and
-.Fn OBJ_length
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.1 .
-.Sh CAVEATS
-.Fn d2i_ASN1_OBJECT
-never sets the long and short names of the object, not even if the
-object identifier matches one that is built into the library.
-To find the names of an object identifier parsed from DER or BER
-input, call
-.Xr OBJ_obj2nid 3
-on the returned object, and then
-.Xr OBJ_nid2sn 3
-and
-.Xr OBJ_nid2ln 3
-on the result.
-.Pp
-Calling
-.Fn OBJ_get0_data
-and then accessing memory in front of the returned pointer
-results in undefined behaviour.
-In particular, it is not possible to find the identifier or
-length octets in that way; use
-.Xr ASN1_put_object 3
-or
-.Fn i2d_ASN1_OBJECT
-instead.
diff --git a/src/lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3 b/src/lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3
deleted file mode 100644
index d544af0fe4..0000000000
--- a/src/lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3
+++ /dev/null
@@ -1,461 +0,0 @@
-.\"     $OpenBSD: d2i_ASN1_OCTET_STRING.3,v 1.20 2024/02/13 12:38:43 job Exp $
-.\"
-.\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: February 13 2024 $
-.Dt D2I_ASN1_OCTET_STRING 3
-.Os
-.Sh NAME
-.Nm d2i_ASN1_OCTET_STRING ,
-.Nm i2d_ASN1_OCTET_STRING ,
-.Nm d2i_ASN1_BIT_STRING ,
-.Nm i2d_ASN1_BIT_STRING ,
-.Nm d2i_ASN1_INTEGER ,
-.Nm i2d_ASN1_INTEGER ,
-.Nm d2i_ASN1_UINTEGER ,
-.Nm d2i_ASN1_ENUMERATED ,
-.Nm i2d_ASN1_ENUMERATED ,
-.Nm d2i_ASN1_UTF8STRING ,
-.Nm i2d_ASN1_UTF8STRING ,
-.Nm d2i_ASN1_IA5STRING ,
-.Nm i2d_ASN1_IA5STRING ,
-.Nm d2i_ASN1_UNIVERSALSTRING ,
-.Nm i2d_ASN1_UNIVERSALSTRING ,
-.Nm d2i_ASN1_BMPSTRING ,
-.Nm i2d_ASN1_BMPSTRING ,
-.Nm d2i_ASN1_GENERALSTRING ,
-.Nm i2d_ASN1_GENERALSTRING ,
-.Nm d2i_ASN1_T61STRING ,
-.Nm i2d_ASN1_T61STRING ,
-.Nm d2i_ASN1_VISIBLESTRING ,
-.Nm i2d_ASN1_VISIBLESTRING ,
-.Nm d2i_ASN1_PRINTABLESTRING ,
-.Nm i2d_ASN1_PRINTABLESTRING ,
-.Nm d2i_ASN1_PRINTABLE ,
-.Nm i2d_ASN1_PRINTABLE ,
-.Nm d2i_DIRECTORYSTRING ,
-.Nm i2d_DIRECTORYSTRING ,
-.Nm d2i_DISPLAYTEXT ,
-.Nm i2d_DISPLAYTEXT ,
-.Nm d2i_ASN1_GENERALIZEDTIME ,
-.Nm i2d_ASN1_GENERALIZEDTIME ,
-.Nm d2i_ASN1_UTCTIME ,
-.Nm i2d_ASN1_UTCTIME ,
-.Nm d2i_ASN1_TIME ,
-.Nm i2d_ASN1_TIME
-.Nd decode and encode ASN1_STRING objects
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_OCTET_STRING *
-.Fo d2i_ASN1_OCTET_STRING
-.Fa "ASN1_OCTET_STRING **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_OCTET_STRING
-.Fa "ASN1_OCTET_STRING *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_BIT_STRING *
-.Fo d2i_ASN1_BIT_STRING
-.Fa "ASN1_BIT_STRING **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_BIT_STRING
-.Fa "ASN1_BIT_STRING *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_INTEGER *
-.Fo d2i_ASN1_INTEGER
-.Fa "ASN1_INTEGER **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_INTEGER
-.Fa "ASN1_INTEGER *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_INTEGER *
-.Fo d2i_ASN1_UINTEGER
-.Fa "ASN1_INTEGER **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft ASN1_ENUMERATED *
-.Fo d2i_ASN1_ENUMERATED
-.Fa "ASN1_ENUMERATED **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_ENUMERATED
-.Fa "ASN1_ENUMERATED *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_UTF8STRING *
-.Fo d2i_ASN1_UTF8STRING
-.Fa "ASN1_UTF8STRING **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_UTF8STRING
-.Fa "ASN1_UTF8STRING *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_IA5STRING *
-.Fo d2i_ASN1_IA5STRING
-.Fa "ASN1_IA5STRING **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_IA5STRING
-.Fa "ASN1_IA5STRING *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_UNIVERSALSTRING *
-.Fo d2i_ASN1_UNIVERSALSTRING
-.Fa "ASN1_UNIVERSALSTRING **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_UNIVERSALSTRING
-.Fa "ASN1_UNIVERSALSTRING *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_BMPSTRING *
-.Fo d2i_ASN1_BMPSTRING
-.Fa "ASN1_BMPSTRING **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_BMPSTRING
-.Fa "ASN1_BMPSTRING *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_GENERALSTRING *
-.Fo d2i_ASN1_GENERALSTRING
-.Fa "ASN1_GENERALSTRING **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_GENERALSTRING
-.Fa "ASN1_GENERALSTRING *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_T61STRING *
-.Fo d2i_ASN1_T61STRING
-.Fa "ASN1_T61STRING **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_T61STRING
-.Fa "ASN1_T61STRING *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_VISIBLESTRING *
-.Fo d2i_ASN1_VISIBLESTRING
-.Fa "ASN1_VISIBLESTRING **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_VISIBLESTRING
-.Fa "ASN1_VISIBLESTRING *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_PRINTABLESTRING *
-.Fo d2i_ASN1_PRINTABLESTRING
-.Fa "ASN1_PRINTABLESTRING **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_PRINTABLESTRING
-.Fa "ASN1_PRINTABLESTRING *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_STRING *
-.Fo d2i_ASN1_PRINTABLE
-.Fa "ASN1_STRING **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_PRINTABLE
-.Fa "ASN1_STRING *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_STRING *
-.Fo d2i_DIRECTORYSTRING
-.Fa "ASN1_STRING **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_DIRECTORYSTRING
-.Fa "ASN1_STRING *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_STRING *
-.Fo d2i_DISPLAYTEXT
-.Fa "ASN1_STRING **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_DISPLAYTEXT
-.Fa "ASN1_STRING *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_GENERALIZEDTIME *
-.Fo d2i_ASN1_GENERALIZEDTIME
-.Fa "ASN1_GENERALIZEDTIME **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_GENERALIZEDTIME
-.Fa "ASN1_GENERALIZEDTIME *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_UTCTIME *
-.Fo d2i_ASN1_UTCTIME
-.Fa "ASN1_UTCTIME **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_UTCTIME
-.Fa "ASN1_UTCTIME *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_TIME *
-.Fo d2i_ASN1_TIME
-.Fa "ASN1_TIME **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_TIME
-.Fa "ASN1_TIME *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode various ASN.1 built-in types
-that can be represented by
-.Vt ASN1_STRING
-objects.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-The format consists of one identifier byte, one or more length bytes,
-and one or more content bytes.
-The identifier bytes and corresponding ASN.1 types are as follows:
-.Bl -column ASN1_GENERALIZEDTIME identifier
-.It Em OpenSSL type Ta Em identifier Ta Em ASN.1 type
-.It Ta
-.It Vt ASN1_OCTET_STRING    Ta 0x04 Ta OCTET STRING
-.It Vt ASN1_BIT_STRING      Ta 0x03 Ta BIT STRING
-.It Vt ASN1_INTEGER         Ta 0x02 Ta INTEGER
-.It Vt ASN1_ENUMERATED      Ta 0x0a Ta ENUMERATED
-.It Vt ASN1_UTF8STRING      Ta 0x0c Ta UTF8String
-.It Vt ASN1_IA5STRING       Ta 0x16 Ta IA5String
-.It Vt ASN1_UNIVERSALSTRING Ta 0x1c Ta UniversalString
-.It Vt ASN1_BMPSTRING       Ta 0x1e Ta BMPString
-.It Vt ASN1_GENERALSTRING   Ta 0x1b Ta GeneralString
-.It Vt ASN1_T61STRING       Ta 0x14 Ta T61String
-.It Vt ASN1_VISIBLESTRING   Ta 0x1a Ta VisibleString
-.It Vt ASN1_PRINTABLESTRING Ta 0x13 Ta PrintableString
-.It Vt ASN1_GENERALIZEDTIME Ta 0x18 Ta GeneralizedTime
-.It Vt ASN1_UTCTIME         Ta 0x17 Ta UTCTime
-.El
-.Pp
-.Fn d2i_DIRECTORYSTRING
-and
-.Fn i2d_DIRECTORYSTRING
-decode and encode an ASN.1
-.Vt DirectoryString
-structure defined in RFC 5280 section 4.1.2.4
-and used for ASN.1
-.Vt EDIPartyName
-structures; see
-.Xr EDIPARTYNAME_new 3 .
-When decoding, it accepts any of the types UTF8String, UniversalString,
-BMPString, T61String, or PrintableString.
-When encoding,
-it writes out the character string type that is actually passed in.
-.Pp
-.Fn d2i_ASN1_PRINTABLE
-and
-.Fn i2d_ASN1_PRINTABLE
-are non-standard variants of
-.Fn d2i_DIRECTORYSTRING
-and
-.Fn i2d_DIRECTORYSTRING
-that also accept IA5String, NumericString, BIT STRING, and SEQUENCE
-ASN.1 values as well as ASN.1 values with unknown identifier
-bytes (0x07, 0x08, 0x09, 0x0b, 0x0d, 0x0e, 0x0f, 0x1d, and 0x1f).
-Even though the standard requires the use of
-.Vt DirectoryString
-in the relative distinguished names described in
-.Xr X509_NAME_ENTRY_new 3 ,
-the library accepts this wider range of choices.
-.Pp
-.Fn d2i_DISPLAYTEXT
-and
-.Fn i2d_DISPLAYTEXT
-decode and encode an ASN.1
-.Vt DisplayText
-structure defined in RFC 5280 section 4.2.1.4
-and used for ASN.1
-.Vt UserNotice
-structures in certificate policies; see
-.Xr USERNOTICE_new 3 .
-When decoding, it accepts any of the types UTF8String, IA5String,
-BMPString, or VisibleString.
-When encoding,
-it writes out the character string type that is actually passed in.
-.Pp
-.Fn d2i_ASN1_TIME
-and
-.Fn i2d_ASN1_TIME
-decode and encode an ASN.1
-.Vt Time
-structure defined in RFC 5280 section 4.1
-and used for ASN.1
-.Vt Validity
-structures in certificates; see
-.Xr X509_VAL_new 3 .
-They are also used for certificate revocation lists; see
-.Xr X509_CRL_INFO_new 3 .
-When decoding, it accepts either GeneralizedTime or UTCTime.
-When encoding, it writes out the time type that is actually passed in.
-.Pp
-The following constants describe the ASN.1 tags that are valid
-when decoding with the above functions.
-See
-.Xr ASN1_tag2bit 3
-for more details about the
-.Dv B_ASN1_*
-constants.
-.Bl -column d2i_DIRECTORYSTRING() B_ASN1_DIRECTORYSTRING -offset indent
-.It decoding function      Ta mask constant
-.It Fn d2i_DIRECTORYSTRING Ta Dv B_ASN1_DIRECTORYSTRING
-.It Fn d2i_ASN1_PRINTABLE  Ta Dv B_ASN1_PRINTABLE
-.It Fn d2i_DISPLAYTEXT     Ta Dv B_ASN1_DISPLAYTEXT
-.It Fn d2i_ASN1_TIME       Ta Dv B_ASN1_TIME
-.El
-.Pp
-.Fn d2i_ASN1_UINTEGER
-is similar to
-.Fn d2i_ASN1_INTEGER
-except that it ignores the sign bit in the BER encoding and treats
-all integers as positive.
-It helps to process BER input produced by broken software
-that neglects adding a leading NUL content byte where required.
-.Sh RETURN VALUES
-The
-.Fn d2i_*
-decoding functions return an
-.Vt ASN1_STRING
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-The
-.Fn i2d_*
-encoding functions return the number of bytes successfully encoded
-or a negative value if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr ASN1_STRING_new 3
-.Sh STANDARDS
-ITU-T Recommendation X.680, also known as ISO/IEC 8824-1:
-Information technology - Abstract Syntax Notation One (ASN.1):
-Specification of basic notation
-.Pp
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Sh HISTORY
-.Fn d2i_ASN1_OCTET_STRING ,
-.Fn i2d_ASN1_OCTET_STRING ,
-.Fn d2i_ASN1_BIT_STRING ,
-.Fn i2d_ASN1_BIT_STRING ,
-.Fn d2i_ASN1_INTEGER ,
-.Fn i2d_ASN1_INTEGER ,
-.Fn d2i_ASN1_IA5STRING ,
-.Fn i2d_ASN1_IA5STRING ,
-.Fn d2i_ASN1_T61STRING ,
-.Fn i2d_ASN1_T61STRING ,
-.Fn d2i_ASN1_PRINTABLESTRING ,
-.Fn i2d_ASN1_PRINTABLESTRING ,
-.Fn d2i_ASN1_PRINTABLE ,
-.Fn i2d_ASN1_PRINTABLE ,
-.Fn d2i_ASN1_UTCTIME ,
-and
-.Fn i2d_ASN1_UTCTIME
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn d2i_ASN1_BMPSTRING
-and
-.Fn i2d_ASN1_BMPSTRING
-first appeared in SSLeay 0.9.1.
-.Fn d2i_ASN1_ENUMERATED ,
-.Fn i2d_ASN1_ENUMERATED ,
-.Fn d2i_ASN1_GENERALIZEDTIME ,
-.Fn i2d_ASN1_GENERALIZEDTIME ,
-.Fn d2i_ASN1_TIME ,
-and
-.Fn i2d_ASN1_TIME
-first appeared in OpenSSL 0.9.2b.
-.Fn d2i_ASN1_UINTEGER ,
-.Fn d2i_ASN1_UTF8STRING ,
-.Fn i2d_ASN1_UTF8STRING ,
-.Fn d2i_ASN1_VISIBLESTRING ,
-.Fn i2d_ASN1_VISIBLESTRING ,
-.Fn d2i_DIRECTORYSTRING ,
-.Fn i2d_DIRECTORYSTRING ,
-.Fn d2i_DISPLAYTEXT
-and
-.Fn i2d_DISPLAYTEXT
-first appeared in OpenSSL 0.9.3.
-These functions have been available since
-.Ox 2.6 .
-.Pp
-.Fn d2i_ASN1_UNIVERSALSTRING ,
-.Fn i2d_ASN1_UNIVERSALSTRING ,
-.Fn d2i_ASN1_GENERALSTRING ,
-and
-.Fn i2d_ASN1_GENERALSTRING
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Sh CAVEATS
-Other implementations may accept or emit invalid DER encodings of
-GeneralizedTime and UTCTime.
-Portable applications should use
-.Fn ASN1_STRING_length
-to double check whether a given GeneralizedTime or UTCTime object is at least
-15 or 13 bytes, respectively.
diff --git a/src/lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3 b/src/lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3
deleted file mode 100644
index 654f0b1e6b..0000000000
--- a/src/lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3
+++ /dev/null
@@ -1,98 +0,0 @@
-.\" $OpenBSD: d2i_ASN1_SEQUENCE_ANY.3,v 1.3 2021/12/09 19:05:09 schwarze Exp $
-.\"
-.\" Copyright (c) 2017, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 9 2021 $
-.Dt D2I_ASN1_SEQUENCE_ANY 3
-.Os
-.Sh NAME
-.Nm d2i_ASN1_SEQUENCE_ANY ,
-.Nm i2d_ASN1_SEQUENCE_ANY ,
-.Nm d2i_ASN1_SET_ANY ,
-.Nm i2d_ASN1_SET_ANY
-.Nd decode and encode ASN.1 sequences and sets
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_SEQUENCE_ANY *
-.Fo d2i_ASN1_SEQUENCE_ANY
-.Fa "ASN1_SEQUENCE_ANY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_SEQUENCE_ANY
-.Fa "const ASN1_SEQUENCE_ANY *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ASN1_SEQUENCE_ANY *
-.Fo d2i_ASN1_SET_ANY
-.Fa "ASN1_SEQUENCE_ANY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ASN1_SET_ANY
-.Fa "const ASN1_SEQUENCE_ANY *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode ASN.1 sequences and sets,
-which are also represented by the
-.Dv V_ASN1_SEQUENCE
-and
-.Dv V_ASN1_SET
-type identifier constants, respectively.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-The type
-.Vt ASN1_SEQUENCE_ANY
-is defined as
-.Vt STACK_OF(ASN1_TYPE) .
-Whether such an object represents a sequence or a set is not stored
-in the object itself but needs to be remembered separately.
-.Pp
-Like for
-.Xr d2i_ASN1_TYPE 3
-and
-.Xr i2d_ASN1_TYPE 3 ,
-the type of the individual values contained in the sequence or set
-is not specified when calling the functions.
-It might vary among the members, and it is stored together with
-each value in each
-.Vt ASN1_TYPE
-object contained in the sequence or set.
-.Sh RETURN VALUES
-.Fn d2i_ASN1_SEQUENCE_ANY
-returns an
-.Vt ASN1_SEQUENCE_ANY
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_ASN1_SEQUENCE_ANY
-returns the number of bytes written or a negative value if an error
-occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr ASN1_TYPE_new 3
-.Sh HISTORY
-.Fn d2i_ASN1_SEQUENCE_ANY ,
-.Fn i2d_ASN1_SEQUENCE_ANY ,
-.Fn d2i_ASN1_SET_ANY ,
-and
-.Fn i2d_ASN1_SET_ANY
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3 b/src/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3
deleted file mode 100644
index 413f41e179..0000000000
--- a/src/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3
+++ /dev/null
@@ -1,75 +0,0 @@
-.\"     $OpenBSD: d2i_AUTHORITY_KEYID.3,v 1.2 2018/03/21 16:09:51 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 21 2018 $
-.Dt D2I_AUTHORITY_KEYID 3
-.Os
-.Sh NAME
-.Nm d2i_AUTHORITY_KEYID ,
-.Nm i2d_AUTHORITY_KEYID
-.Nd decode and encode X.509 authority key identifiers
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft AUTHORITY_KEYID *
-.Fo d2i_AUTHORITY_KEYID
-.Fa "AUTHORITY_KEYID **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_AUTHORITY_KEYID
-.Fa "AUTHORITY_KEYID *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-.Fn d2i_AUTHORITY_KEYID
-and
-.Fn i2d_AUTHORITY_KEYID
-decode and encode an ASN.1
-.Vt AuthorityKeyIdentifier
-structure  defined in RFC 5280 section 4.2.1.1.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Sh RETURN VALUES
-.Fn d2i_AUTHORITY_KEYID
-returns an
-.Vt AUTHORITY_KEYID
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_AUTHORITY_KEYID
-returns the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr AUTHORITY_KEYID_new 3 ,
-.Xr X509_EXTENSION_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile:
-.Bl -dash -compact
-.It
-section 4.2.1.1: Certificate Extensions: Authority Key Identifier
-.It
-section 5.2.1: CRL Extensions: Authority Key Identifier
-.El
-.Sh HISTORY
-.Fn d2i_AUTHORITY_KEYID
-and
-.Fn i2d_AUTHORITY_KEYID
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3 b/src/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3
deleted file mode 100644
index 2964a1f90e..0000000000
--- a/src/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3
+++ /dev/null
@@ -1,106 +0,0 @@
-.\"     $OpenBSD: d2i_BASIC_CONSTRAINTS.3,v 1.3 2018/03/22 21:08:22 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 22 2018 $
-.Dt D2I_BASIC_CONSTRAINTS 3
-.Os
-.Sh NAME
-.Nm d2i_BASIC_CONSTRAINTS ,
-.Nm i2d_BASIC_CONSTRAINTS ,
-.Nm d2i_EXTENDED_KEY_USAGE ,
-.Nm i2d_EXTENDED_KEY_USAGE
-.Nd decode and encode X.509 key usage purposes
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft BASIC_CONSTRAINTS *
-.Fo d2i_BASIC_CONSTRAINTS
-.Fa "BASIC_CONSTRAINTS **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_BASIC_CONSTRAINTS
-.Fa "BASIC_CONSTRAINTS *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft EXTENDED_KEY_USAGE *
-.Fo d2i_EXTENDED_KEY_USAGE
-.Fa "EXTENDED_KEY_USAGE **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_EXTENDED_KEY_USAGE
-.Fa "EXTENDED_KEY_USAGE *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode data structures describing the
-intended purposes that the key contained in an X.509 certificate
-is to be used for.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_BASIC_CONSTRAINTS
-and
-.Fn i2d_BASIC_CONSTRAINTS
-decode and encode an ASN.1
-.Vt BasicConstraints
-structure defined in RFC 5280 section 4.2.1.9.
-.Pp
-.Fn d2i_EXTENDED_KEY_USAGE
-and
-.Fn i2d_EXTENDED_KEY_USAGE
-decode and encode an ASN.1
-.Vt ExtKeyUsageSyntax
-structure defined in RFC 5280 section 4.2.1.12.
-.Sh RETURN VALUES
-.Fn d2i_BASIC_CONSTRAINTS
-and
-.Fn d2i_EXTENDED_KEY_USAGE
-return a
-.Vt BASIC_CONSTRAINTS
-or
-.Vt EXTENDED_KEY_USAGE
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_BASIC_CONSTRAINTS
-and
-.Fn i2d_EXTENDED_KEY_USAGE
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr BASIC_CONSTRAINTS_new 3 ,
-.Xr EXTENDED_KEY_USAGE_new 3 ,
-.Xr X509_EXTENSION_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Sh HISTORY
-.Fn d2i_BASIC_CONSTRAINTS
-and
-.Fn i2d_BASIC_CONSTRAINTS
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
-.Pp
-.Fn d2i_EXTENDED_KEY_USAGE
-and
-.Fn i2d_EXTENDED_KEY_USAGE
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/d2i_CMS_ContentInfo.3 b/src/lib/libcrypto/man/d2i_CMS_ContentInfo.3
deleted file mode 100644
index 0c61047c42..0000000000
--- a/src/lib/libcrypto/man/d2i_CMS_ContentInfo.3
+++ /dev/null
@@ -1,128 +0,0 @@
-.\" $OpenBSD: d2i_CMS_ContentInfo.3,v 1.3 2019/11/02 15:39:46 schwarze Exp $
-.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 2 2019 $
-.Dt D2I_CMS_CONTENTINFO 3
-.Os
-.Sh NAME
-.Nm d2i_CMS_ContentInfo ,
-.Nm i2d_CMS_ContentInfo ,
-.Nm d2i_CMS_bio ,
-.Nm i2d_CMS_bio ,
-.Nm d2i_CMS_ReceiptRequest ,
-.Nm i2d_CMS_ReceiptRequest
-.Nd decode and encode Cryptographic Message Syntax data
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft CMS_ContentInfo *
-.Fo d2i_CMS_ContentInfo
-.Fa "CMS_ContentInfo **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_CMS_ContentInfo
-.Fa "CMS_ContentInfo *val_in"
-.Fa "unsigned char **out"
-.Fc
-.Ft CMS_ContentInfo *
-.Fo d2i_CMS_bio
-.Fa "BIO *in_bio"
-.Fa "CMS_ContentInfo **val_out"
-.Fc
-.Ft int
-.Fo i2d_CMS_bio
-.Fa "BIO *out_bio"
-.Fa "CMS_ContentInfo *val_in"
-.Fc
-.Ft CMS_ReceiptRequest *
-.Fo d2i_CMS_ReceiptRequest
-.Fa "CMS_ReceiptRequest **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_CMS_ReceiptRequest
-.Fa "CMS_ReceiptRequest *val_in"
-.Fa "unsigned char **out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode Cryptographic Message Syntax
-data structures.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_CMS_ContentInfo
-and
-.Fn i2d_CMS_ContentInfo
-decode and encode a
-.Vt CMS_ContentInfo
-structure defined in RFC 5652 section 3.
-.Fn d2i_CMS_bio
-and
-.Fn i2d_CMS_bio
-are similar except that they decode or encode using a
-.Vt BIO
-pointer.
-.Pp
-.Fn d2i_CMS_ReceiptRequest
-and
-.Fn i2d_CMS_ReceiptRequest
-decode and encode a
-.Vt CMS_ReceiptRequest
-structure defined in RFC 2634 section 2.7.
-.Sh RETURN VALUES
-.Fn d2i_CMS_ContentInfo
-and
-.Fn d2i_CMS_bio
-return a valid
-.Vt CMS_ContentInfo
-structure or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn d2i_CMS_ReceiptRequest
-returns a valid
-.Vt CMS_ReceiptRequest
-structure or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_CMS_ContentInfo
-and
-.Fn i2d_CMS_ReceiptRequest
-return the number of bytes successfully encoded
-or a negative value if an error occurs.
-.Pp
-.Fn i2d_CMS_bio
-returns 1 for success or 0 if an error occurs.
-.Pp
-For all functions, the error code can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_get0_type 3 ,
-.Xr CMS_ReceiptRequest_create0 3 ,
-.Xr i2d_CMS_bio_stream 3
-.Sh STANDARDS
-RFC 5652: Cryptographic Message Syntax, section 3: General Syntax
-.Pp
-RFC 2634: Enhanced Security Services for S/MIME,
-section 2.7: Receipt Request Syntax
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8h
-and have been available since
-.Ox 6.7 .
diff --git a/src/lib/libcrypto/man/d2i_DHparams.3 b/src/lib/libcrypto/man/d2i_DHparams.3
deleted file mode 100644
index 7fd9878dc0..0000000000
--- a/src/lib/libcrypto/man/d2i_DHparams.3
+++ /dev/null
@@ -1,99 +0,0 @@
-.\" $OpenBSD: d2i_DHparams.3,v 1.8 2018/03/27 17:35:50 schwarze Exp $
-.\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org> and
-.\" Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2015, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt D2I_DHPARAMS 3
-.Os
-.Sh NAME
-.Nm d2i_DHparams ,
-.Nm i2d_DHparams
-.Nd PKCS#3 DH parameter functions
-.Sh SYNOPSIS
-.In openssl/dh.h
-.Ft DH *
-.Fo d2i_DHparams
-.Fa "DH **a"
-.Fa "unsigned char **pp"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_DHparams
-.Fa "DH *a"
-.Fa "unsigned char **pp"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode PKCS#3 DH parameters using the
-DHparameter structure described in PKCS#3.
-They otherwise behave in a way similar to
-.Xr d2i_X509 3
-and
-.Xr i2d_X509 3 .
-.Sh RETURN VALUES
-.Fn d2i_DHparams
-returns a
-.Vt DH
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_DHparams
-returns the number of bytes successfully encoded or a value <= 0
-if an error occurs.
-.Sh SEE ALSO
-.Xr d2i_X509 3 ,
-.Xr DH_new 3
-.Sh HISTORY
-.Fn d2i_DHparams
-and
-.Fn i2d_DHparams
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/d2i_DIST_POINT.3 b/src/lib/libcrypto/man/d2i_DIST_POINT.3
deleted file mode 100644
index 34bdb26fb4..0000000000
--- a/src/lib/libcrypto/man/d2i_DIST_POINT.3
+++ /dev/null
@@ -1,201 +0,0 @@
-.\"     $OpenBSD: d2i_DIST_POINT.3,v 1.4 2018/03/23 04:34:23 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 23 2018 $
-.Dt D2I_DIST_POINT 3
-.Os
-.Sh NAME
-.Nm d2i_DIST_POINT ,
-.Nm i2d_DIST_POINT ,
-.Nm d2i_CRL_DIST_POINTS ,
-.Nm i2d_CRL_DIST_POINTS ,
-.Nm d2i_DIST_POINT_NAME ,
-.Nm i2d_DIST_POINT_NAME ,
-.Nm d2i_ISSUING_DIST_POINT ,
-.Nm i2d_ISSUING_DIST_POINT ,
-.Nm d2i_ACCESS_DESCRIPTION ,
-.Nm i2d_ACCESS_DESCRIPTION ,
-.Nm d2i_AUTHORITY_INFO_ACCESS ,
-.Nm i2d_AUTHORITY_INFO_ACCESS
-.Nd decode and encode X.509 data access extensions
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft DIST_POINT *
-.Fo d2i_DIST_POINT
-.Fa "DIST_POINT_NAME **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_DIST_POINT
-.Fa "DIST_POINT *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft CRL_DIST_POINTS *
-.Fo d2i_CRL_DIST_POINTS
-.Fa "CRL_DIST_POINTS_NAME **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_CRL_DIST_POINTS
-.Fa "CRL_DIST_POINTS *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft DIST_POINT_NAME *
-.Fo d2i_DIST_POINT_NAME
-.Fa "DIST_POINT_NAME_NAME **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_DIST_POINT_NAME
-.Fa "DIST_POINT_NAME *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ISSUING_DIST_POINT *
-.Fo d2i_ISSUING_DIST_POINT
-.Fa "ISSUING_DIST_POINT_NAME **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ISSUING_DIST_POINT
-.Fa "ISSUING_DIST_POINT *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ACCESS_DESCRIPTION *
-.Fo d2i_ACCESS_DESCRIPTION
-.Fa "ACCESS_DESCRIPTION_NAME **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ACCESS_DESCRIPTION
-.Fa "ACCESS_DESCRIPTION *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft AUTHORITY_INFO_ACCESS *
-.Fo d2i_AUTHORITY_INFO_ACCESS
-.Fa "AUTHORITY_INFO_ACCESS_NAME **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_AUTHORITY_INFO_ACCESS
-.Fa "AUTHORITY_INFO_ACCESS *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode X.509 extensions that communicate
-where to retrieve additional information online.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_DIST_POINT
-and
-.Fn i2d_DIST_POINT
-decode and encode an ASN.1
-.Vt DistributionPoint
-structure defined in RFC 5280 section 4.2.1.13.
-.Pp
-.Fn d2i_CRL_DIST_POINTS
-and
-.Fn i2d_CRL_DIST_POINTS
-decode and encode an ASN.1
-.Vt CRLDistributionPoints
-structure defined in RFC 5280 section 4.2.1.13.
-.Pp
-.Fn d2i_DIST_POINT_NAME
-and
-.Fn i2d_DIST_POINT_NAME
-decode and encode an ASN.1
-.Vt DistributionPointName
-structure defined in RFC 5280 section 4.2.1.13.
-.Pp
-.Fn d2i_ISSUING_DIST_POINT
-and
-.Fn i2d_ISSUING_DIST_POINT
-decode and encode an ASN.1
-.Vt IssuingDistributionPoint
-structure defined in RFC 5280 section 5.2.5.
-.Pp
-.Fn d2i_ACCESS_DESCRIPTION
-and
-.Fn i2d_ACCESS_DESCRIPTION
-decode and encode an ASN.1
-.Vt AccessDescription
-structure defined in RFC 5280 section 4.2.2.1.
-.Pp
-.Fn d2i_AUTHORITY_INFO_ACCESS
-and
-.Fn i2d_AUTHORITY_INFO_ACCESS
-decode and encode an ASN.1
-.Vt AuthorityInfoAccessSyntax
-structure defined in RFC 5280 section 4.2.2.1.
-.Sh RETURN VALUES
-.Fn d2i_DIST_POINT ,
-.Fn d2i_CRL_DIST_POINTS ,
-.Fn d2i_DIST_POINT_NAME ,
-.Fn d2i_ISSUING_DIST_POINT ,
-.Fn d2i_ACCESS_DESCRIPTION ,
-and
-.Fn d2i_AUTHORITY_INFO_ACCESS
-return an object of the respective type or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_DIST_POINT ,
-.Fn i2d_CRL_DIST_POINTS ,
-.Fn i2d_DIST_POINT_NAME ,
-.Fn i2d_ISSUING_DIST_POINT ,
-.Fn i2d_ACCESS_DESCRIPTION ,
-and
-.Fn i2d_AUTHORITY_INFO_ACCESS
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Sh SEE ALSO
-.Xr ACCESS_DESCRIPTION_new 3 ,
-.Xr ASN1_item_d2i 3 ,
-.Xr DIST_POINT_new 3 ,
-.Xr X509_EXTENSION_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Sh HISTORY
-.Fn d2i_DIST_POINT ,
-.Fn i2d_DIST_POINT ,
-.Fn d2i_CRL_DIST_POINTS ,
-.Fn i2d_CRL_DIST_POINTS ,
-.Fn d2i_DIST_POINT_NAME ,
-and
-.Fn i2d_DIST_POINT_NAME
-first appeared in OpenSSL 0.9.3 and have been available since
-.Ox 2.6 .
-.Pp
-.Fn d2i_ACCESS_DESCRIPTION ,
-.Fn i2d_ACCESS_DESCRIPTION ,
-.Fn d2i_AUTHORITY_INFO_ACCESS ,
-and
-.Fn i2d_AUTHORITY_INFO_ACCESS
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-.Fn d2i_ISSUING_DIST_POINT
-and
-.Fn i2d_ISSUING_DIST_POINT
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/d2i_DSAPublicKey.3 b/src/lib/libcrypto/man/d2i_DSAPublicKey.3
deleted file mode 100644
index 37ef22e1b9..0000000000
--- a/src/lib/libcrypto/man/d2i_DSAPublicKey.3
+++ /dev/null
@@ -1,412 +0,0 @@
-.\"     $OpenBSD: d2i_DSAPublicKey.3,v 1.14 2018/08/26 17:03:32 tb Exp $
-.\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2003, 2013, 2015, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 26 2018 $
-.Dt D2I_DSAPUBLICKEY 3
-.Os
-.Sh NAME
-.Nm d2i_DSAPublicKey ,
-.Nm i2d_DSAPublicKey ,
-.Nm d2i_DSA_PUBKEY ,
-.Nm i2d_DSA_PUBKEY ,
-.Nm d2i_DSA_PUBKEY_bio ,
-.Nm d2i_DSA_PUBKEY_fp ,
-.Nm i2d_DSA_PUBKEY_bio ,
-.Nm i2d_DSA_PUBKEY_fp ,
-.Nm d2i_DSAPrivateKey ,
-.Nm i2d_DSAPrivateKey ,
-.Nm d2i_DSAPrivateKey_bio ,
-.Nm d2i_DSAPrivateKey_fp ,
-.Nm i2d_DSAPrivateKey_bio ,
-.Nm i2d_DSAPrivateKey_fp ,
-.Nm d2i_DSAparams ,
-.Nm i2d_DSAparams ,
-.Nm d2i_DSAparams_bio ,
-.Nm i2d_DSAparams_bio ,
-.Nm d2i_DSAparams_fp ,
-.Nm i2d_DSAparams_fp ,
-.Nm DSAparams_dup ,
-.Nm d2i_DSA_SIG ,
-.Nm i2d_DSA_SIG
-.Nd decode and encode DSA keys
-.Sh SYNOPSIS
-.In openssl/dsa.h
-.Ft DSA *
-.Fo d2i_DSAPublicKey
-.Fa "DSA **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_DSAPublicKey
-.Fa "const DSA *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.In openssl/x509.h
-.Ft DSA *
-.Fo d2i_DSA_PUBKEY
-.Fa "DSA **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_DSA_PUBKEY
-.Fa "const DSA *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft DSA *
-.Fo d2i_DSA_PUBKEY_bio
-.Fa "BIO *in_bio"
-.Fa "DSA **val_out"
-.Fc
-.Ft DSA *
-.Fo d2i_DSA_PUBKEY_fp
-.Fa "FILE *in_fp"
-.Fa "DSA **val_out"
-.Fc
-.Ft int
-.Fo i2d_DSA_PUBKEY_bio
-.Fa "BIO *out_bio"
-.Fa "DSA *val_in"
-.Fc
-.Ft int
-.Fo i2d_DSA_PUBKEY_fp
-.Fa "FILE *out_fp"
-.Fa "DSA *val_in"
-.Fc
-.In openssl/dsa.h
-.Ft DSA *
-.Fo d2i_DSAPrivateKey
-.Fa "DSA **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_DSAPrivateKey
-.Fa "const DSA *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.In openssl/x509.h
-.Ft DSA *
-.Fo d2i_DSAPrivateKey_bio
-.Fa "BIO *in_bio"
-.Fa "DSA **val_out"
-.Fc
-.Ft DSA *
-.Fo d2i_DSAPrivateKey_fp
-.Fa "FILE *in_fp"
-.Fa "DSA **val_out"
-.Fc
-.Ft int
-.Fo i2d_DSAPrivateKey_bio
-.Fa "BIO *out_bio"
-.Fa "DSA *val_in"
-.Fc
-.Ft int
-.Fo i2d_DSAPrivateKey_fp
-.Fa "FILE *out_fp"
-.Fa "DSA *val_in"
-.Fc
-.In openssl/dsa.h
-.Ft DSA *
-.Fo d2i_DSAparams
-.Fa "DSA **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_DSAparams
-.Fa "const DSA *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft DSA *
-.Fo d2i_DSAparams_bio
-.Fa "BIO *in_bio"
-.Fa "DSA **val_out"
-.Fc
-.Ft int
-.Fo i2d_DSAparams_bio
-.Fa "BIO *out_bio"
-.Fa "DSA *val_in"
-.Fc
-.Ft DSA *
-.Fo d2i_DSAparams_fp
-.Fa "FILE *in_fp"
-.Fa "DSA **val_out"
-.Fc
-.Ft int
-.Fo i2d_DSAparams_fp
-.Fa FILE *out_fp
-.Fa "DSA *val_in"
-.Fc
-.Ft DSA *
-.Fo DSAparams_dup
-.Fa "DSA *val_in"
-.Fc
-.Ft DSA_SIG *
-.Fo d2i_DSA_SIG
-.Fa "DSA_SIG **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_DSA_SIG
-.Fa "const DSA_SIG *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode DSA keys and parameters.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_DSAPublicKey
-and
-.Fn i2d_DSAPublicKey
-decode and encode the DSA public key components using a non-standard
-format, so consider using
-.Fn d2i_DSA_PUBKEY
-and
-.Fn i2d_DSA_PUBKEY
-instead.
-The actual data encoded depends on the value of
-.Fa val_in->write_params .
-If
-.Fa val_in->write_params
-is zero, only the
-.Fa val_in->pub_key
-field is encoded as an ASN.1 INTEGER.
-If
-.Fa val_in->write_params
-is 1, then a SEQUENCE consisting of the
-.Fa val_in->p ,
-.Fa val_in->q ,
-.Fa val_in->g ,
-and
-.Fa val_in->pub_key
-fields is encoded.
-.Pp
-.Fn d2i_DSA_PUBKEY
-and
-.Fn i2d_DSA_PUBKEY
-decode and encode a DSA public key using an ASN.1
-.Vt SubjectPublicKeyInfo
-structure defined in RFC 5280 section 4.1
-and documented in
-.Xr X509_PUBKEY_new 3 .
-.Fn d2i_DSA_PUBKEY_bio ,
-.Fn d2i_DSA_PUBKEY_fp ,
-.Fn i2d_DSA_PUBKEY_bio ,
-and
-.Fn i2d_DSA_PUBKEY_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn d2i_DSAPrivateKey
-and
-.Fn i2d_DSAPrivateKey
-decode and encode the DSA private key components.
-The
-.Vt DSA
-object passed to the private key encoding functions should have all
-the private key components present.
-These functions use a non-standard structure consisting of a
-SEQUENCE containing the
-.Fa val_in->p ,
-.Fa val_in->q ,
-.Fa val_in->g ,
-.Fa val_in->pub_key ,
-and
-.Fa val_in->priv_key
-fields.
-This data format is unencrypted.
-For private key security when writing private keys to files,
-consider using
-.Xr PEM_write_DSAPrivateKey 3
-instead.
-.Fn d2i_DSAPrivateKey_bio ,
-.Fn d2i_DSAPrivateKey_fp ,
-.Fn i2d_DSAPrivateKey_bio ,
-and
-.Fn i2d_DSAPrivateKey_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn d2i_DSAparams
-and
-.Fn i2d_DSAparams
-decode and encode the DSA parameters using an ASN.1
-.Vt Dss-Parms
-structure defined in RFC 3279 section 2.3.2
-and used for the parameters field of the ASN.1
-.Vt AlgorithmIdentifier
-structure defined in RFC 5280 section 4.1.1.2.
-.Fn d2i_DSAparams_bio ,
-.Fn i2d_DSAparams_bio ,
-.Fn d2i_DSAparams_fp ,
-.Fn i2d_DSAparams_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn DSAparams_dup
-allocates and initializes an empty
-.Vt DSA
-object and copies the DSA parameters from
-.Fa val_in
-to it by calling
-.Fn i2d_DSAparams
-and
-.Fn d2i_DSAparams .
-If a private or public key are present in
-.Fa val_in ,
-they are not copied.
-.Pp
-.Fn d2i_DSA_SIG
-and
-.Fn i2d_DSA_SIG
-decode and encode a DSA signature using an ASN.1
-.Vt Dss-Sig-Value
-structure as defined in RFC 3279 section 2.2.2
-and used for the signatureValue field of the ASN.1
-.Vt Certificate
-structure described in RFC 5280 sections 4.1.1.3 and 5.1.1.3.
-.Sh RETURN VALUES
-.Fn d2i_DSAPublicKey ,
-.Fn d2i_DSA_PUBKEY ,
-.Fn d2i_DSA_PUBKEY_bio ,
-.Fn d2i_DSA_PUBKEY_fp ,
-.Fn d2i_DSAPrivateKey ,
-.Fn d2i_DSAPrivateKey_bio ,
-.Fn d2i_DSAPrivateKey_fp ,
-.Fn d2i_DSAparams ,
-.Fn d2i_DSAparams_bio ,
-.Fn d2i_DSAparams_fp ,
-and
-.Fn DSAparams_dup
-return a valid
-.Vt DSA
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn d2i_DSA_SIG
-returns a valid
-.Vt DSA_SIG
-object or
-.Dv NULL
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr DSA_new 3 ,
-.Xr DSA_SIG_new 3 ,
-.Xr EVP_PKEY_set1_DSA 3 ,
-.Xr PEM_write_DSAPrivateKey 3 ,
-.Xr X509_PUBKEY_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile,
-section 4.1: Basic Certificate Fields
-.Pp
-RFC 3279: Algorithms and Identifiers for the Internet X.509 Public
-Key Infrastructure Certificate and Certificate Revocation List (CRL)
-Profile:
-.Bl -dash -compact
-.It
-section 2.2.2: DSA Signature Algorithm
-.It
-section 2.3.2: DSA Signature Keys
-.El
-.Sh HISTORY
-.Fn d2i_DSAPublicKey ,
-.Fn i2d_DSAPublicKey ,
-.Fn d2i_DSAPrivateKey ,
-and
-.Fn i2d_DSAPrivateKey
-first appeared in SSLeay 0.6.0.
-.Fn d2i_DSAPrivateKey_bio ,
-.Fn d2i_DSAPrivateKey_fp ,
-.Fn i2d_DSAPrivateKey_bio ,
-.Fn i2d_DSAPrivateKey_fp ,
-.Fn d2i_DSAparams ,
-.Fn i2d_DSAparams ,
-.Fn d2i_DSAparams_bio ,
-.Fn i2d_DSAparams_bio ,
-.Fn d2i_DSAparams_fp ,
-.Fn i2d_DSAparams_fp ,
-and
-.Fn DSAparams_dup
-first appeared in SSLeay 0.8.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn d2i_DSA_SIG
-and
-.Fn i2d_DSA_SIG
-first appeared in OpenSSL 0.9.3 and have been available since
-.Ox 2.6 .
-.Pp
-.Fn d2i_DSA_PUBKEY ,
-.Fn i2d_DSA_PUBKEY ,
-.Fn d2i_DSA_PUBKEY_bio ,
-.Fn d2i_DSA_PUBKEY_fp ,
-.Fn i2d_DSA_PUBKEY_bio ,
-and
-.Fn i2d_DSA_PUBKEY_fp
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/d2i_ECPKParameters.3 b/src/lib/libcrypto/man/d2i_ECPKParameters.3
deleted file mode 100644
index c4ede82f3b..0000000000
--- a/src/lib/libcrypto/man/d2i_ECPKParameters.3
+++ /dev/null
@@ -1,467 +0,0 @@
-.\"     $OpenBSD: d2i_ECPKParameters.3,v 1.13 2024/10/24 21:42:10 tb Exp $
-.\"     OpenSSL 05ea606a May 20 20:52:46 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2013, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 24 2024 $
-.Dt D2I_ECPKPARAMETERS 3
-.Os
-.Sh NAME
-.Nm d2i_ECPKParameters ,
-.Nm i2d_ECPKParameters ,
-.Nm d2i_ECPKParameters_bio ,
-.Nm i2d_ECPKParameters_bio ,
-.Nm d2i_ECPKParameters_fp ,
-.Nm i2d_ECPKParameters_fp ,
-.Nm d2i_ECParameters ,
-.Nm i2d_ECParameters ,
-.Nm ECParameters_dup ,
-.Nm d2i_ECPrivateKey ,
-.Nm i2d_ECPrivateKey ,
-.Nm d2i_ECPrivateKey_bio ,
-.Nm i2d_ECPrivateKey_bio ,
-.Nm d2i_ECPrivateKey_fp ,
-.Nm i2d_ECPrivateKey_fp ,
-.Nm o2i_ECPublicKey ,
-.Nm i2o_ECPublicKey ,
-.Nm ECPKParameters_print ,
-.Nm ECPKParameters_print_fp ,
-.Nm ECParameters_print ,
-.Nm ECParameters_print_fp ,
-.Nm d2i_EC_PUBKEY ,
-.Nm i2d_EC_PUBKEY ,
-.Nm d2i_EC_PUBKEY_bio ,
-.Nm i2d_EC_PUBKEY_bio ,
-.Nm d2i_EC_PUBKEY_fp ,
-.Nm i2d_EC_PUBKEY_fp
-.Nd decode and encode ASN.1 representations of elliptic curve entities
-.Sh SYNOPSIS
-.In openssl/ec.h
-.Ft EC_GROUP *
-.Fo d2i_ECPKParameters
-.Fa "EC_GROUP **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ECPKParameters
-.Fa "const EC_GROUP *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft EC_GROUP *
-.Fo d2i_ECPKParameters_bio
-.Fa "BIO *in_bio"
-.Fa "EC_GROUP **val_out"
-.Fc
-.Ft int
-.Fo i2d_ECPKParameters_bio
-.Fa "BIO *out_bio"
-.Fa "EC_GROUP *val_in"
-.Fc
-.Ft EC_GROUP *
-.Fo d2i_ECPKParameters_fp
-.Fa "FILE *in_fp"
-.Fa "EC_GROUP **val_out"
-.Fc
-.Ft int
-.Fo i2d_ECPKParameters_fp
-.Fa "FILE *out_fp"
-.Fa "EC_GROUP *val_in"
-.Fc
-.Ft EC_KEY *
-.Fo d2i_ECParameters
-.Fa "EC_KEY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ECParameters
-.Fa "EC_KEY *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft EC_KEY *
-.Fo ECParameters_dup
-.Fa "EC_KEY *val_in"
-.Fc
-.Ft EC_KEY *
-.Fo d2i_ECPrivateKey
-.Fa "EC_KEY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ECPrivateKey
-.Fa "EC_KEY *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft EC_KEY *
-.Fo d2i_ECPrivateKey_bio
-.Fa "BIO *in_bio"
-.Fa "EC_KEY **val_out"
-.Fc
-.Ft int
-.Fo i2d_ECPrivateKey_bio
-.Fa "BIO *out_bio"
-.Fa "EC_KEY *val_in"
-.Fc
-.Ft EC_KEY *
-.Fo d2i_ECPrivateKey_fp
-.Fa "FILE *in_fp"
-.Fa "EC_KEY **val_out"
-.Fc
-.Ft int
-.Fo i2d_ECPrivateKey_fp
-.Fa "FILE *out_fp"
-.Fa "EC_KEY *val_in"
-.Fc
-.Ft EC_KEY *
-.Fo o2i_ECPublicKey
-.Fa "EC_KEY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2o_ECPublicKey
-.Fa "const EC_KEY *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft int
-.Fo ECPKParameters_print
-.Fa "BIO *out_bio"
-.Fa "const EC_GROUP *val_in"
-.Fa "int indent"
-.Fc
-.Ft int
-.Fo ECPKParameters_print_fp
-.Fa "FILE *out_fp"
-.Fa "const EC_GROUP *val_in"
-.Fa "int indent"
-.Fc
-.Ft int
-.Fo ECParameters_print
-.Fa "BIO *out_bio"
-.Fa "const EC_KEY *val_in"
-.Fc
-.Ft int
-.Fo ECParameters_print_fp
-.Fa "FILE *out_fp"
-.Fa "const EC_KEY *val_in"
-.Fc
-.In openssl/x509.h
-.Ft EC_KEY *
-.Fo d2i_EC_PUBKEY
-.Fa "EC_KEY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_EC_PUBKEY
-.Fa "EC_KEY *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft EC_KEY *
-.Fo d2i_EC_PUBKEY_bio
-.Fa "BIO *in_bio"
-.Fa "EC_KEY **val_out"
-.Fc
-.Ft int
-.Fo i2d_EC_PUBKEY_bio
-.Fa "BIO *out_bio"
-.Fa "EC_KEY *val_in"
-.Fc
-.Ft EC_KEY *
-.Fo d2i_EC_PUBKEY_fp
-.Fa "FILE *in_fp"
-.Fa "EC_KEY **val_out"
-.Fc
-.Ft int
-.Fo i2d_EC_PUBKEY_fp
-.Fa "FILE *out_fp"
-.Fa "EC_KEY *val_in"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode elliptic curve keys and parameters.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_ECPKParameters
-and
-.Fn i2d_ECPKParameters
-decode and encode the parameters of an elliptic curve.
-.Fn d2i_ECPKParameters_bio ,
-.Fn i2d_ECPKParameters_bio ,
-.Fn d2i_ECPKParameters_fp ,
-and
-.Fn i2d_ECPKParameters_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-These four functions are currently implemented as macros.
-.Pp
-.Fn d2i_ECParameters
-does the same parsing as
-.Fn d2i_ECPKParameters
-but saves the result in the
-.Fa group
-field of an
-.Vt EC_KEY
-structure.
-.Pp
-.Fn i2d_ECParameters
-produces the same output as
-.Fn i2d_ECPKParameters
-but uses
-.Fa val_in->group
-for input instead of
-.Fa val_in .
-.Pp
-.Fn ECParameters_dup
-allocates and initializes an empty
-.Vt EC_KEY
-object and copies the EC parameters from
-.Fa val_in
-to it by calling
-.Fn i2d_ECParameters
-and
-.Fn d2i_ECParameters .
-If a private or public key or any flags are present in
-.Fa val_in ,
-they are not copied.
-.Pp
-.Fn d2i_ECPrivateKey
-and
-.Fn i2d_ECPrivateKey
-decode and encode an EC private key using an ASN.1
-.Vt ECPrivateKey
-structure defined in RFC 5915 section 3 and used for the privateKey
-field of the ASN.1
-.Vt PrivateKeyInfo
-structure defined in RFC 5208 section 5, see
-.Xr PKCS8_PRIV_KEY_INFO_new 3 .
-.Fn d2i_ECPrivateKey_bio ,
-.Fn i2d_ECPrivateKey_bio ,
-.Fn d2i_ECPrivateKey_fp ,
-and
-.Fn i2d_ECPrivateKey_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn o2i_ECPublicKey
-and
-.Fn i2o_ECPublicKey
-decode and encode an EC public key.
-In contrast to
-.Xr ASN1_item_d2i 3 ,
-.Fn o2i_ECPublicKey
-requires
-.Fa val_out ,
-.Pf * Fa val_out ,
-and
-.Po Pf * Fa val_out Pc Ns -> Ns Fa group
-to be
-.Pf non- Dv NULL .
-.Pp
-.Fn ECPKParameters_print
-and
-.Fn ECPKParameters_print_fp
-print human-readable output of the public parameters of the
-.Vt EC_GROUP
-to
-.Fa out_bio
-or
-.Fa out_fp .
-The output lines are indented by
-.Fa indent
-spaces.
-.Pp
-.Fn ECParameters_print
-and
-.Fn ECParameters_print_fp
-print the parameter components of
-.Fa val_in
-to
-.Fa out_bio
-or
-.Fa out_fp .
-.Pp
-.Fn d2i_EC_PUBKEY
-and
-.Fn i2d_EC_PUBKEY
-decode and encode an EC public key using an ASN.1
-.Vt SubjectPublicKeyInfo
-structure defined in RFC 5280 section 4.1 and documented in
-.Xr X509_PUBKEY_new 3 .
-.Fn d2i_EC_PUBKEY_bio ,
-.Fn i2d_EC_PUBKEY_bio ,
-.Fn d2i_EC_PUBKEY_fp ,
-and
-.Fn i2d_EC_PUBKEY_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Sh RETURN VALUES
-.Fn d2i_ECPKParameters ,
-.Fn d2i_ECPKParameters_bio ,
-and
-.Fn d2i_ECPKParameters_fp
-return a valid
-.Vt EC_GROUP
-structure or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn d2i_ECParameters ,
-.Fn ECParameters_dup ,
-.Fn d2i_ECPrivateKey ,
-.Fn d2i_ECPrivateKey_bio ,
-.Fn d2i_ECPrivateKey_fp ,
-.Fn o2i_ECPublicKey ,
-.Fn d2i_EC_PUBKEY ,
-.Fn d2i_EC_PUBKEY_bio ,
-and
-.Fn d2i_EC_PUBKEY_fp
-return a valid
-.Vt EC_KEY
-structure or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_ECPKParameters ,
-.Fn i2d_ECParameters ,
-.Fn i2d_ECPrivateKey ,
-.Fn i2o_ECPublicKey ,
-and
-.Fn i2d_EC_PUBKEY
-return the number of bytes successfully encoded or a negative value if
-an error occurs.
-.Pp
-.Fn i2d_ECPKParameters_bio ,
-.Fn i2d_ECPKParameters_fp ,
-.Fn i2d_ECPrivateKey_bio ,
-.Fn i2d_ECPrivateKey_fp ,
-.Fn ECPKParameters_print ,
-.Fn ECPKParameters_print_fp ,
-.Fn ECParameters_print ,
-.Fn ECParameters_print_fp ,
-.Fn i2d_EC_PUBKEY_bio ,
-and
-.Fn i2d_EC_PUBKEY_fp
-return 1 for success or 0 if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr EC_GROUP_copy 3 ,
-.Xr EC_GROUP_new 3 ,
-.Xr EC_KEY_new 3 ,
-.Xr EVP_PKEY_set1_EC_KEY 3 ,
-.Xr PEM_write_ECPrivateKey 3 ,
-.Xr PKCS8_PRIV_KEY_INFO_new 3 ,
-.Xr X509_PUBKEY_new 3
-.Sh STANDARDS
-RFC 5915: Elliptic Curve Private Key Structure
-.Pp
-RFC 5208: Public-Key Cryptography Standards (PKCS) #8:
-Private-Key Information Syntax Specification
-.Pp
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile,
-section 4.1: Basic Certificate Fields
-.Sh HISTORY
-.Fn d2i_ECPKParameters ,
-.Fn i2d_ECPKParameters ,
-.Fn d2i_ECPKParameters_bio ,
-.Fn i2d_ECPKParameters_bio ,
-.Fn d2i_ECPKParameters_fP ,
-.Fn i2d_ECPKParameters_fp ,
-.Fn d2i_ECParameters ,
-.Fn i2d_ECParameters ,
-.Fn ECParameters_dup ,
-.Fn d2i_ECPrivateKey ,
-.Fn i2d_ECPrivateKey ,
-.Fn d2i_ECPrivateKey_bio ,
-.Fn i2d_ECPrivateKey_bio ,
-.Fn d2i_ECPrivateKey_fp ,
-.Fn i2d_ECPrivateKey_fp ,
-.Fn o2i_ECPublicKey ,
-.Fn i2o_ECPublicKey ,
-.Fn ECPKParameters_print ,
-.Fn ECPKParameters_print_fp ,
-.Fn ECParameters_print ,
-.Fn ECParameters_print_fp ,
-.Fn d2i_EC_PUBKEY ,
-.Fn i2d_EC_PUBKEY ,
-.Fn d2i_EC_PUBKEY_bio ,
-.Fn i2d_EC_PUBKEY_bio ,
-.Fn d2i_EC_PUBKEY_fp ,
-and
-.Fn i2d_EC_PUBKEY_fp
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3 b/src/lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3
deleted file mode 100644
index c1d61d3b5e..0000000000
--- a/src/lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3
+++ /dev/null
@@ -1,118 +0,0 @@
-.\"     $OpenBSD: d2i_ESS_SIGNING_CERT.3,v 1.2 2018/03/23 04:34:23 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 23 2018 $
-.Dt D2I_ESS_SIGNING_CERT 3
-.Os
-.Sh NAME
-.Nm d2i_ESS_SIGNING_CERT ,
-.Nm i2d_ESS_SIGNING_CERT ,
-.Nm d2i_ESS_CERT_ID ,
-.Nm i2d_ESS_CERT_ID ,
-.Nm d2i_ESS_ISSUER_SERIAL ,
-.Nm i2d_ESS_ISSUER_SERIAL
-.Nd decode and encode signing certificates for S/MIME
-.Sh SYNOPSIS
-.In openssl/ts.h
-.Ft ESS_SIGNING_CERT *
-.Fo d2i_ESS_SIGNING_CERT
-.Fa "ESS_SIGNING_CERT **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ESS_SIGNING_CERT
-.Fa "const ESS_SIGNING_CERT *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ESS_CERT_ID *
-.Fo d2i_ESS_CERT_ID
-.Fa "ESS_CERT_ID **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ESS_CERT_ID
-.Fa "const ESS_CERT_ID *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft ESS_ISSUER_SERIAL *
-.Fo d2i_ESS_ISSUER_SERIAL
-.Fa "ESS_ISSUER_SERIAL **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_ESS_ISSUER_SERIAL
-.Fa "const ESS_ISSUER_SERIAL *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode signing certificate attribute
-structures.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_ESS_SIGNING_CERT
-and
-.Fn i2d_ESS_SIGNING_CERT
-decode and encode an ASN.1
-.Vt SigningCertificate
-structure defined in RFC 2634 section 5.4.
-.Pp
-.Fn d2i_ESS_CERT_ID
-and
-.Fn i2d_ESS_CERT_ID
-decode and encode an ASN.1
-.Vt ESSCertID
-structure defined in RFC 2634 section 5.4.1.
-.Pp
-.Fn d2i_ESS_ISSUER_SERIAL
-and
-.Fn i2d_ESS_ISSUER_SERIAL
-decode and encode an ASN.1
-.Vt IssuerSerial
-structure defined in RFC 2634 section 5.4.1.
-.Sh RETURN VALUES
-.Fn d2i_ESS_SIGNING_CERT ,
-.Fn d2i_ESS_CERT_ID ,
-and
-.Fn d2i_ESS_ISSUER_SERIAL
-return an
-.Vt ESS_SIGNING_CERT ,
-.Vt ESS_CERT_ID ,
-or
-.Vt ESS_ISSUER_SERIAL
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_ESS_SIGNING_CERT ,
-.Fn i2d_ESS_CERT_ID ,
-and
-.Fn i2d_ESS_ISSUER_SERIAL
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr ESS_SIGNING_CERT_new 3
-.Sh STANDARDS
-RFC 2634: Enhanced Security Services for S/MIME,
-section 5: Signing Certificate Attribute
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.0
-and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/d2i_GENERAL_NAME.3 b/src/lib/libcrypto/man/d2i_GENERAL_NAME.3
deleted file mode 100644
index bfdcc6c67c..0000000000
--- a/src/lib/libcrypto/man/d2i_GENERAL_NAME.3
+++ /dev/null
@@ -1,160 +0,0 @@
-.\"     $OpenBSD: d2i_GENERAL_NAME.3,v 1.4 2018/03/22 21:08:22 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 22 2018 $
-.Dt D2I_GENERAL_NAME 3
-.Os
-.Sh NAME
-.Nm d2i_GENERAL_NAME ,
-.Nm i2d_GENERAL_NAME ,
-.Nm d2i_GENERAL_NAMES ,
-.Nm i2d_GENERAL_NAMES ,
-.Nm d2i_EDIPARTYNAME ,
-.Nm i2d_EDIPARTYNAME ,
-.Nm d2i_OTHERNAME ,
-.Nm i2d_OTHERNAME
-.Nd decode and encode names for use in X.509 extensions
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft GENERAL_NAME *
-.Fo d2i_GENERAL_NAME
-.Fa "GENERAL_NAME **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_GENERAL_NAME
-.Fa "GENERAL_NAME *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft GENERAL_NAMES *
-.Fo d2i_GENERAL_NAMES
-.Fa "GENERAL_NAMES **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_GENERAL_NAMES
-.Fa "GENERAL_NAMES *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft EDIPARTYNAME *
-.Fo d2i_EDIPARTYNAME
-.Fa "EDIPARTYNAME **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_EDIPARTYNAME
-.Fa "EDIPARTYNAME *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft OTHERNAME *
-.Fo d2i_OTHERNAME
-.Fa "OTHERNAME **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OTHERNAME
-.Fa "OTHERNAME *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode names that can be used in X.509
-extensions.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_GENERAL_NAME
-and
-.Fn i2d_GENERAL_NAME
-decode and encode an ASN.1
-.Vt GeneralName
-structure defined in RFC 5280 section 4.2.1.6.
-.Pp
-.Fn d2i_GENERAL_NAMES
-and
-.Fn i2d_GENERAL_NAMES
-decode and encode an ASN.1
-.Vt GeneralNames
-structure defined in RFC 5280 section 4.2.1.6.
-.Pp
-.Fn d2i_EDIPARTYNAME
-and
-.Fn i2d_EDIPARTYNAME
-decode and encode an ASN.1
-.Vt EDIPartyName
-structure defined in RFC 5280 section 4.2.1.6.
-.Pp
-.Fn d2i_OTHERNAME
-and
-.Fn i2d_OTHERNAME
-decode and encode an ASN.1
-.Vt OtherName
-structure defined in RFC 5280 section 4.2.1.6.
-.Sh RETURN VALUES
-.Fn d2i_GENERAL_NAME ,
-.Fn d2i_GENERAL_NAMES ,
-.Fn d2i_EDIPARTYNAME ,
-and
-.Fn d2i_OTHERNAME
-return a
-.Vt GENERAL_NAME ,
-.Vt GENERAL_NAMES ,
-.Vt EDIPARTYNAME ,
-or
-.Vt OTHERNAME
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_GENERAL_NAME ,
-.Fn i2d_GENERAL_NAMES ,
-.Fn i2d_EDIPARTYNAME ,
-and
-.Fn i2d_OTHERNAME
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr d2i_X509_NAME 3 ,
-.Xr GENERAL_NAME_new 3 ,
-.Xr X509_EXTENSION_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile,
-section 4.2: Certificate Extensions
-.Sh HISTORY
-.Fn d2i_GENERAL_NAME ,
-.Fn i2d_GENERAL_NAME ,
-.Fn d2i_GENERAL_NAMES ,
-and
-.Fn i2d_GENERAL_NAMES
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
-.Pp
-.Fn d2i_OTHERNAME
-and
-.Fn i2d_OTHERNAME
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-.Fn d2i_EDIPARTYNAME
-and
-.Fn i2d_EDIPARTYNAME
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/d2i_OCSP_REQUEST.3 b/src/lib/libcrypto/man/d2i_OCSP_REQUEST.3
deleted file mode 100644
index 07a990556d..0000000000
--- a/src/lib/libcrypto/man/d2i_OCSP_REQUEST.3
+++ /dev/null
@@ -1,181 +0,0 @@
-.\"     $OpenBSD: d2i_OCSP_REQUEST.3,v 1.3 2021/03/12 05:18:00 jsg Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 12 2021 $
-.Dt D2I_OCSP_REQUEST 3
-.Os
-.Sh NAME
-.Nm d2i_OCSP_REQUEST ,
-.Nm i2d_OCSP_REQUEST ,
-.Nm d2i_OCSP_SIGNATURE ,
-.Nm i2d_OCSP_SIGNATURE ,
-.Nm d2i_OCSP_REQINFO ,
-.Nm i2d_OCSP_REQINFO ,
-.Nm d2i_OCSP_ONEREQ ,
-.Nm i2d_OCSP_ONEREQ ,
-.Nm d2i_OCSP_CERTID ,
-.Nm i2d_OCSP_CERTID ,
-.Nm d2i_OCSP_SERVICELOC ,
-.Nm i2d_OCSP_SERVICELOC
-.Nd decode and encode OCSP requests
-.Sh SYNOPSIS
-.In openssl/ocsp.h
-.Ft OCSP_REQUEST *
-.Fo d2i_OCSP_REQUEST
-.Fa "OCSP_REQUEST **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OCSP_REQUEST
-.Fa "OCSP_REQUEST *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft OCSP_SIGNATURE *
-.Fo d2i_OCSP_SIGNATURE
-.Fa "OCSP_SIGNATURE **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OCSP_SIGNATURE
-.Fa "OCSP_SIGNATURE *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft OCSP_REQINFO *
-.Fo d2i_OCSP_REQINFO
-.Fa "OCSP_REQINFO **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OCSP_REQINFO
-.Fa "OCSP_REQINFO *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft OCSP_ONEREQ *
-.Fo d2i_OCSP_ONEREQ
-.Fa "OCSP_ONEREQ **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OCSP_ONEREQ
-.Fa "OCSP_ONEREQ *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft OCSP_CERTID *
-.Fo d2i_OCSP_CERTID
-.Fa "OCSP_CERTID **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OCSP_CERTID
-.Fa "OCSP_CERTID *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft OCSP_SERVICELOC *
-.Fo d2i_OCSP_SERVICELOC
-.Fa "OCSP_SERVICELOC **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OCSP_SERVICELOC
-.Fa "OCSP_SERVICELOC *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode ASN.1 structures used for OCSP
-requests.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_OCSP_REQUEST
-and
-.Fn i2d_OCSP_REQUEST
-decode and encode an ASN.1
-.Vt OCSPRequest
-structure defined in RFC 6960 section 4.1.1.
-.Pp
-.Fn d2i_OCSP_SIGNATURE
-and
-.Fn i2d_OCSP_SIGNATURE
-decode and encode an ASN.1
-.Vt Signature
-structure defined in RFC 6960 section 4.1.1.
-.Pp
-.Fn d2i_OCSP_REQINFO
-and
-.Fn i2d_OCSP_REQINFO
-decode and encode an ASN.1
-.Vt TBSRequest
-structure defined in RFC 6960 section 4.1.1.
-.Pp
-.Fn d2i_OCSP_ONEREQ
-and
-.Fn i2d_OCSP_ONEREQ
-decode and encode an ASN.1
-.Vt Request
-structure defined in RFC 6960 section 4.1.1.
-.Pp
-.Fn d2i_OCSP_CERTID
-and
-.Fn i2d_OCSP_CERTID
-decode and encode an ASN.1
-.Vt CertID
-structure defined in RFC 6960 section 4.1.1.
-.Pp
-.Fn d2i_OCSP_SERVICELOC
-and
-.Fn i2d_OCSP_SERVICELOC
-decode and encode an ASN.1
-.Vt ServiceLocator
-structure defined in RFC 6960 section 4.4.6.
-.Sh RETURN VALUES
-.Fn d2i_OCSP_REQUEST ,
-.Fn d2i_OCSP_SIGNATURE ,
-.Fn d2i_OCSP_REQINFO ,
-.Fn d2i_OCSP_ONEREQ ,
-.Fn d2i_OCSP_CERTID ,
-and
-.Fn d2i_OCSP_SERVICELOC
-return an object of the respective type or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_OCSP_REQUEST ,
-.Fn i2d_OCSP_SIGNATURE ,
-.Fn i2d_OCSP_REQINFO ,
-.Fn i2d_OCSP_ONEREQ ,
-.Fn i2d_OCSP_CERTID ,
-and
-.Fn i2d_OCSP_SERVICELOC
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr OCSP_CERTID_new 3 ,
-.Xr OCSP_REQUEST_new 3 ,
-.Xr OCSP_SERVICELOC_new 3
-.Sh STANDARDS
-RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate
-Status Protocol, section 4.1: Request Syntax
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7
-and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/d2i_OCSP_RESPONSE.3 b/src/lib/libcrypto/man/d2i_OCSP_RESPONSE.3
deleted file mode 100644
index 716e85dc6e..0000000000
--- a/src/lib/libcrypto/man/d2i_OCSP_RESPONSE.3
+++ /dev/null
@@ -1,248 +0,0 @@
-.\"     $OpenBSD: d2i_OCSP_RESPONSE.3,v 1.4 2021/03/12 05:18:00 jsg Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 12 2021 $
-.Dt D2I_OCSP_RESPONSE 3
-.Os
-.Sh NAME
-.Nm d2i_OCSP_RESPONSE ,
-.Nm i2d_OCSP_RESPONSE ,
-.Nm d2i_OCSP_RESPBYTES ,
-.Nm i2d_OCSP_RESPBYTES ,
-.Nm d2i_OCSP_BASICRESP ,
-.Nm i2d_OCSP_BASICRESP ,
-.Nm d2i_OCSP_RESPDATA ,
-.Nm i2d_OCSP_RESPDATA ,
-.Nm d2i_OCSP_RESPID ,
-.Nm i2d_OCSP_RESPID ,
-.Nm d2i_OCSP_SINGLERESP ,
-.Nm i2d_OCSP_SINGLERESP ,
-.Nm d2i_OCSP_CERTSTATUS ,
-.Nm i2d_OCSP_CERTSTATUS ,
-.Nm d2i_OCSP_REVOKEDINFO ,
-.Nm i2d_OCSP_REVOKEDINFO ,
-.Nm d2i_OCSP_CRLID ,
-.Nm i2d_OCSP_CRLID
-.Nd decode and encode OCSP responses
-.Sh SYNOPSIS
-.In openssl/ocsp.h
-.Ft OCSP_RESPONSE *
-.Fo d2i_OCSP_RESPONSE
-.Fa "OCSP_RESPONSE **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OCSP_RESPONSE
-.Fa "OCSP_RESPONSE *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft OCSP_RESPBYTES *
-.Fo d2i_OCSP_RESPBYTES
-.Fa "OCSP_RESPBYTES **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OCSP_RESPBYTES
-.Fa "OCSP_RESPBYTES *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft OCSP_BASICRESP *
-.Fo d2i_OCSP_BASICRESP
-.Fa "OCSP_BASICRESP **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OCSP_BASICRESP
-.Fa "OCSP_BASICRESP *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft OCSP_RESPDATA *
-.Fo d2i_OCSP_RESPDATA
-.Fa "OCSP_RESPDATA **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OCSP_RESPDATA
-.Fa "OCSP_RESPDATA *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft OCSP_RESPID *
-.Fo d2i_OCSP_RESPID
-.Fa "OCSP_RESPID **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OCSP_RESPID
-.Fa "OCSP_RESPID *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft OCSP_SINGLERESP *
-.Fo d2i_OCSP_SINGLERESP
-.Fa "OCSP_SINGLERESP **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OCSP_SINGLERESP
-.Fa "OCSP_SINGLERESP *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft OCSP_CERTSTATUS *
-.Fo d2i_OCSP_CERTSTATUS
-.Fa "OCSP_CERTSTATUS **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OCSP_CERTSTATUS
-.Fa "OCSP_CERTSTATUS *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft OCSP_REVOKEDINFO *
-.Fo d2i_OCSP_REVOKEDINFO
-.Fa "OCSP_REVOKEDINFO **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OCSP_REVOKEDINFO
-.Fa "OCSP_REVOKEDINFO *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft OCSP_CRLID *
-.Fo d2i_OCSP_CRLID
-.Fa "OCSP_CRLID **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_OCSP_CRLID
-.Fa "OCSP_CRLID *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode ASN.1 structures used for OCSP
-responses.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_OCSP_RESPONSE
-and
-.Fn i2d_OCSP_RESPONSE
-decode and encode an ASN.1
-.Vt OCSPResponse
-structure defined in RFC 6960 section 4.2.1.
-.Pp
-.Fn d2i_OCSP_RESPBYTES
-and
-.Fn i2d_OCSP_RESPBYTES
-decode and encode an ASN.1
-.Vt ResponseBytes
-structure defined in RFC 6960 section 4.2.1.
-.Pp
-.Fn d2i_OCSP_BASICRESP
-and
-.Fn i2d_OCSP_BASICRESP
-decode and encode an ASN.1
-.Vt BasicOCSPResponse
-structure defined in RFC 6960 section 4.2.1.
-.Pp
-.Fn d2i_OCSP_RESPDATA
-and
-.Fn i2d_OCSP_RESPDATA
-decode and encode an ASN.1
-.Vt ResponseData
-structure defined in RFC 6960 section 4.2.1.
-.Pp
-.Fn d2i_OCSP_RESPID
-and
-.Fn i2d_OCSP_RESPID
-decode and encode an ASN.1
-.Vt ResponderID
-structure defined in RFC 6960 section 4.2.1.
-.Pp
-.Fn d2i_OCSP_SINGLERESP
-and
-.Fn i2d_OCSP_SINGLERESP
-decode and encode an ASN.1
-.Vt SingleResponse
-structure defined in RFC 6960 section 4.2.1.
-.Pp
-.Fn d2i_OCSP_CERTSTATUS
-and
-.Fn i2d_OCSP_CERTSTATUS
-decode and encode an ASN.1
-.Vt CertStatus
-structure defined in RFC 6960 section 4.2.1.
-.Pp
-.Fn d2i_OCSP_REVOKEDINFO
-and
-.Fn i2d_OCSP_REVOKEDINFO
-decode and encode an ASN.1
-.Vt RevokedInfo
-structure defined in RFC 6960 section 4.2.1.
-.Pp
-.Fn d2i_OCSP_CRLID
-and
-.Fn i2d_OCSP_CRLID
-decode and encode an ASN.1
-.Vt CrlID
-structure defined in RFC 6960 section 4.4.2.
-.Sh RETURN VALUES
-.Fn d2i_OCSP_RESPONSE ,
-.Fn d2i_OCSP_RESPBYTES ,
-.Fn d2i_OCSP_BASICRESP ,
-.Fn d2i_OCSP_RESPDATA ,
-.Fn d2i_OCSP_RESPID ,
-.Fn d2i_OCSP_SINGLERESP ,
-.Fn d2i_OCSP_CERTSTATUS ,
-.Fn d2i_OCSP_REVOKEDINFO ,
-and
-.Fn d2i_OCSP_CRLID
-return an object of the respective type or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_OCSP_RESPONSE ,
-.Fn i2d_OCSP_RESPBYTES ,
-.Fn i2d_OCSP_BASICRESP ,
-.Fn i2d_OCSP_RESPDATA ,
-.Fn i2d_OCSP_RESPID ,
-.Fn i2d_OCSP_SINGLERESP ,
-.Fn i2d_OCSP_CERTSTATUS ,
-.Fn i2d_OCSP_REVOKEDINFO ,
-and
-.Fn i2d_OCSP_CRLID
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr OCSP_CRLID_new 3 ,
-.Xr OCSP_REQUEST_new 3 ,
-.Xr OCSP_RESPONSE_new 3 ,
-.Xr OCSP_SINGLERESP_new 3
-.Sh STANDARDS
-RFC 6960: X.509 Internet Public Key Infrastructure Online Certificate
-Status Protocol, section 4.2: Response Syntax
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7
-and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/d2i_PKCS12.3 b/src/lib/libcrypto/man/d2i_PKCS12.3
deleted file mode 100644
index 55272d1f36..0000000000
--- a/src/lib/libcrypto/man/d2i_PKCS12.3
+++ /dev/null
@@ -1,202 +0,0 @@
-.\"     $OpenBSD: d2i_PKCS12.3,v 1.2 2018/03/21 17:57:48 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 21 2018 $
-.Dt D2I_PKCS12 3
-.Os
-.Sh NAME
-.Nm d2i_PKCS12 ,
-.Nm i2d_PKCS12 ,
-.Nm d2i_PKCS12_bio ,
-.Nm i2d_PKCS12_bio ,
-.Nm d2i_PKCS12_fp ,
-.Nm i2d_PKCS12_fp ,
-.Nm d2i_PKCS12_MAC_DATA ,
-.Nm i2d_PKCS12_MAC_DATA ,
-.Nm d2i_PKCS12_SAFEBAG ,
-.Nm i2d_PKCS12_SAFEBAG ,
-.Nm d2i_PKCS12_BAGS ,
-.Nm i2d_PKCS12_BAGS
-.Nd decode and encode PKCS#12 structures
-.Sh SYNOPSIS
-.In openssl/pkcs12.h
-.Ft PKCS12 *
-.Fo d2i_PKCS12
-.Fa "PKCS12 **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKCS12
-.Fa "PKCS12 *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PKCS12 *
-.Fo d2i_PKCS12_bio
-.Fa "BIO *in_bio"
-.Fa "PKCS12 **val_out"
-.Fc
-.Ft int
-.Fo i2d_PKCS12_bio
-.Fa "BIO *out_bio"
-.Fa "PKCS12 *val_in"
-.Fc
-.Ft PKCS12 *
-.Fo d2i_PKCS12_fp
-.Fa "FILE *in_fp"
-.Fa "PKCS12 **val_out"
-.Fc
-.Ft int
-.Fo i2d_PKCS12_fp
-.Fa "FILE *out_fp"
-.Fa "PKCS12 *val_in"
-.Fc
-.Ft PKCS12_MAC_DATA *
-.Fo d2i_PKCS12_MAC_DATA
-.Fa "PKCS12_MAC_DATA **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKCS12_MAC_DATA
-.Fa "PKCS12_MAC_DATA *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PKCS12_SAFEBAG *
-.Fo d2i_PKCS12_SAFEBAG
-.Fa "PKCS12_SAFEBAG **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKCS12_SAFEBAG
-.Fa "PKCS12_SAFEBAG *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PKCS12_BAGS *
-.Fo d2i_PKCS12_BAGS
-.Fa "PKCS12_BAGS **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKCS12_BAGS
-.Fa "PKCS12_BAGS *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode PKCS#12 structures.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_PKCS12
-and
-.Fn i2d_PKCS12
-decode and encode an ASN.1
-.Vt PFX
-.Pq personal information exchange
-structure defined in RFC 7292 section 4.
-.Fn d2i_PKCS12_bio ,
-.Fn i2d_PKCS12_bio ,
-.Fn d2i_PKCS12_fp ,
-and
-.Fn i2d_PKCS12_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn d2i_PKCS12_MAC_DATA
-and
-.Fn i2d_PKCS12_MAC_DATA
-decode and encode an ASN.1
-.Vt MacData
-structure defined in RFC 7292 section 4.
-.Pp
-.Fn d2i_PKCS12_SAFEBAG
-and
-.Fn i2d_PKCS12_SAFEBAG
-decode and encode an ASN.1
-.Vt SafeBag
-structure defined in RFC 7292 section 4.2.
-.Pp
-.Fn d2i_PKCS12_BAGS
-and
-.Fn i2d_PKCS12_BAGS
-decode and encode the bagValue field of an ASN.1
-.Vt SafeBag
-structure.
-.Sh RETURN VALUES
-.Fn d2i_PKCS12 ,
-.Fn d2i_PKCS12_bio ,
-and
-.Fn d2i_PKCS12_fp
-return a
-.Vt PKCS12
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn d2i_PKCS12_MAC_DATA ,
-.Fn d2i_PKCS12_SAFEBAG ,
-and
-.Fn d2i_PKCS12_BAGS
-return a
-.Vt PKCS12_MAC_DATA ,
-.Vt PKCS12_SAFEBAG ,
-or
-.Vt PKCS12_BAGS
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_PKCS12 ,
-.Fn i2d_PKCS12_MAC_DATA ,
-.Fn i2d_PKCS12_SAFEBAG ,
-and
-.Fn i2d_PKCS12_BAGS
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Pp
-.Fn i2d_PKCS12_bio
-and
-.Fn i2d_PKCS12_fp
-return 1 for success or 0 if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr PKCS12_create 3 ,
-.Xr PKCS12_new 3 ,
-.Xr PKCS12_parse 3 ,
-.Xr PKCS12_SAFEBAG_new 3
-.Sh STANDARDS
-RFC 7292: PKCS #12: Personal Information Exchange Syntax
-.Sh HISTORY
-.Fn d2i_PKCS12 ,
-.Fn i2d_PKCS12 ,
-.Fn d2i_PKCS12_bio ,
-.Fn i2d_PKCS12_bio ,
-.Fn d2i_PKCS12_fp ,
-.Fn i2d_PKCS12_fp ,
-.Fn d2i_PKCS12_MAC_DATA ,
-.Fn i2d_PKCS12_MAC_DATA ,
-.Fn d2i_PKCS12_SAFEBAG ,
-.Fn i2d_PKCS12_SAFEBAG ,
-.Fn d2i_PKCS12_BAGS ,
-and
-.Fn i2d_PKCS12_BAGS
-first appeared in OpenSSL 0.9.3 and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/d2i_PKCS7.3 b/src/lib/libcrypto/man/d2i_PKCS7.3
deleted file mode 100644
index e587787465..0000000000
--- a/src/lib/libcrypto/man/d2i_PKCS7.3
+++ /dev/null
@@ -1,341 +0,0 @@
-.\"     $OpenBSD: d2i_PKCS7.3,v 1.7 2023/04/25 18:05:07 tb Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: April 25 2023 $
-.Dt D2I_PKCS7 3
-.Os
-.Sh NAME
-.Nm d2i_PKCS7 ,
-.Nm i2d_PKCS7 ,
-.Nm d2i_PKCS7_bio ,
-.Nm i2d_PKCS7_bio ,
-.Nm d2i_PKCS7_fp ,
-.Nm i2d_PKCS7_fp ,
-.Nm d2i_PKCS7_DIGEST ,
-.Nm i2d_PKCS7_DIGEST ,
-.Nm d2i_PKCS7_ENCRYPT ,
-.Nm i2d_PKCS7_ENCRYPT ,
-.Nm d2i_PKCS7_ENC_CONTENT ,
-.Nm i2d_PKCS7_ENC_CONTENT ,
-.Nm d2i_PKCS7_ENVELOPE ,
-.Nm i2d_PKCS7_ENVELOPE ,
-.Nm d2i_PKCS7_ISSUER_AND_SERIAL ,
-.Nm i2d_PKCS7_ISSUER_AND_SERIAL ,
-.Nm d2i_PKCS7_RECIP_INFO ,
-.Nm i2d_PKCS7_RECIP_INFO ,
-.Nm d2i_PKCS7_SIGNED ,
-.Nm i2d_PKCS7_SIGNED ,
-.Nm d2i_PKCS7_SIGNER_INFO ,
-.Nm i2d_PKCS7_SIGNER_INFO ,
-.Nm d2i_PKCS7_SIGN_ENVELOPE ,
-.Nm i2d_PKCS7_SIGN_ENVELOPE
-.Nd decode and encode PKCS#7 data structures
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft PKCS7 *
-.Fo d2i_PKCS7
-.Fa "PKCS7 **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKCS7
-.Fa "PKCS7 *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PKCS7 *
-.Fo d2i_PKCS7_bio
-.Fa "BIO *in_bio"
-.Fa "PKCS7 **val_out"
-.Fc
-.Ft int
-.Fo i2d_PKCS7_bio
-.Fa "BIO *out_bio"
-.Fa "PKCS7 *val_in"
-.Fc
-.Ft PKCS7 *
-.Fo d2i_PKCS7_fp
-.Fa "FILE *in_fp"
-.Fa "PKCS7 **val_out"
-.Fc
-.Ft int
-.Fo i2d_PKCS7_fp
-.Fa "FILE *out_fp"
-.Fa "PKCS7 *val_in"
-.Fc
-.Ft PKCS7_DIGEST *
-.Fo d2i_PKCS7_DIGEST
-.Fa "PKCS7_DIGEST **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKCS7_DIGEST
-.Fa "PKCS7_DIGEST *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PKCS7_ENCRYPT *
-.Fo d2i_PKCS7_ENCRYPT
-.Fa "PKCS7_ENCRYPT **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKCS7_ENCRYPT
-.Fa "PKCS7_ENCRYPT *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PKCS7_ENC_CONTENT *
-.Fo d2i_PKCS7_ENC_CONTENT
-.Fa "PKCS7_ENC_CONTENT **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKCS7_ENC_CONTENT
-.Fa "PKCS7_ENC_CONTENT *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PKCS7_ENVELOPE *
-.Fo d2i_PKCS7_ENVELOPE
-.Fa "PKCS7_ENVELOPE **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKCS7_ENVELOPE
-.Fa "PKCS7_ENVELOPE *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PKCS7_ISSUER_AND_SERIAL *
-.Fo d2i_PKCS7_ISSUER_AND_SERIAL
-.Fa "PKCS7_ISSUER_AND_SERIAL **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKCS7_ISSUER_AND_SERIAL
-.Fa "PKCS7_ISSUER_AND_SERIAL *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PKCS7_RECIP_INFO *
-.Fo d2i_PKCS7_RECIP_INFO
-.Fa "PKCS7_RECIP_INFO **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKCS7_RECIP_INFO
-.Fa "PKCS7_RECIP_INFO *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PKCS7_SIGNED *
-.Fo d2i_PKCS7_SIGNED
-.Fa "PKCS7_SIGNED **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKCS7_SIGNED
-.Fa "PKCS7_SIGNED *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PKCS7_SIGNER_INFO *
-.Fo d2i_PKCS7_SIGNER_INFO
-.Fa "PKCS7_SIGNER_INFO **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKCS7_SIGNER_INFO
-.Fa "PKCS7_SIGNER_INFO *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PKCS7_SIGN_ENVELOPE *
-.Fo d2i_PKCS7_SIGN_ENVELOPE
-.Fa "PKCS7_SIGN_ENVELOPE **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKCS7_SIGN_ENVELOPE
-.Fa "PKCS7_SIGN_ENVELOPE *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode PKCS#7 data structures.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_PKCS7
-and
-.Fn i2d_PKCS7
-decode and encode an ASN.1
-.Vt ContentInfo
-structure defined in RFC 2315 section 7.
-.Fn d2i_PKCS7_bio ,
-.Fn i2d_PKCS7_bio ,
-.Fn d2i_PKCS7_fp ,
-and
-.Fn i2d_PKCS7_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn d2i_PKCS7_DIGEST
-and
-.Fn i2d_PKCS7_DIGEST
-decode and encode an ASN.1
-.Vt DigestedData
-structure defined in RFC 2315 section 12.
-.Pp
-.Fn d2i_PKCS7_ENCRYPT
-and
-.Fn i2d_PKCS7_ENCRYPT
-decode and encode an ASN.1
-.Vt EncryptedData
-structure defined in RFC 2315 section 13.
-.Pp
-.Fn d2i_PKCS7_ENC_CONTENT
-and
-.Fn i2d_PKCS7_ENC_CONTENT
-decode and encode an ASN.1
-.Vt EncryptedContentInfo
-structure defined in RFC 2315 section 10.1.
-.Pp
-.Fn d2i_PKCS7_ENVELOPE
-and
-.Fn i2d_PKCS7_ENVELOPE
-decode and encode an ASN.1
-.Vt EnvelopedData
-structure defined in RFC 2315 section 10.
-.Pp
-.Fn d2i_PKCS7_ISSUER_AND_SERIAL
-and
-.Fn i2d_PKCS7_ISSUER_AND_SERIAL
-decode and encode an ASN.1
-.Vt IssuerAndSerialNumber
-structure defined in RFC 2315 section 6.7.
-.Pp
-.Fn d2i_PKCS7_RECIP_INFO
-and
-.Fn i2d_PKCS7_RECIP_INFO
-decode and encode an ASN.1
-.Vt RecipientInfo
-structure defined in RFC 2315 section 10.2.
-.Pp
-.Fn d2i_PKCS7_SIGNED
-and
-.Fn i2d_PKCS7_SIGNED
-decode and encode an ASN.1
-.Vt SignedData
-structure defined in RFC 2315 section 9.
-.Pp
-.Fn d2i_PKCS7_SIGNER_INFO
-and
-.Fn i2d_PKCS7_SIGNER_INFO
-decode and encode an ASN.1
-.Vt SignerInfo
-structure defined in RFC 2315 section 9.2.
-.Pp
-.Fn d2i_PKCS7_SIGN_ENVELOPE
-and
-.Fn i2d_PKCS7_SIGN_ENVELOPE
-decode and encode an ASN.1
-.Vt SignedAndEnvelopedData
-structure defined in RFC 2315 section 11.
-.Sh RETURN VALUES
-.Fn d2i_PKCS7 ,
-.Fn d2i_PKCS7_bio ,
-and
-.Fn d2i_PKCS7_fp
-return a
-.Vt PKCS7
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn d2i_PKCS7_DIGEST ,
-.Fn d2i_PKCS7_ENCRYPT ,
-.Fn d2i_PKCS7_ENC_CONTENT ,
-.Fn d2i_PKCS7_ENVELOPE ,
-.Fn d2i_PKCS7_ISSUER_AND_SERIAL ,
-.Fn d2i_PKCS7_RECIP_INFO ,
-.Fn d2i_PKCS7_SIGNED ,
-.Fn d2i_PKCS7_SIGNER_INFO ,
-and
-.Fn d2i_PKCS7_SIGN_ENVELOPE
-return an object of the respective type or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_PKCS7 ,
-.Fn i2d_PKCS7_DIGEST ,
-.Fn i2d_PKCS7_ENCRYPT ,
-.Fn i2d_PKCS7_ENC_CONTENT ,
-.Fn i2d_PKCS7_ENVELOPE ,
-.Fn i2d_PKCS7_ISSUER_AND_SERIAL ,
-.Fn i2d_PKCS7_RECIP_INFO ,
-.Fn i2d_PKCS7_SIGNED ,
-.Fn i2d_PKCS7_SIGNER_INFO ,
-and
-.Fn i2d_PKCS7_SIGN_ENVELOPE
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Pp
-.Fn i2d_PKCS7_bio
-and
-.Fn i2d_PKCS7_fp
-return 1 for success or 0 if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr i2d_PKCS7_bio_stream 3 ,
-.Xr PEM_write_bio_PKCS7_stream 3 ,
-.Xr PEM_write_PKCS7 3 ,
-.Xr PKCS7_new 3 ,
-.Xr SMIME_write_PKCS7 3
-.Sh STANDARDS
-RFC 2315: PKCS #7: Cryptographic Message Syntax Version 1.5
-.Sh HISTORY
-.Fn d2i_PKCS7 ,
-.Fn i2d_PKCS7 ,
-.Fn d2i_PKCS7_bio ,
-.Fn i2d_PKCS7_bio ,
-.Fn d2i_PKCS7_fp ,
-.Fn i2d_PKCS7_fp ,
-.Fn d2i_PKCS7_DIGEST ,
-.Fn i2d_PKCS7_DIGEST ,
-.Fn d2i_PKCS7_ENCRYPT ,
-.Fn i2d_PKCS7_ENCRYPT ,
-.Fn d2i_PKCS7_ENC_CONTENT ,
-.Fn i2d_PKCS7_ENC_CONTENT ,
-.Fn d2i_PKCS7_ENVELOPE ,
-.Fn i2d_PKCS7_ENVELOPE ,
-.Fn d2i_PKCS7_ISSUER_AND_SERIAL ,
-.Fn i2d_PKCS7_ISSUER_AND_SERIAL ,
-.Fn d2i_PKCS7_RECIP_INFO ,
-.Fn i2d_PKCS7_RECIP_INFO ,
-.Fn d2i_PKCS7_SIGNED ,
-.Fn i2d_PKCS7_SIGNED ,
-.Fn d2i_PKCS7_SIGNER_INFO ,
-.Fn i2d_PKCS7_SIGNER_INFO ,
-.Fn d2i_PKCS7_SIGN_ENVELOPE ,
-and
-.Fn i2d_PKCS7_SIGN_ENVELOPE
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3 b/src/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3
deleted file mode 100644
index 58dd989fae..0000000000
--- a/src/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3
+++ /dev/null
@@ -1,172 +0,0 @@
-.\" $OpenBSD: d2i_PKCS8PrivateKey_bio.3,v 1.11 2019/06/07 19:28:52 schwarze Exp $
-.\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2016, 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 7 2019 $
-.Dt D2I_PKCS8PRIVATEKEY_BIO 3
-.Os
-.Sh NAME
-.Nm d2i_PKCS8PrivateKey_bio ,
-.Nm d2i_PKCS8PrivateKey_fp ,
-.Nm i2d_PKCS8PrivateKey_bio ,
-.Nm i2d_PKCS8PrivateKey_fp ,
-.Nm i2d_PKCS8PrivateKey_nid_bio ,
-.Nm i2d_PKCS8PrivateKey_nid_fp
-.Nd PKCS#8 format private key functions
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft EVP_PKEY *
-.Fo d2i_PKCS8PrivateKey_bio
-.Fa "BIO *bp"
-.Fa "EVP_PKEY **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft EVP_PKEY *
-.Fo d2i_PKCS8PrivateKey_fp
-.Fa "FILE *fp"
-.Fa "EVP_PKEY **x"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo i2d_PKCS8PrivateKey_bio
-.Fa "BIO *bp"
-.Fa "EVP_PKEY *x"
-.Fa "const EVP_CIPHER *enc"
-.Fa "char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo i2d_PKCS8PrivateKey_fp
-.Fa "FILE *fp"
-.Fa "EVP_PKEY *x"
-.Fa "const EVP_CIPHER *enc"
-.Fa "char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo i2d_PKCS8PrivateKey_nid_bio
-.Fa "BIO *bp"
-.Fa "EVP_PKEY *x"
-.Fa "int nid"
-.Fa "char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo i2d_PKCS8PrivateKey_nid_fp
-.Fa "FILE *fp"
-.Fa "EVP_PKEY *x"
-.Fa "int nid"
-.Fa "char *kstr"
-.Fa "int klen"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Sh DESCRIPTION
-The PKCS#8 functions encode and decode private keys in PKCS#8 format
-using both PKCS#5 v1.5 and PKCS#5 v2.0 password based encryption
-algorithms.
-.Pp
-Other than the use of DER as opposed to PEM these functions are
-identical to the corresponding functions described in
-.Xr PEM_read_PrivateKey 3 .
-.Pp
-These functions are currently the only way to store encrypted private
-keys using DER format.
-.Pp
-Currently all the functions use
-.Vt BIO
-or
-.Vt FILE
-pointers.
-There are no functions which work directly on memory,
-though this can be readily worked around
-by converting the buffers to memory BIOs;
-see
-.Xr BIO_s_mem 3
-for details.
-.Sh RETURN VALUES
-.Fn d2i_PKCS8PrivateKey_bio
-and
-.Fn d2i_PKCS8PrivateKey_fp
-return a
-.Vt EVP_PKEY
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_PKCS8PrivateKey_bio ,
-.Fn i2d_PKCS8PrivateKey_fp ,
-.Fn i2d_PKCS8PrivateKey_nid_bio ,
-and
-.Fn i2d_PKCS8PrivateKey_nid_fp
-return 1 on success or 0 on error.
-.Sh SEE ALSO
-.Xr d2i_X509_SIG 3 ,
-.Xr PEM_write_PKCS8PrivateKey 3 ,
-.Xr PKCS8_PRIV_KEY_INFO_new 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.5
-and have been available since
-.Ox 2.7 .
-.Sh CAVEATS
-Do not confuse these functions with
-.Xr i2d_PKCS8PrivateKeyInfo_bio 3
-and
-.Xr i2d_PKCS8PrivateKeyInfo_fp 3 ,
-which write out private keys in
-.Sy unencrypted
-DER format.
diff --git a/src/lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3 b/src/lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3
deleted file mode 100644
index 1ac0f2c308..0000000000
--- a/src/lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3
+++ /dev/null
@@ -1,127 +0,0 @@
-.\"     $OpenBSD: d2i_PKCS8_PRIV_KEY_INFO.3,v 1.3 2018/03/21 21:18:08 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 21 2018 $
-.Dt D2I_PKCS8_PRIV_KEY_INFO 3
-.Os
-.Sh NAME
-.Nm d2i_PKCS8_PRIV_KEY_INFO ,
-.Nm i2d_PKCS8_PRIV_KEY_INFO ,
-.Nm d2i_PKCS8_PRIV_KEY_INFO_bio ,
-.Nm i2d_PKCS8_PRIV_KEY_INFO_bio ,
-.Nm d2i_PKCS8_PRIV_KEY_INFO_fp ,
-.Nm i2d_PKCS8_PRIV_KEY_INFO_fp
-.Nd decode and encode PKCS#8 private key
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft PKCS8_PRIV_KEY_INFO *
-.Fo d2i_PKCS8_PRIV_KEY_INFO
-.Fa "PKCS8_PRIV_KEY_INFO **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKCS8_PRIV_KEY_INFO
-.Fa "PKCS8_PRIV_KEY_INFO *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft PKCS8_PRIV_KEY_INFO *
-.Fo d2i_PKCS8_PRIV_KEY_INFO_bio
-.Fa "BIO *in_bio"
-.Fa "PKCS8_PRIV_KEY_INFO **val_out"
-.Fc
-.Ft int
-.Fo i2d_PKCS8_PRIV_KEY_INFO_bio
-.Fa "BIO *out_bio"
-.Fa "PKCS8_PRIV_KEY_INFO *val_in"
-.Fc
-.Ft PKCS8_PRIV_KEY_INFO *
-.Fo d2i_PKCS8_PRIV_KEY_INFO_fp
-.Fa "FILE *in_fp"
-.Fa "PKCS8_PRIV_KEY_INFO **val_out"
-.Fc
-.Ft int
-.Fo i2d_PKCS8_PRIV_KEY_INFO_fp
-.Fa "BIO *out_fp"
-.Fa "PKCS8_PRIV_KEY_INFO *val_in"
-.Fc
-.Sh DESCRIPTION
-.Fn d2i_PKCS8_PRIV_KEY_INFO
-and
-.Fn i2d_PKCS8_PRIV_KEY_INFO
-decode and encode an ASN.1
-.Vt PrivateKeyInfo
-structure defined in RFC 5208 section 5.
-.Pp
-.Fn d2i_PKCS8_PRIV_KEY_INFO_bio ,
-.Fn i2d_PKCS8_PRIV_KEY_INFO_bio ,
-.Fn d2i_PKCS8_PRIV_KEY_INFO_fp ,
-and
-.Fn i2d_PKCS8_PRIV_KEY_INFO_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-These functions all use unencrypted DER format.
-To store private keys in encrypted form, consider
-.Xr d2i_PKCS8PrivateKey_bio 3
-or
-.Xr PEM_write_PKCS8PrivateKey 3 .
-.Sh RETURN VALUES
-.Fn d2i_PKCS8_PRIV_KEY_INFO ,
-.Fn d2i_PKCS8_PRIV_KEY_INFO_bio ,
-and
-.Fn d2i_PKCS8_PRIV_KEY_INFO_fp
-return a
-.Vt PKCS8_PRIV_KEY_INFO
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_PKCS8_PRIV_KEY_INFO
-returns the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Pp
-.Fn i2d_PKCS8_PRIV_KEY_INFO_bio
-and
-.Fn i2d_PKCS8_PRIV_KEY_INFO_fp
-return 1 for success or 0 if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr d2i_PKCS8PrivateKey_bio 3 ,
-.Xr d2i_PrivateKey 3 ,
-.Xr PEM_write_PKCS8_PRIV_KEY_INFO 3 ,
-.Xr PKCS8_PRIV_KEY_INFO_new 3
-.Sh STANDARDS
-RFC 5208: PKCS#8: Private-Key Information Syntax Specification
-.Sh HISTORY
-.Fn d2i_PKCS8_PRIV_KEY_INFO
-and
-.Fn i2d_PKCS8_PRIV_KEY_INFO
-first appeared in OpenSSL 0.9.3.
-.Fn d2i_PKCS8_PRIV_KEY_INFO_bio ,
-.Fn i2d_PKCS8_PRIV_KEY_INFO_bio ,
-.Fn d2i_PKCS8_PRIV_KEY_INFO_fp ,
-and
-.Fn i2d_PKCS8_PRIV_KEY_INFO_fp
-first appeared in OpenSSL 0.9.4.
-All these functions have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3 b/src/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3
deleted file mode 100644
index df8639264c..0000000000
--- a/src/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3
+++ /dev/null
@@ -1,74 +0,0 @@
-.\"     $OpenBSD: d2i_PKEY_USAGE_PERIOD.3,v 1.2 2018/03/21 16:09:51 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 21 2018 $
-.Dt D2I_PKEY_USAGE_PERIOD 3
-.Os
-.Sh NAME
-.Nm d2i_PKEY_USAGE_PERIOD ,
-.Nm i2d_PKEY_USAGE_PERIOD
-.Nd decode and encode X.509 key usage period extensions
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft PKEY_USAGE_PERIOD *
-.Fo d2i_PKEY_USAGE_PERIOD
-.Fa "PKEY_USAGE_PERIOD **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PKEY_USAGE_PERIOD
-.Fa "PKEY_USAGE_PERIOD *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-.Fn d2i_PKEY_USAGE_PERIOD
-and
-.Fn i2d_PKEY_USAGE_PERIOD
-decode and encode an ASN.1
-.Vt PrivateKeyUsagePeriod
-structure defined in RFC 3280 section 4.2.1.4.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Sh RETURN VALUES
-.Fn d2i_PKEY_USAGE_PERIOD
-returns a
-.Vt PKEY_USAGE_PERIOD
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_PKEY_USAGE_PERIOD
-returns the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr PKEY_USAGE_PERIOD_new 3 ,
-.Xr X509_EXTENSION_new 3
-.Sh STANDARDS
-RFC 3280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile,
-section 4.2.1.4: Private Key Usage Period
-.Pp
-RFC 3280 was obsoleted by RFC 5280; see
-.Xr PKEY_USAGE_PERIOD_new 3
-for details.
-.Sh HISTORY
-.Fn d2i_PKEY_USAGE_PERIOD
-and
-.Fn i2d_PKEY_USAGE_PERIOD
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/d2i_POLICYINFO.3 b/src/lib/libcrypto/man/d2i_POLICYINFO.3
deleted file mode 100644
index bae78b17c7..0000000000
--- a/src/lib/libcrypto/man/d2i_POLICYINFO.3
+++ /dev/null
@@ -1,165 +0,0 @@
-.\"     $OpenBSD: d2i_POLICYINFO.3,v 1.2 2018/03/21 17:57:48 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 21 2018 $
-.Dt D2I_POLICYINFO 3
-.Os
-.Sh NAME
-.Nm d2i_POLICYINFO ,
-.Nm i2d_POLICYINFO ,
-.Nm d2i_CERTIFICATEPOLICIES ,
-.Nm i2d_CERTIFICATEPOLICIES ,
-.Nm d2i_POLICYQUALINFO ,
-.Nm i2d_POLICYQUALINFO ,
-.Nm d2i_USERNOTICE ,
-.Nm i2d_USERNOTICE ,
-.Nm d2i_NOTICEREF ,
-.Nm i2d_NOTICEREF
-.Nd decode and encode X.509 certificate policies
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft POLICYINFO *
-.Fo d2i_POLICYINFO
-.Fa "POLICYINFO **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_POLICYINFO
-.Fa "POLICYINFO *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft CERTIFICATEPOLICIES *
-.Fo d2i_CERTIFICATEPOLICIES
-.Fa "CERTIFICATEPOLICIES **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_CERTIFICATEPOLICIES
-.Fa "CERTIFICATEPOLICIES *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft POLICYQUALINFO *
-.Fo d2i_POLICYQUALINFO
-.Fa "POLICYQUALINFO **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_POLICYQUALINFO
-.Fa "POLICYQUALINFO *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft USERNOTICE *
-.Fo d2i_USERNOTICE
-.Fa "USERNOTICE **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_USERNOTICE
-.Fa "USERNOTICE *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft NOTICEREF *
-.Fo d2i_NOTICEREF
-.Fa "NOTICEREF **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_NOTICEREF
-.Fa "NOTICEREF *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode X.509 certificate policies.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_POLICYINFO
-and
-.Fn i2d_POLICYINFO
-decode and encode an ASN.1
-.Vt PolicyInformation
-structure defined in RFC 5280 section 4.2.1.4.
-.Pp
-.Fn d2i_CERTIFICATEPOLICIES
-and
-.Fn i2d_CERTIFICATEPOLICIES
-decode and encode an ASN.1
-.Vt CertificatePolicies
-structure defined in RFC 5280 section 4.2.1.4.
-.Pp
-.Fn d2i_POLICYQUALINFO
-and
-.Fn i2d_POLICYQUALINFO
-decode and encode an ASN.1
-.Vt PolicyQualifierInfo
-structure defined in RFC 5280 section 4.2.1.4.
-.Pp
-.Fn d2i_USERNOTICE
-and
-.Fn i2d_USERNOTICE
-decode and encode an ASN.1
-.Vt UserNotice
-structure defined in RFC 5280 section 4.2.1.4.
-.Pp
-.Fn d2i_NOTICEREF
-and
-.Fn i2d_NOTICEREF
-decode and encode an ASN.1
-.Vt NoticeReference
-structure defined in RFC 5280 section 4.2.1.4.
-.Sh RETURN VALUES
-.Fn d2i_POLICYINFO ,
-.Fn d2i_CERTIFICATEPOLICIES ,
-.Fn d2i_POLICYQUALINFO ,
-.Fn d2i_USERNOTICE ,
-and
-.Fn d2i_NOTICEREF
-return a
-.Vt POLICYINFO ,
-.Vt CERTIFICATEPOLICIES ,
-.Vt POLICYQUALINFO ,
-.Vt USERNOTICE ,
-or
-.Vt NOTICEREF
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_POLICYINFO ,
-.Fn i2d_CERTIFICATEPOLICIES ,
-.Fn i2d_POLICYQUALINFO ,
-.Fn i2d_USERNOTICE ,
-and
-.Fn i2d_NOTICEREF
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr POLICYINFO_new 3 ,
-.Xr X509_EXTENSION_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile,
-section 4.2.1.4: Certificate Policies
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.3
-and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libcrypto/man/d2i_PrivateKey.3 b/src/lib/libcrypto/man/d2i_PrivateKey.3
deleted file mode 100644
index b544ea0e9a..0000000000
--- a/src/lib/libcrypto/man/d2i_PrivateKey.3
+++ /dev/null
@@ -1,312 +0,0 @@
-.\" $OpenBSD: d2i_PrivateKey.3,v 1.11 2024/10/24 21:42:10 tb Exp $
-.\" full merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 24 2024 $
-.Dt D2I_PRIVATEKEY 3
-.Os
-.Sh NAME
-.Nm d2i_PrivateKey ,
-.Nm d2i_AutoPrivateKey ,
-.Nm d2i_PrivateKey_bio ,
-.Nm d2i_PrivateKey_fp ,
-.Nm i2d_PrivateKey ,
-.Nm i2d_PrivateKey_bio ,
-.Nm i2d_PrivateKey_fp ,
-.Nm i2d_PKCS8PrivateKeyInfo_bio ,
-.Nm i2d_PKCS8PrivateKeyInfo_fp ,
-.Nm d2i_PublicKey ,
-.Nm i2d_PublicKey
-.Nd decode and encode EVP_PKEY objects
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft EVP_PKEY *
-.Fo d2i_PrivateKey
-.Fa "int type"
-.Fa "EVP_PKEY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft EVP_PKEY *
-.Fo d2i_AutoPrivateKey
-.Fa "EVP_PKEY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft EVP_PKEY *
-.Fo d2i_PrivateKey_bio
-.Fa "BIO *in_bio"
-.Fa "EVP_PKEY **val_out"
-.Fc
-.Ft EVP_PKEY *
-.Fo d2i_PrivateKey_fp
-.Fa "FILE *in_fp"
-.Fa "EVP_PKEY **val_out"
-.Fc
-.Ft int
-.Fo i2d_PrivateKey
-.Fa "EVP_PKEY *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft int
-.Fo i2d_PrivateKey_bio
-.Fa "BIO *out_bio"
-.Fa "EVP_PKEY *val_in"
-.Fc
-.Ft int
-.Fo i2d_PrivateKey_fp
-.Fa "FILE *out_fp"
-.Fa "EVP_PKEY *val_in"
-.Fc
-.Ft int
-.Fo i2d_PKCS8PrivateKeyInfo_bio
-.Fa "BIO *out_bio"
-.Fa "EVP_PKEY *val_in"
-.Fc
-.Ft int
-.Fo i2d_PKCS8PrivateKeyInfo_fp
-.Fa "FILE *out_fp"
-.Fa "EVP_PKEY *val_in"
-.Fc
-.Ft EVP_PKEY *
-.Fo d2i_PublicKey
-.Fa "int type"
-.Fa "EVP_PKEY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_PublicKey
-.Fa "EVP_PKEY *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These are algorithm-independent interfaces to decode and encode
-private and public keys.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_PrivateKey
-decodes a private key using algorithm
-.Fa type .
-It attempts to use any algorithm specific format or the PKCS#8 unencrypted
-.Vt PrivateKeyInfo
-format defined in RFC 5208 section 5.
-The
-.Fa type
-parameter should be a public key algorithm constant such as
-.Dv EVP_PKEY_RSA .
-An error occurs if the decoded key does not match
-.Fa type .
-.Pp
-.Fn d2i_AutoPrivateKey
-is similar to
-.Fn d2i_PrivateKey
-except that it attempts to automatically detect the algorithm.
-.Pp
-.Fn d2i_PrivateKey_bio
-and
-.Fn d2i_PrivateKey_fp
-are similar to
-.Fn d2i_PrivateKey
-except that they read from a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn i2d_PrivateKey
-encodes
-.Fa val_in .
-It uses an algorithm specific format or, if none is defined for
-that key type, the PKCS#8 unencrypted
-.Vt PrivateKeyInfo
-format.
-.Pp
-.Fn i2d_PrivateKey_bio
-and
-.Fn i2d_PrivateKey_fp
-are similar to
-.Fn i2d_PrivateKey
-except that they write to a
-.Vt BIO
-or
-.Vt FILE
-pointer and use a different convention for their return values.
-.Pp
-.Fn i2d_PKCS8PrivateKeyInfo_bio
-and
-.Fn i2d_PKCS8PrivateKeyInfo_fp
-encode
-.Fa val_in
-in PKCS#8 unencrypted
-.Vt PrivateKeyInfo
-format.
-They are similar to
-.Fn i2d_PrivateKey
-except that they don't use any algorithm-specific formats
-and that they write to a
-.Vt BIO
-or
-.Vt FILE
-pointer rather than to a buffer.
-.Pp
-All these functions use DER format and unencrypted keys.
-Applications wishing to encrypt or decrypt private keys should use other
-functions such as
-.Xr d2i_PKCS8PrivateKey_bio 3
-instead.
-.Pp
-If
-.Pf * Fa val_out
-is not
-.Dv NULL
-when calling
-.Fn d2i_PrivateKey
-or
-.Fn d2i_AutoPrivateKey
-(i.e. an existing structure is being reused) and the key format is
-PKCS#8, then
-.Pf * Fa val_out
-will be freed and replaced on a successful call.
-.Pp
-.Fn d2i_PublicKey
-calls
-.Xr d2i_DSAPublicKey 3 ,
-.Xr o2i_ECPublicKey 3 ,
-or
-.Xr d2i_RSAPublicKey 3
-depending on
-.Fa type
-and stores the result in the returned
-.Vt EVP_PKEY
-object.
-.Pp
-.Fn i2d_PublicKey
-calls
-.Xr i2d_DSAPublicKey 3 ,
-.Xr i2o_ECPublicKey 3 ,
-or
-.Xr i2d_RSAPublicKey 3
-depending on the algorithm used by
-.Fa val_in .
-.Sh RETURN VALUES
-.Fn d2i_PrivateKey ,
-.Fn d2i_AutoPrivateKey ,
-.Fn d2i_PrivateKey_bio ,
-.Fn d2i_PrivateKey_fp ,
-and
-.Fn d2i_PublicKey
-return a valid
-.Vt EVP_PKEY
-structure or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_PrivateKey
-and
-.Fn i2d_PublicKey
-return the number of bytes successfully encoded or a negative value if
-an error occurs.
-.Pp
-.Fn i2d_PrivateKey_bio ,
-.Fn i2d_PrivateKey_fp ,
-.Fn i2d_PKCS8PrivateKeyInfo_bio ,
-and
-.Fn i2d_PKCS8PrivateKeyInfo_fp
-return 1 for success or 0 if an error occurs.
-.Pp
-For all functions, the error code can be obtained by calling
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr d2i_PKCS8_PRIV_KEY_INFO 3 ,
-.Xr d2i_PKCS8PrivateKey_bio 3 ,
-.Xr EVP_PKEY_new 3 ,
-.Xr EVP_PKEY_type 3 ,
-.Xr PEM_write_PrivateKey 3 ,
-.Xr PKCS8_PRIV_KEY_INFO_new 3
-.Sh STANDARDS
-RFC 5208: Public-Key Cryptography Standards (PKCS) #8: Private-Key
-Information Syntax Specification
-.Sh HISTORY
-.Fn d2i_PrivateKey ,
-.Fn i2d_PrivateKey ,
-.Fn d2i_PublicKey ,
-and
-.Fn i2d_PublicKey
-first appeared in SSLeay 0.6.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn d2i_AutoPrivateKey ,
-.Fn d2i_PrivateKey_bio ,
-.Fn d2i_PrivateKey_fp ,
-.Fn i2d_PrivateKey_bio ,
-.Fn i2d_PrivateKey_fp ,
-.Fn i2d_PKCS8PrivateKeyInfo_bio ,
-and
-.Fn i2d_PKCS8PrivateKeyInfo_fp
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libcrypto/man/d2i_RSAPublicKey.3 b/src/lib/libcrypto/man/d2i_RSAPublicKey.3
deleted file mode 100644
index d6c376d84b..0000000000
--- a/src/lib/libcrypto/man/d2i_RSAPublicKey.3
+++ /dev/null
@@ -1,389 +0,0 @@
-.\"     $OpenBSD: d2i_RSAPublicKey.3,v 1.13 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ulf Moeller <ulf@openssl.org> and
-.\" Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2003, 2009, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt D2I_RSAPUBLICKEY 3
-.Os
-.Sh NAME
-.Nm d2i_RSAPublicKey ,
-.Nm i2d_RSAPublicKey ,
-.Nm d2i_RSAPrivateKey ,
-.Nm i2d_RSAPrivateKey ,
-.Nm d2i_Netscape_RSA ,
-.Nm i2d_Netscape_RSA ,
-.Nm d2i_RSA_PSS_PARAMS ,
-.Nm i2d_RSA_PSS_PARAMS ,
-.Nm d2i_RSAPublicKey_bio ,
-.Nm d2i_RSAPublicKey_fp ,
-.Nm i2d_RSAPublicKey_bio ,
-.Nm i2d_RSAPublicKey_fp ,
-.Nm d2i_RSAPrivateKey_bio ,
-.Nm d2i_RSAPrivateKey_fp ,
-.Nm i2d_RSAPrivateKey_bio ,
-.Nm i2d_RSAPrivateKey_fp ,
-.Nm d2i_RSA_PUBKEY ,
-.Nm i2d_RSA_PUBKEY ,
-.Nm d2i_RSA_PUBKEY_bio ,
-.Nm d2i_RSA_PUBKEY_fp ,
-.Nm i2d_RSA_PUBKEY_bio ,
-.Nm i2d_RSA_PUBKEY_fp
-.Nd decode and encode RSA keys and parameters
-.Sh SYNOPSIS
-.In openssl/rsa.h
-.Ft RSA *
-.Fo d2i_RSAPublicKey
-.Fa "RSA **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_RSAPublicKey
-.Fa "RSA *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft RSA *
-.Fo d2i_RSAPrivateKey
-.Fa "RSA **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_RSAPrivateKey
-.Fa "RSA *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft RSA *
-.Fo d2i_Netscape_RSA
-.Fa "RSA **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fa "int (*cb)()"
-.Fc
-.Ft int
-.Fo i2d_Netscape_RSA
-.Fa "RSA *val_in"
-.Fa "unsigned char **der_out"
-.Fa "int (*cb)()"
-.Fc
-.Ft RSA_PSS_PARAMS *
-.Fo d2i_RSA_PSS_PARAMS
-.Fa "RSA_PSS_PARAMS **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_RSA_PSS_PARAMS
-.Fa "RSA_PSS_PARAMS *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.In openssl/x509.h
-.Ft RSA *
-.Fo d2i_RSAPublicKey_bio
-.Fa "BIO *in_bio"
-.Fa "RSA **val_out"
-.Fc
-.Ft RSA *
-.Fo d2i_RSAPublicKey_fp
-.Fa "FILE *in_fp"
-.Fa "RSA **val_out"
-.Fc
-.Ft int
-.Fo i2d_RSAPublicKey_bio
-.Fa "BIO *out_bio"
-.Fa "RSA *val_in"
-.Fc
-.Ft int
-.Fo i2d_RSAPublicKey_fp
-.Fa "FILE *out_fp"
-.Fa "RSA *val_in"
-.Fc
-.Ft RSA *
-.Fo d2i_RSAPrivateKey_bio
-.Fa "BIO *in_bio"
-.Fa "RSA **val_out"
-.Fc
-.Ft RSA *
-.Fo d2i_RSAPrivateKey_fp
-.Fa "FILE *in_fp"
-.Fa "RSA **val_out"
-.Fc
-.Ft int
-.Fo i2d_RSAPrivateKey_bio
-.Fa "BIO *out_bio"
-.Fa "RSA *val_in"
-.Fc
-.Ft int
-.Fo i2d_RSAPrivateKey_fp
-.Fa "FILE *out_fp"
-.Fa "RSA *val_in"
-.Fc
-.Ft RSA *
-.Fo d2i_RSA_PUBKEY
-.Fa "RSA **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_RSA_PUBKEY
-.Fa "RSA *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft RSA *
-.Fo d2i_RSA_PUBKEY_bio
-.Fa "BIO *in_bio"
-.Fa "RSA **val_out"
-.Fc
-.Ft RSA *
-.Fo d2i_RSA_PUBKEY_fp
-.Fa "FILE *in_fp"
-.Fa "RSA **val_out"
-.Fc
-.Ft int
-.Fo i2d_RSA_PUBKEY_bio
-.Fa "BIO *out_bio"
-.Fa "RSA *val_in"
-.Fc
-.Ft int
-.Fo i2d_RSA_PUBKEY_fp
-.Fa "FILE *out_fp"
-.Fa "RSA *val_in"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode RSA private and public keys.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_RSAPublicKey
-and
-.Fn i2d_RSAPublicKey
-decode and encode a PKCS#1
-.Vt RSAPublicKey
-structure defined in RFC 8017 appendix A.1.1.
-.Fn d2i_RSAPublicKey_bio ,
-.Fn d2i_RSAPublicKey_fp ,
-.Fn i2d_RSAPublicKey_bio ,
-and
-.Fn i2d_RSAPublicKey_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn d2i_RSAPrivateKey
-and
-.Fn i2d_RSAPrivateKey
-decode and encode a PKCS#1
-.Vt RSAPrivateKey
-structure defined in RFC 8017 appendix A.1.2.
-The
-.Vt RSA
-structure passed to the private key encoding functions should have
-all the PKCS#1 private key components present.
-The data encoded by the private key functions is unencrypted and
-therefore offers no private key security.
-.Fn d2i_RSAPrivateKey_bio ,
-.Fn d2i_RSAPrivateKey_fp ,
-.Fn i2d_RSAPrivateKey_bio ,
-and
-.Fn i2d_RSAPrivateKey_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn d2i_Netscape_RSA
-and
-.Fn i2d_Netscape_RSA
-decode and encode an RSA private key in NET format.
-These functions are present to provide compatibility with
-certain very old software.
-The NET format has some severe security weaknesses and should be
-avoided if possible.
-.Pp
-.Fn d2i_RSA_PSS_PARAMS
-and
-.Fn i2d_RSA_PSS_PARAMS
-decode and encode a PKCS#1
-.Vt RSASSA-PSS-params
-structure defined in RFC 8017 appendix A.2.3 and documented in
-.Xr RSA_PSS_PARAMS_new 3 .
-.Pp
-.Fn d2i_RSA_PUBKEY
-and
-.Fn i2d_RSA_PUBKEY
-decode and encode an RSA public key using an ASN.1
-.Vt SubjectPublicKeyInfo
-structure defined in RFC 5280 section 4.1 and documented in
-.Xr X509_PUBKEY_new 3 .
-.Fn d2i_RSA_PUBKEY_bio ,
-.Fn d2i_RSA_PUBKEY_fp ,
-.Fn i2d_RSA_PUBKEY_bio ,
-and
-.Fn i2d_RSA_PUBKEY_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Sh RETURN VALUES
-.Fn d2i_RSAPublicKey ,
-.Fn d2i_RSAPublicKey_bio ,
-.Fn d2i_RSAPublicKey_fp ,
-.Fn d2i_RSAPrivateKey ,
-.Fn d2i_RSAPrivateKey_bio ,
-.Fn d2i_RSAPrivateKey_fp ,
-.Fn d2i_Netscape_RSA ,
-.Fn d2i_RSA_PUBKEY ,
-.Fn d2i_RSA_PUBKEY_bio ,
-and
-.Fn d2i_RSA_PUBKEY_fp
-return a valid
-.Vt RSA
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn d2i_RSA_PSS_PARAMS
-returns a valid
-.Vt RSA_PSS_PARAMS
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_RSAPublicKey ,
-.Fn i2d_RSAPrivateKey ,
-.Fn i2d_Netscape_RSA ,
-.Fn i2d_RSA_PSS_PARAMS ,
-and
-.Fn i2d_RSA_PUBKEY
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Pp
-.Fn i2d_RSAPublicKey_bio ,
-.Fn i2d_RSAPublicKey_fp ,
-.Fn i2d_RSAPrivateKey_bio ,
-.Fn i2d_RSAPrivateKey_fp ,
-.Fn i2d_RSA_PUBKEY_bio ,
-and
-.Fn i2d_RSA_PUBKEY_fp
-return 1 for success or 0 if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr EVP_PKEY_set1_RSA 3 ,
-.Xr PEM_write_RSAPrivateKey 3 ,
-.Xr RSA_new 3 ,
-.Xr RSA_PSS_PARAMS_new 3 ,
-.Xr X509_PUBKEY_new 3
-.Sh STANDARDS
-RFC 8017: PKCS #1: RSA Cryptography Specifications
-.Pp
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile,
-section 4.1: Basic Certificate Fields
-.Sh HISTORY
-.Fn d2i_RSAPublicKey ,
-.Fn i2d_RSAPublicKey ,
-.Fn d2i_RSAPrivateKey ,
-.Fn i2d_RSAPrivateKey ,
-.Fn d2i_RSAPrivateKey_fp ,
-.Fn i2d_RSAPrivateKey_fp ,
-.Fn d2i_Netscape_RSA ,
-and
-.Fn i2d_Netscape_RSA
-first appeared in SSLeay 0.5.1.
-.Fn d2i_RSAPrivateKey_bio
-and
-.Fn i2d_RSAPrivateKey_bio
-first appeared in SSLeay 0.6.0.
-.Fn d2i_RSAPublicKey_bio ,
-.Fn d2i_RSAPublicKey_fp ,
-.Fn i2d_RSAPublicKey_bio ,
-and
-.Fn i2d_RSAPublicKey_fp
-first appeared in SSLeay 0.8.1.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn d2i_RSA_PUBKEY ,
-.Fn i2d_RSA_PUBKEY ,
-.Fn d2i_RSA_PUBKEY_bio ,
-.Fn d2i_RSA_PUBKEY_fp ,
-.Fn i2d_RSA_PUBKEY_bio ,
-and
-.Fn i2d_RSA_PUBKEY_fp
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-.Fn d2i_RSA_PSS_PARAMS
-and
-.Fn i2d_RSA_PSS_PARAMS
-first appeared in OpenSSL 1.0.1 and have been available since
-.Ox 5.3 .
diff --git a/src/lib/libcrypto/man/d2i_TS_REQ.3 b/src/lib/libcrypto/man/d2i_TS_REQ.3
deleted file mode 100644
index 9f7c860fa1..0000000000
--- a/src/lib/libcrypto/man/d2i_TS_REQ.3
+++ /dev/null
@@ -1,333 +0,0 @@
-.\"     $OpenBSD: d2i_TS_REQ.3,v 1.2 2018/03/23 04:34:23 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 23 2018 $
-.Dt D2I_TS_REQ 3
-.Os
-.Sh NAME
-.Nm d2i_TS_REQ ,
-.Nm i2d_TS_REQ ,
-.Nm d2i_TS_REQ_bio ,
-.Nm i2d_TS_REQ_bio ,
-.Nm d2i_TS_REQ_fp ,
-.Nm i2d_TS_REQ_fp ,
-.Nm d2i_TS_RESP ,
-.Nm i2d_TS_RESP ,
-.Nm d2i_TS_RESP_bio ,
-.Nm i2d_TS_RESP_bio ,
-.Nm d2i_TS_RESP_fp ,
-.Nm i2d_TS_RESP_fp ,
-.Nm d2i_TS_STATUS_INFO ,
-.Nm i2d_TS_STATUS_INFO ,
-.Nm d2i_TS_TST_INFO ,
-.Nm i2d_TS_TST_INFO ,
-.Nm d2i_TS_TST_INFO_bio ,
-.Nm i2d_TS_TST_INFO_bio ,
-.Nm d2i_TS_TST_INFO_fp ,
-.Nm i2d_TS_TST_INFO_fp ,
-.Nm d2i_TS_ACCURACY ,
-.Nm i2d_TS_ACCURACY ,
-.Nm d2i_TS_MSG_IMPRINT ,
-.Nm i2d_TS_MSG_IMPRINT ,
-.Nm d2i_TS_MSG_IMPRINT_bio ,
-.Nm i2d_TS_MSG_IMPRINT_bio ,
-.Nm d2i_TS_MSG_IMPRINT_fp ,
-.Nm i2d_TS_MSG_IMPRINT_fp
-.Nd decode and encode X.509 time-stamp protocol structures
-.Sh SYNOPSIS
-.In openssl/ts.h
-.Ft TS_REQ *
-.Fo d2i_TS_REQ
-.Fa "TS_REQ **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_TS_REQ
-.Fa "const TS_REQ *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft TS_REQ *
-.Fo d2i_TS_REQ_bio
-.Fa "BIO *in_bio"
-.Fa "TS_REQ **val_out"
-.Fc
-.Ft int
-.Fo i2d_TS_REQ_bio
-.Fa "BIO *out_bio"
-.Fa "TS_REQ *val_in"
-.Fc
-.Ft TS_REQ *
-.Fo d2i_TS_REQ_fp
-.Fa "FILE *in_fp"
-.Fa "TS_REQ **val_out"
-.Fc
-.Ft int
-.Fo i2d_TS_REQ_fp
-.Fa "FILE *out_fp"
-.Fa "TS_REQ *val_in"
-.Fc
-.Ft TS_RESP *
-.Fo d2i_TS_RESP
-.Fa "TS_RESP **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_TS_RESP
-.Fa "const TS_RESP *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft TS_RESP *
-.Fo d2i_TS_RESP_bio
-.Fa "BIO *in_bio"
-.Fa "TS_RESP **val_out"
-.Fc
-.Ft int
-.Fo i2d_TS_RESP_bio
-.Fa "BIO *out_bio"
-.Fa "TS_RESP *val_in"
-.Fc
-.Ft TS_RESP *
-.Fo d2i_TS_RESP_fp
-.Fa "FILE *in_fp"
-.Fa "TS_RESP **val_out"
-.Fc
-.Ft int
-.Fo i2d_TS_RESP_fp
-.Fa "FILE *out_fp"
-.Fa "TS_RESP *val_in"
-.Fc
-.Ft TS_STATUS_INFO *
-.Fo d2i_TS_STATUS_INFO
-.Fa "TS_STATUS_INFO **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_TS_STATUS_INFO
-.Fa "const TS_STATUS_INFO *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft TS_TST_INFO *
-.Fo d2i_TS_TST_INFO
-.Fa "TS_TST_INFO **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_TS_TST_INFO
-.Fa "const TS_TST_INFO *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft TS_TST_INFO *
-.Fo d2i_TS_TST_INFO_bio
-.Fa "BIO *in_bio"
-.Fa "TS_TST_INFO **val_out"
-.Fc
-.Ft int
-.Fo i2d_TS_TST_INFO_bio
-.Fa "BIO *out_bio"
-.Fa "TS_TST_INFO *val_in"
-.Fc
-.Ft TS_TST_INFO *
-.Fo d2i_TS_TST_INFO_fp
-.Fa "FILE *in_fp"
-.Fa "TS_TST_INFO **val_out"
-.Fc
-.Ft int
-.Fo i2d_TS_TST_INFO_fp
-.Fa "FILE *out_fp"
-.Fa "TS_TST_INFO *val_in"
-.Fc
-.Ft TS_ACCURACY *
-.Fo d2i_TS_ACCURACY
-.Fa "TS_ACCURACY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_TS_ACCURACY
-.Fa "const TS_ACCURACY *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft TS_MSG_IMPRINT *
-.Fo d2i_TS_MSG_IMPRINT
-.Fa "TS_MSG_IMPRINT **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_TS_MSG_IMPRINT
-.Fa "const TS_MSG_IMPRINT *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft TS_MSG_IMPRINT *
-.Fo d2i_TS_MSG_IMPRINT_bio
-.Fa "BIO *in_bio"
-.Fa "TS_MSG_IMPRINT **val_out"
-.Fc
-.Ft int
-.Fo i2d_TS_MSG_IMPRINT_bio
-.Fa "BIO *out_bio"
-.Fa "TS_MSG_IMPRINT *val_in"
-.Fc
-.Ft TS_MSG_IMPRINT *
-.Fo d2i_TS_MSG_IMPRINT_fp
-.Fa "FILE *in_fp"
-.Fa "TS_MSG_IMPRINT **val_out"
-.Fc
-.Ft int
-.Fo i2d_TS_MSG_IMPRINT_fp
-.Fa "FILE *out_fp"
-.Fa "TS_MSG_IMPRINT *val_in"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode X.509 structures used for the
-time-stamp protocol.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_TS_REQ
-and
-.Fn i2d_TS_REQ
-decode and encode an ASN.1
-.Vt TimeStampReq
-structure defined in RFC 3161 section 2.4.1.
-.Fn d2i_TS_REQ_bio ,
-.Fn i2d_TS_REQ_bio ,
-.Fn d2i_TS_REQ_fp ,
-and
-.Fn i2d_TS_REQ_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn d2i_TS_RESP
-and
-.Fn i2d_TS_RESP
-decode and encode an ASN.1
-.Vt TimeStampResp
-structure defined in RFC 3161 section 2.4.2.
-.Fn d2i_TS_RESP_bio ,
-.Fn i2d_TS_RESP_bio ,
-.Fn d2i_TS_RESP_fp ,
-and
-.Fn i2d_TS_RESP_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn d2i_TS_STATUS_INFO
-and
-.Fn i2d_TS_STATUS_INFO
-decode and encode an ASN.1
-.Vt PKIStatusInfo
-structure defined in RFC 3161 section 2.4.2.
-.Pp
-.Fn d2i_TS_TST_INFO
-and
-.Fn i2d_TS_TST_INFO
-decode and encode an ASN.1
-.Vt TSTInfo
-structure defined in RFC 3161 section 2.4.2.
-.Fn d2i_TS_TST_INFO_bio ,
-.Fn i2d_TS_TST_INFO_bio ,
-.Fn d2i_TS_TST_INFO_fp ,
-and
-.Fn i2d_TS_TST_INFO_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn d2i_TS_ACCURACY
-and
-.Fn i2d_TS_ACCURACY
-decode and encode an ASN.1
-.Vt Accuracy
-structure defined in RFC 3161 section 2.4.2.
-.Pp
-.Fn d2i_TS_MSG_IMPRINT
-and
-.Fn i2d_TS_MSG_IMPRINT
-decode and encode an ASN.1
-.Vt MessageImprint
-structure defined in RFC 3161 section 2.4.1.
-.Fn d2i_TS_MSG_IMPRINT_bio ,
-.Fn i2d_TS_MSG_IMPRINT_bio ,
-.Fn d2i_TS_MSG_IMPRINT_fp ,
-and
-.Fn i2d_TS_MSG_IMPRINT_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Sh RETURN VALUES
-.Fn d2i_TS_REQ ,
-.Fn d2i_TS_REQ_bio ,
-.Fn d2i_TS_REQ_fp ,
-.Fn d2i_TS_RESP ,
-.Fn d2i_TS_RESP_bio ,
-.Fn d2i_TS_RESP_fp ,
-.Fn d2i_TS_STATUS_INFO ,
-.Fn d2i_TS_TST_INFO ,
-.Fn d2i_TS_TST_INFO_bio ,
-.Fn d2i_TS_TST_INFO_fp ,
-.Fn d2i_TS_ACCURACY ,
-.Fn d2i_TS_MSG_IMPRINT ,
-.Fn d2i_TS_MSG_IMPRINT_bio ,
-and
-.Fn d2i_TS_MSG_IMPRINT_fp
-return an object of the respective type or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_TS_REQ ,
-.Fn i2d_TS_RESP ,
-.Fn i2d_TS_STATUS_INFO ,
-.Fn i2d_TS_TST_INFO ,
-.Fn i2d_TS_ACCURACY ,
-and
-.Fn i2d_TS_MSG_IMPRINT
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Pp
-.Fn i2d_TS_REQ_bio ,
-.Fn i2d_TS_REQ_fp ,
-.Fn i2d_TS_RESP_bio ,
-.Fn i2d_TS_RESP_fp ,
-.Fn i2d_TS_TST_INFO_bio ,
-.Fn i2d_TS_TST_INFO_fp ,
-.Fn i2d_TS_MSG_IMPRINT_bio ,
-and
-.Fn i2d_TS_MSG_IMPRINT_fp
-return 1 for success or 0 if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr TS_REQ_new 3
-.Sh STANDARDS
-RFC 3161: Internet X.509 Public Key Infrastructure Time-Stamp Protocol
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.0
-and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/d2i_X509.3 b/src/lib/libcrypto/man/d2i_X509.3
deleted file mode 100644
index 6102e49e0e..0000000000
--- a/src/lib/libcrypto/man/d2i_X509.3
+++ /dev/null
@@ -1,362 +0,0 @@
-.\" $OpenBSD: d2i_X509.3,v 1.11 2021/10/27 10:35:43 schwarze Exp $
-.\" OpenSSL d2i_X509.pod checked up to:
-.\" 256989ce4 Jun 19 15:00:32 2020 +0200
-.\" OpenSSL i2d_re_X509_tbs.pod checked up to:
-.\" 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original files were written by Dr. Stephen Henson <steve@openssl.org>,
-.\" Emilia Kasper <emilia@openssl.org>, Viktor Dukhovni <viktor@openssl.org>,
-.\" and Rich Salz <rsalz@openssl.org>.
-.\" Copyright (c) 2002, 2014, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 27 2021 $
-.Dt D2I_X509 3
-.Os
-.Sh NAME
-.Nm d2i_X509 ,
-.Nm i2d_X509 ,
-.Nm d2i_X509_bio ,
-.Nm d2i_X509_fp ,
-.Nm i2d_X509_bio ,
-.Nm i2d_X509_fp ,
-.Nm d2i_X509_AUX ,
-.Nm i2d_X509_AUX ,
-.Nm d2i_X509_CERT_AUX ,
-.Nm i2d_X509_CERT_AUX ,
-.Nm d2i_X509_CINF ,
-.Nm i2d_X509_CINF ,
-.Nm d2i_X509_VAL ,
-.Nm i2d_X509_VAL ,
-.Nm i2d_re_X509_tbs ,
-.Nm i2d_re_X509_CRL_tbs ,
-.Nm i2d_re_X509_REQ_tbs
-.Nd decode and encode X.509 certificates
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509 *
-.Fo d2i_X509
-.Fa "X509 **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509
-.Fa "X509 *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft X509 *
-.Fo d2i_X509_bio
-.Fa "BIO *in_bio"
-.Fa "X509 **val_out"
-.Fc
-.Ft X509 *
-.Fo d2i_X509_fp
-.Fa "FILE *in_fp"
-.Fa "X509 **val_out"
-.Fc
-.Ft int
-.Fo i2d_X509_bio
-.Fa "BIO *out_bio"
-.Fa "X509 *val_in"
-.Fc
-.Ft int
-.Fo i2d_X509_fp
-.Fa "FILE *out_fp"
-.Fa "X509 *val_in"
-.Fc
-.Ft X509 *
-.Fo d2i_X509_AUX
-.Fa "X509 **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_AUX
-.Fa "X509 *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft X509_CERT_AUX *
-.Fo d2i_X509_CERT_AUX
-.Fa "X509_CERT_AUX **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_CERT_AUX
-.Fa "X509_CERT_AUX *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft X509_CINF *
-.Fo d2i_X509_CINF
-.Fa "X509_CINF **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_CINF
-.Fa "X509_CINF *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft X509_VAL *
-.Fo d2i_X509_VAL
-.Fa "X509_VAL **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_VAL
-.Fa "X509_VAL *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft int
-.Fo i2d_re_X509_tbs
-.Fa "X509 *x"
-.Fa "unsigned char **out"
-.Fc
-.Ft int
-.Fo i2d_re_X509_CRL_tbs
-.Fa "X509_CRL *crl"
-.Fa "unsigned char **pp"
-.Fc
-.Ft int
-.Fo i2d_re_X509_REQ_tbs
-.Fa "X509_REQ *req"
-.Fa "unsigned char **pp"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode X.509 certificates
-and some of their substructures.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_X509
-and
-.Fn i2d_X509
-decode and encode an ASN.1
-.Vt Certificate
-structure defined in RFC 5280 section 4.1.
-.Pp
-.Fn d2i_X509_bio ,
-.Fn d2i_X509_fp ,
-.Fn i2d_X509_bio ,
-and
-.Fn i2d_X509_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn d2i_X509_AUX
-is similar to
-.Fn d2i_X509 ,
-but the input is expected to consist of an X.509 certificate followed
-by auxiliary trust information.
-This is used by the PEM routines to read TRUSTED CERTIFICATE objects.
-This function should not be called on untrusted input.
-.Pp
-.Fn i2d_X509_AUX
-is similar to
-.Fn i2d_X509 ,
-but the encoded output contains both the certificate and any auxiliary
-trust information.
-This is used by the PEM routines to write TRUSTED CERTIFICATE objects.
-Note that this is a non-standard OpenSSL-specific data format.
-.Pp
-.Fn d2i_X509_CERT_AUX
-and
-.Fn i2d_X509_CERT_AUX
-decode and encode optional non-standard auxiliary data appended to
-a certificate, for example friendly alias names and trust data.
-.Pp
-.Fn d2i_X509_CINF
-and
-.Fn i2d_X509_CINF
-decode and encode an ASN.1
-.Vt TBSCertificate
-structure defined in RFC 5280 section 4.1.
-.Pp
-.Fn d2i_X509_VAL
-and
-.Fn i2d_X509_VAL
-decode and encode an ASN.1
-.Vt Validity
-structure defined in RFC 5280 section 4.1.
-.Pp
-.Fn i2d_re_X509_tbs
-is similar to
-.Fn i2d_X509 ,
-except it encodes only the TBSCertificate portion of the certificate.
-.Fn i2d_re_X509_CRL_tbs
-and
-.Fn i2d_re_X509_REQ_tbs
-are analogous for CRL and certificate request, respectively.
-The "re" in
-.Fn i2d_re_X509_tbs
-stands for "re-encode", and ensures that a fresh encoding is generated
-in case the object has been modified after creation.
-.Pp
-The encoding of the TBSCertificate portion of a certificate is cached in
-the
-.Vt X509
-structure internally to improve encoding performance and to ensure
-certificate signatures are verified correctly in some certificates with
-broken (non-DER) encodings.
-.Pp
-If, after modification, the
-.Vt X509
-object is re-signed with
-.Xr X509_sign 3 ,
-the encoding is automatically renewed.
-Otherwise, the encoding of the TBSCertificate portion of the
-.Vt X509
-can be manually renewed by calling
-.Fn i2d_re_X509_tbs .
-.Sh RETURN VALUES
-.Fn d2i_X509 ,
-.Fn d2i_X509_bio ,
-.Fn d2i_X509_fp ,
-and
-.Fn d2i_X509_AUX
-return a valid
-.Vt X509
-structure or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn d2i_X509_CERT_AUX ,
-.Fn d2i_X509_CINF ,
-and
-.Fn d2i_X509_VAL
-return an
-.Vt X509_CERT_AUX ,
-.Vt X509_CINF ,
-or
-.Vt X509_VAL
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_X509 ,
-.Fn i2d_X509_AUX ,
-.Fn i2d_X509_CERT_AUX ,
-.Fn i2d_X509_CINF ,
-and
-.Fn i2d_X509_VAL
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Pp
-.Fn i2d_X509_bio
-and
-.Fn i2d_X509_fp
-return 1 for success or 0 if an error occurs.
-.Pp
-.Fn i2d_re_X509_tbs ,
-.Fn i2d_re_X509_CRL_tbs ,
-and
-.Fn i2d_re_X509_REQ_tbs
-return the number of bytes successfully encoded or 0 if an error occurs.
-.Pp
-For all functions, the error code can be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr X509_CINF_new 3 ,
-.Xr X509_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Sh HISTORY
-.Fn d2i_X509 ,
-.Fn i2d_X509 ,
-.Fn d2i_X509_fp ,
-.Fn i2d_X509_fp ,
-.Fn d2i_X509_CINF ,
-.Fn i2d_X509_CINF ,
-.Fn d2i_X509_VAL ,
-and
-.Fn i2d_X509_VAL
-first appeared in SSLeay 0.5.1.
-.Fn d2i_X509_bio
-and
-.Fn i2d_X509_bio
-first appeared in SSLeay 0.6.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn d2i_X509_AUX ,
-.Fn i2d_X509_AUX ,
-.Fn d2i_X509_CERT_AUX ,
-and
-.Fn i2d_X509_CERT_AUX
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
-.Pp
-.Fn i2d_re_X509_tbs ,
-.Fn i2d_re_X509_CRL_tbs ,
-and
-.Fn i2d_re_X509_REQ_tbs
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libcrypto/man/d2i_X509_ALGOR.3 b/src/lib/libcrypto/man/d2i_X509_ALGOR.3
deleted file mode 100644
index 252f3fc344..0000000000
--- a/src/lib/libcrypto/man/d2i_X509_ALGOR.3
+++ /dev/null
@@ -1,89 +0,0 @@
-.\" $OpenBSD: d2i_X509_ALGOR.3,v 1.11 2025/03/14 21:32:15 tb Exp $
-.\"
-.\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 14 2025 $
-.Dt D2I_X509_ALGOR 3
-.Os
-.Sh NAME
-.Nm d2i_X509_ALGOR ,
-.Nm i2d_X509_ALGOR ,
-.Nm d2i_X509_ALGORS ,
-.Nm i2d_X509_ALGORS
-.Nd decode and encode algorithm identifiers
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_ALGOR *
-.Fo d2i_X509_ALGOR
-.Fa "X509_ALGOR **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_ALGOR
-.Fa "X509_ALGOR *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft X509_ALGORS *
-.Fo d2i_X509_ALGORS
-.Fa "X509_ALGORS **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_ALGORS
-.Fa "X509_ALGORS *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-.Fn d2i_X509_ALGOR
-and
-.Fn i2d_X509_ALGOR
-decode and encode an ASN.1
-.Vt AlgorithmIdentifier
-structure defined in RFC 5280 section 4.1.1.2.
-.Pp
-.Fn d2i_X509_ALGORS
-and
-.Fn i2d_X509_ALGORS
-decode and encode an ASN.1 sequence of
-.Vt AlgorithmIdentifier
-structures.
-The data type
-.Vt X509_ALGORS
-is defined as
-.Vt STACK_OF(X509_ALGOR) .
-.Pp
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr STACK_OF 3 ,
-.Xr X509_ALGOR_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Sh HISTORY
-.Fn d2i_X509_ALGOR
-and
-.Fn i2d_X509_ALGOR
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn d2i_X509_ALGORS
-and
-.Fn i2d_X509_ALGORS
-first appeared in OpenSSL 0.9.8h and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/d2i_X509_ATTRIBUTE.3 b/src/lib/libcrypto/man/d2i_X509_ATTRIBUTE.3
deleted file mode 100644
index 6b070e5e51..0000000000
--- a/src/lib/libcrypto/man/d2i_X509_ATTRIBUTE.3
+++ /dev/null
@@ -1,76 +0,0 @@
-.\"     $OpenBSD: d2i_X509_ATTRIBUTE.3,v 1.3 2018/03/27 17:35:50 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt D2I_X509_ATTRIBUTE 3
-.Os
-.Sh NAME
-.Nm d2i_X509_ATTRIBUTE ,
-.Nm i2d_X509_ATTRIBUTE
-.\" In the following line, "X.501" and "Attribute" are not typos.
-.\" The "Attribute" type is defined in X.501, not in X.509.
-.\" The type in called "Attribute" with capital "A", not "attribute".
-.Nd decode and encode generic X.501 Attribute
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_ATTRIBUTE *
-.Fo d2i_X509_ATTRIBUTE
-.Fa "X509_ATTRIBUTE **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_ATTRIBUTE
-.Fa "X509_ATTRIBUTE *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-.Fn d2i_X509_ATTRIBUTE
-and
-.Fn i2d_X509_ATTRIBUTE
-decode and encode a generic ASN.1
-.Vt Attribute
-structure defined in X.501 section 8.2.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Sh RETURN VALUES
-.Fn d2i_X509_ATTRIBUTE
-returns an
-.Vt X509_ATTRIBUTE
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_X509_ATTRIBUTE
-returns the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr d2i_PKCS12 3 ,
-.Xr d2i_PKCS8_PRIV_KEY_INFO 3 ,
-.Xr d2i_X509_EXTENSION 3 ,
-.Xr d2i_X509_REQ 3 ,
-.Xr X509_ATTRIBUTE_new 3
-.Sh STANDARDS
-ITU-T Recommendation X.501, also known as ISO/IEC 9594-2: Information
-Technology  Open Systems Interconnection  The Directory: Models,
-section 8.2: Overall structure
-.Sh HISTORY
-.Fn d2i_X509_ATTRIBUTE
-and
-.Fn i2d_X509_ATTRIBUTE
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/d2i_X509_CRL.3 b/src/lib/libcrypto/man/d2i_X509_CRL.3
deleted file mode 100644
index 79c1ed9f8c..0000000000
--- a/src/lib/libcrypto/man/d2i_X509_CRL.3
+++ /dev/null
@@ -1,148 +0,0 @@
-.\" $OpenBSD: d2i_X509_CRL.3,v 1.10 2025/03/15 15:17:41 tb Exp $
-.\"
-.\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 15 2025 $
-.Dt D2I_X509_CRL 3
-.Os
-.Sh NAME
-.Nm d2i_X509_CRL ,
-.Nm i2d_X509_CRL ,
-.Nm d2i_X509_CRL_bio ,
-.Nm d2i_X509_CRL_fp ,
-.Nm i2d_X509_CRL_bio ,
-.Nm i2d_X509_CRL_fp ,
-.Nm d2i_X509_CRL_INFO ,
-.Nm i2d_X509_CRL_INFO ,
-.Nm d2i_X509_REVOKED ,
-.Nm i2d_X509_REVOKED
-.Nd decode and encode X.509 certificate revocation lists
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_CRL *
-.Fo d2i_X509_CRL
-.Fa "X509_CRL **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_CRL
-.Fa "X509_CRL *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft X509_CRL *
-.Fo d2i_X509_CRL_bio
-.Fa "BIO *in_bio"
-.Fa "X509_CRL **val_out"
-.Fc
-.Ft X509_CRL *
-.Fo d2i_X509_CRL_fp
-.Fa "FILE *in_fp"
-.Fa "X509_CRL **val_out"
-.Fc
-.Ft int
-.Fo i2d_X509_CRL_bio
-.Fa "BIO *out_bio"
-.Fa "X509_CRL *val_in"
-.Fc
-.Ft int
-.Fo i2d_X509_CRL_fp
-.Fa "FILE *out_fp"
-.Fa "X509_CRL *val_in"
-.Fc
-.Ft X509_CRL_INFO *
-.Fo d2i_X509_CRL_INFO
-.Fa "X509_CRL_INFO **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_CRL_INFO
-.Fa "X509_CRL_INFO *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft X509_REVOKED *
-.Fo d2i_X509_REVOKED
-.Fa "X509_REVOKED **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_REVOKED
-.Fa "X509_REVOKED *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode X.509 certificate revocation lists.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_X509_CRL
-and
-.Fn i2d_X509_CRL
-decode and encode an ASN.1
-.Vt CertificateList
-structure defined in RFC 5280 section 5.1.
-.Pp
-.Fn d2i_X509_CRL_bio ,
-.Fn d2i_X509_CRL_fp ,
-.Fn i2d_X509_CRL_bio ,
-and
-.Fn i2d_X509_CRL_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn d2i_X509_CRL_INFO
-and
-.Fn i2d_X509_CRL_INFO
-decode and encode an ASN.1
-.Vt TBSCertList
-structure defined in RFC 5280 section 5.1.
-.Pp
-.Fn d2i_X509_REVOKED
-and
-.Fn i2d_X509_REVOKED
-decode and encode an ASN.1 structure representing one element of
-the revokedCertificates field of the ASN.1
-.Vt TBSCertList
-structure.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr X509_CRL_new 3 ,
-.Xr X509_REVOKED_new 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile,
-section 5: CRL and CRL Extensions Profile
-.Sh HISTORY
-.Fn d2i_X509_CRL ,
-.Fn i2d_X509_CRL ,
-.Fn d2i_X509_CRL_fp ,
-.Fn i2d_X509_CRL_fp ,
-.Fn d2i_X509_CRL_INFO ,
-.Fn i2d_X509_CRL_INFO ,
-.Fn d2i_X509_REVOKED ,
-and
-.Fn i2d_X509_REVOKED
-first appeared in SSLeay 0.5.1.
-.Fn d2i_X509_CRL_bio
-and
-.Fn i2d_X509_CRL_bio
-first appeared in SSLeay 0.6.0.
-These functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/d2i_X509_EXTENSION.3 b/src/lib/libcrypto/man/d2i_X509_EXTENSION.3
deleted file mode 100644
index 46a680c1ba..0000000000
--- a/src/lib/libcrypto/man/d2i_X509_EXTENSION.3
+++ /dev/null
@@ -1,104 +0,0 @@
-.\"     $OpenBSD: d2i_X509_EXTENSION.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt D2I_X509_EXTENSION 3
-.Os
-.Sh NAME
-.Nm d2i_X509_EXTENSION ,
-.Nm i2d_X509_EXTENSION ,
-.Nm d2i_X509_EXTENSIONS ,
-.Nm i2d_X509_EXTENSIONS
-.\" In the next line, the capital "E" is not a typo.
-.\" The ASN.1 structure is called "Extensions", not "extensions".
-.Nd decode and encode X.509 Extensions
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_EXTENSION *
-.Fo d2i_X509_EXTENSION
-.Fa "X509_EXTENSION **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_EXTENSION
-.Fa "X509_EXTENSION *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft X509_EXTENSIONS *
-.Fo d2i_X509_EXTENSIONS
-.Fa "X509_EXTENSIONS **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_EXTENSIONS
-.Fa "X509_EXTENSIONS *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-.Fn d2i_X509_EXTENSION
-and
-.Fn i2d_X509_EXTENSION
-decode and encode an ASN.1
-.Vt Extension
-structure defined in RFC 5280 section 4.1.
-.Pp
-.Fn d2i_X509_EXTENSIONS
-and
-.Fn i2d_X509_EXTENSIONS
-decode and encode an ASN.1
-.Vt Extensions
-structure defined in RFC 5280 section 4.1,
-which is a SEQUENCE OF
-.Vt Extension .
-.Sh RETURN VALUES
-.Fn d2i_X509_EXTENSION
-and
-.Fn d2i_X509_EXTENSIONS
-return an
-.Vt X509_EXTENSION
-or
-.Vt X509_EXTENSIONS
-object, respectively, or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_X509_EXTENSION
-and
-.Fn i2d_X509_EXTENSIONS
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr X509_EXTENSION_new 3 ,
-.Xr X509V3_get_d2i 3 ,
-.Xr X509v3_get_ext_by_NID 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Sh HISTORY
-.Fn d2i_X509_EXTENSION
-and
-.Fn i2d_X509_EXTENSION
-first appeared in SSLeay 0.6.2 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn d2i_X509_EXTENSIONS
-and
-.Fn i2d_X509_EXTENSIONS
-first appeared in OpenSSL 0.9.8h and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/d2i_X509_NAME.3 b/src/lib/libcrypto/man/d2i_X509_NAME.3
deleted file mode 100644
index f5cafaee97..0000000000
--- a/src/lib/libcrypto/man/d2i_X509_NAME.3
+++ /dev/null
@@ -1,213 +0,0 @@
-.\" $OpenBSD: d2i_X509_NAME.3,v 1.18 2025/03/14 21:32:15 tb Exp $
-.\" checked up to:
-.\" OpenSSL crypto/d2i_X509_NAME 4692340e Jun 7 15:49:08 2016 -0400 and
-.\" OpenSSL man3/X509_NAME_get0_der 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" Copyright (c) 2016, 2018 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 14 2025 $
-.Dt D2I_X509_NAME 3
-.Os
-.Sh NAME
-.Nm d2i_X509_NAME ,
-.Nm i2d_X509_NAME ,
-.Nm X509_NAME_get0_der ,
-.Nm X509_NAME_dup ,
-.Nm X509_NAME_set ,
-.Nm d2i_X509_NAME_ENTRY ,
-.Nm i2d_X509_NAME_ENTRY ,
-.Nm X509_NAME_ENTRY_dup
-.\" In the following line, "X.501" and "Name" are not typos.
-.\" The "Name" type is defined in X.501, not in X.509.
-.\" The type is called "Name" with capital "N", not "name".
-.Nd decode and encode X.501 Name objects
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_NAME *
-.Fo d2i_X509_NAME
-.Fa "X509_NAME **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_NAME
-.Fa "X509_NAME *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft int
-.Fo X509_NAME_get0_der
-.Fa "X509_NAME *val_in"
-.Fa "const unsigned char **der_out"
-.Fa "size_t *out_len"
-.Fc
-.Ft X509_NAME *
-.Fo X509_NAME_dup
-.Fa "X509_NAME *val_in"
-.Fc
-.Ft int
-.Fo X509_NAME_set
-.Fa "X509_NAME **val_out"
-.Fa "X509_NAME *val_in"
-.Fc
-.Ft X509_NAME_ENTRY *
-.Fo d2i_X509_NAME_ENTRY
-.Fa "X509_NAME_ENTRY **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_NAME_ENTRY
-.Fa "X509_NAME_ENTRY *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft X509_NAME_ENTRY *
-.Fo X509_NAME_ENTRY_dup
-.Fa "X509_NAME_ENTRY *val_in"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode X.501
-.Vt Name
-objects using DER format.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_X509_NAME
-and
-.Fn i2d_X509_NAME
-decode and encode an ASN.1
-.Vt Name
-structure defined in RFC 5280 section 4.1.2.4.
-.Pp
-.Fn X509_NAME_get0_der
-is a variant of
-.Fn i2d_X509_NAME
-that does not copy the encoded output but instead returns a pointer
-to the internally cached DER-encoded version of the name.
-Also, it does not return the length of the output in bytes,
-but instead stores it in
-.Fa out_len .
-If the cached encoded form happens to be out of date, both functions
-update it before copying it or returning a pointer to it.
-.Pp
-.Fn X509_NAME_dup
-copies
-.Fa val_in
-by calling
-.Fn i2d_X509_NAME
-and
-.Fn d2i_X509_NAME .
-.Pp
-.Fn X509_NAME_set
-makes sure that
-.Pf * Fa val_out
-contains the same data as
-.Fa val_in
-after the call, except that it fails if
-.Fa val_in
-is
-.Dv NULL .
-If
-.Pf * Fa val_out
-is the same pointer as
-.Fa val_in ,
-the function succeeds without changing anything.
-Otherwise, it copies
-.Fa val_in
-using
-.Fn X509_NAME_dup ,
-and in case of success, it frees
-.Pf * Fa val_out
-and sets it to a pointer to the new object.
-When the function fails, it never changes anything.
-In any case,
-.Fa val_in
-remains valid and may or may not be the same pointer as
-.Pf * Fa val_out
-after the call.
-.Pp
-.Fn d2i_X509_NAME_ENTRY
-and
-.Fn i2d_X509_NAME_ENTRY
-decode and encode an ASN.1
-.Vt RelativeDistinguishedName
-structure defined in RFC 5280 section 4.1.2.4.
-.Pp
-.Fn X509_NAME_ENTRY_dup
-copies
-.Fa val_in
-by calling
-.Fn i2d_X509_NAME_ENTRY
-and
-.Fn d2i_X509_NAME_ENTRY .
-.Sh RETURN VALUES
-.Fn d2i_X509_NAME
-and
-.Fn X509_NAME_dup
-return the new
-.Vt X509_NAME
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn X509_NAME_set
-and
-.Fn X509_NAME_get0_der
-return 1 on success or 0 if an error occurs.
-.Pp
-.Fn d2i_X509_NAME_ENTRY
-and
-.Fn X509_NAME_ENTRY_dup
-return the new
-.Vt X509_NAME_ENTRY
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_X509_NAME
-and
-.Fn i2d_X509_NAME_ENTRY
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr X509_NAME_ENTRY_new 3 ,
-.Xr X509_NAME_new 3 ,
-.Xr X509_NAME_print_ex 3
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Pp
-ITU-T Recommendation X.690, also known as ISO/IEC 8825-1:
-Information technology - ASN.1 encoding rules:
-Specification of Basic Encoding Rules (BER), Canonical Encoding
-Rules (CER) and Distinguished Encoding Rules (DER).
-.Sh HISTORY
-.Fn X509_NAME_dup
-first appeared in SSLeay 0.4.4.
-.Fn d2i_X509_NAME ,
-.Fn i2d_X509_NAME ,
-.Fn d2i_X509_NAME_ENTRY ,
-.Fn i2d_X509_NAME_ENTRY ,
-and
-.Fn X509_NAME_ENTRY_dup
-first appeared in SSLeay 0.5.1.
-.Fn X509_NAME_set
-first appeared in SSLeay 0.8.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn X509_NAME_get0_der
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libcrypto/man/d2i_X509_REQ.3 b/src/lib/libcrypto/man/d2i_X509_REQ.3
deleted file mode 100644
index 95785a2d25..0000000000
--- a/src/lib/libcrypto/man/d2i_X509_REQ.3
+++ /dev/null
@@ -1,151 +0,0 @@
-.\"     $OpenBSD: d2i_X509_REQ.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt D2I_X509_REQ 3
-.Os
-.Sh NAME
-.Nm d2i_X509_REQ ,
-.Nm i2d_X509_REQ ,
-.Nm d2i_X509_REQ_bio ,
-.Nm d2i_X509_REQ_fp ,
-.Nm i2d_X509_REQ_bio ,
-.Nm i2d_X509_REQ_fp ,
-.Nm d2i_X509_REQ_INFO ,
-.Nm i2d_X509_REQ_INFO
-.Nd decode and encode PKCS#10 certification requests
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_REQ *
-.Fo d2i_X509_REQ
-.Fa "X509_REQ **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_REQ
-.Fa "X509_REQ *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft X509_REQ *
-.Fo d2i_X509_REQ_bio
-.Fa "BIO *in_bio"
-.Fa "X509_REQ **val_out"
-.Fc
-.Ft X509_REQ *
-.Fo d2i_X509_REQ_fp
-.Fa "FILE *in_fp"
-.Fa "X509_REQ **val_out"
-.Fc
-.Ft int
-.Fo i2d_X509_REQ_bio
-.Fa "BIO *out_bio"
-.Fa "X509_REQ *val_in"
-.Fc
-.Ft int
-.Fo i2d_X509_REQ_fp
-.Fa "FILE *out_fp"
-.Fa "X509_REQ *val_in"
-.Fc
-.Ft X509_REQ_INFO *
-.Fo d2i_X509_REQ_INFO
-.Fa "X509_REQ_INFO **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_REQ_INFO
-.Fa "X509_REQ_INFO *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Sh DESCRIPTION
-These functions decode and encode PKCS#10 certification requests.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_X509_REQ
-and
-.Fn i2d_X509_REQ
-decode and encode an ASN.1
-.Vt CertificationRequest
-structure defined in RFC 2986 section 4.2.
-.Fn d2i_X509_REQ_bio ,
-.Fn d2i_X509_REQ_fp ,
-.Fn i2d_X509_REQ_bio ,
-and
-.Fn i2d_X509_REQ_fp
-are similar except that they decode or encode using a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn d2i_X509_REQ_INFO
-and
-.Fn i2d_X509_REQ_INFO
-decode and encode an ASN.1
-.Vt CertificationRequestInfo
-structure defined in RFC 2986 section 4.1.
-.Sh RETURN VALUES
-.Fn d2i_X509_REQ ,
-.Fn d2i_X509_REQ_bio ,
-and
-.Fn d2i_X509_REQ_fp
-return an
-.Vt X509_REQ
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn d2i_X509_REQ_INFO
-returns an
-.Vt X509_REQ_INFO
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_X509_REQ
-and
-.Fn i2d_X509_REQ_INFO
-return the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Pp
-.Fn i2d_X509_REQ_bio
-and
-.Fn i2d_X509_REQ_fp
-return 1 for success or 0 if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr PEM_read_X509_REQ 3 ,
-.Xr X509_REQ_new 3
-.Sh STANDARDS
-RFC 2986: PKCS #10: Certification Request Syntax Specification
-.Sh HISTORY
-.Fn d2i_X509_REQ ,
-.Fn i2d_X509_REQ ,
-.Fn d2i_X509_REQ_fp ,
-.Fn i2d_X509_REQ_fp ,
-.Fn d2i_X509_REQ_INFO ,
-and
-.Fn i2d_X509_REQ_INFO
-first appeared in SSLeay 0.5.1.
-.Fn d2i_X509_REQ_bio
-and
-.Fn i2d_X509_REQ_bio
-first appeared in SSLeay 0.6.0.
-These functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/d2i_X509_SIG.3 b/src/lib/libcrypto/man/d2i_X509_SIG.3
deleted file mode 100644
index c9fbf86633..0000000000
--- a/src/lib/libcrypto/man/d2i_X509_SIG.3
+++ /dev/null
@@ -1,159 +0,0 @@
-.\"     $OpenBSD: d2i_X509_SIG.3,v 1.10 2025/03/14 21:32:15 tb Exp $
-.\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 14 2025 $
-.Dt D2I_X509_SIG 3
-.Os
-.Sh NAME
-.Nm d2i_X509_SIG ,
-.Nm i2d_X509_SIG ,
-.Nm d2i_PKCS8_bio ,
-.Nm i2d_PKCS8_bio ,
-.Nm d2i_PKCS8_fp ,
-.Nm i2d_PKCS8_fp
-.\" In the next line, the number "7" is not a typo.
-.\" These functions are misnamed.
-.Nd decode and encode PKCS#7 digest information
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_SIG *
-.Fo d2i_X509_SIG
-.Fa "X509_SIG **val_out"
-.Fa "const unsigned char **der_in"
-.Fa "long length"
-.Fc
-.Ft int
-.Fo i2d_X509_SIG
-.Fa "X509_SIG *val_in"
-.Fa "unsigned char **der_out"
-.Fc
-.Ft X509_SIG *
-.Fo d2i_PKCS8_bio
-.Fa "BIO *in_bio"
-.Fa "X509_SIG **val_out"
-.Fc
-.Ft int
-.Fo i2d_PKCS8_bio
-.Fa "BIO *out_bio"
-.Fa "X509_SIG *val_in"
-.Fc
-.Ft X509_SIG *
-.Fo d2i_PKCS8_fp
-.Fa "FILE *in_fp"
-.Fa "X509_SIG **val_out"
-.Fc
-.Ft int
-.Fo i2d_PKCS8_fp
-.Fa "FILE *out_fp"
-.Fa "X509_SIG *val_in"
-.Fc
-.Sh DESCRIPTION
-.Fn d2i_X509_SIG
-and
-.Fn i2d_X509_SIG
-decode and encode an ASN.1
-.Vt DigestInfo
-structure defined in RFC 2315 section 9.4
-and equivalently in RFC 8017 section 9.2.
-For details about the semantics, examples, caveats, and bugs, see
-.Xr ASN1_item_d2i 3 .
-.Pp
-.Fn d2i_PKCS8_bio
-and
-.Fn d2i_PKCS8_fp
-are similar to
-.Fn d2i_X509_SIG
-except that they read from a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Pp
-.Fn i2d_PKCS8_bio
-and
-.Fn i2d_PKCS8_fp
-are similar to
-.Fn i2d_X509_SIG
-except that they write to a
-.Vt BIO
-or
-.Vt FILE
-pointer.
-.Sh RETURN VALUES
-.Fn d2i_X509_SIG ,
-.Fn d2i_PKCS8_bio ,
-and
-.Fn d2i_PKCS8_fp
-return a
-.Vt X509_SIG
-object or
-.Dv NULL
-if an error occurs.
-.Pp
-.Fn i2d_X509_SIG
-returns the number of bytes successfully encoded or a negative value
-if an error occurs.
-.Pp
-.Fn i2d_PKCS8_bio
-and
-.Fn i2d_PKCS8_fp
-return 1 for success or 0 if an error occurs.
-.Sh SEE ALSO
-.Xr ASN1_item_d2i 3 ,
-.Xr PKCS7_new 3 ,
-.Xr RSA_sign 3 ,
-.Xr X509_SIG_new 3
-.Sh STANDARDS
-RFC 2315: PKCS #7: Cryptographic Message Syntax,
-section 9: Signed-data content type
-.Pp
-RFC 8017: PKCS #1: RSA Cryptography Specifications,
-section 9: Encoding Methods for Signatures
-.Sh HISTORY
-.Fn d2i_X509_SIG
-and
-.Fn i2d_X509_SIG
-first appeared in SSLeay 0.5.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn d2i_PKCS8_bio ,
-.Fn i2d_PKCS8_bio ,
-.Fn d2i_PKCS8_fp ,
-and
-.Fn i2d_PKCS8_fp
-first appeared in OpenSSL 0.9.4 and have been available since
-.Ox 2.6 .
-.Sh BUGS
-.Fn d2i_PKCS8_bio ,
-.Fn i2d_PKCS8_bio ,
-.Fn d2i_PKCS8_fp ,
-and
-.Fn i2d_PKCS8_fp
-are severely misnamed and should have been called
-.Dq d2i_X509_SIG_bio
-and so on.
-.Pp
-Or arguably, the
-.Vt X509_SIG
-object is misnamed itself, considering that it represents
-.Vt DigestInfo
-from PKCS#7 and PKCS#1.
-Then again, calling it
-.Dq PKCS8
-instead clearly isn't an improvement.
-.Pp
-Either way, these names just don't fit.
diff --git a/src/lib/libcrypto/man/des_read_pw.3 b/src/lib/libcrypto/man/des_read_pw.3
deleted file mode 100644
index 7cb35b47f8..0000000000
--- a/src/lib/libcrypto/man/des_read_pw.3
+++ /dev/null
@@ -1,197 +0,0 @@
-.\" $OpenBSD: des_read_pw.3,v 1.12 2024/08/24 07:48:37 tb Exp $
-.\" full merge up to: OpenSSL doc/crypto/des.pod
-.\" 53934822 Jun 9 16:39:19 2016 -0400
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 24 2024 $
-.Dt DES_READ_PW 3
-.Os
-.Sh NAME
-.Nm EVP_read_pw_string ,
-.Nm EVP_read_pw_string_min ,
-.Nm EVP_set_pw_prompt ,
-.Nm EVP_get_pw_prompt
-.Nd compatibility user interface functions
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Ft int
-.Fo EVP_read_pw_string
-.Fa "char *buf"
-.Fa "int length"
-.Fa "const char *prompt"
-.Fa "int verify"
-.Fc
-.Ft int
-.Fo EVP_read_pw_string_min
-.Fa "char *buf"
-.Fa "int min_length"
-.Fa "int length"
-.Fa "const char *prompt"
-.Fa "int verify"
-.Fc
-.Ft void
-.Fo EVP_set_pw_prompt
-.Fa "const char *default_prompt"
-.Fc
-.Ft char *
-.Fn EVP_get_pw_prompt void
-.Sh DESCRIPTION
-.Fn EVP_read_pw_string
-writes the
-.Fa prompt
-to
-.Pa /dev/tty ,
-or, if that could not be opened, to standard output, turns echo off,
-and reads an input string from
-.Pa /dev/tty ,
-or, if that could not be opened, from standard input.
-The string is returned in
-.Fa buf ,
-which must have space for at least
-.Fa length
-bytes.
-If the
-.Fa length
-argument exceeds
-.Dv BUFSIZ ,
-.Dv BUFSIZ
-is used instead.
-If
-.Fa verify
-is set, the user is asked for the password twice and unless the two
-copies match, an error is returned.
-.Pp
-.Fn EVP_read_pw_string_min
-additionally checks that the password is at least
-.Fa min_length
-bytes long.
-.Pp
-.Fn EVP_set_pw_prompt
-sets a default prompt to a copy of
-.Fa default_prompt ,
-or clears the default prompt if the
-.Fa default_prompt
-argument is
-.Dv NULL
-or an empty string.
-If the
-.Fa default_prompt
-argument is longer than 79 bytes,
-the copy is silently truncated to a string length of 79 bytes.
-.Pp
-As long as a default prompt is set,
-.Fn EVP_read_pw_string
-and
-.Fn EVP_read_pw_string_min
-can be called with a
-.Fa prompt
-argument of
-.Dv NULL ,
-in which case the default prompt is used instead.
-.Sh RETURN VALUES
-.Fn EVP_read_pw_string
-and
-.Fn EVP_read_pw_string_min
-return 0 on success or a negative value on failure.
-.Pp
-They return \-1 if
-.Fa length
-is less than or equal to zero or on memory allocation failure.
-They return \-1 or \-2 if the internal call to
-.Xr UI_process 3
-fails.
-.Pp
-In addition,
-.Fa EVP_read_pw_string_min
-returns \-1 if
-.Fa min_length
-is negative, if
-.Fa length
-is less than or equal to
-.Fa min_length ,
-or if the user entered a password shorter than
-.Fa min_length .
-.Pp
-.Fn EVP_get_pw_prompt
-returns an internal pointer to static memory containing the default prompt, or
-.Dv NULL
-if no default prompt is set.
-.Sh SEE ALSO
-.Xr UI_new 3
-.Sh HISTORY
-.Fn EVP_read_pw_string
-first appeared in SSLeay 0.5.1 and
-.Fn EVP_set_pw_prompt
-and
-.Fn EVP_get_pw_prompt
-in SSLeay 0.6.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn EVP_read_pw_string_min
-first appeared in OpenSSL 1.0.0
-and has been available since
-.Ox 4.9 .
diff --git a/src/lib/libcrypto/man/evp.3 b/src/lib/libcrypto/man/evp.3
deleted file mode 100644
index 2c54c0f981..0000000000
--- a/src/lib/libcrypto/man/evp.3
+++ /dev/null
@@ -1,249 +0,0 @@
-.\" $OpenBSD: evp.3,v 1.36 2024/12/06 14:27:49 schwarze Exp $
-.\" full merge up to: OpenSSL man7/evp 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>,
-.\" Matt Caswell <matt@openssl.org>, Geoff Thorpe <geoff@openssl.org>,
-.\" and Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2006, 2013, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 6 2024 $
-.Dt EVP 3
-.Os
-.Sh NAME
-.Nm evp
-.Nd high-level cryptographic functions
-.Sh SYNOPSIS
-.In openssl/evp.h
-.Sh DESCRIPTION
-The EVP library provides a high-level interface to cryptographic
-functions.
-The abbreviation
-.Dq EVP
-is intended to mean
-.Dq EnVeloPe
-in the sense of
-.Dq wrapper library .
-It is not related to the technical meaning of the term
-.Dq envelope
-in contexts like
-.Xr CMS_encrypt 3 ,
-.Xr EVP_SealInit 3 ,
-.Xr PKCS7_encrypt 3 ,
-or
-.Xr SMIME_write_ASN1 3 .
-.Pp
-.Xr EVP_SealInit 3
-and
-.Xr EVP_OpenInit 3
-provide public key encryption and decryption to implement digital
-"envelopes".
-.Pp
-The
-.Xr EVP_DigestSignInit 3
-and
-.Xr EVP_DigestVerifyInit 3
-functions implement digital signatures and Message Authentication Codes
-(MACs).
-Also see the older
-.Xr EVP_SignInit 3
-and
-.Xr EVP_VerifyInit 3
-functions.
-.Pp
-Symmetric encryption is available with the
-.Xr EVP_EncryptInit 3
-functions.
-The
-.Xr EVP_DigestInit 3
-functions provide message digests.
-.Pp
-Authenticated encryption with additional data (AEAD) is available with
-the
-.Xr EVP_AEAD_CTX_init 3
-functions.
-.Pp
-The
-.Fn EVP_PKEY_*
-functions provide a high-level interface to asymmetric algorithms.
-To create a new
-.Vt EVP_PKEY ,
-see
-.Xr EVP_PKEY_new 3 .
-.Vt EVP_PKEY Ns s
-can be associated with a private key of a particular algorithm
-by using the functions described in the
-.Xr EVP_PKEY_set1_RSA 3
-page, or new keys can be generated using
-.Xr EVP_PKEY_keygen 3 .
-.Vt EVP_PKEY Ns s
-can be compared using
-.Xr EVP_PKEY_cmp 3
-or printed using
-.Xr EVP_PKEY_print_private 3 .
-.Pp
-The
-.Fn EVP_PKEY_*
-functions support the full range of asymmetric algorithm operations:
-.Bl -bullet
-.It
-For key agreement, see
-.Xr EVP_PKEY_derive 3 .
-.It
-For signing and verifying, see
-.Xr EVP_PKEY_sign 3 ,
-.Xr EVP_PKEY_verify 3 ,
-and
-.Xr EVP_PKEY_verify_recover 3 .
-However, note that these functions do not perform a digest of the
-data to be signed.
-Therefore, normally you would use the
-.Xr EVP_DigestSignInit 3
-functions for this purpose.
-.It
-For encryption and decryption see
-.Xr EVP_PKEY_encrypt 3
-and
-.Xr EVP_PKEY_decrypt 3 ,
-respectively.
-However, note that these functions perform encryption and decryption only.
-As public key encryption is an expensive operation, normally you
-would wrap an encrypted message in a digital envelope using the
-.Xr EVP_SealInit 3
-and
-.Xr EVP_OpenInit 3
-functions.
-.El
-.Pp
-The
-.Xr EVP_BytesToKey 3
-function provides some limited support for password based encryption.
-Careful selection of the parameters will provide a PKCS#5 PBKDF1
-compatible implementation.
-However, new applications should typically not use this (preferring, for
-example, PBKDF2 from PCKS#5).
-.Pp
-The
-.Xr EVP_EncodeInit 3
-family of functions provides base64 encoding and decoding.
-.Sh SEE ALSO
-.Xr ASN1_item_digest 3 ,
-.Xr ASN1_item_sign 3 ,
-.Xr BIO_f_cipher 3 ,
-.Xr BIO_f_md 3 ,
-.Xr CMAC_Init 3 ,
-.Xr CMS_encrypt 3 ,
-.Xr CMS_sign 3 ,
-.Xr crypto 3 ,
-.Xr d2i_PKCS8PrivateKey_bio 3 ,
-.Xr d2i_PrivateKey 3 ,
-.Xr EVP_AEAD_CTX_init 3 ,
-.Xr EVP_aes_128_cbc 3 ,
-.Xr EVP_BytesToKey 3 ,
-.Xr EVP_camellia_128_cbc 3 ,
-.Xr EVP_chacha20 3 ,
-.Xr EVP_CIPHER_CTX_ctrl 3 ,
-.Xr EVP_CIPHER_CTX_get_cipher_data 3 ,
-.Xr EVP_CIPHER_CTX_init 3 ,
-.Xr EVP_CIPHER_CTX_set_flags 3 ,
-.Xr EVP_CIPHER_do_all 3 ,
-.Xr EVP_CIPHER_meth_new 3 ,
-.Xr EVP_CIPHER_nid 3 ,
-.Xr EVP_des_cbc 3 ,
-.Xr EVP_DigestInit 3 ,
-.Xr EVP_DigestSignInit 3 ,
-.Xr EVP_DigestVerifyInit 3 ,
-.Xr EVP_EncodeInit 3 ,
-.Xr EVP_EncryptInit 3 ,
-.Xr EVP_MD_CTX_ctrl 3 ,
-.Xr EVP_MD_nid 3 ,
-.Xr EVP_OpenInit 3 ,
-.Xr EVP_PKCS82PKEY 3 ,
-.Xr EVP_PKEY_asn1_get_count 3 ,
-.Xr EVP_PKEY_cmp 3 ,
-.Xr EVP_PKEY_CTX_ctrl 3 ,
-.Xr EVP_PKEY_CTX_get_operation 3 ,
-.Xr EVP_PKEY_CTX_new 3 ,
-.Xr EVP_PKEY_CTX_set_hkdf_md 3 ,
-.Xr EVP_PKEY_decrypt 3 ,
-.Xr EVP_PKEY_derive 3 ,
-.Xr EVP_PKEY_encrypt 3 ,
-.Xr EVP_PKEY_get_default_digest_nid 3 ,
-.Xr EVP_PKEY_keygen 3 ,
-.Xr EVP_PKEY_new 3 ,
-.Xr EVP_PKEY_print_private 3 ,
-.Xr EVP_PKEY_set1_RSA 3 ,
-.Xr EVP_PKEY_sign 3 ,
-.Xr EVP_PKEY_size 3 ,
-.Xr EVP_PKEY_verify 3 ,
-.Xr EVP_PKEY_verify_recover 3 ,
-.Xr EVP_rc4 3 ,
-.Xr EVP_SealInit 3 ,
-.Xr EVP_sha1 3 ,
-.Xr EVP_sha3_224 3 ,
-.Xr EVP_SignInit 3 ,
-.Xr EVP_sm3 3 ,
-.Xr EVP_sm4_cbc 3 ,
-.Xr EVP_VerifyInit 3 ,
-.Xr HMAC 3 ,
-.Xr OCSP_basic_sign 3 ,
-.Xr OCSP_request_sign 3 ,
-.Xr PEM_get_EVP_CIPHER_INFO 3 ,
-.Xr PEM_read_bio_PrivateKey 3 ,
-.Xr PKCS12_create 3 ,
-.Xr PKCS5_PBKDF2_HMAC 3 ,
-.Xr PKCS7_encrypt 3 ,
-.Xr PKCS7_sign 3 ,
-.Xr RSA_pkey_ctx_ctrl 3 ,
-.Xr SSL_CTX_set_tlsext_ticket_key_cb 3 ,
-.Xr X509_ALGOR_set0 3 ,
-.Xr X509_check_private_key 3 ,
-.Xr X509_digest 3 ,
-.Xr X509_get_pubkey 3 ,
-.Xr X509_PUBKEY_set 3 ,
-.Xr X509_sign 3 ,
-.Xr X509_to_X509_REQ 3
diff --git a/src/lib/libcrypto/man/i2a_ASN1_STRING.3 b/src/lib/libcrypto/man/i2a_ASN1_STRING.3
deleted file mode 100644
index 7d46474775..0000000000
--- a/src/lib/libcrypto/man/i2a_ASN1_STRING.3
+++ /dev/null
@@ -1,255 +0,0 @@
-.\" $OpenBSD: i2a_ASN1_STRING.3,v 1.5 2024/12/27 15:30:17 schwarze Exp $
-.\"
-.\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 27 2024 $
-.Dt I2A_ASN1_STRING 3
-.Os
-.Sh NAME
-.Nm i2a_ASN1_STRING ,
-.Nm i2a_ASN1_INTEGER ,
-.Nm i2a_ASN1_ENUMERATED ,
-.Nm a2i_ASN1_STRING ,
-.Nm a2i_ASN1_INTEGER ,
-.Nm a2i_ASN1_ENUMERATED
-.Nd hexadecimal dump of an ASN.1 string
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft int
-.Fo i2a_ASN1_STRING
-.Fa "BIO *out_bio"
-.Fa "const ASN1_STRING *a"
-.Fa "int type"
-.Fc
-.Ft int
-.Fo i2a_ASN1_INTEGER
-.Fa "BIO *out_bio"
-.Fa "const ASN1_INTEGER *a"
-.Fc
-.Ft int
-.Fo i2a_ASN1_ENUMERATED
-.Fa "BIO *out_bio"
-.Fa "const i2a_ASN1_ENUMERATED *a"
-.Fc
-.Ft int
-.Fo a2i_ASN1_STRING
-.Fa "BIO *in_bio"
-.Fa "ASN1_STRING *out_string"
-.Fa "char *buffer"
-.Fa "int size"
-.Fc
-.Ft int
-.Fo a2i_ASN1_INTEGER
-.Fa "BIO *in_bio"
-.Fa "ASN1_INTEGER *out_string"
-.Fa "char *buffer"
-.Fa "int size"
-.Fc
-.Ft int
-.Fo a2i_ASN1_ENUMERATED
-.Fa "BIO *in_bio"
-.Fa "ASN1_ENUMERATED *out_string"
-.Fa "char *buffer"
-.Fa "int size"
-.Fc
-.Sh DESCRIPTION
-The functions
-.Fn i2a_ASN1_STRING ,
-.Fn i2a_ASN1_INTEGER ,
-and
-.Fn i2a_ASN1_ENUMERATED
-write a hexadecimal representation of
-.Fa a
-to
-.Fa out_bio .
-The
-.Fa type
-argument is ignored.
-.Pp
-Each byte of
-.Xr ASN1_STRING_get0_data 3
-is written as a number consisting of two upper-case hexadecimal digits.
-After each group of 70 digits, a backslash and a linefeed
-are inserted before the next digit.
-.Pp
-If the
-.Xr ASN1_STRING_length 3
-of
-.Fa a
-is 0, instead a pair of zero digits
-.Pq Qq 00
-is written by
-.Fn i2a_ASN1_INTEGER
-and
-.Fn i2a_ASN1_ENUMERATED
-and a single zero digit
-.Pq Qq 0
-by
-.Fn i2a_ASN1_STRING .
-If
-.Fa a
-is a
-.Dv NULL
-pointer, nothing is written.
-.Pp
-If
-.Fa a
-represents a negative integer,
-.Fn i2a_ASN1_INTEGER
-prepends a minus sign to the output.
-.Pp
-The functions
-.Fn a2i_ASN1_STRING ,
-.Fn a2i_ASN1_INTEGER ,
-and
-.Fn a2i_ASN1_ENUMERATED
-parse a hexadecimal representation of an ASN.1 string into
-.Fa out_string .
-Both lower-case and upper-case hexadecimal digits are accepted.
-Every pair of input digits is converted into one output byte.
-.Pp
-On every input line, the trailing newline character and an optional
-carriage return character preceding it are ignored.
-The trailing newline need not be present on the last line.
-If there is a backslash character before the newline character,
-parsing is continued on the next input line.
-.Pp
-At least one pair of input digits is required by
-.Fn a2i_ASN1_INTEGER
-and
-.Fn a2i_ASN1_ENUMERATED ,
-whereas
-.Fn a2i_ASN1_STRING
-converts empty input to an empty string.
-.Pp
-These functions are able to parse the output of
-.Fn i2a_ASN1_ENUMERATED .
-They can parse the output of
-.Fn i2a_ASN1_INTEGER
-unless
-.Fa a
-was negative, and they can parse the output of
-.Fn i2a_ASN1_STRING
-unless the
-.Xr ASN1_STRING_length 3
-of
-.Fa a
-was 0.
-.Pp
-Parsing fails if an input line contains an odd number of input
-digits or if memory allocation fails.
-.Pp
-These functions use the
-.Fa buffer
-provided by the caller and assume it is at least
-.Fa size
-bytes long.
-It is unspecified what the buffer contains after the functions return.
-.Sh RETURN VALUES
-The functions
-.Fn i2a_ASN1_STRING ,
-.Fn i2a_ASN1_INTEGER ,
-and
-.Fn i2a_ASN1_ENUMERATED
-return the number of bytes written or \-1 if
-.Xr BIO_write 3
-fails.
-In particular, they all return 0 when
-.Fa a
-is a
-.Dv NULL
-pointer.
-.Fn i2a_ASN1_STRING
-returns 1 for an empty string or an even number greater than 1
-for a string that is not empty.
-.Fn i2a_ASN1_INTEGER
-returns an even number greater than 1 for positive input
-or an odd number greater than 2 for negative input.
-.Fn i2a_ASN1_ENUMERATED
-always returns a non-negative even number when successful.
-.Pp
-The functions
-.Fn a2i_ASN1_STRING ,
-.Fn a2i_ASN1_INTEGER ,
-and
-.Fn a2i_ASN1_ENUMERATED
-are intended to return 1 for success or 0 for failure, but see the
-.Sx BUGS
-section for a number of traps.
-.Sh SEE ALSO
-.Xr a2i_ipadd 3 ,
-.Xr ASN1_STRING_length 3 ,
-.Xr ASN1_STRING_new 3 ,
-.Xr ASN1_STRING_print_ex 3 ,
-.Xr i2a_ASN1_OBJECT 3 ,
-.Xr i2s_ASN1_INTEGER 3
-.Sh HISTORY
-.Fn i2a_ASN1_INTEGER
-and
-.Fn a2i_ASN1_INTEGER
-first appeared in SSLeay 0.6.0.
-.Fn i2a_ASN1_STRING
-and
-.Fn a2i_ASN1_STRING
-first appeared in SSLeay 0.6.5.
-.Fn a2i_ASN1_STRING
-has been part of the public API since SSLeay 0.6.5 and
-.Fn i2a_ASN1_STRING
-since SSLeay 0.8.0.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn i2a_ASN1_ENUMERATED
-and
-.Fn a2i_ASN1_ENUMERATED
-first appeared in OpenSSL 0.9.2 and have been available since
-.Ox 2.6 .
-.Sh BUGS
-If the first call to
-.Xr BIO_gets 3
-does not return any data, even if that is caused by a fatal I/O error,
-if the BIO type does not support the
-.Dq gets
-operation, or if it is caused by the BIO being non-blocking,
-.Fn a2i_ASN1_STRING
-immediately succeeds and returns an empty
-.Fa out_string .
-.Pp
-If
-.Fn BIO_gets 3
-returns a partial line, for example because the given
-.Fa size
-is insufficient to contain one of the input lines
-or for reasons specific to the BIO type,
-.Fn a2i_ASN1_STRING ,
-.Fn a2i_ASN1_INTEGER ,
-and
-.Fn a2i_ASN1_ENUMERATED
-may fail or silently return a truncated result.
-The caller is responsible for providing a
-.Fa buffer
-of sufficient size to contain the longest possible input line
-and for choosing a BIO of a type that only returns complete
-input lines and does not perform partial reads.
-.Pp
-The functions
-.Fn a2i_ASN1_STRING ,
-.Fn a2i_ASN1_INTEGER ,
-and
-.Fn a2i_ASN1_ENUMERATED
-do not support non-blocking BIOs.
-Reading is terminated as soon as
-.Xr BIO_gets 3
-returns a value less than 1.
diff --git a/src/lib/libcrypto/man/i2d_CMS_bio_stream.3 b/src/lib/libcrypto/man/i2d_CMS_bio_stream.3
deleted file mode 100644
index b60468464c..0000000000
--- a/src/lib/libcrypto/man/i2d_CMS_bio_stream.3
+++ /dev/null
@@ -1,95 +0,0 @@
-.\" $OpenBSD: i2d_CMS_bio_stream.3,v 1.6 2023/05/01 07:28:11 tb Exp $
-.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 1 2023 $
-.Dt I2D_CMS_BIO_STREAM 3
-.Os
-.Sh NAME
-.Nm i2d_CMS_bio_stream
-.Nd output CMS_ContentInfo structure in BER format
-.Sh SYNOPSIS
-.In openssl/cms.h
-.Ft int
-.Fo i2d_CMS_bio_stream
-.Fa "BIO *out"
-.Fa "CMS_ContentInfo *cms"
-.Fa "BIO *data"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn i2d_CMS_bio_stream
-outputs a
-.Vt CMS_ContentInfo
-structure in BER format.
-.Pp
-It is otherwise identical to the function
-.Xr SMIME_write_CMS 3 .
-.Pp
-This function is effectively a version of
-.Xr i2d_CMS_bio 3
-supporting streaming.
-.Sh RETURN VALUES
-.Fn i2d_CMS_bio_stream
-returns 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr CMS_ContentInfo_new 3 ,
-.Xr CMS_encrypt 3 ,
-.Xr CMS_sign 3 ,
-.Xr ERR_get_error 3 ,
-.Xr PEM_write_bio_CMS_stream 3 ,
-.Xr SMIME_write_CMS 3
-.Sh HISTORY
-.Fn i2d_CMS_bio_stream
-first appeared in OpenSSL 1.0.0
-and has been available since
-.Ox 6.7 .
-.Sh BUGS
-The prefix "i2d" is arguably wrong because the function outputs BER
-format.
diff --git a/src/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 b/src/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
deleted file mode 100644
index 7a47ba3026..0000000000
--- a/src/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
+++ /dev/null
@@ -1,94 +0,0 @@
-.\" $OpenBSD: i2d_PKCS7_bio_stream.3,v 1.11 2023/05/01 07:28:11 tb Exp $
-.\" OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2007, 2008, 2009, 2013 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 1 2023 $
-.Dt I2D_PKCS7_BIO_STREAM 3
-.Os
-.Sh NAME
-.Nm i2d_PKCS7_bio_stream
-.Nd output PKCS7 structure in BER format
-.Sh SYNOPSIS
-.In openssl/pkcs7.h
-.Ft int
-.Fo i2d_PKCS7_bio_stream
-.Fa "BIO *out"
-.Fa "PKCS7 *p7"
-.Fa "BIO *data"
-.Fa "int flags"
-.Fc
-.Sh DESCRIPTION
-.Fn i2d_PKCS7_bio_stream
-outputs a
-.Vt PKCS7
-structure in BER format.
-It is otherwise identical to the function
-.Xr SMIME_write_PKCS7 3 .
-This function is effectively a version of
-.Xr i2d_PKCS7_bio 3
-supporting streaming.
-.Sh RETURN VALUES
-.Fn i2d_PKCS7_bio_stream
-returns 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ERR_get_error 3 ,
-.Xr PEM_write_bio_PKCS7_stream 3 ,
-.Xr PEM_write_PKCS7 3 ,
-.Xr PKCS7_final 3 ,
-.Xr PKCS7_new 3 ,
-.Xr SMIME_write_PKCS7 3
-.Sh HISTORY
-.Fn i2d_PKCS7_bio_stream
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
-.Sh BUGS
-The prefix "i2d" is arguably wrong because the function outputs BER
-format.
diff --git a/src/lib/libcrypto/man/lh_new.3 b/src/lib/libcrypto/man/lh_new.3
deleted file mode 100644
index 2550a7d2e7..0000000000
--- a/src/lib/libcrypto/man/lh_new.3
+++ /dev/null
@@ -1,554 +0,0 @@
-.\" $OpenBSD: lh_new.3,v 1.13 2024/03/05 22:15:29 tb Exp $
-.\" full merge up to:
-.\" OpenSSL doc/crypto/lhash.pod 1bc74519 May 20 08:11:46 2016 -0400
-.\" selective merge up to:
-.\" OpenSSL doc/man3/OPENSSL_LH_COMPFUNC.pod 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" --------------------------------------------------------------------------
-.\" Major patches to this file were contributed by
-.\" Ulf Moeller <ulf@openssl.org>, Geoff Thorpe <geoff@openssl.org>,
-.\" and Ben Laurie <ben@openssl.org>.
-.\" --------------------------------------------------------------------------
-.\" Copyright (c) 2000, 2001, 2002, 2008, 2009 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" --------------------------------------------------------------------------
-.\" Parts of this file are derived from SSLeay documentation,
-.\" which is covered by the following Copyright and license:
-.\" --------------------------------------------------------------------------
-.\"
-.\" Copyright (C) 1995-1998 Tim Hudson (tjh@cryptsoft.com)
-.\" All rights reserved.
-.\"
-.\" This package is an SSL implementation written
-.\" by Eric Young (eay@cryptsoft.com).
-.\" The implementation was written so as to conform with Netscapes SSL.
-.\"
-.\" This library is free for commercial and non-commercial use as long as
-.\" the following conditions are aheared to.  The following conditions
-.\" apply to all code found in this distribution, be it the RC4, RSA,
-.\" lhash, DES, etc., code; not just the SSL code.  The SSL documentation
-.\" included with this distribution is covered by the same copyright terms
-.\" except that the holder is Tim Hudson (tjh@cryptsoft.com).
-.\"
-.\" Copyright remains Eric Young's, and as such any Copyright notices in
-.\" the code are not to be removed.
-.\" If this package is used in a product, Eric Young should be given
-.\" attribution as the author of the parts of the library used.
-.\" This can be in the form of a textual message at program startup or
-.\" in documentation (online or textual) provided with the package.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\"    must display the following acknowledgement:
-.\"    "This product includes cryptographic software written by
-.\"     Eric Young (eay@cryptsoft.com)"
-.\"    The word 'cryptographic' can be left out if the rouines from the
-.\"    library being used are not cryptographic related :-).
-.\" 4. If you include any Windows specific code (or a derivative thereof)
-.\"    from the apps directory (application code) you must include an
-.\"    acknowledgement: "This product includes software written by
-.\"    Tim Hudson (tjh@cryptsoft.com)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" The licence and distribution terms for any publically available version or
-.\" derivative of this code cannot be changed.  i.e. this code cannot simply be
-.\" copied and put under another distribution licence
-.\" [including the GNU Public Licence.]
-.\"
-.Dd $Mdocdate: March 5 2024 $
-.Dt LH_NEW 3
-.Os
-.Sh NAME
-.Nm lh_new ,
-.Nm lh_free ,
-.Nm lh_insert ,
-.Nm lh_delete ,
-.Nm lh_retrieve ,
-.Nm lh_doall ,
-.Nm lh_doall_arg ,
-.Nm lh_error ,
-.Nm LHASH_COMP_FN_TYPE ,
-.Nm LHASH_HASH_FN_TYPE ,
-.Nm LHASH_DOALL_FN_TYPE ,
-.Nm LHASH_DOALL_ARG_FN_TYPE ,
-.Nm lh_strhash
-.Nd dynamic hash table
-.Sh SYNOPSIS
-.In openssl/lhash.h
-.Fn DECLARE_LHASH_OF <type>
-.Ft LHASH *
-.Fn lh_<type>_new void
-.Ft void
-.Fo lh_<type>_free
-.Fa "LHASH_OF(<type>) *table"
-.Fc
-.Ft <type> *
-.Fo lh_<type>_insert
-.Fa "LHASH_OF(<type>) *table"
-.Fa "<type> *data"
-.Fc
-.Ft <type> *
-.Fo lh_<type>_delete
-.Fa "LHASH_OF(<type>) *table"
-.Fa "<type> *data"
-.Fc
-.Ft <type> *
-.Fo lh_<type>_retrieve
-.Fa "LHASH_OF(<type>) *table"
-.Fa "<type> *data"
-.Fc
-.Ft void
-.Fo lh_<type>_doall
-.Fa "LHASH_OF(<type>) *table"
-.Fa "LHASH_DOALL_FN_TYPE func"
-.Fc
-.Ft void
-.Fo lh_<type>_doall_arg
-.Fa "LHASH_OF(<type>) *table"
-.Fa "LHASH_DOALL_ARG_FN_TYPE func"
-.Fa "<type2>"
-.Fa "<type2> *arg"
-.Fc
-.Ft int
-.Fo lh_<type>_error
-.Fa "LHASH_OF(<type>) *table"
-.Fc
-.Ft typedef int
-.Fo (*LHASH_COMP_FN_TYPE)
-.Fa "const void *"
-.Fa "const void *"
-.Fc
-.Ft typedef unsigned long
-.Fo (*LHASH_HASH_FN_TYPE)
-.Fa "const void *"
-.Fc
-.Ft typedef void
-.Fo (*LHASH_DOALL_FN_TYPE)
-.Fa "const void *"
-.Fc
-.Ft typedef void
-.Fo (*LHASH_DOALL_ARG_FN_TYPE)
-.Fa "const void *"
-.Fa "const void *"
-.Fc
-.Ft unsigned long
-.Fo lh_strhash
-.Fa "const char *c"
-.Fc
-.Sh DESCRIPTION
-This library implements type-checked dynamic hash tables.
-The hash table entries can be arbitrary structures.
-Usually they consist of key and value fields.
-.Pp
-.Fn lh_<type>_new
-creates a new
-.Vt LHASH_OF(<type>)
-structure to store arbitrary data entries, and provides the hash and
-compare callbacks to be used in organising the table's entries.
-The hash callback takes a pointer to a table entry as its argument
-and returns an unsigned long hash value for its key field.
-The hash value is normally truncated to a power of 2, so make sure that
-your hash function returns well mixed low order bits.
-The compare callback takes two arguments (pointers to two hash table
-entries), and returns 0 if their keys are equal, non-zero otherwise.
-If your hash table will contain items of some particular type and the
-hash and compare callbacks hash and compare these types, then the
-.Fn DECLARE_LHASH_HASH_FN
-and
-.Fn IMPLEMENT_LHASH_COMP_FN
-macros can be used to create callback wrappers of the prototypes
-required by
-.Fn lh_<type>_new .
-These provide per-variable casts before calling the type-specific
-callbacks written by the application author.
-These macros, as well as those used for the doall callbacks, are
-defined as;
-.Bd -literal -offset 2n
-#define DECLARE_LHASH_HASH_FN(name, o_type) \e
-        unsigned long name##_LHASH_HASH(const void *);
-#define IMPLEMENT_LHASH_HASH_FN(name, o_type) \e
-        unsigned long name##_LHASH_HASH(const void *arg) { \e
-                const o_type *a = arg; \e
-                return name##_hash(a); }
-#define LHASH_HASH_FN(name) name##_LHASH_HASH
-
-#define DECLARE_LHASH_COMP_FN(name, o_type) \e
-        int name##_LHASH_COMP(const void *, const void *);
-#define IMPLEMENT_LHASH_COMP_FN(name, o_type) \e
-        int name##_LHASH_COMP(const void *arg1, const void *arg2) { \e
-                const o_type *a = arg1;             \e
-                const o_type *b = arg2; \e
-                return name##_cmp(a,b); }
-#define LHASH_COMP_FN(name) name##_LHASH_COMP
-
-#define DECLARE_LHASH_DOALL_FN(name, o_type) \e
-        void name##_LHASH_DOALL(void *);
-#define IMPLEMENT_LHASH_DOALL_FN(name, o_type) \e
-        void name##_LHASH_DOALL(void *arg) { \e
-                o_type *a = arg; \e
-                name##_doall(a); }
-#define LHASH_DOALL_FN(name) name##_LHASH_DOALL
-
-#define DECLARE_LHASH_DOALL_ARG_FN(name, o_type, a_type) \e
-        void name##_LHASH_DOALL_ARG(void *, void *);
-#define IMPLEMENT_LHASH_DOALL_ARG_FN(name, o_type, a_type) \e
-        void name##_LHASH_DOALL_ARG(void *arg1, void *arg2) { \e
-                o_type *a = arg1; \e
-                a_type *b = arg2; \e
-                name##_doall_arg(a, b); }
-#define LHASH_DOALL_ARG_FN(name) name##_LHASH_DOALL_ARG
-.Ed
-.Pp
-An example of a hash table storing (pointers to) structures of type
-\&'STUFF' could be defined as follows;
-.Bd -literal -offset 2n
-/* Calculate the hash value of 'tohash' (implemented elsewhere) */
-unsigned long STUFF_hash(const STUFF *tohash);
-/* Order 'arg1' and 'arg2' (implemented elsewhere) */
-int stuff_cmp(const STUFF *arg1, const STUFF *arg2);
-/* Create type-safe wrapper functions for use in the LHASH internals */
-static IMPLEMENT_LHASH_HASH_FN(stuff, STUFF);
-static IMPLEMENT_LHASH_COMP_FN(stuff, STUFF);
-/* ... */
-int main(int argc, char *argv[]) {
-        /* Create the new hash table using the hash/compare wrappers */
-        LHASH_OF(STUFF) *hashtable =
-            lh_STUFF_new(LHASH_HASH_FN(STUFF_hash),
-                LHASH_COMP_FN(STUFF_cmp));
-        /* ... */
-}
-.Ed
-.Pp
-.Fn lh_<type>_free
-frees the
-.Vt LHASH_OF(<type>)
-structure
-.Fa table .
-Allocated hash table entries will not be freed; consider using
-.Fn lh_<type>_doall
-to deallocate any remaining entries in the hash table (see below).
-.Pp
-.Fn lh_<type>_insert
-inserts the structure pointed to by
-.Fa data
-into
-.Fa table .
-If there already is an entry with the same key, the old value is
-replaced.
-Note that
-.Fn lh_<type>_insert
-stores pointers, the data are not copied.
-.Pp
-.Fn lh_<type>_delete
-deletes an entry from
-.Fa table .
-.Pp
-.Fn lh_<type>_retrieve
-looks up an entry in
-.Fa table .
-Normally,
-.Fa data
-is a structure with the key field(s) set; the function will return a
-pointer to a fully populated structure.
-.Pp
-.Fn lh_<type>_doall
-will, for every entry in the hash table, call
-.Fa func
-with the data item as its parameter.
-For
-.Fn lh_<type>_doall
-and
-.Fn lh_<type>_doall_arg ,
-function pointer casting should be avoided in the callbacks (see
-.Sx NOTES )
-\(em instead use the declare/implement macros to create type-checked
-wrappers that cast variables prior to calling your type-specific
-callbacks.
-An example of this is illustrated here where the callback is used to
-cleanup resources for items in the hash table prior to the hashtable
-itself being deallocated:
-.Bd -literal -offset 2n
-/* Clean up resources belonging to 'a' (this is implemented elsewhere) */
-void STUFF_cleanup_doall(STUFF *a);
-/* Implement a prototype-compatible wrapper for "STUFF_cleanup" */
-IMPLEMENT_LHASH_DOALL_FN(STUFF_cleanup, STUFF)
-        /* ... then later in the code ... */
-/* So to run "STUFF_cleanup" against all items in a hash table ... */
-lh_STUFF_doall(hashtable, LHASH_DOALL_FN(STUFF_cleanup));
-/* Then the hash table itself can be deallocated */
-lh_STUFF_free(hashtable);
-.Ed
-.Pp
-A callback may delete entries from the hash table, however, it is
-not safe to insert new entries.
-.Pp
-.Fn lh_<type>_doall_arg
-is the same as
-.Fn lh_<type>_doall
-except that
-.Fa func
-will be called with
-.Fa arg
-as the second argument and
-.Fa func
-should be of type
-.Vt LHASH_DOALL_ARG_FN_TYPE
-(a callback prototype that is passed both the table entry and an extra
-argument).
-As with
-.Fn lh_<type>_doall ,
-you can instead choose to declare your callback with a prototype
-matching the types you are dealing with and use the declare/implement
-macros to create compatible wrappers that cast variables before calling
-your type-specific callbacks.
-An example of this is demonstrated here (printing all hash table entries
-to a BIO that is provided by the caller):
-.Bd -literal -offset 2n
-/* Print item 'a' to 'output_bio' (this is implemented elsewhere) */
-void STUFF_print_doall_arg(const STUFF *a, BIO *output_bio);
-/* Implement a prototype-compatible wrapper for "STUFF_print" */
-static IMPLEMENT_LHASH_DOALL_ARG_FN(STUFF, const STUFF, BIO)
-        /* ... then later in the code ... */
-/* Print out the entire hashtable to a particular BIO */
-lh_STUFF_doall_arg(hashtable, LHASH_DOALL_ARG_FN(STUFF_print), BIO,
-        logging_bio);
-.Ed
-.Pp
-.Fn lh_<type>_error
-can be used to determine if an error occurred in the last operation.
-.Sh RETURN VALUES
-.Fn lh_<type>_new
-returns
-.Dv NULL
-on error, otherwise a pointer to the new
-.Vt LHASH
-structure.
-.Pp
-When a hash table entry is replaced,
-.Fn lh_<type>_insert
-returns the value being replaced.
-.Dv NULL
-is returned on normal operation and on error.
-.Pp
-.Fn lh_<type>_delete
-returns the entry being deleted.
-.Dv NULL
-is returned if there is no such value in the hash table.
-.Pp
-.Fn lh_<type>_retrieve
-returns the hash table entry if it has been found, or
-.Dv NULL
-otherwise.
-.Pp
-.Fn lh_<type>_error
-returns 1 if an error occurred in the last operation, or 0 otherwise.
-.Sh NOTES
-The various LHASH macros and callback types exist to make it possible to
-write type-checked code without resorting to function-prototype casting
-\(em an evil that makes application code much harder to audit/verify and
-also opens the window of opportunity for stack corruption and other
-hard-to-find bugs.
-It also, apparently, violates ANSI-C.
-.Pp
-The LHASH code regards table entries as constant data.
-As such, it internally represents
-.Fn lh_<type>_insert Ap ed
-items with a
-.Vt const void *
-pointer type.
-This is why callbacks such as those used by
-.Fn lh_<type>_doall
-and
-.Fn lh_<type>_doall_arg
-declare their prototypes with "const", even for the parameters that pass
-back the table items' data pointers \(em for consistency, user-provided
-data is "const" at all times as far as the LHASH code is concerned.
-However, as callers are themselves providing these pointers, they can
-choose whether they too should be treating all such parameters as
-constant.
-.Pp
-As an example, a hash table may be maintained by code that, for
-reasons of encapsulation, has only "const" access to the data being
-indexed in the hash table (i.e. it is returned as "const" from
-elsewhere in their code) \(em in this case the LHASH prototypes are
-appropriate as-is.
-Conversely, if the caller is responsible for the life-time of the data
-in question, then they may well wish to make modifications to table item
-passed back in the
-.Fn lh_<type>_doall
-or
-.Fn lh_<type>_doall_arg
-callbacks (see the "STUFF_cleanup" example above).
-If so, the caller can either cast the "const" away (if they're providing
-the raw callbacks themselves) or use the macros to declare/implement the
-wrapper functions without "const" types.
-.Pp
-Callers that only have "const" access to data they are indexing in a
-table, yet declare callbacks without constant types (or cast the "const"
-away themselves), are therefore creating their own risks/bugs without
-being encouraged to do so by the API.
-On a related note, those auditing code should pay special attention
-to any instances of DECLARE/IMPLEMENT_LHASH_DOALL_[ARG_]_FN macros
-that provide types without any "const" qualifiers.
-.Sh INTERNALS
-The following description is based on the SSLeay documentation:
-.Pp
-The lhash library implements a hash table described in the
-.Em Communications of the ACM
-in 1991.
-What makes this hash table different is that as the table fills,
-the hash table is increased (or decreased) in size via
-.Xr reallocarray 3 .
-When a 'resize' is done, instead of all hashes being redistributed over
-twice as many 'buckets', one bucket is split.
-So when an 'expand' is done, there is only a minimal cost to
-redistribute some values.
-Subsequent inserts will cause more single 'bucket' redistributions but
-there will never be a sudden large cost due to redistributing all the
-\&'buckets'.
-.Pp
-The state for a particular hash table is kept in the
-.Vt LHASH
-structure.
-The decision to increase or decrease the hash table size is made
-depending on the 'load' of the hash table.
-The load is the number of items in the hash table divided by the size of
-the hash table.
-The default values are as follows.
-If (hash->up_load < load) => expand.
-If (hash->down_load > load) => contract.
-The
-.Fa up_load
-has a default value of 1 and
-.Fa down_load
-has a default value of 2.
-These numbers can be modified by the application by just playing
-with the
-.Fa up_load
-and
-.Fa down_load
-variables.
-The 'load' is kept in a form which is multiplied by 256.
-So hash->up_load=8*256 will cause a load of 8 to be set.
-.Pp
-If you are interested in performance, the field to watch is
-.Fa num_comp_calls .
-The hash library keeps track of the 'hash' value for each item so when a
-lookup is done, the 'hashes' are compared, if there is a match, then a
-full compare is done, and hash->num_comp_calls is incremented.
-If num_comp_calls is not equal to num_delete plus num_retrieve, it means
-that your hash function is generating hashes that are the same for
-different values.
-It is probably worth changing your hash function if this is the case
-because even if your hash table has 10 items in a 'bucket', it can be
-searched with 10
-.Vt unsigned long
-compares and 10 linked list traverses.
-This will be much less expensive that 10 calls to your compare function.
-.Pp
-.Fn lh_strhash
-is a demo string hashing function.
-Since the LHASH routines would normally be passed structures, this
-routine would not normally be passed to
-.Fn lh_<type>_new ,
-rather it would be used in the function passed to
-.Fn lh_<type>_new .
-.Sh SEE ALSO
-.Xr crypto 3
-.Sh HISTORY
-.Fn lh_new ,
-.Fn lh_free ,
-.Fn lh_insert ,
-.Fn lh_delete ,
-.Fn lh_retrieve ,
-.Fn lh_doall ,
-and
-.Fn lh_strhash
-appeared in SSLeay 0.4 or earlier.
-.Fn lh_doall_arg
-first appeared in SSLeay 0.5.1.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn lh_<type>_error
-was added in SSLeay 0.9.1b.
-.Pp
-In OpenSSL 0.9.7, all lhash functions that were passed function pointers
-were changed for better type safety, and the function types
-.Vt LHASH_COMP_FN_TYPE ,
-.Vt LHASH_HASH_FN_TYPE ,
-.Vt LHASH_DOALL_FN_TYPE ,
-and
-.Vt LHASH_DOALL_ARG_FN_TYPE
-became available.
-.Pp
-In OpenSSL 1.0.0, the lhash interface was revamped for even better type
-checking.
-.Sh BUGS
-.Fn lh_<type>_insert
-returns
-.Dv NULL
-both for success and error.
diff --git a/src/lib/libcrypto/man/openssl.cnf.5 b/src/lib/libcrypto/man/openssl.cnf.5
deleted file mode 100644
index 4047eb059a..0000000000
--- a/src/lib/libcrypto/man/openssl.cnf.5
+++ /dev/null
@@ -1,361 +0,0 @@
-.\" $OpenBSD: openssl.cnf.5,v 1.11 2024/07/08 15:02:28 jmc Exp $
-.\" full merge up to: OpenSSL man5/config b53338cb Feb 28 12:30:28 2017 +0100
-.\" selective merge up to: OpenSSL a8c5ed81 Jul 18 13:57:25 2017 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 1999, 2000, 2004, 2013, 2015, 2016, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 8 2024 $
-.Dt OPENSSL.CNF 5
-.Os
-.Sh NAME
-.Nm openssl.cnf
-.Nd OpenSSL configuration files
-.Sh DESCRIPTION
-The OpenSSL CONF library can be used to read configuration files; see
-.Xr CONF_modules_load_file 3 .
-It is used for the OpenSSL master configuration file
-.Pa /etc/ssl/openssl.cnf
-and in a few other places such as certificate extension files for the
-.Xr openssl 1
-.Cm x509
-utility.
-OpenSSL applications can also use the CONF library for their own
-purposes.
-.Pp
-A configuration file is divided into a number of sections.
-Each section starts with a line
-.Bq Ar section_name
-and ends when a new section is started or the end of the file is reached.
-A section name can consist of alphanumeric characters and underscores.
-.Pp
-The first section of a configuration file is special and is referred to
-as the
-.Dq default section .
-It is usually unnamed and extends from the start of file to the
-first named section.
-When a name is being looked up, it is first looked up in a named
-section (if any) and then in the default section.
-.Pp
-The environment is mapped onto a section called
-.Ic ENV .
-.Pp
-Comments can be included by preceding them with the
-.Ql #
-character.
-.Pp
-Each section in a configuration file consists of a number of name and
-value pairs of the form
-.Ar name Ns = Ns Ar value .
-.Pp
-The
-.Ar name
-string can contain any alphanumeric characters as well as a few
-punctuation symbols such as
-.Ql \&.
-.Ql \&,
-.Ql \&;
-and
-.Ql _ .
-.Pp
-The
-.Ar value
-string consists of the string following the
-.Ql =
-character until the end of the line with any leading and trailing
-whitespace removed.
-.Pp
-The value string undergoes variable expansion.
-This can be done by including substrings of the form
-.Pf $ Ar name
-or
-.Pf $ Brq Ar name :
-this will substitute the value of the named variable in the current
-section.
-It is also possible to substitute a value from another section using the
-syntax
-.Pf $ Ar section Ns :: Ns Ar name
-or
-.Pf $ Brq Ar section Ns :: Ns Ar name .
-By using the form
-.Pf $ Ic ENV Ns :: Ns Ar name ,
-environment variables can be substituted.
-It is also possible to assign values to environment variables by using
-the name
-.Ic ENV Ns :: Ns Ar name .
-This will work if the program looks up environment variables using
-the CONF library instead of calling
-.Xr getenv 3
-directly.
-The value string must not exceed 64k in length after variable expansion or an
-error will occur.
-.Pp
-It is possible to escape certain characters by using any kind of quote
-or the
-.Ql \e
-character.
-By making the last character of a line a
-.Ql \e ,
-a
-.Ar value
-string can be spread across multiple lines.
-In addition the sequences
-.Ql \en ,
-.Ql \er ,
-.Ql \eb ,
-and
-.Ql \et
-are recognized.
-.Sh OPENSSL LIBRARY CONFIGURATION
-Applications can automatically configure certain aspects of OpenSSL
-using the master OpenSSL configuration file, or optionally an
-alternative configuration file.
-The
-.Xr openssl 1
-utility includes this functionality: any sub command uses the master
-OpenSSL configuration file unless an option is used in the sub command
-to use an alternative configuration file.
-.Pp
-To enable library configuration, the default section needs to contain
-an appropriate line which points to the main configuration section.
-The default name is
-.Ic openssl_conf ,
-which is used by the
-.Xr openssl 1
-utility.
-Other applications may use an alternative name such as
-.Sy myapplication_conf .
-All library configuration lines appear in the default section
-at the start of the configuration file.
-.Pp
-The configuration section should consist of a set of name value pairs
-which contain specific module configuration information.
-The
-.Ar name
-represents the name of the configuration module.
-The meaning of the
-.Ar value
-is module specific: it may, for example, represent a further
-configuration section containing configuration module specific
-information.
-For example:
-.Bd -literal -offset indent
-# The following line must be in the default section.
-openssl_conf = openssl_init
-
-[openssl_init]
-oid_section = new_oids
-
-[new_oids]
-\&... new oids here ...
-.Ed
-.Pp
-The features of each configuration module are described below.
-.Ss ASN1 Object Configuration Module
-This module has the name
-.Ic oid_section .
-The value of this variable points to a section containing name value
-pairs of OIDs: the name is the OID short and long name, and the value is the
-numerical form of the OID.
-Although some of the
-.Xr openssl 1
-utility subcommands already have their own ASN1 OBJECT section
-functionality, not all do.
-By using the ASN1 OBJECT configuration module, all the
-.Xr openssl 1
-utility subcommands can see the new objects as well as any compliant
-applications.
-For example:
-.Bd -literal -offset indent
-[new_oids]
-some_new_oid = 1.2.3.4
-some_other_oid = 1.2.3.5
-.Ed
-.Pp
-It is also possible to set the value to the long name followed by a
-comma and the numerical OID form.
-For example:
-.Pp
-.Dl shortName = some object long name, 1.2.3.4
-.Sh FILES
-.Bl -tag -width /etc/ssl/openssl.cnf -compact
-.It Pa /etc/ssl/openssl.cnf
-standard configuration file
-.El
-.Sh EXAMPLES
-Here is a sample configuration file using some of the features
-mentioned above:
-.Bd -literal -offset indent
-# This is the default section.
-HOME=/temp
-RANDFILE= ${ENV::HOME}/.rnd
-configdir=$ENV::HOME/config
-
-[ section_one ]
-# We are now in section one.
-
-# Quotes permit leading and trailing whitespace
-any = " any variable name "
-
-other = A string that can \e
-cover several lines \e
-by including \e\e characters
-
-message = Hello World\en
-
-[ section_two ]
-greeting = $section_one::message
-.Ed
-.Pp
-This next example shows how to expand environment variables safely.
-.Pp
-Suppose you want a variable called
-.Sy tmpfile
-to refer to a temporary filename.
-The directory it is placed in can determined by the
-.Ev TEMP
-or
-.Ev TMP
-environment variables but they may not be set to any value at all.
-If you just include the environment variable names and the variable
-doesn't exist then this will cause an error when an attempt is made to
-load the configuration file.
-By making use of the default section both values can be looked up with
-.Ev TEMP
-taking priority and
-.Pa /tmp
-used if neither is defined:
-.Bd -literal -offset indent
-TMP=/tmp
-# The above value is used if TMP isn't in the environment
-TEMP=$ENV::TMP
-# The above value is used if TEMP isn't in the environment
-tmpfile=${ENV::TEMP}/tmp.filename
-.Ed
-.Pp
-More complex OpenSSL library configuration.
-Add OID:
-.Bd -literal -offset indent
-# Default appname: should match "appname" parameter (if any)
-# supplied to CONF_modules_load_file et al.
-openssl_conf = openssl_conf_section
-
-[openssl_conf_section]
-# Configuration module list
-oid_section = new_oids
-
-[new_oids]
-# New OID, just short name
-newoid1 = 1.2.3.4.1
-# New OID shortname and long name
-newoid2 = New OID 2 long name, 1.2.3.4.2
-.Ed
-.Pp
-The above examples can be used with any application supporting library
-configuration if "openssl_conf" is modified to match the appropriate
-"appname".
-.Pp
-For example if the second sample file above is saved to "example.cnf"
-then the command line:
-.Pp
-.Dl OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1
-.Pp
-will output:
-.Dl 0:d=0  hl=2 l=   4 prim: OBJECT            :newoid1
-.Pp
-showing that the OID "newoid1" has been added as "1.2.3.4.1".
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr CONF_modules_load_file 3 ,
-.Xr OPENSSL_config 3 ,
-.Xr x509v3.cnf 5
-.Sh CAVEATS
-If a configuration file attempts to expand a variable that doesn't
-exist, then an error is flagged and the file will not load.
-This can also happen if an attempt is made to expand an environment
-variable that doesn't exist.
-For example, in a previous version of OpenSSL the default OpenSSL
-master configuration file used the value of
-.Ev HOME
-which may not be defined on non Unix systems and would cause an error.
-.Pp
-This can be worked around by including a default section to provide
-a default value: then if the environment lookup fails, the default
-value will be used instead.
-For this to work properly, the default value must be defined earlier
-in the configuration file than the expansion.
-See the
-.Sx EXAMPLES
-section for an example of how to do this.
-.Pp
-If the same variable is defined more than once in the same section,
-then all but the last value will be silently ignored.
-In certain circumstances such as with DNs, the same field may occur
-multiple times.
-This is usually worked around by ignoring any characters before an
-initial
-.Ql \&. ,
-for example:
-.Bd -literal -offset indent
-1.OU="My first OU"
-2.OU="My Second OU"
-.Ed
-.Sh BUGS
-Currently there is no way to include characters using the octal
-.Pf \e Ar nnn
-form.
-Strings are all NUL terminated, so NUL bytes cannot form part of
-the value.
-.Pp
-The escaping isn't quite right: if you want to use sequences like
-.Ql \en ,
-you can't use any quote escaping on the same line.
-.Pp
-Files are loaded in a single pass.
-This means that a variable expansion will only work if the variables
-referenced are defined earlier in the file.
diff --git a/src/lib/libcrypto/man/s2i_ASN1_INTEGER.3 b/src/lib/libcrypto/man/s2i_ASN1_INTEGER.3
deleted file mode 100644
index a2105bc4bc..0000000000
--- a/src/lib/libcrypto/man/s2i_ASN1_INTEGER.3
+++ /dev/null
@@ -1,215 +0,0 @@
-.\" $OpenBSD: s2i_ASN1_INTEGER.3,v 1.9 2024/12/27 15:30:17 schwarze Exp $
-.\"
-.\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 27 2024 $
-.Dt S2I_ASN1_INTEGER 3
-.Os
-.Sh NAME
-.Nm i2s_ASN1_ENUMERATED ,
-.Nm i2s_ASN1_ENUMERATED_TABLE ,
-.Nm i2s_ASN1_INTEGER ,
-.Nm s2i_ASN1_INTEGER ,
-.Nm i2s_ASN1_OCTET_STRING ,
-.Nm s2i_ASN1_OCTET_STRING
-.Nd ASN.1 data type conversion utilities for certificate extensions
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.In openssl/x509v3.h
-.Ft "char *"
-.Fo i2s_ASN1_ENUMERATED
-.Fa "X509V3_EXT_METHOD *method"
-.Fa "const ASN1_ENUMERATED *a"
-.Fc
-.Ft "char *"
-.Fo i2s_ASN1_INTEGER
-.Fa "X509V3_EXT_METHOD *method"
-.Fa "const ASN1_INTEGER *a"
-.Fc
-.Ft "ASN1_INTEGER *"
-.Fo s2i_ASN1_INTEGER
-.Fa "X509V3_EXT_METHOD *method"
-.Fa "const char *value"
-.Fc
-.Ft "char *"
-.Fo i2s_ASN1_OCTET_STRING
-.Fa "X509V3_EXT_METHOD *method"
-.Fa "const ASN1_OCTET_STRING *aos"
-.Fc
-.Ft "ASN1_OCTET_STRING *"
-.Fo s2i_ASN1_OCTET_STRING
-.Fa "X509V3_EXT_METHOD *method"
-.Fa "X509V3_CTX *ctx"
-.Fa "const char *value"
-.Fc
-.Ft "char *"
-.Fo i2s_ASN1_ENUMERATED_TABLE
-.Fa "X509V3_EXT_METHOD *method"
-.Fa "const ASN1_ENUMERATED *a"
-.Fc
-.Sh DESCRIPTION
-These functions convert to and from
-.Vt ASN1_ENUMERATED ,
-.Vt ASN1_INTEGER ,
-and
-.Vt ASN1_OCTET_STRING
-objects.
-They are primarily used internally for parsing configuration files and
-displaying X.509v3 certificate extensions.
-With the exception of
-.Fn i2s_ASN1_ENUMERATED_TABLE ,
-these functions ignore the
-.Fa method
-argument.
-Any object or string returned by these functions must be freed by the caller.
-.Pp
-.Fn i2s_ASN1_ENUMERATED
-and
-.Fn i2s_ASN1_INTEGER
-first convert
-.Fa a
-into a
-.Vt BIGNUM
-object with
-.Xr ASN1_ENUMERATED_to_BN 3
-or
-.Xr ASN1_INTEGER_to_BN 3
-and then derive a string representation using
-.Xr BN_bn2dec 3
-or
-.Xr BN_bn2hex 3 .
-Decimal representation is used if the number has less than 128 bits,
-otherwise hexadecimal representation is used to avoid excessive conversion cost.
-.Pp
-.Fn s2i_ASN1_INTEGER
-converts the NUL-terminated decimal or hexadecimal string representation of
-an integer in
-.Fa value
-into an
-.Vt ASN1_INTEGER
-object.
-A sign prefix of
-.Sq -
-indicates a negative number and the base prefixes
-.Sq 0x
-and
-.Sq 0X
-indicate hexadecimal representation,
-otherwise decimal representation is assumed.
-After skipping the sign and base prefixes, an intermediate conversion into a
-.Vt BIGNUM
-is performed using
-.Xr BN_dec2bn 3
-or
-.Xr BN_hex2bn 3
-and the
-.Vt ASN1_INTEGER
-is then obtained with
-.Xr BN_to_ASN1_INTEGER 3 .
-.Pp
-.Fn i2s_ASN1_OCTET_STRING
-converts the octets in
-.Fa aos
-into a string where the octets are colon-separated and
-represented as pairs of uppercase hexadecimal digits.
-.Pp
-.Fn s2i_ASN1_OCTET_STRING
-converts the NUL-terminated string
-.Fa str
-into an
-.Vt ASN1_OCTET_STRING .
-The
-.Fa method
-and
-.Fa ctx
-arguments are ignored.
-Every pair of hexadecimal digits is converted into an octet.
-Colons are ignored if they are at the start, the end or
-if they separate two pairs of digits.
-.Pp
-.Fn i2s_ASN1_ENUMERATED_TABLE
-looks up the value of
-.Fa a
-in the
-.Fa usr_data
-field of the
-.Pf non- Dv NULL
-.Fa method
-and returns a copy of the associated long name.
-If no match is found,
-.Fa a
-is passed to
-.Fn i2s_ASN1_ENUMERATED .
-The
-.Fa method
-argument can be provided by application programs or it can be a
-default method obtained from
-.Xr X509V3_EXT_get_nid 3 .
-The default
-.Fa methods
-corresponding to the following
-.Fa nid
-arguments have strings configured in their usr_data field:
-.Pp
-.Bl -column NID_netscape_cert_type "Netscape certificate type (obsolete)" -compact
-.It Dv NID_crl_reason           Ta reason codes, RFC 5280, 5.3.1
-.It Dv NID_key_usage            Ta key usage, RFC 5280, 4.2.1.3
-.It Dv NID_netscape_cert_type   Ta Netscape certificate type (obsolete)
-.El
-.Sh RETURN VALUES
-.Fn i2s_ASN1_ENUMERATED ,
-.Fn i2s_ASN1_ENUMERATED_TABLE ,
-.Fn i2s_ASN1_INTEGER ,
-and
-.Fn i2s_ASN1_OCTET_STRING
-return a NUL-terminated string, or NULL on memory allocation failure.
-.Pp
-.Fn s2i_ASN1_INTEGER
-returns an
-.Vt ASN1_INTEGER ,
-or NULL on error.
-Error conditions are memory allocation failure or if
-.Fa value
-is not a valid decimal or hexadecimal encoding of an integer.
-.Pp
-.Fn s2i_ASN1_OCTET_STRING
-returns an
-.Vt ASN1_OCTET_STRING ,
-or NULL on error.
-Error conditions are memory allocation failure or if
-.Fa value
-contains an odd number of hexadecimal digits or anything except
-colons at the start, the end or between pairs of hexadecimal digits.
-.Pp
-Error codes can sometimes be obtained by
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr a2i_ASN1_INTEGER 3 ,
-.Xr a2i_ipadd 3 ,
-.Xr ASN1_INTEGER_new 3 ,
-.Xr ASN1_INTEGER_to_BN 3 ,
-.Xr ASN1_OCTET_STRING_new 3 ,
-.Xr crypto 3 ,
-.Xr v2i_ASN1_BIT_STRING 3 ,
-.Xr X509V3_get_d2i 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.4 and
-have been available since
-.Ox 2.6 .
-.Sh BUGS
-Of these functions at least
-.Fn i2s_ASN1_ENUMERATED_TABLE
-can succeed while setting an error and fail without setting an error
-on the error stack.
diff --git a/src/lib/libcrypto/man/v2i_ASN1_BIT_STRING.3 b/src/lib/libcrypto/man/v2i_ASN1_BIT_STRING.3
deleted file mode 100644
index 36d9f7496b..0000000000
--- a/src/lib/libcrypto/man/v2i_ASN1_BIT_STRING.3
+++ /dev/null
@@ -1,125 +0,0 @@
-.\" $OpenBSD: v2i_ASN1_BIT_STRING.3,v 1.1 2024/12/24 09:48:56 schwarze Exp $
-.\"
-.\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 24 2024 $
-.Dt V2I_ASN1_BIT_STRING 3
-.Os
-.Sh NAME
-.Nm v2i_ASN1_BIT_STRING ,
-.Nm i2v_ASN1_BIT_STRING
-.Nd ASN.1 BIT STRING utility functions for certificate extensions
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft ASN1_BIT_STRING *
-.Fo v2i_ASN1_BIT_STRING
-.Fa "X509V3_EXT_METHOD *method"
-.Fa "X509V3_CTX *ctx"
-.Fa "STACK_OF(CONF_VALUE) *nval"
-.Fc
-.Ft STACK_OF(CONF_VALUE) *
-.Fo i2v_ASN1_BIT_STRING
-.Fa "X509V3_EXT_METHOD *method"
-.Fa "ASN1_BIT_STRING *bit_string"
-.Fa "STACK_OF(CONF_VALUE) *nval"
-.Fc
-.Sh DESCRIPTION
-.Fn v2i_ASN1_BIT_STRING
-allocates a new ASN.1
-.Vt BIT STRING
-object and initializes it from a list of bit names.
-The
-.Fa nval
-argument is essentially used as the list of the names of the bits to set.
-Both long names and short names can be used.
-One name is taken from each element of
-.Fa nval .
-The
-.Fa ctx
-argument and any section names or values contained in the elements of
-.Fa nval
-are ignored.
-To convert a C string containing a comma-separated list of names
-to the input format of this function,
-.Xr X509V3_parse_list 3
-can be used.
-.Pp
-.Fn i2v_ASN1_BIT_STRING
-translates the numbers of the bits that are set in the
-.Fa bit_string
-to long names.
-For each bit that is set,
-one element containing the corresponding long name is added to
-.Fa nval .
-If a
-.Dv NULL
-pointer is passed for the
-.Fa nval
-argument, a new
-.Vt STACK_OF(CONF_VALUE)
-is allocated.
-.Pp
-For both functions, the
-.Fa method
-argument is only used for the translation of bit names to bit numbers
-and vice versa.
-Any names and bit numbers that do not occur in the
-.Fa usr_data
-translation table in the
-.Fa method
-are silently ignored.
-.Pp
-For the following arguments,
-.Xr X509V3_EXT_get_nid 3
-returns static constant
-.Fa method
-objects supporting these functions:
-.Pp
-.Bl -tag -width NID_netscape_cert_type -compact
-.It Dv NID_crl_reason
-reason codes, RFC 5280 section 5.3.1
-.It Dv NID_key_usage
-key usage purposes, RFC 5280 section 4.2.1.3
-.It Dv NID_netscape_cert_type
-Netscape certificate types (obsolete)
-.El
-.Pp
-While an application program could theoretically provide its own
-.Fa method
-object containing a custom translation table, that is unlikely to be
-useful for any practical purpose.
-.Sh RETURN VALUES
-.Fn v2i_ASN1_BIT_STRING
-returns the new
-.Vt BIT STRING
-object and
-.Fn i2v_ASN1_BIT_STRING
-the modified or new list of bit names.
-Both functions return
-.Dv NULL
-if an error occurs, in particular if memory allocation fails.
-.Sh SEE ALSO
-.Xr ASN1_BIT_STRING_new 3 ,
-.Xr ASN1_BIT_STRING_set 3 ,
-.Xr i2s_ASN1_ENUMERATED_TABLE 3 ,
-.Xr STACK_OF 3 ,
-.Xr tls_peer_ocsp_crl_reason 3 ,
-.Xr X509_get_key_usage 3 ,
-.Xr X509V3_EXT_get_nid 3 ,
-.Xr X509V3_get_d2i 3 ,
-.Xr X509V3_parse_list 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/x509_verify.3 b/src/lib/libcrypto/man/x509_verify.3
deleted file mode 100644
index b9fe13a54f..0000000000
--- a/src/lib/libcrypto/man/x509_verify.3
+++ /dev/null
@@ -1,221 +0,0 @@
-.\" $OpenBSD: x509_verify.3,v 1.2 2020/09/14 14:21:46 schwarze Exp $
-.\"
-.\" Copyright (c) 2020 Bob Beck <beck@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 14 2020 $
-.Dt X509_VERIFY 3
-.Os
-.Sh NAME
-.Nm x509_verify ,
-.Nm x509_verify_ctx_new ,
-.Nm x509_verify_ctx_free ,
-.Nm x509_verify_ctx_set_max_depth ,
-.Nm x509_verify_ctx_set_max_signatures ,
-.Nm x509_verify_ctx_set_max_chains ,
-.Nm x509_verify_ctx_set_purpose ,
-.Nm x509_verify_ctx_set_intermediates ,
-.Nm x509_verify_ctx_error_string ,
-.Nm x509_verify_ctx_error_depth ,
-.Nm x509_verify_ctx_chain
-.Nd discover and verify X.509 certificate chains
-.Sh SYNOPSIS
-.In openssl/x509_verify.h
-.Ft size_t
-.Fo x509_verify
-.Fa "X509_VERIFY_CTX *ctx"
-.Fa "X509 *leaf"
-.Fa "char *name"
-.Fc
-.Ft X509_VERIFY_CTX *
-.Fo x509_verify_ctx_new
-.Fa "STACK_OF(X509) *roots"
-.Fc
-.Ft void
-.Fo x509_verify_ctx_free
-.Fa "X509_VERIFY_CTX *ctx"
-.Fc
-.Ft int
-.Fo x509_verify_ctx_set_max_depth
-.Fa "X509_VERIFY_CTX *ctx"
-.Fa "size_t max"
-.Fc
-.Ft int
-.Fo x509_verify_ctx_set_max_signatures
-.Fa "X509_VERIFY_CTX *ctx"
-.Fa "size_t max"
-.Fc
-.Ft int
-.Fo x509_verify_ctx_set_max_chains
-.Fa "X509_VERIFY_CTX *ctx"
-.Fa "size_t max"
-.Fc
-.Ft int
-.Fo x509_verify_ctx_set_purpose
-.Fa "X509_VERIFY_CTX *ctx"
-.Fa "int purpose_id"
-.Fc
-.Ft int
-.Fo x509_verify_ctx_set_intermediates
-.Fa "X509_VERIFY_CTX *ctx"
-.Fa "STACK_OF(X509) *intermediates"
-.Fc
-.Ft const char *
-.Fo x509_verify_ctx_error_string
-.Fa "X509_VERIFY_CTX *ctx"
-.Fc
-.Ft size_t
-.Fo x509_verify_ctx_error_depth
-.Fa "X509_VERIFY_CTX *ctx"
-.Fc
-.Ft STACK_OF(X509) *
-.Fo x509_verify_ctx_chain
-.Fa "X509_VERIFY_CTX *ctx"
-.Fa "size_t index"
-.Fc
-.Sh DESCRIPTION
-The
-.Fn x509_verify
-function attempts to discover and validate all certificate chains
-for the
-.Fa name
-from the
-.Fa leaf
-certificate based on the parameters in
-.Fa ctx .
-Multiple chains may be built and validated.
-Revocation checking is not done by this function, and should be
-performed by the caller on any returned chains if so desired.
-.Pp
-.Fn x509_verify_ctx_new
-allocates a new context using the trusted
-.Fa roots .
-In case of success, it increments the reference count of
-.Fa roots .
-.Pp
-.Fn x509_verify_ctx_free
-frees
-.Fa ctx
-and decrements the reference count of the
-.Fa roots
-and
-.Fa intermediates
-associated with it.
-If
-.Fa ctx
-is
-.Dv NULL ,
-no action occurs.
-.Pp
-.Fn x509_verify_ctx_set_max_depth
-sets the maximum depth of certificate chains that will be constructed to
-.Fa max ,
-which can be in the range from 1 to the default of 32.
-.Pp
-.Fn x509_verify_ctx_set_max_signatures
-sets the maximum number of public key signature operations that will be
-used when verifying certificate chains to
-.Fa max ,
-which can be in the range from 1 to 100000.
-The default is 256.
-.Pp
-.Fn x509_verify_ctx_set_max_chains
-sets the maximum number of chains which may be returned to
-.Fa max ,
-which can be in the range from 1 to the default of 8.
-.Pp
-.Fn x509_verify_ctx_set_purpose
-sets the certificate purpose for validation to
-.Fa purpose_id .
-The
-.Dv X509_PURPOSE_*
-constants listed in
-.Xr X509_check_purpose 3
-can be used.
-.Pp
-.Fn x509_verify_ctx_set_intermediates
-provides some intermediate certificates, typically received from
-the peer, to be used for building chains.
-In case of success, this function increases the reference count of
-.Fa intermediates .
-.Pp
-.Fn x509_verify_ctx_error_string
-extracts a description of the last error encountered by a previous
-call to
-.Fn x509_verify
-from
-.Fa ctx .
-.Pp
-.Fn x509_verify_ctx_error_depth
-extracts the depth of the last error encountered by a previous
-call to
-.Fn x509_verify
-from
-.Fa ctx .
-.Pp
-.Fn x509_verify_ctx_chain
-extracts the validated chain with the given
-.Fa index
-from
-.Fa ctx
-after a previous call to
-.Fn x509_verify .
-The
-.Fa index
-starts at 0, and it is an error to pass a number
-greater than or equal to the return value of
-.Fn x509_verify .
-The returned chain is neither copied,
-nor is its reference count increased.
-.Sh RETURN VALUES
-.Fn x509_verify
-returns the number of chains successfully built and validated
-or 0 on failure.
-.Pp
-.Fn x509_verify_ctx_new
-returns a newly allocated context or
-.Dv NULL
-on failure.
-.Pp
-.Fn x509_verify_ctx_set_max_depth ,
-.Fn x509_verify_ctx_set_max_signatures ,
-.Fn x509_verify_ctx_set_max_chains ,
-.Fn x509_verify_ctx_set_purpose ,
-and
-.Fn x509_verify_ctx_set_intermediates
-return 1 on success or 0 on failure.
-.Pp
-.Fn x509_verify_ctx_error_string
-returns a pointer to a human readable error string.
-If no error occurred,
-.Qq ok
-is returned.
-.Pp
-.Fn x509_verify_ctx_chain
-returns an internal pointer to a validated chain or
-.Dv NULL
-if
-.Fa index
-is greater than or equal to the number of chains
-that were successfully built and validated.
-The returned pointer becomes invalid when
-.Fa ctx
-is destroyed.
-.Sh SEE ALSO
-.Xr X509_verify_cert 3
-.Sh HISTORY
-These functions first appeared in
-.Ox 6.8 .
-.Sh AUTHORS
-.An Bob Beck Aq Mt beck@openbsd.org
diff --git a/src/lib/libcrypto/man/x509v3.cnf.5 b/src/lib/libcrypto/man/x509v3.cnf.5
deleted file mode 100644
index 89f52d6a01..0000000000
--- a/src/lib/libcrypto/man/x509v3.cnf.5
+++ /dev/null
@@ -1,738 +0,0 @@
-.\" $OpenBSD: x509v3.cnf.5,v 1.8 2022/03/31 17:27:17 naddy Exp $
-.\" full merge up to:
-.\" OpenSSL man5/x509v3_config a41815f0 Mar 17 18:43:53 2017 -0700
-.\" selective merge up to: OpenSSL 36cf10cf Oct 4 02:11:08 2017 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2004, 2006, 2013, 2014, 2015, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 31 2022 $
-.Dt X509V3.CNF 5
-.Os
-.Sh NAME
-.Nm x509v3.cnf
-.Nd X.509 V3 certificate extension configuration format
-.Sh DESCRIPTION
-Several of the OpenSSL utilities can add extensions to a certificate or
-certificate request based on the contents of a configuration file.
-The file format is based on the
-.Xr openssl.cnf 5
-format.
-.Pp
-Typically the application will contain an option to point to an
-extension section.
-Each line of the extension section takes the form:
-.Pp
-.D1 Ar extension_name Ns = Ns Oo Cm critical , Oc Ar extension_options
-.Pp
-If
-.Cm critical
-is present, then the extension will be critical.
-.Pp
-The format of
-.Ar extension_options
-depends on the value of
-.Ar extension_name .
-.Pp
-There are four main types of extension: string extensions, multi-valued
-extensions, raw extensions, and arbitrary extensions.
-.Pp
-String extensions simply have a string which contains either the value
-itself or how it is obtained.
-For example:
-.Pp
-.Dl nsComment="This is a Comment"
-.Pp
-Multi-valued extensions have a short form and a long form.
-The short form is a list of names and values:
-.Pp
-.Dl basicConstraints=critical,CA:true,pathlen:1
-.Pp
-The long form allows the values to be placed in a separate section:
-.Bd -literal -offset indent
-basicConstraints=critical,@bs_section
-
-[bs_section]
-CA=true
-pathlen=1
-.Ed
-.Pp
-Both forms are equivalent.
-.Pp
-The syntax of raw extensions is governed by the extension code:
-it can for example contain data in multiple sections.
-The correct syntax to use is defined by the extension code itself:
-check out the certificate policies extension for an example.
-.Pp
-If an extension type is unsupported, then the arbitrary extension
-syntax must be used; see the
-.Sx ARBITRARY EXTENSIONS
-section for more details.
-.Sh STANDARD EXTENSIONS
-The following sections describe each supported extension in detail.
-.Ss Basic constraints
-This is a multi-valued extension which indicates whether a certificate
-is a CA certificate.
-The first (mandatory) name is
-.Ic CA
-followed by
-.Cm TRUE
-or
-.Cm FALSE .
-If
-.Ic CA
-is
-.Cm TRUE ,
-then an optional
-.Ic pathlen
-name followed by a non-negative value can be included.
-For example:
-.Bd -literal -offset indent
-basicConstraints=CA:TRUE
-basicConstraints=CA:FALSE
-basicConstraints=critical,CA:TRUE, pathlen:0
-.Ed
-.Pp
-A CA certificate must include the
-.Ic basicConstraints
-value with the
-.Ic CA
-field set to
-.Cm TRUE .
-An end user certificate must either set
-.Ic CA
-to
-.Cm FALSE
-or exclude the extension entirely.
-Some software may require the inclusion of
-.Ic basicConstraints
-with
-.Ic CA
-set to
-.Cm FALSE
-for end entity certificates.
-.Pp
-The
-.Ic pathlen
-parameter indicates the maximum number of CAs that can appear below
-this one in a chain.
-So if you have a CA with a
-.Ic pathlen
-of zero, it can only be used to sign end user certificates and not
-further CAs.
-.Ss Key usage
-Key usage is a multi-valued extension consisting of a list of names of
-the permitted key usages.
-.Pp
-The supported names are:
-.Ic digitalSignature ,
-.Ic nonRepudiation ,
-.Ic keyEncipherment ,
-.Ic dataEncipherment ,
-.Ic keyAgreement ,
-.Ic keyCertSign ,
-.Ic cRLSign ,
-.Ic encipherOnly ,
-and
-.Ic decipherOnly .
-Examples:
-.Bd -literal -offset indent
-keyUsage=digitalSignature, nonRepudiation
-keyUsage=critical, keyCertSign
-.Ed
-.Ss Extended key usage
-This extension consists of a list of purposes for
-which the certificate public key can be used.
-.Pp
-These can either be object short names or the dotted numerical form of OIDs.
-While any OID can be used, only certain values make sense.
-In particular the following PKIX, NS and MS values are meaningful:
-.Bl -column emailProtection
-.It Em value Ta Em meaning
-.It Ic serverAuth      Ta TLS server authentication
-.It Ic clientAuth      Ta TLS client authentication
-.It Ic codeSigning     Ta code signing
-.It Ic emailProtection Ta E-mail protection (S/MIME)
-.It Ic timeStamping    Ta trusted timestamping
-.It Ic OCSPSigning     Ta OCSP signing
-.It Ic ipsecIKE        Ta IPsec internet key exchange
-.It Ic msCodeInd       Ta Microsoft individual code signing (authenticode)
-.It Ic msCodeCom       Ta Microsoft commercial code signing (authenticode)
-.It Ic msCTLSign       Ta Microsoft trust list signing
-.It Ic msEFS           Ta Microsoft encrypted file system
-.El
-.Pp
-Examples:
-.Bd -literal -offset indent
-extendedKeyUsage=critical,codeSigning,1.2.3.4
-extendedKeyUsage=serverAuth,clientAuth
-.Ed
-.Ss Subject key identifier
-This is really a string extension and can take two possible values.
-Either the word
-.Cm hash
-which will automatically follow the guidelines in RFC 3280
-or a hex string giving the extension value to include.
-The use of the hex string is strongly discouraged.
-Example:
-.Pp
-.Dl subjectKeyIdentifier=hash
-.Ss Authority key identifier
-The authority key identifier extension permits two options,
-.Cm keyid
-and
-.Cm issuer :
-both can take the optional value
-.Cm always .
-.Pp
-If the
-.Cm keyid
-option is present, an attempt is made to copy the subject
-key identifier from the parent certificate.
-If the value
-.Cm always
-is present, then an error is returned if the option fails.
-.Pp
-The
-.Cm issuer
-option copies the issuer and serial number from the issuer certificate.
-This will only be done if the
-.Cm keyid
-option fails or is not included unless the
-.Cm always
-flag will always include the value.
-Example:
-.Pp
-.Dl authorityKeyIdentifier=keyid,issuer
-.Ss Subject alternative name
-The subject alternative name extension allows various literal values to
-be included in the configuration file.
-These include
-.Ic email
-(an email address),
-.Ic URI
-(a uniform resource indicator),
-.Ic DNS
-(a DNS domain name),
-.Ic RID
-(a registered ID: OBJECT IDENTIFIER),
-.Ic IP
-(an IP address),
-.Ic dirName
-(a distinguished name), and
-.Ic otherName .
-.Pp
-The
-.Ic email
-option can include a special
-.Cm copy
-value.
-This will automatically include any email addresses contained in the
-certificate subject name in the extension.
-.Pp
-The IP address used in the
-.Ic IP
-options can be in either IPv4 or IPv6 format.
-.Pp
-The value of
-.Ic dirName
-should point to a section containing the distinguished name to use as a
-set of name value pairs.
-Multi values AVAs can be formed by prefacing the name with a
-.Ql +
-character.
-.Pp
-.Ic otherName
-can include arbitrary data associated with an OID: the value should
-be the OID followed by a semicolon and the content in standard
-.Xr ASN1_generate_nconf 3
-format.
-Examples:
-.Bd -literal -offset 2n
-subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
-subjectAltName=IP:192.168.7.1
-subjectAltName=IP:13::17
-subjectAltName=email:my@other.address,RID:1.2.3.4
-subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
-
-subjectAltName=dirName:dir_sect
-
-[dir_sect]
-C=UK
-O=My Organization
-OU=My Unit
-CN=My Name
-.Ed
-.Ss Issuer alternative name
-The issuer alternative name option supports all the literal options of
-subject alternative name.
-It does not support the
-.Ic email : Ns Cm copy
-option because that would not make sense.
-It does support an additional
-.Ic issuer : Ns Cm copy
-option that will copy all the subject alternative name values from
-the issuer certificate (if possible).
-Example:
-.Pp
-.Dl issuerAltName = issuer:copy
-.Ss Authority info access
-The authority information access extension gives details about how to
-access certain information relating to the CA.
-Its syntax is
-.Ar accessOID ; location
-where
-.Ar location
-has the same syntax as subject alternative name (except that
-.Ic email : Ns Cm copy
-is not supported).
-.Ar accessOID
-can be any valid OID but only certain values are meaningful,
-for example
-.Cm OCSP
-and
-.Cm caIssuers .
-Example:
-.Bd -literal -offset indent
-authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
-authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
-.Ed
-.Ss CRL distribution points
-This is a multi-valued extension whose options can be either in
-.Ar name : Ns Ar value
-pair form using the same form as subject alternative name or a
-single value representing a section name containing all the
-distribution point fields.
-.Pp
-For a
-.Ar name : Ns Ar value
-pair a new DistributionPoint with the fullName field set to the
-given value, both the cRLissuer and reasons fields are omitted in
-this case.
-.Pp
-In the single option case, the section indicated contains values
-for each field.
-In this section:
-.Pp
-If the name is
-.Ic fullname ,
-the value field should contain the full name of the distribution
-point in the same format as subject alternative name.
-.Pp
-If the name is
-.Ic relativename ,
-then the value field should contain a section name whose contents
-represent a DN fragment to be placed in this field.
-.Pp
-The name
-.Ic CRLIssuer ,
-if present, should contain a value for this field in subject
-alternative name format.
-.Pp
-If the name is
-.Ic reasons ,
-the value field should consist of a comma separated field containing
-the reasons.
-Valid reasons are:
-.Cm keyCompromise ,
-.Cm CACompromise ,
-.Cm affiliationChanged ,
-.Cm superseded ,
-.Cm cessationOfOperation ,
-.Cm certificateHold ,
-.Cm privilegeWithdrawn ,
-and
-.Cm AACompromise .
-.Pp
-Simple examples:
-.Bd -literal -offset indent
-crlDistributionPoints=URI:http://myhost.com/myca.crl
-crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl
-.Ed
-.Pp
-Full distribution point example:
-.Bd -literal -offset indent
-crlDistributionPoints=crldp1_section
-
-[crldp1_section]
-fullname=URI:http://myhost.com/myca.crl
-CRLissuer=dirName:issuer_sect
-reasons=keyCompromise, CACompromise
-
-[issuer_sect]
-C=UK
-O=Organisation
-CN=Some Name
-.Ed
-.Ss Issuing distribution point
-This extension should only appear in CRLs.
-It is a multi-valued extension whose syntax is similar to the "section"
-pointed to by the CRL distribution points extension with a few
-differences.
-.Pp
-The names
-.Ic reasons
-and
-.Ic CRLissuer
-are not recognized.
-.Pp
-The name
-.Ic onlysomereasons
-is accepted, which sets this field.
-The value is in the same format as the CRL distribution point
-.Ic reasons
-field.
-.Pp
-The names
-.Ic onlyuser ,
-.Ic onlyCA ,
-.Ic onlyAA ,
-and
-.Ic indirectCRL
-are also accepted.
-The values should be a boolean values
-.Cm ( TRUE
-or
-.Cm FALSE )
-to indicate the value of the corresponding field.
-Example:
-.Bd -literal -offset indent
-issuingDistributionPoint=critical, @idp_section
-
-[idp_section]
-fullname=URI:http://myhost.com/myca.crl
-indirectCRL=TRUE
-onlysomereasons=keyCompromise, CACompromise
-
-[issuer_sect]
-C=UK
-O=Organisation
-CN=Some Name
-.Ed
-.Ss Certificate policies
-This is a raw extension.
-All the fields of this extension can be set by using the appropriate
-syntax.
-.Pp
-If you follow the PKIX recommendations and just use one OID, then you
-just include the value of that OID.
-Multiple OIDs can be set separated by commas, for example:
-.Pp
-.Dl certificatePolicies= 1.2.4.5, 1.1.3.4
-.Pp
-If you wish to include qualifiers, then the policy OID and qualifiers
-need to be specified in a separate section: this is done by using the
-.Pf @ Ar section
-syntax instead of a literal OID value.
-.Pp
-The section referred to must include the policy OID using the name
-.Ic policyIdentifier .
-.Ic CPSuri
-qualifiers can be included using the syntax:
-.Pp
-.D1 Ic CPS . Ns Ar nnn Ns = Ns Ar value
-.Pp
-.Ic userNotice
-qualifiers can be set using the syntax:
-.Pp
-.D1 Ic userNotice . Ns Ar nnn Ns =@ Ns Ar notice
-.Pp
-The value of the
-.Ic userNotice
-qualifier is specified in the relevant section.
-This section can include
-.Ic explicitText ,
-.Ic organization ,
-and
-.Ic noticeNumbers
-options.
-.Ic explicitText
-and
-.Ic organization
-are text strings,
-and
-.Ic noticeNumbers
-is a comma separated list of numbers.
-The
-.Ic organization
-and
-.Ic noticeNumbers
-options (if included) must
-.Em both
-be present.
-If you use the
-.Ic userNotice
-option with IE5 then you need the
-.Ic ia5org
-option at the top level to modify the encoding: otherwise it will
-not be interpreted properly.
-Example:
-.Bd -literal -offset indent
-certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
-
-[polsect]
-policyIdentifier = 1.3.5.8
-CPS.1="http://my.host.name/"
-CPS.2="http://my.your.name/"
-userNotice.1=@notice
-
-[notice]
-explicitText="Explicit Text Here"
-organization="Organisation Name"
-noticeNumbers=1,2,3,4
-.Ed
-.Pp
-The
-.Ic ia5org
-option changes the type of the
-.Ic organization
-field.
-In RFC 2459, it can only be of type
-.Vt DisplayText .
-In RFC 3280,
-.Vt IA5String
-is also permissible.
-Some software (for example some versions of MSIE) may require
-.Ic ia5org .
-.Ss Policy constraints
-This is a multi-valued extension which consists of the names
-.Ic requireExplicitPolicy
-or
-.Ic inhibitPolicyMapping
-and a non-negative integer value.
-At least one component must be present.
-Example:
-.Pp
-.Dl policyConstraints = requireExplicitPolicy:3
-.Ss Inhibit any policy
-This is a string extension whose value must be a non-negative integer.
-Example:
-.Pp
-.Dl inhibitAnyPolicy = 2
-.Ss Name constraints
-The name constraints extension is a multi-valued extension.
-The name should begin with the word
-.Cm permitted
-or
-.Cm excluded ,
-followed by a semicolon.
-The rest of the name and the value follows the syntax of subjectAltName
-except
-.Ic email : Ns Cm copy
-is not supported and the
-.Ic IP
-form should consist of an IP addresses and subnet mask separated
-by a slash.
-Examples:
-.Bd -literal -offset indent
-nameConstraints=permitted;IP:192.168.0.0/255.255.0.0
-nameConstraints=permitted;email:.somedomain.com
-nameConstraints=excluded;email:.com
-.Ed
-.Ss OCSP no check
-The OCSP no check extension is a string extension,
-but its value is ignored.
-Example:
-.Pp
-.Dl noCheck = ignored
-.Ss TLS Feature (aka must staple)
-This is a multi-valued extension consisting of a list of TLS extension
-identifiers.
-Each identifier may be a number in the range from 0 to 65535 or a
-supported name.
-When a TLS client sends a listed extension, the TLS server is expected
-to include that extension in its reply.
-.Pp
-The supported names are:
-.Cm status_request
-and
-.Cm status_request_v2 .
-Example:
-.Pp
-.Dl tlsfeature = status_request
-.Sh DEPRECATED EXTENSIONS
-The following extensions are non-standard, Netscape specific and largely
-obsolete.
-Their use in new applications is discouraged.
-.Ss Netscape string extensions
-Netscape comment
-.Ic ( nsComment )
-is a string extension containing a comment which will be displayed when
-the certificate is viewed in some browsers.
-Example:
-.Pp
-.Dl nsComment = "Some Random Comment"
-.Pp
-Other supported extensions in this category are:
-.Ic nsBaseUrl ,
-.Ic nsRevocationUrl ,
-.Ic nsCaRevocationUrl ,
-.Ic nsRenewalUrl ,
-.Ic nsCaPolicyUrl ,
-and
-.Ic nsSslServerName .
-.Ss Netscape certificate type
-This is a multi-valued extensions which consists of a list of flags to
-be included.
-It was used to indicate the purposes for which a certificate could be
-used.
-The
-.Ic basicConstraints ,
-.Ic keyUsage ,
-and extended key usage extensions are now used instead.
-.Pp
-Acceptable values for
-.Ic nsCertType
-are:
-.Cm client ,
-.Cm server ,
-.Cm email ,
-.Cm objsign ,
-.Cm reserved ,
-.Cm sslCA ,
-.Cm emailCA ,
-.Cm objCA .
-.Sh ARBITRARY EXTENSIONS
-If an extension is not supported by the OpenSSL code, then it must
-be encoded using the arbitrary extension format.
-It is also possible to use the arbitrary format for supported
-extensions.
-Extreme care should be taken to ensure that the data is formatted
-correctly for the given extension type.
-.Pp
-There are two ways to encode arbitrary extensions.
-.Pp
-The first way is to use the word
-.Cm ASN1
-followed by the extension content using the same syntax as
-.Xr ASN1_generate_nconf 3 .
-For example:
-.Bd -literal -offset indent
-1.2.3.4=critical,ASN1:UTF8String:Some random data
-1.2.3.4=ASN1:SEQUENCE:seq_sect
-
-[seq_sect]
-field1 = UTF8:field1
-field2 = UTF8:field2
-.Ed
-.Pp
-It is also possible to use the word
-.Cm DER
-to include the raw encoded data in any extension.
-.Bd -literal -offset indent
-1.2.3.4=critical,DER:01:02:03:04
-1.2.3.4=DER:01020304
-.Ed
-.Pp
-The value following
-.Cm DER
-is a hex dump of the DER encoding of the extension.
-Any extension can be placed in this form to override the default behaviour.
-For example:
-.Pp
-.Dl basicConstraints=critical,DER:00:01:02:03
-.Sh FILES
-.Bl -tag -width /etc/ssl/x509v3.cnf -compact
-.It Pa /etc/ssl/x509v3.cnf
-standard configuration file
-.El
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr ASN1_generate_nconf 3 ,
-.Xr OPENSSL_config 3 ,
-.Xr openssl.cnf 5
-.Sh HISTORY
-X509v3 extension code was first added to OpenSSL 0.9.2.
-.Sh CAVEATS
-There is no guarantee that a specific implementation will process a
-given extension.
-It may therefore sometimes be possible to use certificates for purposes
-prohibited by their extensions because a specific application does not
-recognize or honour the values of the relevant extensions.
-.Pp
-The
-.Cm DER
-and
-.Cm ASN1
-options should be used with caution.
-It is possible to create totally invalid extensions if they are not used
-carefully.
-.Pp
-If an extension is multi-value and a field value must contain a comma,
-the long form must be used.
-Otherwise the comma would be misinterpreted as a field separator.
-For example,
-.Pp
-.Dl subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
-.Pp
-will produce an error, but the following form is valid:
-.Bd -literal -offset indent
-subjectAltName=@subject_alt_section
-
-[subject_alt_section]
-subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
-.Ed
-.Pp
-Due to the behaviour of the OpenSSL CONF library, the same field
-name can only occur once in a section.
-That means that
-.Bd -literal -offset indent
-subjectAltName=@alt_section
-
-[alt_section]
-email=steve@here
-email=steve@there
-.Ed
-.Pp
-will only use the last value.
-This can be worked around by using the form:
-.Bd -literal -offset indent
-[alt_section]
-email.1=steve@here
-email.2=steve@there
-.Ed