13 files changed, 0 insertions, 2018 deletions

diff --git a/src/lib/libtls/man/Makefile b/src/lib/libtls/man/Makefile
deleted file mode 100644
index 4883377669..0000000000
--- a/src/lib/libtls/man/Makefile
+++ /dev/null
@@ -1,23 +0,0 @@
-# $OpenBSD: Makefile,v 1.1 2017/01/25 23:53:18 schwarze Exp $
-
-.include <bsd.own.mk>
-
-MAN = \
-        tls_accept_socket.3 \
-        tls_client.3 \
-        tls_config_ocsp_require_stapling.3 \
-        tls_config_set_protocols.3 \
-        tls_config_set_session_id.3 \
-        tls_config_verify.3 \
-        tls_conn_version.3 \
-        tls_connect.3 \
-        tls_init.3 \
-        tls_load_file.3 \
-        tls_ocsp_process_response.3 \
-        tls_read.3 \
-
-all clean cleandir depend includes obj tags:
-
-install: maninstall
-
-.include <bsd.man.mk>
diff --git a/src/lib/libtls/man/tls_accept_socket.3 b/src/lib/libtls/man/tls_accept_socket.3
deleted file mode 100644
index 931b9346ec..0000000000
--- a/src/lib/libtls/man/tls_accept_socket.3
+++ /dev/null
@@ -1,107 +0,0 @@
-.\" $OpenBSD: tls_accept_socket.3,v 1.4 2018/05/26 12:35:26 schwarze Exp $
-.\"
-.\" Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
-.\" Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
-.\" Copyright (c) 2016 Brent Cook <bcook@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: May 26 2018 $
-.Dt TLS_ACCEPT_SOCKET 3
-.Os
-.Sh NAME
-.Nm tls_accept_socket ,
-.Nm tls_accept_fds ,
-.Nm tls_accept_cbs
-.Nd accept an incoming client connection in a TLS server
-.Sh SYNOPSIS
-.In tls.h
-.Ft int
-.Fo tls_accept_socket
-.Fa "struct tls *tls"
-.Fa "struct tls **cctx"
-.Fa "int socket"
-.Fc
-.Ft int
-.Fo tls_accept_fds
-.Fa "struct tls *tls"
-.Fa "struct tls **cctx"
-.Fa "int fd_read"
-.Fa "int fd_write"
-.Fc
-.Ft int
-.Fo tls_accept_cbs
-.Fa "struct tls *tls"
-.Fa "struct tls **cctx"
-.Fa "ssize_t (*tls_read_cb)(struct tls *ctx,\
- void *buf, size_t buflen, void *cb_arg)"
-.Fa "ssize_t (*tls_write_cb)(struct tls *ctx,\
- const void *buf, size_t buflen, void *cb_arg)"
-.Fa "void *cb_arg"
-.Fc
-.Sh DESCRIPTION
-After creating a TLS server context
-.Fa tls
-with
-.Xr tls_server 3
-and configuring it with
-.Xr tls_configure 3 ,
-a server can accept a new client connection by calling
-.Fn tls_accept_socket
-on an already established socket connection.
-.Pp
-Alternatively, a new client connection can be accepted over a pair of existing
-file descriptors by calling
-.Fn tls_accept_fds .
-.Pp
-Calling
-.Fn tls_accept_cbs
-allows read and write callback functions to handle data transfers.
-The specified
-.Fa cb_arg
-parameter is passed back to the functions,
-and can contain a pointer to any caller-specified data.
-.Pp
-All these functions create a new context suitable for reading and writing
-and return it in
-.Pf * Fa cctx .
-.Sh RETURN VALUES
-These functions return 0 on success or -1 on error.
-.Sh SEE ALSO
-.Xr tls_close 3 ,
-.Xr tls_config_set_session_id 3 ,
-.Xr tls_configure 3 ,
-.Xr tls_connect 3 ,
-.Xr tls_init 3 ,
-.Xr tls_server 3
-.Sh HISTORY
-.Fn tls_accept_socket
-appeared in
-.Ox 5.6
-and got its final name in
-.Ox 5.7 .
-.Pp
-.Fn tls_accept_fds
-appeared in
-.Ox 5.8
-and
-.Fn tls_accept_cbs
-in
-.Ox 6.1 .
-.Sh AUTHORS
-.An Joel Sing Aq Mt jsing@openbsd.org
-.Pp
-.An -nosplit
-.Fn tls_accept_cbs
-was written by
-.An Tobias Pape Aq Mt tobias@netshed.de .
diff --git a/src/lib/libtls/man/tls_client.3 b/src/lib/libtls/man/tls_client.3
deleted file mode 100644
index 98f58d4c20..0000000000
--- a/src/lib/libtls/man/tls_client.3
+++ /dev/null
@@ -1,110 +0,0 @@
-.\" $OpenBSD: tls_client.3,v 1.4 2017/08/12 03:41:48 jsing Exp $
-.\"
-.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: August 12 2017 $
-.Dt TLS_CLIENT 3
-.Os
-.Sh NAME
-.Nm tls_client ,
-.Nm tls_server ,
-.Nm tls_configure ,
-.Nm tls_reset ,
-.Nm tls_free
-.Nd configure a TLS connection
-.Sh SYNOPSIS
-.In tls.h
-.Ft struct tls *
-.Fn tls_client void
-.Ft struct tls *
-.Fn tls_server void
-.Ft int
-.Fo tls_configure
-.Fa "struct tls *ctx"
-.Fa "struct tls_config *config"
-.Fc
-.Ft void
-.Fn tls_free "struct tls *ctx"
-.Ft void
-.Fn tls_reset "struct tls *ctx"
-.Sh DESCRIPTION
-A TLS connection is represented as a
-.Vt struct tls
-object called a
-.Dq context .
-A new context is created by either the
-.Fn tls_client
-or
-.Fn tls_server
-functions.
-.Fn tls_client
-is used in TLS client programs,
-.Fn tls_server
-in TLS server programs.
-.Pp
-The context can then be configured with the function
-.Fn tls_configure .
-The same
-.Vt tls_config
-object can be used to configure multiple contexts.
-.Pp
-After configuration,
-.Xr tls_connect 3
-can be called on objects created with
-.Fn tls_client ,
-and
-.Xr tls_accept_socket 3
-on objects created with
-.Fn tls_server .
-.Pp
-After use, a TLS context should be closed with
-.Xr tls_close 3 ,
-and then freed by calling
-.Fn tls_free .
-If
-.Fn tls_free
-is called with an argument of
-.Dv NULL ,
-no action occurs.
-.Pp
-A TLS context can be reset by calling
-.Fn tls_reset ,
-allowing for it to be reused.
-This is essentially equivalent to calling
-.Fn tls_free ,
-followed by a call to the same function that was used to originally allocate
-the TLS context.
-.Sh RETURN VALUES
-.Fn tls_client
-and
-.Fn tls_server
-return
-.Dv NULL
-on error or an out of memory condition.
-.Pp
-.Fn tls_configure
-returns 0 on success or -1 on error.
-.Sh SEE ALSO
-.Xr tls_accept_socket 3 ,
-.Xr tls_config_new 3 ,
-.Xr tls_connect 3 ,
-.Xr tls_init 3
-.Sh HISTORY
-These functions appeared in
-.Ox 5.6
-and got their final names in
-.Ox 5.7 .
-.Sh AUTHORS
-.An Joel Sing Aq Mt jsing@openbsd.org
diff --git a/src/lib/libtls/man/tls_config_ocsp_require_stapling.3 b/src/lib/libtls/man/tls_config_ocsp_require_stapling.3
deleted file mode 100644
index a0694d304f..0000000000
--- a/src/lib/libtls/man/tls_config_ocsp_require_stapling.3
+++ /dev/null
@@ -1,40 +0,0 @@
-.\" $OpenBSD: tls_config_ocsp_require_stapling.3,v 1.5 2017/01/31 20:53:50 jmc Exp $
-.\"
-.\" Copyright (c) 2016 Bob Beck <beck@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: January 31 2017 $
-.Dt TLS_CONFIG_OCSP_REQUIRE_STAPLING 3
-.Os
-.Sh NAME
-.Nm tls_config_ocsp_require_stapling
-.Nd OCSP configuration for libtls
-.Sh SYNOPSIS
-.In tls.h
-.Ft void
-.Fn tls_config_ocsp_require_stapling "struct tls_config *config"
-.Sh DESCRIPTION
-.Fn tls_config_ocsp_require_stapling
-requires that a valid stapled OCSP response be provided
-during the TLS handshake.
-.Sh SEE ALSO
-.Xr tls_config_add_keypair_file 3 ,
-.Xr tls_handshake 3 ,
-.Xr tls_init 3 ,
-.Xr tls_ocsp_process_response 3
-.Sh HISTORY
-These functions appeared in
-.Ox 6.1 .
-.Sh AUTHORS
-.An Bob Beck Aq Mt beck@openbsd.org
diff --git a/src/lib/libtls/man/tls_config_set_protocols.3 b/src/lib/libtls/man/tls_config_set_protocols.3
deleted file mode 100644
index 32b8cce757..0000000000
--- a/src/lib/libtls/man/tls_config_set_protocols.3
+++ /dev/null
@@ -1,229 +0,0 @@
-.\" $OpenBSD: tls_config_set_protocols.3,v 1.12 2023/07/02 06:37:27 beck Exp $
-.\"
-.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
-.\" Copyright (c) 2015, 2016 Joel Sing <jsing@openbsd.org>
-.\" Copyright (c) 2015 Bob Beck <beck@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 2 2023 $
-.Dt TLS_CONFIG_SET_PROTOCOLS 3
-.Os
-.Sh NAME
-.Nm tls_config_set_protocols ,
-.Nm tls_config_parse_protocols ,
-.Nm tls_config_set_alpn ,
-.Nm tls_config_set_ciphers ,
-.Nm tls_config_set_dheparams ,
-.Nm tls_config_set_ecdhecurves ,
-.Nm tls_config_prefer_ciphers_client ,
-.Nm tls_config_prefer_ciphers_server
-.Nd TLS protocol and cipher selection
-.Sh SYNOPSIS
-.In tls.h
-.Ft int
-.Fo tls_config_set_protocols
-.Fa "struct tls_config *config"
-.Fa "uint32_t protocols"
-.Fc
-.Ft int
-.Fo tls_config_parse_protocols
-.Fa "uint32_t *protocols"
-.Fa "const char *protostr"
-.Fc
-.Ft int
-.Fo tls_config_set_alpn
-.Fa "struct tls_config *config"
-.Fa "const char *alpn"
-.Fc
-.Ft int
-.Fo tls_config_set_ciphers
-.Fa "struct tls_config *config"
-.Fa "const char *ciphers"
-.Fc
-.Ft int
-.Fo tls_config_set_dheparams
-.Fa "struct tls_config *config"
-.Fa "const char *params"
-.Fc
-.Ft int
-.Fo tls_config_set_ecdhecurves
-.Fa "struct tls_config *config"
-.Fa "const char *curves"
-.Fc
-.Ft void
-.Fn tls_config_prefer_ciphers_client "struct tls_config *config"
-.Ft void
-.Fn tls_config_prefer_ciphers_server "struct tls_config *config"
-.Sh DESCRIPTION
-These functions modify a configuration by setting parameters.
-The configuration options apply to both clients and servers, unless noted
-otherwise.
-.Pp
-.Fn tls_config_set_protocols
-specifies which versions of the TLS protocol may be used.
-Possible values are the bitwise OR of:
-.Pp
-.Bl -item -offset indent -compact
-.It
-.Dv TLS_PROTOCOL_TLSv1_2
-.It
-.Dv TLS_PROTOCOL_TLSv1_3
-.El
-.Pp
-Additionally, the values
-.Dv TLS_PROTOCOL_TLSv1
-(TLSv1.2, TLSv1.3),
-.Dv TLS_PROTOCOLS_ALL
-(all supported protocols) and
-.Dv TLS_PROTOCOLS_DEFAULT
-(TLSv1.2 and TLSv1.3) may be used.
-.Pp
-The
-.Fn tls_config_parse_protocols
-utility function parses a protocol string and returns the corresponding
-value via the
-.Ar protocols
-argument.
-This value can then be passed to the
-.Fn tls_config_set_protocols
-function.
-The protocol string is a comma or colon separated list of keywords.
-Valid keywords are:
-.Pp
-.Bl -tag -width "tlsv1.3" -offset indent -compact
-.It Dv tlsv1.2
-.It Dv tlsv1.3
-.It Dv all
-.Pq all supported protocols
-.It Dv default
-.Pq an alias for Dv secure
-.It Dv legacy
-.Pq an alias for Dv all
-.It Dv secure
-.Pq currently TLSv1.2 and TLSv1.3
-.El
-.Pp
-If a value has a negative prefix (in the form of a leading exclamation mark)
-then it is removed from the list of available protocols, rather than being
-added to it.
-.Pp
-.Fn tls_config_set_alpn
-sets the ALPN protocols that are supported.
-The alpn string is a comma separated list of protocols, in order of preference.
-.Pp
-.Fn tls_config_set_ciphers
-sets the list of ciphers that may be used.
-Lists of ciphers are specified by name, and the
-permitted names are:
-.Pp
-.Bl -item -offset indent -compact
-.It
-.Dv secure Pq or alias Dv default
-.It
-.Dv compat
-.It
-.Dv legacy
-.It
-.Dv insecure Pq or alias Dv all
-.El
-.Pp
-Alternatively, libssl cipher strings can be specified.
-See the CIPHERS section of
-.Xr openssl 1
-for further information.
-.Pp
-.Fn tls_config_set_dheparams
-specifies the parameters that will be used during Diffie-Hellman Ephemeral
-(DHE) key exchange.
-Possible values are:
-.Pp
-.Bl -item -offset indent -compact
-.It
-.Dv none
-.It
-.Dv auto
-.It
-.Dv legacy
-.El
-.Pp
-In
-.Dv auto
-mode, the key size for the ephemeral key is automatically selected
-based on the size of the private key being used for signing.
-In
-.Dv legacy
-mode, 1024 bit ephemeral keys are used.
-The default value is
-.Dv none ,
-which disables DHE key exchange.
-.Pp
-.Fn tls_config_set_ecdhecurves
-specifies the names of the elliptic curves that may be used during Elliptic
-Curve Diffie-Hellman Ephemeral (ECDHE) key exchange.
-This is a comma separated list, given in order of preference.
-The special value of "default" will use the default curves (currently X25519,
-P-256 and P-384).
-This function replaces
-.Fn tls_config_set_ecdhecurve ,
-which is deprecated.
-.Pp
-.Fn tls_config_prefer_ciphers_client
-prefers ciphers in the client's cipher list when selecting a cipher suite
-(server only).
-This is considered to be less secure than preferring the server's list.
-.Pp
-.Fn tls_config_prefer_ciphers_server
-prefers ciphers in the server's cipher list when selecting a cipher suite
-(server only).
-This is considered to be more secure than preferring the client's list and is
-the default.
-.Sh RETURN VALUES
-These functions return 0 on success or -1 on error.
-.Sh SEE ALSO
-.Xr tls_config_ocsp_require_stapling 3 ,
-.Xr tls_config_set_session_id 3 ,
-.Xr tls_config_verify 3 ,
-.Xr tls_init 3 ,
-.Xr tls_load_file 3
-.Sh HISTORY
-.Fn tls_config_set_ciphers
-appeared in
-.Ox 5.6
-and got its final name in
-.Ox 5.7 .
-.Pp
-.Fn tls_config_set_protocols ,
-.Fn tls_config_parse_protocols ,
-.Fn tls_config_set_dheparams ,
-and
-.Fn tls_config_set_ecdhecurve
-appeared in
-.Ox 5.7 ,
-.Fn tls_config_prefer_ciphers_client
-and
-.Fn tls_config_prefer_ciphers_server
-in
-.Ox 5.9 ,
-and
-.Fn tls_config_set_alpn
-in
-.Ox 6.1 .
-.Sh AUTHORS
-.An Joel Sing Aq Mt jsing@openbsd.org
-with contributions from
-.An Ted Unangst Aq Mt tedu@openbsd.org
-.Pq Fn tls_config_set_ciphers
-and
-.An Reyk Floeter Aq Mt reyk@openbsd.org
-.Pq Fn tls_config_set_ecdhecurve
diff --git a/src/lib/libtls/man/tls_config_set_session_id.3 b/src/lib/libtls/man/tls_config_set_session_id.3
deleted file mode 100644
index d969e01e33..0000000000
--- a/src/lib/libtls/man/tls_config_set_session_id.3
+++ /dev/null
@@ -1,105 +0,0 @@
-.\" $OpenBSD: tls_config_set_session_id.3,v 1.5 2018/02/10 06:07:43 jsing Exp $
-.\"
-.\" Copyright (c) 2017 Claudio Jeker <claudio@openbsd.org>
-.\" Copyright (c) 2018 Joel Sing <jsing@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: February 10 2018 $
-.Dt TLS_CONFIG_SET_SESSION_ID 3
-.Os
-.Sh NAME
-.Nm tls_config_set_session_fd ,
-.Nm tls_config_set_session_id ,
-.Nm tls_config_set_session_lifetime ,
-.Nm tls_config_add_ticket_key
-.Nd configure resuming of TLS handshakes
-.Sh SYNOPSIS
-.In tls.h
-.Ft int
-.Fo tls_config_set_session_fd
-.Fa "struct tls_config *config"
-.Fa "int session_fd"
-.Fc
-.Ft int
-.Fo tls_config_set_session_id
-.Fa "struct tls_config *config"
-.Fa "const unsigned char *session_id"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo tls_config_set_session_lifetime
-.Fa "struct tls_config *config"
-.Fa "int lifetime"
-.Fc
-.Ft int
-.Fo tls_config_add_ticket_key
-.Fa "struct tls_config *config"
-.Fa "uint32_t keyrev"
-.Fa "unsigned char *key"
-.Fa "size_t keylen"
-.Fc
-.Sh DESCRIPTION
-.Fn tls_config_set_session_fd
-sets a file descriptor to be used to manage data for TLS sessions (client only).
-The given file descriptor must be a regular file and be owned by the current
-user, with permissions being restricted to only allow the owner to read and
-write the file (0600).
-If the file has a non-zero length, the client will attempt to read session
-data from this file and resume the previous TLS session with the server.
-Upon a successful handshake the file will be updated with current session
-data, if available.
-The caller is responsible for closing this file descriptor, after all TLS
-contexts that have been configured to use it have been freed via
-.Fn tls_free .
-.Pp
-.Fn tls_config_set_session_id
-sets the session identifier that will be used by the TLS server when
-sessions are enabled (server only).
-By default a random value is used.
-.Pp
-.Fn tls_config_set_session_lifetime
-sets the lifetime to be used for TLS sessions (server only).
-Session support is disabled if a lifetime of zero is specified, which is the
-default.
-.Pp
-.Fn tls_config_add_ticket_key
-adds a key used for the encryption and authentication of TLS tickets
-(server only).
-By default keys are generated and rotated automatically based on their lifetime.
-This function should only be used to synchronise ticket encryption key across
-multiple processes.
-Re-adding a known key will result in an error, unless it is the most recently
-added key.
-.Sh RETURN VALUES
-These functions return 0 on success or -1 on error.
-.Sh SEE ALSO
-.Xr tls_accept_socket 3 ,
-.Xr tls_config_set_protocols 3 ,
-.Xr tls_init 3 ,
-.Xr tls_load_file 3 ,
-.Xr tls_server 3
-.Sh HISTORY
-.Fn tls_config_set_session_id ,
-.Fn tls_config_set_session_lifetime
-and
-.Fn tls_config_add_ticket_key
-appeared in
-.Ox 6.1 .
-.Pp
-.Fn tls_config_set_session_fd
-appeared in
-.Ox 6.3 .
-.Sh AUTHORS
-.An Claudio Jeker Aq Mt claudio@openbsd.org
-.An Joel Sing Aq Mt jsing@openbsd.org
diff --git a/src/lib/libtls/man/tls_config_verify.3 b/src/lib/libtls/man/tls_config_verify.3
deleted file mode 100644
index 4a43c834d7..0000000000
--- a/src/lib/libtls/man/tls_config_verify.3
+++ /dev/null
@@ -1,79 +0,0 @@
-.\" $OpenBSD: tls_config_verify.3,v 1.4 2017/03/02 11:05:50 jmc Exp $
-.\"
-.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
-.\" Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: March 2 2017 $
-.Dt TLS_CONFIG_VERIFY 3
-.Os
-.Sh NAME
-.Nm tls_config_verify ,
-.Nm tls_config_insecure_noverifycert ,
-.Nm tls_config_insecure_noverifyname ,
-.Nm tls_config_insecure_noverifytime
-.Nd insecure TLS configuration
-.Sh SYNOPSIS
-.In tls.h
-.Ft void
-.Fn tls_config_verify "struct tls_config *config"
-.Ft void
-.Fn tls_config_insecure_noverifycert "struct tls_config *config"
-.Ft void
-.Fn tls_config_insecure_noverifyname "struct tls_config *config"
-.Ft void
-.Fn tls_config_insecure_noverifytime "struct tls_config *config"
-.Sh DESCRIPTION
-These functions disable parts of the normal certificate verification
-process, resulting in insecure configurations.
-Be very careful when using them.
-.Pp
-.Fn tls_config_insecure_noverifycert
-disables certificate verification and OCSP validation.
-.Pp
-.Fn tls_config_insecure_noverifyname
-disables server name verification (client only).
-.Pp
-.Fn tls_config_insecure_noverifytime
-disables validity checking of certificates and OCSP validation.
-.Pp
-.Fn tls_config_verify
-reenables server name and certificate verification.
-.Sh SEE ALSO
-.Xr tls_client 3 ,
-.Xr tls_config_ocsp_require_stapling 3 ,
-.Xr tls_config_set_protocols 3 ,
-.Xr tls_conn_version 3 ,
-.Xr tls_connect 3 ,
-.Xr tls_handshake 3 ,
-.Xr tls_init 3
-.Sh HISTORY
-.Fn tls_config_verify
-appeared in
-.Ox 5.6
-and got its final name in
-.Ox 5.7 .
-.Pp
-.Fn tls_config_insecure_noverifycert
-and
-.Fn tls_config_insecure_noverifyname
-appeared in
-.Ox 5.7
-and
-.Nm tls_config_insecure_noverifytime
-in
-.Ox 5.9 .
-.Sh AUTHORS
-.An Joel Sing Aq Mt jsing@openbsd.org
-.An Ted Unangst Aq Mt tedu@openbsd.org
diff --git a/src/lib/libtls/man/tls_conn_version.3 b/src/lib/libtls/man/tls_conn_version.3
deleted file mode 100644
index 8fb30624d7..0000000000
--- a/src/lib/libtls/man/tls_conn_version.3
+++ /dev/null
@@ -1,225 +0,0 @@
-.\" $OpenBSD: tls_conn_version.3,v 1.11 2024/12/10 08:42:12 tb Exp $
-.\"
-.\" Copyright (c) 2015 Bob Beck <beck@openbsd.org>
-.\" Copyright (c) 2016, 2018 Joel Sing <jsing@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: December 10 2024 $
-.Dt TLS_CONN_VERSION 3
-.Os
-.Sh NAME
-.Nm tls_conn_version ,
-.Nm tls_conn_cipher ,
-.Nm tls_conn_cipher_strength ,
-.Nm tls_conn_alpn_selected ,
-.Nm tls_conn_servername ,
-.Nm tls_conn_session_resumed ,
-.Nm tls_peer_cert_provided ,
-.Nm tls_peer_cert_contains_name ,
-.Nm tls_peer_cert_chain_pem ,
-.Nm tls_peer_cert_issuer ,
-.Nm tls_peer_cert_subject ,
-.Nm tls_peer_cert_common_name ,
-.Nm tls_peer_cert_hash ,
-.Nm tls_peer_cert_notbefore ,
-.Nm tls_peer_cert_notafter
-.Nd inspect an established TLS connection
-.Sh SYNOPSIS
-.In tls.h
-.Ft const char *
-.Fn tls_conn_version "struct tls *ctx"
-.Ft const char *
-.Fn tls_conn_cipher "struct tls *ctx"
-.Ft int
-.Fn tls_conn_cipher_strength "struct tls *ctx"
-.Ft const char *
-.Fn tls_conn_alpn_selected "struct tls *ctx"
-.Ft const char *
-.Fn tls_conn_servername "struct tls *ctx"
-.Ft int
-.Fn tls_conn_session_resumed "struct tls *ctx"
-.Ft int
-.Fn tls_peer_cert_provided "struct tls *ctx"
-.Ft int
-.Fo tls_peer_cert_contains_name
-.Fa "struct tls *ctx"
-.Fa "const char *name"
-.Fc
-.Ft const uint8_t *
-.Fo tls_peer_cert_chain_pem
-.Fa "struct tls *ctx"
-.Fa "size_t *size"
-.Fc
-.Ft const char *
-.Fn tls_peer_cert_issuer "struct tls *ctx"
-.Ft const char *
-.Fn tls_peer_cert_subject "struct tls *ctx"
-.Ft const char *
-.Fn tls_peer_cert_common_name "struct tls *ctx"
-.Ft const char *
-.Fn tls_peer_cert_hash "struct tls *ctx"
-.Ft time_t
-.Fn tls_peer_cert_notbefore "struct tls *ctx"
-.Ft time_t
-.Fn tls_peer_cert_notafter "struct tls *ctx"
-.Sh DESCRIPTION
-These functions return information about a TLS connection and will only
-succeed after the handshake is complete (the connection information applies
-to both clients and servers, unless noted otherwise):
-.Pp
-.Fn tls_conn_version
-returns a string corresponding to a TLS version negotiated with the peer
-connected to
-.Ar ctx .
-.Pp
-.Fn tls_conn_cipher
-returns a string corresponding to the cipher suite negotiated with the peer
-connected to
-.Ar ctx .
-.Pp
-.Fn tls_conn_cipher_strength
-returns the strength in bits for the symmetric cipher that is being
-used with the peer connected to
-.Ar ctx .
-.Pp
-.Fn tls_conn_alpn_selected
-returns a string that specifies the ALPN protocol selected for use with the peer
-connected to
-.Ar ctx .
-If no protocol was selected then NULL is returned.
-.Pp
-.Fn tls_conn_servername
-returns a string corresponding to the servername that the client connected to
-.Ar ctx
-requested by sending a TLS Server Name Indication extension (server only).
-.Pp
-.Fn tls_conn_session_resumed
-indicates whether a TLS session has been resumed during the handshake with
-the server connected to
-.Ar ctx
-(client only).
-.Pp
-.Fn tls_peer_cert_provided
-checks if the peer of
-.Ar ctx
-has provided a certificate.
-.Pp
-.Fn tls_peer_cert_contains_name
-checks if the peer of a TLS
-.Ar ctx
-has provided a certificate that contains a
-SAN or CN that matches
-.Ar name .
-.Pp
-.Fn tls_peer_cert_chain_pem
-returns a pointer to memory containing a PEM-encoded certificate chain for the
-peer certificate from
-.Ar ctx .
-.Pp
-.Fn tls_peer_cert_subject
-returns a string
-corresponding to the subject of the peer certificate from
-.Ar ctx .
-.Pp
-.Fn tls_peer_cert_issuer
-returns a string
-corresponding to the issuer of the peer certificate from
-.Ar ctx .
-.Fn tls_peer_cert_common_name
-returns a string
-corresponding to the common name of the peer certificate from
-.Ar ctx
-or the empty string if no common name is present.
-.Pp
-.Fn tls_peer_cert_hash
-returns a string
-corresponding to a hash of the raw peer certificate from
-.Ar ctx
-prefixed by a hash name followed by a colon.
-The hash currently used is SHA256, though this
-could change in the future.
-The hash string for a certificate in file
-.Ar mycert.crt
-can be generated using the commands:
-.Bd -literal -offset indent
-h=$(openssl x509 -outform der -in mycert.crt | sha256)
-printf "SHA256:${h}\\n"
-.Ed
-.Pp
-.Fn tls_peer_cert_notbefore
-returns the time corresponding to the start of the validity period of
-the peer certificate from
-.Ar ctx .
-.Pp
-.Fn tls_peer_cert_notafter
-returns the time corresponding to the end of the validity period of
-the peer certificate from
-.Ar ctx .
-.Sh RETURN VALUES
-The
-.Fn tls_conn_session_resumed
-function returns 1 if a TLS session was resumed or 0 if it was not.
-.Pp
-The
-.Fn tls_peer_cert_provided
-and
-.Fn tls_peer_cert_contains_name
-functions return 1 if the check succeeds or 0 if it does not.
-.Pp
-.Fn tls_peer_cert_notbefore
-and
-.Fn tls_peer_cert_notafter
-return a time in epoch-seconds on success or -1 on error.
-.Pp
-The functions that return a pointer return
-.Dv NULL
-on error or an out of memory condition.
-.Sh SEE ALSO
-.Xr tls_configure 3 ,
-.Xr tls_handshake 3 ,
-.Xr tls_init 3 ,
-.Xr tls_ocsp_process_response 3
-.Sh HISTORY
-.Fn tls_conn_version ,
-.Fn tls_conn_cipher ,
-.Fn tls_peer_cert_provided ,
-.Fn tls_peer_cert_contains_name ,
-.Fn tls_peer_cert_issuer ,
-.Fn tls_peer_cert_subject ,
-.Fn tls_peer_cert_hash ,
-.Fn tls_peer_cert_notbefore ,
-and
-.Fn tls_peer_cert_notafter
-appeared in
-.Ox 5.9 .
-.Pp
-.Fn tls_conn_servername
-and
-.Fn tls_conn_alpn_selected
-appeared in
-.Ox 6.1 .
-.Pp
-.Fn tls_conn_session_resumed
-appeared in
-.Ox 6.3 .
-.Pp
-.Fn tls_conn_cipher_strength
-appeared in
-.Ox 6.7 .
-.Fn tls_peer_cert_common_name
-appeared in
-.Ox 7.7 .
-.Sh AUTHORS
-.An Bob Beck Aq Mt beck@openbsd.org
-.An Joel Sing Aq Mt jsing@openbsd.org
diff --git a/src/lib/libtls/man/tls_connect.3 b/src/lib/libtls/man/tls_connect.3
deleted file mode 100644
index 4c4f01c256..0000000000
--- a/src/lib/libtls/man/tls_connect.3
+++ /dev/null
@@ -1,144 +0,0 @@
-.\" $OpenBSD: tls_connect.3,v 1.4 2018/07/09 19:51:18 tb Exp $
-.\"
-.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
-.\" Copyright (c) 2014, 2015 Joel Sing <jsing@openbsd.org>
-.\" Copyright (c) 2016 Brent Cook <bcook@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 9 2018 $
-.Dt TLS_CONNECT 3
-.Os
-.Sh NAME
-.Nm tls_connect ,
-.Nm tls_connect_fds ,
-.Nm tls_connect_servername ,
-.Nm tls_connect_socket ,
-.Nm tls_connect_cbs
-.Nd instruct a TLS client to establish a connection
-.Sh SYNOPSIS
-.In tls.h
-.Ft int
-.Fo tls_connect
-.Fa "struct tls *ctx"
-.Fa "const char *host"
-.Fa "const char *port"
-.Fc
-.Ft int
-.Fo tls_connect_fds
-.Fa "struct tls *ctx"
-.Fa "int fd_read"
-.Fa "int fd_write"
-.Fa "const char *servername"
-.Fc
-.Ft int
-.Fo tls_connect_servername
-.Fa "struct tls *ctx"
-.Fa "const char *host"
-.Fa "const char *port"
-.Fa "const char *servername"
-.Fc
-.Ft int
-.Fo tls_connect_socket
-.Fa "struct tls *ctx"
-.Fa "int s"
-.Fa "const char *servername"
-.Fc
-.Ft int
-.Fo tls_connect_cbs
-.Fa "struct tls *ctx"
-.Fa "ssize_t (*tls_read_cb)(struct tls *ctx,\
- void *buf, size_t buflen, void *cb_arg)"
-.Fa "ssize_t (*tls_write_cb)(struct tls *ctx,\
- const void *buf, size_t buflen, void *cb_arg)"
-.Fa "void *cb_arg"
-.Fa "const char *servername"
-.Fc
-.Sh DESCRIPTION
-After creating a TLS client context with
-.Xr tls_client 3
-and configuring it with
-.Xr tls_configure 3 ,
-a client connection is initiated by calling
-.Fn tls_connect .
-This function will create a new socket, connect to the specified
-.Fa host
-and
-.Fa port ,
-and then establish a secure connection.
-The
-.Fa port
-may be numeric or a service name.
-If it is
-.Dv NULL ,
-then a
-.Fa host
-of the format "hostname:port" is permitted.
-The name to use for verification is inferred from the
-.Ar host
-value.
-.Pp
-The
-.Fn tls_connect_servername
-function has the same behaviour, however the name to use for verification is
-explicitly provided, for the case where the TLS server name differs from the
-DNS name.
-.Pp
-An already existing socket can be upgraded to a secure connection by calling
-.Fn tls_connect_socket .
-.Pp
-Alternatively, a secure connection can be established over a pair of existing
-file descriptors by calling
-.Fn tls_connect_fds .
-.Pp
-Calling
-.Fn tls_connect_cbs
-allows read and write callback functions to handle data transfers.
-The specified cb_arg parameter is passed back to the functions,
-and can contain a pointer to any caller-specified data.
-.Sh RETURN VALUES
-These functions return 0 on success or -1 on error.
-.Sh SEE ALSO
-.Xr tls_accept_socket 3 ,
-.Xr tls_client 3 ,
-.Xr tls_close 3 ,
-.Xr tls_config_ocsp_require_stapling 3 ,
-.Xr tls_configure 3 ,
-.Xr tls_handshake 3 ,
-.Xr tls_init 3
-.Sh HISTORY
-.Fn tls_connect
-and
-.Fn tls_connect_socket
-appeared in
-.Ox 5.6
-and got their final names in
-.Ox 5.7 .
-.Pp
-.Fn tls_connect_fds
-and
-.Fn tls_connect_servername
-appeared in
-.Ox 5.7
-and
-.Fn tls_connect_cbs
-in
-.Ox 6.1 .
-.Sh AUTHORS
-.An Joel Sing Aq Mt jsing@openbsd.org
-.An Reyk Floeter Aq Mt reyk@openbsd.org
-.Pp
-.An -nosplit
-.Fn tls_connect_cbs
-was written by
-.An Tobias Pape Aq Mt tobias@netshed.de .
diff --git a/src/lib/libtls/man/tls_init.3 b/src/lib/libtls/man/tls_init.3
deleted file mode 100644
index 557998107c..0000000000
--- a/src/lib/libtls/man/tls_init.3
+++ /dev/null
@@ -1,180 +0,0 @@
-.\" $OpenBSD: tls_init.3,v 1.13 2018/07/09 19:47:20 tb Exp $
-.\"
-.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
-.\" Copyright (c) 2016 Joel Sing <jsing@openbsd.org>
-.\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 9 2018 $
-.Dt TLS_INIT 3
-.Os
-.Sh NAME
-.Nm tls_init ,
-.Nm tls_config_new ,
-.Nm tls_config_free ,
-.Nm tls_config_error
-.Nd initialize TLS client and server API
-.Sh SYNOPSIS
-.In tls.h
-.Ft int
-.Fn tls_init void
-.Ft struct tls_config *
-.Fn tls_config_new void
-.Ft void
-.Fn tls_config_free "struct tls_config *config"
-.Ft const char *
-.Fn tls_config_error "struct tls_config *config"
-.Sh DESCRIPTION
-The
-.Nm tls
-family of functions establishes a secure communications channel
-using the TLS socket protocol.
-Both clients and servers are supported.
-.Pp
-The
-.Fn tls_init
-function initializes global data structures.
-It is no longer necessary to call this function directly,
-since it is invoked internally when needed.
-It may be called more than once, and may be called concurrently.
-.Pp
-Before a connection is created, a configuration must be created.
-The
-.Fn tls_config_new
-function allocates, initializes, and returns a new default configuration
-object that can be used for future connections.
-Several functions exist to change the options of the configuration; see
-.Xr tls_config_set_protocols 3 ,
-.Xr tls_load_file 3 ,
-.Xr tls_config_ocsp_require_stapling 3 ,
-and
-.Xr tls_config_verify 3 .
-.Pp
-The
-.Fn tls_config_error
-function may be used to retrieve a string containing more information
-about the most recent error relating to a configuration.
-.Pp
-A TLS connection object is created by
-.Xr tls_client 3
-or
-.Xr tls_server 3
-and configured with
-.Xr tls_configure 3 .
-.Pp
-A client connection is initiated after configuration by calling
-.Xr tls_connect 3 .
-A server can accept a new client connection by calling
-.Xr tls_accept_socket 3
-on an already established socket connection.
-.Pp
-Two functions are provided for input and output,
-.Xr tls_read 3
-and
-.Xr tls_write 3 .
-Both automatically perform the
-.Xr tls_handshake 3
-when needed.
-.Pp
-The properties of established TLS connections
-can be inspected with the functions described in
-.Xr tls_conn_version 3
-and
-.Xr tls_ocsp_process_response 3 .
-.Pp
-After use, a TLS connection should be closed with
-.Xr tls_close 3
-and then freed by calling
-.Xr tls_free 3 .
-.Pp
-When no more contexts are to be configured,
-the configuration object should be freed by calling
-.Fn tls_config_free .
-It is safe to call
-.Fn tls_config_free
-as soon as the final call to
-.Fn tls_configure
-has been made.
-If
-.Fa config
-is
-.Dv NULL ,
-no action occurs.
-.Sh RETURN VALUES
-.Fn tls_init
-returns 0 on success or -1 on error.
-.Pp
-.Fn tls_config_new
-returns
-.Dv NULL
-on error or an out of memory condition.
-.Pp
-.Fn tls_config_error
-returns
-.Dv NULL
-if no error occurred with
-.Fa config
-at all, or if memory allocation failed while trying to assemble the
-string describing the most recent error related to
-.Fa config .
-.Sh SEE ALSO
-.Xr tls_accept_socket 3 ,
-.Xr tls_client 3 ,
-.Xr tls_config_ocsp_require_stapling 3 ,
-.Xr tls_config_set_protocols 3 ,
-.Xr tls_config_verify 3 ,
-.Xr tls_conn_version 3 ,
-.Xr tls_connect 3 ,
-.Xr tls_load_file 3 ,
-.Xr tls_ocsp_process_response 3 ,
-.Xr tls_read 3
-.Sh HISTORY
-The
-.Nm tls
-API first appeared in
-.Ox 5.6
-as a response to the unnecessary challenges other APIs present in
-order to use them safely.
-.Pp
-All functions were renamed from
-.Fn ressl_*
-to
-.Fn tls_*
-for
-.Ox 5.7 .
-.Pp
-.Fn tls_config_error
-appeared in
-.Ox 6.0 .
-.Sh AUTHORS
-.An Joel Sing Aq Mt jsing@openbsd.org
-.An Ted Unangst Aq Mt tedu@openbsd.org
-.Pp
-Many others contributed to various parts of the library; see the
-individual manual pages for more information.
-.Sh CAVEATS
-The function
-.Fn tls_config_error
-returns an internal pointer.
-It must not be freed by the application, or a double free error
-will occur.
-The pointer will become invalid when the next error occurs with
-.Fa config .
-Consequently, if the application may need the message at a later
-time, it has to copy the string before calling the next
-.Sy libtls
-function involving
-.Fa config ,
-or a segmentation fault or read access to unintended data is the
-likely result.
diff --git a/src/lib/libtls/man/tls_load_file.3 b/src/lib/libtls/man/tls_load_file.3
deleted file mode 100644
index cf33b575ef..0000000000
--- a/src/lib/libtls/man/tls_load_file.3
+++ /dev/null
@@ -1,369 +0,0 @@
-.\" $OpenBSD: tls_load_file.3,v 1.14 2022/01/01 02:18:28 jsg Exp $
-.\"
-.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
-.\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
-.\" Copyright (c) 2015 Bob Beck <beck@openbsd.org>
-.\" Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: January 1 2022 $
-.Dt TLS_LOAD_FILE 3
-.Os
-.Sh NAME
-.Nm tls_load_file ,
-.Nm tls_unload_file ,
-.Nm tls_config_set_ca_file ,
-.Nm tls_config_set_ca_path ,
-.Nm tls_config_set_ca_mem ,
-.Nm tls_config_set_cert_file ,
-.Nm tls_config_set_cert_mem ,
-.Nm tls_config_set_crl_file ,
-.Nm tls_config_set_crl_mem ,
-.Nm tls_config_set_key_file ,
-.Nm tls_config_set_key_mem ,
-.Nm tls_config_set_ocsp_staple_mem ,
-.Nm tls_config_set_ocsp_staple_file ,
-.Nm tls_config_set_keypair_file ,
-.Nm tls_config_set_keypair_mem ,
-.Nm tls_config_set_keypair_ocsp_file ,
-.Nm tls_config_set_keypair_ocsp_mem ,
-.Nm tls_config_add_keypair_file ,
-.Nm tls_config_add_keypair_ocsp_mem ,
-.Nm tls_config_add_keypair_ocsp_file ,
-.Nm tls_config_add_keypair_mem ,
-.Nm tls_config_clear_keys ,
-.Nm tls_config_set_verify_depth ,
-.Nm tls_config_verify_client ,
-.Nm tls_config_verify_client_optional ,
-.Nm tls_default_ca_cert_file
-.Nd TLS certificate and key configuration
-.Sh SYNOPSIS
-.In tls.h
-.Ft uint8_t *
-.Fo tls_load_file
-.Fa "const char *file"
-.Fa "size_t *len"
-.Fa "char *password"
-.Fc
-.Ft void
-.Fo tls_unload_file
-.Fa "uint8_t *buf"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo tls_config_set_ca_file
-.Fa "struct tls_config *config"
-.Fa "const char *ca_file"
-.Fc
-.Ft int
-.Fo tls_config_set_ca_path
-.Fa "struct tls_config *config"
-.Fa "const char *ca_path"
-.Fc
-.Ft int
-.Fo tls_config_set_ca_mem
-.Fa "struct tls_config *config"
-.Fa "const uint8_t *cert"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo tls_config_set_cert_file
-.Fa "struct tls_config *config"
-.Fa "const char *cert_file"
-.Fc
-.Ft int
-.Fo tls_config_set_cert_mem
-.Fa "struct tls_config *config"
-.Fa "const uint8_t *cert"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo tls_config_set_crl_file
-.Fa "struct tls_config *config"
-.Fa "const char *crl_file"
-.Fc
-.Ft int
-.Fo tls_config_set_crl_mem
-.Fa "struct tls_config *config"
-.Fa "const uint8_t *crl"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo tls_config_set_key_file
-.Fa "struct tls_config *config"
-.Fa "const char *key_file"
-.Fc
-.Ft int
-.Fo tls_config_set_key_mem
-.Fa "struct tls_config *config"
-.Fa "const uint8_t *key"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo tls_config_set_ocsp_staple_mem
-.Fa "struct tls_config *config"
-.Fa "const uint8_t *staple"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo tls_config_set_ocsp_staple_file
-.Fa "struct tls_config *config"
-.Fa "const char *staple_file"
-.Fc
-.Ft int
-.Fo tls_config_set_keypair_file
-.Fa "struct tls_config *config"
-.Fa "const char *cert_file"
-.Fa "const char *key_file"
-.Fc
-.Ft int
-.Fo tls_config_set_keypair_mem
-.Fa "struct tls_config *config"
-.Fa "const uint8_t *cert"
-.Fa "size_t cert_len"
-.Fa "const uint8_t *key"
-.Fa "size_t key_len"
-.Fc
-.Ft int
-.Fo tls_config_set_keypair_ocsp_file
-.Fa "struct tls_config *config"
-.Fa "const char *cert_file"
-.Fa "const char *key_file"
-.Fa "const char *staple_file"
-.Fc
-.Ft int
-.Fo tls_config_set_keypair_ocsp_mem
-.Fa "struct tls_config *config"
-.Fa "const uint8_t *cert"
-.Fa "size_t cert_len"
-.Fa "const uint8_t *key"
-.Fa "size_t key_len"
-.Fa "const uint8_t *staple"
-.Fa "size_t staple_len"
-.Fc
-.Ft int
-.Fo tls_config_add_keypair_file
-.Fa "struct tls_config *config"
-.Fa "const char *cert_file"
-.Fa "const char *key_file"
-.Fc
-.Ft int
-.Fo tls_config_add_keypair_mem
-.Fa "struct tls_config *config"
-.Fa "const uint8_t *cert"
-.Fa "size_t cert_len"
-.Fa "const uint8_t *key"
-.Fa "size_t key_len"
-.Fc
-.Ft int
-.Fo tls_config_add_keypair_ocsp_file
-.Fa "struct tls_config *config"
-.Fa "const char *cert_file"
-.Fa "const char *key_file"
-.Fa "const char *staple_file"
-.Fc
-.Ft int
-.Fo tls_config_add_keypair_ocsp_mem
-.Fa "struct tls_config *config"
-.Fa "const uint8_t *cert"
-.Fa "size_t cert_len"
-.Fa "const uint8_t *key"
-.Fa "size_t key_len"
-.Fa "const uint8_t *staple"
-.Fa "size_t staple_len"
-.Fc
-.Ft void
-.Fn tls_config_clear_keys "struct tls_config *config"
-.Ft int
-.Fo tls_config_set_verify_depth
-.Fa "struct tls_config *config"
-.Fa "int verify_depth"
-.Fc
-.Ft void
-.Fn tls_config_verify_client "struct tls_config *config"
-.Ft void
-.Fn tls_config_verify_client_optional "struct tls_config *config"
-.Ft const char *
-.Fn tls_default_ca_cert_file "void"
-.Sh DESCRIPTION
-.Fn tls_load_file
-loads a certificate or key from disk into memory to be used with
-.Fn tls_config_set_ca_mem ,
-.Fn tls_config_set_cert_mem ,
-.Fn tls_config_set_crl_mem
-or
-.Fn tls_config_set_key_mem .
-A private key will be decrypted if the optional
-.Ar password
-argument is specified.
-.Pp
-.Fn tls_unload_file
-unloads the memory that was returned from an earlier
-.Fn tls_load_file
-call, ensuring that the memory contents is discarded.
-.Pp
-.Fn tls_default_ca_cert_file
-returns the path of the file that contains the default root certificates.
-.Pp
-.Fn tls_config_set_ca_file
-loads a file containing the root certificates.
-.Pp
-.Fn tls_config_set_ca_path
-sets the path (directory) which should be searched for root
-certificates.
-.Pp
-.Fn tls_config_set_ca_mem
-sets the root certificates directly from memory.
-.Pp
-.Fn tls_config_set_cert_file
-loads a file containing the public certificate.
-.Pp
-.Fn tls_config_set_cert_mem
-sets the public certificate directly from memory.
-.Pp
-.Fn tls_config_set_crl_file
-loads a file containing the Certificate Revocation List (CRL).
-.Pp
-.Fn tls_config_set_crl_mem
-sets the CRL directly from memory.
-.Pp
-.Fn tls_config_set_key_file
-loads a file containing the private key.
-.Pp
-.Fn tls_config_set_key_mem
-directly sets the private key from memory.
-.Pp
-.Fn tls_config_set_ocsp_staple_file
-loads a file containing a DER-encoded OCSP response to be stapled
-during the TLS handshake.
-.Pp
-.Fn tls_config_set_ocsp_staple_mem
-sets a DER-encoded OCSP response to be stapled during the TLS handshake from
-memory.
-.Pp
-.Fn tls_config_set_keypair_file
-loads two files from which the public certificate and private key will be read.
-.Pp
-.Fn tls_config_set_keypair_mem
-directly sets the public certificate and private key from memory.
-.Pp
-.Fn tls_config_set_keypair_ocsp_file
-loads three files containing the public certificate, private key,
-and DER-encoded OCSP staple.
-.Pp
-.Fn tls_config_set_keypair_ocsp_mem
-directly sets the public certificate, private key, and DER-encoded OCSP staple
-from memory.
-.Pp
-.Fn tls_config_add_keypair_file
-adds an additional public certificate and private key from the specified files,
-used as an alternative certificate for Server Name Indication (server only).
-.Pp
-.Fn tls_config_add_keypair_mem
-adds an additional public certificate and private key from memory, used as an
-alternative certificate for Server Name Indication (server only).
-.Pp
-.Fn tls_config_add_keypair_ocsp_file
-adds an additional public certificate, private key, and DER-encoded OCSP staple
-from the specified files, used as an alternative certificate for Server Name
-Indication (server only).
-.Pp
-.Fn tls_config_add_keypair_ocsp_mem
-adds an additional public certificate, private key, and DER-encoded OCSP staple
-from memory, used as an alternative certificate for Server Name Indication
-(server only).
-.Pp
-.Fn tls_config_clear_keys
-clears any secret keys from memory.
-.Pp
-.Fn tls_config_set_verify_depth
-limits the number of intermediate certificates that will be followed during
-certificate validation.
-.Pp
-.Fn tls_config_verify_client
-enables client certificate verification, requiring the client to send
-a certificate (server only).
-.Pp
-.Fn tls_config_verify_client_optional
-enables client certificate verification, without requiring the client
-to send a certificate (server only).
-.Sh RETURN VALUES
-.Fn tls_load_file
-returns
-.Dv NULL
-on error or an out of memory condition.
-.Pp
-The other functions return 0 on success or -1 on error.
-.Sh SEE ALSO
-.Xr tls_config_ocsp_require_stapling 3 ,
-.Xr tls_config_set_protocols 3 ,
-.Xr tls_config_set_session_id 3 ,
-.Xr tls_configure 3 ,
-.Xr tls_init 3
-.Sh HISTORY
-.Fn tls_config_set_ca_file ,
-.Fn tls_config_set_ca_path ,
-.Fn tls_config_set_cert_file ,
-.Fn tls_config_set_cert_mem ,
-.Fn tls_config_set_key_file ,
-.Fn tls_config_set_key_mem ,
-and
-.Fn tls_config_set_verify_depth
-appeared in
-.Ox 5.6
-and got their final names in
-.Ox 5.7 .
-.Pp
-.Fn tls_load_file ,
-.Fn tls_config_set_ca_mem ,
-and
-.Fn tls_config_clear_keys
-appeared in
-.Ox 5.7 .
-.Pp
-.Fn tls_config_verify_client
-and
-.Fn tls_config_verify_client_optional
-appeared in
-.Ox 5.9 .
-.Pp
-.Fn tls_config_set_keypair_file
-and
-.Fn tls_config_set_keypair_mem
-appeared in
-.Ox 6.0 ,
-and
-.Fn tls_config_add_keypair_file
-and
-.Fn tls_config_add_keypair_mem
-in
-.Ox 6.1 .
-.Pp
-.Fn tls_config_set_crl_file
-and
-.Fn tls_config_set_crl_mem
-appeared in
-.Ox 6.2 .
-.Sh AUTHORS
-.An Joel Sing Aq Mt jsing@openbsd.org
-with contributions from
-.An Ted Unangst Aq Mt tedu@openbsd.org
-and
-.An Bob Beck Aq Mt beck@openbsd.org .
-.Pp
-.Fn tls_load_file
-and
-.Fn tls_config_set_ca_mem
-were written by
-.An Reyk Floeter Aq Mt reyk@openbsd.org .
diff --git a/src/lib/libtls/man/tls_ocsp_process_response.3 b/src/lib/libtls/man/tls_ocsp_process_response.3
deleted file mode 100644
index 6e3aa4aecc..0000000000
--- a/src/lib/libtls/man/tls_ocsp_process_response.3
+++ /dev/null
@@ -1,167 +0,0 @@
-.\" $OpenBSD: tls_ocsp_process_response.3,v 1.6 2018/07/24 02:01:34 tb Exp $
-.\"
-.\" Copyright (c) 2016 Bob Beck <beck@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 24 2018 $
-.Dt TLS_OCSP_PROCESS_RESPONSE 3
-.Os
-.Sh NAME
-.Nm tls_ocsp_process_response ,
-.Nm tls_peer_ocsp_url ,
-.Nm tls_peer_ocsp_response_status ,
-.Nm tls_peer_ocsp_cert_status ,
-.Nm tls_peer_ocsp_crl_reason ,
-.Nm tls_peer_ocsp_result ,
-.Nm tls_peer_ocsp_revocation_time ,
-.Nm tls_peer_ocsp_this_update ,
-.Nm tls_peer_ocsp_next_update
-.Nd inspect an OCSP response
-.Sh SYNOPSIS
-.In tls.h
-.Ft int
-.Fo tls_ocsp_process_response
-.Fa "struct tls *ctx"
-.Fa "const unsigned char *response"
-.Fa "size_t size"
-.Fc
-.Ft const char *
-.Fn tls_peer_ocsp_url "struct tls *ctx"
-.Ft int
-.Fn tls_peer_ocsp_response_status "struct tls *ctx"
-.Ft int
-.Fn tls_peer_ocsp_cert_status "struct tls *ctx"
-.Ft int
-.Fn tls_peer_ocsp_crl_reason "struct tls *ctx"
-.Ft const char *
-.Fn tls_peer_ocsp_result "struct tls *ctx"
-.Ft time_t
-.Fn tls_peer_ocsp_revocation_time "struct tls *ctx"
-.Ft time_t
-.Fn tls_peer_ocsp_this_update "struct tls *ctx"
-.Ft time_t
-.Fn tls_peer_ocsp_next_update "struct tls *ctx"
-.Sh DESCRIPTION
-.Fn tls_ocsp_process_response
-processes a raw OCSP response in
-.Ar response
-of size
-.Ar size
-to check the revocation status of the peer certificate from
-.Ar ctx .
-A successful return code of 0 indicates that the certificate
-has not been revoked.
-.Pp
-.Fn tls_peer_ocsp_url
-returns the URL for OCSP validation of the peer certificate from
-.Ar ctx .
-.Pp
-The following functions return information about the peer certificate from
-.Ar ctx
-that was obtained by validating a stapled OCSP response during the handshake,
-or via a previous call to
-.Fn tls_ocsp_process_response .
-.Pp
-.Fn tls_peer_ocsp_response_status
-returns the OCSP response status as per RFC 6960 section 2.3.
-.Pp
-.Fn tls_peer_ocsp_cert_status
-returns the OCSP certificate status code as per RFC 6960 section 2.2.
-.Pp
-.Fn tls_peer_ocsp_crl_reason
-returns the OCSP certificate revocation reason status code as per RFC 5280
-section 5.3.1.
-.Pp
-.Fn tls_peer_ocsp_result
-returns a textual representation of the OCSP status code
-returned by one of the previous three functions.
-If the OCSP response was valid and the certificate was not
-revoked, the string indicates the OCSP certificate status.
-Otherwise, the string indicates
-the OCSP certificate revocation reason or the OCSP error.
-.Pp
-.Fn tls_peer_ocsp_revocation_time
-returns the OCSP revocation time.
-.Pp
-.Fn tls_peer_ocsp_this_update
-returns the OCSP this update time.
-.Pp
-.Fn tls_peer_ocsp_next_update
-returns the OCSP next update time.
-.Sh RETURN VALUES
-.Fn tls_ocsp_process_response
-returns 0 on success or -1 on error.
-.Pp
-.Fn tls_peer_ocsp_url
-and
-.Fn tls_peer_ocsp_result
-return
-.Dv NULL
-on error or an out of memory condition.
-.Pp
-The
-.Fn tls_peer_ocsp_response_status
-function returns one of
-.Dv TLS_OCSP_RESPONSE_SUCCESSFUL ,
-.Dv TLS_OCSP_RESPONSE_MALFORMED ,
-.Dv TLS_OCSP_RESPONSE_INTERNALERROR ,
-.Dv TLS_OCSP_RESPONSE_TRYLATER ,
-.Dv TLS_OCSP_RESPONSE_SIGREQUIRED ,
-or
-.Dv TLS_OCSP_RESPONSE_UNAUTHORIZED
-on success or -1 on error.
-.Pp
-The
-.Fn tls_peer_ocsp_cert_status
-function returns one of
-.Dv TLS_OCSP_CERT_GOOD ,
-.Dv TLS_OCSP_CERT_REVOKED ,
-or
-.Dv TLS_OCSP_CERT_UNKNOWN
-on success, and -1 on error.
-.Pp
-The
-.Fn tls_peer_ocsp_crl_reason
-function returns one of
-.Dv TLS_CRL_REASON_UNSPECIFIED ,
-.Dv TLS_CRL_REASON_KEY_COMPROMISE ,
-.Dv TLS_CRL_REASON_CA_COMPROMISE ,
-.Dv TLS_CRL_REASON_AFFILIATION_CHANGED ,
-.Dv TLS_CRL_REASON_SUPERSEDED ,
-.Dv TLS_CRL_REASON_CESSATION_OF_OPERATION ,
-.Dv TLS_CRL_REASON_CERTIFICATE_HOLD ,
-.Dv TLS_CRL_REASON_REMOVE_FROM_CRL ,
-.Dv TLS_CRL_REASON_PRIVILEGE_WITHDRAWN ,
-or
-.Dv  TLS_CRL_REASON_AA_COMPROMISE
-on success or -1 on error.
-.Pp
-.Fn tls_peer_ocsp_revocation_time ,
-.Fn tls_peer_ocsp_this_update ,
-and
-.Fn tls_peer_ocsp_next_update
-return a time in epoch-seconds on success or -1 on error.
-.Sh SEE ALSO
-.Xr tls_client 3 ,
-.Xr tls_config_ocsp_require_stapling 3 ,
-.Xr tls_conn_version 3 ,
-.Xr tls_connect 3 ,
-.Xr tls_handshake 3 ,
-.Xr tls_init 3
-.Sh HISTORY
-These functions appeared in
-.Ox 6.1 .
-.Sh AUTHORS
-.An Bob Beck Aq Mt beck@openbsd.org
-.An Marko Kreen Aq Mt markokr@gmail.com
diff --git a/src/lib/libtls/man/tls_read.3 b/src/lib/libtls/man/tls_read.3
deleted file mode 100644
index f9d949eef5..0000000000
--- a/src/lib/libtls/man/tls_read.3
+++ /dev/null
@@ -1,240 +0,0 @@
-.\" $OpenBSD: tls_read.3,v 1.8 2023/09/18 17:25:15 schwarze Exp $
-.\"
-.\" Copyright (c) 2014, 2015 Ted Unangst <tedu@openbsd.org>
-.\" Copyright (c) 2015 Doug Hogan <doug@openbsd.org>
-.\" Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
-.\" Copyright (c) 2015 Bob Beck <beck@openbsd.org>
-.\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 18 2023 $
-.Dt TLS_READ 3
-.Os
-.Sh NAME
-.Nm tls_read ,
-.Nm tls_write ,
-.Nm tls_handshake ,
-.Nm tls_error ,
-.Nm tls_close
-.Nd use a TLS connection
-.Sh SYNOPSIS
-.In tls.h
-.Ft ssize_t
-.Fo tls_read
-.Fa "struct tls *ctx"
-.Fa "void *buf"
-.Fa "size_t buflen"
-.Fc
-.Ft ssize_t
-.Fo tls_write
-.Fa "struct tls *ctx"
-.Fa "const void *buf"
-.Fa "size_t buflen"
-.Fc
-.Ft int
-.Fn tls_handshake "struct tls *ctx"
-.Ft const char *
-.Fn tls_error "struct tls *ctx"
-.Ft int
-.Fn tls_close "struct tls *ctx"
-.Sh DESCRIPTION
-.Fn tls_read
-reads
-.Fa buflen
-bytes of data from the socket into
-.Fa buf .
-It returns the amount of data read.
-.Pp
-.Fn tls_write
-writes
-.Fa buflen
-bytes of data from
-.Fa buf
-to the socket.
-It returns the amount of data written.
-.Pp
-.Fn tls_handshake
-explicitly performs the TLS handshake.
-It is only necessary to call this function if you need to guarantee that the
-handshake has completed, as both
-.Fn tls_read
-and
-.Fn tls_write
-automatically perform the TLS handshake when necessary.
-.Pp
-The
-.Fn tls_error
-function may be used to retrieve a string containing more information
-about the most recent error relating to a context.
-.Pp
-.Fn tls_close
-closes a connection after use.
-Only the TLS layer will be shut down and the caller is responsible for closing
-the file descriptors, unless the connection was established using
-.Xr tls_connect 3
-or
-.Xr tls_connect_servername 3 .
-After closing the connection,
-.Fa ctx
-can be passed to
-.Xr tls_free 3 .
-.Sh RETURN VALUES
-.Fn tls_read
-and
-.Fn tls_write
-return a size on success or -1 on error.
-.Pp
-.Fn tls_handshake
-and
-.Fn tls_close
-return 0 on success or -1 on error.
-.Pp
-The
-.Fn tls_read ,
-.Fn tls_write ,
-.Fn tls_handshake ,
-and
-.Fn tls_close
-functions also have two special return values:
-.Pp
-.Bl -tag -width "TLS_WANT_POLLOUT" -offset indent -compact
-.It Dv TLS_WANT_POLLIN
-The underlying read file descriptor needs to be readable in order to continue.
-.It Dv TLS_WANT_POLLOUT
-The underlying write file descriptor needs to be writeable in order to continue.
-.El
-.Pp
-In the case of blocking file descriptors, the same function call should be
-repeated immediately.
-In the case of non-blocking file descriptors, the same function call should be
-repeated when the required condition has been met.
-.Pp
-Callers of these functions cannot rely on the value of the global
-.Ar errno .
-To prevent mishandling of error conditions,
-.Fn tls_read ,
-.Fn tls_write ,
-.Fn tls_handshake ,
-and
-.Fn tls_close
-all explicitly clear
-.Ar errno .
-.Pp
-.Fn tls_error
-returns
-.Dv NULL
-if no error occurred with
-.Fa ctx
-during or since the last call to
-.Fn tls_handshake ,
-.Fn tls_read ,
-.Fn tls_write ,
-.Fn tls_close ,
-or
-.Xr tls_reset 3
-involving
-.Fa ctx ,
-or if memory allocation failed while trying to assemble the string
-describing the most recent error related to
-.Fa ctx .
-.Sh EXAMPLES
-The following example demonstrates how to handle TLS writes on a blocking
-file descriptor:
-.Bd -literal -offset indent
-\&...
-while (len > 0) {
-        ssize_t ret;
-
-        ret = tls_write(ctx, buf, len);
-        if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT)
-                continue;
-        if (ret == -1)
-                errx(1, "tls_write: %s", tls_error(ctx));
-        buf += ret;
-        len -= ret;
-}
-\&...
-.Ed
-.Pp
-The following example demonstrates how to handle TLS writes on a
-non-blocking file descriptor using
-.Xr poll 2 :
-.Bd -literal -offset indent
-\&...
-pfd[0].fd = fd;
-pfd[0].events = POLLIN|POLLOUT;
-while (len > 0) {
-        nready = poll(pfd, 1, 0);
-        if (nready == -1)
-                err(1, "poll");
-        if ((pfd[0].revents & (POLLERR|POLLNVAL)))
-                errx(1, "bad fd %d", pfd[0].fd);
-        if ((pfd[0].revents & (pfd[0].events|POLLHUP))) {
-                ssize_t ret;
-
-                ret = tls_write(ctx, buf, len);
-                if (ret == TLS_WANT_POLLIN)
-                        pfd[0].events = POLLIN;
-                else if (ret == TLS_WANT_POLLOUT)
-                        pfd[0].events = POLLOUT;
-                else if (ret == -1)
-                        errx(1, "tls_write: %s", tls_error(ctx));
-                else {
-                        buf += ret;
-                        len -= ret;
-                }
-        }
-}
-\&...
-.Ed
-.Sh SEE ALSO
-.Xr tls_accept_socket 3 ,
-.Xr tls_configure 3 ,
-.Xr tls_conn_version 3 ,
-.Xr tls_connect 3 ,
-.Xr tls_init 3 ,
-.Xr tls_ocsp_process_response 3
-.Sh HISTORY
-.Fn tls_read ,
-.Fn tls_write ,
-.Fn tls_error ,
-and
-.Fn tls_close
-appeared in
-.Ox 5.6
-and got their final names in
-.Ox 5.7 .
-.Pp
-.Fn tls_handshake
-appeared in
-.Ox 5.9 .
-.Sh AUTHORS
-.An Joel Sing Aq Mt jsing@openbsd.org
-with contributions from
-.An Bob Beck Aq Mt beck@openbsd.org
-.Sh CAVEATS
-The function
-.Fn tls_error
-returns an internal pointer.
-It must not be freed by the application, or a double free error
-will occur.
-The pointer will become invalid when the next error occurs with
-.Fa ctx .
-Consequently, if the application may need the message at a later
-time, it has to copy the string before calling the next
-.Sy libtls
-function involving
-.Fa ctx ,
-or a segmentation fault or read access to unintended data is the
-likely result.