7 files changed, 1259 insertions, 1 deletions

diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index 447c7d23c3..a1cc37cb35 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.55 2016/11/26 18:09:35 schwarze Exp $
+# $OpenBSD: Makefile,v 1.56 2016/11/27 20:40:07 schwarze Exp $
 
 .include <bsd.own.mk>
 
@@ -122,6 +122,12 @@ MAN=	\
         HMAC.3 \
         MD5.3 \
         OBJ_nid2obj.3 \
+        OCSP_REQUEST_new.3 \
+        OCSP_cert_to_id.3 \
+        OCSP_request_add1_nonce.3 \
+        OCSP_resp_find_status.3 \
+        OCSP_response_status.3 \
+        OCSP_sendreq_new.3 \
         OPENSSL_VERSION_NUMBER.3 \
         OPENSSL_config.3 \
         OPENSSL_load_builtin_modules.3 \
diff --git a/src/lib/libcrypto/man/OCSP_REQUEST_new.3 b/src/lib/libcrypto/man/OCSP_REQUEST_new.3
new file mode 100644
index 0000000000..dd08b7c2ca
--- /dev/null
+++ b/src/lib/libcrypto/man/OCSP_REQUEST_new.3
@@ -0,0 +1,241 @@
+.\"     $OpenBSD: OCSP_REQUEST_new.3,v 1.1 2016/11/27 20:40:07 schwarze Exp $
+.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2014, 2016 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: November 27 2016 $
+.Dt OCSP_REQUEST_NEW 3
+.Os
+.Sh NAME
+.Nm OCSP_REQUEST_new ,
+.Nm OCSP_REQUEST_free ,
+.Nm OCSP_request_add0_id ,
+.Nm OCSP_request_sign ,
+.Nm OCSP_request_add1_cert ,
+.Nm OCSP_request_onereq_count ,
+.Nm OCSP_request_onereq_get0 ,
+.Nd OCSP request functions
+.Sh SYNOPSIS
+.In openssl/ocsp.h
+.Ft OCSP_REQUEST *
+.Fn OCSP_REQUEST_new void
+.Ft void
+.Fo OCSP_REQUEST_free
+.Fa "OCSP_REQUEST *req"
+.Fc
+.Ft OCSP_ONEREQ *
+.Fo OCSP_request_add0_id
+.Fa "OCSP_REQUEST *req"
+.Fa "OCSP_CERTID *cid"
+.Fc
+.Ft int
+.Fo OCSP_request_sign
+.Fa "OCSP_REQUEST *req"
+.Fa "X509 *signer"
+.Fa "EVP_PKEY *key"
+.Fa "const EVP_MD *dgst"
+.Fa "STACK_OF(X509) *certs"
+.Fa "unsigned long flags"
+.Fc
+.Ft int
+.Fo OCSP_request_add1_cert
+.Fa "OCSP_REQUEST *req"
+.Fa "X509 *cert"
+.Fc
+.Ft int
+.Fo OCSP_request_onereq_count
+.Fa "OCSP_REQUEST *req"
+.Fc
+.Ft OCSP_ONEREQ *
+.Fo OCSP_request_onereq_get0
+.Fa "OCSP_REQUEST *req"
+.Fa "int i"
+.Fc
+.Sh DESCRIPTION
+.Fn OCSP_REQUEST_new
+allocates and returns an empty
+.Vt OCSP_REQUEST
+structure.
+.Pp
+.Fn OCSP_REQUEST_free
+frees up the request structure
+.Fa req .
+.Pp
+.Fn OCSP_request_add0_id
+adds certificate ID
+.Fa cid
+to
+.Fa req .
+It returns the
+.Vt OCSP_ONEREQ
+structure added so an application can add additional extensions to the
+request.
+The
+.Fa cid
+parameter must not be freed up after the operation.
+.Pp
+.Fn OCSP_request_sign
+signs OCSP request
+.Fa req
+using certificate
+.Fa signer ,
+private key
+.Fa key ,
+digest
+.Fa dgst ,
+and additional certificates
+.Fa certs .
+If the
+.Fa flags
+option
+.Dv OCSP_NOCERTS
+is set, then no certificates will be included in the request.
+.Pp
+.Fn OCSP_request_add1_cert
+adds certificate
+.Fa cert
+to request
+.Fa req .
+The application is responsible for freeing up
+.Fa cert
+after use.
+.Pp
+.Fn OCSP_request_onereq_count
+returns the total number of
+.Vt OCSP_ONEREQ
+structures in
+.Fa req .
+.Pp
+.Fn OCSP_request_onereq_get0
+returns an internal pointer to the
+.Vt OCSP_ONEREQ
+contained in
+.Fa req
+of index
+.Fa i .
+The index value
+.Fa i
+runs from 0 to
+.Fn OCSP_request_onereq_count req No - 1 .
+.Pp
+An
+.Vt OCSP_REQUEST
+structure contains one or more
+.Vt OCSP_ONEREQ
+structures corresponding to each certificate.
+.Pp
+.Fn OCSP_request_onereq_count
+and
+.Fn OCSP_request_onereq_get0
+are mainly used by OCSP responders.
+.Sh RETURN VALUES
+.Fn OCSP_REQUEST_new
+returns an empty
+.Vt OCSP_REQUEST
+structure or
+.Dv NULL
+if an error occurred.
+.Pp
+.Fn OCSP_request_add0_id
+returns the
+.Vt OCSP_ONEREQ
+structure containing
+.Fa cid
+or
+.Dv NULL
+if an error occurred.
+.Pp
+.Fn OCSP_request_sign
+and
+.Fn OCSP_request_add1_cert
+return 1 for success or 0 for failure.
+.Pp
+.Fn OCSP_request_onereq_count
+returns the total number of
+.Vt OCSP_ONEREQ
+structures in
+.Fa req .
+.Pp
+.Fn OCSP_request_onereq_get0
+returns a pointer to an
+.Vt OCSP_ONEREQ
+structure or
+.Dv NULL
+if the index value is out or range.
+.Sh EXAMPLE
+Create an
+.Vt OCSP_REQUEST
+structure for certificate
+.Fa cert
+with issuer
+.Fa issuer :
+.Bd -literal -offset indent
+OCSP_REQUEST *req;
+OCSP_ID *cid;
+
+req = OCSP_REQUEST_new();
+if (req == NULL)
+        /* error */
+cid = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
+if (cid == NULL)
+        /* error */
+
+if (OCSP_REQUEST_add0_id(req, cid) == NULL)
+        /* error */
+
+ /* Do something with req, e.g. query responder */
+
+OCSP_REQUEST_free(req);
+.Ed
+.Sh SEE ALSO
+.Xr crypto 3 ,
+.Xr OCSP_cert_to_id 3 ,
+.Xr OCSP_request_add1_nonce 3 ,
+.Xr OCSP_resp_find_status 3 ,
+.Xr OCSP_response_status 3 ,
+.Xr OCSP_sendreq_new 3
diff --git a/src/lib/libcrypto/man/OCSP_cert_to_id.3 b/src/lib/libcrypto/man/OCSP_cert_to_id.3
new file mode 100644
index 0000000000..6742e45415
--- /dev/null
+++ b/src/lib/libcrypto/man/OCSP_cert_to_id.3
@@ -0,0 +1,187 @@
+.\"     $OpenBSD: OCSP_cert_to_id.3,v 1.1 2016/11/27 20:40:07 schwarze Exp $
+.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2014, 2016 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: November 27 2016 $
+.Dt OCSP_CERT_TO_ID 3
+.Os
+.Sh NAME
+.Nm OCSP_cert_to_id ,
+.Nm OCSP_cert_id_new ,
+.Nm OCSP_CERTID_free ,
+.Nm OCSP_id_issuer_cmp ,
+.Nm OCSP_id_cmp ,
+.Nm OCSP_id_get0_info
+.Nd OCSP certificate ID utility functions
+.Sh SYNOPSIS
+.In openssl/ocsp.h
+.Ft OCSP_CERTID *
+.Fo OCSP_cert_to_id
+.Fa "const EVP_MD *dgst"
+.Fa "X509 *subject"
+.Fa "X509 *issuer"
+.Fc
+.Ft OCSP_CERTID *
+.Fo OCSP_cert_id_new
+.Fa "const EVP_MD *dgst"
+.Fa "X509_NAME *issuerName"
+.Fa "ASN1_BIT_STRING *issuerKey"
+.Fa "ASN1_INTEGER *serialNumber"
+.Fc
+.Ft void
+.Fo OCSP_CERTID_free
+.Fa "OCSP_CERTID *id"
+.Fc
+.Ft int
+.Fo OCSP_id_issuer_cmp
+.Fa "OCSP_CERTID *a"
+.Fa "OCSP_CERTID *b"
+.Fc
+.Ft int
+.Fo OCSP_id_cmp
+.Fa "OCSP_CERTID *a"
+.Fa "OCSP_CERTID *b"
+.Fc
+.Ft int
+.Fo OCSP_id_get0_info
+.Fa "ASN1_OCTET_STRING **piNameHash"
+.Fa "ASN1_OBJECT **pmd"
+.Fa "ASN1_OCTET_STRING **pikeyHash"
+.Fa "ASN1_INTEGER **pserial"
+.Fa "OCSP_CERTID *cid"
+.Fc
+.Sh DESCRIPTION
+.Fn OCSP_cert_to_id
+creates and returns a new
+.Vt OCSP_CERTID
+structure using message digest
+.Fa dgst
+for certificate
+.Fa subject
+with issuer
+.Fa issuer .
+If
+.Fa dgst
+is
+.Dv NULL
+then SHA1 is used.
+.Pp
+.Fn OCSP_cert_id_new
+creates and returns a new
+.Vt OCSP_CERTID
+using
+.Fa dgst
+and issuer name
+.Fa issuerName ,
+issuer key hash
+.Fa issuerKey
+and serial number
+.Fa serialNumber .
+.Pp
+.Fn OCSP_CERTID_free
+frees up
+.Fa id .
+.Pp
+.Fn OCSP_id_cmp
+compares
+.Vt OCSP_CERTID
+.Fa a
+and
+.Fa b .
+.Pp
+.Fn OCSP_id_issuer_cmp
+compares only the issuer name of
+.Vt OCSP_CERTID
+.Fa a
+and
+.Fa b .
+.Pp
+.Fn OCSP_id_get0_info
+returns the issuer name hash, hash OID, issuer key hash and serial
+number contained in
+.Fa cid .
+If any of the values are not required the corresponding parameter can be
+set to
+.Dv NULL .
+The values returned by
+.Fn OCSP_id_get0_info
+are internal pointers and must not be freed up by an application:
+they will be freed when the corresponding
+.Vt OCSP_CERTID
+structure is freed.
+.Pp
+OCSP clients will typically only use
+.Fn OCSP_cert_to_id
+or
+.Fn OCSP_cert_id_new :
+the other functions are used by responder applications.
+.Sh RETURN VALUES
+.Fn OCSP_cert_to_id
+and
+.Fn OCSP_cert_id_new
+return either a pointer to a valid
+.Vt OCSP_CERTID
+structure or
+.Dv NULL
+if an error occurred.
+.Pp
+.Fn OCSP_id_cmp
+and
+.Fn OCSP_id_issuer_cmp
+returns 0 for a match or non-zero otherwise.
+.Pp
+.Fn OCSP_id_get0_info
+returns 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr crypto 3 ,
+.Xr OCSP_request_add1_nonce 3 ,
+.Xr OCSP_REQUEST_new 3 ,
+.Xr OCSP_resp_find_status 3 ,
+.Xr OCSP_response_status 3 ,
+.Xr OCSP_sendreq_new 3
diff --git a/src/lib/libcrypto/man/OCSP_request_add1_nonce.3 b/src/lib/libcrypto/man/OCSP_request_add1_nonce.3
new file mode 100644
index 0000000000..8de58d2731
--- /dev/null
+++ b/src/lib/libcrypto/man/OCSP_request_add1_nonce.3
@@ -0,0 +1,160 @@
+.\"     $OpenBSD: OCSP_request_add1_nonce.3,v 1.1 2016/11/27 20:40:07 schwarze Exp $
+.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2014, 2016 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: November 27 2016 $
+.Dt OCSP_REQUEST_ADD1_NONCE 3
+.Os
+.Sh NAME
+.Nm OCSP_request_add1_nonce ,
+.Nm OCSP_basic_add1_nonce ,
+.Nm OCSP_check_nonce ,
+.Nm OCSP_copy_nonce
+.Nd OCSP nonce functions
+.Sh SYNOPSIS
+.In openssl/ocsp.h
+.Ft int
+.Fo OCSP_request_add1_nonce
+.Fa "OCSP_REQUEST *req"
+.Fa "unsigned char *val"
+.Fa "int len"
+.Fc
+.Ft int
+.Fo OCSP_basic_add1_nonce
+.Fa "OCSP_BASICRESP *resp"
+.Fa "unsigned char *val"
+.Fa "int len"
+.Fc
+.Ft int
+.Fo OCSP_copy_nonce
+.Fa "OCSP_BASICRESP *resp"
+.Fa "OCSP_REQUEST *req"
+.Fc
+.Ft int
+.Fo OCSP_check_nonce
+.Fa "OCSP_REQUEST *req"
+.Fa "OCSP_BASICRESP *resp"
+.Fc
+.Sh DESCRIPTION
+An OCSP nonce is typically added to an OCSP request to thwart replay
+attacks by checking the same nonce value appears in the response.
+.Pp
+.Fn OCSP_request_add1_nonce
+adds a nonce of value
+.Fa val
+and length
+.Fa len
+to OCSP request
+.Fa req .
+If
+.Fa val
+is
+.Dv NULL ,
+a random nonce is used.
+If
+.Fa len
+is zero or negative, a default length will be used (currently 16 bytes).
+For most purposes the nonce value in a request is set to a random value
+so the
+.Fa val
+parameter in
+.Fn OCSP_request_add1_nonce
+is usually NULL.
+.Pp
+.Fn OCSP_basic_add1_nonce
+is identical to
+.Fn OCSP_request_add1_nonce
+except it adds a nonce to OCSP basic response
+.Fa resp .
+.Pp
+.Fn OCSP_check_nonce
+compares the nonce value in
+.Fa req
+and
+.Fa resp .
+.Pp
+.Fn OCSP_copy_nonce
+copies any nonce value present in
+.Fa req
+to
+.Fa resp .
+.Pp
+Some responders may include a nonce in all responses even if one is not
+supplied.
+.Pp
+Some responders cache OCSP responses and do not sign each response for
+performance reasons.
+As a result they do not support nonces.
+.Sh RETURN VALUES
+.Fn OCSP_request_add1_nonce
+and
+.Fn OCSP_basic_add1_nonce
+return 1 for success or 0 for failure.
+.Pp
+.Fn OCSP_copy_nonce
+returns 1 if a nonce was successfully copied, 2 if no nonce was
+present in
+.Fa req ,
+or 0 if an error occurred.
+.Pp
+.Fn OCSP_check_nonce
+returns positive values for success: 1 if nonces are present and
+equal, 2 if both nonces are absent, or 3 if a nonce is present in
+the response only.
+A zero return value indicates that both nonces are present but
+mismatch: this should be treated as an error condition.
+A return value of -1 indicates that a nonce is present in the request
+only: this will happen if the responder doesn't support nonces.
+.Sh SEE ALSO
+.Xr crypto 3 ,
+.Xr OCSP_cert_to_id 3 ,
+.Xr OCSP_REQUEST_new 3 ,
+.Xr OCSP_resp_find_status 3 ,
+.Xr OCSP_response_status 3 ,
+.Xr OCSP_sendreq_new 3
diff --git a/src/lib/libcrypto/man/OCSP_resp_find_status.3 b/src/lib/libcrypto/man/OCSP_resp_find_status.3
new file mode 100644
index 0000000000..603b155455
--- /dev/null
+++ b/src/lib/libcrypto/man/OCSP_resp_find_status.3
@@ -0,0 +1,285 @@
+.\"     $OpenBSD: OCSP_resp_find_status.3,v 1.1 2016/11/27 20:40:07 schwarze Exp $
+.\"     OpenSSL c952780c Jun 21 07:03:34 2016 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2014 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: November 27 2016 $
+.Dt OCSP_RESP_FIND_STATUS 3
+.Os
+.Sh NAME
+.Nm OCSP_resp_find_status ,
+.Nm OCSP_resp_count ,
+.Nm OCSP_resp_get0 ,
+.Nm OCSP_resp_find ,
+.Nm OCSP_single_get0_status ,
+.Nm OCSP_check_validity
+.Nd OCSP response utility functions
+.Sh SYNOPSIS
+.In openssl/ocsp.h
+.Ft int
+.Fo OCSP_resp_find_status
+.Fa "OCSP_BASICRESP *bs"
+.Fa "OCSP_CERTID *id"
+.Fa "int *status"
+.Fa "int *reason"
+.Fa "ASN1_GENERALIZEDTIME **revtime"
+.Fa "ASN1_GENERALIZEDTIME **thisupd"
+.Fa "ASN1_GENERALIZEDTIME **nextupd"
+.Fc
+.Ft int
+.Fo OCSP_resp_count
+.Fa "OCSP_BASICRESP *bs"
+.Fc
+.Ft OCSP_SINGLERESP *
+.Fo OCSP_resp_get0
+.Fa "OCSP_BASICRESP *bs"
+.Fa "int idx"
+.Fc
+.Ft int
+.Fo OCSP_resp_find
+.Fa "OCSP_BASICRESP *bs"
+.Fa "OCSP_CERTID *id"
+.Fa "int last"
+.Fc
+.Ft int
+.Fo OCSP_single_get0_status
+.Fa "OCSP_SINGLERESP *single"
+.Fa "int *reason"
+.Fa "ASN1_GENERALIZEDTIME **revtime"
+.Fa "ASN1_GENERALIZEDTIME **thisupd"
+.Fa "ASN1_GENERALIZEDTIME **nextupd"
+.Fc
+.Ft int
+.Fo OCSP_check_validity
+.Fa "ASN1_GENERALIZEDTIME *thisupd"
+.Fa "ASN1_GENERALIZEDTIME *nextupd"
+.Fa "long sec"
+.Fa "long maxsec"
+.Fc
+.Sh DESCRIPTION
+.Fn OCSP_resp_find_status
+searches
+.Fa bs
+for an OCSP response for
+.Fa id .
+If it is successful, the fields of the response are returned in
+.Pf * Fa status ,
+.Pf * Fa reason ,
+.Pf * Fa revtime ,
+.Pf * Fa thisupd
+and
+.Pf * Fa nextupd .
+The
+.Pf * Fa status
+value will be one of
+.Dv V_OCSP_CERTSTATUS_GOOD ,
+.Dv V_OCSP_CERTSTATUS_REVOKED ,
+or
+.Dv V_OCSP_CERTSTATUS_UNKNOWN .
+The
+.Pf * Fa reason
+and
+.Pf * Fa revtime
+fields are only set if the status is
+.Dv V_OCSP_CERTSTATUS_REVOKED .
+If set, the
+.Pf * Fa reason
+field will be set to the revocation reason which will be one of
+.Dv OCSP_REVOKED_STATUS_NOSTATUS ,
+.Dv OCSP_REVOKED_STATUS_UNSPECIFIED ,
+.Dv OCSP_REVOKED_STATUS_KEYCOMPROMISE ,
+.Dv OCSP_REVOKED_STATUS_CACOMPROMISE ,
+.Dv OCSP_REVOKED_STATUS_AFFILIATIONCHANGED ,
+.Dv OCSP_REVOKED_STATUS_SUPERSEDED ,
+.Dv OCSP_REVOKED_STATUS_CESSATIONOFOPERATION ,
+.Dv OCSP_REVOKED_STATUS_CERTIFICATEHOLD
+or
+.Dv OCSP_REVOKED_STATUS_REMOVEFROMCRL .
+.Pp
+.Fn OCSP_resp_count
+returns the number of
+.Vt OCSP_SINGLERESP
+structures in
+.Fa bs .
+.Pp
+.Fn OCSP_resp_get0
+returns the
+.Vt OCSP_SINGLERESP
+structure in
+.Fa bs
+corresponding to index
+.Fa idx ,
+where
+.Fa idx
+runs from 0 to
+.Fn OCSP_resp_count bs No - 1 .
+.Pp
+.Fn OCSP_resp_find
+searches
+.Fa bs
+for
+.Fa id
+and returns the index of the first matching entry after
+.Fa last
+or starting from the beginning if
+.Fa last
+is -1.
+.Pp
+.Fn OCSP_single_get0_status
+extracts the fields of
+.Fa single
+in
+.Pf * Fa reason ,
+.Pf * Fa revtime ,
+.Pf * Fa thisupd ,
+and
+.Pf * Fa nextupd .
+.Pp
+.Fn OCSP_check_validity
+checks the validity of
+.Fa thisupd
+and
+.Fa nextupd
+values which will be typically obtained from
+.Fn OCSP_resp_find_status
+or
+.Fn OCSP_single_get0_status .
+If
+.Fa sec
+is non-zero it indicates how many seconds leeway should be allowed in
+the check.
+If
+.Fa maxsec
+is positive it indicates the maximum age of
+.Fa thisupd
+in seconds.
+.Pp
+Applications will typically call
+.Fn OCSP_resp_find_status
+using the certificate ID of interest and then check its validity using
+.Fn OCSP_check_validity .
+They can then take appropriate action based on the status of the
+certificate.
+.Pp
+An OCSP response for a certificate contains
+.Sy thisUpdate
+and
+.Sy nextUpdate
+fields.
+Normally the current time should be between these two values.
+To account for clock skew, the
+.Fa maxsec
+field can be set to non-zero in
+.Fn OCSP_check_validity .
+Some responders do not set the
+.Sy nextUpdate
+field.
+This would otherwise mean an ancient response would be considered
+valid: the
+.Fa maxsec
+parameter to
+.Fn OCSP_check_validity
+can be used to limit the permitted age of responses.
+.Pp
+The values written to
+.Pf * Fa revtime ,
+.Pf * Fa thisupd ,
+and
+.Pf * Fa nextupd
+by
+.Fn OCSP_resp_find_status
+and
+.Fn OCSP_single_get0_status
+are internal pointers which must not be freed up by the calling
+application.
+Any or all of these parameters can be set to
+.Dv NULL
+if their value is not required.
+.Sh RETURN VALUES
+.Fn OCSP_resp_find_status
+returns 1 if
+.Fa id
+is found in
+.Fa bs
+or 0 otherwise.
+.Pp
+.Fn OCSP_resp_count
+returns the total number of
+.Vt OCSP_SINGLERESP
+fields in
+.Fa bs .
+.Pp
+.Fn OCSP_resp_get0
+returns a pointer to an
+.Vt OCSP_SINGLERESP
+structure or
+.Dv NULL
+if
+.Fa idx
+is out of range.
+.Pp
+.Fn OCSP_resp_find
+returns the index of
+.Fa id
+in
+.Fa bs
+(which may be 0) or -1 if
+.Fa id
+was not found.
+.Pp
+.Fn OCSP_single_get0_status
+returns the status of
+.Fa single
+or -1 if an error occurred.
+.Sh SEE ALSO
+.Xr crypto 3 ,
+.Xr OCSP_cert_to_id 3 ,
+.Xr OCSP_request_add1_nonce 3 ,
+.Xr OCSP_REQUEST_new 3 ,
+.Xr OCSP_response_status 3 ,
+.Xr OCSP_sendreq_new 3
diff --git a/src/lib/libcrypto/man/OCSP_response_status.3 b/src/lib/libcrypto/man/OCSP_response_status.3
new file mode 100644
index 0000000000..c6fef0dc2e
--- /dev/null
+++ b/src/lib/libcrypto/man/OCSP_response_status.3
@@ -0,0 +1,134 @@
+.\"     $OpenBSD: OCSP_response_status.3,v 1.1 2016/11/27 20:40:07 schwarze Exp $
+.\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2014, 2016 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: November 27 2016 $
+.Dt OCSP_RESPONSE_STATUS 3
+.Os
+.Sh NAME
+.Nm OCSP_response_status ,
+.Nm OCSP_response_get1_basic ,
+.Nm OCSP_response_create ,
+.Nm OCSP_RESPONSE_free
+.Nd OCSP response functions
+.Sh SYNOPSIS
+.In openssl/ocsp.h
+.Ft int
+.Fo OCSP_response_status
+.Fa "OCSP_RESPONSE *resp"
+.Fc
+.Ft OCSP_BASICRESP *
+.Fo OCSP_response_get1_basic
+.Fa "OCSP_RESPONSE *resp"
+.Fc
+.Ft OCSP_RESPONSE *
+.Fo OCSP_response_create
+.Fa "int status"
+.Fa "OCSP_BASICRESP *bs"
+.Fc
+.Ft void
+.Fo OCSP_RESPONSE_free
+.Fa "OCSP_RESPONSE *resp"
+.Fc
+.Sh DESCRIPTION
+.Fn OCSP_response_status
+returns the OCSP response status of
+.Fa resp .
+It returns one of the values:
+.Dv OCSP_RESPONSE_STATUS_SUCCESSFUL ,
+.Dv OCSP_RESPONSE_STATUS_MALFORMEDREQUEST ,
+.Dv OCSP_RESPONSE_STATUS_INTERNALERROR ,
+.Dv OCSP_RESPONSE_STATUS_TRYLATER ,
+.Dv OCSP_RESPONSE_STATUS_SIGREQUIRED ,
+or
+.Dv OCSP_RESPONSE_STATUS_UNAUTHORIZED .
+.Pp
+.Fn OCSP_response_get1_basic
+decodes and returns the
+.Vt OCSP_BASICRESP
+structure contained in
+.Fa resp .
+It is only called if the status of a response is
+.Dv OCSP_RESPONSE_STATUS_SUCCESSFUL .
+.Pp
+.Fn OCSP_response_create
+creates and returns an
+.Vt OCSP_RESPONSE
+structure for
+.Fa status
+and optionally including basic response
+.Fa bs .
+.Pp
+.Fn OCSP_RESPONSE_free
+frees up OCSP response
+.Fa resp .
+.Sh RETURN VALUES
+.Fn OCSP_response_status
+returns a status value.
+.Pp
+.Fn OCSP_response_get1_basic
+returns an
+.Vt OCSP_BASICRESP
+structure pointer or
+.Dv NULL
+if an error occurred.
+.Pp
+.Fn OCSP_response_create
+returns an
+.Vt OCSP_RESPONSE
+structure pointer or
+.Dv NULL
+if an error occurred.
+.Sh SEE ALSO
+.Xr crypto 3 ,
+.Xr OCSP_cert_to_id 3 ,
+.Xr OCSP_request_add1_nonce 3 ,
+.Xr OCSP_REQUEST_new 3 ,
+.Xr OCSP_resp_find_status 3 ,
+.Xr OCSP_sendreq_new 3
diff --git a/src/lib/libcrypto/man/OCSP_sendreq_new.3 b/src/lib/libcrypto/man/OCSP_sendreq_new.3
new file mode 100644
index 0000000000..994ce9cc2a
--- /dev/null
+++ b/src/lib/libcrypto/man/OCSP_sendreq_new.3
@@ -0,0 +1,245 @@
+.\"     $OpenBSD: OCSP_sendreq_new.3,v 1.1 2016/11/27 20:40:07 schwarze Exp $
+.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 2014, 2016 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: November 27 2016 $
+.Dt OCSP_SENDREQ_NEW 3
+.Os
+.Sh NAME
+.Nm OCSP_sendreq_new ,
+.Nm OCSP_sendreq_nbio ,
+.Nm OCSP_REQ_CTX_free ,
+.Nm OCSP_REQ_CTX_add1_header ,
+.Nm OCSP_REQ_CTX_set1_req ,
+.Nm OCSP_sendreq_bio
+.Nd OCSP responder query functions
+.Sh SYNOPSIS
+.In openssl/ocsp.h
+.Ft OCSP_REQ_CTX *
+.Fo OCSP_sendreq_new
+.Fa "BIO *io"
+.Fa "const char *path"
+.Fa "OCSP_REQUEST *req"
+.Fa "int maxline"
+.Fc
+.Ft int
+.Fo OCSP_sendreq_nbio
+.Fa "OCSP_RESPONSE **presp"
+.Fa "OCSP_REQ_CTX *rctx"
+.Fc
+.Ft void
+.Fo OCSP_REQ_CTX_free
+.Fa "OCSP_REQ_CTX *rctx"
+.Fc
+.Ft int
+.Fo OCSP_REQ_CTX_add1_header
+.Fa "OCSP_REQ_CTX *rctx"
+.Fa "const char *name"
+.Fa "const char *value"
+.Fc
+.Ft int
+.Fo OCSP_REQ_CTX_set1_req
+.Fa "OCSP_REQ_CTX *rctx"
+.Fa "OCSP_REQUEST *req"
+.Fc
+.Ft OCSP_RESPONSE *
+.Fo OCSP_sendreq_bio
+.Fa "BIO *io"
+.Fa "const char *path"
+.Fa "OCSP_REQUEST *req"
+.Fc
+.Sh DESCRIPTION
+The function
+.Fn OCSP_sendreq_new
+returns an
+.Vt OCSP_REQ_CTX
+structure using the responder
+.Fa io ,
+the URI path
+.Fa path ,
+the OCSP request
+.Fa req
+and with a response header maximum line length of
+.Fa maxline .
+If
+.Fa maxline
+is zero, a default value of 4k is used.
+The OCSP request
+.Fa req
+may be set to
+.Dv NULL
+and provided later if required.
+.Pp
+The arguments to
+.Fn OCSP_sendreq_new
+correspond to the components of the URI.
+For example, if the responder URI is
+.Pa http://ocsp.com/ocspreq ,
+the BIO
+.Fa io
+should be connected to host
+.Pa ocsp.com
+on port 80 and
+.Fa path
+should be set to
+.Qq /ocspreq .
+.Pp
+.Fn OCSP_sendreq_nbio
+performs non-blocking I/O on the OCSP request context
+.Fa rctx .
+When the operation is complete it returns the response in
+.Pf * Fa presp .
+If
+.Fn OCSP_sendreq_nbio
+indicates an operation should be retried, the corresponding BIO can
+be examined to determine which operation (read or write) should be
+retried and appropriate action can be taken, for example a
+.Xr select 3
+call on the underlying socket.
+.Pp
+.Fn OCSP_REQ_CTX_free
+frees up the OCSP context
+.Fa rctx .
+.Pp
+.Fn OCSP_REQ_CTX_add1_header
+adds header
+.Fa name
+with value
+.Fa value
+to the context
+.Fa rctx .
+The added headers are of the form
+.Qq Fa name : value
+or just
+.Qq Fa name
+if
+.Fa value
+is
+.Dv NULL .
+.Fn OCSP_REQ_CTX_add1_header
+can be called more than once to add multiple headers.
+It must be called before any calls to
+.Fn OCSP_sendreq_nbio .
+The
+.Fa req
+parameter in the initial to
+.Fn OCSP_sendreq_new
+call must be set to
+.Dv NULL
+if additional headers are set.
+.Pp
+.Fn OCSP_REQ_CTX_set1_req
+sets the OCSP request in
+.Fa rctx
+to
+.Fa req .
+This function should be called after any calls to
+.Fn OCSP_REQ_CTX_add1_header .
+.Pp
+.Fn OCSP_sendreq_bio
+performs an OCSP request using the responder
+.Fa io ,
+the URI path
+.Fa path ,
+the OCSP request
+.Fa req .
+It does not support retries and so cannot handle non-blocking I/O
+efficiently.
+It is retained for compatibility and its use in new applications
+is not recommended.
+.Sh RETURN VALUES
+.Fn OCSP_sendreq_new
+returns a valid
+.Vt OCSP_REQ_CTX
+structure or
+.Dv NULL
+if an error occurred.
+.Pp
+.Fn OCSP_sendreq_nbio
+returns
+.Sy 1
+if the operation was completed successfully,
+.Sy -1
+if the operation should be retried, or
+.Sy 0
+if an error occurred.
+.Pp
+.Fn OCSP_REQ_CTX_add1_header
+and
+.Fn OCSP_REQ_CTX_set1_req
+return
+.Sy 1
+for success or
+.Sy 0
+for failure.
+.Pp
+.Fn OCSP_sendreq_bio
+returns the
+.Vt OCSP_RESPONSE
+structure sent by the responder or
+.Dv NULL
+if an error occurred.
+.Sh EXAMPLES
+Add a Host header for
+.Pa ocsp.com :
+.Pp
+.Dl OCSP_REQ_CTX_add1_header(ctx, "Host", "ocsp.com");
+.Sh SEE ALSO
+.Xr crypto 3 ,
+.Xr OCSP_cert_to_id 3 ,
+.Xr OCSP_request_add1_nonce 3 ,
+.Xr OCSP_REQUEST_new 3 ,
+.Xr OCSP_resp_find_status 3 ,
+.Xr OCSP_response_status 3
+.Sh CAVEATS
+These functions only perform a minimal HTTP query to a responder.
+If an application wishes to support more advanced features, it
+should use an alternative more complete HTTP library.
+.Pp
+Currently only HTTP POST queries to responders are supported.