1 files changed, 32 insertions, 107 deletions

diff --git a/secure/lib/libcrypto/man/man3/SSL_check_chain.3 b/secure/lib/libcrypto/man/man3/SSL_check_chain.3
index 64f494b86a7b..2d62f054ce85 100644
--- a/secure/lib/libcrypto/man/man3/SSL_check_chain.3
+++ b/secure/lib/libcrypto/man/man3/SSL_check_chain.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -15,29 +16,12 @@
 .ft R
 .fi
 ..
-.\" Set up some character translations and predefined strings.  \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
-.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
 .ie n \{\
-.    ds -- \(*W-
-.    ds PI pi
-.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
-.    ds L" ""
-.    ds R" ""
 .    ds C` ""
 .    ds C' ""
 'br\}
 .el\{\
-.    ds -- \|\(em\|
-.    ds PI \(*p
-.    ds L" ``
-.    ds R" ''
 .    ds C`
 .    ds C'
 'br\}
@@ -69,85 +53,26 @@
 .\}
 .rr rF
 .\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.    \" fudge factors for nroff and troff
-.if n \{\
-.    ds #H 0
-.    ds #V .8m
-.    ds #F .3m
-.    ds #[ \f1
-.    ds #] \fP
-.\}
-.if t \{\
-.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-.    ds #V .6m
-.    ds #F 0
-.    ds #[ \&
-.    ds #] \&
-.\}
-.    \" simple accents for nroff and troff
-.if n \{\
-.    ds ' \&
-.    ds ` \&
-.    ds ^ \&
-.    ds , \&
-.    ds ~ ~
-.    ds /
-.\}
-.if t \{\
-.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-.    \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-.    \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-.    \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-.    ds : e
-.    ds 8 ss
-.    ds o a
-.    ds d- d\h'-1'\(ga
-.    ds D- D\h'-1'\(hy
-.    ds th \o'bp'
-.    ds Th \o'LP'
-.    ds ae ae
-.    ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
+.\" Required to disable full justification in groff 1.23.0.
+.if n .ds AD l
 .\" ========================================================================
 .\"
-.IX Title "SSL_CHECK_CHAIN 3"
-.TH SSL_CHECK_CHAIN 3 "2022-07-05" "1.1.1q" "OpenSSL"
+.IX Title "SSL_CHECK_CHAIN 3ossl"
+.TH SSL_CHECK_CHAIN 3ossl 2026-04-07 3.5.6 OpenSSL
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
 .nh
-.SH "NAME"
+.SH NAME
 SSL_check_chain \- check certificate chain suitability
-.SH "SYNOPSIS"
+.SH SYNOPSIS
 .IX Header "SYNOPSIS"
 .Vb 1
 \& #include <openssl/ssl.h>
 \&
 \& int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain);
 .Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
 .IX Header "DESCRIPTION"
 \&\fBSSL_check_chain()\fR checks whether certificate \fBx\fR, private key \fBpk\fR and
 certificate chain \fBchain\fR is suitable for use with the current session
@@ -157,36 +82,36 @@ certificate chain \fBchain\fR is suitable for use with the current session
 \&\fBSSL_check_chain()\fR returns a bitmap of flags indicating the validity of the
 chain.
 .PP
-\&\fB\s-1CERT_PKEY_VALID\s0\fR: the chain can be used with the current session.
+\&\fBCERT_PKEY_VALID\fR: the chain can be used with the current session.
 If this flag is \fBnot\fR set then the certificate will never be used even
 if the application tries to set it because it is inconsistent with the
 peer preferences.
 .PP
-\&\fB\s-1CERT_PKEY_SIGN\s0\fR: the \s-1EE\s0 key can be used for signing.
+\&\fBCERT_PKEY_SIGN\fR: the EE key can be used for signing.
 .PP
-\&\fB\s-1CERT_PKEY_EE_SIGNATURE\s0\fR: the signature algorithm of the \s-1EE\s0 certificate is
+\&\fBCERT_PKEY_EE_SIGNATURE\fR: the signature algorithm of the EE certificate is
 acceptable.
 .PP
-\&\fB\s-1CERT_PKEY_CA_SIGNATURE\s0\fR: the signature algorithms of all \s-1CA\s0 certificates
+\&\fBCERT_PKEY_CA_SIGNATURE\fR: the signature algorithms of all CA certificates
 are acceptable.
 .PP
-\&\fB\s-1CERT_PKEY_EE_PARAM\s0\fR: the parameters of the end entity certificate are
+\&\fBCERT_PKEY_EE_PARAM\fR: the parameters of the end entity certificate are
 acceptable (e.g. it is a supported curve).
 .PP
-\&\fB\s-1CERT_PKEY_CA_PARAM\s0\fR: the parameters of all \s-1CA\s0 certificates are acceptable.
+\&\fBCERT_PKEY_CA_PARAM\fR: the parameters of all CA certificates are acceptable.
 .PP
-\&\fB\s-1CERT_PKEY_EXPLICIT_SIGN\s0\fR: the end entity certificate algorithm
+\&\fBCERT_PKEY_EXPLICIT_SIGN\fR: the end entity certificate algorithm
 can be used explicitly for signing (i.e. it is mentioned in the signature
 algorithms extension).
 .PP
-\&\fB\s-1CERT_PKEY_ISSUER_NAME\s0\fR: the issuer name is acceptable. This is only
+\&\fBCERT_PKEY_ISSUER_NAME\fR: the issuer name is acceptable. This is only
 meaningful for client authentication.
 .PP
-\&\fB\s-1CERT_PKEY_CERT_TYPE\s0\fR: the certificate type is acceptable. Only meaningful
+\&\fBCERT_PKEY_CERT_TYPE\fR: the certificate type is acceptable. Only meaningful
 for client authentication.
 .PP
-\&\fB\s-1CERT_PKEY_SUITEB\s0\fR: chain is suitable for Suite B use.
-.SH "NOTES"
+\&\fBCERT_PKEY_SUITEB\fR: chain is suitable for Suite B use.
+.SH NOTES
 .IX Header "NOTES"
 \&\fBSSL_check_chain()\fR must be called in servers after a client hello message or in
 clients after a certificate request message. It will typically be called
@@ -197,29 +122,29 @@ function on each chain in turn: starting with the one it considers the
 most secure. It could then use the chain of the first set which returns
 suitable flags.
 .PP
-As a minimum the flag \fB\s-1CERT_PKEY_VALID\s0\fR must be set for a chain to be
-usable. An application supporting multiple chains with different \s-1CA\s0 signature
-algorithms may also wish to check \fB\s-1CERT_PKEY_CA_SIGNATURE\s0\fR too. If no
+As a minimum the flag \fBCERT_PKEY_VALID\fR must be set for a chain to be
+usable. An application supporting multiple chains with different CA signature
+algorithms may also wish to check \fBCERT_PKEY_CA_SIGNATURE\fR too. If no
 chain is suitable a server should fall back to the most secure chain which
-sets \fB\s-1CERT_PKEY_VALID\s0\fR.
+sets \fBCERT_PKEY_VALID\fR.
 .PP
 The validity of a chain is determined by checking if it matches a supported
 signature algorithm, supported curves and in the case of client authentication
 certificate types and issuer names.
 .PP
-Since the supported signature algorithms extension is only used in \s-1TLS 1.2,
-TLS 1.3\s0 and \s-1DTLS 1.2\s0 the results for earlier versions of \s-1TLS\s0 and \s-1DTLS\s0 may not
-be very useful. Applications may wish to specify a different \*(L"legacy\*(R" chain
-for earlier versions of \s-1TLS\s0 or \s-1DTLS.\s0
+Since the supported signature algorithms extension is only used in TLS 1.2,
+TLS 1.3 and DTLS 1.2 the results for earlier versions of TLS and DTLS may not
+be very useful. Applications may wish to specify a different "legacy" chain
+for earlier versions of TLS or DTLS.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fBSSL_CTX_set_cert_cb\fR\|(3),
 \&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
 .IX Header "COPYRIGHT"
 Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved.
 .PP
-Licensed under the OpenSSL license (the \*(L"License\*(R").  You may not use
+Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
 <https://www.openssl.org/source/license.html>.