This commit was manufactured by cvs2svn to create tagrelease/4.5.0

'RELENG_4_5_0_RELEASE'.

23 files changed, 0 insertions, 1556 deletions

diff --git a/contrib/bind/bin/named-bootconf/test.boot b/contrib/bind/bin/named-bootconf/test.boot
deleted file mode 100644
index 2b001e4ab041..000000000000
--- a/contrib/bind/bin/named-bootconf/test.boot
+++ /dev/null
@@ -1,30 +0,0 @@
-directory /var/named
-forwarders 1.2.3.4 1.2.3.5
-limit datasize 10000000
-limit files 1000
-limit transfers-in 100
-limit transfers-per-ns 20
-; no-round-robin in HP specific
-options no-round-robin fake-iquery forward-only no-fetch-glue no-recursion
-slave
-tcplist 10.0.0.1
-xfrnets 10.0.0.2
-cache .	rootservers
-primary example.net example.net.db
-secondary example.com 127.0.0.1 example.com.db
-stub example.org 127.0.0.1 example.org.db
-primary/IN example.net example.net.db
-secondary/IN example.com 127.0.0.1 example.com.db
-stub/IN example.org 127.0.0.1 example.org.db
-secondary/IN example.com 127.0.0.1
-stub/IN example.org 127.0.0.1
-primary/CHAOS example.net example.net.db
-secondary/CHAOS example.com 127.0.0.1 example.com.db
-stub/CHAOS example.org 127.0.0.1 example.org.db
-secondary/CHAOS example.com 127.0.0.1
-stub/CHAOS example.org 127.0.0.1
-primary/HS example.net example.net.db
-secondary/HS example.com 127.0.0.1 example.com.db
-stub/HS example.org 127.0.0.1 example.org.db
-secondary/HS example.com 127.0.0.1
-stub/HS example.org 127.0.0.1
diff --git a/contrib/bind/include/netgroup.h b/contrib/bind/include/netgroup.h
deleted file mode 100644
index 30efb9414413..000000000000
--- a/contrib/bind/include/netgroup.h
+++ /dev/null
@@ -1,17 +0,0 @@
-#ifndef netgroup_h
-#define netgroup_h
-
-int getnetgrent(const char **machinep, const char **userp,
-		const char **domainp);
-
-int getnetgrent_r(char **machinep, char **userp, char **domainp,
-		  char *buffer, int buflen);
-
-void setnetgrent(const char *netgroup);
-
-void endnetgrent(void);
-
-int innetgr(const char *netgroup, const char *machine,
-	    const char *user, const char *domain);
-
-#endif
diff --git a/contrib/bind/lib/inet/inet_data.c b/contrib/bind/lib/inet/inet_data.c
deleted file mode 100644
index 47b6d9bf6579..000000000000
--- a/contrib/bind/lib/inet/inet_data.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (c) 1995-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$Id: inet_data.c,v 1.2 2001/06/20 22:06:36 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "port_after.h"
-
-const struct in6_addr isc_in6addr_any = IN6ADDR_ANY_INIT;
-const struct in6_addr isc_in6addr_loopback = IN6ADDR_LOOPBACK_INIT;
diff --git a/contrib/bind/lib/isc/hex.c b/contrib/bind/lib/isc/hex.c
deleted file mode 100644
index 223979629896..000000000000
--- a/contrib/bind/lib/isc/hex.c
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Copyright (c) 2001 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
- * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-#include <port_before.h>
-#include <ctype.h>
-#include <stdio.h>
-#include <string.h>
-#include <isc/misc.h>
-#include <port_after.h>
-
-static const char hex[17] = "0123456789abcdef";
-
-int
-isc_gethexstring(unsigned char *buf, size_t len, int count, FILE *fp,
-		 int *multiline)
-{
-	int c, n;
-	unsigned char x;
-	char *s;
-	int result = count;
-	
-	x = 0; /* silence compiler */
-	n = 0;
-	while (count > 0) {
-		c = fgetc(fp);
-
-		if ((c == EOF) ||
-		    (c == '\n' && !*multiline) ||
-		    (c == '(' && *multiline) ||
-		    (c == ')' && !*multiline))
-			goto formerr;
-		/* comment */
-		if (c == ';') {
-			while ((c = fgetc(fp)) != EOF && c != '\n')
-				/* empty */
-			if (c == '\n' && *multiline)
-				continue;
-			goto formerr;
-		}
-		/* white space */
-		if (c == ' ' || c == '\t' || c == '\n' || c == '\r')
-			continue;
-		/* multiline */
-		if ('(' == c || c == ')') {
-			*multiline = (c == '(' /*)*/);
-			continue;
-		}
-		if ((s = strchr(hex, tolower(c))) == NULL)
-			goto formerr;
-		x = (x<<4) | (s - hex);
-		if (++n == 2) {
-			if (len > 0) {
-				*buf++ = x;
-				len--;
-			} else
-				result = -1;
-			count--;
-			n = 0;
-		}
-	}
-	return (result);
-
- formerr:
-	if (c == '\n')
-		ungetc(c, fp);
-	return (-1);
-}
-
-void
-isc_puthexstring(FILE *fp, const unsigned char *buf, size_t buflen,
-		 size_t len1, size_t len2, const char *sep)
-{
-	size_t i = 0;
-
-	if (len1 < 4)
-		len1 = 4;
-	if (len2 < 4)
-		len2 = 4;
-	while (buflen > 0) {
-		fputc(hex[(buf[0]>>4)&0xf], fp);
-		fputc(hex[buf[0]&0xf], fp);
-		i += 2;
-		buflen--;
-		buf++;
-		if (i >= len1 && sep != NULL) {
-			fputs(sep, fp);
-			i = 0;
-			len1 = len2;
-		}
-	}
-}
-
-void
-isc_tohex(const unsigned char *buf, size_t buflen, char *t) {
-	while (buflen > 0) {
-		*t++ = hex[(buf[0]>>4)&0xf];
-		*t++ = hex[buf[0]&0xf];
-		buf++;
-		buflen--;
-	}
-	*t = '\0';
-}
diff --git a/contrib/bzip2/FREEBSD-upgrade b/contrib/bzip2/FREEBSD-upgrade
deleted file mode 100644
index eebf2febc34d..000000000000
--- a/contrib/bzip2/FREEBSD-upgrade
+++ /dev/null
@@ -1,32 +0,0 @@
-$FreeBSD$
-
-Julian Seward's bzip2
-	originals can be found at: 	http://sources.redhat.com/bzip2/
-
-Imported by:
-
-	cvs import -m "Virgin import (trimmed) of Bzip2 version 1.0.2." \
-		src/contrib/bzip2 BZIP2 v1_0_2
-
-Notes:
-	1. The following log shows details of trimming:
-
-	$ tar xvfz bzip2-1.0.2.tar.gz
-	$ cd bzip2-1.0.2
-	$ rm bzdiff bzdiff.1 bzgrep bzgrep.1 bzip2.1.preformatted bzip2.txt
-	$ rm bzmore bzmore.1 dlltest.dsp libbz2.dsp manual.html manual.pdf
-	$ rm manual.ps manual_1.html manual_2.html manual_3.html manual_4.html
-	$ rm manual_abt.html manual_ovr.html manual_toc.html mk251.c
-	$ uuencode sample1.bz2 sample1.bz2 > sample1.bz2.uu
-	$ uuencode sample2.bz2 sample2.bz2 > sample2.bz2.uu
-	$ uuencode sample3.bz2 sample3.bz2 > sample3.bz2.uu
-	$ gzip -9 sample1.ref sample2.ref sample3.ref
-	$ uuencode sample1.ref.gz sample1.ref.gz > sample1.ref.gz.uu
-	$ uuencode sample2.ref.gz sample2.ref.gz > sample2.ref.gz.uu
-	$ uuencode sample3.ref.gz sample3.ref.gz > sample3.ref.gz.uu
-	$ rm sample1.bz2 sample1.ref.gz sample2.bz2 sample2.ref.gz
-	$ rm sample3.bz2 sample3.ref.gz
-
-
-sobomax@FreeBSD.org
-1 February 2002
diff --git a/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod b/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod
deleted file mode 100644
index 2a987391147c..000000000000
--- a/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod
+++ /dev/null
@@ -1,70 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_COMP_add_compression_method - handle SSL/TLS integrated compression methods
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
-
-=head1 DESCRIPTION
-
-SSL_COMP_add_compression_method() adds the compression method B<cm> with
-the identifier B<id> to the list of available compression methods. This
-list is globally maintained for all SSL operations within this application.
-It cannot be set for specific SSL_CTX or SSL objects.
-
-=head1 NOTES
-
-The TLS standard (or SSLv3) allows the integration of compression methods
-into the communication. The TLS RFC does however not specify compression
-methods or their corresponding identifiers, so there is currently no compatible
-way to integrate compression with unknown peers. It is therefore currently not
-recommended to integrate compression into applications. Applications for
-non-public use may agree on certain compression methods. Using different
-compression methods with the same identifier will lead to connection failure.
-
-An OpenSSL client speaking a protocol that allows compression (SSLv3, TLSv1)
-will unconditionally send the list of all compression methods enabled with
-SSL_COMP_add_compression_method() to the server during the handshake.
-Unlike the mechanisms to set a cipher list, there is no method available to
-restrict the list of compression method on a per connection basis.
-
-An OpenSSL server will match the identifiers listed by a client against
-its own compression methods and will unconditionally activate compression
-when a matching identifier is found. There is no way to restrict the list
-of compression methods supported on a per connection basis.
-
-The OpenSSL library has the compression methods B<COMP_rle()> and (when
-especially enabled during compilation) B<COMP_zlib()> available.
-
-=head1 WARNINGS
-
-Once the identities of the compression methods for the TLS protocol have
-been standardized, the compression API will most likely be changed. Using
-it in the current state is not recommended.
-
-=head1 RETURN VALUES
-
-SSL_COMP_add_compression_method() may return the following values:
-
-=over 4
-
-=item 1
-
-The operation succeeded.
-
-=item 0
-
-The operation failed. Check the error queue to find out the reason.
-
-=back
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_ctrl.pod b/crypto/openssl/doc/ssl/SSL_CTX_ctrl.pod
deleted file mode 100644
index 4228225ae81b..000000000000
--- a/crypto/openssl/doc/ssl/SSL_CTX_ctrl.pod
+++ /dev/null
@@ -1,34 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_CTX_ctrl, SSL_CTX_callback_ctrl, SSL_ctrl, SSL_callback_ctrl - internal handling functions for SSL_CTX and SSL objects
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg);
- long SSL_CTX_callback_ctrl(SSL_CTX *, int cmd, void (*fp)());
-
- long SSL_ctrl(SSL *ssl, int cmd, long larg, char *parg);
- long SSL_callback_ctrl(SSL *, int cmd, void (*fp)());
-
-=head1 DESCRIPTION
-
-The SSL_*_ctrl() family of functions is used to manipulate settings of
-the SSL_CTX and SSL objects. Depending on the command B<cmd> the arguments
-B<larg>, B<parg>, or B<fp> are evaluated. These functions should never
-be called directly. All functionalities needed are made available via
-other functions or macros.
-
-=head1 RETURN VALUES
-
-The return values of the SSL*_ctrl() functions depend on the command
-supplied via the B<cmd> parameter.
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_cert_verify_callback.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_cert_verify_callback.pod
deleted file mode 100644
index 723fc140d42f..000000000000
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_cert_verify_callback.pod
+++ /dev/null
@@ -1,75 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(),
-                                       char *arg);
- int (*callback)();
-
-=head1 DESCRIPTION
-
-SSL_CTX_set_cert_verify_callback() sets the verification callback function for
-B<ctx>. SSL objects, that are created from B<ctx> inherit the setting valid at
-the time, L<SSL_new(3)|SSL_new(3)> is called. B<arg> is currently ignored.
-
-=head1 NOTES
-
-Whenever a certificate is verified during a SSL/TLS handshake, a verification
-function is called. If the application does not explicitly specify a
-verification callback function, the built-in verification function is used.
-If a verification callback B<callback> is specified via
-SSL_CTX_set_cert_verify_callback(), the supplied callback function is called
-instead. By setting B<callback> to NULL, the default behaviour is restored.
-
-When the verification must be performed, B<callback> will be called with
-the argument callback(X509_STORE_CTX *x509_store_ctx). The arguments B<arg>
-that can be specified when setting B<callback> are currently ignored.
-
-B<callback> should return 1 to indicate verification success and 0 to
-indicate verification failure. If SSL_VERIFY_PEER is set and B<callback>
-returns 0, the handshake will fail. As the verification procedure may
-allow to continue the connection in case of failure (by always returning 1)
-the verification result must be set in any case using the B<error>
-member of B<x509_store_ctx>, so that the calling application will be informed
-about the detailed result of the verification procedure! 
-
-Within B<x509_store_ctx>, B<callback> has access to the B<verify_callback>
-function set using L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>.
-
-=head1 WARNINGS
-
-Do not mix the verification callback described in this function with the
-B<verify_callback> function called during the verification process. The
-latter is set using the L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
-family of functions.
-
-Providing a complete verification procedure including certificate purpose
-settings etc is a complex task. The built-in procedure is quite powerful
-and in most cases it should be sufficient to modify its behaviour using
-the B<verify_callback> function.
-
-=head1 BUGS
-
-It is possible to specify arguments to be passed to the verification callback.
-Currently they are however not passed but ignored.
-
-The B<callback> function is not specified via a prototype, so that no
-type checking takes place.
-
-=head1 RETURN VALUES
-
-SSL_CTX_set_cert_verify_callback() does not provide diagnostic information.
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
-L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
-L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_info_callback.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_info_callback.pod
deleted file mode 100644
index 63d0b8d33f87..000000000000
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_info_callback.pod
+++ /dev/null
@@ -1,153 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_CTX_set_info_callback, SSL_CTX_get_info_callback, SSL_set_info_callback, SSL_get_info_callback - handle information callback for SSL connections
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*callback)());
- void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))();
-
- void SSL_set_info_callback(SSL *ssl, void (*callback)());
- void (*SSL_get_info_callback(SSL *ssl))();
-
-=head1 DESCRIPTION
-
-SSL_CTX_set_info_callback() sets the B<callback> function, that can be used to
-obtain state information for SSL objects created from B<ctx> during connection
-setup and use. The setting for B<ctx> is overridden from the setting for
-a specific SSL object, if specified.
-When B<callback> is NULL, not callback function is used.
-
-SSL_set_info_callback() sets the B<callback> function, that can be used to
-obtain state information for B<ssl> during connection setup and use.
-When B<callback> is NULL, the callback setting currently valid for
-B<ctx> is used.
-
-SSL_CTX_get_info_callback() returns a pointer to the currently set information
-callback function for B<ctx>.
-
-SSL_get_info_callback() returns a pointer to the currently set information
-callback function for B<ssl>.
-
-=head1 NOTES
-
-When setting up a connection and during use, it is possible to obtain state
-information from the SSL/TLS engine. When set, an information callback function
-is called whenever the state changes, an alert appears, or an error occurs.
-
-The callback function is called as B<callback(SSL *ssl, int where, int ret)>.
-The B<where> argument specifies information about where (in which context)
-the callback function was called. If B<ret> is 0, an error condition occurred.
-If an alert is handled, SSL_CB_ALERT is set and B<ret> specifies the alert
-information.
-
-B<where> is a bitmask made up of the following bits:
-
-=over 4
-
-=item SSL_CB_LOOP
-
-Callback has been called to indicate state change inside a loop.
-
-=item SSL_CB_EXIT
-
-Callback has been called to indicate error exit of a handshake function.
-(May be soft error with retry option for non-blocking setups.)
-
-=item SSL_CB_READ
-
-Callback has been called during read operation.
-
-=item SSL_CB_WRITE
-
-Callback has been called during write operation.
-
-=item SSL_CB_ALERT
-
-Callback has been called due to an alert being sent or received.
-
-=item SSL_CB_READ_ALERT               (SSL_CB_ALERT|SSL_CB_READ)
-
-=item SSL_CB_WRITE_ALERT              (SSL_CB_ALERT|SSL_CB_WRITE)
-
-=item SSL_CB_ACCEPT_LOOP              (SSL_ST_ACCEPT|SSL_CB_LOOP)
-
-=item SSL_CB_ACCEPT_EXIT              (SSL_ST_ACCEPT|SSL_CB_EXIT)
-
-=item SSL_CB_CONNECT_LOOP             (SSL_ST_CONNECT|SSL_CB_LOOP)
-
-=item SSL_CB_CONNECT_EXIT             (SSL_ST_CONNECT|SSL_CB_EXIT)
-
-=item SSL_CB_HANDSHAKE_START
-
-Callback has been called because a new handshake is started.
-
-=item SSL_CB_HANDSHAKE_DONE           0x20
-
-Callback has been called because a handshake is finished.
-
-=back
-
-The current state information can be obtained using the
-L<SSL_state_string(3)|SSL_state_string(3)> family of functions.
-
-The B<ret> information can be evaluated using the
-L<SSL_alert_type_string(3)|SSL_alert_type_string(3)> family of functions.
-
-=head1 RETURN VALUES
-
-SSL_set_info_callback() does not provide diagnostic information.
-
-SSL_get_info_callback() returns the current setting.
-
-=head1 EXAMPLES
-
-The following example callback function prints state strings, information
-about alerts being handled and error messages to the B<bio_err> BIO.
-
- void apps_ssl_info_callback(SSL *s, int where, int ret)
-	{
-	const char *str;
-	int w;
-
-	w=where& ~SSL_ST_MASK;
-
-	if (w & SSL_ST_CONNECT) str="SSL_connect";
-	else if (w & SSL_ST_ACCEPT) str="SSL_accept";
-	else str="undefined";
-
-	if (where & SSL_CB_LOOP)
-		{
-		BIO_printf(bio_err,"%s:%s\n",str,SSL_state_string_long(s));
-		}
-	else if (where & SSL_CB_ALERT)
-		{
-		str=(where & SSL_CB_READ)?"read":"write";
-		BIO_printf(bio_err,"SSL3 alert %s:%s:%s\n",
-			str,
-			SSL_alert_type_string_long(ret),
-			SSL_alert_desc_string_long(ret));
-		}
-	else if (where & SSL_CB_EXIT)
-		{
-		if (ret == 0)
-			BIO_printf(bio_err,"%s:failed in %s\n",
-				str,SSL_state_string_long(s));
-		else if (ret < 0)
-			{
-			BIO_printf(bio_err,"%s:error in %s\n",
-				str,SSL_state_string_long(s));
-			}
-		}
-	}
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>, L<SSL_state_string(3)|SSL_state_string(3)>,
-L<SSL_alert_type_string(3)|SSL_alert_type_string(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_quiet_shutdown.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
deleted file mode 100644
index 1d0526d59a3f..000000000000
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
+++ /dev/null
@@ -1,63 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_CTX_set_quiet_shutdown, SSL_CTX_get_quiet_shutdown, SSL_set_quiet_shutdown, SSL_get_quiet_shutdown - manipulate shutdown behaviour
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);
- int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx);
-
- void SSL_set_quiet_shutdown(SSL *ssl, int mode);
- int SSL_get_quiet_shutdown(SSL *ssl);
-
-=head1 DESCRIPTION
-
-SSL_CTX_set_quiet_shutdown() sets the "quiet shutdown" flag for B<ctx> to be
-B<mode>. SSL objects created from B<ctx> inherit the B<mode> valid at the time
-L<SSL_new(3)|SSL_new(3)> is called. B<mode> may be 0 or 1.
-
-SSL_CTX_get_quiet_shutdown() returns the "quiet shutdown" setting of B<ctx>.
-
-SSL_set_quiet_shutdown() sets the "quiet shutdown" flag for B<ssl> to be
-B<mode>. The setting stays valid until B<ssl> is removed with
-L<SSL_free(3)|SSL_free(3)> or SSL_set_quiet_shutdown() is called again.
-It is not changed when L<SSL_clear(3)|SSL_clear(3)> is called.
-B<mode> may be 0 or 1.
-
-SSL_get_quiet_shutdown() returns the "quiet shutdown" setting of B<ssl>.
-
-=head1 NOTES
-
-Normally when a SSL connection is finished, the parties must send out
-"close notify" alert messages using L<SSL_shutdown(3)|SSL_shutdown(3)>
-for a clean shutdown.
-
-When setting the "quiet shutdown" flag to 1, L<SSL_shutdown(3)|SSL_shutdown(3)>
-will set the internal flags to SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.
-(L<SSL_shutdown(3)|SSL_shutdown(3)> then behaves like
-L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> called with
-SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.)
-The session is thus considered to be shutdown, but no "close notify" alert
-is sent to the peer. This behaviour violates the TLS standard.
-
-The default is normal shutdown behaviour as described by the TLS standard.
-
-=head1 RETURN VALUES
-
-SSL_CTX_set_quiet_shutdown() and SSL_set_quiet_shutdown() do not return
-diagnostic information.
-
-SSL_CTX_get_quiet_shutdown() and SSL_get_quiet_shutdown return the current
-setting.
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>, L<SSL_shutdown(3)|SSL_shutdown(3)>,
-L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>, L<SSL_new(3)|SSL_new(3)>,
-L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
deleted file mode 100644
index 29d1f8a6fbfe..000000000000
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
+++ /dev/null
@@ -1,170 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_CTX_set_tmp_dh_callback, SSL_CTX_set_tmp_dh, SSL_set_tmp_dh_callback, SSL_set_tmp_dh - handle DH keys for ephemeral key exchange
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
-            DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
- long SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh);
-
- void SSL_set_tmp_dh_callback(SSL_CTX *ctx,
-            DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
- long SSL_set_tmp_dh(SSL *ssl, DH *dh)
-
- DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
-
-=head1 DESCRIPTION
-
-SSL_CTX_set_tmp_dh_callback() sets the callback function for B<ctx> to be
-used when a DH parameters are required to B<tmp_dh_callback>.
-The callback is inherited by all B<ssl> objects created from B<ctx>.
-
-SSL_CTX_set_tmp_dh() sets DH parameters to be used to be B<dh>.
-The key is inherited by all B<ssl> objects created from B<ctx>.
-
-SSL_set_tmp_dh_callback() sets the callback only for B<ssl>.
-
-SSL_set_tmp_dh() sets the parameters only for B<ssl>.
-
-These functions apply to SSL/TLS servers only.
-
-=head1 NOTES
-
-When using a cipher with RSA authentication, an ephemeral DH key exchange
-can take place. Ciphers with DSA keys always use ephemeral DH keys as well.
-In these cases, the session data are negotiated using the
-ephemeral/temporary DH key and the key supplied and certified
-by the certificate chain is only used for signing.
-Anonymous ciphers (without a permanent server key) also use ephemeral DH keys.
-
-Using ephemeral DH key exchange yields forward secrecy, as the connection
-can only be decrypted, when the DH key is known. By generating a temporary
-DH key inside the server application that is lost when the application
-is left, it becomes impossible for an attacker to decrypt past sessions,
-even if he gets hold of the normal (certified) key, as this key was
-only used for signing.
-
-In order to perform a DH key exchange the server must use a DH group
-(DH parameters) and generate a DH key. The server will always generate a new
-DH key during the negotiation, when the DH parameters are supplied via
-callback and/or when the SSL_OP_SINGLE_DH_USE option of
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)> is set. It will
-immediately create a DH key, when DH parameters are supplied via
-SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set. In this case,
-it may happen that a key is generated on initialization without later
-being needed, while on the other hand the computer time during the
-negotiation is being saved.
-
-If "strong" primes were used to generate the DH parameters, it is not strictly
-necessary to generate a new key for each handshake but it does improve forward
-secrecy. If it is not assured, that "strong" primes were used (see especially
-the section about DSA parameters below), SSL_OP_SINGLE_DH_USE must be used
-in order to prevent small subgroup attacks. Always using SSL_OP_SINGLE_DH_USE
-has an impact on the computer time needed during negotiation, but it is not
-very large, so application authors/users should consider to always enable
-this option.
-
-As generating DH parameters is extremely time consuming, an application
-should not generate the parameters on the fly but supply the parameters.
-DH parameters can be reused, as the actual key is newly generated during
-the negotiation. The risk in reusing DH parameters is that an attacker
-may specialize on a very often used DH group. Applications should therefore
-generate their own DH parameters during the installation process using the
-openssl L<dhparam(1)|dhparam(1)> application. In order to reduce the computer
-time needed for this generation, it is possible to use DSA parameters
-instead (see L<dhparam(1)|dhparam(1)>), but in this case SSL_OP_SINGLE_DH_USE
-is mandatory.
-
-Application authors may compile in DH parameters. Files dh512.pem,
-dh1024.pem, dh2048.pem, and dh4096 in the 'apps' directory of current
-version of the OpenSSL distribution contain the 'SKIP' DH parameters,
-which use safe primes and were generated verifiably pseudo-randomly.
-These files can be converted into C code using the B<-C> option of the
-L<dhparam(1)|dhparam(1)> application.
-Authors may also generate their own set of parameters using
-L<dhparam(1)|dhparam(1)>, but a user may not be sure how the parameters were
-generated. The generation of DH parameters during installation is therefore
-recommended.
-
-An application may either directly specify the DH parameters or
-can supply the DH parameters via a callback function. The callback approach
-has the advantage, that the callback may supply DH parameters for different
-key lengths.
-
-The B<tmp_dh_callback> is called with the B<keylength> needed and
-the B<is_export> information. The B<is_export> flag is set, when the
-ephemeral DH key exchange is performed with an export cipher.
-
-=head1 EXAMPLES
-
-Handle DH parameters for key lengths of 512 and 1024 bits. (Error handling
-partly left out.)
-
- ...
- /* Set up ephemeral DH stuff */
- DH *dh_512 = NULL;
- DH *dh_1024 = NULL;
- FILE *paramfile;
-
- ...
- /* "openssl dhparam -out dh_param_512.pem -2 512" */
- paramfile = fopen("dh_param_512.pem", "r");
- if (paramfile) {
-   dh_512 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
-   fclose(paramfile);
- }
- /* "openssl dhparam -out dh_param_1024.pem -2 1024" */
- paramfile = fopen("dh_param_1024.pem", "r");
- if (paramfile) {
-   dh_1024 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
-   fclose(paramfile);
- }
- ...
-
- /* "openssl dhparam -C -2 512" etc... */
- DH *get_dh512() { ... }
- DH *get_dh1024() { ... }
-
- DH *tmp_dh_callback(SSL *s, int is_export, int keylength)
- {
-    DH *dh_tmp=NULL;
-
-    switch (keylength) {
-    case 512:
-      if (!dh_512)
-        dh_512 = get_dh512();
-      dh_tmp = dh_512;
-      break;
-    case 1024:
-      if (!dh_1024) 
-        dh_1024 = get_dh1024();
-      dh_tmp = dh_1024;
-      break;
-    default:
-      /* Generating a key on the fly is very costly, so use what is there */
-      setup_dh_parameters_like_above();
-    }
-    return(dh_tmp);
- }
-
-=head1 RETURN VALUES
-
-SSL_CTX_set_tmp_dh_callback() and SSL_set_tmp_dh_callback() do not return
-diagnostic output.
-
-SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() do return 1 on success and 0
-on failure. Check the error queue to find out the reason of failure.
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>, L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
-L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
-L<ciphers(1)|ciphers(1)>, L<dhparam(1)|dhparam(1)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
deleted file mode 100644
index f85775927dda..000000000000
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
+++ /dev/null
@@ -1,166 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_CTX_set_tmp_rsa_callback, SSL_CTX_set_tmp_rsa, SSL_CTX_need_tmp_rsa, SSL_set_tmp_rsa_callback, SSL_set_tmp_rsa, SSL_need_tmp_rsa - handle RSA keys for ephemeral key exchange
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
-            RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength));
- long SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, RSA *rsa);
- long SSL_CTX_need_tmp_rsa(SSL_CTX *ctx);
-
- void SSL_set_tmp_rsa_callback(SSL_CTX *ctx,
-            RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength));
- long SSL_set_tmp_rsa(SSL *ssl, RSA *rsa)
- long SSL_need_tmp_rsa(SSL *ssl)
-
- RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength));
-
-=head1 DESCRIPTION
-
-SSL_CTX_set_tmp_rsa_callback() sets the callback function for B<ctx> to be
-used when a temporary/ephemeral RSA key is required to B<tmp_rsa_callback>.
-The callback is inherited by all SSL objects newly created from B<ctx>
-with <SSL_new(3)|SSL_new(3)>. Already created SSL objects are not affected.
-
-SSL_CTX_set_tmp_rsa() sets the temporary/ephemeral RSA key to be used to be
-B<rsa>. The key is inherited by all SSL objects newly created from B<ctx>
-with <SSL_new(3)|SSL_new(3)>. Already created SSL objects are not affected.
-
-SSL_CTX_need_tmp_rsa() returns 1, if a temporary/ephemeral RSA key is needed
-for RSA-based strength-limited 'exportable' ciphersuites because a RSA key
-with a keysize larger than 512 bits is installed.
-
-SSL_set_tmp_rsa_callback() sets the callback only for B<ssl>.
-
-SSL_set_tmp_rsa() sets the key only for B<ssl>.
-
-SSL_need_tmp_rsa() returns 1, if a temporary/ephemeral RSA key is needed,
-for RSA-based strength-limited 'exportable' ciphersuites because a RSA key
-with a keysize larger than 512 bits is installed.
-
-These functions apply to SSL/TLS servers only.
-
-=head1 NOTES
-
-When using a cipher with RSA authentication, an ephemeral RSA key exchange
-can take place. In this case the session data are negotiated using the
-ephemeral/temporary RSA key and the RSA key supplied and certified
-by the certificate chain is only used for signing.
-
-Under previous export restrictions, ciphers with RSA keys shorter (512 bits)
-than the usual key length of 1024 bits were created. To use these ciphers
-with RSA keys of usual length, an ephemeral key exchange must be performed,
-as the normal (certified) key cannot be directly used.
-
-Using ephemeral RSA key exchange yields forward secrecy, as the connection
-can only be decrypted, when the RSA key is known. By generating a temporary
-RSA key inside the server application that is lost when the application
-is left, it becomes impossible for an attacker to decrypt past sessions,
-even if he gets hold of the normal (certified) RSA key, as this key was
-used for signing only. The downside is that creating a RSA key is
-computationally expensive.
-
-Additionally, the use of ephemeral RSA key exchange is only allowed in
-the TLS standard, when the RSA key can be used for signing only, that is
-for export ciphers. Using ephemeral RSA key exchange for other purposes
-violates the standard and can break interoperability with clients.
-It is therefore strongly recommended to not use ephemeral RSA key
-exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead
-in order to achieve forward secrecy (see
-L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
-
-On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
-and must be explicitly enabled  using the SSL_OP_EPHEMERAL_RSA option of
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL
-standard. When ephemeral RSA key exchange is required for export ciphers,
-it will automatically be used without this option!
-
-An application may either directly specify the key or can supply the key via
-a callback function. The callback approach has the advantage, that the
-callback may generate the key only in case it is actually needed. As the
-generation of a RSA key is however costly, it will lead to a significant
-delay in the handshake procedure.  Another advantage of the callback function
-is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
-usage) while the explicit setting of the key is only useful for key size of
-512 bits to satisfy the export restricted ciphers and does give away key length
-if a longer key would be allowed.
-
-The B<tmp_rsa_callback> is called with the B<keylength> needed and
-the B<is_export> information. The B<is_export> flag is set, when the
-ephemeral RSA key exchange is performed with an export cipher.
-
-=head1 EXAMPLES
-
-Generate temporary RSA keys to prepare ephemeral RSA key exchange. As the
-generation of a RSA key costs a lot of computer time, they saved for later
-reuse. For demonstration purposes, two keys for 512 bits and 1024 bits
-respectively are generated.
-
- ...
- /* Set up ephemeral RSA stuff */
- RSA *rsa_512 = NULL;
- RSA *rsa_1024 = NULL;
-
- rsa_512 = RSA_generate_key(512,RSA_F4,NULL,NULL);
- if (rsa_512 == NULL)
-     evaluate_error_queue();
-
- rsa_1024 = RSA_generate_key(1024,RSA_F4,NULL,NULL);
- if (rsa_1024 == NULL)
-   evaluate_error_queue();
-
- ...
-
- RSA *tmp_rsa_callback(SSL *s, int is_export, int keylength)
- {
-    RSA *rsa_tmp=NULL;
-
-    switch (keylength) {
-    case 512:
-      if (rsa_512)
-        rsa_tmp = rsa_512;
-      else { /* generate on the fly, should not happen in this example */
-        rsa_tmp = RSA_generate_key(keylength,RSA_F4,NULL,NULL);
-        rsa_512 = rsa_tmp; /* Remember for later reuse */
-      }
-      break;
-    case 1024:
-      if (rsa_1024)
-        rsa_tmp=rsa_1024;
-      else
-        should_not_happen_in_this_example();
-      break;
-    default:
-      /* Generating a key on the fly is very costly, so use what is there */
-      if (rsa_1024)
-        rsa_tmp=rsa_1024;
-      else
-        rsa_tmp=rsa_512; /* Use at least a shorter key */
-    }
-    return(rsa_tmp);
- }
-
-=head1 RETURN VALUES
-
-SSL_CTX_set_tmp_rsa_callback() and SSL_set_tmp_rsa_callback() do not return
-diagnostic output.
-
-SSL_CTX_set_tmp_rsa() and SSL_set_tmp_rsa() do return 1 on success and 0
-on failure. Check the error queue to find out the reason of failure.
-
-SSL_CTX_need_tmp_rsa() and SSL_need_tmp_rsa() return 1 if a temporary
-RSA key is needed and 0 otherwise.
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>, L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
-L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>,
-L<SSL_new(3)|SSL_new(3)>, L<ciphers(1)|ciphers(1)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_alert_type_string.pod b/crypto/openssl/doc/ssl/SSL_alert_type_string.pod
deleted file mode 100644
index 783758943d1b..000000000000
--- a/crypto/openssl/doc/ssl/SSL_alert_type_string.pod
+++ /dev/null
@@ -1,228 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_alert_type_string, SSL_alert_type_string_long, SSL_alert_desc_string, SSL_alert_desc_string_long - get textual description of alert information
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- char *SSL_alert_type_string(int value);
- char *SSL_alert_type_string_long(int value);
-
- char *SSL_alert_desc_string(int value);
- char *SSL_alert_desc_string_long(int value);
-
-=head1 DESCRIPTION
-
-SSL_alert_type_string() returns a one letter string indicating the
-type of the alert specified by B<value>.
-
-SSL_alert_type_string_long() returns a string indicating the type of the alert
-specified by B<value>.
-
-SSL_alert_desc_string() returns a two letter string as a short form
-describing the reason of the alert specified by B<value>.
-
-SSL_alert_desc_string_long() returns a string describing the reason
-of the alert specified by B<value>.
-
-=head1 NOTES
-
-When one side of an SSL/TLS communication wants to inform the peer about
-a special situation, it sends an alert. The alert is sent as a special message
-and does not influence the normal data stream (unless its contents results
-in the communication being canceled).
-
-A warning alert is sent, when a non-fatal error condition occurs. The
-"close notify" alert is sent as a warning alert. Other examples for
-non-fatal errors are certificate errors ("certificate expired",
-"unsupported certificate"), for which a warning alert may be sent.
-(The sending party may however decide to send a fatal error.) The
-receiving side may cancel the connection on reception of a warning
-alert on it discretion.
-
-Several alert messages must be sent as fatal alert messages as specified
-by the TLS RFC. A fatal alert always leads to a connection abort.
-
-=head1 RETURN VALUES
-
-The following strings can occur for SSL_alert_type_string() or
-SSL_alert_type_string_long():
-
-=over 4
-
-=item "W"/"warning"
-
-=item "F"/"fatal"
-
-=item "U"/"unknown"
-
-This indicates that no support is available for this alert type.
-Probably B<value> does not contain a correct alert message.
-
-=back
-
-The following strings can occur for SSL_alert_desc_string() or
-SSL_alert_desc_string_long():
-
-=over 4
-
-=item "CN"/"close notify"
-
-The connection shall be closed. This is a warning alert.
-
-=item "UM"/"unexpected message"
-
-An inappropriate message was received. This alert is always fatal
-and should never be observed in communication between proper
-implementations.
-
-=item "BM"/"bad record mac"
-
-This alert is returned if a record is received with an incorrect
-MAC. This message is always fatal.
-
-=item "DF"/"decompression failure"
-
-The decompression function received improper input (e.g. data
-that would expand to excessive length). This message is always
-fatal.
-
-=item "HF"/"handshake failure"
-
-Reception of a handshake_failure alert message indicates that the
-sender was unable to negotiate an acceptable set of security
-parameters given the options available. This is a fatal error.
-
-=item "NC"/"no certificate"
-
-A client, that was asked to send a certificate, does not send a certificate
-(SSLv3 only).
-
-=item "BC"/"bad certificate"
-
-A certificate was corrupt, contained signatures that did not
-verify correctly, etc
-
-=item "UC"/"unsupported certificate"
-
-A certificate was of an unsupported type.
-
-=item "CR"/"certificate revoked"
-
-A certificate was revoked by its signer.
-
-=item "CE"/"certificate expired"
-
-A certificate has expired or is not currently valid.
-
-=item "CU"/"certificate unknown"
-
-Some other (unspecified) issue arose in processing the
-certificate, rendering it unacceptable.
-
-=item "IP"/"illegal parameter"
-
-A field in the handshake was out of range or inconsistent with
-other fields. This is always fatal.
-
-=item "DC"/"decryption failed"
-
-A TLSCiphertext decrypted in an invalid way: either it wasn't an
-even multiple of the block length or its padding values, when
-checked, weren't correct. This message is always fatal.
-
-=item "RO"/"record overflow"
-
-A TLSCiphertext record was received which had a length more than
-2^14+2048 bytes, or a record decrypted to a TLSCompressed record
-with more than 2^14+1024 bytes. This message is always fatal.
-
-=item "CA"/"unknown CA"
-
-A valid certificate chain or partial chain was received, but the
-certificate was not accepted because the CA certificate could not
-be located or couldn't be matched with a known, trusted CA.  This
-message is always fatal.
-
-=item "AD"/"access denied"
-
-A valid certificate was received, but when access control was
-applied, the sender decided not to proceed with negotiation.
-This message is always fatal.
-
-=item "DE"/"decode error"
-
-A message could not be decoded because some field was out of the
-specified range or the length of the message was incorrect. This
-message is always fatal.
-
-=item "CY"/"decrypt error"
-
-A handshake cryptographic operation failed, including being
-unable to correctly verify a signature, decrypt a key exchange,
-or validate a finished message.
-
-=item "ER"/"export restriction"
-
-A negotiation not in compliance with export restrictions was
-detected; for example, attempting to transfer a 1024 bit
-ephemeral RSA key for the RSA_EXPORT handshake method. This
-message is always fatal.
-
-=item "PV"/"protocol version"
-
-The protocol version the client has attempted to negotiate is
-recognized, but not supported. (For example, old protocol
-versions might be avoided for security reasons). This message is
-always fatal.
-
-=item "IS"/"insufficient security"
-
-Returned instead of handshake_failure when a negotiation has
-failed specifically because the server requires ciphers more
-secure than those supported by the client. This message is always
-fatal.
-
-=item "IE"/"internal error"
-
-An internal error unrelated to the peer or the correctness of the
-protocol makes it impossible to continue (such as a memory
-allocation failure). This message is always fatal.
-
-=item "US"/"user canceled"
-
-This handshake is being canceled for some reason unrelated to a
-protocol failure. If the user cancels an operation after the
-handshake is complete, just closing the connection by sending a
-close_notify is more appropriate. This alert should be followed
-by a close_notify. This message is generally a warning.
-
-=item "NR"/"no renegotiation"
-
-Sent by the client in response to a hello request or by the
-server in response to a client hello after initial handshaking.
-Either of these would normally lead to renegotiation; when that
-is not appropriate, the recipient should respond with this alert;
-at that point, the original requester can decide whether to
-proceed with the connection. One case where this would be
-appropriate would be where a server has spawned a process to
-satisfy a request; the process might receive security parameters
-(key length, authentication, etc.) at startup and it might be
-difficult to communicate changes to these parameters after that
-point. This message is always a warning.
-
-=item "UK"/"unknown"
-
-This indicates that no description is available for this alert type.
-Probably B<value> does not contain a correct alert message.
-
-=back
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>, L<SSL_CTX_set_info_callback(3)|SSL_CTX_set_info_callback(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_get_SSL_CTX.pod b/crypto/openssl/doc/ssl/SSL_get_SSL_CTX.pod
deleted file mode 100644
index 52d0227b193d..000000000000
--- a/crypto/openssl/doc/ssl/SSL_get_SSL_CTX.pod
+++ /dev/null
@@ -1,26 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_get_SSL_CTX - get the SSL_CTX from which an SSL is created
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
-
-=head1 DESCRIPTION
-
-SSL_get_SSL_CTX() returns a pointer to the SSL_CTX object, from which
-B<ssl> was created with L<SSL_new(3)|SSL_new(3)>.
-
-=head1 RETURN VALUES
-
-The pointer to the SSL_CTX object is returned.
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_get_default_timeout.pod b/crypto/openssl/doc/ssl/SSL_get_default_timeout.pod
deleted file mode 100644
index 8d43b31345df..000000000000
--- a/crypto/openssl/doc/ssl/SSL_get_default_timeout.pod
+++ /dev/null
@@ -1,41 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_get_default_timeout - get default session timeout value
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- long SSL_get_default_timeout(SSL *ssl);
-
-=head1 DESCRIPTION
-
-SSL_get_default_timeout() returns the default timeout value assigned to
-SSL_SESSION objects negotiated for the protocol valid for B<ssl>.
-
-=head1 NOTES
-
-Whenever a new session is negotiated, it is assigned a timeout value,
-after which it will not be accepted for session reuse. If the timeout
-value was not explicitly set using
-L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>, the hardcoded default
-timeout for the protocol will be used.
-
-SSL_get_default_timeout() return this hardcoded value, which is 300 seconds
-for all currently supported protocols (SSLv2, SSLv3, and TLSv1).
-
-=head1 RETURN VALUES
-
-See description.
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>,
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
-L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
-L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
-L<SSL_get_default_timeout(3)|SSL_get_default_timeout(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_rstate_string.pod b/crypto/openssl/doc/ssl/SSL_rstate_string.pod
deleted file mode 100644
index 6dbbb99b9358..000000000000
--- a/crypto/openssl/doc/ssl/SSL_rstate_string.pod
+++ /dev/null
@@ -1,59 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_rstate_string, SSL_rstate_string_long - get textual description of state of an SSL object during read operation
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- char *SSL_rstate_string(SSL *ssl);
- char *SSL_rstate_string_long(SSL *ssl);
-
-=head1 DESCRIPTION
-
-SSL_rstate_string() returns a 2 letter string indicating the current read state
-of the SSL object B<ssl>.
-
-SSL_rstate_string_long() returns a string indicating the current read state of
-the SSL object B<ssl>.
-
-=head1 NOTES
-
-When performing a read operation, the SSL/TLS engine must parse the record,
-consisting of header and body. When working in a blocking environment,
-SSL_rstate_string[_long]() should always return "RD"/"read done".
-
-This function should only seldom be needed in applications.
-
-=head1 RETURN VALUES
-
-SSL_rstate_string() and SSL_rstate_string_long() can return the following
-values:
-
-=over 4
-
-=item "RH"/"read header"
-
-The header of the record is being evaluated.
-
-=item "RB"/"read body"
-
-The body of the record is being evaluated.
-
-=item "RD"/"read done"
-
-The record has been completely processed.
-
-=item "unknown"/"unknown"
-
-The read state is unknown. This should never happen.
-
-=back
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_session_reused.pod b/crypto/openssl/doc/ssl/SSL_session_reused.pod
deleted file mode 100644
index da7d06264d04..000000000000
--- a/crypto/openssl/doc/ssl/SSL_session_reused.pod
+++ /dev/null
@@ -1,45 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_session_reused - query whether a reused session was negotiated during handshake
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- int SSL_session_reused(SSL *ssl);
-
-=head1 DESCRIPTION
-
-Query, whether a reused session was negotiated during the handshake.
-
-=head1 NOTES
-
-During the negotiation, a client can propose to reuse a session. The server
-then looks up the session in its cache. If both client and server agree
-on the session, it will be reused and a flag is being set that can be
-queried by the application.
-
-=head1 RETURN VALUES
-
-The following return values can occur:
-
-=over 4
-
-=item 0
-
-A new session was negotiated.
-
-=item 1
-
-A session was reused.
-
-=back
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
-L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_state_string.pod b/crypto/openssl/doc/ssl/SSL_state_string.pod
deleted file mode 100644
index 440459514160..000000000000
--- a/crypto/openssl/doc/ssl/SSL_state_string.pod
+++ /dev/null
@@ -1,45 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_state_string, SSL_state_string_long - get textual description of state of an SSL object
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- char *SSL_state_string(SSL *ssl);
- char *SSL_state_string_long(SSL *ssl);
-
-=head1 DESCRIPTION
-
-SSL_state_string() returns a 6 letter string indicating the current state
-of the SSL object B<ssl>.
-
-SSL_state_string_long() returns a string indicating the current state of
-the SSL object B<ssl>.
-
-=head1 NOTES
-
-During its use, an SSL objects passes several states. The state is internally
-maintained. Querying the state information is not very informative before
-or when a connection has been established. It however can be of significant
-interest during the handshake.
-
-When using non-blocking sockets, the function call performing the handshake
-may return with SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE condition,
-so that SSL_state_string[_long]() may be called.
-
-For both blocking or non-blocking sockets, the details state information
-can be used within the info_callback function set with the
-SSL_set_info_callback() call.
-
-=head1 RETURN VALUES
-
-Detailed description of possible states to be included later.
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>, L<SSL_CTX_set_info_callback(3)|SSL_CTX_set_info_callback(3)>
-
-=cut
diff --git a/crypto/openssl/doc/ssl/SSL_want.pod b/crypto/openssl/doc/ssl/SSL_want.pod
deleted file mode 100644
index 50cc89db80b9..000000000000
--- a/crypto/openssl/doc/ssl/SSL_want.pod
+++ /dev/null
@@ -1,77 +0,0 @@
-=pod
-
-=head1 NAME
-
-SSL_want, SSL_want_nothing, SSL_want_read, SSL_want_write, SSL_want_x509_lookup - obtain state information TLS/SSL I/O operation
-
-=head1 SYNOPSIS
-
- #include <openssl/ssl.h>
-
- int SSL_want(SSL *ssl);
- int SSL_want_nothing(SSL *ssl);
- int SSL_want_read(SSL *ssl);
- int SSL_want_write(SSL *ssl);
- int SSL_want_x509_lookup(SSL *ssl);
-
-=head1 DESCRIPTION
-
-SSL_want() returns state information for the SSL object B<ssl>.
-
-The other SSL_want_*() calls are shortcuts for the possible states returned
-by SSL_want().
-
-=head1 NOTES
-
-SSL_want() examines the internal state information of the SSL object. Its
-return values are similar to that of L<SSL_get_error(3)|SSL_get_error(3)>.
-Unlike L<SSL_get_error(3)|SSL_get_error(3)>, which also evaluates the
-error queue, the results are obtained by examining an internal state flag
-only. The information must therefore only be used for normal operation under
-non-blocking I/O. Error conditions are not handled and must be treated
-using L<SSL_get_error(3)|SSL_get_error(3)>.
-
-The result returned by SSL_want() should always be consistent with
-the result of L<SSL_get_error(3)|SSL_get_error(3)>.
-
-=head1 RETURN VALUES
-
-The following return values can currently occur for SSL_want():
-
-=over 4
-
-=item SSL_NOTHING
-
-There is no data to be written or to be read.
-
-=item SSL_WRITING
-
-There are data in the SSL buffer that must be written to the underlying
-B<BIO> layer in order to complete the actual SSL_*() operation.
-A call to L<SSL_get_error(3)|SSL_get_error(3)> should return
-SSL_ERROR_WANT_WRITE.
-
-=item SSL_READING
-
-More data must be read from the underlying B<BIO> layer in order to
-complete the actual SSL_*() operation.
-A call to L<SSL_get_error(3)|SSL_get_error(3)> should return
-SSL_ERROR_WANT_READ.
-
-=item SSL_X509_LOOKUP
-
-The operation did not complete because an application callback set by
-SSL_CTX_set_client_cert_cb() has asked to be called again.
-A call to L<SSL_get_error(3)|SSL_get_error(3)> should return
-SSL_ERROR_WANT_X509_LOOKUP.
-
-=back
-
-SSL_want_nothing(), SSL_want_read(), SSL_want_write(), SSL_want_x509_lookup()
-return 1, when the corresponding condition is true or 0 otherwise.
-
-=head1 SEE ALSO
-
-L<ssl(3)|ssl(3)>, L<err(3)|err(3)>, L<SSL_get_error(3)|SSL_get_error(3)>
-
-=cut
diff --git a/crypto/openssl/tools/c89.sh b/crypto/openssl/tools/c89.sh
deleted file mode 100755
index b25c9fda2df1..000000000000
--- a/crypto/openssl/tools/c89.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh -k
-#
-# Re-order arguments so that -L comes first
-#
-opts=""
-lopts=""
-        
-for arg in $* ; do
-  case $arg in
-    -L*) lopts="$lopts $arg" ;;
-    *) opts="$opts $arg" ;;
-  esac
-done
-
-c89 $lopts $opts
diff --git a/lib/libstand/bzlib.h.diff b/lib/libstand/bzlib.h.diff
deleted file mode 100644
index ef6c4da16f49..000000000000
--- a/lib/libstand/bzlib.h.diff
+++ /dev/null
@@ -1,15 +0,0 @@
-$FreeBSD$
-
---- bzlib.h	2002/02/01 15:20:44	1.1
-+++ bzlib.h	2002/02/01 15:20:49
-@@ -110,8 +110,10 @@
- #define BZ_EXPORT
- #endif
- 
-+#ifndef BZ_NO_STDIO
- /* Need a definitition for FILE */
- #include <stdio.h>
-+#endif
- 
- #ifdef _WIN32
- #   include <windows.h>
diff --git a/lib/libstand/bzlib_private.h.diff b/lib/libstand/bzlib_private.h.diff
deleted file mode 100644
index 240eb8e56895..000000000000
--- a/lib/libstand/bzlib_private.h.diff
+++ /dev/null
@@ -1,13 +0,0 @@
-$FreeBSD$
-
---- bzlib_private.h	2002/02/01 15:41:26	1.1
-+++ bzlib_private.h	2002/02/01 15:41:46
-@@ -70,7 +70,7 @@
- #include <string.h>
- #endif
- 
--#include "bzlib.h"
-+#include "_bzlib.h"
- 
- 
- 
diff --git a/usr.bin/bzip2/doc/manual.texi.diff b/usr.bin/bzip2/doc/manual.texi.diff
deleted file mode 100644
index 0c14f6307b58..000000000000
--- a/usr.bin/bzip2/doc/manual.texi.diff
+++ /dev/null
@@ -1,22 +0,0 @@
-$FreeBSD$
-
---- manual.texi	2002/02/01 16:00:45	1.1
-+++ manual.texi	2002/02/01 16:01:11
-@@ -46,8 +46,6 @@
- find it identical to that contained in the file LICENSE in the 
- source distribution.
- 
--@bf{------------------ START OF THE LICENSE ------------------}
--
- This program, @code{bzip2}, 
- and associated library @code{libbzip2}, are
- Copyright (C) 1996-2002 Julian R Seward.  All rights reserved.
-@@ -89,8 +87,6 @@
- @code{jseward@@acm.org}
- 
- @code{bzip2}/@code{libbzip2} version 1.0.2 of 30 December 2001.
--
--@bf{------------------ END OF THE LICENSE ------------------}
- 
- Web sites:
-