Vendor import of OpenSSL 0.9.7e.

5 files changed, 31 insertions, 9 deletions

diff --git a/crypto/openssl/doc/apps/enc.pod b/crypto/openssl/doc/apps/enc.pod
index ddf0816..18fe7c8 100644
--- a/crypto/openssl/doc/apps/enc.pod
+++ b/crypto/openssl/doc/apps/enc.pod
@@ -86,7 +86,7 @@ versions of OpenSSL. Superseded by the B<-pass> argument.
 =item B<-kfile filename>
 
 read the password to derive the key from the first line of B<filename>.
-This is for computability with previous versions of OpenSSL. Superseded by
+This is for compatibility with previous versions of OpenSSL. Superseded by
 the B<-pass> argument.
 
 =item B<-S salt>
diff --git a/crypto/openssl/doc/crypto/BN_num_bytes.pod b/crypto/openssl/doc/crypto/BN_num_bytes.pod
index 61589fb..a6a2e3f 100644
--- a/crypto/openssl/doc/crypto/BN_num_bytes.pod
+++ b/crypto/openssl/doc/crypto/BN_num_bytes.pod
@@ -16,8 +16,14 @@ BN_num_bits, BN_num_bytes, BN_num_bits_word - get BIGNUM size
 
 =head1 DESCRIPTION
 
-These functions return the size of a B<BIGNUM> in bytes or bits,
-and the size of an unsigned integer in bits.
+BN_num_bytes() returns the size of a B<BIGNUM> in bytes.
+
+BN_num_bits_word() returns the number of significant bits in a word.
+If we take 0x00000432 as an example, it returns 11, not 16, not 32.
+Basically, except for a zero, it returns I<floor(log2(w))+1>.
+
+BN_num_bits() returns the number of significant bits in a B<BIGNUM>,
+following the same principle as BN_num_bits_word().
 
 BN_num_bytes() is a macro.
 
@@ -25,9 +31,23 @@ BN_num_bytes() is a macro.
 
 The size.
 
+=head1 NOTES
+
+Some have tried using BN_num_bits() on individual numbers in RSA keys,
+DH keys and DSA keys, and found that they don't always come up with
+the number of bits they expected (something like 512, 1024, 2048,
+...).  This is because generating a number with some specific number
+of bits doesn't always set the highest bits, thereby making the number
+of I<significant> bits a little lower.  If you want to know the "key
+size" of such a key, either use functions like RSA_size(), DH_size()
+and DSA_size(), or use BN_num_bytes() and multiply with 8 (although
+there's no real guarantee that will match the "key size", just a lot
+more probability).
+
 =head1 SEE ALSO
 
-L<bn(3)|bn(3)>
+L<bn(3)|bn(3)>, L<DH_size(3)|DH_size(3)>, L<DSA_size(3)|DSA_size(3)>,
+L<RSA_size(3)|RSA_size(3)>
 
 =head1 HISTORY
 
diff --git a/crypto/openssl/doc/crypto/RSA_public_encrypt.pod b/crypto/openssl/doc/crypto/RSA_public_encrypt.pod
index d53e19d..ab0fe3b 100644
--- a/crypto/openssl/doc/crypto/RSA_public_encrypt.pod
+++ b/crypto/openssl/doc/crypto/RSA_public_encrypt.pod
@@ -47,9 +47,10 @@ Encrypting user data directly with RSA is insecure.
 =back
 
 B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
-based padding modes, and less than RSA_size(B<rsa>) - 41 for
-RSA_PKCS1_OAEP_PADDING. The random number generator must be seeded
-prior to calling RSA_public_encrypt().
+based padding modes, less than RSA_size(B<rsa>) - 41 for
+RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING.
+The random number generator must be seeded prior to calling
+RSA_public_encrypt().
 
 RSA_private_decrypt() decrypts the B<flen> bytes at B<from> using the
 private key B<rsa> and stores the plaintext in B<to>. B<to> must point
diff --git a/crypto/openssl/doc/crypto/pem.pod b/crypto/openssl/doc/crypto/pem.pod
index 8613114..4f9a27d 100644
--- a/crypto/openssl/doc/crypto/pem.pod
+++ b/crypto/openssl/doc/crypto/pem.pod
@@ -471,6 +471,6 @@ is guaranteed to work.
 =head1 RETURN CODES
 
 The read routines return either a pointer to the structure read or NULL
-is an error occurred.
+if an error occurred.
 
 The write routines return 1 for success or 0 for failure.
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod
index 5949395..58fc685 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod
@@ -46,7 +46,8 @@ B<SSL_MAX_SSL_SESSION_ID_LENGTH>.
 
 =head1 WARNINGS
 
-If the session id context is not set on an SSL/TLS server, stored sessions
+If the session id context is not set on an SSL/TLS server and client
+certificates are used, stored sessions
 will not be reused but a fatal error will be flagged and the handshake
 will fail.