Merge OpenSSL 1.0.1c.

Approved by:	benl (maintainer)

48 files changed, 3387 insertions, 477 deletions

diff --git a/secure/usr.bin/openssl/Makefile b/secure/usr.bin/openssl/Makefile
index 8166254..89deb68 100644
--- a/secure/usr.bin/openssl/Makefile
+++ b/secure/usr.bin/openssl/Makefile
@@ -10,15 +10,15 @@ LDADD=	-lssl -lcrypto
 .endif
 .include "../../lib/libcrypto/Makefile.inc"
 
-CFLAGS+= -DMONOLITH -I${.CURDIR}
+CFLAGS+=-DMONOLITH -I${.CURDIR}
 
 SRCS+=	app_rand.c apps.c asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c \
-	dgst.c dh.c dhparam.c dsa.c dsaparam.c ec.c ecparam.c enc.c \
-	engine.c errstr.c \
-	gendh.c gendsa.c genrsa.c nseq.c ocsp.c openssl.c passwd.c \
-	pkcs12.c pkcs7.c pkcs8.c prime.c rand.c req.c rsa.c rsautl.c s_cb.c \
-	s_client.c s_server.c s_socket.c s_time.c sess_id.c smime.c \
-	speed.c spkac.c verify.c version.c x509.c
+	dgst.c dh.c dhparam.c dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c \
+	errstr.c gendh.c gendsa.c genpkey.c genrsa.c nseq.c ocsp.c openssl.c \
+	passwd.c pkcs12.c pkcs7.c pkcs8.c pkey.c pkeyparam.c pkeyutl.c \
+	prime.c rand.c req.c rsa.c rsautl.c s_cb.c s_client.c s_server.c \
+	s_socket.c s_time.c sess_id.c smime.c speed.c spkac.c srp.c ts.c \
+	verify.c version.c x509.c
 
 .include <bsd.prog.mk>
 
diff --git a/secure/usr.bin/openssl/Makefile.man b/secure/usr.bin/openssl/Makefile.man
index b87642f..5903f66 100644
--- a/secure/usr.bin/openssl/Makefile.man
+++ b/secure/usr.bin/openssl/Makefile.man
@@ -4,6 +4,7 @@ MAN+= CA.pl.1
 MAN+= asn1parse.1
 MAN+= ca.1
 MAN+= ciphers.1
+MAN+= cms.1
 MAN+= crl.1
 MAN+= crl2pkcs7.1
 MAN+= dgst.1
@@ -15,6 +16,7 @@ MAN+= ecparam.1
 MAN+= enc.1
 MAN+= errstr.1
 MAN+= gendsa.1
+MAN+= genpkey.1
 MAN+= genrsa.1
 MAN+= nseq.1
 MAN+= ocsp.1
@@ -23,6 +25,9 @@ MAN+= passwd.1
 MAN+= pkcs12.1
 MAN+= pkcs7.1
 MAN+= pkcs8.1
+MAN+= pkey.1
+MAN+= pkeyparam.1
+MAN+= pkeyutl.1
 MAN+= rand.1
 MAN+= req.1
 MAN+= rsa.1
@@ -34,6 +39,8 @@ MAN+= sess_id.1
 MAN+= smime.1
 MAN+= speed.1
 MAN+= spkac.1
+MAN+= ts.1
+MAN+= tsget.1
 MAN+= verify.1
 MAN+= version.1
 MAN+= x509.1
diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1
index 9b8a3b8..f7f4ca3 100644
--- a/secure/usr.bin/openssl/man/CA.pl.1
+++ b/secure/usr.bin/openssl/man/CA.pl.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CA.PL 1"
-.TH CA.PL 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH CA.PL 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/asn1parse.1 b/secure/usr.bin/openssl/man/asn1parse.1
index c630c49..461e7b0 100644
--- a/secure/usr.bin/openssl/man/asn1parse.1
+++ b/secure/usr.bin/openssl/man/asn1parse.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ASN1PARSE 1"
-.TH ASN1PARSE 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH ASN1PARSE 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -186,11 +186,11 @@ option can be used multiple times to \*(L"drill down\*(R" into a nested structur
 .IP "\fB\-genstr string\fR, \fB\-genconf file\fR" 4
 .IX Item "-genstr string, -genconf file"
 generate encoded data based on \fBstring\fR, \fBfile\fR or both using
-\&\fIASN1_generate_nconf()\fR format. If \fBfile\fR only is present then the string
-is obtained from the default section using the name \fBasn1\fR. The encoded
-data is passed through the \s-1ASN1\s0 parser and printed out as though it came
-from a file, the contents can thus be examined and written to a file
-using the \fBout\fR option.
+\&\fIASN1_generate_nconf\fR\|(3) format. If \fBfile\fR only is
+present then the string is obtained from the default section using the name
+\&\fBasn1\fR. The encoded data is passed through the \s-1ASN1\s0 parser and printed out as
+though it came from a file, the contents can thus be examined and written to a
+file using the \fBout\fR option.
 .SS "\s-1OUTPUT\s0"
 .IX Subsection "OUTPUT"
 The output will typically contain lines like this:
@@ -292,3 +292,6 @@ Example config file:
 .IX Header "BUGS"
 There should be options to change the format of output lines. The output of some
 \&\s-1ASN\s0.1 types is not well handled (if at all).
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIASN1_generate_nconf\fR\|(3)
diff --git a/secure/usr.bin/openssl/man/ca.1 b/secure/usr.bin/openssl/man/ca.1
index df41661..0aee071 100644
--- a/secure/usr.bin/openssl/man/ca.1
+++ b/secure/usr.bin/openssl/man/ca.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CA 1"
-.TH CA 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH CA 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -303,7 +303,9 @@ the section of the configuration file containing certificate extensions
 to be added when a certificate is issued (defaults to \fBx509_extensions\fR
 unless the \fB\-extfile\fR option is used). If no extension section is
 present then, a V1 certificate is created. If the extension section
-is present (even if it is empty), then a V3 certificate is created.
+is present (even if it is empty), then a V3 certificate is created. See the:w
+\&\fIx509v3_config\fR\|(5) manual page for details of the
+extension section format.
 .IP "\fB\-extfile file\fR" 4
 .IX Item "-extfile file"
 an additional configuration file to read certificate extensions from
@@ -311,7 +313,7 @@ an additional configuration file to read certificate extensions from
 used).
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBca\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -379,7 +381,9 @@ include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is
 created, if the \s-1CRL\s0 extension section is present (even if it is
 empty) then a V2 \s-1CRL\s0 is created. The \s-1CRL\s0 extensions specified are
 \&\s-1CRL\s0 extensions and \fBnot\fR \s-1CRL\s0 entry extensions.  It should be noted
-that some software (for example Netscape) can't handle V2 CRLs.
+that some software (for example Netscape) can't handle V2 CRLs. See
+\&\fIx509v3_config\fR\|(5) manual page for details of the
+extension section format.
 .SH "CONFIGURATION FILE OPTIONS"
 .IX Header "CONFIGURATION FILE OPTIONS"
 The section of the configuration file containing options for \fBca\fR
@@ -724,4 +728,4 @@ then even if a certificate is issued with \s-1CA:TRUE\s0 it will not be valid.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIreq\fR\|(1), \fIspkac\fR\|(1), \fIx509\fR\|(1), \s-1\fICA\s0.pl\fR\|(1),
-\&\fIconfig\fR\|(5)
+\&\fIconfig\fR\|(5), \fIx509v3_config\fR\|(5)
diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1
index 6a4e76c..3fa96b6 100644
--- a/secure/usr.bin/openssl/man/ciphers.1
+++ b/secure/usr.bin/openssl/man/ciphers.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CIPHERS 1"
-.TH CIPHERS 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH CIPHERS 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -135,26 +135,30 @@ ciphers \- SSL cipher display and cipher list tool.
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBciphers\fR
 [\fB\-v\fR]
+[\fB\-V\fR]
 [\fB\-ssl2\fR]
 [\fB\-ssl3\fR]
 [\fB\-tls1\fR]
 [\fBcipherlist\fR]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-The \fBcipherlist\fR command converts OpenSSL cipher lists into ordered
+The \fBciphers\fR command converts textual OpenSSL cipher lists into ordered
 \&\s-1SSL\s0 cipher preference lists. It can be used as a test tool to determine
 the appropriate cipherlist.
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
 .IP "\fB\-v\fR" 4
 .IX Item "-v"
-verbose option. List ciphers with a complete description of
+Verbose option. List ciphers with a complete description of
 protocol version (SSLv2 or SSLv3; the latter includes \s-1TLS\s0), key exchange,
 authentication, encryption and mac algorithms used along with any key size
 restrictions and whether the algorithm is classed as an \*(L"export\*(R" cipher.
 Note that without the \fB\-v\fR option, ciphers may seem to appear twice
 in a cipher list; this is when similar ciphers are available for
 \&\s-1SSL\s0 v2 and for \s-1SSL\s0 v3/TLS v1.
+.IP "\fB\-V\fR" 4
+.IX Item "-V"
+Like \fB\-V\fR, but include cipher suite codes in output (hex format).
 .IP "\fB\-ssl3\fR" 4
 .IX Item "-ssl3"
 only include \s-1SSL\s0 v3 ciphers.
@@ -215,8 +219,8 @@ the current cipher list in order of encryption algorithm key length.
 The following is a list of all permitted cipher strings and their meanings.
 .IP "\fB\s-1DEFAULT\s0\fR" 4
 .IX Item "DEFAULT"
-the default cipher list. This is determined at compile time and is normally
-\&\fB\s-1AES:ALL:\s0!aNULL:!eNULL:+RC4:@STRENGTH\fR. This must be the first cipher string
+the default cipher list. This is determined at compile time and, as of OpenSSL
+1.0.0, is normally \fB\s-1ALL:\s0!aNULL:!eNULL\fR. This must be the first cipher string
 specified.
 .IP "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4
 .IX Item "COMPLEMENTOFDEFAULT"
@@ -225,7 +229,8 @@ this is \fB\s-1ADH\s0\fR. Note that this rule does not cover \fBeNULL\fR, which
 not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if necessary).
 .IP "\fB\s-1ALL\s0\fR" 4
 .IX Item "ALL"
-all ciphers suites except the \fBeNULL\fR ciphers which must be explicitly enabled.
+all cipher suites except the \fBeNULL\fR ciphers which must be explicitly enabled;
+as of OpenSSL, the \fB\s-1ALL\s0\fR cipher suites are reasonably ordered by default
 .IP "\fB\s-1COMPLEMENTOFALL\s0\fR" 4
 .IX Item "COMPLEMENTOFALL"
 the cipher suites not enabled by \fB\s-1ALL\s0\fR, currently being \fBeNULL\fR.
@@ -324,6 +329,26 @@ cipher suites using \s-1MD5\s0.
 .IP "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4
 .IX Item "SHA1, SHA"
 cipher suites using \s-1SHA1\s0.
+.IP "\fBaGOST\fR" 4
+.IX Item "aGOST"
+cipher suites using \s-1GOST\s0 R 34.10 (either 2001 or 94) for authenticaction
+(needs an engine supporting \s-1GOST\s0 algorithms).
+.IP "\fBaGOST01\fR" 4
+.IX Item "aGOST01"
+cipher suites using \s-1GOST\s0 R 34.10\-2001 authentication.
+.IP "\fBaGOST94\fR" 4
+.IX Item "aGOST94"
+cipher suites using \s-1GOST\s0 R 34.10\-94 authentication (note that R 34.10\-94
+standard has been expired so use \s-1GOST\s0 R 34.10\-2001)
+.IP "\fBkGOST\fR" 4
+.IX Item "kGOST"
+cipher suites, using \s-1VKO\s0 34.10 key exchange, specified in the \s-1RFC\s0 4357.
+.IP "\fB\s-1GOST94\s0\fR" 4
+.IX Item "GOST94"
+cipher suites, using \s-1HMAC\s0 based on \s-1GOST\s0 R 34.11\-94.
+.IP "\fB\s-1GOST89MAC\s0\fR" 4
+.IX Item "GOST89MAC"
+cipher suites using \s-1GOST\s0 28147\-89 \s-1MAC\s0 \fBinstead of\fR \s-1HMAC\s0.
 .SH "CIPHER SUITE NAMES"
 .IX Header "CIPHER SUITE NAMES"
 The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the
@@ -451,6 +476,17 @@ e.g. \s-1DES\-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
 \&
 \& TLS_DH_anon_WITH_SEED_CBC_SHA          ADH\-SEED\-SHA
 .Ve
+.SS "\s-1GOST\s0 ciphersuites from draft-chudov-cryptopro-cptls, extending \s-1TLS\s0 v1.0"
+.IX Subsection "GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0"
+Note: these ciphers require an engine which including \s-1GOST\s0 cryptographic
+algorithms, such as the \fBccgost\fR engine, included in the OpenSSL distribution.
+.PP
+.Vb 4
+\& TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94\-GOST89\-GOST89
+\& TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001\-GOST89\-GOST89
+\& TLS_GOSTR341094_WITH_NULL_GOSTR3411 GOST94\-NULL\-GOST94
+\& TLS_GOSTR341001_WITH_NULL_GOSTR3411 GOST2001\-NULL\-GOST94
+.Ve
 .SS "Additional Export 1024 and other cipher suites"
 .IX Subsection "Additional Export 1024 and other cipher suites"
 Note: these ciphers can also be used in \s-1SSL\s0 v3.
@@ -518,5 +554,6 @@ encryption.
 \&\fIs_client\fR\|(1), \fIs_server\fR\|(1), \fIssl\fR\|(3)
 .SH "HISTORY"
 .IX Header "HISTORY"
-The \fB\s-1COMPLENTOFALL\s0\fR and \fB\s-1COMPLEMENTOFDEFAULT\s0\fR selection options were
-added in version 0.9.7.
+The \fB\s-1COMPLENTOFALL\s0\fR and \fB\s-1COMPLEMENTOFDEFAULT\s0\fR selection options
+for cipherlist strings were added in OpenSSL 0.9.7.
+The \fB\-V\fR option for the \fBciphers\fR command was added in OpenSSL 1.0.0.
diff --git a/secure/usr.bin/openssl/man/cms.1 b/secure/usr.bin/openssl/man/cms.1
new file mode 100644
index 0000000..3adc736
--- /dev/null
+++ b/secure/usr.bin/openssl/man/cms.1
@@ -0,0 +1,677 @@
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.22)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.el \{\
+.    de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "CMS 1"
+.TH CMS 1 "2012-05-10" "1.0.1c" "OpenSSL"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+cms \- CMS utility
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBcms\fR
+[\fB\-encrypt\fR]
+[\fB\-decrypt\fR]
+[\fB\-sign\fR]
+[\fB\-verify\fR]
+[\fB\-cmsout\fR]
+[\fB\-resign\fR]
+[\fB\-data_create\fR]
+[\fB\-data_out\fR]
+[\fB\-digest_create\fR]
+[\fB\-digest_verify\fR]
+[\fB\-compress\fR]
+[\fB\-uncompress\fR]
+[\fB\-EncryptedData_encrypt\fR]
+[\fB\-sign_receipt\fR]
+[\fB\-verify_receipt receipt\fR]
+[\fB\-in filename\fR]
+[\fB\-inform SMIME|PEM|DER\fR]
+[\fB\-rctform SMIME|PEM|DER\fR]
+[\fB\-out filename\fR]
+[\fB\-outform SMIME|PEM|DER\fR]
+[\fB\-stream \-indef \-noindef\fR]
+[\fB\-noindef\fR]
+[\fB\-content filename\fR]
+[\fB\-text\fR]
+[\fB\-noout\fR]
+[\fB\-print\fR]
+[\fB\-CAfile file\fR]
+[\fB\-CApath dir\fR]
+[\fB\-md digest\fR]
+[\fB\-[cipher]\fR]
+[\fB\-nointern\fR]
+[\fB\-no_signer_cert_verify\fR]
+[\fB\-nocerts\fR]
+[\fB\-noattr\fR]
+[\fB\-nosmimecap\fR]
+[\fB\-binary\fR]
+[\fB\-nodetach\fR]
+[\fB\-certfile file\fR]
+[\fB\-certsout file\fR]
+[\fB\-signer file\fR]
+[\fB\-recip file\fR]
+[\fB\-keyid\fR]
+[\fB\-receipt_request_all \-receipt_request_first\fR]
+[\fB\-receipt_request_from emailaddress\fR]
+[\fB\-receipt_request_to emailaddress\fR]
+[\fB\-receipt_request_print\fR]
+[\fB\-secretkey key\fR]
+[\fB\-secretkeyid id\fR]
+[\fB\-econtent_type type\fR]
+[\fB\-inkey file\fR]
+[\fB\-passin arg\fR]
+[\fB\-rand file(s)\fR]
+[\fBcert.pem...\fR]
+[\fB\-to addr\fR]
+[\fB\-from addr\fR]
+[\fB\-subject subj\fR]
+[cert.pem]...
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBcms\fR command handles S/MIME v3.1 mail. It can encrypt, decrypt, sign and
+verify, compress and uncompress S/MIME messages.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+There are fourteen operation options that set the type of operation to be
+performed. The meaning of the other options varies according to the operation
+type.
+.IP "\fB\-encrypt\fR" 4
+.IX Item "-encrypt"
+encrypt mail for the given recipient certificates. Input file is the message
+to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format. The
+actual \s-1CMS\s0 type is <B>EnvelopedData<B>.
+.IP "\fB\-decrypt\fR" 4
+.IX Item "-decrypt"
+decrypt mail using the supplied certificate and private key. Expects an
+encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail
+is written to the output file.
+.IP "\fB\-sign\fR" 4
+.IX Item "-sign"
+sign mail using the supplied certificate and private key. Input file is
+the message to be signed. The signed message in \s-1MIME\s0 format is written
+to the output file.
+.IP "\fB\-verify\fR" 4
+.IX Item "-verify"
+verify signed mail. Expects a signed mail message on input and outputs
+the signed data. Both clear text and opaque signing is supported.
+.IP "\fB\-cmsout\fR" 4
+.IX Item "-cmsout"
+takes an input message and writes out a \s-1PEM\s0 encoded \s-1CMS\s0 structure.
+.IP "\fB\-resign\fR" 4
+.IX Item "-resign"
+resign a message: take an existing message and one or more new signers.
+.IP "\fB\-data_create\fR" 4
+.IX Item "-data_create"
+Create a \s-1CMS\s0 \fBData\fR type.
+.IP "\fB\-data_out\fR" 4
+.IX Item "-data_out"
+\&\fBData\fR type and output the content.
+.IP "\fB\-digest_create\fR" 4
+.IX Item "-digest_create"
+Create a \s-1CMS\s0 \fBDigestedData\fR type.
+.IP "\fB\-digest_verify\fR" 4
+.IX Item "-digest_verify"
+Verify a \s-1CMS\s0 \fBDigestedData\fR type and output the content.
+.IP "\fB\-compress\fR" 4
+.IX Item "-compress"
+Create a \s-1CMS\s0 \fBCompressedData\fR type. OpenSSL must be compiled with \fBzlib\fR
+support for this option to work, otherwise it will output an error.
+.IP "\fB\-uncompress\fR" 4
+.IX Item "-uncompress"
+Uncompress a \s-1CMS\s0 \fBCompressedData\fR type and output the content. OpenSSL must be
+compiled with \fBzlib\fR support for this option to work, otherwise it will
+output an error.
+.IP "\fB\-EncryptedData_encrypt\fR" 4
+.IX Item "-EncryptedData_encrypt"
+Encrypt suppled content using supplied symmetric key and algorithm using a \s-1CMS\s0
+\&\fBEncrytedData\fR type and output the content.
+.IP "\fB\-sign_receipt\fR" 4
+.IX Item "-sign_receipt"
+Generate and output a signed receipt for the supplied message. The input 
+message \fBmust\fR contain a signed receipt request. Functionality is otherwise
+similar to the \fB\-sign\fR operation.
+.IP "\fB\-verify_receipt receipt\fR" 4
+.IX Item "-verify_receipt receipt"
+Verify a signed receipt in filename \fBreceipt\fR. The input message \fBmust\fR 
+contain the original receipt request. Functionality is otherwise similar
+to the \fB\-verify\fR operation.
+.IP "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+the input message to be encrypted or signed or the message to be decrypted
+or verified.
+.IP "\fB\-inform SMIME|PEM|DER\fR" 4
+.IX Item "-inform SMIME|PEM|DER"
+this specifies the input format for the \s-1CMS\s0 structure. The default
+is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
+format change this to expect \s-1PEM\s0 and \s-1DER\s0 format \s-1CMS\s0 structures
+instead. This currently only affects the input format of the \s-1CMS\s0
+structure, if no \s-1CMS\s0 structure is being input (for example with
+\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect.
+.IP "\fB\-rctform SMIME|PEM|DER\fR" 4
+.IX Item "-rctform SMIME|PEM|DER"
+specify the format for a signed receipt for use with the \fB\-receipt_verify\fR
+operation.
+.IP "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+the message text that has been decrypted or verified or the output \s-1MIME\s0
+format message that has been signed or verified.
+.IP "\fB\-outform SMIME|PEM|DER\fR" 4
+.IX Item "-outform SMIME|PEM|DER"
+this specifies the output format for the \s-1CMS\s0 structure. The default
+is \fB\s-1SMIME\s0\fR which writes an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
+format change this to write \s-1PEM\s0 and \s-1DER\s0 format \s-1CMS\s0 structures
+instead. This currently only affects the output format of the \s-1CMS\s0
+structure, if no \s-1CMS\s0 structure is being output (for example with
+\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect.
+.IP "\fB\-stream \-indef \-noindef\fR" 4
+.IX Item "-stream -indef -noindef"
+the \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O
+for encoding operations. This permits single pass processing of data without
+the need to hold the entire contents in memory, potentially supporting very
+large files. Streaming is automatically set for S/MIME signing with detached
+data if the output format is \fB\s-1SMIME\s0\fR it is currently off by default for all
+other operations.
+.IP "\fB\-noindef\fR" 4
+.IX Item "-noindef"
+disable streaming I/O where it would produce and indefinite length constructed
+encoding. This option currently has no effect. In future streaming will be
+enabled by default on all relevant operations and this option will disable it.
+.IP "\fB\-content filename\fR" 4
+.IX Item "-content filename"
+This specifies a file containing the detached content, this is only
+useful with the \fB\-verify\fR command. This is only usable if the \s-1CMS\s0
+structure is using the detached signature form where the content is
+not included. This option will override any content if the input format
+is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
+.IP "\fB\-text\fR" 4
+.IX Item "-text"
+this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
+message if encrypting or signing. If decrypting or verifying it strips
+off text headers: if the decrypted or verified message is not of \s-1MIME\s0 
+type text/plain then an error occurs.
+.IP "\fB\-noout\fR" 4
+.IX Item "-noout"
+for the \fB\-cmsout\fR operation do not output the parsed \s-1CMS\s0 structure. This
+is useful when combined with the \fB\-print\fR option or if the syntax of the \s-1CMS\s0
+structure is being checked.
+.IP "\fB\-print\fR" 4
+.IX Item "-print"
+for the \fB\-cmsout\fR operation print out all fields of the \s-1CMS\s0 structure. This
+is mainly useful for testing purposes.
+.IP "\fB\-CAfile file\fR" 4
+.IX Item "-CAfile file"
+a file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR.
+.IP "\fB\-CApath dir\fR" 4
+.IX Item "-CApath dir"
+a directory containing trusted \s-1CA\s0 certificates, only used with
+\&\fB\-verify\fR. This directory must be a standard certificate directory: that
+is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
+to each certificate.
+.IP "\fB\-md digest\fR" 4
+.IX Item "-md digest"
+digest algorithm to use when signing or resigning. If not present then the
+default digest algorithm for the signing key will be used (usually \s-1SHA1\s0).
+.IP "\fB\-[cipher]\fR" 4
+.IX Item "-[cipher]"
+the encryption algorithm to use. For example triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR
+or 256 bit \s-1AES\s0 \- \fB\-aes256\fR. Any standard algorithm name (as used by the
+\&\fIEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for 
+example \fB\-aes_128_cbc\fR. See \fBenc\fR for a list of ciphers
+supported by your version of OpenSSL.
+.Sp
+If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR and 
+\&\fB\-EncryptedData_create\fR commands.
+.IP "\fB\-nointern\fR" 4
+.IX Item "-nointern"
+when verifying a message normally certificates (if any) included in
+the message are searched for the signing certificate. With this option
+only the certificates specified in the \fB\-certfile\fR option are used.
+The supplied certificates can still be used as untrusted CAs however.
+.IP "\fB\-no_signer_cert_verify\fR" 4
+.IX Item "-no_signer_cert_verify"
+do not verify the signers certificate of a signed message.
+.IP "\fB\-nocerts\fR" 4
+.IX Item "-nocerts"
+when signing a message the signer's certificate is normally included
+with this option it is excluded. This will reduce the size of the
+signed message but the verifier must have a copy of the signers certificate
+available locally (passed using the \fB\-certfile\fR option for example).
+.IP "\fB\-noattr\fR" 4
+.IX Item "-noattr"
+normally when a message is signed a set of attributes are included which
+include the signing time and supported symmetric algorithms. With this
+option they are not included.
+.IP "\fB\-nosmimecap\fR" 4
+.IX Item "-nosmimecap"
+exclude the list of supported algorithms from signed attributes, other options
+such as signing time and content type are still included.
+.IP "\fB\-binary\fR" 4
+.IX Item "-binary"
+normally the input message is converted to \*(L"canonical\*(R" format which is
+effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME
+specification. When this option is present no translation occurs. This
+is useful when handling binary data which may not be in \s-1MIME\s0 format.
+.IP "\fB\-nodetach\fR" 4
+.IX Item "-nodetach"
+when signing a message use opaque signing: this form is more resistant
+to translation by mail relays but it cannot be read by mail agents that
+do not support S/MIME.  Without this option cleartext signing with
+the \s-1MIME\s0 type multipart/signed is used.
+.IP "\fB\-certfile file\fR" 4
+.IX Item "-certfile file"
+allows additional certificates to be specified. When signing these will
+be included with the message. When verifying these will be searched for
+the signers certificates. The certificates should be in \s-1PEM\s0 format.
+.IP "\fB\-certsout file\fR" 4
+.IX Item "-certsout file"
+any certificates contained in the message are written to \fBfile\fR.
+.IP "\fB\-signer file\fR" 4
+.IX Item "-signer file"
+a signing certificate when signing or resigning a message, this option can be
+used multiple times if more than one signer is required. If a message is being
+verified then the signers certificates will be written to this file if the
+verification was successful.
+.IP "\fB\-recip file\fR" 4
+.IX Item "-recip file"
+the recipients certificate when decrypting a message. This certificate
+must match one of the recipients of the message or an error occurs.
+.IP "\fB\-keyid\fR" 4
+.IX Item "-keyid"
+use subject key identifier to identify certificates instead of issuer name and
+serial number. The supplied certificate \fBmust\fR include a subject key
+identifier extension. Supported by \fB\-sign\fR and \fB\-encrypt\fR options.
+.IP "\fB\-receipt_request_all \-receipt_request_first\fR" 4
+.IX Item "-receipt_request_all -receipt_request_first"
+for \fB\-sign\fR option include a signed receipt request. Indicate requests should
+be provided by all receipient or first tier recipients (those mailed directly
+and not from a mailing list). Ignored it \fB\-receipt_request_from\fR is included.
+.IP "\fB\-receipt_request_from emailaddress\fR" 4
+.IX Item "-receipt_request_from emailaddress"
+for \fB\-sign\fR option include a signed receipt request. Add an explicit email
+address where receipts should be supplied.
+.IP "\fB\-receipt_request_to emailaddress\fR" 4
+.IX Item "-receipt_request_to emailaddress"
+Add an explicit email address where signed receipts should be sent to. This 
+option \fBmust\fR but supplied if a signed receipt it requested.
+.IP "\fB\-receipt_request_print\fR" 4
+.IX Item "-receipt_request_print"
+For the \fB\-verify\fR operation print out the contents of any signed receipt
+requests.
+.IP "\fB\-secretkey key\fR" 4
+.IX Item "-secretkey key"
+specify symmetric key to use. The key must be supplied in hex format and be
+consistent with the algorithm used. Supported by the \fB\-EncryptedData_encrypt\fR
+\&\fB\-EncrryptedData_decrypt\fR, \fB\-encrypt\fR and \fB\-decrypt\fR options. When used
+with \fB\-encrypt\fR or \fB\-decrypt\fR the supplied key is used to wrap or unwrap the
+content encryption key using an \s-1AES\s0 key in the \fBKEKRecipientInfo\fR type.
+.IP "\fB\-secretkeyid id\fR" 4
+.IX Item "-secretkeyid id"
+the key identifier for the supplied symmetric key for \fBKEKRecipientInfo\fR type.
+This option \fBmust\fR be present if the \fB\-secretkey\fR option is used with
+\&\fB\-encrypt\fR. With \fB\-decrypt\fR operations the \fBid\fR is used to locate the
+relevant key if it is not supplied then an attempt is used to decrypt any
+\&\fBKEKRecipientInfo\fR structures.
+.IP "\fB\-econtent_type type\fR" 4
+.IX Item "-econtent_type type"
+set the encapsulated content type to \fBtype\fR if not supplied the \fBData\fR type
+is used. The \fBtype\fR argument can be any valid \s-1OID\s0 name in either text or
+numerical format.
+.IP "\fB\-inkey file\fR" 4
+.IX Item "-inkey file"
+the private key to use when signing or decrypting. This must match the
+corresponding certificate. If this option is not specified then the
+private key must be included in the certificate file specified with
+the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used
+multiple times to specify successive keys.
+.IP "\fB\-passin arg\fR" 4
+.IX Item "-passin arg"
+the private key password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-rand file(s)\fR" 4
+.IX Item "-rand file(s)"
+a file or files containing random data used to seed the random number
+generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+all others.
+.IP "\fBcert.pem...\fR" 4
+.IX Item "cert.pem..."
+one or more certificates of message recipients: used when encrypting
+a message.
+.IP "\fB\-to, \-from, \-subject\fR" 4
+.IX Item "-to, -from, -subject"
+the relevant mail headers. These are included outside the signed
+portion of a message so they may be included manually. If signing
+then many S/MIME mail clients check the signers certificate's email
+address matches that specified in the From: address.
+.IP "\fB\-purpose, \-ignore_critical, \-issuer_checks, \-crl_check, \-crl_check_all, \-policy_check, \-extended_crl, \-x509_strict, \-policy \-check_ss_sig\fR" 4
+.IX Item "-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig"
+Set various certificate chain valiadition option. See the
+\&\fBverify\fR manual page for details.
+.SH "NOTES"
+.IX Header "NOTES"
+The \s-1MIME\s0 message must be sent without any blank lines between the
+headers and the output. Some mail programs will automatically add
+a blank line. Piping the mail directly to sendmail is one way to
+achieve the correct format.
+.PP
+The supplied message to be signed or encrypted must include the
+necessary \s-1MIME\s0 headers or many S/MIME clients wont display it
+properly (if at all). You can use the \fB\-text\fR option to automatically
+add plain text headers.
+.PP
+A \*(L"signed and encrypted\*(R" message is one where a signed message is
+then encrypted. This can be produced by encrypting an already signed
+message: see the examples section.
+.PP
+This version of the program only allows one signer per message but it
+will verify multiple signers on received messages. Some S/MIME clients
+choke if a message contains multiple signers. It is possible to sign
+messages \*(L"in parallel\*(R" by signing an already signed message.
+.PP
+The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME
+clients. Strictly speaking these process \s-1CMS\s0 enveloped data: \s-1CMS\s0
+encrypted data is used for other purposes.
+.PP
+The \fB\-resign\fR option uses an existing message digest when adding a new
+signer. This means that attributes must be present in at least one existing
+signer using the same message digest or this operation will fail.
+.PP
+The \fB\-stream\fR and \fB\-indef\fR options enable experimental streaming I/O support.
+As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding
+and no longer \s-1DER\s0. Streaming is supported for the \fB\-encrypt\fR operation and the
+\&\fB\-sign\fR operation if the content is not detached.
+.PP
+Streaming is always used for the \fB\-sign\fR operation with detached data but
+since the content is no longer part of the \s-1CMS\s0 structure the encoding
+remains \s-1DER\s0.
+.SH "EXIT CODES"
+.IX Header "EXIT CODES"
+.IP "0" 4
+the operation was completely successfully.
+.IP "1" 4
+.IX Item "1"
+an error occurred parsing the command options.
+.IP "2" 4
+.IX Item "2"
+one of the input files could not be read.
+.IP "3" 4
+.IX Item "3"
+an error occurred creating the \s-1CMS\s0 file or when reading the \s-1MIME\s0
+message.
+.IP "4" 4
+.IX Item "4"
+an error occurred decrypting or verifying the message.
+.IP "5" 4
+.IX Item "5"
+the message was verified correctly but an error occurred writing out
+the signers certificates.
+.SH "COMPATIBILITY WITH PKCS#7 format."
+.IX Header "COMPATIBILITY WITH PKCS#7 format."
+The \fBsmime\fR utility can only process the older \fBPKCS#7\fR format. The \fBcms\fR
+utility supports Cryptographic Message Syntax format. Use of some features
+will result in messages which cannot be processed by applications which only
+support the older format. These are detailed below.
+.PP
+The use of the \fB\-keyid\fR option with \fB\-sign\fR or \fB\-encrypt\fR.
+.PP
+The \fB\-outform \s-1PEM\s0\fR option uses different headers.
+.PP
+The \fB\-compress\fR option.
+.PP
+The \fB\-secretkey\fR option when used with \fB\-encrypt\fR.
+.PP
+Additionally the \fB\-EncryptedData_create\fR and \fB\-data_create\fR type cannot
+be processed by the older \fBsmime\fR command.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Create a cleartext signed message:
+.PP
+.Vb 2
+\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e
+\&        \-signer mycert.pem
+.Ve
+.PP
+Create an opaque signed message
+.PP
+.Vb 2
+\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \-nodetach \e
+\&        \-signer mycert.pem
+.Ve
+.PP
+Create a signed message, include some additional certificates and
+read the private key from another file:
+.PP
+.Vb 2
+\& openssl cms \-sign \-in in.txt \-text \-out mail.msg \e
+\&        \-signer mycert.pem \-inkey mykey.pem \-certfile mycerts.pem
+.Ve
+.PP
+Create a signed message with two signers, use key identifier:
+.PP
+.Vb 2
+\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e
+\&        \-signer mycert.pem \-signer othercert.pem \-keyid
+.Ve
+.PP
+Send a signed message under Unix directly to sendmail, including headers:
+.PP
+.Vb 3
+\& openssl cms \-sign \-in in.txt \-text \-signer mycert.pem \e
+\&        \-from steve@openssl.org \-to someone@somewhere \e
+\&        \-subject "Signed message" | sendmail someone@somewhere
+.Ve
+.PP
+Verify a message and extract the signer's certificate if successful:
+.PP
+.Vb 1
+\& openssl cms \-verify \-in mail.msg \-signer user.pem \-out signedtext.txt
+.Ve
+.PP
+Send encrypted mail using triple \s-1DES:\s0
+.PP
+.Vb 3
+\& openssl cms \-encrypt \-in in.txt \-from steve@openssl.org \e
+\&        \-to someone@somewhere \-subject "Encrypted message" \e
+\&        \-des3 user.pem \-out mail.msg
+.Ve
+.PP
+Sign and encrypt mail:
+.PP
+.Vb 4
+\& openssl cms \-sign \-in ml.txt \-signer my.pem \-text \e
+\&        | openssl cms \-encrypt \-out mail.msg \e
+\&        \-from steve@openssl.org \-to someone@somewhere \e
+\&        \-subject "Signed and Encrypted message" \-des3 user.pem
+.Ve
+.PP
+Note: the encryption command does not include the \fB\-text\fR option because the
+message being encrypted already has \s-1MIME\s0 headers.
+.PP
+Decrypt mail:
+.PP
+.Vb 1
+\& openssl cms \-decrypt \-in mail.msg \-recip mycert.pem \-inkey key.pem
+.Ve
+.PP
+The output from Netscape form signing is a PKCS#7 structure with the
+detached signature format. You can use this program to verify the
+signature by line wrapping the base64 encoded structure and surrounding
+it with:
+.PP
+.Vb 2
+\& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\-
+\& \-\-\-\-\-END PKCS7\-\-\-\-\-
+.Ve
+.PP
+and using the command,
+.PP
+.Vb 1
+\& openssl cms \-verify \-inform PEM \-in signature.pem \-content content.txt
+.Ve
+.PP
+alternatively you can base64 decode the signature and use
+.PP
+.Vb 1
+\& openssl cms \-verify \-inform DER \-in signature.der \-content content.txt
+.Ve
+.PP
+Create an encrypted message using 128 bit Camellia:
+.PP
+.Vb 1
+\& openssl cms \-encrypt \-in plain.txt \-camellia128 \-out mail.msg cert.pem
+.Ve
+.PP
+Add a signer to an existing message:
+.PP
+.Vb 1
+\& openssl cms \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg
+.Ve
+.SH "BUGS"
+.IX Header "BUGS"
+The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've
+thrown at it but it may choke on others.
+.PP
+The code currently will only write out the signer's certificate to a file: if
+the signer has a separate encryption certificate this must be manually
+extracted. There should be some heuristic that determines the correct
+encryption certificate.
+.PP
+Ideally a database should be maintained of a certificates for each email
+address.
+.PP
+The code doesn't currently take note of the permitted symmetric encryption
+algorithms as supplied in the SMIMECapabilities signed attribute. this means the
+user has to manually include the correct encryption algorithm. It should store
+the list of permitted ciphers in a database and only use those.
+.PP
+No revocation checking is done on the signer's certificate.
+.SH "HISTORY"
+.IX Header "HISTORY"
+The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first
+added in OpenSSL 1.0.0
diff --git a/secure/usr.bin/openssl/man/config.1 b/secure/usr.bin/openssl/man/config.1
deleted file mode 100644
index b6d8584..0000000
--- a/secure/usr.bin/openssl/man/config.1
+++ /dev/null
@@ -1,282 +0,0 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Sun Jan 12 18:05:02 2003
-.\"
-.\" Standard preamble:
-.\" ======================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-
-.fi
-..
-.\" Set up some character translations and predefined strings.  \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
-.tr \(*W-|\(bv\*(Tr
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-.    ds -- \(*W-
-.    ds PI pi
-.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
-.    ds L" ""
-.    ds R" ""
-.    ds C` ""
-.    ds C' ""
-'br\}
-.el\{\
-.    ds -- \|\(em\|
-.    ds PI \(*p
-.    ds L" ``
-.    ds R" ''
-'br\}
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
-.if \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
-..
-.    nr % 0
-.    rr F
-.\}
-.\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
-.hy 0
-.if n .na
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
-.    \" fudge factors for nroff and troff
-.if n \{\
-.    ds #H 0
-.    ds #V .8m
-.    ds #F .3m
-.    ds #[ \f1
-.    ds #] \fP
-.\}
-.if t \{\
-.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-.    ds #V .6m
-.    ds #F 0
-.    ds #[ \&
-.    ds #] \&
-.\}
-.    \" simple accents for nroff and troff
-.if n \{\
-.    ds ' \&
-.    ds ` \&
-.    ds ^ \&
-.    ds , \&
-.    ds ~ ~
-.    ds /
-.\}
-.if t \{\
-.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-.    \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-.    \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-.    \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-.    ds : e
-.    ds 8 ss
-.    ds o a
-.    ds d- d\h'-1'\(ga
-.    ds D- D\h'-1'\(hy
-.    ds th \o'bp'
-.    ds Th \o'LP'
-.    ds ae ae
-.    ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ======================================================================
-.\"
-.IX Title "config 3"
-.TH config 3 "0.9.7" "2003-01-12" "OpenSSL"
-.UC
-.SH "NAME"
-config \- OpenSSL \s-1CONF\s0 library configuration files
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The OpenSSL \s-1CONF\s0 library can be used to read configuration files.
-It is used for the OpenSSL master configuration file \fBopenssl.cnf\fR
-and in a few other places like \fB\s-1SPKAC\s0\fR files and certificate extension
-files for the \fBx509\fR utility.
-.PP
-A configuration file is divided into a number of sections. Each section
-starts with a line \fB[ section_name ]\fR and ends when a new section is
-started or end of file is reached. A section name can consist of
-alphanumeric characters and underscores.
-.PP
-The first section of a configuration file is special and is referred
-to as the \fBdefault\fR section this is usually unnamed and is from the
-start of file until the first named section. When a name is being looked up
-it is first looked up in a named section (if any) and then the
-default section.
-.PP
-The environment is mapped onto a section called \fB\s-1ENV\s0\fR.
-.PP
-Comments can be included by preceding them with the \fB#\fR character
-.PP
-Each section in a configuration file consists of a number of name and
-value pairs of the form \fBname=value\fR
-.PP
-The \fBname\fR string can contain any alphanumeric characters as well as
-a few punctuation symbols such as \fB.\fR \fB,\fR \fB;\fR and \fB_\fR.
-.PP
-The \fBvalue\fR string consists of the string following the \fB=\fR character
-until end of line with any leading and trailing white space removed.
-.PP
-The value string undergoes variable expansion. This can be done by
-including the form \fB$var\fR or \fB${var}\fR: this will substitute the value
-of the named variable in the current section. It is also possible to
-substitute a value from another section using the syntax \fB$section::name\fR
-or \fB${section::name}\fR. By using the form \fB$ENV::name\fR environment
-variables can be substituted. It is also possible to assign values to
-environment variables by using the name \fB\s-1ENV:\s0:name\fR, this will work
-if the program looks up environment variables using the \fB\s-1CONF\s0\fR library
-instead of calling \fB\f(BIgetenv()\fB\fR directly.
-.PP
-It is possible to escape certain characters by using any kind of quote
-or the \fB\e\fR character. By making the last character of a line a \fB\e\fR
-a \fBvalue\fR string can be spread across multiple lines. In addition
-the sequences \fB\en\fR, \fB\er\fR, \fB\eb\fR and \fB\et\fR are recognized.
-.SH "NOTES"
-.IX Header "NOTES"
-If a configuration file attempts to expand a variable that doesn't exist
-then an error is flagged and the file will not load. This can happen
-if an attempt is made to expand an environment variable that doesn't
-exist. For example the default OpenSSL master configuration file used
-the value of \fB\s-1HOME\s0\fR which may not be defined on non Unix systems.
-.PP
-This can be worked around by including a \fBdefault\fR section to provide
-a default value: then if the environment lookup fails the default value
-will be used instead. For this to work properly the default value must
-be defined earlier in the configuration file than the expansion. See
-the \fB\s-1EXAMPLES\s0\fR section for an example of how to do this.
-.PP
-If the same variable exists in the same section then all but the last
-value will be silently ignored. In certain circumstances such as with
-DNs the same field may occur multiple times. This is usually worked
-around by ignoring any characters before an initial \fB.\fR e.g.
-.PP
-.Vb 2
-\& 1.OU="My first OU"
-\& 2.OU="My Second OU"
-.Ve
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Here is a sample configuration file using some of the features
-mentioned above.
-.PP
-.Vb 1
-\& # This is the default section.
-.Ve
-.Vb 3
-\& HOME=/temp
-\& RANDFILE= ${ENV::HOME}/.rnd
-\& configdir=$ENV::HOME/config
-.Ve
-.Vb 1
-\& [ section_one ]
-.Ve
-.Vb 1
-\& # We are now in section one.
-.Ve
-.Vb 2
-\& # Quotes permit leading and trailing whitespace
-\& any = " any variable name "
-.Ve
-.Vb 3
-\& other = A string that can \e
-\& cover several lines \e
-\& by including \e\e characters
-.Ve
-.Vb 1
-\& message = Hello World\en
-.Ve
-.Vb 1
-\& [ section_two ]
-.Ve
-.Vb 1
-\& greeting = $section_one::message
-.Ve
-This next example shows how to expand environment variables safely.
-.PP
-Suppose you want a variable called \fBtmpfile\fR to refer to a
-temporary filename. The directory it is placed in can determined by
-the the \fB\s-1TEMP\s0\fR or \fB\s-1TMP\s0\fR environment variables but they may not be
-set to any value at all. If you just include the environment variable
-names and the variable doesn't exist then this will cause an error when
-an attempt is made to load the configuration file. By making use of the
-default section both values can be looked up with \fB\s-1TEMP\s0\fR taking 
-priority and \fB/tmp\fR used if neither is defined:
-.PP
-.Vb 5
-\& TMP=/tmp
-\& # The above value is used if TMP isn't in the environment
-\& TEMP=$ENV::TMP
-\& # The above value is used if TEMP isn't in the environment
-\& tmpfile=${ENV::TEMP}/tmp.filename
-.Ve
-.SH "BUGS"
-.IX Header "BUGS"
-Currently there is no way to include characters using the octal \fB\ennn\fR
-form. Strings are all null terminated so nulls cannot form part of
-the value.
-.PP
-The escaping isn't quite right: if you want to use sequences like \fB\en\fR
-you can't use any quote escaping on the same line.
-.PP
-Files are loaded in a single pass. This means that an variable expansion
-will only work if the variables referenced are defined earlier in the
-file.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-x509(1), req(1), ca(1)
diff --git a/secure/usr.bin/openssl/man/crl.1 b/secure/usr.bin/openssl/man/crl.1
index cf49f2a..bf7b539 100644
--- a/secure/usr.bin/openssl/man/crl.1
+++ b/secure/usr.bin/openssl/man/crl.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CRL 1"
-.TH CRL 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH CRL 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/crl2pkcs7.1 b/secure/usr.bin/openssl/man/crl2pkcs7.1
index 59b20e1..94d7915 100644
--- a/secure/usr.bin/openssl/man/crl2pkcs7.1
+++ b/secure/usr.bin/openssl/man/crl2pkcs7.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "CRL2PKCS7 1"
-.TH CRL2PKCS7 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH CRL2PKCS7 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/dgst.1 b/secure/usr.bin/openssl/man/dgst.1
index fd40ca4..d332e12 100644
--- a/secure/usr.bin/openssl/man/dgst.1
+++ b/secure/usr.bin/openssl/man/dgst.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DGST 1"
-.TH DGST 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH DGST 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -141,6 +141,7 @@ dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 \- message digests
 [\fB\-binary\fR]
 [\fB\-out filename\fR]
 [\fB\-sign filename\fR]
+[\fB\-keyform arg\fR]
 [\fB\-passin arg\fR]
 [\fB\-verify filename\fR]
 [\fB\-prverify filename\fR]
@@ -178,6 +179,19 @@ filename to output to, or standard output by default.
 .IP "\fB\-sign filename\fR" 4
 .IX Item "-sign filename"
 digitally sign the digest using the private key in \*(L"filename\*(R".
+.IP "\fB\-keyform arg\fR" 4
+.IX Item "-keyform arg"
+Specifies the key format to sign digest with. Only \s-1PEM\s0 and \s-1ENGINE\s0
+formats are supported by the \fBdgst\fR command.
+.IP "\fB\-engine id\fR" 4
+.IX Item "-engine id"
+Use engine \fBid\fR for operations (including private key storage).
+This engine is not used as source for digest algorithms, unless it is
+also specified in the configuration file.
+.IP "\fB\-sigopt nm:v\fR" 4
+.IX Item "-sigopt nm:v"
+Pass options to the signature algorithm during sign or verify operations.
+Names and values of these options are algorithm-specific.
 .IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the private key password source. For more information about the format of \fBarg\fR
@@ -195,6 +209,31 @@ the actual signature to verify.
 .IP "\fB\-hmac key\fR" 4
 .IX Item "-hmac key"
 create a hashed \s-1MAC\s0 using \*(L"key\*(R".
+.IP "\fB\-mac alg\fR" 4
+.IX Item "-mac alg"
+create \s-1MAC\s0 (keyed Message Authentication Code). The most popular \s-1MAC\s0
+algorithm is \s-1HMAC\s0 (hash-based \s-1MAC\s0), but there are other \s-1MAC\s0 algorithms
+which are not based on hash, for instance \fBgost-mac\fR algorithm,
+supported by \fBccgost\fR engine. \s-1MAC\s0 keys and other options should be set
+via \fB\-macopt\fR parameter.
+.IP "\fB\-macopt nm:v\fR" 4
+.IX Item "-macopt nm:v"
+Passes options to \s-1MAC\s0 algorithm, specified by \fB\-mac\fR key.
+Following options are supported by both by \fB\s-1HMAC\s0\fR and \fBgost-mac\fR:
+.RS 4
+.IP "\fBkey:string\fR" 8
+.IX Item "key:string"
+Specifies \s-1MAC\s0 key as alphnumeric string (use if key contain printable
+characters only). String length must conform to any restrictions of
+the \s-1MAC\s0 algorithm for example exactly 32 chars for gost-mac.
+.IP "\fBhexkey:string\fR" 8
+.IX Item "hexkey:string"
+Specifies \s-1MAC\s0 key in hexadecimal form (two hex digits per byte).
+Key length must conform to any restrictions of the \s-1MAC\s0 algorithm
+for example exactly 32 chars for gost-mac.
+.RE
+.RS 4
+.RE
 .IP "\fB\-rand file(s)\fR" 4
 .IX Item "-rand file(s)"
 a file or files containing random data used to seed the random number
diff --git a/secure/usr.bin/openssl/man/dhparam.1 b/secure/usr.bin/openssl/man/dhparam.1
index a638a6b..b20c633 100644
--- a/secure/usr.bin/openssl/man/dhparam.1
+++ b/secure/usr.bin/openssl/man/dhparam.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DHPARAM 1"
-.TH DHPARAM 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH DHPARAM 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -211,7 +211,7 @@ this option converts the parameters into C code. The parameters can then
 be loaded by calling the \fBget_dh\fR\fInumbits\fR\fB()\fR function.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBdhparam\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/secure/usr.bin/openssl/man/dsa.1 b/secure/usr.bin/openssl/man/dsa.1
index 3761f70..80e48ba 100644
--- a/secure/usr.bin/openssl/man/dsa.1
+++ b/secure/usr.bin/openssl/man/dsa.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSA 1"
-.TH DSA 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH DSA 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -220,7 +220,7 @@ key will be output instead. This option is automatically set if the input is
 a public key.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBdsa\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/secure/usr.bin/openssl/man/dsaparam.1 b/secure/usr.bin/openssl/man/dsaparam.1
index 76e1a43..44fabe7 100644
--- a/secure/usr.bin/openssl/man/dsaparam.1
+++ b/secure/usr.bin/openssl/man/dsaparam.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "DSAPARAM 1"
-.TH DSAPARAM 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH DSAPARAM 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -198,7 +198,7 @@ this option specifies that a parameter set should be generated of size
 the input file (if any) is ignored.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBdsaparam\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/secure/usr.bin/openssl/man/ec.1 b/secure/usr.bin/openssl/man/ec.1
index 8af4d8d..941e637 100644
--- a/secure/usr.bin/openssl/man/ec.1
+++ b/secure/usr.bin/openssl/man/ec.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EC 1"
-.TH EC 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH EC 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -239,7 +239,7 @@ explicitly given (see \s-1RFC\s0 3279 for the definition of the
 is currently not implemented in OpenSSL.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBec\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/secure/usr.bin/openssl/man/ecparam.1 b/secure/usr.bin/openssl/man/ecparam.1
index dea8a2e..f79dbc8 100644
--- a/secure/usr.bin/openssl/man/ecparam.1
+++ b/secure/usr.bin/openssl/man/ecparam.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ECPARAM 1"
-.TH ECPARAM 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH ECPARAM 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -229,7 +229,7 @@ The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBecparam\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/secure/usr.bin/openssl/man/enc.1 b/secure/usr.bin/openssl/man/enc.1
index 9e82bcc5..6626c16 100644
--- a/secure/usr.bin/openssl/man/enc.1
+++ b/secure/usr.bin/openssl/man/enc.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ENC 1"
-.TH ENC 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH ENC 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -139,17 +139,24 @@ enc \- symmetric cipher routines
 [\fB\-pass arg\fR]
 [\fB\-e\fR]
 [\fB\-d\fR]
-[\fB\-a\fR]
+[\fB\-a/\-base64\fR]
 [\fB\-A\fR]
 [\fB\-k password\fR]
 [\fB\-kfile filename\fR]
 [\fB\-K key\fR]
 [\fB\-iv \s-1IV\s0\fR]
+[\fB\-S salt\fR]
+[\fB\-salt\fR]
+[\fB\-nosalt\fR]
+[\fB\-z\fR]
+[\fB\-md\fR]
 [\fB\-p\fR]
 [\fB\-P\fR]
 [\fB\-bufsize number\fR]
 [\fB\-nopad\fR]
 [\fB\-debug\fR]
+[\fB\-none\fR]
+[\fB\-engine id\fR]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The symmetric cipher commands allow data to be encrypted or decrypted
@@ -187,6 +194,9 @@ decrypt the input data.
 base64 process the data. This means that if encryption is taking place
 the data is base64 encoded after encryption. If decryption is set then
 the input data is base64 decoded before being decrypted.
+.IP "\fB\-base64\fR" 4
+.IX Item "-base64"
+same as \fB\-a\fR
 .IP "\fB\-A\fR" 4
 .IX Item "-A"
 if the \fB\-a\fR option is set then base64 process the data on one line.
@@ -199,10 +209,16 @@ versions of OpenSSL. Superseded by the \fB\-pass\fR argument.
 read the password to derive the key from the first line of \fBfilename\fR.
 This is for compatibility with previous versions of OpenSSL. Superseded by
 the \fB\-pass\fR argument.
+.IP "\fB\-nosalt\fR" 4
+.IX Item "-nosalt"
+do not use a salt
+.IP "\fB\-salt\fR" 4
+.IX Item "-salt"
+use salt (randomly generated or provide with \fB\-S\fR option) when
+encrypting (this is the default).
 .IP "\fB\-S salt\fR" 4
 .IX Item "-S salt"
-the actual salt to use: this must be represented as a string comprised only
-of hex digits.
+the actual salt to use: this must be represented as a string of hex digits.
 .IP "\fB\-K key\fR" 4
 .IX Item "-K key"
 the actual key to use: this must be represented as a string comprised only
@@ -233,10 +249,30 @@ disable standard block padding
 .IP "\fB\-debug\fR" 4
 .IX Item "-debug"
 debug the BIOs used for I/O.
+.IP "\fB\-z\fR" 4
+.IX Item "-z"
+Compress or decompress clear text using zlib before encryption or after
+decryption. This option exists only if OpenSSL with compiled with zlib
+or zlib-dynamic option.
+.IP "\fB\-none\fR" 4
+.IX Item "-none"
+Use \s-1NULL\s0 cipher (no encryption or decryption of input).
 .SH "NOTES"
 .IX Header "NOTES"
 The program can be called either as \fBopenssl ciphername\fR or
-\&\fBopenssl enc \-ciphername\fR.
+\&\fBopenssl enc \-ciphername\fR. But the first form doesn't work with
+engine-provided ciphers, because this form is processed before the
+configuration file is read and any ENGINEs loaded.
+.PP
+Engines which provide entirely new encryption algorithms (such as ccgost
+engine which provides gost89 algorithm) should be configured in the
+configuration file. Engines, specified in the command line using \-engine
+options can only be used for hadrware-assisted implementations of
+ciphers, which are supported by OpenSSL core or other engine, specified
+in the configuration file.
+.PP
+When enc command lists supported ciphers, ciphers provided by engines,
+specified in the configuration files are listed too.
 .PP
 A password will be prompted for to derive the key and \s-1IV\s0 if necessary.
 .PP
@@ -268,6 +304,13 @@ All \s-1RC2\s0 ciphers have the same key and effective key length.
 Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
 .SH "SUPPORTED CIPHERS"
 .IX Header "SUPPORTED CIPHERS"
+Note that some of these ciphers can be disabled at compile time
+and some are available only if an appropriate engine is configured
+in the configuration file. The output of the \fBenc\fR command run with
+unsupported options (for example \fBopenssl enc \-help\fR) includes a
+list of ciphers, supported by your versesion of OpenSSL, including
+ones provided by configured engines.
+.PP
 .Vb 1
 \& base64             Base 64
 \&
@@ -303,6 +346,9 @@ Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
 \&
 \& desx               DESX algorithm.
 \&
+\& gost89             GOST 28147\-89 in CFB mode (provided by ccgost engine)
+\& gost89\-cnt        \`GOST 28147\-89 in CNT mode (provided by ccgost engine) 
+\&
 \& idea\-cbc           IDEA algorithm in CBC mode
 \& idea               same as idea\-cbc
 \& idea\-cfb           IDEA in CFB mode
diff --git a/secure/usr.bin/openssl/man/errstr.1 b/secure/usr.bin/openssl/man/errstr.1
index 37eb645..edf14fc 100644
--- a/secure/usr.bin/openssl/man/errstr.1
+++ b/secure/usr.bin/openssl/man/errstr.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "ERRSTR 1"
-.TH ERRSTR 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH ERRSTR 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/gendsa.1 b/secure/usr.bin/openssl/man/gendsa.1
index 089ee89..5d2beae 100644
--- a/secure/usr.bin/openssl/man/gendsa.1
+++ b/secure/usr.bin/openssl/man/gendsa.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "GENDSA 1"
-.TH GENDSA 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH GENDSA 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -161,7 +161,7 @@ The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBgendsa\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/secure/usr.bin/openssl/man/genpkey.1 b/secure/usr.bin/openssl/man/genpkey.1
new file mode 100644
index 0000000..b883b8c
--- /dev/null
+++ b/secure/usr.bin/openssl/man/genpkey.1
@@ -0,0 +1,306 @@
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.22)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.el \{\
+.    de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "GENPKEY 1"
+.TH GENPKEY 1 "2012-05-10" "1.0.1c" "OpenSSL"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+genpkey \- generate a private key
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBgenpkey\fR
+[\fB\-out filename\fR]
+[\fB\-outform PEM|DER\fR]
+[\fB\-pass arg\fR]
+[\fB\-cipher\fR]
+[\fB\-engine id\fR]
+[\fB\-paramfile file\fR]
+[\fB\-algorithm alg\fR]
+[\fB\-pkeyopt opt:value\fR]
+[\fB\-genparam\fR]
+[\fB\-text\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBgenpkey\fR command generates a private key.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.IP "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+the output filename. If this argument is not specified then standard output is
+used.
+.IP "\fB\-outform DER|PEM\fR" 4
+.IX Item "-outform DER|PEM"
+This specifies the output format \s-1DER\s0 or \s-1PEM\s0.
+.IP "\fB\-pass arg\fR" 4
+.IX Item "-pass arg"
+the output file password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-cipher\fR" 4
+.IX Item "-cipher"
+This option encrypts the private key with the supplied cipher. Any algorithm
+name accepted by \fIEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR.
+.IP "\fB\-engine id\fR" 4
+.IX Item "-engine id"
+specifying an engine (by its unique \fBid\fR string) will cause \fBgenpkey\fR
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms. If used this option should precede all other
+options.
+.IP "\fB\-algorithm alg\fR" 4
+.IX Item "-algorithm alg"
+public key algorithm to use such as \s-1RSA\s0, \s-1DSA\s0 or \s-1DH\s0. If used this option must
+precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR
+are mutually exclusive.
+.IP "\fB\-pkeyopt opt:value\fR" 4
+.IX Item "-pkeyopt opt:value"
+set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of
+options supported depends on the public key algorithm used and its
+implementation. See \fB\s-1KEY\s0 \s-1GENERATION\s0 \s-1OPTIONS\s0\fR below for more details.
+.IP "\fB\-genparam\fR" 4
+.IX Item "-genparam"
+generate a set of parameters instead of a private key. If used this option must
+precede and \fB\-algorithm\fR, \fB\-paramfile\fR or \fB\-pkeyopt\fR options.
+.IP "\fB\-paramfile filename\fR" 4
+.IX Item "-paramfile filename"
+Some public key algorithms generate a private key based on a set of parameters.
+They can be supplied using this option. If this option is used the public key
+algorithm used is determined by the parameters. If used this option must
+precede and \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR
+are mutually exclusive.
+.IP "\fB\-text\fR" 4
+.IX Item "-text"
+Print an (unencrypted) text representation of private and public keys and
+parameters along with the \s-1PEM\s0 or \s-1DER\s0 structure.
+.SH "KEY GENERATION OPTIONS"
+.IX Header "KEY GENERATION OPTIONS"
+The options supported by each algorith and indeed each implementation of an
+algorithm can vary. The options for the OpenSSL implementations are detailed
+below.
+.SH "RSA KEY GENERATION OPTIONS"
+.IX Header "RSA KEY GENERATION OPTIONS"
+.IP "\fBrsa_keygen_bits:numbits\fR" 4
+.IX Item "rsa_keygen_bits:numbits"
+The number of bits in the generated key. If not specified 1024 is used.
+.IP "\fBrsa_keygen_pubexp:value\fR" 4
+.IX Item "rsa_keygen_pubexp:value"
+The \s-1RSA\s0 public exponent value. This can be a large decimal or
+hexadecimal value if preceded by \fB0x\fR. Default value is 65537.
+.SH "DSA PARAMETER GENERATION OPTIONS"
+.IX Header "DSA PARAMETER GENERATION OPTIONS"
+.IP "\fBdsa_paramgen_bits:numbits\fR" 4
+.IX Item "dsa_paramgen_bits:numbits"
+The number of bits in the generated parameters. If not specified 1024 is used.
+.SH "DH PARAMETER GENERATION OPTIONS"
+.IX Header "DH PARAMETER GENERATION OPTIONS"
+.IP "\fBdh_paramgen_prime_len:numbits\fR" 4
+.IX Item "dh_paramgen_prime_len:numbits"
+The number of bits in the prime parameter \fBp\fR.
+.IP "\fBdh_paramgen_generator:value\fR" 4
+.IX Item "dh_paramgen_generator:value"
+The value to use for the generator \fBg\fR.
+.SH "EC PARAMETER GENERATION OPTIONS"
+.IX Header "EC PARAMETER GENERATION OPTIONS"
+.IP "\fBec_paramgen_curve:curve\fR" 4
+.IX Item "ec_paramgen_curve:curve"
+the \s-1EC\s0 curve to use.
+.SH "GOST2001 KEY GENERATION AND PARAMETER OPTIONS"
+.IX Header "GOST2001 KEY GENERATION AND PARAMETER OPTIONS"
+Gost 2001 support is not enabled by default. To enable this algorithm,
+one should load the ccgost engine in the OpenSSL configuration file.
+See \s-1README\s0.gost file in the engines/ccgost directiry of the source
+distribution for more details.
+.PP
+Use of a parameter file for the \s-1GOST\s0 R 34.10 algorithm is optional.
+Parameters can be specified during key generation directly as well as
+during generation of parameter file.
+.IP "\fBparamset:name\fR" 4
+.IX Item "paramset:name"
+Specifies \s-1GOST\s0 R 34.10\-2001 parameter set according to \s-1RFC\s0 4357.
+Parameter set can be specified using abbreviated name, object short name or
+numeric \s-1OID\s0. Following parameter sets are supported:
+.Sp
+.Vb 7
+\&  paramset   OID               Usage
+\&  A          1.2.643.2.2.35.1  Signature
+\&  B          1.2.643.2.2.35.2  Signature
+\&  C          1.2.643.2.2.35.3  Signature
+\&  XA         1.2.643.2.2.36.0  Key exchange
+\&  XB         1.2.643.2.2.36.1  Key exchange
+\&  test       1.2.643.2.2.35.0  Test purposes
+.Ve
+.SH "NOTES"
+.IX Header "NOTES"
+The use of the genpkey program is encouraged over the algorithm specific
+utilities because additional algorithm options and \s-1ENGINE\s0 provided algorithms
+can be used.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Generate an \s-1RSA\s0 private key using default parameters:
+.PP
+.Vb 1
+\& openssl genpkey \-algorithm RSA \-out key.pem
+.Ve
+.PP
+Encrypt output private key using 128 bit \s-1AES\s0 and the passphrase \*(L"hello\*(R":
+.PP
+.Vb 1
+\& openssl genpkey \-algorithm RSA \-out key.pem \-aes\-128\-cbc \-pass pass:hello
+.Ve
+.PP
+Generate a 2048 bit \s-1RSA\s0 key using 3 as the public exponent:
+.PP
+.Vb 2
+\& openssl genpkey \-algorithm RSA \-out key.pem \-pkeyopt rsa_keygen_bits:2048 \e
+\&                                                \-pkeyopt rsa_keygen_pubexp:3
+.Ve
+.PP
+Generate 1024 bit \s-1DSA\s0 parameters:
+.PP
+.Vb 2
+\& openssl genpkey \-genparam \-algorithm DSA \-out dsap.pem \e
+\&                                                \-pkeyopt dsa_paramgen_bits:1024
+.Ve
+.PP
+Generate \s-1DSA\s0 key from parameters:
+.PP
+.Vb 1
+\& openssl genpkey \-paramfile dsap.pem \-out dsakey.pem
+.Ve
+.PP
+Generate 1024 bit \s-1DH\s0 parameters:
+.PP
+.Vb 2
+\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \e
+\&                                        \-pkeyopt dh_paramgen_prime_len:1024
+.Ve
+.PP
+Generate \s-1DH\s0 key from parameters:
+.PP
+.Vb 1
+\& openssl genpkey \-paramfile dhp.pem \-out dhkey.pem
+.Ve
diff --git a/secure/usr.bin/openssl/man/genrsa.1 b/secure/usr.bin/openssl/man/genrsa.1
index 701ffb5..6bc5242 100644
--- a/secure/usr.bin/openssl/man/genrsa.1
+++ b/secure/usr.bin/openssl/man/genrsa.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "GENRSA 1"
-.TH GENRSA 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH GENRSA 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -175,7 +175,7 @@ The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBgenrsa\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/secure/usr.bin/openssl/man/nseq.1 b/secure/usr.bin/openssl/man/nseq.1
index c42b273..9fa30f3 100644
--- a/secure/usr.bin/openssl/man/nseq.1
+++ b/secure/usr.bin/openssl/man/nseq.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "NSEQ 1"
-.TH NSEQ 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH NSEQ 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/ocsp.1
index 0e11a6d..934630f 100644
--- a/secure/usr.bin/openssl/man/ocsp.1
+++ b/secure/usr.bin/openssl/man/ocsp.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "OCSP 1"
-.TH OCSP 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH OCSP 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -178,6 +178,7 @@ ocsp \- Online Certificate Status Protocol utility
 [\fB\-ndays n\fR]
 [\fB\-resp_key_id\fR]
 [\fB\-nrequest n\fR]
+[\fB\-md5|\-sha1|...\fR]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to
@@ -306,6 +307,10 @@ If the \fBnotAfter\fR time is omitted from a response then this means that new s
 information is immediately available. In this case the age of the \fBnotBefore\fR field
 is checked to see it is not older than \fBage\fR seconds old. By default this additional
 check is not performed.
+.IP "\fB\-md5|\-sha1|\-sha256|\-ripemod160|...\fR" 4
+.IX Item "-md5|-sha1|-sha256|-ripemod160|..."
+this option sets digest algorithm to use for certificate identification
+in the \s-1OCSP\s0 request. By default \s-1SHA\-1\s0 is used.
 .SH "OCSP SERVER OPTIONS"
 .IX Header "OCSP SERVER OPTIONS"
 .IP "\fB\-index indexfile\fR" 4
diff --git a/secure/usr.bin/openssl/man/openssl.1 b/secure/usr.bin/openssl/man/openssl.1
index 9b64fb6..e616626 100644
--- a/secure/usr.bin/openssl/man/openssl.1
+++ b/secure/usr.bin/openssl/man/openssl.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "OPENSSL 1"
-.TH OPENSSL 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH OPENSSL 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -138,7 +138,7 @@ openssl \- OpenSSL command line tool
 [ \fIcommand_opts\fR ]
 [ \fIcommand_args\fR ]
 .PP
-\&\fBopenssl\fR [ \fBlist-standard-commands\fR | \fBlist-message-digest-commands\fR | \fBlist-cipher-commands\fR ]
+\&\fBopenssl\fR [ \fBlist-standard-commands\fR | \fBlist-message-digest-commands\fR | \fBlist-cipher-commands\fR | \fBlist-cipher-algorithms\fR | \fBlist-message-digest-algorithms\fR | \fBlist-public-key-algorithms\fR]
 .PP
 \&\fBopenssl\fR \fBno\-\fR\fI\s-1XXX\s0\fR [ \fIarbitrary options\fR ]
 .SH "DESCRIPTION"
@@ -151,13 +151,15 @@ The \fBopenssl\fR program is a command line tool for using the various
 cryptography functions of OpenSSL's \fBcrypto\fR library from the shell. 
 It can be used for
 .PP
-.Vb 6
-\& o  Creation of RSA, DH and DSA key parameters
+.Vb 8
+\& o  Creation and management of private keys, public keys and parameters
+\& o  Public key cryptographic operations
 \& o  Creation of X.509 certificates, CSRs and CRLs 
 \& o  Calculation of Message Digests
 \& o  Encryption and Decryption with Ciphers
 \& o  SSL/TLS Client and Server Tests
 \& o  Handling of S/MIME signed or encrypted mail
+\& o  Time Stamp requests, generation and verification
 .Ve
 .SH "COMMAND SUMMARY"
 .IX Header "COMMAND SUMMARY"
@@ -170,6 +172,16 @@ and \fBlist-cipher-commands\fR output a list (one entry per line) of the names
 of all standard commands, message digest commands, or cipher commands,
 respectively, that are available in the present \fBopenssl\fR utility.
 .PP
+The pseudo-commands \fBlist-cipher-algorithms\fR and
+\&\fBlist-message-digest-algorithms\fR list all cipher and message digest names, one entry per line. Aliases are listed as:
+.PP
+.Vb 1
+\& from => to
+.Ve
+.PP
+The pseudo-command \fBlist-public-key-algorithms\fR lists all supported public
+key algorithms.
+.PP
 The pseudo-command \fBno\-\fR\fI\s-1XXX\s0\fR tests whether a command of the
 specified name is available.  If no command named \fI\s-1XXX\s0\fR exists, it
 returns 0 (success) and prints \fBno\-\fR\fI\s-1XXX\s0\fR; otherwise it returns 1
@@ -191,6 +203,9 @@ Certificate Authority (\s-1CA\s0) Management.
 .IP "\fBciphers\fR" 10
 .IX Item "ciphers"
 Cipher Suite Description Determination.
+.IP "\fBcms\fR" 10
+.IX Item "cms"
+\&\s-1CMS\s0 (Cryptographic Message Syntax) utility
 .IP "\fBcrl\fR" 10
 .IX Item "crl"
 Certificate Revocation List (\s-1CRL\s0) Management.
@@ -204,31 +219,49 @@ Message Digest Calculation.
 .IX Item "dh"
 Diffie-Hellman Parameter Management.
 Obsoleted by \fBdhparam\fR.
+.IP "\fBdhparam\fR" 10
+.IX Item "dhparam"
+Generation and Management of Diffie-Hellman Parameters. Superseded by 
+\&\fBgenpkey\fR and \fBpkeyparam\fR
 .IP "\fBdsa\fR" 10
 .IX Item "dsa"
 \&\s-1DSA\s0 Data Management.
 .IP "\fBdsaparam\fR" 10
 .IX Item "dsaparam"
-\&\s-1DSA\s0 Parameter Generation.
+\&\s-1DSA\s0 Parameter Generation and Management. Superseded by 
+\&\fBgenpkey\fR and \fBpkeyparam\fR
+.IP "\fBec\fR" 10
+.IX Item "ec"
+\&\s-1EC\s0 (Elliptic curve) key processing
+.IP "\fBecparam\fR" 10
+.IX Item "ecparam"
+\&\s-1EC\s0 parameter manipulation and generation
 .IP "\fBenc\fR" 10
 .IX Item "enc"
 Encoding with Ciphers.
+.IP "\fBengine\fR" 10
+.IX Item "engine"
+Engine (loadble module) information and manipulation.
 .IP "\fBerrstr\fR" 10
 .IX Item "errstr"
 Error Number to Error String Conversion.
-.IP "\fBdhparam\fR" 10
-.IX Item "dhparam"
-Generation and Management of Diffie-Hellman Parameters.
 .IP "\fBgendh\fR" 10
 .IX Item "gendh"
 Generation of Diffie-Hellman Parameters.
 Obsoleted by \fBdhparam\fR.
 .IP "\fBgendsa\fR" 10
 .IX Item "gendsa"
-Generation of \s-1DSA\s0 Parameters.
+Generation of \s-1DSA\s0 Private Key from Parameters. Superseded by 
+\&\fBgenpkey\fR and \fBpkey\fR
+.IP "\fBgenpkey\fR" 10
+.IX Item "genpkey"
+Generation of Private Key or Parameters.
 .IP "\fBgenrsa\fR" 10
 .IX Item "genrsa"
-Generation of \s-1RSA\s0 Parameters.
+Generation of \s-1RSA\s0 Private Key. Superceded by \fBgenpkey\fR.
+.IP "\fBnseq\fR" 10
+.IX Item "nseq"
+Create or examine a netscape certificate sequence
 .IP "\fBocsp\fR" 10
 .IX Item "ocsp"
 Online Certificate Status Protocol utility.
@@ -241,18 +274,28 @@ PKCS#12 Data Management.
 .IP "\fBpkcs7\fR" 10
 .IX Item "pkcs7"
 PKCS#7 Data Management.
+.IP "\fBpkey\fR" 10
+.IX Item "pkey"
+Public and private key management.
+.IP "\fBpkeyparam\fR" 10
+.IX Item "pkeyparam"
+Public key algorithm parameter management.
+.IP "\fBpkeyutl\fR" 10
+.IX Item "pkeyutl"
+Public key algorithm cryptographic operation utility.
 .IP "\fBrand\fR" 10
 .IX Item "rand"
 Generate pseudo-random bytes.
 .IP "\fBreq\fR" 10
 .IX Item "req"
-X.509 Certificate Signing Request (\s-1CSR\s0) Management.
+PKCS#10 X.509 Certificate Signing Request (\s-1CSR\s0) Management.
 .IP "\fBrsa\fR" 10
 .IX Item "rsa"
-\&\s-1RSA\s0 Data Management.
+\&\s-1RSA\s0 key management.
 .IP "\fBrsautl\fR" 10
 .IX Item "rsautl"
-\&\s-1RSA\s0 utility for signing, verification, encryption, and decryption.
+\&\s-1RSA\s0 utility for signing, verification, encryption, and decryption. Superseded
+by  \fBpkeyutl\fR
 .IP "\fBs_client\fR" 10
 .IX Item "s_client"
 This implements a generic \s-1SSL/TLS\s0 client which can establish a transparent
@@ -279,6 +322,12 @@ S/MIME mail processing.
 .IP "\fBspeed\fR" 10
 .IX Item "speed"
 Algorithm Speed Measurement.
+.IP "\fBspkac\fR" 10
+.IX Item "spkac"
+\&\s-1SPKAC\s0 printing and generating utility
+.IP "\fBts\fR" 10
+.IX Item "ts"
+Time Stamping Authority tool (client/server)
 .IP "\fBverify\fR" 10
 .IX Item "verify"
 X.509 Certificate Verification.
@@ -390,7 +439,7 @@ read the password from standard input.
 \&\fIasn1parse\fR\|(1), \fIca\fR\|(1), \fIconfig\fR\|(5),
 \&\fIcrl\fR\|(1), \fIcrl2pkcs7\fR\|(1), \fIdgst\fR\|(1),
 \&\fIdhparam\fR\|(1), \fIdsa\fR\|(1), \fIdsaparam\fR\|(1),
-\&\fIenc\fR\|(1), \fIgendsa\fR\|(1),
+\&\fIenc\fR\|(1), \fIgendsa\fR\|(1), \fIgenpkey\fR\|(1),
 \&\fIgenrsa\fR\|(1), \fInseq\fR\|(1), \fIopenssl\fR\|(1),
 \&\fIpasswd\fR\|(1),
 \&\fIpkcs12\fR\|(1), \fIpkcs7\fR\|(1), \fIpkcs8\fR\|(1),
@@ -399,11 +448,12 @@ read the password from standard input.
 \&\fIs_server\fR\|(1), \fIs_time\fR\|(1),
 \&\fIsmime\fR\|(1), \fIspkac\fR\|(1),
 \&\fIverify\fR\|(1), \fIversion\fR\|(1), \fIx509\fR\|(1),
-\&\fIcrypto\fR\|(3), \fIssl\fR\|(3)
+\&\fIcrypto\fR\|(3), \fIssl\fR\|(3), \fIx509v3_config\fR\|(5)
 .SH "HISTORY"
 .IX Header "HISTORY"
 The \fIopenssl\fR\|(1) document appeared in OpenSSL 0.9.2.
 The \fBlist\-\fR\fI\s-1XXX\s0\fR\fB\-commands\fR pseudo-commands were added in OpenSSL 0.9.3;
+The \fBlist\-\fR\fI\s-1XXX\s0\fR\fB\-algorithms\fR pseudo-commands were added in OpenSSL 1.0.0;
 the \fBno\-\fR\fI\s-1XXX\s0\fR pseudo-commands were added in OpenSSL 0.9.5a.
 For notes on the availability of other commands, see their individual
 manual pages.
diff --git a/secure/usr.bin/openssl/man/passwd.1 b/secure/usr.bin/openssl/man/passwd.1
index de375d7..80e8637 100644
--- a/secure/usr.bin/openssl/man/passwd.1
+++ b/secure/usr.bin/openssl/man/passwd.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PASSWD 1"
-.TH PASSWD 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH PASSWD 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/pkcs12.1 b/secure/usr.bin/openssl/man/pkcs12.1
index bc695f6..cc8e999 100644
--- a/secure/usr.bin/openssl/man/pkcs12.1
+++ b/secure/usr.bin/openssl/man/pkcs12.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS12 1"
-.TH PKCS12 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH PKCS12 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -149,22 +149,23 @@ pkcs12 \- PKCS#12 file utility
 [\fB\-cacerts\fR]
 [\fB\-nokeys\fR]
 [\fB\-info\fR]
-[\fB\-des\fR]
-[\fB\-des3\fR]
-[\fB\-idea\fR]
-[\fB\-nodes\fR]
+[\fB\-des | \-des3 | \-idea | \-aes128 | \-aes192 | \-aes256 | \-camellia128 | \-camellia192 | \-camellia256 | \-nodes\fR]
 [\fB\-noiter\fR]
-[\fB\-maciter\fR]
+[\fB\-maciter | \-nomaciter | \-nomac\fR]
 [\fB\-twopass\fR]
 [\fB\-descert\fR]
-[\fB\-certpbe\fR]
-[\fB\-keypbe\fR]
+[\fB\-certpbe cipher\fR]
+[\fB\-keypbe cipher\fR]
+[\fB\-macalg digest\fR]
 [\fB\-keyex\fR]
 [\fB\-keysig\fR]
 [\fB\-password arg\fR]
 [\fB\-passin arg\fR]
 [\fB\-passout arg\fR]
 [\fB\-rand file(s)\fR]
+[\fB\-CAfile file\fR]
+[\fB\-CApath dir\fR]
+[\fB\-CSP name\fR]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \fBpkcs12\fR command allows PKCS#12 files (sometimes referred to as
@@ -173,7 +174,7 @@ programs including Netscape, \s-1MSIE\s0 and \s-1MS\s0 Outlook.
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
 There are a lot of options the meaning of some depends of whether a PKCS#12 file
-is being created or parsed. By default a PKCS#12 file is parsed a PKCS#12
+is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12
 file can be created by using the \fB\-export\fR option (see below).
 .SH "PARSING OPTIONS"
 .IX Header "PARSING OPTIONS"
@@ -183,22 +184,22 @@ This specifies filename of the PKCS#12 file to be parsed. Standard input is used
 by default.
 .IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
-The filename to write certificates and private keys to, standard output by default.
-They are all written in \s-1PEM\s0 format.
+The filename to write certificates and private keys to, standard output by
+default.  They are all written in \s-1PEM\s0 format.
 .IP "\fB\-pass arg\fR, \fB\-passin arg\fR" 4
 .IX Item "-pass arg, -passin arg"
-the PKCS#12 file (i.e. input file) password source. For more information about the
-format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
+the PKCS#12 file (i.e. input file) password source. For more information about
+the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
 \&\fIopenssl\fR\|(1).
 .IP "\fB\-passout arg\fR" 4
 .IX Item "-passout arg"
-pass phrase source to encrypt any outputed private keys with. For more information
-about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
-\&\fIopenssl\fR\|(1).
+pass phrase source to encrypt any outputed private keys with. For more
+information about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section
+in \fIopenssl\fR\|(1).
 .IP "\fB\-noout\fR" 4
 .IX Item "-noout"
-this option inhibits output of the keys and certificates to the output file version
-of the PKCS#12 file.
+this option inhibits output of the keys and certificates to the output file
+version of the PKCS#12 file.
 .IP "\fB\-clcerts\fR" 4
 .IX Item "-clcerts"
 only output client certificates (not \s-1CA\s0 certificates).
@@ -224,6 +225,12 @@ use triple \s-1DES\s0 to encrypt private keys before outputting, this is the def
 .IP "\fB\-idea\fR" 4
 .IX Item "-idea"
 use \s-1IDEA\s0 to encrypt private keys before outputting.
+.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR" 4
+.IX Item "-aes128, -aes192, -aes256"
+use \s-1AES\s0 to encrypt private keys before outputting.
+.IP "\fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR" 4
+.IX Item "-camellia128, -camellia192, -camellia256"
+use Camellia to encrypt private keys before outputting.
 .IP "\fB\-nodes\fR" 4
 .IX Item "-nodes"
 don't encrypt the private keys at all.
@@ -247,18 +254,18 @@ This specifies filename to write the PKCS#12 file to. Standard output is used
 by default.
 .IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
-The filename to read certificates and private keys from, standard input by default.
-They must all be in \s-1PEM\s0 format. The order doesn't matter but one private key and
-its corresponding certificate should be present. If additional certificates are
-present they will also be included in the PKCS#12 file.
+The filename to read certificates and private keys from, standard input by
+default.  They must all be in \s-1PEM\s0 format. The order doesn't matter but one
+private key and its corresponding certificate should be present. If additional
+certificates are present they will also be included in the PKCS#12 file.
 .IP "\fB\-inkey filename\fR" 4
 .IX Item "-inkey filename"
 file to read private key from. If not present then a private key must be present
 in the input file.
 .IP "\fB\-name friendlyname\fR" 4
 .IX Item "-name friendlyname"
-This specifies the \*(L"friendly name\*(R" for the certificate and private key. This name
-is typically displayed in list boxes by software importing the file.
+This specifies the \*(L"friendly name\*(R" for the certificate and private key. This
+name is typically displayed in list boxes by software importing the file.
 .IP "\fB\-certfile filename\fR" 4
 .IX Item "-certfile filename"
 A filename to read additional certificates from.
@@ -291,9 +298,11 @@ key is encrypted using triple \s-1DES\s0 and the certificate using 40 bit \s-1RC
 .IP "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4
 .IX Item "-keypbe alg, -certpbe alg"
 these options allow the algorithm used to encrypt the private key and
-certificates to be selected. Although any PKCS#5 v1.5 or PKCS#12 algorithms
-can be selected it is advisable only to use PKCS#12 algorithms. See the list
-in the \fB\s-1NOTES\s0\fR section for more information.
+certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 \s-1PBE\s0 algorithm name
+can be used (see \fB\s-1NOTES\s0\fR section for more information). If a a cipher name
+(as output by the \fBlist-cipher-algorithms\fR command is specified then it
+is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
+use PKCS#12 algorithms.
 .IP "\fB\-keyex|\-keysig\fR" 4
 .IX Item "-keyex|-keysig"
 specifies that the private key is to be used for key exchange or just signing.
@@ -304,6 +313,9 @@ option marks the key for signing only. Signing only keys can be used for
 S/MIME signing, authenticode (ActiveX control signing)  and \s-1SSL\s0 client
 authentication, however due to a bug only \s-1MSIE\s0 5.0 and later support
 the use of signing only keys for \s-1SSL\s0 client authentication.
+.IP "\fB\-macalg digest\fR" 4
+.IX Item "-macalg digest"
+specify the \s-1MAC\s0 digest algorithm. If not included them \s-1SHA1\s0 will be used.
 .IP "\fB\-nomaciter\fR, \fB\-noiter\fR" 4
 .IX Item "-nomaciter, -noiter"
 these options affect the iteration counts on the \s-1MAC\s0 and key algorithms.
@@ -325,6 +337,9 @@ option.
 .IX Item "-maciter"
 This option is included for compatibility with previous versions, it used
 to be needed to use \s-1MAC\s0 iterations counts but they are now used by default.
+.IP "\fB\-nomac\fR" 4
+.IX Item "-nomac"
+don't attempt to provide the \s-1MAC\s0 integrity.
 .IP "\fB\-rand file(s)\fR" 4
 .IX Item "-rand file(s)"
 a file or files containing random data used to seed the random number
@@ -332,6 +347,17 @@ generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
+.IP "\fB\-CAfile file\fR" 4
+.IX Item "-CAfile file"
+\&\s-1CA\s0 storage as a file.
+.IP "\fB\-CApath dir\fR" 4
+.IX Item "-CApath dir"
+\&\s-1CA\s0 storage as a directory. This directory must be a standard certificate
+directory: that is a hash of each subject name (using \fBx509 \-hash\fR) should be
+linked to each certificate.
+.IP "\fB\-CSP name\fR" 4
+.IX Item "-CSP name"
+write \fBname\fR as a Microsoft \s-1CSP\s0 name.
 .SH "NOTES"
 .IX Header "NOTES"
 Although there are a large number of options most of them are very rarely
diff --git a/secure/usr.bin/openssl/man/pkcs7.1 b/secure/usr.bin/openssl/man/pkcs7.1
index b29ac1e..96e5029 100644
--- a/secure/usr.bin/openssl/man/pkcs7.1
+++ b/secure/usr.bin/openssl/man/pkcs7.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS7 1"
-.TH PKCS7 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH PKCS7 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -178,7 +178,7 @@ don't output the encoded version of the PKCS#7 structure (or certificates
 is \fB\-print_certs\fR is set).
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBpkcs7\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/secure/usr.bin/openssl/man/pkcs8.1 b/secure/usr.bin/openssl/man/pkcs8.1
index 1172289..67aa47e 100644
--- a/secure/usr.bin/openssl/man/pkcs8.1
+++ b/secure/usr.bin/openssl/man/pkcs8.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PKCS8 1"
-.TH PKCS8 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH PKCS8 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -235,7 +235,7 @@ This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
 list of possible algorithms is included below.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBpkcs8\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/secure/usr.bin/openssl/man/pkey.1 b/secure/usr.bin/openssl/man/pkey.1
new file mode 100644
index 0000000..6ddd950
--- /dev/null
+++ b/secure/usr.bin/openssl/man/pkey.1
@@ -0,0 +1,251 @@
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.22)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.el \{\
+.    de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "PKEY 1"
+.TH PKEY 1 "2012-05-10" "1.0.1c" "OpenSSL"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+pkey \- public or private key processing tool
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBpkey\fR
+[\fB\-inform PEM|DER\fR]
+[\fB\-outform PEM|DER\fR]
+[\fB\-in filename\fR]
+[\fB\-passin arg\fR]
+[\fB\-out filename\fR]
+[\fB\-passout arg\fR]
+[\fB\-cipher\fR]
+[\fB\-text\fR]
+[\fB\-text_pub\fR]
+[\fB\-noout\fR]
+[\fB\-pubin\fR]
+[\fB\-pubout\fR]
+[\fB\-engine id\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBpkey\fR command processes public or private keys. They can be converted
+between various forms and their components printed out.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.IP "\fB\-inform DER|PEM\fR" 4
+.IX Item "-inform DER|PEM"
+This specifies the input format \s-1DER\s0 or \s-1PEM\s0.
+.IP "\fB\-outform DER|PEM\fR" 4
+.IX Item "-outform DER|PEM"
+This specifies the output format, the options have the same meaning as the 
+\&\fB\-inform\fR option.
+.IP "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+.IP "\fB\-passin arg\fR" 4
+.IX Item "-passin arg"
+the input file password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+This specifies the output filename to write a key to or standard output if this
+option is not specified. If any encryption options are set then a pass phrase
+will be prompted for. The output filename should \fBnot\fR be the same as the input
+filename.
+.IP "\fB\-passout password\fR" 4
+.IX Item "-passout password"
+the output file password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-cipher\fR" 4
+.IX Item "-cipher"
+These options encrypt the private key with the supplied cipher. Any algorithm
+name accepted by \fIEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR.
+.IP "\fB\-text\fR" 4
+.IX Item "-text"
+prints out the various public or private key components in
+plain text in addition to the encoded version.
+.IP "\fB\-text_pub\fR" 4
+.IX Item "-text_pub"
+print out only public key components even if a private key is being processed.
+.IP "\fB\-noout\fR" 4
+.IX Item "-noout"
+do not output the encoded version of the key.
+.IP "\fB\-pubin\fR" 4
+.IX Item "-pubin"
+by default a private key is read from the input file: with this
+option a public key is read instead.
+.IP "\fB\-pubout\fR" 4
+.IX Item "-pubout"
+by default a private key is output: with this option a public
+key will be output instead. This option is automatically set if
+the input is a public key.
+.IP "\fB\-engine id\fR" 4
+.IX Item "-engine id"
+specifying an engine (by its unique \fBid\fR string) will cause \fBpkey\fR
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+To remove the pass phrase on an \s-1RSA\s0 private key:
+.PP
+.Vb 1
+\& openssl pkey \-in key.pem \-out keyout.pem
+.Ve
+.PP
+To encrypt a private key using triple \s-1DES:\s0
+.PP
+.Vb 1
+\& openssl pkey \-in key.pem \-des3 \-out keyout.pem
+.Ve
+.PP
+To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format:
+.PP
+.Vb 1
+\& openssl pkey \-in key.pem \-outform DER \-out keyout.der
+.Ve
+.PP
+To print out the components of a private key to standard output:
+.PP
+.Vb 1
+\& openssl pkey \-in key.pem \-text \-noout
+.Ve
+.PP
+To print out the public components of a private key to standard output:
+.PP
+.Vb 1
+\& openssl pkey \-in key.pem \-text_pub \-noout
+.Ve
+.PP
+To just output the public part of a private key:
+.PP
+.Vb 1
+\& openssl pkey \-in key.pem \-pubout \-out pubkey.pem
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIgenpkey\fR\|(1), \fIrsa\fR\|(1), \fIpkcs8\fR\|(1),
+\&\fIdsa\fR\|(1), \fIgenrsa\fR\|(1), \fIgendsa\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/pkeyparam.1 b/secure/usr.bin/openssl/man/pkeyparam.1
new file mode 100644
index 0000000..41172fc
--- /dev/null
+++ b/secure/usr.bin/openssl/man/pkeyparam.1
@@ -0,0 +1,182 @@
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.22)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.el \{\
+.    de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "PKEYPARAM 1"
+.TH PKEYPARAM 1 "2012-05-10" "1.0.1c" "OpenSSL"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+pkeyparam \- public key algorithm parameter processing tool
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBpkeyparam\fR
+[\fB\-in filename\fR]
+[\fB\-out filename\fR]
+[\fB\-text\fR]
+[\fB\-noout\fR]
+[\fB\-engine id\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBpkey\fR command processes public or private keys. They can be converted
+between various forms and their components printed out.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.IP "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read parameters from or standard input if
+this option is not specified.
+.IP "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+This specifies the output filename to write parameters to or standard output if
+this option is not specified.
+.IP "\fB\-text\fR" 4
+.IX Item "-text"
+prints out the parameters in plain text in addition to the encoded version.
+.IP "\fB\-noout\fR" 4
+.IX Item "-noout"
+do not output the encoded version of the parameters.
+.IP "\fB\-engine id\fR" 4
+.IX Item "-engine id"
+specifying an engine (by its unique \fBid\fR string) will cause \fBpkeyparam\fR
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+.SH "EXAMPLE"
+.IX Header "EXAMPLE"
+Print out text version of parameters:
+.PP
+.Vb 1
+\& openssl pkeyparam \-in param.pem \-text
+.Ve
+.SH "NOTES"
+.IX Header "NOTES"
+There are no \fB\-inform\fR or \fB\-outform\fR options for this command because only
+\&\s-1PEM\s0 format is supported because the key type is determined by the \s-1PEM\s0 headers.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIgenpkey\fR\|(1), \fIrsa\fR\|(1), \fIpkcs8\fR\|(1),
+\&\fIdsa\fR\|(1), \fIgenrsa\fR\|(1), \fIgendsa\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/pkeyutl.1 b/secure/usr.bin/openssl/man/pkeyutl.1
new file mode 100644
index 0000000..5cab115
--- /dev/null
+++ b/secure/usr.bin/openssl/man/pkeyutl.1
@@ -0,0 +1,320 @@
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.22)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.el \{\
+.    de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "PKEYUTL 1"
+.TH PKEYUTL 1 "2012-05-10" "1.0.1c" "OpenSSL"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+pkeyutl \- public key algorithm utility
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBpkeyutl\fR
+[\fB\-in file\fR]
+[\fB\-out file\fR]
+[\fB\-sigfile file\fR]
+[\fB\-inkey file\fR]
+[\fB\-keyform PEM|DER\fR]
+[\fB\-passin arg\fR]
+[\fB\-peerkey file\fR]
+[\fB\-peerform PEM|DER\fR]
+[\fB\-pubin\fR]
+[\fB\-certin\fR]
+[\fB\-rev\fR]
+[\fB\-sign\fR]
+[\fB\-verify\fR]
+[\fB\-verifyrecover\fR]
+[\fB\-encrypt\fR]
+[\fB\-decrypt\fR]
+[\fB\-derive\fR]
+[\fB\-pkeyopt opt:value\fR]
+[\fB\-hexdump\fR]
+[\fB\-asn1parse\fR]
+[\fB\-engine id\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBpkeyutl\fR command can be used to perform public key operations using
+any supported algorithm.
+.SH "COMMAND OPTIONS"
+.IX Header "COMMAND OPTIONS"
+.IP "\fB\-in filename\fR" 4
+.IX Item "-in filename"
+This specifies the input filename to read data from or standard input
+if this option is not specified.
+.IP "\fB\-out filename\fR" 4
+.IX Item "-out filename"
+specifies the output filename to write to or standard output by
+default.
+.IP "\fB\-inkey file\fR" 4
+.IX Item "-inkey file"
+the input key file, by default it should be a private key.
+.IP "\fB\-keyform PEM|DER\fR" 4
+.IX Item "-keyform PEM|DER"
+the key format \s-1PEM\s0, \s-1DER\s0 or \s-1ENGINE\s0.
+.IP "\fB\-passin arg\fR" 4
+.IX Item "-passin arg"
+the input key password source. For more information about the format of \fBarg\fR
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-peerkey file\fR" 4
+.IX Item "-peerkey file"
+the peer key file, used by key derivation (agreement) operations.
+.IP "\fB\-peerform PEM|DER\fR" 4
+.IX Item "-peerform PEM|DER"
+the peer key format \s-1PEM\s0, \s-1DER\s0 or \s-1ENGINE\s0.
+.IP "\fB\-engine id\fR" 4
+.IX Item "-engine id"
+specifying an engine (by its unique \fBid\fR string) will cause \fBpkeyutl\fR
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+.IP "\fB\-pubin\fR" 4
+.IX Item "-pubin"
+the input file is a public key.
+.IP "\fB\-certin\fR" 4
+.IX Item "-certin"
+the input is a certificate containing a public key.
+.IP "\fB\-rev\fR" 4
+.IX Item "-rev"
+reverse the order of the input buffer. This is useful for some libraries
+(such as CryptoAPI) which represent the buffer in little endian format.
+.IP "\fB\-sign\fR" 4
+.IX Item "-sign"
+sign the input data and output the signed result. This requires
+a private key.
+.IP "\fB\-verify\fR" 4
+.IX Item "-verify"
+verify the input data against the signature file and indicate if the
+verification succeeded or failed.
+.IP "\fB\-verifyrecover\fR" 4
+.IX Item "-verifyrecover"
+verify the input data and output the recovered data.
+.IP "\fB\-encrypt\fR" 4
+.IX Item "-encrypt"
+encrypt the input data using a public key.
+.IP "\fB\-decrypt\fR" 4
+.IX Item "-decrypt"
+decrypt the input data using a private key.
+.IP "\fB\-derive\fR" 4
+.IX Item "-derive"
+derive a shared secret using the peer key.
+.IP "\fB\-hexdump\fR" 4
+.IX Item "-hexdump"
+hex dump the output data.
+.IP "\fB\-asn1parse\fR" 4
+.IX Item "-asn1parse"
+asn1parse the output data, this is useful when combined with the
+\&\fB\-verifyrecover\fR option when an \s-1ASN1\s0 structure is signed.
+.SH "NOTES"
+.IX Header "NOTES"
+The operations and options supported vary according to the key algorithm
+and its implementation. The OpenSSL operations and options are indicated below.
+.PP
+Unless otherwise mentioned all algorithms support the \fBdigest:alg\fR option
+which specifies the digest in use for sign, verify and verifyrecover operations.
+The value \fBalg\fR should represent a digest name as used in the
+\&\fIEVP_get_digestbyname()\fR function for example \fBsha1\fR.
+.SH "RSA ALGORITHM"
+.IX Header "RSA ALGORITHM"
+The \s-1RSA\s0 algorithm supports encrypt, decrypt, sign, verify and verifyrecover
+operations in general. Some padding modes only support some of these 
+operations however.
+.IP "\-\fBrsa_padding_mode:mode\fR" 4
+.IX Item "-rsa_padding_mode:mode"
+This sets the \s-1RSA\s0 padding mode. Acceptable values for \fBmode\fR are \fBpkcs1\fR for
+PKCS#1 padding, \fBsslv23\fR for SSLv23 padding, \fBnone\fR for no padding, \fBoaep\fR
+for \fB\s-1OAEP\s0\fR mode, \fBx931\fR for X9.31 mode and \fBpss\fR for \s-1PSS\s0.
+.Sp
+In PKCS#1 padding if the message digest is not set then the supplied data is 
+signed or verified directly instead of using a \fBDigestInfo\fR structure. If a
+digest is set then the a \fBDigestInfo\fR structure is used and its the length
+must correspond to the digest type.
+.Sp
+For \fBoeap\fR mode only encryption and decryption is supported.
+.Sp
+For \fBx931\fR if the digest type is set it is used to format the block data
+otherwise the first byte is used to specify the X9.31 digest \s-1ID\s0. Sign,
+verify and verifyrecover are can be performed in this mode.
+.Sp
+For \fBpss\fR mode only sign and verify are supported and the digest type must be
+specified.
+.IP "\fBrsa_pss_saltlen:len\fR" 4
+.IX Item "rsa_pss_saltlen:len"
+For \fBpss\fR mode only this option specifies the salt length. Two special values
+are supported: \-1 sets the salt length to the digest length. When signing \-2
+sets the salt length to the maximum permissible value. When verifying \-2 causes
+the salt length to be automatically determined based on the \fB\s-1PSS\s0\fR block
+structure.
+.SH "DSA ALGORITHM"
+.IX Header "DSA ALGORITHM"
+The \s-1DSA\s0 algorithm supports signing and verification operations only. Currently
+there are no additional options other than \fBdigest\fR. Only the \s-1SHA1\s0
+digest can be used and this digest is assumed by default.
+.SH "DH ALGORITHM"
+.IX Header "DH ALGORITHM"
+The \s-1DH\s0 algorithm only supports the derivation operation and no additional
+options.
+.SH "EC ALGORITHM"
+.IX Header "EC ALGORITHM"
+The \s-1EC\s0 algorithm supports sign, verify and derive operations. The sign and
+verify operations use \s-1ECDSA\s0 and derive uses \s-1ECDH\s0. Currently there are no
+additional options other than \fBdigest\fR. Only the \s-1SHA1\s0 digest can be used and
+this digest is assumed by default.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Sign some data using a private key:
+.PP
+.Vb 1
+\& openssl pkeyutl \-sign \-in file \-inkey key.pem \-out sig
+.Ve
+.PP
+Recover the signed data (e.g. if an \s-1RSA\s0 key is used):
+.PP
+.Vb 1
+\& openssl pkeyutl \-verifyrecover \-in sig \-inkey key.pem
+.Ve
+.PP
+Verify the signature (e.g. a \s-1DSA\s0 key):
+.PP
+.Vb 1
+\& openssl pkeyutl \-verify \-in file \-sigfile sig \-inkey key.pem
+.Ve
+.PP
+Sign data using a message digest value (this is currently only valid for \s-1RSA\s0):
+.PP
+.Vb 1
+\& openssl pkeyutl \-sign \-in file \-inkey key.pem \-out sig \-pkeyopt digest:sha256
+.Ve
+.PP
+Derive a shared secret value:
+.PP
+.Vb 1
+\& openssl pkeyutl \-derive \-inkey key.pem \-peerkey pubkey.pem \-out secret
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIgenpkey\fR\|(1), \fIpkey\fR\|(1), \fIrsautl\fR\|(1)
+\&\fIdgst\fR\|(1), \fIrsa\fR\|(1), \fIgenrsa\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/rand.1 b/secure/usr.bin/openssl/man/rand.1
index bbed733..17dbe56 100644
--- a/secure/usr.bin/openssl/man/rand.1
+++ b/secure/usr.bin/openssl/man/rand.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RAND 1"
-.TH RAND 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH RAND 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/req.1 b/secure/usr.bin/openssl/man/req.1
index e23d286..d46412f 100644
--- a/secure/usr.bin/openssl/man/req.1
+++ b/secure/usr.bin/openssl/man/req.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "REQ 1"
-.TH REQ 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH REQ 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -148,12 +148,13 @@ req \- PKCS#10 certificate request and certificate generating utility.
 [\fB\-new\fR]
 [\fB\-rand file(s)\fR]
 [\fB\-newkey rsa:bits\fR]
-[\fB\-newkey dsa:file\fR]
+[\fB\-newkey alg:file\fR]
 [\fB\-nodes\fR]
 [\fB\-key filename\fR]
 [\fB\-keyform PEM|DER\fR]
 [\fB\-keyout filename\fR]
-[\fB\-[md5|sha1|md2|mdc2]\fR]
+[\fB\-keygen_engine id\fR]
+[\fB\-[digest]\fR]
 [\fB\-config filename\fR]
 [\fB\-subj arg\fR]
 [\fB\-multivalue\-rdn\fR]
@@ -161,11 +162,15 @@ req \- PKCS#10 certificate request and certificate generating utility.
 [\fB\-days n\fR]
 [\fB\-set_serial n\fR]
 [\fB\-asn1\-kludge\fR]
+[\fB\-no\-asn1\-kludge\fR]
 [\fB\-newhdr\fR]
 [\fB\-extensions section\fR]
 [\fB\-reqexts section\fR]
 [\fB\-utf8\fR]
 [\fB\-nameopt\fR]
+[\fB\-reqopt\fR]
+[\fB\-subject\fR]
+[\fB\-subj arg\fR]
 [\fB\-batch\fR]
 [\fB\-verbose\fR]
 [\fB\-engine id\fR]
@@ -206,6 +211,10 @@ see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\f
 .IP "\fB\-text\fR" 4
 .IX Item "-text"
 prints out the certificate request in text form.
+.IP "\fB\-subject\fR" 4
+.IX Item "-subject"
+prints out the request subject (or certificate subject if \fB\-x509\fR is
+specified)
 .IP "\fB\-pubkey\fR" 4
 .IX Item "-pubkey"
 outputs the public key.
@@ -228,6 +237,12 @@ in the configuration file and any requested extensions.
 .Sp
 If the \fB\-key\fR option is not used it will generate a new \s-1RSA\s0 private
 key using information specified in the configuration file.
+.IP "\fB\-subj arg\fR" 4
+.IX Item "-subj arg"
+Replaces subject field of input request with specified data and outputs
+modified request. The arg must be formatted as
+\&\fI/type0=value0/type1=value1/type2=...\fR,
+characters may be escaped by \e (backslash), no spaces are skipped.
 .IP "\fB\-rand file(s)\fR" 4
 .IX Item "-rand file(s)"
 a file or files containing random data used to seed the random number
@@ -238,10 +253,33 @@ all others.
 .IP "\fB\-newkey arg\fR" 4
 .IX Item "-newkey arg"
 this option creates a new certificate request and a new private
-key. The argument takes one of two forms. \fBrsa:nbits\fR, where
+key. The argument takes one of several forms. \fBrsa:nbits\fR, where
 \&\fBnbits\fR is the number of bits, generates an \s-1RSA\s0 key \fBnbits\fR
-in size. \fBdsa:filename\fR generates a \s-1DSA\s0 key using the parameters
-in the file \fBfilename\fR.
+in size. If \fBnbits\fR is omitted, i.e. \fB\-newkey rsa\fR specified,
+the default key size, specified in the configuration file is used.
+.Sp
+All other algorithms support the \fB\-newkey alg:file\fR form, where file may be
+an algorithm parameter file, created by the \fBgenpkey \-genparam\fR command
+or and X.509 certificate for a key with approriate algorithm.
+.Sp
+\&\fBparam:file\fR generates a key using the parameter file or certificate \fBfile\fR,
+the algorithm is determined by the parameters. \fBalgname:file\fR use algorithm
+\&\fBalgname\fR and parameter file \fBfile\fR: the two algorithms must match or an
+error occurs. \fBalgname\fR just uses algorithm \fBalgname\fR, and parameters,
+if neccessary should be specified via \fB\-pkeyopt\fR parameter.
+.Sp
+\&\fBdsa:filename\fR generates a \s-1DSA\s0 key using the parameters
+in the file \fBfilename\fR. \fBec:filename\fR generates \s-1EC\s0 key (usable both with
+\&\s-1ECDSA\s0 or \s-1ECDH\s0 algorithms), \fBgost2001:filename\fR generates \s-1GOST\s0 R
+34.10\-2001 key (requires \fBccgost\fR engine configured in the configuration
+file). If just \fBgost2001\fR is specified a parameter set should be
+specified by \fB\-pkeyopt paramset:X\fR
+.IP "\fB\-pkeyopt opt:value\fR" 4
+.IX Item "-pkeyopt opt:value"
+set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of
+options supported depends on the public key algorithm used and its
+implementation. See \fB\s-1KEY\s0 \s-1GENERATION\s0 \s-1OPTIONS\s0\fR in the \fBgenpkey\fR manual page
+for more details.
 .IP "\fB\-key filename\fR" 4
 .IX Item "-key filename"
 This specifies the file to read the private key from. It also
@@ -259,11 +297,15 @@ configuration file is used.
 .IX Item "-nodes"
 if this option is specified then if a private key is created it
 will not be encrypted.
-.IP "\fB\-[md5|sha1|md2|mdc2]\fR" 4
-.IX Item "-[md5|sha1|md2|mdc2]"
-this specifies the message digest to sign the request with. This
-overrides the digest algorithm specified in the configuration file.
-This option is ignored for \s-1DSA\s0 requests: they always use \s-1SHA1\s0.
+.IP "\fB\-[digest]\fR" 4
+.IX Item "-[digest]"
+this specifies the message digest to sign the request with (such as
+\&\fB\-md5\fR, \fB\-sha1\fR). This overrides the digest algorithm specified in
+the configuration file.
+.Sp
+Some public key algorithms may override this choice. For instance, \s-1DSA\s0
+signatures always use \s-1SHA1\s0, \s-1GOST\s0 R 34.10 signatures always use
+\&\s-1GOST\s0 R 34.11\-94 (\fB\-md_gost94\fR).
 .IP "\fB\-config filename\fR" 4
 .IX Item "-config filename"
 this allows an alternative configuration file to be specified,
@@ -323,6 +365,13 @@ option which determines how the subject or issuer names are displayed. The
 \&\fBoption\fR argument can be a single option or multiple options separated by
 commas.  Alternatively the \fB\-nameopt\fR switch may be used more than once to
 set multiple options. See the \fIx509\fR\|(1) manual page for details.
+.IP "\fB\-reqopt\fR" 4
+.IX Item "-reqopt"
+customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be
+a single option or multiple options separated by commas.
+.Sp
+See discission of the  \fB\-certopt\fR parameter in the \fBx509\fR
+command.
 .IP "\fB\-asn1\-kludge\fR" 4
 .IX Item "-asn1-kludge"
 by default the \fBreq\fR command outputs certificate requests containing
@@ -337,6 +386,9 @@ empty \fB\s-1SET\s0 \s-1OF\s0\fR. The invalid form does not include the empty
 \&\fB\s-1SET\s0 \s-1OF\s0\fR whereas the correct form does.
 .Sp
 It should be noted that very few CAs still require the use of this option.
+.IP "\fB\-no\-asn1\-kludge\fR" 4
+.IX Item "-no-asn1-kludge"
+Reverses effect of \fB\-asn1\-kludge\fR
 .IP "\fB\-newhdr\fR" 4
 .IX Item "-newhdr"
 Adds the word \fB\s-1NEW\s0\fR to the \s-1PEM\s0 file header and footer lines on the outputed
@@ -349,10 +401,14 @@ non-interactive mode.
 print extra details about the operations being performed.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBreq\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
+.IP "\fB\-keygen_engine id\fR" 4
+.IX Item "-keygen_engine id"
+specifies an engine (by its unique \fBid\fR string) which would be used
+for key generation operations.
 .SH "CONFIGURATION FILE FORMAT"
 .IX Header "CONFIGURATION FILE FORMAT"
 The configuration options are specified in the \fBreq\fR section of
@@ -421,7 +477,9 @@ problems with BMPStrings and UTF8Strings: in particular Netscape.
 .IX Item "req_extensions"
 this specifies the configuration file section containing a list of
 extensions to add to the certificate request. It can be overridden
-by the \fB\-reqexts\fR command line switch.
+by the \fB\-reqexts\fR command line switch. See the 
+\&\fIx509v3_config\fR\|(5) manual page for details of the
+extension section format.
 .IP "\fBx509_extensions\fR" 4
 .IX Item "x509_extensions"
 this specifies the configuration file section containing a list of
@@ -698,4 +756,5 @@ address in subjectAltName should be input by the user.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIx509\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1),
-\&\fIgendsa\fR\|(1), \fIconfig\fR\|(5)
+\&\fIgendsa\fR\|(1), \fIconfig\fR\|(5),
+\&\fIx509v3_config\fR\|(5)
diff --git a/secure/usr.bin/openssl/man/rsa.1 b/secure/usr.bin/openssl/man/rsa.1
index 96ca9ad..524db11 100644
--- a/secure/usr.bin/openssl/man/rsa.1
+++ b/secure/usr.bin/openssl/man/rsa.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSA 1"
-.TH RSA 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH RSA 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -228,7 +228,7 @@ key will be output instead. This option is automatically set if
 the input is a public key.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBrsa\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/secure/usr.bin/openssl/man/rsautl.1 b/secure/usr.bin/openssl/man/rsautl.1
index 0636a24..10c2440 100644
--- a/secure/usr.bin/openssl/man/rsautl.1
+++ b/secure/usr.bin/openssl/man/rsautl.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "RSAUTL 1"
-.TH RSAUTL 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH RSAUTL 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1
index 9da80bc..9df5590 100644
--- a/secure/usr.bin/openssl/man/s_client.1
+++ b/secure/usr.bin/openssl/man/s_client.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "S_CLIENT 1"
-.TH S_CLIENT 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH S_CLIENT 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -214,6 +214,10 @@ also used when building the client certificate chain.
 .IX Item "-CAfile file"
 A file containing trusted certificates to use during server authentication
 and to use when attempting to build the client certificate chain.
+.IP "\fB\-purpose, \-ignore_critical, \-issuer_checks, \-crl_check, \-crl_check_all, \-policy_check, \-extended_crl, \-x509_strict, \-policy \-check_ss_sig\fR" 4
+.IX Item "-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig"
+Set various certificate chain valiadition option. See the
+\&\fBverify\fR manual page for details.
 .IP "\fB\-reconnect\fR" 4
 .IX Item "-reconnect"
 reconnects to the same server 5 times using the same session \s-1ID\s0, this can
@@ -262,6 +266,14 @@ input.
 .IX Item "-quiet"
 inhibit printing of session and certificate information.  This implicitly
 turns on \fB\-ign_eof\fR as well.
+.IP "\fB\-psk_identity identity\fR" 4
+.IX Item "-psk_identity identity"
+Use the \s-1PSK\s0 identity \fBidentity\fR when using a \s-1PSK\s0 cipher suite.
+.IP "\fB\-psk key\fR" 4
+.IX Item "-psk key"
+Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key is
+given as a hexadecimal number without leading 0x, for example \-psk
+1a2b3c4d.
 .IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4
 .IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1"
 these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
@@ -289,13 +301,10 @@ send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication.
 supported keywords are \*(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", and \*(L"ftp\*(R".
 .IP "\fB\-tlsextdebug\fR" 4
 .IX Item "-tlsextdebug"
-print out a hex dump of any \s-1TLS\s0 extensions received from the server. Note: this
-option is only available if extension support is explicitly enabled at compile
-time
+print out a hex dump of any \s-1TLS\s0 extensions received from the server.
 .IP "\fB\-no_ticket\fR" 4
 .IX Item "-no_ticket"
-disable RFC4507bis session ticket support. Note: this option is only available
-if extension support is explicitly enabled at compile time
+disable RFC4507bis session ticket support.
 .IP "\fB\-sess_out filename\fR" 4
 .IX Item "-sess_out filename"
 output \s-1SSL\s0 session to \fBfilename\fR
@@ -305,7 +314,7 @@ load \s-1SSL\s0 session from \fBfilename\fR. The client will attempt to resume a
 connection from this session.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBs_client\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBs_client\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -363,9 +372,6 @@ If there are problems verifying a server certificate then the
 Since the SSLv23 client hello cannot include compression methods or extensions
 these will only be supported if its use is disabled, for example by using the
 \&\fB\-no_sslv2\fR option.
-.PP
-\&\s-1TLS\s0 extensions are only supported in OpenSSL 0.9.8 if they are explictly
-enabled at compile time using for example the \fBenable-tlsext\fR switch.
 .SH "BUGS"
 .IX Header "BUGS"
 Because this program has a lot of options and also because some of
diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1
index 67fac18..1fbc480 100644
--- a/secure/usr.bin/openssl/man/s_server.1
+++ b/secure/usr.bin/openssl/man/s_server.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "S_SERVER 1"
-.TH S_SERVER 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH S_SERVER 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -289,6 +289,14 @@ this option translated a line feed from the terminal into \s-1CR+LF\s0.
 .IP "\fB\-quiet\fR" 4
 .IX Item "-quiet"
 inhibit printing of session and certificate information.
+.IP "\fB\-psk_hint hint\fR" 4
+.IX Item "-psk_hint hint"
+Use the \s-1PSK\s0 identity hint \fBhint\fR when using a \s-1PSK\s0 cipher suite.
+.IP "\fB\-psk key\fR" 4
+.IX Item "-psk key"
+Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key is
+given as a hexadecimal number without leading 0x, for example \-psk
+1a2b3c4d.
 .IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4
 .IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1"
 these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
@@ -335,7 +343,7 @@ assumed to contain a complete and correct \s-1HTTP\s0 response (lines that
 are part of the \s-1HTTP\s0 response line and headers must end with \s-1CRLF\s0).
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBs_server\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBs_server\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -399,9 +407,6 @@ is strictly speaking a protocol violation, some \s-1SSL\s0 clients interpret thi
 mean any \s-1CA\s0 is acceptable. This is useful for debugging purposes.
 .PP
 The session parameters can printed out using the \fBsess_id\fR program.
-.PP
-\&\s-1TLS\s0 extensions are only supported in OpenSSL 0.9.8 if they are explictly
-enabled at compile time using for example the \fBenable-tlsext\fR switch.
 .SH "BUGS"
 .IX Header "BUGS"
 Because this program has a lot of options and also because some of
diff --git a/secure/usr.bin/openssl/man/s_time.1 b/secure/usr.bin/openssl/man/s_time.1
index 5f0dff3..94b0fdd 100644
--- a/secure/usr.bin/openssl/man/s_time.1
+++ b/secure/usr.bin/openssl/man/s_time.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "S_TIME 1"
-.TH S_TIME 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH S_TIME 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/sess_id.1 b/secure/usr.bin/openssl/man/sess_id.1
index b70b292..6e6e1d9 100644
--- a/secure/usr.bin/openssl/man/sess_id.1
+++ b/secure/usr.bin/openssl/man/sess_id.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SESS_ID 1"
-.TH SESS_ID 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH SESS_ID 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/smime.1 b/secure/usr.bin/openssl/man/smime.1
index 2c3f91b..d313abd 100644
--- a/secure/usr.bin/openssl/man/smime.1
+++ b/secure/usr.bin/openssl/man/smime.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SMIME 1"
-.TH SMIME 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH SMIME 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -137,19 +137,10 @@ smime \- S/MIME utility
 [\fB\-encrypt\fR]
 [\fB\-decrypt\fR]
 [\fB\-sign\fR]
+[\fB\-resign\fR]
 [\fB\-verify\fR]
 [\fB\-pk7out\fR]
-[\fB\-des\fR]
-[\fB\-des3\fR]
-[\fB\-rc2\-40\fR]
-[\fB\-rc2\-64\fR]
-[\fB\-rc2\-128\fR]
-[\fB\-aes128\fR]
-[\fB\-aes192\fR]
-[\fB\-aes256\fR]
-[\fB\-camellia128\fR]
-[\fB\-camellia192\fR]
-[\fB\-camellia256\fR]
+[\fB\-[cipher]\fR]
 [\fB\-in file\fR]
 [\fB\-certfile file\fR]
 [\fB\-signer file\fR]
@@ -164,7 +155,11 @@ smime \- S/MIME utility
 [\fB\-from ad\fR]
 [\fB\-subject s\fR]
 [\fB\-text\fR]
+[\fB\-indef\fR]
+[\fB\-noindef\fR]
+[\fB\-stream\fR]
 [\fB\-rand file(s)\fR]
+[\fB\-md digest\fR]
 [cert.pem]...
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
@@ -172,7 +167,7 @@ The \fBsmime\fR command handles S/MIME mail. It can encrypt, decrypt, sign and
 verify S/MIME messages.
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
-There are five operation options that set the type of operation to be performed.
+There are six operation options that set the type of operation to be performed.
 The meaning of the other options varies according to the operation type.
 .IP "\fB\-encrypt\fR" 4
 .IX Item "-encrypt"
@@ -195,6 +190,9 @@ the signed data. Both clear text and opaque signing is supported.
 .IP "\fB\-pk7out\fR" 4
 .IX Item "-pk7out"
 takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure.
+.IP "\fB\-resign\fR" 4
+.IX Item "-resign"
+resign a message: take an existing message and one or more new signers.
 .IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 the input message to be encrypted or signed or the \s-1MIME\s0 message to
@@ -219,6 +217,19 @@ format change this to write \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
 instead. This currently only affects the output format of the PKCS#7
 structure, if no PKCS#7 structure is being output (for example with
 \&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect.
+.IP "\fB\-stream \-indef \-noindef\fR" 4
+.IX Item "-stream -indef -noindef"
+the \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O
+for encoding operations. This permits single pass processing of data without
+the need to hold the entire contents in memory, potentially supporting very
+large files. Streaming is automatically set for S/MIME signing with detached
+data if the output format is \fB\s-1SMIME\s0\fR it is currently off by default for all
+other operations.
+.IP "\fB\-noindef\fR" 4
+.IX Item "-noindef"
+disable streaming I/O where it would produce and indefinite length constructed
+encoding. This option currently has no effect. In future streaming will be
+enabled by default on all relevant operations and this option will disable it.
 .IP "\fB\-content filename\fR" 4
 .IX Item "-content filename"
 This specifies a file containing the detached content, this is only
@@ -241,11 +252,19 @@ a directory containing trusted \s-1CA\s0 certificates, only used with
 \&\fB\-verify\fR. This directory must be a standard certificate directory: that
 is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
 to each certificate.
-.IP "\fB\-des \-des3 \-rc2\-40 \-rc2\-64 \-rc2\-128 \-aes128 \-aes192 \-aes256 \-camellia128 \-camellia192 \-camellia256\fR" 4
-.IX Item "-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256 -camellia128 -camellia192 -camellia256"
-the encryption algorithm to use. \s-1DES\s0 (56 bits), triple \s-1DES\s0 (168 bits),
-40, 64 or 128 bit \s-1RC2\s0, 128, 192 or 256 bit \s-1AES\s0, or 128, 192 or 256 bit Camellia respectively.  If not
-specified 40 bit \s-1RC2\s0 is used. Only used with \fB\-encrypt\fR.
+.IP "\fB\-md digest\fR" 4
+.IX Item "-md digest"
+digest algorithm to use when signing or resigning. If not present then the
+default digest algorithm for the signing key will be used (usually \s-1SHA1\s0).
+.IP "\fB\-[cipher]\fR" 4
+.IX Item "-[cipher]"
+the encryption algorithm to use. For example \s-1DES\s0  (56 bits) \- \fB\-des\fR,
+triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR,
+\&\fIEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for 
+example \fB\-aes_128_cbc\fR. See \fBenc\fR for list of ciphers
+supported by your version of OpenSSL.
+.Sp
+If not specified 40 bit \s-1RC2\s0 is used. Only used with \fB\-encrypt\fR.
 .IP "\fB\-nointern\fR" 4
 .IX Item "-nointern"
 when verifying a message normally certificates (if any) included in
@@ -292,9 +311,10 @@ be included with the message. When verifying these will be searched for
 the signers certificates. The certificates should be in \s-1PEM\s0 format.
 .IP "\fB\-signer file\fR" 4
 .IX Item "-signer file"
-the signers certificate when signing a message. If a message is
-being verified then the signers certificates will be written to this
-file if the verification was successful.
+a signing certificate when signing or resigning a message, this option can be
+used multiple times if more than one signer is required. If a message is being
+verified then the signers certificates will be written to this file if the
+verification was successful.
 .IP "\fB\-recip file\fR" 4
 .IX Item "-recip file"
 the recipients certificate when decrypting a message. This certificate
@@ -304,7 +324,8 @@ must match one of the recipients of the message or an error occurs.
 the private key to use when signing or decrypting. This must match the
 corresponding certificate. If this option is not specified then the
 private key must be included in the certificate file specified with
-the \fB\-recip\fR or \fB\-signer\fR file.
+the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used
+multiple times to specify successive keys.
 .IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the private key password source. For more information about the format of \fBarg\fR
@@ -326,6 +347,10 @@ the relevant mail headers. These are included outside the signed
 portion of a message so they may be included manually. If signing
 then many S/MIME mail clients check the signers certificate's email
 address matches that specified in the From: address.
+.IP "\fB\-purpose, \-ignore_critical, \-issuer_checks, \-crl_check, \-crl_check_all, \-policy_check, \-extended_crl, \-x509_strict, \-policy \-check_ss_sig\fR" 4
+.IX Item "-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig"
+Set various options of certificate chain verification. See
+\&\fBverify\fR manual page for details.
 .SH "NOTES"
 .IX Header "NOTES"
 The \s-1MIME\s0 message must be sent without any blank lines between the
@@ -350,6 +375,19 @@ messages \*(L"in parallel\*(R" by signing an already signed message.
 The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME
 clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7
 encrypted data is used for other purposes.
+.PP
+The \fB\-resign\fR option uses an existing message digest when adding a new
+signer. This means that attributes must be present in at least one existing
+signer using the same message digest or this operation will fail.
+.PP
+The \fB\-stream\fR and \fB\-indef\fR options enable experimental streaming I/O support.
+As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding
+and no longer \s-1DER\s0. Streaming is supported for the \fB\-encrypt\fR operation and the
+\&\fB\-sign\fR operation if the content is not detached.
+.PP
+Streaming is always used for the \fB\-sign\fR operation with detached data but
+since the content is no longer part of the PKCS#7 structure the encoding
+remains \s-1DER\s0.
 .SH "EXIT CODES"
 .IX Header "EXIT CODES"
 .IP "0" 4
@@ -380,7 +418,7 @@ Create a cleartext signed message:
 \&        \-signer mycert.pem
 .Ve
 .PP
-Create and opaque signed message:
+Create an opaque signed message:
 .PP
 .Vb 2
 \& openssl smime \-sign \-in message.txt \-text \-out mail.msg \-nodetach \e
@@ -395,6 +433,13 @@ read the private key from another file:
 \&        \-signer mycert.pem \-inkey mykey.pem \-certfile mycerts.pem
 .Ve
 .PP
+Create a signed message with two signers:
+.PP
+.Vb 2
+\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \e
+\&        \-signer mycert.pem \-signer othercert.pem
+.Ve
+.PP
 Send a signed message under Unix directly to sendmail, including headers:
 .PP
 .Vb 3
@@ -426,8 +471,8 @@ Sign and encrypt mail:
 \&        \-subject "Signed and Encrypted message" \-des3 user.pem
 .Ve
 .PP
-Note: the encryption command does not include the \fB\-text\fR option because the message
-being encrypted already has \s-1MIME\s0 headers.
+Note: the encryption command does not include the \fB\-text\fR option because the
+message being encrypted already has \s-1MIME\s0 headers.
 .PP
 Decrypt mail:
 .PP
@@ -462,16 +507,24 @@ Create an encrypted message using 128 bit Camellia:
 .Vb 1
 \& openssl smime \-encrypt \-in plain.txt \-camellia128 \-out mail.msg cert.pem
 .Ve
+.PP
+Add a signer to an existing message:
+.PP
+.Vb 1
+\& openssl smime \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg
+.Ve
 .SH "BUGS"
 .IX Header "BUGS"
-The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've thrown
-at it but it may choke on others.
+The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've
+thrown at it but it may choke on others.
 .PP
-The code currently will only write out the signer's certificate to a file: if the
-signer has a separate encryption certificate this must be manually extracted. There
-should be some heuristic that determines the correct encryption certificate.
+The code currently will only write out the signer's certificate to a file: if
+the signer has a separate encryption certificate this must be manually
+extracted. There should be some heuristic that determines the correct
+encryption certificate.
 .PP
-Ideally a database should be maintained of a certificates for each email address.
+Ideally a database should be maintained of a certificates for each email
+address.
 .PP
 The code doesn't currently take note of the permitted symmetric encryption
 algorithms as supplied in the SMIMECapabilities signed attribute. This means the
@@ -482,3 +535,7 @@ No revocation checking is done on the signer's certificate.
 .PP
 The current code can only handle S/MIME v2 messages, the more complex S/MIME v3
 structures may cause parsing errors.
+.SH "HISTORY"
+.IX Header "HISTORY"
+The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first
+added in OpenSSL 1.0.0
diff --git a/secure/usr.bin/openssl/man/speed.1 b/secure/usr.bin/openssl/man/speed.1
index 9753718..55db20f 100644
--- a/secure/usr.bin/openssl/man/speed.1
+++ b/secure/usr.bin/openssl/man/speed.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SPEED 1"
-.TH SPEED 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH SPEED 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -167,7 +167,7 @@ This command is used to test the performance of cryptographic algorithms.
 .IX Header "OPTIONS"
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBspeed\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBspeed\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/secure/usr.bin/openssl/man/spkac.1 b/secure/usr.bin/openssl/man/spkac.1
index 7e1601c..15c6a52 100644
--- a/secure/usr.bin/openssl/man/spkac.1
+++ b/secure/usr.bin/openssl/man/spkac.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SPKAC 1"
-.TH SPKAC 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH SPKAC 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -194,7 +194,7 @@ being created).
 verifies the digital signature on the supplied \s-1SPKAC\s0.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBspkac\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/secure/usr.bin/openssl/man/ts.1 b/secure/usr.bin/openssl/man/ts.1
new file mode 100644
index 0000000..0554913
--- /dev/null
+++ b/secure/usr.bin/openssl/man/ts.1
@@ -0,0 +1,649 @@
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.22)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.el \{\
+.    de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "TS 1"
+.TH TS 1 "2012-05-10" "1.0.1c" "OpenSSL"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+ts \- Time Stamping Authority tool (client/server)
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBts\fR
+\&\fB\-query\fR
+[\fB\-rand\fR file:file...]
+[\fB\-config\fR configfile]
+[\fB\-data\fR file_to_hash]
+[\fB\-digest\fR digest_bytes]
+[\fB\-md2\fR|\fB\-md4\fR|\fB\-md5\fR|\fB\-sha\fR|\fB\-sha1\fR|\fB\-mdc2\fR|\fB\-ripemd160\fR|\fB...\fR]
+[\fB\-policy\fR object_id]
+[\fB\-no_nonce\fR]
+[\fB\-cert\fR]
+[\fB\-in\fR request.tsq]
+[\fB\-out\fR request.tsq]
+[\fB\-text\fR]
+.PP
+\&\fBopenssl\fR \fBts\fR
+\&\fB\-reply\fR
+[\fB\-config\fR configfile]
+[\fB\-section\fR tsa_section]
+[\fB\-queryfile\fR request.tsq]
+[\fB\-passin\fR password_src]
+[\fB\-signer\fR tsa_cert.pem]
+[\fB\-inkey\fR private.pem]
+[\fB\-chain\fR certs_file.pem]
+[\fB\-policy\fR object_id]
+[\fB\-in\fR response.tsr]
+[\fB\-token_in\fR]
+[\fB\-out\fR response.tsr]
+[\fB\-token_out\fR]
+[\fB\-text\fR]
+[\fB\-engine\fR id]
+.PP
+\&\fBopenssl\fR \fBts\fR
+\&\fB\-verify\fR
+[\fB\-data\fR file_to_hash]
+[\fB\-digest\fR digest_bytes]
+[\fB\-queryfile\fR request.tsq]
+[\fB\-in\fR response.tsr]
+[\fB\-token_in\fR]
+[\fB\-CApath\fR trusted_cert_path]
+[\fB\-CAfile\fR trusted_certs.pem]
+[\fB\-untrusted\fR cert_file.pem]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBts\fR command is a basic Time Stamping Authority (\s-1TSA\s0) client and server
+application as specified in \s-1RFC\s0 3161 (Time-Stamp Protocol, \s-1TSP\s0). A
+\&\s-1TSA\s0 can be part of a \s-1PKI\s0 deployment and its role is to provide long
+term proof of the existence of a certain datum before a particular
+time. Here is a brief description of the protocol:
+.IP "1." 4
+The \s-1TSA\s0 client computes a one-way hash value for a data file and sends
+the hash to the \s-1TSA\s0.
+.IP "2." 4
+The \s-1TSA\s0 attaches the current date and time to the received hash value,
+signs them and sends the time stamp token back to the client. By
+creating this token the \s-1TSA\s0 certifies the existence of the original
+data file at the time of response generation.
+.IP "3." 4
+The \s-1TSA\s0 client receives the time stamp token and verifies the
+signature on it. It also checks if the token contains the same hash
+value that it had sent to the \s-1TSA\s0.
+.PP
+There is one \s-1DER\s0 encoded protocol data unit defined for transporting a time
+stamp request to the \s-1TSA\s0 and one for sending the time stamp response
+back to the client. The \fBts\fR command has three main functions:
+creating a time stamp request based on a data file,
+creating a time stamp response based on a request, verifying if a
+response corresponds to a particular request or a data file.
+.PP
+There is no support for sending the requests/responses automatically
+over \s-1HTTP\s0 or \s-1TCP\s0 yet as suggested in \s-1RFC\s0 3161. The users must send the
+requests either by ftp or e\-mail.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.SS "Time Stamp Request generation"
+.IX Subsection "Time Stamp Request generation"
+The \fB\-query\fR switch can be used for creating and printing a time stamp
+request with the following options:
+.IP "\fB\-rand\fR file:file..." 4
+.IX Item "-rand file:file..."
+The files containing random data for seeding the random number
+generator. Multiple files can be specified, the separator is \fB;\fR for
+MS-Windows, \fB,\fR for \s-1VMS\s0 and \fB:\fR for all other platforms. (Optional)
+.IP "\fB\-config\fR configfile" 4
+.IX Item "-config configfile"
+The configuration file to use, this option overrides the
+\&\fB\s-1OPENSSL_CONF\s0\fR environment variable. Only the \s-1OID\s0 section
+of the config file is used with the \fB\-query\fR command. (Optional)
+.IP "\fB\-data\fR file_to_hash" 4
+.IX Item "-data file_to_hash"
+The data file for which the time stamp request needs to be
+created. stdin is the default if neither the \fB\-data\fR nor the \fB\-digest\fR
+parameter is specified. (Optional)
+.IP "\fB\-digest\fR digest_bytes" 4
+.IX Item "-digest digest_bytes"
+It is possible to specify the message imprint explicitly without the data
+file. The imprint must be specified in a hexadecimal format, two characters
+per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or
+1AF601...). The number of bytes must match the message digest algorithm 
+in use. (Optional)
+.IP "\fB\-md2\fR|\fB\-md4\fR|\fB\-md5\fR|\fB\-sha\fR|\fB\-sha1\fR|\fB\-mdc2\fR|\fB\-ripemd160\fR|\fB...\fR" 4
+.IX Item "-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160|..."
+The message digest to apply to the data file, it supports all the message
+digest algorithms that are supported by the openssl \fBdgst\fR command.
+The default is \s-1SHA\-1\s0. (Optional)
+.IP "\fB\-policy\fR object_id" 4
+.IX Item "-policy object_id"
+The policy that the client expects the \s-1TSA\s0 to use for creating the
+time stamp token. Either the dotted \s-1OID\s0 notation or \s-1OID\s0 names defined
+in the config file can be used. If no policy is requested the \s-1TSA\s0 will
+use its own default policy. (Optional)
+.IP "\fB\-no_nonce\fR" 4
+.IX Item "-no_nonce"
+No nonce is specified in the request if this option is
+given. Otherwise a 64 bit long pseudo-random none is
+included in the request. It is recommended to use nonce to
+protect against replay-attacks. (Optional)
+.IP "\fB\-cert\fR" 4
+.IX Item "-cert"
+The \s-1TSA\s0 is expected to include its signing certificate in the
+response. (Optional)
+.IP "\fB\-in\fR request.tsq" 4
+.IX Item "-in request.tsq"
+This option specifies a previously created time stamp request in \s-1DER\s0
+format that will be printed into the output file. Useful when you need
+to examine the content of a request in human-readable
+.Sp
+format. (Optional)
+.IP "\fB\-out\fR request.tsq" 4
+.IX Item "-out request.tsq"
+Name of the output file to which the request will be written. Default
+is stdout. (Optional)
+.IP "\fB\-text\fR" 4
+.IX Item "-text"
+If this option is specified the output is human-readable text format
+instead of \s-1DER\s0. (Optional)
+.SS "Time Stamp Response generation"
+.IX Subsection "Time Stamp Response generation"
+A time stamp response (TimeStampResp) consists of a response status
+and the time stamp token itself (ContentInfo), if the token generation was
+successful. The \fB\-reply\fR command is for creating a time stamp
+response or time stamp token based on a request and printing the
+response/token in human-readable format. If \fB\-token_out\fR is not
+specified the output is always a time stamp response (TimeStampResp),
+otherwise it is a time stamp token (ContentInfo).
+.IP "\fB\-config\fR configfile" 4
+.IX Item "-config configfile"
+The configuration file to use, this option overrides the
+\&\fB\s-1OPENSSL_CONF\s0\fR environment variable. See \fB\s-1CONFIGURATION\s0 \s-1FILE\s0
+\&\s-1OPTIONS\s0\fR for configurable variables. (Optional)
+.IP "\fB\-section\fR tsa_section" 4
+.IX Item "-section tsa_section"
+The name of the config file section conatining the settings for the
+response generation. If not specified the default \s-1TSA\s0 section is
+used, see \fB\s-1CONFIGURATION\s0 \s-1FILE\s0 \s-1OPTIONS\s0\fR for details. (Optional)
+.IP "\fB\-queryfile\fR request.tsq" 4
+.IX Item "-queryfile request.tsq"
+The name of the file containing a \s-1DER\s0 encoded time stamp request. (Optional)
+.IP "\fB\-passin\fR password_src" 4
+.IX Item "-passin password_src"
+Specifies the password source for the private key of the \s-1TSA\s0. See
+\&\fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR in \fIopenssl\fR\|(1). (Optional)
+.IP "\fB\-signer\fR tsa_cert.pem" 4
+.IX Item "-signer tsa_cert.pem"
+The signer certificate of the \s-1TSA\s0 in \s-1PEM\s0 format. The \s-1TSA\s0 signing
+certificate must have exactly one extended key usage assigned to it:
+timeStamping. The extended key usage must also be critical, otherwise
+the certificate is going to be refused. Overrides the \fBsigner_cert\fR
+variable of the config file. (Optional)
+.IP "\fB\-inkey\fR private.pem" 4
+.IX Item "-inkey private.pem"
+The signer private key of the \s-1TSA\s0 in \s-1PEM\s0 format. Overrides the
+\&\fBsigner_key\fR config file option. (Optional)
+.IP "\fB\-chain\fR certs_file.pem" 4
+.IX Item "-chain certs_file.pem"
+The collection of certificates in \s-1PEM\s0 format that will all
+be included in the response in addition to the signer certificate if
+the \fB\-cert\fR option was used for the request. This file is supposed to
+contain the certificate chain for the signer certificate from its
+issuer upwards. The \fB\-reply\fR command does not build a certificate
+chain automatically. (Optional)
+.IP "\fB\-policy\fR object_id" 4
+.IX Item "-policy object_id"
+The default policy to use for the response unless the client
+explicitly requires a particular \s-1TSA\s0 policy. The \s-1OID\s0 can be specified
+either in dotted notation or with its name. Overrides the
+\&\fBdefault_policy\fR config file option. (Optional)
+.IP "\fB\-in\fR response.tsr" 4
+.IX Item "-in response.tsr"
+Specifies a previously created time stamp response or time stamp token
+(if \fB\-token_in\fR is also specified) in \s-1DER\s0 format that will be written
+to the output file. This option does not require a request, it is
+useful e.g. when you need to examine the content of a response or
+token or you want to extract the time stamp token from a response. If
+the input is a token and the output is a time stamp response a default
+\&'granted' status info is added to the token. (Optional)
+.IP "\fB\-token_in\fR" 4
+.IX Item "-token_in"
+This flag can be used together with the \fB\-in\fR option and indicates
+that the input is a \s-1DER\s0 encoded time stamp token (ContentInfo) instead
+of a time stamp response (TimeStampResp). (Optional)
+.IP "\fB\-out\fR response.tsr" 4
+.IX Item "-out response.tsr"
+The response is written to this file. The format and content of the
+file depends on other options (see \fB\-text\fR, \fB\-token_out\fR). The default is
+stdout. (Optional)
+.IP "\fB\-token_out\fR" 4
+.IX Item "-token_out"
+The output is a time stamp token (ContentInfo) instead of time stamp
+response (TimeStampResp). (Optional)
+.IP "\fB\-text\fR" 4
+.IX Item "-text"
+If this option is specified the output is human-readable text format
+instead of \s-1DER\s0. (Optional)
+.IP "\fB\-engine\fR id" 4
+.IX Item "-engine id"
+Specifying an engine (by its unique \fBid\fR string) will cause \fBts\fR
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms. Default is builtin. (Optional)
+.SS "Time Stamp Response verification"
+.IX Subsection "Time Stamp Response verification"
+The \fB\-verify\fR command is for verifying if a time stamp response or time
+stamp token is valid and matches a particular time stamp request or
+data file. The \fB\-verify\fR command does not use the configuration file.
+.IP "\fB\-data\fR file_to_hash" 4
+.IX Item "-data file_to_hash"
+The response or token must be verified against file_to_hash. The file
+is hashed with the message digest algorithm specified in the token. 
+The \fB\-digest\fR and \fB\-queryfile\fR options must not be specified with this one.
+(Optional)
+.IP "\fB\-digest\fR digest_bytes" 4
+.IX Item "-digest digest_bytes"
+The response or token must be verified against the message digest specified
+with this option. The number of bytes must match the message digest algorithm
+specified in the token. The \fB\-data\fR and \fB\-queryfile\fR options must not be
+specified with this one. (Optional)
+.IP "\fB\-queryfile\fR request.tsq" 4
+.IX Item "-queryfile request.tsq"
+The original time stamp request in \s-1DER\s0 format. The \fB\-data\fR and \fB\-digest\fR
+options must not be specified with this one. (Optional)
+.IP "\fB\-in\fR response.tsr" 4
+.IX Item "-in response.tsr"
+The time stamp response that needs to be verified in \s-1DER\s0 format. (Mandatory)
+.IP "\fB\-token_in\fR" 4
+.IX Item "-token_in"
+This flag can be used together with the \fB\-in\fR option and indicates
+that the input is a \s-1DER\s0 encoded time stamp token (ContentInfo) instead
+of a time stamp response (TimeStampResp). (Optional)
+.IP "\fB\-CApath\fR trusted_cert_path" 4
+.IX Item "-CApath trusted_cert_path"
+The name of the directory containing the trused \s-1CA\s0 certificates of the
+client. See the similar option of \fIverify\fR\|(1) for additional
+details. Either this option or \fB\-CAfile\fR must be specified. (Optional)
+.IP "\fB\-CAfile\fR trusted_certs.pem" 4
+.IX Item "-CAfile trusted_certs.pem"
+The name of the file containing a set of trusted self-signed \s-1CA\s0 
+certificates in \s-1PEM\s0 format. See the similar option of 
+\&\fIverify\fR\|(1) for additional details. Either this option 
+or \fB\-CApath\fR must be specified.
+(Optional)
+.IP "\fB\-untrusted\fR cert_file.pem" 4
+.IX Item "-untrusted cert_file.pem"
+Set of additional untrusted certificates in \s-1PEM\s0 format which may be
+needed when building the certificate chain for the \s-1TSA\s0's signing
+certificate. This file must contain the \s-1TSA\s0 signing certificate and
+all intermediate \s-1CA\s0 certificates unless the response includes them.
+(Optional)
+.SH "CONFIGURATION FILE OPTIONS"
+.IX Header "CONFIGURATION FILE OPTIONS"
+The \fB\-query\fR and \fB\-reply\fR commands make use of a configuration file
+defined by the \fB\s-1OPENSSL_CONF\s0\fR environment variable. See \fIconfig\fR\|(5)
+for a general description of the syntax of the config file. The
+\&\fB\-query\fR command uses only the symbolic \s-1OID\s0 names section
+and it can work without it. However, the \fB\-reply\fR command needs the
+config file for its operation.
+.PP
+When there is a command line switch equivalent of a variable the
+switch always overrides the settings in the config file.
+.IP "\fBtsa\fR section, \fBdefault_tsa\fR" 4
+.IX Item "tsa section, default_tsa"
+This is the main section and it specifies the name of another section
+that contains all the options for the \fB\-reply\fR command. This default
+section can be overriden with the \fB\-section\fR command line switch. (Optional)
+.IP "\fBoid_file\fR" 4
+.IX Item "oid_file"
+See \fIca\fR\|(1) for description. (Optional)
+.IP "\fBoid_section\fR" 4
+.IX Item "oid_section"
+See \fIca\fR\|(1) for description. (Optional)
+.IP "\fB\s-1RANDFILE\s0\fR" 4
+.IX Item "RANDFILE"
+See \fIca\fR\|(1) for description. (Optional)
+.IP "\fBserial\fR" 4
+.IX Item "serial"
+The name of the file containing the hexadecimal serial number of the
+last time stamp response created. This number is incremented by 1 for
+each response. If the file does not exist at the time of response
+generation a new file is created with serial number 1. (Mandatory)
+.IP "\fBcrypto_device\fR" 4
+.IX Item "crypto_device"
+Specifies the OpenSSL engine that will be set as the default for 
+all available algorithms. The default value is builtin, you can specify 
+any other engines supported by OpenSSL (e.g. use chil for the NCipher \s-1HSM\s0).
+(Optional)
+.IP "\fBsigner_cert\fR" 4
+.IX Item "signer_cert"
+\&\s-1TSA\s0 signing certificate in \s-1PEM\s0 format. The same as the \fB\-signer\fR
+command line option. (Optional)
+.IP "\fBcerts\fR" 4
+.IX Item "certs"
+A file containing a set of \s-1PEM\s0 encoded certificates that need to be
+included in the response. The same as the \fB\-chain\fR command line
+option. (Optional)
+.IP "\fBsigner_key\fR" 4
+.IX Item "signer_key"
+The private key of the \s-1TSA\s0 in \s-1PEM\s0 format. The same as the \fB\-inkey\fR
+command line option. (Optional)
+.IP "\fBdefault_policy\fR" 4
+.IX Item "default_policy"
+The default policy to use when the request does not mandate any
+policy. The same as the \fB\-policy\fR command line option. (Optional)
+.IP "\fBother_policies\fR" 4
+.IX Item "other_policies"
+Comma separated list of policies that are also acceptable by the \s-1TSA\s0
+and used only if the request explicitly specifies one of them. (Optional)
+.IP "\fBdigests\fR" 4
+.IX Item "digests"
+The list of message digest algorithms that the \s-1TSA\s0 accepts. At least
+one algorithm must be specified. (Mandatory)
+.IP "\fBaccuracy\fR" 4
+.IX Item "accuracy"
+The accuracy of the time source of the \s-1TSA\s0 in seconds, milliseconds
+and microseconds. E.g. secs:1, millisecs:500, microsecs:100. If any of
+the components is missing zero is assumed for that field. (Optional)
+.IP "\fBclock_precision_digits\fR" 4
+.IX Item "clock_precision_digits"
+Specifies the maximum number of digits, which represent the fraction of 
+seconds, that  need to be included in the time field. The trailing zeroes
+must be removed from the time, so there might actually be fewer digits,
+or no fraction of seconds at all. Supported only on \s-1UNIX\s0 platforms.
+The maximum value is 6, default is 0.
+(Optional)
+.IP "\fBordering\fR" 4
+.IX Item "ordering"
+If this option is yes the responses generated by this \s-1TSA\s0 can always
+be ordered, even if the time difference between two responses is less
+than the sum of their accuracies. Default is no. (Optional)
+.IP "\fBtsa_name\fR" 4
+.IX Item "tsa_name"
+Set this option to yes if the subject name of the \s-1TSA\s0 must be included in
+the \s-1TSA\s0 name field of the response. Default is no. (Optional)
+.IP "\fBess_cert_id_chain\fR" 4
+.IX Item "ess_cert_id_chain"
+The SignedData objects created by the \s-1TSA\s0 always contain the
+certificate identifier of the signing certificate in a signed
+attribute (see \s-1RFC\s0 2634, Enhanced Security Services). If this option
+is set to yes and either the \fBcerts\fR variable or the \fB\-chain\fR option
+is specified then the certificate identifiers of the chain will also
+be included in the SigningCertificate signed attribute. If this
+variable is set to no, only the signing certificate identifier is
+included. Default is no. (Optional)
+.SH "ENVIRONMENT VARIABLES"
+.IX Header "ENVIRONMENT VARIABLES"
+\&\fB\s-1OPENSSL_CONF\s0\fR contains the path of the configuration file and can be
+overriden by the \fB\-config\fR command line option.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+All the examples below presume that \fB\s-1OPENSSL_CONF\s0\fR is set to a proper
+configuration file, e.g. the example configuration file 
+openssl/apps/openssl.cnf will do.
+.SS "Time Stamp Request"
+.IX Subsection "Time Stamp Request"
+To create a time stamp request for design1.txt with \s-1SHA\-1\s0 
+without nonce and policy and no certificate is required in the response:
+.PP
+.Vb 2
+\&  openssl ts \-query \-data design1.txt \-no_nonce \e
+\&        \-out design1.tsq
+.Ve
+.PP
+To create a similar time stamp request with specifying the message imprint
+explicitly:
+.PP
+.Vb 2
+\&  openssl ts \-query \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e
+\&         \-no_nonce \-out design1.tsq
+.Ve
+.PP
+To print the content of the previous request in human readable format:
+.PP
+.Vb 1
+\&  openssl ts \-query \-in design1.tsq \-text
+.Ve
+.PP
+To create a time stamp request which includes the \s-1MD\-5\s0 digest 
+of design2.txt, requests the signer certificate and nonce,
+specifies a policy id (assuming the tsa_policy1 name is defined in the
+\&\s-1OID\s0 section of the config file):
+.PP
+.Vb 2
+\&  openssl ts \-query \-data design2.txt \-md5 \e
+\&        \-policy tsa_policy1 \-cert \-out design2.tsq
+.Ve
+.SS "Time Stamp Response"
+.IX Subsection "Time Stamp Response"
+Before generating a response a signing certificate must be created for
+the \s-1TSA\s0 that contains the \fBtimeStamping\fR critical extended key usage extension
+without any other key usage extensions. You can add the
+\&'extendedKeyUsage = critical,timeStamping' line to the user certificate section
+of the config file to generate a proper certificate. See \fIreq\fR\|(1),
+\&\fIca\fR\|(1), \fIx509\fR\|(1) for instructions. The examples
+below assume that cacert.pem contains the certificate of the \s-1CA\s0,
+tsacert.pem is the signing certificate issued by cacert.pem and
+tsakey.pem is the private key of the \s-1TSA\s0.
+.PP
+To create a time stamp response for a request:
+.PP
+.Vb 2
+\&  openssl ts \-reply \-queryfile design1.tsq \-inkey tsakey.pem \e
+\&        \-signer tsacert.pem \-out design1.tsr
+.Ve
+.PP
+If you want to use the settings in the config file you could just write:
+.PP
+.Vb 1
+\&  openssl ts \-reply \-queryfile design1.tsq \-out design1.tsr
+.Ve
+.PP
+To print a time stamp reply to stdout in human readable format:
+.PP
+.Vb 1
+\&  openssl ts \-reply \-in design1.tsr \-text
+.Ve
+.PP
+To create a time stamp token instead of time stamp response:
+.PP
+.Vb 1
+\&  openssl ts \-reply \-queryfile design1.tsq \-out design1_token.der \-token_out
+.Ve
+.PP
+To print a time stamp token to stdout in human readable format:
+.PP
+.Vb 1
+\&  openssl ts \-reply \-in design1_token.der \-token_in \-text \-token_out
+.Ve
+.PP
+To extract the time stamp token from a response:
+.PP
+.Vb 1
+\&  openssl ts \-reply \-in design1.tsr \-out design1_token.der \-token_out
+.Ve
+.PP
+To add 'granted' status info to a time stamp token thereby creating a
+valid response:
+.PP
+.Vb 1
+\&  openssl ts \-reply \-in design1_token.der \-token_in \-out design1.tsr
+.Ve
+.SS "Time Stamp Verification"
+.IX Subsection "Time Stamp Verification"
+To verify a time stamp reply against a request:
+.PP
+.Vb 2
+\&  openssl ts \-verify \-queryfile design1.tsq \-in design1.tsr \e
+\&        \-CAfile cacert.pem \-untrusted tsacert.pem
+.Ve
+.PP
+To verify a time stamp reply that includes the certificate chain:
+.PP
+.Vb 2
+\&  openssl ts \-verify \-queryfile design2.tsq \-in design2.tsr \e
+\&        \-CAfile cacert.pem
+.Ve
+.PP
+To verify a time stamp token against the original data file:
+  openssl ts \-verify \-data design2.txt \-in design2.tsr \e
+	\-CAfile cacert.pem
+.PP
+To verify a time stamp token against a message imprint:
+  openssl ts \-verify \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e
+	 \-in design2.tsr \-CAfile cacert.pem
+.PP
+You could also look at the 'test' directory for more examples.
+.SH "BUGS"
+.IX Header "BUGS"
+If you find any bugs or you have suggestions please write to
+Zoltan Glozik <zglozik@opentsa.org>. Known issues:
+.IP "\(bu" 4
+No support for time stamps over \s-1SMTP\s0, though it is quite easy
+to implement an automatic e\-mail based \s-1TSA\s0 with \fIprocmail\fR\|(1) 
+and \fIperl\fR\|(1). \s-1HTTP\s0 server support is provided in the form of 
+a separate apache module. \s-1HTTP\s0 client support is provided by
+\&\fItsget\fR\|(1). Pure \s-1TCP/IP\s0 protocol is not supported.
+.IP "\(bu" 4
+The file containing the last serial number of the \s-1TSA\s0 is not
+locked when being read or written. This is a problem if more than one
+instance of \fIopenssl\fR\|(1) is trying to create a time stamp
+response at the same time. This is not an issue when using the apache
+server module, it does proper locking.
+.IP "\(bu" 4
+Look for the \s-1FIXME\s0 word in the source files.
+.IP "\(bu" 4
+The source code should really be reviewed by somebody else, too.
+.IP "\(bu" 4
+More testing is needed, I have done only some basic tests (see
+test/testtsa).
+.SH "AUTHOR"
+.IX Header "AUTHOR"
+Zoltan Glozik <zglozik@opentsa.org>, OpenTSA project (http://www.opentsa.org)
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fItsget\fR\|(1), \fIopenssl\fR\|(1), \fIreq\fR\|(1), 
+\&\fIx509\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1), 
+\&\fIconfig\fR\|(5)
diff --git a/secure/usr.bin/openssl/man/tsget.1 b/secure/usr.bin/openssl/man/tsget.1
new file mode 100644
index 0000000..89479f5
--- /dev/null
+++ b/secure/usr.bin/openssl/man/tsget.1
@@ -0,0 +1,311 @@
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.22)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.el \{\
+.    de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "TSGET 1"
+.TH TSGET 1 "2012-05-10" "1.0.1c" "OpenSSL"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+tsget \- Time Stamping HTTP/HTTPS client
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBtsget\fR
+\&\fB\-h\fR server_url
+[\fB\-e\fR extension]
+[\fB\-o\fR output]
+[\fB\-v\fR]
+[\fB\-d\fR]
+[\fB\-k\fR private_key.pem]
+[\fB\-p\fR key_password]
+[\fB\-c\fR client_cert.pem]
+[\fB\-C\fR CA_certs.pem]
+[\fB\-P\fR CA_path]
+[\fB\-r\fR file:file...]
+[\fB\-g\fR EGD_socket]
+[request]...
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBtsget\fR command can be used for sending a time stamp request, as
+specified in \fB\s-1RFC\s0 3161\fR, to a time stamp server over \s-1HTTP\s0 or \s-1HTTPS\s0 and storing
+the time stamp response in a file. This tool cannot be used for creating the
+requests and verifying responses, you can use the OpenSSL \fB\f(BIts\fB\|(1)\fR command to
+do that. \fBtsget\fR can send several requests to the server without closing
+the \s-1TCP\s0 connection if more than one requests are specified on the command
+line.
+.PP
+The tool sends the following \s-1HTTP\s0 request for each time stamp request:
+.PP
+.Vb 7
+\&        POST url HTTP/1.1
+\&        User\-Agent: OpenTSA tsget.pl/<version>
+\&        Host: <host>:<port>
+\&        Pragma: no\-cache
+\&        Content\-Type: application/timestamp\-query
+\&        Accept: application/timestamp\-reply
+\&        Content\-Length: length of body
+\&
+\&        ...binary request specified by the user...
+.Ve
+.PP
+\&\fBtsget\fR expects a response of type application/timestamp\-reply, which is
+written to a file without any interpretation.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.IP "\fB\-h\fR server_url" 4
+.IX Item "-h server_url"
+The \s-1URL\s0 of the \s-1HTTP/HTTPS\s0 server listening for time stamp requests.
+.IP "\fB\-e\fR extension" 4
+.IX Item "-e extension"
+If the \fB\-o\fR option is not given this argument specifies the extension of the
+output files. The base name of the output file will be the same as those of
+the input files. Default extension is '.tsr'. (Optional)
+.IP "\fB\-o\fR output" 4
+.IX Item "-o output"
+This option can be specified only when just one request is sent to the
+server. The time stamp response will be written to the given output file. '\-'
+means standard output. In case of multiple time stamp requests or the absence
+of this argument the names of the output files will be derived from the names
+of the input files and the default or specified extension argument. (Optional)
+.IP "\fB\-v\fR" 4
+.IX Item "-v"
+The name of the currently processed request is printed on standard
+error. (Optional)
+.IP "\fB\-d\fR" 4
+.IX Item "-d"
+Switches on verbose mode for the underlying \fBcurl\fR library. You can see
+detailed debug messages for the connection. (Optional)
+.IP "\fB\-k\fR private_key.pem" 4
+.IX Item "-k private_key.pem"
+(\s-1HTTPS\s0) In case of certificate-based client authentication over \s-1HTTPS\s0
+<private_key.pem> must contain the private key of the user. The private key
+file can optionally be protected by a passphrase. The \fB\-c\fR option must also
+be specified. (Optional)
+.IP "\fB\-p\fR key_password" 4
+.IX Item "-p key_password"
+(\s-1HTTPS\s0) Specifies the passphrase for the private key specified by the \fB\-k\fR
+argument. If this option is omitted and the key is passphrase protected \fBtsget\fR
+will ask for it. (Optional)
+.IP "\fB\-c\fR client_cert.pem" 4
+.IX Item "-c client_cert.pem"
+(\s-1HTTPS\s0) In case of certificate-based client authentication over \s-1HTTPS\s0
+<client_cert.pem> must contain the X.509 certificate of the user.  The \fB\-k\fR
+option must also be specified. If this option is not specified no
+certificate-based client authentication will take place. (Optional)
+.IP "\fB\-C\fR CA_certs.pem" 4
+.IX Item "-C CA_certs.pem"
+(\s-1HTTPS\s0) The trusted \s-1CA\s0 certificate store. The certificate chain of the peer's
+certificate must include one of the \s-1CA\s0 certificates specified in this file.
+Either option \fB\-C\fR or option \fB\-P\fR must be given in case of \s-1HTTPS\s0. (Optional)
+.IP "\fB\-P\fR CA_path" 4
+.IX Item "-P CA_path"
+(\s-1HTTPS\s0) The path containing the trusted \s-1CA\s0 certificates to verify the peer's
+certificate. The directory must be prepared with the \fBc_rehash\fR
+OpenSSL utility. Either option \fB\-C\fR or option \fB\-P\fR must be given in case of
+\&\s-1HTTPS\s0. (Optional)
+.IP "\fB\-rand\fR file:file..." 4
+.IX Item "-rand file:file..."
+The files containing random data for seeding the random number
+generator. Multiple files can be specified, the separator is \fB;\fR for
+MS-Windows, \fB,\fR for \s-1VMS\s0 and \fB:\fR for all other platforms. (Optional)
+.IP "\fB\-g\fR EGD_socket" 4
+.IX Item "-g EGD_socket"
+The name of an \s-1EGD\s0 socket to get random data from. (Optional)
+.IP "[request]..." 4
+.IX Item "[request]..."
+List of files containing \fB\s-1RFC\s0 3161\fR DER-encoded time stamp requests. If no
+requests are specifed only one request will be sent to the server and it will be
+read from the standard input. (Optional)
+.SH "ENVIRONMENT VARIABLES"
+.IX Header "ENVIRONMENT VARIABLES"
+The \fB\s-1TSGET\s0\fR environment variable can optionally contain default
+arguments. The content of this variable is added to the list of command line
+arguments.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+The examples below presume that \fBfile1.tsq\fR and \fBfile2.tsq\fR contain valid
+time stamp requests, tsa.opentsa.org listens at port 8080 for \s-1HTTP\s0 requests
+and at port 8443 for \s-1HTTPS\s0 requests, the \s-1TSA\s0 service is available at the /tsa
+absolute path.
+.PP
+Get a time stamp response for file1.tsq over \s-1HTTP\s0, output is written to 
+file1.tsr:
+.PP
+.Vb 1
+\&  tsget \-h http://tsa.opentsa.org:8080/tsa file1.tsq
+.Ve
+.PP
+Get a time stamp response for file1.tsq and file2.tsq over \s-1HTTP\s0 showing
+progress, output is written to file1.reply and file2.reply respectively:
+.PP
+.Vb 2
+\&  tsget \-h http://tsa.opentsa.org:8080/tsa \-v \-e .reply \e
+\&        file1.tsq file2.tsq
+.Ve
+.PP
+Create a time stamp request, write it to file3.tsq, send it to the server and
+write the response to file3.tsr:
+.PP
+.Vb 3
+\&  openssl ts \-query \-data file3.txt \-cert | tee file3.tsq \e
+\&        | tsget \-h http://tsa.opentsa.org:8080/tsa \e
+\&        \-o file3.tsr
+.Ve
+.PP
+Get a time stamp response for file1.tsq over \s-1HTTPS\s0 without client
+authentication:
+.PP
+.Vb 2
+\&  tsget \-h https://tsa.opentsa.org:8443/tsa \e
+\&        \-C cacerts.pem file1.tsq
+.Ve
+.PP
+Get a time stamp response for file1.tsq over \s-1HTTPS\s0 with certificate-based
+client authentication (it will ask for the passphrase if client_key.pem is
+protected):
+.PP
+.Vb 2
+\&  tsget \-h https://tsa.opentsa.org:8443/tsa \-C cacerts.pem \e
+\&        \-k client_key.pem \-c client_cert.pem file1.tsq
+.Ve
+.PP
+You can shorten the previous command line if you make use of the \fB\s-1TSGET\s0\fR
+environment variable. The following commands do the same as the previous
+example:
+.PP
+.Vb 4
+\&  TSGET=\*(Aq\-h https://tsa.opentsa.org:8443/tsa \-C cacerts.pem \e
+\&        \-k client_key.pem \-c client_cert.pem\*(Aq
+\&  export TSGET
+\&  tsget file1.tsq
+.Ve
+.SH "AUTHOR"
+.IX Header "AUTHOR"
+Zoltan Glozik <zglozik@opentsa.org>, OpenTSA project (http://www.opentsa.org)
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIopenssl\fR\|(1), \fIts\fR\|(1), \fIcurl\fR\|(1), 
+\&\fB\s-1RFC\s0 3161\fR
diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1
index 76359fa..3c970f7 100644
--- a/secure/usr.bin/openssl/man/verify.1
+++ b/secure/usr.bin/openssl/man/verify.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "VERIFY 1"
-.TH VERIFY 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH VERIFY 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -137,6 +137,18 @@ verify \- Utility to verify certificates.
 [\fB\-CApath directory\fR]
 [\fB\-CAfile file\fR]
 [\fB\-purpose purpose\fR]
+[\fB\-policy arg\fR]
+[\fB\-ignore_critical\fR]
+[\fB\-crl_check\fR]
+[\fB\-crl_check_all\fR]
+[\fB\-policy_check\fR]
+[\fB\-explicit_policy\fR]
+[\fB\-inhibit_any\fR]
+[\fB\-inhibit_map\fR]
+[\fB\-x509_strict\fR]
+[\fB\-extended_crl\fR]
+[\fB\-use_deltas\fR]
+[\fB\-policy_print\fR]
 [\fB\-untrusted file\fR]
 [\fB\-help\fR]
 [\fB\-issuer_checks\fR]
@@ -181,6 +193,51 @@ of the current certificate. This shows why each candidate issuer
 certificate was rejected. However the presence of rejection messages
 does not itself imply that anything is wrong: during the normal
 verify process several rejections may take place.
+.IP "\fB\-policy arg\fR" 4
+.IX Item "-policy arg"
+Enable policy processing and add \fBarg\fR to the user-initial-policy-set
+(see \s-1RFC3280\s0 et al). The policy \fBarg\fR can be an object name an \s-1OID\s0 in numeric
+form. This argument can appear more than once.
+.IP "\fB\-policy_check\fR" 4
+.IX Item "-policy_check"
+Enables certificate policy processing.
+.IP "\fB\-explicit_policy\fR" 4
+.IX Item "-explicit_policy"
+Set policy variable require-explicit-policy (see \s-1RFC3280\s0 et al).
+.IP "\fB\-inhibit_any\fR" 4
+.IX Item "-inhibit_any"
+Set policy variable inhibit-any-policy (see \s-1RFC3280\s0 et al).
+.IP "\fB\-inhibit_map\fR" 4
+.IX Item "-inhibit_map"
+Set policy variable inhibit-policy-mapping (see \s-1RFC3280\s0 et al).
+.IP "\fB\-policy_print\fR" 4
+.IX Item "-policy_print"
+Print out diagnostics, related to policy checking
+.IP "\fB\-crl_check\fR" 4
+.IX Item "-crl_check"
+Checks end entity certificate validity by attempting to lookup a valid \s-1CRL\s0.
+If a valid \s-1CRL\s0 cannot be found an error occurs.
+.IP "\fB\-crl_check_all\fR" 4
+.IX Item "-crl_check_all"
+Checks the validity of \fBall\fR certificates in the chain by attempting
+to lookup valid CRLs.
+.IP "\fB\-ignore_critical\fR" 4
+.IX Item "-ignore_critical"
+Normally if an unhandled critical extension is present which is not
+supported by OpenSSL the certificate is rejected (as required by
+\&\s-1RFC3280\s0 et al). If this option is set critical extensions are
+ignored.
+.IP "\fB\-x509_strict\fR" 4
+.IX Item "-x509_strict"
+Disable workarounds for broken certificates which have to be disabled
+for strict X.509 compliance.
+.IP "\fB\-extended_crl\fR" 4
+.IX Item "-extended_crl"
+Enable extended \s-1CRL\s0 features such as indirect CRLs and alternate \s-1CRL\s0
+signing keys.
+.IP "\fB\-use_deltas\fR" 4
+.IX Item "-use_deltas"
+Enable support for delta CRLs.
 .IP "\fB\-check_ss_sig\fR" 4
 .IX Item "-check_ss_sig"
 Verify the signature on the self-signed root \s-1CA\s0. This is disabled by default
@@ -281,7 +338,7 @@ the issuer certificate of a looked up certificate could not be found. This
 normally means the list of trusted certificates is not complete.
 .IP "\fB3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate \s-1CRL\s0\fR" 4
 .IX Item "3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL"
-the \s-1CRL\s0 of a certificate could not be found. Unused.
+the \s-1CRL\s0 of a certificate could not be found.
 .IP "\fB4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR" 4
 .IX Item "4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature"
 the certificate signature could not be decrypted. This means that the actual signature value
@@ -299,7 +356,7 @@ the public key in the certificate SubjectPublicKeyInfo could not be read.
 the signature of the certificate is invalid.
 .IP "\fB8 X509_V_ERR_CRL_SIGNATURE_FAILURE: \s-1CRL\s0 signature failure\fR" 4
 .IX Item "8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure"
-the signature of the certificate is invalid. Unused.
+the signature of the certificate is invalid.
 .IP "\fB9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid\fR" 4
 .IX Item "9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid"
 the certificate is not yet valid: the notBefore date is after the current time.
@@ -308,10 +365,10 @@ the certificate is not yet valid: the notBefore date is after the current time.
 the certificate has expired: that is the notAfter date is before the current time.
 .IP "\fB11 X509_V_ERR_CRL_NOT_YET_VALID: \s-1CRL\s0 is not yet valid\fR" 4
 .IX Item "11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid"
-the \s-1CRL\s0 is not yet valid. Unused.
+the \s-1CRL\s0 is not yet valid.
 .IP "\fB12 X509_V_ERR_CRL_HAS_EXPIRED: \s-1CRL\s0 has expired\fR" 4
 .IX Item "12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired"
-the \s-1CRL\s0 has expired. Unused.
+the \s-1CRL\s0 has expired.
 .IP "\fB13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR" 4
 .IX Item "13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field"
 the certificate notBefore field contains an invalid time.
@@ -320,10 +377,10 @@ the certificate notBefore field contains an invalid time.
 the certificate notAfter field contains an invalid time.
 .IP "\fB15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in \s-1CRL\s0's lastUpdate field\fR" 4
 .IX Item "15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field"
-the \s-1CRL\s0 lastUpdate field contains an invalid time. Unused.
+the \s-1CRL\s0 lastUpdate field contains an invalid time.
 .IP "\fB16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in \s-1CRL\s0's nextUpdate field\fR" 4
 .IX Item "16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field"
-the \s-1CRL\s0 nextUpdate field contains an invalid time. Unused.
+the \s-1CRL\s0 nextUpdate field contains an invalid time.
 .IP "\fB17 X509_V_ERR_OUT_OF_MEM: out of memory\fR" 4
 .IX Item "17 X509_V_ERR_OUT_OF_MEM: out of memory"
 an error occurred trying to allocate memory. This should never happen.
@@ -348,7 +405,7 @@ self signed.
 the certificate chain length is greater than the supplied maximum depth. Unused.
 .IP "\fB23 X509_V_ERR_CERT_REVOKED: certificate revoked\fR" 4
 .IX Item "23 X509_V_ERR_CERT_REVOKED: certificate revoked"
-the certificate has been revoked. Unused.
+the certificate has been revoked.
 .IP "\fB24 X509_V_ERR_INVALID_CA: invalid \s-1CA\s0 certificate\fR" 4
 .IX Item "24 X509_V_ERR_INVALID_CA: invalid CA certificate"
 a \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions are not consistent
diff --git a/secure/usr.bin/openssl/man/version.1 b/secure/usr.bin/openssl/man/version.1
index 05d03b3..9d91001 100644
--- a/secure/usr.bin/openssl/man/version.1
+++ b/secure/usr.bin/openssl/man/version.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "VERSION 1"
-.TH VERSION 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH VERSION 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1
index 9b22df5..5addff6 100644
--- a/secure/usr.bin/openssl/man/x509.1
+++ b/secure/usr.bin/openssl/man/x509.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509 1"
-.TH X509 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH X509 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -149,6 +149,7 @@ x509 \- Certificate display and signing utility
 [\fB\-issuer\fR]
 [\fB\-nameopt option\fR]
 [\fB\-email\fR]
+[\fB\-ocsp_uri\fR]
 [\fB\-startdate\fR]
 [\fB\-enddate\fR]
 [\fB\-purpose\fR]
@@ -220,7 +221,7 @@ specified then \s-1SHA1\s0 is used. If the key being used to sign with is a \s-1
 then this option has no effect: \s-1SHA1\s0 is always used with \s-1DSA\s0 keys.
 .IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
-specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
+specifying an engine (by its unique \fBid\fR string) will cause \fBx509\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -260,6 +261,14 @@ outputs the \*(L"hash\*(R" of the certificate issuer name.
 .IP "\fB\-hash\fR" 4
 .IX Item "-hash"
 synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons.
+.IP "\fB\-subject_hash_old\fR" 4
+.IX Item "-subject_hash_old"
+outputs the \*(L"hash\*(R" of the certificate subject name using the older algorithm
+as used by OpenSSL versions before 1.0.0.
+.IP "\fB\-issuer_hash_old\fR" 4
+.IX Item "-issuer_hash_old"
+outputs the \*(L"hash\*(R" of the certificate issuer name using the older algorithm
+as used by OpenSSL versions before 1.0.0.
 .IP "\fB\-subject\fR" 4
 .IX Item "-subject"
 outputs the subject name.
@@ -275,6 +284,9 @@ set multiple options. See the \fB\s-1NAME\s0 \s-1OPTIONS\s0\fR section for more
 .IP "\fB\-email\fR" 4
 .IX Item "-email"
 outputs the email address(es) if any.
+.IP "\fB\-ocsp_uri\fR" 4
+.IX Item "-ocsp_uri"
+outputs the \s-1OCSP\s0 responder address(es) if any.
 .IP "\fB\-startdate\fR" 4
 .IX Item "-startdate"
 prints out the start date of the certificate, that is the notBefore date.
@@ -439,7 +451,9 @@ no extensions are added to the certificate.
 the section to add certificate extensions from. If this option is not
 specified then the extensions should either be contained in the unnamed
 (default) section or the default section should contain a variable called
-\&\*(L"extensions\*(R" which contains the section to use.
+\&\*(L"extensions\*(R" which contains the section to use. See the
+\&\fIx509v3_config\fR\|(5) manual page for details of the
+extension section format.
 .SS "\s-1NAME\s0 \s-1OPTIONS\s0"
 .IX Subsection "NAME OPTIONS"
 The \fBnameopt\fR command line switch determines how the subject and issuer
@@ -844,7 +858,14 @@ OpenSSL 0.9.5 and later.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIreq\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1),
-\&\fIgendsa\fR\|(1), \fIverify\fR\|(1)
+\&\fIgendsa\fR\|(1), \fIverify\fR\|(1),
+\&\fIx509v3_config\fR\|(5)
 .SH "HISTORY"
 .IX Header "HISTORY"
 Before OpenSSL 0.9.8, the default digest for \s-1RSA\s0 keys was \s-1MD5\s0.
+.PP
+The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options
+before OpenSSL 1.0.0 was based on the deprecated \s-1MD5\s0 algorithm and the encoding
+of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
+canonical version of the \s-1DN\s0 using \s-1SHA1\s0. This means that any directories using
+the old form must have their links rebuilt using \fBc_rehash\fR or similar.
diff --git a/secure/usr.bin/openssl/man/x509v3_config.1 b/secure/usr.bin/openssl/man/x509v3_config.1
index 5ea2a96..e8df656 100644
--- a/secure/usr.bin/openssl/man/x509v3_config.1
+++ b/secure/usr.bin/openssl/man/x509v3_config.1
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "X509V3_CONFIG 1"
-.TH X509V3_CONFIG 1 "2012-05-10" "0.9.8x" "OpenSSL"
+.TH X509V3_CONFIG 1 "2012-05-10" "1.0.1c" "OpenSSL"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -185,7 +185,7 @@ use is defined by the extension code itself: check out the certificate
 policies extension for an example.
 .PP
 If an extension type is unsupported then the \fIarbitrary\fR extension syntax
-must be used, see the \s-1ARBITRART\s0 \s-1EXTENSIONS\s0 section for more details.
+must be used, see the \s-1ARBITRARY\s0 \s-1EXTENSIONS\s0 section for more details.
 .SH "STANDARD EXTENSIONS"
 .IX Header "STANDARD EXTENSIONS"
 The following sections describe each supported extension in detail.
@@ -311,7 +311,7 @@ preceeding the name with a \fB+\fR character.
 .PP
 otherName can include arbitrary data associated with an \s-1OID:\s0 the value
 should be the \s-1OID\s0 followed by a semicolon and the content in standard
-\&\fIASN1_generate_nconf()\fR format.
+\&\fIASN1_generate_nconf\fR\|(3) format.
 .PP
 Examples:
 .PP
@@ -359,22 +359,84 @@ Example:
 .Ve
 .SS "\s-1CRL\s0 distribution points."
 .IX Subsection "CRL distribution points."
-This is a multi-valued extension that supports all the literal options of
-subject alternative name. Of the few software packages that currently interpret
-this extension most only interpret the \s-1URI\s0 option.
+This is a multi-valued extension whose options can be either in name:value pair
+using the same form as subject alternative name or a single value representing
+a section name containing all the distribution point fields.
 .PP
-Currently each option will set a new DistributionPoint with the fullName
-field set to the given value.
+For a name:value pair a new DistributionPoint with the fullName field set to
+the given value both the cRLissuer and reasons fields are omitted in this case.
 .PP
-Other fields like cRLissuer and reasons cannot currently be set or displayed:
-at this time no examples were available that used these fields.
+In the single option case the section indicated contains values for each
+field. In this section:
 .PP
-Examples:
+If the name is \*(L"fullname\*(R" the value field should contain the full name
+of the distribution point in the same format as subject alternative name.
+.PP
+If the name is \*(L"relativename\*(R" then the value field should contain a section
+name whose contents represent a \s-1DN\s0 fragment to be placed in this field.
+.PP
+The name \*(L"CRLIssuer\*(R" if present should contain a value for this field in
+subject alternative name format.
+.PP
+If the name is \*(L"reasons\*(R" the value field should consist of a comma
+separated field containing the reasons. Valid reasons are: \*(L"keyCompromise\*(R",
+\&\*(L"CACompromise\*(R", \*(L"affiliationChanged\*(R", \*(L"superseded\*(R", \*(L"cessationOfOperation\*(R",
+\&\*(L"certificateHold\*(R", \*(L"privilegeWithdrawn\*(R" and \*(L"AACompromise\*(R".
+.PP
+Simple examples:
 .PP
 .Vb 2
 \& crlDistributionPoints=URI:http://myhost.com/myca.crl
 \& crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl
 .Ve
+.PP
+Full distribution point example:
+.PP
+.Vb 1
+\& crlDistributionPoints=crldp1_section
+\&
+\& [crldp1_section]
+\&
+\& fullname=URI:http://myhost.com/myca.crl
+\& CRLissuer=dirName:issuer_sect
+\& reasons=keyCompromise, CACompromise
+\&
+\& [issuer_sect]
+\& C=UK
+\& O=Organisation
+\& CN=Some Name
+.Ve
+.SS "Issuing Distribution Point"
+.IX Subsection "Issuing Distribution Point"
+This extension should only appear in CRLs. It is a multi valued extension
+whose syntax is similar to the \*(L"section\*(R" pointed to by the \s-1CRL\s0 distribution
+points extension with a few differences.
+.PP
+The names \*(L"reasons\*(R" and \*(L"CRLissuer\*(R" are not recognized.
+.PP
+The name \*(L"onlysomereasons\*(R" is accepted which sets this field. The value is
+in the same format as the \s-1CRL\s0 distribution point \*(L"reasons\*(R" field.
+.PP
+The names \*(L"onlyuser\*(R", \*(L"onlyCA\*(R", \*(L"onlyAA\*(R" and \*(L"indirectCRL\*(R" are also accepted
+the values should be a boolean value (\s-1TRUE\s0 or \s-1FALSE\s0) to indicate the value of
+the corresponding field.
+.PP
+Example:
+.PP
+.Vb 1
+\& issuingDistributionPoint=critical, @idp_section
+\&
+\& [idp_section]
+\&
+\& fullname=URI:http://myhost.com/myca.crl
+\& indirectCRL=TRUE
+\& onlysomereasons=keyCompromise, CACompromise
+\&
+\& [issuer_sect]
+\& C=UK
+\& O=Organisation
+\& CN=Some Name
+.Ve
 .SS "Certificate Policies."
 .IX Subsection "Certificate Policies."
 This is a \fIraw\fR extension. All the fields of this extension can be set by
@@ -471,6 +533,16 @@ Examples:
 \& nameConstraints=permitted;email:.somedomain.com
 \&
 \& nameConstraints=excluded;email:.com
+\&issuingDistributionPoint = idp_section
+.Ve
+.SS "\s-1OCSP\s0 No Check"
+.IX Subsection "OCSP No Check"
+The \s-1OCSP\s0 No Check extension is a string extension but its value is ignored.
+.PP
+Example:
+.PP
+.Vb 1
+\& noCheck = ignored
 .Ve
 .SH "DEPRECATED EXTENSIONS"
 .IX Header "DEPRECATED EXTENSIONS"
@@ -509,7 +581,8 @@ the data is formatted correctly for the given extension type.
 There are two ways to encode arbitrary extensions.
 .PP
 The first way is to use the word \s-1ASN1\s0 followed by the extension content
-using the same syntax as \fIASN1_generate_nconf()\fR. For example:
+using the same syntax as \fIASN1_generate_nconf\fR\|(3).
+For example:
 .PP
 .Vb 1
 \& 1.2.3.4=critical,ASN1:UTF8String:Some random data
@@ -598,4 +671,5 @@ The \fBdirectoryName\fR and \fBotherName\fR option as well as the \fB\s-1ASN1\s0
 for arbitrary extensions was added in OpenSSL 0.9.8
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-\&\fIreq\fR\|(1), \fIca\fR\|(1), \fIx509\fR\|(1)
+\&\fIreq\fR\|(1), \fIca\fR\|(1), \fIx509\fR\|(1),
+\&\fIASN1_generate_nconf\fR\|(3)