From fb3c70eda88d3175627edc6a3316b4508b3d29c5 Mon Sep 17 00:00:00 2001
From: simon <simon@FreeBSD.org>
Date: Sat, 29 Jul 2006 19:10:21 +0000
Subject: Vendor import of OpenSSL 0.9.8b

---
 crypto/openssl/doc/HOWTO/certificates.txt          |  11 +-
 crypto/openssl/doc/HOWTO/keys.txt                  |   6 +-
 crypto/openssl/doc/HOWTO/proxy_certificates.txt    | 322 +++++++++++++++
 crypto/openssl/doc/apps/CA.pl.pod                  |   2 +-
 crypto/openssl/doc/apps/asn1parse.pod              |  44 +-
 crypto/openssl/doc/apps/ca.pod                     |  78 +++-
 crypto/openssl/doc/apps/config.pod                 |   7 +
 crypto/openssl/doc/apps/dgst.pod                   |   6 +
 crypto/openssl/doc/apps/ec.pod                     | 190 +++++++++
 crypto/openssl/doc/apps/ecparam.pod                | 179 ++++++++
 crypto/openssl/doc/apps/enc.pod                    |  16 +-
 crypto/openssl/doc/apps/errstr.pod                 |  39 ++
 crypto/openssl/doc/apps/req.pod                    |  10 +
 crypto/openssl/doc/apps/s_client.pod               |  16 +
 crypto/openssl/doc/apps/s_server.pod               |  23 ++
 crypto/openssl/doc/apps/x509.pod                   |  20 +-
 crypto/openssl/doc/apps/x509v3_config.pod          | 456 +++++++++++++++++++++
 crypto/openssl/doc/crypto/ASN1_STRING_print_ex.pod |   6 +-
 crypto/openssl/doc/crypto/ASN1_generate_nconf.pod  | 253 ++++++++++++
 crypto/openssl/doc/crypto/BIO_f_base64.pod         |   2 +-
 crypto/openssl/doc/crypto/BN_BLINDING_new.pod      | 109 +++++
 crypto/openssl/doc/crypto/BN_add_word.pod          |  10 +-
 crypto/openssl/doc/crypto/BN_new.pod               |   2 +-
 crypto/openssl/doc/crypto/ERR_error_string.pod     |   2 +-
 crypto/openssl/doc/crypto/ERR_set_mark.pod         |  38 ++
 crypto/openssl/doc/crypto/EVP_BytesToKey.pod       |   2 +-
 crypto/openssl/doc/crypto/EVP_DigestInit.pod       |   2 +-
 crypto/openssl/doc/crypto/EVP_EncryptInit.pod      |   8 +-
 crypto/openssl/doc/crypto/EVP_SealInit.pod         |   5 +-
 crypto/openssl/doc/crypto/EVP_SignInit.pod         |   9 +-
 crypto/openssl/doc/crypto/OPENSSL_Applink.pod      |  21 +
 crypto/openssl/doc/crypto/OPENSSL_config.pod       |   2 +-
 crypto/openssl/doc/crypto/OPENSSL_ia32cap.pod      |  35 ++
 crypto/openssl/doc/crypto/PKCS12_create.pod        |  18 +
 crypto/openssl/doc/crypto/PKCS7_sign.pod           |  24 +-
 crypto/openssl/doc/crypto/PKCS7_verify.pod         |   2 +-
 crypto/openssl/doc/crypto/RSA_sign.pod             |   4 +-
 crypto/openssl/doc/crypto/SMIME_write_PKCS7.pod    |  14 +-
 .../doc/crypto/X509_NAME_ENTRY_get_object.pod      |   6 +-
 .../doc/crypto/X509_NAME_add_entry_by_txt.pod      |   6 +-
 crypto/openssl/doc/crypto/X509_NAME_print_ex.pod   |   4 +-
 crypto/openssl/doc/crypto/blowfish.pod             |   2 +-
 crypto/openssl/doc/crypto/bn.pod                   |  25 +-
 crypto/openssl/doc/crypto/bn_internal.pod          |  14 +-
 crypto/openssl/doc/crypto/d2i_X509.pod             |   6 +-
 crypto/openssl/doc/crypto/d2i_X509_CRL.pod         |   2 +-
 crypto/openssl/doc/crypto/d2i_X509_REQ.pod         |   2 +-
 crypto/openssl/doc/crypto/des_modes.pod            |   2 +
 crypto/openssl/doc/crypto/ecdsa.pod                | 210 ++++++++++
 crypto/openssl/doc/crypto/engine.pod               | 206 +++++-----
 crypto/openssl/doc/crypto/hmac.pod                 |   2 +-
 crypto/openssl/doc/crypto/threads.pod              |  25 +-
 crypto/openssl/doc/crypto/x509.pod                 |  64 +++
 crypto/openssl/doc/fingerprints.txt                |  57 +++
 crypto/openssl/doc/openssl.txt                     |  27 +-
 crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod     |   6 +-
 .../openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod   |   2 +-
 crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod |  12 +-
 crypto/openssl/doc/ssl/SSL_CTX_set_cert_store.pod  |   2 +-
 .../openssl/doc/ssl/SSL_CTX_set_info_callback.pod  |   4 +-
 crypto/openssl/doc/ssl/SSL_CTX_set_options.pod     |   4 +-
 .../openssl/doc/ssl/SSL_CTX_set_quiet_shutdown.pod |   4 +-
 crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod |  16 +-
 .../doc/ssl/SSL_SESSION_get_ex_new_index.pod       |   2 +-
 crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod    |   8 +-
 crypto/openssl/doc/ssl/SSL_get_SSL_CTX.pod         |   2 +-
 crypto/openssl/doc/ssl/SSL_get_ciphers.pod         |   4 +-
 crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod  |   4 +-
 crypto/openssl/doc/ssl/SSL_get_current_cipher.pod  |   2 +-
 crypto/openssl/doc/ssl/SSL_get_default_timeout.pod |   2 +-
 crypto/openssl/doc/ssl/SSL_get_error.pod           |   2 +-
 crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod    |   2 +-
 crypto/openssl/doc/ssl/SSL_get_fd.pod              |   6 +-
 crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod |   2 +-
 .../openssl/doc/ssl/SSL_get_peer_certificate.pod   |   2 +-
 crypto/openssl/doc/ssl/SSL_get_session.pod         |   4 +-
 crypto/openssl/doc/ssl/SSL_get_verify_result.pod   |   2 +-
 crypto/openssl/doc/ssl/SSL_get_version.pod         |   2 +-
 crypto/openssl/doc/ssl/SSL_pending.pod             |   2 +-
 crypto/openssl/doc/ssl/SSL_set_shutdown.pod        |   2 +-
 crypto/openssl/doc/ssl/SSL_shutdown.pod            |   2 +-
 crypto/openssl/doc/ssl/SSL_state_string.pod        |   4 +-
 crypto/openssl/doc/ssl/SSL_want.pod                |  10 +-
 crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod         |   2 +-
 crypto/openssl/doc/ssl/ssl.pod                     | 110 ++---
 crypto/openssl/doc/ssleay.txt                      |   2 +-
 crypto/openssl/doc/standards.txt                   |   4 +
 87 files changed, 2560 insertions(+), 327 deletions(-)
 create mode 100644 crypto/openssl/doc/HOWTO/proxy_certificates.txt
 create mode 100644 crypto/openssl/doc/apps/ec.pod
 create mode 100644 crypto/openssl/doc/apps/ecparam.pod
 create mode 100644 crypto/openssl/doc/apps/errstr.pod
 create mode 100644 crypto/openssl/doc/apps/x509v3_config.pod
 create mode 100644 crypto/openssl/doc/crypto/ASN1_generate_nconf.pod
 create mode 100644 crypto/openssl/doc/crypto/BN_BLINDING_new.pod
 create mode 100644 crypto/openssl/doc/crypto/ERR_set_mark.pod
 create mode 100644 crypto/openssl/doc/crypto/OPENSSL_Applink.pod
 create mode 100644 crypto/openssl/doc/crypto/OPENSSL_ia32cap.pod
 create mode 100644 crypto/openssl/doc/crypto/ecdsa.pod
 create mode 100644 crypto/openssl/doc/crypto/x509.pod
 create mode 100644 crypto/openssl/doc/fingerprints.txt

(limited to 'crypto/openssl/doc')

diff --git a/crypto/openssl/doc/HOWTO/certificates.txt b/crypto/openssl/doc/HOWTO/certificates.txt
index d3a6254..a8a34c7 100644
--- a/crypto/openssl/doc/HOWTO/certificates.txt
+++ b/crypto/openssl/doc/HOWTO/certificates.txt
@@ -66,14 +66,13 @@ Section 5 will tell you more on how to handle the certificate you
 received.
 
 
-4. Creating a self-signed certificate
+4. Creating a self-signed test certificate
 
 If you don't want to deal with another certificate authority, or just
-want to create a test certificate for yourself, or are setting up a
-certificate authority of your own, you may want to make the requested
-certificate a self-signed one.  This is similar to creating a
-certificate request, but creates a certificate instead of a
-certificate request (1095 is 3 years):
+want to create a test certificate for yourself.  This is similar to
+creating a certificate request, but creates a certificate instead of
+a certificate request.  This is NOT the recommended way to create a
+CA certificate, see ca.txt.
 
   openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
 
diff --git a/crypto/openssl/doc/HOWTO/keys.txt b/crypto/openssl/doc/HOWTO/keys.txt
index 45f42ea..7ae2a3a 100644
--- a/crypto/openssl/doc/HOWTO/keys.txt
+++ b/crypto/openssl/doc/HOWTO/keys.txt
@@ -40,9 +40,9 @@ consider insecure or to be insecure pretty soon.
 
 3. To generate a DSA key
 
-A DSA key can be used both for signing only.  This is important to
-keep in mind to know what kind of purposes a certificate request with
-a DSA key can really be used for.
+A DSA key can be used for signing only.  This is important to keep
+in mind to know what kind of purposes a certificate request with a
+DSA key can really be used for.
 
 Generating a key for the DSA algorithm is a two-step process.  First,
 you have to generate parameters from which to generate the key:
diff --git a/crypto/openssl/doc/HOWTO/proxy_certificates.txt b/crypto/openssl/doc/HOWTO/proxy_certificates.txt
new file mode 100644
index 0000000..3d36b02
--- /dev/null
+++ b/crypto/openssl/doc/HOWTO/proxy_certificates.txt
@@ -0,0 +1,322 @@
+<DRAFT!>
+			HOWTO proxy certificates
+
+0. WARNING
+
+NONE OF THE CODE PRESENTED HERE HAVE BEEN CHECKED!  They are just an
+example to show you how things can be done.  There may be typos or
+type conflicts, and you will have to resolve them.
+
+1. Introduction
+
+Proxy certificates are defined in RFC 3820.  They are really usual
+certificates with the mandatory extension proxyCertInfo.
+
+Proxy certificates are issued by an End Entity (typically a user),
+either directly with the EE certificate as issuing certificate, or by
+extension through an already issued proxy certificate..  They are used
+to extend rights to some other entity (a computer process, typically,
+or sometimes to the user itself), so it can perform operations in the
+name of the owner of the EE certificate.
+
+See http://www.ietf.org/rfc/rfc3820.txt for more information.
+
+
+2. A warning about proxy certificates
+
+Noone seems to have tested proxy certificates with security in mind.
+Basically, to this date, it seems that proxy certificates have only
+been used in a world that's highly aware of them.  What would happen
+if an unsuspecting application is to validate a chain of certificates
+that contains proxy certificates?  It would usually consider the leaf
+to be the certificate to check for authorisation data, and since proxy
+certificates are controlled by the EE certificate owner alone, it's
+would be normal to consider what the EE certificate owner could do
+with them.
+
+subjectAltName and issuerAltName are forbidden in proxy certificates,
+and this is enforced in OpenSSL.  The subject must be the same as the
+issuer, with one commonName added on.
+
+Possible threats are, as far as has been imagined so far:
+
+ - impersonation through commonName (think server certificates).
+ - use of additional extensions, possibly non-standard ones used in
+   certain environments, that would grant extra or different
+   authorisation rights.
+
+For this reason, OpenSSL requires that the use of proxy certificates
+be explicitely allowed.  Currently, this can be done using the
+following methods:
+
+ - if the application calls X509_verify_cert() itself, it can do the
+   following prior to that call (ctx is the pointer passed in the call
+   to X509_verify_cert()):
+
+	X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+
+ - in all other cases, proxy certificate validation can be enabled
+   before starting the application by setting the envirnoment variable
+   OPENSSL_ALLOW_PROXY with some non-empty value.
+
+There are thoughts to allow proxy certificates with a line in the
+default openssl.cnf, but that's still in the future.
+
+
+3. How to create proxy cerificates
+
+It's quite easy to create proxy certificates, by taking advantage of
+the lack of checks of the 'openssl x509' application (*ahem*).  But
+first, you need to create a configuration section that contains a
+definition of the proxyCertInfo extension, a little like this:
+
+  [ v3_proxy ]
+  # A proxy certificate MUST NEVER be a CA certificate.
+  basicConstraints=CA:FALSE
+
+  # Usual authority key ID
+  authorityKeyIdentifier=keyid,issuer:always
+
+  # Now, for the extension that marks this certificate as a proxy one
+  proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
+
+It's also possible to give the proxy extension in a separate section:
+
+  proxyCertInfo=critical,@proxy_ext
+
+  [ proxy_ext ]
+  language=id-ppl-anyLanguage
+  pathlen=0
+  policy=text:BC
+
+The policy value has a specific syntax, {syntag}:{string}, where the
+syntag determines what will be done with the string.  The recognised
+syntags are as follows:
+
+  text	indicates that the string is simply the bytes, not
+	encoded in any kind of way:
+
+		policy=text:räksmörgås
+
+	Previous versions of this design had a specific tag
+	for UTF-8 text.  However, since the bytes are copied
+	as-is anyway, there's no need for it.  Instead, use
+	the text: tag, like this:
+
+		policy=text:räksmörgås
+
+  hex	indicates the string is encoded in hex, with colons
+	between each byte (every second hex digit):
+
+		policy=hex:72:E4:6B:73:6D:F6:72:67:E5:73
+
+	Previous versions of this design had a tag to insert a
+	complete DER blob.  However, the only legal use for
+	this would be to surround the bytes that would go with
+	the hex: tag with what's needed to construct a correct
+	OCTET STRING.  Since hex: does that, the DER tag felt
+	superfluous, and was therefore removed.
+
+  file	indicates that the text of the policy should really be
+	taken from a file.  The string is then really a file
+	name.  This is useful for policies that are large
+	(more than a few of lines) XML documents, for example.
+
+The 'policy' setting can be split up in multiple lines like this:
+
+  0.policy=This is
+  1.polisy= a multi-
+  2.policy=line policy.
+
+NOTE: the proxy policy value is the part that determines the rights
+granted to the process using the proxy certificate.  The value is
+completely dependent on the application reading and interpretting it!
+
+Now that you have created an extension section for your proxy
+certificate, you can now easily create a proxy certificate like this:
+
+  openssl req -new -config openssl.cnf \
+	  -out proxy.req -keyout proxy.key
+  openssl x509 -req -CAcreateserial -in proxy.req -days 7 \
+	  -out proxy.crt -CA user.crt -CAkey user.key \
+	  -extfile openssl.cnf -extensions v3_proxy
+
+It's just as easy to create a proxy certificate using another proxy
+certificate as issuer (note that I'm using a different configuration
+section for it):
+
+  openssl req -new -config openssl.cnf \
+	  -out proxy2.req -keyout proxy2.key
+  openssl x509 -req -CAcreateserial -in proxy2.req -days 7 \
+	  -out proxy2.crt -CA proxy.crt -CAkey proxy.key \
+	  -extfile openssl.cnf -extensions v3_proxy2
+
+
+4. How to have your application interpret the policy?
+
+The basic way to interpret proxy policies is to prepare some default
+rights, then do a check of the proxy certificate against the a chain
+of proxy certificates, user certificate and CA certificates, and see
+what rights came out by the end.  Sounds easy, huh?  It almost is.
+
+The slightly complicated part is how to pass data between your
+application and the certificate validation procedure.
+
+You need the following ingredients:
+
+ - a callback routing that will be called for every certificate that's
+   validated.  It will be called several times for each certificates,
+   so you must be attentive to when it's a good time to do the proxy
+   policy interpretation and check, as well as to fill in the defaults
+   when the EE certificate is checked.
+
+ - a structure of data that's shared between your application code and
+   the callback.
+
+ - a wrapper function that sets it all up.
+
+ - an ex_data index function that creates an index into the generic
+   ex_data store that's attached to an X509 validation context.
+
+This is some cookbook code for you to fill in:
+
+  /* In this example, I will use a view of granted rights as a bit
+     array, one bit for each possible right.  */
+  typedef struct your_rights {
+    unsigned char rights[total_rights / 8];
+  } YOUR_RIGHTS;
+
+  /* The following procedure will create an index for the ex_data
+     store in the X509 validation context the first time it's called.
+     Subsequent calls will return the same index.  */
+  static int get_proxy_auth_ex_data_idx(void)
+  {
+    static volatile int idx = -1;
+    if (idx < 0)
+      {
+        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+        if (idx < 0)
+          {
+            idx = X509_STORE_CTX_get_ex_new_index(0,
+                                                  "for verify callback",
+                                                  NULL,NULL,NULL);
+          }
+        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+      }
+    return idx;
+  }
+
+  /* Callback to be given to the X509 validation procedure.  */
+  static int verify_callback(int ok, X509_STORE_CTX *ctx)
+  {
+    if (ok == 1) /* It's REALLY important you keep the proxy policy
+                    check within this secion.  It's important to know
+                    that when ok is 1, the certificates are checked
+                    from top to bottom.  You get the CA root first,
+                    followed by the possible chain of intermediate
+                    CAs, followed by the EE certificate, followed by
+                    the possible proxy certificates.  */
+      {
+        X509 *xs = ctx->current_cert;
+
+        if (xs->ex_flags & EXFLAG_PROXY)
+          {
+	    YOUR_RIGHTS *rights =
+              (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx,
+                get_proxy_auth_ex_data_idx());
+            PROXY_CERT_INFO_EXTENSION *pci =
+              X509_get_ext_d2i(xs, NID_proxyCertInfo, NULL, NULL);
+
+            switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
+              {
+              case NID_Independent:
+                /* Do whatever you need to grant explicit rights to
+                   this particular proxy certificate, usually by
+                   pulling them from some database.  If there are none
+                   to be found, clear all rights (making this and any
+                   subsequent proxy certificate void of any rights).
+                */
+                memset(rights->rights, 0, sizeof(rights->rights));
+                break;
+              case NID_id_ppl_inheritAll:
+                /* This is basically a NOP, we simply let the current
+                   rights stand as they are. */
+                break;
+              default:
+                /* This is usually the most complex section of code.
+                   You really do whatever you want as long as you
+                   follow RFC 3820.  In the example we use here, the
+                   simplest thing to do is to build another, temporary
+                   bit array and fill it with the rights granted by
+                   the current proxy certificate, then use it as a
+                   mask on the accumulated rights bit array, and
+                   voilà, you now have a new accumulated rights bit
+                   array.  */
+                {
+                  int i;
+                  YOUR_RIGHTS tmp_rights;
+		  memset(tmp_rights.rights, 0, sizeof(tmp_rights.rights));
+
+                  /* process_rights() is supposed to be a procedure
+                     that takes a string and it's length, interprets
+                     it and sets the bits in the YOUR_RIGHTS pointed
+                     at by the third argument.  */
+                  process_rights((char *) pci->proxyPolicy->policy->data,
+                                 pci->proxyPolicy->policy->length,
+                                 &tmp_rights);
+
+                  for(i = 0; i < total_rights / 8; i++)
+                    rights->rights[i] &= tmp_rights.rights[i];
+                }
+                break;
+              }
+            PROXY_CERT_INFO_EXTENSION_free(pci);
+          }
+        else if (!(xs->ex_flags & EXFLAG_CA))
+          {
+            /* We have a EE certificate, let's use it to set default!
+            */
+	    YOUR_RIGHTS *rights =
+              (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx,
+                get_proxy_auth_ex_data_idx());
+
+            /* The following procedure finds out what rights the owner
+               of the current certificate has, and sets them in the
+               YOUR_RIGHTS structure pointed at by the second
+               argument.  */
+            set_default_rights(xs, rights);
+          }
+      }
+    return ok;
+  }
+
+  static int my_X509_verify_cert(X509_STORE_CTX *ctx,
+                                 YOUR_RIGHTS *needed_rights)
+  {
+    int i;
+    int (*save_verify_cb)(int ok,X509_STORE_CTX *ctx) = ctx->verify_cb;
+    YOUR_RIGHTS rights;
+
+    X509_STORE_CTX_set_verify_cb(ctx, verify_callback);
+    X509_STORE_CTX_set_ex_data(ctx, get_proxy_auth_ex_data_idx(), &rights);
+    X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+    ok = X509_verify_cert(ctx);
+
+    if (ok == 1)
+      {
+        ok = check_needed_rights(rights, needed_rights);
+      }
+
+    X509_STORE_CTX_set_verify_cb(ctx, save_verify_cb);
+
+    return ok;
+  }
+
+If you use SSL or TLS, you can easily set up a callback to have the
+certificates checked properly, using the code above:
+
+  SSL_CTX_set_cert_verify_callback(s_ctx, my_X509_verify_cert, &needed_rights);
+
+
+-- 
+Richard Levitte
diff --git a/crypto/openssl/doc/apps/CA.pl.pod b/crypto/openssl/doc/apps/CA.pl.pod
index 58e0f52..ed69952 100644
--- a/crypto/openssl/doc/apps/CA.pl.pod
+++ b/crypto/openssl/doc/apps/CA.pl.pod
@@ -47,7 +47,7 @@ written to the file "newreq.pem".
 creates a new certificate request. The private key and request are
 written to the file "newreq.pem".
 
-=item B<-newreq-nowdes>
+=item B<-newreq-nodes>
 
 is like B<-newreq> except that the private key will not be encrypted.
 
diff --git a/crypto/openssl/doc/apps/asn1parse.pod b/crypto/openssl/doc/apps/asn1parse.pod
index e76e981..542d969 100644
--- a/crypto/openssl/doc/apps/asn1parse.pod
+++ b/crypto/openssl/doc/apps/asn1parse.pod
@@ -16,6 +16,8 @@ B<openssl> B<asn1parse>
 [B<-i>]
 [B<-oid filename>]
 [B<-strparse offset>]
+[B<-genstr string>]
+[B<-genconf file>]
 
 =head1 DESCRIPTION
 
@@ -67,6 +69,14 @@ file is described in the NOTES section below.
 parse the contents octets of the ASN.1 object starting at B<offset>. This
 option can be used multiple times to "drill down" into a nested structure.
 
+=item B<-genstr string>, B<-genconf file>
+
+generate encoded data based on B<string>, B<file> or both using
+ASN1_generate_nconf() format. If B<file> only is present then the string
+is obtained from the default section using the name B<asn1>. The encoded
+data is passed through the ASN1 parser and printed out as though it came
+from a file, the contents can thus be examined and written to a file
+using the B<out> option. 
 
 =back
 
@@ -121,9 +131,41 @@ by white space. The final column is the rest of the line and is the
 
 C<1.2.3.4	shortName	A long name>
 
+=head1 EXAMPLES
+
+Parse a file:
+
+ openssl asn1parse -in file.pem
+
+Parse a DER file:
+
+ openssl asn1parse -inform DER -in file.der
+
+Generate a simple UTF8String:
+
+ openssl asn1parse -genstr 'UTF8:Hello World'
+
+Generate and write out a UTF8String, don't print parsed output:
+
+ openssl asn1parse -genstr 'UTF8:Hello World' -noout -out utf8.der
+
+Generate using a config file:
+
+ openssl asn1parse -genconf asn1.cnf -noout -out asn1.der
+
+Example config file:
+
+ asn1=SEQUENCE:seq_sect
+
+ [seq_sect]
+
+ field1=BOOL:TRUE
+ field2=EXP:0, UTF8:some random string
+
+
 =head1 BUGS
 
-There should be options to change the format of input lines. The output of some
+There should be options to change the format of output lines. The output of some
 ASN.1 types is not well handled (if at all).
 
 =cut
diff --git a/crypto/openssl/doc/apps/ca.pod b/crypto/openssl/doc/apps/ca.pod
index 74f45ca..5618c2d 100644
--- a/crypto/openssl/doc/apps/ca.pod
+++ b/crypto/openssl/doc/apps/ca.pod
@@ -17,7 +17,6 @@ B<openssl> B<ca>
 [B<-crl_hold instruction>]
 [B<-crl_compromise time>]
 [B<-crl_CA_compromise time>]
-[B<-subj arg>]
 [B<-crldays days>]
 [B<-crlhours hours>]
 [B<-crlexts section>]
@@ -30,6 +29,7 @@ B<openssl> B<ca>
 [B<-key arg>]
 [B<-passin arg>]
 [B<-cert file>]
+[B<-selfsign>]
 [B<-in file>]
 [B<-out file>]
 [B<-notext>]
@@ -44,6 +44,9 @@ B<openssl> B<ca>
 [B<-extensions section>]
 [B<-extfile section>]
 [B<-engine id>]
+[B<-subj arg>]
+[B<-utf8>]
+[B<-multivalue-rdn>]
 
 =head1 DESCRIPTION
 
@@ -113,6 +116,20 @@ the password used to encrypt the private key. Since on some
 systems the command line arguments are visible (e.g. Unix with
 the 'ps' utility) this option should be used with caution.
 
+=item B<-selfsign>
+
+indicates the issued certificates are to be signed with the key
+the certificate requests were signed with (given with B<-keyfile>).
+Cerificate requests signed with a different key are ignored.  If
+B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is
+ignored.
+
+A consequence of using B<-selfsign> is that the self-signed
+certificate appears among the entries in the certificate database
+(see the configuration option B<database>), and uses the same
+serial number counter as all other certificates sign with the
+self-signed certificate.
+
 =item B<-passin arg>
 
 the key password source. For more information about the format of B<arg>
@@ -203,6 +220,28 @@ to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 
+=item B<-subj arg>
+
+supersedes subject name given in the request.
+The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
+characters may be escaped by \ (backslash), no spaces are skipped.
+
+=item B<-utf8>
+
+this option causes field values to be interpreted as UTF8 strings, by 
+default they are interpreted as ASCII. This means that the field
+values, whether prompted from a terminal or obtained from a
+configuration file, must be valid UTF8 strings.
+
+=item B<-multivalue-rdn>
+
+this option causes the -subj argument to be interpretedt with full
+support for multivalued RDNs. Example:
+
+I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
+
+If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
+
 =back
 
 =head1 CRL OPTIONS
@@ -253,12 +292,6 @@ B<time>. B<time> should be in GeneralizedTime format that is B<YYYYMMDDHHMMSSZ>.
 This is the same as B<crl_compromise> except the revocation reason is set to
 B<CACompromise>.
 
-=item B<-subj arg>
-
-supersedes subject name given in the request.
-The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
-characters may be escaped by \ (backslash), no spaces are skipped.
-
 =item B<-crlexts section>
 
 the section of the configuration file containing CRL extensions to
@@ -359,11 +392,27 @@ the same as the B<-md> option. The message digest to use. Mandatory.
 the text database file to use. Mandatory. This file must be present
 though initially it will be empty.
 
+=item B<unique_subject>
+
+if the value B<yes> is given, the valid certificate entries in the
+database must have unique subjects.  if the value B<no> is given,
+several valid certificate entries may have the exact same subject.
+The default value is B<yes>, to be compatible with older (pre 0.9.8)
+versions of OpenSSL.  However, to make CA certificate roll-over easier,
+it's recommended to use the value B<no>, especially if combined with
+the B<-selfsign> command line option.
+
 =item B<serial>
 
 a text file containing the next serial number to use in hex. Mandatory.
 This file must be present and contain a valid serial number.
 
+=item B<crlnumber>
+
+a text file containing the next CRL number to use in hex. The crl number
+will be inserted in the CRLs only if this file exists. If this file is
+present, it must contain a valid CRL number.
+
 =item B<x509_extensions>
 
 the same as B<-extensions>.
@@ -391,7 +440,7 @@ the same as B<-msie_hack>
 the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
 for more information.
 
-=item B<nameopt>, B<certopt>
+=item B<name_opt>, B<cert_opt>
 
 these options allow the format used to display the certificate details
 when asking the user to confirm signing. All the options supported by
@@ -513,8 +562,8 @@ A sample configuration file with the relevant sections for B<ca>:
  policy         = policy_any            # default policy
  email_in_dn    = no                    # Don't add the email into cert DN
 
- nameopt	= ca_default		# Subject name display option
- certopt	= ca_default		# Certificate display option
+ name_opt	= ca_default		# Subject name display option
+ cert_opt	= ca_default		# Certificate display option
  copy_extensions = none			# Don't copy extensions from request
 
  [ policy_any ]
@@ -554,8 +603,7 @@ if corrupted it can be difficult to fix. It is theoretically possible
 to rebuild the index file from all the issued certificates and a current
 CRL: however there is no option to do this.
 
-V2 CRL features like delta CRL support and CRL numbers are not currently
-supported.
+V2 CRL features like delta CRLs are not currently supported.
 
 Although several requests can be input and handled at once it is only
 possible to include one SPKAC or self signed certificate.
@@ -566,12 +614,6 @@ The use of an in memory text database can cause problems when large
 numbers of certificates are present because, as the name implies
 the database has to be kept in memory.
 
-It is not possible to certify two certificates with the same DN: this
-is a side effect of how the text database is indexed and it cannot easily
-be fixed without introducing other problems. Some S/MIME clients can use
-two certificates with the same DN for separate signing and encryption
-keys.
-
 The B<ca> command really needs rewriting or the required functionality
 exposed at either a command or interface level so a more friendly utility
 (perl script or GUI) can handle things properly. The scripts B<CA.sh> and
diff --git a/crypto/openssl/doc/apps/config.pod b/crypto/openssl/doc/apps/config.pod
index 8f823fa..ace34b6 100644
--- a/crypto/openssl/doc/apps/config.pod
+++ b/crypto/openssl/doc/apps/config.pod
@@ -1,6 +1,8 @@
 
 =pod
 
+=for comment openssl_manual_section:5
+
 =head1 NAME
 
 config - OpenSSL CONF library configuration files
@@ -105,6 +107,11 @@ as any compliant applications. For example:
  some_new_oid = 1.2.3.4
  some_other_oid = 1.2.3.5
 
+In OpenSSL 0.9.8 it is also possible to set the value to the long name followed
+by a comma and the numerical OID form. For example:
+
+ shortName = some object long name, 1.2.3.4
+
 =head2 ENGINE CONFIGURATION MODULE
 
 This ENGINE configuration module has the name B<engines>. The value of this
diff --git a/crypto/openssl/doc/apps/dgst.pod b/crypto/openssl/doc/apps/dgst.pod
index 1648742..b0d1987 100644
--- a/crypto/openssl/doc/apps/dgst.pod
+++ b/crypto/openssl/doc/apps/dgst.pod
@@ -14,6 +14,7 @@ B<openssl> B<dgst>
 [B<-binary>]
 [B<-out filename>]
 [B<-sign filename>]
+[B<-passin arg>]
 [B<-verify filename>]
 [B<-prverify filename>]
 [B<-signature filename>]
@@ -59,6 +60,11 @@ filename to output to, or standard output by default.
 
 digitally sign the digest using the private key in "filename".
 
+=item B<-passin arg>
+
+the private key password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
 =item B<-verify filename>
 
 verify the signature using the the public key in "filename".
diff --git a/crypto/openssl/doc/apps/ec.pod b/crypto/openssl/doc/apps/ec.pod
new file mode 100644
index 0000000..1d4a36d
--- /dev/null
+++ b/crypto/openssl/doc/apps/ec.pod
@@ -0,0 +1,190 @@
+=pod
+
+=head1 NAME
+
+ec - EC key processing
+
+=head1 SYNOPSIS
+
+B<openssl> B<ec>
+[B<-inform PEM|DER>]
+[B<-outform PEM|DER>]
+[B<-in filename>]
+[B<-passin arg>]
+[B<-out filename>]
+[B<-passout arg>]
+[B<-des>]
+[B<-des3>]
+[B<-idea>]
+[B<-text>]
+[B<-noout>]
+[B<-param_out>]
+[B<-pubin>]
+[B<-pubout>]
+[B<-conv_form arg>]
+[B<-param_enc arg>]
+[B<-engine id>]
+
+=head1 DESCRIPTION
+
+The B<ec> command processes EC keys. They can be converted between various
+forms and their components printed out. B<Note> OpenSSL uses the 
+private key format specified in 'SEC 1: Elliptic Curve Cryptography'
+(http://www.secg.org/). To convert a OpenSSL EC private key into the
+PKCS#8 private key format use the B<pkcs8> command.
+
+=head1 COMMAND OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. The B<DER> option with a private key uses
+an ASN.1 DER encoded SEC1 private key. When used with a public key it
+uses the SubjectPublicKeyInfo structur as specified in RFC 3280.
+The B<PEM> form is the default format: it consists of the B<DER> format base64
+encoded with additional header and footer lines. In the case of a private key
+PKCS#8 format is also accepted.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read a key from or standard input if this
+option is not specified. If the key is encrypted a pass phrase will be
+prompted for.
+
+=item B<-passin arg>
+
+the input file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-out filename>
+
+This specifies the output filename to write a key to or standard output by
+is not specified. If any encryption options are set then a pass phrase will be
+prompted for. The output filename should B<not> be the same as the input
+filename.
+
+=item B<-passout arg>
+
+the output file password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
+=item B<-des|-des3|-idea>
+
+These options encrypt the private key with the DES, triple DES, IDEA or 
+any other cipher supported by OpenSSL before outputting it. A pass phrase is
+prompted for.
+If none of these options is specified the key is written in plain text. This
+means that using the B<ec> utility to read in an encrypted key with no
+encryption option can be used to remove the pass phrase from a key, or by
+setting the encryption options it can be use to add or change the pass phrase.
+These options can only be used with PEM format output files.
+
+=item B<-text>
+
+prints out the public, private key components and parameters.
+
+=item B<-noout>
+
+this option prevents output of the encoded version of the key.
+
+=item B<-modulus>
+
+this option prints out the value of the public key component of the key.
+
+=item B<-pubin>
+
+by default a private key is read from the input file: with this option a
+public key is read instead.
+
+=item B<-pubout>
+
+by default a private key is output. With this option a public
+key will be output instead. This option is automatically set if the input is
+a public key.
+
+=item B<-conv_form>
+
+This specifies how the points on the elliptic curve are converted
+into octet strings. Possible values are: B<compressed> (the default
+value), B<uncompressed> and B<hybrid>. For more information regarding
+the point conversion forms please read the X9.62 standard.
+B<Note> Due to patent issues the B<compressed> option is disabled
+by default for binary curves and can be enabled by defining
+the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
+
+=item B<-param_enc arg>
+
+This specifies how the elliptic curve parameters are encoded.
+Possible value are: B<named_curve>, i.e. the ec parameters are
+specified by a OID, or B<explicit> where the ec parameters are
+explicitly given (see RFC 3279 for the definition of the 
+EC parameters structures). The default value is B<named_curve>.
+B<Note> the B<implicitlyCA> alternative ,as specified in RFC 3279,
+is currently not implemented in OpenSSL.
+
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
+=back
+
+=head1 NOTES
+
+The PEM private key format uses the header and footer lines:
+
+ -----BEGIN EC PRIVATE KEY-----
+ -----END EC PRIVATE KEY-----
+
+The PEM public key format uses the header and footer lines:
+
+ -----BEGIN PUBLIC KEY-----
+ -----END PUBLIC KEY-----
+
+=head1 EXAMPLES
+
+To encrypt a private key using triple DES:
+
+ openssl ec -in key.pem -des3 -out keyout.pem
+
+To convert a private key from PEM to DER format: 
+
+ openssl ec -in key.pem -outform DER -out keyout.der
+
+To print out the components of a private key to standard output:
+
+ openssl ec -in key.pem -text -noout
+
+To just output the public part of a private key:
+
+ openssl ec -in key.pem -pubout -out pubkey.pem
+
+To change the parameters encoding to B<explicit>:
+
+ openssl ec -in key.pem -param_enc explicit -out keyout.pem
+
+To change the point conversion form to B<compressed>:
+
+ openssl ec -in key.pem -conv_form compressed -out keyout.pem
+
+=head1 SEE ALSO
+
+L<ecparam(1)|ecparam(1)>, L<dsa(1)|dsa(1)>, L<rsa(1)|rsa(1)>
+
+=head1 HISTORY
+
+The ec command was first introduced in OpenSSL 0.9.8.
+
+=head1 AUTHOR
+
+Nils Larsch for the OpenSSL project (http://www.openssl.org).
+
+=cut
diff --git a/crypto/openssl/doc/apps/ecparam.pod b/crypto/openssl/doc/apps/ecparam.pod
new file mode 100644
index 0000000..1a12105
--- /dev/null
+++ b/crypto/openssl/doc/apps/ecparam.pod
@@ -0,0 +1,179 @@
+=pod
+
+=head1 NAME
+
+ecparam - EC parameter manipulation and generation
+
+=head1 SYNOPSIS
+
+B<openssl ecparam>
+[B<-inform DER|PEM>]
+[B<-outform DER|PEM>]
+[B<-in filename>]
+[B<-out filename>]
+[B<-noout>]
+[B<-text>]
+[B<-C>]
+[B<-check>]
+[B<-name arg>]
+[B<-list_curve>]
+[B<-conv_form arg>]
+[B<-param_enc arg>]
+[B<-no_seed>]
+[B<-rand file(s)>]
+[B<-genkey>]
+[B<-engine id>]
+
+=head1 DESCRIPTION
+
+This command is used to manipulate or generate EC parameter files.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-inform DER|PEM>
+
+This specifies the input format. The B<DER> option uses an ASN.1 DER encoded
+form compatible with RFC 3279 EcpkParameters. The PEM form is the default
+format: it consists of the B<DER> format base64 encoded with additional 
+header and footer lines.
+
+=item B<-outform DER|PEM>
+
+This specifies the output format, the options have the same meaning as the 
+B<-inform> option.
+
+=item B<-in filename>
+
+This specifies the input filename to read parameters from or standard input if
+this option is not specified.
+
+=item B<-out filename>
+
+This specifies the output filename parameters to. Standard output is used
+if this option is not present. The output filename should B<not> be the same
+as the input filename.
+
+=item B<-noout>
+
+This option inhibits the output of the encoded version of the parameters.
+
+=item B<-text>
+
+This option prints out the EC parameters in human readable form.
+
+=item B<-C>
+
+This option converts the EC parameters into C code. The parameters can then
+be loaded by calling the B<get_ec_group_XXX()> function.
+
+=item B<-check>
+
+Validate the elliptic curve parameters.
+
+=item B<-name arg>
+
+Use the EC parameters with the specified 'short' name. Use B<-list_curves>
+to get a list of all currently implemented EC parameters.
+
+=item B<-list_curves>
+
+If this options is specified B<ecparam> will print out a list of all
+currently implemented EC parameters names and exit.
+
+=item B<-conv_form>
+
+This specifies how the points on the elliptic curve are converted
+into octet strings. Possible values are: B<compressed> (the default
+value), B<uncompressed> and B<hybrid>. For more information regarding
+the point conversion forms please read the X9.62 standard.
+B<Note> Due to patent issues the B<compressed> option is disabled
+by default for binary curves and can be enabled by defining
+the preprocessor macro B<OPENSSL_EC_BIN_PT_COMP> at compile time.
+
+=item B<-param_enc arg>
+
+This specifies how the elliptic curve parameters are encoded.
+Possible value are: B<named_curve>, i.e. the ec parameters are
+specified by a OID, or B<explicit> where the ec parameters are
+explicitly given (see RFC 3279 for the definition of the 
+EC parameters structures). The default value is B<named_curve>.
+B<Note> the B<implicitlyCA> alternative ,as specified in RFC 3279,
+is currently not implemented in OpenSSL.
+
+=item B<-no_seed>
+
+This option inhibits that the 'seed' for the parameter generation
+is included in the ECParameters structure (see RFC 3279).
+
+=item B<-genkey>
+
+This option will generate a EC private key using the specified parameters.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others.
+
+=item B<-engine id>
+
+specifying an engine (by it's unique B<id> string) will cause B<req>
+to attempt to obtain a functional reference to the specified engine,
+thus initialising it if needed. The engine will then be set as the default
+for all available algorithms.
+
+=back
+
+=head1 NOTES
+
+PEM format EC parameters use the header and footer lines:
+
+ -----BEGIN EC PARAMETERS-----
+ -----END EC PARAMETERS-----
+
+OpenSSL is currently not able to generate new groups and therefore
+B<ecparam> can only create EC parameters from known (named) curves. 
+
+=head1 EXAMPLES
+
+To create EC parameters with the group 'prime192v1':
+
+  openssl ecparam -out ec_param.pem -name prime192v1
+
+To create EC parameters with explicit parameters:
+
+  openssl ecparam -out ec_param.pem -name prime192v1 -param_enc explicit
+
+To validate given EC parameters:
+
+  openssl ecparam -in ec_param.pem -check
+
+To create EC parameters and a private key:
+
+  openssl ecparam -out ec_key.pem -name prime192v1 -genkey
+
+To change the point encoding to 'compressed':
+
+  openssl ecparam -in ec_in.pem -out ec_out.pem -conv_form compressed
+
+To print out the EC parameters to standard output:
+
+  openssl ecparam -in ec_param.pem -noout -text
+
+=head1 SEE ALSO
+
+L<ec(1)|ec(1)>, L<dsaparam(1)|dsaparam(1)>
+
+=head1 HISTORY
+
+The ecparam command was first introduced in OpenSSL 0.9.8.
+
+=head1 AUTHOR
+
+Nils Larsch for the OpenSSL project (http://www.openssl.org)
+
+=cut
diff --git a/crypto/openssl/doc/apps/enc.pod b/crypto/openssl/doc/apps/enc.pod
index 18fe7c8..c43da5b 100644
--- a/crypto/openssl/doc/apps/enc.pod
+++ b/crypto/openssl/doc/apps/enc.pod
@@ -191,12 +191,12 @@ Blowfish and RC5 algorithms use a 128 bit key.
  des-ecb            DES in ECB mode
 
  des-ede-cbc        Two key triple DES EDE in CBC mode
- des-ede            Alias for des-ede
+ des-ede            Two key triple DES EDE in ECB mode
  des-ede-cfb        Two key triple DES EDE in CFB mode
  des-ede-ofb        Two key triple DES EDE in OFB mode
 
  des-ede3-cbc       Three key triple DES EDE in CBC mode
- des-ede3           Alias for des-ede3-cbc
+ des-ede3           Three key triple DES EDE in ECB mode
  des3               Alias for des-ede3-cbc
  des-ede3-cfb       Three key triple DES EDE CFB mode
  des-ede3-ofb       Three key triple DES EDE in OFB mode
@@ -211,9 +211,9 @@ Blowfish and RC5 algorithms use a 128 bit key.
 
  rc2-cbc            128 bit RC2 in CBC mode
  rc2                Alias for rc2-cbc
- rc2-cfb            128 bit RC2 in CBC mode
- rc2-ecb            128 bit RC2 in CBC mode
- rc2-ofb            128 bit RC2 in CBC mode
+ rc2-cfb            128 bit RC2 in CFB mode
+ rc2-ecb            128 bit RC2 in ECB mode
+ rc2-ofb            128 bit RC2 in OFB mode
  rc2-64-cbc         64 bit RC2 in CBC mode
  rc2-40-cbc         40 bit RC2 in CBC mode
 
@@ -223,9 +223,9 @@ Blowfish and RC5 algorithms use a 128 bit key.
 
  rc5-cbc            RC5 cipher in CBC mode
  rc5                Alias for rc5-cbc
- rc5-cfb            RC5 cipher in CBC mode
- rc5-ecb            RC5 cipher in CBC mode
- rc5-ofb            RC5 cipher in CBC mode
+ rc5-cfb            RC5 cipher in CFB mode
+ rc5-ecb            RC5 cipher in ECB mode
+ rc5-ofb            RC5 cipher in OFB mode
 
 =head1 EXAMPLES
 
diff --git a/crypto/openssl/doc/apps/errstr.pod b/crypto/openssl/doc/apps/errstr.pod
new file mode 100644
index 0000000..b3c6ccfc
--- /dev/null
+++ b/crypto/openssl/doc/apps/errstr.pod
@@ -0,0 +1,39 @@
+=pod
+
+=head1 NAME
+
+errstr - lookup error codes
+
+=head1 SYNOPSIS
+
+B<openssl errstr error_code>
+
+=head1 DESCRIPTION
+
+Sometimes an application will not load error message and only
+numerical forms will be available. The B<errstr> utility can be used to 
+display the meaning of the hex code. The hex code is the hex digits after the
+second colon.
+
+=head1 EXAMPLE
+
+The error code:
+
+ 27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107:
+
+can be displayed with:
+ 
+ openssl errstr 2006D080
+
+to produce the error message:
+
+ error:2006D080:BIO routines:BIO_new_file:no such file
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>,
+L<ERR_load_crypto_strings(3)|ERR_load_crypto_strings(3)>,
+L<SSL_load_error_strings(3)|SSL_load_error_strings(3)>
+
+
+=cut
diff --git a/crypto/openssl/doc/apps/req.pod b/crypto/openssl/doc/apps/req.pod
index e2b5d0d..82b565c 100644
--- a/crypto/openssl/doc/apps/req.pod
+++ b/crypto/openssl/doc/apps/req.pod
@@ -30,6 +30,7 @@ B<openssl> B<req>
 [B<-[md5|sha1|md2|mdc2]>]
 [B<-config filename>]
 [B<-subj arg>]
+[B<-multivalue-rdn>]
 [B<-x509>]
 [B<-days n>]
 [B<-set_serial n>]
@@ -173,6 +174,15 @@ when processing a request.
 The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
 characters may be escaped by \ (backslash), no spaces are skipped.
 
+=item B<-multivalue-rdn>
+
+this option causes the -subj argument to be interpreted with full
+support for multivalued RDNs. Example:
+
+I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
+
+If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
+
 =item B<-x509>
 
 this option outputs a self signed certificate instead of a certificate
diff --git a/crypto/openssl/doc/apps/s_client.pod b/crypto/openssl/doc/apps/s_client.pod
index 8d19079..e1e1ba9 100644
--- a/crypto/openssl/doc/apps/s_client.pod
+++ b/crypto/openssl/doc/apps/s_client.pod
@@ -11,7 +11,10 @@ B<openssl> B<s_client>
 [B<-connect host:port>]
 [B<-verify depth>]
 [B<-cert filename>]
+[B<-certform DER|PEM>]
 [B<-key filename>]
+[B<-keyform DER|PEM>]
+[B<-pass arg>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
 [B<-reconnect>]
@@ -57,11 +60,24 @@ then an attempt is made to connect to the local host on port 4433.
 The certificate to use, if one is requested by the server. The default is
 not to use a certificate.
 
+=item B<-certform format>
+
+The certificate format to use: DER or PEM. PEM is the default.
+
 =item B<-key keyfile>
 
 The private key to use. If not specified then the certificate file will
 be used.
 
+=item B<-keyform format>
+
+The private format to use: DER or PEM. PEM is the default.
+
+=item B<-pass arg>
+
+the private key password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
 =item B<-verify depth>
 
 The verify depth to use. This specifies the maximum length of the
diff --git a/crypto/openssl/doc/apps/s_server.pod b/crypto/openssl/doc/apps/s_server.pod
index 1d21921..7c1a958 100644
--- a/crypto/openssl/doc/apps/s_server.pod
+++ b/crypto/openssl/doc/apps/s_server.pod
@@ -13,9 +13,15 @@ B<openssl> B<s_server>
 [B<-verify depth>]
 [B<-Verify depth>]
 [B<-cert filename>]
+[B<-certform DER|PEM>]
 [B<-key keyfile>]
+[B<-keyform DER|PEM>]
+[B<-pass arg>]
 [B<-dcert filename>]
+[B<-dcertform DER|PEM>]
 [B<-dkey keyfile>]
+[B<-dkeyform DER|PEM>]
+[B<-dpass arg>]
 [B<-dhparam filename>]
 [B<-nbio>]
 [B<-nbio_test>]
@@ -70,11 +76,24 @@ certificate and some require a certificate with a certain public key type:
 for example the DSS cipher suites require a certificate containing a DSS
 (DSA) key. If not specified then the filename "server.pem" will be used.
 
+=item B<-certform format>
+
+The certificate format to use: DER or PEM. PEM is the default.
+
 =item B<-key keyfile>
 
 The private key to use. If not specified then the certificate file will
 be used.
 
+=item B<-keyform format>
+
+The private format to use: DER or PEM. PEM is the default.
+
+=item B<-pass arg>
+
+the private key password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
+
 =item B<-dcert filename>, B<-dkey keyname>
 
 specify an additional certificate and private key, these behave in the
@@ -86,6 +105,10 @@ and some a DSS (DSA) key. By using RSA and DSS certificates and keys
 a server can support clients which only support RSA or DSS cipher suites
 by using an appropriate certificate.
 
+=item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg>
+
+addtional certificate and private key format and passphrase respectively.
+
 =item B<-nocert>
 
 if this option is set then no certificate is used. This restricts the
diff --git a/crypto/openssl/doc/apps/x509.pod b/crypto/openssl/doc/apps/x509.pod
index 50343cd..a46378f 100644
--- a/crypto/openssl/doc/apps/x509.pod
+++ b/crypto/openssl/doc/apps/x509.pod
@@ -17,6 +17,8 @@ B<openssl> B<x509>
 [B<-out filename>]
 [B<-serial>]
 [B<-hash>]
+[B<-subject_hash>]
+[B<-issuer_hash>]
 [B<-subject>]
 [B<-issuer>]
 [B<-nameopt option>]
@@ -96,8 +98,8 @@ default.
 
 the digest to use. This affects any signing or display option that uses a message
 digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options. If not
-specified then MD5 is used. If the key being used to sign with is a DSA key then
-this option has no effect: SHA1 is always used with DSA keys.
+specified then SHA1 is used. If the key being used to sign with is a DSA key
+then this option has no effect: SHA1 is always used with DSA keys.
 
 =item B<-engine id>
 
@@ -141,12 +143,20 @@ contained in the certificate.
 
 outputs the certificate serial number.
 
-=item B<-hash>
+=item B<-subject_hash>
 
 outputs the "hash" of the certificate subject name. This is used in OpenSSL to
 form an index to allow certificates in a directory to be looked up by subject
 name.
 
+=item B<-issuer_hash>
+
+outputs the "hash" of the certificate issuer name.
+
+=item B<-hash>
+
+synonym for "-hash" for backward compatibility reasons.
+
 =item B<-subject>
 
 outputs the subject name.
@@ -815,4 +825,8 @@ OpenSSL 0.9.5 and later.
 L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
 L<gendsa(1)|gendsa(1)>, L<verify(1)|verify(1)>
 
+=head1 HISTORY
+
+Before OpenSSL 0.9.8, the default digest for RSA keys was MD5.
+
 =cut
diff --git a/crypto/openssl/doc/apps/x509v3_config.pod b/crypto/openssl/doc/apps/x509v3_config.pod
new file mode 100644
index 0000000..38c46e8
--- /dev/null
+++ b/crypto/openssl/doc/apps/x509v3_config.pod
@@ -0,0 +1,456 @@
+=pod
+
+=for comment openssl_manual_section:5
+
+=head1 NAME
+
+x509v3_config - X509 V3 certificate extension configuration format
+
+=head1 DESCRIPTION
+
+Several of the OpenSSL utilities can add extensions to a certificate or
+certificate request based on the contents of a configuration file.
+
+Typically the application will contain an option to point to an extension
+section. Each line of the extension section takes the form:
+
+ extension_name=[critical,] extension_options
+
+If B<critical> is present then the extension will be critical.
+
+The format of B<extension_options> depends on the value of B<extension_name>.
+
+There are four main types of extension: I<string> extensions, I<multi-valued>
+extensions, I<raw> and I<arbitrary> extensions.
+
+String extensions simply have a string which contains either the value itself
+or how it is obtained.
+
+For example:
+
+ nsComment="This is a Comment"
+
+Multi-valued extensions have a short form and a long form. The short form
+is a list of names and values:
+
+ basicConstraints=critical,CA:true,pathlen:1
+
+The long form allows the values to be placed in a separate section:
+
+ basicConstraints=critical,@bs_section
+
+ [bs_section]
+
+ CA=true
+ pathlen=1
+
+Both forms are equivalent.
+
+The syntax of raw extensions is governed by the extension code: it can
+for example contain data in multiple sections. The correct syntax to
+use is defined by the extension code itself: check out the certificate
+policies extension for an example.
+
+If an extension type is unsupported then the I<arbitrary> extension syntax
+must be used, see the L<ARBITRART EXTENSIONS|/"ARBITRARY EXTENSIONS"> section for more details.
+
+=head1 STANDARD EXTENSIONS
+
+The following sections describe each supported extension in detail.
+
+=head2 Basic Constraints.
+
+This is a multi valued extension which indicates whether a certificate is
+a CA certificate. The first (mandatory) name is B<CA> followed by B<TRUE> or
+B<FALSE>. If B<CA> is B<TRUE> then an optional B<pathlen> name followed by an
+non-negative value can be included.
+
+For example:
+
+ basicConstraints=CA:TRUE
+
+ basicConstraints=CA:FALSE
+
+ basicConstraints=critical,CA:TRUE, pathlen:0
+
+A CA certificate B<must> include the basicConstraints value with the CA field
+set to TRUE. An end user certificate must either set CA to FALSE or exclude the
+extension entirely. Some software may require the inclusion of basicConstraints
+with CA set to FALSE for end entity certificates.
+
+The pathlen parameter indicates the maximum number of CAs that can appear
+below this one in a chain. So if you have a CA with a pathlen of zero it can
+only be used to sign end user certificates and not further CAs.
+
+
+=head2 Key Usage.
+
+Key usage is a multi valued extension consisting of a list of names of the
+permitted key usages.
+
+The supporte names are: digitalSignature, nonRepudiation, keyEncipherment,
+dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly
+and decipherOnly.
+
+Examples:
+
+ keyUsage=digitalSignature, nonRepudiation
+
+ keyUsage=critical, keyCertSign
+
+
+=head2 Extended Key Usage.
+
+This extensions consists of a list of usages indicating purposes for which
+the certificate public key can be used for,
+
+These can either be object short names of the dotted numerical form of OIDs.
+While any OID can be used only certain values make sense. In particular the
+following PKIX, NS and MS values are meaningful:
+
+ Value			Meaning
+ -----			-------
+ serverAuth		SSL/TLS Web Server Authentication.
+ clientAuth		SSL/TLS Web Client Authentication.
+ codeSigning		Code signing.
+ emailProtection	E-mail Protection (S/MIME).
+ timeStamping		Trusted Timestamping
+ msCodeInd		Microsoft Individual Code Signing (authenticode)
+ msCodeCom		Microsoft Commercial Code Signing (authenticode)
+ msCTLSign		Microsoft Trust List Signing
+ msSGC			Microsoft Server Gated Crypto
+ msEFS			Microsoft Encrypted File System
+ nsSGC			Netscape Server Gated Crypto
+
+Examples:
+
+ extendedKeyUsage=critical,codeSigning,1.2.3.4
+ extendedKeyUsage=nsSGC,msSGC
+
+
+=head2 Subject Key Identifier.
+
+This is really a string extension and can take two possible values. Either
+the word B<hash> which will automatically follow the guidelines in RFC3280
+or a hex string giving the extension value to include. The use of the hex
+string is strongly discouraged.
+
+Example:
+
+ subjectKeyIdentifier=hash
+
+
+=head2 Authority Key Identifier.
+
+The authority key identifier extension permits two options. keyid and issuer:
+both can take the optional value "always".
+
+If the keyid option is present an attempt is made to copy the subject key
+identifier from the parent certificate. If the value "always" is present
+then an error is returned if the option fails.
+
+The issuer option copies the issuer and serial number from the issuer
+certificate. This will only be done if the keyid option fails or
+is not included unless the "always" flag will always include the value.
+
+Example:
+
+ authorityKeyIdentifier=keyid,issuer
+
+
+=head2 Subject Alternative Name.
+
+The subject alternative name extension allows various literal values to be
+included in the configuration file. These include B<email> (an email address)
+B<URI> a uniform resource indicator, B<DNS> (a DNS domain name), B<RID> (a
+registered ID: OBJECT IDENTIFIER), B<IP> (an IP address), B<dirName>
+(a distinguished name) and otherName.
+
+The email option include a special 'copy' value. This will automatically
+include and email addresses contained in the certificate subject name in
+the extension.
+
+The IP address used in the B<IP> options can be in either IPv4 or IPv6 format.
+
+The value of B<dirName> should point to a section containing the distinguished
+name to use as a set of name value pairs. Multi values AVAs can be formed by
+preceeding the name with a B<+> character.
+
+otherName can include arbitrary data associated with an OID: the value
+should be the OID followed by a semicolon and the content in standard
+ASN1_generate_nconf() format.
+
+Examples:
+
+ subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
+ subjectAltName=IP:192.168.7.1
+ subjectAltName=IP:13::17
+ subjectAltName=email:my@other.address,RID:1.2.3.4
+ subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
+
+ subjectAltName=dirName:dir_sect
+
+ [dir_sect]
+ C=UK
+ O=My Organization
+ OU=My Unit
+ CN=My Name
+
+
+=head2 Issuer Alternative Name.
+
+The issuer alternative name option supports all the literal options of
+subject alternative name. It does B<not> support the email:copy option because
+that would not make sense. It does support an additional issuer:copy option
+that will copy all the subject alternative name values from the issuer 
+certificate (if possible).
+
+Example:
+
+ issuserAltName = issuer:copy
+
+
+=head2 Authority Info Access.
+
+The authority information access extension gives details about how to access
+certain information relating to the CA. Its syntax is accessOID;location
+where I<location> has the same syntax as subject alternative name (except
+that email:copy is not supported). accessOID can be any valid OID but only
+certain values are meaningful, for example OCSP and caIssuers.
+
+Example:
+
+ authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+ authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
+
+
+=head2 CRL distribution points.
+
+This is a multi-valued extension that supports all the literal options of
+subject alternative name. Of the few software packages that currently interpret
+this extension most only interpret the URI option.
+
+Currently each option will set a new DistributionPoint with the fullName
+field set to the given value.
+
+Other fields like cRLissuer and reasons cannot currently be set or displayed:
+at this time no examples were available that used these fields.
+
+Examples:
+
+ crlDistributionPoints=URI:http://myhost.com/myca.crl
+ crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl
+
+=head2 Certificate Policies.
+
+This is a I<raw> extension. All the fields of this extension can be set by
+using the appropriate syntax.
+
+If you follow the PKIX recommendations and just using one OID then you just
+include the value of that OID. Multiple OIDs can be set separated by commas,
+for example:
+
+ certificatePolicies= 1.2.4.5, 1.1.3.4
+
+If you wish to include qualifiers then the policy OID and qualifiers need to
+be specified in a separate section: this is done by using the @section syntax
+instead of a literal OID value.
+
+The section referred to must include the policy OID using the name
+policyIdentifier, cPSuri qualifiers can be included using the syntax:
+
+ CPS.nnn=value
+
+userNotice qualifiers can be set using the syntax:
+
+ userNotice.nnn=@notice
+
+The value of the userNotice qualifier is specified in the relevant section.
+This section can include explicitText, organization and noticeNumbers
+options. explicitText and organization are text strings, noticeNumbers is a
+comma separated list of numbers. The organization and noticeNumbers options
+(if included) must BOTH be present. If you use the userNotice option with IE5
+then you need the 'ia5org' option at the top level to modify the encoding:
+otherwise it will not be interpreted properly.
+
+Example:
+
+ certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
+
+ [polsect]
+
+ policyIdentifier = 1.3.5.8
+ CPS.1="http://my.host.name/"
+ CPS.2="http://my.your.name/"
+ userNotice.1=@notice
+
+ [notice]
+
+ explicitText="Explicit Text Here"
+ organization="Organisation Name"
+ noticeNumbers=1,2,3,4
+
+The B<ia5org> option changes the type of the I<organization> field. In RFC2459
+it can only be of type DisplayText. In RFC3280 IA5Strring is also permissible.
+Some software (for example some versions of MSIE) may require ia5org.
+
+=head2 Policy Constraints
+
+This is a multi-valued extension which consisting of the names
+B<requireExplicitPolicy> or B<inhibitPolicyMapping> and a non negative intger
+value. At least one component must be present.
+
+Example:
+
+ policyConstraints = requireExplicitPolicy:3
+
+
+=head2 Inhibit Any Policy
+
+This is a string extension whose value must be a non negative integer.
+
+Example:
+
+ inhibitAnyPolicy = 2
+
+
+=head2 Name Constraints
+
+The name constraints extension is a multi-valued extension. The name should
+begin with the word B<permitted> or B<excluded> followed by a B<;>. The rest of
+the name and the value follows the syntax of subjectAltName except email:copy
+is not supported and the B<IP> form should consist of an IP addresses and 
+subnet mask separated by a B</>.
+
+Examples:
+
+ nameConstraints=permitted;IP:192.168.0.0/255.255.0.0
+
+ nameConstraints=permitted;email:.somedomain.com
+
+ nameConstraints=excluded;email:.com
+
+=head1 DEPRECATED EXTENSIONS
+
+The following extensions are non standard, Netscape specific and largely
+obsolete. Their use in new applications is discouraged.
+
+=head2 Netscape String extensions.
+
+Netscape Comment (B<nsComment>) is a string extension containing a comment
+which will be displayed when the certificate is viewed in some browsers.
+
+Example:
+
+ nsComment = "Some Random Comment"
+
+Other supported extensions in this category are: B<nsBaseUrl>,
+B<nsRevocationUrl>, B<nsCaRevocationUrl>, B<nsRenewalUrl>, B<nsCaPolicyUrl>
+and B<nsSslServerName>.
+
+
+=head2 Netscape Certificate Type
+
+This is a multi-valued extensions which consists of a list of flags to be
+included. It was used to indicate the purposes for which a certificate could
+be used. The basicConstraints, keyUsage and extended key usage extensions are
+now used instead.
+
+Acceptable values for nsCertType are: B<client>, B<server>, B<email>,
+B<objsign>, B<reserved>, B<sslCA>, B<emailCA>, B<objCA>.
+
+
+=head1 ARBITRARY EXTENSIONS
+
+If an extension is not supported by the OpenSSL code then it must be encoded
+using the arbitrary extension format. It is also possible to use the arbitrary
+format for supported extensions. Extreme care should be taken to ensure that
+the data is formatted correctly for the given extension type.
+
+There are two ways to encode arbitrary extensions.
+
+The first way is to use the word ASN1 followed by the extension content
+using the same syntax as ASN1_generate_nconf(). For example:
+
+ 1.2.3.4=critical,ASN1:UTF8String:Some random data
+
+ 1.2.3.4=ASN1:SEQUENCE:seq_sect
+
+ [seq_sect]
+
+ field1 = UTF8:field1
+ field2 = UTF8:field2
+
+It is also possible to use the word DER to include the raw encoded data in any
+extension.
+
+ 1.2.3.4=critical,DER:01:02:03:04
+ 1.2.3.4=DER:01020304
+
+The value following DER is a hex dump of the DER encoding of the extension
+Any extension can be placed in this form to override the default behaviour.
+For example:
+
+ basicConstraints=critical,DER:00:01:02:03
+
+=head1 WARNING
+
+There is no guarantee that a specific implementation will process a given
+extension. It may therefore be sometimes possible to use certificates for
+purposes prohibited by their extensions because a specific application does
+not recognize or honour the values of the relevant extensions.
+
+The DER and ASN1 options should be used with caution. It is possible to create
+totally invalid extensions if they are not used carefully.
+
+
+=head1 NOTES
+
+If an extension is multi-value and a field value must contain a comma the long
+form must be used otherwise the comma would be misinterpreted as a field
+separator. For example:
+
+ subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
+
+will produce an error but the equivalent form:
+
+ subjectAltName=@subject_alt_section
+
+ [subject_alt_section]
+ subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
+
+is valid. 
+
+Due to the behaviour of the OpenSSL B<conf> library the same field name
+can only occur once in a section. This means that:
+
+ subjectAltName=@alt_section
+
+ [alt_section]
+
+ email=steve@here
+ email=steve@there
+
+will only recognize the last value. This can be worked around by using the form:
+
+ [alt_section]
+
+ email.1=steve@here
+ email.2=steve@there
+
+=head1 HISTORY
+
+The X509v3 extension code was first added to OpenSSL 0.9.2.
+
+Policy mappings, inhibit any policy and name constraints support was added in
+OpenSSL 0.9.8
+
+The B<directoryName> and B<otherName> option as well as the B<ASN1> option
+for arbitrary extensions was added in OpenSSL 0.9.8
+
+=head1 SEE ALSO
+
+L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)>
+
+
+=cut
diff --git a/crypto/openssl/doc/crypto/ASN1_STRING_print_ex.pod b/crypto/openssl/doc/crypto/ASN1_STRING_print_ex.pod
index fbf9a1f..d662225 100644
--- a/crypto/openssl/doc/crypto/ASN1_STRING_print_ex.pod
+++ b/crypto/openssl/doc/crypto/ASN1_STRING_print_ex.pod
@@ -30,8 +30,8 @@ with '.'.
 
 ASN1_STRING_print() is a legacy function which should be avoided in new applications.
 
-Although there are a large number of options frequently B<ASN1_STRFLAGS_RFC2253> is 
-suitable, or on UTF8 terminals B<ASN1_STRFLAGS_RFC2253 & ~ASN1_STRFLAGS_ESC_MSB>.
+Although there are a large number of options frequently B<ASN1_STRFLGS_RFC2253> is 
+suitable, or on UTF8 terminals B<ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB>.
 
 The complete set of supported options for B<flags> is listed below.
 
@@ -72,7 +72,7 @@ octet.
 If B<ASN1_STRFLGS_DUMP_ALL> is set then any type is dumped.
 
 Normally non character string types (such as OCTET STRING) are assumed to be
-one byte per character, if B<ASN1_STRFLAGS_DUMP_UNKNOWN> is set then they will
+one byte per character, if B<ASN1_STRFLGS_DUMP_UNKNOWN> is set then they will
 be dumped instead.
 
 When a type is dumped normally just the content octets are printed, if 
diff --git a/crypto/openssl/doc/crypto/ASN1_generate_nconf.pod b/crypto/openssl/doc/crypto/ASN1_generate_nconf.pod
new file mode 100644
index 0000000..ba6e3c2
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ASN1_generate_nconf.pod
@@ -0,0 +1,253 @@
+=pod
+
+=head1 NAME
+
+ASN1_generate_nconf, ASN1_generate_v3 - ASN1 generation functions
+
+=head1 SYNOPSIS
+
+ ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf);
+ ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf);
+
+=head1 DESCRIPTION
+
+These functions generate the ASN1 encoding of a string
+in an B<ASN1_TYPE> structure.
+
+B<str> contains the string to encode B<nconf> or B<cnf> contains
+the optional configuration information where additional strings
+will be read from. B<nconf> will typically come from a config
+file wherease B<cnf> is obtained from an B<X509V3_CTX> structure
+which will typically be used by X509 v3 certificate extension
+functions. B<cnf> or B<nconf> can be set to B<NULL> if no additional
+configuration will be used.
+
+=head1 GENERATION STRING FORMAT
+
+The actual data encoded is determined by the string B<str> and
+the configuration information. The general format of the string
+is:
+
+ B<[modifier,]type[:value]>
+
+That is zero or more comma separated modifiers followed by a type
+followed by an optional colon and a value. The formats of B<type>,
+B<value> and B<modifier> are explained below.
+
+=head2 SUPPORTED TYPES
+
+The supported types are listed below. Unless otherwise specified
+only the B<ASCII> format is permissible.
+
+=over 2
+
+=item B<BOOLEAN>, B<BOOL>
+
+This encodes a boolean type. The B<value> string is mandatory and
+should be B<TRUE> or B<FALSE>. Additionally B<TRUE>, B<true>, B<Y>,
+B<y>, B<YES>, B<yes>, B<FALSE>, B<false>, B<N>, B<n>, B<NO> and B<no>
+are acceptable. 
+
+=item B<NULL>
+
+Encode the B<NULL> type, the B<value> string must not be present.
+
+=item B<INTEGER>, B<INT>
+
+Encodes an ASN1 B<INTEGER> type. The B<value> string represents
+the value of the integer, it can be preceeded by a minus sign and
+is normally interpreted as a decimal value unless the prefix B<0x>
+is included.
+
+=item B<ENUMERATED>, B<ENUM>
+
+Encodes the ASN1 B<ENUMERATED> type, it is otherwise identical to
+B<INTEGER>.
+
+=item B<OBJECT>, B<OID>
+
+Encodes an ASN1 B<OBJECT IDENTIFIER>, the B<value> string can be
+a short name, a long name or numerical format.
+
+=item B<UTCTIME>, B<UTC>
+
+Encodes an ASN1 B<UTCTime> structure, the value should be in
+the format B<YYMMDDHHMMSSZ>. 
+
+=item B<GENERALIZEDTIME>, B<GENTIME>
+
+Encodes an ASN1 B<GeneralizedTime> structure, the value should be in
+the format B<YYYYMMDDHHMMSSZ>. 
+
+=item B<OCTETSTRING>, B<OCT>
+
+Emcodes an ASN1 B<OCTET STRING>. B<value> represents the contents
+of this structure, the format strings B<ASCII> and B<HEX> can be
+used to specify the format of B<value>.
+
+=item B<BITSRING>, B<BITSTR>
+
+Emcodes an ASN1 B<BIT STRING>. B<value> represents the contents
+of this structure, the format strings B<ASCII>, B<HEX> and B<BITLIST>
+can be used to specify the format of B<value>.
+
+If the format is anything other than B<BITLIST> the number of unused
+bits is set to zero.
+
+=item B<UNIVERSALSTRING>, B<UNIV>, B<IA5>, B<IA5STRING>, B<UTF8>,
+B<UTF8String>, B<BMP>, B<BMPSTRING>, B<VISIBLESTRING>,
+B<VISIBLE>, B<PRINTABLESTRING>, B<PRINTABLE>, B<T61>,
+B<T61STRING>, B<TELETEXSTRING>, B<GeneralString>
+
+These encode the corresponding string types. B<value> represents the
+contents of this structure. The format can be B<ASCII> or B<UTF8>.
+
+=item B<SEQUENCE>, B<SEQ>, B<SET>
+
+Formats the result as an ASN1 B<SEQUENCE> or B<SET> type. B<value>
+should be a section name which will contain the contents. The
+field names in the section are ignored and the values are in the
+generated string format. If B<value> is absent then an empty SEQUENCE
+will be encoded.
+
+=back
+
+=head2 MODIFIERS
+
+Modifiers affect the following structure, they can be used to
+add EXPLICIT or IMPLICIT tagging, add wrappers or to change
+the string format of the final type and value. The supported
+formats are documented below.
+
+=over 2
+
+=item B<EXPLICIT>, B<EXP>
+
+Add an explicit tag to the following structure. This string
+should be followed by a colon and the tag value to use as a
+decimal value.
+
+By following the number with B<U>, B<A>, B<P> or B<C> UNIVERSAL,
+APPLICATION, PRIVATE or CONTEXT SPECIFIC tagging can be used,
+the default is CONTEXT SPECIFIC.
+
+=item B<IMPLICIT>, B<IMP>
+
+This is the same as B<EXPLICIT> except IMPLICIT tagging is used
+instead.
+
+=item B<OCTWRAP>, B<SEQWRAP>, B<SETWRAP>, B<BITWRAP>
+
+The following structure is surrounded by an OCTET STRING, a SEQUENCE,
+a SET or a BIT STRING respectively. For a BIT STRING the number of unused
+bits is set to zero.
+
+=item B<FORMAT>
+
+This specifies the format of the ultimate value. It should be followed
+by a colon and one of the strings B<ASCII>, B<UTF8>, B<HEX> or B<BITLIST>.
+
+If no format specifier is included then B<ASCII> is used. If B<UTF8> is specified
+then the value string must be a valid B<UTF8> string. For B<HEX> the output must
+be a set of hex digits. B<BITLIST> (which is only valid for a BIT STRING) is a
+comma separated list of set bits.
+
+=back
+
+=head1 EXAMPLES
+
+A simple IA5String:
+
+ IA5STRING:Hello World
+
+An IA5String explicitly tagged:
+
+ EXPLICIT:0,IA5STRING:Hello World
+
+An IA5String explicitly tagged using APPLICATION tagging:
+
+ EXPLICIT:0A,IA5STRING:Hello World
+
+A more complex example using a config file to produce a
+SEQUENCE consiting of a BOOL an OID and a UTF8String:
+
+asn1 = SEQUENCE:seq_section
+
+[seq_section]
+
+field1 = BOOLEAN:TRUE
+field2 = OID:commonName
+field3 = UTF8:Third field
+
+This example produces an RSAPrivateKey structure, this is the
+key contained in the file client.pem in all OpenSSL distributions
+(note: the field names such as 'coeff' are ignored and are present just
+for clarity):
+
+ asn1=SEQUENCE:private_key
+ [private_key]
+ version=INTEGER:0
+
+ n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\
+ D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
+
+ e=INTEGER:0x010001
+
+ d=INTEGER:0x6F05EAD2F27FFAEC84BEC360C4B928FD5F3A9865D0FCAAD291E2A52F4A\
+ F810DC6373278C006A0ABBA27DC8C63BF97F7E666E27C5284D7D3B1FFFE16B7A87B51D
+
+ p=INTEGER:0xF3929B9435608F8A22C208D86795271D54EBDFB09DDEF539AB083DA912\
+ D4BD57
+
+ q=INTEGER:0xC50016F89DFF2561347ED1186A46E150E28BF2D0F539A1594BBD7FE467\
+ 46EC4F
+
+ exp1=INTEGER:0x9E7D4326C924AFC1DEA40B45650134966D6F9DFA3A7F9D698CD4ABEA\
+ 9C0A39B9
+
+ exp2=INTEGER:0xBA84003BB95355AFB7C50DF140C60513D0BA51D637272E355E397779\
+ E7B2458F
+
+ coeff=INTEGER:0x30B9E4F2AFA5AC679F920FC83F1F2DF1BAF1779CF989447FABC2F5\
+ 628657053A
+
+This example is the corresponding public key in a SubjectPublicKeyInfo
+structure:
+
+ # Start with a SEQUENCE
+ asn1=SEQUENCE:pubkeyinfo
+
+ # pubkeyinfo contains an algorithm identifier and the public key wrapped
+ # in a BIT STRING
+ [pubkeyinfo]
+ algorithm=SEQUENCE:rsa_alg
+ pubkey=BITWRAP,SEQUENCE:rsapubkey
+
+ # algorithm ID for RSA is just an OID and a NULL
+ [rsa_alg]
+ algorithm=OID:rsaEncryption
+ parameter=NULL
+
+ # Actual public key: modulus and exponent
+ [rsapubkey]
+ n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\
+ D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
+
+ e=INTEGER:0x010001
+
+=head1 RETURN VALUES
+
+ASN1_generate_nconf() and ASN1_generate_v3() return the encoded
+data as an B<ASN1_TYPE> structure or B<NULL> if an error occurred.
+
+The error codes that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 SEE ALSO
+
+L<ERR_get_error(3)|ERR_get_error(3)>
+
+=head1 HISTORY
+
+ASN1_generate_nconf() and ASN1_generate_v3() were added to OpenSSL 0.9.8
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BIO_f_base64.pod b/crypto/openssl/doc/crypto/BIO_f_base64.pod
index 929557d..438af3b 100644
--- a/crypto/openssl/doc/crypto/BIO_f_base64.pod
+++ b/crypto/openssl/doc/crypto/BIO_f_base64.pod
@@ -63,7 +63,7 @@ data to standard output:
  bio = BIO_new_fp(stdin, BIO_NOCLOSE);
  bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
  bio = BIO_push(b64, bio);
- while((inlen = BIO_read(bio, inbuf, 512) > 0) 
+ while((inlen = BIO_read(bio, inbuf, 512)) > 0) 
 	BIO_write(bio_out, inbuf, inlen);
 
  BIO_free_all(bio);
diff --git a/crypto/openssl/doc/crypto/BN_BLINDING_new.pod b/crypto/openssl/doc/crypto/BN_BLINDING_new.pod
new file mode 100644
index 0000000..7b087f7
--- /dev/null
+++ b/crypto/openssl/doc/crypto/BN_BLINDING_new.pod
@@ -0,0 +1,109 @@
+=pod
+
+=head1 NAME
+
+BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert, 
+BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex, 
+BN_BLINDING_get_thread_id, BN_BLINDING_set_thread_id, BN_BLINDING_get_flags,
+BN_BLINDING_set_flags, BN_BLINDING_create_param - blinding related BIGNUM
+functions.
+
+=head1 SYNOPSIS
+
+ #include <openssl/bn.h>
+
+ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai,
+	BIGNUM *mod);
+ void BN_BLINDING_free(BN_BLINDING *b);
+ int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx);
+ int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+ int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b,
+	BN_CTX *ctx);
+ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
+	BN_CTX *ctx);
+ unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
+ void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
+ unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
+ void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
+ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
+	const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
+	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
+	BN_MONT_CTX *m_ctx);
+
+=head1 DESCRIPTION
+
+BN_BLINDING_new() allocates a new B<BN_BLINDING> structure and copies
+the B<A> and B<Ai> values into the newly created B<BN_BLINDING> object.
+
+BN_BLINDING_free() frees the B<BN_BLINDING> structure.
+
+BN_BLINDING_update() updates the B<BN_BLINDING> parameters by squaring
+the B<A> and B<Ai> or, after specific number of uses and if the
+necessary parameters are set, by re-creating the blinding parameters.
+
+BN_BLINDING_convert_ex() multiplies B<n> with the blinding factor B<A>.
+If B<r> is not NULL a copy the inverse blinding factor B<Ai> will be
+returned in B<r> (this is useful if a B<RSA> object is shared amoung
+several threads). BN_BLINDING_invert_ex() multiplies B<n> with the
+inverse blinding factor B<Ai>. If B<r> is not NULL it will be used as
+the inverse blinding.
+
+BN_BLINDING_convert() and BN_BLINDING_invert() are wrapper
+functions for BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex()
+with B<r> set to NULL.
+
+BN_BLINDING_set_thread_id() and BN_BLINDING_get_thread_id()
+set and get the "thread id" value of the B<BN_BLINDING> structure,
+a field provided to users of B<BN_BLINDING> structure to help them
+provide proper locking if needed for multi-threaded use. The 
+"thread id" of a newly allocated B<BN_BLINDING> structure is zero.
+
+BN_BLINDING_get_flags() returns the BN_BLINDING flags. Currently
+there are two supported flags: B<BN_BLINDING_NO_UPDATE> and
+B<BN_BLINDING_NO_RECREATE>. B<BN_BLINDING_NO_UPDATE> inhibits the
+automatic update of the B<BN_BLINDING> parameters after each use
+and B<BN_BLINDING_NO_RECREATE> inhibits the automatic re-creation
+of the B<BN_BLINDING> parameters after a fixed number of uses (currently
+32). In newly allocated B<BN_BLINDING> objects no flags are set.
+BN_BLINDING_set_flags() sets the B<BN_BLINDING> parameters flags.
+
+BN_BLINDING_create_param() creates new B<BN_BLINDING> parameters
+using the exponent B<e> and the modulus B<m>. B<bn_mod_exp> and
+B<m_ctx> can be used to pass special functions for exponentiation
+(normally BN_mod_exp_mont() and B<BN_MONT_CTX>).
+
+=head1 RETURN VALUES
+
+BN_BLINDING_new() returns the newly allocated B<BN_BLINDING> structure
+or NULL in case of an error.
+
+BN_BLINDING_update(), BN_BLINDING_convert(), BN_BLINDING_invert(),
+BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex() return 1 on
+success and 0 if an error occured.
+
+BN_BLINDING_get_thread_id() returns the thread id (a B<unsigned long>
+value) or 0 if not set.
+
+BN_BLINDING_get_flags() returns the currently set B<BN_BLINDING> flags
+(a B<unsigned long> value).
+
+BN_BLINDING_create_param() returns the newly created B<BN_BLINDING> 
+parameters or NULL on error.
+
+=head1 SEE ALSO
+
+L<bn(3)|bn(3)>
+
+=head1 HISTORY
+
+BN_BLINDING_convert_ex, BN_BLINDIND_invert_ex, BN_BLINDING_get_thread_id,
+BN_BLINDING_set_thread_id, BN_BLINDING_set_flags, BN_BLINDING_get_flags
+and BN_BLINDING_create_param were first introduced in OpenSSL 0.9.8
+
+=head1 AUTHOR
+
+Nils Larsch for the OpenSSL project (http://www.openssl.org).
+
+=cut
diff --git a/crypto/openssl/doc/crypto/BN_add_word.pod b/crypto/openssl/doc/crypto/BN_add_word.pod
index 94244ad..70667d2 100644
--- a/crypto/openssl/doc/crypto/BN_add_word.pod
+++ b/crypto/openssl/doc/crypto/BN_add_word.pod
@@ -29,11 +29,11 @@ BN_add_word() adds B<w> to B<a> (C<a+=w>).
 
 BN_sub_word() subtracts B<w> from B<a> (C<a-=w>).
 
-BN_mul_word() multiplies B<a> and B<w> (C<a*=b>).
+BN_mul_word() multiplies B<a> and B<w> (C<a*=w>).
 
 BN_div_word() divides B<a> by B<w> (C<a/=w>) and returns the remainder.
 
-BN_mod_word() returns the remainder of B<a> divided by B<w> (C<a%m>).
+BN_mod_word() returns the remainder of B<a> divided by B<w> (C<a%w>).
 
 For BN_div_word() and BN_mod_word(), B<w> must not be 0.
 
@@ -42,7 +42,8 @@ For BN_div_word() and BN_mod_word(), B<w> must not be 0.
 BN_add_word(), BN_sub_word() and BN_mul_word() return 1 for success, 0
 on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
 
-BN_mod_word() and BN_div_word() return B<a>%B<w>.
+BN_mod_word() and BN_div_word() return B<a>%B<w> on success and
+B<(BN_ULONG)-1> if an error occurred.
 
 =head1 SEE ALSO
 
@@ -54,4 +55,7 @@ BN_add_word() and BN_mod_word() are available in all versions of
 SSLeay and OpenSSL. BN_div_word() was added in SSLeay 0.8, and
 BN_sub_word() and BN_mul_word() in SSLeay 0.9.0.
 
+Before 0.9.8a the return value for BN_div_word() and BN_mod_word()
+in case of an error was 0.
+
 =cut
diff --git a/crypto/openssl/doc/crypto/BN_new.pod b/crypto/openssl/doc/crypto/BN_new.pod
index 3033789..ab7a105 100644
--- a/crypto/openssl/doc/crypto/BN_new.pod
+++ b/crypto/openssl/doc/crypto/BN_new.pod
@@ -20,7 +20,7 @@ BN_new, BN_init, BN_clear, BN_free, BN_clear_free - allocate and free BIGNUMs
 
 =head1 DESCRIPTION
 
-BN_new() allocated and initializes a B<BIGNUM> structure. BN_init()
+BN_new() allocates and initializes a B<BIGNUM> structure. BN_init()
 initializes an existing uninitialized B<BIGNUM>.
 
 BN_clear() is used to destroy sensitive data such as keys when they
diff --git a/crypto/openssl/doc/crypto/ERR_error_string.pod b/crypto/openssl/doc/crypto/ERR_error_string.pod
index e01beb8..cdfa7fe 100644
--- a/crypto/openssl/doc/crypto/ERR_error_string.pod
+++ b/crypto/openssl/doc/crypto/ERR_error_string.pod
@@ -11,7 +11,7 @@ error message
  #include <openssl/err.h>
 
  char *ERR_error_string(unsigned long e, char *buf);
- char *ERR_error_string_n(unsigned long e, char *buf, size_t len);
+ void ERR_error_string_n(unsigned long e, char *buf, size_t len);
 
  const char *ERR_lib_error_string(unsigned long e);
  const char *ERR_func_error_string(unsigned long e);
diff --git a/crypto/openssl/doc/crypto/ERR_set_mark.pod b/crypto/openssl/doc/crypto/ERR_set_mark.pod
new file mode 100644
index 0000000..d3ca4f2
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ERR_set_mark.pod
@@ -0,0 +1,38 @@
+=pod
+
+=head1 NAME
+
+ERR_set_mark, ERR_pop_to_mark - set marks and pop errors until mark
+
+=head1 SYNOPSIS
+
+ #include <openssl/err.h>
+
+ int ERR_set_mark(void);
+
+ int ERR_pop_to_mark(void);
+
+=head1 DESCRIPTION
+
+ERR_set_mark() sets a mark on the current topmost error record if there
+is one.
+
+ERR_pop_to_mark() will pop the top of the error stack until a mark is found.
+The mark is then removed.  If there is no mark, the whole stack is removed.
+
+=head1 RETURN VALUES
+
+ERR_set_mark() returns 0 if the error stack is empty, otherwise 1.
+
+ERR_pop_to_mark() returns 0 if there was no mark in the error stack, which
+implies that the stack became empty, otherwise 1.
+
+=head1 SEE ALSO
+
+L<err(3)|err(3)>
+
+=head1 HISTORY
+
+ERR_set_mark() and ERR_pop_to_mark() were added in OpenSSL 0.9.8.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/EVP_BytesToKey.pod b/crypto/openssl/doc/crypto/EVP_BytesToKey.pod
index 016381f..d375c46 100644
--- a/crypto/openssl/doc/crypto/EVP_BytesToKey.pod
+++ b/crypto/openssl/doc/crypto/EVP_BytesToKey.pod
@@ -60,7 +60,7 @@ EVP_BytesToKey() returns the size of the derived key in bytes.
 =head1 SEE ALSO
 
 L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
-L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>,
+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
 
 =head1 HISTORY
 
diff --git a/crypto/openssl/doc/crypto/EVP_DigestInit.pod b/crypto/openssl/doc/crypto/EVP_DigestInit.pod
index 1cb315e..130cd7f 100644
--- a/crypto/openssl/doc/crypto/EVP_DigestInit.pod
+++ b/crypto/openssl/doc/crypto/EVP_DigestInit.pod
@@ -18,7 +18,7 @@ EVP digest routines
  EVP_MD_CTX *EVP_MD_CTX_create(void);
 
  int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
- int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
+ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
  int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md,
         unsigned int *s);
 
diff --git a/crypto/openssl/doc/crypto/EVP_EncryptInit.pod b/crypto/openssl/doc/crypto/EVP_EncryptInit.pod
index daf57e5..8271d3d 100644
--- a/crypto/openssl/doc/crypto/EVP_EncryptInit.pod
+++ b/crypto/openssl/doc/crypto/EVP_EncryptInit.pod
@@ -22,7 +22,7 @@ EVP_CIPHER_CTX_set_padding - EVP cipher routines
 
  #include <openssl/evp.h>
 
- int EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
+ void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
 
  int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
 	 ENGINE *impl, unsigned char *key, unsigned char *iv);
@@ -236,8 +236,8 @@ RC5 can be set.
 
 =head1 RETURN VALUES
 
-EVP_CIPHER_CTX_init, EVP_EncryptInit_ex(), EVP_EncryptUpdate() and
-EVP_EncryptFinal_ex() return 1 for success and 0 for failure.
+EVP_EncryptInit_ex(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex()
+return 1 for success and 0 for failure.
 
 EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
 EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
@@ -479,6 +479,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an
 		if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen))
 			{
 			/* Error */
+			EVP_CIPHER_CTX_cleanup(&ctx);
 			return 0;
 			}
 		fwrite(outbuf, 1, outlen, out);
@@ -486,6 +487,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an
 	if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen))
 		{
 		/* Error */
+		EVP_CIPHER_CTX_cleanup(&ctx);
 		return 0;
 		}
 	fwrite(outbuf, 1, outlen, out);
diff --git a/crypto/openssl/doc/crypto/EVP_SealInit.pod b/crypto/openssl/doc/crypto/EVP_SealInit.pod
index b5e477e..7d793e1 100644
--- a/crypto/openssl/doc/crypto/EVP_SealInit.pod
+++ b/crypto/openssl/doc/crypto/EVP_SealInit.pod
@@ -8,8 +8,9 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
 
  #include <openssl/evp.h>
 
- int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
-		int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk);
+ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+                  unsigned char **ek, int *ekl, unsigned char *iv,
+                  EVP_PKEY **pubk, int npubk);
  int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
          int *outl, unsigned char *in, int inl);
  int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
diff --git a/crypto/openssl/doc/crypto/EVP_SignInit.pod b/crypto/openssl/doc/crypto/EVP_SignInit.pod
index b203c3a..b6e62ce 100644
--- a/crypto/openssl/doc/crypto/EVP_SignInit.pod
+++ b/crypto/openssl/doc/crypto/EVP_SignInit.pod
@@ -29,11 +29,10 @@ EVP_SignUpdate() hashes B<cnt> bytes of data at B<d> into the
 signature context B<ctx>. This function can be called several times on the
 same B<ctx> to include additional data.
 
-EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey>
-and places the signature in B<sig>. If the B<s> parameter is not NULL
-then the number of bytes of data written (i.e. the length of the signature)
-will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes
-will be written. 
+EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey> and
+places the signature in B<sig>. The number of bytes of data written (i.e. the
+length of the signature) will be written to the integer at B<s>, at most
+EVP_PKEY_size(pkey) bytes will be written. 
 
 EVP_SignInit() initializes a signing context B<ctx> to use the default
 implementation of digest B<type>.
diff --git a/crypto/openssl/doc/crypto/OPENSSL_Applink.pod b/crypto/openssl/doc/crypto/OPENSSL_Applink.pod
new file mode 100644
index 0000000..e54de12
--- /dev/null
+++ b/crypto/openssl/doc/crypto/OPENSSL_Applink.pod
@@ -0,0 +1,21 @@
+=pod
+
+=head1 NAME
+
+OPENSSL_Applink - glue between OpenSSL BIO and Win32 compiler run-time
+
+=head1 SYNOPSIS
+
+ __declspec(dllexport) void **OPENSSL_Applink();
+
+=head1 DESCRIPTION
+
+OPENSSL_Applink is application-side interface which provides a glue
+between OpenSSL BIO layer and Win32 compiler run-time environment.
+Even though it appears at application side, it's essentially OpenSSL
+private interface. For this reason application developers are not
+expected to implement it, but to compile provided module with
+compiler of their choice and link it into the target application.
+The referred module is available as <openssl>/ms/applink.c.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/OPENSSL_config.pod b/crypto/openssl/doc/crypto/OPENSSL_config.pod
index 1660062..e7bba2a 100644
--- a/crypto/openssl/doc/crypto/OPENSSL_config.pod
+++ b/crypto/openssl/doc/crypto/OPENSSL_config.pod
@@ -35,7 +35,7 @@ calls OPENSSL_add_all_algorithms() by compiling an application with the
 preprocessor symbol B<OPENSSL_LOAD_CONF> #define'd. In this way configuration
 can be added without source changes.
 
-The environment variable B<OPENSSL_CONFIG> can be set to specify the location
+The environment variable B<OPENSSL_CONF> can be set to specify the location
 of the configuration file.
  
 Currently ASN1 OBJECTs and ENGINE configuration can be performed future
diff --git a/crypto/openssl/doc/crypto/OPENSSL_ia32cap.pod b/crypto/openssl/doc/crypto/OPENSSL_ia32cap.pod
new file mode 100644
index 0000000..121a8dd
--- /dev/null
+++ b/crypto/openssl/doc/crypto/OPENSSL_ia32cap.pod
@@ -0,0 +1,35 @@
+=pod
+
+=head1 NAME
+
+OPENSSL_ia32cap - finding the IA-32 processor capabilities
+
+=head1 SYNOPSIS
+
+ unsigned long *OPENSSL_ia32cap_loc(void);
+ #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
+
+=head1 DESCRIPTION
+
+Value returned by OPENSSL_ia32cap_loc() is address of a variable
+containing IA-32 processor capabilities bit vector as it appears in EDX
+register after executing CPUID instruction with EAX=1 input value (see
+Intel Application Note #241618). Naturally it's meaningful on IA-32[E]
+platforms only. The variable is normally set up automatically upon
+toolkit initialization, but can be manipulated afterwards to modify
+crypto library behaviour. For the moment of this writing three bits are
+significant, namely bit #28 denoting Hyperthreading, which is used to
+distinguish Intel P4 core, bit #26 denoting SSE2 support, and bit #4
+denoting presence of Time-Stamp Counter. Clearing bit #26 at run-time
+for example disables high-performance SSE2 code present in the crypto
+library. You might have to do this if target OpenSSL application is
+executed on SSE2 capable CPU, but under control of OS which does not
+support SSE2 extentions. Even though you can manipulate the value
+programmatically, you most likely will find it more appropriate to set
+up an environment variable with the same name prior starting target
+application, e.g. 'env OPENSSL_ia32cap=0x10 apps/openssl', to achieve
+same effect without modifying the application source code.
+Alternatively you can reconfigure the toolkit with no-sse2 option and
+recompile.
+
+=cut
diff --git a/crypto/openssl/doc/crypto/PKCS12_create.pod b/crypto/openssl/doc/crypto/PKCS12_create.pod
index 48f3bb8..de7cab2 100644
--- a/crypto/openssl/doc/crypto/PKCS12_create.pod
+++ b/crypto/openssl/doc/crypto/PKCS12_create.pod
@@ -46,6 +46,24 @@ export grade software which could use signing only keys of arbitrary size but
 had restrictions on the permissible sizes of keys which could be used for
 encryption.
 
+=head1 NEW FUNCTIONALITY IN OPENSSL 0.9.8
+
+Some additional functionality was added to PKCS12_create() in OpenSSL
+0.9.8. These extensions are detailed below.
+
+If a certificate contains an B<alias> or B<keyid> then this will be
+used for the corresponding B<friendlyName> or B<localKeyID> in the
+PKCS12 structure.
+
+Either B<pkey>, B<cert> or both can be B<NULL> to indicate that no key or
+certficate is required. In previous versions both had to be present or
+a fatal error is returned.
+
+B<nid_key> or B<nid_cert> can be set to -1 indicating that no encryption
+should be used. 
+
+B<mac_iter> can be set to -1 and the MAC will then be omitted entirely.
+
 =head1 SEE ALSO
 
 L<d2i_PKCS12(3)|d2i_PKCS12(3)>
diff --git a/crypto/openssl/doc/crypto/PKCS7_sign.pod b/crypto/openssl/doc/crypto/PKCS7_sign.pod
index fc7e649..ffd0c73 100644
--- a/crypto/openssl/doc/crypto/PKCS7_sign.pod
+++ b/crypto/openssl/doc/crypto/PKCS7_sign.pod
@@ -51,6 +51,24 @@ If present the SMIMECapabilities attribute indicates support for the following
 algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any
 of these algorithms is disabled then it will not be included.
 
+If the flags B<PKCS7_PARTSIGN> is set then the returned B<PKCS7> structure
+is just initialized ready to perform the signing operation. The signing
+is however B<not> performed and the data to be signed is not read from
+the B<data> parameter. Signing is deferred until after the data has been
+written. In this way data can be signed in a single pass. Currently the
+flag B<PKCS7_DETACHED> B<must> also be set.
+
+=head1 NOTES
+
+Currently the flag B<PKCS7_PARTSIGN> is only supported for detached
+data. If this flag is set the returned B<PKCS7> structure is B<not>
+complete and outputting its contents via a function that does not
+properly finalize the B<PKCS7> structure will give unpredictable 
+results.
+
+At present only the SMIME_write_PKCS7() function properly finalizes the
+structure.
+
 =head1 BUGS
 
 PKCS7_sign() is somewhat limited. It does not support multiple signers, some
@@ -64,10 +82,6 @@ signed due to memory restraints. There should be a way to sign data without
 having to hold it all in memory, this would however require fairly major
 revisions of the OpenSSL ASN1 code.
 
-Clear text signing does not store the content in memory but the way PKCS7_sign()
-operates means that two passes of the data must typically be made: one to compute
-the signatures and a second to output the data along with the signature. There
-should be a way to process the data with only a single pass.
 
 =head1 RETURN VALUES
 
@@ -82,4 +96,6 @@ L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_verify(3)|PKCS7_verify(3)>
 
 PKCS7_sign() was added to OpenSSL 0.9.5
 
+The B<PKCS7_PARTSIGN> flag was added in OpenSSL 0.9.8
+
 =cut
diff --git a/crypto/openssl/doc/crypto/PKCS7_verify.pod b/crypto/openssl/doc/crypto/PKCS7_verify.pod
index 07c9fda..3490b5d 100644
--- a/crypto/openssl/doc/crypto/PKCS7_verify.pod
+++ b/crypto/openssl/doc/crypto/PKCS7_verify.pod
@@ -8,7 +8,7 @@ PKCS7_verify - verify a PKCS#7 signedData structure
 
 int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags);
 
-int PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
+STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/crypto/RSA_sign.pod b/crypto/openssl/doc/crypto/RSA_sign.pod
index 71688a6..8553be8 100644
--- a/crypto/openssl/doc/crypto/RSA_sign.pod
+++ b/crypto/openssl/doc/crypto/RSA_sign.pod
@@ -8,10 +8,10 @@ RSA_sign, RSA_verify - RSA signatures
 
  #include <openssl/rsa.h>
 
- int RSA_sign(int type, unsigned char *m, unsigned int m_len,
+ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
     unsigned char *sigret, unsigned int *siglen, RSA *rsa);
 
- int RSA_verify(int type, unsigned char *m, unsigned int m_len,
+ int RSA_verify(int type, const unsigned char *m, unsigned int m_len,
     unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
 
 =head1 DESCRIPTION
diff --git a/crypto/openssl/doc/crypto/SMIME_write_PKCS7.pod b/crypto/openssl/doc/crypto/SMIME_write_PKCS7.pod
index 2cfad2e..61945b3 100644
--- a/crypto/openssl/doc/crypto/SMIME_write_PKCS7.pod
+++ b/crypto/openssl/doc/crypto/SMIME_write_PKCS7.pod
@@ -30,18 +30,20 @@ If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain>
 are added to the content, this only makes sense if B<PKCS7_DETACHED>
 is also set.
 
-If cleartext signing is being used then the data must be read twice:
-once to compute the signature in PKCS7_sign() and once to output the
-S/MIME message.
+If the B<PKCS7_PARTSIGN> flag is set the signed data is finalized
+and output along with the content. This flag should only be set
+if B<PKCS7_DETACHED> is also set and the previous call to PKCS7_sign()
+also set these flags.
+
+If cleartext signing is being used and B<PKCS7_PARTSIGN> not set then
+the data must be read twice: once to compute the signature in PKCS7_sign()
+and once to output the S/MIME message.
 
 =head1 BUGS
 
 SMIME_write_PKCS7() always base64 encodes PKCS#7 structures, there
 should be an option to disable this.
 
-There should really be a way to produce cleartext signing using only
-a single pass of the data.
-
 =head1 RETURN VALUES
 
 SMIME_write_PKCS7() returns 1 for success or 0 for failure.
diff --git a/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod b/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
index d287c18..11b35f6 100644
--- a/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
+++ b/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
@@ -13,11 +13,11 @@ ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
 ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
 
 int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj);
-int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, unsigned char *bytes, int len);
+int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, const unsigned char *bytes, int len);
 
-X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, char *field, int type, unsigned char *bytes, int len);
+X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, const char *field, int type, const unsigned char *bytes, int len);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type,unsigned char *bytes, int len);
-X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type,unsigned char *bytes, int len);
+X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod b/crypto/openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod
index 4472a1c..e2ab4b0 100644
--- a/crypto/openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod
+++ b/crypto/openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod
@@ -7,10 +7,14 @@ X509_NAME_add_entry, X509_NAME_delete_entry - X509_NAME modification functions
 
 =head1 SYNOPSIS
 
-int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type, unsigned char *bytes, int len, int loc, int set);
+int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, const unsigned char *bytes, int len, int loc, int set);
+
 int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, unsigned char *bytes, int len, int loc, int set);
+
 int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, unsigned char *bytes, int len, int loc, int set);
+
 int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne, int loc, int set);
+
 X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
 
 =head1 DESCRIPTION
diff --git a/crypto/openssl/doc/crypto/X509_NAME_print_ex.pod b/crypto/openssl/doc/crypto/X509_NAME_print_ex.pod
index 907c04f..919b908 100644
--- a/crypto/openssl/doc/crypto/X509_NAME_print_ex.pod
+++ b/crypto/openssl/doc/crypto/X509_NAME_print_ex.pod
@@ -41,8 +41,8 @@ applications.
 Although there are a large number of possible flags for most purposes
 B<XN_FLAG_ONELINE>, B<XN_FLAG_MULTILINE> or B<XN_FLAG_RFC2253> will suffice.
 As noted on the L<ASN1_STRING_print_ex(3)|ASN1_STRING_print_ex(3)> manual page
-for UTF8 terminals the B<ASN1_STRFLAGS_ESC_MSB> should be unset: so for example
-B<XN_FLAG_ONELINE & ~ASN1_STRFLAGS_ESC_MSB> would be used.
+for UTF8 terminals the B<ASN1_STRFLGS_ESC_MSB> should be unset: so for example
+B<XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB> would be used.
 
 The complete set of the flags supported by X509_NAME_print_ex() is listed below.
 
diff --git a/crypto/openssl/doc/crypto/blowfish.pod b/crypto/openssl/doc/crypto/blowfish.pod
index ed71334..5b2d274 100644
--- a/crypto/openssl/doc/crypto/blowfish.pod
+++ b/crypto/openssl/doc/crypto/blowfish.pod
@@ -32,7 +32,7 @@ by Counterpane (see http://www.counterpane.com/blowfish.html ).
 
 Blowfish is a block cipher that operates on 64 bit (8 byte) blocks of data.
 It uses a variable size key, but typically, 128 bit (16 byte) keys are
-a considered good for strong encryption.  Blowfish can be used in the same
+considered good for strong encryption.  Blowfish can be used in the same
 modes as DES (see L<des_modes(7)|des_modes(7)>).  Blowfish is currently one
 of the faster block ciphers.  It is quite a bit faster than DES, and much
 faster than IDEA or RC2.
diff --git a/crypto/openssl/doc/crypto/bn.pod b/crypto/openssl/doc/crypto/bn.pod
index 210dfea..cd2f8e5 100644
--- a/crypto/openssl/doc/crypto/bn.pod
+++ b/crypto/openssl/doc/crypto/bn.pod
@@ -27,6 +27,9 @@ bn - multiprecision integer arithmetics
  int BN_num_bits(const BIGNUM *a);
  int BN_num_bits_word(BN_ULONG w);
 
+ void BN_set_negative(BIGNUM *a, int n);
+ int  BN_is_negative(const BIGNUM *a);
+
  int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
  int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
  int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
@@ -118,6 +121,25 @@ bn - multiprecision integer arithmetics
  int BN_to_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
          BN_CTX *ctx);
 
+ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai,
+	BIGNUM *mod);
+ void BN_BLINDING_free(BN_BLINDING *b);
+ int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx);
+ int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+ int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
+ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b,
+	BN_CTX *ctx);
+ int BN_BLINDING_invert_ex(BIGNUM *n,const BIGNUM *r,BN_BLINDING *b,
+	BN_CTX *ctx);
+ unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
+ void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
+ unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
+ void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
+ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
+	const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
+	int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+			  const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
+	BN_MONT_CTX *m_ctx);
 
 =head1 DESCRIPTION
 
@@ -153,6 +175,7 @@ L<BN_cmp(3)|BN_cmp(3)>, L<BN_zero(3)|BN_zero(3)>, L<BN_rand(3)|BN_rand(3)>,
 L<BN_generate_prime(3)|BN_generate_prime(3)>, L<BN_set_bit(3)|BN_set_bit(3)>,
 L<BN_bn2bin(3)|BN_bn2bin(3)>, L<BN_mod_inverse(3)|BN_mod_inverse(3)>,
 L<BN_mod_mul_reciprocal(3)|BN_mod_mul_reciprocal(3)>,
-L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)> 
+L<BN_mod_mul_montgomery(3)|BN_mod_mul_montgomery(3)>,
+L<BN_BLINDING_new(3)|BN_BLINDING_new(3)>
 
 =cut
diff --git a/crypto/openssl/doc/crypto/bn_internal.pod b/crypto/openssl/doc/crypto/bn_internal.pod
index 9805a7c..8919146 100644
--- a/crypto/openssl/doc/crypto/bn_internal.pod
+++ b/crypto/openssl/doc/crypto/bn_internal.pod
@@ -72,19 +72,19 @@ applications.
 
  typedef struct bignum_st
         {
-        int top;      /* index of last used d (most significant word) */
-        BN_ULONG *d;  /* pointer to an array of 'BITS2' bit chunks */
+        int top;      /* number of words used in d */
+        BN_ULONG *d;  /* pointer to an array containing the integer value */
         int max;      /* size of the d array */
         int neg;      /* sign */
         } BIGNUM;
 
-The big number is stored in B<d>, a malloc()ed array of B<BN_ULONG>s,
-least significant first. A B<BN_ULONG> can be either 16, 32 or 64 bits
-in size (B<BITS2>), depending on the 'number of bits' specified in
+The integer value is stored in B<d>, a malloc()ed array of words (B<BN_ULONG>),
+least significant word first. A B<BN_ULONG> can be either 16, 32 or 64 bits
+in size, depending on the 'number of bits' (B<BITS2>) specified in
 C<openssl/bn.h>.
 
 B<max> is the size of the B<d> array that has been allocated.  B<top>
-is the 'last' entry being used, so for a value of 4, bn.d[0]=4 and
+is the number of words being used, so for a value of 4, bn.d[0]=4 and
 bn.top=1.  B<neg> is 1 if the number is negative.  When a B<BIGNUM> is
 B<0>, the B<d> field can be B<NULL> and B<top> == B<0>.
 
@@ -202,7 +202,7 @@ call bn_expand2(), which allocates a new B<d> array and copies the
 data.  They return B<NULL> on error, B<b> otherwise.
 
 The bn_fix_top() macro reduces B<a-E<gt>top> to point to the most
-significant non-zero word when B<a> has shrunk.
+significant non-zero word plus one when B<a> has shrunk.
 
 =head2 Debugging
 
diff --git a/crypto/openssl/doc/crypto/d2i_X509.pod b/crypto/openssl/doc/crypto/d2i_X509.pod
index 5e3c3d0..5bfa18a 100644
--- a/crypto/openssl/doc/crypto/d2i_X509.pod
+++ b/crypto/openssl/doc/crypto/d2i_X509.pod
@@ -9,7 +9,7 @@ i2d_X509_fp - X509 encode and decode functions
 
  #include <openssl/x509.h>
 
- X509 *d2i_X509(X509 **px, unsigned char **in, int len);
+ X509 *d2i_X509(X509 **px, const unsigned char **in, int len);
  int i2d_X509(X509 *x, unsigned char **out);
 
  X509 *d2i_X509_bio(BIO *bp, X509 **x);
@@ -23,13 +23,13 @@ i2d_X509_fp - X509 encode and decode functions
 The X509 encode and decode routines encode and parse an
 B<X509> structure, which represents an X509 certificate.
 
-d2i_X509() attempts to decode B<len> bytes at B<*out>. If 
+d2i_X509() attempts to decode B<len> bytes at B<*in>. If 
 successful a pointer to the B<X509> structure is returned. If an error
 occurred then B<NULL> is returned. If B<px> is not B<NULL> then the
 returned structure is written to B<*px>. If B<*px> is not B<NULL>
 then it is assumed that B<*px> contains a valid B<X509>
 structure and an attempt is made to reuse it. If the call is
-successful B<*out> is incremented to the byte following the
+successful B<*in> is incremented to the byte following the
 parsed data.
 
 i2d_X509() encodes the structure pointed to by B<x> into DER format.
diff --git a/crypto/openssl/doc/crypto/d2i_X509_CRL.pod b/crypto/openssl/doc/crypto/d2i_X509_CRL.pod
index 06c5b23..e7295a5 100644
--- a/crypto/openssl/doc/crypto/d2i_X509_CRL.pod
+++ b/crypto/openssl/doc/crypto/d2i_X509_CRL.pod
@@ -9,7 +9,7 @@ i2d_X509_CRL_bio, i2d_X509_CRL_fp - PKCS#10 certificate request functions.
 
  #include <openssl/x509.h>
 
- X509_CRL *d2i_X509_CRL(X509_CRL **a, unsigned char **pp, long length);
+ X509_CRL *d2i_X509_CRL(X509_CRL **a, const unsigned char **pp, long length);
  int i2d_X509_CRL(X509_CRL *a, unsigned char **pp);
 
  X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **x);
diff --git a/crypto/openssl/doc/crypto/d2i_X509_REQ.pod b/crypto/openssl/doc/crypto/d2i_X509_REQ.pod
index be4ad68..ae32a38 100644
--- a/crypto/openssl/doc/crypto/d2i_X509_REQ.pod
+++ b/crypto/openssl/doc/crypto/d2i_X509_REQ.pod
@@ -9,7 +9,7 @@ i2d_X509_REQ_bio, i2d_X509_REQ_fp - PKCS#10 certificate request functions.
 
  #include <openssl/x509.h>
 
- X509_REQ *d2i_X509_REQ(X509_REQ **a, unsigned char **pp, long length);
+ X509_REQ *d2i_X509_REQ(X509_REQ **a, const unsigned char **pp, long length);
  int i2d_X509_REQ(X509_REQ *a, unsigned char **pp);
 
  X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **x);
diff --git a/crypto/openssl/doc/crypto/des_modes.pod b/crypto/openssl/doc/crypto/des_modes.pod
index da75e80..0266403 100644
--- a/crypto/openssl/doc/crypto/des_modes.pod
+++ b/crypto/openssl/doc/crypto/des_modes.pod
@@ -1,5 +1,7 @@
 =pod
 
+=for comment openssl_manual_section:7
+
 =head1 NAME
 
 Modes of DES - the variants of DES and other crypto algorithms of OpenSSL
diff --git a/crypto/openssl/doc/crypto/ecdsa.pod b/crypto/openssl/doc/crypto/ecdsa.pod
new file mode 100644
index 0000000..49b10f2
--- /dev/null
+++ b/crypto/openssl/doc/crypto/ecdsa.pod
@@ -0,0 +1,210 @@
+=pod
+
+=head1 NAME
+
+ecdsa - Elliptic Curve Digital Signature Algorithm
+
+=head1 SYNOPSIS
+
+ #include <openssl/ecdsa.h>
+
+ ECDSA_SIG*	ECDSA_SIG_new(void);
+ void		ECDSA_SIG_free(ECDSA_SIG *sig);
+ int		i2d_ECDSA_SIG(const ECDSA_SIG *sig, unsigned char **pp);
+ ECDSA_SIG*	d2i_ECDSA_SIG(ECDSA_SIG **sig, const unsigned char **pp, 
+		long len);
+
+ ECDSA_SIG*	ECDSA_do_sign(const unsigned char *dgst, int dgst_len,
+			EC_KEY *eckey);
+ ECDSA_SIG*	ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen, 
+			const BIGNUM *kinv, const BIGNUM *rp,
+			EC_KEY *eckey);
+ int		ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
+			const ECDSA_SIG *sig, EC_KEY* eckey);
+ int		ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx,
+			BIGNUM **kinv, BIGNUM **rp);
+ int		ECDSA_sign(int type, const unsigned char *dgst,
+			int dgstlen, unsigned char *sig,
+			unsigned int *siglen, EC_KEY *eckey);
+ int		ECDSA_sign_ex(int type, const unsigned char *dgst,
+			int dgstlen, unsigned char *sig,
+			unsigned int *siglen, const BIGNUM *kinv, 
+			const BIGNUM *rp, EC_KEY *eckey);
+ int		ECDSA_verify(int type, const unsigned char *dgst,
+			int dgstlen, const unsigned char *sig,
+			int siglen, EC_KEY *eckey);
+ int		ECDSA_size(const EC_KEY *eckey);
+
+ const ECDSA_METHOD*	ECDSA_OpenSSL(void);
+ void		ECDSA_set_default_method(const ECDSA_METHOD *meth);
+ const ECDSA_METHOD*	ECDSA_get_default_method(void);
+ int		ECDSA_set_method(EC_KEY *eckey,const ECDSA_METHOD *meth);
+
+ int		ECDSA_get_ex_new_index(long argl, void *argp,
+			CRYPTO_EX_new *new_func,
+			CRYPTO_EX_dup *dup_func,
+			CRYPTO_EX_free *free_func);
+ int		ECDSA_set_ex_data(EC_KEY *d, int idx, void *arg);
+ void*		ECDSA_get_ex_data(EC_KEY *d, int idx);
+
+=head1 DESCRIPTION
+
+The B<ECDSA_SIG> structure consists of two BIGNUMs for the
+r and s value of a ECDSA signature (see X9.62 or FIPS 186-2).
+
+ struct
+	{
+	BIGNUM *r;
+	BIGNUM *s;
+ } ECDSA_SIG;
+
+ECDSA_SIG_new() allocates a new B<ECDSA_SIG> structure (note: this
+function also allocates the BIGNUMs) and initialize it.
+
+ECDSA_SIG_free() frees the B<ECDSA_SIG> structure B<sig>.
+
+i2d_ECDSA_SIG() creates the DER encoding of the ECDSA signature
+B<sig> and writes the encoded signature to B<*pp> (note: if B<pp>
+is NULL B<i2d_ECDSA_SIG> returns the expected length in bytes of 
+the DER encoded signature). B<i2d_ECDSA_SIG> returns the length
+of the DER encoded signature (or 0 on error).
+
+d2i_ECDSA_SIG() decodes a DER encoded ECDSA signature and returns
+the decoded signature in a newly allocated B<ECDSA_SIG> structure.
+B<*sig> points to the buffer containing the DER encoded signature
+of size B<len>.
+
+ECDSA_size() returns the maximum length of a DER encoded
+ECDSA signature created with the private EC key B<eckey>.
+
+ECDSA_sign_setup() may be used to precompute parts of the
+signing operation. B<eckey> is the private EC key and B<ctx>
+is a pointer to B<BN_CTX> structure (or NULL). The precomputed
+values or returned in B<kinv> and B<rp> and can be used in a
+later call to B<ECDSA_sign_ex> or B<ECDSA_do_sign_ex>.
+
+ECDSA_sign() is wrapper function for ECDSA_sign_ex with B<kinv>
+and B<rp> set to NULL.
+
+ECDSA_sign_ex() computes a digital signature of the B<dgstlen> bytes
+hash value B<dgst> using the private EC key B<eckey> and the optional
+pre-computed values B<kinv> and B<rp>. The DER encoded signatures is
+stored in B<sig> and it's length is returned in B<sig_len>. Note: B<sig>
+must point to B<ECDSA_size> bytes of memory. The parameter B<type>
+is ignored.
+
+ECDSA_verify() verifies that the signature in B<sig> of size
+B<siglen> is a valid ECDSA signature of the hash value
+value B<dgst> of size B<dgstlen> using the public key B<eckey>.
+The parameter B<type> is ignored.
+
+ECDSA_do_sign() is wrapper function for ECDSA_do_sign_ex with B<kinv>
+and B<rp> set to NULL.
+
+ECDSA_do_sign_ex() computes a digital signature of the B<dgst_len>
+bytes hash value B<dgst> using the private key B<eckey> and the
+optional pre-computed values B<kinv> and B<rp>. The signature is
+returned in a newly allocated B<ECDSA_SIG> structure (or NULL on error).
+
+ECDSA_do_verify() verifies that the signature B<sig> is a valid
+ECDSA signature of the hash value B<dgst> of size B<dgst_len>
+using the public key B<eckey>.
+
+=head1 RETURN VALUES
+
+ECDSA_size() returns the maximum length signature or 0 on error.
+
+ECDSA_sign_setup() and ECDSA_sign() return 1 if successful or -1
+on error.
+
+ECDSA_verify() and ECDSA_do_verify() return 1 for a valid
+signature, 0 for an invalid signature and -1 on error.
+The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 EXAMPLES
+
+Creating a ECDSA signature of given SHA-1 hash value using the
+named curve secp192k1.
+
+First step: create a EC_KEY object (note: this part is B<not> ECDSA
+specific)
+
+ int        ret;
+ ECDSA_SIG *sig;
+ EC_KEY    *eckey = EC_KEY_new();
+ if (eckey == NULL)
+	{
+	/* error */
+	}
+ key->group = EC_GROUP_new_by_nid(NID_secp192k1);
+ if (key->group == NULL)
+	{
+	/* error */
+	}
+ if (!EC_KEY_generate_key(eckey))
+	{
+	/* error */
+	}
+
+Second step: compute the ECDSA signature of a SHA-1 hash value 
+using B<ECDSA_do_sign> 
+
+ sig = ECDSA_do_sign(digest, 20, eckey);
+ if (sig == NULL)
+	{
+	/* error */
+	}
+
+or using B<ECDSA_sign>
+
+ unsigned char *buffer, *pp;
+ int            buf_len;
+ buf_len = ECDSA_size(eckey);
+ buffer  = OPENSSL_malloc(buf_len);
+ pp = buffer;
+ if (!ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey);
+	{
+	/* error */
+	}
+
+Third step: verify the created ECDSA signature using B<ECDSA_do_verify>
+
+ ret = ECDSA_do_verify(digest, 20, sig, eckey);
+
+or using B<ECDSA_verify>
+
+ ret = ECDSA_verify(0, digest, 20, buffer, buf_len, eckey);
+
+and finally evaluate the return value:
+
+ if (ret == -1)
+	{
+	/* error */
+	}
+ else if (ret == 0)
+	{
+	/* incorrect signature */
+	}
+ else	/* ret == 1 */
+	{
+	/* signature ok */
+	}
+
+=head1 CONFORMING TO
+
+ANSI X9.62, US Federal Information Processing Standard FIPS 186-2
+(Digital Signature Standard, DSS)
+
+=head1 SEE ALSO
+
+L<dsa(3)|dsa(3)>, L<rsa(3)|rsa(3)>
+
+=head1 HISTORY
+
+The ecdsa implementation was first introduced in OpenSSL 0.9.8
+
+=head1 AUTHOR
+
+Nils Larsch for the OpenSSL project (http://www.openssl.org).
+
+=cut
diff --git a/crypto/openssl/doc/crypto/engine.pod b/crypto/openssl/doc/crypto/engine.pod
index c77dad5..75933fc 100644
--- a/crypto/openssl/doc/crypto/engine.pod
+++ b/crypto/openssl/doc/crypto/engine.pod
@@ -23,21 +23,26 @@ engine - ENGINE cryptographic module support
 
  void ENGINE_load_openssl(void);
  void ENGINE_load_dynamic(void);
- void ENGINE_load_cswift(void);
- void ENGINE_load_chil(void);
+ #ifndef OPENSSL_NO_STATIC_ENGINE
+ void ENGINE_load_4758cca(void);
+ void ENGINE_load_aep(void);
  void ENGINE_load_atalla(void);
+ void ENGINE_load_chil(void);
+ void ENGINE_load_cswift(void);
+ void ENGINE_load_gmp(void);
  void ENGINE_load_nuron(void);
- void ENGINE_load_ubsec(void);
- void ENGINE_load_aep(void);
  void ENGINE_load_sureware(void);
- void ENGINE_load_4758cca(void);
- void ENGINE_load_openbsd_dev_crypto(void);
+ void ENGINE_load_ubsec(void);
+ #endif
+ void ENGINE_load_cryptodev(void);
  void ENGINE_load_builtin_engines(void);
 
  void ENGINE_cleanup(void);
 
  ENGINE *ENGINE_get_default_RSA(void);
  ENGINE *ENGINE_get_default_DSA(void);
+ ENGINE *ENGINE_get_default_ECDH(void);
+ ENGINE *ENGINE_get_default_ECDSA(void);
  ENGINE *ENGINE_get_default_DH(void);
  ENGINE *ENGINE_get_default_RAND(void);
  ENGINE *ENGINE_get_cipher_engine(int nid);
@@ -45,6 +50,8 @@ engine - ENGINE cryptographic module support
 
  int ENGINE_set_default_RSA(ENGINE *e);
  int ENGINE_set_default_DSA(ENGINE *e);
+ int ENGINE_set_default_ECDH(ENGINE *e);
+ int ENGINE_set_default_ECDSA(ENGINE *e);
  int ENGINE_set_default_DH(ENGINE *e);
  int ENGINE_set_default_RAND(ENGINE *e);
  int ENGINE_set_default_ciphers(ENGINE *e);
@@ -62,12 +69,21 @@ engine - ENGINE cryptographic module support
  int ENGINE_register_DSA(ENGINE *e);
  void ENGINE_unregister_DSA(ENGINE *e);
  void ENGINE_register_all_DSA(void);
+ int ENGINE_register_ECDH(ENGINE *e);
+ void ENGINE_unregister_ECDH(ENGINE *e);
+ void ENGINE_register_all_ECDH(void);
+ int ENGINE_register_ECDSA(ENGINE *e);
+ void ENGINE_unregister_ECDSA(ENGINE *e);
+ void ENGINE_register_all_ECDSA(void);
  int ENGINE_register_DH(ENGINE *e);
  void ENGINE_unregister_DH(ENGINE *e);
  void ENGINE_register_all_DH(void);
  int ENGINE_register_RAND(ENGINE *e);
  void ENGINE_unregister_RAND(ENGINE *e);
  void ENGINE_register_all_RAND(void);
+ int ENGINE_register_STORE(ENGINE *e);
+ void ENGINE_unregister_STORE(ENGINE *e);
+ void ENGINE_register_all_STORE(void);
  int ENGINE_register_ciphers(ENGINE *e);
  void ENGINE_unregister_ciphers(ENGINE *e);
  void ENGINE_register_all_ciphers(void);
@@ -77,12 +93,12 @@ engine - ENGINE cryptographic module support
  int ENGINE_register_complete(ENGINE *e);
  int ENGINE_register_all_complete(void);
 
- int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)());
+ int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
  int ENGINE_cmd_is_executable(ENGINE *e, int cmd);
  int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
-         long i, void *p, void (*f)(), int cmd_optional);
+         long i, void *p, void (*f)(void), int cmd_optional);
  int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
-                 int cmd_optional);
+         int cmd_optional);
 
  int ENGINE_set_ex_data(ENGINE *e, int idx, void *arg);
  void *ENGINE_get_ex_data(const ENGINE *e, int idx);
@@ -92,13 +108,17 @@ engine - ENGINE cryptographic module support
 
  ENGINE *ENGINE_new(void);
  int ENGINE_free(ENGINE *e);
+ int ENGINE_up_ref(ENGINE *e);
 
  int ENGINE_set_id(ENGINE *e, const char *id);
  int ENGINE_set_name(ENGINE *e, const char *name);
  int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth);
  int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth);
+ int ENGINE_set_ECDH(ENGINE *e, const ECDH_METHOD *dh_meth);
+ int ENGINE_set_ECDSA(ENGINE *e, const ECDSA_METHOD *dh_meth);
  int ENGINE_set_DH(ENGINE *e, const DH_METHOD *dh_meth);
  int ENGINE_set_RAND(ENGINE *e, const RAND_METHOD *rand_meth);
+ int ENGINE_set_STORE(ENGINE *e, const STORE_METHOD *rand_meth);
  int ENGINE_set_destroy_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR destroy_f);
  int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f);
  int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f);
@@ -114,8 +134,11 @@ engine - ENGINE cryptographic module support
  const char *ENGINE_get_name(const ENGINE *e);
  const RSA_METHOD *ENGINE_get_RSA(const ENGINE *e);
  const DSA_METHOD *ENGINE_get_DSA(const ENGINE *e);
+ const ECDH_METHOD *ENGINE_get_ECDH(const ENGINE *e);
+ const ECDSA_METHOD *ENGINE_get_ECDSA(const ENGINE *e);
  const DH_METHOD *ENGINE_get_DH(const ENGINE *e);
  const RAND_METHOD *ENGINE_get_RAND(const ENGINE *e);
+ const STORE_METHOD *ENGINE_get_STORE(const ENGINE *e);
  ENGINE_GEN_INT_FUNC_PTR ENGINE_get_destroy_function(const ENGINE *e);
  ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(const ENGINE *e);
  ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e);
@@ -148,7 +171,8 @@ The cryptographic functionality that can be provided by an B<ENGINE>
 implementation includes the following abstractions;
 
  RSA_METHOD - for providing alternative RSA implementations
- DSA_METHOD, DH_METHOD, RAND_METHOD - alternative DSA, DH, and RAND
+ DSA_METHOD, DH_METHOD, RAND_METHOD, ECDH_METHOD, ECDSA_METHOD,
+       STORE_METHOD - similarly for other OpenSSL APIs
  EVP_CIPHER - potentially multiple cipher algorithms (indexed by 'nid')
  EVP_DIGEST - potentially multiple hash algorithms (indexed by 'nid')
  key-loading - loading public and/or private EVP_PKEY keys
@@ -157,21 +181,20 @@ implementation includes the following abstractions;
 
 Due to the modular nature of the ENGINE API, pointers to ENGINEs need to be
 treated as handles - ie. not only as pointers, but also as references to
-the underlying ENGINE object. Ie. you should obtain a new reference when
+the underlying ENGINE object. Ie. one should obtain a new reference when
 making copies of an ENGINE pointer if the copies will be used (and
 released) independantly.
 
 ENGINE objects have two levels of reference-counting to match the way in
 which the objects are used. At the most basic level, each ENGINE pointer is
-inherently a B<structural> reference - you need a structural reference
-simply to refer to the pointer value at all, as this kind of reference is
-your guarantee that the structure can not be deallocated until you release
-your reference.
-
-However, a structural reference provides no guarantee that the ENGINE has
-been initiliased to be usable to perform any of its cryptographic
-implementations - and indeed it's quite possible that most ENGINEs will not
-initialised at all on standard setups, as ENGINEs are typically used to
+inherently a B<structural> reference - a structural reference is required
+to use the pointer value at all, as this kind of reference is a guarantee
+that the structure can not be deallocated until the reference is released.
+
+However, a structural reference provides no guarantee that the ENGINE is
+initiliased and able to use any of its cryptographic
+implementations. Indeed it's quite possible that most ENGINEs will not
+initialise at all in typical environments, as ENGINEs are typically used to
 support specialised hardware. To use an ENGINE's functionality, you need a
 B<functional> reference. This kind of reference can be considered a
 specialised form of structural reference, because each functional reference
@@ -179,30 +202,24 @@ implicitly contains a structural reference as well - however to avoid
 difficult-to-find programming bugs, it is recommended to treat the two
 kinds of reference independantly. If you have a functional reference to an
 ENGINE, you have a guarantee that the ENGINE has been initialised ready to
-perform cryptographic operations and will not be uninitialised or cleaned
-up until after you have released your reference.
-
-We will discuss the two kinds of reference separately, including how to
-tell which one you are dealing with at any given point in time (after all
-they are both simply (ENGINE *) pointers, the difference is in the way they
-are used).
+perform cryptographic operations and will remain uninitialised
+until after you have released your reference.
 
 I<Structural references>
 
-This basic type of reference is typically used for creating new ENGINEs
-dynamically, iterating across OpenSSL's internal linked-list of loaded
+This basic type of reference is used for instantiating new ENGINEs,
+iterating across OpenSSL's internal linked-list of loaded
 ENGINEs, reading information about an ENGINE, etc. Essentially a structural
 reference is sufficient if you only need to query or manipulate the data of
 an ENGINE implementation rather than use its functionality.
 
 The ENGINE_new() function returns a structural reference to a new (empty)
-ENGINE object. Other than that, structural references come from return
-values to various ENGINE API functions such as; ENGINE_by_id(),
-ENGINE_get_first(), ENGINE_get_last(), ENGINE_get_next(),
-ENGINE_get_prev(). All structural references should be released by a
-corresponding to call to the ENGINE_free() function - the ENGINE object
-itself will only actually be cleaned up and deallocated when the last
-structural reference is released.
+ENGINE object. There are other ENGINE API functions that return structural
+references such as; ENGINE_by_id(), ENGINE_get_first(), ENGINE_get_last(),
+ENGINE_get_next(), ENGINE_get_prev(). All structural references should be
+released by a corresponding to call to the ENGINE_free() function - the
+ENGINE object itself will only actually be cleaned up and deallocated when
+the last structural reference is released.
 
 It should also be noted that many ENGINE API function calls that accept a
 structural reference will internally obtain another reference - typically
@@ -237,15 +254,9 @@ call the ENGINE_init() function. This returns zero if the ENGINE was not
 already operational and couldn't be successfully initialised (eg. lack of
 system drivers, no special hardware attached, etc), otherwise it will
 return non-zero to indicate that the ENGINE is now operational and will
-have allocated a new B<functional> reference to the ENGINE. In this case,
-the supplied ENGINE pointer is, from the point of the view of the caller,
-both a structural reference and a functional reference - so if the caller
-intends to use it as a functional reference it should free the structural
-reference with ENGINE_free() first. If the caller wishes to use it only as
-a structural reference (eg. if the ENGINE_init() call was simply to test if
-the ENGINE seems available/online), then it should free the functional
-reference; all functional references are released by the ENGINE_finish()
-function.
+have allocated a new B<functional> reference to the ENGINE. All functional
+references are released by calling ENGINE_finish() (which removes the
+implicit structural reference as well).
 
 The second way to get a functional reference is by asking OpenSSL for a
 default implementation for a given task, eg. by ENGINE_get_default_RSA(),
@@ -259,26 +270,21 @@ algorithm-specific types in OpenSSL, such as RSA, DSA, EVP_CIPHER_CTX, etc.
 For each supported abstraction, the ENGINE code maintains an internal table
 of state to control which implementations are available for a given
 abstraction and which should be used by default. These implementations are
-registered in the tables separated-out by an 'nid' index, because
+registered in the tables and indexed by an 'nid' value, because
 abstractions like EVP_CIPHER and EVP_DIGEST support many distinct
-algorithms and modes - ENGINEs will support different numbers and
-combinations of these. In the case of other abstractions like RSA, DSA,
-etc, there is only one "algorithm" so all implementations implicitly
-register using the same 'nid' index. ENGINEs can be B<registered> into
-these tables to make themselves available for use automatically by the
-various abstractions, eg. RSA. For illustrative purposes, we continue with
-the RSA example, though all comments apply similarly to the other
-abstractions (they each get their own table and linkage to the
-corresponding section of openssl code).
-
-When a new RSA key is being created, ie. in RSA_new_method(), a
-"get_default" call will be made to the ENGINE subsystem to process the RSA
-state table and return a functional reference to an initialised ENGINE
-whose RSA_METHOD should be used. If no ENGINE should (or can) be used, it
-will return NULL and the RSA key will operate with a NULL ENGINE handle by
-using the conventional RSA implementation in OpenSSL (and will from then on
-behave the way it used to before the ENGINE API existed - for details see
-L<RSA_new_method(3)|RSA_new_method(3)>).
+algorithms and modes, and ENGINEs can support arbitrarily many of them.
+In the case of other abstractions like RSA, DSA, etc, there is only one
+"algorithm" so all implementations implicitly register using the same 'nid'
+index.
+
+When a default ENGINE is requested for a given abstraction/algorithm/mode, (eg.
+when calling RSA_new_method(NULL)), a "get_default" call will be made to the
+ENGINE subsystem to process the corresponding state table and return a
+functional reference to an initialised ENGINE whose implementation should be
+used. If no ENGINE should (or can) be used, it will return NULL and the caller
+will operate with a NULL ENGINE handle - this usually equates to using the
+conventional software implementation. In the latter case, OpenSSL will from
+then on behave the way it used to before the ENGINE API existed.
 
 Each state table has a flag to note whether it has processed this
 "get_default" query since the table was last modified, because to process
@@ -295,36 +301,9 @@ instead the only way for the state table to return a non-NULL ENGINE to the
 "get_default" query will be if one is expressly set in the table. Eg.
 ENGINE_set_default_RSA() does the same job as ENGINE_register_RSA() except
 that it also sets the state table's cached response for the "get_default"
-query.
-
-In the case of abstractions like EVP_CIPHER, where implementations are
-indexed by 'nid', these flags and cached-responses are distinct for each
-'nid' value.
-
-It is worth illustrating the difference between "registration" of ENGINEs
-into these per-algorithm state tables and using the alternative
-"set_default" functions. The latter handles both "registration" and also
-setting the cached "default" ENGINE in each relevant state table - so
-registered ENGINEs will only have a chance to be initialised for use as a
-default if a default ENGINE wasn't already set for the same state table.
-Eg. if ENGINE X supports cipher nids {A,B} and RSA, ENGINE Y supports
-ciphers {A} and DSA, and the following code is executed;
-
- ENGINE_register_complete(X);
- ENGINE_set_default(Y, ENGINE_METHOD_ALL);
- e1 = ENGINE_get_default_RSA();
- e2 = ENGINE_get_cipher_engine(A);
- e3 = ENGINE_get_cipher_engine(B);
- e4 = ENGINE_get_default_DSA();
- e5 = ENGINE_get_cipher_engine(C);
-
-The results would be as follows;
-
- assert(e1 == X);
- assert(e2 == Y);
- assert(e3 == X);
- assert(e4 == Y);
- assert(e5 == NULL);
+query. In the case of abstractions like EVP_CIPHER, where implementations are
+indexed by 'nid', these flags and cached-responses are distinct for each 'nid'
+value.
 
 =head2 Application requirements
 
@@ -360,7 +339,7 @@ mention an important API function;
 
 If no ENGINE API functions are called at all in an application, then there
 are no inherent memory leaks to worry about from the ENGINE functionality,
-however if any ENGINEs are "load"ed, even if they are never registered or
+however if any ENGINEs are loaded, even if they are never registered or
 used, it is necessary to use the ENGINE_cleanup() function to
 correspondingly cleanup before program exit, if the caller wishes to avoid
 memory leaks. This mechanism uses an internal callback registration table
@@ -375,7 +354,7 @@ linker.
 The fact that ENGINEs are made visible to OpenSSL (and thus are linked into
 the program and loaded into memory at run-time) does not mean they are
 "registered" or called into use by OpenSSL automatically - that behaviour
-is something for the application to have control over. Some applications
+is something for the application to control. Some applications
 will want to allow the user to specify exactly which ENGINE they want used
 if any is to be used at all. Others may prefer to load all support and have
 OpenSSL automatically use at run-time any ENGINE that is able to
@@ -433,7 +412,7 @@ it should be used. The following code illustrates how this can work;
 That's all that's required. Eg. the next time OpenSSL tries to set up an
 RSA key, any bundled ENGINEs that implement RSA_METHOD will be passed to
 ENGINE_init() and if any of those succeed, that ENGINE will be set as the
-default for use with RSA from then on.
+default for RSA use from then on.
 
 =head2 Advanced configuration support
 
@@ -441,7 +420,7 @@ There is a mechanism supported by the ENGINE framework that allows each
 ENGINE implementation to define an arbitrary set of configuration
 "commands" and expose them to OpenSSL and any applications based on
 OpenSSL. This mechanism is entirely based on the use of name-value pairs
-and and assumes ASCII input (no unicode or UTF for now!), so it is ideal if
+and assumes ASCII input (no unicode or UTF for now!), so it is ideal if
 applications want to provide a transparent way for users to provide
 arbitrary configuration "directives" directly to such ENGINEs. It is also
 possible for the application to dynamically interrogate the loaded ENGINE
@@ -450,8 +429,8 @@ available "control commands", providing a more flexible configuration
 scheme. However, if the user is expected to know which ENGINE device he/she
 is using (in the case of specialised hardware, this goes without saying)
 then applications may not need to concern themselves with discovering the
-supported control commands and simply prefer to allow settings to passed
-into ENGINEs exactly as they are provided by the user.
+supported control commands and simply prefer to pass settings into ENGINEs
+exactly as they are provided by the user.
 
 Before illustrating how control commands work, it is worth mentioning what
 they are typically used for. Broadly speaking there are two uses for
@@ -459,13 +438,13 @@ control commands; the first is to provide the necessary details to the
 implementation (which may know nothing at all specific to the host system)
 so that it can be initialised for use. This could include the path to any
 driver or config files it needs to load, required network addresses,
-smart-card identifiers, passwords to initialise password-protected devices,
+smart-card identifiers, passwords to initialise protected devices,
 logging information, etc etc. This class of commands typically needs to be
 passed to an ENGINE B<before> attempting to initialise it, ie. before
 calling ENGINE_init(). The other class of commands consist of settings or
 operations that tweak certain behaviour or cause certain operations to take
 place, and these commands may work either before or after ENGINE_init(), or
-in same cases both. ENGINE implementations should provide indications of
+in some cases both. ENGINE implementations should provide indications of
 this in the descriptions attached to builtin control commands and/or in
 external product documentation.
 
@@ -529,14 +508,14 @@ FALSE.
 I<Discovering supported control commands>
 
 It is possible to discover at run-time the names, numerical-ids, descriptions
-and input parameters of the control commands supported from a structural
-reference to any ENGINE. It is first important to note that some control
-commands are defined by OpenSSL itself and it will intercept and handle these
-control commands on behalf of the ENGINE, ie. the ENGINE's ctrl() handler is not
-used for the control command. openssl/engine.h defines a symbol,
-ENGINE_CMD_BASE, that all control commands implemented by ENGINEs from. Any
-command value lower than this symbol is considered a "generic" command is
-handled directly by the OpenSSL core routines.
+and input parameters of the control commands supported by an ENGINE using a
+structural reference. Note that some control commands are defined by OpenSSL
+itself and it will intercept and handle these control commands on behalf of the
+ENGINE, ie. the ENGINE's ctrl() handler is not used for the control command.
+openssl/engine.h defines an index, ENGINE_CMD_BASE, that all control commands
+implemented by ENGINEs should be numbered from. Any command value lower than
+this symbol is considered a "generic" command is handled directly by the
+OpenSSL core routines.
 
 It is using these "core" control commands that one can discover the the control
 commands implemented by a given ENGINE, specifically the commands;
@@ -552,8 +531,8 @@ commands implemented by a given ENGINE, specifically the commands;
  #define ENGINE_CTRL_GET_CMD_FLAGS		18
 
 Whilst these commands are automatically processed by the OpenSSL framework code,
-they use various properties exposed by each ENGINE by which to process these
-queries. An ENGINE has 3 properties it exposes that can affect this behaviour;
+they use various properties exposed by each ENGINE to process these
+queries. An ENGINE has 3 properties it exposes that can affect how this behaves;
 it can supply a ctrl() handler, it can specify ENGINE_FLAGS_MANUAL_CMD_CTRL in
 the ENGINE's flags, and it can expose an array of control command descriptions.
 If an ENGINE specifies the ENGINE_FLAGS_MANUAL_CMD_CTRL flag, then it will
@@ -615,7 +594,6 @@ implementations.
 
 =head1 SEE ALSO
 
-L<rsa(3)|rsa(3)>, L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>, L<rand(3)|rand(3)>,
-L<RSA_new_method(3)|RSA_new_method(3)>
+L<rsa(3)|rsa(3)>, L<dsa(3)|dsa(3)>, L<dh(3)|dh(3)>, L<rand(3)|rand(3)>
 
 =cut
diff --git a/crypto/openssl/doc/crypto/hmac.pod b/crypto/openssl/doc/crypto/hmac.pod
index 3976baf..0bd79a6 100644
--- a/crypto/openssl/doc/crypto/hmac.pod
+++ b/crypto/openssl/doc/crypto/hmac.pod
@@ -18,7 +18,7 @@ authentication code
  void HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len,
                const EVP_MD *md);
  void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len,
-               	   const EVP_MD *md);
+               	   const EVP_MD *md, ENGINE *impl);
  void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
  void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
 
diff --git a/crypto/openssl/doc/crypto/threads.pod b/crypto/openssl/doc/crypto/threads.pod
index afa45cd..3df4ecd 100644
--- a/crypto/openssl/doc/crypto/threads.pod
+++ b/crypto/openssl/doc/crypto/threads.pod
@@ -65,9 +65,10 @@ B<CRYPTO_LOCK>, and releases it otherwise.
 B<file> and B<line> are the file number of the function setting the
 lock. They can be useful for debugging.
 
-id_function(void) is a function that returns a thread ID. It is not
+id_function(void) is a function that returns a thread ID, for example
+pthread_self() if it returns an integer (see NOTES below).  It isn't
 needed on Windows nor on platforms where getpid() returns a different
-ID for each thread (most notably Linux).
+ID for each thread (see NOTES below).
 
 Additionally, OpenSSL supports dynamic locks, and sometimes, some parts
 of OpenSSL need it for better performance.  To enable this, the following
@@ -124,13 +125,13 @@ CRYPTO_get_new_dynlockid() returns the index to the newly created lock.
 
 The other functions return no values.
 
-=head1 NOTE
+=head1 NOTES
 
 You can find out if OpenSSL was configured with thread support:
 
  #define OPENSSL_THREAD_DEFINES
  #include <openssl/opensslconf.h>
- #if defined(THREADS)
+ #if defined(OPENSSL_THREADS)
    // thread support enabled
  #else
    // no thread support
@@ -139,6 +140,22 @@ You can find out if OpenSSL was configured with thread support:
 Also, dynamic locks are currently not used internally by OpenSSL, but
 may do so in the future.
 
+Defining id_function(void) has it's own issues.  Generally speaking,
+pthread_self() should be used, even on platforms where getpid() gives
+different answers in each thread, since that may depend on the machine
+the program is run on, not the machine where the program is being
+compiled.  For instance, Red Hat 8 Linux and earlier used
+LinuxThreads, whose getpid() returns a different value for each
+thread.  Red Hat 9 Linux and later use NPTL, which is
+Posix-conformant, and has a getpid() that returns the same value for
+all threads in a process.  A program compiled on Red Hat 8 and run on
+Red Hat 9 will therefore see getpid() returning the same value for
+all threads.
+
+There is still the issue of platforms where pthread_self() returns
+something other than an integer.  This is a bit unusual, and this
+manual has no cookbook solution for that case.
+
 =head1 EXAMPLES
 
 B<crypto/threads/mttest.c> shows examples of the callback functions on
diff --git a/crypto/openssl/doc/crypto/x509.pod b/crypto/openssl/doc/crypto/x509.pod
new file mode 100644
index 0000000..f9e58e0
--- /dev/null
+++ b/crypto/openssl/doc/crypto/x509.pod
@@ -0,0 +1,64 @@
+=pod
+
+=head1 NAME
+
+x509 - X.509 certificate handling
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+=head1 DESCRIPTION
+
+A X.509 certificate is a structured grouping of information about
+an individual, a device, or anything one can imagine.  A X.509 CRL
+(certificate revocation list) is a tool to help determine if a
+certificate is still valid.  The exact definition of those can be
+found in the X.509 document from ITU-T, or in RFC3280 from PKIX.
+In OpenSSL, the type X509 is used to express such a certificate, and
+the type X509_CRL is used to express a CRL.
+
+A related structure is a certificate request, defined in PKCS#10 from
+RSA Security, Inc, also reflected in RFC2896.  In OpenSSL, the type
+X509_REQ is used to express such a certificate request.
+
+To handle some complex parts of a certificate, there are the types
+X509_NAME (to express a certificate name), X509_ATTRIBUTE (to express
+a certificate attributes), X509_EXTENSION (to express a certificate
+extension) and a few more.
+
+Finally, there's the supertype X509_INFO, which can contain a CRL, a
+certificate and a corresponding private key.
+
+B<X509_>I<...>, B<d2i_X509_>I<...> and B<i2d_X509_>I<...> handle X.509
+certificates, with some exceptions, shown below.
+
+B<X509_CRL_>I<...>, B<d2i_X509_CRL_>I<...> and B<i2d_X509_CRL_>I<...>
+handle X.509 CRLs.
+
+B<X509_REQ_>I<...>, B<d2i_X509_REQ_>I<...> and B<i2d_X509_REQ_>I<...>
+handle PKCS#10 certificate requests.
+
+B<X509_NAME_>I<...> handle certificate names.
+
+B<X509_ATTRIBUTE_>I<...> handle certificate attributes.
+
+B<X509_EXTENSION_>I<...> handle certificate extensions.
+
+=head1 SEE ALSO
+
+L<X509_NAME_ENTRY_get_object(3)|X509_NAME_ENTRY_get_object(3)>,
+L<X509_NAME_add_entry_by_txt(3)|X509_NAME_add_entry_by_txt(3)>,
+L<X509_NAME_add_entry_by_NID(3)|X509_NAME_add_entry_by_NID(3)>,
+L<X509_NAME_print_ex(3)|X509_NAME_print_ex(3)>,
+L<X509_NAME_new(3)|X509_NAME_new(3)>,
+L<d2i_X509(3)|d2i_X509(3)>,
+L<d2i_X509_ALGOR(3)|d2i_X509_ALGOR(3)>,
+L<d2i_X509_CRL(3)|d2i_X509_CRL(3)>,
+L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>,
+L<d2i_X509_REQ(3)|d2i_X509_REQ(3)>,
+L<d2i_X509_SIG(3)|d2i_X509_SIG(3)>,
+L<crypto(3)|crypto(3)>,
+L<x509v3(3)|x509v3(3)>
+
+=cut
diff --git a/crypto/openssl/doc/fingerprints.txt b/crypto/openssl/doc/fingerprints.txt
new file mode 100644
index 0000000..7d05a85
--- /dev/null
+++ b/crypto/openssl/doc/fingerprints.txt
@@ -0,0 +1,57 @@
+                              Fingerprints
+
+OpenSSL releases are signed with PGP/GnuPG keys.  You can find the
+signatures in separate files in the same location you find the
+distributions themselves.  The normal file name is the same as the
+distribution file, with '.asc' added.  For example, the signature for
+the distribution of OpenSSL 0.9.7f, openssl-0.9.7f.tar.gz, is found in
+the file openssl-0.9.7f.tar.gz.asc.
+
+The following is the list of fingerprints for the keys that are
+currently in use (have been used since summer 2004) to sign OpenSSL
+distributions:
+
+pub   1024D/F709453B 2003-10-20
+      Key fingerprint = C4CA B749 C34F 7F4C C04F  DAC9 A7AF 9E78 F709 453B
+uid                  Richard Levitte <richard@levitte.org>
+uid                  Richard Levitte <levitte@openssl.org>
+uid                  Richard Levitte <levitte@lp.se>
+
+pub   2048R/F295C759 1998-12-13
+      Key fingerprint = D0 5D 8C 61 6E 27 E6 60  41 EC B1 B8 D5 7E E5 97
+uid                  Dr S N Henson <shenson@drh-consultancy.demon.co.uk>
+
+pub   1024R/49A563D9 1997-02-24
+      Key fingerprint = 7B 79 19 FA 71 6B 87 25  0E 77 21 E5 52 D9 83 BF
+uid                  Mark Cox <mjc@redhat.com>
+uid                  Mark Cox <mark@awe.com>
+uid                  Mark Cox <mjc@apache.org>
+
+pub   1024R/26BB437D 1997-04-28
+      Key fingerprint = 00 C9 21 8E D1 AB 70 37  DD 67 A2 3A 0A 6F 8D A5
+uid                  Ralf S. Engelschall <rse@engelschall.com>
+
+pub   1024R/9C58A66D 1997-04-03
+      Key fingerprint = 13 D0 B8 9D 37 30 C3 ED  AC 9C 24 7D 45 8C 17 67
+uid                  jaenicke@openssl.org
+uid                  Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>
+
+pub   1024D/2118CF83 1998-07-13
+      Key fingerprint = 7656 55DE 62E3 96FF 2587  EB6C 4F6D E156 2118 CF83
+uid                  Ben Laurie <ben@thebunker.net>
+uid                  Ben Laurie <ben@cryptix.org>
+uid                  Ben Laurie <ben@algroup.co.uk>
+sub   4096g/1F5143E7 1998-07-13
+
+pub   1024R/5A6A9B85 1994-03-22
+      Key fingerprint = C7 AC 7E AD 56 6A 65 EC  F6 16 66 83 7E 86 68 28
+uid                  Bodo Moeller <2005@bmoeller.de>
+uid                  Bodo Moeller <2003@bmoeller.de>
+uid                  Bodo Moeller <2004@bmoeller.de>
+uid                  Bodo Moeller <bmoeller@acm.org>
+uid                  Bodo Moeller <bodo@openssl.org>
+uid                  Bodo Moeller <bm@ulf.mali.sub.org>
+uid                  Bodo Moeller <3moeller@informatik.uni-hamburg.de>
+uid                  Bodo Moeller <Bodo_Moeller@public.uni-hamburg.de>
+uid                  Bodo Moeller <3moeller@rzdspc5.informatik.uni-hamburg.de>
+
diff --git a/crypto/openssl/doc/openssl.txt b/crypto/openssl/doc/openssl.txt
index 432a17b..f8817b0 100644
--- a/crypto/openssl/doc/openssl.txt
+++ b/crypto/openssl/doc/openssl.txt
@@ -154,8 +154,22 @@ for example contain data in multiple sections. The correct syntax to
 use is defined by the extension code itself: check out the certificate
 policies extension for an example.
 
-In addition it is also possible to use the word DER to include arbitrary
-data in any extension.
+There are two ways to encode arbitrary extensions.
+
+The first way is to use the word ASN1 followed by the extension content
+using the same syntax as ASN1_generate_nconf(). For example:
+
+1.2.3.4=critical,ASN1:UTF8String:Some random data
+
+1.2.3.4=ASN1:SEQUENCE:seq_sect
+
+[seq_sect]
+
+field1 = UTF8:field1
+field2 = UTF8:field2
+
+It is also possible to use the word DER to include arbitrary data in any
+extension.
 
 1.2.3.4=critical,DER:01:02:03:04
 1.2.3.4=DER:01020304
@@ -336,16 +350,21 @@ Subject Alternative Name.
 The subject alternative name extension allows various literal values to be
 included in the configuration file. These include "email" (an email address)
 "URI" a uniform resource indicator, "DNS" (a DNS domain name), RID (a
-registered ID: OBJECT IDENTIFIER) and IP (and IP address).
+registered ID: OBJECT IDENTIFIER), IP (and IP address) and otherName.
 
 Also the email option include a special 'copy' value. This will automatically
 include and email addresses contained in the certificate subject name in
 the extension.
 
+otherName can include arbitrary data associated with an OID: the value
+should be the OID followed by a semicolon and the content in standard
+ASN1_generate_nconf() format.
+
 Examples:
 
 subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
 subjectAltName=email:my@other.address,RID:1.2.3.4
+subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
 
 Issuer Alternative Name.
 
@@ -759,7 +778,7 @@ called.
 
 The X509V3_EXT_METHOD structure is described below.
 
-strut {
+struct {
 int ext_nid;
 int ext_flags;
 X509V3_EXT_NEW ext_new;
diff --git a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
index 4b91c63..f81f692 100644
--- a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
+++ b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
@@ -8,9 +8,9 @@ SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_des
 
  #include <openssl/ssl.h>
 
- const char *SSL_CIPHER_get_name(SSL_CIPHER *cipher);
- int SSL_CIPHER_get_bits(SSL_CIPHER *cipher, int *alg_bits);
- char *SSL_CIPHER_get_version(SSL_CIPHER *cipher);
+ const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
+ int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits);
+ char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
  char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int size);
 
 =head1 DESCRIPTION
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod
index 5686faf..0c40a91 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod
@@ -15,7 +15,7 @@ SSL_CTX_get_ex_new_index, SSL_CTX_set_ex_data, SSL_CTX_get_ex_data - internal ap
 
  int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *arg);
 
- void *SSL_CTX_get_ex_data(SSL_CTX *ctx, int idx);
+ void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx);
 
  typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
                 int idx, long argl, void *argp);
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod b/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod
index 7f10c6e..2a3747e 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod
@@ -8,12 +8,12 @@ SSL_CTX_get_verify_mode, SSL_get_verify_mode, SSL_CTX_get_verify_depth, SSL_get_
 
  #include <openssl/ssl.h>
 
- int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
- int SSL_get_verify_mode(SSL *ssl);
- int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
- int SSL_get_verify_depth(SSL *ssl);
- int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int, X509_STORE_CTX *);
- int (*SSL_get_verify_callback(SSL *ssl))(int, X509_STORE_CTX *);
+ int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
+ int SSL_get_verify_mode(const SSL *ssl);
+ int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
+ int SSL_get_verify_depth(const SSL *ssl);
+ int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *);
+ int (*SSL_get_verify_callback(const SSL *ssl))(int, X509_STORE_CTX *);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_cert_store.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_cert_store.pod
index 3a240c4..6acf0d9 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_cert_store.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_cert_store.pod
@@ -9,7 +9,7 @@ SSL_CTX_set_cert_store, SSL_CTX_get_cert_store - manipulate X509 certificate ver
  #include <openssl/ssl.h>
 
  void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
- X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx);
+ X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_info_callback.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_info_callback.pod
index 63d0b8d..0b4affd5 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_info_callback.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_info_callback.pod
@@ -9,10 +9,10 @@ SSL_CTX_set_info_callback, SSL_CTX_get_info_callback, SSL_set_info_callback, SSL
  #include <openssl/ssl.h>
 
  void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*callback)());
- void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))();
+ void (*SSL_CTX_get_info_callback(const SSL_CTX *ctx))();
 
  void SSL_set_info_callback(SSL *ssl, void (*callback)());
- void (*SSL_get_info_callback(SSL *ssl))();
+ void (*SSL_get_info_callback(const SSL *ssl))();
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
index 766f0c9..fa63263 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
@@ -86,7 +86,7 @@ doing a re-connect, always takes the first cipher in the cipher list.
 
 =item SSL_OP_MSIE_SSLV2_RSA_PADDING
 
-...
+As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
 
 =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
 
@@ -163,7 +163,7 @@ When choosing a cipher, use the server's preferences instead of the client
 preferences. When not set, the SSL server will always follow the clients
 preferences. When set, the SSLv3/TLSv1 server will choose following its
 own preferences. Because of the different protocol, for SSLv2 the server
-will send his list of preferences to the client and the client chooses.
+will send its list of preferences to the client and the client chooses.
 
 =item SSL_OP_PKCS1_CHECK_1
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_quiet_shutdown.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
index 1d0526d..393f8ff 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_set_quiet_shutdown.pod
@@ -9,10 +9,10 @@ SSL_CTX_set_quiet_shutdown, SSL_CTX_get_quiet_shutdown, SSL_set_quiet_shutdown,
  #include <openssl/ssl.h>
 
  void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);
- int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx);
+ int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
 
  void SSL_set_quiet_shutdown(SSL *ssl, int mode);
- int SSL_get_quiet_shutdown(SSL *ssl);
+ int SSL_get_quiet_shutdown(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod
index ea2faba..10be95f 100644
--- a/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod
+++ b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod
@@ -31,8 +31,8 @@ SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_f
  int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
  int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
 
- int SSL_CTX_check_private_key(SSL_CTX *ctx);
- int SSL_check_private_key(SSL *ssl);
+ int SSL_CTX_check_private_key(const SSL_CTX *ctx);
+ int SSL_check_private_key(const SSL *ssl);
 
 =head1 DESCRIPTION
 
@@ -77,6 +77,12 @@ SSL_CTX_use_PrivateKey() adds B<pkey> as private key to B<ctx>.
 SSL_CTX_use_RSAPrivateKey() adds the private key B<rsa> of type RSA
 to B<ctx>. SSL_use_PrivateKey() adds B<pkey> as private key to B<ssl>;
 SSL_use_RSAPrivateKey() adds B<rsa> as private key of type RSA to B<ssl>.
+If a certificate has already been set and the private does not belong
+to the certificate an error is returned. To change a certificate, private
+key pair the new certificate needs to be set with SSL_use_certificate()
+or SSL_CTX_use_certificate() before setting the private key with
+SSL_CTX_use_PrivateKey() or SSL_use_PrivateKey(). 
+
 
 SSL_CTX_use_PrivateKey_ASN1() adds the private key of type B<pk>
 stored at memory location B<d> (length B<len>) to B<ctx>.
@@ -154,4 +160,10 @@ L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
 L<SSL_CTX_set_client_cert_cb(3)|SSL_CTX_set_client_cert_cb(3)>,
 L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
 
+=head1 HISTORY
+
+Support for DER encoded private keys (SSL_FILETYPE_ASN1) in
+SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file() was added
+in 0.9.8 .
+
 =cut
diff --git a/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod
index da0bcf1..657cda9 100644
--- a/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod
+++ b/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod
@@ -15,7 +15,7 @@ SSL_SESSION_get_ex_new_index, SSL_SESSION_set_ex_data, SSL_SESSION_get_ex_data -
 
  int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, void *arg);
 
- void *SSL_SESSION_get_ex_data(SSL_SESSION *session, int idx);
+ void *SSL_SESSION_get_ex_data(const SSL_SESSION *session, int idx);
 
  typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
                 int idx, long argl, void *argp);
diff --git a/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod b/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod
index ea3c2bc..00883ed 100644
--- a/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod
+++ b/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod
@@ -8,14 +8,14 @@ SSL_SESSION_get_time, SSL_SESSION_set_time, SSL_SESSION_get_timeout, SSL_SESSION
 
  #include <openssl/ssl.h>
 
- long SSL_SESSION_get_time(SSL_SESSION *s);
+ long SSL_SESSION_get_time(const SSL_SESSION *s);
  long SSL_SESSION_set_time(SSL_SESSION *s, long tm);
- long SSL_SESSION_get_timeout(SSL_SESSION *s);
+ long SSL_SESSION_get_timeout(const SSL_SESSION *s);
  long SSL_SESSION_set_timeout(SSL_SESSION *s, long tm);
 
- long SSL_get_time(SSL_SESSION *s);
+ long SSL_get_time(const SSL_SESSION *s);
  long SSL_set_time(SSL_SESSION *s, long tm);
- long SSL_get_timeout(SSL_SESSION *s);
+ long SSL_get_timeout(const SSL_SESSION *s);
  long SSL_set_timeout(SSL_SESSION *s, long tm);
 
 =head1 DESCRIPTION
diff --git a/crypto/openssl/doc/ssl/SSL_get_SSL_CTX.pod b/crypto/openssl/doc/ssl/SSL_get_SSL_CTX.pod
index 52d0227..659c482 100644
--- a/crypto/openssl/doc/ssl/SSL_get_SSL_CTX.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_SSL_CTX.pod
@@ -8,7 +8,7 @@ SSL_get_SSL_CTX - get the SSL_CTX from which an SSL is created
 
  #include <openssl/ssl.h>
 
- SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
+ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_ciphers.pod b/crypto/openssl/doc/ssl/SSL_get_ciphers.pod
index 2a57455..aecadd9 100644
--- a/crypto/openssl/doc/ssl/SSL_get_ciphers.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_ciphers.pod
@@ -8,8 +8,8 @@ SSL_get_ciphers, SSL_get_cipher_list - get list of available SSL_CIPHERs
 
  #include <openssl/ssl.h>
 
- STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *ssl);
- const char *SSL_get_cipher_list(SSL *ssl, int priority);
+ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl);
+ const char *SSL_get_cipher_list(const SSL *ssl, int priority);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod b/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod
index 5693fde..68181b2 100644
--- a/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod
@@ -8,8 +8,8 @@ SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs
 
  #include <openssl/ssl.h>
 
- STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
- STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx); 
+ STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
+ STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx); 
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_current_cipher.pod b/crypto/openssl/doc/ssl/SSL_get_current_cipher.pod
index 2dd7261..e5ab124 100644
--- a/crypto/openssl/doc/ssl/SSL_get_current_cipher.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_current_cipher.pod
@@ -9,7 +9,7 @@ SSL_get_cipher_bits, SSL_get_cipher_version - get SSL_CIPHER of a connection
 
  #include <openssl/ssl.h>
 
- SSL_CIPHER *SSL_get_current_cipher(SSL *ssl);
+ SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl);
  #define SSL_get_cipher(s) \
                 SSL_CIPHER_get_name(SSL_get_current_cipher(s))
  #define SSL_get_cipher_name(s) \
diff --git a/crypto/openssl/doc/ssl/SSL_get_default_timeout.pod b/crypto/openssl/doc/ssl/SSL_get_default_timeout.pod
index 8d43b31..a648a9b 100644
--- a/crypto/openssl/doc/ssl/SSL_get_default_timeout.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_default_timeout.pod
@@ -8,7 +8,7 @@ SSL_get_default_timeout - get default session timeout value
 
  #include <openssl/ssl.h>
 
- long SSL_get_default_timeout(SSL *ssl);
+ long SSL_get_default_timeout(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_error.pod b/crypto/openssl/doc/ssl/SSL_get_error.pod
index fe28dd9..48c6b15 100644
--- a/crypto/openssl/doc/ssl/SSL_get_error.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_error.pod
@@ -8,7 +8,7 @@ SSL_get_error - obtain result code for TLS/SSL I/O operation
 
  #include <openssl/ssl.h>
 
- int SSL_get_error(SSL *ssl, int ret);
+ int SSL_get_error(const SSL *ssl, int ret);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod
index 6644ef8..228d23d 100644
--- a/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod
@@ -15,7 +15,7 @@ SSL_get_ex_new_index, SSL_set_ex_data, SSL_get_ex_data - internal application sp
 
  int SSL_set_ex_data(SSL *ssl, int idx, void *arg);
 
- void *SSL_get_ex_data(SSL *ssl, int idx);
+ void *SSL_get_ex_data(const SSL *ssl, int idx);
 
  typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
                 int idx, long argl, void *argp);
diff --git a/crypto/openssl/doc/ssl/SSL_get_fd.pod b/crypto/openssl/doc/ssl/SSL_get_fd.pod
index a3f7625..89260b5 100644
--- a/crypto/openssl/doc/ssl/SSL_get_fd.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_fd.pod
@@ -8,9 +8,9 @@ SSL_get_fd - get file descriptor linked to an SSL object
 
  #include <openssl/ssl.h>
 
- int SSL_get_fd(SSL *ssl);
- int SSL_get_rfd(SSL *ssl);
- int SSL_get_wfd(SSL *ssl);
+ int SSL_get_fd(const SSL *ssl);
+ int SSL_get_rfd(const SSL *ssl);
+ int SSL_get_wfd(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod b/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
index 390ce0b..49fb88f 100644
--- a/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
@@ -8,7 +8,7 @@ SSL_get_peer_cert_chain - get the X509 certificate chain of the peer
 
  #include <openssl/ssl.h>
 
- STACKOF(X509) *SSL_get_peer_cert_chain(SSL *ssl);
+ STACKOF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod b/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod
index 60635a9..ef7c8be 100644
--- a/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod
@@ -8,7 +8,7 @@ SSL_get_peer_certificate - get the X509 certificate of the peer
 
  #include <openssl/ssl.h>
 
- X509 *SSL_get_peer_certificate(SSL *ssl);
+ X509 *SSL_get_peer_certificate(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_session.pod b/crypto/openssl/doc/ssl/SSL_get_session.pod
index dd9aba4..0c41caa 100644
--- a/crypto/openssl/doc/ssl/SSL_get_session.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_session.pod
@@ -8,8 +8,8 @@ SSL_get_session - retrieve TLS/SSL session data
 
  #include <openssl/ssl.h>
 
- SSL_SESSION *SSL_get_session(SSL *ssl);
- SSL_SESSION *SSL_get0_session(SSL *ssl);
+ SSL_SESSION *SSL_get_session(const SSL *ssl);
+ SSL_SESSION *SSL_get0_session(const SSL *ssl);
  SSL_SESSION *SSL_get1_session(SSL *ssl);
 
 =head1 DESCRIPTION
diff --git a/crypto/openssl/doc/ssl/SSL_get_verify_result.pod b/crypto/openssl/doc/ssl/SSL_get_verify_result.pod
index e6bac9c..55b56a5 100644
--- a/crypto/openssl/doc/ssl/SSL_get_verify_result.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_verify_result.pod
@@ -8,7 +8,7 @@ SSL_get_verify_result - get result of peer certificate verification
 
  #include <openssl/ssl.h>
 
- long SSL_get_verify_result(SSL *ssl);
+ long SSL_get_verify_result(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_get_version.pod b/crypto/openssl/doc/ssl/SSL_get_version.pod
index 24d5291..cc271db 100644
--- a/crypto/openssl/doc/ssl/SSL_get_version.pod
+++ b/crypto/openssl/doc/ssl/SSL_get_version.pod
@@ -8,7 +8,7 @@ SSL_get_version - get the protocol version of a connection.
 
  #include <openssl/ssl.h>
 
- const char *SSL_get_version(SSL *ssl);
+ const char *SSL_get_version(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_pending.pod b/crypto/openssl/doc/ssl/SSL_pending.pod
index b4c4859..43f2874 100644
--- a/crypto/openssl/doc/ssl/SSL_pending.pod
+++ b/crypto/openssl/doc/ssl/SSL_pending.pod
@@ -8,7 +8,7 @@ SSL_pending - obtain number of readable bytes buffered in an SSL object
 
  #include <openssl/ssl.h>
 
- int SSL_pending(SSL *ssl);
+ int SSL_pending(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_set_shutdown.pod b/crypto/openssl/doc/ssl/SSL_set_shutdown.pod
index 6289e63..011a022 100644
--- a/crypto/openssl/doc/ssl/SSL_set_shutdown.pod
+++ b/crypto/openssl/doc/ssl/SSL_set_shutdown.pod
@@ -10,7 +10,7 @@ SSL_set_shutdown, SSL_get_shutdown - manipulate shutdown state of an SSL connect
 
  void SSL_set_shutdown(SSL *ssl, int mode);
 
- int SSL_get_shutdown(SSL *ssl);
+ int SSL_get_shutdown(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_shutdown.pod b/crypto/openssl/doc/ssl/SSL_shutdown.pod
index 6b5012b..89911ac 100644
--- a/crypto/openssl/doc/ssl/SSL_shutdown.pod
+++ b/crypto/openssl/doc/ssl/SSL_shutdown.pod
@@ -38,7 +38,7 @@ behaviour.
 =over 4
 
 =item When the application is the first party to send the "close notify"
-alert, SSL_shutdown() will only send the alert and the set the
+alert, SSL_shutdown() will only send the alert and then set the
 SSL_SENT_SHUTDOWN flag (so that the session is considered good and will
 be kept in cache). SSL_shutdown() will then return with 0. If a unidirectional
 shutdown is enough (the underlying connection shall be closed anyway), this
diff --git a/crypto/openssl/doc/ssl/SSL_state_string.pod b/crypto/openssl/doc/ssl/SSL_state_string.pod
index b4be1aa..fe25d47 100644
--- a/crypto/openssl/doc/ssl/SSL_state_string.pod
+++ b/crypto/openssl/doc/ssl/SSL_state_string.pod
@@ -8,8 +8,8 @@ SSL_state_string, SSL_state_string_long - get textual description of state of an
 
  #include <openssl/ssl.h>
 
- const char *SSL_state_string(SSL *ssl);
- const char *SSL_state_string_long(SSL *ssl);
+ const char *SSL_state_string(const SSL *ssl);
+ const char *SSL_state_string_long(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/SSL_want.pod b/crypto/openssl/doc/ssl/SSL_want.pod
index 50cc89d..c0059c0 100644
--- a/crypto/openssl/doc/ssl/SSL_want.pod
+++ b/crypto/openssl/doc/ssl/SSL_want.pod
@@ -8,11 +8,11 @@ SSL_want, SSL_want_nothing, SSL_want_read, SSL_want_write, SSL_want_x509_lookup
 
  #include <openssl/ssl.h>
 
- int SSL_want(SSL *ssl);
- int SSL_want_nothing(SSL *ssl);
- int SSL_want_read(SSL *ssl);
- int SSL_want_write(SSL *ssl);
- int SSL_want_x509_lookup(SSL *ssl);
+ int SSL_want(const SSL *ssl);
+ int SSL_want_nothing(const SSL *ssl);
+ int SSL_want_read(const SSL *ssl);
+ int SSL_want_write(const SSL *ssl);
+ int SSL_want_x509_lookup(const SSL *ssl);
 
 =head1 DESCRIPTION
 
diff --git a/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
index 0321a5a..81d2764 100644
--- a/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
+++ b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
@@ -8,7 +8,7 @@ d2i_SSL_SESSION, i2d_SSL_SESSION - convert SSL_SESSION object from/to ASN1 repre
 
  #include <openssl/ssl.h>
 
- SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, long length);
+ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length);
  int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
 
 =head1 DESCRIPTION
diff --git a/crypto/openssl/doc/ssl/ssl.pod b/crypto/openssl/doc/ssl/ssl.pod
index 3dc5358..266697d 100644
--- a/crypto/openssl/doc/ssl/ssl.pod
+++ b/crypto/openssl/doc/ssl/ssl.pod
@@ -213,7 +213,7 @@ protocol context defined in the B<SSL_CTX> structure.
 
 =item int B<SSL_CTX_add_session>(SSL_CTX *ctx, SSL_SESSION *c);
 
-=item int B<SSL_CTX_check_private_key>(SSL_CTX *ctx);
+=item int B<SSL_CTX_check_private_key>(const SSL_CTX *ctx);
 
 =item long B<SSL_CTX_ctrl>(SSL_CTX *ctx, int cmd, long larg, char *parg);
 
@@ -225,23 +225,23 @@ protocol context defined in the B<SSL_CTX> structure.
 
 =item X509_STORE *B<SSL_CTX_get_cert_store>(SSL_CTX *ctx);
 
-=item STACK *B<SSL_CTX_get_client_CA_list>(SSL_CTX *ctx);
+=item STACK *B<SSL_CTX_get_client_CA_list>(const SSL_CTX *ctx);
 
 =item int (*B<SSL_CTX_get_client_cert_cb>(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
 
-=item char *B<SSL_CTX_get_ex_data>(SSL_CTX *s, int idx);
+=item char *B<SSL_CTX_get_ex_data>(const SSL_CTX *s, int idx);
 
 =item int B<SSL_CTX_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
 
 =item void (*B<SSL_CTX_get_info_callback>(SSL_CTX *ctx))(SSL *ssl, int cb, int ret);
 
-=item int B<SSL_CTX_get_quiet_shutdown>(SSL_CTX *ctx);
+=item int B<SSL_CTX_get_quiet_shutdown>(const SSL_CTX *ctx);
 
 =item int B<SSL_CTX_get_session_cache_mode>(SSL_CTX *ctx);
 
-=item long B<SSL_CTX_get_timeout>(SSL_CTX *ctx);
+=item long B<SSL_CTX_get_timeout>(const SSL_CTX *ctx);
 
-=item int (*B<SSL_CTX_get_verify_callback>(SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);
+=item int (*B<SSL_CTX_get_verify_callback>(const SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);
 
 =item int B<SSL_CTX_get_verify_mode>(SSL_CTX *ctx);
 
@@ -383,27 +383,27 @@ sessions defined in the B<SSL_SESSION> structures.
 
 =over 4
 
-=item int B<SSL_SESSION_cmp>(SSL_SESSION *a, SSL_SESSION *b);
+=item int B<SSL_SESSION_cmp>(const SSL_SESSION *a, const SSL_SESSION *b);
 
 =item void B<SSL_SESSION_free>(SSL_SESSION *ss);
 
 =item char *B<SSL_SESSION_get_app_data>(SSL_SESSION *s);
 
-=item char *B<SSL_SESSION_get_ex_data>(SSL_SESSION *s, int idx);
+=item char *B<SSL_SESSION_get_ex_data>(const SSL_SESSION *s, int idx);
 
 =item int B<SSL_SESSION_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
 
-=item long B<SSL_SESSION_get_time>(SSL_SESSION *s);
+=item long B<SSL_SESSION_get_time>(const SSL_SESSION *s);
 
-=item long B<SSL_SESSION_get_timeout>(SSL_SESSION *s);
+=item long B<SSL_SESSION_get_timeout>(const SSL_SESSION *s);
 
-=item unsigned long B<SSL_SESSION_hash>(SSL_SESSION *a);
+=item unsigned long B<SSL_SESSION_hash>(const SSL_SESSION *a);
 
 =item SSL_SESSION *B<SSL_SESSION_new>(void);
 
-=item int B<SSL_SESSION_print>(BIO *bp, SSL_SESSION *x);
+=item int B<SSL_SESSION_print>(BIO *bp, const SSL_SESSION *x);
 
-=item int B<SSL_SESSION_print_fp>(FILE *fp, SSL_SESSION *x);
+=item int B<SSL_SESSION_print_fp>(FILE *fp, const SSL_SESSION *x);
 
 =item void B<SSL_SESSION_set_app_data>(SSL_SESSION *s, char *a);
 
@@ -438,7 +438,7 @@ connection defined in the B<SSL> structure.
 
 =item char *B<SSL_alert_type_string_long>(int value);
 
-=item int B<SSL_check_private_key>(SSL *ssl);
+=item int B<SSL_check_private_key>(const SSL *ssl);
 
 =item void B<SSL_clear>(SSL *ssl);
 
@@ -446,7 +446,7 @@ connection defined in the B<SSL> structure.
 
 =item int B<SSL_connect>(SSL *ssl);
 
-=item void B<SSL_copy_session_id>(SSL *t, SSL *f);
+=item void B<SSL_copy_session_id>(SSL *t, const SSL *f);
 
 =item long B<SSL_ctrl>(SSL *ssl, int cmd, long larg, char *parg);
 
@@ -458,77 +458,77 @@ connection defined in the B<SSL> structure.
 
 =item void B<SSL_free>(SSL *ssl);
 
-=item SSL_CTX *B<SSL_get_SSL_CTX>(SSL *ssl);
+=item SSL_CTX *B<SSL_get_SSL_CTX>(const SSL *ssl);
 
 =item char *B<SSL_get_app_data>(SSL *ssl);
 
-=item X509 *B<SSL_get_certificate>(SSL *ssl);
+=item X509 *B<SSL_get_certificate>(const SSL *ssl);
 
-=item const char *B<SSL_get_cipher>(SSL *ssl);
+=item const char *B<SSL_get_cipher>(const SSL *ssl);
 
-=item int B<SSL_get_cipher_bits>(SSL *ssl, int *alg_bits);
+=item int B<SSL_get_cipher_bits>(const SSL *ssl, int *alg_bits);
 
-=item char *B<SSL_get_cipher_list>(SSL *ssl, int n);
+=item char *B<SSL_get_cipher_list>(const SSL *ssl, int n);
 
-=item char *B<SSL_get_cipher_name>(SSL *ssl);
+=item char *B<SSL_get_cipher_name>(const SSL *ssl);
 
-=item char *B<SSL_get_cipher_version>(SSL *ssl);
+=item char *B<SSL_get_cipher_version>(const SSL *ssl);
 
-=item STACK *B<SSL_get_ciphers>(SSL *ssl);
+=item STACK *B<SSL_get_ciphers>(const SSL *ssl);
 
-=item STACK *B<SSL_get_client_CA_list>(SSL *ssl);
+=item STACK *B<SSL_get_client_CA_list>(const SSL *ssl);
 
 =item SSL_CIPHER *B<SSL_get_current_cipher>(SSL *ssl);
 
-=item long B<SSL_get_default_timeout>(SSL *ssl);
+=item long B<SSL_get_default_timeout>(const SSL *ssl);
 
-=item int B<SSL_get_error>(SSL *ssl, int i);
+=item int B<SSL_get_error>(const SSL *ssl, int i);
 
-=item char *B<SSL_get_ex_data>(SSL *ssl, int idx);
+=item char *B<SSL_get_ex_data>(const SSL *ssl, int idx);
 
 =item int B<SSL_get_ex_data_X509_STORE_CTX_idx>(void);
 
 =item int B<SSL_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
 
-=item int B<SSL_get_fd>(SSL *ssl);
+=item int B<SSL_get_fd>(const SSL *ssl);
 
-=item void (*B<SSL_get_info_callback>(SSL *ssl);)(void)
+=item void (*B<SSL_get_info_callback>(const SSL *ssl);)()
 
-=item STACK *B<SSL_get_peer_cert_chain>(SSL *ssl);
+=item STACK *B<SSL_get_peer_cert_chain>(const SSL *ssl);
 
-=item X509 *B<SSL_get_peer_certificate>(SSL *ssl);
+=item X509 *B<SSL_get_peer_certificate>(const SSL *ssl);
 
 =item EVP_PKEY *B<SSL_get_privatekey>(SSL *ssl);
 
-=item int B<SSL_get_quiet_shutdown>(SSL *ssl);
+=item int B<SSL_get_quiet_shutdown>(const SSL *ssl);
 
-=item BIO *B<SSL_get_rbio>(SSL *ssl);
+=item BIO *B<SSL_get_rbio>(const SSL *ssl);
 
-=item int B<SSL_get_read_ahead>(SSL *ssl);
+=item int B<SSL_get_read_ahead>(const SSL *ssl);
 
-=item SSL_SESSION *B<SSL_get_session>(SSL *ssl);
+=item SSL_SESSION *B<SSL_get_session>(const SSL *ssl);
 
-=item char *B<SSL_get_shared_ciphers>(SSL *ssl, char *buf, int len);
+=item char *B<SSL_get_shared_ciphers>(const SSL *ssl, char *buf, int len);
 
-=item int B<SSL_get_shutdown>(SSL *ssl);
+=item int B<SSL_get_shutdown>(const SSL *ssl);
 
 =item SSL_METHOD *B<SSL_get_ssl_method>(SSL *ssl);
 
-=item int B<SSL_get_state>(SSL *ssl);
+=item int B<SSL_get_state>(const SSL *ssl);
 
-=item long B<SSL_get_time>(SSL *ssl);
+=item long B<SSL_get_time>(const SSL *ssl);
 
-=item long B<SSL_get_timeout>(SSL *ssl);
+=item long B<SSL_get_timeout>(const SSL *ssl);
 
-=item int (*B<SSL_get_verify_callback>(SSL *ssl);)(void)
+=item int (*B<SSL_get_verify_callback>(const SSL *ssl))(int,X509_STORE_CTX *)
 
-=item int B<SSL_get_verify_mode>(SSL *ssl);
+=item int B<SSL_get_verify_mode>(const SSL *ssl);
 
-=item long B<SSL_get_verify_result>(SSL *ssl);
+=item long B<SSL_get_verify_result>(const SSL *ssl);
 
-=item char *B<SSL_get_version>(SSL *ssl);
+=item char *B<SSL_get_version>(const SSL *ssl);
 
-=item BIO *B<SSL_get_wbio>(SSL *ssl);
+=item BIO *B<SSL_get_wbio>(const SSL *ssl);
 
 =item int B<SSL_in_accept_init>(SSL *ssl);
 
@@ -550,7 +550,7 @@ connection defined in the B<SSL> structure.
 
 =item int B<SSL_peek>(SSL *ssl, void *buf, int num);
 
-=item int B<SSL_pending>(SSL *ssl);
+=item int B<SSL_pending>(const SSL *ssl);
 
 =item int B<SSL_read>(SSL *ssl, void *buf, int num);
 
@@ -610,11 +610,11 @@ connection defined in the B<SSL> structure.
 
 =item int B<SSL_shutdown>(SSL *ssl);
 
-=item int B<SSL_state>(SSL *ssl);
+=item int B<SSL_state>(const SSL *ssl);
 
-=item char *B<SSL_state_string>(SSL *ssl);
+=item char *B<SSL_state_string>(const SSL *ssl);
 
-=item char *B<SSL_state_string_long>(SSL *ssl);
+=item char *B<SSL_state_string_long>(const SSL *ssl);
 
 =item long B<SSL_total_renegotiations>(SSL *ssl);
 
@@ -636,17 +636,17 @@ connection defined in the B<SSL> structure.
 
 =item int B<SSL_use_certificate_file>(SSL *ssl, char *file, int type);
 
-=item int B<SSL_version>(SSL *ssl);
+=item int B<SSL_version>(const SSL *ssl);
 
-=item int B<SSL_want>(SSL *ssl);
+=item int B<SSL_want>(const SSL *ssl);
 
-=item int B<SSL_want_nothing>(SSL *ssl);
+=item int B<SSL_want_nothing>(const SSL *ssl);
 
-=item int B<SSL_want_read>(SSL *ssl);
+=item int B<SSL_want_read>(const SSL *ssl);
 
-=item int B<SSL_want_write>(SSL *ssl);
+=item int B<SSL_want_write>(const SSL *ssl);
 
-=item int B<SSL_want_x509_lookup>(s);
+=item int B<SSL_want_x509_lookup>(const SSL *ssl);
 
 =item int B<SSL_write>(SSL *ssl, const void *buf, int num);
 
diff --git a/crypto/openssl/doc/ssleay.txt b/crypto/openssl/doc/ssleay.txt
index d44d2f0..c753129 100644
--- a/crypto/openssl/doc/ssleay.txt
+++ b/crypto/openssl/doc/ssleay.txt
@@ -4295,7 +4295,7 @@ X-Status:
 Loading client certs into MSIE 3.01
 ===================================
 
-This document conatains all the information necessary to succesfully set up 
+This document contains all the information necessary to successfully set up 
 some scripts to issue client certs to Microsoft Internet Explorer. It 
 includes the required knowledge about the model MSIE uses for client 
 certification and includes complete sample scripts ready to play with. The 
diff --git a/crypto/openssl/doc/standards.txt b/crypto/openssl/doc/standards.txt
index edbe2f3..f6675b5 100644
--- a/crypto/openssl/doc/standards.txt
+++ b/crypto/openssl/doc/standards.txt
@@ -88,6 +88,10 @@ PKCS#12: Personal Information Exchange Syntax Standard, version 1.0.
      (Format: TXT=143173 bytes) (Obsoletes RFC2437) (Status:           
      INFORMATIONAL)                                         
 
+3820 Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate
+     Profile. S. Tuecke, V. Welch, D. Engert, L. Pearlman, M. Thompson.
+     June 2004. (Format: TXT=86374 bytes) (Status: PROPOSED STANDARD)
+
 
 Related:
 --------
-- 
cgit v1.1